netfilter: nftables_offload: set address type in control dissector

author Pablo Neira Ayuso <pablo@netfilter.org>

Wed, 25 Nov 2020 22:50:07 +0000 (23:50 +0100)

committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>

Fri, 11 Dec 2020 12:23:33 +0000 (13:23 +0100)
author Pablo Neira Ayuso <pablo@netfilter.org>
Wed, 25 Nov 2020 22:50:07 +0000 (23:50 +0100)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 11 Dec 2020 12:23:33 +0000 (13:23 +0100)
diff --git a/include/net/netfilter/nf_tables_offload.h b/include/net/netfilter/nf_tables_offload.h

index 03cf5856d76f28cfcc706529312d73354d0625f1..d0bb9e3bcec1cca6d14a929fcf8370fb8ffce79f 100644 (file)
--- a/include/net/netfilter/nf_tables_offload.h
+++ b/include/net/netfilter/nf_tables_offload.h
@@ -37,6 +37,7 @@ void nft_offload_update_dependency(struct nft_offload_ctx *ctx,
  
  struct nft_flow_key {
         struct flow_dissector_key_basic                 basic;
+       struct flow_dissector_key_control               control;
         union {
                 struct flow_dissector_key_ipv4_addrs    ipv4;
                 struct flow_dissector_key_ipv6_addrs    ipv6;
@@ -61,6 +62,9 @@ struct nft_flow_rule {
  
  #define NFT_OFFLOAD_F_ACTION   (1 << 0)
  
+void nft_flow_rule_set_addr_type(struct nft_flow_rule *flow,
+                                enum flow_dissector_key_id addr_type);
+
  struct nft_rule;
  struct nft_flow_rule *nft_flow_rule_create(struct net *net, const struct nft_rule *rule);
  void nft_flow_rule_destroy(struct nft_flow_rule *flow);
diff --git a/net/netfilter/nf_tables_offload.c b/net/netfilter/nf_tables_offload.c

index c480549a7f94635ff58b951ec3fa039bba3cd3d3..3aa4306ca39f6e99d38f63e0df9d54ccdfae38f6 100644 (file)
--- a/net/netfilter/nf_tables_offload.c
+++ b/net/netfilter/nf_tables_offload.c
@@ -28,6 +28,23 @@ static struct nft_flow_rule *nft_flow_rule_alloc(int num_actions)
         return flow;
  }
  
+void nft_flow_rule_set_addr_type(struct nft_flow_rule *flow,
+                                enum flow_dissector_key_id addr_type)
+{
+       struct nft_flow_match *match = &flow->match;
+       struct nft_flow_key *mask = &match->mask;
+       struct nft_flow_key *key = &match->key;
+
+       if (match->dissector.used_keys & BIT(FLOW_DISSECTOR_KEY_CONTROL))
+               return;
+
+       key->control.addr_type = addr_type;
+       mask->control.addr_type = 0xffff;
+       match->dissector.used_keys |= BIT(FLOW_DISSECTOR_KEY_CONTROL);
+       match->dissector.offset[FLOW_DISSECTOR_KEY_CONTROL] =
+               offsetof(struct nft_flow_key, control);
+}
+
  struct nft_flow_rule *nft_flow_rule_create(struct net *net,
                                            const struct nft_rule *rule)
  {
diff --git a/net/netfilter/nft_payload.c b/net/netfilter/nft_payload.c

index 62dc728bf93c92fdda8f98cdba41308a3188ef34..921f8f45b17f417a574c4ddea167bc270c05c7df 100644 (file)
--- a/net/netfilter/nft_payload.c
+++ b/net/netfilter/nft_payload.c
@@ -197,6 +197,7 @@ static int nft_payload_offload_ip(struct nft_offload_ctx *ctx,
  
                 NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_IPV4_ADDRS, ipv4, src,
                                   sizeof(struct in_addr), reg);
+               nft_flow_rule_set_addr_type(flow, FLOW_DISSECTOR_KEY_IPV4_ADDRS);
                 break;
         case offsetof(struct iphdr, daddr):
                 if (priv->len != sizeof(struct in_addr))
@@ -204,6 +205,7 @@ static int nft_payload_offload_ip(struct nft_offload_ctx *ctx,
  
                 NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_IPV4_ADDRS, ipv4, dst,
                                   sizeof(struct in_addr), reg);
+               nft_flow_rule_set_addr_type(flow, FLOW_DISSECTOR_KEY_IPV4_ADDRS);
                 break;
         case offsetof(struct iphdr, protocol):
                 if (priv->len != sizeof(__u8))
@@ -233,6 +235,7 @@ static int nft_payload_offload_ip6(struct nft_offload_ctx *ctx,
  
                 NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_IPV6_ADDRS, ipv6, src,
                                   sizeof(struct in6_addr), reg);
+               nft_flow_rule_set_addr_type(flow, FLOW_DISSECTOR_KEY_IPV6_ADDRS);
                 break;
         case offsetof(struct ipv6hdr, daddr):
                 if (priv->len != sizeof(struct in6_addr))
@@ -240,6 +243,7 @@ static int nft_payload_offload_ip6(struct nft_offload_ctx *ctx,
  
                 NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_IPV6_ADDRS, ipv6, dst,
                                   sizeof(struct in6_addr), reg);
+               nft_flow_rule_set_addr_type(flow, FLOW_DISSECTOR_KEY_IPV6_ADDRS);
                 break;
         case offsetof(struct ipv6hdr, nexthdr):
                 if (priv->len != sizeof(__u8))
author	Pablo Neira Ayuso <pablo@netfilter.org>
	Wed, 25 Nov 2020 22:50:07 +0000 (23:50 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Fri, 11 Dec 2020 12:23:33 +0000 (13:23 +0100)
include/net/netfilter/nf_tables_offload.h		patch \| blob \| history
net/netfilter/nf_tables_offload.c		patch \| blob \| history
net/netfilter/nft_payload.c		patch \| blob \| history