netfilter: nft_reject: support for IPv6 and TCP reset

This patch moves nft_reject_ipv4 to nft_reject and adds support for IPv6 protocol. This patch uses functions included in nf_reject.h to implement reject by TCP reset. The code has to be build as a module if NF_TABLES_IPV6 is also a module to avoid compilation error due to usage of IPv6 functions. This has been done in Kconfig by using the construct: depends on NF_TABLES_IPV6 || !NF_TABLES_IPV6 This seems a bit weird in terms of syntax but works perfectly. Signed-off-by: Eric Leblond <eric@regit.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Eric Leblond <eric@regit.org> 2013-12-29 06:28:14 -0500
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2013-12-30 12:15:38 -0500
commit: bee11dc78fc8a41299be5ce04b1c76b0057af450 (patch)
tree: 0717e96f0f1cbfca4373dc0fa867b3b888267f16 /net/netfilter
parent: cc70d069e2b9cece683206c0f6a1d1484414e577 (diff)
3 files changed, 151 insertions, 0 deletions
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index 01f9f64c4cec..a1dec61a727e 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -465,6 +465,12 @@ config NFT_QUEUE
          This is required if you intend to use the userspace queueing
          infrastructure (also known as NFQUEUE) from nftables.
+config NFT_REJECT
+        depends on NF_TABLES
+        depends on NF_TABLES_IPV6 || !NF_TABLES_IPV6
+        default m if NETFILTER_ADVANCED=n
+        tristate "Netfilter nf_tables reject support"
 config NFT_COMPAT
        depends on NF_TABLES
        depends on NETFILTER_XTABLES
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index dcc818a59ff5..39e4a7b78dd9 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -77,6 +77,7 @@ obj-$(CONFIG_NFT_CT)		+= nft_ct.o
 obj-$(CONFIG_NFT_LIMIT)         += nft_limit.o
 obj-$(CONFIG_NFT_NAT)           += nft_nat.o
 obj-$(CONFIG_NFT_QUEUE)         += nft_queue.o
+obj-$(CONFIG_NFT_REJECT)        += nft_reject.o
 obj-$(CONFIG_NFT_RBTREE)        += nft_rbtree.o
 obj-$(CONFIG_NFT_HASH)          += nft_hash.o
 obj-$(CONFIG_NFT_COUNTER)       += nft_counter.o
diff --git a/net/netfilter/nft_reject.c b/net/netfilter/nft_reject.c
new file mode 100644
index 000000000000..0d690d4101d2
--- /dev/null
+++ b/net/netfilter/nft_reject.c
@@ -0,0 +1,144 @@
+/*
+ * Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
+ * Copyright (c) 2013 Eric Leblond <eric@regit.org>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
+ *
+ * Development of this code funded by Astaro AG (http://www.astaro.com/)
+ */
+#include <linux/kernel.h>
+#include <linux/init.h>
+#include <linux/module.h>
+#include <linux/netlink.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter/nf_tables.h>
+#include <net/netfilter/nf_tables.h>
+#include <net/icmp.h>
+#include <net/netfilter/ipv4/nf_reject.h>
+#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
+#include <net/netfilter/ipv6/nf_reject.h>
+#endif
+struct nft_reject {
+        enum nft_reject_types   type:8;
+        u8                      icmp_code;
+        u8                      family;
+};
+static void nft_reject_eval(const struct nft_expr *expr,
+                              struct nft_data data[NFT_REG_MAX + 1],
+                              const struct nft_pktinfo *pkt)
+{
+        struct nft_reject *priv = nft_expr_priv(expr);
+        struct net *net = dev_net((pkt->in != NULL) ? pkt->in : pkt->out);
+        switch (priv->type) {
+        case NFT_REJECT_ICMP_UNREACH:
+                if (priv->family == NFPROTO_IPV4)
+                        nf_send_unreach(pkt->skb, priv->icmp_code);
+#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
+                else if (priv->family == NFPROTO_IPV6)
+                        nf_send_unreach6(net, pkt->skb, priv->icmp_code,
+                                      pkt->hooknum);
+#endif
+                break;
+        case NFT_REJECT_TCP_RST:
+                if (priv->family == NFPROTO_IPV4)
+                        nf_send_reset(pkt->skb, pkt->hooknum);
+#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
+                else if (priv->family == NFPROTO_IPV6)
+                        nf_send_reset6(net, pkt->skb, pkt->hooknum);
+#endif
+                break;
+        }
+        data[NFT_REG_VERDICT].verdict = NF_DROP;
+}
+static const struct nla_policy nft_reject_policy[NFTA_REJECT_MAX + 1] = {
+        [NFTA_REJECT_TYPE]              = { .type = NLA_U32 },
+        [NFTA_REJECT_ICMP_CODE]         = { .type = NLA_U8 },
+};
+static int nft_reject_init(const struct nft_ctx *ctx,
+                           const struct nft_expr *expr,
+                           const struct nlattr * const tb[])
+{
+        struct nft_reject *priv = nft_expr_priv(expr);
+        if (tb[NFTA_REJECT_TYPE] == NULL)
+                return -EINVAL;
+        priv->family = ctx->afi->family;
+        priv->type = ntohl(nla_get_be32(tb[NFTA_REJECT_TYPE]));
+        switch (priv->type) {
+        case NFT_REJECT_ICMP_UNREACH:
+                if (tb[NFTA_REJECT_ICMP_CODE] == NULL)
+                        return -EINVAL;
+                priv->icmp_code = nla_get_u8(tb[NFTA_REJECT_ICMP_CODE]);
+        case NFT_REJECT_TCP_RST:
+                break;
+        default:
+                return -EINVAL;
+        }
+        return 0;
+}
+static int nft_reject_dump(struct sk_buff *skb, const struct nft_expr *expr)
+{
+        const struct nft_reject *priv = nft_expr_priv(expr);
+        if (nla_put_be32(skb, NFTA_REJECT_TYPE, htonl(priv->type)))
+                goto nla_put_failure;
+        switch (priv->type) {
+        case NFT_REJECT_ICMP_UNREACH:
+                if (nla_put_u8(skb, NFTA_REJECT_ICMP_CODE, priv->icmp_code))
+                        goto nla_put_failure;
+                break;
+        }
+        return 0;
+nla_put_failure:
+        return -1;
+}
+static struct nft_expr_type nft_reject_type;
+static const struct nft_expr_ops nft_reject_ops = {
+        .type           = &nft_reject_type,
+        .size           = NFT_EXPR_SIZE(sizeof(struct nft_reject)),
+        .eval           = nft_reject_eval,
+        .init           = nft_reject_init,
+        .dump           = nft_reject_dump,
+};
+static struct nft_expr_type nft_reject_type __read_mostly = {
+        .name           = "reject",
+        .ops            = &nft_reject_ops,
+        .policy         = nft_reject_policy,
+        .maxattr        = NFTA_REJECT_MAX,
+        .owner          = THIS_MODULE,
+};
+static int __init nft_reject_module_init(void)
+{
+        return nft_register_expr(&nft_reject_type);
+}
+static void __exit nft_reject_module_exit(void)
+{
+        nft_unregister_expr(&nft_reject_type);
+}
+module_init(nft_reject_module_init);
+module_exit(nft_reject_module_exit);
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
+MODULE_ALIAS_NFT_EXPR("reject");
author	Eric Leblond <eric@regit.org>	2013-12-29 06:28:14 -0500
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2013-12-30 12:15:38 -0500
commit	bee11dc78fc8a41299be5ce04b1c76b0057af450 (patch)
tree	0717e96f0f1cbfca4373dc0fa867b3b888267f16 /net/netfilter
parent	cc70d069e2b9cece683206c0f6a1d1484414e577 (diff)

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index 01f9f64c4cec..a1dec61a727e 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig
@@ -465,6 +465,12 @@ config NFT_QUEUE
465	This is required if you intend to use the userspace queueing	465	This is required if you intend to use the userspace queueing
466	infrastructure (also known as NFQUEUE) from nftables.	466	infrastructure (also known as NFQUEUE) from nftables.
467		467
		468	config NFT_REJECT
		469	depends on NF_TABLES
		470	depends on NF_TABLES_IPV6 \|\| !NF_TABLES_IPV6
		471	default m if NETFILTER_ADVANCED=n
		472	tristate "Netfilter nf_tables reject support"
		473
468	config NFT_COMPAT	474	config NFT_COMPAT
469	depends on NF_TABLES	475	depends on NF_TABLES
470	depends on NETFILTER_XTABLES	476	depends on NETFILTER_XTABLES


diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile index dcc818a59ff5..39e4a7b78dd9 100644 --- a/net/netfilter/Makefile +++ b/net/netfilter/Makefile
@@ -77,6 +77,7 @@ obj-$(CONFIG_NFT_CT) += nft_ct.o
77	obj-$(CONFIG_NFT_LIMIT) += nft_limit.o	77	obj-$(CONFIG_NFT_LIMIT) += nft_limit.o
78	obj-$(CONFIG_NFT_NAT) += nft_nat.o	78	obj-$(CONFIG_NFT_NAT) += nft_nat.o
79	obj-$(CONFIG_NFT_QUEUE) += nft_queue.o	79	obj-$(CONFIG_NFT_QUEUE) += nft_queue.o
		80	obj-$(CONFIG_NFT_REJECT) += nft_reject.o
80	obj-$(CONFIG_NFT_RBTREE) += nft_rbtree.o	81	obj-$(CONFIG_NFT_RBTREE) += nft_rbtree.o
81	obj-$(CONFIG_NFT_HASH) += nft_hash.o	82	obj-$(CONFIG_NFT_HASH) += nft_hash.o
82	obj-$(CONFIG_NFT_COUNTER) += nft_counter.o	83	obj-$(CONFIG_NFT_COUNTER) += nft_counter.o


diff --git a/net/netfilter/nft_reject.c b/net/netfilter/nft_reject.c new file mode 100644 index 000000000000..0d690d4101d2 --- /dev/null +++ b/net/netfilter/nft_reject.c
@@ -0,0 +1,144 @@
		1	/*
		2	* Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
		3	* Copyright (c) 2013 Eric Leblond <eric@regit.org>
		4	*
		5	* This program is free software; you can redistribute it and/or modify
		6	* it under the terms of the GNU General Public License version 2 as
		7	* published by the Free Software Foundation.
		8	*
		9	* Development of this code funded by Astaro AG (http://www.astaro.com/)
		10	*/
		11
		12	#include <linux/kernel.h>
		13	#include <linux/init.h>
		14	#include <linux/module.h>
		15	#include <linux/netlink.h>
		16	#include <linux/netfilter.h>
		17	#include <linux/netfilter/nf_tables.h>
		18	#include <net/netfilter/nf_tables.h>
		19	#include <net/icmp.h>
		20	#include <net/netfilter/ipv4/nf_reject.h>
		21
		22	#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
		23	#include <net/netfilter/ipv6/nf_reject.h>
		24	#endif
		25
		26	struct nft_reject {
		27	enum nft_reject_types type:8;
		28	u8 icmp_code;
		29	u8 family;
		30	};
		31
		32	static void nft_reject_eval(const struct nft_expr *expr,
		33	struct nft_data data[NFT_REG_MAX + 1],
		34	const struct nft_pktinfo *pkt)
		35	{
		36	struct nft_reject *priv = nft_expr_priv(expr);
		37	struct net *net = dev_net((pkt->in != NULL) ? pkt->in : pkt->out);
		38
		39	switch (priv->type) {
		40	case NFT_REJECT_ICMP_UNREACH:
		41	if (priv->family == NFPROTO_IPV4)
		42	nf_send_unreach(pkt->skb, priv->icmp_code);
		43	#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
		44	else if (priv->family == NFPROTO_IPV6)
		45	nf_send_unreach6(net, pkt->skb, priv->icmp_code,
		46	pkt->hooknum);
		47	#endif
		48	break;
		49	case NFT_REJECT_TCP_RST:
		50	if (priv->family == NFPROTO_IPV4)
		51	nf_send_reset(pkt->skb, pkt->hooknum);
		52	#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
		53	else if (priv->family == NFPROTO_IPV6)
		54	nf_send_reset6(net, pkt->skb, pkt->hooknum);
		55	#endif
		56	break;
		57	}
		58
		59	data[NFT_REG_VERDICT].verdict = NF_DROP;
		60	}
		61
		62	static const struct nla_policy nft_reject_policy[NFTA_REJECT_MAX + 1] = {
		63	[NFTA_REJECT_TYPE] = { .type = NLA_U32 },
		64	[NFTA_REJECT_ICMP_CODE] = { .type = NLA_U8 },
		65	};
		66
		67	static int nft_reject_init(const struct nft_ctx *ctx,
		68	const struct nft_expr *expr,
		69	const struct nlattr * const tb[])
		70	{
		71	struct nft_reject *priv = nft_expr_priv(expr);
		72
		73	if (tb[NFTA_REJECT_TYPE] == NULL)
		74	return -EINVAL;
		75
		76	priv->family = ctx->afi->family;
		77	priv->type = ntohl(nla_get_be32(tb[NFTA_REJECT_TYPE]));
		78	switch (priv->type) {
		79	case NFT_REJECT_ICMP_UNREACH:
		80	if (tb[NFTA_REJECT_ICMP_CODE] == NULL)
		81	return -EINVAL;
		82	priv->icmp_code = nla_get_u8(tb[NFTA_REJECT_ICMP_CODE]);
		83	case NFT_REJECT_TCP_RST:
		84	break;
		85	default:
		86	return -EINVAL;
		87	}
		88
		89	return 0;
		90	}
		91
		92	static int nft_reject_dump(struct sk_buff skb, const struct nft_expr expr)
		93	{
		94	const struct nft_reject *priv = nft_expr_priv(expr);
		95
		96	if (nla_put_be32(skb, NFTA_REJECT_TYPE, htonl(priv->type)))
		97	goto nla_put_failure;
		98
		99	switch (priv->type) {
		100	case NFT_REJECT_ICMP_UNREACH:
		101	if (nla_put_u8(skb, NFTA_REJECT_ICMP_CODE, priv->icmp_code))
		102	goto nla_put_failure;
		103	break;
		104	}
		105
		106	return 0;
		107
		108	nla_put_failure:
		109	return -1;
		110	}
		111
		112	static struct nft_expr_type nft_reject_type;
		113	static const struct nft_expr_ops nft_reject_ops = {
		114	.type = &nft_reject_type,
		115	.size = NFT_EXPR_SIZE(sizeof(struct nft_reject)),
		116	.eval = nft_reject_eval,
		117	.init = nft_reject_init,
		118	.dump = nft_reject_dump,
		119	};
		120
		121	static struct nft_expr_type nft_reject_type __read_mostly = {
		122	.name = "reject",
		123	.ops = &nft_reject_ops,
		124	.policy = nft_reject_policy,
		125	.maxattr = NFTA_REJECT_MAX,
		126	.owner = THIS_MODULE,
		127	};
		128
		129	static int __init nft_reject_module_init(void)
		130	{
		131	return nft_register_expr(&nft_reject_type);
		132	}
		133
		134	static void __exit nft_reject_module_exit(void)
		135	{
		136	nft_unregister_expr(&nft_reject_type);
		137	}
		138
		139	module_init(nft_reject_module_init);
		140	module_exit(nft_reject_module_exit);
		141
		142	MODULE_LICENSE("GPL");
		143	MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
		144	MODULE_ALIAS_NFT_EXPR("reject");