netfilter-devel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: "Anders K. Pedersen | Cohaesio" <akp@cohaesio.com>
To: "netfilter-devel@vger.kernel.org" <netfilter-devel@vger.kernel.org>
Subject: [PATCH nft] meta: support for nexthop and nexthop6
Date: Wed, 14 Sep 2016 05:48:48 +0000	[thread overview]
Message-ID: <1473832128.1006.37.camel@cohaesio.com> (raw)

From: Anders K. Pedersen <akp@cohaesio.com>

Add meta support for IPv4 nexthop and IPv6 nexthop6 (i.e. the directly
connected IP address that an outgoing packet is sent to), which can be used
either for matching or accounting, eg.

 # nft add rule filter postrouting \
	ip daddr 192.168.1.0/24 meta nexthop != 192.168.0.1 drop

This will drop any traffic to 192.168.1.0/24 that is not routed via
192.168.0.1.

 # nft add rule filter postrouting \
	flow table acct { meta nexthop timeout 600s counter }
 # nft add rule ip6 filter postrouting \
	flow table acct { meta nexthop6 timeout 600s counter }

These rules count outgoing traffic per nexthop. Note that the timeout
releases an entry if no traffic is seen for this nexthop within 10 minutes.

Signed-off-by: Anders K. Pedersen <akp@cohaesio.com>
---
 doc/nft.xml                         | 12 ++++++++++++
 include/linux/netfilter/nf_tables.h |  2 ++
 src/meta.c                          |  8 ++++++++
 src/parser_bison.y                  |  4 ++++
 src/scanner.l                       |  2 ++
 5 files changed, 28 insertions(+)

diff --git a/doc/nft.xml b/doc/nft.xml
index 3b215f8..c391a88 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -978,6 +978,8 @@ filter output ip6 daddr ::1
 						<arg>l4proto</arg>
 						<arg>protocol</arg>
 						<arg>priority</arg>
+						<arg>nexthop</arg>
+						<arg>nexthop6</arg>
 					</group>
 				</cmdsynopsis>
 				<cmdsynopsis>
@@ -1134,6 +1136,16 @@ filter output ip6 daddr ::1
 								<entry>pseudo-random number</entry>
 								<entry>integer (32 bits)</entry>
 							</row>
+							<row>
+								<entry>nexthop</entry>
+								<entry>next hop address for the IPv4 packet</entry>
+								<entry>ipv4_addr</entry>
+							</row>
+							<row>
+								<entry>nexthop6</entry>
+								<entry>next hop address for the IPv6 packet</entry>
+								<entry>ipv6_addr</entry>
+							</row>
 						</tbody>
 					</tgroup>
 				</table>
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 8a63f22..da39228 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -721,6 +721,8 @@ enum nft_meta_keys {
 	NFT_META_OIFGROUP,
 	NFT_META_CGROUP,
 	NFT_META_PRANDOM,
+	NFT_META_NEXTHOP,
+	NFT_META_NEXTHOP6,
 };
 
 /**
diff --git a/src/meta.c b/src/meta.c
index 87eafee..31bf0ea 100644
--- a/src/meta.c
+++ b/src/meta.c
@@ -432,6 +432,12 @@ static const struct meta_template meta_templates[] = {
 	[NFT_META_PRANDOM]	= META_TEMPLATE("random",    &integer_type,
 						4 * BITS_PER_BYTE,
 						BYTEORDER_BIG_ENDIAN), /* avoid conversion; doesn't have endianess */
+	[NFT_META_NEXTHOP]	= META_TEMPLATE("nexthop",    &ipaddr_type,
+						4 * BITS_PER_BYTE,
+						BYTEORDER_BIG_ENDIAN),
+	[NFT_META_NEXTHOP6]	= META_TEMPLATE("nexthop6",   &ip6addr_type,
+						16 * BITS_PER_BYTE,
+						BYTEORDER_BIG_ENDIAN),
 };
 
 static bool meta_key_is_qualified(enum nft_meta_keys key)
@@ -443,6 +449,8 @@ static bool meta_key_is_qualified(enum nft_meta_keys key)
 	case NFT_META_PROTOCOL:
 	case NFT_META_PRIORITY:
 	case NFT_META_PRANDOM:
+	case NFT_META_NEXTHOP:
+	case NFT_META_NEXTHOP6:
 		return true;
 	default:
 		return false;
diff --git a/src/parser_bison.y b/src/parser_bison.y
index aac10dc..ce84ca2 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -339,6 +339,8 @@ static void location_update(struct location *loc, struct location *rhs, int n)
 %token IIFGROUP			"iifgroup"
 %token OIFGROUP			"oifgroup"
 %token CGROUP			"cgroup"
+%token NEXTHOP			"nexthop"
+%token NEXTHOP6			"nexthop6"
 
 %token CT			"ct"
 %token DIRECTION		"direction"
@@ -2438,6 +2440,8 @@ meta_key_qualified	:	LENGTH		{ $$ = NFT_META_LEN; }
 			|	PROTOCOL	{ $$ = NFT_META_PROTOCOL; }
 			|	PRIORITY	{ $$ = NFT_META_PRIORITY; }
 			|	RANDOM		{ $$ = NFT_META_PRANDOM; }
+			|	NEXTHOP		{ $$ = NFT_META_NEXTHOP; }
+			|	NEXTHOP6	{ $$ = NFT_META_NEXTHOP6; }
 			;
 
 meta_key_unqualified	:	MARK		{ $$ = NFT_META_MARK; }
diff --git a/src/scanner.l b/src/scanner.l
index 8b5a383..cc618dd 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -455,6 +455,8 @@ addrstring	({macaddr}|{ip4addr}|{ip6addr})
 "iifgroup"		{ return IIFGROUP; }
 "oifgroup"		{ return OIFGROUP; }
 "cgroup"		{ return CGROUP; }
+"nexthop"		{ return NEXTHOP; }
+"nexthop6"		{ return NEXTHOP6; }
 
 "ct"			{ return CT; }
 "direction"		{ return DIRECTION; }

                 reply	other threads:[~2016-09-14  5:57 UTC|newest]

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1473832128.1006.37.camel@cohaesio.com \
    --to=akp@cohaesio.com \
    --cc=netfilter-devel@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).