From ea63a05272f5400d73498daa5932afd0aa65e79f Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Mon, 6 Aug 2018 13:35:00 +0200
Subject: obj: add tunnel support

Signed-off-by: Pablo Neira Ayuso
---
 include/libnftnl/object.h | 19 ++++++++++
 include/linux/netfilter/nf_tables.h | 69 ++++++++++++++++++++++++++++++++++++-
 include/obj.h | 29 ++++++++++++++++
 3 files changed, 116 insertions(+), 1 deletion(-)
(limited to 'include')
diff --git a/include/libnftnl/object.h b/include/libnftnl/object.h
index 93a40d0..6f9edfd 100644
--- a/include/libnftnl/object.h
+++ b/include/libnftnl/object.h
@@ -49,6 +49,25 @@ enum {
 NFTNL_OBJ_LIMIT_FLAGS,
 };
 
+enum {
+ NFTNL_OBJ_TUNNEL_ID = NFTNL_OBJ_BASE,
+ NFTNL_OBJ_TUNNEL_IPV4_SRC,
+ NFTNL_OBJ_TUNNEL_IPV4_DST,
+ NFTNL_OBJ_TUNNEL_IPV6_SRC,
+ NFTNL_OBJ_TUNNEL_IPV6_DST,
+ NFTNL_OBJ_TUNNEL_IPV6_FLOWLABEL,
+ NFTNL_OBJ_TUNNEL_SPORT,
+ NFTNL_OBJ_TUNNEL_DPORT,
+ NFTNL_OBJ_TUNNEL_FLAGS,
+ NFTNL_OBJ_TUNNEL_TOS,
+ NFTNL_OBJ_TUNNEL_TTL,
+ NFTNL_OBJ_TUNNEL_VXLAN_GBP,
+ NFTNL_OBJ_TUNNEL_ERSPAN_VERSION,
+ NFTNL_OBJ_TUNNEL_ERSPAN_V1_INDEX,
+ NFTNL_OBJ_TUNNEL_ERSPAN_V2_HWID,
+ NFTNL_OBJ_TUNNEL_ERSPAN_V2_DIR,
+};
+
 struct nftnl_obj;
 
 struct nftnl_obj *nftnl_obj_alloc(void);
diff --git a/include/linux/netfilter/nf_tables.h b/include/linux/netfilter/nf_tables.h
index cc21ef0..0450fc0 100644
--- a/include/linux/netfilter/nf_tables.h
+++ b/include/linux/netfilter/nf_tables.h
@@ -1401,7 +1401,8 @@ enum nft_ct_helper_attributes {
 #define NFT_OBJECT_CT_HELPER 3
 #define NFT_OBJECT_LIMIT 4
 #define NFT_OBJECT_CONNLIMIT 5
-#define __NFT_OBJECT_MAX 6
+#define NFT_OBJECT_TUNNEL 6
+#define __NFT_OBJECT_MAX 7
 #define NFT_OBJECT_MAX (__NFT_OBJECT_MAX - 1)
 
 /**
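Review bot: The sixteen NFTNL_OBJ_TUNNEL_* enumerators added to the public header give no indication of the value type each attribute carries, which is exactly what a caller needs in order to pick the right nftnl_obj_set_u8/u16/u32/data variant. The obj.h hunk in this same patch fixes the widths (ID, IPV4_SRC/DST, IPV6_FLOWLABEL, FLAGS, VXLAN_GBP, ERSPAN_VERSION and ERSPAN_V1_INDEX are 32-bit; SPORT/DPORT 16-bit; TOS, TTL, ERSPAN_V2_HWID and ERSPAN_V2_DIR 8-bit; IPV6_SRC/DST a struct in6_addr), so a short trailing comment per enumerator stating the type would make the API self-describing. It would also be worth noting next to the ERSPAN entries that V1_INDEX and the V2_* attributes share storage in obj.h, so only the ones matching ERSPAN_VERSION are meaningful. Whether the set/get helpers range-check FLAGS against NFT_TUNNEL_F_MASK or validate ERSPAN_VERSION lives outside this hunk.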
@@ -1562,4 +1563,70 @@ enum nft_ng_types {
 };
 #define NFT_NG_MAX (__NFT_NG_MAX - 1)
 
+enum nft_tunnel_key_ip_attributes {
+ NFTA_TUNNEL_KEY_IP_UNSPEC,
+ NFTA_TUNNEL_KEY_IP_SRC,
+ NFTA_TUNNEL_KEY_IP_DST,
+ __NFTA_TUNNEL_KEY_IP_MAX
+};
+#define NFTA_TUNNEL_KEY_IP_MAX (__NFTA_TUNNEL_KEY_IP_MAX - 1)
+
+enum nft_tunnel_ip6_attributes {
+ NFTA_TUNNEL_KEY_IP6_UNSPEC,
+ NFTA_TUNNEL_KEY_IP6_SRC,
+ NFTA_TUNNEL_KEY_IP6_DST,
+ NFTA_TUNNEL_KEY_IP6_FLOWLABEL,
+ __NFTA_TUNNEL_KEY_IP6_MAX
+};
+#define NFTA_TUNNEL_KEY_IP6_MAX (__NFTA_TUNNEL_KEY_IP6_MAX - 1)
+
+enum nft_tunnel_opts_attributes {
+ NFTA_TUNNEL_KEY_OPTS_UNSPEC,
+ NFTA_TUNNEL_KEY_OPTS_VXLAN,
+ NFTA_TUNNEL_KEY_OPTS_ERSPAN,
+ __NFTA_TUNNEL_KEY_OPTS_MAX
+};
+#define NFTA_TUNNEL_KEY_OPTS_MAX (__NFTA_TUNNEL_KEY_OPTS_MAX - 1)
+
+enum nft_tunnel_opts_vxlan_attributes {
+ NFTA_TUNNEL_KEY_VXLAN_UNSPEC,
+ NFTA_TUNNEL_KEY_VXLAN_GBP,
+ __NFTA_TUNNEL_KEY_VXLAN_MAX
+};
+#define NFTA_TUNNEL_KEY_VXLAN_MAX (__NFTA_TUNNEL_KEY_VXLAN_MAX - 1)
+
+enum nft_tunnel_opts_erspan_attributes {
+ NFTA_TUNNEL_KEY_ERSPAN_UNSPEC,
+ NFTA_TUNNEL_KEY_ERSPAN_VERSION,
+ NFTA_TUNNEL_KEY_ERSPAN_V1_INDEX,
+ NFTA_TUNNEL_KEY_ERSPAN_V2_HWID,
+ NFTA_TUNNEL_KEY_ERSPAN_V2_DIR,
+ __NFTA_TUNNEL_KEY_ERSPAN_MAX
+};
+#define NFTA_TUNNEL_KEY_ERSPAN_MAX (__NFTA_TUNNEL_KEY_ERSPAN_MAX - 1)
+
+enum nft_tunnel_flags {
+ NFT_TUNNEL_F_ZERO_CSUM_TX = (1 << 0),
+ NFT_TUNNEL_F_DONT_FRAGMENT = (1 << 1),
+ NFT_TUNNEL_F_SEQ_NUMBER = (1 << 2),
+};
+#define NFT_TUNNEL_F_MASK (NFT_TUNNEL_F_ZERO_CSUM_TX | \
+ NFT_TUNNEL_F_DONT_FRAGMENT | \
+ NFT_TUNNEL_F_SEQ_NUMBER)
+
+enum nft_tunnel_key_attributes {
+ NFTA_TUNNEL_KEY_UNSPEC,
+ NFTA_TUNNEL_KEY_ID,
+ NFTA_TUNNEL_KEY_IP,
+ NFTA_TUNNEL_KEY_IP6,
+ NFTA_TUNNEL_KEY_FLAGS,
+ NFTA_TUNNEL_KEY_TOS,
+ NFTA_TUNNEL_KEY_TTL,
+ NFTA_TUNNEL_KEY_SPORT,
+ NFTA_TUNNEL_KEY_DPORT,
+ NFTA_TUNNEL_KEY_OPTS,
+ __NFTA_TUNNEL_KEY_MAX
+};
+#define NFTA_TUNNEL_KEY_MAX (__NFTA_TUNNEL_KEY_MAX - 1)
+
 #endif /* _LINUX_NF_TABLES_H */
diff --git a/include/obj.h b/include/obj.h
index 4a728c8..9363a69 100644
--- a/include/obj.h
+++ b/include/obj.h
@@ -43,6 +43,34 @@ struct nftnl_obj {
 uint32_t type;
 uint32_t flags;
 } limit;
+ struct nftnl_obj_tunnel {
+ uint32_t id;
+ uint32_t src_v4;
+ uint32_t dst_v4;
+ struct in6_addr src_v6;
+ struct in6_addr dst_v6;
+ uint16_t sport;
+ uint16_t dport;
+ uint32_t flowlabel;
+ uint32_t tun_flags;
+ uint8_t tun_tos;
+ uint8_t tun_ttl;
+ union {
+ struct {
+ uint32_t gbp;
+ } tun_vxlan;
+ struct {
+ uint32_t version;
+ union {
+ uint32_t v1_index;
+ struct {
+ uint8_t hwid;
+ uint8_t dir;
+ } v2;
+ } u;
+ } tun_erspan;
+ } u;
+ } tunnel;
 } data;
 };
 
@@ -64,6 +92,7 @@ extern struct obj_ops obj_ops_counter;
 extern struct obj_ops obj_ops_quota;
 extern struct obj_ops obj_ops_ct_helper;
 extern struct obj_ops obj_ops_limit;
+extern struct obj_ops obj_ops_tunnel;
 
 #define nftnl_obj_data(obj) (void *)&obj->data
 
-- 
cgit v1.2.3
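Review bot: The new struct nftnl_obj_tunnel embeds `struct in6_addr` by value in src_v6/dst_v6, yet the hunk adds no `<netinet/in.h>` include; if obj.h does not already pull that header in (its include block is outside the hunk), every translation unit including obj.h must happen to include it first or the struct fails to compile. Separately, the outer `u` union and the inner `u` inside tun_erspan carry no discriminator, so nothing in the struct records whether tun_vxlan or tun_erspan (or v1_index versus v2) is the live member; the build/parse code presumably derives that from which NFTNL_OBJ_TUNNEL_* attributes were set, and a comment on the union saying so would help, e.g. `/* Which member of u is valid is implied by the NFTNL_OBJ_TUNNEL_{VXLAN,ERSPAN}_* attributes set on the object */`. The byte order of id, src_v4/dst_v4 and sport/dport is also undocumented — presumably the network order used on the wire, but that should be confirmed and noted on the fields. The enclosing struct nftnl_obj starts before this hunk.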