* [PATCH] netfilter: nft_meta: Add NFT_META_L3MASTER meta type
@ 2019-01-15  5:10 wenxu
From: wenxu @ 2019-01-15  5:10 UTC (permalink / raw)
  To: pablo, dsahern, fw; +Cc: netfilter-devel, netdev

From: wenxu <wenxu@ucloud.cn>

In ip_rcv the skb goes through the PREROUTING hook first,
then jumps into the vrf device and goes through the same hook again.
When conntrack dnat works with vrf, there will be some conflict for rules,
because the packet goes through the hook twice with a different nf status.

ip link add user1 type vrf table 1
ip link add user2 type vrf table 2
ip l set dev tun1 master user1
ip l set dev tun2 master user2

nft add table firewall
nft add chain firewall zones { type filter hook prerouting  priority - 300 \; }
nft add rule firewall zones counter ct zone set iif map { "tun1" : 1, "tun2" : 2 }
nft add chain firewall rule-1000-ingress
nft add rule firewall rule-1000-ingress ct zone 1 tcp dport 22 ct state new counter accept
nft add rule firewall rule-1000-ingress counter drop
nft add chain firewall rule-1000-egress
nft add rule firewall rule-1000-egress tcp dport 22 ct state new counter drop
nft add rule firewall rule-1000-egress counter accept

nft add chain firewall rules-all { type filter hook prerouting priority - 150 \; }
nft add rule firewall rules-all ip daddr vmap { "2.2.2.11" : jump rule-1000-ingress }
nft add rule firewall rules-all ct zone vmap { 1 : jump rule-1000-egress }

nft add rule firewall dnat-all ct zone vmap { 1 : jump dnat-1000 }
nft add rule firewall dnat-1000 ip daddr 2.2.2.11 counter dnat to 10.0.0.7

For a packet with ip daddr 2.2.2.11 and tcp dport 22, the first time it is accepted in
rule-1000-ingress and dnat'ed to 10.0.0.7. Then the second time the packet goes to the wrong
chain rule-1000-egress, which leads to the packet being dropped.

So with this patch userspace can add the 'don't re-do entire ruleset for vrf' policy
itself, like the following:

nft add rule firewall rules-all meta l3master true counter accept

Signed-off-by: wenxu <wenxu@ucloud.cn>
---
 include/uapi/linux/netfilter/nf_tables.h | 2 ++
 net/netfilter/nft_meta.c                 | 8 ++++++++
 2 files changed, 10 insertions(+)

diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 7de4f1b..dc45972 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -789,6 +789,7 @@ enum nft_exthdr_attributes {
  * @NFT_META_CGROUP: socket control group (skb->sk->sk_classid)
  * @NFT_META_PRANDOM: a 32bit pseudo-random number
  * @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp)
+ * @NFT_META_L3MASTER: boolean, netif_is_l3_master(dev)
  */
 enum nft_meta_keys {
 	NFT_META_LEN,
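Review bot: the kerneldoc line `@NFT_META_L3MASTER: boolean, netif_is_l3_master(dev)` leaves open which device is meant, while the eval hunk only ever tests the input interface (`in`); spell that out, e.g. "boolean, input interface is an L3 master device (netif_is_l3_master(in))", so rule authors know the key cannot match in hooks that have no input interface.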
@@ -817,6 +818,7 @@ enum nft_meta_keys {
 	NFT_META_CGROUP,
 	NFT_META_PRANDOM,
 	NFT_META_SECPATH,
+	NFT_META_L3MASTER,
 };
 
 /**
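Review bot: appending `NFT_META_L3MASTER` at the tail of the uapi `enum nft_meta_keys` keeps every existing key value stable, which is the right way to extend the ABI; since the commit message already relies on the userspace syntax `meta l3master true`, the cover text should point at the matching nftables userspace change that adds that keyword, otherwise the example rule cannot be loaded with an unpatched nft.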
diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
index 6df486c..84c8151 100644
--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -244,6 +244,11 @@ void nft_meta_get_eval(const struct nft_expr *expr,
 		strncpy((char *)dest, p->br->dev->name, IFNAMSIZ);
 		return;
 #endif
+	case NFT_META_L3MASTER:
+		if (in == NULL)
+			goto err;
+		nft_reg_store8(dest, netif_is_l3_master(in));
+		break;
 	default:
 		WARN_ON(1);
 		goto err;
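Review bot: the new case stores `netif_is_l3_master(in)` into a u8 register, consistent with `len = sizeof(u8)` in the init hunk, but it only examines the input interface even though the key is named generically `L3MASTER`; either name the key after the input interface or add the output-interface counterpart at the same time, because the same double-traversal concern applies to packets leaving through a VRF master, and `if (in == NULL) goto err;` means a rule using this key in an output-side hook silently never matches rather than failing visibly.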
@@ -359,6 +364,9 @@ static int nft_meta_get_init(const struct nft_ctx *ctx,
 		len = IFNAMSIZ;
 		break;
 #endif
+	case NFT_META_L3MASTER:
+		len = sizeof(u8);
+		break;
 	default:
 		return -EOPNOTSUPP;
 	}
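Review bot: this hunk only sets the register length; given that the eval path goes to `err` whenever `in == NULL`, the key should also be restricted at rule-load time to hooks where an input interface exists (prerouting, input, forward), so that a ruleset using `NFT_META_L3MASTER` in an unsupported hook is rejected with `-EOPNOTSUPP` at init instead of producing rules that can never match.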
-- 
1.8.3.1
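The two PREROUTING traversals described in the commit message, stepped through as an added model (this is not code from the patch, from the kernel or from nftables). It simulates the ruleset above in plain Python: the `zones`, `rules-all` and `dnat-all` base chains run in priority order, a `jump` returns to the caller when the target chain falls through, and the conntrack zone plus the rewritten daddr are carried from the first pass into the second, as the commit message describes. Assumptions of the model: `dnat-all` is a prerouting base chain at priority -100 (the commit message does not show its definition), the VRF master is named `user1`, and the `meta l3master true accept` rule is tried in three placements (absent, first in `rules-all` as `nft insert rule` would put it, and last as `nft add rule` appends it), which the original text does not spell out.

```python
"""Model of the double PREROUTING traversal for a VRF slave/master pair.

Constructed example: packet fields, chain names and the base-chain priorities
are taken from the commit message where shown and assumed otherwise.
"""

ACCEPT, DROP, CONTINUE = "accept", "drop", "continue"


def rule(match, action):
    """A rule is (match predicate, action); action returns a verdict."""
    return (match, action)


def verdict(v):
    return lambda pkt, ruleset: v


def jump(chain_name):
    # 'jump X': run X; ACCEPT/DROP terminate, falling off the end returns here
    return lambda pkt, ruleset: run_chain(ruleset, chain_name, pkt)


def ct_zone_set_from_iif(mapping):
    # 'ct zone set iif map {...}': only assigns a zone when iif is in the map
    def act(pkt, ruleset):
        if pkt["iif"] in mapping:
            pkt["ct_zone"] = mapping[pkt["iif"]]
        return CONTINUE
    return act


def dnat_to(new_daddr):
    # 'dnat to X' rewrites daddr and terminates the chain with accept
    def act(pkt, ruleset):
        pkt["daddr"] = new_daddr
        return ACCEPT
    return act


def run_chain(ruleset, name, pkt):
    for match, action in ruleset[name]:
        if not match(pkt):
            continue
        v = action(pkt, ruleset)
        if v in (ACCEPT, DROP):
            return v
    return CONTINUE  # end of chain: return to caller / base policy accept


# (priority, chain) pairs for the prerouting hook; -100 for dnat-all is assumed
BASE_CHAINS = [(-300, "zones"), (-150, "rules-all"), (-100, "dnat-all")]


def run_hook(ruleset, pkt):
    """One PREROUTING traversal: an accept in a base chain only ends that
    chain; the packet still visits the later-priority base chains."""
    for _prio, name in sorted(BASE_CHAINS):
        if run_chain(ruleset, name, pkt) == DROP:
            return DROP
    return ACCEPT


def build_ruleset(l3master_rule_position=None):
    always = lambda p: True
    l3master_accept = rule(lambda p: p["l3master"], verdict(ACCEPT))
    rules_all = [
        rule(lambda p: p["daddr"] == "2.2.2.11", jump("rule-1000-ingress")),
        rule(lambda p: p["ct_zone"] == 1, jump("rule-1000-egress")),
    ]
    if l3master_rule_position == "first":
        rules_all.insert(0, l3master_accept)   # as 'nft insert rule' would
    elif l3master_rule_position == "last":
        rules_all.append(l3master_accept)      # as 'nft add rule' appends
    return {
        "zones": [rule(always, ct_zone_set_from_iif({"tun1": 1, "tun2": 2}))],
        "rule-1000-ingress": [
            rule(lambda p: p["ct_zone"] == 1 and p["dport"] == 22
                 and p["ct_state"] == "new", verdict(ACCEPT)),
            rule(always, verdict(DROP)),
        ],
        "rule-1000-egress": [
            rule(lambda p: p["dport"] == 22 and p["ct_state"] == "new",
                 verdict(DROP)),
            rule(always, verdict(ACCEPT)),
        ],
        "rules-all": rules_all,
        "dnat-all": [rule(lambda p: p["ct_zone"] == 1, jump("dnat-1000"))],
        "dnat-1000": [rule(lambda p: p["daddr"] == "2.2.2.11",
                           dnat_to("10.0.0.7"))],
    }


def simulate(l3master_rule_position=None):
    """Return (final verdict, per-pass trace) for a SYN to 2.2.2.11:22 on tun1."""
    ruleset = build_ruleset(l3master_rule_position)
    pkt = {"iif": "tun1", "l3master": False, "daddr": "2.2.2.11",
           "dport": 22, "ct_zone": 0, "ct_state": "new"}  # constructed packet
    trace = []
    v = run_hook(ruleset, pkt)                      # pass 1: ip_rcv on tun1
    trace.append(("pass1", v, pkt["daddr"], pkt["ct_zone"]))
    if v == DROP:
        return v, trace
    pkt["iif"], pkt["l3master"] = "user1", True     # pass 2: via VRF master
    v = run_hook(ruleset, pkt)   # ct zone and dnat'ed daddr carried over
    trace.append(("pass2", v, pkt["daddr"], pkt["ct_zone"]))
    return v, trace


if __name__ == "__main__":
    for pos in (None, "first", "last"):
        print(pos, simulate(pos))
```

Without the accept rule the second pass no longer matches `ip daddr 2.2.2.11` (it is now 10.0.0.7) but still matches `ct zone 1`, lands in rule-1000-egress and is dropped. Placing `meta l3master true accept` first short-circuits the second pass; appending it after the `ct zone vmap` rule leaves it unreachable in this model, so rule position matters as much as the new key.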


* Re: [PATCH] netfilter: nft_meta: Add NFT_META_L3MASTER meta type
@ 2019-01-15 11:17 ` Florian Westphal
From: Florian Westphal @ 2019-01-15 11:17 UTC (permalink / raw)
  To: wenxu; +Cc: pablo, dsahern, fw, netfilter-devel, netdev

wenxu@ucloud.cn <wenxu@ucloud.cn> wrote:
> From: wenxu <wenxu@ucloud.cn>
> so with this patch userspace can add the 'don't re-do entire ruleset for vrf' policy
> itself like the following
> 
> nft add rule firewall rules-all meta l3master true counter accept

I wonder if we need to support this also for output interface, and if
this should be specific to vrf or not.

Example:

meta iifl3master exists accept
meta oifl3master exists accept
or
meta iifkind "vrf" accept
meta oifkind "vrf" accept

(the latter could e.g. place rtnl_op ".kind" in the register)

Not sure if that would ever be useful beyond vrf.


* Re: [PATCH] netfilter: nft_meta: Add NFT_META_L3MASTER meta type
@ 2019-01-15 15:19   ` wenxu
From: wenxu @ 2019-01-15 15:19 UTC (permalink / raw)
  To: Florian Westphal; +Cc: pablo, dsahern, netfilter-devel, netdev

On 2019/1/15 7:17 PM, Florian Westphal wrote:
> wenxu@ucloud.cn <wenxu@ucloud.cn> wrote:
>> From: wenxu <wenxu@ucloud.cn>
>> so with this patch userspace can add the 'don't re-do entire ruleset for vrf' policy
>> itself like the following
>>
>> nft add rule firewall rules-all meta l3master true counter accept
> I wonder if we need to support this also for output interface, and if
> this should be specific to vrf or not.
>
> Example:
>
> meta iifl3master exists accept
> meta oifl3master exists accept
> or
> meta iifkind "vrf" accept
> meta oifkind "vrf" accept
>
> (the latter could e.g. place rtnl_op ".kind" in the register)
>
> Not sure if that would ever be useful beyond vrf.
>
yes, the iifkind type must be useful for most other cases.
