author | Florian Westphal <fw@strlen.de> | 2015-09-24 22:38:06 +0200 |
committer | Florian Westphal <fw@strlen.de> | 2015-11-06 14:51:36 +0100 |
commit | 775e7ff1f5ddaa3208ea2c9178d9e5d8890d9739 (patch) | |
tree | a599cc7782458e684cfd01f88b57b863c2128ea6 /src/meta.c | |
parent | b851ba4731d9f7c5e38889875a83173fcc4d3f16 (diff) |
src: allow filtering on L2 header in inet family
Error: conflicting protocols specified: inet vs. ether
tcp dport 22 iiftype ether ether saddr 00:0f:54:0c:11:4
^^^^^^^^^^^
This allows the implicit inet proto dependency to get replaced
by an ethernet one.
This is possible since by the time we detect the conflict the
meta dependency for the network protocol has already been added.
So we only need to add another dependency on the link-layer frame type.
Closes: http://bugzilla.netfilter.org/show_bug.cgi?id=981
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'src/meta.c')
-rw-r--r-- | src/meta.c | 24 |
1 files changed, 23 insertions, 1 deletions
@@ -19,6 +19,8 @@
 #include <net/if_arp.h>
 #include <pwd.h>
 #include <grp.h>
+#include <arpa/inet.h>
+#include <linux/netfilter.h>
 #include <linux/pkt_sched.h>
 #include <linux/if_packet.h>
@@ -468,7 +470,7 @@ static void meta_expr_pctx_update(struct proto_ctx *ctx,
 switch (left->meta.key) {
 case NFT_META_IIFTYPE:
- if (h->base < PROTO_BASE_NETWORK_HDR)
+ if (h->base < PROTO_BASE_NETWORK_HDR && ctx->family != NFPROTO_INET)
 return;
 desc = proto_dev_desc(mpz_get_uint16(right->value));
@@ -572,3 +574,23 @@ static void __init meta_init(void)
 datatype_register(&devgroup_type);
 datatype_register(&pkttype_type);
 }
+
+/*
+ * @expr: payload expression
+ * @res: dependency expression
+ *
+ * Generate a NFT_META_IIFTYPE expression to check for ethernet frames.
+ * Only works on input path.
+ */
+struct stmt *meta_stmt_meta_iiftype(const struct location *loc, uint16_t type)
+{
+ struct expr *dep, *left, *right;
+
+ left = meta_expr_alloc(loc, NFT_META_IIFTYPE);
+ right = constant_expr_alloc(loc, &arphrd_type,
+ BYTEORDER_HOST_ENDIAN,
+ 2 * BITS_PER_BYTE, &type);
+
+ dep = relational_expr_alloc(loc, OP_EQ, left, right);
+ return expr_stmt_alloc(&dep->location, dep);
+}
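Review bot: The new `ctx->family != NFPROTO_INET` exemption in the NFT_META_IIFTYPE case carries no comment, so the reason inet is treated differently (per the commit message, the network-layer meta dependency has already been added by the time this runs, so a link-layer dependency can be layered on top rather than conflicting) lives only in git history. Add `/* inet: the L3 dependency already exists, so an L2 (iiftype) dependency may be added on top */` above the `if`. The combined condition also looks to run past the 80-column width netfilter code generally keeps to; wrapping the `&&` clause onto a continuation line would match the surrounding style. meta_expr_pctx_update begins and ends outside this hunk, so whether `h` is always non-NULL at this point for the inet family cannot be confirmed from here.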
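Review bot: The header comment on the new meta_stmt_meta_iiftype() documents `@expr` and `@res`, neither of which is a parameter of this function; its parameters are `loc` and `type`, so the comment reads as copied from a payload helper and will mislead the next reader. Replace those two lines with `@loc: location attached to the generated expressions` and `@type: ARPHRD_* link layer type the incoming interface must match`, and since the function accepts any `type` rather than only Ethernet, reword the summary to say it generates an NFT_META_IIFTYPE == type relational statement. The address of the by-value `type` parameter is handed to constant_expr_alloc(); this is only safe if that allocator copies the 2 bytes rather than retaining the pointer, which the hunk does not show — worth confirming or noting in the comment.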