[PATCH 30/30] netfilter: nft_ct: add NFT_CT_{SRC,DST}_{IP,IP6}

[PATCH 00/30] Netfilter/IPVS updates for net-next · Pablo Neira Ayuso <pablo@netfilter.org> · 2018-03-12
[PATCH 01/30] netfilter: nf_tables: nf_tables_obj_lookup_byhandle() can be static · Pablo Neira Ayuso <pablo@netfilter.org> · 2018-03-12
[PATCH 03/30] netfilter: xt_cluster: get rid of xt_cluster_ipv6_is_multicast · Pablo Neira Ayuso <pablo@netfilter.org> · 2018-03-12
[PATCH 02/30] netfilter: nfnetlink_acct: remove useless parameter · Pablo Neira Ayuso <pablo@netfilter.org> · 2018-03-12
[PATCH 04/30] netfilter: nf_conntrack_broadcast: remove useless parameter · Pablo Neira Ayuso <pablo@netfilter.org> · 2018-03-12
[PATCH 05/30] netfilter: ipt_ah: return boolean instead of integer · Pablo Neira Ayuso <pablo@netfilter.org> · 2018-03-12
[PATCH 06/30] netfilter: unlock xt_table earlier in __do_replace · Pablo Neira Ayuso <pablo@netfilter.org> · 2018-03-12
[PATCH 07/30] netfilter: x_tables: check standard verdicts in core · Pablo Neira Ayuso <pablo@netfilter.org> · 2018-03-12
[PATCH 08/30] netfilter: x_tables: check error target size too · Pablo Neira Ayuso <pablo@netfilter.org> · 2018-03-12
[PATCH 09/30] netfilter: x_tables: move hook entry checks into core · Pablo Neira Ayuso <pablo@netfilter.org> · 2018-03-12
[PATCH 10/30] netfilter: x_tables: enforce unique and ascending entry points · Pablo Neira Ayuso <pablo@netfilter.org> · 2018-03-12
[PATCH 11/30] netfilter: x_tables: cap allocations at 512 mbyte · Pablo Neira Ayuso <pablo@netfilter.org> · 2018-03-12
[PATCH 12/30] netfilter: x_tables: limit allocation requests for blob rule heads · Pablo Neira Ayuso <pablo@netfilter.org> · 2018-03-12
[PATCH 13/30] netfilter: x_tables: add counters allocation wrapper · Pablo Neira Ayuso <pablo@netfilter.org> · 2018-03-12
[PATCH 14/30] netfilter: compat: prepare xt_compat_init_offsets to return errors · Pablo Neira Ayuso <pablo@netfilter.org> · 2018-03-12
[PATCH 15/30] netfilter: compat: reject huge allocation requests · Pablo Neira Ayuso <pablo@netfilter.org> · 2018-03-12
[PATCH 16/30] netfilter: x_tables: make sure compat af mutex is held · Pablo Neira Ayuso <pablo@netfilter.org> · 2018-03-12
[PATCH 17/30] netfilter: x_tables: ensure last rule in base chain matches underflow/policy · Pablo Neira Ayuso <pablo@netfilter.org> · 2018-03-12
[PATCH 19/30] netfilter: xt_limit: Spelling s/maxmum/maximum/ · Pablo Neira Ayuso <pablo@netfilter.org> · 2018-03-12
[PATCH 18/30] netfilter: make xt_rateest hash table per net · Pablo Neira Ayuso <pablo@netfilter.org> · 2018-03-12
[PATCH 21/30] netfilter: nf_flow_table: clean up flow_offload_alloc · Pablo Neira Ayuso <pablo@netfilter.org> · 2018-03-12
[PATCH 20/30] netfilter: nf_flow_table: use IP_CT_DIR_* values for FLOW_OFFLOAD_DIR_* · Pablo Neira Ayuso <pablo@netfilter.org> · 2018-03-12
[PATCH 22/30] ipv6: make ip6_dst_mtu_forward inline · Pablo Neira Ayuso <pablo@netfilter.org> · 2018-03-12
[PATCH 23/30] netfilter: nf_flow_table: cache mtu in struct flow_offload_tuple · Pablo Neira Ayuso <pablo@netfilter.org> · 2018-03-12
[PATCH 24/30] netfilter: nf_flow_table: rename nf_flow_table.c to nf_flow_table_core.c · Pablo Neira Ayuso <pablo@netfilter.org> · 2018-03-12
[PATCH 25/30] netfilter: x_tables: fix build with CONFIG_COMPAT=n · Pablo Neira Ayuso <pablo@netfilter.org> · 2018-03-12
[PATCH 26/30] ipvs: use true and false for boolean values · Pablo Neira Ayuso <pablo@netfilter.org> · 2018-03-12
[PATCH 27/30] netfilter: nf_tables: handle rt0 and rt2 properly · Pablo Neira Ayuso <pablo@netfilter.org> · 2018-03-12
[PATCH 28/30] netfilter: Refactor nf_conncount · Pablo Neira Ayuso <pablo@netfilter.org> · 2018-03-12
[PATCH 29/30] netfilter: conncount: Support count only use case · Pablo Neira Ayuso <pablo@netfilter.org> · 2018-03-12
[PATCH 30/30] netfilter: nft_ct: add NFT_CT_{SRC,DST}_{IP,IP6} · Pablo Neira Ayuso <pablo@netfilter.org> · 2018-03-12
Re: [PATCH 00/30] Netfilter/IPVS updates for net-next · David Miller <davem@davemloft.net> · 2018-03-12
Re: [PATCH 00/30] Netfilter/IPVS updates for net-next · Felix Fietkau <nbd@nbd.name> · 2018-03-12
Re: [PATCH 00/30] Netfilter/IPVS updates for net-next · David Miller <davem@davemloft.net> · 2018-03-12
Re: [PATCH 00/30] Netfilter/IPVS updates for net-next · Felix Fietkau <nbd@nbd.name> · 2018-03-12
Re: [PATCH 00/30] Netfilter/IPVS updates for net-next · Florian Westphal <fw@strlen.de> · 2018-03-13
Re: [PATCH 00/30] Netfilter/IPVS updates for net-next · David Miller <davem@davemloft.net> · 2018-03-13
Re: [PATCH 00/30] Netfilter/IPVS updates for net-next · Florian Westphal <fw@strlen.de> · 2018-03-13
Re: [PATCH 00/30] Netfilter/IPVS updates for net-next · Pablo Neira Ayuso <pablo@netfilter.org> · 2018-03-14
Re: [PATCH 00/30] Netfilter/IPVS updates for net-next · David Miller <davem@davemloft.net> · 2018-03-16
Re: [PATCH 00/30] Netfilter/IPVS updates for net-next · Guy Shattah <hidden> · 2018-03-16
Re: [PATCH 00/30] Netfilter/IPVS updates for net-next · David Miller <davem@davemloft.net> · 2018-03-16

STALE3023d REVIEWED: 1 (1M)

Revisions (10)

2014-03-17 v1 [diff vs current]
2015-09-22 v1 [diff vs current]
2017-05-01 v1 [diff vs current]
2018-01-08 v1 [diff vs current]
2018-01-19 v1 [diff vs current]
2018-03-12 v1 current
2018-05-06 v1 [diff vs current]
2018-07-20 v1 [diff vs current]
2019-01-28 v1 [diff vs current]
2019-10-26 v1 [diff vs current]

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: 2018-03-12 17:59:51
Subsystem: netfilter, networking [general], the rest · Maintainers: Pablo Neira Ayuso, Florian Westphal, "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Linus Torvalds

All existing keys, except the NFT_CT_SRC and NFT_CT_DST are assumed to
have strict datatypes. This is causing problems with sets and
concatenations given the specific length of these keys is not known.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Florian Westphal <fw@strlen.de>
---
 include/uapi/linux/netfilter/nf_tables.h | 12 ++++++++--
 net/netfilter/nft_ct.c                   | 38 ++++++++++++++++++++++++++++++++
 2 files changed, 48 insertions(+), 2 deletions(-)

diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index bb2135c8ad73..09f4eb1928f0 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h

@@ -912,8 +912,8 @@ enum nft_rt_attributes {
  * @NFT_CT_EXPIRATION: relative conntrack expiration time in ms
  * @NFT_CT_HELPER: connection tracking helper assigned to conntrack
  * @NFT_CT_L3PROTOCOL: conntrack layer 3 protocol
- * @NFT_CT_SRC: conntrack layer 3 protocol source (IPv4/IPv6 address)
- * @NFT_CT_DST: conntrack layer 3 protocol destination (IPv4/IPv6 address)
+ * @NFT_CT_SRC: conntrack layer 3 protocol source (IPv4/IPv6 address, deprecated)
+ * @NFT_CT_DST: conntrack layer 3 protocol destination (IPv4/IPv6 address, deprecated)
  * @NFT_CT_PROTOCOL: conntrack layer 4 protocol
  * @NFT_CT_PROTO_SRC: conntrack layer 4 protocol source
  * @NFT_CT_PROTO_DST: conntrack layer 4 protocol destination

@@ -923,6 +923,10 @@ enum nft_rt_attributes {
  * @NFT_CT_AVGPKT: conntrack average bytes per packet
  * @NFT_CT_ZONE: conntrack zone
  * @NFT_CT_EVENTMASK: ctnetlink events to be generated for this conntrack
+ * @NFT_CT_SRC_IP: conntrack layer 3 protocol source (IPv4 address)
+ * @NFT_CT_DST_IP: conntrack layer 3 protocol destination (IPv4 address)
+ * @NFT_CT_SRC_IP6: conntrack layer 3 protocol source (IPv6 address)
+ * @NFT_CT_DST_IP6: conntrack layer 3 protocol destination (IPv6 address)
  */
 enum nft_ct_keys {
 	NFT_CT_STATE,

@@ -944,6 +948,10 @@ enum nft_ct_keys {
 	NFT_CT_AVGPKT,
 	NFT_CT_ZONE,
 	NFT_CT_EVENTMASK,
+	NFT_CT_SRC_IP,
+	NFT_CT_DST_IP,
+	NFT_CT_SRC_IP6,
+	NFT_CT_DST_IP6,
 };
 
 /**

diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c
index 6ab274b14484..ea737fd789e8 100644
--- a/net/netfilter/nft_ct.c
+++ b/net/netfilter/nft_ct.c

@@ -196,6 +196,26 @@ static void nft_ct_get_eval(const struct nft_expr *expr,
 	case NFT_CT_PROTO_DST:
 		nft_reg_store16(dest, (__force u16)tuple->dst.u.all);
 		return;
+	case NFT_CT_SRC_IP:
+		if (nf_ct_l3num(ct) != NFPROTO_IPV4)
+			goto err;
+		*dest = tuple->src.u3.ip;
+		return;
+	case NFT_CT_DST_IP:
+		if (nf_ct_l3num(ct) != NFPROTO_IPV4)
+			goto err;
+		*dest = tuple->dst.u3.ip;
+		return;
+	case NFT_CT_SRC_IP6:
+		if (nf_ct_l3num(ct) != NFPROTO_IPV6)
+			goto err;
+		memcpy(dest, tuple->src.u3.ip6, sizeof(struct in6_addr));
+		return;
+	case NFT_CT_DST_IP6:
+		if (nf_ct_l3num(ct) != NFPROTO_IPV6)
+			goto err;
+		memcpy(dest, tuple->dst.u3.ip6, sizeof(struct in6_addr));
+		return;
 	default:
 		break;
 	}

@@ -419,6 +439,20 @@ static int nft_ct_get_init(const struct nft_ctx *ctx,
 			return -EAFNOSUPPORT;
 		}
 		break;
+	case NFT_CT_SRC_IP:
+	case NFT_CT_DST_IP:
+		if (tb[NFTA_CT_DIRECTION] == NULL)
+			return -EINVAL;
+
+		len = FIELD_SIZEOF(struct nf_conntrack_tuple, src.u3.ip);
+		break;
+	case NFT_CT_SRC_IP6:
+	case NFT_CT_DST_IP6:
+		if (tb[NFTA_CT_DIRECTION] == NULL)
+			return -EINVAL;
+
+		len = FIELD_SIZEOF(struct nf_conntrack_tuple, src.u3.ip6);
+		break;
 	case NFT_CT_PROTO_SRC:
 	case NFT_CT_PROTO_DST:
 		if (tb[NFTA_CT_DIRECTION] == NULL)

@@ -588,6 +622,10 @@ static int nft_ct_get_dump(struct sk_buff *skb, const struct nft_expr *expr)
 	switch (priv->key) {
 	case NFT_CT_SRC:
 	case NFT_CT_DST:
+	case NFT_CT_SRC_IP:
+	case NFT_CT_DST_IP:
+	case NFT_CT_SRC_IP6:
+	case NFT_CT_DST_IP6:
 	case NFT_CT_PROTO_SRC:
 	case NFT_CT_PROTO_DST:
 		if (nla_put_u8(skb, NFTA_CT_DIRECTION, priv->dir))

-- 
2.11.0

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help