From: wenxu@ucloud.cn
To: nikolay@cumulusnetworks.com, pablo@netfilter.org
Cc: netfilter-devel@vger.kernel.org, bridge@lists.linux-foundation.org
Subject: [PATCH 4/7 nf-next v2] netfilter: nft_meta_bridge: add NFT_META_BRI_IIFPVID support
Date: Fri,  5 Jul 2019 21:16:35 +0800
Message-ID: <1562332598-17415-4-git-send-email-wenxu@ucloud.cn>
In-Reply-To: <1562332598-17415-1-git-send-email-wenxu@ucloud.cn>

From: wenxu <wenxu@ucloud.cn>

nft add table bridge firewall
nft add chain bridge firewall zones { type filter hook prerouting priority - 300 \; }
nft add rule bridge firewall zones counter ct zone set vlan id map { 100 : 1, 200 : 2 }

As above, with the bridge port set with a pvid, the received packet doesn't contain
the vlan tag, which means the packet should belong to vlan 200 through the pvid.
With this patch the user can get the pvid of bridge ports.

So add the following rule as the first rule in the zones chain.

nft add rule bridge firewall zones counter meta vlan set meta briifpvid

Signed-off-by: wenxu <wenxu@ucloud.cn>
Reviewed-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
---
 include/uapi/linux/netfilter/nf_tables.h |  2 ++
 net/bridge/netfilter/nft_meta_bridge.c   | 15 +++++++++++++++
 2 files changed, 17 insertions(+)

diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index c6c8ec5..8a1bd0b 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -795,6 +795,7 @@ enum nft_exthdr_attributes {
  * @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp)
  * @NFT_META_IIFKIND: packet input interface kind name (dev->rtnl_link_ops->kind)
  * @NFT_META_OIFKIND: packet output interface kind name (dev->rtnl_link_ops->kind)
+ * @NFT_META_BRI_IIFPVID: packet input bridge port pvid
  */
 enum nft_meta_keys {
 	NFT_META_LEN,
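Review bot: the new @NFT_META_BRI_IIFPVID doc line should state the value's type and when it is populated, as the neighbouring entries do (e.g. "@NFT_META_SECPATH: boolean, ..."); since the eval path stores a u16 and breaks the rule when the bridge has vlan filtering disabled, something like " * @NFT_META_BRI_IIFPVID: u16, packet input bridge port pvid (bridge must have vlan filtering enabled)" would save readers a trip into nft_meta_bridge.c.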
@@ -825,6 +826,7 @@ enum nft_meta_keys {
 	NFT_META_SECPATH,
 	NFT_META_IIFKIND,
 	NFT_META_OIFKIND,
+	NFT_META_BRI_IIFPVID,
 };
 
 /**
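Review bot: appending NFT_META_BRI_IIFPVID at the end of enum nft_meta_keys keeps the existing uapi numbering stable, good. The `meta briifpvid` syntax shown in the changelog depends on a matching nftables userspace change that maps the keyword to this enum value; it is not a kernel change and so is not in this nf-next patch, which is worth saying explicitly in the changelog.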
diff --git a/net/bridge/netfilter/nft_meta_bridge.c b/net/bridge/netfilter/nft_meta_bridge.c
index 2ea8acb..9487d42 100644
--- a/net/bridge/netfilter/nft_meta_bridge.c
+++ b/net/bridge/netfilter/nft_meta_bridge.c
@@ -7,6 +7,7 @@
 #include <linux/netfilter/nf_tables.h>
 #include <net/netfilter/nf_tables.h>
 #include <net/netfilter/nft_meta.h>
+#include <linux/if_bridge.h>
 
 static const struct net_device *
 nft_meta_get_bridge(const struct net_device *dev)
@@ -37,6 +38,17 @@ static void nft_meta_bridge_get_eval(const struct nft_expr *expr,
 		if (!br_dev)
 			goto err;
 		break;
+	case NFT_META_BRI_IIFPVID: {
+		u16 p_pvid;
+
+		br_dev = nft_meta_get_bridge(in);
+		if (!br_dev || !br_vlan_enabled(br_dev))
+			goto err;
+
+		br_vlan_get_pvid_rcu(in, &p_pvid);
+		nft_reg_store16(dest, p_pvid);
+		return;
+	}
 	default:
 		goto out;
 	}
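Review bot: in the NFT_META_BRI_IIFPVID case the return value of br_vlan_get_pvid_rcu() is discarded, so if the helper ever returns an error p_pvid is written into the register uninitialised. The preceding nft_meta_get_bridge(in) check already guarantees that `in` is a bridge port, so the failure path is unreachable today, but that invariant lives in a different function; either check the return (`if (br_vlan_get_pvid_rcu(in, &p_pvid)) goto err;`) or initialise `u16 p_pvid = 0;` so a later change to the helper cannot turn this into a stack-value leak into the register. The _rcu variant is the right one here since the eval hook runs under RCU.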
@@ -62,6 +74,9 @@ static int nft_meta_bridge_get_init(const struct nft_ctx *ctx,
 	case NFT_META_BRI_OIFNAME:
 		len = IFNAMSIZ;
 		break;
+	case NFT_META_BRI_IIFPVID:
+		len = sizeof(u16);
+		break;
 	default:
 		return nft_meta_get_init(ctx, expr, tb);
 	}
-- 
1.8.3.1