diff options
| author | Florian Westphal <fw@strlen.de> | 2023-08-03 21:39:13 +0200 |
|---|---|---|
| committer | Phil Sutter <phil@nwl.cc> | 2023-08-10 13:44:12 +0200 |
| commit | 7304f1982d619e19860106bc74b9cf3d05ddb113 (patch) | |
| tree | 346e49793170f200cfeb5d494292b09eb17f6e31 /iptables | |
| parent | 2a6eee89083c837ac429b0e5aba33bdcaeb51a57 (diff) | |
nft-ruleparse: parse meta mark set as MARK target
Mixing nftables and iptables-nft in the same table doesn't work,
but some people do this.
v1.8.8 ignored rules it could not represent in iptables syntax,
v1.8.9 bails in this case.
Add parsing of meta mark expressions so iptables-nft can render them
as -j MARK rules.
This is flawed, nft has features that have no corresponding
syntax in iptables, but we can't undo this.
Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1659
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>
Diffstat (limited to 'iptables')
| -rw-r--r-- | iptables/nft-ruleparse.c | 40 |
1 files changed, 28 insertions, 12 deletions
diff --git a/iptables/nft-ruleparse.c b/iptables/nft-ruleparse.c index a5eb6d09..c8322f93 100644 --- a/iptables/nft-ruleparse.c +++ b/iptables/nft-ruleparse.c @@ -146,11 +146,6 @@ static bool nft_parse_meta_set_common(struct nft_xt_ctx* ctx, return false; } - if (sreg->immediate.data[0] == 0) { - ctx->errmsg = "meta sreg immediate is 0"; - return false; - } - return true; } @@ -159,7 +154,6 @@ static void nft_parse_meta_set(struct nft_xt_ctx *ctx, { struct nft_xt_ctx_reg *sreg; enum nft_registers sregnum; - const char *targname; sregnum = nftnl_expr_get_u32(e, NFTNL_EXPR_META_SREG); sreg = nft_xt_ctx_get_sreg(ctx, sregnum); @@ -171,21 +165,43 @@ static void nft_parse_meta_set(struct nft_xt_ctx *ctx, if (!nft_parse_meta_set_common(ctx, sreg)) return; - targname = "TRACE"; + if (sreg->immediate.data[0] == 0) { + ctx->errmsg = "meta sreg immediate is 0"; + return; + } + + if (!nft_create_target(ctx, "TRACE")) + ctx->errmsg = "target TRACE not found"; break; case NFT_META_BRI_BROUTE: if (!nft_parse_meta_set_common(ctx, sreg)) return; ctx->cs->jumpto = "DROP"; - return; + break; + case NFT_META_MARK: { + struct xt_mark_tginfo2 *mt; + + if (!nft_parse_meta_set_common(ctx, sreg)) + return; + + mt = nft_create_target(ctx, "MARK"); + if (!mt) { + ctx->errmsg = "target MARK not found"; + return; + } + + mt->mark = sreg->immediate.data[0]; + if (sreg->bitwise.set) + mt->mask = sreg->bitwise.mask[0]; + else + mt->mask = ~0u; + break; + } default: ctx->errmsg = "meta sreg key not supported"; - return; + break; } - - if (!nft_create_target(ctx, targname)) - ctx->errmsg = "target TRACE not found"; } static void nft_parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e) |