mirror of
https://gitee.com/bianbu-linux/linux-6.6
synced 2025-04-24 14:07:52 -04:00
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf
Pablo Neira Ayuso says: ==================== Netfilter fixes for net The following patchset contains Netfilter fixes for net: 1) Fix PPPoE and QinQ with flowtable inet family. 2) Missing register validation in nf_tables. 3) Initialize registers to avoid stack memleak to userspace. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
David S. Miller
commit
4fa331b45d
5 changed files with 53 additions and 24 deletions
|
|
@ -10,6 +10,8 @@
|
||||||
#include <linux/netfilter/nf_conntrack_tuple_common.h>
|
#include <linux/netfilter/nf_conntrack_tuple_common.h>
|
||||||
#include <net/flow_offload.h>
|
#include <net/flow_offload.h>
|
||||||
#include <net/dst.h>
|
#include <net/dst.h>
|
||||||
|
#include <linux/if_pppox.h>
|
||||||
|
#include <linux/ppp_defs.h>
|
||||||
|
|
||||||
struct nf_flowtable;
|
struct nf_flowtable;
|
||||||
struct nf_flow_rule;
|
struct nf_flow_rule;
|
||||||
|
|
@ -317,4 +319,20 @@ int nf_flow_rule_route_ipv6(struct net *net, const struct flow_offload *flow,
|
||||||
int nf_flow_table_offload_init(void);
|
int nf_flow_table_offload_init(void);
|
||||||
void nf_flow_table_offload_exit(void);
|
void nf_flow_table_offload_exit(void);
|
||||||
|
|
||||||
|
static inline __be16 nf_flow_pppoe_proto(const struct sk_buff *skb)
|
||||||
|
{
|
||||||
|
__be16 proto;
|
||||||
|
|
||||||
|
proto = *((__be16 *)(skb_mac_header(skb) + ETH_HLEN +
|
||||||
|
sizeof(struct pppoe_hdr)));
|
||||||
|
switch (proto) {
|
||||||
|
case htons(PPP_IP):
|
||||||
|
return htons(ETH_P_IP);
|
||||||
|
case htons(PPP_IPV6):
|
||||||
|
return htons(ETH_P_IPV6);
|
||||||
|
}
|
||||||
|
|
||||||
|
return 0;
|
||||||
|
}
|
||||||
|
|
||||||
#endif /* _NF_FLOW_TABLE_H */
|
#endif /* _NF_FLOW_TABLE_H */
|
||||||
|
|
|
||||||
|
|
@ -6,12 +6,29 @@
|
||||||
#include <linux/rhashtable.h>
|
#include <linux/rhashtable.h>
|
||||||
#include <net/netfilter/nf_flow_table.h>
|
#include <net/netfilter/nf_flow_table.h>
|
||||||
#include <net/netfilter/nf_tables.h>
|
#include <net/netfilter/nf_tables.h>
|
||||||
|
#include <linux/if_vlan.h>
|
||||||
|
|
||||||
static unsigned int
|
static unsigned int
|
||||||
nf_flow_offload_inet_hook(void *priv, struct sk_buff *skb,
|
nf_flow_offload_inet_hook(void *priv, struct sk_buff *skb,
|
||||||
const struct nf_hook_state *state)
|
const struct nf_hook_state *state)
|
||||||
{
|
{
|
||||||
|
struct vlan_ethhdr *veth;
|
||||||
|
__be16 proto;
|
||||||
|
|
||||||
switch (skb->protocol) {
|
switch (skb->protocol) {
|
||||||
|
case htons(ETH_P_8021Q):
|
||||||
|
veth = (struct vlan_ethhdr *)skb_mac_header(skb);
|
||||||
|
proto = veth->h_vlan_encapsulated_proto;
|
||||||
|
break;
|
||||||
|
case htons(ETH_P_PPP_SES):
|
||||||
|
proto = nf_flow_pppoe_proto(skb);
|
||||||
|
break;
|
||||||
|
default:
|
||||||
|
proto = skb->protocol;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
switch (proto) {
|
||||||
case htons(ETH_P_IP):
|
case htons(ETH_P_IP):
|
||||||
return nf_flow_offload_ip_hook(priv, skb, state);
|
return nf_flow_offload_ip_hook(priv, skb, state);
|
||||||
case htons(ETH_P_IPV6):
|
case htons(ETH_P_IPV6):
|
||||||
|
|
|
||||||
|
|
@ -8,8 +8,6 @@
|
||||||
#include <linux/ipv6.h>
|
#include <linux/ipv6.h>
|
||||||
#include <linux/netdevice.h>
|
#include <linux/netdevice.h>
|
||||||
#include <linux/if_ether.h>
|
#include <linux/if_ether.h>
|
||||||
#include <linux/if_pppox.h>
|
|
||||||
#include <linux/ppp_defs.h>
|
|
||||||
#include <net/ip.h>
|
#include <net/ip.h>
|
||||||
#include <net/ipv6.h>
|
#include <net/ipv6.h>
|
||||||
#include <net/ip6_route.h>
|
#include <net/ip6_route.h>
|
||||||
|
|
@ -239,22 +237,6 @@ static unsigned int nf_flow_xmit_xfrm(struct sk_buff *skb,
|
||||||
return NF_STOLEN;
|
return NF_STOLEN;
|
||||||
}
|
}
|
||||||
|
|
||||||
static inline __be16 nf_flow_pppoe_proto(const struct sk_buff *skb)
|
|
||||||
{
|
|
||||||
__be16 proto;
|
|
||||||
|
|
||||||
proto = *((__be16 *)(skb_mac_header(skb) + ETH_HLEN +
|
|
||||||
sizeof(struct pppoe_hdr)));
|
|
||||||
switch (proto) {
|
|
||||||
case htons(PPP_IP):
|
|
||||||
return htons(ETH_P_IP);
|
|
||||||
case htons(PPP_IPV6):
|
|
||||||
return htons(ETH_P_IPV6);
|
|
||||||
}
|
|
||||||
|
|
||||||
return 0;
|
|
||||||
}
|
|
||||||
|
|
||||||
static bool nf_flow_skb_encap_protocol(const struct sk_buff *skb, __be16 proto,
|
static bool nf_flow_skb_encap_protocol(const struct sk_buff *skb, __be16 proto,
|
||||||
u32 *offset)
|
u32 *offset)
|
||||||
{
|
{
|
||||||
|
|
|
||||||
|
|
@ -9275,17 +9275,23 @@ int nft_parse_u32_check(const struct nlattr *attr, int max, u32 *dest)
|
||||||
}
|
}
|
||||||
EXPORT_SYMBOL_GPL(nft_parse_u32_check);
|
EXPORT_SYMBOL_GPL(nft_parse_u32_check);
|
||||||
|
|
||||||
static unsigned int nft_parse_register(const struct nlattr *attr)
|
static unsigned int nft_parse_register(const struct nlattr *attr, u32 *preg)
|
||||||
{
|
{
|
||||||
unsigned int reg;
|
unsigned int reg;
|
||||||
|
|
||||||
reg = ntohl(nla_get_be32(attr));
|
reg = ntohl(nla_get_be32(attr));
|
||||||
switch (reg) {
|
switch (reg) {
|
||||||
case NFT_REG_VERDICT...NFT_REG_4:
|
case NFT_REG_VERDICT...NFT_REG_4:
|
||||||
return reg * NFT_REG_SIZE / NFT_REG32_SIZE;
|
*preg = reg * NFT_REG_SIZE / NFT_REG32_SIZE;
|
||||||
|
break;
|
||||||
|
case NFT_REG32_00...NFT_REG32_15:
|
||||||
|
*preg = reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
|
||||||
|
break;
|
||||||
default:
|
default:
|
||||||
return reg + NFT_REG_SIZE / NFT_REG32_SIZE - NFT_REG32_00;
|
return -ERANGE;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
@ -9327,7 +9333,10 @@ int nft_parse_register_load(const struct nlattr *attr, u8 *sreg, u32 len)
|
||||||
u32 reg;
|
u32 reg;
|
||||||
int err;
|
int err;
|
||||||
|
|
||||||
reg = nft_parse_register(attr);
|
err = nft_parse_register(attr, ®);
|
||||||
|
if (err < 0)
|
||||||
|
return err;
|
||||||
|
|
||||||
err = nft_validate_register_load(reg, len);
|
err = nft_validate_register_load(reg, len);
|
||||||
if (err < 0)
|
if (err < 0)
|
||||||
return err;
|
return err;
|
||||||
|
|
@ -9382,7 +9391,10 @@ int nft_parse_register_store(const struct nft_ctx *ctx,
|
||||||
int err;
|
int err;
|
||||||
u32 reg;
|
u32 reg;
|
||||||
|
|
||||||
reg = nft_parse_register(attr);
|
err = nft_parse_register(attr, ®);
|
||||||
|
if (err < 0)
|
||||||
|
return err;
|
||||||
|
|
||||||
err = nft_validate_register_store(ctx, reg, data, type, len);
|
err = nft_validate_register_store(ctx, reg, data, type, len);
|
||||||
if (err < 0)
|
if (err < 0)
|
||||||
return err;
|
return err;
|
||||||
|
|
|
||||||
|
|
@ -201,7 +201,7 @@ nft_do_chain(struct nft_pktinfo *pkt, void *priv)
|
||||||
const struct nft_rule_dp *rule, *last_rule;
|
const struct nft_rule_dp *rule, *last_rule;
|
||||||
const struct net *net = nft_net(pkt);
|
const struct net *net = nft_net(pkt);
|
||||||
const struct nft_expr *expr, *last;
|
const struct nft_expr *expr, *last;
|
||||||
struct nft_regs regs;
|
struct nft_regs regs = {};
|
||||||
unsigned int stackptr = 0;
|
unsigned int stackptr = 0;
|
||||||
struct nft_jumpstack jumpstack[NFT_JUMP_STACK_SIZE];
|
struct nft_jumpstack jumpstack[NFT_JUMP_STACK_SIZE];
|
||||||
bool genbit = READ_ONCE(net->nft.gencursor);
|
bool genbit = READ_ONCE(net->nft.gencursor);
|
||||||
|
|
|
||||||
Loading…
Add table
Add a link
Reference in a new issue