The following patches implement the necessary support for the mixed IPv4/IPv6 "inet" family. The patchset consists of two major parts:

- introduction of generic protocol contexts
- support for the inet family and nfproto/l4proto meta expression types

The generic protocol contexts are a generalization of the payload contexts. Since not only the payload expression, but also the ct and meta expression can imply higher or lower layer protocols, the context tracking is generalized. A small patch for the ct expression for context dependent parsing of ct-src, ct-dst, ct-proto-src and ct-proto-dst is also included.

Support for the inet family mainly consists of adding a mapping for the parser and netlink support for "inet" <-> NFPROTO_INET and adding support for the meta nfproto and l4proto types.

With this in place, we can create rules like:

    inet filter output tcp dport ssh counter

to match on ssh traffic for both IPv4 and IPv6.

    inet filter output nfproto ipv4 tcp dport ssh

to match on ssh traffic for only IPv4.

Sets etc. have been verified to work as expected.

I've rebased the patches on the next-3.14 branch and will push them to the nftables tree shortly.

Patrick McHardy (12):
      expr: replace PAYLOAD_PROTOCOL_EXPR by generic flag
      nftables: generic procotol contexts
      expr: add protocol context update callback
      proto: add helper function to update protocol context
      proto: add debugging for protocol context updates
      ct expr: protocol context updates and dynamic typing
      include: resync nftables.h with kernel
      nftables: add support for the "inet" family
      netlink_delinearize: remove implied meta expressions
      proto: add support for meta templates
      meta: add nfproto support
      meta: add l4proto support

 include/ct.h                        |   1 +
 include/datatype.h                  |   3 +
 include/expression.h                |  18 +-
 include/exthdr.h                    |   6 +-
 include/linux/netfilter.h           |  22 +-
 include/linux/netfilter/nf_tables.h | 116 ++++-
 include/nftables.h                  |   1 +
 include/payload.h                   | 288 +-----------
 include/proto.h                     | 304 +++++++++++++
 include/rule.h                      |   2 +-
 src/Makefile.in                     |   1 +
 src/ct.c                            |  58 +++
 src/datatype.c                      |  18 +
 src/evaluate.c                      |  47 +-
 src/exthdr.c                        |  26 +-
 src/main.c                          |   6 +-
 src/meta.c                          |  70 +++
 src/netlink_delinearize.c           |  43 +-
 src/parser.y                        |  43 +-
 src/payload.c                       | 855 +++---------------------------------
 src/proto.c                         | 814 ++++++++++++++++++++++++++++++++++
 src/rule.c                          |   3 +
 src/scanner.l                       |   4 +
 23 files changed, 1581 insertions(+), 1168 deletions(-)