From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 03/38] netfilter: nft_ct: labels get support
Date: Mon, 17 Mar 2014 13:42:23 +0100 [thread overview]
Message-ID: <1395060178-11833-4-git-send-email-pablo@netfilter.org> (raw)
In-Reply-To: <1395060178-11833-1-git-send-email-pablo@netfilter.org>
From: Florian Westphal <fw@strlen.de>
This also adds NF_CT_LABELS_MAX_SIZE so it can be re-used
as BUILD_BUG_ON in nft_ct.
At this time, nft doesn't yet support writing to the label area;
when this changes the label->words handling needs to be moved
out of xt_connlabel.c into nf_conntrack_labels.c.
Also removes a useless run-time check: words cannot grow beyond
4 (32 bit) or 2 (64bit) since xt_connlabel enforces a maximum of
128 labels.
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/net/netfilter/nf_conntrack_labels.h | 4 +++-
include/uapi/linux/netfilter/nf_tables.h | 1 +
net/netfilter/nf_conntrack_netlink.c | 5 ++---
net/netfilter/nft_ct.c | 24 ++++++++++++++++++++++++
4 files changed, 30 insertions(+), 4 deletions(-)
diff --git a/include/net/netfilter/nf_conntrack_labels.h b/include/net/netfilter/nf_conntrack_labels.h
index c985695..dec6336 100644
--- a/include/net/netfilter/nf_conntrack_labels.h
+++ b/include/net/netfilter/nf_conntrack_labels.h
@@ -7,6 +7,8 @@
#include <uapi/linux/netfilter/xt_connlabel.h>
+#define NF_CT_LABELS_MAX_SIZE ((XT_CONNLABEL_MAXBIT + 1) / BITS_PER_BYTE)
+
struct nf_conn_labels {
u8 words;
unsigned long bits[];
@@ -29,7 +31,7 @@ static inline struct nf_conn_labels *nf_ct_labels_ext_add(struct nf_conn *ct)
u8 words;
words = ACCESS_ONCE(net->ct.label_words);
- if (words == 0 || WARN_ON_ONCE(words > 8))
+ if (words == 0)
return NULL;
cl_ext = nf_ct_ext_add_length(ct, NF_CT_EXT_LABELS,
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 83c985a..c84c452 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -601,6 +601,7 @@ enum nft_ct_keys {
NFT_CT_PROTOCOL,
NFT_CT_PROTO_SRC,
NFT_CT_PROTO_DST,
+ NFT_CT_LABELS,
};
/**
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index bb322d0..47e9369 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -966,7 +966,6 @@ ctnetlink_parse_help(const struct nlattr *attr, char **helper_name,
return 0;
}
-#define __CTA_LABELS_MAX_LENGTH ((XT_CONNLABEL_MAXBIT + 1) / BITS_PER_BYTE)
static const struct nla_policy ct_nla_policy[CTA_MAX+1] = {
[CTA_TUPLE_ORIG] = { .type = NLA_NESTED },
[CTA_TUPLE_REPLY] = { .type = NLA_NESTED },
@@ -984,9 +983,9 @@ static const struct nla_policy ct_nla_policy[CTA_MAX+1] = {
[CTA_ZONE] = { .type = NLA_U16 },
[CTA_MARK_MASK] = { .type = NLA_U32 },
[CTA_LABELS] = { .type = NLA_BINARY,
- .len = __CTA_LABELS_MAX_LENGTH },
+ .len = NF_CT_LABELS_MAX_SIZE },
[CTA_LABELS_MASK] = { .type = NLA_BINARY,
- .len = __CTA_LABELS_MAX_LENGTH },
+ .len = NF_CT_LABELS_MAX_SIZE },
};
static int
diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index 46e2754..e59b08f 100644
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -19,6 +19,7 @@
#include <net/netfilter/nf_conntrack_tuple.h>
#include <net/netfilter/nf_conntrack_helper.h>
#include <net/netfilter/nf_conntrack_ecache.h>
+#include <net/netfilter/nf_conntrack_labels.h>
struct nft_ct {
enum nft_ct_keys key:8;
@@ -97,6 +98,26 @@ static void nft_ct_get_eval(const struct nft_expr *expr,
goto err;
strncpy((char *)dest->data, helper->name, sizeof(dest->data));
return;
+#ifdef CONFIG_NF_CONNTRACK_LABELS
+ case NFT_CT_LABELS: {
+ struct nf_conn_labels *labels = nf_ct_labels_find(ct);
+ unsigned int size;
+
+ if (!labels) {
+ memset(dest->data, 0, sizeof(dest->data));
+ return;
+ }
+
+ BUILD_BUG_ON(NF_CT_LABELS_MAX_SIZE > sizeof(dest->data));
+ size = labels->words * sizeof(long);
+
+ memcpy(dest->data, labels->bits, size);
+ if (size < sizeof(dest->data))
+ memset(((char *) dest->data) + size, 0,
+ sizeof(dest->data) - size);
+ return;
+ }
+#endif
}
tuple = &ct->tuplehash[priv->dir].tuple;
@@ -221,6 +242,9 @@ static int nft_ct_init_validate_get(const struct nft_expr *expr,
#ifdef CONFIG_NF_CONNTRACK_SECMARK
case NFT_CT_SECMARK:
#endif
+#ifdef CONFIG_NF_CONNTRACK_LABELS
+ case NFT_CT_LABELS:
+#endif
case NFT_CT_EXPIRATION:
case NFT_CT_HELPER:
if (tb[NFTA_CT_DIRECTION] != NULL)
--
1.7.10.4
next prev parent reply other threads:[~2014-03-17 12:42 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-03-17 12:42 [PATCH 00/38] Netfilter/IPVS updates for net-next Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 01/38] netfilter: remove double colon Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 02/38] netfilter: xt_ipcomp: Use ntohs to ease sparse warning Pablo Neira Ayuso
2014-03-17 12:42 ` Pablo Neira Ayuso [this message]
2014-03-17 12:42 ` [PATCH 04/38] netfilter: ip_set: rename nfnl_dereference()/nfnl_set() Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 05/38] netfilter: nfnetlink: add rcu_dereference_protected() helpers Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 06/38] netfilter: nf_tables: add nft_dereference() macro Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 07/38] netfilter: nf_tables: accept QUEUE/DROP verdict parameters Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 08/38] netfilter: nfnetlink_log: remove unused code Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 09/38] netfilter: nf_tables: add optional user data area to rules Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 10/38] netfilter: ipset: Follow manual page behavior for SET target on list:set Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 11/38] netfilter: ipset: Add hash: fix coccinelle warnings Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 12/38] netfilter: ipset: add hash:ip,mark data type to ipset Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 13/38] netfilter: ipset: add markmask for hash:ip,mark data type Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 14/38] netfilter: ipset: Prepare the kernel for create option flags when no extension is needed Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 15/38] netfilter: ipset: kernel: uapi: fix MARKMASK attr ABI breakage Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 16/38] netfilter: ipset: move registration message to init from net_init Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 17/38] netfilter: ipset: add forceadd kernel support for hash set types Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 18/38] sections, ipvs: Remove useless __read_mostly for ipvs genl_ops Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 19/38] ipvs: Reduce checkpatch noise in ip_vs_lblc.c Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 20/38] netfilter: trivial code cleanup and doc changes Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 21/38] netfilter: conntrack: spinlock per cpu to protect special lists Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 22/38] netfilter: avoid race with exp->master ct Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 23/38] netfilter: conntrack: seperate expect locking from nf_conntrack_lock Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 24/38] netfilter: conntrack: remove central spinlock nf_conntrack_lock Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 25/38] netfilter: nft_hash: bug fixes and resizing Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 26/38] netfilter: nf_tables: clean up nf_tables_trans_add() argument order Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 27/38] netfilter: nf_tables: restore context for expression destructors Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 28/38] netfilter: nf_tables: restore notifications for anonymous set destruction Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 29/38] netfilter: nft_ct: remove family from struct nft_ct Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 30/38] netfilter: nft_nat: fix family validation Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 31/38] netfilter: connlimit: factor hlist search into new function Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 32/38] netfilter: connlimit: improve packet-to-closed-connection logic Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 33/38] netfilter: connlimit: move insertion of new element out of count function Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 34/38] netfilter: connlimit: use kmem_cache for conn objects Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 35/38] netfilter: Convert uses of __constant_<foo> to <foo> Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 36/38] netfilter: connlimit: use keyed locks Pablo Neira Ayuso
2014-03-17 12:54 ` David Laight
2014-03-17 14:26 ` Florian Westphal
2014-03-17 14:40 ` David Laight
2014-03-17 14:00 ` Eric Dumazet
2014-03-17 14:23 ` Florian Westphal
2014-03-18 13:46 ` Jesper Dangaard Brouer
2014-03-18 14:01 ` Eric Dumazet
2014-03-17 12:42 ` [PATCH 37/38] netfilter: connlimit: make same_source_net signed Pablo Neira Ayuso
2014-03-17 12:42 ` [PATCH 38/38] netfilter: connlimit: use rbtree for per-host conntrack obj storage Pablo Neira Ayuso
2014-03-17 19:19 ` [PATCH 00/38] Netfilter/IPVS updates for net-next David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1395060178-11833-4-git-send-email-pablo@netfilter.org \
--to=pablo@netfilter.org \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).