Re: [PATCH netfilter: nft] add connmark module


 



Hi,

Thanks. I noticed the addition of the get/set operation while working
on the patch and was unsure about how to deal with setting the
connmark, but I decided to add it for completeness' sake. Perhaps a
better idea would be to remove the set operation from the module and
only keep save/restore? It would simplify the code as well.

-Kristian

On Mon, Jan 6, 2014 at 1:42 PM, Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
> Hi,
>
> On Mon, Jan 06, 2014 at 01:29:12PM +0100, Kristian Evensen wrote:
>> From: Kristian Evensen <kristian.evensen@xxxxxxxxx>
>>
>> This patch adds a connmark module to nftables, which enables setting, storing
>> and restoring the connection mark (ctmark) of a tracked connection. It works in
>> the same way as xt_CONNMARK.
>>
>> Signed-off-by: Kristian Evensen <kristian.evensen@xxxxxxxxx>
>> ---
>>  include/uapi/linux/netfilter/nf_tables.h |  35 +++++++
>>  net/netfilter/Kconfig                    |  10 ++
>>  net/netfilter/Makefile                   |   1 +
>>  net/netfilter/nft_connmark.c             | 169 +++++++++++++++++++++++++++++++
>>  4 files changed, 215 insertions(+)
>>  create mode 100644 net/netfilter/nft_connmark.c
>>
>> diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
>> index aa86a152..ccf9f9f 100644
>> --- a/include/uapi/linux/netfilter/nf_tables.h
>> +++ b/include/uapi/linux/netfilter/nf_tables.h
>> @@ -682,6 +682,41 @@ enum nft_queue_attributes {
>>  #define NFT_QUEUE_FLAG_MASK          0x03
>>
>>  /**
>> + * enum nft_connmark_types - nf_tables connmark expression types
>> + *
>> + * @NFT_CONNMARK_SAVE: save connmark
>> + * @NFT_CONNMARK_RESTORE: restore connmark
>> + * @NFT_CONNMARK_SET: set connmark (iptables set-xmark)
>> + */
>> +enum nft_connmark_types {
>> +     NFT_CONNMARK_SAVE,
>> +     NFT_CONNMARK_RESTORE,
>> +     NFT_CONNMARK_SET
>> +};
>> +
>> +/**
>> + * enum nft_connmark_attributes - nf_tables connmark expression netlink
>> + * attributes
>> + *
>> + * @NFTA_CONNMARK_MODE: conntrack action (save, set or restore) (NLA_U8)
>> + * @NFTA_CONNMARK_CTMARK: conntrack ctmark (NLA_U32)
>> + * @NFTA_CONNMARK_CTMASK: conntrack ctmask (NLA_U32)
>> + * @NFTA_CONNMARK_NFMASK: conntrack nfmask (NLA_U32)
>> + */
>> +
>> +enum nft_connmark_attributes {
>> +     NFTA_CONNMARK_UNSPEC,
>> +     NFTA_CONNMARK_MODE,
>> +     NFTA_CONNMARK_CTMARK,
>> +     NFTA_CONNMARK_CTMASK,
>> +     NFTA_CONNMARK_NFMASK,
>> +     __NFTA_CONNMARK_MAX,
>> +};
>> +#define NFTA_CONNMARK_MAX            (__NFTA_CONNMARK_MAX - 1)
>> +
>> +#define NFT_CONNMARK_DEFAULT_MASK    0xFFFFFFFF
>> +
>> +/**
>>   * enum nft_reject_types - nf_tables reject expression reject types
>>   *
>>   * @NFT_REJECT_ICMP_UNREACH: reject using ICMP unreachable
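Review bot: enum nft_connmark_types at the top of this hunk has no terminating `__NFT_CONNMARK_MAX` value, so the expression's init routine (not in this hunk) has no generated bound to validate the NLA_U8 it reads from NFTA_CONNMARK_MODE against, and an unknown mode supplied from userspace would only be caught by a default case in nft_connmark_eval's switch, which is also outside this view. Suggest adding `__NFT_CONNMARK_MAX` after NFT_CONNMARK_SET together with `#define NFT_CONNMARK_MAX (__NFT_CONNMARK_MAX - 1)`, and rejecting `mode > NFT_CONNMARK_MAX` with -EINVAL in init, matching how the NFTA_CONNMARK_* attributes already get their MAX. The attribute doc also calls NFTA_CONNMARK_MODE a "conntrack action"; it is the expression's mode, so `@NFTA_CONNMARK_MODE: expression mode (save, set or restore) (NLA_U8)` reads more accurately.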
>> diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
>> index 0609514..d3ff630 100644
>> --- a/net/netfilter/Kconfig
>> +++ b/net/netfilter/Kconfig
>> @@ -471,6 +471,16 @@ config NFT_COUNTER
>>         This option adds the "counter" expression that you can use to
>>         include packet and byte counters in a rule.
>>
>> +config NFT_CONNMARK
>> +     depends on NF_TABLES
>> +     depends on NF_CONNTRACK
>> +     depends on NETFILTER_ADVANCED
>> +     select NF_CONNTRACK_MARK
>> +     tristate "Netfilter nf_tables conntrack module"
>> +     help
>> +             This option adds the "connmark" expression that can be used to
>> +             set, save or restore a mark on a tracked connection.
>> +
>>  config NFT_LOG
>>       depends on NF_TABLES
>>       tristate "Netfilter nf_tables log module"
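Review bot: The prompt `tristate "Netfilter nf_tables conntrack module"` describes the wrong option: this entry builds the connmark expression, and the tree already has a separate CONFIG_NFT_CT (visible in the Makefile hunk), so menuconfig would show two entries both claiming to be the conntrack module. Rename it to `tristate "Netfilter nf_tables connmark module"` so it agrees with the help text and with the NFT_COUNTER/NFT_LOG entries around it. The `select NF_CONNTRACK_MARK` next to `depends on NF_CONNTRACK` looks right, since every mode in nft_connmark_eval reads or writes ct->mark.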
>> diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
>> index 39e4a7b..5097a2f 100644
>> --- a/net/netfilter/Makefile
>> +++ b/net/netfilter/Makefile
>> @@ -71,6 +71,7 @@ nf_tables-objs += nft_bitwise.o nft_byteorder.o nft_payload.o
>>
>>  obj-$(CONFIG_NF_TABLES)              += nf_tables.o
>>  obj-$(CONFIG_NFT_COMPAT)     += nft_compat.o
>> +obj-$(CONFIG_NFT_CONNMARK)   += nft_connmark.o
>>  obj-$(CONFIG_NFT_EXTHDR)     += nft_exthdr.o
>>  obj-$(CONFIG_NFT_META)               += nft_meta.o
>>  obj-$(CONFIG_NFT_CT)         += nft_ct.o
>> diff --git a/net/netfilter/nft_connmark.c b/net/netfilter/nft_connmark.c
>> new file mode 100644
>> index 0000000..04d56d1
>> --- /dev/null
>> +++ b/net/netfilter/nft_connmark.c
>> @@ -0,0 +1,169 @@
>> +/* Copyright (c) 2013 Kristian Evensen <kristian.evensen@xxxxxxxxx>
>> + *
>> + * This program is free software; you can redistribute it and/or modify
>> + * it under the terms of the GNU General Public License version 2 as
>> + * published by the Free Software Foundation.
>> + */
>> +
>> +#include <linux/kernel.h>
>> +#include <linux/init.h>
>> +#include <linux/module.h>
>> +#include <linux/netlink.h>
>> +#include <linux/netfilter.h>
>> +#include <linux/netfilter/nf_tables.h>
>> +#include <net/netfilter/nf_tables.h>
>> +#include <net/netfilter/nf_conntrack.h>
>> +#include <net/netfilter/nf_conntrack_ecache.h>
>> +
>> +struct nft_connmark {
>> +     u32 ctmask;
>> +     union{
>> +             u32 ctmark;
>> +             u32 nfmask;
>> +     };
>> +     u8  mode;
>> +};
>> +
>> +static void nft_connmark_eval(const struct nft_expr *expr,
>> +                        struct nft_data data[NFT_REG_MAX + 1],
>> +                        const struct nft_pktinfo *pkt)
>> +{
>> +     struct nft_connmark *priv = nft_expr_priv(expr);
>> +     enum ip_conntrack_info ctinfo;
>> +     struct nf_conn *ct;
>> +     u_int32_t newmark;
>> +
>> +     ct = nf_ct_get(pkt->skb, &ctinfo);
>> +     if (ct == NULL)
>> +             return;
>> +
>> +     switch (priv->mode) {
>> +     case NFT_CONNMARK_SET:
>> +             newmark = (ct->mark & ~priv->ctmask) ^ priv->ctmark;
>> +             if (ct->mark != newmark) {
>> +                     ct->mark = newmark;
>> +                     nf_conntrack_event_cache(IPCT_MARK, ct);
>> +             }
>> +             break;
>> +     case NFT_CONNMARK_SAVE:
>> +             newmark = (ct->mark & ~priv->ctmask) ^
>> +                       (pkt->skb->mark & priv->nfmask);
>> +
>> +             if (ct->mark != newmark) {
>> +                     ct->mark = newmark;
>> +                     nf_conntrack_event_cache(IPCT_MARK, ct);
>> +             }
>> +             break;
>> +     case NFT_CONNMARK_RESTORE:
>> +             newmark = (pkt->skb->mark & ~priv->nfmask) ^
>> +                       (ct->mark & priv->ctmask);
>> +             pkt->skb->mark = newmark;
>
> We already have expressions for bitmask operations and to fetch the
> packet mark into a register. These operations can be implemented in
> the existing meta expressions as NFT_META_CONNMARK.
>
> Note that we now have two meta flavours:
>
> http://git.kernel.org/cgit/linux/kernel/git/pablo/nftables.git/commit/net/netfilter/nft_meta.c?id=e035b77ac7be430a5fef8c9c23f60b6b50ec81c5
>
> So the idea is to make a patch that allows us to retrieve and to set
> the connmark value.
>
> Thanks.




