From patchwork Tue Sep 13 21:16:01 2022
X-Patchwork-Submitter: Maximilian Riemensberger
X-Patchwork-Id: 1677553
From: Maximilian Riemensberger
To: openwrt-devel@lists.openwrt.org
Cc: Felix Fietkau, Maximilian Riemensberger
Subject: [PATCH] bridge: Support nf_call_{ip,ip6,arp}tables attributes
Date: Tue, 13 Sep 2022 23:16:01 +0200
Message-Id: <20220913211601.30750-1-riemensberger@cadami.net>
X-Mailer: git-send-email 2.25.1
The bridge driver allows passing bridged frames to netfilter. Add bridge config options nf_call_iptables, nf_call_ip6tables, nf_call_arptables to opt in.

Signed-off-by: Maximilian Riemensberger
---
 bridge.c       | 15 +++++++++++++++
 system-dummy.c |  6 ++++--
 system-linux.c |  3 +++
 system.h       |  4 ++++
 4 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/bridge.c b/bridge.c index 7e61b9d..153e41f 100644 --- a/bridge.c +++ b/bridge.c @@ -43,6 +43,9 @@ enum { BRIDGE_ATTR_HAS_VLANS, BRIDGE_ATTR_STP_KERNEL, BRIDGE_ATTR_STP_PROTO, + BRIDGE_ATTR_NF_CALL_IPTABLES, + BRIDGE_ATTR_NF_CALL_IP6TABLES, + BRIDGE_ATTR_NF_CALL_ARPTABLES, __BRIDGE_ATTR_MAX };
@@ -66,6 +69,9 @@ static const struct blobmsg_policy bridge_attrs[__BRIDGE_ATTR_MAX] = { [BRIDGE_ATTR_HAS_VLANS] = { "__has_vlans", BLOBMSG_TYPE_BOOL }, /* internal */ [BRIDGE_ATTR_STP_KERNEL] = { "stp_kernel", BLOBMSG_TYPE_BOOL }, [BRIDGE_ATTR_STP_PROTO] = { "stp_proto", BLOBMSG_TYPE_STRING }, + [BRIDGE_ATTR_NF_CALL_IPTABLES] = { "nf_call_iptables", BLOBMSG_TYPE_BOOL }, + [BRIDGE_ATTR_NF_CALL_IP6TABLES] = { "nf_call_ip6tables", BLOBMSG_TYPE_BOOL }, + [BRIDGE_ATTR_NF_CALL_ARPTABLES] = { "nf_call_arptables", BLOBMSG_TYPE_BOOL }, }; static const struct uci_blob_param_info bridge_attr_info[__BRIDGE_ATTR_MAX] = { @@ -1114,6 +1120,15 @@ bridge_apply_settings(struct bridge_state *bst, struct blob_attr **tb) if ((cur = tb[BRIDGE_ATTR_VLAN_FILTERING])) cfg->vlan_filtering = blobmsg_get_bool(cur); + + if ((cur = tb[BRIDGE_ATTR_NF_CALL_IPTABLES])) + cfg->nf_call_iptables = blobmsg_get_bool(cur); + + if ((cur = tb[BRIDGE_ATTR_NF_CALL_IP6TABLES])) + cfg->nf_call_ip6tables = blobmsg_get_bool(cur); + + if ((cur = tb[BRIDGE_ATTR_NF_CALL_ARPTABLES])) + cfg->nf_call_arptables = blobmsg_get_bool(cur); } static enum dev_change_type diff --git a/system-dummy.c b/system-dummy.c index b13bc87..811404d 100644 --- a/system-dummy.c +++ b/system-dummy.c @@ -32,8 +32,10 @@ int system_init(void) int system_bridge_addbr(struct device *bridge, struct bridge_config *cfg) { - D(SYSTEM, "brctl addbr %s vlan_filtering=%d\n", - bridge->ifname, cfg->vlan_filtering); + D(SYSTEM, + "brctl addbr %s vlan_filtering=%d nf_call_iptables=%d nf_call_ip6tables=%d nf_call_arptables=%d\n", + bridge->ifname, cfg->vlan_filtering, cfg->nf_call_iptables, + cfg->nf_call_ip6tables, cfg->nf_call_arptables); return 0; } diff --git a/system-linux.c b/system-linux.c index 0f13a99..71e9ec6 100644 --- a/system-linux.c +++ b/system-linux.c 
@@ -1342,6 +1342,9 @@ int system_bridge_addbr(struct device *bridge, struct bridge_config *cfg) } nla_put_u8(msg, IFLA_BR_VLAN_FILTERING, !!cfg->vlan_filtering); + nla_put_u8(msg, IFLA_BR_NF_CALL_IPTABLES, !!cfg->nf_call_iptables); + nla_put_u8(msg, IFLA_BR_NF_CALL_IP6TABLES, !!cfg->nf_call_ip6tables); + nla_put_u8(msg, IFLA_BR_NF_CALL_ARPTABLES, !!cfg->nf_call_arptables); nla_put_u16(msg, IFLA_BR_PRIORITY, cfg->priority); nla_put_u32(msg, IFLA_BR_HELLO_TIME, sec_to_jiffies(cfg->hello_time)); nla_put_u32(msg, IFLA_BR_MAX_AGE, sec_to_jiffies(cfg->max_age)); diff --git a/system.h b/system.h index 0f08c26..c551b13 100644 --- a/system.h +++ b/system.h @@ -208,6 +208,10 @@ struct bridge_config { int hash_max; bool vlan_filtering; + + bool nf_call_iptables; + bool nf_call_ip6tables; + bool nf_call_arptables; }; enum macvlan_opt {
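Review bot: the bridge_attrs hunk in bridge.c adds three user-facing options (nf_call_iptables, nf_call_ip6tables, nf_call_arptables) without documenting their prerequisite anywhere in the patch: the commit message only says the bridge driver "allows passing bridged frames to netfilter", so a user has no hint that the flags have no effect unless the kernel's bridge netfilter hooks (br_netfilter) are present and loaded. Suggest a sentence in the commit message naming that dependency, and mentioning that the option names deliberately match the kernel's own nf_call_* bridge knobs, so the applied value can be checked with `ip -d link show <bridge>`.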
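Review bot: in the bridge_apply_settings hunk the three new cfg fields are written only when the corresponding option is present in the blob; nothing in the hunk resets them to false when it is absent. If bridge_apply_settings zeroes cfg before this block (not visible in the shown context), that is fine; otherwise a reload that removes `option nf_call_iptables` from the config would keep the previously applied value. Suggest either adding explicit `cfg->nf_call_iptables = false;` (and the two siblings) next to the existing defaults, or stating in the commit message that the initial clearing of cfg covers them.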
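Review bot: the system-linux.c hunk emits IFLA_BR_NF_CALL_IPTABLES, IFLA_BR_NF_CALL_IP6TABLES and IFLA_BR_NF_CALL_ARPTABLES unconditionally with `!!cfg->nf_call_*`, so a bridge created without any of the options gets an explicit 0 rather than whatever the kernel would otherwise have chosen. That matches the "opt in" wording of the commit message and keeps the non-filtering state as the default, which is the conservative choice; the point to note is that the attributes are set only in system_bridge_addbr, i.e. at creation time, and no runtime update path is added, so changing one of the options on a running bridge takes effect only if netifd recreates the bridge for that config change. The neighbouring vlan_filtering put is in the same position, so the new attributes at least behave consistently with it; a short note in the commit message would save the next reader the question.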
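As an added usage example, not part of the patch and not netifd's own documentation: a /etc/config/network fragment that uses the options this patch introduces on one bridge and leaves a second bridge at the default. The bridge and port names (br-guest, br-lan, lan1 to lan4) are placeholders, and the example assumes the br_netfilter kernel module (OpenWrt package kmod-br-netfilter) is loaded, since the flags only matter once the bridge netfilter hooks exist.

```uci
# /etc/config/network (constructed example, not from the patch)

# Default: frames bridged between lan1 and lan2 stay at layer 2 and never
# reach iptables/nftables, so no firewall rule can separate the two ports.
config device
	option name 'br-guest'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'

# Opt in: IPv4 and IPv6 frames forwarded between lan3 and lan4 now traverse
# the netfilter FORWARD path, so firewall rules can isolate the ports from
# each other. ARP is left unfiltered. Requires kmod-br-netfilter (assumption).
config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan3'
	list ports 'lan4'
	option nf_call_iptables '1'
	option nf_call_ip6tables '1'
	option nf_call_arptables '0'
```

After `/etc/init.d/network reload`, `ip -d link show br-lan` should print `nf_call_iptables 1 nf_call_ip6tables 1 nf_call_arptables 0`, and `cat /sys/class/net/br-lan/bridge/nf_call_iptables` should print 1; br-guest keeps 0 for all three. Bridged frames on br-lan then show up in the IP FORWARD chain with both the ingress and egress physdev ports belonging to the bridge, which is where isolation rules for them belong.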