authorTopi Miettinen <toiwoton@gmail.com>2022-05-22 14:09:06 +0300
committerTopi Miettinen <topimiettinen@users.noreply.github.com>2022-06-08 16:12:25 +0000
commitab51fd9dbdc59f9a37acd8acaea3e9088d092bba (patch)
tree82dbd77f4def265280ea0bb5463cd105f6cd3fcb /src/basic/parse-util.c
parente8f1b50f271f5e28b99182c56eb1b8c704456c34 (diff)
downloadsystemd-ab51fd9dbdc59f9a37acd8acaea3e9088d092bba.tar.gz
network: firewall integration with NFT sets
New directives `NFTSet=`, `IPv4NFTSet=` and `IPv6NFTSet=` provide a method for integrating configuration of dynamic networks into firewall rules with NFT sets. /etc/systemd/network/eth.network ``` [DHCPv4] ... NFTSet=netdev:filter:eth_ipv4_address ``` ``` table netdev filter { set eth_ipv4_address { type ipv4_addr flags interval } chain eth_ingress { type filter hook ingress device "eth0" priority filter; policy drop; ip saddr != @eth_ipv4_address drop accept } } ``` ``` sudo nft list set netdev filter eth_ipv4_address table netdev filter { set eth_ipv4_address { type ipv4_addr flags interval elements = { 10.0.0.0/24 } } } ```
Diffstat (limited to 'src/basic/parse-util.c')
-rw-r--r--src/basic/parse-util.c35
1 files changed, 35 insertions, 0 deletions
diff --git a/src/basic/parse-util.c b/src/basic/parse-util.c
index 35fbb5ec6a..0c7c562d17 100644
--- a/src/basic/parse-util.c
+++ b/src/basic/parse-util.c
@@ -750,3 +750,38 @@ int parse_loadavg_fixed_point(const char *s, loadavg_t *ret) {
return store_loadavg_fixed_point(i, f, ret);
}
+
+static bool nft_first_char_bad(const char c) {
+ if ((c >= 'a' && c <= 'z') ||
+ (c >= 'A' && c <= 'Z'))
+ return false;
+ return true;
+}
+
+static bool nft_next_char_bad(const char c) {
+ if ((c >= 'a' && c <= 'z') ||
+ (c >= 'A' && c <= 'Z') ||
+ (c >= '0' && c <= '9') ||
+ c == '/' || c == '\\' || c == '_' || c == '.')
+ return false;
+ return true;
+}
+
+/* Limitations are described in https://www.netfilter.org/projects/nftables/manpage.html and
+ * https://bugzilla.netfilter.org/show_bug.cgi?id=1175 */
+bool nft_identifier_bad(const char *id) {
+ assert(id);
+
+ size_t len;
+ len = strlen(id);
+ if (len == 0 || len > 31)
+ return true;
+
+ if (nft_first_char_bad(id[0]))
+ return true;
+
+ for (size_t i = 1; i < len; i++)
+ if (nft_next_char_bad(id[i]))
+ return true;
+ return false;
+}
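Review bot: The length cap `len > 31` and the character classes in `nft_first_char_bad`/`nft_next_char_bad` are the whole contract of `nft_identifier_bad`, yet the only comment on the new public function is two external URLs, so a reader has to re-derive what "bad" means from the helpers. Add a header comment above the definition such as `/* Returns true if 'id' is not acceptable as an nftables table/set name: it must be 1..31 bytes, start with an ASCII letter, and otherwise contain only ASCII letters, digits, '/', '\\', '_' or '.' */`. The limit should also be a named constant rather than a bare `31`, e.g. `if (len == 0 || len > NFT_IDENTIFIER_MAX_LEN)` with the `#define` kept next to the prototype (constant name constructed here), so the documented and enforced bound cannot drift apart. The acceptance of `'/'` and `'\\'` is presumably what the referenced bugzilla entry justifies; if so, state that in the comment, since it is the one surprising choice in the validator that a later reader will want to revisit. Minor: `size_t len; len = strlen(id);` can be `size_t len = strlen(id);`, matching the declare-at-first-use style of the `for (size_t i = 1; ...)` loop below it.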