From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
Cc: Netfilter Development Mailing list
<netfilter-devel@vger.kernel.org>,
Patrick McHardy <kaber@trash.net>
Subject: Re: [nft PATCH 2/3] src: add xt compat support
Date: Fri, 27 Mar 2015 13:31:39 +0100
Message-ID: <20150327123139.GA10614@salvia>
In-Reply-To: <CAOkSjBivwzs8X+y1PRqG8-hg4b-0QQ_NXfJ38YoT9V05vt7Bag@mail.gmail.com>

On Fri, Mar 27, 2015 at 01:00:37PM +0100, Arturo Borrero Gonzalez wrote:
> On 25 March 2015 at 20:44, Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > On Wed, Mar 25, 2015 at 08:16:02PM +0100, Arturo Borrero Gonzalez wrote:
> >> diff --git a/include/xt.h b/include/xt.h
> >> new file mode 100644
> >> index 0000000..414f3d1
> >> --- /dev/null
> >> +++ b/include/xt.h
> >> @@ -0,0 +1,100 @@
> >> +#ifndef _NFT_XT_H_
> >> +#define _NFT_XT_H_
> >> +
> >> +#include <arpa/inet.h>
> >> +#include <netinet/in.h>
> >> +#include <limits.h>
> >> +#include <net/if.h>
> >> +#include <net/ethernet.h>
> >> +
> >> +struct netlink_linearize_ctx;
> >> +struct netlink_parse_ctx;
> >> +struct nft_rule_expr;
> >> +struct rule_pp_ctx;
> >> +struct rule;
> >> +
> >> +#ifdef HAVE_LIBXTABLES
> >> +
> >> +#include <linux/netfilter_ipv4/ip_tables.h>
> >> +#include <linux/netfilter_ipv6/ip6_tables.h>
> >> +#include <linux/netfilter_arp/arp_tables.h>
> >> +
> >> +/* Fake ebt_entry */
> >> +struct ebt_entry {
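Review bot: the `/* Fake ebt_entry */` comment above `struct ebt_entry` does not say why the structure is redefined here or which kernel header it mirrors. A local copy of a kernel structure can drift from the real layout without any build error, so the comment should name the header it was copied from and the include conflict that forces the copy, so a later reader knows when the copy can be dropped.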
> >
> > I think you can avoid this if you:
> >
> > #include <linux/netfilter_bridge/ebtables.h>
> >
>
> Can't include <linux/netfilter_bridge/ebtables.h> because it includes
> <linux/if.h> and clashes with <net/if.h>

There must be a clean way to fix this without embedding the ebt_entry
structure.

> I will put a comment in the code.
>
> >
> >> + struct stmt *stmt, struct rule *rule) {}
> >> +
> >> +#endif /* HAVE_LIBXTABLES */
> >> +
> >> +#endif /* _NFT_XT_H_ */
> >> +xt_opts : /* empty */ { $$ = NULL; }
> >> + | XTOPTS { $$ = $1; }
> >> + ;
> >> +
> >> +xt_name : STRING { $$ = $1; }
> >> + | STATE { $$ = xstrdup("state"); }
> >> + | COMMENT { $$ = xstrdup("comment"); }
> >> + | AH { $$ = xstrdup("ah"); }
> >> + | ESP { $$ = xstrdup("esp"); }
> >> + | TCP { $$ = xstrdup("tcp"); }
> >> + | UDP { $$ = xstrdup("udp"); }
> >> + | UDPLITE { $$ = xstrdup("udplite"); }
> >> + | SCTP { $$ = xstrdup("sctp"); }
> >> + | ICMP { $$ = xstrdup("icmp"); }
> >> + | IP { $$ = xstrdup("ip"); }
> >> + | VLAN { $$ = xstrdup("vlan"); }
> >> + | LOG { $$ = xstrdup("log"); }
> >> + | _802_3 { $$ = xstrdup("802_3"); }
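Review bot: in `xt_name`, every extension whose name is also a scanner keyword needs its own alternative (`STATE`, `COMMENT`, ... `_802_3`), so a keyword missing from this list, or one added to the scanner later, turns `xt match <name>` into a syntax error. A comment above the rule stating that it has to track the keyword list would help, and the `_802_3` alternative deserves a note on why that name needs a dedicated token.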
> >
> > This _802_3 should not be clashing with anything else, the problem is
> > somewhere else.
> >
>
> % sudo nft add rule bridge filter FORWARD xt match 802_3 [--802_3-sap 0x01 ]
> <cmdline>:1:41-43: Error: syntax error, unexpected number
> add rule bridge filter FORWARD xt match 802_3 [--802_3-sap 0x01 ]
>                                         ^^^
>
> I have to admit I don't know where to look. Do you have any hint?

I now see the problem, the scanner doesn't consider that a string can
start with a number, we have a similar problem with the expiration time.

Well, I would keep it there until we find a better solution. Please,
check if we have more extensions with this pattern.

Thanks Arturo.
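
The scanner behaviour described in the message above, as an added example that is not part of the original message and is not nft's scanner: a toy longest-match tokenizer whose two rules (`match_number`, `match_string`) and the `digit_first` switch are assumptions made for illustration. It shows why `802_3` at column 41 is reported as a number spanning columns 41-43.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

enum tok { TOK_NONE, TOK_NUMBER, TOK_STRING };

/* Constructed input: the command line from the message above. */
static const char CMD[] =
    "add rule bridge filter FORWARD xt match 802_3 [--802_3-sap 0x01 ]";

/* Assumed rule 1: a number is a run of decimal digits. */
static size_t match_number(const char *s)
{
    size_t n = 0;
    while (isdigit((unsigned char)s[n]))
        n++;
    return n;
}

/* Assumed rule 2: a string starts with a letter (or, if digit_first is
 * set, a digit) and continues with letters, digits, '_', '-', '.', '/'. */
static size_t match_string(const char *s, int digit_first)
{
    size_t n = 0;
    unsigned char c = (unsigned char)s[0];
    if (!isalpha(c) && !(digit_first && isdigit(c)))
        return 0;
    while (s[n] && (isalnum((unsigned char)s[n]) || strchr("_-./", s[n])))
        n++;
    return n;
}

/* Longest match wins; on a tie the number rule, listed first, wins. */
static enum tok scan(const char *s, size_t *len, int digit_first)
{
    size_t num = match_number(s), str = match_string(s, digit_first);
    *len = num >= str ? num : str;
    if (*len == 0)
        return TOK_NONE;
    return num >= str ? TOK_NUMBER : TOK_STRING;
}

int main(void)
{
    size_t len;
    enum tok t = scan(CMD + 40, &len, 0);   /* CMD + 40 is column 41 */
    printf("%s at columns 41-%zu\n", t == TOK_NUMBER ? "number" : "string", 40 + len);
    return 0;
}
```

With `digit_first` set, the same input scans as one five-character string, while a bare `802` still scans as a number because the tie goes to the first rule.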