Jack Ma <Jack.Ma@xxxxxxxxxxxxxxxxxxx> wrote:
> Hi Florian,
>
> I attached two 'draft' patches in this email :)
>
> Thanks,
> Jack
> From 6d811e63c9c777ed4287bc4547134c99e939b49d Mon Sep 17 00:00:00 2001
> From: Jack Ma <jack.ma@xxxxxxxxxxxxxxxxxxx>
> Date: Mon, 12 Feb 2018 13:41:29 +1300
> Subject: [PATCH] libxt_CONNMARK: Support bit-shifting for --restore,set and
> save-mark
>
> Added bit-shifting operations for --restore & set & save-mark.
>
> Signed-off-by: Jack Ma <jack.ma@xxxxxxxxxxxxxxxxxxx>
> Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
Please don't add a Signoff from me, since I am not the author
and not in the delivery path.
> +" --left-shift-mark value Left shift the ctmark with bits\n"
> +" --right-shift-mark value Right shift the ctmark with bits\n"
>
> @@ -253,36 +288,101 @@ connmark_tg_print(const void *ip, const struct xt_entry_target *target,
Caution, you will need a new vresion of the connmark target, see
below in the kernel patch.
You'll also need to update that 'save' variant which should produce
output suitable for iptables-restore.
> diff --git a/include/linux/netfilter/xt_connmark.h b/include/linux/netfilter/xt_connmark.h
> index efc17a83..2010a40c 100644
> --- a/include/linux/netfilter/xt_connmark.h
> +++ b/include/linux/netfilter/xt_connmark.h
> @@ -20,7 +20,7 @@ enum {
>
> struct xt_connmark_tginfo1 {
> __u32 ctmark, ctmask, nfmask;
> - __u8 mode;
> + __u8 shift_dir, shift_bits, mode;
> };
Struct layout is changing, this breaks old userspace.
You will need to add
struct xt_connmark_tginfo2 {
__u32 ctmark, ctmask, nfmask;
__u8 mode, shift ...
> struct xt_connmark_mtinfo1 {
> diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
> index ec377cc6a369..31cb0acb6208 100644
> --- a/net/netfilter/xt_connmark.c
> +++ b/net/netfilter/xt_connmark.c
> @@ -51,7 +51,10 @@ connmark_tg(struct sk_buff *skb, const struct xt_action_param *par)
> case XT_CONNMARK_SET:
> newmark = (ct->mark & ~info->ctmask) ^ info->ctmark;
> if (ct->mark != newmark) {
> - ct->mark = newmark;
> + if (info->shift_dir == D_SHIFT_RIGHT)
> + ct->mark = newmark >> info->shift_bits;
> + else
> + ct->mark = newmark << info->shift_bits;
You should be able to create a first patch that can refactor connmark_tg
to accept either struct layout.
Check for example commit
bea74641e3786d51dcf1175527cc1781420961c9
and see how it adds a new struct and then uses the revision number
to either use old or new layout before accessing the structure.
Other than that it looks ok to me.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
