include/uapi/linux/netfilter/nf_tables.h +2 −0 Original line number Diff line number Diff line Loading @@ -1010,10 +1010,12 @@ enum nft_socket_attributes { * * @NFT_SOCKET_TRANSPARENT: Value of the IP(V6)_TRANSPARENT socket option * @NFT_SOCKET_MARK: Value of the socket mark * @NFT_SOCKET_WILDCARD: Whether the socket is zero-bound (e.g. 0.0.0.0 or ::0) */ enum nft_socket_keys { NFT_SOCKET_TRANSPARENT, NFT_SOCKET_MARK, NFT_SOCKET_WILDCARD, __NFT_SOCKET_MAX }; #define NFT_SOCKET_MAX (__NFT_SOCKET_MAX - 1) Loading
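Review bot: The new @NFT_SOCKET_WILDCARD kernel-doc line describes the predicate but not how the result is represented, whereas the matching nft_socket_init() change in net/netfilter/nft_socket.c sizes its register as `sizeof(u8)`; since this is a uapi header that userspace (nft) reads to size the destination register, the width is worth stating. Suggested wording: `@NFT_SOCKET_WILDCARD: Whether the socket is zero-bound (e.g. 0.0.0.0 or ::), stored as a u8 boolean`. The conventional spelling of the IPv6 unspecified address is `::` rather than `::0`.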
net/netfilter/nft_socket.c +27 −0 Original line number Diff line number Diff line Loading @@ -14,6 +14,25 @@ struct nft_socket { }; }; static void nft_socket_wildcard(const struct nft_pktinfo *pkt, struct nft_regs *regs, struct sock *sk, u32 *dest) { switch (nft_pf(pkt)) { case NFPROTO_IPV4: nft_reg_store8(dest, inet_sk(sk)->inet_rcv_saddr == 0); break; #if IS_ENABLED(CONFIG_NF_TABLES_IPV6) case NFPROTO_IPV6: nft_reg_store8(dest, ipv6_addr_any(&sk->sk_v6_rcv_saddr)); break; #endif default: regs->verdict.code = NFT_BREAK; return; } } static void nft_socket_eval(const struct nft_expr *expr, struct nft_regs *regs, const struct nft_pktinfo *pkt) Loading Loading @@ -59,6 +78,13 @@ static void nft_socket_eval(const struct nft_expr *expr, return; } break; case NFT_SOCKET_WILDCARD: if (!sk_fullsock(sk)) { regs->verdict.code = NFT_BREAK; return; } nft_socket_wildcard(pkt, regs, sk, dest); break; default: WARN_ON(1); regs->verdict.code = NFT_BREAK; Loading Loading @@ -97,6 +123,7 @@ static int nft_socket_init(const struct nft_ctx *ctx, priv->key = ntohl(nla_get_u32(tb[NFTA_SOCKET_KEY])); switch(priv->key) { case NFT_SOCKET_TRANSPARENT: case NFT_SOCKET_WILDCARD: len = sizeof(u8); break; case NFT_SOCKET_MARK: Loading
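Review bot: nft_socket_wildcard() in the first hunk dereferences `inet_sk(sk)->inet_rcv_saddr` and `sk->sk_v6_rcv_saddr` without checking the socket kind itself; it is only safe because the NFT_SOCKET_WILDCARD case in nft_socket_eval() (second hunk) guards the call with `sk_fullsock(sk)`, and that precondition is invisible at the helper. A one-line comment above the helper would keep a future caller from dropping the check: `/* Caller must have verified sk_fullsock(sk) before calling. */`. As a point of style, the `return;` in the helper's `default:` arm is redundant, since the switch is the last statement of the function; `break;` (or nothing) reads as the other arms do. The body of nft_socket_eval() starts and ends outside the second hunk, and nft_socket_init() outside the third.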