diff options
author | Florian Westphal <fw@strlen.de> | 2016-09-15 17:28:00 +0200 |
---|---|---|
committer | Florian Westphal <fw@strlen.de> | 2016-10-28 13:17:44 +0200 |
commit | 4a75ed32132d8e2292dd276f3ea7f4edec4f3d06 (patch) | |
tree | 1c095dc262a953ebb816d1770ccbdef1724e3e00 /src/parser_bison.y | |
parent | dfd92948a0a88a9f245e71c1cfb63ae670e6e7c1 (diff) |
src: add fib expression
This adds the 'fib' expression which can be used to
obtain the output interface from the route table based on either
source or destination address of a packet.
This can be used to e.g. add reverse path filtering:
# drop if not coming from the same interface packet
# arrived on
# nft add rule x prerouting fib saddr . iif oif eq 0 drop
# accept only if from eth0
# nft add rule x prerouting fib saddr . iif oif eq "eth0" accept
# accept if from any valid interface
# nft add rule x prerouting fib saddr oif accept
Querying of address type is also supported. This can be used
to e.g. only accept packets to addresses configured in the same
interface:
# fib daddr . iif type local
Its also possible to use mark and verdict map, e.g.:
# nft add rule x prerouting meta mark set 0xdead fib daddr . mark type vmap {
blackhole : drop,
prohibit : drop,
unicast : accept
}
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'src/parser_bison.y')
-rw-r--r-- | src/parser_bison.y | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/src/parser_bison.y b/src/parser_bison.y index dc02fd23..106df271 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -162,10 +162,13 @@ static void location_update(struct location *loc, struct location *rhs, int n) %token DASH "-" %token AT "@" %token VMAP "vmap" +%token LOOKUP "lookup" %token INCLUDE "include" %token DEFINE "define" +%token FIB "fib" + %token HOOK "hook" %token DEVICE "device" %token TABLE "table" @@ -601,6 +604,10 @@ static void location_update(struct location *loc, struct location *rhs, int n) %destructor { expr_free($$); } ct_expr %type <val> ct_key ct_key_dir ct_key_counters +%type <expr> fib_expr +%destructor { expr_free($$); } fib_expr +%type <val> fib_tuple fib_result fib_flag + %type <val> export_format %type <string> monitor_event %destructor { xfree($$); } monitor_event @@ -2006,9 +2013,52 @@ primary_expr : symbol_expr { $$ = $1; } | ct_expr { $$ = $1; } | numgen_expr { $$ = $1; } | hash_expr { $$ = $1; } + | fib_expr { $$ = $1; } | '(' basic_expr ')' { $$ = $2; } ; +fib_expr : FIB fib_tuple fib_result + { + if (($2 & (NFTA_FIB_F_SADDR|NFTA_FIB_F_DADDR)) == 0) { + erec_queue(error(&@2, "fib: need either saddr or daddr"), state->msgs); + YYERROR; + } + + if (($2 & (NFTA_FIB_F_SADDR|NFTA_FIB_F_DADDR)) == + (NFTA_FIB_F_SADDR|NFTA_FIB_F_DADDR)) { + erec_queue(error(&@2, "fib: saddr and daddr are mutually exclusive"), state->msgs); + YYERROR; + } + + if (($2 & (NFTA_FIB_F_IIF|NFTA_FIB_F_OIF)) == + (NFTA_FIB_F_IIF|NFTA_FIB_F_OIF)) { + erec_queue(error(&@2, "fib: iif and oif are mutually exclusive"), state->msgs); + YYERROR; + } + + $$ = fib_expr_alloc(&@$, $2, $3); + } + ; + +fib_result : OIF { $$ =NFT_FIB_RESULT_OIF; } + | OIFNAME { $$ =NFT_FIB_RESULT_OIFNAME; } + | TYPE { $$ =NFT_FIB_RESULT_ADDRTYPE; } + ; + +fib_flag : SADDR { $$ = NFTA_FIB_F_SADDR; } + | DADDR { $$ = NFTA_FIB_F_DADDR; } + | MARK { $$ = NFTA_FIB_F_MARK; } + | IIF { $$ = NFTA_FIB_F_IIF; } + | OIF { $$ = NFTA_FIB_F_OIF; } + ; + +fib_tuple : fib_flag DOT fib_tuple + { + $$ = $1 | $3; + } + | fib_flag + ; + shift_expr : primary_expr | shift_expr LSHIFT primary_expr { |