diff mbox series

[nf-next,v2,2/4] netfilter: nft_tunnel: support NFT_TUNNEL_IPV4_SRC/DST match

Message ID 1573890564-16500-3-git-send-email-wenxu@ucloud.cn
State Deferred
Delegated to: Pablo Neira
Headers show
Series netfilter: nft_tunnel: support tunnel match expr offload | expand

Commit Message

wenxu Nov. 16, 2019, 7:49 a.m. UTC 
From: wenxu <wenxu@ucloud.cn>

Add new two NFT_TUNNEL_IPV4_SRC/DST match in nft_tunnel

Signed-off-by: wenxu <wenxu@ucloud.cn>
---
v2: add nft_tunnel_mode_match_ip

 include/uapi/linux/netfilter/nf_tables.h |  2 ++
 net/netfilter/nft_tunnel.c               | 32 ++++++++++++++++++++++++++++++++
 2 files changed, 34 insertions(+)
diff mbox series

Patch

diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index bb9b049..1621d72 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -1777,6 +1777,8 @@  enum nft_tunnel_key_attributes {
 enum nft_tunnel_keys {
 	NFT_TUNNEL_PATH,
 	NFT_TUNNEL_ID,
+	NFT_TUNNEL_IPV4_SRC,
+	NFT_TUNNEL_IPV4_DST,
 	__NFT_TUNNEL_MAX
 };
 #define NFT_TUNNEL_MAX	(__NFT_TUNNEL_MAX - 1)
diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
index 921555f5..67f7718 100644
--- a/net/netfilter/nft_tunnel.c
+++ b/net/netfilter/nft_tunnel.c
@@ -31,6 +31,16 @@  static bool nft_tunnel_mode_match(enum nft_tunnel_mode priv_mode,
 	return false;
 }
 
+static bool nft_tunnel_mode_match_ip(enum nft_tunnel_mode priv_mode,
+				     struct ip_tunnel_info *tun_info)
+{
+	if (nft_tunnel_mode_match(priv_mode, tun_info->mode) &&
+	    ip_tunnel_info_af(tun_info) == AF_INET)
+		return true;
+
+	return false;
+}
+
 static void nft_tunnel_get_eval(const struct nft_expr *expr,
 				struct nft_regs *regs,
 				const struct nft_pktinfo *pkt)
@@ -60,6 +70,26 @@  static void nft_tunnel_get_eval(const struct nft_expr *expr,
 		else
 			regs->verdict.code = NFT_BREAK;
 		break;
+	case NFT_TUNNEL_IPV4_SRC:
+		if (!tun_info) {
+			regs->verdict.code = NFT_BREAK;
+			return;
+		}
+		if (nft_tunnel_mode_match_ip(priv->mode, tun_info))
+			*dest = tun_info->key.u.ipv4.src;
+		else
+			regs->verdict.code = NFT_BREAK;
+		break;
+	case NFT_TUNNEL_IPV4_DST:
+		if (!tun_info) {
+			regs->verdict.code = NFT_BREAK;
+			return;
+		}
+		if (nft_tunnel_mode_match_ip(priv->mode, tun_info))
+			*dest = tun_info->key.u.ipv4.dst;
+		else
+			regs->verdict.code = NFT_BREAK;
+		break;
 	default:
 		WARN_ON(1);
 		regs->verdict.code = NFT_BREAK;
@@ -89,6 +119,8 @@  static int nft_tunnel_get_init(const struct nft_ctx *ctx,
 		len = sizeof(u8);
 		break;
 	case NFT_TUNNEL_ID:
+	case NFT_TUNNEL_IPV4_SRC:
+	case NFT_TUNNEL_IPV4_DST:
 		len = sizeof(u32);
 		break;
 	default: