nf_flow_offload_save_payload saves the payload in the nftables conntrack extension so that nf_flow_offload_apply_payload can apply it later.

Signed-off-by: Boris Sukholitko <boris.sukholitko@xxxxxxxxxxxx>
---
 include/net/netfilter/nf_tables.h | 11 +++++++++++
 net/netfilter/nft_conntrack_ext.c | 30 ++++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+)

diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 48357db14602..6bfb38738838 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -1762,6 +1762,10 @@ int nf_flow_offload_apply_payload(struct sk_buff *skb,
 struct nf_conn *ct,
 enum ip_conntrack_dir dir,
 unsigned int thoff);
+
+int nf_flow_offload_save_payload(struct sk_buff *skb,
+ const struct nft_payload_set *priv,
+ const u32 *src);
 #else
 static inline void nfct_nft_ext_add(struct nf_conn *ct)
 {
@@ -1774,6 +1778,13 @@ static inline int nf_flow_offload_apply_payload(struct sk_buff *skb,
 {
 return 0;
 }
+
+static inline int nf_flow_offload_save_payload(struct sk_buff *skb,
+ const struct nft_payload_set *priv,
+ const u32 *src)
+{
+ return -1;
+}
 #endif
 #endif /* _NET_NF_TABLES_H */
diff --git a/net/netfilter/nft_conntrack_ext.c b/net/netfilter/nft_conntrack_ext.c
index 0dabd2a84422..750aeaaf2928 100644
--- a/net/netfilter/nft_conntrack_ext.c
+++ b/net/netfilter/nft_conntrack_ext.c
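Review bot: The `#else` stub of nf_flow_offload_save_payload returns a bare `-1`, while the neighbouring nf_flow_offload_apply_payload stub shown as context in the same hunk returns 0, so a caller sees a hard failure whenever the extension is compiled out and cannot tell that case from a real error. A negative errno would be more conventional here, e.g. `return -EOPNOTSUPP;`. The implementation in nft_conntrack_ext.c has the same issue: it could return distinct codes for the no-conntrack, no-extension and slot-already-used cases instead of a single `-1`. The prototype added in the first hunk would also benefit from a short comment stating the return contract, and that an already populated per-direction entry is left untouched rather than overwritten.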
@@ -1,6 +1,36 @@
 // SPDX-License-Identifier: GPL-2.0
 #include <net/netfilter/nf_tables.h>
+int nf_flow_offload_save_payload(struct sk_buff *skb,
+ const struct nft_payload_set *priv,
+ const u32 *src)
+{
+ struct nf_conn_nft_ext_entry *en;
+ enum ip_conntrack_info ctinfo;
+ struct nf_conn_nft_ext *ncft;
+ struct nf_conn *ct;
+
+ ct = nf_ct_get(skb, &ctinfo);
+ if (!ct)
+ goto err;
+
+ ncft = nf_ct_ext_find(ct, NF_CT_EXT_NFT_EXT);
+ if (!ncft)
+ goto err;
+
+ en = &ncft->nfte_entries[CTINFO2DIR(ctinfo)];
+ if (en->nfte_type != NFT_EXT_UNDEFINED)
+ goto err;
+
+ en->nfte_type = NFT_EXT_PAYLOAD_SET;
+ en->nfte_data = *src;
+ memcpy(&en->nfte_payload, priv, sizeof(*priv));
+ return 0;
+err:
+ return -1;
+}
+EXPORT_SYMBOL_GPL(nf_flow_offload_save_payload);
+
 int nf_flow_offload_apply_payload(struct sk_buff *skb,
 struct nf_conn *ct,
 enum ip_conntrack_dir dir,
--
2.32.0
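Review bot: `en->nfte_data = *src;` stores exactly one u32 and `priv->len` is never compared with that size, so a payload-set expression longer than four bytes is saved truncated while the copied `nft_payload_set` still carries the original length. If nf_flow_offload_apply_payload (its body lies outside this hunk) later uses that length against `nfte_data`, it would read past the saved word; rejecting the case up front with `if (priv->len > sizeof(en->nfte_data)) goto err;` avoids relying on the reader. The entry is also published before it is filled: `nfte_type` is set to NFT_EXT_PAYLOAD_SET ahead of the data and payload writes, and the test-then-set on `nfte_type` has no visible synchronisation, so if packets of one connection can be handled on two CPUs a reader may observe a half-written entry. Writing the type last, e.g. `smp_store_release(&en->nfte_type, NFT_EXT_PAYLOAD_SET);` after the memcpy with a matching acquire load on the apply side, would close that window.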