[PATCH libnftnl 0/2] add backend support to define ct helpers

[PATCH libnftnl 0/2] add backend support to define ct helpers

[Florian Westphal]

This adds libnftnl support to define connection tracking helpers.
Frontend (nft) support will follow soon.

 include/libnftnl/object.h           |   10 +
 include/linux/netfilter/nf_tables.h |   12 +-
 include/obj.h                       |    6 +
 src/Makefile.am                     |    1 
 src/libnftnl.map                    |    4 
 src/obj/ct_helper.c                 |  210 ++++++++++++++++++++++++++++++++++++
 src/object.c                        |   29 ++++
 7 files changed, 270 insertions(+), 2 deletions(-)

[PATCH libnftnl 1/2] object: extend set/get api for u8/u16 types

[Florian Westphal]

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 include/libnftnl/object.h |  4 ++++
 src/libnftnl.map          |  4 ++++
 src/object.c              | 26 ++++++++++++++++++++++++++
 3 files changed, 34 insertions(+)

diff --git a/include/libnftnl/object.h b/include/libnftnl/object.h
index 074a37789734..ca3abeae66cc 100644
--- a/include/libnftnl/object.h
+++ b/include/libnftnl/object.h
@@ -44,12 +44,16 @@ void nftnl_obj_unset(struct nftnl_obj *ne, uint16_t attr);
 void nftnl_obj_set_data(struct nftnl_obj *ne, uint16_t attr, const void *data,
 			uint32_t data_len);
 void nftnl_obj_set(struct nftnl_obj *ne, uint16_t attr, const void *data);
+void nftnl_obj_set_u8(struct nftnl_obj *ne, uint16_t attr, uint8_t val);
+void nftnl_obj_set_u16(struct nftnl_obj *ne, uint16_t attr, uint16_t val);
 void nftnl_obj_set_u32(struct nftnl_obj *ne, uint16_t attr, uint32_t val);
 void nftnl_obj_set_u64(struct nftnl_obj *obj, uint16_t attr, uint64_t val);
 void nftnl_obj_set_str(struct nftnl_obj *ne, uint16_t attr, const char *str);
 const void *nftnl_obj_get_data(struct nftnl_obj *ne, uint16_t attr,
 			       uint32_t *data_len);
 const void *nftnl_obj_get(struct nftnl_obj *ne, uint16_t attr);
+uint8_t nftnl_obj_get_u8(struct nftnl_obj *ne, uint16_t attr);
+uint16_t nftnl_obj_get_u16(struct nftnl_obj *obj, uint16_t attr);
 uint32_t nftnl_obj_get_u32(struct nftnl_obj *ne, uint16_t attr);
 uint64_t nftnl_obj_get_u64(struct nftnl_obj *obj, uint16_t attr);
 const char *nftnl_obj_get_str(struct nftnl_obj *ne, uint16_t attr);
diff --git a/src/libnftnl.map b/src/libnftnl.map
index 4c082102aa29..1892c983eb50 100644
--- a/src/libnftnl.map
+++ b/src/libnftnl.map
@@ -278,9 +278,13 @@ global:
   nftnl_obj_unset;
   nftnl_obj_set;
   nftnl_obj_get;
+  nftnl_obj_set_u8;
+  nftnl_obj_set_u16;
   nftnl_obj_set_u32;
   nftnl_obj_set_u64;
   nftnl_obj_set_str;
+  nftnl_obj_get_u8;
+  nftnl_obj_get_u16;
   nftnl_obj_get_u32;
   nftnl_obj_get_str;
   nftnl_obj_get_u64;
diff --git a/src/object.c b/src/object.c
index 773eff6a5a18..e635f6a8ff0e 100644
--- a/src/object.c
+++ b/src/object.c
@@ -107,6 +107,18 @@ void nftnl_obj_set(struct nftnl_obj *obj, uint16_t attr, const void *data)
 }
 EXPORT_SYMBOL(nftnl_obj_set);
 
+void nftnl_obj_set_u8(struct nftnl_obj *obj, uint16_t attr, uint8_t val)
+{
+	nftnl_obj_set_data(obj, attr, &val, sizeof(uint8_t));
+}
+EXPORT_SYMBOL(nftnl_obj_set_u8);
+
+void nftnl_obj_set_u16(struct nftnl_obj *obj, uint16_t attr, uint16_t val)
+{
+	nftnl_obj_set_data(obj, attr, &val, sizeof(uint16_t));
+}
+EXPORT_SYMBOL(nftnl_obj_set_u16);
+
 void nftnl_obj_set_u32(struct nftnl_obj *obj, uint16_t attr, uint32_t val)
 {
 	nftnl_obj_set_data(obj, attr, &val, sizeof(uint32_t));
@@ -164,6 +176,20 @@ const void *nftnl_obj_get(struct nftnl_obj *obj, uint16_t attr)
 }
 EXPORT_SYMBOL(nftnl_obj_get);
 
+uint8_t nftnl_obj_get_u8(struct nftnl_obj *obj, uint16_t attr)
+{
+	const void *ret = nftnl_obj_get(obj, attr);
+	return ret == NULL ? 0 : *((uint8_t *)ret);
+}
+EXPORT_SYMBOL(nftnl_obj_get_u8);
+
+uint16_t nftnl_obj_get_u16(struct nftnl_obj *obj, uint16_t attr)
+{
+	const void *ret = nftnl_obj_get(obj, attr);
+	return ret == NULL ? 0 : *((uint16_t *)ret);
+}
+EXPORT_SYMBOL(nftnl_obj_get_u16);
+
 uint32_t nftnl_obj_get_u32(struct nftnl_obj *obj, uint16_t attr)
 {
 	const void *ret = nftnl_obj_get(obj, attr);
-- 
2.10.2

[PATCH libnftnl 2/2] src: ct helper support

[Florian Westphal]

add support for ct helper objects, these are used to assign helpers to
connections, similar to iptables -j CT --set-helper target.

Signed-off-by: Florian Westphal <fw@strlen.de>
---
 include/libnftnl/object.h           |   6 ++
 include/linux/netfilter/nf_tables.h |  12 ++-
 include/obj.h                       |   6 ++
 src/Makefile.am                     |   1 +
 src/obj/ct_helper.c                 | 210 ++++++++++++++++++++++++++++++++++++
 src/object.c                        |   3 +-
 6 files changed, 236 insertions(+), 2 deletions(-)
 create mode 100644 src/obj/ct_helper.c

diff --git a/include/libnftnl/object.h b/include/libnftnl/object.h
index ca3abeae66cc..ccd9d19b9364 100644
--- a/include/libnftnl/object.h
+++ b/include/libnftnl/object.h
@@ -34,6 +34,12 @@ enum {
 	NFTNL_OBJ_QUOTA_FLAGS,
 };
 
+enum {
+	NFTNL_OBJ_CT_HELPER_NAME = NFTNL_OBJ_BASE,
+	NFTNL_OBJ_CT_HELPER_L3PROTO,
+	NFTNL_OBJ_CT_HELPER_L4PROTO,
+};
+
 struct nftnl_obj;
 
 struct nftnl_obj *nftnl_obj_alloc(void);
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index a9280a6541ac..8f3842690d17 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -1260,10 +1260,20 @@ enum nft_fib_flags {
 	NFTA_FIB_F_PRESENT	= 1 << 5,	/* check existence only */
 };
 
+enum nft_ct_helper_attributes {
+	NFTA_CT_HELPER_UNSPEC,
+	NFTA_CT_HELPER_NAME,
+	NFTA_CT_HELPER_L3PROTO,
+	NFTA_CT_HELPER_L4PROTO,
+	__NFTA_CT_HELPER_MAX,
+};
+#define NFTA_CT_HELPER_MAX	(__NFTA_CT_HELPER_MAX - 1)
+
 #define NFT_OBJECT_UNSPEC	0
 #define NFT_OBJECT_COUNTER	1
 #define NFT_OBJECT_QUOTA	2
-#define __NFT_OBJECT_MAX	3
+#define NFT_OBJECT_CT_HELPER	3
+#define __NFT_OBJECT_MAX	4
 #define NFT_OBJECT_MAX		(__NFT_OBJECT_MAX - 1)
 
 /**
diff --git a/include/obj.h b/include/obj.h
index edbf023f5cdd..d90919f2d86b 100644
--- a/include/obj.h
+++ b/include/obj.h
@@ -30,6 +30,11 @@ struct nftnl_obj {
 			uint64_t	consumed;
 			uint32_t        flags;
 		} quota;
+		struct nftnl_obj_ct_helper {
+			uint16_t	l3proto;
+			uint8_t		l4proto;
+			char		name[16];
+		} ct_helper;
 	} data;
 };
 
@@ -49,6 +54,7 @@ struct obj_ops {
 
 extern struct obj_ops obj_ops_counter;
 extern struct obj_ops obj_ops_quota;
+extern struct obj_ops obj_ops_ct_helper;
 
 #define nftnl_obj_data(obj) (void *)&obj->data
 
diff --git a/src/Makefile.am b/src/Makefile.am
index 485a8c4acbef..77b67b267672 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -53,5 +53,6 @@ libnftnl_la_SOURCES = utils.c		\
 		      expr/redir.c	\
 		      expr/hash.c	\
 		      obj/counter.c	\
+		      obj/ct_helper.c	\
 		      obj/quota.c	\
 		      libnftnl.map
diff --git a/src/obj/ct_helper.c b/src/obj/ct_helper.c
new file mode 100644
index 000000000000..d6d3111ecce8
--- /dev/null
+++ b/src/obj/ct_helper.c
@@ -0,0 +1,210 @@
+/*
+ * (C) 2017 Red Hat GmbH
+ * Author: Florian Westphal <fw@strlen.de>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published
+ * by the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+ */
+
+#include <stdio.h>
+#include <stdint.h>
+#include <arpa/inet.h>
+#include <errno.h>
+#include <inttypes.h>
+
+#include <linux/netfilter/nf_tables.h>
+
+#include "internal.h"
+#include <libmnl/libmnl.h>
+#include <libnftnl/object.h>
+
+#include "obj.h"
+
+static int nftnl_obj_ct_helper_set(struct nftnl_obj *e, uint16_t type,
+				   const void *data, uint32_t data_len)
+{
+	struct nftnl_obj_ct_helper *helper = nftnl_obj_data(e);
+
+	switch (type) {
+	case NFTNL_OBJ_CT_HELPER_NAME:
+		snprintf(helper->name, sizeof(helper->name), "%s", (const char *)data);
+		break;
+	case NFTNL_OBJ_CT_HELPER_L3PROTO:
+		helper->l3proto = *((uint16_t *)data);
+		break;
+	case NFTNL_OBJ_CT_HELPER_L4PROTO:
+		helper->l4proto = *((uint8_t *)data);
+		break;
+	default:
+		return -1;
+	}
+	return 0;
+}
+
+static const void *nftnl_obj_ct_helper_get(const struct nftnl_obj *e,
+					   uint16_t type, uint32_t *data_len)
+{
+	struct nftnl_obj_ct_helper *helper = nftnl_obj_data(e);
+
+	switch (type) {
+	case NFTNL_OBJ_CT_HELPER_NAME:
+		*data_len = strlen(helper->name);
+		return helper->name;
+	case NFTNL_OBJ_CT_HELPER_L3PROTO:
+		*data_len = sizeof(helper->l3proto);
+		return &helper->l3proto;
+	case NFTNL_OBJ_CT_HELPER_L4PROTO:
+		*data_len = sizeof(helper->l4proto);
+		return &helper->l4proto;
+	}
+	return NULL;
+}
+
+static int nftnl_obj_ct_helper_cb(const struct nlattr *attr, void *data)
+{
+	const struct nftnl_obj_ct_helper *helper = NULL;
+	int type = mnl_attr_get_type(attr);
+	const struct nlattr **tb = data;
+
+	if (mnl_attr_type_valid(attr, NFTA_CT_HELPER_MAX) < 0)
+		return MNL_CB_OK;
+
+	switch (type) {
+	case NFTA_CT_HELPER_NAME:
+		if (mnl_attr_validate(attr, MNL_TYPE_STRING) < 0)
+			abi_breakage();
+		if (mnl_attr_get_payload_len(attr) >= sizeof(helper->name))
+			abi_breakage();
+		break;
+	case NFTA_CT_HELPER_L3PROTO:
+		if (mnl_attr_validate(attr, MNL_TYPE_U16) < 0)
+			abi_breakage();
+		break;
+	case NFTA_CT_HELPER_L4PROTO:
+		if (mnl_attr_validate(attr, MNL_TYPE_U8) < 0)
+			abi_breakage();
+		break;
+	}
+
+	tb[type] = attr;
+	return MNL_CB_OK;
+}
+
+static void
+nftnl_obj_ct_helper_build(struct nlmsghdr *nlh, const struct nftnl_obj *e)
+{
+	struct nftnl_obj_ct_helper *helper = nftnl_obj_data(e);
+
+	if (e->flags & (1 << NFTNL_OBJ_CT_HELPER_NAME))
+		mnl_attr_put_str(nlh, NFTA_CT_HELPER_NAME, helper->name);
+	if (e->flags & (1 << NFTNL_OBJ_CT_HELPER_L3PROTO))
+		mnl_attr_put_u16(nlh, NFTA_CT_HELPER_L3PROTO, htons(helper->l3proto));
+	if (e->flags & (1 << NFTNL_OBJ_CT_HELPER_L4PROTO))
+		mnl_attr_put_u8(nlh, NFTA_CT_HELPER_L4PROTO, helper->l4proto);
+}
+
+static int
+nftnl_obj_ct_helper_parse(struct nftnl_obj *e, struct nlattr *attr)
+{
+	struct nftnl_obj_ct_helper *helper = nftnl_obj_data(e);
+	struct nlattr *tb[NFTA_CT_HELPER_MAX + 1] = {};
+
+	if (mnl_attr_parse_nested(attr, nftnl_obj_ct_helper_cb, tb) < 0)
+		return -1;
+
+	if (tb[NFTA_CT_HELPER_NAME]) {
+		snprintf(helper->name, sizeof(helper->name), "%s",
+			 mnl_attr_get_str(tb[NFTA_CT_HELPER_NAME]));
+		e->flags |= (1 << NFTNL_OBJ_CT_HELPER_NAME);
+	}
+	if (tb[NFTA_CT_HELPER_L3PROTO]) {
+		helper->l3proto = ntohs(mnl_attr_get_u16(tb[NFTA_CT_HELPER_L3PROTO]));
+		e->flags |= (1 << NFTNL_OBJ_CT_HELPER_L3PROTO);
+	}
+	if (tb[NFTA_CT_HELPER_L4PROTO]) {
+		helper->l4proto = mnl_attr_get_u8(tb[NFTA_CT_HELPER_L4PROTO]);
+		e->flags |= (1 << NFTNL_OBJ_CT_HELPER_L4PROTO);
+	}
+
+	return 0;
+}
+
+static int
+nftnl_obj_quota_json_parse(struct nftnl_obj *e, json_t *root,
+				 struct nftnl_parse_err *err)
+{
+#ifdef JSON_PARSING
+	uint64_t bytes;
+	uint32_t flags;
+
+	if (nftnl_jansson_parse_val(root, "bytes", NFTNL_TYPE_U64, &bytes,
+				  err) == 0)
+		nftnl_obj_set_u64(e, NFTNL_OBJ_QUOTA_BYTES, bytes);
+	if (nftnl_jansson_parse_val(root, "consumed", NFTNL_TYPE_U64, &bytes,
+				    err) == 0)
+		nftnl_obj_set_u64(e, NFTNL_OBJ_QUOTA_CONSUMED, bytes);
+	if (nftnl_jansson_parse_val(root, "flags", NFTNL_TYPE_U32, &flags,
+				  err) == 0)
+		nftnl_obj_set_u32(e, NFTNL_OBJ_QUOTA_FLAGS, flags);
+
+	return 0;
+#else
+	errno = EOPNOTSUPP;
+	return -1;
+#endif
+}
+
+static int nftnl_obj_ct_helper_export(char *buf, size_t size,
+				   const struct nftnl_obj *e, int type)
+{
+	struct nftnl_obj_ct_helper *helper = nftnl_obj_data(e);
+	NFTNL_BUF_INIT(b, buf, size);
+
+	if (e->flags & (1 << NFTNL_OBJ_CT_HELPER_NAME))
+		nftnl_buf_str(&b, type, helper->name, NAME);
+	if (e->flags & (1 << NFTNL_OBJ_CT_HELPER_L3PROTO))
+		nftnl_buf_u32(&b, type, helper->l3proto, FAMILY);
+	if (e->flags & (1 << NFTNL_OBJ_CT_HELPER_L4PROTO))
+		nftnl_buf_u32(&b, type, helper->l4proto, "service");
+
+	return nftnl_buf_done(&b);
+}
+
+static int nftnl_obj_ct_helper_snprintf_default(char *buf, size_t len,
+					       const struct nftnl_obj *e)
+{
+	struct nftnl_obj_ct_helper *helper = nftnl_obj_data(e);
+
+	return snprintf(buf, len, "name %s family %d protocol %d ",
+			helper->name, helper->l3proto, helper->l4proto);
+}
+
+static int nftnl_obj_ct_helper_snprintf(char *buf, size_t len, uint32_t type,
+				       uint32_t flags,
+				       const struct nftnl_obj *e)
+{
+	switch (type) {
+	case NFTNL_OUTPUT_DEFAULT:
+		return nftnl_obj_ct_helper_snprintf_default(buf, len, e);
+	case NFTNL_OUTPUT_JSON:
+		return nftnl_obj_ct_helper_export(buf, len, e, type);
+	default:
+		break;
+	}
+	return -1;
+}
+
+struct obj_ops obj_ops_ct_helper = {
+	.name		= "ct_helper",
+	.type		= NFT_OBJECT_CT_HELPER,
+	.alloc_len	= sizeof(struct nftnl_obj_ct_helper),
+	.max_attr	= NFTA_CT_HELPER_MAX,
+	.set		= nftnl_obj_ct_helper_set,
+	.get		= nftnl_obj_ct_helper_get,
+	.parse		= nftnl_obj_ct_helper_parse,
+	.build		= nftnl_obj_ct_helper_build,
+	.snprintf	= nftnl_obj_ct_helper_snprintf,
+	.json_parse	= nftnl_obj_quota_json_parse,
+};
diff --git a/src/object.c b/src/object.c
index e635f6a8ff0e..e1a5ac4757b6 100644
--- a/src/object.c
+++ b/src/object.c
@@ -28,11 +28,12 @@
 static struct obj_ops *obj_ops[] = {
 	[NFT_OBJECT_COUNTER]	= &obj_ops_counter,
 	[NFT_OBJECT_QUOTA]	= &obj_ops_quota,
+	[NFT_OBJECT_CT_HELPER]	= &obj_ops_ct_helper,
 };
 
 static struct obj_ops *nftnl_obj_ops_lookup(uint32_t type)
 {
-	if (type > NFT_OBJECT_QUOTA)
+	if (type > NFT_OBJECT_CT_HELPER)
 		return NULL;
 
 	return obj_ops[type];
-- 
2.10.2

Re: [PATCH libnftnl 0/2] add backend support to define ct helpers

[Pablo Neira Ayuso]

On Tue, Mar 14, 2017 at 08:53:59PM +0100, Florian Westphal wrote:
> This adds libnftnl support to define connection tracking helpers.
> Frontend (nft) support will follow soon.

Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>