/
meta.go
138 lines (122 loc) · 3.41 KB
/
meta.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
package exprs
import (
"fmt"
"strconv"
"github.com/evilsocket/opensnitch/daemon/firewall/config"
"github.com/google/nftables/binaryutil"
"github.com/google/nftables/expr"
)
// NewExprMeta creates a new meta selector to match or set packet metainformation.
// https://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_metainformation
func NewExprMeta(values []*config.ExprValues, cmpOp *expr.CmpOp) (*[]expr.Any, error) {
setMark := false
metaExpr := []expr.Any{}
for _, meta := range values {
switch meta.Key {
case NFT_META_SET_MARK:
setMark = true
continue
case NFT_META_MARK:
metaKey, err := getMetaKey(meta.Key)
if err != nil {
return nil, err
}
metaVal, err := getMetaValue(meta.Value)
if err != nil {
return nil, err
}
if setMark {
metaExpr = append(metaExpr, []expr.Any{
&expr.Immediate{
Register: 1,
Data: binaryutil.NativeEndian.PutUint32(uint32(metaVal)),
}}...)
metaExpr = append(metaExpr, []expr.Any{
&expr.Meta{Key: metaKey, Register: 1, SourceRegister: setMark}}...)
} else {
metaExpr = append(metaExpr, []expr.Any{
&expr.Meta{Key: metaKey, Register: 1, SourceRegister: setMark},
&expr.Cmp{
Op: *cmpOp,
Register: 1,
Data: binaryutil.NativeEndian.PutUint32(uint32(metaVal)),
}}...)
}
setMark = false
return &metaExpr, nil
case NFT_META_L4PROTO:
mexpr, err := NewExprProtocol(meta.Key)
if err != nil {
return nil, err
}
metaExpr = append(metaExpr, *mexpr...)
return &metaExpr, nil
case NFT_META_PRIORITY,
NFT_META_SKUID, NFT_META_SKGID,
NFT_META_PROTOCOL:
metaKey, err := getMetaKey(meta.Key)
if err != nil {
return nil, err
}
metaVal, err := getProtocolCode(meta.Value)
if err != nil {
return nil, err
}
metaExpr = append(metaExpr, []expr.Any{
&expr.Meta{Key: metaKey, Register: 1, SourceRegister: setMark},
&expr.Cmp{
Op: *cmpOp,
Register: 1,
Data: binaryutil.NativeEndian.PutUint32(uint32(metaVal)),
}}...)
setMark = false
return &metaExpr, nil
case NFT_META_NFTRACE:
mark, err := getMetaValue(meta.Value)
if err != nil {
return nil, err
}
if mark != 0 && mark != 1 {
return nil, fmt.Errorf("%s Invalid nftrace value: %d. Only 1 or 0 allowed", "nftables", mark)
}
// TODO: not working yet
return &[]expr.Any{
&expr.Meta{Key: expr.MetaKeyNFTRACE, Register: 1},
&expr.Cmp{
Op: *cmpOp,
Register: 1,
Data: binaryutil.NativeEndian.PutUint32(uint32(mark)),
},
}, nil
default:
// not supported yet
}
}
return nil, fmt.Errorf("%s meta keyword not supported yet, open a new issue on github", "nftables")
}
func getMetaValue(value string) (int, error) {
metaVal, err := strconv.Atoi(value)
if err != nil {
return 0, err
}
return metaVal, nil
}
// https://github.com/google/nftables/blob/main/expr/expr.go#L168
func getMetaKey(value string) (expr.MetaKey, error) {
switch value {
case NFT_META_MARK:
return expr.MetaKeyMARK, nil
case NFT_META_PRIORITY:
return expr.MetaKeyPRIORITY, nil
case NFT_META_SKUID:
return expr.MetaKeySKUID, nil
case NFT_META_SKGID:
return expr.MetaKeySKGID, nil
// ip, ip6, arp, vlan
case NFT_META_PROTOCOL:
return expr.MetaKeyPROTOCOL, nil
case NFT_META_L4PROTO:
return expr.MetaKeyL4PROTO, nil
}
return expr.MetaKeyPRANDOM, fmt.Errorf("meta key %s not supported (yet)", value)
}