netfilter: push reasm skb through instead of original frag skbs
Pushing original fragments through causes several problems. For example for matching, frags may not be matched correctly. Take following example: <example> On HOSTA do: ip6tables -I INPUT -p icmpv6 -j DROP ip6tables -I INPUT -p icmpv6 -m icmp6 --icmpv6-type 128 -j ACCEPT and on HOSTB you do: ping6 HOSTA -s2000 (MTU is 1500) Incoming echo requests will be filtered out on HOSTA. This issue does not occur with smaller packets than MTU (where fragmentation does not happen) </example> As was discussed previously, the only correct solution seems to be to use reassembled skb instead of separete frags. Doing this has positive side effects in reducing sk_buff by one pointer (nfct_reasm) and also the reams dances in ipvs and conntrack can be removed. Future plan is to remove net/ipv6/netfilter/nf_conntrack_reasm.c entirely and use code in net/ipv6/reassembly.c instead. Signed-off-by: Jiri Pirko <jiri@resnulli.us> Acked-by: Julian Anastasov <ja@ssi.bg> Signed-off-by: Marcelo Ricardo Leitner <mleitner@redhat.com> Signed-off-by: David S. Miller <davem@davemloft.net>
此提交包含在:
Jiri Pirko
@@ -169,64 +169,13 @@ out:
|
||||
return nf_conntrack_confirm(skb);
|
||||
}
|
||||
|
||||
static unsigned int __ipv6_conntrack_in(struct net *net,
|
||||
unsigned int hooknum,
|
||||
struct sk_buff *skb,
|
||||
const struct net_device *in,
|
||||
const struct net_device *out,
|
||||
int (*okfn)(struct sk_buff *))
|
||||
{
|
||||
struct sk_buff *reasm = skb->nfct_reasm;
|
||||
const struct nf_conn_help *help;
|
||||
struct nf_conn *ct;
|
||||
enum ip_conntrack_info ctinfo;
|
||||
|
||||
/* This packet is fragmented and has reassembled packet. */
|
||||
if (reasm) {
|
||||
/* Reassembled packet isn't parsed yet ? */
|
||||
if (!reasm->nfct) {
|
||||
unsigned int ret;
|
||||
|
||||
ret = nf_conntrack_in(net, PF_INET6, hooknum, reasm);
|
||||
if (ret != NF_ACCEPT)
|
||||
return ret;
|
||||
}
|
||||
|
||||
/* Conntrack helpers need the entire reassembled packet in the
|
||||
* POST_ROUTING hook. In case of unconfirmed connections NAT
|
||||
* might reassign a helper, so the entire packet is also
|
||||
* required.
|
||||
*/
|
||||
ct = nf_ct_get(reasm, &ctinfo);
|
||||
if (ct != NULL && !nf_ct_is_untracked(ct)) {
|
||||
help = nfct_help(ct);
|
||||
if ((help && help->helper) || !nf_ct_is_confirmed(ct)) {
|
||||
nf_conntrack_get_reasm(reasm);
|
||||
NF_HOOK_THRESH(NFPROTO_IPV6, hooknum, reasm,
|
||||
(struct net_device *)in,
|
||||
(struct net_device *)out,
|
||||
okfn, NF_IP6_PRI_CONNTRACK + 1);
|
||||
return NF_DROP_ERR(-ECANCELED);
|
||||
}
|
||||
}
|
||||
|
||||
nf_conntrack_get(reasm->nfct);
|
||||
skb->nfct = reasm->nfct;
|
||||
skb->nfctinfo = reasm->nfctinfo;
|
||||
return NF_ACCEPT;
|
||||
}
|
||||
|
||||
return nf_conntrack_in(net, PF_INET6, hooknum, skb);
|
||||
}
|
||||
|
||||
static unsigned int ipv6_conntrack_in(const struct nf_hook_ops *ops,
|
||||
struct sk_buff *skb,
|
||||
const struct net_device *in,
|
||||
const struct net_device *out,
|
||||
int (*okfn)(struct sk_buff *))
|
||||
{
|
||||
return __ipv6_conntrack_in(dev_net(in), ops->hooknum, skb, in, out,
|
||||
okfn);
|
||||
return nf_conntrack_in(dev_net(in), PF_INET6, ops->hooknum, skb);
|
||||
}
|
||||
|
||||
static unsigned int ipv6_conntrack_local(const struct nf_hook_ops *ops,
|
||||
@@ -240,8 +189,7 @@ static unsigned int ipv6_conntrack_local(const struct nf_hook_ops *ops,
|
||||
net_notice_ratelimited("ipv6_conntrack_local: packet too short\n");
|
||||
return NF_ACCEPT;
|
||||
}
|
||||
return __ipv6_conntrack_in(dev_net(out), ops->hooknum, skb, in, out,
|
||||
okfn);
|
||||
return nf_conntrack_in(dev_net(out), PF_INET6, ops->hooknum, skb);
|
||||
}
|
||||
|
||||
static struct nf_hook_ops ipv6_conntrack_ops[] __read_mostly = {
|
||||
|
||||
@@ -633,31 +633,16 @@ ret_orig:
|
||||
return skb;
|
||||
}
|
||||
|
||||
void nf_ct_frag6_output(unsigned int hooknum, struct sk_buff *skb,
|
||||
struct net_device *in, struct net_device *out,
|
||||
int (*okfn)(struct sk_buff *))
|
||||
void nf_ct_frag6_consume_orig(struct sk_buff *skb)
|
||||
{
|
||||
struct sk_buff *s, *s2;
|
||||
unsigned int ret = 0;
|
||||
|
||||
for (s = NFCT_FRAG6_CB(skb)->orig; s;) {
|
||||
nf_conntrack_put_reasm(s->nfct_reasm);
|
||||
nf_conntrack_get_reasm(skb);
|
||||
s->nfct_reasm = skb;
|
||||
|
||||
s2 = s->next;
|
||||
s->next = NULL;
|
||||
|
||||
if (ret != -ECANCELED)
|
||||
ret = NF_HOOK_THRESH(NFPROTO_IPV6, hooknum, s,
|
||||
in, out, okfn,
|
||||
NF_IP6_PRI_CONNTRACK_DEFRAG + 1);
|
||||
else
|
||||
kfree_skb(s);
|
||||
|
||||
consume_skb(s);
|
||||
s = s2;
|
||||
}
|
||||
nf_conntrack_put_reasm(skb);
|
||||
}
|
||||
|
||||
static int nf_ct_net_init(struct net *net)
|
||||
|
||||
@@ -75,8 +75,11 @@ static unsigned int ipv6_defrag(const struct nf_hook_ops *ops,
|
||||
if (reasm == skb)
|
||||
return NF_ACCEPT;
|
||||
|
||||
nf_ct_frag6_output(ops->hooknum, reasm, (struct net_device *)in,
|
||||
(struct net_device *)out, okfn);
|
||||
nf_ct_frag6_consume_orig(reasm);
|
||||
|
||||
NF_HOOK_THRESH(NFPROTO_IPV6, ops->hooknum, reasm,
|
||||
(struct net_device *) in, (struct net_device *) out,
|
||||
okfn, NF_IP6_PRI_CONNTRACK_DEFRAG + 1);
|
||||
|
||||
return NF_STOLEN;
|
||||
}
|
||||
|
||||
新增問題並參考
封鎖使用者