[linux-block.git] / net / netfilter / nft_immediate.c

// SPDX-License-Identifier: GPL-2.0-only
/*
 * Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
 *
 * Development of this code funded by Astaro AG (http://www.astaro.com/)
 */

#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/module.h>
#include <linux/netlink.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables_core.h>
#include <net/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables_offload.h>

void nft_immediate_eval(const struct nft_expr *expr,
			struct nft_regs *regs,
			const struct nft_pktinfo *pkt)
{
	const struct nft_immediate_expr *priv = nft_expr_priv(expr);

	nft_data_copy(&regs->data[priv->dreg], &priv->data, priv->dlen);
}

static const struct nla_policy nft_immediate_policy[NFTA_IMMEDIATE_MAX + 1] = {
	[NFTA_IMMEDIATE_DREG]	= { .type = NLA_U32 },
	[NFTA_IMMEDIATE_DATA]	= { .type = NLA_NESTED },
};

static enum nft_data_types nft_reg_to_type(const struct nlattr *nla)
{
	enum nft_data_types type;
	u8 reg;

	reg = ntohl(nla_get_be32(nla));
	if (reg == NFT_REG_VERDICT)
		type = NFT_DATA_VERDICT;
	else
		type = NFT_DATA_VALUE;

	return type;
}

static int nft_immediate_init(const struct nft_ctx *ctx,
			      const struct nft_expr *expr,
			      const struct nlattr * const tb[])
{
	struct nft_immediate_expr *priv = nft_expr_priv(expr);
	struct nft_data_desc desc = {
		.size	= sizeof(priv->data),
	};
	int err;

	if (tb[NFTA_IMMEDIATE_DREG] == NULL ||
	    tb[NFTA_IMMEDIATE_DATA] == NULL)
		return -EINVAL;

	desc.type = nft_reg_to_type(tb[NFTA_IMMEDIATE_DREG]);
	err = nft_data_init(ctx, &priv->data, &desc, tb[NFTA_IMMEDIATE_DATA]);
	if (err < 0)
		return err;

	priv->dlen = desc.len;

	err = nft_parse_register_store(ctx, tb[NFTA_IMMEDIATE_DREG],
				       &priv->dreg, &priv->data, desc.type,
				       desc.len);
	if (err < 0)
		goto err1;

	if (priv->dreg == NFT_REG_VERDICT) {
		struct nft_chain *chain = priv->data.verdict.chain;

		switch (priv->data.verdict.code) {
		case NFT_JUMP:
		case NFT_GOTO:
			if (nft_chain_is_bound(chain)) {
				err = -EBUSY;
				goto err1;
			}
			chain->bound = true;
			break;
		default:
			break;
		}
	}

	return 0;

err1:
	nft_data_release(&priv->data, desc.type);
	return err;
}

static void nft_immediate_activate(const struct nft_ctx *ctx,
				   const struct nft_expr *expr)
{
	const struct nft_immediate_expr *priv = nft_expr_priv(expr);

	return nft_data_hold(&priv->data, nft_dreg_to_type(priv->dreg));
}

static void nft_immediate_deactivate(const struct nft_ctx *ctx,
				     const struct nft_expr *expr,
				     enum nft_trans_phase phase)
{
	const struct nft_immediate_expr *priv = nft_expr_priv(expr);

	if (phase == NFT_TRANS_COMMIT)
		return;

	return nft_data_release(&priv->data, nft_dreg_to_type(priv->dreg));
}

static void nft_immediate_destroy(const struct nft_ctx *ctx,
				  const struct nft_expr *expr)
{
	const struct nft_immediate_expr *priv = nft_expr_priv(expr);
	const struct nft_data *data = &priv->data;
	struct nft_rule *rule, *n;
	struct nft_ctx chain_ctx;
	struct nft_chain *chain;

	if (priv->dreg != NFT_REG_VERDICT)
		return;

	switch (data->verdict.code) {
	case NFT_JUMP:
	case NFT_GOTO:
		chain = data->verdict.chain;

		if (!nft_chain_is_bound(chain))
			break;

		chain_ctx = *ctx;
		chain_ctx.chain = chain;

		list_for_each_entry_safe(rule, n, &chain->rules, list)
			nf_tables_rule_release(&chain_ctx, rule);

		nf_tables_chain_destroy(&chain_ctx);
		break;
	default:
		break;
	}
}

static int nft_immediate_dump(struct sk_buff *skb,
			      const struct nft_expr *expr, bool reset)
{
	const struct nft_immediate_expr *priv = nft_expr_priv(expr);

	if (nft_dump_register(skb, NFTA_IMMEDIATE_DREG, priv->dreg))
		goto nla_put_failure;

	return nft_data_dump(skb, NFTA_IMMEDIATE_DATA, &priv->data,
			     nft_dreg_to_type(priv->dreg), priv->dlen);

nla_put_failure:
	return -1;
}

static int nft_immediate_validate(const struct nft_ctx *ctx,
				  const struct nft_expr *expr,
				  const struct nft_data **d)
{
	const struct nft_immediate_expr *priv = nft_expr_priv(expr);
	struct nft_ctx *pctx = (struct nft_ctx *)ctx;
	const struct nft_data *data;
	int err;

	if (priv->dreg != NFT_REG_VERDICT)
		return 0;

	data = &priv->data;

	switch (data->verdict.code) {
	case NFT_JUMP:
	case NFT_GOTO:
		pctx->level++;
		err = nft_chain_validate(ctx, data->verdict.chain);
		if (err < 0)
			return err;
		pctx->level--;
		break;
	default:
		break;
	}

	return 0;
}

static int nft_immediate_offload_verdict(struct nft_offload_ctx *ctx,
					 struct nft_flow_rule *flow,
					 const struct nft_immediate_expr *priv)
{
	struct flow_action_entry *entry;
	const struct nft_data *data;

	entry = &flow->rule->action.entries[ctx->num_actions++];

	data = &priv->data;
	switch (data->verdict.code) {
	case NF_ACCEPT:
		entry->id = FLOW_ACTION_ACCEPT;
		break;
	case NF_DROP:
		entry->id = FLOW_ACTION_DROP;
		break;
	default:
		return -EOPNOTSUPP;
	}

	return 0;
}

static int nft_immediate_offload(struct nft_offload_ctx *ctx,
				 struct nft_flow_rule *flow,
				 const struct nft_expr *expr)
{
	const struct nft_immediate_expr *priv = nft_expr_priv(expr);

	if (priv->dreg == NFT_REG_VERDICT)
		return nft_immediate_offload_verdict(ctx, flow, priv);

	memcpy(&ctx->regs[priv->dreg].data, &priv->data, sizeof(priv->data));

	return 0;
}

static bool nft_immediate_offload_action(const struct nft_expr *expr)
{
	const struct nft_immediate_expr *priv = nft_expr_priv(expr);

	if (priv->dreg == NFT_REG_VERDICT)
		return true;

	return false;
}

static bool nft_immediate_reduce(struct nft_regs_track *track,
				 const struct nft_expr *expr)
{
	const struct nft_immediate_expr *priv = nft_expr_priv(expr);

	if (priv->dreg != NFT_REG_VERDICT)
		nft_reg_track_cancel(track, priv->dreg, priv->dlen);

	return false;
}

static const struct nft_expr_ops nft_imm_ops = {
	.type		= &nft_imm_type,
	.size		= NFT_EXPR_SIZE(sizeof(struct nft_immediate_expr)),
	.eval		= nft_immediate_eval,
	.init		= nft_immediate_init,
	.activate	= nft_immediate_activate,
	.deactivate	= nft_immediate_deactivate,
	.destroy	= nft_immediate_destroy,
	.dump		= nft_immediate_dump,
	.validate	= nft_immediate_validate,
	.reduce		= nft_immediate_reduce,
	.offload	= nft_immediate_offload,
	.offload_action	= nft_immediate_offload_action,
};

struct nft_expr_type nft_imm_type __read_mostly = {
	.name		= "immediate",
	.ops		= &nft_imm_ops,
	.policy		= nft_immediate_policy,
	.maxattr	= NFTA_IMMEDIATE_MAX,
	.owner		= THIS_MODULE,
};
Commit	Line	Data
d2912cb1	1	// SPDX-License-Identifier: GPL-2.0-only
96518518	2	/*
ef1f7df9	3	* Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
96518518	4	*
96518518 PM	5	* Development of this code funded by Astaro AG (http://www.astaro.com/)
	6	*/
	7
	8	#include <linux/kernel.h>
	9	#include <linux/init.h>
	10	#include <linux/module.h>
	11	#include <linux/netlink.h>
	12	#include <linux/netfilter.h>
	13	#include <linux/netfilter/nf_tables.h>
	14	#include <net/netfilter/nf_tables_core.h>
	15	#include <net/netfilter/nf_tables.h>
c9626a2c	16	#include <net/netfilter/nf_tables_offload.h>
96518518	17
10870dd8 FW	18	void nft_immediate_eval(const struct nft_expr *expr,
	19	struct nft_regs *regs,
	20	const struct nft_pktinfo *pkt)
96518518 PM	21	{
	22	const struct nft_immediate_expr *priv = nft_expr_priv(expr);
	23
49499c3e	24	nft_data_copy(&regs->data[priv->dreg], &priv->data, priv->dlen);
96518518 PM	25	}
	26
	27	static const struct nla_policy nft_immediate_policy[NFTA_IMMEDIATE_MAX + 1] = {
	28	[NFTA_IMMEDIATE_DREG] = { .type = NLA_U32 },
	29	[NFTA_IMMEDIATE_DATA] = { .type = NLA_NESTED },
	30	};
	31
341b6941 PNA	32	static enum nft_data_types nft_reg_to_type(const struct nlattr *nla)
	33	{
	34	enum nft_data_types type;
	35	u8 reg;
	36
	37	reg = ntohl(nla_get_be32(nla));
	38	if (reg == NFT_REG_VERDICT)
	39	type = NFT_DATA_VERDICT;
	40	else
	41	type = NFT_DATA_VALUE;
	42
	43	return type;
	44	}
	45
96518518 PM	46	static int nft_immediate_init(const struct nft_ctx *ctx,
	47	const struct nft_expr *expr,
	48	const struct nlattr * const tb[])
	49	{
	50	struct nft_immediate_expr *priv = nft_expr_priv(expr);
341b6941 PNA	51	struct nft_data_desc desc = {
	52	.size = sizeof(priv->data),
	53	};
96518518 PM	54	int err;
	55
	56	if (tb[NFTA_IMMEDIATE_DREG] == NULL \|\|
	57	tb[NFTA_IMMEDIATE_DATA] == NULL)
	58	return -EINVAL;
	59
341b6941 PNA	60	desc.type = nft_reg_to_type(tb[NFTA_IMMEDIATE_DREG]);
341b6941 PNA	61	err = nft_data_init(ctx, &priv->data, &desc, tb[NFTA_IMMEDIATE_DATA]);
96518518 PM	62	if (err < 0)
96518518 PM	63	return err;
36b701fa	64
96518518 PM	65	priv->dlen = desc.len;
96518518 PM	66
345023b0 PNA	67	err = nft_parse_register_store(ctx, tb[NFTA_IMMEDIATE_DREG],
	68	&priv->dreg, &priv->data, desc.type,
	69	desc.len);
96518518 PM	70	if (err < 0)
	71	goto err1;
	72
d0e2c7de PNA	73	if (priv->dreg == NFT_REG_VERDICT) {
	74	struct nft_chain *chain = priv->data.verdict.chain;
	75
	76	switch (priv->data.verdict.code) {
	77	case NFT_JUMP:
	78	case NFT_GOTO:
	79	if (nft_chain_is_bound(chain)) {
	80	err = -EBUSY;
	81	goto err1;
	82	}
	83	chain->bound = true;
	84	break;
	85	default:
	86	break;
	87	}
	88	}
	89
96518518 PM	90	return 0;
	91
	92	err1:
59105446	93	nft_data_release(&priv->data, desc.type);
96518518 PM	94	return err;
	95	}
	96
bb7b40ae PNA	97	static void nft_immediate_activate(const struct nft_ctx *ctx,
	98	const struct nft_expr *expr)
	99	{
	100	const struct nft_immediate_expr *priv = nft_expr_priv(expr);
	101
	102	return nft_data_hold(&priv->data, nft_dreg_to_type(priv->dreg));
	103	}
	104
	105	static void nft_immediate_deactivate(const struct nft_ctx *ctx,
f6ac8585 PNA	106	const struct nft_expr *expr,
f6ac8585 PNA	107	enum nft_trans_phase phase)
96518518 PM	108	{
96518518 PM	109	const struct nft_immediate_expr *priv = nft_expr_priv(expr);
59105446	110
f6ac8585 PNA	111	if (phase == NFT_TRANS_COMMIT)
	112	return;
	113
59105446	114	return nft_data_release(&priv->data, nft_dreg_to_type(priv->dreg));
96518518 PM	115	}
96518518 PM	116
d0e2c7de PNA	117	static void nft_immediate_destroy(const struct nft_ctx *ctx,
	118	const struct nft_expr *expr)
	119	{
	120	const struct nft_immediate_expr *priv = nft_expr_priv(expr);
	121	const struct nft_data *data = &priv->data;
336f531a	122	struct nft_rule rule, n;
d0e2c7de PNA	123	struct nft_ctx chain_ctx;
d0e2c7de PNA	124	struct nft_chain *chain;
d0e2c7de PNA	125
	126	if (priv->dreg != NFT_REG_VERDICT)
	127	return;
	128
	129	switch (data->verdict.code) {
	130	case NFT_JUMP:
	131	case NFT_GOTO:
	132	chain = data->verdict.chain;
	133
	134	if (!nft_chain_is_bound(chain))
	135	break;
	136
	137	chain_ctx = *ctx;
	138	chain_ctx.chain = chain;
	139
336f531a	140	list_for_each_entry_safe(rule, n, &chain->rules, list)
d0e2c7de PNA	141	nf_tables_rule_release(&chain_ctx, rule);
	142
	143	nf_tables_chain_destroy(&chain_ctx);
	144	break;
	145	default:
	146	break;
	147	}
	148	}
	149
7d34aa3e PS	150	static int nft_immediate_dump(struct sk_buff *skb,
7d34aa3e PS	151	const struct nft_expr *expr, bool reset)
96518518 PM	152	{
	153	const struct nft_immediate_expr *priv = nft_expr_priv(expr);
	154
b1c96ed3	155	if (nft_dump_register(skb, NFTA_IMMEDIATE_DREG, priv->dreg))
96518518 PM	156	goto nla_put_failure;
	157
	158	return nft_data_dump(skb, NFTA_IMMEDIATE_DATA, &priv->data,
	159	nft_dreg_to_type(priv->dreg), priv->dlen);
	160
	161	nla_put_failure:
	162	return -1;
	163	}
	164
0ca743a5 PNA	165	static int nft_immediate_validate(const struct nft_ctx *ctx,
0ca743a5 PNA	166	const struct nft_expr *expr,
a654de8f	167	const struct nft_data **d)
20a69341 PM	168	{
20a69341 PM	169	const struct nft_immediate_expr *priv = nft_expr_priv(expr);
26b2f552	170	struct nft_ctx pctx = (struct nft_ctx )ctx;
a654de8f PNA	171	const struct nft_data *data;
a654de8f PNA	172	int err;
20a69341	173
a654de8f PNA	174	if (priv->dreg != NFT_REG_VERDICT)
	175	return 0;
	176
	177	data = &priv->data;
	178
	179	switch (data->verdict.code) {
	180	case NFT_JUMP:
	181	case NFT_GOTO:
26b2f552	182	pctx->level++;
a654de8f PNA	183	err = nft_chain_validate(ctx, data->verdict.chain);
	184	if (err < 0)
	185	return err;
26b2f552	186	pctx->level--;
a654de8f PNA	187	break;
	188	default:
	189	break;
	190	}
0ca743a5 PNA	191
0ca743a5 PNA	192	return 0;
20a69341 PM	193	}
20a69341 PM	194
43dd16ef PNA	195	static int nft_immediate_offload_verdict(struct nft_offload_ctx *ctx,
	196	struct nft_flow_rule *flow,
	197	const struct nft_immediate_expr *priv)
c9626a2c	198	{
c9626a2c PNA	199	struct flow_action_entry *entry;
	200	const struct nft_data *data;
	201
c9626a2c PNA	202	entry = &flow->rule->action.entries[ctx->num_actions++];
	203
	204	data = &priv->data;
	205	switch (data->verdict.code) {
	206	case NF_ACCEPT:
	207	entry->id = FLOW_ACTION_ACCEPT;
	208	break;
	209	case NF_DROP:
	210	entry->id = FLOW_ACTION_DROP;
	211	break;
	212	default:
	213	return -EOPNOTSUPP;
	214	}
	215
	216	return 0;
	217	}
	218
43dd16ef PNA	219	static int nft_immediate_offload(struct nft_offload_ctx *ctx,
	220	struct nft_flow_rule *flow,
	221	const struct nft_expr *expr)
	222	{
	223	const struct nft_immediate_expr *priv = nft_expr_priv(expr);
	224
	225	if (priv->dreg == NFT_REG_VERDICT)
	226	return nft_immediate_offload_verdict(ctx, flow, priv);
	227
	228	memcpy(&ctx->regs[priv->dreg].data, &priv->data, sizeof(priv->data));
	229
	230	return 0;
	231	}
	232
b1a5983f PNA	233	static bool nft_immediate_offload_action(const struct nft_expr *expr)
	234	{
	235	const struct nft_immediate_expr *priv = nft_expr_priv(expr);
	236
	237	if (priv->dreg == NFT_REG_VERDICT)
	238	return true;
	239
	240	return false;
	241	}
	242
71ef842d PNA	243	static bool nft_immediate_reduce(struct nft_regs_track *track,
	244	const struct nft_expr *expr)
	245	{
	246	const struct nft_immediate_expr *priv = nft_expr_priv(expr);
	247
	248	if (priv->dreg != NFT_REG_VERDICT)
	249	nft_reg_track_cancel(track, priv->dreg, priv->dlen);
	250
	251	return false;
	252	}
	253
ef1f7df9 PM	254	static const struct nft_expr_ops nft_imm_ops = {
ef1f7df9 PM	255	.type = &nft_imm_type,
96518518	256	.size = NFT_EXPR_SIZE(sizeof(struct nft_immediate_expr)),
96518518 PM	257	.eval = nft_immediate_eval,
96518518 PM	258	.init = nft_immediate_init,
bb7b40ae PNA	259	.activate = nft_immediate_activate,
bb7b40ae PNA	260	.deactivate = nft_immediate_deactivate,
d0e2c7de	261	.destroy = nft_immediate_destroy,
96518518	262	.dump = nft_immediate_dump,
0ca743a5	263	.validate = nft_immediate_validate,
71ef842d	264	.reduce = nft_immediate_reduce,
c9626a2c	265	.offload = nft_immediate_offload,
b1a5983f	266	.offload_action = nft_immediate_offload_action,
ef1f7df9 PM	267	};
ef1f7df9 PM	268
4e24877e	269	struct nft_expr_type nft_imm_type __read_mostly = {
ef1f7df9 PM	270	.name = "immediate",
ef1f7df9 PM	271	.ops = &nft_imm_ops,
96518518 PM	272	.policy = nft_immediate_policy,
96518518 PM	273	.maxattr = NFTA_IMMEDIATE_MAX,
ef1f7df9	274	.owner = THIS_MODULE,
96518518	275	};