From: Phil Sutter <phil@nwl.cc>
To: netfilter-devel@vger.kernel.org
Cc: Florian Westphal <fw@strlen.de>
Subject: [iptables PATCH v2 2/2] nft-ruleparse: parse meta mark set as MARK target
Date: Sat,  5 Aug 2023 01:15:37 +0200
Message-ID: <20230804231537.17705-2-phil@nwl.cc>
In-Reply-To: <20230804231537.17705-1-phil@nwl.cc>

From: Florian Westphal <fw@strlen.de>

Mixing nftables and iptables-nft in the same table doesn't work,
but some people do this.

v1.8.8 ignored rules it could not represent in iptables syntax,
v1.8.9 bails in this case.

Add parsing of meta mark expressions so iptables-nft can render them
as -j MARK rules.

This is flawed: nft has features that have no corresponding
syntax in iptables, but we can't undo this.

Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1659
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 iptables/nft-ruleparse.c | 40 ++++++++++++++++++++++++++++------------
 1 file changed, 28 insertions(+), 12 deletions(-)

diff --git a/iptables/nft-ruleparse.c b/iptables/nft-ruleparse.c
index a5eb6d098084a..c8322f936acd9 100644
--- a/iptables/nft-ruleparse.c
+++ b/iptables/nft-ruleparse.c
@@ -146,11 +146,6 @@ static bool nft_parse_meta_set_common(struct nft_xt_ctx* ctx,
 		return false;
 	}
 
-	if (sreg->immediate.data[0] == 0) {
-		ctx->errmsg = "meta sreg immediate is 0";
-		return false;
-	}
-
 	return true;
 }
 
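Review bot: dropping the zero-immediate check from nft_parse_meta_set_common() silently changes the NFT_META_BRI_BROUTE path as well: that case still calls the common helper but no longer rejects an immediate of 0, so such an expression would now be rendered as `-j DROP` instead of failing with "meta sreg immediate is 0", while only the TRACE case re-adds the check. If the relaxation is meant only for MARK (where `--set-mark 0` is a legitimate value), consider re-adding the check in the broute case or gating it in the helper with a parameter, and state in the commit message that the behaviour change for the other keys is intended.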
@@ -159,7 +154,6 @@ static void nft_parse_meta_set(struct nft_xt_ctx *ctx,
 {
 	struct nft_xt_ctx_reg *sreg;
 	enum nft_registers sregnum;
-	const char *targname;
 
 	sregnum = nftnl_expr_get_u32(e, NFTNL_EXPR_META_SREG);
 	sreg = nft_xt_ctx_get_sreg(ctx, sregnum);
@@ -171,21 +165,43 @@ static void nft_parse_meta_set(struct nft_xt_ctx *ctx,
 		if (!nft_parse_meta_set_common(ctx, sreg))
 			return;
 
-		targname = "TRACE";
+		if (sreg->immediate.data[0] == 0) {
+			ctx->errmsg = "meta sreg immediate is 0";
+			return;
+		}
+
+		if (!nft_create_target(ctx, "TRACE"))
+			ctx->errmsg = "target TRACE not found";
 		break;
 	case NFT_META_BRI_BROUTE:
 		if (!nft_parse_meta_set_common(ctx, sreg))
 			return;
 
 		ctx->cs->jumpto = "DROP";
-		return;
+		break;
+	case NFT_META_MARK: {
+		struct xt_mark_tginfo2 *mt;
+
+		if (!nft_parse_meta_set_common(ctx, sreg))
+			return;
+
+		mt = nft_create_target(ctx, "MARK");
+		if (!mt) {
+			ctx->errmsg = "target MARK not found";
+			return;
+		}
+
+		mt->mark = sreg->immediate.data[0];
+		if (sreg->bitwise.set)
+			mt->mask = sreg->bitwise.mask[0];
+		else
+			mt->mask = ~0u;
+		break;
+	}
 	default:
 		ctx->errmsg = "meta sreg key not supported";
-		return;
+		break;
 	}
-
-	if (!nft_create_target(ctx, targname))
-		ctx->errmsg = "target TRACE not found";
 }
 
 static void nft_parse_meta(struct nft_xt_ctx *ctx, struct nftnl_expr *e)
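Review bot: the mask handling in the new NFT_META_MARK case should be confirmed against xt_mark semantics before merging: the MARK target applies `mark = (mark & ~mt->mask) ^ mt->mark`, whereas nftables' bitwise expression evaluates `(sreg & mask) ^ xor`, so when `sreg->bitwise.set` is true the iptables mask is plausibly the complement of `sreg->bitwise.mask[0]` rather than the mask itself, and the bitwise xor operand (not only `sreg->immediate.data[0]`) may carry the value being set; the `else mt->mask = ~0u` branch for a plain immediate looks right. A round-trip test (an nft rule equivalent to `--set-xmark value/mask`, listed back through iptables-nft) would settle the polarity and would also exercise the new `target MARK not found` error path, which currently has no coverage in this series. Minor: with the trailing `nft_create_target(ctx, targname)` block removed, `break` in the default case now simply falls off the end of the function with only errmsg set, which is consistent with the other cases.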
-- 
2.40.0


Thread overview: 3+ messages
2023-08-04 23:15 [iptables PATCH v2 1/2] nft-ruleparse: Introduce nft_create_target() Phil Sutter
2023-08-04 23:15 ` Phil Sutter [this message]
2023-08-10 11:54 ` Phil Sutter