Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next

Pablo Neira Ayuso says:

====================
Netfilter updates for net-next

The following patchset contains the first batch of Netfilter updates for
your net-next tree.

1) Define pr_fmt() in nf_conntrack, from Weongyo Jeong.

2) Define and register netfilter's afinfo for the bridge family,
   this comes in preparation for native nfqueue's bridge for nft,
   from Stephane Bryant.

3) Add new attributes to store layer 2 and VLAN headers to nfqueue,
   also from Stephane Bryant.

4) Parse new NFQA_VLAN and NFQA_L2HDR nfqueue netlink attributes
   coming from userspace, from Stephane Bryant.

5) Use net->ipv6.devconf_all->hop_limit instead of hardcoded hop_limit
   in IPv6 SYNPROXY, from Liping Zhang.

6) Remove unnecessary check for dst == NULL in nf_reject_ipv6,
   from Haishuang Yan.

7) Deinline ctnetlink event report functions, from Florian Westphal.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
David S. Miller 2016-04-12 22:34:56 -04:00
commit da0caadf0a
8 changed files with 298 additions and 129 deletions

View File

@ -73,6 +73,8 @@ void nf_conntrack_unregister_notifier(struct net *net,
struct nf_ct_event_notifier *nb); struct nf_ct_event_notifier *nb);
void nf_ct_deliver_cached_events(struct nf_conn *ct); void nf_ct_deliver_cached_events(struct nf_conn *ct);
int nf_conntrack_eventmask_report(unsigned int eventmask, struct nf_conn *ct,
u32 portid, int report);
static inline void static inline void
nf_conntrack_event_cache(enum ip_conntrack_events event, struct nf_conn *ct) nf_conntrack_event_cache(enum ip_conntrack_events event, struct nf_conn *ct)
@ -90,70 +92,26 @@ nf_conntrack_event_cache(enum ip_conntrack_events event, struct nf_conn *ct)
set_bit(event, &e->cache); set_bit(event, &e->cache);
} }
static inline int
nf_conntrack_eventmask_report(unsigned int eventmask,
struct nf_conn *ct,
u32 portid,
int report)
{
int ret = 0;
struct net *net = nf_ct_net(ct);
struct nf_ct_event_notifier *notify;
struct nf_conntrack_ecache *e;
rcu_read_lock();
notify = rcu_dereference(net->ct.nf_conntrack_event_cb);
if (notify == NULL)
goto out_unlock;
e = nf_ct_ecache_find(ct);
if (e == NULL)
goto out_unlock;
if (nf_ct_is_confirmed(ct) && !nf_ct_is_dying(ct)) {
struct nf_ct_event item = {
.ct = ct,
.portid = e->portid ? e->portid : portid,
.report = report
};
/* This is a resent of a destroy event? If so, skip missed */
unsigned long missed = e->portid ? 0 : e->missed;
if (!((eventmask | missed) & e->ctmask))
goto out_unlock;
ret = notify->fcn(eventmask | missed, &item);
if (unlikely(ret < 0 || missed)) {
spin_lock_bh(&ct->lock);
if (ret < 0) {
/* This is a destroy event that has been
* triggered by a process, we store the PORTID
* to include it in the retransmission. */
if (eventmask & (1 << IPCT_DESTROY) &&
e->portid == 0 && portid != 0)
e->portid = portid;
else
e->missed |= eventmask;
} else
e->missed &= ~missed;
spin_unlock_bh(&ct->lock);
}
}
out_unlock:
rcu_read_unlock();
return ret;
}
static inline int static inline int
nf_conntrack_event_report(enum ip_conntrack_events event, struct nf_conn *ct, nf_conntrack_event_report(enum ip_conntrack_events event, struct nf_conn *ct,
u32 portid, int report) u32 portid, int report)
{ {
const struct net *net = nf_ct_net(ct);
if (!rcu_access_pointer(net->ct.nf_conntrack_event_cb))
return 0;
return nf_conntrack_eventmask_report(1 << event, ct, portid, report); return nf_conntrack_eventmask_report(1 << event, ct, portid, report);
} }
static inline int static inline int
nf_conntrack_event(enum ip_conntrack_events event, struct nf_conn *ct) nf_conntrack_event(enum ip_conntrack_events event, struct nf_conn *ct)
{ {
const struct net *net = nf_ct_net(ct);
if (!rcu_access_pointer(net->ct.nf_conntrack_event_cb))
return 0;
return nf_conntrack_eventmask_report(1 << event, ct, 0, 0); return nf_conntrack_eventmask_report(1 << event, ct, 0, 0);
} }
@ -172,43 +130,9 @@ int nf_ct_expect_register_notifier(struct net *net,
void nf_ct_expect_unregister_notifier(struct net *net, void nf_ct_expect_unregister_notifier(struct net *net,
struct nf_exp_event_notifier *nb); struct nf_exp_event_notifier *nb);
static inline void void nf_ct_expect_event_report(enum ip_conntrack_expect_events event,
nf_ct_expect_event_report(enum ip_conntrack_expect_events event, struct nf_conntrack_expect *exp,
struct nf_conntrack_expect *exp, u32 portid, int report);
u32 portid,
int report)
{
struct net *net = nf_ct_exp_net(exp);
struct nf_exp_event_notifier *notify;
struct nf_conntrack_ecache *e;
rcu_read_lock();
notify = rcu_dereference(net->ct.nf_expect_event_cb);
if (notify == NULL)
goto out_unlock;
e = nf_ct_ecache_find(exp->master);
if (e == NULL)
goto out_unlock;
if (e->expmask & (1 << event)) {
struct nf_exp_event item = {
.exp = exp,
.portid = portid,
.report = report
};
notify->fcn(1 << event, &item);
}
out_unlock:
rcu_read_unlock();
}
static inline void
nf_ct_expect_event(enum ip_conntrack_expect_events event,
struct nf_conntrack_expect *exp)
{
nf_ct_expect_event_report(event, exp, 0, 0);
}
int nf_conntrack_ecache_pernet_init(struct net *net); int nf_conntrack_ecache_pernet_init(struct net *net);
void nf_conntrack_ecache_pernet_fini(struct net *net); void nf_conntrack_ecache_pernet_fini(struct net *net);
@ -245,8 +169,6 @@ static inline int nf_conntrack_event_report(enum ip_conntrack_events event,
u32 portid, u32 portid,
int report) { return 0; } int report) { return 0; }
static inline void nf_ct_deliver_cached_events(const struct nf_conn *ct) {} static inline void nf_ct_deliver_cached_events(const struct nf_conn *ct) {}
static inline void nf_ct_expect_event(enum ip_conntrack_expect_events event,
struct nf_conntrack_expect *exp) {}
static inline void nf_ct_expect_event_report(enum ip_conntrack_expect_events e, static inline void nf_ct_expect_event_report(enum ip_conntrack_expect_events e,
struct nf_conntrack_expect *exp, struct nf_conntrack_expect *exp,
u32 portid, u32 portid,

View File

@ -30,6 +30,14 @@ struct nfqnl_msg_packet_timestamp {
__aligned_be64 usec; __aligned_be64 usec;
}; };
enum nfqnl_vlan_attr {
NFQA_VLAN_UNSPEC,
NFQA_VLAN_PROTO, /* __be16 skb vlan_proto */
NFQA_VLAN_TCI, /* __be16 skb htons(vlan_tci) */
__NFQA_VLAN_MAX,
};
#define NFQA_VLAN_MAX (__NFQA_VLAN_MAX + 1)
enum nfqnl_attr_type { enum nfqnl_attr_type {
NFQA_UNSPEC, NFQA_UNSPEC,
NFQA_PACKET_HDR, NFQA_PACKET_HDR,
@ -50,6 +58,8 @@ enum nfqnl_attr_type {
NFQA_UID, /* __u32 sk uid */ NFQA_UID, /* __u32 sk uid */
NFQA_GID, /* __u32 sk gid */ NFQA_GID, /* __u32 sk gid */
NFQA_SECCTX, /* security context string */ NFQA_SECCTX, /* security context string */
NFQA_VLAN, /* nested attribute: packet vlan info */
NFQA_L2HDR, /* full L2 header */
__NFQA_MAX __NFQA_MAX
}; };

View File

@ -162,15 +162,57 @@ static const struct nf_chain_type filter_bridge = {
(1 << NF_BR_POST_ROUTING), (1 << NF_BR_POST_ROUTING),
}; };
static void nf_br_saveroute(const struct sk_buff *skb,
struct nf_queue_entry *entry)
{
}
static int nf_br_reroute(struct net *net, struct sk_buff *skb,
const struct nf_queue_entry *entry)
{
return 0;
}
static __sum16 nf_br_checksum(struct sk_buff *skb, unsigned int hook,
unsigned int dataoff, u_int8_t protocol)
{
return 0;
}
static __sum16 nf_br_checksum_partial(struct sk_buff *skb, unsigned int hook,
unsigned int dataoff, unsigned int len,
u_int8_t protocol)
{
return 0;
}
static int nf_br_route(struct net *net, struct dst_entry **dst,
struct flowi *fl, bool strict __always_unused)
{
return 0;
}
static const struct nf_afinfo nf_br_afinfo = {
.family = AF_BRIDGE,
.checksum = nf_br_checksum,
.checksum_partial = nf_br_checksum_partial,
.route = nf_br_route,
.saveroute = nf_br_saveroute,
.reroute = nf_br_reroute,
.route_key_size = 0,
};
static int __init nf_tables_bridge_init(void) static int __init nf_tables_bridge_init(void)
{ {
int ret; int ret;
nf_register_afinfo(&nf_br_afinfo);
nft_register_chain_type(&filter_bridge); nft_register_chain_type(&filter_bridge);
ret = register_pernet_subsys(&nf_tables_bridge_net_ops); ret = register_pernet_subsys(&nf_tables_bridge_net_ops);
if (ret < 0) if (ret < 0) {
nft_unregister_chain_type(&filter_bridge); nft_unregister_chain_type(&filter_bridge);
nf_unregister_afinfo(&nf_br_afinfo);
}
return ret; return ret;
} }
@ -178,6 +220,7 @@ static void __exit nf_tables_bridge_exit(void)
{ {
unregister_pernet_subsys(&nf_tables_bridge_net_ops); unregister_pernet_subsys(&nf_tables_bridge_net_ops);
nft_unregister_chain_type(&filter_bridge); nft_unregister_chain_type(&filter_bridge);
nf_unregister_afinfo(&nf_br_afinfo);
} }
module_init(nf_tables_bridge_init); module_init(nf_tables_bridge_init);

View File

@ -20,15 +20,16 @@
#include <net/netfilter/nf_conntrack_synproxy.h> #include <net/netfilter/nf_conntrack_synproxy.h>
static struct ipv6hdr * static struct ipv6hdr *
synproxy_build_ip(struct sk_buff *skb, const struct in6_addr *saddr, synproxy_build_ip(struct net *net, struct sk_buff *skb,
const struct in6_addr *daddr) const struct in6_addr *saddr,
const struct in6_addr *daddr)
{ {
struct ipv6hdr *iph; struct ipv6hdr *iph;
skb_reset_network_header(skb); skb_reset_network_header(skb);
iph = (struct ipv6hdr *)skb_put(skb, sizeof(*iph)); iph = (struct ipv6hdr *)skb_put(skb, sizeof(*iph));
ip6_flow_hdr(iph, 0, 0); ip6_flow_hdr(iph, 0, 0);
iph->hop_limit = 64; //XXX iph->hop_limit = net->ipv6.devconf_all->hop_limit;
iph->nexthdr = IPPROTO_TCP; iph->nexthdr = IPPROTO_TCP;
iph->saddr = *saddr; iph->saddr = *saddr;
iph->daddr = *daddr; iph->daddr = *daddr;
@ -37,13 +38,12 @@ synproxy_build_ip(struct sk_buff *skb, const struct in6_addr *saddr,
} }
static void static void
synproxy_send_tcp(const struct synproxy_net *snet, synproxy_send_tcp(struct net *net,
const struct sk_buff *skb, struct sk_buff *nskb, const struct sk_buff *skb, struct sk_buff *nskb,
struct nf_conntrack *nfct, enum ip_conntrack_info ctinfo, struct nf_conntrack *nfct, enum ip_conntrack_info ctinfo,
struct ipv6hdr *niph, struct tcphdr *nth, struct ipv6hdr *niph, struct tcphdr *nth,
unsigned int tcp_hdr_size) unsigned int tcp_hdr_size)
{ {
struct net *net = nf_ct_net(snet->tmpl);
struct dst_entry *dst; struct dst_entry *dst;
struct flowi6 fl6; struct flowi6 fl6;
@ -84,7 +84,7 @@ free_nskb:
} }
static void static void
synproxy_send_client_synack(const struct synproxy_net *snet, synproxy_send_client_synack(struct net *net,
const struct sk_buff *skb, const struct tcphdr *th, const struct sk_buff *skb, const struct tcphdr *th,
const struct synproxy_options *opts) const struct synproxy_options *opts)
{ {
@ -103,7 +103,7 @@ synproxy_send_client_synack(const struct synproxy_net *snet,
return; return;
skb_reserve(nskb, MAX_TCP_HEADER); skb_reserve(nskb, MAX_TCP_HEADER);
niph = synproxy_build_ip(nskb, &iph->daddr, &iph->saddr); niph = synproxy_build_ip(net, nskb, &iph->daddr, &iph->saddr);
skb_reset_transport_header(nskb); skb_reset_transport_header(nskb);
nth = (struct tcphdr *)skb_put(nskb, tcp_hdr_size); nth = (struct tcphdr *)skb_put(nskb, tcp_hdr_size);
@ -121,15 +121,16 @@ synproxy_send_client_synack(const struct synproxy_net *snet,
synproxy_build_options(nth, opts); synproxy_build_options(nth, opts);
synproxy_send_tcp(snet, skb, nskb, skb->nfct, IP_CT_ESTABLISHED_REPLY, synproxy_send_tcp(net, skb, nskb, skb->nfct, IP_CT_ESTABLISHED_REPLY,
niph, nth, tcp_hdr_size); niph, nth, tcp_hdr_size);
} }
static void static void
synproxy_send_server_syn(const struct synproxy_net *snet, synproxy_send_server_syn(struct net *net,
const struct sk_buff *skb, const struct tcphdr *th, const struct sk_buff *skb, const struct tcphdr *th,
const struct synproxy_options *opts, u32 recv_seq) const struct synproxy_options *opts, u32 recv_seq)
{ {
struct synproxy_net *snet = synproxy_pernet(net);
struct sk_buff *nskb; struct sk_buff *nskb;
struct ipv6hdr *iph, *niph; struct ipv6hdr *iph, *niph;
struct tcphdr *nth; struct tcphdr *nth;
@ -144,7 +145,7 @@ synproxy_send_server_syn(const struct synproxy_net *snet,
return; return;
skb_reserve(nskb, MAX_TCP_HEADER); skb_reserve(nskb, MAX_TCP_HEADER);
niph = synproxy_build_ip(nskb, &iph->saddr, &iph->daddr); niph = synproxy_build_ip(net, nskb, &iph->saddr, &iph->daddr);
skb_reset_transport_header(nskb); skb_reset_transport_header(nskb);
nth = (struct tcphdr *)skb_put(nskb, tcp_hdr_size); nth = (struct tcphdr *)skb_put(nskb, tcp_hdr_size);
@ -165,12 +166,12 @@ synproxy_send_server_syn(const struct synproxy_net *snet,
synproxy_build_options(nth, opts); synproxy_build_options(nth, opts);
synproxy_send_tcp(snet, skb, nskb, &snet->tmpl->ct_general, IP_CT_NEW, synproxy_send_tcp(net, skb, nskb, &snet->tmpl->ct_general, IP_CT_NEW,
niph, nth, tcp_hdr_size); niph, nth, tcp_hdr_size);
} }
static void static void
synproxy_send_server_ack(const struct synproxy_net *snet, synproxy_send_server_ack(struct net *net,
const struct ip_ct_tcp *state, const struct ip_ct_tcp *state,
const struct sk_buff *skb, const struct tcphdr *th, const struct sk_buff *skb, const struct tcphdr *th,
const struct synproxy_options *opts) const struct synproxy_options *opts)
@ -189,7 +190,7 @@ synproxy_send_server_ack(const struct synproxy_net *snet,
return; return;
skb_reserve(nskb, MAX_TCP_HEADER); skb_reserve(nskb, MAX_TCP_HEADER);
niph = synproxy_build_ip(nskb, &iph->daddr, &iph->saddr); niph = synproxy_build_ip(net, nskb, &iph->daddr, &iph->saddr);
skb_reset_transport_header(nskb); skb_reset_transport_header(nskb);
nth = (struct tcphdr *)skb_put(nskb, tcp_hdr_size); nth = (struct tcphdr *)skb_put(nskb, tcp_hdr_size);
@ -205,11 +206,11 @@ synproxy_send_server_ack(const struct synproxy_net *snet,
synproxy_build_options(nth, opts); synproxy_build_options(nth, opts);
synproxy_send_tcp(snet, skb, nskb, NULL, 0, niph, nth, tcp_hdr_size); synproxy_send_tcp(net, skb, nskb, NULL, 0, niph, nth, tcp_hdr_size);
} }
static void static void
synproxy_send_client_ack(const struct synproxy_net *snet, synproxy_send_client_ack(struct net *net,
const struct sk_buff *skb, const struct tcphdr *th, const struct sk_buff *skb, const struct tcphdr *th,
const struct synproxy_options *opts) const struct synproxy_options *opts)
{ {
@ -227,7 +228,7 @@ synproxy_send_client_ack(const struct synproxy_net *snet,
return; return;
skb_reserve(nskb, MAX_TCP_HEADER); skb_reserve(nskb, MAX_TCP_HEADER);
niph = synproxy_build_ip(nskb, &iph->saddr, &iph->daddr); niph = synproxy_build_ip(net, nskb, &iph->saddr, &iph->daddr);
skb_reset_transport_header(nskb); skb_reset_transport_header(nskb);
nth = (struct tcphdr *)skb_put(nskb, tcp_hdr_size); nth = (struct tcphdr *)skb_put(nskb, tcp_hdr_size);
@ -243,15 +244,16 @@ synproxy_send_client_ack(const struct synproxy_net *snet,
synproxy_build_options(nth, opts); synproxy_build_options(nth, opts);
synproxy_send_tcp(snet, skb, nskb, skb->nfct, IP_CT_ESTABLISHED_REPLY, synproxy_send_tcp(net, skb, nskb, skb->nfct, IP_CT_ESTABLISHED_REPLY,
niph, nth, tcp_hdr_size); niph, nth, tcp_hdr_size);
} }
static bool static bool
synproxy_recv_client_ack(const struct synproxy_net *snet, synproxy_recv_client_ack(struct net *net,
const struct sk_buff *skb, const struct tcphdr *th, const struct sk_buff *skb, const struct tcphdr *th,
struct synproxy_options *opts, u32 recv_seq) struct synproxy_options *opts, u32 recv_seq)
{ {
struct synproxy_net *snet = synproxy_pernet(net);
int mss; int mss;
mss = __cookie_v6_check(ipv6_hdr(skb), th, ntohl(th->ack_seq) - 1); mss = __cookie_v6_check(ipv6_hdr(skb), th, ntohl(th->ack_seq) - 1);
@ -267,7 +269,7 @@ synproxy_recv_client_ack(const struct synproxy_net *snet,
if (opts->options & XT_SYNPROXY_OPT_TIMESTAMP) if (opts->options & XT_SYNPROXY_OPT_TIMESTAMP)
synproxy_check_timestamp_cookie(opts); synproxy_check_timestamp_cookie(opts);
synproxy_send_server_syn(snet, skb, th, opts, recv_seq); synproxy_send_server_syn(net, skb, th, opts, recv_seq);
return true; return true;
} }
@ -275,7 +277,8 @@ static unsigned int
synproxy_tg6(struct sk_buff *skb, const struct xt_action_param *par) synproxy_tg6(struct sk_buff *skb, const struct xt_action_param *par)
{ {
const struct xt_synproxy_info *info = par->targinfo; const struct xt_synproxy_info *info = par->targinfo;
struct synproxy_net *snet = synproxy_pernet(par->net); struct net *net = par->net;
struct synproxy_net *snet = synproxy_pernet(net);
struct synproxy_options opts = {}; struct synproxy_options opts = {};
struct tcphdr *th, _th; struct tcphdr *th, _th;
@ -304,12 +307,12 @@ synproxy_tg6(struct sk_buff *skb, const struct xt_action_param *par)
XT_SYNPROXY_OPT_SACK_PERM | XT_SYNPROXY_OPT_SACK_PERM |
XT_SYNPROXY_OPT_ECN); XT_SYNPROXY_OPT_ECN);
synproxy_send_client_synack(snet, skb, th, &opts); synproxy_send_client_synack(net, skb, th, &opts);
return NF_DROP; return NF_DROP;
} else if (th->ack && !(th->fin || th->rst || th->syn)) { } else if (th->ack && !(th->fin || th->rst || th->syn)) {
/* ACK from client */ /* ACK from client */
synproxy_recv_client_ack(snet, skb, th, &opts, ntohl(th->seq)); synproxy_recv_client_ack(net, skb, th, &opts, ntohl(th->seq));
return NF_DROP; return NF_DROP;
} }
@ -320,7 +323,8 @@ static unsigned int ipv6_synproxy_hook(void *priv,
struct sk_buff *skb, struct sk_buff *skb,
const struct nf_hook_state *nhs) const struct nf_hook_state *nhs)
{ {
struct synproxy_net *snet = synproxy_pernet(nhs->net); struct net *net = nhs->net;
struct synproxy_net *snet = synproxy_pernet(net);
enum ip_conntrack_info ctinfo; enum ip_conntrack_info ctinfo;
struct nf_conn *ct; struct nf_conn *ct;
struct nf_conn_synproxy *synproxy; struct nf_conn_synproxy *synproxy;
@ -384,7 +388,7 @@ static unsigned int ipv6_synproxy_hook(void *priv,
* therefore we need to add 1 to make the SYN sequence * therefore we need to add 1 to make the SYN sequence
* number match the one of first SYN. * number match the one of first SYN.
*/ */
if (synproxy_recv_client_ack(snet, skb, th, &opts, if (synproxy_recv_client_ack(net, skb, th, &opts,
ntohl(th->seq) + 1)) ntohl(th->seq) + 1))
this_cpu_inc(snet->stats->cookie_retrans); this_cpu_inc(snet->stats->cookie_retrans);
@ -410,12 +414,12 @@ static unsigned int ipv6_synproxy_hook(void *priv,
XT_SYNPROXY_OPT_SACK_PERM); XT_SYNPROXY_OPT_SACK_PERM);
swap(opts.tsval, opts.tsecr); swap(opts.tsval, opts.tsecr);
synproxy_send_server_ack(snet, state, skb, th, &opts); synproxy_send_server_ack(net, state, skb, th, &opts);
nf_ct_seqadj_init(ct, ctinfo, synproxy->isn - ntohl(th->seq)); nf_ct_seqadj_init(ct, ctinfo, synproxy->isn - ntohl(th->seq));
swap(opts.tsval, opts.tsecr); swap(opts.tsval, opts.tsecr);
synproxy_send_client_ack(snet, skb, th, &opts); synproxy_send_client_ack(net, skb, th, &opts);
consume_skb(skb); consume_skb(skb);
return NF_STOLEN; return NF_STOLEN;

View File

@ -158,7 +158,7 @@ void nf_send_reset6(struct net *net, struct sk_buff *oldskb, int hook)
fl6.fl6_dport = otcph->source; fl6.fl6_dport = otcph->source;
security_skb_classify_flow(oldskb, flowi6_to_flowi(&fl6)); security_skb_classify_flow(oldskb, flowi6_to_flowi(&fl6));
dst = ip6_route_output(net, NULL, &fl6); dst = ip6_route_output(net, NULL, &fl6);
if (dst == NULL || dst->error) { if (dst->error) {
dst_release(dst); dst_release(dst);
return; return;
} }

View File

@ -12,6 +12,8 @@
* published by the Free Software Foundation. * published by the Free Software Foundation.
*/ */
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/types.h> #include <linux/types.h>
#include <linux/netfilter.h> #include <linux/netfilter.h>
#include <linux/module.h> #include <linux/module.h>
@ -966,7 +968,7 @@ init_conntrack(struct net *net, struct nf_conn *tmpl,
if (!l4proto->new(ct, skb, dataoff, timeouts)) { if (!l4proto->new(ct, skb, dataoff, timeouts)) {
nf_conntrack_free(ct); nf_conntrack_free(ct);
pr_debug("init conntrack: can't track with proto module\n"); pr_debug("can't track with proto module\n");
return NULL; return NULL;
} }
@ -988,7 +990,7 @@ init_conntrack(struct net *net, struct nf_conn *tmpl,
spin_lock(&nf_conntrack_expect_lock); spin_lock(&nf_conntrack_expect_lock);
exp = nf_ct_find_expectation(net, zone, tuple); exp = nf_ct_find_expectation(net, zone, tuple);
if (exp) { if (exp) {
pr_debug("conntrack: expectation arrives ct=%p exp=%p\n", pr_debug("expectation arrives ct=%p exp=%p\n",
ct, exp); ct, exp);
/* Welcome, Mr. Bond. We've been expecting you... */ /* Welcome, Mr. Bond. We've been expecting you... */
__set_bit(IPS_EXPECTED_BIT, &ct->status); __set_bit(IPS_EXPECTED_BIT, &ct->status);
@ -1053,7 +1055,7 @@ resolve_normal_ct(struct net *net, struct nf_conn *tmpl,
if (!nf_ct_get_tuple(skb, skb_network_offset(skb), if (!nf_ct_get_tuple(skb, skb_network_offset(skb),
dataoff, l3num, protonum, net, &tuple, l3proto, dataoff, l3num, protonum, net, &tuple, l3proto,
l4proto)) { l4proto)) {
pr_debug("resolve_normal_ct: Can't get tuple\n"); pr_debug("Can't get tuple\n");
return NULL; return NULL;
} }
@ -1079,14 +1081,13 @@ resolve_normal_ct(struct net *net, struct nf_conn *tmpl,
} else { } else {
/* Once we've had two way comms, always ESTABLISHED. */ /* Once we've had two way comms, always ESTABLISHED. */
if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) { if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
pr_debug("nf_conntrack_in: normal packet for %p\n", ct); pr_debug("normal packet for %p\n", ct);
*ctinfo = IP_CT_ESTABLISHED; *ctinfo = IP_CT_ESTABLISHED;
} else if (test_bit(IPS_EXPECTED_BIT, &ct->status)) { } else if (test_bit(IPS_EXPECTED_BIT, &ct->status)) {
pr_debug("nf_conntrack_in: related packet for %p\n", pr_debug("related packet for %p\n", ct);
ct);
*ctinfo = IP_CT_RELATED; *ctinfo = IP_CT_RELATED;
} else { } else {
pr_debug("nf_conntrack_in: new packet for %p\n", ct); pr_debug("new packet for %p\n", ct);
*ctinfo = IP_CT_NEW; *ctinfo = IP_CT_NEW;
} }
*set_reply = 0; *set_reply = 0;

View File

@ -113,6 +113,60 @@ static void ecache_work(struct work_struct *work)
schedule_delayed_work(&ctnet->ecache_dwork, delay); schedule_delayed_work(&ctnet->ecache_dwork, delay);
} }
int nf_conntrack_eventmask_report(unsigned int eventmask, struct nf_conn *ct,
u32 portid, int report)
{
int ret = 0;
struct net *net = nf_ct_net(ct);
struct nf_ct_event_notifier *notify;
struct nf_conntrack_ecache *e;
rcu_read_lock();
notify = rcu_dereference(net->ct.nf_conntrack_event_cb);
if (!notify)
goto out_unlock;
e = nf_ct_ecache_find(ct);
if (!e)
goto out_unlock;
if (nf_ct_is_confirmed(ct) && !nf_ct_is_dying(ct)) {
struct nf_ct_event item = {
.ct = ct,
.portid = e->portid ? e->portid : portid,
.report = report
};
/* This is a resent of a destroy event? If so, skip missed */
unsigned long missed = e->portid ? 0 : e->missed;
if (!((eventmask | missed) & e->ctmask))
goto out_unlock;
ret = notify->fcn(eventmask | missed, &item);
if (unlikely(ret < 0 || missed)) {
spin_lock_bh(&ct->lock);
if (ret < 0) {
/* This is a destroy event that has been
* triggered by a process, we store the PORTID
* to include it in the retransmission.
*/
if (eventmask & (1 << IPCT_DESTROY) &&
e->portid == 0 && portid != 0)
e->portid = portid;
else
e->missed |= eventmask;
} else {
e->missed &= ~missed;
}
spin_unlock_bh(&ct->lock);
}
}
out_unlock:
rcu_read_unlock();
return ret;
}
EXPORT_SYMBOL_GPL(nf_conntrack_eventmask_report);
/* deliver cached events and clear cache entry - must be called with locally /* deliver cached events and clear cache entry - must be called with locally
* disabled softirqs */ * disabled softirqs */
void nf_ct_deliver_cached_events(struct nf_conn *ct) void nf_ct_deliver_cached_events(struct nf_conn *ct)
@ -167,6 +221,36 @@ out_unlock:
} }
EXPORT_SYMBOL_GPL(nf_ct_deliver_cached_events); EXPORT_SYMBOL_GPL(nf_ct_deliver_cached_events);
void nf_ct_expect_event_report(enum ip_conntrack_expect_events event,
struct nf_conntrack_expect *exp,
u32 portid, int report)
{
struct net *net = nf_ct_exp_net(exp);
struct nf_exp_event_notifier *notify;
struct nf_conntrack_ecache *e;
rcu_read_lock();
notify = rcu_dereference(net->ct.nf_expect_event_cb);
if (!notify)
goto out_unlock;
e = nf_ct_ecache_find(exp->master);
if (!e)
goto out_unlock;
if (e->expmask & (1 << event)) {
struct nf_exp_event item = {
.exp = exp,
.portid = portid,
.report = report
};
notify->fcn(1 << event, &item);
}
out_unlock:
rcu_read_unlock();
}
int nf_conntrack_register_notifier(struct net *net, int nf_conntrack_register_notifier(struct net *net,
struct nf_ct_event_notifier *new) struct nf_ct_event_notifier *new)
{ {

View File

@ -295,6 +295,59 @@ static u32 nfqnl_get_sk_secctx(struct sk_buff *skb, char **secdata)
return seclen; return seclen;
} }
static u32 nfqnl_get_bridge_size(struct nf_queue_entry *entry)
{
struct sk_buff *entskb = entry->skb;
u32 nlalen = 0;
if (entry->state.pf != PF_BRIDGE || !skb_mac_header_was_set(entskb))
return 0;
if (skb_vlan_tag_present(entskb))
nlalen += nla_total_size(nla_total_size(sizeof(__be16)) +
nla_total_size(sizeof(__be16)));
if (entskb->network_header > entskb->mac_header)
nlalen += nla_total_size((entskb->network_header -
entskb->mac_header));
return nlalen;
}
static int nfqnl_put_bridge(struct nf_queue_entry *entry, struct sk_buff *skb)
{
struct sk_buff *entskb = entry->skb;
if (entry->state.pf != PF_BRIDGE || !skb_mac_header_was_set(entskb))
return 0;
if (skb_vlan_tag_present(entskb)) {
struct nlattr *nest;
nest = nla_nest_start(skb, NFQA_VLAN | NLA_F_NESTED);
if (!nest)
goto nla_put_failure;
if (nla_put_be16(skb, NFQA_VLAN_TCI, htons(entskb->vlan_tci)) ||
nla_put_be16(skb, NFQA_VLAN_PROTO, entskb->vlan_proto))
goto nla_put_failure;
nla_nest_end(skb, nest);
}
if (entskb->mac_header < entskb->network_header) {
int len = (int)(entskb->network_header - entskb->mac_header);
if (nla_put(skb, NFQA_L2HDR, len, skb_mac_header(entskb)))
goto nla_put_failure;
}
return 0;
nla_put_failure:
return -1;
}
static struct sk_buff * static struct sk_buff *
nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue, nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
struct nf_queue_entry *entry, struct nf_queue_entry *entry,
@ -334,6 +387,8 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
if (entskb->tstamp.tv64) if (entskb->tstamp.tv64)
size += nla_total_size(sizeof(struct nfqnl_msg_packet_timestamp)); size += nla_total_size(sizeof(struct nfqnl_msg_packet_timestamp));
size += nfqnl_get_bridge_size(entry);
if (entry->state.hook <= NF_INET_FORWARD || if (entry->state.hook <= NF_INET_FORWARD ||
(entry->state.hook == NF_INET_POST_ROUTING && entskb->sk == NULL)) (entry->state.hook == NF_INET_POST_ROUTING && entskb->sk == NULL))
csum_verify = !skb_csum_unnecessary(entskb); csum_verify = !skb_csum_unnecessary(entskb);
@ -497,6 +552,9 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
} }
} }
if (nfqnl_put_bridge(entry, skb) < 0)
goto nla_put_failure;
if (entskb->tstamp.tv64) { if (entskb->tstamp.tv64) {
struct nfqnl_msg_packet_timestamp ts; struct nfqnl_msg_packet_timestamp ts;
struct timespec64 kts = ktime_to_timespec64(skb->tstamp); struct timespec64 kts = ktime_to_timespec64(skb->tstamp);
@ -911,12 +969,18 @@ static struct notifier_block nfqnl_rtnl_notifier = {
.notifier_call = nfqnl_rcv_nl_event, .notifier_call = nfqnl_rcv_nl_event,
}; };
static const struct nla_policy nfqa_vlan_policy[NFQA_VLAN_MAX + 1] = {
[NFQA_VLAN_TCI] = { .type = NLA_U16},
[NFQA_VLAN_PROTO] = { .type = NLA_U16},
};
static const struct nla_policy nfqa_verdict_policy[NFQA_MAX+1] = { static const struct nla_policy nfqa_verdict_policy[NFQA_MAX+1] = {
[NFQA_VERDICT_HDR] = { .len = sizeof(struct nfqnl_msg_verdict_hdr) }, [NFQA_VERDICT_HDR] = { .len = sizeof(struct nfqnl_msg_verdict_hdr) },
[NFQA_MARK] = { .type = NLA_U32 }, [NFQA_MARK] = { .type = NLA_U32 },
[NFQA_PAYLOAD] = { .type = NLA_UNSPEC }, [NFQA_PAYLOAD] = { .type = NLA_UNSPEC },
[NFQA_CT] = { .type = NLA_UNSPEC }, [NFQA_CT] = { .type = NLA_UNSPEC },
[NFQA_EXP] = { .type = NLA_UNSPEC }, [NFQA_EXP] = { .type = NLA_UNSPEC },
[NFQA_VLAN] = { .type = NLA_NESTED },
}; };
static const struct nla_policy nfqa_verdict_batch_policy[NFQA_MAX+1] = { static const struct nla_policy nfqa_verdict_batch_policy[NFQA_MAX+1] = {
@ -1030,6 +1094,40 @@ static struct nf_conn *nfqnl_ct_parse(struct nfnl_ct_hook *nfnl_ct,
return ct; return ct;
} }
static int nfqa_parse_bridge(struct nf_queue_entry *entry,
const struct nlattr * const nfqa[])
{
if (nfqa[NFQA_VLAN]) {
struct nlattr *tb[NFQA_VLAN_MAX + 1];
int err;
err = nla_parse_nested(tb, NFQA_VLAN_MAX, nfqa[NFQA_VLAN],
nfqa_vlan_policy);
if (err < 0)
return err;
if (!tb[NFQA_VLAN_TCI] || !tb[NFQA_VLAN_PROTO])
return -EINVAL;
entry->skb->vlan_tci = ntohs(nla_get_be16(tb[NFQA_VLAN_TCI]));
entry->skb->vlan_proto = nla_get_be16(tb[NFQA_VLAN_PROTO]);
}
if (nfqa[NFQA_L2HDR]) {
int mac_header_len = entry->skb->network_header -
entry->skb->mac_header;
if (mac_header_len != nla_len(nfqa[NFQA_L2HDR]))
return -EINVAL;
else if (mac_header_len > 0)
memcpy(skb_mac_header(entry->skb),
nla_data(nfqa[NFQA_L2HDR]),
mac_header_len);
}
return 0;
}
static int nfqnl_recv_verdict(struct net *net, struct sock *ctnl, static int nfqnl_recv_verdict(struct net *net, struct sock *ctnl,
struct sk_buff *skb, struct sk_buff *skb,
const struct nlmsghdr *nlh, const struct nlmsghdr *nlh,
@ -1045,6 +1143,7 @@ static int nfqnl_recv_verdict(struct net *net, struct sock *ctnl,
struct nfnl_ct_hook *nfnl_ct; struct nfnl_ct_hook *nfnl_ct;
struct nf_conn *ct = NULL; struct nf_conn *ct = NULL;
struct nfnl_queue_net *q = nfnl_queue_pernet(net); struct nfnl_queue_net *q = nfnl_queue_pernet(net);
int err;
queue = instance_lookup(q, queue_num); queue = instance_lookup(q, queue_num);
if (!queue) if (!queue)
@ -1071,6 +1170,12 @@ static int nfqnl_recv_verdict(struct net *net, struct sock *ctnl,
ct = nfqnl_ct_parse(nfnl_ct, nlh, nfqa, entry, &ctinfo); ct = nfqnl_ct_parse(nfnl_ct, nlh, nfqa, entry, &ctinfo);
} }
if (entry->state.pf == PF_BRIDGE) {
err = nfqa_parse_bridge(entry, nfqa);
if (err < 0)
return err;
}
if (nfqa[NFQA_PAYLOAD]) { if (nfqa[NFQA_PAYLOAD]) {
u16 payload_len = nla_len(nfqa[NFQA_PAYLOAD]); u16 payload_len = nla_len(nfqa[NFQA_PAYLOAD]);
int diff = payload_len - entry->skb->len; int diff = payload_len - entry->skb->len;