Re: [PATCH nf-next 4/5] netfilter: nft_tunnel: support NFT_TUNNEL_IPV6_SRC/DST match

Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> · Fri, 15 Nov 2019 23:56:18 +0100

On Thu, Oct 24, 2019 at 06:35:35PM +0800, wenxu@xxxxxxxxx wrote:
> From: wenxu <wenxu@xxxxxxxxx>
> 
> Add new two NFT_TUNNEL_IPV6_SRC/DST match in nft_tunnel
> 
> Signed-off-by: wenxu <wenxu@xxxxxxxxx>
> ---
>  include/uapi/linux/netfilter/nf_tables.h |  2 ++
>  net/netfilter/nft_tunnel.c               | 28 ++++++++++++++++++++++++++++
>  2 files changed, 30 insertions(+)
> 
> diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
> index 7f65019..584868d 100644
> --- a/include/uapi/linux/netfilter/nf_tables.h
> +++ b/include/uapi/linux/netfilter/nf_tables.h
> @@ -1777,6 +1777,8 @@ enum nft_tunnel_keys {
>  	NFT_TUNNEL_ID,
>  	NFT_TUNNEL_IPV4_SRC,
>  	NFT_TUNNEL_IPV4_DST,
> +	NFT_TUNNEL_IPV6_SRC,
> +	NFT_TUNNEL_IPV6_DST,
>  	__NFT_TUNNEL_MAX
>  };
>  #define NFT_TUNNEL_MAX	(__NFT_TUNNEL_MAX - 1)
> diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c
> index 580b51b..0a3005d 100644
> --- a/net/netfilter/nft_tunnel.c
> +++ b/net/netfilter/nft_tunnel.c
> @@ -96,6 +96,30 @@ static void nft_tunnel_get_eval(const struct nft_expr *expr,
>  		else
>  			regs->verdict.code = NFT_BREAK;
>  		break;
> +	case NFT_TUNNEL_IPV6_SRC:
> +		if (!tun_info) {
> +			regs->verdict.code = NFT_BREAK;
> +			return;
> +		}
> +		if (nft_tunnel_mode_validate(priv->mode, tun_info->mode,
> +					     NFT_INET_IPV6_TYPE))

And here, add nft_tunnel_mode_match_ip6().

> +			memcpy(dest, &tun_info->key.u.ipv6.src,
> +			       sizeof(struct in6_addr));
> +		else
> +			regs->verdict.code = NFT_BREAK;
> +		break;
> +	case NFT_TUNNEL_IPV6_DST:
> +		if (!tun_info) {
> +			regs->verdict.code = NFT_BREAK;
> +			return;
> +		}
> +		if (nft_tunnel_mode_validate(priv->mode, tun_info->mode,
> +					     NFT_INET_IPV6_TYPE))
> +			memcpy(dest, &tun_info->key.u.ipv6.dst,
> +			       sizeof(struct in6_addr));
> +		else
> +			regs->verdict.code = NFT_BREAK;
> +		break;
>  	default:
>  		WARN_ON(1);
>  		regs->verdict.code = NFT_BREAK;
> @@ -129,6 +153,10 @@ static int nft_tunnel_get_init(const struct nft_ctx *ctx,
>  	case NFT_TUNNEL_IPV4_DST:
>  		len = sizeof(u32);
>  		break;
> +	case NFT_TUNNEL_IPV6_SRC:
> +	case NFT_TUNNEL_IPV6_DST:
> +		len = sizeof(struct in6_addr);
> +		break;
>  	default:
>  		return -EOPNOTSUPP;
>  	}
> -- 
> 1.8.3.1
> 