netfilter: nf_conntrack: Add a struct net parameter to l4_pkt_to_tuple
As gre does not have the srckey in the packet gre_pkt_to_tuple needs to perform a lookup in its per network namespace tables. Pass in the proper network namespace to all pkt_to_tuple implementations to ensure gre (and any similar protocols) can get this right. Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
parent
a4ffe319ae
commit
a31f1adc09
@ -191,7 +191,8 @@ int nf_conntrack_hash_check_insert(struct nf_conn *ct);
|
|||||||
bool nf_ct_delete(struct nf_conn *ct, u32 pid, int report);
|
bool nf_ct_delete(struct nf_conn *ct, u32 pid, int report);
|
||||||
|
|
||||||
bool nf_ct_get_tuplepr(const struct sk_buff *skb, unsigned int nhoff,
|
bool nf_ct_get_tuplepr(const struct sk_buff *skb, unsigned int nhoff,
|
||||||
u_int16_t l3num, struct nf_conntrack_tuple *tuple);
|
u_int16_t l3num, struct net *net,
|
||||||
|
struct nf_conntrack_tuple *tuple);
|
||||||
bool nf_ct_invert_tuplepr(struct nf_conntrack_tuple *inverse,
|
bool nf_ct_invert_tuplepr(struct nf_conntrack_tuple *inverse,
|
||||||
const struct nf_conntrack_tuple *orig);
|
const struct nf_conntrack_tuple *orig);
|
||||||
|
|
||||||
|
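Review bot: The new `struct net *net` parameter on nf_ct_get_tuplepr (and on nf_ct_get_tuple in the following hunk) carries no documentation of what the caller must pass, even though the commit adds it so that per-namespace lookups inside pkt_to_tuple implementations resolve against the correct tables. Callers elsewhere in this series source the value differently (`net` in resolve_normal_ct, `ca->net` in tcf_connmark), so a kernel-doc line pinning the contract on the declaration would help: `@net: network namespace the packet belongs to; used by l4 protocols that need per-netns state to fill in the tuple`. Only the declaration is visible in this hunk; no function body is shown here.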
@ -41,6 +41,7 @@ void nf_conntrack_cleanup_end(void);
|
|||||||
|
|
||||||
bool nf_ct_get_tuple(const struct sk_buff *skb, unsigned int nhoff,
|
bool nf_ct_get_tuple(const struct sk_buff *skb, unsigned int nhoff,
|
||||||
unsigned int dataoff, u_int16_t l3num, u_int8_t protonum,
|
unsigned int dataoff, u_int16_t l3num, u_int8_t protonum,
|
||||||
|
struct net *net,
|
||||||
struct nf_conntrack_tuple *tuple,
|
struct nf_conntrack_tuple *tuple,
|
||||||
const struct nf_conntrack_l3proto *l3proto,
|
const struct nf_conntrack_l3proto *l3proto,
|
||||||
const struct nf_conntrack_l4proto *l4proto);
|
const struct nf_conntrack_l4proto *l4proto);
|
||||||
|
@ -26,7 +26,7 @@ struct nf_conntrack_l4proto {
|
|||||||
/* Try to fill in the third arg: dataoff is offset past network protocol
|
/* Try to fill in the third arg: dataoff is offset past network protocol
|
||||||
hdr. Return true if possible. */
|
hdr. Return true if possible. */
|
||||||
bool (*pkt_to_tuple)(const struct sk_buff *skb, unsigned int dataoff,
|
bool (*pkt_to_tuple)(const struct sk_buff *skb, unsigned int dataoff,
|
||||||
struct nf_conntrack_tuple *tuple);
|
struct net *net, struct nf_conntrack_tuple *tuple);
|
||||||
|
|
||||||
/* Invert the per-proto part of the tuple: ie. turn xmit into reply.
|
/* Invert the per-proto part of the tuple: ie. turn xmit into reply.
|
||||||
* Some packets can't be inverted: return 0 in that case.
|
* Some packets can't be inverted: return 0 in that case.
|
||||||
|
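Review bot: The comment directly above the updated prototype still says `/* Try to fill in the third arg: dataoff is offset past network protocol hdr. Return true if possible. */`, but with `struct net *net` inserted before `tuple` the tuple is now the fourth argument, so the comment is stale as of this hunk. Suggest `/* Try to fill in the tuple: dataoff is offset past network protocol hdr, net is the packet's namespace. Return true if possible. */` so the text no longer counts arguments by position.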
@ -30,7 +30,7 @@ static inline struct nf_icmp_net *icmp_pernet(struct net *net)
|
|||||||
}
|
}
|
||||||
|
|
||||||
static bool icmp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
|
static bool icmp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
|
||||||
struct nf_conntrack_tuple *tuple)
|
struct net *net, struct nf_conntrack_tuple *tuple)
|
||||||
{
|
{
|
||||||
const struct icmphdr *hp;
|
const struct icmphdr *hp;
|
||||||
struct icmphdr _hdr;
|
struct icmphdr _hdr;
|
||||||
@ -144,7 +144,7 @@ icmp_error_message(struct net *net, struct nf_conn *tmpl, struct sk_buff *skb,
|
|||||||
if (!nf_ct_get_tuplepr(skb,
|
if (!nf_ct_get_tuplepr(skb,
|
||||||
skb_network_offset(skb) + ip_hdrlen(skb)
|
skb_network_offset(skb) + ip_hdrlen(skb)
|
||||||
+ sizeof(struct icmphdr),
|
+ sizeof(struct icmphdr),
|
||||||
PF_INET, &origtuple)) {
|
PF_INET, net, &origtuple)) {
|
||||||
pr_debug("icmp_error_message: failed to get tuple\n");
|
pr_debug("icmp_error_message: failed to get tuple\n");
|
||||||
return -NF_ACCEPT;
|
return -NF_ACCEPT;
|
||||||
}
|
}
|
||||||
|
@ -36,6 +36,7 @@ static inline struct nf_icmp_net *icmpv6_pernet(struct net *net)
|
|||||||
|
|
||||||
static bool icmpv6_pkt_to_tuple(const struct sk_buff *skb,
|
static bool icmpv6_pkt_to_tuple(const struct sk_buff *skb,
|
||||||
unsigned int dataoff,
|
unsigned int dataoff,
|
||||||
|
struct net *net,
|
||||||
struct nf_conntrack_tuple *tuple)
|
struct nf_conntrack_tuple *tuple)
|
||||||
{
|
{
|
||||||
const struct icmp6hdr *hp;
|
const struct icmp6hdr *hp;
|
||||||
@ -159,7 +160,7 @@ icmpv6_error_message(struct net *net, struct nf_conn *tmpl,
|
|||||||
skb_network_offset(skb)
|
skb_network_offset(skb)
|
||||||
+ sizeof(struct ipv6hdr)
|
+ sizeof(struct ipv6hdr)
|
||||||
+ sizeof(struct icmp6hdr),
|
+ sizeof(struct icmp6hdr),
|
||||||
PF_INET6, &origtuple)) {
|
PF_INET6, net, &origtuple)) {
|
||||||
pr_debug("icmpv6_error: Can't get tuple\n");
|
pr_debug("icmpv6_error: Can't get tuple\n");
|
||||||
return -NF_ACCEPT;
|
return -NF_ACCEPT;
|
||||||
}
|
}
|
||||||
|
@ -168,6 +168,7 @@ nf_ct_get_tuple(const struct sk_buff *skb,
|
|||||||
unsigned int dataoff,
|
unsigned int dataoff,
|
||||||
u_int16_t l3num,
|
u_int16_t l3num,
|
||||||
u_int8_t protonum,
|
u_int8_t protonum,
|
||||||
|
struct net *net,
|
||||||
struct nf_conntrack_tuple *tuple,
|
struct nf_conntrack_tuple *tuple,
|
||||||
const struct nf_conntrack_l3proto *l3proto,
|
const struct nf_conntrack_l3proto *l3proto,
|
||||||
const struct nf_conntrack_l4proto *l4proto)
|
const struct nf_conntrack_l4proto *l4proto)
|
||||||
@ -181,12 +182,13 @@ nf_ct_get_tuple(const struct sk_buff *skb,
|
|||||||
tuple->dst.protonum = protonum;
|
tuple->dst.protonum = protonum;
|
||||||
tuple->dst.dir = IP_CT_DIR_ORIGINAL;
|
tuple->dst.dir = IP_CT_DIR_ORIGINAL;
|
||||||
|
|
||||||
return l4proto->pkt_to_tuple(skb, dataoff, tuple);
|
return l4proto->pkt_to_tuple(skb, dataoff, net, tuple);
|
||||||
}
|
}
|
||||||
EXPORT_SYMBOL_GPL(nf_ct_get_tuple);
|
EXPORT_SYMBOL_GPL(nf_ct_get_tuple);
|
||||||
|
|
||||||
bool nf_ct_get_tuplepr(const struct sk_buff *skb, unsigned int nhoff,
|
bool nf_ct_get_tuplepr(const struct sk_buff *skb, unsigned int nhoff,
|
||||||
u_int16_t l3num, struct nf_conntrack_tuple *tuple)
|
u_int16_t l3num,
|
||||||
|
struct net *net, struct nf_conntrack_tuple *tuple)
|
||||||
{
|
{
|
||||||
struct nf_conntrack_l3proto *l3proto;
|
struct nf_conntrack_l3proto *l3proto;
|
||||||
struct nf_conntrack_l4proto *l4proto;
|
struct nf_conntrack_l4proto *l4proto;
|
||||||
@ -205,7 +207,7 @@ bool nf_ct_get_tuplepr(const struct sk_buff *skb, unsigned int nhoff,
|
|||||||
|
|
||||||
l4proto = __nf_ct_l4proto_find(l3num, protonum);
|
l4proto = __nf_ct_l4proto_find(l3num, protonum);
|
||||||
|
|
||||||
ret = nf_ct_get_tuple(skb, nhoff, protoff, l3num, protonum, tuple,
|
ret = nf_ct_get_tuple(skb, nhoff, protoff, l3num, protonum, net, tuple,
|
||||||
l3proto, l4proto);
|
l3proto, l4proto);
|
||||||
|
|
||||||
rcu_read_unlock();
|
rcu_read_unlock();
|
||||||
@ -1029,7 +1031,7 @@ resolve_normal_ct(struct net *net, struct nf_conn *tmpl,
|
|||||||
u32 hash;
|
u32 hash;
|
||||||
|
|
||||||
if (!nf_ct_get_tuple(skb, skb_network_offset(skb),
|
if (!nf_ct_get_tuple(skb, skb_network_offset(skb),
|
||||||
dataoff, l3num, protonum, &tuple, l3proto,
|
dataoff, l3num, protonum, net, &tuple, l3proto,
|
||||||
l4proto)) {
|
l4proto)) {
|
||||||
pr_debug("resolve_normal_ct: Can't get tuple\n");
|
pr_debug("resolve_normal_ct: Can't get tuple\n");
|
||||||
return NULL;
|
return NULL;
|
||||||
|
@ -398,7 +398,7 @@ static inline struct dccp_net *dccp_pernet(struct net *net)
|
|||||||
}
|
}
|
||||||
|
|
||||||
static bool dccp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
|
static bool dccp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
|
||||||
struct nf_conntrack_tuple *tuple)
|
struct net *net, struct nf_conntrack_tuple *tuple)
|
||||||
{
|
{
|
||||||
struct dccp_hdr _hdr, *dh;
|
struct dccp_hdr _hdr, *dh;
|
||||||
|
|
||||||
|
@ -45,7 +45,7 @@ static inline struct nf_generic_net *generic_pernet(struct net *net)
|
|||||||
|
|
||||||
static bool generic_pkt_to_tuple(const struct sk_buff *skb,
|
static bool generic_pkt_to_tuple(const struct sk_buff *skb,
|
||||||
unsigned int dataoff,
|
unsigned int dataoff,
|
||||||
struct nf_conntrack_tuple *tuple)
|
struct net *net, struct nf_conntrack_tuple *tuple)
|
||||||
{
|
{
|
||||||
tuple->src.u.all = 0;
|
tuple->src.u.all = 0;
|
||||||
tuple->dst.u.all = 0;
|
tuple->dst.u.all = 0;
|
||||||
|
@ -190,9 +190,8 @@ static bool gre_invert_tuple(struct nf_conntrack_tuple *tuple,
|
|||||||
|
|
||||||
/* gre hdr info to tuple */
|
/* gre hdr info to tuple */
|
||||||
static bool gre_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
|
static bool gre_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
|
||||||
struct nf_conntrack_tuple *tuple)
|
struct net *net, struct nf_conntrack_tuple *tuple)
|
||||||
{
|
{
|
||||||
struct net *net = dev_net(skb->dev ? skb->dev : skb_dst(skb)->dev);
|
|
||||||
const struct gre_hdr_pptp *pgrehdr;
|
const struct gre_hdr_pptp *pgrehdr;
|
||||||
struct gre_hdr_pptp _pgrehdr;
|
struct gre_hdr_pptp _pgrehdr;
|
||||||
__be16 srckey;
|
__be16 srckey;
|
||||||
|
@ -156,7 +156,7 @@ static inline struct sctp_net *sctp_pernet(struct net *net)
|
|||||||
}
|
}
|
||||||
|
|
||||||
static bool sctp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
|
static bool sctp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
|
||||||
struct nf_conntrack_tuple *tuple)
|
struct net *net, struct nf_conntrack_tuple *tuple)
|
||||||
{
|
{
|
||||||
const struct sctphdr *hp;
|
const struct sctphdr *hp;
|
||||||
struct sctphdr _hdr;
|
struct sctphdr _hdr;
|
||||||
|
@ -277,7 +277,7 @@ static inline struct nf_tcp_net *tcp_pernet(struct net *net)
|
|||||||
}
|
}
|
||||||
|
|
||||||
static bool tcp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
|
static bool tcp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
|
||||||
struct nf_conntrack_tuple *tuple)
|
struct net *net, struct nf_conntrack_tuple *tuple)
|
||||||
{
|
{
|
||||||
const struct tcphdr *hp;
|
const struct tcphdr *hp;
|
||||||
struct tcphdr _hdr;
|
struct tcphdr _hdr;
|
||||||
|
@ -38,6 +38,7 @@ static inline struct nf_udp_net *udp_pernet(struct net *net)
|
|||||||
|
|
||||||
static bool udp_pkt_to_tuple(const struct sk_buff *skb,
|
static bool udp_pkt_to_tuple(const struct sk_buff *skb,
|
||||||
unsigned int dataoff,
|
unsigned int dataoff,
|
||||||
|
struct net *net,
|
||||||
struct nf_conntrack_tuple *tuple)
|
struct nf_conntrack_tuple *tuple)
|
||||||
{
|
{
|
||||||
const struct udphdr *hp;
|
const struct udphdr *hp;
|
||||||
|
@ -48,6 +48,7 @@ static inline struct udplite_net *udplite_pernet(struct net *net)
|
|||||||
|
|
||||||
static bool udplite_pkt_to_tuple(const struct sk_buff *skb,
|
static bool udplite_pkt_to_tuple(const struct sk_buff *skb,
|
||||||
unsigned int dataoff,
|
unsigned int dataoff,
|
||||||
|
struct net *net,
|
||||||
struct nf_conntrack_tuple *tuple)
|
struct nf_conntrack_tuple *tuple)
|
||||||
{
|
{
|
||||||
const struct udphdr *hp;
|
const struct udphdr *hp;
|
||||||
|
@ -332,7 +332,7 @@ connlimit_mt(const struct sk_buff *skb, struct xt_action_param *par)
|
|||||||
tuple_ptr = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
|
tuple_ptr = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
|
||||||
zone = nf_ct_zone(ct);
|
zone = nf_ct_zone(ct);
|
||||||
} else if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb),
|
} else if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb),
|
||||||
par->family, &tuple)) {
|
par->family, net, &tuple)) {
|
||||||
goto hotdrop;
|
goto hotdrop;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -345,7 +345,7 @@ ovs_ct_expect_find(struct net *net, const struct nf_conntrack_zone *zone,
|
|||||||
{
|
{
|
||||||
struct nf_conntrack_tuple tuple;
|
struct nf_conntrack_tuple tuple;
|
||||||
|
|
||||||
if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb), proto, &tuple))
|
if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb), proto, net, &tuple))
|
||||||
return NULL;
|
return NULL;
|
||||||
return __nf_ct_expect_find(net, zone, &tuple);
|
return __nf_ct_expect_find(net, zone, &tuple);
|
||||||
}
|
}
|
||||||
|
@ -68,7 +68,7 @@ static int tcf_connmark(struct sk_buff *skb, const struct tc_action *a,
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb),
|
if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb),
|
||||||
proto, &tuple))
|
proto, ca->net, &tuple))
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
zone.id = ca->zone;
|
zone.id = ca->zone;
|
||||||
|
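Review bot: tcf_connmark now passes `ca->net`, the namespace the action was configured in, whereas gre_pkt_to_tuple previously derived the namespace from `skb->dev` or `skb_dst(skb)->dev`; if those can differ for a given packet, this hunk changes which per-netns GRE keymap table is consulted. That appears to be the intent of the series, but a one-line comment at the call, `/* ca->net: namespace the action belongs to, used for per-netns l4 lookups */`, would record the choice for later readers. The enclosing function tcf_connmark starts and ends outside the hunk.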