From patchwork Thu Jan 10 05:16:08 2019
X-Patchwork-Submitter: wenxu
X-Patchwork-Id: 1022745
X-Patchwork-Delegate: davem@davemloft.net
From: wenxu@ucloud.cn
To: pablo@netfilter.org
Cc: netfilter-devel@vger.kernel.org, netdev@vger.kernel.org
Subject: [PATCH v2] netfilter: x_tables: add xt_tunnel match
Date: Thu, 10 Jan 2019 13:16:08 +0800
Message-Id: <1547097368-31835-1-git-send-email-wenxu@ucloud.cn>
X-Mailer: git-send-email 1.8.3.1
X-Mailing-List: netdev@vger.kernel.org

From: wenxu

This patch allows us to match on the tunnel metadata that is available on the packet. We can use this to validate whether the packet comes from/goes to a tunnel, and the corresponding tunnel ID, in iptables.

Signed-off-by: wenxu
---
 include/uapi/linux/netfilter/xt_tunnel.h | 12 +++++++
 net/netfilter/Kconfig                    | 10 ++++++
 net/netfilter/Makefile                   |  1 +
 net/netfilter/xt_tunnel.c                | 56 ++++++++++++++++++++++++++++++++
 4 files changed, 79 insertions(+)
 create mode 100644 include/uapi/linux/netfilter/xt_tunnel.h
 create mode 100644 net/netfilter/xt_tunnel.c

diff --git a/include/uapi/linux/netfilter/xt_tunnel.h b/include/uapi/linux/netfilter/xt_tunnel.h new file mode 100644 index 0000000..5231afa --- /dev/null +++ b/include/uapi/linux/netfilter/xt_tunnel.h @@ -0,0 +1,12 @@ +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ +#ifndef _XT_TUNNEL_H +#define _XT_TUNNEL_H + +#include + +struct xt_tunnel_mtinfo { + __u32 key, mask; + __u8 invert; +}; + +#endif /*_XT_TUNNEL_H*/
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index beb3a69..ee52a75 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig
@@ -1586,6 +1586,16 @@ config NETFILTER_XT_MATCH_U32 Details and examples are in the kernel module source. +config NETFILTER_XT_MATCH_TUNNEL + tristate '"tunnel" match support' + depends on NETFILTER_ADVANCED + help + This option adds a "tunnel" match, which allows you to match based on + the packet tunnel_id + + If you want to compile it as a module, say M here. + If unsure, say N. + endif # NETFILTER_XTABLES endmenu diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile index 1ae65a3..965541c 100644 --- a/net/netfilter/Makefile +++ b/net/netfilter/Makefile @@ -198,6 +198,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_STRING) += xt_string.o obj-$(CONFIG_NETFILTER_XT_MATCH_TCPMSS) += xt_tcpmss.o obj-$(CONFIG_NETFILTER_XT_MATCH_TIME) += xt_time.o obj-$(CONFIG_NETFILTER_XT_MATCH_U32) += xt_u32.o +obj-$(CONFIG_NETFILTER_XT_MATCH_TUNNEL) += xt_tunnel.o # ipset obj-$(CONFIG_IP_SET) += ipset/ diff --git a/net/netfilter/xt_tunnel.c b/net/netfilter/xt_tunnel.c new file mode 100644 index 0000000..0ca1dce --- /dev/null +++ b/net/netfilter/xt_tunnel.c 
@@ -0,0 +1,56 @@ +/* SPDX-License-Identifier: GPL-2.0 */ +#include +#include +#include +#include + +#include +#include + +MODULE_LICENSE("GPL"); +MODULE_AUTHOR("wenxu "); +MODULE_DESCRIPTION("Xtables: packet tunnel match"); +MODULE_ALIAS("ipt_tunnel"); +MODULE_ALIAS("ip6t_tunnel"); + +static bool +tunnel_mt(const struct sk_buff *skb, struct xt_action_param *par) +{ + const struct xt_tunnel_mtinfo *info = par->matchinfo; + struct ip_tunnel_info *tun_info; + u32 key; + + tun_info = skb_tunnel_info(skb); + if (tun_info) { + key = ntohl(tunnel_id_to_key32(tun_info->key.tun_id)); + return ((key & info->mask) == info->key) ^ info->invert; + } + + return info->invert; +} + +static struct xt_match tunnel_mt_reg __read_mostly = { + .name = "tunnel", + .revision = 0, + .family = NFPROTO_UNSPEC, + .match = tunnel_mt, + .matchsize = sizeof(struct xt_tunnel_mtinfo), + .hooks = ((1 << NF_INET_PRE_ROUTING) | + (1 << NF_INET_POST_ROUTING) | + (1 << NF_INET_LOCAL_OUT) | + (1 << NF_INET_FORWARD)), + .me = THIS_MODULE, +}; + +static int __init tunnel_mt_init(void) +{ + return xt_register_match(&tunnel_mt_reg); +} + +static void __exit tunnel_mt_exit(void) +{ + xt_unregister_match(&tunnel_mt_reg); +} + +module_init(tunnel_mt_init); +module_exit(tunnel_mt_exit);
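Review bot: in the Kconfig hunk, the help text for NETFILTER_XT_MATCH_TUNNEL is incomplete: "match based on the packet tunnel_id" has no terminating period and does not say where the id comes from, which is the only thing a user reading the help needs to know. Suggest "This option adds a "tunnel" match, which allows you to match on the tunnel id carried in the packet's tunnel metadata." Also, the entry is placed after NETFILTER_XT_MATCH_U32, while the surrounding match entries are kept in alphabetical order (the Makefile hunk shows TCPMSS, TIME, U32), so it belongs between TIME and U32.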
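Review bot: in the Makefile hunk, the new line is appended after xt_u32.o, but the visible context (xt_string.o, xt_tcpmss.o, xt_time.o, xt_u32.o) is alphabetical; move `obj-$(CONFIG_NETFILTER_XT_MATCH_TUNNEL) += xt_tunnel.o` between the xt_time.o and xt_u32.o lines.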
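Review bot: in the xt_tunnel.c hunk, tunnel_mt_reg has no .checkentry, so the userspace-supplied struct xt_tunnel_mtinfo is never validated. With info->invert greater than 1, `((key & info->mask) == info->key) ^ info->invert` is non-zero for both outcomes and the rule matches every packet, and the `return info->invert;` fallback behaves the same way; a key with bits set outside mask can never match. Add a checkentry that returns -EINVAL when `info->invert > 1` or `info->key & ~info->mask` is non-zero, or compare `(key & info->mask) == (info->key & info->mask)`. Two further points for the same hunk: the commit message says the match tells whether a packet "comes from/goes to" a tunnel, but the code does not look at tun_info->mode (IP_TUNNEL_INFO_TX), so RX and TX metadata are treated identically; either document that or expose the direction as a matchinfo flag. And tunnel_id_to_key32() drops the upper half of the 64-bit tun_id, so only the low 32 bits of the id are ever compared; this should be stated in the Kconfig help or the uapi header.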