author | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-07-04 02:43:44 +0200 |
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-07-15 21:56:29 +0200 |
commit | c330152b7f7779f15dba3e0862bf5616e7cb3eab (patch) | |
tree | 49c9ab5d837ab99a23e15399acb7ea610606ecfc /src/netlink.c | |
parent | 1cba7a5e5e96dd920271823125b45e182f22ec82 (diff) |
src: support for implicit chain bindings
This patch allows you to group rules in a subchain, e.g.
table inet x {
chain y {
type filter hook input priority 0;
tcp dport 22 jump {
ip saddr { 127.0.0.0/8, 172.23.0.0/16, 192.168.13.0/24 } accept
ip6 saddr ::1/128 accept;
}
}
}
This also supports the `goto' chain verdict.
This patch adds a new chain binding list to avoid a chain list lookup from the
delinearize path for the usual chains. This can be simplified later on with a
single hashtable per table for all chains.
From the shell, you have to use the explicit separator ';', in bash you
have to escape this:
# nft add rule inet x y tcp dport 80 jump { ip saddr 127.0.0.1 accept\; ip6 saddr ::1 accept \; }
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/netlink.c')
-rw-r--r-- | src/netlink.c | 47 |
1 files changed, 30 insertions, 17 deletions
diff --git a/src/netlink.c b/src/netlink.c
index fb0a17ba..f752c3c9 100644
--- a/src/netlink.c
+++ b/src/netlink.c
@@ -269,31 +269,41 @@ static void netlink_gen_constant_data(const struct expr *expr,
 			    div_round_up(expr->len, BITS_PER_BYTE), data);
 }
 
-static void netlink_gen_verdict(const struct expr *expr,
-				struct nft_data_linearize *data)
+static void netlink_gen_chain(const struct expr *expr,
+			      struct nft_data_linearize *data)
 {
 	char chain[NFT_CHAIN_MAXNAMELEN];
 	unsigned int len;
 
-	data->verdict = expr->verdict;
+	len = expr->chain->len / BITS_PER_BYTE;
 
-	switch (expr->verdict) {
-	case NFT_JUMP:
-	case NFT_GOTO:
-		len = expr->chain->len / BITS_PER_BYTE;
+	if (!len)
+		BUG("chain length is 0");
 
-		if (!len)
-			BUG("chain length is 0");
+	if (len > sizeof(chain))
+		BUG("chain is too large (%u, %u max)",
+		    len, (unsigned int)sizeof(chain));
 
-		if (len > sizeof(chain))
-			BUG("chain is too large (%u, %u max)",
-			    len, (unsigned int)sizeof(chain));
+	memset(chain, 0, sizeof(chain));
 
-		memset(chain, 0, sizeof(chain));
+	mpz_export_data(chain, expr->chain->value,
+			BYTEORDER_HOST_ENDIAN, len);
+	snprintf(data->chain, NFT_CHAIN_MAXNAMELEN, "%s", chain);
+}
 
-		mpz_export_data(chain, expr->chain->value,
-				BYTEORDER_HOST_ENDIAN, len);
-		snprintf(data->chain, NFT_CHAIN_MAXNAMELEN, "%s", chain);
+static void netlink_gen_verdict(const struct expr *expr,
+				struct nft_data_linearize *data)
+{
+
+	data->verdict = expr->verdict;
+
+	switch (expr->verdict) {
+	case NFT_JUMP:
+	case NFT_GOTO:
+		if (expr->chain)
+			netlink_gen_chain(expr, data);
+		else
+			data->chain_id = expr->chain_id;
 		break;
 	}
 }
@@ -546,7 +556,10 @@ static int list_chain_cb(struct nftnl_chain *nlc, void *arg)
 		return 0;
 
 	chain = netlink_delinearize_chain(ctx, nlc);
-	list_add_tail(&chain->list, &ctx->list);
+	if (chain->flags & CHAIN_F_BINDING)
+		list_add_tail(&chain->list, &ctx->list_bindings);
+	else
+		list_add_tail(&chain->list, &ctx->list);
 
 	return 0;
 }
|
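Review bot: The size guard in netlink_gen_chain still admits `len == sizeof(chain)`, in which case mpz_export_data fills every byte of the stack buffer and the `"%s"` read in the following snprintf has no terminator to stop at, so it reads past the end of `chain`; the guard should be `if (len >= sizeof(chain))`. Whether a chain name that long can reach this function depends on the parser's own limit, which is outside this hunk, but the stricter check is free and makes the helper self-contained. Since the helper now dereferences expr->chain unconditionally and its only caller tests for NULL first, a one-line precondition comment above it, `/* Caller guarantees expr->chain != NULL (see netlink_gen_verdict) */`, would keep that contract visible. The empty line right after the opening brace of the rewritten netlink_gen_verdict looks like a leftover from the move and can be dropped.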
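Review bot: The new branch in list_chain_cb gives no hint why CHAIN_F_BINDING chains are filed on a separate list, and the reason (the commit message says the separate list avoids a chain-list lookup in the delinearize path) is not visible from the code; a comment above the `if`, `/* Implicit (bound) chains get their own list so the delinearize path does not scan them */`, would make the intent clear to the next reader. The condition also reads `chain->flags` before anything confirms netlink_delinearize_chain returned a valid object, whereas the old code only took an address; if that helper can return NULL, which this hunk does not show, the flag test should follow a NULL check. list_chain_cb's body begins before this hunk.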