2008-01-15 07:40:53 +00:00
|
|
|
/*
|
|
|
|
* xt_conntrack - Netfilter module to match connection tracking
|
|
|
|
* information. (Superset of Rusty's minimalistic state match.)
|
2005-04-16 22:20:36 +00:00
|
|
|
*
|
2008-01-15 07:40:53 +00:00
|
|
|
* (C) 2001 Marc Boucher (marc@mbsi.ca).
|
2013-04-06 13:24:29 +00:00
|
|
|
* (C) 2006-2012 Patrick McHardy <kaber@trash.net>
|
2008-01-15 07:40:53 +00:00
|
|
|
* Copyright © CC Computer Consultants GmbH, 2007 - 2008
|
2005-04-16 22:20:36 +00:00
|
|
|
*
|
2008-01-15 07:40:53 +00:00
|
|
|
* This program is free software; you can redistribute it and/or modify
|
|
|
|
* it under the terms of the GNU General Public License version 2 as
|
|
|
|
* published by the Free Software Foundation.
|
2005-04-16 22:20:36 +00:00
|
|
|
*/
|
2010-03-17 15:04:40 +00:00
|
|
|
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
|
2005-04-16 22:20:36 +00:00
|
|
|
#include <linux/module.h>
|
|
|
|
#include <linux/skbuff.h>
|
2008-01-15 07:40:53 +00:00
|
|
|
#include <net/ipv6.h>
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 21:30:04 +00:00
|
|
|
#include <linux/netfilter/x_tables.h>
|
|
|
|
#include <linux/netfilter/xt_conntrack.h>
|
2007-03-14 23:37:25 +00:00
|
|
|
#include <net/netfilter/nf_conntrack.h>
|
2005-04-16 22:20:36 +00:00
|
|
|
|
|
|
|
MODULE_LICENSE("GPL");
|
|
|
|
MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
|
2009-06-12 16:56:14 +00:00
|
|
|
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
|
2008-01-15 07:42:28 +00:00
|
|
|
MODULE_DESCRIPTION("Xtables: connection tracking state match");
|
[NETFILTER] x_tables: Abstraction layer for {ip,ip6,arp}_tables
This monster-patch tries to do the best job for unifying the data
structures and backend interfaces for the three evil clones ip_tables,
ip6_tables and arp_tables. In an ideal world we would never have
allowed this kind of copy+paste programming... but well, our world
isn't (yet?) ideal.
o introduce a new x_tables module
o {ip,arp,ip6}_tables depend on this x_tables module
o registration functions for tables, matches and targets are only
wrappers around x_tables provided functions
o all matches/targets that are used from ip_tables and ip6_tables
are now implemented as xt_FOOBAR.c files and provide module aliases
to ipt_FOOBAR and ip6t_FOOBAR
o header files for xt_matches are in include/linux/netfilter/,
include/linux/netfilter_{ipv4,ipv6} contains compatibility wrappers
around the xt_FOOBAR.h headers
Based on this patchset we're going to further unify the code,
gradually getting rid of all the layer 3 specific assumptions.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
2006-01-12 21:30:04 +00:00
|
|
|
MODULE_ALIAS("ipt_conntrack");
|
2008-01-15 07:40:53 +00:00
|
|
|
MODULE_ALIAS("ip6t_conntrack");
|
2005-04-16 22:20:36 +00:00
|
|
|
|
2008-01-15 07:40:53 +00:00
|
|
|
static bool
|
|
|
|
conntrack_addrcmp(const union nf_inet_addr *kaddr,
|
|
|
|
const union nf_inet_addr *uaddr,
|
|
|
|
const union nf_inet_addr *umask, unsigned int l3proto)
|
|
|
|
{
|
2008-10-08 09:35:01 +00:00
|
|
|
if (l3proto == NFPROTO_IPV4)
|
2008-02-27 20:20:41 +00:00
|
|
|
return ((kaddr->ip ^ uaddr->ip) & umask->ip) == 0;
|
2008-10-08 09:35:01 +00:00
|
|
|
else if (l3proto == NFPROTO_IPV6)
|
2008-01-15 07:40:53 +00:00
|
|
|
return ipv6_masked_addr_cmp(&kaddr->in6, &umask->in6,
|
|
|
|
&uaddr->in6) == 0;
|
|
|
|
else
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline bool
|
|
|
|
conntrack_mt_origsrc(const struct nf_conn *ct,
|
2009-06-29 12:31:46 +00:00
|
|
|
const struct xt_conntrack_mtinfo2 *info,
|
2008-10-08 09:35:00 +00:00
|
|
|
u_int8_t family)
|
2008-01-15 07:40:53 +00:00
|
|
|
{
|
|
|
|
return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3,
|
|
|
|
&info->origsrc_addr, &info->origsrc_mask, family);
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline bool
|
|
|
|
conntrack_mt_origdst(const struct nf_conn *ct,
|
2009-06-29 12:31:46 +00:00
|
|
|
const struct xt_conntrack_mtinfo2 *info,
|
2008-10-08 09:35:00 +00:00
|
|
|
u_int8_t family)
|
2008-01-15 07:40:53 +00:00
|
|
|
{
|
|
|
|
return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3,
|
|
|
|
&info->origdst_addr, &info->origdst_mask, family);
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline bool
|
|
|
|
conntrack_mt_replsrc(const struct nf_conn *ct,
|
2009-06-29 12:31:46 +00:00
|
|
|
const struct xt_conntrack_mtinfo2 *info,
|
2008-10-08 09:35:00 +00:00
|
|
|
u_int8_t family)
|
2008-01-15 07:40:53 +00:00
|
|
|
{
|
|
|
|
return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3,
|
|
|
|
&info->replsrc_addr, &info->replsrc_mask, family);
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline bool
|
|
|
|
conntrack_mt_repldst(const struct nf_conn *ct,
|
2009-06-29 12:31:46 +00:00
|
|
|
const struct xt_conntrack_mtinfo2 *info,
|
2008-10-08 09:35:00 +00:00
|
|
|
u_int8_t family)
|
2008-01-15 07:40:53 +00:00
|
|
|
{
|
|
|
|
return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3,
|
|
|
|
&info->repldst_addr, &info->repldst_mask, family);
|
|
|
|
}
|
|
|
|
|
2008-01-31 11:58:24 +00:00
|
|
|
static inline bool
|
2009-06-29 12:31:46 +00:00
|
|
|
ct_proto_port_check(const struct xt_conntrack_mtinfo2 *info,
|
2008-01-31 11:58:24 +00:00
|
|
|
const struct nf_conn *ct)
|
|
|
|
{
|
|
|
|
const struct nf_conntrack_tuple *tuple;
|
|
|
|
|
|
|
|
tuple = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
|
|
|
|
if ((info->match_flags & XT_CONNTRACK_PROTO) &&
|
2008-04-14 09:15:52 +00:00
|
|
|
(nf_ct_protonum(ct) == info->l4proto) ^
|
2008-01-31 11:58:24 +00:00
|
|
|
!(info->invert_flags & XT_CONNTRACK_PROTO))
|
|
|
|
return false;
|
|
|
|
|
|
|
|
/* Shortcut to match all recognized protocols by using ->src.all. */
|
|
|
|
if ((info->match_flags & XT_CONNTRACK_ORIGSRC_PORT) &&
|
|
|
|
(tuple->src.u.all == info->origsrc_port) ^
|
|
|
|
!(info->invert_flags & XT_CONNTRACK_ORIGSRC_PORT))
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if ((info->match_flags & XT_CONNTRACK_ORIGDST_PORT) &&
|
|
|
|
(tuple->dst.u.all == info->origdst_port) ^
|
|
|
|
!(info->invert_flags & XT_CONNTRACK_ORIGDST_PORT))
|
|
|
|
return false;
|
|
|
|
|
|
|
|
tuple = &ct->tuplehash[IP_CT_DIR_REPLY].tuple;
|
|
|
|
|
|
|
|
if ((info->match_flags & XT_CONNTRACK_REPLSRC_PORT) &&
|
|
|
|
(tuple->src.u.all == info->replsrc_port) ^
|
|
|
|
!(info->invert_flags & XT_CONNTRACK_REPLSRC_PORT))
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if ((info->match_flags & XT_CONNTRACK_REPLDST_PORT) &&
|
|
|
|
(tuple->dst.u.all == info->repldst_port) ^
|
|
|
|
!(info->invert_flags & XT_CONNTRACK_REPLDST_PORT))
|
|
|
|
return false;
|
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2010-12-15 08:46:26 +00:00
|
|
|
static inline bool
|
|
|
|
port_match(u16 min, u16 max, u16 port, bool invert)
|
|
|
|
{
|
|
|
|
return (port >= min && port <= max) ^ invert;
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline bool
|
|
|
|
ct_proto_port_check_v3(const struct xt_conntrack_mtinfo3 *info,
|
|
|
|
const struct nf_conn *ct)
|
|
|
|
{
|
|
|
|
const struct nf_conntrack_tuple *tuple;
|
|
|
|
|
|
|
|
tuple = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
|
|
|
|
if ((info->match_flags & XT_CONNTRACK_PROTO) &&
|
|
|
|
(nf_ct_protonum(ct) == info->l4proto) ^
|
|
|
|
!(info->invert_flags & XT_CONNTRACK_PROTO))
|
|
|
|
return false;
|
|
|
|
|
|
|
|
/* Shortcut to match all recognized protocols by using ->src.all. */
|
|
|
|
if ((info->match_flags & XT_CONNTRACK_ORIGSRC_PORT) &&
|
|
|
|
!port_match(info->origsrc_port, info->origsrc_port_high,
|
|
|
|
ntohs(tuple->src.u.all),
|
|
|
|
info->invert_flags & XT_CONNTRACK_ORIGSRC_PORT))
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if ((info->match_flags & XT_CONNTRACK_ORIGDST_PORT) &&
|
|
|
|
!port_match(info->origdst_port, info->origdst_port_high,
|
|
|
|
ntohs(tuple->dst.u.all),
|
|
|
|
info->invert_flags & XT_CONNTRACK_ORIGDST_PORT))
|
|
|
|
return false;
|
|
|
|
|
|
|
|
tuple = &ct->tuplehash[IP_CT_DIR_REPLY].tuple;
|
|
|
|
|
|
|
|
if ((info->match_flags & XT_CONNTRACK_REPLSRC_PORT) &&
|
|
|
|
!port_match(info->replsrc_port, info->replsrc_port_high,
|
|
|
|
ntohs(tuple->src.u.all),
|
|
|
|
info->invert_flags & XT_CONNTRACK_REPLSRC_PORT))
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if ((info->match_flags & XT_CONNTRACK_REPLDST_PORT) &&
|
|
|
|
!port_match(info->repldst_port, info->repldst_port_high,
|
|
|
|
ntohs(tuple->dst.u.all),
|
|
|
|
info->invert_flags & XT_CONNTRACK_REPLDST_PORT))
|
|
|
|
return false;
|
|
|
|
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2008-01-15 07:40:53 +00:00
|
|
|
static bool
|
2009-07-07 18:42:08 +00:00
|
|
|
conntrack_mt(const struct sk_buff *skb, struct xt_action_param *par,
|
netfilter: xtables: fix conntrack match v1 ipt-save output
commit d6d3f08b0fd998b647a05540cedd11a067b72867
(netfilter: xtables: conntrack match revision 2) does break the
v1 conntrack match iptables-save output in a subtle way.
Problem is as follows:
up = kmalloc(sizeof(*up), GFP_KERNEL);
[..]
/*
* The strategy here is to minimize the overhead of v1 matching,
* by prebuilding a v2 struct and putting the pointer into the
* v1 dataspace.
*/
memcpy(up, info, offsetof(typeof(*info), state_mask));
[..]
*(void **)info = up;
As the v2 struct pointer is saved in the match data space,
it clobbers the first structure member (->origsrc_addr).
Because the _v1 match function grabs this pointer and does not actually
look at the v1 origsrc, run time functionality does not break.
But iptables -nvL (or iptables-save) cannot know that v1 origsrc_addr
has been overloaded in this way:
$ iptables -p tcp -A OUTPUT -m conntrack --ctorigsrc 10.0.0.1 -j ACCEPT
$ iptables-save
-A OUTPUT -p tcp -m conntrack --ctorigsrc 128.173.134.206 -j ACCEPT
(128.173... is the address to the v2 match structure).
To fix this, we take advantage of the fact that the v1 and v2 structures
are identical with exception of the last two structure members (u8 in v1,
u16 in v2).
We extract them as early as possible and prevent the v2 matching function
from looking at those two members directly.
Previously reported by Michel Messerschmidt via Ben Hutchings, also
see Debian Bug tracker #556587.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
2009-11-23 09:43:57 +00:00
|
|
|
u16 state_mask, u16 status_mask)
|
2008-01-15 07:40:53 +00:00
|
|
|
{
|
2009-06-29 12:31:46 +00:00
|
|
|
const struct xt_conntrack_mtinfo2 *info = par->matchinfo;
|
2008-01-15 07:40:53 +00:00
|
|
|
enum ip_conntrack_info ctinfo;
|
|
|
|
const struct nf_conn *ct;
|
|
|
|
unsigned int statebit;
|
|
|
|
|
|
|
|
ct = nf_ct_get(skb, &ctinfo);
|
|
|
|
|
netfilter: kill the fake untracked conntrack objects
resurrect an old patch from Pablo Neira to remove the untracked objects.
Currently, there are four possible states of an skb wrt. conntrack.
1. No conntrack attached, ct is NULL.
2. Normal (kmem cache allocated) ct attached.
3. a template (kmalloc'd), not in any hash tables at any point in time
4. the 'untracked' conntrack, a percpu nf_conn object, tagged via
IPS_UNTRACKED_BIT in ct->status.
Untracked is supposed to be identical to case 1. It exists only
so users can check
-m conntrack --ctstate UNTRACKED vs.
-m conntrack --ctstate INVALID
e.g. attempts to set connmark on INVALID or UNTRACKED conntracks is
supposed to be a no-op.
Thus currently we need to check
ct == NULL || nf_ct_is_untracked(ct)
in a lot of places in order to avoid altering untracked objects.
The other consequence of the percpu untracked object is that all
-j NOTRACK (and, later, kfree_skb of such skbs) result in an atomic op
(inc/dec the untracked conntracks refcount).
This adds a new kernel-private ctinfo state, IP_CT_UNTRACKED, to
make the distinction instead.
The (few) places that care about packet invalid (ct is NULL) vs.
packet untracked now need to test ct == NULL vs. ctinfo == IP_CT_UNTRACKED,
but all other places can omit the nf_ct_is_untracked() check.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2017-04-14 18:31:08 +00:00
|
|
|
if (ct)
|
|
|
|
statebit = XT_CONNTRACK_STATE_BIT(ctinfo);
|
|
|
|
else if (ctinfo == IP_CT_UNTRACKED)
|
|
|
|
statebit = XT_CONNTRACK_STATE_UNTRACKED;
|
|
|
|
else
|
2008-01-15 07:40:53 +00:00
|
|
|
statebit = XT_CONNTRACK_STATE_INVALID;
|
|
|
|
|
|
|
|
if (info->match_flags & XT_CONNTRACK_STATE) {
|
|
|
|
if (ct != NULL) {
|
|
|
|
if (test_bit(IPS_SRC_NAT_BIT, &ct->status))
|
|
|
|
statebit |= XT_CONNTRACK_STATE_SNAT;
|
|
|
|
if (test_bit(IPS_DST_NAT_BIT, &ct->status))
|
|
|
|
statebit |= XT_CONNTRACK_STATE_DNAT;
|
|
|
|
}
|
netfilter: xtables: fix conntrack match v1 ipt-save output
commit d6d3f08b0fd998b647a05540cedd11a067b72867
(netfilter: xtables: conntrack match revision 2) does break the
v1 conntrack match iptables-save output in a subtle way.
Problem is as follows:
up = kmalloc(sizeof(*up), GFP_KERNEL);
[..]
/*
* The strategy here is to minimize the overhead of v1 matching,
* by prebuilding a v2 struct and putting the pointer into the
* v1 dataspace.
*/
memcpy(up, info, offsetof(typeof(*info), state_mask));
[..]
*(void **)info = up;
As the v2 struct pointer is saved in the match data space,
it clobbers the first structure member (->origsrc_addr).
Because the _v1 match function grabs this pointer and does not actually
look at the v1 origsrc, run time functionality does not break.
But iptables -nvL (or iptables-save) cannot know that v1 origsrc_addr
has been overloaded in this way:
$ iptables -p tcp -A OUTPUT -m conntrack --ctorigsrc 10.0.0.1 -j ACCEPT
$ iptables-save
-A OUTPUT -p tcp -m conntrack --ctorigsrc 128.173.134.206 -j ACCEPT
(128.173... is the address to the v2 match structure).
To fix this, we take advantage of the fact that the v1 and v2 structures
are identical with exception of the last two structure members (u8 in v1,
u16 in v2).
We extract them as early as possible and prevent the v2 matching function
from looking at those two members directly.
Previously reported by Michel Messerschmidt via Ben Hutchings, also
see Debian Bug tracker #556587.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
2009-11-23 09:43:57 +00:00
|
|
|
if (!!(state_mask & statebit) ^
|
2008-01-15 07:40:53 +00:00
|
|
|
!(info->invert_flags & XT_CONNTRACK_STATE))
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (ct == NULL)
|
|
|
|
return info->match_flags & XT_CONNTRACK_STATE;
|
2008-01-31 11:58:24 +00:00
|
|
|
if ((info->match_flags & XT_CONNTRACK_DIRECTION) &&
|
|
|
|
(CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL) ^
|
2011-04-04 15:06:21 +00:00
|
|
|
!(info->invert_flags & XT_CONNTRACK_DIRECTION))
|
2008-01-15 07:40:53 +00:00
|
|
|
return false;
|
|
|
|
|
|
|
|
if (info->match_flags & XT_CONNTRACK_ORIGSRC)
|
2016-11-03 09:56:21 +00:00
|
|
|
if (conntrack_mt_origsrc(ct, info, xt_family(par)) ^
|
2008-01-15 07:40:53 +00:00
|
|
|
!(info->invert_flags & XT_CONNTRACK_ORIGSRC))
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if (info->match_flags & XT_CONNTRACK_ORIGDST)
|
2016-11-03 09:56:21 +00:00
|
|
|
if (conntrack_mt_origdst(ct, info, xt_family(par)) ^
|
2008-01-15 07:40:53 +00:00
|
|
|
!(info->invert_flags & XT_CONNTRACK_ORIGDST))
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if (info->match_flags & XT_CONNTRACK_REPLSRC)
|
2016-11-03 09:56:21 +00:00
|
|
|
if (conntrack_mt_replsrc(ct, info, xt_family(par)) ^
|
2008-01-15 07:40:53 +00:00
|
|
|
!(info->invert_flags & XT_CONNTRACK_REPLSRC))
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if (info->match_flags & XT_CONNTRACK_REPLDST)
|
2016-11-03 09:56:21 +00:00
|
|
|
if (conntrack_mt_repldst(ct, info, xt_family(par)) ^
|
2008-01-15 07:40:53 +00:00
|
|
|
!(info->invert_flags & XT_CONNTRACK_REPLDST))
|
|
|
|
return false;
|
|
|
|
|
2010-12-15 08:46:26 +00:00
|
|
|
if (par->match->revision != 3) {
|
|
|
|
if (!ct_proto_port_check(info, ct))
|
|
|
|
return false;
|
|
|
|
} else {
|
|
|
|
if (!ct_proto_port_check_v3(par->matchinfo, ct))
|
|
|
|
return false;
|
|
|
|
}
|
2008-01-31 11:58:24 +00:00
|
|
|
|
2008-01-15 07:40:53 +00:00
|
|
|
if ((info->match_flags & XT_CONNTRACK_STATUS) &&
|
netfilter: xtables: fix conntrack match v1 ipt-save output
commit d6d3f08b0fd998b647a05540cedd11a067b72867
(netfilter: xtables: conntrack match revision 2) does break the
v1 conntrack match iptables-save output in a subtle way.
Problem is as follows:
up = kmalloc(sizeof(*up), GFP_KERNEL);
[..]
/*
* The strategy here is to minimize the overhead of v1 matching,
* by prebuilding a v2 struct and putting the pointer into the
* v1 dataspace.
*/
memcpy(up, info, offsetof(typeof(*info), state_mask));
[..]
*(void **)info = up;
As the v2 struct pointer is saved in the match data space,
it clobbers the first structure member (->origsrc_addr).
Because the _v1 match function grabs this pointer and does not actually
look at the v1 origsrc, run time functionality does not break.
But iptables -nvL (or iptables-save) cannot know that v1 origsrc_addr
has been overloaded in this way:
$ iptables -p tcp -A OUTPUT -m conntrack --ctorigsrc 10.0.0.1 -j ACCEPT
$ iptables-save
-A OUTPUT -p tcp -m conntrack --ctorigsrc 128.173.134.206 -j ACCEPT
(128.173... is the address to the v2 match structure).
To fix this, we take advantage of the fact that the v1 and v2 structures
are identical with exception of the last two structure members (u8 in v1,
u16 in v2).
We extract them as early as possible and prevent the v2 matching function
from looking at those two members directly.
Previously reported by Michel Messerschmidt via Ben Hutchings, also
see Debian Bug tracker #556587.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
2009-11-23 09:43:57 +00:00
|
|
|
(!!(status_mask & ct->status) ^
|
2008-01-15 07:40:53 +00:00
|
|
|
!(info->invert_flags & XT_CONNTRACK_STATUS)))
|
|
|
|
return false;
|
|
|
|
|
|
|
|
if (info->match_flags & XT_CONNTRACK_EXPIRES) {
|
2016-08-03 00:45:07 +00:00
|
|
|
unsigned long expires = nf_ct_expires(ct) / HZ;
|
2008-01-15 07:40:53 +00:00
|
|
|
|
|
|
|
if ((expires >= info->expires_min &&
|
|
|
|
expires <= info->expires_max) ^
|
|
|
|
!(info->invert_flags & XT_CONNTRACK_EXPIRES))
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
|
2009-06-29 12:31:46 +00:00
|
|
|
static bool
|
2009-07-07 18:42:08 +00:00
|
|
|
conntrack_mt_v1(const struct sk_buff *skb, struct xt_action_param *par)
|
2009-06-29 12:31:46 +00:00
|
|
|
{
|
netfilter: xtables: fix conntrack match v1 ipt-save output
commit d6d3f08b0fd998b647a05540cedd11a067b72867
(netfilter: xtables: conntrack match revision 2) does break the
v1 conntrack match iptables-save output in a subtle way.
Problem is as follows:
up = kmalloc(sizeof(*up), GFP_KERNEL);
[..]
/*
* The strategy here is to minimize the overhead of v1 matching,
* by prebuilding a v2 struct and putting the pointer into the
* v1 dataspace.
*/
memcpy(up, info, offsetof(typeof(*info), state_mask));
[..]
*(void **)info = up;
As the v2 struct pointer is saved in the match data space,
it clobbers the first structure member (->origsrc_addr).
Because the _v1 match function grabs this pointer and does not actually
look at the v1 origsrc, run time functionality does not break.
But iptables -nvL (or iptables-save) cannot know that v1 origsrc_addr
has been overloaded in this way:
$ iptables -p tcp -A OUTPUT -m conntrack --ctorigsrc 10.0.0.1 -j ACCEPT
$ iptables-save
-A OUTPUT -p tcp -m conntrack --ctorigsrc 128.173.134.206 -j ACCEPT
(128.173... is the address to the v2 match structure).
To fix this, we take advantage of the fact that the v1 and v2 structures
are identical with exception of the last two structure members (u8 in v1,
u16 in v2).
We extract them as early as possible and prevent the v2 matching function
from looking at those two members directly.
Previously reported by Michel Messerschmidt via Ben Hutchings, also
see Debian Bug tracker #556587.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
2009-11-23 09:43:57 +00:00
|
|
|
const struct xt_conntrack_mtinfo1 *info = par->matchinfo;
|
2009-06-29 12:31:46 +00:00
|
|
|
|
netfilter: xtables: fix conntrack match v1 ipt-save output
commit d6d3f08b0fd998b647a05540cedd11a067b72867
(netfilter: xtables: conntrack match revision 2) does break the
v1 conntrack match iptables-save output in a subtle way.
Problem is as follows:
up = kmalloc(sizeof(*up), GFP_KERNEL);
[..]
/*
* The strategy here is to minimize the overhead of v1 matching,
* by prebuilding a v2 struct and putting the pointer into the
* v1 dataspace.
*/
memcpy(up, info, offsetof(typeof(*info), state_mask));
[..]
*(void **)info = up;
As the v2 struct pointer is saved in the match data space,
it clobbers the first structure member (->origsrc_addr).
Because the _v1 match function grabs this pointer and does not actually
look at the v1 origsrc, run time functionality does not break.
But iptables -nvL (or iptables-save) cannot know that v1 origsrc_addr
has been overloaded in this way:
$ iptables -p tcp -A OUTPUT -m conntrack --ctorigsrc 10.0.0.1 -j ACCEPT
$ iptables-save
-A OUTPUT -p tcp -m conntrack --ctorigsrc 128.173.134.206 -j ACCEPT
(128.173... is the address to the v2 match structure).
To fix this, we take advantage of the fact that the v1 and v2 structures
are identical with exception of the last two structure members (u8 in v1,
u16 in v2).
We extract them as early as possible and prevent the v2 matching function
from looking at those two members directly.
Previously reported by Michel Messerschmidt via Ben Hutchings, also
see Debian Bug tracker #556587.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
2009-11-23 09:43:57 +00:00
|
|
|
return conntrack_mt(skb, par, info->state_mask, info->status_mask);
|
|
|
|
}
|
|
|
|
|
|
|
|
static bool
|
2009-07-07 18:42:08 +00:00
|
|
|
conntrack_mt_v2(const struct sk_buff *skb, struct xt_action_param *par)
|
netfilter: xtables: fix conntrack match v1 ipt-save output
commit d6d3f08b0fd998b647a05540cedd11a067b72867
(netfilter: xtables: conntrack match revision 2) does break the
v1 conntrack match iptables-save output in a subtle way.
Problem is as follows:
up = kmalloc(sizeof(*up), GFP_KERNEL);
[..]
/*
* The strategy here is to minimize the overhead of v1 matching,
* by prebuilding a v2 struct and putting the pointer into the
* v1 dataspace.
*/
memcpy(up, info, offsetof(typeof(*info), state_mask));
[..]
*(void **)info = up;
As the v2 struct pointer is saved in the match data space,
it clobbers the first structure member (->origsrc_addr).
Because the _v1 match function grabs this pointer and does not actually
look at the v1 origsrc, run time functionality does not break.
But iptables -nvL (or iptables-save) cannot know that v1 origsrc_addr
has been overloaded in this way:
$ iptables -p tcp -A OUTPUT -m conntrack --ctorigsrc 10.0.0.1 -j ACCEPT
$ iptables-save
-A OUTPUT -p tcp -m conntrack --ctorigsrc 128.173.134.206 -j ACCEPT
(128.173... is the address to the v2 match structure).
To fix this, we take advantage of the fact that the v1 and v2 structures
are identical with exception of the last two structure members (u8 in v1,
u16 in v2).
We extract them as early as possible and prevent the v2 matching function
from looking at those two members directly.
Previously reported by Michel Messerschmidt via Ben Hutchings, also
see Debian Bug tracker #556587.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
2009-11-23 09:43:57 +00:00
|
|
|
{
|
|
|
|
const struct xt_conntrack_mtinfo2 *info = par->matchinfo;
|
|
|
|
|
|
|
|
return conntrack_mt(skb, par, info->state_mask, info->status_mask);
|
2009-06-29 12:31:46 +00:00
|
|
|
}
|
|
|
|
|
2010-12-15 08:46:26 +00:00
|
|
|
static bool
|
|
|
|
conntrack_mt_v3(const struct sk_buff *skb, struct xt_action_param *par)
|
|
|
|
{
|
|
|
|
const struct xt_conntrack_mtinfo3 *info = par->matchinfo;
|
|
|
|
|
|
|
|
return conntrack_mt(skb, par, info->state_mask, info->status_mask);
|
|
|
|
}
|
|
|
|
|
2010-03-19 16:16:42 +00:00
|
|
|
static int conntrack_mt_check(const struct xt_mtchk_param *par)
|
2006-03-22 21:56:08 +00:00
|
|
|
{
|
2010-03-19 16:32:59 +00:00
|
|
|
int ret;
|
|
|
|
|
2016-11-15 20:36:40 +00:00
|
|
|
ret = nf_ct_netns_get(par->net, par->family);
|
2010-03-21 03:05:56 +00:00
|
|
|
if (ret < 0)
|
2010-03-17 15:04:40 +00:00
|
|
|
pr_info("cannot load conntrack support for proto=%u\n",
|
|
|
|
par->family);
|
2010-03-21 03:05:56 +00:00
|
|
|
return ret;
|
2006-03-22 21:56:08 +00:00
|
|
|
}
|
|
|
|
|
2008-10-08 09:35:19 +00:00
|
|
|
static void conntrack_mt_destroy(const struct xt_mtdtor_param *par)
|
2006-03-22 21:56:08 +00:00
|
|
|
{
|
2016-11-15 20:36:40 +00:00
|
|
|
nf_ct_netns_put(par->net, par->family);
|
2006-03-22 21:56:08 +00:00
|
|
|
}
|
|
|
|
|
2008-01-15 07:40:53 +00:00
|
|
|
static struct xt_match conntrack_mt_reg[] __read_mostly = {
|
|
|
|
{
|
|
|
|
.name = "conntrack",
|
|
|
|
.revision = 1,
|
2008-10-08 09:35:20 +00:00
|
|
|
.family = NFPROTO_UNSPEC,
|
2008-01-15 07:40:53 +00:00
|
|
|
.matchsize = sizeof(struct xt_conntrack_mtinfo1),
|
2009-06-29 12:31:46 +00:00
|
|
|
.match = conntrack_mt_v1,
|
netfilter: xtables: fix conntrack match v1 ipt-save output
commit d6d3f08b0fd998b647a05540cedd11a067b72867
(netfilter: xtables: conntrack match revision 2) does break the
v1 conntrack match iptables-save output in a subtle way.
Problem is as follows:
up = kmalloc(sizeof(*up), GFP_KERNEL);
[..]
/*
* The strategy here is to minimize the overhead of v1 matching,
* by prebuilding a v2 struct and putting the pointer into the
* v1 dataspace.
*/
memcpy(up, info, offsetof(typeof(*info), state_mask));
[..]
*(void **)info = up;
As the v2 struct pointer is saved in the match data space,
it clobbers the first structure member (->origsrc_addr).
Because the _v1 match function grabs this pointer and does not actually
look at the v1 origsrc, run time functionality does not break.
But iptables -nvL (or iptables-save) cannot know that v1 origsrc_addr
has been overloaded in this way:
$ iptables -p tcp -A OUTPUT -m conntrack --ctorigsrc 10.0.0.1 -j ACCEPT
$ iptables-save
-A OUTPUT -p tcp -m conntrack --ctorigsrc 128.173.134.206 -j ACCEPT
(128.173... is the address to the v2 match structure).
To fix this, we take advantage of the fact that the v1 and v2 structures
are identical with exception of the last two structure members (u8 in v1,
u16 in v2).
We extract them as early as possible and prevent the v2 matching function
from looking at those two members directly.
Previously reported by Michel Messerschmidt via Ben Hutchings, also
see Debian Bug tracker #556587.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
2009-11-23 09:43:57 +00:00
|
|
|
.checkentry = conntrack_mt_check,
|
|
|
|
.destroy = conntrack_mt_destroy,
|
2009-06-29 12:31:46 +00:00
|
|
|
.me = THIS_MODULE,
|
|
|
|
},
|
|
|
|
{
|
|
|
|
.name = "conntrack",
|
|
|
|
.revision = 2,
|
|
|
|
.family = NFPROTO_UNSPEC,
|
|
|
|
.matchsize = sizeof(struct xt_conntrack_mtinfo2),
|
netfilter: xtables: fix conntrack match v1 ipt-save output
commit d6d3f08b0fd998b647a05540cedd11a067b72867
(netfilter: xtables: conntrack match revision 2) does break the
v1 conntrack match iptables-save output in a subtle way.
Problem is as follows:
up = kmalloc(sizeof(*up), GFP_KERNEL);
[..]
/*
* The strategy here is to minimize the overhead of v1 matching,
* by prebuilding a v2 struct and putting the pointer into the
* v1 dataspace.
*/
memcpy(up, info, offsetof(typeof(*info), state_mask));
[..]
*(void **)info = up;
As the v2 struct pointer is saved in the match data space,
it clobbers the first structure member (->origsrc_addr).
Because the _v1 match function grabs this pointer and does not actually
look at the v1 origsrc, run time functionality does not break.
But iptables -nvL (or iptables-save) cannot know that v1 origsrc_addr
has been overloaded in this way:
$ iptables -p tcp -A OUTPUT -m conntrack --ctorigsrc 10.0.0.1 -j ACCEPT
$ iptables-save
-A OUTPUT -p tcp -m conntrack --ctorigsrc 128.173.134.206 -j ACCEPT
(128.173... is the address to the v2 match structure).
To fix this, we take advantage of the fact that the v1 and v2 structures
are identical with exception of the last two structure members (u8 in v1,
u16 in v2).
We extract them as early as possible and prevent the v2 matching function
from looking at those two members directly.
Previously reported by Michel Messerschmidt via Ben Hutchings, also
see Debian Bug tracker #556587.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
2009-11-23 09:43:57 +00:00
|
|
|
.match = conntrack_mt_v2,
|
2008-01-15 07:40:53 +00:00
|
|
|
.checkentry = conntrack_mt_check,
|
|
|
|
.destroy = conntrack_mt_destroy,
|
|
|
|
.me = THIS_MODULE,
|
|
|
|
},
|
2010-12-15 08:46:26 +00:00
|
|
|
{
|
|
|
|
.name = "conntrack",
|
|
|
|
.revision = 3,
|
|
|
|
.family = NFPROTO_UNSPEC,
|
|
|
|
.matchsize = sizeof(struct xt_conntrack_mtinfo3),
|
|
|
|
.match = conntrack_mt_v3,
|
|
|
|
.checkentry = conntrack_mt_check,
|
|
|
|
.destroy = conntrack_mt_destroy,
|
|
|
|
.me = THIS_MODULE,
|
|
|
|
},
|
2005-04-16 22:20:36 +00:00
|
|
|
};
|
|
|
|
|
2007-12-05 07:24:03 +00:00
|
|
|
static int __init conntrack_mt_init(void)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2008-01-15 07:40:53 +00:00
|
|
|
return xt_register_matches(conntrack_mt_reg,
|
|
|
|
ARRAY_SIZE(conntrack_mt_reg));
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
2007-12-05 07:24:03 +00:00
|
|
|
static void __exit conntrack_mt_exit(void)
|
2005-04-16 22:20:36 +00:00
|
|
|
{
|
2008-01-15 07:40:53 +00:00
|
|
|
xt_unregister_matches(conntrack_mt_reg, ARRAY_SIZE(conntrack_mt_reg));
|
2005-04-16 22:20:36 +00:00
|
|
|
}
|
|
|
|
|
2007-12-05 07:24:03 +00:00
|
|
|
module_init(conntrack_mt_init);
|
|
|
|
module_exit(conntrack_mt_exit);
|