From patchwork Mon May 7 20:57:23 2018
X-Patchwork-Submitter: Máté Eckl
X-Patchwork-Id: 909929
X-Patchwork-Delegate: pablo@netfilter.org
From: Máté Eckl
To: netfilter-devel@vger.kernel.org
Subject: [RFC PATCH nft] WIP: Introducing socket matching
Date: Mon, 7 May 2018 22:57:23 +0200
Message-Id: <20180507205723.28821-2-ecklm94@gmail.com>
In-Reply-To: <20180507205723.28821-1-ecklm94@gmail.com>

Hi,

I have been working on a skeleton for socket matching which is required by tproxy support. See the WIP patch below and please comment if you have something to note.

My thoughts:

* The parser is fine with this version of socket matching; matching the flags is still to be implemented.
* We could treat this tproxy specifically all the way (e.g. `tproxy socket`), but I think this solution is more extensible and flexible. Matching flags with this syntax makes other socket flags matchable and thus usable outside of the use-case of transparent proxying.
* `isset` is probably not the best keyword to describe this; I have also thought of `present`, but maybe you also have some suggestions. If we want to match socket flags this way, we need a keyword here.

Regards,
Máté

-- 8< --

=== Basic matching ===

e.g.: `meta socket isset 1`

This matches when there is a socket with the destination IP address assigned to it as local address.

The new keyword `isset` represents a boolean, and it can later be reused for the pointer-type meta attributes, where the attribute is not necessarily present at the time these rules are evaluated. For example sk_user_data, sk_security, etc.

=== Socket specific matching ===

`meta socket flags `

This would match when `meta socket isset` matches AND the given flags are set on the socket.
Signed-off-by: Máté Eckl --- include/linux/netfilter/nf_tables.h | 2 ++ src/meta.c | 2 ++ src/parser_bison.y | 15 ++++++++++++++- src/scanner.l | 2 ++ 4 files changed, 20 insertions(+), 1 deletion(-) diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h index 517a39a..0719726 100644 --- a/include/linux/netfilter/nf_tables.h +++ b/include/linux/netfilter/nf_tables.h @@ -788,6 +788,7 @@ enum nft_exthdr_attributes { * @NFT_META_CGROUP: socket control group (skb->sk->sk_classid) * @NFT_META_PRANDOM: a 32bit pseudo-random number * @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp) + * @NFT_META_SUBKEY_ISSET: boolean, the subkey is set */ enum nft_meta_keys { NFT_META_LEN, @@ -816,6 +817,7 @@ enum nft_meta_keys { NFT_META_CGROUP, NFT_META_PRANDOM, NFT_META_SECPATH, + NFT_META_SUBKEY_ISSET, }; /** diff --git a/src/meta.c b/src/meta.c index 3012efa..7bbe4b1 100644 --- a/src/meta.c +++ b/src/meta.c @@ -439,6 +439,8 @@ static const struct meta_template meta_templates[] = { BYTEORDER_BIG_ENDIAN), /* avoid conversion; doesn't have endianess */ [NFT_META_SECPATH] = META_TEMPLATE("secpath", &boolean_type, BITS_PER_BYTE, BYTEORDER_HOST_ENDIAN), + [NFT_META_SUBKEY_ISSET] = META_TEMPLATE("isset", &boolean_type, + 1 , BYTEORDER_HOST_ENDIAN), }; static bool meta_key_is_qualified(enum nft_meta_keys key) diff --git a/src/parser_bison.y b/src/parser_bison.y index 7238a94..ecccd06 100644 --- a/src/parser_bison.y +++ b/src/parser_bison.y @@ -181,6 +181,7 @@ int nft_lex(void *, void *, void *); %token DASH "-" %token AT "@" %token VMAP "vmap" +%token ISSET "isset" %token INCLUDE "include" %token DEFINE "define" @@ -400,6 +401,7 @@ int nft_lex(void *, void *, void *); %token IIFGROUP "iifgroup" %token OIFGROUP "oifgroup" %token CGROUP "cgroup" +%token SOCKET "socket" %token CLASSID "classid" %token NEXTHOP "nexthop" 
@@ -689,7 +691,7 @@ int nft_lex(void *, void *, void *); %type meta_expr %destructor { expr_free($$); } meta_expr -%type meta_key meta_key_qualified meta_key_unqualified numgen_type +%type meta_key meta_key_qualified meta_key_unqualified meta_key_extended meta_subkey numgen_type %type nf_key_proto @@ -3452,6 +3454,10 @@ meta_expr : META meta_key $$ = meta_expr_alloc(&@$, key); } + | META meta_key_extended + { + $$ = meta_expr_alloc(&@$, $2); + } ; meta_key : meta_key_qualified @@ -3486,6 +3492,13 @@ meta_key_unqualified : MARK { $$ = NFT_META_MARK; } | CGROUP { $$ = NFT_META_CGROUP; } ; +meta_key_extended : SOCKET meta_subkey { $$ = $2; } +/* | SOCKET FLAGS { $$ = NFT_META_SOCKET_FLAGS; } +*/ ; + +meta_subkey : ISSET { $$ = NFT_META_SUBKEY_ISSET; } + ; + meta_stmt : META meta_key SET stmt_expr { $$ = meta_stmt_alloc(&@$, $2, $4); diff --git a/src/scanner.l b/src/scanner.l index 70366d1..1fe2424 100644 --- a/src/scanner.l +++ b/src/scanner.l @@ -231,6 +231,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr}) "$" { return '$'; } "=" { return '='; } "vmap" { return VMAP; } +"isset" { return ISSET; } "include" { return INCLUDE; } "define" { return DEFINE; } @@ -495,6 +496,7 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr}) "iifgroup" { return IIFGROUP; } "oifgroup" { return OIFGROUP; } "cgroup" { return CGROUP; } +"socket" { return SOCKET; } "classid" { return CLASSID; } "nexthop" { return NEXTHOP; }
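Review bot: in the include/linux/netfilter/nf_tables.h hunk, NFT_META_SUBKEY_ISSET ("the subkey is set") carries no information about which subkey is being tested, so the kernel side cannot tell `meta socket isset` apart from the other pointer-type attributes (sk_user_data, sk_security) that the commit message says the keyword should later be reused for. Either add one key per attribute (a socket-specific name for this one) or pair the generic key with an additional netlink attribute naming the subkey. Since this header is the userspace copy of the kernel UAPI, the commit message should also say which kernel patch defines the value; until that lands, nft would emit a meta key the kernel rejects.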
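Review bot: in the src/meta.c hunk, the new template passes a length of `1` where the neighbouring `NFT_META_SECPATH` boolean template uses `BITS_PER_BYTE`, and it has a stray space before the comma (`1 ,`); boolean meta values are stored as a whole byte in the register, so use `BITS_PER_BYTE` to match the secpath entry. The template token is only "isset", so a listed rule would be printed as `meta isset`, which the grammar below (requiring `META SOCKET ISSET`) cannot parse back; the token needs to carry the `socket` part, or the printer has to learn about subkeys, and `meta_key_is_qualified()` right below the hunk should be checked for the new key.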
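Review bot: in the first src/parser_bison.y hunk (`@@ -181`), `%token ISSET "isset"` is declared next to `VMAP` among the generic tokens while `SOCKET` is declared with the meta keys in the `@@ -400` hunk; keep the two new tokens together with the other meta keywords so the grouping stays readable.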
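Review bot: in the `@@ -3452` / `@@ -3486` hunks of src/parser_bison.y, the commented-out alternative `| SOCKET FLAGS { $$ = NFT_META_SOCKET_FLAGS; }` refers to an enum value this patch does not define; drop the dead rule from the submission (or implement it) rather than ship it inside a comment. `meta_key_extended` is only reachable from `meta_expr`, not from `meta_stmt`, so `meta socket isset set ...` would be a bare syntax error; that is fine for a read-only boolean, but a sentence in the commit message saying the new keys are match-only would help.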