From: Alvaro Neira Ayuso <alvaroneay@gmail.com>
To: netfilter-devel@vger.kernel.org
Subject: [PATCH nf 2/2 v4] bridge: set the pktinfo for IPv4/IPv6 traffic
Date: Wed, 26 Nov 2014 10:21:37 +0100
Message-ID: <1416993697-18285-2-git-send-email-alvaroneay@gmail.com>
In-Reply-To: <1416993697-18285-1-git-send-email-alvaroneay@gmail.com>
This patch adds the missing bits to allow matching on meta l4proto from
the bridge. Example:
nft add rule bridge filter input ether type {ip, ip6} meta l4proto udp counter
Signed-off-by: Alvaro Neira Ayuso <alvaroneay@gmail.com>
---
[changes in v4]
* refactor the code in two functions nft_bridge_set_pktinfo_ipv*
net/bridge/netfilter/nf_tables_bridge.c | 42 ++++++++++++++++++++++++++++++-
1 file changed, 41 insertions(+), 1 deletion(-)
diff --git a/net/bridge/netfilter/nf_tables_bridge.c b/net/bridge/netfilter/nf_tables_bridge.c
index d468c19..32341fd 100644
--- a/net/bridge/netfilter/nf_tables_bridge.c
+++ b/net/bridge/netfilter/nf_tables_bridge.c
@@ -16,6 +16,8 @@
#include <net/netfilter/nf_tables_bridge.h>
#include <linux/ip.h>
#include <linux/ipv6.h>
+#include <net/netfilter/nf_tables_ipv4.h>
+#include <net/netfilter/nf_tables_ipv6.h>
int nft_bridge_iphdr_validate(struct sk_buff *skb)
{
@@ -62,6 +64,34 @@ int nft_bridge_ip6hdr_validate(struct sk_buff *skb)
}
EXPORT_SYMBOL_GPL(nft_bridge_ip6hdr_validate);
+static inline int nft_bridge_set_pktinfo_ipv4(struct nft_pktinfo *pkt,
+ const struct nf_hook_ops *ops,
+ struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out)
+{
+ if (!nft_bridge_iphdr_validate(skb))
+ nft_set_pktinfo(pkt, ops, skb, in, out);
+ else
+ nft_set_pktinfo_ipv4(pkt, ops, skb, in, out);
+
+ return 0;
+}
+
+static inline int nft_bridge_set_pktinfo_ipv6(struct nft_pktinfo *pkt,
+ const struct nf_hook_ops *ops,
+ struct sk_buff *skb,
+ const struct net_device *in,
+ const struct net_device *out)
+{
+#if IS_ENABLED(CONFIG_IPV6)
+ if (nft_bridge_ip6hdr_validate(skb) &&
+ nft_set_pktinfo_ipv6(pkt, ops, skb, in, out) == 0)
+ return 1;
+#endif
+ return 0;
+}
+
static unsigned int
nft_do_chain_bridge(const struct nf_hook_ops *ops,
struct sk_buff *skb,
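Review bot: the two new helpers use different return conventions, which makes the caller harder to read than it needs to be. nft_bridge_set_pktinfo_ipv4() always returns 0 and that value is never checked, while nft_bridge_set_pktinfo_ipv6() returns 1 only when nft_bridge_ip6hdr_validate() succeeds and nft_set_pktinfo_ipv6() returns 0, and 0 otherwise (including when CONFIG_IPV6 is disabled, in which case pkt is left untouched). Consider giving both the same contract, e.g. a bool meaning "the L3-specific pktinfo was set", and moving the plain nft_set_pktinfo() fallback out of the IPv4 helper so that the fallback lives in one place; the IPv4 helper body would then be `if (!nft_bridge_iphdr_validate(skb)) return false;` / `nft_set_pktinfo_ipv4(pkt, ops, skb, in, out);` / `return true;`. A short comment saying that frames whose IPv4/IPv6 header fails validation get only the L2 pktinfo would also help, since that decides what the l4proto match sees for them. The `static inline` on functions of this size is not needed either; `static` is enough and lets the compiler decide.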
@@ -71,7 +101,17 @@ nft_do_chain_bridge(const struct nf_hook_ops *ops,
{
struct nft_pktinfo pkt;
- nft_set_pktinfo(&pkt, ops, skb, in, out);
+ switch (eth_hdr(skb)->h_proto) {
+ case htons(ETH_P_IP):
+ nft_bridge_set_pktinfo_ipv4(&pkt, ops, skb, in, out);
+ break;
+ case htons(ETH_P_IPV6):
+ if (nft_bridge_set_pktinfo_ipv6(&pkt, ops, skb, in, out) > 0)
+ break;
+ default:
+ nft_set_pktinfo(&pkt, ops, skb, in, out);
+ break;
+ }
return nft_do_chain(&pkt, ops);
}
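Review bot: the `case htons(ETH_P_IPV6):` branch falls through into `default:` whenever nft_bridge_set_pktinfo_ipv6() returns 0, and that fall-through is intentional but unmarked; add a `/* fall through */` comment after the inner `break;` so it is not mistaken for a missing break and does not trip fall-through warnings. The IPv4 and IPv6 cases also handle the fallback asymmetrically: IPv4 falls back to nft_set_pktinfo() inside its helper, IPv6 via the switch. If both helpers reported success the same way, both cases could read `if (nft_bridge_set_pktinfo_ipv4(&pkt, ops, skb, in, out)) break;` followed by the same marked fall-through to `default:`, which makes the L2-only fallback explicit for both protocols in one place.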
--
1.7.10.4
2014-11-26 9:21 [PATCH nf 1/2 v4] bridge: export nft_reject_ip*hdr_validate functions Alvaro Neira Ayuso
2014-11-26 9:21 ` Alvaro Neira Ayuso [this message]
2014-11-27 11:59 ` [PATCH nf 2/2 v4] bridge: set the pktinfo for IPv4/IPv6 traffic Pablo Neira Ayuso
2014-11-27 11:59 ` [PATCH nf 1/2 v4] bridge: export nft_reject_ip*hdr_validate functions Pablo Neira Ayuso