Netfilter-Devel Archive on lore.kernel.org
From: Pablo Neira Ayuso <pablo@netfilter.org>
To: wenxu@ucloud.cn
Cc: fw@strlen.de, netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nf-next v3 5/9] netfilter: nft_tunnel: support NFT_TUNNEL_SRC/DST_IP match
Date: Tue, 13 Aug 2019 20:19:30 +0200
Message-ID: <20190813181930.ljrisiq2iszcddlk@salvia>
In-Reply-To: <1564668086-16260-6-git-send-email-wenxu@ucloud.cn>

On Thu, Aug 01, 2019 at 10:01:22PM +0800, wenxu@ucloud.cn wrote:
> From: wenxu <wenxu@ucloud.cn>
> 
> Add two new NFT_TUNNEL_SRC/DST_IP matches in nft_tunnel
> 
> Signed-off-by: wenxu <wenxu@ucloud.cn>
> ---
> v3: no change
> 
>  include/uapi/linux/netfilter/nf_tables.h |  2 ++
>  net/netfilter/nft_tunnel.c               | 46 +++++++++++++++++++++++++-------
>  2 files changed, 38 insertions(+), 10 deletions(-)
> 
> diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
> index 82abaa1..173690a 100644
> --- a/include/uapi/linux/netfilter/nf_tables.h
> +++ b/include/uapi/linux/netfilter/nf_tables.h
> @@ -1765,6 +1765,8 @@ enum nft_tunnel_key_attributes {
>  enum nft_tunnel_keys {
>  	NFT_TUNNEL_PATH,
>  	NFT_TUNNEL_ID,
> +	NFT_TUNNEL_SRC_IP,
> +	NFT_TUNNEL_DST_IP,
>  	__NFT_TUNNEL_MAX
>  };
>  #define NFT_TUNNEL_MAX	(__NFT_TUNNEL_MAX - 1)
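Review bot: NFT_TUNNEL_SRC_IP and NFT_TUNNEL_DST_IP enter UAPI here without a word on what they carry, so state at the declaration that each yields the outer IPv4 address of the tunnel and in which byte order it is stored, and pick names that leave room for an IPv6 counterpart (for instance NFT_TUNNEL_SRC_IP6) rather than forcing a rename later. Inserting them before __NFT_TUNNEL_MAX keeps NFT_TUNNEL_PATH and NFT_TUNNEL_ID at their existing values, which is the right way to extend this enum.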
> diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
> index 3d4c2ae..e218163 100644
> --- a/net/netfilter/nft_tunnel.c
> +++ b/net/netfilter/nft_tunnel.c
> @@ -18,6 +18,18 @@ struct nft_tunnel {
>  	enum nft_tunnel_mode	mode:8;
>  };
>  
> +bool nft_tunnel_mode_validate(enum nft_tunnel_mode priv_mode, u8 tun_mode)
> +{
> +	if (priv_mode == NFT_TUNNEL_MODE_NONE ||
> +	    (priv_mode == NFT_TUNNEL_MODE_RX &&
> +	     !(tun_mode & IP_TUNNEL_INFO_TX)) ||
> +	    (priv_mode == NFT_TUNNEL_MODE_TX &&
> +	     (tun_mode & IP_TUNNEL_INFO_TX)))
> +		return true;
> +
> +	return false;
> +}

Make an initial patch to add nft_tunnel_mode_validate().

>  static void nft_tunnel_get_eval(const struct nft_expr *expr,
>  				struct nft_regs *regs,
>  				const struct nft_pktinfo *pkt)
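Review bot: nft_tunnel_mode_validate() is defined with external linkage but no prototype in any header, so sparse will warn that it should be static; make it `static bool nft_tunnel_mode_validate(...)` (static inline is reasonable, it is three comparisons on the eval path) and only add a declaration to a header if a later patch in the series calls it from another file. It also returns true unconditionally for NFT_TUNNEL_MODE_NONE, which matches the inline check it replaces, so a name such as nft_tunnel_mode_ok() would describe the predicate better than "validate".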
> @@ -34,11 +46,7 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr,
>  			nft_reg_store8(dest, false);
>  			return;
>  		}
> -		if (priv->mode == NFT_TUNNEL_MODE_NONE ||
> -		    (priv->mode == NFT_TUNNEL_MODE_RX &&
> -		     !(tun_info->mode & IP_TUNNEL_INFO_TX)) ||
> -		    (priv->mode == NFT_TUNNEL_MODE_TX &&
> -		     (tun_info->mode & IP_TUNNEL_INFO_TX)))
> +		if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
>  			nft_reg_store8(dest, true);
>  		else
>  			nft_reg_store8(dest, false);
[...]
> +	case NFT_TUNNEL_DST_IP:
> +		if (!tun_info) {
> +			regs->verdict.code = NFT_BREAK;
> +			return;
> +		}
> +		if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
> +			*dest = ntohl(tun_info->key.u.ipv4.dst);

No need to convert this from network to host endianness.

> +		else
> +			regs->verdict.code = NFT_BREAK;
> +		break;
>  	default:
>  		WARN_ON(1);
>  		regs->verdict.code = NFT_BREAK;
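Review bot: the NFT_TUNNEL_DST_IP case reads tun_info->key.u.ipv4.dst without checking the tunnel's address family; key.u is a union of the IPv4 and IPv6 endpoint pairs, so for an IPv6 tunnel this stores the leading 32 bits of the IPv6 destination and the rule matches on those bytes instead of breaking. Add `if (ip_tunnel_info_af(tun_info) != AF_INET)` before the mode check and set NFT_BREAK when it fails (or cover it with the IPv6 keys asked for below). On the ntohl(): the field is __be32 and nft userspace compares addresses as raw network-order bytes, so storing the converted value makes a rule for 10.0.0.1 compare against byte-swapped data on little-endian hosts; store the field as-is.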
> @@ -86,6 +110,8 @@ static int nft_tunnel_get_init(const struct nft_ctx *ctx,
>  		len = sizeof(u8);
>  		break;
>  	case NFT_TUNNEL_ID:
> +	case NFT_TUNNEL_SRC_IP:
> +	case NFT_TUNNEL_DST_IP:
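Review bot: grouping NFT_TUNNEL_SRC_IP and NFT_TUNNEL_DST_IP with NFT_TUNNEL_ID gives them the tunnel id's 4-byte register length, which fits an IPv4 address but not the IPv6 keys this series is being asked to add; give the address keys their own case with `len = sizeof(struct in_addr);` now (and sizeof(struct in6_addr) for the IPv6 ones) rather than tying them to the id's size. The hunk is also cut before the len assignment and its closing context, so the rest of the switch and the register length validation cannot be checked here.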

Missing policy updates, i.e. nft_tunnel_key_policy.

I would take an initial patchset with two patches to add support for
this to the tunnel extension.

IPv6 is missing though, you could add it too to this patchset so this
becomes a patchset composed of three patches, I'd suggest.
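The byte-order point above, as an added example that is not part of this thread or of the netfilter code: a small C model of one 32-bit nft register. The kernel side stores the tunnel destination either as the patch does (after ntohl()) or as the review asks (raw), and the userspace side compares it the way nft does for any address in a rule such as `ip daddr 10.0.0.1`, as raw network-order bytes. The patch's nft_tunnel_mode_validate() truth table is reproduced so the mode gate can be exercised as well. IP_TUNNEL_INFO_TX and the enum values are stand-in constants, the register is a simplification of struct nft_regs, and the 10.0.0.1 packet is constructed.

```c
/*
 * Added example, not code from the patch or from netfilter: follows a
 * tunnel destination address from ip_tunnel_info into an nft register and
 * on to userspace's comparison. Constants below are stand-ins for the demo.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IP_TUNNEL_INFO_TX 0x01	/* assumed value; only the bit test matters */

enum nft_tunnel_mode {
	NFT_TUNNEL_MODE_NONE,
	NFT_TUNNEL_MODE_RX,
	NFT_TUNNEL_MODE_TX,
};

/* Same truth table as the patch's nft_tunnel_mode_validate(). */
static bool nft_tunnel_mode_validate(enum nft_tunnel_mode priv_mode, uint8_t tun_mode)
{
	if (priv_mode == NFT_TUNNEL_MODE_NONE ||
	    (priv_mode == NFT_TUNNEL_MODE_RX && !(tun_mode & IP_TUNNEL_INFO_TX)) ||
	    (priv_mode == NFT_TUNNEL_MODE_TX && (tun_mode & IP_TUNNEL_INFO_TX)))
		return true;
	return false;
}

/* One 32-bit nft register, seen the way userspace's cmp sees it: raw bytes. */
struct nft_reg32 {
	uint8_t b[4];
};

/* Pack a dotted quad into a __be32-style value: octets in network order. */
static uint32_t be32_from_dotted(const char *dotted)
{
	unsigned int o[4];
	uint8_t raw[4];
	uint32_t be;

	if (sscanf(dotted, "%u.%u.%u.%u", &o[0], &o[1], &o[2], &o[3]) != 4)
		return 0;
	for (int i = 0; i < 4; i++)
		raw[i] = (uint8_t)o[i];
	memcpy(&be, raw, sizeof(be));
	return be;
}

/* What ntohl() does: reinterpret the network-order bytes as a host integer. */
static uint32_t be32_to_host(uint32_t be)
{
	uint8_t raw[4];

	memcpy(raw, &be, sizeof(be));
	return ((uint32_t)raw[0] << 24) | ((uint32_t)raw[1] << 16) |
	       ((uint32_t)raw[2] << 8) | raw[3];
}

/*
 * Kernel side. tun_info->key.u.ipv4.dst is __be32; the patch stores
 * ntohl() of it, the review asks for the raw value. Both variants here.
 */
static struct nft_reg32 store_tunnel_dst(uint32_t dst_be, bool convert_to_host)
{
	struct nft_reg32 r;
	uint32_t v = convert_to_host ? be32_to_host(dst_be) : dst_be;

	memcpy(r.b, &v, sizeof(v));
	return r;
}

/*
 * Userspace side. nft turns the address in a rule into its four
 * network-order bytes and emits a cmp against the register, byte for byte.
 */
static bool rule_matches(const char *rule_dst, struct nft_reg32 reg)
{
	uint32_t want = be32_from_dotted(rule_dst);

	return memcmp(&want, reg.b, sizeof(want)) == 0;
}

static bool host_is_little_endian(void)
{
	uint16_t probe = 1;
	uint8_t first;

	memcpy(&first, &probe, 1);
	return first == 1;
}

int main(void)
{
	uint32_t dst = be32_from_dotted("10.0.0.1");	/* constructed packet */

	printf("raw store matches 10.0.0.1:   %d\n",
	       rule_matches("10.0.0.1", store_tunnel_dst(dst, false)));
	printf("ntohl store matches 10.0.0.1: %d (little-endian host: %d)\n",
	       rule_matches("10.0.0.1", store_tunnel_dst(dst, true)),
	       host_is_little_endian());
	return 0;
}
```

On a little-endian host the ntohl() variant leaves the bytes of 1.0.0.10 in the register, so a rule written for 10.0.0.1 stops matching; on a big-endian host the two variants coincide, which is why a quick test on the wrong machine would not show the bug.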

Thread overview: 22+ messages
2019-08-01 14:01 [PATCH nf-next v3 0/9] netfilter: nf_tables_offload: support more expr and obj offload wenxu
2019-08-01 14:01 ` [PATCH nf-next v3 1/9] netfilter: nf_flow_offload: add net in offload_ctx wenxu
2019-08-01 14:01 ` [PATCH nf-next v3 2/9] netfilter: nf_tables_offload: add offload_actions callback wenxu
2019-08-01 14:01 ` [PATCH nf-next v3 3/9] netfilter: nft_fwd_netdev: add fw_netdev action support wenxu
2019-08-07 12:15   ` kbuild test robot
2019-08-08  6:06     ` wenxu
2019-08-01 14:01 ` [PATCH nf-next v3 4/9] netfilter: nft_payload: add nft_set_payload offload support wenxu
2019-08-07 12:18   ` kbuild test robot
2019-08-08  6:07     ` wenxu
2019-08-01 14:01 ` [PATCH nf-next v3 5/9] netfilter: nft_tunnel: support NFT_TUNNEL_SRC/DST_IP match wenxu
2019-08-13 18:19   ` Pablo Neira Ayuso [this message]
2019-08-14  7:54     ` wenxu
2019-08-14  8:00       ` Pablo Neira Ayuso
2019-08-14  8:19         ` Pablo Neira Ayuso
2019-08-14  8:28           ` wenxu
2019-08-14  9:17             ` Pablo Neira Ayuso
2019-08-14  8:22         ` wenxu
2019-08-01 14:01 ` [PATCH nf-next v3 6/9] netfilter: nft_tunnel: support tunnel meta match offload wenxu
2019-08-01 14:01 ` [PATCH nf-next v3 7/9] netfilter: nft_tunnel: add NFTA_TUNNEL_KEY_RELEASE action wenxu
2019-08-01 14:01 ` [PATCH nf-next v3 8/9] netfilter: nft_objref: add nft_objref_type offload wenxu
2019-08-01 14:01 ` [PATCH nf-next v3 9/9] netfilter: nft_tunnel: support nft_tunnel_obj offload wenxu
2019-08-13 10:58 ` [PATCH nf-next v3 0/9] netfilter: nf_tables_offload: support more expr and obj offload wenxu
