From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Kevin 'ldir' Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk>
Cc: "netfilter-devel@vger.kernel.org" <netfilter-devel@vger.kernel.org>
Subject: Re: [RFC nf-next v2 1/2] netfilter: connmark: introduce savedscp
Date: Tue, 30 Apr 2019 14:29:13 +0200 [thread overview]
Message-ID: <20190430122913.lyz7qjh5eebx7lpk@salvia> (raw)
In-Reply-To: <20190409142333.68403-2-ldir@darbyshire-bryant.me.uk>
On Tue, Apr 09, 2019 at 02:23:46PM +0000, Kevin 'ldir' Darbyshire-Bryant wrote:
> diff --git a/include/uapi/linux/netfilter/xt_connmark.h b/include/uapi/linux/netfilter/xt_connmark.h
> index 1aa5c955ee1e..24272cac2d37 100644
> --- a/include/uapi/linux/netfilter/xt_connmark.h
> +++ b/include/uapi/linux/netfilter/xt_connmark.h
> @@ -16,7 +16,8 @@
> enum {
> XT_CONNMARK_SET = 0,
> XT_CONNMARK_SAVE,
> - XT_CONNMARK_RESTORE
> + XT_CONNMARK_RESTORE,
> + XT_CONNMARK_SAVEDSCP
I'd prefer you implement this in nftables, more comments below.
> };
>
> enum {
> diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
> index 29c38aa7f726..6c63cf476342 100644
> --- a/net/netfilter/xt_connmark.c
> +++ b/net/netfilter/xt_connmark.c
> @@ -42,6 +42,7 @@ connmark_tg_shift(struct sk_buff *skb, const struct xt_connmark_tginfo2 *info)
> u_int32_t new_targetmark;
> struct nf_conn *ct;
> u_int32_t newmark;
> + u8 dscp;
>
> ct = nf_ct_get(skb, &ctinfo);
> if (ct == NULL)
> @@ -74,6 +75,34 @@ connmark_tg_shift(struct sk_buff *skb, const struct xt_connmark_tginfo2 *info)
> nf_conntrack_event_cache(IPCT_MARK, ct);
> }
> break;
> + case XT_CONNMARK_SAVEDSCP:
Could you add a new revision and a new flag field for this? so it just
adds the dscp to the mark as you need.
> + if (!info->ctmark)
> + goto out;
> +
> + if (skb->protocol == htons(ETH_P_IP)) {
> + if (skb->len < sizeof(struct iphdr))
> + goto out;
> +
> + dscp = ipv4_get_dsfield(ip_hdr(skb)) >> 2;
> +
> + } else if (skb->protocol == htons(ETH_P_IPV6)) {
> + if (skb->len < sizeof(struct ipv6hdr))
> + goto out;
This is already guaranteed to have a valid IP header in place, no need
for this check.
> +
> + dscp = ipv6_get_dsfield(ipv6_hdr(skb)) >> 2;
> +
> + } else { /* protocol doesn't have diffserv - get out! */
> + goto out;
> + }
> +
> + newmark = (ct->mark & ~info->ctmark) ^
> + (info->ctmask | (dscp << info->shift_bits));
> +
> + if (ct->mark != newmark) {
> + ct->mark = newmark;
> + nf_conntrack_event_cache(IPCT_MARK, ct);
> + }
> + break;
> case XT_CONNMARK_RESTORE:
> new_targetmark = (ct->mark & info->ctmask);
> if (info->shift_dir == D_SHIFT_RIGHT)
> @@ -86,6 +115,7 @@ connmark_tg_shift(struct sk_buff *skb, const struct xt_connmark_tginfo2 *info)
> skb->mark = newmark;
> break;
> }
> +out:
> return XT_CONTINUE;
> }
>
> --
> 2.20.1 (Apple Git-117)
>
next prev parent reply other threads:[~2019-04-30 12:29 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-03-24 14:23 [RFC PATCH 0/1] netfilter: xt_connmark: add savedscp-mark action Kevin 'ldir' Darbyshire-Bryant
2019-03-24 14:23 ` [PATCH 1/1] netfilter: connmark: introduce savedscp Kevin 'ldir' Darbyshire-Bryant
2019-04-08 22:39 ` Pablo Neira Ayuso
2019-04-08 23:16 ` Kevin 'ldir' Darbyshire-Bryant
2019-04-09 14:23 ` [RFC nf-next v2 0/2] xt_connmark: add savedscp-mark action Kevin 'ldir' Darbyshire-Bryant
2019-04-09 14:23 ` [RFC nf-next v2 1/2] netfilter: connmark: introduce savedscp Kevin 'ldir' Darbyshire-Bryant
2019-04-30 12:29 ` Pablo Neira Ayuso [this message]
2019-04-30 20:40 ` Kevin 'ldir' Darbyshire-Bryant
2019-04-09 14:23 ` [RFC nf-next 2/2] iptables: connmark - add savedscp option Kevin 'ldir' Darbyshire-Bryant
2019-12-03 16:06 ` [PATCH 0/1] netfilter: connmark: introduce set-dscpmark Kevin Darbyshire-Bryant
2019-12-03 16:06 ` [PATCH 1/1] " Kevin Darbyshire-Bryant
2019-12-09 23:57 ` Kevin 'ldir' Darbyshire-Bryant
2019-12-05 8:56 ` [PATCH 0/1] " Jeremy Sowden
2019-12-05 9:46 ` Kevin 'ldir' Darbyshire-Bryant
2019-12-06 8:54 ` Jeremy Sowden
2019-12-05 10:49 ` Florian Westphal
2019-12-05 22:00 ` Jeremy Sowden
2019-12-09 21:42 ` [RFC PATCH nf-next] netfilter: conntrack: add support for storing DiffServ code-point as CT mark Jeremy Sowden
2019-12-09 21:42 ` [RFC PATCH nftables] Add "ct dscpmark" conntrack statement Jeremy Sowden
2019-12-09 22:47 ` [RFC PATCH nf-next] netfilter: conntrack: add support for storing DiffServ code-point as CT mark Florian Westphal
2019-12-09 23:23 ` Jeremy Sowden
2019-12-10 1:25 ` Florian Westphal
2019-12-10 11:01 ` Jeremy Sowden
2019-12-10 11:32 ` Florian Westphal
2019-12-10 19:52 ` Jeremy Sowden
2019-12-11 13:01 ` [PATCH nf-next v2] netfilter: connmark: introduce set-dscpmark Kevin Darbyshire-Bryant
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190430122913.lyz7qjh5eebx7lpk@salvia \
--to=pablo@netfilter.org \
--cc=ldir@darbyshire-bryant.me.uk \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).