Hi Anders,

On Wed, Sep 14, 2016 at 05:47:08AM +0000, Anders K. Pedersen | Cohaesio wrote:
> From: Anders K. Pedersen <akp@xxxxxxxxxxxx>
>
> Add meta support for IPv4 nexthop and IPv6 nexthop6 (i.e. the directly
> connected IP address that an outgoing packet is sent to), which can be used
> either for matching or accounting, e.g.
>
> # nft add rule filter postrouting \
> ip daddr 192.168.1.0/24 meta nexthop != 192.168.0.1 drop
>
> This will drop any traffic to 192.168.1.0/24 that is not routed via
> 192.168.0.1.
>
> # nft add rule filter postrouting \
> flow table acct { meta nexthop timeout 600s counter }
> # nft add rule ip6 filter postrouting \
> flow table acct { meta nexthop6 timeout 600s counter }
>
> These rules count outgoing traffic per nexthop. Note that the timeout
> releases an entry if no traffic is seen for this nexthop within 10 minutes.
>
> Signed-off-by: Anders K. Pedersen <akp@xxxxxxxxxxxx>
> ---
> include/uapi/linux/netfilter/nf_tables.h | 2 ++
> net/netfilter/nft_meta.c | 23 +++++++++++++++++++++++
> 2 files changed, 25 insertions(+)
>
> diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
> index 24161e2..6ef8ac9 100644
> --- a/include/uapi/linux/netfilter/nf_tables.h
> +++ b/include/uapi/linux/netfilter/nf_tables.h
> @@ -721,6 +721,8 @@ enum nft_meta_keys {
> NFT_META_OIFGROUP,
> NFT_META_CGROUP,
> NFT_META_PRANDOM,
> + NFT_META_NEXTHOP,
> + NFT_META_NEXTHOP6,
> };

Florian is working on an explicit fib lookup expression, for the existing
route attached to the skbuff, I think we can add nft_rt_ipv4.c,
nft_rt_ipv6.c and nft_rt_inet.c expressions instead for this? One per
family, have a look at nft_meta_bridge.c for reference, it should look
similar.

I think many other rt fields could be useful with a valid use case.

BTW, proposed syntax is:

# nft add rule filter postrouting \
        flow table acct { rt ip nexthop timeout 600s counter }
# nft add rule ip6 filter postrouting \
        flow table acct { rt ip6 nexthop timeout 600s counter }

Then, for the inet family:

# nft add rule inet filter postrouting \
        ether type ip flow table acct { rt ip nexthop timeout 600s counter }

This one should bail out if:

# nft add rule inet filter postrouting \
        ether type ip flow table acct { rt ip6 nexthop timeout 600s counter }
                   ~~                     ^^^

they don't match, this is just a bit of code at nftables/src/evaluate.c

Thus, we pass an explicit NFTA_RT_FAMILY attribute to explicitly indicate
the family type so we can use this from the inet table too.

You need to add an expr/rt.c expression to libnftnl, it is boiler plate
code you can use meta expression as reference.

From nft, you have to add a new EXPR_RT, there will be code missing in
evaluate.c, netlink_linearize.c and netlink_delinearize.c

> /**
> diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
> index 2863f34..a283c80 100644
> --- a/net/netfilter/nft_meta.c
> +++ b/net/netfilter/nft_meta.c
> @@ -188,6 +190,23 @@ void nft_meta_get_eval(const struct nft_expr *expr,
> *dest = prandom_u32_state(state);
> break;
> }
> + case NFT_META_NEXTHOP: {
> + const struct rtable *rt = skb_rtable(skb);
> +
> + if (pkt->pf != NFPROTO_IPV4 || !rt)

With the approach above, we will not need to check for pkt->pf !=
NFPROTO_IPV4, given this will be checked from the _init() path of the
expression.

It will be a bit more code though. Would you have a look at this?

Let me know, thanks!
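Review bot: on the nf_tables.h hunk, the kernel-doc comment that precedes enum nft_meta_keys is not updated for the two new keys; the diffstat shows only 2 insertions in that file, so the @NFT_META_NEXTHOP and @NFT_META_NEXTHOP6 entries describing what each key yields (the IPv4 or IPv6 address of the next hop of the route attached to the skb) are missing from a uapi header that userspace authors rely on.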
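Review bot: on the nft_meta.c hunk, the quoted lines stop right after `if (pkt->pf != NFPROTO_IPV4 || !rt)` without showing the failure branch; it should take the same `goto err` path as the other keys in nft_meta_get_eval() so the verdict becomes NFT_BREAK and the destination register is never left uninitialised, and since this test runs for every packet in the eval fast path, the family check belongs in the expression's init as already suggested above, leaving eval to handle only the missing-route case.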