Commit f4401262 authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso
Browse files

netfilter: flowtable: fast NAT functions never fail 



Simplify existing fast NAT routines by returning void. After the
skb_try_make_writable() call consolidation, these routines cannot ever
fail.

Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 4f08f173

include/net/netfilter/nf_flow_table.h

+6 −6
Original line number Diff line number Diff line
@@ -229,10 +229,10 @@ void nf_flow_table_free(struct nf_flowtable *flow_table); 


void flow_offload_teardown(struct flow_offload *flow);



int nf_flow_snat_port(const struct flow_offload *flow,

void nf_flow_snat_port(const struct flow_offload *flow,

		       struct sk_buff *skb, unsigned int thoff,

		       u8 protocol, enum flow_offload_tuple_dir dir);

int nf_flow_dnat_port(const struct flow_offload *flow,

void nf_flow_dnat_port(const struct flow_offload *flow,

		       struct sk_buff *skb, unsigned int thoff,

		       u8 protocol, enum flow_offload_tuple_dir dir);

net/netfilter/nf_flow_table_core.c

+16 −25
Original line number Diff line number Diff line
@@ -389,19 +389,16 @@ static void nf_flow_offload_work_gc(struct work_struct *work) 
	queue_delayed_work(system_power_efficient_wq, &flow_table->gc_work, HZ);

}





static int nf_flow_nat_port_tcp(struct sk_buff *skb, unsigned int thoff,

static void nf_flow_nat_port_tcp(struct sk_buff *skb, unsigned int thoff,

				 __be16 port, __be16 new_port)

{

	struct tcphdr *tcph;



	tcph = (void *)(skb_network_header(skb) + thoff);

	inet_proto_csum_replace2(&tcph->check, skb, port, new_port, false);



	return 0;

}



static int nf_flow_nat_port_udp(struct sk_buff *skb, unsigned int thoff,

static void nf_flow_nat_port_udp(struct sk_buff *skb, unsigned int thoff,

				 __be16 port, __be16 new_port)

{

	struct udphdr *udph;
@@ -413,28 +410,22 @@ static int nf_flow_nat_port_udp(struct sk_buff *skb, unsigned int thoff, 
		if (!udph->check)

			udph->check = CSUM_MANGLED_0;

	}



	return 0;

}



static int nf_flow_nat_port(struct sk_buff *skb, unsigned int thoff,

static void nf_flow_nat_port(struct sk_buff *skb, unsigned int thoff,

			     u8 protocol, __be16 port, __be16 new_port)

{

	switch (protocol) {

	case IPPROTO_TCP:

		if (nf_flow_nat_port_tcp(skb, thoff, port, new_port) < 0)

			return NF_DROP;

		nf_flow_nat_port_tcp(skb, thoff, port, new_port);

		break;

	case IPPROTO_UDP:

		if (nf_flow_nat_port_udp(skb, thoff, port, new_port) < 0)

			return NF_DROP;

		nf_flow_nat_port_udp(skb, thoff, port, new_port);

		break;

	}



	return 0;

}



int nf_flow_snat_port(const struct flow_offload *flow,

void nf_flow_snat_port(const struct flow_offload *flow,

		       struct sk_buff *skb, unsigned int thoff,

		       u8 protocol, enum flow_offload_tuple_dir dir)

{
@@ -456,13 +447,13 @@ int nf_flow_snat_port(const struct flow_offload *flow, 
		break;

	}



	return nf_flow_nat_port(skb, thoff, protocol, port, new_port);

	nf_flow_nat_port(skb, thoff, protocol, port, new_port);

}

EXPORT_SYMBOL_GPL(nf_flow_snat_port);



int nf_flow_dnat_port(const struct flow_offload *flow,

		      struct sk_buff *skb, unsigned int thoff,

		      u8 protocol, enum flow_offload_tuple_dir dir)

void nf_flow_dnat_port(const struct flow_offload *flow, struct sk_buff *skb,

		       unsigned int thoff, u8 protocol,

		       enum flow_offload_tuple_dir dir)

{

	struct flow_ports *hdr;

	__be16 port, new_port;
@@ -482,7 +473,7 @@ int nf_flow_dnat_port(const struct flow_offload *flow, 
		break;

	}



	return nf_flow_nat_port(skb, thoff, protocol, port, new_port);

	nf_flow_nat_port(skb, thoff, protocol, port, new_port);

}

EXPORT_SYMBOL_GPL(nf_flow_dnat_port);

net/netfilter/nf_flow_table_ip.c

+62 −85
Original line number Diff line number Diff line
@@ -34,18 +34,16 @@ static int nf_flow_state_check(struct flow_offload *flow, int proto, 
	return 0;

}



static int nf_flow_nat_ip_tcp(struct sk_buff *skb, unsigned int thoff,

static void nf_flow_nat_ip_tcp(struct sk_buff *skb, unsigned int thoff,

			       __be32 addr, __be32 new_addr)

{

	struct tcphdr *tcph;



	tcph = (void *)(skb_network_header(skb) + thoff);

	inet_proto_csum_replace4(&tcph->check, skb, addr, new_addr, true);



	return 0;

}



static int nf_flow_nat_ip_udp(struct sk_buff *skb, unsigned int thoff,

static void nf_flow_nat_ip_udp(struct sk_buff *skb, unsigned int thoff,

			       __be32 addr, __be32 new_addr)

{

	struct udphdr *udph;
@@ -57,31 +55,25 @@ static int nf_flow_nat_ip_udp(struct sk_buff *skb, unsigned int thoff, 
		if (!udph->check)

			udph->check = CSUM_MANGLED_0;

	}



	return 0;

}



static int nf_flow_nat_ip_l4proto(struct sk_buff *skb, struct iphdr *iph,

static void nf_flow_nat_ip_l4proto(struct sk_buff *skb, struct iphdr *iph,

				   unsigned int thoff, __be32 addr,

				   __be32 new_addr)

{

	switch (iph->protocol) {

	case IPPROTO_TCP:

		if (nf_flow_nat_ip_tcp(skb, thoff, addr, new_addr) < 0)

			return NF_DROP;

		nf_flow_nat_ip_tcp(skb, thoff, addr, new_addr);

		break;

	case IPPROTO_UDP:

		if (nf_flow_nat_ip_udp(skb, thoff, addr, new_addr) < 0)

			return NF_DROP;

		nf_flow_nat_ip_udp(skb, thoff, addr, new_addr);

		break;

	}



	return 0;

}



static int nf_flow_snat_ip(const struct flow_offload *flow, struct sk_buff *skb,

			   struct iphdr *iph, unsigned int thoff,

			   enum flow_offload_tuple_dir dir)

static void nf_flow_snat_ip(const struct flow_offload *flow,

			    struct sk_buff *skb, struct iphdr *iph,

			    unsigned int thoff, enum flow_offload_tuple_dir dir)

{

	__be32 addr, new_addr;
@@ -99,12 +91,12 @@ static int nf_flow_snat_ip(const struct flow_offload *flow, struct sk_buff *skb, 
	}

	csum_replace4(&iph->check, addr, new_addr);



	return nf_flow_nat_ip_l4proto(skb, iph, thoff, addr, new_addr);

	nf_flow_nat_ip_l4proto(skb, iph, thoff, addr, new_addr);

}



static int nf_flow_dnat_ip(const struct flow_offload *flow, struct sk_buff *skb,

			   struct iphdr *iph, unsigned int thoff,

			   enum flow_offload_tuple_dir dir)

static void nf_flow_dnat_ip(const struct flow_offload *flow,

			    struct sk_buff *skb, struct iphdr *iph,

			    unsigned int thoff, enum flow_offload_tuple_dir dir)

{

	__be32 addr, new_addr;
@@ -122,24 +114,21 @@ static int nf_flow_dnat_ip(const struct flow_offload *flow, struct sk_buff *skb, 
	}

	csum_replace4(&iph->check, addr, new_addr);



	return nf_flow_nat_ip_l4proto(skb, iph, thoff, addr, new_addr);

	nf_flow_nat_ip_l4proto(skb, iph, thoff, addr, new_addr);

}



static int nf_flow_nat_ip(const struct flow_offload *flow, struct sk_buff *skb,

static void nf_flow_nat_ip(const struct flow_offload *flow, struct sk_buff *skb,

			  unsigned int thoff, enum flow_offload_tuple_dir dir,

			  struct iphdr *iph)

{

	if (test_bit(NF_FLOW_SNAT, &flow->flags) &&

	    (nf_flow_snat_port(flow, skb, thoff, iph->protocol, dir) < 0 ||

	     nf_flow_snat_ip(flow, skb, iph, thoff, dir) < 0))

		return -1;



	if (test_bit(NF_FLOW_DNAT, &flow->flags) &&

	    (nf_flow_dnat_port(flow, skb, thoff, iph->protocol, dir) < 0 ||

	     nf_flow_dnat_ip(flow, skb, iph, thoff, dir) < 0))

		return -1;



	return 0;

	if (test_bit(NF_FLOW_SNAT, &flow->flags)) {

		nf_flow_snat_port(flow, skb, thoff, iph->protocol, dir);

		nf_flow_snat_ip(flow, skb, iph, thoff, dir);

	}

	if (test_bit(NF_FLOW_DNAT, &flow->flags)) {

		nf_flow_dnat_port(flow, skb, thoff, iph->protocol, dir);

		nf_flow_dnat_ip(flow, skb, iph, thoff, dir);

	}

}



static bool ip_has_options(unsigned int thoff)
@@ -276,8 +265,7 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb, 
		return NF_DROP;



	iph = ip_hdr(skb);

	if (nf_flow_nat_ip(flow, skb, thoff, dir, iph) < 0)

		return NF_DROP;

	nf_flow_nat_ip(flow, skb, thoff, dir, iph);



	ip_decrease_ttl(iph);

	skb->tstamp = 0;
@@ -301,20 +289,19 @@ nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb, 
}

EXPORT_SYMBOL_GPL(nf_flow_offload_ip_hook);



static int nf_flow_nat_ipv6_tcp(struct sk_buff *skb, unsigned int thoff,

static void nf_flow_nat_ipv6_tcp(struct sk_buff *skb, unsigned int thoff,

				 struct in6_addr *addr,

				struct in6_addr *new_addr)

				 struct in6_addr *new_addr,

				 struct ipv6hdr *ip6h)

{

	struct tcphdr *tcph;



	tcph = (void *)(skb_network_header(skb) + thoff);

	inet_proto_csum_replace16(&tcph->check, skb, addr->s6_addr32,

				  new_addr->s6_addr32, true);



	return 0;

}



static int nf_flow_nat_ipv6_udp(struct sk_buff *skb, unsigned int thoff,

static void nf_flow_nat_ipv6_udp(struct sk_buff *skb, unsigned int thoff,

				 struct in6_addr *addr,

				 struct in6_addr *new_addr)

{
@@ -327,29 +314,23 @@ static int nf_flow_nat_ipv6_udp(struct sk_buff *skb, unsigned int thoff, 
		if (!udph->check)

			udph->check = CSUM_MANGLED_0;

	}



	return 0;

}



static int nf_flow_nat_ipv6_l4proto(struct sk_buff *skb, struct ipv6hdr *ip6h,

static void nf_flow_nat_ipv6_l4proto(struct sk_buff *skb, struct ipv6hdr *ip6h,

				     unsigned int thoff, struct in6_addr *addr,

				     struct in6_addr *new_addr)

{

	switch (ip6h->nexthdr) {

	case IPPROTO_TCP:

		if (nf_flow_nat_ipv6_tcp(skb, thoff, addr, new_addr) < 0)

			return NF_DROP;

		nf_flow_nat_ipv6_tcp(skb, thoff, addr, new_addr, ip6h);

		break;

	case IPPROTO_UDP:

		if (nf_flow_nat_ipv6_udp(skb, thoff, addr, new_addr) < 0)

			return NF_DROP;

		nf_flow_nat_ipv6_udp(skb, thoff, addr, new_addr);

		break;

	}



	return 0;

}



static int nf_flow_snat_ipv6(const struct flow_offload *flow,

static void nf_flow_snat_ipv6(const struct flow_offload *flow,

			      struct sk_buff *skb, struct ipv6hdr *ip6h,

			      unsigned int thoff,

			      enum flow_offload_tuple_dir dir)
@@ -369,10 +350,10 @@ static int nf_flow_snat_ipv6(const struct flow_offload *flow, 
		break;

	}



	return nf_flow_nat_ipv6_l4proto(skb, ip6h, thoff, &addr, &new_addr);

	nf_flow_nat_ipv6_l4proto(skb, ip6h, thoff, &addr, &new_addr);

}



static int nf_flow_dnat_ipv6(const struct flow_offload *flow,

static void nf_flow_dnat_ipv6(const struct flow_offload *flow,

			      struct sk_buff *skb, struct ipv6hdr *ip6h,

			      unsigned int thoff,

			      enum flow_offload_tuple_dir dir)
@@ -392,27 +373,24 @@ static int nf_flow_dnat_ipv6(const struct flow_offload *flow, 
		break;

	}



	return nf_flow_nat_ipv6_l4proto(skb, ip6h, thoff, &addr, &new_addr);

	nf_flow_nat_ipv6_l4proto(skb, ip6h, thoff, &addr, &new_addr);

}



static int nf_flow_nat_ipv6(const struct flow_offload *flow,

static void nf_flow_nat_ipv6(const struct flow_offload *flow,

			     struct sk_buff *skb,

			     enum flow_offload_tuple_dir dir,

			     struct ipv6hdr *ip6h)

{

	unsigned int thoff = sizeof(*ip6h);



	if (test_bit(NF_FLOW_SNAT, &flow->flags) &&

	    (nf_flow_snat_port(flow, skb, thoff, ip6h->nexthdr, dir) < 0 ||

	     nf_flow_snat_ipv6(flow, skb, ip6h, thoff, dir) < 0))

		return -1;



	if (test_bit(NF_FLOW_DNAT, &flow->flags) &&

	    (nf_flow_dnat_port(flow, skb, thoff, ip6h->nexthdr, dir) < 0 ||

	     nf_flow_dnat_ipv6(flow, skb, ip6h, thoff, dir) < 0))

		return -1;



	return 0;

	if (test_bit(NF_FLOW_SNAT, &flow->flags)) {

		nf_flow_snat_port(flow, skb, thoff, ip6h->nexthdr, dir);

		nf_flow_snat_ipv6(flow, skb, ip6h, thoff, dir);

	}

	if (test_bit(NF_FLOW_DNAT, &flow->flags)) {

		nf_flow_dnat_port(flow, skb, thoff, ip6h->nexthdr, dir);

		nf_flow_dnat_ipv6(flow, skb, ip6h, thoff, dir);

	}

}



static int nf_flow_tuple_ipv6(struct sk_buff *skb, const struct net_device *dev,
@@ -507,8 +485,7 @@ nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb, 
		return NF_DROP;



	ip6h = ipv6_hdr(skb);

	if (nf_flow_nat_ipv6(flow, skb, dir, ip6h) < 0)

		return NF_DROP;

	nf_flow_nat_ipv6(flow, skb, dir, ip6h);



	ip6h->hop_limit--;

	skb->tstamp = 0;