nf_dup_netdev.c - cachepc-linux - Fork of AMDESE/linux with modifications for CachePC side-channel attack

	cachepc-linux Fork of AMDESE/linux with modifications for CachePC side-channel attack
	git clone https://git.sinitax.com/sinitax/cachepc-linux
	Log \| Files \| Refs \| README \| LICENSE \| sfeed.txt
nf_dup_netdev.c (2266B)
      1// SPDX-License-Identifier: GPL-2.0-only
      2/*
      3 * Copyright (c) 2015 Pablo Neira Ayuso <pablo@netfilter.org>
      4 */
      5
      6#include <linux/kernel.h>
      7#include <linux/init.h>
      8#include <linux/module.h>
      9#include <linux/netlink.h>
     10#include <linux/netfilter.h>
     11#include <linux/netfilter/nf_tables.h>
     12#include <net/netfilter/nf_tables.h>
     13#include <net/netfilter/nf_tables_offload.h>
     14#include <net/netfilter/nf_dup_netdev.h>
     15
     16#define NF_RECURSION_LIMIT	2
     17
     18static DEFINE_PER_CPU(u8, nf_dup_skb_recursion);
     19
     20static void nf_do_netdev_egress(struct sk_buff *skb, struct net_device *dev,
     21				enum nf_dev_hooks hook)
     22{
     23	if (__this_cpu_read(nf_dup_skb_recursion) > NF_RECURSION_LIMIT)
     24		goto err;
     25
     26	if (hook == NF_NETDEV_INGRESS && skb_mac_header_was_set(skb)) {
     27		if (skb_cow_head(skb, skb->mac_len))
     28			goto err;
     29
     30		skb_push(skb, skb->mac_len);
     31	}
     32
     33	skb->dev = dev;
     34	skb_clear_tstamp(skb);
     35	__this_cpu_inc(nf_dup_skb_recursion);
     36	dev_queue_xmit(skb);
     37	__this_cpu_dec(nf_dup_skb_recursion);
     38	return;
     39err:
     40	kfree_skb(skb);
     41}
     42
     43void nf_fwd_netdev_egress(const struct nft_pktinfo *pkt, int oif)
     44{
     45	struct net_device *dev;
     46
     47	dev = dev_get_by_index_rcu(nft_net(pkt), oif);
     48	if (!dev) {
     49		kfree_skb(pkt->skb);
     50		return;
     51	}
     52
     53	nf_do_netdev_egress(pkt->skb, dev, nft_hook(pkt));
     54}
     55EXPORT_SYMBOL_GPL(nf_fwd_netdev_egress);
     56
     57void nf_dup_netdev_egress(const struct nft_pktinfo *pkt, int oif)
     58{
     59	struct net_device *dev;
     60	struct sk_buff *skb;
     61
     62	dev = dev_get_by_index_rcu(nft_net(pkt), oif);
     63	if (dev == NULL)
     64		return;
     65
     66	skb = skb_clone(pkt->skb, GFP_ATOMIC);
     67	if (skb)
     68		nf_do_netdev_egress(skb, dev, nft_hook(pkt));
     69}
     70EXPORT_SYMBOL_GPL(nf_dup_netdev_egress);
     71
     72int nft_fwd_dup_netdev_offload(struct nft_offload_ctx *ctx,
     73			       struct nft_flow_rule *flow,
     74			       enum flow_action_id id, int oif)
     75{
     76	struct flow_action_entry *entry;
     77	struct net_device *dev;
     78
     79	/* nft_flow_rule_destroy() releases the reference on this device. */
     80	dev = dev_get_by_index(ctx->net, oif);
     81	if (!dev)
     82		return -EOPNOTSUPP;
     83
     84	entry = &flow->rule->action.entries[ctx->num_actions++];
     85	entry->id = id;
     86	entry->dev = dev;
     87
     88	return 0;
     89}
     90EXPORT_SYMBOL_GPL(nft_fwd_dup_netdev_offload);
     91
     92MODULE_LICENSE("GPL");
     93MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
     94MODULE_DESCRIPTION("Netfilter packet duplication support");