[linux-2.6-block.git] / net / ipv4 / netfilter / nft_fib_ipv4.c

// SPDX-License-Identifier: GPL-2.0-only

#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/module.h>
#include <linux/netlink.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables_core.h>
#include <net/netfilter/nf_tables.h>
#include <net/netfilter/nft_fib.h>

#include <net/ip_fib.h>
#include <net/route.h>

/* don't try to find route from mcast/bcast/zeronet */
static __be32 get_saddr(__be32 addr)
{
	if (ipv4_is_multicast(addr) || ipv4_is_lbcast(addr) ||
	    ipv4_is_zeronet(addr))
		return 0;
	return addr;
}

#define DSCP_BITS     0xfc

void nft_fib4_eval_type(const struct nft_expr *expr, struct nft_regs *regs,
			const struct nft_pktinfo *pkt)
{
	const struct nft_fib *priv = nft_expr_priv(expr);
	int noff = skb_network_offset(pkt->skb);
	u32 *dst = &regs->data[priv->dreg];
	const struct net_device *dev = NULL;
	struct iphdr *iph, _iph;
	__be32 addr;

	if (priv->flags & NFTA_FIB_F_IIF)
		dev = nft_in(pkt);
	else if (priv->flags & NFTA_FIB_F_OIF)
		dev = nft_out(pkt);

	iph = skb_header_pointer(pkt->skb, noff, sizeof(_iph), &_iph);
	if (!iph) {
		regs->verdict.code = NFT_BREAK;
		return;
	}

	if (priv->flags & NFTA_FIB_F_DADDR)
		addr = iph->daddr;
	else
		addr = iph->saddr;

	*dst = inet_dev_addr_type(nft_net(pkt), dev, addr);
}
EXPORT_SYMBOL_GPL(nft_fib4_eval_type);

void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs,
		   const struct nft_pktinfo *pkt)
{
	const struct nft_fib *priv = nft_expr_priv(expr);
	int noff = skb_network_offset(pkt->skb);
	u32 *dest = &regs->data[priv->dreg];
	struct iphdr *iph, _iph;
	struct fib_result res;
	struct flowi4 fl4 = {
		.flowi4_scope = RT_SCOPE_UNIVERSE,
		.flowi4_iif = LOOPBACK_IFINDEX,
	};
	const struct net_device *oif;
	const struct net_device *found;

	/*
	 * Do not set flowi4_oif, it restricts results (for example, asking
	 * for oif 3 will get RTN_UNICAST result even if the daddr exits
	 * on another interface.
	 *
	 * Search results for the desired outinterface instead.
	 */
	if (priv->flags & NFTA_FIB_F_OIF)
		oif = nft_out(pkt);
	else if (priv->flags & NFTA_FIB_F_IIF)
		oif = nft_in(pkt);
	else
		oif = NULL;

	if (nft_hook(pkt) == NF_INET_PRE_ROUTING &&
	    nft_fib_is_loopback(pkt->skb, nft_in(pkt))) {
		nft_fib_store_result(dest, priv, nft_in(pkt));
		return;
	}

	iph = skb_header_pointer(pkt->skb, noff, sizeof(_iph), &_iph);
	if (!iph) {
		regs->verdict.code = NFT_BREAK;
		return;
	}

	if (ipv4_is_zeronet(iph->saddr)) {
		if (ipv4_is_lbcast(iph->daddr) ||
		    ipv4_is_local_multicast(iph->daddr)) {
			nft_fib_store_result(dest, priv, pkt->skb->dev);
			return;
		}
	}

	if (priv->flags & NFTA_FIB_F_MARK)
		fl4.flowi4_mark = pkt->skb->mark;

	fl4.flowi4_tos = iph->tos & DSCP_BITS;

	if (priv->flags & NFTA_FIB_F_DADDR) {
		fl4.daddr = iph->daddr;
		fl4.saddr = get_saddr(iph->saddr);
	} else {
		fl4.daddr = iph->saddr;
		fl4.saddr = get_saddr(iph->daddr);
	}

	*dest = 0;

	if (fib_lookup(nft_net(pkt), &fl4, &res, FIB_LOOKUP_IGNORE_LINKSTATE))
		return;

	switch (res.type) {
	case RTN_UNICAST:
		break;
	case RTN_LOCAL: /* Should not see RTN_LOCAL here */
		return;
	default:
		break;
	}

       if (!oif) {
               found = FIB_RES_DEV(res);
	} else {
		if (!fib_info_nh_uses_dev(res.fi, oif))
			return;

		found = oif;
	}

	nft_fib_store_result(dest, priv, found);
}
EXPORT_SYMBOL_GPL(nft_fib4_eval);

static struct nft_expr_type nft_fib4_type;

static const struct nft_expr_ops nft_fib4_type_ops = {
	.type		= &nft_fib4_type,
	.size		= NFT_EXPR_SIZE(sizeof(struct nft_fib)),
	.eval		= nft_fib4_eval_type,
	.init		= nft_fib_init,
	.dump		= nft_fib_dump,
	.validate	= nft_fib_validate,
};

static const struct nft_expr_ops nft_fib4_ops = {
	.type		= &nft_fib4_type,
	.size		= NFT_EXPR_SIZE(sizeof(struct nft_fib)),
	.eval		= nft_fib4_eval,
	.init		= nft_fib_init,
	.dump		= nft_fib_dump,
	.validate	= nft_fib_validate,
};

static const struct nft_expr_ops *
nft_fib4_select_ops(const struct nft_ctx *ctx,
		    const struct nlattr * const tb[])
{
	enum nft_fib_result result;

	if (!tb[NFTA_FIB_RESULT])
		return ERR_PTR(-EINVAL);

	result = ntohl(nla_get_be32(tb[NFTA_FIB_RESULT]));

	switch (result) {
	case NFT_FIB_RESULT_OIF:
		return &nft_fib4_ops;
	case NFT_FIB_RESULT_OIFNAME:
		return &nft_fib4_ops;
	case NFT_FIB_RESULT_ADDRTYPE:
		return &nft_fib4_type_ops;
	default:
		return ERR_PTR(-EOPNOTSUPP);
	}
}

static struct nft_expr_type nft_fib4_type __read_mostly = {
	.name		= "fib",
	.select_ops	= nft_fib4_select_ops,
	.policy		= nft_fib_policy,
	.maxattr	= NFTA_FIB_MAX,
	.family		= NFPROTO_IPV4,
	.owner		= THIS_MODULE,
};

static int __init nft_fib4_module_init(void)
{
	return nft_register_expr(&nft_fib4_type);
}

static void __exit nft_fib4_module_exit(void)
{
	nft_unregister_expr(&nft_fib4_type);
}

module_init(nft_fib4_module_init);
module_exit(nft_fib4_module_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Florian Westphal <fw@strlen.de>");
MODULE_ALIAS_NFT_AF_EXPR(2, "fib");
Commit	Line	Data
d2912cb1	1	// SPDX-License-Identifier: GPL-2.0-only
f6d0cbcf FW	2
	3	#include <linux/kernel.h>
	4	#include <linux/init.h>
	5	#include <linux/module.h>
	6	#include <linux/netlink.h>
	7	#include <linux/netfilter.h>
	8	#include <linux/netfilter/nf_tables.h>
	9	#include <net/netfilter/nf_tables_core.h>
	10	#include <net/netfilter/nf_tables.h>
	11	#include <net/netfilter/nft_fib.h>
	12
	13	#include <net/ip_fib.h>
	14	#include <net/route.h>
	15
	16	/* don't try to find route from mcast/bcast/zeronet */
	17	static __be32 get_saddr(__be32 addr)
	18	{
	19	if (ipv4_is_multicast(addr) \|\| ipv4_is_lbcast(addr) \|\|
	20	ipv4_is_zeronet(addr))
	21	return 0;
	22	return addr;
	23	}
	24
f6d0cbcf FW	25	#define DSCP_BITS 0xfc
	26
	27	void nft_fib4_eval_type(const struct nft_expr expr, struct nft_regs regs,
	28	const struct nft_pktinfo *pkt)
	29	{
	30	const struct nft_fib *priv = nft_expr_priv(expr);
f347ec85	31	int noff = skb_network_offset(pkt->skb);
f6d0cbcf FW	32	u32 *dst = &regs->data[priv->dreg];
f6d0cbcf FW	33	const struct net_device *dev = NULL;
f347ec85	34	struct iphdr *iph, _iph;
f6d0cbcf FW	35	__be32 addr;
	36
	37	if (priv->flags & NFTA_FIB_F_IIF)
0e5a1c7e	38	dev = nft_in(pkt);
f6d0cbcf	39	else if (priv->flags & NFTA_FIB_F_OIF)
0e5a1c7e	40	dev = nft_out(pkt);
f6d0cbcf	41
f347ec85 PBG	42	iph = skb_header_pointer(pkt->skb, noff, sizeof(_iph), &_iph);
	43	if (!iph) {
	44	regs->verdict.code = NFT_BREAK;
	45	return;
	46	}
	47
f6d0cbcf FW	48	if (priv->flags & NFTA_FIB_F_DADDR)
	49	addr = iph->daddr;
	50	else
	51	addr = iph->saddr;
	52
0e5a1c7e	53	*dst = inet_dev_addr_type(nft_net(pkt), dev, addr);
f6d0cbcf FW	54	}
	55	EXPORT_SYMBOL_GPL(nft_fib4_eval_type);
	56
f6d0cbcf FW	57	void nft_fib4_eval(const struct nft_expr expr, struct nft_regs regs,
	58	const struct nft_pktinfo *pkt)
	59	{
	60	const struct nft_fib *priv = nft_expr_priv(expr);
f347ec85	61	int noff = skb_network_offset(pkt->skb);
f6d0cbcf	62	u32 *dest = &regs->data[priv->dreg];
f347ec85	63	struct iphdr *iph, _iph;
f6d0cbcf FW	64	struct fib_result res;
	65	struct flowi4 fl4 = {
	66	.flowi4_scope = RT_SCOPE_UNIVERSE,
	67	.flowi4_iif = LOOPBACK_IFINDEX,
	68	};
	69	const struct net_device *oif;
9f18b6b6	70	const struct net_device *found;
f6d0cbcf FW	71
	72	/*
	73	* Do not set flowi4_oif, it restricts results (for example, asking
	74	* for oif 3 will get RTN_UNICAST result even if the daddr exits
	75	* on another interface.
	76	*
	77	* Search results for the desired outinterface instead.
	78	*/
	79	if (priv->flags & NFTA_FIB_F_OIF)
0e5a1c7e	80	oif = nft_out(pkt);
f6d0cbcf	81	else if (priv->flags & NFTA_FIB_F_IIF)
0e5a1c7e	82	oif = nft_in(pkt);
f6d0cbcf FW	83	else
	84	oif = NULL;
	85
6443ebc3 LZ	86	if (nft_hook(pkt) == NF_INET_PRE_ROUTING &&
6443ebc3 LZ	87	nft_fib_is_loopback(pkt->skb, nft_in(pkt))) {
e633508a	88	nft_fib_store_result(dest, priv, nft_in(pkt));
f6d0cbcf FW	89	return;
	90	}
	91
f347ec85 PBG	92	iph = skb_header_pointer(pkt->skb, noff, sizeof(_iph), &_iph);
	93	if (!iph) {
	94	regs->verdict.code = NFT_BREAK;
	95	return;
	96	}
	97
3b760dcb LZ	98	if (ipv4_is_zeronet(iph->saddr)) {
	99	if (ipv4_is_lbcast(iph->daddr) \|\|
	100	ipv4_is_local_multicast(iph->daddr)) {
e633508a	101	nft_fib_store_result(dest, priv, pkt->skb->dev);
3b760dcb LZ	102	return;
3b760dcb LZ	103	}
f6d0cbcf FW	104	}
	105
	106	if (priv->flags & NFTA_FIB_F_MARK)
	107	fl4.flowi4_mark = pkt->skb->mark;
	108
	109	fl4.flowi4_tos = iph->tos & DSCP_BITS;
	110
	111	if (priv->flags & NFTA_FIB_F_DADDR) {
	112	fl4.daddr = iph->daddr;
	113	fl4.saddr = get_saddr(iph->saddr);
	114	} else {
	115	fl4.daddr = iph->saddr;
	116	fl4.saddr = get_saddr(iph->daddr);
	117	}
	118
e0ffdbc7 LZ	119	*dest = 0;
e0ffdbc7 LZ	120
0e5a1c7e	121	if (fib_lookup(nft_net(pkt), &fl4, &res, FIB_LOOKUP_IGNORE_LINKSTATE))
f6d0cbcf FW	122	return;
	123
	124	switch (res.type) {
	125	case RTN_UNICAST:
	126	break;
6443ebc3	127	case RTN_LOCAL: /* Should not see RTN_LOCAL here */
f6d0cbcf FW	128	return;
	129	default:
	130	break;
	131	}
	132
	133	if (!oif) {
	134	found = FIB_RES_DEV(res);
9f18b6b6 DA	135	} else {
	136	if (!fib_info_nh_uses_dev(res.fi, oif))
	137	return;
f6d0cbcf	138
9f18b6b6	139	found = oif;
f6d0cbcf	140	}
9f18b6b6	141
e633508a	142	nft_fib_store_result(dest, priv, found);
f6d0cbcf FW	143	}
	144	EXPORT_SYMBOL_GPL(nft_fib4_eval);
	145
	146	static struct nft_expr_type nft_fib4_type;
	147
	148	static const struct nft_expr_ops nft_fib4_type_ops = {
	149	.type = &nft_fib4_type,
	150	.size = NFT_EXPR_SIZE(sizeof(struct nft_fib)),
	151	.eval = nft_fib4_eval_type,
	152	.init = nft_fib_init,
	153	.dump = nft_fib_dump,
	154	.validate = nft_fib_validate,
	155	};
	156
	157	static const struct nft_expr_ops nft_fib4_ops = {
	158	.type = &nft_fib4_type,
	159	.size = NFT_EXPR_SIZE(sizeof(struct nft_fib)),
	160	.eval = nft_fib4_eval,
	161	.init = nft_fib_init,
	162	.dump = nft_fib_dump,
	163	.validate = nft_fib_validate,
	164	};
	165
	166	static const struct nft_expr_ops *
	167	nft_fib4_select_ops(const struct nft_ctx *ctx,
	168	const struct nlattr * const tb[])
	169	{
	170	enum nft_fib_result result;
	171
	172	if (!tb[NFTA_FIB_RESULT])
	173	return ERR_PTR(-EINVAL);
	174
11583438	175	result = ntohl(nla_get_be32(tb[NFTA_FIB_RESULT]));
f6d0cbcf FW	176
	177	switch (result) {
	178	case NFT_FIB_RESULT_OIF:
	179	return &nft_fib4_ops;
	180	case NFT_FIB_RESULT_OIFNAME:
	181	return &nft_fib4_ops;
	182	case NFT_FIB_RESULT_ADDRTYPE:
	183	return &nft_fib4_type_ops;
	184	default:
	185	return ERR_PTR(-EOPNOTSUPP);
	186	}
	187	}
	188
	189	static struct nft_expr_type nft_fib4_type __read_mostly = {
	190	.name = "fib",
d4ef3835	191	.select_ops = nft_fib4_select_ops,
f6d0cbcf FW	192	.policy = nft_fib_policy,
	193	.maxattr = NFTA_FIB_MAX,
	194	.family = NFPROTO_IPV4,
	195	.owner = THIS_MODULE,
	196	};
	197
	198	static int __init nft_fib4_module_init(void)
	199	{
	200	return nft_register_expr(&nft_fib4_type);
	201	}
	202
	203	static void __exit nft_fib4_module_exit(void)
	204	{
	205	nft_unregister_expr(&nft_fib4_type);
	206	}
	207
	208	module_init(nft_fib4_module_init);
	209	module_exit(nft_fib4_module_exit);
	210	MODULE_LICENSE("GPL");
	211	MODULE_AUTHOR("Florian Westphal <fw@strlen.de>");
	212	MODULE_ALIAS_NFT_AF_EXPR(2, "fib");