netfilter-devel.vger.kernel.org archive mirror
From: Alexey Kashavkin <akashavkin@gmail.com>
To: netfilter-devel@vger.kernel.org
Subject: Generated value for filtering from two arguments received from the command line
Date: Thu, 6 Feb 2025 14:10:23 +0300
Message-ID: <AA705D8C-131B-4305-81A6-840C38AE6E54@gmail.com>

Hi,

I am working on adding the IPSO option IPOPT_SEC (RFC1108[1]) for filtering as IP options. I am taking the existing code in ipopt.c as a basis. According to the IPSO option fields I will have the following fields in nft: TYPE, LENGTH and PROTECTION AUTHORITY FLAGS, but for this I planned to use the existing fields (type, length, value).

The PROTECTION AUTHORITY FLAGS field will be a generated field.

The following command line example should clarify what I mean:

# nft add rule ip ipopt_t ipopt_c ip option sec arg1 NUM arg2 NUM counter


In parser_bison.y I added:

ip_hdr_expr     :   IP  ip_hdr_field    close_scope_ip
           {
               $$ = payload_expr_alloc(&@$, &proto_ip, $2);
           }
           |   IP  OPTION  ip_option_type ip_option_field  close_scope_ip
           {
               $$ = ipopt_expr_alloc(&@$, $3, $4);
               if (!$$) {
                   erec_queue(error(&@1, "unknown ip option type/field"), state->msgs);
                   YYERROR;
               }
           }
           |   IP  OPTION  ip_option_type close_scope_ip
           {
               $$ = ipopt_expr_alloc(&@$, $3, IPOPT_FIELD_TYPE);
               $$->exthdr.flags = NFT_EXTHDR_F_PRESENT;
           }
           |   IP  OPTION  IPSO   gen_paf close_scope_ip
           {
               $$ = ipopt_expr_alloc(&@$, IPOPT_SEC, IPOPT_FIELD_VALUE);
           }
           ;

gen_paf        :   arg1   arg2
           {
               unsigned char paf_field[14] = {0};
               struct paf_args paf_args = {$1, $2};  /* struct name and member order assumed */

               $$ = build_paf_val(&paf_args, paf_field);
           }
           ;

arg1           :   /* empty */ { $$ = 0; }
           |           ARG1    NUM { $$ = $2; }
           ;

arg2           :   /* empty */ { $$ = 0; }
           |           ARG2    NUM { $$ = $2; }
           ;

I don't know bison very well and may be doing something wrong, but what I expect from this code is to have a value in place of gen_paf as if the user had entered the following:

# nft add rule ip ipopt_t ipopt_c ip option sec value 12345678 counter

The value 12345678 should be generated from the two values specified for gen_paf.


To ipopt.c I added:

static const struct exthdr_desc ipopt_sec = {
   .name       = "sec",
   .type       = IPOPT_SEC,
   .templates  = {
       [IPOPT_FIELD_TYPE]      = PHT("type",   0,   8),
       [IPOPT_FIELD_LENGTH]    = PHT("length", 8,   8),
       [IPOPT_FIELD_VALUE]     = PHT("value",  24, 14),
   },
};


nft_parse() returned the error:

Error: syntax error, unexpected drop
add rule ip ipopt_t ipopt_c ip option sec arg1 11 arg2 3 drop


I did this because I don't quite understand how I can otherwise generate a value for this field before calling ipopt_expr_alloc() and pass it to this function. This may not be the right way at all, and if so, I would be very grateful if someone could let me know.

Is there any expression in nft that would also take arguments from the command line to generate a value? From what I have found in the bison code, it seems that it should always accept the final value for filtering from the command line.

[1] https://www.rfc-editor.org/rfc/rfc1108.html
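As an added example (not code from this thread or from nftables), this is how the TYPE, LENGTH and PROTECTION AUTHORITY FLAGS fields of the RFC 1108 Basic Security option map onto bytes, with the kind of check a filter needs before it trusts those fields. The function names are mine, and representing the authority flags as a bitmask argument is an assumption, not the encoding the post has in mind.

```c
#include <stddef.h>
#include <stdint.h>

#define IPSO_TYPE_SEC 130u   /* RFC 1108 Basic Security option type */

/* Pack authority flags into FTI-chained octets.  Bit i of `flags` is RFC 1108
 * authority bit i (0 GENSER, 1 SIOP-ESI, 2 SCI, 3 NSA, 4 DOE), seven per octet,
 * MSB first; the octet's low bit (FTI) is 1 when another octet follows.
 * Returns octets written, 0 if `cap` is too small. */
static size_t ipso_pack_paf(uint32_t flags, uint8_t *out, size_t cap)
{
    size_t n = 0;
    flags &= 0x1fffffu;                         /* at most 21 bits handled */
    for (;;) {
        uint8_t oct = 0;
        if (n == cap) return 0;
        for (int i = 0; i < 7; i++)
            if (flags & (1u << (7 * n + i))) oct |= (uint8_t)(0x80u >> i);
        if (flags >> (7 * (n + 1))) oct |= 0x01u; /* more authorities follow */
        out[n++] = oct;
        if (!(oct & 0x01u)) return n;
    }
}

/* Build a whole option: type, length, classification level, PAF octets.
 * Returns the option length, 0 on error. */
static size_t ipso_build(uint8_t level, uint32_t flags, uint8_t *out, size_t cap)
{
    size_t paf = cap >= 4 ? ipso_pack_paf(flags, out + 3, cap - 3) : 0;
    if (!paf) return 0;
    out[0] = IPSO_TYPE_SEC; out[1] = (uint8_t)(3 + paf); out[2] = level;
    return 3 + paf;
}

/* Check an option pulled from an IPv4 header before using its fields: type,
 * length within the available bytes, a known classification level, and an FTI
 * chain ending exactly at the last octet (an empty PAF field is accepted).
 * Returns the number of PAF octets, or -1 if the option is malformed. */
static int ipso_validate(const uint8_t *opt, size_t avail)
{
    static const uint8_t levels[] = { 0x3d, 0x5a, 0x96, 0xab }; /* TS S C U */
    size_t len, i;
    if (avail < 3 || opt[0] != IPSO_TYPE_SEC) return -1;
    len = opt[1];
    if (len < 3 || len > avail) return -1;
    for (i = 0; i < sizeof levels && levels[i] != opt[2]; i++) ;
    if (i == sizeof levels) return -1;
    for (i = 3; i < len; i++)
        if (!(opt[i] & 0x01u)) return i + 1 == len ? (int)(len - 3) : -1;
    return len == 3 ? 0 : -1;              /* ran off the end with FTI set */
}
```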


Thread overview: 3+ messages
2025-02-06 11:10 Alexey Kashavkin [this message]
2025-03-07 12:56   Generated value for filtering from two arguments received from the command line, Alexey Kashavkin
2025-03-07 14:22     Pablo Neira Ayuso