* Generated value for filtering from two arguments received from the command line
@ 2025-02-06 11:10 Alexey Kashavkin
From: Alexey Kashavkin @ 2025-02-06 11:10 UTC (permalink / raw)
To: netfilter-devel
Hi,
I am working on adding the IPSO option IPOPT_SEC (RFC1108[1]) for filtering as an IP option. I take what is in ipopt.c as a basis. According to the IPSO option fields I will have the following fields in nft: TYPE, LENGTH and PROTECTION AUTHORITY FLAGS, but for this I planned to use the existing fields (type, length, value).
The PROTECTION AUTHORITY FLAGS field will be a generated field.
What I mean is, the following command line example adds clarification:
# nft add rule ip ipopt_t ipopt_c ip option sec arg1 NUM arg2 NUM counter
In parser_bison.y I added:
ip_hdr_expr : IP ip_hdr_field close_scope_ip
            {
                $$ = payload_expr_alloc(&@$, &proto_ip, $2);
            }
            | IP OPTION ip_option_type ip_option_field close_scope_ip
            {
                $$ = ipopt_expr_alloc(&@$, $3, $4);
                if (!$$) {
                    erec_queue(error(&@1, "unknown ip option type/field"), state->msgs);
                    YYERROR;
                }
            }
            | IP OPTION ip_option_type close_scope_ip
            {
                $$ = ipopt_expr_alloc(&@$, $3, IPOPT_FIELD_TYPE);
                $$->exthdr.flags = NFT_EXTHDR_F_PRESENT;
            }
            | IP OPTION IPSO gen_paf close_scope_ip
            {
                /* match the "value" template of the sec option */
                $$ = ipopt_expr_alloc(&@$, IPOPT_SEC, IPOPT_FIELD_VALUE);
            }
            ;
gen_paf     : arg1 arg2
            {
                /* 14-byte buffer for the generated protection authority flags */
                unsigned char paf_field[14] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
                /* struct paf_args and build_paf_val() are new helpers, not existing nftables code */
                struct paf_args paf_args = { $1, $2 };
                $$ = build_paf_val(&paf_args, paf_field);
            }
            ;
arg1        : /* empty */ { $$ = 0; }
            | ARG1 NUM    { $$ = $2; }
            ;
arg2        : /* empty */ { $$ = 0; }
            | ARG2 NUM    { $$ = $2; }
            ;
I don't know bison very well and may be doing something wrong, but what I expect from this code is to have a value in place of gen_paf as if the user had entered the following:
# nft add rule ip ipopt_t ipopt_c ip option sec value 12345678 counter
The value 12345678 should be generated from the two values specified for gen_paf.
To ipopt.c I added:
static const struct exthdr_desc ipopt_sec = {
	.name		= "sec",
	.type		= IPOPT_SEC,
	.templates	= {
		[IPOPT_FIELD_TYPE]	= PHT("type",   0,  8),
		[IPOPT_FIELD_LENGTH]	= PHT("length", 8,  8),
		[IPOPT_FIELD_VALUE]	= PHT("value",  24, 14),
	},
};
nft_parse() returned the error:
Error: syntax error, unexpected drop
add rule ip ipopt_t ipopt_c ip option sec arg1 11 arg2 3 drop
I did this because I don't quite understand how I can otherwise generate a value for this field before calling ipopt_expr_alloc() and pass it to this function. This may not be the right way at all, and if it is, I would be very grateful if someone could let me know.
Is there any expression in nft that would also take arguments from the command line to generate a value? Having researched the bison code, it seems that it should always accept the final value for filtering from the command line.
[1] https://www.rfc-editor.org/rfc/rfc1108.html
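To make the packet layout behind those three templates concrete, here is an added example in C (mine, not code from this thread or from nftables) that walks an IPv4 options area, finds the RFC 1108 Basic Security Option and extracts exactly what the proposed ipopt_sec descriptor names: the type at bit 0, the length at bit 8, and the 14 bits starting at bit 24 that the descriptor calls "value". The classification octet sits at bits 16..23 in between, so the 14-bit field starts in the first protection authority octet. The classification constants and the "low bit set means another protection authority octet follows" rule are taken from RFC 1108; the sample option bytes are constructed, and the struct and function names are my own. A field that would extend past the option's declared length is reported as unavailable rather than read past the option, which is the same check a filter has to make before comparing that field.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* RFC 1108 Basic Security Option type (the same value <netinet/ip.h> calls IPOPT_SEC). */
#define IPSO_BASIC_TYPE 130

/* Classification level encodings, RFC 1108 section 2.1. */
#define IPSO_CL_TOP_SECRET   0x3D
#define IPSO_CL_SECRET       0x5A
#define IPSO_CL_CONFIDENTIAL 0x96
#define IPSO_CL_UNCLASSIFIED 0xAB

struct ipso_sec {
    uint8_t  type;           /* bits 0..7,   PHT("type", 0, 8)            */
    uint8_t  length;         /* bits 8..15,  PHT("length", 8, 8)          */
    uint8_t  classification; /* bits 16..23, the classification octet     */
    uint16_t paf14;          /* bits 24..37, PHT("value", 24, 14)         */
    int      paf14_valid;    /* 0 when the option is too short for paf14  */
    size_t   paf_octets;     /* protection authority octets present       */
};

/*
 * Scan an IPv4 options area for the Basic Security Option.
 * Returns 1 and fills *out when found, 0 when absent, -1 when the
 * options area is malformed (missing or bad length, truncated option).
 */
int find_ipso_sec(const uint8_t *opts, size_t len, struct ipso_sec *out)
{
    size_t i = 0;

    while (i < len) {
        uint8_t type = opts[i];

        if (type == 0)                  /* EOL: end of option list */
            return 0;
        if (type == 1) {                /* NOP: one octet, no length field */
            i++;
            continue;
        }
        if (i + 1 >= len)               /* length octet missing */
            return -1;
        uint8_t olen = opts[i + 1];
        if (olen < 2 || i + olen > len) /* bogus or truncated option */
            return -1;

        if (type == IPSO_BASIC_TYPE) {
            const uint8_t *o = opts + i;
            if (olen < 3)               /* needs at least the classification octet */
                return -1;
            out->type = o[0];
            out->length = olen;
            out->classification = o[2];
            /* 14 bits at bit offset 24 need two protection authority octets */
            if (olen >= 5) {
                out->paf14 = (uint16_t)((((uint16_t)o[3] << 8) | o[4]) >> 2);
                out->paf14_valid = 1;
            } else {
                out->paf14 = 0;
                out->paf14_valid = 0;
            }
            /* RFC 1108: low bit set in a PA octet means another octet follows */
            size_t n = 0;
            for (size_t j = 3; j < olen; j++) {
                n++;
                if ((o[j] & 0x01) == 0)
                    break;
            }
            out->paf_octets = n;
            return 1;
        }
        i += olen;
    }
    return 0;
}

/* Constructed sample (not from the thread): NOP, then an IPSO option of length 5
 * with classification Secret, PA octets 0x81 (GENSER flag + continuation bit) and
 * 0x40 (SIOP-ESI flag, final octet), then EOL padding to a 4-octet boundary. */
static const uint8_t sample_opts[8] = { 1, 130, 5, 0x5A, 0x81, 0x40, 0, 0 };

int main(void)
{
    struct ipso_sec s;
    int r = find_ipso_sec(sample_opts, sizeof sample_opts, &s);

    if (r == 1)
        printf("IPSO: type=%u length=%u class=0x%02x paf14=0x%04x (%zu PA octets)\n",
               s.type, s.length, s.classification, s.paf14, s.paf_octets);
    else
        printf("IPSO: %s\n", r == 0 ? "absent" : "malformed options");
    return 0;
}
```

For the constructed sample the 14-bit field is 0x2050, i.e. the top 14 bits of the two PA octets 0x81 0x40; that is the number a rule on the "value" template would have to carry, which is why the poster wants to derive it from friendlier arguments instead of typing it.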
* Re: Generated value for filtering from two arguments received from the command line
@ 2025-03-07 12:56 ` Alexey Kashavkin
From: Alexey Kashavkin @ 2025-03-07 12:56 UTC (permalink / raw)
To: netfilter-devel
I have performed the required translation in lex (scanner.l). After receiving arguments from the command line, the required value is generated.
args_for_gen_value	({digit}{1,3}{space}{digit}{1,3})

{args_for_gen_value}	{
				unsigned char paf_field[14] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
				yylval->string = xstrdup(build_paf_val(yytext, paf_field));
				return STRING;
			}
Hopefully this will be of some use to someone.
* Re: Generated value for filtering from two arguments received from the command line
@ 2025-03-07 14:22 ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2025-03-07 14:22 UTC (permalink / raw)
To: Alexey Kashavkin; +Cc: netfilter-devel
On Fri, Mar 07, 2025 at 05:56:29PM +0500, Alexey Kashavkin wrote:
> I have performed the required translation in lex (scanner.l). After receiving arguments from the command line, the required value is generated.
>
> args_for_gen_value ({digit}{1,3}{space}{digit}{1,3})
>
> {args_for_gen_value} {
> unsigned char paf_field[14] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
> yylval->string = xstrdup(build_paf_val(yytext, paf_field));
> return STRING;
> }
>
> Hopefully this will be of some use to someone.
For this kind of arbitrary matching, best is to add support for raw expressions.