Commit f6931f5f authored by Florian Westphal's avatar Florian Westphal Committed by Pablo Neira Ayuso

netfilter: meta: secpath support

replacement for iptables "-m policy --dir in --policy {ipsec,none}".
Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent b3a61254
...@@ -777,6 +777,7 @@ enum nft_exthdr_attributes { ...@@ -777,6 +777,7 @@ enum nft_exthdr_attributes {
* @NFT_META_OIFGROUP: packet output interface group * @NFT_META_OIFGROUP: packet output interface group
* @NFT_META_CGROUP: socket control group (skb->sk->sk_classid) * @NFT_META_CGROUP: socket control group (skb->sk->sk_classid)
* @NFT_META_PRANDOM: a 32bit pseudo-random number * @NFT_META_PRANDOM: a 32bit pseudo-random number
* @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp)
*/ */
enum nft_meta_keys { enum nft_meta_keys {
NFT_META_LEN, NFT_META_LEN,
...@@ -804,6 +805,7 @@ enum nft_meta_keys { ...@@ -804,6 +805,7 @@ enum nft_meta_keys {
NFT_META_OIFGROUP, NFT_META_OIFGROUP,
NFT_META_CGROUP, NFT_META_CGROUP,
NFT_META_PRANDOM, NFT_META_PRANDOM,
NFT_META_SECPATH,
}; };
/** /**
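Review bot: The new kernel-doc line for NFT_META_SECPATH describes only the value and not the two conditions the kernel side enforces with -EOPNOTSUPP: the key exists only when CONFIG_XFRM is set, and a rule using it is accepted only in the ingress / prerouting / input / forward hooks. Since this is a uapi header, that is what a userspace author reading the enum needs to know before a rule load fails; I would extend the line to `* @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp); needs CONFIG_XFRM, input-side hooks only`. The enum body continues outside the hunk.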
...@@ -210,6 +210,11 @@ void nft_meta_get_eval(const struct nft_expr *expr, ...@@ -210,6 +210,11 @@ void nft_meta_get_eval(const struct nft_expr *expr,
*dest = prandom_u32_state(state); *dest = prandom_u32_state(state);
break; break;
} }
#ifdef CONFIG_XFRM
case NFT_META_SECPATH:
nft_reg_store8(dest, !!skb->sp);
break;
#endif
default: default:
WARN_ON(1); WARN_ON(1);
goto err; goto err;
...@@ -308,6 +313,11 @@ int nft_meta_get_init(const struct nft_ctx *ctx, ...@@ -308,6 +313,11 @@ int nft_meta_get_init(const struct nft_ctx *ctx,
prandom_init_once(&nft_prandom_state); prandom_init_once(&nft_prandom_state);
len = sizeof(u32); len = sizeof(u32);
break; break;
#ifdef CONFIG_XFRM
case NFT_META_SECPATH:
len = sizeof(u8);
break;
#endif
default: default:
return -EOPNOTSUPP; return -EOPNOTSUPP;
} }
...@@ -318,6 +328,38 @@ int nft_meta_get_init(const struct nft_ctx *ctx, ...@@ -318,6 +328,38 @@ int nft_meta_get_init(const struct nft_ctx *ctx,
} }
EXPORT_SYMBOL_GPL(nft_meta_get_init); EXPORT_SYMBOL_GPL(nft_meta_get_init);
static int nft_meta_get_validate(const struct nft_ctx *ctx,
const struct nft_expr *expr,
const struct nft_data **data)
{
#ifdef CONFIG_XFRM
const struct nft_meta *priv = nft_expr_priv(expr);
unsigned int hooks;
if (priv->key != NFT_META_SECPATH)
return 0;
switch (ctx->afi->family) {
case NFPROTO_NETDEV:
hooks = 1 << NF_NETDEV_INGRESS;
break;
case NFPROTO_IPV4:
case NFPROTO_IPV6:
case NFPROTO_INET:
hooks = (1 << NF_INET_PRE_ROUTING) |
(1 << NF_INET_LOCAL_IN) |
(1 << NF_INET_FORWARD);
break;
default:
return -EOPNOTSUPP;
}
return nft_chain_validate_hooks(ctx->chain, hooks);
#else
return 0;
#endif
}
int nft_meta_set_validate(const struct nft_ctx *ctx, int nft_meta_set_validate(const struct nft_ctx *ctx,
const struct nft_expr *expr, const struct nft_expr *expr,
const struct nft_data **data) const struct nft_data **data)
...@@ -434,6 +476,7 @@ static const struct nft_expr_ops nft_meta_get_ops = { ...@@ -434,6 +476,7 @@ static const struct nft_expr_ops nft_meta_get_ops = {
.eval = nft_meta_get_eval, .eval = nft_meta_get_eval,
.init = nft_meta_get_init, .init = nft_meta_get_init,
.dump = nft_meta_get_dump, .dump = nft_meta_get_dump,
.validate = nft_meta_get_validate,
}; };
static const struct nft_expr_ops nft_meta_set_ops = { static const struct nft_expr_ops nft_meta_set_ops = {
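Review bot: nft_meta_get_validate has no comment explaining why the key is confined to the ingress, prerouting, input and forward hooks, and that restriction is the part of this change a maintainer is most likely to loosen by mistake. As far as I can tell the secpath is attached to a packet on the receive/decapsulation path, so on output-side hooks the key would not report anything about IPsec policy and a `secpath exists`/`missing` rule could silently match the wrong traffic; I would add above the switch `/* skb->sp reflects the received (decapsulated) packet only; refuse the key on output-side hooks so a policy match cannot silently evaluate to "none" there. */`. As a style point, the eval case could use the `secpath_exists()` helper that the uapi comment itself names instead of open-coding `!!skb->sp`, if that helper is available in this tree, which would keep the check in one place should skb->sp change representation. The `data` parameter is unused, which matches the existing nft_meta_set_validate.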