add hnat support for iptables count
This commit is contained in:
parent
b7a3bc6f34
commit
4a03dade45
@ -554,15 +554,60 @@ unsigned int do_hnat_ge_to_ext(struct sk_buff *skb, const char *func)
|
||||
return -1;
|
||||
}
|
||||
|
||||
|
||||
static void mtk_hnat_nf_update_ipt(struct sk_buff *skb)
|
||||
{
|
||||
|
||||
struct nf_conn *ct;
|
||||
struct nf_conn_acct *acct;
|
||||
struct nf_conn_counter *counter;
|
||||
enum ip_conntrack_info ctinfo;
|
||||
struct hnat_accounting diff;
|
||||
|
||||
if (skb->protocol == htons(ETH_P_IPV6) && !hnat_priv->ipv6_en) {
|
||||
return ;
|
||||
}
|
||||
|
||||
if (skb_hnat_alg(skb) || unlikely(!is_magic_tag_valid(skb) ||
|
||||
!IS_SPACE_AVAILABLE_HEAD(skb)))
|
||||
return ;
|
||||
|
||||
if (unlikely(!skb_mac_header_was_set(skb)))
|
||||
return ;
|
||||
|
||||
if (unlikely(!skb_hnat_is_hashed(skb)))
|
||||
return ;
|
||||
|
||||
if (unlikely(skb->mark == HNAT_EXCEPTION_TAG))
|
||||
return ;
|
||||
|
||||
|
||||
ct = nf_ct_get(skb, &ctinfo);
|
||||
if (ct) {
|
||||
if (!hnat_get_count(hnat_priv, skb_hnat_ppe(skb), skb_hnat_entry(skb), &diff))
|
||||
return;
|
||||
|
||||
acct = nf_conn_acct_find(ct);
|
||||
if (acct) {
|
||||
counter = acct->counter;
|
||||
atomic64_set(&counter[CTINFO2DIR(ctinfo)].diff_packets, diff.packets);
|
||||
atomic64_set(&counter[CTINFO2DIR(ctinfo)].diff_bytes, diff.bytes);
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
|
||||
static void pre_routing_print(struct sk_buff *skb, const struct net_device *in,
|
||||
const struct net_device *out, const char *func)
|
||||
{
|
||||
{
|
||||
trace_printk(
|
||||
"[%s]: %s(iif=0x%x CB2=0x%x)-->%s (ppe_hash=0x%x) sport=0x%x reason=0x%x alg=0x%x from %s\n",
|
||||
__func__, in->name, skb_hnat_iface(skb),
|
||||
HNAT_SKB_CB2(skb)->magic, out->name, skb_hnat_entry(skb),
|
||||
skb_hnat_sport(skb), skb_hnat_reason(skb), skb_hnat_alg(skb),
|
||||
func);
|
||||
|
||||
}
|
||||
|
||||
static void post_routing_print(struct sk_buff *skb, const struct net_device *in,
|
||||
@ -801,13 +846,32 @@ static unsigned int is_ppe_support_type(struct sk_buff *skb)
|
||||
return 0;
|
||||
}
|
||||
|
||||
static unsigned int
|
||||
mtk_hnat_nf_conntrack(void *priv, struct sk_buff *skb,
|
||||
const struct nf_hook_state *state)
|
||||
{
|
||||
if (!skb)
|
||||
goto drop;
|
||||
|
||||
if (unlikely(skb_hnat_reason(skb) == HIT_BIND_KEEPALIVE_DUP_OLD_HDR))
|
||||
mtk_hnat_nf_update_ipt(skb);
|
||||
|
||||
return NF_ACCEPT;
|
||||
|
||||
drop:
|
||||
|
||||
return NF_DROP;
|
||||
|
||||
}
|
||||
|
||||
|
||||
static unsigned int
|
||||
mtk_hnat_ipv6_nf_pre_routing(void *priv, struct sk_buff *skb,
|
||||
const struct nf_hook_state *state)
|
||||
{
|
||||
if (!skb)
|
||||
goto drop;
|
||||
|
||||
|
||||
if (!is_magic_tag_valid(skb))
|
||||
return NF_ACCEPT;
|
||||
|
||||
@ -820,6 +884,7 @@ mtk_hnat_ipv6_nf_pre_routing(void *priv, struct sk_buff *skb,
|
||||
|
||||
pre_routing_print(skb, state->in, state->out, __func__);
|
||||
|
||||
|
||||
/* packets from external devices -> xxx ,step 1 , learning stage & bound stage*/
|
||||
if (do_ext2ge_fast_try(state->in, skb)) {
|
||||
if (!do_hnat_ext_to_ge(skb, state->in, __func__))
|
||||
@ -875,7 +940,8 @@ mtk_hnat_ipv4_nf_pre_routing(void *priv, struct sk_buff *skb,
|
||||
|
||||
if (!skb)
|
||||
goto drop;
|
||||
|
||||
|
||||
|
||||
if (!is_magic_tag_valid(skb))
|
||||
return NF_ACCEPT;
|
||||
|
||||
@ -896,6 +962,7 @@ mtk_hnat_ipv4_nf_pre_routing(void *priv, struct sk_buff *skb,
|
||||
|
||||
|
||||
pre_routing_print(skb, state->in, state->out, __func__);
|
||||
|
||||
|
||||
/* packets from external devices -> xxx ,step 1 , learning stage & bound stage*/
|
||||
if (do_ext2ge_fast_try(state->in, skb)) {
|
||||
@ -934,7 +1001,8 @@ mtk_hnat_br_nf_local_in(void *priv, struct sk_buff *skb,
|
||||
|
||||
if (!skb)
|
||||
goto drop;
|
||||
|
||||
|
||||
|
||||
if (!is_magic_tag_valid(skb))
|
||||
return NF_ACCEPT;
|
||||
|
||||
@ -2072,6 +2140,8 @@ static void mtk_hnat_dscp_update(struct sk_buff *skb, struct foe_entry *entry)
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
|
||||
static void mtk_hnat_nf_update(struct sk_buff *skb)
|
||||
{
|
||||
struct nf_conn *ct;
|
||||
@ -2314,6 +2384,7 @@ mtk_pong_hqos_handler(void *priv, struct sk_buff *skb,
|
||||
|
||||
if (!skb)
|
||||
goto drop;
|
||||
|
||||
|
||||
if (!is_magic_tag_valid(skb))
|
||||
return NF_ACCEPT;
|
||||
@ -2432,6 +2503,18 @@ static struct nf_hook_ops mtk_hnat_nf_ops[] __read_mostly = {
|
||||
.hooknum = NF_INET_PRE_ROUTING,
|
||||
.priority = NF_IP_PRI_FIRST + 1,
|
||||
},
|
||||
{
|
||||
.hook = mtk_hnat_nf_conntrack,
|
||||
.pf = NFPROTO_IPV4,
|
||||
.hooknum = NF_INET_PRE_ROUTING,
|
||||
.priority = NF_IP_PRI_MANGLE-1,
|
||||
},
|
||||
{
|
||||
.hook = mtk_hnat_nf_conntrack,
|
||||
.pf = NFPROTO_IPV6,
|
||||
.hooknum = NF_INET_PRE_ROUTING,
|
||||
.priority = NF_IP_PRI_MANGLE-1,
|
||||
},
|
||||
{
|
||||
.hook = mtk_hnat_ipv6_nf_post_routing,
|
||||
.pf = NFPROTO_IPV6,
|
||||
|
||||
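Review bot: mtk_hnat_nf_update_ipt (this section's first hunk) publishes the PPE byte/packet delta with `atomic64_set`, so a second keepalive that arrives before an x_tables traversal has read `diff_packets`/`diff_bytes` overwrites the first delta instead of accumulating it; if `hnat_get_count` returns a since-last-read delta (its body is not in view), that traffic silently disappears from the iptables counters and `atomic64_add` would be the safer primitive. The function also carries no comment on its purpose; I would put above it `/* Publish the HW-offloaded byte/packet delta of this flow into the conntrack accounting extension, where the x_tables traversal picks it up. Only called for HIT_BIND_KEEPALIVE_DUP_OLD_HDR skbs, see mtk_hnat_nf_conntrack. */`. The new mtk_hnat_nf_conntrack entries in mtk_hnat_nf_ops depend on `nf_ct_get` being populated, which at PRE_ROUTING holds only because `NF_IP_PRI_MANGLE-1` sorts after the conntrack hook priority, so a one-line comment on those `.priority` lines would keep a later reordering from breaking it. Minor style: `return ;` has a stray space in four places in the new function.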
@ -0,0 +1,127 @@
|
||||
--- a/include/net/netfilter/nf_conntrack_acct.h 2024-01-04 22:35:10.790631711 +0800
|
||||
+++ b/include/net/netfilter/nf_conntrack_acct.h 2024-01-04 22:16:10.301488000 +0800
|
||||
@@ -14,6 +14,8 @@
|
||||
struct nf_conn_counter {
|
||||
atomic64_t packets;
|
||||
atomic64_t bytes;
|
||||
+ atomic64_t diff_packets;
|
||||
+ atomic64_t diff_bytes;
|
||||
};
|
||||
|
||||
struct nf_conn_acct {
|
||||
|
||||
--- a/net/ipv4/netfilter/ip_tables.c 2024-01-01 02:04:02.972938000 +0800
|
||||
+++ b/net/ipv4/netfilter/ip_tables.c 2024-01-05 19:30:17.431634011 +0800
|
||||
@@ -27,6 +27,8 @@
|
||||
#include <linux/netfilter_ipv4/ip_tables.h>
|
||||
#include <net/netfilter/nf_log.h>
|
||||
#include "../../netfilter/xt_repldata.h"
|
||||
+#include <net/netfilter/nf_conntrack.h>
|
||||
+#include <net/netfilter/nf_conntrack_acct.h>
|
||||
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
|
||||
@@ -291,7 +293,12 @@
|
||||
const struct xt_table_info *private;
|
||||
struct xt_action_param acpar;
|
||||
unsigned int addend;
|
||||
-
|
||||
+
|
||||
+ struct nf_conn *ct;
|
||||
+ struct nf_conn_acct *acct;
|
||||
+ struct nf_conn_counter *conn_counter;
|
||||
+ enum ip_conntrack_info ctinfo;
|
||||
+
|
||||
/* Initialization */
|
||||
WARN_ON(!(table->valid_hooks & (1 << hook)));
|
||||
local_bh_disable();
|
||||
@@ -302,9 +309,19 @@
|
||||
e = get_entry(table_base, private->hook_entry[hook]);
|
||||
if (ipt_handle_default_rule(e, &verdict)) {
|
||||
struct xt_counters *counter;
|
||||
-
|
||||
counter = xt_get_this_cpu_counter(&e->counters);
|
||||
ADD_COUNTER(*counter, skb->len, 1);
|
||||
+
|
||||
+ ct = nf_ct_get(skb, &ctinfo);
|
||||
+ if (ct) {
|
||||
+ acct = nf_conn_acct_find(ct);
|
||||
+ if (acct) {
|
||||
+ conn_counter = acct->counter;
|
||||
+ ADD_COUNTER(*counter,
|
||||
+ atomic64_read(&conn_counter[CTINFO2DIR(ctinfo)].diff_bytes),atomic64_read(&conn_counter[CTINFO2DIR(ctinfo)].diff_packets));
|
||||
+ }}
|
||||
+
|
||||
+
|
||||
local_bh_enable();
|
||||
return verdict;
|
||||
}
|
||||
@@ -360,6 +377,15 @@
|
||||
|
||||
counter = xt_get_this_cpu_counter(&e->counters);
|
||||
ADD_COUNTER(*counter, skb->len, 1);
|
||||
+ ct = nf_ct_get(skb, &ctinfo);
|
||||
+ if (ct) {
|
||||
+ acct = nf_conn_acct_find(ct);
|
||||
+ if (acct) {
|
||||
+ conn_counter = acct->counter;
|
||||
+ ADD_COUNTER(*counter,
|
||||
+ atomic64_read(&conn_counter[CTINFO2DIR(ctinfo)].diff_bytes),atomic64_read(&conn_counter[CTINFO2DIR(ctinfo)].diff_packets));
|
||||
+ }
|
||||
+ }
|
||||
|
||||
t = ipt_get_target_c(e);
|
||||
WARN_ON(!t->u.kernel.target);
|
||||
--- a/net/ipv6/netfilter/ip6_tables.c 2023-08-30 22:27:28.000000000 +0800
|
||||
+++ b/net/ipv6/netfilter/ip6_tables.c 2024-01-05 19:21:37.364542288 +0800
|
||||
@@ -31,6 +31,8 @@
|
||||
#include <linux/netfilter/x_tables.h>
|
||||
#include <net/netfilter/nf_log.h>
|
||||
#include "../../netfilter/xt_repldata.h"
|
||||
+#include <net/netfilter/nf_conntrack.h>
|
||||
+#include <net/netfilter/nf_conntrack_acct.h>
|
||||
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
|
||||
@@ -262,7 +264,12 @@
|
||||
const struct xt_table_info *private;
|
||||
struct xt_action_param acpar;
|
||||
unsigned int addend;
|
||||
-
|
||||
+
|
||||
+ struct nf_conn *ct;
|
||||
+ struct nf_conn_acct *acct;
|
||||
+ struct nf_conn_counter *conn_counter;
|
||||
+ enum ip_conntrack_info ctinfo;
|
||||
+
|
||||
/* Initialization */
|
||||
stackidx = 0;
|
||||
indev = state->in ? state->in->name : nulldevname;
|
||||
@@ -285,6 +292,7 @@
|
||||
cpu = smp_processor_id();
|
||||
table_base = private->entries;
|
||||
jumpstack = (struct ip6t_entry **)private->jumpstack[cpu];
|
||||
+
|
||||
|
||||
/* Switch to alternate jumpstack if we're being invoked via TEE.
|
||||
* TEE issues XT_CONTINUE verdict on original skb so we must not
|
||||
@@ -321,7 +329,17 @@
|
||||
|
||||
counter = xt_get_this_cpu_counter(&e->counters);
|
||||
ADD_COUNTER(*counter, skb->len, 1);
|
||||
-
|
||||
+
|
||||
+ ct = nf_ct_get(skb, &ctinfo);
|
||||
+ if (ct) {
|
||||
+ acct = nf_conn_acct_find(ct);
|
||||
+ if (acct) {
|
||||
+ conn_counter = acct->counter;
|
||||
+ ADD_COUNTER(*counter,
|
||||
+ atomic64_read(&conn_counter[CTINFO2DIR(ctinfo)].diff_bytes),atomic64_read(&conn_counter[CTINFO2DIR(ctinfo)].diff_packets));
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
t = ip6t_get_target_c(e);
|
||||
WARN_ON(!t->u.kernel.target);
|
||||
|
||||
|
||||
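Review bot: Both `ADD_COUNTER` sites in ipt_do_table (the hunks at `@@ -302,9 +309,19 @@` and `@@ -360,6 +377,15 @@`) and the one in ip6t_do_table read `diff_bytes`/`diff_packets` with `atomic64_read` and never clear them, so the delta the hnat hook stored for one keepalive is re-added to the matched rule's counter for every later packet of that connection and in each table the packet traverses, inflating iptables counters without bound unless something outside this patch resets the fields. Consuming the fields with `atomic64_xchg(..., 0)` limits each published delta to a single credit; which rule or table should receive that credit is a design decision the commit message should state. The block is also pasted three times with an over-long line that evaluates `CTINFO2DIR(ctinfo)` twice and, in the first site, closes with `}}`; a small helper next to the new fields in nf_conntrack_acct.h removes the duplication, sketched below. Adding two atomic64_t members to struct nf_conn_counter changes the layout of a struct that other conntrack users embed, and the lone `+` blank line in the `@@ -285,6 +292,7 @@` hunk of ip6_tables.c is whitespace-only noise.
```c
/* include/net/netfilter/nf_conntrack_acct.h, after struct nf_conn_counter:
 * take the HW-offload delta published by the hnat hook exactly once. */
static inline void nf_ct_acct_take_diff(struct nf_conn_counter *c,
					u64 *bytes, u64 *pkts)
{
	*bytes = atomic64_xchg(&c->diff_bytes, 0);
	*pkts = atomic64_xchg(&c->diff_packets, 0);
}

/* net/ipv4/netfilter/ip_tables.c, ipt_do_table: same shape at both
 * ADD_COUNTER sites and in ip6t_do_table */
/* … unchanged: counter = xt_get_this_cpu_counter(&e->counters); ADD_COUNTER(*counter, skb->len, 1); … */
ct = nf_ct_get(skb, &ctinfo);
if (ct) {
	acct = nf_conn_acct_find(ct);
	if (acct) {
		u64 diff_bytes, diff_pkts;

		nf_ct_acct_take_diff(&acct->counter[CTINFO2DIR(ctinfo)],
				     &diff_bytes, &diff_pkts);
		ADD_COUNTER(*counter, diff_bytes, diff_pkts);
	}
}
```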