summaryrefslogtreecommitdiffstats
path: root/src/netlink_delinearize.c
diff options
context:
space:
mode:
authorDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-09 13:08:37 +0000
committerDaniel Baumann <daniel.baumann@progress-linux.org>2024-04-09 13:08:37 +0000
commit971e619d8602fa52b1bfcb3ea65b7ab96be85318 (patch)
tree26feb2498c72b796e07b86349d17f544046de279 /src/netlink_delinearize.c
parentInitial commit. (diff)
downloadnftables-971e619d8602fa52b1bfcb3ea65b7ab96be85318.tar.xz
nftables-971e619d8602fa52b1bfcb3ea65b7ab96be85318.zip
Adding upstream version 1.0.9.upstream/1.0.9upstream
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to '')
-rw-r--r--src/netlink_delinearize.c3512
1 files changed, 3512 insertions, 0 deletions
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
new file mode 100644
index 0000000..e214510
--- /dev/null
+++ b/src/netlink_delinearize.c
@@ -0,0 +1,3512 @@
+/*
+ * Copyright (c) 2008 Patrick McHardy <kaber@trash.net>
+ * Copyright (c) 2013 Pablo Neira Ayuso <pablo@netfilter.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * Development of this code funded by Astaro AG (http://www.astaro.com/)
+ */
+
+#include <nft.h>
+
+#include <limits.h>
+#include <linux/netfilter/nf_tables.h>
+#include <arpa/inet.h>
+#include <linux/netfilter/nf_nat.h>
+#include <linux/netfilter.h>
+#include <net/ethernet.h>
+#include <netlink.h>
+#include <rule.h>
+#include <statement.h>
+#include <expression.h>
+#include <gmputil.h>
+#include <utils.h>
+#include <erec.h>
+#include <sys/socket.h>
+#include <libnftnl/udata.h>
+#include <cache.h>
+#include <xt.h>
+
+struct dl_proto_ctx *dl_proto_ctx(struct rule_pp_ctx *ctx)
+{
+ return ctx->dl;
+}
+
+static struct dl_proto_ctx *dl_proto_ctx_outer(struct rule_pp_ctx *ctx)
+{
+ return &ctx->_dl[0];
+}
+
+static int netlink_parse_expr(const struct nftnl_expr *nle,
+ struct netlink_parse_ctx *ctx);
+
+static void __fmtstring(3, 4) netlink_error(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const char *fmt, ...)
+{
+ struct error_record *erec;
+ va_list ap;
+
+ va_start(ap, fmt);
+ erec = erec_vcreate(EREC_ERROR, loc, fmt, ap);
+ va_end(ap);
+ erec_queue(erec, ctx->msgs);
+}
+
+static unsigned int netlink_parse_register(const struct nftnl_expr *nle,
+ unsigned int attr)
+{
+ unsigned int reg;
+
+ reg = nftnl_expr_get_u32(nle, attr);
+ /* Translate 128bit registers to corresponding 32bit registers */
+ if (reg >= NFT_REG_1 && reg <= NFT_REG_4)
+ reg = 1 + (reg - NFT_REG_1) * (NFT_REG_SIZE / NFT_REG32_SIZE);
+ else if (reg >= NFT_REG32_00)
+ reg = 1 + reg - NFT_REG32_00;
+
+ return reg;
+}
+
+static void netlink_set_register(struct netlink_parse_ctx *ctx,
+ enum nft_registers reg,
+ struct expr *expr)
+{
+ if (reg == NFT_REG_VERDICT || reg > MAX_REGS) {
+ netlink_error(ctx, &expr->location,
+ "Invalid destination register %u", reg);
+ expr_free(expr);
+ return;
+ }
+
+ expr_free(ctx->registers[reg]);
+
+ ctx->registers[reg] = expr;
+}
+
+static struct expr *netlink_get_register(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ enum nft_registers reg)
+{
+ struct expr *expr;
+
+ if (reg == NFT_REG_VERDICT || reg > MAX_REGS) {
+ netlink_error(ctx, loc, "Invalid source register %u", reg);
+ return NULL;
+ }
+
+ expr = ctx->registers[reg];
+ if (expr != NULL)
+ expr = expr_clone(expr);
+
+ return expr;
+}
+
+static void netlink_release_registers(struct netlink_parse_ctx *ctx)
+{
+ int i;
+
+ for (i = 0; i <= MAX_REGS; i++)
+ expr_free(ctx->registers[i]);
+}
+
+static struct expr *netlink_parse_concat_expr(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ unsigned int reg,
+ unsigned int len)
+{
+ struct expr *concat, *expr;
+ unsigned int consumed;
+
+ concat = concat_expr_alloc(loc);
+ while (len > 0) {
+ expr = netlink_get_register(ctx, loc, reg);
+ if (expr == NULL) {
+ netlink_error(ctx, loc,
+ "Relational expression size mismatch");
+ goto err;
+ }
+ compound_expr_add(concat, expr);
+
+ consumed = netlink_padded_len(expr->len);
+ assert(consumed > 0);
+ len -= consumed;
+ reg += netlink_register_space(expr->len);
+ }
+ return concat;
+
+err:
+ expr_free(concat);
+ return NULL;
+}
+
+static struct expr *netlink_parse_concat_key(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ unsigned int reg,
+ const struct expr *key)
+{
+ uint32_t type = key->dtype->type;
+ unsigned int n, len = key->len;
+ struct expr *concat, *expr;
+ unsigned int consumed;
+
+ concat = concat_expr_alloc(loc);
+ n = div_round_up(fls(type), TYPE_BITS);
+
+ while (len > 0) {
+ const struct datatype *i;
+
+ expr = netlink_get_register(ctx, loc, reg);
+ if (expr == NULL) {
+ netlink_error(ctx, loc,
+ "Concat expression size mismatch");
+ goto err;
+ }
+
+ if (n > 0 && concat_subtype_id(type, --n)) {
+ i = concat_subtype_lookup(type, n);
+
+ expr_set_type(expr, i, i->byteorder);
+ }
+
+ compound_expr_add(concat, expr);
+
+ consumed = netlink_padded_len(expr->len);
+ assert(consumed > 0);
+ len -= consumed;
+ reg += netlink_register_space(expr->len);
+ }
+
+ return concat;
+
+err:
+ expr_free(concat);
+ return NULL;
+}
+
+static struct expr *netlink_parse_concat_data(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ unsigned int reg,
+ unsigned int len,
+ struct expr *data)
+{
+ struct expr *concat, *expr, *i;
+
+ concat = concat_expr_alloc(loc);
+ while (len > 0) {
+ expr = netlink_get_register(ctx, loc, reg);
+ if (expr == NULL) {
+ netlink_error(ctx, loc,
+ "Relational expression size mismatch");
+ goto err;
+ }
+ i = constant_expr_splice(data, expr->len);
+ data->len -= netlink_padding_len(expr->len);
+ compound_expr_add(concat, i);
+
+ len -= netlink_padded_len(expr->len);
+ reg += netlink_register_space(expr->len);
+ expr_free(expr);
+ }
+ return concat;
+
+err:
+ expr_free(concat);
+ return NULL;
+}
+
+static void netlink_parse_chain_verdict(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ struct expr *expr,
+ enum nft_verdicts verdict)
+{
+ char chain_name[NFT_CHAIN_MAXNAMELEN] = {};
+ struct chain *chain;
+
+ expr_chain_export(expr->chain, chain_name);
+ chain = chain_binding_lookup(ctx->table, chain_name);
+
+ /* Special case: 'nft list chain x y' needs to pull in implicit chains */
+ if (!chain && !strncmp(chain_name, "__chain", strlen("__chain"))) {
+ nft_chain_cache_update(ctx->nlctx, ctx->table, chain_name);
+ chain = chain_binding_lookup(ctx->table, chain_name);
+ }
+
+ if (chain) {
+ ctx->stmt = chain_stmt_alloc(loc, chain, verdict);
+ expr_free(expr);
+ } else {
+ ctx->stmt = verdict_stmt_alloc(loc, expr);
+ }
+}
+
+static void netlink_parse_immediate(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ struct nft_data_delinearize nld;
+ enum nft_registers dreg;
+ struct expr *expr;
+
+ if (nftnl_expr_is_set(nle, NFTNL_EXPR_IMM_VERDICT)) {
+ nld.verdict = nftnl_expr_get_u32(nle, NFTNL_EXPR_IMM_VERDICT);
+ if (nftnl_expr_is_set(nle, NFTNL_EXPR_IMM_CHAIN)) {
+ nld.chain = nftnl_expr_get(nle, NFTNL_EXPR_IMM_CHAIN,
+ &nld.len);
+ }
+ } else if (nftnl_expr_is_set(nle, NFTNL_EXPR_IMM_DATA)) {
+ nld.value = nftnl_expr_get(nle, NFTNL_EXPR_IMM_DATA, &nld.len);
+ }
+
+ dreg = netlink_parse_register(nle, NFTNL_EXPR_IMM_DREG);
+ expr = netlink_alloc_data(loc, &nld, dreg);
+
+ if (dreg == NFT_REG_VERDICT) {
+ switch (expr->verdict) {
+ case NFT_JUMP:
+ netlink_parse_chain_verdict(ctx, loc, expr, NFT_JUMP);
+ break;
+ case NFT_GOTO:
+ netlink_parse_chain_verdict(ctx, loc, expr, NFT_GOTO);
+ break;
+ default:
+ ctx->stmt = verdict_stmt_alloc(loc, expr);
+ break;
+ }
+ } else {
+ netlink_set_register(ctx, dreg, expr);
+ }
+}
+
+static void netlink_parse_xfrm(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ enum nft_registers dreg;
+ enum nft_xfrm_keys key;
+ struct expr *expr;
+ uint32_t spnum;
+ uint8_t dir;
+
+ key = nftnl_expr_get_u32(nle, NFTNL_EXPR_XFRM_KEY);
+ dir = nftnl_expr_get_u8(nle, NFTNL_EXPR_XFRM_DIR);
+ spnum = nftnl_expr_get_u32(nle, NFTNL_EXPR_XFRM_SPNUM);
+ expr = xfrm_expr_alloc(loc, dir, spnum, key);
+
+ dreg = netlink_parse_register(nle, NFTNL_EXPR_XFRM_DREG);
+ netlink_set_register(ctx, dreg, expr);
+}
+
+static enum ops netlink_parse_range_op(const struct nftnl_expr *nle)
+{
+ switch (nftnl_expr_get_u32(nle, NFTNL_EXPR_RANGE_OP)) {
+ case NFT_RANGE_EQ:
+ return OP_EQ;
+ case NFT_RANGE_NEQ:
+ return OP_NEQ;
+ default:
+ return OP_INVALID;
+ }
+}
+
+static void netlink_parse_range(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ struct expr *expr, *left, *right, *from, *to;
+ struct nft_data_delinearize nld;
+ enum nft_registers sreg;
+ enum ops op;
+
+ sreg = netlink_parse_register(nle, NFTNL_EXPR_RANGE_SREG);
+ left = netlink_get_register(ctx, loc, sreg);
+ if (left == NULL)
+ return netlink_error(ctx, loc,
+ "Relational expression has no left hand side");
+
+ op = netlink_parse_range_op(nle);
+
+ nld.value = nftnl_expr_get(nle, NFTNL_EXPR_RANGE_FROM_DATA, &nld.len);
+ from = netlink_alloc_value(loc, &nld);
+
+ nld.value = nftnl_expr_get(nle, NFTNL_EXPR_RANGE_TO_DATA, &nld.len);
+ to = netlink_alloc_value(loc, &nld);
+
+ right = range_expr_alloc(loc, from, to);
+ expr = relational_expr_alloc(loc, op, left, right);
+ ctx->stmt = expr_stmt_alloc(loc, expr);
+}
+
+static enum ops netlink_parse_cmp_op(const struct nftnl_expr *nle)
+{
+ switch (nftnl_expr_get_u32(nle, NFTNL_EXPR_CMP_OP)) {
+ case NFT_CMP_EQ:
+ return OP_EQ;
+ case NFT_CMP_NEQ:
+ return OP_NEQ;
+ case NFT_CMP_LT:
+ return OP_LT;
+ case NFT_CMP_LTE:
+ return OP_LTE;
+ case NFT_CMP_GT:
+ return OP_GT;
+ case NFT_CMP_GTE:
+ return OP_GTE;
+ default:
+ return OP_INVALID;
+ }
+}
+
+static void netlink_parse_cmp(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ struct nft_data_delinearize nld;
+ enum nft_registers sreg;
+ struct expr *expr, *left, *right, *tmp;
+ enum ops op;
+
+ sreg = netlink_parse_register(nle, NFTNL_EXPR_CMP_SREG);
+ left = netlink_get_register(ctx, loc, sreg);
+ if (left == NULL)
+ return netlink_error(ctx, loc,
+ "Relational expression has no left "
+ "hand side");
+
+ op = netlink_parse_cmp_op(nle);
+
+ nld.value = nftnl_expr_get(nle, NFTNL_EXPR_CMP_DATA, &nld.len);
+ right = netlink_alloc_value(loc, &nld);
+
+ if (left->len > right->len &&
+ expr_basetype(left) != &string_type) {
+ mpz_lshift_ui(right->value, left->len - right->len);
+ right = prefix_expr_alloc(loc, right, right->len);
+ right->prefix->len = left->len;
+ } else if (left->len > 0 && left->len < right->len) {
+ expr_free(left);
+ left = netlink_parse_concat_expr(ctx, loc, sreg, right->len);
+ if (left == NULL)
+ goto err_free;
+ tmp = netlink_parse_concat_data(ctx, loc, sreg, right->len, right);
+ if (tmp == NULL)
+ goto err_free;
+ expr_free(right);
+ right = tmp;
+ }
+
+ expr = relational_expr_alloc(loc, op, left, right);
+ ctx->stmt = expr_stmt_alloc(loc, expr);
+ return;
+err_free:
+ expr_free(left);
+ expr_free(right);
+}
+
+static void netlink_parse_lookup(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ enum nft_registers sreg, dreg;
+ const char *name;
+ struct expr *expr, *left, *right;
+ struct set *set;
+ uint32_t flag;
+
+ name = nftnl_expr_get_str(nle, NFTNL_EXPR_LOOKUP_SET);
+ set = set_cache_find(ctx->table, name);
+ if (set == NULL)
+ return netlink_error(ctx, loc,
+ "Unknown set '%s' in lookup expression",
+ name);
+
+ sreg = netlink_parse_register(nle, NFTNL_EXPR_LOOKUP_SREG);
+ left = netlink_get_register(ctx, loc, sreg);
+ if (left == NULL)
+ return netlink_error(ctx, loc,
+ "Lookup expression has no left hand side");
+
+ if (left->len < set->key->len) {
+ expr_free(left);
+ left = netlink_parse_concat_expr(ctx, loc, sreg, set->key->len);
+ if (left == NULL)
+ return;
+ }
+
+ right = set_ref_expr_alloc(loc, set);
+
+ if (nftnl_expr_is_set(nle, NFTNL_EXPR_LOOKUP_DREG)) {
+ dreg = netlink_parse_register(nle, NFTNL_EXPR_LOOKUP_DREG);
+ expr = map_expr_alloc(loc, left, right);
+ if (dreg != NFT_REG_VERDICT)
+ return netlink_set_register(ctx, dreg, expr);
+ } else {
+ expr = relational_expr_alloc(loc, OP_EQ, left, right);
+ }
+
+ if (nftnl_expr_is_set(nle, NFTNL_EXPR_LOOKUP_FLAGS)) {
+ flag = nftnl_expr_get_u32(nle, NFTNL_EXPR_LOOKUP_FLAGS);
+ if (flag & NFT_LOOKUP_F_INV)
+ expr->op = OP_NEQ;
+ }
+
+ ctx->stmt = expr_stmt_alloc(loc, expr);
+}
+
+static struct expr *netlink_parse_bitwise_bool(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle,
+ enum nft_registers sreg,
+ struct expr *left)
+
+{
+ struct nft_data_delinearize nld;
+ struct expr *expr, *mask, *xor, *or;
+ mpz_t m, x, o;
+
+ expr = left;
+
+ nld.value = nftnl_expr_get(nle, NFTNL_EXPR_BITWISE_MASK, &nld.len);
+ mask = netlink_alloc_value(loc, &nld);
+ mpz_init_set(m, mask->value);
+
+ nld.value = nftnl_expr_get(nle, NFTNL_EXPR_BITWISE_XOR, &nld.len);
+ xor = netlink_alloc_value(loc, &nld);
+ mpz_init_set(x, xor->value);
+
+ mpz_init_set_ui(o, 0);
+ if (mpz_scan0(m, 0) != mask->len || mpz_cmp_ui(x, 0)) {
+ /* o = (m & x) ^ x */
+ mpz_and(o, m, x);
+ mpz_xor(o, o, x);
+ /* x &= m */
+ mpz_and(x, x, m);
+ /* m |= o */
+ mpz_ior(m, m, o);
+ }
+
+ if (left->len > 0 && mpz_scan0(m, 0) >= left->len) {
+ /* mask encompasses the entire value */
+ expr_free(mask);
+ } else {
+ mpz_set(mask->value, m);
+ expr = binop_expr_alloc(loc, OP_AND, expr, mask);
+ expr->len = left->len;
+ }
+
+ if (mpz_cmp_ui(x, 0)) {
+ mpz_set(xor->value, x);
+ expr = binop_expr_alloc(loc, OP_XOR, expr, xor);
+ expr->len = left->len;
+ } else
+ expr_free(xor);
+
+ if (mpz_cmp_ui(o, 0)) {
+ nld.value = nftnl_expr_get(nle, NFTNL_EXPR_BITWISE_XOR,
+ &nld.len);
+
+ or = netlink_alloc_value(loc, &nld);
+ mpz_set(or->value, o);
+ expr = binop_expr_alloc(loc, OP_OR, expr, or);
+ expr->len = left->len;
+ }
+
+ mpz_clear(m);
+ mpz_clear(x);
+ mpz_clear(o);
+
+ return expr;
+}
+
+static struct expr *netlink_parse_bitwise_shift(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle,
+ enum ops op,
+ enum nft_registers sreg,
+ struct expr *left)
+{
+ struct nft_data_delinearize nld;
+ struct expr *expr, *right;
+
+ nld.value = nftnl_expr_get(nle, NFTNL_EXPR_BITWISE_DATA, &nld.len);
+ right = netlink_alloc_value(loc, &nld);
+ right->byteorder = BYTEORDER_HOST_ENDIAN;
+
+ expr = binop_expr_alloc(loc, op, left, right);
+ expr->len = nftnl_expr_get_u32(nle, NFTNL_EXPR_BITWISE_LEN) * BITS_PER_BYTE;
+
+ return expr;
+}
+
+static void netlink_parse_bitwise(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ enum nft_registers sreg, dreg;
+ struct expr *expr, *left;
+ enum nft_bitwise_ops op;
+
+ sreg = netlink_parse_register(nle, NFTNL_EXPR_BITWISE_SREG);
+ left = netlink_get_register(ctx, loc, sreg);
+ if (left == NULL)
+ return netlink_error(ctx, loc,
+ "Bitwise expression has no left "
+ "hand side");
+
+ op = nftnl_expr_get_u32(nle, NFTNL_EXPR_BITWISE_OP);
+
+ switch (op) {
+ case NFT_BITWISE_BOOL:
+ expr = netlink_parse_bitwise_bool(ctx, loc, nle, sreg,
+ left);
+ break;
+ case NFT_BITWISE_LSHIFT:
+ expr = netlink_parse_bitwise_shift(ctx, loc, nle, OP_LSHIFT,
+ sreg, left);
+ break;
+ case NFT_BITWISE_RSHIFT:
+ expr = netlink_parse_bitwise_shift(ctx, loc, nle, OP_RSHIFT,
+ sreg, left);
+ break;
+ default:
+ BUG("invalid bitwise operation %u\n", op);
+ }
+
+ dreg = netlink_parse_register(nle, NFTNL_EXPR_BITWISE_DREG);
+ netlink_set_register(ctx, dreg, expr);
+}
+
+static void netlink_parse_byteorder(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ enum nft_registers sreg, dreg;
+ struct expr *expr, *arg;
+ enum ops op;
+
+ sreg = netlink_parse_register(nle, NFTNL_EXPR_BYTEORDER_SREG);
+ arg = netlink_get_register(ctx, loc, sreg);
+ if (arg == NULL)
+ return netlink_error(ctx, loc,
+ "Byteorder expression has no left "
+ "hand side");
+
+ switch (nftnl_expr_get_u32(nle, NFTNL_EXPR_BYTEORDER_OP)) {
+ case NFT_BYTEORDER_NTOH:
+ op = OP_NTOH;
+ break;
+ case NFT_BYTEORDER_HTON:
+ op = OP_HTON;
+ break;
+ default:
+ BUG("invalid byteorder operation %u\n",
+ nftnl_expr_get_u32(nle, NFTNL_EXPR_BYTEORDER_OP));
+ }
+
+ expr = unary_expr_alloc(loc, op, arg);
+ expr->len = arg->len;
+
+ dreg = netlink_parse_register(nle, NFTNL_EXPR_BYTEORDER_DREG);
+ netlink_set_register(ctx, dreg, expr);
+}
+
+static void netlink_parse_payload_expr(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ enum nft_registers dreg;
+ uint32_t base, offset, len;
+ struct expr *expr;
+
+ base = nftnl_expr_get_u32(nle, NFTNL_EXPR_PAYLOAD_BASE) + 1;
+
+ if (base == NFT_PAYLOAD_TUN_HEADER + 1)
+ base = NFT_PAYLOAD_INNER_HEADER + 1;
+
+ offset = nftnl_expr_get_u32(nle, NFTNL_EXPR_PAYLOAD_OFFSET) * BITS_PER_BYTE;
+ len = nftnl_expr_get_u32(nle, NFTNL_EXPR_PAYLOAD_LEN) * BITS_PER_BYTE;
+
+ expr = payload_expr_alloc(loc, NULL, 0);
+ payload_init_raw(expr, base, offset, len);
+
+ dreg = netlink_parse_register(nle, NFTNL_EXPR_PAYLOAD_DREG);
+
+ if (ctx->inner)
+ ctx->inner_reg = dreg;
+
+ netlink_set_register(ctx, dreg, expr);
+}
+
+static void netlink_parse_inner(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ const struct proto_desc *inner_desc;
+ const struct nftnl_expr *inner_nle;
+ uint32_t hdrsize, flags, type;
+ struct expr *expr;
+
+ hdrsize = nftnl_expr_get_u32(nle, NFTNL_EXPR_INNER_HDRSIZE);
+ type = nftnl_expr_get_u32(nle, NFTNL_EXPR_INNER_TYPE);
+ flags = nftnl_expr_get_u32(nle, NFTNL_EXPR_INNER_FLAGS);
+
+ inner_nle = nftnl_expr_get(nle, NFTNL_EXPR_INNER_EXPR, NULL);
+ if (!inner_nle) {
+ netlink_error(ctx, loc, "Could not parse inner expression");
+ return;
+ }
+
+ inner_desc = proto_find_inner(type, hdrsize, flags);
+
+ ctx->inner = true;
+ if (netlink_parse_expr(inner_nle, ctx) < 0) {
+ ctx->inner = false;
+ return;
+ }
+ ctx->inner = false;
+
+ expr = netlink_get_register(ctx, loc, ctx->inner_reg);
+ assert(expr);
+
+ if (expr->etype == EXPR_PAYLOAD &&
+ expr->payload.base == PROTO_BASE_INNER_HDR) {
+ const struct proto_hdr_template *tmpl;
+ unsigned int i;
+
+ for (i = 1; i < array_size(inner_desc->templates); i++) {
+ tmpl = &inner_desc->templates[i];
+
+ if (tmpl->len == 0)
+ return;
+
+ if (tmpl->offset != expr->payload.offset ||
+ tmpl->len != expr->len)
+ continue;
+
+ expr->payload.desc = inner_desc;
+ expr->payload.tmpl = tmpl;
+ break;
+ }
+ }
+
+ switch (expr->etype) {
+ case EXPR_PAYLOAD:
+ expr->payload.inner_desc = inner_desc;
+ break;
+ case EXPR_META:
+ expr->meta.inner_desc = inner_desc;
+ break;
+ default:
+ assert(0);
+ break;
+ }
+
+ netlink_set_register(ctx, ctx->inner_reg, expr);
+}
+
+static void netlink_parse_payload_stmt(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ enum nft_registers sreg;
+ uint32_t base, offset, len;
+ struct expr *expr, *val;
+ struct stmt *stmt;
+
+ base = nftnl_expr_get_u32(nle, NFTNL_EXPR_PAYLOAD_BASE) + 1;
+ offset = nftnl_expr_get_u32(nle, NFTNL_EXPR_PAYLOAD_OFFSET) * BITS_PER_BYTE;
+ len = nftnl_expr_get_u32(nle, NFTNL_EXPR_PAYLOAD_LEN) * BITS_PER_BYTE;
+
+ sreg = netlink_parse_register(nle, NFTNL_EXPR_PAYLOAD_SREG);
+ val = netlink_get_register(ctx, loc, sreg);
+ if (val == NULL)
+ return netlink_error(ctx, loc,
+ "payload statement has no expression");
+
+ expr = payload_expr_alloc(loc, NULL, 0);
+ payload_init_raw(expr, base, offset, len);
+
+ stmt = payload_stmt_alloc(loc, expr, val);
+ rule_stmt_append(ctx->rule, stmt);
+}
+
+static void netlink_parse_payload(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ if (nftnl_expr_is_set(nle, NFTNL_EXPR_PAYLOAD_DREG))
+ netlink_parse_payload_expr(ctx, loc, nle);
+ else
+ netlink_parse_payload_stmt(ctx, loc, nle);
+}
+
+static void netlink_parse_exthdr(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ uint32_t offset, len, flags;
+ enum nft_registers dreg;
+ enum nft_exthdr_op op;
+ uint8_t type;
+ struct expr *expr;
+
+ type = nftnl_expr_get_u8(nle, NFTNL_EXPR_EXTHDR_TYPE);
+ offset = nftnl_expr_get_u32(nle, NFTNL_EXPR_EXTHDR_OFFSET) * BITS_PER_BYTE;
+ len = nftnl_expr_get_u32(nle, NFTNL_EXPR_EXTHDR_LEN) * BITS_PER_BYTE;
+ op = nftnl_expr_get_u32(nle, NFTNL_EXPR_EXTHDR_OP);
+ flags = nftnl_expr_get_u32(nle, NFTNL_EXPR_EXTHDR_FLAGS);
+
+ expr = exthdr_expr_alloc(loc, NULL, 0);
+ exthdr_init_raw(expr, type, offset, len, op, flags);
+
+ if (nftnl_expr_is_set(nle, NFTNL_EXPR_EXTHDR_DREG)) {
+ dreg = netlink_parse_register(nle, NFTNL_EXPR_EXTHDR_DREG);
+ netlink_set_register(ctx, dreg, expr);
+ } else if (nftnl_expr_is_set(nle, NFTNL_EXPR_EXTHDR_SREG)) {
+ enum nft_registers sreg;
+ struct stmt *stmt;
+ struct expr *val;
+
+ sreg = netlink_parse_register(nle, NFTNL_EXPR_EXTHDR_SREG);
+ val = netlink_get_register(ctx, loc, sreg);
+ if (val == NULL) {
+ expr_free(expr);
+ return netlink_error(ctx, loc,
+ "exthdr statement has no expression");
+ }
+
+ expr_set_type(val, expr->dtype, expr->byteorder);
+
+ stmt = exthdr_stmt_alloc(loc, expr, val);
+ rule_stmt_append(ctx->rule, stmt);
+ } else {
+ struct stmt *stmt = optstrip_stmt_alloc(loc, expr);
+
+ rule_stmt_append(ctx->rule, stmt);
+ }
+}
+
+static void netlink_parse_hash(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ enum nft_registers sreg, dreg;
+ struct expr *expr, *hexpr;
+ uint32_t mod, seed, len, offset;
+ enum nft_hash_types type;
+ bool seed_set;
+
+ type = nftnl_expr_get_u32(nle, NFTNL_EXPR_HASH_TYPE);
+ offset = nftnl_expr_get_u32(nle, NFTNL_EXPR_HASH_OFFSET);
+ seed_set = nftnl_expr_is_set(nle, NFTNL_EXPR_HASH_SEED);
+ seed = nftnl_expr_get_u32(nle, NFTNL_EXPR_HASH_SEED);
+ mod = nftnl_expr_get_u32(nle, NFTNL_EXPR_HASH_MODULUS);
+
+ expr = hash_expr_alloc(loc, mod, seed_set, seed, offset, type);
+
+ if (type != NFT_HASH_SYM) {
+ sreg = netlink_parse_register(nle, NFTNL_EXPR_HASH_SREG);
+ hexpr = netlink_get_register(ctx, loc, sreg);
+
+ if (hexpr == NULL) {
+ netlink_error(ctx, loc,
+ "hash statement has no expression");
+ goto out_err;
+ }
+ len = nftnl_expr_get_u32(nle,
+ NFTNL_EXPR_HASH_LEN) * BITS_PER_BYTE;
+ if (hexpr->len < len) {
+ expr_free(hexpr);
+ hexpr = netlink_parse_concat_expr(ctx, loc, sreg, len);
+ if (hexpr == NULL)
+ goto out_err;
+ }
+ expr->hash.expr = hexpr;
+ }
+
+ dreg = netlink_parse_register(nle, NFTNL_EXPR_HASH_DREG);
+ netlink_set_register(ctx, dreg, expr);
+ return;
+out_err:
+ expr_free(expr);
+}
+
+static void netlink_parse_fib(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ enum nft_registers dreg;
+ struct expr *expr;
+ uint32_t flags, result;
+
+ flags = nftnl_expr_get_u32(nle, NFTNL_EXPR_FIB_FLAGS);
+ result = nftnl_expr_get_u32(nle, NFTNL_EXPR_FIB_RESULT);
+
+ expr = fib_expr_alloc(loc, flags, result);
+
+ dreg = netlink_parse_register(nle, NFTNL_EXPR_FIB_DREG);
+ netlink_set_register(ctx, dreg, expr);
+}
+
+static void netlink_parse_meta_expr(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ enum nft_registers dreg;
+ uint32_t key;
+ struct expr *expr;
+
+ key = nftnl_expr_get_u32(nle, NFTNL_EXPR_META_KEY);
+ expr = meta_expr_alloc(loc, key);
+
+ dreg = netlink_parse_register(nle, NFTNL_EXPR_META_DREG);
+ if (ctx->inner)
+ ctx->inner_reg = dreg;
+
+ netlink_set_register(ctx, dreg, expr);
+}
+
+static void netlink_parse_socket(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ enum nft_registers dreg;
+ uint32_t key, level;
+ struct expr * expr;
+
+ key = nftnl_expr_get_u32(nle, NFTNL_EXPR_SOCKET_KEY);
+ level = nftnl_expr_get_u32(nle, NFTNL_EXPR_SOCKET_LEVEL);
+ expr = socket_expr_alloc(loc, key, level);
+
+ dreg = netlink_parse_register(nle, NFTNL_EXPR_SOCKET_DREG);
+ netlink_set_register(ctx, dreg, expr);
+}
+
+static void netlink_parse_osf(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ enum nft_registers dreg;
+ struct expr *expr;
+ uint32_t flags;
+ uint8_t ttl;
+
+ ttl = nftnl_expr_get_u8(nle, NFTNL_EXPR_OSF_TTL);
+ flags = nftnl_expr_get_u32(nle, NFTNL_EXPR_OSF_FLAGS);
+ expr = osf_expr_alloc(loc, ttl, flags);
+
+ dreg = netlink_parse_register(nle, NFTNL_EXPR_OSF_DREG);
+ netlink_set_register(ctx, dreg, expr);
+}
+
+static void netlink_parse_meta_stmt(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ enum nft_registers sreg;
+ uint32_t key;
+ struct stmt *stmt;
+ struct expr *expr;
+
+ sreg = netlink_parse_register(nle, NFTNL_EXPR_META_SREG);
+ expr = netlink_get_register(ctx, loc, sreg);
+ if (expr == NULL)
+ return netlink_error(ctx, loc,
+ "meta statement has no expression");
+
+ key = nftnl_expr_get_u32(nle, NFTNL_EXPR_META_KEY);
+ stmt = meta_stmt_alloc(loc, key, expr);
+
+ if (stmt->meta.tmpl)
+ expr_set_type(expr, stmt->meta.tmpl->dtype, stmt->meta.tmpl->byteorder);
+
+ ctx->stmt = stmt;
+}
+
+static void netlink_parse_meta(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ if (nftnl_expr_is_set(nle, NFTNL_EXPR_META_DREG))
+ netlink_parse_meta_expr(ctx, loc, nle);
+ else
+ netlink_parse_meta_stmt(ctx, loc, nle);
+}
+
+static void netlink_parse_rt(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ enum nft_registers dreg;
+ uint32_t key;
+ struct expr *expr;
+
+ key = nftnl_expr_get_u32(nle, NFTNL_EXPR_RT_KEY);
+ expr = rt_expr_alloc(loc, key, false);
+
+ dreg = netlink_parse_register(nle, NFTNL_EXPR_RT_DREG);
+ netlink_set_register(ctx, dreg, expr);
+}
+
+static void netlink_parse_numgen(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ uint32_t type, until, offset;
+ enum nft_registers dreg;
+ struct expr *expr;
+
+ type = nftnl_expr_get_u32(nle, NFTNL_EXPR_NG_TYPE);
+ until = nftnl_expr_get_u32(nle, NFTNL_EXPR_NG_MODULUS);
+ offset = nftnl_expr_get_u32(nle, NFTNL_EXPR_NG_OFFSET);
+
+ expr = numgen_expr_alloc(loc, type, until, offset);
+ dreg = netlink_parse_register(nle, NFTNL_EXPR_NG_DREG);
+ netlink_set_register(ctx, dreg, expr);
+}
+
+static void netlink_parse_notrack(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ ctx->stmt = notrack_stmt_alloc(loc);
+}
+
+static void netlink_parse_flow_offload(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ const char *table_name;
+
+ table_name = xstrdup(nftnl_expr_get_str(nle, NFTNL_EXPR_FLOW_TABLE_NAME));
+ ctx->stmt = flow_offload_stmt_alloc(loc, table_name);
+}
+
+static void netlink_parse_ct_stmt(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ enum nft_registers sreg;
+ uint32_t key;
+ struct stmt *stmt;
+ struct expr *expr;
+ int8_t dir = -1;
+
+ sreg = netlink_parse_register(nle, NFTNL_EXPR_CT_SREG);
+ expr = netlink_get_register(ctx, loc, sreg);
+ if (expr == NULL)
+ return netlink_error(ctx, loc,
+ "ct statement has no expression");
+
+ if (nftnl_expr_is_set(nle, NFTNL_EXPR_CT_DIR))
+ dir = nftnl_expr_get_u8(nle, NFTNL_EXPR_CT_DIR);
+
+ key = nftnl_expr_get_u32(nle, NFTNL_EXPR_CT_KEY);
+ stmt = ct_stmt_alloc(loc, key, dir, expr);
+ expr_set_type(expr, stmt->ct.tmpl->dtype, stmt->ct.tmpl->byteorder);
+
+ ctx->stmt = stmt;
+}
+
+static void netlink_parse_ct_expr(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ struct expr *expr = NULL;
+ enum nft_registers dreg;
+ int8_t dir = -1;
+ uint32_t key;
+
+ if (nftnl_expr_is_set(nle, NFTNL_EXPR_CT_DIR))
+ dir = nftnl_expr_get_u8(nle, NFTNL_EXPR_CT_DIR);
+
+ key = nftnl_expr_get_u32(nle, NFTNL_EXPR_CT_KEY);
+ expr = ct_expr_alloc(loc, key, dir);
+
+ dreg = netlink_parse_register(nle, NFTNL_EXPR_CT_DREG);
+ netlink_set_register(ctx, dreg, expr);
+}
+
+static void netlink_parse_ct(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ if (nftnl_expr_is_set(nle, NFTNL_EXPR_CT_DREG))
+ netlink_parse_ct_expr(ctx, loc, nle);
+ else
+ netlink_parse_ct_stmt(ctx, loc, nle);
+}
+
+static void netlink_parse_connlimit(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ struct stmt *stmt;
+
+ stmt = connlimit_stmt_alloc(loc);
+ stmt->connlimit.count =
+ nftnl_expr_get_u32(nle, NFTNL_EXPR_CONNLIMIT_COUNT);
+ stmt->connlimit.flags =
+ nftnl_expr_get_u32(nle, NFTNL_EXPR_CONNLIMIT_FLAGS);
+
+ ctx->stmt = stmt;
+}
+
+static void netlink_parse_counter(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ struct stmt *stmt;
+
+ stmt = counter_stmt_alloc(loc);
+ stmt->counter.packets = nftnl_expr_get_u64(nle, NFTNL_EXPR_CTR_PACKETS);
+ stmt->counter.bytes = nftnl_expr_get_u64(nle, NFTNL_EXPR_CTR_BYTES);
+
+ ctx->stmt = stmt;
+}
+
+static void netlink_parse_last(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ struct stmt *stmt;
+
+ stmt = last_stmt_alloc(loc);
+ stmt->last.used = nftnl_expr_get_u64(nle, NFTNL_EXPR_LAST_MSECS);
+ stmt->last.set = nftnl_expr_get_u32(nle, NFTNL_EXPR_LAST_SET);
+
+ ctx->stmt = stmt;
+}
+
+static void netlink_parse_log(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ struct stmt *stmt;
+ const char *prefix;
+
+ stmt = log_stmt_alloc(loc);
+ prefix = nftnl_expr_get_str(nle, NFTNL_EXPR_LOG_PREFIX);
+ if (nftnl_expr_is_set(nle, NFTNL_EXPR_LOG_PREFIX)) {
+ stmt->log.prefix = constant_expr_alloc(&internal_location,
+ &string_type,
+ BYTEORDER_HOST_ENDIAN,
+ (strlen(prefix) + 1) * BITS_PER_BYTE,
+ prefix);
+ stmt->log.flags |= STMT_LOG_PREFIX;
+ }
+ if (nftnl_expr_is_set(nle, NFTNL_EXPR_LOG_GROUP)) {
+ stmt->log.group = nftnl_expr_get_u16(nle, NFTNL_EXPR_LOG_GROUP);
+ stmt->log.flags |= STMT_LOG_GROUP;
+ }
+ if (nftnl_expr_is_set(nle, NFTNL_EXPR_LOG_SNAPLEN)) {
+ stmt->log.snaplen =
+ nftnl_expr_get_u32(nle, NFTNL_EXPR_LOG_SNAPLEN);
+ stmt->log.flags |= STMT_LOG_SNAPLEN;
+ }
+ if (nftnl_expr_is_set(nle, NFTNL_EXPR_LOG_QTHRESHOLD)) {
+ stmt->log.qthreshold =
+ nftnl_expr_get_u16(nle, NFTNL_EXPR_LOG_QTHRESHOLD);
+ stmt->log.flags |= STMT_LOG_QTHRESHOLD;
+ }
+ if (nftnl_expr_is_set(nle, NFTNL_EXPR_LOG_LEVEL)) {
+ stmt->log.level =
+ nftnl_expr_get_u32(nle, NFTNL_EXPR_LOG_LEVEL);
+ stmt->log.flags |= STMT_LOG_LEVEL;
+ }
+ if (nftnl_expr_is_set(nle, NFTNL_EXPR_LOG_FLAGS)) {
+ stmt->log.logflags =
+ nftnl_expr_get_u32(nle, NFTNL_EXPR_LOG_FLAGS);
+ }
+
+ ctx->stmt = stmt;
+}
+
+static void netlink_parse_limit(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ struct stmt *stmt;
+
+ stmt = limit_stmt_alloc(loc);
+ stmt->limit.rate = nftnl_expr_get_u64(nle, NFTNL_EXPR_LIMIT_RATE);
+ stmt->limit.unit = nftnl_expr_get_u64(nle, NFTNL_EXPR_LIMIT_UNIT);
+ stmt->limit.type = nftnl_expr_get_u32(nle, NFTNL_EXPR_LIMIT_TYPE);
+ stmt->limit.burst = nftnl_expr_get_u32(nle, NFTNL_EXPR_LIMIT_BURST);
+ stmt->limit.flags = nftnl_expr_get_u32(nle, NFTNL_EXPR_LIMIT_FLAGS);
+
+ ctx->stmt = stmt;
+}
+
+static void netlink_parse_quota(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ struct stmt *stmt;
+
+ stmt = quota_stmt_alloc(loc);
+ stmt->quota.bytes = nftnl_expr_get_u64(nle, NFTNL_EXPR_QUOTA_BYTES);
+ stmt->quota.used =
+ nftnl_expr_get_u64(nle, NFTNL_EXPR_QUOTA_CONSUMED);
+ stmt->quota.flags = nftnl_expr_get_u32(nle, NFTNL_EXPR_QUOTA_FLAGS);
+
+ ctx->stmt = stmt;
+}
+
+static void netlink_parse_reject(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *expr)
+{
+ struct stmt *stmt;
+ uint8_t icmp_code;
+
+ stmt = reject_stmt_alloc(loc);
+ stmt->reject.type = nftnl_expr_get_u32(expr, NFTNL_EXPR_REJECT_TYPE);
+ icmp_code = nftnl_expr_get_u8(expr, NFTNL_EXPR_REJECT_CODE);
+ stmt->reject.icmp_code = icmp_code;
+ stmt->reject.expr = constant_expr_alloc(loc, &integer_type,
+ BYTEORDER_HOST_ENDIAN, 8,
+ &icmp_code);
+ ctx->stmt = stmt;
+}
+
+static bool is_nat_addr_map(const struct expr *addr, uint8_t family,
+ struct stmt *stmt)
+{
+ const struct expr *mappings, *data;
+ const struct set *set;
+
+ if (!addr ||
+ expr_ops(addr)->type != EXPR_MAP)
+ return false;
+
+ mappings = addr->right;
+ if (expr_ops(mappings)->type != EXPR_SET_REF)
+ return false;
+
+ set = mappings->set;
+ data = set->data;
+
+ if (!(data->flags & EXPR_F_INTERVAL))
+ return false;
+
+ stmt->nat.family = family;
+
+ /* if we're dealing with an address:address map,
+ * the length will be bit_sizeof(addr) + 32 (one register).
+ */
+ switch (family) {
+ case NFPROTO_IPV4:
+ if (data->len == 32 + 32) {
+ stmt->nat.type_flags |= STMT_NAT_F_INTERVAL;
+ return true;
+ } else if (data->len == 32 + 32 + 32 + 32) {
+ stmt->nat.type_flags |= STMT_NAT_F_INTERVAL |
+ STMT_NAT_F_CONCAT;
+ return true;
+ }
+ break;
+ case NFPROTO_IPV6:
+ if (data->len == 128 + 128) {
+ stmt->nat.type_flags |= STMT_NAT_F_INTERVAL;
+ return true;
+ } else if (data->len == 128 + 32 + 128 + 32) {
+ stmt->nat.type_flags |= STMT_NAT_F_INTERVAL |
+ STMT_NAT_F_CONCAT;
+ return true;
+ }
+ }
+
+ return false;
+}
+
+static bool is_nat_proto_map(const struct expr *addr, uint8_t family)
+{
+ const struct expr *mappings, *data;
+ const struct set *set;
+
+ if (!addr ||
+ expr_ops(addr)->type != EXPR_MAP)
+ return false;
+
+ mappings = addr->right;
+ if (expr_ops(mappings)->type != EXPR_SET_REF)
+ return false;
+
+ set = mappings->set;
+ data = set->data;
+
+ /* if we're dealing with an address:inet_service map,
+ * the length will be bit_sizeof(addr) + 32 (one register).
+ */
+ switch (family) {
+ case NFPROTO_IPV4:
+ return data->len == 32 + 32;
+ case NFPROTO_IPV6:
+ return data->len == 128 + 32;
+ }
+
+ return false;
+}
+
+static void netlink_parse_nat(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ struct stmt *stmt;
+ struct expr *addr, *proto;
+ enum nft_registers reg1, reg2;
+ int family;
+
+ stmt = nat_stmt_alloc(loc,
+ nftnl_expr_get_u32(nle, NFTNL_EXPR_NAT_TYPE));
+
+ family = nftnl_expr_get_u32(nle, NFTNL_EXPR_NAT_FAMILY);
+
+ if (ctx->table->handle.family == NFPROTO_INET)
+ stmt->nat.family = family;
+
+ if (nftnl_expr_is_set(nle, NFTNL_EXPR_NAT_FLAGS))
+ stmt->nat.flags = nftnl_expr_get_u32(nle, NFTNL_EXPR_NAT_FLAGS);
+
+ if (stmt->nat.flags & NF_NAT_RANGE_NETMAP)
+ stmt->nat.type_flags |= STMT_NAT_F_PREFIX;
+
+ addr = NULL;
+ reg1 = netlink_parse_register(nle, NFTNL_EXPR_NAT_REG_ADDR_MIN);
+ if (reg1) {
+ addr = netlink_get_register(ctx, loc, reg1);
+ if (addr == NULL) {
+ netlink_error(ctx, loc,
+ "NAT statement has no address expression");
+ goto out_err;
+ }
+
+ if (family == NFPROTO_IPV4)
+ expr_set_type(addr, &ipaddr_type, BYTEORDER_BIG_ENDIAN);
+ else
+ expr_set_type(addr, &ip6addr_type,
+ BYTEORDER_BIG_ENDIAN);
+ stmt->nat.addr = addr;
+ }
+
+ if (is_nat_addr_map(addr, family, stmt)) {
+ stmt->nat.family = family;
+ ctx->stmt = stmt;
+ return;
+ }
+
+ reg2 = netlink_parse_register(nle, NFTNL_EXPR_NAT_REG_ADDR_MAX);
+ if (reg2 && reg2 != reg1) {
+ addr = netlink_get_register(ctx, loc, reg2);
+ if (addr == NULL) {
+ netlink_error(ctx, loc,
+ "NAT statement has no address expression");
+ goto out_err;
+ }
+
+ if (family == NFPROTO_IPV4)
+ expr_set_type(addr, &ipaddr_type, BYTEORDER_BIG_ENDIAN);
+ else
+ expr_set_type(addr, &ip6addr_type,
+ BYTEORDER_BIG_ENDIAN);
+ if (stmt->nat.addr != NULL) {
+ addr = range_expr_alloc(loc, stmt->nat.addr, addr);
+ addr = range_expr_to_prefix(addr);
+ }
+ stmt->nat.addr = addr;
+ }
+
+ if (is_nat_proto_map(addr, family)) {
+ stmt->nat.family = family;
+ stmt->nat.type_flags |= STMT_NAT_F_CONCAT;
+ ctx->stmt = stmt;
+ return;
+ }
+
+ reg1 = netlink_parse_register(nle, NFTNL_EXPR_NAT_REG_PROTO_MIN);
+ if (reg1) {
+ proto = netlink_get_register(ctx, loc, reg1);
+ if (proto == NULL) {
+ netlink_error(ctx, loc,
+ "NAT statement has no proto expression");
+ goto out_err;
+ }
+
+ expr_set_type(proto, &inet_service_type, BYTEORDER_BIG_ENDIAN);
+ stmt->nat.proto = proto;
+ }
+
+ reg2 = netlink_parse_register(nle, NFTNL_EXPR_NAT_REG_PROTO_MAX);
+ if (reg2 && reg2 != reg1) {
+ proto = netlink_get_register(ctx, loc, reg2);
+ if (proto == NULL) {
+ netlink_error(ctx, loc,
+ "NAT statement has no proto expression");
+ goto out_err;
+ }
+
+ expr_set_type(proto, &inet_service_type, BYTEORDER_BIG_ENDIAN);
+ if (stmt->nat.proto != NULL)
+ proto = range_expr_alloc(loc, stmt->nat.proto, proto);
+ stmt->nat.proto = proto;
+ }
+
+ ctx->stmt = stmt;
+ return;
+out_err:
+ stmt_free(stmt);
+}
+
+static void netlink_parse_synproxy(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ struct stmt *stmt;
+
+ stmt = synproxy_stmt_alloc(loc);
+ stmt->synproxy.mss = nftnl_expr_get_u16(nle, NFTNL_EXPR_SYNPROXY_MSS);
+ stmt->synproxy.wscale = nftnl_expr_get_u8(nle,
+ NFTNL_EXPR_SYNPROXY_WSCALE);
+ stmt->synproxy.flags = nftnl_expr_get_u32(nle,
+ NFTNL_EXPR_SYNPROXY_FLAGS);
+
+ ctx->stmt = stmt;
+}
+
+static void netlink_parse_tproxy(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ struct stmt *stmt;
+ struct expr *addr, *port;
+ enum nft_registers reg;
+
+ stmt = tproxy_stmt_alloc(loc);
+ stmt->tproxy.family = nftnl_expr_get_u32(nle, NFTNL_EXPR_TPROXY_FAMILY);
+ stmt->tproxy.table_family = ctx->table->handle.family;
+
+ reg = netlink_parse_register(nle, NFTNL_EXPR_TPROXY_REG_ADDR);
+ if (reg) {
+ addr = netlink_get_register(ctx, loc, reg);
+ if (addr == NULL)
+ goto err;
+
+ switch (stmt->tproxy.family) {
+ case NFPROTO_IPV4:
+ expr_set_type(addr, &ipaddr_type, BYTEORDER_BIG_ENDIAN);
+ break;
+ case NFPROTO_IPV6:
+ expr_set_type(addr, &ip6addr_type, BYTEORDER_BIG_ENDIAN);
+ break;
+ default:
+ netlink_error(ctx, loc,
+ "tproxy address must be IPv4 or IPv6");
+ goto err;
+ }
+ stmt->tproxy.addr = addr;
+ }
+
+ reg = netlink_parse_register(nle, NFTNL_EXPR_TPROXY_REG_PORT);
+ if (reg) {
+ port = netlink_get_register(ctx, loc, reg);
+ if (port == NULL)
+ goto err;
+ expr_set_type(port, &inet_service_type, BYTEORDER_BIG_ENDIAN);
+ stmt->tproxy.port = port;
+ }
+
+ ctx->stmt = stmt;
+ return;
+err:
+ stmt_free(stmt);
+}
+
+static void netlink_parse_masq(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ enum nft_registers reg1, reg2;
+ struct expr *proto;
+ struct stmt *stmt;
+ uint32_t flags = 0;
+
+ if (nftnl_expr_is_set(nle, NFTNL_EXPR_MASQ_FLAGS))
+ flags = nftnl_expr_get_u32(nle, NFTNL_EXPR_MASQ_FLAGS);
+
+ stmt = nat_stmt_alloc(loc, NFT_NAT_MASQ);
+ stmt->nat.flags = flags;
+
+ reg1 = netlink_parse_register(nle, NFTNL_EXPR_MASQ_REG_PROTO_MIN);
+ if (reg1) {
+ proto = netlink_get_register(ctx, loc, reg1);
+ if (proto == NULL) {
+ netlink_error(ctx, loc,
+ "MASQUERADE statement has no proto expression");
+ goto out_err;
+ }
+ expr_set_type(proto, &inet_service_type, BYTEORDER_BIG_ENDIAN);
+ stmt->nat.proto = proto;
+ }
+
+ reg2 = netlink_parse_register(nle, NFTNL_EXPR_MASQ_REG_PROTO_MAX);
+ if (reg2 && reg2 != reg1) {
+ proto = netlink_get_register(ctx, loc, reg2);
+ if (proto == NULL) {
+ netlink_error(ctx, loc,
+ "MASQUERADE statement has no proto expression");
+ goto out_err;
+ }
+ expr_set_type(proto, &inet_service_type, BYTEORDER_BIG_ENDIAN);
+ if (stmt->nat.proto != NULL)
+ proto = range_expr_alloc(loc, stmt->nat.proto, proto);
+ stmt->nat.proto = proto;
+ }
+
+ ctx->stmt = stmt;
+ return;
+out_err:
+ stmt_free(stmt);
+}
+
+static void netlink_parse_redir(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ struct stmt *stmt;
+ struct expr *proto;
+ enum nft_registers reg1, reg2;
+ uint32_t flags;
+
+ stmt = nat_stmt_alloc(loc, NFT_NAT_REDIR);
+
+ if (nftnl_expr_is_set(nle, NFTNL_EXPR_REDIR_FLAGS)) {
+ flags = nftnl_expr_get_u32(nle, NFTNL_EXPR_REDIR_FLAGS);
+ stmt->nat.flags = flags;
+ }
+
+ reg1 = netlink_parse_register(nle, NFTNL_EXPR_REDIR_REG_PROTO_MIN);
+ if (reg1) {
+ proto = netlink_get_register(ctx, loc, reg1);
+ if (proto == NULL) {
+ netlink_error(ctx, loc,
+ "redirect statement has no proto expression");
+ goto out_err;
+ }
+
+ expr_set_type(proto, &inet_service_type, BYTEORDER_BIG_ENDIAN);
+ stmt->nat.proto = proto;
+ }
+
+ reg2 = netlink_parse_register(nle, NFTNL_EXPR_REDIR_REG_PROTO_MAX);
+ if (reg2 && reg2 != reg1) {
+ proto = netlink_get_register(ctx, loc, reg2);
+ if (proto == NULL) {
+ netlink_error(ctx, loc,
+ "redirect statement has no proto expression");
+ goto out_err;
+ }
+
+ expr_set_type(proto, &inet_service_type, BYTEORDER_BIG_ENDIAN);
+ if (stmt->nat.proto != NULL)
+ proto = range_expr_alloc(loc, stmt->nat.proto,
+ proto);
+ stmt->nat.proto = proto;
+ }
+
+ ctx->stmt = stmt;
+ return;
+out_err:
+ stmt_free(stmt);
+}
+
+static void netlink_parse_dup(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ enum nft_registers reg1, reg2;
+ struct expr *addr, *dev;
+ struct stmt *stmt;
+
+ stmt = dup_stmt_alloc(loc);
+
+ reg1 = netlink_parse_register(nle, NFTNL_EXPR_DUP_SREG_ADDR);
+ if (reg1) {
+ addr = netlink_get_register(ctx, loc, reg1);
+ if (addr == NULL) {
+ netlink_error(ctx, loc,
+ "DUP statement has no destination expression");
+ goto out_err;
+ }
+
+ switch (ctx->table->handle.family) {
+ case NFPROTO_IPV4:
+ expr_set_type(addr, &ipaddr_type, BYTEORDER_BIG_ENDIAN);
+ break;
+ case NFPROTO_IPV6:
+ expr_set_type(addr, &ip6addr_type,
+ BYTEORDER_BIG_ENDIAN);
+ break;
+ }
+ stmt->dup.to = addr;
+ }
+
+ reg2 = netlink_parse_register(nle, NFTNL_EXPR_DUP_SREG_DEV);
+ if (reg2) {
+ dev = netlink_get_register(ctx, loc, reg2);
+ if (dev == NULL) {
+ netlink_error(ctx, loc,
+ "DUP statement has no output expression");
+ goto out_err;
+ }
+
+ expr_set_type(dev, &ifindex_type, BYTEORDER_HOST_ENDIAN);
+ if (stmt->dup.to == NULL)
+ stmt->dup.to = dev;
+ else
+ stmt->dup.dev = dev;
+ }
+
+ ctx->stmt = stmt;
+ return;
+out_err:
+ stmt_free(stmt);
+}
+
+static void netlink_parse_fwd(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ enum nft_registers reg1, reg2;
+ struct expr *dev, *addr;
+ struct stmt *stmt;
+
+ stmt = fwd_stmt_alloc(loc);
+
+ reg1 = netlink_parse_register(nle, NFTNL_EXPR_FWD_SREG_DEV);
+ if (reg1) {
+ dev = netlink_get_register(ctx, loc, reg1);
+ if (dev == NULL) {
+ netlink_error(ctx, loc,
+ "fwd statement has no output expression");
+ goto out_err;
+ }
+
+ expr_set_type(dev, &ifindex_type, BYTEORDER_HOST_ENDIAN);
+ stmt->fwd.dev = dev;
+ }
+
+ if (nftnl_expr_is_set(nle, NFTNL_EXPR_FWD_NFPROTO)) {
+ stmt->fwd.family =
+ nftnl_expr_get_u32(nle, NFTNL_EXPR_FWD_NFPROTO);
+ }
+
+ if (nftnl_expr_is_set(nle, NFTNL_EXPR_FWD_SREG_ADDR)) {
+ reg2 = netlink_parse_register(nle, NFTNL_EXPR_FWD_SREG_ADDR);
+ if (reg2) {
+ addr = netlink_get_register(ctx, loc, reg2);
+ if (addr == NULL) {
+ netlink_error(ctx, loc,
+ "fwd statement has no output expression");
+ goto out_err;
+ }
+
+ switch (stmt->fwd.family) {
+ case AF_INET:
+ expr_set_type(addr, &ipaddr_type,
+ BYTEORDER_BIG_ENDIAN);
+ break;
+ case AF_INET6:
+ expr_set_type(addr, &ip6addr_type,
+ BYTEORDER_BIG_ENDIAN);
+ break;
+ default:
+ netlink_error(ctx, loc,
+ "fwd statement has no family");
+ goto out_err;
+ }
+ stmt->fwd.addr = addr;
+ }
+ }
+
+ ctx->stmt = stmt;
+ return;
+out_err:
+ stmt_free(stmt);
+}
+
+static void netlink_parse_queue(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ struct expr *expr;
+ uint16_t flags;
+
+ if (nftnl_expr_is_set(nle, NFTNL_EXPR_QUEUE_SREG_QNUM)) {
+ enum nft_registers reg = netlink_parse_register(nle, NFTNL_EXPR_QUEUE_SREG_QNUM);
+
+ expr = netlink_get_register(ctx, loc, reg);
+ if (!expr) {
+ netlink_error(ctx, loc, "queue statement has no sreg expression");
+ return;
+ }
+ } else {
+ uint16_t total = nftnl_expr_get_u16(nle, NFTNL_EXPR_QUEUE_TOTAL);
+ uint16_t num = nftnl_expr_get_u16(nle, NFTNL_EXPR_QUEUE_NUM);
+
+ expr = constant_expr_alloc(loc, &integer_type,
+ BYTEORDER_HOST_ENDIAN, 16, &num);
+
+ if (total > 1) {
+ struct expr *high;
+
+ total += num - 1;
+ high = constant_expr_alloc(loc, &integer_type,
+ BYTEORDER_HOST_ENDIAN, 16, &total);
+ expr = range_expr_alloc(loc, expr, high);
+ }
+ }
+
+ flags = nftnl_expr_get_u16(nle, NFTNL_EXPR_QUEUE_FLAGS);
+ ctx->stmt = queue_stmt_alloc(loc, expr, flags);
+}
+
+struct dynset_parse_ctx {
+ struct netlink_parse_ctx *nlctx;
+ const struct location *loc;
+ struct list_head stmt_list;
+};
+
+static int dynset_parse_expressions(struct nftnl_expr *e, void *data)
+{
+ struct dynset_parse_ctx *dynset_parse_ctx = data;
+ struct netlink_parse_ctx *ctx = dynset_parse_ctx->nlctx;
+ const struct location *loc = dynset_parse_ctx->loc;
+ struct stmt *stmt;
+
+ if (netlink_parse_expr(e, ctx) < 0 || !ctx->stmt) {
+ netlink_error(ctx, loc, "Could not parse dynset stmt");
+ return -1;
+ }
+ stmt = ctx->stmt;
+
+ list_add_tail(&stmt->list, &dynset_parse_ctx->stmt_list);
+
+ return 0;
+}
+
+static void netlink_parse_dynset(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ struct dynset_parse_ctx dynset_parse_ctx = {
+ .nlctx = ctx,
+ .loc = loc,
+ };
+ struct expr *expr, *expr_data = NULL;
+ enum nft_registers sreg, sreg_data;
+ struct stmt *stmt, *dstmt, *next;
+ const struct nftnl_expr *dnle;
+ struct set *set;
+ const char *name;
+
+ init_list_head(&dynset_parse_ctx.stmt_list);
+
+ name = nftnl_expr_get_str(nle, NFTNL_EXPR_DYNSET_SET_NAME);
+ set = set_cache_find(ctx->table, name);
+ if (set == NULL)
+ return netlink_error(ctx, loc,
+ "Unknown set '%s' in dynset statement",
+ name);
+
+ sreg = netlink_parse_register(nle, NFTNL_EXPR_DYNSET_SREG_KEY);
+ expr = netlink_get_register(ctx, loc, sreg);
+ if (expr == NULL)
+ return netlink_error(ctx, loc,
+ "Dynset statement has no key expression");
+
+ if (expr->len < set->key->len) {
+ expr_free(expr);
+ expr = netlink_parse_concat_key(ctx, loc, sreg, set->key);
+ if (expr == NULL)
+ return;
+ } else if (expr->dtype == &invalid_type) {
+ expr_set_type(expr, datatype_get(set->key->dtype), set->key->byteorder);
+ }
+
+ expr = set_elem_expr_alloc(&expr->location, expr);
+ expr->timeout = nftnl_expr_get_u64(nle, NFTNL_EXPR_DYNSET_TIMEOUT);
+
+ if (nftnl_expr_is_set(nle, NFTNL_EXPR_DYNSET_EXPR)) {
+ dstmt = NULL;
+ dnle = nftnl_expr_get(nle, NFTNL_EXPR_DYNSET_EXPR, NULL);
+ if (dnle != NULL) {
+ if (netlink_parse_expr(dnle, ctx) < 0)
+ goto out_err;
+ if (ctx->stmt == NULL) {
+ netlink_error(ctx, loc,
+ "Could not parse dynset stmt");
+ goto out_err;
+ }
+ dstmt = ctx->stmt;
+ list_add_tail(&dstmt->list,
+ &dynset_parse_ctx.stmt_list);
+ }
+ } else if (nftnl_expr_is_set(nle, NFTNL_EXPR_DYNSET_EXPRESSIONS)) {
+ if (nftnl_expr_expr_foreach(nle, dynset_parse_expressions,
+ &dynset_parse_ctx) < 0)
+ goto out_err;
+ }
+
+ if (nftnl_expr_is_set(nle, NFTNL_EXPR_DYNSET_SREG_DATA)) {
+ sreg_data = netlink_parse_register(nle, NFTNL_EXPR_DYNSET_SREG_DATA);
+ expr_data = netlink_get_register(ctx, loc, sreg_data);
+
+ if (expr_data && expr_data->len < set->data->len) {
+ expr_free(expr_data);
+ expr_data = netlink_parse_concat_expr(ctx, loc, sreg_data, set->data->len);
+ if (expr_data == NULL)
+ netlink_error(ctx, loc,
+ "Could not parse dynset map data expressions");
+ }
+ }
+
+ if (expr_data != NULL) {
+ expr_set_type(expr_data, set->data->dtype, set->data->byteorder);
+ stmt = map_stmt_alloc(loc);
+ stmt->map.set = set_ref_expr_alloc(loc, set);
+ stmt->map.key = expr;
+ stmt->map.data = expr_data;
+ stmt->map.op = nftnl_expr_get_u32(nle, NFTNL_EXPR_DYNSET_OP);
+ list_splice_tail(&dynset_parse_ctx.stmt_list,
+ &stmt->map.stmt_list);
+ } else {
+ if (!list_empty(&dynset_parse_ctx.stmt_list) &&
+ set_is_anonymous(set->flags)) {
+ stmt = meter_stmt_alloc(loc);
+ stmt->meter.set = set_ref_expr_alloc(loc, set);
+ stmt->meter.key = expr;
+ stmt->meter.stmt = list_first_entry(&dynset_parse_ctx.stmt_list,
+ struct stmt, list);
+ stmt->meter.size = set->desc.size;
+ } else {
+ stmt = set_stmt_alloc(loc);
+ stmt->set.set = set_ref_expr_alloc(loc, set);
+ stmt->set.op = nftnl_expr_get_u32(nle, NFTNL_EXPR_DYNSET_OP);
+ stmt->set.key = expr;
+ list_splice_tail(&dynset_parse_ctx.stmt_list,
+ &stmt->set.stmt_list);
+ }
+ }
+
+ ctx->stmt = stmt;
+ return;
+out_err:
+ list_for_each_entry_safe(dstmt, next, &dynset_parse_ctx.stmt_list, list)
+ stmt_free(dstmt);
+
+ expr_free(expr);
+}
+
+static void netlink_parse_objref(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ uint32_t type = nftnl_expr_get_u32(nle, NFTNL_EXPR_OBJREF_IMM_TYPE);
+ struct expr *expr;
+ struct stmt *stmt;
+
+ if (nftnl_expr_is_set(nle, NFTNL_EXPR_OBJREF_IMM_NAME)) {
+ struct nft_data_delinearize nld;
+
+ type = nftnl_expr_get_u32(nle, NFTNL_EXPR_OBJREF_IMM_TYPE);
+ nld.value = nftnl_expr_get(nle, NFTNL_EXPR_OBJREF_IMM_NAME,
+ &nld.len);
+ expr = netlink_alloc_value(&netlink_location, &nld);
+ datatype_set(expr, &string_type);
+ expr->byteorder = BYTEORDER_HOST_ENDIAN;
+ } else if (nftnl_expr_is_set(nle, NFTNL_EXPR_OBJREF_SET_SREG)) {
+ struct expr *left, *right;
+ enum nft_registers sreg;
+ const char *name;
+ struct set *set;
+
+ name = nftnl_expr_get_str(nle, NFTNL_EXPR_OBJREF_SET_NAME);
+ set = set_cache_find(ctx->table, name);
+ if (set == NULL)
+ return netlink_error(ctx, loc,
+ "Unknown set '%s' in objref expression",
+ name);
+
+ sreg = netlink_parse_register(nle, NFTNL_EXPR_OBJREF_SET_SREG);
+ left = netlink_get_register(ctx, loc, sreg);
+ if (left == NULL)
+ return netlink_error(ctx, loc,
+ "objref expression has no left hand side");
+
+ if (left->len < set->key->len) {
+ expr_free(left);
+ left = netlink_parse_concat_expr(ctx, loc, sreg, set->key->len);
+ if (left == NULL)
+ return;
+ }
+
+ right = set_ref_expr_alloc(loc, set);
+ expr = map_expr_alloc(loc, left, right);
+ expr_set_type(expr, &string_type, BYTEORDER_HOST_ENDIAN);
+ type = set->objtype;
+ } else {
+ netlink_error(ctx, loc, "unknown objref expression type %u",
+ type);
+ return;
+ }
+
+ stmt = objref_stmt_alloc(loc);
+ stmt->objref.type = type;
+ stmt->objref.expr = expr;
+ ctx->stmt = stmt;
+}
+
+struct expr_handler {
+ const char *name;
+ void (*parse)(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle);
+};
+
+static const struct expr_handler netlink_parsers[] = {
+ { .name = "immediate", .parse = netlink_parse_immediate },
+ { .name = "cmp", .parse = netlink_parse_cmp },
+ { .name = "lookup", .parse = netlink_parse_lookup },
+ { .name = "bitwise", .parse = netlink_parse_bitwise },
+ { .name = "byteorder", .parse = netlink_parse_byteorder },
+ { .name = "payload", .parse = netlink_parse_payload },
+ { .name = "inner", .parse = netlink_parse_inner },
+ { .name = "exthdr", .parse = netlink_parse_exthdr },
+ { .name = "meta", .parse = netlink_parse_meta },
+ { .name = "socket", .parse = netlink_parse_socket },
+ { .name = "osf", .parse = netlink_parse_osf },
+ { .name = "rt", .parse = netlink_parse_rt },
+ { .name = "ct", .parse = netlink_parse_ct },
+ { .name = "connlimit", .parse = netlink_parse_connlimit },
+ { .name = "counter", .parse = netlink_parse_counter },
+ { .name = "last", .parse = netlink_parse_last },
+ { .name = "log", .parse = netlink_parse_log },
+ { .name = "limit", .parse = netlink_parse_limit },
+ { .name = "range", .parse = netlink_parse_range },
+ { .name = "reject", .parse = netlink_parse_reject },
+ { .name = "nat", .parse = netlink_parse_nat },
+ { .name = "tproxy", .parse = netlink_parse_tproxy },
+ { .name = "notrack", .parse = netlink_parse_notrack },
+ { .name = "masq", .parse = netlink_parse_masq },
+ { .name = "redir", .parse = netlink_parse_redir },
+ { .name = "dup", .parse = netlink_parse_dup },
+ { .name = "queue", .parse = netlink_parse_queue },
+ { .name = "dynset", .parse = netlink_parse_dynset },
+ { .name = "fwd", .parse = netlink_parse_fwd },
+ { .name = "target", .parse = netlink_parse_target },
+ { .name = "match", .parse = netlink_parse_match },
+ { .name = "objref", .parse = netlink_parse_objref },
+ { .name = "quota", .parse = netlink_parse_quota },
+ { .name = "numgen", .parse = netlink_parse_numgen },
+ { .name = "hash", .parse = netlink_parse_hash },
+ { .name = "fib", .parse = netlink_parse_fib },
+ { .name = "tcpopt", .parse = netlink_parse_exthdr },
+ { .name = "flow_offload", .parse = netlink_parse_flow_offload },
+ { .name = "xfrm", .parse = netlink_parse_xfrm },
+ { .name = "synproxy", .parse = netlink_parse_synproxy },
+};
+
+static int netlink_parse_expr(const struct nftnl_expr *nle,
+ struct netlink_parse_ctx *ctx)
+{
+ const char *type = nftnl_expr_get_str(nle, NFTNL_EXPR_NAME);
+ struct location loc;
+ unsigned int i;
+
+ memset(&loc, 0, sizeof(loc));
+ loc.indesc = &indesc_netlink;
+ loc.nle = nle;
+
+ for (i = 0; i < array_size(netlink_parsers); i++) {
+ if (strcmp(type, netlink_parsers[i].name))
+ continue;
+
+ netlink_parsers[i].parse(ctx, &loc, nle);
+
+ return 0;
+ }
+ netlink_error(ctx, &loc, "unknown expression type '%s'", type);
+
+ return 0;
+}
+
+static int netlink_parse_rule_expr(struct nftnl_expr *nle, void *arg)
+{
+ struct netlink_parse_ctx *ctx = arg;
+ int err;
+
+ err = netlink_parse_expr(nle, ctx);
+ if (err < 0)
+ return err;
+ if (ctx->stmt != NULL) {
+ rule_stmt_append(ctx->rule, ctx->stmt);
+ ctx->stmt = NULL;
+ }
+ return 0;
+}
+
+struct stmt *netlink_parse_set_expr(const struct set *set,
+ const struct nft_cache *cache,
+ const struct nftnl_expr *nle)
+{
+ struct netlink_parse_ctx ctx, *pctx = &ctx;
+ struct handle h = {};
+
+ handle_merge(&h, &set->handle);
+ pctx->rule = rule_alloc(&netlink_location, &h);
+ pctx->table = table_cache_find(&cache->table_cache,
+ set->handle.table.name,
+ set->handle.family);
+ assert(pctx->table != NULL);
+
+ if (netlink_parse_expr(nle, pctx) < 0)
+ return NULL;
+
+ init_list_head(&pctx->rule->stmts);
+ rule_free(pctx->rule);
+
+ return pctx->stmt;
+}
+
+static bool meta_outer_may_dependency_kill(struct rule_pp_ctx *ctx,
+ const struct expr *expr)
+{
+ struct dl_proto_ctx *dl_outer = dl_proto_ctx_outer(ctx);
+ struct stmt *stmt = dl_outer->pdctx.pdeps[expr->payload.inner_desc->base];
+ struct expr *dep;
+ uint8_t l4proto;
+
+ if (!stmt)
+ return false;
+
+ dep = stmt->expr;
+
+ if (dep->left->meta.key != NFT_META_L4PROTO)
+ return false;
+
+ l4proto = mpz_get_uint8(dep->right->value);
+
+ switch (l4proto) {
+ case IPPROTO_GRE:
+ if (expr->payload.inner_desc == &proto_gre ||
+ expr->payload.inner_desc == &proto_gretap)
+ return true;
+ break;
+ default:
+ break;
+ }
+
+ return false;
+}
+
+static void expr_postprocess(struct rule_pp_ctx *ctx, struct expr **exprp);
+
+static void payload_match_expand(struct rule_pp_ctx *ctx,
+ struct expr *expr,
+ struct expr *payload)
+{
+ struct expr *left = payload, *right = expr->right, *tmp;
+ struct list_head list = LIST_HEAD_INIT(list);
+ struct dl_proto_ctx *dl = dl_proto_ctx(ctx);
+ enum proto_bases base = left->payload.base;
+ struct expr *nexpr = NULL;
+ struct stmt *nstmt;
+
+ payload_expr_expand(&list, left, &dl->pctx);
+
+ list_for_each_entry(left, &list, list) {
+ tmp = constant_expr_splice(right, left->len);
+ expr_set_type(tmp, left->dtype, left->byteorder);
+
+ if (left->payload.tmpl && (left->len < left->payload.tmpl->len)) {
+ mpz_lshift_ui(tmp->value, left->payload.tmpl->len - left->len);
+ tmp->len = left->payload.tmpl->len;
+ tmp = prefix_expr_alloc(&tmp->location, tmp, left->len);
+ }
+
+ nexpr = relational_expr_alloc(&expr->location, expr->op,
+ left, tmp);
+ if (expr->op == OP_EQ)
+ relational_expr_pctx_update(&dl->pctx, nexpr);
+
+ nstmt = expr_stmt_alloc(&ctx->stmt->location, nexpr);
+ list_add_tail(&nstmt->list, &ctx->stmt->list);
+
+ assert(left->etype == EXPR_PAYLOAD);
+ assert(left->payload.base);
+ assert(base == left->payload.base);
+
+ if (expr->left->payload.inner_desc) {
+ if (expr->left->payload.inner_desc == expr->left->payload.desc) {
+ nexpr->left->payload.desc = expr->left->payload.desc;
+ nexpr->left->payload.tmpl = expr->left->payload.tmpl;
+ }
+ nexpr->left->payload.inner_desc = expr->left->payload.inner_desc;
+
+ if (meta_outer_may_dependency_kill(ctx, expr->left)) {
+ struct dl_proto_ctx *dl_outer = dl_proto_ctx_outer(ctx);
+
+ payload_dependency_release(&dl_outer->pdctx, expr->left->payload.inner_desc->base);
+ }
+ }
+
+ if (payload_is_stacked(dl->pctx.protocol[base].desc, nexpr))
+ base--;
+
+ /* Remember the first payload protocol expression to
+ * kill it later on if made redundant by a higher layer
+ * payload expression.
+ */
+ payload_dependency_kill(&dl->pdctx, nexpr->left,
+ dl->pctx.family);
+ if (expr->op == OP_EQ && left->flags & EXPR_F_PROTOCOL)
+ payload_dependency_store(&dl->pdctx, nstmt, base);
+ }
+ list_del(&ctx->stmt->list);
+ stmt_free(ctx->stmt);
+ ctx->stmt = NULL;
+}
+
+static void payload_icmp_check(struct rule_pp_ctx *rctx, struct expr *expr, const struct expr *value)
+{
+ struct dl_proto_ctx *dl = dl_proto_ctx(rctx);
+ const struct proto_hdr_template *tmpl;
+ const struct proto_desc *desc;
+ uint8_t icmp_type;
+ unsigned int i;
+
+ assert(expr->etype == EXPR_PAYLOAD);
+ assert(value->etype == EXPR_VALUE);
+
+ if (expr->payload.base != PROTO_BASE_TRANSPORT_HDR)
+ return;
+
+ /* icmp(v6) type is 8 bit, if value is smaller or larger, this is not
+ * a protocol dependency.
+ */
+ if (expr->len != 8 || value->len != 8 || dl->pctx.th_dep.icmp.type)
+ return;
+
+ desc = dl->pctx.protocol[expr->payload.base].desc;
+ if (desc == NULL)
+ return;
+
+ /* not icmp? ignore. */
+ if (desc != &proto_icmp && desc != &proto_icmp6)
+ return;
+
+ assert(desc->base == expr->payload.base);
+
+ icmp_type = mpz_get_uint8(value->value);
+
+ for (i = 1; i < array_size(desc->templates); i++) {
+ tmpl = &desc->templates[i];
+
+ if (tmpl->len == 0)
+ return;
+
+ if (tmpl->offset != expr->payload.offset ||
+ tmpl->len != expr->len)
+ continue;
+
+ /* Matches but doesn't load a protocol key -> ignore. */
+ if (desc->protocol_key != i)
+ return;
+
+ expr->payload.desc = desc;
+ expr->payload.tmpl = tmpl;
+ dl->pctx.th_dep.icmp.type = icmp_type;
+ return;
+ }
+}
+
+static void payload_match_postprocess(struct rule_pp_ctx *ctx,
+ struct expr *expr,
+ struct expr *payload)
+{
+ struct dl_proto_ctx *dl = dl_proto_ctx(ctx);
+
+ switch (expr->op) {
+ case OP_EQ:
+ case OP_NEQ:
+ if (expr->right->etype == EXPR_VALUE) {
+ payload_match_expand(ctx, expr, payload);
+ break;
+ } else if (expr->right->etype == EXPR_SET_REF) {
+ struct set *set = expr->right->set;
+
+ if (set_is_anonymous(set->flags) &&
+ set->init &&
+ !list_empty(&set->init->expressions)) {
+ struct expr *elem;
+
+ elem = list_first_entry(&set->init->expressions, struct expr, list);
+
+ if (elem->etype == EXPR_SET_ELEM &&
+ elem->key->etype == EXPR_VALUE)
+ payload_icmp_check(ctx, payload, elem->key);
+ }
+ }
+ /* Fall through */
+ default:
+ payload_expr_complete(payload, &dl->pctx);
+ expr_set_type(expr->right, payload->dtype,
+ payload->byteorder);
+ payload_dependency_kill(&dl->pdctx, payload, dl->pctx.family);
+ break;
+ }
+}
+
+static uint8_t ether_type_to_nfproto(uint16_t l3proto)
+{
+ switch(l3proto) {
+ case ETH_P_IP:
+ return NFPROTO_IPV4;
+ case ETH_P_IPV6:
+ return NFPROTO_IPV6;
+ default:
+ break;
+ }
+
+ return NFPROTO_UNSPEC;
+}
+
+static bool __meta_dependency_may_kill(const struct expr *dep, uint8_t *nfproto)
+{
+ uint16_t l3proto;
+
+ switch (dep->left->etype) {
+ case EXPR_META:
+ switch (dep->left->meta.key) {
+ case NFT_META_NFPROTO:
+ *nfproto = mpz_get_uint8(dep->right->value);
+ break;
+ case NFT_META_PROTOCOL:
+ l3proto = mpz_get_uint16(dep->right->value);
+ *nfproto = ether_type_to_nfproto(l3proto);
+ break;
+ default:
+ return true;
+ }
+ break;
+ case EXPR_PAYLOAD:
+ if (dep->left->payload.base != PROTO_BASE_LL_HDR)
+ return true;
+
+ if (dep->left->dtype != &ethertype_type)
+ return true;
+
+ l3proto = mpz_get_uint16(dep->right->value);
+ *nfproto = ether_type_to_nfproto(l3proto);
+ break;
+ default:
+ return true;
+ }
+
+ return false;
+}
+
+/* We have seen a protocol key expression that restricts matching at the network
+ * base, leave it in place since this is meaningful in bridge, inet and netdev
+ * families. Exceptions are ICMP and ICMPv6 where this code assumes that can
+ * only happen with IPv4 and IPv6.
+ */
+static bool meta_may_dependency_kill(struct payload_dep_ctx *ctx,
+ unsigned int family,
+ const struct expr *expr)
+{
+ uint8_t l4proto, nfproto = NFPROTO_UNSPEC;
+ struct expr *dep = payload_dependency_get(ctx, PROTO_BASE_NETWORK_HDR);
+
+ if (!dep)
+ return true;
+
+ if (__meta_dependency_may_kill(dep, &nfproto))
+ return true;
+
+ switch (family) {
+ case NFPROTO_INET:
+ case NFPROTO_NETDEV:
+ case NFPROTO_BRIDGE:
+ break;
+ case NFPROTO_IPV4:
+ case NFPROTO_IPV6:
+ return family == nfproto;
+ default:
+ return true;
+ }
+
+ if (expr->left->meta.key != NFT_META_L4PROTO)
+ return true;
+
+ l4proto = mpz_get_uint8(expr->right->value);
+
+ switch (l4proto) {
+ case IPPROTO_ICMP:
+ case IPPROTO_ICMPV6:
+ break;
+ default:
+ return false;
+ }
+
+ if ((nfproto == NFPROTO_IPV4 && l4proto == IPPROTO_ICMPV6) ||
+ (nfproto == NFPROTO_IPV6 && l4proto == IPPROTO_ICMP))
+ return false;
+
+ return true;
+}
+
+static void ct_meta_common_postprocess(struct rule_pp_ctx *ctx,
+ const struct expr *expr,
+ enum proto_bases base)
+{
+ struct dl_proto_ctx *dl = dl_proto_ctx(ctx);
+ const struct expr *left = expr->left;
+ struct expr *right = expr->right;
+
+ if (right->etype == EXPR_SET || right->etype == EXPR_SET_REF)
+ expr_set_type(right, left->dtype, left->byteorder);
+
+ switch (expr->op) {
+ case OP_EQ:
+ if (expr->right->etype == EXPR_RANGE ||
+ expr->right->etype == EXPR_SET ||
+ expr->right->etype == EXPR_SET_REF)
+ break;
+
+ relational_expr_pctx_update(&dl->pctx, expr);
+
+ if (base < PROTO_BASE_TRANSPORT_HDR) {
+ if (payload_dependency_exists(&dl->pdctx, base) &&
+ meta_may_dependency_kill(&dl->pdctx,
+ dl->pctx.family, expr))
+ payload_dependency_release(&dl->pdctx, base);
+
+ if (left->flags & EXPR_F_PROTOCOL)
+ payload_dependency_store(&dl->pdctx, ctx->stmt, base);
+ }
+ break;
+ default:
+ break;
+ }
+}
+
+static void meta_match_postprocess(struct rule_pp_ctx *ctx,
+ const struct expr *expr)
+{
+ const struct expr *left = expr->left;
+
+ ct_meta_common_postprocess(ctx, expr, left->meta.base);
+}
+
+static void ct_match_postprocess(struct rule_pp_ctx *ctx,
+ const struct expr *expr)
+{
+ const struct expr *left = expr->left;
+
+ ct_meta_common_postprocess(ctx, expr, left->ct.base);
+}
+
+/* Convert a bitmask to a prefix length */
+static unsigned int expr_mask_to_prefix(const struct expr *expr)
+{
+ unsigned long n;
+
+ n = mpz_scan1(expr->value, 0);
+ if (n == ULONG_MAX)
+ return 0;
+ return mpz_scan0(expr->value, n + 1) - n;
+}
+
+/* Return true if a bitmask can be expressed as a prefix length */
+static bool expr_mask_is_prefix(const struct expr *expr)
+{
+ unsigned long n1, n2;
+
+ n1 = mpz_scan1(expr->value, 0);
+ if (n1 == ULONG_MAX)
+ return true;
+ n2 = mpz_scan0(expr->value, n1 + 1);
+ if (n2 < expr->len || n2 == ULONG_MAX)
+ return false;
+ return true;
+}
+
+/* Convert a series of inclusive OR expressions into a list */
+static struct expr *binop_tree_to_list(struct expr *list, struct expr *expr)
+{
+ if (expr->etype == EXPR_BINOP && expr->op == OP_OR) {
+ if (list == NULL)
+ list = list_expr_alloc(&expr->location);
+ list = binop_tree_to_list(list, expr->left);
+ list = binop_tree_to_list(list, expr->right);
+ } else {
+ if (list == NULL)
+ return expr_get(expr);
+ compound_expr_add(list, expr_get(expr));
+ }
+
+ return list;
+}
+
+static void binop_adjust_one(const struct expr *binop, struct expr *value,
+ unsigned int shift)
+{
+ struct expr *left = binop->left;
+
+ assert(value->len >= binop->right->len);
+
+ mpz_rshift_ui(value->value, shift);
+ switch (left->etype) {
+ case EXPR_PAYLOAD:
+ case EXPR_EXTHDR:
+ value->len = left->len;
+ break;
+ default:
+ BUG("unknown expression type %s\n", expr_name(left));
+ break;
+ }
+}
+
+static void binop_adjust(const struct expr *binop, struct expr *right,
+ unsigned int shift)
+{
+ struct expr *i;
+
+ switch (right->etype) {
+ case EXPR_VALUE:
+ binop_adjust_one(binop, right, shift);
+ break;
+ case EXPR_SET_REF:
+ if (!set_is_anonymous(right->set->flags))
+ break;
+
+ list_for_each_entry(i, &right->set->init->expressions, list) {
+ switch (i->key->etype) {
+ case EXPR_VALUE:
+ binop_adjust_one(binop, i->key, shift);
+ break;
+ case EXPR_RANGE:
+ binop_adjust_one(binop, i->key->left, shift);
+ binop_adjust_one(binop, i->key->right, shift);
+ break;
+ case EXPR_SET_ELEM:
+ binop_adjust(binop, i->key->key, shift);
+ break;
+ default:
+ BUG("unknown expression type %s\n", expr_name(i->key));
+ }
+ }
+ break;
+ case EXPR_RANGE:
+ binop_adjust_one(binop, right->left, shift);
+ binop_adjust_one(binop, right->right, shift);
+ break;
+ default:
+ BUG("unknown expression type %s\n", expr_name(right));
+ break;
+ }
+}
+
+static void __binop_postprocess(struct rule_pp_ctx *ctx,
+ struct expr *expr,
+ struct expr *left,
+ struct expr *mask,
+ struct expr **expr_binop)
+{
+ struct dl_proto_ctx *dl = dl_proto_ctx(ctx);
+ struct expr *binop = *expr_binop;
+ unsigned int shift;
+
+ assert(binop->etype == EXPR_BINOP);
+
+ if ((left->etype == EXPR_PAYLOAD &&
+ payload_expr_trim(left, mask, &dl->pctx, &shift)) ||
+ (left->etype == EXPR_EXTHDR &&
+ exthdr_find_template(left, mask, &shift))) {
+ struct expr *right = NULL;
+
+ /* mask is implicit, binop needs to be removed.
+ *
+ * Fix all values of the expression according to the mask
+ * and then process the payload instruction using the real
+ * sizes and offsets we're interested in.
+ *
+ * Finally, convert the expression to 1) by replacing
+ * the binop with the binop payload/exthdr expression.
+ */
+ switch (expr->etype) {
+ case EXPR_BINOP:
+ case EXPR_RELATIONAL:
+ right = expr->right;
+ binop_adjust(binop, right, shift);
+ break;
+ case EXPR_MAP:
+ right = expr->mappings;
+ binop_adjust(binop, right, shift);
+ break;
+ default:
+ break;
+ }
+
+ assert(binop->left == left);
+ *expr_binop = expr_get(left);
+
+ if (left->etype == EXPR_PAYLOAD)
+ payload_match_postprocess(ctx, expr, left);
+ else if (left->etype == EXPR_EXTHDR && right)
+ expr_set_type(right, left->dtype, left->byteorder);
+
+ expr_free(binop);
+ }
+}
+
+static void binop_postprocess(struct rule_pp_ctx *ctx, struct expr *expr,
+ struct expr **expr_binop)
+{
+ struct expr *binop = *expr_binop;
+ struct expr *left = binop->left;
+ struct expr *mask = binop->right;
+
+ __binop_postprocess(ctx, expr, left, mask, expr_binop);
+}
+
+static void map_binop_postprocess(struct rule_pp_ctx *ctx, struct expr *expr)
+{
+ struct expr *binop = expr->map;
+
+ if (binop->op != OP_AND)
+ return;
+
+ if (binop->left->etype == EXPR_PAYLOAD &&
+ binop->right->etype == EXPR_VALUE)
+ binop_postprocess(ctx, expr, &expr->map);
+}
+
+static bool is_shift_by_zero(const struct expr *binop)
+{
+ struct expr *rhs;
+
+ if (binop->op != OP_RSHIFT && binop->op != OP_LSHIFT)
+ return false;
+
+ rhs = binop->right;
+ if (rhs->etype != EXPR_VALUE || rhs->len > 64)
+ return false;
+
+ return mpz_get_uint64(rhs->value) == 0;
+}
+
+static void relational_binop_postprocess(struct rule_pp_ctx *ctx,
+ struct expr **exprp)
+{
+ struct expr *expr = *exprp, *binop = expr->left, *right = expr->right;
+
+ if (binop->op == OP_AND && (expr->op == OP_NEQ || expr->op == OP_EQ) &&
+ right->dtype->basetype &&
+ right->dtype->basetype->type == TYPE_BITMASK) {
+ switch (right->etype) {
+ case EXPR_VALUE:
+ if (!mpz_cmp_ui(right->value, 0)) {
+ /* Flag comparison: data & flags != 0
+ *
+ * Split the flags into a list of flag values and convert the
+ * op to OP_EQ.
+ */
+ expr_free(right);
+
+ expr->left = expr_get(binop->left);
+ expr->right = binop_tree_to_list(NULL, binop->right);
+ switch (expr->op) {
+ case OP_NEQ:
+ expr->op = OP_IMPLICIT;
+ break;
+ case OP_EQ:
+ expr->op = OP_NEG;
+ break;
+ default:
+ BUG("unknown operation type %d\n", expr->op);
+ }
+ expr_free(binop);
+ } else if (binop->right->etype == EXPR_VALUE &&
+ right->etype == EXPR_VALUE &&
+ !mpz_cmp(right->value, binop->right->value)) {
+ /* Skip flag / flag representation for:
+ * data & flag == flag
+ * data & flag != flag
+ */
+ ;
+ } else {
+ *exprp = flagcmp_expr_alloc(&expr->location, expr->op,
+ expr_get(binop->left),
+ binop_tree_to_list(NULL, binop->right),
+ expr_get(right));
+ expr_free(expr);
+ }
+ break;
+ case EXPR_BINOP:
+ *exprp = flagcmp_expr_alloc(&expr->location, expr->op,
+ expr_get(binop->left),
+ binop_tree_to_list(NULL, binop->right),
+ binop_tree_to_list(NULL, right));
+ expr_free(expr);
+ break;
+ default:
+ break;
+ }
+ } else if (binop->left->dtype->flags & DTYPE_F_PREFIX &&
+ binop->op == OP_AND && expr->right->etype == EXPR_VALUE &&
+ expr_mask_is_prefix(binop->right)) {
+ expr->left = expr_get(binop->left);
+ expr->right = prefix_expr_alloc(&expr->location,
+ expr_get(right),
+ expr_mask_to_prefix(binop->right));
+ expr_free(right);
+ expr_free(binop);
+ } else if (binop->op == OP_AND &&
+ binop->right->etype == EXPR_VALUE) {
+ /*
+ * This *might* be a payload match testing header fields that
+ * have non byte divisible offsets and/or bit lengths.
+ *
+ * Thus we need to deal with two different cases.
+ *
+ * 1 the simple version:
+ * relation
+ * payload value|setlookup
+ *
+ * expr: relation, left: payload, right: value, e.g. tcp dport == 22.
+ *
+ * 2. The '&' version (this is what we're looking at now).
+ * relation
+ * binop value1|setlookup
+ * payload value2
+ *
+ * expr: relation, left: binop, right: value, e.g.
+ * ip saddr 10.0.0.0/8
+ *
+ * payload_expr_trim will figure out if the mask is needed to match
+ * templates.
+ */
+ binop_postprocess(ctx, expr, &expr->left);
+ } else if (binop->op == OP_RSHIFT && binop->left->op == OP_AND &&
+ binop->right->etype == EXPR_VALUE && binop->left->right->etype == EXPR_VALUE) {
+ /* Handle 'ip version @s4' and similar, i.e. set lookups where the lhs needs
+ * fixups to mask out unwanted bits AND a shift.
+ */
+
+ binop_postprocess(ctx, binop, &binop->left);
+ if (is_shift_by_zero(binop)) {
+ struct expr *lhs = binop->left;
+
+ expr_get(lhs);
+ expr_free(binop);
+ expr->left = lhs;
+ }
+ }
+}
+
+static bool payload_binop_postprocess(struct rule_pp_ctx *ctx,
+ struct expr **exprp)
+{
+ struct expr *expr = *exprp;
+
+ if (expr->op != OP_RSHIFT)
+ return false;
+
+ if (expr->left->etype == EXPR_UNARY) {
+ /*
+ * If the payload value was originally in a different byte-order
+ * from the payload expression, there will be a byte-order
+ * conversion to remove.
+ */
+ struct expr *left = expr_get(expr->left->arg);
+ expr_free(expr->left);
+ expr->left = left;
+ }
+
+ if (expr->left->etype != EXPR_BINOP || expr->left->op != OP_AND)
+ return false;
+
+ if (expr->left->left->etype != EXPR_PAYLOAD)
+ return false;
+
+ expr_set_type(expr->right, &integer_type,
+ BYTEORDER_HOST_ENDIAN);
+ expr_postprocess(ctx, &expr->right);
+
+ binop_postprocess(ctx, expr, &expr->left);
+ *exprp = expr_get(expr->left);
+ expr_free(expr);
+
+ return true;
+}
+
+static struct expr *string_wildcard_expr_alloc(struct location *loc,
+ const struct expr *mask,
+ const struct expr *expr)
+{
+ unsigned int len = div_round_up(expr->len, BITS_PER_BYTE);
+ char data[len + 2];
+ int pos;
+
+ mpz_export_data(data, expr->value, BYTEORDER_HOST_ENDIAN, len);
+ pos = div_round_up(expr_mask_to_prefix(mask), BITS_PER_BYTE);
+ data[pos] = '*';
+ data[pos + 1] = '\0';
+
+ return constant_expr_alloc(loc, expr->dtype, BYTEORDER_HOST_ENDIAN,
+ expr->len + BITS_PER_BYTE, data);
+}
+
+/* This calculates the string length and checks if it is nul-terminated, this
+ * function is quite a hack :)
+ */
+static bool __expr_postprocess_string(struct expr **exprp)
+{
+ struct expr *expr = *exprp;
+ unsigned int len = div_round_up(expr->len, BITS_PER_BYTE);
+ char data[len + 1];
+
+ mpz_export_data(data, expr->value, BYTEORDER_HOST_ENDIAN, len);
+
+ if (data[len - 1] != '\0')
+ return false;
+
+ len = strlen(data);
+ if (len && data[len - 1] == '*') {
+ data[len - 1] = '\\';
+ data[len] = '*';
+ data[len + 1] = '\0';
+ expr = constant_expr_alloc(&expr->location, expr->dtype,
+ BYTEORDER_HOST_ENDIAN,
+ (len + 2) * BITS_PER_BYTE, data);
+ expr_free(*exprp);
+ *exprp = expr;
+ }
+
+ return true;
+}
+
+static struct expr *expr_postprocess_string(struct expr *expr)
+{
+ struct expr *mask, *out;
+
+ assert(expr_basetype(expr)->type == TYPE_STRING);
+ if (__expr_postprocess_string(&expr))
+ return expr;
+
+ mask = constant_expr_alloc(&expr->location, &integer_type,
+ BYTEORDER_HOST_ENDIAN,
+ expr->len + BITS_PER_BYTE, NULL);
+ mpz_clear(mask->value);
+ mpz_init_bitmask(mask->value, expr->len);
+ out = string_wildcard_expr_alloc(&expr->location, mask, expr);
+ expr_free(expr);
+ expr_free(mask);
+ return out;
+}
+
+static void expr_postprocess(struct rule_pp_ctx *ctx, struct expr **exprp)
+{
+ struct dl_proto_ctx *dl = dl_proto_ctx(ctx);
+ struct expr *expr = *exprp, *i;
+
+ switch (expr->etype) {
+ case EXPR_MAP:
+ switch (expr->map->etype) {
+ case EXPR_BINOP:
+ map_binop_postprocess(ctx, expr);
+ break;
+ default:
+ break;
+ }
+
+ expr_postprocess(ctx, &expr->map);
+ expr_postprocess(ctx, &expr->mappings);
+ break;
+ case EXPR_MAPPING:
+ expr_postprocess(ctx, &expr->left);
+ expr_postprocess(ctx, &expr->right);
+ break;
+ case EXPR_SET:
+ list_for_each_entry(i, &expr->expressions, list)
+ expr_postprocess(ctx, &i);
+ break;
+ case EXPR_CONCAT: {
+ unsigned int type = expr->dtype->type, ntype = 0;
+ int off = expr->dtype->subtypes;
+ const struct datatype *dtype;
+ LIST_HEAD(tmp);
+ struct expr *n;
+
+ ctx->flags |= RULE_PP_IN_CONCATENATION;
+ list_for_each_entry_safe(i, n, &expr->expressions, list) {
+ if (type) {
+ dtype = concat_subtype_lookup(type, --off);
+ expr_set_type(i, dtype, dtype->byteorder);
+ }
+ list_del(&i->list);
+ expr_postprocess(ctx, &i);
+ list_add_tail(&i->list, &tmp);
+
+ ntype = concat_subtype_add(ntype, i->dtype->type);
+ }
+ ctx->flags &= ~RULE_PP_IN_CONCATENATION;
+ list_splice(&tmp, &expr->expressions);
+ __datatype_set(expr, concat_type_alloc(ntype));
+ break;
+ }
+ case EXPR_UNARY:
+ expr_postprocess(ctx, &expr->arg);
+ expr_set_type(expr, expr->arg->dtype, !expr->arg->byteorder);
+ break;
+ case EXPR_BINOP:
+ if (payload_binop_postprocess(ctx, exprp))
+ break;
+
+ expr_postprocess(ctx, &expr->left);
+ switch (expr->op) {
+ case OP_LSHIFT:
+ case OP_RSHIFT:
+ expr_set_type(expr->right, &integer_type,
+ BYTEORDER_HOST_ENDIAN);
+ break;
+ case OP_AND:
+ if (expr->right->len > expr->left->len) {
+ expr_set_type(expr->right, expr->left->dtype,
+ BYTEORDER_HOST_ENDIAN);
+ } else {
+ expr_set_type(expr->right, expr->left->dtype,
+ expr->left->byteorder);
+ }
+
+ /* Do not process OP_AND in ordinary rule context.
+ *
+ * Removal needs to be performed as part of the relational
+ * operation because the RHS constant might need to be adjusted
+ * (shifted).
+ *
+ * This is different in set element context or concatenations:
+ * There is no relational operation (eq, neq and so on), thus
+ * it needs to be processed right away.
+ */
+ if ((ctx->flags & RULE_PP_REMOVE_OP_AND) &&
+ expr->left->etype == EXPR_PAYLOAD &&
+ expr->right->etype == EXPR_VALUE) {
+ __binop_postprocess(ctx, expr, expr->left, expr->right, exprp);
+ return;
+ }
+ break;
+ default:
+ if (expr->right->len > expr->left->len) {
+ expr_set_type(expr->right, expr->left->dtype,
+ BYTEORDER_HOST_ENDIAN);
+ } else {
+ expr_set_type(expr->right, expr->left->dtype,
+ expr->left->byteorder);
+ }
+ }
+ expr_postprocess(ctx, &expr->right);
+
+ switch (expr->op) {
+ case OP_LSHIFT:
+ case OP_RSHIFT:
+ expr_set_type(expr, &xinteger_type,
+ BYTEORDER_HOST_ENDIAN);
+ break;
+ default:
+ expr_set_type(expr, expr->left->dtype,
+ expr->left->byteorder);
+ }
+
+ break;
+ case EXPR_RELATIONAL:
+ switch (expr->left->etype) {
+ case EXPR_PAYLOAD:
+ payload_match_postprocess(ctx, expr, expr->left);
+ return;
+ case EXPR_CONCAT:
+ if (expr->right->etype == EXPR_SET_REF) {
+ assert(expr->left->dtype == &invalid_type);
+ assert(expr->right->dtype != &invalid_type);
+
+ datatype_set(expr->left, expr->right->dtype);
+ }
+ expr_postprocess(ctx, &expr->left);
+ break;
+ default:
+ expr_postprocess(ctx, &expr->left);
+ break;
+ }
+
+ expr_set_type(expr->right, expr->left->dtype, expr->left->byteorder);
+ expr_postprocess(ctx, &expr->right);
+
+ switch (expr->left->etype) {
+ case EXPR_CT:
+ ct_match_postprocess(ctx, expr);
+ break;
+ case EXPR_META:
+ meta_match_postprocess(ctx, expr);
+ break;
+ case EXPR_BINOP:
+ relational_binop_postprocess(ctx, exprp);
+ break;
+ default:
+ break;
+ }
+ break;
+ case EXPR_PAYLOAD:
+ payload_expr_complete(expr, &dl->pctx);
+ if (expr->payload.inner_desc) {
+ if (meta_outer_may_dependency_kill(ctx, expr)) {
+ struct dl_proto_ctx *dl_outer = dl_proto_ctx_outer(ctx);
+
+ payload_dependency_release(&dl_outer->pdctx, expr->payload.inner_desc->base);
+ }
+ }
+ payload_dependency_kill(&dl->pdctx, expr, dl->pctx.family);
+ break;
+ case EXPR_VALUE:
+ // FIXME
+ if (expr->byteorder == BYTEORDER_HOST_ENDIAN)
+ mpz_switch_byteorder(expr->value, expr->len / BITS_PER_BYTE);
+
+ if (expr_basetype(expr)->type == TYPE_STRING)
+ *exprp = expr_postprocess_string(expr);
+
+ expr = *exprp;
+ if (expr->dtype->basetype != NULL &&
+ expr->dtype->basetype->type == TYPE_BITMASK)
+ *exprp = bitmask_expr_to_binops(expr);
+
+ break;
+ case EXPR_RANGE:
+ expr_postprocess(ctx, &expr->left);
+ expr_postprocess(ctx, &expr->right);
+ break;
+ case EXPR_PREFIX:
+ expr_postprocess(ctx, &expr->prefix);
+ break;
+ case EXPR_SET_ELEM:
+ ctx->flags |= RULE_PP_IN_SET_ELEM;
+ expr_postprocess(ctx, &expr->key);
+ ctx->flags &= ~RULE_PP_IN_SET_ELEM;
+ break;
+ case EXPR_EXTHDR:
+ exthdr_dependency_kill(&dl->pdctx, expr, dl->pctx.family);
+ break;
+ case EXPR_SET_REF:
+ case EXPR_META:
+ case EXPR_RT:
+ case EXPR_VERDICT:
+ case EXPR_NUMGEN:
+ case EXPR_FIB:
+ case EXPR_SOCKET:
+ case EXPR_OSF:
+ case EXPR_XFRM:
+ break;
+ case EXPR_HASH:
+ if (expr->hash.expr)
+ expr_postprocess(ctx, &expr->hash.expr);
+ break;
+ case EXPR_CT:
+ ct_expr_update_type(&dl->pctx, expr);
+ break;
+ default:
+ BUG("unknown expression type %s\n", expr_name(expr));
+ }
+}
+
+static void stmt_reject_postprocess(struct rule_pp_ctx *rctx)
+{
+ struct dl_proto_ctx *dl = dl_proto_ctx(rctx);
+ const struct proto_desc *desc, *base;
+ struct stmt *stmt = rctx->stmt;
+ int protocol;
+
+ switch (dl->pctx.family) {
+ case NFPROTO_IPV4:
+ stmt->reject.family = dl->pctx.family;
+ datatype_set(stmt->reject.expr, &icmp_code_type);
+ if (stmt->reject.type == NFT_REJECT_TCP_RST &&
+ payload_dependency_exists(&dl->pdctx,
+ PROTO_BASE_TRANSPORT_HDR))
+ payload_dependency_release(&dl->pdctx,
+ PROTO_BASE_TRANSPORT_HDR);
+ break;
+ case NFPROTO_IPV6:
+ stmt->reject.family = dl->pctx.family;
+ datatype_set(stmt->reject.expr, &icmpv6_code_type);
+ if (stmt->reject.type == NFT_REJECT_TCP_RST &&
+ payload_dependency_exists(&dl->pdctx,
+ PROTO_BASE_TRANSPORT_HDR))
+ payload_dependency_release(&dl->pdctx,
+ PROTO_BASE_TRANSPORT_HDR);
+ break;
+ case NFPROTO_INET:
+ case NFPROTO_BRIDGE:
+ case NFPROTO_NETDEV:
+ if (stmt->reject.type == NFT_REJECT_ICMPX_UNREACH) {
+ datatype_set(stmt->reject.expr, &icmpx_code_type);
+ break;
+ }
+
+ /* always print full icmp(6) name, simple 'reject' might be ambiguious
+ * because ipv4 vs. ipv6 info might be lost
+ */
+ stmt->reject.verbose_print = 1;
+
+ base = dl->pctx.protocol[PROTO_BASE_LL_HDR].desc;
+ desc = dl->pctx.protocol[PROTO_BASE_NETWORK_HDR].desc;
+ protocol = proto_find_num(base, desc);
+ switch (protocol) {
+ case NFPROTO_IPV4: /* INET */
+ case __constant_htons(ETH_P_IP): /* BRIDGE, NETDEV */
+ stmt->reject.family = NFPROTO_IPV4;
+ datatype_set(stmt->reject.expr, &icmp_code_type);
+ break;
+ case NFPROTO_IPV6: /* INET */
+ case __constant_htons(ETH_P_IPV6): /* BRIDGE, NETDEV */
+ stmt->reject.family = NFPROTO_IPV6;
+ datatype_set(stmt->reject.expr, &icmpv6_code_type);
+ break;
+ default:
+ break;
+ }
+
+ if (payload_dependency_exists(&dl->pdctx, PROTO_BASE_NETWORK_HDR))
+ payload_dependency_release(&dl->pdctx,
+ PROTO_BASE_NETWORK_HDR);
+ break;
+ default:
+ break;
+ }
+}
+
+static bool expr_may_merge_range(struct expr *expr, struct expr *prev,
+ enum ops *op)
+{
+ struct expr *left, *prev_left;
+
+ if (prev->etype == EXPR_RELATIONAL &&
+ expr->etype == EXPR_RELATIONAL) {
+ /* ct and meta needs an unary to swap byteorder, in this case
+ * we have to explore the inner branch in this tree.
+ */
+ if (expr->left->etype == EXPR_UNARY)
+ left = expr->left->arg;
+ else
+ left = expr->left;
+
+ if (prev->left->etype == EXPR_UNARY)
+ prev_left = prev->left->arg;
+ else
+ prev_left = prev->left;
+
+ if (left->etype == prev_left->etype) {
+ if (expr->op == OP_LTE && prev->op == OP_GTE) {
+ *op = OP_EQ;
+ return true;
+ } else if (expr->op == OP_GT && prev->op == OP_LT) {
+ *op = OP_NEQ;
+ return true;
+ }
+ }
+ }
+
+ return false;
+}
+
+static void expr_postprocess_range(struct rule_pp_ctx *ctx, enum ops op)
+{
+ struct dl_proto_ctx *dl = dl_proto_ctx(ctx);
+ struct stmt *nstmt, *stmt = ctx->stmt;
+ struct expr *nexpr, *rel;
+
+ nexpr = range_expr_alloc(&dl->pdctx.prev->location,
+ expr_clone(dl->pdctx.prev->expr->right),
+ expr_clone(stmt->expr->right));
+ expr_set_type(nexpr, stmt->expr->right->dtype,
+ stmt->expr->right->byteorder);
+
+ rel = relational_expr_alloc(&dl->pdctx.prev->location, op,
+ expr_clone(stmt->expr->left), nexpr);
+
+ nstmt = expr_stmt_alloc(&stmt->location, rel);
+ list_add_tail(&nstmt->list, &stmt->list);
+
+ list_del(&dl->pdctx.prev->list);
+ stmt_free(dl->pdctx.prev);
+
+ list_del(&stmt->list);
+ stmt_free(stmt);
+ ctx->stmt = nstmt;
+}
+
+static void stmt_expr_postprocess(struct rule_pp_ctx *ctx)
+{
+ struct dl_proto_ctx *dl = dl_proto_ctx(ctx);
+ enum ops op;
+
+ expr_postprocess(ctx, &ctx->stmt->expr);
+
+ if (dl->pdctx.prev && ctx->stmt &&
+ ctx->stmt->ops->type == dl->pdctx.prev->ops->type &&
+ expr_may_merge_range(ctx->stmt->expr, dl->pdctx.prev->expr, &op))
+ expr_postprocess_range(ctx, op);
+}
+
+static void stmt_payload_binop_pp(struct rule_pp_ctx *ctx, struct expr *binop)
+{
+ struct dl_proto_ctx *dl = dl_proto_ctx(ctx);
+ struct expr *payload = binop->left;
+ struct expr *mask = binop->right;
+ unsigned int shift;
+
+ assert(payload->etype == EXPR_PAYLOAD);
+ if (payload_expr_trim(payload, mask, &dl->pctx, &shift)) {
+ binop_adjust(binop, mask, shift);
+ payload_expr_complete(payload, &dl->pctx);
+ expr_set_type(mask, payload->dtype,
+ payload->byteorder);
+ }
+}
+
+/**
+ * stmt_payload_binop_postprocess - decode payload set binop
+ *
+ * @ctx: rule postprocessing context
+ *
+ * This helper has to be called if expr_postprocess() failed to
+ * decode the payload operation.
+ *
+ * Usually a failure to decode means that userspace had to munge
+ * the original payload expression because it has an odd size or
+ * a non-byte divisible offset/length.
+ *
+ * If that was the case, the 'value' expression is not a value but
+ * a binop expression with a munged payload expression on the left
+ * and a mask to clear the real payload offset/length.
+ *
+ * So chech if we have one of the following binops:
+ * I)
+ * binop (|)
+ * binop(&) value/set
+ * payload value(mask)
+ *
+ * This is the normal case, the | RHS is the value the user wants
+ * to set, the & RHS is the mask value that discards bits we need
+ * to clear but retains everything unrelated to the set operation.
+ *
+ * IIa)
+ * binop (&)
+ * payload mask
+ *
+ * User specified a zero set value -- netlink bitwise decoding
+ * discarded the redundant "| 0" part. This is identical to I),
+ * we can just set value to 0 after we inferred the real payload size.
+ *
+ * IIb)
+ * binop (|)
+ * payload value/set
+ *
+ * This happens when user wants to set all bits, netlink bitwise
+ * decoding changed '(payload & mask) ^ bits_to_set' into
+ * 'payload | bits_to_set', discarding the redundant "& 0xfff...".
+ */
+static void stmt_payload_binop_postprocess(struct rule_pp_ctx *ctx)
+{
+ struct expr *expr, *binop, *payload, *value, *mask;
+ struct stmt *stmt = ctx->stmt;
+ mpz_t bitmask;
+
+ expr = stmt->payload.val;
+
+ if (expr->etype != EXPR_BINOP)
+ return;
+
+ switch (expr->left->etype) {
+ case EXPR_BINOP: {/* I? */
+ mpz_t tmp;
+
+ if (expr->op != OP_OR)
+ return;
+
+ value = expr->right;
+ if (value->etype != EXPR_VALUE)
+ return;
+
+ binop = expr->left;
+ if (binop->op != OP_AND)
+ return;
+
+ payload = binop->left;
+ if (payload->etype != EXPR_PAYLOAD)
+ return;
+
+ if (!payload_expr_cmp(stmt->payload.expr, payload))
+ return;
+
+ mask = binop->right;
+ if (mask->etype != EXPR_VALUE)
+ return;
+
+ mpz_init(tmp);
+ mpz_set(tmp, mask->value);
+
+ mpz_init_bitmask(bitmask, payload->len);
+ mpz_xor(bitmask, bitmask, mask->value);
+ mpz_xor(bitmask, bitmask, value->value);
+ mpz_set(mask->value, bitmask);
+ mpz_clear(bitmask);
+
+ binop_postprocess(ctx, expr, &expr->left);
+ if (!payload_is_known(payload)) {
+ mpz_set(mask->value, tmp);
+ mpz_clear(tmp);
+ return;
+ }
+
+ mpz_clear(tmp);
+ expr_free(stmt->payload.expr);
+ stmt->payload.expr = expr_get(payload);
+ stmt->payload.val = expr_get(expr->right);
+ expr_free(expr);
+ break;
+ }
+ case EXPR_PAYLOAD: /* II? */
+ value = expr->right;
+ if (value->etype != EXPR_VALUE)
+ return;
+
+ switch (expr->op) {
+ case OP_AND: /* IIa */
+ payload = expr->left;
+ mpz_init_bitmask(bitmask, payload->len);
+ mpz_xor(bitmask, bitmask, value->value);
+ mpz_set(value->value, bitmask);
+ mpz_clear(bitmask);
+ break;
+ case OP_OR: /* IIb */
+ break;
+ default: /* No idea */
+ return;
+ }
+
+ stmt_payload_binop_pp(ctx, expr);
+ if (!payload_is_known(expr->left))
+ return;
+
+ expr_free(stmt->payload.expr);
+
+ switch (expr->op) {
+ case OP_AND:
+ /* Mask was used to match payload, i.e.
+ * user asked to set zero value.
+ */
+ mpz_set_ui(value->value, 0);
+ break;
+ default:
+ break;
+ }
+
+ stmt->payload.expr = expr_get(expr->left);
+ stmt->payload.val = expr_get(expr->right);
+ expr_free(expr);
+ break;
+ default: /* No idea */
+ break;
+ }
+}
+
+static void stmt_payload_postprocess(struct rule_pp_ctx *ctx)
+{
+ struct dl_proto_ctx *dl = dl_proto_ctx(ctx);
+ struct stmt *stmt = ctx->stmt;
+
+ payload_expr_complete(stmt->payload.expr, &dl->pctx);
+ if (!payload_is_known(stmt->payload.expr))
+ stmt_payload_binop_postprocess(ctx);
+
+ expr_postprocess(ctx, &stmt->payload.expr);
+
+ expr_set_type(stmt->payload.val,
+ stmt->payload.expr->dtype,
+ stmt->payload.expr->byteorder);
+
+ expr_postprocess(ctx, &stmt->payload.val);
+}
+
+static void stmt_queue_postprocess(struct rule_pp_ctx *ctx)
+{
+ struct stmt *stmt = ctx->stmt;
+ struct expr *e = stmt->queue.queue;
+
+ if (e == NULL || e->etype == EXPR_VALUE ||
+ e->etype == EXPR_RANGE)
+ return;
+
+ expr_postprocess(ctx, &stmt->queue.queue);
+}
+
+/*
+ * We can only remove payload dependencies if they occur without
+ * a statement with side effects in between.
+ *
+ * For instance:
+ * 'ip protocol tcp tcp dport 22 counter' is same as
+ * 'tcp dport 22 counter'.
+ *
+ * 'ip protocol tcp counter tcp dport 22' cannot be written as
+ * 'counter tcp dport 22' (that would be counter ip protocol tcp, but
+ * that counts every packet, not just ip/tcp).
+ */
+static void
+rule_maybe_reset_payload_deps(struct payload_dep_ctx *pdctx, enum stmt_types t)
+{
+ if (t == STMT_EXPRESSION)
+ return;
+
+ payload_dependency_reset(pdctx);
+}
+
+static bool has_inner_desc(const struct expr *expr)
+{
+ struct expr *i;
+
+ switch (expr->etype) {
+ case EXPR_BINOP:
+ return has_inner_desc(expr->left);
+ case EXPR_CONCAT:
+ list_for_each_entry(i, &expr->expressions, list) {
+ if (has_inner_desc(i))
+ return true;
+ }
+ break;
+ case EXPR_META:
+ return expr->meta.inner_desc;
+ case EXPR_PAYLOAD:
+ return expr->payload.inner_desc;
+ case EXPR_SET_ELEM:
+ return has_inner_desc(expr->key);
+ default:
+ break;
+ }
+
+ return false;
+}
+
+static struct dl_proto_ctx *rule_update_dl_proto_ctx(struct rule_pp_ctx *rctx)
+{
+ const struct stmt *stmt = rctx->stmt;
+ bool inner = false;
+
+ switch (stmt->ops->type) {
+ case STMT_EXPRESSION:
+ if (has_inner_desc(stmt->expr->left))
+ inner = true;
+ break;
+ case STMT_SET:
+ if (has_inner_desc(stmt->set.key))
+ inner = true;
+ break;
+ default:
+ break;
+ }
+
+ if (inner)
+ rctx->dl = &rctx->_dl[1];
+ else
+ rctx->dl = &rctx->_dl[0];
+
+ return rctx->dl;
+}
+
+static void rule_parse_postprocess(struct netlink_parse_ctx *ctx, struct rule *rule)
+{
+ struct stmt *stmt, *next;
+ struct dl_proto_ctx *dl;
+ struct rule_pp_ctx rctx;
+ struct expr *expr;
+
+ memset(&rctx, 0, sizeof(rctx));
+ proto_ctx_init(&rctx._dl[0].pctx, rule->handle.family, ctx->debug_mask, false);
+ /* use NFPROTO_BRIDGE to set up proto_eth as base protocol. */
+ proto_ctx_init(&rctx._dl[1].pctx, NFPROTO_BRIDGE, ctx->debug_mask, true);
+
+ list_for_each_entry_safe(stmt, next, &rule->stmts, list) {
+ enum stmt_types type = stmt->ops->type;
+
+ rctx.stmt = stmt;
+ dl = rule_update_dl_proto_ctx(&rctx);
+
+ switch (type) {
+ case STMT_EXPRESSION:
+ stmt_expr_postprocess(&rctx);
+ break;
+ case STMT_PAYLOAD:
+ stmt_payload_postprocess(&rctx);
+ break;
+ case STMT_METER:
+ expr_postprocess(&rctx, &stmt->meter.key);
+ break;
+ case STMT_META:
+ if (stmt->meta.expr != NULL)
+ expr_postprocess(&rctx, &stmt->meta.expr);
+ break;
+ case STMT_CT:
+ if (stmt->ct.expr != NULL) {
+ expr_postprocess(&rctx, &stmt->ct.expr);
+
+ if (stmt->ct.expr->etype == EXPR_BINOP &&
+ stmt->ct.key == NFT_CT_EVENTMASK) {
+ expr = binop_tree_to_list(NULL, stmt->ct.expr);
+ expr_free(stmt->ct.expr);
+ stmt->ct.expr = expr;
+ }
+ }
+ break;
+ case STMT_NAT:
+ if (stmt->nat.addr != NULL)
+ expr_postprocess(&rctx, &stmt->nat.addr);
+ if (stmt->nat.proto != NULL)
+ expr_postprocess(&rctx, &stmt->nat.proto);
+ break;
+ case STMT_TPROXY:
+ if (stmt->tproxy.addr)
+ expr_postprocess(&rctx, &stmt->tproxy.addr);
+ if (stmt->tproxy.port) {
+ payload_dependency_reset(&dl->pdctx);
+ expr_postprocess(&rctx, &stmt->tproxy.port);
+ }
+ break;
+ case STMT_REJECT:
+ stmt_reject_postprocess(&rctx);
+ break;
+ case STMT_SET:
+ expr_postprocess(&rctx, &stmt->set.key);
+ break;
+ case STMT_MAP:
+ expr_postprocess(&rctx, &stmt->map.key);
+ expr_postprocess(&rctx, &stmt->map.data);
+ break;
+ case STMT_DUP:
+ if (stmt->dup.to != NULL)
+ expr_postprocess(&rctx, &stmt->dup.to);
+ if (stmt->dup.dev != NULL)
+ expr_postprocess(&rctx, &stmt->dup.dev);
+ break;
+ case STMT_FWD:
+ expr_postprocess(&rctx, &stmt->fwd.dev);
+ if (stmt->fwd.addr != NULL)
+ expr_postprocess(&rctx, &stmt->fwd.addr);
+ break;
+ case STMT_XT:
+ stmt_xt_postprocess(&rctx, stmt, rule);
+ break;
+ case STMT_OBJREF:
+ expr_postprocess(&rctx, &stmt->objref.expr);
+ break;
+ case STMT_QUEUE:
+ stmt_queue_postprocess(&rctx);
+ break;
+ default:
+ break;
+ }
+
+ dl->pdctx.prev = rctx.stmt;
+
+ rule_maybe_reset_payload_deps(&dl->pdctx, type);
+ }
+}
+
+static int parse_rule_udata_cb(const struct nftnl_udata *attr, void *data)
+{
+ unsigned char *value = nftnl_udata_get(attr);
+ uint8_t type = nftnl_udata_type(attr);
+ uint8_t len = nftnl_udata_len(attr);
+ const struct nftnl_udata **tb = data;
+
+ switch (type) {
+ case NFTNL_UDATA_RULE_COMMENT:
+ if (value[len - 1] != '\0')
+ return -1;
+ break;
+ default:
+ return 0;
+ }
+ tb[type] = attr;
+ return 0;
+}
+
+static char *nftnl_rule_get_comment(const struct nftnl_rule *nlr)
+{
+ const struct nftnl_udata *tb[NFTNL_UDATA_RULE_MAX + 1] = {};
+ const void *data;
+ uint32_t len;
+
+ if (!nftnl_rule_is_set(nlr, NFTNL_RULE_USERDATA))
+ return NULL;
+
+ data = nftnl_rule_get_data(nlr, NFTNL_RULE_USERDATA, &len);
+
+ if (nftnl_udata_parse(data, len, parse_rule_udata_cb, tb) < 0)
+ return NULL;
+
+ if (!tb[NFTNL_UDATA_RULE_COMMENT])
+ return NULL;
+
+ return xstrdup(nftnl_udata_get(tb[NFTNL_UDATA_RULE_COMMENT]));
+}
+
+struct rule *netlink_delinearize_rule(struct netlink_ctx *ctx,
+ struct nftnl_rule *nlr)
+{
+ struct netlink_parse_ctx _ctx, *pctx = &_ctx;
+ struct handle h;
+
+ memset(&_ctx, 0, sizeof(_ctx));
+ _ctx.msgs = ctx->msgs;
+ _ctx.debug_mask = ctx->nft->debug_mask;
+ _ctx.nlctx = ctx;
+
+ memset(&h, 0, sizeof(h));
+ h.family = nftnl_rule_get_u32(nlr, NFTNL_RULE_FAMILY);
+ h.table.name = xstrdup(nftnl_rule_get_str(nlr, NFTNL_RULE_TABLE));
+ h.chain.name = xstrdup(nftnl_rule_get_str(nlr, NFTNL_RULE_CHAIN));
+ h.handle.id = nftnl_rule_get_u64(nlr, NFTNL_RULE_HANDLE);
+
+ if (nftnl_rule_is_set(nlr, NFTNL_RULE_POSITION))
+ h.position.id = nftnl_rule_get_u64(nlr, NFTNL_RULE_POSITION);
+
+ pctx->rule = rule_alloc(&netlink_location, &h);
+ pctx->table = table_cache_find(&ctx->nft->cache.table_cache,
+ h.table.name, h.family);
+ if (!pctx->table) {
+ errno = ENOENT;
+ return NULL;
+ }
+
+ pctx->rule->comment = nftnl_rule_get_comment(nlr);
+
+ nftnl_expr_foreach(nlr, netlink_parse_rule_expr, pctx);
+
+ rule_parse_postprocess(pctx, pctx->rule);
+ netlink_release_registers(pctx);
+ return pctx->rule;
+}