1 | // SPDX-License-Identifier: GPL-2.0 |
2 | #include <linux/types.h> | |
3 | #include <net/ip.h> | |
4 | #include <net/tcp.h> | |
5 | #include <net/netlink.h> | |
6 | #include <net/netfilter/nf_tables.h> | |
7 | #include <net/netfilter/nf_conntrack.h> | |
8 | #include <net/netfilter/nf_conntrack_synproxy.h> | |
9 | #include <net/netfilter/nf_synproxy.h> | |
10 | #include <linux/netfilter/nf_tables.h> | |
11 | #include <linux/netfilter/nf_synproxy.h> | |
12 | ||
/*
 * Private data of both the synproxy expression and the synproxy object:
 * the operator-supplied proxy parameters (mss, wscale, option flag mask)
 * as parsed from netlink by nft_synproxy_do_init().
 */
struct nft_synproxy {
	struct nf_synproxy_info info;
};
16 | ||
/*
 * Netlink attribute policy shared by the expression and the object type.
 * Only the attribute encodings are enforced here; of the values, only the
 * flag bits are range-checked (in nft_synproxy_do_init(), against
 * NF_SYNPROXY_OPT_MASK) - mss and wscale are taken as given.
 */
static const struct nla_policy nft_synproxy_policy[NFTA_SYNPROXY_MAX + 1] = {
	[NFTA_SYNPROXY_MSS]	= { .type = NLA_U16 },
	[NFTA_SYNPROXY_WSCALE]	= { .type = NLA_U8 },
	[NFTA_SYNPROXY_FLAGS]	= { .type = NLA_U32 },
};
22 | ||
/*
 * Turn the client's SYN options into the options the proxy will put into
 * its own SYN-ACK.
 *
 * @opts: in: the client's options as parsed by synproxy_parse_options();
 *        out: the options to send back.
 * @tcp:  the client's SYN header; only the ECN flag bits are read.
 * @snet: per-netns synproxy state, used to bump the syn_received counter.
 * @info: a caller-owned (stack) copy of the configuration, passed on to
 *        the cookie code by non-const pointer so the shared expression
 *        data is never handed out writable on the packet path.
 * @priv: expression/object private data; the configured option mask.
 *
 * The configured mask is applied after ECN detection, so the client can
 * only ever negotiate options the operator explicitly enabled. The
 * client's MSS must be saved in mss_encode before mss_option is replaced
 * with the configured value - the two stores are order-dependent.
 */
static void nft_synproxy_tcp_options(struct synproxy_options *opts,
				     const struct tcphdr *tcp,
				     struct synproxy_net *snet,
				     struct nf_synproxy_info *info,
				     const struct nft_synproxy *priv)
{
	/* ECE+CWR on the SYN means the client asks for ECN. */
	const int client_wants_ecn = tcp->ece && tcp->cwr;
	const unsigned int client_mss = opts->mss_option;

	this_cpu_inc(snet->stats->syn_received);

	if (client_wants_ecn)
		opts->options |= NF_SYNPROXY_OPT_ECN;

	/* Never offer anything the operator did not turn on. */
	opts->options &= priv->info.options;

	/* Keep the client's MSS for later, advertise the configured one. */
	opts->mss_encode = client_mss;
	opts->mss_option = info->mss;

	if (!(opts->options & NF_SYNPROXY_OPT_TIMESTAMP)) {
		/*
		 * Without timestamps, window scaling, SACK and ECN are
		 * dropped too - presumably because their state is carried
		 * in the timestamp cookie built below; see
		 * synproxy_init_timestamp_cookie().
		 */
		opts->options &= ~(NF_SYNPROXY_OPT_WSCALE |
				   NF_SYNPROXY_OPT_SACK_PERM |
				   NF_SYNPROXY_OPT_ECN);
		return;
	}

	synproxy_init_timestamp_cookie(info, opts);
}
43 | ||
/*
 * IPv4 half of the evaluation, for a TCP packet that already passed the
 * checksum, header and option checks in nft_synproxy_do_eval().
 *
 * @priv:  expression/object private data (the configuration).
 * @regs:  verdict register to fill in.
 * @pkt:   packet info; skb and netns are taken from here.
 * @tcp:   the packet's TCP header (may point into @_tcph).
 * @_tcph: caller-owned header backing store; not used here.
 * @opts:  the client's parsed TCP options.
 *
 * SYN  -> answer with a SYN-ACK ourselves and steal the skb (NF_STOLEN);
 *         the packet is not passed on.
 * ACK  -> if synproxy_recv_client_ack() accepts it (the cookie validation
 *         lives there) the skb is stolen, otherwise the packet is dropped.
 * Anything else leaves the verdict register untouched.
 */
static void nft_synproxy_eval_v4(const struct nft_synproxy *priv,
				 struct nft_regs *regs,
				 const struct nft_pktinfo *pkt,
				 const struct tcphdr *tcp,
				 struct tcphdr *_tcph,
				 struct synproxy_options *opts)
{
	struct nf_synproxy_info info = priv->info;
	struct net *net = nft_net(pkt);
	struct synproxy_net *snet = synproxy_pernet(net);
	struct sk_buff *skb = pkt->skb;

	if (tcp->syn) {
		/* Initial SYN from client: reply on the server's behalf */
		nft_synproxy_tcp_options(opts, tcp, snet, &info, priv);
		synproxy_send_client_synack(net, skb, tcp, opts);
		consume_skb(skb);
		regs->verdict.code = NF_STOLEN;
		return;
	}

	if (!tcp->ack)
		return;

	/* ACK from client: an ACK that is not accepted never goes further */
	if (!synproxy_recv_client_ack(net, skb, tcp, opts, ntohl(tcp->seq))) {
		regs->verdict.code = NF_DROP;
		return;
	}

	consume_skb(skb);
	regs->verdict.code = NF_STOLEN;
}
73 | ||
#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
/*
 * IPv6 half of the evaluation; mirrors nft_synproxy_eval_v4() with the
 * _ipv6 variants of the send/receive helpers. See there for the
 * parameter and verdict description. @_tcph is not used here either.
 */
static void nft_synproxy_eval_v6(const struct nft_synproxy *priv,
				 struct nft_regs *regs,
				 const struct nft_pktinfo *pkt,
				 const struct tcphdr *tcp,
				 struct tcphdr *_tcph,
				 struct synproxy_options *opts)
{
	struct nf_synproxy_info info = priv->info;
	struct net *net = nft_net(pkt);
	struct synproxy_net *snet = synproxy_pernet(net);
	struct sk_buff *skb = pkt->skb;

	if (tcp->syn) {
		/* Initial SYN from client: reply on the server's behalf */
		nft_synproxy_tcp_options(opts, tcp, snet, &info, priv);
		synproxy_send_client_synack_ipv6(net, skb, tcp, opts);
		consume_skb(skb);
		regs->verdict.code = NF_STOLEN;
		return;
	}

	if (!tcp->ack)
		return;

	/* ACK from client: an ACK that is not accepted never goes further */
	if (!synproxy_recv_client_ack_ipv6(net, skb, tcp, opts,
					   ntohl(tcp->seq))) {
		regs->verdict.code = NF_DROP;
		return;
	}

	consume_skb(skb);
	regs->verdict.code = NF_STOLEN;
}
#endif /* CONFIG_NF_TABLES_IPV6 */
105 | ||
/*
 * Shared packet-path entry for the expression and the object.
 *
 * @priv: expression/object private data (the configuration).
 * @regs: verdict register to fill in.
 * @pkt:  the packet under evaluation.
 *
 * Non-TCP packets simply do not match (NFT_BREAK). A TCP packet is only
 * handed to the per-family code once it has a correct L4 checksum, a
 * complete TCP header and parsable options; any of these failing drops
 * the packet, so no SYN-ACK or cookie work is ever done on a damaged or
 * truncated header. Dispatch is on the link-layer protocol field of the
 * skb; other protocols fall through to NFT_BREAK.
 */
static void nft_synproxy_do_eval(const struct nft_synproxy *priv,
				 struct nft_regs *regs,
				 const struct nft_pktinfo *pkt)
{
	struct synproxy_options opts = {};
	struct sk_buff *skb = pkt->skb;
	int thoff = nft_thoff(pkt);
	struct tcphdr _tcph;
	const struct tcphdr *tcp;

	if (pkt->tprot != IPPROTO_TCP) {
		regs->verdict.code = NFT_BREAK;
		return;
	}

	if (nf_ip_checksum(skb, nft_hook(pkt), thoff, IPPROTO_TCP))
		goto drop;

	/* Returns NULL when the full header is not present in the skb. */
	tcp = skb_header_pointer(skb, thoff, sizeof(*tcp), &_tcph);
	if (!tcp)
		goto drop;

	if (!synproxy_parse_options(skb, thoff, tcp, &opts))
		goto drop;

	if (skb->protocol == htons(ETH_P_IP)) {
		nft_synproxy_eval_v4(priv, regs, pkt, tcp, &_tcph, &opts);
		return;
	}
#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
	if (skb->protocol == htons(ETH_P_IPV6)) {
		nft_synproxy_eval_v6(priv, regs, pkt, tcp, &_tcph, &opts);
		return;
	}
#endif
	regs->verdict.code = NFT_BREAK;
	return;

drop:
	regs->verdict.code = NF_DROP;
}
151 | ||
/*
 * Shared control-path init for the expression and the object.
 *
 * @ctx:  nftables context (netns and address family).
 * @tb:   parsed netlink attributes, already type-checked against
 *        nft_synproxy_policy.
 * @priv: private data to fill in.
 *
 * Parses the configuration into @priv, then takes a conntrack reference
 * for the family and brings up the synproxy core for IPv4 and/or IPv6.
 * Returns 0 on success or a negative errno; on any failure after the
 * conntrack reference was taken, everything acquired so far is released
 * again before returning.
 *
 * NOTE(review): wscale is not range-checked here; whether a value above
 * what TCP allows is clamped further down the stack is not visible in
 * this file - confirm.
 */
static int nft_synproxy_do_init(const struct nft_ctx *ctx,
				const struct nlattr * const tb[],
				struct nft_synproxy *priv)
{
	struct synproxy_net *snet = synproxy_pernet(ctx->net);
	u32 flags;
	int err;

	/* Attributes are optional; absent ones leave the field as it was. */
	if (tb[NFTA_SYNPROXY_MSS])
		priv->info.mss = ntohs(nla_get_be16(tb[NFTA_SYNPROXY_MSS]));
	if (tb[NFTA_SYNPROXY_WSCALE])
		priv->info.wscale = nla_get_u8(tb[NFTA_SYNPROXY_WSCALE]);
	if (tb[NFTA_SYNPROXY_FLAGS]) {
		flags = ntohl(nla_get_be32(tb[NFTA_SYNPROXY_FLAGS]));
		/* Reject flag bits this kernel does not know about. */
		if (flags & ~NF_SYNPROXY_OPT_MASK)
			return -EOPNOTSUPP;
		priv->info.options = flags;
	}

	err = nf_ct_netns_get(ctx->net, ctx->family);
	if (err)
		return err;

	/*
	 * Families not listed below return success with only the conntrack
	 * reference held; presumably nf_ct_netns_get() already refuses
	 * families synproxy cannot serve - confirm.
	 */
	switch (ctx->family) {
	case NFPROTO_IPV4:
		err = nf_synproxy_ipv4_init(snet, ctx->net);
		if (err)
			goto nf_ct_failure;
		break;
#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
	case NFPROTO_IPV6:
		err = nf_synproxy_ipv6_init(snet, ctx->net);
		if (err)
			goto nf_ct_failure;
		break;
#endif
	case NFPROTO_INET:
	case NFPROTO_BRIDGE:
		err = nf_synproxy_ipv4_init(snet, ctx->net);
		if (err)
			goto nf_ct_failure;
		err = nf_synproxy_ipv6_init(snet, ctx->net);
		if (err) {
			/* Undo the IPv4 half, otherwise it would leak. */
			nf_synproxy_ipv4_fini(snet, ctx->net);
			goto nf_ct_failure;
		}
		break;
	}

	return 0;

nf_ct_failure:
	nf_ct_netns_put(ctx->net, ctx->family);
	return err;
}
207 | ||
/*
 * Shared teardown for the expression and the object: releases exactly
 * what nft_synproxy_do_init() acquired for @ctx->family, the synproxy
 * core first and the conntrack reference last.
 */
static void nft_synproxy_do_destroy(const struct nft_ctx *ctx)
{
	struct synproxy_net *snet = synproxy_pernet(ctx->net);

	switch (ctx->family) {
	case NFPROTO_INET:
	case NFPROTO_BRIDGE:
		nf_synproxy_ipv4_fini(snet, ctx->net);
		nf_synproxy_ipv6_fini(snet, ctx->net);
		break;
	case NFPROTO_IPV4:
		nf_synproxy_ipv4_fini(snet, ctx->net);
		break;
#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
	case NFPROTO_IPV6:
		nf_synproxy_ipv6_fini(snet, ctx->net);
		break;
#endif
	default:
		/* Nothing beyond the conntrack reference was set up. */
		break;
	}

	nf_ct_netns_put(ctx->net, ctx->family);
}
229 | ||
/*
 * Shared netlink dump: emit mss, wscale and the option flags of @priv
 * into @skb. Returns 0 on success, -1 if any attribute did not fit.
 */
static int nft_synproxy_do_dump(struct sk_buff *skb, struct nft_synproxy *priv)
{
	if (nla_put_be16(skb, NFTA_SYNPROXY_MSS, htons(priv->info.mss)))
		return -1;
	if (nla_put_u8(skb, NFTA_SYNPROXY_WSCALE, priv->info.wscale))
		return -1;
	if (nla_put_be32(skb, NFTA_SYNPROXY_FLAGS, htonl(priv->info.options)))
		return -1;

	return 0;
}
242 | ||
/* Expression packet-path hook: evaluate with this rule's private data. */
static void nft_synproxy_eval(const struct nft_expr *expr,
			      struct nft_regs *regs,
			      const struct nft_pktinfo *pkt)
{
	nft_synproxy_do_eval(nft_expr_priv(expr), regs, pkt);
}
251 | ||
/*
 * Restrict the expression to chains hooked at LOCAL_IN or FORWARD;
 * loading a rule elsewhere is refused. @expr and @data are unused.
 */
static int nft_synproxy_validate(const struct nft_ctx *ctx,
				 const struct nft_expr *expr,
				 const struct nft_data **data)
{
	const unsigned int hooks = (1 << NF_INET_LOCAL_IN) |
				   (1 << NF_INET_FORWARD);

	return nft_chain_validate_hooks(ctx->chain, hooks);
}
259 | ||
/* Expression init: parse @tb into the rule's private data. */
static int nft_synproxy_init(const struct nft_ctx *ctx,
			     const struct nft_expr *expr,
			     const struct nlattr * const tb[])
{
	return nft_synproxy_do_init(ctx, tb, nft_expr_priv(expr));
}
268 | ||
/* Expression destroy: @expr carries no per-rule state to free. */
static void nft_synproxy_destroy(const struct nft_ctx *ctx,
				 const struct nft_expr *expr)
{
	nft_synproxy_do_destroy(ctx);
}
274 | ||
/* Expression dump; @reset is ignored, there are no counters to clear. */
static int nft_synproxy_dump(struct sk_buff *skb,
			     const struct nft_expr *expr, bool reset)
{
	return nft_synproxy_do_dump(skb, nft_expr_priv(expr));
}
282 | ||
/* Forward declaration: the ops table and the type point at each other. */
static struct nft_expr_type nft_synproxy_type;
static const struct nft_expr_ops nft_synproxy_ops = {
	.eval		= nft_synproxy_eval,
	.size		= NFT_EXPR_SIZE(sizeof(struct nft_synproxy)),
	.init		= nft_synproxy_init,
	.destroy	= nft_synproxy_destroy,
	.dump		= nft_synproxy_dump,
	.type		= &nft_synproxy_type,
	/* Hook placement is enforced here, not only at rule evaluation. */
	.validate	= nft_synproxy_validate,
	/* The expression reads no registers, so it is never deduplicated. */
	.reduce		= NFT_REDUCE_READONLY,
};

static struct nft_expr_type nft_synproxy_type __read_mostly = {
	.ops		= &nft_synproxy_ops,
	.name		= "synproxy",
	.owner		= THIS_MODULE,
	.policy		= nft_synproxy_policy,
	.maxattr	= NFTA_SYNPROXY_MAX,
};
302 | ||
/* Object init: parse @tb into the object's data. */
static int nft_synproxy_obj_init(const struct nft_ctx *ctx,
				 const struct nlattr * const tb[],
				 struct nft_object *obj)
{
	return nft_synproxy_do_init(ctx, tb, nft_obj_data(obj));
}
311 | ||
/* Object destroy: @obj carries no extra state beyond the shared init. */
static void nft_synproxy_obj_destroy(const struct nft_ctx *ctx,
				     struct nft_object *obj)
{
	nft_synproxy_do_destroy(ctx);
}
317 | ||
/* Object dump; @reset is ignored, there are no counters to clear. */
static int nft_synproxy_obj_dump(struct sk_buff *skb,
				 struct nft_object *obj, bool reset)
{
	return nft_synproxy_do_dump(skb, nft_obj_data(obj));
}
325 | ||
/* Object packet-path hook: evaluate with the object's data. */
static void nft_synproxy_obj_eval(struct nft_object *obj,
				  struct nft_regs *regs,
				  const struct nft_pktinfo *pkt)
{
	nft_synproxy_do_eval(nft_obj_data(obj), regs, pkt);
}
334 | ||
/*
 * Replace the live object's configuration with @newobj's. This is a
 * plain struct copy while the packet path may be reading obj's data
 * (nft_synproxy_do_eval() takes a copy of it); presumably the commit
 * phase serialises updates and a torn read is tolerated - confirm.
 */
static void nft_synproxy_obj_update(struct nft_object *obj,
				    struct nft_object *newobj)
{
	const struct nft_synproxy *src = nft_obj_data(newobj);
	struct nft_synproxy *dst = nft_obj_data(obj);

	dst->info = src->info;
}
343 | ||
/* Forward declaration: the ops table and the type point at each other. */
static struct nft_object_type nft_synproxy_obj_type;
static const struct nft_object_ops nft_synproxy_obj_ops = {
	.type		= &nft_synproxy_obj_type,
	.size		= sizeof(struct nft_synproxy),
	.init		= nft_synproxy_obj_init,
	.destroy	= nft_synproxy_obj_destroy,
	.dump		= nft_synproxy_obj_dump,
	.eval		= nft_synproxy_obj_eval,
	.update		= nft_synproxy_obj_update,
};

/* Same netlink policy and attribute set as the expression. */
static struct nft_object_type nft_synproxy_obj_type __read_mostly = {
	.type		= NFT_OBJECT_SYNPROXY,
	.ops		= &nft_synproxy_obj_ops,
	.maxattr	= NFTA_SYNPROXY_MAX,
	.policy		= nft_synproxy_policy,
	.owner		= THIS_MODULE,
};
362 | ||
/*
 * Register the object type first, then the expression type; if the
 * latter fails the object registration is rolled back so the module
 * never loads half-registered. Returns 0 or the negative errno.
 */
static int __init nft_synproxy_module_init(void)
{
	int ret = nft_register_obj(&nft_synproxy_obj_type);

	if (ret < 0)
		return ret;

	ret = nft_register_expr(&nft_synproxy_type);
	if (ret < 0) {
		nft_unregister_obj(&nft_synproxy_obj_type);
		return ret;
	}

	return 0;
}
381 | ||
/* Unregister in reverse order of nft_synproxy_module_init(). */
static void __exit nft_synproxy_module_exit(void)
{
	nft_unregister_expr(&nft_synproxy_type);
	nft_unregister_obj(&nft_synproxy_obj_type);
}
387 | ||
module_init(nft_synproxy_module_init);
module_exit(nft_synproxy_module_exit);

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Fernando Fernandez <ffmancera@riseup.net>");
/* Both aliases let the module autoload for the expression and the object. */
MODULE_ALIAS_NFT_EXPR("synproxy");
MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_SYNPROXY);
MODULE_DESCRIPTION("nftables SYNPROXY expression support");