From: Ahmed Abdelsalam
To: pablo@netfilter.org, fw@strlen.de, davem@davemloft.net, dav.lebrun@gmail.com, linux-kernel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org
Cc: Ahmed Abdelsalam
Subject: [nf-next] netfilter: extend SRH match to support matching previous, next and last SID
Date: Mon, 23 Apr 2018 05:48:22 -0500
Message-Id: <1524480503-1883-2-git-send-email-amsalam20@gmail.com>
In-Reply-To: <1524480503-1883-1-git-send-email-amsalam20@gmail.com>
References: <1524480503-1883-1-git-send-email-amsalam20@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

IPv6 Segment Routing Header (SRH) contains a list of SIDs to be crossed by an SR encapsulated packet. Each SID is encoded as an IPv6 prefix.

When a firewall receives an SR encapsulated packet, it should be able to identify which node previously processed the packet (previous SID), which node is going to process the packet next (next SID), and which node is the last to process the packet (last SID), which represents the final destination of the packet in case of inline SR mode.

An example use-case of using these features could be a SID list that includes two firewalls. When the second firewall receives a packet, it can check whether the packet has been processed by the first firewall or not. Based on that check, it decides to apply all rules, apply just a subset of the rules, or totally skip all rules and forward the packet to the next SID.

This patch extends SRH match to support matching previous SID, next SID, and last SID.

Signed-off-by: Ahmed Abdelsalam
---
 include/uapi/linux/netfilter_ipv6/ip6t_srh.h | 22 +++++++++++++--
 net/ipv6/netfilter/ip6t_srh.c                | 41 +++++++++++++++++++++++++++-
 2 files changed, 60 insertions(+), 3 deletions(-)

diff --git a/include/uapi/linux/netfilter_ipv6/ip6t_srh.h b/include/uapi/linux/netfilter_ipv6/ip6t_srh.h
index f3cc0ef..9808382 100644
--- a/include/uapi/linux/netfilter_ipv6/ip6t_srh.h +++ b/include/uapi/linux/netfilter_ipv6/ip6t_srh.h @@ -17,7 +17,10 @@ #define IP6T_SRH_LAST_GT 0x0100 #define IP6T_SRH_LAST_LT 0x0200 #define IP6T_SRH_TAG 0x0400 -#define IP6T_SRH_MASK 0x07FF +#define IP6T_SRH_PSID 0x0800 +#define IP6T_SRH_NSID 0x1000 +#define IP6T_SRH_LSID 0x2000 +#define IP6T_SRH_MASK 0x3FFF /* Values for "mt_invflags" field in struct ip6t_srh */ #define IP6T_SRH_INV_NEXTHDR 0x0001 @@ -31,7 +34,10 @@ #define IP6T_SRH_INV_LAST_GT 0x0100 #define IP6T_SRH_INV_LAST_LT 0x0200 #define IP6T_SRH_INV_TAG 0x0400 -#define IP6T_SRH_INV_MASK 0x07FF +#define IP6T_SRH_INV_PSID 0x0800 +#define IP6T_SRH_INV_NSID 0x1000 +#define IP6T_SRH_INV_LSID 0x2000 +#define IP6T_SRH_INV_MASK 0x3FFF /** * struct ip6t_srh - SRH match options @@ -40,6 +46,12 @@ * @ segs_left: Segments left field of SRH * @ last_entry: Last entry field of SRH * @ tag: Tag field of SRH + * @ psid_addr: Address of previous SID in SRH SID list + * @ nsid_addr: Address of NEXT SID in SRH SID list + * @ lsid_addr: Address of LAST SID in SRH SID list + * @ psid_msk: Mask of previous SID in SRH SID list + * @ nsid_msk: Mask of next SID in SRH SID list + * @ lsid_msk: MAsk of last SID in SRH SID list * @ mt_flags: match options * @ mt_invflags: Invert the sense of match options */ @@ -50,6 +62,12 @@ struct ip6t_srh { __u8 segs_left; __u8 last_entry; __u16 tag; + struct in6_addr psid_addr; + struct in6_addr nsid_addr; + struct in6_addr lsid_addr; + struct in6_addr psid_msk; + struct in6_addr nsid_msk; + struct in6_addr lsid_msk; __u16 mt_flags; __u16 mt_invflags; }; diff --git a/net/ipv6/netfilter/ip6t_srh.c b/net/ipv6/netfilter/ip6t_srh.c index 33719d5..2b5cc73 100644 --- a/net/ipv6/netfilter/ip6t_srh.c +++ b/net/ipv6/netfilter/ip6t_srh.c 
@@ -30,7 +30,9 @@ static bool srh_mt6(const struct sk_buff *skb, struct xt_action_param *par) const struct ip6t_srh *srhinfo = par->matchinfo; struct ipv6_sr_hdr *srh; struct ipv6_sr_hdr _srh; - int hdrlen, srhoff = 0; + int hdrlen, psidoff, nsidoff, lsidoff, srhoff = 0; + struct in6_addr *psid, *nsid, *lsid; + struct in6_addr _psid, _nsid, _lsid; if (ipv6_find_hdr(skb, &srhoff, IPPROTO_ROUTING, NULL, NULL) < 0) return false; @@ -114,6 +116,43 @@ static bool srh_mt6(const struct sk_buff *skb, struct xt_action_param *par) if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_TAG, !(srh->tag == srhinfo->tag))) return false; + + /* Previous SID matching */ + if (srhinfo->mt_flags & IP6T_SRH_PSID) { + if (srh->segments_left == srh->first_segment) + return false; + psidoff = srhoff + sizeof(struct ipv6_sr_hdr) + + ((srh->segments_left + 1) * sizeof(struct in6_addr)); + psid = skb_header_pointer(skb, psidoff, sizeof(_psid), &_psid); + if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_PSID, + ipv6_masked_addr_cmp(psid, &srhinfo->psid_msk, + &srhinfo->psid_addr))) + return false; + } + + /* Next SID matching */ + if (srhinfo->mt_flags & IP6T_SRH_NSID) { + if (srh->segments_left == 0) + return false; + nsidoff = srhoff + sizeof(struct ipv6_sr_hdr) + + ((srh->segments_left - 1) * sizeof(struct in6_addr)); + nsid = skb_header_pointer(skb, nsidoff, sizeof(_nsid), &_nsid); + if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_NSID, + ipv6_masked_addr_cmp(nsid, &srhinfo->nsid_msk, + &srhinfo->nsid_addr))) + return false; + } + + /* Last SID matching */ + if (srhinfo->mt_flags & IP6T_SRH_LSID) { + lsidoff = srhoff + sizeof(struct ipv6_sr_hdr); + lsid = skb_header_pointer(skb, lsidoff, sizeof(_lsid), &_lsid); + if (NF_SRH_INVF(srhinfo, IP6T_SRH_INV_LSID, + ipv6_masked_addr_cmp(lsid, &srhinfo->lsid_msk, + &srhinfo->lsid_addr))) + return false; + } + return true; } -- 2.1.4
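Review bot: in the struct ip6t_srh hunk of ip6t_srh.h, adding six struct in6_addr fields to a uapi struct changes sizeof(struct ip6t_srh), so the match's matchsize and the userspace iptables extension for srh have to change in lockstep; the commit message should say whether an extension built against the old struct is expected to be rejected on size mismatch or to keep working. The kernel-doc comment in the same hunk also reads "MAsk of last SID" and mixes "NEXT"/"LAST" with "previous"; suggest lowercase throughout, e.g. `@ nsid_addr: Address of next SID in SRH SID list`, `@ lsid_addr: Address of last SID in SRH SID list`, `@ lsid_msk: Mask of last SID in SRH SID list`.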
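Review bot: in the declarations hunk of srh_mt6(), `psid`, `nsid` and `lsid` are only read and handed to ipv6_masked_addr_cmp(), which takes const pointers, so declaring them `const struct in6_addr *psid, *nsid, *lsid;` would document that the match never writes through them.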
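Review bot: in the matching hunk of srh_mt6(), the three skb_header_pointer() results are passed straight to ipv6_masked_addr_cmp() without the NULL check the function applies to its own `srh` lookup; skb_header_pointer() returns NULL when the requested bytes are not present in the skb, so add `if (!psid) return false;` after the psid lookup and the same for nsid and lsid. The previous-SID offset at segments_left + 1 only stays inside the SID list if segments_left > first_segment has already been rejected earlier in the function, which deserves a comment at the `segments_left == first_segment` test. The indices also assume the rule is evaluated before the SR endpoint decrements segments_left (List[segments_left] is this node); after that decrement, the "previous SID" computed here is this node itself, so the header comment should state which hook or processing state psid/nsid are defined against. Finally, the early `return false` for a packet that has no previous or next SID is taken even when IP6T_SRH_INV_PSID or IP6T_SRH_INV_NSID is set, so an inverted psid rule can never match a first-hop packet; say whether that is intended.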
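The previous/next/last SID lookup the commit message describes, as an added stand-alone user-space model that is not part of the patch or of the kernel: it reproduces the patch's index arithmetic over a constructed SRH byte buffer and returns NULL wherever the kernel match returns false (the names `srh_sid` and `sample_sid_tail`, and the sample path fc00::1 -> fc00::2 -> fc00::3, are assumptions).

```c
#include <stdint.h>
#include <stddef.h>

/* SRH layout (RFC 8754): 8 fixed bytes, then (first_segment + 1) SIDs of 16
 * bytes. List[0] is the LAST hop, List[first_segment] the FIRST, and
 * segments_left indexes the SID being processed at this node. */
#define SRH_SEGS_LEFT 3
#define SRH_FIRST_SEG 4
#define SRH_FIXED_LEN 8
#define SID_LEN       16
enum sid_which { SID_PREV, SID_NEXT, SID_LAST };

/* Same index arithmetic as the patch: previous = segments_left + 1, next =
 * segments_left - 1, last = 0. NULL means "no such SID": the first hop has
 * no previous SID, the last hop has no next SID, and a header whose
 * segments_left exceeds first_segment or whose buffer is shorter than its
 * SID list is rejected instead of being read past its end. */
const uint8_t *srh_sid(const uint8_t *srh, size_t len, enum sid_which w)
{
    uint8_t sl, fs;
    size_t idx;
    if (len < SRH_FIXED_LEN) return NULL;
    sl = srh[SRH_SEGS_LEFT];
    fs = srh[SRH_FIRST_SEG];
    if (sl > fs || len < SRH_FIXED_LEN + ((size_t)fs + 1) * SID_LEN)
        return NULL;
    if (w == SID_PREV) {
        if (sl == fs) return NULL;
        idx = (size_t)sl + 1;
    } else if (w == SID_NEXT) {
        if (sl == 0) return NULL;
        idx = (size_t)sl - 1;
    } else {
        idx = 0;
    }
    return srh + SRH_FIXED_LEN + idx * SID_LEN;
}

/* Constructed sample (assumption): path fc00::1 -> fc00::2 (the firewall)
 * -> fc00::3 stored in reverse order. Returns the last address byte of the
 * requested SID for a given segments_left, or -1 when it does not exist. */
int sample_sid_tail(uint8_t segs_left, enum sid_which w)
{
    uint8_t buf[SRH_FIXED_LEN + 3 * SID_LEN] = { 59, 6, 4, 0, 2 };
    buf[SRH_SEGS_LEFT] = segs_left;
    for (int i = 0; i < 3; i++) {                 /* List[i] = fc00::(3 - i) */
        buf[SRH_FIXED_LEN + i * SID_LEN] = 0xfc;
        buf[SRH_FIXED_LEN + i * SID_LEN + 15] = (uint8_t)(3 - i);
    }
    const uint8_t *sid = srh_sid(buf, sizeof buf, w);
    return sid ? sid[15] : -1;
}
```

With segments_left = 1 the packet sits at fc00::2, so the previous SID is fc00::1, the next and last SIDs are both fc00::3, and segments_left = 2 (first hop) yields no previous SID.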