search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge tag 'rproc-v6.14' of git://git.kernel.org/pub/scm/linux/kernel/git/remoteproc...
[linux.git] / net / ipv6 / netfilter / ip6t_SYNPROXY.c
blobd51d0c3e5fe9154bcefd6c7e7eb11336a4185b5f
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (c) 2013 Patrick McHardy <kaber@trash.net>
4 */
5
6 #include <linux/netfilter_ipv6/ip6_tables.h>
7 #include <linux/netfilter/x_tables.h>
8 #include <linux/netfilter/xt_SYNPROXY.h>
9
10 #include <net/netfilter/nf_synproxy.h>
11
12 static unsigned int
13 synproxy_tg6(struct sk_buff *skb, const struct xt_action_param *par)
14 {
15 const struct xt_synproxy_info *info = par->targinfo;
16 struct net *net = xt_net(par);
17 struct synproxy_net *snet = synproxy_pernet(net);
18 struct synproxy_options opts = {};
19 struct tcphdr *th, _th;
20
21 if (nf_ip6_checksum(skb, xt_hooknum(par), par->thoff, IPPROTO_TCP))
22 return NF_DROP;
23
24 th = skb_header_pointer(skb, par->thoff, sizeof(_th), &_th);
25 if (th == NULL)
26 return NF_DROP;
27
28 if (!synproxy_parse_options(skb, par->thoff, th, &opts))
29 return NF_DROP;
30
31 if (th->syn && !(th->ack || th->fin || th->rst)) {
32 /* Initial SYN from client */
33 this_cpu_inc(snet->stats->syn_received);
34
35 if (th->ece && th->cwr)
36 opts.options |= XT_SYNPROXY_OPT_ECN;
37
38 opts.options &= info->options;
39 opts.mss_encode = opts.mss_option;
40 opts.mss_option = info->mss;
41 if (opts.options & XT_SYNPROXY_OPT_TIMESTAMP)
42 synproxy_init_timestamp_cookie(info, &opts);
43 else
44 opts.options &= ~(XT_SYNPROXY_OPT_WSCALE |
45 XT_SYNPROXY_OPT_SACK_PERM |
46 XT_SYNPROXY_OPT_ECN);
47
48 synproxy_send_client_synack_ipv6(net, skb, th, &opts);
49 consume_skb(skb);
50 return NF_STOLEN;
51
52 } else if (th->ack && !(th->fin || th->rst || th->syn)) {
53 /* ACK from client */
54 if (synproxy_recv_client_ack_ipv6(net, skb, th, &opts,
55 ntohl(th->seq))) {
56 consume_skb(skb);
57 return NF_STOLEN;
58 } else {
59 return NF_DROP;
60 }
61 }
62
63 return XT_CONTINUE;
64 }
65
66 static int synproxy_tg6_check(const struct xt_tgchk_param *par)
67 {
68 struct synproxy_net *snet = synproxy_pernet(par->net);
69 const struct ip6t_entry *e = par->entryinfo;
70 int err;
71
72 if (!(e->ipv6.flags & IP6T_F_PROTO) ||
73 e->ipv6.proto != IPPROTO_TCP ||
74 e->ipv6.invflags & XT_INV_PROTO)
75 return -EINVAL;
76
77 err = nf_ct_netns_get(par->net, par->family);
78 if (err)
79 return err;
80
81 err = nf_synproxy_ipv6_init(snet, par->net);
82 if (err) {
83 nf_ct_netns_put(par->net, par->family);
84 return err;
85 }
86
87 return err;
88 }
89
90 static void synproxy_tg6_destroy(const struct xt_tgdtor_param *par)
91 {
92 struct synproxy_net *snet = synproxy_pernet(par->net);
93
94 nf_synproxy_ipv6_fini(snet, par->net);
95 nf_ct_netns_put(par->net, par->family);
96 }
97
98 static struct xt_target synproxy_tg6_reg __read_mostly = {
99 .name = "SYNPROXY",
100 .family = NFPROTO_IPV6,
101 .hooks = (1 << NF_INET_LOCAL_IN) | (1 << NF_INET_FORWARD),
102 .target = synproxy_tg6,
103 .targetsize = sizeof(struct xt_synproxy_info),
104 .checkentry = synproxy_tg6_check,
105 .destroy = synproxy_tg6_destroy,
106 .me = THIS_MODULE,
107 };
108
109 static int __init synproxy_tg6_init(void)
110 {
111 return xt_register_target(&synproxy_tg6_reg);
112 }
113
114 static void __exit synproxy_tg6_exit(void)
115 {
116 xt_unregister_target(&synproxy_tg6_reg);
117 }
118
119 module_init(synproxy_tg6_init);
120 module_exit(synproxy_tg6_exit);
121
122 MODULE_LICENSE("GPL");
123 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
124 MODULE_DESCRIPTION("Intercept IPv6 TCP connections and establish them using syncookies");
Linux Kernel