From e5fb6d4e48d282b97a8957cc70a7653bdbb51f37 Mon Sep 17 00:00:00 2001
From: wiegratz
Date: Mon, 22 Jan 2024 12:26:50 +0100
Subject: [PATCH] expr: fix sctp chunks

also adds space-keys test for all keys with spaces
---
 resources/test/json/space-keys.json | 266 ++++++++++++++++++++++++++++
 resources/test/nft/space-keys.nft | 41 +++++
 src/expr.rs | 1 +
 3 files changed, 308 insertions(+)
 create mode 100644 resources/test/json/space-keys.json
 create mode 100644 resources/test/nft/space-keys.nft

diff --git a/resources/test/json/space-keys.json b/resources/test/json/space-keys.json
new file mode 100644
index 0000000..af8536d
--- /dev/null
+++ b/resources/test/json/space-keys.json
@@ -0,0 +1,266 @@ +{ + "nftables": [ + { + "metainfo": { + "version": "1.0.7", + "release_name": "Old Doc Yak", + "json_schema_version": 1 + } + }, + { + "table": { + "family": "ip", + "name": "filter", + "handle": 1 + } + }, + { + "ct expectation": { + "family": "ip", + "name": "e_pgsql", + "table": "filter", + "handle": 4, + "protocol": "tcp", + "dport": 5432, + "timeout": 3600000, + "size": 12, + "l3proto": "ip" + } + }, + { + "ct helper": { + "family": "ip", + "name": "ftp-standard", + "table": "filter", + "handle": 5, + "type": "ftp", + "protocol": "tcp", + "l3proto": "ip" + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "INPUT", + "handle": 1, + "type": "filter", + "hook": "input", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "FORWARD", + "handle": 2, + "type": "filter", + "hook": "forward", + "prio": 0, + "policy": "accept" + } + }, + { + "chain": { + "family": "ip", + "table": "filter", + "name": "OUTPUT", + "handle": 3, + "type": "filter", + "hook": "output", + "prio": 0, + "policy": "accept" + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "INPUT", + "handle": 6, + "expr": [ + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 22 + } + }, + { + "ct count": { + "val": 10 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "INPUT", + "handle": 7, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + "right": "new" + } + }, + { + "match": { + "op": "==", + "left": { + "payload": { + "protocol": "tcp", + "field": "dport" + } + }, + "right": 8888 + } + }, + { + "ct expectation": "e_pgsql" + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "INPUT", + "handle": 8, + "expr": [ + { + "match": { + "op": "in", + "left": { + "ct": { + "key": "state" + } + }, + 
"right": [ + "established", + "related" + ] + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "accept": null + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "FORWARD", + "handle": 9, + "expr": [ + { + "match": { + "op": "in", + "left": { + "payload": { + "protocol": "tcp", + "field": "flags" + } + }, + "right": "syn" + } + }, + { + "counter": { + "packets": 0, + "bytes": 0 + } + }, + { + "mangle": { + "key": { + "tcp option": { + "name": "maxseg", + "field": "size" + } + }, + "value": { + "rt": { + "key": "mtu" + } + } + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "FORWARD", + "handle": 10, + "expr": [ + { + "match": { + "op": "==", + "left": { + "sctp chunk": { + "name": "data", + "field": "flags" + } + }, + "right": 2 + } + } + ] + } + }, + { + "rule": { + "family": "ip", + "table": "filter", + "chain": "FORWARD", + "handle": 11, + "expr": [ + { + "match": { + "op": "==", + "left": { + "ct": { + "key": "helper" + } + }, + "right": "ftp-standard" + } + }, + { + "accept": null + } + ] + } + } + ] +} \ No newline at end of file diff --git a/resources/test/nft/space-keys.nft b/resources/test/nft/space-keys.nft new file mode 100644 index 0000000..fd9ac0c --- /dev/null +++ b/resources/test/nft/space-keys.nft 
@@ -0,0 +1,41 @@
+# this tests various key names with spaces:
+# * ct count
+# * ct expectation
+# * ct helper
+# * ct timeout
+# * sctp chunk
+# * tcp option
+# nft rule snippets are taken from wiki.nftables.org
+
+table ip filter {
+ ct expectation e_pgsql {
+ protocol tcp
+ dport 5432
+ timeout 1h
+ size 12
+ l3proto ip
+ }
+
+ ct helper ftp-standard {
+ type "ftp" protocol tcp
+ l3proto ip
+ }
+
+ chain INPUT {
+ type filter hook input priority filter; policy accept;
+ tcp dport 22 ct count 10 accept
+ ct state new tcp dport 8888 ct expectation set "e_pgsql"
+ ct state established,related counter packets 0 bytes 0 accept
+ }
+
+ chain FORWARD {
+ type filter hook forward priority filter; policy accept;
+ tcp flags syn counter packets 0 bytes 0 tcp option maxseg size set rt mtu
+ sctp chunk data flags 2
+ ct helper "ftp-standard" accept
+ }
+
+ chain OUTPUT {
+ type filter hook output priority filter; policy accept;
+ }
+}
diff --git a/src/expr.rs b/src/expr.rs
index 13e35d6..6f03a12 100644
--- a/src/expr.rs
+++ b/src/expr.rs
@@ -39,6 +39,7 @@ pub enum NamedExpression {
 Exthdr(Exthdr),
 #[serde(rename = "tcp option")]
 TcpOption(TcpOption),
+ #[serde(rename = "sctp chunk")]
 SctpChunk(SctpChunk),
 Meta(Meta),
 RT(RT),
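Review bot: The header comment of the new fixture lists `ct timeout` among the keys under test, but the ruleset below defines no `ct timeout` object and the companion JSON fixture in this patch contains no `ct timeout` key either, so that case is not actually exercised. Either add a `ct timeout` object (its JSON key also carries a space, which is the point of this fixture) or drop the bullet `# * ct timeout` so the comment matches what the file covers. If the example was left out deliberately because the parser does not support it yet, the comment should say so instead of listing it as tested.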
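Review bot: The `SctpChunk` variant gains a serde rename but no doc comment, so nothing in the code explains why the wire key differs from the variant name (the same is true of the `tcp option` rename two lines above). A one-line comment such as `/// Emitted by nft under the JSON key "sctp chunk"; covered by resources/test/nft/space-keys.nft.` would make the variant-name/wire-key mismatch visibly intentional for the next person who adds a variant. Whether the new fixtures are loaded by an existing test that walks resources/test is not visible in this patch, so it is worth confirming that the rename is actually regression-covered rather than only documented by the fixture. The enclosing `NamedExpression` enum starts and ends outside the hunk.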