netdev.vger.kernel.org archive mirror
* [PATCH nf-next 0/5] netfilter: Prepare netfilter to future .flowi4_tos conversion.
@ 2024-11-14 16:03 Guillaume Nault
From: Guillaume Nault @ 2024-11-14 16:03 UTC (permalink / raw)
  To: Pablo Neira Ayuso, Jozsef Kadlecsik
  Cc: netfilter-devel, David S. Miller, David Ahern, Eric Dumazet,
	Jakub Kicinski, Paolo Abeni, Simon Horman, coreteam, netdev,
	Ido Schimmel

There are multiple occasions where Netfilter code needs to perform
route lookups and initialise struct flowi4. As we're in the process of
converting the .flowi4_tos field to dscp_t, we need to convert the
users so that they have a dscp_t value at hand, rather than a __u8.

All netfilter users get the DSCP (TOS) value from IPv4 packet headers.
So we just need to use the new ip4h_dscp() helper to get a dscp_t
variable.

Converting .flowi4_tos to dscp_t will make it possible to detect regressions
where ECN bits are mistakenly treated as DSCP when doing route lookups.

Guillaume Nault (5):
  netfilter: ipv4: Convert ip_route_me_harder() to dscp_t.
  netfilter: flow_offload: Convert nft_flow_route() to dscp_t.
  netfilter: rpfilter: Convert rpfilter_mt() to dscp_t.
  netfilter: nft_fib: Convert nft_fib4_eval() to dscp_t.
  netfilter: nf_dup4: Convert nf_dup_ipv4_route() to dscp_t.

 net/ipv4/netfilter.c              | 2 +-
 net/ipv4/netfilter/ipt_rpfilter.c | 2 +-
 net/ipv4/netfilter/nf_dup_ipv4.c  | 2 +-
 net/ipv4/netfilter/nft_fib_ipv4.c | 3 ++-
 net/netfilter/nft_flow_offload.c  | 4 ++--
 5 files changed, 7 insertions(+), 6 deletions(-)

-- 
2.39.2
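The cover letter's point, that a dedicated DSCP type keeps ECN bits out of route-lookup keys, as an added userspace model (not code from this series or from the kernel tree): the helper names mirror the kernel's ip4h_dscp(), inet_dscp_to_dsfield() and INET_DSCP_MASK, while the struct-wrapped dscp_t, the flow_key struct, the two key builders and the 20-byte headers are constructed here for illustration.

```c
/* Added example: userspace model of the dscp_t idea, not kernel code. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define INET_DSCP_MASK 0xfc	/* upper six bits of the IPv4 TOS/DS byte */

/*
 * Model of the kernel's dscp_t. The kernel declares it as a sparse-checked
 * "__u8 __bitwise" type; a one-field struct gives plain C the same property:
 * a raw uint8_t tos cannot be assigned to it except via inet_dsfield_to_dscp().
 */
typedef struct { uint8_t v; } dscp_t;

static inline dscp_t inet_dsfield_to_dscp(uint8_t dsfield)
{
	dscp_t d = { (uint8_t)(dsfield & INET_DSCP_MASK) };
	return d;
}

static inline uint8_t inet_dscp_to_dsfield(dscp_t dscp)
{
	return dscp.v;
}

/* Byte 1 of an IPv4 header is the TOS/DS field; hand it back as dscp_t. */
static inline dscp_t ip4h_dscp(const uint8_t *iph)
{
	return inet_dsfield_to_dscp(iph[1]);
}

/* Constructed stand-in for the parts of struct flowi4 a lookup keys on. */
struct flow_key {
	uint32_t daddr;
	uint32_t saddr;
	uint8_t  tos;	/* plays the role of .flowi4_tos before its conversion */
};

static uint32_t get_be32(const uint8_t *p)
{
	return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
	       ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* The regression class the cover letter names: raw TOS copied, ECN leaks in. */
static void key_from_raw_tos(const uint8_t *iph, struct flow_key *k)
{
	k->saddr = get_be32(iph + 12);
	k->daddr = get_be32(iph + 16);
	k->tos = iph[1];
}

/* The pattern the series adopts: the value passes through dscp_t, ECN masked. */
static void key_from_dscp(const uint8_t *iph, struct flow_key *k)
{
	k->saddr = get_be32(iph + 12);
	k->daddr = get_be32(iph + 16);
	k->tos = inet_dscp_to_dsfield(ip4h_dscp(iph));
}

static int keys_equal(const struct flow_key *a, const struct flow_key *b)
{
	return a->daddr == b->daddr && a->saddr == b->saddr && a->tos == b->tos;
}

/* Build a minimal 20-byte IPv4 header (constructed input, not a capture). */
static void make_ip4_header(uint8_t *buf, uint8_t tos, uint32_t saddr,
			    uint32_t daddr)
{
	memset(buf, 0, 20);
	buf[0] = 0x45;		/* IPv4, IHL = 5 words */
	buf[1] = tos;
	buf[3] = 20;		/* total length */
	buf[8] = 64;		/* TTL */
	buf[9] = 17;		/* UDP */
	for (int i = 0; i < 4; i++) {
		buf[12 + i] = (uint8_t)(saddr >> (24 - 8 * i));
		buf[16 + i] = (uint8_t)(daddr >> (24 - 8 * i));
	}
}

/* DSCP-only byte a given TOS value yields once it has gone through dscp_t. */
uint8_t dscp_of_tos(uint8_t tos)
{
	uint8_t h[20];

	make_ip4_header(h, tos, 0xc0a80001, 0x0a000001);
	return inet_dscp_to_dsfield(ip4h_dscp(h));
}

/* 1 if two packets differing only in ECN bits get the same key, else 0. */
int ecn_independent(void (*build)(const uint8_t *, struct flow_key *))
{
	uint8_t a[20], b[20];
	struct flow_key ka, kb;

	/* AF41 (DSCP 34 -> DS byte 0x88) with ECN Not-ECT vs ECN CE (0x03). */
	make_ip4_header(a, 0x88, 0xc0a80001, 0x0a000001);
	make_ip4_header(b, 0x88 | 0x03, 0xc0a80001, 0x0a000001);
	build(a, &ka);
	build(b, &kb);
	return keys_equal(&ka, &kb);
}

int main(void)
{
	printf("raw tos key ignores ECN: %d\n", ecn_independent(key_from_raw_tos));
	printf("dscp_t key ignores ECN:  %d\n", ecn_independent(key_from_dscp));
	printf("tos 0xbb -> dscp byte 0x%02x\n", dscp_of_tos(0xbb));
	return 0;
}
```

In the kernel the misuse is caught by sparse rather than by the C compiler, because dscp_t is a `__bitwise` annotation on `__u8`; the struct wrapper above is the plain-C analogue of that check. The two key builders show why the type matters for routing policy: with the raw byte, a sender can move a packet onto a different route (or, in rpfilter's case, a different verdict) just by flipping ECN bits, while the dscp_t path makes those bits irrelevant to the lookup.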



* [PATCH nf-next 1/5] netfilter: ipv4: Convert ip_route_me_harder() to dscp_t.
From: Guillaume Nault @ 2024-11-14 16:03 UTC (permalink / raw)
  To: Pablo Neira Ayuso, Jozsef Kadlecsik
  Cc: netfilter-devel, David S. Miller, David Ahern, Eric Dumazet,
	Jakub Kicinski, Paolo Abeni, Simon Horman, coreteam, netdev,
	Ido Schimmel

Use ip4h_dscp() instead of reading iph->tos directly.

ip4h_dscp() returns a dscp_t value which is temporarily converted back
to __u8 with inet_dscp_to_dsfield(). When converting ->flowi4_tos to
dscp_t in the future, we'll only have to remove that
inet_dscp_to_dsfield() call.

Signed-off-by: Guillaume Nault <gnault@redhat.com>
---
 net/ipv4/netfilter.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ipv4/netfilter.c b/net/ipv4/netfilter.c
index e0aab66cd925..08bc3f2c0078 100644
--- a/net/ipv4/netfilter.c
+++ b/net/ipv4/netfilter.c
@@ -44,7 +44,7 @@ int ip_route_me_harder(struct net *net, struct sock *sk, struct sk_buff *skb, un
 	 */
 	fl4.daddr = iph->daddr;
 	fl4.saddr = saddr;
-	fl4.flowi4_tos = iph->tos & INET_DSCP_MASK;
+	fl4.flowi4_tos = inet_dscp_to_dsfield(ip4h_dscp(iph));
 	fl4.flowi4_oif = sk ? sk->sk_bound_dev_if : 0;
 	fl4.flowi4_l3mdev = l3mdev_master_ifindex(dev);
 	fl4.flowi4_mark = skb->mark;
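Review bot: the hunk makes net/ipv4/netfilter.c depend on ip4h_dscp() without adding an include, whereas patch 4/5 of this series adds `#include <net/ip.h>` to nft_fib_ipv4.c for the same helper and patch 2/5's message says net/ip.h is what provides it; please confirm net/ip.h is already included directly in this file rather than transitively, so a later header cleanup cannot break the build. It would also help reviewers if the commit message stated that `inet_dscp_to_dsfield(ip4h_dscp(iph))` evaluates to the same value as the removed `iph->tos & INET_DSCP_MASK`, i.e. the lookup key is unchanged and ECN bits stay masked; the change is a typing step only.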
-- 
2.39.2



* [PATCH nf-next 2/5] netfilter: flow_offload: Convert nft_flow_route() to dscp_t.
From: Guillaume Nault @ 2024-11-14 16:03 UTC (permalink / raw)
  To: Pablo Neira Ayuso, Jozsef Kadlecsik
  Cc: netfilter-devel, David S. Miller, David Ahern, Eric Dumazet,
	Jakub Kicinski, Paolo Abeni, Simon Horman, coreteam, netdev,
	Ido Schimmel

Use ip4h_dscp() instead of reading ip_hdr()->tos directly.

ip4h_dscp() returns a dscp_t value which is temporarily converted back
to __u8 with inet_dscp_to_dsfield(). When converting ->flowi4_tos to
dscp_t in the future, we'll only have to remove that
inet_dscp_to_dsfield() call.

Also, remove the comment about the net/ip.h include file, since it's
now required for the ip4h_dscp() helper too.

Signed-off-by: Guillaume Nault <gnault@redhat.com>
---
 net/netfilter/nft_flow_offload.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nft_flow_offload.c b/net/netfilter/nft_flow_offload.c
index 65199c23c75c..3b474d235663 100644
--- a/net/netfilter/nft_flow_offload.c
+++ b/net/netfilter/nft_flow_offload.c
@@ -8,7 +8,7 @@
 #include <linux/spinlock.h>
 #include <linux/netfilter/nf_conntrack_common.h>
 #include <linux/netfilter/nf_tables.h>
-#include <net/ip.h> /* for ipv4 options. */
+#include <net/ip.h>
 #include <net/inet_dscp.h>
 #include <net/netfilter/nf_tables.h>
 #include <net/netfilter/nf_tables_core.h>
@@ -236,7 +236,7 @@ static int nft_flow_route(const struct nft_pktinfo *pkt,
 		fl.u.ip4.saddr = ct->tuplehash[!dir].tuple.src.u3.ip;
 		fl.u.ip4.flowi4_oif = nft_in(pkt)->ifindex;
 		fl.u.ip4.flowi4_iif = this_dst->dev->ifindex;
-		fl.u.ip4.flowi4_tos = ip_hdr(pkt->skb)->tos & INET_DSCP_MASK;
+		fl.u.ip4.flowi4_tos = inet_dscp_to_dsfield(ip4h_dscp(ip_hdr(pkt->skb)));
 		fl.u.ip4.flowi4_mark = pkt->skb->mark;
 		fl.u.ip4.flowi4_flags = FLOWI_FLAG_ANYSRC;
 		break;
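Review bot: style point on the second hunk: `ip_hdr(pkt->skb)` is now evaluated inside the nested call on the flowi4_tos line, which is harder to read than the other patches in the series, all of which pass a local `iph`; a `const struct iphdr *iph = ip_hdr(pkt->skb);` at the top of the IPv4 case (the `fl.u.ip4` and `break` lines show this is inside that case) would keep the conversion line short and make it visually identical to the other four. The include-hunk comment removal is explained in the commit message and looks fine.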
-- 
2.39.2



* [PATCH nf-next 3/5] netfilter: rpfilter: Convert rpfilter_mt() to dscp_t.
From: Guillaume Nault @ 2024-11-14 16:03 UTC (permalink / raw)
  To: Pablo Neira Ayuso, Jozsef Kadlecsik
  Cc: netfilter-devel, David S. Miller, David Ahern, Eric Dumazet,
	Jakub Kicinski, Paolo Abeni, Simon Horman, coreteam, netdev,
	Ido Schimmel

Use ip4h_dscp() instead of reading iph->tos directly.

ip4h_dscp() returns a dscp_t value which is temporarily converted back
to __u8 with inet_dscp_to_dsfield(). When converting ->flowi4_tos to
dscp_t in the future, we'll only have to remove that
inet_dscp_to_dsfield() call.

Signed-off-by: Guillaume Nault <gnault@redhat.com>
---
 net/ipv4/netfilter/ipt_rpfilter.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ipv4/netfilter/ipt_rpfilter.c b/net/ipv4/netfilter/ipt_rpfilter.c
index 1ce7a1655b97..a27782d7653e 100644
--- a/net/ipv4/netfilter/ipt_rpfilter.c
+++ b/net/ipv4/netfilter/ipt_rpfilter.c
@@ -76,7 +76,7 @@ static bool rpfilter_mt(const struct sk_buff *skb, struct xt_action_param *par)
 	flow.daddr = iph->saddr;
 	flow.saddr = rpfilter_get_saddr(iph->daddr);
 	flow.flowi4_mark = info->flags & XT_RPFILTER_VALID_MARK ? skb->mark : 0;
-	flow.flowi4_tos = iph->tos & INET_DSCP_MASK;
+	flow.flowi4_tos = inet_dscp_to_dsfield(ip4h_dscp(iph));
 	flow.flowi4_scope = RT_SCOPE_UNIVERSE;
 	flow.flowi4_l3mdev = l3mdev_master_ifindex_rcu(xt_in(par));
 	flow.flowi4_uid = sock_net_uid(xt_net(par), NULL);
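Review bot: rpfilter_mt() returns the match verdict, so the tos stored in this key feeds a reverse-path decision directly and is the lookup where the cover letter's regression class (ECN bits leaking into the key) would change behaviour for a remote sender; the new expression keeps the masked value exactly as the old `& INET_DSCP_MASK` did, which is the property the later dscp_t conversion of .flowi4_tos is meant to enforce at the type level. This file also gains a use of ip4h_dscp() with no `#include <net/ip.h>` line in the diff, so it is worth confirming the header is included directly here.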
-- 
2.39.2



* [PATCH nf-next 4/5] netfilter: nft_fib: Convert nft_fib4_eval() to dscp_t.
From: Guillaume Nault @ 2024-11-14 16:03 UTC (permalink / raw)
  To: Pablo Neira Ayuso, Jozsef Kadlecsik
  Cc: netfilter-devel, David S. Miller, David Ahern, Eric Dumazet,
	Jakub Kicinski, Paolo Abeni, Simon Horman, coreteam, netdev,
	Ido Schimmel

Use ip4h_dscp() instead of reading iph->tos directly.

ip4h_dscp() returns a dscp_t value which is temporarily converted back
to __u8 with inet_dscp_to_dsfield(). When converting ->flowi4_tos to
dscp_t in the future, we'll only have to remove that
inet_dscp_to_dsfield() call.

Signed-off-by: Guillaume Nault <gnault@redhat.com>
---
 net/ipv4/netfilter/nft_fib_ipv4.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/ipv4/netfilter/nft_fib_ipv4.c b/net/ipv4/netfilter/nft_fib_ipv4.c
index 09fff5d424ef..625adbc42037 100644
--- a/net/ipv4/netfilter/nft_fib_ipv4.c
+++ b/net/ipv4/netfilter/nft_fib_ipv4.c
@@ -11,6 +11,7 @@
 #include <net/netfilter/nft_fib.h>
 
 #include <net/inet_dscp.h>
+#include <net/ip.h>
 #include <net/ip_fib.h>
 #include <net/route.h>
 
@@ -107,7 +108,7 @@ void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs,
 	if (priv->flags & NFTA_FIB_F_MARK)
 		fl4.flowi4_mark = pkt->skb->mark;
 
-	fl4.flowi4_tos = iph->tos & INET_DSCP_MASK;
+	fl4.flowi4_tos = inet_dscp_to_dsfield(ip4h_dscp(iph));
 
 	if (priv->flags & NFTA_FIB_F_DADDR) {
 		fl4.daddr = iph->daddr;
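Review bot: missing documentation: the commit message says only "Use ip4h_dscp() instead of reading iph->tos directly", but the first hunk of this patch also adds `#include <net/ip.h>` to nft_fib_ipv4.c (that is the second insertion in the diffstat). A sentence noting that the include is needed for the new helper, as the patch 2/5 message does for nft_flow_offload.c, would make the diff self-explanatory. The second hunk itself is the same value-preserving conversion as in the rest of the series.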
-- 
2.39.2



* [PATCH nf-next 5/5] netfilter: nf_dup4: Convert nf_dup_ipv4_route() to dscp_t.
From: Guillaume Nault @ 2024-11-14 16:03 UTC (permalink / raw)
  To: Pablo Neira Ayuso, Jozsef Kadlecsik
  Cc: netfilter-devel, David S. Miller, David Ahern, Eric Dumazet,
	Jakub Kicinski, Paolo Abeni, Simon Horman, coreteam, netdev,
	Ido Schimmel

Use ip4h_dscp() instead of reading iph->tos directly.

ip4h_dscp() returns a dscp_t value which is temporarily converted back
to __u8 with inet_dscp_to_dsfield(). When converting ->flowi4_tos to
dscp_t in the future, we'll only have to remove that
inet_dscp_to_dsfield() call.

Signed-off-by: Guillaume Nault <gnault@redhat.com>
---
 net/ipv4/netfilter/nf_dup_ipv4.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/ipv4/netfilter/nf_dup_ipv4.c b/net/ipv4/netfilter/nf_dup_ipv4.c
index ec94ee1051c7..25e1e8eb18dd 100644
--- a/net/ipv4/netfilter/nf_dup_ipv4.c
+++ b/net/ipv4/netfilter/nf_dup_ipv4.c
@@ -33,7 +33,7 @@ static bool nf_dup_ipv4_route(struct net *net, struct sk_buff *skb,
 		fl4.flowi4_oif = oif;
 
 	fl4.daddr = gw->s_addr;
-	fl4.flowi4_tos = iph->tos & INET_DSCP_MASK;
+	fl4.flowi4_tos = inet_dscp_to_dsfield(ip4h_dscp(iph));
 	fl4.flowi4_scope = RT_SCOPE_UNIVERSE;
 	fl4.flowi4_flags = FLOWI_FLAG_KNOWN_NH;
 	rt = ip_route_output_key(net, &fl4);
-- 
2.39.2



* Re: [PATCH nf-next 0/5] netfilter: Prepare netfilter to future .flowi4_tos conversion.
From: Pablo Neira Ayuso @ 2024-11-15 10:50 UTC (permalink / raw)
  To: Guillaume Nault
  Cc: Jozsef Kadlecsik, netfilter-devel, David S. Miller, David Ahern,
	Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, coreteam,
	netdev, Ido Schimmel

On Thu, Nov 14, 2024 at 05:03:16PM +0100, Guillaume Nault wrote:
> There are multiple occasions where Netfilter code needs to perform
> route lookups and initialise struct flowi4. As we're in the process of
> converting the .flowi4_tos field to dscp_t, we need to convert the
> users so that they have a dscp_t value at hand, rather than a __u8.
> 
> All netfilter users get the DSCP (TOS) value from IPv4 packet headers.
> So we just need to use the new ip4h_dscp() helper to get a dscp_t
> variable.
> 
> Converting .flowi4_tos to dscp_t will make it possible to detect regressions
> where ECN bits are mistakenly treated as DSCP when doing route lookups.

Series applied, thanks

