From patchwork Mon Apr 23 10:48:21 2018
X-Patchwork-Submitter: Ahmed Abdelsalam
X-Patchwork-Id: 902883
X-Patchwork-Delegate: pablo@netfilter.org
From: Ahmed Abdelsalam
To: pablo@netfilter.org, fw@strlen.de, davem@davemloft.net, dav.lebrun@gmail.com, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org
Cc: Ahmed Abdelsalam
Subject: [iptables 1/2] extensions: libip6t_srh: support matching previous, next and last SID
Date: Mon, 23 Apr 2018 05:48:21 -0500
Message-Id: <1524480503-1883-1-git-send-email-amsalam20@gmail.com>

This patch extends the libip6t_srh shared library to support matching
previous SID, next SID, and last SID.

Signed-off-by: Ahmed Abdelsalam
---
 extensions/libip6t_srh.c | 65 ++++++++++++++++++++++++++++++++-
 include/linux/netfilter_ipv6/ip6t_srh.h | 22 ++++++++++-
 2 files changed, 84 insertions(+), 3 deletions(-)
diff --git a/extensions/libip6t_srh.c b/extensions/libip6t_srh.c index ac0ae08..5acc2ee 100644 --- a/extensions/libip6t_srh.c +++ b/extensions/libip6t_srh.c @@ -22,6 +22,9 @@ enum { O_SRH_LAST_GT, O_SRH_LAST_LT, O_SRH_TAG, + O_SRH_PSID, + O_SRH_NSID, + O_SRH_LSID, }; static void srh_help(void) @@ -38,7 +41,10 @@ static void srh_help(void) "[!] --srh-last-entry-eq last_entry Last Entry value of SRH\n" "[!] --srh-last-entry-gt last_entry Last Entry value of SRH\n" "[!] --srh-last-entry-lt last_entry Last Entry value of SRH\n" -"[!] --srh-tag tag Tag value of SRH\n"); +"[!] --srh-tag tag Tag value of SRH\n" +"[!] --srh-psid addr[/mask] SRH previous SID\n" +"[!] --srh-nsid addr[/mask] SRH next SID\n" +"[!] --srh-lsid addr[/mask] SRH Last SID\n"); } #define s struct ip6t_srh @@ -65,6 +71,12 @@ static const struct xt_option_entry srh_opts[] = { .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, last_entry)}, { .name = "srh-tag", .id = O_SRH_TAG, .type = XTTYPE_UINT16, .flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, tag)}, + { .name = "srh-psid", .id = O_SRH_PSID, .type = XTTYPE_HOSTMASK, + .flags = XTOPT_INVERT}, + { .name = "srh-nsid", .id = O_SRH_NSID, .type = XTTYPE_HOSTMASK, + .flags = XTOPT_INVERT}, + { .name = "srh-lsid", .id = O_SRH_LSID, .type = XTTYPE_HOSTMASK, + .flags = XTOPT_INVERT}, { } }; #undef s @@ -75,6 +87,12 @@ static void srh_init(struct xt_entry_match *m) srhinfo->mt_flags = 0; srhinfo->mt_invflags = 0; + memset(srhinfo->psid_addr.s6_addr, 0, sizeof(srhinfo->psid_addr.s6_addr)); + memset(srhinfo->nsid_addr.s6_addr, 0, sizeof(srhinfo->nsid_addr.s6_addr)); + memset(srhinfo->lsid_addr.s6_addr, 0, sizeof(srhinfo->lsid_addr.s6_addr)); + memset(srhinfo->psid_msk.s6_addr, 0, sizeof(srhinfo->psid_msk.s6_addr)); + memset(srhinfo->nsid_msk.s6_addr, 0, sizeof(srhinfo->nsid_msk.s6_addr)); + memset(srhinfo->lsid_msk.s6_addr, 0, sizeof(srhinfo->lsid_msk.s6_addr)); } static void srh_parse(struct xt_option_call *cb) 
@@ -138,6 +156,27 @@ static void srh_parse(struct xt_option_call *cb) if (cb->invert) srhinfo->mt_invflags |= IP6T_SRH_INV_TAG; break; + case O_SRH_PSID: + srhinfo->mt_flags |= IP6T_SRH_PSID; + srhinfo->psid_addr = cb->val.haddr.in6; + srhinfo->psid_msk = cb->val.hmask.in6; + if (cb->invert) + srhinfo->mt_invflags |= IP6T_SRH_INV_PSID; + break; + case O_SRH_NSID: + srhinfo->mt_flags |= IP6T_SRH_NSID; + srhinfo->nsid_addr = cb->val.haddr.in6; + srhinfo->nsid_msk = cb->val.hmask.in6; + if (cb->invert) + srhinfo->mt_invflags |= IP6T_SRH_INV_NSID; + break; + case O_SRH_LSID: + srhinfo->mt_flags |= IP6T_SRH_LSID; + srhinfo->lsid_addr = cb->val.haddr.in6; + srhinfo->lsid_msk = cb->val.hmask.in6; + if (cb->invert) + srhinfo->mt_invflags |= IP6T_SRH_INV_LSID; + break; } } @@ -180,6 +219,18 @@ static void srh_print(const void *ip, const struct xt_entry_match *match, if (srhinfo->mt_flags & IP6T_SRH_TAG) printf(" tag:%s%d", srhinfo->mt_invflags & IP6T_SRH_INV_TAG ? "!" : "", srhinfo->tag); + if (srhinfo->mt_flags & IP6T_SRH_PSID) + printf(" psid %s %s/%u", srhinfo->mt_invflags & IP6T_SRH_INV_PSID ? "!" : "", + xtables_ip6addr_to_numeric(&srhinfo->psid_addr), + xtables_ip6mask_to_cidr(&srhinfo->psid_msk)); + if (srhinfo->mt_flags & IP6T_SRH_NSID) + printf(" nsid %s %s/%u", srhinfo->mt_invflags & IP6T_SRH_INV_NSID ? "!" : "", + xtables_ip6addr_to_numeric(&srhinfo->nsid_addr), + xtables_ip6mask_to_cidr(&srhinfo->nsid_msk)); + if (srhinfo->mt_flags & IP6T_SRH_LSID) + printf(" lsid %s %s/%u", srhinfo->mt_invflags & IP6T_SRH_INV_LSID ? "!" : "", + xtables_ip6addr_to_numeric(&srhinfo->lsid_addr), + xtables_ip6mask_to_cidr(&srhinfo->lsid_msk)); } static void srh_save(const void *ip, const struct xt_entry_match *match) 
@@ -219,6 +270,18 @@ static void srh_save(const void *ip, const struct xt_entry_match *match) if (srhinfo->mt_flags & IP6T_SRH_TAG) printf("%s --srh-tag %u", (srhinfo->mt_invflags & IP6T_SRH_INV_TAG) ? " !" : "", srhinfo->tag); + if (srhinfo->mt_flags & IP6T_SRH_PSID) + printf("%s --srh-psid %s/%u", srhinfo->mt_invflags & IP6T_SRH_INV_PSID ? " !" : "", + xtables_ip6addr_to_numeric(&srhinfo->psid_addr), + xtables_ip6mask_to_cidr(&srhinfo->psid_msk)); + if (srhinfo->mt_flags & IP6T_SRH_NSID) + printf("%s --srh-nsid %s/%u", srhinfo->mt_invflags & IP6T_SRH_INV_NSID ? " !" : "", + xtables_ip6addr_to_numeric(&srhinfo->nsid_addr), + xtables_ip6mask_to_cidr(&srhinfo->nsid_msk)); + if (srhinfo->mt_flags & IP6T_SRH_LSID) + printf("%s --srh-lsid %s/%u", srhinfo->mt_invflags & IP6T_SRH_INV_LSID ? " !" : "", + xtables_ip6addr_to_numeric(&srhinfo->lsid_addr), + xtables_ip6mask_to_cidr(&srhinfo->lsid_msk)); } static struct xtables_match srh_mt6_reg = { diff --git a/include/linux/netfilter_ipv6/ip6t_srh.h b/include/linux/netfilter_ipv6/ip6t_srh.h index 087efa1..3d77241 100644 --- a/include/linux/netfilter_ipv6/ip6t_srh.h +++ b/include/linux/netfilter_ipv6/ip6t_srh.h @@ -16,7 +16,10 @@ #define IP6T_SRH_LAST_GT 0x0100 #define IP6T_SRH_LAST_LT 0x0200 #define IP6T_SRH_TAG 0x0400 -#define IP6T_SRH_MASK 0x07FF +#define IP6T_SRH_PSID 0x0800 +#define IP6T_SRH_NSID 0x1000 +#define IP6T_SRH_LSID 0x2000 +#define IP6T_SRH_MASK 0x3FFF /* Values for "mt_invflags" field in struct ip6t_srh */ #define IP6T_SRH_INV_NEXTHDR 0x0001 @@ -30,7 +33,10 @@ #define IP6T_SRH_INV_LAST_GT 0x0100 #define IP6T_SRH_INV_LAST_LT 0x0200 #define IP6T_SRH_INV_TAG 0x0400 -#define IP6T_SRH_INV_MASK 0x07FF +#define IP6T_SRH_INV_PSID 0x0800 +#define IP6T_SRH_INV_NSID 0x1000 +#define IP6T_SRH_INV_LSID 0x2000 +#define IP6T_SRH_INV_MASK 0x3FFF /** * struct ip6t_srh - SRH match options 
@@ -39,6 +45,12 @@ * @ segs_left: Segments left field of SRH * @ last_entry: Last entry field of SRH * @ tag: Tag field of SRH + * @ psid_addr: Address of previous SID in SRH SID list + * @ nsid_addr: Address of NEXT SID in SRH SID list + * @ lsid_addr: Address of LAST SID in SRH SID list + * @ psid_msk: Mask of previous SID in SRH SID list + * @ nsid_msk: Mask of next SID in SRH SID list + * @ lsid_msk: MAsk of last SID in SRH SID list * @ mt_flags: match options * @ mt_invflags: Invert the sense of match options */ @@ -49,6 +61,12 @@ struct ip6t_srh { __u8 segs_left; __u8 last_entry; __u16 tag; + struct in6_addr psid_addr; + struct in6_addr nsid_addr; + struct in6_addr lsid_addr; + struct in6_addr psid_msk; + struct in6_addr nsid_msk; + struct in6_addr lsid_msk; __u16 mt_flags; __u16 mt_invflags; };
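Review bot: in the last hunk of ip6t_srh.h the six struct in6_addr fields are inserted into the existing struct ip6t_srh between tag and mt_flags, so the struct grows by 96 bytes and mt_flags / mt_invflags move to new offsets. This struct is the match data shared between the userspace extension and the kernel module, and nothing in this patch touches srh_mt6_reg to register a new revision or size, so a binary built from this tree and a kernel built against the old header will disagree on the layout. Please keep struct ip6t_srh as it is and carry the SID fields in a new struct bound to a new match revision, leaving the existing revision registered for older kernels.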
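Review bot: the srh_help() and srh_opts[] hunks add three user-visible options, but the diffstat lists only libip6t_srh.c and ip6t_srh.h, so the options ship without any man page text or test cases. Please add both in this patch. In the help strings, "SRH Last SID" is capitalised differently from "SRH previous SID" and "SRH next SID"; pick one form. It would also help to state in the help text which SID list entry each option compares against relative to Segments Left, since "previous" and "next" are ambiguous without it.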
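Review bot: in the srh_init() hunk the six memset() lines each run past 80 columns and clear only the s6_addr member rather than the field itself. memset(&srhinfo->psid_addr, 0, sizeof(srhinfo->psid_addr)) and likewise for the other five is shorter and does not depend on how struct in6_addr is laid out.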
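Review bot: in the srh_print() hunk the format " psid %s %s/%u" leaves two consecutive spaces in the listing when the match is not inverted, because the first %s expands to an empty string, and it does not follow the "tag:%s%d" form used by the line just above it. Something like " psid:%s%s/%u" for all three new fields would keep the output consistent with the existing ones.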
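Review bot: in the srh_save() hunk the result of xtables_ip6mask_to_cidr() is printed with %u, but that function returns an int and uses -1 for a mask that is not a contiguous prefix, which would be written to the saved ruleset as a very large number that will not restore. Print it with %d after checking for -1, or use xtables_ip6mask_to_numeric(). The three new conditions also drop the parentheses that the existing line uses, (srhinfo->mt_invflags & IP6T_SRH_INV_TAG) ? " !" : "", so please match that style.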
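Review bot: in the kernel-doc hunk for struct ip6t_srh, "@ lsid_msk: MAsk of last SID" has a typo, and "NEXT" and "LAST" in the nsid_addr / lsid_addr lines are upper-case while "previous" is not. Please use "Mask" and one consistent case across the six new entries.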