* [PATCH] netfilter: nft_ct: add notrack support
@ 2016-10-20 16:07 Pablo Neira Ayuso
2016-10-20 16:07 ` [PATCH libnftnl] src: add notrack expression Pablo Neira Ayuso
2016-10-20 16:07 ` [PATCH nft] src: add notrack support Pablo Neira Ayuso
0 siblings, 2 replies; 3+ messages in thread
From: Pablo Neira Ayuso @ 2016-10-20 16:07 UTC (permalink / raw)
To: netfilter-devel
This patch adds notrack support.
I decided to add a new expression, given that this doesn't fit into the
existing set operation. Notrack doesn't need a source register, and an
hypothetical NFT_CT_NOTRACK key makes no sense since matching the
untracked state is done through NFT_CT_STATE.
I'm placing this new notrack expression into nft_ct.c, I think a single
module is too much.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nft_ct.c | 50 +++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 49 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index d7b0d171172a..6837348c8993 100644
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c
@@ -1,5 +1,6 @@
/*
* Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
+ * Copyright (c) 2016 Pablo Neira Ayuso <pablo@netfilter.org>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
@@ -518,15 +519,61 @@ static struct nft_expr_type nft_ct_type __read_mostly = {
.owner = THIS_MODULE,
};
+static void nft_notrack_eval(const struct nft_expr *expr,
+ struct nft_regs *regs,
+ const struct nft_pktinfo *pkt)
+{
+ struct sk_buff *skb = pkt->skb;
+ enum ip_conntrack_info ctinfo;
+ struct nf_conn *ct;
+
+ ct = nf_ct_get(pkt->skb, &ctinfo);
+ /* Previously seen (loopback or untracked)? Ignore. */
+ if (ct)
+ return;
+
+ ct = nf_ct_untracked_get();
+ atomic_inc(&ct->ct_general.use);
+ skb->nfct = &ct->ct_general;
+ skb->nfctinfo = IP_CT_NEW;
+}
+
+static struct nft_expr_type nft_notrack_type;
+static const struct nft_expr_ops nft_notrack_ops = {
+ .type = &nft_notrack_type,
+ .size = NFT_EXPR_SIZE(0),
+ .eval = nft_notrack_eval,
+};
+
+static struct nft_expr_type nft_notrack_type __read_mostly = {
+ .name = "notrack",
+ .ops = &nft_notrack_ops,
+ .owner = THIS_MODULE,
+};
+
static int __init nft_ct_module_init(void)
{
+ int err;
+
BUILD_BUG_ON(NF_CT_LABELS_MAX_SIZE > NFT_REG_SIZE);
- return nft_register_expr(&nft_ct_type);
+ err = nft_register_expr(&nft_ct_type);
+ if (err < 0)
+ return err;
+
+ err = nft_register_expr(&nft_notrack_type);
+ if (err < 0)
+ goto err1;
+
+ return 0;
+err1:
+ nft_unregister_expr(&nft_ct_type);
+ return err;
}
static void __exit nft_ct_module_exit(void)
{
+ nft_unregister_expr(&nft_notrack_type);
nft_unregister_expr(&nft_ct_type);
}
@@ -536,3 +583,4 @@ module_exit(nft_ct_module_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_ALIAS_NFT_EXPR("ct");
+MODULE_ALIAS_NFT_EXPR("notrack");
--
2.1.4
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH libnftnl] src: add notrack expression
2016-10-20 16:07 [PATCH] netfilter: nft_ct: add notrack support Pablo Neira Ayuso
@ 2016-10-20 16:07 ` Pablo Neira Ayuso
2016-10-20 16:07 ` [PATCH nft] src: add notrack support Pablo Neira Ayuso
1 sibling, 0 replies; 3+ messages in thread
From: Pablo Neira Ayuso @ 2016-10-20 16:07 UTC (permalink / raw)
To: netfilter-devel
Register this simple expression with no attributes. Make sure libnftnl
doesn't crash when no build and parse indirections are defined, as it
is the case for this expression.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
src/expr.c | 7 +++++--
src/expr_ops.c | 5 +++++
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/src/expr.c b/src/expr.c
index 51413ab70397..2779b3c42217 100644
--- a/src/expr.c
+++ b/src/expr.c
@@ -213,13 +213,15 @@ bool nftnl_expr_cmp(const struct nftnl_expr *e1, const struct nftnl_expr *e2)
}
EXPORT_SYMBOL(nftnl_expr_cmp);
-void
-nftnl_expr_build_payload(struct nlmsghdr *nlh, struct nftnl_expr *expr)
+void nftnl_expr_build_payload(struct nlmsghdr *nlh, struct nftnl_expr *expr)
{
struct nlattr *nest;
mnl_attr_put_strz(nlh, NFTA_EXPR_NAME, expr->ops->name);
+ if (!expr->ops->build)
+ return;
+
nest = mnl_attr_nest_start(nlh, NFTA_EXPR_DATA);
expr->ops->build(nlh, expr);
mnl_attr_nest_end(nlh, nest);
@@ -261,6 +263,7 @@ struct nftnl_expr *nftnl_expr_parse(struct nlattr *attr)
goto err1;
if (tb[NFTA_EXPR_DATA] &&
+ expr->ops->parse &&
expr->ops->parse(expr, tb[NFTA_EXPR_DATA]) < 0)
goto err2;
diff --git a/src/expr_ops.c b/src/expr_ops.c
index 55748d64989a..96b1f8df9d3b 100644
--- a/src/expr_ops.c
+++ b/src/expr_ops.c
@@ -31,6 +31,10 @@ extern struct expr_ops expr_ops_target;
extern struct expr_ops expr_ops_dynset;
extern struct expr_ops expr_ops_hash;
+static struct expr_ops expr_ops_notrack = {
+ .name = "notrack",
+};
+
static struct expr_ops *expr_ops[] = {
&expr_ops_bitwise,
&expr_ops_byteorder,
@@ -49,6 +53,7 @@ static struct expr_ops *expr_ops[] = {
&expr_ops_meta,
&expr_ops_ng,
&expr_ops_nat,
+ &expr_ops_notrack,
&expr_ops_payload,
&expr_ops_range,
&expr_ops_redir,
--
2.1.4
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [PATCH nft] src: add notrack support
2016-10-20 16:07 [PATCH] netfilter: nft_ct: add notrack support Pablo Neira Ayuso
2016-10-20 16:07 ` [PATCH libnftnl] src: add notrack expression Pablo Neira Ayuso
@ 2016-10-20 16:07 ` Pablo Neira Ayuso
1 sibling, 0 replies; 3+ messages in thread
From: Pablo Neira Ayuso @ 2016-10-20 16:07 UTC (permalink / raw)
To: netfilter-devel
This patch adds the notrack statement, to skip connection tracking for
certain packets.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/ct.h | 3 +++
include/statement.h | 2 ++
src/ct.c | 16 ++++++++++++++++
src/evaluate.c | 1 +
src/netlink_delinearize.c | 8 ++++++++
src/netlink_linearize.c | 11 +++++++++++
src/parser_bison.y | 6 ++++++
src/scanner.l | 2 ++
8 files changed, 49 insertions(+)
diff --git a/include/ct.h b/include/ct.h
index 945fcc4d829d..8c006588ef3b 100644
--- a/include/ct.h
+++ b/include/ct.h
@@ -29,4 +29,7 @@ extern void ct_expr_update_type(struct proto_ctx *ctx, struct expr *expr);
extern struct error_record *ct_dir_parse(const struct location *loc,
const char *str, int8_t *dir);
+
+extern struct stmt *notrack_stmt_alloc(const struct location *loc);
+
#endif /* NFTABLES_CT_H */
diff --git a/include/statement.h b/include/statement.h
index e278b70637c4..fe83717f0697 100644
--- a/include/statement.h
+++ b/include/statement.h
@@ -208,6 +208,7 @@ extern struct stmt *xt_stmt_alloc(const struct location *loc);
* @STMT_FWD: forward statement
* @STMT_XT: XT statement
* @STMT_QUOTA: quota statement
+ * @STMT_NOTRACK: notrack statement
*/
enum stmt_types {
STMT_INVALID,
@@ -230,6 +231,7 @@ enum stmt_types {
STMT_FWD,
STMT_XT,
STMT_QUOTA,
+ STMT_NOTRACK,
};
/**
diff --git a/src/ct.c b/src/ct.c
index a68293896ed6..a05cb0bdec42 100644
--- a/src/ct.c
+++ b/src/ct.c
@@ -379,6 +379,22 @@ struct stmt *ct_stmt_alloc(const struct location *loc, enum nft_ct_keys key,
return stmt;
}
+static void notrack_stmt_print(const struct stmt *stmt)
+{
+ printf("notrack");
+}
+
+static const struct stmt_ops notrack_stmt_ops = {
+ .type = STMT_NOTRACK,
+ .name = "notrack",
+ .print = notrack_stmt_print,
+};
+
+struct stmt *notrack_stmt_alloc(const struct location *loc)
+{
+ return stmt_alloc(loc, ¬rack_stmt_ops);
+}
+
static void __init ct_init(void)
{
datatype_register(&ct_state_type);
diff --git a/src/evaluate.c b/src/evaluate.c
index 45af3298537c..208bbdba69c1 100644
--- a/src/evaluate.c
+++ b/src/evaluate.c
@@ -2443,6 +2443,7 @@ int stmt_evaluate(struct eval_ctx *ctx, struct stmt *stmt)
case STMT_COUNTER:
case STMT_LIMIT:
case STMT_QUOTA:
+ case STMT_NOTRACK:
return 0;
case STMT_EXPRESSION:
return stmt_evaluate_expr(ctx, stmt);
diff --git a/src/netlink_delinearize.c b/src/netlink_delinearize.c
index d8d1d7d7aaa7..978ef51c4ad9 100644
--- a/src/netlink_delinearize.c
+++ b/src/netlink_delinearize.c
@@ -601,6 +601,13 @@ static void netlink_parse_numgen(struct netlink_parse_ctx *ctx,
netlink_set_register(ctx, dreg, expr);
}
+static void netlink_parse_notrack(struct netlink_parse_ctx *ctx,
+ const struct location *loc,
+ const struct nftnl_expr *nle)
+{
+ ctx->stmt = notrack_stmt_alloc(loc);
+}
+
static void netlink_parse_ct_stmt(struct netlink_parse_ctx *ctx,
const struct location *loc,
const struct nftnl_expr *nle)
@@ -1092,6 +1099,7 @@ static const struct {
{ .name = "range", .parse = netlink_parse_range },
{ .name = "reject", .parse = netlink_parse_reject },
{ .name = "nat", .parse = netlink_parse_nat },
+ { .name = "notrack", .parse = netlink_parse_notrack },
{ .name = "masq", .parse = netlink_parse_masq },
{ .name = "redir", .parse = netlink_parse_redir },
{ .name = "dup", .parse = netlink_parse_dup },
diff --git a/src/netlink_linearize.c b/src/netlink_linearize.c
index 0072dca091ea..0af144f37016 100644
--- a/src/netlink_linearize.c
+++ b/src/netlink_linearize.c
@@ -1063,6 +1063,15 @@ static void netlink_gen_ct_stmt(struct netlink_linearize_ctx *ctx,
nftnl_rule_add_expr(ctx->nlr, nle);
}
+static void netlink_gen_notrack_stmt(struct netlink_linearize_ctx *ctx,
+ const struct stmt *stmt)
+{
+ struct nftnl_expr *nle;
+
+ nle = alloc_nft_expr("notrack");
+ nftnl_rule_add_expr(ctx->nlr, nle);
+}
+
static void netlink_gen_set_stmt(struct netlink_linearize_ctx *ctx,
const struct stmt *stmt)
{
@@ -1158,6 +1167,8 @@ static void netlink_gen_stmt(struct netlink_linearize_ctx *ctx,
nle = netlink_gen_stmt_stateful(ctx, stmt);
nftnl_rule_add_expr(ctx->nlr, nle);
break;
+ case STMT_NOTRACK:
+ return netlink_gen_notrack_stmt(ctx, stmt);
default:
BUG("unknown statement type %s\n", stmt->ops->name);
}
diff --git a/src/parser_bison.y b/src/parser_bison.y
index baf0a539efa0..4108dff7e228 100644
--- a/src/parser_bison.y
+++ b/src/parser_bison.y
@@ -420,6 +420,8 @@ static void location_update(struct location *loc, struct location *rhs, int n)
%token XML "xml"
%token JSON "json"
+%token NOTRACK "notrack"
+
%type <string> identifier type_identifier string comment_spec
%destructor { xfree($$); } identifier type_identifier string comment_spec
@@ -2534,6 +2536,10 @@ ct_stmt : CT ct_key SET expr
{
$$ = ct_stmt_alloc(&@$, $2, $4);
}
+ | NOTRACK
+ {
+ $$ = notrack_stmt_alloc(&@$);
+ }
;
payload_stmt : payload_expr SET expr
diff --git a/src/scanner.l b/src/scanner.l
index 8b5a383bd095..29e7502d6cda 100644
--- a/src/scanner.l
+++ b/src/scanner.l
@@ -477,6 +477,8 @@ addrstring ({macaddr}|{ip4addr}|{ip6addr})
"dup" { return DUP; }
"fwd" { return FWD; }
+"notrack" { return NOTRACK; }
+
"xml" { return XML; }
"json" { return JSON; }
--
2.1.4
^ permalink raw reply related [flat|nested] 3+ messages in thread
end of thread, other threads:[~2016-10-20 16:07 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-10-20 16:07 [PATCH] netfilter: nft_ct: add notrack support Pablo Neira Ayuso
2016-10-20 16:07 ` [PATCH libnftnl] src: add notrack expression Pablo Neira Ayuso
2016-10-20 16:07 ` [PATCH nft] src: add notrack support Pablo Neira Ayuso
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.