From patchwork Wed Dec 3 12:55:34 2014
X-Patchwork-Submitter: Pablo Neira Ayuso
X-Patchwork-Id: 417405
X-Patchwork-Delegate: pablo@netfilter.org
From: Pablo Neira Ayuso
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 04/12] netfilter: nf_tables_bridge: set the pktinfo for IPv4/IPv6 traffic
Date: Wed, 3 Dec 2014 13:55:34 +0100
Message-Id: <1417611342-25257-5-git-send-email-pablo@netfilter.org>
In-Reply-To: <1417611342-25257-1-git-send-email-pablo@netfilter.org>
References: <1417611342-25257-1-git-send-email-pablo@netfilter.org>
X-Mailing-List: netfilter-devel@vger.kernel.org

From: Alvaro Neira

This patch adds the missing bits to allow matching per meta l4proto from the bridge.

Example:

nft add rule bridge filter input ether type {ip, ip6} meta l4proto udp counter

Signed-off-by: Alvaro Neira Ayuso
Signed-off-by: Pablo Neira Ayuso
---
 net/bridge/netfilter/nf_tables_bridge.c | 40 ++++++++++++++++++++++++++++++-
 1 file changed, 39 insertions(+), 1 deletion(-)

diff --git a/net/bridge/netfilter/nf_tables_bridge.c b/net/bridge/netfilter/nf_tables_bridge.c
index d468c19..19473a9 100644
--- a/net/bridge/netfilter/nf_tables_bridge.c
+++ b/net/bridge/netfilter/nf_tables_bridge.c @@ -16,6 +16,8 @@ #include #include #include +#include +#include int nft_bridge_iphdr_validate(struct sk_buff *skb) { @@ -62,6 +64,32 @@ int nft_bridge_ip6hdr_validate(struct sk_buff *skb) } EXPORT_SYMBOL_GPL(nft_bridge_ip6hdr_validate); +static inline void nft_bridge_set_pktinfo_ipv4(struct nft_pktinfo *pkt, + const struct nf_hook_ops *ops, + struct sk_buff *skb, + const struct net_device *in, + const struct net_device *out) +{ + if (nft_bridge_iphdr_validate(skb)) + nft_set_pktinfo_ipv4(pkt, ops, skb, in, out); + else + nft_set_pktinfo(pkt, ops, skb, in, out); +} + +static inline void nft_bridge_set_pktinfo_ipv6(struct nft_pktinfo *pkt, + const struct nf_hook_ops *ops, + struct sk_buff *skb, + const struct net_device *in, + const struct net_device *out) +{ +#if IS_ENABLED(CONFIG_IPV6) + if (nft_bridge_ip6hdr_validate(skb) && + nft_set_pktinfo_ipv6(pkt, ops, skb, in, out) == 0) + return; +#endif + nft_set_pktinfo(pkt, ops, skb, in, out); +} + static unsigned int nft_do_chain_bridge(const struct nf_hook_ops *ops, struct sk_buff *skb, @@ -71,7 +99,17 @@ nft_do_chain_bridge(const struct nf_hook_ops *ops, { struct nft_pktinfo pkt; - nft_set_pktinfo(&pkt, ops, skb, in, out); + switch (eth_hdr(skb)->h_proto) { + case htons(ETH_P_IP): + nft_bridge_set_pktinfo_ipv4(&pkt, ops, skb, in, out); + break; + case htons(ETH_P_IPV6): + nft_bridge_set_pktinfo_ipv6(&pkt, ops, skb, in, out); + break; + default: + nft_set_pktinfo(&pkt, ops, skb, in, out); + break; + } return nft_do_chain(&pkt, ops); }
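Review bot: in the first hunk (@@ -16,6 +16,8 @@) the two added #include lines arrive here with their header names stripped, so it is not possible to confirm which headers they pull in; the helpers added in the next hunk depend on nft_set_pktinfo_ipv4() and nft_set_pktinfo_ipv6(), and the IPv6 call is guarded by IS_ENABLED(CONFIG_IPV6) while the include is not, so please confirm that the IPv6 header is safe to include unconditionally on a CONFIG_IPV6=n build, and name the headers in the patch text.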
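Review bot: in the second hunk (@@ -62,6 +64,32 @@) both helpers fall back to plain nft_set_pktinfo() when header validation fails (and, for IPv6, whenever CONFIG_IPV6 is off), and that fallback is the generic setup the function used before this patch, with no L3/L4 header to parse. The caller's `struct nft_pktinfo pkt;` is an uninitialised stack local, so unless nft_set_pktinfo() clears the transport-layer fields, a rule like `meta l4proto udp` evaluated on a frame whose IP/IPv6 header fails validation reads whatever is left on the stack and matches nondeterministically. Suggest either zero-initialising the local in nft_do_chain_bridge() (`struct nft_pktinfo pkt = {};`) or stating in the commit message that the validation-failure path deliberately leaves no L4 information and that rules should carry the `ether type {ip, ip6}` guard shown in the example.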
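Review bot: in the third hunk (@@ -71,7 +99,17 @@) the dispatch keys on the outer ethertype only, so 802.1Q-tagged IPv4/IPv6 frames (h_proto == htons(ETH_P_8021Q)) take the default branch and get no L4 information even though they carry IP. That is a reasonable first step, but it deserves a one-line comment above the switch and a sentence in the commit message, because users of the example rule will otherwise see `meta l4proto` silently fail to match on tagged traffic and may assume the counter is correct.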