From patchwork Sun Apr 15 23:13:31 2018
X-Patchwork-Submitter: Jack Ma
X-Patchwork-Id: 898351
X-Patchwork-Delegate: pablo@netfilter.org
From: Jack Ma
To: netfilter-devel@vger.kernel.org
Cc: fw@strlen.de, pablo@netfilter.org, Jack Ma
Subject: [PATCH] xt_connmark: Add bit mapping for bit-shift operation.
Date: Mon, 16 Apr 2018 11:13:31 +1200
Message-Id: <20180415231331.14867-1-jack.ma@alliedtelesis.co.nz>
X-Mailer: git-send-email 2.13.0

With the addition of bit-shift operations, we are able to shift ct/skbmark
based on user requirements. However, this change might also cause the most
left/right hand-side mark to be accidentally lost during shift operations.

This patch adds the ability to 'grep' certain bits based on ctmask or nfmask
out of the original mark. Then apply shift operations to achieve a new
mapping between ctmark and skb->mark.

For example, if someone would like to save the fourth F bits of ctmark
0xFFF(F)000F into the seventh hexadecimal (0) skb->mark 0xABC000(0)E:

new_targetmark = (ctmark & ctmask) >> 12;
(new) skb->mark = (skb->mark &~nfmask) ^ new_targetmark;

This will preserve the other bits that are not related to this operation.

Reviewed-by: Florian Westphal
Signed-off-by: Jack Ma
---
 net/netfilter/xt_connmark.c | 32 +++++++++++++++++++-------------
 1 file changed, 19 insertions(+), 13 deletions(-)

diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
index 773da82190dc..4247f437dcae 100644
--- a/net/netfilter/xt_connmark.c
+++ b/net/netfilter/xt_connmark.c
@@ -37,20 +37,22 @@ MODULE_ALIAS("ip6t_connmark"); static unsigned int connmark_tg_shift(struct sk_buff *skb, - const struct xt_connmark_tginfo1 *info, + u8 mode, u32 ctmark, + u32 ctmask, u32 nfmask, u8 shift_bits, u8 shift_dir) { enum ip_conntrack_info ctinfo; struct nf_conn *ct; u_int32_t newmark; + u_int32_t new_targetmark; ct = nf_ct_get(skb, &ctinfo); if (ct == NULL) return XT_CONTINUE; - switch (info->mode) { + switch (mode) { case XT_CONNMARK_SET: - newmark = (ct->mark & ~info->ctmask) ^ info->ctmark; + newmark = (ct->mark & ~ctmask) ^ ctmark; if (shift_dir == D_SHIFT_RIGHT) newmark >>= shift_bits; else @@ -61,24 +63,26 @@ connmark_tg_shift(struct sk_buff *skb, } break; case XT_CONNMARK_SAVE: - newmark = (ct->mark & ~info->ctmask) ^ - (skb->mark & info->nfmask); + new_targetmark = (skb->mark & nfmask); if (shift_dir == D_SHIFT_RIGHT) - newmark >>= shift_bits; + new_targetmark >>= shift_bits; else - newmark <<= shift_bits; + new_targetmark <<= shift_bits; + newmark = (ct->mark & ~ctmask) ^ + new_targetmark; if (ct->mark != newmark) { ct->mark = newmark; nf_conntrack_event_cache(IPCT_MARK, ct); } break; case XT_CONNMARK_RESTORE: - newmark = (skb->mark & ~info->nfmask) ^ - (ct->mark & info->ctmask); + new_targetmark = (ct->mark & ctmask); if (shift_dir == D_SHIFT_RIGHT) - newmark >>= shift_bits; + new_targetmark >>= shift_bits; else - newmark <<= shift_bits; + new_targetmark <<= shift_bits; + newmark = (skb->mark & ~nfmask) ^ + new_targetmark; skb->mark = newmark; break; } @@ -90,7 +94,8 @@ connmark_tg(struct sk_buff *skb, const struct xt_action_param *par) { const struct xt_connmark_tginfo1 *info = par->targinfo; - return connmark_tg_shift(skb, info, 0, 0); + return connmark_tg_shift(skb, info->mode, info->ctmark, + info->ctmask, info->nfmask, 0, 0); } static unsigned int 
@@ -98,7 +103,8 @@ connmark_tg_v2(struct sk_buff *skb, const struct xt_action_param *par) { const struct xt_connmark_tginfo2 *info = par->targinfo; - return connmark_tg_shift(skb, (const struct xt_connmark_tginfo1 *)info, + return connmark_tg_shift(skb, info->mode, info->ctmark, + info->ctmask, info->nfmask, info->shift_bits, info->shift_dir); }
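Review bot: in the first hunk (@@ -37), the XT_CONNMARK_SET case still shifts the combined value: `newmark = (ct->mark & ~ctmask) ^ ctmark;` is followed by the unchanged `if (shift_dir == D_SHIFT_RIGHT) newmark >>= shift_bits;`, so the ct->mark bits outside ctmask are shifted along with the new value. The "preserve the other bits" behaviour the commit message describes therefore covers only SAVE and RESTORE; either say so in the message or give SET the same new_targetmark treatment. Separately, the new `u8 shift_bits` parameter is never range-checked in connmark_tg_shift, and shifting a u32 by 32 or more is undefined in C, so this relies on caller-side validation that is not visible in the diff; a one-line comment naming where that check lives would help the next reader. Minor style: the new parameters use u32 while the locals `newmark` and `new_targetmark` keep u_int32_t; kernel style prefers u32 for both.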
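Review bot: in the RESTORE branch of the second hunk (@@ -61), `new_targetmark = (ct->mark & ctmask);` is shifted and then XORed into `(skb->mark & ~nfmask)` without being masked by nfmask, so any shifted bit that lands outside nfmask is toggled against a preserved skb->mark bit rather than replacing a cleared one; the SAVE branch has the same property with respect to ctmask. If the intent is that rule authors must align ctmask, nfmask and shift_bits, document that requirement; otherwise consider `newmark = (skb->mark & ~nfmask) ^ (new_targetmark & nfmask);` (and the `& ctmask` counterpart in SAVE). Minor style: the parentheses in `new_targetmark = (skb->mark & nfmask);` and `new_targetmark = (ct->mark & ctmask);` are redundant.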
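Review bot: for the call-site hunks (@@ -90 and @@ -98), the v1 path passes `0, 0` for shift_bits and shift_dir, and with a zero shift the reworked SAVE and RESTORE expressions reduce exactly to the previous `(ct->mark & ~ctmask) ^ (skb->mark & nfmask)` and `(skb->mark & ~nfmask) ^ (ct->mark & ctmask)`, so revision 1 behaviour is unchanged; that is worth one sentence in the commit message, since the diffstat touches both revisions. Dropping the `(const struct xt_connmark_tginfo1 *)` cast in connmark_tg_v2 also removes the implicit dependency on tginfo2 sharing tginfo1's layout prefix, which is a good side effect of passing the fields explicitly.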
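To make the bit-loss problem and the fix concrete, here is a user-space model of the SAVE and RESTORE arithmetic before and after the patch, run on the commit message's own example values. This is an added example and not code from the patch or the kernel: the function names restore_old/restore_new/save_old/save_new, the MODEL_SHIFT_* direction values and the shift_fits_mask rule check are all assumptions of this model, chosen to mirror the expressions visible in the hunks.

```c
#include <stdint.h>
#include <stdio.h>

/* Added model (not the kernel's code): the XT_CONNMARK_SAVE / RESTORE
 * arithmetic before and after the patch, in plain user-space C.
 * Direction names mirror the kernel's D_SHIFT_* by name only; the numeric
 * values are an assumption of this model. */
enum model_shift_dir { MODEL_SHIFT_LEFT = 0, MODEL_SHIFT_RIGHT = 1 };

/* Shift helper; refuses counts that would be undefined for a 32-bit value. */
static uint32_t apply_shift(uint32_t v, uint8_t bits, enum model_shift_dir dir)
{
    if (bits >= 32)
        return 0;
    return dir == MODEL_SHIFT_RIGHT ? v >> bits : v << bits;
}

/* RESTORE before the patch: combine first, then shift the whole result,
 * which drags the preserved skb->mark bits along with the restored ones. */
uint32_t restore_old(uint32_t skbmark, uint32_t ctmark, uint32_t ctmask,
                     uint32_t nfmask, uint8_t bits, enum model_shift_dir dir)
{
    uint32_t newmark = (skbmark & ~nfmask) ^ (ctmark & ctmask);
    return apply_shift(newmark, bits, dir);
}

/* RESTORE after the patch: shift only the selected ct->mark bits, then
 * combine them with the untouched skb->mark bits. */
uint32_t restore_new(uint32_t skbmark, uint32_t ctmark, uint32_t ctmask,
                     uint32_t nfmask, uint8_t bits, enum model_shift_dir dir)
{
    uint32_t new_targetmark = apply_shift(ctmark & ctmask, bits, dir);
    return (skbmark & ~nfmask) ^ new_targetmark;
}

/* SAVE before the patch: the ct->mark side of the same problem. */
uint32_t save_old(uint32_t ctmark, uint32_t skbmark, uint32_t ctmask,
                  uint32_t nfmask, uint8_t bits, enum model_shift_dir dir)
{
    uint32_t newmark = (ctmark & ~ctmask) ^ (skbmark & nfmask);
    return apply_shift(newmark, bits, dir);
}

/* SAVE after the patch: shift only the selected skb->mark bits. */
uint32_t save_new(uint32_t ctmark, uint32_t skbmark, uint32_t ctmask,
                  uint32_t nfmask, uint8_t bits, enum model_shift_dir dir)
{
    uint32_t new_targetmark = apply_shift(skbmark & nfmask, bits, dir);
    return (ctmark & ~ctmask) ^ new_targetmark;
}

/* Rule sanity check (an addition of this model, not in the patch): because
 * the shifted value is XORed into the destination, a rule only "preserves
 * the other bits" when every source-mask bit lands inside the destination
 * mask after shifting.  Returns 1 when that holds, 0 otherwise. */
int shift_fits_mask(uint32_t src_mask, uint32_t dst_mask, uint8_t bits,
                    enum model_shift_dir dir)
{
    return bits < 32 && (apply_shift(src_mask, bits, dir) & ~dst_mask) == 0;
}

int main(void)
{
    /* The commit message's example: move the fourth hex digit of
     * ct->mark 0xFFFF000F into the seventh hex digit of skb->mark 0xABC0000E. */
    uint32_t skbmark = 0xABC0000E, ctmark = 0xFFFF000F;
    uint32_t ctmask = 0x000F0000, nfmask = 0x000000F0;

    printf("restore before patch: 0x%08X\n",
           restore_old(skbmark, ctmark, ctmask, nfmask, 12, MODEL_SHIFT_RIGHT));
    printf("restore after patch:  0x%08X\n",
           restore_new(skbmark, ctmark, ctmask, nfmask, 12, MODEL_SHIFT_RIGHT));
    printf("masks aligned for this rule: %d\n",
           shift_fits_mask(ctmask, nfmask, 12, MODEL_SHIFT_RIGHT));
    return 0;
}
```

Running it shows the old RESTORE turning 0xABC0000E into 0x000ABCF0 (the A, B, C and E digits are shifted out of place) while the patched version yields 0xABC000FE, which is the mapping the commit message describes. The shift_fits_mask check is the kind of validation a rule author or a config linter can apply up front, since the kernel itself only XORs the shifted bits into place.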