提交 0fb4d219 编写于 作者: W wenxu 提交者: Pablo Neira Ayuso

netfilter: nft_meta: Add NFT_META_I/OIFKIND meta type

In the ip_rcv the skb goes through the PREROUTING hook first, then kicks
in vrf device and go through the same hook again. When conntrack dnat
works with vrf, there will be some conflict with rules because the
packet goes through the hook twice with different nf status.

ip link add user1 type vrf table 1
ip link add user2 type vrf table 2
ip l set dev tun1 master user1
ip l set dev tun2 master user2

nft add table firewall
nft add chain firewall zones { type filter hook prerouting  priority - 300 \; }
nft add rule firewall zones counter ct zone set iif map { "tun1" : 1, "tun2" : 2 }
nft add chain firewall rule-1000-ingress
nft add rule firewall rule-1000-ingress ct zone 1 tcp dport 22 ct state new counter accept
nft add rule firewall rule-1000-ingress counter drop
nft add chain firewall rule-1000-egress
nft add rule firewall rule-1000-egress tcp dport 22 ct state new counter drop
nft add rule firewall rule-1000-egress counter accept

nft add chain firewall rules-all { type filter hook prerouting priority - 150 \; }
nft add rule firewall rules-all ip daddr vmap { "2.2.2.11" : jump rule-1000-ingress }
nft add rule firewall rules-all ct zone vmap { 1 : jump rule-1000-egress }

nft add rule firewall dnat-all ct zone vmap { 1 : jump dnat-1000 }
nft add rule firewall dnat-1000 ip daddr 2.2.2.11 counter dnat to 10.0.0.7

For a package with ip daddr 2.2.2.11 and tcp dport 22, first time accept in the
rule-1000-ingress and dnat to 10.0.0.7. Then second time the packet goto the wrong
chain rule-1000-egress which leads the packet drop

With this patch, userspace can add the 'don't re-do entire ruleset for
vrf' policy itself via:

nft add rule firewall rules-all meta iifkind "vrf" counter accept
Signed-off-by: Nwenxu <wenxu@ucloud.cn>
Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
上级 ba3fbe66
...@@ -791,6 +791,8 @@ enum nft_exthdr_attributes { ...@@ -791,6 +791,8 @@ enum nft_exthdr_attributes {
* @NFT_META_CGROUP: socket control group (skb->sk->sk_classid) * @NFT_META_CGROUP: socket control group (skb->sk->sk_classid)
* @NFT_META_PRANDOM: a 32bit pseudo-random number * @NFT_META_PRANDOM: a 32bit pseudo-random number
* @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp) * @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp)
* @NFT_META_IIFKIND: packet input interface kind name (dev->rtnl_link_ops->kind)
* @NFT_META_OIFKIND: packet output interface kind name (dev->rtnl_link_ops->kind)
*/ */
enum nft_meta_keys { enum nft_meta_keys {
NFT_META_LEN, NFT_META_LEN,
...@@ -819,6 +821,8 @@ enum nft_meta_keys { ...@@ -819,6 +821,8 @@ enum nft_meta_keys {
NFT_META_CGROUP, NFT_META_CGROUP,
NFT_META_PRANDOM, NFT_META_PRANDOM,
NFT_META_SECPATH, NFT_META_SECPATH,
NFT_META_IIFKIND,
NFT_META_OIFKIND,
}; };
/** /**
......
...@@ -244,6 +244,16 @@ void nft_meta_get_eval(const struct nft_expr *expr, ...@@ -244,6 +244,16 @@ void nft_meta_get_eval(const struct nft_expr *expr,
strncpy((char *)dest, p->br->dev->name, IFNAMSIZ); strncpy((char *)dest, p->br->dev->name, IFNAMSIZ);
return; return;
#endif #endif
case NFT_META_IIFKIND:
if (in == NULL || in->rtnl_link_ops == NULL)
goto err;
strncpy((char *)dest, in->rtnl_link_ops->kind, IFNAMSIZ);
break;
case NFT_META_OIFKIND:
if (out == NULL || out->rtnl_link_ops == NULL)
goto err;
strncpy((char *)dest, out->rtnl_link_ops->kind, IFNAMSIZ);
break;
default: default:
WARN_ON(1); WARN_ON(1);
goto err; goto err;
...@@ -340,6 +350,8 @@ static int nft_meta_get_init(const struct nft_ctx *ctx, ...@@ -340,6 +350,8 @@ static int nft_meta_get_init(const struct nft_ctx *ctx,
break; break;
case NFT_META_IIFNAME: case NFT_META_IIFNAME:
case NFT_META_OIFNAME: case NFT_META_OIFNAME:
case NFT_META_IIFKIND:
case NFT_META_OIFKIND:
len = IFNAMSIZ; len = IFNAMSIZ;
break; break;
case NFT_META_PRANDOM: case NFT_META_PRANDOM:
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册