lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <CADo-kff8vOq8YzvB8R+LOCUyfhx9+=QRhsLLa-eP9M+i3m5rcQ@mail.gmail.com>
Date:	Mon, 14 Dec 2015 10:43:35 +0200
From:	Igor Gavrilov <i.o.gavrilov@...il.com>
To:	netdev@...r.kernel.org
Cc:	Jamal Hadi Salim <jhs@...atatu.com>
Subject: [PATCH net-next] sched/cls_flow.c

From: Igor Gavrilov <i.o.gavrilov@...il.com>

Improved CTTUPLE macro with code from sched/act_connmark.c, so it be
able to get unNATed addresses from nf_conntrack on ingress interface.

Signed-off-by: Igor Gavrilov <i.o.gavrilov@...il.com>
Acked-by: Jamal Hadi Salim <jhs@...atatu.com>
---
--- net/sched/cls_flow.c.orig   2015-12-11 12:51:32.541673211 +0200
+++ net/sched/cls_flow.c        2015-12-14 12:01:50.719174387 +0200
@@ -31,6 +31,8 @@

 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
 #include <net/netfilter/nf_conntrack.h>
+#include <net/netfilter/nf_conntrack_core.h>
+#include <net/netfilter/nf_conntrack_zones.h>
 #endif

 struct flow_head {
@@ -133,16 +135,48 @@ static u32 flow_get_nfct(const struct sk
 }

 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
-#define CTTUPLE(skb, member)                                           \
+#define CTTUPLE(skb, direction, member)
         \
 ({                                                                     \
        enum ip_conntrack_info ctinfo;                                  \
-       const struct nf_conn *ct = nf_ct_get(skb, &ctinfo);             \
-       if (ct == NULL)                                                 \
-               goto fallback;                                          \
-       ct->tuplehash[CTINFO2DIR(ctinfo)].tuple.member;                 \
+       struct nf_conntrack_tuple tuple;                                \
+       struct nf_conntrack_zone zone;                                  \
+       const struct nf_conntrack_tuple_hash *thash;                    \
+       __be32 result;                                                  \
+       int proto;                                                      \
+       struct nf_conn *ct = nf_ct_get(skb, &ctinfo);                   \
+       if (ct == NULL) {                                               \
+               switch (tc_skb_protocol(skb)) {                         \
+               case htons(ETH_P_IP):                                   \
+                       proto = NFPROTO_IPV4;                           \
+                       break;                                          \
+               case htons(ETH_P_IPV6):                                 \
+                       proto = NFPROTO_IPV6;                           \
+                       break;                                          \
+               default:                                                \
+                       goto fallback;                                  \
+               }                                                       \
+                                                                       \
+               if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb), proto,\
+                       dev_net(skb->dev), &tuple))                     \
+                       goto fallback;                                  \
+               zone.id = NF_CT_DEFAULT_ZONE_ID;                        \
+               zone.dir = NF_CT_DEFAULT_ZONE_DIR;                      \
+                                                                       \
+               thash = nf_conntrack_find_get(dev_net(skb->dev), &zone, \
+                       &tuple);                                        \
+               if (!thash)                                             \
+                       goto fallback;                                  \
+               ct = nf_ct_tuplehash_to_ctrack(thash);                  \
+               result = ct->tuplehash[(thash->tuple.dst.dir ==
IP_CT_DIR_REPLY) ? \
+                IP_CT_DIR_ORIGINAL : IP_CT_DIR_REPLY].tuple.src.member;\
+               nf_ct_put(ct);                                          \
+       } else {                                                        \
+               result =
ct->tuplehash[CTINFO2DIR(ctinfo)].tuple.direction.member;\
+       }                                                               \
+       result;                                                         \
 })
 #else
-#define CTTUPLE(skb, member)                                           \
+#define CTTUPLE(skb, direction, member)
         \
 ({                                                                     \
        goto fallback;                                                  \
        0;                                                              \
@@ -153,9 +187,9 @@ static u32 flow_get_nfct_src(const struc
 {
        switch (tc_skb_protocol(skb)) {
        case htons(ETH_P_IP):
-               return ntohl(CTTUPLE(skb, src.u3.ip));
+               return ntohl(CTTUPLE(skb, src, u3.ip));
        case htons(ETH_P_IPV6):
-               return ntohl(CTTUPLE(skb, src.u3.ip6[3]));
+               return ntohl(CTTUPLE(skb, src, u3.ip6[3]));
        }
 fallback:
        return flow_get_src(skb, flow);
@@ -165,9 +199,9 @@ static u32 flow_get_nfct_dst(const struc
 {
        switch (tc_skb_protocol(skb)) {
        case htons(ETH_P_IP):
-               return ntohl(CTTUPLE(skb, dst.u3.ip));
+               return ntohl(CTTUPLE(skb, dst, u3.ip));
        case htons(ETH_P_IPV6):
-               return ntohl(CTTUPLE(skb, dst.u3.ip6[3]));
+               return ntohl(CTTUPLE(skb, dst, u3.ip6[3]));
        }
 fallback:
        return flow_get_dst(skb, flow);
@@ -175,14 +209,14 @@ fallback:

 static u32 flow_get_nfct_proto_src(const struct sk_buff *skb, const
struct flow_keys *flow)
 {
-       return ntohs(CTTUPLE(skb, src.u.all));
+       return ntohs(CTTUPLE(skb, src, u.all));
 fallback:
        return flow_get_proto_src(skb, flow);
 }

 static u32 flow_get_nfct_proto_dst(const struct sk_buff *skb, const
struct flow_keys *flow)
 {
-       return ntohs(CTTUPLE(skb, dst.u.all));
+       return ntohs(CTTUPLE(skb, dst, u.all));
 fallback:
        return flow_get_proto_dst(skb, flow);
 }
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ