mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-08-26 10:49:33 +00:00
d3519cb89f
This patch adds a new ingress hook for the inet family. The inet ingress hook emulates the IP receive path code, therefore, unclean packets are drop before walking over the ruleset in this basechain. This patch also introduces the nft_base_chain_netdev() helper function to check if this hook is bound to one or more devices (through the hook list infrastructure). This check allows to perform the same handling for the inet ingress as it would be a netdev ingress chain from the control plane. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
445 lines
11 KiB
C
445 lines
11 KiB
C
#include <linux/init.h>
|
|
#include <linux/kernel.h>
|
|
#include <linux/netdevice.h>
|
|
#include <net/net_namespace.h>
|
|
#include <net/netfilter/nf_tables.h>
|
|
#include <linux/netfilter_ipv4.h>
|
|
#include <linux/netfilter_ipv6.h>
|
|
#include <linux/netfilter_bridge.h>
|
|
#include <linux/netfilter_arp.h>
|
|
#include <net/netfilter/nf_tables_ipv4.h>
|
|
#include <net/netfilter/nf_tables_ipv6.h>
|
|
|
|
#ifdef CONFIG_NF_TABLES_IPV4
|
|
static unsigned int nft_do_chain_ipv4(void *priv,
|
|
struct sk_buff *skb,
|
|
const struct nf_hook_state *state)
|
|
{
|
|
struct nft_pktinfo pkt;
|
|
|
|
nft_set_pktinfo(&pkt, skb, state);
|
|
nft_set_pktinfo_ipv4(&pkt, skb);
|
|
|
|
return nft_do_chain(&pkt, priv);
|
|
}
|
|
|
|
static const struct nft_chain_type nft_chain_filter_ipv4 = {
|
|
.name = "filter",
|
|
.type = NFT_CHAIN_T_DEFAULT,
|
|
.family = NFPROTO_IPV4,
|
|
.hook_mask = (1 << NF_INET_LOCAL_IN) |
|
|
(1 << NF_INET_LOCAL_OUT) |
|
|
(1 << NF_INET_FORWARD) |
|
|
(1 << NF_INET_PRE_ROUTING) |
|
|
(1 << NF_INET_POST_ROUTING),
|
|
.hooks = {
|
|
[NF_INET_LOCAL_IN] = nft_do_chain_ipv4,
|
|
[NF_INET_LOCAL_OUT] = nft_do_chain_ipv4,
|
|
[NF_INET_FORWARD] = nft_do_chain_ipv4,
|
|
[NF_INET_PRE_ROUTING] = nft_do_chain_ipv4,
|
|
[NF_INET_POST_ROUTING] = nft_do_chain_ipv4,
|
|
},
|
|
};
|
|
|
|
static void nft_chain_filter_ipv4_init(void)
|
|
{
|
|
nft_register_chain_type(&nft_chain_filter_ipv4);
|
|
}
|
|
static void nft_chain_filter_ipv4_fini(void)
|
|
{
|
|
nft_unregister_chain_type(&nft_chain_filter_ipv4);
|
|
}
|
|
|
|
#else
|
|
static inline void nft_chain_filter_ipv4_init(void) {}
|
|
static inline void nft_chain_filter_ipv4_fini(void) {}
|
|
#endif /* CONFIG_NF_TABLES_IPV4 */
|
|
|
|
#ifdef CONFIG_NF_TABLES_ARP
|
|
static unsigned int nft_do_chain_arp(void *priv, struct sk_buff *skb,
|
|
const struct nf_hook_state *state)
|
|
{
|
|
struct nft_pktinfo pkt;
|
|
|
|
nft_set_pktinfo(&pkt, skb, state);
|
|
nft_set_pktinfo_unspec(&pkt, skb);
|
|
|
|
return nft_do_chain(&pkt, priv);
|
|
}
|
|
|
|
static const struct nft_chain_type nft_chain_filter_arp = {
|
|
.name = "filter",
|
|
.type = NFT_CHAIN_T_DEFAULT,
|
|
.family = NFPROTO_ARP,
|
|
.owner = THIS_MODULE,
|
|
.hook_mask = (1 << NF_ARP_IN) |
|
|
(1 << NF_ARP_OUT),
|
|
.hooks = {
|
|
[NF_ARP_IN] = nft_do_chain_arp,
|
|
[NF_ARP_OUT] = nft_do_chain_arp,
|
|
},
|
|
};
|
|
|
|
static void nft_chain_filter_arp_init(void)
|
|
{
|
|
nft_register_chain_type(&nft_chain_filter_arp);
|
|
}
|
|
|
|
static void nft_chain_filter_arp_fini(void)
|
|
{
|
|
nft_unregister_chain_type(&nft_chain_filter_arp);
|
|
}
|
|
#else
|
|
static inline void nft_chain_filter_arp_init(void) {}
|
|
static inline void nft_chain_filter_arp_fini(void) {}
|
|
#endif /* CONFIG_NF_TABLES_ARP */
|
|
|
|
#ifdef CONFIG_NF_TABLES_IPV6
|
|
static unsigned int nft_do_chain_ipv6(void *priv,
|
|
struct sk_buff *skb,
|
|
const struct nf_hook_state *state)
|
|
{
|
|
struct nft_pktinfo pkt;
|
|
|
|
nft_set_pktinfo(&pkt, skb, state);
|
|
nft_set_pktinfo_ipv6(&pkt, skb);
|
|
|
|
return nft_do_chain(&pkt, priv);
|
|
}
|
|
|
|
static const struct nft_chain_type nft_chain_filter_ipv6 = {
|
|
.name = "filter",
|
|
.type = NFT_CHAIN_T_DEFAULT,
|
|
.family = NFPROTO_IPV6,
|
|
.hook_mask = (1 << NF_INET_LOCAL_IN) |
|
|
(1 << NF_INET_LOCAL_OUT) |
|
|
(1 << NF_INET_FORWARD) |
|
|
(1 << NF_INET_PRE_ROUTING) |
|
|
(1 << NF_INET_POST_ROUTING),
|
|
.hooks = {
|
|
[NF_INET_LOCAL_IN] = nft_do_chain_ipv6,
|
|
[NF_INET_LOCAL_OUT] = nft_do_chain_ipv6,
|
|
[NF_INET_FORWARD] = nft_do_chain_ipv6,
|
|
[NF_INET_PRE_ROUTING] = nft_do_chain_ipv6,
|
|
[NF_INET_POST_ROUTING] = nft_do_chain_ipv6,
|
|
},
|
|
};
|
|
|
|
static void nft_chain_filter_ipv6_init(void)
|
|
{
|
|
nft_register_chain_type(&nft_chain_filter_ipv6);
|
|
}
|
|
|
|
static void nft_chain_filter_ipv6_fini(void)
|
|
{
|
|
nft_unregister_chain_type(&nft_chain_filter_ipv6);
|
|
}
|
|
#else
|
|
static inline void nft_chain_filter_ipv6_init(void) {}
|
|
static inline void nft_chain_filter_ipv6_fini(void) {}
|
|
#endif /* CONFIG_NF_TABLES_IPV6 */
|
|
|
|
#ifdef CONFIG_NF_TABLES_INET
|
|
static unsigned int nft_do_chain_inet(void *priv, struct sk_buff *skb,
|
|
const struct nf_hook_state *state)
|
|
{
|
|
struct nft_pktinfo pkt;
|
|
|
|
nft_set_pktinfo(&pkt, skb, state);
|
|
|
|
switch (state->pf) {
|
|
case NFPROTO_IPV4:
|
|
nft_set_pktinfo_ipv4(&pkt, skb);
|
|
break;
|
|
case NFPROTO_IPV6:
|
|
nft_set_pktinfo_ipv6(&pkt, skb);
|
|
break;
|
|
default:
|
|
break;
|
|
}
|
|
|
|
return nft_do_chain(&pkt, priv);
|
|
}
|
|
|
|
static unsigned int nft_do_chain_inet_ingress(void *priv, struct sk_buff *skb,
|
|
const struct nf_hook_state *state)
|
|
{
|
|
struct nf_hook_state ingress_state = *state;
|
|
struct nft_pktinfo pkt;
|
|
|
|
switch (skb->protocol) {
|
|
case htons(ETH_P_IP):
|
|
/* Original hook is NFPROTO_NETDEV and NF_NETDEV_INGRESS. */
|
|
ingress_state.pf = NFPROTO_IPV4;
|
|
ingress_state.hook = NF_INET_INGRESS;
|
|
nft_set_pktinfo(&pkt, skb, &ingress_state);
|
|
|
|
if (nft_set_pktinfo_ipv4_ingress(&pkt, skb) < 0)
|
|
return NF_DROP;
|
|
break;
|
|
case htons(ETH_P_IPV6):
|
|
ingress_state.pf = NFPROTO_IPV6;
|
|
ingress_state.hook = NF_INET_INGRESS;
|
|
nft_set_pktinfo(&pkt, skb, &ingress_state);
|
|
|
|
if (nft_set_pktinfo_ipv6_ingress(&pkt, skb) < 0)
|
|
return NF_DROP;
|
|
break;
|
|
default:
|
|
return NF_ACCEPT;
|
|
}
|
|
|
|
return nft_do_chain(&pkt, priv);
|
|
}
|
|
|
|
static const struct nft_chain_type nft_chain_filter_inet = {
|
|
.name = "filter",
|
|
.type = NFT_CHAIN_T_DEFAULT,
|
|
.family = NFPROTO_INET,
|
|
.hook_mask = (1 << NF_INET_INGRESS) |
|
|
(1 << NF_INET_LOCAL_IN) |
|
|
(1 << NF_INET_LOCAL_OUT) |
|
|
(1 << NF_INET_FORWARD) |
|
|
(1 << NF_INET_PRE_ROUTING) |
|
|
(1 << NF_INET_POST_ROUTING),
|
|
.hooks = {
|
|
[NF_INET_INGRESS] = nft_do_chain_inet_ingress,
|
|
[NF_INET_LOCAL_IN] = nft_do_chain_inet,
|
|
[NF_INET_LOCAL_OUT] = nft_do_chain_inet,
|
|
[NF_INET_FORWARD] = nft_do_chain_inet,
|
|
[NF_INET_PRE_ROUTING] = nft_do_chain_inet,
|
|
[NF_INET_POST_ROUTING] = nft_do_chain_inet,
|
|
},
|
|
};
|
|
|
|
static void nft_chain_filter_inet_init(void)
|
|
{
|
|
nft_register_chain_type(&nft_chain_filter_inet);
|
|
}
|
|
|
|
static void nft_chain_filter_inet_fini(void)
|
|
{
|
|
nft_unregister_chain_type(&nft_chain_filter_inet);
|
|
}
|
|
#else
|
|
static inline void nft_chain_filter_inet_init(void) {}
|
|
static inline void nft_chain_filter_inet_fini(void) {}
|
|
#endif /* CONFIG_NF_TABLES_IPV6 */
|
|
|
|
#if IS_ENABLED(CONFIG_NF_TABLES_BRIDGE)
|
|
static unsigned int
|
|
nft_do_chain_bridge(void *priv,
|
|
struct sk_buff *skb,
|
|
const struct nf_hook_state *state)
|
|
{
|
|
struct nft_pktinfo pkt;
|
|
|
|
nft_set_pktinfo(&pkt, skb, state);
|
|
|
|
switch (eth_hdr(skb)->h_proto) {
|
|
case htons(ETH_P_IP):
|
|
nft_set_pktinfo_ipv4_validate(&pkt, skb);
|
|
break;
|
|
case htons(ETH_P_IPV6):
|
|
nft_set_pktinfo_ipv6_validate(&pkt, skb);
|
|
break;
|
|
default:
|
|
nft_set_pktinfo_unspec(&pkt, skb);
|
|
break;
|
|
}
|
|
|
|
return nft_do_chain(&pkt, priv);
|
|
}
|
|
|
|
static const struct nft_chain_type nft_chain_filter_bridge = {
|
|
.name = "filter",
|
|
.type = NFT_CHAIN_T_DEFAULT,
|
|
.family = NFPROTO_BRIDGE,
|
|
.hook_mask = (1 << NF_BR_PRE_ROUTING) |
|
|
(1 << NF_BR_LOCAL_IN) |
|
|
(1 << NF_BR_FORWARD) |
|
|
(1 << NF_BR_LOCAL_OUT) |
|
|
(1 << NF_BR_POST_ROUTING),
|
|
.hooks = {
|
|
[NF_BR_PRE_ROUTING] = nft_do_chain_bridge,
|
|
[NF_BR_LOCAL_IN] = nft_do_chain_bridge,
|
|
[NF_BR_FORWARD] = nft_do_chain_bridge,
|
|
[NF_BR_LOCAL_OUT] = nft_do_chain_bridge,
|
|
[NF_BR_POST_ROUTING] = nft_do_chain_bridge,
|
|
},
|
|
};
|
|
|
|
static void nft_chain_filter_bridge_init(void)
|
|
{
|
|
nft_register_chain_type(&nft_chain_filter_bridge);
|
|
}
|
|
|
|
static void nft_chain_filter_bridge_fini(void)
|
|
{
|
|
nft_unregister_chain_type(&nft_chain_filter_bridge);
|
|
}
|
|
#else
|
|
static inline void nft_chain_filter_bridge_init(void) {}
|
|
static inline void nft_chain_filter_bridge_fini(void) {}
|
|
#endif /* CONFIG_NF_TABLES_BRIDGE */
|
|
|
|
#ifdef CONFIG_NF_TABLES_NETDEV
|
|
static unsigned int nft_do_chain_netdev(void *priv, struct sk_buff *skb,
|
|
const struct nf_hook_state *state)
|
|
{
|
|
struct nft_pktinfo pkt;
|
|
|
|
nft_set_pktinfo(&pkt, skb, state);
|
|
|
|
switch (skb->protocol) {
|
|
case htons(ETH_P_IP):
|
|
nft_set_pktinfo_ipv4_validate(&pkt, skb);
|
|
break;
|
|
case htons(ETH_P_IPV6):
|
|
nft_set_pktinfo_ipv6_validate(&pkt, skb);
|
|
break;
|
|
default:
|
|
nft_set_pktinfo_unspec(&pkt, skb);
|
|
break;
|
|
}
|
|
|
|
return nft_do_chain(&pkt, priv);
|
|
}
|
|
|
|
static const struct nft_chain_type nft_chain_filter_netdev = {
|
|
.name = "filter",
|
|
.type = NFT_CHAIN_T_DEFAULT,
|
|
.family = NFPROTO_NETDEV,
|
|
.hook_mask = (1 << NF_NETDEV_INGRESS),
|
|
.hooks = {
|
|
[NF_NETDEV_INGRESS] = nft_do_chain_netdev,
|
|
},
|
|
};
|
|
|
|
static void nft_netdev_event(unsigned long event, struct net_device *dev,
|
|
struct nft_ctx *ctx)
|
|
{
|
|
struct nft_base_chain *basechain = nft_base_chain(ctx->chain);
|
|
struct nft_hook *hook, *found = NULL;
|
|
int n = 0;
|
|
|
|
if (event != NETDEV_UNREGISTER)
|
|
return;
|
|
|
|
list_for_each_entry(hook, &basechain->hook_list, list) {
|
|
if (hook->ops.dev == dev)
|
|
found = hook;
|
|
|
|
n++;
|
|
}
|
|
if (!found)
|
|
return;
|
|
|
|
if (n > 1) {
|
|
nf_unregister_net_hook(ctx->net, &found->ops);
|
|
list_del_rcu(&found->list);
|
|
kfree_rcu(found, rcu);
|
|
return;
|
|
}
|
|
|
|
/* UNREGISTER events are also happening on netns exit.
|
|
*
|
|
* Although nf_tables core releases all tables/chains, only this event
|
|
* handler provides guarantee that hook->ops.dev is still accessible,
|
|
* so we cannot skip exiting net namespaces.
|
|
*/
|
|
__nft_release_basechain(ctx);
|
|
}
|
|
|
|
static int nf_tables_netdev_event(struct notifier_block *this,
|
|
unsigned long event, void *ptr)
|
|
{
|
|
struct net_device *dev = netdev_notifier_info_to_dev(ptr);
|
|
struct nft_table *table;
|
|
struct nft_chain *chain, *nr;
|
|
struct nft_ctx ctx = {
|
|
.net = dev_net(dev),
|
|
};
|
|
|
|
if (event != NETDEV_UNREGISTER &&
|
|
event != NETDEV_CHANGENAME)
|
|
return NOTIFY_DONE;
|
|
|
|
mutex_lock(&ctx.net->nft.commit_mutex);
|
|
list_for_each_entry(table, &ctx.net->nft.tables, list) {
|
|
if (table->family != NFPROTO_NETDEV)
|
|
continue;
|
|
|
|
ctx.family = table->family;
|
|
ctx.table = table;
|
|
list_for_each_entry_safe(chain, nr, &table->chains, list) {
|
|
if (!nft_is_base_chain(chain))
|
|
continue;
|
|
|
|
ctx.chain = chain;
|
|
nft_netdev_event(event, dev, &ctx);
|
|
}
|
|
}
|
|
mutex_unlock(&ctx.net->nft.commit_mutex);
|
|
|
|
return NOTIFY_DONE;
|
|
}
|
|
|
|
static struct notifier_block nf_tables_netdev_notifier = {
|
|
.notifier_call = nf_tables_netdev_event,
|
|
};
|
|
|
|
static int nft_chain_filter_netdev_init(void)
|
|
{
|
|
int err;
|
|
|
|
nft_register_chain_type(&nft_chain_filter_netdev);
|
|
|
|
err = register_netdevice_notifier(&nf_tables_netdev_notifier);
|
|
if (err)
|
|
goto err_register_netdevice_notifier;
|
|
|
|
return 0;
|
|
|
|
err_register_netdevice_notifier:
|
|
nft_unregister_chain_type(&nft_chain_filter_netdev);
|
|
|
|
return err;
|
|
}
|
|
|
|
static void nft_chain_filter_netdev_fini(void)
|
|
{
|
|
nft_unregister_chain_type(&nft_chain_filter_netdev);
|
|
unregister_netdevice_notifier(&nf_tables_netdev_notifier);
|
|
}
|
|
#else
|
|
static inline int nft_chain_filter_netdev_init(void) { return 0; }
|
|
static inline void nft_chain_filter_netdev_fini(void) {}
|
|
#endif /* CONFIG_NF_TABLES_NETDEV */
|
|
|
|
int __init nft_chain_filter_init(void)
|
|
{
|
|
int err;
|
|
|
|
err = nft_chain_filter_netdev_init();
|
|
if (err < 0)
|
|
return err;
|
|
|
|
nft_chain_filter_ipv4_init();
|
|
nft_chain_filter_ipv6_init();
|
|
nft_chain_filter_arp_init();
|
|
nft_chain_filter_inet_init();
|
|
nft_chain_filter_bridge_init();
|
|
|
|
return 0;
|
|
}
|
|
|
|
void nft_chain_filter_fini(void)
|
|
{
|
|
nft_chain_filter_bridge_fini();
|
|
nft_chain_filter_inet_fini();
|
|
nft_chain_filter_arp_fini();
|
|
nft_chain_filter_ipv6_fini();
|
|
nft_chain_filter_ipv4_fini();
|
|
nft_chain_filter_netdev_fini();
|
|
}
|