Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit dbb5281a authored by Stephen Suryaputra's avatar Stephen Suryaputra Committed by Pablo Neira Ayuso
Browse files

netfilter: nf_tables: add support for matching IPv4 options 



This is the kernel change for the overall changes with this description:
Add capability to have rules matching IPv4 options. This is developed
mainly to support dropping of IP packets with loose and/or strict source
route route options.

Signed-off-by: default avatarStephen Suryaputra <ssuryaextr@gmail.com>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent f76c7bfc

include/uapi/linux/netfilter/nf_tables.h

+2 −0
Original line number Diff line number Diff line
@@ -730,10 +730,12 @@ enum nft_exthdr_flags { 
 *

 * @NFT_EXTHDR_OP_IPV6: match against ipv6 extension headers

 * @NFT_EXTHDR_OP_TCP: match against tcp options

 * @NFT_EXTHDR_OP_IPV4: match against ipv4 options

 */

enum nft_exthdr_op {

	NFT_EXTHDR_OP_IPV6,

	NFT_EXTHDR_OP_TCPOPT,

	NFT_EXTHDR_OP_IPV4,

	__NFT_EXTHDR_OP_MAX

};

#define NFT_EXTHDR_OP_MAX	(__NFT_EXTHDR_OP_MAX - 1)

net/ipv4/ip_options.c

+1 −0
Original line number Diff line number Diff line
@@ -473,6 +473,7 @@ int __ip_options_compile(struct net *net, 
		*info = htonl((pp_ptr-iph)<<24);

	return -EINVAL;

}

EXPORT_SYMBOL(__ip_options_compile);



int ip_options_compile(struct net *net,

		       struct ip_options *opt, struct sk_buff *skb)

net/netfilter/nft_exthdr.c

+133 −0
Original line number Diff line number Diff line
@@ -62,6 +62,103 @@ static void nft_exthdr_ipv6_eval(const struct nft_expr *expr, 
	regs->verdict.code = NFT_BREAK;

}



/* find the offset to specified option.

 *

 * If target header is found, its offset is set in *offset and return option

 * number. Otherwise, return negative error.

 *

 * If the first fragment doesn't contain the End of Options it is considered

 * invalid.

 */

static int ipv4_find_option(struct net *net, struct sk_buff *skb,

			    unsigned int *offset, int target)

{

	unsigned char optbuf[sizeof(struct ip_options) + 40];

	struct ip_options *opt = (struct ip_options *)optbuf;

	struct iphdr *iph, _iph;

	unsigned int start;

	bool found = false;

	__be32 info;

	int optlen;



	iph = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);

	if (!iph)

		return -EBADMSG;

	start = sizeof(struct iphdr);



	optlen = iph->ihl * 4 - (int)sizeof(struct iphdr);

	if (optlen <= 0)

		return -ENOENT;



	memset(opt, 0, sizeof(struct ip_options));

	/* Copy the options since __ip_options_compile() modifies

	 * the options.

	 */

	if (skb_copy_bits(skb, start, opt->__data, optlen))

		return -EBADMSG;

	opt->optlen = optlen;



	if (__ip_options_compile(net, opt, NULL, &info))

		return -EBADMSG;



	switch (target) {

	case IPOPT_SSRR:

	case IPOPT_LSRR:

		if (!opt->srr)

			break;

		found = target == IPOPT_SSRR ? opt->is_strictroute :

					       !opt->is_strictroute;

		if (found)

			*offset = opt->srr + start;

		break;

	case IPOPT_RR:

		if (!opt->rr)

			break;

		*offset = opt->rr + start;

		found = true;

		break;

	case IPOPT_RA:

		if (!opt->router_alert)

			break;

		*offset = opt->router_alert + start;

		found = true;

		break;

	default:

		return -EOPNOTSUPP;

	}

	return found ? target : -ENOENT;

}



static void nft_exthdr_ipv4_eval(const struct nft_expr *expr,

				 struct nft_regs *regs,

				 const struct nft_pktinfo *pkt)

{

	struct nft_exthdr *priv = nft_expr_priv(expr);

	u32 *dest = &regs->data[priv->dreg];

	struct sk_buff *skb = pkt->skb;

	unsigned int offset;

	int err;



	if (skb->protocol != htons(ETH_P_IP))

		goto err;



	err = ipv4_find_option(nft_net(pkt), skb, &offset, priv->type);

	if (priv->flags & NFT_EXTHDR_F_PRESENT) {

		*dest = (err >= 0);

		return;

	} else if (err < 0) {

		goto err;

	}

	offset += priv->offset;



	dest[priv->len / NFT_REG32_SIZE] = 0;

	if (skb_copy_bits(pkt->skb, offset, dest, priv->len) < 0)

		goto err;

	return;

err:

	regs->verdict.code = NFT_BREAK;

}



static void *

nft_tcp_header_pointer(const struct nft_pktinfo *pkt,

		       unsigned int len, void *buffer, unsigned int *tcphdr_len)
@@ -315,6 +412,28 @@ static int nft_exthdr_tcp_set_init(const struct nft_ctx *ctx, 
	return nft_validate_register_load(priv->sreg, priv->len);

}



static int nft_exthdr_ipv4_init(const struct nft_ctx *ctx,

				const struct nft_expr *expr,

				const struct nlattr * const tb[])

{

	struct nft_exthdr *priv = nft_expr_priv(expr);

	int err = nft_exthdr_init(ctx, expr, tb);



	if (err < 0)

		return err;



	switch (priv->type) {

	case IPOPT_SSRR:

	case IPOPT_LSRR:

	case IPOPT_RR:

	case IPOPT_RA:

		break;

	default:

		return -EOPNOTSUPP;

	}

	return 0;

}



static int nft_exthdr_dump_common(struct sk_buff *skb, const struct nft_exthdr *priv)

{

	if (nla_put_u8(skb, NFTA_EXTHDR_TYPE, priv->type))
@@ -361,6 +480,14 @@ static const struct nft_expr_ops nft_exthdr_ipv6_ops = { 
	.dump		= nft_exthdr_dump,

};



static const struct nft_expr_ops nft_exthdr_ipv4_ops = {

	.type		= &nft_exthdr_type,

	.size		= NFT_EXPR_SIZE(sizeof(struct nft_exthdr)),

	.eval		= nft_exthdr_ipv4_eval,

	.init		= nft_exthdr_ipv4_init,

	.dump		= nft_exthdr_dump,

};



static const struct nft_expr_ops nft_exthdr_tcp_ops = {

	.type		= &nft_exthdr_type,

	.size		= NFT_EXPR_SIZE(sizeof(struct nft_exthdr)),
@@ -401,6 +528,12 @@ nft_exthdr_select_ops(const struct nft_ctx *ctx, 
		if (tb[NFTA_EXTHDR_DREG])

			return &nft_exthdr_ipv6_ops;

		break;

	case NFT_EXTHDR_OP_IPV4:

		if (ctx->family != NFPROTO_IPV6) {

			if (tb[NFTA_EXTHDR_DREG])

				return &nft_exthdr_ipv4_ops;

		}

		break;

	}



	return ERR_PTR(-EOPNOTSUPP);