Commit 83d213fd authored by Florian Westphal's avatar Florian Westphal Committed by Pablo Neira Ayuso

netfilter: conntrack: deconstify packet callback skb pointer

Only two protocols need the ->error() function: icmp and icmpv6.
This is because icmp error mssages might be RELATED to an existing
connection (e.g. PMTUD, port unreachable and the like), and their
->error() handlers do this.

The error callback is already optional, so remove it for
udp and call them from ->packet() instead.

As the error() callback can call checksum functions that write to
skb->csum*, the const qualifier has to be removed as well.
Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 9976fc6e
...@@ -43,7 +43,7 @@ struct nf_conntrack_l4proto { ...@@ -43,7 +43,7 @@ struct nf_conntrack_l4proto {
/* Returns verdict for packet, or -1 for invalid. */ /* Returns verdict for packet, or -1 for invalid. */
int (*packet)(struct nf_conn *ct, int (*packet)(struct nf_conn *ct,
const struct sk_buff *skb, struct sk_buff *skb,
unsigned int dataoff, unsigned int dataoff,
enum ip_conntrack_info ctinfo, enum ip_conntrack_info ctinfo,
const struct nf_hook_state *state); const struct nf_hook_state *state);
......
...@@ -435,7 +435,7 @@ static u64 dccp_ack_seq(const struct dccp_hdr *dh) ...@@ -435,7 +435,7 @@ static u64 dccp_ack_seq(const struct dccp_hdr *dh)
ntohl(dhack->dccph_ack_nr_low); ntohl(dhack->dccph_ack_nr_low);
} }
static int dccp_packet(struct nf_conn *ct, const struct sk_buff *skb, static int dccp_packet(struct nf_conn *ct, struct sk_buff *skb,
unsigned int dataoff, enum ip_conntrack_info ctinfo, unsigned int dataoff, enum ip_conntrack_info ctinfo,
const struct nf_hook_state *state) const struct nf_hook_state *state)
{ {
......
...@@ -44,7 +44,7 @@ static bool generic_pkt_to_tuple(const struct sk_buff *skb, ...@@ -44,7 +44,7 @@ static bool generic_pkt_to_tuple(const struct sk_buff *skb,
/* Returns verdict for packet, or -1 for invalid. */ /* Returns verdict for packet, or -1 for invalid. */
static int generic_packet(struct nf_conn *ct, static int generic_packet(struct nf_conn *ct,
const struct sk_buff *skb, struct sk_buff *skb,
unsigned int dataoff, unsigned int dataoff,
enum ip_conntrack_info ctinfo, enum ip_conntrack_info ctinfo,
const struct nf_hook_state *state) const struct nf_hook_state *state)
......
...@@ -233,7 +233,7 @@ static unsigned int *gre_get_timeouts(struct net *net) ...@@ -233,7 +233,7 @@ static unsigned int *gre_get_timeouts(struct net *net)
/* Returns verdict for packet, and may modify conntrack */ /* Returns verdict for packet, and may modify conntrack */
static int gre_packet(struct nf_conn *ct, static int gre_packet(struct nf_conn *ct,
const struct sk_buff *skb, struct sk_buff *skb,
unsigned int dataoff, unsigned int dataoff,
enum ip_conntrack_info ctinfo, enum ip_conntrack_info ctinfo,
const struct nf_hook_state *state) const struct nf_hook_state *state)
......
...@@ -74,7 +74,7 @@ static bool icmp_invert_tuple(struct nf_conntrack_tuple *tuple, ...@@ -74,7 +74,7 @@ static bool icmp_invert_tuple(struct nf_conntrack_tuple *tuple,
/* Returns verdict for packet, or -1 for invalid. */ /* Returns verdict for packet, or -1 for invalid. */
static int icmp_packet(struct nf_conn *ct, static int icmp_packet(struct nf_conn *ct,
const struct sk_buff *skb, struct sk_buff *skb,
unsigned int dataoff, unsigned int dataoff,
enum ip_conntrack_info ctinfo, enum ip_conntrack_info ctinfo,
const struct nf_hook_state *state) const struct nf_hook_state *state)
......
...@@ -92,10 +92,10 @@ static unsigned int *icmpv6_get_timeouts(struct net *net) ...@@ -92,10 +92,10 @@ static unsigned int *icmpv6_get_timeouts(struct net *net)
/* Returns verdict for packet, or -1 for invalid. */ /* Returns verdict for packet, or -1 for invalid. */
static int icmpv6_packet(struct nf_conn *ct, static int icmpv6_packet(struct nf_conn *ct,
const struct sk_buff *skb, struct sk_buff *skb,
unsigned int dataoff, unsigned int dataoff,
enum ip_conntrack_info ctinfo, enum ip_conntrack_info ctinfo,
const struct nf_hook_state *state) const struct nf_hook_state *state)
{ {
unsigned int *timeout = nf_ct_timeout_lookup(ct); unsigned int *timeout = nf_ct_timeout_lookup(ct);
static const u8 valid_new[] = { static const u8 valid_new[] = {
......
...@@ -332,7 +332,7 @@ sctp_new(struct nf_conn *ct, const struct sk_buff *skb, ...@@ -332,7 +332,7 @@ sctp_new(struct nf_conn *ct, const struct sk_buff *skb,
/* Returns verdict for packet, or -NF_ACCEPT for invalid. */ /* Returns verdict for packet, or -NF_ACCEPT for invalid. */
static int sctp_packet(struct nf_conn *ct, static int sctp_packet(struct nf_conn *ct,
const struct sk_buff *skb, struct sk_buff *skb,
unsigned int dataoff, unsigned int dataoff,
enum ip_conntrack_info ctinfo, enum ip_conntrack_info ctinfo,
const struct nf_hook_state *state) const struct nf_hook_state *state)
......
...@@ -844,7 +844,7 @@ static noinline bool tcp_new(struct nf_conn *ct, const struct sk_buff *skb, ...@@ -844,7 +844,7 @@ static noinline bool tcp_new(struct nf_conn *ct, const struct sk_buff *skb,
/* Returns verdict for packet, or -1 for invalid. */ /* Returns verdict for packet, or -1 for invalid. */
static int tcp_packet(struct nf_conn *ct, static int tcp_packet(struct nf_conn *ct,
const struct sk_buff *skb, struct sk_buff *skb,
unsigned int dataoff, unsigned int dataoff,
enum ip_conntrack_info ctinfo, enum ip_conntrack_info ctinfo,
const struct nf_hook_state *state) const struct nf_hook_state *state)
......
...@@ -42,15 +42,65 @@ static unsigned int *udp_get_timeouts(struct net *net) ...@@ -42,15 +42,65 @@ static unsigned int *udp_get_timeouts(struct net *net)
return udp_pernet(net)->timeouts; return udp_pernet(net)->timeouts;
} }
static void udp_error_log(const struct sk_buff *skb,
const struct nf_hook_state *state,
const char *msg)
{
nf_l4proto_log_invalid(skb, state->net, state->pf,
IPPROTO_UDP, "%s", msg);
}
static bool udp_error(struct sk_buff *skb,
unsigned int dataoff,
const struct nf_hook_state *state)
{
unsigned int udplen = skb->len - dataoff;
const struct udphdr *hdr;
struct udphdr _hdr;
/* Header is too small? */
hdr = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr);
if (!hdr) {
udp_error_log(skb, state, "short packet");
return true;
}
/* Truncated/malformed packets */
if (ntohs(hdr->len) > udplen || ntohs(hdr->len) < sizeof(*hdr)) {
udp_error_log(skb, state, "truncated/malformed packet");
return true;
}
/* Packet with no checksum */
if (!hdr->check)
return false;
/* Checksum invalid? Ignore.
* We skip checking packets on the outgoing path
* because the checksum is assumed to be correct.
* FIXME: Source route IP option packets --RR */
if (state->hook == NF_INET_PRE_ROUTING &&
state->net->ct.sysctl_checksum &&
nf_checksum(skb, state->hook, dataoff, IPPROTO_UDP, state->pf)) {
udp_error_log(skb, state, "bad checksum");
return true;
}
return false;
}
/* Returns verdict for packet, and may modify conntracktype */ /* Returns verdict for packet, and may modify conntracktype */
static int udp_packet(struct nf_conn *ct, static int udp_packet(struct nf_conn *ct,
const struct sk_buff *skb, struct sk_buff *skb,
unsigned int dataoff, unsigned int dataoff,
enum ip_conntrack_info ctinfo, enum ip_conntrack_info ctinfo,
const struct nf_hook_state *state) const struct nf_hook_state *state)
{ {
unsigned int *timeouts; unsigned int *timeouts;
if (udp_error(skb, dataoff, state))
return -NF_ACCEPT;
timeouts = nf_ct_timeout_lookup(ct); timeouts = nf_ct_timeout_lookup(ct);
if (!timeouts) if (!timeouts)
timeouts = udp_get_timeouts(nf_ct_net(ct)); timeouts = udp_get_timeouts(nf_ct_net(ct));
...@@ -79,9 +129,9 @@ static void udplite_error_log(const struct sk_buff *skb, ...@@ -79,9 +129,9 @@ static void udplite_error_log(const struct sk_buff *skb,
IPPROTO_UDPLITE, "%s", msg); IPPROTO_UDPLITE, "%s", msg);
} }
static int udplite_error(struct nf_conn *tmpl, struct sk_buff *skb, static bool udplite_error(struct sk_buff *skb,
unsigned int dataoff, unsigned int dataoff,
const struct nf_hook_state *state) const struct nf_hook_state *state)
{ {
unsigned int udplen = skb->len - dataoff; unsigned int udplen = skb->len - dataoff;
const struct udphdr *hdr; const struct udphdr *hdr;
...@@ -92,7 +142,7 @@ static int udplite_error(struct nf_conn *tmpl, struct sk_buff *skb, ...@@ -92,7 +142,7 @@ static int udplite_error(struct nf_conn *tmpl, struct sk_buff *skb,
hdr = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr); hdr = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr);
if (!hdr) { if (!hdr) {
udplite_error_log(skb, state, "short packet"); udplite_error_log(skb, state, "short packet");
return -NF_ACCEPT; return true;
} }
cscov = ntohs(hdr->len); cscov = ntohs(hdr->len);
...@@ -100,13 +150,13 @@ static int udplite_error(struct nf_conn *tmpl, struct sk_buff *skb, ...@@ -100,13 +150,13 @@ static int udplite_error(struct nf_conn *tmpl, struct sk_buff *skb,
cscov = udplen; cscov = udplen;
} else if (cscov < sizeof(*hdr) || cscov > udplen) { } else if (cscov < sizeof(*hdr) || cscov > udplen) {
udplite_error_log(skb, state, "invalid checksum coverage"); udplite_error_log(skb, state, "invalid checksum coverage");
return -NF_ACCEPT; return true;
} }
/* UDPLITE mandates checksums */ /* UDPLITE mandates checksums */
if (!hdr->check) { if (!hdr->check) {
udplite_error_log(skb, state, "checksum missing"); udplite_error_log(skb, state, "checksum missing");
return -NF_ACCEPT; return true;
} }
/* Checksum invalid? Ignore. */ /* Checksum invalid? Ignore. */
...@@ -115,58 +165,43 @@ static int udplite_error(struct nf_conn *tmpl, struct sk_buff *skb, ...@@ -115,58 +165,43 @@ static int udplite_error(struct nf_conn *tmpl, struct sk_buff *skb,
nf_checksum_partial(skb, state->hook, dataoff, cscov, IPPROTO_UDP, nf_checksum_partial(skb, state->hook, dataoff, cscov, IPPROTO_UDP,
state->pf)) { state->pf)) {
udplite_error_log(skb, state, "bad checksum"); udplite_error_log(skb, state, "bad checksum");
return -NF_ACCEPT; return true;
} }
return NF_ACCEPT; return false;
} }
#endif
static void udp_error_log(const struct sk_buff *skb, /* Returns verdict for packet, and may modify conntracktype */
const struct nf_hook_state *state, static int udplite_packet(struct nf_conn *ct,
const char *msg) struct sk_buff *skb,
{ unsigned int dataoff,
nf_l4proto_log_invalid(skb, state->net, state->pf, enum ip_conntrack_info ctinfo,
IPPROTO_UDP, "%s", msg); const struct nf_hook_state *state)
}
static int udp_error(struct nf_conn *tmpl, struct sk_buff *skb,
unsigned int dataoff,
const struct nf_hook_state *state)
{ {
unsigned int udplen = skb->len - dataoff; unsigned int *timeouts;
const struct udphdr *hdr;
struct udphdr _hdr;
/* Header is too small? */
hdr = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr);
if (hdr == NULL) {
udp_error_log(skb, state, "short packet");
return -NF_ACCEPT;
}
/* Truncated/malformed packets */ if (udplite_error(skb, dataoff, state))
if (ntohs(hdr->len) > udplen || ntohs(hdr->len) < sizeof(*hdr)) {
udp_error_log(skb, state, "truncated/malformed packet");
return -NF_ACCEPT; return -NF_ACCEPT;
}
/* Packet with no checksum */ timeouts = nf_ct_timeout_lookup(ct);
if (!hdr->check) if (!timeouts)
return NF_ACCEPT; timeouts = udp_get_timeouts(nf_ct_net(ct));
/* Checksum invalid? Ignore. /* If we've seen traffic both ways, this is some kind of UDP
* We skip checking packets on the outgoing path stream. Extend timeout. */
* because the checksum is assumed to be correct. if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
* FIXME: Source route IP option packets --RR */ nf_ct_refresh_acct(ct, ctinfo, skb,
if (state->net->ct.sysctl_checksum && state->hook == NF_INET_PRE_ROUTING && timeouts[UDP_CT_REPLIED]);
nf_checksum(skb, state->hook, dataoff, IPPROTO_UDP, state->pf)) { /* Also, more likely to be important, and not a probe */
udp_error_log(skb, state, "bad checksum"); if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status))
return -NF_ACCEPT; nf_conntrack_event_cache(IPCT_ASSURED, ct);
} else {
nf_ct_refresh_acct(ct, ctinfo, skb,
timeouts[UDP_CT_UNREPLIED]);
} }
return NF_ACCEPT; return NF_ACCEPT;
} }
#endif
#ifdef CONFIG_NF_CONNTRACK_TIMEOUT #ifdef CONFIG_NF_CONNTRACK_TIMEOUT
...@@ -281,7 +316,6 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_udp4 = ...@@ -281,7 +316,6 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_udp4 =
.l4proto = IPPROTO_UDP, .l4proto = IPPROTO_UDP,
.allow_clash = true, .allow_clash = true,
.packet = udp_packet, .packet = udp_packet,
.error = udp_error,
#if IS_ENABLED(CONFIG_NF_CT_NETLINK) #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
.tuple_to_nlattr = nf_ct_port_tuple_to_nlattr, .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
.nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
...@@ -308,8 +342,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite4 = ...@@ -308,8 +342,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite4 =
.l3proto = PF_INET, .l3proto = PF_INET,
.l4proto = IPPROTO_UDPLITE, .l4proto = IPPROTO_UDPLITE,
.allow_clash = true, .allow_clash = true,
.packet = udp_packet, .packet = udplite_packet,
.error = udplite_error,
#if IS_ENABLED(CONFIG_NF_CT_NETLINK) #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
.tuple_to_nlattr = nf_ct_port_tuple_to_nlattr, .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
.nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
...@@ -337,7 +370,6 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_udp6 = ...@@ -337,7 +370,6 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_udp6 =
.l4proto = IPPROTO_UDP, .l4proto = IPPROTO_UDP,
.allow_clash = true, .allow_clash = true,
.packet = udp_packet, .packet = udp_packet,
.error = udp_error,
#if IS_ENABLED(CONFIG_NF_CT_NETLINK) #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
.tuple_to_nlattr = nf_ct_port_tuple_to_nlattr, .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
.nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
...@@ -364,8 +396,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite6 = ...@@ -364,8 +396,7 @@ const struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite6 =
.l3proto = PF_INET6, .l3proto = PF_INET6,
.l4proto = IPPROTO_UDPLITE, .l4proto = IPPROTO_UDPLITE,
.allow_clash = true, .allow_clash = true,
.packet = udp_packet, .packet = udplite_packet,
.error = udplite_error,
#if IS_ENABLED(CONFIG_NF_CT_NETLINK) #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
.tuple_to_nlattr = nf_ct_port_tuple_to_nlattr, .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
.nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment