2019-06-04 10:11:33 +02:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-only
|
[NETFILTER]: Add nf_conntrack subsystem.
The existing connection tracking subsystem in netfilter can only
handle ipv4. There were basically two choices present to add
connection tracking support for ipv6. We could either duplicate all
of the ipv4 connection tracking code into an ipv6 counterpart, or (the
choice taken by these patches) we could design a generic layer that
could handle both ipv4 and ipv6 and thus requiring only one sub-protocol
(TCP, UDP, etc.) connection tracking helper module to be written.
In fact nf_conntrack is capable of working with any layer 3
protocol.
The existing ipv4 specific conntrack code could also not deal
with the pecularities of doing connection tracking on ipv6,
which is also cured here. For example, these issues include:
1) ICMPv6 handling, which is used for neighbour discovery in
ipv6 thus some messages such as these should not participate
in connection tracking since effectively they are like ARP
messages
2) fragmentation must be handled differently in ipv6, because
the simplistic "defrag, connection track and NAT, refrag"
(which the existing ipv4 connection tracking does) approach simply
isn't feasible in ipv6
3) ipv6 extension header parsing must occur at the correct spots
before and after connection tracking decisions, and there were
no provisions for this in the existing connection tracking
design
4) ipv6 has no need for stateful NAT
The ipv4 specific conntrack layer is kept around, until all of
the ipv4 specific conntrack helpers are ported over to nf_conntrack
and it is feature complete. Once that occurs, the old conntrack
stuff will get placed into the feature-removal-schedule and we will
fully kill it off 6 months later.
Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
2005-11-10 01:38:16 +01:00
|
|
|
/*
|
|
|
|
* Copyright (C)2003,2004 USAGI/WIDE Project
|
|
|
|
*
|
|
|
|
* Author:
|
|
|
|
* Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp>
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include <linux/types.h>
|
|
|
|
#include <linux/timer.h>
|
|
|
|
#include <linux/module.h>
|
|
|
|
#include <linux/netfilter.h>
|
|
|
|
#include <linux/in6.h>
|
|
|
|
#include <linux/icmpv6.h>
|
|
|
|
#include <linux/ipv6.h>
|
|
|
|
#include <net/ipv6.h>
|
|
|
|
#include <net/ip6_checksum.h>
|
|
|
|
#include <linux/seq_file.h>
|
|
|
|
#include <linux/netfilter_ipv6.h>
|
|
|
|
#include <net/netfilter/nf_conntrack_tuple.h>
|
2006-11-29 02:35:06 +01:00
|
|
|
#include <net/netfilter/nf_conntrack_l4proto.h>
|
[NETFILTER]: Add nf_conntrack subsystem.
The existing connection tracking subsystem in netfilter can only
handle ipv4. There were basically two choices present to add
connection tracking support for ipv6. We could either duplicate all
of the ipv4 connection tracking code into an ipv6 counterpart, or (the
choice taken by these patches) we could design a generic layer that
could handle both ipv4 and ipv6 and thus requiring only one sub-protocol
(TCP, UDP, etc.) connection tracking helper module to be written.
In fact nf_conntrack is capable of working with any layer 3
protocol.
The existing ipv4 specific conntrack code could also not deal
with the pecularities of doing connection tracking on ipv6,
which is also cured here. For example, these issues include:
1) ICMPv6 handling, which is used for neighbour discovery in
ipv6 thus some messages such as these should not participate
in connection tracking since effectively they are like ARP
messages
2) fragmentation must be handled differently in ipv6, because
the simplistic "defrag, connection track and NAT, refrag"
(which the existing ipv4 connection tracking does) approach simply
isn't feasible in ipv6
3) ipv6 extension header parsing must occur at the correct spots
before and after connection tracking decisions, and there were
no provisions for this in the existing connection tracking
design
4) ipv6 has no need for stateful NAT
The ipv4 specific conntrack layer is kept around, until all of
the ipv4 specific conntrack helpers are ported over to nf_conntrack
and it is feature complete. Once that occurs, the old conntrack
stuff will get placed into the feature-removal-schedule and we will
fully kill it off 6 months later.
Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
2005-11-10 01:38:16 +01:00
|
|
|
#include <net/netfilter/nf_conntrack_core.h>
|
2018-06-29 07:46:50 +02:00
|
|
|
#include <net/netfilter/nf_conntrack_timeout.h>
|
2010-02-15 18:13:33 +01:00
|
|
|
#include <net/netfilter/nf_conntrack_zones.h>
|
2007-12-18 07:38:49 +01:00
|
|
|
#include <net/netfilter/nf_log.h>
|
[NETFILTER]: Add nf_conntrack subsystem.
The existing connection tracking subsystem in netfilter can only
handle ipv4. There were basically two choices present to add
connection tracking support for ipv6. We could either duplicate all
of the ipv4 connection tracking code into an ipv6 counterpart, or (the
choice taken by these patches) we could design a generic layer that
could handle both ipv4 and ipv6 and thus requiring only one sub-protocol
(TCP, UDP, etc.) connection tracking helper module to be written.
In fact nf_conntrack is capable of working with any layer 3
protocol.
The existing ipv4 specific conntrack code could also not deal
with the pecularities of doing connection tracking on ipv6,
which is also cured here. For example, these issues include:
1) ICMPv6 handling, which is used for neighbour discovery in
ipv6 thus some messages such as these should not participate
in connection tracking since effectively they are like ARP
messages
2) fragmentation must be handled differently in ipv6, because
the simplistic "defrag, connection track and NAT, refrag"
(which the existing ipv4 connection tracking does) approach simply
isn't feasible in ipv6
3) ipv6 extension header parsing must occur at the correct spots
before and after connection tracking decisions, and there were
no provisions for this in the existing connection tracking
design
4) ipv6 has no need for stateful NAT
The ipv4 specific conntrack layer is kept around, until all of
the ipv4 specific conntrack helpers are ported over to nf_conntrack
and it is feature complete. Once that occurs, the old conntrack
stuff will get placed into the feature-removal-schedule and we will
fully kill it off 6 months later.
Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
2005-11-10 01:38:16 +01:00
|
|
|
|
2017-11-12 20:42:01 +01:00
|
|
|
static const unsigned int nf_ct_icmpv6_timeout = 30*HZ;
|
[NETFILTER]: Add nf_conntrack subsystem.
The existing connection tracking subsystem in netfilter can only
handle ipv4. There were basically two choices present to add
connection tracking support for ipv6. We could either duplicate all
of the ipv4 connection tracking code into an ipv6 counterpart, or (the
choice taken by these patches) we could design a generic layer that
could handle both ipv4 and ipv6 and thus requiring only one sub-protocol
(TCP, UDP, etc.) connection tracking helper module to be written.
In fact nf_conntrack is capable of working with any layer 3
protocol.
The existing ipv4 specific conntrack code could also not deal
with the pecularities of doing connection tracking on ipv6,
which is also cured here. For example, these issues include:
1) ICMPv6 handling, which is used for neighbour discovery in
ipv6 thus some messages such as these should not participate
in connection tracking since effectively they are like ARP
messages
2) fragmentation must be handled differently in ipv6, because
the simplistic "defrag, connection track and NAT, refrag"
(which the existing ipv4 connection tracking does) approach simply
isn't feasible in ipv6
3) ipv6 extension header parsing must occur at the correct spots
before and after connection tracking decisions, and there were
no provisions for this in the existing connection tracking
design
4) ipv6 has no need for stateful NAT
The ipv4 specific conntrack layer is kept around, until all of
the ipv4 specific conntrack helpers are ported over to nf_conntrack
and it is feature complete. Once that occurs, the old conntrack
stuff will get placed into the feature-removal-schedule and we will
fully kill it off 6 months later.
Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
2005-11-10 01:38:16 +01:00
|
|
|
|
2019-01-15 22:03:33 +01:00
|
|
|
bool icmpv6_pkt_to_tuple(const struct sk_buff *skb,
|
|
|
|
unsigned int dataoff,
|
|
|
|
struct net *net,
|
|
|
|
struct nf_conntrack_tuple *tuple)
|
[NETFILTER]: Add nf_conntrack subsystem.
The existing connection tracking subsystem in netfilter can only
handle ipv4. There were basically two choices present to add
connection tracking support for ipv6. We could either duplicate all
of the ipv4 connection tracking code into an ipv6 counterpart, or (the
choice taken by these patches) we could design a generic layer that
could handle both ipv4 and ipv6 and thus requiring only one sub-protocol
(TCP, UDP, etc.) connection tracking helper module to be written.
In fact nf_conntrack is capable of working with any layer 3
protocol.
The existing ipv4 specific conntrack code could also not deal
with the pecularities of doing connection tracking on ipv6,
which is also cured here. For example, these issues include:
1) ICMPv6 handling, which is used for neighbour discovery in
ipv6 thus some messages such as these should not participate
in connection tracking since effectively they are like ARP
messages
2) fragmentation must be handled differently in ipv6, because
the simplistic "defrag, connection track and NAT, refrag"
(which the existing ipv4 connection tracking does) approach simply
isn't feasible in ipv6
3) ipv6 extension header parsing must occur at the correct spots
before and after connection tracking decisions, and there were
no provisions for this in the existing connection tracking
design
4) ipv6 has no need for stateful NAT
The ipv4 specific conntrack layer is kept around, until all of
the ipv4 specific conntrack helpers are ported over to nf_conntrack
and it is feature complete. Once that occurs, the old conntrack
stuff will get placed into the feature-removal-schedule and we will
fully kill it off 6 months later.
Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
2005-11-10 01:38:16 +01:00
|
|
|
{
|
2008-01-31 13:53:05 +01:00
|
|
|
const struct icmp6hdr *hp;
|
|
|
|
struct icmp6hdr _hdr;
|
[NETFILTER]: Add nf_conntrack subsystem.
The existing connection tracking subsystem in netfilter can only
handle ipv4. There were basically two choices present to add
connection tracking support for ipv6. We could either duplicate all
of the ipv4 connection tracking code into an ipv6 counterpart, or (the
choice taken by these patches) we could design a generic layer that
could handle both ipv4 and ipv6 and thus requiring only one sub-protocol
(TCP, UDP, etc.) connection tracking helper module to be written.
In fact nf_conntrack is capable of working with any layer 3
protocol.
The existing ipv4 specific conntrack code could also not deal
with the pecularities of doing connection tracking on ipv6,
which is also cured here. For example, these issues include:
1) ICMPv6 handling, which is used for neighbour discovery in
ipv6 thus some messages such as these should not participate
in connection tracking since effectively they are like ARP
messages
2) fragmentation must be handled differently in ipv6, because
the simplistic "defrag, connection track and NAT, refrag"
(which the existing ipv4 connection tracking does) approach simply
isn't feasible in ipv6
3) ipv6 extension header parsing must occur at the correct spots
before and after connection tracking decisions, and there were
no provisions for this in the existing connection tracking
design
4) ipv6 has no need for stateful NAT
The ipv4 specific conntrack layer is kept around, until all of
the ipv4 specific conntrack helpers are ported over to nf_conntrack
and it is feature complete. Once that occurs, the old conntrack
stuff will get placed into the feature-removal-schedule and we will
fully kill it off 6 months later.
Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
2005-11-10 01:38:16 +01:00
|
|
|
|
|
|
|
hp = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr);
|
|
|
|
if (hp == NULL)
|
2008-04-14 11:15:53 +02:00
|
|
|
return false;
|
[NETFILTER]: Add nf_conntrack subsystem.
The existing connection tracking subsystem in netfilter can only
handle ipv4. There were basically two choices present to add
connection tracking support for ipv6. We could either duplicate all
of the ipv4 connection tracking code into an ipv6 counterpart, or (the
choice taken by these patches) we could design a generic layer that
could handle both ipv4 and ipv6 and thus requiring only one sub-protocol
(TCP, UDP, etc.) connection tracking helper module to be written.
In fact nf_conntrack is capable of working with any layer 3
protocol.
The existing ipv4 specific conntrack code could also not deal
with the pecularities of doing connection tracking on ipv6,
which is also cured here. For example, these issues include:
1) ICMPv6 handling, which is used for neighbour discovery in
ipv6 thus some messages such as these should not participate
in connection tracking since effectively they are like ARP
messages
2) fragmentation must be handled differently in ipv6, because
the simplistic "defrag, connection track and NAT, refrag"
(which the existing ipv4 connection tracking does) approach simply
isn't feasible in ipv6
3) ipv6 extension header parsing must occur at the correct spots
before and after connection tracking decisions, and there were
no provisions for this in the existing connection tracking
design
4) ipv6 has no need for stateful NAT
The ipv4 specific conntrack layer is kept around, until all of
the ipv4 specific conntrack helpers are ported over to nf_conntrack
and it is feature complete. Once that occurs, the old conntrack
stuff will get placed into the feature-removal-schedule and we will
fully kill it off 6 months later.
Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
2005-11-10 01:38:16 +01:00
|
|
|
tuple->dst.u.icmp.type = hp->icmp6_type;
|
|
|
|
tuple->src.u.icmp.id = hp->icmp6_identifier;
|
|
|
|
tuple->dst.u.icmp.code = hp->icmp6_code;
|
|
|
|
|
2008-04-14 11:15:53 +02:00
|
|
|
return true;
|
[NETFILTER]: Add nf_conntrack subsystem.
The existing connection tracking subsystem in netfilter can only
handle ipv4. There were basically two choices present to add
connection tracking support for ipv6. We could either duplicate all
of the ipv4 connection tracking code into an ipv6 counterpart, or (the
choice taken by these patches) we could design a generic layer that
could handle both ipv4 and ipv6 and thus requiring only one sub-protocol
(TCP, UDP, etc.) connection tracking helper module to be written.
In fact nf_conntrack is capable of working with any layer 3
protocol.
The existing ipv4 specific conntrack code could also not deal
with the pecularities of doing connection tracking on ipv6,
which is also cured here. For example, these issues include:
1) ICMPv6 handling, which is used for neighbour discovery in
ipv6 thus some messages such as these should not participate
in connection tracking since effectively they are like ARP
messages
2) fragmentation must be handled differently in ipv6, because
the simplistic "defrag, connection track and NAT, refrag"
(which the existing ipv4 connection tracking does) approach simply
isn't feasible in ipv6
3) ipv6 extension header parsing must occur at the correct spots
before and after connection tracking decisions, and there were
no provisions for this in the existing connection tracking
design
4) ipv6 has no need for stateful NAT
The ipv4 specific conntrack layer is kept around, until all of
the ipv4 specific conntrack helpers are ported over to nf_conntrack
and it is feature complete. Once that occurs, the old conntrack
stuff will get placed into the feature-removal-schedule and we will
fully kill it off 6 months later.
Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
2005-11-10 01:38:16 +01:00
|
|
|
}
|
|
|
|
|
2006-01-05 21:19:05 +01:00
|
|
|
/* Add 1; spaces filled with 0. */
|
2008-01-31 13:53:05 +01:00
|
|
|
static const u_int8_t invmap[] = {
|
2006-01-05 21:19:05 +01:00
|
|
|
[ICMPV6_ECHO_REQUEST - 128] = ICMPV6_ECHO_REPLY + 1,
|
|
|
|
[ICMPV6_ECHO_REPLY - 128] = ICMPV6_ECHO_REQUEST + 1,
|
2009-02-09 23:33:03 +01:00
|
|
|
[ICMPV6_NI_QUERY - 128] = ICMPV6_NI_REPLY + 1,
|
2015-10-11 18:32:17 +02:00
|
|
|
[ICMPV6_NI_REPLY - 128] = ICMPV6_NI_QUERY + 1
|
2006-01-05 21:19:05 +01:00
|
|
|
};
|
|
|
|
|
2009-02-09 23:33:20 +01:00
|
|
|
static const u_int8_t noct_valid_new[] = {
|
|
|
|
[ICMPV6_MGM_QUERY - 130] = 1,
|
2015-10-11 18:32:17 +02:00
|
|
|
[ICMPV6_MGM_REPORT - 130] = 1,
|
2009-02-09 23:33:20 +01:00
|
|
|
[ICMPV6_MGM_REDUCTION - 130] = 1,
|
|
|
|
[NDISC_ROUTER_SOLICITATION - 130] = 1,
|
|
|
|
[NDISC_ROUTER_ADVERTISEMENT - 130] = 1,
|
|
|
|
[NDISC_NEIGHBOUR_SOLICITATION - 130] = 1,
|
|
|
|
[NDISC_NEIGHBOUR_ADVERTISEMENT - 130] = 1,
|
|
|
|
[ICMPV6_MLD2_REPORT - 130] = 1
|
|
|
|
};
|
|
|
|
|
2019-01-15 22:03:38 +01:00
|
|
|
bool nf_conntrack_invert_icmpv6_tuple(struct nf_conntrack_tuple *tuple,
|
|
|
|
const struct nf_conntrack_tuple *orig)
|
[NETFILTER]: Add nf_conntrack subsystem.
The existing connection tracking subsystem in netfilter can only
handle ipv4. There were basically two choices present to add
connection tracking support for ipv6. We could either duplicate all
of the ipv4 connection tracking code into an ipv6 counterpart, or (the
choice taken by these patches) we could design a generic layer that
could handle both ipv4 and ipv6 and thus requiring only one sub-protocol
(TCP, UDP, etc.) connection tracking helper module to be written.
In fact nf_conntrack is capable of working with any layer 3
protocol.
The existing ipv4 specific conntrack code could also not deal
with the pecularities of doing connection tracking on ipv6,
which is also cured here. For example, these issues include:
1) ICMPv6 handling, which is used for neighbour discovery in
ipv6 thus some messages such as these should not participate
in connection tracking since effectively they are like ARP
messages
2) fragmentation must be handled differently in ipv6, because
the simplistic "defrag, connection track and NAT, refrag"
(which the existing ipv4 connection tracking does) approach simply
isn't feasible in ipv6
3) ipv6 extension header parsing must occur at the correct spots
before and after connection tracking decisions, and there were
no provisions for this in the existing connection tracking
design
4) ipv6 has no need for stateful NAT
The ipv4 specific conntrack layer is kept around, until all of
the ipv4 specific conntrack helpers are ported over to nf_conntrack
and it is feature complete. Once that occurs, the old conntrack
stuff will get placed into the feature-removal-schedule and we will
fully kill it off 6 months later.
Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
2005-11-10 01:38:16 +01:00
|
|
|
{
|
2005-12-05 22:32:50 +01:00
|
|
|
int type = orig->dst.u.icmp.type - 128;
|
|
|
|
if (type < 0 || type >= sizeof(invmap) || !invmap[type])
|
2008-04-14 11:15:53 +02:00
|
|
|
return false;
|
[NETFILTER]: Add nf_conntrack subsystem.
The existing connection tracking subsystem in netfilter can only
handle ipv4. There were basically two choices present to add
connection tracking support for ipv6. We could either duplicate all
of the ipv4 connection tracking code into an ipv6 counterpart, or (the
choice taken by these patches) we could design a generic layer that
could handle both ipv4 and ipv6 and thus requiring only one sub-protocol
(TCP, UDP, etc.) connection tracking helper module to be written.
In fact nf_conntrack is capable of working with any layer 3
protocol.
The existing ipv4 specific conntrack code could also not deal
with the pecularities of doing connection tracking on ipv6,
which is also cured here. For example, these issues include:
1) ICMPv6 handling, which is used for neighbour discovery in
ipv6 thus some messages such as these should not participate
in connection tracking since effectively they are like ARP
messages
2) fragmentation must be handled differently in ipv6, because
the simplistic "defrag, connection track and NAT, refrag"
(which the existing ipv4 connection tracking does) approach simply
isn't feasible in ipv6
3) ipv6 extension header parsing must occur at the correct spots
before and after connection tracking decisions, and there were
no provisions for this in the existing connection tracking
design
4) ipv6 has no need for stateful NAT
The ipv4 specific conntrack layer is kept around, until all of
the ipv4 specific conntrack helpers are ported over to nf_conntrack
and it is feature complete. Once that occurs, the old conntrack
stuff will get placed into the feature-removal-schedule and we will
fully kill it off 6 months later.
Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
2005-11-10 01:38:16 +01:00
|
|
|
|
|
|
|
tuple->src.u.icmp.id = orig->src.u.icmp.id;
|
|
|
|
tuple->dst.u.icmp.type = invmap[type] - 1;
|
|
|
|
tuple->dst.u.icmp.code = orig->dst.u.icmp.code;
|
2008-04-14 11:15:53 +02:00
|
|
|
return true;
|
[NETFILTER]: Add nf_conntrack subsystem.
The existing connection tracking subsystem in netfilter can only
handle ipv4. There were basically two choices present to add
connection tracking support for ipv6. We could either duplicate all
of the ipv4 connection tracking code into an ipv6 counterpart, or (the
choice taken by these patches) we could design a generic layer that
could handle both ipv4 and ipv6 and thus requiring only one sub-protocol
(TCP, UDP, etc.) connection tracking helper module to be written.
In fact nf_conntrack is capable of working with any layer 3
protocol.
The existing ipv4 specific conntrack code could also not deal
with the pecularities of doing connection tracking on ipv6,
which is also cured here. For example, these issues include:
1) ICMPv6 handling, which is used for neighbour discovery in
ipv6 thus some messages such as these should not participate
in connection tracking since effectively they are like ARP
messages
2) fragmentation must be handled differently in ipv6, because
the simplistic "defrag, connection track and NAT, refrag"
(which the existing ipv4 connection tracking does) approach simply
isn't feasible in ipv6
3) ipv6 extension header parsing must occur at the correct spots
before and after connection tracking decisions, and there were
no provisions for this in the existing connection tracking
design
4) ipv6 has no need for stateful NAT
The ipv4 specific conntrack layer is kept around, until all of
the ipv4 specific conntrack helpers are ported over to nf_conntrack
and it is feature complete. Once that occurs, the old conntrack
stuff will get placed into the feature-removal-schedule and we will
fully kill it off 6 months later.
Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
2005-11-10 01:38:16 +01:00
|
|
|
}
|
|
|
|
|
2012-02-28 18:23:31 +01:00
|
|
|
static unsigned int *icmpv6_get_timeouts(struct net *net)
|
|
|
|
{
|
2018-11-02 00:11:34 +01:00
|
|
|
return &nf_icmpv6_pernet(net)->timeout;
|
2012-02-28 18:23:31 +01:00
|
|
|
}
|
|
|
|
|
[NETFILTER]: Add nf_conntrack subsystem.
The existing connection tracking subsystem in netfilter can only
handle ipv4. There were basically two choices present to add
connection tracking support for ipv6. We could either duplicate all
of the ipv4 connection tracking code into an ipv6 counterpart, or (the
choice taken by these patches) we could design a generic layer that
could handle both ipv4 and ipv6 and thus requiring only one sub-protocol
(TCP, UDP, etc.) connection tracking helper module to be written.
In fact nf_conntrack is capable of working with any layer 3
protocol.
The existing ipv4 specific conntrack code could also not deal
with the pecularities of doing connection tracking on ipv6,
which is also cured here. For example, these issues include:
1) ICMPv6 handling, which is used for neighbour discovery in
ipv6 thus some messages such as these should not participate
in connection tracking since effectively they are like ARP
messages
2) fragmentation must be handled differently in ipv6, because
the simplistic "defrag, connection track and NAT, refrag"
(which the existing ipv4 connection tracking does) approach simply
isn't feasible in ipv6
3) ipv6 extension header parsing must occur at the correct spots
before and after connection tracking decisions, and there were
no provisions for this in the existing connection tracking
design
4) ipv6 has no need for stateful NAT
The ipv4 specific conntrack layer is kept around, until all of
the ipv4 specific conntrack helpers are ported over to nf_conntrack
and it is feature complete. Once that occurs, the old conntrack
stuff will get placed into the feature-removal-schedule and we will
fully kill it off 6 months later.
Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
2005-11-10 01:38:16 +01:00
|
|
|
/* Returns verdict for packet, or -1 for invalid. */
|
2019-01-15 22:03:32 +01:00
|
|
|
int nf_conntrack_icmpv6_packet(struct nf_conn *ct,
|
|
|
|
struct sk_buff *skb,
|
|
|
|
enum ip_conntrack_info ctinfo,
|
|
|
|
const struct nf_hook_state *state)
|
[NETFILTER]: Add nf_conntrack subsystem.
The existing connection tracking subsystem in netfilter can only
handle ipv4. There were basically two choices present to add
connection tracking support for ipv6. We could either duplicate all
of the ipv4 connection tracking code into an ipv6 counterpart, or (the
choice taken by these patches) we could design a generic layer that
could handle both ipv4 and ipv6 and thus requiring only one sub-protocol
(TCP, UDP, etc.) connection tracking helper module to be written.
In fact nf_conntrack is capable of working with any layer 3
protocol.
The existing ipv4 specific conntrack code could also not deal
with the pecularities of doing connection tracking on ipv6,
which is also cured here. For example, these issues include:
1) ICMPv6 handling, which is used for neighbour discovery in
ipv6 thus some messages such as these should not participate
in connection tracking since effectively they are like ARP
messages
2) fragmentation must be handled differently in ipv6, because
the simplistic "defrag, connection track and NAT, refrag"
(which the existing ipv4 connection tracking does) approach simply
isn't feasible in ipv6
3) ipv6 extension header parsing must occur at the correct spots
before and after connection tracking decisions, and there were
no provisions for this in the existing connection tracking
design
4) ipv6 has no need for stateful NAT
The ipv4 specific conntrack layer is kept around, until all of
the ipv4 specific conntrack helpers are ported over to nf_conntrack
and it is feature complete. Once that occurs, the old conntrack
stuff will get placed into the feature-removal-schedule and we will
fully kill it off 6 months later.
Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
2005-11-10 01:38:16 +01:00
|
|
|
{
|
2018-06-29 07:46:50 +02:00
|
|
|
unsigned int *timeout = nf_ct_timeout_lookup(ct);
|
2018-09-12 15:19:08 +02:00
|
|
|
static const u8 valid_new[] = {
|
|
|
|
[ICMPV6_ECHO_REQUEST - 128] = 1,
|
|
|
|
[ICMPV6_NI_QUERY - 128] = 1
|
|
|
|
};
|
|
|
|
|
2018-09-17 12:02:54 +02:00
|
|
|
if (state->pf != NFPROTO_IPV6)
|
|
|
|
return -NF_ACCEPT;
|
|
|
|
|
2018-09-12 15:19:08 +02:00
|
|
|
if (!nf_ct_is_confirmed(ct)) {
|
|
|
|
int type = ct->tuplehash[0].tuple.dst.u.icmp.type - 128;
|
|
|
|
|
|
|
|
if (type < 0 || type >= sizeof(valid_new) || !valid_new[type]) {
|
|
|
|
/* Can't create a new ICMPv6 `conn' with this. */
|
|
|
|
pr_debug("icmpv6: can't create new conn with type %u\n",
|
|
|
|
type + 128);
|
|
|
|
nf_ct_dump_tuple_ipv6(&ct->tuplehash[0].tuple);
|
|
|
|
return -NF_ACCEPT;
|
|
|
|
}
|
|
|
|
}
|
2018-06-29 07:46:50 +02:00
|
|
|
|
|
|
|
if (!timeout)
|
|
|
|
timeout = icmpv6_get_timeouts(nf_ct_net(ct));
|
|
|
|
|
2009-06-08 15:53:43 +02:00
|
|
|
/* Do not immediately delete the connection after the first
|
|
|
|
successful reply to avoid excessive conntrackd traffic
|
|
|
|
and also to handle correctly ICMP echo reply duplicates. */
|
2012-02-28 18:23:31 +01:00
|
|
|
nf_ct_refresh_acct(ct, ctinfo, skb, *timeout);
|
[NETFILTER]: Add nf_conntrack subsystem.
The existing connection tracking subsystem in netfilter can only
handle ipv4. There were basically two choices present to add
connection tracking support for ipv6. We could either duplicate all
of the ipv4 connection tracking code into an ipv6 counterpart, or (the
choice taken by these patches) we could design a generic layer that
could handle both ipv4 and ipv6 and thus requiring only one sub-protocol
(TCP, UDP, etc.) connection tracking helper module to be written.
In fact nf_conntrack is capable of working with any layer 3
protocol.
The existing ipv4 specific conntrack code could also not deal
with the pecularities of doing connection tracking on ipv6,
which is also cured here. For example, these issues include:
1) ICMPv6 handling, which is used for neighbour discovery in
ipv6 thus some messages such as these should not participate
in connection tracking since effectively they are like ARP
messages
2) fragmentation must be handled differently in ipv6, because
the simplistic "defrag, connection track and NAT, refrag"
(which the existing ipv4 connection tracking does) approach simply
isn't feasible in ipv6
3) ipv6 extension header parsing must occur at the correct spots
before and after connection tracking decisions, and there were
no provisions for this in the existing connection tracking
design
4) ipv6 has no need for stateful NAT
The ipv4 specific conntrack layer is kept around, until all of
the ipv4 specific conntrack helpers are ported over to nf_conntrack
and it is feature complete. Once that occurs, the old conntrack
stuff will get placed into the feature-removal-schedule and we will
fully kill it off 6 months later.
Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
2005-11-10 01:38:16 +01:00
|
|
|
|
|
|
|
return NF_ACCEPT;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2018-09-12 15:19:07 +02:00
|
|
|
static void icmpv6_error_log(const struct sk_buff *skb,
|
|
|
|
const struct nf_hook_state *state,
|
|
|
|
const char *msg)
|
2017-10-11 10:47:40 +02:00
|
|
|
{
|
2018-09-12 15:19:07 +02:00
|
|
|
nf_l4proto_log_invalid(skb, state->net, state->pf,
|
|
|
|
IPPROTO_ICMPV6, "%s", msg);
|
2017-10-11 10:47:40 +02:00
|
|
|
}
|
|
|
|
|
2018-09-12 15:19:11 +02:00
|
|
|
int nf_conntrack_icmpv6_error(struct nf_conn *tmpl,
|
|
|
|
struct sk_buff *skb,
|
|
|
|
unsigned int dataoff,
|
|
|
|
const struct nf_hook_state *state)
|
[NETFILTER]: Add nf_conntrack subsystem.
The existing connection tracking subsystem in netfilter can only
handle ipv4. There were basically two choices present to add
connection tracking support for ipv6. We could either duplicate all
of the ipv4 connection tracking code into an ipv6 counterpart, or (the
choice taken by these patches) we could design a generic layer that
could handle both ipv4 and ipv6 and thus requiring only one sub-protocol
(TCP, UDP, etc.) connection tracking helper module to be written.
In fact nf_conntrack is capable of working with any layer 3
protocol.
The existing ipv4 specific conntrack code could also not deal
with the pecularities of doing connection tracking on ipv6,
which is also cured here. For example, these issues include:
1) ICMPv6 handling, which is used for neighbour discovery in
ipv6 thus some messages such as these should not participate
in connection tracking since effectively they are like ARP
messages
2) fragmentation must be handled differently in ipv6, because
the simplistic "defrag, connection track and NAT, refrag"
(which the existing ipv4 connection tracking does) approach simply
isn't feasible in ipv6
3) ipv6 extension header parsing must occur at the correct spots
before and after connection tracking decisions, and there were
no provisions for this in the existing connection tracking
design
4) ipv6 has no need for stateful NAT
The ipv4 specific conntrack layer is kept around, until all of
the ipv4 specific conntrack helpers are ported over to nf_conntrack
and it is feature complete. Once that occurs, the old conntrack
stuff will get placed into the feature-removal-schedule and we will
fully kill it off 6 months later.
Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
2005-11-10 01:38:16 +01:00
|
|
|
{
|
2019-03-25 23:11:54 +01:00
|
|
|
union nf_inet_addr outer_daddr;
|
2008-01-31 13:53:05 +01:00
|
|
|
const struct icmp6hdr *icmp6h;
|
|
|
|
struct icmp6hdr _ih;
|
2009-02-09 23:33:20 +01:00
|
|
|
int type;
|
[NETFILTER]: Add nf_conntrack subsystem.
The existing connection tracking subsystem in netfilter can only
handle ipv4. There were basically two choices present to add
connection tracking support for ipv6. We could either duplicate all
of the ipv4 connection tracking code into an ipv6 counterpart, or (the
choice taken by these patches) we could design a generic layer that
could handle both ipv4 and ipv6 and thus requiring only one sub-protocol
(TCP, UDP, etc.) connection tracking helper module to be written.
In fact nf_conntrack is capable of working with any layer 3
protocol.
The existing ipv4 specific conntrack code could also not deal
with the pecularities of doing connection tracking on ipv6,
which is also cured here. For example, these issues include:
1) ICMPv6 handling, which is used for neighbour discovery in
ipv6 thus some messages such as these should not participate
in connection tracking since effectively they are like ARP
messages
2) fragmentation must be handled differently in ipv6, because
the simplistic "defrag, connection track and NAT, refrag"
(which the existing ipv4 connection tracking does) approach simply
isn't feasible in ipv6
3) ipv6 extension header parsing must occur at the correct spots
before and after connection tracking decisions, and there were
no provisions for this in the existing connection tracking
design
4) ipv6 has no need for stateful NAT
The ipv4 specific conntrack layer is kept around, until all of
the ipv4 specific conntrack helpers are ported over to nf_conntrack
and it is feature complete. Once that occurs, the old conntrack
stuff will get placed into the feature-removal-schedule and we will
fully kill it off 6 months later.
Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
2005-11-10 01:38:16 +01:00
|
|
|
|
|
|
|
icmp6h = skb_header_pointer(skb, dataoff, sizeof(_ih), &_ih);
|
|
|
|
if (icmp6h == NULL) {
|
2018-09-12 15:19:07 +02:00
|
|
|
icmpv6_error_log(skb, state, "short packet");
|
[NETFILTER]: Add nf_conntrack subsystem.
The existing connection tracking subsystem in netfilter can only
handle ipv4. There were basically two choices present to add
connection tracking support for ipv6. We could either duplicate all
of the ipv4 connection tracking code into an ipv6 counterpart, or (the
choice taken by these patches) we could design a generic layer that
could handle both ipv4 and ipv6 and thus requiring only one sub-protocol
(TCP, UDP, etc.) connection tracking helper module to be written.
In fact nf_conntrack is capable of working with any layer 3
protocol.
The existing ipv4 specific conntrack code could also not deal
with the pecularities of doing connection tracking on ipv6,
which is also cured here. For example, these issues include:
1) ICMPv6 handling, which is used for neighbour discovery in
ipv6 thus some messages such as these should not participate
in connection tracking since effectively they are like ARP
messages
2) fragmentation must be handled differently in ipv6, because
the simplistic "defrag, connection track and NAT, refrag"
(which the existing ipv4 connection tracking does) approach simply
isn't feasible in ipv6
3) ipv6 extension header parsing must occur at the correct spots
before and after connection tracking decisions, and there were
no provisions for this in the existing connection tracking
design
4) ipv6 has no need for stateful NAT
The ipv4 specific conntrack layer is kept around, until all of
the ipv4 specific conntrack helpers are ported over to nf_conntrack
and it is feature complete. Once that occurs, the old conntrack
stuff will get placed into the feature-removal-schedule and we will
fully kill it off 6 months later.
Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
2005-11-10 01:38:16 +01:00
|
|
|
return -NF_ACCEPT;
|
|
|
|
}
|
|
|
|
|
2018-09-12 15:19:07 +02:00
|
|
|
if (state->hook == NF_INET_PRE_ROUTING &&
|
|
|
|
state->net->ct.sysctl_checksum &&
|
|
|
|
nf_ip6_checksum(skb, state->hook, dataoff, IPPROTO_ICMPV6)) {
|
|
|
|
icmpv6_error_log(skb, state, "ICMPv6 checksum failed");
|
[NETFILTER]: Add nf_conntrack subsystem.
The existing connection tracking subsystem in netfilter can only
handle ipv4. There were basically two choices present to add
connection tracking support for ipv6. We could either duplicate all
of the ipv4 connection tracking code into an ipv6 counterpart, or (the
choice taken by these patches) we could design a generic layer that
could handle both ipv4 and ipv6 and thus requiring only one sub-protocol
(TCP, UDP, etc.) connection tracking helper module to be written.
In fact nf_conntrack is capable of working with any layer 3
protocol.
The existing ipv4 specific conntrack code could also not deal
with the pecularities of doing connection tracking on ipv6,
which is also cured here. For example, these issues include:
1) ICMPv6 handling, which is used for neighbour discovery in
ipv6 thus some messages such as these should not participate
in connection tracking since effectively they are like ARP
messages
2) fragmentation must be handled differently in ipv6, because
the simplistic "defrag, connection track and NAT, refrag"
(which the existing ipv4 connection tracking does) approach simply
isn't feasible in ipv6
3) ipv6 extension header parsing must occur at the correct spots
before and after connection tracking decisions, and there were
no provisions for this in the existing connection tracking
design
4) ipv6 has no need for stateful NAT
The ipv4 specific conntrack layer is kept around, until all of
the ipv4 specific conntrack helpers are ported over to nf_conntrack
and it is feature complete. Once that occurs, the old conntrack
stuff will get placed into the feature-removal-schedule and we will
fully kill it off 6 months later.
Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
2005-11-10 01:38:16 +01:00
|
|
|
return -NF_ACCEPT;
|
|
|
|
}
|
|
|
|
|
2009-02-09 23:33:20 +01:00
|
|
|
type = icmp6h->icmp6_type - 130;
|
|
|
|
if (type >= 0 && type < sizeof(noct_valid_new) &&
|
|
|
|
noct_valid_new[type]) {
|
netfilter: kill the fake untracked conntrack objects
resurrect an old patch from Pablo Neira to remove the untracked objects.
Currently, there are four possible states of an skb wrt. conntrack.
1. No conntrack attached, ct is NULL.
2. Normal (kmem cache allocated) ct attached.
3. a template (kmalloc'd), not in any hash tables at any point in time
4. the 'untracked' conntrack, a percpu nf_conn object, tagged via
IPS_UNTRACKED_BIT in ct->status.
Untracked is supposed to be identical to case 1. It exists only
so users can check
-m conntrack --ctstate UNTRACKED vs.
-m conntrack --ctstate INVALID
e.g. attempts to set connmark on INVALID or UNTRACKED conntracks is
supposed to be a no-op.
Thus currently we need to check
ct == NULL || nf_ct_is_untracked(ct)
in a lot of places in order to avoid altering untracked objects.
The other consequence of the percpu untracked object is that all
-j NOTRACK (and, later, kfree_skb of such skbs) result in an atomic op
(inc/dec the untracked conntracks refcount).
This adds a new kernel-private ctinfo state, IP_CT_UNTRACKED, to
make the distinction instead.
The (few) places that care about packet invalid (ct is NULL) vs.
packet untracked now need to test ct == NULL vs. ctinfo == IP_CT_UNTRACKED,
but all other places can omit the nf_ct_is_untracked() check.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2017-04-14 20:31:08 +02:00
|
|
|
nf_ct_set(skb, NULL, IP_CT_UNTRACKED);
|
2009-02-09 23:33:20 +01:00
|
|
|
return NF_ACCEPT;
|
|
|
|
}
|
|
|
|
|
[NETFILTER]: Add nf_conntrack subsystem.
The existing connection tracking subsystem in netfilter can only
handle ipv4. There were basically two choices present to add
connection tracking support for ipv6. We could either duplicate all
of the ipv4 connection tracking code into an ipv6 counterpart, or (the
choice taken by these patches) we could design a generic layer that
could handle both ipv4 and ipv6 and thus requiring only one sub-protocol
(TCP, UDP, etc.) connection tracking helper module to be written.
In fact nf_conntrack is capable of working with any layer 3
protocol.
The existing ipv4 specific conntrack code could also not deal
with the pecularities of doing connection tracking on ipv6,
which is also cured here. For example, these issues include:
1) ICMPv6 handling, which is used for neighbour discovery in
ipv6 thus some messages such as these should not participate
in connection tracking since effectively they are like ARP
messages
2) fragmentation must be handled differently in ipv6, because
the simplistic "defrag, connection track and NAT, refrag"
(which the existing ipv4 connection tracking does) approach simply
isn't feasible in ipv6
3) ipv6 extension header parsing must occur at the correct spots
before and after connection tracking decisions, and there were
no provisions for this in the existing connection tracking
design
4) ipv6 has no need for stateful NAT
The ipv4 specific conntrack layer is kept around, until all of
the ipv4 specific conntrack helpers are ported over to nf_conntrack
and it is feature complete. Once that occurs, the old conntrack
stuff will get placed into the feature-removal-schedule and we will
fully kill it off 6 months later.
Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
2005-11-10 01:38:16 +01:00
|
|
|
/* is not error message ? */
|
|
|
|
if (icmp6h->icmp6_type >= 128)
|
|
|
|
return NF_ACCEPT;
|
|
|
|
|
2019-03-25 23:11:54 +01:00
|
|
|
memcpy(&outer_daddr.ip6, &ipv6_hdr(skb)->daddr,
|
|
|
|
sizeof(outer_daddr.ip6));
|
|
|
|
dataoff += sizeof(*icmp6h);
|
|
|
|
return nf_conntrack_inet_error(tmpl, skb, dataoff, state,
|
|
|
|
IPPROTO_ICMPV6, &outer_daddr);
|
[NETFILTER]: Add nf_conntrack subsystem.
The existing connection tracking subsystem in netfilter can only
handle ipv4. There were basically two choices present to add
connection tracking support for ipv6. We could either duplicate all
of the ipv4 connection tracking code into an ipv6 counterpart, or (the
choice taken by these patches) we could design a generic layer that
could handle both ipv4 and ipv6 and thus requiring only one sub-protocol
(TCP, UDP, etc.) connection tracking helper module to be written.
In fact nf_conntrack is capable of working with any layer 3
protocol.
The existing ipv4 specific conntrack code could also not deal
with the pecularities of doing connection tracking on ipv6,
which is also cured here. For example, these issues include:
1) ICMPv6 handling, which is used for neighbour discovery in
ipv6 thus some messages such as these should not participate
in connection tracking since effectively they are like ARP
messages
2) fragmentation must be handled differently in ipv6, because
the simplistic "defrag, connection track and NAT, refrag"
(which the existing ipv4 connection tracking does) approach simply
isn't feasible in ipv6
3) ipv6 extension header parsing must occur at the correct spots
before and after connection tracking decisions, and there were
no provisions for this in the existing connection tracking
design
4) ipv6 has no need for stateful NAT
The ipv4 specific conntrack layer is kept around, until all of
the ipv4 specific conntrack helpers are ported over to nf_conntrack
and it is feature complete. Once that occurs, the old conntrack
stuff will get placed into the feature-removal-schedule and we will
fully kill it off 6 months later.
Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
2005-11-10 01:38:16 +01:00
|
|
|
}
|
|
|
|
|
2012-10-29 17:23:10 +01:00
|
|
|
#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
|
2006-01-05 21:19:05 +01:00
|
|
|
|
|
|
|
#include <linux/netfilter/nfnetlink.h>
|
|
|
|
#include <linux/netfilter/nfnetlink_conntrack.h>
|
2007-09-28 23:37:41 +02:00
|
|
|
static int icmpv6_tuple_to_nlattr(struct sk_buff *skb,
|
2006-01-05 21:19:05 +01:00
|
|
|
const struct nf_conntrack_tuple *t)
|
|
|
|
{
|
2012-04-02 02:28:52 +02:00
|
|
|
if (nla_put_be16(skb, CTA_PROTO_ICMPV6_ID, t->src.u.icmp.id) ||
|
|
|
|
nla_put_u8(skb, CTA_PROTO_ICMPV6_TYPE, t->dst.u.icmp.type) ||
|
|
|
|
nla_put_u8(skb, CTA_PROTO_ICMPV6_CODE, t->dst.u.icmp.code))
|
|
|
|
goto nla_put_failure;
|
2006-01-05 21:19:05 +01:00
|
|
|
return 0;
|
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
nla_put_failure:
|
2006-01-05 21:19:05 +01:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
2007-09-28 23:39:55 +02:00
|
|
|
static const struct nla_policy icmpv6_nla_policy[CTA_PROTO_MAX+1] = {
|
|
|
|
[CTA_PROTO_ICMPV6_TYPE] = { .type = NLA_U8 },
|
|
|
|
[CTA_PROTO_ICMPV6_CODE] = { .type = NLA_U8 },
|
|
|
|
[CTA_PROTO_ICMPV6_ID] = { .type = NLA_U16 },
|
2006-01-05 21:19:05 +01:00
|
|
|
};
|
|
|
|
|
2007-09-28 23:37:41 +02:00
|
|
|
static int icmpv6_nlattr_to_tuple(struct nlattr *tb[],
|
2006-01-05 21:19:05 +01:00
|
|
|
struct nf_conntrack_tuple *tuple)
|
|
|
|
{
|
2009-11-23 23:17:06 +01:00
|
|
|
if (!tb[CTA_PROTO_ICMPV6_TYPE] ||
|
|
|
|
!tb[CTA_PROTO_ICMPV6_CODE] ||
|
|
|
|
!tb[CTA_PROTO_ICMPV6_ID])
|
2006-01-05 21:19:05 +01:00
|
|
|
return -EINVAL;
|
|
|
|
|
2007-12-18 07:29:45 +01:00
|
|
|
tuple->dst.u.icmp.type = nla_get_u8(tb[CTA_PROTO_ICMPV6_TYPE]);
|
|
|
|
tuple->dst.u.icmp.code = nla_get_u8(tb[CTA_PROTO_ICMPV6_CODE]);
|
|
|
|
tuple->src.u.icmp.id = nla_get_be16(tb[CTA_PROTO_ICMPV6_ID]);
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2009-11-23 23:17:06 +01:00
|
|
|
if (tuple->dst.u.icmp.type < 128 ||
|
|
|
|
tuple->dst.u.icmp.type - 128 >= sizeof(invmap) ||
|
|
|
|
!invmap[tuple->dst.u.icmp.type - 128])
|
2006-01-05 21:19:05 +01:00
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
2009-03-25 21:53:39 +01:00
|
|
|
|
2017-11-02 19:41:09 +01:00
|
|
|
static unsigned int icmpv6_nlattr_tuple_size(void)
|
2009-03-25 21:53:39 +01:00
|
|
|
{
|
2017-11-02 19:41:09 +01:00
|
|
|
static unsigned int size __read_mostly;
|
|
|
|
|
|
|
|
if (!size)
|
|
|
|
size = nla_policy_len(icmpv6_nla_policy, CTA_PROTO_MAX + 1);
|
|
|
|
|
|
|
|
return size;
|
2009-03-25 21:53:39 +01:00
|
|
|
}
|
2006-01-05 21:19:05 +01:00
|
|
|
#endif
|
|
|
|
|
2018-08-31 12:36:01 +02:00
|
|
|
#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
|
2012-02-28 19:13:48 +01:00
|
|
|
|
|
|
|
#include <linux/netfilter/nfnetlink.h>
|
|
|
|
#include <linux/netfilter/nfnetlink_cttimeout.h>
|
|
|
|
|
2012-05-28 23:04:23 +02:00
|
|
|
static int icmpv6_timeout_nlattr_to_obj(struct nlattr *tb[],
|
|
|
|
struct net *net, void *data)
|
2012-02-28 19:13:48 +01:00
|
|
|
{
|
|
|
|
unsigned int *timeout = data;
|
2018-11-02 00:11:34 +01:00
|
|
|
struct nf_icmp_net *in = nf_icmpv6_pernet(net);
|
2012-02-28 19:13:48 +01:00
|
|
|
|
2018-06-29 07:46:50 +02:00
|
|
|
if (!timeout)
|
|
|
|
timeout = icmpv6_get_timeouts(net);
|
2012-02-28 19:13:48 +01:00
|
|
|
if (tb[CTA_TIMEOUT_ICMPV6_TIMEOUT]) {
|
|
|
|
*timeout =
|
|
|
|
ntohl(nla_get_be32(tb[CTA_TIMEOUT_ICMPV6_TIMEOUT])) * HZ;
|
|
|
|
} else {
|
|
|
|
/* Set default ICMPv6 timeout. */
|
2012-05-28 23:04:23 +02:00
|
|
|
*timeout = in->timeout;
|
2012-02-28 19:13:48 +01:00
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
|
|
|
icmpv6_timeout_obj_to_nlattr(struct sk_buff *skb, const void *data)
|
|
|
|
{
|
|
|
|
const unsigned int *timeout = data;
|
|
|
|
|
2012-04-02 02:28:52 +02:00
|
|
|
if (nla_put_be32(skb, CTA_TIMEOUT_ICMPV6_TIMEOUT, htonl(*timeout / HZ)))
|
|
|
|
goto nla_put_failure;
|
2012-02-28 19:13:48 +01:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
nla_put_failure:
|
|
|
|
return -ENOSPC;
|
|
|
|
}
|
|
|
|
|
|
|
|
static const struct nla_policy
|
|
|
|
icmpv6_timeout_nla_policy[CTA_TIMEOUT_ICMPV6_MAX+1] = {
|
|
|
|
[CTA_TIMEOUT_ICMPV6_TIMEOUT] = { .type = NLA_U32 },
|
|
|
|
};
|
2018-08-31 12:36:01 +02:00
|
|
|
#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
|
2012-02-28 19:13:48 +01:00
|
|
|
|
2019-01-15 22:03:45 +01:00
|
|
|
void nf_conntrack_icmpv6_init_net(struct net *net)
|
2012-06-21 06:36:50 +02:00
|
|
|
{
|
2018-11-02 00:11:34 +01:00
|
|
|
struct nf_icmp_net *in = nf_icmpv6_pernet(net);
|
2012-06-21 06:36:50 +02:00
|
|
|
|
|
|
|
in->timeout = nf_ct_icmpv6_timeout;
|
2012-06-29 07:23:24 +02:00
|
|
|
}
|
|
|
|
|
2017-11-07 07:20:09 +01:00
|
|
|
const struct nf_conntrack_l4proto nf_conntrack_l4proto_icmpv6 =
|
[NETFILTER]: Add nf_conntrack subsystem.
The existing connection tracking subsystem in netfilter can only
handle ipv4. There were basically two choices present to add
connection tracking support for ipv6. We could either duplicate all
of the ipv4 connection tracking code into an ipv6 counterpart, or (the
choice taken by these patches) we could design a generic layer that
could handle both ipv4 and ipv6 and thus requiring only one sub-protocol
(TCP, UDP, etc.) connection tracking helper module to be written.
In fact nf_conntrack is capable of working with any layer 3
protocol.
The existing ipv4 specific conntrack code could also not deal
with the pecularities of doing connection tracking on ipv6,
which is also cured here. For example, these issues include:
1) ICMPv6 handling, which is used for neighbour discovery in
ipv6 thus some messages such as these should not participate
in connection tracking since effectively they are like ARP
messages
2) fragmentation must be handled differently in ipv6, because
the simplistic "defrag, connection track and NAT, refrag"
(which the existing ipv4 connection tracking does) approach simply
isn't feasible in ipv6
3) ipv6 extension header parsing must occur at the correct spots
before and after connection tracking decisions, and there were
no provisions for this in the existing connection tracking
design
4) ipv6 has no need for stateful NAT
The ipv4 specific conntrack layer is kept around, until all of
the ipv4 specific conntrack helpers are ported over to nf_conntrack
and it is feature complete. Once that occurs, the old conntrack
stuff will get placed into the feature-removal-schedule and we will
fully kill it off 6 months later.
Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
2005-11-10 01:38:16 +01:00
|
|
|
{
|
2006-11-29 02:35:06 +01:00
|
|
|
.l4proto = IPPROTO_ICMPV6,
|
2012-10-29 17:23:10 +01:00
|
|
|
#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
|
2007-09-28 23:37:41 +02:00
|
|
|
.tuple_to_nlattr = icmpv6_tuple_to_nlattr,
|
2009-03-25 21:53:39 +01:00
|
|
|
.nlattr_tuple_size = icmpv6_nlattr_tuple_size,
|
2007-09-28 23:37:41 +02:00
|
|
|
.nlattr_to_tuple = icmpv6_nlattr_to_tuple,
|
2007-09-28 23:39:55 +02:00
|
|
|
.nla_policy = icmpv6_nla_policy,
|
2006-01-05 21:19:05 +01:00
|
|
|
#endif
|
2018-08-31 12:36:01 +02:00
|
|
|
#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
|
2012-02-28 19:13:48 +01:00
|
|
|
.ctnl_timeout = {
|
|
|
|
.nlattr_to_obj = icmpv6_timeout_nlattr_to_obj,
|
|
|
|
.obj_to_nlattr = icmpv6_timeout_obj_to_nlattr,
|
|
|
|
.nlattr_max = CTA_TIMEOUT_ICMP_MAX,
|
|
|
|
.obj_size = sizeof(unsigned int),
|
|
|
|
.nla_policy = icmpv6_timeout_nla_policy,
|
|
|
|
},
|
2018-08-31 12:36:01 +02:00
|
|
|
#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
|
[NETFILTER]: Add nf_conntrack subsystem.
The existing connection tracking subsystem in netfilter can only
handle ipv4. There were basically two choices present to add
connection tracking support for ipv6. We could either duplicate all
of the ipv4 connection tracking code into an ipv6 counterpart, or (the
choice taken by these patches) we could design a generic layer that
could handle both ipv4 and ipv6 and thus requiring only one sub-protocol
(TCP, UDP, etc.) connection tracking helper module to be written.
In fact nf_conntrack is capable of working with any layer 3
protocol.
The existing ipv4 specific conntrack code could also not deal
with the pecularities of doing connection tracking on ipv6,
which is also cured here. For example, these issues include:
1) ICMPv6 handling, which is used for neighbour discovery in
ipv6 thus some messages such as these should not participate
in connection tracking since effectively they are like ARP
messages
2) fragmentation must be handled differently in ipv6, because
the simplistic "defrag, connection track and NAT, refrag"
(which the existing ipv4 connection tracking does) approach simply
isn't feasible in ipv6
3) ipv6 extension header parsing must occur at the correct spots
before and after connection tracking decisions, and there were
no provisions for this in the existing connection tracking
design
4) ipv6 has no need for stateful NAT
The ipv4 specific conntrack layer is kept around, until all of
the ipv4 specific conntrack helpers are ported over to nf_conntrack
and it is feature complete. Once that occurs, the old conntrack
stuff will get placed into the feature-removal-schedule and we will
fully kill it off 6 months later.
Signed-off-by: Yasuyuki Kozakai <yasuyuki.kozakai@toshiba.co.jp>
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: Arnaldo Carvalho de Melo <acme@mandriva.com>
2005-11-10 01:38:16 +01:00
|
|
|
};
|