On Thu, Jul 12, 2018 at 12:34:14PM +0200, Fernando Fernandez Mancera wrote:
> Added _ADD and _REMOVE commands to nf_tables_api.c in order to use the
> nf_tables interface to add 'osf' signatures in nft.
> 
> Signed-off-by: Fernando Fernandez Mancera <ffmanc...@riseup.net>
> ---
>  include/net/netfilter/nf_tables_core.h   |   2 +
>  include/uapi/linux/netfilter/nf_osf.h    |   8 ++
>  include/uapi/linux/netfilter/nf_tables.h |  14 +++
>  include/uapi/linux/netfilter/xt_osf.h    |   7 +-
>  net/netfilter/nf_tables_api.c            | 110 +++++++++++++++++++++++
>  net/netfilter/nft_osf.c                  |   1 +
>  6 files changed, 136 insertions(+), 6 deletions(-)
> 
> diff --git a/include/net/netfilter/nf_tables_core.h 
> b/include/net/netfilter/nf_tables_core.h
> index e0c0c2558ec4..ee7eabc8d3e1 100644
> --- a/include/net/netfilter/nf_tables_core.h
> +++ b/include/net/netfilter/nf_tables_core.h
> @@ -65,4 +65,6 @@ extern const struct nft_expr_ops nft_payload_fast_ops;
>  extern struct static_key_false nft_counters_enabled;
>  extern struct static_key_false nft_trace_enabled;
>  
> +extern struct list_head nft_osf_fingers[2];
> +
>  #endif /* _NET_NF_TABLES_CORE_H */
> diff --git a/include/uapi/linux/netfilter/nf_osf.h 
> b/include/uapi/linux/netfilter/nf_osf.h
> index 79882b2f7f8e..35352c1cd994 100644
> --- a/include/uapi/linux/netfilter/nf_osf.h
> +++ b/include/uapi/linux/netfilter/nf_osf.h
> @@ -2,6 +2,8 @@
>  #define _NF_OSF_H
>  
>  #include <linux/types.h>
> +#include <linux/ip.h>
> +#include <linux/tcp.h>
>  
>  #define MAXGENRELEN  32
>  
> @@ -90,4 +92,10 @@ enum iana_options {
>       OSFOPT_EMPTY = 255,
>  };
>  
> +enum nf_osf_attr_type {
> +     OSF_ATTR_UNSPEC,
> +     OSF_ATTR_FINGER,
> +     OSF_ATTR_MAX,
> +};
> +
>  #endif /* _NF_OSF_H */
> diff --git a/include/uapi/linux/netfilter/nf_tables.h 
> b/include/uapi/linux/netfilter/nf_tables.h
> index c9bf74b94f37..beffa2010b20 100644
> --- a/include/uapi/linux/netfilter/nf_tables.h
> +++ b/include/uapi/linux/netfilter/nf_tables.h
> @@ -9,6 +9,8 @@
>  #define NFT_OBJ_MAXNAMELEN   NFT_NAME_MAXLEN
>  #define NFT_USERDATA_MAXLEN  256
>  
> +#define OSF_GENRE_SIZE               32
> +
>  /**
>   * enum nft_registers - nf_tables registers
>   *
> @@ -122,6 +124,8 @@ enum nf_tables_msg_types {
>       NFT_MSG_NEWFLOWTABLE,
>       NFT_MSG_GETFLOWTABLE,
>       NFT_MSG_DELFLOWTABLE,
> +     NFT_MSG_NEWOSF,
> +     NFT_MSG_DELOSF,
>       NFT_MSG_MAX,
>  };
>  
> @@ -1461,6 +1465,16 @@ enum nft_flowtable_hook_attributes {
>  };
>  #define NFTA_FLOWTABLE_HOOK_MAX      (__NFTA_FLOWTABLE_HOOK_MAX - 1)
>  
> +enum nft_osf_attributes {
> +     NFTA_OSF_UNSPEC,
> +     NFTA_OSF_GENRE,
> +     NFTA_OSF_FLAGS,
> +     NFTA_OSF_LOGLEVEL,
> +     NFTA_OSF_TTL,
> +     __NFTA_OSF_MAX,
> +};
> +#define NFTA_OSF_MAX (__NFTA_OSF_MAX - 1)
> +
>  /**
>   * enum nft_device_attributes - nf_tables device netlink attributes
>   *
> diff --git a/include/uapi/linux/netfilter/xt_osf.h 
> b/include/uapi/linux/netfilter/xt_osf.h
> index 2f5d4e6d0434..b7c0f93fe9d4 100644
> --- a/include/uapi/linux/netfilter/xt_osf.h
> +++ b/include/uapi/linux/netfilter/xt_osf.h
> @@ -51,6 +51,7 @@
>  #define xt_osf_finger                nf_osf_finger
>  #define xt_osf_nlmsg         nf_osf_nlmsg
>  
> +#define xt_osf_attr_type     nf_osf_attr_type
>  /*
>   * Add/remove fingerprint from the kernel.
>   */
> @@ -60,10 +61,4 @@ enum xt_osf_msg_types {
>       OSF_MSG_MAX,
>  };
>  
> -enum xt_osf_attr_type {
> -     OSF_ATTR_UNSPEC,
> -     OSF_ATTR_FINGER,
> -     OSF_ATTR_MAX,
> -};
> -
>  #endif                               /* _XT_OSF_H */
> diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
> index ca4c4d994ddb..1783d8ef658c 100644
> --- a/net/netfilter/nf_tables_api.c
> +++ b/net/netfilter/nf_tables_api.c
> @@ -17,6 +17,7 @@
>  #include <linux/netfilter.h>
>  #include <linux/netfilter/nfnetlink.h>
>  #include <linux/netfilter/nf_tables.h>
> +#include <linux/netfilter/nf_osf.h>
>  #include <net/netfilter/nf_flow_table.h>
>  #include <net/netfilter/nf_tables_core.h>
>  #include <net/netfilter/nf_tables.h>
> @@ -26,6 +27,7 @@
>  static LIST_HEAD(nf_tables_expressions);
>  static LIST_HEAD(nf_tables_objects);
>  static LIST_HEAD(nf_tables_flowtables);
> +

Por favor, evita este ruido en los parche.

>  static u64 table_handle;
>  
>  enum {
> @@ -5851,6 +5853,8 @@ static int nf_tables_flowtable_event(struct 
> notifier_block *this,
>       return NOTIFY_DONE;
>  }
>  
> +
> +

Estas dos líneas nuevas es también ruido, no pertenecen a este
problema.

>  static struct notifier_block nf_tables_flowtable_notifier = {
>       .notifier_call  = nf_tables_flowtable_event,
>  };
> @@ -5908,6 +5912,102 @@ static int nf_tables_getgen(struct net *net, struct 
> sock *nlsk,
>       return err;
>  }
>  
> +struct list_head nft_osf_fingers[2];
> +EXPORT_SYMBOL_GPL(nft_osf_fingers);
> +
> +static int nf_tables_newosf(struct net *net, struct sock *ctnl,
> +                         struct sk_buff *skb, const struct nlmsghdr *nlh,
> +                         const struct nlattr * const osf_attrs[],
> +                         struct netlink_ext_ack *extack)
> +{
> +     struct nf_osf_user_finger *f;
> +     struct nf_osf_finger *kf = NULL, *sf;
> +     int err = 0;
> +     int i = 0;
> +
> +     if (!capable(CAP_NET_ADMIN))
> +             return -EPERM;
> +     if (!osf_attrs[OSF_ATTR_FINGER])
> +             return -EINVAL;
> +
> +     if (!(nlh->nlmsg_flags & NLM_F_CREATE))
> +             return -EINVAL;
> +
> +     f = nla_data(osf_attrs[OSF_ATTR_FINGER]);
> +
> +     kf = kmalloc(sizeof(struct nf_osf_finger), GFP_KERNEL);
> +     if (!kf)
> +             return -ENOMEM;
> +
> +     for (i = 0; i < ARRAY_SIZE(nft_osf_fingers); ++i)
> +             INIT_LIST_HEAD(&nft_osf_fingers[i]);
> +
> +     memcpy(&kf->finger, f, sizeof(struct nf_osf_user_finger));
> +
> +     list_for_each_entry(sf, &nft_osf_fingers[!!f->df], finger_entry) {
> +             if (memcmp(&sf->finger, f, sizeof(struct nf_osf_user_finger)))
> +                     continue;
> +
> +             kfree(kf);
> +             kf = NULL;
> +
> +             if (nlh->nlmsg_flags & NLM_F_EXCL)
> +                     err = -EEXIST;
> +             break;
> +     }
> +
> +     /*
> +      * We are protected by nfnl mutex.
> +      */
> +     if (kf)
> +             list_add_tail_rcu(&kf->finger_entry, &nft_osf_fingers[!!f->df]);
> +
> +     return err;
> +}
> +
> +static int nf_tables_delosf(struct net *net, struct sock *ctnl,
> +                         struct sk_buff *skb,
> +                         const struct nlmsghdr *nlh,
> +                         const struct nlattr * const osf_attrs[],
> +                         struct netlink_ext_ack *extack)
> +{
> +     struct nf_osf_user_finger *f;
> +     struct nf_osf_finger *sf;
> +     int err = -ENOENT;
> +
> +     if (!capable(CAP_NET_ADMIN))
> +             return -EPERM;
> +
> +     if (!osf_attrs[OSF_ATTR_FINGER])
> +             return -EINVAL;
> +
> +     f = nla_data(osf_attrs[OSF_ATTR_FINGER]);
> +
> +     list_for_each_entry(sf, &nft_osf_fingers[!!f->df], finger_entry) {
> +             if (memcmp(&sf->finger, f, sizeof(struct nf_osf_user_finger)))
> +                     continue;
> +
> +             /*
> +              * We are protected by nfnl mutex.
> +              */
> +             list_del_rcu(&sf->finger_entry);
> +             kfree_rcu(sf, rcu_head);
> +
> +             err = 0;
> +             break;
> +     }
> +
> +     return err;
> +}
> +
> +static const struct nla_policy nft_osf_policy[NFTA_OSF_MAX + 1] = {
> +     [NFTA_OSF_GENRE]        = { .type = NLA_STRING, .len = OSF_GENRE_SIZE },
> +     [NFTA_OSF_FLAGS]        = { .type = NLA_U32 },
> +     [NFTA_OSF_LOGLEVEL]     = { .type = NLA_U32 },
> +     [NFTA_OSF_TTL]          = { .type = NLA_U32 },
> +};
> +
>  static const struct nfnl_callback nf_tables_cb[NFT_MSG_MAX] = {
>       [NFT_MSG_NEWTABLE] = {
>               .call_batch     = nf_tables_newtable,
> @@ -6022,6 +6122,16 @@ static const struct nfnl_callback 
> nf_tables_cb[NFT_MSG_MAX] = {
>               .attr_count     = NFTA_FLOWTABLE_MAX,
>               .policy         = nft_flowtable_policy,
>       },
> +     [NFT_MSG_NEWOSF] = {
> +             .call_batch     = nf_tables_newosf,
> +             .attr_count     = NFTA_OSF_MAX,
> +             .policy         = nft_osf_policy,
> +     },
> +     [NFT_MSG_DELOSF] = {
> +             .call_batch     = nf_tables_delosf,
> +             .attr_count     = NFTA_OSF_MAX,
> +             .policy         = nft_osf_policy,
> +     },
>  };
>  
>  static int nf_tables_validate(struct net *net)
> diff --git a/net/netfilter/nft_osf.c b/net/netfilter/nft_osf.c
> index 30c503f2bf53..cf8a38b052ad 100644
> --- a/net/netfilter/nft_osf.c
> +++ b/net/netfilter/nft_osf.c
> @@ -54,6 +54,7 @@ static int nft_osf_init(const struct nft_ctx *ctx,
>               return -EINVAL;
>       priv->ttl       = ntohl(nla_get_be32(tb[NFTA_OSF_TTL]));
>       priv->len = strlen(priv->genre);
> +

De nuevo línea innecesaria.

Intenta ser meticuloso con lo que presentas, pues da la sensación a
quien lo envías que no eres cuidadoso con los detalles...

>       return 0;
>  }
>  
> -- 
> 2.18.0
> 
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majord...@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to