1 /* SPDX-License-Identifier: GPL-2.0 */
2 #include <linux/module.h>
3 #include <linux/netfilter/nf_tables.h>
4 #include <net/netfilter/nf_tables.h>
5 #include <net/netfilter/nf_tables_core.h>
6 #include <net/netfilter/nf_socket.h>
7 #include <net/inet_sock.h>
11 enum nft_socket_keys key:8;
13 enum nft_registers dreg:8;
17 static void nft_socket_eval(const struct nft_expr *expr,
18 struct nft_regs *regs,
19 const struct nft_pktinfo *pkt)
21 const struct nft_socket *priv = nft_expr_priv(expr);
22 struct sk_buff *skb = pkt->skb;
23 struct sock *sk = skb->sk;
24 u32 *dest = ®s->data[priv->dreg];
29 sk = nf_sk_lookup_slow_v4(nft_net(pkt), skb, nft_in(pkt));
31 #if IS_ENABLED(CONFIG_NF_SOCKET_IPV6)
33 sk = nf_sk_lookup_slow_v6(nft_net(pkt), skb, nft_in(pkt));
38 regs->verdict.code = NFT_BREAK;
43 nft_reg_store8(dest, 0);
47 /* So that subsequent socket matching not to require other lookups. */
51 case NFT_SOCKET_TRANSPARENT:
52 nft_reg_store8(dest, inet_sk_transparent(sk));
56 regs->verdict.code = NFT_BREAK;
60 static const struct nla_policy nft_socket_policy[NFTA_SOCKET_MAX + 1] = {
61 [NFTA_SOCKET_KEY] = { .type = NLA_U32 },
62 [NFTA_SOCKET_DREG] = { .type = NLA_U32 },
65 static int nft_socket_init(const struct nft_ctx *ctx,
66 const struct nft_expr *expr,
67 const struct nlattr * const tb[])
69 struct nft_socket *priv = nft_expr_priv(expr);
72 if (!tb[NFTA_SOCKET_DREG] || !tb[NFTA_SOCKET_KEY])
77 #if IS_ENABLED(CONFIG_NF_SOCKET_IPV6)
86 priv->key = ntohl(nla_get_u32(tb[NFTA_SOCKET_KEY]));
88 case NFT_SOCKET_TRANSPARENT:
95 priv->dreg = nft_parse_register(tb[NFTA_SOCKET_DREG]);
96 return nft_validate_register_store(ctx, priv->dreg, NULL,
100 static int nft_socket_dump(struct sk_buff *skb,
101 const struct nft_expr *expr)
103 const struct nft_socket *priv = nft_expr_priv(expr);
105 if (nla_put_u32(skb, NFTA_SOCKET_KEY, htonl(priv->key)))
107 if (nft_dump_register(skb, NFTA_SOCKET_DREG, priv->dreg))
112 static struct nft_expr_type nft_socket_type;
113 static const struct nft_expr_ops nft_socket_ops = {
114 .type = &nft_socket_type,
115 .size = NFT_EXPR_SIZE(sizeof(struct nft_socket)),
116 .eval = nft_socket_eval,
117 .init = nft_socket_init,
118 .dump = nft_socket_dump,
121 static struct nft_expr_type nft_socket_type __read_mostly = {
123 .ops = &nft_socket_ops,
124 .policy = nft_socket_policy,
125 .maxattr = NFTA_SOCKET_MAX,
126 .owner = THIS_MODULE,
129 static int __init nft_socket_module_init(void)
131 return nft_register_expr(&nft_socket_type);
134 static void __exit nft_socket_module_exit(void)
136 nft_unregister_expr(&nft_socket_type);
139 module_init(nft_socket_module_init);
140 module_exit(nft_socket_module_exit);
142 MODULE_LICENSE("GPL");
143 MODULE_AUTHOR("Máté Eckl");
144 MODULE_DESCRIPTION("nf_tables socket match module");
145 MODULE_ALIAS_NFT_EXPR("socket");