
netfilter: xt_esp: add support for ESP match in NAT Traversal

Message ID tencent_DDE91CB7412D427A442DB4362364DC04F20A@qq.com (mailing list archive)
State Awaiting Upstream
Delegated to: Netdev Maintainers

Checks

Context Check Description
netdev/tree_selection success Guessed tree name to be net-next
netdev/fixes_present success Fixes tag not required for -next series
netdev/subject_prefix warning Target tree name not specified in the subject
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 0 this patch: 0
netdev/cc_maintainers success CCed 10 of 10 maintainers
netdev/build_clang success Errors and warnings before: 0 this patch: 0
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 0 this patch: 0
netdev/checkpatch warning WARNING: line length of 82 exceeds 80 columns WARNING: line length of 87 exceeds 80 columns WARNING: line length of 89 exceeds 80 columns
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Wei Han June 23, 2022, 12:42 p.m. UTC
When ESP packets traverse Network Address Translators they are encapsulated in
(and later decapsulated from) UDP datagrams, so the match needs to read the ESP
header from inside the UDP payload rather than directly at the transport offset.

Signed-off-by: Wei Han <lailitty@foxmail.com>
---
 net/netfilter/xt_esp.c | 54 +++++++++++++++++++++++++++++++++++-------
 1 file changed, 45 insertions(+), 9 deletions(-)

Comments

Pablo Neira Ayuso June 23, 2022, 7:36 p.m. UTC | #1
On Thu, Jun 23, 2022 at 08:42:48PM +0800, Wei Han wrote:
> when the ESP packets traversing Network Address Translators,
> which are encapsulated and decapsulated inside UDP packets,
> so we need to get ESP data in UDP.
> 
> Signed-off-by: Wei Han <lailitty@foxmail.com>
> ---
>  net/netfilter/xt_esp.c | 54 +++++++++++++++++++++++++++++++++++-------
>  1 file changed, 45 insertions(+), 9 deletions(-)
> 
> diff --git a/net/netfilter/xt_esp.c b/net/netfilter/xt_esp.c
> index 2a1c0ad0ff07..c3feb79a830a 100644
> --- a/net/netfilter/xt_esp.c
> +++ b/net/netfilter/xt_esp.c
> @@ -8,12 +8,14 @@
>  #include <linux/skbuff.h>
>  #include <linux/in.h>
>  #include <linux/ip.h>
> +#include <linux/ipv6.h>
>  
>  #include <linux/netfilter/xt_esp.h>
>  #include <linux/netfilter/x_tables.h>
>  
>  #include <linux/netfilter_ipv4/ip_tables.h>
>  #include <linux/netfilter_ipv6/ip6_tables.h>
> +#include <net/ip.h>
>  
>  MODULE_LICENSE("GPL");
>  MODULE_AUTHOR("Yon Uriarte <yon@astaro.de>");
> @@ -39,17 +41,53 @@ static bool esp_mt(const struct sk_buff *skb, struct xt_action_param *par)
>  	struct ip_esp_hdr _esp;
>  	const struct xt_esp *espinfo = par->matchinfo;
>  
> +	const struct iphdr *iph = NULL;
> +	const struct ipv6hdr *ip6h = NULL;
> +	const struct udphdr *udph = NULL;
> +	struct udphdr _udph;
> +	int proto = -1;
> +
>  	/* Must not be a fragment. */
>  	if (par->fragoff != 0)
>  		return false;
>  
> -	eh = skb_header_pointer(skb, par->thoff, sizeof(_esp), &_esp);
> -	if (eh == NULL) {
> -		/* We've been asked to examine this packet, and we
> -		 * can't.  Hence, no choice but to drop.
> -		 */
> -		pr_debug("Dropping evil ESP tinygram.\n");
> -		par->hotdrop = true;
> +	if (xt_family(par) == NFPROTO_IPV6) {
> +		ip6h = ipv6_hdr(skb);
> +		if (!ip6h)
> +			return false;
> +		proto = ip6h->nexthdr;
> +	} else {
> +		iph = ip_hdr(skb);
> +		if (!iph)
> +			return false;
> +		proto = iph->protocol;
> +	}
> +
> +	if (proto == IPPROTO_UDP) {
> +		//for NAT-T
> +		udph = skb_header_pointer(skb, par->thoff, sizeof(_udph), &_udph);
> +		if (udph && (udph->source == htons(4500) || udph->dest == htons(4500))) {
> +			/* Not deal with above data it don't conflict with SPI
> +			 * 1.IKE Header Format for Port 4500(Non-ESP Marker 0x00000000)
> +			 * 2.NAT-Keepalive Packet Format(0xFF)
> +			 */
> +			eh = (struct ip_esp_hdr *)((char *)udph + sizeof(struct udphdr));

this is not safe, skbuff might not be linear.

> +		} else {
> +			return false;
> +		}
> +	} else if (proto == IPPROTO_ESP) {
> +		//not NAT-T
> +		eh = skb_header_pointer(skb, par->thoff, sizeof(_esp), &_esp);
> +		if (!eh) {
> +			/* We've been asked to examine this packet, and we
> +			 * can't.  Hence, no choice but to drop.
> +			 */
> +			pr_debug("Dropping evil ESP tinygram.\n");
> +			par->hotdrop = true;
> +			return false;
> +		}

This is loose, the user does not have a way to restrict to either
ESP over UDP or native ESP. I don't think this is going to look nice
from iptables syntax perspective to restrict either one or another
mode.

> +	} else {
> +		//not esp data
>  		return false;
>  	}
>  
> @@ -76,7 +114,6 @@ static struct xt_match esp_mt_reg[] __read_mostly = {
>  		.checkentry	= esp_mt_check,
>  		.match		= esp_mt,
>  		.matchsize	= sizeof(struct xt_esp),
> -		.proto		= IPPROTO_ESP,
>  		.me		= THIS_MODULE,
>  	},
>  	{
> @@ -85,7 +122,6 @@ static struct xt_match esp_mt_reg[] __read_mostly = {
>  		.checkentry	= esp_mt_check,
>  		.match		= esp_mt,
>  		.matchsize	= sizeof(struct xt_esp),
> -		.proto		= IPPROTO_ESP,
>  		.me		= THIS_MODULE,
>  	},
>  };
> -- 
> 2.17.1
>
Wei Han June 24, 2022, 12:05 p.m. UTC | #2
Thank you for your reply, please see my answer below.

On Thu, Jun 23, 2022 at 09:36:41PM +0200, Pablo Neira Ayuso wrote:
> On Thu, Jun 23, 2022 at 08:42:48PM +0800, Wei Han wrote:
> > when the ESP packets traversing Network Address Translators,
> > which are encapsulated and decapsulated inside UDP packets,
> > so we need to get ESP data in UDP.
> > 
> > Signed-off-by: Wei Han <lailitty@foxmail.com>
> > ---
> >  net/netfilter/xt_esp.c | 54 +++++++++++++++++++++++++++++++++++-------
> >  1 file changed, 45 insertions(+), 9 deletions(-)
> > 
> > diff --git a/net/netfilter/xt_esp.c b/net/netfilter/xt_esp.c
> > index 2a1c0ad0ff07..c3feb79a830a 100644
> > --- a/net/netfilter/xt_esp.c
> > +++ b/net/netfilter/xt_esp.c
> > @@ -8,12 +8,14 @@
> >  #include <linux/skbuff.h>
> >  #include <linux/in.h>
> >  #include <linux/ip.h>
> > +#include <linux/ipv6.h>
> >  
> >  #include <linux/netfilter/xt_esp.h>
> >  #include <linux/netfilter/x_tables.h>
> >  
> >  #include <linux/netfilter_ipv4/ip_tables.h>
> >  #include <linux/netfilter_ipv6/ip6_tables.h>
> > +#include <net/ip.h>
> >  
> >  MODULE_LICENSE("GPL");
> >  MODULE_AUTHOR("Yon Uriarte <yon@astaro.de>");
> > @@ -39,17 +41,53 @@ static bool esp_mt(const struct sk_buff *skb, struct xt_action_param *par)
> >  	struct ip_esp_hdr _esp;
> >  	const struct xt_esp *espinfo = par->matchinfo;
> >  
> > +	const struct iphdr *iph = NULL;
> > +	const struct ipv6hdr *ip6h = NULL;
> > +	const struct udphdr *udph = NULL;
> > +	struct udphdr _udph;
> > +	int proto = -1;
> > +
> >  	/* Must not be a fragment. */
> >  	if (par->fragoff != 0)
> >  		return false;
> >  
> > -	eh = skb_header_pointer(skb, par->thoff, sizeof(_esp), &_esp);
> > -	if (eh == NULL) {
> > -		/* We've been asked to examine this packet, and we
> > -		 * can't.  Hence, no choice but to drop.
> > -		 */
> > -		pr_debug("Dropping evil ESP tinygram.\n");
> > -		par->hotdrop = true;
> > +	if (xt_family(par) == NFPROTO_IPV6) {
> > +		ip6h = ipv6_hdr(skb);
> > +		if (!ip6h)
> > +			return false;
> > +		proto = ip6h->nexthdr;
> > +	} else {
> > +		iph = ip_hdr(skb);
> > +		if (!iph)
> > +			return false;
> > +		proto = iph->protocol;
> > +	}
> > +
> > +	if (proto == IPPROTO_UDP) {
> > +		//for NAT-T
> > +		udph = skb_header_pointer(skb, par->thoff, sizeof(_udph), &_udph);
> > +		if (udph && (udph->source == htons(4500) || udph->dest == htons(4500))) {
> > +			/* Not deal with above data it don't conflict with SPI
> > +			 * 1.IKE Header Format for Port 4500(Non-ESP Marker 0x00000000)
> > +			 * 2.NAT-Keepalive Packet Format(0xFF)
> > +			 */
> > +			eh = (struct ip_esp_hdr *)((char *)udph + sizeof(struct udphdr));
> 
> this is not safe, skbuff might not be linear.
>
  Will be modified to "eh = skb_header_pointer(skb, par->thoff + sizeof(struct udphdr), sizeof(_esp), &_esp);"
> > +		} else {
> > +			return false;
> > +		}
> > +	} else if (proto == IPPROTO_ESP) {
> > +		//not NAT-T
> > +		eh = skb_header_pointer(skb, par->thoff, sizeof(_esp), &_esp);
> > +		if (!eh) {
> > +			/* We've been asked to examine this packet, and we
> > +			 * can't.  Hence, no choice but to drop.
> > +			 */
> > +			pr_debug("Dropping evil ESP tinygram.\n");
> > +			par->hotdrop = true;
> > +			return false;
> > +		}
> 
> This is loose, the user does not have a way to restrict to either
> ESP over UDP or native ESP. I don't think this is going to look nice
> from iptables syntax perspective to restrict either one or another
> mode.
>
  The original purpose of this match is to check the ESP packet's SPI value, so I
  think the user may not need to care whether the packet is ESP over UDP or
  native ESP: the match just extracts the SPI and checks it. This patch only
  wants to add support for extracting the SPI from ESP over UDP. The iptables rule would look like:
  "iptables -A INPUT -m esp --espspi 0x12345678 -j ACCEPT"
> > +	} else {
> > +		//not esp data
> >  		return false;
> >  	}
> >  
> > @@ -76,7 +114,6 @@ static struct xt_match esp_mt_reg[] __read_mostly = {
> >  		.checkentry	= esp_mt_check,
> >  		.match		= esp_mt,
> >  		.matchsize	= sizeof(struct xt_esp),
> > -		.proto		= IPPROTO_ESP,
> >  		.me		= THIS_MODULE,
> >  	},
> >  	{
> > @@ -85,7 +122,6 @@ static struct xt_match esp_mt_reg[] __read_mostly = {
> >  		.checkentry	= esp_mt_check,
> >  		.match		= esp_mt,
> >  		.matchsize	= sizeof(struct xt_esp),
> > -		.proto		= IPPROTO_ESP,
> >  		.me		= THIS_MODULE,
> >  	},
> >  };
> > -- 
> > 2.17.1
> >
Pablo Neira Ayuso June 27, 2022, 5:22 p.m. UTC | #3
On Fri, Jun 24, 2022 at 08:05:30PM +0800, Wei Han wrote:
> On Thu, Jun 23, 2022 at 09:36:41PM +0200, Pablo Neira Ayuso wrote:
[...]
> > > +		} else {
> > > +			return false;
> > > +		}
> > > +	} else if (proto == IPPROTO_ESP) {
> > > +		//not NAT-T
> > > +		eh = skb_header_pointer(skb, par->thoff, sizeof(_esp), &_esp);
> > > +		if (!eh) {
> > > +			/* We've been asked to examine this packet, and we
> > > +			 * can't.  Hence, no choice but to drop.
> > > +			 */
> > > +			pr_debug("Dropping evil ESP tinygram.\n");
> > > +			par->hotdrop = true;
> > > +			return false;
> > > +		}
> > 
> > This is loose, the user does not have a way to restrict to either
> > ESP over UDP or native ESP. I don't think this is going to look nice
> > from iptables syntax perspective to restrict either one or another
> > mode.
> >
>   This match original purpose is check the ESP packet's SPI value, so I
>   think the user maybe not need to pay attention that the packet is 
>   ESP over UDP or native ESP just get SPI and check it, this patch is 
>   only want to add support for get SPI in ESP over UDP.And the iptables rules like:
>   "iptables -A INPUT -m esp --espspi 0x12345678 -j ACCEPT"

This rule would be now allowing UDP traffic to go through, even if the
user does not need it. An explicit policy entry to allow NAT-T would
be preferred.

There is another issue, although I suppose there is a standard UDP
port for this, user might decide to select a different one, in that
case, this would break. And I don't see an easy way to allow user to
select the UDP port in the iptables case.

Patch

diff --git a/net/netfilter/xt_esp.c b/net/netfilter/xt_esp.c
index 2a1c0ad0ff07..c3feb79a830a 100644
--- a/net/netfilter/xt_esp.c
+++ b/net/netfilter/xt_esp.c
@@ -8,12 +8,14 @@ 
 #include <linux/skbuff.h>
 #include <linux/in.h>
 #include <linux/ip.h>
+#include <linux/ipv6.h>
 
 #include <linux/netfilter/xt_esp.h>
 #include <linux/netfilter/x_tables.h>
 
 #include <linux/netfilter_ipv4/ip_tables.h>
 #include <linux/netfilter_ipv6/ip6_tables.h>
+#include <net/ip.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Yon Uriarte <yon@astaro.de>");
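Review bot: The new code dereferences `struct udphdr` fields (`udph->source`, `udph->dest`) but this hunk adds `<net/ip.h>` rather than `<linux/udp.h>`; the build checks pass, so the definition is evidently reached transitively, but include-what-you-use would be `#include <linux/udp.h>`. `<net/ip.h>` itself looks unneeded here, since `ip_hdr()` comes from `<linux/ip.h>`, which the file already includes, and `ipv6_hdr()` from the added `<linux/ipv6.h>`. The include block is complete within the hunk.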
@@ -39,17 +41,53 @@  static bool esp_mt(const struct sk_buff *skb, struct xt_action_param *par)
 	struct ip_esp_hdr _esp;
 	const struct xt_esp *espinfo = par->matchinfo;
 
+	const struct iphdr *iph = NULL;
+	const struct ipv6hdr *ip6h = NULL;
+	const struct udphdr *udph = NULL;
+	struct udphdr _udph;
+	int proto = -1;
+
 	/* Must not be a fragment. */
 	if (par->fragoff != 0)
 		return false;
 
-	eh = skb_header_pointer(skb, par->thoff, sizeof(_esp), &_esp);
-	if (eh == NULL) {
-		/* We've been asked to examine this packet, and we
-		 * can't.  Hence, no choice but to drop.
-		 */
-		pr_debug("Dropping evil ESP tinygram.\n");
-		par->hotdrop = true;
+	if (xt_family(par) == NFPROTO_IPV6) {
+		ip6h = ipv6_hdr(skb);
+		if (!ip6h)
+			return false;
+		proto = ip6h->nexthdr;
+	} else {
+		iph = ip_hdr(skb);
+		if (!iph)
+			return false;
+		proto = iph->protocol;
+	}
+
+	if (proto == IPPROTO_UDP) {
+		//for NAT-T
+		udph = skb_header_pointer(skb, par->thoff, sizeof(_udph), &_udph);
+		if (udph && (udph->source == htons(4500) || udph->dest == htons(4500))) {
+			/* Not deal with above data it don't conflict with SPI
+			 * 1.IKE Header Format for Port 4500(Non-ESP Marker 0x00000000)
+			 * 2.NAT-Keepalive Packet Format(0xFF)
+			 */
+			eh = (struct ip_esp_hdr *)((char *)udph + sizeof(struct udphdr));
+		} else {
+			return false;
+		}
+	} else if (proto == IPPROTO_ESP) {
+		//not NAT-T
+		eh = skb_header_pointer(skb, par->thoff, sizeof(_esp), &_esp);
+		if (!eh) {
+			/* We've been asked to examine this packet, and we
+			 * can't.  Hence, no choice but to drop.
+			 */
+			pr_debug("Dropping evil ESP tinygram.\n");
+			par->hotdrop = true;
+			return false;
+		}
+	} else {
+		//not esp data
 		return false;
 	}
 
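Review bot: The UDP branch at `eh = (struct ip_esp_hdr *)((char *)udph + sizeof(struct udphdr));` never verifies that a full ESP header is present, yet `eh->spi` is read after the hunk, so a one-byte NAT-keepalive (0xFF) or any truncated UDP/4500 datagram is matched against bytes beyond the payload; even with the skb_header_pointer() variant proposed in the thread, the NULL it returns for a short datagram must be handled, and because short or marker-prefixed traffic on 4500 is legitimate it should return false rather than hotdrop the way the native branch does. The comment says the IKE Non-ESP marker cannot conflict with an SPI, which holds only because SPI 0 is reserved, so check `eh->spi == 0` explicitly instead of relying on nobody writing `--espspi 0`. `ip6h->nexthdr` is the first next-header, not the transport protocol: with any IPv6 extension header present `proto` becomes e.g. IPPROTO_HOPOPTS and native ESP silently stops matching even though par->thoff already points past the extension headers, so derive the protocol with something like `ipv6_find_hdr(skb, &off, -1, NULL, NULL)` (which other xt matches use for this, as far as I recall), and the `if (!iph)` / `if (!ip6h)` tests are dead since ip_hdr()/ipv6_hdr() are offsets into skb->head and do not return NULL. Kernel style also prefers `/* */` over the `//` comments added here. esp_mt continues past the hunk (the SPI comparison and return), and one context line of this hunk appears to be lost in the rendering, so the sketch below is against the visible lines only.
```c
	if (proto == IPPROTO_UDP) {
		/* NAT-T: ESP carried inside UDP on port 4500 */
		udph = skb_header_pointer(skb, par->thoff, sizeof(_udph), &_udph);
		if (!udph || (udph->source != htons(4500) && udph->dest != htons(4500)))
			return false;
		/* IKE on 4500 starts with a zero Non-ESP marker and a NAT-keepalive
		 * is a single 0xFF byte; neither carries an SPI, so a short or
		 * zero-SPI payload is simply "not ESP", not a tinygram to hotdrop.
		 */
		eh = skb_header_pointer(skb, par->thoff + sizeof(_udph), sizeof(_esp), &_esp);
		if (!eh || eh->spi == 0)
			return false;
	} else if (proto == IPPROTO_ESP) {
		/* … unchanged: native ESP header lookup and hotdrop on short packet … */
```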
@@ -76,7 +114,6 @@  static struct xt_match esp_mt_reg[] __read_mostly = {
 		.checkentry	= esp_mt_check,
 		.match		= esp_mt,
 		.matchsize	= sizeof(struct xt_esp),
-		.proto		= IPPROTO_ESP,
 		.me		= THIS_MODULE,
 	},
 	{
@@ -85,7 +122,6 @@  static struct xt_match esp_mt_reg[] __read_mostly = {
 		.checkentry	= esp_mt_check,
 		.match		= esp_mt,
 		.matchsize	= sizeof(struct xt_esp),
-		.proto		= IPPROTO_ESP,
 		.me		= THIS_MODULE,
 	},
 };