A few comments on top of Florian's.
On Wed, Jun 20, 2018 at 12:41:29PM +0200, Máté Eckl wrote:
[...]
> +#if IS_ENABLED(CONFIG_NF_TPROXY_IPV6)
> +static void nft_tproxy_eval_v6(const struct nft_expr *expr,
> + struct nft_regs *regs,
> + const struct nft_pktinfo *pkt)
Hm, better place IPv6 code in net/netfilter/nft_tproxy_ipv6.c ?
@Florian, do you prefer this monolithic style maybe?
I mean, I'll be fine either way.
[...]
> +static int nft_tproxy_init(const struct nft_ctx *ctx,
> + const struct nft_expr *expr,
> + const struct nlattr * const tb[])
> +{
I'm missing nf_defrag_ipv6_enable() calls from your _init() path.
> + struct nft_tproxy *priv = nft_expr_priv(expr);
> + unsigned int alen = 0, plen = 0;
> + int err;
> +
> + if (!tb[NFTA_TPROXY_FAMILY])
> + return -EINVAL;
> +
> + switch(ctx->family) {
> + case NFPROTO_IPV4:
> +#if IS_ENABLED(CONFIG_NF_TPROXY_IPV6)
> + case NFPROTO_IPV6:
> +#endif
> + case NFPROTO_INET:
> + break;
> + default:
> + return -EOPNOTSUPP;
> + }
> +
> + priv->family = ntohl(nla_get_be32(tb[NFTA_TPROXY_FAMILY]));
> + if ((priv->family == NFPROTO_IPV4 && ctx->family == NFPROTO_IPV6) ||
> + (priv->family == NFPROTO_IPV6 && ctx->family == NFPROTO_IPV4))
> + return -EINVAL;
> +
> + switch (priv->family) {
> + case NFPROTO_IPV4:
> + alen = FIELD_SIZEOF(union nf_inet_addr, in);
> + break;
> +#if IS_ENABLED(CONFIG_NF_TPROXY_IPV6)
> + case NFPROTO_IPV6:
> + alen = FIELD_SIZEOF(union nf_inet_addr, in6);
> + break;
> +#endif
> + case NFPROTO_INET:
> + /* No address is specified here */
> + break;
> + default:
> + return -EOPNOTSUPP;
> + }
> +
> + if (tb[NFTA_TPROXY_REG_ADDR]) {
> + priv->sreg_addr = nft_parse_register(tb[NFTA_TPROXY_REG_ADDR]);
> + err = nft_validate_register_load(priv->sreg_addr, alen);
> + if (err < 0)
> + return err;
> + }
> +
> + plen = sizeof(u16);
> + if (tb[NFTA_TPROXY_REG_PORT]) {
> + priv->sreg_port = nft_parse_register(tb[NFTA_TPROXY_REG_PORT]);
> + err = nft_validate_register_load(priv->sreg_port, plen);
> + if (err < 0)
> + return err;
> + }
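Review bot: The family check after `priv->family` is read only rejects the IPv4/IPv6 cross pairing, so a rule in an ip or ip6 table that supplies NFTA_TPROXY_FAMILY = NFPROTO_INET passes it and the second switch as well. Since the first switch has already limited ctx->family to IPv4, IPv6 or inet, the condition could be `if (ctx->family != NFPROTO_INET && priv->family != ctx->family) return -EINVAL;`, so that a single-family table accepts only its own family. In the NFPROTO_INET case alen stays 0, so a supplied NFTA_TPROXY_REG_ADDR is refused only if nft_validate_register_load() rejects a zero length, which is not visible here; an explicit `-EINVAL` for that combination would not depend on the helper. nft_tproxy_init's body continues outside the quoted lines.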
How does this work if neither address nor port are set?