From f9dcdc7fefcab5ec9b15b0f3c87dfebef37ecaa3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= Date: Tue, 8 May 2018 09:40:43 +0200 Subject: kernel: mark source kernel for netfilter backports MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This helps keeping track on patches & adding new kernels in the future. Signed-off-by: Rafał Miłecki --- .../314-v4.16-netfilter-meta-secpath-support.patch | 101 +++++++++++++++++++++ 1 file changed, 101 insertions(+) create mode 100644 target/linux/generic/backport-4.14/314-v4.16-netfilter-meta-secpath-support.patch (limited to 'target/linux/generic/backport-4.14/314-v4.16-netfilter-meta-secpath-support.patch') diff --git a/target/linux/generic/backport-4.14/314-v4.16-netfilter-meta-secpath-support.patch b/target/linux/generic/backport-4.14/314-v4.16-netfilter-meta-secpath-support.patch new file mode 100644 index 0000000000..d755c17fc3 --- /dev/null +++ b/target/linux/generic/backport-4.14/314-v4.16-netfilter-meta-secpath-support.patch @@ -0,0 +1,101 @@ +From: Florian Westphal +Date: Wed, 6 Dec 2017 16:18:16 +0100 +Subject: [PATCH] netfilter: meta: secpath support + +replacement for iptables "-m policy --dir in --policy {ipsec,none}". + +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +--- + +--- a/include/uapi/linux/netfilter/nf_tables.h ++++ b/include/uapi/linux/netfilter/nf_tables.h +@@ -777,6 +777,7 @@ enum nft_exthdr_attributes { + * @NFT_META_OIFGROUP: packet output interface group + * @NFT_META_CGROUP: socket control group (skb->sk->sk_classid) + * @NFT_META_PRANDOM: a 32bit pseudo-random number ++ * @NFT_META_SECPATH: boolean, secpath_exists (!!skb->sp) + */ + enum nft_meta_keys { + NFT_META_LEN, +@@ -804,6 +805,7 @@ enum nft_meta_keys { + NFT_META_OIFGROUP, + NFT_META_CGROUP, + NFT_META_PRANDOM, ++ NFT_META_SECPATH, + }; + + /** +--- a/net/netfilter/nft_meta.c ++++ b/net/netfilter/nft_meta.c +@@ -210,6 +210,11 @@ void nft_meta_get_eval(const struct nft_ + *dest = prandom_u32_state(state); + break; + } ++#ifdef CONFIG_XFRM ++ case NFT_META_SECPATH: ++ nft_reg_store8(dest, !!skb->sp); ++ break; ++#endif + default: + WARN_ON(1); + goto err; +@@ -308,6 +313,11 @@ int nft_meta_get_init(const struct nft_c + prandom_init_once(&nft_prandom_state); + len = sizeof(u32); + break; ++#ifdef CONFIG_XFRM ++ case NFT_META_SECPATH: ++ len = sizeof(u8); ++ break; ++#endif + default: + return -EOPNOTSUPP; + } +@@ -318,6 +328,38 @@ int nft_meta_get_init(const struct nft_c + } + EXPORT_SYMBOL_GPL(nft_meta_get_init); + ++static int nft_meta_get_validate(const struct nft_ctx *ctx, ++ const struct nft_expr *expr, ++ const struct nft_data **data) ++{ ++#ifdef CONFIG_XFRM ++ const struct nft_meta *priv = nft_expr_priv(expr); ++ unsigned int hooks; ++ ++ if (priv->key != NFT_META_SECPATH) ++ return 0; ++ ++ switch (ctx->afi->family) { ++ case NFPROTO_NETDEV: ++ hooks = 1 << NF_NETDEV_INGRESS; ++ break; ++ case NFPROTO_IPV4: ++ case NFPROTO_IPV6: ++ case NFPROTO_INET: ++ hooks = (1 << NF_INET_PRE_ROUTING) | ++ (1 << NF_INET_LOCAL_IN) | ++ (1 << NF_INET_FORWARD); ++ break; ++ default: ++ return -EOPNOTSUPP; ++ } ++ ++ return nft_chain_validate_hooks(ctx->chain, hooks); ++#else ++ return 0; ++#endif ++} ++ + int nft_meta_set_validate(const struct nft_ctx *ctx, + const struct nft_expr *expr, + const struct nft_data **data) +@@ -434,6 +476,7 @@ static const struct nft_expr_ops nft_met + .eval = nft_meta_get_eval, + .init = nft_meta_get_init, + .dump = nft_meta_get_dump, ++ .validate = nft_meta_get_validate, + }; + + static const struct nft_expr_ops nft_meta_set_ops = { -- cgit v1.2.3