Message ID | 20171201124021.20973-2-fw@strlen.de |
---|---|
State | Changes Requested |
Delegated to: | Pablo Neira |
Series | [nf-next] netfilter: meta: secpath support | expand |
Florian Westphal <fw@strlen.de> wrote: > +int nft_meta_get_validate(const struct nft_ctx *ctx, > + const struct nft_expr *expr, > + const struct nft_data **data) Sigh, this should be static of course. I will not send a v2 for now. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On 1 December 2017 at 13:40, Florian Westphal <fw@strlen.de> wrote: > replacement for iptables "-m policy --dir in --policy {ipsec,none}". > > Signed-off-by: Florian Westphal <fw@strlen.de> > --- > include/uapi/linux/netfilter/nf_tables.h | 2 ++ > net/netfilter/nft_meta.c | 39 ++++++++++++++++++++++++++++++++ > 2 files changed, 41 insertions(+) > > diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h > index a3ee277b17a1..2efbf9744c2a 100644 > --- a/include/uapi/linux/netfilter/nf_tables.h > +++ b/include/uapi/linux/netfilter/nf_tables.h > @@ -777,6 +777,7 @@ enum nft_exthdr_attributes { > * @NFT_META_OIFGROUP: packet output interface group > * @NFT_META_CGROUP: socket control group (skb->sk->sk_classid) > * @NFT_META_PRANDOM: a 32bit pseudo-random number > + * @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp) > */ > enum nft_meta_keys { > NFT_META_LEN, > @@ -804,6 +805,7 @@ enum nft_meta_keys { > NFT_META_OIFGROUP, > NFT_META_CGROUP, > NFT_META_PRANDOM, > + NFT_META_SECPATH, > }; > > /** > diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c > index 5a60eb23a7ed..63a013ad4077 100644 > --- a/net/netfilter/nft_meta.c > +++ b/net/netfilter/nft_meta.c > @@ -210,6 +210,11 @@ void nft_meta_get_eval(const struct nft_expr *expr, > *dest = prandom_u32_state(state); > break; > } > +#ifdef CONFIG_XFRM > + case NFT_META_SECPATH: > + nft_reg_store8(dest, !!skb->sp); > + break; > +#endif > default: > WARN_ON(1); > goto err; > @@ -308,6 +313,11 @@ int nft_meta_get_init(const struct nft_ctx *ctx, > prandom_init_once(&nft_prandom_state); > len = sizeof(u32); > break; > +#ifdef CONFIG_XFRM > + case NFT_META_SECPATH: > + len = sizeof(u8); > + break; > +#endif > default: > return -EOPNOTSUPP; > } 
> @@ -318,6 +328,34 @@ int nft_meta_get_init(const struct nft_ctx *ctx, > } > EXPORT_SYMBOL_GPL(nft_meta_get_init); > > +int nft_meta_get_validate(const struct nft_ctx *ctx, > + const struct nft_expr *expr, > + const struct nft_data **data) > +{ > + const struct nft_meta *priv = nft_expr_priv(expr); > + unsigned int hooks; > + > + if (priv->key != NFT_META_SECPATH) > + return 0; > + Would it worth adding here something like this? #ifnfdef CONFIG_XFRM return -EOPNOTSUPP; #endif I mean, if CONFIG_XFRM is not defined, then _get_eval() is doing nothing, right? > + switch (ctx->afi->family) { > + case NFPROTO_NETDEV: > + hooks = 1 << NF_NETDEV_INGRESS; > + break; > + case NFPROTO_IPV4: > + case NFPROTO_IPV6: > + case NFPROTO_INET: > + hooks = (1 << NF_INET_PRE_ROUTING) | > + (1 << NF_INET_LOCAL_IN) | > + (1 << NF_INET_FORWARD); > + break; > + default: > + return -EOPNOTSUPP; > + } > + > + return nft_chain_validate_hooks(ctx->chain, hooks); > +} -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Arturo Borrero Gonzalez <arturo@netfilter.org> wrote: > > + if (priv->key != NFT_META_SECPATH) > > + return 0; > > + > > Would it worth adding here something like this? > > #ifnfdef CONFIG_XFRM > return -EOPNOTSUPP; > #endif > > I mean, if CONFIG_XFRM is not defined, then _get_eval() is doing nothing, right? Right, I'll add it. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Hi Florian, I love your patch! Perhaps something to improve: [auto build test WARNING on nf-next/master] url: https://github.com/0day-ci/linux/commits/Florian-Westphal/netfilter-meta-secpath-support/20171204-124857 base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master reproduce: # apt-get install sparse make ARCH=x86_64 allmodconfig make C=1 CF=-D__CHECK_ENDIAN__ sparse warnings: (new ones prefixed by >>) Please review and possibly fold the followup patch. --- 0-DAY kernel test infrastructure Open Source Technology Center https://lists.01.org/pipermail/kbuild-all Intel Corporation -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index a3ee277b17a1..2efbf9744c2a 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -777,6 +777,7 @@ enum nft_exthdr_attributes {
 * @NFT_META_OIFGROUP: packet output interface group
 * @NFT_META_CGROUP: socket control group (skb->sk->sk_classid)
 * @NFT_META_PRANDOM: a 32bit pseudo-random number
+ * @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp)
 */
 enum nft_meta_keys {
 NFT_META_LEN,
@@ -804,6 +805,7 @@ enum nft_meta_keys {
 NFT_META_OIFGROUP,
 NFT_META_CGROUP,
 NFT_META_PRANDOM,
+ NFT_META_SECPATH,
 };
 /**
diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
index 5a60eb23a7ed..63a013ad4077 100644
--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -210,6 +210,11 @@ void nft_meta_get_eval(const struct nft_expr *expr,
 *dest = prandom_u32_state(state);
 break;
 }
+#ifdef CONFIG_XFRM
+ case NFT_META_SECPATH:
+ nft_reg_store8(dest, !!skb->sp);
+ break;
+#endif
 default:
 WARN_ON(1);
 goto err;
@@ -308,6 +313,11 @@ int nft_meta_get_init(const struct nft_ctx *ctx,
 prandom_init_once(&nft_prandom_state);
 len = sizeof(u32);
 break;
+#ifdef CONFIG_XFRM
+ case NFT_META_SECPATH:
+ len = sizeof(u8);
+ break;
+#endif
 default:
 return -EOPNOTSUPP;
 }
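Review bot: The NFT_META_SECPATH case in the nft_meta_get_eval hunk reads the raw `skb->sp` pointer, which hard-wires this expression to the secpath living in a struct sk_buff field; the enum comment in the nf_tables.h hunk already calls the value `secpath_exists`, so if an inline helper of that name is available in include/net/xfrm.h, `nft_reg_store8(dest, secpath_exists(skb));` keeps the check correct should the secpath ever be attached differently. Whether or not such a helper exists, a one-line comment on the case explaining when the secpath is populated (presumably by xfrm on the input path; worth confirming) would tell a reader why the value is only meaningful on input-side hooks. The kernel-doc line in the first hunk could also record the width, `* @NFT_META_SECPATH: boolean (8 bit), secpath_exists (!!skb->sp)`, matching `len = sizeof(u8)` in nft_meta_get_init and the "32bit" wording used for NFT_META_PRANDOM. Both nft_meta_get_eval and nft_meta_get_init start and end outside their hunks.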
@@ -318,6 +328,34 @@ int nft_meta_get_init(const struct nft_ctx *ctx,
 }
 EXPORT_SYMBOL_GPL(nft_meta_get_init);
+int nft_meta_get_validate(const struct nft_ctx *ctx,
+ const struct nft_expr *expr,
+ const struct nft_data **data)
+{
+ const struct nft_meta *priv = nft_expr_priv(expr);
+ unsigned int hooks;
+
+ if (priv->key != NFT_META_SECPATH)
+ return 0;
+
+ switch (ctx->afi->family) {
+ case NFPROTO_NETDEV:
+ hooks = 1 << NF_NETDEV_INGRESS;
+ break;
+ case NFPROTO_IPV4:
+ case NFPROTO_IPV6:
+ case NFPROTO_INET:
+ hooks = (1 << NF_INET_PRE_ROUTING) |
+ (1 << NF_INET_LOCAL_IN) |
+ (1 << NF_INET_FORWARD);
+ break;
+ default:
+ return -EOPNOTSUPP;
+ }
+
+ return nft_chain_validate_hooks(ctx->chain, hooks);
+}
+
 int nft_meta_set_validate(const struct nft_ctx *ctx,
+ const struct nft_expr *expr,
+ const struct nft_data **data)
@@ -434,6 +472,7 @@ static const struct nft_expr_ops nft_meta_get_ops = {
 .eval = nft_meta_get_eval,
 .init = nft_meta_get_init,
 .dump = nft_meta_get_dump,
+ .validate = nft_meta_get_validate,
 };
 static const struct nft_expr_ops nft_meta_set_ops = {
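Review bot: The hook mask computed in nft_meta_get_validate is not explained anywhere in the hunk; a reader has to derive from the commit message ("-m policy --dir in") why NF_INET_LOCAL_OUT and NF_INET_POST_ROUTING chains are rejected while pre-routing, input and forward are accepted. A comment above the switch such as `/* the secpath only carries input-side state, so restrict the key to input hooks */` would make the restriction self-documenting, with the input-only assumption worth confirming against the xfrm code. The function also deserves a short header comment stating that it returns 0 (no restriction) for every key other than NFT_META_SECPATH and -EOPNOTSUPP for families without a suitable hook, since the last hunk wires it into nft_meta_get_ops as `.validate` where those return values decide whether a rule is accepted. The @@ -318 hunk cuts through the end of nft_meta_get_init and the start of nft_meta_set_validate, both of which continue outside it.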
replacement for iptables "-m policy --dir in --policy {ipsec,none}". Signed-off-by: Florian Westphal <fw@strlen.de> --- include/uapi/linux/netfilter/nf_tables.h | 2 ++ net/netfilter/nft_meta.c | 39 ++++++++++++++++++++++++++++++++ 2 files changed, 41 insertions(+)