meta-openembedded/meta-networking/recipes-filter/nftables/files/0006-payload-enforce-ip-ip6-protocol-depending-on-icmp-or.patch - openbmc/openbmc - Gitiles

 From f21a7a4849b50c30341ec571813bd7fe37040ad3 Mon Sep 17 00:00:00 2001
 From: Florian Westphal <fw@strlen.de>
 Date: Thu, 18 May 2017 13:30:54 +0200
 Subject: [PATCH 4/4] payload: enforce ip/ip6 protocol depending on icmp or
  icmpv6

 After some discussion with Pablo we agreed to treat icmp/icmpv6 specially.

 in the case of a rule like 'tcp dport 22' the inet, bridge and netdev
 families only care about the lower layer protocol.

 In the icmpv6 case however we'd like to also enforce an ipv6 protocol check
 (and ipv4 check in icmp case).

 This extends payload_gen_special_dependency() to consider this.
 With this patch:

 add rule $pf filter input meta l4proto icmpv6
 add rule $pf filter input meta l4proto icmpv6 icmpv6 type echo-request
 add rule $pf filter input icmpv6 type echo-request

 will work in all tables and all families.
 For inet/bridge/netdev, an ipv6 protocol dependency is added; this will
 not match ipv4 packets with ip->protocol == icmpv6, EXCEPT in the case
 of the ip family.

 Its still possible to match icmpv6-in-ipv4 in inet/bridge/netdev with an
 explicit dependency:

 add rule inet f i ip protocol ipv6-icmp meta l4proto ipv6-icmp icmpv6 type ...

 Implicit dependencies won't get removed at the moment, so
   bridge ... icmp type echo-request
 will be shown as
   ether type ip meta l4proto 1 icmp type echo-request

 Signed-off-by: Florian Westphal <fw@strlen.de>
 ---
 Upstream-Status: Backport
 Signed-off-by: André Draszik <adraszik@tycoint.com>
  src/payload.c | 27 +++++++++++++++++++++++----
  1 file changed, 23 insertions(+), 4 deletions(-)

 diff --git a/src/payload.c b/src/payload.c
 index 38db15e..8796ee5 100644
 --- a/src/payload.c
 +++ b/src/payload.c
 @@ -264,10 +264,29 @@ payload_gen_special_dependency(struct eval_ctx *ctx, const struct expr *expr)
  	case PROTO_BASE_LL_HDR:
  		return payload_get_get_ll_hdr(ctx);
  	case PROTO_BASE_TRANSPORT_HDR:
 -		if (expr->payload.desc == &proto_icmp)
 -			return &proto_ip;
 -		if (expr->payload.desc == &proto_icmp6)
 -			return &proto_ip6;
 +		if (expr->payload.desc == &proto_icmp ||
 +		    expr->payload.desc == &proto_icmp6) {
 +			const struct proto_desc *desc, *desc_upper;
 +			struct stmt *nstmt;
 +
 +			desc = ctx->pctx.protocol[PROTO_BASE_LL_HDR].desc;
 +			if (!desc) {
 +				desc = payload_get_get_ll_hdr(ctx);
 +				if (!desc)
 +					break;
 +			}
 +
 +			desc_upper = &proto_ip6;
 +			if (expr->payload.desc == &proto_icmp)
 +				desc_upper = &proto_ip;
 +
 +			if (payload_add_dependency(ctx, desc, desc_upper,
 +						   expr, &nstmt) < 0)
 +				return NULL;
 +
 +			list_add_tail(&nstmt->list, &ctx->stmt->list);
 +			return desc_upper;
 +		}
  		return &proto_inet_service;
  	default:
  		break;
 --
 2.11.0
	From f21a7a4849b50c30341ec571813bd7fe37040ad3 Mon Sep 17 00:00:00 2001
	From: Florian Westphal <fw@strlen.de>
	Date: Thu, 18 May 2017 13:30:54 +0200
	Subject: [PATCH 4/4] payload: enforce ip/ip6 protocol depending on icmp or
	icmpv6

	After some discussion with Pablo we agreed to treat icmp/icmpv6 specially.

	in the case of a rule like 'tcp dport 22' the inet, bridge and netdev
	families only care about the lower layer protocol.

	In the icmpv6 case however we'd like to also enforce an ipv6 protocol check
	(and ipv4 check in icmp case).

	This extends payload_gen_special_dependency() to consider this.
	With this patch:

	add rule $pf filter input meta l4proto icmpv6
	add rule $pf filter input meta l4proto icmpv6 icmpv6 type echo-request
	add rule $pf filter input icmpv6 type echo-request

	will work in all tables and all families.
	For inet/bridge/netdev, an ipv6 protocol dependency is added; this will
	not match ipv4 packets with ip->protocol == icmpv6, EXCEPT in the case
	of the ip family.

	Its still possible to match icmpv6-in-ipv4 in inet/bridge/netdev with an
	explicit dependency:

	add rule inet f i ip protocol ipv6-icmp meta l4proto ipv6-icmp icmpv6 type ...

	Implicit dependencies won't get removed at the moment, so
	bridge ... icmp type echo-request
	will be shown as
	ether type ip meta l4proto 1 icmp type echo-request

	Signed-off-by: Florian Westphal <fw@strlen.de>
	---
	Upstream-Status: Backport
	Signed-off-by: André Draszik <adraszik@tycoint.com>
	src/payload.c \| 27 +++++++++++++++++++++++----
	1 file changed, 23 insertions(+), 4 deletions(-)

	diff --git a/src/payload.c b/src/payload.c
	index 38db15e..8796ee5 100644
	--- a/src/payload.c
	+++ b/src/payload.c
	@@ -264,10 +264,29 @@ payload_gen_special_dependency(struct eval_ctx ctx, const struct expr expr)
	case PROTO_BASE_LL_HDR:
	return payload_get_get_ll_hdr(ctx);
	case PROTO_BASE_TRANSPORT_HDR:
	- if (expr->payload.desc == &proto_icmp)
	- return &proto_ip;
	- if (expr->payload.desc == &proto_icmp6)
	- return &proto_ip6;
	+ if (expr->payload.desc == &proto_icmp \|\|
	+ expr->payload.desc == &proto_icmp6) {
	+ const struct proto_desc desc, desc_upper;
	+ struct stmt *nstmt;
	+
	+ desc = ctx->pctx.protocol[PROTO_BASE_LL_HDR].desc;
	+ if (!desc) {
	+ desc = payload_get_get_ll_hdr(ctx);
	+ if (!desc)
	+ break;
	+ }
	+
	+ desc_upper = &proto_ip6;
	+ if (expr->payload.desc == &proto_icmp)
	+ desc_upper = &proto_ip;
	+
	+ if (payload_add_dependency(ctx, desc, desc_upper,
	+ expr, &nstmt) < 0)
	+ return NULL;
	+
	+ list_add_tail(&nstmt->list, &ctx->stmt->list);
	+ return desc_upper;
	+ }
	return &proto_inet_service;
	default:
	break;
	--
	2.11.0