* [PATCH nft 1/2,v2] parser_bison: missing tproxy syntax with port only for inet family
@ 2019-04-04 11:39 Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2019-04-04 11:39 UTC (permalink / raw)
  To: netfilter-devel; +Cc: mirq-boogs, ffmancera, arturo

 # nft add rule inet filter divert ip daddr 0.0.0.0/0 meta l4proto tcp tproxy ip to :2000
 Error: syntax error, unexpected colon
 add rule inet filter divert ip daddr 0.0.0.0/0 meta l4proto tcp tproxy ip to :2000
                                                                              ^

Syntax with no protocol for tproxy complains with:

 # nft add rule inet filter divert ip daddr 0.0.0.0/0 meta l4proto tcp tproxy to :2000
 Error: Conflicting network layer protocols.
 add rule inet filter divert ip daddr 0.0.0.0/0 meta l4proto tcp tproxy to :2000
                                                                 ^^^^^^^^^^^^^^^

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1310
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/parser_bison.y             |  6 ++++++
 tests/py/inet/tproxy.t         |  5 +++--
 tests/py/inet/tproxy.t.payload | 26 ++++++++++++++++++++++++++
 tests/py/ip/tproxy.t           |  2 +-
 tests/py/ip/tproxy.t.payload   |  8 ++++++++
 tests/py/ip6/tproxy.t          |  2 +-
 tests/py/ip6/tproxy.t.payload  |  7 +++++++
 7 files changed, 52 insertions(+), 4 deletions(-)

diff --git a/src/parser_bison.y b/src/parser_bison.y
index 65b3fb3ebac2..50642b4e02f4 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -2687,6 +2687,12 @@ tproxy_stmt		:	TPROXY TO stmt_expr
 				$$->tproxy.addr = $4;
 				$$->tproxy.port = $6;
 			}
+			|	TPROXY nf_key_proto	TO COLON stmt_expr
+			{
+				$$ = tproxy_stmt_alloc(&@$);
+				$$->tproxy.family = $2;
+				$$->tproxy.port = $5;
+			}
 			;
 
 primary_stmt_expr	:	symbol_expr		{ $$ = $1; }
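Review bot: the new `TPROXY nf_key_proto TO COLON stmt_expr` alternative has no accompanying documentation change; the diffstat touches only the grammar and the test suite, so the man page's tproxy statement syntax should be extended to list the `tproxy ip to :port` / `tproxy ip6 to :port` form next to the existing address forms. Two smaller points: the new action never assigns `$$->tproxy.addr`, which is only safe if `tproxy_stmt_alloc()` hands back a zeroed statement, since the evaluator later branches on `stmt->tproxy.addr != NULL`; and the new rule line mixes a tab and spaces between `nf_key_proto` and `TO` where the sibling alternatives use a single tab per column.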
diff --git a/tests/py/inet/tproxy.t b/tests/py/inet/tproxy.t
index f80f77347b86..0ba78ef1826a 100644
--- a/tests/py/inet/tproxy.t
+++ b/tests/py/inet/tproxy.t
@@ -15,6 +15,7 @@ meta l4proto 6 tproxy ip6 to [2001:db8::1];ok
 meta l4proto 17 tproxy ip6 to [2001:db8::1]:50080;ok
 ip6 nexthdr 6 tproxy ip to 192.0.2.1;fail
 
-meta l4proto 17 tproxy ip to :50080;fail
-meta l4proto 17 tproxy ip6 to :50080;fail
+meta l4proto 17 tproxy ip to :50080;ok
+meta l4proto 17 tproxy ip6 to :50080;ok
 meta l4proto 17 tproxy to :50080;ok
+ip daddr 0.0.0.0/0 meta l4proto tcp tproxy ip to :2000;ok
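Review bot: the commit log only motivates the `tproxy ip to :port` case, but this hunk also flips `meta l4proto 17 tproxy ip6 to :50080` from fail to ok; a one-line note in the log that the port-only form is now accepted for both families under inet would make that intentional. The added `ip daddr 0.0.0.0/0 meta l4proto tcp tproxy ip to :2000` line reproduces the bugzilla report verbatim, which is good for a regression test, though `ip daddr 0.0.0.0/0` matches every packet and only contributes an always-true bitwise/cmp pair to the expected payload.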
diff --git a/tests/py/inet/tproxy.t.payload b/tests/py/inet/tproxy.t.payload
index 4b18460d8b8d..8a6ba0365605 100644
--- a/tests/py/inet/tproxy.t.payload
+++ b/tests/py/inet/tproxy.t.payload
@@ -35,3 +35,29 @@ inet x y
   [ immediate reg 1 0x0000a0c3 ]
   [ tproxy port reg 1 ]
 
+# meta l4proto 17 tproxy ip to :50080
+inet x y 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ immediate reg 1 0x0000a0c3 ]
+  [ tproxy ip port reg 1 ]
+
+# meta l4proto 17 tproxy ip6 to :50080
+inet x y 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000011 ]
+  [ immediate reg 1 0x0000a0c3 ]
+  [ tproxy ip6 port reg 1 ]
+
+# ip daddr 0.0.0.0/0 meta l4proto tcp tproxy ip to :2000
+inet x y 
+  [ meta load nfproto => reg 1 ]
+  [ cmp eq reg 1 0x00000002 ]
+  [ payload load 4b @ network header + 16 => reg 1 ]
+  [ bitwise reg 1 = (reg=1 & 0x00000000 ) ^ 0x00000000 ]
+  [ cmp eq reg 1 0x00000000 ]
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ immediate reg 1 0x0000d007 ]
+  [ tproxy ip port reg 1 ]
+
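Review bot: the three new `inet x y ` header lines carry a trailing space, and the hunk ends by adding a blank line at end of file; both will be flagged by `git diff --check`. The same trailing-space header appears in the ip and ip6 payload hunks below. The bytecode itself is consistent with the existing expectations: `:2000` becomes `immediate reg 1 0x0000d007` (0x07d0 in network byte order) and `:50080` stays `0x0000a0c3`, followed by the family-qualified `tproxy ip port reg 1` / `tproxy ip6 port reg 1`.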
diff --git a/tests/py/ip/tproxy.t b/tests/py/ip/tproxy.t
index dbd8f5e90a04..966898c037b2 100644
--- a/tests/py/ip/tproxy.t
+++ b/tests/py/ip/tproxy.t
@@ -11,4 +11,4 @@ meta l4proto 6 tproxy to 192.0.2.1:50080;ok
 ip protocol 6 tproxy to :50080;ok
 meta l4proto 17 tproxy ip to 192.0.2.1;ok;meta l4proto 17 tproxy to 192.0.2.1
 meta l4proto 6 tproxy ip to 192.0.2.1:50080;ok;meta l4proto 6 tproxy to 192.0.2.1:50080
-ip protocol 6 tproxy ip to :50080;fail
+ip protocol 6 tproxy ip to :50080;ok
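Review bot: in this file the family-qualified forms are listed back without the redundant family, as the two lines of context above show (`meta l4proto 17 tproxy ip to 192.0.2.1;ok;meta l4proto 17 tproxy to 192.0.2.1`). The new `ip protocol 6 tproxy ip to :50080;ok` line has no third field, so the test expects `tproxy ip to :50080` to be echoed verbatim; unless the port-only form is printed differently from the address forms, it should read `ip protocol 6 tproxy ip to :50080;ok;ip protocol 6 tproxy to :50080`, matching the family-less spelling already accepted four lines earlier.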
diff --git a/tests/py/ip/tproxy.t.payload b/tests/py/ip/tproxy.t.payload
index 035651f48cb3..dfe830ec3715 100644
--- a/tests/py/ip/tproxy.t.payload
+++ b/tests/py/ip/tproxy.t.payload
@@ -34,3 +34,11 @@ ip x y
   [ immediate reg 1 0x010200c0 ]
   [ immediate reg 2 0x0000a0c3 ]
   [ tproxy ip addr reg 1 port reg 2 ]
+
+# ip protocol 6 tproxy ip to :50080
+ip x y 
+  [ payload load 1b @ network header + 9 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ immediate reg 1 0x0000a0c3 ]
+  [ tproxy ip port reg 1 ]
+
diff --git a/tests/py/ip6/tproxy.t b/tests/py/ip6/tproxy.t
index 4e48d81f13cc..48fe4ca76505 100644
--- a/tests/py/ip6/tproxy.t
+++ b/tests/py/ip6/tproxy.t
@@ -11,4 +11,4 @@ meta l4proto 17 tproxy to [2001:db8::1]:50080;ok
 meta l4proto 6 tproxy to :50080;ok
 meta l4proto 6 tproxy ip6 to [2001:db8::1];ok;meta l4proto 6 tproxy to [2001:db8::1]
 meta l4proto 17 tproxy ip6 to [2001:db8::1]:50080;ok;meta l4proto 17 tproxy to [2001:db8::1]:50080
-meta l4proto 6 tproxy ip6 to :50080;fail
+meta l4proto 6 tproxy ip6 to :50080;ok
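Review bot: same listing concern as in the ip test file: the context lines show `tproxy ip6 to [2001:db8::1]` being listed as `tproxy to [2001:db8::1]`, so the new `meta l4proto 6 tproxy ip6 to :50080;ok` line most likely needs the third field `meta l4proto 6 tproxy to :50080` (the family-less form accepted three lines above); otherwise the round-trip comparison fails if the listing drops the family.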
diff --git a/tests/py/ip6/tproxy.t.payload b/tests/py/ip6/tproxy.t.payload
index c78c8a1dd20a..9f28e80b4142 100644
--- a/tests/py/ip6/tproxy.t.payload
+++ b/tests/py/ip6/tproxy.t.payload
@@ -35,3 +35,10 @@ ip6 x y
   [ immediate reg 2 0x0000a0c3 ]
   [ tproxy ip6 addr reg 1 port reg 2 ]
 
+# meta l4proto 6 tproxy ip6 to :50080
+ip6 x y 
+  [ meta load l4proto => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ immediate reg 1 0x0000a0c3 ]
+  [ tproxy ip6 port reg 1 ]
+
-- 
2.11.0



* [PATCH nft 2/2] evaluate: improve error reporting in tproxy with inet family
@ 2019-04-04 11:39 ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2019-04-04 11:39 UTC (permalink / raw)
  To: netfilter-devel; +Cc: mirq-boogs, ffmancera, arturo

 # nft add rule inet filter divert ip daddr 0.0.0.0/0 meta l4proto tcp tproxy to :2000
 Error: conflicting protocols specified: ip vs. unknown. You must specify ip or ip6 family in tproxy statement
 add rule inet filter divert ip daddr 0.0.0.0/0 meta l4proto tcp tproxy to :2000
                             ~~~~~~~~                            ^^^^^^^^^^^^^^^

instead of:

 # nft add rule inet filter divert ip daddr 0.0.0.0/0 meta l4proto tcp tproxy to :2000
 Error: Conflicting network layer protocols.
 add rule inet filter divert ip daddr 0.0.0.0/0 meta l4proto tcp tproxy to :2000
                                                                 ^^^^^^^^^^^^^^^

Closes: https://bugzilla.netfilter.org/show_bug.cgi?id=1310
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/evaluate.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/src/evaluate.c b/src/evaluate.c
index 94377da99335..3a3f2468c826 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2606,8 +2606,11 @@ static int stmt_evaluate_tproxy(struct eval_ctx *ctx, struct stmt *stmt)
 		/* this prevents us from rules like
 		 * ip protocol tcp tproxy ip6 to [dead::beef]
 		 */
-		return stmt_error(ctx, stmt,
-				  "Conflicting network layer protocols.");
+		return stmt_binary_error(ctx, stmt,
+					 &ctx->pctx.protocol[PROTO_BASE_NETWORK_HDR],
+					 "conflicting protocols specified: %s vs. %s. You must specify ip or ip6 family in tproxy statement",
+					 ctx->pctx.protocol[PROTO_BASE_NETWORK_HDR].desc->name,
+					 family2str(stmt->tproxy.family));
 
 	if (stmt->tproxy.addr != NULL) {
 		if (stmt->tproxy.addr->etype == EXPR_RANGE)
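Review bot: when the statement carries no family at all (`tproxy to :2000` in an inet table), `stmt->tproxy.family` is still its unset value and `family2str()` yields `unknown`, so the message reads `ip vs. unknown`, as the commit log shows; `unknown` is not something the user typed, so consider branching on that case and printing only the `You must specify ip or ip6 family in tproxy statement` half, keeping the `%s vs. %s` form for a genuine ip/ip6 mismatch such as the `ip protocol tcp tproxy ip6 to [dead::beef]` example in the comment above. The format-string line also runs well past 80 columns and should be split. Passing `&ctx->pctx.protocol[PROTO_BASE_NETWORK_HDR]` as the second location is a clear improvement: the `~~~~` marker now points at the `ip daddr` expression that fixed the network protocol, not just at the tproxy statement.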
-- 
2.11.0


