
Commit d877f071 authored by Pablo Neira Ayuso

netfilter: nf_tables: add nft_dup expression



This new expression uses the nf_dup engine to clone packets to a given gateway.
Unlike xt_TEE, we use an index to indicate output interface which should be
fine at this stage.

Moreover, change to the preemption-safe this_cpu_read(nf_skb_duplicated) in
nf_dup_ipv{4,6} to silence a lockdep splat.

Based on the original tee expression from Arturo Borrero Gonzalez, although
this patch has diverted quite a bit from this initial effort due to the
change to support maps.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
parent bbde9fc1
+9 −0
#ifndef _NFT_DUP_H_
#define _NFT_DUP_H_

struct nft_dup_inet {
	enum nft_registers	sreg_addr:8;
	enum nft_registers	sreg_dev:8;
};

#endif /* _NFT_DUP_H_ */
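Review bot: The new header declares `struct nft_dup_inet` with two 8-bit register fields but no comment saying what each register is expected to hold, and the kernel-doc in the UAPI part of this commit is the only place that information lives. Since this struct is the expression's private state shared by the IPv4 and IPv6 modules, a one-line comment per field would save the next reader a trip to the netlink attribute docs: `enum nft_registers sreg_addr:8; /* register holding the gateway address */` and `enum nft_registers sreg_dev:8; /* register holding the output ifindex */`. Whether sreg_dev may be left unset (zero) when no output interface is given is decided in the expression's init code, which is not in this commit view, so that contract should be stated here once it is confirmed.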
+14 −0
@@ -935,6 +935,20 @@ enum nft_redir_attributes {
};
#define NFTA_REDIR_MAX		(__NFTA_REDIR_MAX - 1)

/**
 * enum nft_dup_attributes - nf_tables dup expression netlink attributes
 *
 * @NFTA_DUP_SREG_ADDR: source register of address (NLA_U32: nft_registers)
 * @NFTA_DUP_SREG_DEV: source register of output interface (NLA_U32: nft_register)
 */
enum nft_dup_attributes {
	NFTA_DUP_UNSPEC,
	NFTA_DUP_SREG_ADDR,
	NFTA_DUP_SREG_DEV,
	__NFTA_DUP_MAX
};
#define NFTA_DUP_MAX		(__NFTA_DUP_MAX - 1)

/**
 * enum nft_gen_attributes - nf_tables ruleset generation attributes
 *
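Review bot: The kernel-doc for `@NFTA_DUP_SREG_DEV` names the type as `nft_register`, while the line above it and the rest of the file use `nft_registers` (the actual enum name); this is a UAPI header, so the comment should be exact: ` * @NFTA_DUP_SREG_DEV: source register of output interface (NLA_U32: nft_registers)`. If the device register is optional in the parser (the commit message only says an ifindex is used, not that it is mandatory), the doc should also say "(optional)" so userspace authors do not assume both attributes are required.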
+6 −0
@@ -58,6 +58,12 @@ config NFT_REJECT_IPV4
	default NFT_REJECT
	tristate

config NFT_DUP_IPV4
	tristate "IPv4 nf_tables packet duplication support"
	select NF_DUP_IPV4
	help
	  This module enables IPv4 packet duplication support for nf_tables.

endif # NF_TABLES_IPV4
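Review bot: The help text for `NFT_DUP_IPV4` says only "packet duplication support" and does not name the expression it provides or what the duplicate is done with, which is what a user deciding whether to enable it needs. Something like `This module enables the "dup" expression for IPv4 nf_tables rules, which clones a packet and routes the copy to a gateway address (and optionally via a given output interface) taken from registers.` would match the commit description. The sibling entries in this Kconfig (e.g. `NFT_REJECT_IPV4`) are equally terse, so this is a style point rather than a defect.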

config NF_TABLES_ARP
+1 −0
@@ -41,6 +41,7 @@ obj-$(CONFIG_NFT_CHAIN_NAT_IPV4) += nft_chain_nat_ipv4.o
obj-$(CONFIG_NFT_REJECT_IPV4) += nft_reject_ipv4.o
obj-$(CONFIG_NFT_MASQ_IPV4) += nft_masq_ipv4.o
obj-$(CONFIG_NFT_REDIR_IPV4) += nft_redir_ipv4.o
obj-$(CONFIG_NFT_DUP_IPV4) += nft_dup_ipv4.o
obj-$(CONFIG_NF_TABLES_ARP) += nf_tables_arp.o

# generic IP tables 
+1 −1
@@ -69,7 +69,7 @@ void nf_dup_ipv4(struct sk_buff *skb, unsigned int hooknum,
{
	struct iphdr *iph;

	if (__this_cpu_read(nf_skb_duplicated))
	if (this_cpu_read(nf_skb_duplicated))
		return;
	/*
	 * Copy the skb, and route the copy. Will later return %XT_CONTINUE for
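Review bot: Switching to `this_cpu_read()` only makes the single read of the per-cpu `nf_skb_duplicated` flag preemption-safe; the flag is a recursion guard whose set and clear around re-injecting the copy presumably happen later in this function, outside the hunk, so the check-then-act pair as a whole still relies on the caller running in a non-migrating context (netfilter hook in softirq). That assumption is what makes the early return correct, and it is worth stating at the check: `/* per-cpu recursion guard: set while the cloned skb is re-injected below; callers run with preemption off */`. The body of `nf_dup_ipv4` continues past the end of this hunk, so the set/clear sites are not visible here and the comment should be confirmed against them.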