1 // SPDX-License-Identifier: GPL-2.0-only
3 * Copyright (c) 2008 Patrick McHardy <kaber@trash.net>
5 * Development of this code funded by Astaro AG (http://www.astaro.com/)
8 #include <asm/unaligned.h>
9 #include <linux/kernel.h>
10 #include <linux/netlink.h>
11 #include <linux/netfilter.h>
12 #include <linux/netfilter/nf_tables.h>
13 #include <net/netfilter/nf_tables_core.h>
14 #include <net/netfilter/nf_tables.h>
27 static unsigned int optlen(const u8 *opt, unsigned int offset)
29 /* Beware zero-length options: make finite progress */
30 if (opt[offset] <= TCPOPT_NOP || opt[offset + 1] == 0)
33 return opt[offset + 1];
36 static void nft_exthdr_ipv6_eval(const struct nft_expr *expr,
37 struct nft_regs *regs,
38 const struct nft_pktinfo *pkt)
40 struct nft_exthdr *priv = nft_expr_priv(expr);
41 u32 *dest = ®s->data[priv->dreg];
42 unsigned int offset = 0;
45 if (pkt->skb->protocol != htons(ETH_P_IPV6))
48 err = ipv6_find_hdr(pkt->skb, &offset, priv->type, NULL, NULL);
49 if (priv->flags & NFT_EXTHDR_F_PRESENT) {
50 nft_reg_store8(dest, err >= 0);
55 offset += priv->offset;
57 dest[priv->len / NFT_REG32_SIZE] = 0;
58 if (skb_copy_bits(pkt->skb, offset, dest, priv->len) < 0)
62 regs->verdict.code = NFT_BREAK;
65 /* find the offset to specified option.
67 * If target header is found, its offset is set in *offset and return option
68 * number. Otherwise, return negative error.
70 * If the first fragment doesn't contain the End of Options it is considered
73 static int ipv4_find_option(struct net *net, struct sk_buff *skb,
74 unsigned int *offset, int target)
76 unsigned char optbuf[sizeof(struct ip_options) + 40];
77 struct ip_options *opt = (struct ip_options *)optbuf;
78 struct iphdr *iph, _iph;
84 iph = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
87 start = sizeof(struct iphdr);
89 optlen = iph->ihl * 4 - (int)sizeof(struct iphdr);
93 memset(opt, 0, sizeof(struct ip_options));
94 /* Copy the options since __ip_options_compile() modifies
97 if (skb_copy_bits(skb, start, opt->__data, optlen))
101 if (__ip_options_compile(net, opt, NULL, &info))
109 found = target == IPOPT_SSRR ? opt->is_strictroute :
110 !opt->is_strictroute;
112 *offset = opt->srr + start;
117 *offset = opt->rr + start;
121 if (!opt->router_alert)
123 *offset = opt->router_alert + start;
129 return found ? target : -ENOENT;
132 static void nft_exthdr_ipv4_eval(const struct nft_expr *expr,
133 struct nft_regs *regs,
134 const struct nft_pktinfo *pkt)
136 struct nft_exthdr *priv = nft_expr_priv(expr);
137 u32 *dest = ®s->data[priv->dreg];
138 struct sk_buff *skb = pkt->skb;
142 if (skb->protocol != htons(ETH_P_IP))
145 err = ipv4_find_option(nft_net(pkt), skb, &offset, priv->type);
146 if (priv->flags & NFT_EXTHDR_F_PRESENT) {
147 nft_reg_store8(dest, err >= 0);
149 } else if (err < 0) {
152 offset += priv->offset;
154 dest[priv->len / NFT_REG32_SIZE] = 0;
155 if (skb_copy_bits(pkt->skb, offset, dest, priv->len) < 0)
159 regs->verdict.code = NFT_BREAK;
163 nft_tcp_header_pointer(const struct nft_pktinfo *pkt,
164 unsigned int len, void *buffer, unsigned int *tcphdr_len)
168 if (!pkt->tprot_set || pkt->tprot != IPPROTO_TCP)
171 tcph = skb_header_pointer(pkt->skb, pkt->xt.thoff, sizeof(*tcph), buffer);
175 *tcphdr_len = __tcp_hdrlen(tcph);
176 if (*tcphdr_len < sizeof(*tcph) || *tcphdr_len > len)
179 return skb_header_pointer(pkt->skb, pkt->xt.thoff, *tcphdr_len, buffer);
182 static void nft_exthdr_tcp_eval(const struct nft_expr *expr,
183 struct nft_regs *regs,
184 const struct nft_pktinfo *pkt)
186 u8 buff[sizeof(struct tcphdr) + MAX_TCP_OPTION_SPACE];
187 struct nft_exthdr *priv = nft_expr_priv(expr);
188 unsigned int i, optl, tcphdr_len, offset;
189 u32 *dest = ®s->data[priv->dreg];
193 tcph = nft_tcp_header_pointer(pkt, sizeof(buff), buff, &tcphdr_len);
198 for (i = sizeof(*tcph); i < tcphdr_len - 1; i += optl) {
199 optl = optlen(opt, i);
201 if (priv->type != opt[i])
204 if (i + optl > tcphdr_len || priv->len + priv->offset > optl)
207 offset = i + priv->offset;
208 if (priv->flags & NFT_EXTHDR_F_PRESENT) {
211 dest[priv->len / NFT_REG32_SIZE] = 0;
212 memcpy(dest, opt + offset, priv->len);
219 if (priv->flags & NFT_EXTHDR_F_PRESENT)
222 regs->verdict.code = NFT_BREAK;
225 static void nft_exthdr_tcp_set_eval(const struct nft_expr *expr,
226 struct nft_regs *regs,
227 const struct nft_pktinfo *pkt)
229 u8 buff[sizeof(struct tcphdr) + MAX_TCP_OPTION_SPACE];
230 struct nft_exthdr *priv = nft_expr_priv(expr);
231 unsigned int i, optl, tcphdr_len, offset;
235 tcph = nft_tcp_header_pointer(pkt, sizeof(buff), buff, &tcphdr_len);
240 for (i = sizeof(*tcph); i < tcphdr_len - 1; i += optl) {
246 optl = optlen(opt, i);
248 if (priv->type != opt[i])
251 if (i + optl > tcphdr_len || priv->len + priv->offset > optl)
254 if (skb_ensure_writable(pkt->skb,
255 pkt->xt.thoff + i + priv->len))
258 tcph = nft_tcp_header_pointer(pkt, sizeof(buff), buff,
263 offset = i + priv->offset;
267 old.v16 = get_unaligned((u16 *)(opt + offset));
268 new.v16 = (__force __be16)nft_reg_load16(
269 ®s->data[priv->sreg]);
271 switch (priv->type) {
273 /* increase can cause connection to stall */
274 if (ntohs(old.v16) <= ntohs(new.v16))
279 if (old.v16 == new.v16)
282 put_unaligned(new.v16, (u16*)(opt + offset));
283 inet_proto_csum_replace2(&tcph->check, pkt->skb,
284 old.v16, new.v16, false);
287 new.v32 = regs->data[priv->sreg];
288 old.v32 = get_unaligned((u32 *)(opt + offset));
290 if (old.v32 == new.v32)
293 put_unaligned(new.v32, (u32*)(opt + offset));
294 inet_proto_csum_replace4(&tcph->check, pkt->skb,
295 old.v32, new.v32, false);
306 static const struct nla_policy nft_exthdr_policy[NFTA_EXTHDR_MAX + 1] = {
307 [NFTA_EXTHDR_DREG] = { .type = NLA_U32 },
308 [NFTA_EXTHDR_TYPE] = { .type = NLA_U8 },
309 [NFTA_EXTHDR_OFFSET] = { .type = NLA_U32 },
310 [NFTA_EXTHDR_LEN] = { .type = NLA_U32 },
311 [NFTA_EXTHDR_FLAGS] = { .type = NLA_U32 },
312 [NFTA_EXTHDR_OP] = { .type = NLA_U32 },
313 [NFTA_EXTHDR_SREG] = { .type = NLA_U32 },
316 static int nft_exthdr_init(const struct nft_ctx *ctx,
317 const struct nft_expr *expr,
318 const struct nlattr * const tb[])
320 struct nft_exthdr *priv = nft_expr_priv(expr);
321 u32 offset, len, flags = 0, op = NFT_EXTHDR_OP_IPV6;
324 if (!tb[NFTA_EXTHDR_DREG] ||
325 !tb[NFTA_EXTHDR_TYPE] ||
326 !tb[NFTA_EXTHDR_OFFSET] ||
327 !tb[NFTA_EXTHDR_LEN])
330 err = nft_parse_u32_check(tb[NFTA_EXTHDR_OFFSET], U8_MAX, &offset);
334 err = nft_parse_u32_check(tb[NFTA_EXTHDR_LEN], U8_MAX, &len);
338 if (tb[NFTA_EXTHDR_FLAGS]) {
339 err = nft_parse_u32_check(tb[NFTA_EXTHDR_FLAGS], U8_MAX, &flags);
343 if (flags & ~NFT_EXTHDR_F_PRESENT)
347 if (tb[NFTA_EXTHDR_OP]) {
348 err = nft_parse_u32_check(tb[NFTA_EXTHDR_OP], U8_MAX, &op);
353 priv->type = nla_get_u8(tb[NFTA_EXTHDR_TYPE]);
354 priv->offset = offset;
359 return nft_parse_register_store(ctx, tb[NFTA_EXTHDR_DREG],
360 &priv->dreg, NULL, NFT_DATA_VALUE,
364 static int nft_exthdr_tcp_set_init(const struct nft_ctx *ctx,
365 const struct nft_expr *expr,
366 const struct nlattr * const tb[])
368 struct nft_exthdr *priv = nft_expr_priv(expr);
369 u32 offset, len, flags = 0, op = NFT_EXTHDR_OP_IPV6;
372 if (!tb[NFTA_EXTHDR_SREG] ||
373 !tb[NFTA_EXTHDR_TYPE] ||
374 !tb[NFTA_EXTHDR_OFFSET] ||
375 !tb[NFTA_EXTHDR_LEN])
378 if (tb[NFTA_EXTHDR_DREG] || tb[NFTA_EXTHDR_FLAGS])
381 err = nft_parse_u32_check(tb[NFTA_EXTHDR_OFFSET], U8_MAX, &offset);
385 err = nft_parse_u32_check(tb[NFTA_EXTHDR_LEN], U8_MAX, &len);
399 err = nft_parse_u32_check(tb[NFTA_EXTHDR_OP], U8_MAX, &op);
403 priv->type = nla_get_u8(tb[NFTA_EXTHDR_TYPE]);
404 priv->offset = offset;
409 return nft_parse_register_load(tb[NFTA_EXTHDR_SREG], &priv->sreg,
413 static int nft_exthdr_ipv4_init(const struct nft_ctx *ctx,
414 const struct nft_expr *expr,
415 const struct nlattr * const tb[])
417 struct nft_exthdr *priv = nft_expr_priv(expr);
418 int err = nft_exthdr_init(ctx, expr, tb);
423 switch (priv->type) {
435 static int nft_exthdr_dump_common(struct sk_buff *skb, const struct nft_exthdr *priv)
437 if (nla_put_u8(skb, NFTA_EXTHDR_TYPE, priv->type))
438 goto nla_put_failure;
439 if (nla_put_be32(skb, NFTA_EXTHDR_OFFSET, htonl(priv->offset)))
440 goto nla_put_failure;
441 if (nla_put_be32(skb, NFTA_EXTHDR_LEN, htonl(priv->len)))
442 goto nla_put_failure;
443 if (nla_put_be32(skb, NFTA_EXTHDR_FLAGS, htonl(priv->flags)))
444 goto nla_put_failure;
445 if (nla_put_be32(skb, NFTA_EXTHDR_OP, htonl(priv->op)))
446 goto nla_put_failure;
453 static int nft_exthdr_dump(struct sk_buff *skb, const struct nft_expr *expr)
455 const struct nft_exthdr *priv = nft_expr_priv(expr);
457 if (nft_dump_register(skb, NFTA_EXTHDR_DREG, priv->dreg))
460 return nft_exthdr_dump_common(skb, priv);
463 static int nft_exthdr_dump_set(struct sk_buff *skb, const struct nft_expr *expr)
465 const struct nft_exthdr *priv = nft_expr_priv(expr);
467 if (nft_dump_register(skb, NFTA_EXTHDR_SREG, priv->sreg))
470 return nft_exthdr_dump_common(skb, priv);
473 static const struct nft_expr_ops nft_exthdr_ipv6_ops = {
474 .type = &nft_exthdr_type,
475 .size = NFT_EXPR_SIZE(sizeof(struct nft_exthdr)),
476 .eval = nft_exthdr_ipv6_eval,
477 .init = nft_exthdr_init,
478 .dump = nft_exthdr_dump,
481 static const struct nft_expr_ops nft_exthdr_ipv4_ops = {
482 .type = &nft_exthdr_type,
483 .size = NFT_EXPR_SIZE(sizeof(struct nft_exthdr)),
484 .eval = nft_exthdr_ipv4_eval,
485 .init = nft_exthdr_ipv4_init,
486 .dump = nft_exthdr_dump,
489 static const struct nft_expr_ops nft_exthdr_tcp_ops = {
490 .type = &nft_exthdr_type,
491 .size = NFT_EXPR_SIZE(sizeof(struct nft_exthdr)),
492 .eval = nft_exthdr_tcp_eval,
493 .init = nft_exthdr_init,
494 .dump = nft_exthdr_dump,
497 static const struct nft_expr_ops nft_exthdr_tcp_set_ops = {
498 .type = &nft_exthdr_type,
499 .size = NFT_EXPR_SIZE(sizeof(struct nft_exthdr)),
500 .eval = nft_exthdr_tcp_set_eval,
501 .init = nft_exthdr_tcp_set_init,
502 .dump = nft_exthdr_dump_set,
505 static const struct nft_expr_ops *
506 nft_exthdr_select_ops(const struct nft_ctx *ctx,
507 const struct nlattr * const tb[])
511 if (!tb[NFTA_EXTHDR_OP])
512 return &nft_exthdr_ipv6_ops;
514 if (tb[NFTA_EXTHDR_SREG] && tb[NFTA_EXTHDR_DREG])
515 return ERR_PTR(-EOPNOTSUPP);
517 op = ntohl(nla_get_be32(tb[NFTA_EXTHDR_OP]));
519 case NFT_EXTHDR_OP_TCPOPT:
520 if (tb[NFTA_EXTHDR_SREG])
521 return &nft_exthdr_tcp_set_ops;
522 if (tb[NFTA_EXTHDR_DREG])
523 return &nft_exthdr_tcp_ops;
525 case NFT_EXTHDR_OP_IPV6:
526 if (tb[NFTA_EXTHDR_DREG])
527 return &nft_exthdr_ipv6_ops;
529 case NFT_EXTHDR_OP_IPV4:
530 if (ctx->family != NFPROTO_IPV6) {
531 if (tb[NFTA_EXTHDR_DREG])
532 return &nft_exthdr_ipv4_ops;
537 return ERR_PTR(-EOPNOTSUPP);
540 struct nft_expr_type nft_exthdr_type __read_mostly = {
542 .select_ops = nft_exthdr_select_ops,
543 .policy = nft_exthdr_policy,
544 .maxattr = NFTA_EXTHDR_MAX,
545 .owner = THIS_MODULE,
projects / releases.git / blob