From 2250296370752e516dc367f1239753b15efbea94 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Sat, 23 Nov 2019 17:22:39 +0100 Subject: src: add ability to set/get secmarks to/from connection MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Labeling established and related packets requires the secmark to be stored in the connection. Add the ability to store and retrieve secmarks like: ... chain input { ... # label new incoming packets ct state new meta secmark set tcp dport map @secmapping_in # add label to connection ct state new ct secmark set meta secmark # set label for est/rel packets from connection ct state established,related meta secmark set ct secmark ... } ... chain output { ... # label new outgoing packets ct state new meta secmark set tcp dport map @secmapping_out # add label to connection ct state new ct secmark set meta secmark # set label for est/rel packets from connection ct state established,related meta secmark set ct secmark ... } ... This patch also disallow constant value on the right hand side. # nft add rule x y meta secmark 12 Error: Cannot be used with right hand side constant value add rule x y meta secmark 12 ~~~~~~~~~~~~ ^^ # nft add rule x y ct secmark 12 Error: Cannot be used with right hand side constant value add rule x y ct secmark 12 ~~~~~~~~~~ ^^ # nft add rule x y ct secmark set 12 Error: ct secmark must not be set to constant value add rule x y ct secmark set 12 ^^^^^^^^^^^^^^^^^ This patch improves 3bc84e5c1fdd ("src: add support for setting secmark"). Signed-off-by: Christian Göttsche Signed-off-by: Pablo Neira Ayuso --- src/parser_bison.y | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) (limited to 'src/parser_bison.y') diff --git a/src/parser_bison.y b/src/parser_bison.y index 631b7d68..707f4671 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -4190,9 +4190,16 @@ meta_stmt : META meta_key SET stmt_expr { switch ($2) { case NFT_META_SECMARK: - $$ = objref_stmt_alloc(&@$); - $$->objref.type = NFT_OBJECT_SECMARK; - $$->objref.expr = $4; + switch ($4->etype) { + case EXPR_CT: + $$ = meta_stmt_alloc(&@$, $2, $4); + break; + default: + $$ = objref_stmt_alloc(&@$); + $$->objref.type = NFT_OBJECT_SECMARK; + $$->objref.expr = $4; + break; + } break; default: $$ = meta_stmt_alloc(&@$, $2, $4); @@ -4388,6 +4395,7 @@ ct_key : L3PROTOCOL { $$ = NFT_CT_L3PROTOCOL; } | PROTO_DST { $$ = NFT_CT_PROTO_DST; } | LABEL { $$ = NFT_CT_LABELS; } | EVENT { $$ = NFT_CT_EVENTMASK; } + | SECMARK { $$ = NFT_CT_SECMARK; } | ct_key_dir_optional ; -- cgit v1.2.3