提交 c078ca3b 编写于 作者: P Phil Sutter 提交者: Pablo Neira Ayuso

netfilter: nft_exthdr: Add support for existence check

If NFT_EXTHDR_F_PRESENT is set, exthdr will not copy any header field
data into *dest, but instead set it to 1 if the header is found and 0
otherwise.
Signed-off-by: NPhil Sutter <phil@nwl.cc>
Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
上级 6e7bc478
...@@ -704,6 +704,10 @@ enum nft_payload_attributes { ...@@ -704,6 +704,10 @@ enum nft_payload_attributes {
}; };
#define NFTA_PAYLOAD_MAX (__NFTA_PAYLOAD_MAX - 1) #define NFTA_PAYLOAD_MAX (__NFTA_PAYLOAD_MAX - 1)
enum nft_exthdr_flags {
NFT_EXTHDR_F_PRESENT = (1 << 0),
};
/** /**
* enum nft_exthdr_attributes - nf_tables IPv6 extension header expression netlink attributes * enum nft_exthdr_attributes - nf_tables IPv6 extension header expression netlink attributes
* *
...@@ -711,6 +715,7 @@ enum nft_payload_attributes { ...@@ -711,6 +715,7 @@ enum nft_payload_attributes {
* @NFTA_EXTHDR_TYPE: extension header type (NLA_U8) * @NFTA_EXTHDR_TYPE: extension header type (NLA_U8)
* @NFTA_EXTHDR_OFFSET: extension header offset (NLA_U32) * @NFTA_EXTHDR_OFFSET: extension header offset (NLA_U32)
* @NFTA_EXTHDR_LEN: extension header length (NLA_U32) * @NFTA_EXTHDR_LEN: extension header length (NLA_U32)
* @NFTA_EXTHDR_FLAGS: extension header flags (NLA_U32)
*/ */
enum nft_exthdr_attributes { enum nft_exthdr_attributes {
NFTA_EXTHDR_UNSPEC, NFTA_EXTHDR_UNSPEC,
...@@ -718,6 +723,7 @@ enum nft_exthdr_attributes { ...@@ -718,6 +723,7 @@ enum nft_exthdr_attributes {
NFTA_EXTHDR_TYPE, NFTA_EXTHDR_TYPE,
NFTA_EXTHDR_OFFSET, NFTA_EXTHDR_OFFSET,
NFTA_EXTHDR_LEN, NFTA_EXTHDR_LEN,
NFTA_EXTHDR_FLAGS,
__NFTA_EXTHDR_MAX __NFTA_EXTHDR_MAX
}; };
#define NFTA_EXTHDR_MAX (__NFTA_EXTHDR_MAX - 1) #define NFTA_EXTHDR_MAX (__NFTA_EXTHDR_MAX - 1)
......
...@@ -23,6 +23,7 @@ struct nft_exthdr { ...@@ -23,6 +23,7 @@ struct nft_exthdr {
u8 offset; u8 offset;
u8 len; u8 len;
enum nft_registers dreg:8; enum nft_registers dreg:8;
u8 flags;
}; };
static void nft_exthdr_eval(const struct nft_expr *expr, static void nft_exthdr_eval(const struct nft_expr *expr,
...@@ -35,8 +36,12 @@ static void nft_exthdr_eval(const struct nft_expr *expr, ...@@ -35,8 +36,12 @@ static void nft_exthdr_eval(const struct nft_expr *expr,
int err; int err;
err = ipv6_find_hdr(pkt->skb, &offset, priv->type, NULL, NULL); err = ipv6_find_hdr(pkt->skb, &offset, priv->type, NULL, NULL);
if (err < 0) if (priv->flags & NFT_EXTHDR_F_PRESENT) {
*dest = (err >= 0);
return;
} else if (err < 0) {
goto err; goto err;
}
offset += priv->offset; offset += priv->offset;
dest[priv->len / NFT_REG32_SIZE] = 0; dest[priv->len / NFT_REG32_SIZE] = 0;
...@@ -52,6 +57,7 @@ static const struct nla_policy nft_exthdr_policy[NFTA_EXTHDR_MAX + 1] = { ...@@ -52,6 +57,7 @@ static const struct nla_policy nft_exthdr_policy[NFTA_EXTHDR_MAX + 1] = {
[NFTA_EXTHDR_TYPE] = { .type = NLA_U8 }, [NFTA_EXTHDR_TYPE] = { .type = NLA_U8 },
[NFTA_EXTHDR_OFFSET] = { .type = NLA_U32 }, [NFTA_EXTHDR_OFFSET] = { .type = NLA_U32 },
[NFTA_EXTHDR_LEN] = { .type = NLA_U32 }, [NFTA_EXTHDR_LEN] = { .type = NLA_U32 },
[NFTA_EXTHDR_FLAGS] = { .type = NLA_U32 },
}; };
static int nft_exthdr_init(const struct nft_ctx *ctx, static int nft_exthdr_init(const struct nft_ctx *ctx,
...@@ -59,7 +65,7 @@ static int nft_exthdr_init(const struct nft_ctx *ctx, ...@@ -59,7 +65,7 @@ static int nft_exthdr_init(const struct nft_ctx *ctx,
const struct nlattr * const tb[]) const struct nlattr * const tb[])
{ {
struct nft_exthdr *priv = nft_expr_priv(expr); struct nft_exthdr *priv = nft_expr_priv(expr);
u32 offset, len; u32 offset, len, flags = 0;
int err; int err;
if (tb[NFTA_EXTHDR_DREG] == NULL || if (tb[NFTA_EXTHDR_DREG] == NULL ||
...@@ -76,10 +82,20 @@ static int nft_exthdr_init(const struct nft_ctx *ctx, ...@@ -76,10 +82,20 @@ static int nft_exthdr_init(const struct nft_ctx *ctx,
if (err < 0) if (err < 0)
return err; return err;
if (tb[NFTA_EXTHDR_FLAGS]) {
err = nft_parse_u32_check(tb[NFTA_EXTHDR_FLAGS], U8_MAX, &flags);
if (err < 0)
return err;
if (flags & ~NFT_EXTHDR_F_PRESENT)
return -EINVAL;
}
priv->type = nla_get_u8(tb[NFTA_EXTHDR_TYPE]); priv->type = nla_get_u8(tb[NFTA_EXTHDR_TYPE]);
priv->offset = offset; priv->offset = offset;
priv->len = len; priv->len = len;
priv->dreg = nft_parse_register(tb[NFTA_EXTHDR_DREG]); priv->dreg = nft_parse_register(tb[NFTA_EXTHDR_DREG]);
priv->flags = flags;
return nft_validate_register_store(ctx, priv->dreg, NULL, return nft_validate_register_store(ctx, priv->dreg, NULL,
NFT_DATA_VALUE, priv->len); NFT_DATA_VALUE, priv->len);
...@@ -97,6 +113,8 @@ static int nft_exthdr_dump(struct sk_buff *skb, const struct nft_expr *expr) ...@@ -97,6 +113,8 @@ static int nft_exthdr_dump(struct sk_buff *skb, const struct nft_expr *expr)
goto nla_put_failure; goto nla_put_failure;
if (nla_put_be32(skb, NFTA_EXTHDR_LEN, htonl(priv->len))) if (nla_put_be32(skb, NFTA_EXTHDR_LEN, htonl(priv->len)))
goto nla_put_failure; goto nla_put_failure;
if (nla_put_be32(skb, NFTA_EXTHDR_FLAGS, htonl(priv->flags)))
goto nla_put_failure;
return 0; return 0;
nla_put_failure: nla_put_failure:
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册