Commit 133dc203 authored by Phil Sutter's avatar Phil Sutter Committed by Pablo Neira Ayuso

netfilter: nft_exthdr: Support SCTP chunks

Chunks are SCTP header extensions similar in implementation to IPv6
extension headers or TCP options. Reusing exthdr expression to find and
extract field values from them is therefore pretty straightforward.

For now, this supports extracting data from chunks at a fixed offset
(and length) only - chunks themselves are an extensible data structure;
in order to make all fields available, a nested extension search is
needed.
Signed-off-by: default avatarPhil Sutter <phil@nwl.cc>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent af9207ad
...@@ -813,11 +813,13 @@ enum nft_exthdr_flags { ...@@ -813,11 +813,13 @@ enum nft_exthdr_flags {
* @NFT_EXTHDR_OP_IPV6: match against ipv6 extension headers * @NFT_EXTHDR_OP_IPV6: match against ipv6 extension headers
* @NFT_EXTHDR_OP_TCP: match against tcp options * @NFT_EXTHDR_OP_TCP: match against tcp options
* @NFT_EXTHDR_OP_IPV4: match against ipv4 options * @NFT_EXTHDR_OP_IPV4: match against ipv4 options
* @NFT_EXTHDR_OP_SCTP: match against sctp chunks
*/ */
enum nft_exthdr_op { enum nft_exthdr_op {
NFT_EXTHDR_OP_IPV6, NFT_EXTHDR_OP_IPV6,
NFT_EXTHDR_OP_TCPOPT, NFT_EXTHDR_OP_TCPOPT,
NFT_EXTHDR_OP_IPV4, NFT_EXTHDR_OP_IPV4,
NFT_EXTHDR_OP_SCTP,
__NFT_EXTHDR_OP_MAX __NFT_EXTHDR_OP_MAX
}; };
#define NFT_EXTHDR_OP_MAX (__NFT_EXTHDR_OP_MAX - 1) #define NFT_EXTHDR_OP_MAX (__NFT_EXTHDR_OP_MAX - 1)
......
...@@ -10,8 +10,10 @@ ...@@ -10,8 +10,10 @@
#include <linux/netlink.h> #include <linux/netlink.h>
#include <linux/netfilter.h> #include <linux/netfilter.h>
#include <linux/netfilter/nf_tables.h> #include <linux/netfilter/nf_tables.h>
#include <linux/sctp.h>
#include <net/netfilter/nf_tables_core.h> #include <net/netfilter/nf_tables_core.h>
#include <net/netfilter/nf_tables.h> #include <net/netfilter/nf_tables.h>
#include <net/sctp/sctp.h>
#include <net/tcp.h> #include <net/tcp.h>
struct nft_exthdr { struct nft_exthdr {
...@@ -300,6 +302,43 @@ static void nft_exthdr_tcp_set_eval(const struct nft_expr *expr, ...@@ -300,6 +302,43 @@ static void nft_exthdr_tcp_set_eval(const struct nft_expr *expr,
} }
} }
static void nft_exthdr_sctp_eval(const struct nft_expr *expr,
struct nft_regs *regs,
const struct nft_pktinfo *pkt)
{
unsigned int offset = pkt->xt.thoff + sizeof(struct sctphdr);
struct nft_exthdr *priv = nft_expr_priv(expr);
u32 *dest = &regs->data[priv->dreg];
const struct sctp_chunkhdr *sch;
struct sctp_chunkhdr _sch;
do {
sch = skb_header_pointer(pkt->skb, offset, sizeof(_sch), &_sch);
if (!sch || !sch->length)
break;
if (sch->type == priv->type) {
if (priv->flags & NFT_EXTHDR_F_PRESENT) {
nft_reg_store8(dest, true);
return;
}
if (priv->offset + priv->len > ntohs(sch->length) ||
offset + ntohs(sch->length) > pkt->skb->len)
break;
dest[priv->len / NFT_REG32_SIZE] = 0;
memcpy(dest, (char *)sch + priv->offset, priv->len);
return;
}
offset += SCTP_PAD4(ntohs(sch->length));
} while (offset < pkt->skb->len);
if (priv->flags & NFT_EXTHDR_F_PRESENT)
nft_reg_store8(dest, false);
else
regs->verdict.code = NFT_BREAK;
}
static const struct nla_policy nft_exthdr_policy[NFTA_EXTHDR_MAX + 1] = { static const struct nla_policy nft_exthdr_policy[NFTA_EXTHDR_MAX + 1] = {
[NFTA_EXTHDR_DREG] = { .type = NLA_U32 }, [NFTA_EXTHDR_DREG] = { .type = NLA_U32 },
[NFTA_EXTHDR_TYPE] = { .type = NLA_U8 }, [NFTA_EXTHDR_TYPE] = { .type = NLA_U8 },
...@@ -499,6 +538,14 @@ static const struct nft_expr_ops nft_exthdr_tcp_set_ops = { ...@@ -499,6 +538,14 @@ static const struct nft_expr_ops nft_exthdr_tcp_set_ops = {
.dump = nft_exthdr_dump_set, .dump = nft_exthdr_dump_set,
}; };
static const struct nft_expr_ops nft_exthdr_sctp_ops = {
.type = &nft_exthdr_type,
.size = NFT_EXPR_SIZE(sizeof(struct nft_exthdr)),
.eval = nft_exthdr_sctp_eval,
.init = nft_exthdr_init,
.dump = nft_exthdr_dump,
};
static const struct nft_expr_ops * static const struct nft_expr_ops *
nft_exthdr_select_ops(const struct nft_ctx *ctx, nft_exthdr_select_ops(const struct nft_ctx *ctx,
const struct nlattr * const tb[]) const struct nlattr * const tb[])
...@@ -529,6 +576,10 @@ nft_exthdr_select_ops(const struct nft_ctx *ctx, ...@@ -529,6 +576,10 @@ nft_exthdr_select_ops(const struct nft_ctx *ctx,
return &nft_exthdr_ipv4_ops; return &nft_exthdr_ipv4_ops;
} }
break; break;
case NFT_EXTHDR_OP_SCTP:
if (tb[NFTA_EXTHDR_DREG])
return &nft_exthdr_sctp_ops;
break;
} }
return ERR_PTR(-EOPNOTSUPP); return ERR_PTR(-EOPNOTSUPP);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment