lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Date:   Thu, 23 Jun 2022 20:42:48 +0800
From:   Wei Han <lailitty@...mail.com>
To:     pablo@...filter.org, kadlec@...filter.org, fw@...len.de,
        davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
        pabeni@...hat.com
Cc:     netfilter-devel@...r.kernel.org, coreteam@...filter.org,
        netdev@...r.kernel.org, linux-kernel@...r.kernel.org,
        lailitty@...mail.com, linux-staging@...ts.linux.dev
Subject: [PATCH] netfilter: xt_esp: add support for ESP match in NAT Traversal

when the ESP packets traversing Network Address Translators,
which are encapsulated and decapsulated inside UDP packets,
so we need to get ESP data in UDP.

Signed-off-by: Wei Han <lailitty@...mail.com>
---
 net/netfilter/xt_esp.c | 54 +++++++++++++++++++++++++++++++++++-------
 1 file changed, 45 insertions(+), 9 deletions(-)

diff --git a/net/netfilter/xt_esp.c b/net/netfilter/xt_esp.c
index 2a1c0ad0ff07..c3feb79a830a 100644
--- a/net/netfilter/xt_esp.c
+++ b/net/netfilter/xt_esp.c
@@ -8,12 +8,14 @@
 #include <linux/skbuff.h>
 #include <linux/in.h>
 #include <linux/ip.h>
+#include <linux/ipv6.h>
 
 #include <linux/netfilter/xt_esp.h>
 #include <linux/netfilter/x_tables.h>
 
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
+#include <net/ip.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Yon Uriarte <yon@...aro.de>");
@@ -39,17 +41,53 @@ static bool esp_mt(const struct sk_buff *skb, struct xt_action_param *par)
 	struct ip_esp_hdr _esp;
 	const struct xt_esp *espinfo = par->matchinfo;
 
+	const struct iphdr *iph = NULL;
+	const struct ipv6hdr *ip6h = NULL;
+	const struct udphdr *udph = NULL;
+	struct udphdr _udph;
+	int proto = -1;
+
 	/* Must not be a fragment. */
 	if (par->fragoff != 0)
 		return false;
 
-	eh = skb_header_pointer(skb, par->thoff, sizeof(_esp), &_esp);
-	if (eh == NULL) {
-		/* We've been asked to examine this packet, and we
-		 * can't.  Hence, no choice but to drop.
-		 */
-		pr_debug("Dropping evil ESP tinygram.\n");
-		par->hotdrop = true;
+	if (xt_family(par) == NFPROTO_IPV6) {
+		ip6h = ipv6_hdr(skb);
+		if (!ip6h)
+			return false;
+		proto = ip6h->nexthdr;
+	} else {
+		iph = ip_hdr(skb);
+		if (!iph)
+			return false;
+		proto = iph->protocol;
+	}
+
+	if (proto == IPPROTO_UDP) {
+		//for NAT-T
+		udph = skb_header_pointer(skb, par->thoff, sizeof(_udph), &_udph);
+		if (udph && (udph->source == htons(4500) || udph->dest == htons(4500))) {
+			/* Not deal with above data it don't conflict with SPI
+			 * 1.IKE Header Format for Port 4500(Non-ESP Marker 0x00000000)
+			 * 2.NAT-Keepalive Packet Format(0xFF)
+			 */
+			eh = (struct ip_esp_hdr *)((char *)udph + sizeof(struct udphdr));
+		} else {
+			return false;
+		}
+	} else if (proto == IPPROTO_ESP) {
+		//not NAT-T
+		eh = skb_header_pointer(skb, par->thoff, sizeof(_esp), &_esp);
+		if (!eh) {
+			/* We've been asked to examine this packet, and we
+			 * can't.  Hence, no choice but to drop.
+			 */
+			pr_debug("Dropping evil ESP tinygram.\n");
+			par->hotdrop = true;
+			return false;
+		}
+	} else {
+		//not esp data
 		return false;
 	}
 
@@ -76,7 +114,6 @@ static struct xt_match esp_mt_reg[] __read_mostly = {
 		.checkentry	= esp_mt_check,
 		.match		= esp_mt,
 		.matchsize	= sizeof(struct xt_esp),
-		.proto		= IPPROTO_ESP,
 		.me		= THIS_MODULE,
 	},
 	{
@@ -85,7 +122,6 @@ static struct xt_match esp_mt_reg[] __read_mostly = {
 		.checkentry	= esp_mt_check,
 		.match		= esp_mt,
 		.matchsize	= sizeof(struct xt_esp),
-		.proto		= IPPROTO_ESP,
 		.me		= THIS_MODULE,
 	},
 };
-- 
2.17.1

Powered by blists - more mailing lists