提交 83abe3a3 编写于 作者: F Florian Westphal 提交者: Zhengchao Shao

netfilter: nat: remove csum_recalc hook

mainline inclusion
from mainline-v5.1-rc1
commit dac3fe72
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7O0PV
CVE: NA

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=dac3fe72596f91011afc649a9d181b18466dd895

--------------------------------

We can now use direct calls.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Conflicts:
	include/net/netfilter/nf_nat_l3proto.h
	net/ipv4/netfilter/nf_nat_l3proto_ipv4.c
	net/ipv6/netfilter/nf_nat_l3proto_ipv6.c
	net/netfilter/Makefile
	net/netfilter/nf_nat_helper.c
	net/netfilter/nf_nat_proto.c
Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
上级 0c49500f
...@@ -22,10 +22,6 @@ struct nf_nat_l3proto { ...@@ -22,10 +22,6 @@ struct nf_nat_l3proto {
const struct nf_conntrack_tuple *t, const struct nf_conntrack_tuple *t,
enum nf_nat_manip_type maniptype); enum nf_nat_manip_type maniptype);
void (*csum_recalc)(struct sk_buff *skb, u8 proto,
void *data, __sum16 *check,
int datalen, int oldlen);
void (*decode_session)(struct sk_buff *skb, void (*decode_session)(struct sk_buff *skb,
const struct nf_conn *ct, const struct nf_conn *ct,
enum ip_conntrack_dir dir, enum ip_conntrack_dir dir,
...@@ -54,4 +50,8 @@ void nf_nat_l3proto_ipv4_unregister_fn(struct net *net, const struct nf_hook_ops ...@@ -54,4 +50,8 @@ void nf_nat_l3proto_ipv4_unregister_fn(struct net *net, const struct nf_hook_ops
int nf_nat_l3proto_ipv6_register_fn(struct net *net, const struct nf_hook_ops *ops); int nf_nat_l3proto_ipv6_register_fn(struct net *net, const struct nf_hook_ops *ops);
void nf_nat_l3proto_ipv6_unregister_fn(struct net *net, const struct nf_hook_ops *ops); void nf_nat_l3proto_ipv6_unregister_fn(struct net *net, const struct nf_hook_ops *ops);
void nf_nat_csum_recalc(struct sk_buff *skb,
u8 nfproto, u8 proto, void *data, __sum16 *check,
int datalen, int oldlen);
#endif /* _NF_NAT_L3PROTO_H */ #endif /* _NF_NAT_L3PROTO_H */
...@@ -123,24 +123,6 @@ static void nf_nat_ipv4_csum_update(struct sk_buff *skb, ...@@ -123,24 +123,6 @@ static void nf_nat_ipv4_csum_update(struct sk_buff *skb,
inet_proto_csum_replace4(check, skb, oldip, newip, true); inet_proto_csum_replace4(check, skb, oldip, newip, true);
} }
static void nf_nat_ipv4_csum_recalc(struct sk_buff *skb,
u8 proto, void *data, __sum16 *check,
int datalen, int oldlen)
{
if (skb->ip_summed != CHECKSUM_PARTIAL) {
const struct iphdr *iph = ip_hdr(skb);
skb->ip_summed = CHECKSUM_PARTIAL;
skb->csum_start = skb_headroom(skb) + skb_network_offset(skb) +
ip_hdrlen(skb);
skb->csum_offset = (void *)check - data;
*check = ~csum_tcpudp_magic(iph->saddr, iph->daddr, datalen,
proto, 0);
} else
inet_proto_csum_replace2(check, skb,
htons(oldlen), htons(datalen), true);
}
#if IS_ENABLED(CONFIG_NF_CT_NETLINK) #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
static int nf_nat_ipv4_nlattr_to_range(struct nlattr *tb[], static int nf_nat_ipv4_nlattr_to_range(struct nlattr *tb[],
struct nf_nat_range2 *range) struct nf_nat_range2 *range)
...@@ -165,7 +147,6 @@ static const struct nf_nat_l3proto nf_nat_l3proto_ipv4 = { ...@@ -165,7 +147,6 @@ static const struct nf_nat_l3proto nf_nat_l3proto_ipv4 = {
.secure_port = nf_nat_ipv4_secure_port, .secure_port = nf_nat_ipv4_secure_port,
.manip_pkt = nf_nat_ipv4_manip_pkt, .manip_pkt = nf_nat_ipv4_manip_pkt,
.csum_update = nf_nat_ipv4_csum_update, .csum_update = nf_nat_ipv4_csum_update,
.csum_recalc = nf_nat_ipv4_csum_recalc,
#if IS_ENABLED(CONFIG_NF_CT_NETLINK) #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
.nlattr_to_range = nf_nat_ipv4_nlattr_to_range, .nlattr_to_range = nf_nat_ipv4_nlattr_to_range,
#endif #endif
......
...@@ -131,24 +131,6 @@ static void nf_nat_ipv6_csum_update(struct sk_buff *skb, ...@@ -131,24 +131,6 @@ static void nf_nat_ipv6_csum_update(struct sk_buff *skb,
newip->s6_addr32, true); newip->s6_addr32, true);
} }
static void nf_nat_ipv6_csum_recalc(struct sk_buff *skb,
u8 proto, void *data, __sum16 *check,
int datalen, int oldlen)
{
if (skb->ip_summed != CHECKSUM_PARTIAL) {
const struct ipv6hdr *ipv6h = ipv6_hdr(skb);
skb->ip_summed = CHECKSUM_PARTIAL;
skb->csum_start = skb_headroom(skb) + skb_network_offset(skb) +
(data - (void *)skb->data);
skb->csum_offset = (void *)check - data;
*check = ~csum_ipv6_magic(&ipv6h->saddr, &ipv6h->daddr,
datalen, proto, 0);
} else
inet_proto_csum_replace2(check, skb,
htons(oldlen), htons(datalen), true);
}
#if IS_ENABLED(CONFIG_NF_CT_NETLINK) #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
static int nf_nat_ipv6_nlattr_to_range(struct nlattr *tb[], static int nf_nat_ipv6_nlattr_to_range(struct nlattr *tb[],
struct nf_nat_range2 *range) struct nf_nat_range2 *range)
...@@ -175,7 +157,6 @@ static const struct nf_nat_l3proto nf_nat_l3proto_ipv6 = { ...@@ -175,7 +157,6 @@ static const struct nf_nat_l3proto nf_nat_l3proto_ipv6 = {
.in_range = nf_nat_ipv6_in_range, .in_range = nf_nat_ipv6_in_range,
.manip_pkt = nf_nat_ipv6_manip_pkt, .manip_pkt = nf_nat_ipv6_manip_pkt,
.csum_update = nf_nat_ipv6_csum_update, .csum_update = nf_nat_ipv6_csum_update,
.csum_recalc = nf_nat_ipv6_csum_recalc,
#if IS_ENABLED(CONFIG_NF_CT_NETLINK) #if IS_ENABLED(CONFIG_NF_CT_NETLINK)
.nlattr_to_range = nf_nat_ipv6_nlattr_to_range, .nlattr_to_range = nf_nat_ipv6_nlattr_to_range,
#endif #endif
......
...@@ -48,7 +48,7 @@ obj-$(CONFIG_NF_CONNTRACK_SIP) += nf_conntrack_sip.o ...@@ -48,7 +48,7 @@ obj-$(CONFIG_NF_CONNTRACK_SIP) += nf_conntrack_sip.o
obj-$(CONFIG_NF_CONNTRACK_TFTP) += nf_conntrack_tftp.o obj-$(CONFIG_NF_CONNTRACK_TFTP) += nf_conntrack_tftp.o
nf_nat-y := nf_nat_core.o nf_nat_proto_unknown.o nf_nat_proto_common.o \ nf_nat-y := nf_nat_core.o nf_nat_proto_unknown.o nf_nat_proto_common.o \
nf_nat_proto_udp.o nf_nat_proto_tcp.o nf_nat_helper.o nf_nat_proto_udp.o nf_nat_proto_tcp.o nf_nat_helper.o nf_nat_proto.o
# NAT protocols (nf_nat) # NAT protocols (nf_nat)
nf_nat-$(CONFIG_NF_NAT_PROTO_DCCP) += nf_nat_proto_dccp.o nf_nat-$(CONFIG_NF_NAT_PROTO_DCCP) += nf_nat_proto_dccp.o
......
...@@ -98,7 +98,6 @@ bool __nf_nat_mangle_tcp_packet(struct sk_buff *skb, ...@@ -98,7 +98,6 @@ bool __nf_nat_mangle_tcp_packet(struct sk_buff *skb,
const char *rep_buffer, const char *rep_buffer,
unsigned int rep_len, bool adjust) unsigned int rep_len, bool adjust)
{ {
const struct nf_nat_l3proto *l3proto;
struct tcphdr *tcph; struct tcphdr *tcph;
int oldlen, datalen; int oldlen, datalen;
...@@ -120,9 +119,8 @@ bool __nf_nat_mangle_tcp_packet(struct sk_buff *skb, ...@@ -120,9 +119,8 @@ bool __nf_nat_mangle_tcp_packet(struct sk_buff *skb,
datalen = skb->len - protoff; datalen = skb->len - protoff;
l3proto = __nf_nat_l3proto_find(nf_ct_l3num(ct)); nf_nat_csum_recalc(skb, nf_ct_l3num(ct), IPPROTO_TCP,
l3proto->csum_recalc(skb, IPPROTO_TCP, tcph, &tcph->check, tcph, &tcph->check, datalen, oldlen);
datalen, oldlen);
if (adjust && rep_len != match_len) if (adjust && rep_len != match_len)
nf_ct_seqadj_set(ct, ctinfo, tcph->seq, nf_ct_seqadj_set(ct, ctinfo, tcph->seq,
...@@ -152,7 +150,6 @@ nf_nat_mangle_udp_packet(struct sk_buff *skb, ...@@ -152,7 +150,6 @@ nf_nat_mangle_udp_packet(struct sk_buff *skb,
const char *rep_buffer, const char *rep_buffer,
unsigned int rep_len) unsigned int rep_len)
{ {
const struct nf_nat_l3proto *l3proto;
struct udphdr *udph; struct udphdr *udph;
int datalen, oldlen; int datalen, oldlen;
...@@ -178,9 +175,8 @@ nf_nat_mangle_udp_packet(struct sk_buff *skb, ...@@ -178,9 +175,8 @@ nf_nat_mangle_udp_packet(struct sk_buff *skb,
if (!udph->check && skb->ip_summed != CHECKSUM_PARTIAL) if (!udph->check && skb->ip_summed != CHECKSUM_PARTIAL)
return true; return true;
l3proto = __nf_nat_l3proto_find(nf_ct_l3num(ct)); nf_nat_csum_recalc(skb, nf_ct_l3num(ct), IPPROTO_TCP,
l3proto->csum_recalc(skb, IPPROTO_UDP, udph, &udph->check, udph, &udph->check, datalen, oldlen);
datalen, oldlen);
return true; return true;
} }
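Review bot: The new call in nf_nat_mangle_udp_packet passes `IPPROTO_TCP`, where the line it replaces passed `IPPROTO_UDP`; this looks like a copy-paste from the TCP path above. When `skb->ip_summed` is not `CHECKSUM_PARTIAL`, the recalc helpers feed `proto` into csum_tcpudp_magic() / csum_ipv6_magic(), so the pseudo-header would be built with the TCP protocol number. UDP packets whose payload was mangled would then leave with a checksum the receiver should reject. The call should read `nf_nat_csum_recalc(skb, nf_ct_l3num(ct), IPPROTO_UDP, udph, &udph->check, datalen, oldlen);`. Both mangle functions extend beyond the hunks shown, so the rest of their bodies was not reviewed.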
......
// SPDX-License-Identifier: GPL-2.0-only
/* (C) 1999-2001 Paul `Rusty' Russell
* (C) 2002-2006 Netfilter Core Team <coreteam@netfilter.org>
*/
#include <linux/types.h>
#include <linux/init.h>
#include <linux/ipv6.h>
#include <linux/netfilter_ipv6.h>
#include <net/checksum.h>
#include <net/ip6_checksum.h>
#include <net/ip6_route.h>
#include <net/xfrm.h>
#include <net/ipv6.h>
static void nf_nat_ipv4_csum_recalc(struct sk_buff *skb,
u8 proto, void *data, __sum16 *check,
int datalen, int oldlen)
{
if (skb->ip_summed != CHECKSUM_PARTIAL) {
const struct iphdr *iph = ip_hdr(skb);
skb->ip_summed = CHECKSUM_PARTIAL;
skb->csum_start = skb_headroom(skb) + skb_network_offset(skb) +
ip_hdrlen(skb);
skb->csum_offset = (void *)check - data;
*check = ~csum_tcpudp_magic(iph->saddr, iph->daddr, datalen,
proto, 0);
} else {
inet_proto_csum_replace2(check, skb,
htons(oldlen), htons(datalen), true);
}
}
#if IS_ENABLED(CONFIG_IPV6)
static void nf_nat_ipv6_csum_recalc(struct sk_buff *skb,
u8 proto, void *data, __sum16 *check,
int datalen, int oldlen)
{
if (skb->ip_summed != CHECKSUM_PARTIAL) {
const struct ipv6hdr *ipv6h = ipv6_hdr(skb);
skb->ip_summed = CHECKSUM_PARTIAL;
skb->csum_start = skb_headroom(skb) + skb_network_offset(skb) +
(data - (void *)skb->data);
skb->csum_offset = (void *)check - data;
*check = ~csum_ipv6_magic(&ipv6h->saddr, &ipv6h->daddr,
datalen, proto, 0);
} else {
inet_proto_csum_replace2(check, skb,
htons(oldlen), htons(datalen), true);
}
}
#endif
void nf_nat_csum_recalc(struct sk_buff *skb,
u8 nfproto, u8 proto, void *data, __sum16 *check,
int datalen, int oldlen)
{
switch (nfproto) {
case NFPROTO_IPV4:
nf_nat_ipv4_csum_recalc(skb, proto, data, check,
datalen, oldlen);
return;
#if IS_ENABLED(CONFIG_IPV6)
case NFPROTO_IPV6:
nf_nat_ipv6_csum_recalc(skb, proto, data, check,
datalen, oldlen);
return;
#endif
}
WARN_ON_ONCE(1);
}
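Review bot: The new file defines the non-static nf_nat_csum_recalc() but none of its includes is the header that declares it, so the compiler cannot check the definition against the prototype unless that header arrives indirectly. I would add `#include <net/netfilter/nf_nat_l3proto.h>`, and include `<net/ip.h>` explicitly for ip_hdr() and ip_hdrlen() rather than relying on the IPv6 headers to pull it in. A short comment above the dispatcher would also help, for example `/* proto is the L4 protocol used in the pseudo-header; callers must pass the protocol of the header that contains *check */`, since a mismatched value silently produces a wrong checksum.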