git.openpandora.org / pandora-kernel.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: bbde9fc)
netfilter: nf_tables: add nft_dup expression
authorPablo Neira Ayuso <pablo@netfilter.org>
Sun, 31 May 2015 16:04:11 +0000 (18:04 +0200)
committerPablo Neira Ayuso <pablo@netfilter.org>
Fri, 7 Aug 2015 09:49:49 +0000 (11:49 +0200)
This new expression uses the nf_dup engine to clone packets to a given gateway.
Unlike xt_TEE, we use an index to indicate output interface which should be
fine at this stage.

Moreover, change to the preemtion-safe this_cpu_read(nf_skb_duplicated) from
nf_dup_ipv{4,6} to silence a lockdep splat.

Based on the original tee expression from Arturo Borrero Gonzalez, although
this patch has diverted quite a bit from this initial effort due to the
change to support maps.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
include/net/netfilter/nft_dup.h [new file with mode: 0644] patch | blob
include/uapi/linux/netfilter/nf_tables.h patch | blob | history
net/ipv4/netfilter/Kconfig patch | blob | history
net/ipv4/netfilter/Makefile patch | blob | history
net/ipv4/netfilter/nf_dup_ipv4.c patch | blob | history
net/ipv4/netfilter/nft_dup_ipv4.c [new file with mode: 0644] patch | blob
net/ipv6/netfilter/Kconfig patch | blob | history
net/ipv6/netfilter/Makefile patch | blob | history
net/ipv6/netfilter/nf_dup_ipv6.c patch | blob | history
net/ipv6/netfilter/nft_dup_ipv6.c [new file with mode: 0644] patch | blob

diff --git a/include/net/netfilter/nft_dup.h b/include/net/netfilter/nft_dup.h
new file mode 100644 (file)
index 0000000..6b84cf6
--- /dev/null
+++ b/include/net/netfilter/nft_dup.h
@@ -0,0 +1,9 @@
+#ifndef _NFT_DUP_H_
+#define _NFT_DUP_H_
+
+struct nft_dup_inet {
+       enum nft_registers      sreg_addr:8;
+       enum nft_registers      sreg_dev:8;
+};
+
+#endif /* _NFT_DUP_H_ */
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index a99e6a9..2ef35f2 100644 (file)
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -935,6 +935,20 @@ enum nft_redir_attributes {
 };
 #define NFTA_REDIR_MAX         (__NFTA_REDIR_MAX - 1)
 
+/**
+ * enum nft_dup_attributes - nf_tables dup expression netlink attributes
+ *
+ * @NFTA_DUP_SREG_ADDR: source register of address (NLA_U32: nft_registers)
+ * @NFTA_DUP_SREG_DEV: source register of output interface (NLA_U32: nft_register)
+ */
+enum nft_dup_attributes {
+       NFTA_DUP_UNSPEC,
+       NFTA_DUP_SREG_ADDR,
+       NFTA_DUP_SREG_DEV,
+       __NFTA_DUP_MAX
+};
+#define NFTA_DUP_MAX           (__NFTA_DUP_MAX - 1)
+
 /**
  * enum nft_gen_attributes - nf_tables ruleset generation attributes
  *
diff --cc net/ipv4/netfilter/Kconfig
Simple merge
diff --cc net/ipv4/netfilter/Makefile
Simple merge
diff --cc net/ipv4/netfilter/nf_dup_ipv4.c
Simple merge
diff --cc net/ipv4/netfilter/nft_dup_ipv4.c
Simple merge
diff --cc net/ipv6/netfilter/Kconfig
Simple merge
diff --cc net/ipv6/netfilter/Makefile
Simple merge
diff --cc net/ipv6/netfilter/nf_dup_ipv6.c
Simple merge
diff --cc net/ipv6/netfilter/nft_dup_ipv6.c
Simple merge
Pandora Kernel Repository