From: Willem de Bruijn <willemb@google.com>
To: netfilter-devel@vger.kernel.org, pablo@netfilter.org, kaber@trash.net
Cc: Willem de Bruijn <willemb@google.com>
Subject: [PATCH] [RFC] netfilter: add xt_skbuff xtables match
Date: Fri, 7 Dec 2012 19:04:04 -0500 [thread overview]
Message-ID: <1354925044-15135-1-git-send-email-willemb@google.com> (raw)
In-Reply-To: <1354735339-13402-2-git-send-email-willemb@google.com>
Add an iptables match based on skb fields, such as mark, priority,
input interface and rxhash. The match supports range based matching
on one field, with optional inversion and masking.
v2: switches from xt_priority to xt_skbuff. Pablo, is this what
you had in mind? It doesn't perfectly duplicate the values from
nftables xt_meta. Needs more testing to cover the field-specific
codepaths.
Tested by inserting
iptables -t mangle -A PREROUTING -s $SRC -j MARK --set-mark 10
iptables -A INPUT -m skbuff --min 10 --max 10 -j TRACE
The userspace tool needs work, too. For one, I just hardcoded the
field_id to be skb_field_mark for this test. That's why it's missing
from the command line.
Signed-off-by: Willem de Bruijn <willemb@google.com>
---
include/linux/netfilter/xt_skbuff.h | 33 ++++++++
net/netfilter/Kconfig | 9 ++
net/netfilter/Makefile | 1 +
net/netfilter/xt_skbuff.c | 141 +++++++++++++++++++++++++++++++++++
4 files changed, 184 insertions(+), 0 deletions(-)
create mode 100644 include/linux/netfilter/xt_skbuff.h
create mode 100644 net/netfilter/xt_skbuff.c
diff --git a/include/linux/netfilter/xt_skbuff.h b/include/linux/netfilter/xt_skbuff.h
new file mode 100644
index 0000000..10eb8d8
--- /dev/null
+++ b/include/linux/netfilter/xt_skbuff.h
@@ -0,0 +1,33 @@
+#ifndef _XT_SKBUFF_H
+#define _XT_SKBUFF_H
+
+#include <linux/types.h>
+
+enum xt_skbuff_field_selector {
+ skb_field_csum = 0,
+ skb_field_hatype,
+ skb_field_iif,
+ skb_field_len,
+ skb_field_mark,
+ skb_field_pkt_type,
+ skb_field_priority,
+ skb_field_protocol,
+ skb_field_queue_mapping,
+ skb_field_rt_classid,
+ skb_field_rxhash,
+ skb_field_secmark,
+ skb_field_sk_uid,
+ skb_field_sk_gid,
+ skb_field_tstamp,
+ skb_field_vlan_tci,
+};
+
+struct xt_skbuff_info {
+ __u16 field_id; /* an xt_skbuff_field_selector value */
+ __u8 invert;
+ __u64 min;
+ __u64 max;
+ __u64 mask;
+};
+
+#endif /*_XT_SKBUFF_H */
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index fefa514..3a07a86 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -1093,6 +1093,15 @@ config NETFILTER_XT_MATCH_PKTTYPE
To compile it as a module, choose M here. If unsure, say N.
+config NETFILTER_XT_MATCH_SKBUFF
+ tristate '"skbuff" match support'
+ depends on NETFILTER_ADVANCED
+ help
+ This option adds a match based on the value of a chosen sk_buff
+ field.
+
+ To compile it as a module, choose M here. If unsure, say N.
+
config NETFILTER_XT_MATCH_QUOTA
tristate '"quota" match support'
depends on NETFILTER_ADVANCED
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 3259697..9bc95e0 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -129,6 +129,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_RATEEST) += xt_rateest.o
obj-$(CONFIG_NETFILTER_XT_MATCH_REALM) += xt_realm.o
obj-$(CONFIG_NETFILTER_XT_MATCH_RECENT) += xt_recent.o
obj-$(CONFIG_NETFILTER_XT_MATCH_SCTP) += xt_sctp.o
+obj-$(CONFIG_NETFILTER_XT_MATCH_SKBUFF) += xt_skbuff.o
obj-$(CONFIG_NETFILTER_XT_MATCH_SOCKET) += xt_socket.o
obj-$(CONFIG_NETFILTER_XT_MATCH_STATE) += xt_state.o
obj-$(CONFIG_NETFILTER_XT_MATCH_STATISTIC) += xt_statistic.o
diff --git a/net/netfilter/xt_skbuff.c b/net/netfilter/xt_skbuff.c
new file mode 100644
index 0000000..5ca30eb
--- /dev/null
+++ b/net/netfilter/xt_skbuff.c
@@ -0,0 +1,141 @@
+/* Xtables module to match packets based on sk_buff fields.
+ * Copyright 2012 Google Inc.
+ * Written by Willem de Bruijn <willemb@google.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ */
+
+#include <linux/module.h>
+#include <linux/skbuff.h>
+#include <net/sock.h>
+
+#include <linux/netfilter/xt_skbuff.h>
+#include <linux/netfilter/x_tables.h>
+
+MODULE_AUTHOR("Willem de Bruijn <willemb@google.com>");
+MODULE_DESCRIPTION("Xtables: skbuff match");
+MODULE_LICENSE("GPL");
+MODULE_ALIAS("ipt_priority");
+MODULE_ALIAS("ip6t_priority");
+
+static bool skbuff_mt(const struct sk_buff *skb,
+ struct xt_action_param *par)
+{
+ const struct xt_skbuff_info *info = par->matchinfo;
+ u64 value;
+
+ switch (info->field_id) {
+ case skb_field_csum:
+ if (skb->ip_summed != CHECKSUM_COMPLETE)
+ return false;
+ value = skb->csum;
+ break;
+ case skb_field_hatype:
+ if (!skb->dev)
+ return false;
+ value = skb->dev->type;
+ break;
+ case skb_field_iif:
+ value = skb->skb_iif;
+ break;
+ case skb_field_len:
+ value = skb->len;
+ break;
+ case skb_field_mark:
+ value = skb->mark;
+ break;
+ case skb_field_pkt_type:
+ value = skb->pkt_type;
+ break;
+ case skb_field_priority:
+ value = skb->priority;
+ break;
+ case skb_field_protocol:
+ value = skb->protocol;
+ break;
+ case skb_field_queue_mapping:
+ value = skb->queue_mapping;
+ break;
+ case skb_field_rt_classid:
+#ifdef CONFIG_NET_CLS_ROUTE
+ const struct dst_entry *dst;
+
+ rcu_read_lock();
+ dst = skb_dst(skb);
+ if (dst)
+ value = dst->tclassid;
+ rcu_read_unlock();
+ if (!dst)
+ return false;
+ break;
+#else
+ return false;
+#endif
+ case skb_field_rxhash:
+ value = skb->rxhash;
+ break;
+ case skb_field_secmark:
+#ifdef CONFIG_NETWORK_SECMARK
+ value = skb->secmark;
+ break;
+#else
+ return false;
+#endif
+ case skb_field_sk_uid:
+ if (!skb->sk || !skb->sk->sk_socket || !skb->sk->sk_socket->file)
+ return false;
+ value = skb->sk->sk_socket->file->f_cred->fsuid;
+ break;
+ case skb_field_sk_gid:
+ if (!skb->sk || !skb->sk->sk_socket || !skb->sk->sk_socket->file)
+ return false;
+ value = skb->sk->sk_socket->file->f_cred->fsgid;
+ break;
+ case skb_field_tstamp:
+ value = skb->tstamp.tv64;
+ break;
+ case skb_field_vlan_tci:
+ value = skb->vlan_tci;
+ break;
+ default:
+ return false;
+ }
+
+ value &= info->mask;
+ return (value >= info->min && value <= info->max) ^ info->invert;
+}
+
+static int skbuff_mt_check(const struct xt_mtchk_param *par)
+{
+ const struct xt_skbuff_info *info = par->matchinfo;
+
+ if (info->field_id > skb_field_vlan_tci)
+ return -EINVAL;
+
+ return 0;
+}
+
+static struct xt_match skbuff_mt_reg __read_mostly = {
+ .name = "skbuff",
+ .revision = 0,
+ .family = NFPROTO_UNSPEC,
+ .match = skbuff_mt,
+ .matchsize = sizeof(struct xt_skbuff_info),
+ .checkentry = skbuff_mt_check,
+ .me = THIS_MODULE,
+};
+
+static int __init skbuff_mt_init(void)
+{
+ return xt_register_match(&skbuff_mt_reg);
+}
+
+static void __exit skbuff_mt_exit(void)
+{
+ xt_unregister_match(&skbuff_mt_reg);
+}
+
+module_init(skbuff_mt_init);
+module_exit(skbuff_mt_exit);
--
1.7.7.3
next prev parent reply other threads:[~2012-12-08 0:04 UTC|newest]
Thread overview: 58+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-12-05 19:22 [PATCH rfc] netfilter: two xtables matches Willem de Bruijn
2012-12-05 19:22 ` [PATCH 1/2] netfilter: add xt_priority xtables match Willem de Bruijn
2012-12-08 0:04 ` Willem de Bruijn [this message]
2012-12-08 3:23 ` [PATCH] [RFC] netfilter: add xt_skbuff " Pablo Neira Ayuso
2012-12-09 20:24 ` Willem de Bruijn
2012-12-09 20:28 ` [PATCH] " Willem de Bruijn
2012-12-05 19:22 ` [PATCH 2/2] netfilter: add xt_bpf " Willem de Bruijn
2012-12-05 19:48 ` Pablo Neira Ayuso
2012-12-05 20:10 ` Willem de Bruijn
2012-12-07 13:16 ` Pablo Neira Ayuso
2012-12-07 16:56 ` Willem de Bruijn
2012-12-08 3:31 ` Pablo Neira Ayuso
2012-12-08 16:02 ` Daniel Borkmann
2012-12-09 21:52 ` [PATCH next] iptables: add xt_bpf match Willem de Bruijn
2013-01-08 3:21 ` Pablo Neira Ayuso
2013-01-09 1:58 ` Willem de Bruijn
2013-01-09 9:52 ` Pablo Neira Ayuso
2013-01-10 0:08 ` Willem de Bruijn
2013-01-10 0:08 ` [PATCH next v2] " Willem de Bruijn
2013-01-10 0:15 ` [PATCH next v3] " Willem de Bruijn
2013-01-17 23:53 ` Pablo Neira Ayuso
2013-01-18 16:48 ` Willem de Bruijn
2013-01-18 17:17 ` [PATCH next] " Willem de Bruijn
2013-01-21 11:28 ` Pablo Neira Ayuso
2013-01-21 11:33 ` Pablo Neira Ayuso
2013-01-21 11:42 ` Florian Westphal
2013-01-21 12:03 ` Pablo Neira Ayuso
2013-01-21 16:02 ` Willem de Bruijn
2013-01-21 13:44 ` [PATCH next v3] " Pablo Neira Ayuso
2013-01-22 8:46 ` Florian Westphal
2013-01-22 9:46 ` Jozsef Kadlecsik
2013-01-22 10:03 ` Maciej Żenczykowski
2013-01-22 11:11 ` Pablo Neira Ayuso
2013-01-23 15:59 ` Willem de Bruijn
2013-01-23 16:21 ` Pablo Neira Ayuso
2013-01-23 16:38 ` Willem de Bruijn
2013-01-23 18:56 ` Pablo Neira Ayuso
2013-02-18 3:44 ` [PATCH] utils: bpf_compile Willem de Bruijn
2013-02-20 10:38 ` Daniel Borkmann
2013-02-21 4:35 ` Willem de Bruijn
2013-02-21 13:43 ` Daniel Borkmann
2013-03-12 15:44 ` [PATCH next] " Willem de Bruijn
2013-04-01 22:20 ` Pablo Neira Ayuso
2013-04-03 15:32 ` Willem de Bruijn
2013-04-04 9:34 ` Pablo Neira Ayuso
2013-02-18 3:52 ` [PATCH next v3] iptables: add xt_bpf match Willem de Bruijn
2013-02-24 2:15 ` Maciej Żenczykowski
2013-02-27 20:39 ` Willem de Bruijn
2012-12-05 19:28 ` [PATCH rfc] netfilter: two xtables matches Willem de Bruijn
2012-12-05 20:00 ` Jan Engelhardt
2012-12-05 21:45 ` Willem de Bruijn
2012-12-05 21:50 ` Willem de Bruijn
2012-12-05 22:35 ` Jan Engelhardt
2012-12-06 5:22 ` Pablo Neira Ayuso
2012-12-06 21:12 ` Willem de Bruijn
2012-12-07 7:22 ` Pablo Neira Ayuso
2012-12-07 13:20 ` Pablo Neira Ayuso
2012-12-07 17:26 ` Willem de Bruijn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1354925044-15135-1-git-send-email-willemb@google.com \
--to=willemb@google.com \
--cc=kaber@trash.net \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).