diff options
| author | Florian Westphal <fw@strlen.de> | 2016-04-26 05:59:53 -0400 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2016-05-05 10:27:59 -0400 |
| commit | 1ad8f48df6f683f186b03b51381419ac4aec73d3 (patch) | |
| tree | 25dee67758a9e5c3832aa3fc55f8c7b8260200d2 /net | |
| parent | 92b4423e3a0bc5d43ecde4bcad871f8b5ba04efd (diff) | |
netfilter: nftables: add connlabel set support
Conntrack labels are currently sized depending on the iptables
ruleset, i.e. if we're asked to test or set bits 1, 2, and 65 then we
would allocate enough room to store at least bit 65.
However, with nft, the input is just a register with arbitrary runtime
content.
We therefore ask for the upper ceiling we currently have, which is
enough room to store 128 bits.
Alternatively, we could alter nf_connlabel_replace to increase
net->ct.label_words at run time, but since 128 bits is not that
big we'd only save sizeof(long) so it doesn't seem worth it for now.
This follows a similar approach that xtables 'connlabel'
match uses, so when user inputs
ct label set bar
then we will set the bit used by the 'bar' label and leave the rest alone.
This is done by passing the sreg content to nf_connlabels_replace
as both value and mask argument.
Labels (bits) already set thus cannot be re-set to zero, but
this is not supported by xtables connlabel match either.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net')
| -rw-r--r-- | net/netfilter/nft_ct.c | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/net/netfilter/nft_ct.c b/net/netfilter/nft_ct.c index 25998facefd0..137e308d5b24 100644 --- a/net/netfilter/nft_ct.c +++ b/net/netfilter/nft_ct.c | |||
| @@ -198,6 +198,14 @@ static void nft_ct_set_eval(const struct nft_expr *expr, | |||
| 198 | } | 198 | } |
| 199 | break; | 199 | break; |
| 200 | #endif | 200 | #endif |
| 201 | #ifdef CONFIG_NF_CONNTRACK_LABELS | ||
| 202 | case NFT_CT_LABELS: | ||
| 203 | nf_connlabels_replace(ct, | ||
| 204 | ®s->data[priv->sreg], | ||
| 205 | ®s->data[priv->sreg], | ||
| 206 | NF_CT_LABELS_MAX_SIZE / sizeof(u32)); | ||
| 207 | break; | ||
| 208 | #endif | ||
| 201 | default: | 209 | default: |
| 202 | break; | 210 | break; |
| 203 | } | 211 | } |
| @@ -365,6 +373,16 @@ static int nft_ct_set_init(const struct nft_ctx *ctx, | |||
| 365 | len = FIELD_SIZEOF(struct nf_conn, mark); | 373 | len = FIELD_SIZEOF(struct nf_conn, mark); |
| 366 | break; | 374 | break; |
| 367 | #endif | 375 | #endif |
| 376 | #ifdef CONFIG_NF_CONNTRACK_LABELS | ||
| 377 | case NFT_CT_LABELS: | ||
| 378 | if (tb[NFTA_CT_DIRECTION]) | ||
| 379 | return -EINVAL; | ||
| 380 | len = NF_CT_LABELS_MAX_SIZE; | ||
| 381 | err = nf_connlabels_get(ctx->net, (len * BITS_PER_BYTE) - 1); | ||
| 382 | if (err) | ||
| 383 | return err; | ||
| 384 | break; | ||
| 385 | #endif | ||
| 368 | default: | 386 | default: |
| 369 | return -EOPNOTSUPP; | 387 | return -EOPNOTSUPP; |
| 370 | } | 388 | } |
| @@ -384,6 +402,18 @@ static int nft_ct_set_init(const struct nft_ctx *ctx, | |||
| 384 | static void nft_ct_destroy(const struct nft_ctx *ctx, | 402 | static void nft_ct_destroy(const struct nft_ctx *ctx, |
| 385 | const struct nft_expr *expr) | 403 | const struct nft_expr *expr) |
| 386 | { | 404 | { |
| 405 | struct nft_ct *priv = nft_expr_priv(expr); | ||
| 406 | |||
| 407 | switch (priv->key) { | ||
| 408 | #ifdef CONFIG_NF_CONNTRACK_LABELS | ||
| 409 | case NFT_CT_LABELS: | ||
| 410 | nf_connlabels_put(ctx->net); | ||
| 411 | break; | ||
| 412 | #endif | ||
| 413 | default: | ||
| 414 | break; | ||
| 415 | } | ||
| 416 | |||
| 387 | nft_ct_l3proto_module_put(ctx->afi->family); | 417 | nft_ct_l3proto_module_put(ctx->afi->family); |
| 388 | } | 418 | } |
| 389 | 419 | ||