From patchwork Wed Dec 5 19:22:18 2012
X-Patchwork-Submitter: Willem de Bruijn
X-Patchwork-Id: 203927
X-Patchwork-Delegate: davem@davemloft.net
From: Willem de Bruijn
To: netfilter-devel@vger.kernel.org, netdev@vger.kernel.org, edumazet@google.com, davem@davemloft.net, kaber@trash.net, pablo@netfilter.org
Cc: Willem de Bruijn
Subject: [PATCH 1/2] netfilter: add xt_priority xtables match
Date: Wed, 5 Dec 2012 14:22:18 -0500
Message-Id: <1354735339-13402-2-git-send-email-willemb@google.com>
X-Mailer: git-send-email 1.7.7.3
In-Reply-To: <1354735339-13402-1-git-send-email-willemb@google.com>
References: <1354735339-13402-1-git-send-email-willemb@google.com>
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
X-Mailing-List: netdev@vger.kernel.org

Add an iptables match based on the skb->priority field. This field can be set by socket option SO_PRIORITY, among others. The match supports range based matching on packet priority, with optional inversion. Before matching, a mask can be applied to the priority field to handle the case where different regions of the bitfield are reserved for unrelated uses.

--- include/linux/netfilter/xt_priority.h | 13 ++++++++ net/netfilter/Kconfig | 9 ++++++ net/netfilter/Makefile | 1 + net/netfilter/xt_priority.c | 51 +++++++++++++++++++++++++++++++++ 4 files changed, 74 insertions(+), 0 deletions(-) create mode 100644 include/linux/netfilter/xt_priority.h create mode 100644 net/netfilter/xt_priority.c diff --git a/include/linux/netfilter/xt_priority.h b/include/linux/netfilter/xt_priority.h new file mode 100644 index 0000000..da9a288 --- /dev/null +++ b/include/linux/netfilter/xt_priority.h @@ -0,0 +1,13 @@ +#ifndef _XT_PRIORITY_H +#define _XT_PRIORITY_H + +#include + +struct xt_priority_info { + __u32 min; + __u32 max; + __u32 mask; + __u8 invert; +}; + +#endif /*_XT_PRIORITY_H */ 
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index fefa514..c9739c6 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig @@ -1093,6 +1093,15 @@ config NETFILTER_XT_MATCH_PKTTYPE To compile it as a module, choose M here. If unsure, say N. +config NETFILTER_XT_MATCH_PRIORITY + tristate '"priority" match support' + depends on NETFILTER_ADVANCED + help + This option adds a match based on the value of the sk_buff + priority field. + + To compile it as a module, choose M here. If unsure, say N. + config NETFILTER_XT_MATCH_QUOTA tristate '"quota" match support' depends on NETFILTER_ADVANCED diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile index 3259697..8e5602f 100644 --- a/net/netfilter/Makefile +++ b/net/netfilter/Makefile @@ -124,6 +124,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_OWNER) += xt_owner.o obj-$(CONFIG_NETFILTER_XT_MATCH_PHYSDEV) += xt_physdev.o obj-$(CONFIG_NETFILTER_XT_MATCH_PKTTYPE) += xt_pkttype.o obj-$(CONFIG_NETFILTER_XT_MATCH_POLICY) += xt_policy.o +obj-$(CONFIG_NETFILTER_XT_MATCH_PRIORITY) += xt_priority.o obj-$(CONFIG_NETFILTER_XT_MATCH_QUOTA) += xt_quota.o obj-$(CONFIG_NETFILTER_XT_MATCH_RATEEST) += xt_rateest.o obj-$(CONFIG_NETFILTER_XT_MATCH_REALM) += xt_realm.o diff --git a/net/netfilter/xt_priority.c b/net/netfilter/xt_priority.c new file mode 100644 index 0000000..4982eee --- /dev/null +++ b/net/netfilter/xt_priority.c 
@@ -0,0 +1,51 @@ +/* Xtables module to match packets based on their sk_buff priority field. + * Copyright 2012 Google Inc. + * Written by Willem de Bruijn + * + * This program is free software; you can redistribute it and/or modify + * it under the terms of the GNU General Public License version 2 as + * published by the Free Software Foundation. + */ + +#include +#include + +#include +#include + +MODULE_AUTHOR("Willem de Bruijn "); +MODULE_DESCRIPTION("Xtables: priority filter match"); +MODULE_LICENSE("GPL"); +MODULE_ALIAS("ipt_priority"); +MODULE_ALIAS("ip6t_priority"); + +static bool priority_mt(const struct sk_buff *skb, + struct xt_action_param *par) +{ + const struct xt_priority_info *info = par->matchinfo; + + __u32 priority = skb->priority & info->mask; + return (priority >= info->min && priority <= info->max) ^ info->invert; +} + +static struct xt_match priority_mt_reg __read_mostly = { + .name = "priority", + .revision = 0, + .family = NFPROTO_UNSPEC, + .match = priority_mt, + .matchsize = sizeof(struct xt_priority_info), + .me = THIS_MODULE, +}; + +static int __init priority_mt_init(void) +{ + return xt_register_match(&priority_mt_reg); +} + +static void __exit priority_mt_exit(void) +{ + xt_unregister_match(&priority_mt_reg); +} + +module_init(priority_mt_init); +module_exit(priority_mt_exit);
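
Review bot: in include/linux/netfilter/xt_priority.h, struct xt_priority_info ends in `__u8 invert;` after three `__u32` members, so the compiler adds three bytes of trailing padding, and because xt_priority.c sets `.matchsize = sizeof(struct xt_priority_info)` those unnamed bytes become part of the blob exchanged with userspace. Consider making the padding explicit, or replacing `invert` with a `__u32` flags word that has a defined inversion bit, so the layout is fully specified and later options do not need a new revision.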
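
Review bot: the help text for NETFILTER_XT_MATCH_PRIORITY in net/netfilter/Kconfig says only that the match is "based on the value of the sk_buff priority field", which does not tell a user what the option is for. It would help to carry over what the commit message already states: that the field can be set via SO_PRIORITY, and that the match compares a masked value against a range with optional inversion.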
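
Review bot: priority_mt() in net/netfilter/xt_priority.c XORs the boolean range result with the userspace-supplied `info->invert` unchecked, and priority_mt_reg registers no `.checkentry`, so an invert value other than 0 or 1 makes `(priority >= info->min && priority <= info->max) ^ info->invert` non-zero in both cases and the rule matches every packet regardless of the range. Add a checkentry that rejects `invert > 1`, or normalise with `!!info->invert` in the match function. The same checkentry could also reject `min > max`, which as written is accepted and can never match un-inverted.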