renegade-project/linux-next
2
0
Fork 0
mirror of https://github.com/edk2-porting/linux-next.git synced 2025-01-23 14:13:58 +08:00
Code

netfilter: nft_meta: add l4proto support

Browse Source 
For L3-proto independant rules we need to get at the L4 protocol value
directly. Add it to the nft_pktinfo struct and use the meta expression
to retrieve it.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
Patrick McHardy 2014-01-03 12:16:18 +00:00 committed by Pablo Neira Ayuso
parent 124edfa9e0
commit 4566bf2706
5 changed files with 10 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
include/net/netfilter/nf_tables.h
View File

@ -16,6 +16,7 @@ struct nft_pktinfo {
const struct nf_hook_ops *ops; const struct nf_hook_ops *ops;
u8 nhoff; u8 nhoff;
u8 thoff; u8 thoff;
u8 tprot;
/* for x_tables compatibility */ /* for x_tables compatibility */
struct xt_action_param xt; struct xt_action_param xt;
}; };

3
include/net/netfilter/nf_tables_ipv4.h
View File

@ -15,8 +15,9 @@ nft_set_pktinfo_ipv4(struct nft_pktinfo *pkt,
nft_set_pktinfo(pkt, ops, skb, in, out); nft_set_pktinfo(pkt, ops, skb, in, out);
pkt->xt.thoff = ip_hdrlen(pkt->skb);
ip = ip_hdr(pkt->skb); ip = ip_hdr(pkt->skb);
pkt->tprot = ip->protocol;
pkt->xt.thoff = ip_hdrlen(pkt->skb);
pkt->xt.fragoff = ntohs(ip->frag_off) & IP_OFFSET; pkt->xt.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
} }

1
include/net/netfilter/nf_tables_ipv6.h
View File

@ -21,6 +21,7 @@ nft_set_pktinfo_ipv6(struct nft_pktinfo *pkt,
if (protohdr < 0) if (protohdr < 0)
return -1; return -1;
pkt->tprot = protohdr;
pkt->xt.thoff = thoff; pkt->xt.thoff = thoff;
pkt->xt.fragoff = frag_off; pkt->xt.fragoff = frag_off;

2
include/uapi/linux/netfilter/nf_tables.h
View File

@ -532,6 +532,7 @@ enum nft_exthdr_attributes {
* @NFT_META_RTCLASSID: realm value of packet's route (skb->dst->tclassid) * @NFT_META_RTCLASSID: realm value of packet's route (skb->dst->tclassid)
* @NFT_META_SECMARK: packet secmark (skb->secmark) * @NFT_META_SECMARK: packet secmark (skb->secmark)
* @NFT_META_NFPROTO: netfilter protocol * @NFT_META_NFPROTO: netfilter protocol
* @NFT_META_L4PROTO: layer 4 protocol number
*/ */
enum nft_meta_keys { enum nft_meta_keys {
NFT_META_LEN, NFT_META_LEN,
@ -550,6 +551,7 @@ enum nft_meta_keys {
NFT_META_RTCLASSID, NFT_META_RTCLASSID,
NFT_META_SECMARK, NFT_META_SECMARK,
NFT_META_NFPROTO, NFT_META_NFPROTO,
NFT_META_L4PROTO,
}; };
/** /**

4
net/netfilter/nft_meta.c
View File

@ -46,6 +46,9 @@ static void nft_meta_get_eval(const struct nft_expr *expr,
case NFT_META_NFPROTO: case NFT_META_NFPROTO:
dest->data[0] = pkt->ops->pf; dest->data[0] = pkt->ops->pf;
break; break;
case NFT_META_L4PROTO:
dest->data[0] = pkt->tprot;
break;
case NFT_META_PRIORITY: case NFT_META_PRIORITY:
dest->data[0] = skb->priority; dest->data[0] = skb->priority;
break; break;
@ -185,6 +188,7 @@ static int nft_meta_init_validate_get(uint32_t key)
case NFT_META_LEN: case NFT_META_LEN:
case NFT_META_PROTOCOL: case NFT_META_PROTOCOL:
case NFT_META_NFPROTO: case NFT_META_NFPROTO:
case NFT_META_L4PROTO:
case NFT_META_PRIORITY: case NFT_META_PRIORITY:
case NFT_META_MARK: case NFT_META_MARK:
case NFT_META_IIF: case NFT_META_IIF: