| Message ID | 20180406034516.17700-1-jack.ma@alliedtelesis.co.nz |
|---|---|
| State | Accepted |
| Delegated to: | Pablo Neira |
| Headers | show |
| Series | xt_connmark: Add bit mapping for bit-shift operation. | expand |
Jack Ma <jack.ma@alliedtelesis.co.nz> wrote: > With the additiona of bit-shift operations, we are able > to shift ct/skbmark based on user requirements. However, > this change might also cause the most left/right hand- > side mark to be accidentially lost during shift operations. > > This patch adds the ability to 'grep' ceratin bits based > on ctmask or nfmask out of the original mark. Then apply > shift operations to achieve a new mapping between ctmark > and skb->mark. > > For example. > > If someone would like save the fourth F bits of ctmark 0xFFF(F)000F > into the seventh hexadecimal (0) skb->mark 0xABC000(0)E. > > new_targetmark = (ctmark & ctmask) >> 12; > (new) skb->mark = (skb->mark &~nfmask) ^ > new_targetmark; > > This will preserve the other bits that are not related to > this operation. > > Reviewed-by: Florian Westphal <fw@strlen.de> I don't recall having seen this patch before. That being said, it looks ok to me. You might have mentioned that this patch is for 'nf' tree, after having merged -next, as this patch changes user-visible behaviour (which should be fine in this case as the original change isn't part of 4.16). -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
On Fri, Apr 06, 2018 at 11:14:12AM +0200, Florian Westphal wrote: > Jack Ma <jack.ma@alliedtelesis.co.nz> wrote: > > With the additiona of bit-shift operations, we are able > > to shift ct/skbmark based on user requirements. However, > > this change might also cause the most left/right hand- > > side mark to be accidentially lost during shift operations. > > > > This patch adds the ability to 'grep' ceratin bits based > > on ctmask or nfmask out of the original mark. Then apply > > shift operations to achieve a new mapping between ctmark > > and skb->mark. > > > > For example. > > > > If someone would like save the fourth F bits of ctmark 0xFFF(F)000F > > into the seventh hexadecimal (0) skb->mark 0xABC000(0)E. > > > > new_targetmark = (ctmark & ctmask) >> 12; > > (new) skb->mark = (skb->mark &~nfmask) ^ > > new_targetmark; > > > > This will preserve the other bits that are not related to > > this operation. > > > > Reviewed-by: Florian Westphal <fw@strlen.de> > > I don't recall having seen this patch before. > > That being said, it looks ok to me. > > You might have mentioned that this patch is for 'nf' tree, after > having merged -next, as this patch changes user-visible behaviour > (which should be fine in this case as the original change isn't part > of 4.16). Applied to nf.git including the Fixes: tag. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c index 773da82190dc..710bc2bfe020 100644 --- a/net/netfilter/xt_connmark.c +++ b/net/netfilter/xt_connmark.c @@ -43,6 +43,7 @@ connmark_tg_shift(struct sk_buff *skb, enum ip_conntrack_info ctinfo; struct nf_conn *ct; u_int32_t newmark; + u_int32_t new_targetmark; ct = nf_ct_get(skb, &ctinfo); if (ct == NULL) @@ -61,24 +62,26 @@ connmark_tg_shift(struct sk_buff *skb, } break; case XT_CONNMARK_SAVE: - newmark = (ct->mark & ~info->ctmask) ^ - (skb->mark & info->nfmask); + new_targetmark = (skb->mark & info->nfmask); if (shift_dir == D_SHIFT_RIGHT) - newmark >>= shift_bits; + new_targetmark >>= shift_bits; else - newmark <<= shift_bits; + new_targetmark <<= shift_bits; + newmark = (ct->mark & ~info->ctmask) ^ + new_targetmark; if (ct->mark != newmark) { ct->mark = newmark; nf_conntrack_event_cache(IPCT_MARK, ct); } break; case XT_CONNMARK_RESTORE: - newmark = (skb->mark & ~info->nfmask) ^ - (ct->mark & info->ctmask); + new_targetmark = (ct->mark & info->ctmask); if (shift_dir == D_SHIFT_RIGHT) - newmark >>= shift_bits; + new_targetmark >>= shift_bits; else - newmark <<= shift_bits; + new_targetmark <<= shift_bits; + newmark = (skb->mark & ~info->nfmask) ^ + new_targetmark; skb->mark = newmark; break; }
With the additiona of bit-shift operations, we are able to shift ct/skbmark based on user requirements. However, this change might also cause the most left/right hand- side mark to be accidentially lost during shift operations. This patch adds the ability to 'grep' ceratin bits based on ctmask or nfmask out of the original mark. Then apply shift operations to achieve a new mapping between ctmark and skb->mark. For example. If someone would like save the fourth F bits of ctmark 0xFFF(F)000F into the seventh hexadecimal (0) skb->mark 0xABC000(0)E. new_targetmark = (ctmark & ctmask) >> 12; (new) skb->mark = (skb->mark &~nfmask) ^ new_targetmark; This will preserve the other bits that are not related to this operation. Reviewed-by: Florian Westphal <fw@strlen.de> Signed-off-by: Jack Ma <jack.ma@alliedtelesis.co.nz> --- net/netfilter/xt_connmark.c | 19 +++++++++++-------- 1 file changed, 11 insertions(+), 8 deletions(-)