* [PATCH iptables-nft 1/2] nft: support ttl/hoplimit dissection
From: Florian Westphal @ 2022-09-12 8:58 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
Translate raw "nft ... ttl eq 1" and similar comparisons to the ttl/hl matches.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
iptables/nft-ipv4.c | 3 ++
iptables/nft-ipv6.c | 3 ++
iptables/nft-shared.c | 68 +++++++++++++++++++++++++++++++++++++++++++
iptables/nft-shared.h | 2 ++
4 files changed, 76 insertions(+)
diff --git a/iptables/nft-ipv4.c b/iptables/nft-ipv4.c
index 59c4a41f1a05..1865d1515296 100644
--- a/iptables/nft-ipv4.c
+++ b/iptables/nft-ipv4.c
@@ -206,6 +206,9 @@ static void nft_ipv4_parse_payload(struct nft_xt_ctx *ctx,
if (inv)
cs->fw.ip.invflags |= IPT_INV_FRAG;
break;
+ case offsetof(struct iphdr, ttl):
+ nft_parse_hl(ctx, e, cs);
+ break;
default:
DEBUGP("unknown payload offset %d\n", ctx->payload.offset);
break;
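Review bot: The return value of nft_parse_hl is dropped at the new `nft_parse_hl(ctx, e, cs);` call, although the function returns -1 for an unsupported cmp op, for the unrepresentable `<= 255` / `>= 0` bounds and when the match cannot be created. In those cases the rule is presumably rendered without its ttl condition and nothing flags the omission, which makes a listed ruleset look more permissive or stricter than what the kernel actually holds. Consider at least `if (nft_parse_hl(ctx, e, cs) < 0) DEBUGP("cannot translate ttl cmp\n");` so the failure is visible. The same applies to the nft-ipv6.c hunk. nft_ipv4_parse_payload begins outside the hunk.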
diff --git a/iptables/nft-ipv6.c b/iptables/nft-ipv6.c
index 9a29d18bc215..0ab1f9719344 100644
--- a/iptables/nft-ipv6.c
+++ b/iptables/nft-ipv6.c
@@ -169,6 +169,9 @@ static void nft_ipv6_parse_payload(struct nft_xt_ctx *ctx,
cs->fw6.ipv6.proto = proto;
if (inv)
cs->fw6.ipv6.invflags |= IP6T_INV_PROTO;
+ case offsetof(struct ip6_hdr, ip6_hlim):
+ nft_parse_hl(ctx, e, cs);
+ break;
default:
DEBUGP("unknown payload offset %d\n", ctx->payload.offset);
break;
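Review bot: The new `case offsetof(struct ip6_hdr, ip6_hlim):` is reached by fall-through from the preceding ip6_nxt case, because the context lines above it (`cs->fw6.ipv6.proto = proto;` and the `if (inv)` update) end without a `break;`, whereas the IPv4 hunk has one at the same spot. After a protocol comparison the code would therefore also call nft_parse_hl on the proto cmp expression and presumably attach a spurious ttl/hl match built from the protocol value. Before this patch the fall-through only reached the DEBUGP in `default` and was harmless; add `break;` immediately before the new case. nft_ipv6_parse_payload begins outside the hunk.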
diff --git a/iptables/nft-shared.c b/iptables/nft-shared.c
index 79c93fe82c60..71e2f18dab92 100644
--- a/iptables/nft-shared.c
+++ b/iptables/nft-shared.c
@@ -27,6 +27,8 @@
#include <linux/netfilter/xt_mark.h>
#include <linux/netfilter/xt_pkttype.h>
+#include <linux/netfilter_ipv6/ip6t_hl.h>
+
#include <libmnl/libmnl.h>
#include <libnftnl/rule.h>
#include <libnftnl/expr.h>
@@ -1449,3 +1451,69 @@ void nft_check_xt_legacy(int family, bool is_ipt_save)
prefix, prefix, is_ipt_save ? "-save" : "");
fclose(fp);
}
+
+int nft_parse_hl(struct nft_xt_ctx *ctx,
+ struct nftnl_expr *e,
+ struct iptables_command_state *cs)
+{
+ struct xtables_match *match;
+ struct ip6t_hl_info *info;
+ uint8_t hl, mode;
+ int op;
+
+ hl = nftnl_expr_get_u8(e, NFTNL_EXPR_CMP_DATA);
+ op = nftnl_expr_get_u32(e, NFTNL_EXPR_CMP_OP);
+
+ switch (op) {
+ case NFT_CMP_NEQ:
+ mode = IP6T_HL_NE;
+ break;
+ case NFT_CMP_EQ:
+ mode = IP6T_HL_EQ;
+ break;
+ case NFT_CMP_LT:
+ mode = IP6T_HL_LT;
+ break;
+ case NFT_CMP_GT:
+ mode = IP6T_HL_GT;
+ break;
+ case NFT_CMP_LTE:
+ mode = IP6T_HL_LT;
+ if (hl == 255)
+ return -1;
+ hl++;
+ break;
+ case NFT_CMP_GTE:
+ mode = IP6T_HL_GT;
+ if (hl == 0)
+ return -1;
+ hl--;
+ break;
+ default:
+ return -1;
+ }
+
+ /* ipt_ttl_info and ip6t_hl_info have same layout,
+ * IPT_TTL_x and IP6T_HL_x are aliases as well, so
+ * just use HL for both ipv4 and ipv6.
+ */
+ switch (ctx->h->family) {
+ case NFPROTO_IPV4:
+ match = nft_create_match(ctx, ctx->cs, "ttl");
+ break;
+ case NFPROTO_IPV6:
+ match = nft_create_match(ctx, ctx->cs, "hl");
+ break;
+ default:
+ return -1;
+ }
+
+ if (!match)
+ return -1;
+
+ info = (void*)match->m->data;
+ info->hop_limit = hl;
+ info->mode = mode;
+
+ return 0;
+}
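Review bot: The `cs` parameter of nft_parse_hl is never used; both nft_create_match calls pass `ctx->cs` instead. Either drop the parameter (adjusting the prototype and the two callers) or pass `cs` through to nft_create_match, so there is a single source for the command state and the callers' argument actually matters. The function also has no header comment; something like `/* Translate a cmp on the ttl/hop-limit byte into a "ttl" (IPv4) or "hl" (IPv6) match. Returns 0 on success, -1 if the comparison cannot be expressed (unsupported op, <= 255, >= 0) or the match cannot be created. */` would document the -1 contract callers must honour. Minor: `(void*)match->m->data` should be `(void *)`, as the companion nft.c patch writes it.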
diff --git a/iptables/nft-shared.h b/iptables/nft-shared.h
index b04049047116..0718dc23e8b7 100644
--- a/iptables/nft-shared.h
+++ b/iptables/nft-shared.h
@@ -212,6 +212,8 @@ void xtables_restore_parse(struct nft_handle *h,
void nft_check_xt_legacy(int family, bool is_ipt_save);
+int nft_parse_hl(struct nft_xt_ctx *ctx, struct nftnl_expr *e, struct iptables_command_state *cs);
+
#define min(x, y) ((x) < (y) ? (x) : (y))
#define max(x, y) ((x) > (y) ? (x) : (y))
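Review bot: The added prototype `int nft_parse_hl(struct nft_xt_ctx *ctx, struct nftnl_expr *e, struct iptables_command_state *cs);` runs well past 80 columns, while the definition in nft-shared.c wraps one parameter per line and the neighbouring `xtables_restore_parse` prototype (visible in the hunk header) is wrapped too. Wrapping the declaration the same way keeps the header consistent.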
--
2.37.3
* [PATCH iptables] tests: add ebtables among testcase
From: Florian Westphal @ 2022-09-12 8:58 UTC (permalink / raw)
To: netfilter-devel; +Cc: Yi Chen, Florian Westphal
From: Yi Chen <yiche@redhat.com>
Validate that matching works as expected.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
.../testcases/ebtables/0008-ebtables-among_0 | 98 +++++++++++++++++++
1 file changed, 98 insertions(+)
create mode 100755 iptables/tests/shell/testcases/ebtables/0008-ebtables-among_0
diff --git a/iptables/tests/shell/testcases/ebtables/0008-ebtables-among_0 b/iptables/tests/shell/testcases/ebtables/0008-ebtables-among_0
new file mode 100755
index 000000000000..b5df972559e4
--- /dev/null
+++ b/iptables/tests/shell/testcases/ebtables/0008-ebtables-among_0
@@ -0,0 +1,98 @@
+#!/bin/sh
+
+case "$XT_MULTI" in
+*xtables-nft-multi)
+ ;;
+*)
+ echo "skip $XT_MULTI"
+ exit 0
+ ;;
+esac
+
+sfx=$(mktemp -u "XXXXXXXX")
+nsa="nsa-$sfx"
+nsb="nsb-$sfx"
+nsc="nsc-$sfx"
+
+cleanup()
+{
+ ip netns del "$nsa"
+ ip netns del "$nsb"
+ ip netns del "$nsc"
+}
+
+trap cleanup EXIT
+
+assert_fail()
+{
+ if [ $1 -eq 0 ]; then
+ echo "FAILED: $2"
+ exit 1
+ fi
+}
+
+assert_pass()
+{
+ if [ $1 -ne 0 ]; then
+ echo "FAILED: $2"
+ exit 2
+ fi
+}
+
+ip netns add "$nsa"
+ip netns add "$nsb"
+ip netns add "$nsc"
+
+ip link add name c_b netns "$nsc" type veth peer name b_c netns "$nsb"
+ip link add name s_b netns "$nsa" type veth peer name b_s netns "$nsb"
+ip netns exec "$nsb" ip link add name br0 type bridge
+
+ip -net "$nsb" link set b_c up
+ip netns exec "$nsb" ip link set b_s up
+ip netns exec "$nsb" ip addr add 10.167.11.254/24 dev br0
+ip netns exec "$nsb" ip link set br0 up
+ip netns exec "$nsb" ip link set b_c master br0
+ip netns exec "$nsb" ip link set b_s master br0
+ip netns exec "$nsc" ip addr add 10.167.11.2/24 dev c_b
+ip netns exec "$nsc" ip link set c_b up
+ip -net "$nsa" addr add 10.167.11.1/24 dev s_b
+ip -net "$nsa" link set s_b up
+
+ip netns exec "$nsc" ping -q 10.167.11.1 -c1 >/dev/null || exit 1
+
+bf_bridge_mac1=`ip netns exec "$nsb" cat /sys/class/net/b_s/address`
+bf_bridge_mac0=`ip netns exec "$nsb" cat /sys/class/net/b_c/address`
+bf_client_mac1=`ip netns exec "$nsc" cat /sys/class/net/c_b/address`
+bf_server_mac1=`ip netns exec "$nsa" cat /sys/class/net/s_b/address`
+
+bf_server_ip1="10.167.11.1"
+bf_bridge_ip0="10.167.11.254"
+bf_client_ip1="10.167.11.2"
+pktsize=64
+
+# --among-src [mac,IP]
+ip netns exec "$nsb" $XT_MULTI ebtables -F
+ip netns exec "$nsb" $XT_MULTI ebtables -A FORWARD -p ip --ip-dst $bf_server_ip1 --among-src $bf_bridge_mac0=$bf_bridge_ip0,$bf_client_mac1=$bf_client_ip1 -j DROP > /dev/null
+ip netns exec "$nsc" ping -q $bf_server_ip1 -c 1 -s $pktsize -W 1 >/dev/null
+assert_fail $? "--among-src [match]"
+
+# ip netns exec "$nsb" $XT_MULTI ebtables -L --Ln --Lc
+
+ip netns exec "$nsb" $XT_MULTI ebtables -F
+ip netns exec "$nsb" $XT_MULTI ebtables -A FORWARD -p ip --ip-dst $bf_server_ip1 --among-src ! $bf_bridge_mac0=$bf_bridge_ip0,$bf_client_mac1=$bf_client_ip1 -j DROP > /dev/null
+ip netns exec "$nsc" ping $bf_server_ip1 -c 1 -s $pktsize -W 1 >/dev/null
+assert_pass $? "--among-src [not match]"
+
+# --among-dst [mac,IP]
+ip netns exec "$nsb" $XT_MULTI ebtables -F
+ip netns exec "$nsb" $XT_MULTI ebtables -A FORWARD -p ip --ip-src $bf_client_ip1 --among-dst $bf_client_mac1=$bf_client_ip1,$bf_server_mac1=$bf_server_ip1 -j DROP > /dev/null
+ip netns exec "$nsc" ping -q $bf_server_ip1 -c 1 -s $pktsize -W 1 > /dev/null
+assert_fail $? "--among-dst [match]"
+
+# --among-dst ! [mac,IP]
+ip netns exec "$nsb" $XT_MULTI ebtables -F
+ip netns exec "$nsb" $XT_MULTI ebtables -A FORWARD -p ip --ip-src $bf_client_ip1 --among-dst ! $bf_client_mac1=$bf_client_ip1,$bf_server_mac1=$bf_server_ip1 -j DROP > /dev/null
+ip netns exec "$nsc" ping -q $bf_server_ip1 -c 1 -s $pktsize -W 1 > /dev/null
+assert_pass $? "--among-dst [not match]"
+
+exit 0
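Review bot: The four `ebtables -A FORWARD ...` insertions send their output to /dev/null and ignore the exit status, so if rule loading fails the two `[not match]` cases still pass, because the ping succeeds with no rule at all. Check each insertion, e.g. `... -j DROP >/dev/null || exit 1` or `assert_pass $? "add among rule"`, so a broken among parser cannot produce a green result. Also `bf_bridge_mac1` is assigned but never used, and the commented-out `ebtables -L --Ln --Lc` debug line should be dropped. The identical copy of this patch posted on 2022-08-03 further down the thread has the same issues.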
--
2.37.1
* [PATCH iptables-nft 2/2] nft: prefer payload to ttl/hl module
From: Florian Westphal @ 2022-09-12 8:58 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
Signed-off-by: Florian Westphal <fw@strlen.de>
---
iptables/nft.c | 43 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 43 insertions(+)
diff --git a/iptables/nft.c b/iptables/nft.c
index a7f712b1d580..f31c1603eb9e 100644
--- a/iptables/nft.c
+++ b/iptables/nft.c
@@ -43,6 +43,8 @@
#include <linux/netfilter/xt_mark.h>
#include <linux/netfilter/xt_pkttype.h>
+#include <linux/netfilter_ipv6/ip6t_hl.h>
+
#include <libmnl/libmnl.h>
#include <libnftnl/gen.h>
#include <libnftnl/table.h>
@@ -1465,6 +1467,41 @@ static int add_nft_pkttype(struct nft_handle *h, struct nftnl_rule *r,
return 0;
}
+static int add_nft_hl(struct nft_handle *h, struct nftnl_rule *r,
+ struct xt_entry_match *m, uint8_t offset)
+{
+ struct ip6t_hl_info *info = (void *)m->data;
+ struct nftnl_expr *expr;
+ uint8_t reg;
+ uint8_t op;
+
+ switch (info->mode) {
+ case IP6T_HL_NE:
+ op = NFT_CMP_NEQ;
+ break;
+ case IP6T_HL_EQ:
+ op = NFT_CMP_EQ;
+ break;
+ case IP6T_HL_LT:
+ op = NFT_CMP_LT;
+ break;
+ case IP6T_HL_GT:
+ op = NFT_CMP_GT;
+ break;
+ default:
+ return -EINVAL;
+ }
+
+ expr = gen_payload(h, NFT_PAYLOAD_NETWORK_HEADER, offset, 1, ®);
+ if (!expr)
+ return -ENOMEM;
+
+ nftnl_rule_add_expr(r, expr);
+ add_cmp_u8(r, info->hop_limit, op, reg);
+
+ return 0;
+}
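Review bot: add_nft_hl casts the match data to `struct ip6t_hl_info` even when the dispatch (in the add_match hunk below) hands it the IPv4 "ttl" match, but nothing in this function says why that is valid; the justification only lives in the nft_parse_hl comment of patch 1/2. Add `/* ipt_ttl_info has the same layout as ip6t_hl_info and IPT_TTL_* alias IP6T_HL_*, so one helper serves both families */` above the cast so the layout dependency is explicit where it is relied on. If add_cmp_u8 can fail, its result is not checked here — worth confirming against its signature. add_nft_hl is complete within the hunk.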
+
int add_match(struct nft_handle *h,
struct nftnl_rule *r, struct xt_entry_match *m)
{
@@ -1483,6 +1520,12 @@ int add_match(struct nft_handle *h,
return add_nft_mark(h, r, m);
else if (!strcmp(m->u.user.name, "pkttype"))
return add_nft_pkttype(h, r, m);
+ else if (!strcmp(m->u.user.name, "hl"))
+ return add_nft_hl(h, r, m,
+ offsetof(struct ip6_hdr, ip6_hlim));
+ else if (!strcmp(m->u.user.name, "ttl"))
+ return add_nft_hl(h, r, m,
+ offsetof(struct iphdr, ttl));
expr = nftnl_expr_alloc("match");
if (expr == NULL)
--
2.37.3
* Re: [PATCH iptables-nft 1/2] nft: support ttl/hoplimit dissection
From: Phil Sutter @ 2022-09-13 12:10 UTC (permalink / raw)
To: Florian Westphal; +Cc: netfilter-devel
On Mon, Sep 12, 2022 at 10:58:44AM +0200, Florian Westphal wrote:
> xlate raw "nft ... ttl eq 1" and so on to the ttl/hl matches.
>
> Signed-off-by: Florian Westphal <fw@strlen.de>
Series:
Reviewed-by: Phil Sutter <phil@nwl.cc>
* [PATCH iptables] tests: add ebtables among testcase
From: Florian Westphal @ 2022-08-03 7:14 UTC (permalink / raw)
To: netfilter-devel; +Cc: Yi Chen, Florian Westphal
From: Yi Chen <yiche@redhat.com>
Validate that matching works as expected.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
.../testcases/ebtables/0008-ebtables-among_0 | 98 +++++++++++++++++++
1 file changed, 98 insertions(+)
create mode 100755 iptables/tests/shell/testcases/ebtables/0008-ebtables-among_0
diff --git a/iptables/tests/shell/testcases/ebtables/0008-ebtables-among_0 b/iptables/tests/shell/testcases/ebtables/0008-ebtables-among_0
new file mode 100755
index 000000000000..b5df972559e4
--- /dev/null
+++ b/iptables/tests/shell/testcases/ebtables/0008-ebtables-among_0
@@ -0,0 +1,98 @@
+#!/bin/sh
+
+case "$XT_MULTI" in
+*xtables-nft-multi)
+ ;;
+*)
+ echo "skip $XT_MULTI"
+ exit 0
+ ;;
+esac
+
+sfx=$(mktemp -u "XXXXXXXX")
+nsa="nsa-$sfx"
+nsb="nsb-$sfx"
+nsc="nsc-$sfx"
+
+cleanup()
+{
+ ip netns del "$nsa"
+ ip netns del "$nsb"
+ ip netns del "$nsc"
+}
+
+trap cleanup EXIT
+
+assert_fail()
+{
+ if [ $1 -eq 0 ]; then
+ echo "FAILED: $2"
+ exit 1
+ fi
+}
+
+assert_pass()
+{
+ if [ $1 -ne 0 ]; then
+ echo "FAILED: $2"
+ exit 2
+ fi
+}
+
+ip netns add "$nsa"
+ip netns add "$nsb"
+ip netns add "$nsc"
+
+ip link add name c_b netns "$nsc" type veth peer name b_c netns "$nsb"
+ip link add name s_b netns "$nsa" type veth peer name b_s netns "$nsb"
+ip netns exec "$nsb" ip link add name br0 type bridge
+
+ip -net "$nsb" link set b_c up
+ip netns exec "$nsb" ip link set b_s up
+ip netns exec "$nsb" ip addr add 10.167.11.254/24 dev br0
+ip netns exec "$nsb" ip link set br0 up
+ip netns exec "$nsb" ip link set b_c master br0
+ip netns exec "$nsb" ip link set b_s master br0
+ip netns exec "$nsc" ip addr add 10.167.11.2/24 dev c_b
+ip netns exec "$nsc" ip link set c_b up
+ip -net "$nsa" addr add 10.167.11.1/24 dev s_b
+ip -net "$nsa" link set s_b up
+
+ip netns exec "$nsc" ping -q 10.167.11.1 -c1 >/dev/null || exit 1
+
+bf_bridge_mac1=`ip netns exec "$nsb" cat /sys/class/net/b_s/address`
+bf_bridge_mac0=`ip netns exec "$nsb" cat /sys/class/net/b_c/address`
+bf_client_mac1=`ip netns exec "$nsc" cat /sys/class/net/c_b/address`
+bf_server_mac1=`ip netns exec "$nsa" cat /sys/class/net/s_b/address`
+
+bf_server_ip1="10.167.11.1"
+bf_bridge_ip0="10.167.11.254"
+bf_client_ip1="10.167.11.2"
+pktsize=64
+
+# --among-src [mac,IP]
+ip netns exec "$nsb" $XT_MULTI ebtables -F
+ip netns exec "$nsb" $XT_MULTI ebtables -A FORWARD -p ip --ip-dst $bf_server_ip1 --among-src $bf_bridge_mac0=$bf_bridge_ip0,$bf_client_mac1=$bf_client_ip1 -j DROP > /dev/null
+ip netns exec "$nsc" ping -q $bf_server_ip1 -c 1 -s $pktsize -W 1 >/dev/null
+assert_fail $? "--among-src [match]"
+
+# ip netns exec "$nsb" $XT_MULTI ebtables -L --Ln --Lc
+
+ip netns exec "$nsb" $XT_MULTI ebtables -F
+ip netns exec "$nsb" $XT_MULTI ebtables -A FORWARD -p ip --ip-dst $bf_server_ip1 --among-src ! $bf_bridge_mac0=$bf_bridge_ip0,$bf_client_mac1=$bf_client_ip1 -j DROP > /dev/null
+ip netns exec "$nsc" ping $bf_server_ip1 -c 1 -s $pktsize -W 1 >/dev/null
+assert_pass $? "--among-src [not match]"
+
+# --among-dst [mac,IP]
+ip netns exec "$nsb" $XT_MULTI ebtables -F
+ip netns exec "$nsb" $XT_MULTI ebtables -A FORWARD -p ip --ip-src $bf_client_ip1 --among-dst $bf_client_mac1=$bf_client_ip1,$bf_server_mac1=$bf_server_ip1 -j DROP > /dev/null
+ip netns exec "$nsc" ping -q $bf_server_ip1 -c 1 -s $pktsize -W 1 > /dev/null
+assert_fail $? "--among-dst [match]"
+
+# --among-dst ! [mac,IP]
+ip netns exec "$nsb" $XT_MULTI ebtables -F
+ip netns exec "$nsb" $XT_MULTI ebtables -A FORWARD -p ip --ip-src $bf_client_ip1 --among-dst ! $bf_client_mac1=$bf_client_ip1,$bf_server_mac1=$bf_server_ip1 -j DROP > /dev/null
+ip netns exec "$nsc" ping -q $bf_server_ip1 -c 1 -s $pktsize -W 1 > /dev/null
+assert_pass $? "--among-dst [not match]"
+
+exit 0
--
2.37.1