authorPablo Neira Ayuso <pablo@netfilter.org>2008-11-25 01:03:19 +0100
committerPablo Neira Ayuso <pablo@netfilter.org>2008-11-25 01:03:19 +0100
commit20506e55b12ba22b761a1ad84dc8a47ce8c82f2e (patch)
treea23824017b20e4161e6310fefdfd0a20503fca99 /src/conntrack/filter.c
parent972e6b3c19f3c79b59804308efac447bd2d016ec (diff)
bsf: major rework of the BSF generation code
This patch reworks the BSF automatic generation code. This feature needs more love and it still has several limitations, such as a maximum of 127 IPs due to BSF code restrictions. See this patch as a first step forward. This patch also adds the stack data type, which is used to resolve jumps dynamically instead of the previous static approach. This patch also fixes the limit calculations, which were previously wrong. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/conntrack/filter.c')
-rw-r--r--src/conntrack/filter.c11
1 files changed, 11 insertions, 0 deletions
diff --git a/src/conntrack/filter.c b/src/conntrack/filter.c
index 7966e54..7cee673 100644
--- a/src/conntrack/filter.c
+++ b/src/conntrack/filter.c
@@ -9,7 +9,11 @@
static void filter_attr_l4proto(struct nfct_filter *filter, const void *value)
{
+ if (filter->l4proto_len >= __FILTER_L4PROTO_MAX)
+ return;
+
set_bit(*((int *) value), filter->l4proto_map);
+ filter->l4proto_len++;
}
static void
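Review bot: The new guard `if (filter->l4proto_len >= __FILTER_L4PROTO_MAX)` bounds only the element counter; the protocol number dereferenced on the `set_bit(*((int *) value), filter->l4proto_map);` line is still written into the bitmap without a range check, so a negative or over-large value from the caller would land outside l4proto_map if the map is sized for the 256 IP protocol numbers (its declaration is not visible here). Something like `int proto = *(const int *) value; if (proto < 0 || proto >= IPPROTO_MAX) return;` ahead of the set_bit call, with the bound matched to the actual map width, would close that. The early return also drops the attribute silently — the setter is void, so a caller cannot tell the filter holds fewer protocols than it added; the same applies to the src/dst IPv4 guards in the following hunks, and a comment such as `/* entries beyond __FILTER_L4PROTO_MAX are silently ignored; no error reaches the caller */` at the guard would at least record it. Adding the same protocol twice increments l4proto_len twice while setting a single bit, so the counter can hit the cap with fewer distinct protocols than the limit suggests; testing the bit before incrementing would avoid that.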
@@ -18,12 +22,16 @@ filter_attr_l4proto_state(struct nfct_filter *filter, const void *value)
const struct nfct_filter_proto *this = value;
set_bit_u16(this->state, &filter->l4proto_state[this->proto].map);
+ filter->l4proto_state[this->proto].len++;
}
static void filter_attr_src_ipv4(struct nfct_filter *filter, const void *value)
{
const struct nfct_filter_ipv4 *this = value;
+ if (filter->l3proto_elems[0] >= __FILTER_ADDR_MAX)
+ return;
+
filter->l3proto[0][filter->l3proto_elems[0]].addr = this->addr;
filter->l3proto[0][filter->l3proto_elems[0]].mask = this->mask;
filter->l3proto_elems[0]++;
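Review bot: `filter->l4proto_state[this->proto]` on the set_bit_u16 line and in the added `filter->l4proto_state[this->proto].len++;` indexes the array with a caller-supplied protocol number that is never range-checked, unlike the guards this commit adds to the other three setters; if l4proto_state is a fixed-size array (its declaration is not visible here), an out-of-range `proto` reads and writes past it. The new `len` counter also has no upper bound, whereas l4proto_len and l3proto_elems are capped, so it does not actually limit anything yet. A guard such as `if (this->proto >= IPPROTO_MAX) return;` before the set_bit_u16 call, plus a cap on `.len` matched to the width of the u16 state map, would make this setter consistent with the others. filter_attr_l4proto_state begins outside the hunk; only its body is shown, and filter_attr_src_ipv4 in the same hunk is fine as written.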
@@ -33,6 +41,9 @@ static void filter_attr_dst_ipv4(struct nfct_filter *filter, const void *value)
{
const struct nfct_filter_ipv4 *this = value;
+ if (filter->l3proto_elems[1] >= __FILTER_ADDR_MAX)
+ return;
+
filter->l3proto[1][filter->l3proto_elems[1]].addr = this->addr;
filter->l3proto[1][filter->l3proto_elems[1]].mask = this->mask;
filter->l3proto_elems[1]++;
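Review bot: filter_attr_dst_ipv4 is now a line-for-line copy of filter_attr_src_ipv4 from the previous hunk with the direction index 1 in place of 0, including the new `__FILTER_ADDR_MAX` guard, so any future fix to the bound check has to be repeated in both places. A `static void filter_attr_ipv4(struct nfct_filter *filter, const void *value, int dir)` holding the guard and the two assignments, with the two setters reduced to `filter_attr_ipv4(filter, value, 0);` and `filter_attr_ipv4(filter, value, 1);`, keeps the table-callable signatures unchanged and the bound check in one place. Whether l3proto[0] and l3proto[1] are the same size is not visible here, but the shared constant in both guards suggests they are.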