mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-09-12 21:57:43 +00:00
bbde9fc182
Extracted from the xtables TEE target. This creates two new modules for IPv4 and IPv6 that are shared between the TEE target and the new nf_tables dup expressions. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
120 lines
3.2 KiB
C
120 lines
3.2 KiB
C
/*
|
|
* (C) 2007 by Sebastian Claßen <sebastian.classen@freenet.ag>
|
|
* (C) 2007-2010 by Jan Engelhardt <jengelh@medozas.de>
|
|
*
|
|
* Extracted from xt_TEE.c
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify it
|
|
* under the terms of the GNU General Public License version 2 or later, as
|
|
* published by the Free Software Foundation.
|
|
*/
|
|
#include <linux/ip.h>
|
|
#include <linux/module.h>
|
|
#include <linux/percpu.h>
|
|
#include <linux/route.h>
|
|
#include <linux/skbuff.h>
|
|
#include <net/checksum.h>
|
|
#include <net/icmp.h>
|
|
#include <net/ip.h>
|
|
#include <net/route.h>
|
|
#include <net/netfilter/ipv4/nf_dup_ipv4.h>
|
|
#if IS_ENABLED(CONFIG_NF_CONNTRACK)
|
|
#include <net/netfilter/nf_conntrack.h>
|
|
#endif
|
|
|
|
static struct net *pick_net(struct sk_buff *skb)
|
|
{
|
|
#ifdef CONFIG_NET_NS
|
|
const struct dst_entry *dst;
|
|
|
|
if (skb->dev != NULL)
|
|
return dev_net(skb->dev);
|
|
dst = skb_dst(skb);
|
|
if (dst != NULL && dst->dev != NULL)
|
|
return dev_net(dst->dev);
|
|
#endif
|
|
return &init_net;
|
|
}
|
|
|
|
static bool nf_dup_ipv4_route(struct sk_buff *skb, const struct in_addr *gw,
|
|
int oif)
|
|
{
|
|
const struct iphdr *iph = ip_hdr(skb);
|
|
struct net *net = pick_net(skb);
|
|
struct rtable *rt;
|
|
struct flowi4 fl4;
|
|
|
|
memset(&fl4, 0, sizeof(fl4));
|
|
if (oif != -1)
|
|
fl4.flowi4_oif = oif;
|
|
|
|
fl4.daddr = gw->s_addr;
|
|
fl4.flowi4_tos = RT_TOS(iph->tos);
|
|
fl4.flowi4_scope = RT_SCOPE_UNIVERSE;
|
|
fl4.flowi4_flags = FLOWI_FLAG_KNOWN_NH;
|
|
rt = ip_route_output_key(net, &fl4);
|
|
if (IS_ERR(rt))
|
|
return false;
|
|
|
|
skb_dst_drop(skb);
|
|
skb_dst_set(skb, &rt->dst);
|
|
skb->dev = rt->dst.dev;
|
|
skb->protocol = htons(ETH_P_IP);
|
|
|
|
return true;
|
|
}
|
|
|
|
void nf_dup_ipv4(struct sk_buff *skb, unsigned int hooknum,
|
|
const struct in_addr *gw, int oif)
|
|
{
|
|
struct iphdr *iph;
|
|
|
|
if (__this_cpu_read(nf_skb_duplicated))
|
|
return;
|
|
/*
|
|
* Copy the skb, and route the copy. Will later return %XT_CONTINUE for
|
|
* the original skb, which should continue on its way as if nothing has
|
|
* happened. The copy should be independently delivered to the gateway.
|
|
*/
|
|
skb = pskb_copy(skb, GFP_ATOMIC);
|
|
if (skb == NULL)
|
|
return;
|
|
|
|
#if IS_ENABLED(CONFIG_NF_CONNTRACK)
|
|
/* Avoid counting cloned packets towards the original connection. */
|
|
nf_conntrack_put(skb->nfct);
|
|
skb->nfct = &nf_ct_untracked_get()->ct_general;
|
|
skb->nfctinfo = IP_CT_NEW;
|
|
nf_conntrack_get(skb->nfct);
|
|
#endif
|
|
/*
|
|
* If we are in PREROUTING/INPUT, the checksum must be recalculated
|
|
* since the length could have changed as a result of defragmentation.
|
|
*
|
|
* We also decrease the TTL to mitigate potential loops between two
|
|
* hosts.
|
|
*
|
|
* Set %IP_DF so that the original source is notified of a potentially
|
|
* decreased MTU on the clone route. IPv6 does this too.
|
|
*/
|
|
iph = ip_hdr(skb);
|
|
iph->frag_off |= htons(IP_DF);
|
|
if (hooknum == NF_INET_PRE_ROUTING ||
|
|
hooknum == NF_INET_LOCAL_IN)
|
|
--iph->ttl;
|
|
ip_send_check(iph);
|
|
|
|
if (nf_dup_ipv4_route(skb, gw, oif)) {
|
|
__this_cpu_write(nf_skb_duplicated, true);
|
|
ip_local_out(skb);
|
|
__this_cpu_write(nf_skb_duplicated, false);
|
|
} else {
|
|
kfree_skb(skb);
|
|
}
|
|
}
|
|
EXPORT_SYMBOL_GPL(nf_dup_ipv4);
|
|
|
|
MODULE_AUTHOR("Sebastian Claßen <sebastian.classen@freenet.ag>");
|
|
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
|
|
MODULE_DESCRIPTION("nf_dup_ipv4: Duplicate IPv4 packet");
|
|
MODULE_LICENSE("GPL");
|