The xt_dccp iptables module supports the matching of DCCP packets based on the presence or absence of DCCP options. Extend nft_exthdr to add this functionality to nftables. Link: https://bugzilla.netfilter.org/show_bug.cgi?id=930 Signed-off-by: Jeremy Sowden <jeremy@xxxxxxxxxx> --- include/uapi/linux/netfilter/nf_tables.h | 2 + net/netfilter/nft_exthdr.c | 105 +++++++++++++++++++++++ 2 files changed, 107 insertions(+) diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h index 9c6f02c26054..1406952e7139 100644 --- a/include/uapi/linux/netfilter/nf_tables.h +++ b/include/uapi/linux/netfilter/nf_tables.h @@ -859,12 +859,14 @@ enum nft_exthdr_flags { * @NFT_EXTHDR_OP_TCP: match against tcp options * @NFT_EXTHDR_OP_IPV4: match against ipv4 options * @NFT_EXTHDR_OP_SCTP: match against sctp chunks + * @NFT_EXTHDR_OP_DCCP: match against dccp otions */ enum nft_exthdr_op { NFT_EXTHDR_OP_IPV6, NFT_EXTHDR_OP_TCPOPT, NFT_EXTHDR_OP_IPV4, NFT_EXTHDR_OP_SCTP, + NFT_EXTHDR_OP_DCCP, __NFT_EXTHDR_OP_MAX }; #define NFT_EXTHDR_OP_MAX (__NFT_EXTHDR_OP_MAX - 1) diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c index a54a7f772cec..204feefbb7ea 100644 --- a/net/netfilter/nft_exthdr.c +++ b/net/netfilter/nft_exthdr.c @@ -10,6 +10,7 @@ #include <linux/netlink.h> #include <linux/netfilter.h> #include <linux/netfilter/nf_tables.h> +#include <linux/dccp.h> #include <linux/sctp.h> #include <net/netfilter/nf_tables_core.h> #include <net/netfilter/nf_tables.h> @@ -25,6 +26,17 @@ struct nft_exthdr { u8 flags; }; +struct nft_exthdr_dccp { + struct nft_exthdr exthdr; + /* A buffer into which to copy the DCCP packet options for parsing. The + * options are located between the packet header and its data. The + * offset of the data from the start of the header is stored in an 8-bit + * field as the number of 32-bit words, so the options will definitely + * be shorter than `4 * U8_MAX` bytes. + */ + u8 optbuf[4 * U8_MAX]; +}; + static unsigned int optlen(const u8 *opt, unsigned int offset) { /* Beware zero-length options: make finite progress */ @@ -406,6 +418,70 @@ static void nft_exthdr_sctp_eval(const struct nft_expr *expr, regs->verdict.code = NFT_BREAK; } +static void nft_exthdr_dccp_eval(const struct nft_expr *expr, + struct nft_regs *regs, + const struct nft_pktinfo *pkt) +{ + struct nft_exthdr_dccp *priv_dccp = nft_expr_priv(expr); + struct nft_exthdr *priv = &priv_dccp->exthdr; + u32 *dest = ®s->data[priv->dreg]; + unsigned int optoff, optlen, i; + const struct dccp_hdr *dh; + struct dccp_hdr _dh; + const u8 *options; + + if (pkt->tprot != IPPROTO_DCCP || pkt->fragoff) + goto err; + + dh = skb_header_pointer(pkt->skb, nft_thoff(pkt), sizeof(_dh), &_dh); + if (!dh) + goto err; + + if (dh->dccph_doff * 4 < __dccp_hdr_len(dh)) + goto err; + + optoff = __dccp_hdr_len(dh); + optlen = dh->dccph_doff * 4 - optoff; + + if (!optlen) + goto err; + + options = skb_header_pointer(pkt->skb, nft_thoff(pkt) + optoff, optlen, + priv_dccp->optbuf); + if (!options) + goto err; + + for (i = 0; i < optlen; ) { + /* Options 0 - 31 are 1B in the length. Options 32 et seq. are + * at least 2B long. In all cases, the first byte contains the + * option type. In multi-byte options, the second byte contains + * the option length, which must be at least two; if it is + * greater than two, there are `len - 2` following bytes of + * option data. + */ + unsigned int len; + + if (options[i] > 31 && (optlen - i < 2 || options[i + 1] < 2)) + goto err; + + len = options[i] > 31 ? options[i + 1] : 1; + + if (optlen - i < len) + goto err; + + if (options[i] != priv->type) { + i += len; + continue; + } + + *dest = 1; + return; + } + +err: + *dest = 0; +} + static const struct nla_policy nft_exthdr_policy[NFTA_EXTHDR_MAX + 1] = { [NFTA_EXTHDR_DREG] = { .type = NLA_U32 }, [NFTA_EXTHDR_TYPE] = { .type = NLA_U8 }, @@ -557,6 +633,22 @@ static int nft_exthdr_ipv4_init(const struct nft_ctx *ctx, return 0; } +static int nft_exthdr_dccp_init(const struct nft_ctx *ctx, + const struct nft_expr *expr, + const struct nlattr * const tb[]) +{ + struct nft_exthdr *priv = nft_expr_priv(expr); + int err = nft_exthdr_init(ctx, expr, tb); + + if (err < 0) + return err; + + if (!(priv->flags & NFT_EXTHDR_F_PRESENT)) + return -EOPNOTSUPP; + + return 0; +} + static int nft_exthdr_dump_common(struct sk_buff *skb, const struct nft_exthdr *priv) { if (nla_put_u8(skb, NFTA_EXTHDR_TYPE, priv->type)) @@ -686,6 +778,15 @@ static const struct nft_expr_ops nft_exthdr_sctp_ops = { .reduce = nft_exthdr_reduce, }; +static const struct nft_expr_ops nft_exthdr_dccp_ops = { + .type = &nft_exthdr_type, + .size = NFT_EXPR_SIZE(sizeof(struct nft_exthdr_dccp)), + .eval = nft_exthdr_dccp_eval, + .init = nft_exthdr_dccp_init, + .dump = nft_exthdr_dump, + .reduce = nft_exthdr_reduce, +}; + static const struct nft_expr_ops * nft_exthdr_select_ops(const struct nft_ctx *ctx, const struct nlattr * const tb[]) @@ -720,6 +821,10 @@ nft_exthdr_select_ops(const struct nft_ctx *ctx, if (tb[NFTA_EXTHDR_DREG]) return &nft_exthdr_sctp_ops; break; + case NFT_EXTHDR_OP_DCCP: + if (tb[NFTA_EXTHDR_DREG]) + return &nft_exthdr_dccp_ops; + break; } return ERR_PTR(-EOPNOTSUPP); -- 2.39.2
