
Commit f6931f5

Florian Westphalummakynes
authored andcommitted
netfilter: meta: secpath support
A replacement for the iptables "-m policy --dir in --policy {ipsec,none}" match. Signed-off-by: Florian Westphal <[email protected]> Signed-off-by: Pablo Neira Ayuso <[email protected]>
1 parent b3a6125 commit f6931f5


2 files changed

+45
-0
lines changed


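--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -777,6 +777,7 @@ enum nft_exthdr_attributes {
 * @NFT_META_OIFGROUP: packet output interface group
 * @NFT_META_CGROUP: socket control group (skb->sk->sk_classid)
 * @NFT_META_PRANDOM: a 32bit pseudo-random number
+* @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp)
 */
 enum nft_meta_keys {
 NFT_META_LEN,
@@ -804,6 +805,7 @@ enum nft_meta_keys {
 NFT_META_OIFGROUP,
 NFT_META_CGROUP,
 NFT_META_PRANDOM,
+NFT_META_SECPATH,
 };
 
 /**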

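--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -210,6 +210,11 @@ void nft_meta_get_eval(const struct nft_expr *expr,
 *dest = prandom_u32_state(state);
 break;
 }
+#ifdef CONFIG_XFRM
+case NFT_META_SECPATH:
+nft_reg_store8(dest, !!skb->sp);
+break;
+#endif
 default:
 WARN_ON(1);
 goto err;
@@ -308,6 +313,11 @@ int nft_meta_get_init(const struct nft_ctx *ctx,
 prandom_init_once(&nft_prandom_state);
 len = sizeof(u32);
 break;
+#ifdef CONFIG_XFRM
+case NFT_META_SECPATH:
+len = sizeof(u8);
+break;
+#endif
 default:
 return -EOPNOTSUPP;
 }
@@ -318,6 +328,38 @@ int nft_meta_get_init(const struct nft_ctx *ctx,
 }
 EXPORT_SYMBOL_GPL(nft_meta_get_init);
 
+static int nft_meta_get_validate(const struct nft_ctx *ctx,
+const struct nft_expr *expr,
+const struct nft_data **data)
+{
+#ifdef CONFIG_XFRM
+const struct nft_meta *priv = nft_expr_priv(expr);
+unsigned int hooks;
+
+if (priv->key != NFT_META_SECPATH)
+return 0;
+
+switch (ctx->afi->family) {
+case NFPROTO_NETDEV:
+hooks = 1 << NF_NETDEV_INGRESS;
+break;
+case NFPROTO_IPV4:
+case NFPROTO_IPV6:
+case NFPROTO_INET:
+hooks = (1 << NF_INET_PRE_ROUTING) |
+(1 << NF_INET_LOCAL_IN) |
+(1 << NF_INET_FORWARD);
+break;
+default:
+return -EOPNOTSUPP;
+}
+
+return nft_chain_validate_hooks(ctx->chain, hooks);
+#else
+return 0;
+#endif
+}
+
 int nft_meta_set_validate(const struct nft_ctx *ctx,
 const struct nft_expr *expr,
 const struct nft_data **data)
@@ -434,6 +476,7 @@ static const struct nft_expr_ops nft_meta_get_ops = {
 .eval = nft_meta_get_eval,
 .init = nft_meta_get_init,
 .dump = nft_meta_get_dump,
+.validate = nft_meta_get_validate,
 };
 
 static const struct nft_expr_ops nft_meta_set_ops = {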
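Review bot: nft_meta_get_validate (third hunk of this file, the whole function is inside the hunk) restricts NFT_META_SECPATH to ingress/prerouting/input/forward hooks without saying why, and the restriction is the security-relevant part of the change: the secpath is only attached on the receive path, so a rule using this key in an output-side hook would evaluate to a constant and silently never match. Add a comment above the switch, e.g. `/* secpath is only populated on the input path; reject hooks where it can never match */`, so the hook mask is not loosened later by someone who reads it as arbitrary. It is also worth confirming (not visible here) what nft_chain_validate_hooks does when ctx->chain is not a base chain; if it only constrains base chains, a rule in a regular chain reached by a jump from an output-side base chain would pass validation and always yield 0, which should at least be documented. The default branch returning -EOPNOTSUPP for other families, and the matching u8 store in the eval hunk with len = sizeof(u8) in the init hunk, are consistent; nft_meta_get_eval and nft_meta_get_init start outside their hunks.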
