kernel: backport a series of netfilter cleanup patches to 4.14
1 From: Florian Westphal <fw@strlen.de>
2 Date: Wed, 6 Dec 2017 16:18:16 +0100
3 Subject: [PATCH] netfilter: meta: secpath support
4
5 replacement for iptables "-m policy --dir in --policy {ipsec,none}".
6
7 Signed-off-by: Florian Westphal <fw@strlen.de>
8 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
9 ---
10
11 --- a/include/uapi/linux/netfilter/nf_tables.h
12 +++ b/include/uapi/linux/netfilter/nf_tables.h
13 @@ -777,6 +777,7 @@ enum nft_exthdr_attributes {
14 * @NFT_META_OIFGROUP: packet output interface group
15 * @NFT_META_CGROUP: socket control group (skb->sk->sk_classid)
16 * @NFT_META_PRANDOM: a 32bit pseudo-random number
17 + * @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp)
18 */
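Review bot: The new @NFT_META_SECPATH description only says the value is `!!skb->sp`, which is easy to over-read as "this packet arrived from a specific IPsec peer"; as evaluated by this patch the key merely reports that some inbound IPsec transform populated the secpath and carries nothing about which SA, peer, reqid or policy matched. Since the commit message positions this as the replacement for `-m policy --dir in --policy {ipsec,none}`, ruleset authors will use it for trust decisions, so the uapi comment should state the limit explicitly, e.g. `* @NFT_META_SECPATH: boolean, true if an inbound IPsec transform was applied (!!skb->sp); does not identify the SA or policy, combine with address/mark matches`. That keeps "ipsec vs none" as the only semantics the key promises.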
19 enum nft_meta_keys {
20 NFT_META_LEN,
21 @@ -804,6 +805,7 @@ enum nft_meta_keys {
22 NFT_META_OIFGROUP,
23 NFT_META_CGROUP,
24 NFT_META_PRANDOM,
25 + NFT_META_SECPATH,
26 };
27
28 /**
29 --- a/net/netfilter/nft_meta.c
30 +++ b/net/netfilter/nft_meta.c
31 @@ -210,6 +210,11 @@ void nft_meta_get_eval(const struct nft_
32 *dest = prandom_u32_state(state);
33 break;
34 }
35 +#ifdef CONFIG_XFRM
36 + case NFT_META_SECPATH:
37 + nft_reg_store8(dest, !!skb->sp);
38 + break;
39 +#endif
40 default:
41 WARN_ON(1);
42 goto err;
43 @@ -308,6 +313,11 @@ int nft_meta_get_init(const struct nft_c
44 prandom_init_once(&nft_prandom_state);
45 len = sizeof(u32);
46 break;
47 +#ifdef CONFIG_XFRM
48 + case NFT_META_SECPATH:
49 + len = sizeof(u8);
50 + break;
51 +#endif
52 default:
53 return -EOPNOTSUPP;
54 }
55 @@ -318,6 +328,38 @@ int nft_meta_get_init(const struct nft_c
56 }
57 EXPORT_SYMBOL_GPL(nft_meta_get_init);
58
59 +static int nft_meta_get_validate(const struct nft_ctx *ctx,
60 + const struct nft_expr *expr,
61 + const struct nft_data **data)
62 +{
63 +#ifdef CONFIG_XFRM
64 + const struct nft_meta *priv = nft_expr_priv(expr);
65 + unsigned int hooks;
66 +
67 + if (priv->key != NFT_META_SECPATH)
68 + return 0;
69 +
70 + switch (ctx->afi->family) {
71 + case NFPROTO_NETDEV:
72 + hooks = 1 << NF_NETDEV_INGRESS;
73 + break;
74 + case NFPROTO_IPV4:
75 + case NFPROTO_IPV6:
76 + case NFPROTO_INET:
77 + hooks = (1 << NF_INET_PRE_ROUTING) |
78 + (1 << NF_INET_LOCAL_IN) |
79 + (1 << NF_INET_FORWARD);
80 + break;
81 + default:
82 + return -EOPNOTSUPP;
83 + }
84 +
85 + return nft_chain_validate_hooks(ctx->chain, hooks);
86 +#else
87 + return 0;
88 +#endif
89 +}
90 +
91 int nft_meta_set_validate(const struct nft_ctx *ctx,
92 const struct nft_expr *expr,
93 const struct nft_data **data)
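Review bot: The hook mask built in nft_meta_get_validate is only as strong as nft_chain_validate_hooks, and if that helper behaves here as it does for the existing nft_meta_set_validate — checking the hook of base chains only — a rule that uses NFT_META_SECPATH in a regular chain reached by a jump from an output or postrouting base chain is not rejected and evaluates skb->sp on the egress path, where it does not mean "arrived via IPsec". That limitation is not visible from this function, so it deserves a comment above the switch, e.g. `/* Restricts base chains only; a regular chain jumped to from an output hook is not caught here. */`, so that anyone relying on this check for a security policy knows it is a sanity check rather than a guarantee. The unconditional `return 0` in the `#else` branch is fine only because nft_meta_get_init rejects the key with -EOPNOTSUPP when CONFIG_XFRM is unset; a one-line comment tying the two `#ifdef` blocks together would keep a future edit from breaking that assumption.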
94 @@ -434,6 +476,7 @@ static const struct nft_expr_ops nft_met
95 .eval = nft_meta_get_eval,
96 .init = nft_meta_get_init,
97 .dump = nft_meta_get_dump,
98 + .validate = nft_meta_get_validate,
99 };
100
101 static const struct nft_expr_ops nft_meta_set_ops = {