From 6c17eb46b5793f8f7750331e9a8ae8d3ba812292 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Thu, 11 Aug 2011 15:43:57 +0200
Subject: [PATCH 1/6] xt_psd: restore skb_header_pointer functionality for UDP
---
 doc/changelog.txt   |  1 +
 extensions/xt_psd.c | 29 +++++++++++++++++++----------
 2 files changed, 20 insertions(+), 10 deletions(-)
diff --git a/doc/changelog.txt b/doc/changelog.txt
index f8826c7..7c9c649 100644
--- a/doc/changelog.txt
+++ b/doc/changelog.txt
@@ -3,6 +3,7 @@ HEAD
 ====
 - xt_TARPIT: fix kernel warning about RTAX_HOPLIMIT being used
 - xt_TEE: abort build when the feature is already provided by mainline
+- xt_psd: restore functionality with UDP
 v1.37 (2011-06-25)
diff --git a/extensions/xt_psd.c b/extensions/xt_psd.c
index 59e3780..940b7da 100644
--- a/extensions/xt_psd.c
+++ b/extensions/xt_psd.c
@@ -104,7 +104,9 @@ xt_psd_match(const struct sk_buff *pskb, struct xt_action_param *match)
 {
 	const struct iphdr *iph;
 	const struct tcphdr *tcph;
+	const struct udphdr *udph;
 	struct tcphdr _tcph;
+	struct udphdr _udph;
 	struct in_addr addr;
 	u_int16_t src_port,dest_port;
 	u_int8_t tcp_flags, proto;
@@ -135,18 +137,25 @@ xt_psd_match(const struct sk_buff *pskb, struct xt_action_param *match)
 	addr.s_addr = iph->saddr;
-	tcph = skb_header_pointer(pskb, match->thoff, sizeof(_tcph), &_tcph);
-	if (tcph == NULL)
-		return false;
+	if (proto == IPPROTO_TCP) {
+		tcph = skb_header_pointer(pskb, match->thoff,
+		       sizeof(_tcph), &_tcph);
+		if (tcph == NULL)
+			return false;
-	/* Yep, it's dirty */
-	src_port = tcph->source;
-	dest_port = tcph->dest;
-
-	if (proto == IPPROTO_TCP)
+		/* Yep, it's dirty */
+		src_port = tcph->source;
+		dest_port = tcph->dest;
 		tcp_flags = *((u_int8_t*)tcph + 13);
-	else
-		tcp_flags = 0x00;
+	} else if (proto == IPPROTO_UDP) {
+		udph = skb_header_pointer(pskb, match->thoff,
+		       sizeof(_udph), &_udph);
+		if (udph == NULL)
+			return false;
+		src_port = udph->source;
+		dest_port = udph->dest;
+		tcp_flags = 0;
+	}
 	/* We're using IP address 0.0.0.0 for a special purpose here, so don't let
 	 * them spoof us. [DHCP needs this feature - HW] */
From 21da1dfea539c26323505b7501fc2b1cd6c66d3a Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Thu, 11 Aug 2011 15:44:35 +0200
Subject: [PATCH 2/6] xt_psd: cleanup and reduce number of condition checks
---
 extensions/xt_psd.c | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/extensions/xt_psd.c b/extensions/xt_psd.c
index 940b7da..62b7991 100644
--- a/extensions/xt_psd.c
+++ b/extensions/xt_psd.c
@@ -127,12 +127,6 @@ xt_psd_match(const struct sk_buff *pskb, struct xt_action_param *match)
 	/* TCP or UDP ? */
 	proto = iph->protocol;
-
-	if (proto != IPPROTO_TCP && proto != IPPROTO_UDP) {
-		pr_debug("protocol not supported\n");
-		return false;
-	}
-
 	/* Get the source address, source & destination ports, and TCP flags */
 	addr.s_addr = iph->saddr;
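Review bot: Both new branches read the transport header at `match->thoff` with no visible check that the packet is the first fragment; on a non-first fragment `thoff` points into payload, so attacker-chosen bytes are taken as source/destination ports (and, for TCP, as the flags byte) and fed into the scan-detection state. Unless the function already bails out on fragments above this hunk (its start is outside it), add `if (match->fragoff != 0) return false;` before the `proto` dispatch. While here, `*((u_int8_t*)tcph + 13)` is the TCP flags byte; `tcp_flag_byte(tcph)` from <linux/tcp.h> expresses that without the magic offset, if the kernels this module targets provide it.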
@@ -155,6 +149,9 @@ xt_psd_match(const struct sk_buff *pskb, struct xt_action_param *match)
 		src_port = udph->source;
 		dest_port = udph->dest;
 		tcp_flags = 0;
+	} else {
+		pr_debug("protocol not supported\n");
+		return false;
 	}
 	/* We're using IP address 0.0.0.0 for a special purpose here, so don't let
From 7e92ce7ce65aa22c10c350bcfbc1c5896d919453 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Thu, 11 Aug 2011 15:45:35 +0200
Subject: [PATCH 3/6] xt_psd: move early bail-out code above skb_header_pointer
---
 extensions/xt_psd.c | 13 ++++++-------
 1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/extensions/xt_psd.c b/extensions/xt_psd.c
index 62b7991..b038f48 100644
--- a/extensions/xt_psd.c
+++ b/extensions/xt_psd.c
@@ -130,6 +130,12 @@ xt_psd_match(const struct sk_buff *pskb, struct xt_action_param *match)
 	/* Get the source address, source & destination ports, and TCP flags */
 	addr.s_addr = iph->saddr;
+	/* We're using IP address 0.0.0.0 for a special purpose here, so don't let
+	 * them spoof us. [DHCP needs this feature - HW] */
+	if (addr.s_addr == 0) {
+		pr_debug("spoofed source address (0.0.0.0)\n");
+		return false;
+	}
 	if (proto == IPPROTO_TCP) {
 		tcph = skb_header_pointer(pskb, match->thoff,
@@ -154,13 +160,6 @@ xt_psd_match(const struct sk_buff *pskb, struct xt_action_param *match)
 			return false;
 	}
-	/* We're using IP address 0.0.0.0 for a special purpose here, so don't let
-	 * them spoof us. [DHCP needs this feature - HW] */
-	if (addr.s_addr == 0) {
-		pr_debug("spoofed source address (0.0.0.0)\n");
-		return false;
-	}
-
 	/* Use jiffies here not to depend on someone setting the time while we're
 	 * running; we need to be careful with possible return value overflows. */
 	now = jiffies;
From a141cc311cf549da9289f648a306c05b215afb22 Mon Sep 17 00:00:00 2001
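Review bot: The comment carried along with the moved check still says "don't let them spoof us", which reads as if this were anti-spoofing; what the code does is refuse to track any packet whose source is 0.0.0.0 because that value has an internal meaning to the module (presumably a marker for an unused slot in the tracking table — confirm against the code below the hunk, which is outside it). Since the check now sits at the top of the parsing path, state that contract plainly, e.g. `/* 0.0.0.0 is reserved for internal use by this module, so refuse to track a packet that carries it as source; DHCP clients legitimately send from 0.0.0.0 [HW] */`, and consider matching the pr_debug text to it (`"ignoring source address 0.0.0.0\n"`), since "spoofed" will mislead whoever reads the debug log.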
From: Jan Engelhardt
Date: Thu, 11 Aug 2011 15:47:20 +0200
Subject: [PATCH 4/6] xt_psd: support UDPLITE
---
 doc/changelog.txt   | 1 +
 extensions/xt_psd.c | 2 +-
 2 files changed, 2 insertions(+), 1 deletion(-)
diff --git a/doc/changelog.txt b/doc/changelog.txt
index 7c9c649..9ee6d9f 100644
--- a/doc/changelog.txt
+++ b/doc/changelog.txt
@@ -4,6 +4,7 @@ HEAD
 - xt_TARPIT: fix kernel warning about RTAX_HOPLIMIT being used
 - xt_TEE: abort build when the feature is already provided by mainline
 - xt_psd: restore functionality with UDP
+- xt_psd: support UDPLITE
 v1.37 (2011-06-25)
diff --git a/extensions/xt_psd.c b/extensions/xt_psd.c
index b038f48..63ba586 100644
--- a/extensions/xt_psd.c
+++ b/extensions/xt_psd.c
@@ -147,7 +147,7 @@ xt_psd_match(const struct sk_buff *pskb, struct xt_action_param *match)
 		src_port = tcph->source;
 		dest_port = tcph->dest;
 		tcp_flags = *((u_int8_t*)tcph + 13);
-	} else if (proto == IPPROTO_UDP) {
+	} else if (proto == IPPROTO_UDP || proto == IPPROTO_UDPLITE) {
 		udph = skb_header_pointer(pskb, match->thoff,
 		       sizeof(_udph), &_udph);
 		if (udph == NULL)
From 071c95b7506cb30d365544d22d3261d1048e2d7f Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Thu, 11 Aug 2011 15:49:40 +0200
Subject: [PATCH 5/6] xt_psd: compact temporary skb buffers
---
 extensions/xt_psd.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/extensions/xt_psd.c b/extensions/xt_psd.c
index 63ba586..04d1453 100644
--- a/extensions/xt_psd.c
+++ b/extensions/xt_psd.c
@@ -105,8 +105,10 @@ xt_psd_match(const struct sk_buff *pskb, struct xt_action_param *match)
 	const struct iphdr *iph;
 	const struct tcphdr *tcph;
 	const struct udphdr *udph;
-	struct tcphdr _tcph;
-	struct udphdr _udph;
+	union {
+		struct tcphdr tcph;
+		struct udphdr udph;
+	} _buf;
 	struct in_addr addr;
 	u_int16_t src_port,dest_port;
 	u_int8_t tcp_flags, proto;
@@ -139,7 +141,7 @@ xt_psd_match(const struct sk_buff *pskb, struct xt_action_param *match)
 	if (proto == IPPROTO_TCP) {
 		tcph = skb_header_pointer(pskb, match->thoff,
-		       sizeof(_tcph), &_tcph);
+		       sizeof(_buf.tcph), &_buf.tcph);
 		if (tcph == NULL)
 			return false;
@@ -149,7 +151,7 @@ xt_psd_match(const struct sk_buff *pskb, struct xt_action_param *match)
 		tcp_flags = *((u_int8_t*)tcph + 13);
 	} else if (proto == IPPROTO_UDP || proto == IPPROTO_UDPLITE) {
 		udph = skb_header_pointer(pskb, match->thoff,
-		       sizeof(_udph), &_udph);
+		       sizeof(_buf.udph), &_buf.udph);
 		if (udph == NULL)
 			return false;
 		src_port = udph->source;
From 01d864f4fc69c7cb46017328aac2dd1b62436dd8 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Thu, 11 Aug 2011 15:50:08 +0200
Subject: [PATCH 6/6] xt_psd: resolve compiler warning
xt_psd.c: In function "xt_psd_match":
xt_psd.c:253:27: warning: "tcph" may be used uninitialized in this function [-Wuninitialized]
---
 extensions/xt_psd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/extensions/xt_psd.c b/extensions/xt_psd.c
index 04d1453..46b2831 100644
--- a/extensions/xt_psd.c
+++ b/extensions/xt_psd.c
@@ -103,7 +103,7 @@ static bool
 xt_psd_match(const struct sk_buff *pskb, struct xt_action_param *match)
 {
 	const struct iphdr *iph;
-	const struct tcphdr *tcph;
+	const struct tcphdr *tcph = NULL;
 	const struct udphdr *udph;
 	union {
 		struct tcphdr tcph;
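Review bot: Initializing `tcph` to NULL silences the warning but not what it reports: the use at xt_psd.c:253 (outside this hunk) is reachable on paths where `tcph` was never assigned, and after the earlier patches in this series that is every UDP/UDP-Lite packet, since only the `IPPROTO_TCP` branch sets it. If that line dereferences `tcph` without a `proto == IPPROTO_TCP` guard, this change converts an uninitialized read into a NULL-pointer dereference triggered by any UDP packet hitting the rule; if it is guarded, the compiler merely cannot prove it. Please make the contract explicit at the declaration, `const struct tcphdr *tcph = NULL; /* set only for IPPROTO_TCP; the UDP paths must not dereference it */`, and have the use at line 253 test `proto` or `tcp_flags` (or `tcph != NULL`) rather than rely on the initializer. The enclosing function continues past the end of the hunk.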