diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-10-13 18:06:06 -0400 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-10-14 12:00:04 -0400 |
| commit | 0ca743a5599199152a31a7146b83213c786c2eb2 (patch) | |
| tree | fd5cd87e1e1cf3f43d5868304c7c45f9bf11cef5 /net/ipv6 | |
| parent | 9370761c56b66aa5c65e069a7b010111a025018d (diff) | |
netfilter: nf_tables: add compatibility layer for x_tables
This patch adds the x_tables compatibility layer. This allows you
to use existing x_tables matches and targets from nf_tables.
This compatibility later allows us to use existing matches/targets
for features that are still missing in nf_tables. We can progressively
replace them with native nf_tables extensions. It also provides the
userspace compatibility software that allows you to express the
rule-set using the iptables syntax but using the nf_tables kernel
components.
In order to get this compatibility layer working, I've done the
following things:
* add NFNL_SUBSYS_NFT_COMPAT: this new nfnetlink subsystem is used
to query the x_tables match/target revision, so we don't need to
use the native x_table getsockopt interface.
* emulate xt structures: this required extending the struct nft_pktinfo
to include the fragment offset, which is already obtained from
ip[6]_tables and that is used by some matches/targets.
* add support for default policy to base chains, required to emulate
x_tables.
* add NFTA_CHAIN_USE attribute to obtain the number of references to
chains, required by x_tables emulation.
* add chain packet/byte counters using per-cpu.
* support 32-64 bits compat.
For historical reasons, this patch includes the following patches
that were posted in the netfilter-devel mailing list.
From Pablo Neira Ayuso:
* nf_tables: add default policy to base chains
* netfilter: nf_tables: add NFTA_CHAIN_USE attribute
* nf_tables: nft_compat: private data of target and matches in contiguous area
* nf_tables: validate hooks for compat match/target
* nf_tables: nft_compat: release cached matches/targets
* nf_tables: x_tables support as a compile time option
* nf_tables: fix alias for xtables over nftables module
* nf_tables: add packet and byte counters per chain
* nf_tables: fix per-chain counter stats if no counters are passed
* nf_tables: don't bump chain stats
* nf_tables: add protocol and flags for xtables over nf_tables
* nf_tables: add ip[6]t_entry emulation
* nf_tables: move specific layer 3 compat code to nf_tables_ipv[4|6]
* nf_tables: support 32bits-64bits x_tables compat
* nf_tables: fix compilation if CONFIG_COMPAT is disabled
From Patrick McHardy:
* nf_tables: move policy to struct nft_base_chain
* nf_tables: send notifications for base chain policy changes
From Alexander Primak:
* nf_tables: remove the duplicate NF_INET_LOCAL_OUT
From Nicolas Dichtel:
* nf_tables: fix compilation when nf-netlink is a module
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/ipv6')
| -rw-r--r-- | net/ipv6/netfilter/nf_tables_ipv6.c | 33 | ||||
| -rw-r--r-- | net/ipv6/netfilter/nft_chain_route_ipv6.c | 8 |
2 files changed, 34 insertions, 7 deletions
diff --git a/net/ipv6/netfilter/nf_tables_ipv6.c b/net/ipv6/netfilter/nf_tables_ipv6.c index 3631d6238e6f..42f905a808a3 100644 --- a/net/ipv6/netfilter/nf_tables_ipv6.c +++ b/net/ipv6/netfilter/nf_tables_ipv6.c | |||
| @@ -14,6 +14,7 @@ | |||
| 14 | #include <linux/ipv6.h> | 14 | #include <linux/ipv6.h> |
| 15 | #include <linux/netfilter_ipv6.h> | 15 | #include <linux/netfilter_ipv6.h> |
| 16 | #include <net/netfilter/nf_tables.h> | 16 | #include <net/netfilter/nf_tables.h> |
| 17 | #include <net/netfilter/nf_tables_ipv6.h> | ||
| 17 | 18 | ||
| 18 | static unsigned int nft_ipv6_output(const struct nf_hook_ops *ops, | 19 | static unsigned int nft_ipv6_output(const struct nf_hook_ops *ops, |
| 19 | struct sk_buff *skb, | 20 | struct sk_buff *skb, |
| @@ -21,14 +22,18 @@ static unsigned int nft_ipv6_output(const struct nf_hook_ops *ops, | |||
| 21 | const struct net_device *out, | 22 | const struct net_device *out, |
| 22 | int (*okfn)(struct sk_buff *)) | 23 | int (*okfn)(struct sk_buff *)) |
| 23 | { | 24 | { |
| 25 | struct nft_pktinfo pkt; | ||
| 26 | |||
| 24 | if (unlikely(skb->len < sizeof(struct ipv6hdr))) { | 27 | if (unlikely(skb->len < sizeof(struct ipv6hdr))) { |
| 25 | if (net_ratelimit()) | 28 | if (net_ratelimit()) |
| 26 | pr_info("nf_tables_ipv6: ignoring short SOCK_RAW " | 29 | pr_info("nf_tables_ipv6: ignoring short SOCK_RAW " |
| 27 | "packet\n"); | 30 | "packet\n"); |
| 28 | return NF_ACCEPT; | 31 | return NF_ACCEPT; |
| 29 | } | 32 | } |
| 33 | if (nft_set_pktinfo_ipv6(&pkt, ops, skb, in, out) < 0) | ||
| 34 | return NF_DROP; | ||
| 30 | 35 | ||
| 31 | return nft_do_chain(ops, skb, in, out, okfn); | 36 | return nft_do_chain_pktinfo(&pkt, ops); |
| 32 | } | 37 | } |
| 33 | 38 | ||
| 34 | static struct nft_af_info nft_af_ipv6 __read_mostly = { | 39 | static struct nft_af_info nft_af_ipv6 __read_mostly = { |
| @@ -40,6 +45,22 @@ static struct nft_af_info nft_af_ipv6 __read_mostly = { | |||
| 40 | }, | 45 | }, |
| 41 | }; | 46 | }; |
| 42 | 47 | ||
| 48 | static unsigned int | ||
| 49 | nft_do_chain_ipv6(const struct nf_hook_ops *ops, | ||
| 50 | struct sk_buff *skb, | ||
| 51 | const struct net_device *in, | ||
| 52 | const struct net_device *out, | ||
| 53 | int (*okfn)(struct sk_buff *)) | ||
| 54 | { | ||
| 55 | struct nft_pktinfo pkt; | ||
| 56 | |||
| 57 | /* malformed packet, drop it */ | ||
| 58 | if (nft_set_pktinfo_ipv6(&pkt, ops, skb, in, out) < 0) | ||
| 59 | return NF_DROP; | ||
| 60 | |||
| 61 | return nft_do_chain_pktinfo(&pkt, ops); | ||
| 62 | } | ||
| 63 | |||
| 43 | static struct nf_chain_type filter_ipv6 = { | 64 | static struct nf_chain_type filter_ipv6 = { |
| 44 | .family = NFPROTO_IPV6, | 65 | .family = NFPROTO_IPV6, |
| 45 | .name = "filter", | 66 | .name = "filter", |
| @@ -50,11 +71,11 @@ static struct nf_chain_type filter_ipv6 = { | |||
| 50 | (1 << NF_INET_PRE_ROUTING) | | 71 | (1 << NF_INET_PRE_ROUTING) | |
| 51 | (1 << NF_INET_POST_ROUTING), | 72 | (1 << NF_INET_POST_ROUTING), |
| 52 | .fn = { | 73 | .fn = { |
| 53 | [NF_INET_LOCAL_IN] = nft_do_chain, | 74 | [NF_INET_LOCAL_IN] = nft_do_chain_ipv6, |
| 54 | [NF_INET_LOCAL_OUT] = nft_do_chain, | 75 | [NF_INET_LOCAL_OUT] = nft_ipv6_output, |
| 55 | [NF_INET_FORWARD] = nft_do_chain, | 76 | [NF_INET_FORWARD] = nft_do_chain_ipv6, |
| 56 | [NF_INET_PRE_ROUTING] = nft_do_chain, | 77 | [NF_INET_PRE_ROUTING] = nft_do_chain_ipv6, |
| 57 | [NF_INET_POST_ROUTING] = nft_do_chain, | 78 | [NF_INET_POST_ROUTING] = nft_do_chain_ipv6, |
| 58 | }, | 79 | }, |
| 59 | }; | 80 | }; |
| 60 | 81 | ||
diff --git a/net/ipv6/netfilter/nft_chain_route_ipv6.c b/net/ipv6/netfilter/nft_chain_route_ipv6.c index 4cdc992fa067..3fe40f0456ad 100644 --- a/net/ipv6/netfilter/nft_chain_route_ipv6.c +++ b/net/ipv6/netfilter/nft_chain_route_ipv6.c | |||
| @@ -19,6 +19,7 @@ | |||
| 19 | #include <linux/netfilter/nfnetlink.h> | 19 | #include <linux/netfilter/nfnetlink.h> |
| 20 | #include <linux/netfilter/nf_tables.h> | 20 | #include <linux/netfilter/nf_tables.h> |
| 21 | #include <net/netfilter/nf_tables.h> | 21 | #include <net/netfilter/nf_tables.h> |
| 22 | #include <net/netfilter/nf_tables_ipv6.h> | ||
| 22 | #include <net/route.h> | 23 | #include <net/route.h> |
| 23 | 24 | ||
| 24 | static unsigned int nf_route_table_hook(const struct nf_hook_ops *ops, | 25 | static unsigned int nf_route_table_hook(const struct nf_hook_ops *ops, |
| @@ -28,10 +29,15 @@ static unsigned int nf_route_table_hook(const struct nf_hook_ops *ops, | |||
| 28 | int (*okfn)(struct sk_buff *)) | 29 | int (*okfn)(struct sk_buff *)) |
| 29 | { | 30 | { |
| 30 | unsigned int ret; | 31 | unsigned int ret; |
| 32 | struct nft_pktinfo pkt; | ||
| 31 | struct in6_addr saddr, daddr; | 33 | struct in6_addr saddr, daddr; |
| 32 | u_int8_t hop_limit; | 34 | u_int8_t hop_limit; |
| 33 | u32 mark, flowlabel; | 35 | u32 mark, flowlabel; |
| 34 | 36 | ||
| 37 | /* malformed packet, drop it */ | ||
| 38 | if (nft_set_pktinfo_ipv6(&pkt, ops, skb, in, out) < 0) | ||
| 39 | return NF_DROP; | ||
| 40 | |||
| 35 | /* save source/dest address, mark, hoplimit, flowlabel, priority */ | 41 | /* save source/dest address, mark, hoplimit, flowlabel, priority */ |
| 36 | memcpy(&saddr, &ipv6_hdr(skb)->saddr, sizeof(saddr)); | 42 | memcpy(&saddr, &ipv6_hdr(skb)->saddr, sizeof(saddr)); |
| 37 | memcpy(&daddr, &ipv6_hdr(skb)->daddr, sizeof(daddr)); | 43 | memcpy(&daddr, &ipv6_hdr(skb)->daddr, sizeof(daddr)); |
| @@ -41,7 +47,7 @@ static unsigned int nf_route_table_hook(const struct nf_hook_ops *ops, | |||
| 41 | /* flowlabel and prio (includes version, which shouldn't change either */ | 47 | /* flowlabel and prio (includes version, which shouldn't change either */ |
| 42 | flowlabel = *((u32 *)ipv6_hdr(skb)); | 48 | flowlabel = *((u32 *)ipv6_hdr(skb)); |
| 43 | 49 | ||
| 44 | ret = nft_do_chain(ops, skb, in, out, okfn); | 50 | ret = nft_do_chain_pktinfo(&pkt, ops); |
| 45 | if (ret != NF_DROP && ret != NF_QUEUE && | 51 | if (ret != NF_DROP && ret != NF_QUEUE && |
| 46 | (memcmp(&ipv6_hdr(skb)->saddr, &saddr, sizeof(saddr)) || | 52 | (memcmp(&ipv6_hdr(skb)->saddr, &saddr, sizeof(saddr)) || |
| 47 | memcmp(&ipv6_hdr(skb)->daddr, &daddr, sizeof(daddr)) || | 53 | memcmp(&ipv6_hdr(skb)->daddr, &daddr, sizeof(daddr)) || |