search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
printf: Remove unused 'bprintf'
[drm/drm-misc.git] / net / core / fib_rules.c
blob34185d138c95ab29269a733155cbd3feb9d96b00
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * net/core/fib_rules.c Generic Routing Rules
4 *
5 * Authors: Thomas Graf <tgraf@suug.ch>
6 */
7
8 #include <linux/types.h>
9 #include <linux/kernel.h>
10 #include <linux/slab.h>
11 #include <linux/list.h>
12 #include <linux/module.h>
13 #include <net/net_namespace.h>
14 #include <net/inet_dscp.h>
15 #include <net/sock.h>
16 #include <net/fib_rules.h>
17 #include <net/ip_tunnels.h>
18 #include <linux/indirect_call_wrapper.h>
19
20 #if defined(CONFIG_IPV6) && defined(CONFIG_IPV6_MULTIPLE_TABLES)
21 #ifdef CONFIG_IP_MULTIPLE_TABLES
22 #define INDIRECT_CALL_MT(f, f2, f1, ...) \
23 INDIRECT_CALL_INET(f, f2, f1, __VA_ARGS__)
24 #else
25 #define INDIRECT_CALL_MT(f, f2, f1, ...) INDIRECT_CALL_1(f, f2, __VA_ARGS__)
26 #endif
27 #elif defined(CONFIG_IP_MULTIPLE_TABLES)
28 #define INDIRECT_CALL_MT(f, f2, f1, ...) INDIRECT_CALL_1(f, f1, __VA_ARGS__)
29 #else
30 #define INDIRECT_CALL_MT(f, f2, f1, ...) f(__VA_ARGS__)
31 #endif
32
33 static const struct fib_kuid_range fib_kuid_range_unset = {
34 KUIDT_INIT(0),
35 KUIDT_INIT(~0),
36 };
37
38 bool fib_rule_matchall(const struct fib_rule *rule)
39 {
40 if (rule->iifindex || rule->oifindex || rule->mark || rule->tun_id ||
41 rule->flags)
42 return false;
43 if (rule->suppress_ifgroup != -1 || rule->suppress_prefixlen != -1)
44 return false;
45 if (!uid_eq(rule->uid_range.start, fib_kuid_range_unset.start) ||
46 !uid_eq(rule->uid_range.end, fib_kuid_range_unset.end))
47 return false;
48 if (fib_rule_port_range_set(&rule->sport_range))
49 return false;
50 if (fib_rule_port_range_set(&rule->dport_range))
51 return false;
52 return true;
53 }
54 EXPORT_SYMBOL_GPL(fib_rule_matchall);
55
56 int fib_default_rule_add(struct fib_rules_ops *ops,
57 u32 pref, u32 table)
58 {
59 struct fib_rule *r;
60
61 r = kzalloc(ops->rule_size, GFP_KERNEL_ACCOUNT);
62 if (r == NULL)
63 return -ENOMEM;
64
65 refcount_set(&r->refcnt, 1);
66 r->action = FR_ACT_TO_TBL;
67 r->pref = pref;
68 r->table = table;
69 r->proto = RTPROT_KERNEL;
70 r->fr_net = ops->fro_net;
71 r->uid_range = fib_kuid_range_unset;
72
73 r->suppress_prefixlen = -1;
74 r->suppress_ifgroup = -1;
75
76 /* The lock is not required here, the list in unreachable
77 * at the moment this function is called */
78 list_add_tail(&r->list, &ops->rules_list);
79 return 0;
80 }
81 EXPORT_SYMBOL(fib_default_rule_add);
82
83 static u32 fib_default_rule_pref(struct fib_rules_ops *ops)
84 {
85 struct list_head *pos;
86 struct fib_rule *rule;
87
88 if (!list_empty(&ops->rules_list)) {
89 pos = ops->rules_list.next;
90 if (pos->next != &ops->rules_list) {
91 rule = list_entry(pos->next, struct fib_rule, list);
92 if (rule->pref)
93 return rule->pref - 1;
94 }
95 }
96
97 return 0;
98 }
99
100 static void notify_rule_change(int event, struct fib_rule *rule,
101 struct fib_rules_ops *ops, struct nlmsghdr *nlh,
102 u32 pid);
103
104 static struct fib_rules_ops *lookup_rules_ops(const struct net *net,
105 int family)
106 {
107 struct fib_rules_ops *ops;
108
109 rcu_read_lock();
110 list_for_each_entry_rcu(ops, &net->rules_ops, list) {
111 if (ops->family == family) {
112 if (!try_module_get(ops->owner))
113 ops = NULL;
114 rcu_read_unlock();
115 return ops;
116 }
117 }
118 rcu_read_unlock();
119
120 return NULL;
121 }
122
123 static void rules_ops_put(struct fib_rules_ops *ops)
124 {
125 if (ops)
126 module_put(ops->owner);
127 }
128
129 static void flush_route_cache(struct fib_rules_ops *ops)
130 {
131 if (ops->flush_cache)
132 ops->flush_cache(ops);
133 }
134
135 static int __fib_rules_register(struct fib_rules_ops *ops)
136 {
137 int err = -EEXIST;
138 struct fib_rules_ops *o;
139 struct net *net;
140
141 net = ops->fro_net;
142
143 if (ops->rule_size < sizeof(struct fib_rule))
144 return -EINVAL;
145
146 if (ops->match == NULL || ops->configure == NULL ||
147 ops->compare == NULL || ops->fill == NULL ||
148 ops->action == NULL)
149 return -EINVAL;
150
151 spin_lock(&net->rules_mod_lock);
152 list_for_each_entry(o, &net->rules_ops, list)
153 if (ops->family == o->family)
154 goto errout;
155
156 list_add_tail_rcu(&ops->list, &net->rules_ops);
157 err = 0;
158 errout:
159 spin_unlock(&net->rules_mod_lock);
160
161 return err;
162 }
163
164 struct fib_rules_ops *
165 fib_rules_register(const struct fib_rules_ops *tmpl, struct net *net)
166 {
167 struct fib_rules_ops *ops;
168 int err;
169
170 ops = kmemdup(tmpl, sizeof(*ops), GFP_KERNEL);
171 if (ops == NULL)
172 return ERR_PTR(-ENOMEM);
173
174 INIT_LIST_HEAD(&ops->rules_list);
175 ops->fro_net = net;
176
177 err = __fib_rules_register(ops);
178 if (err) {
179 kfree(ops);
180 ops = ERR_PTR(err);
181 }
182
183 return ops;
184 }
185 EXPORT_SYMBOL_GPL(fib_rules_register);
186
187 static void fib_rules_cleanup_ops(struct fib_rules_ops *ops)
188 {
189 struct fib_rule *rule, *tmp;
190
191 list_for_each_entry_safe(rule, tmp, &ops->rules_list, list) {
192 list_del_rcu(&rule->list);
193 if (ops->delete)
194 ops->delete(rule);
195 fib_rule_put(rule);
196 }
197 }
198
199 void fib_rules_unregister(struct fib_rules_ops *ops)
200 {
201 struct net *net = ops->fro_net;
202
203 spin_lock(&net->rules_mod_lock);
204 list_del_rcu(&ops->list);
205 spin_unlock(&net->rules_mod_lock);
206
207 fib_rules_cleanup_ops(ops);
208 kfree_rcu(ops, rcu);
209 }
210 EXPORT_SYMBOL_GPL(fib_rules_unregister);
211
212 static int uid_range_set(struct fib_kuid_range *range)
213 {
214 return uid_valid(range->start) && uid_valid(range->end);
215 }
216
217 static struct fib_kuid_range nla_get_kuid_range(struct nlattr **tb)
218 {
219 struct fib_rule_uid_range *in;
220 struct fib_kuid_range out;
221
222 in = (struct fib_rule_uid_range *)nla_data(tb[FRA_UID_RANGE]);
223
224 out.start = make_kuid(current_user_ns(), in->start);
225 out.end = make_kuid(current_user_ns(), in->end);
226
227 return out;
228 }
229
230 static int nla_put_uid_range(struct sk_buff *skb, struct fib_kuid_range *range)
231 {
232 struct fib_rule_uid_range out = {
233 from_kuid_munged(current_user_ns(), range->start),
234 from_kuid_munged(current_user_ns(), range->end)
235 };
236
237 return nla_put(skb, FRA_UID_RANGE, sizeof(out), &out);
238 }
239
240 static int nla_get_port_range(struct nlattr *pattr,
241 struct fib_rule_port_range *port_range)
242 {
243 const struct fib_rule_port_range *pr = nla_data(pattr);
244
245 if (!fib_rule_port_range_valid(pr))
246 return -EINVAL;
247
248 port_range->start = pr->start;
249 port_range->end = pr->end;
250
251 return 0;
252 }
253
254 static int nla_put_port_range(struct sk_buff *skb, int attrtype,
255 struct fib_rule_port_range *range)
256 {
257 return nla_put(skb, attrtype, sizeof(*range), range);
258 }
259
260 static int fib_rule_match(struct fib_rule *rule, struct fib_rules_ops *ops,
261 struct flowi *fl, int flags,
262 struct fib_lookup_arg *arg)
263 {
264 int ret = 0;
265
266 if (rule->iifindex && (rule->iifindex != fl->flowi_iif))
267 goto out;
268
269 if (rule->oifindex && (rule->oifindex != fl->flowi_oif))
270 goto out;
271
272 if ((rule->mark ^ fl->flowi_mark) & rule->mark_mask)
273 goto out;
274
275 if (rule->tun_id && (rule->tun_id != fl->flowi_tun_key.tun_id))
276 goto out;
277
278 if (rule->l3mdev && !l3mdev_fib_rule_match(rule->fr_net, fl, arg))
279 goto out;
280
281 if (uid_lt(fl->flowi_uid, rule->uid_range.start) ||
282 uid_gt(fl->flowi_uid, rule->uid_range.end))
283 goto out;
284
285 ret = INDIRECT_CALL_MT(ops->match,
286 fib6_rule_match,
287 fib4_rule_match,
288 rule, fl, flags);
289 out:
290 return (rule->flags & FIB_RULE_INVERT) ? !ret : ret;
291 }
292
293 int fib_rules_lookup(struct fib_rules_ops *ops, struct flowi *fl,
294 int flags, struct fib_lookup_arg *arg)
295 {
296 struct fib_rule *rule;
297 int err;
298
299 rcu_read_lock();
300
301 list_for_each_entry_rcu(rule, &ops->rules_list, list) {
302 jumped:
303 if (!fib_rule_match(rule, ops, fl, flags, arg))
304 continue;
305
306 if (rule->action == FR_ACT_GOTO) {
307 struct fib_rule *target;
308
309 target = rcu_dereference(rule->ctarget);
310 if (target == NULL) {
311 continue;
312 } else {
313 rule = target;
314 goto jumped;
315 }
316 } else if (rule->action == FR_ACT_NOP)
317 continue;
318 else
319 err = INDIRECT_CALL_MT(ops->action,
320 fib6_rule_action,
321 fib4_rule_action,
322 rule, fl, flags, arg);
323
324 if (!err && ops->suppress && INDIRECT_CALL_MT(ops->suppress,
325 fib6_rule_suppress,
326 fib4_rule_suppress,
327 rule, flags, arg))
328 continue;
329
330 if (err != -EAGAIN) {
331 if ((arg->flags & FIB_LOOKUP_NOREF) ||
332 likely(refcount_inc_not_zero(&rule->refcnt))) {
333 arg->rule = rule;
334 goto out;
335 }
336 break;
337 }
338 }
339
340 err = -ESRCH;
341 out:
342 rcu_read_unlock();
343
344 return err;
345 }
346 EXPORT_SYMBOL_GPL(fib_rules_lookup);
347
348 static int call_fib_rule_notifier(struct notifier_block *nb,
349 enum fib_event_type event_type,
350 struct fib_rule *rule, int family,
351 struct netlink_ext_ack *extack)
352 {
353 struct fib_rule_notifier_info info = {
354 .info.family = family,
355 .info.extack = extack,
356 .rule = rule,
357 };
358
359 return call_fib_notifier(nb, event_type, &info.info);
360 }
361
362 static int call_fib_rule_notifiers(struct net *net,
363 enum fib_event_type event_type,
364 struct fib_rule *rule,
365 struct fib_rules_ops *ops,
366 struct netlink_ext_ack *extack)
367 {
368 struct fib_rule_notifier_info info = {
369 .info.family = ops->family,
370 .info.extack = extack,
371 .rule = rule,
372 };
373
374 ASSERT_RTNL();
375 /* Paired with READ_ONCE() in fib_rules_seq() */
376 WRITE_ONCE(ops->fib_rules_seq, ops->fib_rules_seq + 1);
377 return call_fib_notifiers(net, event_type, &info.info);
378 }
379
380 /* Called with rcu_read_lock() */
381 int fib_rules_dump(struct net *net, struct notifier_block *nb, int family,
382 struct netlink_ext_ack *extack)
383 {
384 struct fib_rules_ops *ops;
385 struct fib_rule *rule;
386 int err = 0;
387
388 ops = lookup_rules_ops(net, family);
389 if (!ops)
390 return -EAFNOSUPPORT;
391 list_for_each_entry_rcu(rule, &ops->rules_list, list) {
392 err = call_fib_rule_notifier(nb, FIB_EVENT_RULE_ADD,
393 rule, family, extack);
394 if (err)
395 break;
396 }
397 rules_ops_put(ops);
398
399 return err;
400 }
401 EXPORT_SYMBOL_GPL(fib_rules_dump);
402
403 unsigned int fib_rules_seq_read(const struct net *net, int family)
404 {
405 unsigned int fib_rules_seq;
406 struct fib_rules_ops *ops;
407
408 ops = lookup_rules_ops(net, family);
409 if (!ops)
410 return 0;
411 /* Paired with WRITE_ONCE() in call_fib_rule_notifiers() */
412 fib_rules_seq = READ_ONCE(ops->fib_rules_seq);
413 rules_ops_put(ops);
414
415 return fib_rules_seq;
416 }
417 EXPORT_SYMBOL_GPL(fib_rules_seq_read);
418
419 static struct fib_rule *rule_find(struct fib_rules_ops *ops,
420 struct fib_rule_hdr *frh,
421 struct nlattr **tb,
422 struct fib_rule *rule,
423 bool user_priority)
424 {
425 struct fib_rule *r;
426
427 list_for_each_entry(r, &ops->rules_list, list) {
428 if (rule->action && r->action != rule->action)
429 continue;
430
431 if (rule->table && r->table != rule->table)
432 continue;
433
434 if (user_priority && r->pref != rule->pref)
435 continue;
436
437 if (rule->iifname[0] &&
438 memcmp(r->iifname, rule->iifname, IFNAMSIZ))
439 continue;
440
441 if (rule->oifname[0] &&
442 memcmp(r->oifname, rule->oifname, IFNAMSIZ))
443 continue;
444
445 if (rule->mark && r->mark != rule->mark)
446 continue;
447
448 if (rule->suppress_ifgroup != -1 &&
449 r->suppress_ifgroup != rule->suppress_ifgroup)
450 continue;
451
452 if (rule->suppress_prefixlen != -1 &&
453 r->suppress_prefixlen != rule->suppress_prefixlen)
454 continue;
455
456 if (rule->mark_mask && r->mark_mask != rule->mark_mask)
457 continue;
458
459 if (rule->tun_id && r->tun_id != rule->tun_id)
460 continue;
461
462 if (r->fr_net != rule->fr_net)
463 continue;
464
465 if (rule->l3mdev && r->l3mdev != rule->l3mdev)
466 continue;
467
468 if (uid_range_set(&rule->uid_range) &&
469 (!uid_eq(r->uid_range.start, rule->uid_range.start) ||
470 !uid_eq(r->uid_range.end, rule->uid_range.end)))
471 continue;
472
473 if (rule->ip_proto && r->ip_proto != rule->ip_proto)
474 continue;
475
476 if (rule->proto && r->proto != rule->proto)
477 continue;
478
479 if (fib_rule_port_range_set(&rule->sport_range) &&
480 !fib_rule_port_range_compare(&r->sport_range,
481 &rule->sport_range))
482 continue;
483
484 if (fib_rule_port_range_set(&rule->dport_range) &&
485 !fib_rule_port_range_compare(&r->dport_range,
486 &rule->dport_range))
487 continue;
488
489 if (!ops->compare(r, frh, tb))
490 continue;
491 return r;
492 }
493
494 return NULL;
495 }
496
497 #ifdef CONFIG_NET_L3_MASTER_DEV
498 static int fib_nl2rule_l3mdev(struct nlattr *nla, struct fib_rule *nlrule,
499 struct netlink_ext_ack *extack)
500 {
501 nlrule->l3mdev = nla_get_u8(nla);
502 if (nlrule->l3mdev != 1) {
503 NL_SET_ERR_MSG(extack, "Invalid l3mdev attribute");
504 return -1;
505 }
506
507 return 0;
508 }
509 #else
510 static int fib_nl2rule_l3mdev(struct nlattr *nla, struct fib_rule *nlrule,
511 struct netlink_ext_ack *extack)
512 {
513 NL_SET_ERR_MSG(extack, "l3mdev support is not enabled in kernel");
514 return -1;
515 }
516 #endif
517
518 static int fib_nl2rule(struct sk_buff *skb, struct nlmsghdr *nlh,
519 struct netlink_ext_ack *extack,
520 struct fib_rules_ops *ops,
521 struct nlattr *tb[],
522 struct fib_rule **rule,
523 bool *user_priority)
524 {
525 struct net *net = sock_net(skb->sk);
526 struct fib_rule_hdr *frh = nlmsg_data(nlh);
527 struct fib_rule *nlrule = NULL;
528 int err = -EINVAL;
529
530 if (frh->src_len)
531 if (!tb[FRA_SRC] ||
532 frh->src_len > (ops->addr_size * 8) ||
533 nla_len(tb[FRA_SRC]) != ops->addr_size) {
534 NL_SET_ERR_MSG(extack, "Invalid source address");
535 goto errout;
536 }
537
538 if (frh->dst_len)
539 if (!tb[FRA_DST] ||
540 frh->dst_len > (ops->addr_size * 8) ||
541 nla_len(tb[FRA_DST]) != ops->addr_size) {
542 NL_SET_ERR_MSG(extack, "Invalid dst address");
543 goto errout;
544 }
545
546 nlrule = kzalloc(ops->rule_size, GFP_KERNEL_ACCOUNT);
547 if (!nlrule) {
548 err = -ENOMEM;
549 goto errout;
550 }
551 refcount_set(&nlrule->refcnt, 1);
552 nlrule->fr_net = net;
553
554 if (tb[FRA_PRIORITY]) {
555 nlrule->pref = nla_get_u32(tb[FRA_PRIORITY]);
556 *user_priority = true;
557 } else {
558 nlrule->pref = fib_default_rule_pref(ops);
559 }
560
561 nlrule->proto = nla_get_u8_default(tb[FRA_PROTOCOL], RTPROT_UNSPEC);
562
563 if (tb[FRA_IIFNAME]) {
564 struct net_device *dev;
565
566 nlrule->iifindex = -1;
567 nla_strscpy(nlrule->iifname, tb[FRA_IIFNAME], IFNAMSIZ);
568 dev = __dev_get_by_name(net, nlrule->iifname);
569 if (dev)
570 nlrule->iifindex = dev->ifindex;
571 }
572
573 if (tb[FRA_OIFNAME]) {
574 struct net_device *dev;
575
576 nlrule->oifindex = -1;
577 nla_strscpy(nlrule->oifname, tb[FRA_OIFNAME], IFNAMSIZ);
578 dev = __dev_get_by_name(net, nlrule->oifname);
579 if (dev)
580 nlrule->oifindex = dev->ifindex;
581 }
582
583 if (tb[FRA_FWMARK]) {
584 nlrule->mark = nla_get_u32(tb[FRA_FWMARK]);
585 if (nlrule->mark)
586 /* compatibility: if the mark value is non-zero all bits
587 * are compared unless a mask is explicitly specified.
588 */
589 nlrule->mark_mask = 0xFFFFFFFF;
590 }
591
592 if (tb[FRA_FWMASK])
593 nlrule->mark_mask = nla_get_u32(tb[FRA_FWMASK]);
594
595 if (tb[FRA_TUN_ID])
596 nlrule->tun_id = nla_get_be64(tb[FRA_TUN_ID]);
597
598 if (tb[FRA_L3MDEV] &&
599 fib_nl2rule_l3mdev(tb[FRA_L3MDEV], nlrule, extack) < 0)
600 goto errout_free;
601
602 nlrule->action = frh->action;
603 nlrule->flags = frh->flags;
604 nlrule->table = frh_get_table(frh, tb);
605 if (tb[FRA_SUPPRESS_PREFIXLEN])
606 nlrule->suppress_prefixlen = nla_get_u32(tb[FRA_SUPPRESS_PREFIXLEN]);
607 else
608 nlrule->suppress_prefixlen = -1;
609
610 if (tb[FRA_SUPPRESS_IFGROUP])
611 nlrule->suppress_ifgroup = nla_get_u32(tb[FRA_SUPPRESS_IFGROUP]);
612 else
613 nlrule->suppress_ifgroup = -1;
614
615 if (tb[FRA_GOTO]) {
616 if (nlrule->action != FR_ACT_GOTO) {
617 NL_SET_ERR_MSG(extack, "Unexpected goto");
618 goto errout_free;
619 }
620
621 nlrule->target = nla_get_u32(tb[FRA_GOTO]);
622 /* Backward jumps are prohibited to avoid endless loops */
623 if (nlrule->target <= nlrule->pref) {
624 NL_SET_ERR_MSG(extack, "Backward goto not supported");
625 goto errout_free;
626 }
627 } else if (nlrule->action == FR_ACT_GOTO) {
628 NL_SET_ERR_MSG(extack, "Missing goto target for action goto");
629 goto errout_free;
630 }
631
632 if (nlrule->l3mdev && nlrule->table) {
633 NL_SET_ERR_MSG(extack, "l3mdev and table are mutually exclusive");
634 goto errout_free;
635 }
636
637 if (tb[FRA_UID_RANGE]) {
638 if (current_user_ns() != net->user_ns) {
639 err = -EPERM;
640 NL_SET_ERR_MSG(extack, "No permission to set uid");
641 goto errout_free;
642 }
643
644 nlrule->uid_range = nla_get_kuid_range(tb);
645
646 if (!uid_range_set(&nlrule->uid_range) ||
647 !uid_lte(nlrule->uid_range.start, nlrule->uid_range.end)) {
648 NL_SET_ERR_MSG(extack, "Invalid uid range");
649 goto errout_free;
650 }
651 } else {
652 nlrule->uid_range = fib_kuid_range_unset;
653 }
654
655 if (tb[FRA_IP_PROTO])
656 nlrule->ip_proto = nla_get_u8(tb[FRA_IP_PROTO]);
657
658 if (tb[FRA_SPORT_RANGE]) {
659 err = nla_get_port_range(tb[FRA_SPORT_RANGE],
660 &nlrule->sport_range);
661 if (err) {
662 NL_SET_ERR_MSG(extack, "Invalid sport range");
663 goto errout_free;
664 }
665 }
666
667 if (tb[FRA_DPORT_RANGE]) {
668 err = nla_get_port_range(tb[FRA_DPORT_RANGE],
669 &nlrule->dport_range);
670 if (err) {
671 NL_SET_ERR_MSG(extack, "Invalid dport range");
672 goto errout_free;
673 }
674 }
675
676 *rule = nlrule;
677
678 return 0;
679
680 errout_free:
681 kfree(nlrule);
682 errout:
683 return err;
684 }
685
686 static int rule_exists(struct fib_rules_ops *ops, struct fib_rule_hdr *frh,
687 struct nlattr **tb, struct fib_rule *rule)
688 {
689 struct fib_rule *r;
690
691 list_for_each_entry(r, &ops->rules_list, list) {
692 if (r->action != rule->action)
693 continue;
694
695 if (r->table != rule->table)
696 continue;
697
698 if (r->pref != rule->pref)
699 continue;
700
701 if (memcmp(r->iifname, rule->iifname, IFNAMSIZ))
702 continue;
703
704 if (memcmp(r->oifname, rule->oifname, IFNAMSIZ))
705 continue;
706
707 if (r->mark != rule->mark)
708 continue;
709
710 if (r->suppress_ifgroup != rule->suppress_ifgroup)
711 continue;
712
713 if (r->suppress_prefixlen != rule->suppress_prefixlen)
714 continue;
715
716 if (r->mark_mask != rule->mark_mask)
717 continue;
718
719 if (r->tun_id != rule->tun_id)
720 continue;
721
722 if (r->fr_net != rule->fr_net)
723 continue;
724
725 if (r->l3mdev != rule->l3mdev)
726 continue;
727
728 if (!uid_eq(r->uid_range.start, rule->uid_range.start) ||
729 !uid_eq(r->uid_range.end, rule->uid_range.end))
730 continue;
731
732 if (r->ip_proto != rule->ip_proto)
733 continue;
734
735 if (r->proto != rule->proto)
736 continue;
737
738 if (!fib_rule_port_range_compare(&r->sport_range,
739 &rule->sport_range))
740 continue;
741
742 if (!fib_rule_port_range_compare(&r->dport_range,
743 &rule->dport_range))
744 continue;
745
746 if (!ops->compare(r, frh, tb))
747 continue;
748 return 1;
749 }
750 return 0;
751 }
752
753 static const struct nla_policy fib_rule_policy[FRA_MAX + 1] = {
754 [FRA_UNSPEC] = { .strict_start_type = FRA_DPORT_RANGE + 1 },
755 [FRA_IIFNAME] = { .type = NLA_STRING, .len = IFNAMSIZ - 1 },
756 [FRA_OIFNAME] = { .type = NLA_STRING, .len = IFNAMSIZ - 1 },
757 [FRA_PRIORITY] = { .type = NLA_U32 },
758 [FRA_FWMARK] = { .type = NLA_U32 },
759 [FRA_FLOW] = { .type = NLA_U32 },
760 [FRA_TUN_ID] = { .type = NLA_U64 },
761 [FRA_FWMASK] = { .type = NLA_U32 },
762 [FRA_TABLE] = { .type = NLA_U32 },
763 [FRA_SUPPRESS_PREFIXLEN] = { .type = NLA_U32 },
764 [FRA_SUPPRESS_IFGROUP] = { .type = NLA_U32 },
765 [FRA_GOTO] = { .type = NLA_U32 },
766 [FRA_L3MDEV] = { .type = NLA_U8 },
767 [FRA_UID_RANGE] = { .len = sizeof(struct fib_rule_uid_range) },
768 [FRA_PROTOCOL] = { .type = NLA_U8 },
769 [FRA_IP_PROTO] = { .type = NLA_U8 },
770 [FRA_SPORT_RANGE] = { .len = sizeof(struct fib_rule_port_range) },
771 [FRA_DPORT_RANGE] = { .len = sizeof(struct fib_rule_port_range) },
772 [FRA_DSCP] = NLA_POLICY_MAX(NLA_U8, INET_DSCP_MASK >> 2),
773 };
774
775 int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr *nlh,
776 struct netlink_ext_ack *extack)
777 {
778 struct net *net = sock_net(skb->sk);
779 struct fib_rule_hdr *frh = nlmsg_data(nlh);
780 struct fib_rules_ops *ops = NULL;
781 struct fib_rule *rule = NULL, *r, *last = NULL;
782 struct nlattr *tb[FRA_MAX + 1];
783 int err = -EINVAL, unresolved = 0;
784 bool user_priority = false;
785
786 if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*frh))) {
787 NL_SET_ERR_MSG(extack, "Invalid msg length");
788 goto errout;
789 }
790
791 ops = lookup_rules_ops(net, frh->family);
792 if (!ops) {
793 err = -EAFNOSUPPORT;
794 NL_SET_ERR_MSG(extack, "Rule family not supported");
795 goto errout;
796 }
797
798 err = nlmsg_parse_deprecated(nlh, sizeof(*frh), tb, FRA_MAX,
799 fib_rule_policy, extack);
800 if (err < 0) {
801 NL_SET_ERR_MSG(extack, "Error parsing msg");
802 goto errout;
803 }
804
805 err = fib_nl2rule(skb, nlh, extack, ops, tb, &rule, &user_priority);
806 if (err)
807 goto errout;
808
809 if ((nlh->nlmsg_flags & NLM_F_EXCL) &&
810 rule_exists(ops, frh, tb, rule)) {
811 err = -EEXIST;
812 goto errout_free;
813 }
814
815 err = ops->configure(rule, skb, frh, tb, extack);
816 if (err < 0)
817 goto errout_free;
818
819 err = call_fib_rule_notifiers(net, FIB_EVENT_RULE_ADD, rule, ops,
820 extack);
821 if (err < 0)
822 goto errout_free;
823
824 list_for_each_entry(r, &ops->rules_list, list) {
825 if (r->pref == rule->target) {
826 RCU_INIT_POINTER(rule->ctarget, r);
827 break;
828 }
829 }
830
831 if (rcu_dereference_protected(rule->ctarget, 1) == NULL)
832 unresolved = 1;
833
834 list_for_each_entry(r, &ops->rules_list, list) {
835 if (r->pref > rule->pref)
836 break;
837 last = r;
838 }
839
840 if (last)
841 list_add_rcu(&rule->list, &last->list);
842 else
843 list_add_rcu(&rule->list, &ops->rules_list);
844
845 if (ops->unresolved_rules) {
846 /*
847 * There are unresolved goto rules in the list, check if
848 * any of them are pointing to this new rule.
849 */
850 list_for_each_entry(r, &ops->rules_list, list) {
851 if (r->action == FR_ACT_GOTO &&
852 r->target == rule->pref &&
853 rtnl_dereference(r->ctarget) == NULL) {
854 rcu_assign_pointer(r->ctarget, rule);
855 if (--ops->unresolved_rules == 0)
856 break;
857 }
858 }
859 }
860
861 if (rule->action == FR_ACT_GOTO)
862 ops->nr_goto_rules++;
863
864 if (unresolved)
865 ops->unresolved_rules++;
866
867 if (rule->tun_id)
868 ip_tunnel_need_metadata();
869
870 notify_rule_change(RTM_NEWRULE, rule, ops, nlh, NETLINK_CB(skb).portid);
871 flush_route_cache(ops);
872 rules_ops_put(ops);
873 return 0;
874
875 errout_free:
876 kfree(rule);
877 errout:
878 rules_ops_put(ops);
879 return err;
880 }
881 EXPORT_SYMBOL_GPL(fib_nl_newrule);
882
883 int fib_nl_delrule(struct sk_buff *skb, struct nlmsghdr *nlh,
884 struct netlink_ext_ack *extack)
885 {
886 struct net *net = sock_net(skb->sk);
887 struct fib_rule_hdr *frh = nlmsg_data(nlh);
888 struct fib_rules_ops *ops = NULL;
889 struct fib_rule *rule = NULL, *r, *nlrule = NULL;
890 struct nlattr *tb[FRA_MAX+1];
891 int err = -EINVAL;
892 bool user_priority = false;
893
894 if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*frh))) {
895 NL_SET_ERR_MSG(extack, "Invalid msg length");
896 goto errout;
897 }
898
899 ops = lookup_rules_ops(net, frh->family);
900 if (ops == NULL) {
901 err = -EAFNOSUPPORT;
902 NL_SET_ERR_MSG(extack, "Rule family not supported");
903 goto errout;
904 }
905
906 err = nlmsg_parse_deprecated(nlh, sizeof(*frh), tb, FRA_MAX,
907 fib_rule_policy, extack);
908 if (err < 0) {
909 NL_SET_ERR_MSG(extack, "Error parsing msg");
910 goto errout;
911 }
912
913 err = fib_nl2rule(skb, nlh, extack, ops, tb, &nlrule, &user_priority);
914 if (err)
915 goto errout;
916
917 rule = rule_find(ops, frh, tb, nlrule, user_priority);
918 if (!rule) {
919 err = -ENOENT;
920 goto errout;
921 }
922
923 if (rule->flags & FIB_RULE_PERMANENT) {
924 err = -EPERM;
925 goto errout;
926 }
927
928 if (ops->delete) {
929 err = ops->delete(rule);
930 if (err)
931 goto errout;
932 }
933
934 if (rule->tun_id)
935 ip_tunnel_unneed_metadata();
936
937 list_del_rcu(&rule->list);
938
939 if (rule->action == FR_ACT_GOTO) {
940 ops->nr_goto_rules--;
941 if (rtnl_dereference(rule->ctarget) == NULL)
942 ops->unresolved_rules--;
943 }
944
945 /*
946 * Check if this rule is a target to any of them. If so,
947 * adjust to the next one with the same preference or
948 * disable them. As this operation is eventually very
949 * expensive, it is only performed if goto rules, except
950 * current if it is goto rule, have actually been added.
951 */
952 if (ops->nr_goto_rules > 0) {
953 struct fib_rule *n;
954
955 n = list_next_entry(rule, list);
956 if (&n->list == &ops->rules_list || n->pref != rule->pref)
957 n = NULL;
958 list_for_each_entry(r, &ops->rules_list, list) {
959 if (rtnl_dereference(r->ctarget) != rule)
960 continue;
961 rcu_assign_pointer(r->ctarget, n);
962 if (!n)
963 ops->unresolved_rules++;
964 }
965 }
966
967 call_fib_rule_notifiers(net, FIB_EVENT_RULE_DEL, rule, ops,
968 NULL);
969 notify_rule_change(RTM_DELRULE, rule, ops, nlh,
970 NETLINK_CB(skb).portid);
971 fib_rule_put(rule);
972 flush_route_cache(ops);
973 rules_ops_put(ops);
974 kfree(nlrule);
975 return 0;
976
977 errout:
978 kfree(nlrule);
979 rules_ops_put(ops);
980 return err;
981 }
982 EXPORT_SYMBOL_GPL(fib_nl_delrule);
983
984 static inline size_t fib_rule_nlmsg_size(struct fib_rules_ops *ops,
985 struct fib_rule *rule)
986 {
987 size_t payload = NLMSG_ALIGN(sizeof(struct fib_rule_hdr))
988 + nla_total_size(IFNAMSIZ) /* FRA_IIFNAME */
989 + nla_total_size(IFNAMSIZ) /* FRA_OIFNAME */
990 + nla_total_size(4) /* FRA_PRIORITY */
991 + nla_total_size(4) /* FRA_TABLE */
992 + nla_total_size(4) /* FRA_SUPPRESS_PREFIXLEN */
993 + nla_total_size(4) /* FRA_SUPPRESS_IFGROUP */
994 + nla_total_size(4) /* FRA_FWMARK */
995 + nla_total_size(4) /* FRA_FWMASK */
996 + nla_total_size_64bit(8) /* FRA_TUN_ID */
997 + nla_total_size(sizeof(struct fib_kuid_range))
998 + nla_total_size(1) /* FRA_PROTOCOL */
999 + nla_total_size(1) /* FRA_IP_PROTO */
1000 + nla_total_size(sizeof(struct fib_rule_port_range)) /* FRA_SPORT_RANGE */
1001 + nla_total_size(sizeof(struct fib_rule_port_range)); /* FRA_DPORT_RANGE */
1002
1003 if (ops->nlmsg_payload)
1004 payload += ops->nlmsg_payload(rule);
1005
1006 return payload;
1007 }
1008
1009 static int fib_nl_fill_rule(struct sk_buff *skb, struct fib_rule *rule,
1010 u32 pid, u32 seq, int type, int flags,
1011 struct fib_rules_ops *ops)
1012 {
1013 struct nlmsghdr *nlh;
1014 struct fib_rule_hdr *frh;
1015
1016 nlh = nlmsg_put(skb, pid, seq, type, sizeof(*frh), flags);
1017 if (nlh == NULL)
1018 return -EMSGSIZE;
1019
1020 frh = nlmsg_data(nlh);
1021 frh->family = ops->family;
1022 frh->table = rule->table < 256 ? rule->table : RT_TABLE_COMPAT;
1023 if (nla_put_u32(skb, FRA_TABLE, rule->table))
1024 goto nla_put_failure;
1025 if (nla_put_u32(skb, FRA_SUPPRESS_PREFIXLEN, rule->suppress_prefixlen))
1026 goto nla_put_failure;
1027 frh->res1 = 0;
1028 frh->res2 = 0;
1029 frh->action = rule->action;
1030 frh->flags = rule->flags;
1031
1032 if (nla_put_u8(skb, FRA_PROTOCOL, rule->proto))
1033 goto nla_put_failure;
1034
1035 if (rule->action == FR_ACT_GOTO &&
1036 rcu_access_pointer(rule->ctarget) == NULL)
1037 frh->flags |= FIB_RULE_UNRESOLVED;
1038
1039 if (rule->iifname[0]) {
1040 if (nla_put_string(skb, FRA_IIFNAME, rule->iifname))
1041 goto nla_put_failure;
1042 if (rule->iifindex == -1)
1043 frh->flags |= FIB_RULE_IIF_DETACHED;
1044 }
1045
1046 if (rule->oifname[0]) {
1047 if (nla_put_string(skb, FRA_OIFNAME, rule->oifname))
1048 goto nla_put_failure;
1049 if (rule->oifindex == -1)
1050 frh->flags |= FIB_RULE_OIF_DETACHED;
1051 }
1052
1053 if ((rule->pref &&
1054 nla_put_u32(skb, FRA_PRIORITY, rule->pref)) ||
1055 (rule->mark &&
1056 nla_put_u32(skb, FRA_FWMARK, rule->mark)) ||
1057 ((rule->mark_mask || rule->mark) &&
1058 nla_put_u32(skb, FRA_FWMASK, rule->mark_mask)) ||
1059 (rule->target &&
1060 nla_put_u32(skb, FRA_GOTO, rule->target)) ||
1061 (rule->tun_id &&
1062 nla_put_be64(skb, FRA_TUN_ID, rule->tun_id, FRA_PAD)) ||
1063 (rule->l3mdev &&
1064 nla_put_u8(skb, FRA_L3MDEV, rule->l3mdev)) ||
1065 (uid_range_set(&rule->uid_range) &&
1066 nla_put_uid_range(skb, &rule->uid_range)) ||
1067 (fib_rule_port_range_set(&rule->sport_range) &&
1068 nla_put_port_range(skb, FRA_SPORT_RANGE, &rule->sport_range)) ||
1069 (fib_rule_port_range_set(&rule->dport_range) &&
1070 nla_put_port_range(skb, FRA_DPORT_RANGE, &rule->dport_range)) ||
1071 (rule->ip_proto && nla_put_u8(skb, FRA_IP_PROTO, rule->ip_proto)))
1072 goto nla_put_failure;
1073
1074 if (rule->suppress_ifgroup != -1) {
1075 if (nla_put_u32(skb, FRA_SUPPRESS_IFGROUP, rule->suppress_ifgroup))
1076 goto nla_put_failure;
1077 }
1078
1079 if (ops->fill(rule, skb, frh) < 0)
1080 goto nla_put_failure;
1081
1082 nlmsg_end(skb, nlh);
1083 return 0;
1084
1085 nla_put_failure:
1086 nlmsg_cancel(skb, nlh);
1087 return -EMSGSIZE;
1088 }
1089
1090 static int dump_rules(struct sk_buff *skb, struct netlink_callback *cb,
1091 struct fib_rules_ops *ops)
1092 {
1093 int idx = 0;
1094 struct fib_rule *rule;
1095 int err = 0;
1096
1097 rcu_read_lock();
1098 list_for_each_entry_rcu(rule, &ops->rules_list, list) {
1099 if (idx < cb->args[1])
1100 goto skip;
1101
1102 err = fib_nl_fill_rule(skb, rule, NETLINK_CB(cb->skb).portid,
1103 cb->nlh->nlmsg_seq, RTM_NEWRULE,
1104 NLM_F_MULTI, ops);
1105 if (err)
1106 break;
1107 skip:
1108 idx++;
1109 }
1110 rcu_read_unlock();
1111 cb->args[1] = idx;
1112 rules_ops_put(ops);
1113
1114 return err;
1115 }
1116
1117 static int fib_valid_dumprule_req(const struct nlmsghdr *nlh,
1118 struct netlink_ext_ack *extack)
1119 {
1120 struct fib_rule_hdr *frh;
1121
1122 if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*frh))) {
1123 NL_SET_ERR_MSG(extack, "Invalid header for fib rule dump request");
1124 return -EINVAL;
1125 }
1126
1127 frh = nlmsg_data(nlh);
1128 if (frh->dst_len || frh->src_len || frh->tos || frh->table ||
1129 frh->res1 || frh->res2 || frh->action || frh->flags) {
1130 NL_SET_ERR_MSG(extack,
1131 "Invalid values in header for fib rule dump request");
1132 return -EINVAL;
1133 }
1134
1135 if (nlmsg_attrlen(nlh, sizeof(*frh))) {
1136 NL_SET_ERR_MSG(extack, "Invalid data after header in fib rule dump request");
1137 return -EINVAL;
1138 }
1139
1140 return 0;
1141 }
1142
1143 static int fib_nl_dumprule(struct sk_buff *skb, struct netlink_callback *cb)
1144 {
1145 const struct nlmsghdr *nlh = cb->nlh;
1146 struct net *net = sock_net(skb->sk);
1147 struct fib_rules_ops *ops;
1148 int err, idx = 0, family;
1149
1150 if (cb->strict_check) {
1151 err = fib_valid_dumprule_req(nlh, cb->extack);
1152
1153 if (err < 0)
1154 return err;
1155 }
1156
1157 family = rtnl_msg_family(nlh);
1158 if (family != AF_UNSPEC) {
1159 /* Protocol specific dump request */
1160 ops = lookup_rules_ops(net, family);
1161 if (ops == NULL)
1162 return -EAFNOSUPPORT;
1163
1164 return dump_rules(skb, cb, ops);
1165 }
1166
1167 err = 0;
1168 rcu_read_lock();
1169 list_for_each_entry_rcu(ops, &net->rules_ops, list) {
1170 if (idx < cb->args[0] || !try_module_get(ops->owner))
1171 goto skip;
1172
1173 err = dump_rules(skb, cb, ops);
1174 if (err < 0)
1175 break;
1176
1177 cb->args[1] = 0;
1178 skip:
1179 idx++;
1180 }
1181 rcu_read_unlock();
1182 cb->args[0] = idx;
1183
1184 return err;
1185 }
1186
1187 static void notify_rule_change(int event, struct fib_rule *rule,
1188 struct fib_rules_ops *ops, struct nlmsghdr *nlh,
1189 u32 pid)
1190 {
1191 struct net *net;
1192 struct sk_buff *skb;
1193 int err = -ENOMEM;
1194
1195 net = ops->fro_net;
1196 skb = nlmsg_new(fib_rule_nlmsg_size(ops, rule), GFP_KERNEL);
1197 if (skb == NULL)
1198 goto errout;
1199
1200 err = fib_nl_fill_rule(skb, rule, pid, nlh->nlmsg_seq, event, 0, ops);
1201 if (err < 0) {
1202 /* -EMSGSIZE implies BUG in fib_rule_nlmsg_size() */
1203 WARN_ON(err == -EMSGSIZE);
1204 kfree_skb(skb);
1205 goto errout;
1206 }
1207
1208 rtnl_notify(skb, net, pid, ops->nlgroup, nlh, GFP_KERNEL);
1209 return;
1210 errout:
1211 rtnl_set_sk_err(net, ops->nlgroup, err);
1212 }
1213
1214 static void attach_rules(struct list_head *rules, struct net_device *dev)
1215 {
1216 struct fib_rule *rule;
1217
1218 list_for_each_entry(rule, rules, list) {
1219 if (rule->iifindex == -1 &&
1220 strcmp(dev->name, rule->iifname) == 0)
1221 rule->iifindex = dev->ifindex;
1222 if (rule->oifindex == -1 &&
1223 strcmp(dev->name, rule->oifname) == 0)
1224 rule->oifindex = dev->ifindex;
1225 }
1226 }
1227
1228 static void detach_rules(struct list_head *rules, struct net_device *dev)
1229 {
1230 struct fib_rule *rule;
1231
1232 list_for_each_entry(rule, rules, list) {
1233 if (rule->iifindex == dev->ifindex)
1234 rule->iifindex = -1;
1235 if (rule->oifindex == dev->ifindex)
1236 rule->oifindex = -1;
1237 }
1238 }
1239
1240
1241 static int fib_rules_event(struct notifier_block *this, unsigned long event,
1242 void *ptr)
1243 {
1244 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
1245 struct net *net = dev_net(dev);
1246 struct fib_rules_ops *ops;
1247
1248 ASSERT_RTNL();
1249
1250 switch (event) {
1251 case NETDEV_REGISTER:
1252 list_for_each_entry(ops, &net->rules_ops, list)
1253 attach_rules(&ops->rules_list, dev);
1254 break;
1255
1256 case NETDEV_CHANGENAME:
1257 list_for_each_entry(ops, &net->rules_ops, list) {
1258 detach_rules(&ops->rules_list, dev);
1259 attach_rules(&ops->rules_list, dev);
1260 }
1261 break;
1262
1263 case NETDEV_UNREGISTER:
1264 list_for_each_entry(ops, &net->rules_ops, list)
1265 detach_rules(&ops->rules_list, dev);
1266 break;
1267 }
1268
1269 return NOTIFY_DONE;
1270 }
1271
1272 static struct notifier_block fib_rules_notifier = {
1273 .notifier_call = fib_rules_event,
1274 };
1275
1276 static int __net_init fib_rules_net_init(struct net *net)
1277 {
1278 INIT_LIST_HEAD(&net->rules_ops);
1279 spin_lock_init(&net->rules_mod_lock);
1280 return 0;
1281 }
1282
1283 static void __net_exit fib_rules_net_exit(struct net *net)
1284 {
1285 WARN_ON_ONCE(!list_empty(&net->rules_ops));
1286 }
1287
1288 static struct pernet_operations fib_rules_net_ops = {
1289 .init = fib_rules_net_init,
1290 .exit = fib_rules_net_exit,
1291 };
1292
1293 static const struct rtnl_msg_handler fib_rules_rtnl_msg_handlers[] __initconst = {
1294 {.msgtype = RTM_NEWRULE, .doit = fib_nl_newrule},
1295 {.msgtype = RTM_DELRULE, .doit = fib_nl_delrule},
1296 {.msgtype = RTM_GETRULE, .dumpit = fib_nl_dumprule,
1297 .flags = RTNL_FLAG_DUMP_UNLOCKED},
1298 };
1299
1300 static int __init fib_rules_init(void)
1301 {
1302 int err;
1303
1304 rtnl_register_many(fib_rules_rtnl_msg_handlers);
1305
1306 err = register_pernet_subsys(&fib_rules_net_ops);
1307 if (err < 0)
1308 goto fail;
1309
1310 err = register_netdevice_notifier(&fib_rules_notifier);
1311 if (err < 0)
1312 goto fail_unregister;
1313
1314 return 0;
1315
1316 fail_unregister:
1317 unregister_pernet_subsys(&fib_rules_net_ops);
1318 fail:
1319 rtnl_unregister_many(fib_rules_rtnl_msg_handlers);
1320 return err;
1321 }
1322
1323 subsys_initcall(fib_rules_init);
Kernel DRM miscellaneous fixes and cross-tree changes