diff options
| author | Fernando Fernandez Mancera <ffmancera@riseup.net> | 2018-10-23 17:06:22 +0200 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2018-10-23 17:46:47 +0200 |
| commit | 03eafe098d5eead786cbbe6f79348f05819cd99e (patch) | |
| tree | 852498d1288759dafa8773c04fc24e3f54d4512a /src | |
| parent | d7ef1e206bd9b36607dddcf337fada11d743b61f (diff) | |
osf: add ttl option support
Add support for ttl option in "osf" expression. Example:
table ip foo {
chain bar {
type filter hook input priority filter; policy accept;
osf ttl skip name "Linux"
}
}
Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'src')
| -rw-r--r-- | src/json.c | 2 | ||||
| -rw-r--r-- | src/netlink_delinearize.c | 5 | ||||
| -rw-r--r-- | src/netlink_linearize.c | 1 | ||||
| -rw-r--r-- | src/osf.c | 24 | ||||
| -rw-r--r-- | src/parser_bison.y | 25 | ||||
| -rw-r--r-- | src/parser_json.c | 5 |
6 files changed, 54 insertions, 8 deletions
@@ -857,7 +857,7 @@ json_t *socket_expr_json(const struct expr *expr, struct output_ctx *octx) json_t *osf_expr_json(const struct expr *expr, struct output_ctx *octx) { - return json_pack("{s:{s:s}}", "osf", "key", "name"); + return json_pack("{s:{s:i, s:s}}", "osf", "ttl", expr->osf.ttl, "key", "name"); } json_t *xfrm_expr_json(const struct expr *expr, struct output_ctx *octx) diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c index 3931127f..db1bf03e 100644 --- a/src/netlink_delinearize.c +++ b/src/netlink_delinearize.c @@ -655,8 +655,11 @@ static void netlink_parse_osf(struct netlink_parse_ctx *ctx, { enum nft_registers dreg; struct expr *expr; + uint8_t ttl; + + ttl = nftnl_expr_get_u8(nle, NFTNL_EXPR_OSF_TTL); + expr = osf_expr_alloc(loc, ttl); - expr = osf_expr_alloc(loc); dreg = netlink_parse_register(nle, NFTNL_EXPR_OSF_DREG); netlink_set_register(ctx, dreg, expr); } diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c index 0ac51bd0..0c8f5fe4 100644 --- a/src/netlink_linearize.c +++ b/src/netlink_linearize.c @@ -227,6 +227,7 @@ static void netlink_gen_osf(struct netlink_linearize_ctx *ctx, nle = alloc_nft_expr("osf"); netlink_put_register(nle, NFTNL_EXPR_OSF_DREG, dreg); + nftnl_expr_set_u8(nle, NFTNL_EXPR_OSF_TTL, expr->osf.ttl); nftnl_rule_add_expr(ctx->nlr, nle); } @@ -5,13 +5,31 @@ #include <osf.h> #include <json.h> +static const char *osf_ttl_int_to_str(const uint8_t ttl) +{ + if (ttl == 1) + return "ttl loose "; + else if (ttl == 2) + return "ttl skip "; + + return ""; +} + static void osf_expr_print(const struct expr *expr, struct output_ctx *octx) { - nft_print(octx, "osf name"); + const char *ttl_str = osf_ttl_int_to_str(expr->osf.ttl); + + nft_print(octx, "osf %sname", ttl_str); } static void osf_expr_clone(struct expr *new, const struct expr *expr) { + new->osf.ttl = expr->osf.ttl; +} + +static bool osf_expr_cmp(const struct expr *e1, const struct expr *e2) +{ + return e1->osf.ttl == e2->osf.ttl; } static const struct expr_ops osf_expr_ops = { @@ -19,10 +37,11 @@ static const struct expr_ops osf_expr_ops = { .name = "osf", .print = osf_expr_print, .clone = osf_expr_clone, + .cmp = osf_expr_cmp, .json = osf_expr_json, }; -struct expr *osf_expr_alloc(const struct location *loc) +struct expr *osf_expr_alloc(const struct location *loc, const uint8_t ttl) { unsigned int len = NFT_OSF_MAXGENRELEN * BITS_PER_BYTE; const struct datatype *type = &string_type; @@ -30,6 +49,7 @@ struct expr *osf_expr_alloc(const struct location *loc) expr = expr_alloc(loc, &osf_expr_ops, type, BYTEORDER_HOST_ENDIAN, len); + expr->osf.ttl = ttl; return expr; } diff --git a/src/parser_bison.y b/src/parser_bison.y index 36a98719..dfe30683 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -15,12 +15,14 @@ #include <inttypes.h> #include <syslog.h> #include <netinet/ip.h> +#include <netinet/tcp.h> #include <netinet/if_ether.h> #include <linux/netfilter.h> #include <linux/netfilter/nf_tables.h> #include <linux/netfilter/nf_conntrack_tuple_common.h> #include <linux/netfilter/nf_nat.h> #include <linux/netfilter/nf_log.h> +#include <linux/netfilter/nfnetlink_osf.h> #include <linux/xfrm.h> #include <netinet/ip_icmp.h> #include <netinet/icmp6.h> @@ -740,6 +742,7 @@ int nft_lex(void *, void *, void *); %type <val> fib_tuple fib_result fib_flag %type <expr> osf_expr +%type <val> osf_ttl %destructor { expr_free($$); } osf_expr %type <val> markup_format @@ -3173,9 +3176,27 @@ fib_tuple : fib_flag DOT fib_tuple | fib_flag ; -osf_expr : OSF NAME +osf_expr : OSF osf_ttl NAME { - $$ = osf_expr_alloc(&@$); + $$ = osf_expr_alloc(&@$, $2); + } + ; + +osf_ttl : /* empty */ + { + $$ = NF_OSF_TTL_TRUE; + } + | TTL STRING + { + if (!strcmp($2, "loose")) + $$ = NF_OSF_TTL_LESS; + else if (!strcmp($2, "skip")) + $$ = NF_OSF_TTL_NOCHECK; + else { + erec_queue(error(&@2, "invalid ttl option"), + state->msgs); + YYERROR; + } } ; diff --git a/src/parser_json.c b/src/parser_json.c index 7047c00d..fc0dc9a9 100644 --- a/src/parser_json.c +++ b/src/parser_json.c @@ -376,12 +376,13 @@ static struct expr *json_parse_osf_expr(struct json_ctx *ctx, const char *type, json_t *root) { const char *key; + uint8_t ttl; - if (json_unpack_err(ctx, root, "{s:s}", "key", &key)) + if (json_unpack_err(ctx, root, "{s:i, s:s}", "ttl", ttl,"key", &key)) return NULL; if (!strcmp(key, "name")) - return osf_expr_alloc(int_loc); + return osf_expr_alloc(int_loc, ttl); json_error(ctx, "Invalid osf key value."); return NULL; |