sys fw: allow to apply operators on Meta and Ct expressions

Allow to apply operators (==, !=) on Meta (mark, skuid, skgid, etc) and
Conntrack Mark expressions.

daemon/firewall/nftables/exprs/ct.go

@@ -24,7 +24,7 @@ import (
 // nft --debug netlink add rule mangle prerouting ct mark 123
 // [ ct load mark => reg 1 ]
 // [ cmp eq reg 1 0x0000007b ]
-func NewExprCtMark(setMark bool, value string) (*[]expr.Any, error) {
+func NewExprCtMark(setMark bool, value string, cmpOp *expr.CmpOp) (*[]expr.Any, error) {
 	mark, err := strconv.Atoi(value)
 	if err != nil {
 		return nil, fmt.Errorf("Invalid conntrack mark: %s (%s)", err, value)
@@ -44,7 +44,7 @@ func NewExprCtMark(setMark bool, value string) (*[]expr.Any, error) {
 	}...)
 	if setMark == false {
 		exprCtMark = append(exprCtMark, []expr.Any{
-			&expr.Cmp{Op: expr.CmpOpEq, Register: 1, Data: binaryutil.NativeEndian.PutUint32(uint32(mark))},
+			&expr.Cmp{Op: *cmpOp, Register: 1, Data: binaryutil.NativeEndian.PutUint32(uint32(mark))},
 		}...)
 	}
 

daemon/firewall/nftables/exprs/meta.go

@@ -11,7 +11,7 @@ import (
 
 // NewExprMeta creates a new meta selector to match or set packet metainformation.
 // https://wiki.nftables.org/wiki-nftables/index.php/Matching_packet_metainformation
-func NewExprMeta(values []*config.ExprValues) (*[]expr.Any, error) {
+func NewExprMeta(values []*config.ExprValues, cmpOp *expr.CmpOp) (*[]expr.Any, error) {
 	setMark := false
 	metaExpr := []expr.Any{}
 
@@ -44,7 +44,7 @@ func NewExprMeta(values []*config.ExprValues) (*[]expr.Any, error) {
 			metaExpr = append(metaExpr, []expr.Any{
 				&expr.Meta{Key: metaKey, Register: 1, SourceRegister: setMark},
 				&expr.Cmp{
-					Op:       expr.CmpOpEq,
+					Op:       *cmpOp,
 					Register: 1,
 					Data:     binaryutil.NativeEndian.PutUint32(metaVal),
 				}}...)
@@ -64,7 +64,7 @@ func NewExprMeta(values []*config.ExprValues) (*[]expr.Any, error) {
 			return &[]expr.Any{
 				&expr.Meta{Key: expr.MetaKeyNFTRACE, Register: 1},
 				&expr.Cmp{
-					Op:       expr.CmpOpEq,
+					Op:       *cmpOp,
 					Register: 1,
 					Data:     binaryutil.NativeEndian.PutUint32(uint32(mark)),
 				},

daemon/firewall/nftables/parser.go

@@ -37,7 +37,7 @@ func (n *Nft) parseExpression(table, chain, family string, expression *config.Ex
 	switch expression.Statement.Name {
 
 	case exprs.NFT_CT:
-		exprCt := n.buildConntrackRule(expression.Statement.Values)
+		exprCt := n.buildConntrackRule(expression.Statement.Values, &cmpOp)
 		if exprCt == nil {
 			log.Warning("%s Ct statement error", logTag)
 			return nil
@@ -45,7 +45,7 @@ func (n *Nft) parseExpression(table, chain, family string, expression *config.Ex
 		exprList = append(exprList, *exprCt...)
 
 	case exprs.NFT_META:
-		metaExpr, err := exprs.NewExprMeta(expression.Statement.Values)
+		metaExpr, err := exprs.NewExprMeta(expression.Statement.Values, &cmpOp)
 		if err != nil {
 			log.Warning("%s meta statement error: %s", logTag, err)
 			return nil

daemon/firewall/nftables/rule_helpers.go

@@ -99,7 +99,7 @@ func (n *Nft) buildICMPRule(table, family string, icmpProtoVersion string, icmpO
 	return &ICMPrule
 }
 
-func (n *Nft) buildConntrackRule(ctOptions []*config.ExprValues) *[]expr.Any {
+func (n *Nft) buildConntrackRule(ctOptions []*config.ExprValues, cmpOp *expr.CmpOp) *[]expr.Any {
 	exprList := []expr.Any{}
 
 	setMark := false
@@ -122,7 +122,7 @@ func (n *Nft) buildConntrackRule(ctOptions []*config.ExprValues) *[]expr.Any {
 		case exprs.NFT_CT_SET_MARK:
 			setMark = true
 		case exprs.NFT_CT_MARK:
-			ctExprMark, err := exprs.NewExprCtMark(setMark, ctOption.Value)
+			ctExprMark, err := exprs.NewExprCtMark(setMark, ctOption.Value, cmpOp)
 			if err != nil {
 				log.Warning("%s ct mark error: %s", logTag, err)
 				return nil