2 * This program is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License version 2 as
4 * published by the Free Software Foundation.
6 * Generic part shared by ipv4 and ipv6 backends.
9 #include <linux/kernel.h>
10 #include <linux/init.h>
11 #include <linux/module.h>
12 #include <linux/netlink.h>
13 #include <linux/netfilter.h>
14 #include <linux/netfilter/nf_tables.h>
15 #include <net/netfilter/nf_tables_core.h>
16 #include <net/netfilter/nf_tables.h>
20 static const struct nla_policy nft_xfrm_policy[NFTA_XFRM_MAX + 1] = {
21 [NFTA_XFRM_KEY] = { .type = NLA_U32 },
22 [NFTA_XFRM_DIR] = { .type = NLA_U8 },
23 [NFTA_XFRM_SPNUM] = { .type = NLA_U32 },
24 [NFTA_XFRM_DREG] = { .type = NLA_U32 },
28 enum nft_xfrm_keys key:8;
29 enum nft_registers dreg:8;
34 static int nft_xfrm_get_init(const struct nft_ctx *ctx,
35 const struct nft_expr *expr,
36 const struct nlattr * const tb[])
38 struct nft_xfrm *priv = nft_expr_priv(expr);
43 if (!tb[NFTA_XFRM_KEY] || !tb[NFTA_XFRM_DIR] || !tb[NFTA_XFRM_DREG])
46 switch (ctx->family) {
55 priv->key = ntohl(nla_get_u32(tb[NFTA_XFRM_KEY]));
57 case NFT_XFRM_KEY_REQID:
58 case NFT_XFRM_KEY_SPI:
61 case NFT_XFRM_KEY_DADDR_IP4:
62 case NFT_XFRM_KEY_SADDR_IP4:
63 len = sizeof(struct in_addr);
65 case NFT_XFRM_KEY_DADDR_IP6:
66 case NFT_XFRM_KEY_SADDR_IP6:
67 len = sizeof(struct in6_addr);
73 dir = nla_get_u8(tb[NFTA_XFRM_DIR]);
83 if (tb[NFTA_XFRM_SPNUM])
84 spnum = ntohl(nla_get_be32(tb[NFTA_XFRM_SPNUM]));
86 if (spnum >= XFRM_MAX_DEPTH)
91 priv->dreg = nft_parse_register(tb[NFTA_XFRM_DREG]);
92 return nft_validate_register_store(ctx, priv->dreg, NULL,
96 /* Return true if key asks for daddr/saddr and current
97 * state does have a valid address (BEET, TUNNEL).
99 static bool xfrm_state_addr_ok(enum nft_xfrm_keys k, u8 family, u8 mode)
102 case NFT_XFRM_KEY_DADDR_IP4:
103 case NFT_XFRM_KEY_SADDR_IP4:
104 if (family == NFPROTO_IPV4)
107 case NFT_XFRM_KEY_DADDR_IP6:
108 case NFT_XFRM_KEY_SADDR_IP6:
109 if (family == NFPROTO_IPV6)
116 return mode == XFRM_MODE_BEET || mode == XFRM_MODE_TUNNEL;
119 static void nft_xfrm_state_get_key(const struct nft_xfrm *priv,
120 struct nft_regs *regs,
121 const struct xfrm_state *state)
123 u32 *dest = ®s->data[priv->dreg];
125 if (!xfrm_state_addr_ok(priv->key,
127 state->props.mode)) {
128 regs->verdict.code = NFT_BREAK;
133 case NFT_XFRM_KEY_UNSPEC:
134 case __NFT_XFRM_KEY_MAX:
137 case NFT_XFRM_KEY_DADDR_IP4:
138 *dest = state->id.daddr.a4;
140 case NFT_XFRM_KEY_DADDR_IP6:
141 memcpy(dest, &state->id.daddr.in6, sizeof(struct in6_addr));
143 case NFT_XFRM_KEY_SADDR_IP4:
144 *dest = state->props.saddr.a4;
146 case NFT_XFRM_KEY_SADDR_IP6:
147 memcpy(dest, &state->props.saddr.in6, sizeof(struct in6_addr));
149 case NFT_XFRM_KEY_REQID:
150 *dest = state->props.reqid;
152 case NFT_XFRM_KEY_SPI:
153 *dest = state->id.spi;
157 regs->verdict.code = NFT_BREAK;
160 static void nft_xfrm_get_eval_in(const struct nft_xfrm *priv,
161 struct nft_regs *regs,
162 const struct nft_pktinfo *pkt)
164 const struct sec_path *sp = skb_sec_path(pkt->skb);
165 const struct xfrm_state *state;
167 if (sp == NULL || sp->len <= priv->spnum) {
168 regs->verdict.code = NFT_BREAK;
172 state = sp->xvec[priv->spnum];
173 nft_xfrm_state_get_key(priv, regs, state);
176 static void nft_xfrm_get_eval_out(const struct nft_xfrm *priv,
177 struct nft_regs *regs,
178 const struct nft_pktinfo *pkt)
180 const struct dst_entry *dst = skb_dst(pkt->skb);
183 for (i = 0; dst && dst->xfrm;
184 dst = ((const struct xfrm_dst *)dst)->child, i++) {
188 nft_xfrm_state_get_key(priv, regs, dst->xfrm);
192 regs->verdict.code = NFT_BREAK;
195 static void nft_xfrm_get_eval(const struct nft_expr *expr,
196 struct nft_regs *regs,
197 const struct nft_pktinfo *pkt)
199 const struct nft_xfrm *priv = nft_expr_priv(expr);
203 nft_xfrm_get_eval_in(priv, regs, pkt);
205 case XFRM_POLICY_OUT:
206 nft_xfrm_get_eval_out(priv, regs, pkt);
210 regs->verdict.code = NFT_BREAK;
215 static int nft_xfrm_get_dump(struct sk_buff *skb,
216 const struct nft_expr *expr)
218 const struct nft_xfrm *priv = nft_expr_priv(expr);
220 if (nft_dump_register(skb, NFTA_XFRM_DREG, priv->dreg))
223 if (nla_put_be32(skb, NFTA_XFRM_KEY, htonl(priv->key)))
225 if (nla_put_u8(skb, NFTA_XFRM_DIR, priv->dir))
227 if (nla_put_be32(skb, NFTA_XFRM_SPNUM, htonl(priv->spnum)))
233 static int nft_xfrm_validate(const struct nft_ctx *ctx, const struct nft_expr *expr,
234 const struct nft_data **data)
236 const struct nft_xfrm *priv = nft_expr_priv(expr);
241 hooks = (1 << NF_INET_FORWARD) |
242 (1 << NF_INET_LOCAL_IN) |
243 (1 << NF_INET_PRE_ROUTING);
245 case XFRM_POLICY_OUT:
246 hooks = (1 << NF_INET_FORWARD) |
247 (1 << NF_INET_LOCAL_OUT) |
248 (1 << NF_INET_POST_ROUTING);
255 return nft_chain_validate_hooks(ctx->chain, hooks);
259 static struct nft_expr_type nft_xfrm_type;
260 static const struct nft_expr_ops nft_xfrm_get_ops = {
261 .type = &nft_xfrm_type,
262 .size = NFT_EXPR_SIZE(sizeof(struct nft_xfrm)),
263 .eval = nft_xfrm_get_eval,
264 .init = nft_xfrm_get_init,
265 .dump = nft_xfrm_get_dump,
266 .validate = nft_xfrm_validate,
269 static struct nft_expr_type nft_xfrm_type __read_mostly = {
271 .ops = &nft_xfrm_get_ops,
272 .policy = nft_xfrm_policy,
273 .maxattr = NFTA_XFRM_MAX,
274 .owner = THIS_MODULE,
277 static int __init nft_xfrm_module_init(void)
279 return nft_register_expr(&nft_xfrm_type);
282 static void __exit nft_xfrm_module_exit(void)
284 nft_unregister_expr(&nft_xfrm_type);
287 module_init(nft_xfrm_module_init);
288 module_exit(nft_xfrm_module_exit);
290 MODULE_LICENSE("GPL");
291 MODULE_DESCRIPTION("nf_tables: xfrm/IPSec matching");
292 MODULE_AUTHOR("Florian Westphal <fw@strlen.de>");
293 MODULE_AUTHOR("Máté Eckl <ecklm94@gmail.com>");
294 MODULE_ALIAS_NFT_EXPR("xfrm");