
parser: add kludges for "param-problem" and "redirect"

Message ID 1428083429-7042-1-git-send-email-holler@ahsoftware.de
State Superseded
Delegated to: Pablo Neira

Commit Message

Alexander Holler April 3, 2015, 5:50 p.m. UTC
Context-sensitive handling of "param-problem" and "redirect" is necessary
to allow their use either as a token or as a string naming an ICMP type.

Without this patch, e.g. the following fails:

nft add rule filter input icmp type redirect accept
nft add rule filter input icmpv6 type param-problem accept

Signed-off-by: Alexander Holler <holler@ahsoftware.de>
---
 src/parser_bison.y |  6 ++++--
 src/scanner.l      | 23 +++++++++++++++++++----
 2 files changed, 23 insertions(+), 6 deletions(-)

Comments

Alexander Holler April 3, 2015, 6:06 p.m. UTC | #1
Am 03.04.2015 um 19:50 schrieb Alexander Holler:
> Context sensitive handling of "param-problem" and "redirect" is necessary
> to allow usage of them as token or as string for icmp types.
>
> Without this patch, e.g. the following fails:
>
> nft add rule filter input icmp type redirect accept
> nft add rule filter input icmpv6 type param-problem accept
>
> Signed-off-by: Alexander Holler <holler@ahsoftware.de>
> ---

Just in case of, I have not tested this extensively.

So please be careful with that patch and review it.

E.g. I'm not sure whether I have forgotten to set icmp_flag = 0 in 
a destructor other than the two I've added it to, because I haven't 
tested rules which use "redirect" or "param-problem" as a token and 
not just as a string describing an icmp type, as in the above two statements.

Regards,

Alexander Holler
Alexander Holler April 4, 2015, 10:50 a.m. UTC | #2
Am 03.04.2015 um 20:06 schrieb Alexander Holler:
> Am 03.04.2015 um 19:50 schrieb Alexander Holler:
>> Context sensitive handling of "param-problem" and "redirect" is necessary
>> to allow usage of them as token or as string for icmp types.
>>
>> Without this patch, e.g. the following fails:
>>
>> nft add rule filter input icmp type redirect accept
>> nft add rule filter input icmpv6 type param-problem accept
>>
>> Signed-off-by: Alexander Holler <holler@ahsoftware.de>
>> ---
>
> Just in case of, I have not tested this extensively.
>
> So please be careful with that patch and review it.
>
> E.g. I'm not sure if I might have forgotten to set icmp_flag = 0 in
> another desctructor than those two I've added it too because I haven't
> tested rules which are using "redirect" or param-problem as token and
> not just as string to describe an icmp type as in the above two statements.

Also I'm soliloquizing, here is an update.

Having had a second look at the parser, I think I indeed have forgotten 
a desctructor and this one should be changed too:

-%destructor { stmt_free($$); } reject_stmt reject_stmt_alloc
+%destructor { stmt_free($$); icmp_flag = 0; }  reject_stmt 
reject_stmt_alloc

I've now also written a small test-script which revealed an error in my 
kludges:

-- test-kludges.nft --
#!/sbin/nft -f

# small script to test the kludges (context sensitivity) for
# for "redirect" and "param-problem".

flush ruleset

table filter {
         chain input {
                 type filter hook input priority 0;
                 icmp type redirect accept
                 tcp dport 22223 reject with icmp type host-prohibited
         }
}
table ip6 filter {
         chain input {
                 type filter hook input priority 0;
                 icmpv6 type param-problem accept
                 tcp dport 22224 reject with icmpv6 type admin-prohibited
                 # THIS NOW FAILS:
                 #icmpv6 param-problem 2 drop
         }
}
table nat {
         chain prerouting {
                 type nat hook prerouting priority 0;
                 tcp dport 22222 redirect to 22
         }
         chain postrouting {
                 type nat hook postrouting priority 0;
         }
}
-- test-kludges.nft --


I already have an idea how to fix that and will post a second version 
of the patch when I've found the time to change and test it.


Regards,

Alexander Holler

Patch

diff --git a/src/parser_bison.y b/src/parser_bison.y
index b86381d..36a71d0 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -34,6 +34,8 @@ 
 
 #include "parser_bison.h"
 
+int icmp_flag;
+
 void parser_init(struct parser_state *state, struct list_head *msgs)
 {
 	memset(state, 0, sizeof(*state));
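Review bot: `int icmp_flag;` is a file-scope mutable global with external linkage that `parser_init` does not reset, even though the function right below it zeroes the whole `parser_state` with `memset(state, 0, sizeof(*state))`; a flag left set by one parse therefore leaks into the next parse in the same process. The scanner side (`extern int icmp_flag;` in the src/scanner.l hunk at line 100) shares the problem and bypasses the `yyscan_t`/`parser_state` plumbing the scanner otherwise appears to use for per-parse state. A field in `struct parser_state` reached through the scanner's extra data would keep it per parse; if the global stays, add `icmp_flag = 0;` next to the `memset` in `parser_init` and a comment such as `/* set by the scanner on "icmp"/"icmpv6"; makes it lex "redirect"/"param-problem" as STRING */`.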
@@ -500,10 +502,10 @@  static void location_update(struct location *loc, struct location *rhs, int n)
 %destructor { expr_free($$); }	arp_hdr_expr
 %type <val>			arp_hdr_field
 %type <expr>			ip_hdr_expr	icmp_hdr_expr
-%destructor { expr_free($$); }	ip_hdr_expr	icmp_hdr_expr
+%destructor { expr_free($$); icmp_flag = 0; }	ip_hdr_expr	icmp_hdr_expr
 %type <val>			ip_hdr_field	icmp_hdr_field
 %type <expr>			ip6_hdr_expr    icmp6_hdr_expr
-%destructor { expr_free($$); }	ip6_hdr_expr	icmp6_hdr_expr
+%destructor { expr_free($$); icmp_flag = 0; }	ip6_hdr_expr	icmp6_hdr_expr
 %type <val>			ip6_hdr_field   icmp6_hdr_field
 %type <expr>			auth_hdr_expr	esp_hdr_expr		comp_hdr_expr
 %destructor { expr_free($$); }	auth_hdr_expr	esp_hdr_expr		comp_hdr_expr
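Review bot: Resetting `icmp_flag` in a `%destructor` does not clear it on the normal parse path, because Bison runs destructors only for symbols it discards (error recovery, abort), not when `ip_hdr_expr`/`icmp_hdr_expr` or `ip6_hdr_expr`/`icmp6_hdr_expr` is reduced successfully. After `icmp type redirect accept` parses cleanly the flag is still 4, so a later `redirect` in the same input is lexed as STRING until some other keyword happens to overwrite the flag. The reset belongs in the actions of the rules that consume the ICMP type value (or the scanner should clear it once it has returned the one context-sensitive STRING), not here; if these destructor changes are kept, a comment like `/* only runs on discard; success path must reset the flag in the rule action */` would make that limitation explicit.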
diff --git a/src/scanner.l b/src/scanner.l
index 73c4f8b..3468276 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -100,6 +100,7 @@  static void reset_pos(struct parser_state *state, struct location *loc)
 /* avoid warnings with -Wmissing-prototypes */
 extern int	yyget_column(yyscan_t);
 extern void	yyset_column(int, yyscan_t);
+extern int icmp_flag;
 
 %}
 
@@ -320,7 +321,14 @@  addrstring	({macaddr}|{ip4addr}|{ip6addr})
 "snat"			{ return SNAT; }
 "dnat"			{ return DNAT; }
 "masquerade"		{ return MASQUERADE; }
-"redirect"		{ return REDIRECT; }
+"redirect"		{
+				if (icmp_flag == 4) {
+					yylval->string = xstrdup(yytext);
+					return STRING;
+				} else
+					return REDIRECT;
+			}
+
 "random"		{ return RANDOM; }
 "fully-random"		{ return FULLY_RANDOM; }
 "persistent"		{ return PERSISTENT; }
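Review bot: The `"redirect"` action compares against the bare literal `4` (and the `"param-problem"` action in the hunk at line 369 against `6`), and the `if` branch is braced while the `else` is not. A small enum beside the scanner's `extern int icmp_flag;` declaration, e.g. `enum { ICMP_CTX_NONE = 0, ICMP_CTX_V4 = 4, ICMP_CTX_V6 = 6 };` (names are a suggestion), would document what the values mean, and writing the alternative as `} else {` / `return REDIRECT;` / `}` keeps the flex action uniformly braced. The blank line added after the rule (line 194) and the doubled blank lines at 219–220 are whitespace noise.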
@@ -358,7 +366,7 @@  addrstring	({macaddr}|{ip4addr}|{ip6addr})
 "protocol"		{ return PROTOCOL; }
 "checksum"		{ return CHECKSUM; }
 
-"icmp"			{ return ICMP; }
+"icmp"			{ icmp_flag = 4; return ICMP; }
 "code"			{ return CODE; }
 "sequence"		{ return SEQUENCE; }
 "gateway"		{ return GATEWAY; }
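Review bot: `icmp_flag = 4` is set every time the scanner sees `icmp`, regardless of what follows, and nothing in the scanner ever clears it, so the value seen at `redirect` depends on the whole token history since the last `icmp`/`icmpv6` rather than on the rule currently being parsed; `icmpv6` in the hunk at line 369 behaves the same way, which is presumably why a rule that uses `param-problem` as a header-field token directly after `icmpv6` no longer parses. Keyword-triggered lexer state is hard to keep correct across statements; doing the disambiguation in the grammar instead — accepting the REDIRECT and PPTR tokens as alternatives wherever an ICMP type name is expected and building the string symbol from their spelling there — needs no shared flag at all. If the flag stays, clearing it in the action that returns the context-sensitive STRING (making the effect one-shot) limits how far a stale value can reach.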
@@ -369,9 +377,16 @@  addrstring	({macaddr}|{ip4addr}|{ip6addr})
 "flowlabel"		{ return FLOWLABEL; }
 "nexthdr"		{ return NEXTHDR; }
 "hoplimit"		{ return HOPLIMIT; }
+"icmpv6"		{ icmp_flag = 6; return ICMP6; }
+"param-problem"		{
+				if (icmp_flag == 6) {
+					yylval->string = xstrdup(yytext);
+					return STRING;
+				} else
+					return PPTR;
+			}
+
 
-"icmpv6"		{ return ICMP6; }
-"param-problem"		{ return PPTR; }
 "max-delay"		{ return MAXDELAY; }
 
 "ah"			{ return AH; }