From b851ba4731d9f7c5e38889875a83173fcc4d3f16 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Sun, 18 Oct 2015 20:02:16 +0200
Subject: src: add interface wildcard matching

Contrary to iptables, we use the asterisk character '*' as wildcard.

 # nft --debug=netlink add rule test test iifname eth\*
 ip test test
  [ meta load iifname => reg 1 ]
  [ cmp eq reg 1 0x00687465 ]

Note that this generates an optimized comparison without bitwise.

In case you want to match a device that contains an asterisk, you have
to escape the asterisk, ie.

 # nft add rule test test iifname eth\\*

The wildcard string handling occurs from the evaluation step, where we
convert from:

          relational
             /  \
            /    \
         meta   value
       oifname   eth*

to:
          relational
           /    \
          /      \
        meta    prefix
      ofiname

As Patrick suggested, this not actually a wildcard but a prefix since it
only applies to the string when placed at the end.

More comments:

* This relaxes the left->size > right->size from netlink_parse_cmp()
  for strings since the optimization that this patch applies may now
  result in bogus errors.

* This patch can be later on extended to apply a similar optimization to
  payload expressions when:

	expr->len % BITS_PER_BYTE == 0

  For meta and ct, the kernel checks for the exact length of the attributes
  (it expects integer 32 bits) so we can't do it unless we relax that.

* Wildcard strings are not supported from sets and maps yet. Error
  reporting is not very good at this stage since expr_evaluate_prefix()
  doesn't have enough context (ctx->set is NULL, the set object is
  currently created later after evaluating the lhs and rhs of the
  relational). I'll be following up on this later.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/utils.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

(limited to 'src/utils.c')

diff --git a/src/utils.c b/src/utils.c
index 88708e78..65dabf41 100644
--- a/src/utils.c
+++ b/src/utils.c
@@ -66,3 +66,16 @@ char *xstrdup(const char *s)
 		memory_allocation_error();
 	return res;
 }
+
+void xstrunescape(const char *in, char *out)
+{
+	unsigned int i, k = 0;
+
+	for (i = 0; i < strlen(in); i++) {
+		if (in[i] == '\\')
+			continue;
+
+		out[k++] = in[i];
+	}
+	out[k++] = '\0';
+}
-- 
cgit v1.2.3