[PATCH nf-next 15/19] netfilter: nft: add payload application

Boris Sukholitko <boris.sukholitko@xxxxxxxxxxxx> · Wed, 3 May 2023 15:55:48 +0300

nf_flow_offload_apply_payload function is defined in the new
nft_conntrack_ext.c file. It applies payload changes using
nft_payload_mangle helper.

Signed-off-by: Boris Sukholitko <boris.sukholitko@xxxxxxxxxxxx>
---
 include/net/netfilter/nf_tables.h | 13 +++++++++++++
 net/netfilter/Makefile            |  2 ++
 net/netfilter/nft_conntrack_ext.c | 26 ++++++++++++++++++++++++++
 3 files changed, 41 insertions(+)
 create mode 100644 net/netfilter/nft_conntrack_ext.c

diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index ffcbe25d6bd2..48357db14602 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -1757,10 +1757,23 @@ static inline void nfct_nft_ext_add(struct nf_conn *ct)
 	if (ext)
 		memset(ext, 0, sizeof(*ext));
 }
+
+int nf_flow_offload_apply_payload(struct sk_buff *skb,
+				  struct nf_conn *ct,
+				  enum ip_conntrack_dir dir,
+				  unsigned int thoff);
 #else
 static inline void nfct_nft_ext_add(struct nf_conn *ct)
 {
 }
+
+static inline int nf_flow_offload_apply_payload(struct sk_buff *skb,
+						struct nf_conn *ct,
+						enum ip_conntrack_dir dir,
+						unsigned int thoff)
+{
+	return 0;
+}
 #endif
 
 #endif /* _NET_NF_TABLES_H */
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index d4958e7e7631..c28bf8eaa759 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -135,6 +135,8 @@ obj-$(CONFIG_NFT_SYNPROXY)	+= nft_synproxy.o
 
 obj-$(CONFIG_NFT_NAT)		+= nft_chain_nat.o
 
+obj-$(CONFIG_NFT_CONNTRACK_EXT)	+= nft_conntrack_ext.o
+
 # nf_tables netdev
 obj-$(CONFIG_NFT_DUP_NETDEV)	+= nft_dup_netdev.o
 obj-$(CONFIG_NFT_FWD_NETDEV)	+= nft_fwd_netdev.o
diff --git a/net/netfilter/nft_conntrack_ext.c b/net/netfilter/nft_conntrack_ext.c
new file mode 100644
index 000000000000..0dabd2a84422
--- /dev/null
+++ b/net/netfilter/nft_conntrack_ext.c
@@ -0,0 +1,26 @@
+// SPDX-License-Identifier: GPL-2.0
+#include <net/netfilter/nf_tables.h>
+
+int nf_flow_offload_apply_payload(struct sk_buff *skb,
+				  struct nf_conn *ct,
+				  enum ip_conntrack_dir dir,
+				  unsigned int thoff)
+{
+	struct nf_conn_nft_ext_entry *en;
+	struct nf_conn_nft_ext *ncft;
+	struct nft_pktinfo pkt;
+
+	ncft = nf_ct_ext_find(ct, NF_CT_EXT_NFT_EXT);
+	if (!ncft)
+		return 0;
+
+	en = &ncft->nfte_entries[dir];
+	if (en->nfte_type != NFT_EXT_PAYLOAD_SET)
+		return 0;
+
+	memset(&pkt, 0, sizeof(pkt));
+	pkt.skb = skb;
+	pkt.thoff = thoff;
+	return nft_payload_mangle(&en->nfte_payload, &pkt, &en->nfte_data);
+}
+EXPORT_SYMBOL_GPL(nf_flow_offload_apply_payload);
-- 
2.32.0

Attachment:
smime.p7s

Description: S/MIME Cryptographic Signature




