From patchwork Fri Jan 12 12:57:25 2018
X-Patchwork-Submitter: Eyal Birger
X-Patchwork-Id: 859890
X-Patchwork-Delegate: davem@davemloft.net
From: Eyal Birger
To: netdev@vger.kernel.org, pablo@netfilter.org, jhs@mojatatu.com
Cc: coreteam@netfilter.org, shmulik@metanetworks.com, Eyal Birger
Subject: [PATCH net-next 2/2] net: sched: add xfrm policy ematch
Date: Fri, 12 Jan 2018 14:57:25 +0200
Message-Id: <1515761845-31323-3-git-send-email-eyal.birger@gmail.com>
In-Reply-To: <1515761845-31323-1-git-send-email-eyal.birger@gmail.com>
References: <1515761845-31323-1-git-send-email-eyal.birger@gmail.com>
X-Mailing-List: netdev@vger.kernel.org

From: Eyal Birger

Allows classification based on the incoming IPSec policy used during decapsulation.

This allows similar matching capabilities to those provided by netfilter xt_policy module, and uses the same data structure - but from a tc entry point.
Signed-off-by: Eyal Birger --- include/uapi/linux/pkt_cls.h | 3 +- net/sched/Kconfig | 10 ++++ net/sched/Makefile | 1 + net/sched/em_policy.c | 117 +++++++++++++++++++++++++++++++++++++++++++ 4 files changed, 130 insertions(+), 1 deletion(-) create mode 100644 net/sched/em_policy.c diff --git a/include/uapi/linux/pkt_cls.h b/include/uapi/linux/pkt_cls.h index 46c5066..963842c 100644 --- a/include/uapi/linux/pkt_cls.h +++ b/include/uapi/linux/pkt_cls.h @@ -555,7 +555,8 @@ enum { #define TCF_EM_VLAN 6 #define TCF_EM_CANID 7 #define TCF_EM_IPSET 8 -#define TCF_EM_MAX 8 +#define TCF_EM_POLICY 9 +#define TCF_EM_MAX 9 enum { TCF_EM_PROG_TC diff --git a/net/sched/Kconfig b/net/sched/Kconfig index c03d86a..0670f53 100644 --- a/net/sched/Kconfig +++ b/net/sched/Kconfig @@ -658,6 +658,16 @@ config NET_EMATCH_IPSET To compile this code as a module, choose M here: the module will be called em_ipset. +config NET_EMATCH_POLICY + tristate "Policy" + depends on NET_EMATCH && NETFILTER_XT_MATCH_POLICY + ---help--- + Say Y here if you want to be able to classify packets based on + IPsec policy that was used during decapsulation + + To compile this code as a module, choose M here: the + module will be called em_policy. + config NET_CLS_ACT bool "Actions" select NET_CLS diff --git a/net/sched/Makefile b/net/sched/Makefile index 5b63544..7ca02a1 100644 --- a/net/sched/Makefile +++ b/net/sched/Makefile @@ -75,3 +75,4 @@ obj-$(CONFIG_NET_EMATCH_META) += em_meta.o obj-$(CONFIG_NET_EMATCH_TEXT) += em_text.o obj-$(CONFIG_NET_EMATCH_CANID) += em_canid.o obj-$(CONFIG_NET_EMATCH_IPSET) += em_ipset.o +obj-$(CONFIG_NET_EMATCH_POLICY) += em_policy.o diff --git a/net/sched/em_policy.c b/net/sched/em_policy.c new file mode 100644 index 0000000..94ef318 --- /dev/null +++ b/net/sched/em_policy.c 
@@ -0,0 +1,117 @@ +/* + * net/sched/em_policy.c IPSec Policy Ematch + * + * (c) 2018 Eyal Birger + * + * Parts taken from netfilter/xt_policy.h: + * Copyright (c) 2004,2005 Patrick McHardy, + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version + * 2 of the License, or (at your option) any later version. + */ + +#include +#include +#include +#include +#include +#include +#include +#include +#include +#include + +static int em_policy_change(struct net *net, void *data, int data_len, + struct tcf_ematch *em) +{ + const struct xt_policy_info *info = (const void *)data; + __u16 dir_flags; + + if (data_len != sizeof(*info)) + return -EINVAL; + + if (info->len > XT_POLICY_MAX_ELEM) { + pr_info("too many policy elements\n"); + return -EINVAL; + } + + dir_flags = info->flags & (XT_POLICY_MATCH_IN | XT_POLICY_MATCH_OUT); + if (dir_flags != XT_POLICY_MATCH_IN) { + pr_info("Only incoming policy can be matched\n"); + return -EINVAL; + } + + em->datalen = sizeof(*info); + em->data = (unsigned long)kmemdup(data, em->datalen, GFP_KERNEL); + if (!em->data) + return -ENOMEM; + + return 0; +} + +static void em_policy_destroy(struct tcf_ematch *em) +{ + const struct xt_policy_info *info = (const void *)em->data; + + if (!info) + return; + + kfree((void *)em->data); +} + +static int em_policy_match(struct sk_buff *skb, struct tcf_ematch *em, + struct tcf_pkt_info *info) +{ + const struct xt_policy_info *pol = (const void *)em->data; + unsigned short pf; + int ret; + + switch (tc_skb_protocol(skb)) { + case htons(ETH_P_IP): + pf = NFPROTO_IPV4; + break; + case htons(ETH_P_IPV6): + pf = NFPROTO_IPV6; + break; + default: + return false; + } + + ret = xt_policy_match_policy_in(skb, pol, pf); + if (ret < 0) + ret = pol->flags & XT_POLICY_MATCH_NONE ? 
true : false; + else if (pol->flags & XT_POLICY_MATCH_NONE) + ret = false; + + return ret; +} + +static struct tcf_ematch_ops em_policy_ops = { + .kind = TCF_EM_POLICY, + .change = em_policy_change, + .destroy = em_policy_destroy, + .match = em_policy_match, + .owner = THIS_MODULE, + .link = LIST_HEAD_INIT(em_policy_ops.link) +}; + +static int __init init_em_policy(void) +{ + return tcf_em_register(&em_policy_ops); +} + +static void __exit exit_em_policy(void) +{ + tcf_em_unregister(&em_policy_ops); +} + +MODULE_LICENSE("GPL"); +MODULE_AUTHOR("Eyal Birger "); +MODULE_DESCRIPTION("TC extended match for IPSec policies"); + +module_init(init_em_policy); +module_exit(exit_em_policy); + +MODULE_ALIAS_TCF_EMATCH(TCF_EM_POLICY);
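Review bot: the NET_EMATCH_POLICY help text should state that only the incoming policy (the one used during decapsulation) can be matched, because em_policy_change rejects XT_POLICY_MATCH_OUT with "Only incoming policy can be matched" and a user reading "classify packets based on IPsec policy" will otherwise expect the full xt_policy IN/OUT semantics; unlike xt_policy there is no hook mask here, so attaching the match to an egress qdisc is not rejected and simply never sees a decapsulation sec_path. The first help paragraph is also missing its full stop: "IPsec policy that was used during decapsulation" should end with a period, matching the em_ipset entry above it.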
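Review bot: the two pr_info() calls in em_policy_change ("too many policy elements", "Only incoming policy can be matched") are reached directly from user-supplied ematch data and are not rate limited, so a misbehaving tc client can fill the log; use pr_info_ratelimited() or just return -EINVAL without printing. Two smaller points in the same file: em_policy_destroy's `if (!info) return;` is redundant since kfree(NULL) is a no-op, so the body can be just `kfree((void *)em->data);`, and the header comment credits netfilter/xt_policy.h while the copied match handling in em_policy_match (the `ret < 0` / XT_POLICY_MATCH_NONE branches) comes from net/netfilter/xt_policy.c, so the attribution should name the .c file.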