Mirrors_Framework/nuttx
1
0
Fork 0
mirror of https://github.com/apache/nuttx.git synced 2025-12-13 15:12:38 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity

net/netlink: Add NETLINK_NETFILTER's CONNTRACK support

Browse Source 
Now we only supports conntrack info from NAT entries, to let our apps in user space know the mapping status in NAT.

Signed-off-by: Zhe Weng <wengzhe@xiaomi.com>
This commit is contained in:
Zhe Weng
2024-03-20 11:22:24 +08:00
committed by Xiang Xiao
parent 9b77bb16c9
commit 3a844d8dd7
9 changed files with 959 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

173
include/netpacket/netlink.h
View File

@@ -437,6 +437,160 @@
#define RTM_F_CLONED 0x200 /* This route is cloned */ #define RTM_F_CLONED 0x200 /* This route is cloned */
/* Attribute definitions for struct nfattr **********************************/
/* Macros to handle attribute lists */
#define NFNL_NFA_NEST 0x8000
#define NFA_TYPE(attr) ((attr)->nfa_type & 0x7fff)
#define NFA_MASK (sizeof(uint32_t) - 1)
#define NFA_ALIGN(n) (((n) + NFA_MASK) & ~NFA_MASK)
#define NFA_OK(nfa, n) \
((n) >= (int)sizeof(struct nfattr) && \
(nfa)->nfa_len >= sizeof(struct nfattr) && \
(nfa)->nfa_len <= (n))
#define NFA_NEXT(nfa, attrlen) \
((attrlen) -= NFA_ALIGN((nfa)->nfa_len), \
(FAR struct nfattr *)(((FAR char *)(nfa)) + NFA_ALIGN((nfa)->nfa_len)))
#define NFA_LENGTH(len) ((sizeof(struct nfattr)) + (len))
#define NFA_SPACE(len) NFA_ALIGN(NFA_LENGTH(len))
#define NFA_DATA(nfa) ((FAR void *)(((FAR char *)(nfa)) + NFA_LENGTH(0)))
#define NFA_PAYLOAD(nfa) ((int)((nfa)->nfa_len) - NFA_LENGTH(0))
/* Definitions for struct nfgenmsg ******************************************/
#define NFM_NFA(n) ((FAR struct nfattr *) \
(((FAR char *)(n)) + \
NLMSG_ALIGN(sizeof(struct nfgenmsg))))
#define NFM_PAYLOAD(n) NLMSG_PAYLOAD(n, sizeof(struct nfgenmsg))
/* Definitions for NETLINK_NETFILTER ****************************************/
#define NFNETLINK_V0 0
/* netfilter netlink message types are split in two pieces:
* 8 bit subsystem, 8bit operation.
*/
#define NFNL_SUBSYS_ID(x) (((x) & 0xff00) >> 8)
#define NFNL_MSG_TYPE(x) ((x) & 0x00ff)
/* subsystems */
#define NFNL_SUBSYS_NONE 0
#define NFNL_SUBSYS_CTNETLINK 1
#define NFNL_SUBSYS_CTNETLINK_EXP 2
#define NFNL_SUBSYS_QUEUE 3
#define NFNL_SUBSYS_ULOG 4
#define NFNL_SUBSYS_OSF 5
#define NFNL_SUBSYS_IPSET 6
#define NFNL_SUBSYS_ACCT 7
#define NFNL_SUBSYS_CTNETLINK_TIMEOUT 8
#define NFNL_SUBSYS_CTHELPER 9
#define NFNL_SUBSYS_NFTABLES 10
#define NFNL_SUBSYS_NFT_COMPAT 11
#define NFNL_SUBSYS_HOOK 12
#define NFNL_SUBSYS_COUNT 13
/* NETLINK_NETFILTER: subsystem CTNL (ip conntrack netlink) message types */
#define IPCTNL_MSG_CT_NEW 0
#define IPCTNL_MSG_CT_GET 1
#define IPCTNL_MSG_CT_DELETE 2
#define IPCTNL_MSG_CT_GET_CTRZERO 3
#define IPCTNL_MSG_CT_GET_STATS_CPU 4
#define IPCTNL_MSG_CT_GET_STATS 5
#define IPCTNL_MSG_CT_GET_DYING 6
#define IPCTNL_MSG_CT_GET_UNCONFIRMED 7
#define IPCTNL_MSG_MAX 8
/* NETLINK_NETFILTER: Conntrack attributes */
#define CTA_UNSPEC 0
#define CTA_TUPLE_ORIG 1
#define CTA_TUPLE_REPLY 2
#define CTA_STATUS 3
#define CTA_PROTOINFO 4
#define CTA_HELP 5
#define CTA_NAT_SRC 6
#define CTA_TIMEOUT 7
#define CTA_MARK 8
#define CTA_COUNTERS_ORIG 9
#define CTA_COUNTERS_REPLY 10
#define CTA_USE 11
#define CTA_ID 12
#define CTA_NAT_DST 13
#define CTA_TUPLE_MASTER 14
#define CTA_SEQ_ADJ_ORIG 15
#define CTA_NAT_SEQ_ADJ_ORIG CTA_SEQ_ADJ_ORIG
#define CTA_SEQ_ADJ_REPLY 16
#define CTA_NAT_SEQ_ADJ_REPLY CTA_SEQ_ADJ_REPLY
#define CTA_ZONE 18
#define CTA_SECCTX 19
#define CTA_TIMESTAMP 20
#define CTA_MARK_MASK 21
#define CTA_LABELS 22
#define CTA_LABELS_MASK 23
#define CTA_SYNPROXY 24
#define CTA_FILTER 25
#define CTA_STATUS_MASK 26
#define CTA_MAX 26
/* NETLINK_NETFILTER: Conntrack tuple attributes */
#define CTA_TUPLE_UNSPEC 0
#define CTA_TUPLE_IP 1
#define CTA_TUPLE_PROTO 2
#define CTA_TUPLE_ZONE 3
#define CTA_TUPLE_MAX 3
/* NETLINK_NETFILTER: Conntrack IP attributes */
#define CTA_IP_UNSPEC 0
#define CTA_IP_V4_SRC 1
#define CTA_IP_V4_DST 2
#define CTA_IP_V6_SRC 3
#define CTA_IP_V6_DST 4
#define CTA_IP_MAX 4
/* NETLINK_NETFILTER: Conntrack protocol attributes */
#define CTA_PROTO_UNSPEC 0
#define CTA_PROTO_NUM 1
#define CTA_PROTO_SRC_PORT 2
#define CTA_PROTO_DST_PORT 3
#define CTA_PROTO_ICMP_ID 4
#define CTA_PROTO_ICMP_TYPE 5
#define CTA_PROTO_ICMP_CODE 6
#define CTA_PROTO_ICMPV6_ID 7
#define CTA_PROTO_ICMPV6_TYPE 8
#define CTA_PROTO_ICMPV6_CODE 9
#define CTA_PROTO_MAX 9
/* NFnetlink multicast groups (userspace) */
#define NF_NETLINK_CONNTRACK_NEW 0x00000001
#define NF_NETLINK_CONNTRACK_UPDATE 0x00000002
#define NF_NETLINK_CONNTRACK_DESTROY 0x00000004
#define NF_NETLINK_CONNTRACK_EXP_NEW 0x00000008
#define NF_NETLINK_CONNTRACK_EXP_UPDATE 0x00000010
#define NF_NETLINK_CONNTRACK_EXP_DESTROY 0x00000020
/* NFnetlink multicast groups */
#define NFNLGRP_NONE 0
#define NFNLGRP_CONNTRACK_NEW 1
#define NFNLGRP_CONNTRACK_UPDATE 2
#define NFNLGRP_CONNTRACK_DESTROY 3
#define NFNLGRP_CONNTRACK_EXP_NEW 4
#define NFNLGRP_CONNTRACK_EXP_UPDATE 5
#define NFNLGRP_CONNTRACK_EXP_DESTROY 6
#define NFNLGRP_NFTABLES 7
#define NFNLGRP_ACCT_QUOTA 8
#define NFNLGRP_NFTRACE 9
#define NFNLGRP_MAX 9
/**************************************************************************** /****************************************************************************
* Public Type Definitions * Public Type Definitions
****************************************************************************/ ****************************************************************************/
@@ -584,6 +738,25 @@ struct nla_bitfield32
uint32_t selector; uint32_t selector;
}; };
/* NETLINK_NETFILTER Message Structures *************************************/
/* These attributes should be manipulated using only the NFA_* */
struct nfattr
{
uint16_t nfa_len;
uint16_t nfa_type;
};
/* General form of address family dependent message. */
struct nfgenmsg
{
uint8_t nfgen_family; /* AF_xxx */
uint8_t version; /* nfnetlink version */
uint16_t res_id; /* resource id */
};
/**************************************************************************** /****************************************************************************
* Neighbor Discovery userland options * Neighbor Discovery userland options
*/ */

9
net/nat/ipv4_nat_entry.c
View File

@@ -33,6 +33,7 @@
#include <nuttx/nuttx.h> #include <nuttx/nuttx.h>
#include "nat/nat.h" #include "nat/nat.h"
#include "netlink/netlink.h"
#ifdef CONFIG_NET_NAT44 #ifdef CONFIG_NET_NAT44
@@ -145,6 +146,10 @@ ipv4_nat_entry_create(uint8_t protocol,
hashtable_add(g_nat44_outbound, &entry->hash_outbound, hashtable_add(g_nat44_outbound, &entry->hash_outbound,
ipv4_nat_outbound_key(local_ip, local_port, protocol)); ipv4_nat_outbound_key(local_ip, local_port, protocol));
#ifdef CONFIG_NETLINK_NETFILTER
netlink_conntrack_notify(IPCTNL_MSG_CT_NEW, PF_INET, entry);
#endif
return entry; return entry;
} }
@@ -175,6 +180,10 @@ static void ipv4_nat_entry_delete(FAR ipv4_nat_entry_t *entry)
entry->local_port, entry->local_port,
entry->protocol)); entry->protocol));
#ifdef CONFIG_NETLINK_NETFILTER
netlink_conntrack_notify(IPCTNL_MSG_CT_DELETE, PF_INET, entry);
#endif
kmm_free(entry); kmm_free(entry);
} }

9
net/nat/ipv6_nat_entry.c
View File

@@ -34,6 +34,7 @@
#include "inet/inet.h" #include "inet/inet.h"
#include "nat/nat.h" #include "nat/nat.h"
#include "netlink/netlink.h"
#ifdef CONFIG_NET_NAT66 #ifdef CONFIG_NET_NAT66
@@ -135,6 +136,10 @@ ipv6_nat_entry_create(uint8_t protocol, const net_ipv6addr_t external_ip,
hashtable_add(g_nat66_outbound, &entry->hash_outbound, hashtable_add(g_nat66_outbound, &entry->hash_outbound,
ipv6_nat_hash_key(local_ip, local_port, protocol)); ipv6_nat_hash_key(local_ip, local_port, protocol));
#ifdef CONFIG_NETLINK_NETFILTER
netlink_conntrack_notify(IPCTNL_MSG_CT_NEW, PF_INET6, entry);
#endif
return entry; return entry;
} }
@@ -168,6 +173,10 @@ static void ipv6_nat_entry_delete(FAR ipv6_nat_entry_t *entry)
entry->local_port, entry->local_port,
entry->protocol)); entry->protocol));
#ifdef CONFIG_NETLINK_NETFILTER
netlink_conntrack_notify(IPCTNL_MSG_CT_DELETE, PF_INET6, entry);
#endif
kmm_free(entry); kmm_free(entry);
} }

4
net/netlink/CMakeLists.txt
View File

@@ -27,5 +27,9 @@ if(CONFIG_NET_NETLINK)
list(APPEND SRCS netlink_route.c netlink_attr.c) list(APPEND SRCS netlink_route.c netlink_attr.c)
endif() endif()
if(CONFIG_NETLINK_NETFILTER)
list(APPEND SRCS netlink_netfilter.c)
endif()
target_sources(net PRIVATE ${SRCS}) target_sources(net PRIVATE ${SRCS})
endif() endif()

9
net/netlink/Kconfig
View File

@@ -117,6 +117,15 @@ config NETLINK_VALIDATE_POLICY
you pass in are valid. you pass in are valid.
endif # NETLINK_ROUTE endif # NETLINK_ROUTE
config NETLINK_NETFILTER
bool "Netlink Netfilter protocol"
default n
depends on NET_NAT
---help---
Support the NETLINK_NETFILTER protocol option, mainly
for conntrack with NAT.
endmenu # Netlink Protocols endmenu # Netlink Protocols
endif # NET_NETLINK endif # NET_NETLINK
endmenu # Netlink Socket Support endmenu # Netlink Socket Support

4
net/netlink/Make.defs
View File

@@ -29,6 +29,10 @@ ifeq ($(CONFIG_NETLINK_ROUTE),y)
NET_CSRCS += netlink_route.c netlink_attr.c NET_CSRCS += netlink_route.c netlink_attr.c
endif endif
ifeq ($(CONFIG_NETLINK_NETFILTER),y)
NET_CSRCS += netlink_netfilter.c
endif
# Include netlink build support # Include netlink build support
DEPPATH += --dep-path netlink DEPPATH += --dep-path netlink

35
net/netlink/netlink.h
View File

@@ -543,7 +543,40 @@ int nla_parse(FAR struct nlattr **tb, int maxtype,
FAR const struct nlattr *head, FAR const struct nlattr *head,
int len, FAR const struct nla_policy *policy, int len, FAR const struct nla_policy *policy,
FAR struct netlink_ext_ack *extack); FAR struct netlink_ext_ack *extack);
#endif #endif /* CONFIG_NETLINK_ROUTE */
/****************************************************************************
* Name: netlink_netfilter_sendto
*
* Description:
* Perform the sendto() operation for the NETLINK_NETFILTER protocol.
*
****************************************************************************/
#ifdef CONFIG_NETLINK_NETFILTER
ssize_t netlink_netfilter_sendto(NETLINK_HANDLE handle,
FAR const struct nlmsghdr *nlmsg,
size_t len, int flags,
FAR const struct sockaddr_nl *to,
socklen_t tolen);
/****************************************************************************
* Name: netlink_conntrack_notify
*
* Description:
* Perform the conntrack broadcast for the NETLINK_NETFILTER protocol.
*
* Input Parameters:
* type - The type of the message, IPCTNL_MSG_CT_*
* domain - The domain of the message
* nat_entry - The NAT entry
*
****************************************************************************/
void netlink_conntrack_notify(uint8_t type, uint8_t domain,
FAR const void *nat_entry);
#endif /* CONFIG_NETLINK_NETFILTER */
#undef EXTERN #undef EXTERN
#ifdef __cplusplus #ifdef __cplusplus

703
net/netlink/netlink_netfilter.c Normal file
View File

File diff suppressed because it is too large Load Diff

14
net/netlink/netlink_sockif.c
View File

@@ -129,6 +129,11 @@ static int netlink_setup(FAR struct socket *psock)
break; break;
#endif #endif
#ifdef CONFIG_NETLINK_NETFILTER
case NETLINK_NETFILTER:
break;
#endif
default: default:
return -EPROTONOSUPPORT; return -EPROTONOSUPPORT;
} }
@@ -621,6 +626,15 @@ static ssize_t netlink_sendmsg(FAR struct socket *psock,
break; break;
#endif #endif
#ifdef CONFIG_NETLINK_NETFILTER
case NETLINK_NETFILTER:
ret = netlink_netfilter_sendto(conn, nlmsg,
msg->msg_iov->iov_len, flags,
(FAR const struct sockaddr_nl *)to,
tolen);
break;
#endif
default: default:
ret = -EOPNOTSUPP; ret = -EOPNOTSUPP;
break; break;