search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge tag 'rproc-v6.14' of git://git.kernel.org/pub/scm/linux/kernel/git/remoteproc...
[linux.git] / net / netfilter / nft_fwd_netdev.c
blob152a9fb4d23af5b5b3385d5c552d38b8581a8d22
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (c) 2015 Pablo Neira Ayuso <pablo@netfilter.org>
4 */
5
6 #include <linux/kernel.h>
7 #include <linux/init.h>
8 #include <linux/module.h>
9 #include <linux/netlink.h>
10 #include <linux/netfilter.h>
11 #include <linux/netfilter/nf_tables.h>
12 #include <linux/ip.h>
13 #include <linux/ipv6.h>
14 #include <net/netfilter/nf_tables.h>
15 #include <net/netfilter/nf_tables_offload.h>
16 #include <net/netfilter/nf_dup_netdev.h>
17 #include <net/neighbour.h>
18 #include <net/ip.h>
19
20 struct nft_fwd_netdev {
21 u8 sreg_dev;
22 };
23
24 static void nft_fwd_netdev_eval(const struct nft_expr *expr,
25 struct nft_regs *regs,
26 const struct nft_pktinfo *pkt)
27 {
28 struct nft_fwd_netdev *priv = nft_expr_priv(expr);
29 int oif = regs->data[priv->sreg_dev];
30 struct sk_buff *skb = pkt->skb;
31
32 /* This is used by ifb only. */
33 skb->skb_iif = skb->dev->ifindex;
34 skb_set_redirected(skb, nft_hook(pkt) == NF_NETDEV_INGRESS);
35
36 nf_fwd_netdev_egress(pkt, oif);
37 regs->verdict.code = NF_STOLEN;
38 }
39
40 static const struct nla_policy nft_fwd_netdev_policy[NFTA_FWD_MAX + 1] = {
41 [NFTA_FWD_SREG_DEV] = { .type = NLA_U32 },
42 [NFTA_FWD_SREG_ADDR] = { .type = NLA_U32 },
43 [NFTA_FWD_NFPROTO] = NLA_POLICY_MAX(NLA_BE32, 255),
44 };
45
46 static int nft_fwd_netdev_init(const struct nft_ctx *ctx,
47 const struct nft_expr *expr,
48 const struct nlattr * const tb[])
49 {
50 struct nft_fwd_netdev *priv = nft_expr_priv(expr);
51
52 if (tb[NFTA_FWD_SREG_DEV] == NULL)
53 return -EINVAL;
54
55 return nft_parse_register_load(ctx, tb[NFTA_FWD_SREG_DEV], &priv->sreg_dev,
56 sizeof(int));
57 }
58
59 static int nft_fwd_netdev_dump(struct sk_buff *skb,
60 const struct nft_expr *expr, bool reset)
61 {
62 struct nft_fwd_netdev *priv = nft_expr_priv(expr);
63
64 if (nft_dump_register(skb, NFTA_FWD_SREG_DEV, priv->sreg_dev))
65 goto nla_put_failure;
66
67 return 0;
68
69 nla_put_failure:
70 return -1;
71 }
72
73 static int nft_fwd_netdev_offload(struct nft_offload_ctx *ctx,
74 struct nft_flow_rule *flow,
75 const struct nft_expr *expr)
76 {
77 const struct nft_fwd_netdev *priv = nft_expr_priv(expr);
78 int oif = ctx->regs[priv->sreg_dev].data.data[0];
79
80 return nft_fwd_dup_netdev_offload(ctx, flow, FLOW_ACTION_REDIRECT, oif);
81 }
82
83 static bool nft_fwd_netdev_offload_action(const struct nft_expr *expr)
84 {
85 return true;
86 }
87
88 struct nft_fwd_neigh {
89 u8 sreg_dev;
90 u8 sreg_addr;
91 u8 nfproto;
92 };
93
94 static void nft_fwd_neigh_eval(const struct nft_expr *expr,
95 struct nft_regs *regs,
96 const struct nft_pktinfo *pkt)
97 {
98 struct nft_fwd_neigh *priv = nft_expr_priv(expr);
99 void *addr = &regs->data[priv->sreg_addr];
100 int oif = regs->data[priv->sreg_dev];
101 unsigned int verdict = NF_STOLEN;
102 struct sk_buff *skb = pkt->skb;
103 struct net_device *dev;
104 int neigh_table;
105
106 switch (priv->nfproto) {
107 case NFPROTO_IPV4: {
108 struct iphdr *iph;
109
110 if (skb->protocol != htons(ETH_P_IP)) {
111 verdict = NFT_BREAK;
112 goto out;
113 }
114 if (skb_try_make_writable(skb, sizeof(*iph))) {
115 verdict = NF_DROP;
116 goto out;
117 }
118 iph = ip_hdr(skb);
119 ip_decrease_ttl(iph);
120 neigh_table = NEIGH_ARP_TABLE;
121 break;
122 }
123 case NFPROTO_IPV6: {
124 struct ipv6hdr *ip6h;
125
126 if (skb->protocol != htons(ETH_P_IPV6)) {
127 verdict = NFT_BREAK;
128 goto out;
129 }
130 if (skb_try_make_writable(skb, sizeof(*ip6h))) {
131 verdict = NF_DROP;
132 goto out;
133 }
134 ip6h = ipv6_hdr(skb);
135 ip6h->hop_limit--;
136 neigh_table = NEIGH_ND_TABLE;
137 break;
138 }
139 default:
140 verdict = NFT_BREAK;
141 goto out;
142 }
143
144 dev = dev_get_by_index_rcu(nft_net(pkt), oif);
145 if (dev == NULL)
146 return;
147
148 skb->dev = dev;
149 skb_clear_tstamp(skb);
150 neigh_xmit(neigh_table, dev, addr, skb);
151 out:
152 regs->verdict.code = verdict;
153 }
154
155 static int nft_fwd_neigh_init(const struct nft_ctx *ctx,
156 const struct nft_expr *expr,
157 const struct nlattr * const tb[])
158 {
159 struct nft_fwd_neigh *priv = nft_expr_priv(expr);
160 unsigned int addr_len;
161 int err;
162
163 if (!tb[NFTA_FWD_SREG_DEV] ||
164 !tb[NFTA_FWD_SREG_ADDR] ||
165 !tb[NFTA_FWD_NFPROTO])
166 return -EINVAL;
167
168 priv->nfproto = ntohl(nla_get_be32(tb[NFTA_FWD_NFPROTO]));
169
170 switch (priv->nfproto) {
171 case NFPROTO_IPV4:
172 addr_len = sizeof(struct in_addr);
173 break;
174 case NFPROTO_IPV6:
175 addr_len = sizeof(struct in6_addr);
176 break;
177 default:
178 return -EOPNOTSUPP;
179 }
180
181 err = nft_parse_register_load(ctx, tb[NFTA_FWD_SREG_DEV], &priv->sreg_dev,
182 sizeof(int));
183 if (err < 0)
184 return err;
185
186 return nft_parse_register_load(ctx, tb[NFTA_FWD_SREG_ADDR], &priv->sreg_addr,
187 addr_len);
188 }
189
190 static int nft_fwd_neigh_dump(struct sk_buff *skb,
191 const struct nft_expr *expr, bool reset)
192 {
193 struct nft_fwd_neigh *priv = nft_expr_priv(expr);
194
195 if (nft_dump_register(skb, NFTA_FWD_SREG_DEV, priv->sreg_dev) ||
196 nft_dump_register(skb, NFTA_FWD_SREG_ADDR, priv->sreg_addr) ||
197 nla_put_be32(skb, NFTA_FWD_NFPROTO, htonl(priv->nfproto)))
198 goto nla_put_failure;
199
200 return 0;
201
202 nla_put_failure:
203 return -1;
204 }
205
206 static int nft_fwd_validate(const struct nft_ctx *ctx,
207 const struct nft_expr *expr)
208 {
209 return nft_chain_validate_hooks(ctx->chain, (1 << NF_NETDEV_INGRESS) |
210 (1 << NF_NETDEV_EGRESS));
211 }
212
213 static struct nft_expr_type nft_fwd_netdev_type;
214 static const struct nft_expr_ops nft_fwd_neigh_netdev_ops = {
215 .type = &nft_fwd_netdev_type,
216 .size = NFT_EXPR_SIZE(sizeof(struct nft_fwd_neigh)),
217 .eval = nft_fwd_neigh_eval,
218 .init = nft_fwd_neigh_init,
219 .dump = nft_fwd_neigh_dump,
220 .validate = nft_fwd_validate,
221 .reduce = NFT_REDUCE_READONLY,
222 };
223
224 static const struct nft_expr_ops nft_fwd_netdev_ops = {
225 .type = &nft_fwd_netdev_type,
226 .size = NFT_EXPR_SIZE(sizeof(struct nft_fwd_netdev)),
227 .eval = nft_fwd_netdev_eval,
228 .init = nft_fwd_netdev_init,
229 .dump = nft_fwd_netdev_dump,
230 .validate = nft_fwd_validate,
231 .reduce = NFT_REDUCE_READONLY,
232 .offload = nft_fwd_netdev_offload,
233 .offload_action = nft_fwd_netdev_offload_action,
234 };
235
236 static const struct nft_expr_ops *
237 nft_fwd_select_ops(const struct nft_ctx *ctx,
238 const struct nlattr * const tb[])
239 {
240 if (tb[NFTA_FWD_SREG_ADDR])
241 return &nft_fwd_neigh_netdev_ops;
242 if (tb[NFTA_FWD_SREG_DEV])
243 return &nft_fwd_netdev_ops;
244
245 return ERR_PTR(-EOPNOTSUPP);
246 }
247
248 static struct nft_expr_type nft_fwd_netdev_type __read_mostly = {
249 .family = NFPROTO_NETDEV,
250 .name = "fwd",
251 .select_ops = nft_fwd_select_ops,
252 .policy = nft_fwd_netdev_policy,
253 .maxattr = NFTA_FWD_MAX,
254 .owner = THIS_MODULE,
255 };
256
257 static int __init nft_fwd_netdev_module_init(void)
258 {
259 return nft_register_expr(&nft_fwd_netdev_type);
260 }
261
262 static void __exit nft_fwd_netdev_module_exit(void)
263 {
264 nft_unregister_expr(&nft_fwd_netdev_type);
265 }
266
267 module_init(nft_fwd_netdev_module_init);
268 module_exit(nft_fwd_netdev_module_exit);
269
270 MODULE_LICENSE("GPL");
271 MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
272 MODULE_DESCRIPTION("nftables netdev packet forwarding support");
273 MODULE_ALIAS_NFT_AF_EXPR(5, "fwd");
Linux Kernel