Hi,

This patchset adds support for matching on inner header fields that are
usually encapsulated by tunnel protocols. The inner expression provides a
packet parser for the tunneled packet which uses a userspace description
of the expected inner headers. Then, the inner expression (only payload
and meta are supported at this stage) is used to match on the inner
header protocol fields, using the new link, network and transport
offsets as well as inner metadata.

This patchset adds support for VxLAN; more tunnel protocols can be
supported via userspace updates only. The existing userspace nftables
codebase is used to match on inner ethernet link layer, IPv4/IPv6 header
and transport header fields. This patchset generalizes the existing
protocol tracking codebase to cover both outer and inner headers.

As an example, the bytecode that nft generates using this new expression
looks like this:

 # nft --debug=netlink add rule netdev x y udp dport 4789 vxlan ip saddr 1.2.3.4
 netdev x y
   [ meta load l4proto => reg 1 ]
   [ cmp eq reg 1 0x00000011 ]
   [ payload load 2b @ transport header + 2 => reg 1 ]
   [ cmp eq reg 1 0x0000b512 ]
   [ inner type 1 hdrsize 8 flags f [ meta load protocol => reg 1 ] ]
   [ cmp eq reg 1 0x00000008 ]
   [ inner type 1 hdrsize 8 flags f [ payload load 4b @ network header + 12 => reg 1 ] ]
   [ cmp eq reg 1 0x04030201 ]

Use of tunnel protocol inner header fields in set/maps and concatenations
is also supported.
Pablo Neira Ayuso (2):
  netfilter: nft_inner: support for inner tunnel header matching
  netfilter: nft_meta: add inner match support

 include/net/netfilter/nf_tables.h        |   5 +
 include/net/netfilter/nf_tables_core.h   |  24 ++
 include/net/netfilter/nft_meta.h         |   6 +
 include/uapi/linux/netfilter/nf_tables.h |  26 ++
 net/netfilter/Makefile                   |   3 +-
 net/netfilter/nf_tables_api.c            |  37 +++
 net/netfilter/nf_tables_core.c           |   1 +
 net/netfilter/nft_inner.c                | 320 +++++++++++++++++++++++
 net/netfilter/nft_meta.c                 |  65 +++++
 net/netfilter/nft_payload.c              |  89 ++++++-
 10 files changed, 574 insertions(+), 2 deletions(-)
 create mode 100644 net/netfilter/nft_inner.c

-- 
2.30.2
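As an added illustration (this is not code from the patchset or from the nftables project), the following userspace C program models the inner-header walk the cover letter describes for VxLAN: skip the 8-byte tunnel header ("type 1 hdrsize 8" in the bytecode above), record the inner link, network and transport offsets, and then evaluate the "ip saddr 1.2.3.4" test as a 4-byte load at inner network header + 12. The sample frame is constructed inline and all function and struct names are this example's own, not the kernel's. It also shows the two checks the real parser must make before trusting any offset: the VxLAN flags byte and the buffer length.

```c
/* Added example: a userspace model of parsing a VxLAN-encapsulated frame
 * into inner link/network/transport offsets. Not kernel code. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define VXLAN_HDRSIZE   8       /* matches "hdrsize 8" in the nft bytecode */
#define VXLAN_FLAG_VNI  0x08    /* "I" bit: a VNI is present */
#define ETH_HLEN        14
#define ETH_P_IP        0x0800

struct inner_offsets {
    size_t   ll;        /* inner link-layer (Ethernet) header offset */
    size_t   nh;        /* inner network header offset */
    size_t   th;        /* inner transport header offset */
    uint16_t protocol;  /* inner ethertype, what "meta protocol" would load */
    uint8_t  l4proto;   /* inner IP protocol, what "meta l4proto" would load */
};

/* Parse the bytes that follow the outer UDP header. Returns 0 on success,
 * -1 if the buffer is too short or the tunnel/inner headers are malformed.
 * Only inner IPv4 is handled in this example. */
int vxlan_parse_inner(const uint8_t *buf, size_t len, struct inner_offsets *o)
{
    if (len < VXLAN_HDRSIZE + ETH_HLEN + 20)
        return -1;
    if (!(buf[0] & VXLAN_FLAG_VNI))       /* not a valid VxLAN header */
        return -1;
    o->ll = VXLAN_HDRSIZE;
    o->protocol = (uint16_t)((buf[o->ll + 12] << 8) | buf[o->ll + 13]);
    if (o->protocol != ETH_P_IP)
        return -1;
    o->nh = o->ll + ETH_HLEN;
    if ((buf[o->nh] >> 4) != 4)            /* inner IP version must be 4 */
        return -1;
    size_t ihl = (size_t)(buf[o->nh] & 0x0f) * 4;
    if (ihl < 20 || o->nh + ihl > len)     /* bogus IHL or truncated header */
        return -1;
    o->l4proto = buf[o->nh + 9];
    o->th = o->nh + ihl;
    return 0;
}

/* "payload load 4b @ network header + 12", assembled in network byte order.
 * nft's debug output prints the same bytes as a host-endian word, which is
 * why 1.2.3.4 appears as 0x04030201 in the bytecode above. */
uint32_t inner_ip_saddr(const uint8_t *buf, const struct inner_offsets *o)
{
    const uint8_t *p = buf + o->nh + 12;
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Constructed sample: VxLAN (VNI 42) + Ethernet + IPv4 1.2.3.4 -> 10.0.0.1
 * carrying an 8-byte UDP header. Returns the frame length, 0 if cap is too small. */
size_t build_sample(uint8_t *out, size_t cap)
{
    static const uint8_t vxlan[VXLAN_HDRSIZE] = { 0x08, 0, 0, 0, 0, 0, 42, 0 };
    static const uint8_t eth[ETH_HLEN] = {
        0x02, 0, 0, 0, 0, 0x01,            /* dst MAC (constructed) */
        0x02, 0, 0, 0, 0, 0x02,            /* src MAC (constructed) */
        0x08, 0x00 };                      /* ethertype IPv4 */
    static const uint8_t ip[20] = {
        0x45, 0x00, 0x00, 0x1c,            /* v4, IHL 5, total length 28 */
        0x00, 0x00, 0x00, 0x00,
        0x40, 0x11, 0x00, 0x00,            /* TTL 64, proto UDP, csum left 0 */
        1, 2, 3, 4,                        /* saddr 1.2.3.4 */
        10, 0, 0, 1 };                     /* daddr 10.0.0.1 */
    static const uint8_t udp[8] = { 0x04, 0xd2, 0x00, 0x35, 0x00, 0x08, 0, 0 };
    size_t n = sizeof vxlan + sizeof eth + sizeof ip + sizeof udp;
    if (cap < n)
        return 0;
    uint8_t *p = out;
    memcpy(p, vxlan, sizeof vxlan); p += sizeof vxlan;
    memcpy(p, eth,   sizeof eth);   p += sizeof eth;
    memcpy(p, ip,    sizeof ip);    p += sizeof ip;
    memcpy(p, udp,   sizeof udp);
    return n;
}

/* Equivalent of the rule's inner part: returns 1 if inner saddr is 1.2.3.4. */
int sample_matches(void)
{
    uint8_t pkt[64];
    size_t n = build_sample(pkt, sizeof pkt);
    struct inner_offsets o;
    if (n == 0 || vxlan_parse_inner(pkt, n, &o) != 0)
        return 0;
    return inner_ip_saddr(pkt, &o) == 0x01020304u;
}

int main(void)
{
    uint8_t pkt[64];
    size_t n = build_sample(pkt, sizeof pkt);
    struct inner_offsets o;
    if (vxlan_parse_inner(pkt, n, &o) != 0)
        return 1;
    printf("inner ll=%zu nh=%zu th=%zu ethertype=0x%04x l4proto=%u match=%d\n",
           o.ll, o.nh, o.th, o.protocol, o.l4proto, sample_matches());
    return 0;
}
```

For the constructed frame the offsets come out as ll=8, nh=22 and th=42, which is exactly what the "network header + 12" load in the bytecode relies on once the tunnel header has been skipped; a frame whose VxLAN flags byte lacks the I bit, or one truncated inside the inner IPv4 header, is rejected before any offset is used.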