提交 4566bf27 编写于 作者: P Patrick McHardy 提交者: Pablo Neira Ayuso

netfilter: nft_meta: add l4proto support

For L3-proto independant rules we need to get at the L4 protocol value
directly. Add it to the nft_pktinfo struct and use the meta expression
to retrieve it.
Signed-off-by: NPatrick McHardy <kaber@trash.net>
Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
上级 124edfa9
...@@ -16,6 +16,7 @@ struct nft_pktinfo { ...@@ -16,6 +16,7 @@ struct nft_pktinfo {
const struct nf_hook_ops *ops; const struct nf_hook_ops *ops;
u8 nhoff; u8 nhoff;
u8 thoff; u8 thoff;
u8 tprot;
/* for x_tables compatibility */ /* for x_tables compatibility */
struct xt_action_param xt; struct xt_action_param xt;
}; };
......
...@@ -15,8 +15,9 @@ nft_set_pktinfo_ipv4(struct nft_pktinfo *pkt, ...@@ -15,8 +15,9 @@ nft_set_pktinfo_ipv4(struct nft_pktinfo *pkt,
nft_set_pktinfo(pkt, ops, skb, in, out); nft_set_pktinfo(pkt, ops, skb, in, out);
pkt->xt.thoff = ip_hdrlen(pkt->skb);
ip = ip_hdr(pkt->skb); ip = ip_hdr(pkt->skb);
pkt->tprot = ip->protocol;
pkt->xt.thoff = ip_hdrlen(pkt->skb);
pkt->xt.fragoff = ntohs(ip->frag_off) & IP_OFFSET; pkt->xt.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
} }
......
...@@ -21,6 +21,7 @@ nft_set_pktinfo_ipv6(struct nft_pktinfo *pkt, ...@@ -21,6 +21,7 @@ nft_set_pktinfo_ipv6(struct nft_pktinfo *pkt,
if (protohdr < 0) if (protohdr < 0)
return -1; return -1;
pkt->tprot = protohdr;
pkt->xt.thoff = thoff; pkt->xt.thoff = thoff;
pkt->xt.fragoff = frag_off; pkt->xt.fragoff = frag_off;
......
...@@ -532,6 +532,7 @@ enum nft_exthdr_attributes { ...@@ -532,6 +532,7 @@ enum nft_exthdr_attributes {
* @NFT_META_RTCLASSID: realm value of packet's route (skb->dst->tclassid) * @NFT_META_RTCLASSID: realm value of packet's route (skb->dst->tclassid)
* @NFT_META_SECMARK: packet secmark (skb->secmark) * @NFT_META_SECMARK: packet secmark (skb->secmark)
* @NFT_META_NFPROTO: netfilter protocol * @NFT_META_NFPROTO: netfilter protocol
* @NFT_META_L4PROTO: layer 4 protocol number
*/ */
enum nft_meta_keys { enum nft_meta_keys {
NFT_META_LEN, NFT_META_LEN,
...@@ -550,6 +551,7 @@ enum nft_meta_keys { ...@@ -550,6 +551,7 @@ enum nft_meta_keys {
NFT_META_RTCLASSID, NFT_META_RTCLASSID,
NFT_META_SECMARK, NFT_META_SECMARK,
NFT_META_NFPROTO, NFT_META_NFPROTO,
NFT_META_L4PROTO,
}; };
/** /**
......
...@@ -46,6 +46,9 @@ static void nft_meta_get_eval(const struct nft_expr *expr, ...@@ -46,6 +46,9 @@ static void nft_meta_get_eval(const struct nft_expr *expr,
case NFT_META_NFPROTO: case NFT_META_NFPROTO:
dest->data[0] = pkt->ops->pf; dest->data[0] = pkt->ops->pf;
break; break;
case NFT_META_L4PROTO:
dest->data[0] = pkt->tprot;
break;
case NFT_META_PRIORITY: case NFT_META_PRIORITY:
dest->data[0] = skb->priority; dest->data[0] = skb->priority;
break; break;
...@@ -185,6 +188,7 @@ static int nft_meta_init_validate_get(uint32_t key) ...@@ -185,6 +188,7 @@ static int nft_meta_init_validate_get(uint32_t key)
case NFT_META_LEN: case NFT_META_LEN:
case NFT_META_PROTOCOL: case NFT_META_PROTOCOL:
case NFT_META_NFPROTO: case NFT_META_NFPROTO:
case NFT_META_L4PROTO:
case NFT_META_PRIORITY: case NFT_META_PRIORITY:
case NFT_META_MARK: case NFT_META_MARK:
case NFT_META_IIF: case NFT_META_IIF:
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册