From: Stephane Bryant <stephane.ml.bryant@gmail.com>
To: pablo@netfilter.org
Cc: netfilter-devel@vger.kernel.org, stephane <stephane.ml.bryant@gmail.com>
Subject: [PATCH nf-next v3 2/3] netfilter: bridge: pass L2 header and VLAN as netlink attributes in queues to userspace
Date: Sat, 20 Feb 2016 10:07:09 +0100	[thread overview]
Message-ID: <1455959230-3680-2-git-send-email-stephane.ml.bryant@gmail.com> (raw)
In-Reply-To: <1455959230-3680-1-git-send-email-stephane.ml.bryant@gmail.com>

From: stephane <stephane.ml.bryant@gmail.com>

-this creates 2 netlink attributes, NFQA_VLAN and NFQA_L2HDR
-these are filled in for the PF_BRIDGE family on the way to userspace

Signed-off-by: Stephane Bryant <stephane.ml.bryant@gmail.com>
---
 include/uapi/linux/netfilter/nfnetlink_queue.h |  7 ++++
 net/netfilter/nfnetlink_queue.c                | 53 ++++++++++++++++++++++++++
 2 files changed, 60 insertions(+)

diff --git a/include/uapi/linux/netfilter/nfnetlink_queue.h b/include/uapi/linux/netfilter/nfnetlink_queue.h
index b67a853..211fcdc 100644
--- a/include/uapi/linux/netfilter/nfnetlink_queue.h
+++ b/include/uapi/linux/netfilter/nfnetlink_queue.h
@@ -30,6 +30,11 @@ struct nfqnl_msg_packet_timestamp {
 	__aligned_be64	usec;
 };
 
+struct nfqnl_msg_vlan {
+	__be16                  proto;
+	__u16                   tci;
+} __attribute__ ((packed));
+
 enum nfqnl_attr_type {
 	NFQA_UNSPEC,
 	NFQA_PACKET_HDR,
@@ -50,6 +55,8 @@ enum nfqnl_attr_type {
 	NFQA_UID,			/* __u32 sk uid */
 	NFQA_GID,			/* __u32 sk gid */
 	NFQA_SECCTX,			/* security context string */
+	NFQA_VLAN,                      /* packet vlan info */
+	NFQA_L2HDR,                     /* full L2 header */
 
 	__NFQA_MAX
 };
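Review bot: The comment on NFQA_VLAN, `/* packet vlan info */`, does not say what the payload is, and struct nfqnl_msg_vlan pairs a big-endian `proto` with a `tci` whose byte order the header leaves unstated; the .c side of this series fills tci straight from skb->vlan_tci (host order), so userspace cannot tell from the uapi header alone. Suggest `NFQA_VLAN, /* struct nfqnl_msg_vlan: proto (be16), tci (host order) */` plus the same one-liner above the struct, or convert tci on the way out so both fields share one byte order. NFQA_L2HDR's comment could likewise state that the payload is the raw bytes from the mac header up to the network header, which is what the .c side emits.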
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index 1d39365..b40cdb4 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -295,6 +295,54 @@ static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata)
 	return seclen;
 }
 
+static u32 nfqnl_get_bridge_nla_len(struct nf_queue_entry *entry)
+{
+	u32 nlalen = 0;
+	struct sk_buff *entskb = entry->skb;
+
+	if ((entry->state.pf != PF_BRIDGE) || (!skb_mac_header_was_set(entskb)))
+		return 0;
+
+	if (skb_vlan_tag_present(entskb))
+		nlalen += nla_total_size(sizeof(struct nfqnl_msg_vlan));
+
+	if (entskb->network_header > entskb->mac_header)
+		nlalen += nla_total_size((entskb->network_header -
+					  entskb->mac_header));
+
+	return nlalen;
+}
+
+static int nfqnl_put_bridge_nla(struct nf_queue_entry *entry,
+				struct sk_buff *skb)
+{
+	struct sk_buff *entskb = entry->skb;
+
+	if ((entry->state.pf != PF_BRIDGE) || (!skb_mac_header_was_set(entskb)))
+		return 0;
+
+	if (skb_vlan_tag_present(entskb)) {
+		struct nfqnl_msg_vlan pvlan;
+
+		pvlan.tci = entskb->vlan_tci;
+		pvlan.proto = entskb->vlan_proto;
+		if (nla_put(skb, NFQA_VLAN, sizeof(pvlan), &pvlan))
+			goto nla_put_failure;
+	}
+
+	if (entskb->mac_header < entskb->network_header) {
+		int len = (int)(entskb->network_header - entskb->mac_header);
+
+		if (nla_put(skb, NFQA_L2HDR, len, skb_mac_header(entskb)))
+			goto nla_put_failure;
+	}
+
+	return 0;
+
+nla_put_failure:
+	return -1;
+}
+
 static struct sk_buff *
 nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
 			   struct nf_queue_entry *entry,
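Review bot: `pvlan.tci = entskb->vlan_tci;` copies the skb field verbatim; if skb->vlan_tci in this tree still carries the in-band VLAN_TAG_PRESENT marker (it does in kernels of this vintage), userspace receives a TCI with a non-802.1Q bit set, and `pvlan.tci = skb_vlan_tag_get(entskb);` is the accessor that masks it. The byte order inside the message is also mixed, `proto` goes out as __be16 while `tci` stays host order; pick one, e.g. `pvlan.tci = htons(skb_vlan_tag_get(entskb));` with tci declared __be16 in the uapi struct, so userspace does not have to special-case one field. Minor: nfqnl_get_bridge_nla_len and nfqnl_put_bridge_nla must stay in lockstep since the size reserved is what the second one fills, yet they spell the L2 test as `network_header > mac_header` in one and `mac_header < network_header` in the other; a comment on the length helper such as `/* must mirror the attributes emitted by nfqnl_put_bridge_nla() */` would help the next editor. The nfqnl_build_packet_message signature that closes the hunk continues outside it.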
@@ -334,6 +382,8 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
 	if (entskb->tstamp.tv64)
 		size += nla_total_size(sizeof(struct nfqnl_msg_packet_timestamp));
 
+	size += nfqnl_get_bridge_nla_len(entry);
+
 	if (entry->state.hook <= NF_INET_FORWARD ||
 	   (entry->state.hook == NF_INET_POST_ROUTING && entskb->sk == NULL))
 		csum_verify = !skb_csum_unnecessary(entskb);
@@ -499,6 +549,9 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
 		}
 	}
 
+	if (nfqnl_put_bridge_nla(entry, skb))
+		goto nla_put_failure;
+
 	if (entskb->tstamp.tv64) {
 		struct nfqnl_msg_packet_timestamp ts;
 		struct timespec64 kts = ktime_to_timespec64(skb->tstamp);
-- 
2.1.4


