netfilter: nft_payload: support for inner header matching / mangling

enum {

	NFT_PKTINFO_L4PROTO	= (1 << 0),

	NFT_PKTINFO_INNER	= (1 << 1),

};

struct nft_pktinfo {

	u8				tprot;

	u16				fragoff;

	unsigned int			thoff;

	unsigned int			inneroff;

};

static inline struct sock *nft_sk(const struct nft_pktinfo *pkt)

 * @NFT_PAYLOAD_LL_HEADER: link layer header

 * @NFT_PAYLOAD_NETWORK_HEADER: network header

 * @NFT_PAYLOAD_TRANSPORT_HEADER: transport header

 * @NFT_PAYLOAD_INNER_HEADER: inner header / payload

 */

enum nft_payload_bases {

	NFT_PAYLOAD_LL_HEADER,

	NFT_PAYLOAD_NETWORK_HEADER,

	NFT_PAYLOAD_TRANSPORT_HEADER,

	NFT_PAYLOAD_INNER_HEADER,

};

/**

#include <linux/icmpv6.h>

#include <linux/ip.h>

#include <linux/ipv6.h>

#include <linux/ip.h>

#include <net/sctp/checksum.h>

static bool nft_payload_rebuild_vlan_hdr(const struct sk_buff *skb, int mac_off,

	return skb_copy_bits(skb, offset + mac_off, dst_u8, len) == 0;

}

static int __nft_payload_inner_offset(struct nft_pktinfo *pkt)

{

	unsigned int thoff = nft_thoff(pkt);

	if (!(pkt->flags & NFT_PKTINFO_L4PROTO))

		return -1;

	switch (pkt->tprot) {

	case IPPROTO_UDP:

		pkt->inneroff = thoff + sizeof(struct udphdr);

		break;

	case IPPROTO_TCP: {

		struct tcphdr *th, _tcph;

		th = skb_header_pointer(pkt->skb, thoff, sizeof(_tcph), &_tcph);

		if (!th)

			return -1;

		pkt->inneroff = thoff + __tcp_hdrlen(th);

		}

		break;

	default:

		return -1;

	}

	pkt->flags |= NFT_PKTINFO_INNER;

	return 0;

}

static int nft_payload_inner_offset(const struct nft_pktinfo *pkt)

{

	if (!(pkt->flags & NFT_PKTINFO_INNER) &&

	    __nft_payload_inner_offset((struct nft_pktinfo *)pkt) < 0)

		return -1;

	return pkt->inneroff;

}

void nft_payload_eval(const struct nft_expr *expr,

		      struct nft_regs *regs,

		      const struct nft_pktinfo *pkt)

			goto err;

		offset = nft_thoff(pkt);

		break;

	case NFT_PAYLOAD_INNER_HEADER:

		offset = nft_payload_inner_offset(pkt);

		if (offset < 0)

			goto err;

		break;

	default:

		BUG();

	}

			goto err;

		offset = nft_thoff(pkt);

		break;

	case NFT_PAYLOAD_INNER_HEADER:

		offset = nft_payload_inner_offset(pkt);

		if (offset < 0)

			goto err;

		break;

	default:

		BUG();

	}

	offset += priv->offset;

	if ((priv->csum_type == NFT_PAYLOAD_CSUM_INET || priv->csum_flags) &&

	    (priv->base != NFT_PAYLOAD_TRANSPORT_HEADER ||

	    ((priv->base != NFT_PAYLOAD_TRANSPORT_HEADER &&

	      priv->base != NFT_PAYLOAD_INNER_HEADER) ||

	     skb->ip_summed != CHECKSUM_PARTIAL)) {

		fsum = skb_checksum(skb, offset, priv->len, 0);

		tsum = csum_partial(src, priv->len, 0);

	case NFT_PAYLOAD_LL_HEADER:

	case NFT_PAYLOAD_NETWORK_HEADER:

	case NFT_PAYLOAD_TRANSPORT_HEADER:

	case NFT_PAYLOAD_INNER_HEADER:

		break;

	default:

		return ERR_PTR(-EOPNOTSUPP);

	len    = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_LEN]));

	if (len <= 4 && is_power_of_2(len) && IS_ALIGNED(offset, len) &&

	    base != NFT_PAYLOAD_LL_HEADER)

	    base != NFT_PAYLOAD_LL_HEADER && base != NFT_PAYLOAD_INNER_HEADER)

		return &nft_payload_fast_ops;

	else

		return &nft_payload_ops;