lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-Id: <1515761845-31323-3-git-send-email-eyal.birger@gmail.com>
Date:   Fri, 12 Jan 2018 14:57:25 +0200
From:   Eyal Birger <eyal.birger@...il.com>
To:     netdev@...r.kernel.org, pablo@...filter.org, jhs@...atatu.com
Cc:     coreteam@...filter.org, shmulik@...anetworks.com,
        Eyal Birger <eyal@...anetworks.com>
Subject: [PATCH net-next 2/2] net: sched: add xfrm policy ematch

From: Eyal Birger <eyal@...anetworks.com>

Allows classification based on the incoming IPSec policy used during
decpsulation.

This allows similar matching capabilities to those provided by netfilter
xt_policy module, and uses the same data strcuture - but from a tc entry
point.

Signed-off-by: Eyal Birger <eyal@...anetworks.com>
---
 include/uapi/linux/pkt_cls.h |   3 +-
 net/sched/Kconfig            |  10 ++++
 net/sched/Makefile           |   1 +
 net/sched/em_policy.c        | 117 +++++++++++++++++++++++++++++++++++++++++++
 4 files changed, 130 insertions(+), 1 deletion(-)
 create mode 100644 net/sched/em_policy.c

diff --git a/include/uapi/linux/pkt_cls.h b/include/uapi/linux/pkt_cls.h
index 46c5066..963842c 100644
--- a/include/uapi/linux/pkt_cls.h
+++ b/include/uapi/linux/pkt_cls.h
@@ -555,7 +555,8 @@ enum {
 #define	TCF_EM_VLAN		6
 #define	TCF_EM_CANID		7
 #define	TCF_EM_IPSET		8
-#define	TCF_EM_MAX		8
+#define	TCF_EM_POLICY		9
+#define	TCF_EM_MAX		9
 
 enum {
 	TCF_EM_PROG_TC
diff --git a/net/sched/Kconfig b/net/sched/Kconfig
index c03d86a..0670f53 100644
--- a/net/sched/Kconfig
+++ b/net/sched/Kconfig
@@ -658,6 +658,16 @@ config NET_EMATCH_IPSET
 	  To compile this code as a module, choose M here: the
 	  module will be called em_ipset.
 
+config NET_EMATCH_POLICY
+	tristate "Policy"
+	depends on NET_EMATCH && NETFILTER_XT_MATCH_POLICY
+	---help---
+	  Say Y here if you want to be able to classify packets based on
+	  IPsec policy that was used during decapsulation
+
+	  To compile this code as a module, choose M here: the
+	  module will be called em_policy.
+
 config NET_CLS_ACT
 	bool "Actions"
 	select NET_CLS
diff --git a/net/sched/Makefile b/net/sched/Makefile
index 5b63544..7ca02a1 100644
--- a/net/sched/Makefile
+++ b/net/sched/Makefile
@@ -75,3 +75,4 @@ obj-$(CONFIG_NET_EMATCH_META)	+= em_meta.o
 obj-$(CONFIG_NET_EMATCH_TEXT)	+= em_text.o
 obj-$(CONFIG_NET_EMATCH_CANID)	+= em_canid.o
 obj-$(CONFIG_NET_EMATCH_IPSET)	+= em_ipset.o
+obj-$(CONFIG_NET_EMATCH_POLICY)	+= em_policy.o
diff --git a/net/sched/em_policy.c b/net/sched/em_policy.c
new file mode 100644
index 0000000..94ef318
--- /dev/null
+++ b/net/sched/em_policy.c
@@ -0,0 +1,117 @@
+/*
+ * net/sched/em_policy.c IPSec Policy Ematch
+ *
+ * (c) 2018 Eyal Birger <eyal.birger@...il.com>
+ *
+ * Parts taken from netfilter/xt_policy.h:
+ * Copyright (c) 2004,2005 Patrick McHardy, <kaber@...sh.net>
+ *
+ * This program is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU General Public License
+ * as published by the Free Software Foundation; either version
+ * 2 of the License, or (at your option) any later version.
+ */
+
+#include <linux/gfp.h>
+#include <linux/module.h>
+#include <linux/types.h>
+#include <linux/kernel.h>
+#include <linux/string.h>
+#include <linux/skbuff.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter/xt_policy.h>
+#include <net/pkt_cls.h>
+#include <net/netfilter/xt_policy.h>
+
+static int em_policy_change(struct net *net, void *data, int data_len,
+			    struct tcf_ematch *em)
+{
+	const struct xt_policy_info *info = (const void *)data;
+	__u16 dir_flags;
+
+	if (data_len != sizeof(*info))
+		return -EINVAL;
+
+	if (info->len > XT_POLICY_MAX_ELEM) {
+		pr_info("too many policy elements\n");
+		return -EINVAL;
+	}
+
+	dir_flags = info->flags & (XT_POLICY_MATCH_IN | XT_POLICY_MATCH_OUT);
+	if (dir_flags != XT_POLICY_MATCH_IN) {
+		pr_info("Only incoming policy can be matched\n");
+		return -EINVAL;
+	}
+
+	em->datalen = sizeof(*info);
+	em->data = (unsigned long)kmemdup(data, em->datalen, GFP_KERNEL);
+	if (!em->data)
+		return -ENOMEM;
+
+	return 0;
+}
+
+static void em_policy_destroy(struct tcf_ematch *em)
+{
+	const struct xt_policy_info *info = (const void *)em->data;
+
+	if (!info)
+		return;
+
+	kfree((void *)em->data);
+}
+
+static int em_policy_match(struct sk_buff *skb, struct tcf_ematch *em,
+			   struct tcf_pkt_info *info)
+{
+	const struct xt_policy_info *pol = (const void *)em->data;
+	unsigned short pf;
+	int ret;
+
+	switch (tc_skb_protocol(skb)) {
+	case htons(ETH_P_IP):
+		pf = NFPROTO_IPV4;
+		break;
+	case htons(ETH_P_IPV6):
+		pf = NFPROTO_IPV6;
+		break;
+	default:
+		return false;
+	}
+
+	ret = xt_policy_match_policy_in(skb, pol, pf);
+	if (ret < 0)
+		ret = pol->flags & XT_POLICY_MATCH_NONE ? true : false;
+	else if (pol->flags & XT_POLICY_MATCH_NONE)
+		ret = false;
+
+	return ret;
+}
+
+static struct tcf_ematch_ops em_policy_ops = {
+	.kind	  = TCF_EM_POLICY,
+	.change	  = em_policy_change,
+	.destroy  = em_policy_destroy,
+	.match	  = em_policy_match,
+	.owner	  = THIS_MODULE,
+	.link	  = LIST_HEAD_INIT(em_policy_ops.link)
+};
+
+static int __init init_em_policy(void)
+{
+	return tcf_em_register(&em_policy_ops);
+}
+
+static void __exit exit_em_policy(void)
+{
+	tcf_em_unregister(&em_policy_ops);
+}
+
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Eyal Birger <eyal.birger@...il.com>");
+MODULE_DESCRIPTION("TC extended match for IPSec policies");
+
+module_init(init_em_policy);
+module_exit(exit_em_policy);
+
+MODULE_ALIAS_TCF_EMATCH(TCF_EM_POLICY);
-- 
2.7.4

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ