2019-05-27 15:55:01 +09:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-or-later
|
2015-01-19 06:35:14 +09:00
|
|
|
/*
|
|
|
|
|
* net/sched/act_connmark.c netfilter connmark retriever action
|
|
|
|
|
* skb mark is over-written
|
|
|
|
|
*
|
|
|
|
|
* Copyright (c) 2011 Felix Fietkau <nbd@openwrt.org>
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include <linux/module.h>
|
|
|
|
|
#include <linux/init.h>
|
|
|
|
|
#include <linux/kernel.h>
|
|
|
|
|
#include <linux/skbuff.h>
|
|
|
|
|
#include <linux/rtnetlink.h>
|
|
|
|
|
#include <linux/pkt_cls.h>
|
|
|
|
|
#include <linux/ip.h>
|
|
|
|
|
#include <linux/ipv6.h>
|
|
|
|
|
#include <net/netlink.h>
|
|
|
|
|
#include <net/pkt_sched.h>
|
|
|
|
|
#include <net/act_api.h>
|
2019-03-20 23:00:05 +09:00
|
|
|
#include <net/pkt_cls.h>
|
2015-01-19 06:35:14 +09:00
|
|
|
#include <uapi/linux/tc_act/tc_connmark.h>
|
|
|
|
|
#include <net/tc_act/tc_connmark.h>
|
|
|
|
|
|
|
|
|
|
#include <net/netfilter/nf_conntrack.h>
|
|
|
|
|
#include <net/netfilter/nf_conntrack_core.h>
|
|
|
|
|
#include <net/netfilter/nf_conntrack_zones.h>
|
|
|
|
|
|
netns: make struct pernet_operations::id unsigned int
Make struct pernet_operations::id unsigned.
There are 2 reasons to do so:
1)
This field is really an index into an zero based array and
thus is unsigned entity. Using negative value is out-of-bound
access by definition.
2)
On x86_64 unsigned 32-bit data which are mixed with pointers
via array indexing or offsets added or subtracted to pointers
are preffered to signed 32-bit data.
"int" being used as an array index needs to be sign-extended
to 64-bit before being used.
void f(long *p, int i)
{
g(p[i]);
}
roughly translates to
movsx rsi, esi
mov rdi, [rsi+...]
call g
MOVSX is 3 byte instruction which isn't necessary if the variable is
unsigned because x86_64 is zero extending by default.
Now, there is net_generic() function which, you guessed it right, uses
"int" as an array index:
static inline void *net_generic(const struct net *net, int id)
{
...
ptr = ng->ptr[id - 1];
...
}
And this function is used a lot, so those sign extensions add up.
Patch snipes ~1730 bytes on allyesconfig kernel (without all junk
messing with code generation):
add/remove: 0/0 grow/shrink: 70/598 up/down: 396/-2126 (-1730)
Unfortunately some functions actually grow bigger.
This is a semmingly random artefact of code generation with register
allocator being used differently. gcc decides that some variable
needs to live in new r8+ registers and every access now requires REX
prefix. Or it is shifted into r12, so [r12+0] addressing mode has to be
used which is longer than [r8]
However, overall balance is in negative direction:
add/remove: 0/0 grow/shrink: 70/598 up/down: 396/-2126 (-1730)
function old new delta
nfsd4_lock 3886 3959 +73
tipc_link_build_proto_msg 1096 1140 +44
mac80211_hwsim_new_radio 2776 2808 +32
tipc_mon_rcv 1032 1058 +26
svcauth_gss_legacy_init 1413 1429 +16
tipc_bcbase_select_primary 379 392 +13
nfsd4_exchange_id 1247 1260 +13
nfsd4_setclientid_confirm 782 793 +11
...
put_client_renew_locked 494 480 -14
ip_set_sockfn_get 730 716 -14
geneve_sock_add 829 813 -16
nfsd4_sequence_done 721 703 -18
nlmclnt_lookup_host 708 686 -22
nfsd4_lockt 1085 1063 -22
nfs_get_client 1077 1050 -27
tcf_bpf_init 1106 1076 -30
nfsd4_encode_fattr 5997 5930 -67
Total: Before=154856051, After=154854321, chg -0.00%
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-11-17 10:58:21 +09:00
|
|
|
static unsigned int connmark_net_id;
|
2016-07-26 08:09:41 +09:00
|
|
|
static struct tc_action_ops act_connmark_ops;
|
2016-02-23 08:57:53 +09:00
|
|
|
|
2018-08-12 22:34:49 +09:00
|
|
|
static int tcf_connmark_act(struct sk_buff *skb, const struct tc_action *a,
|
|
|
|
|
struct tcf_result *res)
|
2015-01-19 06:35:14 +09:00
|
|
|
{
|
|
|
|
|
const struct nf_conntrack_tuple_hash *thash;
|
|
|
|
|
struct nf_conntrack_tuple tuple;
|
|
|
|
|
enum ip_conntrack_info ctinfo;
|
2016-07-26 08:09:41 +09:00
|
|
|
struct tcf_connmark_info *ca = to_connmark(a);
|
2015-08-09 04:40:01 +09:00
|
|
|
struct nf_conntrack_zone zone;
|
2015-01-19 06:35:14 +09:00
|
|
|
struct nf_conn *c;
|
|
|
|
|
int proto;
|
|
|
|
|
|
|
|
|
|
spin_lock(&ca->tcf_lock);
|
2016-06-06 19:32:53 +09:00
|
|
|
tcf_lastuse_update(&ca->tcf_tm);
|
2015-01-19 06:35:14 +09:00
|
|
|
bstats_update(&ca->tcf_bstats, skb);
|
|
|
|
|
|
sched: consistently handle layer3 header accesses in the presence of VLANs
[ Upstream commit d7bf2ebebc2bd61ab95e2a8e33541ef282f303d4 ]
There are a couple of places in net/sched/ that check skb->protocol and act
on the value there. However, in the presence of VLAN tags, the value stored
in skb->protocol can be inconsistent based on whether VLAN acceleration is
enabled. The commit quoted in the Fixes tag below fixed the users of
skb->protocol to use a helper that will always see the VLAN ethertype.
However, most of the callers don't actually handle the VLAN ethertype, but
expect to find the IP header type in the protocol field. This means that
things like changing the ECN field, or parsing diffserv values, stops
working if there's a VLAN tag, or if there are multiple nested VLAN
tags (QinQ).
To fix this, change the helper to take an argument that indicates whether
the caller wants to skip the VLAN tags or not. When skipping VLAN tags, we
make sure to skip all of them, so behaviour is consistent even in QinQ
mode.
To make the helper usable from the ECN code, move it to if_vlan.h instead
of pkt_sched.h.
v3:
- Remove empty lines
- Move vlan variable definitions inside loop in skb_protocol()
- Also use skb_protocol() helper in IP{,6}_ECN_decapsulate() and
bpf_skb_ecn_set_ce()
v2:
- Use eth_type_vlan() helper in skb_protocol()
- Also fix code that reads skb->protocol directly
- Change a couple of 'if/else if' statements to switch constructs to avoid
calling the helper twice
Reported-by: Ilya Ponetayev <i.ponetaev@ndmsystems.com>
Fixes: d8b9605d2697 ("net: sched: fix skb->protocol use in case of accelerated vlan path")
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-07-04 05:26:43 +09:00
|
|
|
switch (skb_protocol(skb, true)) {
|
|
|
|
|
case htons(ETH_P_IP):
|
2015-01-19 06:35:14 +09:00
|
|
|
if (skb->len < sizeof(struct iphdr))
|
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
|
|
proto = NFPROTO_IPV4;
|
sched: consistently handle layer3 header accesses in the presence of VLANs
[ Upstream commit d7bf2ebebc2bd61ab95e2a8e33541ef282f303d4 ]
There are a couple of places in net/sched/ that check skb->protocol and act
on the value there. However, in the presence of VLAN tags, the value stored
in skb->protocol can be inconsistent based on whether VLAN acceleration is
enabled. The commit quoted in the Fixes tag below fixed the users of
skb->protocol to use a helper that will always see the VLAN ethertype.
However, most of the callers don't actually handle the VLAN ethertype, but
expect to find the IP header type in the protocol field. This means that
things like changing the ECN field, or parsing diffserv values, stops
working if there's a VLAN tag, or if there are multiple nested VLAN
tags (QinQ).
To fix this, change the helper to take an argument that indicates whether
the caller wants to skip the VLAN tags or not. When skipping VLAN tags, we
make sure to skip all of them, so behaviour is consistent even in QinQ
mode.
To make the helper usable from the ECN code, move it to if_vlan.h instead
of pkt_sched.h.
v3:
- Remove empty lines
- Move vlan variable definitions inside loop in skb_protocol()
- Also use skb_protocol() helper in IP{,6}_ECN_decapsulate() and
bpf_skb_ecn_set_ce()
v2:
- Use eth_type_vlan() helper in skb_protocol()
- Also fix code that reads skb->protocol directly
- Change a couple of 'if/else if' statements to switch constructs to avoid
calling the helper twice
Reported-by: Ilya Ponetayev <i.ponetaev@ndmsystems.com>
Fixes: d8b9605d2697 ("net: sched: fix skb->protocol use in case of accelerated vlan path")
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-07-04 05:26:43 +09:00
|
|
|
break;
|
|
|
|
|
case htons(ETH_P_IPV6):
|
2015-01-19 06:35:14 +09:00
|
|
|
if (skb->len < sizeof(struct ipv6hdr))
|
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
|
|
proto = NFPROTO_IPV6;
|
sched: consistently handle layer3 header accesses in the presence of VLANs
[ Upstream commit d7bf2ebebc2bd61ab95e2a8e33541ef282f303d4 ]
There are a couple of places in net/sched/ that check skb->protocol and act
on the value there. However, in the presence of VLAN tags, the value stored
in skb->protocol can be inconsistent based on whether VLAN acceleration is
enabled. The commit quoted in the Fixes tag below fixed the users of
skb->protocol to use a helper that will always see the VLAN ethertype.
However, most of the callers don't actually handle the VLAN ethertype, but
expect to find the IP header type in the protocol field. This means that
things like changing the ECN field, or parsing diffserv values, stops
working if there's a VLAN tag, or if there are multiple nested VLAN
tags (QinQ).
To fix this, change the helper to take an argument that indicates whether
the caller wants to skip the VLAN tags or not. When skipping VLAN tags, we
make sure to skip all of them, so behaviour is consistent even in QinQ
mode.
To make the helper usable from the ECN code, move it to if_vlan.h instead
of pkt_sched.h.
v3:
- Remove empty lines
- Move vlan variable definitions inside loop in skb_protocol()
- Also use skb_protocol() helper in IP{,6}_ECN_decapsulate() and
bpf_skb_ecn_set_ce()
v2:
- Use eth_type_vlan() helper in skb_protocol()
- Also fix code that reads skb->protocol directly
- Change a couple of 'if/else if' statements to switch constructs to avoid
calling the helper twice
Reported-by: Ilya Ponetayev <i.ponetaev@ndmsystems.com>
Fixes: d8b9605d2697 ("net: sched: fix skb->protocol use in case of accelerated vlan path")
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-07-04 05:26:43 +09:00
|
|
|
break;
|
|
|
|
|
default:
|
2015-01-19 06:35:14 +09:00
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
c = nf_ct_get(skb, &ctinfo);
|
|
|
|
|
if (c) {
|
|
|
|
|
skb->mark = c->mark;
|
|
|
|
|
/* using overlimits stats to count how many packets marked */
|
|
|
|
|
ca->tcf_qstats.overlimits++;
|
|
|
|
|
goto out;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb),
|
2015-09-19 04:33:04 +09:00
|
|
|
proto, ca->net, &tuple))
|
2015-01-19 06:35:14 +09:00
|
|
|
goto out;
|
|
|
|
|
|
2015-08-09 04:40:01 +09:00
|
|
|
zone.id = ca->zone;
|
netfilter: nf_conntrack: add direction support for zones
This work adds a direction parameter to netfilter zones, so identity
separation can be performed only in original/reply or both directions
(default). This basically opens up the possibility of doing NAT with
conflicting IP address/port tuples from multiple, isolated tenants
on a host (e.g. from a netns) without requiring each tenant to NAT
twice resp. to use its own dedicated IP address to SNAT to, meaning
overlapping tuples can be made unique with the zone identifier in
original direction, where the NAT engine will then allocate a unique
tuple in the commonly shared default zone for the reply direction.
In some restricted, local DNAT cases, also port redirection could be
used for making the reply traffic unique w/o requiring SNAT.
The consensus we've reached and discussed at NFWS and since the initial
implementation [1] was to directly integrate the direction meta data
into the existing zones infrastructure, as opposed to the ct->mark
approach we proposed initially.
As we pass the nf_conntrack_zone object directly around, we don't have
to touch all call-sites, but only those, that contain equality checks
of zones. Thus, based on the current direction (original or reply),
we either return the actual id, or the default NF_CT_DEFAULT_ZONE_ID.
CT expectations are direction-agnostic entities when expectations are
being compared among themselves, so we can only use the identifier
in this case.
Note that zone identifiers can not be included into the hash mix
anymore as they don't contain a "stable" value that would be equal
for both directions at all times, f.e. if only zone->id would
unconditionally be xor'ed into the table slot hash, then replies won't
find the corresponding conntracking entry anymore.
If no particular direction is specified when configuring zones, the
behaviour is exactly as we expect currently (both directions).
Support has been added for the CT netlink interface as well as the
x_tables raw CT target, which both already offer existing interfaces
to user space for the configuration of zones.
Below a minimal, simplified collision example (script in [2]) with
netperf sessions:
+--- tenant-1 ---+ mark := 1
| netperf |--+
+----------------+ | CT zone := mark [ORIGINAL]
[ip,sport] := X +--------------+ +--- gateway ---+
| mark routing |--| SNAT |-- ... +
+--------------+ +---------------+ |
+--- tenant-2 ---+ | ~~~|~~~
| netperf |--+ +-----------+ |
+----------------+ mark := 2 | netserver |------ ... +
[ip,sport] := X +-----------+
[ip,port] := Y
On the gateway netns, example:
iptables -t raw -A PREROUTING -j CT --zone mark --zone-dir ORIGINAL
iptables -t nat -A POSTROUTING -o <dev> -j SNAT --to-source <ip> --random-fully
iptables -t mangle -A PREROUTING -m conntrack --ctdir ORIGINAL -j CONNMARK --save-mark
iptables -t mangle -A POSTROUTING -m conntrack --ctdir REPLY -j CONNMARK --restore-mark
conntrack dump from gateway netns:
netperf -H 10.1.1.2 -t TCP_STREAM -l60 -p12865,5555 from each tenant netns
tcp 6 431995 ESTABLISHED src=40.1.1.1 dst=10.1.1.2 sport=5555 dport=12865 zone-orig=1
src=10.1.1.2 dst=10.1.1.1 sport=12865 dport=1024
[ASSURED] mark=1 secctx=system_u:object_r:unlabeled_t:s0 use=1
tcp 6 431994 ESTABLISHED src=40.1.1.1 dst=10.1.1.2 sport=5555 dport=12865 zone-orig=2
src=10.1.1.2 dst=10.1.1.1 sport=12865 dport=5555
[ASSURED] mark=2 secctx=system_u:object_r:unlabeled_t:s0 use=1
tcp 6 299 ESTABLISHED src=40.1.1.1 dst=10.1.1.2 sport=39438 dport=33768 zone-orig=1
src=10.1.1.2 dst=10.1.1.1 sport=33768 dport=39438
[ASSURED] mark=1 secctx=system_u:object_r:unlabeled_t:s0 use=1
tcp 6 300 ESTABLISHED src=40.1.1.1 dst=10.1.1.2 sport=32889 dport=40206 zone-orig=2
src=10.1.1.2 dst=10.1.1.1 sport=40206 dport=32889
[ASSURED] mark=2 secctx=system_u:object_r:unlabeled_t:s0 use=2
Taking this further, test script in [2] creates 200 tenants and runs
original-tuple colliding netperf sessions each. A conntrack -L dump in
the gateway netns also confirms 200 overlapping entries, all in ESTABLISHED
state as expected.
I also did run various other tests with some permutations of the script,
to mention some: SNAT in random/random-fully/persistent mode, no zones (no
overlaps), static zones (original, reply, both directions), etc.
[1] http://thread.gmane.org/gmane.comp.security.firewalls.netfilter.devel/57412/
[2] https://paste.fedoraproject.org/242835/65657871/
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2015-08-14 23:03:39 +09:00
|
|
|
zone.dir = NF_CT_DEFAULT_ZONE_DIR;
|
2015-08-09 04:40:01 +09:00
|
|
|
|
2015-09-19 04:33:03 +09:00
|
|
|
thash = nf_conntrack_find_get(ca->net, &zone, &tuple);
|
2015-01-19 06:35:14 +09:00
|
|
|
if (!thash)
|
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
|
|
c = nf_ct_tuplehash_to_ctrack(thash);
|
|
|
|
|
/* using overlimits stats to count how many packets marked */
|
|
|
|
|
ca->tcf_qstats.overlimits++;
|
|
|
|
|
skb->mark = c->mark;
|
|
|
|
|
nf_ct_put(c);
|
|
|
|
|
|
|
|
|
|
out:
|
|
|
|
|
spin_unlock(&ca->tcf_lock);
|
|
|
|
|
return ca->tcf_action;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static const struct nla_policy connmark_policy[TCA_CONNMARK_MAX + 1] = {
|
|
|
|
|
[TCA_CONNMARK_PARMS] = { .len = sizeof(struct tc_connmark) },
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static int tcf_connmark_init(struct net *net, struct nlattr *nla,
|
2016-07-26 08:09:41 +09:00
|
|
|
struct nlattr *est, struct tc_action **a,
|
2018-07-05 23:24:25 +09:00
|
|
|
int ovr, int bind, bool rtnl_held,
|
net/sched: prepare TC actions to properly validate the control action
- pass a pointer to struct tcf_proto in each actions's init() handler,
to allow validating the control action, checking whether the chain
exists and (eventually) refcounting it.
- remove code that validates the control action after a successful call
to the action's init() handler, and replace it with a test that forbids
addition of actions having 'goto_chain' and NULL goto_chain pointer at
the same time.
- add tcf_action_check_ctrlact(), that will validate the control action
and eventually allocate the action 'goto_chain' within the init()
handler.
- add tcf_action_set_ctrlact(), that will assign the control action and
swap the current 'goto_chain' pointer with the new given one.
This disallows 'goto_chain' on actions that don't initialize it properly
in their init() handler, i.e. calling tcf_action_check_ctrlact() after
successful IDR reservation and then calling tcf_action_set_ctrlact()
to assign 'goto_chain' and 'tcf_action' consistently.
By doing this, the kernel does not leak anymore refcounts when a valid
'goto chain' handle is replaced in TC actions, causing kmemleak splats
like the following one:
# tc chain add dev dd0 chain 42 ingress protocol ip flower \
> ip_proto tcp action drop
# tc chain add dev dd0 chain 43 ingress protocol ip flower \
> ip_proto udp action drop
# tc filter add dev dd0 ingress matchall \
> action gact goto chain 42 index 66
# tc filter replace dev dd0 ingress matchall \
> action gact goto chain 43 index 66
# echo scan >/sys/kernel/debug/kmemleak
<...>
unreferenced object 0xffff93c0ee09f000 (size 1024):
comm "tc", pid 2565, jiffies 4295339808 (age 65.426s)
hex dump (first 32 bytes):
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 08 00 06 00 00 00 00 00 00 00 00 00 ................
backtrace:
[<000000009b63f92d>] tc_ctl_chain+0x3d2/0x4c0
[<00000000683a8d72>] rtnetlink_rcv_msg+0x263/0x2d0
[<00000000ddd88f8e>] netlink_rcv_skb+0x4a/0x110
[<000000006126a348>] netlink_unicast+0x1a0/0x250
[<00000000b3340877>] netlink_sendmsg+0x2c1/0x3c0
[<00000000a25a2171>] sock_sendmsg+0x36/0x40
[<00000000f19ee1ec>] ___sys_sendmsg+0x280/0x2f0
[<00000000d0422042>] __sys_sendmsg+0x5e/0xa0
[<000000007a6c61f9>] do_syscall_64+0x5b/0x180
[<00000000ccd07542>] entry_SYSCALL_64_after_hwframe+0x44/0xa9
[<0000000013eaa334>] 0xffffffffffffffff
Fixes: db50514f9a9c ("net: sched: add termination action to allow goto chain")
Fixes: 97763dc0f401 ("net_sched: reject unknown tcfa_action values")
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-03-20 22:59:59 +09:00
|
|
|
struct tcf_proto *tp,
|
2018-02-16 00:54:56 +09:00
|
|
|
struct netlink_ext_ack *extack)
|
2015-01-19 06:35:14 +09:00
|
|
|
{
|
2016-02-23 08:57:53 +09:00
|
|
|
struct tc_action_net *tn = net_generic(net, connmark_net_id);
|
2015-01-19 06:35:14 +09:00
|
|
|
struct nlattr *tb[TCA_CONNMARK_MAX + 1];
|
2019-03-20 23:00:05 +09:00
|
|
|
struct tcf_chain *goto_ch = NULL;
|
2015-01-19 06:35:14 +09:00
|
|
|
struct tcf_connmark_info *ci;
|
|
|
|
|
struct tc_connmark *parm;
|
2019-03-20 23:00:05 +09:00
|
|
|
int ret = 0, err;
|
2019-08-01 22:02:51 +09:00
|
|
|
u32 index;
|
2015-01-19 06:35:14 +09:00
|
|
|
|
|
|
|
|
if (!nla)
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
netlink: make validation more configurable for future strictness
We currently have two levels of strict validation:
1) liberal (default)
- undefined (type >= max) & NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
- garbage at end of message accepted
2) strict (opt-in)
- NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
Split out parsing strictness into four different options:
* TRAILING - check that there's no trailing data after parsing
attributes (in message or nested)
* MAXTYPE - reject attrs > max known type
* UNSPEC - reject attributes with NLA_UNSPEC policy entries
* STRICT_ATTRS - strictly validate attribute size
The default for future things should be *everything*.
The current *_strict() is a combination of TRAILING and MAXTYPE,
and is renamed to _deprecated_strict().
The current regular parsing has none of this, and is renamed to
*_parse_deprecated().
Additionally it allows us to selectively set one of the new flags
even on old policies. Notably, the UNSPEC flag could be useful in
this case, since it can be arranged (by filling in the policy) to
not be an incompatible userspace ABI change, but would then going
forward prevent forgetting attribute entries. Similar can apply
to the POLICY flag.
We end up with the following renames:
* nla_parse -> nla_parse_deprecated
* nla_parse_strict -> nla_parse_deprecated_strict
* nlmsg_parse -> nlmsg_parse_deprecated
* nlmsg_parse_strict -> nlmsg_parse_deprecated_strict
* nla_parse_nested -> nla_parse_nested_deprecated
* nla_validate_nested -> nla_validate_nested_deprecated
Using spatch, of course:
@@
expression TB, MAX, HEAD, LEN, POL, EXT;
@@
-nla_parse(TB, MAX, HEAD, LEN, POL, EXT)
+nla_parse_deprecated(TB, MAX, HEAD, LEN, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression TB, MAX, NLA, POL, EXT;
@@
-nla_parse_nested(TB, MAX, NLA, POL, EXT)
+nla_parse_nested_deprecated(TB, MAX, NLA, POL, EXT)
@@
expression START, MAX, POL, EXT;
@@
-nla_validate_nested(START, MAX, POL, EXT)
+nla_validate_nested_deprecated(START, MAX, POL, EXT)
@@
expression NLH, HDRLEN, MAX, POL, EXT;
@@
-nlmsg_validate(NLH, HDRLEN, MAX, POL, EXT)
+nlmsg_validate_deprecated(NLH, HDRLEN, MAX, POL, EXT)
For this patch, don't actually add the strict, non-renamed versions
yet so that it breaks compile if I get it wrong.
Also, while at it, make nla_validate and nla_parse go down to a
common __nla_validate_parse() function to avoid code duplication.
Ultimately, this allows us to have very strict validation for every
new caller of nla_parse()/nlmsg_parse() etc as re-introduced in the
next patch, while existing things will continue to work as is.
In effect then, this adds fully strict validation for any new command.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-04-26 21:07:28 +09:00
|
|
|
ret = nla_parse_nested_deprecated(tb, TCA_CONNMARK_MAX, nla,
|
|
|
|
|
connmark_policy, NULL);
|
2015-01-19 06:35:14 +09:00
|
|
|
if (ret < 0)
|
|
|
|
|
return ret;
|
|
|
|
|
|
2017-03-11 00:55:32 +09:00
|
|
|
if (!tb[TCA_CONNMARK_PARMS])
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
2015-01-19 06:35:14 +09:00
|
|
|
parm = nla_data(tb[TCA_CONNMARK_PARMS]);
|
2019-08-01 22:02:51 +09:00
|
|
|
index = parm->index;
|
|
|
|
|
ret = tcf_idr_check_alloc(tn, &index, a, bind);
|
2018-07-05 23:24:32 +09:00
|
|
|
if (!ret) {
|
2019-08-01 22:02:51 +09:00
|
|
|
ret = tcf_idr_create(tn, index, est, a,
|
2017-08-30 15:31:59 +09:00
|
|
|
&act_connmark_ops, bind, false);
|
2018-07-05 23:24:32 +09:00
|
|
|
if (ret) {
|
2019-08-01 22:02:51 +09:00
|
|
|
tcf_idr_cleanup(tn, index);
|
2015-01-19 06:35:14 +09:00
|
|
|
return ret;
|
2018-07-05 23:24:32 +09:00
|
|
|
}
|
2015-01-19 06:35:14 +09:00
|
|
|
|
2016-07-26 08:09:41 +09:00
|
|
|
ci = to_connmark(*a);
|
2019-03-20 23:00:05 +09:00
|
|
|
err = tcf_action_check_ctrlact(parm->action, tp, &goto_ch,
|
|
|
|
|
extack);
|
|
|
|
|
if (err < 0)
|
|
|
|
|
goto release_idr;
|
|
|
|
|
tcf_action_set_ctrlact(*a, parm->action, goto_ch);
|
2015-09-19 04:33:03 +09:00
|
|
|
ci->net = net;
|
2015-01-19 06:35:14 +09:00
|
|
|
ci->zone = parm->zone;
|
|
|
|
|
|
|
|
|
|
ret = ACT_P_CREATED;
|
2018-07-05 23:24:32 +09:00
|
|
|
} else if (ret > 0) {
|
2016-07-26 08:09:41 +09:00
|
|
|
ci = to_connmark(*a);
|
2015-01-19 06:35:14 +09:00
|
|
|
if (bind)
|
|
|
|
|
return 0;
|
2018-07-05 23:24:30 +09:00
|
|
|
if (!ovr) {
|
|
|
|
|
tcf_idr_release(*a, bind);
|
2015-01-19 06:35:14 +09:00
|
|
|
return -EEXIST;
|
2018-07-05 23:24:30 +09:00
|
|
|
}
|
2019-03-20 23:00:05 +09:00
|
|
|
err = tcf_action_check_ctrlact(parm->action, tp, &goto_ch,
|
|
|
|
|
extack);
|
|
|
|
|
if (err < 0)
|
|
|
|
|
goto release_idr;
|
2015-01-19 06:35:14 +09:00
|
|
|
/* replacing action and zone */
|
2018-08-30 02:15:36 +09:00
|
|
|
spin_lock_bh(&ci->tcf_lock);
|
2019-03-20 23:00:05 +09:00
|
|
|
goto_ch = tcf_action_set_ctrlact(*a, parm->action, goto_ch);
|
2015-01-19 06:35:14 +09:00
|
|
|
ci->zone = parm->zone;
|
2018-08-30 02:15:36 +09:00
|
|
|
spin_unlock_bh(&ci->tcf_lock);
|
2019-03-20 23:00:05 +09:00
|
|
|
if (goto_ch)
|
|
|
|
|
tcf_chain_put_by_act(goto_ch);
|
2018-07-05 23:24:32 +09:00
|
|
|
ret = 0;
|
2015-01-19 06:35:14 +09:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ret;
|
2019-03-20 23:00:05 +09:00
|
|
|
release_idr:
|
|
|
|
|
tcf_idr_release(*a, bind);
|
|
|
|
|
return err;
|
2015-01-19 06:35:14 +09:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static inline int tcf_connmark_dump(struct sk_buff *skb, struct tc_action *a,
|
|
|
|
|
int bind, int ref)
|
|
|
|
|
{
|
|
|
|
|
unsigned char *b = skb_tail_pointer(skb);
|
2016-07-26 08:09:41 +09:00
|
|
|
struct tcf_connmark_info *ci = to_connmark(a);
|
2015-01-19 06:35:14 +09:00
|
|
|
struct tc_connmark opt = {
|
|
|
|
|
.index = ci->tcf_index,
|
2018-07-05 23:24:24 +09:00
|
|
|
.refcnt = refcount_read(&ci->tcf_refcnt) - ref,
|
|
|
|
|
.bindcnt = atomic_read(&ci->tcf_bindcnt) - bind,
|
2015-01-19 06:35:14 +09:00
|
|
|
};
|
|
|
|
|
struct tcf_t t;
|
|
|
|
|
|
2018-08-30 02:15:36 +09:00
|
|
|
spin_lock_bh(&ci->tcf_lock);
|
|
|
|
|
opt.action = ci->tcf_action;
|
|
|
|
|
opt.zone = ci->zone;
|
2015-01-19 06:35:14 +09:00
|
|
|
if (nla_put(skb, TCA_CONNMARK_PARMS, sizeof(opt), &opt))
|
|
|
|
|
goto nla_put_failure;
|
|
|
|
|
|
2016-06-06 19:32:55 +09:00
|
|
|
tcf_tm_dump(&t, &ci->tcf_tm);
|
2016-04-26 17:06:18 +09:00
|
|
|
if (nla_put_64bit(skb, TCA_CONNMARK_TM, sizeof(t), &t,
|
|
|
|
|
TCA_CONNMARK_PAD))
|
2015-01-19 06:35:14 +09:00
|
|
|
goto nla_put_failure;
|
2018-08-30 02:15:36 +09:00
|
|
|
spin_unlock_bh(&ci->tcf_lock);
|
2015-01-19 06:35:14 +09:00
|
|
|
|
|
|
|
|
return skb->len;
|
2018-08-30 02:15:36 +09:00
|
|
|
|
2015-01-19 06:35:14 +09:00
|
|
|
nla_put_failure:
|
2018-08-30 02:15:36 +09:00
|
|
|
spin_unlock_bh(&ci->tcf_lock);
|
2015-01-19 06:35:14 +09:00
|
|
|
nlmsg_trim(skb, b);
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
2016-02-23 08:57:53 +09:00
|
|
|
static int tcf_connmark_walker(struct net *net, struct sk_buff *skb,
|
|
|
|
|
struct netlink_callback *cb, int type,
|
2018-02-16 00:54:58 +09:00
|
|
|
const struct tc_action_ops *ops,
|
|
|
|
|
struct netlink_ext_ack *extack)
|
2016-02-23 08:57:53 +09:00
|
|
|
{
|
|
|
|
|
struct tc_action_net *tn = net_generic(net, connmark_net_id);
|
|
|
|
|
|
2018-02-16 00:54:59 +09:00
|
|
|
return tcf_generic_walker(tn, skb, cb, type, ops, extack);
|
2016-02-23 08:57:53 +09:00
|
|
|
}
|
|
|
|
|
|
2018-08-30 02:15:35 +09:00
|
|
|
static int tcf_connmark_search(struct net *net, struct tc_action **a, u32 index)
|
2016-02-23 08:57:53 +09:00
|
|
|
{
|
|
|
|
|
struct tc_action_net *tn = net_generic(net, connmark_net_id);
|
|
|
|
|
|
2017-08-30 15:31:59 +09:00
|
|
|
return tcf_idr_search(tn, a, index);
|
2016-02-23 08:57:53 +09:00
|
|
|
}
|
|
|
|
|
|
2015-01-19 06:35:14 +09:00
|
|
|
static struct tc_action_ops act_connmark_ops = {
|
|
|
|
|
.kind = "connmark",
|
2019-02-10 21:25:00 +09:00
|
|
|
.id = TCA_ID_CONNMARK,
|
2015-01-19 06:35:14 +09:00
|
|
|
.owner = THIS_MODULE,
|
2018-08-12 22:34:49 +09:00
|
|
|
.act = tcf_connmark_act,
|
2015-01-19 06:35:14 +09:00
|
|
|
.dump = tcf_connmark_dump,
|
|
|
|
|
.init = tcf_connmark_init,
|
2016-02-23 08:57:53 +09:00
|
|
|
.walk = tcf_connmark_walker,
|
|
|
|
|
.lookup = tcf_connmark_search,
|
2016-07-26 08:09:41 +09:00
|
|
|
.size = sizeof(struct tcf_connmark_info),
|
2016-02-23 08:57:53 +09:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static __net_init int connmark_init_net(struct net *net)
|
|
|
|
|
{
|
|
|
|
|
struct tc_action_net *tn = net_generic(net, connmark_net_id);
|
|
|
|
|
|
2019-08-26 02:01:32 +09:00
|
|
|
return tc_action_net_init(net, tn, &act_connmark_ops);
|
2016-02-23 08:57:53 +09:00
|
|
|
}
|
|
|
|
|
|
2017-12-12 08:35:03 +09:00
|
|
|
static void __net_exit connmark_exit_net(struct list_head *net_list)
|
2016-02-23 08:57:53 +09:00
|
|
|
{
|
2017-12-12 08:35:03 +09:00
|
|
|
tc_action_net_exit(net_list, connmark_net_id);
|
2016-02-23 08:57:53 +09:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct pernet_operations connmark_net_ops = {
|
|
|
|
|
.init = connmark_init_net,
|
2017-12-12 08:35:03 +09:00
|
|
|
.exit_batch = connmark_exit_net,
|
2016-02-23 08:57:53 +09:00
|
|
|
.id = &connmark_net_id,
|
|
|
|
|
.size = sizeof(struct tc_action_net),
|
2015-01-19 06:35:14 +09:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static int __init connmark_init_module(void)
|
|
|
|
|
{
|
2016-02-23 08:57:53 +09:00
|
|
|
return tcf_register_action(&act_connmark_ops, &connmark_net_ops);
|
2015-01-19 06:35:14 +09:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void __exit connmark_cleanup_module(void)
|
|
|
|
|
{
|
2016-02-23 08:57:53 +09:00
|
|
|
tcf_unregister_action(&act_connmark_ops, &connmark_net_ops);
|
2015-01-19 06:35:14 +09:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
module_init(connmark_init_module);
|
|
|
|
|
module_exit(connmark_cleanup_module);
|
|
|
|
|
MODULE_AUTHOR("Felix Fietkau <nbd@openwrt.org>");
|
|
|
|
|
MODULE_DESCRIPTION("Connection tracking mark restoring");
|
|
|
|
|
MODULE_LICENSE("GPL");
|