From c559cb37e09526e02da02724017d0f921a03a1c1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Christian=20G=C3=B6ttsche?=
Date: Mon, 28 Oct 2019 15:12:29 +0100
Subject: [PATCH] add secmark_raw for storing secmark id in packet state

---
 src/ct.c | 2 ++
 src/evaluate.c | 2 ++
 src/meta.c | 3 +++
 src/parser_bison.y | 37 +++++++++++++++++++++++++++++--------
 src/rule.c | 6 ++++++
 src/scanner.l | 1 +
 6 files changed, 43 insertions(+), 8 deletions(-)

diff --git a/src/ct.c b/src/ct.c
index ed458e6..9e6a835 100644
--- a/src/ct.c
+++ b/src/ct.c
@@ -299,6 +299,8 @@ const struct ct_template ct_templates[__NFT_CT_MAX] = {
 BYTEORDER_BIG_ENDIAN, 128),
 [NFT_CT_DST_IP6] = CT_TEMPLATE("ip6 daddr", &ip6addr_type,
 BYTEORDER_BIG_ENDIAN, 128),
+ [NFT_CT_SECMARK] = CT_TEMPLATE("secmark", &integer_type,
+ BYTEORDER_HOST_ENDIAN, 32),
 };

 static void ct_print(enum nft_ct_keys key, int8_t dir, uint8_t nfproto,
diff --git a/src/evaluate.c b/src/evaluate.c
index a56cd2a..1b2f5e3 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -3944,8 +3944,10 @@ static int cmd_evaluate_reset(struct eval_ctx *ctx, struct cmd *cmd)
 switch (cmd->obj) {
 case CMD_OBJ_COUNTER:
 case CMD_OBJ_QUOTA:
+ case CMD_OBJ_SECMARK:
 case CMD_OBJ_COUNTERS:
 case CMD_OBJ_QUOTAS:
+ case CMD_OBJ_SECMARKS:
 if (cmd->handle.table.name == NULL)
 return 0;
 if (table_lookup(&cmd->handle, &ctx->nft->cache) == NULL)
diff --git a/src/meta.c b/src/meta.c
index f54b818..8093d67 100644
--- a/src/meta.c
+++ b/src/meta.c
@@ -709,6 +709,8 @@ const struct meta_template meta_templates[] = {
 [NFT_META_TIME_HOUR] = META_TEMPLATE("hour", &hour_type,
 4 * BITS_PER_BYTE,
 BYTEORDER_HOST_ENDIAN),
+ [NFT_META_SECMARK] = META_TEMPLATE("secmark", &integer_type,
+ 32, BYTEORDER_HOST_ENDIAN),
 };

 static bool meta_key_is_unqualified(enum nft_meta_keys key)
@@ -720,6 +722,7 @@ static bool meta_key_is_unqualified(enum nft_meta_keys key)
 case NFT_META_OIFNAME:
 case NFT_META_IIFGROUP:
 case NFT_META_OIFGROUP:
+ case NFT_META_SECMARK:
 return true;
 default:
 return false;
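Review bot: The ct template added here names the key `"secmark"`, but the only ct_key alternative that yields NFT_CT_SECMARK in the parser_bison.y hunk at -4354 is `SECMARK_RAW`, whose lexeme scanner.l defines as `"secmark_raw"`; a rule printed from this template therefore presumably lists as `ct secmark …` and cannot be read back by the parser (the printer itself is outside the patch, so worth confirming). The META_TEMPLATE added in src/meta.c at -709 has the same split between `"secmark"` and `meta_key_qualified : … SECMARK_RAW`. If `secmark_raw` is meant to be the user-visible spelling of the raw id, the template strings should match it: `[NFT_CT_SECMARK] = CT_TEMPLATE("secmark_raw", &integer_type,` and `[NFT_META_SECMARK] = META_TEMPLATE("secmark_raw", &integer_type,`.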
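Review bot: The CMD_OBJ_SECMARK/CMD_OBJ_SECMARKS cases added to cmd_evaluate_reset here, together with the `reset secmark(s)` productions in parser_bison.y at -1365 and the do_command_reset cases in src/rule.c at -2454, introduce a `reset` command for secmark objects that the commit subject and message do not mention. Counters and quotas carry state that a reset clears; a secmark object, as far as I can tell, holds only its configured context, so what `reset` is expected to do for it is unclear and deserves at least a sentence in the commit message, or better a separate commit so the secmark_raw change can be reviewed on its own.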
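Review bot: Adding NFT_META_SECMARK to meta_key_is_unqualified() indicates the key may be emitted without the `meta` prefix, yet the grammar only gains the key under `meta_key_qualified` (parser_bison.y at -4123) while `meta_key_unqualified` at -4152 is unchanged, so whatever string the template prints will only parse in the `meta …` form (the printer is not in this patch — confirm). Either drop this case so the key stays qualified on output, or put the new alternative in meta_key_unqualified instead of meta_key_qualified: `| SECMARK_RAW { $$ = NFT_META_SECMARK; }`.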
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 11f0dc8..16fcea2 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -479,6 +479,7 @@ int nft_lex(void *, void *, void *);

 %token SECMARK "secmark"
 %token SECMARKS "secmarks"
+%token SECMARK_RAW "secmark_raw"

 %token NANOSECOND "nanosecond"
 %token MICROSECOND "microsecond"
@@ -748,7 +749,7 @@ int nft_lex(void *, void *, void *);

 %type meta_expr
 %destructor { expr_free($$); } meta_expr
-%type meta_key meta_key_qualified meta_key_unqualified numgen_type
+%type meta_key meta_key_qualified meta_key_unqualified meta_key_object numgen_type

 %type socket_expr
 %destructor { expr_free($$); } socket_expr
@@ -1365,6 +1366,18 @@ reset_cmd : COUNTERS ruleset_spec
 {
 $$ = cmd_alloc(CMD_RESET, CMD_OBJ_QUOTA, &$2, &@$, NULL);
 }
+ | SECMARKS ruleset_spec
+ {
+ $$ = cmd_alloc(CMD_RESET, CMD_OBJ_SECMARKS, &$2, &@$, NULL);
+ }
+ | SECMARKS TABLE table_spec
+ {
+ $$ = cmd_alloc(CMD_RESET, CMD_OBJ_SECMARKS, &$3, &@$, NULL);
+ }
+ | SECMARK obj_spec
+ {
+ $$ = cmd_alloc(CMD_RESET, CMD_OBJ_SECMARK, &$2, &@$, NULL);
+ }
 ;

 flush_cmd : TABLE table_spec
@@ -4123,7 +4136,7 @@ meta_key_qualified : LENGTH { $$ = NFT_META_LEN; }
 | PROTOCOL { $$ = NFT_META_PROTOCOL; }
 | PRIORITY { $$ = NFT_META_PRIORITY; }
 | RANDOM { $$ = NFT_META_PRANDOM; }
- | SECMARK { $$ = NFT_META_SECMARK; }
+ | SECMARK_RAW { $$ = NFT_META_SECMARK; }
 ;

 meta_key_unqualified : MARK { $$ = NFT_META_MARK; }
@@ -4152,7 +4165,18 @@ meta_key_unqualified : MARK { $$ = NFT_META_MARK; }
 | HOUR { $$ = NFT_META_TIME_HOUR; }
 ;

+meta_key_object : SECMARK { $$ = NFT_META_SECMARK; }
+ ;
+
 meta_stmt : META meta_key SET stmt_expr
+ {
+ $$ = meta_stmt_alloc(&@$, $2, $4);
+ }
+ | meta_key_unqualified SET stmt_expr
+ {
+ $$ = meta_stmt_alloc(&@$, $1, $3);
+ }
+ | META meta_key_object SET stmt_expr
 {
 switch ($2) {
 case NFT_META_SECMARK:
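Review bot: Replacing `SECMARK` with `SECMARK_RAW` in meta_key_qualified removes the only production through which `meta secmark <value>` parsed as a match expression; after this patch `SECMARK` survives only in `meta_key_object`, which the -4152 hunk uses for the `set` statement, so existing rulesets that match on `meta secmark …` stop loading. That is a user-visible compatibility break the commit message does not mention. If it is intended, state it in the message and the documentation; if not, `| SECMARK { $$ = NFT_META_SECMARK; }` has to stay reachable for the match case, keeping in mind that a second SECMARK alternative next to meta_key_object may give bison a reduce/reduce conflict, which is presumably why the old single meta_stmt rule switched on the key instead of splitting the grammar.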
@@ -4161,14 +4185,10 @@ meta_stmt : META meta_key SET stmt_expr
 $$->objref.expr = $4;
 break;
 default:
- $$ = meta_stmt_alloc(&@$, $2, $4);
- break;
+ erec_queue(error(&@2, "invalid meta object name '%s'\n", $2), state->msgs);
+ YYERROR;
 }
 }
- | meta_key_unqualified SET stmt_expr
- {
- $$ = meta_stmt_alloc(&@$, $1, $3);
- }
 | META STRING SET stmt_expr
 {
 struct error_record *erec;
@@ -4354,6 +4374,7 @@ ct_key : L3PROTOCOL { $$ = NFT_CT_L3PROTOCOL; }
 | PROTO_DST { $$ = NFT_CT_PROTO_DST; }
 | LABEL { $$ = NFT_CT_LABELS; }
 | EVENT { $$ = NFT_CT_EVENTMASK; }
+ | SECMARK_RAW { $$ = NFT_CT_SECMARK; }
 | ct_key_dir_optional
 ;

diff --git a/src/rule.c b/src/rule.c
index 64756bc..dbbec5e 100644
--- a/src/rule.c
+++ b/src/rule.c
@@ -2454,6 +2454,12 @@ static int do_command_reset(struct netlink_ctx *ctx, struct cmd *cmd)
 case CMD_OBJ_QUOTA:
 type = NFT_OBJECT_QUOTA;
 break;
+ case CMD_OBJ_SECMARKS:
+ dump = true;
+ /* fall through */
+ case CMD_OBJ_SECMARK:
+ type = NFT_OBJECT_SECMARK;
+ break;
 default:
 BUG("invalid command object type %u\n", cmd->obj);
 }
diff --git a/src/scanner.l b/src/scanner.l
index 3de5a9e..feaa691 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -591,6 +591,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})

 "secmark" { return SECMARK; }
 "secmarks" { return SECMARKS; }
+"secmark_raw" { return SECMARK_RAW; }

 {addrstring} {
 yylval->string = xstrdup(yytext);
--
2.24.0.rc1
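Review bot: `error(&@2, "invalid meta object name '%s'\n", $2)` passes `$2` for `%s`, but `$2` is the value of `meta_key_object`, which the -4152 hunk declares in the same `%type` list as meta_key and assigns from `NFT_META_SECMARK`, i.e. an integer rather than a string — a format/argument mismatch that is undefined behaviour if the branch is ever taken. As written it cannot be taken, because meta_key_object has the single alternative SECMARK and the switch already handles NFT_META_SECMARK, so the default arm is dead code. Either print the key numerically with the specifier matching that `%type`'s integer type, e.g. `erec_queue(error(&@2, "invalid meta object key %u\n", $2), state->msgs);`, or make the arm a `BUG(…)` the way do_command_reset in src/rule.c treats an unreachable switch default. The enclosing meta_stmt rule begins before this hunk and continues after it.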