1 // SPDX-License-Identifier: GPL-2.0-only
4 * Generic part shared by ipv4 and ipv6 backends.
7 #include <linux/kernel.h>
8 #include <linux/init.h>
9 #include <linux/module.h>
10 #include <linux/netlink.h>
11 #include <linux/netfilter.h>
12 #include <linux/netfilter/nf_tables.h>
13 #include <net/netfilter/nf_tables_core.h>
14 #include <net/netfilter/nf_tables.h>
18 static const struct nla_policy nft_xfrm_policy[NFTA_XFRM_MAX + 1] = {
19 [NFTA_XFRM_KEY] = { .type = NLA_U32 },
20 [NFTA_XFRM_DIR] = { .type = NLA_U8 },
21 [NFTA_XFRM_SPNUM] = { .type = NLA_U32 },
22 [NFTA_XFRM_DREG] = { .type = NLA_U32 },
26 enum nft_xfrm_keys key:8;
32 static int nft_xfrm_get_init(const struct nft_ctx *ctx,
33 const struct nft_expr *expr,
34 const struct nlattr * const tb[])
36 struct nft_xfrm *priv = nft_expr_priv(expr);
41 if (!tb[NFTA_XFRM_KEY] || !tb[NFTA_XFRM_DIR] || !tb[NFTA_XFRM_DREG])
44 switch (ctx->family) {
53 priv->key = ntohl(nla_get_u32(tb[NFTA_XFRM_KEY]));
55 case NFT_XFRM_KEY_REQID:
56 case NFT_XFRM_KEY_SPI:
59 case NFT_XFRM_KEY_DADDR_IP4:
60 case NFT_XFRM_KEY_SADDR_IP4:
61 len = sizeof(struct in_addr);
63 case NFT_XFRM_KEY_DADDR_IP6:
64 case NFT_XFRM_KEY_SADDR_IP6:
65 len = sizeof(struct in6_addr);
71 dir = nla_get_u8(tb[NFTA_XFRM_DIR]);
81 if (tb[NFTA_XFRM_SPNUM])
82 spnum = ntohl(nla_get_be32(tb[NFTA_XFRM_SPNUM]));
84 if (spnum >= XFRM_MAX_DEPTH)
89 return nft_parse_register_store(ctx, tb[NFTA_XFRM_DREG], &priv->dreg,
90 NULL, NFT_DATA_VALUE, len);
93 /* Return true if key asks for daddr/saddr and current
94 * state does have a valid address (BEET, TUNNEL).
96 static bool xfrm_state_addr_ok(enum nft_xfrm_keys k, u8 family, u8 mode)
99 case NFT_XFRM_KEY_DADDR_IP4:
100 case NFT_XFRM_KEY_SADDR_IP4:
101 if (family == NFPROTO_IPV4)
104 case NFT_XFRM_KEY_DADDR_IP6:
105 case NFT_XFRM_KEY_SADDR_IP6:
106 if (family == NFPROTO_IPV6)
113 return mode == XFRM_MODE_BEET || mode == XFRM_MODE_TUNNEL;
116 static void nft_xfrm_state_get_key(const struct nft_xfrm *priv,
117 struct nft_regs *regs,
118 const struct xfrm_state *state)
120 u32 *dest = ®s->data[priv->dreg];
122 if (!xfrm_state_addr_ok(priv->key,
124 state->props.mode)) {
125 regs->verdict.code = NFT_BREAK;
130 case NFT_XFRM_KEY_UNSPEC:
131 case __NFT_XFRM_KEY_MAX:
134 case NFT_XFRM_KEY_DADDR_IP4:
135 *dest = state->id.daddr.a4;
137 case NFT_XFRM_KEY_DADDR_IP6:
138 memcpy(dest, &state->id.daddr.in6, sizeof(struct in6_addr));
140 case NFT_XFRM_KEY_SADDR_IP4:
141 *dest = state->props.saddr.a4;
143 case NFT_XFRM_KEY_SADDR_IP6:
144 memcpy(dest, &state->props.saddr.in6, sizeof(struct in6_addr));
146 case NFT_XFRM_KEY_REQID:
147 *dest = state->props.reqid;
149 case NFT_XFRM_KEY_SPI:
150 *dest = state->id.spi;
154 regs->verdict.code = NFT_BREAK;
157 static void nft_xfrm_get_eval_in(const struct nft_xfrm *priv,
158 struct nft_regs *regs,
159 const struct nft_pktinfo *pkt)
161 const struct sec_path *sp = skb_sec_path(pkt->skb);
162 const struct xfrm_state *state;
164 if (sp == NULL || sp->len <= priv->spnum) {
165 regs->verdict.code = NFT_BREAK;
169 state = sp->xvec[priv->spnum];
170 nft_xfrm_state_get_key(priv, regs, state);
173 static void nft_xfrm_get_eval_out(const struct nft_xfrm *priv,
174 struct nft_regs *regs,
175 const struct nft_pktinfo *pkt)
177 const struct dst_entry *dst = skb_dst(pkt->skb);
180 for (i = 0; dst && dst->xfrm;
181 dst = ((const struct xfrm_dst *)dst)->child, i++) {
185 nft_xfrm_state_get_key(priv, regs, dst->xfrm);
189 regs->verdict.code = NFT_BREAK;
192 static void nft_xfrm_get_eval(const struct nft_expr *expr,
193 struct nft_regs *regs,
194 const struct nft_pktinfo *pkt)
196 const struct nft_xfrm *priv = nft_expr_priv(expr);
200 nft_xfrm_get_eval_in(priv, regs, pkt);
202 case XFRM_POLICY_OUT:
203 nft_xfrm_get_eval_out(priv, regs, pkt);
207 regs->verdict.code = NFT_BREAK;
212 static int nft_xfrm_get_dump(struct sk_buff *skb,
213 const struct nft_expr *expr)
215 const struct nft_xfrm *priv = nft_expr_priv(expr);
217 if (nft_dump_register(skb, NFTA_XFRM_DREG, priv->dreg))
220 if (nla_put_be32(skb, NFTA_XFRM_KEY, htonl(priv->key)))
222 if (nla_put_u8(skb, NFTA_XFRM_DIR, priv->dir))
224 if (nla_put_be32(skb, NFTA_XFRM_SPNUM, htonl(priv->spnum)))
230 static int nft_xfrm_validate(const struct nft_ctx *ctx, const struct nft_expr *expr,
231 const struct nft_data **data)
233 const struct nft_xfrm *priv = nft_expr_priv(expr);
238 hooks = (1 << NF_INET_FORWARD) |
239 (1 << NF_INET_LOCAL_IN) |
240 (1 << NF_INET_PRE_ROUTING);
242 case XFRM_POLICY_OUT:
243 hooks = (1 << NF_INET_FORWARD) |
244 (1 << NF_INET_LOCAL_OUT) |
245 (1 << NF_INET_POST_ROUTING);
252 return nft_chain_validate_hooks(ctx->chain, hooks);
256 static struct nft_expr_type nft_xfrm_type;
257 static const struct nft_expr_ops nft_xfrm_get_ops = {
258 .type = &nft_xfrm_type,
259 .size = NFT_EXPR_SIZE(sizeof(struct nft_xfrm)),
260 .eval = nft_xfrm_get_eval,
261 .init = nft_xfrm_get_init,
262 .dump = nft_xfrm_get_dump,
263 .validate = nft_xfrm_validate,
266 static struct nft_expr_type nft_xfrm_type __read_mostly = {
268 .ops = &nft_xfrm_get_ops,
269 .policy = nft_xfrm_policy,
270 .maxattr = NFTA_XFRM_MAX,
271 .owner = THIS_MODULE,
274 static int __init nft_xfrm_module_init(void)
276 return nft_register_expr(&nft_xfrm_type);
279 static void __exit nft_xfrm_module_exit(void)
281 nft_unregister_expr(&nft_xfrm_type);
284 module_init(nft_xfrm_module_init);
285 module_exit(nft_xfrm_module_exit);
287 MODULE_LICENSE("GPL");
288 MODULE_DESCRIPTION("nf_tables: xfrm/IPSec matching");
289 MODULE_AUTHOR("Florian Westphal <fw@strlen.de>");
290 MODULE_AUTHOR("Máté Eckl <ecklm94@gmail.com>");
291 MODULE_ALIAS_NFT_EXPR("xfrm");
projects / linux-2.6-microblaze.git / blob