net: sched: Introduce connmark action

This tc action allows you to retrieve the connection tracking mark This action has been used heavily by openwrt for a few years now. There are known limitations currently: doesn't work for initial packets, since we only query the ct table. Fine given use case is for returning packets no implicit defrag. frags should be rare so fix later.. won't work for more complex tasks, e.g. lookup of other extensions since we have no means to store results we still have a 2nd lookup later on via normal conntrack path. This shouldn't break anything though since skb->nfct isn't altered. V2: remove unnecessary braces (Jiri) change the action identifier to 14 (Jiri) Fix some stylistic issues caught by checkpatch V3: Move module params to bottom (Cong) Get rid of tcf_hashinfo_init and friends and conform to newer API (Cong) Acked-by: Jiri Pirko <jiri@resnulli.us> Signed-off-by: Felix Fietkau <nbd@openwrt.org> Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Felix Fietkau <nbd@openwrt.org> 2015-01-18 16:35:14 -0500
committer: David S. Miller <davem@davemloft.net> 2015-01-19 16:02:06 -0500
commit: 22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae (patch)
tree: 0f25f92070e4208f89b8cbc59eda605347dfc95b /net/sched
parent: cbcd1fa72c7cc4ac5b8c8554731fdb06ac7ddaa8 (diff)
3 files changed, 204 insertions, 0 deletions
diff --git a/net/sched/Kconfig b/net/sched/Kconfig
index 466943551581..475e35e261ec 100644
--- a/net/sched/Kconfig
+++ b/net/sched/Kconfig
@@ -710,6 +710,17 @@ config NET_ACT_BPF
          To compile this code as a module, choose M here: the
          module will be called act_bpf.
+config NET_ACT_CONNMARK
+        tristate "Netfilter Connection Mark Retriever"
+        depends on NET_CLS_ACT && NETFILTER && IP_NF_IPTABLES
+        ---help---
+          Say Y here to allow retrieving of conn mark
+          If unsure, say N.
+          To compile this code as a module, choose M here: the
+          module will be called act_connmark.
 config NET_CLS_IND
        bool "Incoming device classification"
        depends on NET_CLS_U32 || NET_CLS_FW
diff --git a/net/sched/Makefile b/net/sched/Makefile
index 7ca2b4e76312..7ca7f4c1b8c2 100644
--- a/net/sched/Makefile
+++ b/net/sched/Makefile
@@ -18,6 +18,7 @@ obj-$(CONFIG_NET_ACT_SKBEDIT)	+= act_skbedit.o
 obj-$(CONFIG_NET_ACT_CSUM)      += act_csum.o
 obj-$(CONFIG_NET_ACT_VLAN)      += act_vlan.o
 obj-$(CONFIG_NET_ACT_BPF)       += act_bpf.o
+obj-$(CONFIG_NET_ACT_CONNMARK)  += act_connmark.o
 obj-$(CONFIG_NET_SCH_FIFO)      += sch_fifo.o
 obj-$(CONFIG_NET_SCH_CBQ)       += sch_cbq.o
 obj-$(CONFIG_NET_SCH_HTB)       += sch_htb.o
diff --git a/net/sched/act_connmark.c b/net/sched/act_connmark.c
new file mode 100644
index 000000000000..8e472518f9f6
--- /dev/null
+++ b/net/sched/act_connmark.c
@@ -0,0 +1,192 @@
+/*
+ * net/sched/act_connmark.c  netfilter connmark retriever action
+ * skb mark is over-written
+ *
+ * Copyright (c) 2011 Felix Fietkau <nbd@openwrt.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License as published by
+ * the Free Software Foundation; either version 2 of the License, or
+ * (at your option) any later version.
+*/
+#include <linux/module.h>
+#include <linux/init.h>
+#include <linux/kernel.h>
+#include <linux/skbuff.h>
+#include <linux/rtnetlink.h>
+#include <linux/pkt_cls.h>
+#include <linux/ip.h>
+#include <linux/ipv6.h>
+#include <net/netlink.h>
+#include <net/pkt_sched.h>
+#include <net/act_api.h>
+#include <uapi/linux/tc_act/tc_connmark.h>
+#include <net/tc_act/tc_connmark.h>
+#include <net/netfilter/nf_conntrack.h>
+#include <net/netfilter/nf_conntrack_core.h>
+#include <net/netfilter/nf_conntrack_zones.h>
+#define CONNMARK_TAB_MASK     3
+static int tcf_connmark(struct sk_buff *skb, const struct tc_action *a,
+                        struct tcf_result *res)
+{
+        const struct nf_conntrack_tuple_hash *thash;
+        struct nf_conntrack_tuple tuple;
+        enum ip_conntrack_info ctinfo;
+        struct tcf_connmark_info *ca = a->priv;
+        struct nf_conn *c;
+        int proto;
+        spin_lock(&ca->tcf_lock);
+        ca->tcf_tm.lastuse = jiffies;
+        bstats_update(&ca->tcf_bstats, skb);
+        if (skb->protocol == htons(ETH_P_IP)) {
+                if (skb->len < sizeof(struct iphdr))
+                        goto out;
+                proto = NFPROTO_IPV4;
+        } else if (skb->protocol == htons(ETH_P_IPV6)) {
+                if (skb->len < sizeof(struct ipv6hdr))
+                        goto out;
+                proto = NFPROTO_IPV6;
+        } else {
+                goto out;
+        }
+        c = nf_ct_get(skb, &ctinfo);
+        if (c) {
+                skb->mark = c->mark;
+                /* using overlimits stats to count how many packets marked */
+                ca->tcf_qstats.overlimits++;
+                nf_ct_put(c);
+                goto out;
+        }
+        if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb),
+                               proto, &tuple))
+                goto out;
+        thash = nf_conntrack_find_get(dev_net(skb->dev), ca->zone, &tuple);
+        if (!thash)
+                goto out;
+        c = nf_ct_tuplehash_to_ctrack(thash);
+        /* using overlimits stats to count how many packets marked */
+        ca->tcf_qstats.overlimits++;
+        skb->mark = c->mark;
+        nf_ct_put(c);
+out:
+        skb->nfct = NULL;
+        spin_unlock(&ca->tcf_lock);
+        return ca->tcf_action;
+}
+static const struct nla_policy connmark_policy[TCA_CONNMARK_MAX + 1] = {
+        [TCA_CONNMARK_PARMS] = { .len = sizeof(struct tc_connmark) },
+};
+static int tcf_connmark_init(struct net *net, struct nlattr *nla,
+                             struct nlattr *est, struct tc_action *a,
+                             int ovr, int bind)
+{
+        struct nlattr *tb[TCA_CONNMARK_MAX + 1];
+        struct tcf_connmark_info *ci;
+        struct tc_connmark *parm;
+        int ret = 0;
+        if (!nla)
+                return -EINVAL;
+        ret = nla_parse_nested(tb, TCA_CONNMARK_MAX, nla, connmark_policy);
+        if (ret < 0)
+                return ret;
+        parm = nla_data(tb[TCA_CONNMARK_PARMS]);
+        if (!tcf_hash_check(parm->index, a, bind)) {
+                ret = tcf_hash_create(parm->index, est, a, sizeof(*ci), bind);
+                if (ret)
+                        return ret;
+                ci = to_connmark(a);
+                ci->tcf_action = parm->action;
+                ci->zone = parm->zone;
+                tcf_hash_insert(a);
+                ret = ACT_P_CREATED;
+        } else {
+                ci = to_connmark(a);
+                if (bind)
+                        return 0;
+                tcf_hash_release(a, bind);
+                if (!ovr)
+                        return -EEXIST;
+                /* replacing action and zone */
+                ci->tcf_action = parm->action;
+                ci->zone = parm->zone;
+        }
+        return ret;
+}
+static inline int tcf_connmark_dump(struct sk_buff *skb, struct tc_action *a,
+                                    int bind, int ref)
+{
+        unsigned char *b = skb_tail_pointer(skb);
+        struct tcf_connmark_info *ci = a->priv;
+        struct tc_connmark opt = {
+                .index   = ci->tcf_index,
+                .refcnt  = ci->tcf_refcnt - ref,
+                .bindcnt = ci->tcf_bindcnt - bind,
+                .action  = ci->tcf_action,
+                .zone   = ci->zone,
+        };
+        struct tcf_t t;
+        if (nla_put(skb, TCA_CONNMARK_PARMS, sizeof(opt), &opt))
+                goto nla_put_failure;
+        t.install = jiffies_to_clock_t(jiffies - ci->tcf_tm.install);
+        t.lastuse = jiffies_to_clock_t(jiffies - ci->tcf_tm.lastuse);
+        t.expires = jiffies_to_clock_t(ci->tcf_tm.expires);
+        if (nla_put(skb, TCA_CONNMARK_TM, sizeof(t), &t))
+                goto nla_put_failure;
+        return skb->len;
+nla_put_failure:
+        nlmsg_trim(skb, b);
+        return -1;
+}
+static struct tc_action_ops act_connmark_ops = {
+        .kind           =       "connmark",
+        .type           =       TCA_ACT_CONNMARK,
+        .owner          =       THIS_MODULE,
+        .act            =       tcf_connmark,
+        .dump           =       tcf_connmark_dump,
+        .init           =       tcf_connmark_init,
+};
+static int __init connmark_init_module(void)
+{
+        return tcf_register_action(&act_connmark_ops, CONNMARK_TAB_MASK);
+}
+static void __exit connmark_cleanup_module(void)
+{
+        tcf_unregister_action(&act_connmark_ops);
+}
+module_init(connmark_init_module);
+module_exit(connmark_cleanup_module);
+MODULE_AUTHOR("Felix Fietkau <nbd@openwrt.org>");
+MODULE_DESCRIPTION("Connection tracking mark restoring");
+MODULE_LICENSE("GPL");
author	Felix Fietkau <nbd@openwrt.org>	2015-01-18 16:35:14 -0500
committer	David S. Miller <davem@davemloft.net>	2015-01-19 16:02:06 -0500
commit	22a5dc0e5e3e8fef804230cd73ed7b0afd4c7bae (patch)
tree	0f25f92070e4208f89b8cbc59eda605347dfc95b /net/sched
parent	cbcd1fa72c7cc4ac5b8c8554731fdb06ac7ddaa8 (diff)

diff --git a/net/sched/Kconfig b/net/sched/Kconfig index 466943551581..475e35e261ec 100644 --- a/net/sched/Kconfig +++ b/net/sched/Kconfig
@@ -710,6 +710,17 @@ config NET_ACT_BPF
710	To compile this code as a module, choose M here: the	710	To compile this code as a module, choose M here: the
711	module will be called act_bpf.	711	module will be called act_bpf.
712		712
		713	config NET_ACT_CONNMARK
		714	tristate "Netfilter Connection Mark Retriever"
		715	depends on NET_CLS_ACT && NETFILTER && IP_NF_IPTABLES
		716	---help---
		717	Say Y here to allow retrieving of conn mark
		718
		719	If unsure, say N.
		720
		721	To compile this code as a module, choose M here: the
		722	module will be called act_connmark.
		723
713	config NET_CLS_IND	724	config NET_CLS_IND
714	bool "Incoming device classification"	725	bool "Incoming device classification"
715	depends on NET_CLS_U32 \|\| NET_CLS_FW	726	depends on NET_CLS_U32 \|\| NET_CLS_FW


diff --git a/net/sched/Makefile b/net/sched/Makefile index 7ca2b4e76312..7ca7f4c1b8c2 100644 --- a/net/sched/Makefile +++ b/net/sched/Makefile
@@ -18,6 +18,7 @@ obj-$(CONFIG_NET_ACT_SKBEDIT) += act_skbedit.o
18	obj-$(CONFIG_NET_ACT_CSUM) += act_csum.o	18	obj-$(CONFIG_NET_ACT_CSUM) += act_csum.o
19	obj-$(CONFIG_NET_ACT_VLAN) += act_vlan.o	19	obj-$(CONFIG_NET_ACT_VLAN) += act_vlan.o
20	obj-$(CONFIG_NET_ACT_BPF) += act_bpf.o	20	obj-$(CONFIG_NET_ACT_BPF) += act_bpf.o
		21	obj-$(CONFIG_NET_ACT_CONNMARK) += act_connmark.o
21	obj-$(CONFIG_NET_SCH_FIFO) += sch_fifo.o	22	obj-$(CONFIG_NET_SCH_FIFO) += sch_fifo.o
22	obj-$(CONFIG_NET_SCH_CBQ) += sch_cbq.o	23	obj-$(CONFIG_NET_SCH_CBQ) += sch_cbq.o
23	obj-$(CONFIG_NET_SCH_HTB) += sch_htb.o	24	obj-$(CONFIG_NET_SCH_HTB) += sch_htb.o


diff --git a/net/sched/act_connmark.c b/net/sched/act_connmark.c new file mode 100644 index 000000000000..8e472518f9f6 --- /dev/null +++ b/net/sched/act_connmark.c
@@ -0,0 +1,192 @@
		1	/*
		2	* net/sched/act_connmark.c netfilter connmark retriever action
		3	* skb mark is over-written
		4	*
		5	* Copyright (c) 2011 Felix Fietkau <nbd@openwrt.org>
		6	*
		7	* This program is free software; you can redistribute it and/or modify
		8	* it under the terms of the GNU General Public License as published by
		9	* the Free Software Foundation; either version 2 of the License, or
		10	* (at your option) any later version.
		11	*/
		12
		13	#include <linux/module.h>
		14	#include <linux/init.h>
		15	#include <linux/kernel.h>
		16	#include <linux/skbuff.h>
		17	#include <linux/rtnetlink.h>
		18	#include <linux/pkt_cls.h>
		19	#include <linux/ip.h>
		20	#include <linux/ipv6.h>
		21	#include <net/netlink.h>
		22	#include <net/pkt_sched.h>
		23	#include <net/act_api.h>
		24	#include <uapi/linux/tc_act/tc_connmark.h>
		25	#include <net/tc_act/tc_connmark.h>
		26
		27	#include <net/netfilter/nf_conntrack.h>
		28	#include <net/netfilter/nf_conntrack_core.h>
		29	#include <net/netfilter/nf_conntrack_zones.h>
		30
		31	#define CONNMARK_TAB_MASK 3
		32
		33	static int tcf_connmark(struct sk_buff skb, const struct tc_action a,
		34	struct tcf_result *res)
		35	{
		36	const struct nf_conntrack_tuple_hash *thash;
		37	struct nf_conntrack_tuple tuple;
		38	enum ip_conntrack_info ctinfo;
		39	struct tcf_connmark_info *ca = a->priv;
		40	struct nf_conn *c;
		41	int proto;
		42
		43	spin_lock(&ca->tcf_lock);
		44	ca->tcf_tm.lastuse = jiffies;
		45	bstats_update(&ca->tcf_bstats, skb);
		46
		47	if (skb->protocol == htons(ETH_P_IP)) {
		48	if (skb->len < sizeof(struct iphdr))
		49	goto out;
		50
		51	proto = NFPROTO_IPV4;
		52	} else if (skb->protocol == htons(ETH_P_IPV6)) {
		53	if (skb->len < sizeof(struct ipv6hdr))
		54	goto out;
		55
		56	proto = NFPROTO_IPV6;
		57	} else {
		58	goto out;
		59	}
		60
		61	c = nf_ct_get(skb, &ctinfo);
		62	if (c) {
		63	skb->mark = c->mark;
		64	/* using overlimits stats to count how many packets marked */
		65	ca->tcf_qstats.overlimits++;
		66	nf_ct_put(c);
		67	goto out;
		68	}
		69
		70	if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb),
		71	proto, &tuple))
		72	goto out;
		73
		74	thash = nf_conntrack_find_get(dev_net(skb->dev), ca->zone, &tuple);
		75	if (!thash)
		76	goto out;
		77
		78	c = nf_ct_tuplehash_to_ctrack(thash);
		79	/* using overlimits stats to count how many packets marked */
		80	ca->tcf_qstats.overlimits++;
		81	skb->mark = c->mark;
		82	nf_ct_put(c);
		83
		84	out:
		85	skb->nfct = NULL;
		86	spin_unlock(&ca->tcf_lock);
		87	return ca->tcf_action;
		88	}
		89
		90	static const struct nla_policy connmark_policy[TCA_CONNMARK_MAX + 1] = {
		91	[TCA_CONNMARK_PARMS] = { .len = sizeof(struct tc_connmark) },
		92	};
		93
		94	static int tcf_connmark_init(struct net net, struct nlattr nla,
		95	struct nlattr est, struct tc_action a,
		96	int ovr, int bind)
		97	{
		98	struct nlattr *tb[TCA_CONNMARK_MAX + 1];
		99	struct tcf_connmark_info *ci;
		100	struct tc_connmark *parm;
		101	int ret = 0;
		102
		103	if (!nla)
		104	return -EINVAL;
		105
		106	ret = nla_parse_nested(tb, TCA_CONNMARK_MAX, nla, connmark_policy);
		107	if (ret < 0)
		108	return ret;
		109
		110	parm = nla_data(tb[TCA_CONNMARK_PARMS]);
		111
		112	if (!tcf_hash_check(parm->index, a, bind)) {
		113	ret = tcf_hash_create(parm->index, est, a, sizeof(*ci), bind);
		114	if (ret)
		115	return ret;
		116
		117	ci = to_connmark(a);
		118	ci->tcf_action = parm->action;
		119	ci->zone = parm->zone;
		120
		121	tcf_hash_insert(a);
		122	ret = ACT_P_CREATED;
		123	} else {
		124	ci = to_connmark(a);
		125	if (bind)
		126	return 0;
		127	tcf_hash_release(a, bind);
		128	if (!ovr)
		129	return -EEXIST;
		130	/* replacing action and zone */
		131	ci->tcf_action = parm->action;
		132	ci->zone = parm->zone;
		133	}
		134
		135	return ret;
		136	}
		137
		138	static inline int tcf_connmark_dump(struct sk_buff skb, struct tc_action a,
		139	int bind, int ref)
		140	{
		141	unsigned char *b = skb_tail_pointer(skb);
		142	struct tcf_connmark_info *ci = a->priv;
		143
		144	struct tc_connmark opt = {
		145	.index = ci->tcf_index,
		146	.refcnt = ci->tcf_refcnt - ref,
		147	.bindcnt = ci->tcf_bindcnt - bind,
		148	.action = ci->tcf_action,
		149	.zone = ci->zone,
		150	};
		151	struct tcf_t t;
		152
		153	if (nla_put(skb, TCA_CONNMARK_PARMS, sizeof(opt), &opt))
		154	goto nla_put_failure;
		155
		156	t.install = jiffies_to_clock_t(jiffies - ci->tcf_tm.install);
		157	t.lastuse = jiffies_to_clock_t(jiffies - ci->tcf_tm.lastuse);
		158	t.expires = jiffies_to_clock_t(ci->tcf_tm.expires);
		159	if (nla_put(skb, TCA_CONNMARK_TM, sizeof(t), &t))
		160	goto nla_put_failure;
		161
		162	return skb->len;
		163	nla_put_failure:
		164	nlmsg_trim(skb, b);
		165	return -1;
		166	}
		167
		168	static struct tc_action_ops act_connmark_ops = {
		169	.kind = "connmark",
		170	.type = TCA_ACT_CONNMARK,
		171	.owner = THIS_MODULE,
		172	.act = tcf_connmark,
		173	.dump = tcf_connmark_dump,
		174	.init = tcf_connmark_init,
		175	};
		176
		177	static int __init connmark_init_module(void)
		178	{
		179	return tcf_register_action(&act_connmark_ops, CONNMARK_TAB_MASK);
		180	}
		181
		182	static void __exit connmark_cleanup_module(void)
		183	{
		184	tcf_unregister_action(&act_connmark_ops);
		185	}
		186
		187	module_init(connmark_init_module);
		188	module_exit(connmark_cleanup_module);
		189	MODULE_AUTHOR("Felix Fietkau <nbd@openwrt.org>");
		190	MODULE_DESCRIPTION("Connection tracking mark restoring");
		191	MODULE_LICENSE("GPL");
		192