* [iptables PATCH v2 00/12] Implement among match support
@ 2019-09-27 14:04 Phil Sutter
2019-09-27 14:04 ` [iptables PATCH v2 01/12] nft: family_ops: Pass nft_handle to 'add' callback Phil Sutter
` (11 more replies)
0 siblings, 12 replies; 13+ messages in thread
From: Phil Sutter @ 2019-09-27 14:04 UTC (permalink / raw
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Changes since v1:
- Rebased onto my performance improvements patch series.
- Aligned set caching routines with changes in above series.
- Fixed patch ordering so builds are not broken intermittently.
- Replaced magic numbers by defines or offsetof() statements. Note that
I did not move any defines into libnftnl; the remaining ones are for
values in sets' key_type attribute which neither libnftnl nor kernel
care about. Setting that is merely for compatibility with nft tool.
This series ultimately adds among match support to ebtables-nft. The
implementation merely shares the user interface with legacy one,
internally the code is distinct: libebt_among.c does not make use of the
wormhash data structure but a much simpler one for "temporary" storage
of data until being converted into an anonymous set and associated
lookup expression.
Patches 1 to 5 implement required changes and are rather boring by
themselves: When converting an nftnl rule to iptables command state,
cache access is required (to lookup set references).
Patch 6 simplifies things a bit with the above in place.
Patches 7 to 11 implement anonymous set support.
Patch 12 then adds the actual among match implementation for
ebtables-nft.
Phil Sutter (12):
nft: family_ops: Pass nft_handle to 'add' callback
nft: family_ops: Pass nft_handle to 'rule_find' callback
nft: family_ops: Pass nft_handle to 'print_rule' callback
nft: family_ops: Pass nft_handle to 'rule_to_cs' callback
nft: Keep nft_handle pointer in nft_xt_ctx
nft: Eliminate pointless calls to nft_family_ops_lookup()
nft: Fetch sets when updating rule cache
nft: Support NFT_COMPAT_SET_ADD
nft: Bore up nft_parse_payload()
nft: Embed rule's table name in nft_xt_ctx
nft: Support parsing lookup expression
nft: bridge: Rudimental among extension support
extensions/libebt_among.c | 278 ++++++++++++++++++++
extensions/libebt_among.t | 16 ++
iptables/ebtables-nft.8 | 66 ++---
iptables/nft-arp.c | 13 +-
iptables/nft-bridge.c | 244 +++++++++++++++++-
iptables/nft-bridge.h | 21 ++
iptables/nft-ipv4.c | 10 +-
iptables/nft-ipv6.c | 10 +-
iptables/nft-shared.c | 70 +++---
iptables/nft-shared.h | 26 +-
iptables/nft.c | 502 +++++++++++++++++++++++++++++++++----
iptables/nft.h | 14 +-
iptables/xtables-eb.c | 1 +
iptables/xtables-monitor.c | 17 +-
iptables/xtables-save.c | 3 +
15 files changed, 1135 insertions(+), 156 deletions(-)
create mode 100644 extensions/libebt_among.c
create mode 100644 extensions/libebt_among.t
--
2.23.0
^ permalink raw reply [flat|nested] 13+ messages in thread
* [iptables PATCH v2 01/12] nft: family_ops: Pass nft_handle to 'add' callback
2019-09-27 14:04 [iptables PATCH v2 00/12] Implement among match support Phil Sutter
@ 2019-09-27 14:04 ` Phil Sutter
2019-09-27 14:04 ` [iptables PATCH v2 02/12] nft: family_ops: Pass nft_handle to 'rule_find' callback Phil Sutter
` (10 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Phil Sutter @ 2019-09-27 14:04 UTC (permalink / raw
To: Pablo Neira Ayuso; +Cc: netfilter-devel
In order for add_match() to create anonymous sets when converting
xtables matches it needs access to nft handle. So pass it along from
callers of family ops' add callback.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
iptables/nft-arp.c | 2 +-
iptables/nft-bridge.c | 5 +++--
iptables/nft-ipv4.c | 4 ++--
iptables/nft-ipv6.c | 4 ++--
iptables/nft-shared.h | 4 ++--
iptables/nft.c | 5 +++--
iptables/nft.h | 2 +-
7 files changed, 14 insertions(+), 12 deletions(-)
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index 9805bbe0de87b..d9a5f861eecb1 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -149,7 +149,7 @@ static bool need_devaddr(struct arpt_devaddr_info *info)
return false;
}
-static int nft_arp_add(struct nftnl_rule *r, void *data)
+static int nft_arp_add(struct nft_handle *h, struct nftnl_rule *r, void *data)
{
struct iptables_command_state *cs = data;
struct arpt_entry *fw = &cs->arp;
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index 2e4b309b86135..0fc21b3a3c0d6 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -126,7 +126,8 @@ static int _add_action(struct nftnl_rule *r, struct iptables_command_state *cs)
return add_action(r, cs, false);
}
-static int nft_bridge_add(struct nftnl_rule *r, void *data)
+static int nft_bridge_add(struct nft_handle *h,
+ struct nftnl_rule *r, void *data)
{
struct iptables_command_state *cs = data;
struct ebt_match *iter;
@@ -182,7 +183,7 @@ static int nft_bridge_add(struct nftnl_rule *r, void *data)
for (iter = cs->match_list; iter; iter = iter->next) {
if (iter->ismatch) {
- if (add_match(r, iter->u.match->m))
+ if (add_match(h, r, iter->u.match->m))
break;
} else {
if (add_target(r, iter->u.watcher->t))
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 4497eb9b9347c..57d1b3c6d2d0c 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -26,7 +26,7 @@
#include "nft.h"
#include "nft-shared.h"
-static int nft_ipv4_add(struct nftnl_rule *r, void *data)
+static int nft_ipv4_add(struct nft_handle *h, struct nftnl_rule *r, void *data)
{
struct iptables_command_state *cs = data;
struct xtables_rule_match *matchp;
@@ -77,7 +77,7 @@ static int nft_ipv4_add(struct nftnl_rule *r, void *data)
add_compat(r, cs->fw.ip.proto, cs->fw.ip.invflags & XT_INV_PROTO);
for (matchp = cs->matches; matchp; matchp = matchp->next) {
- ret = add_match(r, matchp->match->m);
+ ret = add_match(h, r, matchp->match->m);
if (ret < 0)
return ret;
}
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index cacb1c9e141f2..0e2c4a2946e25 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -25,7 +25,7 @@
#include "nft.h"
#include "nft-shared.h"
-static int nft_ipv6_add(struct nftnl_rule *r, void *data)
+static int nft_ipv6_add(struct nft_handle *h, struct nftnl_rule *r, void *data)
{
struct iptables_command_state *cs = data;
struct xtables_rule_match *matchp;
@@ -66,7 +66,7 @@ static int nft_ipv6_add(struct nftnl_rule *r, void *data)
add_compat(r, cs->fw6.ipv6.proto, cs->fw6.ipv6.invflags & XT_INV_PROTO);
for (matchp = cs->matches; matchp; matchp = matchp->next) {
- ret = add_match(r, matchp->match->m);
+ ret = add_match(h, r, matchp->match->m);
if (ret < 0)
return ret;
}
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index 3be8bafed60e9..0d0b3dff2b4d4 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -35,6 +35,7 @@
#define FMT(tab,notab) ((format) & FMT_NOTABLE ? (notab) : (tab))
struct xtables_args;
+struct nft_handle;
struct xt_xlate;
enum {
@@ -69,7 +70,7 @@ struct nft_xt_ctx {
};
struct nft_family_ops {
- int (*add)(struct nftnl_rule *r, void *data);
+ int (*add)(struct nft_handle *h, struct nftnl_rule *r, void *data);
bool (*is_same)(const void *data_a,
const void *data_b);
void (*print_payload)(struct nftnl_expr *e,
@@ -163,7 +164,6 @@ void save_matches_and_target(const struct iptables_command_state *cs,
struct nft_family_ops *nft_family_ops_lookup(int family);
-struct nft_handle;
void nft_ipv46_parse_target(struct xtables_target *t, void *data);
bool nft_ipv46_rule_find(struct nft_family_ops *ops, struct nftnl_rule *r,
void *data);
diff --git a/iptables/nft.c b/iptables/nft.c
index a19a691b4f906..34a93d7e79c7c 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1048,7 +1048,8 @@ static int add_nft_limit(struct nftnl_rule *r, struct xt_entry_match *m)
return 0;
}
-int add_match(struct nftnl_rule *r, struct xt_entry_match *m)
+int add_match(struct nft_handle *h,
+ struct nftnl_rule *r, struct xt_entry_match *m)
{
struct nftnl_expr *expr;
int ret;
@@ -1270,7 +1271,7 @@ nft_rule_new(struct nft_handle *h, const char *chain, const char *table,
nftnl_rule_set_str(r, NFTNL_RULE_TABLE, table);
nftnl_rule_set_str(r, NFTNL_RULE_CHAIN, chain);
- if (h->ops->add(r, data) < 0)
+ if (h->ops->add(h, r, data) < 0)
goto err;
return r;
diff --git a/iptables/nft.h b/iptables/nft.h
index 44377c0446942..94eb5759349bb 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -129,7 +129,7 @@ int nft_rule_zero_counters(struct nft_handle *h, const char *chain, const char *
*/
int add_counters(struct nftnl_rule *r, uint64_t packets, uint64_t bytes);
int add_verdict(struct nftnl_rule *r, int verdict);
-int add_match(struct nftnl_rule *r, struct xt_entry_match *m);
+int add_match(struct nft_handle *h, struct nftnl_rule *r, struct xt_entry_match *m);
int add_target(struct nftnl_rule *r, struct xt_entry_target *t);
int add_jumpto(struct nftnl_rule *r, const char *name, int verdict);
int add_action(struct nftnl_rule *r, struct iptables_command_state *cs, bool goto_set);
--
2.23.0
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [iptables PATCH v2 02/12] nft: family_ops: Pass nft_handle to 'rule_find' callback
2019-09-27 14:04 [iptables PATCH v2 00/12] Implement among match support Phil Sutter
2019-09-27 14:04 ` [iptables PATCH v2 01/12] nft: family_ops: Pass nft_handle to 'add' callback Phil Sutter
@ 2019-09-27 14:04 ` Phil Sutter
2019-09-27 14:04 ` [iptables PATCH v2 03/12] nft: family_ops: Pass nft_handle to 'print_rule' callback Phil Sutter
` (9 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Phil Sutter @ 2019-09-27 14:04 UTC (permalink / raw
To: Pablo Neira Ayuso; +Cc: netfilter-devel
In order to prepare for rules containing set references, nft handle has
to be passed to nft_rule_to_iptables_command_state() in order to let it
access the set in cache.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
iptables/nft-arp.c | 4 ++--
iptables/nft-bridge.c | 4 ++--
iptables/nft-shared.c | 7 +++----
iptables/nft-shared.h | 4 ++--
iptables/nft.c | 2 +-
5 files changed, 10 insertions(+), 11 deletions(-)
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index d9a5f861eecb1..78bcc3b4b6ffc 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -655,7 +655,7 @@ static bool nft_arp_is_same(const void *data_a,
(unsigned char *)b->arp.outiface_mask);
}
-static bool nft_arp_rule_find(struct nft_family_ops *ops, struct nftnl_rule *r,
+static bool nft_arp_rule_find(struct nft_handle *h, struct nftnl_rule *r,
void *data)
{
const struct iptables_command_state *cs = data;
@@ -676,7 +676,7 @@ static bool nft_arp_rule_find(struct nft_family_ops *ops, struct nftnl_rule *r,
ret = true;
out:
- ops->clear_cs(&this);
+ h->ops->clear_cs(&this);
return ret;
}
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index 0fc21b3a3c0d6..73bca2f38101e 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -537,7 +537,7 @@ static bool nft_bridge_is_same(const void *data_a, const void *data_b)
return strcmp(a->in, b->in) == 0 && strcmp(a->out, b->out) == 0;
}
-static bool nft_bridge_rule_find(struct nft_family_ops *ops, struct nftnl_rule *r,
+static bool nft_bridge_rule_find(struct nft_handle *h, struct nftnl_rule *r,
void *data)
{
struct iptables_command_state *cs = data;
@@ -568,7 +568,7 @@ static bool nft_bridge_rule_find(struct nft_family_ops *ops, struct nftnl_rule *
ret = true;
out:
- ops->clear_cs(&this);
+ h->ops->clear_cs(&this);
return ret;
}
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 6fd8ade5a1e59..b6d85f1af1da9 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -982,8 +982,7 @@ void nft_ipv46_parse_target(struct xtables_target *t, void *data)
cs->target = t;
}
-bool nft_ipv46_rule_find(struct nft_family_ops *ops,
- struct nftnl_rule *r, void *data)
+bool nft_ipv46_rule_find(struct nft_handle *h, struct nftnl_rule *r, void *data)
{
struct iptables_command_state *cs = data, this = {};
bool ret = false;
@@ -994,7 +993,7 @@ bool nft_ipv46_rule_find(struct nft_family_ops *ops,
#ifdef DEBUG_DEL
nft_rule_print_save(r, NFT_RULE_APPEND, 0);
#endif
- if (!ops->is_same(cs, &this))
+ if (!h->ops->is_same(cs, &this))
goto out;
if (!compare_matches(cs->matches, this.matches)) {
@@ -1014,7 +1013,7 @@ bool nft_ipv46_rule_find(struct nft_family_ops *ops,
ret = true;
out:
- ops->clear_cs(&this);
+ h->ops->clear_cs(&this);
return ret;
}
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index 0d0b3dff2b4d4..9b51a39d23f16 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -104,7 +104,7 @@ struct nft_family_ops {
void (*rule_to_cs)(const struct nftnl_rule *r,
struct iptables_command_state *cs);
void (*clear_cs)(struct iptables_command_state *cs);
- bool (*rule_find)(struct nft_family_ops *ops, struct nftnl_rule *r,
+ bool (*rule_find)(struct nft_handle *h, struct nftnl_rule *r,
void *data);
int (*xlate)(const void *data, struct xt_xlate *xl);
};
@@ -165,7 +165,7 @@ void save_matches_and_target(const struct iptables_command_state *cs,
struct nft_family_ops *nft_family_ops_lookup(int family);
void nft_ipv46_parse_target(struct xtables_target *t, void *data);
-bool nft_ipv46_rule_find(struct nft_family_ops *ops, struct nftnl_rule *r,
+bool nft_ipv46_rule_find(struct nft_handle *h, struct nftnl_rule *r,
void *data);
bool compare_matches(struct xtables_rule_match *mt1, struct xtables_rule_match *mt2);
diff --git a/iptables/nft.c b/iptables/nft.c
index 34a93d7e79c7c..b877f9aaf6dee 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -2336,7 +2336,7 @@ nft_rule_find(struct nft_handle *h, struct nftnl_chain *c, void *data, int rulen
r = nftnl_rule_iter_next(iter);
while (r != NULL) {
- found = h->ops->rule_find(h->ops, r, data);
+ found = h->ops->rule_find(h, r, data);
if (found)
break;
r = nftnl_rule_iter_next(iter);
--
2.23.0
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [iptables PATCH v2 03/12] nft: family_ops: Pass nft_handle to 'print_rule' callback
2019-09-27 14:04 [iptables PATCH v2 00/12] Implement among match support Phil Sutter
2019-09-27 14:04 ` [iptables PATCH v2 01/12] nft: family_ops: Pass nft_handle to 'add' callback Phil Sutter
2019-09-27 14:04 ` [iptables PATCH v2 02/12] nft: family_ops: Pass nft_handle to 'rule_find' callback Phil Sutter
@ 2019-09-27 14:04 ` Phil Sutter
2019-09-27 14:04 ` [iptables PATCH v2 04/12] nft: family_ops: Pass nft_handle to 'rule_to_cs' callback Phil Sutter
` (8 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Phil Sutter @ 2019-09-27 14:04 UTC (permalink / raw
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Prepare for 'rule_to_cs' callback to receive nft_handle pointer so it is
able to access cache for set lookups.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
iptables/nft-arp.c | 3 ++-
iptables/nft-bridge.c | 4 ++--
iptables/nft-ipv4.c | 4 ++--
iptables/nft-ipv6.c | 4 ++--
iptables/nft-shared.h | 4 ++--
iptables/nft.c | 19 ++++++++++---------
6 files changed, 20 insertions(+), 18 deletions(-)
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index 78bcc3b4b6ffc..8bc26c5271c00 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -605,7 +605,8 @@ nft_arp_save_rule(const void *data, unsigned int format)
}
static void
-nft_arp_print_rule(struct nftnl_rule *r, unsigned int num, unsigned int format)
+nft_arp_print_rule(struct nft_handle *h, struct nftnl_rule *r,
+ unsigned int num, unsigned int format)
{
struct iptables_command_state cs = {};
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index 73bca2f38101e..b0c6c5a4db3cd 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -472,8 +472,8 @@ static void nft_bridge_save_rule(const void *data, unsigned int format)
fputc('\n', stdout);
}
-static void nft_bridge_print_rule(struct nftnl_rule *r, unsigned int num,
- unsigned int format)
+static void nft_bridge_print_rule(struct nft_handle *h, struct nftnl_rule *r,
+ unsigned int num, unsigned int format)
{
struct iptables_command_state cs = {};
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 57d1b3c6d2d0c..98d7f966e3694 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -261,8 +261,8 @@ static void print_fragment(unsigned int flags, unsigned int invflags,
fputc(' ', stdout);
}
-static void nft_ipv4_print_rule(struct nftnl_rule *r, unsigned int num,
- unsigned int format)
+static void nft_ipv4_print_rule(struct nft_handle *h, struct nftnl_rule *r,
+ unsigned int num, unsigned int format)
{
struct iptables_command_state cs = {};
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 0e2c4a2946e25..56236bff03c2b 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -187,8 +187,8 @@ static void nft_ipv6_parse_immediate(const char *jumpto, bool nft_goto,
cs->fw6.ipv6.flags |= IP6T_F_GOTO;
}
-static void nft_ipv6_print_rule(struct nftnl_rule *r, unsigned int num,
- unsigned int format)
+static void nft_ipv6_print_rule(struct nft_handle *h, struct nftnl_rule *r,
+ unsigned int num, unsigned int format)
{
struct iptables_command_state cs = {};
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index 9b51a39d23f16..7501c1c2169d8 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -90,8 +90,8 @@ struct nft_family_ops {
const char *pol,
const struct xt_counters *counters, bool basechain,
uint32_t refs, uint32_t entries);
- void (*print_rule)(struct nftnl_rule *r, unsigned int num,
- unsigned int format);
+ void (*print_rule)(struct nft_handle *h, struct nftnl_rule *r,
+ unsigned int num, unsigned int format);
void (*save_rule)(const void *data, unsigned int format);
void (*save_counters)(const void *data);
void (*save_chain)(const struct nftnl_chain *c, const char *policy);
diff --git a/iptables/nft.c b/iptables/nft.c
index b877f9aaf6dee..0942dbe48fbb9 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1321,7 +1321,7 @@ nft_rule_append(struct nft_handle *h, const char *chain, const char *table,
}
if (verbose)
- h->ops->print_rule(r, 0, FMT_PRINT_RULE);
+ h->ops->print_rule(h, r, 0, FMT_PRINT_RULE);
if (ref) {
nftnl_chain_rule_insert_at(r, ref);
@@ -2364,7 +2364,7 @@ int nft_rule_check(struct nft_handle *h, const char *chain,
goto fail_enoent;
if (verbose)
- h->ops->print_rule(r, 0, FMT_PRINT_RULE);
+ h->ops->print_rule(h, r, 0, FMT_PRINT_RULE);
return 1;
fail_enoent:
@@ -2393,7 +2393,7 @@ int nft_rule_delete(struct nft_handle *h, const char *chain,
if (ret < 0)
errno = ENOMEM;
if (verbose)
- h->ops->print_rule(r, 0, FMT_PRINT_RULE);
+ h->ops->print_rule(h, r, 0, FMT_PRINT_RULE);
} else
errno = ENOENT;
@@ -2434,7 +2434,7 @@ nft_rule_add(struct nft_handle *h, const char *chain,
}
if (verbose)
- h->ops->print_rule(r, 0, FMT_PRINT_RULE);
+ h->ops->print_rule(h, r, 0, FMT_PRINT_RULE);
return r;
}
@@ -2543,8 +2543,8 @@ int nft_rule_replace(struct nft_handle *h, const char *chain,
static int
__nft_rule_list(struct nft_handle *h, struct nftnl_chain *c,
int rulenum, unsigned int format,
- void (*cb)(struct nftnl_rule *r, unsigned int num,
- unsigned int format))
+ void (*cb)(struct nft_handle *h, struct nftnl_rule *r,
+ unsigned int num, unsigned int format))
{
struct nftnl_rule_iter *iter;
struct nftnl_rule *r;
@@ -2557,7 +2557,7 @@ __nft_rule_list(struct nft_handle *h, struct nftnl_chain *c,
* valid chain but invalid rule number
*/
return 1;
- cb(r, rulenum, format);
+ cb(h, r, rulenum, format);
return 1;
}
@@ -2567,7 +2567,7 @@ __nft_rule_list(struct nft_handle *h, struct nftnl_chain *c,
r = nftnl_rule_iter_next(iter);
while (r != NULL) {
- cb(r, ++rule_ctr, format);
+ cb(h, r, ++rule_ctr, format);
r = nftnl_rule_iter_next(iter);
}
@@ -2671,7 +2671,8 @@ int nft_rule_list(struct nft_handle *h, const char *chain, const char *table,
}
static void
-list_save(struct nftnl_rule *r, unsigned int num, unsigned int format)
+list_save(struct nft_handle *h, struct nftnl_rule *r,
+ unsigned int num, unsigned int format)
{
nft_rule_print_save(r, NFT_RULE_APPEND, format);
}
--
2.23.0
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [iptables PATCH v2 04/12] nft: family_ops: Pass nft_handle to 'rule_to_cs' callback
2019-09-27 14:04 [iptables PATCH v2 00/12] Implement among match support Phil Sutter
` (2 preceding siblings ...)
2019-09-27 14:04 ` [iptables PATCH v2 03/12] nft: family_ops: Pass nft_handle to 'print_rule' callback Phil Sutter
@ 2019-09-27 14:04 ` Phil Sutter
2019-09-27 14:04 ` [iptables PATCH v2 05/12] nft: Keep nft_handle pointer in nft_xt_ctx Phil Sutter
` (7 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Phil Sutter @ 2019-09-27 14:04 UTC (permalink / raw
To: Pablo Neira Ayuso; +Cc: netfilter-devel
This is the actual callback used to parse nftables rules. Pass
nft_handle to it so it can access the cache (and possible sets therein).
Having to pass nft_handle to nft_rule_print_save() allows to simplify it
a bit since no family ops lookup has to be done anymore.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
iptables/nft-arp.c | 4 ++--
iptables/nft-bridge.c | 9 +++++----
iptables/nft-ipv4.c | 2 +-
iptables/nft-ipv6.c | 2 +-
iptables/nft-shared.c | 5 +++--
iptables/nft-shared.h | 5 +++--
iptables/nft.c | 29 +++++++++++++----------------
iptables/nft.h | 4 ++--
iptables/xtables-monitor.c | 17 +++++++++++++++--
iptables/xtables-save.c | 3 +++
10 files changed, 48 insertions(+), 32 deletions(-)
diff --git a/iptables/nft-arp.c b/iptables/nft-arp.c
index 8bc26c5271c00..2e0d73484bec7 100644
--- a/iptables/nft-arp.c
+++ b/iptables/nft-arp.c
@@ -613,7 +613,7 @@ nft_arp_print_rule(struct nft_handle *h, struct nftnl_rule *r,
if (format & FMT_LINENUMBERS)
printf("%u ", num);
- nft_rule_to_iptables_command_state(r, &cs);
+ nft_rule_to_iptables_command_state(h, r, &cs);
nft_arp_print_rule_details(&cs, format);
print_matches_and_target(&cs, format);
@@ -664,7 +664,7 @@ static bool nft_arp_rule_find(struct nft_handle *h, struct nftnl_rule *r,
bool ret = false;
/* Delete by matching rule case */
- nft_rule_to_iptables_command_state(r, &this);
+ nft_rule_to_iptables_command_state(h, r, &this);
if (!nft_arp_is_same(&cs->arp, &this.arp))
goto out;
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index b0c6c5a4db3cd..20ce92a6d5242 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -333,11 +333,12 @@ static void nft_bridge_parse_target(struct xtables_target *t, void *data)
cs->target = t;
}
-static void nft_rule_to_ebtables_command_state(const struct nftnl_rule *r,
+static void nft_rule_to_ebtables_command_state(struct nft_handle *h,
+ const struct nftnl_rule *r,
struct iptables_command_state *cs)
{
cs->eb.bitmask = EBT_NOPROTO;
- nft_rule_to_iptables_command_state(r, cs);
+ nft_rule_to_iptables_command_state(h, r, cs);
}
static void print_iface(const char *option, const char *name, bool invert)
@@ -480,7 +481,7 @@ static void nft_bridge_print_rule(struct nft_handle *h, struct nftnl_rule *r,
if (format & FMT_LINENUMBERS)
printf("%d ", num);
- nft_rule_to_ebtables_command_state(r, &cs);
+ nft_rule_to_ebtables_command_state(h, r, &cs);
nft_bridge_save_rule(&cs, format);
ebt_cs_clean(&cs);
}
@@ -544,7 +545,7 @@ static bool nft_bridge_rule_find(struct nft_handle *h, struct nftnl_rule *r,
struct iptables_command_state this = {};
bool ret = false;
- nft_rule_to_ebtables_command_state(r, &this);
+ nft_rule_to_ebtables_command_state(h, r, &this);
DEBUGP("comparing with... ");
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 98d7f966e3694..70634f8fad84d 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -266,7 +266,7 @@ static void nft_ipv4_print_rule(struct nft_handle *h, struct nftnl_rule *r,
{
struct iptables_command_state cs = {};
- nft_rule_to_iptables_command_state(r, &cs);
+ nft_rule_to_iptables_command_state(h, r, &cs);
print_rule_details(&cs, cs.jumpto, cs.fw.ip.flags,
cs.fw.ip.invflags, cs.fw.ip.proto, num, format);
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 56236bff03c2b..d01491bfdb689 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -192,7 +192,7 @@ static void nft_ipv6_print_rule(struct nft_handle *h, struct nftnl_rule *r,
{
struct iptables_command_state cs = {};
- nft_rule_to_iptables_command_state(r, &cs);
+ nft_rule_to_iptables_command_state(h, r, &cs);
print_rule_details(&cs, cs.jumpto, cs.fw6.ipv6.flags,
cs.fw6.ipv6.invflags, cs.fw6.ipv6.proto,
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index b6d85f1af1da9..bdbd3238b2890 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -591,7 +591,8 @@ static void nft_parse_limit(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
ops->parse_match(match, ctx->cs);
}
-void nft_rule_to_iptables_command_state(const struct nftnl_rule *r,
+void nft_rule_to_iptables_command_state(struct nft_handle *h,
+ const struct nftnl_rule *r,
struct iptables_command_state *cs)
{
struct nftnl_expr_iter *iter;
@@ -987,7 +988,7 @@ bool nft_ipv46_rule_find(struct nft_handle *h, struct nftnl_rule *r, void *data)
struct iptables_command_state *cs = data, this = {};
bool ret = false;
- nft_rule_to_iptables_command_state(r, &this);
+ nft_rule_to_iptables_command_state(h, r, &this);
DEBUGP("comparing with... ");
#ifdef DEBUG_DEL
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index 7501c1c2169d8..947a4eb00c4d4 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -101,7 +101,7 @@ struct nft_family_ops {
struct xtables_args *args);
void (*parse_match)(struct xtables_match *m, void *data);
void (*parse_target)(struct xtables_target *t, void *data);
- void (*rule_to_cs)(const struct nftnl_rule *r,
+ void (*rule_to_cs)(struct nft_handle *h, const struct nftnl_rule *r,
struct iptables_command_state *cs);
void (*clear_cs)(struct iptables_command_state *cs);
bool (*rule_find)(struct nft_handle *h, struct nftnl_rule *r,
@@ -138,7 +138,8 @@ int parse_meta(struct nftnl_expr *e, uint8_t key, char *iniface,
unsigned char *outiface_mask, uint8_t *invflags);
void print_proto(uint16_t proto, int invert);
void get_cmp_data(struct nftnl_expr *e, void *data, size_t dlen, bool *inv);
-void nft_rule_to_iptables_command_state(const struct nftnl_rule *r,
+void nft_rule_to_iptables_command_state(struct nft_handle *h,
+ const struct nftnl_rule *r,
struct iptables_command_state *cs);
void nft_clear_iptables_command_state(struct iptables_command_state *cs);
void print_header(unsigned int format, const char *chain, const char *pol,
diff --git a/iptables/nft.c b/iptables/nft.c
index 0942dbe48fbb9..66d318b721551 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -386,7 +386,7 @@ static int mnl_append_error(const struct nft_handle *h,
nftnl_rule_get_str(o->rule, NFTNL_RULE_CHAIN));
#if 0
{
- nft_rule_print_save(o->rule, NFT_RULE_APPEND, FMT_NOCOUNTS);
+ nft_rule_print_save(h, o->rule, NFT_RULE_APPEND, FMT_NOCOUNTS);
}
#endif
break;
@@ -1339,19 +1339,16 @@ nft_rule_append(struct nft_handle *h, const char *chain, const char *table,
}
void
-nft_rule_print_save(const struct nftnl_rule *r, enum nft_rule_print type,
- unsigned int format)
+nft_rule_print_save(struct nft_handle *h, const struct nftnl_rule *r,
+ enum nft_rule_print type, unsigned int format)
{
const char *chain = nftnl_rule_get_str(r, NFTNL_RULE_CHAIN);
- int family = nftnl_rule_get_u32(r, NFTNL_RULE_FAMILY);
struct iptables_command_state cs = {};
- struct nft_family_ops *ops;
- ops = nft_family_ops_lookup(family);
- ops->rule_to_cs(r, &cs);
+ h->ops->rule_to_cs(h, r, &cs);
- if (!(format & (FMT_NOCOUNTS | FMT_C_COUNTS)) && ops->save_counters)
- ops->save_counters(&cs);
+ if (!(format & (FMT_NOCOUNTS | FMT_C_COUNTS)) && h->ops->save_counters)
+ h->ops->save_counters(&cs);
/* print chain name */
switch(type) {
@@ -1363,11 +1360,11 @@ nft_rule_print_save(const struct nftnl_rule *r, enum nft_rule_print type,
break;
}
- if (ops->save_rule)
- ops->save_rule(&cs, format);
+ if (h->ops->save_rule)
+ h->ops->save_rule(&cs, format);
- if (ops->clear_cs)
- ops->clear_cs(&cs);
+ if (h->ops->clear_cs)
+ h->ops->clear_cs(&cs);
}
struct nftnl_chain_list_cb_data {
@@ -1813,7 +1810,7 @@ static int nft_chain_save_rules(struct nft_handle *h,
r = nftnl_rule_iter_next(iter);
while (r != NULL) {
- nft_rule_print_save(r, NFT_RULE_APPEND, format);
+ nft_rule_print_save(h, r, NFT_RULE_APPEND, format);
r = nftnl_rule_iter_next(iter);
}
@@ -2674,7 +2671,7 @@ static void
list_save(struct nft_handle *h, struct nftnl_rule *r,
unsigned int num, unsigned int format)
{
- nft_rule_print_save(r, NFT_RULE_APPEND, format);
+ nft_rule_print_save(h, r, NFT_RULE_APPEND, format);
}
static int __nftnl_rule_list_chain_save(struct nftnl_chain *c, void *data)
@@ -2786,7 +2783,7 @@ int nft_rule_zero_counters(struct nft_handle *h, const char *chain,
goto error;
}
- nft_rule_to_iptables_command_state(r, &cs);
+ nft_rule_to_iptables_command_state(h, r, &cs);
cs.counters.pcnt = cs.counters.bcnt = 0;
diff --git a/iptables/nft.h b/iptables/nft.h
index 94eb5759349bb..bb88f0b796f02 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -140,8 +140,8 @@ enum nft_rule_print {
NFT_RULE_DEL,
};
-void nft_rule_print_save(const struct nftnl_rule *r, enum nft_rule_print type,
- unsigned int format);
+void nft_rule_print_save(struct nft_handle *h, const struct nftnl_rule *r,
+ enum nft_rule_print type, unsigned int format);
uint32_t nft_invflags2cmp(uint32_t invflags, uint32_t flag);
diff --git a/iptables/xtables-monitor.c b/iptables/xtables-monitor.c
index eb80bac81c645..a5245d1422af9 100644
--- a/iptables/xtables-monitor.c
+++ b/iptables/xtables-monitor.c
@@ -11,6 +11,7 @@
#define _GNU_SOURCE
#include "config.h"
+#include <errno.h>
#include <stdlib.h>
#include <time.h>
#include <string.h>
@@ -41,6 +42,7 @@
struct cb_arg {
uint32_t nfproto;
bool is_event;
+ struct nft_handle *h;
};
static int table_cb(const struct nlmsghdr *nlh, void *data)
@@ -106,7 +108,7 @@ static int rule_cb(const struct nlmsghdr *nlh, void *data)
}
printf("-t %s ", nftnl_rule_get_str(r, NFTNL_RULE_TABLE));
- nft_rule_print_save(r, type == NFT_MSG_NEWRULE ? NFT_RULE_APPEND :
+ nft_rule_print_save(arg->h, r, type == NFT_MSG_NEWRULE ? NFT_RULE_APPEND :
NFT_RULE_DEL,
counters ? 0 : FMT_NOCOUNTS);
err_free:
@@ -593,7 +595,10 @@ int xtables_monitor_main(int argc, char *argv[])
struct mnl_socket *nl;
char buf[MNL_SOCKET_BUFFER_SIZE];
uint32_t nfgroup = 0;
- struct cb_arg cb_arg = {};
+ struct nft_handle h = {};
+ struct cb_arg cb_arg = {
+ .h = &h,
+ };
int ret, c;
xtables_globals.program_name = "xtables-monitor";
@@ -610,6 +615,14 @@ int xtables_monitor_main(int argc, char *argv[])
init_extensions4();
#endif
+ if (nft_init(&h, xtables_ipv4)) {
+ fprintf(stderr, "%s/%s Failed to initialize nft: %s\n",
+ xtables_globals.program_name,
+ xtables_globals.program_version,
+ strerror(errno));
+ exit(EXIT_FAILURE);
+ }
+
opterr = 0;
while ((c = getopt_long(argc, argv, "ceht46V", options, NULL)) != -1) {
switch (c) {
diff --git a/iptables/xtables-save.c b/iptables/xtables-save.c
index 000104d3b51ae..8f89f370469e7 100644
--- a/iptables/xtables-save.c
+++ b/iptables/xtables-save.c
@@ -248,6 +248,9 @@ xtables_save_main(int family, int argc, char *argv[],
strerror(errno));
exit(EXIT_FAILURE);
}
+ h.ops = nft_family_ops_lookup(h.family);
+ if (!h.ops)
+ xtables_error(PARAMETER_PROBLEM, "Unknown family");
ret = do_output(&h, tablename, &d);
nft_fini(&h);
--
2.23.0
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [iptables PATCH v2 05/12] nft: Keep nft_handle pointer in nft_xt_ctx
2019-09-27 14:04 [iptables PATCH v2 00/12] Implement among match support Phil Sutter
` (3 preceding siblings ...)
2019-09-27 14:04 ` [iptables PATCH v2 04/12] nft: family_ops: Pass nft_handle to 'rule_to_cs' callback Phil Sutter
@ 2019-09-27 14:04 ` Phil Sutter
2019-09-27 14:04 ` [iptables PATCH v2 06/12] nft: Eliminate pointless calls to nft_family_ops_lookup() Phil Sutter
` (6 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Phil Sutter @ 2019-09-27 14:04 UTC (permalink / raw
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Instead of carrying the family value, carry the handle (which contains
the family value) and relieve expression parsers from having to call
nft_family_ops_lookup().
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
iptables/nft-shared.c | 40 ++++++++++++++--------------------------
iptables/nft-shared.h | 2 +-
2 files changed, 15 insertions(+), 27 deletions(-)
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index bdbd3238b2890..80d4e1fcdcea1 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -310,7 +310,6 @@ static void nft_parse_target(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
struct xtables_target *target;
struct xt_entry_target *t;
size_t size;
- struct nft_family_ops *ops;
void *data = ctx->cs;
target = xtables_find_target(targname, XTF_TRY_LOAD);
@@ -327,8 +326,7 @@ static void nft_parse_target(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
target->t = t;
- ops = nft_family_ops_lookup(ctx->family);
- ops->parse_target(target, data);
+ ctx->h->ops->parse_target(target, data);
}
static void nft_parse_match(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
@@ -339,9 +337,8 @@ static void nft_parse_match(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
struct xtables_match *match;
struct xtables_rule_match **matches;
struct xt_entry_match *m;
- struct nft_family_ops *ops;
- switch (ctx->family) {
+ switch (ctx->h->family) {
case NFPROTO_IPV4:
case NFPROTO_IPV6:
case NFPROTO_BRIDGE:
@@ -349,7 +346,7 @@ static void nft_parse_match(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
break;
default:
fprintf(stderr, "BUG: nft_parse_match() unknown family %d\n",
- ctx->family);
+ ctx->h->family);
exit(EXIT_FAILURE);
}
@@ -365,9 +362,8 @@ static void nft_parse_match(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
match->m = m;
- ops = nft_family_ops_lookup(ctx->family);
- if (ops->parse_match != NULL)
- ops->parse_match(match, ctx->cs);
+ if (ctx->h->ops->parse_match != NULL)
+ ctx->h->ops->parse_match(match, ctx->cs);
}
void print_proto(uint16_t proto, int invert)
@@ -400,7 +396,6 @@ void get_cmp_data(struct nftnl_expr *e, void *data, size_t dlen, bool *inv)
static void nft_meta_set_to_target(struct nft_xt_ctx *ctx)
{
- const struct nft_family_ops *ops;
struct xtables_target *target;
struct xt_entry_target *t;
unsigned int size;
@@ -429,8 +424,7 @@ static void nft_meta_set_to_target(struct nft_xt_ctx *ctx)
target->t = t;
- ops = nft_family_ops_lookup(ctx->family);
- ops->parse_target(target, ctx->cs);
+ ctx->h->ops->parse_target(target, ctx->cs);
}
static void nft_parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
@@ -474,7 +468,6 @@ static void nft_parse_bitwise(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
static void nft_parse_cmp(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
{
- struct nft_family_ops *ops = nft_family_ops_lookup(ctx->family);
void *data = ctx->cs;
uint32_t reg;
@@ -483,12 +476,12 @@ static void nft_parse_cmp(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
return;
if (ctx->flags & NFT_XT_CTX_META) {
- ops->parse_meta(ctx, e, data);
+ ctx->h->ops->parse_meta(ctx, e, data);
ctx->flags &= ~NFT_XT_CTX_META;
}
/* bitwise context is interpreted from payload */
if (ctx->flags & NFT_XT_CTX_PAYLOAD) {
- ops->parse_payload(ctx, e, data);
+ ctx->h->ops->parse_payload(ctx, e, data);
ctx->flags &= ~NFT_XT_CTX_PAYLOAD;
}
}
@@ -502,7 +495,6 @@ static void nft_parse_counter(struct nftnl_expr *e, struct xt_counters *counters
static void nft_parse_immediate(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
{
const char *chain = nftnl_expr_get_str(e, NFTNL_EXPR_IMM_CHAIN);
- struct nft_family_ops *ops;
const char *jumpto = NULL;
bool nft_goto = false;
void *data = ctx->cs;
@@ -544,8 +536,7 @@ static void nft_parse_immediate(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
break;
}
- ops = nft_family_ops_lookup(ctx->family);
- ops->parse_immediate(jumpto, nft_goto, data);
+ ctx->h->ops->parse_immediate(jumpto, nft_goto, data);
}
static void nft_parse_limit(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
@@ -555,11 +546,10 @@ static void nft_parse_limit(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
__u64 rate = nftnl_expr_get_u64(e, NFTNL_EXPR_LIMIT_RATE);
struct xtables_rule_match **matches;
struct xtables_match *match;
- struct nft_family_ops *ops;
struct xt_rateinfo *rinfo;
size_t size;
- switch (ctx->family) {
+ switch (ctx->h->family) {
case NFPROTO_IPV4:
case NFPROTO_IPV6:
case NFPROTO_BRIDGE:
@@ -567,7 +557,7 @@ static void nft_parse_limit(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
break;
default:
fprintf(stderr, "BUG: nft_parse_limit() unknown family %d\n",
- ctx->family);
+ ctx->h->family);
exit(EXIT_FAILURE);
}
@@ -586,9 +576,8 @@ static void nft_parse_limit(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
rinfo->avg = XT_LIMIT_SCALE * unit / rate;
rinfo->burst = burst;
- ops = nft_family_ops_lookup(ctx->family);
- if (ops->parse_match != NULL)
- ops->parse_match(match, ctx->cs);
+ if (ctx->h->ops->parse_match != NULL)
+ ctx->h->ops->parse_match(match, ctx->cs);
}
void nft_rule_to_iptables_command_state(struct nft_handle *h,
@@ -597,10 +586,9 @@ void nft_rule_to_iptables_command_state(struct nft_handle *h,
{
struct nftnl_expr_iter *iter;
struct nftnl_expr *expr;
- int family = nftnl_rule_get_u32(r, NFTNL_RULE_FAMILY);
struct nft_xt_ctx ctx = {
.cs = cs,
- .family = family,
+ .h = h,
};
iter = nftnl_expr_iter_create(r);
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index 947a4eb00c4d4..efc40e7714e0f 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -48,7 +48,7 @@ enum {
struct nft_xt_ctx {
struct iptables_command_state *cs;
struct nftnl_expr_iter *iter;
- int family;
+ struct nft_handle *h;
uint32_t flags;
uint32_t reg;
--
2.23.0
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [iptables PATCH v2 06/12] nft: Eliminate pointless calls to nft_family_ops_lookup()
2019-09-27 14:04 [iptables PATCH v2 00/12] Implement among match support Phil Sutter
` (4 preceding siblings ...)
2019-09-27 14:04 ` [iptables PATCH v2 05/12] nft: Keep nft_handle pointer in nft_xt_ctx Phil Sutter
@ 2019-09-27 14:04 ` Phil Sutter
2019-09-27 14:04 ` [iptables PATCH v2 07/12] nft: Fetch sets when updating rule cache Phil Sutter
` (5 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Phil Sutter @ 2019-09-27 14:04 UTC (permalink / raw
To: Pablo Neira Ayuso; +Cc: netfilter-devel
If nft_handle is available, use its 'ops' field instead of performing a
new lookup. For the same reason, there is no need to pass ops pointer to
__nft_print_header().
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
iptables/nft.c | 29 +++++++++++------------------
1 file changed, 11 insertions(+), 18 deletions(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index 66d318b721551..6977b8946d08f 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1757,11 +1757,8 @@ static const char *policy_name[NF_ACCEPT+1] = {
int nft_chain_save(struct nft_handle *h, struct nftnl_chain_list *list)
{
struct nftnl_chain_list_iter *iter;
- struct nft_family_ops *ops;
struct nftnl_chain *c;
- ops = nft_family_ops_lookup(h->family);
-
iter = nftnl_chain_list_iter_create(list);
if (iter == NULL)
return 0;
@@ -1787,8 +1784,8 @@ int nft_chain_save(struct nft_handle *h, struct nftnl_chain_list *list)
}
}
- if (ops->save_chain)
- ops->save_chain(c, policy);
+ if (h->ops->save_chain)
+ h->ops->save_chain(c, policy);
c = nftnl_chain_list_iter_next(iter);
}
@@ -2593,7 +2590,6 @@ static int nft_rule_count(struct nft_handle *h, struct nftnl_chain *c)
}
static void __nft_print_header(struct nft_handle *h,
- const struct nft_family_ops *ops,
struct nftnl_chain *c, unsigned int format)
{
const char *chain_name = nftnl_chain_get_str(c, NFTNL_CHAIN_NAME);
@@ -2609,14 +2605,13 @@ static void __nft_print_header(struct nft_handle *h,
if (nftnl_chain_is_set(c, NFTNL_CHAIN_POLICY))
pname = policy_name[nftnl_chain_get_u32(c, NFTNL_CHAIN_POLICY)];
- ops->print_header(format, chain_name, pname,
+ h->ops->print_header(format, chain_name, pname,
&ctrs, basechain, refs - entries, entries);
}
int nft_rule_list(struct nft_handle *h, const char *chain, const char *table,
int rulenum, unsigned int format)
{
- const struct nft_family_ops *ops;
struct nftnl_chain_list *list;
struct nftnl_chain_list_iter *iter;
struct nftnl_chain *c;
@@ -2625,8 +2620,6 @@ int nft_rule_list(struct nft_handle *h, const char *chain, const char *table,
nft_xt_builtin_init(h, table);
nft_assert_table_compatible(h, table, chain);
- ops = nft_family_ops_lookup(h->family);
-
list = nft_chain_list_get(h, table, chain);
if (!list)
return 0;
@@ -2637,11 +2630,11 @@ int nft_rule_list(struct nft_handle *h, const char *chain, const char *table,
return 0;
if (!rulenum) {
- if (ops->print_table_header)
- ops->print_table_header(table);
- __nft_print_header(h, ops, c, format);
+ if (h->ops->print_table_header)
+ h->ops->print_table_header(table);
+ __nft_print_header(h, c, format);
}
- __nft_rule_list(h, c, rulenum, format, ops->print_rule);
+ __nft_rule_list(h, c, rulenum, format, h->ops->print_rule);
return 1;
}
@@ -2649,16 +2642,16 @@ int nft_rule_list(struct nft_handle *h, const char *chain, const char *table,
if (iter == NULL)
return 0;
- if (ops->print_table_header)
- ops->print_table_header(table);
+ if (h->ops->print_table_header)
+ h->ops->print_table_header(table);
c = nftnl_chain_list_iter_next(iter);
while (c != NULL) {
if (found)
printf("\n");
- __nft_print_header(h, ops, c, format);
- __nft_rule_list(h, c, rulenum, format, ops->print_rule);
+ __nft_print_header(h, c, format);
+ __nft_rule_list(h, c, rulenum, format, h->ops->print_rule);
found = true;
c = nftnl_chain_list_iter_next(iter);
--
2.23.0
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [iptables PATCH v2 07/12] nft: Fetch sets when updating rule cache
2019-09-27 14:04 [iptables PATCH v2 00/12] Implement among match support Phil Sutter
` (5 preceding siblings ...)
2019-09-27 14:04 ` [iptables PATCH v2 06/12] nft: Eliminate pointless calls to nft_family_ops_lookup() Phil Sutter
@ 2019-09-27 14:04 ` Phil Sutter
2019-09-27 14:04 ` [iptables PATCH v2 08/12] nft: Support NFT_COMPAT_SET_ADD Phil Sutter
` (4 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Phil Sutter @ 2019-09-27 14:04 UTC (permalink / raw
To: Pablo Neira Ayuso; +Cc: netfilter-devel
In order to support anonymous sets, cache them along with their
elements.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
Changes since v1:
- Fix cache flushing: Since set fetching happens only if rules are
fetched, too, set list may be NULL so call nftnl_set_list_free() and
nftnl_set_list_foreach() conditionally.
- Support fetching only a specific set from kernel. Make sure no
duplicate element fetches happen by checking set element count. (If
non-zero, don't fetch elements.)
- When fetching rules for a single chain, fetch only that table's sets.
---
iptables/nft.c | 208 +++++++++++++++++++++++++++++++++++++++++++++++--
iptables/nft.h | 8 ++
2 files changed, 211 insertions(+), 5 deletions(-)
diff --git a/iptables/nft.c b/iptables/nft.c
index 6977b8946d08f..f46f13c2501e2 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -874,6 +874,14 @@ static int __flush_chain_cache(struct nftnl_chain *c, void *data)
return 0;
}
+static int __flush_set_cache(struct nftnl_set *s, void *data)
+{
+ nftnl_set_list_del(s);
+ nftnl_set_free(s);
+
+ return 0;
+}
+
static int flush_cache(struct nft_cache *c, const struct builtin_table *tables,
const char *tablename)
{
@@ -882,10 +890,14 @@ static int flush_cache(struct nft_cache *c, const struct builtin_table *tables,
if (tablename) {
table = __nft_table_builtin_find(tables, tablename);
- if (!table || !c->table[table->type].chains)
+ if (!table)
return 0;
- nftnl_chain_list_foreach(c->table[table->type].chains,
- __flush_chain_cache, NULL);
+ if (c->table[table->type].chains)
+ nftnl_chain_list_foreach(c->table[table->type].chains,
+ __flush_chain_cache, NULL);
+ if (c->table[table->type].sets)
+ nftnl_set_list_foreach(c->table[table->type].sets,
+ __flush_set_cache, NULL);
return 0;
}
@@ -898,6 +910,9 @@ static int flush_cache(struct nft_cache *c, const struct builtin_table *tables,
nftnl_chain_list_free(c->table[i].chains);
c->table[i].chains = NULL;
+ if (c->table[i].sets)
+ nftnl_set_list_free(c->table[i].sets);
+ c->table[i].sets = NULL;
}
nftnl_table_list_free(c->tables);
c->tables = NULL;
@@ -1457,6 +1472,159 @@ static int fetch_table_cache(struct nft_handle *h)
return 1;
}
+struct nftnl_set_list_cb_data {
+ struct nft_handle *h;
+ const struct builtin_table *t;
+};
+
+static int nftnl_set_list_cb(const struct nlmsghdr *nlh, void *data)
+{
+ struct nftnl_set_list_cb_data *d = data;
+ const struct builtin_table *t = d->t;
+ struct nftnl_set_list *list;
+ struct nft_handle *h = d->h;
+ const char *tname, *sname;
+ struct nftnl_set *s;
+
+ s = nftnl_set_alloc();
+ if (s == NULL)
+ return MNL_CB_OK;
+
+ if (nftnl_set_nlmsg_parse(nlh, s) < 0)
+ goto out_free;
+
+ tname = nftnl_set_get_str(s, NFTNL_SET_TABLE);
+
+ if (!t)
+ t = nft_table_builtin_find(h, tname);
+ else if (strcmp(t->name, tname))
+ goto out_free;
+
+ if (!t)
+ goto out_free;
+
+ list = h->cache->table[t->type].sets;
+ sname = nftnl_set_get_str(s, NFTNL_SET_NAME);
+
+ if (nftnl_set_list_lookup_byname(list, sname))
+ goto out_free;
+
+ nftnl_set_list_add_tail(s, list);
+
+ return MNL_CB_OK;
+out_free:
+ nftnl_set_free(s);
+ return MNL_CB_OK;
+}
+
+static int set_elem_cb(const struct nlmsghdr *nlh, void *data)
+{
+ return nftnl_set_elems_nlmsg_parse(nlh, data) ? -1 : MNL_CB_OK;
+}
+
+static bool set_has_elements(struct nftnl_set *s)
+{
+ struct nftnl_set_elems_iter *iter;
+ bool ret = false;
+
+ iter = nftnl_set_elems_iter_create(s);
+ if (iter) {
+ ret = !!nftnl_set_elems_iter_cur(iter);
+ nftnl_set_elems_iter_destroy(iter);
+ }
+ return ret;
+}
+
+static int set_fetch_elem_cb(struct nftnl_set *s, void *data)
+{
+ char buf[MNL_SOCKET_BUFFER_SIZE];
+ struct nft_handle *h = data;
+ struct nlmsghdr *nlh;
+
+ if (set_has_elements(s))
+ return 0;
+
+ nlh = nftnl_nlmsg_build_hdr(buf, NFT_MSG_GETSETELEM, h->family,
+ NLM_F_DUMP, h->seq);
+ nftnl_set_elems_nlmsg_build_payload(nlh, s);
+
+ return mnl_talk(h, nlh, set_elem_cb, s);
+}
+
+static int fetch_set_cache(struct nft_handle *h,
+ const struct builtin_table *t, const char *set)
+{
+ struct nftnl_set_list_cb_data d = {
+ .h = h,
+ .t = t,
+ };
+ struct nlmsghdr *nlh;
+ char buf[16536];
+ int i, ret;
+
+ if (!t) {
+ fetch_table_cache(h);
+
+ for (i = 0; i < NFT_TABLE_MAX; i++) {
+ enum nft_table_type type = h->tables[i].type;
+
+ if (!h->tables[i].name)
+ continue;
+
+ h->cache->table[type].sets = nftnl_set_list_alloc();
+ if (!h->cache->table[type].sets)
+ return -1;
+ }
+ } else if (!h->cache->table[t->type].sets) {
+ h->cache->table[t->type].sets = nftnl_set_list_alloc();
+ }
+
+ if (t && set) {
+ struct nftnl_set *s = nftnl_set_alloc();
+
+ if (!s)
+ return -1;
+
+ nlh = nftnl_set_nlmsg_build_hdr(buf, NFT_MSG_GETSET, h->family,
+ NLM_F_ACK, h->seq);
+ nftnl_set_set_str(s, NFTNL_SET_TABLE, t->name);
+ nftnl_set_set_str(s, NFTNL_SET_NAME, set);
+ nftnl_set_nlmsg_build_payload(nlh, s);
+ nftnl_set_free(s);
+ } else {
+ nlh = nftnl_set_nlmsg_build_hdr(buf, NFT_MSG_GETSET, h->family,
+ NLM_F_DUMP, h->seq);
+ }
+
+ ret = mnl_talk(h, nlh, nftnl_set_list_cb, &d);
+ if (ret < 0 && errno == EINTR) {
+ assert(nft_restart(h) >= 0);
+ return ret;
+ }
+
+ if (t && set) {
+ struct nftnl_set *s;
+
+ s = nftnl_set_list_lookup_byname(h->cache->table[t->type].sets,
+ set);
+ set_fetch_elem_cb(s, h);
+ } else if (t) {
+ nftnl_set_list_foreach(h->cache->table[t->type].sets,
+ set_fetch_elem_cb, h);
+ } else {
+ for (i = 0; i < NFT_TABLE_MAX; i++) {
+ enum nft_table_type type = h->tables[i].type;
+
+ if (!h->tables[i].name)
+ continue;
+
+ nftnl_set_list_foreach(h->cache->table[type].sets,
+ set_fetch_elem_cb, h);
+ }
+ }
+ return ret;
+}
+
static int fetch_chain_cache(struct nft_handle *h,
const struct builtin_table *t, const char *chain)
{
@@ -1651,15 +1819,29 @@ static int fetch_rule_cache(struct nft_handle *h, struct nftnl_chain *c)
if (h->have_cache)
return 0;
- if (c)
- return nft_rule_list_update(c, h);
+ if (c) {
+ const struct builtin_table *t;
+ const char *tname;
+
+ tname = nftnl_chain_get_str(c, NFTNL_CHAIN_TABLE);
+ t = nft_table_builtin_find(h, tname);
+ if (!t)
+ return -1;
+ if (fetch_set_cache(h, t, NULL))
+ return -1;
+
+ return nft_rule_list_update(c, h);
+ }
for (i = 0; i < NFT_TABLE_MAX; i++) {
enum nft_table_type type = h->tables[i].type;
if (!h->tables[i].name)
continue;
+ if (fetch_set_cache(h, &h->tables[i], NULL))
+ return -1;
+
if (nftnl_chain_list_foreach(h->cache->table[type].chains,
nft_rule_list_update, h))
return -1;
@@ -1749,6 +1931,22 @@ struct nftnl_chain_list *nft_chain_list_get(struct nft_handle *h,
return h->cache->table[t->type].chains;
}
+struct nftnl_set_list *nft_set_list_get(struct nft_handle *h,
+ const char *table,
+ const char *set)
+{
+ const struct builtin_table *t;
+
+ t = nft_table_builtin_find(h, table);
+ if (!t)
+ return NULL;
+
+ if (!h->have_cache)
+ fetch_set_cache(h, t, set);
+
+ return h->cache->table[t->type].sets;
+}
+
static const char *policy_name[NF_ACCEPT+1] = {
[NF_DROP] = "DROP",
[NF_ACCEPT] = "ACCEPT",
diff --git a/iptables/nft.h b/iptables/nft.h
index bb88f0b796f02..bfee7ba727eaa 100644
--- a/iptables/nft.h
+++ b/iptables/nft.h
@@ -31,6 +31,7 @@ struct nft_cache {
struct nftnl_table_list *tables;
struct {
struct nftnl_chain_list *chains;
+ struct nftnl_set_list *sets;
bool initialized;
} table[NFT_TABLE_MAX];
};
@@ -89,6 +90,13 @@ int nft_table_flush(struct nft_handle *h, const char *table);
void nft_table_new(struct nft_handle *h, const char *table);
const struct builtin_table *nft_table_builtin_find(struct nft_handle *h, const char *table);
+/*
+ * Operations with sets.
+ */
+struct nftnl_set_list *nft_set_list_get(struct nft_handle *h,
+ const char *table,
+ const char *set);
+
/*
* Operations with chains.
*/
--
2.23.0
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [iptables PATCH v2 08/12] nft: Support NFT_COMPAT_SET_ADD
2019-09-27 14:04 [iptables PATCH v2 00/12] Implement among match support Phil Sutter
` (6 preceding siblings ...)
2019-09-27 14:04 ` [iptables PATCH v2 07/12] nft: Fetch sets when updating rule cache Phil Sutter
@ 2019-09-27 14:04 ` Phil Sutter
2019-09-27 14:04 ` [iptables PATCH v2 09/12] nft: Bore up nft_parse_payload() Phil Sutter
` (3 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Phil Sutter @ 2019-09-27 14:04 UTC (permalink / raw
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Implement the required infrastructure to create sets as part of a batch
job commit.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
iptables/nft.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 58 insertions(+)
diff --git a/iptables/nft.c b/iptables/nft.c
index f46f13c2501e2..7cab4a236aaa7 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -306,6 +306,7 @@ enum obj_update_type {
NFT_COMPAT_RULE_REPLACE,
NFT_COMPAT_RULE_DELETE,
NFT_COMPAT_RULE_FLUSH,
+ NFT_COMPAT_SET_ADD,
};
enum obj_action {
@@ -323,6 +324,7 @@ struct obj_update {
struct nftnl_table *table;
struct nftnl_chain *chain;
struct nftnl_rule *rule;
+ struct nftnl_set *set;
void *ptr;
};
struct {
@@ -350,6 +352,7 @@ static int mnl_append_error(const struct nft_handle *h,
[NFT_COMPAT_RULE_REPLACE] = "RULE_REPLACE",
[NFT_COMPAT_RULE_DELETE] = "RULE_DELETE",
[NFT_COMPAT_RULE_FLUSH] = "RULE_FLUSH",
+ [NFT_COMPAT_SET_ADD] = "SET_ADD",
};
char errmsg[256];
char tcr[128];
@@ -390,6 +393,10 @@ static int mnl_append_error(const struct nft_handle *h,
}
#endif
break;
+ case NFT_COMPAT_SET_ADD:
+ snprintf(tcr, sizeof(tcr), "set %s",
+ nftnl_set_get_str(o->set, NFTNL_SET_NAME));
+ break;
}
return snprintf(buf, len, "%s: %s", errmsg, tcr);
@@ -419,6 +426,13 @@ batch_table_add(struct nft_handle *h, enum obj_update_type type,
return batch_add(h, type, t);
}
+static struct obj_update *
+batch_set_add(struct nft_handle *h, enum obj_update_type type,
+ struct nftnl_set *s)
+{
+ return batch_add(h, type, s);
+}
+
static int batch_chain_add(struct nft_handle *h, enum obj_update_type type,
struct nftnl_chain *c)
{
@@ -2995,6 +3009,39 @@ static void nft_compat_table_batch_add(struct nft_handle *h, uint16_t type,
nftnl_table_nlmsg_build_payload(nlh, table);
}
+static void nft_compat_set_batch_add(struct nft_handle *h, uint16_t type,
+ uint16_t flags, uint32_t seq,
+ struct nftnl_set *set)
+{
+ struct nlmsghdr *nlh;
+
+ nlh = nftnl_nlmsg_build_hdr(nftnl_batch_buffer(h->batch),
+ type, h->family, flags, seq);
+ nftnl_set_nlmsg_build_payload(nlh, set);
+}
+
+static void nft_compat_setelem_batch_add(struct nft_handle *h, uint16_t type,
+ uint16_t flags, uint32_t *seq,
+ struct nftnl_set *set)
+{
+ struct nftnl_set_elems_iter *iter;
+ struct nlmsghdr *nlh;
+
+ iter = nftnl_set_elems_iter_create(set);
+ if (!iter)
+ return;
+
+ while (nftnl_set_elems_iter_cur(iter)) {
+ (*seq)++;
+ mnl_nft_batch_continue(h->batch);
+ nlh = nftnl_nlmsg_build_hdr(nftnl_batch_buffer(h->batch),
+ type, h->family, flags, *seq);
+ if (nftnl_set_elems_nlmsg_build_payload_iter(nlh, iter) <= 0)
+ break;
+ }
+ nftnl_set_elems_iter_destroy(iter);
+}
+
static void nft_compat_chain_batch_add(struct nft_handle *h, uint16_t type,
uint16_t flags, uint32_t seq,
struct nftnl_chain *chain)
@@ -3044,6 +3091,9 @@ static void batch_obj_del(struct nft_handle *h, struct obj_update *o)
case NFT_COMPAT_RULE_FLUSH:
nftnl_rule_free(o->rule);
break;
+ case NFT_COMPAT_SET_ADD:
+ nftnl_set_free(o->set);
+ break;
}
h->obj_list_num--;
list_del(&o->head);
@@ -3110,6 +3160,7 @@ static void nft_refresh_transaction(struct nft_handle *h)
case NFT_COMPAT_RULE_REPLACE:
case NFT_COMPAT_RULE_DELETE:
case NFT_COMPAT_RULE_FLUSH:
+ case NFT_COMPAT_SET_ADD:
break;
}
}
@@ -3200,6 +3251,13 @@ retry:
nft_compat_rule_batch_add(h, NFT_MSG_DELRULE, 0,
n->seq, n->rule);
break;
+ case NFT_COMPAT_SET_ADD:
+ nft_compat_set_batch_add(h, NFT_MSG_NEWSET,
+ NLM_F_CREATE, n->seq, n->set);
+ nft_compat_setelem_batch_add(h, NFT_MSG_NEWSETELEM,
+ NLM_F_CREATE, &n->seq, n->set);
+ seq = n->seq;
+ break;
}
mnl_nft_batch_continue(h->batch);
--
2.23.0
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [iptables PATCH v2 09/12] nft: Bore up nft_parse_payload()
2019-09-27 14:04 [iptables PATCH v2 00/12] Implement among match support Phil Sutter
` (7 preceding siblings ...)
2019-09-27 14:04 ` [iptables PATCH v2 08/12] nft: Support NFT_COMPAT_SET_ADD Phil Sutter
@ 2019-09-27 14:04 ` Phil Sutter
2019-09-27 14:04 ` [iptables PATCH v2 10/12] nft: Embed rule's table name in nft_xt_ctx Phil Sutter
` (2 subsequent siblings)
11 siblings, 0 replies; 13+ messages in thread
From: Phil Sutter @ 2019-09-27 14:04 UTC (permalink / raw
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Allow for closer inspection by storing payload expression's base and
length values. Also facilitate for two consecutive payload expressions
as LHS of a (cmp/lookup) statement as used with concatenations.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
iptables/nft-shared.c | 8 ++++++++
iptables/nft-shared.h | 4 +++-
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 80d4e1fcdcea1..a67302ee621ae 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -445,8 +445,16 @@ static void nft_parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
static void nft_parse_payload(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
{
+ if (ctx->flags & NFT_XT_CTX_PAYLOAD) {
+ memcpy(&ctx->prev_payload, &ctx->payload,
+ sizeof(ctx->prev_payload));
+ ctx->flags |= NFT_XT_CTX_PREV_PAYLOAD;
+ }
+
ctx->reg = nftnl_expr_get_u32(e, NFTNL_EXPR_META_DREG);
+ ctx->payload.base = nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_BASE);
ctx->payload.offset = nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_OFFSET);
+ ctx->payload.len = nftnl_expr_get_u32(e, NFTNL_EXPR_PAYLOAD_LEN);
ctx->flags |= NFT_XT_CTX_PAYLOAD;
}
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index efc40e7714e0f..684d7e40c3bf3 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -43,6 +43,7 @@ enum {
NFT_XT_CTX_META = (1 << 1),
NFT_XT_CTX_BITWISE = (1 << 2),
NFT_XT_CTX_IMMEDIATE = (1 << 3),
+ NFT_XT_CTX_PREV_PAYLOAD = (1 << 4),
};
struct nft_xt_ctx {
@@ -53,9 +54,10 @@ struct nft_xt_ctx {
uint32_t reg;
struct {
+ uint32_t base;
uint32_t offset;
uint32_t len;
- } payload;
+ } payload, prev_payload;
struct {
uint32_t key;
} meta;
--
2.23.0
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [iptables PATCH v2 10/12] nft: Embed rule's table name in nft_xt_ctx
2019-09-27 14:04 [iptables PATCH v2 00/12] Implement among match support Phil Sutter
` (8 preceding siblings ...)
2019-09-27 14:04 ` [iptables PATCH v2 09/12] nft: Bore up nft_parse_payload() Phil Sutter
@ 2019-09-27 14:04 ` Phil Sutter
2019-09-27 14:04 ` [iptables PATCH v2 11/12] nft: Support parsing lookup expression Phil Sutter
2019-09-27 14:04 ` [iptables PATCH v2 12/12] nft: bridge: Rudimental among extension support Phil Sutter
11 siblings, 0 replies; 13+ messages in thread
From: Phil Sutter @ 2019-09-27 14:04 UTC (permalink / raw
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Down to the point where expression parsing happens, the rule's table is
not known anymore but relevant if set lookups are required.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
iptables/nft-shared.c | 1 +
iptables/nft-shared.h | 1 +
2 files changed, 2 insertions(+)
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index a67302ee621ae..19630c1e2990c 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -597,6 +597,7 @@ void nft_rule_to_iptables_command_state(struct nft_handle *h,
struct nft_xt_ctx ctx = {
.cs = cs,
.h = h,
+ .table = nftnl_rule_get_str(r, NFTNL_RULE_TABLE),
};
iter = nftnl_expr_iter_create(r);
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index 684d7e40c3bf3..55e7f3c7c1da4 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -51,6 +51,7 @@ struct nft_xt_ctx {
struct nftnl_expr_iter *iter;
struct nft_handle *h;
uint32_t flags;
+ const char *table;
uint32_t reg;
struct {
--
2.23.0
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [iptables PATCH v2 11/12] nft: Support parsing lookup expression
2019-09-27 14:04 [iptables PATCH v2 00/12] Implement among match support Phil Sutter
` (9 preceding siblings ...)
2019-09-27 14:04 ` [iptables PATCH v2 10/12] nft: Embed rule's table name in nft_xt_ctx Phil Sutter
@ 2019-09-27 14:04 ` Phil Sutter
2019-09-27 14:04 ` [iptables PATCH v2 12/12] nft: bridge: Rudimental among extension support Phil Sutter
11 siblings, 0 replies; 13+ messages in thread
From: Phil Sutter @ 2019-09-27 14:04 UTC (permalink / raw
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Add required glue code to support family specific lookup expression
parsers implemented as family_ops callback.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
iptables/nft-shared.c | 9 +++++++++
iptables/nft-shared.h | 2 ++
iptables/nft.c | 5 ++++-
3 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 19630c1e2990c..78e422781723f 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -588,6 +588,13 @@ static void nft_parse_limit(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
ctx->h->ops->parse_match(match, ctx->cs);
}
+static void nft_parse_lookup(struct nft_xt_ctx *ctx, struct nft_handle *h,
+ struct nftnl_expr *e)
+{
+ if (ctx->h->ops->parse_lookup)
+ ctx->h->ops->parse_lookup(ctx, e, NULL);
+}
+
void nft_rule_to_iptables_command_state(struct nft_handle *h,
const struct nftnl_rule *r,
struct iptables_command_state *cs)
@@ -628,6 +635,8 @@ void nft_rule_to_iptables_command_state(struct nft_handle *h,
nft_parse_target(&ctx, expr);
else if (strcmp(name, "limit") == 0)
nft_parse_limit(&ctx, expr);
+ else if (strcmp(name, "lookup") == 0)
+ nft_parse_lookup(&ctx, h, expr);
expr = nftnl_expr_iter_next(iter);
}
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index 55e7f3c7c1da4..b7539365acf89 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -86,6 +86,8 @@ struct nft_family_ops {
void *data);
void (*parse_cmp)(struct nft_xt_ctx *ctx, struct nftnl_expr *e,
void *data);
+ void (*parse_lookup)(struct nft_xt_ctx *ctx, struct nftnl_expr *e,
+ void *data);
void (*parse_immediate)(const char *jumpto, bool nft_goto, void *data);
void (*print_table_header)(const char *tablename);
diff --git a/iptables/nft.c b/iptables/nft.c
index 7cab4a236aaa7..71171b106febe 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1085,6 +1085,8 @@ int add_match(struct nft_handle *h,
if (!strcmp(m->u.user.name, "limit"))
return add_nft_limit(r, m);
+ else if (!strcmp(m->u.user.name, "among"))
+ return add_nft_among(h, r, m);
expr = nftnl_expr_alloc("match");
if (expr == NULL)
@@ -3697,7 +3699,8 @@ static const char *supported_exprs[] = {
"cmp",
"bitwise",
"counter",
- "immediate"
+ "immediate",
+ "lookup"
};
--
2.23.0
^ permalink raw reply related [flat|nested] 13+ messages in thread
* [iptables PATCH v2 12/12] nft: bridge: Rudimental among extension support
2019-09-27 14:04 [iptables PATCH v2 00/12] Implement among match support Phil Sutter
` (10 preceding siblings ...)
2019-09-27 14:04 ` [iptables PATCH v2 11/12] nft: Support parsing lookup expression Phil Sutter
@ 2019-09-27 14:04 ` Phil Sutter
11 siblings, 0 replies; 13+ messages in thread
From: Phil Sutter @ 2019-09-27 14:04 UTC (permalink / raw
To: Pablo Neira Ayuso; +Cc: netfilter-devel
Support among match as far as possible given the limitations of nftables
sets, namely limited to homogeneous MAC address only or MAC and IP
address only matches.
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
Changes since v1:
- Fix for overlong lines.
- Use nftnl_set_list_lookup_byname() from libnftnl.
---
extensions/libebt_among.c | 278 ++++++++++++++++++++++++++++++++++++++
extensions/libebt_among.t | 16 +++
iptables/ebtables-nft.8 | 66 ++++-----
iptables/nft-bridge.c | 222 ++++++++++++++++++++++++++++++
iptables/nft-bridge.h | 21 +++
iptables/nft.c | 147 ++++++++++++++++++++
iptables/xtables-eb.c | 1 +
7 files changed, 720 insertions(+), 31 deletions(-)
create mode 100644 extensions/libebt_among.c
create mode 100644 extensions/libebt_among.t
diff --git a/extensions/libebt_among.c b/extensions/libebt_among.c
new file mode 100644
index 0000000000000..81875fa02f3c4
--- /dev/null
+++ b/extensions/libebt_among.c
@@ -0,0 +1,278 @@
+/* ebt_among
+ *
+ * Authors:
+ * Grzegorz Borowiak <grzes@gnu.univ.gda.pl>
+ *
+ * August, 2003
+ */
+
+#include <stdio.h>
+#include <string.h>
+#include <stdlib.h>
+#include <getopt.h>
+#include <ctype.h>
+#include <unistd.h>
+#include <netinet/ether.h>
+#include <linux/if_ether.h>
+#include <linux/netfilter_bridge/ebt_among.h>
+#include <sys/mman.h>
+#include <sys/stat.h>
+#include <fcntl.h>
+#include <xtables.h>
+#include "iptables/nft.h"
+#include "iptables/nft-bridge.h"
+
+#define AMONG_DST '1'
+#define AMONG_SRC '2'
+#define AMONG_DST_F '3'
+#define AMONG_SRC_F '4'
+
+static const struct option bramong_opts[] = {
+ {"among-dst", required_argument, 0, AMONG_DST},
+ {"among-src", required_argument, 0, AMONG_SRC},
+ {"among-dst-file", required_argument, 0, AMONG_DST_F},
+ {"among-src-file", required_argument, 0, AMONG_SRC_F},
+ {0}
+};
+
+static void bramong_print_help(void)
+{
+ printf(
+"`among' options:\n"
+"--among-dst [!] list : matches if ether dst is in list\n"
+"--among-src [!] list : matches if ether src is in list\n"
+"--among-dst-file [!] file : obtain dst list from file\n"
+"--among-src-file [!] file : obtain src list from file\n"
+"list has form:\n"
+" xx:xx:xx:xx:xx:xx[=ip.ip.ip.ip],yy:yy:yy:yy:yy:yy[=ip.ip.ip.ip]"
+",...,zz:zz:zz:zz:zz:zz[=ip.ip.ip.ip][,]\n"
+"Things in brackets are optional.\n"
+"If you want to allow two (or more) IP addresses to one MAC address, you\n"
+"can specify two (or more) pairs with the same MAC, e.g.\n"
+" 00:00:00:fa:eb:fe=153.19.120.250,00:00:00:fa:eb:fe=192.168.0.1\n"
+ );
+}
+
+static int
+parse_nft_among_pairs(char *buf, struct nft_among_pair **pairsp,
+ int *cntp, bool *ipp)
+{
+ struct nft_among_pair *pairs;
+ int cnt = 0, i, idx = 0;
+ bool ip = false;
+ char *p;
+
+ if (*buf)
+ cnt++;
+ for (p = buf; *p; p++) {
+ if (*p == ',')
+ cnt++;
+ }
+ if (!cnt)
+ return -1;
+
+ pairs = xtables_calloc(cnt, sizeof(*pairs));
+ p = strtok(buf, ",");
+ while (p) {
+ struct nft_among_pair tmpair = {};
+ unsigned int tmp[ETH_ALEN] = {};
+ char *sep = index(p, '=');
+
+ if (sep) {
+ if (idx > 0 && !ip)
+ xtables_error(PARAMETER_PROBLEM,
+ "among: Mixed MAC and MAC=IP not allowed.");
+ ip = true;
+ *sep = '\0';
+ if (sscanf(sep + 1, "%d.%d.%d.%d",
+ &tmp[0], &tmp[1], &tmp[2], &tmp[3]) != 4)
+ xtables_error(PARAMETER_PROBLEM,
+ "Invalid IP address '%s'\n",
+ sep + 1);
+ for (i = 0; i < 4; i++) {
+ if (tmp[i] > 255)
+ xtables_error(PARAMETER_PROBLEM,
+ "Invalid IP address '%s'\n",
+ sep + 1);
+ tmpair.ip[i] = tmp[i];
+ }
+ } else if (idx > 0 && ip) {
+ xtables_error(PARAMETER_PROBLEM,
+ "among: Mixed MAC and MAC=IP not allowed.");
+ }
+ if (sscanf(p, "%x:%x:%x:%x:%x:%x",
+ &tmp[0], &tmp[1], &tmp[2],
+ &tmp[3], &tmp[4], &tmp[5]) != 6)
+ xtables_error(PARAMETER_PROBLEM,
+ "Invalid MAC address '%s'\n", p);
+ for (i = 0; i < ETH_ALEN; i++) {
+ if (tmp[i] > 255)
+ xtables_error(PARAMETER_PROBLEM,
+ "Invalid MAC address '%s'\n", p);
+ tmpair.mac[i] = tmp[i];
+ }
+ for (i = 0; i < idx; i++) {
+ if (memcmp(tmpair.buf, pairs[i].buf,
+ sizeof(tmpair.buf)) < 0)
+ break;
+ }
+ memmove(pairs + i + 1, pairs + i, sizeof(*pairs) * (idx - i));
+ memcpy(pairs + i, &tmpair, sizeof(tmpair));
+ idx++;
+ p = strtok(NULL, ",");
+ }
+
+ if (pairsp)
+ *pairsp = pairs;
+ if (cntp)
+ *cntp = cnt;
+ if (ipp)
+ *ipp = ip;
+ return 0;
+}
+
+static int bramong_parse(int c, char **argv, int invert,
+ unsigned int *flags, const void *entry,
+ struct xt_entry_match **match)
+{
+ struct nft_among_data *data = (struct nft_among_data *)(*match)->data;
+ struct xt_entry_match *new_match;
+ struct nft_among_pair *pairs;
+ struct stat stats;
+ bool dst = false;
+ int fd = -1, cnt;
+ size_t new_size;
+ long flen = 0;
+ int poff;
+ bool ip;
+ int ret;
+
+ switch (c) {
+ case AMONG_DST_F:
+ dst = true;
+ /* fall through */
+ case AMONG_SRC_F:
+ if ((fd = open(optarg, O_RDONLY)) == -1)
+ xtables_error(PARAMETER_PROBLEM,
+ "Couldn't open file '%s'", optarg);
+ fstat(fd, &stats);
+ flen = stats.st_size;
+ /* use mmap because the file will probably be big */
+ optarg = mmap(0, flen, PROT_READ | PROT_WRITE,
+ MAP_PRIVATE, fd, 0);
+ if (optarg == MAP_FAILED)
+ xtables_error(PARAMETER_PROBLEM,
+ "Couldn't map file to memory");
+ if (optarg[flen-1] != '\n')
+ xtables_error(PARAMETER_PROBLEM,
+ "File should end with a newline");
+ if (strchr(optarg, '\n') != optarg+flen-1)
+ xtables_error(PARAMETER_PROBLEM,
+ "File should only contain one line");
+ optarg[flen-1] = '\0';
+ /* fall through */
+ case AMONG_DST:
+ if (c == AMONG_DST)
+ dst = true;
+ /* fall through */
+ case AMONG_SRC:
+ break;
+ default:
+ return 0;
+ }
+
+ ret = parse_nft_among_pairs(optarg, &pairs, &cnt, &ip);
+ if (ret)
+ return 0;
+ new_size = data->src.cnt + data->dst.cnt + cnt;
+ new_size *= sizeof(struct nft_among_pair);
+ new_size += XT_ALIGN(sizeof(struct xt_entry_match)) +
+ sizeof(struct nft_among_data);
+ new_match = xtables_calloc(1, new_size);
+ memcpy(new_match, *match, (*match)->u.match_size);
+ new_match->u.match_size = new_size;
+
+ data = (struct nft_among_data *)new_match->data;
+ if (dst) {
+ data->dst.cnt = cnt;
+ data->dst.inv = invert;
+ data->dst.ip = ip;
+ poff = data->src.cnt;
+ } else {
+ data->src.cnt = cnt;
+ data->src.inv = invert;
+ data->src.ip = ip;
+ poff = 0;
+ memmove(data->pairs + cnt, data->pairs,
+ data->dst.cnt * sizeof(struct nft_among_pair));
+ }
+ memcpy(data->pairs + poff, pairs, cnt * sizeof(struct nft_among_pair));
+ free(pairs);
+ free(*match);
+ *match = new_match;
+
+ if (c == AMONG_DST_F || c == AMONG_SRC_F) {
+ munmap(argv, flen);
+ close(fd);
+ }
+ return 1;
+}
+
+static void __bramong_print(struct nft_among_pair *pairs,
+ int cnt, bool inv, bool ip)
+{
+ const char *isep = "", *sep;
+ int i, j;
+
+ if (inv)
+ printf("! ");
+
+ for (i = 0; i < cnt; i++) {
+ printf("%s", isep);
+ isep = ",";
+
+ for (sep = "", j = 0; j < ETH_ALEN; sep = ":", j++)
+ printf("%s%02x", sep, pairs[i].mac[j]);
+
+ if (!ip)
+ continue;
+ for (sep = "=", j = 0; j < 4; sep = ".", j++)
+ printf("%s%u", sep, pairs[i].ip[j]);
+ }
+ printf(" ");
+}
+
+static void bramong_print(const void *ip, const struct xt_entry_match *match,
+ int numeric)
+{
+ struct nft_among_data *data = (struct nft_among_data *)match->data;
+
+ if (data->src.cnt) {
+ printf("--among-src ");
+ __bramong_print(data->pairs,
+ data->src.cnt, data->src.inv, data->src.ip);
+ }
+ if (data->dst.cnt) {
+ printf("--among-dst ");
+ __bramong_print(data->pairs + data->src.cnt,
+ data->dst.cnt, data->dst.inv, data->dst.ip);
+ }
+}
+
+static struct xtables_match bramong_match = {
+ .name = "among",
+ .revision = 0,
+ .version = XTABLES_VERSION,
+ .family = NFPROTO_BRIDGE,
+ .size = XT_ALIGN(sizeof(struct nft_among_data)),
+ .userspacesize = XT_ALIGN(sizeof(struct nft_among_data)),
+ .help = bramong_print_help,
+ .parse = bramong_parse,
+ .print = bramong_print,
+ .extra_opts = bramong_opts,
+};
+
+void _init(void)
+{
+ xtables_register_match(&bramong_match);
+}
diff --git a/extensions/libebt_among.t b/extensions/libebt_among.t
new file mode 100644
index 0000000000000..cfdbbcaf3555d
--- /dev/null
+++ b/extensions/libebt_among.t
@@ -0,0 +1,16 @@
+:INPUT,FORWARD,OUTPUT
+--among-dst de:ad:00:be:ee:ff,c0:ff:ee:00:ba:be;--among-dst c0:ff:ee:00:ba:be,de:ad:00:be:ee:ff;OK
+--among-dst ! c0:ff:ee:00:ba:be,de:ad:00:be:ee:ff;=;OK
+--among-src be:ef:00:c0:ff:ee,c0:ff:ee:00:ba:be,de:ad:00:be:ee:ff;=;OK
+--among-src de:ad:00:be:ee:ff=10.0.0.1,c0:ff:ee:00:ba:be=192.168.1.1;--among-src c0:ff:ee:00:ba:be=192.168.1.1,de:ad:00:be:ee:ff=10.0.0.1;OK
+--among-src ! c0:ff:ee:00:ba:be=192.168.1.1,de:ad:00:be:ee:ff=10.0.0.1;=;OK
+--among-src de:ad:00:be:ee:ff --among-dst c0:ff:ee:00:ba:be;=;OK
+--among-src de:ad:00:be:ee:ff=10.0.0.1 --among-dst c0:ff:ee:00:ba:be=192.168.1.1;=;OK
+--among-src ! de:ad:00:be:ee:ff --among-dst c0:ff:ee:00:ba:be;=;OK
+--among-src de:ad:00:be:ee:ff=10.0.0.1 --among-dst ! c0:ff:ee:00:ba:be=192.168.1.1;=;OK
+--among-src ! de:ad:00:be:ee:ff --among-dst c0:ff:ee:00:ba:be=192.168.1.1;=;OK
+--among-src de:ad:00:be:ee:ff=10.0.0.1 --among-dst ! c0:ff:ee:00:ba:be=192.168.1.1;=;OK
+--among-src;=;FAIL
+--among-src 00:11=10.0.0.1;=;FAIL
+--among-src de:ad:00:be:ee:ff=10.256.0.1;=;FAIL
+--among-src de:ad:00:be:ee:ff,c0:ff:ee:00:ba:be=192.168.1.1;=;FAIL
diff --git a/iptables/ebtables-nft.8 b/iptables/ebtables-nft.8
index db8b2ab28cca5..a91f0c1aacb0f 100644
--- a/iptables/ebtables-nft.8
+++ b/iptables/ebtables-nft.8
@@ -522,35 +522,39 @@ If the 802.3 DSAP and SSAP values are 0xaa then the SNAP type field must
be consulted to determine the payload protocol. This is a two byte
(hexadecimal) argument. Only 802.3 frames with DSAP/SSAP 0xaa are
checked for type.
-.\" .SS among
-.\" Match a MAC address or MAC/IP address pair versus a list of MAC addresses
-.\" and MAC/IP address pairs.
-.\" A list entry has the following format:
-.\" .IR xx:xx:xx:xx:xx:xx[=ip.ip.ip.ip][,] ". Multiple"
-.\" list entries are separated by a comma, specifying an IP address corresponding to
-.\" the MAC address is optional. Multiple MAC/IP address pairs with the same MAC address
-.\" but different IP address (and vice versa) can be specified. If the MAC address doesn't
-.\" match any entry from the list, the frame doesn't match the rule (unless "!" was used).
-.\" .TP
-.\" .BR "--among-dst " "[!] \fIlist\fP"
-.\" Compare the MAC destination to the given list. If the Ethernet frame has type
-.\" .IR IPv4 " or " ARP ,
-.\" then comparison with MAC/IP destination address pairs from the
-.\" list is possible.
-.\" .TP
-.\" .BR "--among-src " "[!] \fIlist\fP"
-.\" Compare the MAC source to the given list. If the Ethernet frame has type
-.\" .IR IPv4 " or " ARP ,
-.\" then comparison with MAC/IP source address pairs from the list
-.\" is possible.
-.\" .TP
-.\" .BR "--among-dst-file " "[!] \fIfile\fP"
-.\" Same as
-.\" .BR --among-dst " but the list is read in from the specified file."
-.\" .TP
-.\" .BR "--among-src-file " "[!] \fIfile\fP"
-.\" Same as
-.\" .BR --among-src " but the list is read in from the specified file."
+.SS among
+Match a MAC address or MAC/IP address pair versus a list of MAC addresses
+and MAC/IP address pairs.
+A list entry has the following format:
+.IR xx:xx:xx:xx:xx:xx[=ip.ip.ip.ip][,] ". Multiple"
+list entries are separated by a comma, specifying an IP address corresponding to
+the MAC address is optional. Multiple MAC/IP address pairs with the same MAC address
+but different IP address (and vice versa) can be specified. If the MAC address doesn't
+match any entry from the list, the frame doesn't match the rule (unless "!" was used).
+.TP
+.BR "--among-dst " "[!] \fIlist\fP"
+Compare the MAC destination to the given list. If the Ethernet frame has type
+.IR IPv4 " or " ARP ,
+then comparison with MAC/IP destination address pairs from the
+list is possible.
+.TP
+.BR "--among-src " "[!] \fIlist\fP"
+Compare the MAC source to the given list. If the Ethernet frame has type
+.IR IPv4 " or " ARP ,
+then comparison with MAC/IP source address pairs from the list
+is possible.
+.TP
+.BR "--among-dst-file " "[!] \fIfile\fP"
+Same as
+.BR --among-dst " but the list is read in from the specified file."
+.TP
+.BR "--among-src-file " "[!] \fIfile\fP"
+Same as
+.BR --among-src " but the list is read in from the specified file."
+.PP
+Note that in this implementation of ebtables, among lists uses must be
+internally homogeneous regarding whether IP addresses are present or not. Mixed
+use of MAC addresses and MAC/IP address pairs is not supported yet.
.SS arp
Specify (R)ARP fields. The protocol must be specified as
.IR ARP " or " RARP .
@@ -1108,8 +1112,8 @@ arp message and the hardware address length in the arp header is 6 bytes.
The version of ebtables this man page ships with does not support the
.B broute
table. Also there is no support for
-.BR among " and " string
-matches. And finally, this list is probably not complete.
+.B string
+match. And finally, this list is probably not complete.
.SH SEE ALSO
.BR xtables-nft "(8), " iptables "(8), " ip (8)
.PP
diff --git a/iptables/nft-bridge.c b/iptables/nft-bridge.c
index 20ce92a6d5242..bc9851409dbe3 100644
--- a/iptables/nft-bridge.c
+++ b/iptables/nft-bridge.c
@@ -17,6 +17,8 @@
#include <libiptc/libxtc.h>
#include <linux/netfilter/nf_tables.h>
+#include <libnftnl/set.h>
+
#include "nft-shared.h"
#include "nft-bridge.h"
#include "nft.h"
@@ -291,6 +293,225 @@ static void nft_bridge_parse_immediate(const char *jumpto, bool nft_goto,
cs->jumpto = jumpto;
}
+/* return 0 if saddr, 1 if daddr, -1 on error */
+static int
+lookup_check_ether_payload(uint32_t base, uint32_t offset, uint32_t len)
+{
+ if (base != 0 || len != ETH_ALEN)
+ return -1;
+
+ switch (offset) {
+ case offsetof(struct ether_header, ether_dhost):
+ return 1;
+ case offsetof(struct ether_header, ether_shost):
+ return 0;
+ default:
+ return -1;
+ }
+}
+
+/* return 0 if saddr, 1 if daddr, -1 on error */
+static int
+lookup_check_iphdr_payload(uint32_t base, uint32_t offset, uint32_t len)
+{
+ if (base != 1 || len != 4)
+ return -1;
+
+ switch (offset) {
+ case offsetof(struct iphdr, daddr):
+ return 1;
+ case offsetof(struct iphdr, saddr):
+ return 0;
+ default:
+ return -1;
+ }
+}
+
+/* Make sure previous payload expression(s) is/are consistent and extract if
+ * matching on source or destination address and if matching on MAC and IP or
+ * only MAC address. */
+static int lookup_analyze_payloads(const struct nft_xt_ctx *ctx,
+ bool *dst, bool *ip)
+{
+ int val, val2 = -1;
+
+ if (ctx->flags & NFT_XT_CTX_PREV_PAYLOAD) {
+ val = lookup_check_ether_payload(ctx->prev_payload.base,
+ ctx->prev_payload.offset,
+ ctx->prev_payload.len);
+ if (val < 0) {
+ DEBUGP("unknown payload base/offset/len %d/%d/%d\n",
+ ctx->prev_payload.base, ctx->prev_payload.offset,
+ ctx->prev_payload.len);
+ return -1;
+ }
+ if (!(ctx->flags & NFT_XT_CTX_PAYLOAD)) {
+ DEBUGP("Previous but no current payload?\n");
+ return -1;
+ }
+ val2 = lookup_check_iphdr_payload(ctx->payload.base,
+ ctx->payload.offset,
+ ctx->payload.len);
+ if (val2 < 0) {
+ DEBUGP("unknown payload base/offset/len %d/%d/%d\n",
+ ctx->payload.base, ctx->payload.offset,
+ ctx->payload.len);
+ return -1;
+ } else if (val != val2) {
+ DEBUGP("mismatching payload match offsets\n");
+ return -1;
+ }
+ } else if (ctx->flags & NFT_XT_CTX_PAYLOAD) {
+ val = lookup_check_ether_payload(ctx->payload.base,
+ ctx->payload.offset,
+ ctx->payload.len);
+ if (val < 0) {
+ DEBUGP("unknown payload base/offset/len %d/%d/%d\n",
+ ctx->payload.base, ctx->payload.offset,
+ ctx->payload.len);
+ return -1;
+ }
+ } else {
+ DEBUGP("unknown LHS of lookup expression\n");
+ return -1;
+ }
+
+ if (dst)
+ *dst = (val == 1);
+ if (ip)
+ *ip = (val2 != -1);
+ return 0;
+}
+
+static struct nft_among_pair *
+set_elems_to_among_pairs(const struct nftnl_set *s, int cnt)
+{
+ struct nftnl_set_elems_iter *iter = nftnl_set_elems_iter_create(s);
+ struct nft_among_pair *pairs;
+ struct nftnl_set_elem *elem;
+ int idx, tmpcnt = 0;
+ const char *buf;
+ uint32_t buflen;
+
+ if (!iter) {
+ fprintf(stderr, "BUG: set elems iter allocation failed\n");
+ exit(EXIT_FAILURE);
+ }
+
+ pairs = xtables_calloc(cnt, sizeof(*pairs));
+
+ while ((elem = nftnl_set_elems_iter_next(iter))) {
+ buf = nftnl_set_elem_get(elem, NFTNL_SET_ELEM_KEY, &buflen);
+ if (!buf) {
+ fprintf(stderr, "BUG: set elem without key\n");
+ exit(EXIT_FAILURE);
+ }
+ for (idx = 0; idx < tmpcnt; idx++) {
+ if (memcmp(buf, pairs[idx].buf, buflen) < 0)
+ break;
+ }
+ memmove(pairs + idx + 1, pairs + idx,
+ sizeof(*pairs) * (tmpcnt - idx));
+ memcpy(pairs[idx].buf, buf, buflen);
+ tmpcnt++;
+ }
+ nftnl_set_elems_iter_destroy(iter);
+
+ return pairs;
+}
+
+static void nft_bridge_parse_lookup(struct nft_xt_ctx *ctx, struct nftnl_expr *e,
+ void *data)
+{
+ struct xtables_match *match = NULL;
+ struct nft_among_data *among_data;
+ struct nft_among_pair *pairs;
+ struct nftnl_set_list *slist;
+ bool is_dst, have_ip, inv;
+ struct ebt_match *ematch;
+ const char *set_name;
+ struct nftnl_set *s;
+ int poff, cnt;
+ size_t size;
+
+ if (lookup_analyze_payloads(ctx, &is_dst, &have_ip))
+ return;
+
+ set_name = nftnl_expr_get_str(e, NFTNL_EXPR_LOOKUP_SET);
+
+ slist = nft_set_list_get(ctx->h, ctx->table, set_name);
+ if (!slist)
+ return;
+
+ s = nftnl_set_list_lookup_byname(slist, set_name);
+ if (!s) {
+ fprintf(stderr,
+ "BUG: set '%s' in lookup expression not found\n",
+ set_name);
+ exit(EXIT_FAILURE);
+ }
+
+ cnt = nftnl_set_get_u32(s, NFTNL_SET_DESC_SIZE);
+
+ for (ematch = ctx->cs->match_list; ematch; ematch = ematch->next) {
+ if (!ematch->ismatch || strcmp(ematch->u.match->name, "among"))
+ continue;
+
+ match = ematch->u.match;
+ among_data = (struct nft_among_data *)match->m->data;
+
+ size = cnt + among_data->src.cnt + among_data->dst.cnt;
+ size *= sizeof(struct nft_among_pair);
+ size += XT_ALIGN(sizeof(struct xt_entry_match)) +
+ sizeof(struct nft_among_data);
+
+ match->m = xtables_realloc(match->m, size);
+ break;
+ }
+ if (!match) {
+ match = xtables_find_match("among", XTF_TRY_LOAD,
+ &ctx->cs->matches);
+ size = XT_ALIGN(sizeof(struct xt_entry_match)) +
+ sizeof(struct nft_among_data) +
+ cnt * sizeof(struct nft_among_pair);
+ match->m = xtables_calloc(1, size);
+ strcpy(match->m->u.user.name, match->name);
+ match->m->u.user.revision = match->revision;
+ xs_init_match(match);
+
+ if (ctx->h->ops->parse_match != NULL)
+ ctx->h->ops->parse_match(match, ctx->cs);
+ }
+ if (match == NULL)
+ return;
+
+ match->m->u.match_size = size;
+
+ inv = !!(nftnl_expr_get_u32(e, NFTNL_EXPR_LOOKUP_FLAGS) &
+ NFT_LOOKUP_F_INV);
+
+ among_data = (struct nft_among_data *)match->m->data;
+ if (is_dst) {
+ among_data->dst.cnt = cnt;
+ among_data->dst.inv = inv;
+ among_data->dst.ip = have_ip;
+ poff = among_data->src.cnt;
+ } else {
+ among_data->src.cnt = cnt;
+ among_data->src.inv = inv;
+ among_data->src.ip = have_ip;
+ poff = 0;
+ memmove(among_data->pairs + cnt, among_data->pairs,
+ among_data->dst.cnt * sizeof(struct nft_among_pair));
+ }
+
+ pairs = set_elems_to_among_pairs(s, cnt);
+ memcpy(among_data->pairs + poff, pairs, cnt * sizeof(*pairs));
+ free(pairs);
+
+ ctx->flags &= ~(NFT_XT_CTX_PAYLOAD | NFT_XT_CTX_PREV_PAYLOAD);
+}
+
static void parse_watcher(void *object, struct ebt_match **match_list,
bool ismatch)
{
@@ -742,6 +963,7 @@ struct nft_family_ops nft_family_ops_bridge = {
.parse_meta = nft_bridge_parse_meta,
.parse_payload = nft_bridge_parse_payload,
.parse_immediate = nft_bridge_parse_immediate,
+ .parse_lookup = nft_bridge_parse_lookup,
.parse_match = nft_bridge_parse_match,
.parse_target = nft_bridge_parse_target,
.print_table_header = nft_bridge_print_table_header,
diff --git a/iptables/nft-bridge.h b/iptables/nft-bridge.h
index d90066f1030a2..15a437574988a 100644
--- a/iptables/nft-bridge.h
+++ b/iptables/nft-bridge.h
@@ -122,4 +122,25 @@ void ebt_add_watcher(struct xtables_target *watcher,
struct iptables_command_state *cs);
int ebt_command_default(struct iptables_command_state *cs);
+struct nft_among_pair {
+ union {
+ struct {
+ unsigned char mac[ETH_ALEN];
+ unsigned char pad[2];
+ unsigned char ip[4];
+ };
+ unsigned char buf[ETH_ALEN + 2 + 4];
+ } __attribute__((packed));
+};
+
+struct nft_among_data {
+ struct {
+ int cnt;
+ bool inv;
+ bool ip;
+ } src, dst;
+ /* first source, then dest pairs */
+ struct nft_among_pair pairs[0];
+};
+
#endif
diff --git a/iptables/nft.c b/iptables/nft.c
index 71171b106febe..5c0ab36692fee 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -1077,6 +1077,153 @@ static int add_nft_limit(struct nftnl_rule *r, struct xt_entry_match *m)
return 0;
}
+static struct nftnl_set *add_anon_set(struct nft_handle *h, const char *table,
+ uint32_t flags, uint32_t key_type,
+ uint32_t key_len, uint32_t size)
+{
+ static uint32_t set_id = 0;
+ struct nftnl_set *s;
+
+ s = nftnl_set_alloc();
+ if (!s)
+ return NULL;
+
+ nftnl_set_set_u32(s, NFTNL_SET_FAMILY, h->family);
+ nftnl_set_set_str(s, NFTNL_SET_TABLE, table);
+ nftnl_set_set_str(s, NFTNL_SET_NAME, "__set%d");
+ nftnl_set_set_u32(s, NFTNL_SET_ID, ++set_id);
+ nftnl_set_set_u32(s, NFTNL_SET_FLAGS,
+ NFT_SET_ANONYMOUS | NFT_SET_CONSTANT | flags);
+ nftnl_set_set_u32(s, NFTNL_SET_KEY_TYPE, key_type);
+ nftnl_set_set_u32(s, NFTNL_SET_KEY_LEN, key_len);
+ nftnl_set_set_u32(s, NFTNL_SET_DESC_SIZE, size);
+
+ return batch_set_add(h, NFT_COMPAT_SET_ADD, s) ? s : NULL;
+}
+
+static struct nftnl_expr *
+gen_payload(uint32_t base, uint32_t offset, uint32_t len, uint32_t dreg)
+{
+ struct nftnl_expr *e = nftnl_expr_alloc("payload");
+
+ if (!e)
+ return NULL;
+ nftnl_expr_set_u32(e, NFTNL_EXPR_PAYLOAD_BASE, base);
+ nftnl_expr_set_u32(e, NFTNL_EXPR_PAYLOAD_OFFSET, offset);
+ nftnl_expr_set_u32(e, NFTNL_EXPR_PAYLOAD_LEN, len);
+ nftnl_expr_set_u32(e, NFTNL_EXPR_PAYLOAD_DREG, dreg);
+ return e;
+}
+
+static struct nftnl_expr *
+gen_lookup(uint32_t sreg, const char *set_name, uint32_t set_id, uint32_t flags)
+{
+ struct nftnl_expr *e = nftnl_expr_alloc("lookup");
+
+ if (!e)
+ return NULL;
+ nftnl_expr_set_u32(e, NFTNL_EXPR_LOOKUP_SREG, sreg);
+ nftnl_expr_set_str(e, NFTNL_EXPR_LOOKUP_SET, set_name);
+ nftnl_expr_set_u32(e, NFTNL_EXPR_LOOKUP_SET_ID, set_id);
+ nftnl_expr_set_u32(e, NFTNL_EXPR_LOOKUP_FLAGS, flags);
+ return e;
+}
+
+/* simplified nftables:include/netlink.h, netlink_padded_len() */
+#define NETLINK_ALIGN 4
+
+/* from nftables:include/datatype.h, TYPE_BITS */
+#define CONCAT_TYPE_BITS 6
+
+/* from nftables:include/datatype.h, enum datatypes */
+#define NFT_DATATYPE_IPADDR 7
+#define NFT_DATATYPE_ETHERADDR 9
+
+static int __add_nft_among(struct nft_handle *h, const char *table,
+ struct nftnl_rule *r, struct nft_among_pair *pairs,
+ int cnt, bool dst, bool inv, bool ip)
+{
+ uint32_t set_id, type = NFT_DATATYPE_ETHERADDR, len = ETH_ALEN;
+ /* { !dst, dst } */
+ static const int eth_addr_off[] = {
+ offsetof(struct ether_header, ether_shost),
+ offsetof(struct ether_header, ether_dhost)
+ };
+ static const int ip_addr_off[] = {
+ offsetof(struct iphdr, saddr),
+ offsetof(struct iphdr, daddr)
+ };
+ struct nftnl_expr *e;
+ struct nftnl_set *s;
+ int idx = 0;
+
+ if (ip) {
+ type = type << CONCAT_TYPE_BITS | NFT_DATATYPE_IPADDR;
+ len += sizeof(struct in_addr) + NETLINK_ALIGN - 1;
+ len &= ~(NETLINK_ALIGN - 1);
+ }
+
+ s = add_anon_set(h, table, 0, type, len, cnt);
+ if (!s)
+ return -ENOMEM;
+ set_id = nftnl_set_get_u32(s, NFTNL_SET_ID);
+
+ for (idx = 0; idx < cnt; idx++) {
+ struct nftnl_set_elem *elem = nftnl_set_elem_alloc();
+
+ if (!elem)
+ return -ENOMEM;
+ nftnl_set_elem_set(elem, NFTNL_SET_ELEM_KEY,
+ pairs[idx].buf, len);
+ nftnl_set_elem_add(s, elem);
+ }
+
+ e = gen_payload(NFT_PAYLOAD_LL_HEADER,
+ eth_addr_off[dst], ETH_ALEN, NFT_REG_1);
+ if (!e)
+ return -ENOMEM;
+ nftnl_rule_add_expr(r, e);
+
+ if (ip) {
+ e = gen_payload(NFT_PAYLOAD_NETWORK_HEADER, ip_addr_off[dst],
+ sizeof(struct in_addr), NFT_REG32_02);
+ if (!e)
+ return -ENOMEM;
+ nftnl_rule_add_expr(r, e);
+ }
+
+ e = gen_lookup(NFT_REG_1, "__set%d", set_id, inv);
+ if (!e)
+ return -ENOMEM;
+ nftnl_rule_add_expr(r, e);
+
+ return 0;
+}
+
+static int add_nft_among(struct nft_handle *h,
+ struct nftnl_rule *r, struct xt_entry_match *m)
+{
+ struct nft_among_data *data = (struct nft_among_data *)m->data;
+ const char *table = nftnl_rule_get(r, NFTNL_RULE_TABLE);
+
+ if ((data->src.cnt && data->src.ip) ||
+ (data->dst.cnt && data->dst.ip)) {
+ uint16_t eth_p_ip = htons(ETH_P_IP);
+
+ add_meta(r, NFT_META_PROTOCOL);
+ add_cmp_ptr(r, NFT_CMP_EQ, ð_p_ip, 2);
+ }
+
+ if (data->src.cnt)
+ __add_nft_among(h, table, r, data->pairs, data->src.cnt,
+ false, data->src.inv, data->src.ip);
+ if (data->dst.cnt)
+ __add_nft_among(h, table, r, data->pairs + data->src.cnt,
+ data->dst.cnt, true, data->dst.inv,
+ data->dst.ip);
+ return 0;
+}
+
int add_match(struct nft_handle *h,
struct nftnl_rule *r, struct xt_entry_match *m)
{
diff --git a/iptables/xtables-eb.c b/iptables/xtables-eb.c
index 3b03daef28eb3..6eedc0ecbe069 100644
--- a/iptables/xtables-eb.c
+++ b/iptables/xtables-eb.c
@@ -594,6 +594,7 @@ void ebt_load_match_extensions(void)
ebt_load_match("pkttype");
ebt_load_match("vlan");
ebt_load_match("stp");
+ ebt_load_match("among");
ebt_load_watcher("log");
ebt_load_watcher("nflog");
--
2.23.0
^ permalink raw reply related [flat|nested] 13+ messages in thread
end of thread, other threads:[~2019-09-27 14:05 UTC | newest]
Thread overview: 13+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2019-09-27 14:04 [iptables PATCH v2 00/12] Implement among match support Phil Sutter
2019-09-27 14:04 ` [iptables PATCH v2 01/12] nft: family_ops: Pass nft_handle to 'add' callback Phil Sutter
2019-09-27 14:04 ` [iptables PATCH v2 02/12] nft: family_ops: Pass nft_handle to 'rule_find' callback Phil Sutter
2019-09-27 14:04 ` [iptables PATCH v2 03/12] nft: family_ops: Pass nft_handle to 'print_rule' callback Phil Sutter
2019-09-27 14:04 ` [iptables PATCH v2 04/12] nft: family_ops: Pass nft_handle to 'rule_to_cs' callback Phil Sutter
2019-09-27 14:04 ` [iptables PATCH v2 05/12] nft: Keep nft_handle pointer in nft_xt_ctx Phil Sutter
2019-09-27 14:04 ` [iptables PATCH v2 06/12] nft: Eliminate pointless calls to nft_family_ops_lookup() Phil Sutter
2019-09-27 14:04 ` [iptables PATCH v2 07/12] nft: Fetch sets when updating rule cache Phil Sutter
2019-09-27 14:04 ` [iptables PATCH v2 08/12] nft: Support NFT_COMPAT_SET_ADD Phil Sutter
2019-09-27 14:04 ` [iptables PATCH v2 09/12] nft: Bore up nft_parse_payload() Phil Sutter
2019-09-27 14:04 ` [iptables PATCH v2 10/12] nft: Embed rule's table name in nft_xt_ctx Phil Sutter
2019-09-27 14:04 ` [iptables PATCH v2 11/12] nft: Support parsing lookup expression Phil Sutter
2019-09-27 14:04 ` [iptables PATCH v2 12/12] nft: bridge: Rudimental among extension support Phil Sutter
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.