fcd53c51d0
Now that the egress function can be called from egress hook, we need
to avoid recursive calls into the nf_tables traverser, else crash.
Fixes: f87b9464d1
("netfilter: nft_fwd_netdev: Support egress hook")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
// SPDX-License-Identifier: GPL-2.0-only
/*
* Copyright (c) 2015 Pablo Neira Ayuso <pablo@netfilter.org>
*/
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/module.h>
#include <linux/netlink.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables_offload.h>
#include <net/netfilter/nf_dup_netdev.h>
/*
 * Upper bound on how deep nf_do_netdev_egress() may nest on one CPU.
 *
 * Transmitting via dev_queue_xmit() can run the egress netfilter hook again
 * on the same CPU, and that hook can call back into this file (see the commit
 * message: recursive calls into the nf_tables traverser crash).  The per-cpu
 * counter below bounds that nesting; nf_do_netdev_egress() drops the packet
 * once the depth is above this limit instead of recursing further.
 */
#define NF_RECURSION_LIMIT 2

/* Per-cpu nesting depth of the dev_queue_xmit() call in nf_do_netdev_egress(). */
static DEFINE_PER_CPU(u8, nf_dup_skb_recursion);
/*
 * Hand @skb to @dev for transmission; @skb is consumed on every path
 * (queued to the device or freed here).
 *
 * @skb:  packet to transmit
 * @dev:  outgoing device
 * @hook: the netdev hook this call originates from
 *
 * A per-cpu depth counter brackets dev_queue_xmit(): transmitting can run
 * the egress netfilter hook on this CPU and re-enter this function, so once
 * the depth exceeds NF_RECURSION_LIMIT the packet is dropped rather than
 * nested deeper.  The __this_cpu_*() accessors assume the caller runs with
 * preemption disabled (hook context) -- NOTE(review): confirm for every caller.
 */
static void nf_do_netdev_egress(struct sk_buff *skb, struct net_device *dev,
				enum nf_dev_hooks hook)
{
	u8 depth = __this_cpu_read(nf_dup_skb_recursion);

	if (depth > NF_RECURSION_LIMIT) {
		kfree_skb(skb);
		return;
	}

	/*
	 * At ingress the data pointer sits past the link-layer header; put
	 * that header back in front of the data before handing the frame to
	 * the driver.  skb_cow_head() guarantees writable headroom first.
	 */
	if (hook == NF_NETDEV_INGRESS && skb_mac_header_was_set(skb)) {
		if (skb_cow_head(skb, skb->mac_len)) {
			kfree_skb(skb);
			return;
		}
		skb_push(skb, skb->mac_len);
	}

	skb->dev = dev;
	skb_clear_tstamp(skb);

	/* dev_queue_xmit() takes ownership of skb; nothing to free afterwards. */
	__this_cpu_inc(nf_dup_skb_recursion);
	dev_queue_xmit(skb);
	__this_cpu_dec(nf_dup_skb_recursion);
}
/*
 * Forward the packet carried by @pkt out of interface index @oif.
 *
 * @pkt: nftables packet info; its skb is always consumed
 * @oif: ifindex of the outgoing device
 *
 * An ifindex that names no device drops the packet.  The _rcu lookup variant
 * takes no reference on the device, so this relies on running under RCU
 * (netfilter hook context) -- NOTE(review): verify at each caller.
 */
void nf_fwd_netdev_egress(const struct nft_pktinfo *pkt, int oif)
{
	struct net_device *out = dev_get_by_index_rcu(nft_net(pkt), oif);

	if (out)
		nf_do_netdev_egress(pkt->skb, out, nft_hook(pkt));
	else
		kfree_skb(pkt->skb);
}
EXPORT_SYMBOL_GPL(nf_fwd_netdev_egress);
/*
 * Send a copy of the packet carried by @pkt out of interface index @oif.
 *
 * @pkt: nftables packet info; the original skb is left untouched
 * @oif: ifindex of the outgoing device
 *
 * Best effort: an unknown device or a failed clone (GFP_ATOMIC, may fail
 * under pressure) silently skips the duplicate.  Same RCU requirement as
 * nf_fwd_netdev_egress(): the _rcu lookup takes no device reference.
 */
void nf_dup_netdev_egress(const struct nft_pktinfo *pkt, int oif)
{
	struct net_device *out = dev_get_by_index_rcu(nft_net(pkt), oif);
	struct sk_buff *copy;

	if (!out)
		return;

	copy = skb_clone(pkt->skb, GFP_ATOMIC);
	if (!copy)
		return;

	nf_do_netdev_egress(copy, out, nft_hook(pkt));
}
EXPORT_SYMBOL_GPL(nf_dup_netdev_egress);
/*
 * Append a flow action of type @id targeting interface index @oif to @flow.
 *
 * @ctx:  offload context; ctx->num_actions is advanced by one on success
 * @flow: rule being offloaded; the entry is written into flow->rule->action
 * @id:   flow action id to record
 * @oif:  ifindex of the target device
 *
 * Returns 0 on success, -EOPNOTSUPP when @oif names no device in ctx->net.
 * The device reference taken here is released by nft_flow_rule_destroy().
 * NOTE(review): there is no bounds check on num_actions; this relies on the
 * caller having sized action.entries for every action of the rule -- confirm
 * in the code that allocates flow->rule.
 */
int nft_fwd_dup_netdev_offload(struct nft_offload_ctx *ctx,
			       struct nft_flow_rule *flow,
			       enum flow_action_id id, int oif)
{
	struct net_device *target = dev_get_by_index(ctx->net, oif);
	struct flow_action_entry *act;

	if (!target)
		return -EOPNOTSUPP;

	act = &flow->rule->action.entries[ctx->num_actions++];
	act->id = id;
	act->dev = target;

	return 0;
}
EXPORT_SYMBOL_GPL(nft_fwd_dup_netdev_offload);
/* Module metadata; the helpers above are exported as GPL-only symbols. */
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
MODULE_DESCRIPTION("Netfilter packet duplication support");