From: "Toke Høiland-Jørgensen" <toke@toke.dk>
To: netdev@vger.kernel.org, cake@lists.bufferbloat.net
Cc: netfilter-devel@vger.kernel.org
Subject: [Cake] [PATCH net-next v16 4/8] netfilter: Add nf_ct_get_tuple_skb callback
Date: Mon, 28 May 2018 16:27:46 +0200 [thread overview]
Message-ID: <152751766686.30935.14644567905547700823.stgit@alrua-kau> (raw)
In-Reply-To: <152751762093.30935.15398977119837536494.stgit@alrua-kau>
This adds a callback to netfilter to extract a conntrack tuple from an skb
that works before the _nfct skb field has been initialised (e.g., in an
ingress qdisc). The tuple is copied to the caller to avoid issues with
reference counting.
The callback will return false when conntrack is not loaded, allowing it to
be accessed without incurring a module dependency on conntrack. This is
used by the NAT mode in sch_cake.
Cc: netfilter-devel@vger.kernel.org
Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk>
---
include/linux/netfilter.h | 6 ++++++
net/netfilter/core.c | 21 +++++++++++++++++++++
net/netfilter/nf_conntrack_core.c | 37 +++++++++++++++++++++++++++++++++++++
3 files changed, 64 insertions(+)
diff --git a/include/linux/netfilter.h b/include/linux/netfilter.h
index 85a1a0b32c66..7cbe7e9ce527 100644
--- a/include/linux/netfilter.h
+++ b/include/linux/netfilter.h
@@ -375,6 +375,12 @@ nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, u_int8_t family)
extern void (*ip_ct_attach)(struct sk_buff *, const struct sk_buff *) __rcu;
void nf_ct_attach(struct sk_buff *, const struct sk_buff *);
extern void (*nf_ct_destroy)(struct nf_conntrack *) __rcu;
+
+struct nf_conntrack_tuple;
+extern bool (*skb_ct_get_tuple)(struct nf_conntrack_tuple *,
+ const struct sk_buff *) __rcu;
+bool nf_ct_get_tuple_skb(struct nf_conntrack_tuple *dst_tuple,
+ const struct sk_buff *skb);
#else
static inline void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb) {}
#endif
diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 0f6b8172fb9a..520565198f0e 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -572,6 +572,27 @@ void nf_conntrack_destroy(struct nf_conntrack *nfct)
}
EXPORT_SYMBOL(nf_conntrack_destroy);
+bool (*skb_ct_get_tuple)(struct nf_conntrack_tuple *,
+ const struct sk_buff *) __rcu __read_mostly;
+EXPORT_SYMBOL(skb_ct_get_tuple);
+
+bool nf_ct_get_tuple_skb(struct nf_conntrack_tuple *dst_tuple,
+ const struct sk_buff *skb)
+{
+ bool (*get_tuple)(const struct sk_buff *, struct nf_conntrack_tuple *);
+ bool ret = false;
+
+ rcu_read_lock();
+ get_tuple = rcu_dereference(skb_ct_get_tuple);
+ if (!get_tuple)
+ goto out;
+ ret = get_tuple(dst_tuple, skb);
+out:
+ rcu_read_unlock();
+ return ret;
+}
+EXPORT_SYMBOL(nf_ct_get_tuple_skb);
+
/* Built-in default zone used e.g. by modules. */
const struct nf_conntrack_zone nf_ct_zone_dflt = {
.id = NF_CT_DEFAULT_ZONE_ID,
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 41ff04ee2554..eee5c76f638c 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1611,6 +1611,41 @@ static void nf_conntrack_attach(struct sk_buff *nskb, const struct sk_buff *skb)
nf_conntrack_get(skb_nfct(nskb));
}
+static bool nf_conntrack_get_tuple_skb(struct nf_conntrack_tuple *dst_tuple,
+ const struct sk_buff *skb)
+{
+ const struct nf_conntrack_tuple *src_tuple;
+ const struct nf_conntrack_tuple_hash *hash;
+ struct nf_conntrack_tuple srctuple;
+ enum ip_conntrack_info ctinfo;
+ struct nf_conn *ct;
+
+ ct = nf_ct_get(skb, &ctinfo);
+ if (ct) {
+ src_tuple = nf_ct_tuple(ct, CTINFO2DIR(ctinfo));
+ memcpy(dst_tuple, src_tuple, sizeof(*dst_tuple));
+ return true;
+ }
+
+ if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb),
+ NFPROTO_IPV4, dev_net(skb->dev),
+ &srctuple))
+ return false;
+
+ hash = nf_conntrack_find_get(dev_net(skb->dev),
+ &nf_ct_zone_dflt,
+ &srctuple);
+ if (!hash)
+ return false;
+
+ ct = nf_ct_tuplehash_to_ctrack(hash);
+ src_tuple = nf_ct_tuple(ct, !hash->tuple.dst.dir);
+ memcpy(dst_tuple, src_tuple, sizeof(*dst_tuple));
+ nf_ct_put(ct);
+
+ return true;
+}
+
/* Bring out ya dead! */
static struct nf_conn *
get_next_corpse(int (*iter)(struct nf_conn *i, void *data),
@@ -1808,6 +1843,7 @@ void nf_conntrack_cleanup_start(void)
{
conntrack_gc_work.exiting = true;
RCU_INIT_POINTER(ip_ct_attach, NULL);
+ RCU_INIT_POINTER(skb_ct_get_tuple, NULL);
}
void nf_conntrack_cleanup_end(void)
@@ -2135,6 +2171,7 @@ void nf_conntrack_init_end(void)
/* For use by REJECT target */
RCU_INIT_POINTER(ip_ct_attach, nf_conntrack_attach);
RCU_INIT_POINTER(nf_ct_destroy, destroy_conntrack);
+ RCU_INIT_POINTER(skb_ct_get_tuple, nf_conntrack_get_tuple_skb);
}
/*
next prev parent reply other threads:[~2018-05-28 14:27 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-05-28 14:27 [Cake] [PATCH net-next v16 0/8] sched: Add Common Applications Kept Enhanced (cake) qdisc Toke Høiland-Jørgensen
2018-05-28 14:27 ` Toke Høiland-Jørgensen [this message]
2018-05-28 19:49 ` [Cake] [PATCH net-next v16 4/8] netfilter: Add nf_ct_get_tuple_skb callback Pablo Neira Ayuso
2018-05-28 21:28 ` Toke Høiland-Jørgensen
2018-05-30 6:11 ` kbuild test robot
2018-05-30 8:33 ` kbuild test robot
2018-05-28 14:27 ` [Cake] [PATCH net-next v16 6/8] sch_cake: Add DiffServ handling Toke Høiland-Jørgensen
2018-05-28 14:27 ` [Cake] [PATCH net-next v16 5/8] sch_cake: Add NAT awareness to packet classifier Toke Høiland-Jørgensen
2018-05-28 19:51 ` Pablo Neira Ayuso
2018-05-28 22:19 ` Toke Høiland-Jørgensen
2018-05-28 14:27 ` [Cake] [PATCH net-next v16 1/8] sched: Add Common Applications Kept Enhanced (cake) qdisc Toke Høiland-Jørgensen
2018-05-28 14:27 ` [Cake] [PATCH net-next v16 3/8] sch_cake: Add optional ACK filter Toke Høiland-Jørgensen
2018-05-28 14:27 ` [Cake] [PATCH net-next v16 2/8] sch_cake: Add ingress mode Toke Høiland-Jørgensen
2018-05-28 14:27 ` [Cake] [PATCH net-next v16 7/8] sch_cake: Add overhead compensation support to the rate shaper Toke Høiland-Jørgensen
2018-05-28 14:27 ` [Cake] [PATCH net-next v16 8/8] sch_cake: Conditionally split GSO segments Toke Høiland-Jørgensen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://lists.bufferbloat.net/postorius/lists/cake.lists.bufferbloat.net/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=152751766686.30935.14644567905547700823.stgit@alrua-kau \
--to=toke@toke.dk \
--cc=cake@lists.bufferbloat.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox