Re: [PATCH v3] netfilter: nf_tables: add pkttype support to meta expression


On Tue, Aug 05, 2014 at 08:27:22PM +0200, Ana Rey wrote:
> From: Álvaro Neira Ayuso <alvaroneay@xxxxxxxxx>
> 
> Add pkttype support for all families of tables.

Please, include in the description something like:

This allows you to fetch the meta packet type based on the link layer
information. The loopback traffic is a special case, the packet type
is guessed from the network layer header.

No special handling for bridge and arp since we're not going to see
such traffic in the loopback interface.

> diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
> index 852b178..c46d9ac 100644
> --- a/net/netfilter/nft_meta.c
> +++ b/net/netfilter/nft_meta.c
> @@ -14,6 +14,9 @@
>  #include <linux/netlink.h>
>  #include <linux/netfilter.h>
>  #include <linux/netfilter/nf_tables.h>
> +#include <linux/in.h>
> +#include <linux/ip.h>
> +#include <linux/ipv6.h>
>  #include <net/dst.h>
>  #include <net/sock.h>
>  #include <net/tcp_states.h> /* for TCP_TIME_WAIT */
> @@ -124,6 +127,36 @@ void nft_meta_get_eval(const struct nft_expr *expr,
>  		dest->data[0] = skb->secmark;
>  		break;
>  #endif
> +	case NFT_META_PKTTYPE:
> +		if (skb->pkt_type != PACKET_LOOPBACK) {
> +			dest->data[0] = skb->pkt_type;
> +			break;
> +		}
> +
> +		switch (pkt->ops->pf) {
> +		case NFPROTO_IPV4:
> +			if (ipv4_is_multicast(ip_hdr(skb)->daddr))
> +				dest->data[0] = PACKET_MULTICAST;
> +			else
> +				dest->data[0] = PACKET_HOST;

Please, replace the PACKET_HOST by PACKET_BROADCAST so this looks
exactly like xt_pkttype.

> +			break;
> +		case NFPROTO_IPV6:
> +			if (ipv6_hdr(skb)->daddr.s6_addr[0] == 0xFF)
> +				dest->data[0] = PACKET_MULTICAST;
> +			else
> +				dest->data[0] = PACKET_HOST;
> +			break;
> +		case NFPROTO_INET:
> +			if (ipv6_hdr(skb)->daddr.s6_addr[0] == 0xFF ||
> +			    ipv4_is_multicast(ip_hdr(skb)->daddr))
> +				dest->data[0] = PACKET_MULTICAST;
> +			else
> +				dest->data[0] = PACKET_HOST;
> +			break;
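Review bot: the NFPROTO_INET branch calls both ipv6_hdr(skb) and ip_hdr(skb) on the same skb, so for an IPv4 packet the `s6_addr[0] == 0xFF` test reads bytes beyond the 20-byte IPv4 header rather than an IPv6 destination; since pkt->ops->pf already carries the concrete family at evaluation time, this branch is unreachable and should go. The inner switch also has no default, so a PACKET_LOOPBACK skb seen in any other family leaves dest->data[0] unset; add a `default:` that falls back to skb->pkt_type (or PACKET_HOST) so the register is always written. Minor: the IPv6 multicast test can be spelled `ipv6_addr_is_multicast(&ipv6_hdr(skb)->daddr)` from <net/ipv6.h>, which matches the ipv4_is_multicast() call on the IPv4 side.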

We're almost there. You have to remove NFPROTO_INET, the pkt->ops->pf
is already allowing you to identify the family. So the NFPROTO_INET
part seems dead code to me, remove it.
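To make the loopback rule in the description concrete, here is an added userspace model of the guess (not code from the patch or from the netfilter tree): a packet whose link layer marked it PACKET_LOOPBACK is classified from its network header, IPv4 multicast (224.0.0.0/4) and IPv6 multicast (ff00::/8) become PACKET_MULTICAST, and everything else on loopback becomes PACKET_BROADCAST as requested above to match xt_pkttype. The PACKET_* and NFPROTO_* constants are redefined locally with their kernel values so the file builds without kernel headers; the header offsets (IPv4 daddr at byte 16, IPv6 daddr at byte 24) are the standard wire layout, and the sample headers are constructed for the example. Other families fall back to the link-layer value, which is the assumed behaviour for a default case the patch does not yet have.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Values copied from <linux/if_packet.h> and <linux/netfilter.h> so this
 * builds in userspace without kernel headers. */
enum { PACKET_HOST = 0, PACKET_BROADCAST = 1, PACKET_MULTICAST = 2, PACKET_LOOPBACK = 5 };
enum { NFPROTO_IPV4 = 2, NFPROTO_IPV6 = 10 };

/* 224.0.0.0/4: top nibble of the first destination octet is 0xE. */
static int ipv4_daddr_is_multicast(const uint8_t *daddr)
{
	return (daddr[0] & 0xF0) == 0xE0;
}

/* ff00::/8: first byte of the destination is 0xFF. */
static int ipv6_daddr_is_multicast(const uint8_t *daddr)
{
	return daddr[0] == 0xFF;
}

/* Model of the meta pkttype evaluation.
 * pkt_type: value set by the link layer; pf: family the hook runs in;
 * hdr: start of the network header. */
int meta_pkttype(int pkt_type, int pf, const uint8_t *hdr)
{
	if (pkt_type != PACKET_LOOPBACK)
		return pkt_type;	/* real link-layer classification, use it */

	switch (pf) {
	case NFPROTO_IPV4:	/* daddr at offset 16 of the IPv4 header */
		return ipv4_daddr_is_multicast(hdr + 16) ? PACKET_MULTICAST : PACKET_BROADCAST;
	case NFPROTO_IPV6:	/* daddr at offset 24 of the IPv6 header */
		return ipv6_daddr_is_multicast(hdr + 24) ? PACKET_MULTICAST : PACKET_BROADCAST;
	default:		/* assumed fallback for bridge/arp: no guess, keep link-layer value */
		return pkt_type;
	}
}

/* Constructed sample headers: only the fields the classifier reads are filled. */
int loopback_ipv4_type(const uint8_t daddr[4])
{
	uint8_t hdr[20];

	memset(hdr, 0, sizeof(hdr));
	hdr[0] = 0x45;			/* version 4, IHL 5 */
	memcpy(hdr + 16, daddr, 4);
	return meta_pkttype(PACKET_LOOPBACK, NFPROTO_IPV4, hdr);
}

int loopback_ipv6_type(const uint8_t daddr[16])
{
	uint8_t hdr[40];

	memset(hdr, 0, sizeof(hdr));
	hdr[0] = 0x60;			/* version 6 */
	memcpy(hdr + 24, daddr, 16);
	return meta_pkttype(PACKET_LOOPBACK, NFPROTO_IPV6, hdr);
}

int main(void)
{
	const uint8_t v4_mcast[4] = { 224, 0, 0, 1 };
	const uint8_t v4_lo[4] = { 127, 0, 0, 1 };
	const uint8_t v6_mcast[16] = { 0xFF, 0x02, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 };
	const uint8_t v6_lo[16] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 };

	printf("224.0.0.1 on lo -> %d\n", loopback_ipv4_type(v4_mcast));
	printf("127.0.0.1 on lo -> %d\n", loopback_ipv4_type(v4_lo));
	printf("ff02::1 on lo   -> %d\n", loopback_ipv6_type(v6_mcast));
	printf("::1 on lo       -> %d\n", loopback_ipv6_type(v6_lo));
	return 0;
}
```

The non-loopback path returns the link-layer value untouched, so a rule like `meta pkttype multicast` keeps working on real interfaces; only loopback traffic, where the link layer cannot tell, goes through the header inspection.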