* [PATCH ]net: sched/cls_flow.c : allow nfct-* keys work on ingress interfaces
@ 2015-12-11 9:55 Igor Gavrilov
From: Igor Gavrilov @ 2015-12-11 9:55 UTC (permalink / raw)
To: netdev
[-- Attachment #1: Type: text/plain, Size: 118 bytes --]
Improved the CTTUPLE macro with code from sched/act_connmark.c, so it is
able to get unNATed addresses from nf_conntrack.
[-- Attachment #2: cls_flow.patch --]
[-- Type: application/octet-stream, Size: 3438 bytes --]
--- net/sched/cls_flow.c.orig 2015-12-11 12:51:32.541673211 +0200
+++ net/sched/cls_flow.c 2015-12-11 13:46:58.153601838 +0200
@@ -31,6 +31,8 @@
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
#include <net/netfilter/nf_conntrack.h>
+#include <net/netfilter/nf_conntrack_core.h>
+#include <net/netfilter/nf_conntrack_zones.h>
#endif
struct flow_head {
@@ -133,16 +135,47 @@ static u32 flow_get_nfct(const struct sk
}
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
-#define CTTUPLE(skb, member) \
+#define CTTUPLE(skb, direction, member) \
({ \
enum ip_conntrack_info ctinfo; \
- const struct nf_conn *ct = nf_ct_get(skb, &ctinfo); \
- if (ct == NULL) \
+ struct nf_conntrack_tuple tuple; \
+ struct nf_conntrack_zone zone; \
+ const struct nf_conntrack_tuple_hash *thash; \
+ __be32 result; \
+ int proto; \
+ struct nf_conn *ct = nf_ct_get(skb, &ctinfo); \
+ if (ct == NULL) { \
+ switch (tc_skb_protocol(skb)) { \
+ case htons(ETH_P_IP): \
+ proto = NFPROTO_IPV4; \
+ break; \
+ case htons(ETH_P_IPV6): \
+ proto = NFPROTO_IPV6; \
+ break; \
+ default: \
+ goto fallback; \
+ } \
+ \
+ if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb), proto, \
+ dev_net(skb->dev), &tuple)) \
goto fallback; \
- ct->tuplehash[CTINFO2DIR(ctinfo)].tuple.member; \
+ zone.id = NF_CT_DEFAULT_ZONE_ID; \
+ zone.dir = NF_CT_DEFAULT_ZONE_DIR; \
+ \
+ thash = nf_conntrack_find_get(dev_net(skb->dev), &zone, &tuple);\
+ if (!thash) \
+ goto fallback; \
+ ct = nf_ct_tuplehash_to_ctrack(thash); \
+ result = ct->tuplehash[(thash->tuple.dst.dir == IP_CT_DIR_REPLY) ? \
+ IP_CT_DIR_ORIGINAL : IP_CT_DIR_REPLY].tuple.src.member;\
+ nf_ct_put(ct); \
+ } else { \
+ result = ct->tuplehash[CTINFO2DIR(ctinfo)].tuple.direction.member;\
+ } \
+ result; \
})
#else
-#define CTTUPLE(skb, member) \
+#define CTTUPLE(skb, direction, member) \
({ \
goto fallback; \
0; \
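Review bot: In the lookup branch of the new CTTUPLE (the `result = ct->tuplehash[...].tuple.src.member` statement after `nf_ct_tuplehash_to_ctrack`), the `direction` argument is never used: the opposite-direction tuple's `src` is read unconditionally, so `flow_get_nfct_src` and `flow_get_nfct_dst` yield the same value whenever the skb carries no conntrack reference, and the src key appears to report a destination address on that path. The branch should pick the tuple index and member according to `direction`, or the macro's comment should state that this path only resolves the un-NATed destination. A smaller issue is that `result` is declared `__be32` while the macro is also expanded with `u.all` (a `__be16`, passed to `ntohs` in the flow_get_nfct_proto_src and flow_get_nfct_proto_dst hunks); declaring `result` after `ct` as `typeof(ct->tuplehash[0].tuple.direction.member) result;` would preserve the expression's original type and avoid sparse endianness warnings. It is also worth confirming that `skb->dev` cannot be NULL at the two `dev_net(skb->dev)` calls, which presumably holds for a tc classifier but is not checked here. The `#else` fallback macro continues past the end of the hunk.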
@@ -153,9 +186,9 @@ static u32 flow_get_nfct_src(const struc
{
switch (tc_skb_protocol(skb)) {
case htons(ETH_P_IP):
- return ntohl(CTTUPLE(skb, src.u3.ip));
+ return ntohl(CTTUPLE(skb, src, u3.ip));
case htons(ETH_P_IPV6):
- return ntohl(CTTUPLE(skb, src.u3.ip6[3]));
+ return ntohl(CTTUPLE(skb, src, u3.ip6[3]));
}
fallback:
return flow_get_src(skb, flow);
@@ -165,9 +198,9 @@ static u32 flow_get_nfct_dst(const struc
{
switch (tc_skb_protocol(skb)) {
case htons(ETH_P_IP):
- return ntohl(CTTUPLE(skb, dst.u3.ip));
+ return ntohl(CTTUPLE(skb, dst, u3.ip));
case htons(ETH_P_IPV6):
- return ntohl(CTTUPLE(skb, dst.u3.ip6[3]));
+ return ntohl(CTTUPLE(skb, dst, u3.ip6[3]));
}
fallback:
return flow_get_dst(skb, flow);
@@ -175,14 +208,14 @@ fallback:
static u32 flow_get_nfct_proto_src(const struct sk_buff *skb, const struct flow_keys *flow)
{
- return ntohs(CTTUPLE(skb, src.u.all));
+ return ntohs(CTTUPLE(skb, src, u.all));
fallback:
return flow_get_proto_src(skb, flow);
}
static u32 flow_get_nfct_proto_dst(const struct sk_buff *skb, const struct flow_keys *flow)
{
- return ntohs(CTTUPLE(skb, dst.u.all));
+ return ntohs(CTTUPLE(skb, dst, u.all));
fallback:
return flow_get_proto_dst(skb, flow);
}
Signed-off-by: Igor Gavrilov <i.o.gavrilov@gmail.com>
* Re: [PATCH ]net: sched/cls_flow.c : allow nfct-* keys work on ingress interfaces
@ 2015-12-13 14:01 ` Jamal Hadi Salim
From: Jamal Hadi Salim @ 2015-12-13 14:01 UTC (permalink / raw)
To: Igor Gavrilov, netdev
Hi Igor,
On 15-12-11 04:55 AM, Igor Gavrilov wrote:
> Improved CTTUPLE macro with code from sched/act_connmark.c, so it be
> able to get unNATed addresses from nf_conntrack.
>
1) Question: Have you tested the patch, or did you just cut and paste
from connmark.c? By inspection the patch looks OK technically,
but if you haven't tested it, please verify it.
2)The macros have indentation issues around
if (ct == NULL) {} else { }
just use the proper indent rules.
3) Please use proper formatting on submitting patches (such as putting
the From at the top etc). Look at:
Maybe you should use git facilities?
If you meet all the above requirements, please resubmit and
add my Acked-by
cheers,
jamal