Merge branch 'inet_diag-TCP-MD5'
Ivan Delalande says:
====================
inet_diag: report TCP MD5 signing keys and addresses
Allow userspace to retrieve MD5 signature keys and addresses configured
on TCP sockets through inet_diag.
Thanks to Eric Dumazet and Stephen Hemminger for their useful
explanations and feedback.
v5: - memset the whole netlink payload after it has been nla_reserve-d
in tcp_diag_put_md5sig (a third memset had to be added for
tcpm_key so we might as well have just one for entire region).
- move the nla_total_size call from inet_sk_attr_size to the
idiag_get_aux_size defined by protocols as they could add multiple
netlink attributes,
- add check for net_admin in tcp_diag_get_aux_size.
v4: - add new struct tcp_diag_md5sig to report the data instead of
tcp_md5sig to avoid wasting 112 bytes on every tcpm_addr,
- memset tcpm_addr on IPv4 addresses to avoid leaks,
- style fix in inet_diag_dump_one_icsk.
v3: - rename inet_diag_*md5sig in tcp_diag.c to tcp_diag_* for
consistency,
- don't lock the socket in tcp_diag_put_md5sig,
- add checks on md5sig_count in tcp_diag_put_md5sig to not create
the netlink attribute if the list is empty, and to avoid overflows
or memory leaks if the list has changed in the meantime.
v2: - move changes to tcp_diag.c and extend inet_diag_handler to allow
protocols to provide additional data on INET_DIAG_INFO,
- lock socket before calling tcp_diag_put_md5sig.
I also have a patch for iproute2/ss to test this change, making it print
this new attribute. I'm planning to polish and send it if this series
gets applied.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
David S. Miller
commit
d49e3a9f5e
|
|
@ -25,6 +25,13 @@ struct inet_diag_handler {
|
|||
struct inet_diag_msg *r,
|
||||
void *info);
|
||||
|
||||
int (*idiag_get_aux)(struct sock *sk,
|
||||
bool net_admin,
|
||||
struct sk_buff *skb);
|
||||
|
||||
size_t (*idiag_get_aux_size)(struct sock *sk,
|
||||
bool net_admin);
|
||||
|
||||
int (*destroy)(struct sk_buff *in_skb,
|
||||
const struct inet_diag_req_v2 *req);
|
||||
|
||||
|
|
|
|||
|
|
@ -143,6 +143,7 @@ enum {
|
|||
INET_DIAG_MARK,
|
||||
INET_DIAG_BBRINFO,
|
||||
INET_DIAG_CLASS_ID,
|
||||
INET_DIAG_MD5SIG,
|
||||
__INET_DIAG_MAX,
|
||||
};
|
||||
|
||||
|
|
|
|||
|
|
@ -256,4 +256,13 @@ struct tcp_md5sig {
|
|||
__u8 tcpm_key[TCP_MD5SIG_MAXKEYLEN]; /* key (binary) */
|
||||
};
|
||||
|
||||
/* INET_DIAG_MD5SIG */
|
||||
struct tcp_diag_md5sig {
|
||||
__u8 tcpm_family;
|
||||
__u8 tcpm_prefixlen;
|
||||
__u16 tcpm_keylen;
|
||||
__be32 tcpm_addr[4];
|
||||
__u8 tcpm_key[TCP_MD5SIG_MAXKEYLEN];
|
||||
};
|
||||
|
||||
#endif /* _UAPI_LINUX_TCP_H */
|
||||
|
|
|
|||
|
|
@ -93,8 +93,17 @@ void inet_diag_msg_common_fill(struct inet_diag_msg *r, struct sock *sk)
|
|||
}
|
||||
EXPORT_SYMBOL_GPL(inet_diag_msg_common_fill);
|
||||
|
||||
static size_t inet_sk_attr_size(void)
|
||||
static size_t inet_sk_attr_size(struct sock *sk,
|
||||
const struct inet_diag_req_v2 *req,
|
||||
bool net_admin)
|
||||
{
|
||||
const struct inet_diag_handler *handler;
|
||||
size_t aux = 0;
|
||||
|
||||
handler = inet_diag_table[req->sdiag_protocol];
|
||||
if (handler && handler->idiag_get_aux_size)
|
||||
aux = handler->idiag_get_aux_size(sk, net_admin);
|
||||
|
||||
return nla_total_size(sizeof(struct tcp_info))
|
||||
+ nla_total_size(1) /* INET_DIAG_SHUTDOWN */
|
||||
+ nla_total_size(1) /* INET_DIAG_TOS */
|
||||
|
|
@ -105,6 +114,7 @@ static size_t inet_sk_attr_size(void)
|
|||
+ nla_total_size(SK_MEMINFO_VARS * sizeof(u32))
|
||||
+ nla_total_size(TCP_CA_NAME_MAX)
|
||||
+ nla_total_size(sizeof(struct tcpvegas_info))
|
||||
+ aux
|
||||
+ 64;
|
||||
}
|
||||
|
||||
|
|
@ -260,6 +270,10 @@ int inet_sk_diag_fill(struct sock *sk, struct inet_connection_sock *icsk,
|
|||
|
||||
handler->idiag_get_info(sk, r, info);
|
||||
|
||||
if (ext & (1 << (INET_DIAG_INFO - 1)) && handler->idiag_get_aux)
|
||||
if (handler->idiag_get_aux(sk, net_admin, skb) < 0)
|
||||
goto errout;
|
||||
|
||||
if (sk->sk_state < TCP_TIME_WAIT) {
|
||||
union tcp_cc_info info;
|
||||
size_t sz = 0;
|
||||
|
|
@ -449,6 +463,7 @@ int inet_diag_dump_one_icsk(struct inet_hashinfo *hashinfo,
|
|||
const struct nlmsghdr *nlh,
|
||||
const struct inet_diag_req_v2 *req)
|
||||
{
|
||||
bool net_admin = netlink_net_capable(in_skb, CAP_NET_ADMIN);
|
||||
struct net *net = sock_net(in_skb->sk);
|
||||
struct sk_buff *rep;
|
||||
struct sock *sk;
|
||||
|
|
@ -458,7 +473,7 @@ int inet_diag_dump_one_icsk(struct inet_hashinfo *hashinfo,
|
|||
if (IS_ERR(sk))
|
||||
return PTR_ERR(sk);
|
||||
|
||||
rep = nlmsg_new(inet_sk_attr_size(), GFP_KERNEL);
|
||||
rep = nlmsg_new(inet_sk_attr_size(sk, req, net_admin), GFP_KERNEL);
|
||||
if (!rep) {
|
||||
err = -ENOMEM;
|
||||
goto out;
|
||||
|
|
@ -467,8 +482,7 @@ int inet_diag_dump_one_icsk(struct inet_hashinfo *hashinfo,
|
|||
err = sk_diag_fill(sk, rep, req,
|
||||
sk_user_ns(NETLINK_CB(in_skb).sk),
|
||||
NETLINK_CB(in_skb).portid,
|
||||
nlh->nlmsg_seq, 0, nlh,
|
||||
netlink_net_capable(in_skb, CAP_NET_ADMIN));
|
||||
nlh->nlmsg_seq, 0, nlh, net_admin);
|
||||
if (err < 0) {
|
||||
WARN_ON(err == -EMSGSIZE);
|
||||
nlmsg_free(rep);
|
||||
|
|
|
|||
|
|
@ -16,6 +16,7 @@
|
|||
|
||||
#include <linux/tcp.h>
|
||||
|
||||
#include <net/netlink.h>
|
||||
#include <net/tcp.h>
|
||||
|
||||
static void tcp_diag_get_info(struct sock *sk, struct inet_diag_msg *r,
|
||||
|
|
@ -36,6 +37,100 @@ static void tcp_diag_get_info(struct sock *sk, struct inet_diag_msg *r,
|
|||
tcp_get_info(sk, info);
|
||||
}
|
||||
|
||||
#ifdef CONFIG_TCP_MD5SIG
|
||||
static void tcp_diag_md5sig_fill(struct tcp_diag_md5sig *info,
|
||||
const struct tcp_md5sig_key *key)
|
||||
{
|
||||
info->tcpm_family = key->family;
|
||||
info->tcpm_prefixlen = key->prefixlen;
|
||||
info->tcpm_keylen = key->keylen;
|
||||
memcpy(info->tcpm_key, key->key, key->keylen);
|
||||
|
||||
if (key->family == AF_INET)
|
||||
info->tcpm_addr[0] = key->addr.a4.s_addr;
|
||||
#if IS_ENABLED(CONFIG_IPV6)
|
||||
else if (key->family == AF_INET6)
|
||||
memcpy(&info->tcpm_addr, &key->addr.a6,
|
||||
sizeof(info->tcpm_addr));
|
||||
#endif
|
||||
}
|
||||
|
||||
static int tcp_diag_put_md5sig(struct sk_buff *skb,
|
||||
const struct tcp_md5sig_info *md5sig)
|
||||
{
|
||||
const struct tcp_md5sig_key *key;
|
||||
struct tcp_diag_md5sig *info;
|
||||
struct nlattr *attr;
|
||||
int md5sig_count = 0;
|
||||
|
||||
hlist_for_each_entry_rcu(key, &md5sig->head, node)
|
||||
md5sig_count++;
|
||||
if (md5sig_count == 0)
|
||||
return 0;
|
||||
|
||||
attr = nla_reserve(skb, INET_DIAG_MD5SIG,
|
||||
md5sig_count * sizeof(struct tcp_diag_md5sig));
|
||||
if (!attr)
|
||||
return -EMSGSIZE;
|
||||
|
||||
info = nla_data(attr);
|
||||
memset(info, 0, md5sig_count * sizeof(struct tcp_diag_md5sig));
|
||||
hlist_for_each_entry_rcu(key, &md5sig->head, node) {
|
||||
tcp_diag_md5sig_fill(info++, key);
|
||||
if (--md5sig_count == 0)
|
||||
break;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
#endif
|
||||
|
||||
static int tcp_diag_get_aux(struct sock *sk, bool net_admin,
|
||||
struct sk_buff *skb)
|
||||
{
|
||||
#ifdef CONFIG_TCP_MD5SIG
|
||||
if (net_admin) {
|
||||
struct tcp_md5sig_info *md5sig;
|
||||
int err = 0;
|
||||
|
||||
rcu_read_lock();
|
||||
md5sig = rcu_dereference(tcp_sk(sk)->md5sig_info);
|
||||
if (md5sig)
|
||||
err = tcp_diag_put_md5sig(skb, md5sig);
|
||||
rcu_read_unlock();
|
||||
if (err < 0)
|
||||
return err;
|
||||
}
|
||||
#endif
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static size_t tcp_diag_get_aux_size(struct sock *sk, bool net_admin)
|
||||
{
|
||||
size_t size = 0;
|
||||
|
||||
#ifdef CONFIG_TCP_MD5SIG
|
||||
if (net_admin && sk_fullsock(sk)) {
|
||||
const struct tcp_md5sig_info *md5sig;
|
||||
const struct tcp_md5sig_key *key;
|
||||
size_t md5sig_count = 0;
|
||||
|
||||
rcu_read_lock();
|
||||
md5sig = rcu_dereference(tcp_sk(sk)->md5sig_info);
|
||||
if (md5sig) {
|
||||
hlist_for_each_entry_rcu(key, &md5sig->head, node)
|
||||
md5sig_count++;
|
||||
}
|
||||
rcu_read_unlock();
|
||||
size += nla_total_size(md5sig_count *
|
||||
sizeof(struct tcp_diag_md5sig));
|
||||
}
|
||||
#endif
|
||||
|
||||
return size;
|
||||
}
|
||||
|
||||
static void tcp_diag_dump(struct sk_buff *skb, struct netlink_callback *cb,
|
||||
const struct inet_diag_req_v2 *r, struct nlattr *bc)
|
||||
{
|
||||
|
|
@ -68,13 +163,15 @@ static int tcp_diag_destroy(struct sk_buff *in_skb,
|
|||
#endif
|
||||
|
||||
static const struct inet_diag_handler tcp_diag_handler = {
|
||||
.dump = tcp_diag_dump,
|
||||
.dump_one = tcp_diag_dump_one,
|
||||
.idiag_get_info = tcp_diag_get_info,
|
||||
.idiag_type = IPPROTO_TCP,
|
||||
.idiag_info_size = sizeof(struct tcp_info),
|
||||
.dump = tcp_diag_dump,
|
||||
.dump_one = tcp_diag_dump_one,
|
||||
.idiag_get_info = tcp_diag_get_info,
|
||||
.idiag_get_aux = tcp_diag_get_aux,
|
||||
.idiag_get_aux_size = tcp_diag_get_aux_size,
|
||||
.idiag_type = IPPROTO_TCP,
|
||||
.idiag_info_size = sizeof(struct tcp_info),
|
||||
#ifdef CONFIG_INET_DIAG_DESTROY
|
||||
.destroy = tcp_diag_destroy,
|
||||
.destroy = tcp_diag_destroy,
|
||||
#endif
|
||||
};
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue