author | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-07-04 02:43:44 +0200 |
---|---|---|
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2020-07-15 21:56:29 +0200 |
commit | c330152b7f7779f15dba3e0862bf5616e7cb3eab (patch) | |
tree | 49c9ab5d837ab99a23e15399acb7ea610606ecfc /src/netlink_delinearize.c | |
parent | 1cba7a5e5e96dd920271823125b45e182f22ec82 (diff) |
src: support for implicit chain bindings
This patch allows you to group rules in a subchain, e.g.
table inet x {
chain y {
type filter hook input priority 0;
tcp dport 22 jump {
ip saddr { 127.0.0.0/8, 172.23.0.0/16, 192.168.13.0/24 } accept
ip6 saddr ::1/128 accept;
}
}
}
This also adds support for the `goto' chain verdict.
This patch adds a new chain binding list to avoid a chain list lookup from the
delinearize path for the usual chains. This can be simplified later on with a
single hashtable per table for all chains.
From the shell, you have to use the explicit separator ';', in bash you
have to escape this:
# nft add rule inet x y tcp dport 80 jump { ip saddr 127.0.0.1 accept\; ip6 saddr ::1 accept \; }
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src/netlink_delinearize.c')
-rw-r--r-- | src/netlink_delinearize.c | 37 |
1 files changed, 33 insertions, 4 deletions
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index 7d7e07cf..d0438f44 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -163,6 +163,24 @@ err:
 return NULL;
 }
+static void netlink_parse_chain_verdict(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ struct expr *expr,
+ enum nft_verdicts verdict)
+{
+ char chain_name[NFT_CHAIN_MAXNAMELEN] = {};
+ struct chain *chain;
+
+ expr_chain_export(expr->chain, chain_name);
+ chain = chain_binding_lookup(ctx->table, chain_name);
+ if (chain) {
+ ctx->stmt = chain_stmt_alloc(loc, chain, verdict);
+ expr_free(expr);
+ } else {
+ ctx->stmt = verdict_stmt_alloc(loc, expr);
+ }
+}
+
 static void netlink_parse_immediate(struct netlink_parse_ctx *ctx,
 const struct location *loc,
 const struct nftnl_expr *nle)
@@ -182,12 +200,23 @@ static void netlink_parse_immediate(struct netlink_parse_ctx *ctx,
 }
 dreg = netlink_parse_register(nle, NFTNL_EXPR_IMM_DREG);
- expr = netlink_alloc_data(loc, &nld, dreg);
- if (dreg == NFT_REG_VERDICT)
- ctx->stmt = verdict_stmt_alloc(loc, expr);
- else
+
+ if (dreg == NFT_REG_VERDICT) {
+ switch (expr->verdict) {
+ case NFT_JUMP:
+ netlink_parse_chain_verdict(ctx, loc, expr, NFT_JUMP);
+ break;
+ case NFT_GOTO:
+ netlink_parse_chain_verdict(ctx, loc, expr, NFT_GOTO);
+ break;
+ default:
+ ctx->stmt = verdict_stmt_alloc(loc, expr);
+ break;
+ }
+ } else {
 netlink_set_register(ctx, dreg, expr);
+ }
 }
 static void netlink_parse_xfrm(struct netlink_parse_ctx *ctx, |
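Review bot: `netlink_parse_chain_verdict` hands `expr->chain` straight to `expr_chain_export` without a NULL check; the verdict expression is built from the kernel's immediate payload by `netlink_alloc_data` (outside this hunk), and a jump/goto immediate arriving without a chain attribute would presumably leave `expr->chain` unset, so the function should first fall back to the plain verdict path, `if (!expr->chain) { ctx->stmt = verdict_stmt_alloc(loc, expr); return; }`. The function also deserves a header comment stating the ownership contract the code shows but does not say: `expr` is consumed on both paths, freed when the name resolves to a bound chain and otherwise handed to `verdict_stmt_alloc`, so the caller must not touch it afterwards. Whether `chain_binding_lookup` tolerates a NULL `ctx->table`, and whether `expr_chain_export` always leaves a terminating NUL inside `NFT_CHAIN_MAXNAMELEN` (the zeroed buffer only guarantees that if it writes fewer than the full length), cannot be seen here and is worth confirming since `chain_name` is then used as a C string.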
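Review bot: As rendered, this hunk deletes `expr = netlink_alloc_data(loc, &nld, dreg);` and never adds it back, so the new `switch (expr->verdict)` and the retained `netlink_set_register(ctx, dreg, expr)` operate on a pointer that is no longer assigned anywhere in the function; if the line merely dropped out of the rendering it should remain as context, otherwise the assignment has to be restored ahead of `if (dreg == NFT_REG_VERDICT) {`. Separately, the `NFT_JUMP` and `NFT_GOTO` cases differ only in the constant that `expr->verdict` already holds, so they can be collapsed to `case NFT_JUMP: case NFT_GOTO: netlink_parse_chain_verdict(ctx, loc, expr, expr->verdict); break;` (assuming the field's type is compatible with the `enum nft_verdicts` parameter). The beginning of `netlink_parse_immediate` lies outside the hunk.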