From patchwork Wed Jul 11 22:50:43 2018
X-Patchwork-Submitter: Máté Eckl
X-Patchwork-Id: 942727
X-Patchwork-Delegate: pablo@netfilter.org
From: Máté Eckl
To: netfilter-devel@vger.kernel.org
Cc: phil@nwl.cc
Subject: [PATCH nft] Expose socket mark via socket expression
Date: Thu, 12 Jul 2018 00:50:43 +0200
Message-Id: <20180711225042.5352-1-ecklm94@gmail.com>
In-Reply-To: <20180711225018.dqknqgi2hif2n5cb@sch.bme.hu>
References: <20180711225018.dqknqgi2hif2n5cb@sch.bme.hu>
X-Mailing-List: netfilter-devel@vger.kernel.org

It can be used like ct mark or meta mark except it cannot be set.
Doc and tests are included.
Signed-off-by: Máté Eckl --- doc/nft.xml | 23 +++++++++++++++++++++++ include/linux/netfilter/nf_tables.h | 5 +++-- src/evaluate.c | 6 +++++- src/parser_bison.y | 2 ++ src/parser_json.c | 2 ++ src/socket.c | 8 +++++++- tests/py/inet/socket.t | 2 ++ tests/py/inet/socket.t.json | 14 ++++++++++++++ tests/py/inet/socket.t.payload | 15 +++++++++++++++ 9 files changed, 73 insertions(+), 4 deletions(-) diff --git a/doc/nft.xml b/doc/nft.xml index 190a8ee..0625d04 100644 --- a/doc/nft.xml +++ b/doc/nft.xml @@ -3058,6 +3058,13 @@ raw prerouting meta secpath exists accept boolean (1 bit) + + mark + + Value of the socket mark (SOL_SOCKET, SO_MARK) or 0 if there is no corresponding socket. + + mark + @@ -3073,6 +3080,22 @@ table inet x { socket transparent 1 mark set 0x00000001 accept } } + +# Trace packets that corresponds to a socket with a mark value of 15 +table inet x { + chain y { + type filter hook prerouting priority -150; policy accept; + socket mark 0x0000000f nftrace set 1 + } +} + +# Set packet mark to socket mark +table inet x { + chain y { + type filter hook prerouting priority -150; policy accept; + tcp dport 8080 mark set socket mark + } +} diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h index 88e0ca1..ad42d05 100644 --- a/include/linux/netfilter/nf_tables.h +++ b/include/linux/netfilter/nf_tables.h @@ -923,11 +923,12 @@ enum nft_socket_attributes { /* * enum nft_socket_keys - nf_tables socket expression keys * - * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option_ + * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option + * @NFT_SOCKET_MARK: Value of the socket mark */ enum nft_socket_keys { NFT_SOCKET_TRANSPARENT, - + NFT_SOCKET_MARK, __NFT_SOCKET_MAX }; #define NFT_SOCKET_MAX (__NFT_SOCKET_MAX - 1) diff --git a/src/evaluate.c b/src/evaluate.c index 61cdff0..2b0e6fa 100644 --- a/src/evaluate.c +++ b/src/evaluate.c 
@@ -1719,8 +1719,12 @@ static int expr_evaluate_meta(struct eval_ctx *ctx, struct expr **exprp) static int expr_evaluate_socket(struct eval_ctx *ctx, struct expr **expr) { + int maxval = 0; + + if((*expr)->socket.key == NFT_SOCKET_TRANSPARENT) + maxval = 1; __expr_set_context(&ctx->ectx, (*expr)->dtype, (*expr)->byteorder, - (*expr)->len, 1); + (*expr)->len, maxval); return 0; } diff --git a/src/parser_bison.y b/src/parser_bison.y index 98bfeba..0ee2ebd 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -2487,6 +2487,7 @@ primary_stmt_expr : symbol_expr { $$ = $1; } | hash_expr { $$ = $1; } | payload_expr { $$ = $1; } | keyword_expr { $$ = $1; } + | socket_expr { $$ = $1; } ; shift_stmt_expr : primary_stmt_expr @@ -3575,6 +3576,7 @@ socket_expr : SOCKET socket_key ; socket_key : TRANSPARENT { $$ = NFT_SOCKET_TRANSPARENT; } + | MARK { $$ = NFT_SOCKET_MARK; } ; offset_opt : /* empty */ { $$ = 0; } diff --git a/src/parser_json.c b/src/parser_json.c index 8f29aaf..80364d9 100644 --- a/src/parser_json.c +++ b/src/parser_json.c @@ -358,6 +358,8 @@ static struct expr *json_parse_socket_expr(struct json_ctx *ctx, if (!strcmp(key, "transparent")) keyval = NFT_SOCKET_TRANSPARENT; + else if (!strcmp(key, "mark")) + keyval = NFT_SOCKET_MARK; if (keyval == -1) { json_error(ctx, "Invalid socket key value."); diff --git a/src/socket.c b/src/socket.c index 7cfe5a9..c963699 100644 --- a/src/socket.c +++ b/src/socket.c @@ -18,7 +18,13 @@ const struct socket_template socket_templates[] = { .dtype = &integer_type, .len = BITS_PER_BYTE, .byteorder = BYTEORDER_HOST_ENDIAN, - } + }, + [NFT_SOCKET_MARK] = { + .token = "mark", + .dtype = &mark_type, + .len = 4 * BITS_PER_BYTE, + .byteorder = BYTEORDER_HOST_ENDIAN, + }, }; static void socket_expr_print(const struct expr *expr, struct output_ctx *octx) diff --git a/tests/py/inet/socket.t b/tests/py/inet/socket.t index 8edfa78..91846e8 100644 --- a/tests/py/inet/socket.t +++ b/tests/py/inet/socket.t 
@@ -7,3 +7,5 @@ socket transparent 0;ok socket transparent 1;ok socket transparent 2;fail + +socket mark 0x00000005;ok diff --git a/tests/py/inet/socket.t.json b/tests/py/inet/socket.t.json index c1ac1d1..235c3e9 100644 --- a/tests/py/inet/socket.t.json +++ b/tests/py/inet/socket.t.json @@ -26,3 +26,17 @@ } ] +# socket mark 0x00000005 +[ + { + "match": { + "left": { + "socket": { + "key": "mark" + } + }, + "right": 5 + } + } +] + diff --git a/tests/py/inet/socket.t.payload b/tests/py/inet/socket.t.payload index acad2ac..687b7a4 100644 --- a/tests/py/inet/socket.t.payload +++ b/tests/py/inet/socket.t.payload @@ -28,3 +28,18 @@ inet sockin sockchain [ socket load transparent => reg 1 ] [ cmp eq reg 1 0x00000001 ] +# socket mark 0x00000005 +ip sockip4 sockchain + [ socket load mark => reg 1 ] + [ cmp eq reg 1 0x00000005 ] + +# socket mark 0x00000005 +ip6 sockip6 sockchain + [ socket load mark => reg 1 ] + [ cmp eq reg 1 0x00000005 ] + +# socket mark 0x00000005 +inet sockin sockchain + [ socket load mark => reg 1 ] + [ cmp eq reg 1 0x00000005 ] +
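Review bot: in the doc/nft.xml hunk, the comment on the first new example has a grammar slip: "Trace packets that corresponds to a socket" should read "Trace packets that correspond to a socket". Since the new key description says the value is 0 when there is no corresponding socket, it would also help to state in the same description that `socket mark 0` matches both a socket whose mark is unset and a packet with no socket at all, so nobody writes a rule that treats 0 as "has a socket".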
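Review bot: the include/linux/netfilter/nf_tables.h hunk edits a uapi header copy, so the value of NFT_SOCKET_MARK (the entry directly after NFT_SOCKET_TRANSPARENT) must be identical to the kernel commit that introduces the key; please make this hunk a verbatim sync of that kernel header rather than a hand edit, and note the kernel dependency in the commit message. The unrelated fix of the stray trailing underscore on the `@NFT_SOCKET_TRANSPARENT` comment line is fine to carry along only if it matches what the kernel header now says.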
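Review bot: in the src/evaluate.c hunk, `if((*expr)->socket.key == NFT_SOCKET_TRANSPARENT)` is missing the space after `if` that the rest of the file uses; write `if ((*expr)->socket.key == NFT_SOCKET_TRANSPARENT)`. Leaving `maxval` at 0 for NFT_SOCKET_MARK relies on 0 meaning "no upper bound" in `__expr_set_context`; a one-line comment saying so would save the next reader a lookup, and a `switch` on the key would be easier to extend than a chain of ifs once a third socket key is added.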
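Review bot: the tests/py/inet/socket.t hunk adds only the match case `socket mark 0x00000005;ok`, but the src/parser_bison.y hunk also adds `socket_expr` to `primary_stmt_expr` precisely so that `mark set socket mark` (the second new doc example) parses as a statement argument; that path has no test. Please add a line such as `mark set socket mark;ok` with the matching socket.t.json and socket.t.payload entries, and a fail case for an out-of-range value mirroring the existing `socket transparent 2;fail`, so the evaluate.c change is exercised for the mark key too.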