d2912cb1 | 1 | // SPDX-License-Identifier: GPL-2.0-only |
2 | |
3 | #include <linux/kernel.h> | |
4 | #include <linux/init.h> | |
5 | #include <linux/module.h> | |
6 | #include <linux/netlink.h> | |
7 | #include <linux/netfilter.h> | |
8 | #include <linux/netfilter/nf_tables.h> | |
9 | #include <net/netfilter/nf_tables_core.h> | |
10 | #include <net/netfilter/nf_tables.h> | |
11 | #include <net/netfilter/nft_fib.h> | |
12 | ||
13 | #include <net/ip_fib.h> | |
14 | #include <net/route.h> | |
15 | ||
/*
 * Source address to use for the FIB lookup.
 *
 * Multicast, limited-broadcast and zeronet addresses are never a usable
 * route source, so they are mapped to 0 (unspecified) and the lookup is
 * not constrained by them; any other address is passed through unchanged.
 */
static __be32 get_saddr(__be32 addr)
{
	bool unroutable_src = ipv4_is_multicast(addr) ||
			      ipv4_is_lbcast(addr) ||
			      ipv4_is_zeronet(addr);

	return unroutable_src ? 0 : addr;
}
24 | ||
/* Mask keeping the six DSCP bits of iph->tos; the two low (ECN) bits are dropped. */
#define DSCP_BITS 0xfc
26 | ||
/*
 * Evaluate "fib ... type" for IPv4.
 *
 * Classifies the packet's source address (or destination address when
 * NFTA_FIB_F_DADDR is set) with inet_dev_addr_type() and writes the
 * resulting address type into the destination register priv->dreg.
 * NFTA_FIB_F_IIF / NFTA_FIB_F_OIF scope the classification to the input
 * or output device; without either flag dev is NULL (unscoped).
 *
 * If the packet is too short to hold an IPv4 header the rule evaluation
 * is terminated with NFT_BREAK.
 */
void nft_fib4_eval_type(const struct nft_expr *expr, struct nft_regs *regs,
			const struct nft_pktinfo *pkt)
{
	const struct nft_fib *priv = nft_expr_priv(expr);
	int nhoff = skb_network_offset(pkt->skb);
	const struct net_device *dev = NULL;
	struct iphdr *iph, _iph;
	__be32 addr;

	if (priv->flags & NFTA_FIB_F_IIF)
		dev = nft_in(pkt);
	else if (priv->flags & NFTA_FIB_F_OIF)
		dev = nft_out(pkt);

	/* Header may not be linear; skb_header_pointer() copies into _iph then. */
	iph = skb_header_pointer(pkt->skb, nhoff, sizeof(_iph), &_iph);
	if (!iph) {
		regs->verdict.code = NFT_BREAK;
		return;
	}

	addr = (priv->flags & NFTA_FIB_F_DADDR) ? iph->daddr : iph->saddr;

	regs->data[priv->dreg] = inet_dev_addr_type(nft_net(pkt), dev, addr);
}
EXPORT_SYMBOL_GPL(nft_fib4_eval_type);
56 | ||
/*
 * Evaluate "fib ... oif" / "fib ... oifname" for IPv4.
 *
 * Performs a FIB lookup keyed on the packet's source address (reverse
 * path; the default) or on its destination address (NFTA_FIB_F_DADDR)
 * and hands the matching net_device to nft_fib_store_result(), which
 * fills the destination register priv->dreg.  If the lookup fails, hits
 * a local route, or its result does not use the interface requested via
 * NFTA_FIB_F_OIF / NFTA_FIB_F_IIF, the register is left at 0.
 *
 * Packets too short to carry an IPv4 header end rule evaluation with
 * NFT_BREAK.
 */
void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs,
		   const struct nft_pktinfo *pkt)
{
	const struct nft_fib *priv = nft_expr_priv(expr);
	int nhoff = skb_network_offset(pkt->skb);
	u32 *dst = &regs->data[priv->dreg];
	const struct net_device *oif = NULL;
	const struct net_device *found;
	struct iphdr *iph, _iph;
	struct fib_result res;
	struct flowi4 fl4 = {
		.flowi4_scope = RT_SCOPE_UNIVERSE,
		.flowi4_iif = LOOPBACK_IFINDEX,
		.flowi4_uid = sock_net_uid(nft_net(pkt), NULL),
	};

	/*
	 * flowi4_oif is deliberately left unset: constraining the lookup to
	 * an oif still yields an RTN_UNICAST result when the daddr actually
	 * exits via another interface.  The requested interface is instead
	 * compared against the lookup result further down.
	 */
	if (priv->flags & NFTA_FIB_F_OIF)
		oif = nft_out(pkt);
	else if (priv->flags & NFTA_FIB_F_IIF)
		oif = nft_in(pkt);

	if (priv->flags & NFTA_FIB_F_IIF)
		fl4.flowi4_l3mdev = l3mdev_master_ifindex_rcu(oif);

	/* Loopback traffic seen in prerouting: report the input device directly. */
	if (nft_hook(pkt) == NF_INET_PRE_ROUTING &&
	    nft_fib_is_loopback(pkt->skb, nft_in(pkt))) {
		nft_fib_store_result(dst, priv, nft_in(pkt));
		return;
	}

	/* Header may not be linear; skb_header_pointer() copies into _iph then. */
	iph = skb_header_pointer(pkt->skb, nhoff, sizeof(_iph), &_iph);
	if (!iph) {
		regs->verdict.code = NFT_BREAK;
		return;
	}

	/*
	 * 0.0.0.0 -> limited broadcast / link-local multicast (typical of
	 * DHCP discovery): skip the FIB lookup and report the receiving device.
	 */
	if (ipv4_is_zeronet(iph->saddr) &&
	    (ipv4_is_lbcast(iph->daddr) ||
	     ipv4_is_local_multicast(iph->daddr))) {
		nft_fib_store_result(dst, priv, pkt->skb->dev);
		return;
	}

	if (priv->flags & NFTA_FIB_F_MARK)
		fl4.flowi4_mark = pkt->skb->mark;

	/* Only the DSCP part of TOS participates in the lookup. */
	fl4.flowi4_tos = iph->tos & DSCP_BITS;

	if (priv->flags & NFTA_FIB_F_DADDR) {
		fl4.daddr = iph->daddr;
		fl4.saddr = get_saddr(iph->saddr);
	} else {
		/*
		 * Reverse-path lookup: route back towards the source.  In the
		 * forward hook, an IIF query is keyed on the output device's
		 * ifindex.
		 */
		if (nft_hook(pkt) == NF_INET_FORWARD &&
		    priv->flags & NFTA_FIB_F_IIF)
			fl4.flowi4_iif = nft_out(pkt)->ifindex;

		fl4.daddr = iph->saddr;
		fl4.saddr = get_saddr(iph->daddr);
	}

	/* Every early return below leaves the destination register cleared. */
	*dst = 0;

	if (fib_lookup(nft_net(pkt), &fl4, &res, FIB_LOOKUP_IGNORE_LINKSTATE))
		return;

	/* RTN_LOCAL is not expected here; treat it as "no match". */
	if (res.type == RTN_LOCAL)
		return;

	if (oif) {
		/* The requested device must actually carry a nexthop of the result. */
		if (!fib_info_nh_uses_dev(res.fi, oif))
			return;
		found = oif;
	} else {
		found = FIB_RES_DEV(res);
	}

	nft_fib_store_result(dst, priv, found);
}
EXPORT_SYMBOL_GPL(nft_fib4_eval);
152 | ||
/* Forward declaration: the ops tables below refer back to the type. */
static struct nft_expr_type nft_fib4_type;
154 | ||
/* Ops for "fib ... type": address-type classification (nft_fib4_eval_type). */
static const struct nft_expr_ops nft_fib4_type_ops = {
	.type = &nft_fib4_type,
	.size = NFT_EXPR_SIZE(sizeof(struct nft_fib)),
	.eval = nft_fib4_eval_type,
	.init = nft_fib_init,
	.dump = nft_fib_dump,
	.validate = nft_fib_validate,
	.reduce = nft_fib_reduce,
};
164 | ||
/* Ops for "fib ... oif" / "fib ... oifname": route lookup (nft_fib4_eval). */
static const struct nft_expr_ops nft_fib4_ops = {
	.type = &nft_fib4_type,
	.size = NFT_EXPR_SIZE(sizeof(struct nft_fib)),
	.eval = nft_fib4_eval,
	.init = nft_fib_init,
	.dump = nft_fib_dump,
	.validate = nft_fib_validate,
	.reduce = nft_fib_reduce,
};
174 | ||
/*
 * Choose the ops implementation from the NFTA_FIB_RESULT attribute.
 *
 * OIF and OIFNAME both use the route-lookup evaluator (nft_fib4_ops);
 * ADDRTYPE uses the address-type evaluator (nft_fib4_type_ops).
 * Returns ERR_PTR(-EINVAL) when the attribute is absent and
 * ERR_PTR(-EOPNOTSUPP) for any other result kind.
 */
static const struct nft_expr_ops *
nft_fib4_select_ops(const struct nft_ctx *ctx,
		    const struct nlattr * const tb[])
{
	const struct nlattr *attr = tb[NFTA_FIB_RESULT];
	enum nft_fib_result result;

	if (!attr)
		return ERR_PTR(-EINVAL);

	result = ntohl(nla_get_be32(attr));

	switch (result) {
	case NFT_FIB_RESULT_OIF:
	case NFT_FIB_RESULT_OIFNAME:
		return &nft_fib4_ops;
	case NFT_FIB_RESULT_ADDRTYPE:
		return &nft_fib4_type_ops;
	default:
		return ERR_PTR(-EOPNOTSUPP);
	}
}
197 | ||
/* The IPv4 "fib" expression type; ops are picked per rule by nft_fib4_select_ops(). */
static struct nft_expr_type nft_fib4_type __read_mostly = {
	.name = "fib",
	.select_ops = nft_fib4_select_ops,
	.policy = nft_fib_policy,
	.maxattr = NFTA_FIB_MAX,
	.family = NFPROTO_IPV4,
	.owner = THIS_MODULE,
};
206 | ||
/* Register the IPv4 "fib" expression with nf_tables on module load. */
static int __init nft_fib4_module_init(void)
{
	int err = nft_register_expr(&nft_fib4_type);

	return err;
}
211 | ||
/* Unregister the IPv4 "fib" expression on module removal. */
static void __exit nft_fib4_module_exit(void)
{
	struct nft_expr_type *type = &nft_fib4_type;

	nft_unregister_expr(type);
}
216 | ||
module_init(nft_fib4_module_init);
module_exit(nft_fib4_module_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Florian Westphal <fw@strlen.de>");
/* Auto-load for "fib" expressions in family 2 (NFPROTO_IPV4). */
MODULE_ALIAS_NFT_AF_EXPR(2, "fib");
MODULE_DESCRIPTION("nftables fib / ip route lookup support");