From: Phil Sutter <phil@nwl.cc>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org
Subject: [nft PATCH 0/3] Boolean comparison and exthdr existence match support
Date: Tue, 17 Jan 2017 23:10:04 +0100
Message-ID: <20170117221007.14951-1-phil@nwl.cc>

The following series adds two distinct features to nftables, though
since the second one depends on presence of the first one this is
submitted as a series.

Patch 1 adds support for a boolean variant of relational expression.
Its OP is strictly implicit and determined by RHS being a boolean
expression. It depends on a related kernel patch adding support for
NFT_CMP_BOOL to nft_cmp.c.

Patch 2 extends exthdr expression by a private flags field which will be
used in patch 3. It depends on a related patch for libnftnl to handle
the new field.

Patch 3 then adds support for checking extension header presence to
exthdr expression by making use of the previously introduced exthdr flag
NFT_EXTHDR_F_PRESENT. It's ideally used together with a boolean
relational expression for a syntax of e.g.:

| exthdr hbh exists

to match on hop-by-hop options presence or:

| exthdr frag missing

to match on packets without fragmentation header present.

Phil Sutter (3):
  Implement boolean comparison in relational expression
  exthdr: Add support for exthdr specific flags
  exthdr: Implement exthdr existence check

 include/expression.h                | 10 +++++++++
 include/exthdr.h                    |  4 ++++
 include/linux/netfilter/nf_tables.h |  1 +
 include/netlink.h                   |  2 ++
 src/evaluate.c                      | 13 ++++++++++++
 src/expression.c                    | 39 ++++++++++++++++++++++++++++++++++
 src/exthdr.c                        | 10 +++++++--
 src/netlink.c                       | 20 ++++++++++++++++++
 src/netlink_delinearize.c           | 12 +++++++++--
 src/netlink_linearize.c             |  4 ++++
 src/parser_bison.y                  | 42 +++++++++++++++++++++++++++++++++++++
 src/scanner.l                       |  7 +++++++
 12 files changed, 160 insertions(+), 4 deletions(-)

-- 
2.11.0
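
What an "exists" / "missing" match has to decide per packet, shown as a
standalone user-space walk of the IPv6 extension header chain. This is an
added example, not code from this patch series, nft or the kernel; the
function name exthdr_present and both sample packets are constructed for
illustration, and any header other than hop-by-hop, routing, fragment or
destination options is assumed to end the chain.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* IPv6 Next Header values (IANA protocol numbers). */
enum { NH_HBH = 0, NH_ROUTING = 43, NH_FRAG = 44, NH_DSTOPTS = 60 };

/* Constructed sample: fixed header, hop-by-hop (PadN), fragment, UDP. */
static const uint8_t pkt_hbh_frag[64] = {
    [0] = 0x60, [5] = 24, [6] = NH_HBH,
    [40] = NH_FRAG, [41] = 0, [42] = 1, [43] = 4,   /* HBH, 8 bytes */
    [48] = 17, [51] = 1,                            /* frag: offset 0, M=1 */
};
/* Constructed sample: fixed header followed directly by UDP. */
static const uint8_t pkt_plain[48] = { [0] = 0x60, [5] = 8, [6] = 17 };

/* 1: header `want` is in the chain, 0: missing, -1: truncated or not IPv6.
 * Only HBH, routing, fragment and dstopts are walked (assumption). */
int exthdr_present(const uint8_t *pkt, size_t len, uint8_t want)
{
    if (len < 40 || (pkt[0] >> 4) != 6)
        return -1;
    uint8_t nh = pkt[6];    /* Next Header field of the fixed header */
    size_t off = 40;        /* the fixed header is always 40 bytes */
    for (;;) {
        size_t hlen = 8;    /* the fragment header has a fixed size */
        if (nh != NH_HBH && nh != NH_ROUTING && nh != NH_FRAG && nh != NH_DSTOPTS)
            return 0;       /* reached the upper-layer protocol */
        if (len - off < 8)
            return -1;      /* every extension header is at least 8 bytes */
        if (nh == want)
            return 1;
        if (nh == NH_FRAG) {
            /* non-first fragment: what follows is payload, not headers */
            if ((((pkt[off + 2] << 8) | pkt[off + 3]) & 0xfff8) != 0)
                return 0;
        } else {
            hlen = ((size_t)pkt[off + 1] + 1) * 8;
        }
        if (hlen > len - off)
            return -1;      /* declared length runs past the buffer */
        nh = pkt[off];
        off += hlen;
    }
}

int main(void)
{
    printf("frag exists: %d\n", exthdr_present(pkt_hbh_frag, sizeof pkt_hbh_frag, NH_FRAG));
    printf("frag missing: %d\n", !exthdr_present(pkt_plain, sizeof pkt_plain, NH_FRAG));
    return 0;
}
```

The -1 result keeps truncated or malformed chains separate from a clean
"missing", so a caller can choose to drop them rather than treat them as
packets without the header.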
