[linux-2.6-block.git] / net / netfilter / nf_dup_netdev.c

// SPDX-License-Identifier: GPL-2.0-only
/*
 * Copyright (c) 2015 Pablo Neira Ayuso <pablo@netfilter.org>
 */

#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/module.h>
#include <linux/netlink.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables_offload.h>
#include <net/netfilter/nf_dup_netdev.h>

#define NF_RECURSION_LIMIT	2

static DEFINE_PER_CPU(u8, nf_dup_skb_recursion);

static void nf_do_netdev_egress(struct sk_buff *skb, struct net_device *dev,
				enum nf_dev_hooks hook)
{
	if (__this_cpu_read(nf_dup_skb_recursion) > NF_RECURSION_LIMIT)
		goto err;

	if (hook == NF_NETDEV_INGRESS && skb_mac_header_was_set(skb)) {
		if (skb_cow_head(skb, skb->mac_len))
			goto err;

		skb_push(skb, skb->mac_len);
	}

	skb->dev = dev;
	skb_clear_tstamp(skb);
	__this_cpu_inc(nf_dup_skb_recursion);
	dev_queue_xmit(skb);
	__this_cpu_dec(nf_dup_skb_recursion);
	return;
err:
	kfree_skb(skb);
}

void nf_fwd_netdev_egress(const struct nft_pktinfo *pkt, int oif)
{
	struct net_device *dev;

	dev = dev_get_by_index_rcu(nft_net(pkt), oif);
	if (!dev) {
		kfree_skb(pkt->skb);
		return;
	}

	nf_do_netdev_egress(pkt->skb, dev, nft_hook(pkt));
}
EXPORT_SYMBOL_GPL(nf_fwd_netdev_egress);

void nf_dup_netdev_egress(const struct nft_pktinfo *pkt, int oif)
{
	struct net_device *dev;
	struct sk_buff *skb;

	dev = dev_get_by_index_rcu(nft_net(pkt), oif);
	if (dev == NULL)
		return;

	skb = skb_clone(pkt->skb, GFP_ATOMIC);
	if (skb)
		nf_do_netdev_egress(skb, dev, nft_hook(pkt));
}
EXPORT_SYMBOL_GPL(nf_dup_netdev_egress);

int nft_fwd_dup_netdev_offload(struct nft_offload_ctx *ctx,
			       struct nft_flow_rule *flow,
			       enum flow_action_id id, int oif)
{
	struct flow_action_entry *entry;
	struct net_device *dev;

	/* nft_flow_rule_destroy() releases the reference on this device. */
	dev = dev_get_by_index(ctx->net, oif);
	if (!dev)
		return -EOPNOTSUPP;

	entry = &flow->rule->action.entries[ctx->num_actions++];
	entry->id = id;
	entry->dev = dev;

	return 0;
}
EXPORT_SYMBOL_GPL(nft_fwd_dup_netdev_offload);

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
MODULE_DESCRIPTION("Netfilter packet duplication support");
Commit	Line	Data
d2912cb1	1	// SPDX-License-Identifier: GPL-2.0-only
502061f8 PNA	2	/*
502061f8 PNA	3	* Copyright (c) 2015 Pablo Neira Ayuso <pablo@netfilter.org>
502061f8 PNA	4	*/
	5
	6	#include <linux/kernel.h>
	7	#include <linux/init.h>
	8	#include <linux/module.h>
	9	#include <linux/netlink.h>
	10	#include <linux/netfilter.h>
	11	#include <linux/netfilter/nf_tables.h>
	12	#include <net/netfilter/nf_tables.h>
be2861dc	13	#include <net/netfilter/nf_tables_offload.h>
a32770b1	14	#include <net/netfilter/nf_dup_netdev.h>
502061f8	15
fcd53c51 FW	16	#define NF_RECURSION_LIMIT 2
	17
	18	static DEFINE_PER_CPU(u8, nf_dup_skb_recursion);
	19
574a5b85 FW	20	static void nf_do_netdev_egress(struct sk_buff skb, struct net_device dev,
574a5b85 FW	21	enum nf_dev_hooks hook)
3bf32761	22	{
fcd53c51 FW	23	if (__this_cpu_read(nf_dup_skb_recursion) > NF_RECURSION_LIMIT)
	24	goto err;
	25
574a5b85	26	if (hook == NF_NETDEV_INGRESS && skb_mac_header_was_set(skb)) {
fcd53c51 FW	27	if (skb_cow_head(skb, skb->mac_len))
	28	goto err;
	29
3bf32761	30	skb_push(skb, skb->mac_len);
574a5b85	31	}
3bf32761 FW	32
3bf32761 FW	33	skb->dev = dev;
de799101	34	skb_clear_tstamp(skb);
fcd53c51	35	__this_cpu_inc(nf_dup_skb_recursion);
3bf32761	36	dev_queue_xmit(skb);
fcd53c51 FW	37	__this_cpu_dec(nf_dup_skb_recursion);
	38	return;
	39	err:
	40	kfree_skb(skb);
3bf32761 FW	41	}
	42
	43	void nf_fwd_netdev_egress(const struct nft_pktinfo *pkt, int oif)
	44	{
	45	struct net_device *dev;
	46
	47	dev = dev_get_by_index_rcu(nft_net(pkt), oif);
	48	if (!dev) {
	49	kfree_skb(pkt->skb);
	50	return;
	51	}
	52
574a5b85	53	nf_do_netdev_egress(pkt->skb, dev, nft_hook(pkt));
3bf32761 FW	54	}
	55	EXPORT_SYMBOL_GPL(nf_fwd_netdev_egress);
	56
502061f8 PNA	57	void nf_dup_netdev_egress(const struct nft_pktinfo *pkt, int oif)
	58	{
	59	struct net_device *dev;
	60	struct sk_buff *skb;
	61
0e5a1c7e	62	dev = dev_get_by_index_rcu(nft_net(pkt), oif);
502061f8 PNA	63	if (dev == NULL)
	64	return;
	65
	66	skb = skb_clone(pkt->skb, GFP_ATOMIC);
3bf32761	67	if (skb)
574a5b85	68	nf_do_netdev_egress(skb, dev, nft_hook(pkt));
502061f8 PNA	69	}
	70	EXPORT_SYMBOL_GPL(nf_dup_netdev_egress);
	71
be2861dc PNA	72	int nft_fwd_dup_netdev_offload(struct nft_offload_ctx *ctx,
	73	struct nft_flow_rule *flow,
	74	enum flow_action_id id, int oif)
	75	{
	76	struct flow_action_entry *entry;
	77	struct net_device *dev;
	78
	79	/* nft_flow_rule_destroy() releases the reference on this device. */
	80	dev = dev_get_by_index(ctx->net, oif);
	81	if (!dev)
	82	return -EOPNOTSUPP;
	83
	84	entry = &flow->rule->action.entries[ctx->num_actions++];
	85	entry->id = id;
	86	entry->dev = dev;
	87
	88	return 0;
	89	}
	90	EXPORT_SYMBOL_GPL(nft_fwd_dup_netdev_offload);
	91
502061f8 PNA	92	MODULE_LICENSE("GPL");
502061f8 PNA	93	MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
4cacc395	94	MODULE_DESCRIPTION("Netfilter packet duplication support");