From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
Cc: kaber@trash.net, netfilter-devel@vger.kernel.org
Subject: Re: [RFC 2/3] netfilter: nf_tables: Add meta expression key for bridge interface name
Date: Tue, 8 Apr 2014 10:06:42 +0200 [thread overview]
Message-ID: <20140408080642.GA3904@localhost> (raw)
In-Reply-To: <1395911972-17259-3-git-send-email-tomasz.bursztyka@linux.intel.com>
Hi Tomasz,
On Thu, Mar 27, 2014 at 11:19:31AM +0200, Tomasz Bursztyka wrote:
> NFT_META_IBRIFNAME to get packet input bridge interface name
> NFT_META_OBRIFNAME to get packet output bridge interface name
>
> Such meta keys are accessible only through the NFPROTO_BRIDGE family, on a
> dedicated nft meta module: nft_meta_bridge.
>
> Suggested-by: Pablo Neira Ayuso <pablo@netfilter.org>
> Signed-off-by: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
> ---
> include/uapi/linux/netfilter/nf_tables.h | 4 +
> net/bridge/Makefile | 1 +
> net/bridge/netfilter/Kconfig | 12 ++-
> net/bridge/netfilter/Makefile | 1 +
> net/bridge/netfilter/nft_meta_bridge.c | 162 +++++++++++++++++++++++++++++++
> 5 files changed, 179 insertions(+), 1 deletion(-)
> create mode 100644 net/bridge/netfilter/nft_meta_bridge.c
>
> diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
> index 83c985a..6b84a2e 100644
> --- a/include/uapi/linux/netfilter/nf_tables.h
> +++ b/include/uapi/linux/netfilter/nf_tables.h
> @@ -533,6 +533,8 @@ enum nft_exthdr_attributes {
> * @NFT_META_SECMARK: packet secmark (skb->secmark)
> * @NFT_META_NFPROTO: netfilter protocol
> * @NFT_META_L4PROTO: layer 4 protocol number
> + * @NFT_META_BRI_IIFNAME: packet input bridge interface name
> + * @NFT_META_BRI_OIFNAME: packet output bridge interface name
> */
> enum nft_meta_keys {
> NFT_META_LEN,
> @@ -552,6 +554,8 @@ enum nft_meta_keys {
> NFT_META_SECMARK,
> NFT_META_NFPROTO,
> NFT_META_L4PROTO,
> + NFT_META_BRI_IIFNAME,
> + NFT_META_BRI_OIFNAME,
> };
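Review bot: The new kernel-doc lines for NFT_META_BRI_IIFNAME and NFT_META_BRI_OIFNAME say "bridge interface name" without saying whose name is loaded, and the rest of the series is not consistent about it: the eval in the nft_meta_bridge.c hunk copies `p->br->dev->name`, which, if I read br_private.h right, is the name of the bridge device the port belongs to, while the Kconfig help text in the net/bridge/netfilter/Kconfig hunk speaks of "the bridge port name". Suggest making the enum comment explicit, e.g. `* @NFT_META_BRI_IIFNAME: name of the bridge the input interface is a port of` (and the same shape for OIFNAME), or switching the eval to `p->dev->name` if the port's own name was intended; either way the Kconfig wording should say the same thing, since rules written against the wrong name silently never match.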
>
> /**
> diff --git a/net/bridge/Makefile b/net/bridge/Makefile
> index e85498b2f..58acd82 100644
> --- a/net/bridge/Makefile
> +++ b/net/bridge/Makefile
> @@ -16,4 +16,5 @@ bridge-$(CONFIG_BRIDGE_IGMP_SNOOPING) += br_multicast.o br_mdb.o
>
> bridge-$(CONFIG_BRIDGE_VLAN_FILTERING) += br_vlan.o
>
> +obj-$(CONFIG_NF_TABLES_BRIDGE) += netfilter/
> obj-$(CONFIG_BRIDGE_NF_EBTABLES) += netfilter/
> diff --git a/net/bridge/netfilter/Kconfig b/net/bridge/netfilter/Kconfig
> index 5ca74a0..906783d 100644
> --- a/net/bridge/netfilter/Kconfig
> +++ b/net/bridge/netfilter/Kconfig
> @@ -2,10 +2,20 @@
> # Bridge netfilter configuration
> #
> #
> -config NF_TABLES_BRIDGE
> +menuconfig NF_TABLES_BRIDGE
> depends on NF_TABLES
> tristate "Ethernet Bridge nf_tables support"
>
> +if NF_TABLES_BRIDGE
> +
> +config NFT_BRIDGE_META
> + tristate "Netfilter nf_table bridge meta support"
> + depends on NFT_META
> + help
> + Add support for bridge dedicated meta key.
... like the bridge port name.
> +
> +endif # NF_TABLES_BRIDGE
> +
> menuconfig BRIDGE_NF_EBTABLES
> tristate "Ethernet Bridge tables (ebtables) support"
> depends on BRIDGE && NETFILTER
> diff --git a/net/bridge/netfilter/Makefile b/net/bridge/netfilter/Makefile
> index ea7629f..6f2f394 100644
> --- a/net/bridge/netfilter/Makefile
> +++ b/net/bridge/netfilter/Makefile
> @@ -3,6 +3,7 @@
> #
>
> obj-$(CONFIG_NF_TABLES_BRIDGE) += nf_tables_bridge.o
> +obj-$(CONFIG_NFT_BRIDGE_META) += nft_meta_bridge.o
>
> obj-$(CONFIG_BRIDGE_NF_EBTABLES) += ebtables.o
>
> diff --git a/net/bridge/netfilter/nft_meta_bridge.c b/net/bridge/netfilter/nft_meta_bridge.c
> new file mode 100644
> index 0000000..411a6b5
> --- /dev/null
> +++ b/net/bridge/netfilter/nft_meta_bridge.c
> @@ -0,0 +1,162 @@
> +/*
> + * Copyright (c) 2012 Intel Corporation
> + *
> + * This program is free software; you can redistribute it and/or modify
> + * it under the terms of the GNU General Public License version 2 as
> + * published by the Free Software Foundation.
> + *
> + */
> +
> +#include <linux/kernel.h>
> +#include <linux/init.h>
> +#include <linux/module.h>
> +#include <linux/netlink.h>
> +#include <linux/netfilter.h>
> +#include <linux/netfilter/nf_tables.h>
> +#include <net/netfilter/nf_tables.h>
> +#include <net/netfilter/nft_meta.h>
> +
> +#include "../br_private.h"
> +
> +static void nft_meta_bridge_get_eval(const struct nft_expr *expr,
> + struct nft_data data[NFT_REG_MAX + 1],
> + const struct nft_pktinfo *pkt)
> +{
> + const struct nft_meta *priv = nft_expr_priv(expr);
> + const struct net_device *in = pkt->in, *out = pkt->out;
> + struct nft_data *dest = &data[priv->dreg];
> + const struct net_bridge_port *p;
> +
> + if (pkt->ops->pf != NFPROTO_BRIDGE)
> + goto out;
Is this possible or just defensive? I think we only allow the
selection of this expression flavour when the bridge family is used.
> + switch (priv->key) {
> + case NFT_META_BRI_IIFNAME:
> + if (in == NULL || (p = br_port_get_rcu(in)) == NULL)
> + goto err;
> + break;
> + case NFT_META_BRI_OIFNAME:
> + if (out == NULL || (p = br_port_get_rcu(out)) == NULL)
> + goto err;
> + break;
> + default:
> + goto out;
> + }
> +
> + strncpy((char *)dest->data, p->br->dev->name, sizeof(dest->data));
> + return;
> +out:
> + return nft_meta_get_eval(expr, data, pkt);
> +err:
> + data[NFT_REG_VERDICT].verdict = NFT_BREAK;
> +}
> +
> +static int nft_meta_bridge_init_validate_get(uint32_t key)
> +{
> + switch (key) {
> + case NFT_META_BRI_IIFNAME:
> + case NFT_META_BRI_OIFNAME:
> + return 0;
> + default:
> + break;
> + }
> +
> + return nft_meta_init_validate_get(key);
> +}
> +
> +static int nft_meta_bridge_init(const struct nft_ctx *ctx,
> + const struct nft_expr *expr,
> + const struct nlattr * const tb[])
> +{
> + struct nft_meta *priv = nft_expr_priv(expr);
> + int err;
> +
> + priv->key = ntohl(nla_get_be32(tb[NFTA_META_KEY]));
> +
> + if (tb[NFTA_META_DREG]) {
> + err = nft_meta_bridge_init_validate_get(priv->key);
> + if (err < 0)
> + return err;
> +
> + priv->dreg = ntohl(nla_get_be32(tb[NFTA_META_DREG]));
> + err = nft_validate_output_register(priv->dreg);
> + if (err < 0)
> + return err;
> +
> + return nft_validate_data_load(ctx, priv->dreg, NULL,
> + NFT_DATA_VALUE);
> + }
> +
> + err = nft_meta_init_validate_set(priv->key);
> + if (err < 0)
> + return err;
> +
> + priv->sreg = ntohl(nla_get_be32(tb[NFTA_META_SREG]));
> + err = nft_validate_input_register(priv->sreg);
> + if (err < 0)
> + return err;
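Review bot: nft_meta_bridge_init reads `tb[NFTA_META_KEY]` unconditionally on its first statement and `tb[NFTA_META_SREG]` whenever NFTA_META_DREG is absent; unless the core rejects a message that carries neither attribute before calling init (not visible in this hunk), `nla_get_be32` dereferences a NULL attribute on netlink input that comes from userspace. Suggest `if (tb[NFTA_META_KEY] == NULL) return -EINVAL;` before the key is read and `if (tb[NFTA_META_SREG] == NULL) return -EINVAL;` at the start of the set path, so a malformed rule fails with -EINVAL instead of an oops. The get/set split already requested is a natural place to put these checks. nft_meta_bridge_init continues past the end of the quoted hunk.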
Please, also rework this so we have one _init function for the get and
the set variants, ie. nft_meta_bridge_get_init and
nft_meta_bridge_set_init, I'd suggest.
Apart from that, this patch looks fine to me. Thanks.