netfilter: nft_osf: Add ttl option support

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

Add ttl option support to the nftables "osf" expression.

Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

Fernando Fernandez Mancera and committed by

Pablo Neira Ayuso 7 years ago a218dc82 ea9cf2a5

+42 -25

4 changed files

expand all

include

linux

netfilter

nfnetlink_osf.h

uapi

linux

netfilter

nf_tables.h

net

netfilter

nfnetlink_osf.c

nft_osf.c

+2 -1

include/linux/netfilter/nfnetlink_osf.h

··· 27 27 const struct list_head *nf_osf_fingers); 28 28 29 29 const char *nf_osf_find(const struct sk_buff *skb, 30 - const struct list_head *nf_osf_fingers); 30 + const struct list_head *nf_osf_fingers, 31 + const int ttl_check); 31 32 32 33 #endif /* _NFOSF_H */

include/uapi/linux/netfilter/nf_tables.h

··· 1511 1511 }; 1512 1512 #define NFTA_FLOWTABLE_HOOK_MAX (__NFTA_FLOWTABLE_HOOK_MAX - 1) 1513 1513 1514 + /** 1515 + * enum nft_osf_attributes - nftables osf expression netlink attributes 1516 + * 1517 + * @NFTA_OSF_DREG: destination register (NLA_U32: nft_registers) 1518 + * @NFTA_OSF_TTL: Value of the TTL osf option (NLA_U8) 1519 + */ 1514 1520 enum nft_osf_attributes { 1515 1521 NFTA_OSF_UNSPEC, 1516 1522 NFTA_OSF_DREG, 1523 + NFTA_OSF_TTL, 1517 1524 __NFTA_OSF_MAX, 1518 1525 }; 1519 1526 #define NFTA_OSF_MAX (__NFTA_OSF_MAX - 1)

+19 -23

net/netfilter/nfnetlink_osf.c

··· 30 30 static inline int nf_osf_ttl(const struct sk_buff *skb, 31 31 int ttl_check, unsigned char f_ttl) 32 32 { 33 + struct in_device *in_dev = __in_dev_get_rcu(skb->dev); 33 34 const struct iphdr *ip = ip_hdr(skb); 35 + int ret = 0; 34 36 35 - if (ttl_check != -1) { 36 - if (ttl_check == NF_OSF_TTL_TRUE) 37 - return ip->ttl == f_ttl; 38 - if (ttl_check == NF_OSF_TTL_NOCHECK) 39 - return 1; 40 - else if (ip->ttl <= f_ttl) 41 - return 1; 42 - else { 43 - struct in_device *in_dev = __in_dev_get_rcu(skb->dev); 44 - int ret = 0; 37 + if (ttl_check == NF_OSF_TTL_TRUE) 38 + return ip->ttl == f_ttl; 39 + if (ttl_check == NF_OSF_TTL_NOCHECK) 40 + return 1; 41 + else if (ip->ttl <= f_ttl) 42 + return 1; 45 43 46 - for_ifa(in_dev) { 47 - if (inet_ifa_match(ip->saddr, ifa)) { 48 - ret = (ip->ttl == f_ttl); 49 - break; 50 - } 51 - } 52 - endfor_ifa(in_dev); 53 - 54 - return ret; 44 + for_ifa(in_dev) { 45 + if (inet_ifa_match(ip->saddr, ifa)) { 46 + ret = (ip->ttl == f_ttl); 47 + break; 55 48 } 56 49 } 57 50 58 - return ip->ttl == f_ttl; 51 + endfor_ifa(in_dev); 52 + 53 + return ret; 59 54 } 60 55 61 56 struct nf_osf_hdr_ctx { ··· 208 213 if (!tcp) 209 214 return false; 210 215 211 - ttl_check = (info->flags & NF_OSF_TTL) ? info->ttl : -1; 216 + ttl_check = (info->flags & NF_OSF_TTL) ? info->ttl : 0; 212 217 213 218 list_for_each_entry_rcu(kf, &nf_osf_fingers[ctx.df], finger_entry) { 214 219 ··· 252 257 EXPORT_SYMBOL_GPL(nf_osf_match); 253 258 254 259 const char *nf_osf_find(const struct sk_buff *skb, 255 - const struct list_head *nf_osf_fingers) 260 + const struct list_head *nf_osf_fingers, 261 + const int ttl_check) 256 262 { 257 263 const struct iphdr *ip = ip_hdr(skb); 258 264 const struct nf_osf_user_finger *f; ··· 271 275 272 276 list_for_each_entry_rcu(kf, &nf_osf_fingers[ctx.df], finger_entry) { 273 277 f = &kf->finger; 274 - if (!nf_osf_match_one(skb, f, -1, &ctx)) 278 + if (!nf_osf_match_one(skb, f, ttl_check, &ctx)) 275 279 continue; 276 280 277 281 genre = f->genre;

+14 -1

net/netfilter/nft_osf.c

··· 6 6 7 7 struct nft_osf { 8 8 enum nft_registers dreg:8; 9 + u8 ttl; 9 10 }; 10 11 11 12 static const struct nla_policy nft_osf_policy[NFTA_OSF_MAX + 1] = { 12 13 [NFTA_OSF_DREG] = { .type = NLA_U32 }, 14 + [NFTA_OSF_TTL] = { .type = NLA_U8 }, 13 15 }; 14 16 15 17 static void nft_osf_eval(const struct nft_expr *expr, struct nft_regs *regs, ··· 35 33 return; 36 34 } 37 35 38 - os_name = nf_osf_find(skb, nf_osf_fingers); 36 + os_name = nf_osf_find(skb, nf_osf_fingers, priv->ttl); 39 37 if (!os_name) 40 38 strncpy((char *)dest, "unknown", NFT_OSF_MAXGENRELEN); 41 39 else ··· 48 46 { 49 47 struct nft_osf *priv = nft_expr_priv(expr); 50 48 int err; 49 + u8 ttl; 50 + 51 + if (nla_get_u8(tb[NFTA_OSF_TTL])) { 52 + ttl = nla_get_u8(tb[NFTA_OSF_TTL]); 53 + if (ttl > 2) 54 + return -EINVAL; 55 + priv->ttl = ttl; 56 + } 51 57 52 58 priv->dreg = nft_parse_register(tb[NFTA_OSF_DREG]); 53 59 err = nft_validate_register_store(ctx, priv->dreg, NULL, ··· 69 59 static int nft_osf_dump(struct sk_buff *skb, const struct nft_expr *expr) 70 60 { 71 61 const struct nft_osf *priv = nft_expr_priv(expr); 62 + 63 + if (nla_put_u8(skb, NFTA_OSF_TTL, priv->ttl)) 64 + goto nla_put_failure; 72 65 73 66 if (nft_dump_register(skb, NFTA_OSF_DREG, priv->dreg)) 74 67 goto nla_put_failure;