netfilter: add connlabel conntrack extension
similar to connmarks, except labels are bit-based; i.e. all labels may be attached to a flow at the same time. Up to 128 labels are supported. Supporting more labels is possible, but requires increasing the ct offset delta from u8 to u16 type due to increased extension sizes. Mapping of bit-identifier to label name is done in userspace. The extension is enabled at run-time once "-m connlabel" netfilter rules are added. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
Florian Westphal
committed by
Pablo Neira Ayuso
Pablo Neira Ayuso
parent
7266507d89
commit
c539f01717
@@ -22,6 +22,9 @@ enum nf_ct_ext_id {
|
||||
#endif
|
||||
#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
|
||||
NF_CT_EXT_TIMEOUT,
|
||||
#endif
|
||||
#ifdef CONFIG_NF_CONNTRACK_LABELS
|
||||
NF_CT_EXT_LABELS,
|
||||
#endif
|
||||
NF_CT_EXT_NUM,
|
||||
};
|
||||
@@ -33,6 +36,7 @@ enum nf_ct_ext_id {
|
||||
#define NF_CT_EXT_ZONE_TYPE struct nf_conntrack_zone
|
||||
#define NF_CT_EXT_TSTAMP_TYPE struct nf_conn_tstamp
|
||||
#define NF_CT_EXT_TIMEOUT_TYPE struct nf_conn_timeout
|
||||
#define NF_CT_EXT_LABELS_TYPE struct nf_conn_labels
|
||||
|
||||
/* Extensions: optional stuff which isn't permanently in struct. */
|
||||
struct nf_ct_ext {
|
||||
|
||||
55
include/net/netfilter/nf_conntrack_labels.h
Normal file
55
include/net/netfilter/nf_conntrack_labels.h
Normal file
@@ -0,0 +1,55 @@
|
||||
#include <linux/types.h>
|
||||
#include <net/net_namespace.h>
|
||||
#include <linux/netfilter/nf_conntrack_common.h>
|
||||
#include <linux/netfilter/nf_conntrack_tuple_common.h>
|
||||
#include <net/netfilter/nf_conntrack.h>
|
||||
#include <net/netfilter/nf_conntrack_extend.h>
|
||||
|
||||
#include <uapi/linux/netfilter/xt_connlabel.h>
|
||||
|
||||
struct nf_conn_labels {
|
||||
u8 words;
|
||||
unsigned long bits[];
|
||||
};
|
||||
|
||||
static inline struct nf_conn_labels *nf_ct_labels_find(const struct nf_conn *ct)
|
||||
{
|
||||
#ifdef CONFIG_NF_CONNTRACK_LABELS
|
||||
return nf_ct_ext_find(ct, NF_CT_EXT_LABELS);
|
||||
#else
|
||||
return NULL;
|
||||
#endif
|
||||
}
|
||||
|
||||
static inline struct nf_conn_labels *nf_ct_labels_ext_add(struct nf_conn *ct)
|
||||
{
|
||||
#ifdef CONFIG_NF_CONNTRACK_LABELS
|
||||
struct nf_conn_labels *cl_ext;
|
||||
struct net *net = nf_ct_net(ct);
|
||||
u8 words;
|
||||
|
||||
words = ACCESS_ONCE(net->ct.label_words);
|
||||
if (words == 0 || WARN_ON_ONCE(words > 8))
|
||||
return NULL;
|
||||
|
||||
cl_ext = nf_ct_ext_add_length(ct, NF_CT_EXT_LABELS,
|
||||
words * sizeof(long), GFP_ATOMIC);
|
||||
if (cl_ext != NULL)
|
||||
cl_ext->words = words;
|
||||
|
||||
return cl_ext;
|
||||
#else
|
||||
return NULL;
|
||||
#endif
|
||||
}
|
||||
|
||||
bool nf_connlabel_match(const struct nf_conn *ct, u16 bit);
|
||||
int nf_connlabel_set(struct nf_conn *ct, u16 bit);
|
||||
|
||||
#ifdef CONFIG_NF_CONNTRACK_LABELS
|
||||
int nf_conntrack_labels_init(struct net *net);
|
||||
void nf_conntrack_labels_fini(struct net *net);
|
||||
#else
|
||||
static inline int nf_conntrack_labels_init(struct net *n) { return 0; }
|
||||
static inline void nf_conntrack_labels_fini(struct net *net) {}
|
||||
#endif
|
||||
Reference in New Issue
Block a user