netfilter-devel.vger.kernel.org archive mirror
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: wenxu@ucloud.cn
Cc: fw@strlen.de, netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nf-next v3 5/9] netfilter: nft_tunnel: support NFT_TUNNEL_SRC/DST_IP match
Date: Tue, 13 Aug 2019 20:19:30 +0200	[thread overview]
Message-ID: <20190813181930.ljrisiq2iszcddlk@salvia> (raw)
In-Reply-To: <1564668086-16260-6-git-send-email-wenxu@ucloud.cn>

On Thu, Aug 01, 2019 at 10:01:22PM +0800, wenxu@ucloud.cn wrote:
> From: wenxu <wenxu@ucloud.cn>
> 
> Add two new NFT_TUNNEL_SRC/DST_IP matches in nft_tunnel
> 
> Signed-off-by: wenxu <wenxu@ucloud.cn>
> ---
> v3: no change
> 
>  include/uapi/linux/netfilter/nf_tables.h |  2 ++
>  net/netfilter/nft_tunnel.c               | 46 +++++++++++++++++++++++++-------
>  2 files changed, 38 insertions(+), 10 deletions(-)
> 
> diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
> index 82abaa1..173690a 100644
> --- a/include/uapi/linux/netfilter/nf_tables.h
> +++ b/include/uapi/linux/netfilter/nf_tables.h
> @@ -1765,6 +1765,8 @@ enum nft_tunnel_key_attributes {
>  enum nft_tunnel_keys {
>  	NFT_TUNNEL_PATH,
>  	NFT_TUNNEL_ID,
> +	NFT_TUNNEL_SRC_IP,
> +	NFT_TUNNEL_DST_IP,
>  	__NFT_TUNNEL_MAX
>  };
>  #define NFT_TUNNEL_MAX	(__NFT_TUNNEL_MAX - 1)
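Review bot: the two new keys are appended after NFT_TUNNEL_ID and before __NFT_TUNNEL_MAX, so existing uapi values stay stable, but nothing in the header says what they yield or how wide they are. Since this is ABI, add a comment on each entry stating that the key loads a 32-bit IPv4 address in network byte order (e.g. `NFT_TUNNEL_SRC_IP, /* IPv4 tunnel source, network byte order */`), and choose names that leave room for an IPv6 pair next to them rather than implying these cover both families.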
> diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
> index 3d4c2ae..e218163 100644
> --- a/net/netfilter/nft_tunnel.c
> +++ b/net/netfilter/nft_tunnel.c
> @@ -18,6 +18,18 @@ struct nft_tunnel {
>  	enum nft_tunnel_mode	mode:8;
>  };
>  
> +bool nft_tunnel_mode_validate(enum nft_tunnel_mode priv_mode, u8 tun_mode)
> +{
> +	if (priv_mode == NFT_TUNNEL_MODE_NONE ||
> +	    (priv_mode == NFT_TUNNEL_MODE_RX &&
> +	     !(tun_mode & IP_TUNNEL_INFO_TX)) ||
> +	    (priv_mode == NFT_TUNNEL_MODE_TX &&
> +	     (tun_mode & IP_TUNNEL_INFO_TX)))
> +		return true;
> +
> +	return false;
> +}
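Review bot: nft_tunnel_mode_validate() is defined without `static` and no header declares it, so it becomes a global symbol and a W=1 or sparse build will flag the missing prototype; make it `static bool nft_tunnel_mode_validate(enum nft_tunnel_mode priv_mode, u8 tun_mode)` (a `static inline` is reasonable at this size) unless a later patch in the series needs it from another file, in which case add the prototype to a header. The body can also simply `return priv_mode == NFT_TUNNEL_MODE_NONE || ...;` instead of the if / return true / return false pair.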

Make an initial patch to add nft_tunnel_mode_validate().

>  static void nft_tunnel_get_eval(const struct nft_expr *expr,
>  				struct nft_regs *regs,
>  				const struct nft_pktinfo *pkt)
> @@ -34,11 +46,7 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr,
>  			nft_reg_store8(dest, false);
>  			return;
>  		}
> -		if (priv->mode == NFT_TUNNEL_MODE_NONE ||
> -		    (priv->mode == NFT_TUNNEL_MODE_RX &&
> -		     !(tun_info->mode & IP_TUNNEL_INFO_TX)) ||
> -		    (priv->mode == NFT_TUNNEL_MODE_TX &&
> -		     (tun_info->mode & IP_TUNNEL_INFO_TX)))
> +		if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
>  			nft_reg_store8(dest, true);
>  		else
>  			nft_reg_store8(dest, false);
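Review bot: with the helper in place, the if/else pair around `nft_reg_store8(dest, true)` and `nft_reg_store8(dest, false)` collapses to one line, `nft_reg_store8(dest, nft_tunnel_mode_validate(priv->mode, tun_info->mode));`, since the helper already returns the bool being stored. Behaviour is unchanged from the five removed lines, which is what a preparatory refactoring patch should say in its commit message.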
[...]
> +	case NFT_TUNNEL_DST_IP:
> +		if (!tun_info) {
> +			regs->verdict.code = NFT_BREAK;
> +			return;
> +		}
> +		if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
> +			*dest = ntohl(tun_info->key.u.ipv4.dst);

No need to convert this from network to host endianness.

> +		else
> +			regs->verdict.code = NFT_BREAK;
> +		break;
>  	default:
>  		WARN_ON(1);
>  		regs->verdict.code = NFT_BREAK;
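Review bot: `*dest = ntohl(tun_info->key.u.ipv4.dst);` stores the address in host byte order, while userspace encodes an `ipv4_addr` constant for comparison in network byte order, the same way the address loaded by `ip daddr` is compared; on a little-endian host a rule using this key would therefore never match. Store the value unconverted, `*dest = (__force u32)tun_info->key.u.ipv4.dst;`, as nft_rt does for its IPv4 next-hop register (the cast only silences sparse about assigning a __be32 to the u32 register). Note also that this case breaks the rule when mode validation fails, while the NFT_TUNNEL_PATH case further up stores false; that is fine if it mirrors the existing NFT_TUNNEL_ID handling, but it is worth spelling out in the commit message.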
> @@ -86,6 +110,8 @@ static int nft_tunnel_get_init(const struct nft_ctx *ctx,
>  		len = sizeof(u8);
>  		break;
>  	case NFT_TUNNEL_ID:
> +	case NFT_TUNNEL_SRC_IP:
> +	case NFT_TUNNEL_DST_IP:
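Review bot: folding NFT_TUNNEL_SRC_IP and NFT_TUNNEL_DST_IP into the NFT_TUNNEL_ID branch of nft_tunnel_get_init() reuses that branch's register length, which is right for a 32-bit IPv4 address, but this switch is the only validation of the key visible in the patch; make sure the default branch still rejects unknown NFTA_TUNNEL_KEY values with an error, and extend nft_tunnel_key_policy with the matching entries so the new keys are accepted consistently at parse time rather than only here. The IPv4-only width also belongs in the commit message.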

Missing policy updates, ie. nft_tunnel_key_policy.

I would take an initial patchset with two patches to add support for
this to the tunnel extension.

IPv6 is missing though, you could add it too to this patchset so this
becomes a patchset composed of three patches, I'd suggest.
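The byte-order point raised above, as an added user-space example (not code from the patch or from the netfilter tree): it models the NFT_TUNNEL_DST_IP register load in both the submitted form (with ntohl()) and the form the review asks for (store the __be32 unchanged), then compares the register against a constant encoded the way userspace encodes an ipv4_addr. The names tun_info, tunnel_mode_validate, TUN_INFO_TX and the sample addresses are local stand-ins and constructed input, not kernel identifiers.

```c
#include <arpa/inet.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Stand-in for the kernel's IP_TUNNEL_INFO_TX flag; the bit value is an
 * assumption, only "set or clear" matters to the mode check. */
#define TUN_INFO_TX 0x01

/* Stand-in for enum nft_tunnel_mode (NONE/RX/TX). */
enum tunnel_mode { MODE_NONE, MODE_RX, MODE_TX };

/* Stand-in for the ip_tunnel_info fields the patch reads; dst is kept in
 * network byte order because key.u.ipv4.dst is a __be32 in the kernel. */
struct tun_info {
	uint8_t mode;
	uint32_t dst_be32;
};

/* Same predicate as the patch's nft_tunnel_mode_validate(). */
static bool tunnel_mode_validate(enum tunnel_mode priv_mode, uint8_t tun_mode)
{
	return priv_mode == MODE_NONE ||
	       (priv_mode == MODE_RX && !(tun_mode & TUN_INFO_TX)) ||
	       (priv_mode == MODE_TX && (tun_mode & TUN_INFO_TX));
}

typedef bool (*load_fn)(const struct tun_info *, enum tunnel_mode, uint32_t *);

/* Register load as submitted: byte-swaps into host order.
 * Returns false where the kernel code would set NFT_BREAK. */
static bool load_dst_ntohl(const struct tun_info *ti, enum tunnel_mode mode,
			   uint32_t *reg)
{
	if (!ti || !tunnel_mode_validate(mode, ti->mode))
		return false;
	*reg = ntohl(ti->dst_be32);
	return true;
}

/* Register load as the review asks: keep the __be32 untouched. */
static bool load_dst_raw(const struct tun_info *ti, enum tunnel_mode mode,
			 uint32_t *reg)
{
	if (!ti || !tunnel_mode_validate(mode, ti->mode))
		return false;
	*reg = ti->dst_be32;
	return true;
}

/* How userspace hands an ipv4_addr constant to the kernel: the four address
 * bytes in wire order, i.e. network byte order. */
static uint32_t ipv4_constant(const char *dotted)
{
	struct in_addr a = { 0 };

	if (inet_pton(AF_INET, dotted, &a) != 1)
		return 0;
	return a.s_addr;
}

/* Evaluate "tunnel destination == rule_dst" for a packet whose tunnel metadata
 * carries tunnel_dst. Returns 1 on match, 0 on mismatch, -1 when the rule
 * would break (mode rejects this metadata). */
static int dst_matches(load_fn load, enum tunnel_mode mode, uint8_t tun_mode,
		       const char *tunnel_dst, const char *rule_dst)
{
	struct tun_info ti = { .mode = tun_mode, .dst_be32 = ipv4_constant(tunnel_dst) };
	uint32_t reg = 0;

	if (!load(&ti, mode, &reg))
		return -1;
	return reg == ipv4_constant(rule_dst);
}

int main(void)
{
	/* Constructed sample: tx-side metadata to 10.0.0.2, rule for 10.0.0.2. */
	printf("raw store, mode none:       %d\n",
	       dst_matches(load_dst_raw, MODE_NONE, TUN_INFO_TX, "10.0.0.2", "10.0.0.2"));
	printf("ntohl store, mode none:     %d (0 on little-endian hosts)\n",
	       dst_matches(load_dst_ntohl, MODE_NONE, TUN_INFO_TX, "10.0.0.2", "10.0.0.2"));
	printf("raw store, rx rule, tx meta: %d\n",
	       dst_matches(load_dst_raw, MODE_RX, TUN_INFO_TX, "10.0.0.2", "10.0.0.2"));
	return 0;
}
```

On a big-endian host ntohl() is the identity and both loads agree, which is why the bug is easy to miss on such a machine; on x86 and most arm64 deployments the submitted form compares a swapped value against the wire-order constant and the rule never hits.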


Thread overview: 22+ messages
2019-08-01 14:01 [PATCH nf-next v3 0/9] netfilter: nf_tables_offload: support more expr and obj offload wenxu
2019-08-01 14:01 ` [PATCH nf-next v3 1/9] netfilter: nf_flow_offload: add net in offload_ctx wenxu
2019-08-01 14:01 ` [PATCH nf-next v3 2/9] netfilter: nf_tables_offload: add offload_actions callback wenxu
2019-08-01 14:01 ` [PATCH nf-next v3 3/9] netfilter: nft_fwd_netdev: add fw_netdev action support wenxu
2019-08-07 12:15   ` kbuild test robot
2019-08-08  6:06     ` wenxu
2019-08-01 14:01 ` [PATCH nf-next v3 4/9] netfilter: nft_payload: add nft_set_payload offload support wenxu
2019-08-07 12:18   ` kbuild test robot
2019-08-08  6:07     ` wenxu
2019-08-01 14:01 ` [PATCH nf-next v3 5/9] netfilter: nft_tunnel: support NFT_TUNNEL_SRC/DST_IP match wenxu
2019-08-13 18:19   ` Pablo Neira Ayuso [this message]
2019-08-14  7:54     ` wenxu
2019-08-14  8:00       ` Pablo Neira Ayuso
2019-08-14  8:19         ` Pablo Neira Ayuso
2019-08-14  8:28           ` wenxu
2019-08-14  9:17             ` Pablo Neira Ayuso
2019-08-14  8:22         ` wenxu
2019-08-01 14:01 ` [PATCH nf-next v3 6/9] netfilter: nft_tunnel: support tunnel meta match offload wenxu
2019-08-01 14:01 ` [PATCH nf-next v3 7/9] netfilter: nft_tunnel: add NFTA_TUNNEL_KEY_RELEASE action wenxu
2019-08-01 14:01 ` [PATCH nf-next v3 8/9] netfilter: nft_objref: add nft_objref_type offload wenxu
2019-08-01 14:01 ` [PATCH nf-next v3 9/9] netfilter: nft_tunnel: support nft_tunnel_obj offload wenxu
2019-08-13 10:58 ` [PATCH nf-next v3 0/9] netfilter: nf_tables_offload: support more expr and obj offload wenxu
