diff options
| author | Florian Westphal <fw@strlen.de> | 2023-04-04 11:45:44 +0200 |
|---|---|---|
| committer | Phil Sutter <phil@nwl.cc> | 2023-04-04 21:22:46 +0200 |
| commit | 73611d5582e72367a698faf1b5301c836e981465 (patch) | |
| tree | 26cadc917f59dc503459ceab03287cc863fa4eae /iptables/nft-shared.c | |
| parent | 545310d9ed412f895a8aad757f6f6324b66d062f (diff) | |
ebtables-nft: add broute table emulation
Use new 'meta broute set 1' to emulate -t broute. If '-t broute' is given,
automatically translate -j DROP to 'meta broute set 1 accept' internally.
Reverse translation zaps the broute and pretends verdict was DROP.
Note that BROUTING is internally handled via PREROUTING, i.e. 'redirect'
and 'nat' targets are not available, they will need to be emulated via
nft expressions.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'iptables/nft-shared.c')
| -rw-r--r-- | iptables/nft-shared.c | 39 |
1 files changed, 28 insertions, 11 deletions
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c index 1b22eb7a..c19d78e4 100644 --- a/iptables/nft-shared.c +++ b/iptables/nft-shared.c @@ -511,8 +511,24 @@ void get_cmp_data(struct nftnl_expr *e, void *data, size_t dlen, bool *inv) *inv = (op == NFT_CMP_NEQ); } -static void nft_meta_set_to_target(struct nft_xt_ctx *ctx, - struct nftnl_expr *e) +static bool nft_parse_meta_set_common(struct nft_xt_ctx* ctx, + struct nft_xt_ctx_reg *sreg) +{ + if ((sreg->type != NFT_XT_REG_IMMEDIATE)) { + ctx->errmsg = "meta sreg is not an immediate"; + return false; + } + + if (sreg->immediate.data[0] == 0) { + ctx->errmsg = "meta sreg immediate is 0"; + return false; + } + + return true; +} + +static void nft_parse_meta_set(struct nft_xt_ctx *ctx, + struct nftnl_expr *e) { struct xtables_target *target; struct nft_xt_ctx_reg *sreg; @@ -528,18 +544,17 @@ static void nft_meta_set_to_target(struct nft_xt_ctx *ctx, switch (nftnl_expr_get_u32(e, NFTNL_EXPR_META_KEY)) { case NFT_META_NFTRACE: - if ((sreg->type != NFT_XT_REG_IMMEDIATE)) { - ctx->errmsg = "meta nftrace but reg not immediate"; + if (!nft_parse_meta_set_common(ctx, sreg)) return; - } - - if (sreg->immediate.data[0] == 0) { - ctx->errmsg = "trace is cleared"; - return; - } targname = "TRACE"; break; + case NFT_META_BRI_BROUTE: + if (!nft_parse_meta_set_common(ctx, sreg)) + return; + + ctx->cs->jumpto = "DROP"; + return; default: ctx->errmsg = "meta sreg key not supported"; return; @@ -568,7 +583,7 @@ static void nft_parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e) struct nft_xt_ctx_reg *reg; if (nftnl_expr_is_set(e, NFTNL_EXPR_META_SREG)) { - nft_meta_set_to_target(ctx, e); + nft_parse_meta_set(ctx, e); return; } @@ -1145,6 +1160,8 @@ static void nft_parse_immediate(struct nft_xt_ctx *ctx, struct nftnl_expr *e) /* Standard target? */ switch(verdict) { case NF_ACCEPT: + if (cs->jumpto && strcmp(ctx->table, "broute") == 0) + break; cs->jumpto = "ACCEPT"; break; case NF_DROP: |