You cannot select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
openwrt/target/linux/generic/pending-5.4/611-netfilter_match_bypass_...

107 lines
3.4 KiB
Diff

From: Felix Fietkau <nbd@nbd.name>
Subject: netfilter: match bypass default table
Signed-off-by: Felix Fietkau <nbd@nbd.name>
---
net/ipv4/netfilter/ip_tables.c | 79 +++++++++++++++++++++++++++++++-----------
1 file changed, 58 insertions(+), 21 deletions(-)
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
kernel: add support for kernel 5.4 The following patches were removed because they are integrated in the upstream kernel 5.4: * backport-5.4/047-v4.21-mtd-keep-original-flags-for-every-struct-mtd_info.patch * backport-5.4/048-v4.21-mtd-improve-calculating-partition-boundaries-when-ch.patch * backport-5.4/080-v5.1-0001-bcma-keep-a-direct-pointer-to-the-struct-device.patch * backport-5.4/080-v5.1-0002-bcma-use-dev_-printing-functions.patch * backport-5.4/095-Allow-class-e-address-assignment-via-ifconfig-ioctl.patch * backport-5.4/101-arm-cns3xxx-use-actual-size-reads-for-PCIe.patch * backport-5.4/200-v5.2-usb-dwc2-Set-lpm-mode-parameters-depend-on-HW-configuration.patch * backport-5.4/210-arm64-sve-Disentangle-uapi-asm-ptrace.h-from-uapi-as.patch * backport-5.4/380-v5.3-net-sched-Introduce-act_ctinfo-action.patch * backport-5.4/450-v5.0-mtd-spinand-winbond-Add-support-for-W25N01GV.patch * backport-5.4/451-v5.0-mtd-spinand-Add-initial-support-for-Toshiba-TC58CVG2.patch * backport-5.4/452-v5.0-mtd-spinand-add-support-for-GigaDevice-GD5FxGQ4xA.patch * backport-5.4/455-v5.1-mtd-spinand-Add-support-for-all-Toshiba-Memory-produ.patch * backport-5.4/456-v5.1-mtd-spinand-Add-support-for-GigaDevice-GD5F1GQ4UExxG.patch * backport-5.4/460-v5.0-mtd-spi-nor-Add-support-for-mx25u12835f.patch * backport-5.4/460-v5.3-mtd-spinand-Define-macros-for-page-read-ops-with-thr.patch * backport-5.4/461-v5.3-mtd-spinand-Add-support-for-two-byte-device-IDs.patch * backport-5.4/462-v5.3-mtd-spinand-Add-support-for-GigaDevice-GD5F1GQ4UFxxG.patch * backport-5.4/463-v5.3-mtd-spinand-Add-initial-support-for-Paragon-PN26G0xA.patch * backport-5.4/700-v5.1-net-phylink-only-call-mac_config-during-resolve-when.patch * backport-5.4/701-v5.2-net-phylink-ensure-inband-AN-works-correctly.patch * backport-5.4/702-v4.20-net-ethernet-Add-helper-for-MACs-which-support-asym-.patch * backport-5.4/703-v4.20-net-ethernet-Add-helper-for-set_pauseparam-for-Asym-.patch * backport-5.4/704-v4.20-net-phy-Stop-with-excessive-soft-reset.patch * backport-5.4/705-v5.1-net-phy-provide-full-set-of-accessor-functions-to-MM.patch * backport-5.4/706-v5.1-net-phy-add-register-modifying-helpers-returning-1-o.patch * backport-5.4/707-v5.1-net-phy-add-genphy_c45_check_and_restart_aneg.patch * backport-5.4/708-v5.3-net-phylink-remove-netdev-from-phylink-mii-ioctl-emu.patch * backport-5.4/709-v5.3-net-phylink-support-for-link-gpio-interrupt.patch * backport-5.4/710-v5.3-net-phy-allow-Clause-45-access-via-mii-ioctl.patch * backport-5.4/711-v5.3-net-sfp-add-mandatory-attach-detach-methods-for-sfp-.patch * backport-5.4/712-v5.3-net-sfp-remove-sfp-bus-use-of-netdevs.patch * backport-5.4/713-v5.2-net-phylink-avoid-reducing-support-mask.patch * backport-5.4/714-v5.3-net-sfp-Stop-SFP-polling-and-interrupt-handling-duri.patch * backport-5.4/715-v5.3-net-phylink-don-t-start-and-stop-SGMII-PHYs-in-SFP-m.patch * backport-5.4/740-v5.5-net-phy-avoid-matching-all-ones-clause-45-PHY-IDs.patch * backport-5.4/741-v5.5-net-phylink-fix-link-mode-modification-in-PHY-mode.patch * pending-5.4/103-MIPS-perf-ath79-Fix-perfcount-IRQ-assignment.patch * pending-5.4/131-spi-use-gpio_set_value_cansleep-for-setting-chipsele.patch * pending-5.4/132-spi-spi-gpio-fix-crash-when-num-chipselects-is-0.patch * pending-5.4/220-optimize_inlining.patch * pending-5.4/341-MIPS-mm-remove-no-op-dma_map_ops-where-possible.patch * pending-5.4/475-mtd-spi-nor-Add-Winbond-w25q128jv-support.patch * pending-5.4/477-mtd-add-spi-nor-add-mx25u3235f.patch * pending-5.4/479-mtd-spi-nor-add-eon-en25qh64.patch Some bigger changes were done to this feature and we did not port this patch yet: * hack-5.4/207-disable-modorder.patch This depends on BOOTMEM which was removed from the kernel, this needs some bigger changes: * hack-5.4/930-crashlog.patch A different version of the FPU disable patch was merged upstream, OpenWrt needs some adaptations. * pending-5.4/304-mips_disable_fpu.patch - no crashlog support yet as a required file got deleted upstream - Removed patch below, which is now seen as a recursive dependency [1] - Removed patch below due to build error [2] - fix still required to avoid identical function def [3] - Fixes included from Blocktrron - Fixes included from Chunkeey - Fix included from nbd regarding "dst leak in Flow Offload" [1] target/linux/generic/hack-5.4/260-crypto_test_dependencies.patch [2] target/linux/generic/hack-5.4/207-disable-modorder.patch [3] target/linux/generic/pending-5.4/613-netfilter_optional_tcp_window_check.patch Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com> Signed-off-by: David Bauer <mail@david-bauer.net> Signed-off-by: Christian Lamparter <chunkeey@gmail.com> Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com> Signed-off-by: Robert Marko <robimarko@gmail.com> Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
5 years ago
@@ -246,6 +246,33 @@ struct ipt_entry *ipt_next_entry(const s
return (void *)entry + entry->next_offset;
}
+static bool
+ipt_handle_default_rule(struct ipt_entry *e, unsigned int *verdict)
+{
+ struct xt_entry_target *t;
+ struct xt_standard_target *st;
+
+ if (e->target_offset != sizeof(struct ipt_entry))
+ return false;
+
+ if (!(e->ip.flags & IPT_F_NO_DEF_MATCH))
+ return false;
+
+ t = ipt_get_target(e);
+ if (t->u.kernel.target->target)
+ return false;
+
+ st = (struct xt_standard_target *) t;
+ if (st->verdict == XT_RETURN)
+ return false;
+
+ if (st->verdict >= 0)
+ return false;
+
+ *verdict = (unsigned)(-st->verdict) - 1;
+ return true;
+}
+
/* Returns one of the generic firewall policies, like NF_ACCEPT. */
unsigned int
ipt_do_table(struct sk_buff *skb,
kernel: add support for kernel 5.4 The following patches were removed because they are integrated in the upstream kernel 5.4: * backport-5.4/047-v4.21-mtd-keep-original-flags-for-every-struct-mtd_info.patch * backport-5.4/048-v4.21-mtd-improve-calculating-partition-boundaries-when-ch.patch * backport-5.4/080-v5.1-0001-bcma-keep-a-direct-pointer-to-the-struct-device.patch * backport-5.4/080-v5.1-0002-bcma-use-dev_-printing-functions.patch * backport-5.4/095-Allow-class-e-address-assignment-via-ifconfig-ioctl.patch * backport-5.4/101-arm-cns3xxx-use-actual-size-reads-for-PCIe.patch * backport-5.4/200-v5.2-usb-dwc2-Set-lpm-mode-parameters-depend-on-HW-configuration.patch * backport-5.4/210-arm64-sve-Disentangle-uapi-asm-ptrace.h-from-uapi-as.patch * backport-5.4/380-v5.3-net-sched-Introduce-act_ctinfo-action.patch * backport-5.4/450-v5.0-mtd-spinand-winbond-Add-support-for-W25N01GV.patch * backport-5.4/451-v5.0-mtd-spinand-Add-initial-support-for-Toshiba-TC58CVG2.patch * backport-5.4/452-v5.0-mtd-spinand-add-support-for-GigaDevice-GD5FxGQ4xA.patch * backport-5.4/455-v5.1-mtd-spinand-Add-support-for-all-Toshiba-Memory-produ.patch * backport-5.4/456-v5.1-mtd-spinand-Add-support-for-GigaDevice-GD5F1GQ4UExxG.patch * backport-5.4/460-v5.0-mtd-spi-nor-Add-support-for-mx25u12835f.patch * backport-5.4/460-v5.3-mtd-spinand-Define-macros-for-page-read-ops-with-thr.patch * backport-5.4/461-v5.3-mtd-spinand-Add-support-for-two-byte-device-IDs.patch * backport-5.4/462-v5.3-mtd-spinand-Add-support-for-GigaDevice-GD5F1GQ4UFxxG.patch * backport-5.4/463-v5.3-mtd-spinand-Add-initial-support-for-Paragon-PN26G0xA.patch * backport-5.4/700-v5.1-net-phylink-only-call-mac_config-during-resolve-when.patch * backport-5.4/701-v5.2-net-phylink-ensure-inband-AN-works-correctly.patch * backport-5.4/702-v4.20-net-ethernet-Add-helper-for-MACs-which-support-asym-.patch * backport-5.4/703-v4.20-net-ethernet-Add-helper-for-set_pauseparam-for-Asym-.patch * backport-5.4/704-v4.20-net-phy-Stop-with-excessive-soft-reset.patch * backport-5.4/705-v5.1-net-phy-provide-full-set-of-accessor-functions-to-MM.patch * backport-5.4/706-v5.1-net-phy-add-register-modifying-helpers-returning-1-o.patch * backport-5.4/707-v5.1-net-phy-add-genphy_c45_check_and_restart_aneg.patch * backport-5.4/708-v5.3-net-phylink-remove-netdev-from-phylink-mii-ioctl-emu.patch * backport-5.4/709-v5.3-net-phylink-support-for-link-gpio-interrupt.patch * backport-5.4/710-v5.3-net-phy-allow-Clause-45-access-via-mii-ioctl.patch * backport-5.4/711-v5.3-net-sfp-add-mandatory-attach-detach-methods-for-sfp-.patch * backport-5.4/712-v5.3-net-sfp-remove-sfp-bus-use-of-netdevs.patch * backport-5.4/713-v5.2-net-phylink-avoid-reducing-support-mask.patch * backport-5.4/714-v5.3-net-sfp-Stop-SFP-polling-and-interrupt-handling-duri.patch * backport-5.4/715-v5.3-net-phylink-don-t-start-and-stop-SGMII-PHYs-in-SFP-m.patch * backport-5.4/740-v5.5-net-phy-avoid-matching-all-ones-clause-45-PHY-IDs.patch * backport-5.4/741-v5.5-net-phylink-fix-link-mode-modification-in-PHY-mode.patch * pending-5.4/103-MIPS-perf-ath79-Fix-perfcount-IRQ-assignment.patch * pending-5.4/131-spi-use-gpio_set_value_cansleep-for-setting-chipsele.patch * pending-5.4/132-spi-spi-gpio-fix-crash-when-num-chipselects-is-0.patch * pending-5.4/220-optimize_inlining.patch * pending-5.4/341-MIPS-mm-remove-no-op-dma_map_ops-where-possible.patch * pending-5.4/475-mtd-spi-nor-Add-Winbond-w25q128jv-support.patch * pending-5.4/477-mtd-add-spi-nor-add-mx25u3235f.patch * pending-5.4/479-mtd-spi-nor-add-eon-en25qh64.patch Some bigger changes were done to this feature and we did not port this patch yet: * hack-5.4/207-disable-modorder.patch This depends on BOOTMEM which was removed from the kernel, this needs some bigger changes: * hack-5.4/930-crashlog.patch A different version of the FPU disable patch was merged upstream, OpenWrt needs some adaptations. * pending-5.4/304-mips_disable_fpu.patch - no crashlog support yet as a required file got deleted upstream - Removed patch below, which is now seen as a recursive dependency [1] - Removed patch below due to build error [2] - fix still required to avoid identical function def [3] - Fixes included from Blocktrron - Fixes included from Chunkeey - Fix included from nbd regarding "dst leak in Flow Offload" [1] target/linux/generic/hack-5.4/260-crypto_test_dependencies.patch [2] target/linux/generic/hack-5.4/207-disable-modorder.patch [3] target/linux/generic/pending-5.4/613-netfilter_optional_tcp_window_check.patch Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com> Signed-off-by: David Bauer <mail@david-bauer.net> Signed-off-by: Christian Lamparter <chunkeey@gmail.com> Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com> Signed-off-by: Robert Marko <robimarko@gmail.com> Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
5 years ago
@@ -266,27 +293,28 @@ ipt_do_table(struct sk_buff *skb,
unsigned int addend;
/* Initialization */
+ WARN_ON(!(table->valid_hooks & (1 << hook)));
+ local_bh_disable();
+ private = READ_ONCE(table->private); /* Address dependency. */
+ cpu = smp_processor_id();
+ table_base = private->entries;
+
+ e = get_entry(table_base, private->hook_entry[hook]);
+ if (ipt_handle_default_rule(e, &verdict)) {
+ struct xt_counters *counter;
+
+ counter = xt_get_this_cpu_counter(&e->counters);
+ ADD_COUNTER(*counter, skb->len, 1);
+ local_bh_enable();
+ return verdict;
+ }
+
stackidx = 0;
ip = ip_hdr(skb);
indev = state->in ? state->in->name : nulldevname;
outdev = state->out ? state->out->name : nulldevname;
- /* We handle fragments by dealing with the first fragment as
- * if it was a normal packet. All other fragments are treated
- * normally, except that they will NEVER match rules that ask
- * things we don't know, ie. tcp syn flag or ports). If the
- * rule is also a fragment-specific rule, non-fragments won't
- * match it. */
- acpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
- acpar.thoff = ip_hdrlen(skb);
- acpar.hotdrop = false;
- acpar.state = state;
- WARN_ON(!(table->valid_hooks & (1 << hook)));
- local_bh_disable();
addend = xt_write_recseq_begin();
- private = READ_ONCE(table->private); /* Address dependency. */
- cpu = smp_processor_id();
- table_base = private->entries;
jumpstack = (struct ipt_entry **)private->jumpstack[cpu];
/* Switch to alternate jumpstack if we're being invoked via TEE.
kernel: add support for kernel 5.4 The following patches were removed because they are integrated in the upstream kernel 5.4: * backport-5.4/047-v4.21-mtd-keep-original-flags-for-every-struct-mtd_info.patch * backport-5.4/048-v4.21-mtd-improve-calculating-partition-boundaries-when-ch.patch * backport-5.4/080-v5.1-0001-bcma-keep-a-direct-pointer-to-the-struct-device.patch * backport-5.4/080-v5.1-0002-bcma-use-dev_-printing-functions.patch * backport-5.4/095-Allow-class-e-address-assignment-via-ifconfig-ioctl.patch * backport-5.4/101-arm-cns3xxx-use-actual-size-reads-for-PCIe.patch * backport-5.4/200-v5.2-usb-dwc2-Set-lpm-mode-parameters-depend-on-HW-configuration.patch * backport-5.4/210-arm64-sve-Disentangle-uapi-asm-ptrace.h-from-uapi-as.patch * backport-5.4/380-v5.3-net-sched-Introduce-act_ctinfo-action.patch * backport-5.4/450-v5.0-mtd-spinand-winbond-Add-support-for-W25N01GV.patch * backport-5.4/451-v5.0-mtd-spinand-Add-initial-support-for-Toshiba-TC58CVG2.patch * backport-5.4/452-v5.0-mtd-spinand-add-support-for-GigaDevice-GD5FxGQ4xA.patch * backport-5.4/455-v5.1-mtd-spinand-Add-support-for-all-Toshiba-Memory-produ.patch * backport-5.4/456-v5.1-mtd-spinand-Add-support-for-GigaDevice-GD5F1GQ4UExxG.patch * backport-5.4/460-v5.0-mtd-spi-nor-Add-support-for-mx25u12835f.patch * backport-5.4/460-v5.3-mtd-spinand-Define-macros-for-page-read-ops-with-thr.patch * backport-5.4/461-v5.3-mtd-spinand-Add-support-for-two-byte-device-IDs.patch * backport-5.4/462-v5.3-mtd-spinand-Add-support-for-GigaDevice-GD5F1GQ4UFxxG.patch * backport-5.4/463-v5.3-mtd-spinand-Add-initial-support-for-Paragon-PN26G0xA.patch * backport-5.4/700-v5.1-net-phylink-only-call-mac_config-during-resolve-when.patch * backport-5.4/701-v5.2-net-phylink-ensure-inband-AN-works-correctly.patch * backport-5.4/702-v4.20-net-ethernet-Add-helper-for-MACs-which-support-asym-.patch * backport-5.4/703-v4.20-net-ethernet-Add-helper-for-set_pauseparam-for-Asym-.patch * backport-5.4/704-v4.20-net-phy-Stop-with-excessive-soft-reset.patch * backport-5.4/705-v5.1-net-phy-provide-full-set-of-accessor-functions-to-MM.patch * backport-5.4/706-v5.1-net-phy-add-register-modifying-helpers-returning-1-o.patch * backport-5.4/707-v5.1-net-phy-add-genphy_c45_check_and_restart_aneg.patch * backport-5.4/708-v5.3-net-phylink-remove-netdev-from-phylink-mii-ioctl-emu.patch * backport-5.4/709-v5.3-net-phylink-support-for-link-gpio-interrupt.patch * backport-5.4/710-v5.3-net-phy-allow-Clause-45-access-via-mii-ioctl.patch * backport-5.4/711-v5.3-net-sfp-add-mandatory-attach-detach-methods-for-sfp-.patch * backport-5.4/712-v5.3-net-sfp-remove-sfp-bus-use-of-netdevs.patch * backport-5.4/713-v5.2-net-phylink-avoid-reducing-support-mask.patch * backport-5.4/714-v5.3-net-sfp-Stop-SFP-polling-and-interrupt-handling-duri.patch * backport-5.4/715-v5.3-net-phylink-don-t-start-and-stop-SGMII-PHYs-in-SFP-m.patch * backport-5.4/740-v5.5-net-phy-avoid-matching-all-ones-clause-45-PHY-IDs.patch * backport-5.4/741-v5.5-net-phylink-fix-link-mode-modification-in-PHY-mode.patch * pending-5.4/103-MIPS-perf-ath79-Fix-perfcount-IRQ-assignment.patch * pending-5.4/131-spi-use-gpio_set_value_cansleep-for-setting-chipsele.patch * pending-5.4/132-spi-spi-gpio-fix-crash-when-num-chipselects-is-0.patch * pending-5.4/220-optimize_inlining.patch * pending-5.4/341-MIPS-mm-remove-no-op-dma_map_ops-where-possible.patch * pending-5.4/475-mtd-spi-nor-Add-Winbond-w25q128jv-support.patch * pending-5.4/477-mtd-add-spi-nor-add-mx25u3235f.patch * pending-5.4/479-mtd-spi-nor-add-eon-en25qh64.patch Some bigger changes were done to this feature and we did not port this patch yet: * hack-5.4/207-disable-modorder.patch This depends on BOOTMEM which was removed from the kernel, this needs some bigger changes: * hack-5.4/930-crashlog.patch A different version of the FPU disable patch was merged upstream, OpenWrt needs some adaptations. * pending-5.4/304-mips_disable_fpu.patch - no crashlog support yet as a required file got deleted upstream - Removed patch below, which is now seen as a recursive dependency [1] - Removed patch below due to build error [2] - fix still required to avoid identical function def [3] - Fixes included from Blocktrron - Fixes included from Chunkeey - Fix included from nbd regarding "dst leak in Flow Offload" [1] target/linux/generic/hack-5.4/260-crypto_test_dependencies.patch [2] target/linux/generic/hack-5.4/207-disable-modorder.patch [3] target/linux/generic/pending-5.4/613-netfilter_optional_tcp_window_check.patch Signed-off-by: Koen Vandeputte <koen.vandeputte@ncentric.com> Signed-off-by: David Bauer <mail@david-bauer.net> Signed-off-by: Christian Lamparter <chunkeey@gmail.com> Signed-off-by: Ansuel Smith <ansuelsmth@gmail.com> Signed-off-by: Robert Marko <robimarko@gmail.com> Signed-off-by: Hauke Mehrtens <hauke@hauke-m.de>
5 years ago
@@ -299,7 +327,16 @@ ipt_do_table(struct sk_buff *skb,
if (static_key_false(&xt_tee_enabled))
jumpstack += private->stacksize * __this_cpu_read(nf_skb_duplicated);
- e = get_entry(table_base, private->hook_entry[hook]);
+ /* We handle fragments by dealing with the first fragment as
+ * if it was a normal packet. All other fragments are treated
+ * normally, except that they will NEVER match rules that ask
+ * things we don't know, ie. tcp syn flag or ports). If the
+ * rule is also a fragment-specific rule, non-fragments won't
+ * match it. */
+ acpar.fragoff = ntohs(ip->frag_off) & IP_OFFSET;
+ acpar.thoff = ip_hdrlen(skb);
+ acpar.hotdrop = false;
+ acpar.state = state;
do {
const struct xt_entry_target *t;