* [iptables 1/2] extensions: libip6t_srh: support matching previous, next and last SID
@ 2018-04-23 10:48 Ahmed Abdelsalam
2018-04-23 10:48 ` [nf-next] netfilter: extend SRH match to " Ahmed Abdelsalam
2018-04-23 10:48 ` [iptables 2/2] extensions: libip6t_srh: add test-cases for " Ahmed Abdelsalam
From: Ahmed Abdelsalam @ 2018-04-23 10:48 UTC (permalink / raw)
To: pablo, fw, davem, dav.lebrun, linux-kernel, netfilter-devel,
coreteam, netdev
Cc: Ahmed Abdelsalam
This patch extends the libip6t_srh shared library to support matching
previous SID, next SID, and last SID.
Signed-off-by: Ahmed Abdelsalam <amsalam20@gmail.com>
---
extensions/libip6t_srh.c | 65 ++++++++++++++++++++++++++++++++-
include/linux/netfilter_ipv6/ip6t_srh.h | 22 ++++++++++-
2 files changed, 84 insertions(+), 3 deletions(-)
diff --git a/extensions/libip6t_srh.c b/extensions/libip6t_srh.c
index ac0ae08..5acc2ee 100644
--- a/extensions/libip6t_srh.c
+++ b/extensions/libip6t_srh.c
@@ -22,6 +22,9 @@ enum {
O_SRH_LAST_GT,
O_SRH_LAST_LT,
O_SRH_TAG,
+ O_SRH_PSID,
+ O_SRH_NSID,
+ O_SRH_LSID,
};
static void srh_help(void)
@@ -38,7 +41,10 @@ static void srh_help(void)
"[!] --srh-last-entry-eq last_entry Last Entry value of SRH\n"
"[!] --srh-last-entry-gt last_entry Last Entry value of SRH\n"
"[!] --srh-last-entry-lt last_entry Last Entry value of SRH\n"
-"[!] --srh-tag tag Tag value of SRH\n");
+"[!] --srh-tag tag Tag value of SRH\n"
+"[!] --srh-psid addr[/mask] SRH previous SID\n"
+"[!] --srh-nsid addr[/mask] SRH next SID\n"
+"[!] --srh-lsid addr[/mask] SRH Last SID\n");
}
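Review bot: The help text for the new options is inconsistently capitalised — `SRH previous SID`, `SRH next SID`, then `SRH Last SID`; suggested line: `"[!] --srh-lsid addr[/mask] SRH last SID\n"`. It would also help users to say that a missing mask means a full 128-bit match, since that is the only hint they get that `addr` is compared as a prefix when a mask is given.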
#define s struct ip6t_srh
@@ -65,6 +71,12 @@ static const struct xt_option_entry srh_opts[] = {
.flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, last_entry)},
{ .name = "srh-tag", .id = O_SRH_TAG, .type = XTTYPE_UINT16,
.flags = XTOPT_INVERT | XTOPT_PUT, XTOPT_POINTER(s, tag)},
+ { .name = "srh-psid", .id = O_SRH_PSID, .type = XTTYPE_HOSTMASK,
+ .flags = XTOPT_INVERT},
+ { .name = "srh-nsid", .id = O_SRH_NSID, .type = XTTYPE_HOSTMASK,
+ .flags = XTOPT_INVERT},
+ { .name = "srh-lsid", .id = O_SRH_LSID, .type = XTTYPE_HOSTMASK,
+ .flags = XTOPT_INVERT},
{ }
};
#undef s
@@ -75,6 +87,12 @@ static void srh_init(struct xt_entry_match *m)
srhinfo->mt_flags = 0;
srhinfo->mt_invflags = 0;
+ memset(srhinfo->psid_addr.s6_addr, 0, sizeof(srhinfo->psid_addr.s6_addr));
+ memset(srhinfo->nsid_addr.s6_addr, 0, sizeof(srhinfo->nsid_addr.s6_addr));
+ memset(srhinfo->lsid_addr.s6_addr, 0, sizeof(srhinfo->lsid_addr.s6_addr));
+ memset(srhinfo->psid_msk.s6_addr, 0, sizeof(srhinfo->psid_msk.s6_addr));
+ memset(srhinfo->nsid_msk.s6_addr, 0, sizeof(srhinfo->nsid_msk.s6_addr));
+ memset(srhinfo->lsid_msk.s6_addr, 0, sizeof(srhinfo->lsid_msk.s6_addr));
}
static void srh_parse(struct xt_option_call *cb)
@@ -138,6 +156,27 @@ static void srh_parse(struct xt_option_call *cb)
if (cb->invert)
srhinfo->mt_invflags |= IP6T_SRH_INV_TAG;
break;
+ case O_SRH_PSID:
+ srhinfo->mt_flags |= IP6T_SRH_PSID;
+ srhinfo->psid_addr = cb->val.haddr.in6;
+ srhinfo->psid_msk = cb->val.hmask.in6;
+ if (cb->invert)
+ srhinfo->mt_invflags |= IP6T_SRH_INV_PSID;
+ break;
+ case O_SRH_NSID:
+ srhinfo->mt_flags |= IP6T_SRH_NSID;
+ srhinfo->nsid_addr = cb->val.haddr.in6;
+ srhinfo->nsid_msk = cb->val.hmask.in6;
+ if (cb->invert)
+ srhinfo->mt_invflags |= IP6T_SRH_INV_NSID;
+ break;
+ case O_SRH_LSID:
+ srhinfo->mt_flags |= IP6T_SRH_LSID;
+ srhinfo->lsid_addr = cb->val.haddr.in6;
+ srhinfo->lsid_msk = cb->val.hmask.in6;
+ if (cb->invert)
+ srhinfo->mt_invflags |= IP6T_SRH_INV_LSID;
+ break;
}
}
@@ -180,6 +219,18 @@ static void srh_print(const void *ip, const struct xt_entry_match *match,
if (srhinfo->mt_flags & IP6T_SRH_TAG)
printf(" tag:%s%d", srhinfo->mt_invflags & IP6T_SRH_INV_TAG ? "!" : "",
srhinfo->tag);
+ if (srhinfo->mt_flags & IP6T_SRH_PSID)
+ printf(" psid %s %s/%u", srhinfo->mt_invflags & IP6T_SRH_INV_PSID ? "!" : "",
+ xtables_ip6addr_to_numeric(&srhinfo->psid_addr),
+ xtables_ip6mask_to_cidr(&srhinfo->psid_msk));
+ if (srhinfo->mt_flags & IP6T_SRH_NSID)
+ printf(" nsid %s %s/%u", srhinfo->mt_invflags & IP6T_SRH_INV_NSID ? "!" : "",
+ xtables_ip6addr_to_numeric(&srhinfo->nsid_addr),
+ xtables_ip6mask_to_cidr(&srhinfo->nsid_msk));
+ if (srhinfo->mt_flags & IP6T_SRH_LSID)
+ printf(" lsid %s %s/%u", srhinfo->mt_invflags & IP6T_SRH_INV_LSID ? "!" : "",
+ xtables_ip6addr_to_numeric(&srhinfo->lsid_addr),
+ xtables_ip6mask_to_cidr(&srhinfo->lsid_msk));
}
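Review bot: `xtables_ip6mask_to_cidr()` reports a non-contiguous mask with a negative value, which the `%u` conversion on the new psid/nsid/lsid lines prints as a large unsigned number, and ip6tables accepts a mask written as an address, so such a rule would be displayed here — and written by the srh_save hunk below, which has the same three printf calls — in a form that cannot be re-loaded; the kernel side compares with ipv6_masked_addr_cmp(), which accepts any mask. Use `xtables_ip6mask_to_numeric()`, which already produces the `/N` or `/addr` form, e.g. `printf(" psid %s%s%s", srhinfo->mt_invflags & IP6T_SRH_INV_PSID ? "!" : "", xtables_ip6addr_to_numeric(&srhinfo->psid_addr), xtables_ip6mask_to_numeric(&srhinfo->psid_msk));` and the same for nsid and lsid in both hunks. That form also removes the double space the current `" psid %s %s/%u"` format produces when the match is not inverted. srh_print() begins before this hunk.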
static void srh_save(const void *ip, const struct xt_entry_match *match)
@@ -219,6 +270,18 @@ static void srh_save(const void *ip, const struct xt_entry_match *match)
if (srhinfo->mt_flags & IP6T_SRH_TAG)
printf("%s --srh-tag %u", (srhinfo->mt_invflags & IP6T_SRH_INV_TAG) ? " !" : "",
srhinfo->tag);
+ if (srhinfo->mt_flags & IP6T_SRH_PSID)
+ printf("%s --srh-psid %s/%u", srhinfo->mt_invflags & IP6T_SRH_INV_PSID ? " !" : "",
+ xtables_ip6addr_to_numeric(&srhinfo->psid_addr),
+ xtables_ip6mask_to_cidr(&srhinfo->psid_msk));
+ if (srhinfo->mt_flags & IP6T_SRH_NSID)
+ printf("%s --srh-nsid %s/%u", srhinfo->mt_invflags & IP6T_SRH_INV_NSID ? " !" : "",
+ xtables_ip6addr_to_numeric(&srhinfo->nsid_addr),
+ xtables_ip6mask_to_cidr(&srhinfo->nsid_msk));
+ if (srhinfo->mt_flags & IP6T_SRH_LSID)
+ printf("%s --srh-lsid %s/%u", srhinfo->mt_invflags & IP6T_SRH_INV_LSID ? " !" : "",
+ xtables_ip6addr_to_numeric(&srhinfo->lsid_addr),
+ xtables_ip6mask_to_cidr(&srhinfo->lsid_msk));
}
static struct xtables_match srh_mt6_reg = {
diff --git a/include/linux/netfilter_ipv6/ip6t_srh.h b/include/linux/netfilter_ipv6/ip6t_srh.h
index 087efa1..3d77241 100644
--- a/include/linux/netfilter_ipv6/ip6t_srh.h
+++ b/include/linux/netfilter_ipv6/ip6t_srh.h
@@ -16,7 +16,10 @@
#define IP6T_SRH_LAST_GT 0x0100
#define IP6T_SRH_LAST_LT 0x0200
#define IP6T_SRH_TAG 0x0400
-#define IP6T_SRH_MASK 0x07FF
+#define IP6T_SRH_PSID 0x0800
+#define IP6T_SRH_NSID 0x1000
+#define IP6T_SRH_LSID 0x2000
+#define IP6T_SRH_MASK 0x3FFF
/* Values for "mt_invflags" field in struct ip6t_srh */
#define IP6T_SRH_INV_NEXTHDR 0x0001
@@ -30,7 +33,10 @@
#define IP6T_SRH_INV_LAST_GT 0x0100
#define IP6T_SRH_INV_LAST_LT 0x0200
#define IP6T_SRH_INV_TAG 0x0400
-#define IP6T_SRH_INV_MASK 0x07FF
+#define IP6T_SRH_INV_PSID 0x0800
+#define IP6T_SRH_INV_NSID 0x1000
+#define IP6T_SRH_INV_LSID 0x2000
+#define IP6T_SRH_INV_MASK 0x3FFF
/**
* struct ip6t_srh - SRH match options
@@ -39,6 +45,12 @@
* @ segs_left: Segments left field of SRH
* @ last_entry: Last entry field of SRH
* @ tag: Tag field of SRH
+ * @ psid_addr: Address of previous SID in SRH SID list
+ * @ nsid_addr: Address of NEXT SID in SRH SID list
+ * @ lsid_addr: Address of LAST SID in SRH SID list
+ * @ psid_msk: Mask of previous SID in SRH SID list
+ * @ nsid_msk: Mask of next SID in SRH SID list
+ * @ lsid_msk: MAsk of last SID in SRH SID list
* @ mt_flags: match options
* @ mt_invflags: Invert the sense of match options
*/
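Review bot: The new kernel-doc entries are inconsistently capitalised — `NEXT`/`LAST` in the addr lines versus `next`/`last` in the mask lines — and `MAsk` is a typo; suggested text: `* @ nsid_addr: Address of next SID in SRH SID list`, `* @ lsid_addr: Address of last SID in SRH SID list`, `* @ lsid_msk: Mask of last SID in SRH SID list`. The identical lines appear in the uapi header hunk of the kernel patch in this thread and should be fixed there too, since the two headers are meant to stay in sync.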
@@ -49,6 +61,12 @@ struct ip6t_srh {
__u8 segs_left;
__u8 last_entry;
__u16 tag;
+ struct in6_addr psid_addr;
+ struct in6_addr nsid_addr;
+ struct in6_addr lsid_addr;
+ struct in6_addr psid_msk;
+ struct in6_addr nsid_msk;
+ struct in6_addr lsid_msk;
__u16 mt_flags;
__u16 mt_invflags;
};
--
2.1.4
* [nf-next] netfilter: extend SRH match to support matching previous, next and last SID
2018-04-23 10:48 [iptables 1/2] extensions: libip6t_srh: support matching previous, next and last SID Ahmed Abdelsalam
@ 2018-04-23 10:48 ` Ahmed Abdelsalam
2018-04-23 17:30 ` Pablo Neira Ayuso
2018-04-23 10:48 ` [iptables 2/2] extensions: libip6t_srh: add test-cases for " Ahmed Abdelsalam
From: Ahmed Abdelsalam @ 2018-04-23 10:48 UTC (permalink / raw)
To: pablo, fw, davem, dav.lebrun, linux-kernel, netfilter-devel,
coreteam, netdev
Cc: Ahmed Abdelsalam
IPv6 Segment Routing Header (SRH) contains a list of SIDs to be crossed by
an SR-encapsulated packet. Each SID is encoded as an IPv6 prefix.
When a Firewall receives an SR-encapsulated packet, it should be able to
identify which node previously processed the packet (previous SID), which
node is going to process the packet next (next SID), and which node is the
last to process the packet (last SID), which represents the final destination
of the packet in the case of inline SR mode.
An example use-case of using these features could be SID list that includes
two firewalls. When the second firewall receives a packet, it can check
whether the packet has been processed by the first firewall or not. Based on
that check, it decides to apply all rules, apply just subset of the rules,
or totally skip all rules and forward the packet to the next SID.
This patch extends SRH match to support matching previous SID, next SID, and
last SID.
Signed-off-by: Ahmed Abdelsalam <amsalam20@gmail.com>
---
include/uapi/linux/netfilter_ipv6/ip6t_srh.h | 22 +++++++++++++--
net/ipv6/netfilter/ip6t_srh.c | 41 +++++++++++++++++++++++++++-
2 files changed, 60 insertions(+), 3 deletions(-)
diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_srh.h b/include/uapi/linux/netfilter_ipv6/ip6t_srh.h
index f3cc0ef..9808382 100644
--- a/include/uapi/linux/netfilter_ipv6/ip6t_srh.h
+++ b/include/uapi/linux/netfilter_ipv6/ip6t_srh.h
@@ -17,7 +17,10 @@
#define IP6T_SRH_LAST_GT 0x0100
#define IP6T_SRH_LAST_LT 0x0200
#define IP6T_SRH_TAG 0x0400
-#define IP6T_SRH_MASK 0x07FF
+#define IP6T_SRH_PSID 0x0800
+#define IP6T_SRH_NSID 0x1000
+#define IP6T_SRH_LSID 0x2000
+#define IP6T_SRH_MASK 0x3FFF
/* Values for "mt_invflags" field in struct ip6t_srh */
#define IP6T_SRH_INV_NEXTHDR 0x0001
@@ -31,7 +34,10 @@
#define IP6T_SRH_INV_LAST_GT 0x0100
#define IP6T_SRH_INV_LAST_LT 0x0200
#define IP6T_SRH_INV_TAG 0x0400
-#define IP6T_SRH_INV_MASK 0x07FF
+#define IP6T_SRH_INV_PSID 0x0800
+#define IP6T_SRH_INV_NSID 0x1000
+#define IP6T_SRH_INV_LSID 0x2000
+#define IP6T_SRH_INV_MASK 0x3FFF
/**
* struct ip6t_srh - SRH match options
@@ -40,6 +46,12 @@
* @ segs_left: Segments left field of SRH
* @ last_entry: Last entry field of SRH
* @ tag: Tag field of SRH
+ * @ psid_addr: Address of previous SID in SRH SID list
+ * @ nsid_addr: Address of NEXT SID in SRH SID list
+ * @ lsid_addr: Address of LAST SID in SRH SID list
+ * @ psid_msk: Mask of previous SID in SRH SID list
+ * @ nsid_msk: Mask of next SID in SRH SID list
+ * @ lsid_msk: MAsk of last SID in SRH SID list
* @ mt_flags: match options
* @ mt_invflags: Invert the sense of match options
*/
@@ -50,6 +62,12 @@ struct ip6t_srh {
__u8 segs_left;
__u8 last_entry;
__u16 tag;
+ struct in6_addr psid_addr;
+ struct in6_addr nsid_addr;
+ struct in6_addr lsid_addr;
+ struct in6_addr psid_msk;
+ struct in6_addr nsid_msk;
+ struct in6_addr lsid_msk;
__u16 mt_flags;
__u16 mt_invflags;
};
diff --git a/net/ipv6/netfilter/ip6t_srh.c b/net/ipv6/netfilter/ip6t_srh.c
index 33719d5..2b5cc73 100644
--- a/net/ipv6/netfilter/ip6t_srh.c
+++ b/net/ipv6/netfilter/ip6t_srh.c
@@ -30,7 +30,9 @@ static bool srh_mt6(const struct sk_buff *skb, struct xt_action_param *par)
const struct ip6t_srh *srhinfo = par->matchinfo;
struct ipv6_sr_hdr *srh;
struct ipv6_sr_hdr _srh;
- int hdrlen, srhoff = 0;
+ int hdrlen, psidoff, nsidoff, lsidoff, srhoff = 0;
+ struct in6_addr *psid, *nsid, *lsid;
+ struct in6_addr _psid, _nsid, _lsid;
if (ipv6_find_hdr(skb, &srhoff, IPPROTO_ROUTING, NULL, NULL) < 0)
return false;
@@ -114,6 +116,43 @@ static bool srh_mt6(const struct sk_buff *skb, struct xt_action_param *par)
if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_TAG,
!(srh->tag == srhinfo->tag)))
return false;
+
+ /* Previous SID matching */
+ if (srhinfo->mt_flags & IP6T_SRH_PSID) {
+ if (srh->segments_left == srh->first_segment)
+ return false;
+ psidoff = srhoff + sizeof(struct ipv6_sr_hdr) +
+ ((srh->segments_left + 1) * sizeof(struct in6_addr));
+ psid = skb_header_pointer(skb, psidoff, sizeof(_psid), &_psid);
+ if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_PSID,
+ ipv6_masked_addr_cmp(psid, &srhinfo->psid_msk,
+ &srhinfo->psid_addr)))
+ return false;
+ }
+
+ /* Next SID matching */
+ if (srhinfo->mt_flags & IP6T_SRH_NSID) {
+ if (srh->segments_left == 0)
+ return false;
+ nsidoff = srhoff + sizeof(struct ipv6_sr_hdr) +
+ ((srh->segments_left - 1) * sizeof(struct in6_addr));
+ nsid = skb_header_pointer(skb, nsidoff, sizeof(_nsid), &_nsid);
+ if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_NSID,
+ ipv6_masked_addr_cmp(nsid, &srhinfo->nsid_msk,
+ &srhinfo->nsid_addr)))
+ return false;
+ }
+
+ /* Last SID matching */
+ if (srhinfo->mt_flags & IP6T_SRH_LSID) {
+ lsidoff = srhoff + sizeof(struct ipv6_sr_hdr);
+ lsid = skb_header_pointer(skb, lsidoff, sizeof(_lsid), &_lsid);
+ if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_LSID,
+ ipv6_masked_addr_cmp(lsid, &srhinfo->lsid_msk,
+ &srhinfo->lsid_addr)))
+ return false;
+ }
+
return true;
}
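Review bot: The three skb_header_pointer() results (psid, nsid, lsid) are passed straight to ipv6_masked_addr_cmp() without a NULL check; skb_header_pointer() returns NULL when the requested range lies beyond the packet, and the offsets here are computed from `srh->segments_left`, a value taken from the packet, so a crafted or truncated SRH could make the match dereference NULL. If the length check earlier in srh_mt6() (outside this hunk) only bounds the header as declared by hdrlen, it does not constrain segments_left, so add `if (!psid) return false;` after each skb_header_pointer() call, and likewise for nsid and lsid. It is also worth rejecting `srh->segments_left > srh->first_segment` before the previous-SID lookup, since such an SRH is malformed and the computed psidoff then points past the SID list. srh_mt6() begins before this hunk.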
--
2.1.4
* Re: [nf-next] netfilter: extend SRH match to support matching previous, next and last SID
2018-04-23 10:48 ` [nf-next] netfilter: extend SRH match to " Ahmed Abdelsalam
@ 2018-04-23 17:30 ` Pablo Neira Ayuso
2018-04-23 20:01 ` Ahmed Abdelsalam
From: Pablo Neira Ayuso @ 2018-04-23 17:30 UTC (permalink / raw)
To: Ahmed Abdelsalam
Cc: fw, davem, dav.lebrun, linux-kernel, netfilter-devel, coreteam,
netdev
On Mon, Apr 23, 2018 at 05:48:22AM -0500, Ahmed Abdelsalam wrote:
> IPv6 Segment Routing Header (SRH) contains a list of SIDs to be crossed by
> SR encapsulated packet. Each SID is encoded as an IPv6 prefix.
>
> When a Firewall receives an SR encapsulated packet, it should be able to
> identify which node previously processed the packet (previous SID), which
> node is going to process the packet next (next SID), and which node is the
> last to process the packet (last SID) which represent the final destination
> of the packet in case of inline SR mode.
>
> An example use-case of using these features could be SID list that includes
> two firewalls. When the second firewall receives a packet, it can check
> whether the packet has been processed by the first firewall or not. Based on
> that check, it decides to apply all rules, apply just subset of the rules,
> or totally skip all rules and forward the packet to the next SID.
>
> This patch extends SRH match to support matching previous SID, next SID, and
> last SID.
>
> Signed-off-by: Ahmed Abdelsalam <amsalam20@gmail.com>
> ---
> include/uapi/linux/netfilter_ipv6/ip6t_srh.h | 22 +++++++++++++--
> net/ipv6/netfilter/ip6t_srh.c | 41 +++++++++++++++++++++++++++-
> 2 files changed, 60 insertions(+), 3 deletions(-)
>
> diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_srh.h b/include/uapi/linux/netfilter_ipv6/ip6t_srh.h
> index f3cc0ef..9808382 100644
> --- a/include/uapi/linux/netfilter_ipv6/ip6t_srh.h
> +++ b/include/uapi/linux/netfilter_ipv6/ip6t_srh.h
> @@ -17,7 +17,10 @@
> #define IP6T_SRH_LAST_GT 0x0100
> #define IP6T_SRH_LAST_LT 0x0200
> #define IP6T_SRH_TAG 0x0400
> -#define IP6T_SRH_MASK 0x07FF
> +#define IP6T_SRH_PSID 0x0800
> +#define IP6T_SRH_NSID 0x1000
> +#define IP6T_SRH_LSID 0x2000
> +#define IP6T_SRH_MASK 0x3FFF
>
> /* Values for "mt_invflags" field in struct ip6t_srh */
> #define IP6T_SRH_INV_NEXTHDR 0x0001
> @@ -31,7 +34,10 @@
> #define IP6T_SRH_INV_LAST_GT 0x0100
> #define IP6T_SRH_INV_LAST_LT 0x0200
> #define IP6T_SRH_INV_TAG 0x0400
> -#define IP6T_SRH_INV_MASK 0x07FF
> +#define IP6T_SRH_INV_PSID 0x0800
> +#define IP6T_SRH_INV_NSID 0x1000
> +#define IP6T_SRH_INV_LSID 0x2000
> +#define IP6T_SRH_INV_MASK 0x3FFF
>
> /**
> * struct ip6t_srh - SRH match options
> @@ -40,6 +46,12 @@
> * @ segs_left: Segments left field of SRH
> * @ last_entry: Last entry field of SRH
> * @ tag: Tag field of SRH
> + * @ psid_addr: Address of previous SID in SRH SID list
> + * @ nsid_addr: Address of NEXT SID in SRH SID list
> + * @ lsid_addr: Address of LAST SID in SRH SID list
> + * @ psid_msk: Mask of previous SID in SRH SID list
> + * @ nsid_msk: Mask of next SID in SRH SID list
> + * @ lsid_msk: MAsk of last SID in SRH SID list
> * @ mt_flags: match options
> * @ mt_invflags: Invert the sense of match options
> */
> @@ -50,6 +62,12 @@ struct ip6t_srh {
> __u8 segs_left;
> __u8 last_entry;
> __u16 tag;
> + struct in6_addr psid_addr;
> + struct in6_addr nsid_addr;
> + struct in6_addr lsid_addr;
> + struct in6_addr psid_msk;
> + struct in6_addr nsid_msk;
> + struct in6_addr lsid_msk;
This is changing something exposed through UAPI, so you will need a
new revision for this.
> __u16 mt_flags;
> __u16 mt_invflags;
> };
> diff --git a/net/ipv6/netfilter/ip6t_srh.c b/net/ipv6/netfilter/ip6t_srh.c
> index 33719d5..2b5cc73 100644
> --- a/net/ipv6/netfilter/ip6t_srh.c
> +++ b/net/ipv6/netfilter/ip6t_srh.c
> @@ -30,7 +30,9 @@ static bool srh_mt6(const struct sk_buff *skb, struct xt_action_param *par)
> const struct ip6t_srh *srhinfo = par->matchinfo;
> struct ipv6_sr_hdr *srh;
> struct ipv6_sr_hdr _srh;
> - int hdrlen, srhoff = 0;
> + int hdrlen, psidoff, nsidoff, lsidoff, srhoff = 0;
> + struct in6_addr *psid, *nsid, *lsid;
> + struct in6_addr _psid, _nsid, _lsid;
Could you rearrange variable definitions? ie. longest line first, eg.
int hdrlen, psidoff, nsidoff, lsidoff, srhoff = 0;
const struct ip6t_srh *srhinfo = par->matchinfo;
struct in6_addr *psid, *nsid, *lsid;
struct ipv6_sr_hdr *srh;
struct ipv6_sr_hdr _srh;
Thanks.
* Re: [nf-next] netfilter: extend SRH match to support matching previous, next and last SID
2018-04-23 17:30 ` Pablo Neira Ayuso
@ 2018-04-23 20:01 ` Ahmed Abdelsalam
2018-04-23 20:08 ` Florian Westphal
From: Ahmed Abdelsalam @ 2018-04-23 20:01 UTC (permalink / raw)
To: Pablo Neira Ayuso
Cc: fw, davem, dav.lebrun, linux-kernel, netfilter-devel, coreteam,
netdev
On Mon, 23 Apr 2018 19:30:47 +0200
Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> On Mon, Apr 23, 2018 at 05:48:22AM -0500, Ahmed Abdelsalam wrote:
> > Signed-off-by: Ahmed Abdelsalam <amsalam20@gmail.com>
> > ---
> > include/uapi/linux/netfilter_ipv6/ip6t_srh.h | 22 +++++++++++++--
> > net/ipv6/netfilter/ip6t_srh.c | 41 +++++++++++++++++++++++++++-
> > 2 files changed, 60 insertions(+), 3 deletions(-)
> >
> > diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_srh.h b/include/uapi/linux/netfilter_ipv6/ip6t_srh.h
> > index f3cc0ef..9808382 100644
> > --- a/include/uapi/linux/netfilter_ipv6/ip6t_srh.h
> > +++ b/include/uapi/linux/netfilter_ipv6/ip6t_srh.h
> > @@ -17,7 +17,10 @@
> > #define IP6T_SRH_LAST_GT 0x0100
> > #define IP6T_SRH_LAST_LT 0x0200
> > #define IP6T_SRH_TAG 0x0400
> > -#define IP6T_SRH_MASK 0x07FF
> > +#define IP6T_SRH_PSID 0x0800
> > +#define IP6T_SRH_NSID 0x1000
> > +#define IP6T_SRH_LSID 0x2000
> > +#define IP6T_SRH_MASK 0x3FFF
> >
> > /* Values for "mt_invflags" field in struct ip6t_srh */
> > #define IP6T_SRH_INV_NEXTHDR 0x0001
> > @@ -31,7 +34,10 @@
> > #define IP6T_SRH_INV_LAST_GT 0x0100
> > #define IP6T_SRH_INV_LAST_LT 0x0200
> > #define IP6T_SRH_INV_TAG 0x0400
> > -#define IP6T_SRH_INV_MASK 0x07FF
> > +#define IP6T_SRH_INV_PSID 0x0800
> > +#define IP6T_SRH_INV_NSID 0x1000
> > +#define IP6T_SRH_INV_LSID 0x2000
> > +#define IP6T_SRH_INV_MASK 0x3FFF
> >
> > /**
> > * struct ip6t_srh - SRH match options
> > @@ -40,6 +46,12 @@
> > * @ segs_left: Segments left field of SRH
> > * @ last_entry: Last entry field of SRH
> > * @ tag: Tag field of SRH
> > + * @ psid_addr: Address of previous SID in SRH SID list
> > + * @ nsid_addr: Address of NEXT SID in SRH SID list
> > + * @ lsid_addr: Address of LAST SID in SRH SID list
> > + * @ psid_msk: Mask of previous SID in SRH SID list
> > + * @ nsid_msk: Mask of next SID in SRH SID list
> > + * @ lsid_msk: MAsk of last SID in SRH SID list
> > * @ mt_flags: match options
> > * @ mt_invflags: Invert the sense of match options
> > */
> > @@ -50,6 +62,12 @@ struct ip6t_srh {
> > __u8 segs_left;
> > __u8 last_entry;
> > __u16 tag;
> > + struct in6_addr psid_addr;
> > + struct in6_addr nsid_addr;
> > + struct in6_addr lsid_addr;
> > + struct in6_addr psid_msk;
> > + struct in6_addr nsid_msk;
> > + struct in6_addr lsid_msk;
>
> This is changing something exposed through UAPI, so you will need a
> new revision for this.
Could you please advise what should be done in this case?
>
> > __u16 mt_flags;
> > __u16 mt_invflags;
> > };
> > diff --git a/net/ipv6/netfilter/ip6t_srh.c b/net/ipv6/netfilter/ip6t_srh.c
> > index 33719d5..2b5cc73 100644
> > --- a/net/ipv6/netfilter/ip6t_srh.c
> > +++ b/net/ipv6/netfilter/ip6t_srh.c
> > @@ -30,7 +30,9 @@ static bool srh_mt6(const struct sk_buff *skb, struct xt_action_param *par)
> > const struct ip6t_srh *srhinfo = par->matchinfo;
> > struct ipv6_sr_hdr *srh;
> > struct ipv6_sr_hdr _srh;
> > - int hdrlen, srhoff = 0;
> > + int hdrlen, psidoff, nsidoff, lsidoff, srhoff = 0;
> > + struct in6_addr *psid, *nsid, *lsid;
> > + struct in6_addr _psid, _nsid, _lsid;
>
> Could you rearrange variable definitions? ie. longest line first, eg.
>
> int hdrlen, psidoff, nsidoff, lsidoff, srhoff = 0;
> const struct ip6t_srh *srhinfo = par->matchinfo;
> struct in6_addr *psid, *nsid, *lsid;
> struct ipv6_sr_hdr *srh;
> struct ipv6_sr_hdr _srh;
>
Ok I will re-arrange them in reverse christmas tree form.
Ahmed
--
Ahmed Abdelsalam <amsalam20@gmail.com>
* Re: [nf-next] netfilter: extend SRH match to support matching previous, next and last SID
2018-04-23 20:01 ` Ahmed Abdelsalam
@ 2018-04-23 20:08 ` Florian Westphal
2018-04-23 20:16 ` Ahmed Abdelsalam
From: Florian Westphal @ 2018-04-23 20:08 UTC (permalink / raw)
To: Ahmed Abdelsalam
Cc: Pablo Neira Ayuso, fw, davem, dav.lebrun, linux-kernel,
netfilter-devel, coreteam, netdev
Ahmed Abdelsalam <amsalam20@gmail.com> wrote:
> > > @@ -50,6 +62,12 @@ struct ip6t_srh {
> > > __u8 segs_left;
> > > __u8 last_entry;
> > > __u16 tag;
> > > + struct in6_addr psid_addr;
> > > + struct in6_addr nsid_addr;
> > > + struct in6_addr lsid_addr;
> > > + struct in6_addr psid_msk;
> > > + struct in6_addr nsid_msk;
> > > + struct in6_addr lsid_msk;
> >
> > This is changing something exposed through UAPI, so you will need a
> > new revision for this.
>
> Could you please advice what should be done in this case?
You need to add
struct ip6t_srh_v1 {
/* copy of struct ip6t_srh here */
/* new fields go here */
};
Look at xt_conntrack.c, conntrack_mt_reg[] for an example of
multi-revision match.
You can probably re-organise the code to avoid too much duplication.
See 5a786232eb69a1f870ddc0cfd69d5bdef241a2ea in nf.git for an example,
it makes v0 into a v1 struct at runtime and re-uses new v1 code
for old v0.
* Re: [nf-next] netfilter: extend SRH match to support matching previous, next and last SID
2018-04-23 20:08 ` Florian Westphal
@ 2018-04-23 20:16 ` Ahmed Abdelsalam
From: Ahmed Abdelsalam @ 2018-04-23 20:16 UTC (permalink / raw)
To: Florian Westphal
Cc: Pablo Neira Ayuso, davem, dav.lebrun, linux-kernel,
netfilter-devel, coreteam, netdev
On Mon, 23 Apr 2018 22:08:44 +0200
Florian Westphal <fw@strlen.de> wrote:
> Ahmed Abdelsalam <amsalam20@gmail.com> wrote:
> > > > @@ -50,6 +62,12 @@ struct ip6t_srh {
> > > > __u8 segs_left;
> > > > __u8 last_entry;
> > > > __u16 tag;
> > > > + struct in6_addr psid_addr;
> > > > + struct in6_addr nsid_addr;
> > > > + struct in6_addr lsid_addr;
> > > > + struct in6_addr psid_msk;
> > > > + struct in6_addr nsid_msk;
> > > > + struct in6_addr lsid_msk;
> > >
> > > This is changing something exposed through UAPI, so you will need a
> > > new revision for this.
> >
> > Could you please advice what should be done in this case?
>
> You need to add
> struct ip6t_srh_v1 {
> /* copy of struct ip6t_srh here */
>
> /* new fields go here */
> };
>
>
> Look at xt_conntrack.c, conntrack_mt_reg[] for an example of
> multi-revision match.
>
> You can probably re-origanise code to avoid too much duplication.
> See 5a786232eb69a1f870ddc0cfd69d5bdef241a2ea in nf.git for an example,
> it makes v0 into a v1 struct at runtime and re-uses new v1 code
> for old v0.
>
>
Thanks Florian!
--
Ahmed Abdelsalam <amsalam20@gmail.com>
* [iptables 2/2] extensions: libip6t_srh: add test-cases for matching previous, next and last SID
2018-04-23 10:48 [iptables 1/2] extensions: libip6t_srh: support matching previous, next and last SID Ahmed Abdelsalam
2018-04-23 10:48 ` [nf-next] netfilter: extend SRH match to " Ahmed Abdelsalam
@ 2018-04-23 10:48 ` Ahmed Abdelsalam
From: Ahmed Abdelsalam @ 2018-04-23 10:48 UTC (permalink / raw)
To: pablo, fw, davem, dav.lebrun, linux-kernel, netfilter-devel,
coreteam, netdev
Cc: Ahmed Abdelsalam
This patch adds some test-cases to "libip6t_srh.t" for matching previous SID,
next SID, and last SID.
Signed-off-by: Ahmed Abdelsalam <amsalam20@gmail.com>
---
extensions/libip6t_srh.t | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/extensions/libip6t_srh.t b/extensions/libip6t_srh.t
index 08897d5..88a379e 100644
--- a/extensions/libip6t_srh.t
+++ b/extensions/libip6t_srh.t
@@ -23,4 +23,8 @@
-m srh ! --srh-tag 0;=;OK
-m srh --srh-next-hdr 17 --srh-segs-left-eq 1 --srh-last-entry-eq 4 --srh-tag 0;=;OK
-m srh ! --srh-next-hdr 17 ! --srh-segs-left-eq 0 --srh-tag 0;=;OK
+-m srh --srh-psid A::2/64 --srh-nsid B2::/128 --srh-lsid C::/0;=;OK
+-m srh ! --srh-psid A::2/64 ! --srh-nsid B2::/128 ! --srh-lsid C::/0;=;OK
+-m srh --srh-psid A::2 --srh-nsid B2:: --srh-lsid C::;=;OK
+-m srh ! --srh-psid A::2 ! --srh-nsid B2:: ! --srh-lsid C::;=;OK
-m srh;=;OK
--
2.1.4