From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netdev@vger.kernel.org
Cc: netfilter-devel@vger.kernel.org, kaber@trash.net, davem@davemloft.net
Subject: [PATCH] filter: add SKF_AD_NLATTR_NEST to look for nested attributes
Date: Mon, 17 Nov 2008 09:31:37 +0100
Message-ID: <20081117083136.10840.70283.stgit@Decadence>

SKF_AD_NLATTR allows us to find the first matching attribute in a
stream of netlink attributes from one offset to the end of the
netlink message. This is not suitable for looking for a specific
match inside a set of nested attributes.

For example, in ctnetlink messages, if we look for the CTA_V6_SRC
attribute in a message that talks about an IPv4 connection,
SKF_AD_NLATTR returns the offset of CTA_STATUS, which has the same
value as CTA_V6_SRC but is outside the nest. To differentiate
CTA_STATUS and CTA_V6_SRC, we would have to make assumptions on the
size of the attribute and the usual offset, resulting in horrible
BPF code.

This patch adds SKF_AD_NLATTR_NEST, which is a variant of
SKF_AD_NLATTR that looks for an attribute inside the limits of
a nested attribute, but not further.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/linux/filter.h | 3 ++-
net/core/filter.c | 15 +++++++++++++++
2 files changed, 17 insertions(+), 1 deletions(-)
diff --git a/include/linux/filter.h b/include/linux/filter.h
index b6ea9aa..1354aaf 100644
--- a/include/linux/filter.h
+++ b/include/linux/filter.h
@@ -122,7 +122,8 @@ struct sock_fprog /* Required for SO_ATTACH_FILTER. */
#define SKF_AD_PKTTYPE 4
#define SKF_AD_IFINDEX 8
#define SKF_AD_NLATTR 12
-#define SKF_AD_MAX 16
+#define SKF_AD_NLATTR_NEST 16
+#define SKF_AD_MAX 20
#define SKF_NET_OFF (-0x100000)
#define SKF_LL_OFF (-0x200000)
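Review bot: the new SKF_AD_NLATTR_NEST define carries no comment on its register contract, and the surrounding defines do not either, so a reader of this header cannot tell that A is the offset of the nest header, X the attribute type, and that the result (offset of the match, or 0) lands in A; a one-line comment beside the define, or a note next to SKF_AD_NLATTR covering both, would fix that. SKF_AD_MAX moving from 16 to 20 is what makes offset 16 reachable for the ancillary-load dispatch, so that line is the ABI-visible part of the change and should stay in step with the switch in net/core/filter.c.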
diff --git a/net/core/filter.c b/net/core/filter.c
index df37443..2f9c7ea 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -319,6 +319,21 @@ load_b:
A = 0;
continue;
}
+ case SKF_AD_NLATTR_NEST: {
+ struct nlattr *nla;
+
+ if (skb_is_nonlinear(skb))
+ return 0;
+ if (A > skb->len - sizeof(struct nlattr))
+ return 0;
+
+ nla = nla_find_nested((struct nlattr *)&skb->data[A],X);
+ if (nla)
+ A = (void *)nla - (void *)skb->data;
+ else
+ A = 0;
+ continue;
+ }
default:
return 0;
}
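Review bot: the nest header's own nla_len is never checked against the skb, so nla_find_nested() walks up to nla_len(nla) bytes from &skb->data[A] on the word of a length field taken from the packet; only the header at A is guaranteed to be inside skb->data, while the walk it bounds is not. Since SO_ATTACH_FILTER filters run on any socket's input, that length can be chosen by whoever sent the packet. Add, before the nla_find_nested() call, something like `if (nla->nla_len > skb->len - A) return 0;` on the header at A. Separately, `A > skb->len - sizeof(struct nlattr)` is an unsigned subtraction, so an skb shorter than sizeof(struct nlattr) wraps and passes the check; a preceding `if (skb->len < sizeof(struct nlattr)) return 0;` closes that. Minor: missing space after the comma in `nla_find_nested((struct nlattr *)&skb->data[A],X)`.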
Thread overview: 6+ messages
2008-11-17 8:31 Pablo Neira Ayuso [this message]
2008-11-17 8:36 ` [PATCH] filter: add SKF_AD_NLATTR_NEST to look for nested attributes David Miller
2008-11-17 14:35 ` Patrick McHardy
-- strict thread matches above, loose matches on Subject: below --
2008-11-18 3:01 Pablo Neira Ayuso
2008-11-18 10:49 ` Patrick McHardy
2008-11-20 8:49 ` David Miller
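The difference between the two ancillary loads, and the bound the patch leaves unchecked, can be shown without a kernel. The following is an added example, not code from the patch or from the kernel: it is a user-space model in which struct nlattr and the nla_* helpers are re-implemented to match the kernel's definitions (4-byte header, 4-byte alignment, nla_find_nested() searching only the nest's payload), the ctnetlink constants use the upstream enum values (CTA_TUPLE_ORIG=1, CTA_STATUS=3, CTA_TUPLE_IP=1, CTA_IP_V4_SRC=1, CTA_IP_V6_SRC=3, so CTA_STATUS and CTA_IP_V6_SRC collide as the commit message says), the attribute stream is constructed here (no nlmsghdr/nfgenmsg in front of it), and skf_ad_nlattr_nest() adds a check on the nest header's nla_len that the patch does not have.

```c
/* Added example: user-space model of SKF_AD_NLATTR and SKF_AD_NLATTR_NEST.
 * Not the kernel's code; helpers below mirror the kernel's nla_* definitions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

struct nlattr { uint16_t nla_len; uint16_t nla_type; }; /* header + payload, unpadded */

#define NLA_ALIGNTO 4
#define NLA_ALIGN(len) (((len) + NLA_ALIGNTO - 1) & ~(NLA_ALIGNTO - 1))
#define NLA_HDRLEN ((int)NLA_ALIGN(sizeof(struct nlattr)))

/* Upstream ctnetlink values (assumed from the uapi headers, not from the patch). */
enum { CTA_TUPLE_ORIG = 1, CTA_TUPLE_REPLY = 2, CTA_STATUS = 3 };
enum { CTA_TUPLE_IP = 1, CTA_TUPLE_PROTO = 2 };
enum { CTA_IP_V4_SRC = 1, CTA_IP_V4_DST = 2, CTA_IP_V6_SRC = 3, CTA_IP_V6_DST = 4 };

static int nla_ok(const struct nlattr *nla, int remaining)
{
	return remaining >= (int)sizeof(*nla) &&
	       nla->nla_len >= (int)sizeof(*nla) && nla->nla_len <= remaining;
}

static const struct nlattr *nla_next(const struct nlattr *nla, int *remaining)
{
	int totlen = NLA_ALIGN(nla->nla_len);
	*remaining -= totlen;
	return (const struct nlattr *)((const char *)nla + totlen);
}

/* Flat walk over a stream of attributes, bounded by the caller's len. */
static const struct nlattr *nla_find(const struct nlattr *head, int len, int type)
{
	const struct nlattr *nla;
	int rem;
	for (nla = head, rem = len; nla_ok(nla, rem); nla = nla_next(nla, &rem))
		if (nla->nla_type == type)
			return nla;
	return NULL;
}

/* Walk only the payload of one nest; the bound comes from the nest's own header. */
static const struct nlattr *nla_find_nested(const struct nlattr *nest, int type)
{
	return nla_find((const struct nlattr *)((const char *)nest + NLA_HDRLEN),
			nest->nla_len - NLA_HDRLEN, type);
}

/* SKF_AD_NLATTR: A = start offset, X = type; returns the match offset or 0. */
uint32_t skf_ad_nlattr(const uint8_t *data, uint32_t len, uint32_t A, uint32_t X)
{
	const struct nlattr *nla;
	if (len < sizeof(struct nlattr) || A > len - sizeof(struct nlattr))
		return 0;
	nla = nla_find((const struct nlattr *)&data[A], len - A, X);
	return nla ? (uint32_t)((const uint8_t *)nla - data) : 0;
}

/* SKF_AD_NLATTR_NEST: A = offset of the nest header, X = type.  The nla_len
 * bound check is this example's addition; the patch trusts the packet's value. */
uint32_t skf_ad_nlattr_nest(const uint8_t *data, uint32_t len, uint32_t A, uint32_t X)
{
	const struct nlattr *nla;
	if (len < sizeof(struct nlattr) || A > len - sizeof(struct nlattr))
		return 0;
	nla = (const struct nlattr *)&data[A];
	if (nla->nla_len < NLA_HDRLEN || nla->nla_len > len - A)
		return 0; /* nest claims more bytes than the buffer holds */
	nla = nla_find_nested(nla, X);
	return nla ? (uint32_t)((const uint8_t *)nla - data) : 0;
}

/* Append one attribute at *off (payload padded to 4); returns its header offset. */
static uint32_t put_attr(uint8_t *buf, uint32_t *off, uint16_t type,
			 const void *payload, uint16_t plen)
{
	uint32_t start = *off;
	struct nlattr hdr = { (uint16_t)(NLA_HDRLEN + plen), type };
	memcpy(buf + start, &hdr, sizeof hdr);
	if (plen)
		memcpy(buf + start + NLA_HDRLEN, payload, plen);
	memset(buf + start + NLA_HDRLEN + plen, 0, NLA_ALIGN(plen) - plen);
	*off = start + NLA_HDRLEN + NLA_ALIGN(plen);
	return start;
}

/* Close a nest opened with put_attr(..., NULL, 0) by fixing its nla_len. */
static void end_nest(uint8_t *buf, uint32_t start, uint32_t off)
{
	uint16_t len = (uint16_t)(off - start);
	memcpy(buf + start, &len, sizeof len);
}

/* Constructed sample: CTA_TUPLE_ORIG { CTA_TUPLE_IP { V4_SRC, V4_DST } } CTA_STATUS */
uint32_t build_msg(uint8_t *buf, uint32_t *orig_off, uint32_t *ip_off, uint32_t *status_off)
{
	uint32_t off = 0;
	const uint8_t src[4] = { 10, 0, 0, 1 }, dst[4] = { 10, 0, 0, 2 }, st[4] = { 0, 0, 0, 0x0e };
	*orig_off = put_attr(buf, &off, CTA_TUPLE_ORIG, NULL, 0);
	*ip_off = put_attr(buf, &off, CTA_TUPLE_IP, NULL, 0);
	put_attr(buf, &off, CTA_IP_V4_SRC, src, 4);
	put_attr(buf, &off, CTA_IP_V4_DST, dst, 4);
	end_nest(buf, *ip_off, off);
	end_nest(buf, *orig_off, off);
	*status_off = put_attr(buf, &off, CTA_STATUS, st, 4);
	return off; /* 32 bytes: nests at 0 and 4, V4_SRC at 8, V4_DST at 16, STATUS at 24 */
}

/* Build the sample and run one lookup with either ancillary load. */
uint32_t lookup(int nested, uint32_t A, uint32_t X)
{
	uint8_t buf[64];
	uint32_t o, i, s, len = build_msg(buf, &o, &i, &s);
	return nested ? skf_ad_nlattr_nest(buf, len, A, X) : skf_ad_nlattr(buf, len, A, X);
}

/* Returns 1 when a nest header claiming 65535 bytes is refused instead of walked. */
int overlong_nest_rejected(void)
{
	uint8_t buf[64];
	uint32_t o, i, s, len = build_msg(buf, &o, &i, &s);
	uint16_t bogus = 0xffff;
	memcpy(buf + i, &bogus, sizeof bogus);
	return skf_ad_nlattr_nest(buf, len, i, CTA_IP_V4_SRC) == 0;
}

int main(void)
{
	printf("flat search for type 3 from 0      -> %u (CTA_STATUS, outside the nest)\n", lookup(0, 0, CTA_IP_V6_SRC));
	printf("nested search in CTA_TUPLE_IP, type 3 -> %u (not found)\n", lookup(1, 4, CTA_IP_V6_SRC));
	printf("nested search in CTA_TUPLE_IP, type 1 -> %u (CTA_IP_V4_SRC)\n", lookup(1, 4, CTA_IP_V4_SRC));
	printf("inflated nest length rejected: %d\n", overlong_nest_rejected());
	return 0;
}
```

The flat search for type 3 lands on CTA_STATUS at offset 24, which is the false positive the commit message describes; the nested search confined to the CTA_TUPLE_IP nest at offset 4 correctly reports no match for type 3 and finds CTA_IP_V4_SRC at offset 8. Without the nla_len check in skf_ad_nlattr_nest(), the inflated header would make nla_find_nested() read about 64 KiB past a 64-byte buffer, which is the same walk the patched kernel code performs on skb->data.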