
netfilter: nft_socket: add wildcard support

Add NFT_SOCKET_WILDCARD to match wildcard (zero-bound) socket listeners.

Signed-off-by: Balazs Scheidler <bazsi77@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

Balazs Scheidler and committed by
Pablo Neira Ayuso
67407a40 f5143e10

+29
+2
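--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -1010,10 +1010,12 @@
  *
  * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option
  * @NFT_SOCKET_MARK: Value of the socket mark
+ * @NFT_SOCKET_WILDCARD: Whether the socket is zero-bound (e.g. 0.0.0.0 or ::0)
  */
 enum nft_socket_keys {
 	NFT_SOCKET_TRANSPARENT,
 	NFT_SOCKET_MARK,
+	NFT_SOCKET_WILDCARD,
 	__NFT_SOCKET_MAX
 };
 #define NFT_SOCKET_MAX (__NFT_SOCKET_MAX - 1)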
+27
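--- a/net/netfilter/nft_socket.c
+++ b/net/netfilter/nft_socket.c
@@ -14,6 +14,25 @@
 	};
 };
 
+static void nft_socket_wildcard(const struct nft_pktinfo *pkt,
+				struct nft_regs *regs, struct sock *sk,
+				u32 *dest)
+{
+	switch (nft_pf(pkt)) {
+	case NFPROTO_IPV4:
+		nft_reg_store8(dest, inet_sk(sk)->inet_rcv_saddr == 0);
+		break;
+#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
+	case NFPROTO_IPV6:
+		nft_reg_store8(dest, ipv6_addr_any(&sk->sk_v6_rcv_saddr));
+		break;
+#endif
+	default:
+		regs->verdict.code = NFT_BREAK;
+		return;
+	}
+}
+
 static void nft_socket_eval(const struct nft_expr *expr,
 			    struct nft_regs *regs,
 			    const struct nft_pktinfo *pkt)
@@ -59,6 +78,13 @@
 			return;
 		}
 		break;
+	case NFT_SOCKET_WILDCARD:
+		if (!sk_fullsock(sk)) {
+			regs->verdict.code = NFT_BREAK;
+			return;
+		}
+		nft_socket_wildcard(pkt, regs, sk, dest);
+		break;
 	default:
 		WARN_ON(1);
 		regs->verdict.code = NFT_BREAK;
@@ -97,6 +123,7 @@
 	priv->key = ntohl(nla_get_u32(tb[NFTA_SOCKET_KEY]));
 	switch(priv->key) {
 	case NFT_SOCKET_TRANSPARENT:
+	case NFT_SOCKET_WILDCARD:
 		len = sizeof(u8);
 		break;
 	case NFT_SOCKET_MARK: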
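Review bot: The new NFT_SOCKET_WILDCARD arm in nft_socket_eval leaves the function with `return;` when `sk_fullsock(sk)` fails, and if the function releases a looked-up socket after the switch (that tail, like the start of nft_socket_eval, is outside this hunk), the early return skips that release for request/TIME_WAIT sockets, which would be a reference leak reachable from ordinary packet processing. Changing the arm to `if (!sk_fullsock(sk)) { regs->verdict.code = NFT_BREAK; break; }` lets the common exit path run; the NFT_SOCKET_MARK arm visible as context above it has the same shape, so a fix should be applied to both together. The `return` in nft_socket_wildcard's default arm is not affected, since the caller `break`s after the helper returns. Separately, nft_socket_wildcard would read better with a short header comment such as `/* Store 1 in *dest if sk is bound to the unspecified address (0.0.0.0 or ::) for pkt's family; other families, and IPv6 without CONFIG_NF_TABLES_IPV6, break the rule. */`, since the verdict side effect is not obvious from the name.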