Re: [PATCH v2 nf-next] netfilter: nft: add support for native socket matching

2018-06-01 Thread Pablo Neira Ayuso
On Fri, Jun 01, 2018 at 09:36:01AM +0200, Pablo Neira Ayuso wrote:
> On Wed, May 30, 2018 at 12:13:22PM +0200, Máté Eckl wrote:
> > Now it can only match the transparent flag of an ip/ipv6 socket.
> 
> Applied with minor cosmetic changes, thanks.

I took v3, just for the record.


Re: [PATCH v2 nf-next] netfilter: nft: add support for native socket matching

2018-06-01 Thread Pablo Neira Ayuso
On Wed, May 30, 2018 at 12:13:22PM +0200, Máté Eckl wrote:
> Now it can only match the transparent flag of an ip/ipv6 socket.

Applied with minor cosmetic changes, thanks.


Re: [PATCH v2 nf-next] netfilter: nft: add support for native socket matching

2018-05-31 Thread kbuild test robot
Hi Máté,

Thank you for the patch! Yet something to improve:

[auto build test ERROR on nf-next/master]

url:
https://github.com/0day-ci/linux/commits/M-t-Eckl/netfilter-nft-add-support-for-native-socket-matching/20180601-080238
base:   https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
config: i386-allmodconfig (attached as .config)
compiler: gcc-7 (Debian 7.3.0-16) 7.3.0
reproduce:
# save the attached .config to linux build tree
make ARCH=i386 

All errors (new ones prefixed by >>):

   In file included from net/netfilter/nft_socket.c:7:0:
   include/net/netfilter/nf_socket.h: In function 'nf_sk_is_transparent':
>> include/net/netfilter/nf_socket.h:12:12: error: dereferencing pointer to 
>> incomplete type 'struct sock'
 switch (sk->sk_state) {
   ^~
>> include/net/netfilter/nf_socket.h:13:7: error: 'TCP_TIME_WAIT' undeclared 
>> (first use in this function); did you mean 'BPF_TCP_TIME_WAIT'?
 case TCP_TIME_WAIT:
  ^
  BPF_TCP_TIME_WAIT
   include/net/netfilter/nf_socket.h:13:7: note: each undeclared identifier is 
reported only once for each function it appears in
>> include/net/netfilter/nf_socket.h:14:10: error: implicit declaration of 
>> function 'inet_twsk'; did you mean 'in_task'? 
>> [-Werror=implicit-function-declaration]
  return inet_twsk(sk)->tw_transparent;
 ^
 in_task
>> include/net/netfilter/nf_socket.h:14:23: error: invalid type argument of 
>> '->' (have 'int')
  return inet_twsk(sk)->tw_transparent;
  ^~
>> include/net/netfilter/nf_socket.h:15:7: error: 'TCP_NEW_SYN_RECV' undeclared 
>> (first use in this function); did you mean 'BPF_TCP_NEW_SYN_RECV'?
 case TCP_NEW_SYN_RECV:
  ^~~~
  BPF_TCP_NEW_SYN_RECV
>> include/net/netfilter/nf_socket.h:16:10: error: implicit declaration of 
>> function 'inet_rsk'; did you mean 'in_task'? 
>> [-Werror=implicit-function-declaration]
  return inet_rsk(inet_reqsk(sk))->no_srccheck;
 ^~~~
 in_task
>> include/net/netfilter/nf_socket.h:16:19: error: implicit declaration of 
>> function 'inet_reqsk'; did you mean 'net_eq'? 
>> [-Werror=implicit-function-declaration]
  return inet_rsk(inet_reqsk(sk))->no_srccheck;
  ^~
  net_eq
   include/net/netfilter/nf_socket.h:16:34: error: invalid type argument of 
'->' (have 'int')
  return inet_rsk(inet_reqsk(sk))->no_srccheck;
 ^~
>> include/net/netfilter/nf_socket.h:18:10: error: implicit declaration of 
>> function 'inet_sk'; did you mean 'in_task'? 
>> [-Werror=implicit-function-declaration]
  return inet_sk(sk)->transparent;
 ^~~
 in_task
   include/net/netfilter/nf_socket.h:18:21: error: invalid type argument of 
'->' (have 'int')
  return inet_sk(sk)->transparent;
^~
   In file included from include/net/inet_sock.h:27:0,
from net/netfilter/nft_socket.c:8:
   include/net/request_sock.h: At top level:
>> include/net/request_sock.h:72:36: error: conflicting types for 'inet_reqsk'
static inline struct request_sock *inet_reqsk(const struct sock *sk)
   ^~
   In file included from net/netfilter/nft_socket.c:7:0:
   include/net/netfilter/nf_socket.h:16:19: note: previous implicit declaration 
of 'inet_reqsk' was here
  return inet_rsk(inet_reqsk(sk))->no_srccheck;
  ^~
   In file included from net/netfilter/nft_socket.c:8:0:
>> include/net/inet_sock.h:107:41: error: conflicting types for 'inet_rsk'
static inline struct inet_request_sock *inet_rsk(const struct request_sock 
*sk)
^~~~
   In file included from net/netfilter/nft_socket.c:7:0:
   include/net/netfilter/nf_socket.h:16:10: note: previous implicit declaration 
of 'inet_rsk' was here
  return inet_rsk(inet_reqsk(sk))->no_srccheck;
 ^~~~
   In file included from net/netfilter/nft_socket.c:8:0:
>> include/net/inet_sock.h:273:33: error: conflicting types for 'inet_sk'
static inline struct inet_sock *inet_sk(const struct sock *sk)
^~~
   In file included from net/netfilter/nft_socket.c:7:0:
   include/net/netfilter/nf_socket.h:18:10: note: previous implicit declaration 
of 'inet_sk' was here
  return inet_sk(sk)->transparent;
 ^~~
   include/net/netfilter/nf_socket.h: In function 'nf_sk_is_transparent':
   include/net/netfilter/nf_socket.h:20:1: warning: control reaches end of 
non-void function [-Wreturn-type]
}
^
   cc1: some warnings being treated as errors

vim +12 include/net/netfilter/nf_socket.h

8db4c5be Pablo Neira Ayuso 2016-10-27   9  
8db4c5be Pablo Neira Ayuso 2016-10-27  10  static inline bool 
nf_sk_is_transparent(struct sock *sk)
8db4c5be Pablo 

Re: [PATCH v2 nf-next] netfilter: nft: add support for native socket matching

2018-05-30 Thread Pablo Neira Ayuso
On Wed, May 30, 2018 at 12:20:44PM +0200, Pablo Neira Ayuso wrote:
> On Wed, May 30, 2018 at 12:13:22PM +0200, Máté Eckl wrote:
> > +   if(!sk) {
> > +   nft_reg_store8(dest, 0);
> > +   return;
> > +   }
> > +
> > +   skb->sk = sk; // So that subsequent socket matching not to require 
> > other lookups
> 
> Remove this comment.

Or use the more orthodox comment style:

/* So that subsequent socket matching not to require other lookups. */
skb->sk = sk;

Thanks!


Re: [PATCH v2 nf-next] netfilter: nft: add support for native socket matching

2018-05-30 Thread Pablo Neira Ayuso
On Wed, May 30, 2018 at 12:13:22PM +0200, Máté Eckl wrote:
> Now it can only match the transparent flag of an ip/ipv6 socket.
> 
> Signed-off-by: Máté Eckl 
> ---
>  include/uapi/linux/netfilter/nf_tables.h |  28 +
>  net/netfilter/Kconfig|   9 ++
>  net/netfilter/Makefile   |   1 +
>  net/netfilter/nft_socket.c   | 143 +++
>  4 files changed, 181 insertions(+)
>  create mode 100644 net/netfilter/nft_socket.c
> 
> diff --git a/include/uapi/linux/netfilter/nf_tables.h 
> b/include/uapi/linux/netfilter/nf_tables.h
> index 9c71f024f9cc..96ab31539bf6 100644
> --- a/include/uapi/linux/netfilter/nf_tables.h
> +++ b/include/uapi/linux/netfilter/nf_tables.h
> @@ -904,6 +904,34 @@ enum nft_rt_attributes {
>  };
>  #define NFTA_RT_MAX  (__NFTA_RT_MAX - 1)
>  
> +/**
> + * enum nft_socket_attributes - nf_tables socket expression netlink 
> attributes
> + *
> + * @NFTA_SOCKET_KEY: socket key to match
> + * @NFTA_SOCKET_DREG: destination register
> + */
> +enum nft_socket_attributes {
> + NFTA_SOCKET_UNSPEC,
> +
> + NFTA_SOCKET_KEY,
> + NFTA_SOCKET_DREG,
> +
> + __NFTA_SOCKET_MAX
> +};
> +#define NFTA_SOCKET_MAX  (__NFTA_SOCKET_MAX - 1)
> +
> +/*
> + * enum nft_socket_keys - nf_tables socket expression keys
> + *
> + * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option_
> + */
> +enum nft_socket_keys {
> + NFT_SOCKET_TRANSPARENT,
> +
> + __NFT_SOCKET_MAX
> +};
> +#define NFT_SOCKET_MAX   (__NFT_SOCKET_MAX - 1)
> +
>  /**
>   * enum nft_ct_keys - nf_tables ct expression keys
>   *
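Review bot: The comment block for `enum nft_socket_keys` opens with `/*` while the `enum nft_socket_attributes` block just above it uses `/**`, so the `@NFT_SOCKET_TRANSPARENT` description will not be picked up as kernel-doc; change the opener to `/**`. The same comment carries a stray trailing underscore, `socket option_`, which should read `socket option`. Both are in the new block added to include/uapi/linux/netfilter/nf_tables.h.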
> diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
> index 3ec8886850b2..276e1e32f44e 100644
> --- a/net/netfilter/Kconfig
> +++ b/net/netfilter/Kconfig
> @@ -613,6 +613,15 @@ config NFT_FIB_INET
> The lookup will be delegated to the IPv4 or IPv6 FIB depending
> on the protocol of the packet.
>  
> +config NFT_SOCKET
> + tristate "Netfilter nf_tables socket match support"
> + depends on IPV6 || IPV6=n
> + select NF_SOCKET_IPV4
> + select NF_SOCKET_IPV6 if IPV6
> + help
> +   This option allows matching for the presence or absence of a
> +   corresponding socket and its attributes.
> +
>  if NF_TABLES_NETDEV
>  
>  config NF_DUP_NETDEV
> diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
> index 9b3434360d49..eec169555731 100644
> --- a/net/netfilter/Makefile
> +++ b/net/netfilter/Makefile
> @@ -102,6 +102,7 @@ obj-$(CONFIG_NFT_FIB) += nft_fib.o
>  obj-$(CONFIG_NFT_FIB_INET)   += nft_fib_inet.o
>  obj-$(CONFIG_NFT_FIB_NETDEV) += nft_fib_netdev.o
>  obj-$(CONFIG_NF_OSF) += nf_osf.o
> +obj-$(CONFIG_NFT_SOCKET) += nft_socket.o
>  
>  # nf_tables netdev
>  obj-$(CONFIG_NFT_DUP_NETDEV) += nft_dup_netdev.o
> diff --git a/net/netfilter/nft_socket.c b/net/netfilter/nft_socket.c
> new file mode 100644
> index ..dd389b37334a
> --- /dev/null
> +++ b/net/netfilter/nft_socket.c
> @@ -0,0 +1,143 @@
> +// SPDX-License-Identifier: GPL-2.0
> +
> +#include 
> +#include 
> +#include 
> +#include 
> +#include 
> +#include 
> +
> +struct nft_socket {
> + enum nft_socket_keyskey:8;
> + union {
> + enum nft_registers  dreg:8;
> + };
> +};
> +
> +static void nft_socket_eval(const struct nft_expr *expr,
> + struct nft_regs *regs,
> + const struct nft_pktinfo *pkt)
> +{
> + const struct nft_socket *priv = nft_expr_priv(expr);
> + struct sk_buff *skb = pkt->skb;
> + struct sock *sk = skb->sk;
> + u32 *dest = >data[priv->dreg];
> +
> + if (!sk)
> + switch(nft_pf(pkt)) {
> + case NFPROTO_IPV4:
> + sk = nf_sk_lookup_slow_v4(nft_net(pkt), skb, 
> nft_in(pkt));
> + break;
> +#if IS_ENABLED(CONFIG_NF_SOCKET_IPV6)
> + case NFPROTO_IPV6:
> + sk = nf_sk_lookup_slow_v6(nft_net(pkt), skb, 
> nft_in(pkt));
> + break;
> +#endif
> + default:
> + WARN_ON_ONCE(1);
> + regs->verdict.code = NFT_BREAK;
> + return;
> + }
> +
> + if(!sk) {
> + nft_reg_store8(dest, 0);
> + return;
> + }
> +
> + skb->sk = sk; // So that subsequent socket matching not to require 
> other lookups

Remove this comment.

> +
> + switch(priv->key) {
> + case NFT_SOCKET_TRANSPARENT:
> + nft_reg_store8(dest, nf_sk_is_transparent(sk));
> + break;
> + default:
> + WARN_ON(1);
> + regs->verdict.code = NFT_BREAK;
> + }
> +}
> +
> +static const struct nla_policy nft_socket_policy[NFTA_SOCKET_MAX + 1] = {
> + [NFTA_SOCKET_KEY]   = { .type = NLA_U32 },
> + [NFTA_SOCKET_DREG]  = { .type = NLA_U32 },
> +};
> +
> +static int nft_socket_init(const struct nft_ctx *ctx,