From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 17/53] netfilter: introduce nft_set_pktinfo_{ipv4, ipv6}_validate()
Date: Mon, 26 Sep 2016 01:06:27 +0200 [thread overview]
Message-ID: <1474844823-2026-18-git-send-email-pablo@netfilter.org> (raw)
In-Reply-To: <1474844823-2026-1-git-send-email-pablo@netfilter.org>
These functions are extracted from the netdev family, they initialize
the pktinfo structure and validate that the IPv4 and IPv6 headers are
well-formed given that these functions are called from a path where
layer 3 sanitization did not happen yet.
These functions are placed in include/net/netfilter/nf_tables_ipv{4,6}.h
so they can be reused by a follow up patch to use them from the bridge
family too.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/net/netfilter/nf_tables_ipv4.h | 42 ++++++++++++++++++
include/net/netfilter/nf_tables_ipv6.h | 49 +++++++++++++++++++++
net/netfilter/nf_tables_netdev.c | 79 +---------------------------------
3 files changed, 93 insertions(+), 77 deletions(-)
diff --git a/include/net/netfilter/nf_tables_ipv4.h b/include/net/netfilter/nf_tables_ipv4.h
index af952f7843ee..968f00b82fb5 100644
--- a/include/net/netfilter/nf_tables_ipv4.h
+++ b/include/net/netfilter/nf_tables_ipv4.h
@@ -20,6 +20,48 @@ nft_set_pktinfo_ipv4(struct nft_pktinfo *pkt,
pkt->xt.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
}
+static inline int
+__nft_set_pktinfo_ipv4_validate(struct nft_pktinfo *pkt,
+ struct sk_buff *skb,
+ const struct nf_hook_state *state)
+{
+ struct iphdr *iph, _iph;
+ u32 len, thoff;
+
+ iph = skb_header_pointer(skb, skb_network_offset(skb), sizeof(*iph),
+ &_iph);
+ if (!iph)
+ return -1;
+
+ iph = ip_hdr(skb);
+ if (iph->ihl < 5 || iph->version != 4)
+ return -1;
+
+ len = ntohs(iph->tot_len);
+ thoff = iph->ihl * 4;
+ if (skb->len < len)
+ return -1;
+ else if (len < thoff)
+ return -1;
+
+ pkt->tprot_set = true;
+ pkt->tprot = iph->protocol;
+ pkt->xt.thoff = thoff;
+ pkt->xt.fragoff = ntohs(iph->frag_off) & IP_OFFSET;
+
+ return 0;
+}
+
+static inline void
+nft_set_pktinfo_ipv4_validate(struct nft_pktinfo *pkt,
+ struct sk_buff *skb,
+ const struct nf_hook_state *state)
+{
+ nft_set_pktinfo(pkt, skb, state);
+ if (__nft_set_pktinfo_ipv4_validate(pkt, skb, state) < 0)
+ nft_set_pktinfo_proto_unspec(pkt, skb);
+}
+
extern struct nft_af_info nft_af_ipv4;
#endif
diff --git a/include/net/netfilter/nf_tables_ipv6.h b/include/net/netfilter/nf_tables_ipv6.h
index 1e0ffd5aea47..39b7b717b540 100644
--- a/include/net/netfilter/nf_tables_ipv6.h
+++ b/include/net/netfilter/nf_tables_ipv6.h
@@ -28,6 +28,55 @@ nft_set_pktinfo_ipv6(struct nft_pktinfo *pkt,
return 0;
}
+static inline int
+__nft_set_pktinfo_ipv6_validate(struct nft_pktinfo *pkt,
+ struct sk_buff *skb,
+ const struct nf_hook_state *state)
+{
+#if IS_ENABLED(CONFIG_IPV6)
+ struct ipv6hdr *ip6h, _ip6h;
+ unsigned int thoff = 0;
+ unsigned short frag_off;
+ int protohdr;
+ u32 pkt_len;
+
+ ip6h = skb_header_pointer(skb, skb_network_offset(skb), sizeof(*ip6h),
+ &_ip6h);
+ if (!ip6h)
+ return -1;
+
+ if (ip6h->version != 6)
+ return -1;
+
+ pkt_len = ntohs(ip6h->payload_len);
+ if (pkt_len + sizeof(*ip6h) > skb->len)
+ return -1;
+
+ protohdr = ipv6_find_hdr(pkt->skb, &thoff, -1, &frag_off, NULL);
+ if (protohdr < 0)
+ return -1;
+
+ pkt->tprot_set = true;
+ pkt->tprot = protohdr;
+ pkt->xt.thoff = thoff;
+ pkt->xt.fragoff = frag_off;
+
+ return 0;
+#else
+ return -1;
+#endif
+}
+
+static inline void
+nft_set_pktinfo_ipv6_validate(struct nft_pktinfo *pkt,
+ struct sk_buff *skb,
+ const struct nf_hook_state *state)
+{
+ nft_set_pktinfo(pkt, skb, state);
+ if (__nft_set_pktinfo_ipv6_validate(pkt, skb, state) < 0)
+ nft_set_pktinfo_proto_unspec(pkt, skb);
+}
+
extern struct nft_af_info nft_af_ipv6;
#endif
diff --git a/net/netfilter/nf_tables_netdev.c b/net/netfilter/nf_tables_netdev.c
index 8de502b0c37b..3e5475a833a5 100644
--- a/net/netfilter/nf_tables_netdev.c
+++ b/net/netfilter/nf_tables_netdev.c
@@ -15,81 +15,6 @@
#include <net/netfilter/nf_tables_ipv4.h>
#include <net/netfilter/nf_tables_ipv6.h>
-static inline void
-nft_netdev_set_pktinfo_ipv4(struct nft_pktinfo *pkt,
- struct sk_buff *skb,
- const struct nf_hook_state *state)
-{
- struct iphdr *iph, _iph;
- u32 len, thoff;
-
- nft_set_pktinfo(pkt, skb, state);
-
- iph = skb_header_pointer(skb, skb_network_offset(skb), sizeof(*iph),
- &_iph);
- if (!iph)
- return;
-
- iph = ip_hdr(skb);
- if (iph->ihl < 5 || iph->version != 4)
- return;
-
- len = ntohs(iph->tot_len);
- thoff = iph->ihl * 4;
- if (skb->len < len)
- return;
- else if (len < thoff)
- return;
-
- pkt->tprot_set = true;
- pkt->tprot = iph->protocol;
- pkt->xt.thoff = thoff;
- pkt->xt.fragoff = ntohs(iph->frag_off) & IP_OFFSET;
-}
-
-static inline void
-__nft_netdev_set_pktinfo_ipv6(struct nft_pktinfo *pkt,
- struct sk_buff *skb,
- const struct nf_hook_state *state)
-{
-#if IS_ENABLED(CONFIG_IPV6)
- struct ipv6hdr *ip6h, _ip6h;
- unsigned int thoff = 0;
- unsigned short frag_off;
- int protohdr;
- u32 pkt_len;
-
- ip6h = skb_header_pointer(skb, skb_network_offset(skb), sizeof(*ip6h),
- &_ip6h);
- if (!ip6h)
- return;
-
- if (ip6h->version != 6)
- return;
-
- pkt_len = ntohs(ip6h->payload_len);
- if (pkt_len + sizeof(*ip6h) > skb->len)
- return;
-
- protohdr = ipv6_find_hdr(pkt->skb, &thoff, -1, &frag_off, NULL);
- if (protohdr < 0)
- return;
-
- pkt->tprot_set = true;
- pkt->tprot = protohdr;
- pkt->xt.thoff = thoff;
- pkt->xt.fragoff = frag_off;
-#endif
-}
-
-static inline void nft_netdev_set_pktinfo_ipv6(struct nft_pktinfo *pkt,
- struct sk_buff *skb,
- const struct nf_hook_state *state)
-{
- nft_set_pktinfo(pkt, skb, state);
- __nft_netdev_set_pktinfo_ipv6(pkt, skb, state);
-}
-
static unsigned int
nft_do_chain_netdev(void *priv, struct sk_buff *skb,
const struct nf_hook_state *state)
@@ -98,10 +23,10 @@ nft_do_chain_netdev(void *priv, struct sk_buff *skb,
switch (skb->protocol) {
case htons(ETH_P_IP):
- nft_netdev_set_pktinfo_ipv4(&pkt, skb, state);
+ nft_set_pktinfo_ipv4_validate(&pkt, skb, state);
break;
case htons(ETH_P_IPV6):
- nft_netdev_set_pktinfo_ipv6(&pkt, skb, state);
+ nft_set_pktinfo_ipv6_validate(&pkt, skb, state);
break;
default:
nft_set_pktinfo_unspec(&pkt, skb, state);
--
2.1.4
next prev parent reply other threads:[~2016-09-25 23:06 UTC|newest]
Thread overview: 55+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-09-25 23:06 [PATCH 00/53] Netfilter updates for net-next Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 01/53] netfilter: gre: Use consistent GRE_* macros instead of ones defined by netfilter Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 02/53] netfilter: gre: Use consistent GRE and PTTP header structure instead of the " Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 03/53] netfilter: nf_ct_sip: correct parsing of continuation lines in SIP headers Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 04/53] netfilter: nf_ct_sip: correct allowed characters in Call-ID SIP header Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 05/53] netfilter: ftp: Remove the useless dlen==0 condition check in find_pattern Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 06/53] netfilter: ftp: Remove the useless code Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 07/53] netfilter: nft_numgen: rename until attribute by modulus Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 08/53] netfilter: nft_quota: fix overquota logic Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 09/53] netfilter: nft_quota: introduce nft_overquota() Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 10/53] netfilter: nf_ct_sip: allow tab character in SIP headers Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 11/53] netfilter: nft_queue: check the validation of queues_total and queuenum Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 12/53] netfilter: nf_conntrack: remove unused ctl_table_path member in nf_conntrack_l3proto Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 13/53] netfilter: nft_hash: Add hash offset value Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 14/53] netfilter: nft_dynset: allow to invert match criteria Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 15/53] netfilter: nf_tables: ensure proper initialization of nft_pktinfo fields Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 16/53] netfilter: nf_tables_ipv6: setup pktinfo transport field on failure to parse Pablo Neira Ayuso
2016-09-25 23:06 ` Pablo Neira Ayuso [this message]
2016-09-25 23:06 ` [PATCH 18/53] netfilter: nf_tables_bridge: use nft_set_pktinfo_ipv{4, 6}_validate Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 19/53] netfilter: nf_tables: don't drop IPv6 packets that cannot parse transport Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 20/53] netfilter: nf_conntrack: simplify __nf_ct_try_assign_helper() return logic Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 21/53] netfilter: Add the missed return value check of register_netdevice_notifier Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 22/53] netfilter: Add the missed return value check of nft_register_chain_type Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 23/53] netfilter: nf_queue: get rid of dependency on IP6_NF_IPTABLES Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 24/53] netfilter: conntrack: remove packet hotpath stats Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 25/53] netfilter: nft_numgen: fix race between num generate and store it Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 26/53] netfilter: nft_hash: fix hash overflow validation Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 27/53] netfilter: nft_numgen: add number generation offset Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 28/53] netfilter: nf_tables: validate maximum value of u32 netlink attributes Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 29/53] netfilter: nft_queue: add _SREG_QNUM attr to select the queue number Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 30/53] netfilter: nf_queue: improve queue range support for bridge family Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 31/53] netfilter: nf_tables: improve nft payload fast eval Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 32/53] netfilter: nf_tables: check tprot_set first when we use xt.thoff Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 33/53] netfilter: Enhance the codes used to get random once Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 34/53] netfilter: xt_helper: Use sizeof(variable) instead of literal number Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 35/53] netfilter: nft_lookup: remove superfluous element found check Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 36/53] netfilter: xt_TCPMSS: Refactor the codes to decrease one condition check and more readable Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 37/53] netfilter: bridge: add and use br_nf_hook_thresh Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 38/53] netfilter: call nf_hook_state_init with rcu_read_lock held Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 39/53] netfilter: call nf_hook_ingress with rcu_read_lock Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 40/53] netfilter: Remove explicit rcu_read_lock in nf_hook_slow Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 41/53] netfilter: Only allow sane values in nf_register_net_hook Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 42/53] netfilter: nf_queue: whitespace cleanup Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 43/53] netfilter: replace list_head with single linked list Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 44/53] netfilter: seqadj: Fix the wrong ack adjust for the RST packet without ack Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 45/53] netfilter: nft_ct: unnecessary to require dir when use ct l3proto/protocol Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 46/53] netfilter: nft_ct: report error if mark and dir specified simultaneously Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 47/53] netfilter: xt_hashlimit: Prepare for revision 2 Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 48/53] netfilter: xt_hashlimit: Create revision 2 to support higher pps rates Pablo Neira Ayuso
2016-09-25 23:06 ` [PATCH 49/53] netfilter: evict stale entries when user reads /proc/net/nf_conntrack Pablo Neira Ayuso
2016-09-25 23:07 ` [PATCH 50/53] netfilter: xt_socket: fix transparent match for IPv6 request sockets Pablo Neira Ayuso
2016-09-25 23:07 ` [PATCH 51/53] netfilter: nf_tables: add range expression Pablo Neira Ayuso
2016-09-25 23:07 ` [PATCH 52/53] netfilter: nft_log: complete NFTA_LOG_FLAGS attr support Pablo Neira Ayuso
2016-09-25 23:07 ` [PATCH 53/53] netfilter: nf_log: get rid of XT_LOG_* macros Pablo Neira Ayuso
2016-09-26 1:05 ` [PATCH 00/53] Netfilter updates for net-next David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1474844823-2026-18-git-send-email-pablo@netfilter.org \
--to=pablo@netfilter.org \
--cc=davem@davemloft.net \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).