| Message ID | 20220204102637.4272-1-nicolas.dichtel@6wind.com |
|---|---|
| State | Deferred |
| Delegated to | Pablo Neira |
| Series | [libnetfilter_queue] libnetfilter_queue: add support of skb->priority |
On 04/02/2022 at 11:26, Nicolas Dichtel wrote:
> Available since linux v5.18.
>
> Link: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=
> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
> ---

Should I send another patch for the 'set' part?
In this case, a nfq_set_verdict3(). The name is a bit ugly ;-)
Any suggestions?
Nicolas Dichtel <nicolas.dichtel@6wind.com> wrote:
>
> On 04/02/2022 at 11:26, Nicolas Dichtel wrote:
> > Available since linux v5.18.
> >
> > Link: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=
> > Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
> > ---
>
> Should I send another patch for the 'set' part?
> In this case, a nfq_set_verdict3(). The name is a bit ugly ;-)
> Any suggestions?

I think we should just let the old api die and tell users
to use the mnl interface, that allows to add the new attribute
as soon as it's available.
On Fri, Feb 04, 2022 at 01:01:26PM +0100, Florian Westphal wrote:
> Nicolas Dichtel <nicolas.dichtel@6wind.com> wrote:
> >
> > On 04/02/2022 at 11:26, Nicolas Dichtel wrote:
> > > Available since linux v5.18.
> > >
> > > Link: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=
> > > Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
> > > ---
> >
> > Should I send another patch for the 'set' part?
> > In this case, a nfq_set_verdict3(). The name is a bit ugly ;-)
> > Any suggestions?
>
> I think we should just let the old api die and tell users
> to use the mnl interface, that allows to add the new attribute
> as soon as it's available.

We have to provide a simple API based on mnl which resembles the
existing old API.

Feedback in these years is that there are users that do not need to
know about netlink details / advanced handling.
On 04/02/2022 at 15:20, Pablo Neira Ayuso wrote:
> On Fri, Feb 04, 2022 at 01:01:26PM +0100, Florian Westphal wrote:
>> Nicolas Dichtel <nicolas.dichtel@6wind.com> wrote:
>>>
>>> On 04/02/2022 at 11:26, Nicolas Dichtel wrote:
>>>> Available since linux v5.18.
>>>>
>>>> Link: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=
>>>> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
>>>> ---
>>>
>>> Should I send another patch for the 'set' part?
>>> In this case, a nfq_set_verdict3(). The name is a bit ugly ;-)
>>> Any suggestions?
>>
>> I think we should just let the old api die and tell users
>> to use the mnl interface, that allows to add the new attribute
>> as soon as it's available.
>
> We have to provide a simple API based on mnl which resembles the
> existing old API.
>
> Feedback in these years is that there are users that do not need to
> know about netlink details / advanced handling.

If I understand well, libnetfilter_queue is deprecated?
If this is right, maybe it could be advertised on the project page:
https://netfilter.org/projects/libnetfilter_queue/index.html

Regards,
Nicolas
On Wed, Feb 23, 2022 at 10:01:48AM +0100, Nicolas Dichtel wrote:
>
> On 04/02/2022 at 15:20, Pablo Neira Ayuso wrote:
> > On Fri, Feb 04, 2022 at 01:01:26PM +0100, Florian Westphal wrote:
> >> Nicolas Dichtel <nicolas.dichtel@6wind.com> wrote:
> >>>
> >>> On 04/02/2022 at 11:26, Nicolas Dichtel wrote:
> >>>> Available since linux v5.18.
> >>>>
> >>>> Link: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=
> >>>> Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
> >>>> ---
> >>>
> >>> Should I send another patch for the 'set' part?
> >>> In this case, a nfq_set_verdict3(). The name is a bit ugly ;-)
> >>> Any suggestions?
> >>
> >> I think we should just let the old api die and tell users
> >> to use the mnl interface, that allows to add the new attribute
> >> as soon as it's available.
> >
> > We have to provide a simple API based on mnl which resembles the
> > existing old API.
> >
> > Feedback in these years is that there are users that do not need to
> > know about netlink details / advanced handling.
>
> If I understand well, libnetfilter_queue is deprecated?

This library is not deprecated.

> If this is right, maybe it could be advertised on the project page:
> https://netfilter.org/projects/libnetfilter_queue/index.html

Documentation already mentions this:
https://netfilter.org/projects/libnetfilter_queue/doxygen/html/
On 23/02/2022 at 11:24, Pablo Neira Ayuso wrote:
[snip]
>> If I understand well, libnetfilter_queue is deprecated?
>
> This library is not deprecated.

Oh ok, sorry for my misunderstanding. So my patch is relevant?
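Florian's suggestion above is that an mnl-based caller parses the attributes itself, and the accessor this patch adds behaves like nfq_get_nfmark: it yields 0 whether the queued packet's priority is 0 or the kernel simply did not send NFQA_PRIORITY. The walker below is an added example, not libnetfilter_queue or libmnl code; it records presence separately from the value and refuses malformed lengths instead of reading past the buffer. It constructs its own messages, uses only <linux/netlink.h> for the TLV layout, and `ATTR_MARK` / `ATTR_PRIORITY` are local stand-ins whose numeric values are assumed to match NFQA_MARK / NFQA_PRIORITY.

```c
/* Added example (not libnetfilter_queue or libmnl code): an nfqueue attribute
 * walker that records whether NFQA_PRIORITY was present, so "priority 0" and
 * "kernel did not send the attribute" can be told apart. The messages are
 * constructed locally; ATTR_MARK / ATTR_PRIORITY are assumed stand-ins for
 * the kernel's NFQA_MARK / NFQA_PRIORITY enumerators. */
#include <arpa/inet.h>      /* htonl, ntohl */
#include <linux/netlink.h>  /* struct nlattr, NLA_HDRLEN, NLA_ALIGN, NLA_TYPE_MASK */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { ATTR_MARK = 3, ATTR_PRIORITY = 21 };  /* assumed to mirror the kernel enum */

struct nfq_attrs {
	bool has_mark, has_priority;
	uint32_t mark, priority;  /* host byte order */
};

/* Append one u32 attribute with a big-endian payload, the layout in which
 * the mark accessor of the library expects its data (it applies ntohl()). */
static size_t put_u32_attr(unsigned char *buf, size_t off, uint16_t type, uint32_t val)
{
	struct nlattr nla = { .nla_len = NLA_HDRLEN + sizeof(uint32_t), .nla_type = type };
	uint32_t be = htonl(val);

	memcpy(buf + off, &nla, sizeof(nla));
	memcpy(buf + off + NLA_HDRLEN, &be, sizeof(be));
	return off + NLA_ALIGN(nla.nla_len);
}

/* Walk a flat attribute stream. Every length is checked against the remaining
 * buffer before any payload is read; a bad length aborts the parse (-1) rather
 * than being clamped. Unknown attribute types are skipped. Returns 0 on success. */
static int parse_nfq_attrs(const unsigned char *buf, size_t len, struct nfq_attrs *out)
{
	size_t off = 0;

	memset(out, 0, sizeof(*out));
	while (off + NLA_HDRLEN <= len) {
		struct nlattr nla;
		uint16_t type;
		uint32_t be;

		memcpy(&nla, buf + off, sizeof(nla));  /* no unaligned dereference */
		if (nla.nla_len < NLA_HDRLEN || off + nla.nla_len > len)
			return -1;
		type = nla.nla_type & NLA_TYPE_MASK;
		if (type == ATTR_MARK || type == ATTR_PRIORITY) {
			if ((size_t)(nla.nla_len - NLA_HDRLEN) != sizeof(be))
				return -1;  /* wrong payload size: refuse, do not guess */
			memcpy(&be, buf + off + NLA_HDRLEN, sizeof(be));
			if (type == ATTR_MARK) {
				out->mark = ntohl(be);
				out->has_mark = true;
			} else {
				out->priority = ntohl(be);
				out->has_priority = true;
			}
		}
		off += NLA_ALIGN(nla.nla_len);
	}
	return off == len ? 0 : -1;  /* leftover bytes mean a malformed stream */
}

/* Constructed message: mark only, as a kernel without NFQA_PRIORITY sends.
 * Returns 1 if the parser saw a priority attribute, 0 if not, -1 on error. */
static int demo_absent(void)
{
	unsigned char buf[64];
	struct nfq_attrs a;
	size_t len = put_u32_attr(buf, 0, ATTR_MARK, 0x10);

	if (parse_nfq_attrs(buf, len, &a) != 0)
		return -1;
	return a.has_priority ? 1 : 0;
}

/* Constructed message: mark plus a priority attribute carrying `prio`.
 * Returns the parsed priority, -2 if it was not seen, -1 on parse error. */
static int demo_present(uint32_t prio)
{
	unsigned char buf[64];
	struct nfq_attrs a;
	size_t len = put_u32_attr(buf, 0, ATTR_MARK, 0x10);

	len = put_u32_attr(buf, len, ATTR_PRIORITY, prio);
	if (parse_nfq_attrs(buf, len, &a) != 0)
		return -1;
	return a.has_priority ? (int)a.priority : -2;
}

/* Constructed message whose attribute claims more bytes than the buffer holds. */
static int demo_truncated(void)
{
	unsigned char buf[64];
	struct nfq_attrs a;
	size_t len = put_u32_attr(buf, 0, ATTR_PRIORITY, 7);

	return parse_nfq_attrs(buf, len - 2, &a);
}

int main(void)
{
	printf("no attribute  -> has_priority=%d\n", demo_absent());
	printf("priority == 0 -> parsed value=%d (present)\n", demo_present(0));
	printf("priority == 6 -> parsed value=%d\n", demo_present(6));
	printf("truncated     -> rc=%d (rejected)\n", demo_truncated());
	return 0;
}
```

The `has_priority` flag is what a "return 0 if not set" accessor cannot give you; a simple mnl-style API that wants to keep the old calling convention could expose it through a separate presence query rather than overloading the zero value.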
diff --git a/include/libnetfilter_queue/libnetfilter_queue.h b/include/libnetfilter_queue/libnetfilter_queue.h index a19122f10ec6..8a191dfdfeaf 100644 --- a/include/libnetfilter_queue/libnetfilter_queue.h +++ b/include/libnetfilter_queue/libnetfilter_queue.h @@ -96,6 +96,8 @@ extern struct nfqnl_msg_packet_hdr * extern uint32_t nfq_get_nfmark(struct nfq_data *nfad); +extern uint32_t nfq_get_priority(struct nfq_data *nfad); + extern int nfq_get_timestamp(struct nfq_data *nfad, struct timeval *tv); /* return 0 if not set */ @@ -132,6 +134,7 @@ enum { NFQ_XML_UID = (1 << 6), NFQ_XML_GID = (1 << 7), NFQ_XML_SECCTX = (1 << 8), + NFQ_XML_PRIORITY= (1 << 9), NFQ_XML_ALL = ~0U, }; diff --git a/include/linux/netfilter/nfnetlink_queue.h b/include/linux/netfilter/nfnetlink_queue.h index 8e2e4697ffb0..ef7c97f21a15 100644 --- a/include/linux/netfilter/nfnetlink_queue.h +++ b/include/linux/netfilter/nfnetlink_queue.h @@ -1,3 +1,4 @@ +/* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ #ifndef _NFNETLINK_QUEUE_H #define _NFNETLINK_QUEUE_H @@ -30,6 +31,14 @@ struct nfqnl_msg_packet_timestamp { __aligned_be64 usec; }; +enum nfqnl_vlan_attr { + NFQA_VLAN_UNSPEC, + NFQA_VLAN_PROTO, /* __be16 skb vlan_proto */ + NFQA_VLAN_TCI, /* __be16 skb htons(vlan_tci) */ + __NFQA_VLAN_MAX, +}; +#define NFQA_VLAN_MAX (__NFQA_VLAN_MAX - 1) + enum nfqnl_attr_type { NFQA_UNSPEC, NFQA_PACKET_HDR, @@ -49,7 +58,10 @@ enum nfqnl_attr_type { NFQA_EXP, /* nfnetlink_conntrack.h */ NFQA_UID, /* __u32 sk uid */ NFQA_GID, /* __u32 sk gid */ - NFQA_SECCTX, + NFQA_SECCTX, /* security context string */ + NFQA_VLAN, /* nested attribute: packet vlan info */ + NFQA_L2HDR, /* full L2 header */ + NFQA_PRIORITY, /* skb->priority */ __NFQA_MAX }; 
@@ -111,5 +123,7 @@ enum nfqnl_attr_config { #define NFQA_SKB_CSUMNOTREADY (1 << 0) /* packet is GSO (i.e., exceeds device mtu) */ #define NFQA_SKB_GSO (1 << 1) +/* csum not validated (incoming device doesn't support hw checksum, etc.) */ +#define NFQA_SKB_CSUM_NOTVERIFIED (1 << 2) #endif /* _NFNETLINK_QUEUE_H */ diff --git a/src/libnetfilter_queue.c b/src/libnetfilter_queue.c index a1701431d5d9..b5a3b399f5ea 100644 --- a/src/libnetfilter_queue.c +++ b/src/libnetfilter_queue.c @@ -1017,6 +1017,18 @@ uint32_t nfq_get_nfmark(struct nfq_data *nfad) return ntohl(nfnl_get_data(nfad->data, NFQA_MARK, uint32_t)); } +/** + * nfq_get_priority - get the packet priority + * \param nfad Netlink packet data handle passed to callback function + * + * \return the packet priority currently assigned to the given queued packet. + */ +EXPORT_SYMBOL +uint32_t nfq_get_priority(struct nfq_data *nfad) +{ + return ntohl(nfnl_get_data(nfad->data, NFQA_PRIORITY, uint32_t)); +} + /** * nfq_get_timestamp - get the packet timestamp * \param nfad Netlink packet data handle passed to callback function @@ -1403,6 +1415,7 @@ do { \ * - NFQ_XML_PHYSDEV: include the physical device information * - NFQ_XML_PAYLOAD: include the payload (in hexadecimal) * - NFQ_XML_TIME: include the timestamp + * - NFQ_XML_PRIORITY: include the packet priority * - NFQ_XML_ALL: include all the logging information (all flags set) * * You can combine this flags with an binary OR. @@ -1416,7 +1429,7 @@ int nfq_snprintf_xml(char *buf, size_t rem, struct nfq_data *tb, int flags) { struct nfqnl_msg_packet_hdr *ph; struct nfqnl_msg_packet_hw *hwph; - uint32_t mark, ifi; + uint32_t mark, ifi, priority; uint32_t uid, gid; int size, offset = 0, len = 0, ret; unsigned char *data; 
@@ -1507,6 +1520,12 @@ int nfq_snprintf_xml(char *buf, size_t rem, struct nfq_data *tb, int flags) SNPRINTF_FAILURE(size, rem, offset, len); } + priority = nfq_get_priority(tb); + if (priority && (flags & NFQ_XML_PRIORITY)) { + size = snprintf(buf + offset, rem, "<priority>%u</priority>", priority); + SNPRINTF_FAILURE(size, rem, offset, len); + } + ifi = nfq_get_indev(tb); if (ifi && (flags & NFQ_XML_DEV)) { size = snprintf(buf + offset, rem, "<indev>%u</indev>", ifi);
Available since linux v5.18.

Link: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
---
 .../libnetfilter_queue/libnetfilter_queue.h |  3 +++
 include/linux/netfilter/nfnetlink_queue.h   | 16 +++++++++++++-
 src/libnetfilter_queue.c                    | 21 ++++++++++++++++++-
 3 files changed, 38 insertions(+), 2 deletions(-)
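Review bot: In the `enum` hunk of include/libnetfilter_queue/libnetfilter_queue.h, `NFQ_XML_PRIORITY= (1 << 9),` lacks the space before `=` that the neighbouring entries use (`NFQ_XML_SECCTX = (1 << 8),`); please write it as `NFQ_XML_PRIORITY = (1 << 9),`. Bit 9 is the next free one after NFQ_XML_SECCTX, so the value itself is fine and remains covered by `NFQ_XML_ALL = ~0U`.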
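Review bot: The include/linux/netfilter/nfnetlink_queue.h hunks bring in more than NFQA_PRIORITY: the SPDX line, the `enum nfqnl_vlan_attr` block, NFQA_VLAN, NFQA_L2HDR and NFQA_SKB_CSUM_NOTVERIFIED all arrive in the same patch, and the `NFQA_SECCTX` line is reformatted to gain a comment. The usual practice is a separate "sync nfnetlink_queue.h with kernel" commit so that the feature change is reviewable on its own. Related: the `Link:` trailer in the commit message ends in `?id=` with no commit hash, so the "Available since linux v5.18" claim cannot be checked against the kernel change that added NFQA_PRIORITY; please fill it in.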
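Review bot: The doxygen comment on `nfq_get_priority` in src/libnetfilter_queue.c should document what `nfnl_get_data` makes true of it, exactly as of `nfq_get_nfmark` just above: the function returns 0 both when the queued packet's priority is 0 and when the kernel did not include NFQA_PRIORITY at all (any kernel before the v5.18 change the commit message refers to), so a caller cannot distinguish the two cases through this accessor. A `\return` line along the lines of "the packet priority, or 0 if it is zero or the kernel did not report it" would say so. The `ntohl()` conversion is consistent with the nfmark accessor.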
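Review bot: In the nfq_snprintf_xml hunk, `if (priority && (flags & NFQ_XML_PRIORITY))` omits the `<priority>` element whenever the value is 0, so an XML consumer cannot tell a zero priority from a kernel that does not report it; this mirrors the `if (ifi && (flags & NFQ_XML_DEV))` check directly below, so it is consistent with the file, but the NFQ_XML_PRIORITY entry in the flag list should say that a zero priority is not emitted. Also, `size = snprintf(buf + offset, rem, "<priority>%u</priority>", priority);` runs past 80 columns at the two tab stops of indentation it sits at; breaking the call after `rem,` keeps it in line with the rest of the function.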