From: Álvaro Neira Ayuso <alvaroneay@xxxxxxxxx>

Add pkttype support for all families of tables.

Joint work with Álvaro Neira Ayuso <alvaroneay@xxxxxxxxx>

Signed-off-by: Alvaro Neira Ayuso <alvaroneay@xxxxxxxxx>
Signed-off-by: Ana Rey <anarey@xxxxxxxxx>
---
[Changes in v3:]
* Add support for NFPROTO_INET when handing the loopback case. (NFPROTO_BRIDGE and NFPROTO_ARP families do not make sense when handing the loopback case)
* Delete the broadcast case when handing the lookback case. This does not make sense.
* Fix the description of NFT_META_PKTTYPE key.

[Changes in v2]
Put "case NFT_META_PKTTYPE:" outside of the #ifdef CONFIG_NETWORK_SECMARK. It was a mistake. Thanks to Arturo Borrero Gonzalez <arturo.borrero.glez@xxxxxxxxx> for reporting this mistake.

 include/uapi/linux/netfilter/nf_tables.h | 2 ++
 net/netfilter/nft_meta.c | 34 ++++++++++++++++++++++++++++++
 2 files changed, 36 insertions(+)

diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 801bdd1..72ad208 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -571,6 +571,7 @@ enum nft_exthdr_attributes {
  * @NFT_META_L4PROTO: layer 4 protocol number
  * @NFT_META_BRI_IIFNAME: packet input bridge interface name
  * @NFT_META_BRI_OIFNAME: packet output bridge interface name
+ * @NFT_META_PKTTYPE: Packet type
  */
 enum nft_meta_keys {
 	NFT_META_LEN,
@@ -592,6 +593,7 @@ enum nft_meta_keys {
 	NFT_META_L4PROTO,
 	NFT_META_BRI_IIFNAME,
 	NFT_META_BRI_OIFNAME,
+	NFT_META_PKTTYPE,
 };
 
 /**
diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
index 852b178..c46d9ac 100644
--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -14,6 +14,9 @@
 #include <linux/netlink.h>
 #include <linux/netfilter.h>
 #include <linux/netfilter/nf_tables.h>
+#include <linux/in.h>
+#include <linux/ip.h>
+#include <linux/ipv6.h>
 #include <net/dst.h>
 #include <net/sock.h>
 #include <net/tcp_states.h> /* for TCP_TIME_WAIT */
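Review bot: The new kernel-doc line `+ * @NFT_META_PKTTYPE: Packet type` in the first nf_tables.h hunk says less than the neighbouring entries and does not tell a uAPI user what the value is or how loopback is handled, which is the one non-obvious part of this key. The nft_meta.c eval hunk reports skb->pkt_type as-is except for PACKET_LOOPBACK, which it resolves to PACKET_HOST or PACKET_MULTICAST by looking at the destination address, so the entry should say so: ` * @NFT_META_PKTTYPE: packet type (PACKET_* value); PACKET_LOOPBACK is reported as PACKET_HOST or PACKET_MULTICAST`. Matching the lowercase style of the surrounding entries would also keep the enum documentation consistent.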
@@ -124,6 +127,36 @@ void nft_meta_get_eval(const struct nft_expr *expr,
 		dest->data[0] = skb->secmark;
 		break;
 #endif
+	case NFT_META_PKTTYPE:
+		if (skb->pkt_type != PACKET_LOOPBACK) {
+			dest->data[0] = skb->pkt_type;
+			break;
+		}
+
+		switch (pkt->ops->pf) {
+		case NFPROTO_IPV4:
+			if (ipv4_is_multicast(ip_hdr(skb)->daddr))
+				dest->data[0] = PACKET_MULTICAST;
+			else
+				dest->data[0] = PACKET_HOST;
+			break;
+		case NFPROTO_IPV6:
+			if (ipv6_hdr(skb)->daddr.s6_addr[0] == 0xFF)
+				dest->data[0] = PACKET_MULTICAST;
+			else
+				dest->data[0] = PACKET_HOST;
+			break;
+		case NFPROTO_INET:
+			if (ipv6_hdr(skb)->daddr.s6_addr[0] == 0xFF ||
+			    ipv4_is_multicast(ip_hdr(skb)->daddr))
+				dest->data[0] = PACKET_MULTICAST;
+			else
+				dest->data[0] = PACKET_HOST;
+			break;
+		default:
+			goto err;
+		}
+		break;
 	default:
 		WARN_ON(1);
 		goto err;
@@ -195,6 +228,7 @@ int nft_meta_get_init(const struct nft_ctx *ctx,
 #ifdef CONFIG_NETWORK_SECMARK
 	case NFT_META_SECMARK:
 #endif
+	case NFT_META_PKTTYPE:
 		break;
 	default:
 		return -EOPNOTSUPP;
-- 
1.7.10.4

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
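Review bot: The NFPROTO_INET branch of the new NFT_META_PKTTYPE case reads both `ipv6_hdr(skb)->daddr` and `ip_hdr(skb)->daddr` from the same packet, but an inet table sees either an IPv4 or an IPv6 packet, so one of the two reads is taken from the wrong place (both macros point at the same network-header offset; for a 20-byte IPv4 header, `s6_addr[0]` is byte 24, i.e. already inside the transport header) and a loopback packet can be classified as multicast from bytes that are not an address at all. The branch should dispatch on `skb->protocol` (`htons(ETH_P_IP)` / `htons(ETH_P_IPV6)`) and inspect only the matching header, as below; the IPv6 test is better written with `ipv6_addr_is_multicast()` from `<net/ipv6.h>` (which this hunk does not yet include) than with the hand-rolled `s6_addr[0] == 0xFF`, and the NFPROTO_IPV6 branch could use the same helper. nft_meta_get_eval's start and its `err:` label lie outside the hunk.
```c
		case NFPROTO_INET:
			/* an inet table carries both IPv4 and IPv6 packets; pick
			 * the header by the packet's own L3 protocol instead of
			 * reading both headers at the same offset */
			switch (skb->protocol) {
			case htons(ETH_P_IP):
				if (ipv4_is_multicast(ip_hdr(skb)->daddr))
					dest->data[0] = PACKET_MULTICAST;
				else
					dest->data[0] = PACKET_HOST;
				break;
			case htons(ETH_P_IPV6):
				if (ipv6_addr_is_multicast(&ipv6_hdr(skb)->daddr))
					dest->data[0] = PACKET_MULTICAST;
				else
					dest->data[0] = PACKET_HOST;
				break;
			default:
				goto err;
			}
			break;
		/* … unchanged: default: goto err; closing of the pf switch … */
```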