1 // SPDX-License-Identifier: GPL-2.0-or-later
3 * net/sched/cls_api.c Packet classifier API.
5 * Authors: Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>
9 * Eduardo J. Blanco <ejbs@netlabs.com.uy> :990222: kmod support
12 #include <linux/module.h>
13 #include <linux/types.h>
14 #include <linux/kernel.h>
15 #include <linux/string.h>
16 #include <linux/errno.h>
17 #include <linux/err.h>
18 #include <linux/skbuff.h>
19 #include <linux/init.h>
20 #include <linux/kmod.h>
21 #include <linux/slab.h>
22 #include <linux/idr.h>
23 #include <linux/rhashtable.h>
24 #include <net/net_namespace.h>
26 #include <net/netlink.h>
27 #include <net/pkt_sched.h>
28 #include <net/pkt_cls.h>
29 #include <net/tc_act/tc_pedit.h>
30 #include <net/tc_act/tc_mirred.h>
31 #include <net/tc_act/tc_vlan.h>
32 #include <net/tc_act/tc_tunnel_key.h>
33 #include <net/tc_act/tc_csum.h>
34 #include <net/tc_act/tc_gact.h>
35 #include <net/tc_act/tc_police.h>
36 #include <net/tc_act/tc_sample.h>
37 #include <net/tc_act/tc_skbedit.h>
38 #include <net/tc_act/tc_ct.h>
39 #include <net/tc_act/tc_mpls.h>
40 #include <net/flow_offload.h>
42 extern const struct nla_policy rtm_tca_policy[TCA_MAX + 1];
44 /* The list of all installed classifier types */
45 static LIST_HEAD(tcf_proto_base);
47 /* Protects list of registered TC modules. It is pure SMP lock. */
48 static DEFINE_RWLOCK(cls_mod_lock);
50 /* Find classifier type by string name */
52 static const struct tcf_proto_ops *__tcf_proto_lookup_ops(const char *kind)
54 const struct tcf_proto_ops *t, *res = NULL;
57 read_lock(&cls_mod_lock);
58 list_for_each_entry(t, &tcf_proto_base, head) {
59 if (strcmp(kind, t->kind) == 0) {
60 if (try_module_get(t->owner))
65 read_unlock(&cls_mod_lock);
70 static const struct tcf_proto_ops *
71 tcf_proto_lookup_ops(const char *kind, bool rtnl_held,
72 struct netlink_ext_ack *extack)
74 const struct tcf_proto_ops *ops;
76 ops = __tcf_proto_lookup_ops(kind);
82 request_module("cls_%s", kind);
85 ops = __tcf_proto_lookup_ops(kind);
86 /* We dropped the RTNL semaphore in order to perform
87 * the module load. So, even if we succeeded in loading
88 * the module we have to replay the request. We indicate
92 module_put(ops->owner);
93 return ERR_PTR(-EAGAIN);
96 NL_SET_ERR_MSG(extack, "TC classifier not found");
97 return ERR_PTR(-ENOENT);
100 /* Register(unregister) new classifier type */
102 int register_tcf_proto_ops(struct tcf_proto_ops *ops)
104 struct tcf_proto_ops *t;
107 write_lock(&cls_mod_lock);
108 list_for_each_entry(t, &tcf_proto_base, head)
109 if (!strcmp(ops->kind, t->kind))
112 list_add_tail(&ops->head, &tcf_proto_base);
115 write_unlock(&cls_mod_lock);
118 EXPORT_SYMBOL(register_tcf_proto_ops);
120 static struct workqueue_struct *tc_filter_wq;
122 int unregister_tcf_proto_ops(struct tcf_proto_ops *ops)
124 struct tcf_proto_ops *t;
127 /* Wait for outstanding call_rcu()s, if any, from a
128 * tcf_proto_ops's destroy() handler.
131 flush_workqueue(tc_filter_wq);
133 write_lock(&cls_mod_lock);
134 list_for_each_entry(t, &tcf_proto_base, head) {
141 write_unlock(&cls_mod_lock);
144 EXPORT_SYMBOL(unregister_tcf_proto_ops);
146 bool tcf_queue_work(struct rcu_work *rwork, work_func_t func)
148 INIT_RCU_WORK(rwork, func);
149 return queue_rcu_work(tc_filter_wq, rwork);
151 EXPORT_SYMBOL(tcf_queue_work);
153 /* Select new prio value from the range, managed by kernel. */
155 static inline u32 tcf_auto_prio(struct tcf_proto *tp)
157 u32 first = TC_H_MAKE(0xC0000000U, 0U);
160 first = tp->prio - 1;
162 return TC_H_MAJ(first);
165 static bool tcf_proto_is_unlocked(const char *kind)
167 const struct tcf_proto_ops *ops;
170 ops = tcf_proto_lookup_ops(kind, false, NULL);
171 /* On error return false to take rtnl lock. Proto lookup/create
172 * functions will perform lookup again and properly handle errors.
177 ret = !!(ops->flags & TCF_PROTO_OPS_DOIT_UNLOCKED);
178 module_put(ops->owner);
182 static struct tcf_proto *tcf_proto_create(const char *kind, u32 protocol,
183 u32 prio, struct tcf_chain *chain,
185 struct netlink_ext_ack *extack)
187 struct tcf_proto *tp;
190 tp = kzalloc(sizeof(*tp), GFP_KERNEL);
192 return ERR_PTR(-ENOBUFS);
194 tp->ops = tcf_proto_lookup_ops(kind, rtnl_held, extack);
195 if (IS_ERR(tp->ops)) {
196 err = PTR_ERR(tp->ops);
199 tp->classify = tp->ops->classify;
200 tp->protocol = protocol;
203 spin_lock_init(&tp->lock);
204 refcount_set(&tp->refcnt, 1);
206 err = tp->ops->init(tp);
208 module_put(tp->ops->owner);
218 static void tcf_proto_get(struct tcf_proto *tp)
220 refcount_inc(&tp->refcnt);
223 static void tcf_chain_put(struct tcf_chain *chain);
225 static void tcf_proto_destroy(struct tcf_proto *tp, bool rtnl_held,
226 struct netlink_ext_ack *extack)
228 tp->ops->destroy(tp, rtnl_held, extack);
229 tcf_chain_put(tp->chain);
230 module_put(tp->ops->owner);
234 static void tcf_proto_put(struct tcf_proto *tp, bool rtnl_held,
235 struct netlink_ext_ack *extack)
237 if (refcount_dec_and_test(&tp->refcnt))
238 tcf_proto_destroy(tp, rtnl_held, extack);
241 static int walker_check_empty(struct tcf_proto *tp, void *fh,
242 struct tcf_walker *arg)
245 arg->nonempty = true;
251 static bool tcf_proto_is_empty(struct tcf_proto *tp, bool rtnl_held)
253 struct tcf_walker walker = { .fn = walker_check_empty, };
256 tp->ops->walk(tp, &walker, rtnl_held);
257 return !walker.nonempty;
262 static bool tcf_proto_check_delete(struct tcf_proto *tp, bool rtnl_held)
264 spin_lock(&tp->lock);
265 if (tcf_proto_is_empty(tp, rtnl_held))
267 spin_unlock(&tp->lock);
271 static void tcf_proto_mark_delete(struct tcf_proto *tp)
273 spin_lock(&tp->lock);
275 spin_unlock(&tp->lock);
278 static bool tcf_proto_is_deleting(struct tcf_proto *tp)
282 spin_lock(&tp->lock);
283 deleting = tp->deleting;
284 spin_unlock(&tp->lock);
289 #define ASSERT_BLOCK_LOCKED(block) \
290 lockdep_assert_held(&(block)->lock)
292 struct tcf_filter_chain_list_item {
293 struct list_head list;
294 tcf_chain_head_change_t *chain_head_change;
295 void *chain_head_change_priv;
298 static struct tcf_chain *tcf_chain_create(struct tcf_block *block,
301 struct tcf_chain *chain;
303 ASSERT_BLOCK_LOCKED(block);
305 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
308 list_add_tail(&chain->list, &block->chain_list);
309 mutex_init(&chain->filter_chain_lock);
310 chain->block = block;
311 chain->index = chain_index;
314 block->chain0.chain = chain;
318 static void tcf_chain_head_change_item(struct tcf_filter_chain_list_item *item,
319 struct tcf_proto *tp_head)
321 if (item->chain_head_change)
322 item->chain_head_change(tp_head, item->chain_head_change_priv);
325 static void tcf_chain0_head_change(struct tcf_chain *chain,
326 struct tcf_proto *tp_head)
328 struct tcf_filter_chain_list_item *item;
329 struct tcf_block *block = chain->block;
334 mutex_lock(&block->lock);
335 list_for_each_entry(item, &block->chain0.filter_chain_list, list)
336 tcf_chain_head_change_item(item, tp_head);
337 mutex_unlock(&block->lock);
340 /* Returns true if block can be safely freed. */
342 static bool tcf_chain_detach(struct tcf_chain *chain)
344 struct tcf_block *block = chain->block;
346 ASSERT_BLOCK_LOCKED(block);
348 list_del(&chain->list);
350 block->chain0.chain = NULL;
352 if (list_empty(&block->chain_list) &&
353 refcount_read(&block->refcnt) == 0)
359 static void tcf_block_destroy(struct tcf_block *block)
361 mutex_destroy(&block->lock);
362 kfree_rcu(block, rcu);
365 static void tcf_chain_destroy(struct tcf_chain *chain, bool free_block)
367 struct tcf_block *block = chain->block;
369 mutex_destroy(&chain->filter_chain_lock);
370 kfree_rcu(chain, rcu);
372 tcf_block_destroy(block);
375 static void tcf_chain_hold(struct tcf_chain *chain)
377 ASSERT_BLOCK_LOCKED(chain->block);
382 static bool tcf_chain_held_by_acts_only(struct tcf_chain *chain)
384 ASSERT_BLOCK_LOCKED(chain->block);
386 /* In case all the references are action references, this
387 * chain should not be shown to the user.
389 return chain->refcnt == chain->action_refcnt;
392 static struct tcf_chain *tcf_chain_lookup(struct tcf_block *block,
395 struct tcf_chain *chain;
397 ASSERT_BLOCK_LOCKED(block);
399 list_for_each_entry(chain, &block->chain_list, list) {
400 if (chain->index == chain_index)
406 static int tc_chain_notify(struct tcf_chain *chain, struct sk_buff *oskb,
407 u32 seq, u16 flags, int event, bool unicast);
409 static struct tcf_chain *__tcf_chain_get(struct tcf_block *block,
410 u32 chain_index, bool create,
413 struct tcf_chain *chain = NULL;
414 bool is_first_reference;
416 mutex_lock(&block->lock);
417 chain = tcf_chain_lookup(block, chain_index);
419 tcf_chain_hold(chain);
423 chain = tcf_chain_create(block, chain_index);
429 ++chain->action_refcnt;
430 is_first_reference = chain->refcnt - chain->action_refcnt == 1;
431 mutex_unlock(&block->lock);
433 /* Send notification only in case we got the first
434 * non-action reference. Until then, the chain acts only as
435 * a placeholder for actions pointing to it and user ought
436 * not know about them.
438 if (is_first_reference && !by_act)
439 tc_chain_notify(chain, NULL, 0, NLM_F_CREATE | NLM_F_EXCL,
440 RTM_NEWCHAIN, false);
445 mutex_unlock(&block->lock);
449 static struct tcf_chain *tcf_chain_get(struct tcf_block *block, u32 chain_index,
452 return __tcf_chain_get(block, chain_index, create, false);
455 struct tcf_chain *tcf_chain_get_by_act(struct tcf_block *block, u32 chain_index)
457 return __tcf_chain_get(block, chain_index, true, true);
459 EXPORT_SYMBOL(tcf_chain_get_by_act);
461 static void tc_chain_tmplt_del(const struct tcf_proto_ops *tmplt_ops,
463 static int tc_chain_notify_delete(const struct tcf_proto_ops *tmplt_ops,
464 void *tmplt_priv, u32 chain_index,
465 struct tcf_block *block, struct sk_buff *oskb,
466 u32 seq, u16 flags, bool unicast);
468 static void __tcf_chain_put(struct tcf_chain *chain, bool by_act,
469 bool explicitly_created)
471 struct tcf_block *block = chain->block;
472 const struct tcf_proto_ops *tmplt_ops;
473 bool free_block = false;
477 mutex_lock(&block->lock);
478 if (explicitly_created) {
479 if (!chain->explicitly_created) {
480 mutex_unlock(&block->lock);
483 chain->explicitly_created = false;
487 chain->action_refcnt--;
489 /* tc_chain_notify_delete can't be called while holding block lock.
490 * However, when block is unlocked chain can be changed concurrently, so
491 * save these to temporary variables.
493 refcnt = --chain->refcnt;
494 tmplt_ops = chain->tmplt_ops;
495 tmplt_priv = chain->tmplt_priv;
497 /* The last dropped non-action reference will trigger notification. */
498 if (refcnt - chain->action_refcnt == 0 && !by_act) {
499 tc_chain_notify_delete(tmplt_ops, tmplt_priv, chain->index,
500 block, NULL, 0, 0, false);
501 /* Last reference to chain, no need to lock. */
502 chain->flushing = false;
506 free_block = tcf_chain_detach(chain);
507 mutex_unlock(&block->lock);
510 tc_chain_tmplt_del(tmplt_ops, tmplt_priv);
511 tcf_chain_destroy(chain, free_block);
515 static void tcf_chain_put(struct tcf_chain *chain)
517 __tcf_chain_put(chain, false, false);
520 void tcf_chain_put_by_act(struct tcf_chain *chain)
522 __tcf_chain_put(chain, true, false);
524 EXPORT_SYMBOL(tcf_chain_put_by_act);
526 static void tcf_chain_put_explicitly_created(struct tcf_chain *chain)
528 __tcf_chain_put(chain, false, true);
531 static void tcf_chain_flush(struct tcf_chain *chain, bool rtnl_held)
533 struct tcf_proto *tp, *tp_next;
535 mutex_lock(&chain->filter_chain_lock);
536 tp = tcf_chain_dereference(chain->filter_chain, chain);
537 RCU_INIT_POINTER(chain->filter_chain, NULL);
538 tcf_chain0_head_change(chain, NULL);
539 chain->flushing = true;
540 mutex_unlock(&chain->filter_chain_lock);
543 tp_next = rcu_dereference_protected(tp->next, 1);
544 tcf_proto_put(tp, rtnl_held, NULL);
549 static int tcf_block_setup(struct tcf_block *block,
550 struct flow_block_offload *bo);
552 static void tc_indr_block_ing_cmd(struct net_device *dev,
553 struct tcf_block *block,
554 flow_indr_block_bind_cb_t *cb,
556 enum flow_block_command command)
558 struct flow_block_offload bo = {
560 .binder_type = FLOW_BLOCK_BINDER_TYPE_CLSACT_INGRESS,
562 .block_shared = tcf_block_non_null_shared(block),
564 INIT_LIST_HEAD(&bo.cb_list);
569 bo.block = &block->flow_block;
571 down_write(&block->cb_lock);
572 cb(dev, cb_priv, TC_SETUP_BLOCK, &bo);
574 tcf_block_setup(block, &bo);
575 up_write(&block->cb_lock);
578 static struct tcf_block *tc_dev_ingress_block(struct net_device *dev)
580 const struct Qdisc_class_ops *cops;
583 if (!dev_ingress_queue(dev))
586 qdisc = dev_ingress_queue(dev)->qdisc_sleeping;
590 cops = qdisc->ops->cl_ops;
594 if (!cops->tcf_block)
597 return cops->tcf_block(qdisc, TC_H_MIN_INGRESS, NULL);
600 static void tc_indr_block_get_and_ing_cmd(struct net_device *dev,
601 flow_indr_block_bind_cb_t *cb,
603 enum flow_block_command command)
605 struct tcf_block *block = tc_dev_ingress_block(dev);
607 tc_indr_block_ing_cmd(dev, block, cb, cb_priv, command);
610 static void tc_indr_block_call(struct tcf_block *block,
611 struct net_device *dev,
612 struct tcf_block_ext_info *ei,
613 enum flow_block_command command,
614 struct netlink_ext_ack *extack)
616 struct flow_block_offload bo = {
618 .binder_type = ei->binder_type,
620 .block = &block->flow_block,
621 .block_shared = tcf_block_shared(block),
624 INIT_LIST_HEAD(&bo.cb_list);
626 flow_indr_block_call(dev, &bo, command);
627 tcf_block_setup(block, &bo);
630 static bool tcf_block_offload_in_use(struct tcf_block *block)
632 return atomic_read(&block->offloadcnt);
635 static int tcf_block_offload_cmd(struct tcf_block *block,
636 struct net_device *dev,
637 struct tcf_block_ext_info *ei,
638 enum flow_block_command command,
639 struct netlink_ext_ack *extack)
641 struct flow_block_offload bo = {};
644 bo.net = dev_net(dev);
645 bo.command = command;
646 bo.binder_type = ei->binder_type;
647 bo.block = &block->flow_block;
648 bo.block_shared = tcf_block_shared(block);
650 INIT_LIST_HEAD(&bo.cb_list);
652 err = dev->netdev_ops->ndo_setup_tc(dev, TC_SETUP_BLOCK, &bo);
656 return tcf_block_setup(block, &bo);
659 static int tcf_block_offload_bind(struct tcf_block *block, struct Qdisc *q,
660 struct tcf_block_ext_info *ei,
661 struct netlink_ext_ack *extack)
663 struct net_device *dev = q->dev_queue->dev;
666 down_write(&block->cb_lock);
667 if (!dev->netdev_ops->ndo_setup_tc)
668 goto no_offload_dev_inc;
670 /* If tc offload feature is disabled and the block we try to bind
671 * to already has some offloaded filters, forbid to bind.
673 if (!tc_can_offload(dev) && tcf_block_offload_in_use(block)) {
674 NL_SET_ERR_MSG(extack, "Bind to offloaded block failed as dev has offload disabled");
679 err = tcf_block_offload_cmd(block, dev, ei, FLOW_BLOCK_BIND, extack);
680 if (err == -EOPNOTSUPP)
681 goto no_offload_dev_inc;
685 tc_indr_block_call(block, dev, ei, FLOW_BLOCK_BIND, extack);
686 up_write(&block->cb_lock);
690 if (tcf_block_offload_in_use(block)) {
695 block->nooffloaddevcnt++;
696 tc_indr_block_call(block, dev, ei, FLOW_BLOCK_BIND, extack);
698 up_write(&block->cb_lock);
702 static void tcf_block_offload_unbind(struct tcf_block *block, struct Qdisc *q,
703 struct tcf_block_ext_info *ei)
705 struct net_device *dev = q->dev_queue->dev;
708 down_write(&block->cb_lock);
709 tc_indr_block_call(block, dev, ei, FLOW_BLOCK_UNBIND, NULL);
711 if (!dev->netdev_ops->ndo_setup_tc)
712 goto no_offload_dev_dec;
713 err = tcf_block_offload_cmd(block, dev, ei, FLOW_BLOCK_UNBIND, NULL);
714 if (err == -EOPNOTSUPP)
715 goto no_offload_dev_dec;
716 up_write(&block->cb_lock);
720 WARN_ON(block->nooffloaddevcnt-- == 0);
721 up_write(&block->cb_lock);
725 tcf_chain0_head_change_cb_add(struct tcf_block *block,
726 struct tcf_block_ext_info *ei,
727 struct netlink_ext_ack *extack)
729 struct tcf_filter_chain_list_item *item;
730 struct tcf_chain *chain0;
732 item = kmalloc(sizeof(*item), GFP_KERNEL);
734 NL_SET_ERR_MSG(extack, "Memory allocation for head change callback item failed");
737 item->chain_head_change = ei->chain_head_change;
738 item->chain_head_change_priv = ei->chain_head_change_priv;
740 mutex_lock(&block->lock);
741 chain0 = block->chain0.chain;
743 tcf_chain_hold(chain0);
745 list_add(&item->list, &block->chain0.filter_chain_list);
746 mutex_unlock(&block->lock);
749 struct tcf_proto *tp_head;
751 mutex_lock(&chain0->filter_chain_lock);
753 tp_head = tcf_chain_dereference(chain0->filter_chain, chain0);
755 tcf_chain_head_change_item(item, tp_head);
757 mutex_lock(&block->lock);
758 list_add(&item->list, &block->chain0.filter_chain_list);
759 mutex_unlock(&block->lock);
761 mutex_unlock(&chain0->filter_chain_lock);
762 tcf_chain_put(chain0);
769 tcf_chain0_head_change_cb_del(struct tcf_block *block,
770 struct tcf_block_ext_info *ei)
772 struct tcf_filter_chain_list_item *item;
774 mutex_lock(&block->lock);
775 list_for_each_entry(item, &block->chain0.filter_chain_list, list) {
776 if ((!ei->chain_head_change && !ei->chain_head_change_priv) ||
777 (item->chain_head_change == ei->chain_head_change &&
778 item->chain_head_change_priv == ei->chain_head_change_priv)) {
779 if (block->chain0.chain)
780 tcf_chain_head_change_item(item, NULL);
781 list_del(&item->list);
782 mutex_unlock(&block->lock);
788 mutex_unlock(&block->lock);
793 spinlock_t idr_lock; /* Protects idr */
797 static unsigned int tcf_net_id;
799 static int tcf_block_insert(struct tcf_block *block, struct net *net,
800 struct netlink_ext_ack *extack)
802 struct tcf_net *tn = net_generic(net, tcf_net_id);
805 idr_preload(GFP_KERNEL);
806 spin_lock(&tn->idr_lock);
807 err = idr_alloc_u32(&tn->idr, block, &block->index, block->index,
809 spin_unlock(&tn->idr_lock);
815 static void tcf_block_remove(struct tcf_block *block, struct net *net)
817 struct tcf_net *tn = net_generic(net, tcf_net_id);
819 spin_lock(&tn->idr_lock);
820 idr_remove(&tn->idr, block->index);
821 spin_unlock(&tn->idr_lock);
824 static struct tcf_block *tcf_block_create(struct net *net, struct Qdisc *q,
826 struct netlink_ext_ack *extack)
828 struct tcf_block *block;
830 block = kzalloc(sizeof(*block), GFP_KERNEL);
832 NL_SET_ERR_MSG(extack, "Memory allocation for block failed");
833 return ERR_PTR(-ENOMEM);
835 mutex_init(&block->lock);
836 init_rwsem(&block->cb_lock);
837 flow_block_init(&block->flow_block);
838 INIT_LIST_HEAD(&block->chain_list);
839 INIT_LIST_HEAD(&block->owner_list);
840 INIT_LIST_HEAD(&block->chain0.filter_chain_list);
842 refcount_set(&block->refcnt, 1);
844 block->index = block_index;
846 /* Don't store q pointer for blocks which are shared */
847 if (!tcf_block_shared(block))
852 static struct tcf_block *tcf_block_lookup(struct net *net, u32 block_index)
854 struct tcf_net *tn = net_generic(net, tcf_net_id);
856 return idr_find(&tn->idr, block_index);
859 static struct tcf_block *tcf_block_refcnt_get(struct net *net, u32 block_index)
861 struct tcf_block *block;
864 block = tcf_block_lookup(net, block_index);
865 if (block && !refcount_inc_not_zero(&block->refcnt))
872 static struct tcf_chain *
873 __tcf_get_next_chain(struct tcf_block *block, struct tcf_chain *chain)
875 mutex_lock(&block->lock);
877 chain = list_is_last(&chain->list, &block->chain_list) ?
878 NULL : list_next_entry(chain, list);
880 chain = list_first_entry_or_null(&block->chain_list,
881 struct tcf_chain, list);
883 /* skip all action-only chains */
884 while (chain && tcf_chain_held_by_acts_only(chain))
885 chain = list_is_last(&chain->list, &block->chain_list) ?
886 NULL : list_next_entry(chain, list);
889 tcf_chain_hold(chain);
890 mutex_unlock(&block->lock);
895 /* Function to be used by all clients that want to iterate over all chains on
896 * block. It properly obtains block->lock and takes reference to chain before
897 * returning it. Users of this function must be tolerant to concurrent chain
898 * insertion/deletion or ensure that no concurrent chain modification is
899 * possible. Note that all netlink dump callbacks cannot guarantee to provide
900 * consistent dump because rtnl lock is released each time skb is filled with
901 * data and sent to user-space.
905 tcf_get_next_chain(struct tcf_block *block, struct tcf_chain *chain)
907 struct tcf_chain *chain_next = __tcf_get_next_chain(block, chain);
910 tcf_chain_put(chain);
914 EXPORT_SYMBOL(tcf_get_next_chain);
916 static struct tcf_proto *
917 __tcf_get_next_proto(struct tcf_chain *chain, struct tcf_proto *tp)
922 mutex_lock(&chain->filter_chain_lock);
925 tp = tcf_chain_dereference(chain->filter_chain, chain);
926 } else if (tcf_proto_is_deleting(tp)) {
927 /* 'deleting' flag is set and chain->filter_chain_lock was
928 * unlocked, which means next pointer could be invalid. Restart
932 tp = tcf_chain_dereference(chain->filter_chain, chain);
934 for (; tp; tp = tcf_chain_dereference(tp->next, chain))
935 if (!tp->deleting && tp->prio >= prio)
938 tp = tcf_chain_dereference(tp->next, chain);
944 mutex_unlock(&chain->filter_chain_lock);
949 /* Function to be used by all clients that want to iterate over all tp's on
950 * chain. Users of this function must be tolerant to concurrent tp
951 * insertion/deletion or ensure that no concurrent chain modification is
952 * possible. Note that all netlink dump callbacks cannot guarantee to provide
953 * consistent dump because rtnl lock is released each time skb is filled with
954 * data and sent to user-space.
958 tcf_get_next_proto(struct tcf_chain *chain, struct tcf_proto *tp,
961 struct tcf_proto *tp_next = __tcf_get_next_proto(chain, tp);
964 tcf_proto_put(tp, rtnl_held, NULL);
968 EXPORT_SYMBOL(tcf_get_next_proto);
970 static void tcf_block_flush_all_chains(struct tcf_block *block, bool rtnl_held)
972 struct tcf_chain *chain;
974 /* Last reference to block. At this point chains cannot be added or
975 * removed concurrently.
977 for (chain = tcf_get_next_chain(block, NULL);
979 chain = tcf_get_next_chain(block, chain)) {
980 tcf_chain_put_explicitly_created(chain);
981 tcf_chain_flush(chain, rtnl_held);
985 /* Lookup Qdisc and increments its reference counter.
986 * Set parent, if necessary.
989 static int __tcf_qdisc_find(struct net *net, struct Qdisc **q,
990 u32 *parent, int ifindex, bool rtnl_held,
991 struct netlink_ext_ack *extack)
993 const struct Qdisc_class_ops *cops;
994 struct net_device *dev;
997 if (ifindex == TCM_IFINDEX_MAGIC_BLOCK)
1003 dev = dev_get_by_index_rcu(net, ifindex);
1012 *parent = (*q)->handle;
1014 *q = qdisc_lookup_rcu(dev, TC_H_MAJ(*parent));
1016 NL_SET_ERR_MSG(extack, "Parent Qdisc doesn't exists");
1022 *q = qdisc_refcount_inc_nz(*q);
1024 NL_SET_ERR_MSG(extack, "Parent Qdisc doesn't exists");
1029 /* Is it classful? */
1030 cops = (*q)->ops->cl_ops;
1032 NL_SET_ERR_MSG(extack, "Qdisc not classful");
1037 if (!cops->tcf_block) {
1038 NL_SET_ERR_MSG(extack, "Class doesn't support blocks");
1044 /* At this point we know that qdisc is not noop_qdisc,
1045 * which means that qdisc holds a reference to net_device
1046 * and we hold a reference to qdisc, so it is safe to release
1058 qdisc_put_unlocked(*q);
1064 static int __tcf_qdisc_cl_find(struct Qdisc *q, u32 parent, unsigned long *cl,
1065 int ifindex, struct netlink_ext_ack *extack)
1067 if (ifindex == TCM_IFINDEX_MAGIC_BLOCK)
1070 /* Do we search for filter, attached to class? */
1071 if (TC_H_MIN(parent)) {
1072 const struct Qdisc_class_ops *cops = q->ops->cl_ops;
1074 *cl = cops->find(q, parent);
1076 NL_SET_ERR_MSG(extack, "Specified class doesn't exist");
1084 static struct tcf_block *__tcf_block_find(struct net *net, struct Qdisc *q,
1085 unsigned long cl, int ifindex,
1087 struct netlink_ext_ack *extack)
1089 struct tcf_block *block;
1091 if (ifindex == TCM_IFINDEX_MAGIC_BLOCK) {
1092 block = tcf_block_refcnt_get(net, block_index);
1094 NL_SET_ERR_MSG(extack, "Block of given index was not found");
1095 return ERR_PTR(-EINVAL);
1098 const struct Qdisc_class_ops *cops = q->ops->cl_ops;
1100 block = cops->tcf_block(q, cl, extack);
1102 return ERR_PTR(-EINVAL);
1104 if (tcf_block_shared(block)) {
1105 NL_SET_ERR_MSG(extack, "This filter block is shared. Please use the block index to manipulate the filters");
1106 return ERR_PTR(-EOPNOTSUPP);
1109 /* Always take reference to block in order to support execution
1110 * of rules update path of cls API without rtnl lock. Caller
1111 * must release block when it is finished using it. 'if' block
1112 * of this conditional obtain reference to block by calling
1113 * tcf_block_refcnt_get().
1115 refcount_inc(&block->refcnt);
1121 static void __tcf_block_put(struct tcf_block *block, struct Qdisc *q,
1122 struct tcf_block_ext_info *ei, bool rtnl_held)
1124 if (refcount_dec_and_mutex_lock(&block->refcnt, &block->lock)) {
1125 /* Flushing/putting all chains will cause the block to be
1126 * deallocated when last chain is freed. However, if chain_list
1127 * is empty, block has to be manually deallocated. After block
1128 * reference counter reached 0, it is no longer possible to
1129 * increment it or add new chains to block.
1131 bool free_block = list_empty(&block->chain_list);
1133 mutex_unlock(&block->lock);
1134 if (tcf_block_shared(block))
1135 tcf_block_remove(block, block->net);
1138 tcf_block_offload_unbind(block, q, ei);
1141 tcf_block_destroy(block);
1143 tcf_block_flush_all_chains(block, rtnl_held);
1145 tcf_block_offload_unbind(block, q, ei);
1149 static void tcf_block_refcnt_put(struct tcf_block *block, bool rtnl_held)
1151 __tcf_block_put(block, NULL, NULL, rtnl_held);
1155 * Set q, parent, cl when appropriate.
1158 static struct tcf_block *tcf_block_find(struct net *net, struct Qdisc **q,
1159 u32 *parent, unsigned long *cl,
1160 int ifindex, u32 block_index,
1161 struct netlink_ext_ack *extack)
1163 struct tcf_block *block;
1168 err = __tcf_qdisc_find(net, q, parent, ifindex, true, extack);
1172 err = __tcf_qdisc_cl_find(*q, *parent, cl, ifindex, extack);
1176 block = __tcf_block_find(net, *q, *cl, ifindex, block_index, extack);
1177 if (IS_ERR(block)) {
1178 err = PTR_ERR(block);
1189 return ERR_PTR(err);
1192 static void tcf_block_release(struct Qdisc *q, struct tcf_block *block,
1195 if (!IS_ERR_OR_NULL(block))
1196 tcf_block_refcnt_put(block, rtnl_held);
1202 qdisc_put_unlocked(q);
1206 struct tcf_block_owner_item {
1207 struct list_head list;
1209 enum flow_block_binder_type binder_type;
1213 tcf_block_owner_netif_keep_dst(struct tcf_block *block,
1215 enum flow_block_binder_type binder_type)
1217 if (block->keep_dst &&
1218 binder_type != FLOW_BLOCK_BINDER_TYPE_CLSACT_INGRESS &&
1219 binder_type != FLOW_BLOCK_BINDER_TYPE_CLSACT_EGRESS)
1220 netif_keep_dst(qdisc_dev(q));
1223 void tcf_block_netif_keep_dst(struct tcf_block *block)
1225 struct tcf_block_owner_item *item;
1227 block->keep_dst = true;
1228 list_for_each_entry(item, &block->owner_list, list)
1229 tcf_block_owner_netif_keep_dst(block, item->q,
1232 EXPORT_SYMBOL(tcf_block_netif_keep_dst);
1234 static int tcf_block_owner_add(struct tcf_block *block,
1236 enum flow_block_binder_type binder_type)
1238 struct tcf_block_owner_item *item;
1240 item = kmalloc(sizeof(*item), GFP_KERNEL);
1244 item->binder_type = binder_type;
1245 list_add(&item->list, &block->owner_list);
1249 static void tcf_block_owner_del(struct tcf_block *block,
1251 enum flow_block_binder_type binder_type)
1253 struct tcf_block_owner_item *item;
1255 list_for_each_entry(item, &block->owner_list, list) {
1256 if (item->q == q && item->binder_type == binder_type) {
1257 list_del(&item->list);
1265 int tcf_block_get_ext(struct tcf_block **p_block, struct Qdisc *q,
1266 struct tcf_block_ext_info *ei,
1267 struct netlink_ext_ack *extack)
1269 struct net *net = qdisc_net(q);
1270 struct tcf_block *block = NULL;
1273 if (ei->block_index)
1274 /* block_index not 0 means the shared block is requested */
1275 block = tcf_block_refcnt_get(net, ei->block_index);
1278 block = tcf_block_create(net, q, ei->block_index, extack);
1280 return PTR_ERR(block);
1281 if (tcf_block_shared(block)) {
1282 err = tcf_block_insert(block, net, extack);
1284 goto err_block_insert;
1288 err = tcf_block_owner_add(block, q, ei->binder_type);
1290 goto err_block_owner_add;
1292 tcf_block_owner_netif_keep_dst(block, q, ei->binder_type);
1294 err = tcf_chain0_head_change_cb_add(block, ei, extack);
1296 goto err_chain0_head_change_cb_add;
1298 err = tcf_block_offload_bind(block, q, ei, extack);
1300 goto err_block_offload_bind;
1305 err_block_offload_bind:
1306 tcf_chain0_head_change_cb_del(block, ei);
1307 err_chain0_head_change_cb_add:
1308 tcf_block_owner_del(block, q, ei->binder_type);
1309 err_block_owner_add:
1311 tcf_block_refcnt_put(block, true);
1314 EXPORT_SYMBOL(tcf_block_get_ext);
1316 static void tcf_chain_head_change_dflt(struct tcf_proto *tp_head, void *priv)
1318 struct tcf_proto __rcu **p_filter_chain = priv;
1320 rcu_assign_pointer(*p_filter_chain, tp_head);
1323 int tcf_block_get(struct tcf_block **p_block,
1324 struct tcf_proto __rcu **p_filter_chain, struct Qdisc *q,
1325 struct netlink_ext_ack *extack)
1327 struct tcf_block_ext_info ei = {
1328 .chain_head_change = tcf_chain_head_change_dflt,
1329 .chain_head_change_priv = p_filter_chain,
1332 WARN_ON(!p_filter_chain);
1333 return tcf_block_get_ext(p_block, q, &ei, extack);
1335 EXPORT_SYMBOL(tcf_block_get);
1337 /* XXX: Standalone actions are not allowed to jump to any chain, and bound
1338 * actions should be all removed after flushing.
1340 void tcf_block_put_ext(struct tcf_block *block, struct Qdisc *q,
1341 struct tcf_block_ext_info *ei)
1345 tcf_chain0_head_change_cb_del(block, ei);
1346 tcf_block_owner_del(block, q, ei->binder_type);
1348 __tcf_block_put(block, q, ei, true);
1350 EXPORT_SYMBOL(tcf_block_put_ext);
1352 void tcf_block_put(struct tcf_block *block)
1354 struct tcf_block_ext_info ei = {0, };
1358 tcf_block_put_ext(block, block->q, &ei);
1361 EXPORT_SYMBOL(tcf_block_put);
1364 tcf_block_playback_offloads(struct tcf_block *block, flow_setup_cb_t *cb,
1365 void *cb_priv, bool add, bool offload_in_use,
1366 struct netlink_ext_ack *extack)
1368 struct tcf_chain *chain, *chain_prev;
1369 struct tcf_proto *tp, *tp_prev;
1372 lockdep_assert_held(&block->cb_lock);
1374 for (chain = __tcf_get_next_chain(block, NULL);
1377 chain = __tcf_get_next_chain(block, chain),
1378 tcf_chain_put(chain_prev)) {
1379 for (tp = __tcf_get_next_proto(chain, NULL); tp;
1381 tp = __tcf_get_next_proto(chain, tp),
1382 tcf_proto_put(tp_prev, true, NULL)) {
1383 if (tp->ops->reoffload) {
1384 err = tp->ops->reoffload(tp, add, cb, cb_priv,
1387 goto err_playback_remove;
1388 } else if (add && offload_in_use) {
1390 NL_SET_ERR_MSG(extack, "Filter HW offload failed - classifier without re-offloading support");
1391 goto err_playback_remove;
1398 err_playback_remove:
1399 tcf_proto_put(tp, true, NULL);
1400 tcf_chain_put(chain);
1401 tcf_block_playback_offloads(block, cb, cb_priv, false, offload_in_use,
1406 static int tcf_block_bind(struct tcf_block *block,
1407 struct flow_block_offload *bo)
1409 struct flow_block_cb *block_cb, *next;
1412 lockdep_assert_held(&block->cb_lock);
1414 list_for_each_entry(block_cb, &bo->cb_list, list) {
1415 err = tcf_block_playback_offloads(block, block_cb->cb,
1416 block_cb->cb_priv, true,
1417 tcf_block_offload_in_use(block),
1424 list_splice(&bo->cb_list, &block->flow_block.cb_list);
1429 list_for_each_entry_safe(block_cb, next, &bo->cb_list, list) {
1431 list_del(&block_cb->list);
1432 tcf_block_playback_offloads(block, block_cb->cb,
1433 block_cb->cb_priv, false,
1434 tcf_block_offload_in_use(block),
1437 flow_block_cb_free(block_cb);
1443 static void tcf_block_unbind(struct tcf_block *block,
1444 struct flow_block_offload *bo)
1446 struct flow_block_cb *block_cb, *next;
1448 lockdep_assert_held(&block->cb_lock);
1450 list_for_each_entry_safe(block_cb, next, &bo->cb_list, list) {
1451 tcf_block_playback_offloads(block, block_cb->cb,
1452 block_cb->cb_priv, false,
1453 tcf_block_offload_in_use(block),
1455 list_del(&block_cb->list);
1456 flow_block_cb_free(block_cb);
1460 static int tcf_block_setup(struct tcf_block *block,
1461 struct flow_block_offload *bo)
1465 switch (bo->command) {
1466 case FLOW_BLOCK_BIND:
1467 err = tcf_block_bind(block, bo);
1469 case FLOW_BLOCK_UNBIND:
1471 tcf_block_unbind(block, bo);
1481 /* Main classifier routine: scans classifier chain attached
1482 * to this qdisc, (optionally) tests for protocol and asks
1483 * specific classifiers.
1485 int tcf_classify(struct sk_buff *skb, const struct tcf_proto *tp,
1486 struct tcf_result *res, bool compat_mode)
1488 #ifdef CONFIG_NET_CLS_ACT
1489 const int max_reclassify_loop = 4;
1490 const struct tcf_proto *orig_tp = tp;
1491 const struct tcf_proto *first_tp;
1496 for (; tp; tp = rcu_dereference_bh(tp->next)) {
1497 __be16 protocol = tc_skb_protocol(skb);
1500 if (tp->protocol != protocol &&
1501 tp->protocol != htons(ETH_P_ALL))
1504 err = tp->classify(skb, tp, res);
1505 #ifdef CONFIG_NET_CLS_ACT
1506 if (unlikely(err == TC_ACT_RECLASSIFY && !compat_mode)) {
1509 } else if (unlikely(TC_ACT_EXT_CMP(err, TC_ACT_GOTO_CHAIN))) {
1510 first_tp = res->goto_tp;
1518 return TC_ACT_UNSPEC; /* signal: continue lookup */
1519 #ifdef CONFIG_NET_CLS_ACT
1521 if (unlikely(limit++ >= max_reclassify_loop)) {
1522 net_notice_ratelimited("%u: reclassify loop, rule prio %u, protocol %02x\n",
1523 tp->chain->block->index,
1525 ntohs(tp->protocol));
1533 EXPORT_SYMBOL(tcf_classify);
1535 struct tcf_chain_info {
1536 struct tcf_proto __rcu **pprev;
1537 struct tcf_proto __rcu *next;
1540 static struct tcf_proto *tcf_chain_tp_prev(struct tcf_chain *chain,
1541 struct tcf_chain_info *chain_info)
1543 return tcf_chain_dereference(*chain_info->pprev, chain);
1546 static int tcf_chain_tp_insert(struct tcf_chain *chain,
1547 struct tcf_chain_info *chain_info,
1548 struct tcf_proto *tp)
1550 if (chain->flushing)
1553 if (*chain_info->pprev == chain->filter_chain)
1554 tcf_chain0_head_change(chain, tp);
1556 RCU_INIT_POINTER(tp->next, tcf_chain_tp_prev(chain, chain_info));
1557 rcu_assign_pointer(*chain_info->pprev, tp);
1562 static void tcf_chain_tp_remove(struct tcf_chain *chain,
1563 struct tcf_chain_info *chain_info,
1564 struct tcf_proto *tp)
1566 struct tcf_proto *next = tcf_chain_dereference(chain_info->next, chain);
1568 tcf_proto_mark_delete(tp);
1569 if (tp == chain->filter_chain)
1570 tcf_chain0_head_change(chain, next);
1571 RCU_INIT_POINTER(*chain_info->pprev, next);
1574 static struct tcf_proto *tcf_chain_tp_find(struct tcf_chain *chain,
1575 struct tcf_chain_info *chain_info,
1576 u32 protocol, u32 prio,
1577 bool prio_allocate);
1579 /* Try to insert new proto.
1580 * If proto with specified priority already exists, free new proto
1581 * and return existing one.
1584 static struct tcf_proto *tcf_chain_tp_insert_unique(struct tcf_chain *chain,
1585 struct tcf_proto *tp_new,
1586 u32 protocol, u32 prio,
1589 struct tcf_chain_info chain_info;
1590 struct tcf_proto *tp;
1593 mutex_lock(&chain->filter_chain_lock);
1595 tp = tcf_chain_tp_find(chain, &chain_info,
1596 protocol, prio, false);
1598 err = tcf_chain_tp_insert(chain, &chain_info, tp_new);
1599 mutex_unlock(&chain->filter_chain_lock);
1602 tcf_proto_destroy(tp_new, rtnl_held, NULL);
1605 tcf_proto_destroy(tp_new, rtnl_held, NULL);
1606 tp_new = ERR_PTR(err);
1612 static void tcf_chain_tp_delete_empty(struct tcf_chain *chain,
1613 struct tcf_proto *tp, bool rtnl_held,
1614 struct netlink_ext_ack *extack)
1616 struct tcf_chain_info chain_info;
1617 struct tcf_proto *tp_iter;
1618 struct tcf_proto **pprev;
1619 struct tcf_proto *next;
1621 mutex_lock(&chain->filter_chain_lock);
1623 /* Atomically find and remove tp from chain. */
1624 for (pprev = &chain->filter_chain;
1625 (tp_iter = tcf_chain_dereference(*pprev, chain));
1626 pprev = &tp_iter->next) {
1627 if (tp_iter == tp) {
1628 chain_info.pprev = pprev;
1629 chain_info.next = tp_iter->next;
1630 WARN_ON(tp_iter->deleting);
1634 /* Verify that tp still exists and no new filters were inserted
1636 * Mark tp for deletion if it is empty.
1638 if (!tp_iter || !tcf_proto_check_delete(tp, rtnl_held)) {
1639 mutex_unlock(&chain->filter_chain_lock);
1643 next = tcf_chain_dereference(chain_info.next, chain);
1644 if (tp == chain->filter_chain)
1645 tcf_chain0_head_change(chain, next);
1646 RCU_INIT_POINTER(*chain_info.pprev, next);
1647 mutex_unlock(&chain->filter_chain_lock);
1649 tcf_proto_put(tp, rtnl_held, extack);
1652 static struct tcf_proto *tcf_chain_tp_find(struct tcf_chain *chain,
1653 struct tcf_chain_info *chain_info,
1654 u32 protocol, u32 prio,
1657 struct tcf_proto **pprev;
1658 struct tcf_proto *tp;
1660 /* Check the chain for existence of proto-tcf with this priority */
1661 for (pprev = &chain->filter_chain;
1662 (tp = tcf_chain_dereference(*pprev, chain));
1663 pprev = &tp->next) {
1664 if (tp->prio >= prio) {
1665 if (tp->prio == prio) {
1666 if (prio_allocate ||
1667 (tp->protocol != protocol && protocol))
1668 return ERR_PTR(-EINVAL);
1675 chain_info->pprev = pprev;
1677 chain_info->next = tp->next;
1680 chain_info->next = NULL;
1685 static int tcf_fill_node(struct net *net, struct sk_buff *skb,
1686 struct tcf_proto *tp, struct tcf_block *block,
1687 struct Qdisc *q, u32 parent, void *fh,
1688 u32 portid, u32 seq, u16 flags, int event,
1692 struct nlmsghdr *nlh;
1693 unsigned char *b = skb_tail_pointer(skb);
1695 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*tcm), flags);
1697 goto out_nlmsg_trim;
1698 tcm = nlmsg_data(nlh);
1699 tcm->tcm_family = AF_UNSPEC;
1703 tcm->tcm_ifindex = qdisc_dev(q)->ifindex;
1704 tcm->tcm_parent = parent;
1706 tcm->tcm_ifindex = TCM_IFINDEX_MAGIC_BLOCK;
1707 tcm->tcm_block_index = block->index;
1709 tcm->tcm_info = TC_H_MAKE(tp->prio, tp->protocol);
1710 if (nla_put_string(skb, TCA_KIND, tp->ops->kind))
1711 goto nla_put_failure;
1712 if (nla_put_u32(skb, TCA_CHAIN, tp->chain->index))
1713 goto nla_put_failure;
1715 tcm->tcm_handle = 0;
1717 if (tp->ops->dump &&
1718 tp->ops->dump(net, tp, fh, skb, tcm, rtnl_held) < 0)
1719 goto nla_put_failure;
1721 nlh->nlmsg_len = skb_tail_pointer(skb) - b;
1730 static int tfilter_notify(struct net *net, struct sk_buff *oskb,
1731 struct nlmsghdr *n, struct tcf_proto *tp,
1732 struct tcf_block *block, struct Qdisc *q,
1733 u32 parent, void *fh, int event, bool unicast,
1736 struct sk_buff *skb;
1737 u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
1740 skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1744 if (tcf_fill_node(net, skb, tp, block, q, parent, fh, portid,
1745 n->nlmsg_seq, n->nlmsg_flags, event,
1752 err = netlink_unicast(net->rtnl, skb, portid, MSG_DONTWAIT);
1754 err = rtnetlink_send(skb, net, portid, RTNLGRP_TC,
1755 n->nlmsg_flags & NLM_F_ECHO);
1762 static int tfilter_del_notify(struct net *net, struct sk_buff *oskb,
1763 struct nlmsghdr *n, struct tcf_proto *tp,
1764 struct tcf_block *block, struct Qdisc *q,
1765 u32 parent, void *fh, bool unicast, bool *last,
1766 bool rtnl_held, struct netlink_ext_ack *extack)
1768 struct sk_buff *skb;
1769 u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
1772 skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1776 if (tcf_fill_node(net, skb, tp, block, q, parent, fh, portid,
1777 n->nlmsg_seq, n->nlmsg_flags, RTM_DELTFILTER,
1779 NL_SET_ERR_MSG(extack, "Failed to build del event notification");
1784 err = tp->ops->delete(tp, fh, last, rtnl_held, extack);
1791 err = netlink_unicast(net->rtnl, skb, portid, MSG_DONTWAIT);
1793 err = rtnetlink_send(skb, net, portid, RTNLGRP_TC,
1794 n->nlmsg_flags & NLM_F_ECHO);
1796 NL_SET_ERR_MSG(extack, "Failed to send filter delete notification");
1803 static void tfilter_notify_chain(struct net *net, struct sk_buff *oskb,
1804 struct tcf_block *block, struct Qdisc *q,
1805 u32 parent, struct nlmsghdr *n,
1806 struct tcf_chain *chain, int event,
1809 struct tcf_proto *tp;
1811 for (tp = tcf_get_next_proto(chain, NULL, rtnl_held);
1812 tp; tp = tcf_get_next_proto(chain, tp, rtnl_held))
1813 tfilter_notify(net, oskb, n, tp, block,
1814 q, parent, NULL, event, false, rtnl_held);
1817 static void tfilter_put(struct tcf_proto *tp, void *fh)
1819 if (tp->ops->put && fh)
1820 tp->ops->put(tp, fh);
1823 static int tc_new_tfilter(struct sk_buff *skb, struct nlmsghdr *n,
1824 struct netlink_ext_ack *extack)
1826 struct net *net = sock_net(skb->sk);
1827 struct nlattr *tca[TCA_MAX + 1];
1834 struct Qdisc *q = NULL;
1835 struct tcf_chain_info chain_info;
1836 struct tcf_chain *chain = NULL;
1837 struct tcf_block *block;
1838 struct tcf_proto *tp;
1843 bool rtnl_held = false;
1845 if (!netlink_ns_capable(skb, net->user_ns, CAP_NET_ADMIN))
1851 err = nlmsg_parse_deprecated(n, sizeof(*t), tca, TCA_MAX,
1852 rtm_tca_policy, extack);
1857 protocol = TC_H_MIN(t->tcm_info);
1858 prio = TC_H_MAJ(t->tcm_info);
1859 prio_allocate = false;
1860 parent = t->tcm_parent;
1866 /* If no priority is provided by the user,
1869 if (n->nlmsg_flags & NLM_F_CREATE) {
1870 prio = TC_H_MAKE(0x80000000U, 0U);
1871 prio_allocate = true;
1873 NL_SET_ERR_MSG(extack, "Invalid filter command with priority of zero");
1878 /* Find head of filter chain. */
1880 err = __tcf_qdisc_find(net, &q, &parent, t->tcm_ifindex, false, extack);
1884 /* Take rtnl mutex if rtnl_held was set to true on previous iteration,
1885 * block is shared (no qdisc found), qdisc is not unlocked, classifier
1886 * type is not specified, classifier is not unlocked.
1889 (q && !(q->ops->cl_ops->flags & QDISC_CLASS_OPS_DOIT_UNLOCKED)) ||
1890 !tca[TCA_KIND] || !tcf_proto_is_unlocked(nla_data(tca[TCA_KIND]))) {
1895 err = __tcf_qdisc_cl_find(q, parent, &cl, t->tcm_ifindex, extack);
1899 block = __tcf_block_find(net, q, cl, t->tcm_ifindex, t->tcm_block_index,
1901 if (IS_ERR(block)) {
1902 err = PTR_ERR(block);
1906 chain_index = tca[TCA_CHAIN] ? nla_get_u32(tca[TCA_CHAIN]) : 0;
1907 if (chain_index > TC_ACT_EXT_VAL_MASK) {
1908 NL_SET_ERR_MSG(extack, "Specified chain index exceeds upper limit");
1912 chain = tcf_chain_get(block, chain_index, true);
1914 NL_SET_ERR_MSG(extack, "Cannot create specified filter chain");
1919 mutex_lock(&chain->filter_chain_lock);
1920 tp = tcf_chain_tp_find(chain, &chain_info, protocol,
1921 prio, prio_allocate);
1923 NL_SET_ERR_MSG(extack, "Filter with specified priority/protocol not found");
1929 struct tcf_proto *tp_new = NULL;
1931 if (chain->flushing) {
1936 /* Proto-tcf does not exist, create new one */
1938 if (tca[TCA_KIND] == NULL || !protocol) {
1939 NL_SET_ERR_MSG(extack, "Filter kind and protocol must be specified");
1944 if (!(n->nlmsg_flags & NLM_F_CREATE)) {
1945 NL_SET_ERR_MSG(extack, "Need both RTM_NEWTFILTER and NLM_F_CREATE to create a new filter");
1951 prio = tcf_auto_prio(tcf_chain_tp_prev(chain,
1954 mutex_unlock(&chain->filter_chain_lock);
1955 tp_new = tcf_proto_create(nla_data(tca[TCA_KIND]),
1956 protocol, prio, chain, rtnl_held,
1958 if (IS_ERR(tp_new)) {
1959 err = PTR_ERR(tp_new);
1964 tp = tcf_chain_tp_insert_unique(chain, tp_new, protocol, prio,
1971 mutex_unlock(&chain->filter_chain_lock);
1974 if (tca[TCA_KIND] && nla_strcmp(tca[TCA_KIND], tp->ops->kind)) {
1975 NL_SET_ERR_MSG(extack, "Specified filter kind does not match existing one");
1980 fh = tp->ops->get(tp, t->tcm_handle);
1983 if (!(n->nlmsg_flags & NLM_F_CREATE)) {
1984 NL_SET_ERR_MSG(extack, "Need both RTM_NEWTFILTER and NLM_F_CREATE to create a new filter");
1988 } else if (n->nlmsg_flags & NLM_F_EXCL) {
1989 tfilter_put(tp, fh);
1990 NL_SET_ERR_MSG(extack, "Filter already exists");
1995 if (chain->tmplt_ops && chain->tmplt_ops != tp->ops) {
1996 NL_SET_ERR_MSG(extack, "Chain template is set to a different filter kind");
2001 err = tp->ops->change(net, skb, tp, cl, t->tcm_handle, tca, &fh,
2002 n->nlmsg_flags & NLM_F_CREATE ? TCA_ACT_NOREPLACE : TCA_ACT_REPLACE,
2005 tfilter_notify(net, skb, n, tp, block, q, parent, fh,
2006 RTM_NEWTFILTER, false, rtnl_held);
2007 tfilter_put(tp, fh);
2008 /* q pointer is NULL for shared blocks */
2010 q->flags &= ~TCQ_F_CAN_BYPASS;
2014 if (err && tp_created)
2015 tcf_chain_tp_delete_empty(chain, tp, rtnl_held, NULL);
2018 if (tp && !IS_ERR(tp))
2019 tcf_proto_put(tp, rtnl_held, NULL);
2021 tcf_chain_put(chain);
2023 tcf_block_release(q, block, rtnl_held);
2028 if (err == -EAGAIN) {
2029 /* Take rtnl lock in case EAGAIN is caused by concurrent flush
2033 /* Replay the request. */
2039 mutex_unlock(&chain->filter_chain_lock);
2043 static int tc_del_tfilter(struct sk_buff *skb, struct nlmsghdr *n,
2044 struct netlink_ext_ack *extack)
2046 struct net *net = sock_net(skb->sk);
2047 struct nlattr *tca[TCA_MAX + 1];
2053 struct Qdisc *q = NULL;
2054 struct tcf_chain_info chain_info;
2055 struct tcf_chain *chain = NULL;
2056 struct tcf_block *block = NULL;
2057 struct tcf_proto *tp = NULL;
2058 unsigned long cl = 0;
2061 bool rtnl_held = false;
2063 if (!netlink_ns_capable(skb, net->user_ns, CAP_NET_ADMIN))
2066 err = nlmsg_parse_deprecated(n, sizeof(*t), tca, TCA_MAX,
2067 rtm_tca_policy, extack);
2072 protocol = TC_H_MIN(t->tcm_info);
2073 prio = TC_H_MAJ(t->tcm_info);
2074 parent = t->tcm_parent;
2076 if (prio == 0 && (protocol || t->tcm_handle || tca[TCA_KIND])) {
2077 NL_SET_ERR_MSG(extack, "Cannot flush filters with protocol, handle or kind set");
2081 /* Find head of filter chain. */
2083 err = __tcf_qdisc_find(net, &q, &parent, t->tcm_ifindex, false, extack);
2087 /* Take rtnl mutex if flushing whole chain, block is shared (no qdisc
2088 * found), qdisc is not unlocked, classifier type is not specified,
2089 * classifier is not unlocked.
2092 (q && !(q->ops->cl_ops->flags & QDISC_CLASS_OPS_DOIT_UNLOCKED)) ||
2093 !tca[TCA_KIND] || !tcf_proto_is_unlocked(nla_data(tca[TCA_KIND]))) {
2098 err = __tcf_qdisc_cl_find(q, parent, &cl, t->tcm_ifindex, extack);
2102 block = __tcf_block_find(net, q, cl, t->tcm_ifindex, t->tcm_block_index,
2104 if (IS_ERR(block)) {
2105 err = PTR_ERR(block);
2109 chain_index = tca[TCA_CHAIN] ? nla_get_u32(tca[TCA_CHAIN]) : 0;
2110 if (chain_index > TC_ACT_EXT_VAL_MASK) {
2111 NL_SET_ERR_MSG(extack, "Specified chain index exceeds upper limit");
2115 chain = tcf_chain_get(block, chain_index, false);
2117 /* User requested flush on non-existent chain. Nothing to do,
2118 * so just return success.
2124 NL_SET_ERR_MSG(extack, "Cannot find specified filter chain");
2130 tfilter_notify_chain(net, skb, block, q, parent, n,
2131 chain, RTM_DELTFILTER, rtnl_held);
2132 tcf_chain_flush(chain, rtnl_held);
2137 mutex_lock(&chain->filter_chain_lock);
2138 tp = tcf_chain_tp_find(chain, &chain_info, protocol,
2140 if (!tp || IS_ERR(tp)) {
2141 NL_SET_ERR_MSG(extack, "Filter with specified priority/protocol not found");
2142 err = tp ? PTR_ERR(tp) : -ENOENT;
2144 } else if (tca[TCA_KIND] && nla_strcmp(tca[TCA_KIND], tp->ops->kind)) {
2145 NL_SET_ERR_MSG(extack, "Specified filter kind does not match existing one");
2148 } else if (t->tcm_handle == 0) {
2149 tcf_chain_tp_remove(chain, &chain_info, tp);
2150 mutex_unlock(&chain->filter_chain_lock);
2152 tcf_proto_put(tp, rtnl_held, NULL);
2153 tfilter_notify(net, skb, n, tp, block, q, parent, fh,
2154 RTM_DELTFILTER, false, rtnl_held);
2158 mutex_unlock(&chain->filter_chain_lock);
2160 fh = tp->ops->get(tp, t->tcm_handle);
2163 NL_SET_ERR_MSG(extack, "Specified filter handle not found");
2168 err = tfilter_del_notify(net, skb, n, tp, block,
2169 q, parent, fh, false, &last,
2175 tcf_chain_tp_delete_empty(chain, tp, rtnl_held, extack);
2180 if (tp && !IS_ERR(tp))
2181 tcf_proto_put(tp, rtnl_held, NULL);
2182 tcf_chain_put(chain);
2184 tcf_block_release(q, block, rtnl_held);
2192 mutex_unlock(&chain->filter_chain_lock);
2196 static int tc_get_tfilter(struct sk_buff *skb, struct nlmsghdr *n,
2197 struct netlink_ext_ack *extack)
2199 struct net *net = sock_net(skb->sk);
2200 struct nlattr *tca[TCA_MAX + 1];
2206 struct Qdisc *q = NULL;
2207 struct tcf_chain_info chain_info;
2208 struct tcf_chain *chain = NULL;
2209 struct tcf_block *block = NULL;
2210 struct tcf_proto *tp = NULL;
2211 unsigned long cl = 0;
2214 bool rtnl_held = false;
2216 err = nlmsg_parse_deprecated(n, sizeof(*t), tca, TCA_MAX,
2217 rtm_tca_policy, extack);
2222 protocol = TC_H_MIN(t->tcm_info);
2223 prio = TC_H_MAJ(t->tcm_info);
2224 parent = t->tcm_parent;
2227 NL_SET_ERR_MSG(extack, "Invalid filter command with priority of zero");
2231 /* Find head of filter chain. */
2233 err = __tcf_qdisc_find(net, &q, &parent, t->tcm_ifindex, false, extack);
2237 /* Take rtnl mutex if block is shared (no qdisc found), qdisc is not
2238 * unlocked, classifier type is not specified, classifier is not
2241 if ((q && !(q->ops->cl_ops->flags & QDISC_CLASS_OPS_DOIT_UNLOCKED)) ||
2242 !tca[TCA_KIND] || !tcf_proto_is_unlocked(nla_data(tca[TCA_KIND]))) {
2247 err = __tcf_qdisc_cl_find(q, parent, &cl, t->tcm_ifindex, extack);
2251 block = __tcf_block_find(net, q, cl, t->tcm_ifindex, t->tcm_block_index,
2253 if (IS_ERR(block)) {
2254 err = PTR_ERR(block);
2258 chain_index = tca[TCA_CHAIN] ? nla_get_u32(tca[TCA_CHAIN]) : 0;
2259 if (chain_index > TC_ACT_EXT_VAL_MASK) {
2260 NL_SET_ERR_MSG(extack, "Specified chain index exceeds upper limit");
2264 chain = tcf_chain_get(block, chain_index, false);
2266 NL_SET_ERR_MSG(extack, "Cannot find specified filter chain");
2271 mutex_lock(&chain->filter_chain_lock);
2272 tp = tcf_chain_tp_find(chain, &chain_info, protocol,
2274 mutex_unlock(&chain->filter_chain_lock);
2275 if (!tp || IS_ERR(tp)) {
2276 NL_SET_ERR_MSG(extack, "Filter with specified priority/protocol not found");
2277 err = tp ? PTR_ERR(tp) : -ENOENT;
2279 } else if (tca[TCA_KIND] && nla_strcmp(tca[TCA_KIND], tp->ops->kind)) {
2280 NL_SET_ERR_MSG(extack, "Specified filter kind does not match existing one");
2285 fh = tp->ops->get(tp, t->tcm_handle);
2288 NL_SET_ERR_MSG(extack, "Specified filter handle not found");
2291 err = tfilter_notify(net, skb, n, tp, block, q, parent,
2292 fh, RTM_NEWTFILTER, true, rtnl_held);
2294 NL_SET_ERR_MSG(extack, "Failed to send filter notify message");
2297 tfilter_put(tp, fh);
2300 if (tp && !IS_ERR(tp))
2301 tcf_proto_put(tp, rtnl_held, NULL);
2302 tcf_chain_put(chain);
2304 tcf_block_release(q, block, rtnl_held);
2312 struct tcf_dump_args {
2313 struct tcf_walker w;
2314 struct sk_buff *skb;
2315 struct netlink_callback *cb;
2316 struct tcf_block *block;
2321 static int tcf_node_dump(struct tcf_proto *tp, void *n, struct tcf_walker *arg)
2323 struct tcf_dump_args *a = (void *)arg;
2324 struct net *net = sock_net(a->skb->sk);
2326 return tcf_fill_node(net, a->skb, tp, a->block, a->q, a->parent,
2327 n, NETLINK_CB(a->cb->skb).portid,
2328 a->cb->nlh->nlmsg_seq, NLM_F_MULTI,
2329 RTM_NEWTFILTER, true);
2332 static bool tcf_chain_dump(struct tcf_chain *chain, struct Qdisc *q, u32 parent,
2333 struct sk_buff *skb, struct netlink_callback *cb,
2334 long index_start, long *p_index)
2336 struct net *net = sock_net(skb->sk);
2337 struct tcf_block *block = chain->block;
2338 struct tcmsg *tcm = nlmsg_data(cb->nlh);
2339 struct tcf_proto *tp, *tp_prev;
2340 struct tcf_dump_args arg;
2342 for (tp = __tcf_get_next_proto(chain, NULL);
2345 tp = __tcf_get_next_proto(chain, tp),
2346 tcf_proto_put(tp_prev, true, NULL),
2348 if (*p_index < index_start)
2350 if (TC_H_MAJ(tcm->tcm_info) &&
2351 TC_H_MAJ(tcm->tcm_info) != tp->prio)
2353 if (TC_H_MIN(tcm->tcm_info) &&
2354 TC_H_MIN(tcm->tcm_info) != tp->protocol)
2356 if (*p_index > index_start)
2357 memset(&cb->args[1], 0,
2358 sizeof(cb->args) - sizeof(cb->args[0]));
2359 if (cb->args[1] == 0) {
2360 if (tcf_fill_node(net, skb, tp, block, q, parent, NULL,
2361 NETLINK_CB(cb->skb).portid,
2362 cb->nlh->nlmsg_seq, NLM_F_MULTI,
2363 RTM_NEWTFILTER, true) <= 0)
2369 arg.w.fn = tcf_node_dump;
2374 arg.parent = parent;
2376 arg.w.skip = cb->args[1] - 1;
2378 arg.w.cookie = cb->args[2];
2379 tp->ops->walk(tp, &arg.w, true);
2380 cb->args[2] = arg.w.cookie;
2381 cb->args[1] = arg.w.count + 1;
2388 tcf_proto_put(tp, true, NULL);
2392 /* called with RTNL */
2393 static int tc_dump_tfilter(struct sk_buff *skb, struct netlink_callback *cb)
2395 struct tcf_chain *chain, *chain_prev;
2396 struct net *net = sock_net(skb->sk);
2397 struct nlattr *tca[TCA_MAX + 1];
2398 struct Qdisc *q = NULL;
2399 struct tcf_block *block;
2400 struct tcmsg *tcm = nlmsg_data(cb->nlh);
2406 if (nlmsg_len(cb->nlh) < sizeof(*tcm))
2409 err = nlmsg_parse_deprecated(cb->nlh, sizeof(*tcm), tca, TCA_MAX,
2414 if (tcm->tcm_ifindex == TCM_IFINDEX_MAGIC_BLOCK) {
2415 block = tcf_block_refcnt_get(net, tcm->tcm_block_index);
2418 /* If we work with block index, q is NULL and parent value
2419 * will never be used in the following code. The check
2420 * in tcf_fill_node prevents it. However, compiler does not
2421 * see that far, so set parent to zero to silence the warning
2422 * about parent being uninitialized.
2426 const struct Qdisc_class_ops *cops;
2427 struct net_device *dev;
2428 unsigned long cl = 0;
2430 dev = __dev_get_by_index(net, tcm->tcm_ifindex);
2434 parent = tcm->tcm_parent;
2439 q = qdisc_lookup(dev, TC_H_MAJ(tcm->tcm_parent));
2443 cops = q->ops->cl_ops;
2446 if (!cops->tcf_block)
2448 if (TC_H_MIN(tcm->tcm_parent)) {
2449 cl = cops->find(q, tcm->tcm_parent);
2453 block = cops->tcf_block(q, cl, NULL);
2456 if (tcf_block_shared(block))
2460 index_start = cb->args[0];
2463 for (chain = __tcf_get_next_chain(block, NULL);
2466 chain = __tcf_get_next_chain(block, chain),
2467 tcf_chain_put(chain_prev)) {
2468 if (tca[TCA_CHAIN] &&
2469 nla_get_u32(tca[TCA_CHAIN]) != chain->index)
2471 if (!tcf_chain_dump(chain, q, parent, skb, cb,
2472 index_start, &index)) {
2473 tcf_chain_put(chain);
2479 if (tcm->tcm_ifindex == TCM_IFINDEX_MAGIC_BLOCK)
2480 tcf_block_refcnt_put(block, true);
2481 cb->args[0] = index;
2484 /* If we did no progress, the error (EMSGSIZE) is real */
2485 if (skb->len == 0 && err)
2490 static int tc_chain_fill_node(const struct tcf_proto_ops *tmplt_ops,
2491 void *tmplt_priv, u32 chain_index,
2492 struct net *net, struct sk_buff *skb,
2493 struct tcf_block *block,
2494 u32 portid, u32 seq, u16 flags, int event)
2496 unsigned char *b = skb_tail_pointer(skb);
2497 const struct tcf_proto_ops *ops;
2498 struct nlmsghdr *nlh;
2505 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*tcm), flags);
2507 goto out_nlmsg_trim;
2508 tcm = nlmsg_data(nlh);
2509 tcm->tcm_family = AF_UNSPEC;
2512 tcm->tcm_handle = 0;
2514 tcm->tcm_ifindex = qdisc_dev(block->q)->ifindex;
2515 tcm->tcm_parent = block->q->handle;
2517 tcm->tcm_ifindex = TCM_IFINDEX_MAGIC_BLOCK;
2518 tcm->tcm_block_index = block->index;
2521 if (nla_put_u32(skb, TCA_CHAIN, chain_index))
2522 goto nla_put_failure;
2525 if (nla_put_string(skb, TCA_KIND, ops->kind))
2526 goto nla_put_failure;
2527 if (ops->tmplt_dump(skb, net, priv) < 0)
2528 goto nla_put_failure;
2531 nlh->nlmsg_len = skb_tail_pointer(skb) - b;
2540 static int tc_chain_notify(struct tcf_chain *chain, struct sk_buff *oskb,
2541 u32 seq, u16 flags, int event, bool unicast)
2543 u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
2544 struct tcf_block *block = chain->block;
2545 struct net *net = block->net;
2546 struct sk_buff *skb;
2549 skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2553 if (tc_chain_fill_node(chain->tmplt_ops, chain->tmplt_priv,
2554 chain->index, net, skb, block, portid,
2555 seq, flags, event) <= 0) {
2561 err = netlink_unicast(net->rtnl, skb, portid, MSG_DONTWAIT);
2563 err = rtnetlink_send(skb, net, portid, RTNLGRP_TC,
2564 flags & NLM_F_ECHO);
2571 static int tc_chain_notify_delete(const struct tcf_proto_ops *tmplt_ops,
2572 void *tmplt_priv, u32 chain_index,
2573 struct tcf_block *block, struct sk_buff *oskb,
2574 u32 seq, u16 flags, bool unicast)
2576 u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
2577 struct net *net = block->net;
2578 struct sk_buff *skb;
2580 skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2584 if (tc_chain_fill_node(tmplt_ops, tmplt_priv, chain_index, net, skb,
2585 block, portid, seq, flags, RTM_DELCHAIN) <= 0) {
2591 return netlink_unicast(net->rtnl, skb, portid, MSG_DONTWAIT);
2593 return rtnetlink_send(skb, net, portid, RTNLGRP_TC, flags & NLM_F_ECHO);
2596 static int tc_chain_tmplt_add(struct tcf_chain *chain, struct net *net,
2597 struct nlattr **tca,
2598 struct netlink_ext_ack *extack)
2600 const struct tcf_proto_ops *ops;
2603 /* If kind is not set, user did not specify template. */
2607 ops = tcf_proto_lookup_ops(nla_data(tca[TCA_KIND]), true, extack);
2609 return PTR_ERR(ops);
2610 if (!ops->tmplt_create || !ops->tmplt_destroy || !ops->tmplt_dump) {
2611 NL_SET_ERR_MSG(extack, "Chain templates are not supported with specified classifier");
2615 tmplt_priv = ops->tmplt_create(net, chain, tca, extack);
2616 if (IS_ERR(tmplt_priv)) {
2617 module_put(ops->owner);
2618 return PTR_ERR(tmplt_priv);
2620 chain->tmplt_ops = ops;
2621 chain->tmplt_priv = tmplt_priv;
2625 static void tc_chain_tmplt_del(const struct tcf_proto_ops *tmplt_ops,
2628 /* If template ops are set, no work to do for us. */
2632 tmplt_ops->tmplt_destroy(tmplt_priv);
2633 module_put(tmplt_ops->owner);
2636 /* Add/delete/get a chain */
2638 static int tc_ctl_chain(struct sk_buff *skb, struct nlmsghdr *n,
2639 struct netlink_ext_ack *extack)
2641 struct net *net = sock_net(skb->sk);
2642 struct nlattr *tca[TCA_MAX + 1];
2646 struct Qdisc *q = NULL;
2647 struct tcf_chain *chain = NULL;
2648 struct tcf_block *block;
2652 if (n->nlmsg_type != RTM_GETCHAIN &&
2653 !netlink_ns_capable(skb, net->user_ns, CAP_NET_ADMIN))
2657 err = nlmsg_parse_deprecated(n, sizeof(*t), tca, TCA_MAX,
2658 rtm_tca_policy, extack);
2663 parent = t->tcm_parent;
2666 block = tcf_block_find(net, &q, &parent, &cl,
2667 t->tcm_ifindex, t->tcm_block_index, extack);
2669 return PTR_ERR(block);
2671 chain_index = tca[TCA_CHAIN] ? nla_get_u32(tca[TCA_CHAIN]) : 0;
2672 if (chain_index > TC_ACT_EXT_VAL_MASK) {
2673 NL_SET_ERR_MSG(extack, "Specified chain index exceeds upper limit");
2678 mutex_lock(&block->lock);
2679 chain = tcf_chain_lookup(block, chain_index);
2680 if (n->nlmsg_type == RTM_NEWCHAIN) {
2682 if (tcf_chain_held_by_acts_only(chain)) {
2683 /* The chain exists only because there is
2684 * some action referencing it.
2686 tcf_chain_hold(chain);
2688 NL_SET_ERR_MSG(extack, "Filter chain already exists");
2690 goto errout_block_locked;
2693 if (!(n->nlmsg_flags & NLM_F_CREATE)) {
2694 NL_SET_ERR_MSG(extack, "Need both RTM_NEWCHAIN and NLM_F_CREATE to create a new chain");
2696 goto errout_block_locked;
2698 chain = tcf_chain_create(block, chain_index);
2700 NL_SET_ERR_MSG(extack, "Failed to create filter chain");
2702 goto errout_block_locked;
2706 if (!chain || tcf_chain_held_by_acts_only(chain)) {
2707 NL_SET_ERR_MSG(extack, "Cannot find specified filter chain");
2709 goto errout_block_locked;
2711 tcf_chain_hold(chain);
2714 if (n->nlmsg_type == RTM_NEWCHAIN) {
2715 /* Modifying chain requires holding parent block lock. In case
2716 * the chain was successfully added, take a reference to the
2717 * chain. This ensures that an empty chain does not disappear at
2718 * the end of this function.
2720 tcf_chain_hold(chain);
2721 chain->explicitly_created = true;
2723 mutex_unlock(&block->lock);
2725 switch (n->nlmsg_type) {
2727 err = tc_chain_tmplt_add(chain, net, tca, extack);
2729 tcf_chain_put_explicitly_created(chain);
2733 tc_chain_notify(chain, NULL, 0, NLM_F_CREATE | NLM_F_EXCL,
2734 RTM_NEWCHAIN, false);
2737 tfilter_notify_chain(net, skb, block, q, parent, n,
2738 chain, RTM_DELTFILTER, true);
2739 /* Flush the chain first as the user requested chain removal. */
2740 tcf_chain_flush(chain, true);
2741 /* In case the chain was successfully deleted, put a reference
2742 * to the chain previously taken during addition.
2744 tcf_chain_put_explicitly_created(chain);
2747 err = tc_chain_notify(chain, skb, n->nlmsg_seq,
2748 n->nlmsg_seq, n->nlmsg_type, true);
2750 NL_SET_ERR_MSG(extack, "Failed to send chain notify message");
2754 NL_SET_ERR_MSG(extack, "Unsupported message type");
2759 tcf_chain_put(chain);
2761 tcf_block_release(q, block, true);
2763 /* Replay the request. */
2767 errout_block_locked:
2768 mutex_unlock(&block->lock);
2772 /* called with RTNL */
2773 static int tc_dump_chain(struct sk_buff *skb, struct netlink_callback *cb)
2775 struct net *net = sock_net(skb->sk);
2776 struct nlattr *tca[TCA_MAX + 1];
2777 struct Qdisc *q = NULL;
2778 struct tcf_block *block;
2779 struct tcmsg *tcm = nlmsg_data(cb->nlh);
2780 struct tcf_chain *chain;
2786 if (nlmsg_len(cb->nlh) < sizeof(*tcm))
2789 err = nlmsg_parse_deprecated(cb->nlh, sizeof(*tcm), tca, TCA_MAX,
2790 rtm_tca_policy, cb->extack);
2794 if (tcm->tcm_ifindex == TCM_IFINDEX_MAGIC_BLOCK) {
2795 block = tcf_block_refcnt_get(net, tcm->tcm_block_index);
2798 /* If we work with block index, q is NULL and parent value
2799 * will never be used in the following code. The check
2800 * in tcf_fill_node prevents it. However, compiler does not
2801 * see that far, so set parent to zero to silence the warning
2802 * about parent being uninitialized.
2806 const struct Qdisc_class_ops *cops;
2807 struct net_device *dev;
2808 unsigned long cl = 0;
2810 dev = __dev_get_by_index(net, tcm->tcm_ifindex);
2814 parent = tcm->tcm_parent;
2819 q = qdisc_lookup(dev, TC_H_MAJ(tcm->tcm_parent));
2823 cops = q->ops->cl_ops;
2826 if (!cops->tcf_block)
2828 if (TC_H_MIN(tcm->tcm_parent)) {
2829 cl = cops->find(q, tcm->tcm_parent);
2833 block = cops->tcf_block(q, cl, NULL);
2836 if (tcf_block_shared(block))
2840 index_start = cb->args[0];
2843 mutex_lock(&block->lock);
2844 list_for_each_entry(chain, &block->chain_list, list) {
2845 if ((tca[TCA_CHAIN] &&
2846 nla_get_u32(tca[TCA_CHAIN]) != chain->index))
2848 if (index < index_start) {
2852 if (tcf_chain_held_by_acts_only(chain))
2854 err = tc_chain_fill_node(chain->tmplt_ops, chain->tmplt_priv,
2855 chain->index, net, skb, block,
2856 NETLINK_CB(cb->skb).portid,
2857 cb->nlh->nlmsg_seq, NLM_F_MULTI,
2863 mutex_unlock(&block->lock);
2865 if (tcm->tcm_ifindex == TCM_IFINDEX_MAGIC_BLOCK)
2866 tcf_block_refcnt_put(block, true);
2867 cb->args[0] = index;
2870 /* If we did no progress, the error (EMSGSIZE) is real */
2871 if (skb->len == 0 && err)
2876 void tcf_exts_destroy(struct tcf_exts *exts)
2878 #ifdef CONFIG_NET_CLS_ACT
2879 tcf_action_destroy(exts->actions, TCA_ACT_UNBIND);
2880 kfree(exts->actions);
2881 exts->nr_actions = 0;
2884 EXPORT_SYMBOL(tcf_exts_destroy);
2886 int tcf_exts_validate(struct net *net, struct tcf_proto *tp, struct nlattr **tb,
2887 struct nlattr *rate_tlv, struct tcf_exts *exts, bool ovr,
2888 bool rtnl_held, struct netlink_ext_ack *extack)
2890 #ifdef CONFIG_NET_CLS_ACT
2892 struct tc_action *act;
2893 size_t attr_size = 0;
2895 if (exts->police && tb[exts->police]) {
2896 act = tcf_action_init_1(net, tp, tb[exts->police],
2897 rate_tlv, "police", ovr,
2898 TCA_ACT_BIND, rtnl_held,
2901 return PTR_ERR(act);
2903 act->type = exts->type = TCA_OLD_COMPAT;
2904 exts->actions[0] = act;
2905 exts->nr_actions = 1;
2906 } else if (exts->action && tb[exts->action]) {
2909 err = tcf_action_init(net, tp, tb[exts->action],
2910 rate_tlv, NULL, ovr, TCA_ACT_BIND,
2911 exts->actions, &attr_size,
2915 exts->nr_actions = err;
2919 if ((exts->action && tb[exts->action]) ||
2920 (exts->police && tb[exts->police])) {
2921 NL_SET_ERR_MSG(extack, "Classifier actions are not supported per compile options (CONFIG_NET_CLS_ACT)");
2928 EXPORT_SYMBOL(tcf_exts_validate);
2930 void tcf_exts_change(struct tcf_exts *dst, struct tcf_exts *src)
2932 #ifdef CONFIG_NET_CLS_ACT
2933 struct tcf_exts old = *dst;
2936 tcf_exts_destroy(&old);
2939 EXPORT_SYMBOL(tcf_exts_change);
2941 #ifdef CONFIG_NET_CLS_ACT
2942 static struct tc_action *tcf_exts_first_act(struct tcf_exts *exts)
2944 if (exts->nr_actions == 0)
2947 return exts->actions[0];
2951 int tcf_exts_dump(struct sk_buff *skb, struct tcf_exts *exts)
2953 #ifdef CONFIG_NET_CLS_ACT
2954 struct nlattr *nest;
2956 if (exts->action && tcf_exts_has_actions(exts)) {
2958 * again for backward compatible mode - we want
2959 * to work with both old and new modes of entering
2960 * tc data even if iproute2 was newer - jhs
2962 if (exts->type != TCA_OLD_COMPAT) {
2963 nest = nla_nest_start_noflag(skb, exts->action);
2965 goto nla_put_failure;
2967 if (tcf_action_dump(skb, exts->actions, 0, 0) < 0)
2968 goto nla_put_failure;
2969 nla_nest_end(skb, nest);
2970 } else if (exts->police) {
2971 struct tc_action *act = tcf_exts_first_act(exts);
2972 nest = nla_nest_start_noflag(skb, exts->police);
2973 if (nest == NULL || !act)
2974 goto nla_put_failure;
2975 if (tcf_action_dump_old(skb, act, 0, 0) < 0)
2976 goto nla_put_failure;
2977 nla_nest_end(skb, nest);
2983 nla_nest_cancel(skb, nest);
2989 EXPORT_SYMBOL(tcf_exts_dump);
2992 int tcf_exts_dump_stats(struct sk_buff *skb, struct tcf_exts *exts)
2994 #ifdef CONFIG_NET_CLS_ACT
2995 struct tc_action *a = tcf_exts_first_act(exts);
2996 if (a != NULL && tcf_action_copy_stats(skb, a, 1) < 0)
3001 EXPORT_SYMBOL(tcf_exts_dump_stats);
3003 static void tcf_block_offload_inc(struct tcf_block *block, u32 *flags)
3005 if (*flags & TCA_CLS_FLAGS_IN_HW)
3007 *flags |= TCA_CLS_FLAGS_IN_HW;
3008 atomic_inc(&block->offloadcnt);
3011 static void tcf_block_offload_dec(struct tcf_block *block, u32 *flags)
3013 if (!(*flags & TCA_CLS_FLAGS_IN_HW))
3015 *flags &= ~TCA_CLS_FLAGS_IN_HW;
3016 atomic_dec(&block->offloadcnt);
3019 static void tc_cls_offload_cnt_update(struct tcf_block *block,
3020 struct tcf_proto *tp, u32 *cnt,
3021 u32 *flags, u32 diff, bool add)
3023 lockdep_assert_held(&block->cb_lock);
3025 spin_lock(&tp->lock);
3028 tcf_block_offload_inc(block, flags);
3033 tcf_block_offload_dec(block, flags);
3035 spin_unlock(&tp->lock);
3039 tc_cls_offload_cnt_reset(struct tcf_block *block, struct tcf_proto *tp,
3040 u32 *cnt, u32 *flags)
3042 lockdep_assert_held(&block->cb_lock);
3044 spin_lock(&tp->lock);
3045 tcf_block_offload_dec(block, flags);
3047 spin_unlock(&tp->lock);
3051 __tc_setup_cb_call(struct tcf_block *block, enum tc_setup_type type,
3052 void *type_data, bool err_stop)
3054 struct flow_block_cb *block_cb;
3058 list_for_each_entry(block_cb, &block->flow_block.cb_list, list) {
3059 err = block_cb->cb(type, type_data, block_cb->cb_priv);
3070 int tc_setup_cb_call(struct tcf_block *block, enum tc_setup_type type,
3071 void *type_data, bool err_stop, bool rtnl_held)
3075 down_read(&block->cb_lock);
3076 ok_count = __tc_setup_cb_call(block, type, type_data, err_stop);
3077 up_read(&block->cb_lock);
3080 EXPORT_SYMBOL(tc_setup_cb_call);
3082 /* Non-destructive filter add. If filter that wasn't already in hardware is
3083 * successfully offloaded, increment block offloads counter. On failure,
3084 * previously offloaded filter is considered to be intact and offloads counter
3085 * is not decremented.
3088 int tc_setup_cb_add(struct tcf_block *block, struct tcf_proto *tp,
3089 enum tc_setup_type type, void *type_data, bool err_stop,
3090 u32 *flags, unsigned int *in_hw_count, bool rtnl_held)
3094 down_read(&block->cb_lock);
3095 /* Make sure all netdevs sharing this block are offload-capable. */
3096 if (block->nooffloaddevcnt && err_stop) {
3097 ok_count = -EOPNOTSUPP;
3101 ok_count = __tc_setup_cb_call(block, type, type_data, err_stop);
3103 tc_cls_offload_cnt_update(block, tp, in_hw_count, flags,
3106 up_read(&block->cb_lock);
3107 return ok_count < 0 ? ok_count : 0;
3109 EXPORT_SYMBOL(tc_setup_cb_add);
3111 /* Destructive filter replace. If filter that wasn't already in hardware is
3112 * successfully offloaded, increment block offload counter. On failure,
3113 * previously offloaded filter is considered to be destroyed and offload counter
3117 int tc_setup_cb_replace(struct tcf_block *block, struct tcf_proto *tp,
3118 enum tc_setup_type type, void *type_data, bool err_stop,
3119 u32 *old_flags, unsigned int *old_in_hw_count,
3120 u32 *new_flags, unsigned int *new_in_hw_count,
3125 down_read(&block->cb_lock);
3126 /* Make sure all netdevs sharing this block are offload-capable. */
3127 if (block->nooffloaddevcnt && err_stop) {
3128 ok_count = -EOPNOTSUPP;
3132 tc_cls_offload_cnt_reset(block, tp, old_in_hw_count, old_flags);
3134 ok_count = __tc_setup_cb_call(block, type, type_data, err_stop);
3136 tc_cls_offload_cnt_update(block, tp, new_in_hw_count, new_flags,
3139 up_read(&block->cb_lock);
3140 return ok_count < 0 ? ok_count : 0;
3142 EXPORT_SYMBOL(tc_setup_cb_replace);
3144 /* Destroy filter and decrement block offload counter, if filter was previously
3148 int tc_setup_cb_destroy(struct tcf_block *block, struct tcf_proto *tp,
3149 enum tc_setup_type type, void *type_data, bool err_stop,
3150 u32 *flags, unsigned int *in_hw_count, bool rtnl_held)
3154 down_read(&block->cb_lock);
3155 ok_count = __tc_setup_cb_call(block, type, type_data, err_stop);
3157 tc_cls_offload_cnt_reset(block, tp, in_hw_count, flags);
3158 up_read(&block->cb_lock);
3159 return ok_count < 0 ? ok_count : 0;
3161 EXPORT_SYMBOL(tc_setup_cb_destroy);
3163 int tc_setup_cb_reoffload(struct tcf_block *block, struct tcf_proto *tp,
3164 bool add, flow_setup_cb_t *cb,
3165 enum tc_setup_type type, void *type_data,
3166 void *cb_priv, u32 *flags, unsigned int *in_hw_count)
3168 int err = cb(type, type_data, cb_priv);
3171 if (add && tc_skip_sw(*flags))
3174 tc_cls_offload_cnt_update(block, tp, in_hw_count, flags, 1,
3180 EXPORT_SYMBOL(tc_setup_cb_reoffload);
3182 int tc_setup_flow_action(struct flow_action *flow_action,
3183 const struct tcf_exts *exts)
3185 const struct tc_action *act;
3192 tcf_exts_for_each_action(i, act, exts) {
3193 struct flow_action_entry *entry;
3195 entry = &flow_action->entries[j];
3196 if (is_tcf_gact_ok(act)) {
3197 entry->id = FLOW_ACTION_ACCEPT;
3198 } else if (is_tcf_gact_shot(act)) {
3199 entry->id = FLOW_ACTION_DROP;
3200 } else if (is_tcf_gact_trap(act)) {
3201 entry->id = FLOW_ACTION_TRAP;
3202 } else if (is_tcf_gact_goto_chain(act)) {
3203 entry->id = FLOW_ACTION_GOTO;
3204 entry->chain_index = tcf_gact_goto_chain_index(act);
3205 } else if (is_tcf_mirred_egress_redirect(act)) {
3206 entry->id = FLOW_ACTION_REDIRECT;
3207 entry->dev = tcf_mirred_dev(act);
3208 } else if (is_tcf_mirred_egress_mirror(act)) {
3209 entry->id = FLOW_ACTION_MIRRED;
3210 entry->dev = tcf_mirred_dev(act);
3211 } else if (is_tcf_mirred_ingress_redirect(act)) {
3212 entry->id = FLOW_ACTION_REDIRECT_INGRESS;
3213 entry->dev = tcf_mirred_dev(act);
3214 } else if (is_tcf_mirred_ingress_mirror(act)) {
3215 entry->id = FLOW_ACTION_MIRRED_INGRESS;
3216 entry->dev = tcf_mirred_dev(act);
3217 } else if (is_tcf_vlan(act)) {
3218 switch (tcf_vlan_action(act)) {
3219 case TCA_VLAN_ACT_PUSH:
3220 entry->id = FLOW_ACTION_VLAN_PUSH;
3221 entry->vlan.vid = tcf_vlan_push_vid(act);
3222 entry->vlan.proto = tcf_vlan_push_proto(act);
3223 entry->vlan.prio = tcf_vlan_push_prio(act);
3225 case TCA_VLAN_ACT_POP:
3226 entry->id = FLOW_ACTION_VLAN_POP;
3228 case TCA_VLAN_ACT_MODIFY:
3229 entry->id = FLOW_ACTION_VLAN_MANGLE;
3230 entry->vlan.vid = tcf_vlan_push_vid(act);
3231 entry->vlan.proto = tcf_vlan_push_proto(act);
3232 entry->vlan.prio = tcf_vlan_push_prio(act);
3237 } else if (is_tcf_tunnel_set(act)) {
3238 entry->id = FLOW_ACTION_TUNNEL_ENCAP;
3239 entry->tunnel = tcf_tunnel_info(act);
3240 } else if (is_tcf_tunnel_release(act)) {
3241 entry->id = FLOW_ACTION_TUNNEL_DECAP;
3242 } else if (is_tcf_pedit(act)) {
3243 for (k = 0; k < tcf_pedit_nkeys(act); k++) {
3244 switch (tcf_pedit_cmd(act, k)) {
3245 case TCA_PEDIT_KEY_EX_CMD_SET:
3246 entry->id = FLOW_ACTION_MANGLE;
3248 case TCA_PEDIT_KEY_EX_CMD_ADD:
3249 entry->id = FLOW_ACTION_ADD;
3254 entry->mangle.htype = tcf_pedit_htype(act, k);
3255 entry->mangle.mask = tcf_pedit_mask(act, k);
3256 entry->mangle.val = tcf_pedit_val(act, k);
3257 entry->mangle.offset = tcf_pedit_offset(act, k);
3258 entry = &flow_action->entries[++j];
3260 } else if (is_tcf_csum(act)) {
3261 entry->id = FLOW_ACTION_CSUM;
3262 entry->csum_flags = tcf_csum_update_flags(act);
3263 } else if (is_tcf_skbedit_mark(act)) {
3264 entry->id = FLOW_ACTION_MARK;
3265 entry->mark = tcf_skbedit_mark(act);
3266 } else if (is_tcf_sample(act)) {
3267 entry->id = FLOW_ACTION_SAMPLE;
3268 entry->sample.psample_group =
3269 tcf_sample_psample_group(act);
3270 entry->sample.trunc_size = tcf_sample_trunc_size(act);
3271 entry->sample.truncate = tcf_sample_truncate(act);
3272 entry->sample.rate = tcf_sample_rate(act);
3273 } else if (is_tcf_police(act)) {
3274 entry->id = FLOW_ACTION_POLICE;
3275 entry->police.burst = tcf_police_tcfp_burst(act);
3276 entry->police.rate_bytes_ps =
3277 tcf_police_rate_bytes_ps(act);
3278 } else if (is_tcf_ct(act)) {
3279 entry->id = FLOW_ACTION_CT;
3280 entry->ct.action = tcf_ct_action(act);
3281 entry->ct.zone = tcf_ct_zone(act);
3282 } else if (is_tcf_mpls(act)) {
3283 switch (tcf_mpls_action(act)) {
3284 case TCA_MPLS_ACT_PUSH:
3285 entry->id = FLOW_ACTION_MPLS_PUSH;
3286 entry->mpls_push.proto = tcf_mpls_proto(act);
3287 entry->mpls_push.label = tcf_mpls_label(act);
3288 entry->mpls_push.tc = tcf_mpls_tc(act);
3289 entry->mpls_push.bos = tcf_mpls_bos(act);
3290 entry->mpls_push.ttl = tcf_mpls_ttl(act);
3292 case TCA_MPLS_ACT_POP:
3293 entry->id = FLOW_ACTION_MPLS_POP;
3294 entry->mpls_pop.proto = tcf_mpls_proto(act);
3296 case TCA_MPLS_ACT_MODIFY:
3297 entry->id = FLOW_ACTION_MPLS_MANGLE;
3298 entry->mpls_mangle.label = tcf_mpls_label(act);
3299 entry->mpls_mangle.tc = tcf_mpls_tc(act);
3300 entry->mpls_mangle.bos = tcf_mpls_bos(act);
3301 entry->mpls_mangle.ttl = tcf_mpls_ttl(act);
3306 } else if (is_tcf_skbedit_ptype(act)) {
3307 entry->id = FLOW_ACTION_PTYPE;
3308 entry->ptype = tcf_skbedit_ptype(act);
3313 if (!is_tcf_pedit(act))
3320 EXPORT_SYMBOL(tc_setup_flow_action);
3322 unsigned int tcf_exts_num_actions(struct tcf_exts *exts)
3324 unsigned int num_acts = 0;
3325 struct tc_action *act;
3328 tcf_exts_for_each_action(i, act, exts) {
3329 if (is_tcf_pedit(act))
3330 num_acts += tcf_pedit_nkeys(act);
3336 EXPORT_SYMBOL(tcf_exts_num_actions);
3338 static __net_init int tcf_net_init(struct net *net)
3340 struct tcf_net *tn = net_generic(net, tcf_net_id);
3342 spin_lock_init(&tn->idr_lock);
3347 static void __net_exit tcf_net_exit(struct net *net)
3349 struct tcf_net *tn = net_generic(net, tcf_net_id);
3351 idr_destroy(&tn->idr);
3354 static struct pernet_operations tcf_net_ops = {
3355 .init = tcf_net_init,
3356 .exit = tcf_net_exit,
3358 .size = sizeof(struct tcf_net),
3361 static struct flow_indr_block_ing_entry block_ing_entry = {
3362 .cb = tc_indr_block_get_and_ing_cmd,
3363 .list = LIST_HEAD_INIT(block_ing_entry.list),
3366 static int __init tc_filter_init(void)
3370 tc_filter_wq = alloc_ordered_workqueue("tc_filter_workqueue", 0);
3374 err = register_pernet_subsys(&tcf_net_ops);
3376 goto err_register_pernet_subsys;
3378 flow_indr_add_block_ing_cb(&block_ing_entry);
3380 rtnl_register(PF_UNSPEC, RTM_NEWTFILTER, tc_new_tfilter, NULL,
3381 RTNL_FLAG_DOIT_UNLOCKED);
3382 rtnl_register(PF_UNSPEC, RTM_DELTFILTER, tc_del_tfilter, NULL,
3383 RTNL_FLAG_DOIT_UNLOCKED);
3384 rtnl_register(PF_UNSPEC, RTM_GETTFILTER, tc_get_tfilter,
3385 tc_dump_tfilter, RTNL_FLAG_DOIT_UNLOCKED);
3386 rtnl_register(PF_UNSPEC, RTM_NEWCHAIN, tc_ctl_chain, NULL, 0);
3387 rtnl_register(PF_UNSPEC, RTM_DELCHAIN, tc_ctl_chain, NULL, 0);
3388 rtnl_register(PF_UNSPEC, RTM_GETCHAIN, tc_ctl_chain,
3393 err_register_pernet_subsys:
3394 destroy_workqueue(tc_filter_wq);
3398 subsys_initcall(tc_filter_init);
projects / linux-2.6-block.git / blob