From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 02/25] netfilter: nft_meta: add pkttype support
Date: Wed, 10 Sep 2014 17:10:19 +0200 [thread overview]
Message-ID: <1410361842-4656-3-git-send-email-pablo@netfilter.org> (raw)
In-Reply-To: <1410361842-4656-1-git-send-email-pablo@netfilter.org>
From: Ana Rey <anarey@gmail.com>
Add pkttype support for ip, ipv6 and inet families of tables.
This allows you to fetch the meta packet type based on the link layer
information. The loopback traffic is a special case, the packet type
is guessed from the network layer header.
No special handling for bridge and arp since we're not going to see
such traffic in the loopback interface.
Joint work with Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
Signed-off-by: Ana Rey <anarey@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/uapi/linux/netfilter/nf_tables.h | 2 ++
net/netfilter/nft_meta.c | 28 ++++++++++++++++++++++++++++
2 files changed, 30 insertions(+)
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 801bdd1..98144cd 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -571,6 +571,7 @@ enum nft_exthdr_attributes {
* @NFT_META_L4PROTO: layer 4 protocol number
* @NFT_META_BRI_IIFNAME: packet input bridge interface name
* @NFT_META_BRI_OIFNAME: packet output bridge interface name
+ * @NFT_META_PKTTYPE: packet type (skb->pkt_type), special handling for loopback
*/
enum nft_meta_keys {
NFT_META_LEN,
@@ -592,6 +593,7 @@ enum nft_meta_keys {
NFT_META_L4PROTO,
NFT_META_BRI_IIFNAME,
NFT_META_BRI_OIFNAME,
+ NFT_META_PKTTYPE,
};
/**
diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
index 852b178..4f2862f 100644
--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -14,6 +14,9 @@
#include <linux/netlink.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nf_tables.h>
+#include <linux/in.h>
+#include <linux/ip.h>
+#include <linux/ipv6.h>
#include <net/dst.h>
#include <net/sock.h>
#include <net/tcp_states.h> /* for TCP_TIME_WAIT */
@@ -124,6 +127,30 @@ void nft_meta_get_eval(const struct nft_expr *expr,
dest->data[0] = skb->secmark;
break;
#endif
+ case NFT_META_PKTTYPE:
+ if (skb->pkt_type != PACKET_LOOPBACK) {
+ dest->data[0] = skb->pkt_type;
+ break;
+ }
+
+ switch (pkt->ops->pf) {
+ case NFPROTO_IPV4:
+ if (ipv4_is_multicast(ip_hdr(skb)->daddr))
+ dest->data[0] = PACKET_MULTICAST;
+ else
+ dest->data[0] = PACKET_BROADCAST;
+ break;
+ case NFPROTO_IPV6:
+ if (ipv6_hdr(skb)->daddr.s6_addr[0] == 0xFF)
+ dest->data[0] = PACKET_MULTICAST;
+ else
+ dest->data[0] = PACKET_BROADCAST;
+ break;
+ default:
+ WARN_ON(1);
+ goto err;
+ }
+ break;
default:
WARN_ON(1);
goto err;
@@ -195,6 +222,7 @@ int nft_meta_get_init(const struct nft_ctx *ctx,
#ifdef CONFIG_NETWORK_SECMARK
case NFT_META_SECMARK:
#endif
+ case NFT_META_PKTTYPE:
break;
default:
return -EOPNOTSUPP;
--
1.7.10.4
next prev parent reply other threads:[~2014-09-10 15:10 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-09-10 15:10 [PATCH 00/25] nf-next pull request Pablo Neira Ayuso
2014-09-10 15:10 ` [PATCH 01/25] uapi: netfilter_arp: use __u8 instead of u_int8_t Pablo Neira Ayuso
2014-09-10 15:10 ` Pablo Neira Ayuso [this message]
2014-09-10 15:10 ` [PATCH 03/25] netfilter: nft_meta: Add cpu attribute support Pablo Neira Ayuso
2014-09-10 15:10 ` [PATCH 04/25] netfilter: ipset: Removed invalid IPSET_ATTR_MARKMASK validation Pablo Neira Ayuso
2014-09-10 15:10 ` [PATCH 05/25] netfilter: ipset: netnet,netportnet: Fix value range support for IPv4 Pablo Neira Ayuso
2014-09-10 15:10 ` [PATCH 06/25] netfilter: ipset: Resolve missing-field-initializer warnings Pablo Neira Ayuso
2014-09-10 15:10 ` [PATCH 07/25] netfilter: ipset: Fix warn: integer overflows 'sizeof(*map) + size * set->dsize' Pablo Neira Ayuso
2014-09-10 15:10 ` [PATCH 08/25] netfilter: nfnetlink_acct: add filter support to nfacct counter list/reset Pablo Neira Ayuso
2014-09-10 15:10 ` [PATCH 09/25] netfilter: nat: move specific NAT IPv4 to core Pablo Neira Ayuso
2014-09-10 15:10 ` [PATCH 10/25] netfilter: nft_chain_nat_ipv4: use generic IPv4 NAT code from core Pablo Neira Ayuso
2014-09-10 15:10 ` [PATCH 11/25] netfilter: nat: move specific NAT IPv6 to core Pablo Neira Ayuso
2014-09-10 15:10 ` [PATCH 12/25] netfilter: nft_chain_nat_ipv6: use generic IPv6 NAT code from core Pablo Neira Ayuso
2014-09-10 15:10 ` [PATCH 13/25] netfilter: nf_tables: refactor rule deletion helper Pablo Neira Ayuso
2014-09-10 15:10 ` [PATCH 14/25] netfilter: nf_tables: add helper to unregister chain hooks Pablo Neira Ayuso
2014-09-10 15:10 ` [PATCH 15/25] netfilter: nf_tables: rename nf_table_delrule_by_chain() Pablo Neira Ayuso
2014-09-10 15:10 ` [PATCH 16/25] netfilter: nf_tables: add devgroup support in meta expresion Pablo Neira Ayuso
2014-09-10 15:10 ` [PATCH 17/25] ipvs: reduce stack usage for sockopt data Pablo Neira Ayuso
2014-09-10 15:10 ` [PATCH 18/25] netfilter: xt_string: Remove unnecessary initialization of struct ts_state Pablo Neira Ayuso
2014-09-10 15:10 ` [PATCH 19/25] netfilter: nf_tables: add helpers to schedule objects deletion Pablo Neira Ayuso
2014-09-10 15:10 ` [PATCH 20/25] netfilter: nf_tables: extend NFT_MSG_DELTABLE to support flushing the ruleset Pablo Neira Ayuso
2014-09-10 15:10 ` [PATCH 21/25] netfilter: nft_nat: include a flag attribute Pablo Neira Ayuso
2014-09-10 15:10 ` [PATCH 22/25] netfilter: ebtables: create audit records for replaces Pablo Neira Ayuso
2014-09-10 15:10 ` [PATCH 23/25] netfilter: nf_nat: generalize IPv4 masquerading support for nf_tables Pablo Neira Ayuso
2014-09-10 15:10 ` [PATCH 24/25] netfilter: nf_nat: generalize IPv6 " Pablo Neira Ayuso
2014-09-10 15:10 ` [PATCH 25/25] netfilter: nf_tables: add new nft_masq expression Pablo Neira Ayuso
2014-09-10 19:47 ` [PATCH 00/25] nf-next pull request David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1410361842-4656-3-git-send-email-pablo@netfilter.org \
--to=pablo@netfilter.org \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).