projects / linux-block.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Merge tag 'for-linus-iommufd' of git://git.kernel.org/pub/scm/linux/kernel/git/jgg...
[linux-block.git] / net / netfilter / nft_meta.c
CommitLineData
d2912cb1 1// SPDX-License-Identifier: GPL-2.0-only
96518518 2/*
ef1f7df9 3 * Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
bd2bbdb4
FW		 4 * Copyright (c) 2014 Intel Corporation
5 * Author: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
96518518 6 *
96518518
PM		 7 * Development of this code funded by Astaro AG (http://www.astaro.com/)
8 */
9
10#include <linux/kernel.h>
96518518
PM		 11#include <linux/netlink.h>
12#include <linux/netfilter.h>
13#include <linux/netfilter/nf_tables.h>
e2a093ff
AR		 14#include <linux/in.h>
15#include <linux/ip.h>
16#include <linux/ipv6.h>
b1fd94e7 17#include <linux/random.h>
afc5be30 18#include <linux/smp.h>
e639f7ab 19#include <linux/static_key.h>
96518518 20#include <net/dst.h>
c14ceb0e 21#include <net/ip.h>
96518518
PM		 22#include <net/sock.h>
23#include <net/tcp_states.h> /* for TCP_TIME_WAIT */
24#include <net/netfilter/nf_tables.h>
e639f7ab 25#include <net/netfilter/nf_tables_core.h>
30e103fe 26#include <net/netfilter/nft_meta.h>
c9626a2c 27#include <net/netfilter/nf_tables_offload.h>
96518518 28
b4aae759
FW		 29#include <uapi/linux/netfilter_bridge.h> /* NF_BR_PRE_ROUTING */
30
63d10e12
AJ		 31#define NFT_META_SECS_PER_MINUTE 60
32#define NFT_META_SECS_PER_HOUR 3600
33#define NFT_META_SECS_PER_DAY 86400
34#define NFT_META_DAYS_PER_WEEK 7
35
db8f6f5c 36static u8 nft_meta_weekday(void)
63d10e12 37{
db8f6f5c 38 time64_t secs = ktime_get_real_seconds();
63d10e12
AJ		 39 unsigned int dse;
40 u8 wday;
41
42 secs -= NFT_META_SECS_PER_MINUTE * sys_tz.tz_minuteswest;
6408c40c 43 dse = div_u64(secs, NFT_META_SECS_PER_DAY);
63d10e12
AJ		 44 wday = (4 + dse) % NFT_META_DAYS_PER_WEEK;
45
46 return wday;
47}
48
6408c40c 49static u32 nft_meta_hour(time64_t secs)
63d10e12
AJ		 50{
51 struct tm tm;
52
53 time64_to_tm(secs, 0, &tm);
54
55 return tm.tm_hour * NFT_META_SECS_PER_HOUR
56 + tm.tm_min * NFT_META_SECS_PER_MINUTE
57 + tm.tm_sec;
58}
59
db8f6f5c
FW		 60static noinline_for_stack void
61nft_meta_get_eval_time(enum nft_meta_keys key,
62 u32 *dest)
63{
64 switch (key) {
65 case NFT_META_TIME_NS:
c301f098 66 nft_reg_store64((u64 *)dest, ktime_get_real_ns());
db8f6f5c
FW		 67 break;
68 case NFT_META_TIME_DAY:
69 nft_reg_store8(dest, nft_meta_weekday());
70 break;
71 case NFT_META_TIME_HOUR:
72 *dest = nft_meta_hour(ktime_get_real_seconds());
73 break;
74 default:
75 break;
76 }
77}
78
4a54594a
FW		 79static noinline bool
80nft_meta_get_eval_pkttype_lo(const struct nft_pktinfo *pkt,
81 u32 *dest)
82{
83 const struct sk_buff *skb = pkt->skb;
84
85 switch (nft_pf(pkt)) {
86 case NFPROTO_IPV4:
87 if (ipv4_is_multicast(ip_hdr(skb)->daddr))
88 nft_reg_store8(dest, PACKET_MULTICAST);
89 else
90 nft_reg_store8(dest, PACKET_BROADCAST);
91 break;
92 case NFPROTO_IPV6:
93 nft_reg_store8(dest, PACKET_MULTICAST);
94 break;
95 case NFPROTO_NETDEV:
96 switch (skb->protocol) {
97 case htons(ETH_P_IP): {
98 int noff = skb_network_offset(skb);
99 struct iphdr *iph, _iph;
100
101 iph = skb_header_pointer(skb, noff,
102 sizeof(_iph), &_iph);
103 if (!iph)
104 return false;
105
106 if (ipv4_is_multicast(iph->daddr))
107 nft_reg_store8(dest, PACKET_MULTICAST);
108 else
109 nft_reg_store8(dest, PACKET_BROADCAST);
110
111 break;
112 }
113 case htons(ETH_P_IPV6):
114 nft_reg_store8(dest, PACKET_MULTICAST);
115 break;
116 default:
117 WARN_ON_ONCE(1);
118 return false;
119 }
120 break;
121 default:
122 WARN_ON_ONCE(1);
123 return false;
124 }
125
126 return true;
127}
128
726b44f0
FW		 129static noinline bool
130nft_meta_get_eval_skugid(enum nft_meta_keys key,
131 u32 *dest,
132 const struct nft_pktinfo *pkt)
133{
134 struct sock *sk = skb_to_full_sk(pkt->skb);
135 struct socket *sock;
136
137 if (!sk || !sk_fullsock(sk) || !net_eq(nft_net(pkt), sock_net(sk)))
138 return false;
139
140 read_lock_bh(&sk->sk_callback_lock);
141 sock = sk->sk_socket;
142 if (!sock || !sock->file) {
143 read_unlock_bh(&sk->sk_callback_lock);
144 return false;
145 }
146
147 switch (key) {
148 case NFT_META_SKUID:
0c92411b 149 *dest = from_kuid_munged(sock_net(sk)->user_ns,
726b44f0
FW		 150 sock->file->f_cred->fsuid);
151 break;
152 case NFT_META_SKGID:
0c92411b 153 *dest = from_kgid_munged(sock_net(sk)->user_ns,
726b44f0
FW		 154 sock->file->f_cred->fsgid);
155 break;
156 default:
157 break;
158 }
159
160 read_unlock_bh(&sk->sk_callback_lock);
161 return true;
162}
163
b1327fbc
FW		 164#ifdef CONFIG_CGROUP_NET_CLASSID
165static noinline bool
166nft_meta_get_eval_cgroup(u32 *dest, const struct nft_pktinfo *pkt)
167{
168 struct sock *sk = skb_to_full_sk(pkt->skb);
169
170 if (!sk || !sk_fullsock(sk) || !net_eq(nft_net(pkt), sock_net(sk)))
171 return false;
172
173 *dest = sock_cgroup_classid(&sk->sk_cgrp_data);
174 return true;
175}
176#endif
177
a4150a1f
FW		 178static noinline bool nft_meta_get_eval_kind(enum nft_meta_keys key,
179 u32 *dest,
180 const struct nft_pktinfo *pkt)
181{
182 const struct net_device *in = nft_in(pkt), *out = nft_out(pkt);
183
184 switch (key) {
185 case NFT_META_IIFKIND:
186 if (!in || !in->rtnl_link_ops)
187 return false;
ad156c23 188 strscpy_pad((char *)dest, in->rtnl_link_ops->kind, IFNAMSIZ);
a4150a1f
FW		 189 break;
190 case NFT_META_OIFKIND:
191 if (!out || !out->rtnl_link_ops)
192 return false;
ad156c23 193 strscpy_pad((char *)dest, out->rtnl_link_ops->kind, IFNAMSIZ);
a4150a1f
FW		 194 break;
195 default:
196 return false;
197 }
198
199 return true;
200}
201
8724e819
FW		 202static void nft_meta_store_ifindex(u32 *dest, const struct net_device *dev)
203{
204 *dest = dev ? dev->ifindex : 0;
205}
206
207static void nft_meta_store_ifname(u32 *dest, const struct net_device *dev)
208{
ad156c23 209 strscpy_pad((char *)dest, dev ? dev->name : "", IFNAMSIZ);
8724e819
FW		 210}
211
212static bool nft_meta_store_iftype(u32 *dest, const struct net_device *dev)
213{
214 if (!dev)
215 return false;
216
217 nft_reg_store16(dest, dev->type);
218 return true;
219}
220
221static bool nft_meta_store_ifgroup(u32 *dest, const struct net_device *dev)
222{
223 if (!dev)
224 return false;
225
226 *dest = dev->group;
227 return true;
228}
229
230static bool nft_meta_get_eval_ifname(enum nft_meta_keys key, u32 *dest,
231 const struct nft_pktinfo *pkt)
232{
233 switch (key) {
234 case NFT_META_IIFNAME:
235 nft_meta_store_ifname(dest, nft_in(pkt));
236 break;
237 case NFT_META_OIFNAME:
238 nft_meta_store_ifname(dest, nft_out(pkt));
239 break;
240 case NFT_META_IIF:
241 nft_meta_store_ifindex(dest, nft_in(pkt));
242 break;
243 case NFT_META_OIF:
244 nft_meta_store_ifindex(dest, nft_out(pkt));
245 break;
56fa9501
PNA		 246 case NFT_META_IFTYPE:
247 if (!nft_meta_store_iftype(dest, pkt->skb->dev))
248 return false;
249 break;
250 case __NFT_META_IIFTYPE:
8724e819
FW		 251 if (!nft_meta_store_iftype(dest, nft_in(pkt)))
252 return false;
253 break;
254 case NFT_META_OIFTYPE:
255 if (!nft_meta_store_iftype(dest, nft_out(pkt)))
256 return false;
257 break;
258 case NFT_META_IIFGROUP:
78470d9d 259 if (!nft_meta_store_ifgroup(dest, nft_in(pkt)))
8724e819
FW		 260 return false;
261 break;
262 case NFT_META_OIFGROUP:
263 if (!nft_meta_store_ifgroup(dest, nft_out(pkt)))
264 return false;
265 break;
266 default:
267 return false;
268 }
269
270 return true;
271}
272
01a0fc82
FW		 273#ifdef CONFIG_IP_ROUTE_CLASSID
274static noinline bool
275nft_meta_get_eval_rtclassid(const struct sk_buff *skb, u32 *dest)
276{
277 const struct dst_entry *dst = skb_dst(skb);
278
279 if (!dst)
280 return false;
281
282 *dest = dst->tclassid;
283 return true;
284}
285#endif
286
c14ceb0e
FW		 287static noinline u32 nft_meta_get_eval_sdif(const struct nft_pktinfo *pkt)
288{
289 switch (nft_pf(pkt)) {
290 case NFPROTO_IPV4:
291 return inet_sdif(pkt->skb);
292 case NFPROTO_IPV6:
293 return inet6_sdif(pkt->skb);
294 }
295
296 return 0;
297}
298
299static noinline void
300nft_meta_get_eval_sdifname(u32 *dest, const struct nft_pktinfo *pkt)
301{
302 u32 sdif = nft_meta_get_eval_sdif(pkt);
303 const struct net_device *dev;
304
305 dev = sdif ? dev_get_by_index_rcu(nft_net(pkt), sdif) : NULL;
306 nft_meta_store_ifname(dest, dev);
307}
308
222440b4
FW		 309void nft_meta_get_eval(const struct nft_expr *expr,
310 struct nft_regs *regs,
311 const struct nft_pktinfo *pkt)
96518518
PM		 312{
313 const struct nft_meta *priv = nft_expr_priv(expr);
314 const struct sk_buff *skb = pkt->skb;
49499c3e 315 u32 *dest = &regs->data[priv->dreg];
96518518
PM		 316
317 switch (priv->key) {
318 case NFT_META_LEN:
fad136ea 319 *dest = skb->len;
96518518
PM		 320 break;
321 case NFT_META_PROTOCOL:
10596608 322 nft_reg_store16(dest, (__force u16)skb->protocol);
96518518 323 break;
124edfa9 324 case NFT_META_NFPROTO:
10596608 325 nft_reg_store8(dest, nft_pf(pkt));
124edfa9 326 break;
4566bf27 327 case NFT_META_L4PROTO:
b5bdc6f9 328 if (!(pkt->flags & NFT_PKTINFO_L4PROTO))
beac5afa 329 goto err;
10596608 330 nft_reg_store8(dest, pkt->tprot);
4566bf27 331 break;
96518518 332 case NFT_META_PRIORITY:
fad136ea 333 *dest = skb->priority;
96518518
PM		 334 break;
335 case NFT_META_MARK:
fad136ea 336 *dest = skb->mark;
96518518
PM		 337 break;
338 case NFT_META_IIF:
96518518 339 case NFT_META_OIF:
96518518 340 case NFT_META_IIFNAME:
96518518 341 case NFT_META_OIFNAME:
96518518 342 case NFT_META_IIFTYPE:
96518518 343 case NFT_META_OIFTYPE:
8724e819
FW		 344 case NFT_META_IIFGROUP:
345 case NFT_META_OIFGROUP:
346 if (!nft_meta_get_eval_ifname(priv->key, dest, pkt))
96518518 347 goto err;
96518518
PM		 348 break;
349 case NFT_META_SKUID:
96518518 350 case NFT_META_SKGID:
726b44f0 351 if (!nft_meta_get_eval_skugid(priv->key, dest, pkt))
96518518 352 goto err;
96518518 353 break;
06efbd6d 354#ifdef CONFIG_IP_ROUTE_CLASSID
01a0fc82
FW		 355 case NFT_META_RTCLASSID:
356 if (!nft_meta_get_eval_rtclassid(skb, dest))
96518518 357 goto err;
96518518 358 break;
96518518
PM		 359#endif
360#ifdef CONFIG_NETWORK_SECMARK
361 case NFT_META_SECMARK:
fad136ea 362 *dest = skb->secmark;
96518518
PM		 363 break;
364#endif
e2a093ff
AR		 365 case NFT_META_PKTTYPE:
366 if (skb->pkt_type != PACKET_LOOPBACK) {
10596608 367 nft_reg_store8(dest, skb->pkt_type);
e2a093ff
AR		 368 break;
369 }
370
4a54594a 371 if (!nft_meta_get_eval_pkttype_lo(pkt, dest))
e2a093ff 372 goto err;
e2a093ff 373 break;
afc5be30 374 case NFT_META_CPU:
fad136ea 375 *dest = raw_smp_processor_id();
afc5be30 376 break;
e181a543 377#ifdef CONFIG_CGROUP_NET_CLASSID
ce674173 378 case NFT_META_CGROUP:
b1327fbc 379 if (!nft_meta_get_eval_cgroup(dest, pkt))
c5035c77 380 goto err;
ce674173 381 break;
e181a543 382#endif
6b2faee0 383 case NFT_META_PRANDOM:
b1fd94e7 384 *dest = get_random_u32();
b07edbe1 385 break;
f6931f5f
FW		 386#ifdef CONFIG_XFRM
387 case NFT_META_SECPATH:
7af8f4ca 388 nft_reg_store8(dest, secpath_exists(skb));
f6931f5f
FW		 389 break;
390#endif
0fb4d219 391 case NFT_META_IIFKIND:
0fb4d219 392 case NFT_META_OIFKIND:
a4150a1f 393 if (!nft_meta_get_eval_kind(priv->key, dest, pkt))
0fb4d219 394 goto err;
0fb4d219 395 break;
63d10e12 396 case NFT_META_TIME_NS:
63d10e12 397 case NFT_META_TIME_DAY:
63d10e12 398 case NFT_META_TIME_HOUR:
db8f6f5c 399 nft_meta_get_eval_time(priv->key, dest);
63d10e12 400 break;
c14ceb0e
FW		 401 case NFT_META_SDIF:
402 *dest = nft_meta_get_eval_sdif(pkt);
403 break;
404 case NFT_META_SDIFNAME:
405 nft_meta_get_eval_sdifname(dest, pkt);
406 break;
96518518
PM		 407 default:
408 WARN_ON(1);
409 goto err;
410 }
411 return;
412
413err:
a55e22e9 414 regs->verdict.code = NFT_BREAK;
96518518 415}
30e103fe 416EXPORT_SYMBOL_GPL(nft_meta_get_eval);
96518518 417
30e103fe 418void nft_meta_set_eval(const struct nft_expr *expr,
419 struct nft_regs *regs,
420 const struct nft_pktinfo *pkt)
e035b77a
ABG		 421{
422 const struct nft_meta *meta = nft_expr_priv(expr);
423 struct sk_buff *skb = pkt->skb;
10596608
LZ		 424 u32 *sreg = &regs->data[meta->sreg];
425 u32 value = *sreg;
97a0549b 426 u8 value8;
e035b77a
ABG		 427
428 switch (meta->key) {
429 case NFT_META_MARK:
430 skb->mark = value;
431 break;
432 case NFT_META_PRIORITY:
433 skb->priority = value;
434 break;
b4aae759 435 case NFT_META_PKTTYPE:
97a0549b 436 value8 = nft_reg_load8(sreg);
10596608 437
97a0549b
TY		 438 if (skb->pkt_type != value8 &&
439 skb_pkt_type_ok(value8) &&
10596608 440 skb_pkt_type_ok(skb->pkt_type))
97a0549b 441 skb->pkt_type = value8;
b4aae759 442 break;
e035b77a 443 case NFT_META_NFTRACE:
97a0549b
TY		 444 value8 = nft_reg_load8(sreg);
445
446 skb->nf_trace = !!value8;
e035b77a 447 break;
b473a1f5
CG		 448#ifdef CONFIG_NETWORK_SECMARK
449 case NFT_META_SECMARK:
450 skb->secmark = value;
451 break;
452#endif
e035b77a
ABG		 453 default:
454 WARN_ON(1);
455 }
456}
30e103fe 457EXPORT_SYMBOL_GPL(nft_meta_set_eval);
e035b77a 458
30e103fe 459const struct nla_policy nft_meta_policy[NFTA_META_MAX + 1] = {
96518518 460 [NFTA_META_DREG] = { .type = NLA_U32 },
a412dbf4 461 [NFTA_META_KEY] = NLA_POLICY_MAX(NLA_BE32, 255),
e035b77a 462 [NFTA_META_SREG] = { .type = NLA_U32 },
96518518 463};
30e103fe 464EXPORT_SYMBOL_GPL(nft_meta_policy);
96518518 465
30e103fe 466int nft_meta_get_init(const struct nft_ctx *ctx,
467 const struct nft_expr *expr,
468 const struct nlattr * const tb[])
96518518 469{
d2caa696 470 struct nft_meta *priv = nft_expr_priv(expr);
45d9bcda 471 unsigned int len;
96518518 472
d2caa696
PM		 473 priv->key = ntohl(nla_get_be32(tb[NFTA_META_KEY]));
474 switch (priv->key) {
96518518 475 case NFT_META_PROTOCOL:
45d9bcda
PM		 476 case NFT_META_IIFTYPE:
477 case NFT_META_OIFTYPE:
478 len = sizeof(u16);
479 break;
124edfa9 480 case NFT_META_NFPROTO:
4566bf27 481 case NFT_META_L4PROTO:
45d9bcda 482 case NFT_META_LEN:
96518518
PM		 483 case NFT_META_PRIORITY:
484 case NFT_META_MARK:
485 case NFT_META_IIF:
486 case NFT_META_OIF:
c14ceb0e 487 case NFT_META_SDIF:
96518518
PM		 488 case NFT_META_SKUID:
489 case NFT_META_SKGID:
06efbd6d 490#ifdef CONFIG_IP_ROUTE_CLASSID
96518518
PM		 491 case NFT_META_RTCLASSID:
492#endif
493#ifdef CONFIG_NETWORK_SECMARK
494 case NFT_META_SECMARK:
495#endif
e2a093ff 496 case NFT_META_PKTTYPE:
afc5be30 497 case NFT_META_CPU:
3045d760
AR		 498 case NFT_META_IIFGROUP:
499 case NFT_META_OIFGROUP:
e181a543 500#ifdef CONFIG_CGROUP_NET_CLASSID
ce674173 501 case NFT_META_CGROUP:
e181a543 502#endif
45d9bcda
PM		 503 len = sizeof(u32);
504 break;
505 case NFT_META_IIFNAME:
506 case NFT_META_OIFNAME:
0fb4d219 507 case NFT_META_IIFKIND:
508 case NFT_META_OIFKIND:
c14ceb0e 509 case NFT_META_SDIFNAME:
45d9bcda 510 len = IFNAMSIZ;
d2caa696 511 break;
b07edbe1 512 case NFT_META_PRANDOM:
b07edbe1
FW		 513 len = sizeof(u32);
514 break;
f6931f5f
FW		 515#ifdef CONFIG_XFRM
516 case NFT_META_SECPATH:
517 len = sizeof(u8);
518 break;
519#endif
63d10e12
AJ		 520 case NFT_META_TIME_NS:
521 len = sizeof(u64);
522 break;
523 case NFT_META_TIME_DAY:
524 len = sizeof(u8);
525 break;
526 case NFT_META_TIME_HOUR:
527 len = sizeof(u32);
528 break;
96518518
PM		 529 default:
530 return -EOPNOTSUPP;
531 }
532
34cc9e52 533 priv->len = len;
345023b0
PNA		 534 return nft_parse_register_store(ctx, tb[NFTA_META_DREG], &priv->dreg,
535 NULL, NFT_DATA_VALUE, len);
e035b77a 536}
30e103fe 537EXPORT_SYMBOL_GPL(nft_meta_get_init);
e035b77a 538
c14ceb0e 539static int nft_meta_get_validate_sdif(const struct nft_ctx *ctx)
f6931f5f 540{
f6931f5f
FW		 541 unsigned int hooks;
542
c14ceb0e
FW		 543 switch (ctx->family) {
544 case NFPROTO_IPV4:
545 case NFPROTO_IPV6:
546 case NFPROTO_INET:
547 hooks = (1 << NF_INET_LOCAL_IN) |
548 (1 << NF_INET_FORWARD);
549 break;
550 default:
551 return -EOPNOTSUPP;
552 }
553
554 return nft_chain_validate_hooks(ctx->chain, hooks);
555}
556
557static int nft_meta_get_validate_xfrm(const struct nft_ctx *ctx)
558{
559#ifdef CONFIG_XFRM
560 unsigned int hooks;
f6931f5f 561
36596dad 562 switch (ctx->family) {
f6931f5f
FW		 563 case NFPROTO_NETDEV:
564 hooks = 1 << NF_NETDEV_INGRESS;
565 break;
566 case NFPROTO_IPV4:
567 case NFPROTO_IPV6:
568 case NFPROTO_INET:
569 hooks = (1 << NF_INET_PRE_ROUTING) |
570 (1 << NF_INET_LOCAL_IN) |
571 (1 << NF_INET_FORWARD);
572 break;
573 default:
574 return -EOPNOTSUPP;
575 }
576
577 return nft_chain_validate_hooks(ctx->chain, hooks);
578#else
579 return 0;
580#endif
581}
582
c14ceb0e
FW		 583static int nft_meta_get_validate(const struct nft_ctx *ctx,
584 const struct nft_expr *expr,
585 const struct nft_data **data)
586{
587 const struct nft_meta *priv = nft_expr_priv(expr);
588
589 switch (priv->key) {
590 case NFT_META_SECPATH:
591 return nft_meta_get_validate_xfrm(ctx);
592 case NFT_META_SDIF:
593 case NFT_META_SDIFNAME:
594 return nft_meta_get_validate_sdif(ctx);
595 default:
596 break;
597 }
598
599 return 0;
600}
601
30e103fe 602int nft_meta_set_validate(const struct nft_ctx *ctx,
603 const struct nft_expr *expr,
604 const struct nft_data **data)
b4aae759 605{
960fa72f 606 struct nft_meta *priv = nft_expr_priv(expr);
b4aae759
FW		 607 unsigned int hooks;
608
960fa72f
LZ		 609 if (priv->key != NFT_META_PKTTYPE)
610 return 0;
611
36596dad 612 switch (ctx->family) {
b4aae759
FW		 613 case NFPROTO_BRIDGE:
614 hooks = 1 << NF_BR_PRE_ROUTING;
615 break;
616 case NFPROTO_NETDEV:
617 hooks = 1 << NF_NETDEV_INGRESS;
618 break;
96d9f2a7
LZ		 619 case NFPROTO_IPV4:
620 case NFPROTO_IPV6:
621 case NFPROTO_INET:
622 hooks = 1 << NF_INET_PRE_ROUTING;
623 break;
b4aae759
FW		 624 default:
625 return -EOPNOTSUPP;
626 }
627
628 return nft_chain_validate_hooks(ctx->chain, hooks);
629}
30e103fe 630EXPORT_SYMBOL_GPL(nft_meta_set_validate);
b4aae759 631
30e103fe 632int nft_meta_set_init(const struct nft_ctx *ctx,
633 const struct nft_expr *expr,
634 const struct nlattr * const tb[])
e035b77a
ABG		 635{
636 struct nft_meta *priv = nft_expr_priv(expr);
d07db988 637 unsigned int len;
e035b77a
ABG		 638 int err;
639
640 priv->key = ntohl(nla_get_be32(tb[NFTA_META_KEY]));
d2caa696
PM		 641 switch (priv->key) {
642 case NFT_META_MARK:
643 case NFT_META_PRIORITY:
b473a1f5
CG		 644#ifdef CONFIG_NETWORK_SECMARK
645 case NFT_META_SECMARK:
646#endif
d07db988
PM		 647 len = sizeof(u32);
648 break;
d2caa696 649 case NFT_META_NFTRACE:
d07db988 650 len = sizeof(u8);
d2caa696 651 break;
b4aae759 652 case NFT_META_PKTTYPE:
b4aae759
FW		 653 len = sizeof(u8);
654 break;
d2caa696
PM		 655 default:
656 return -EOPNOTSUPP;
e035b77a
ABG		 657 }
658
34cc9e52 659 priv->len = len;
4f16d25c 660 err = nft_parse_register_load(tb[NFTA_META_SREG], &priv->sreg, len);
b38895c5
PNA		 661 if (err < 0)
662 return err;
e035b77a 663
e639f7ab
FW		 664 if (priv->key == NFT_META_NFTRACE)
665 static_branch_inc(&nft_trace_enabled);
666
e035b77a 667 return 0;
96518518 668}
30e103fe 669EXPORT_SYMBOL_GPL(nft_meta_set_init);
96518518 670
30e103fe 671int nft_meta_get_dump(struct sk_buff *skb,
7d34aa3e 672 const struct nft_expr *expr, bool reset)
96518518
PM		 673{
674 const struct nft_meta *priv = nft_expr_priv(expr);
675
e035b77a
ABG		 676 if (nla_put_be32(skb, NFTA_META_KEY, htonl(priv->key)))
677 goto nla_put_failure;
b1c96ed3 678 if (nft_dump_register(skb, NFTA_META_DREG, priv->dreg))
96518518 679 goto nla_put_failure;
e035b77a
ABG		 680 return 0;
681
682nla_put_failure:
683 return -1;
684}
30e103fe 685EXPORT_SYMBOL_GPL(nft_meta_get_dump);
e035b77a 686
7d34aa3e
PS		 687int nft_meta_set_dump(struct sk_buff *skb,
688 const struct nft_expr *expr, bool reset)
e035b77a
ABG		 689{
690 const struct nft_meta *priv = nft_expr_priv(expr);
691
96518518
PM		 692 if (nla_put_be32(skb, NFTA_META_KEY, htonl(priv->key)))
693 goto nla_put_failure;
b1c96ed3 694 if (nft_dump_register(skb, NFTA_META_SREG, priv->sreg))
e035b77a
ABG		 695 goto nla_put_failure;
696
96518518
PM		 697 return 0;
698
699nla_put_failure:
700 return -1;
701}
30e103fe 702EXPORT_SYMBOL_GPL(nft_meta_set_dump);
96518518 703
30e103fe 704void nft_meta_set_destroy(const struct nft_ctx *ctx,
705 const struct nft_expr *expr)
e639f7ab
FW		 706{
707 const struct nft_meta *priv = nft_expr_priv(expr);
708
709 if (priv->key == NFT_META_NFTRACE)
710 static_branch_dec(&nft_trace_enabled);
711}
30e103fe 712EXPORT_SYMBOL_GPL(nft_meta_set_destroy);
e639f7ab 713
c9626a2c
PNA		 714static int nft_meta_get_offload(struct nft_offload_ctx *ctx,
715 struct nft_flow_rule *flow,
716 const struct nft_expr *expr)
717{
718 const struct nft_meta *priv = nft_expr_priv(expr);
719 struct nft_offload_reg *reg = &ctx->regs[priv->dreg];
720
721 switch (priv->key) {
722 case NFT_META_PROTOCOL:
a5d45bc0
PNA		 723 NFT_OFFLOAD_MATCH_EXACT(FLOW_DISSECTOR_KEY_BASIC, basic, n_proto,
724 sizeof(__u16), reg);
c9626a2c
PNA		 725 nft_offload_set_dependency(ctx, NFT_OFFLOAD_DEP_NETWORK);
726 break;
727 case NFT_META_L4PROTO:
a5d45bc0
PNA		 728 NFT_OFFLOAD_MATCH_EXACT(FLOW_DISSECTOR_KEY_BASIC, basic, ip_proto,
729 sizeof(__u8), reg);
c9626a2c
PNA		 730 nft_offload_set_dependency(ctx, NFT_OFFLOAD_DEP_TRANSPORT);
731 break;
25da5eb3 732 case NFT_META_IIF:
a5d45bc0
PNA		 733 NFT_OFFLOAD_MATCH_EXACT(FLOW_DISSECTOR_KEY_META, meta,
734 ingress_ifindex, sizeof(__u32), reg);
25da5eb3 735 break;
8819efc9 736 case NFT_META_IIFTYPE:
a5d45bc0
PNA		 737 NFT_OFFLOAD_MATCH_EXACT(FLOW_DISSECTOR_KEY_META, meta,
738 ingress_iftype, sizeof(__u16), reg);
8819efc9 739 break;
c9626a2c
PNA		 740 default:
741 return -EOPNOTSUPP;
742 }
743
744 return 0;
745}
746
aaa7b20b
FW		 747bool nft_meta_get_reduce(struct nft_regs_track *track,
748 const struct nft_expr *expr)
9b17afb2
PNA		 749{
750 const struct nft_meta *priv = nft_expr_priv(expr);
751 const struct nft_meta *meta;
752
34cc9e52
PNA		 753 if (!nft_reg_track_cmp(track, expr, priv->dreg)) {
754 nft_reg_track_update(track, expr, priv->dreg, priv->len);
9b17afb2
PNA		 755 return false;
756 }
757
758 meta = nft_expr_priv(track->regs[priv->dreg].selector);
759 if (priv->key != meta->key ||
760 priv->dreg != meta->dreg) {
34cc9e52 761 nft_reg_track_update(track, expr, priv->dreg, priv->len);
9b17afb2
PNA		 762 return false;
763 }
764
765 if (!track->regs[priv->dreg].bitwise)
766 return true;
767
be5650f8 768 return nft_expr_reduce_bitwise(track, expr);
9b17afb2 769}
aaa7b20b 770EXPORT_SYMBOL_GPL(nft_meta_get_reduce);
9b17afb2 771
e035b77a 772static const struct nft_expr_ops nft_meta_get_ops = {
ef1f7df9 773 .type = &nft_meta_type,
96518518 774 .size = NFT_EXPR_SIZE(sizeof(struct nft_meta)),
e035b77a 775 .eval = nft_meta_get_eval,
d2caa696 776 .init = nft_meta_get_init,
e035b77a 777 .dump = nft_meta_get_dump,
9b17afb2 778 .reduce = nft_meta_get_reduce,
f6931f5f 779 .validate = nft_meta_get_validate,
c9626a2c 780 .offload = nft_meta_get_offload,
ef1f7df9
PM		 781};
782
4a80e026
PNA		 783static bool nft_meta_set_reduce(struct nft_regs_track *track,
784 const struct nft_expr *expr)
785{
786 int i;
787
788 for (i = 0; i < NFT_REG32_NUM; i++) {
789 if (!track->regs[i].selector)
790 continue;
791
792 if (track->regs[i].selector->ops != &nft_meta_get_ops)
793 continue;
794
34cc9e52 795 __nft_reg_track_cancel(track, i);
4a80e026
PNA		 796 }
797
798 return false;
799}
800
e035b77a
ABG		 801static const struct nft_expr_ops nft_meta_set_ops = {
802 .type = &nft_meta_type,
803 .size = NFT_EXPR_SIZE(sizeof(struct nft_meta)),
804 .eval = nft_meta_set_eval,
d2caa696 805 .init = nft_meta_set_init,
e639f7ab 806 .destroy = nft_meta_set_destroy,
e035b77a 807 .dump = nft_meta_set_dump,
4a80e026 808 .reduce = nft_meta_set_reduce,
960fa72f 809 .validate = nft_meta_set_validate,
e035b77a
ABG		 810};
811
812static const struct nft_expr_ops *
813nft_meta_select_ops(const struct nft_ctx *ctx,
814 const struct nlattr * const tb[])
815{
816 if (tb[NFTA_META_KEY] == NULL)
817 return ERR_PTR(-EINVAL);
818
819 if (tb[NFTA_META_DREG] && tb[NFTA_META_SREG])
820 return ERR_PTR(-EINVAL);
821
dfee0e99 822#if IS_ENABLED(CONFIG_NF_TABLES_BRIDGE) && IS_MODULE(CONFIG_NFT_BRIDGE_META)
0ef1efd1
PNA		 823 if (ctx->family == NFPROTO_BRIDGE)
824 return ERR_PTR(-EAGAIN);
825#endif
e035b77a
ABG		 826 if (tb[NFTA_META_DREG])
827 return &nft_meta_get_ops;
828
829 if (tb[NFTA_META_SREG])
830 return &nft_meta_set_ops;
831
832 return ERR_PTR(-EINVAL);
833}
834
a150d122
PNA		 835static int nft_meta_inner_init(const struct nft_ctx *ctx,
836 const struct nft_expr *expr,
837 const struct nlattr * const tb[])
838{
839 struct nft_meta *priv = nft_expr_priv(expr);
840 unsigned int len;
841
c4ab9da8
DO		 842 if (!tb[NFTA_META_KEY] || !tb[NFTA_META_DREG])
843 return -EINVAL;
844
a150d122
PNA		 845 priv->key = ntohl(nla_get_be32(tb[NFTA_META_KEY]));
846 switch (priv->key) {
847 case NFT_META_PROTOCOL:
848 len = sizeof(u16);
849 break;
850 case NFT_META_L4PROTO:
851 len = sizeof(u32);
852 break;
853 default:
854 return -EOPNOTSUPP;
855 }
856 priv->len = len;
857
858 return nft_parse_register_store(ctx, tb[NFTA_META_DREG], &priv->dreg,
859 NULL, NFT_DATA_VALUE, len);
860}
861
862void nft_meta_inner_eval(const struct nft_expr *expr,
863 struct nft_regs *regs,
864 const struct nft_pktinfo *pkt,
865 struct nft_inner_tun_ctx *tun_ctx)
866{
867 const struct nft_meta *priv = nft_expr_priv(expr);
868 u32 *dest = &regs->data[priv->dreg];
869
870 switch (priv->key) {
871 case NFT_META_PROTOCOL:
872 nft_reg_store16(dest, (__force u16)tun_ctx->llproto);
873 break;
874 case NFT_META_L4PROTO:
875 if (!(tun_ctx->flags & NFT_PAYLOAD_CTX_INNER_TH))
876 goto err;
877
878 nft_reg_store8(dest, tun_ctx->l4proto);
879 break;
880 default:
881 WARN_ON_ONCE(1);
882 goto err;
883 }
884 return;
885
886err:
887 regs->verdict.code = NFT_BREAK;
888}
889EXPORT_SYMBOL_GPL(nft_meta_inner_eval);
890
891static const struct nft_expr_ops nft_meta_inner_ops = {
892 .type = &nft_meta_type,
893 .size = NFT_EXPR_SIZE(sizeof(struct nft_meta)),
894 .init = nft_meta_inner_init,
895 .dump = nft_meta_get_dump,
896 /* direct call to nft_meta_inner_eval(). */
897};
898
8a22543c 899struct nft_expr_type nft_meta_type __read_mostly = {
ef1f7df9 900 .name = "meta",
d4ef3835 901 .select_ops = nft_meta_select_ops,
a150d122 902 .inner_ops = &nft_meta_inner_ops,
96518518
PM		 903 .policy = nft_meta_policy,
904 .maxattr = NFTA_META_MAX,
ef1f7df9 905 .owner = THIS_MODULE,
96518518 906};
fb961945
CG		 907
908#ifdef CONFIG_NETWORK_SECMARK
909struct nft_secmark {
910 u32 secid;
911 char *ctx;
912};
913
914static const struct nla_policy nft_secmark_policy[NFTA_SECMARK_MAX + 1] = {
915 [NFTA_SECMARK_CTX] = { .type = NLA_STRING, .len = NFT_SECMARK_CTX_MAXLEN },
916};
917
918static int nft_secmark_compute_secid(struct nft_secmark *priv)
919{
920 u32 tmp_secid = 0;
921 int err;
922
923 err = security_secctx_to_secid(priv->ctx, strlen(priv->ctx), &tmp_secid);
924 if (err)
925 return err;
926
927 if (!tmp_secid)
928 return -ENOENT;
929
930 err = security_secmark_relabel_packet(tmp_secid);
931 if (err)
932 return err;
933
934 priv->secid = tmp_secid;
935 return 0;
936}
937
938static void nft_secmark_obj_eval(struct nft_object *obj, struct nft_regs *regs,
939 const struct nft_pktinfo *pkt)
940{
941 const struct nft_secmark *priv = nft_obj_data(obj);
942 struct sk_buff *skb = pkt->skb;
943
944 skb->secmark = priv->secid;
945}
946
947static int nft_secmark_obj_init(const struct nft_ctx *ctx,
948 const struct nlattr * const tb[],
949 struct nft_object *obj)
950{
951 struct nft_secmark *priv = nft_obj_data(obj);
952 int err;
953
954 if (tb[NFTA_SECMARK_CTX] == NULL)
955 return -EINVAL;
956
957 priv->ctx = nla_strdup(tb[NFTA_SECMARK_CTX], GFP_KERNEL);
958 if (!priv->ctx)
959 return -ENOMEM;
960
961 err = nft_secmark_compute_secid(priv);
962 if (err) {
963 kfree(priv->ctx);
964 return err;
965 }
966
967 security_secmark_refcount_inc();
968
969 return 0;
970}
971
972static int nft_secmark_obj_dump(struct sk_buff *skb, struct nft_object *obj,
973 bool reset)
974{
975 struct nft_secmark *priv = nft_obj_data(obj);
976 int err;
977
978 if (nla_put_string(skb, NFTA_SECMARK_CTX, priv->ctx))
979 return -1;
980
981 if (reset) {
982 err = nft_secmark_compute_secid(priv);
983 if (err)
984 return err;
985 }
986
987 return 0;
988}
989
990static void nft_secmark_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
991{
992 struct nft_secmark *priv = nft_obj_data(obj);
993
994 security_secmark_refcount_dec();
995
996 kfree(priv->ctx);
997}
998
999static const struct nft_object_ops nft_secmark_obj_ops = {
1000 .type = &nft_secmark_obj_type,
1001 .size = sizeof(struct nft_secmark),
1002 .init = nft_secmark_obj_init,
1003 .eval = nft_secmark_obj_eval,
1004 .dump = nft_secmark_obj_dump,
1005 .destroy = nft_secmark_obj_destroy,
1006};
1007struct nft_object_type nft_secmark_obj_type __read_mostly = {
1008 .type = NFT_OBJECT_SECMARK,
1009 .ops = &nft_secmark_obj_ops,
1010 .maxattr = NFTA_SECMARK_MAX,
1011 .policy = nft_secmark_policy,
1012 .owner = THIS_MODULE,
1013};
1014#endif /* CONFIG_NETWORK_SECMARK */
Linux 6.x block layer and io_uring tree(s)