From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: fw@strlen.de, fmyhr@fhmtech.com, stefanh@hafenthal.de
Subject: [PATCH nf-next 2/2] netfilter: nftables: add NFT_CT_HELPER_OBJNAME
Date: Tue, 9 Mar 2021 22:01:34 +0100 [thread overview]
Message-ID: <20210309210134.13620-3-pablo@netfilter.org> (raw)
In-Reply-To: <20210309210134.13620-1-pablo@netfilter.org>
Conntrack helper assignments refer to the helper object name, while
NFT_CT_HELPER (now NFT_CT_HELPER_TYPE) refers to the helper type.
This patch allows to match on helper object name so the ct helper
matching and the assignment are consistent.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/net/netfilter/nf_conntrack_helper.h | 1 +
include/uapi/linux/netfilter/nf_tables.h | 2 ++
net/netfilter/nf_conntrack_helper.c | 1 +
net/netfilter/nft_ct.c | 26 ++++++++++++++++++---
4 files changed, 27 insertions(+), 3 deletions(-)
diff --git a/include/net/netfilter/nf_conntrack_helper.h b/include/net/netfilter/nf_conntrack_helper.h
index 37f0fbefb060..c0020d5206cd 100644
--- a/include/net/netfilter/nf_conntrack_helper.h
+++ b/include/net/netfilter/nf_conntrack_helper.h
@@ -70,6 +70,7 @@ struct nf_conntrack_helper {
struct nf_conn_help {
/* Helper. if any */
struct nf_conntrack_helper __rcu *helper;
+ const char *objname;
struct hlist_head expectations;
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 481e32c1b1b2..1cca009858bf 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -1065,6 +1065,7 @@ enum nft_socket_keys {
* @NFT_CT_SRC_IP6: conntrack layer 3 protocol source (IPv6 address)
* @NFT_CT_DST_IP6: conntrack layer 3 protocol destination (IPv6 address)
* @NFT_CT_ID: conntrack id
+ * @NFT_CT_HELPER_OBJNAME: connection tracking helper object assigned to conntrack
*/
enum nft_ct_keys {
NFT_CT_STATE,
@@ -1092,6 +1093,7 @@ enum nft_ct_keys {
NFT_CT_SRC_IP6,
NFT_CT_DST_IP6,
NFT_CT_ID,
+ NFT_CT_HELPER_OBJNAME,
__NFT_CT_MAX
};
#define NFT_CT_MAX (__NFT_CT_MAX - 1)
diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
index 118f415928ae..c14b0733485b 100644
--- a/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c
@@ -311,6 +311,7 @@ void nf_ct_helper_destroy(struct nf_conn *ct)
if (helper && helper->destroy)
helper->destroy(ct);
rcu_read_unlock();
+ kfree(help->objname);
}
}
diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index a9041dce9345..a412de6de9ca 100644
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -219,6 +219,17 @@ static void nft_ct_get_eval(const struct nft_expr *expr,
goto err;
memcpy(dest, tuple->dst.u3.ip6, sizeof(struct in6_addr));
return;
+ case NFT_CT_HELPER_OBJNAME:
+ if (!ct->master)
+ goto err;
+ help = nfct_help(ct->master);
+ if (!help)
+ goto err;
+ helper = rcu_dereference(help->helper);
+ if (!helper || !help->objname)
+ goto err;
+ strncpy((char *)dest, help->objname, NF_CT_HELPER_NAME_LEN);
+ return;
default:
break;
}
@@ -1063,6 +1074,7 @@ static void nft_ct_helper_obj_eval(struct nft_object *obj,
struct nf_conn *ct = (struct nf_conn *)skb_nfct(pkt->skb);
struct nf_conntrack_helper *to_assign = NULL;
struct nf_conn_help *help;
+ const char *objname;
if (!ct ||
nf_ct_is_confirmed(ct) ||
@@ -1088,11 +1100,19 @@ static void nft_ct_helper_obj_eval(struct nft_object *obj,
if (test_bit(IPS_HELPER_BIT, &ct->status))
return;
+ objname = kstrdup(obj->key.name, GFP_ATOMIC);
+ if (!objname)
+ return;
+
help = nf_ct_helper_ext_add(ct, GFP_ATOMIC);
- if (help) {
- rcu_assign_pointer(help->helper, to_assign);
- set_bit(IPS_HELPER_BIT, &ct->status);
+ if (!help) {
+ kfree(objname);
+ return;
}
+
+ help->objname = objname;
+ rcu_assign_pointer(help->helper, to_assign);
+ set_bit(IPS_HELPER_BIT, &ct->status);
}
static int nft_ct_helper_obj_dump(struct sk_buff *skb,
--
2.20.1
next prev parent reply other threads:[~2021-03-09 21:02 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-03-09 21:01 [PATCH RFC nf-next 0/2] ct helper object name matching Pablo Neira Ayuso
2021-03-09 21:01 ` [PATCH nf-next 1/2] netfilter: nftables: rename NFT_CT_HELPER to NFT_CT_HELPER_TYPE Pablo Neira Ayuso
2021-03-09 21:01 ` Pablo Neira Ayuso [this message]
2021-03-09 21:18 ` [PATCH RFC nf-next 0/2] ct helper object name matching Florian Westphal
2021-03-09 21:24 ` Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210309210134.13620-3-pablo@netfilter.org \
--to=pablo@netfilter.org \
--cc=fmyhr@fhmtech.com \
--cc=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
--cc=stefanh@hafenthal.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).