Re: [PATCH v2 nf-next] netfilter: nft: add support for native socket matching
On Fri, Jun 01, 2018 at 09:36:01AM +0200, Pablo Neira Ayuso wrote: > On Wed, May 30, 2018 at 12:13:22PM +0200, Máté Eckl wrote: > > Now it can only match the transparent flag of an ip/ipv6 socket. > > Applied with minor cosmetic changes, thanks. I took v3, just for the record. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH v2 nf-next] netfilter: nft: add support for native socket matching
On Wed, May 30, 2018 at 12:13:22PM +0200, Máté Eckl wrote: > Now it can only match the transparent flag of an ip/ipv6 socket. Applied with minor cosmetic changes, thanks. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH v2 nf-next] netfilter: nft: add support for native socket matching
Hi Máté, Thank you for the patch! Yet something to improve: [auto build test ERROR on nf-next/master] url: https://github.com/0day-ci/linux/commits/M-t-Eckl/netfilter-nft-add-support-for-native-socket-matching/20180601-080238 base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master config: i386-allmodconfig (attached as .config) compiler: gcc-7 (Debian 7.3.0-16) 7.3.0 reproduce: # save the attached .config to linux build tree make ARCH=i386 All errors (new ones prefixed by >>): In file included from net/netfilter/nft_socket.c:7:0: include/net/netfilter/nf_socket.h: In function 'nf_sk_is_transparent': >> include/net/netfilter/nf_socket.h:12:12: error: dereferencing pointer to >> incomplete type 'struct sock' switch (sk->sk_state) { ^~ >> include/net/netfilter/nf_socket.h:13:7: error: 'TCP_TIME_WAIT' undeclared >> (first use in this function); did you mean 'BPF_TCP_TIME_WAIT'? case TCP_TIME_WAIT: ^ BPF_TCP_TIME_WAIT include/net/netfilter/nf_socket.h:13:7: note: each undeclared identifier is reported only once for each function it appears in >> include/net/netfilter/nf_socket.h:14:10: error: implicit declaration of >> function 'inet_twsk'; did you mean 'in_task'? >> [-Werror=implicit-function-declaration] return inet_twsk(sk)->tw_transparent; ^ in_task >> include/net/netfilter/nf_socket.h:14:23: error: invalid type argument of >> '->' (have 'int') return inet_twsk(sk)->tw_transparent; ^~ >> include/net/netfilter/nf_socket.h:15:7: error: 'TCP_NEW_SYN_RECV' undeclared >> (first use in this function); did you mean 'BPF_TCP_NEW_SYN_RECV'? case TCP_NEW_SYN_RECV: ^~~~ BPF_TCP_NEW_SYN_RECV >> include/net/netfilter/nf_socket.h:16:10: error: implicit declaration of >> function 'inet_rsk'; did you mean 'in_task'? >> [-Werror=implicit-function-declaration] return inet_rsk(inet_reqsk(sk))->no_srccheck; ^~~~ in_task >> include/net/netfilter/nf_socket.h:16:19: error: implicit declaration of >> function 'inet_reqsk'; did you mean 'net_eq'? 
>> [-Werror=implicit-function-declaration] return inet_rsk(inet_reqsk(sk))->no_srccheck; ^~ net_eq include/net/netfilter/nf_socket.h:16:34: error: invalid type argument of '->' (have 'int') return inet_rsk(inet_reqsk(sk))->no_srccheck; ^~ >> include/net/netfilter/nf_socket.h:18:10: error: implicit declaration of >> function 'inet_sk'; did you mean 'in_task'? >> [-Werror=implicit-function-declaration] return inet_sk(sk)->transparent; ^~~ in_task include/net/netfilter/nf_socket.h:18:21: error: invalid type argument of '->' (have 'int') return inet_sk(sk)->transparent; ^~ In file included from include/net/inet_sock.h:27:0, from net/netfilter/nft_socket.c:8: include/net/request_sock.h: At top level: >> include/net/request_sock.h:72:36: error: conflicting types for 'inet_reqsk' static inline struct request_sock *inet_reqsk(const struct sock *sk) ^~ In file included from net/netfilter/nft_socket.c:7:0: include/net/netfilter/nf_socket.h:16:19: note: previous implicit declaration of 'inet_reqsk' was here return inet_rsk(inet_reqsk(sk))->no_srccheck; ^~ In file included from net/netfilter/nft_socket.c:8:0: >> include/net/inet_sock.h:107:41: error: conflicting types for 'inet_rsk' static inline struct inet_request_sock *inet_rsk(const struct request_sock *sk) ^~~~ In file included from net/netfilter/nft_socket.c:7:0: include/net/netfilter/nf_socket.h:16:10: note: previous implicit declaration of 'inet_rsk' was here return inet_rsk(inet_reqsk(sk))->no_srccheck; ^~~~ In file included from net/netfilter/nft_socket.c:8:0: >> include/net/inet_sock.h:273:33: error: conflicting types for 'inet_sk' static inline struct inet_sock *inet_sk(const struct sock *sk) ^~~ In file included from net/netfilter/nft_socket.c:7:0: include/net/netfilter/nf_socket.h:18:10: note: previous implicit declaration of 'inet_sk' was here return inet_sk(sk)->transparent; ^~~ include/net/netfilter/nf_socket.h: In function 'nf_sk_is_transparent': include/net/netfilter/nf_socket.h:20:1: warning: control 
reaches end of non-void function [-Wreturn-type] } ^ cc1: some warnings being treated as errors vim +12 include/net/netfilter/nf_socket.h 8db4c5be Pablo Neira Ayuso 2016-10-27 9 8db4c5be Pablo Neira Ayuso 2016-10-27 10 static inline bool nf_sk_is_transparent(struct sock *sk) 8db4c5be Pablo
Re: [PATCH v2 nf-next] netfilter: nft: add support for native socket matching
On Wed, May 30, 2018 at 12:20:44PM +0200, Pablo Neira Ayuso wrote: > On Wed, May 30, 2018 at 12:13:22PM +0200, Máté Eckl wrote: > > + if(!sk) { > > + nft_reg_store8(dest, 0); > > + return; > > + } > > + > > + skb->sk = sk; // So that subsequent socket matching not to require > > other lookups > > Remove this comment. Or use the more orthodox comment style: /* So that subsequent socket matching not to require other lookups. */ skb->sk = sk; Thanks! -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [PATCH v2 nf-next] netfilter: nft: add support for native socket matching
On Wed, May 30, 2018 at 12:13:22PM +0200, Máté Eckl wrote: > Now it can only match the transparent flag of an ip/ipv6 socket. > > Signed-off-by: Máté Eckl > --- > include/uapi/linux/netfilter/nf_tables.h | 28 + > net/netfilter/Kconfig| 9 ++ > net/netfilter/Makefile | 1 + > net/netfilter/nft_socket.c | 143 +++ > 4 files changed, 181 insertions(+) > create mode 100644 net/netfilter/nft_socket.c > > diff --git a/include/uapi/linux/netfilter/nf_tables.h > b/include/uapi/linux/netfilter/nf_tables.h > index 9c71f024f9cc..96ab31539bf6 100644 > --- a/include/uapi/linux/netfilter/nf_tables.h > +++ b/include/uapi/linux/netfilter/nf_tables.h > @@ -904,6 +904,34 @@ enum nft_rt_attributes { > }; > #define NFTA_RT_MAX (__NFTA_RT_MAX - 1) > > +/** > + * enum nft_socket_attributes - nf_tables socket expression netlink > attributes > + * > + * @NFTA_SOCKET_KEY: socket key to match > + * @NFTA_SOCKET_DREG: destination register > + */ > +enum nft_socket_attributes { > + NFTA_SOCKET_UNSPEC, > + > + NFTA_SOCKET_KEY, > + NFTA_SOCKET_DREG, > + > + __NFTA_SOCKET_MAX > +}; > +#define NFTA_SOCKET_MAX (__NFTA_SOCKET_MAX - 1) > + > +/* > + * enum nft_socket_keys - nf_tables socket expression keys > + * > + * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option_ > + */ > +enum nft_socket_keys { > + NFT_SOCKET_TRANSPARENT, > + > + __NFT_SOCKET_MAX > +}; > +#define NFT_SOCKET_MAX (__NFT_SOCKET_MAX - 1) > + > /** > * enum nft_ct_keys - nf_tables ct expression keys > * > diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig > index 3ec8886850b2..276e1e32f44e 100644 > --- a/net/netfilter/Kconfig > +++ b/net/netfilter/Kconfig 
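Review bot: The comment block introducing `enum nft_socket_keys` in the nf_tables.h hunk opens with `/*`, while the `enum nft_socket_attributes` block a few lines above opens with `/**`; both are written in kernel-doc form (a `@NFT_SOCKET_TRANSPARENT:` member line), so the second should use the `/**` opener as well or kernel-doc will skip it. The member description also ends with a stray underscore, `socket option_`. Suggested lines: `/**` and ` * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option`.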
> @@ -613,6 +613,15 @@ config NFT_FIB_INET > The lookup will be delegated to the IPv4 or IPv6 FIB depending > on the protocol of the packet. > > +config NFT_SOCKET > + tristate "Netfilter nf_tables socket match support" > + depends on IPV6 || IPV6=n > + select NF_SOCKET_IPV4 > + select NF_SOCKET_IPV6 if IPV6 > + help > + This option allows matching for the presence or absence of a > + corresponding socket and its attributes. > + > if NF_TABLES_NETDEV > > config NF_DUP_NETDEV > diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile > index 9b3434360d49..eec169555731 100644 > --- a/net/netfilter/Makefile > +++ b/net/netfilter/Makefile > @@ -102,6 +102,7 @@ obj-$(CONFIG_NFT_FIB) += nft_fib.o > obj-$(CONFIG_NFT_FIB_INET) += nft_fib_inet.o > obj-$(CONFIG_NFT_FIB_NETDEV) += nft_fib_netdev.o > obj-$(CONFIG_NF_OSF) += nf_osf.o > +obj-$(CONFIG_NFT_SOCKET) += nft_socket.o > > # nf_tables netdev > obj-$(CONFIG_NFT_DUP_NETDEV) += nft_dup_netdev.o > diff --git a/net/netfilter/nft_socket.c b/net/netfilter/nft_socket.c > new file mode 100644 > index ..dd389b37334a > --- /dev/null > +++ b/net/netfilter/nft_socket.c 
> @@ -0,0 +1,143 @@ > +// SPDX-License-Identifier: GPL-2.0 > + > +#include > +#include > +#include > +#include > +#include > +#include > + > +struct nft_socket { > + enum nft_socket_keyskey:8; > + union { > + enum nft_registers dreg:8; > + }; > +}; > + > +static void nft_socket_eval(const struct nft_expr *expr, > + struct nft_regs *regs, > + const struct nft_pktinfo *pkt) > +{ > + const struct nft_socket *priv = nft_expr_priv(expr); > + struct sk_buff *skb = pkt->skb; > + struct sock *sk = skb->sk; > + u32 *dest = >data[priv->dreg]; > + > + if (!sk) > + switch(nft_pf(pkt)) { > + case NFPROTO_IPV4: > + sk = nf_sk_lookup_slow_v4(nft_net(pkt), skb, > nft_in(pkt)); > + break; > +#if IS_ENABLED(CONFIG_NF_SOCKET_IPV6) > + case NFPROTO_IPV6: > + sk = nf_sk_lookup_slow_v6(nft_net(pkt), skb, > nft_in(pkt)); > + break; > +#endif > + default: > + WARN_ON_ONCE(1); > + regs->verdict.code = NFT_BREAK; > + return; > + } > + > + if(!sk) { > + nft_reg_store8(dest, 0); > + return; > + } > + > + skb->sk = sk; // So that subsequent socket matching not to require > other lookups Remove this comment. > + > + switch(priv->key) { > + case NFT_SOCKET_TRANSPARENT: > + nft_reg_store8(dest, nf_sk_is_transparent(sk)); > + break; > + default: > + WARN_ON(1); > + regs->verdict.code = NFT_BREAK; > + } > +} > + > +static const struct nla_policy nft_socket_policy[NFTA_SOCKET_MAX + 1] = { > + [NFTA_SOCKET_KEY] = { .type = NLA_U32 }, > + [NFTA_SOCKET_DREG] = { .type = NLA_U32 }, > +}; > + > +static int nft_socket_init(const struct nft_ctx *ctx,