Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
xt_TEE.c
Go to the documentation of this file.
1 /*
2  * "TEE" target extension for Xtables
3  * Copyright © Sebastian Claßen, 2007
4  * Jan Engelhardt, 2007-2010
5  *
6  * based on ipt_ROUTE.c from Cédric de Launois
7  * <[email protected]>
8  *
9  * This program is free software; you can redistribute it and/or
10  * modify it under the terms of the GNU General Public License
11  * version 2 or later, as published by the Free Software Foundation.
12  */
13 #include <linux/ip.h>
14 #include <linux/module.h>
15 #include <linux/percpu.h>
16 #include <linux/route.h>
17 #include <linux/skbuff.h>
18 #include <linux/notifier.h>
19 #include <net/checksum.h>
20 #include <net/icmp.h>
21 #include <net/ip.h>
22 #include <net/ipv6.h>
23 #include <net/ip6_route.h>
24 #include <net/route.h>
25 #include <linux/netfilter/x_tables.h>
26 #include <linux/netfilter/xt_TEE.h>
27 
28 #if IS_ENABLED(CONFIG_NF_CONNTRACK)
29 # define WITH_CONNTRACK 1
30 # include <net/netfilter/nf_conntrack.h>
31 #endif
32 
33 struct xt_tee_priv {
34  struct notifier_block notifier;
35  struct xt_tee_tginfo *tginfo;
36  int oif;
37 };
38 
39 static const union nf_inet_addr tee_zero_address;
40 static DEFINE_PER_CPU(bool, tee_active);
41 
42 static struct net *pick_net(struct sk_buff *skb)
43 {
44 #ifdef CONFIG_NET_NS
45  const struct dst_entry *dst;
46 
47  if (skb->dev != NULL)
48  return dev_net(skb->dev);
49  dst = skb_dst(skb);
50  if (dst != NULL && dst->dev != NULL)
51  return dev_net(dst->dev);
52 #endif
53  return &init_net;
54 }
55 
56 static bool
57 tee_tg_route4(struct sk_buff *skb, const struct xt_tee_tginfo *info)
58 {
59  const struct iphdr *iph = ip_hdr(skb);
60  struct net *net = pick_net(skb);
61  struct rtable *rt;
62  struct flowi4 fl4;
63 
64  memset(&fl4, 0, sizeof(fl4));
65  if (info->priv) {
66  if (info->priv->oif == -1)
67  return false;
68  fl4.flowi4_oif = info->priv->oif;
69  }
70  fl4.daddr = info->gw.ip;
71  fl4.flowi4_tos = RT_TOS(iph->tos);
72  fl4.flowi4_scope = RT_SCOPE_UNIVERSE;
73  fl4.flowi4_flags = FLOWI_FLAG_KNOWN_NH;
74  rt = ip_route_output_key(net, &fl4);
75  if (IS_ERR(rt))
76  return false;
77 
78  skb_dst_drop(skb);
79  skb_dst_set(skb, &rt->dst);
80  skb->dev = rt->dst.dev;
81  skb->protocol = htons(ETH_P_IP);
82  return true;
83 }
84 
85 static unsigned int
86 tee_tg4(struct sk_buff *skb, const struct xt_action_param *par)
87 {
88  const struct xt_tee_tginfo *info = par->targinfo;
89  struct iphdr *iph;
90 
91  if (__this_cpu_read(tee_active))
92  return XT_CONTINUE;
93  /*
94  * Copy the skb, and route the copy. Will later return %XT_CONTINUE for
95  * the original skb, which should continue on its way as if nothing has
96  * happened. The copy should be independently delivered to the TEE
97  * --gateway.
98  */
99  skb = pskb_copy(skb, GFP_ATOMIC);
100  if (skb == NULL)
101  return XT_CONTINUE;
102 
103 #ifdef WITH_CONNTRACK
104  /* Avoid counting cloned packets towards the original connection. */
105  nf_conntrack_put(skb->nfct);
106  skb->nfct = &nf_ct_untracked_get()->ct_general;
107  skb->nfctinfo = IP_CT_NEW;
108  nf_conntrack_get(skb->nfct);
109 #endif
110  /*
111  * If we are in PREROUTING/INPUT, the checksum must be recalculated
112  * since the length could have changed as a result of defragmentation.
113  *
114  * We also decrease the TTL to mitigate potential TEE loops
115  * between two hosts.
116  *
117  * Set %IP_DF so that the original source is notified of a potentially
118  * decreased MTU on the clone route. IPv6 does this too.
119  */
120  iph = ip_hdr(skb);
121  iph->frag_off |= htons(IP_DF);
122  if (par->hooknum == NF_INET_PRE_ROUTING ||
123  par->hooknum == NF_INET_LOCAL_IN)
124  --iph->ttl;
125  ip_send_check(iph);
126 
127  if (tee_tg_route4(skb, info)) {
128  __this_cpu_write(tee_active, true);
129  ip_local_out(skb);
130  __this_cpu_write(tee_active, false);
131  } else {
132  kfree_skb(skb);
133  }
134  return XT_CONTINUE;
135 }
136 
137 #if IS_ENABLED(CONFIG_IPV6)
138 static bool
139 tee_tg_route6(struct sk_buff *skb, const struct xt_tee_tginfo *info)
140 {
141  const struct ipv6hdr *iph = ipv6_hdr(skb);
142  struct net *net = pick_net(skb);
143  struct dst_entry *dst;
144  struct flowi6 fl6;
145 
146  memset(&fl6, 0, sizeof(fl6));
147  if (info->priv) {
148  if (info->priv->oif == -1)
149  return false;
150  fl6.flowi6_oif = info->priv->oif;
151  }
152  fl6.daddr = info->gw.in6;
153  fl6.flowlabel = ((iph->flow_lbl[0] & 0xF) << 16) |
154  (iph->flow_lbl[1] << 8) | iph->flow_lbl[2];
155  dst = ip6_route_output(net, NULL, &fl6);
156  if (dst->error) {
157  dst_release(dst);
158  return false;
159  }
160  skb_dst_drop(skb);
161  skb_dst_set(skb, dst);
162  skb->dev = dst->dev;
163  skb->protocol = htons(ETH_P_IPV6);
164  return true;
165 }
166 
167 static unsigned int
168 tee_tg6(struct sk_buff *skb, const struct xt_action_param *par)
169 {
170  const struct xt_tee_tginfo *info = par->targinfo;
171 
172  if (__this_cpu_read(tee_active))
173  return XT_CONTINUE;
174  skb = pskb_copy(skb, GFP_ATOMIC);
175  if (skb == NULL)
176  return XT_CONTINUE;
177 
178 #ifdef WITH_CONNTRACK
179  nf_conntrack_put(skb->nfct);
180  skb->nfct = &nf_ct_untracked_get()->ct_general;
181  skb->nfctinfo = IP_CT_NEW;
182  nf_conntrack_get(skb->nfct);
183 #endif
184  if (par->hooknum == NF_INET_PRE_ROUTING ||
185  par->hooknum == NF_INET_LOCAL_IN) {
186  struct ipv6hdr *iph = ipv6_hdr(skb);
187  --iph->hop_limit;
188  }
189  if (tee_tg_route6(skb, info)) {
190  __this_cpu_write(tee_active, true);
191  ip6_local_out(skb);
192  __this_cpu_write(tee_active, false);
193  } else {
194  kfree_skb(skb);
195  }
196  return XT_CONTINUE;
197 }
198 #endif
199 
200 static int tee_netdev_event(struct notifier_block *this, unsigned long event,
201  void *ptr)
202 {
203  struct net_device *dev = ptr;
204  struct xt_tee_priv *priv;
205 
206  priv = container_of(this, struct xt_tee_priv, notifier);
207  switch (event) {
208  case NETDEV_REGISTER:
209  if (!strcmp(dev->name, priv->tginfo->oif))
210  priv->oif = dev->ifindex;
211  break;
212  case NETDEV_UNREGISTER:
213  if (dev->ifindex == priv->oif)
214  priv->oif = -1;
215  break;
216  case NETDEV_CHANGENAME:
217  if (!strcmp(dev->name, priv->tginfo->oif))
218  priv->oif = dev->ifindex;
219  else if (dev->ifindex == priv->oif)
220  priv->oif = -1;
221  break;
222  }
223 
224  return NOTIFY_DONE;
225 }
226 
227 static int tee_tg_check(const struct xt_tgchk_param *par)
228 {
229  struct xt_tee_tginfo *info = par->targinfo;
230  struct xt_tee_priv *priv;
231 
232  /* 0.0.0.0 and :: not allowed */
233  if (memcmp(&info->gw, &tee_zero_address,
234  sizeof(tee_zero_address)) == 0)
235  return -EINVAL;
236 
237  if (info->oif[0]) {
238  if (info->oif[sizeof(info->oif)-1] != '\0')
239  return -EINVAL;
240 
241  priv = kzalloc(sizeof(*priv), GFP_KERNEL);
242  if (priv == NULL)
243  return -ENOMEM;
244 
245  priv->tginfo = info;
246  priv->oif = -1;
247  priv->notifier.notifier_call = tee_netdev_event;
248  info->priv = priv;
249 
250  register_netdevice_notifier(&priv->notifier);
251  } else
252  info->priv = NULL;
253 
254  return 0;
255 }
256 
257 static void tee_tg_destroy(const struct xt_tgdtor_param *par)
258 {
259  struct xt_tee_tginfo *info = par->targinfo;
260 
261  if (info->priv) {
262  unregister_netdevice_notifier(&info->priv->notifier);
263  kfree(info->priv);
264  }
265 }
266 
267 static struct xt_target tee_tg_reg[] __read_mostly = {
268  {
269  .name = "TEE",
270  .revision = 1,
271  .family = NFPROTO_IPV4,
272  .target = tee_tg4,
273  .targetsize = sizeof(struct xt_tee_tginfo),
274  .checkentry = tee_tg_check,
275  .destroy = tee_tg_destroy,
276  .me = THIS_MODULE,
277  },
278 #if IS_ENABLED(CONFIG_IPV6)
279  {
280  .name = "TEE",
281  .revision = 1,
282  .family = NFPROTO_IPV6,
283  .target = tee_tg6,
284  .targetsize = sizeof(struct xt_tee_tginfo),
285  .checkentry = tee_tg_check,
286  .destroy = tee_tg_destroy,
287  .me = THIS_MODULE,
288  },
289 #endif
290 };
291 
292 static int __init tee_tg_init(void)
293 {
294  return xt_register_targets(tee_tg_reg, ARRAY_SIZE(tee_tg_reg));
295 }
296 
297 static void __exit tee_tg_exit(void)
298 {
299  xt_unregister_targets(tee_tg_reg, ARRAY_SIZE(tee_tg_reg));
300 }
301 
302 module_init(tee_tg_init);
303 module_exit(tee_tg_exit);
304 MODULE_AUTHOR("Sebastian Claßen <[email protected]>");
305 MODULE_AUTHOR("Jan Engelhardt <[email protected]>");
306 MODULE_DESCRIPTION("Xtables: Reroute packet copy");
307 MODULE_LICENSE("GPL");
308 MODULE_ALIAS("ipt_TEE");
309 MODULE_ALIAS("ip6t_TEE");
Generated on Thu Jan 10 2013 15:01:01 for Linux Kernel by   doxygen 1.8.2