diff options
| author | Rafał Miłecki <rafal@milecki.pl> | 2018-05-08 09:40:43 +0200 |
|---|---|---|
| committer | Rafał Miłecki <rafal@milecki.pl> | 2018-05-08 09:42:07 +0200 |
| commit | f9dcdc7fefcab5ec9b15b0f3c87dfebef37ecaa3 (patch) | |
| tree | 36fd6f2cc4324384f9af19994fb69a20d95f8daf /target/linux/generic/backport-4.14/314-v4.16-netfilter-meta-secpath-support.patch | |
| parent | 004cc22e4ef8187dd80d5d6be5a2575453ef3699 (diff) | |
| download | upstream-f9dcdc7fefcab5ec9b15b0f3c87dfebef37ecaa3.tar.gz upstream-f9dcdc7fefcab5ec9b15b0f3c87dfebef37ecaa3.tar.bz2 upstream-f9dcdc7fefcab5ec9b15b0f3c87dfebef37ecaa3.zip | |
kernel: mark source kernel for netfilter backports
This helps keeping track on patches & adding new kernels in the future.
Signed-off-by: Rafał Miłecki <rafal@milecki.pl>
Diffstat (limited to 'target/linux/generic/backport-4.14/314-v4.16-netfilter-meta-secpath-support.patch')
| -rw-r--r-- | target/linux/generic/backport-4.14/314-v4.16-netfilter-meta-secpath-support.patch | 101 |
1 files changed, 101 insertions, 0 deletions
diff --git a/target/linux/generic/backport-4.14/314-v4.16-netfilter-meta-secpath-support.patch b/target/linux/generic/backport-4.14/314-v4.16-netfilter-meta-secpath-support.patch new file mode 100644 index 0000000000..d755c17fc3 --- /dev/null +++ b/target/linux/generic/backport-4.14/314-v4.16-netfilter-meta-secpath-support.patch @@ -0,0 +1,101 @@ +From: Florian Westphal <fw@strlen.de> +Date: Wed, 6 Dec 2017 16:18:16 +0100 +Subject: [PATCH] netfilter: meta: secpath support + +replacement for iptables "-m policy --dir in --policy {ipsec,none}". + +Signed-off-by: Florian Westphal <fw@strlen.de> +Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> +--- + +--- a/include/uapi/linux/netfilter/nf_tables.h ++++ b/include/uapi/linux/netfilter/nf_tables.h +@@ -777,6 +777,7 @@ enum nft_exthdr_attributes { + * @NFT_META_OIFGROUP: packet output interface group + * @NFT_META_CGROUP: socket control group (skb->sk->sk_classid) + * @NFT_META_PRANDOM: a 32bit pseudo-random number ++ * @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp) + */ + enum nft_meta_keys { + NFT_META_LEN, +@@ -804,6 +805,7 @@ enum nft_meta_keys { + NFT_META_OIFGROUP, + NFT_META_CGROUP, + NFT_META_PRANDOM, ++ NFT_META_SECPATH, + }; + + /** +--- a/net/netfilter/nft_meta.c ++++ b/net/netfilter/nft_meta.c +@@ -210,6 +210,11 @@ void nft_meta_get_eval(const struct nft_ + *dest = prandom_u32_state(state); + break; + } ++#ifdef CONFIG_XFRM ++ case NFT_META_SECPATH: ++ nft_reg_store8(dest, !!skb->sp); ++ break; ++#endif + default: + WARN_ON(1); + goto err; +@@ -308,6 +313,11 @@ int nft_meta_get_init(const struct nft_c + prandom_init_once(&nft_prandom_state); + len = sizeof(u32); + break; ++#ifdef CONFIG_XFRM ++ case NFT_META_SECPATH: ++ len = sizeof(u8); ++ break; ++#endif + default: + return -EOPNOTSUPP; + } +@@ -318,6 +328,38 @@ int nft_meta_get_init(const struct nft_c + } + EXPORT_SYMBOL_GPL(nft_meta_get_init); + ++static int nft_meta_get_validate(const struct nft_ctx *ctx, ++ const struct nft_expr *expr, ++ const struct nft_data **data) ++{ ++#ifdef CONFIG_XFRM ++ const struct nft_meta *priv = nft_expr_priv(expr); ++ unsigned int hooks; ++ ++ if (priv->key != NFT_META_SECPATH) ++ return 0; ++ ++ switch (ctx->afi->family) { ++ case NFPROTO_NETDEV: ++ hooks = 1 << NF_NETDEV_INGRESS; ++ break; ++ case NFPROTO_IPV4: ++ case NFPROTO_IPV6: ++ case NFPROTO_INET: ++ hooks = (1 << NF_INET_PRE_ROUTING) | ++ (1 << NF_INET_LOCAL_IN) | ++ (1 << NF_INET_FORWARD); ++ break; ++ default: ++ return -EOPNOTSUPP; ++ } ++ ++ return nft_chain_validate_hooks(ctx->chain, hooks); ++#else ++ return 0; ++#endif ++} ++ + int nft_meta_set_validate(const struct nft_ctx *ctx, + const struct nft_expr *expr, + const struct nft_data **data) +@@ -434,6 +476,7 @@ static const struct nft_expr_ops nft_met + .eval = nft_meta_get_eval, + .init = nft_meta_get_init, + .dump = nft_meta_get_dump, ++ .validate = nft_meta_get_validate, + }; + + static const struct nft_expr_ops nft_meta_set_ops = { |