Re: [PATCH netfilter: nft] add connmark module

[Pablo Neira Ayuso <pablo@netfilter.org>]

Hi,

On Mon, Jan 06, 2014 at 01:29:12PM +0100, Kristian Evensen wrote:
> From: Kristian Evensen <kristian.evensen@gmail.com>
> 
> This patch adds a connmark module to nftables, which enables setting, storing
> and restoring the connection mark (ctmark) of a tracked connection. It works in
> the same way as xt_CONNMARK.
> 
> Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
> ---
>  include/uapi/linux/netfilter/nf_tables.h |  35 +++++++
>  net/netfilter/Kconfig                    |  10 ++
>  net/netfilter/Makefile                   |   1 +
>  net/netfilter/nft_connmark.c             | 169 +++++++++++++++++++++++++++++++
>  4 files changed, 215 insertions(+)
>  create mode 100644 net/netfilter/nft_connmark.c
> 
> diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
> index aa86a152..ccf9f9f 100644
> --- a/include/uapi/linux/netfilter/nf_tables.h
> +++ b/include/uapi/linux/netfilter/nf_tables.h
> @@ -682,6 +682,41 @@ enum nft_queue_attributes {
>  #define NFT_QUEUE_FLAG_MASK		0x03
>  
>  /**
> + * enum nft_connmark_types - nf_tables connmark expression types
> + *
> + * @NFT_CONNMARK_SAVE: save connmark
> + * @NFT_CONNMARK_RESTORE: restore connmark
> + * @NFT_CONNMARK_SET: set connmark (iptables set-xmark)
> + */
> +enum nft_connmark_types {
> +	NFT_CONNMARK_SAVE,
> +	NFT_CONNMARK_RESTORE,
> +	NFT_CONNMARK_SET
> +};
> +
> +/**
> + * enum nft_connmark_attributes - nf_tables connmark expression netlink
> + * attributes
> + *
> + * @NFTA_CONNMARK_MODE: conntrack action (save, set or restore) (NLA_U8)
> + * @NFTA_CONNMARK_CTMARK: conntrack ctmark (NLA_U32)
> + * @NFTA_CONNMARK_CTMASK: conntrack ctmask (NLA_U32)
> + * @NFTA_CONNMARK_NFMASK: conntrack nfmask (NLA_U32)
> + */
> +
> +enum nft_connmark_attributes {
> +	NFTA_CONNMARK_UNSPEC,
> +	NFTA_CONNMARK_MODE,
> +	NFTA_CONNMARK_CTMARK,
> +	NFTA_CONNMARK_CTMASK,
> +	NFTA_CONNMARK_NFMASK,
> +	__NFTA_CONNMARK_MAX,
> +};
> +#define NFTA_CONNMARK_MAX		(__NFTA_CONNMARK_MAX - 1)
> +
> +#define NFT_CONNMARK_DEFAULT_MASK	0xFFFFFFFF
> +
> +/**
>   * enum nft_reject_types - nf_tables reject expression reject types
>   *
>   * @NFT_REJECT_ICMP_UNREACH: reject using ICMP unreachable
> diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
> index 0609514..d3ff630 100644
> --- a/net/netfilter/Kconfig
> +++ b/net/netfilter/Kconfig
> @@ -471,6 +471,16 @@ config NFT_COUNTER
>  	  This option adds the "counter" expression that you can use to
>  	  include packet and byte counters in a rule.
>  
> +config NFT_CONNMARK
> +	depends on NF_TABLES
> +	depends on NF_CONNTRACK
> +	depends on NETFILTER_ADVANCED
> +	select NF_CONNTRACK_MARK
> +	tristate "Netfilter nf_tables conntrack module"
> +	help
> +		This option adds the "connmark" expression that can be used to
> +		set, save or restore a mark on a tracked connection.
> +
>  config NFT_LOG
>  	depends on NF_TABLES
>  	tristate "Netfilter nf_tables log module"
> diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
> index 39e4a7b..5097a2f 100644
> --- a/net/netfilter/Makefile
> +++ b/net/netfilter/Makefile
> @@ -71,6 +71,7 @@ nf_tables-objs += nft_bitwise.o nft_byteorder.o nft_payload.o
>  
>  obj-$(CONFIG_NF_TABLES)		+= nf_tables.o
>  obj-$(CONFIG_NFT_COMPAT)	+= nft_compat.o
> +obj-$(CONFIG_NFT_CONNMARK)	+= nft_connmark.o
>  obj-$(CONFIG_NFT_EXTHDR)	+= nft_exthdr.o
>  obj-$(CONFIG_NFT_META)		+= nft_meta.o
>  obj-$(CONFIG_NFT_CT)		+= nft_ct.o
> diff --git a/net/netfilter/nft_connmark.c b/net/netfilter/nft_connmark.c
> new file mode 100644
> index 0000000..04d56d1
> --- /dev/null
> +++ b/net/netfilter/nft_connmark.c
> @@ -0,0 +1,169 @@
> +/* Copyright (c) 2013 Kristian Evensen <kristian.evensen@gmail.com>
> + *
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License version 2 as
> + * published by the Free Software Foundation.
> + */
> +
> +#include <linux/kernel.h>
> +#include <linux/init.h>
> +#include <linux/module.h>
> +#include <linux/netlink.h>
> +#include <linux/netfilter.h>
> +#include <linux/netfilter/nf_tables.h>
> +#include <net/netfilter/nf_tables.h>
> +#include <net/netfilter/nf_conntrack.h>
> +#include <net/netfilter/nf_conntrack_ecache.h>
> +
> +struct nft_connmark {
> +	u32 ctmask;
> +	union{
> +		u32 ctmark;
> +		u32 nfmask;
> +	};
> +	u8  mode;
> +};
> +
> +static void nft_connmark_eval(const struct nft_expr *expr,
> +			   struct nft_data data[NFT_REG_MAX + 1],
> +			   const struct nft_pktinfo *pkt)
> +{
> +	struct nft_connmark *priv = nft_expr_priv(expr);
> +	enum ip_conntrack_info ctinfo;
> +	struct nf_conn *ct;
> +	u_int32_t newmark;
> +
> +	ct = nf_ct_get(pkt->skb, &ctinfo);
> +	if (ct == NULL)
> +		return;
> +
> +	switch (priv->mode) {
> +	case NFT_CONNMARK_SET:
> +		newmark = (ct->mark & ~priv->ctmask) ^ priv->ctmark;
> +		if (ct->mark != newmark) {
> +			ct->mark = newmark;
> +			nf_conntrack_event_cache(IPCT_MARK, ct);
> +		}
> +		break;
> +	case NFT_CONNMARK_SAVE:
> +		newmark = (ct->mark & ~priv->ctmask) ^
> +			  (pkt->skb->mark & priv->nfmask);
> +
> +		if (ct->mark != newmark) {
> +			ct->mark = newmark;
> +			nf_conntrack_event_cache(IPCT_MARK, ct);
> +		}
> +		break;
> +	case NFT_CONNMARK_RESTORE:
> +		newmark = (pkt->skb->mark & ~priv->nfmask) ^
> +			  (ct->mark & priv->ctmask);
> +		pkt->skb->mark = newmark;

We already have expressions for bitmask operations and to fetch the
packet mark into a register. These operations can be implemented in
the existing meta expressions as NFT_META_CONNMARK.

Note that we now have two meta flavours:

http://git.kernel.org/cgit/linux/kernel/git/pablo/nftables.git/commit/net/netfilter/nft_meta.c?id=e035b77ac7be430a5fef8c9c23f60b6b50ec81c5

So the idea is to make a patch that allows us to retrieve and to set
the connmark value.

Thanks.