[linux-block.git] / net / netfilter / nft_fib.c

// SPDX-License-Identifier: GPL-2.0-only
/*
 *
 * Generic part shared by ipv4 and ipv6 backends.
 */

#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/module.h>
#include <linux/netlink.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables_core.h>
#include <net/netfilter/nf_tables.h>
#include <net/netfilter/nft_fib.h>

#define NFTA_FIB_F_ALL (NFTA_FIB_F_SADDR | NFTA_FIB_F_DADDR | \
			NFTA_FIB_F_MARK | NFTA_FIB_F_IIF | NFTA_FIB_F_OIF | \
			NFTA_FIB_F_PRESENT)

const struct nla_policy nft_fib_policy[NFTA_FIB_MAX + 1] = {
	[NFTA_FIB_DREG]		= { .type = NLA_U32 },
	[NFTA_FIB_RESULT]	= { .type = NLA_U32 },
	[NFTA_FIB_FLAGS]	=
		NLA_POLICY_MASK(NLA_BE32, NFTA_FIB_F_ALL),
};
EXPORT_SYMBOL(nft_fib_policy);

int nft_fib_validate(const struct nft_ctx *ctx, const struct nft_expr *expr,
		     const struct nft_data **data)
{
	const struct nft_fib *priv = nft_expr_priv(expr);
	unsigned int hooks;

	switch (priv->result) {
	case NFT_FIB_RESULT_OIF:
	case NFT_FIB_RESULT_OIFNAME:
		hooks = (1 << NF_INET_PRE_ROUTING) |
			(1 << NF_INET_LOCAL_IN) |
			(1 << NF_INET_FORWARD);
		break;
	case NFT_FIB_RESULT_ADDRTYPE:
		if (priv->flags & NFTA_FIB_F_IIF)
			hooks = (1 << NF_INET_PRE_ROUTING) |
				(1 << NF_INET_LOCAL_IN) |
				(1 << NF_INET_FORWARD);
		else if (priv->flags & NFTA_FIB_F_OIF)
			hooks = (1 << NF_INET_LOCAL_OUT) |
				(1 << NF_INET_POST_ROUTING) |
				(1 << NF_INET_FORWARD);
		else
			hooks = (1 << NF_INET_LOCAL_IN) |
				(1 << NF_INET_LOCAL_OUT) |
				(1 << NF_INET_FORWARD) |
				(1 << NF_INET_PRE_ROUTING) |
				(1 << NF_INET_POST_ROUTING);

		break;
	default:
		return -EINVAL;
	}

	return nft_chain_validate_hooks(ctx->chain, hooks);
}
EXPORT_SYMBOL_GPL(nft_fib_validate);

int nft_fib_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
		 const struct nlattr * const tb[])
{
	struct nft_fib *priv = nft_expr_priv(expr);
	unsigned int len;
	int err;

	if (!tb[NFTA_FIB_DREG] || !tb[NFTA_FIB_RESULT] || !tb[NFTA_FIB_FLAGS])
		return -EINVAL;

	priv->flags = ntohl(nla_get_be32(tb[NFTA_FIB_FLAGS]));

	if (priv->flags == 0)
		return -EINVAL;

	if ((priv->flags & (NFTA_FIB_F_SADDR | NFTA_FIB_F_DADDR)) ==
			   (NFTA_FIB_F_SADDR | NFTA_FIB_F_DADDR))
		return -EINVAL;
	if ((priv->flags & (NFTA_FIB_F_IIF | NFTA_FIB_F_OIF)) ==
			   (NFTA_FIB_F_IIF | NFTA_FIB_F_OIF))
		return -EINVAL;
	if ((priv->flags & (NFTA_FIB_F_SADDR | NFTA_FIB_F_DADDR)) == 0)
		return -EINVAL;

	priv->result = ntohl(nla_get_be32(tb[NFTA_FIB_RESULT]));

	switch (priv->result) {
	case NFT_FIB_RESULT_OIF:
		if (priv->flags & NFTA_FIB_F_OIF)
			return -EINVAL;
		len = sizeof(int);
		break;
	case NFT_FIB_RESULT_OIFNAME:
		if (priv->flags & NFTA_FIB_F_OIF)
			return -EINVAL;
		len = IFNAMSIZ;
		break;
	case NFT_FIB_RESULT_ADDRTYPE:
		len = sizeof(u32);
		break;
	default:
		return -EINVAL;
	}

	err = nft_parse_register_store(ctx, tb[NFTA_FIB_DREG], &priv->dreg,
				       NULL, NFT_DATA_VALUE, len);
	if (err < 0)
		return err;

	return 0;
}
EXPORT_SYMBOL_GPL(nft_fib_init);

int nft_fib_dump(struct sk_buff *skb, const struct nft_expr *expr, bool reset)
{
	const struct nft_fib *priv = nft_expr_priv(expr);

	if (nft_dump_register(skb, NFTA_FIB_DREG, priv->dreg))
		return -1;

	if (nla_put_be32(skb, NFTA_FIB_RESULT, htonl(priv->result)))
		return -1;

	if (nla_put_be32(skb, NFTA_FIB_FLAGS, htonl(priv->flags)))
		return -1;

	return 0;
}
EXPORT_SYMBOL_GPL(nft_fib_dump);

void nft_fib_store_result(void *reg, const struct nft_fib *priv,
			  const struct net_device *dev)
{
	u32 *dreg = reg;
	int index;

	switch (priv->result) {
	case NFT_FIB_RESULT_OIF:
		index = dev ? dev->ifindex : 0;
		if (priv->flags & NFTA_FIB_F_PRESENT)
			nft_reg_store8(dreg, !!index);
		else
			*dreg = index;

		break;
	case NFT_FIB_RESULT_OIFNAME:
		if (priv->flags & NFTA_FIB_F_PRESENT)
			nft_reg_store8(dreg, !!dev);
		else
			strscpy_pad(reg, dev ? dev->name : "", IFNAMSIZ);
		break;
	default:
		WARN_ON_ONCE(1);
		*dreg = 0;
		break;
	}
}
EXPORT_SYMBOL_GPL(nft_fib_store_result);

bool nft_fib_reduce(struct nft_regs_track *track,
		    const struct nft_expr *expr)
{
	const struct nft_fib *priv = nft_expr_priv(expr);
	unsigned int len = NFT_REG32_SIZE;
	const struct nft_fib *fib;

	switch (priv->result) {
	case NFT_FIB_RESULT_OIF:
		break;
	case NFT_FIB_RESULT_OIFNAME:
		if (priv->flags & NFTA_FIB_F_PRESENT)
			len = NFT_REG32_SIZE;
		else
			len = IFNAMSIZ;
		break;
	case NFT_FIB_RESULT_ADDRTYPE:
	     break;
	default:
		WARN_ON_ONCE(1);
		break;
	}

	if (!nft_reg_track_cmp(track, expr, priv->dreg)) {
		nft_reg_track_update(track, expr, priv->dreg, len);
		return false;
	}

	fib = nft_expr_priv(track->regs[priv->dreg].selector);
	if (priv->result != fib->result ||
	    priv->flags != fib->flags) {
		nft_reg_track_update(track, expr, priv->dreg, len);
		return false;
	}

	if (!track->regs[priv->dreg].bitwise)
		return true;

	return false;
}
EXPORT_SYMBOL_GPL(nft_fib_reduce);

MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("Query routing table from nftables");
MODULE_AUTHOR("Florian Westphal <fw@strlen.de>");
Commit	Line	Data
d2912cb1	1	// SPDX-License-Identifier: GPL-2.0-only
f6d0cbcf	2	/*
f6d0cbcf FW	3	*
	4	* Generic part shared by ipv4 and ipv6 backends.
	5	*/
	6
	7	#include <linux/kernel.h>
	8	#include <linux/init.h>
	9	#include <linux/module.h>
	10	#include <linux/netlink.h>
	11	#include <linux/netfilter.h>
	12	#include <linux/netfilter/nf_tables.h>
	13	#include <net/netfilter/nf_tables_core.h>
	14	#include <net/netfilter/nf_tables.h>
	15	#include <net/netfilter/nft_fib.h>
	16
100a11b6 FW	17	#define NFTA_FIB_F_ALL (NFTA_FIB_F_SADDR \| NFTA_FIB_F_DADDR \| \
	18	NFTA_FIB_F_MARK \| NFTA_FIB_F_IIF \| NFTA_FIB_F_OIF \| \
	19	NFTA_FIB_F_PRESENT)
	20
f6d0cbcf FW	21	const struct nla_policy nft_fib_policy[NFTA_FIB_MAX + 1] = {
	22	[NFTA_FIB_DREG] = { .type = NLA_U32 },
	23	[NFTA_FIB_RESULT] = { .type = NLA_U32 },
100a11b6 FW	24	[NFTA_FIB_FLAGS] =
100a11b6 FW	25	NLA_POLICY_MASK(NLA_BE32, NFTA_FIB_F_ALL),
f6d0cbcf FW	26	};
	27	EXPORT_SYMBOL(nft_fib_policy);
	28
f6d0cbcf FW	29	int nft_fib_validate(const struct nft_ctx ctx, const struct nft_expr expr,
	30	const struct nft_data **data)
	31	{
	32	const struct nft_fib *priv = nft_expr_priv(expr);
	33	unsigned int hooks;
	34
	35	switch (priv->result) {
954d8297	36	case NFT_FIB_RESULT_OIF:
f6d0cbcf	37	case NFT_FIB_RESULT_OIFNAME:
e8ded22e EG	38	hooks = (1 << NF_INET_PRE_ROUTING) \|
	39	(1 << NF_INET_LOCAL_IN) \|
	40	(1 << NF_INET_FORWARD);
f6d0cbcf FW	41	break;
	42	case NFT_FIB_RESULT_ADDRTYPE:
	43	if (priv->flags & NFTA_FIB_F_IIF)
	44	hooks = (1 << NF_INET_PRE_ROUTING) \|
	45	(1 << NF_INET_LOCAL_IN) \|
	46	(1 << NF_INET_FORWARD);
	47	else if (priv->flags & NFTA_FIB_F_OIF)
	48	hooks = (1 << NF_INET_LOCAL_OUT) \|
	49	(1 << NF_INET_POST_ROUTING) \|
	50	(1 << NF_INET_FORWARD);
	51	else
	52	hooks = (1 << NF_INET_LOCAL_IN) \|
	53	(1 << NF_INET_LOCAL_OUT) \|
	54	(1 << NF_INET_FORWARD) \|
	55	(1 << NF_INET_PRE_ROUTING) \|
	56	(1 << NF_INET_POST_ROUTING);
	57
	58	break;
	59	default:
	60	return -EINVAL;
	61	}
	62
	63	return nft_chain_validate_hooks(ctx->chain, hooks);
	64	}
	65	EXPORT_SYMBOL_GPL(nft_fib_validate);
	66
	67	int nft_fib_init(const struct nft_ctx ctx, const struct nft_expr expr,
	68	const struct nlattr * const tb[])
	69	{
	70	struct nft_fib *priv = nft_expr_priv(expr);
	71	unsigned int len;
	72	int err;
	73
	74	if (!tb[NFTA_FIB_DREG] \|\| !tb[NFTA_FIB_RESULT] \|\| !tb[NFTA_FIB_FLAGS])
	75	return -EINVAL;
	76
	77	priv->flags = ntohl(nla_get_be32(tb[NFTA_FIB_FLAGS]));
	78
100a11b6	79	if (priv->flags == 0)
f6d0cbcf FW	80	return -EINVAL;
	81
	82	if ((priv->flags & (NFTA_FIB_F_SADDR \| NFTA_FIB_F_DADDR)) ==
	83	(NFTA_FIB_F_SADDR \| NFTA_FIB_F_DADDR))
	84	return -EINVAL;
	85	if ((priv->flags & (NFTA_FIB_F_IIF \| NFTA_FIB_F_OIF)) ==
	86	(NFTA_FIB_F_IIF \| NFTA_FIB_F_OIF))
	87	return -EINVAL;
	88	if ((priv->flags & (NFTA_FIB_F_SADDR \| NFTA_FIB_F_DADDR)) == 0)
	89	return -EINVAL;
	90
11583438	91	priv->result = ntohl(nla_get_be32(tb[NFTA_FIB_RESULT]));
f6d0cbcf FW	92
	93	switch (priv->result) {
	94	case NFT_FIB_RESULT_OIF:
	95	if (priv->flags & NFTA_FIB_F_OIF)
	96	return -EINVAL;
	97	len = sizeof(int);
	98	break;
	99	case NFT_FIB_RESULT_OIFNAME:
	100	if (priv->flags & NFTA_FIB_F_OIF)
	101	return -EINVAL;
	102	len = IFNAMSIZ;
	103	break;
	104	case NFT_FIB_RESULT_ADDRTYPE:
	105	len = sizeof(u32);
	106	break;
	107	default:
	108	return -EINVAL;
	109	}
	110
345023b0 PNA	111	err = nft_parse_register_store(ctx, tb[NFTA_FIB_DREG], &priv->dreg,
345023b0 PNA	112	NULL, NFT_DATA_VALUE, len);
f6d0cbcf FW	113	if (err < 0)
	114	return err;
	115
c56e3956	116	return 0;
f6d0cbcf FW	117	}
	118	EXPORT_SYMBOL_GPL(nft_fib_init);
	119
7d34aa3e	120	int nft_fib_dump(struct sk_buff skb, const struct nft_expr expr, bool reset)
f6d0cbcf FW	121	{
	122	const struct nft_fib *priv = nft_expr_priv(expr);
	123
	124	if (nft_dump_register(skb, NFTA_FIB_DREG, priv->dreg))
	125	return -1;
	126
	127	if (nla_put_be32(skb, NFTA_FIB_RESULT, htonl(priv->result)))
	128	return -1;
	129
	130	if (nla_put_be32(skb, NFTA_FIB_FLAGS, htonl(priv->flags)))
	131	return -1;
	132
	133	return 0;
	134	}
	135	EXPORT_SYMBOL_GPL(nft_fib_dump);
	136
055c4b34	137	void nft_fib_store_result(void reg, const struct nft_fib priv,
e633508a	138	const struct net_device *dev)
f6d0cbcf	139	{
f6d0cbcf	140	u32 *dreg = reg;
e633508a	141	int index;
f6d0cbcf	142
055c4b34	143	switch (priv->result) {
f6d0cbcf	144	case NFT_FIB_RESULT_OIF:
e633508a	145	index = dev ? dev->ifindex : 0;
63331e37 FW	146	if (priv->flags & NFTA_FIB_F_PRESENT)
	147	nft_reg_store8(dreg, !!index);
	148	else
	149	*dreg = index;
	150
f6d0cbcf FW	151	break;
f6d0cbcf FW	152	case NFT_FIB_RESULT_OIFNAME:
055c4b34	153	if (priv->flags & NFTA_FIB_F_PRESENT)
63331e37	154	nft_reg_store8(dreg, !!dev);
055c4b34	155	else
7457af8b	156	strscpy_pad(reg, dev ? dev->name : "", IFNAMSIZ);
f6d0cbcf FW	157	break;
	158	default:
	159	WARN_ON_ONCE(1);
	160	*dreg = 0;
	161	break;
	162	}
	163	}
	164	EXPORT_SYMBOL_GPL(nft_fib_store_result);
	165
3c1eb413 FW	166	bool nft_fib_reduce(struct nft_regs_track *track,
	167	const struct nft_expr *expr)
	168	{
	169	const struct nft_fib *priv = nft_expr_priv(expr);
	170	unsigned int len = NFT_REG32_SIZE;
	171	const struct nft_fib *fib;
	172
	173	switch (priv->result) {
	174	case NFT_FIB_RESULT_OIF:
	175	break;
	176	case NFT_FIB_RESULT_OIFNAME:
	177	if (priv->flags & NFTA_FIB_F_PRESENT)
	178	len = NFT_REG32_SIZE;
	179	else
	180	len = IFNAMSIZ;
	181	break;
	182	case NFT_FIB_RESULT_ADDRTYPE:
	183	break;
	184	default:
	185	WARN_ON_ONCE(1);
	186	break;
	187	}
	188
	189	if (!nft_reg_track_cmp(track, expr, priv->dreg)) {
	190	nft_reg_track_update(track, expr, priv->dreg, len);
	191	return false;
	192	}
	193
	194	fib = nft_expr_priv(track->regs[priv->dreg].selector);
	195	if (priv->result != fib->result \|\|
	196	priv->flags != fib->flags) {
	197	nft_reg_track_update(track, expr, priv->dreg, len);
	198	return false;
	199	}
	200
	201	if (!track->regs[priv->dreg].bitwise)
	202	return true;
	203
	204	return false;
	205	}
	206	EXPORT_SYMBOL_GPL(nft_fib_reduce);
	207
f6d0cbcf	208	MODULE_LICENSE("GPL");
94090b23	209	MODULE_DESCRIPTION("Query routing table from nftables");
f6d0cbcf	210	MODULE_AUTHOR("Florian Westphal <fw@strlen.de>");