netfilter: flowtable: Fix QinQ and pppoe support for inet table

nf_flow_offload_inet_hook() does not check for 802.1q and PPPoE.
Fetch inner ethertype from these encapsulation protocols.

Fixes: 72efd585f7 ("netfilter: flowtable: add pppoe support")
Fixes: 4cd91f7c29 ("netfilter: flowtable: add vlan support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Pablo Neira Ayuso 2022-03-16 11:19:43 +01:00
parent dea2d93a8b
commit 0492d85763
3 changed files with 35 additions and 18 deletions


@ -10,6 +10,8 @@
#include <linux/netfilter/nf_conntrack_tuple_common.h> #include <linux/netfilter/nf_conntrack_tuple_common.h>
#include <net/flow_offload.h> #include <net/flow_offload.h>
#include <net/dst.h> #include <net/dst.h>
#include <linux/if_pppox.h>
#include <linux/ppp_defs.h>
struct nf_flowtable; struct nf_flowtable;
struct nf_flow_rule; struct nf_flow_rule;
@ -317,4 +319,20 @@ int nf_flow_rule_route_ipv6(struct net *net, const struct flow_offload *flow,
int nf_flow_table_offload_init(void); int nf_flow_table_offload_init(void);
void nf_flow_table_offload_exit(void); void nf_flow_table_offload_exit(void);
static inline __be16 nf_flow_pppoe_proto(const struct sk_buff *skb)
{
__be16 proto;
proto = *((__be16 *)(skb_mac_header(skb) + ETH_HLEN +
sizeof(struct pppoe_hdr)));
switch (proto) {
case htons(PPP_IP):
return htons(ETH_P_IP);
case htons(PPP_IPV6):
return htons(ETH_P_IPV6);
}
return 0;
}
#endif /* _NF_FLOW_TABLE_H */ #endif /* _NF_FLOW_TABLE_H */
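Review bot: nf_flow_pppoe_proto() reads two bytes at `skb_mac_header(skb) + ETH_HLEN + sizeof(struct pppoe_hdr)` with no check that the skb's linear data reaches that far, and moving it into this shared header makes it callable from paths that have not validated the frame. The new caller in nf_flow_offload_inet_hook() (second file section) shows no length check before the call, and the `veth->h_vlan_encapsulated_proto` read in its ETH_P_8021Q case has the same gap. A truncated or non-linear 802.1Q/PPPoE frame could therefore cause an out-of-bounds read, unless an earlier layer guarantees the headers are pulled, which is not visible here. I would guard both cases in the hook, e.g. `if (!pskb_may_pull(skb, PPPOE_SES_HLEN)) return NF_ACCEPT;` before the PPPoE call, with an equivalent check covering `sizeof(*veth)` from the MAC header before the VLAN read. The helper should also get a comment stating that the caller must already have validated the PPPoE session header.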


@ -6,12 +6,29 @@
#include <linux/rhashtable.h> #include <linux/rhashtable.h>
#include <net/netfilter/nf_flow_table.h> #include <net/netfilter/nf_flow_table.h>
#include <net/netfilter/nf_tables.h> #include <net/netfilter/nf_tables.h>
#include <linux/if_vlan.h>
static unsigned int static unsigned int
nf_flow_offload_inet_hook(void *priv, struct sk_buff *skb, nf_flow_offload_inet_hook(void *priv, struct sk_buff *skb,
const struct nf_hook_state *state) const struct nf_hook_state *state)
{ {
struct vlan_ethhdr *veth;
__be16 proto;
switch (skb->protocol) { switch (skb->protocol) {
case htons(ETH_P_8021Q):
veth = (struct vlan_ethhdr *)skb_mac_header(skb);
proto = veth->h_vlan_encapsulated_proto;
break;
case htons(ETH_P_PPP_SES):
proto = nf_flow_pppoe_proto(skb);
break;
default:
proto = skb->protocol;
break;
}
switch (proto) {
case htons(ETH_P_IP): case htons(ETH_P_IP):
return nf_flow_offload_ip_hook(priv, skb, state); return nf_flow_offload_ip_hook(priv, skb, state);
case htons(ETH_P_IPV6): case htons(ETH_P_IPV6):


@ -8,8 +8,6 @@
#include <linux/ipv6.h> #include <linux/ipv6.h>
#include <linux/netdevice.h> #include <linux/netdevice.h>
#include <linux/if_ether.h> #include <linux/if_ether.h>
#include <linux/if_pppox.h>
#include <linux/ppp_defs.h>
#include <net/ip.h> #include <net/ip.h>
#include <net/ipv6.h> #include <net/ipv6.h>
#include <net/ip6_route.h> #include <net/ip6_route.h>
@ -239,22 +237,6 @@ static unsigned int nf_flow_xmit_xfrm(struct sk_buff *skb,
return NF_STOLEN; return NF_STOLEN;
} }
static inline __be16 nf_flow_pppoe_proto(const struct sk_buff *skb)
{
__be16 proto;
proto = *((__be16 *)(skb_mac_header(skb) + ETH_HLEN +
sizeof(struct pppoe_hdr)));
switch (proto) {
case htons(PPP_IP):
return htons(ETH_P_IP);
case htons(PPP_IPV6):
return htons(ETH_P_IPV6);
}
return 0;
}
static bool nf_flow_skb_encap_protocol(const struct sk_buff *skb, __be16 proto, static bool nf_flow_skb_encap_protocol(const struct sk_buff *skb, __be16 proto,
u32 *offset) u32 *offset)
{ {