[linux-block.git] / net / netfilter / nft_tproxy.c

/* SPDX-License-Identifier: GPL-2.0 */
#include <linux/module.h>
#include <linux/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables_core.h>
#include <net/netfilter/nf_tproxy.h>
#include <net/inet_sock.h>
#include <net/tcp.h>
#include <linux/if_ether.h>
#include <net/netfilter/ipv4/nf_defrag_ipv4.h>
#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
#include <net/netfilter/ipv6/nf_defrag_ipv6.h>
#endif

struct nft_tproxy {
	u8	sreg_addr;
	u8	sreg_port;
	u8	family;
};

static void nft_tproxy_eval_v4(const struct nft_expr *expr,
			       struct nft_regs *regs,
			       const struct nft_pktinfo *pkt)
{
	const struct nft_tproxy *priv = nft_expr_priv(expr);
	struct sk_buff *skb = pkt->skb;
	const struct iphdr *iph = ip_hdr(skb);
	struct udphdr _hdr, *hp;
	__be32 taddr = 0;
	__be16 tport = 0;
	struct sock *sk;

	if (pkt->tprot != IPPROTO_TCP &&
	    pkt->tprot != IPPROTO_UDP) {
		regs->verdict.code = NFT_BREAK;
		return;
	}

	hp = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_hdr), &_hdr);
	if (!hp) {
		regs->verdict.code = NFT_BREAK;
		return;
	}

	/* check if there's an ongoing connection on the packet addresses, this
	 * happens if the redirect already happened and the current packet
	 * belongs to an already established connection
	 */
	sk = nf_tproxy_get_sock_v4(nft_net(pkt), skb, iph->protocol,
				   iph->saddr, iph->daddr,
				   hp->source, hp->dest,
				   skb->dev, NF_TPROXY_LOOKUP_ESTABLISHED);

	if (priv->sreg_addr)
		taddr = nft_reg_load_be32(&regs->data[priv->sreg_addr]);
	taddr = nf_tproxy_laddr4(skb, taddr, iph->daddr);

	if (priv->sreg_port)
		tport = nft_reg_load_be16(&regs->data[priv->sreg_port]);
	if (!tport)
		tport = hp->dest;

	/* UDP has no TCP_TIME_WAIT state, so we never enter here */
	if (sk && sk->sk_state == TCP_TIME_WAIT) {
		/* reopening a TIME_WAIT connection needs special handling */
		sk = nf_tproxy_handle_time_wait4(nft_net(pkt), skb, taddr, tport, sk);
	} else if (!sk) {
		/* no, there's no established connection, check if
		 * there's a listener on the redirected addr/port
		 */
		sk = nf_tproxy_get_sock_v4(nft_net(pkt), skb, iph->protocol,
					   iph->saddr, taddr,
					   hp->source, tport,
					   skb->dev, NF_TPROXY_LOOKUP_LISTENER);
	}

	if (sk && nf_tproxy_sk_is_transparent(sk))
		nf_tproxy_assign_sock(skb, sk);
	else
		regs->verdict.code = NFT_BREAK;
}

#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
static void nft_tproxy_eval_v6(const struct nft_expr *expr,
			       struct nft_regs *regs,
			       const struct nft_pktinfo *pkt)
{
	const struct nft_tproxy *priv = nft_expr_priv(expr);
	struct sk_buff *skb = pkt->skb;
	const struct ipv6hdr *iph = ipv6_hdr(skb);
	int thoff = nft_thoff(pkt);
	struct udphdr _hdr, *hp;
	struct in6_addr taddr;
	__be16 tport = 0;
	struct sock *sk;
	int l4proto;

	memset(&taddr, 0, sizeof(taddr));

	if (pkt->tprot != IPPROTO_TCP &&
	    pkt->tprot != IPPROTO_UDP) {
		regs->verdict.code = NFT_BREAK;
		return;
	}
	l4proto = pkt->tprot;

	hp = skb_header_pointer(skb, thoff, sizeof(_hdr), &_hdr);
	if (hp == NULL) {
		regs->verdict.code = NFT_BREAK;
		return;
	}

	/* check if there's an ongoing connection on the packet addresses, this
	 * happens if the redirect already happened and the current packet
	 * belongs to an already established connection
	 */
	sk = nf_tproxy_get_sock_v6(nft_net(pkt), skb, thoff, l4proto,
				   &iph->saddr, &iph->daddr,
				   hp->source, hp->dest,
				   nft_in(pkt), NF_TPROXY_LOOKUP_ESTABLISHED);

	if (priv->sreg_addr)
		memcpy(&taddr, &regs->data[priv->sreg_addr], sizeof(taddr));
	taddr = *nf_tproxy_laddr6(skb, &taddr, &iph->daddr);

	if (priv->sreg_port)
		tport = nft_reg_load_be16(&regs->data[priv->sreg_port]);
	if (!tport)
		tport = hp->dest;

	/* UDP has no TCP_TIME_WAIT state, so we never enter here */
	if (sk && sk->sk_state == TCP_TIME_WAIT) {
		/* reopening a TIME_WAIT connection needs special handling */
		sk = nf_tproxy_handle_time_wait6(skb, l4proto, thoff,
						 nft_net(pkt),
						 &taddr,
						 tport,
						 sk);
	} else if (!sk) {
		/* no there's no established connection, check if
		 * there's a listener on the redirected addr/port
		 */
		sk = nf_tproxy_get_sock_v6(nft_net(pkt), skb, thoff,
					   l4proto, &iph->saddr, &taddr,
					   hp->source, tport,
					   nft_in(pkt), NF_TPROXY_LOOKUP_LISTENER);
	}

	/* NOTE: assign_sock consumes our sk reference */
	if (sk && nf_tproxy_sk_is_transparent(sk))
		nf_tproxy_assign_sock(skb, sk);
	else
		regs->verdict.code = NFT_BREAK;
}
#endif

static void nft_tproxy_eval(const struct nft_expr *expr,
			    struct nft_regs *regs,
			    const struct nft_pktinfo *pkt)
{
	const struct nft_tproxy *priv = nft_expr_priv(expr);

	switch (nft_pf(pkt)) {
	case NFPROTO_IPV4:
		switch (priv->family) {
		case NFPROTO_IPV4:
		case NFPROTO_UNSPEC:
			nft_tproxy_eval_v4(expr, regs, pkt);
			return;
		}
		break;
#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
	case NFPROTO_IPV6:
		switch (priv->family) {
		case NFPROTO_IPV6:
		case NFPROTO_UNSPEC:
			nft_tproxy_eval_v6(expr, regs, pkt);
			return;
		}
#endif
	}
	regs->verdict.code = NFT_BREAK;
}

static const struct nla_policy nft_tproxy_policy[NFTA_TPROXY_MAX + 1] = {
	[NFTA_TPROXY_FAMILY]   = { .type = NLA_U32 },
	[NFTA_TPROXY_REG_ADDR] = { .type = NLA_U32 },
	[NFTA_TPROXY_REG_PORT] = { .type = NLA_U32 },
};

static int nft_tproxy_init(const struct nft_ctx *ctx,
			   const struct nft_expr *expr,
			   const struct nlattr * const tb[])
{
	struct nft_tproxy *priv = nft_expr_priv(expr);
	unsigned int alen = 0;
	int err;

	if (!tb[NFTA_TPROXY_FAMILY] ||
	    (!tb[NFTA_TPROXY_REG_ADDR] && !tb[NFTA_TPROXY_REG_PORT]))
		return -EINVAL;

	priv->family = ntohl(nla_get_be32(tb[NFTA_TPROXY_FAMILY]));

	switch (ctx->family) {
	case NFPROTO_IPV4:
		if (priv->family != NFPROTO_IPV4)
			return -EINVAL;
		break;
#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
	case NFPROTO_IPV6:
		if (priv->family != NFPROTO_IPV6)
			return -EINVAL;
		break;
#endif
	case NFPROTO_INET:
		break;
	default:
		return -EOPNOTSUPP;
	}

	/* Address is specified but the rule family is not set accordingly */
	if (priv->family == NFPROTO_UNSPEC && tb[NFTA_TPROXY_REG_ADDR])
		return -EINVAL;

	switch (priv->family) {
	case NFPROTO_IPV4:
		alen = sizeof_field(union nf_inet_addr, in);
		err = nf_defrag_ipv4_enable(ctx->net);
		if (err)
			return err;
		break;
#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
	case NFPROTO_IPV6:
		alen = sizeof_field(union nf_inet_addr, in6);
		err = nf_defrag_ipv6_enable(ctx->net);
		if (err)
			return err;
		break;
#endif
	case NFPROTO_UNSPEC:
		/* No address is specified here */
		err = nf_defrag_ipv4_enable(ctx->net);
		if (err)
			return err;
#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
		err = nf_defrag_ipv6_enable(ctx->net);
		if (err)
			return err;
#endif
		break;
	default:
		return -EOPNOTSUPP;
	}

	if (tb[NFTA_TPROXY_REG_ADDR]) {
		err = nft_parse_register_load(tb[NFTA_TPROXY_REG_ADDR],
					      &priv->sreg_addr, alen);
		if (err < 0)
			return err;
	}

	if (tb[NFTA_TPROXY_REG_PORT]) {
		err = nft_parse_register_load(tb[NFTA_TPROXY_REG_PORT],
					      &priv->sreg_port, sizeof(u16));
		if (err < 0)
			return err;
	}

	return 0;
}

static void nft_tproxy_destroy(const struct nft_ctx *ctx,
			       const struct nft_expr *expr)
{
	const struct nft_tproxy *priv = nft_expr_priv(expr);

	switch (priv->family) {
	case NFPROTO_IPV4:
		nf_defrag_ipv4_disable(ctx->net);
		break;
#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
	case NFPROTO_IPV6:
		nf_defrag_ipv6_disable(ctx->net);
		break;
#endif
	case NFPROTO_UNSPEC:
		nf_defrag_ipv4_disable(ctx->net);
#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
		nf_defrag_ipv6_disable(ctx->net);
#endif
		break;
	}
}

static int nft_tproxy_dump(struct sk_buff *skb,
			   const struct nft_expr *expr, bool reset)
{
	const struct nft_tproxy *priv = nft_expr_priv(expr);

	if (nla_put_be32(skb, NFTA_TPROXY_FAMILY, htonl(priv->family)))
		return -1;

	if (priv->sreg_addr &&
	    nft_dump_register(skb, NFTA_TPROXY_REG_ADDR, priv->sreg_addr))
		return -1;

	if (priv->sreg_port &&
	    nft_dump_register(skb, NFTA_TPROXY_REG_PORT, priv->sreg_port))
			return -1;

	return 0;
}

static int nft_tproxy_validate(const struct nft_ctx *ctx,
			       const struct nft_expr *expr,
			       const struct nft_data **data)
{
	return nft_chain_validate_hooks(ctx->chain, 1 << NF_INET_PRE_ROUTING);
}

static struct nft_expr_type nft_tproxy_type;
static const struct nft_expr_ops nft_tproxy_ops = {
	.type		= &nft_tproxy_type,
	.size		= NFT_EXPR_SIZE(sizeof(struct nft_tproxy)),
	.eval		= nft_tproxy_eval,
	.init		= nft_tproxy_init,
	.destroy	= nft_tproxy_destroy,
	.dump		= nft_tproxy_dump,
	.reduce		= NFT_REDUCE_READONLY,
	.validate	= nft_tproxy_validate,
};

static struct nft_expr_type nft_tproxy_type __read_mostly = {
	.name		= "tproxy",
	.ops		= &nft_tproxy_ops,
	.policy		= nft_tproxy_policy,
	.maxattr	= NFTA_TPROXY_MAX,
	.owner		= THIS_MODULE,
};

static int __init nft_tproxy_module_init(void)
{
	return nft_register_expr(&nft_tproxy_type);
}

static void __exit nft_tproxy_module_exit(void)
{
	nft_unregister_expr(&nft_tproxy_type);
}

module_init(nft_tproxy_module_init);
module_exit(nft_tproxy_module_exit);

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Máté Eckl");
MODULE_DESCRIPTION("nf_tables tproxy support module");
MODULE_ALIAS_NFT_EXPR("tproxy");
Commit	Line	Data
4ed8eb65 ME	1	/* SPDX-License-Identifier: GPL-2.0 */
	2	#include <linux/module.h>
	3	#include <linux/netfilter/nf_tables.h>
	4	#include <net/netfilter/nf_tables.h>
	5	#include <net/netfilter/nf_tables_core.h>
	6	#include <net/netfilter/nf_tproxy.h>
	7	#include <net/inet_sock.h>
	8	#include <net/tcp.h>
	9	#include <linux/if_ether.h>
	10	#include <net/netfilter/ipv4/nf_defrag_ipv4.h>
	11	#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
	12	#include <net/netfilter/ipv6/nf_defrag_ipv6.h>
	13	#endif
	14
	15	struct nft_tproxy {
4f16d25c PNA	16	u8 sreg_addr;
	17	u8 sreg_port;
	18	u8 family;
4ed8eb65 ME	19	};
	20
	21	static void nft_tproxy_eval_v4(const struct nft_expr *expr,
	22	struct nft_regs *regs,
	23	const struct nft_pktinfo *pkt)
	24	{
	25	const struct nft_tproxy *priv = nft_expr_priv(expr);
	26	struct sk_buff *skb = pkt->skb;
	27	const struct iphdr *iph = ip_hdr(skb);
	28	struct udphdr _hdr, *hp;
	29	__be32 taddr = 0;
	30	__be16 tport = 0;
	31	struct sock *sk;
	32
52f0f4e1 PNA	33	if (pkt->tprot != IPPROTO_TCP &&
	34	pkt->tprot != IPPROTO_UDP) {
	35	regs->verdict.code = NFT_BREAK;
	36	return;
	37	}
	38
4ed8eb65 ME	39	hp = skb_header_pointer(skb, ip_hdrlen(skb), sizeof(_hdr), &_hdr);
	40	if (!hp) {
	41	regs->verdict.code = NFT_BREAK;
	42	return;
	43	}
	44
	45	/* check if there's an ongoing connection on the packet addresses, this
	46	* happens if the redirect already happened and the current packet
	47	* belongs to an already established connection
	48	*/
	49	sk = nf_tproxy_get_sock_v4(nft_net(pkt), skb, iph->protocol,
	50	iph->saddr, iph->daddr,
	51	hp->source, hp->dest,
	52	skb->dev, NF_TPROXY_LOOKUP_ESTABLISHED);
	53
	54	if (priv->sreg_addr)
7278b3c1	55	taddr = nft_reg_load_be32(&regs->data[priv->sreg_addr]);
4ed8eb65 ME	56	taddr = nf_tproxy_laddr4(skb, taddr, iph->daddr);
	57
	58	if (priv->sreg_port)
7278b3c1	59	tport = nft_reg_load_be16(&regs->data[priv->sreg_port]);
4ed8eb65 ME	60	if (!tport)
	61	tport = hp->dest;
	62
	63	/* UDP has no TCP_TIME_WAIT state, so we never enter here */
	64	if (sk && sk->sk_state == TCP_TIME_WAIT) {
	65	/* reopening a TIME_WAIT connection needs special handling */
	66	sk = nf_tproxy_handle_time_wait4(nft_net(pkt), skb, taddr, tport, sk);
	67	} else if (!sk) {
	68	/* no, there's no established connection, check if
	69	* there's a listener on the redirected addr/port
	70	*/
	71	sk = nf_tproxy_get_sock_v4(nft_net(pkt), skb, iph->protocol,
	72	iph->saddr, taddr,
	73	hp->source, tport,
	74	skb->dev, NF_TPROXY_LOOKUP_LISTENER);
	75	}
	76
	77	if (sk && nf_tproxy_sk_is_transparent(sk))
	78	nf_tproxy_assign_sock(skb, sk);
	79	else
	80	regs->verdict.code = NFT_BREAK;
	81	}
	82
	83	#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
	84	static void nft_tproxy_eval_v6(const struct nft_expr *expr,
	85	struct nft_regs *regs,
	86	const struct nft_pktinfo *pkt)
	87	{
	88	const struct nft_tproxy *priv = nft_expr_priv(expr);
	89	struct sk_buff *skb = pkt->skb;
	90	const struct ipv6hdr *iph = ipv6_hdr(skb);
2d7b4ace	91	int thoff = nft_thoff(pkt);
4ed8eb65	92	struct udphdr _hdr, *hp;
2d7b4ace	93	struct in6_addr taddr;
4ed8eb65 ME	94	__be16 tport = 0;
	95	struct sock *sk;
	96	int l4proto;
	97
90d827f0 ME	98	memset(&taddr, 0, sizeof(taddr));
90d827f0 ME	99
52f0f4e1 PNA	100	if (pkt->tprot != IPPROTO_TCP &&
52f0f4e1 PNA	101	pkt->tprot != IPPROTO_UDP) {
4ed8eb65 ME	102	regs->verdict.code = NFT_BREAK;
	103	return;
	104	}
	105	l4proto = pkt->tprot;
	106
	107	hp = skb_header_pointer(skb, thoff, sizeof(_hdr), &_hdr);
	108	if (hp == NULL) {
	109	regs->verdict.code = NFT_BREAK;
	110	return;
	111	}
	112
	113	/* check if there's an ongoing connection on the packet addresses, this
	114	* happens if the redirect already happened and the current packet
	115	* belongs to an already established connection
	116	*/
	117	sk = nf_tproxy_get_sock_v6(nft_net(pkt), skb, thoff, l4proto,
	118	&iph->saddr, &iph->daddr,
	119	hp->source, hp->dest,
	120	nft_in(pkt), NF_TPROXY_LOOKUP_ESTABLISHED);
	121
	122	if (priv->sreg_addr)
	123	memcpy(&taddr, &regs->data[priv->sreg_addr], sizeof(taddr));
	124	taddr = *nf_tproxy_laddr6(skb, &taddr, &iph->daddr);
	125
	126	if (priv->sreg_port)
7278b3c1	127	tport = nft_reg_load_be16(&regs->data[priv->sreg_port]);
4ed8eb65 ME	128	if (!tport)
	129	tport = hp->dest;
	130
	131	/* UDP has no TCP_TIME_WAIT state, so we never enter here */
	132	if (sk && sk->sk_state == TCP_TIME_WAIT) {
	133	/* reopening a TIME_WAIT connection needs special handling */
	134	sk = nf_tproxy_handle_time_wait6(skb, l4proto, thoff,
	135	nft_net(pkt),
	136	&taddr,
	137	tport,
	138	sk);
	139	} else if (!sk) {
	140	/* no there's no established connection, check if
	141	* there's a listener on the redirected addr/port
	142	*/
	143	sk = nf_tproxy_get_sock_v6(nft_net(pkt), skb, thoff,
	144	l4proto, &iph->saddr, &taddr,
	145	hp->source, tport,
	146	nft_in(pkt), NF_TPROXY_LOOKUP_LISTENER);
	147	}
	148
	149	/* NOTE: assign_sock consumes our sk reference */
	150	if (sk && nf_tproxy_sk_is_transparent(sk))
	151	nf_tproxy_assign_sock(skb, sk);
	152	else
	153	regs->verdict.code = NFT_BREAK;
	154	}
	155	#endif
	156
	157	static void nft_tproxy_eval(const struct nft_expr *expr,
	158	struct nft_regs *regs,
	159	const struct nft_pktinfo *pkt)
	160	{
	161	const struct nft_tproxy *priv = nft_expr_priv(expr);
	162
	163	switch (nft_pf(pkt)) {
	164	case NFPROTO_IPV4:
	165	switch (priv->family) {
	166	case NFPROTO_IPV4:
	167	case NFPROTO_UNSPEC:
	168	nft_tproxy_eval_v4(expr, regs, pkt);
	169	return;
	170	}
	171	break;
	172	#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
	173	case NFPROTO_IPV6:
	174	switch (priv->family) {
	175	case NFPROTO_IPV6:
	176	case NFPROTO_UNSPEC:
	177	nft_tproxy_eval_v6(expr, regs, pkt);
	178	return;
	179	}
	180	#endif
	181	}
	182	regs->verdict.code = NFT_BREAK;
	183	}
	184
	185	static const struct nla_policy nft_tproxy_policy[NFTA_TPROXY_MAX + 1] = {
	186	[NFTA_TPROXY_FAMILY] = { .type = NLA_U32 },
	187	[NFTA_TPROXY_REG_ADDR] = { .type = NLA_U32 },
	188	[NFTA_TPROXY_REG_PORT] = { .type = NLA_U32 },
	189	};
	190
	191	static int nft_tproxy_init(const struct nft_ctx *ctx,
192	const struct nft_expr *expr,
193	const struct nlattr * const tb[])
194	{
195	struct nft_tproxy *priv = nft_expr_priv(expr);
196	unsigned int alen = 0;
197	int err;
198
199	if (!tb[NFTA_TPROXY_FAMILY] \|\|
200	(!tb[NFTA_TPROXY_REG_ADDR] && !tb[NFTA_TPROXY_REG_PORT]))
201	return -EINVAL;
202
203	priv->family = ntohl(nla_get_be32(tb[NFTA_TPROXY_FAMILY]));
204
205	switch (ctx->family) {
206	case NFPROTO_IPV4:
207	if (priv->family != NFPROTO_IPV4)
208	return -EINVAL;
209	break;
210	#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
211	case NFPROTO_IPV6:
212	if (priv->family != NFPROTO_IPV6)
213	return -EINVAL;
214	break;
215	#endif
216	case NFPROTO_INET:
217	break;
218	default:
219	return -EOPNOTSUPP;
220	}
221
222	/* Address is specified but the rule family is not set accordingly */
223	if (priv->family == NFPROTO_UNSPEC && tb[NFTA_TPROXY_REG_ADDR])
224	return -EINVAL;
225
226	switch (priv->family) {
227	case NFPROTO_IPV4:
c593642c	228	alen = sizeof_field(union nf_inet_addr, in);
4ed8eb65 ME	229	err = nf_defrag_ipv4_enable(ctx->net);
	230	if (err)
	231	return err;
	232	break;
	233	#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
	234	case NFPROTO_IPV6:
c593642c	235	alen = sizeof_field(union nf_inet_addr, in6);
4ed8eb65 ME	236	err = nf_defrag_ipv6_enable(ctx->net);
	237	if (err)
	238	return err;
	239	break;
	240	#endif
	241	case NFPROTO_UNSPEC:
	242	/* No address is specified here */
	243	err = nf_defrag_ipv4_enable(ctx->net);
	244	if (err)
	245	return err;
033eab53	246	#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
4ed8eb65 ME	247	err = nf_defrag_ipv6_enable(ctx->net);
	248	if (err)
	249	return err;
033eab53	250	#endif
4ed8eb65 ME	251	break;
	252	default:
	253	return -EOPNOTSUPP;
	254	}
	255
	256	if (tb[NFTA_TPROXY_REG_ADDR]) {
4f16d25c PNA	257	err = nft_parse_register_load(tb[NFTA_TPROXY_REG_ADDR],
4f16d25c PNA	258	&priv->sreg_addr, alen);
4ed8eb65 ME	259	if (err < 0)
	260	return err;
	261	}
	262
	263	if (tb[NFTA_TPROXY_REG_PORT]) {
4f16d25c PNA	264	err = nft_parse_register_load(tb[NFTA_TPROXY_REG_PORT],
4f16d25c PNA	265	&priv->sreg_port, sizeof(u16));
4ed8eb65 ME	266	if (err < 0)
	267	return err;
	268	}
	269
	270	return 0;
	271	}
	272
de8c1211 FW	273	static void nft_tproxy_destroy(const struct nft_ctx *ctx,
	274	const struct nft_expr *expr)
	275	{
	276	const struct nft_tproxy *priv = nft_expr_priv(expr);
	277
	278	switch (priv->family) {
	279	case NFPROTO_IPV4:
	280	nf_defrag_ipv4_disable(ctx->net);
	281	break;
	282	#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
	283	case NFPROTO_IPV6:
	284	nf_defrag_ipv6_disable(ctx->net);
	285	break;
	286	#endif
	287	case NFPROTO_UNSPEC:
	288	nf_defrag_ipv4_disable(ctx->net);
	289	#if IS_ENABLED(CONFIG_NF_TABLES_IPV6)
	290	nf_defrag_ipv6_disable(ctx->net);
	291	#endif
	292	break;
	293	}
	294	}
	295
4ed8eb65	296	static int nft_tproxy_dump(struct sk_buff *skb,
7d34aa3e	297	const struct nft_expr *expr, bool reset)
4ed8eb65 ME	298	{
	299	const struct nft_tproxy *priv = nft_expr_priv(expr);
	300
	301	if (nla_put_be32(skb, NFTA_TPROXY_FAMILY, htonl(priv->family)))
	302	return -1;
	303
	304	if (priv->sreg_addr &&
	305	nft_dump_register(skb, NFTA_TPROXY_REG_ADDR, priv->sreg_addr))
	306	return -1;
	307
	308	if (priv->sreg_port &&
	309	nft_dump_register(skb, NFTA_TPROXY_REG_PORT, priv->sreg_port))
	310	return -1;
	311
	312	return 0;
	313	}
	314
18bbc321 FW	315	static int nft_tproxy_validate(const struct nft_ctx *ctx,
	316	const struct nft_expr *expr,
	317	const struct nft_data **data)
	318	{
	319	return nft_chain_validate_hooks(ctx->chain, 1 << NF_INET_PRE_ROUTING);
	320	}
	321
4ed8eb65 ME	322	static struct nft_expr_type nft_tproxy_type;
	323	static const struct nft_expr_ops nft_tproxy_ops = {
	324	.type = &nft_tproxy_type,
	325	.size = NFT_EXPR_SIZE(sizeof(struct nft_tproxy)),
	326	.eval = nft_tproxy_eval,
	327	.init = nft_tproxy_init,
de8c1211	328	.destroy = nft_tproxy_destroy,
4ed8eb65	329	.dump = nft_tproxy_dump,
b2d30654	330	.reduce = NFT_REDUCE_READONLY,
18bbc321	331	.validate = nft_tproxy_validate,
4ed8eb65 ME	332	};
	333
	334	static struct nft_expr_type nft_tproxy_type __read_mostly = {
	335	.name = "tproxy",
	336	.ops = &nft_tproxy_ops,
	337	.policy = nft_tproxy_policy,
	338	.maxattr = NFTA_TPROXY_MAX,
	339	.owner = THIS_MODULE,
	340	};
	341
	342	static int __init nft_tproxy_module_init(void)
	343	{
	344	return nft_register_expr(&nft_tproxy_type);
	345	}
	346
	347	static void __exit nft_tproxy_module_exit(void)
	348	{
	349	nft_unregister_expr(&nft_tproxy_type);
	350	}
	351
	352	module_init(nft_tproxy_module_init);
	353	module_exit(nft_tproxy_module_exit);
	354
	355	MODULE_LICENSE("GPL");
	356	MODULE_AUTHOR("Máté Eckl");
	357	MODULE_DESCRIPTION("nf_tables tproxy support module");
	358	MODULE_ALIAS_NFT_EXPR("tproxy");