/*
 * iptables-save hook for the IPv4 HMARK target: emit the address-prefix
 * options that are IPv4 specific, then hand the remaining (address family
 * independent) options to HMARK_save().
 *
 * @ip is unused; @target->data holds the xt_hmark_info set up by the parser.
 */
static void HMARK_ip4_save(const void *ip, const struct xt_entry_target *target)
{
	const struct xt_hmark_info *info =
		(const struct xt_hmark_info *)target->data;
	const unsigned int flags = info->flags;

	/* Masks are stored as full netmasks; print them back as CIDR lengths. */
	if (flags & XT_HMARK_FLAG(XT_HMARK_SADDR_MASK))
		printf(" --hmark-src-prefix %d",
		       xtables_ipmask_to_cidr(&info->src_mask.in));
	if (flags & XT_HMARK_FLAG(XT_HMARK_DADDR_MASK))
		printf(" --hmark-dst-prefix %d",
		       xtables_ipmask_to_cidr(&info->dst_mask.in));

	HMARK_save(info);
}
/*
 * Validate an xt_hmark_info handed in from userspace before the target is
 * installed.  Rejected configurations: a zero hash modulus, a protocol mask
 * in L3 mode, and SPI selectors combined with port selectors.
 *
 * Returns 0 if the configuration is acceptable, -EINVAL otherwise (with a
 * pr_info line naming the offending combination).
 */
static int hmark_tg_check(const struct xt_tgchk_param *par)
{
	const struct xt_hmark_info *info = par->targinfo;
	const unsigned int flags = info->flags;
	const unsigned int port_mask_bits = XT_HMARK_FLAG(XT_HMARK_SPORT_MASK) |
					    XT_HMARK_FLAG(XT_HMARK_DPORT_MASK);
	const unsigned int port_set_bits = XT_HMARK_FLAG(XT_HMARK_SPORT) |
					   XT_HMARK_FLAG(XT_HMARK_DPORT);

	/* The modulus is never allowed to be zero (presumably a divisor in
	 * the hash computation). */
	if (info->hmodulus == 0) {
		pr_info("xt_HMARK: hash modulus can't be zero\n");
		return -EINVAL;
	}

	/* L3 mode hashes addresses only, so a protocol mask is a config error. */
	if ((flags & XT_HMARK_FLAG(XT_HMARK_METHOD_L3)) && info->proto_mask) {
		pr_info("xt_HMARK: proto mask must be zero with L3 mode\n");
		return -EINVAL;
	}

	/* port_mask.v32 (SPI) and port_mask.p16 (ports) appear to share
	 * storage elsewhere in this file, so only one of them may be set. */
	if ((flags & XT_HMARK_FLAG(XT_HMARK_SPI_MASK)) &&
	    (flags & port_mask_bits)) {
		pr_info("xt_HMARK: spi-mask and port-mask can't be combined\n");
		return -EINVAL;
	}

	/* Same exclusivity for the forced values. */
	if ((flags & XT_HMARK_FLAG(XT_HMARK_SPI)) && (flags & port_set_bits)) {
		pr_info("xt_HMARK: spi-set and port-set can't be combined\n");
		return -EINVAL;
	}

	return 0;
}
/*
 * iptables -L hook for the IPv4 HMARK target.  Prints the hash parameters
 * and the IPv4 address prefixes, then delegates the port/SPI/protocol
 * details to HMARK_print().
 *
 * @ip and @numeric are unused; @target->data holds the xt_hmark_info.
 */
static void HMARK_ip4_print(const void *ip,
			    const struct xt_entry_target *target, int numeric)
{
	const struct xt_hmark_info *info =
		(const struct xt_hmark_info *)target->data;
	const unsigned int flags = info->flags;

	printf(" HMARK ");

	/* Hash shaping: modulus, offset, and whether conntrack drives it. */
	if (flags & XT_HMARK_FLAG(XT_HMARK_MODULUS))
		printf("mod %u ", info->hmodulus);
	if (flags & XT_HMARK_FLAG(XT_HMARK_OFFSET))
		printf("+ 0x%x ", info->hoffset);
	if (flags & XT_HMARK_FLAG(XT_HMARK_CT))
		printf("ct, ");

	/* Address selectors, shown as CIDR prefix lengths. */
	if (flags & XT_HMARK_FLAG(XT_HMARK_SADDR_MASK)) {
		int src_cidr = xtables_ipmask_to_cidr(&info->src_mask.in);

		printf("src-prefix %u ", src_cidr);
	}
	if (flags & XT_HMARK_FLAG(XT_HMARK_DADDR_MASK)) {
		int dst_cidr = xtables_ipmask_to_cidr(&info->dst_mask.in);

		printf("dst-prefix %u ", dst_cidr);
	}

	HMARK_print(info);
}
/*
 * Print the address-family independent part of an HMARK rule for
 * iptables -L: port/SPI masks and forced values, protocol mask and the
 * hash seed.  Each item is printed only when its flag bit is set.
 *
 * Port and SPI fields are kept in network byte order (see HMARK_parse),
 * so they are converted back before printing.
 */
static void HMARK_print(const struct xt_hmark_info *info)
{
#define HMARK_HAS(bit) (info->flags & XT_HMARK_FLAG(bit))
	/* Masks applied to the transport selectors. */
	if (HMARK_HAS(XT_HMARK_SPORT_MASK))
		printf("sport-mask 0x%x ", htons(info->port_mask.p16.src));
	if (HMARK_HAS(XT_HMARK_DPORT_MASK))
		printf("dport-mask 0x%x ", htons(info->port_mask.p16.dst));
	if (HMARK_HAS(XT_HMARK_SPI_MASK))
		printf("spi-mask 0x%x ", htonl(info->port_mask.v32));

	/* Values OR-ed in after masking. */
	if (HMARK_HAS(XT_HMARK_SPORT))
		printf("sport 0x%x ", htons(info->port_set.p16.src));
	if (HMARK_HAS(XT_HMARK_DPORT))
		printf("dport 0x%x ", htons(info->port_set.p16.dst));
	if (HMARK_HAS(XT_HMARK_SPI))
		printf("spi 0x%x ", htonl(info->port_set.v32));

	/* Protocol mask and hash seed are plain host-order values. */
	if (HMARK_HAS(XT_HMARK_PROTO_MASK))
		printf("proto-mask 0x%x ", info->proto_mask);
	if (HMARK_HAS(XT_HMARK_RND))
		printf("rnd 0x%x ", info->hashrnd);
#undef HMARK_HAS
}
/*
 * Fill the hash tuple @t from the IPv6 headers of @skb.
 *
 * For a (non-fragmented) ICMPv6 error the embedded inner IPv6 header is
 * used instead of the outer one.  Addresses are masked with
 * info->src_mask / info->dst_mask.  Protocol and ports are only added when
 * the target is not in L3 mode, the transport protocol is not ICMPv6 and
 * the packet is not a fragment.
 *
 * Returns 0 on success or when no transport header could be located
 * (tuple left as is), -1 when the inner header of an ICMPv6 error cannot
 * be read.
 */
static int
hmark_pkt_set_htuple_ipv6(const struct sk_buff *skb, struct hmark_tuple *t,
			  const struct xt_hmark_info *info)
{
	struct ipv6hdr *ip6, _ip6;
	int flag = IP6T_FH_F_AUTH;
	unsigned int nhoff = 0;
	u16 fragoff = 0;
	int nexthdr;

	/* The outer network header is taken from the linear area directly;
	 * nothing here re-checks that it is present. */
	ip6 = (struct ipv6hdr *) (skb->data + skb_network_offset(skb));
	nexthdr = ipv6_find_hdr(skb, &nhoff, -1, &fragoff, &flag);
	if (nexthdr < 0)
		return 0;

	/*
	 * Only an unfragmented ICMPv6 packet may carry an error with an
	 * embedded header; everything else hashes on the outer header.
	 */
	if (!(flag & IP6T_FH_F_FRAG) && nexthdr == IPPROTO_ICMPV6 &&
	    get_inner6_hdr(skb, &nhoff)) {
		ip6 = skb_header_pointer(skb, nhoff, sizeof(_ip6), &_ip6);
		if (!ip6)
			return -1;
		/* Walk the inner extension headers; AH contributes its SPI
		 * the same way ESP does. */
		flag = IP6T_FH_F_AUTH;
		nexthdr = ipv6_find_hdr(skb, &nhoff, -1, &fragoff, &flag);
		if (nexthdr < 0)
			return -1;
	}

	t->src = hmark_addr6_mask(ip6->saddr.s6_addr32, info->src_mask.all);
	t->dst = hmark_addr6_mask(ip6->daddr.s6_addr32, info->dst_mask.all);

	/* L3 mode: addresses only. */
	if (info->flags & XT_HMARK_FLAG(XT_HMARK_METHOD_L3))
		return 0;

	t->proto = nexthdr;

	/* ICMPv6 carries no ports, and fragments may not either. */
	if (t->proto == IPPROTO_ICMPV6 || (flag & IP6T_FH_F_FRAG))
		return 0;

	hmark_set_tuple_ports(skb, nhoff, t, info);
	return 0;
}
/*
 * IPv4 target entry point: derive a tuple from conntrack or from the packet
 * headers, hash it, and store the result in skb->mark.
 *
 * Always returns XT_CONTINUE; when the tuple cannot be built the mark is
 * simply left untouched.
 */
static unsigned int
hmark_tg_v4(struct sk_buff *skb, const struct xt_action_param *par)
{
	const struct xt_hmark_info *info = par->targinfo;
	struct hmark_tuple t;
	int rc;

	/* memset rather than an initializer so any padding is zeroed too;
	 * the whole struct is handed to hmark_hash(). */
	memset(&t, 0, sizeof(t));

	rc = (info->flags & XT_HMARK_FLAG(XT_HMARK_CT))
		? hmark_ct_set_htuple(skb, &t, info)
		: hmark_pkt_set_htuple_ipv4(skb, &t, info);
	if (rc < 0)
		return XT_CONTINUE;

	skb->mark = hmark_hash(&t, info);
	return XT_CONTINUE;
}
/*
 * Fill the hash tuple @t from the IPv4 header of @skb.
 *
 * For ICMP errors the embedded inner IPv4 header is used instead of the
 * outer one.  Addresses are masked with info->src_mask / info->dst_mask.
 * Protocol and ports are only added when the target is not in L3 mode,
 * the protocol is not ICMP and the packet is not a fragment.
 *
 * Returns 0 on success, -1 when the inner header of an ICMP error cannot
 * be read.
 */
static int
hmark_pkt_set_htuple_ipv4(const struct sk_buff *skb, struct hmark_tuple *t,
			  const struct xt_hmark_info *info)
{
	struct iphdr *ip, _ip;
	int nhoff = skb_network_offset(skb);

	/* Outer header straight from the linear area. */
	ip = (struct iphdr *) (skb->data + nhoff);

	/* ICMP errors embed the offending IPv4 header; hash on that one. */
	if (ip->protocol == IPPROTO_ICMP &&
	    get_inner_hdr(skb, ip->ihl * 4, &nhoff)) {
		ip = skb_header_pointer(skb, nhoff, sizeof(_ip), &_ip);
		if (!ip)
			return -1;
	}

	t->src = ((__force u32) ip->saddr) & info->src_mask.ip;
	t->dst = ((__force u32) ip->daddr) & info->dst_mask.ip;

	/* L3 mode: addresses only. */
	if (info->flags & XT_HMARK_FLAG(XT_HMARK_METHOD_L3))
		return 0;

	t->proto = ip->protocol;

	/* ICMP has no ports, and follow-up fragments don't carry any, so
	 * every fragment is skipped. */
	if (t->proto == IPPROTO_ICMP ||
	    (ip->frag_off & htons(IP_MF | IP_OFFSET)))
		return 0;

	/* nhoff and ip refer to whichever header (outer or inner) was chosen. */
	hmark_set_tuple_ports(skb, nhoff + (ip->ihl * 4), t, info);
	return 0;
}
/*
 * Fill the hash tuple @t from the conntrack entry attached to @skb.
 *
 * Addresses come from the "src" side of the original and reply tuples and
 * are masked with info->src_mask / info->dst_mask.  Unless the target is in
 * L3 mode or the protocol is ICMP, the two ports are masked, OR-ed with the
 * forced values and ordered so the smaller one comes first.
 *
 * Returns 0 on success, -1 when there is no (tracked) conntrack entry or
 * conntrack is compiled out.
 */
static int
hmark_ct_set_htuple(const struct sk_buff *skb, struct hmark_tuple *t,
		    const struct xt_hmark_info *info)
{
#if IS_ENABLED(CONFIG_NF_CONNTRACK)
	enum ip_conntrack_info ctinfo;
	struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
	struct nf_conntrack_tuple *orig, *reply;

	if (!ct || nf_ct_is_untracked(ct))
		return -1;

	orig = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;
	reply = &ct->tuplehash[IP_CT_DIR_REPLY].tuple;

	/* Original src and reply src are the two ends of the connection. */
	t->src = hmark_addr_mask(orig->src.l3num, orig->src.u3.all,
				 info->src_mask.all);
	t->dst = hmark_addr_mask(orig->src.l3num, reply->src.u3.all,
				 info->dst_mask.all);

	/* L3 mode: addresses only. */
	if (info->flags & XT_HMARK_FLAG(XT_HMARK_METHOD_L3))
		return 0;

	t->proto = nf_ct_protonum(ct);
	if (t->proto == IPPROTO_ICMP)
		return 0;

	t->uports.p16.src = orig->src.u.all;
	t->uports.p16.dst = reply->src.u.all;
	/* Mask, then OR in the forced values, on both ports at once. */
	t->uports.v32 = (t->uports.v32 & info->port_mask.v32) |
			info->port_set.v32;
	/* Normalise the pair (smaller value first) so port order is irrelevant. */
	if (t->uports.p16.dst < t->uports.p16.src)
		swap(t->uports.p16.dst, t->uports.p16.src);

	return 0;
#else
	return -1;
#endif
}
/*
 * Interpret one --hmark-tuple keyword (@type, @len bytes of it) and enable
 * the matching selector in @info: the selector's mask is filled with 0xff,
 * its XT_HMARK_* flag is set and the O_HMARK_* option bit is recorded in
 * @xflags.
 *
 * Note that only the first @len characters are compared, so a shorter
 * prefix of a keyword is accepted as that keyword.
 *
 * Returns 1 if @type was recognised, 0 otherwise.
 */
static int
hmark_parse(const char *type, size_t len, struct xt_hmark_info *info,
	    unsigned int *xflags)
{
	void *fill = NULL;	/* mask to set to all-ones, if any */
	size_t fill_len = 0;
	unsigned int flag, opt;

	if (strncasecmp(type, "ct", len) == 0) {
		flag = XT_HMARK_CT;
		opt = O_HMARK_CT;
	} else if (strncasecmp(type, "src", len) == 0) {
		fill = &info->src_mask;
		fill_len = sizeof(info->src_mask);
		flag = XT_HMARK_SADDR_MASK;
		opt = O_HMARK_SADDR_MASK;
	} else if (strncasecmp(type, "dst", len) == 0) {
		fill = &info->dst_mask;
		fill_len = sizeof(info->dst_mask);
		flag = XT_HMARK_DADDR_MASK;
		opt = O_HMARK_DADDR_MASK;
	} else if (strncasecmp(type, "sport", len) == 0) {
		fill = &info->port_mask.p16.src;
		fill_len = sizeof(info->port_mask.p16.src);
		flag = XT_HMARK_SPORT_MASK;
		opt = O_HMARK_SPORT_MASK;
	} else if (strncasecmp(type, "dport", len) == 0) {
		fill = &info->port_mask.p16.dst;
		fill_len = sizeof(info->port_mask.p16.dst);
		flag = XT_HMARK_DPORT_MASK;
		opt = O_HMARK_DPORT_MASK;
	} else if (strncasecmp(type, "proto", len) == 0) {
		fill = &info->proto_mask;
		fill_len = sizeof(info->proto_mask);
		flag = XT_HMARK_PROTO_MASK;
		opt = O_HMARK_PROTO_MASK;
	} else if (strncasecmp(type, "spi", len) == 0) {
		fill = &info->port_mask.v32;
		fill_len = sizeof(info->port_mask.v32);
		flag = XT_HMARK_SPI_MASK;
		opt = O_HMARK_SPI_MASK;
	} else {
		return 0;
	}

	if (fill)
		memset(fill, 0xff, fill_len);
	info->flags |= XT_HMARK_FLAG(flag);
	*xflags |= (1 << opt);
	return 1;
}
/*
 * iptables-save hook for the address-family independent HMARK options.
 * Each option is emitted only when its flag bit is set, in the same
 * command-line form the parser accepts.
 *
 * Port and SPI fields are kept in network byte order (see HMARK_parse),
 * so they are converted back before printing.
 */
static void HMARK_save(const struct xt_hmark_info *info)
{
	const unsigned int flags = info->flags;

	/* Masks on the transport selectors. */
	if (flags & XT_HMARK_FLAG(XT_HMARK_SPORT_MASK))
		printf(" --hmark-sport-mask 0x%04x",
		       htons(info->port_mask.p16.src));
	if (flags & XT_HMARK_FLAG(XT_HMARK_DPORT_MASK))
		printf(" --hmark-dport-mask 0x%04x",
		       htons(info->port_mask.p16.dst));
	if (flags & XT_HMARK_FLAG(XT_HMARK_SPI_MASK))
		printf(" --hmark-spi-mask 0x%08x",
		       htonl(info->port_mask.v32));

	/* Forced values OR-ed in after masking. */
	if (flags & XT_HMARK_FLAG(XT_HMARK_SPORT))
		printf(" --hmark-sport 0x%04x",
		       htons(info->port_set.p16.src));
	if (flags & XT_HMARK_FLAG(XT_HMARK_DPORT))
		printf(" --hmark-dport 0x%04x",
		       htons(info->port_set.p16.dst));
	if (flags & XT_HMARK_FLAG(XT_HMARK_SPI))
		printf(" --hmark-spi 0x%08x", htonl(info->port_set.v32));

	/* Protocol mask, hash seed, modulus and offset are host-order values. */
	if (flags & XT_HMARK_FLAG(XT_HMARK_PROTO_MASK))
		printf(" --hmark-proto-mask 0x%02x", info->proto_mask);
	if (flags & XT_HMARK_FLAG(XT_HMARK_RND))
		printf(" --hmark-rnd 0x%08x", info->hashrnd);
	if (flags & XT_HMARK_FLAG(XT_HMARK_MODULUS))
		printf(" --hmark-mod %u", info->hmodulus);
	if (flags & XT_HMARK_FLAG(XT_HMARK_OFFSET))
		printf(" --hmark-offset %u", info->hoffset);

	/* Tuple source: conntrack instead of packet headers. */
	if (flags & XT_HMARK_FLAG(XT_HMARK_CT))
		printf(" --hmark-tuple ct");
}
/*
 * libxtables option callback for the HMARK target.
 *
 * After generic validation (xtables_option_parse), options that carry a
 * value store it into @cb->data in network byte order, the matching
 * XT_HMARK_* flag bit is set, and the option id is recorded in
 * @cb->xflags.  --hmark-tuple is handed to hmark_parse_type() instead.
 *
 * @plen is unused.
 */
static void HMARK_parse(struct xt_option_call *cb, int plen)
{
	struct xt_hmark_info *info = cb->data;
	unsigned int id;
	int bit = -1;		/* XT_HMARK_* flag to set, -1 for none */

	xtables_option_parse(cb);
	id = cb->entry->id;

	/* Step 1: options that carry a value store it (network byte order). */
	switch (id) {
	case O_HMARK_SPI:
		info->port_set.v32 = htonl(cb->val.u32);
		break;
	case O_HMARK_SPI_MASK:
		info->port_mask.v32 = htonl(cb->val.u32);
		break;
	case O_HMARK_SPORT:
		info->port_set.p16.src = htons(cb->val.u16);
		break;
	case O_HMARK_DPORT:
		info->port_set.p16.dst = htons(cb->val.u16);
		break;
	case O_HMARK_SPORT_MASK:
		info->port_mask.p16.src = htons(cb->val.u16);
		break;
	case O_HMARK_DPORT_MASK:
		info->port_mask.p16.dst = htons(cb->val.u16);
		break;
	default:
		break;
	}

	/* Step 2: map the option id onto its flag bit (or the tuple parser). */
	switch (id) {
	case O_HMARK_TYPE:
		hmark_parse_type(cb);
		break;
	case O_HMARK_SADDR_MASK:
		bit = XT_HMARK_SADDR_MASK;
		break;
	case O_HMARK_DADDR_MASK:
		bit = XT_HMARK_DADDR_MASK;
		break;
	case O_HMARK_SPI:
		bit = XT_HMARK_SPI;
		break;
	case O_HMARK_SPORT:
		bit = XT_HMARK_SPORT;
		break;
	case O_HMARK_DPORT:
		bit = XT_HMARK_DPORT;
		break;
	case O_HMARK_SPORT_MASK:
		bit = XT_HMARK_SPORT_MASK;
		break;
	case O_HMARK_DPORT_MASK:
		bit = XT_HMARK_DPORT_MASK;
		break;
	case O_HMARK_SPI_MASK:
		bit = XT_HMARK_SPI_MASK;
		break;
	case O_HMARK_PROTO_MASK:
		bit = XT_HMARK_PROTO_MASK;
		break;
	case O_HMARK_RND:
		bit = XT_HMARK_RND;
		break;
	case O_HMARK_MODULUS:
		bit = XT_HMARK_MODULUS;
		break;
	case O_HMARK_OFFSET:
		bit = XT_HMARK_OFFSET;
		break;
	case O_HMARK_CT:
		bit = XT_HMARK_CT;
		break;
	default:
		break;
	}

	if (bit >= 0)
		info->flags |= XT_HMARK_FLAG(bit);

	/* Remember which option was seen for the final "must have" checks. */
	cb->xflags |= (1 << id);
}