The secmark object reference requires a json parser function and it was missing. In addition, extends the shell testcases. Link: https://bugzilla.netfilter.org/show_bug.cgi?id=1630 Signed-off-by: Fernando Fernandez Mancera <ffmancera@xxxxxxxxxx> --- src/parser_json.c | 18 ++++++++++++++++++ .../shell/testcases/json/0005secmark_objref_0 | 9 +++++++++ .../json/dumps/0005secmark_objref_0.nft | 18 ++++++++++++++++++ 3 files changed, 45 insertions(+) create mode 100755 tests/shell/testcases/json/0005secmark_objref_0 create mode 100644 tests/shell/testcases/json/dumps/0005secmark_objref_0.nft diff --git a/src/parser_json.c b/src/parser_json.c index 46dca9fd..1ffca2d1 100644 --- a/src/parser_json.c +++ b/src/parser_json.c @@ -1966,6 +1966,23 @@ static struct stmt *json_parse_dup_stmt(struct json_ctx *ctx, return stmt; } +static struct stmt *json_parse_secmark_stmt(struct json_ctx *ctx, + const char *key, json_t *value) +{ + struct stmt *stmt; + + stmt = objref_stmt_alloc(int_loc); + stmt->objref.type = NFT_OBJECT_SECMARK; + stmt->objref.expr = json_parse_stmt_expr(ctx, value); + if (!stmt->objref.expr) { + json_error(ctx, "Invalid secmark reference."); + stmt_free(stmt); + return NULL; + } + + return stmt; +} + static int json_parse_nat_flag(struct json_ctx *ctx, json_t *root, int *flags) { @@ -2727,6 +2744,7 @@ static struct stmt *json_parse_stmt(struct json_ctx *ctx, json_t *root) { "tproxy", json_parse_tproxy_stmt }, { "synproxy", json_parse_synproxy_stmt }, { "reset", json_parse_optstrip_stmt }, + { "secmark", json_parse_secmark_stmt }, }; const char *type; unsigned int i; diff --git a/tests/shell/testcases/json/0005secmark_objref_0 b/tests/shell/testcases/json/0005secmark_objref_0 new file mode 100755 index 00000000..ae967435 --- /dev/null +++ b/tests/shell/testcases/json/0005secmark_objref_0 @@ -0,0 +1,9 @@ +#!/bin/bash + +set -e + +$NFT flush ruleset + +RULESET='{"nftables": [{"metainfo": {"version": "1.0.5", "release_name": "Lester Gooch #4", "json_schema_version": 1}}, {"table": {"family": "inet", "name": "x", "handle": 4}}, {"secmark": {"family": "inet", "name": "ssh_server", "table": "x", "handle": 1, "context": "system_u:object_r:ssh_server_packet_t:s0"}}, {"chain": {"family": "inet", "table": "x", "name": "y", "handle": 2, "type": "filter", "hook": "input", "prio": -225, "policy": "accept"}}, {"chain": {"family": "inet", "table": "x", "name": "z", "handle": 3, "type": "filter", "hook": "output", "prio": 225, "policy": "accept"}}, {"rule": {"family": "inet", "table": "x", "chain": "y", "handle": 4, "expr": [{"match": {"op": "==", "left": {"payload": {"protocol": "tcp", "field": "dport"}}, "right": 2222}}, {"match": {"op": "in", "left": {"ct": {"key": "state"}}, "right": "new"}}, {"secmark": "ssh_server"}]}}, {"rule": {"family": "inet", "table": "x", "chain": "y", "handle": 5, "expr": [{"match": {"op": "in", "left": {"ct": {"key": "state"}}, "right": "new"}}, {"mangle": {"key": {"ct": {"key": "secmark"}}, "value": {"meta": {"key": "secmark"}}}}]}}, {"rule": {"family": "inet", "table": "x", "chain": "y", "handle": 6, "expr": [{"match": {"op": "in", "left": {"ct": {"key": "state"}}, "right": ["established", "related"]}}, {"mangle": {"key": {"meta": {"key": "secmark"}}, "value": {"ct": {"key": "secmark"}}}}]}}, {"rule": {"family": "inet", "table": "x", "chain": "z", "handle": 7, "expr": [{"match": {"op": "in", "left": {"ct": {"key": "state"}}, "right": "new"}}, {"mangle": {"key": {"ct": {"key": "secmark"}}, "value": {"meta": {"key": "secmark"}}}}]}}, {"rule": {"family": "inet", "table": "x", "chain": "z", "handle": 8, "expr": [{"match": {"op": "in", "left": {"ct": {"key": "state"}}, "right": ["established", "related"]}}, {"mangle": {"key": {"meta": {"key": "secmark"}}, "value": {"ct": {"key": "secmark"}}}}]}}]}' + +$NFT -j -f - <<< $RULESET diff --git a/tests/shell/testcases/json/dumps/0005secmark_objref_0.nft b/tests/shell/testcases/json/dumps/0005secmark_objref_0.nft new file mode 100644 index 00000000..4c218e93 --- /dev/null +++ b/tests/shell/testcases/json/dumps/0005secmark_objref_0.nft @@ -0,0 +1,18 @@ +table inet x { + secmark ssh_server { + "system_u:object_r:ssh_server_packet_t:s0" + } + + chain y { + type filter hook input priority -225; policy accept; + tcp dport 2222 ct state new meta secmark set "ssh_server" + ct state new ct secmark set meta secmark + ct state established,related meta secmark set ct secmark + } + + chain z { + type filter hook output priority 225; policy accept; + ct state new ct secmark set meta secmark + ct state established,related meta secmark set ct secmark + } +} -- 2.30.2
