]> git.proxmox.com Git - mirror_ubuntu-focal-kernel.git/blob - net/netfilter/nf_flow_table_ip.c
projects / mirror_ubuntu-focal-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
ACPI / PCI: fix acpi_pci_irq_enable() memory leak
[mirror_ubuntu-focal-kernel.git] / net / netfilter / nf_flow_table_ip.c
1 // SPDX-License-Identifier: GPL-2.0-only
2 #include <linux/kernel.h>
3 #include <linux/init.h>
4 #include <linux/module.h>
5 #include <linux/netfilter.h>
6 #include <linux/rhashtable.h>
7 #include <linux/ip.h>
8 #include <linux/ipv6.h>
9 #include <linux/netdevice.h>
10 #include <net/ip.h>
11 #include <net/ipv6.h>
12 #include <net/ip6_route.h>
13 #include <net/neighbour.h>
14 #include <net/netfilter/nf_flow_table.h>
15 /* For layer 4 checksum field offset. */
16 #include <linux/tcp.h>
17 #include <linux/udp.h>
18
19 static int nf_flow_state_check(struct flow_offload *flow, int proto,
20 struct sk_buff *skb, unsigned int thoff)
21 {
22 struct tcphdr *tcph;
23
24 if (proto != IPPROTO_TCP)
25 return 0;
26
27 if (!pskb_may_pull(skb, thoff + sizeof(*tcph)))
28 return -1;
29
30 tcph = (void *)(skb_network_header(skb) + thoff);
31 if (unlikely(tcph->fin || tcph->rst)) {
32 flow_offload_teardown(flow);
33 return -1;
34 }
35
36 return 0;
37 }
38
39 static int nf_flow_nat_ip_tcp(struct sk_buff *skb, unsigned int thoff,
40 __be32 addr, __be32 new_addr)
41 {
42 struct tcphdr *tcph;
43
44 if (!pskb_may_pull(skb, thoff + sizeof(*tcph)) ||
45 skb_try_make_writable(skb, thoff + sizeof(*tcph)))
46 return -1;
47
48 tcph = (void *)(skb_network_header(skb) + thoff);
49 inet_proto_csum_replace4(&tcph->check, skb, addr, new_addr, true);
50
51 return 0;
52 }
53
54 static int nf_flow_nat_ip_udp(struct sk_buff *skb, unsigned int thoff,
55 __be32 addr, __be32 new_addr)
56 {
57 struct udphdr *udph;
58
59 if (!pskb_may_pull(skb, thoff + sizeof(*udph)) ||
60 skb_try_make_writable(skb, thoff + sizeof(*udph)))
61 return -1;
62
63 udph = (void *)(skb_network_header(skb) + thoff);
64 if (udph->check || skb->ip_summed == CHECKSUM_PARTIAL) {
65 inet_proto_csum_replace4(&udph->check, skb, addr,
66 new_addr, true);
67 if (!udph->check)
68 udph->check = CSUM_MANGLED_0;
69 }
70
71 return 0;
72 }
73
74 static int nf_flow_nat_ip_l4proto(struct sk_buff *skb, struct iphdr *iph,
75 unsigned int thoff, __be32 addr,
76 __be32 new_addr)
77 {
78 switch (iph->protocol) {
79 case IPPROTO_TCP:
80 if (nf_flow_nat_ip_tcp(skb, thoff, addr, new_addr) < 0)
81 return NF_DROP;
82 break;
83 case IPPROTO_UDP:
84 if (nf_flow_nat_ip_udp(skb, thoff, addr, new_addr) < 0)
85 return NF_DROP;
86 break;
87 }
88
89 return 0;
90 }
91
92 static int nf_flow_snat_ip(const struct flow_offload *flow, struct sk_buff *skb,
93 struct iphdr *iph, unsigned int thoff,
94 enum flow_offload_tuple_dir dir)
95 {
96 __be32 addr, new_addr;
97
98 switch (dir) {
99 case FLOW_OFFLOAD_DIR_ORIGINAL:
100 addr = iph->saddr;
101 new_addr = flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.dst_v4.s_addr;
102 iph->saddr = new_addr;
103 break;
104 case FLOW_OFFLOAD_DIR_REPLY:
105 addr = iph->daddr;
106 new_addr = flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.src_v4.s_addr;
107 iph->daddr = new_addr;
108 break;
109 default:
110 return -1;
111 }
112 csum_replace4(&iph->check, addr, new_addr);
113
114 return nf_flow_nat_ip_l4proto(skb, iph, thoff, addr, new_addr);
115 }
116
117 static int nf_flow_dnat_ip(const struct flow_offload *flow, struct sk_buff *skb,
118 struct iphdr *iph, unsigned int thoff,
119 enum flow_offload_tuple_dir dir)
120 {
121 __be32 addr, new_addr;
122
123 switch (dir) {
124 case FLOW_OFFLOAD_DIR_ORIGINAL:
125 addr = iph->daddr;
126 new_addr = flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.src_v4.s_addr;
127 iph->daddr = new_addr;
128 break;
129 case FLOW_OFFLOAD_DIR_REPLY:
130 addr = iph->saddr;
131 new_addr = flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.dst_v4.s_addr;
132 iph->saddr = new_addr;
133 break;
134 default:
135 return -1;
136 }
137 csum_replace4(&iph->check, addr, new_addr);
138
139 return nf_flow_nat_ip_l4proto(skb, iph, thoff, addr, new_addr);
140 }
141
142 static int nf_flow_nat_ip(const struct flow_offload *flow, struct sk_buff *skb,
143 unsigned int thoff, enum flow_offload_tuple_dir dir)
144 {
145 struct iphdr *iph = ip_hdr(skb);
146
147 if (flow->flags & FLOW_OFFLOAD_SNAT &&
148 (nf_flow_snat_port(flow, skb, thoff, iph->protocol, dir) < 0 ||
149 nf_flow_snat_ip(flow, skb, iph, thoff, dir) < 0))
150 return -1;
151 if (flow->flags & FLOW_OFFLOAD_DNAT &&
152 (nf_flow_dnat_port(flow, skb, thoff, iph->protocol, dir) < 0 ||
153 nf_flow_dnat_ip(flow, skb, iph, thoff, dir) < 0))
154 return -1;
155
156 return 0;
157 }
158
159 static bool ip_has_options(unsigned int thoff)
160 {
161 return thoff != sizeof(struct iphdr);
162 }
163
164 static int nf_flow_tuple_ip(struct sk_buff *skb, const struct net_device *dev,
165 struct flow_offload_tuple *tuple)
166 {
167 struct flow_ports *ports;
168 unsigned int thoff;
169 struct iphdr *iph;
170
171 if (!pskb_may_pull(skb, sizeof(*iph)))
172 return -1;
173
174 iph = ip_hdr(skb);
175 thoff = iph->ihl * 4;
176
177 if (ip_is_fragment(iph) ||
178 unlikely(ip_has_options(thoff)))
179 return -1;
180
181 if (iph->protocol != IPPROTO_TCP &&
182 iph->protocol != IPPROTO_UDP)
183 return -1;
184
185 if (iph->ttl <= 1)
186 return -1;
187
188 thoff = iph->ihl * 4;
189 if (!pskb_may_pull(skb, thoff + sizeof(*ports)))
190 return -1;
191
192 ports = (struct flow_ports *)(skb_network_header(skb) + thoff);
193
194 tuple->src_v4.s_addr = iph->saddr;
195 tuple->dst_v4.s_addr = iph->daddr;
196 tuple->src_port = ports->source;
197 tuple->dst_port = ports->dest;
198 tuple->l3proto = AF_INET;
199 tuple->l4proto = iph->protocol;
200 tuple->iifidx = dev->ifindex;
201
202 return 0;
203 }
204
205 /* Based on ip_exceeds_mtu(). */
206 static bool nf_flow_exceeds_mtu(const struct sk_buff *skb, unsigned int mtu)
207 {
208 if (skb->len <= mtu)
209 return false;
210
211 if (skb_is_gso(skb) && skb_gso_validate_network_len(skb, mtu))
212 return false;
213
214 return true;
215 }
216
217 unsigned int
218 nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
219 const struct nf_hook_state *state)
220 {
221 struct flow_offload_tuple_rhash *tuplehash;
222 struct nf_flowtable *flow_table = priv;
223 struct flow_offload_tuple tuple = {};
224 enum flow_offload_tuple_dir dir;
225 struct flow_offload *flow;
226 struct net_device *outdev;
227 struct rtable *rt;
228 unsigned int thoff;
229 struct iphdr *iph;
230 __be32 nexthop;
231
232 if (skb->protocol != htons(ETH_P_IP))
233 return NF_ACCEPT;
234
235 if (nf_flow_tuple_ip(skb, state->in, &tuple) < 0)
236 return NF_ACCEPT;
237
238 tuplehash = flow_offload_lookup(flow_table, &tuple);
239 if (tuplehash == NULL)
240 return NF_ACCEPT;
241
242 dir = tuplehash->tuple.dir;
243 flow = container_of(tuplehash, struct flow_offload, tuplehash[dir]);
244 rt = (struct rtable *)flow->tuplehash[dir].tuple.dst_cache;
245 outdev = rt->dst.dev;
246
247 if (unlikely(nf_flow_exceeds_mtu(skb, flow->tuplehash[dir].tuple.mtu)))
248 return NF_ACCEPT;
249
250 if (skb_try_make_writable(skb, sizeof(*iph)))
251 return NF_DROP;
252
253 thoff = ip_hdr(skb)->ihl * 4;
254 if (nf_flow_state_check(flow, ip_hdr(skb)->protocol, skb, thoff))
255 return NF_ACCEPT;
256
257 if (nf_flow_nat_ip(flow, skb, thoff, dir) < 0)
258 return NF_DROP;
259
260 flow->timeout = (u32)jiffies + NF_FLOW_TIMEOUT;
261 iph = ip_hdr(skb);
262 ip_decrease_ttl(iph);
263
264 skb->dev = outdev;
265 nexthop = rt_nexthop(rt, flow->tuplehash[!dir].tuple.src_v4.s_addr);
266 skb_dst_set_noref(skb, &rt->dst);
267 neigh_xmit(NEIGH_ARP_TABLE, outdev, &nexthop, skb);
268
269 return NF_STOLEN;
270 }
271 EXPORT_SYMBOL_GPL(nf_flow_offload_ip_hook);
272
273 static int nf_flow_nat_ipv6_tcp(struct sk_buff *skb, unsigned int thoff,
274 struct in6_addr *addr,
275 struct in6_addr *new_addr)
276 {
277 struct tcphdr *tcph;
278
279 if (!pskb_may_pull(skb, thoff + sizeof(*tcph)) ||
280 skb_try_make_writable(skb, thoff + sizeof(*tcph)))
281 return -1;
282
283 tcph = (void *)(skb_network_header(skb) + thoff);
284 inet_proto_csum_replace16(&tcph->check, skb, addr->s6_addr32,
285 new_addr->s6_addr32, true);
286
287 return 0;
288 }
289
290 static int nf_flow_nat_ipv6_udp(struct sk_buff *skb, unsigned int thoff,
291 struct in6_addr *addr,
292 struct in6_addr *new_addr)
293 {
294 struct udphdr *udph;
295
296 if (!pskb_may_pull(skb, thoff + sizeof(*udph)) ||
297 skb_try_make_writable(skb, thoff + sizeof(*udph)))
298 return -1;
299
300 udph = (void *)(skb_network_header(skb) + thoff);
301 if (udph->check || skb->ip_summed == CHECKSUM_PARTIAL) {
302 inet_proto_csum_replace16(&udph->check, skb, addr->s6_addr32,
303 new_addr->s6_addr32, true);
304 if (!udph->check)
305 udph->check = CSUM_MANGLED_0;
306 }
307
308 return 0;
309 }
310
311 static int nf_flow_nat_ipv6_l4proto(struct sk_buff *skb, struct ipv6hdr *ip6h,
312 unsigned int thoff, struct in6_addr *addr,
313 struct in6_addr *new_addr)
314 {
315 switch (ip6h->nexthdr) {
316 case IPPROTO_TCP:
317 if (nf_flow_nat_ipv6_tcp(skb, thoff, addr, new_addr) < 0)
318 return NF_DROP;
319 break;
320 case IPPROTO_UDP:
321 if (nf_flow_nat_ipv6_udp(skb, thoff, addr, new_addr) < 0)
322 return NF_DROP;
323 break;
324 }
325
326 return 0;
327 }
328
329 static int nf_flow_snat_ipv6(const struct flow_offload *flow,
330 struct sk_buff *skb, struct ipv6hdr *ip6h,
331 unsigned int thoff,
332 enum flow_offload_tuple_dir dir)
333 {
334 struct in6_addr addr, new_addr;
335
336 switch (dir) {
337 case FLOW_OFFLOAD_DIR_ORIGINAL:
338 addr = ip6h->saddr;
339 new_addr = flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.dst_v6;
340 ip6h->saddr = new_addr;
341 break;
342 case FLOW_OFFLOAD_DIR_REPLY:
343 addr = ip6h->daddr;
344 new_addr = flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.src_v6;
345 ip6h->daddr = new_addr;
346 break;
347 default:
348 return -1;
349 }
350
351 return nf_flow_nat_ipv6_l4proto(skb, ip6h, thoff, &addr, &new_addr);
352 }
353
354 static int nf_flow_dnat_ipv6(const struct flow_offload *flow,
355 struct sk_buff *skb, struct ipv6hdr *ip6h,
356 unsigned int thoff,
357 enum flow_offload_tuple_dir dir)
358 {
359 struct in6_addr addr, new_addr;
360
361 switch (dir) {
362 case FLOW_OFFLOAD_DIR_ORIGINAL:
363 addr = ip6h->daddr;
364 new_addr = flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.src_v6;
365 ip6h->daddr = new_addr;
366 break;
367 case FLOW_OFFLOAD_DIR_REPLY:
368 addr = ip6h->saddr;
369 new_addr = flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.dst_v6;
370 ip6h->saddr = new_addr;
371 break;
372 default:
373 return -1;
374 }
375
376 return nf_flow_nat_ipv6_l4proto(skb, ip6h, thoff, &addr, &new_addr);
377 }
378
379 static int nf_flow_nat_ipv6(const struct flow_offload *flow,
380 struct sk_buff *skb,
381 enum flow_offload_tuple_dir dir)
382 {
383 struct ipv6hdr *ip6h = ipv6_hdr(skb);
384 unsigned int thoff = sizeof(*ip6h);
385
386 if (flow->flags & FLOW_OFFLOAD_SNAT &&
387 (nf_flow_snat_port(flow, skb, thoff, ip6h->nexthdr, dir) < 0 ||
388 nf_flow_snat_ipv6(flow, skb, ip6h, thoff, dir) < 0))
389 return -1;
390 if (flow->flags & FLOW_OFFLOAD_DNAT &&
391 (nf_flow_dnat_port(flow, skb, thoff, ip6h->nexthdr, dir) < 0 ||
392 nf_flow_dnat_ipv6(flow, skb, ip6h, thoff, dir) < 0))
393 return -1;
394
395 return 0;
396 }
397
398 static int nf_flow_tuple_ipv6(struct sk_buff *skb, const struct net_device *dev,
399 struct flow_offload_tuple *tuple)
400 {
401 struct flow_ports *ports;
402 struct ipv6hdr *ip6h;
403 unsigned int thoff;
404
405 if (!pskb_may_pull(skb, sizeof(*ip6h)))
406 return -1;
407
408 ip6h = ipv6_hdr(skb);
409
410 if (ip6h->nexthdr != IPPROTO_TCP &&
411 ip6h->nexthdr != IPPROTO_UDP)
412 return -1;
413
414 if (ip6h->hop_limit <= 1)
415 return -1;
416
417 thoff = sizeof(*ip6h);
418 if (!pskb_may_pull(skb, thoff + sizeof(*ports)))
419 return -1;
420
421 ports = (struct flow_ports *)(skb_network_header(skb) + thoff);
422
423 tuple->src_v6 = ip6h->saddr;
424 tuple->dst_v6 = ip6h->daddr;
425 tuple->src_port = ports->source;
426 tuple->dst_port = ports->dest;
427 tuple->l3proto = AF_INET6;
428 tuple->l4proto = ip6h->nexthdr;
429 tuple->iifidx = dev->ifindex;
430
431 return 0;
432 }
433
434 unsigned int
435 nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb,
436 const struct nf_hook_state *state)
437 {
438 struct flow_offload_tuple_rhash *tuplehash;
439 struct nf_flowtable *flow_table = priv;
440 struct flow_offload_tuple tuple = {};
441 enum flow_offload_tuple_dir dir;
442 const struct in6_addr *nexthop;
443 struct flow_offload *flow;
444 struct net_device *outdev;
445 struct ipv6hdr *ip6h;
446 struct rt6_info *rt;
447
448 if (skb->protocol != htons(ETH_P_IPV6))
449 return NF_ACCEPT;
450
451 if (nf_flow_tuple_ipv6(skb, state->in, &tuple) < 0)
452 return NF_ACCEPT;
453
454 tuplehash = flow_offload_lookup(flow_table, &tuple);
455 if (tuplehash == NULL)
456 return NF_ACCEPT;
457
458 dir = tuplehash->tuple.dir;
459 flow = container_of(tuplehash, struct flow_offload, tuplehash[dir]);
460 rt = (struct rt6_info *)flow->tuplehash[dir].tuple.dst_cache;
461 outdev = rt->dst.dev;
462
463 if (unlikely(nf_flow_exceeds_mtu(skb, flow->tuplehash[dir].tuple.mtu)))
464 return NF_ACCEPT;
465
466 if (nf_flow_state_check(flow, ipv6_hdr(skb)->nexthdr, skb,
467 sizeof(*ip6h)))
468 return NF_ACCEPT;
469
470 if (skb_try_make_writable(skb, sizeof(*ip6h)))
471 return NF_DROP;
472
473 if (nf_flow_nat_ipv6(flow, skb, dir) < 0)
474 return NF_DROP;
475
476 flow->timeout = (u32)jiffies + NF_FLOW_TIMEOUT;
477 ip6h = ipv6_hdr(skb);
478 ip6h->hop_limit--;
479
480 skb->dev = outdev;
481 nexthop = rt6_nexthop(rt, &flow->tuplehash[!dir].tuple.src_v6);
482 skb_dst_set_noref(skb, &rt->dst);
483 neigh_xmit(NEIGH_ND_TABLE, outdev, nexthop, skb);
484
485 return NF_STOLEN;
486 }
487 EXPORT_SYMBOL_GPL(nf_flow_offload_ipv6_hook);
Ubuntu Focal Linux kernel mirror