net/netfilter/nft_fib.c

   1 /*
   2  * This program is free software; you can redistribute it and/or modify
   3  * it under the terms of the GNU General Public License version 2 as
   4  * published by the Free Software Foundation.
   5  *
   6  * Generic part shared by ipv4 and ipv6 backends.
   7  */
   8
   9 #include <linux/kernel.h>
  10 #include <linux/init.h>
  11 #include <linux/module.h>
  12 #include <linux/netlink.h>
  13 #include <linux/netfilter.h>
  14 #include <linux/netfilter/nf_tables.h>
  15 #include <net/netfilter/nf_tables_core.h>
  16 #include <net/netfilter/nf_tables.h>
  17 #include <net/netfilter/nft_fib.h>
  18
  19 const struct nla_policy nft_fib_policy[NFTA_FIB_MAX + 1] = {
  20         [NFTA_FIB_DREG]         = { .type = NLA_U32 },
  21         [NFTA_FIB_RESULT]       = { .type = NLA_U32 },
  22         [NFTA_FIB_FLAGS]        = { .type = NLA_U32 },
  23 };
  24 EXPORT_SYMBOL(nft_fib_policy);
  25
  26 #define NFTA_FIB_F_ALL (NFTA_FIB_F_SADDR | NFTA_FIB_F_DADDR | \
  27                         NFTA_FIB_F_MARK | NFTA_FIB_F_IIF | NFTA_FIB_F_OIF)
  28
  29 int nft_fib_validate(const struct nft_ctx *ctx, const struct nft_expr *expr,
  30                      const struct nft_data **data)
  31 {
  32         const struct nft_fib *priv = nft_expr_priv(expr);
  33         unsigned int hooks;
  34
  35         switch (priv->result) {
  36         case NFT_FIB_RESULT_OIF: /* fallthrough */
  37         case NFT_FIB_RESULT_OIFNAME:
  38                 hooks = (1 << NF_INET_PRE_ROUTING);
  39                 break;
  40         case NFT_FIB_RESULT_ADDRTYPE:
  41                 if (priv->flags & NFTA_FIB_F_IIF)
  42                         hooks = (1 << NF_INET_PRE_ROUTING) |
  43                                 (1 << NF_INET_LOCAL_IN) |
  44                                 (1 << NF_INET_FORWARD);
  45                 else if (priv->flags & NFTA_FIB_F_OIF)
  46                         hooks = (1 << NF_INET_LOCAL_OUT) |
  47                                 (1 << NF_INET_POST_ROUTING) |
  48                                 (1 << NF_INET_FORWARD);
  49                 else
  50                         hooks = (1 << NF_INET_LOCAL_IN) |
  51                                 (1 << NF_INET_LOCAL_OUT) |
  52                                 (1 << NF_INET_FORWARD) |
  53                                 (1 << NF_INET_PRE_ROUTING) |
  54                                 (1 << NF_INET_POST_ROUTING);
  55
  56                 break;
  57         default:
  58                 return -EINVAL;
  59         }
  60
  61         return nft_chain_validate_hooks(ctx->chain, hooks);
  62 }
  63 EXPORT_SYMBOL_GPL(nft_fib_validate);
  64
  65 int nft_fib_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
  66                  const struct nlattr * const tb[])
  67 {
  68         struct nft_fib *priv = nft_expr_priv(expr);
  69         unsigned int len;
  70         int err;
  71
  72         if (!tb[NFTA_FIB_DREG] || !tb[NFTA_FIB_RESULT] || !tb[NFTA_FIB_FLAGS])
  73                 return -EINVAL;
  74
  75         priv->flags = ntohl(nla_get_be32(tb[NFTA_FIB_FLAGS]));
  76
  77         if (priv->flags == 0 || (priv->flags & ~NFTA_FIB_F_ALL))
  78                 return -EINVAL;
  79
  80         if ((priv->flags & (NFTA_FIB_F_SADDR | NFTA_FIB_F_DADDR)) ==
  81                            (NFTA_FIB_F_SADDR | NFTA_FIB_F_DADDR))
  82                 return -EINVAL;
  83         if ((priv->flags & (NFTA_FIB_F_IIF | NFTA_FIB_F_OIF)) ==
  84                            (NFTA_FIB_F_IIF | NFTA_FIB_F_OIF))
  85                 return -EINVAL;
  86         if ((priv->flags & (NFTA_FIB_F_SADDR | NFTA_FIB_F_DADDR)) == 0)
  87                 return -EINVAL;
  88
  89         priv->result = ntohl(nla_get_be32(tb[NFTA_FIB_RESULT]));
  90         priv->dreg = nft_parse_register(tb[NFTA_FIB_DREG]);
  91
  92         switch (priv->result) {
  93         case NFT_FIB_RESULT_OIF:
  94                 if (priv->flags & NFTA_FIB_F_OIF)
  95                         return -EINVAL;
  96                 len = sizeof(int);
  97                 break;
  98         case NFT_FIB_RESULT_OIFNAME:
  99                 if (priv->flags & NFTA_FIB_F_OIF)
 100                         return -EINVAL;
 101                 len = IFNAMSIZ;
 102                 break;
 103         case NFT_FIB_RESULT_ADDRTYPE:
 104                 len = sizeof(u32);
 105                 break;
 106         default:
 107                 return -EINVAL;
 108         }
 109
 110         err = nft_validate_register_store(ctx, priv->dreg, NULL,
 111                                           NFT_DATA_VALUE, len);
 112         if (err < 0)
 113                 return err;
 114
 115         return nft_fib_validate(ctx, expr, NULL);
 116 }
 117 EXPORT_SYMBOL_GPL(nft_fib_init);
 118
 119 int nft_fib_dump(struct sk_buff *skb, const struct nft_expr *expr)
 120 {
 121         const struct nft_fib *priv = nft_expr_priv(expr);
 122
 123         if (nft_dump_register(skb, NFTA_FIB_DREG, priv->dreg))
 124                 return -1;
 125
 126         if (nla_put_be32(skb, NFTA_FIB_RESULT, htonl(priv->result)))
 127                 return -1;
 128
 129         if (nla_put_be32(skb, NFTA_FIB_FLAGS, htonl(priv->flags)))
 130                 return -1;
 131
 132         return 0;
 133 }
 134 EXPORT_SYMBOL_GPL(nft_fib_dump);
 135
 136 void nft_fib_store_result(void *reg, enum nft_fib_result r,
 137                           const struct nft_pktinfo *pkt, int index)
 138 {
 139         struct net_device *dev;
 140         u32 *dreg = reg;
 141
 142         switch (r) {
 143         case NFT_FIB_RESULT_OIF:
 144                 *dreg = index;
 145                 break;
 146         case NFT_FIB_RESULT_OIFNAME:
 147                 dev = dev_get_by_index_rcu(nft_net(pkt), index);
 148                 strncpy(reg, dev ? dev->name : "", IFNAMSIZ);
 149                 break;
 150         default:
 151                 WARN_ON_ONCE(1);
 152                 *dreg = 0;
 153                 break;
 154         }
 155 }
 156 EXPORT_SYMBOL_GPL(nft_fib_store_result);
 157
 158 MODULE_LICENSE("GPL");
 159 MODULE_AUTHOR("Florian Westphal <fw@strlen.de>");