lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:   Sun,  8 Dec 2019 12:41:30 +0800
From:   Xin Long <lucien.xin@...il.com>
To:     network dev <netdev@...r.kernel.org>,
        netfilter-devel@...r.kernel.org
Cc:     davem@...emloft.net, Pablo Neira Ayuso <pablo@...filter.org>
Subject: [PATCH nf-next 0/7] netfilter: nft_tunnel: reinforce key opts support

This patchset improves quite a few places to make vxlan/erspan
opts in nft_tunnel work with userspace nftables/libnftnl, and
also keep consistent with the support for vxlan/erspan opts in
act_tunnel_key, cls_flower and ip_tunnel_core.

Meanwhile, add support for geneve opts in nft_tunnel. One patch
for nftables and one for libnftnl will be posted here for the
testing. With them, nft_tunnel can be set and used by:

  # nft add table ip filter
  # nft add chain ip filter input { type filter hook input priority 0 \; }
  # nft add tunnel filter vxlan_01 { type vxlan\; id 2\; \
    ip saddr 192.168.1.1\; ip daddr 192.168.1.2\; \
    sport 9000\; dport 9001\; dscp 1234\; ttl 64\; flags 1\; \
    opts \"ffff\"\; }
  # nft add tunnel filter erspan_01 { type erspan\; id 2\; \
    ip saddr 192.168.1.1\; ip daddr 192.168.1.2\; \
    sport 9000\; dport 9001\; dscp 1234\; ttl 64\; flags 1\; \
    opts \"1:1:0:0\"\; }
  # nft add tunnel filter erspan_02 { type erspan\; id 2\; \
    ip saddr 192.168.1.1\; ip daddr 192.168.1.2\; \
    sport 9000\; dport 9001\; dscp 1234\; ttl 64\; flags 1\; \
    opts \"2:0:1:1\"\; }
  # nft add tunnel filter geneve_01 { type geneve\; id 2\; \
    ip saddr 192.168.1.1\; ip daddr 192.168.1.2\; \
    sport 9000\; dport 9001\; dscp 1234\; ttl 64\; flags 1\; \
    opts \"1:1:1212121234567890\"\; }
  # nft add tunnel filter geneve_02 { type geneve\; id 2\; \
    ip saddr 192.168.1.1\; ip daddr 192.168.1.2\; \
    sport 9000\; dport 9001\; dscp 1234\; ttl 64\; flags 1\; \
    opts \"1:1:34567890,2:2:12121212,3:3:1212121234567890\"\; }
  # nft list tunnels table filter
  # nft add rule filter input ip protocol udp tunnel name geneve_02
  # nft add rule filter input meta l4proto udp tunnel id 2 drop
  # nft add rule filter input meta l4proto udp tunnel path 0 drop
  # nft list chain filter input -a

Xin Long (7):
  netfilter: nft_tunnel: parse ERSPAN_VERSION attr as u8
  netfilter: nft_tunnel: parse VXLAN_GBP attr as u32 in nft_tunnel
  netfilter: nft_tunnel: no need to call htons() when dumping ports
  netfilter: nft_tunnel: also dump ERSPAN_VERSION
  netfilter: nft_tunnel: also dump OPTS_ERSPAN/VXLAN
  netfilter: nft_tunnel: add the missing nla_nest_cancel()
  netfilter: nft_tunnel: add support for geneve opts

 include/uapi/linux/netfilter/nf_tables.h |  10 ++
 net/netfilter/nft_tunnel.c               | 170 +++++++++++++++++++++++++------
 2 files changed, 151 insertions(+), 29 deletions(-)

-- 
2.1.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ