From: Daniel Mack <daniel@zonque.org>
To: pablo@netfilter.org
Cc: daniel@iogearbox.net, netfilter-devel@vger.kernel.org,
	netdev@vger.kernel.org, fw@strlen.de,
	balazs.scheidler@balabit.com, Daniel Mack <daniel@zonque.org>
Subject: [PATCH RFC 1/3] netfilter: add socket to struct nft_pktinfo
Date: Wed, 16 Sep 2015 17:42:58 +0200
Message-ID: <1442418180-14322-2-git-send-email-daniel@zonque.org>
In-Reply-To: <1442418180-14322-1-git-send-email-daniel@zonque.org>

The high-level netfilter hook API already enables users to pass a socket,
but that information is lost when the chains are walked.

In order to let internal eval callbacks use the passed filter rather than
skb->sk, add a pointer of type 'struct sock' to 'struct nft_pktinfo' and
set that field via nft_set_pktinfo().

This allows us to run filter chains from situations where skb->sk is unset.
Fall back to skb->sk in case state->sk is NULL, so filter callbacks can be
written in a generic way.

Signed-off-by: Daniel Mack <daniel@zonque.org>
---
 include/net/netfilter/nf_tables.h | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index aa8bee7..05e97ed 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -13,6 +13,7 @@
 #define NFT_JUMP_STACK_SIZE	16
 
 struct nft_pktinfo {
+	struct sock			*sk;
 	struct sk_buff			*skb;
 	const struct net_device		*in;
 	const struct net_device		*out;
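Review bot: the new `sk` member is added without a comment, so a reader of `struct nft_pktinfo` will assume it always mirrors `skb->sk`, which the second hunk shows is not the case (it is the hook state's socket, falling back to `skb->sk`). Suggest a one-line comment above `struct sock *sk;` stating where the pointer comes from and that it may be set even when `skb->sk` is NULL, since that is the situation the series is built to handle.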
@@ -29,6 +30,7 @@ static inline void nft_set_pktinfo(struct nft_pktinfo *pkt,
 				   struct sk_buff *skb,
 				   const struct nf_hook_state *state)
 {
+	pkt->sk = state->sk ?: skb->sk;
 	pkt->skb = skb;
 	pkt->in = pkt->xt.in = state->in;
 	pkt->out = pkt->xt.out = state->out;
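Review bot: `pkt->sk = state->sk ?: skb->sk;` silently merges two sources, so an eval callback cannot tell whether the socket was supplied by the caller of the hook or taken from the skb, and no reference is taken on either pointer; the assignment therefore relies on every caller of nft_set_pktinfo() keeping `state->sk` alive for the whole chain walk. That lifetime requirement is not visible here and should at least be documented next to the assignment (or in the commit message), and the `?:` fallback deserves a short comment explaining that it exists so callbacks can be written generically, as the cover text says.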
-- 
2.5.0

Thread overview:
2015-09-16 15:42 [PATCH RFC 0/3] Allow postponed netfilter handling for socket matches Daniel Mack
2015-09-16 15:42 ` Daniel Mack [this message]
2015-09-16 15:42 ` [PATCH RFC 2/3] netfilter: nft_meta: mark skbs for postponed filter processing Daniel Mack
2015-09-16 15:43 ` [PATCH RFC 3/3] net: tcp_ipv4: re-run netfilter chains for marked skbs Daniel Mack
2015-09-16 21:21 ` [PATCH RFC 0/3] Allow postponed netfilter handling for socket matches Florian Westphal
2015-09-17 10:04   ` Daniel Mack
2015-09-17 16:00     ` Florian Westphal
2015-09-21 16:52       ` Daniel Mack
2015-09-21 19:05         ` Florian Westphal
