[v2,nf-next,4/5] netfilter: nft: rt nexthop for IPv6 family

Message ID	1476902449.1161.23.camel@cohaesio.com
State	Accepted
Delegated to:	Pablo Neira
Headers	show Return-Path: <netfilter-devel-owner@vger.kernel.org> From: "Anders K. Pedersen \| Cohaesio" <akp@cohaesio.com> To: "netfilter-devel@vger.kernel.org" <netfilter-devel@vger.kernel.org>, "pablo@netfilter.org" <pablo@netfilter.org> Subject: [PATCH v2 nf-next 4/5] netfilter: nft: rt nexthop for IPv6 family Thread-Topic: [PATCH v2 nf-next 4/5] netfilter: nft: rt nexthop for IPv6 family Thread-Index: AQHSKjhQSDX8K1zpCEexJ2MAX2elHg== Date: Wed, 19 Oct 2016 18:40:49 +0000 Message-ID: <1476902449.1161.23.camel@cohaesio.com> References: <1476902043.1161.14.camel@cohaesio.com> In-Reply-To: <1476902043.1161.14.camel@cohaesio.com> Accept-Language: en-US, da-DK Content-Language: en-US Content-Type: text/plain; charset="utf-8" Content-ID: <4E7D1B6CEBC99149B013536EE3CB7BBC@surftown.com> Content-Transfer-Encoding: base64 MIME-Version: 1.0 Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk

Message ID

1476902449.1161.23.camel@cohaesio.com

State

Accepted

Delegated to:

Pablo Neira

Headers

From: "Anders K. Pedersen | Cohaesio" <akp@cohaesio.com>
To: "netfilter-devel@vger.kernel.org" <netfilter-devel@vger.kernel.org>,
	"pablo@netfilter.org" <pablo@netfilter.org>
Subject: [PATCH v2 nf-next 4/5] netfilter: nft: rt nexthop for IPv6 family
Thread-Topic: [PATCH v2 nf-next 4/5] netfilter: nft: rt nexthop for IPv6
	family
Thread-Index: AQHSKjhQSDX8K1zpCEexJ2MAX2elHg==
Date: Wed, 19 Oct 2016 18:40:49 +0000
Message-ID: <1476902449.1161.23.camel@cohaesio.com>
References: <1476902043.1161.14.camel@cohaesio.com>
In-Reply-To: <1476902043.1161.14.camel@cohaesio.com>
Accept-Language: en-US, da-DK
Content-Language: en-US
Content-Type: text/plain; charset="utf-8"
Content-ID: <4E7D1B6CEBC99149B013536EE3CB7BBC@surftown.com>
Content-Transfer-Encoding: base64
MIME-Version: 1.0
Sender: netfilter-devel-owner@vger.kernel.org
Precedence: bulk

Commit Message

Anders K. Pedersen | Cohaesio Oct. 19, 2016, 6:40 p.m. UTC

From: Anders K. Pedersen <akp@cohaesio.com>


Add nftables IPv6 family support for an "rt ip6 nexthop" expression
allowing usage of the routing nexthop (i.e. the directly connected IP
address that an outgoing packet is sent to) for matching or accounting, eg.

 # nft add rule ip6 filter postrouting \
	ip6 daddr fd01::/16 rt ip6 nexthop != fd00::1 drop

This will drop any traffic to fd01::/16 that is not routed via fd00::1.

 # nft add rule ip6 filter postrouting \
	flow table acct { rt ip6 nexthop timeout 600s counter }

This rule counts outgoing traffic per nexthop. Note that the timeout
releases an entry if no traffic is seen for this nexthop within 10 minutes.

Signed-off-by: Anders K. Pedersen <akp@cohaesio.com>

---
v2
- remove nft_rt_ipv6_select_ops

 net/ipv6/netfilter/Kconfig               |   4 +
 net/ipv6/netfilter/Makefile              |   1 +
 net/ipv6/netfilter/nft_rt_ipv6.c         | 110 ++++++++++++++++++++++++
 3 files changed, 115 insertions(+)

diff --git a/net/ipv6/netfilter/Kconfig b/net/ipv6/netfilter/Kconfig
index e10a04c..8d3527e 100644
--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -42,6 +42,10 @@  config NFT_CHAIN_ROUTE_IPV6
 	  fields such as the source, destination, flowlabel, hop-limit and
 	  the packet mark.
 
+config NFT_RT_IPV6
+	default NFT_RT
+	tristate
+
 config NFT_REJECT_IPV6
 	select NF_REJECT_IPV6
 	default NFT_REJECT
diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile
index b4f7d0b..6958c35 100644
--- a/net/ipv6/netfilter/Makefile
+++ b/net/ipv6/netfilter/Makefile
@@ -36,6 +36,7 @@  obj-$(CONFIG_NF_DUP_IPV6) += nf_dup_ipv6.o
 obj-$(CONFIG_NF_TABLES_IPV6) += nf_tables_ipv6.o
 obj-$(CONFIG_NFT_CHAIN_ROUTE_IPV6) += nft_chain_route_ipv6.o
 obj-$(CONFIG_NFT_CHAIN_NAT_IPV6) += nft_chain_nat_ipv6.o
+obj-$(CONFIG_NFT_RT_IPV6) += nft_rt_ipv6.o
 obj-$(CONFIG_NFT_REJECT_IPV6) += nft_reject_ipv6.o
 obj-$(CONFIG_NFT_MASQ_IPV6) += nft_masq_ipv6.o
 obj-$(CONFIG_NFT_REDIR_IPV6) += nft_redir_ipv6.o
diff --git a/net/ipv6/netfilter/nft_rt_ipv6.c b/net/ipv6/netfilter/nft_rt_ipv6.c
new file mode 100644
index 0000000..32d8ec8
--- /dev/null
+++ b/net/ipv6/netfilter/nft_rt_ipv6.c
@@ -0,0 +1,110 @@ 
+/*
+ * Copyright (c) 2016 Anders K. Pedersen <akp@cohaesio.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ */
+
+#include <linux/kernel.h>
+#include <linux/init.h>
+#include <linux/module.h>
+#include <linux/netlink.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter/nf_tables.h>
+#include <net/ip6_route.h>
+#include <net/netfilter/nf_tables.h>
+#include <net/netfilter/nft_rt.h>
+
+static void nft_rt_ipv6_get_eval(const struct nft_expr *expr,
+				 struct nft_regs *regs,
+				 const struct nft_pktinfo *pkt)
+{
+	const struct nft_rt *priv = nft_expr_priv(expr);
+	const struct sk_buff *skb = pkt->skb;
+	u32 *dest = &regs->data[priv->dreg];
+
+	switch (priv->key) {
+	case NFT_RT_NEXTHOP: {
+		struct rt6_info *rt = (struct rt6_info *)skb_dst(skb);
+
+		if (!rt)
+			goto err;
+		memcpy(dest, rt6_nexthop(rt, &ipv6_hdr(skb)->daddr),
+		       sizeof(struct in6_addr));
+		break;
+	}
+	default:
+		return nft_rt_get_eval(expr, regs, pkt);
+	}
+
+	return;
+err:
+	regs->verdict.code = NFT_BREAK;
+}
+
+static int nft_rt_ipv6_get_init(const struct nft_ctx *ctx,
+				const struct nft_expr *expr,
+				const struct nlattr * const tb[])
+{
+	struct nft_rt *priv = nft_expr_priv(expr);
+	unsigned int len;
+
+	if (tb[NFTA_RT_KEY] == NULL ||
+	    tb[NFTA_RT_DREG] == NULL ||
+	    tb[NFTA_RT_FAMILY] == NULL)
+		return -EINVAL;
+
+	priv->key = ntohl(nla_get_be32(tb[NFTA_RT_KEY]));
+	switch (priv->key) {
+	case NFT_RT_NEXTHOP:
+		len = sizeof(struct in6_addr);
+		break;
+	default:
+		return nft_rt_get_init(ctx, expr, tb);
+	}
+
+	priv->family = ntohl(nla_get_be32(tb[NFTA_RT_FAMILY]));
+	if (priv->family != NFPROTO_IPV6)
+		return -EINVAL;
+
+	priv->dreg = nft_parse_register(tb[NFTA_RT_DREG]);
+	return nft_validate_register_store(ctx, priv->dreg, NULL,
+					   NFT_DATA_VALUE, len);
+}
+
+static struct nft_expr_type nft_rt_ipv6_type;
+static const struct nft_expr_ops nft_rt_ipv6_get_ops = {
+	.type		= &nft_rt_ipv6_type,
+	.size		= NFT_EXPR_SIZE(sizeof(struct nft_rt)),
+	.eval		= nft_rt_ipv6_get_eval,
+	.init		= nft_rt_ipv6_get_init,
+	.dump		= nft_rt_get_dump,
+};
+
+static struct nft_expr_type nft_rt_ipv6_type __read_mostly = {
+	.family         = NFPROTO_IPV6,
+	.name           = "rt",
+	.ops		= &nft_rt_ipv6_get_ops,
+	.policy         = nft_rt_policy,
+	.maxattr        = NFTA_RT_MAX,
+	.owner          = THIS_MODULE,
+};
+
+static int __init nft_rt_ipv6_module_init(void)
+{
+	return nft_register_expr(&nft_rt_ipv6_type);
+}
+
+static void __exit nft_rt_ipv6_module_exit(void)
+{
+	nft_unregister_expr(&nft_rt_ipv6_type);
+}
+
+module_init(nft_rt_ipv6_module_init);
+module_exit(nft_rt_ipv6_module_exit);
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Anders K. Pedersen <akp@cohaesio.com>");
+MODULE_ALIAS_NFT_AF_EXPR(AF_INET6, "rt");

[v2,nf-next,4/5] netfilter: nft: rt nexthop for IPv6 family

Commit Message

Patch