1 | office | 1 | From: Florian Westphal <fw@strlen.de> |
2 | Date: Wed, 6 Dec 2017 16:18:16 +0100 |
||
3 | Subject: [PATCH] netfilter: meta: secpath support |
||
4 | |||
5 | replacement for iptables "-m policy --dir in --policy {ipsec,none}". |
||
6 | |||
7 | Signed-off-by: Florian Westphal <fw@strlen.de> |
||
8 | Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
||
9 | --- |
||
10 | |||
11 | --- a/include/uapi/linux/netfilter/nf_tables.h |
||
12 | +++ b/include/uapi/linux/netfilter/nf_tables.h |
||
13 | @@ -777,6 +777,7 @@ enum nft_exthdr_attributes { |
||
14 | * @NFT_META_OIFGROUP: packet output interface group |
||
15 | * @NFT_META_CGROUP: socket control group (skb->sk->sk_classid) |
||
16 | * @NFT_META_PRANDOM: a 32bit pseudo-random number |
||
17 | + * @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp) |
||
18 | */ |
||
19 | enum nft_meta_keys { |
||
20 | NFT_META_LEN, |
||
21 | @@ -804,6 +805,7 @@ enum nft_meta_keys { |
||
22 | NFT_META_OIFGROUP, |
||
23 | NFT_META_CGROUP, |
||
24 | NFT_META_PRANDOM, |
||
25 | + NFT_META_SECPATH, |
||
26 | }; |
||
27 | |||
28 | /** |
||
29 | --- a/net/netfilter/nft_meta.c |
||
30 | +++ b/net/netfilter/nft_meta.c |
||
31 | @@ -210,6 +210,11 @@ void nft_meta_get_eval(const struct nft_ |
||
32 | *dest = prandom_u32_state(state); |
||
33 | break; |
||
34 | } |
||
35 | +#ifdef CONFIG_XFRM |
||
36 | + case NFT_META_SECPATH: |
||
37 | + nft_reg_store8(dest, !!skb->sp); |
||
38 | + break; |
||
39 | +#endif |
||
40 | default: |
||
41 | WARN_ON(1); |
||
42 | goto err; |
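Review bot: `nft_reg_store8(dest, !!skb->sp);` reads the secpath with nothing at the use site saying that it is only populated on the receive path; the patch enforces that elsewhere through nft_meta_get_validate, but a reader of this switch arm cannot see the dependency. A short comment on the new case, `/* secpath is set by xfrm input; hook placement is enforced by nft_meta_get_validate */`, would tie the two together. nft_meta_get_eval begins and ends outside the hunk.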
||
43 | @@ -310,6 +315,11 @@ int nft_meta_get_init(const struct nft_c |
||
44 | prandom_init_once(&nft_prandom_state); |
||
45 | len = sizeof(u32); |
||
46 | break; |
||
47 | +#ifdef CONFIG_XFRM |
||
48 | + case NFT_META_SECPATH: |
||
49 | + len = sizeof(u8); |
||
50 | + break; |
||
51 | +#endif |
||
52 | default: |
||
53 | return -EOPNOTSUPP; |
||
54 | } |
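Review bot: On a kernel built without CONFIG_XFRM the new key falls through to `default: return -EOPNOTSUPP;`, the same error a kernel returns for a key it has never heard of, while the uapi header in the first two hunks exports NFT_META_SECPATH unconditionally, so userspace cannot tell a missing feature from a too-old kernel. Rejecting the key rather than silently storing zero is the right choice, and it also keeps the `WARN_ON(1)` path in nft_meta_get_eval unreachable, but the reasoning deserves a comment on the `#ifdef`, e.g. `/* no secpath without xfrm: reject the key instead of reporting a bogus "none" */`. nft_meta_get_init starts and ends outside the hunk.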
||
55 | @@ -320,6 +330,38 @@ int nft_meta_get_init(const struct nft_c |
||
56 | } |
||
57 | EXPORT_SYMBOL_GPL(nft_meta_get_init); |
||
58 | |||
59 | +static int nft_meta_get_validate(const struct nft_ctx *ctx, |
||
60 | + const struct nft_expr *expr, |
||
61 | + const struct nft_data **data) |
||
62 | +{ |
||
63 | +#ifdef CONFIG_XFRM |
||
64 | + const struct nft_meta *priv = nft_expr_priv(expr); |
||
65 | + unsigned int hooks; |
||
66 | + |
||
67 | + if (priv->key != NFT_META_SECPATH) |
||
68 | + return 0; |
||
69 | + |
||
70 | + switch (ctx->afi->family) { |
||
71 | + case NFPROTO_NETDEV: |
||
72 | + hooks = 1 << NF_NETDEV_INGRESS; |
||
73 | + break; |
||
74 | + case NFPROTO_IPV4: |
||
75 | + case NFPROTO_IPV6: |
||
76 | + case NFPROTO_INET: |
||
77 | + hooks = (1 << NF_INET_PRE_ROUTING) | |
||
78 | + (1 << NF_INET_LOCAL_IN) | |
||
79 | + (1 << NF_INET_FORWARD); |
||
80 | + break; |
||
81 | + default: |
||
82 | + return -EOPNOTSUPP; |
||
83 | + } |
||
84 | + |
||
85 | + return nft_chain_validate_hooks(ctx->chain, hooks); |
||
86 | +#else |
||
87 | + return 0; |
||
88 | +#endif |
||
89 | +} |
||
90 | + |
||
91 | int nft_meta_set_validate(const struct nft_ctx *ctx, |
||
92 | const struct nft_expr *expr, |
||
93 | const struct nft_data **data) |
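Review bot: nft_meta_get_validate limits NFT_META_SECPATH to ingress, prerouting, input and forward hooks without a comment saying why, and the code alone does not make it obvious; the commit message frames the key as a replacement for `-m policy --dir in`, i.e. the secpath records inbound IPsec processing, so on output or postrouting hooks `!!skb->sp` would not answer the question the rule is asking. A header comment such as `/* secpath only describes received packets; refuse the key on output-side hooks */` above the function would document that, and the `-EOPNOTSUPP` for other families (bridge, arp) could be named in the same comment. The `#else` branch returning 0 is safe only because nft_meta_get_init rejects the key when CONFIG_XFRM is off; that coupling is worth one line as well.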
||
94 | @@ -436,6 +478,7 @@ static const struct nft_expr_ops nft_met |
||
95 | .eval = nft_meta_get_eval, |
||
96 | .init = nft_meta_get_init, |
||
97 | .dump = nft_meta_get_dump, |
||
98 | + .validate = nft_meta_get_validate, |
||
99 | }; |
||
100 | |||
101 | static const struct nft_expr_ops nft_meta_set_ops = { |