Skip to content

Commit ef078ef

Browse files
LorenzoBianconiNobody
LorenzoBianconi
authored and
Nobody
committed
net: netfilter: reports ct direction in CT lookup helpers for XDP and TC-BPF
Report connection tracking tuple direction in bpf_skb_ct_lookup/bpf_xdp_ct_lookup helpers. Direction will be used to implement snat/dnat through xdp ebpf program. Signed-off-by: Lorenzo Bianconi <[email protected]>
1 parent 2cef9ce commit ef078ef

File tree

1 file changed

+15
-7
lines changed

1 file changed

+15
-7
lines changed

net/netfilter/nf_conntrack_bpf.c

Lines changed: 15 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -38,6 +38,7 @@
3838
* @l4proto - Layer 4 protocol
3939
* Values:
4040
* IPPROTO_TCP, IPPROTO_UDP
41+
* @dir: - connection tracking tuple direction.
4142
* @reserved - Reserved member, will be reused for more options in future
4243
* Values:
4344
* 0
@@ -46,7 +47,8 @@ struct bpf_ct_opts {
4647
s32 netns_id;
4748
s32 error;
4849
u8 l4proto;
49-
u8 reserved[3];
50+
u8 dir;
51+
u8 reserved[2];
5052
};
5153

5254
enum {
@@ -56,10 +58,11 @@ enum {
5658
static struct nf_conn *__bpf_nf_ct_lookup(struct net *net,
5759
struct bpf_sock_tuple *bpf_tuple,
5860
u32 tuple_len, u8 protonum,
59-
s32 netns_id)
61+
s32 netns_id, u8 *dir)
6062
{
6163
struct nf_conntrack_tuple_hash *hash;
6264
struct nf_conntrack_tuple tuple;
65+
struct nf_conn *ct;
6366

6467
if (unlikely(protonum != IPPROTO_TCP && protonum != IPPROTO_UDP))
6568
return ERR_PTR(-EPROTO);
@@ -99,7 +102,12 @@ static struct nf_conn *__bpf_nf_ct_lookup(struct net *net,
99102
put_net(net);
100103
if (!hash)
101104
return ERR_PTR(-ENOENT);
102-
return nf_ct_tuplehash_to_ctrack(hash);
105+
106+
ct = nf_ct_tuplehash_to_ctrack(hash);
107+
if (dir)
108+
*dir = NF_CT_DIRECTION(hash);
109+
110+
return ct;
103111
}
104112

105113
__diag_push();
@@ -135,13 +143,13 @@ bpf_xdp_ct_lookup(struct xdp_md *xdp_ctx, struct bpf_sock_tuple *bpf_tuple,
135143
if (!opts)
136144
return NULL;
137145
if (!bpf_tuple || opts->reserved[0] || opts->reserved[1] ||
138-
opts->reserved[2] || opts__sz != NF_BPF_CT_OPTS_SZ) {
146+
opts__sz != NF_BPF_CT_OPTS_SZ) {
139147
opts->error = -EINVAL;
140148
return NULL;
141149
}
142150
caller_net = dev_net(ctx->rxq->dev);
143151
nfct = __bpf_nf_ct_lookup(caller_net, bpf_tuple, tuple__sz, opts->l4proto,
144-
opts->netns_id);
152+
opts->netns_id, &opts->dir);
145153
if (IS_ERR(nfct)) {
146154
opts->error = PTR_ERR(nfct);
147155
return NULL;
@@ -178,13 +186,13 @@ bpf_skb_ct_lookup(struct __sk_buff *skb_ctx, struct bpf_sock_tuple *bpf_tuple,
178186
if (!opts)
179187
return NULL;
180188
if (!bpf_tuple || opts->reserved[0] || opts->reserved[1] ||
181-
opts->reserved[2] || opts__sz != NF_BPF_CT_OPTS_SZ) {
189+
opts__sz != NF_BPF_CT_OPTS_SZ) {
182190
opts->error = -EINVAL;
183191
return NULL;
184192
}
185193
caller_net = skb->dev ? dev_net(skb->dev) : sock_net(skb->sk);
186194
nfct = __bpf_nf_ct_lookup(caller_net, bpf_tuple, tuple__sz, opts->l4proto,
187-
opts->netns_id);
195+
opts->netns_id, &opts->dir);
188196
if (IS_ERR(nfct)) {
189197
opts->error = PTR_ERR(nfct);
190198
return NULL;

0 commit comments

Comments
 (0)