expr: fix sctp chunks

also adds space-keys test for all keys with spaces
namib-project · Jan 22, 2024 · e5fb6d4 · e5fb6d4
1 parent cb8937a
commit e5fb6d4
Show file tree

Hide file tree

Showing 3 changed files with 308 additions and 0 deletions.
diff --git a/resources/test/json/space-keys.json b/resources/test/json/space-keys.json
@@ -0,0 +1,266 @@
+{
+  "nftables": [
+    {
+      "metainfo": {
+        "version": "1.0.7",
+        "release_name": "Old Doc Yak",
+        "json_schema_version": 1
+      }
+    },
+    {
+      "table": {
+        "family": "ip",
+        "name": "filter",
+        "handle": 1
+      }
+    },
+    {
+      "ct expectation": {
+        "family": "ip",
+        "name": "e_pgsql",
+        "table": "filter",
+        "handle": 4,
+        "protocol": "tcp",
+        "dport": 5432,
+        "timeout": 3600000,
+        "size": 12,
+        "l3proto": "ip"
+      }
+    },
+    {
+      "ct helper": {
+        "family": "ip",
+        "name": "ftp-standard",
+        "table": "filter",
+        "handle": 5,
+        "type": "ftp",
+        "protocol": "tcp",
+        "l3proto": "ip"
+      }
+    },
+    {
+      "chain": {
+        "family": "ip",
+        "table": "filter",
+        "name": "INPUT",
+        "handle": 1,
+        "type": "filter",
+        "hook": "input",
+        "prio": 0,
+        "policy": "accept"
+      }
+    },
+    {
+      "chain": {
+        "family": "ip",
+        "table": "filter",
+        "name": "FORWARD",
+        "handle": 2,
+        "type": "filter",
+        "hook": "forward",
+        "prio": 0,
+        "policy": "accept"
+      }
+    },
+    {
+      "chain": {
+        "family": "ip",
+        "table": "filter",
+        "name": "OUTPUT",
+        "handle": 3,
+        "type": "filter",
+        "hook": "output",
+        "prio": 0,
+        "policy": "accept"
+      }
+    },
+    {
+      "rule": {
+        "family": "ip",
+        "table": "filter",
+        "chain": "INPUT",
+        "handle": 6,
+        "expr": [
+          {
+            "match": {
+              "op": "==",
+              "left": {
+                "payload": {
+                  "protocol": "tcp",
+                  "field": "dport"
+                }
+              },
+              "right": 22
+            }
+          },
+          {
+            "ct count": {
+              "val": 10
+            }
+          },
+          {
+            "accept": null
+          }
+        ]
+      }
+    },
+    {
+      "rule": {
+        "family": "ip",
+        "table": "filter",
+        "chain": "INPUT",
+        "handle": 7,
+        "expr": [
+          {
+            "match": {
+              "op": "in",
+              "left": {
+                "ct": {
+                  "key": "state"
+                }
+              },
+              "right": "new"
+            }
+          },
+          {
+            "match": {
+              "op": "==",
+              "left": {
+                "payload": {
+                  "protocol": "tcp",
+                  "field": "dport"
+                }
+              },
+              "right": 8888
+            }
+          },
+          {
+            "ct expectation": "e_pgsql"
+          }
+        ]
+      }
+    },
+    {
+      "rule": {
+        "family": "ip",
+        "table": "filter",
+        "chain": "INPUT",
+        "handle": 8,
+        "expr": [
+          {
+            "match": {
+              "op": "in",
+              "left": {
+                "ct": {
+                  "key": "state"
+                }
+              },
+              "right": [
+                "established",
+                "related"
+              ]
+            }
+          },
+          {
+            "counter": {
+              "packets": 0,
+              "bytes": 0
+            }
+          },
+          {
+            "accept": null
+          }
+        ]
+      }
+    },
+    {
+      "rule": {
+        "family": "ip",
+        "table": "filter",
+        "chain": "FORWARD",
+        "handle": 9,
+        "expr": [
+          {
+            "match": {
+              "op": "in",
+              "left": {
+                "payload": {
+                  "protocol": "tcp",
+                  "field": "flags"
+                }
+              },
+              "right": "syn"
+            }
+          },
+          {
+            "counter": {
+              "packets": 0,
+              "bytes": 0
+            }
+          },
+          {
+            "mangle": {
+              "key": {
+                "tcp option": {
+                  "name": "maxseg",
+                  "field": "size"
+                }
+              },
+              "value": {
+                "rt": {
+                  "key": "mtu"
+                }
+              }
+            }
+          }
+        ]
+      }
+    },
+    {
+      "rule": {
+        "family": "ip",
+        "table": "filter",
+        "chain": "FORWARD",
+        "handle": 10,
+        "expr": [
+          {
+            "match": {
+              "op": "==",
+              "left": {
+                "sctp chunk": {
+                  "name": "data",
+                  "field": "flags"
+                }
+              },
+              "right": 2
+            }
+          }
+        ]
+      }
+    },
+    {
+      "rule": {
+        "family": "ip",
+        "table": "filter",
+        "chain": "FORWARD",
+        "handle": 11,
+        "expr": [
+          {
+            "match": {
+              "op": "==",
+              "left": {
+                "ct": {
+                  "key": "helper"
+                }
+              },
+              "right": "ftp-standard"
+            }
+          },
+          {
+            "accept": null
+          }
+        ]
+      }
+    }
+  ]
+}
diff --git a/resources/test/nft/space-keys.nft b/resources/test/nft/space-keys.nft
@@ -0,0 +1,41 @@
+# this tests various key names with spaces: 
+#   * ct count
+#   * ct expectation
+#   * ct helper
+#   * ct timeout
+#   * sctp chunk
+#   * tcp option
+# nft rule snippets are taken from wiki.nftables.org
+
+table ip filter {
+	ct expectation e_pgsql {
+		protocol tcp
+		dport 5432
+		timeout 1h
+		size 12
+		l3proto ip
+	}
+
+	ct helper ftp-standard {
+		type "ftp" protocol tcp
+		l3proto ip
+	}
+
+	chain INPUT {
+		type filter hook input priority filter; policy accept;
+		tcp dport 22 ct count 10 accept
+		ct state new tcp dport 8888 ct expectation set "e_pgsql"
+		ct state established,related counter packets 0 bytes 0 accept
+	}
+
+	chain FORWARD {
+		type filter hook forward priority filter; policy accept;
+		tcp flags syn counter packets 0 bytes 0 tcp option maxseg size set rt mtu
+		sctp chunk data flags 2
+		ct helper "ftp-standard" accept
+	}
+
+	chain OUTPUT {
+		type filter hook output priority filter; policy accept;
+	}
+}
diff --git a/src/expr.rs b/src/expr.rs
@@ -39,6 +39,7 @@ pub enum NamedExpression {
     Exthdr(Exthdr),
     #[serde(rename = "tcp option")]
     TcpOption(TcpOption),
+    #[serde(rename = "sctp chunk")]
     SctpChunk(SctpChunk),
     Meta(Meta),
     RT(RT),