cachepc-linux

Fork of AMDESE/linux with modifications for CachePC side-channel attack
git clone https://git.sinitax.com/sinitax/cachepc-linux
Log | Files | Refs | README | LICENSE | sfeed.txt

nft_reject_inet.c (2954B)

      1// SPDX-License-Identifier: GPL-2.0-only
      2/*
      3 * Copyright (c) 2014 Patrick McHardy <kaber@trash.net>
      4 */
      5
      6#include <linux/kernel.h>
      7#include <linux/init.h>
      8#include <linux/module.h>
      9#include <linux/netlink.h>
     10#include <linux/netfilter.h>
     11#include <linux/netfilter/nf_tables.h>
     12#include <net/netfilter/nf_tables.h>
     13#include <net/netfilter/nft_reject.h>
     14#include <net/netfilter/ipv4/nf_reject.h>
     15#include <net/netfilter/ipv6/nf_reject.h>
     16
     17static void nft_reject_inet_eval(const struct nft_expr *expr,
     18				 struct nft_regs *regs,
     19				 const struct nft_pktinfo *pkt)
     20{
     21	struct nft_reject *priv = nft_expr_priv(expr);
     22
     23	switch (nft_pf(pkt)) {
     24	case NFPROTO_IPV4:
     25		switch (priv->type) {
     26		case NFT_REJECT_ICMP_UNREACH:
     27			nf_send_unreach(pkt->skb, priv->icmp_code,
     28					nft_hook(pkt));
     29			break;
     30		case NFT_REJECT_TCP_RST:
     31			nf_send_reset(nft_net(pkt), nft_sk(pkt),
     32				      pkt->skb, nft_hook(pkt));
     33			break;
     34		case NFT_REJECT_ICMPX_UNREACH:
     35			nf_send_unreach(pkt->skb,
     36					nft_reject_icmp_code(priv->icmp_code),
     37					nft_hook(pkt));
     38			break;
     39		}
     40		break;
     41	case NFPROTO_IPV6:
     42		switch (priv->type) {
     43		case NFT_REJECT_ICMP_UNREACH:
     44			nf_send_unreach6(nft_net(pkt), pkt->skb,
     45					 priv->icmp_code, nft_hook(pkt));
     46			break;
     47		case NFT_REJECT_TCP_RST:
     48			nf_send_reset6(nft_net(pkt), nft_sk(pkt),
     49				       pkt->skb, nft_hook(pkt));
     50			break;
     51		case NFT_REJECT_ICMPX_UNREACH:
     52			nf_send_unreach6(nft_net(pkt), pkt->skb,
     53					 nft_reject_icmpv6_code(priv->icmp_code),
     54					 nft_hook(pkt));
     55			break;
     56		}
     57		break;
     58	}
     59
     60	regs->verdict.code = NF_DROP;
     61}
     62
     63static int nft_reject_inet_validate(const struct nft_ctx *ctx,
     64				    const struct nft_expr *expr,
     65				    const struct nft_data **data)
     66{
     67	return nft_chain_validate_hooks(ctx->chain,
     68					(1 << NF_INET_LOCAL_IN) |
     69					(1 << NF_INET_FORWARD) |
     70					(1 << NF_INET_LOCAL_OUT) |
     71					(1 << NF_INET_PRE_ROUTING) |
     72					(1 << NF_INET_INGRESS));
     73}
     74
     75static struct nft_expr_type nft_reject_inet_type;
     76static const struct nft_expr_ops nft_reject_inet_ops = {
     77	.type		= &nft_reject_inet_type,
     78	.size		= NFT_EXPR_SIZE(sizeof(struct nft_reject)),
     79	.eval		= nft_reject_inet_eval,
     80	.init		= nft_reject_init,
     81	.dump		= nft_reject_dump,
     82	.validate	= nft_reject_inet_validate,
     83	.reduce		= NFT_REDUCE_READONLY,
     84};
     85
     86static struct nft_expr_type nft_reject_inet_type __read_mostly = {
     87	.family		= NFPROTO_INET,
     88	.name		= "reject",
     89	.ops		= &nft_reject_inet_ops,
     90	.policy		= nft_reject_policy,
     91	.maxattr	= NFTA_REJECT_MAX,
     92	.owner		= THIS_MODULE,
     93};
     94
     95static int __init nft_reject_inet_module_init(void)
     96{
     97	return nft_register_expr(&nft_reject_inet_type);
     98}
     99
    100static void __exit nft_reject_inet_module_exit(void)
    101{
    102	nft_unregister_expr(&nft_reject_inet_type);
    103}
    104
    105module_init(nft_reject_inet_module_init);
    106module_exit(nft_reject_inet_module_exit);
    107
    108MODULE_LICENSE("GPL");
    109MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
    110MODULE_ALIAS_NFT_AF_EXPR(1, "reject");
    111MODULE_DESCRIPTION("Netfilter nftables reject inet support");