{"id":809378,"url":"http://patchwork.ozlabs.org/api/patches/809378/?format=json","web_url":"http://patchwork.ozlabs.org/project/netdev/patch/1504477589-12045-7-git-send-email-pablo@netfilter.org/","project":{"id":7,"url":"http://patchwork.ozlabs.org/api/projects/7/?format=json","name":"Linux network development","link_name":"netdev","list_id":"netdev.vger.kernel.org","list_email":"netdev@vger.kernel.org","web_url":null,"scm_url":null,"webscm_url":null,"list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<1504477589-12045-7-git-send-email-pablo@netfilter.org>","list_archive_url":null,"date":"2017-09-03T22:25:48","name":"[06/47] netfilter: nf_tables: add fib expression to the netdev family","commit_ref":null,"pull_url":null,"state":"accepted","archived":true,"hash":"4607463ef56e7ea2498e769152ded67467901315","submitter":{"id":1315,"url":"http://patchwork.ozlabs.org/api/people/1315/?format=json","name":"Pablo Neira Ayuso","email":"pablo@netfilter.org"},"delegate":{"id":34,"url":"http://patchwork.ozlabs.org/api/users/34/?format=json","username":"davem","first_name":"David","last_name":"Miller","email":"davem@davemloft.net"},"mbox":"http://patchwork.ozlabs.org/project/netdev/patch/1504477589-12045-7-git-send-email-pablo@netfilter.org/mbox/","series":[{"id":1281,"url":"http://patchwork.ozlabs.org/api/series/1281/?format=json","web_url":"http://patchwork.ozlabs.org/project/netdev/list/?series=1281","date":"2017-09-03T22:25:42","name":"[01/47] netfilter: expect: add to hash table after expect init","version":1,"mbox":"http://patchwork.ozlabs.org/series/1281/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/809378/comments/","check":"pending","checks":"http://patchwork.ozlabs.org/api/patches/809378/checks/","tags":{},"related":[],"headers":{"Return-Path":"<netdev-owner@vger.kernel.org>","X-Original-To":"patchwork-incoming@ozlabs.org","Delivered-To":"patchwork-incoming@ozlabs.org","Authentication-Results":"ozlabs.org;\n\tspf=none 
(mailfrom) smtp.mailfrom=vger.kernel.org\n\t(client-ip=209.132.180.67; helo=vger.kernel.org;\n\tenvelope-from=netdev-owner@vger.kernel.org;\n\treceiver=<UNKNOWN>)","Received":["from vger.kernel.org (vger.kernel.org [209.132.180.67])\n\tby ozlabs.org (Postfix) with ESMTP id 3xlnf55Jpmz9s06\n\tfor <patchwork-incoming@ozlabs.org>;\n\tMon,  4 Sep 2017 08:27:09 +1000 (AEST)","(majordomo@vger.kernel.org) by vger.kernel.org via listexpand\n\tid S1753207AbdICW1H (ORCPT <rfc822;patchwork-incoming@ozlabs.org>);\n\tSun, 3 Sep 2017 18:27:07 -0400","from mail.us.es ([193.147.175.20]:50810 \"EHLO mail.us.es\"\n\trhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP\n\tid S1753155AbdICW0n (ORCPT <rfc822;netdev@vger.kernel.org>);\n\tSun, 3 Sep 2017 18:26:43 -0400","from antivirus1-rhel7.int (unknown [192.168.2.11])\n\tby mail.us.es (Postfix) with ESMTP id 61E3E190F65\n\tfor <netdev@vger.kernel.org>; Mon,  4 Sep 2017 00:26:16 +0200 (CEST)","from antivirus1-rhel7.int (localhost [127.0.0.1])\n\tby antivirus1-rhel7.int (Postfix) with ESMTP id 4BBF2B5030\n\tfor <netdev@vger.kernel.org>; Mon,  4 Sep 2017 00:26:16 +0200 (CEST)","by antivirus1-rhel7.int (Postfix, from userid 99)\n\tid 4121DB502C; Mon,  4 Sep 2017 00:26:16 +0200 (CEST)","from antivirus1-rhel7.int (localhost [127.0.0.1])\n\tby antivirus1-rhel7.int (Postfix) with ESMTP id 2B33DB502A;\n\tMon,  4 Sep 2017 00:26:14 +0200 (CEST)","from 192.168.1.97 (192.168.1.97) by antivirus1-rhel7.int\n\t(F-Secure/fsigk_smtp/550/antivirus1-rhel7.int); \n\tMon, 04 Sep 2017 00:26:14 +0200 (CEST)","from salvia.here (unknown [31.4.193.113])\n\t(Authenticated sender: pneira@us.es)\n\tby entrada.int (Postfix) with ESMTPA id CE48B4265A22;\n\tMon,  4 Sep 2017 00:26:13 +0200 (CEST)"],"X-Spam-Checker-Version":"SpamAssassin 3.4.1 (2015-04-28) on\n\tantivirus1-rhel7.int","X-Spam-Level":"","X-Spam-Status":"No, score=-108.2 required=7.5 tests=ALL_TRUSTED,BAYES_50,\n\tSMTPAUTH_US2,USER_IN_WHITELIST autolearn=disabled 
version=3.4.1","X-Virus-Status":"clean(F-Secure/fsigk_smtp/550/antivirus1-rhel7.int)","X-SMTPAUTHUS":"auth mail.us.es","From":"Pablo Neira Ayuso <pablo@netfilter.org>","To":"netfilter-devel@vger.kernel.org","Cc":"davem@davemloft.net, netdev@vger.kernel.org","Subject":"[PATCH 06/47] netfilter: nf_tables: add fib expression to the\n\tnetdev family","Date":"Mon,  4 Sep 2017 00:25:48 +0200","Message-Id":"<1504477589-12045-7-git-send-email-pablo@netfilter.org>","X-Mailer":"git-send-email 2.1.4","In-Reply-To":"<1504477589-12045-1-git-send-email-pablo@netfilter.org>","References":"<1504477589-12045-1-git-send-email-pablo@netfilter.org>","X-Virus-Scanned":"ClamAV using ClamSMTP","Sender":"netdev-owner@vger.kernel.org","Precedence":"bulk","List-ID":"<netdev.vger.kernel.org>","X-Mailing-List":"netdev@vger.kernel.org"},"content":"From: \"Pablo M. Bermudo Garay\" <pablombg@gmail.com>\n\nAdd fib expression support for netdev family. Like inet family, netdev\ndelegates the actual decision to the corresponding backend, either ipv4\nor ipv6.\n\nThis allows to perform very early reverse path filtering, among other\nthings.\n\nYou can find more information about fib expression in the f6d0cbcf09c5\n(\"<netfilter: nf_tables: add fib expression>\") commit message.\n\nSigned-off-by: Pablo M. 
Bermudo Garay <pablombg@gmail.com>\nSigned-off-by: Pablo Neira Ayuso <pablo@netfilter.org>\n---\n net/netfilter/Kconfig          |  9 +++++\n net/netfilter/Makefile         |  1 +\n net/netfilter/nft_fib_netdev.c | 87 ++++++++++++++++++++++++++++++++++++++++++\n 3 files changed, 97 insertions(+)\n create mode 100644 net/netfilter/nft_fib_netdev.c","diff":"diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig\nindex 9b28864cc36a..e4a13cc8a2e7 100644\n--- a/net/netfilter/Kconfig\n+++ b/net/netfilter/Kconfig\n@@ -636,6 +636,15 @@ config NFT_FWD_NETDEV\n \thelp\n \t  This option enables packet forwarding for the \"netdev\" family.\n \n+config NFT_FIB_NETDEV\n+\tdepends on NFT_FIB_IPV4\n+\tdepends on NFT_FIB_IPV6\n+\ttristate \"Netfilter nf_tables netdev fib lookups support\"\n+\thelp\n+\t  This option allows using the FIB expression from the netdev table.\n+\t  The lookup will be delegated to the IPv4 or IPv6 FIB depending\n+\t  on the protocol of the packet.\n+\n endif # NF_TABLES_NETDEV\n \n endif # NF_TABLES\ndiff --git a/net/netfilter/Makefile b/net/netfilter/Makefile\nindex 913380919301..d3891c93edd6 100644\n--- a/net/netfilter/Makefile\n+++ b/net/netfilter/Makefile\n@@ -100,6 +100,7 @@ obj-$(CONFIG_NFT_REDIR)\t\t+= nft_redir.o\n obj-$(CONFIG_NFT_HASH)\t\t+= nft_hash.o\n obj-$(CONFIG_NFT_FIB)\t\t+= nft_fib.o\n obj-$(CONFIG_NFT_FIB_INET)\t+= nft_fib_inet.o\n+obj-$(CONFIG_NFT_FIB_NETDEV)\t+= nft_fib_netdev.o\n \n # nf_tables netdev\n obj-$(CONFIG_NFT_DUP_NETDEV)\t+= nft_dup_netdev.o\ndiff --git a/net/netfilter/nft_fib_netdev.c b/net/netfilter/nft_fib_netdev.c\nnew file mode 100644\nindex 000000000000..3997ee36cfbd\n--- /dev/null\n+++ b/net/netfilter/nft_fib_netdev.c\n@@ -0,0 +1,87 @@\n+/*\n+ * Copyright (c) 2017 Pablo M. 
Bermudo Garay <pablombg@gmail.com>\n+ *\n+ * This program is free software; you can redistribute it and/or modify\n+ * it under the terms of the GNU General Public License version 2 as\n+ * published by the Free Software Foundation.\n+ *\n+ * This code is based on net/netfilter/nft_fib_inet.c, written by\n+ * Florian Westphal <fw@strlen.de>.\n+ */\n+\n+#include <linux/kernel.h>\n+#include <linux/init.h>\n+#include <linux/module.h>\n+#include <linux/netlink.h>\n+#include <linux/netfilter.h>\n+#include <linux/netfilter/nf_tables.h>\n+#include <net/netfilter/nf_tables_core.h>\n+#include <net/netfilter/nf_tables.h>\n+\n+#include <net/netfilter/nft_fib.h>\n+\n+static void nft_fib_netdev_eval(const struct nft_expr *expr,\n+\t\t\t\tstruct nft_regs *regs,\n+\t\t\t\tconst struct nft_pktinfo *pkt)\n+{\n+\tconst struct nft_fib *priv = nft_expr_priv(expr);\n+\n+\tswitch (ntohs(pkt->skb->protocol)) {\n+\tcase ETH_P_IP:\n+\t\tswitch (priv->result) {\n+\t\tcase NFT_FIB_RESULT_OIF:\n+\t\tcase NFT_FIB_RESULT_OIFNAME:\n+\t\t\treturn nft_fib4_eval(expr, regs, pkt);\n+\t\tcase NFT_FIB_RESULT_ADDRTYPE:\n+\t\t\treturn nft_fib4_eval_type(expr, regs, pkt);\n+\t\t}\n+\t\tbreak;\n+\tcase ETH_P_IPV6:\n+\t\tswitch (priv->result) {\n+\t\tcase NFT_FIB_RESULT_OIF:\n+\t\tcase NFT_FIB_RESULT_OIFNAME:\n+\t\t\treturn nft_fib6_eval(expr, regs, pkt);\n+\t\tcase NFT_FIB_RESULT_ADDRTYPE:\n+\t\t\treturn nft_fib6_eval_type(expr, regs, pkt);\n+\t\t}\n+\t\tbreak;\n+\t}\n+\n+\tregs->verdict.code = NFT_BREAK;\n+}\n+\n+static struct nft_expr_type nft_fib_netdev_type;\n+static const struct nft_expr_ops nft_fib_netdev_ops = {\n+\t.type\t\t= &nft_fib_netdev_type,\n+\t.size\t\t= NFT_EXPR_SIZE(sizeof(struct nft_fib)),\n+\t.eval\t\t= nft_fib_netdev_eval,\n+\t.init\t\t= nft_fib_init,\n+\t.dump\t\t= nft_fib_dump,\n+\t.validate\t= nft_fib_validate,\n+};\n+\n+static struct nft_expr_type nft_fib_netdev_type __read_mostly = {\n+\t.family\t\t= NFPROTO_NETDEV,\n+\t.name\t\t= \"fib\",\n+\t.ops\t\t= 
&nft_fib_netdev_ops,\n+\t.policy\t\t= nft_fib_policy,\n+\t.maxattr\t= NFTA_FIB_MAX,\n+\t.owner\t\t= THIS_MODULE,\n+};\n+\n+static int __init nft_fib_netdev_module_init(void)\n+{\n+\treturn nft_register_expr(&nft_fib_netdev_type);\n+}\n+\n+static void __exit nft_fib_netdev_module_exit(void)\n+{\n+\tnft_unregister_expr(&nft_fib_netdev_type);\n+}\n+\n+module_init(nft_fib_netdev_module_init);\n+module_exit(nft_fib_netdev_module_exit);\n+\n+MODULE_LICENSE(\"GPL\");\n+MODULE_AUTHOR(\"Pablo M. Bermudo Garay <pablombg@gmail.com>\");\n+MODULE_ALIAS_NFT_AF_EXPR(5, \"fib\");\n","prefixes":["06/47"]}
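Review bot: in the net/netfilter/Kconfig hunk, the new NFT_FIB_NETDEV entry puts both `depends on` lines ahead of the `tristate` prompt. Please move `tristate "Netfilter nf_tables netdev fib lookups support"` to the first line of the entry so the type and prompt come before the dependencies. Because the entry depends on both NFT_FIB_IPV4 and NFT_FIB_IPV6, a configuration that enables only one of them cannot select netdev fib lookups at all. That follows from nft_fib_netdev_eval() calling both the nft_fib4_* and nft_fib6_* helpers, but the help text should say that both backends are required.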
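Review bot: in nft_fib_netdev_eval() in net/netfilter/nft_fib_netdev.c, the dispatch keys only on `ntohs(pkt->skb->protocol)`, and nothing visible in this function checks that the IPv4 or IPv6 header was validated before the packet reaches nft_fib4_eval() or nft_fib6_eval(). At the netdev hook a frame can carry ETH_P_IP or ETH_P_IPV6 with a truncated or malformed network header, so please either confirm in the commit message that the netdev pktinfo setup guarantees a validated header here, or add an explicit check and fall through to `NFT_BREAK` when it fails. Two smaller points: the inner `switch (priv->result)` blocks have no `default`, so any other result type reaches `regs->verdict.code = NFT_BREAK` silently, and a one-line comment would make that intent explicit. Also, `MODULE_ALIAS_NFT_AF_EXPR(5, "fib")` uses a bare 5 next to `.family = NFPROTO_NETDEV`; a trailing comment naming the family would help readers.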