2019-03-27 17:22:25 +09:00
|
|
|
// SPDX-License-Identifier: GPL-2.0
|
|
|
|
|
|
|
|
|
|
#include <linux/skbuff.h>
|
|
|
|
|
#include <linux/netfilter.h>
|
|
|
|
|
#include <linux/netfilter_ipv4.h>
|
|
|
|
|
#include <linux/netfilter_ipv6.h>
|
|
|
|
|
#include <linux/netfilter/nfnetlink.h>
|
|
|
|
|
#include <linux/netfilter/nf_tables.h>
|
|
|
|
|
#include <net/netfilter/nf_tables.h>
|
|
|
|
|
#include <net/netfilter/nf_tables_ipv4.h>
|
|
|
|
|
#include <net/netfilter/nf_tables_ipv6.h>
|
|
|
|
|
#include <net/route.h>
|
|
|
|
|
#include <net/ip.h>
|
|
|
|
|
|
|
|
|
|
#ifdef CONFIG_NF_TABLES_IPV4
|
|
|
|
|
static unsigned int nf_route_table_hook4(void *priv,
|
|
|
|
|
struct sk_buff *skb,
|
|
|
|
|
const struct nf_hook_state *state)
|
|
|
|
|
{
|
|
|
|
|
const struct iphdr *iph;
|
|
|
|
|
struct nft_pktinfo pkt;
|
|
|
|
|
__be32 saddr, daddr;
|
|
|
|
|
unsigned int ret;
|
|
|
|
|
u32 mark;
|
|
|
|
|
int err;
|
|
|
|
|
u8 tos;
|
|
|
|
|
|
|
|
|
|
nft_set_pktinfo(&pkt, skb, state);
|
|
|
|
|
nft_set_pktinfo_ipv4(&pkt, skb);
|
|
|
|
|
|
|
|
|
|
mark = skb->mark;
|
|
|
|
|
iph = ip_hdr(skb);
|
|
|
|
|
saddr = iph->saddr;
|
|
|
|
|
daddr = iph->daddr;
|
|
|
|
|
tos = iph->tos;
|
|
|
|
|
|
|
|
|
|
ret = nft_do_chain(&pkt, priv);
|
|
|
|
|
if (ret == NF_ACCEPT) {
|
|
|
|
|
iph = ip_hdr(skb);
|
|
|
|
|
|
|
|
|
|
if (iph->saddr != saddr ||
|
|
|
|
|
iph->daddr != daddr ||
|
|
|
|
|
skb->mark != mark ||
|
|
|
|
|
iph->tos != tos) {
|
netfilter: use actual socket sk rather than skb sk when routing harder
[ Upstream commit 46d6c5ae953cc0be38efd0e469284df7c4328cf8 ]
If netfilter changes the packet mark when mangling, the packet is
rerouted using the route_me_harder set of functions. Prior to this
commit, there's one big difference between route_me_harder and the
ordinary initial routing functions, described in the comment above
__ip_queue_xmit():
/* Note: skb->sk can be different from sk, in case of tunnels */
int __ip_queue_xmit(struct sock *sk, struct sk_buff *skb, struct flowi *fl,
That function goes on to correctly make use of sk->sk_bound_dev_if,
rather than skb->sk->sk_bound_dev_if. And indeed the comment is true: a
tunnel will receive a packet in ndo_start_xmit with an initial skb->sk.
It will make some transformations to that packet, and then it will send
the encapsulated packet out of a *new* socket. That new socket will
basically always have a different sk_bound_dev_if (otherwise there'd be
a routing loop). So for the purposes of routing the encapsulated packet,
the routing information as it pertains to the socket should come from
that socket's sk, rather than the packet's original skb->sk. For that
reason __ip_queue_xmit() and related functions all do the right thing.
One might argue that all tunnels should just call skb_orphan(skb) before
transmitting the encapsulated packet into the new socket. But tunnels do
*not* do this -- and this is wisely avoided in skb_scrub_packet() too --
because features like TSQ rely on skb->destructor() being called when
that buffer space is truely available again. Calling skb_orphan(skb) too
early would result in buffers filling up unnecessarily and accounting
info being all wrong. Instead, additional routing must take into account
the new sk, just as __ip_queue_xmit() notes.
So, this commit addresses the problem by fishing the correct sk out of
state->sk -- it's already set properly in the call to nf_hook() in
__ip_local_out(), which receives the sk as part of its normal
functionality. So we make sure to plumb state->sk through the various
route_me_harder functions, and then make correct use of it following the
example of __ip_queue_xmit().
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2020-10-29 11:56:06 +09:00
|
|
|
err = ip_route_me_harder(state->net, state->sk, skb, RTN_UNSPEC);
|
2019-03-27 17:22:25 +09:00
|
|
|
if (err < 0)
|
|
|
|
|
ret = NF_DROP_ERR(err);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static const struct nft_chain_type nft_chain_route_ipv4 = {
|
|
|
|
|
.name = "route",
|
|
|
|
|
.type = NFT_CHAIN_T_ROUTE,
|
|
|
|
|
.family = NFPROTO_IPV4,
|
|
|
|
|
.hook_mask = (1 << NF_INET_LOCAL_OUT),
|
|
|
|
|
.hooks = {
|
|
|
|
|
[NF_INET_LOCAL_OUT] = nf_route_table_hook4,
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
#ifdef CONFIG_NF_TABLES_IPV6
|
|
|
|
|
static unsigned int nf_route_table_hook6(void *priv,
|
|
|
|
|
struct sk_buff *skb,
|
|
|
|
|
const struct nf_hook_state *state)
|
|
|
|
|
{
|
|
|
|
|
struct in6_addr saddr, daddr;
|
|
|
|
|
struct nft_pktinfo pkt;
|
|
|
|
|
u32 mark, flowlabel;
|
|
|
|
|
unsigned int ret;
|
|
|
|
|
u8 hop_limit;
|
|
|
|
|
int err;
|
|
|
|
|
|
|
|
|
|
nft_set_pktinfo(&pkt, skb, state);
|
|
|
|
|
nft_set_pktinfo_ipv6(&pkt, skb);
|
|
|
|
|
|
|
|
|
|
/* save source/dest address, mark, hoplimit, flowlabel, priority */
|
|
|
|
|
memcpy(&saddr, &ipv6_hdr(skb)->saddr, sizeof(saddr));
|
|
|
|
|
memcpy(&daddr, &ipv6_hdr(skb)->daddr, sizeof(daddr));
|
|
|
|
|
mark = skb->mark;
|
|
|
|
|
hop_limit = ipv6_hdr(skb)->hop_limit;
|
|
|
|
|
|
|
|
|
|
/* flowlabel and prio (includes version, which shouldn't change either)*/
|
|
|
|
|
flowlabel = *((u32 *)ipv6_hdr(skb));
|
|
|
|
|
|
|
|
|
|
ret = nft_do_chain(&pkt, priv);
|
|
|
|
|
if (ret == NF_ACCEPT &&
|
|
|
|
|
(memcmp(&ipv6_hdr(skb)->saddr, &saddr, sizeof(saddr)) ||
|
|
|
|
|
memcmp(&ipv6_hdr(skb)->daddr, &daddr, sizeof(daddr)) ||
|
|
|
|
|
skb->mark != mark ||
|
|
|
|
|
ipv6_hdr(skb)->hop_limit != hop_limit ||
|
|
|
|
|
flowlabel != *((u32 *)ipv6_hdr(skb)))) {
|
netfilter: use actual socket sk rather than skb sk when routing harder
[ Upstream commit 46d6c5ae953cc0be38efd0e469284df7c4328cf8 ]
If netfilter changes the packet mark when mangling, the packet is
rerouted using the route_me_harder set of functions. Prior to this
commit, there's one big difference between route_me_harder and the
ordinary initial routing functions, described in the comment above
__ip_queue_xmit():
/* Note: skb->sk can be different from sk, in case of tunnels */
int __ip_queue_xmit(struct sock *sk, struct sk_buff *skb, struct flowi *fl,
That function goes on to correctly make use of sk->sk_bound_dev_if,
rather than skb->sk->sk_bound_dev_if. And indeed the comment is true: a
tunnel will receive a packet in ndo_start_xmit with an initial skb->sk.
It will make some transformations to that packet, and then it will send
the encapsulated packet out of a *new* socket. That new socket will
basically always have a different sk_bound_dev_if (otherwise there'd be
a routing loop). So for the purposes of routing the encapsulated packet,
the routing information as it pertains to the socket should come from
that socket's sk, rather than the packet's original skb->sk. For that
reason __ip_queue_xmit() and related functions all do the right thing.
One might argue that all tunnels should just call skb_orphan(skb) before
transmitting the encapsulated packet into the new socket. But tunnels do
*not* do this -- and this is wisely avoided in skb_scrub_packet() too --
because features like TSQ rely on skb->destructor() being called when
that buffer space is truely available again. Calling skb_orphan(skb) too
early would result in buffers filling up unnecessarily and accounting
info being all wrong. Instead, additional routing must take into account
the new sk, just as __ip_queue_xmit() notes.
So, this commit addresses the problem by fishing the correct sk out of
state->sk -- it's already set properly in the call to nf_hook() in
__ip_local_out(), which receives the sk as part of its normal
functionality. So we make sure to plumb state->sk through the various
route_me_harder functions, and then make correct use of it following the
example of __ip_queue_xmit().
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Reviewed-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2020-10-29 11:56:06 +09:00
|
|
|
err = nf_ip6_route_me_harder(state->net, state->sk, skb);
|
2019-03-27 17:22:25 +09:00
|
|
|
if (err < 0)
|
|
|
|
|
ret = NF_DROP_ERR(err);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static const struct nft_chain_type nft_chain_route_ipv6 = {
|
|
|
|
|
.name = "route",
|
|
|
|
|
.type = NFT_CHAIN_T_ROUTE,
|
|
|
|
|
.family = NFPROTO_IPV6,
|
|
|
|
|
.hook_mask = (1 << NF_INET_LOCAL_OUT),
|
|
|
|
|
.hooks = {
|
|
|
|
|
[NF_INET_LOCAL_OUT] = nf_route_table_hook6,
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
#ifdef CONFIG_NF_TABLES_INET
|
|
|
|
|
static unsigned int nf_route_table_inet(void *priv,
|
|
|
|
|
struct sk_buff *skb,
|
|
|
|
|
const struct nf_hook_state *state)
|
|
|
|
|
{
|
|
|
|
|
struct nft_pktinfo pkt;
|
|
|
|
|
|
|
|
|
|
switch (state->pf) {
|
|
|
|
|
case NFPROTO_IPV4:
|
|
|
|
|
return nf_route_table_hook4(priv, skb, state);
|
|
|
|
|
case NFPROTO_IPV6:
|
|
|
|
|
return nf_route_table_hook6(priv, skb, state);
|
|
|
|
|
default:
|
|
|
|
|
nft_set_pktinfo(&pkt, skb, state);
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nft_do_chain(&pkt, priv);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static const struct nft_chain_type nft_chain_route_inet = {
|
|
|
|
|
.name = "route",
|
|
|
|
|
.type = NFT_CHAIN_T_ROUTE,
|
|
|
|
|
.family = NFPROTO_INET,
|
|
|
|
|
.hook_mask = (1 << NF_INET_LOCAL_OUT),
|
|
|
|
|
.hooks = {
|
|
|
|
|
[NF_INET_LOCAL_OUT] = nf_route_table_inet,
|
|
|
|
|
},
|
|
|
|
|
};
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
void __init nft_chain_route_init(void)
|
|
|
|
|
{
|
|
|
|
|
#ifdef CONFIG_NF_TABLES_IPV6
|
|
|
|
|
nft_register_chain_type(&nft_chain_route_ipv6);
|
|
|
|
|
#endif
|
|
|
|
|
#ifdef CONFIG_NF_TABLES_IPV4
|
|
|
|
|
nft_register_chain_type(&nft_chain_route_ipv4);
|
|
|
|
|
#endif
|
|
|
|
|
#ifdef CONFIG_NF_TABLES_INET
|
|
|
|
|
nft_register_chain_type(&nft_chain_route_inet);
|
|
|
|
|
#endif
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
void __exit nft_chain_route_fini(void)
|
|
|
|
|
{
|
|
|
|
|
#ifdef CONFIG_NF_TABLES_IPV6
|
|
|
|
|
nft_unregister_chain_type(&nft_chain_route_ipv6);
|
|
|
|
|
#endif
|
|
|
|
|
#ifdef CONFIG_NF_TABLES_IPV4
|
|
|
|
|
nft_unregister_chain_type(&nft_chain_route_ipv4);
|
|
|
|
|
#endif
|
|
|
|
|
#ifdef CONFIG_NF_TABLES_INET
|
|
|
|
|
nft_unregister_chain_type(&nft_chain_route_inet);
|
|
|
|
|
#endif
|
|
|
|
|
}
|