2 * Copyright (c) 2008 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <asm/unaligned.h>
12 #include <linux/kernel.h>
13 #include <linux/init.h>
14 #include <linux/module.h>
15 #include <linux/netlink.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nf_tables.h>
18 #include <net/netfilter/nf_tables.h>
26 enum nft_registers dreg
:8;
27 enum nft_registers sreg
:8;
31 static unsigned int optlen(const u8
*opt
, unsigned int offset
)
33 /* Beware zero-length options: make finite progress */
34 if (opt
[offset
] <= TCPOPT_NOP
|| opt
[offset
+ 1] == 0)
37 return opt
[offset
+ 1];
40 static void nft_exthdr_ipv6_eval(const struct nft_expr
*expr
,
41 struct nft_regs
*regs
,
42 const struct nft_pktinfo
*pkt
)
44 struct nft_exthdr
*priv
= nft_expr_priv(expr
);
45 u32
*dest
= ®s
->data
[priv
->dreg
];
46 unsigned int offset
= 0;
49 err
= ipv6_find_hdr(pkt
->skb
, &offset
, priv
->type
, NULL
, NULL
);
50 if (priv
->flags
& NFT_EXTHDR_F_PRESENT
) {
56 offset
+= priv
->offset
;
58 dest
[priv
->len
/ NFT_REG32_SIZE
] = 0;
59 if (skb_copy_bits(pkt
->skb
, offset
, dest
, priv
->len
) < 0)
63 regs
->verdict
.code
= NFT_BREAK
;
67 nft_tcp_header_pointer(const struct nft_pktinfo
*pkt
,
68 unsigned int len
, void *buffer
, unsigned int *tcphdr_len
)
72 if (!pkt
->tprot_set
|| pkt
->tprot
!= IPPROTO_TCP
)
75 tcph
= skb_header_pointer(pkt
->skb
, pkt
->xt
.thoff
, sizeof(*tcph
), buffer
);
79 *tcphdr_len
= __tcp_hdrlen(tcph
);
80 if (*tcphdr_len
< sizeof(*tcph
) || *tcphdr_len
> len
)
83 return skb_header_pointer(pkt
->skb
, pkt
->xt
.thoff
, *tcphdr_len
, buffer
);
86 static void nft_exthdr_tcp_eval(const struct nft_expr
*expr
,
87 struct nft_regs
*regs
,
88 const struct nft_pktinfo
*pkt
)
90 u8 buff
[sizeof(struct tcphdr
) + MAX_TCP_OPTION_SPACE
];
91 struct nft_exthdr
*priv
= nft_expr_priv(expr
);
92 unsigned int i
, optl
, tcphdr_len
, offset
;
93 u32
*dest
= ®s
->data
[priv
->dreg
];
97 tcph
= nft_tcp_header_pointer(pkt
, sizeof(buff
), buff
, &tcphdr_len
);
102 for (i
= sizeof(*tcph
); i
< tcphdr_len
- 1; i
+= optl
) {
103 optl
= optlen(opt
, i
);
105 if (priv
->type
!= opt
[i
])
108 if (i
+ optl
> tcphdr_len
|| priv
->len
+ priv
->offset
> optl
)
111 offset
= i
+ priv
->offset
;
112 if (priv
->flags
& NFT_EXTHDR_F_PRESENT
) {
115 dest
[priv
->len
/ NFT_REG32_SIZE
] = 0;
116 memcpy(dest
, opt
+ offset
, priv
->len
);
123 if (priv
->flags
& NFT_EXTHDR_F_PRESENT
)
126 regs
->verdict
.code
= NFT_BREAK
;
129 static void nft_exthdr_tcp_set_eval(const struct nft_expr
*expr
,
130 struct nft_regs
*regs
,
131 const struct nft_pktinfo
*pkt
)
133 u8 buff
[sizeof(struct tcphdr
) + MAX_TCP_OPTION_SPACE
];
134 struct nft_exthdr
*priv
= nft_expr_priv(expr
);
135 unsigned int i
, optl
, tcphdr_len
, offset
;
140 tcph
= nft_tcp_header_pointer(pkt
, sizeof(buff
), buff
, &tcphdr_len
);
145 for (i
= sizeof(*tcph
); i
< tcphdr_len
- 1; i
+= optl
) {
152 optl
= optlen(opt
, i
);
154 if (priv
->type
!= opt
[i
])
157 if (i
+ optl
> tcphdr_len
|| priv
->len
+ priv
->offset
> optl
)
160 if (!skb_make_writable(pkt
->skb
, pkt
->xt
.thoff
+ i
+ priv
->len
))
163 tcph
= nft_tcp_header_pointer(pkt
, sizeof(buff
), buff
,
168 src
= regs
->data
[priv
->sreg
];
169 offset
= i
+ priv
->offset
;
173 old
.v16
= get_unaligned((u16
*)(opt
+ offset
));
176 switch (priv
->type
) {
178 /* increase can cause connection to stall */
179 if (ntohs(old
.v16
) <= ntohs(new.v16
))
184 if (old
.v16
== new.v16
)
187 put_unaligned(new.v16
, (u16
*)(opt
+ offset
));
188 inet_proto_csum_replace2(&tcph
->check
, pkt
->skb
,
189 old
.v16
, new.v16
, false);
193 old
.v32
= get_unaligned((u32
*)(opt
+ offset
));
195 if (old
.v32
== new.v32
)
198 put_unaligned(new.v32
, (u32
*)(opt
+ offset
));
199 inet_proto_csum_replace4(&tcph
->check
, pkt
->skb
,
200 old
.v32
, new.v32
, false);
211 static const struct nla_policy nft_exthdr_policy
[NFTA_EXTHDR_MAX
+ 1] = {
212 [NFTA_EXTHDR_DREG
] = { .type
= NLA_U32
},
213 [NFTA_EXTHDR_TYPE
] = { .type
= NLA_U8
},
214 [NFTA_EXTHDR_OFFSET
] = { .type
= NLA_U32
},
215 [NFTA_EXTHDR_LEN
] = { .type
= NLA_U32
},
216 [NFTA_EXTHDR_FLAGS
] = { .type
= NLA_U32
},
217 [NFTA_EXTHDR_OP
] = { .type
= NLA_U32
},
218 [NFTA_EXTHDR_SREG
] = { .type
= NLA_U32
},
221 static int nft_exthdr_init(const struct nft_ctx
*ctx
,
222 const struct nft_expr
*expr
,
223 const struct nlattr
* const tb
[])
225 struct nft_exthdr
*priv
= nft_expr_priv(expr
);
226 u32 offset
, len
, flags
= 0, op
= NFT_EXTHDR_OP_IPV6
;
229 if (!tb
[NFTA_EXTHDR_DREG
] ||
230 !tb
[NFTA_EXTHDR_TYPE
] ||
231 !tb
[NFTA_EXTHDR_OFFSET
] ||
232 !tb
[NFTA_EXTHDR_LEN
])
235 err
= nft_parse_u32_check(tb
[NFTA_EXTHDR_OFFSET
], U8_MAX
, &offset
);
239 err
= nft_parse_u32_check(tb
[NFTA_EXTHDR_LEN
], U8_MAX
, &len
);
243 if (tb
[NFTA_EXTHDR_FLAGS
]) {
244 err
= nft_parse_u32_check(tb
[NFTA_EXTHDR_FLAGS
], U8_MAX
, &flags
);
248 if (flags
& ~NFT_EXTHDR_F_PRESENT
)
252 if (tb
[NFTA_EXTHDR_OP
]) {
253 err
= nft_parse_u32_check(tb
[NFTA_EXTHDR_OP
], U8_MAX
, &op
);
258 priv
->type
= nla_get_u8(tb
[NFTA_EXTHDR_TYPE
]);
259 priv
->offset
= offset
;
261 priv
->dreg
= nft_parse_register(tb
[NFTA_EXTHDR_DREG
]);
265 return nft_validate_register_store(ctx
, priv
->dreg
, NULL
,
266 NFT_DATA_VALUE
, priv
->len
);
269 static int nft_exthdr_tcp_set_init(const struct nft_ctx
*ctx
,
270 const struct nft_expr
*expr
,
271 const struct nlattr
* const tb
[])
273 struct nft_exthdr
*priv
= nft_expr_priv(expr
);
274 u32 offset
, len
, flags
= 0, op
= NFT_EXTHDR_OP_IPV6
;
277 if (!tb
[NFTA_EXTHDR_SREG
] ||
278 !tb
[NFTA_EXTHDR_TYPE
] ||
279 !tb
[NFTA_EXTHDR_OFFSET
] ||
280 !tb
[NFTA_EXTHDR_LEN
])
283 if (tb
[NFTA_EXTHDR_DREG
] || tb
[NFTA_EXTHDR_FLAGS
])
286 err
= nft_parse_u32_check(tb
[NFTA_EXTHDR_OFFSET
], U8_MAX
, &offset
);
290 err
= nft_parse_u32_check(tb
[NFTA_EXTHDR_LEN
], U8_MAX
, &len
);
304 err
= nft_parse_u32_check(tb
[NFTA_EXTHDR_OP
], U8_MAX
, &op
);
308 priv
->type
= nla_get_u8(tb
[NFTA_EXTHDR_TYPE
]);
309 priv
->offset
= offset
;
311 priv
->sreg
= nft_parse_register(tb
[NFTA_EXTHDR_SREG
]);
315 return nft_validate_register_load(priv
->sreg
, priv
->len
);
318 static int nft_exthdr_dump_common(struct sk_buff
*skb
, const struct nft_exthdr
*priv
)
320 if (nla_put_u8(skb
, NFTA_EXTHDR_TYPE
, priv
->type
))
321 goto nla_put_failure
;
322 if (nla_put_be32(skb
, NFTA_EXTHDR_OFFSET
, htonl(priv
->offset
)))
323 goto nla_put_failure
;
324 if (nla_put_be32(skb
, NFTA_EXTHDR_LEN
, htonl(priv
->len
)))
325 goto nla_put_failure
;
326 if (nla_put_be32(skb
, NFTA_EXTHDR_FLAGS
, htonl(priv
->flags
)))
327 goto nla_put_failure
;
328 if (nla_put_be32(skb
, NFTA_EXTHDR_OP
, htonl(priv
->op
)))
329 goto nla_put_failure
;
336 static int nft_exthdr_dump(struct sk_buff
*skb
, const struct nft_expr
*expr
)
338 const struct nft_exthdr
*priv
= nft_expr_priv(expr
);
340 if (nft_dump_register(skb
, NFTA_EXTHDR_DREG
, priv
->dreg
))
343 return nft_exthdr_dump_common(skb
, priv
);
346 static int nft_exthdr_dump_set(struct sk_buff
*skb
, const struct nft_expr
*expr
)
348 const struct nft_exthdr
*priv
= nft_expr_priv(expr
);
350 if (nft_dump_register(skb
, NFTA_EXTHDR_SREG
, priv
->sreg
))
353 return nft_exthdr_dump_common(skb
, priv
);
356 static struct nft_expr_type nft_exthdr_type
;
357 static const struct nft_expr_ops nft_exthdr_ipv6_ops
= {
358 .type
= &nft_exthdr_type
,
359 .size
= NFT_EXPR_SIZE(sizeof(struct nft_exthdr
)),
360 .eval
= nft_exthdr_ipv6_eval
,
361 .init
= nft_exthdr_init
,
362 .dump
= nft_exthdr_dump
,
365 static const struct nft_expr_ops nft_exthdr_tcp_ops
= {
366 .type
= &nft_exthdr_type
,
367 .size
= NFT_EXPR_SIZE(sizeof(struct nft_exthdr
)),
368 .eval
= nft_exthdr_tcp_eval
,
369 .init
= nft_exthdr_init
,
370 .dump
= nft_exthdr_dump
,
373 static const struct nft_expr_ops nft_exthdr_tcp_set_ops
= {
374 .type
= &nft_exthdr_type
,
375 .size
= NFT_EXPR_SIZE(sizeof(struct nft_exthdr
)),
376 .eval
= nft_exthdr_tcp_set_eval
,
377 .init
= nft_exthdr_tcp_set_init
,
378 .dump
= nft_exthdr_dump_set
,
381 static const struct nft_expr_ops
*
382 nft_exthdr_select_ops(const struct nft_ctx
*ctx
,
383 const struct nlattr
* const tb
[])
387 if (!tb
[NFTA_EXTHDR_OP
])
388 return &nft_exthdr_ipv6_ops
;
390 if (tb
[NFTA_EXTHDR_SREG
] && tb
[NFTA_EXTHDR_DREG
])
391 return ERR_PTR(-EOPNOTSUPP
);
393 op
= ntohl(nla_get_be32(tb
[NFTA_EXTHDR_OP
]));
395 case NFT_EXTHDR_OP_TCPOPT
:
396 if (tb
[NFTA_EXTHDR_SREG
])
397 return &nft_exthdr_tcp_set_ops
;
398 if (tb
[NFTA_EXTHDR_DREG
])
399 return &nft_exthdr_tcp_ops
;
401 case NFT_EXTHDR_OP_IPV6
:
402 if (tb
[NFTA_EXTHDR_DREG
])
403 return &nft_exthdr_ipv6_ops
;
407 return ERR_PTR(-EOPNOTSUPP
);
410 static struct nft_expr_type nft_exthdr_type __read_mostly
= {
412 .select_ops
= nft_exthdr_select_ops
,
413 .policy
= nft_exthdr_policy
,
414 .maxattr
= NFTA_EXTHDR_MAX
,
415 .owner
= THIS_MODULE
,
418 static int __init
nft_exthdr_module_init(void)
420 return nft_register_expr(&nft_exthdr_type
);
423 static void __exit
nft_exthdr_module_exit(void)
425 nft_unregister_expr(&nft_exthdr_type
);
428 module_init(nft_exthdr_module_init
);
429 module_exit(nft_exthdr_module_exit
);
431 MODULE_LICENSE("GPL");
432 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
433 MODULE_ALIAS_NFT_EXPR("exthdr");