From: wenxu <wenxu@xxxxxxxxx>
nft add rule bridge firewall rule-100-ingress ip protocol icmp drop
The rule like above "ip protocol icmp", the packet will not be matched, It tracelate base=NFT_PAYLOAD_LL_HEADER off=12 && base=NFT_PAYLOAD_NETWORK_HEADER off=11 if the packet contained with tag info. But the user don't care about the vlan tag.
Signed-off-by: wenxu <wenxu@xxxxxxxxx>
---
 include/uapi/linux/netfilter/nf_tables.h | 2 ++
 net/netfilter/nft_payload.c | 10 +++++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 505393c..345787f 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -673,11 +673,13 @@ enum nft_dynset_attributes {
 * @NFT_PAYLOAD_LL_HEADER: link layer header
 * @NFT_PAYLOAD_NETWORK_HEADER: network header
 * @NFT_PAYLOAD_TRANSPORT_HEADER: transport header
+ * @NFT_PAYLOAD_LL_HEADER_NO_TAG: link layer header ignore vlan tag
 */
 enum nft_payload_bases {
 NFT_PAYLOAD_LL_HEADER,
 NFT_PAYLOAD_NETWORK_HEADER,
 NFT_PAYLOAD_TRANSPORT_HEADER,
+ NFT_PAYLOAD_LL_HEADER_NO_TAG,
 };
 /**
diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c
index 1465b7d..3cc7398 100644
--- a/net/netfilter/nft_payload.c
+++ b/net/netfilter/nft_payload.c
@@ -93,6 +93,12 @@ void nft_payload_eval(const struct nft_expr *expr,
 }
 offset = skb_mac_header(skb) - skb->data;
 break;
+ case NFT_PAYLOAD_LL_HEADER_NO_TAG:
+ if (!skb_mac_header_was_set(skb))
+ goto err;
+
+ offset = skb_mac_header(skb) - skb->data;
+ break;
 case NFT_PAYLOAD_NETWORK_HEADER:
 offset = skb_network_offset(skb);
 break;
@@ -403,6 +409,7 @@ static int nft_payload_set_dump(struct sk_buff *skb, const struct nft_expr *expr
 case NFT_PAYLOAD_LL_HEADER:
 case NFT_PAYLOAD_NETWORK_HEADER:
 case NFT_PAYLOAD_TRANSPORT_HEADER:
+ case NFT_PAYLOAD_LL_HEADER_NO_TAG:
 break;
 default:
 return ERR_PTR(-EOPNOTSUPP);
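Review bot: The kernel-doc line added for @NFT_PAYLOAD_LL_HEADER_NO_TAG does not say what "ignore vlan tag" means for the user-visible offset, and that contract is the whole point of a new UAPI base value. I would write ` * @NFT_PAYLOAD_LL_HEADER_NO_TAG: link layer header with any in-line 802.1Q/802.1ad tag skipped, so offsets are relative to the untagged Ethernet header` and keep it in sync with whatever nft_payload_eval actually does for this base. Appending the value after NFT_PAYLOAD_TRANSPORT_HEADER keeps the existing numbering stable, which is the right thing for a UAPI enum.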
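Review bot: The new NFT_PAYLOAD_LL_HEADER_NO_TAG case in nft_payload_eval is byte-for-byte the NFT_PAYLOAD_LL_HEADER case directly above it: it does the same skb_mac_header_was_set() check and sets `offset = skb_mac_header(skb) - skb->data`, and nothing in it inspects the frame's ethertype or skb_vlan_tag_present(), so a tagged frame is read exactly as before and the ethertype read at link-layer offset 12 from the commit message still returns the tag. To actually ignore an in-line 802.1Q/802.1ad tag the case has to detect it and advance past VLAN_HLEN for reads at or beyond the ethertype, as sketched below; this assumes `priv->offset` is the user offset that is later added to `offset` in the copy, which is outside the hunk. A read that straddles the MAC-address/ethertype boundary would still see the tag and is deliberately left alone, and frames whose tag was already stripped into skb->vlan_tci presumably need no shift because the in-line header is then untagged. nft_payload_eval begins and ends outside this hunk.
```c
	case NFT_PAYLOAD_LL_HEADER_NO_TAG: {
		__be16 proto;

		if (!skb_mac_header_was_set(skb))
			goto err;

		offset = skb_mac_header(skb) - skb->data;
		/* Skip an in-line 802.1Q/802.1ad tag so that priv->offset
		 * addresses the untagged Ethernet header; the MAC addresses
		 * (offset < 12) sit before the tag and need no shift.
		 */
		if (priv->offset >= 2 * ETH_ALEN &&
		    skb_copy_bits(skb, offset + 2 * ETH_ALEN,
				  &proto, sizeof(proto)) == 0 &&
		    (proto == htons(ETH_P_8021Q) ||
		     proto == htons(ETH_P_8021AD)))
			offset += VLAN_HLEN;
		break;
	}
	/* … unchanged: NFT_PAYLOAD_NETWORK_HEADER case … */
```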
@@ -421,7 +428,8 @@ static int nft_payload_set_dump(struct sk_buff *skb, const struct nft_expr *expr
 len = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_LEN]));
 if (len <= 4 && is_power_of_2(len) && IS_ALIGNED(offset, len) &&
- base != NFT_PAYLOAD_LL_HEADER)
+ base != NFT_PAYLOAD_LL_HEADER &&
+ base != NFT_PAYLOAD_LL_HEADER_NO_TAG)
 return &nft_payload_fast_ops;
 else
 return &nft_payload_ops;
--
1.8.3.1
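Review bot: The widened condition now sends two link-layer bases to nft_payload_ops without saying why, so a reader has to go to nft_payload_eval to learn that it is the slow path that performs the skb_mac_header_was_set() check (and, for the new base, any per-packet tag inspection the base is meant to do); the fast ops presumably do neither. I would put a one-line comment above the `if`: `/* LL bases need the mac-header check (and tag handling) done in nft_payload_eval */`. The enclosing function starts outside the hunk, and the name in the @@ context line is git's heuristic rather than necessarily the function being edited.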