diff options
-rw-r--r-- | doc/nft.xml | 84 | ||||
-rw-r--r-- | include/expression.h | 7 | ||||
-rw-r--r-- | include/linux/netfilter/nf_tables.h | 27 | ||||
-rw-r--r-- | include/rt.h | 33 | ||||
-rw-r--r-- | src/Makefile.am | 1 | ||||
-rw-r--r-- | src/evaluate.c | 34 | ||||
-rw-r--r-- | src/netlink_delinearize.c | 17 | ||||
-rw-r--r-- | src/netlink_linearize.c | 14 | ||||
-rw-r--r-- | src/parser_bison.y | 18 | ||||
-rw-r--r-- | src/rt.c | 141 | ||||
-rw-r--r-- | src/scanner.l | 3 | ||||
-rw-r--r-- | tests/files/expr-rt | 21 | ||||
-rwxr-xr-x | tests/shell/run-tests.sh | 2 |
13 files changed, 401 insertions, 1 deletions
diff --git a/doc/nft.xml b/doc/nft.xml index 3b215f8c..e6b98ae7 100644 --- a/doc/nft.xml +++ b/doc/nft.xml @@ -1222,6 +1222,90 @@ filter output oif eth0 </example> </para> </refsect2> + + <refsect2> + <title>Routing expressions</title> + <para> + <cmdsynopsis> + <command>rt</command> + <group choice="req"> + <arg>classid</arg> + <arg>nexthop</arg> + </group> + </cmdsynopsis> + </para> + <para> + A routing expression refers to routing data associated with a packet. + </para> + <para> + <table frame="all"> + <title>Routing expression types</title> + <tgroup cols='4' align='left' colsep='1' rowsep='1'> + <colspec colname='c1'/> + <colspec colname='c2'/> + <colspec colname='c3'/> + <thead> + <row> + <entry>Keyword</entry> + <entry>Description</entry> + <entry>Type</entry> + </row> + </thead> + <tbody> + <row> + <entry>classid</entry> + <entry>Routing realm</entry> + <entry>realm</entry> + </row> + <row> + <entry>nexthop</entry> + <entry>Routing nexthop</entry> + <entry>ipv4_addr/ipv6_addr</entry> + </row> + </tbody> + </tgroup> + </table> + </para> + <para> + <table frame="all"> + <title>Routing expression specific types</title> + <tgroup cols='2' align='left' colsep='1' rowsep='1'> + <colspec colname='c1'/> + <colspec colname='c2'/> + <thead> + <row> + <entry>Type</entry> + <entry>Description</entry> + </row> + </thead> + <tbody> + <row> + <entry>realm</entry> + <entry> + Routing Realm (32 bit number). Can be specified numerically + or as symbolic name defined in /etc/iproute2/rt_realms. + </entry> + </row> + </tbody> + </tgroup> + </table> + </para> + <para> + <example> + <title>Using routing expressions</title> + <programlisting> +# IP family independent rt expression +filter output rt classid 10 + +# IP family dependent rt expressions +ip filter output rt nexthop 192.168.0.1 +ip6 filter output rt nexthop fd00::1 +inet filter ether type ip output rt nexthop 192.168.0.1 +inet filter ether type ip6 output rt nexthop fd00::1 + </programlisting> + </example> + </para> + </refsect2> </refsect1> <refsect1> diff --git a/include/expression.h b/include/expression.h index eda3d98f..3ae4e804 100644 --- a/include/expression.h +++ b/include/expression.h @@ -35,6 +35,7 @@ * @EXPR_RELATIONAL: equality and relational expressions * @EXPR_NUMGEN: number generation expression * @EXPR_HASH: hash expression + * @EXPR_RT: routing expression */ enum expr_types { EXPR_INVALID, @@ -59,6 +60,7 @@ enum expr_types { EXPR_RELATIONAL, EXPR_NUMGEN, EXPR_HASH, + EXPR_RT, }; enum ops { @@ -180,6 +182,7 @@ enum expr_flags { #include <exthdr.h> #include <numgen.h> #include <meta.h> +#include <rt.h> #include <hash.h> #include <ct.h> @@ -283,6 +286,10 @@ struct expr { enum proto_bases base; } meta; struct { + /* EXPR_RT */ + enum nft_rt_keys key; + } rt; + struct { /* EXPR_CT */ enum nft_ct_keys key; int8_t direction; diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h index e84a9f5b..2d477847 100644 --- a/include/linux/netfilter/nf_tables.h +++ b/include/linux/netfilter/nf_tables.h @@ -753,6 +753,19 @@ enum nft_meta_keys { }; /** + * enum nft_rt_keys - nf_tables routing expression keys + * + * @NFT_RT_CLASSID: realm value of packet's route (skb->dst->tclassid) + * @NFT_RT_NEXTHOP4: routing nexthop for IPv4 + * @NFT_RT_NEXTHOP6: routing nexthop for IPv6 + */ +enum nft_rt_keys { + NFT_RT_CLASSID, + NFT_RT_NEXTHOP4, + NFT_RT_NEXTHOP6, +}; + +/** * enum nft_hash_attributes - nf_tables hash expression netlink attributes * * @NFTA_HASH_SREG: source register (NLA_U32) @@ -789,6 +802,20 @@ enum nft_meta_attributes { #define NFTA_META_MAX (__NFTA_META_MAX - 1) /** + * enum nft_rt_attributes - nf_tables routing expression netlink attributes + * + * @NFTA_RT_DREG: destination register (NLA_U32) + * @NFTA_RT_KEY: routing data item to load (NLA_U32: nft_rt_keys) + */ +enum nft_rt_attributes { + NFTA_RT_UNSPEC, + NFTA_RT_DREG, + NFTA_RT_KEY, + __NFTA_RT_MAX +}; +#define NFTA_RT_MAX (__NFTA_RT_MAX - 1) + +/** * enum nft_ct_keys - nf_tables ct expression keys * * @NFT_CT_STATE: conntrack state (bitmask of enum ip_conntrack_info) diff --git a/include/rt.h b/include/rt.h new file mode 100644 index 00000000..728cf5f0 --- /dev/null +++ b/include/rt.h @@ -0,0 +1,33 @@ +#ifndef NFTABLES_RT_H +#define NFTABLES_RT_H + +/** + * struct rt_template - template for routing expressions + * + * @token: parser token for the expression + * @dtype: data type of the expression + * @len: length of the expression + * @byteorder: byteorder + * @invalid: invalidate datatype on allocation from parser + */ +struct rt_template { + const char *token; + const struct datatype *dtype; + unsigned int len; + enum byteorder byteorder; + bool invalid; +}; + +#define RT_TEMPLATE(__token, __dtype, __len, __byteorder, __invalid) { \ + .token = (__token), \ + .dtype = (__dtype), \ + .len = (__len), \ + .byteorder = (__byteorder), \ + .invalid = (__invalid), \ +} + +extern struct expr *rt_expr_alloc(const struct location *loc, + enum nft_rt_keys key, bool invalid); +extern void rt_expr_update_type(struct proto_ctx *ctx, struct expr *expr); + +#endif /* NFTABLES_RT_H */ diff --git a/src/Makefile.am b/src/Makefile.am index 63bbef2c..9a151bd4 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -38,6 +38,7 @@ nft_SOURCES = main.c \ exthdr.c \ hash.c \ meta.c \ + rt.c \ numgen.c \ ct.c \ netlink.c \ diff --git a/src/evaluate.c b/src/evaluate.c index 45af3298..ab0dd9ef 100644 --- a/src/evaluate.c +++ b/src/evaluate.c @@ -612,6 +612,38 @@ static int expr_evaluate_payload(struct eval_ctx *ctx, struct expr **exprp) } /* + * RT expression: validate protocol dependencies. + */ +static int expr_evaluate_rt(struct eval_ctx *ctx, struct expr **expr) +{ + const struct proto_desc *base; + struct expr *rt = *expr; + + rt_expr_update_type(&ctx->pctx, rt); + + base = ctx->pctx.protocol[PROTO_BASE_NETWORK_HDR].desc; + switch (rt->rt.key) { + case NFT_RT_NEXTHOP4: + if (base != &proto_ip) + goto err; + break; + case NFT_RT_NEXTHOP6: + if (base != &proto_ip6) + goto err; + break; + default: + break; + } + + return expr_evaluate_primary(ctx, expr); + +err: + return expr_error(ctx->msgs, rt, + "ether type ip or ip6 must be specified before " + "routing expression"); +} + +/* * CT expression: update the protocol dependant types bases on the protocol * context. */ @@ -1609,6 +1641,8 @@ static int expr_evaluate(struct eval_ctx *ctx, struct expr **expr) return expr_evaluate_primary(ctx, expr); case EXPR_PAYLOAD: return expr_evaluate_payload(ctx, expr); + case EXPR_RT: + return expr_evaluate_rt(ctx, expr); case EXPR_CT: return expr_evaluate_ct(ctx, expr); case EXPR_PREFIX: diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c index c3b0b278..dc9cc837 100644 --- a/src/netlink_delinearize.c +++ b/src/netlink_delinearize.c @@ -585,6 +585,21 @@ static void netlink_parse_meta(struct netlink_parse_ctx *ctx, netlink_parse_meta_stmt(ctx, loc, nle); } +static void netlink_parse_rt(struct netlink_parse_ctx *ctx, + const struct location *loc, + const struct nftnl_expr *nle) +{ + enum nft_registers dreg; + uint32_t key; + struct expr *expr; + + key = nftnl_expr_get_u32(nle, NFTNL_EXPR_RT_KEY); + expr = rt_expr_alloc(loc, key, false); + + dreg = netlink_parse_register(nle, NFTNL_EXPR_RT_DREG); + netlink_set_register(ctx, dreg, expr); +} + static void netlink_parse_numgen(struct netlink_parse_ctx *ctx, const struct location *loc, const struct nftnl_expr *nle) @@ -1086,6 +1101,7 @@ static const struct { { .name = "payload", .parse = netlink_parse_payload }, { .name = "exthdr", .parse = netlink_parse_exthdr }, { .name = "meta", .parse = netlink_parse_meta }, + { .name = "rt", .parse = netlink_parse_rt }, { .name = "ct", .parse = netlink_parse_ct }, { .name = "counter", .parse = netlink_parse_counter }, { .name = "log", .parse = netlink_parse_log }, @@ -1724,6 +1740,7 @@ static void expr_postprocess(struct rule_pp_ctx *ctx, struct expr **exprp) break; case EXPR_SET_REF: case EXPR_META: + case EXPR_RT: case EXPR_VERDICT: case EXPR_NUMGEN: break; diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c index b04625f1..a5d4502f 100644 --- a/src/netlink_linearize.c +++ b/src/netlink_linearize.c @@ -172,6 +172,18 @@ static void netlink_gen_meta(struct netlink_linearize_ctx *ctx, nftnl_rule_add_expr(ctx->nlr, nle); } +static void netlink_gen_rt(struct netlink_linearize_ctx *ctx, + const struct expr *expr, + enum nft_registers dreg) +{ + struct nftnl_expr *nle; + + nle = alloc_nft_expr("rt"); + netlink_put_register(nle, NFTNL_EXPR_RT_DREG, dreg); + nftnl_expr_set_u32(nle, NFTNL_EXPR_RT_KEY, expr->rt.key); + nftnl_rule_add_expr(ctx->nlr, nle); +} + static void netlink_gen_numgen(struct netlink_linearize_ctx *ctx, const struct expr *expr, enum nft_registers dreg) @@ -641,6 +653,8 @@ static void netlink_gen_expr(struct netlink_linearize_ctx *ctx, return netlink_gen_exthdr(ctx, expr, dreg); case EXPR_META: return netlink_gen_meta(ctx, expr, dreg); + case EXPR_RT: + return netlink_gen_rt(ctx, expr, dreg); case EXPR_CT: return netlink_gen_ct(ctx, expr, dreg); case EXPR_SET_ELEM: diff --git a/src/parser_bison.y b/src/parser_bison.y index ec9052af..dc02fd23 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -338,6 +338,9 @@ static void location_update(struct location *loc, struct location *rhs, int n) %token OIFGROUP "oifgroup" %token CGROUP "cgroup" +%token CLASSID "classid" +%token NEXTHOP "nexthop" + %token CT "ct" %token DIRECTION "direction" %token STATE "state" @@ -590,6 +593,10 @@ static void location_update(struct location *loc, struct location *rhs, int n) %destructor { expr_free($$); } meta_expr %type <val> meta_key meta_key_qualified meta_key_unqualified numgen_type +%type <expr> rt_expr +%destructor { expr_free($$); } rt_expr +%type <val> rt_key + %type <expr> ct_expr %destructor { expr_free($$); } ct_expr %type <val> ct_key ct_key_dir ct_key_counters @@ -1995,6 +2002,7 @@ primary_expr : symbol_expr { $$ = $1; } | payload_expr { $$ = $1; } | exthdr_expr { $$ = $1; } | meta_expr { $$ = $1; } + | rt_expr { $$ = $1; } | ct_expr { $$ = $1; } | numgen_expr { $$ = $1; } | hash_expr { $$ = $1; } @@ -2529,6 +2537,16 @@ hash_expr : JHASH expr MOD NUM SEED NUM } ; +rt_expr : RT rt_key + { + $$ = rt_expr_alloc(&@$, $2, true); + } + ; + +rt_key : CLASSID { $$ = NFT_RT_CLASSID; } + | NEXTHOP { $$ = NFT_RT_NEXTHOP4; } + ; + ct_expr : CT ct_key { $$ = ct_expr_alloc(&@$, $2, -1); diff --git a/src/rt.c b/src/rt.c new file mode 100644 index 00000000..232c1dcb --- /dev/null +++ b/src/rt.c @@ -0,0 +1,141 @@ +/* + * Routing expression related definition and types. + * + * Copyright (c) 2016 Anders K. Pedersen <akp@cohaesio.com> + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + */ + +#include <errno.h> +#include <stddef.h> +#include <stdlib.h> +#include <stdio.h> +#include <stdint.h> +#include <string.h> +#include <arpa/inet.h> +#include <linux/netfilter.h> + +#include <nftables.h> +#include <expression.h> +#include <datatype.h> +#include <rt.h> +#include <rule.h> + +static struct symbol_table *realm_tbl; +static void __init realm_table_init(void) +{ + realm_tbl = rt_symbol_table_init("/etc/iproute2/rt_realms"); +} + +static void __exit realm_table_exit(void) +{ + rt_symbol_table_free(realm_tbl); +} + +static void realm_type_print(const struct expr *expr) +{ + return symbolic_constant_print(realm_tbl, expr, true); +} + +static struct error_record *realm_type_parse(const struct expr *sym, + struct expr **res) +{ + return symbolic_constant_parse(sym, realm_tbl, res); +} + +static const struct datatype realm_type = { + .type = TYPE_REALM, + .name = "realm", + .desc = "routing realm", + .byteorder = BYTEORDER_HOST_ENDIAN, + .size = 4 * BITS_PER_BYTE, + .basetype = &integer_type, + .print = realm_type_print, + .parse = realm_type_parse, + .flags = DTYPE_F_PREFIX, +}; + +static const struct rt_template rt_templates[] = { + [NFT_RT_CLASSID] = RT_TEMPLATE("classid", + &realm_type, + 4 * BITS_PER_BYTE, + BYTEORDER_HOST_ENDIAN, + false), + [NFT_RT_NEXTHOP4] = RT_TEMPLATE("nexthop", + &ipaddr_type, + 4 * BITS_PER_BYTE, + BYTEORDER_BIG_ENDIAN, + true), + [NFT_RT_NEXTHOP6] = RT_TEMPLATE("nexthop", + &ip6addr_type, + 16 * BITS_PER_BYTE, + BYTEORDER_BIG_ENDIAN, + true), +}; + +static void rt_expr_print(const struct expr *expr) +{ + printf("rt %s", rt_templates[expr->rt.key].token); +} + +static bool rt_expr_cmp(const struct expr *e1, const struct expr *e2) +{ + return e1->rt.key == e2->rt.key; +} + +static void rt_expr_clone(struct expr *new, const struct expr *expr) +{ + new->rt.key = expr->rt.key; +} + +static const struct expr_ops rt_expr_ops = { + .type = EXPR_RT, + .name = "rt", + .print = rt_expr_print, + .cmp = rt_expr_cmp, + .clone = rt_expr_clone, +}; + +struct expr *rt_expr_alloc(const struct location *loc, enum nft_rt_keys key, + bool invalid) +{ + const struct rt_template *tmpl = &rt_templates[key]; + struct expr *expr; + + if (invalid && tmpl->invalid) + expr = expr_alloc(loc, &rt_expr_ops, &invalid_type, + tmpl->byteorder, 0); + else + expr = expr_alloc(loc, &rt_expr_ops, tmpl->dtype, + tmpl->byteorder, tmpl->len); + expr->rt.key = key; + + return expr; +} + +void rt_expr_update_type(struct proto_ctx *ctx, struct expr *expr) +{ + const struct proto_desc *desc; + + switch (expr->rt.key) { + case NFT_RT_NEXTHOP4: + desc = ctx->protocol[PROTO_BASE_NETWORK_HDR].desc; + if (desc == &proto_ip) + expr->dtype = &ipaddr_type; + else if (desc == &proto_ip6) { + expr->rt.key++; + expr->dtype = &ip6addr_type; + } + expr->len = expr->dtype->size; + break; + default: + break; + } +} + +static void __init rt_init(void) +{ + datatype_register(&realm_type); +} diff --git a/src/scanner.l b/src/scanner.l index 8afddf15..c8352014 100644 --- a/src/scanner.l +++ b/src/scanner.l @@ -446,6 +446,9 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr}) "oifgroup" { return OIFGROUP; } "cgroup" { return CGROUP; } +"classid" { return CLASSID; } +"nexthop" { return NEXTHOP; } + "ct" { return CT; } "l3proto" { return L3PROTOCOL; } "proto-src" { return PROTO_SRC; } diff --git a/tests/files/expr-rt b/tests/files/expr-rt new file mode 100644 index 00000000..4c154091 --- /dev/null +++ b/tests/files/expr-rt @@ -0,0 +1,21 @@ +#! nft -f + +add table ip filter +add chain ip filter output { type filter hook output priority 0 ; } + +add table ip6 filter +add chain ip6 filter output { type filter hook output priority 0 ; } + +add table inet filter +add chain inet filter output { type filter hook output priority 0 ; } + +# rt: classid (see /etc/iproute2/rt_realms) +add rule ip filter output rt classid cosmos counter +add rule ip6 filter output rt classid cosmos counter +add rule inet filter output rt classid cosmos counter + +# rt: nexthop +add rule ip filter output rt nexthop 192.168.0.1 counter +add rule ip6 filter output rt nexthop fd00::1 counter +add rule inet filter output ether type ip rt nexthop 192.168.0.1 counter +add rule inet filter output ether type ip6 rt nexthop fd00::1 counter diff --git a/tests/shell/run-tests.sh b/tests/shell/run-tests.sh index ff243444..d9c44c80 100755 --- a/tests/shell/run-tests.sh +++ b/tests/shell/run-tests.sh @@ -57,7 +57,7 @@ kernel_cleanup() { nft_exthdr nft_payload nft_cmp nft_range \ nft_quota nft_queue nft_numgen \ nft_meta nft_meta_bridge nft_counter nft_log nft_limit \ - nft_hash nft_ct nft_compat \ + nft_hash nft_ct nft_compat nft_rt \ nft_set_hash nft_set_rbtree \ nft_chain_nat_ipv4 nft_chain_nat_ipv6 \ nf_tables_inet nf_tables_bridge nf_tables_arp \ |