A few comments on top of Florian's.
On Wed, Jun 20, 2018 at 12:41:29PM +0200, Máté Eckl wrote:
[...]
> +#if IS_ENABLED(CONFIG_NF_TPROXY_IPV6)
> +static void nft_tproxy_eval_v6(const struct nft_expr *expr,
> + struct nft_regs *regs,
> + const struct nft_pktinfo *pkt)
Hm, better place IPv6 code in net/netfilter/nft_tproxy_ipv6.c ? @Florian, do you prefer this monolitic style maybe? I mean, I'll be fine either way.
[...]
> +static int nft_tproxy_init(const struct nft_ctx *ctx,
> + const struct nft_expr *expr,
> + const struct nlattr * const tb[])
> +{
I'm missing nf_defrag_ipv6_enable() calls from your _init() path.
> + struct nft_tproxy *priv = nft_expr_priv(expr);
> + unsigned int alen = 0, plen = 0;
> + int err;
> +
> + if (!tb[NFTA_TPROXY_FAMILY])
> + return -EINVAL;
> +
> + switch(ctx->family) {
> + case NFPROTO_IPV4:
> +#if IS_ENABLED(CONFIG_NF_TPROXY_IPV6)
> + case NFPROTO_IPV6:
> +#endif
> + case NFPROTO_INET:
> + break;
> + default:
> + return -EOPNOTSUPP;
> + }
> +
> + priv->family = ntohl(nla_get_be32(tb[NFTA_TPROXY_FAMILY]));
> + if ((priv->family == NFPROTO_IPV4 && ctx->family == NFPROTO_IPV6) ||
> + (priv->family == NFPROTO_IPV6 && ctx->family == NFPROTO_IPV4))
> + return -EINVAL;
> +
> + switch (priv->family) {
> + case NFPROTO_IPV4:
> + alen = FIELD_SIZEOF(union nf_inet_addr, in);
> + break;
> +#if IS_ENABLED(CONFIG_NF_TPROXY_IPV6)
> + case NFPROTO_IPV6:
> + alen = FIELD_SIZEOF(union nf_inet_addr, in6);
> + break;
> +#endif
> + case NFPROTO_INET:
> + /* No address is specified here */
> + break;
> + default:
> + return -EOPNOTSUPP;
> + }
> +
> + if (tb[NFTA_TPROXY_REG_ADDR]) {
> + priv->sreg_addr = nft_parse_register(tb[NFTA_TPROXY_REG_ADDR]);
> + err = nft_validate_register_load(priv->sreg_addr, alen);
> + if (err < 0)
> + return err;
> + }
> +
> + plen = sizeof(u16);
> + if (tb[NFTA_TPROXY_REG_PORT]) {
> + priv->sreg_port = nft_parse_register(tb[NFTA_TPROXY_REG_PORT]);
> + err = nft_validate_register_load(priv->sreg_port, plen);
> + if (err < 0)
> + return err;
> + }
How does this work if neither if neither address nor port are set?
-- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html