[nft] Expose socket mark via socket expression

Message ID 20180711225042.5352-1-ecklm94@gmail.com
State Changes Requested
Delegated to: Pablo Neira

Commit Message

Máté Eckl July 11, 2018, 10:50 p.m.
It can be used like ct mark or meta mark except it cannot be set.
Documentation and tests are included.

Signed-off-by: Máté Eckl <ecklm94@gmail.com>
---
 doc/nft.xml                         | 23 +++++++++++++++++++++++
 include/linux/netfilter/nf_tables.h |  5 +++--
 src/evaluate.c                      |  6 +++++-
 src/parser_bison.y                  |  2 ++
 src/parser_json.c                   |  2 ++
 src/socket.c                        |  8 +++++++-
 tests/py/inet/socket.t              |  2 ++
 tests/py/inet/socket.t.json         | 14 ++++++++++++++
 tests/py/inet/socket.t.payload      | 15 +++++++++++++++
 9 files changed, 73 insertions(+), 4 deletions(-)

Patch

diff --git a/doc/nft.xml b/doc/nft.xml
index 190a8ee..0625d04 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -3058,6 +3058,13 @@  raw prerouting meta secpath exists accept
 								</entry>
 								<entry>boolean (1 bit)</entry> <!-- From the aspect of the user at least. -->
 							</row>
+							<row>
+								<entry>mark</entry>
+								<entry>
+									Value of the socket mark (SOL_SOCKET, SO_MARK) or 0 if there is no corresponding socket.
+								</entry>
+								<entry>mark</entry>
+							</row>
 						</tbody>
 					</tgroup>
 				</table>
@@ -3073,6 +3080,22 @@  table inet x {
         socket transparent 1 mark set 0x00000001 accept
     }
 }
+
+# Trace packets that corresponds to a socket with a mark value of 15
+table inet x {
+    chain y {
+        type filter hook prerouting priority -150; policy accept;
+        socket mark 0x0000000f nftrace set 1
+    }
+}
+
+# Set packet mark to socket mark
+table inet x {
+    chain y {
+        type filter hook prerouting priority -150; policy accept;
+        tcp dport 8080 mark set socket mark
+    }
+}
 					</programlisting>
 				</example>
 			</para>
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 88e0ca1..ad42d05 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -923,11 +923,12 @@  enum nft_socket_attributes {
 /*
  * enum nft_socket_keys - nf_tables socket expression keys
  *
- * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option_
+ * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option
+ * @NFT_SOCKET_MARK: Value of the socket mark
  */
 enum nft_socket_keys {
 	NFT_SOCKET_TRANSPARENT,
-
+	NFT_SOCKET_MARK,
 	__NFT_SOCKET_MAX
 };
 #define NFT_SOCKET_MAX	(__NFT_SOCKET_MAX - 1)
diff --git a/src/evaluate.c b/src/evaluate.c
index 61cdff0..2b0e6fa 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -1719,8 +1719,12 @@  static int expr_evaluate_meta(struct eval_ctx *ctx, struct expr **exprp)
 
 static int expr_evaluate_socket(struct eval_ctx *ctx, struct expr **expr)
 {
+	int maxval = 0;
+
+	if((*expr)->socket.key == NFT_SOCKET_TRANSPARENT)
+		maxval = 1;
 	__expr_set_context(&ctx->ectx, (*expr)->dtype, (*expr)->byteorder,
-			   (*expr)->len, 1);
+			   (*expr)->len, maxval);
 	return 0;
 }
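Review bot: The new condition `if((*expr)->socket.key == NFT_SOCKET_TRANSPARENT)` is missing the space after `if` that the rest of this file and the sibling hunk in parser_json.c (`if (!strcmp(key, "transparent"))`) use; write `if ((*expr)->socket.key == NFT_SOCKET_TRANSPARENT)`. The meaning of leaving `maxval` at 0 for every other key also deserves a comment, because for `socket mark` the accepted range is then bounded only by the template's 32-bit `len` rather than an explicit maximum: `/* 0: no explicit maximum, the value is bounded by the key's len only */`. Presumably __expr_set_context treats 0 as "no maximum"; confirm against its definition before relying on that for future keys.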
 
diff --git a/src/parser_bison.y b/src/parser_bison.y
index 98bfeba..0ee2ebd 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -2487,6 +2487,7 @@  primary_stmt_expr	:	symbol_expr		{ $$ = $1; }
 			|	hash_expr               { $$ = $1; }
 			|	payload_expr		{ $$ = $1; }
 			|	keyword_expr		{ $$ = $1; }
+			|	socket_expr			{ $$ = $1; }
 			;
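Review bot: The new `socket_expr` alternative in primary_stmt_expr makes every socket key usable as a statement right-hand side, not only `mark`, which neither the commit message nor the tests mention; the description only says the value "cannot be set". A short comment on the rule, `/* socket keys are read-only; listed here so e.g. 'mark set socket mark' parses */`, or a sentence in the description would make the intent explicit. Whether evaluation rejects the 1-bit `transparent` key in a 32-bit `mark set` context cannot be judged from this hunk.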
 
 shift_stmt_expr		:	primary_stmt_expr
@@ -3575,6 +3576,7 @@  socket_expr		:	SOCKET	socket_key
 			;
 
 socket_key 		: TRANSPARENT { $$ = NFT_SOCKET_TRANSPARENT; }
+			|	MARK { $$ = NFT_SOCKET_MARK; }
 			;
 
 offset_opt		:	/* empty */	{ $$ = 0; }
diff --git a/src/parser_json.c b/src/parser_json.c
index 8f29aaf..80364d9 100644
--- a/src/parser_json.c
+++ b/src/parser_json.c
@@ -358,6 +358,8 @@  static struct expr *json_parse_socket_expr(struct json_ctx *ctx,
 
 	if (!strcmp(key, "transparent"))
 		keyval = NFT_SOCKET_TRANSPARENT;
+	else if (!strcmp(key, "mark"))
+		keyval = NFT_SOCKET_MARK;
 
 	if (keyval == -1) {
 		json_error(ctx, "Invalid socket key value.");
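Review bot: The `else if (!strcmp(key, "mark"))` branch extends a hand-written token list that duplicates the `.token` strings already held by `socket_templates[]` in src/socket.c, so every new socket key must be added in two places and the two lists can drift apart. If `socket_templates` is visible from this file, the lookup can walk the table and resolve `keyval` from the matching index, bounded by `NFT_SOCKET_MAX` from the uapi header, with an `int i` declared next to `keyval`; this assumes every slot from 0 to NFT_SOCKET_MAX carries a non-NULL `.token`, which holds for the two keys defined in this series. json_parse_socket_expr starts and ends outside this hunk.
```c
	/* … unchanged: fetch the "key" string from the JSON object … */
	for (i = 0; i <= NFT_SOCKET_MAX; i++) {
		if (!strcmp(key, socket_templates[i].token)) {
			keyval = i;
			break;
		}
	}
	/* … unchanged: keyval == -1 error path … */
```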
diff --git a/src/socket.c b/src/socket.c
index 7cfe5a9..c963699 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -18,7 +18,13 @@  const struct socket_template socket_templates[] = {
 					   .dtype = &integer_type,
 					   .len = BITS_PER_BYTE,
 					   .byteorder = BYTEORDER_HOST_ENDIAN,
-					  }
+					  },
+	[NFT_SOCKET_MARK]		= {
+					   .token = "mark",
+					   .dtype = &mark_type,
+					   .len = 4 * BITS_PER_BYTE,
+					   .byteorder = BYTEORDER_HOST_ENDIAN,
+					  },
 };
 
 static void socket_expr_print(const struct expr *expr, struct output_ctx *octx)
diff --git a/tests/py/inet/socket.t b/tests/py/inet/socket.t
index 8edfa78..91846e8 100644
--- a/tests/py/inet/socket.t
+++ b/tests/py/inet/socket.t
@@ -7,3 +7,5 @@ 
 socket transparent 0;ok
 socket transparent 1;ok
 socket transparent 2;fail
+
+socket mark 0x00000005;ok
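Review bot: The new case `socket mark 0x00000005;ok` covers only an in-range value; unlike `socket transparent 2;fail` just above, nothing pins the upper bound of the 32-bit mark key now that evaluate.c passes `maxval = 0` for it. A negative case such as `socket mark 0x100000000;fail` (a constructed value one past 32 bits) would catch a regression in the len-based range check, assuming the evaluator rejects values wider than the template's len. Presumably a `fail` line needs no matching entry in socket.t.json or socket.t.payload, as the existing `transparent 2;fail` case has none.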
diff --git a/tests/py/inet/socket.t.json b/tests/py/inet/socket.t.json
index c1ac1d1..235c3e9 100644
--- a/tests/py/inet/socket.t.json
+++ b/tests/py/inet/socket.t.json
@@ -26,3 +26,17 @@ 
     }
 ]
 
+# socket mark 0x00000005
+[
+    {
+        "match": {
+            "left": {
+                "socket": {
+                    "key": "mark"
+                }
+            },
+            "right": 5
+        }
+    }
+]
+
diff --git a/tests/py/inet/socket.t.payload b/tests/py/inet/socket.t.payload
index acad2ac..687b7a4 100644
--- a/tests/py/inet/socket.t.payload
+++ b/tests/py/inet/socket.t.payload
@@ -28,3 +28,18 @@  inet sockin sockchain
   [ socket load transparent => reg 1 ]
   [ cmp eq reg 1 0x00000001 ]
 
+# socket mark 0x00000005
+ip sockip4 sockchain 
+  [ socket load mark => reg 1 ]
+  [ cmp eq reg 1 0x00000005 ]
+
+# socket mark 0x00000005
+ip6 sockip6 sockchain 
+  [ socket load mark => reg 1 ]
+  [ cmp eq reg 1 0x00000005 ]
+
+# socket mark 0x00000005
+inet sockin sockchain 
+  [ socket load mark => reg 1 ]
+  [ cmp eq reg 1 0x00000005 ]
+