From: Phil Sutter <phil@nwl.cc>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org
Subject: [nft PATCH 0/3] Boolean comparison and exthdr existence match support
Date: Tue, 17 Jan 2017 23:10:04 +0100 [thread overview]
Message-ID: <20170117221007.14951-1-phil@nwl.cc> (raw)
The following series adds two distinct features to nftables, though
since the second one depends on presence of the first one this is
submitted as a series.
Patch 1 adds support for a boolean variant of relational expression.
It's OP is strictly implicit and determined by RHS being a boolean
expression. It depends on a related kernel patch adding support for
NFT_CMP_BOOL to nft_cmp.c.
Patch 2 extends exthdr expression by a private flags field which will be
used in patch 3. It depends on a related patch for libnftnl to handle
the new field.
Patch 3 then adds support for checking extension header presence to
exthdr expression by making use of the previously introduced exthdr flag
NFT_EXTHDR_F_PRESENT. It's ideally used together with a boolean
relational expression for a syntax of e.g.:
| exthdr hbh exists
to match on hop-by-hop options presence or:
| exthdr frag missing
to match on packets without fragmentation header present.
Phil Sutter (3):
Implement boolean comparison in relational expression
exthdr: Add support for exthdr specific flags
exthdr: Implement exthdr existence check
include/expression.h | 10 +++++++++
include/exthdr.h | 4 ++++
include/linux/netfilter/nf_tables.h | 1 +
include/netlink.h | 2 ++
src/evaluate.c | 13 ++++++++++++
src/expression.c | 39 ++++++++++++++++++++++++++++++++++
src/exthdr.c | 10 +++++++--
src/netlink.c | 20 ++++++++++++++++++
src/netlink_delinearize.c | 12 +++++++++--
src/netlink_linearize.c | 4 ++++
src/parser_bison.y | 42 +++++++++++++++++++++++++++++++++++++
src/scanner.l | 7 +++++++
12 files changed, 160 insertions(+), 4 deletions(-)
--
2.11.0
next reply other threads:[~2017-01-17 22:07 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-17 22:10 Phil Sutter [this message]
2017-01-17 22:10 ` [nft PATCH 1/3] Implement boolean comparison in relational expression Phil Sutter
2017-01-17 22:10 ` [nft PATCH 2/3] exthdr: Add support for exthdr specific flags Phil Sutter
2017-01-17 22:10 ` [nft PATCH 3/3] exthdr: Implement exthdr existence check Phil Sutter
2017-01-23 12:57 ` [nft PATCH 0/3] Boolean comparison and exthdr existence match support Pablo Neira Ayuso
2017-02-06 14:26 ` Phil Sutter
2017-02-06 17:16 ` Pablo Neira Ayuso
2017-02-07 2:28 ` Phil Sutter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170117221007.14951-1-phil@nwl.cc \
--to=phil@nwl.cc \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).