Commit 583d3f5a authored by David S. Miller's avatar David S. Miller

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next

Pablo Neira Ayuso says:

====================
Netfilter updates for net-next

The following patchset contains Netfilter updates for net-next, they are:

1) default CONFIG_NETFILTER_INGRESS to y for easier compile-testing of all
   options.

2) Allow to bind a table to net_device. This introduces the internal
   NFT_AF_NEEDS_DEV flag to perform a mandatory check for this binding.
   This is required by the next patch.

3) Add the 'netdev' table family, this new table allows you to create ingress
   filter basechains. This provides access to the existing nf_tables features
   from ingress.

4) Kill unused argument from compat_find_calc_{match,target} in ip_tables
   and ip6_tables, from Florian Westphal.
====================
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 5289e4a0 ed6c4136
...@@ -819,6 +819,7 @@ unsigned int nft_do_chain(struct nft_pktinfo *pkt, ...@@ -819,6 +819,7 @@ unsigned int nft_do_chain(struct nft_pktinfo *pkt,
* @use: number of chain references to this table * @use: number of chain references to this table
* @flags: table flag (see enum nft_table_flags) * @flags: table flag (see enum nft_table_flags)
* @name: name of the table * @name: name of the table
* @dev: this table is bound to this device (if any)
*/ */
struct nft_table { struct nft_table {
struct list_head list; struct list_head list;
...@@ -828,6 +829,11 @@ struct nft_table { ...@@ -828,6 +829,11 @@ struct nft_table {
u32 use; u32 use;
u16 flags; u16 flags;
char name[NFT_TABLE_MAXNAMELEN]; char name[NFT_TABLE_MAXNAMELEN];
struct net_device *dev;
};
enum nft_af_flags {
NFT_AF_NEEDS_DEV = (1 << 0),
}; };
/** /**
...@@ -838,6 +844,7 @@ struct nft_table { ...@@ -838,6 +844,7 @@ struct nft_table {
* @nhooks: number of hooks in this family * @nhooks: number of hooks in this family
* @owner: module owner * @owner: module owner
* @tables: used internally * @tables: used internally
* @flags: family flags
* @nops: number of hook ops in this family * @nops: number of hook ops in this family
* @hook_ops_init: initialization function for chain hook ops * @hook_ops_init: initialization function for chain hook ops
* @hooks: hookfn overrides for packet validation * @hooks: hookfn overrides for packet validation
...@@ -848,6 +855,7 @@ struct nft_af_info { ...@@ -848,6 +855,7 @@ struct nft_af_info {
unsigned int nhooks; unsigned int nhooks;
struct module *owner; struct module *owner;
struct list_head tables; struct list_head tables;
u32 flags;
unsigned int nops; unsigned int nops;
void (*hook_ops_init)(struct nf_hook_ops *, void (*hook_ops_init)(struct nf_hook_ops *,
unsigned int); unsigned int);
......
...@@ -13,6 +13,7 @@ struct netns_nftables { ...@@ -13,6 +13,7 @@ struct netns_nftables {
struct nft_af_info *inet; struct nft_af_info *inet;
struct nft_af_info *arp; struct nft_af_info *arp;
struct nft_af_info *bridge; struct nft_af_info *bridge;
struct nft_af_info *netdev;
unsigned int base_seq; unsigned int base_seq;
u8 gencursor; u8 gencursor;
}; };
......
...@@ -146,12 +146,14 @@ enum nft_table_flags { ...@@ -146,12 +146,14 @@ enum nft_table_flags {
* @NFTA_TABLE_NAME: name of the table (NLA_STRING) * @NFTA_TABLE_NAME: name of the table (NLA_STRING)
* @NFTA_TABLE_FLAGS: bitmask of enum nft_table_flags (NLA_U32) * @NFTA_TABLE_FLAGS: bitmask of enum nft_table_flags (NLA_U32)
* @NFTA_TABLE_USE: number of chains in this table (NLA_U32) * @NFTA_TABLE_USE: number of chains in this table (NLA_U32)
* @NFTA_TABLE_DEV: net device name (NLA_STRING)
*/ */
enum nft_table_attributes { enum nft_table_attributes {
NFTA_TABLE_UNSPEC, NFTA_TABLE_UNSPEC,
NFTA_TABLE_NAME, NFTA_TABLE_NAME,
NFTA_TABLE_FLAGS, NFTA_TABLE_FLAGS,
NFTA_TABLE_USE, NFTA_TABLE_USE,
NFTA_TABLE_DEV,
__NFTA_TABLE_MAX __NFTA_TABLE_MAX
}; };
#define NFTA_TABLE_MAX (__NFTA_TABLE_MAX - 1) #define NFTA_TABLE_MAX (__NFTA_TABLE_MAX - 1)
......
...@@ -1444,7 +1444,6 @@ static int ...@@ -1444,7 +1444,6 @@ static int
compat_find_calc_match(struct xt_entry_match *m, compat_find_calc_match(struct xt_entry_match *m,
const char *name, const char *name,
const struct ipt_ip *ip, const struct ipt_ip *ip,
unsigned int hookmask,
int *size) int *size)
{ {
struct xt_match *match; struct xt_match *match;
...@@ -1513,8 +1512,7 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e, ...@@ -1513,8 +1512,7 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
entry_offset = (void *)e - (void *)base; entry_offset = (void *)e - (void *)base;
j = 0; j = 0;
xt_ematch_foreach(ematch, e) { xt_ematch_foreach(ematch, e) {
ret = compat_find_calc_match(ematch, name, ret = compat_find_calc_match(ematch, name, &e->ip, &off);
&e->ip, e->comefrom, &off);
if (ret != 0) if (ret != 0)
goto release_matches; goto release_matches;
++j; ++j;
......
...@@ -1459,7 +1459,6 @@ static int ...@@ -1459,7 +1459,6 @@ static int
compat_find_calc_match(struct xt_entry_match *m, compat_find_calc_match(struct xt_entry_match *m,
const char *name, const char *name,
const struct ip6t_ip6 *ipv6, const struct ip6t_ip6 *ipv6,
unsigned int hookmask,
int *size) int *size)
{ {
struct xt_match *match; struct xt_match *match;
...@@ -1528,8 +1527,7 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e, ...@@ -1528,8 +1527,7 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
entry_offset = (void *)e - (void *)base; entry_offset = (void *)e - (void *)base;
j = 0; j = 0;
xt_ematch_foreach(ematch, e) { xt_ematch_foreach(ematch, e) {
ret = compat_find_calc_match(ematch, name, ret = compat_find_calc_match(ematch, name, &e->ipv6, &off);
&e->ipv6, e->comefrom, &off);
if (ret != 0) if (ret != 0)
goto release_matches; goto release_matches;
++j; ++j;
......
...@@ -3,6 +3,7 @@ menu "Core Netfilter Configuration" ...@@ -3,6 +3,7 @@ menu "Core Netfilter Configuration"
config NETFILTER_INGRESS config NETFILTER_INGRESS
bool "Netfilter ingress support" bool "Netfilter ingress support"
default y
select NET_INGRESS select NET_INGRESS
help help
This allows you to classify packets from ingress using the Netfilter This allows you to classify packets from ingress using the Netfilter
...@@ -455,6 +456,11 @@ config NF_TABLES_INET ...@@ -455,6 +456,11 @@ config NF_TABLES_INET
help help
This option enables support for a mixed IPv4/IPv6 "inet" table. This option enables support for a mixed IPv4/IPv6 "inet" table.
config NF_TABLES_NETDEV
tristate "Netfilter nf_tables netdev tables support"
help
This option enables support for the "netdev" table.
config NFT_EXTHDR config NFT_EXTHDR
tristate "Netfilter nf_tables IPv6 exthdr module" tristate "Netfilter nf_tables IPv6 exthdr module"
help help
......
...@@ -75,6 +75,7 @@ nf_tables-objs += nft_bitwise.o nft_byteorder.o nft_payload.o ...@@ -75,6 +75,7 @@ nf_tables-objs += nft_bitwise.o nft_byteorder.o nft_payload.o
obj-$(CONFIG_NF_TABLES) += nf_tables.o obj-$(CONFIG_NF_TABLES) += nf_tables.o
obj-$(CONFIG_NF_TABLES_INET) += nf_tables_inet.o obj-$(CONFIG_NF_TABLES_INET) += nf_tables_inet.o
obj-$(CONFIG_NF_TABLES_NETDEV) += nf_tables_netdev.o
obj-$(CONFIG_NFT_COMPAT) += nft_compat.o obj-$(CONFIG_NFT_COMPAT) += nft_compat.o
obj-$(CONFIG_NFT_EXTHDR) += nft_exthdr.o obj-$(CONFIG_NFT_EXTHDR) += nft_exthdr.o
obj-$(CONFIG_NFT_META) += nft_meta.o obj-$(CONFIG_NFT_META) += nft_meta.o
......
...@@ -399,6 +399,8 @@ static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = { ...@@ -399,6 +399,8 @@ static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
[NFTA_TABLE_NAME] = { .type = NLA_STRING, [NFTA_TABLE_NAME] = { .type = NLA_STRING,
.len = NFT_TABLE_MAXNAMELEN - 1 }, .len = NFT_TABLE_MAXNAMELEN - 1 },
[NFTA_TABLE_FLAGS] = { .type = NLA_U32 }, [NFTA_TABLE_FLAGS] = { .type = NLA_U32 },
[NFTA_TABLE_DEV] = { .type = NLA_STRING,
.len = IFNAMSIZ - 1 },
}; };
static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net, static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
...@@ -423,6 +425,10 @@ static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net, ...@@ -423,6 +425,10 @@ static int nf_tables_fill_table_info(struct sk_buff *skb, struct net *net,
nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use))) nla_put_be32(skb, NFTA_TABLE_USE, htonl(table->use)))
goto nla_put_failure; goto nla_put_failure;
if (table->dev &&
nla_put_string(skb, NFTA_TABLE_DEV, table->dev->name))
goto nla_put_failure;
nlmsg_end(skb, nlh); nlmsg_end(skb, nlh);
return 0; return 0;
...@@ -608,6 +614,11 @@ static int nf_tables_updtable(struct nft_ctx *ctx) ...@@ -608,6 +614,11 @@ static int nf_tables_updtable(struct nft_ctx *ctx)
if (flags == ctx->table->flags) if (flags == ctx->table->flags)
return 0; return 0;
if ((ctx->afi->flags & NFT_AF_NEEDS_DEV) &&
ctx->nla[NFTA_TABLE_DEV] &&
nla_strcmp(ctx->nla[NFTA_TABLE_DEV], ctx->table->dev->name))
return -EOPNOTSUPP;
trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE, trans = nft_trans_alloc(ctx, NFT_MSG_NEWTABLE,
sizeof(struct nft_trans_table)); sizeof(struct nft_trans_table));
if (trans == NULL) if (trans == NULL)
...@@ -645,6 +656,7 @@ static int nf_tables_newtable(struct sock *nlsk, struct sk_buff *skb, ...@@ -645,6 +656,7 @@ static int nf_tables_newtable(struct sock *nlsk, struct sk_buff *skb,
struct nft_table *table; struct nft_table *table;
struct net *net = sock_net(skb->sk); struct net *net = sock_net(skb->sk);
int family = nfmsg->nfgen_family; int family = nfmsg->nfgen_family;
struct net_device *dev = NULL;
u32 flags = 0; u32 flags = 0;
struct nft_ctx ctx; struct nft_ctx ctx;
int err; int err;
...@@ -679,30 +691,50 @@ static int nf_tables_newtable(struct sock *nlsk, struct sk_buff *skb, ...@@ -679,30 +691,50 @@ static int nf_tables_newtable(struct sock *nlsk, struct sk_buff *skb,
return -EINVAL; return -EINVAL;
} }
if (afi->flags & NFT_AF_NEEDS_DEV) {
char ifname[IFNAMSIZ];
if (!nla[NFTA_TABLE_DEV])
return -EOPNOTSUPP;
nla_strlcpy(ifname, nla[NFTA_TABLE_DEV], IFNAMSIZ);
dev = dev_get_by_name(net, ifname);
if (!dev)
return -ENOENT;
} else if (nla[NFTA_TABLE_DEV]) {
return -EOPNOTSUPP;
}
err = -EAFNOSUPPORT;
if (!try_module_get(afi->owner)) if (!try_module_get(afi->owner))
return -EAFNOSUPPORT; goto err1;
err = -ENOMEM; err = -ENOMEM;
table = kzalloc(sizeof(*table), GFP_KERNEL); table = kzalloc(sizeof(*table), GFP_KERNEL);
if (table == NULL) if (table == NULL)
goto err1; goto err2;
nla_strlcpy(table->name, name, NFT_TABLE_MAXNAMELEN); nla_strlcpy(table->name, name, NFT_TABLE_MAXNAMELEN);
INIT_LIST_HEAD(&table->chains); INIT_LIST_HEAD(&table->chains);
INIT_LIST_HEAD(&table->sets); INIT_LIST_HEAD(&table->sets);
table->flags = flags; table->flags = flags;
table->dev = dev;
nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla); nft_ctx_init(&ctx, skb, nlh, afi, table, NULL, nla);
err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE); err = nft_trans_table_add(&ctx, NFT_MSG_NEWTABLE);
if (err < 0) if (err < 0)
goto err2; goto err3;
list_add_tail_rcu(&table->list, &afi->tables); list_add_tail_rcu(&table->list, &afi->tables);
return 0; return 0;
err2: err3:
kfree(table); kfree(table);
err1: err2:
module_put(afi->owner); module_put(afi->owner);
err1:
if (dev != NULL)
dev_put(dev);
return err; return err;
} }
...@@ -806,6 +838,9 @@ static void nf_tables_table_destroy(struct nft_ctx *ctx) ...@@ -806,6 +838,9 @@ static void nf_tables_table_destroy(struct nft_ctx *ctx)
{ {
BUG_ON(ctx->table->use > 0); BUG_ON(ctx->table->use > 0);
if (ctx->table->dev)
dev_put(ctx->table->dev);
kfree(ctx->table); kfree(ctx->table);
module_put(ctx->afi->owner); module_put(ctx->afi->owner);
} }
...@@ -1361,6 +1396,7 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb, ...@@ -1361,6 +1396,7 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb,
ops->priority = priority; ops->priority = priority;
ops->priv = chain; ops->priv = chain;
ops->hook = afi->hooks[ops->hooknum]; ops->hook = afi->hooks[ops->hooknum];
ops->dev = table->dev;
if (hookfn) if (hookfn)
ops->hook = hookfn; ops->hook = hookfn;
if (afi->hook_ops_init) if (afi->hook_ops_init)
......
/*
* Copyright (c) 2015 Pablo Neira Ayuso <pablo@netfilter.org>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
#include <linux/init.h>
#include <linux/module.h>
#include <net/netfilter/nf_tables.h>
#include <linux/ip.h>
#include <linux/ipv6.h>
#include <net/netfilter/nf_tables_ipv4.h>
#include <net/netfilter/nf_tables_ipv6.h>
static inline void
nft_netdev_set_pktinfo_ipv4(struct nft_pktinfo *pkt,
const struct nf_hook_ops *ops, struct sk_buff *skb,
const struct nf_hook_state *state)
{
struct iphdr *iph, _iph;
u32 len, thoff;
nft_set_pktinfo(pkt, ops, skb, state);
iph = skb_header_pointer(skb, skb_network_offset(skb), sizeof(*iph),
&_iph);
if (!iph)
return;
iph = ip_hdr(skb);
if (iph->ihl < 5 || iph->version != 4)
return;
len = ntohs(iph->tot_len);
thoff = iph->ihl * 4;
if (skb->len < len)
return;
else if (len < thoff)
return;
pkt->tprot = iph->protocol;
pkt->xt.thoff = thoff;
pkt->xt.fragoff = ntohs(iph->frag_off) & IP_OFFSET;
}
static inline void
__nft_netdev_set_pktinfo_ipv6(struct nft_pktinfo *pkt,
const struct nf_hook_ops *ops,
struct sk_buff *skb,
const struct nf_hook_state *state)
{
#if IS_ENABLED(CONFIG_IPV6)
struct ipv6hdr *ip6h, _ip6h;
unsigned int thoff = 0;
unsigned short frag_off;
int protohdr;
u32 pkt_len;
ip6h = skb_header_pointer(skb, skb_network_offset(skb), sizeof(*ip6h),
&_ip6h);
if (!ip6h)
return;
if (ip6h->version != 6)
return;
pkt_len = ntohs(ip6h->payload_len);
if (pkt_len + sizeof(*ip6h) > skb->len)
return;
protohdr = ipv6_find_hdr(pkt->skb, &thoff, -1, &frag_off, NULL);
if (protohdr < 0)
return;
pkt->tprot = protohdr;
pkt->xt.thoff = thoff;
pkt->xt.fragoff = frag_off;
#endif
}
static inline void nft_netdev_set_pktinfo_ipv6(struct nft_pktinfo *pkt,
const struct nf_hook_ops *ops,
struct sk_buff *skb,
const struct nf_hook_state *state)
{
nft_set_pktinfo(pkt, ops, skb, state);
__nft_netdev_set_pktinfo_ipv6(pkt, ops, skb, state);
}
static unsigned int
nft_do_chain_netdev(const struct nf_hook_ops *ops, struct sk_buff *skb,
const struct nf_hook_state *state)
{
struct nft_pktinfo pkt;
switch (eth_hdr(skb)->h_proto) {
case htons(ETH_P_IP):
nft_netdev_set_pktinfo_ipv4(&pkt, ops, skb, state);
break;
case htons(ETH_P_IPV6):
nft_netdev_set_pktinfo_ipv6(&pkt, ops, skb, state);
break;
default:
nft_set_pktinfo(&pkt, ops, skb, state);
break;
}
return nft_do_chain(&pkt, ops);
}
static struct nft_af_info nft_af_netdev __read_mostly = {
.family = NFPROTO_NETDEV,
.nhooks = NF_NETDEV_NUMHOOKS,
.owner = THIS_MODULE,
.flags = NFT_AF_NEEDS_DEV,
.nops = 1,
.hooks = {
[NF_NETDEV_INGRESS] = nft_do_chain_netdev,
},
};
static int nf_tables_netdev_init_net(struct net *net)
{
net->nft.netdev = kmalloc(sizeof(struct nft_af_info), GFP_KERNEL);
if (net->nft.netdev == NULL)
return -ENOMEM;
memcpy(net->nft.netdev, &nft_af_netdev, sizeof(nft_af_netdev));
if (nft_register_afinfo(net, net->nft.netdev) < 0)
goto err;
return 0;
err:
kfree(net->nft.netdev);
return -ENOMEM;
}
static void nf_tables_netdev_exit_net(struct net *net)
{
nft_unregister_afinfo(net->nft.netdev);
kfree(net->nft.netdev);
}
static struct pernet_operations nf_tables_netdev_net_ops = {
.init = nf_tables_netdev_init_net,
.exit = nf_tables_netdev_exit_net,
};
static const struct nf_chain_type nft_filter_chain_netdev = {
.name = "filter",
.type = NFT_CHAIN_T_DEFAULT,
.family = NFPROTO_NETDEV,
.owner = THIS_MODULE,
.hook_mask = (1 << NF_NETDEV_INGRESS),
};
static int __init nf_tables_netdev_init(void)
{
int ret;
nft_register_chain_type(&nft_filter_chain_netdev);
ret = register_pernet_subsys(&nf_tables_netdev_net_ops);
if (ret < 0)
nft_unregister_chain_type(&nft_filter_chain_netdev);
return ret;
}
static void __exit nf_tables_netdev_exit(void)
{
unregister_pernet_subsys(&nf_tables_netdev_net_ops);
nft_unregister_chain_type(&nft_filter_chain_netdev);
}
module_init(nf_tables_netdev_init);
module_exit(nf_tables_netdev_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
MODULE_ALIAS_NFT_FAMILY(5); /* NFPROTO_NETDEV */
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment