netfilter: move tee_active to core

This prepares for a TEE like expression in nftables. We want to ensure only one duplicate is sent, so both will use the same percpu variable to detect duplication. The other use case is detection of recursive call to xtables, but since we don't want dependency from nft to xtables core its put into core.c instead of the x_tables core. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

netfilter: move tee_active to core
This prepares for a TEE like expression in nftables. We want to ensure only one duplicate is sent, so both will use the same percpu variable to detect duplication. The other use case is detection of recursive call to xtables, but since we don't want dependency from nft to xtables core its put into core.c instead of the x_tables core. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Florian Westphal · Pablo Neira Ayuso
1 parent 98d1bd802c
Showing 3 changed files with 20 additions and 7 deletions Side-by-side Diff
include/linux/netfilter.h
net/netfilter/core.c
net/netfilter/xt_TEE.c
@@ -390,5 +390,16 @@
 static inline void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb) {}
 #endif
  
+/**
+ * nf_skb_duplicated - TEE target has sent a packet
+ *
+ * When a xtables target sends a packet, the OUTPUT and POSTROUTING
+ * hooks are traversed again, i.e. nft and xtables are invoked recursively.
+ *
+ * This is used by xtables TEE target to prevent the duplicated skb from
+ * being duplicated again.
+ */
+DECLARE_PER_CPU(bool, nf_skb_duplicated);
+
 #endif /*__LINUX_NETFILTER_H*/
@@ -34,6 +34,9 @@
 const struct nf_ipv6_ops __rcu *nf_ipv6_ops __read_mostly;
 EXPORT_SYMBOL_GPL(nf_ipv6_ops);
  
+DEFINE_PER_CPU(bool, nf_skb_duplicated);
+EXPORT_SYMBOL_GPL(nf_skb_duplicated);
+
 int nf_register_afinfo(const struct nf_afinfo *afinfo)
 {
 	mutex_lock(&afinfo_mutex);
@@ -37,7 +37,6 @@
 };
  
 static const union nf_inet_addr tee_zero_address;
-static DEFINE_PER_CPU(bool, tee_active);
  
 static struct net *pick_net(struct sk_buff *skb)
 {
@@ -88,7 +87,7 @@
 	const struct xt_tee_tginfo *info = par->targinfo;
 	struct iphdr *iph;
  
-	if (__this_cpu_read(tee_active))
+	if (__this_cpu_read(nf_skb_duplicated))
 		return XT_CONTINUE;
 	/*
 	 * Copy the skb, and route the copy. Will later return %XT_CONTINUE for
  
@@ -125,9 +124,9 @@
 	ip_send_check(iph);
  
 	if (tee_tg_route4(skb, info)) {
-		__this_cpu_write(tee_active, true);
+		__this_cpu_write(nf_skb_duplicated, true);
 		ip_local_out(skb);
-		__this_cpu_write(tee_active, false);
+		__this_cpu_write(nf_skb_duplicated, false);
 	} else {
 		kfree_skb(skb);
 	}
@@ -170,7 +169,7 @@
 {
 	const struct xt_tee_tginfo *info = par->targinfo;
  
-	if (__this_cpu_read(tee_active))
+	if (__this_cpu_read(nf_skb_duplicated))
 		return XT_CONTINUE;
 	skb = pskb_copy(skb, GFP_ATOMIC);
 	if (skb == NULL)
  
@@ -188,9 +187,9 @@
 		--iph->hop_limit;
 	}
 	if (tee_tg_route6(skb, info)) {
-		__this_cpu_write(tee_active, true);
+		__this_cpu_write(nf_skb_duplicated, true);
 		ip6_local_out(skb);
-		__this_cpu_write(tee_active, false);
+		__this_cpu_write(nf_skb_duplicated, false);
 	} else {
 		kfree_skb(skb);
 	}
...	...	@@ -390,5 +390,16 @@
390	390	static inline void nf_ct_attach(struct sk_buff new, struct sk_buff skb) {}
391	391	#endif
392	392
	393	+/**
	394	+ * nf_skb_duplicated - TEE target has sent a packet
	395	+ *
	396	+ * When a xtables target sends a packet, the OUTPUT and POSTROUTING
	397	+ * hooks are traversed again, i.e. nft and xtables are invoked recursively.
	398	+ *
	399	+ * This is used by xtables TEE target to prevent the duplicated skb from
	400	+ * being duplicated again.
	401	+ */
	402	+DECLARE_PER_CPU(bool, nf_skb_duplicated);
	403	+
393	404	#endif /__LINUX_NETFILTER_H/
...	...	@@ -34,6 +34,9 @@
34	34	const struct nf_ipv6_ops __rcu *nf_ipv6_ops __read_mostly;
35	35	EXPORT_SYMBOL_GPL(nf_ipv6_ops);
36	36
	37	+DEFINE_PER_CPU(bool, nf_skb_duplicated);
	38	+EXPORT_SYMBOL_GPL(nf_skb_duplicated);
	39	+
37	40	int nf_register_afinfo(const struct nf_afinfo *afinfo)
38	41	{
39	42	mutex_lock(&afinfo_mutex);
...	...	@@ -37,7 +37,6 @@
37	37	};
38	38
39	39	static const union nf_inet_addr tee_zero_address;
40		-static DEFINE_PER_CPU(bool, tee_active);
41	40
42	41	static struct net pick_net(struct sk_buff skb)
43	42	{
...	...	@@ -88,7 +87,7 @@
88	87	const struct xt_tee_tginfo *info = par->targinfo;
89	88	struct iphdr *iph;
90	89
91		- if (__this_cpu_read(tee_active))
	90	+ if (__this_cpu_read(nf_skb_duplicated))
92	91	return XT_CONTINUE;
93	92	/*
94	93	* Copy the skb, and route the copy. Will later return %XT_CONTINUE for
95	94
...	...	@@ -125,9 +124,9 @@
125	124	ip_send_check(iph);
126	125
127	126	if (tee_tg_route4(skb, info)) {
128		- __this_cpu_write(tee_active, true);
	127	+ __this_cpu_write(nf_skb_duplicated, true);
129	128	ip_local_out(skb);
130		- __this_cpu_write(tee_active, false);
	129	+ __this_cpu_write(nf_skb_duplicated, false);
131	130	} else {
132	131	kfree_skb(skb);
133	132	}
...	...	@@ -170,7 +169,7 @@
170	169	{
171	170	const struct xt_tee_tginfo *info = par->targinfo;
172	171
173		- if (__this_cpu_read(tee_active))
	172	+ if (__this_cpu_read(nf_skb_duplicated))
174	173	return XT_CONTINUE;
175	174	skb = pskb_copy(skb, GFP_ATOMIC);
176	175	if (skb == NULL)
177	176
...	...	@@ -188,9 +187,9 @@
188	187	--iph->hop_limit;
189	188	}
190	189	if (tee_tg_route6(skb, info)) {
191		- __this_cpu_write(tee_active, true);
	190	+ __this_cpu_write(nf_skb_duplicated, true);
192	191	ip6_local_out(skb);
193		- __this_cpu_write(tee_active, false);
	192	+ __this_cpu_write(nf_skb_duplicated, false);
194	193	} else {
195	194	kfree_skb(skb);
196	195	}