1 // SPDX-License-Identifier: GPL-2.0-only
3 * Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
4 * Copyright (c) 2014 Intel Corporation
5 * Author: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
7 * Development of this code funded by Astaro AG (http://www.astaro.com/)
10 #include <linux/kernel.h>
11 #include <linux/netlink.h>
12 #include <linux/netfilter.h>
13 #include <linux/netfilter/nf_tables.h>
16 #include <linux/ipv6.h>
17 #include <linux/smp.h>
18 #include <linux/static_key.h>
22 #include <net/tcp_states.h> /* for TCP_TIME_WAIT */
23 #include <net/netfilter/nf_tables.h>
24 #include <net/netfilter/nf_tables_core.h>
25 #include <net/netfilter/nft_meta.h>
26 #include <net/netfilter/nf_tables_offload.h>
28 #include <uapi/linux/netfilter_bridge.h> /* NF_BR_PRE_ROUTING */
30 #define NFT_META_SECS_PER_MINUTE 60
31 #define NFT_META_SECS_PER_HOUR 3600
32 #define NFT_META_SECS_PER_DAY 86400
33 #define NFT_META_DAYS_PER_WEEK 7
35 static DEFINE_PER_CPU(struct rnd_state, nft_prandom_state);
37 static u8 nft_meta_weekday(void)
39 time64_t secs = ktime_get_real_seconds();
43 secs -= NFT_META_SECS_PER_MINUTE * sys_tz.tz_minuteswest;
44 dse = div_u64(secs, NFT_META_SECS_PER_DAY);
45 wday = (4 + dse) % NFT_META_DAYS_PER_WEEK;
50 static u32 nft_meta_hour(time64_t secs)
54 time64_to_tm(secs, 0, &tm);
56 return tm.tm_hour * NFT_META_SECS_PER_HOUR
57 + tm.tm_min * NFT_META_SECS_PER_MINUTE
61 static noinline_for_stack void
62 nft_meta_get_eval_time(enum nft_meta_keys key,
66 case NFT_META_TIME_NS:
67 nft_reg_store64(dest, ktime_get_real_ns());
69 case NFT_META_TIME_DAY:
70 nft_reg_store8(dest, nft_meta_weekday());
72 case NFT_META_TIME_HOUR:
73 *dest = nft_meta_hour(ktime_get_real_seconds());
81 nft_meta_get_eval_pkttype_lo(const struct nft_pktinfo *pkt,
84 const struct sk_buff *skb = pkt->skb;
86 switch (nft_pf(pkt)) {
88 if (ipv4_is_multicast(ip_hdr(skb)->daddr))
89 nft_reg_store8(dest, PACKET_MULTICAST);
91 nft_reg_store8(dest, PACKET_BROADCAST);
94 nft_reg_store8(dest, PACKET_MULTICAST);
97 switch (skb->protocol) {
98 case htons(ETH_P_IP): {
99 int noff = skb_network_offset(skb);
100 struct iphdr *iph, _iph;
102 iph = skb_header_pointer(skb, noff,
103 sizeof(_iph), &_iph);
107 if (ipv4_is_multicast(iph->daddr))
108 nft_reg_store8(dest, PACKET_MULTICAST);
110 nft_reg_store8(dest, PACKET_BROADCAST);
114 case htons(ETH_P_IPV6):
115 nft_reg_store8(dest, PACKET_MULTICAST);
131 nft_meta_get_eval_skugid(enum nft_meta_keys key,
133 const struct nft_pktinfo *pkt)
135 struct sock *sk = skb_to_full_sk(pkt->skb);
138 if (!sk || !sk_fullsock(sk) || !net_eq(nft_net(pkt), sock_net(sk)))
141 read_lock_bh(&sk->sk_callback_lock);
142 sock = sk->sk_socket;
143 if (!sock || !sock->file) {
144 read_unlock_bh(&sk->sk_callback_lock);
150 *dest = from_kuid_munged(sock_net(sk)->user_ns,
151 sock->file->f_cred->fsuid);
154 *dest = from_kgid_munged(sock_net(sk)->user_ns,
155 sock->file->f_cred->fsgid);
161 read_unlock_bh(&sk->sk_callback_lock);
165 #ifdef CONFIG_CGROUP_NET_CLASSID
167 nft_meta_get_eval_cgroup(u32 *dest, const struct nft_pktinfo *pkt)
169 struct sock *sk = skb_to_full_sk(pkt->skb);
171 if (!sk || !sk_fullsock(sk) || !net_eq(nft_net(pkt), sock_net(sk)))
174 *dest = sock_cgroup_classid(&sk->sk_cgrp_data);
179 static noinline bool nft_meta_get_eval_kind(enum nft_meta_keys key,
181 const struct nft_pktinfo *pkt)
183 const struct net_device *in = nft_in(pkt), *out = nft_out(pkt);
186 case NFT_META_IIFKIND:
187 if (!in || !in->rtnl_link_ops)
189 strncpy((char *)dest, in->rtnl_link_ops->kind, IFNAMSIZ);
191 case NFT_META_OIFKIND:
192 if (!out || !out->rtnl_link_ops)
194 strncpy((char *)dest, out->rtnl_link_ops->kind, IFNAMSIZ);
203 static void nft_meta_store_ifindex(u32 *dest, const struct net_device *dev)
205 *dest = dev ? dev->ifindex : 0;
208 static void nft_meta_store_ifname(u32 *dest, const struct net_device *dev)
210 strncpy((char *)dest, dev ? dev->name : "", IFNAMSIZ);
213 static bool nft_meta_store_iftype(u32 *dest, const struct net_device *dev)
218 nft_reg_store16(dest, dev->type);
222 static bool nft_meta_store_ifgroup(u32 *dest, const struct net_device *dev)
231 static bool nft_meta_get_eval_ifname(enum nft_meta_keys key, u32 *dest,
232 const struct nft_pktinfo *pkt)
235 case NFT_META_IIFNAME:
236 nft_meta_store_ifname(dest, nft_in(pkt));
238 case NFT_META_OIFNAME:
239 nft_meta_store_ifname(dest, nft_out(pkt));
242 nft_meta_store_ifindex(dest, nft_in(pkt));
245 nft_meta_store_ifindex(dest, nft_out(pkt));
247 case NFT_META_IFTYPE:
248 if (!nft_meta_store_iftype(dest, pkt->skb->dev))
251 case __NFT_META_IIFTYPE:
252 if (!nft_meta_store_iftype(dest, nft_in(pkt)))
255 case NFT_META_OIFTYPE:
256 if (!nft_meta_store_iftype(dest, nft_out(pkt)))
259 case NFT_META_IIFGROUP:
260 if (!nft_meta_store_ifgroup(dest, nft_in(pkt)))
263 case NFT_META_OIFGROUP:
264 if (!nft_meta_store_ifgroup(dest, nft_out(pkt)))
274 static noinline u32 nft_prandom_u32(void)
276 struct rnd_state *state = this_cpu_ptr(&nft_prandom_state);
278 return prandom_u32_state(state);
281 #ifdef CONFIG_IP_ROUTE_CLASSID
283 nft_meta_get_eval_rtclassid(const struct sk_buff *skb, u32 *dest)
285 const struct dst_entry *dst = skb_dst(skb);
290 *dest = dst->tclassid;
295 static noinline u32 nft_meta_get_eval_sdif(const struct nft_pktinfo *pkt)
297 switch (nft_pf(pkt)) {
299 return inet_sdif(pkt->skb);
301 return inet6_sdif(pkt->skb);
308 nft_meta_get_eval_sdifname(u32 *dest, const struct nft_pktinfo *pkt)
310 u32 sdif = nft_meta_get_eval_sdif(pkt);
311 const struct net_device *dev;
313 dev = sdif ? dev_get_by_index_rcu(nft_net(pkt), sdif) : NULL;
314 nft_meta_store_ifname(dest, dev);
317 void nft_meta_get_eval(const struct nft_expr *expr,
318 struct nft_regs *regs,
319 const struct nft_pktinfo *pkt)
321 const struct nft_meta *priv = nft_expr_priv(expr);
322 const struct sk_buff *skb = pkt->skb;
323 u32 *dest = ®s->data[priv->dreg];
329 case NFT_META_PROTOCOL:
330 nft_reg_store16(dest, (__force u16)skb->protocol);
332 case NFT_META_NFPROTO:
333 nft_reg_store8(dest, nft_pf(pkt));
335 case NFT_META_L4PROTO:
336 if (!(pkt->flags & NFT_PKTINFO_L4PROTO))
338 nft_reg_store8(dest, pkt->tprot);
340 case NFT_META_PRIORITY:
341 *dest = skb->priority;
348 case NFT_META_IIFNAME:
349 case NFT_META_OIFNAME:
350 case NFT_META_IIFTYPE:
351 case NFT_META_OIFTYPE:
352 case NFT_META_IIFGROUP:
353 case NFT_META_OIFGROUP:
354 if (!nft_meta_get_eval_ifname(priv->key, dest, pkt))
359 if (!nft_meta_get_eval_skugid(priv->key, dest, pkt))
362 #ifdef CONFIG_IP_ROUTE_CLASSID
363 case NFT_META_RTCLASSID:
364 if (!nft_meta_get_eval_rtclassid(skb, dest))
368 #ifdef CONFIG_NETWORK_SECMARK
369 case NFT_META_SECMARK:
370 *dest = skb->secmark;
373 case NFT_META_PKTTYPE:
374 if (skb->pkt_type != PACKET_LOOPBACK) {
375 nft_reg_store8(dest, skb->pkt_type);
379 if (!nft_meta_get_eval_pkttype_lo(pkt, dest))
383 *dest = raw_smp_processor_id();
385 #ifdef CONFIG_CGROUP_NET_CLASSID
386 case NFT_META_CGROUP:
387 if (!nft_meta_get_eval_cgroup(dest, pkt))
391 case NFT_META_PRANDOM:
392 *dest = nft_prandom_u32();
395 case NFT_META_SECPATH:
396 nft_reg_store8(dest, secpath_exists(skb));
399 case NFT_META_IIFKIND:
400 case NFT_META_OIFKIND:
401 if (!nft_meta_get_eval_kind(priv->key, dest, pkt))
404 case NFT_META_TIME_NS:
405 case NFT_META_TIME_DAY:
406 case NFT_META_TIME_HOUR:
407 nft_meta_get_eval_time(priv->key, dest);
410 *dest = nft_meta_get_eval_sdif(pkt);
412 case NFT_META_SDIFNAME:
413 nft_meta_get_eval_sdifname(dest, pkt);
422 regs->verdict.code = NFT_BREAK;
424 EXPORT_SYMBOL_GPL(nft_meta_get_eval);
426 void nft_meta_set_eval(const struct nft_expr *expr,
427 struct nft_regs *regs,
428 const struct nft_pktinfo *pkt)
430 const struct nft_meta *meta = nft_expr_priv(expr);
431 struct sk_buff *skb = pkt->skb;
432 u32 *sreg = ®s->data[meta->sreg];
440 case NFT_META_PRIORITY:
441 skb->priority = value;
443 case NFT_META_PKTTYPE:
444 value8 = nft_reg_load8(sreg);
446 if (skb->pkt_type != value8 &&
447 skb_pkt_type_ok(value8) &&
448 skb_pkt_type_ok(skb->pkt_type))
449 skb->pkt_type = value8;
451 case NFT_META_NFTRACE:
452 value8 = nft_reg_load8(sreg);
454 skb->nf_trace = !!value8;
456 #ifdef CONFIG_NETWORK_SECMARK
457 case NFT_META_SECMARK:
458 skb->secmark = value;
465 EXPORT_SYMBOL_GPL(nft_meta_set_eval);
467 const struct nla_policy nft_meta_policy[NFTA_META_MAX + 1] = {
468 [NFTA_META_DREG] = { .type = NLA_U32 },
469 [NFTA_META_KEY] = { .type = NLA_U32 },
470 [NFTA_META_SREG] = { .type = NLA_U32 },
472 EXPORT_SYMBOL_GPL(nft_meta_policy);
474 int nft_meta_get_init(const struct nft_ctx *ctx,
475 const struct nft_expr *expr,
476 const struct nlattr * const tb[])
478 struct nft_meta *priv = nft_expr_priv(expr);
481 priv->key = ntohl(nla_get_be32(tb[NFTA_META_KEY]));
483 case NFT_META_PROTOCOL:
484 case NFT_META_IIFTYPE:
485 case NFT_META_OIFTYPE:
488 case NFT_META_NFPROTO:
489 case NFT_META_L4PROTO:
491 case NFT_META_PRIORITY:
498 #ifdef CONFIG_IP_ROUTE_CLASSID
499 case NFT_META_RTCLASSID:
501 #ifdef CONFIG_NETWORK_SECMARK
502 case NFT_META_SECMARK:
504 case NFT_META_PKTTYPE:
506 case NFT_META_IIFGROUP:
507 case NFT_META_OIFGROUP:
508 #ifdef CONFIG_CGROUP_NET_CLASSID
509 case NFT_META_CGROUP:
513 case NFT_META_IIFNAME:
514 case NFT_META_OIFNAME:
515 case NFT_META_IIFKIND:
516 case NFT_META_OIFKIND:
517 case NFT_META_SDIFNAME:
520 case NFT_META_PRANDOM:
521 prandom_init_once(&nft_prandom_state);
525 case NFT_META_SECPATH:
529 case NFT_META_TIME_NS:
532 case NFT_META_TIME_DAY:
535 case NFT_META_TIME_HOUR:
542 return nft_parse_register_store(ctx, tb[NFTA_META_DREG], &priv->dreg,
543 NULL, NFT_DATA_VALUE, len);
545 EXPORT_SYMBOL_GPL(nft_meta_get_init);
547 static int nft_meta_get_validate_sdif(const struct nft_ctx *ctx)
551 switch (ctx->family) {
555 hooks = (1 << NF_INET_LOCAL_IN) |
556 (1 << NF_INET_FORWARD);
562 return nft_chain_validate_hooks(ctx->chain, hooks);
565 static int nft_meta_get_validate_xfrm(const struct nft_ctx *ctx)
570 switch (ctx->family) {
572 hooks = 1 << NF_NETDEV_INGRESS;
577 hooks = (1 << NF_INET_PRE_ROUTING) |
578 (1 << NF_INET_LOCAL_IN) |
579 (1 << NF_INET_FORWARD);
585 return nft_chain_validate_hooks(ctx->chain, hooks);
591 static int nft_meta_get_validate(const struct nft_ctx *ctx,
592 const struct nft_expr *expr,
593 const struct nft_data **data)
595 const struct nft_meta *priv = nft_expr_priv(expr);
598 case NFT_META_SECPATH:
599 return nft_meta_get_validate_xfrm(ctx);
601 case NFT_META_SDIFNAME:
602 return nft_meta_get_validate_sdif(ctx);
610 int nft_meta_set_validate(const struct nft_ctx *ctx,
611 const struct nft_expr *expr,
612 const struct nft_data **data)
614 struct nft_meta *priv = nft_expr_priv(expr);
617 if (priv->key != NFT_META_PKTTYPE)
620 switch (ctx->family) {
622 hooks = 1 << NF_BR_PRE_ROUTING;
625 hooks = 1 << NF_NETDEV_INGRESS;
630 hooks = 1 << NF_INET_PRE_ROUTING;
636 return nft_chain_validate_hooks(ctx->chain, hooks);
638 EXPORT_SYMBOL_GPL(nft_meta_set_validate);
640 int nft_meta_set_init(const struct nft_ctx *ctx,
641 const struct nft_expr *expr,
642 const struct nlattr * const tb[])
644 struct nft_meta *priv = nft_expr_priv(expr);
648 priv->key = ntohl(nla_get_be32(tb[NFTA_META_KEY]));
651 case NFT_META_PRIORITY:
652 #ifdef CONFIG_NETWORK_SECMARK
653 case NFT_META_SECMARK:
657 case NFT_META_NFTRACE:
660 case NFT_META_PKTTYPE:
667 err = nft_parse_register_load(tb[NFTA_META_SREG], &priv->sreg, len);
671 if (priv->key == NFT_META_NFTRACE)
672 static_branch_inc(&nft_trace_enabled);
676 EXPORT_SYMBOL_GPL(nft_meta_set_init);
678 int nft_meta_get_dump(struct sk_buff *skb,
679 const struct nft_expr *expr)
681 const struct nft_meta *priv = nft_expr_priv(expr);
683 if (nla_put_be32(skb, NFTA_META_KEY, htonl(priv->key)))
684 goto nla_put_failure;
685 if (nft_dump_register(skb, NFTA_META_DREG, priv->dreg))
686 goto nla_put_failure;
692 EXPORT_SYMBOL_GPL(nft_meta_get_dump);
694 int nft_meta_set_dump(struct sk_buff *skb, const struct nft_expr *expr)
696 const struct nft_meta *priv = nft_expr_priv(expr);
698 if (nla_put_be32(skb, NFTA_META_KEY, htonl(priv->key)))
699 goto nla_put_failure;
700 if (nft_dump_register(skb, NFTA_META_SREG, priv->sreg))
701 goto nla_put_failure;
708 EXPORT_SYMBOL_GPL(nft_meta_set_dump);
710 void nft_meta_set_destroy(const struct nft_ctx *ctx,
711 const struct nft_expr *expr)
713 const struct nft_meta *priv = nft_expr_priv(expr);
715 if (priv->key == NFT_META_NFTRACE)
716 static_branch_dec(&nft_trace_enabled);
718 EXPORT_SYMBOL_GPL(nft_meta_set_destroy);
720 static int nft_meta_get_offload(struct nft_offload_ctx *ctx,
721 struct nft_flow_rule *flow,
722 const struct nft_expr *expr)
724 const struct nft_meta *priv = nft_expr_priv(expr);
725 struct nft_offload_reg *reg = &ctx->regs[priv->dreg];
728 case NFT_META_PROTOCOL:
729 NFT_OFFLOAD_MATCH_EXACT(FLOW_DISSECTOR_KEY_BASIC, basic, n_proto,
731 nft_offload_set_dependency(ctx, NFT_OFFLOAD_DEP_NETWORK);
733 case NFT_META_L4PROTO:
734 NFT_OFFLOAD_MATCH_EXACT(FLOW_DISSECTOR_KEY_BASIC, basic, ip_proto,
736 nft_offload_set_dependency(ctx, NFT_OFFLOAD_DEP_TRANSPORT);
739 NFT_OFFLOAD_MATCH_EXACT(FLOW_DISSECTOR_KEY_META, meta,
740 ingress_ifindex, sizeof(__u32), reg);
742 case NFT_META_IIFTYPE:
743 NFT_OFFLOAD_MATCH_EXACT(FLOW_DISSECTOR_KEY_META, meta,
744 ingress_iftype, sizeof(__u16), reg);
753 static bool nft_meta_get_reduce(struct nft_regs_track *track,
754 const struct nft_expr *expr)
756 const struct nft_meta *priv = nft_expr_priv(expr);
757 const struct nft_meta *meta;
759 if (!track->regs[priv->dreg].selector ||
760 track->regs[priv->dreg].selector->ops != expr->ops) {
761 track->regs[priv->dreg].selector = expr;
762 track->regs[priv->dreg].bitwise = NULL;
766 meta = nft_expr_priv(track->regs[priv->dreg].selector);
767 if (priv->key != meta->key ||
768 priv->dreg != meta->dreg) {
769 track->regs[priv->dreg].selector = expr;
770 track->regs[priv->dreg].bitwise = NULL;
774 if (!track->regs[priv->dreg].bitwise)
777 return nft_expr_reduce_bitwise(track, expr);
780 static const struct nft_expr_ops nft_meta_get_ops = {
781 .type = &nft_meta_type,
782 .size = NFT_EXPR_SIZE(sizeof(struct nft_meta)),
783 .eval = nft_meta_get_eval,
784 .init = nft_meta_get_init,
785 .dump = nft_meta_get_dump,
786 .reduce = nft_meta_get_reduce,
787 .validate = nft_meta_get_validate,
788 .offload = nft_meta_get_offload,
791 static bool nft_meta_set_reduce(struct nft_regs_track *track,
792 const struct nft_expr *expr)
796 for (i = 0; i < NFT_REG32_NUM; i++) {
797 if (!track->regs[i].selector)
800 if (track->regs[i].selector->ops != &nft_meta_get_ops)
803 track->regs[i].selector = NULL;
804 track->regs[i].bitwise = NULL;
810 static const struct nft_expr_ops nft_meta_set_ops = {
811 .type = &nft_meta_type,
812 .size = NFT_EXPR_SIZE(sizeof(struct nft_meta)),
813 .eval = nft_meta_set_eval,
814 .init = nft_meta_set_init,
815 .destroy = nft_meta_set_destroy,
816 .dump = nft_meta_set_dump,
817 .reduce = nft_meta_set_reduce,
818 .validate = nft_meta_set_validate,
821 static const struct nft_expr_ops *
822 nft_meta_select_ops(const struct nft_ctx *ctx,
823 const struct nlattr * const tb[])
825 if (tb[NFTA_META_KEY] == NULL)
826 return ERR_PTR(-EINVAL);
828 if (tb[NFTA_META_DREG] && tb[NFTA_META_SREG])
829 return ERR_PTR(-EINVAL);
831 #if IS_ENABLED(CONFIG_NF_TABLES_BRIDGE) && IS_MODULE(CONFIG_NFT_BRIDGE_META)
832 if (ctx->family == NFPROTO_BRIDGE)
833 return ERR_PTR(-EAGAIN);
835 if (tb[NFTA_META_DREG])
836 return &nft_meta_get_ops;
838 if (tb[NFTA_META_SREG])
839 return &nft_meta_set_ops;
841 return ERR_PTR(-EINVAL);
844 struct nft_expr_type nft_meta_type __read_mostly = {
846 .select_ops = nft_meta_select_ops,
847 .policy = nft_meta_policy,
848 .maxattr = NFTA_META_MAX,
849 .owner = THIS_MODULE,
852 #ifdef CONFIG_NETWORK_SECMARK
858 static const struct nla_policy nft_secmark_policy[NFTA_SECMARK_MAX + 1] = {
859 [NFTA_SECMARK_CTX] = { .type = NLA_STRING, .len = NFT_SECMARK_CTX_MAXLEN },
862 static int nft_secmark_compute_secid(struct nft_secmark *priv)
867 err = security_secctx_to_secid(priv->ctx, strlen(priv->ctx), &tmp_secid);
874 err = security_secmark_relabel_packet(tmp_secid);
878 priv->secid = tmp_secid;
882 static void nft_secmark_obj_eval(struct nft_object *obj, struct nft_regs *regs,
883 const struct nft_pktinfo *pkt)
885 const struct nft_secmark *priv = nft_obj_data(obj);
886 struct sk_buff *skb = pkt->skb;
888 skb->secmark = priv->secid;
891 static int nft_secmark_obj_init(const struct nft_ctx *ctx,
892 const struct nlattr * const tb[],
893 struct nft_object *obj)
895 struct nft_secmark *priv = nft_obj_data(obj);
898 if (tb[NFTA_SECMARK_CTX] == NULL)
901 priv->ctx = nla_strdup(tb[NFTA_SECMARK_CTX], GFP_KERNEL);
905 err = nft_secmark_compute_secid(priv);
911 security_secmark_refcount_inc();
916 static int nft_secmark_obj_dump(struct sk_buff *skb, struct nft_object *obj,
919 struct nft_secmark *priv = nft_obj_data(obj);
922 if (nla_put_string(skb, NFTA_SECMARK_CTX, priv->ctx))
926 err = nft_secmark_compute_secid(priv);
934 static void nft_secmark_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
936 struct nft_secmark *priv = nft_obj_data(obj);
938 security_secmark_refcount_dec();
943 static const struct nft_object_ops nft_secmark_obj_ops = {
944 .type = &nft_secmark_obj_type,
945 .size = sizeof(struct nft_secmark),
946 .init = nft_secmark_obj_init,
947 .eval = nft_secmark_obj_eval,
948 .dump = nft_secmark_obj_dump,
949 .destroy = nft_secmark_obj_destroy,
951 struct nft_object_type nft_secmark_obj_type __read_mostly = {
952 .type = NFT_OBJECT_SECMARK,
953 .ops = &nft_secmark_obj_ops,
954 .maxattr = NFTA_SECMARK_MAX,
955 .policy = nft_secmark_policy,
956 .owner = THIS_MODULE,
958 #endif /* CONFIG_NETWORK_SECMARK */
projects / linux-2.6-microblaze.git / blob