Re: [RFC PATCH nft] WIP: Introducing socket matching

Eckl, Máté <ecklm94@xxxxxxxxx> wrote:
> > > --- a/src/meta.c
> > > +++ b/src/meta.c
> > > @@ -439,6 +439,8 @@ static const struct meta_template meta_templates[]
> = {
> > >                                               BYTEORDER_BIG_ENDIAN), /*
> avoid conversion; doesn't have endianess */
> > >       [NFT_META_SECPATH]      = META_TEMPLATE("secpath", &boolean_type,
> > >                                               BITS_PER_BYTE,
> BYTEORDER_HOST_ENDIAN),
> > > +     [NFT_META_SUBKEY_ISSET] = META_TEMPLATE("isset", &boolean_type,
> > > +                                             1 ,
> BYTEORDER_HOST_ENDIAN),
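Review bot: the new NFT_META_SUBKEY_ISSET template passes a length of `1 ,` (stray space before the comma) while the adjacent boolean template for NFT_META_SECPATH uses BITS_PER_BYTE; make the boolean width consistent with the secpath entry and write it as `BITS_PER_BYTE,`. The key name and the "isset" token also do not name a field the kernel can fetch for the meta expression, which is the point the reply below takes up.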
> 
> > The NFT_META_XXXXX define the elements that can be accessed, by the
> > meta expression, such as skb->secpath or skb->mark.
> 
> > E.g. when user says 'meta mark 42' then meta expression is created with
> > NFT_META_MARK key attribute, so kernel will know it has to fetch
> > skb->mark.
> 
> > So, this would be something like
> 
> >   [NFT_META_SK]  = META_TEMPLATE("sk", &boolean_type,
> >                                   BITS_PER_BYTE, BYTEORDER_HOST_ENDIAN),
> 
> Is it going to be something like one of the following?
> 
> 1)   if(skbuff->sk != NULL)
> OR
> 2)  if(skbuff->sk->socket != NULL)

1), then NFT_META_SK would fill destination register with 0 in case
sk_buff->sk is NULL, and 1 otherwise.

> And when matching flags, I guess I should examine
> `skbuff->sk->socket->ops`.

No need for that, see net/netfilter/xt_socket.c .

But you don't even need to change kernel code, you could implement
the userspace part and then pass xt_socket_mtinfo1 struct to the kernel.

I will help you to do this once the parser parts are set up.

> I am a bit confused about the different socket structures right now. Until
> now I thought that `struct sock` stores the metadata of a packet.

struct sk_buff stores the packet meta data (checksums, interface, header
pointers, payload, routing information and the like).

Incoming packets (before routing) have no socket (yet), in INPUT they
might have one.  Forwarded packets don't have a socket.
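As an added illustration of the scheme described above (kernel reads the key carried by the meta expression and loads the matching skb field into the destination register, with NFT_META_SK yielding 0 for a NULL sk_buff->sk and 1 otherwise), here is a small userspace model in C. It is not code from nftables or the kernel: the struct layouts, the register count, the `_model` enum names and the helper functions are all assumptions made for the example, and the three packets are constructed to mirror the prerouting, input and forward cases named in the reply.

```c
/* Model of NFT_META_SK evaluation: added example, not nftables or kernel
 * code.  Struct layouts, register count and all names are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef uint32_t u32;

/* Minimal stand-ins for the kernel structures (constructed for this example). */
struct sock { int dummy; };
struct sk_buff {
	struct sock *sk;       /* NULL until a local socket has been looked up */
	u32 mark;
	int secpath_present;   /* stands in for the skb secpath */
};

/* Keys the meta expression can ask the kernel to fetch (model of NFT_META_*). */
enum nft_meta_keys_model {
	NFT_META_MARK_M,
	NFT_META_SECPATH_M,
	NFT_META_SK_M,         /* the key discussed in the reply */
};

#define NFT_REG32_COUNT 16
struct nft_regs_model { u32 data[NFT_REG32_COUNT]; };

struct nft_meta_model {
	enum nft_meta_keys_model key;
	unsigned int dreg;     /* destination register index */
};

/* Shape of a meta "get" eval: fill the destination register from the skb.
 * Returns 0 on success, -1 for an unknown key (assumed error convention). */
static int meta_get_eval_model(const struct nft_meta_model *priv,
			       struct nft_regs_model *regs,
			       const struct sk_buff *skb)
{
	u32 *dest = &regs->data[priv->dreg];

	switch (priv->key) {
	case NFT_META_MARK_M:
		*dest = skb->mark;                     /* 'meta mark 42' fetches skb->mark */
		break;
	case NFT_META_SECPATH_M:
		*dest = skb->secpath_present ? 1 : 0;
		break;
	case NFT_META_SK_M:
		*dest = skb->sk != NULL;               /* 0 if sk_buff->sk is NULL, else 1 */
		break;
	default:
		return -1;
	}
	return 0;
}

/* Evaluate "meta sk" for one skb and return what landed in the register. */
int meta_sk_value(const struct sk_buff *skb)
{
	struct nft_regs_model regs;
	struct nft_meta_model priv = { .key = NFT_META_SK_M, .dreg = 1 };

	memset(&regs, 0, sizeof(regs));
	if (meta_get_eval_model(&priv, &regs, skb) < 0)
		return -1;
	return (int)regs.data[priv.dreg];
}

/* Constructed packets for the three cases in the reply; unknown hook -> -1. */
int meta_sk_at_hook(const char *hook)
{
	static struct sock local_sock;
	struct sk_buff skb = { .sk = NULL, .mark = 0, .secpath_present = 0 };

	if (strcmp(hook, "input") == 0)
		skb.sk = &local_sock;  /* locally delivered: a socket may be attached */
	else if (strcmp(hook, "prerouting") != 0 && strcmp(hook, "forward") != 0)
		return -1;             /* prerouting and forward: no socket */
	return meta_sk_value(&skb);
}

/* A "meta sk 1" rule: compare the loaded register with the immediate 1. */
int rule_meta_sk_matches(const char *hook)
{
	return meta_sk_at_hook(hook) == 1;
}

int main(void)
{
	const char *hooks[] = { "prerouting", "input", "forward" };
	for (size_t i = 0; i < sizeof(hooks) / sizeof(hooks[0]); i++)
		printf("%-10s meta sk = %d\n", hooks[i], meta_sk_at_hook(hooks[i]));
	return 0;
}
```

The only behaviour that matters for the rule is the register value: a `meta sk` match would compare it against an immediate exactly as `meta mark 42` does, so no socket pointer is ever exposed to the rule itself.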