[NETFILTER]: Linearize iptables targets.

Adjusts the IPTables targets to handle non-linear packets.
ipt_ULOG untested.

net/ipv4/netfilter/ipt_DSCP.c

@@ -23,37 +23,31 @@ MODULE_LICENSE("GPL");
 
 static unsigned int
 target(struct sk_buff **pskb,
-       unsigned int hooknum,
        const struct net_device *in,
        const struct net_device *out,
+       unsigned int hooknum,
        const void *targinfo,
        void *userinfo)
 {
-	struct iphdr *iph = (*pskb)->nh.iph;
 	const struct ipt_DSCP_info *dinfo = targinfo;
 	u_int8_t sh_dscp = ((dinfo->dscp << IPT_DSCP_SHIFT) & IPT_DSCP_MASK);
 
 
-	if ((iph->tos & IPT_DSCP_MASK) != sh_dscp) {
+	if (((*pskb)->nh.iph->tos & IPT_DSCP_MASK) != sh_dscp) {
 		u_int16_t diffs[2];
 
-		/* raw socket (tcpdump) may have clone of incoming
-		 * skb: don't disturb it --RR */
-		if (skb_cloned(*pskb) && !(*pskb)->sk) {
-			struct sk_buff *nskb = skb_copy(*pskb, GFP_ATOMIC);
-			if (!nskb)
-				return NF_DROP;
-			kfree_skb(*pskb);
-			*pskb = nskb;
-			iph = (*pskb)->nh.iph;
-		}
-
-		diffs[0] = htons(iph->tos) ^ 0xFFFF;
-		iph->tos = (iph->tos & ~IPT_DSCP_MASK) | sh_dscp;
-		diffs[1] = htons(iph->tos);
-		iph->check = csum_fold(csum_partial((char *)diffs,
-		                                    sizeof(diffs),
-		                                    iph->check^0xFFFF));
+		if (!skb_ip_make_writable(pskb, sizeof(struct iphdr)))
+			return NF_DROP;
+
+		diffs[0] = htons((*pskb)->nh.iph->tos) ^ 0xFFFF;
+		(*pskb)->nh.iph->tos = ((*pskb)->nh.iph->tos & ~IPT_DSCP_MASK)
+			| sh_dscp;
+		diffs[1] = htons((*pskb)->nh.iph->tos);
+		(*pskb)->nh.iph->check
+			= csum_fold(csum_partial((char *)diffs,
+						 sizeof(diffs),
+						 (*pskb)->nh.iph->check
+						 ^ 0xFFFF));
 		(*pskb)->nfcache |= NFC_ALTERED;
 	}
 	return IPT_CONTINUE;

net/ipv4/netfilter/ipt_ECN.c

@@ -19,105 +19,85 @@
 MODULE_LICENSE("GPL");
 
 /* set ECT codepoint from IP header.
- * 	return 0 in case there was no ECT codepoint
- * 	return 1 in case ECT codepoint has been overwritten
- * 	return < 0 in case there was error */
+ * 	return 0 if there was an error. */
 static inline int
-set_ect_ip(struct sk_buff **pskb, struct iphdr *iph,
-	   const struct ipt_ECN_info *einfo)
+set_ect_ip(struct sk_buff **pskb, const struct ipt_ECN_info *einfo)
 {
-	if ((iph->tos & IPT_ECN_IP_MASK)
+	if (((*pskb)->nh.iph->tos & IPT_ECN_IP_MASK)
 	    != (einfo->ip_ect & IPT_ECN_IP_MASK)) {
 		u_int16_t diffs[2];
 
-		/* raw socket (tcpdump) may have clone of incoming
-		 * skb: don't disturb it --RR */
-		if (skb_cloned(*pskb) && !(*pskb)->sk) {
-			struct sk_buff *nskb = skb_copy(*pskb, GFP_ATOMIC);
-			if (!nskb)
-				return NF_DROP;
-			kfree_skb(*pskb);
-			*pskb = nskb;
-			iph = (*pskb)->nh.iph;
-		}
-
-		diffs[0] = htons(iph->tos) ^ 0xFFFF;
-		iph->tos = iph->tos & ~IPT_ECN_IP_MASK;
-		iph->tos = iph->tos | (einfo->ip_ect & IPT_ECN_IP_MASK);
-		diffs[1] = htons(iph->tos);
-		iph->check = csum_fold(csum_partial((char *)diffs,
-		                                    sizeof(diffs),
-		                                    iph->check^0xFFFF));
+		if (!skb_ip_make_writable(pskb, sizeof(struct iphdr)))
+			return 0;
+
+		diffs[0] = htons((*pskb)->nh.iph->tos) ^ 0xFFFF;
+		(*pskb)->nh.iph->tos &= ~IPT_ECN_IP_MASK;
+		(*pskb)->nh.iph->tos |= (einfo->ip_ect & IPT_ECN_IP_MASK);
+		diffs[1] = htons((*pskb)->nh.iph->tos);
+		(*pskb)->nh.iph->check
+			= csum_fold(csum_partial((char *)diffs,
+						 sizeof(diffs),
+						 (*pskb)->nh.iph->check
+						 ^0xFFFF));
 		(*pskb)->nfcache |= NFC_ALTERED;
-
-		return 1;
 	} 
-	return 0;
+	return 1;
 }
 
+/* Return 0 if there was an error. */
 static inline int
-set_ect_tcp(struct sk_buff **pskb, struct iphdr *iph,
-	    const struct ipt_ECN_info *einfo)
+set_ect_tcp(struct sk_buff **pskb, const struct ipt_ECN_info *einfo)
 {
-
-	struct tcphdr *tcph = (void *) iph + iph->ihl * 4;
-	u_int16_t *tcpflags = (u_int16_t *)tcph + 6;
+	struct tcphdr tcph;
 	u_int16_t diffs[2];
 
-	/* raw socket (tcpdump) may have clone of incoming
-	 * skb: don't disturb it --RR */
-	if (skb_cloned(*pskb) && !(*pskb)->sk) {
-		struct sk_buff *nskb = skb_copy(*pskb, GFP_ATOMIC);
-		if (!nskb)
-			return NF_DROP;
-		kfree_skb(*pskb);
-		*pskb = nskb;
-		iph = (*pskb)->nh.iph;
-	}
+	/* Not enought header? */
+	if (skb_copy_bits(*pskb, (*pskb)->nh.iph->ihl*4, &tcph, sizeof(tcph))
+	    < 0)
+		return 0;
 
-	diffs[0] = *tcpflags;
+	diffs[0] = ((u_int16_t *)&tcph)[6];
+	if (einfo->operation & IPT_ECN_OP_SET_ECE)
+		tcph.ece = einfo->proto.tcp.ece;
 
-	if (einfo->operation & IPT_ECN_OP_SET_ECE
-	    && tcph->ece != einfo->proto.tcp.ece) {
-		tcph->ece = einfo->proto.tcp.ece;
-	}
+	if (einfo->operation & IPT_ECN_OP_SET_CWR)
+		tcph.cwr = einfo->proto.tcp.cwr;
+	diffs[1] = ((u_int16_t *)&tcph)[6];
 
-	if (einfo->operation & IPT_ECN_OP_SET_CWR
-	    && tcph->cwr != einfo->proto.tcp.cwr) {
-		tcph->cwr = einfo->proto.tcp.cwr;
-	}
-	
-	if (diffs[0] != *tcpflags) {
+	/* Only mangle if it's changed. */
+	if (diffs[0] != diffs[1]) {
 		diffs[0] = diffs[0] ^ 0xFFFF;
-		diffs[1] = *tcpflags;
-		tcph->check = csum_fold(csum_partial((char *)diffs,
+		if (!skb_ip_make_writable(pskb,
+					  (*pskb)->nh.iph->ihl*4+sizeof(tcph)))
+			return 0;
+		tcph.check = csum_fold(csum_partial((char *)diffs,
 		                                    sizeof(diffs),
-		                                    tcph->check^0xFFFF));
+		                                    tcph.check^0xFFFF));
+		memcpy((*pskb)->data + (*pskb)->nh.iph->ihl*4,
+		       &tcph, sizeof(tcph));
 		(*pskb)->nfcache |= NFC_ALTERED;
-
-		return 1;
 	}
-
-	return 0;
+	return 1;
 }
 
 static unsigned int
 target(struct sk_buff **pskb,
-       unsigned int hooknum,
        const struct net_device *in,
        const struct net_device *out,
+       unsigned int hooknum,
        const void *targinfo,
        void *userinfo)
 {
-	struct iphdr *iph = (*pskb)->nh.iph;
 	const struct ipt_ECN_info *einfo = targinfo;
 
 	if (einfo->operation & IPT_ECN_OP_SET_IP)
-		set_ect_ip(pskb, iph, einfo);
+		if (!set_ect_ip(pskb, einfo))
+			return NF_DROP;
 
 	if (einfo->operation & (IPT_ECN_OP_SET_ECE | IPT_ECN_OP_SET_CWR)
-	    && iph->protocol == IPPROTO_TCP)
-		set_ect_tcp(pskb, iph, einfo);
+	    && (*pskb)->nh.iph->protocol == IPPROTO_TCP)
+		if (!set_ect_tcp(pskb, einfo))
+			return NF_DROP;
 
 	return IPT_CONTINUE;
 }

net/ipv4/netfilter/ipt_MARK.c

@@ -9,9 +9,9 @@
 
 static unsigned int
 target(struct sk_buff **pskb,
-       unsigned int hooknum,
        const struct net_device *in,
        const struct net_device *out,
+       unsigned int hooknum,
        const void *targinfo,
        void *userinfo)
 {

net/ipv4/netfilter/ipt_MASQUERADE.c

@@ -57,9 +57,9 @@ masquerade_check(const char *tablename,
 
 static unsigned int
 masquerade_target(struct sk_buff **pskb,
-		  unsigned int hooknum,
 		  const struct net_device *in,
 		  const struct net_device *out,
+		  unsigned int hooknum,
 		  const void *targinfo,
 		  void *userinfo)
 {

net/ipv4/netfilter/ipt_MIRROR.c

@@ -65,18 +65,22 @@ static int route_mirror(struct sk_buff *skb)
 	return 0;
 }
 
-static void
-ip_rewrite(struct sk_buff *skb)
+static int ip_rewrite(struct sk_buff **pskb)
 {
-	struct iphdr *iph = skb->nh.iph;
-	u32 odaddr = iph->saddr;
-	u32 osaddr = iph->daddr;
+	u32 odaddr, osaddr;
 
-	skb->nfcache |= NFC_ALTERED;
+	if (!skb_ip_make_writable(pskb, sizeof(struct iphdr)))
+		return 0;
+
+	odaddr = (*pskb)->nh.iph->saddr;
+	osaddr = (*pskb)->nh.iph->daddr;
+
+	(*pskb)->nfcache |= NFC_ALTERED;
 
 	/* Rewrite IP header */
-	iph->daddr = odaddr;
-	iph->saddr = osaddr;
+	(*pskb)->nh.iph->daddr = odaddr;
+	(*pskb)->nh.iph->saddr = osaddr;
+	return 1;
 }
 
 /* Stolen from ip_finish_output2 */
@@ -100,29 +104,28 @@ static void ip_direct_send(struct sk_buff *skb)
 }
 
 static unsigned int ipt_mirror_target(struct sk_buff **pskb,
-				      unsigned int hooknum,
 				      const struct net_device *in,
 				      const struct net_device *out,
+				      unsigned int hooknum,
 				      const void *targinfo,
 				      void *userinfo)
 {
-	if (((*pskb)->dst != NULL) &&
-	    route_mirror(*pskb)) {
-
-		ip_rewrite(*pskb);
+	if (((*pskb)->dst != NULL) && route_mirror(*pskb)) {
+		if (!ip_rewrite(pskb))
+			return NF_DROP;
 
 		/* If we are not at FORWARD hook (INPUT/PREROUTING),
 		 * the TTL isn't decreased by the IP stack */
 		if (hooknum != NF_IP_FORWARD) {
-			struct iphdr *iph = (*pskb)->nh.iph;
-			if (iph->ttl <= 1) {
+			if ((*pskb)->nh.iph->ttl <= 1) {
 				/* this will traverse normal stack, and 
 				 * thus call conntrack on the icmp packet */
 				icmp_send(*pskb, ICMP_TIME_EXCEEDED, 
 					  ICMP_EXC_TTL, 0);
 				return NF_DROP;
 			}
-			ip_decrease_ttl(iph);
+			/* Made writable by ip_rewrite */
+			ip_decrease_ttl((*pskb)->nh.iph);
 		}
 
 		/* Don't let conntrack code see this packet:

net/ipv4/netfilter/ipt_REDIRECT.c

@@ -53,9 +53,9 @@ redirect_check(const char *tablename,
 
 static unsigned int
 redirect_target(struct sk_buff **pskb,
-		unsigned int hooknum,
 		const struct net_device *in,
 		const struct net_device *out,
+		unsigned int hooknum,
 		const void *targinfo,
 		void *userinfo)
 {

net/ipv4/netfilter/ipt_TCPMSS.c

@@ -36,9 +36,9 @@ optlen(const u_int8_t *opt, unsigned int offset)
 
 static unsigned int
 ipt_tcpmss_target(struct sk_buff **pskb,
-		  unsigned int hooknum,
 		  const struct net_device *in,
 		  const struct net_device *out,
+		  unsigned int hooknum,
 		  const void *targinfo,
 		  void *userinfo)
 {
@@ -49,15 +49,8 @@ ipt_tcpmss_target(struct sk_buff **pskb,
 	unsigned int i;
 	u_int8_t *opt;
 
-	/* raw socket (tcpdump) may have clone of incoming skb: don't
-	   disturb it --RR */
-	if (skb_cloned(*pskb) && !(*pskb)->sk) {
-		struct sk_buff *nskb = skb_copy(*pskb, GFP_ATOMIC);
-		if (!nskb)
-			return NF_DROP;
-		kfree_skb(*pskb);
-		*pskb = nskb;
-	}
+	if (!skb_ip_make_writable(pskb, (*pskb)->len))
+		return NF_DROP;
 
 	iph = (*pskb)->nh.iph;
 	tcplen = (*pskb)->len - iph->ihl*4;

net/ipv4/netfilter/ipt_TOS.c

@@ -9,35 +9,30 @@
 
 static unsigned int
 target(struct sk_buff **pskb,
-       unsigned int hooknum,
        const struct net_device *in,
        const struct net_device *out,
+       unsigned int hooknum,
        const void *targinfo,
        void *userinfo)
 {
-	struct iphdr *iph = (*pskb)->nh.iph;
 	const struct ipt_tos_target_info *tosinfo = targinfo;
 
-	if ((iph->tos & IPTOS_TOS_MASK) != tosinfo->tos) {
+	if (((*pskb)->nh.iph->tos & IPTOS_TOS_MASK) != tosinfo->tos) {
 		u_int16_t diffs[2];
 
-		/* raw socket (tcpdump) may have clone of incoming
-                   skb: don't disturb it --RR */
-		if (skb_cloned(*pskb) && !(*pskb)->sk) {
-			struct sk_buff *nskb = skb_copy(*pskb, GFP_ATOMIC);
-			if (!nskb)
-				return NF_DROP;
-			kfree_skb(*pskb);
-			*pskb = nskb;
-			iph = (*pskb)->nh.iph;
-		}
+		if (!skb_ip_make_writable(pskb, sizeof(struct iphdr)))
+			return NF_DROP;
 
-		diffs[0] = htons(iph->tos) ^ 0xFFFF;
-		iph->tos = (iph->tos & IPTOS_PREC_MASK) | tosinfo->tos;
-		diffs[1] = htons(iph->tos);
-		iph->check = csum_fold(csum_partial((char *)diffs,
-		                                    sizeof(diffs),
-		                                    iph->check^0xFFFF));
+		diffs[0] = htons((*pskb)->nh.iph->tos) ^ 0xFFFF;
+		(*pskb)->nh.iph->tos
+			= ((*pskb)->nh.iph->tos & IPTOS_PREC_MASK)
+			| tosinfo->tos;
+		diffs[1] = htons((*pskb)->nh.iph->tos);
+		(*pskb)->nh.iph->check
+			= csum_fold(csum_partial((char *)diffs,
+						 sizeof(diffs),
+						 (*pskb)->nh.iph->check
+						 ^0xFFFF));
 		(*pskb)->nfcache |= NFC_ALTERED;
 	}
 	return IPT_CONTINUE;

net/ipv4/netfilter/ipt_ULOG.c

@@ -155,9 +155,9 @@ struct sk_buff *ulog_alloc_skb(unsigned int size)
 }
 
 static unsigned int ipt_ulog_target(struct sk_buff **pskb,
-				    unsigned int hooknum,
 				    const struct net_device *in,
 				    const struct net_device *out,
+				    unsigned int hooknum,
 				    const void *targinfo, void *userinfo)
 {
 	ulog_buff_t *ub;
@@ -238,8 +238,9 @@ static unsigned int ipt_ulog_target(struct sk_buff **pskb,
 	else
 		pm->outdev_name[0] = '\0';
 
-	if (copy_len)
-		memcpy(pm->payload, (*pskb)->data, copy_len);
+	/* copy_len <= (*pskb)->len, so can't fail. */
+	if (skb_copy_bits(*pskb, 0, pm->payload, copy_len) < 0)
+		BUG();
 	
 	/* check if we are building multi-part messages */
 	if (ub->qlen > 1) {