[PATCH RFC nf-next 0/2] ct helper object name matching

[PATCH RFC nf-next 0/2] ct helper object name matching

[Pablo Neira Ayuso]

Hi,

[ Compile tested-only and userspace update is missing ]

This patchset adds NFT_CT_HELPER_OBJNAME to match on the helper object name, ie.

From nftables, existing (inconsistent) syntax can be left in place for
backward compatibility. The new proposed syntax would more explicitly
refer to match the user wants to do, e.g.

	ct helper name set "ftp-21"
	ct helper name "ftp-21"

For NFT_CT_HELPER_TYPE (formerly NFT_CT_HELPER), syntax would be:

	ct helper type "ftp"

It should be also possible to support for:

	ct helper type set "ftp"

via implicit object, this infrastructure is missing in the kernel
though, the idea would be to create an implicit object that is attached
to the rule.  Such object would be released when the rule is removed.

Let me know.

Pablo Neira Ayuso (2):
  netfilter: nftables: rename NFT_CT_HELPER to NFT_CT_HELPER_TYPE
  netfilter: nftables: add NFT_CT_HELPER_OBJNAME

 include/net/netfilter/nf_conntrack_helper.h |  1 +
 include/uapi/linux/netfilter/nf_tables.h    |  7 +++--
 net/netfilter/nf_conntrack_helper.c         |  1 +
 net/netfilter/nft_ct.c                      | 30 +++++++++++++++++----
 4 files changed, 32 insertions(+), 7 deletions(-)

-- 
2.20.1

[PATCH nf-next 1/2] netfilter: nftables: rename NFT_CT_HELPER to NFT_CT_HELPER_TYPE

[Pablo Neira Ayuso]

The existing NFT_CT_HELPER allows to match on the helper type, rename
this attribute to support for matching on the helper object name.

NFT_CT_HELPER is left in place for backward compatibility.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/uapi/linux/netfilter/nf_tables.h | 5 +++--
 net/netfilter/nft_ct.c                   | 4 ++--
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 79bab7a36b30..481e32c1b1b2 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -1047,7 +1047,7 @@ enum nft_socket_keys {
  * @NFT_CT_MARK: conntrack mark value
  * @NFT_CT_SECMARK: conntrack secmark value
  * @NFT_CT_EXPIRATION: relative conntrack expiration time in ms
- * @NFT_CT_HELPER: connection tracking helper assigned to conntrack
+ * @NFT_CT_HELPER_TYPE: connection tracking helper type assigned to conntrack
  * @NFT_CT_L3PROTOCOL: conntrack layer 3 protocol
  * @NFT_CT_SRC: conntrack layer 3 protocol source (IPv4/IPv6 address, deprecated)
  * @NFT_CT_DST: conntrack layer 3 protocol destination (IPv4/IPv6 address, deprecated)
@@ -1073,7 +1073,8 @@ enum nft_ct_keys {
 	NFT_CT_MARK,
 	NFT_CT_SECMARK,
 	NFT_CT_EXPIRATION,
-	NFT_CT_HELPER,
+	NFT_CT_HELPER_TYPE,
+#define NFT_CT_HELPER	NFT_CT_HELPER_TYPE
 	NFT_CT_L3PROTOCOL,
 	NFT_CT_SRC,
 	NFT_CT_DST,
diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index 882fe8648653..a9041dce9345 100644
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -107,7 +107,7 @@ static void nft_ct_get_eval(const struct nft_expr *expr,
 	case NFT_CT_EXPIRATION:
 		*dest = jiffies_to_msecs(nf_ct_expires(ct));
 		return;
-	case NFT_CT_HELPER:
+	case NFT_CT_HELPER_TYPE:
 		if (ct->master == NULL)
 			goto err;
 		help = nfct_help(ct->master);
@@ -418,7 +418,7 @@ static int nft_ct_get_init(const struct nft_ctx *ctx,
 		len = NF_CT_LABELS_MAX_SIZE;
 		break;
 #endif
-	case NFT_CT_HELPER:
+	case NFT_CT_HELPER_TYPE:
 		if (tb[NFTA_CT_DIRECTION] != NULL)
 			return -EINVAL;
 		len = NF_CT_HELPER_NAME_LEN;
-- 
2.20.1

[PATCH nf-next 2/2] netfilter: nftables: add NFT_CT_HELPER_OBJNAME

[Pablo Neira Ayuso]

Conntrack helper assignments refer to the helper object name, while
NFT_CT_HELPER (now NFT_CT_HELPER_TYPE) refers to the helper type.

This patch allows to match on helper object name so the ct helper
matching and the assignment are consistent.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/net/netfilter/nf_conntrack_helper.h |  1 +
 include/uapi/linux/netfilter/nf_tables.h    |  2 ++
 net/netfilter/nf_conntrack_helper.c         |  1 +
 net/netfilter/nft_ct.c                      | 26 ++++++++++++++++++---
 4 files changed, 27 insertions(+), 3 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack_helper.h b/include/net/netfilter/nf_conntrack_helper.h
index 37f0fbefb060..c0020d5206cd 100644
--- a/include/net/netfilter/nf_conntrack_helper.h
+++ b/include/net/netfilter/nf_conntrack_helper.h
@@ -70,6 +70,7 @@ struct nf_conntrack_helper {
 struct nf_conn_help {
 	/* Helper. if any */
 	struct nf_conntrack_helper __rcu *helper;
+	const char *objname;
 
 	struct hlist_head expectations;
 
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 481e32c1b1b2..1cca009858bf 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -1065,6 +1065,7 @@ enum nft_socket_keys {
  * @NFT_CT_SRC_IP6: conntrack layer 3 protocol source (IPv6 address)
  * @NFT_CT_DST_IP6: conntrack layer 3 protocol destination (IPv6 address)
  * @NFT_CT_ID: conntrack id
+ * @NFT_CT_HELPER_OBJNAME: connection tracking helper object assigned to conntrack
  */
 enum nft_ct_keys {
 	NFT_CT_STATE,
@@ -1092,6 +1093,7 @@ enum nft_ct_keys {
 	NFT_CT_SRC_IP6,
 	NFT_CT_DST_IP6,
 	NFT_CT_ID,
+	NFT_CT_HELPER_OBJNAME,
 	__NFT_CT_MAX
 };
 #define NFT_CT_MAX		(__NFT_CT_MAX - 1)
diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
index 118f415928ae..c14b0733485b 100644
--- a/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c
@@ -311,6 +311,7 @@ void nf_ct_helper_destroy(struct nf_conn *ct)
 		if (helper && helper->destroy)
 			helper->destroy(ct);
 		rcu_read_unlock();
+		kfree(help->objname);
 	}
 }
 
diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index a9041dce9345..a412de6de9ca 100644
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -219,6 +219,17 @@ static void nft_ct_get_eval(const struct nft_expr *expr,
 			goto err;
 		memcpy(dest, tuple->dst.u3.ip6, sizeof(struct in6_addr));
 		return;
+	case NFT_CT_HELPER_OBJNAME:
+		if (!ct->master)
+			goto err;
+		help = nfct_help(ct->master);
+		if (!help)
+			goto err;
+		helper = rcu_dereference(help->helper);
+		if (!helper || !help->objname)
+			goto err;
+		strncpy((char *)dest, help->objname, NF_CT_HELPER_NAME_LEN);
+		return;
 	default:
 		break;
 	}
@@ -1063,6 +1074,7 @@ static void nft_ct_helper_obj_eval(struct nft_object *obj,
 	struct nf_conn *ct = (struct nf_conn *)skb_nfct(pkt->skb);
 	struct nf_conntrack_helper *to_assign = NULL;
 	struct nf_conn_help *help;
+	const char *objname;
 
 	if (!ct ||
 	    nf_ct_is_confirmed(ct) ||
@@ -1088,11 +1100,19 @@ static void nft_ct_helper_obj_eval(struct nft_object *obj,
 	if (test_bit(IPS_HELPER_BIT, &ct->status))
 		return;
 
+	objname = kstrdup(obj->key.name, GFP_ATOMIC);
+	if (!objname)
+		return;
+
 	help = nf_ct_helper_ext_add(ct, GFP_ATOMIC);
-	if (help) {
-		rcu_assign_pointer(help->helper, to_assign);
-		set_bit(IPS_HELPER_BIT, &ct->status);
+	if (!help) {
+		kfree(objname);
+		return;
 	}
+
+	help->objname = objname;
+	rcu_assign_pointer(help->helper, to_assign);
+	set_bit(IPS_HELPER_BIT, &ct->status);
 }
 
 static int nft_ct_helper_obj_dump(struct sk_buff *skb,
-- 
2.20.1

Re: [PATCH RFC nf-next 0/2] ct helper object name matching

[Florian Westphal]

Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> From nftables, existing (inconsistent) syntax can be left in place for
> backward compatibility. The new proposed syntax would more explicitly
> refer to match the user wants to do, e.g.
> 
> 	ct helper name set "ftp-21"

That would be same as 'ct helper set "ftp-21" that we use at the
moment, i.e. this generates same byte code, correct?

> 	ct helper name "ftp-21"

I see, kernel ct extension gains a pointer to the objref name.

> For NFT_CT_HELPER_TYPE (formerly NFT_CT_HELPER), syntax would be:
> 
> 	ct helper type "ftp"

That would be the 'new' name for existing 'ct helper', so same bytecode,
correct?

> It should be also possible to support for:
> 
> 	ct helper type set "ftp"

IIRC another argument for objref usage was that this won't work
with set infra.

> via implicit object, this infrastructure is missing in the kernel
> though, the idea would be to create an implicit object that is attached
> to the rule.  Such object would be released when the rule is removed.

Ah, I see.

Yes, that would work.

> Let me know.

Looks good to me.

Re: [PATCH RFC nf-next 0/2] ct helper object name matching

[Pablo Neira Ayuso]

On Tue, Mar 09, 2021 at 10:18:17PM +0100, Florian Westphal wrote:
> Pablo Neira Ayuso <pablo@netfilter.org> wrote:
> > From nftables, existing (inconsistent) syntax can be left in place for
> > backward compatibility. The new proposed syntax would more explicitly
> > refer to match the user wants to do, e.g.
> > 
> > 	ct helper name set "ftp-21"
> 
> That would be same as 'ct helper set "ftp-21" that we use at the
> moment, i.e. this generates same byte code, correct?

Yes.

> > 	ct helper name "ftp-21"
> 
> I see, kernel ct extension gains a pointer to the objref name.
> 
> > For NFT_CT_HELPER_TYPE (formerly NFT_CT_HELPER), syntax would be:
> > 
> > 	ct helper type "ftp"
> 
> That would be the 'new' name for existing 'ct helper', so same bytecode,
> correct?

Yes.

> > It should be also possible to support for:
> > 
> > 	ct helper type set "ftp"
> 
> IIRC another argument for objref usage was that this won't work
> with set infra.

Right. The (missing) implicit object support would make it fit into
the set infrastructure.

> > via implicit object, this infrastructure is missing in the kernel
> > though, the idea would be to create an implicit object that is attached
> > to the rule.  Such object would be released when the rule is removed.
> 
> Ah, I see.
> 
> Yes, that would work.
> 
> > Let me know.
> 
> Looks good to me.

Thanks for reviewing.