1 // SPDX-License-Identifier: GPL-2.0-only
3 * Copyright (c) 2014 Pablo Neira Ayuso <pablo@netfilter.org>
6 #include <linux/kernel.h>
7 #include <linux/init.h>
8 #include <linux/module.h>
9 #include <linux/netlink.h>
10 #include <linux/netfilter.h>
11 #include <linux/netfilter/nf_tables.h>
12 #include <net/netfilter/nf_tables.h>
13 #include <net/netfilter/nft_reject.h>
14 #include <net/netfilter/ipv4/nf_reject.h>
15 #include <net/netfilter/ipv6/nf_reject.h>
18 #include <net/ip6_checksum.h>
19 #include <linux/netfilter_bridge.h>
20 #include <linux/netfilter_ipv6.h>
21 #include "../br_private.h"
23 static void nft_reject_br_push_etherhdr(struct sk_buff *oldskb,
28 eth = skb_push(nskb, ETH_HLEN);
29 skb_reset_mac_header(nskb);
30 ether_addr_copy(eth->h_source, eth_hdr(oldskb)->h_dest);
31 ether_addr_copy(eth->h_dest, eth_hdr(oldskb)->h_source);
32 eth->h_proto = eth_hdr(oldskb)->h_proto;
33 skb_pull(nskb, ETH_HLEN);
35 if (skb_vlan_tag_present(oldskb)) {
36 u16 vid = skb_vlan_tag_get(oldskb);
38 __vlan_hwaccel_put_tag(nskb, oldskb->vlan_proto, vid);
42 static int nft_bridge_iphdr_validate(struct sk_buff *skb)
47 if (!pskb_may_pull(skb, sizeof(struct iphdr)))
51 if (iph->ihl < 5 || iph->version != 4)
54 len = ntohs(iph->tot_len);
57 else if (len < (iph->ihl*4))
60 if (!pskb_may_pull(skb, iph->ihl*4))
66 /* We cannot use oldskb->dev, it can be either bridge device (NF_BRIDGE INPUT)
67 * or the bridge port (NF_BRIDGE PREROUTING).
69 static void nft_reject_br_send_v4_tcp_reset(struct net *net,
70 struct sk_buff *oldskb,
71 const struct net_device *dev,
76 const struct tcphdr *oth;
79 if (!nft_bridge_iphdr_validate(oldskb))
82 oth = nf_reject_ip_tcphdr_get(oldskb, &_oth, hook);
86 nskb = alloc_skb(sizeof(struct iphdr) + sizeof(struct tcphdr) +
87 LL_MAX_HEADER, GFP_ATOMIC);
91 skb_reserve(nskb, LL_MAX_HEADER);
92 niph = nf_reject_iphdr_put(nskb, oldskb, IPPROTO_TCP,
93 net->ipv4.sysctl_ip_default_ttl);
94 nf_reject_ip_tcphdr_put(nskb, oldskb, oth);
95 niph->tot_len = htons(nskb->len);
98 nft_reject_br_push_etherhdr(oldskb, nskb);
100 br_forward(br_port_get_rcu(dev), nskb, false, true);
103 static void nft_reject_br_send_v4_unreach(struct net *net,
104 struct sk_buff *oldskb,
105 const struct net_device *dev,
108 struct sk_buff *nskb;
110 struct icmphdr *icmph;
115 if (!nft_bridge_iphdr_validate(oldskb))
118 /* IP header checks: fragment. */
119 if (ip_hdr(oldskb)->frag_off & htons(IP_OFFSET))
122 /* RFC says return as much as we can without exceeding 576 bytes. */
123 len = min_t(unsigned int, 536, oldskb->len);
125 if (!pskb_may_pull(oldskb, len))
128 if (pskb_trim_rcsum(oldskb, ntohs(ip_hdr(oldskb)->tot_len)))
131 proto = ip_hdr(oldskb)->protocol;
133 if (!skb_csum_unnecessary(oldskb) &&
134 nf_reject_verify_csum(proto) &&
135 nf_ip_checksum(oldskb, hook, ip_hdrlen(oldskb), proto))
138 nskb = alloc_skb(sizeof(struct iphdr) + sizeof(struct icmphdr) +
139 LL_MAX_HEADER + len, GFP_ATOMIC);
143 skb_reserve(nskb, LL_MAX_HEADER);
144 niph = nf_reject_iphdr_put(nskb, oldskb, IPPROTO_ICMP,
145 net->ipv4.sysctl_ip_default_ttl);
147 skb_reset_transport_header(nskb);
148 icmph = skb_put_zero(nskb, sizeof(struct icmphdr));
149 icmph->type = ICMP_DEST_UNREACH;
152 skb_put_data(nskb, skb_network_header(oldskb), len);
154 csum = csum_partial((void *)icmph, len + sizeof(struct icmphdr), 0);
155 icmph->checksum = csum_fold(csum);
157 niph->tot_len = htons(nskb->len);
160 nft_reject_br_push_etherhdr(oldskb, nskb);
162 br_forward(br_port_get_rcu(dev), nskb, false, true);
165 static int nft_bridge_ip6hdr_validate(struct sk_buff *skb)
170 if (!pskb_may_pull(skb, sizeof(struct ipv6hdr)))
174 if (hdr->version != 6)
177 pkt_len = ntohs(hdr->payload_len);
178 if (pkt_len + sizeof(struct ipv6hdr) > skb->len)
184 static void nft_reject_br_send_v6_tcp_reset(struct net *net,
185 struct sk_buff *oldskb,
186 const struct net_device *dev,
189 struct sk_buff *nskb;
190 const struct tcphdr *oth;
192 unsigned int otcplen;
193 struct ipv6hdr *nip6h;
195 if (!nft_bridge_ip6hdr_validate(oldskb))
198 oth = nf_reject_ip6_tcphdr_get(oldskb, &_oth, &otcplen, hook);
202 nskb = alloc_skb(sizeof(struct ipv6hdr) + sizeof(struct tcphdr) +
203 LL_MAX_HEADER, GFP_ATOMIC);
207 skb_reserve(nskb, LL_MAX_HEADER);
208 nip6h = nf_reject_ip6hdr_put(nskb, oldskb, IPPROTO_TCP,
209 net->ipv6.devconf_all->hop_limit);
210 nf_reject_ip6_tcphdr_put(nskb, oldskb, oth, otcplen);
211 nip6h->payload_len = htons(nskb->len - sizeof(struct ipv6hdr));
213 nft_reject_br_push_etherhdr(oldskb, nskb);
215 br_forward(br_port_get_rcu(dev), nskb, false, true);
218 static bool reject6_br_csum_ok(struct sk_buff *skb, int hook)
220 const struct ipv6hdr *ip6h = ipv6_hdr(skb);
223 u8 proto = ip6h->nexthdr;
225 if (skb_csum_unnecessary(skb))
228 if (ip6h->payload_len &&
229 pskb_trim_rcsum(skb, ntohs(ip6h->payload_len) + sizeof(*ip6h)))
232 ip6h = ipv6_hdr(skb);
233 thoff = ipv6_skip_exthdr(skb, ((u8*)(ip6h+1) - skb->data), &proto, &fo);
234 if (thoff < 0 || thoff >= skb->len || (fo & htons(~0x7)) != 0)
237 if (!nf_reject_verify_csum(proto))
240 return nf_ip6_checksum(skb, hook, thoff, proto) == 0;
243 static void nft_reject_br_send_v6_unreach(struct net *net,
244 struct sk_buff *oldskb,
245 const struct net_device *dev,
248 struct sk_buff *nskb;
249 struct ipv6hdr *nip6h;
250 struct icmp6hdr *icmp6h;
253 if (!nft_bridge_ip6hdr_validate(oldskb))
256 /* Include "As much of invoking packet as possible without the ICMPv6
257 * packet exceeding the minimum IPv6 MTU" in the ICMP payload.
259 len = min_t(unsigned int, 1220, oldskb->len);
261 if (!pskb_may_pull(oldskb, len))
264 if (!reject6_br_csum_ok(oldskb, hook))
267 nskb = alloc_skb(sizeof(struct ipv6hdr) + sizeof(struct icmp6hdr) +
268 LL_MAX_HEADER + len, GFP_ATOMIC);
272 skb_reserve(nskb, LL_MAX_HEADER);
273 nip6h = nf_reject_ip6hdr_put(nskb, oldskb, IPPROTO_ICMPV6,
274 net->ipv6.devconf_all->hop_limit);
276 skb_reset_transport_header(nskb);
277 icmp6h = skb_put_zero(nskb, sizeof(struct icmp6hdr));
278 icmp6h->icmp6_type = ICMPV6_DEST_UNREACH;
279 icmp6h->icmp6_code = code;
281 skb_put_data(nskb, skb_network_header(oldskb), len);
282 nip6h->payload_len = htons(nskb->len - sizeof(struct ipv6hdr));
284 icmp6h->icmp6_cksum =
285 csum_ipv6_magic(&nip6h->saddr, &nip6h->daddr,
286 nskb->len - sizeof(struct ipv6hdr),
289 nskb->len - sizeof(struct ipv6hdr),
292 nft_reject_br_push_etherhdr(oldskb, nskb);
294 br_forward(br_port_get_rcu(dev), nskb, false, true);
297 static void nft_reject_bridge_eval(const struct nft_expr *expr,
298 struct nft_regs *regs,
299 const struct nft_pktinfo *pkt)
301 struct nft_reject *priv = nft_expr_priv(expr);
302 const unsigned char *dest = eth_hdr(pkt->skb)->h_dest;
304 if (is_broadcast_ether_addr(dest) ||
305 is_multicast_ether_addr(dest))
308 switch (eth_hdr(pkt->skb)->h_proto) {
309 case htons(ETH_P_IP):
310 switch (priv->type) {
311 case NFT_REJECT_ICMP_UNREACH:
312 nft_reject_br_send_v4_unreach(nft_net(pkt), pkt->skb,
317 case NFT_REJECT_TCP_RST:
318 nft_reject_br_send_v4_tcp_reset(nft_net(pkt), pkt->skb,
322 case NFT_REJECT_ICMPX_UNREACH:
323 nft_reject_br_send_v4_unreach(nft_net(pkt), pkt->skb,
326 nft_reject_icmp_code(priv->icmp_code));
330 case htons(ETH_P_IPV6):
331 switch (priv->type) {
332 case NFT_REJECT_ICMP_UNREACH:
333 nft_reject_br_send_v6_unreach(nft_net(pkt), pkt->skb,
338 case NFT_REJECT_TCP_RST:
339 nft_reject_br_send_v6_tcp_reset(nft_net(pkt), pkt->skb,
343 case NFT_REJECT_ICMPX_UNREACH:
344 nft_reject_br_send_v6_unreach(nft_net(pkt), pkt->skb,
347 nft_reject_icmpv6_code(priv->icmp_code));
352 /* No explicit way to reject this protocol, drop it. */
356 regs->verdict.code = NF_DROP;
359 static int nft_reject_bridge_validate(const struct nft_ctx *ctx,
360 const struct nft_expr *expr,
361 const struct nft_data **data)
363 return nft_chain_validate_hooks(ctx->chain, (1 << NF_BR_PRE_ROUTING) |
364 (1 << NF_BR_LOCAL_IN));
367 static int nft_reject_bridge_init(const struct nft_ctx *ctx,
368 const struct nft_expr *expr,
369 const struct nlattr * const tb[])
371 struct nft_reject *priv = nft_expr_priv(expr);
374 if (tb[NFTA_REJECT_TYPE] == NULL)
377 priv->type = ntohl(nla_get_be32(tb[NFTA_REJECT_TYPE]));
378 switch (priv->type) {
379 case NFT_REJECT_ICMP_UNREACH:
380 case NFT_REJECT_ICMPX_UNREACH:
381 if (tb[NFTA_REJECT_ICMP_CODE] == NULL)
384 icmp_code = nla_get_u8(tb[NFTA_REJECT_ICMP_CODE]);
385 if (priv->type == NFT_REJECT_ICMPX_UNREACH &&
386 icmp_code > NFT_REJECT_ICMPX_MAX)
389 priv->icmp_code = icmp_code;
391 case NFT_REJECT_TCP_RST:
399 static int nft_reject_bridge_dump(struct sk_buff *skb,
400 const struct nft_expr *expr)
402 const struct nft_reject *priv = nft_expr_priv(expr);
404 if (nla_put_be32(skb, NFTA_REJECT_TYPE, htonl(priv->type)))
405 goto nla_put_failure;
407 switch (priv->type) {
408 case NFT_REJECT_ICMP_UNREACH:
409 case NFT_REJECT_ICMPX_UNREACH:
410 if (nla_put_u8(skb, NFTA_REJECT_ICMP_CODE, priv->icmp_code))
411 goto nla_put_failure;
423 static struct nft_expr_type nft_reject_bridge_type;
424 static const struct nft_expr_ops nft_reject_bridge_ops = {
425 .type = &nft_reject_bridge_type,
426 .size = NFT_EXPR_SIZE(sizeof(struct nft_reject)),
427 .eval = nft_reject_bridge_eval,
428 .init = nft_reject_bridge_init,
429 .dump = nft_reject_bridge_dump,
430 .validate = nft_reject_bridge_validate,
433 static struct nft_expr_type nft_reject_bridge_type __read_mostly = {
434 .family = NFPROTO_BRIDGE,
436 .ops = &nft_reject_bridge_ops,
437 .policy = nft_reject_policy,
438 .maxattr = NFTA_REJECT_MAX,
439 .owner = THIS_MODULE,
442 static int __init nft_reject_bridge_module_init(void)
444 return nft_register_expr(&nft_reject_bridge_type);
447 static void __exit nft_reject_bridge_module_exit(void)
449 nft_unregister_expr(&nft_reject_bridge_type);
452 module_init(nft_reject_bridge_module_init);
453 module_exit(nft_reject_bridge_module_exit);
455 MODULE_LICENSE("GPL");
456 MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
457 MODULE_ALIAS_NFT_AF_EXPR(AF_BRIDGE, "reject");
458 MODULE_DESCRIPTION("Reject packets from bridge via nftables");