Re: [PATCH nf-next] netfilter: Add native tproxy support for nf_tables

On Wed, Jun 20, 2018 at 02:18:25PM +0200, Pablo Neira Ayuso wrote:
> A few comments on top of Florian's.
> 
> On Wed, Jun 20, 2018 at 12:41:29PM +0200, Máté Eckl wrote:
> [...]
> > +#if IS_ENABLED(CONFIG_NF_TPROXY_IPV6)
> > +static void nft_tproxy_eval_v6(const struct nft_expr *expr,
> > +			    struct nft_regs *regs,
> > +			    const struct nft_pktinfo *pkt)
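Review bot: nft_tproxy_eval_v6() is only compiled under IS_ENABLED(CONFIG_NF_TPROXY_IPV6), so whatever dispatches to it by packet family needs the same guard (or a stub for the disabled case) so the module still builds when CONFIG_NF_TPROXY_IPV6 is off.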
> 
> Hm, better place IPv6 code in net/netfilter/nft_tproxy_ipv6.c ?
> 
> @Florian, do you prefer this monolithic style maybe?
> 
> I mean, I'll be fine either way.
> 
> [...]
> > +static int nft_tproxy_init(const struct nft_ctx *ctx,
> > +			   const struct nft_expr *expr,
> > +			   const struct nlattr * const tb[])
> > +{
> 
> I'm missing nf_defrag_ipv6_enable() calls from your _init() path.

I added them.

> > +	struct nft_tproxy *priv = nft_expr_priv(expr);
> > +	unsigned int alen = 0, plen = 0;
> > +	int err;
> > +
> > +	if (!tb[NFTA_TPROXY_FAMILY])
> > +		return -EINVAL;
> > +
> > +	switch(ctx->family) {
> > +	case NFPROTO_IPV4:
> > +#if IS_ENABLED(CONFIG_NF_TPROXY_IPV6)
> > +	case NFPROTO_IPV6:
> > +#endif
> > +	case NFPROTO_INET:
> > +		break;
> > +	default:
> > +		return -EOPNOTSUPP;
> > +	}
> > +
> > +	priv->family = ntohl(nla_get_be32(tb[NFTA_TPROXY_FAMILY]));
> > +	if ((priv->family == NFPROTO_IPV4 && ctx->family == NFPROTO_IPV6) ||
> > +	    (priv->family == NFPROTO_IPV6 && ctx->family == NFPROTO_IPV4))
> > +		return -EINVAL;
> > +
> > +	switch (priv->family) {
> > +	case NFPROTO_IPV4:
> > +		alen = FIELD_SIZEOF(union nf_inet_addr, in);
> > +		break;
> > +#if IS_ENABLED(CONFIG_NF_TPROXY_IPV6)
> > +	case NFPROTO_IPV6:
> > +		alen = FIELD_SIZEOF(union nf_inet_addr, in6);
> > +		break;
> > +#endif
> > +	case NFPROTO_INET:
> > +		/* No address is specified here */
> > +		break;
> > +	default:
> > +		return -EOPNOTSUPP;
> > +	}
> > +
> > +	if (tb[NFTA_TPROXY_REG_ADDR]) {
> > +		priv->sreg_addr = nft_parse_register(tb[NFTA_TPROXY_REG_ADDR]);
> > +		err = nft_validate_register_load(priv->sreg_addr, alen);
> > +		if (err < 0)
> > +			return err;
> > +	}
> > +
> > +	plen = sizeof(u16);
> > +	if (tb[NFTA_TPROXY_REG_PORT]) {
> > +		priv->sreg_port = nft_parse_register(tb[NFTA_TPROXY_REG_PORT]);
> > +		err = nft_validate_register_load(priv->sreg_port, plen);
> > +		if (err < 0)
> > +			return err;
> > +	}
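Review bot: when priv->family is NFPROTO_INET the second switch leaves alen at 0 (the comment says no address is specified), yet the `if (tb[NFTA_TPROXY_REG_ADDR])` block below still parses the register and calls nft_validate_register_load(priv->sreg_addr, 0); reject NFTA_TPROXY_REG_ADDR with -EINVAL explicitly in the NFPROTO_INET case rather than relying on the zero-length load being refused further down. Style in the same hunk: `switch(ctx->family)` is missing the space after `switch` that `switch (priv->family)` has.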
> 
> How does this work if neither address nor port is set?

It uses the original destination IP address and port for the socket lookup. Florian
already drew my attention to the fact that it does not make any sense, so I'll remove
this scenario; an address or port will have to be specified.