* [PATCH nf-next] netfilter: meta: secpath support
2017-12-01 12:40 [PATCH next] nftables: add inbound ipsec matching Florian Westphal
@ 2017-12-01 12:40 ` Florian Westphal
2017-12-01 12:40 ` Florian Westphal
` (3 more replies)
2017-12-01 12:40 ` [PATCH libnftnl] " Florian Westphal
2017-12-01 12:40 ` [PATCH nft] meta: add " Florian Westphal
2 siblings, 4 replies; 10+ messages in thread
From: Florian Westphal @ 2017-12-01 12:40 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
replacement for iptables "-m policy --dir in --policy {ipsec,none}".
Signed-off-by: Florian Westphal <fw@strlen.de>
---
include/uapi/linux/netfilter/nf_tables.h | 2 ++
net/netfilter/nft_meta.c | 39 ++++++++++++++++++++++++++++++++
2 files changed, 41 insertions(+)
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index a3ee277b17a1..2efbf9744c2a 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -777,6 +777,7 @@ enum nft_exthdr_attributes {
* @NFT_META_OIFGROUP: packet output interface group
* @NFT_META_CGROUP: socket control group (skb->sk->sk_classid)
* @NFT_META_PRANDOM: a 32bit pseudo-random number
+ * @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp)
*/
enum nft_meta_keys {
NFT_META_LEN,
@@ -804,6 +805,7 @@ enum nft_meta_keys {
NFT_META_OIFGROUP,
NFT_META_CGROUP,
NFT_META_PRANDOM,
+ NFT_META_SECPATH,
};
/**
diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
index 5a60eb23a7ed..63a013ad4077 100644
--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -210,6 +210,11 @@ void nft_meta_get_eval(const struct nft_expr *expr,
*dest = prandom_u32_state(state);
break;
}
+#ifdef CONFIG_XFRM
+ case NFT_META_SECPATH:
+ nft_reg_store8(dest, !!skb->sp);
+ break;
+#endif
default:
WARN_ON(1);
goto err;
@@ -308,6 +313,11 @@ int nft_meta_get_init(const struct nft_ctx *ctx,
prandom_init_once(&nft_prandom_state);
len = sizeof(u32);
break;
+#ifdef CONFIG_XFRM
+ case NFT_META_SECPATH:
+ len = sizeof(u8);
+ break;
+#endif
default:
return -EOPNOTSUPP;
}
@@ -318,6 +328,34 @@ int nft_meta_get_init(const struct nft_ctx *ctx,
}
EXPORT_SYMBOL_GPL(nft_meta_get_init);
+int nft_meta_get_validate(const struct nft_ctx *ctx,
+ const struct nft_expr *expr,
+ const struct nft_data **data)
+{
+ const struct nft_meta *priv = nft_expr_priv(expr);
+ unsigned int hooks;
+
+ if (priv->key != NFT_META_SECPATH)
+ return 0;
+
+ switch (ctx->afi->family) {
+ case NFPROTO_NETDEV:
+ hooks = 1 << NF_NETDEV_INGRESS;
+ break;
+ case NFPROTO_IPV4:
+ case NFPROTO_IPV6:
+ case NFPROTO_INET:
+ hooks = (1 << NF_INET_PRE_ROUTING) |
+ (1 << NF_INET_LOCAL_IN) |
+ (1 << NF_INET_FORWARD);
+ break;
+ default:
+ return -EOPNOTSUPP;
+ }
+
+ return nft_chain_validate_hooks(ctx->chain, hooks);
+}
+
int nft_meta_set_validate(const struct nft_ctx *ctx,
const struct nft_expr *expr,
const struct nft_data **data)
@@ -434,6 +472,7 @@ static const struct nft_expr_ops nft_meta_get_ops = {
.eval = nft_meta_get_eval,
.init = nft_meta_get_init,
.dump = nft_meta_get_dump,
+ .validate = nft_meta_get_validate,
};
static const struct nft_expr_ops nft_meta_set_ops = {
--
2.13.6
^ permalink raw reply related [flat|nested] 10+ messages in thread* Re: [PATCH nf-next] netfilter: meta: secpath support
2017-12-01 12:40 ` [PATCH nf-next] netfilter: meta: secpath support Florian Westphal
@ 2017-12-01 12:40 ` Florian Westphal
2017-12-01 12:53 ` Arturo Borrero Gonzalez
` (2 subsequent siblings)
3 siblings, 0 replies; 10+ messages in thread
From: Florian Westphal @ 2017-12-01 12:40 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel
Florian Westphal <fw@strlen.de> wrote:
> +int nft_meta_get_validate(const struct nft_ctx *ctx,
> + const struct nft_expr *expr,
> + const struct nft_data **data)
Sigh, this should be static of course.
I will not send a v2 for now.
^ permalink raw reply [flat|nested] 10+ messages in thread* Re: [PATCH nf-next] netfilter: meta: secpath support
2017-12-01 12:40 ` [PATCH nf-next] netfilter: meta: secpath support Florian Westphal
2017-12-01 12:40 ` Florian Westphal
@ 2017-12-01 12:53 ` Arturo Borrero Gonzalez
2017-12-01 13:07 ` Florian Westphal
2017-12-13 7:16 ` [RFC PATCH] netfilter: meta: nft_meta_get_validate() can be static kbuild test robot
2017-12-13 7:16 ` [PATCH nf-next] netfilter: meta: secpath support kbuild test robot
3 siblings, 1 reply; 10+ messages in thread
From: Arturo Borrero Gonzalez @ 2017-12-01 12:53 UTC (permalink / raw)
To: Florian Westphal; +Cc: Netfilter Development Mailing list
On 1 December 2017 at 13:40, Florian Westphal <fw@strlen.de> wrote:
> replacement for iptables "-m policy --dir in --policy {ipsec,none}".
>
> Signed-off-by: Florian Westphal <fw@strlen.de>
> ---
> include/uapi/linux/netfilter/nf_tables.h | 2 ++
> net/netfilter/nft_meta.c | 39 ++++++++++++++++++++++++++++++++
> 2 files changed, 41 insertions(+)
>
> diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
> index a3ee277b17a1..2efbf9744c2a 100644
> --- a/include/uapi/linux/netfilter/nf_tables.h
> +++ b/include/uapi/linux/netfilter/nf_tables.h
> @@ -777,6 +777,7 @@ enum nft_exthdr_attributes {
> * @NFT_META_OIFGROUP: packet output interface group
> * @NFT_META_CGROUP: socket control group (skb->sk->sk_classid)
> * @NFT_META_PRANDOM: a 32bit pseudo-random number
> + * @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp)
> */
> enum nft_meta_keys {
> NFT_META_LEN,
> @@ -804,6 +805,7 @@ enum nft_meta_keys {
> NFT_META_OIFGROUP,
> NFT_META_CGROUP,
> NFT_META_PRANDOM,
> + NFT_META_SECPATH,
> };
>
> /**
> diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
> index 5a60eb23a7ed..63a013ad4077 100644
> --- a/net/netfilter/nft_meta.c
> +++ b/net/netfilter/nft_meta.c
> @@ -210,6 +210,11 @@ void nft_meta_get_eval(const struct nft_expr *expr,
> *dest = prandom_u32_state(state);
> break;
> }
> +#ifdef CONFIG_XFRM
> + case NFT_META_SECPATH:
> + nft_reg_store8(dest, !!skb->sp);
> + break;
> +#endif
> default:
> WARN_ON(1);
> goto err;
> @@ -308,6 +313,11 @@ int nft_meta_get_init(const struct nft_ctx *ctx,
> prandom_init_once(&nft_prandom_state);
> len = sizeof(u32);
> break;
> +#ifdef CONFIG_XFRM
> + case NFT_META_SECPATH:
> + len = sizeof(u8);
> + break;
> +#endif
> default:
> return -EOPNOTSUPP;
> }
> @@ -318,6 +328,34 @@ int nft_meta_get_init(const struct nft_ctx *ctx,
> }
> EXPORT_SYMBOL_GPL(nft_meta_get_init);
>
> +int nft_meta_get_validate(const struct nft_ctx *ctx,
> + const struct nft_expr *expr,
> + const struct nft_data **data)
> +{
> + const struct nft_meta *priv = nft_expr_priv(expr);
> + unsigned int hooks;
> +
> + if (priv->key != NFT_META_SECPATH)
> + return 0;
> +
Would it worth adding here something like this?
#ifnfdef CONFIG_XFRM
return -EOPNOTSUPP;
#endif
I mean, if CONFIG_XFRM is not defined, then _get_eval() is doing nothing, right?
> + switch (ctx->afi->family) {
> + case NFPROTO_NETDEV:
> + hooks = 1 << NF_NETDEV_INGRESS;
> + break;
> + case NFPROTO_IPV4:
> + case NFPROTO_IPV6:
> + case NFPROTO_INET:
> + hooks = (1 << NF_INET_PRE_ROUTING) |
> + (1 << NF_INET_LOCAL_IN) |
> + (1 << NF_INET_FORWARD);
> + break;
> + default:
> + return -EOPNOTSUPP;
> + }
> +
> + return nft_chain_validate_hooks(ctx->chain, hooks);
> +}
^ permalink raw reply [flat|nested] 10+ messages in thread* [RFC PATCH] netfilter: meta: nft_meta_get_validate() can be static
2017-12-01 12:40 ` [PATCH nf-next] netfilter: meta: secpath support Florian Westphal
2017-12-01 12:40 ` Florian Westphal
2017-12-01 12:53 ` Arturo Borrero Gonzalez
@ 2017-12-13 7:16 ` kbuild test robot
2017-12-13 16:42 ` Pablo Neira Ayuso
2017-12-13 7:16 ` [PATCH nf-next] netfilter: meta: secpath support kbuild test robot
3 siblings, 1 reply; 10+ messages in thread
From: kbuild test robot @ 2017-12-13 7:16 UTC (permalink / raw)
To: Florian Westphal; +Cc: kbuild-all, netfilter-devel, Florian Westphal
Fixes: dce1fc524886 ("netfilter: meta: secpath support")
Signed-off-by: Fengguang Wu <fengguang.wu@intel.com>
---
nft_meta.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
index 63a013a..993157e 100644
--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -328,9 +328,9 @@ int nft_meta_get_init(const struct nft_ctx *ctx,
}
EXPORT_SYMBOL_GPL(nft_meta_get_init);
-int nft_meta_get_validate(const struct nft_ctx *ctx,
- const struct nft_expr *expr,
- const struct nft_data **data)
+static int nft_meta_get_validate(const struct nft_ctx *ctx,
+ const struct nft_expr *expr,
+ const struct nft_data **data)
{
const struct nft_meta *priv = nft_expr_priv(expr);
unsigned int hooks;
^ permalink raw reply related [flat|nested] 10+ messages in thread* Re: [PATCH nf-next] netfilter: meta: secpath support
2017-12-01 12:40 ` [PATCH nf-next] netfilter: meta: secpath support Florian Westphal
` (2 preceding siblings ...)
2017-12-13 7:16 ` [RFC PATCH] netfilter: meta: nft_meta_get_validate() can be static kbuild test robot
@ 2017-12-13 7:16 ` kbuild test robot
3 siblings, 0 replies; 10+ messages in thread
From: kbuild test robot @ 2017-12-13 7:16 UTC (permalink / raw)
To: Florian Westphal; +Cc: kbuild-all, netfilter-devel, Florian Westphal
Hi Florian,
I love your patch! Perhaps something to improve:
[auto build test WARNING on nf-next/master]
url: https://github.com/0day-ci/linux/commits/Florian-Westphal/netfilter-meta-secpath-support/20171204-124857
base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
reproduce:
# apt-get install sparse
make ARCH=x86_64 allmodconfig
make C=1 CF=-D__CHECK_ENDIAN__
sparse warnings: (new ones prefixed by >>)
Please review and possibly fold the followup patch.
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
^ permalink raw reply [flat|nested] 10+ messages in thread
* [PATCH libnftnl] meta: secpath support
2017-12-01 12:40 [PATCH next] nftables: add inbound ipsec matching Florian Westphal
2017-12-01 12:40 ` [PATCH nf-next] netfilter: meta: secpath support Florian Westphal
@ 2017-12-01 12:40 ` Florian Westphal
2017-12-01 12:40 ` [PATCH nft] meta: add " Florian Westphal
2 siblings, 0 replies; 10+ messages in thread
From: Florian Westphal @ 2017-12-01 12:40 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
---
include/linux/netfilter/nf_tables.h | 2 ++
src/expr/meta.c | 3 ++-
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index 874fa3f239eb..64d4a25f8409 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -775,6 +775,7 @@ enum nft_exthdr_attributes {
* @NFT_META_OIFGROUP: packet output interface group
* @NFT_META_CGROUP: socket control group (skb->sk->sk_classid)
* @NFT_META_PRANDOM: a 32bit pseudo-random number
+ * @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp)
*/
enum nft_meta_keys {
NFT_META_LEN,
@@ -802,6 +803,7 @@ enum nft_meta_keys {
NFT_META_OIFGROUP,
NFT_META_CGROUP,
NFT_META_PRANDOM,
+ NFT_META_SECPATH,
};
/**
diff --git a/src/expr/meta.c b/src/expr/meta.c
index 2c758412bf2e..de82105de44f 100644
--- a/src/expr/meta.c
+++ b/src/expr/meta.c
@@ -22,7 +22,7 @@
#include <libnftnl/rule.h>
#ifndef NFT_META_MAX
-#define NFT_META_MAX (NFT_META_PRANDOM + 1)
+#define NFT_META_MAX (NFT_META_SECPATH + 1)
#endif
struct nftnl_expr_meta {
@@ -158,6 +158,7 @@ static const char *meta_key2str_array[NFT_META_MAX] = {
[NFT_META_OIFGROUP] = "oifgroup",
[NFT_META_CGROUP] = "cgroup",
[NFT_META_PRANDOM] = "prandom",
+ [NFT_META_SECPATH] = "secpath",
};
static const char *meta_key2str(uint8_t key)
--
2.13.6
^ permalink raw reply related [flat|nested] 10+ messages in thread* [PATCH nft] meta: add secpath support
2017-12-01 12:40 [PATCH next] nftables: add inbound ipsec matching Florian Westphal
2017-12-01 12:40 ` [PATCH nf-next] netfilter: meta: secpath support Florian Westphal
2017-12-01 12:40 ` [PATCH libnftnl] " Florian Westphal
@ 2017-12-01 12:40 ` Florian Westphal
2 siblings, 0 replies; 10+ messages in thread
From: Florian Westphal @ 2017-12-01 12:40 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
This can be used to check if a packet has a secpath attached to it, i.e.
was subject to ipsec processing. Example:
add rule inet raw prerouting meta secpath exists accept
Signed-off-by: Florian Westphal <fw@strlen.de>
---
doc/nft.xml | 10 ++++++++++
include/linux/netfilter/nf_tables.h | 2 ++
src/meta.c | 3 +++
tests/py/inet/meta.t | 2 ++
tests/py/inet/meta.t.payload | 9 +++++++++
5 files changed, 26 insertions(+)
diff --git a/doc/nft.xml b/doc/nft.xml
index a1bfecd2654f..b9f7a909d244 100644
--- a/doc/nft.xml
+++ b/doc/nft.xml
@@ -2503,6 +2503,7 @@ filter output icmpv6 type { echo-request, echo-reply }
<arg>oifgroup</arg>
<arg>cgroup</arg>
<arg>random</arg>
+ <arg>secpath</arg>
</group>
</cmdsynopsis>
</para>
@@ -2640,6 +2641,12 @@ filter output icmpv6 type { echo-request, echo-reply }
<entry>pseudo-random number</entry>
<entry>integer (32 bits)</entry>
</row>
+ <row>
+ <entry>secpath</entry>
+ <entry>boolean</entry>
+ <entry>boolean (1 bit)</entry>
+ </row>
+
</tbody>
</tgroup>
</table>
@@ -2724,6 +2731,9 @@ filter output meta oif eth0
# unqualified meta expression
filter output oif eth0
+
+# packed was subject to ipsec processing
+raw prerouting meta secpath exists accept
</programlisting>
</example>
</para>
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index f32894431f82..c990bc987c2e 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -773,6 +773,7 @@ enum nft_exthdr_attributes {
* @NFT_META_OIFGROUP: packet output interface group
* @NFT_META_CGROUP: socket control group (skb->sk->sk_classid)
* @NFT_META_PRANDOM: a 32bit pseudo-random number
+ * @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp)
*/
enum nft_meta_keys {
NFT_META_LEN,
@@ -800,6 +801,7 @@ enum nft_meta_keys {
NFT_META_OIFGROUP,
NFT_META_CGROUP,
NFT_META_PRANDOM,
+ NFT_META_SECPATH,
};
/**
diff --git a/src/meta.c b/src/meta.c
index 28aebe396f17..ac3e0333a489 100644
--- a/src/meta.c
+++ b/src/meta.c
@@ -428,6 +428,8 @@ static const struct meta_template meta_templates[] = {
[NFT_META_PRANDOM] = META_TEMPLATE("random", &integer_type,
4 * BITS_PER_BYTE,
BYTEORDER_BIG_ENDIAN), /* avoid conversion; doesn't have endianess */
+ [NFT_META_SECPATH] = META_TEMPLATE("secpath", &boolean_type,
+ BITS_PER_BYTE, BYTEORDER_HOST_ENDIAN),
};
static bool meta_key_is_qualified(enum nft_meta_keys key)
@@ -439,6 +441,7 @@ static bool meta_key_is_qualified(enum nft_meta_keys key)
case NFT_META_PROTOCOL:
case NFT_META_PRIORITY:
case NFT_META_PRANDOM:
+ case NFT_META_SECPATH:
return true;
default:
return false;
diff --git a/tests/py/inet/meta.t b/tests/py/inet/meta.t
index bd225e3d8bc4..d68896dc0b9e 100644
--- a/tests/py/inet/meta.t
+++ b/tests/py/inet/meta.t
@@ -12,3 +12,5 @@ meta nfproto ipv4 tcp dport 22;ok
meta nfproto ipv4 ip saddr 1.2.3.4;ok;ip saddr 1.2.3.4
meta nfproto ipv6 meta l4proto tcp;ok;meta nfproto ipv6 meta l4proto 6
meta nfproto ipv4 counter ip saddr 1.2.3.4;ok
+meta secpath exists;ok
+meta secpath missing;ok
diff --git a/tests/py/inet/meta.t.payload b/tests/py/inet/meta.t.payload
index 0323b30f487b..2d0a66fa5cf5 100644
--- a/tests/py/inet/meta.t.payload
+++ b/tests/py/inet/meta.t.payload
@@ -64,3 +64,12 @@ inet test-inet input
[ payload load 4b @ network header + 12 => reg 1 ]
[ cmp eq reg 1 0x04030201 ]
+# meta secpath exists
+inet test-inet input
+ [ meta load secpath => reg 1 ]
+ [ cmp eq reg 1 0x00000001 ]
+
+# meta secpath missing
+inet test-inet input
+ [ meta load secpath => reg 1 ]
+ [ cmp eq reg 1 0x00000000 ]
--
2.13.6
^ permalink raw reply related [flat|nested] 10+ messages in thread