* [RFC] l2tp for nftables
@ 2016-07-24 17:25 Pablo Neira Ayuso
  2016-07-24 17:30 ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2016-07-24 17:25 UTC (permalink / raw)
  To: James Chapman; +Cc: netfilter-devel

Hi James,

I'm looking at what is missing to add l2tp to nftables; after a quick
glance, this is what I found.

The L2TPv3 over IP (after quick reading of the RFC) seems easy to add.
I'm attaching a patch for the header layout definition (still parser
side is missing, so this patch is incomplete).

For L2TP over UDP, we need more infrastructure to match based on the
content of UDP tunnels. I think the port should be one of the keys to
look up the possible protocol there; I can see 1701 is the L2TP
port. Then, we can add a definition to match the L2TP_HDR_T_BIT and
the version. On top of that, the sid and tid fields depend on the
version number, so we need to have a way to register different
interpretations based on the type, that should be possible from the
evaluation phase (just after the parsing). Thus, the design changes
with regard to xt_l2tp since in nft, the user will explicitly specify
which L2TP over UDP protocol version to match (in xt_l2tp this
happens transparently to the user, at runtime in the packet path).

Does this assessment look correct to you?

Thanks!


* Re: [RFC] l2tp for nftables
  2016-07-24 17:25 [RFC] l2tp for nftables Pablo Neira Ayuso
@ 2016-07-24 17:30 ` Pablo Neira Ayuso
From: Pablo Neira Ayuso @ 2016-07-24 17:30 UTC (permalink / raw)
  To: James Chapman; +Cc: netfilter-devel

[-- Attachment #1: Type: text/plain, Size: 399 bytes --]

On Sun, Jul 24, 2016 at 07:25:30PM +0200, Pablo Neira Ayuso wrote:
> Hi James,
> 
> I'm looking what is missing to add l2tp for nftables, after a quick
> glance this is what I found.
> 
> The L2TPv3 over IP (after quick reading of the RFC) seems easy to add.
> I'm attaching a patch for the header layout definition (still parser
> side is missing, so this patch is incomplete).

Forgot attachment.

[-- Attachment #2: 0001-add-l2tp.patch --]
[-- Type: text/x-diff, Size: 3206 bytes --]

>From 33da2458d250cedb8e2f1bded636e2fcec86c7b5 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Sun, 24 Jul 2016 19:10:02 +0200
Subject: [PATCH] proto: add support l2tp protocol

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
Patch incomplete, parser side is missing.

 include/headers.h | 15 +++++++++++++++
 include/proto.h   | 11 +++++++++++
 src/proto.c       | 23 +++++++++++++++++++++++
 3 files changed, 49 insertions(+)

diff --git a/include/headers.h b/include/headers.h
index 469d674..8faff26 100644
--- a/include/headers.h
+++ b/include/headers.h
@@ -130,4 +130,19 @@ struct ip6_mh {
 /* RFC 5142 */
 #define IP6_MH_TYPE_HASM	12	/* Home Agent Switch Message	*/
 
+struct l2tphdr {
+	uint32_t	sid;
+	uint16_t	flags:12,
+			ver:4;
+	uint16_t	length;
+	uint32_t	cid;
+	uint16_t	ns;
+	uint16_t	nr;
+};
+
+/* RFC 3931 */
+#ifndef IPPROTO_L2TP
+# define IPPROTO_L2TP		115
+#endif
+
 #endif /* NFTABLES_HEADERS_H */
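Review bot: The layout in `struct l2tphdr` describes only an L2TPv3 control message over IP (RFC 3931 section 4.1.2.1: a zero session id, then the T/L/S flags and Ver word, Length, Control Connection ID, Ns, Nr); a data message carries an optional cookie directly after `sid`, so on data packets the members after `sid` are not header fields and a match on them reads cookie or payload bytes. The header should say so, e.g. `/* RFC 3931 4.1.2.1: L2TPv3-over-IP control message header; data messages (sid != 0) carry a cookie after sid instead */`, so that the parser added later knows `sid == 0` is the condition under which the remaining fields exist. Separately, `flags:12, ver:4` is a C bit-field whose bit placement is implementation-defined; the templates in src/proto.c address these bits by explicit bit offset rather than through the struct, so the struct would be clearer as a single `uint16_t flags_ver;` with the 12/4 split documented in a comment.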
diff --git a/include/proto.h b/include/proto.h
index 4fa54a7..dc250e6 100644
--- a/include/proto.h
+++ b/include/proto.h
@@ -293,6 +293,16 @@ enum sctp_hdr_fields {
 	SCTPHDR_CHECKSUM,
 };
 
+enum l2tp_hdr_fields {
+	L2TPHDR_SID,
+	L2TPHDR_FLAGS,
+	L2TPHDR_VERSION,
+	L2TPHDR_LENGTH,
+	L2TPHDR_CID,
+	L2TPHDR_NS,
+	L2TPHDR_NR,
+};
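Review bot: `enum l2tp_hdr_fields` starts at `L2TPHDR_SID`, whereas the other `*_hdr_fields` enums in this header open with an `*_INVALID` member that reserves template index 0 (only the tail of `enum sctp_hdr_fields` is visible in the hunk, so this is inferred from the file's convention; confirm against the definitions above it). If index 0 is reserved, `sid` lands in that slot and the `[L2TPHDR_SID]` entry of `proto_l2tp.templates` in src/proto.c is the one that gets treated as no field. Add `L2TPHDR_INVALID,` as the first enumerator, before `L2TPHDR_SID,`.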
+
 extern const struct proto_desc proto_icmp;
 extern const struct proto_desc proto_ah;
 extern const struct proto_desc proto_esp;
@@ -303,6 +313,7 @@ extern const struct proto_desc proto_tcp;
 extern const struct proto_desc proto_dccp;
 extern const struct proto_desc proto_sctp;
 extern const struct proto_desc proto_icmp6;
+extern const struct proto_desc proto_l2tp;
 
 extern const struct proto_desc proto_ip;
 extern const struct proto_desc proto_ip6;
diff --git a/src/proto.c b/src/proto.c
index 4c12977..1ee128b 100644
--- a/src/proto.c
+++ b/src/proto.c
@@ -508,6 +508,27 @@ const struct proto_desc proto_sctp = {
 };
 
 /*
+ * L2TPv3 (RFC3931)
+ */
+
+#define L2TPHDR_FIELD(__name, __member) \
+	HDR_FIELD(__name, struct l2tphdr, __member)
+
+const struct proto_desc proto_l2tp = {
+	.name		= "l2tp",
+	.base		= PROTO_BASE_TRANSPORT_HDR,
+	.templates	= {
+		[L2TPHDR_SID]		= L2TPHDR_FIELD("sid", sid),
+		[L2TPHDR_FLAGS]		= HDR_BITFIELD("flags", &integer_type, 32, 44),
+		[L2TPHDR_VERSION]	= HDR_BITFIELD("version", &integer_type, 44, 48),
+		[L2TPHDR_LENGTH]	= L2TPHDR_FIELD("length", length),
+		[L2TPHDR_CID]		= L2TPHDR_FIELD("cid", cid),
+		[L2TPHDR_NS]		= L2TPHDR_FIELD("ns", ns),
+		[L2TPHDR_NR]		= L2TPHDR_FIELD("nr", nr),
+	},
+};
+
+/*
  * IPv4
  */
 
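Review bot: The two `HDR_BITFIELD` templates for `flags` and `version` pass what read as (start bit, end bit) pairs, `32, 44` and `44, 48`, while the other templates in this file use the macro's last two arguments as (bit offset, bit length) — the visible `version` templates at `0, 4` fit either reading, so confirm against the `HDR_BITFIELD` definition in include/proto.h. If the arguments are offset and length, `flags` becomes a 44-bit field and `version` a 48-bit field starting at bit 44, both running well past the 16-bit flags/version word and into the following fields; the intended lines are `[L2TPHDR_FLAGS] = HDR_BITFIELD("flags", &integer_type, 32, 12),` and `[L2TPHDR_VERSION] = HDR_BITFIELD("version", &integer_type, 44, 4),`. The `L2TPv3 (RFC3931)` comment would also help a reader if it named the exact section the offsets were taken from, e.g. `L2TPv3 over IP control message header (RFC 3931, section 4.1.2.1)`.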
@@ -593,6 +614,7 @@ const struct proto_desc proto_ip = {
 		PROTO_LINK(IPPROTO_TCP,		&proto_tcp),
 		PROTO_LINK(IPPROTO_DCCP,	&proto_dccp),
 		PROTO_LINK(IPPROTO_SCTP,	&proto_sctp),
+		PROTO_LINK(IPPROTO_L2TP,	&proto_l2tp),
 	},
 	.templates	= {
 		[IPHDR_VERSION]		= HDR_BITFIELD("version", &integer_type, 0, 4),
@@ -701,6 +723,7 @@ const struct proto_desc proto_ip6 = {
 		PROTO_LINK(IPPROTO_DCCP,	&proto_dccp),
 		PROTO_LINK(IPPROTO_SCTP,	&proto_sctp),
 		PROTO_LINK(IPPROTO_ICMPV6,	&proto_icmp6),
+		PROTO_LINK(IPPROTO_L2TP,	&proto_l2tp),
 	},
 	.templates	= {
 		[IP6HDR_VERSION]	= HDR_BITFIELD("version", &integer_type, 0, 4),
-- 
2.1.4


