Hi,

This is an early RFC to show progress on the inner match support, which allows matching on inner header fields that are usually encapsulated by tunnel protocols.

The inner expression provides a parser for the tunneled packet which uses a userspace description of the expected inner headers, then the inner expression (only payload is supported at this stage) is used to match on the inner header protocol fields, using the new link, network and transport offsets.

Only VxLAN is supported in this patchset, I have work-in-progress with other types of tunnel protocols, such as IPIP and GRE.

Currently nft generates bytecode to match on ethernet link layer and IPv4/IPv6 header fields. More work in userspace is required to generalize protocol tracking and implicit dependencies by reusing the existing codebase. Matching on VxLAN containing a VLAN frame is also broken, for the same reason. Maybe VxLAN containing VLAN is not top priority to support at this stage, but the goal is to allow for such flexibility by allowing users to fetch this new feature via userspace tool update.

As an example, the bytecode that nft generates using this new expression looks like this:

# nft --debug=netlink add rule x y udp dport 7777 vxlan ip saddr 1.2.3.4
ip x y
  [ meta load l4proto => reg 1 ]
  [ cmp eq reg 1 0x00000011 ]
  [ payload load 2b @ transport header + 2 => reg 1 ]
  [ cmp eq reg 1 0x0000611e ]
  [ inner hdrsize 8 flags f type 1 nfproto 2 [ payload load 4b @ network header + 12 => reg 1 ] ]
  [ cmp eq reg 1 0x04030201 ]

Comments welcome.
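To make the bytecode above concrete, here is an added walk-through (not part of the patch or of nft) that evaluates the same rule by hand over a constructed VxLAN packet: outer UDP dport check, then skipping the 8-byte VxLAN header (hdrsize 8) and re-deriving the inner link and network offsets before loading 4 bytes at inner network header + 12 (the IPv4 source address). It assumes "type 1" means an inner Ethernet frame, "nfproto 2" means AF_INET, and a little-endian host for the register rendering.

```python
import struct
from ipaddress import IPv4Address

VXLAN_HDRSIZE = 8        # "inner hdrsize 8": bytes skipped after the outer UDP header
ETH_HLEN = 14            # inner link header assumed to be Ethernet ("type 1")
ETH_P_IP = 0x0800        # inner network header expected by "nfproto 2" (AF_INET)

def reg_word(data: bytes) -> int:
    """Render raw payload bytes the way --debug=netlink prints a register:
    the bytes are compared as-is, and the word is shown in host order
    (little-endian x86 assumed), so 7777 shows as 0x611e and 1.2.3.4 as 0x04030201."""
    return int.from_bytes(data.ljust(4, b"\0"), "little")

def build_sample(inner_saddr="1.2.3.4", outer_dport=7777) -> bytes:
    """Constructed packet starting at the outer IPv4 header, as nft sees it:
    outer IPv4/UDP -> VxLAN (flags 0x08, VNI 42) -> Ethernet -> inner IPv4.
    MACs, checksums and addresses are dummies; only the matched fields matter."""
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                           IPv4Address(inner_saddr).packed,
                           IPv4Address("10.0.0.1").packed)
    inner_eth = b"\x02" * 12 + struct.pack("!H", ETH_P_IP)
    vxlan = struct.pack("!II", 0x08 << 24, 42 << 8)   # flags byte + VNI<<8
    payload = vxlan + inner_eth + inner_ip
    udp = struct.pack("!HHHH", 4789, outer_dport, 8 + len(payload), 0)
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + 8 + len(payload), 0, 0,
                           64, 17, 0, IPv4Address("192.0.2.1").packed,
                           IPv4Address("192.0.2.2").packed)
    return outer_ip + udp + payload

def match_rule(pkt: bytes) -> bool:
    """Walk the rule's bytecode by hand: udp dport 7777 vxlan ip saddr 1.2.3.4."""
    th = (pkt[0] & 0x0F) * 4                           # outer transport header offset
    if pkt[9] != 17:                                   # meta l4proto == 0x11 (UDP)
        return False
    if pkt[th + 2:th + 4] != struct.pack("!H", 7777):  # 2b @ transport header + 2
        return False
    # The inner expression skips the UDP header plus hdrsize bytes of VxLAN,
    # then derives fresh link/network offsets for the encapsulated frame.
    inner_ll = th + 8 + VXLAN_HDRSIZE
    if pkt[inner_ll + 12:inner_ll + 14] != struct.pack("!H", ETH_P_IP):
        return False                                   # inner frame is not IPv4
    inner_nh = inner_ll + ETH_HLEN
    saddr = pkt[inner_nh + 12:inner_nh + 16]           # 4b @ inner network header + 12
    return saddr == IPv4Address("1.2.3.4").packed      # cmp eq reg 1 0x04030201
```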
Pablo Neira Ayuso (1):
  netfilter: nft_inner: support for inner header matching

 include/net/netfilter/nf_tables.h        |   5 +
 include/net/netfilter/nf_tables_core.h   |  22 ++
 include/uapi/linux/netfilter/nf_tables.h |  27 ++
 net/netfilter/Makefile                   |   2 +-
 net/netfilter/nf_tables_api.c            |  37 +++
 net/netfilter/nf_tables_core.c           |   1 +
 net/netfilter/nft_inner.c                | 303 +++++++++++++++++++++++
 net/netfilter/nft_payload.c              | 113 ++++++++-
 8 files changed, 508 insertions(+), 2 deletions(-)
 create mode 100644 net/netfilter/nft_inner.c

-- 
2.30.2