From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org,
pabeni@redhat.com, edumazet@google.com
Subject: [PATCH net-next 00/10] Netfilter updates for net-next
Date: Wed, 26 Oct 2022 15:22:17 +0200 [thread overview]
Message-ID: <20221026132227.3287-1-pablo@netfilter.org> (raw)
Hi,
The following patchset contains Netfilter updates for net-next:
1) Move struct nft_payload_set definition to .c file where it is
only used.
2) Shrink transport and inner header offset fields in the nft_pktinfo
structure to 16-bits, from Florian Westphal.
3) Get rid of nft_objref Kbuild toggle, make it built-in into
nf_tables. This expression is used to instantiate conntrack helpers
in nftables. After removing the conntrack helper auto-assignment
toggle it this feature became more important so move it to the nf_tables
core module. Also from Florian.
4) Extend the existing function to calculate payload inner header offset
to deal with the GRE and IPIP transport protocols.
6) Add inner expression support for nf_tables. This new expression
provides a packet parser for tunneled packets which uses a userspace
description of the expected inner headers. The inner expression
invokes the payload expression (via direct call) to match on the
inner header protocol fields using the inner link, network and
transport header offsets.
An example of the bytecode generated from userspace to match on
IP source encapsulated in a VxLAN packet:
# nft --debug=netlink add rule netdev x y udp dport 4789 vxlan ip saddr 1.2.3.4
netdev x y
[ meta load l4proto => reg 1 ]
[ cmp eq reg 1 0x00000011 ]
[ payload load 2b @ transport header + 2 => reg 1 ]
[ cmp eq reg 1 0x0000b512 ]
[ inner type vxlan hdrsize 8 flags f [ meta load protocol => reg 1 ] ]
[ cmp eq reg 1 0x00000008 ]
[ inner type vxlan hdrsize 8 flags f [ payload load 4b @ network header + 12 => reg 1 ] ]
[ cmp eq reg 1 0x04030201 ]
7) Store inner link, network and transport header offsets in percpu
area to parse inner packet header once only. Matching on a different
tunnel type invalidates existing offsets in the percpu area and it
invokes the inner tunnel parser again.
8) Add support for inner meta matching. This support for
NFTA_META_PROTOCOL, which specifies the inner ethertype, and
NFT_META_L4PROTO, which specifies the inner transport protocol.
9) Extend nft_inner to parse GENEVE optional fields to calculate the
link layer offset.
10) Update inner expression so tunnel offset points to GRE header
to normalize tunnel header handling. This also allows to perform
different interpretations of the GRE header from userspace.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next.git
Thanks.
----------------------------------------------------------------
The following changes since commit d6dd508080a3cdc0ab34ebf66c3734f2dff907ad:
bnx2: Use kmalloc_size_roundup() to match ksize() usage (2022-10-25 12:59:04 +0200)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next.git HEAD
for you to fetch changes up to 91619eb60aeccd3181d9b88975add706a9b763c1:
netfilter: nft_inner: set tunnel offset to GRE header offset (2022-10-25 13:48:42 +0200)
----------------------------------------------------------------
Florian Westphal (2):
netfilter: nf_tables: reduce nft_pktinfo by 8 bytes
netfilter: nft_objref: make it builtin
Pablo Neira Ayuso (8):
netfilter: nft_payload: move struct nft_payload_set definition where it belongs
netfilter: nft_payload: access GRE payload via inner offset
netfilter: nft_payload: access ipip payload for inner offset
netfilter: nft_inner: support for inner tunnel header matching
netfilter: nft_inner: add percpu inner context
netfilter: nft_meta: add inner match support
netfilter: nft_inner: add geneve support
netfilter: nft_inner: set tunnel offset to GRE header offset
include/net/netfilter/nf_tables.h | 10 +-
include/net/netfilter/nf_tables_core.h | 36 ++-
include/net/netfilter/nf_tables_ipv4.h | 4 +
include/net/netfilter/nf_tables_ipv6.h | 6 +-
include/net/netfilter/nft_meta.h | 6 +
include/uapi/linux/netfilter/nf_tables.h | 27 +++
net/netfilter/Kconfig | 6 -
net/netfilter/Makefile | 4 +-
net/netfilter/nf_tables_api.c | 37 +++
net/netfilter/nf_tables_core.c | 2 +
net/netfilter/nft_inner.c | 384 +++++++++++++++++++++++++++++++
net/netfilter/nft_meta.c | 62 +++++
net/netfilter/nft_objref.c | 22 +-
net/netfilter/nft_payload.c | 134 ++++++++++-
14 files changed, 695 insertions(+), 45 deletions(-)
create mode 100644 net/netfilter/nft_inner.c
next reply other threads:[~2022-10-26 13:23 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-26 13:22 Pablo Neira Ayuso [this message]
2022-10-26 13:22 ` [PATCH net-next 01/10] netfilter: nft_payload: move struct nft_payload_set definition where it belongs Pablo Neira Ayuso
2022-10-28 4:10 ` patchwork-bot+netdevbpf
2022-10-26 13:22 ` [PATCH net-next 02/10] netfilter: nf_tables: reduce nft_pktinfo by 8 bytes Pablo Neira Ayuso
2022-10-26 13:22 ` [PATCH net-next 03/10] netfilter: nft_objref: make it builtin Pablo Neira Ayuso
2022-10-26 13:22 ` [PATCH net-next 04/10] netfilter: nft_payload: access GRE payload via inner offset Pablo Neira Ayuso
2022-10-28 3:35 ` Jakub Kicinski
2022-10-26 13:22 ` [PATCH net-next 05/10] netfilter: nft_payload: access ipip payload for " Pablo Neira Ayuso
2022-10-26 13:22 ` [PATCH net-next 06/10] netfilter: nft_inner: support for inner tunnel header matching Pablo Neira Ayuso
2022-10-26 13:22 ` [PATCH net-next 07/10] netfilter: nft_inner: add percpu inner context Pablo Neira Ayuso
2022-10-26 13:22 ` [PATCH net-next 08/10] netfilter: nft_meta: add inner match support Pablo Neira Ayuso
2022-10-26 13:22 ` [PATCH net-next 09/10] netfilter: nft_inner: add geneve support Pablo Neira Ayuso
2022-10-26 13:22 ` [PATCH net-next 10/10] netfilter: nft_inner: set tunnel offset to GRE header offset Pablo Neira Ayuso
-- strict thread matches above, loose matches on Subject: below --
2023-08-22 15:43 [PATCH net-next 00/10] netfilter updates for net-next Florian Westphal
2021-08-11 8:48 [PATCH net-next 00/10] Netfilter " Pablo Neira Ayuso
2021-03-22 23:56 Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221026132227.3287-1-pablo@netfilter.org \
--to=pablo@netfilter.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).