From: Pablo Neira Ayuso <pablo@netfilter.org>
To: "Christian Göttsche" <cgzones@googlemail.com>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [RFC 2/4] src: add ability to set/get secmarks to/from connection
Date: Thu, 21 Nov 2019 14:27:37 +0100
Message-ID: <20191121132737.gkbv4rthnd5nerde@salvia>
In-Reply-To: <20191121130634.nohe3p7coyx3pd7u@salvia>


On Thu, Nov 21, 2019 at 02:06:34PM +0100, Pablo Neira Ayuso wrote:
> On Wed, Nov 20, 2019 at 06:43:55PM +0100, Christian Göttsche wrote:
> > Labeling established and related packets requires the secmark to be stored in the connection.
> > Add the ability to store and retrieve secmarks like:
> > 
> >     ...
> >     chain input {
> >         ...
> > 
> >         # label new incoming packets
> >         ct state new meta secmark set tcp dport map @secmapping_in
> > 
> >         # add label to connection
> >         ct state new ct secmark set meta secmark
> > 
> >         # set label for est/rel packets from connection
> >         ct state established,related meta secmark set ct secmark
> > 
> >         ...
> >     }
> >     ...
> >     chain output {
> >         ...
> > 
> >         # label new outgoing packets
> >         ct state new meta secmark set tcp dport map @secmapping_out
> > 
> >         # add label to connection
> >         ct state new ct secmark set meta secmark
> > 
> >         # set label for est/rel packets from connection
> >         ct state established,related meta secmark set ct secmark
> > 
> >         ...
> >     }
> >     ...
> 
> I have applied this with minor changes on the evaluation side. Just
> follow up with another patch in case you find any issue.

Actually, I'm keeping back 2/4. I'm attaching the update I made.

I think it's good to disallow this:

        ct secmark 12
        meta secmark 12

but you also have to check from the evaluation phase that ct and meta
statements do not allow setting a constant value, i.e.

        ct secmark set 12
        meta secmark set 12

From the objref statement evaluation step, you can check if this
expression is a constant through flags.

Thanks.

[-- Attachment #2: x.patch --]
[-- Type: text/x-diff, Size: 4590 bytes --]

commit 785049e16782f7afb658927e5fee3b1da761f97d
Author: Christian Göttsche <cgzones@googlemail.com>
Date:   Wed Nov 20 18:43:55 2019 +0100

    src: add ability to set/get secmarks to/from connection
    
    Labeling established and related packets requires the secmark to be stored in the connection.
    Add the ability to store and retrieve secmarks like:
    
        ...
        chain input {
            ...
    
            # label new incoming packets
            ct state new meta secmark set tcp dport map @secmapping_in
    
            # add label to connection
            ct state new ct secmark set meta secmark
    
            # set label for est/rel packets from connection
            ct state established,related meta secmark set ct secmark
    
            ...
        }
        ...
        chain output {
            ...
    
            # label new outgoing packets
            ct state new meta secmark set tcp dport map @secmapping_out
    
            # add label to connection
            ct state new ct secmark set meta secmark
    
            # set label for est/rel packets from connection
            ct state established,related meta secmark set ct secmark
    
            ...
        }
        ...
    
    This patch also disallows constant values on the right hand side.
    
     # nft add rule x y meta secmark 12
     Error: Cannot be used with right hand side constant value
     add rule x y meta secmark 12
                  ~~~~~~~~~~~~ ^^
     # nft add rule x y ct secmark 12
     Error: Cannot be used with right hand side constant value
     add rule x y ct secmark 12
                  ~~~~~~~~~~ ^^
    
    This patch improves 3bc84e5c1fdd ("src: add support for setting secmark").
    
    Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/src/ct.c b/src/ct.c
index ed458e6b679b..9e6a8351ffb2 100644
--- a/src/ct.c
+++ b/src/ct.c
@@ -299,6 +299,8 @@ const struct ct_template ct_templates[__NFT_CT_MAX] = {
 					      BYTEORDER_BIG_ENDIAN, 128),
 	[NFT_CT_DST_IP6]	= CT_TEMPLATE("ip6 daddr", &ip6addr_type,
 					      BYTEORDER_BIG_ENDIAN, 128),
+	[NFT_CT_SECMARK]	= CT_TEMPLATE("secmark", &integer_type,
+					      BYTEORDER_HOST_ENDIAN, 32),
 };
 
 static void ct_print(enum nft_ct_keys key, int8_t dir, uint8_t nfproto,
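Review bot: the new NFT_CT_SECMARK entry is a 32-bit host-endian integer, which matches the NFT_META_SECMARK template added to meta.c in this same patch, so `ct secmark set meta secmark` and `meta secmark set ct secmark` move identically typed values. Unlike the address keys just above it, secmark has no per-direction variant, so it is worth confirming that ct_print() below (which takes a dir argument) and the ct expression parser never attach a direction to this key.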
diff --git a/src/evaluate.c b/src/evaluate.c
index e54eaf1a7110..00f6c6a4cc3e 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1784,6 +1784,18 @@ static int expr_evaluate_relational(struct eval_ctx *ctx, struct expr **expr)
 					 left->dtype->desc,
 					 right->dtype->desc);
 
+	/*
+	 * Statements like 'ct secmark 12' are parsed as relational,
+	 * disallow constant value on the right hand side.
+	 */
+	if (((left->etype == EXPR_META &&
+	      left->meta.key == NFT_META_SECMARK) ||
+	     (left->etype == EXPR_CT &&
+	      left->ct.key == NFT_CT_SECMARK)) &&
+	    right->flags & EXPR_F_CONSTANT)
+		return expr_binary_error(ctx->msgs, right, left,
+                                         "Cannot be used with right hand side constant value");
+
 	switch (rel->op) {
 	case OP_EQ:
 	case OP_IMPLICIT:
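Review bot: this check lives in expr_evaluate_relational(), so it rejects the match forms `ct secmark 12` and `meta secmark 12` shown in the commit message, but not the statement forms `ct secmark set 12` and `meta secmark set 12` that the cover mail asks to reject; those go through the ct, meta and objref statement evaluation paths and need the same `right->flags & EXPR_F_CONSTANT` test there, otherwise a ruleset can still write an arbitrary constant into the connection or packet secmark. Also, the continuation line of the expr_binary_error() call is indented with spaces while the surrounding code uses tabs.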
diff --git a/src/meta.c b/src/meta.c
index 69a897a92686..796d8e941486 100644
--- a/src/meta.c
+++ b/src/meta.c
@@ -698,6 +698,8 @@ const struct meta_template meta_templates[] = {
 	[NFT_META_TIME_HOUR]	= META_TEMPLATE("hour", &hour_type,
 						4 * BITS_PER_BYTE,
 						BYTEORDER_HOST_ENDIAN),
+	[NFT_META_SECMARK]	= META_TEMPLATE("secmark", &integer_type,
+						32, BYTEORDER_HOST_ENDIAN),
 };
 
 static bool meta_key_is_unqualified(enum nft_meta_keys key)
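Review bot: the length argument is written as a bare `32` here while the neighbouring NFT_META_TIME_HOUR entry uses `4 * BITS_PER_BYTE`; either is correct, but using the same idiom keeps the table consistent and makes the 32-bit width visibly the same as the `32` passed to CT_TEMPLATE in ct.c (note the two macros take length and byteorder in opposite order).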
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 631b7d684555..707f46716ed3 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -4190,9 +4190,16 @@ meta_stmt		:	META	meta_key	SET	stmt_expr
 			{
 				switch ($2) {
 				case NFT_META_SECMARK:
-					$$ = objref_stmt_alloc(&@$);
-					$$->objref.type = NFT_OBJECT_SECMARK;
-					$$->objref.expr = $4;
+					switch ($4->etype) {
+					case EXPR_CT:
+						$$ = meta_stmt_alloc(&@$, $2, $4);
+						break;
+					default:
+						$$ = objref_stmt_alloc(&@$);
+						$$->objref.type = NFT_OBJECT_SECMARK;
+						$$->objref.expr = $4;
+						break;
+					}
 					break;
 				default:
 					$$ = meta_stmt_alloc(&@$, $2, $4);
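Review bot: the dispatch on `$4->etype` is decided at parse time, so only an EXPR_CT right-hand side becomes a meta statement; anything else, including a constant such as `meta secmark set 12`, still takes the objref_stmt_alloc() path, and nothing in this diff rejects a constant there. As the cover mail says, the objref statement evaluation should check EXPR_F_CONSTANT on `objref.expr` and fail with the same error the relational path now emits. The symmetric `ct secmark set meta secmark` statement relies on the existing generic ct_stmt rule, which is fine, but the constant check is needed on the ct statement evaluation side as well.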
@@ -4388,6 +4395,7 @@ ct_key			:	L3PROTOCOL	{ $$ = NFT_CT_L3PROTOCOL; }
 			|	PROTO_DST	{ $$ = NFT_CT_PROTO_DST; }
 			|	LABEL		{ $$ = NFT_CT_LABELS; }
 			|	EVENT		{ $$ = NFT_CT_EVENTMASK; }
+			|	SECMARK		{ $$ = NFT_CT_SECMARK; }
 			|	ct_key_dir_optional
 			;
 

Thread overview: 9+ messages
2019-11-20 17:43 [RFC 1/4] statement: make secmark statements idempotent Christian Göttsche
2019-11-20 17:43 ` [RFC 2/4] src: add ability to set/get secmarks to/from connection Christian Göttsche
2019-11-21 13:06   ` Pablo Neira Ayuso
2019-11-21 13:27     ` Pablo Neira Ayuso [this message]
2019-11-20 17:43 ` [RFC 3/4] files: add example secmark config Christian Göttsche
2019-11-21 13:06   ` Pablo Neira Ayuso
2019-11-20 17:43 ` [RFC 4/4] src: add ability to reset secmarks Christian Göttsche
2019-11-21 13:08   ` Pablo Neira Ayuso
2019-11-21 13:05 ` [RFC 1/4] statement: make secmark statements idempotent Pablo Neira Ayuso
