
Commit 7890cbe

Florian Westphalummakynes
authored andcommitted
netfilter: exthdr: add support for tcp option removal
This allows to replace a tcp option with nop padding to selectively disable a particular tcp option. Optstrip mode is chosen when userspace passes the exthdr expression with neither a source nor a destination register attribute. This is identical to xtables TCPOPTSTRIP extension. The only difference is that TCPOPTSTRIP allows to pass in a bitmap of options to remove rather than a single number. Unlike TCPOPTSTRIP this expression can be used multiple times in the same rule to get the same effect. We could add a new nested attribute later on in case there is a use case for single-expression-multi-remove. Signed-off-by: Florian Westphal <[email protected]> Signed-off-by: Pablo Neira Ayuso <[email protected]>
1 parent 20ff320 commit 7890cbe


1 file changed

+95
-1
lines changed


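--- a/net/netfilter/nft_exthdr.c
+++ b/net/netfilter/nft_exthdr.c
@@ -308,6 +308,63 @@ static void nft_exthdr_tcp_set_eval(const struct nft_expr *expr,
 regs->verdict.code = NFT_BREAK;
 }
 
+static void nft_exthdr_tcp_strip_eval(const struct nft_expr *expr,
+struct nft_regs *regs,
+const struct nft_pktinfo *pkt)
+{
+u8 buff[sizeof(struct tcphdr) + MAX_TCP_OPTION_SPACE];
+struct nft_exthdr *priv = nft_expr_priv(expr);
+unsigned int i, tcphdr_len, optl;
+struct tcphdr *tcph;
+u8 *opt;
+
+tcph = nft_tcp_header_pointer(pkt, sizeof(buff), buff, &tcphdr_len);
+if (!tcph)
+goto err;
+
+if (skb_ensure_writable(pkt->skb, nft_thoff(pkt) + tcphdr_len))
+goto drop;
+
+opt = (u8 *)nft_tcp_header_pointer(pkt, sizeof(buff), buff, &tcphdr_len);
+if (!opt)
+goto err;
+for (i = sizeof(*tcph); i < tcphdr_len - 1; i += optl) {
+unsigned int j;
+
+optl = optlen(opt, i);
+if (priv->type != opt[i])
+continue;
+
+if (i + optl > tcphdr_len)
+goto drop;
+
+for (j = 0; j < optl; ++j) {
+u16 n = TCPOPT_NOP;
+u16 o = opt[i+j];
+
+if ((i + j) % 2 == 0) {
+o <<= 8;
+n <<= 8;
+}
+inet_proto_csum_replace2(&tcph->check, pkt->skb, htons(o),
+htons(n), false);
+}
+memset(opt + i, TCPOPT_NOP, optl);
+return;
+}
+
+/* option not found, continue. This allows to do multiple
+* option removals per rule.
+*/
+return;
+err:
+regs->verdict.code = NFT_BREAK;
+return;
+drop:
+/* can't remove, no choice but to drop */
+regs->verdict.code = NF_DROP;
+}
+
 static void nft_exthdr_sctp_eval(const struct nft_expr *expr,
 struct nft_regs *regs,
 const struct nft_pktinfo *pkt)
@@ -457,6 +514,28 @@ static int nft_exthdr_tcp_set_init(const struct nft_ctx *ctx,
 priv->len);
 }
 
+static int nft_exthdr_tcp_strip_init(const struct nft_ctx *ctx,
+const struct nft_expr *expr,
+const struct nlattr * const tb[])
+{
+struct nft_exthdr *priv = nft_expr_priv(expr);
+
+if (tb[NFTA_EXTHDR_SREG] ||
+tb[NFTA_EXTHDR_DREG] ||
+tb[NFTA_EXTHDR_FLAGS] ||
+tb[NFTA_EXTHDR_OFFSET] ||
+tb[NFTA_EXTHDR_LEN])
+return -EINVAL;
+
+if (!tb[NFTA_EXTHDR_TYPE])
+return -EINVAL;
+
+priv->type = nla_get_u8(tb[NFTA_EXTHDR_TYPE]);
+priv->op = NFT_EXTHDR_OP_TCPOPT;
+
+return 0;
+}
+
 static int nft_exthdr_ipv4_init(const struct nft_ctx *ctx,
 const struct nft_expr *expr,
 const struct nlattr * const tb[])
@@ -517,6 +596,13 @@ static int nft_exthdr_dump_set(struct sk_buff *skb, const struct nft_expr *expr)
 return nft_exthdr_dump_common(skb, priv);
 }
 
+static int nft_exthdr_dump_strip(struct sk_buff *skb, const struct nft_expr *expr)
+{
+const struct nft_exthdr *priv = nft_expr_priv(expr);
+
+return nft_exthdr_dump_common(skb, priv);
+}
+
 static const struct nft_expr_ops nft_exthdr_ipv6_ops = {
 .type = &nft_exthdr_type,
 .size = NFT_EXPR_SIZE(sizeof(struct nft_exthdr)),
@@ -549,6 +635,14 @@ static const struct nft_expr_ops nft_exthdr_tcp_set_ops = {
 .dump = nft_exthdr_dump_set,
 };
 
+static const struct nft_expr_ops nft_exthdr_tcp_strip_ops = {
+.type = &nft_exthdr_type,
+.size = NFT_EXPR_SIZE(sizeof(struct nft_exthdr)),
+.eval = nft_exthdr_tcp_strip_eval,
+.init = nft_exthdr_tcp_strip_init,
+.dump = nft_exthdr_dump_strip,
+};
+
 static const struct nft_expr_ops nft_exthdr_sctp_ops = {
 .type = &nft_exthdr_type,
 .size = NFT_EXPR_SIZE(sizeof(struct nft_exthdr)),
@@ -576,7 +670,7 @@ nft_exthdr_select_ops(const struct nft_ctx *ctx,
 return &nft_exthdr_tcp_set_ops;
 if (tb[NFTA_EXTHDR_DREG])
 return &nft_exthdr_tcp_ops;
-break;
+return &nft_exthdr_tcp_strip_ops;
 case NFT_EXTHDR_OP_IPV6:
 if (tb[NFTA_EXTHDR_DREG])
 return &nft_exthdr_ipv6_ops;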
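Review bot: In `nft_exthdr_tcp_strip_eval` (first hunk), `tcph` is fetched before `skb_ensure_writable()` and is still used for `&tcph->check` in the checksum loop, while only `opt` is re-fetched after the call. If the first lookup returned the on-stack `buff` copy, or if making the skb writable relocated the header data, the checksum fix-up may not land in the live packet. The result would be a segment whose option bytes were overwritten with NOPs but whose TCP checksum was not adjusted, or a write through a stale pointer. Both pointers should be re-derived after the writable call, e.g. `tcph = nft_tcp_header_pointer(pkt, sizeof(buff), buff, &tcphdr_len);`, `if (!tcph) goto err;`, `opt = (u8 *)tcph;`. A short comment above that re-fetch, such as `/* skb may have been reallocated: refresh header pointers */`, would keep a later cleanup from dropping it.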
