All of lore.kernel.org
 help / color / mirror / Atom feed
From: "Christian Göttsche" <cgzones@googlemail.com>
To: netfilter-devel@vger.kernel.org
Subject: [RFC 2/4] src: add ability to set/get secmarks to/from connection
Date: Wed, 20 Nov 2019 18:43:55 +0100	[thread overview]
Message-ID: <20191120174357.26112-2-cgzones@googlemail.com> (raw)
In-Reply-To: <20191120174357.26112-1-cgzones@googlemail.com>

Labeling established and related packets requires the secmark to be stored in the connection.
Add the ability to store and retrieve secmarks like:

    ...
    chain input {
        ...

        # label new incoming packets
        ct state new meta secmark set tcp dport map @secmapping_in

        # add label to connection
        ct state new ct secmark set meta secmark

        # set label for est/rel packets from connection
        ct state established,related meta secmark set ct secmark

        ...
    }
    ...
    chain output {
        ...

        # label new outgoing packets
        ct state new meta secmark set tcp dport map @secmapping_out

        # add label to connection
        ct state new ct secmark set meta secmark

        # set label for est/rel packets from connection
        ct state established,related meta secmark set ct secmark

        ...
        }
    ...

improves: 3bc84e5c1fdd1ff011af9788fe174e0514c2c9ea

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 src/ct.c           |  2 ++
 src/evaluate.c     | 10 ++++++++++
 src/meta.c         |  2 ++
 src/parser_bison.y | 14 +++++++++++---
 4 files changed, 25 insertions(+), 3 deletions(-)

diff --git a/src/ct.c b/src/ct.c
index ed458e6b..9e6a8351 100644
--- a/src/ct.c
+++ b/src/ct.c
@@ -299,6 +299,8 @@ const struct ct_template ct_templates[__NFT_CT_MAX] = {
 					      BYTEORDER_BIG_ENDIAN, 128),
 	[NFT_CT_DST_IP6]	= CT_TEMPLATE("ip6 daddr", &ip6addr_type,
 					      BYTEORDER_BIG_ENDIAN, 128),
+	[NFT_CT_SECMARK]	= CT_TEMPLATE("secmark", &integer_type,
+					      BYTEORDER_HOST_ENDIAN, 32),
 };
 
 static void ct_print(enum nft_ct_keys key, int8_t dir, uint8_t nfproto,
diff --git a/src/evaluate.c b/src/evaluate.c
index e54eaf1a..740d3c30 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1794,6 +1794,16 @@ static int expr_evaluate_relational(struct eval_ctx *ctx, struct expr **expr)
 		if (expr_is_singleton(right))
 			relational_expr_pctx_update(&ctx->pctx, rel);
 
+		/*
+		 * Statements like 'ct secmark 12 counter' are parsed as
+		 * relational expression with implicit operator.
+		 * Make them invalid.
+		 */
+		if ((left->etype == EXPR_META && left->meta.key == NFT_META_SECMARK)
+			|| (left->etype == EXPR_CT && left->ct.key == NFT_CT_SECMARK))
+			return expr_error(ctx->msgs, *expr,
+                                          "secmark is invalid with hardcoded ids");
+
 		/* fall through */
 	case OP_NEQ:
 		switch (right->etype) {
diff --git a/src/meta.c b/src/meta.c
index 69a897a9..796d8e94 100644
--- a/src/meta.c
+++ b/src/meta.c
@@ -698,6 +698,8 @@ const struct meta_template meta_templates[] = {
 	[NFT_META_TIME_HOUR]	= META_TEMPLATE("hour", &hour_type,
 						4 * BITS_PER_BYTE,
 						BYTEORDER_HOST_ENDIAN),
+	[NFT_META_SECMARK]	= META_TEMPLATE("secmark", &integer_type,
+						32, BYTEORDER_HOST_ENDIAN),
 };
 
 static bool meta_key_is_unqualified(enum nft_meta_keys key)
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 631b7d68..707f4671 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -4190,9 +4190,16 @@ meta_stmt		:	META	meta_key	SET	stmt_expr
 			{
 				switch ($2) {
 				case NFT_META_SECMARK:
-					$$ = objref_stmt_alloc(&@$);
-					$$->objref.type = NFT_OBJECT_SECMARK;
-					$$->objref.expr = $4;
+					switch ($4->etype) {
+					case EXPR_CT:
+						$$ = meta_stmt_alloc(&@$, $2, $4);
+						break;
+					default:
+						$$ = objref_stmt_alloc(&@$);
+						$$->objref.type = NFT_OBJECT_SECMARK;
+						$$->objref.expr = $4;
+						break;
+					}
 					break;
 				default:
 					$$ = meta_stmt_alloc(&@$, $2, $4);
@@ -4388,6 +4395,7 @@ ct_key			:	L3PROTOCOL	{ $$ = NFT_CT_L3PROTOCOL; }
 			|	PROTO_DST	{ $$ = NFT_CT_PROTO_DST; }
 			|	LABEL		{ $$ = NFT_CT_LABELS; }
 			|	EVENT		{ $$ = NFT_CT_EVENTMASK; }
+			|	SECMARK		{ $$ = NFT_CT_SECMARK; }
 			|	ct_key_dir_optional
 			;
 
-- 
2.24.0


  reply	other threads:[~2019-11-20 17:44 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-11-20 17:43 [RFC 1/4] statement: make secmark statements idempotent Christian Göttsche
2019-11-20 17:43 ` Christian Göttsche [this message]
2019-11-21 13:06   ` [RFC 2/4] src: add ability to set/get secmarks to/from connection Pablo Neira Ayuso
2019-11-21 13:27     ` Pablo Neira Ayuso
2019-11-20 17:43 ` [RFC 3/4] files: add example secmark config Christian Göttsche
2019-11-21 13:06   ` Pablo Neira Ayuso
2019-11-20 17:43 ` [RFC 4/4] src: add ability to reset secmarks Christian Göttsche
2019-11-21 13:08   ` Pablo Neira Ayuso
2019-11-21 13:05 ` [RFC 1/4] statement: make secmark statements idempotent Pablo Neira Ayuso

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20191120174357.26112-2-cgzones@googlemail.com \
    --to=cgzones@googlemail.com \
    --cc=netfilter-devel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.