netfilter-devel.vger.kernel.org archive mirror
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: fw@strlen.de
Subject: [PATCH nft 03/10] src: support for RFC2732 IPv6 address format with brackets
Date: Wed, 17 Aug 2016 15:29:54 +0200
Message-ID: <1471440601-5327-4-git-send-email-pablo@netfilter.org>
In-Reply-To: <1471440601-5327-1-git-send-email-pablo@netfilter.org>

The statement:

	dnat to 2001:838:35f:1:::80

is very confusing as it is not so easy to identify where the address ends
and the port starts. This is even harder to read with ranges.

So this patch adds square brackets as in RFC2732 to enclose the IPv6
address.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 src/scanner.l                   |  7 +++++++
 src/statement.c                 | 22 ++++++++++++++++++++--
 tests/py/ip6/dnat.t             |  5 +++--
 tests/py/ip6/dnat.t.payload.ip6 | 14 ++++++++++++--
 tests/py/ip6/snat.t             |  4 ++--
 tests/py/ip6/snat.t.payload.ip6 |  4 ++--
 6 files changed, 46 insertions(+), 10 deletions(-)

diff --git a/src/scanner.l b/src/scanner.l
index 613c3c9..3ad4dd9 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -169,6 +169,7 @@ v60		(::)
 macaddr		(([[:xdigit:]]{1,2}:){5}[[:xdigit:]]{1,2})
 ip4addr		(([[:digit:]]{1,3}"."){3}([[:digit:]]{1,3}))
 ip6addr		({v680}|{v67}|{v66}|{v65}|{v64}|{v63}|{v62}|{v61}|{v60})
+ip6addr_rfc2732	(\[{ip6addr}\])
 
 addrstring	({macaddr}|{ip4addr}|{ip6addr})
 
@@ -475,6 +476,12 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 				return STRING;
 			}
 
+{ip6addr_rfc2732}	{
+				yytext[yyleng - 1] = '\0';
+				yylval->string = xstrdup(yytext + 1);
+				return STRING;
+			}
+
 {timestring}		{
 				yylval->string = xstrdup(yytext);
 				return STRING;
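
Review bot: the new {ip6addr_rfc2732} action returns a plain STRING with the brackets already stripped, so the parser cannot tell a bracketed address from a bare one, and the bracketed form is accepted wherever the grammar takes that STRING rather than only in front of a port in snat/dnat. If that is intended, the commit message should say so; if not, a distinct token would let the grammar restrict it. As a smaller point, the action truncates the scanner buffer in place with yytext[yyleng - 1] = '\0' before duplicating it; copying the yyleng - 2 bytes that start at yytext + 1 would leave yytext untouched.
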
diff --git a/src/statement.c b/src/statement.c
index ccc16bb..fbe74a6 100644
--- a/src/statement.c
+++ b/src/statement.c
@@ -397,8 +397,26 @@ static void nat_stmt_print(const struct stmt *stmt)
 	};
 
 	printf("%s to ", nat_types[stmt->nat.type]);
-	if (stmt->nat.addr)
-		expr_print(stmt->nat.addr);
+	if (stmt->nat.addr) {
+		if (stmt->nat.proto) {
+			if (stmt->nat.addr->ops->type == EXPR_VALUE &&
+			    stmt->nat.addr->dtype->type == TYPE_IP6ADDR) {
+				printf("[");
+				expr_print(stmt->nat.addr);
+				printf("]");
+			} else if (stmt->nat.addr->ops->type == EXPR_RANGE &&
+				   stmt->nat.addr->left->dtype->type == TYPE_IP6ADDR) {
+				printf("[");
+				expr_print(stmt->nat.addr->left);
+				printf("]-[");
+				expr_print(stmt->nat.addr->right);
+				printf("]");
+			}
+		} else {
+			expr_print(stmt->nat.addr);
+		}
+	}
+
 	if (stmt->nat.proto) {
 		printf(":");
 		expr_print(stmt->nat.proto);
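
Review bot: in nat_stmt_print(), when stmt->nat.proto is set and the address is neither an IPv6 EXPR_VALUE nor an IPv6 EXPR_RANGE, neither inner branch runs and the address is never printed, so the output goes straight from "to " to ":" and the port. That path covers any non-IPv6 address combined with a port. The inner if / else if needs a final else that calls expr_print(stmt->nat.addr), or the structure could be inverted so the plain expr_print() is the default and only the two IPv6 cases add brackets. The range branch also checks only left->dtype; if left and right can differ in type, check both.
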
diff --git a/tests/py/ip6/dnat.t b/tests/py/ip6/dnat.t
index b256e01..78d6d0a 100644
--- a/tests/py/ip6/dnat.t
+++ b/tests/py/ip6/dnat.t
@@ -2,5 +2,6 @@
 
 *ip6;test-ip6;prerouting
 
-tcp dport 80-90 dnat to 2001:838:35f:1::-2001:838:35f:2:::80-100;ok
-tcp dport 80-90 dnat to 2001:838:35f:1::-2001:838:35f:2:: :100;ok;tcp dport 80-90 dnat to 2001:838:35f:1::-2001:838:35f:2:::100
+tcp dport 80-90 dnat to [2001:838:35f:1::]-[2001:838:35f:2::]:80-100;ok
+tcp dport 80-90 dnat to [2001:838:35f:1::]-[2001:838:35f:2::]:100;ok;tcp dport 80-90 dnat to [2001:838:35f:1::]-[2001:838:35f:2::]:100
+tcp dport 80-90 dnat to [2001:838:35f:1::]:80;ok
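
Review bot: the second added line carries an expected-output field that is identical to its input, which was only needed while the input used the " :100" spacing; a plain ";ok" is enough now. The cases also cover brackets only when a port follows. Since nat_stmt_print() in this patch prints brackets only if stmt->nat.proto is set, a rule such as "dnat to [2001:838:35f:1::]" without a port would be listed back without brackets, and a test line with that input and its bare expected output would pin that behaviour down.
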
diff --git a/tests/py/ip6/dnat.t.payload.ip6 b/tests/py/ip6/dnat.t.payload.ip6
index 494ade3..8bd5819 100644
--- a/tests/py/ip6/dnat.t.payload.ip6
+++ b/tests/py/ip6/dnat.t.payload.ip6
@@ -1,4 +1,4 @@
-# tcp dport 80-90 dnat to 2001:838:35f:1::-2001:838:35f:2:::80-100
+# tcp dport 80-90 dnat to [2001:838:35f:1::]-[2001:838:35f:2::]:80-100
 ip6 test-ip6 prerouting
   [ payload load 1b @ network header + 6 => reg 1 ]
   [ cmp eq reg 1 0x00000006 ]
@@ -11,7 +11,7 @@ ip6 test-ip6 prerouting
   [ immediate reg 4 0x00006400 ]
   [ nat dnat ip6 addr_min reg 1 addr_max reg 2 proto_min reg 3 proto_max reg 4 ]
 
-# tcp dport 80-90 dnat to 2001:838:35f:1::-2001:838:35f:2:: :100
+# tcp dport 80-90 dnat to [2001:838:35f:1::]-[2001:838:35f:2::]:100
 ip6 test-ip6 prerouting
   [ payload load 1b @ network header + 6 => reg 1 ]
   [ cmp eq reg 1 0x00000006 ]
@@ -23,3 +23,13 @@ ip6 test-ip6 prerouting
   [ immediate reg 3 0x00006400 ]
   [ nat dnat ip6 addr_min reg 1 addr_max reg 2 proto_min reg 3 proto_max reg 0 ]
 
+# tcp dport 80-90 dnat to [2001:838:35f:1::]:80
+ip6 test-ip6 prerouting
+  [ payload load 1b @ network header + 6 => reg 1 ]
+  [ cmp eq reg 1 0x00000006 ]
+  [ payload load 2b @ transport header + 2 => reg 1 ]
+  [ cmp gte reg 1 0x00005000 ]
+  [ cmp lte reg 1 0x00005a00 ]
+  [ immediate reg 1 0x38080120 0x01005f03 0x00000000 0x00000000 ]
+  [ immediate reg 2 0x00005000 ]
+  [ nat dnat ip6 addr_min reg 1 addr_max reg 0 proto_min reg 2 proto_max reg 0 ]
diff --git a/tests/py/ip6/snat.t b/tests/py/ip6/snat.t
index b85d9af..c259f93 100644
--- a/tests/py/ip6/snat.t
+++ b/tests/py/ip6/snat.t
@@ -2,5 +2,5 @@
 
 *ip6;test-ip6;postrouting
 
-tcp dport 80-90 snat to 2001:838:35f:1::-2001:838:35f:2:: :80-100;ok;tcp dport 80-90 snat to 2001:838:35f:1::-2001:838:35f:2:::80-100
-tcp dport 80-90 snat to 2001:838:35f:1::-2001:838:35f:2:::100;ok
+tcp dport 80-90 snat to [2001:838:35f:1::]-[2001:838:35f:2::]:80-100;ok;tcp dport 80-90 snat to [2001:838:35f:1::]-[2001:838:35f:2::]:80-100
+tcp dport 80-90 snat to [2001:838:35f:1::]-[2001:838:35f:2::]:100;ok
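
Review bot: the first added line repeats its input verbatim as the expected output, so the third field can be dropped and the line reduced to ";ok". snat.t also gets no single-address case with a port, unlike the "[2001:838:35f:1::]:80" line added to dnat.t, so the EXPR_VALUE branch of the new printing code is exercised for dnat only; adding the matching snat line and payload would close that gap.
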
diff --git a/tests/py/ip6/snat.t.payload.ip6 b/tests/py/ip6/snat.t.payload.ip6
index fbc99c1..ea40363 100644
--- a/tests/py/ip6/snat.t.payload.ip6
+++ b/tests/py/ip6/snat.t.payload.ip6
@@ -1,4 +1,4 @@
-# tcp dport 80-90 snat to 2001:838:35f:1::-2001:838:35f:2:: :80-100
+# tcp dport 80-90 snat to [2001:838:35f:1::]-[2001:838:35f:2::]:80-100
 ip6 test-ip6 postrouting
   [ payload load 1b @ network header + 6 => reg 1 ]
   [ cmp eq reg 1 0x00000006 ]
@@ -11,7 +11,7 @@ ip6 test-ip6 postrouting
   [ immediate reg 4 0x00006400 ]
   [ nat snat ip6 addr_min reg 1 addr_max reg 2 proto_min reg 3 proto_max reg 4 ]
 
-# tcp dport 80-90 snat to 2001:838:35f:1::-2001:838:35f:2:::100
+# tcp dport 80-90 snat to [2001:838:35f:1::]-[2001:838:35f:2::]:100
 ip6 test-ip6 postrouting
   [ payload load 1b @ network header + 6 => reg 1 ]
   [ cmp eq reg 1 0x00000006 ]
-- 
2.1.4

