From: Phil Sutter <phil@nwl.cc>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org
Subject: [nft PATCH 3/3] exthdr: Implement exthdr existence check
Date: Tue, 17 Jan 2017 23:10:07 +0100 [thread overview]
Message-ID: <20170117221007.14951-4-phil@nwl.cc> (raw)
In-Reply-To: <20170117221007.14951-1-phil@nwl.cc>
This is meant to be used as LHS of a boolean relational expression, like
the following example matching on fragment header presence:
| exthdr frag exists
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
include/exthdr.h | 4 ++++
src/expression.c | 1 +
src/exthdr.c | 6 +++++-
src/parser_bison.y | 24 ++++++++++++++++++++++++
src/scanner.l | 2 ++
5 files changed, 36 insertions(+), 1 deletion(-)
diff --git a/include/exthdr.h b/include/exthdr.h
index d17841bc46159..f45cdf9b1886a 100644
--- a/include/exthdr.h
+++ b/include/exthdr.h
@@ -85,4 +85,8 @@ extern const struct exthdr_desc exthdr_frag;
extern const struct exthdr_desc exthdr_dst;
extern const struct exthdr_desc exthdr_mh;
+enum nft_exthdr_flags {
+ NFT_EXTHDR_F_PRESENT = (1 << 0),
+};
+
#endif /* NFTABLES_EXTHDR_H */
diff --git a/src/expression.c b/src/expression.c
index 8842a7836fc07..9034420ae0db4 100644
--- a/src/expression.c
+++ b/src/expression.c
@@ -1002,6 +1002,7 @@ static void boolean_expr_print(const struct expr *expr)
switch (expr->dtype->type) {
case TYPE_FIB_ADDR: /* fib expr */
case TYPE_IFINDEX: /* fib expr */
+ case TYPE_INET_PROTOCOL: /* exthdr exists expr */
printf(expr->boolean ? "exists" : "missing");
break;
default:
diff --git a/src/exthdr.c b/src/exthdr.c
index 32bf3558115c5..37d7700f328c8 100644
--- a/src/exthdr.c
+++ b/src/exthdr.c
@@ -24,7 +24,11 @@
static void exthdr_expr_print(const struct expr *expr)
{
- printf("%s %s", expr->exthdr.desc->name, expr->exthdr.tmpl->token);
+ if (expr->exthdr.flags & NFT_EXTHDR_F_PRESENT)
+ printf("exthdr %s", expr->exthdr.desc->name);
+ else
+ printf("%s %s", expr->exthdr.desc->name,
+ expr->exthdr.tmpl->token);
}
static bool exthdr_expr_cmp(const struct expr *e1, const struct expr *e2)
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 3205cc407ffa8..e819affadbf05 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -139,6 +139,7 @@ static void location_update(struct location *loc, struct location *rhs, int n)
const struct datatype *datatype;
struct handle_spec handle_spec;
struct position_spec position_spec;
+ const struct exthdr_desc *exthdr_desc;
}
%token TOKEN_EOF 0 "end of file"
@@ -431,6 +432,8 @@ static void location_update(struct location *loc, struct location *rhs, int n)
%token TRUE "true"
%token FALSE "false"
+%token EXTHDR "exthdr"
+
%type <val> boolean_spec
%type <expr> boolean_expr
%destructor { expr_free($$); } boolean_expr
@@ -633,6 +636,10 @@ static void location_update(struct location *loc, struct location *rhs, int n)
%type <quota> quota_config
%destructor { xfree($$); } quota_config
+%type <expr> exthdr_exists_expr
+%destructor { expr_free($$); } exthdr_exists_expr
+%type <exthdr_desc> exthdr_spec
+
%%
input : /* empty */
@@ -2260,6 +2267,7 @@ primary_expr : symbol_expr { $$ = $1; }
| integer_expr { $$ = $1; }
| payload_expr { $$ = $1; }
| exthdr_expr { $$ = $1; }
+ | exthdr_exists_expr { $$ = $1; }
| meta_expr { $$ = $1; }
| rt_expr { $$ = $1; }
| ct_expr { $$ = $1; }
@@ -3316,4 +3324,20 @@ mh_hdr_field : NEXTHDR { $$ = MHHDR_NEXTHDR; }
| CHECKSUM { $$ = MHHDR_CHECKSUM; }
;
+exthdr_exists_expr : EXTHDR exthdr_spec
+ {
+ /* Assume that NEXTHDR template is always
+ * the fist one in list of templates.
+ */
+ $$ = exthdr_expr_alloc(&@$, $2, 1);
+ $$->exthdr.flags = NFT_EXTHDR_F_PRESENT;
+ }
+ ;
+
+exthdr_spec : HBH { $$ = &exthdr_hbh; }
+ | RT { $$ = &exthdr_rt; }
+ | FRAG { $$ = &exthdr_frag; }
+ | DST { $$ = &exthdr_dst; }
+ | MH { $$ = &exthdr_mh; }
+ ;
%%
diff --git a/src/scanner.l b/src/scanner.l
index debc18fad37ef..bd6edaac1224b 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -487,6 +487,8 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"true" { return TRUE; }
"false" { return FALSE; }
+"exthdr" { return EXTHDR; }
+
{addrstring} {
yylval->string = xstrdup(yytext);
return STRING;
--
2.11.0
next prev parent reply other threads:[~2017-01-17 22:07 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-01-17 22:10 [nft PATCH 0/3] Boolean comparison and exthdr existence match support Phil Sutter
2017-01-17 22:10 ` [nft PATCH 1/3] Implement boolean comparison in relational expression Phil Sutter
2017-01-17 22:10 ` [nft PATCH 2/3] exthdr: Add support for exthdr specific flags Phil Sutter
2017-01-17 22:10 ` Phil Sutter [this message]
2017-01-23 12:57 ` [nft PATCH 0/3] Boolean comparison and exthdr existence match support Pablo Neira Ayuso
2017-02-06 14:26 ` Phil Sutter
2017-02-06 17:16 ` Pablo Neira Ayuso
2017-02-07 2:28 ` Phil Sutter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170117221007.14951-4-phil@nwl.cc \
--to=phil@nwl.cc \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).