Commit f347ec85 authored by Pablo M. Bermudo Garay's avatar Pablo M. Bermudo Garay Committed by Pablo Neira Ayuso

netfilter: nf_tables: fib: use skb_header_pointer

This is a preparatory patch for adding fib support to the netdev family.

The netdev family receives the packets from ingress hook. At this point
we have no guarantee that the ip header is linear. So this patch
replaces ip_hdr with skb_header_pointer in order to address that
possible situation.
Signed-off-by: default avatarPablo M. Bermudo Garay <pablombg@gmail.com>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 784b4e61
...@@ -32,9 +32,10 @@ void nft_fib4_eval_type(const struct nft_expr *expr, struct nft_regs *regs, ...@@ -32,9 +32,10 @@ void nft_fib4_eval_type(const struct nft_expr *expr, struct nft_regs *regs,
const struct nft_pktinfo *pkt) const struct nft_pktinfo *pkt)
{ {
const struct nft_fib *priv = nft_expr_priv(expr); const struct nft_fib *priv = nft_expr_priv(expr);
int noff = skb_network_offset(pkt->skb);
u32 *dst = &regs->data[priv->dreg]; u32 *dst = &regs->data[priv->dreg];
const struct net_device *dev = NULL; const struct net_device *dev = NULL;
const struct iphdr *iph; struct iphdr *iph, _iph;
__be32 addr; __be32 addr;
if (priv->flags & NFTA_FIB_F_IIF) if (priv->flags & NFTA_FIB_F_IIF)
...@@ -42,7 +43,12 @@ void nft_fib4_eval_type(const struct nft_expr *expr, struct nft_regs *regs, ...@@ -42,7 +43,12 @@ void nft_fib4_eval_type(const struct nft_expr *expr, struct nft_regs *regs,
else if (priv->flags & NFTA_FIB_F_OIF) else if (priv->flags & NFTA_FIB_F_OIF)
dev = nft_out(pkt); dev = nft_out(pkt);
iph = ip_hdr(pkt->skb); iph = skb_header_pointer(pkt->skb, noff, sizeof(_iph), &_iph);
if (!iph) {
regs->verdict.code = NFT_BREAK;
return;
}
if (priv->flags & NFTA_FIB_F_DADDR) if (priv->flags & NFTA_FIB_F_DADDR)
addr = iph->daddr; addr = iph->daddr;
else else
...@@ -61,8 +67,9 @@ void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs, ...@@ -61,8 +67,9 @@ void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs,
const struct nft_pktinfo *pkt) const struct nft_pktinfo *pkt)
{ {
const struct nft_fib *priv = nft_expr_priv(expr); const struct nft_fib *priv = nft_expr_priv(expr);
int noff = skb_network_offset(pkt->skb);
u32 *dest = &regs->data[priv->dreg]; u32 *dest = &regs->data[priv->dreg];
const struct iphdr *iph; struct iphdr *iph, _iph;
struct fib_result res; struct fib_result res;
struct flowi4 fl4 = { struct flowi4 fl4 = {
.flowi4_scope = RT_SCOPE_UNIVERSE, .flowi4_scope = RT_SCOPE_UNIVERSE,
...@@ -95,7 +102,12 @@ void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs, ...@@ -95,7 +102,12 @@ void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs,
return; return;
} }
iph = ip_hdr(pkt->skb); iph = skb_header_pointer(pkt->skb, noff, sizeof(_iph), &_iph);
if (!iph) {
regs->verdict.code = NFT_BREAK;
return;
}
if (ipv4_is_zeronet(iph->saddr)) { if (ipv4_is_zeronet(iph->saddr)) {
if (ipv4_is_lbcast(iph->daddr) || if (ipv4_is_lbcast(iph->daddr) ||
ipv4_is_local_multicast(iph->daddr)) { ipv4_is_local_multicast(iph->daddr)) {
......
...@@ -25,9 +25,9 @@ static int get_ifindex(const struct net_device *dev) ...@@ -25,9 +25,9 @@ static int get_ifindex(const struct net_device *dev)
static int nft_fib6_flowi_init(struct flowi6 *fl6, const struct nft_fib *priv, static int nft_fib6_flowi_init(struct flowi6 *fl6, const struct nft_fib *priv,
const struct nft_pktinfo *pkt, const struct nft_pktinfo *pkt,
const struct net_device *dev) const struct net_device *dev,
struct ipv6hdr *iph)
{ {
const struct ipv6hdr *iph = ipv6_hdr(pkt->skb);
int lookup_flags = 0; int lookup_flags = 0;
if (priv->flags & NFTA_FIB_F_DADDR) { if (priv->flags & NFTA_FIB_F_DADDR) {
...@@ -55,7 +55,8 @@ static int nft_fib6_flowi_init(struct flowi6 *fl6, const struct nft_fib *priv, ...@@ -55,7 +55,8 @@ static int nft_fib6_flowi_init(struct flowi6 *fl6, const struct nft_fib *priv,
} }
static u32 __nft_fib6_eval_type(const struct nft_fib *priv, static u32 __nft_fib6_eval_type(const struct nft_fib *priv,
const struct nft_pktinfo *pkt) const struct nft_pktinfo *pkt,
struct ipv6hdr *iph)
{ {
const struct net_device *dev = NULL; const struct net_device *dev = NULL;
const struct nf_ipv6_ops *v6ops; const struct nf_ipv6_ops *v6ops;
...@@ -77,7 +78,7 @@ static u32 __nft_fib6_eval_type(const struct nft_fib *priv, ...@@ -77,7 +78,7 @@ static u32 __nft_fib6_eval_type(const struct nft_fib *priv,
else if (priv->flags & NFTA_FIB_F_OIF) else if (priv->flags & NFTA_FIB_F_OIF)
dev = nft_out(pkt); dev = nft_out(pkt);
nft_fib6_flowi_init(&fl6, priv, pkt, dev); nft_fib6_flowi_init(&fl6, priv, pkt, dev, iph);
v6ops = nf_get_ipv6_ops(); v6ops = nf_get_ipv6_ops();
if (dev && v6ops && v6ops->chk_addr(nft_net(pkt), &fl6.daddr, dev, true)) if (dev && v6ops && v6ops->chk_addr(nft_net(pkt), &fl6.daddr, dev, true))
...@@ -131,9 +132,17 @@ void nft_fib6_eval_type(const struct nft_expr *expr, struct nft_regs *regs, ...@@ -131,9 +132,17 @@ void nft_fib6_eval_type(const struct nft_expr *expr, struct nft_regs *regs,
const struct nft_pktinfo *pkt) const struct nft_pktinfo *pkt)
{ {
const struct nft_fib *priv = nft_expr_priv(expr); const struct nft_fib *priv = nft_expr_priv(expr);
int noff = skb_network_offset(pkt->skb);
u32 *dest = &regs->data[priv->dreg]; u32 *dest = &regs->data[priv->dreg];
struct ipv6hdr *iph, _iph;
iph = skb_header_pointer(pkt->skb, noff, sizeof(_iph), &_iph);
if (!iph) {
regs->verdict.code = NFT_BREAK;
return;
}
*dest = __nft_fib6_eval_type(priv, pkt); *dest = __nft_fib6_eval_type(priv, pkt, iph);
} }
EXPORT_SYMBOL_GPL(nft_fib6_eval_type); EXPORT_SYMBOL_GPL(nft_fib6_eval_type);
...@@ -141,8 +150,10 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs, ...@@ -141,8 +150,10 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs,
const struct nft_pktinfo *pkt) const struct nft_pktinfo *pkt)
{ {
const struct nft_fib *priv = nft_expr_priv(expr); const struct nft_fib *priv = nft_expr_priv(expr);
int noff = skb_network_offset(pkt->skb);
const struct net_device *oif = NULL; const struct net_device *oif = NULL;
u32 *dest = &regs->data[priv->dreg]; u32 *dest = &regs->data[priv->dreg];
struct ipv6hdr *iph, _iph;
struct flowi6 fl6 = { struct flowi6 fl6 = {
.flowi6_iif = LOOPBACK_IFINDEX, .flowi6_iif = LOOPBACK_IFINDEX,
.flowi6_proto = pkt->tprot, .flowi6_proto = pkt->tprot,
...@@ -155,7 +166,13 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs, ...@@ -155,7 +166,13 @@ void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs,
else if (priv->flags & NFTA_FIB_F_OIF) else if (priv->flags & NFTA_FIB_F_OIF)
oif = nft_out(pkt); oif = nft_out(pkt);
lookup_flags = nft_fib6_flowi_init(&fl6, priv, pkt, oif); iph = skb_header_pointer(pkt->skb, noff, sizeof(_iph), &_iph);
if (!iph) {
regs->verdict.code = NFT_BREAK;
return;
}
lookup_flags = nft_fib6_flowi_init(&fl6, priv, pkt, oif, iph);
if (nft_hook(pkt) == NF_INET_PRE_ROUTING && if (nft_hook(pkt) == NF_INET_PRE_ROUTING &&
nft_fib_is_loopback(pkt->skb, nft_in(pkt))) { nft_fib_is_loopback(pkt->skb, nft_in(pkt))) {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment