netfilter: use skb_ip_totlen and iph_totlen

There are also quite some places in netfilter that may process IPv4 TCP
GSO packets, we need to replace them too.

In length_mt(), we have to use u_int32_t/int to accept skb_ip_totlen()
return value, otherwise it may overflow and mismatch. This change will
also help us add selftest for IPv4 BIG TCP in the following patch.

Note that we don't need to replace the one in tcpmss_tg4(), as it will
return if there is data after tcphdr in tcpmss_mangle_packet(). The
same in mangle_contents() in nf_nat_helper.c, it returns false when
skb->len + extra > 65535 in enlarge_skb().

Signed-off-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

diff --git a/include/net/netfilter/nf_tables_ipv4.h b/include/net/netfilter/nf_tables_ipv4.h
index 112708f7a6b4fc2f5257af2661e359addc9086af..947973623dc77e1f73bf26e9f7f548d3bd186cd9 100644 (file)
--- a/include/net/netfilter/nf_tables_ipv4.h
+++ b/include/net/netfilter/nf_tables_ipv4.h
@@ -29,7 +29,7 @@ static inline int __nft_set_pktinfo_ipv4_validate(struct nft_pktinfo *pkt)
        if (iph->ihl < 5 || iph->version != 4)
                return -1;
 
-       len = ntohs(iph->tot_len);
+       len = iph_totlen(pkt->skb, iph);
        thoff = iph->ihl * 4;
        if (pkt->skb->len < len)
                return -1;
@@ -64,7 +64,7 @@ static inline int nft_set_pktinfo_ipv4_ingress(struct nft_pktinfo *pkt)
        if (iph->ihl < 5 || iph->version != 4)
                goto inhdr_error;
 
-       len = ntohs(iph->tot_len);
+       len = iph_totlen(pkt->skb, iph);
        thoff = iph->ihl * 4;
        if (pkt->skb->len < len) {
                __IP_INC_STATS(nft_net(pkt), IPSTATS_MIB_INTRUNCATEDPKTS);

diff --git a/net/netfilter/ipvs/ip_vs_xmit.c b/net/netfilter/ipvs/ip_vs_xmit.c
index 0291713798842f4af005c9806f79e0101b3c19d8..80448885c3d717dfa99bb224c7bda56e74c33c24 100644 (file)
--- a/net/netfilter/ipvs/ip_vs_xmit.c
+++ b/net/netfilter/ipvs/ip_vs_xmit.c
@@ -994,7 +994,7 @@ ip_vs_prepare_tunneled_skb(struct sk_buff *skb, int skb_af,
                old_dsfield = ipv4_get_dsfield(old_iph);
                *ttl = old_iph->ttl;
                if (payload_len)
-                       *payload_len = ntohs(old_iph->tot_len);
+                       *payload_len = skb_ip_totlen(skb);
        }
 
        /* Implement full-functionality option for ECN encapsulation */

diff --git a/net/netfilter/nf_log_syslog.c b/net/netfilter/nf_log_syslog.c
index cb894f0d63e9d300a47bfc1c723a0a79c8913c75..c66689ad2b491977876aa47e6d4201de29244950 100644 (file)
--- a/net/netfilter/nf_log_syslog.c
+++ b/net/netfilter/nf_log_syslog.c
@@ -322,7 +322,7 @@ dump_ipv4_packet(struct net *net, struct nf_log_buf *m,
 
        /* Max length: 46 "LEN=65535 TOS=0xFF PREC=0xFF TTL=255 ID=65535 " */
        nf_log_buf_add(m, "LEN=%u TOS=0x%02X PREC=0x%02X TTL=%u ID=%u ",
-                      ntohs(ih->tot_len), ih->tos & IPTOS_TOS_MASK,
+                      iph_totlen(skb, ih), ih->tos & IPTOS_TOS_MASK,
                       ih->tos & IPTOS_PREC_MASK, ih->ttl, ntohs(ih->id));
 
        /* Max length: 6 "CE DF MF " */

diff --git a/net/netfilter/xt_length.c b/net/netfilter/xt_length.c
index 1873da3a945abbc6e8849e4555b42acdd34cff2d..b3d623a52885ba3a3434ff2649cc17055d4d9ee6 100644 (file)
--- a/net/netfilter/xt_length.c
+++ b/net/netfilter/xt_length.c
@@ -21,7 +21,7 @@ static bool
 length_mt(const struct sk_buff *skb, struct xt_action_param *par)
 {
        const struct xt_length_info *info = par->matchinfo;
-       u_int16_t pktlen = ntohs(ip_hdr(skb)->tot_len);
+       u32 pktlen = skb_ip_totlen(skb);
 
        return (pktlen >= info->min && pktlen <= info->max) ^ info->invert;
 }