* [PATCH nf-next 0/5] netfilter: nft_tunnel: support tunnel match expr offload
@ 2019-10-24 10:35 wenxu
  2019-10-24 10:35 ` [PATCH nf-next 1/5] netfilter: nft_tunnel: add nft_tunnel_mode_validate function wenxu
                   ` (4 more replies)
  0 siblings, 5 replies; 10+ messages in thread
From: wenxu @ 2019-10-24 10:35 UTC (permalink / raw)
  To: pablo, fw; +Cc: netfilter-devel

From: wenxu <wenxu@ucloud.cn>

This series adds NFT_TUNNEL_IPV4/6_SRC/DST matching and tunnel expr offload.

wenxu (5):
  netfilter: nft_tunnel: add nft_tunnel_mode_validate function
  netfilter: nft_tunnel: support NFT_TUNNEL_IPV4_SRC/DST match
  netfilter: nft_tunnel: add inet type check in nft_tunnel_mode_validate
  netfilter: nft_tunnel: support NFT_TUNNEL_IPV6_SRC/DST match
  netfilter: nft_tunnel: add nft_tunnel_get_offload support

 include/net/netfilter/nf_tables_offload.h |   5 ++
 include/uapi/linux/netfilter/nf_tables.h  |   4 +
 net/netfilter/nft_tunnel.c                | 130 +++++++++++++++++++++++++++---
 3 files changed, 129 insertions(+), 10 deletions(-)

-- 
1.8.3.1



* [PATCH nf-next 1/5] netfilter: nft_tunnel: add nft_tunnel_mode_validate function
  2019-10-24 10:35 [PATCH nf-next 0/5] netfilter: nft_tunnel: support tunnel match expr offload wenxu
@ 2019-10-24 10:35 ` wenxu
  2019-11-15 22:52   ` Pablo Neira Ayuso
  2019-10-24 10:35 ` [PATCH nf-next 2/5] netfilter: nft_tunnel: support NFT_TUNNEL_IPV4_SRC/DST match wenxu
                   ` (3 subsequent siblings)
  4 siblings, 1 reply; 10+ messages in thread
From: wenxu @ 2019-10-24 10:35 UTC (permalink / raw)
  To: pablo, fw; +Cc: netfilter-devel

From: wenxu <wenxu@ucloud.cn>

Move the common mode validation code into the nft_tunnel_mode_validate
function.

Signed-off-by: wenxu <wenxu@ucloud.cn>
---
 net/netfilter/nft_tunnel.c | 25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)

diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
index 3d4c2ae..78b6e8f 100644
--- a/net/netfilter/nft_tunnel.c
+++ b/net/netfilter/nft_tunnel.c
@@ -18,6 +18,19 @@ struct nft_tunnel {
 	enum nft_tunnel_mode	mode:8;
 };
 
+static bool nft_tunnel_mode_validate(enum nft_tunnel_mode priv_mode,
+				     u8 tun_mode)
+{
+	if (priv_mode == NFT_TUNNEL_MODE_NONE ||
+	    (priv_mode == NFT_TUNNEL_MODE_RX &&
+	     !(tun_mode & IP_TUNNEL_INFO_TX)) ||
+	    (priv_mode == NFT_TUNNEL_MODE_TX &&
+	     (tun_mode & IP_TUNNEL_INFO_TX)))
+		return true;
+
+	return false;
+}
+
 static void nft_tunnel_get_eval(const struct nft_expr *expr,
 				struct nft_regs *regs,
 				const struct nft_pktinfo *pkt)
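Review bot: nft_tunnel_mode_validate() is added without a comment, and its name does not say what "valid" means here. From the condition, NFT_TUNNEL_MODE_NONE accepts tunnel metadata of either direction, NFT_TUNNEL_MODE_RX requires IP_TUNNEL_INFO_TX to be clear, and NFT_TUNNEL_MODE_TX requires it to be set. A one-line comment above the helper, such as `/* true if the direction of the tunnel metadata matches the mode requested by the rule; NFT_TUNNEL_MODE_NONE matches both */`, would stop later callers from reading it as a sanity check on tun_mode.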
@@ -34,11 +47,7 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr,
 			nft_reg_store8(dest, false);
 			return;
 		}
-		if (priv->mode == NFT_TUNNEL_MODE_NONE ||
-		    (priv->mode == NFT_TUNNEL_MODE_RX &&
-		     !(tun_info->mode & IP_TUNNEL_INFO_TX)) ||
-		    (priv->mode == NFT_TUNNEL_MODE_TX &&
-		     (tun_info->mode & IP_TUNNEL_INFO_TX)))
+		if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
 			nft_reg_store8(dest, true);
 		else
 			nft_reg_store8(dest, false);
@@ -48,11 +57,7 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr,
 			regs->verdict.code = NFT_BREAK;
 			return;
 		}
-		if (priv->mode == NFT_TUNNEL_MODE_NONE ||
-		    (priv->mode == NFT_TUNNEL_MODE_RX &&
-		     !(tun_info->mode & IP_TUNNEL_INFO_TX)) ||
-		    (priv->mode == NFT_TUNNEL_MODE_TX &&
-		     (tun_info->mode & IP_TUNNEL_INFO_TX)))
+		if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
 			*dest = ntohl(tunnel_id_to_key32(tun_info->key.tun_id));
 		else
 			regs->verdict.code = NFT_BREAK;
-- 
1.8.3.1



* [PATCH nf-next 2/5] netfilter: nft_tunnel: support NFT_TUNNEL_IPV4_SRC/DST match
  2019-10-24 10:35 [PATCH nf-next 0/5] netfilter: nft_tunnel: support tunnel match expr offload wenxu
  2019-10-24 10:35 ` [PATCH nf-next 1/5] netfilter: nft_tunnel: add nft_tunnel_mode_validate function wenxu
@ 2019-10-24 10:35 ` wenxu
  2019-10-27 10:32   ` kbuild test robot
  2019-10-24 10:35 ` [PATCH nf-next 3/5] netfilter: nft_tunnel: add inet type check in nft_tunnel_mode_validate wenxu
                   ` (2 subsequent siblings)
  4 siblings, 1 reply; 10+ messages in thread
From: wenxu @ 2019-10-24 10:35 UTC (permalink / raw)
  To: pablo, fw; +Cc: netfilter-devel

From: wenxu <wenxu@ucloud.cn>

Add two new matches, NFT_TUNNEL_IPV4_SRC and NFT_TUNNEL_IPV4_DST, to nft_tunnel.

Signed-off-by: wenxu <wenxu@ucloud.cn>
---
 include/uapi/linux/netfilter/nf_tables.h |  2 ++
 net/netfilter/nft_tunnel.c               | 22 ++++++++++++++++++++++
 2 files changed, 24 insertions(+)

diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 81fed16..7f65019 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -1775,6 +1775,8 @@ enum nft_tunnel_key_attributes {
 enum nft_tunnel_keys {
 	NFT_TUNNEL_PATH,
 	NFT_TUNNEL_ID,
+	NFT_TUNNEL_IPV4_SRC,
+	NFT_TUNNEL_IPV4_DST,
 	__NFT_TUNNEL_MAX
 };
 #define NFT_TUNNEL_MAX	(__NFT_TUNNEL_MAX - 1)
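Review bot: The new uapi keys NFT_TUNNEL_IPV4_SRC and NFT_TUNNEL_IPV4_DST are added with no statement of what userspace finds in the destination register. The eval code in this same patch copies `key.u.ipv4.src` and `key.u.ipv4.dst` unconverted, so the register holds a 32-bit address in network byte order, unlike NFT_TUNNEL_ID, which goes through ntohl(). A comment on the enum, for example `/* NFT_TUNNEL_IPV4_SRC/DST: tunnel IPv4 address, 32 bits, network byte order */`, would pin that contract down for rule authors and for the nft frontend. The same applies to the IPv6 keys added in 4/5.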
diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
index 78b6e8f..b60e855 100644
--- a/net/netfilter/nft_tunnel.c
+++ b/net/netfilter/nft_tunnel.c
@@ -62,6 +62,26 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr,
 		else
 			regs->verdict.code = NFT_BREAK;
 		break;
+	case NFT_TUNNEL_IPV4_SRC:
+		if (!tun_info) {
+			regs->verdict.code = NFT_BREAK;
+			return;
+		}
+		if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
+			*dest = tun_info->key.u.ipv4.src;
+		else
+			regs->verdict.code = NFT_BREAK;
+		break;
+	case NFT_TUNNEL_IPV4_DST:
+		if (!tun_info) {
+			regs->verdict.code = NFT_BREAK;
+			return;
+		}
+		if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
+			*dest = tun_info->key.u.ipv4.dst;
+		else
+			regs->verdict.code = NFT_BREAK;
+		break;
 	default:
 		WARN_ON(1);
 		regs->verdict.code = NFT_BREAK;
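Review bot: Both new cases read `tun_info->key.u.ipv4` after checking only the RX/TX direction, so at this commit nothing rejects tunnel metadata that has IP_TUNNEL_INFO_IPV6 set in `tun_info->mode`. Assuming `key.u` is a union of the ipv4 and ipv6 keys, as the member names suggest, four bytes of an IPv6 key would be loaded into the register and compared as if they were an IPv4 address. The family test only arrives in 3/5, which leaves this step matching on the wrong data if the series is bisected or partially backported. Landing the family-aware helper first, or adding `if (tun_info->mode & IP_TUNNEL_INFO_IPV6) { regs->verdict.code = NFT_BREAK; return; }` to both cases here, keeps every commit correct on its own. nft_tunnel_get_eval starts and ends outside the hunk.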
@@ -91,6 +111,8 @@ static int nft_tunnel_get_init(const struct nft_ctx *ctx,
 		len = sizeof(u8);
 		break;
 	case NFT_TUNNEL_ID:
+	case NFT_TUNNEL_IPV4_SRC:
+	case NFT_TUNNEL_IPV4_DST:
 		len = sizeof(u32);
 		break;
 	default:
-- 
1.8.3.1



* [PATCH nf-next 3/5] netfilter: nft_tunnel: add inet type check in nft_tunnel_mode_validate
  2019-10-24 10:35 [PATCH nf-next 0/5] netfilter: nft_tunnel: support tunnel match expr offload wenxu
  2019-10-24 10:35 ` [PATCH nf-next 1/5] netfilter: nft_tunnel: add nft_tunnel_mode_validate function wenxu
  2019-10-24 10:35 ` [PATCH nf-next 2/5] netfilter: nft_tunnel: support NFT_TUNNEL_IPV4_SRC/DST match wenxu
@ 2019-10-24 10:35 ` wenxu
  2019-11-15 22:55   ` Pablo Neira Ayuso
  2019-10-24 10:35 ` [PATCH nf-next 4/5] netfilter: nft_tunnel: support NFT_TUNNEL_IPV6_SRC/DST match wenxu
  2019-10-24 10:35 ` [PATCH nf-next 5/5] netfilter: nft_tunnel: add nft_tunnel_get_offload support wenxu
  4 siblings, 1 reply; 10+ messages in thread
From: wenxu @ 2019-10-24 10:35 UTC (permalink / raw)
  To: pablo, fw; +Cc: netfilter-devel

From: wenxu <wenxu@ucloud.cn>

Add ipv6 tunnel check in nft_tunnel_mode_validate.

Signed-off-by: wenxu <wenxu@ucloud.cn>
---
 net/netfilter/nft_tunnel.c | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)

diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
index b60e855..580b51b 100644
--- a/net/netfilter/nft_tunnel.c
+++ b/net/netfilter/nft_tunnel.c
@@ -18,9 +18,19 @@ struct nft_tunnel {
 	enum nft_tunnel_mode	mode:8;
 };
 
+enum nft_inet_type {
+	NFT_INET_NONE_TYPE,
+	NFT_INET_IPV4_TYPE,
+	NFT_INET_IPV6_TYPE,
+};
+
 static bool nft_tunnel_mode_validate(enum nft_tunnel_mode priv_mode,
-				     u8 tun_mode)
+				     u8 tun_mode, enum nft_inet_type type)
 {
+	if ((type == NFT_INET_IPV6_TYPE && !(tun_mode & IP_TUNNEL_INFO_IPV6)) ||
+	    (type == NFT_INET_IPV4_TYPE && (tun_mode & IP_TUNNEL_INFO_IPV6)))
+		return false;
+
 	if (priv_mode == NFT_TUNNEL_MODE_NONE ||
 	    (priv_mode == NFT_TUNNEL_MODE_RX &&
 	     !(tun_mode & IP_TUNNEL_INFO_TX)) ||
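Review bot: `enum nft_inet_type` is file-local but named like a uapi constant set, and nothing states that NFT_INET_NONE_TYPE means "skip the address-family test". The helper also still carries the name nft_tunnel_mode_validate although it now rejects on family as well as direction. A comment on the enum, such as `/* address family the caller is about to read from the tunnel key; NONE skips the family check */`, would make the early `return false` readable without tracing every call site. The body of nft_tunnel_mode_validate continues past the end of the hunk.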
@@ -47,7 +57,8 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr,
 			nft_reg_store8(dest, false);
 			return;
 		}
-		if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
+		if (nft_tunnel_mode_validate(priv->mode, tun_info->mode,
+					     NFT_INET_NONE_TYPE))
 			nft_reg_store8(dest, true);
 		else
 			nft_reg_store8(dest, false);
@@ -57,7 +68,8 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr,
 			regs->verdict.code = NFT_BREAK;
 			return;
 		}
-		if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
+		if (nft_tunnel_mode_validate(priv->mode, tun_info->mode,
+					     NFT_INET_NONE_TYPE))
 			*dest = ntohl(tunnel_id_to_key32(tun_info->key.tun_id));
 		else
 			regs->verdict.code = NFT_BREAK;
@@ -67,7 +79,8 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr,
 			regs->verdict.code = NFT_BREAK;
 			return;
 		}
-		if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
+		if (nft_tunnel_mode_validate(priv->mode, tun_info->mode,
+					     NFT_INET_IPV4_TYPE))
 			*dest = tun_info->key.u.ipv4.src;
 		else
 			regs->verdict.code = NFT_BREAK;
@@ -77,7 +90,8 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr,
 			regs->verdict.code = NFT_BREAK;
 			return;
 		}
-		if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
+		if (nft_tunnel_mode_validate(priv->mode, tun_info->mode,
+					     NFT_INET_IPV4_TYPE))
 			*dest = tun_info->key.u.ipv4.dst;
 		else
 			regs->verdict.code = NFT_BREAK;
-- 
1.8.3.1



* [PATCH nf-next 4/5] netfilter: nft_tunnel: support NFT_TUNNEL_IPV6_SRC/DST match
  2019-10-24 10:35 [PATCH nf-next 0/5] netfilter: nft_tunnel: support tunnel match expr offload wenxu
                   ` (2 preceding siblings ...)
  2019-10-24 10:35 ` [PATCH nf-next 3/5] netfilter: nft_tunnel: add inet type check in nft_tunnel_mode_validate wenxu
@ 2019-10-24 10:35 ` wenxu
  2019-11-15 22:56   ` Pablo Neira Ayuso
  2019-10-24 10:35 ` [PATCH nf-next 5/5] netfilter: nft_tunnel: add nft_tunnel_get_offload support wenxu
  4 siblings, 1 reply; 10+ messages in thread
From: wenxu @ 2019-10-24 10:35 UTC (permalink / raw)
  To: pablo, fw; +Cc: netfilter-devel

From: wenxu <wenxu@ucloud.cn>

Add two new matches, NFT_TUNNEL_IPV6_SRC and NFT_TUNNEL_IPV6_DST, to nft_tunnel.

Signed-off-by: wenxu <wenxu@ucloud.cn>
---
 include/uapi/linux/netfilter/nf_tables.h |  2 ++
 net/netfilter/nft_tunnel.c               | 28 ++++++++++++++++++++++++++++
 2 files changed, 30 insertions(+)

diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 7f65019..584868d 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -1777,6 +1777,8 @@ enum nft_tunnel_keys {
 	NFT_TUNNEL_ID,
 	NFT_TUNNEL_IPV4_SRC,
 	NFT_TUNNEL_IPV4_DST,
+	NFT_TUNNEL_IPV6_SRC,
+	NFT_TUNNEL_IPV6_DST,
 	__NFT_TUNNEL_MAX
 };
 #define NFT_TUNNEL_MAX	(__NFT_TUNNEL_MAX - 1)
diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
index 580b51b..0a3005d 100644
--- a/net/netfilter/nft_tunnel.c
+++ b/net/netfilter/nft_tunnel.c
@@ -96,6 +96,30 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr,
 		else
 			regs->verdict.code = NFT_BREAK;
 		break;
+	case NFT_TUNNEL_IPV6_SRC:
+		if (!tun_info) {
+			regs->verdict.code = NFT_BREAK;
+			return;
+		}
+		if (nft_tunnel_mode_validate(priv->mode, tun_info->mode,
+					     NFT_INET_IPV6_TYPE))
+			memcpy(dest, &tun_info->key.u.ipv6.src,
+			       sizeof(struct in6_addr));
+		else
+			regs->verdict.code = NFT_BREAK;
+		break;
+	case NFT_TUNNEL_IPV6_DST:
+		if (!tun_info) {
+			regs->verdict.code = NFT_BREAK;
+			return;
+		}
+		if (nft_tunnel_mode_validate(priv->mode, tun_info->mode,
+					     NFT_INET_IPV6_TYPE))
+			memcpy(dest, &tun_info->key.u.ipv6.dst,
+			       sizeof(struct in6_addr));
+		else
+			regs->verdict.code = NFT_BREAK;
+		break;
 	default:
 		WARN_ON(1);
 		regs->verdict.code = NFT_BREAK;
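Review bot: The two `memcpy(dest, ..., sizeof(struct in6_addr))` calls write 16 bytes starting at `regs->data[priv->dreg]`, and the only thing that bounds that write is the `len = sizeof(struct in6_addr)` case added to nft_tunnel_get_init in the next hunk. That length is presumably passed to the register-store validation, which is not visible here. A comment at the copy, for example `/* dreg was validated for sizeof(struct in6_addr) in nft_tunnel_get_init() */`, would tie the two together. A future key added to eval without a matching init length would then be caught in review instead of writing past the register the rule was validated for. nft_tunnel_get_eval starts and ends outside the hunk.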
@@ -129,6 +153,10 @@ static int nft_tunnel_get_init(const struct nft_ctx *ctx,
 	case NFT_TUNNEL_IPV4_DST:
 		len = sizeof(u32);
 		break;
+	case NFT_TUNNEL_IPV6_SRC:
+	case NFT_TUNNEL_IPV6_DST:
+		len = sizeof(struct in6_addr);
+		break;
 	default:
 		return -EOPNOTSUPP;
 	}
-- 
1.8.3.1



* [PATCH nf-next 5/5] netfilter: nft_tunnel: add nft_tunnel_get_offload support
  2019-10-24 10:35 [PATCH nf-next 0/5] netfilter: nft_tunnel: support tunnel match expr offload wenxu
                   ` (3 preceding siblings ...)
  2019-10-24 10:35 ` [PATCH nf-next 4/5] netfilter: nft_tunnel: support NFT_TUNNEL_IPV6_SRC/DST match wenxu
@ 2019-10-24 10:35 ` wenxu
  4 siblings, 0 replies; 10+ messages in thread
From: wenxu @ 2019-10-24 10:35 UTC (permalink / raw)
  To: pablo, fw; +Cc: netfilter-devel

From: wenxu <wenxu@ucloud.cn>

Add tunnel meta match offload. Currently supported keys are NFT_TUNNEL_ID,
NFT_TUNNEL_IPV4_SRC/DST and NFT_TUNNEL_IPV6_SRC/DST.

Signed-off-by: wenxu <wenxu@ucloud.cn>
---
 include/net/netfilter/nf_tables_offload.h |  5 ++++
 net/netfilter/nft_tunnel.c                | 41 +++++++++++++++++++++++++++++++
 2 files changed, 46 insertions(+)

diff --git a/include/net/netfilter/nf_tables_offload.h b/include/net/netfilter/nf_tables_offload.h
index 03cf585..f99653b 100644
--- a/include/net/netfilter/nf_tables_offload.h
+++ b/include/net/netfilter/nf_tables_offload.h
@@ -45,6 +45,11 @@ struct nft_flow_key {
 	struct flow_dissector_key_ip			ip;
 	struct flow_dissector_key_vlan			vlan;
 	struct flow_dissector_key_eth_addrs		eth_addrs;
+	struct flow_dissector_key_keyid			enc_key_id;
+	union {
+		struct flow_dissector_key_ipv4_addrs	enc_ipv4;
+		struct flow_dissector_key_ipv6_addrs	enc_ipv6;
+	};
 } __aligned(BITS_PER_LONG / 8); /* Ensure that we can do comparisons as longs. */
 
 struct nft_flow_match {
diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
index 0a3005d..abfff56 100644
--- a/net/netfilter/nft_tunnel.c
+++ b/net/netfilter/nft_tunnel.c
@@ -11,6 +11,7 @@
 #include <net/ip_tunnels.h>
 #include <net/vxlan.h>
 #include <net/erspan.h>
+#include <net/netfilter/nf_tables_offload.h>
 
 struct nft_tunnel {
 	enum nft_tunnel_keys	key:8;
@@ -192,6 +193,45 @@ static int nft_tunnel_get_dump(struct sk_buff *skb,
 	return -1;
 }
 
+static int nft_tunnel_get_offload(struct nft_offload_ctx *ctx,
+				  struct nft_flow_rule *flow,
+				  const struct nft_expr *expr)
+{
+	const struct nft_tunnel *priv = nft_expr_priv(expr);
+	struct nft_offload_reg *reg = &ctx->regs[priv->dreg];
+
+	if (priv->mode == NFT_TUNNEL_MODE_TX)
+		return -EOPNOTSUPP;
+
+	switch (priv->key) {
+	case NFT_TUNNEL_ID:
+		NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_ENC_KEYID, enc_key_id,
+				  keyid, sizeof(__u32), reg);
+		break;
+	case NFT_TUNNEL_IPV4_SRC:
+		NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_ENC_IPV4_ADDRS, enc_ipv4,
+				  src, sizeof(__u32), reg);
+		break;
+	case NFT_TUNNEL_IPV4_DST:
+		NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_ENC_IPV4_ADDRS, enc_ipv4,
+				  dst, sizeof(__u32), reg);
+		break;
+	case NFT_TUNNEL_IPV6_SRC:
+		NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_ENC_IPV6_ADDRS, enc_ipv6,
+				  src, sizeof(struct in6_addr), reg);
+		break;
+	case NFT_TUNNEL_IPV6_DST:
+		NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_ENC_IPV6_ADDRS, enc_ipv6,
+				  dst, sizeof(struct in6_addr), reg);
+		break;
+	case NFT_TUNNEL_PATH:
+	default:
+		return -EOPNOTSUPP;
+	}
+
+	return 0;
+}
+
 static struct nft_expr_type nft_tunnel_type;
 static const struct nft_expr_ops nft_tunnel_get_ops = {
 	.type		= &nft_tunnel_type,
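Review bot: The NFT_TUNNEL_ID case in nft_tunnel_get_offload exposes the register as `enc_key_id.keyid`, but the software path in nft_tunnel_get_eval loads that register with `ntohl(tunnel_id_to_key32(...))`. The value a rule compares against is therefore in host byte order, while the flow dissector keyid is, as far as I know, a `__be32`. On a little-endian host the offloaded rule would then match a different tunnel id than the software rule, a silent divergence between the two datapaths. The ID case looks like it needs a byte-order conversion before the value reaches the flow rule, or should return `-EOPNOTSUPP` until one exists. Separately, the address cases set FLOW_DISSECTOR_KEY_ENC_IPV4_ADDRS and FLOW_DISSECTOR_KEY_ENC_IPV6_ADDRS without an accompanying FLOW_DISSECTOR_KEY_ENC_CONTROL address type, which drivers may rely on to pick the family; this is worth confirming against a driver so the hardware match is not broader than the software one.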
@@ -199,6 +239,7 @@ static int nft_tunnel_get_dump(struct sk_buff *skb,
 	.eval		= nft_tunnel_get_eval,
 	.init		= nft_tunnel_get_init,
 	.dump		= nft_tunnel_get_dump,
+	.offload	= nft_tunnel_get_offload,
 };
 
 static struct nft_expr_type nft_tunnel_type __read_mostly = {
-- 
1.8.3.1



* Re: [PATCH nf-next 2/5] netfilter: nft_tunnel: support NFT_TUNNEL_IPV4_SRC/DST match
  2019-10-24 10:35 ` [PATCH nf-next 2/5] netfilter: nft_tunnel: support NFT_TUNNEL_IPV4_SRC/DST match wenxu
@ 2019-10-27 10:32   ` kbuild test robot
  0 siblings, 0 replies; 10+ messages in thread
From: kbuild test robot @ 2019-10-27 10:32 UTC (permalink / raw)
  To: wenxu; +Cc: kbuild-all, pablo, fw, netfilter-devel

Hi,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on nf-next/master]

url:    https://github.com/0day-ci/linux/commits/wenxu-ucloud-cn/netfilter-nft_tunnel-support-tunnel-match-expr-offload/20191027-152013
base:   https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
reproduce:
        # apt-get install sparse
        # sparse version: v0.6.1-dirty
        make ARCH=x86_64 allmodconfig
        make C=1 CF='-fdiagnostic-prefix -D__CHECK_ENDIAN__'

If you fix the issue, kindly add following tag
Reported-by: kbuild test robot <lkp@intel.com>


sparse warnings: (new ones prefixed by >>)

>> net/netfilter/nft_tunnel.c:71:31: sparse: sparse: incorrect type in assignment (different base types) @@    expected unsigned int [usertype] @@    got restrunsigned int [usertype] @@
>> net/netfilter/nft_tunnel.c:71:31: sparse:    expected unsigned int [usertype]
>> net/netfilter/nft_tunnel.c:71:31: sparse:    got restricted __be32 [usertype] src
   net/netfilter/nft_tunnel.c:81:31: sparse: sparse: incorrect type in assignment (different base types) @@    expected unsigned int [usertype] @@    got restrunsigned int [usertype] @@
   net/netfilter/nft_tunnel.c:81:31: sparse:    expected unsigned int [usertype]
>> net/netfilter/nft_tunnel.c:81:31: sparse:    got restricted __be32 [usertype] dst
   net/netfilter/nft_tunnel.c:531:54: sparse: sparse: cast from restricted __be16
   net/netfilter/nft_tunnel.c:531:54: sparse: sparse: incorrect type in argument 1 (different base types) @@    expected unsigned short [usertype] val @@    got resunsigned short [usertype] val @@
   net/netfilter/nft_tunnel.c:531:54: sparse:    expected unsigned short [usertype] val
   net/netfilter/nft_tunnel.c:531:54: sparse:    got restricted __be16 [usertype] tp_src
   net/netfilter/nft_tunnel.c:531:54: sparse: sparse: cast from restricted __be16
   net/netfilter/nft_tunnel.c:531:54: sparse: sparse: cast from restricted __be16
   net/netfilter/nft_tunnel.c:532:54: sparse: sparse: cast from restricted __be16
   net/netfilter/nft_tunnel.c:532:54: sparse: sparse: incorrect type in argument 1 (different base types) @@    expected unsigned short [usertype] val @@    got resunsigned short [usertype] val @@
   net/netfilter/nft_tunnel.c:532:54: sparse:    expected unsigned short [usertype] val
   net/netfilter/nft_tunnel.c:532:54: sparse:    got restricted __be16 [usertype] tp_dst
   net/netfilter/nft_tunnel.c:532:54: sparse: sparse: cast from restricted __be16
   net/netfilter/nft_tunnel.c:532:54: sparse: sparse: cast from restricted __be16

vim +71 net/netfilter/nft_tunnel.c

    33	
    34	static void nft_tunnel_get_eval(const struct nft_expr *expr,
    35					struct nft_regs *regs,
    36					const struct nft_pktinfo *pkt)
    37	{
    38		const struct nft_tunnel *priv = nft_expr_priv(expr);
    39		u32 *dest = &regs->data[priv->dreg];
    40		struct ip_tunnel_info *tun_info;
    41	
    42		tun_info = skb_tunnel_info(pkt->skb);
    43	
    44		switch (priv->key) {
    45		case NFT_TUNNEL_PATH:
    46			if (!tun_info) {
    47				nft_reg_store8(dest, false);
    48				return;
    49			}
    50			if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
    51				nft_reg_store8(dest, true);
    52			else
    53				nft_reg_store8(dest, false);
    54			break;
    55		case NFT_TUNNEL_ID:
    56			if (!tun_info) {
    57				regs->verdict.code = NFT_BREAK;
    58				return;
    59			}
    60			if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
    61				*dest = ntohl(tunnel_id_to_key32(tun_info->key.tun_id));
    62			else
    63				regs->verdict.code = NFT_BREAK;
    64			break;
    65		case NFT_TUNNEL_IPV4_SRC:
    66			if (!tun_info) {
    67				regs->verdict.code = NFT_BREAK;
    68				return;
    69			}
    70			if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
  > 71				*dest = tun_info->key.u.ipv4.src;
    72			else
    73				regs->verdict.code = NFT_BREAK;
    74			break;
    75		case NFT_TUNNEL_IPV4_DST:
    76			if (!tun_info) {
    77				regs->verdict.code = NFT_BREAK;
    78				return;
    79			}
    80			if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
  > 81				*dest = tun_info->key.u.ipv4.dst;
    82			else
    83				regs->verdict.code = NFT_BREAK;
    84			break;
    85		default:
    86			WARN_ON(1);
    87			regs->verdict.code = NFT_BREAK;
    88		}
    89	}
    90	

---
0-DAY kernel test infrastructure                Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all                   Intel Corporation


* Re: [PATCH nf-next 1/5] netfilter: nft_tunnel: add nft_tunnel_mode_validate function
  2019-10-24 10:35 ` [PATCH nf-next 1/5] netfilter: nft_tunnel: add nft_tunnel_mode_validate function wenxu
@ 2019-11-15 22:52   ` Pablo Neira Ayuso
  0 siblings, 0 replies; 10+ messages in thread
From: Pablo Neira Ayuso @ 2019-11-15 22:52 UTC (permalink / raw)
  To: wenxu; +Cc: fw, netfilter-devel

On Thu, Oct 24, 2019 at 06:35:32PM +0800, wenxu@ucloud.cn wrote:
> From: wenxu <wenxu@ucloud.cn>
> 
> Move mode validate  common code to nft_tunnel_mode_validate
> function.
> 
> Signed-off-by: wenxu <wenxu@ucloud.cn>
> ---
>  net/netfilter/nft_tunnel.c | 25 +++++++++++++++----------
>  1 file changed, 15 insertions(+), 10 deletions(-)
> 
> diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
> index 3d4c2ae..78b6e8f 100644
> --- a/net/netfilter/nft_tunnel.c
> +++ b/net/netfilter/nft_tunnel.c
> @@ -18,6 +18,19 @@ struct nft_tunnel {
>  	enum nft_tunnel_mode	mode:8;
>  };
>  
> +static bool nft_tunnel_mode_validate(enum nft_tunnel_mode priv_mode,
> +				     u8 tun_mode)
> +{
> +	if (priv_mode == NFT_TUNNEL_MODE_NONE ||
> +	    (priv_mode == NFT_TUNNEL_MODE_RX &&
> +	     !(tun_mode & IP_TUNNEL_INFO_TX)) ||
> +	    (priv_mode == NFT_TUNNEL_MODE_TX &&
> +	     (tun_mode & IP_TUNNEL_INFO_TX)))
> +		return true;
> +
> +	return false;
> +}
> +
>  static void nft_tunnel_get_eval(const struct nft_expr *expr,
>  				struct nft_regs *regs,
>  				const struct nft_pktinfo *pkt)
> @@ -34,11 +47,7 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr,
>  			nft_reg_store8(dest, false);
>  			return;
>  		}
> -		if (priv->mode == NFT_TUNNEL_MODE_NONE ||
> -		    (priv->mode == NFT_TUNNEL_MODE_RX &&
> -		     !(tun_info->mode & IP_TUNNEL_INFO_TX)) ||
> -		    (priv->mode == NFT_TUNNEL_MODE_TX &&
> -		     (tun_info->mode & IP_TUNNEL_INFO_TX)))
> +		if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
>  			nft_reg_store8(dest, true);
>  		else
>  			nft_reg_store8(dest, false);

Probably simplify this?

        nft_reg_store8(dest, nft_tunnel_mode_match(priv->mode, tun_info->mode));

The idea is that nft_tunnel_mode_match() returns u8 to store 0 / 1 on
the register.

> @@ -48,11 +57,7 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr,
>  			regs->verdict.code = NFT_BREAK;
>  			return;
>  		}
> -		if (priv->mode == NFT_TUNNEL_MODE_NONE ||
> -		    (priv->mode == NFT_TUNNEL_MODE_RX &&
> -		     !(tun_info->mode & IP_TUNNEL_INFO_TX)) ||
> -		    (priv->mode == NFT_TUNNEL_MODE_TX &&
> -		     (tun_info->mode & IP_TUNNEL_INFO_TX)))
> +		if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
>  			*dest = ntohl(tunnel_id_to_key32(tun_info->key.tun_id));
>  		else
>  			regs->verdict.code = NFT_BREAK;
> -- 
> 1.8.3.1
> 


* Re: [PATCH nf-next 3/5] netfilter: nft_tunnel: add inet type check in nft_tunnel_mode_validate
  2019-10-24 10:35 ` [PATCH nf-next 3/5] netfilter: nft_tunnel: add inet type check in nft_tunnel_mode_validate wenxu
@ 2019-11-15 22:55   ` Pablo Neira Ayuso
  0 siblings, 0 replies; 10+ messages in thread
From: Pablo Neira Ayuso @ 2019-11-15 22:55 UTC (permalink / raw)
  To: wenxu; +Cc: fw, netfilter-devel

On Thu, Oct 24, 2019 at 06:35:34PM +0800, wenxu@ucloud.cn wrote:
> From: wenxu <wenxu@ucloud.cn>
> 
> Add ipv6 tunnel check in nft_tunnel_mode_validate.
> 
> Signed-off-by: wenxu <wenxu@ucloud.cn>
> ---
>  net/netfilter/nft_tunnel.c | 24 +++++++++++++++++++-----
>  1 file changed, 19 insertions(+), 5 deletions(-)
> 
> diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
> index b60e855..580b51b 100644
> --- a/net/netfilter/nft_tunnel.c
> +++ b/net/netfilter/nft_tunnel.c
> @@ -18,9 +18,19 @@ struct nft_tunnel {
>  	enum nft_tunnel_mode	mode:8;
>  };
>  
> +enum nft_inet_type {
> +	NFT_INET_NONE_TYPE,
> +	NFT_INET_IPV4_TYPE,
> +	NFT_INET_IPV6_TYPE,
> +};
> +
>  static bool nft_tunnel_mode_validate(enum nft_tunnel_mode priv_mode,
> -				     u8 tun_mode)
> +				     u8 tun_mode, enum nft_inet_type type)
>  {
> +	if ((type == NFT_INET_IPV6_TYPE && !(tun_mode & IP_TUNNEL_INFO_IPV6)) ||
> +	    (type == NFT_INET_IPV4_TYPE && (tun_mode & IP_TUNNEL_INFO_IPV6)))
> +		return false;
> +
>  	if (priv_mode == NFT_TUNNEL_MODE_NONE ||
>  	    (priv_mode == NFT_TUNNEL_MODE_RX &&
>  	     !(tun_mode & IP_TUNNEL_INFO_TX)) ||
> @@ -47,7 +57,8 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr,
>  			nft_reg_store8(dest, false);
>  			return;
>  		}
> -		if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
> +		if (nft_tunnel_mode_validate(priv->mode, tun_info->mode,
> +					     NFT_INET_NONE_TYPE))
>  			nft_reg_store8(dest, true);
>  		else
>  			nft_reg_store8(dest, false);
> @@ -57,7 +68,8 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr,
>  			regs->verdict.code = NFT_BREAK;
>  			return;
>  		}
> -		if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
> +		if (nft_tunnel_mode_validate(priv->mode, tun_info->mode,
> +					     NFT_INET_NONE_TYPE))
>  			*dest = ntohl(tunnel_id_to_key32(tun_info->key.tun_id));
>  		else
>  			regs->verdict.code = NFT_BREAK;
> @@ -67,7 +79,8 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr,
>  			regs->verdict.code = NFT_BREAK;
>  			return;
>  		}
> -		if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
> +		if (nft_tunnel_mode_validate(priv->mode, tun_info->mode,
> +					     NFT_INET_IPV4_TYPE))

Add nft_tunnel_mode_match_ip() that wraps on nft_tunnel_mode_match()
that I proposed on patch 1/5.

>  			*dest = tun_info->key.u.ipv4.src;
>  		else
>  			regs->verdict.code = NFT_BREAK;
> @@ -77,7 +90,8 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr,
>  			regs->verdict.code = NFT_BREAK;
>  			return;
>  		}
> -		if (nft_tunnel_mode_validate(priv->mode, tun_info->mode))
> +		if (nft_tunnel_mode_validate(priv->mode, tun_info->mode,
> +					     NFT_INET_IPV4_TYPE))
>  			*dest = tun_info->key.u.ipv4.dst;
>  		else
>  			regs->verdict.code = NFT_BREAK;
> -- 
> 1.8.3.1
> 


* Re: [PATCH nf-next 4/5] netfilter: nft_tunnel: support NFT_TUNNEL_IPV6_SRC/DST match
  2019-10-24 10:35 ` [PATCH nf-next 4/5] netfilter: nft_tunnel: support NFT_TUNNEL_IPV6_SRC/DST match wenxu
@ 2019-11-15 22:56   ` Pablo Neira Ayuso
  0 siblings, 0 replies; 10+ messages in thread
From: Pablo Neira Ayuso @ 2019-11-15 22:56 UTC (permalink / raw)
  To: wenxu; +Cc: fw, netfilter-devel

On Thu, Oct 24, 2019 at 06:35:35PM +0800, wenxu@ucloud.cn wrote:
> From: wenxu <wenxu@ucloud.cn>
> 
> Add new two NFT_TUNNEL_IPV6_SRC/DST match in nft_tunnel
> 
> Signed-off-by: wenxu <wenxu@ucloud.cn>
> ---
>  include/uapi/linux/netfilter/nf_tables.h |  2 ++
>  net/netfilter/nft_tunnel.c               | 28 ++++++++++++++++++++++++++++
>  2 files changed, 30 insertions(+)
> 
> diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
> index 7f65019..584868d 100644
> --- a/include/uapi/linux/netfilter/nf_tables.h
> +++ b/include/uapi/linux/netfilter/nf_tables.h
> @@ -1777,6 +1777,8 @@ enum nft_tunnel_keys {
>  	NFT_TUNNEL_ID,
>  	NFT_TUNNEL_IPV4_SRC,
>  	NFT_TUNNEL_IPV4_DST,
> +	NFT_TUNNEL_IPV6_SRC,
> +	NFT_TUNNEL_IPV6_DST,
>  	__NFT_TUNNEL_MAX
>  };
>  #define NFT_TUNNEL_MAX	(__NFT_TUNNEL_MAX - 1)
> diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
> index 580b51b..0a3005d 100644
> --- a/net/netfilter/nft_tunnel.c
> +++ b/net/netfilter/nft_tunnel.c
> @@ -96,6 +96,30 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr,
>  		else
>  			regs->verdict.code = NFT_BREAK;
>  		break;
> +	case NFT_TUNNEL_IPV6_SRC:
> +		if (!tun_info) {
> +			regs->verdict.code = NFT_BREAK;
> +			return;
> +		}
> +		if (nft_tunnel_mode_validate(priv->mode, tun_info->mode,
> +					     NFT_INET_IPV6_TYPE))

And here, add nft_tunnel_mode_match_ip6().

> +			memcpy(dest, &tun_info->key.u.ipv6.src,
> +			       sizeof(struct in6_addr));
> +		else
> +			regs->verdict.code = NFT_BREAK;
> +		break;
> +	case NFT_TUNNEL_IPV6_DST:
> +		if (!tun_info) {
> +			regs->verdict.code = NFT_BREAK;
> +			return;
> +		}
> +		if (nft_tunnel_mode_validate(priv->mode, tun_info->mode,
> +					     NFT_INET_IPV6_TYPE))
> +			memcpy(dest, &tun_info->key.u.ipv6.dst,
> +			       sizeof(struct in6_addr));
> +		else
> +			regs->verdict.code = NFT_BREAK;
> +		break;
>  	default:
>  		WARN_ON(1);
>  		regs->verdict.code = NFT_BREAK;
> @@ -129,6 +153,10 @@ static int nft_tunnel_get_init(const struct nft_ctx *ctx,
>  	case NFT_TUNNEL_IPV4_DST:
>  		len = sizeof(u32);
>  		break;
> +	case NFT_TUNNEL_IPV6_SRC:
> +	case NFT_TUNNEL_IPV6_DST:
> +		len = sizeof(struct in6_addr);
> +		break;
>  	default:
>  		return -EOPNOTSUPP;
>  	}
> -- 
> 1.8.3.1
> 

