netfilter: add connlabel conntrack extension

similar to connmarks, except labels are bit-based; i.e. all labels may be attached to a flow at the same time. Up to 128 labels are supported. Supporting more labels is possible, but requires increasing the ct offset delta from u8 to u16 type due to increased extension sizes. Mapping of bit-identifier to label name is done in userspace. The extension is enabled at run-time once "-m connlabel" netfilter rules are added. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Florian Westphal <fw@strlen.de> 2013-01-11 01:30:44 -0500
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2013-01-17 18:28:15 -0500
commit: c539f01717c239cfa0921dd43927afc976f1eedc (patch)
tree: e0e4881913acb233f6ea83d93eb69da446084101 /include
parent: 7266507d89991fa1e989283e4e032c6d9357fe26 (diff)
4 files changed, 75 insertions, 0 deletions
diff --git a/include/net/netfilter/nf_conntrack_extend.h b/include/net/netfilter/nf_conntrack_extend.h
index 8b4d1fc29096..977bc8a46444 100644
--- a/include/net/netfilter/nf_conntrack_extend.h
+++ b/include/net/netfilter/nf_conntrack_extend.h
@@ -23,6 +23,9 @@ enum nf_ct_ext_id {
 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT
        NF_CT_EXT_TIMEOUT,
 #endif
+#ifdef CONFIG_NF_CONNTRACK_LABELS
+        NF_CT_EXT_LABELS,
+#endif
        NF_CT_EXT_NUM,
 };
@@ -33,6 +36,7 @@ enum nf_ct_ext_id {
 #define NF_CT_EXT_ZONE_TYPE struct nf_conntrack_zone
 #define NF_CT_EXT_TSTAMP_TYPE struct nf_conn_tstamp
 #define NF_CT_EXT_TIMEOUT_TYPE struct nf_conn_timeout
+#define NF_CT_EXT_LABELS_TYPE struct nf_conn_labels
 /* Extensions: optional stuff which isn't permanently in struct. */
 struct nf_ct_ext {
diff --git a/include/net/netfilter/nf_conntrack_labels.h b/include/net/netfilter/nf_conntrack_labels.h
new file mode 100644
index 000000000000..b94fe31c7b39
--- /dev/null
+++ b/include/net/netfilter/nf_conntrack_labels.h
@@ -0,0 +1,55 @@
+#include <linux/types.h>
+#include <net/net_namespace.h>
+#include <linux/netfilter/nf_conntrack_common.h>
+#include <linux/netfilter/nf_conntrack_tuple_common.h>
+#include <net/netfilter/nf_conntrack.h>
+#include <net/netfilter/nf_conntrack_extend.h>
+#include <uapi/linux/netfilter/xt_connlabel.h>
+struct nf_conn_labels {
+        u8 words;
+        unsigned long bits[];
+};
+static inline struct nf_conn_labels *nf_ct_labels_find(const struct nf_conn *ct)
+{
+#ifdef CONFIG_NF_CONNTRACK_LABELS
+        return nf_ct_ext_find(ct, NF_CT_EXT_LABELS);
+#else
+        return NULL;
+#endif
+}
+static inline struct nf_conn_labels *nf_ct_labels_ext_add(struct nf_conn *ct)
+{
+#ifdef CONFIG_NF_CONNTRACK_LABELS
+        struct nf_conn_labels *cl_ext;
+        struct net *net = nf_ct_net(ct);
+        u8 words;
+        words = ACCESS_ONCE(net->ct.label_words);
+        if (words == 0 || WARN_ON_ONCE(words > 8))
+                return NULL;
+        cl_ext = nf_ct_ext_add_length(ct, NF_CT_EXT_LABELS,
+                                      words * sizeof(long), GFP_ATOMIC);
+        if (cl_ext != NULL)
+                cl_ext->words = words;
+        return cl_ext;
+#else
+        return NULL;
+#endif
+}
+bool nf_connlabel_match(const struct nf_conn *ct, u16 bit);
+int nf_connlabel_set(struct nf_conn *ct, u16 bit);
+#ifdef CONFIG_NF_CONNTRACK_LABELS
+int nf_conntrack_labels_init(struct net *net);
+void nf_conntrack_labels_fini(struct net *net);
+#else
+static inline int nf_conntrack_labels_init(struct net *n) { return 0; }
+static inline void nf_conntrack_labels_fini(struct net *net) {}
+#endif
diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h
index 923cb20051ed..c9c0c538b68b 100644
--- a/include/net/netns/conntrack.h
+++ b/include/net/netns/conntrack.h
@@ -84,6 +84,10 @@ struct netns_ct {
        int                     sysctl_auto_assign_helper;
        bool                    auto_assign_helper_warned;
        struct nf_ip_net        nf_ct_proto;
+#if defined(CONFIG_NF_CONNTRACK_LABELS)
+        unsigned int            labels_used;
+        u8                      label_words;
+#endif
 #ifdef CONFIG_NF_NAT_NEEDED
        struct hlist_head       *nat_bysource;
        unsigned int            nat_htable_size;
diff --git a/include/uapi/linux/netfilter/xt_connlabel.h b/include/uapi/linux/netfilter/xt_connlabel.h
new file mode 100644
index 000000000000..c4bc9ee9b330
--- /dev/null
+++ b/include/uapi/linux/netfilter/xt_connlabel.h
@@ -0,0 +1,12 @@
+#include <linux/types.h>
+#define XT_CONNLABEL_MAXBIT 127
+enum xt_connlabel_mtopts {
+        XT_CONNLABEL_OP_INVERT = 1 << 0,
+        XT_CONNLABEL_OP_SET    = 1 << 1,
+};
+struct xt_connlabel_mtinfo {
+        __u16 bit;
+        __u16 options;
+};
author	Florian Westphal <fw@strlen.de>	2013-01-11 01:30:44 -0500
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2013-01-17 18:28:15 -0500
commit	c539f01717c239cfa0921dd43927afc976f1eedc (patch)
tree	e0e4881913acb233f6ea83d93eb69da446084101 /include
parent	7266507d89991fa1e989283e4e032c6d9357fe26 (diff)

diff --git a/include/net/netfilter/nf_conntrack_extend.h b/include/net/netfilter/nf_conntrack_extend.h index 8b4d1fc29096..977bc8a46444 100644 --- a/include/net/netfilter/nf_conntrack_extend.h +++ b/include/net/netfilter/nf_conntrack_extend.h
@@ -23,6 +23,9 @@ enum nf_ct_ext_id {
23	#ifdef CONFIG_NF_CONNTRACK_TIMEOUT	23	#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
24	NF_CT_EXT_TIMEOUT,	24	NF_CT_EXT_TIMEOUT,
25	#endif	25	#endif
		26	#ifdef CONFIG_NF_CONNTRACK_LABELS
		27	NF_CT_EXT_LABELS,
		28	#endif
26	NF_CT_EXT_NUM,	29	NF_CT_EXT_NUM,
27	};	30	};
28		31
@@ -33,6 +36,7 @@ enum nf_ct_ext_id {
33	#define NF_CT_EXT_ZONE_TYPE struct nf_conntrack_zone	36	#define NF_CT_EXT_ZONE_TYPE struct nf_conntrack_zone
34	#define NF_CT_EXT_TSTAMP_TYPE struct nf_conn_tstamp	37	#define NF_CT_EXT_TSTAMP_TYPE struct nf_conn_tstamp
35	#define NF_CT_EXT_TIMEOUT_TYPE struct nf_conn_timeout	38	#define NF_CT_EXT_TIMEOUT_TYPE struct nf_conn_timeout
		39	#define NF_CT_EXT_LABELS_TYPE struct nf_conn_labels
36		40
37	/* Extensions: optional stuff which isn't permanently in struct. */	41	/* Extensions: optional stuff which isn't permanently in struct. */
38	struct nf_ct_ext {	42	struct nf_ct_ext {


diff --git a/include/net/netfilter/nf_conntrack_labels.h b/include/net/netfilter/nf_conntrack_labels.h new file mode 100644 index 000000000000..b94fe31c7b39 --- /dev/null +++ b/include/net/netfilter/nf_conntrack_labels.h
@@ -0,0 +1,55 @@
		1	#include <linux/types.h>
		2	#include <net/net_namespace.h>
		3	#include <linux/netfilter/nf_conntrack_common.h>
		4	#include <linux/netfilter/nf_conntrack_tuple_common.h>
		5	#include <net/netfilter/nf_conntrack.h>
		6	#include <net/netfilter/nf_conntrack_extend.h>
		7
		8	#include <uapi/linux/netfilter/xt_connlabel.h>
		9
		10	struct nf_conn_labels {
		11	u8 words;
		12	unsigned long bits[];
		13	};
		14
		15	static inline struct nf_conn_labels nf_ct_labels_find(const struct nf_conn ct)
		16	{
		17	#ifdef CONFIG_NF_CONNTRACK_LABELS
		18	return nf_ct_ext_find(ct, NF_CT_EXT_LABELS);
		19	#else
		20	return NULL;
		21	#endif
		22	}
		23
		24	static inline struct nf_conn_labels nf_ct_labels_ext_add(struct nf_conn ct)
		25	{
		26	#ifdef CONFIG_NF_CONNTRACK_LABELS
		27	struct nf_conn_labels *cl_ext;
		28	struct net *net = nf_ct_net(ct);
		29	u8 words;
		30
		31	words = ACCESS_ONCE(net->ct.label_words);
		32	if (words == 0 \|\| WARN_ON_ONCE(words > 8))
		33	return NULL;
		34
		35	cl_ext = nf_ct_ext_add_length(ct, NF_CT_EXT_LABELS,
		36	words * sizeof(long), GFP_ATOMIC);
		37	if (cl_ext != NULL)
		38	cl_ext->words = words;
		39
		40	return cl_ext;
		41	#else
		42	return NULL;
		43	#endif
		44	}
		45
		46	bool nf_connlabel_match(const struct nf_conn *ct, u16 bit);
		47	int nf_connlabel_set(struct nf_conn *ct, u16 bit);
		48
		49	#ifdef CONFIG_NF_CONNTRACK_LABELS
		50	int nf_conntrack_labels_init(struct net *net);
		51	void nf_conntrack_labels_fini(struct net *net);
		52	#else
		53	static inline int nf_conntrack_labels_init(struct net *n) { return 0; }
		54	static inline void nf_conntrack_labels_fini(struct net *net) {}
		55	#endif


diff --git a/include/net/netns/conntrack.h b/include/net/netns/conntrack.h index 923cb20051ed..c9c0c538b68b 100644 --- a/include/net/netns/conntrack.h +++ b/include/net/netns/conntrack.h
@@ -84,6 +84,10 @@ struct netns_ct {
84	int sysctl_auto_assign_helper;	84	int sysctl_auto_assign_helper;
85	bool auto_assign_helper_warned;	85	bool auto_assign_helper_warned;
86	struct nf_ip_net nf_ct_proto;	86	struct nf_ip_net nf_ct_proto;
		87	#if defined(CONFIG_NF_CONNTRACK_LABELS)
		88	unsigned int labels_used;
		89	u8 label_words;
		90	#endif
87	#ifdef CONFIG_NF_NAT_NEEDED	91	#ifdef CONFIG_NF_NAT_NEEDED
88	struct hlist_head *nat_bysource;	92	struct hlist_head *nat_bysource;
89	unsigned int nat_htable_size;	93	unsigned int nat_htable_size;


diff --git a/include/uapi/linux/netfilter/xt_connlabel.h b/include/uapi/linux/netfilter/xt_connlabel.h new file mode 100644 index 000000000000..c4bc9ee9b330 --- /dev/null +++ b/include/uapi/linux/netfilter/xt_connlabel.h
@@ -0,0 +1,12 @@
		1	#include <linux/types.h>
		2
		3	#define XT_CONNLABEL_MAXBIT 127
		4	enum xt_connlabel_mtopts {
		5	XT_CONNLABEL_OP_INVERT = 1 << 0,
		6	XT_CONNLABEL_OP_SET = 1 << 1,
		7	};
		8
		9	struct xt_connlabel_mtinfo {
		10	__u16 bit;
		11	__u16 options;
		12	};