authorPablo Neira Ayuso <pablo@netfilter.org>2020-09-14 20:51:20 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2020-09-15 19:03:36 +0200
commitae1d822630e6dcbac2650a90b2004360d7a51e48 (patch)
tree77660fadab33dbb52d5748fb9ebb1c299cea3b16 /include
parent30fb63b524f8920ce01531947b7c595813a3ba32 (diff)
src: context tracking for multiple transport protocols
This patch extends the protocol context infrastructure to track multiple transport protocols when they are specified from sets. This removes errors like: "transport protocol mapping is only valid after transport protocol match" when invoking: # nft add rule x z meta l4proto { tcp, udp } dnat to 1.1.1.1:80 This patch also catches conflicts like: # nft add rule x z ip protocol { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80 Error: conflicting protocols specified: udp vs. tcp add rule x z ip protocol { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80 ^^^^^^^^^ and: # nft add rule x z meta l4proto { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80 Error: conflicting protocols specified: udp vs. tcp add rule x z meta l4proto { tcp, udp } tcp dport 20 dnat to 1.1.1.1:80 ^^^^^^^^^ Note that: - the singleton protocol context tracker is left in place until the existing users are updated to use this new multiprotocol tracker. Moving forward, it would be good to consolidate things around this new multiprotocol context tracker infrastructure. - link and network layers are not updated to use this infrastructure yet. The code that deals with vlan conflicts relies on forcing protocol context updates to the singleton protocol base. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include')
-rw-r--r--include/expression.h4
-rw-r--r--include/proto.h11
2 files changed, 14 insertions, 1 deletions
diff --git a/include/expression.h b/include/expression.h
index 130912a8..b039882c 100644
--- a/include/expression.h
+++ b/include/expression.h
@@ -167,7 +167,9 @@ struct expr_ops {
bool (*cmp)(const struct expr *e1,
const struct expr *e2);
void (*pctx_update)(struct proto_ctx *ctx,
- const struct expr *expr);
+ const struct location *loc,
+ const struct expr *left,
+ const struct expr *right);
int (*build_udata)(struct nftnl_udata_buf *udbuf,
const struct expr *expr);
struct expr * (*parse_udata)(const struct nftnl_udata *ud);
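Review bot: The widened `pctx_update` member of `struct expr_ops` gets no comment saying what `left` and `right` denote, so a reader of this header cannot tell which operand is the protocol selector and which carries the matched value(s), nor whether `right` may be NULL. Given the commit message, `left` is presumably the selector expression (`meta l4proto`, `ip protocol`) and `right` the constant or set it is compared against, with `loc` feeding the conflict diagnostics; that should be confirmed against the implementers and then written down above the member, e.g. `/* pctx_update: refresh the protocol context after a relational match; left is the selector, right the constant or set it is compared to, loc is reported on conflicts */`. Stating it here matters because every expr_ops implementer outside this diff must agree on the same convention.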
diff --git a/include/proto.h b/include/proto.h
index 1771ba8e..304b048e 100644
--- a/include/proto.h
+++ b/include/proto.h
@@ -152,6 +152,8 @@ struct dev_proto_desc {
extern int proto_dev_type(const struct proto_desc *desc, uint16_t *res);
extern const struct proto_desc *proto_dev_desc(uint16_t type);
+#define PROTO_CTX_NUM_PROTOS 16
+
/**
* struct proto_ctx - protocol context
*
@@ -172,6 +174,11 @@ struct proto_ctx {
struct location location;
const struct proto_desc *desc;
unsigned int offset;
+ struct {
+ struct location location;
+ const struct proto_desc *desc;
+ } protos[PROTO_CTX_NUM_PROTOS];
+ unsigned int num_protos;
} protocol[PROTO_BASE_MAX + 1];
};
@@ -180,6 +187,10 @@ extern void proto_ctx_init(struct proto_ctx *ctx, unsigned int family,
extern void proto_ctx_update(struct proto_ctx *ctx, enum proto_bases base,
const struct location *loc,
const struct proto_desc *desc);
+bool proto_ctx_is_ambiguous(struct proto_ctx *ctx, enum proto_bases bases);
+const struct proto_desc *proto_ctx_find_conflict(struct proto_ctx *ctx,
+ enum proto_bases base,
+ const struct proto_desc *desc);
extern const struct proto_desc *proto_find_upper(const struct proto_desc *base,
unsigned int num);
extern int proto_find_num(const struct proto_desc *base,
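Review bot: `protos[PROTO_CTX_NUM_PROTOS]` is a fixed 16-entry array indexed by `num_protos`, but nothing in this header says what happens when a set names more transport protocols than that; the code that appends to it lives outside this diff (the diffstat is limited to `include`), so I cannot confirm it checks `num_protos < PROTO_CTX_NUM_PROTOS` before writing, and if it does not, a large set literal turns into a write past the end of `protos[]` into the neighbouring `protocol[]` slot. I would state the contract next to the define, e.g. `/* upper bound on distinct protocols one set may select per base; updates beyond it must be rejected, never written */`, so the implementation and any future caller share it. On the two new prototypes: they omit the `extern` that every neighbouring declaration carries, `proto_ctx_is_ambiguous` names its parameter `bases` while the rest of this API says `base`, and both take a non-const `struct proto_ctx *` although their names suggest read-only queries, so `const struct proto_ctx *ctx` would be the tighter signature if the implementations allow it. Neither declaration documents its return value; `proto_ctx_find_conflict` in particular should say what it returns when no conflict exists (NULL, presumably).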