Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
netfilter.c
Go to the documentation of this file.
1 /* IPv4 specific functions of netfilter core */
2 #include <linux/kernel.h>
3 #include <linux/netfilter.h>
4 #include <linux/netfilter_ipv4.h>
5 #include <linux/ip.h>
6 #include <linux/skbuff.h>
7 #include <linux/gfp.h>
8 #include <linux/export.h>
9 #include <net/route.h>
10 #include <net/xfrm.h>
11 #include <net/ip.h>
12 #include <net/netfilter/nf_queue.h>
13 
14 /* route_me_harder function, used by iptable_nat, iptable_mangle + ip_queue */
15 int ip_route_me_harder(struct sk_buff *skb, unsigned int addr_type)
16 {
17  struct net *net = dev_net(skb_dst(skb)->dev);
18  const struct iphdr *iph = ip_hdr(skb);
19  struct rtable *rt;
20  struct flowi4 fl4 = {};
21  __be32 saddr = iph->saddr;
22  __u8 flags = skb->sk ? inet_sk_flowi_flags(skb->sk) : 0;
23  unsigned int hh_len;
24 
25  if (addr_type == RTN_UNSPEC)
26  addr_type = inet_addr_type(net, saddr);
27  if (addr_type == RTN_LOCAL || addr_type == RTN_UNICAST)
28  flags |= FLOWI_FLAG_ANYSRC;
29  else
30  saddr = 0;
31 
32  /* some non-standard hacks like ipt_REJECT.c:send_reset() can cause
33  * packets with foreign saddr to appear on the NF_INET_LOCAL_OUT hook.
34  */
35  fl4.daddr = iph->daddr;
36  fl4.saddr = saddr;
37  fl4.flowi4_tos = RT_TOS(iph->tos);
38  fl4.flowi4_oif = skb->sk ? skb->sk->sk_bound_dev_if : 0;
39  fl4.flowi4_mark = skb->mark;
40  fl4.flowi4_flags = flags;
41  rt = ip_route_output_key(net, &fl4);
42  if (IS_ERR(rt))
43  return -1;
44 
45  /* Drop old route. */
46  skb_dst_drop(skb);
47  skb_dst_set(skb, &rt->dst);
48 
49  if (skb_dst(skb)->error)
50  return -1;
51 
52 #ifdef CONFIG_XFRM
53  if (!(IPCB(skb)->flags & IPSKB_XFRM_TRANSFORMED) &&
54  xfrm_decode_session(skb, flowi4_to_flowi(&fl4), AF_INET) == 0) {
55  struct dst_entry *dst = skb_dst(skb);
56  skb_dst_set(skb, NULL);
57  dst = xfrm_lookup(net, dst, flowi4_to_flowi(&fl4), skb->sk, 0);
58  if (IS_ERR(dst))
59  return -1;
60  skb_dst_set(skb, dst);
61  }
62 #endif
63 
64  /* Change in oif may mean change in hh_len. */
65  hh_len = skb_dst(skb)->dev->hard_header_len;
66  if (skb_headroom(skb) < hh_len &&
67  pskb_expand_head(skb, HH_DATA_ALIGN(hh_len - skb_headroom(skb)),
68  0, GFP_ATOMIC))
69  return -1;
70 
71  return 0;
72 }
73 EXPORT_SYMBOL(ip_route_me_harder);
74 
75 /*
76  * Extra routing may needed on local out, as the QUEUE target never
77  * returns control to the table.
78  */
79 
80 struct ip_rt_info {
81  __be32 daddr;
82  __be32 saddr;
83  u_int8_t tos;
84  u_int32_t mark;
85 };
86 
87 static void nf_ip_saveroute(const struct sk_buff *skb,
88  struct nf_queue_entry *entry)
89 {
90  struct ip_rt_info *rt_info = nf_queue_entry_reroute(entry);
91 
92  if (entry->hook == NF_INET_LOCAL_OUT) {
93  const struct iphdr *iph = ip_hdr(skb);
94 
95  rt_info->tos = iph->tos;
96  rt_info->daddr = iph->daddr;
97  rt_info->saddr = iph->saddr;
98  rt_info->mark = skb->mark;
99  }
100 }
101 
102 static int nf_ip_reroute(struct sk_buff *skb,
103  const struct nf_queue_entry *entry)
104 {
105  const struct ip_rt_info *rt_info = nf_queue_entry_reroute(entry);
106 
107  if (entry->hook == NF_INET_LOCAL_OUT) {
108  const struct iphdr *iph = ip_hdr(skb);
109 
110  if (!(iph->tos == rt_info->tos &&
111  skb->mark == rt_info->mark &&
112  iph->daddr == rt_info->daddr &&
113  iph->saddr == rt_info->saddr))
114  return ip_route_me_harder(skb, RTN_UNSPEC);
115  }
116  return 0;
117 }
118 
119 __sum16 nf_ip_checksum(struct sk_buff *skb, unsigned int hook,
120  unsigned int dataoff, u_int8_t protocol)
121 {
122  const struct iphdr *iph = ip_hdr(skb);
123  __sum16 csum = 0;
124 
125  switch (skb->ip_summed) {
126  case CHECKSUM_COMPLETE:
127  if (hook != NF_INET_PRE_ROUTING && hook != NF_INET_LOCAL_IN)
128  break;
129  if ((protocol == 0 && !csum_fold(skb->csum)) ||
130  !csum_tcpudp_magic(iph->saddr, iph->daddr,
131  skb->len - dataoff, protocol,
132  skb->csum)) {
133  skb->ip_summed = CHECKSUM_UNNECESSARY;
134  break;
135  }
136  /* fall through */
137  case CHECKSUM_NONE:
138  if (protocol == 0)
139  skb->csum = 0;
140  else
141  skb->csum = csum_tcpudp_nofold(iph->saddr, iph->daddr,
142  skb->len - dataoff,
143  protocol, 0);
144  csum = __skb_checksum_complete(skb);
145  }
146  return csum;
147 }
148 EXPORT_SYMBOL(nf_ip_checksum);
149 
150 static __sum16 nf_ip_checksum_partial(struct sk_buff *skb, unsigned int hook,
151  unsigned int dataoff, unsigned int len,
152  u_int8_t protocol)
153 {
154  const struct iphdr *iph = ip_hdr(skb);
155  __sum16 csum = 0;
156 
157  switch (skb->ip_summed) {
158  case CHECKSUM_COMPLETE:
159  if (len == skb->len - dataoff)
160  return nf_ip_checksum(skb, hook, dataoff, protocol);
161  /* fall through */
162  case CHECKSUM_NONE:
163  skb->csum = csum_tcpudp_nofold(iph->saddr, iph->daddr, protocol,
164  skb->len - dataoff, 0);
165  skb->ip_summed = CHECKSUM_NONE;
166  return __skb_checksum_complete_head(skb, dataoff + len);
167  }
168  return csum;
169 }
170 
171 static int nf_ip_route(struct net *net, struct dst_entry **dst,
172  struct flowi *fl, bool strict __always_unused)
173 {
174  struct rtable *rt = ip_route_output_key(net, &fl->u.ip4);
175  if (IS_ERR(rt))
176  return PTR_ERR(rt);
177  *dst = &rt->dst;
178  return 0;
179 }
180 
181 static const struct nf_afinfo nf_ip_afinfo = {
182  .family = AF_INET,
183  .checksum = nf_ip_checksum,
184  .checksum_partial = nf_ip_checksum_partial,
185  .route = nf_ip_route,
186  .saveroute = nf_ip_saveroute,
187  .reroute = nf_ip_reroute,
188  .route_key_size = sizeof(struct ip_rt_info),
189 };
190 
191 static int __init ipv4_netfilter_init(void)
192 {
193  return nf_register_afinfo(&nf_ip_afinfo);
194 }
195 
196 static void __exit ipv4_netfilter_fini(void)
197 {
198  nf_unregister_afinfo(&nf_ip_afinfo);
199 }
200 
201 module_init(ipv4_netfilter_init);
202 module_exit(ipv4_netfilter_fini);
Generated on Thu Jan 10 2013 14:58:34 for Linux Kernel by   doxygen 1.8.2