Generated value for filtering from two arguments received from the command line

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi,

I am developing on adding the IPSO option IPOPT_SEC (RFC1108[1]) for filtering as IP options. I take the same as in ipopt.c as a basis. According to the IPSO option fields I will have the following fields in the nft - TYPE, LENTH and PROTECTION AUTHORITY FLAGS, but for this I planned use existing fields (type, length, value).

The PROTECTION AUTHORITY FLAGS field will be a generated field.

What I mean is, the following command line example adds clarification:

# nft add rule ip ipopt_t ipopt_c ip option sec arg1 NUM arg2 NUM counter


In parser_bison.y I added:

ip_hdr_expr     :   IP  ip_hdr_field    close_scope_ip
           {
               $$ = payload_expr_alloc(&@$, &proto_ip, $2);
           }
           |   IP  OPTION  ip_option_type ip_option_field  close_scope_ip
           {
               $$ = ipopt_expr_alloc(&@$, $3, $4);
               if (!$$) {
                   erec_queue(error(&@1, "unknown ip option type/field"), state->msgs);
                   YYERROR;
               }
           }
           |   IP  OPTION  ip_option_type close_scope_ip
           {
               $$ = ipopt_expr_alloc(&@$, $3, IPOPT_FIELD_TYPE);
               $$->exthdr.flags = NFT_EXTHDR_F_PRESENT;
           }
           |   IP  OPTION  IPSO   gen_paf close_scope_ip
           {
               $$ = ipopt_expr_alloc(&@$, IPOPT_SEC, IPOPT_FIELD_VALUE);
           }
           ;

gen_paf        :   arg1   arg2
           {
               unsigned char paf_field[14] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0};
               struct paf_args = {$1, $2}

		$$ = build_paf_val(&paf_args, paf_field);
           }
           ;

arg1           :   /* empty */ { $$ = 0; }
           |           ARG1    NUM { $$ = $2; }
           ;

arg2           :   /* empty */ { $$ = 0; }
           |           ARG2    NUM { $$ = $2; }
           ;

I don't know bison very well and may be doing something wrong, but what I expect from this code is to have a value in place of gen_paf as if the user had entered the following:

# nft add rule ip ipopt_t ipopt_c ip option sec value 12345678 counter

The value 12345678 should be generated from the two values specified for gen_paf.


To ipopt.c I added:

static const struct exthdr_desc ipopt_sec = {
   .name       = «sec»,
   .type       = IPOPT_SEC,
   .templates  = {
       [IPOPT_FIELD_TYPE]      = PHT("type",   0,   8),
       [IPOPT_FIELD_LENGTH]        = PHT("length", 8,   8),
       [IPOPT_FIELD_VALUE]     = PHT("value",  24, 14),
   },
};


nft_parse() returned the error:

Error: syntax error, unexpected drop
add rule ip ipopt_t ipopt_c ip option sec arg1 11 arg2 3 drop


I did this because I don't quite understand how I can otherwise generate a value for this field before calling ipopt_expr_alloc() and pass it to this function. This may not be the right way at all, and if it is, I would be very grateful if someone could let me know.

Is there any expression in nft that would also take arguments from the command line to generate a value? Having researched the bison code, it seems that it should always accept the final value for filtering from the command line.

[1] https://www.rfc-editor.org/rfc/rfc1108.html
[Index of Archives]     [Netfitler Users]     [Berkeley Packet Filter]     [LARTC]     [Bugtraq]     [Yosemite Forum]

  Powered by Linux