From: Phil Sutter <phil@nwl.cc>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org
Subject: [nft PATCH 3/3] exthdr: Implement exthdr existence check
Date: Tue, 17 Jan 2017 23:10:07 +0100	[thread overview]
Message-ID: <20170117221007.14951-4-phil@nwl.cc> (raw)
In-Reply-To: <20170117221007.14951-1-phil@nwl.cc>

This is meant to be used as LHS of a boolean relational expression, like
the following example matching on fragment header presence:

| exthdr frag exists

Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 include/exthdr.h   |  4 ++++
 src/expression.c   |  1 +
 src/exthdr.c       |  6 +++++-
 src/parser_bison.y | 24 ++++++++++++++++++++++++
 src/scanner.l      |  2 ++
 5 files changed, 36 insertions(+), 1 deletion(-)

diff --git a/include/exthdr.h b/include/exthdr.h
index d17841bc46159..f45cdf9b1886a 100644
--- a/include/exthdr.h
+++ b/include/exthdr.h
@@ -85,4 +85,8 @@ extern const struct exthdr_desc exthdr_frag;
 extern const struct exthdr_desc exthdr_dst;
 extern const struct exthdr_desc exthdr_mh;
 
+enum nft_exthdr_flags {
+	NFT_EXTHDR_F_PRESENT = (1 << 0),
+};
+
 #endif /* NFTABLES_EXTHDR_H */
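Review bot: `NFT_EXTHDR_F_PRESENT` is added without a comment, and its `NFT_` prefix reads like a kernel netlink constant rather than a definition private to nft. If the flags value is sent to the kernel (not visible in this patch), this copy in include/exthdr.h has to stay bit-identical to the kernel's definition and can drift silently; in that case it would sit better next to the other netlink definitions. Either way a one-line comment would help, for example `/* match on presence of the extension header instead of loading a field */`.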
diff --git a/src/expression.c b/src/expression.c
index 8842a7836fc07..9034420ae0db4 100644
--- a/src/expression.c
+++ b/src/expression.c
@@ -1002,6 +1002,7 @@ static void boolean_expr_print(const struct expr *expr)
 	switch (expr->dtype->type) {
 	case TYPE_FIB_ADDR:		/* fib expr */
 	case TYPE_IFINDEX:		/* fib expr */
+	case TYPE_INET_PROTOCOL:	/* exthdr exists expr */
 		printf(expr->boolean ? "exists" : "missing");
 		break;
 	default:
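Review bot: The added `case TYPE_INET_PROTOCOL` selects the "exists"/"missing" keywords by datatype alone, so the output depends on the boolean expression having picked up inet_protocol, apparently from the NEXTHDR template that the parser hard-codes for `exthdr ... exists`. Any other boolean expression that ends up with this datatype would print the same keywords, and an exthdr template with a different type would fall through to `default`. A comment stating where the type comes from would make the coupling visible, e.g. `/* dtype is taken from the NEXTHDR template used by the exthdr presence check */`. boolean_expr_print starts and ends outside the hunk, so the default branch is not visible here.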
diff --git a/src/exthdr.c b/src/exthdr.c
index 32bf3558115c5..37d7700f328c8 100644
--- a/src/exthdr.c
+++ b/src/exthdr.c
@@ -24,7 +24,11 @@
 
 static void exthdr_expr_print(const struct expr *expr)
 {
-	printf("%s %s", expr->exthdr.desc->name, expr->exthdr.tmpl->token);
+	if (expr->exthdr.flags & NFT_EXTHDR_F_PRESENT)
+		printf("exthdr %s", expr->exthdr.desc->name);
+	else
+		printf("%s %s", expr->exthdr.desc->name,
+				expr->exthdr.tmpl->token);
 }
 
 static bool exthdr_expr_cmp(const struct expr *e1, const struct expr *e2)
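Review bot: `exthdr_expr_print` now distinguishes a presence check from a field load by `expr->exthdr.flags`, but `exthdr_expr_cmp`, whose signature is the last line of this hunk, is not updated and its body is not visible. If it compares only `desc` and `tmpl`, then `exthdr frag` and `frag nexthdr` would compare equal, because both use the same descriptor and the same template. That matters wherever expressions are merged or deduplicated, since the two forms are different matches in a ruleset. If patch 2/3 did not already add it, the comparison should include `e1->exthdr.flags == e2->exthdr.flags`.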
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 3205cc407ffa8..e819affadbf05 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -139,6 +139,7 @@ static void location_update(struct location *loc, struct location *rhs, int n)
 	const struct datatype	*datatype;
 	struct handle_spec	handle_spec;
 	struct position_spec	position_spec;
+	const struct exthdr_desc *exthdr_desc;
 }
 
 %token TOKEN_EOF 0		"end of file"
@@ -431,6 +432,8 @@ static void location_update(struct location *loc, struct location *rhs, int n)
 %token TRUE			"true"
 %token FALSE			"false"
 
+%token EXTHDR			"exthdr"
+
 %type <val>			boolean_spec
 %type <expr>			boolean_expr
 %destructor { expr_free($$); }	boolean_expr
@@ -633,6 +636,10 @@ static void location_update(struct location *loc, struct location *rhs, int n)
 %type <quota>			quota_config
 %destructor { xfree($$); }	quota_config
 
+%type <expr>			exthdr_exists_expr
+%destructor { expr_free($$); }	exthdr_exists_expr
+%type <exthdr_desc>		exthdr_spec
+
 %%
 
 input			:	/* empty */
@@ -2260,6 +2267,7 @@ primary_expr		:	symbol_expr			{ $$ = $1; }
 			|	integer_expr			{ $$ = $1; }
 			|	payload_expr			{ $$ = $1; }
 			|	exthdr_expr			{ $$ = $1; }
+			|	exthdr_exists_expr		{ $$ = $1; }
 			|	meta_expr			{ $$ = $1; }
 			|	rt_expr				{ $$ = $1; }
 			|	ct_expr				{ $$ = $1; }
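Review bot: Adding `exthdr_exists_expr` to `primary_expr` lets `exthdr frag` appear wherever a primary expression is accepted, not only as the LHS of a boolean comparison as the commit message intends. Whether evaluation rejects other uses, such as comparing against a non-boolean value or using it as a set or map key, is not visible in this patch. If nothing rejects them, such a rule would be accepted with `NFT_EXTHDR_F_PRESENT` set and a meaning the user cannot predict, which is a poor property for a filtering rule. An evaluation-time check that an expression carrying the flag is only compared against a boolean, plus a test for the rejected forms, would close this.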
@@ -3316,4 +3324,20 @@ mh_hdr_field		:	NEXTHDR		{ $$ = MHHDR_NEXTHDR; }
 			|	CHECKSUM	{ $$ = MHHDR_CHECKSUM; }
 			;
 
+exthdr_exists_expr	:	EXTHDR	exthdr_spec
+			{
+				/* Assume that NEXTHDR template is always
+				 * the fist one in list of templates.
+				 */
+				$$ = exthdr_expr_alloc(&@$, $2, 1);
+				$$->exthdr.flags = NFT_EXTHDR_F_PRESENT;
+			}
+			;
+
+exthdr_spec		:	HBH	{ $$ = &exthdr_hbh; }
+			|	RT	{ $$ = &exthdr_rt; }
+			|	FRAG	{ $$ = &exthdr_frag; }
+			|	DST	{ $$ = &exthdr_dst; }
+			|	MH	{ $$ = &exthdr_mh; }
+			;
 %%
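Review bot: The literal `1` in `exthdr_expr_alloc(&@$, $2, 1)` encodes the assumption from the comment above it, that this index is the NEXTHDR template for every descriptor `exthdr_spec` can return, and nothing in the hunk enforces that. Reordering the templates of one descriptor later would silently make the presence check load a different field. A named constant shared by all descriptors, or a check next to the descriptor definitions, would make the dependency explicit. The comment also has a typo ("fist") and says "first one in list" while the index passed is 1; something like `/* Template index 1 is assumed to be NEXTHDR in every exthdr_desc. */` would match the code.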
diff --git a/src/scanner.l b/src/scanner.l
index debc18fad37ef..bd6edaac1224b 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -487,6 +487,8 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 "true"			{ return TRUE; }
 "false"			{ return FALSE; }
 
+"exthdr"		{ return EXTHDR; }
+
 {addrstring}		{
 				yylval->string = xstrdup(yytext);
 				return STRING;
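Review bot: The new `"exthdr"` rule makes the word a reserved keyword, so it no longer reaches the generic string rules. Existing rulesets that use `exthdr` as a table, chain or set name would presumably stop parsing after this change, unless the grammar's identifier rule accepts the `EXTHDR` token, which is not visible here. That turns an upgrade into a ruleset load failure, so it is worth confirming and mentioning in the commit message. The `{addrstring}` action at the end of the hunk continues outside it.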
-- 
2.11.0

