[PATCH] xt_connmark: Add bit mapping for bit-shift operation.

Jack Ma <jack.ma@xxxxxxxxxxxxxxxxxxx> · Fri, 6 Apr 2018 15:45:16 +1200

With the additiona of bit-shift operations, we are able
to shift ct/skbmark based on user requirements. However,
this change might also cause the most left/right hand-
side mark to be accidentially lost during shift operations.

This patch adds the ability to 'grep' ceratin bits based
on ctmask or nfmask out of the original mark. Then apply
shift operations to achieve a new mapping between ctmark
and skb->mark.

For example.

If someone would like save the fourth F bits of ctmark 0xFFF(F)000F
into the seventh hexadecimal (0) skb->mark 0xABC000(0)E.

new_targetmark = (ctmark & ctmask) >> 12;
(new) skb->mark = (skb->mark &~nfmask) ^
                   new_targetmark;

This will preserve the other bits that are not related to
this operation.

Reviewed-by: Florian Westphal <fw@xxxxxxxxx>
Signed-off-by: Jack Ma <jack.ma@xxxxxxxxxxxxxxxxxxx>
---
 net/netfilter/xt_connmark.c | 19 +++++++++++--------
 1 file changed, 11 insertions(+), 8 deletions(-)

diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
index 773da82190dc..710bc2bfe020 100644
--- a/net/netfilter/xt_connmark.c
+++ b/net/netfilter/xt_connmark.c
@@ -43,6 +43,7 @@ connmark_tg_shift(struct sk_buff *skb,
 	enum ip_conntrack_info ctinfo;
 	struct nf_conn *ct;
 	u_int32_t newmark;
+	u_int32_t new_targetmark;
 
 	ct = nf_ct_get(skb, &ctinfo);
 	if (ct == NULL)
@@ -61,24 +62,26 @@ connmark_tg_shift(struct sk_buff *skb,
 		}
 		break;
 	case XT_CONNMARK_SAVE:
-		newmark = (ct->mark & ~info->ctmask) ^
-			  (skb->mark & info->nfmask);
+		new_targetmark = (skb->mark & info->nfmask);
 		if (shift_dir == D_SHIFT_RIGHT)
-			newmark >>= shift_bits;
+			new_targetmark >>= shift_bits;
 		else
-			newmark <<= shift_bits;
+			new_targetmark <<= shift_bits;
+		newmark = (ct->mark & ~info->ctmask) ^
+			  new_targetmark;
 		if (ct->mark != newmark) {
 			ct->mark = newmark;
 			nf_conntrack_event_cache(IPCT_MARK, ct);
 		}
 		break;
 	case XT_CONNMARK_RESTORE:
-		newmark = (skb->mark & ~info->nfmask) ^
-			  (ct->mark & info->ctmask);
+		new_targetmark = (ct->mark & info->ctmask);
 		if (shift_dir == D_SHIFT_RIGHT)
-			newmark >>= shift_bits;
+			new_targetmark >>= shift_bits;
 		else
-			newmark <<= shift_bits;
+			new_targetmark <<= shift_bits;
+		newmark = (skb->mark & ~info->nfmask) ^
+			  new_targetmark;
 		skb->mark = newmark;
 		break;
 	}
-- 
2.13.0

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html






