// SPDX-License-Identifier: GPL-2.0-only
/*
 * Copyright (c) 2015 Pablo Neira Ayuso <pablo@netfilter.org>
 */
5 | |
6 | #include <linux/kernel.h> |
7 | #include <linux/init.h> |
8 | #include <linux/module.h> |
9 | #include <linux/netlink.h> |
10 | #include <linux/netfilter.h> |
11 | #include <linux/netfilter/nf_tables.h> |
12 | #include <linux/ip.h> |
13 | #include <linux/ipv6.h> |
14 | #include <net/netfilter/nf_tables.h> |
15 | #include <net/netfilter/nf_tables_offload.h> |
16 | #include <net/netfilter/nf_dup_netdev.h> |
17 | #include <net/neighbour.h> |
18 | #include <net/ip.h> |
19 | |
/*
 * Private data of the plain "fwd" expression: the packet is handed to
 * another netdev as-is (see nft_fwd_netdev_eval()).
 */
struct nft_fwd_netdev {
	u8 sreg_dev;	/* source register holding the output ifindex */
};
23 | |
/*
 * nft_fwd_netdev_eval - forward the packet to the interface named in a register
 * @expr:	the "fwd" expression (private data: struct nft_fwd_netdev)
 * @regs:	register file; the ifindex is read from priv->sreg_dev and the
 *		verdict is written back
 * @pkt:	packet info for the packet being evaluated
 *
 * The register index was accepted by nft_parse_register_load() at init time;
 * presumably it is bounds-checked there (confirm in nf_tables_api.c), since
 * nothing is re-checked on this hot path. The skb is handed to
 * nf_fwd_netdev_egress() and the verdict is NF_STOLEN, so the ruleset does not
 * see the packet again regardless of what the egress helper does with an
 * unknown ifindex (its handling of a bad oif is not visible from here).
 */
static void nft_fwd_netdev_eval(const struct nft_expr *expr,
				struct nft_regs *regs,
				const struct nft_pktinfo *pkt)
{
	const struct nft_fwd_netdev *priv = nft_expr_priv(expr);
	struct sk_buff *skb = pkt->skb;
	bool from_ingress = nft_hook(pkt) == NF_NETDEV_INGRESS;
	int oif;

	oif = regs->data[priv->sreg_dev];

	/* Only ifb consumes skb_iif; record the incoming interface for it. */
	skb->skb_iif = skb->dev->ifindex;
	skb_set_redirected(skb, from_ingress);

	nf_fwd_netdev_egress(pkt, oif);
	regs->verdict.code = NF_STOLEN;
}
39 | |
/*
 * Netlink attribute policy for "fwd". NFTA_FWD_NFPROTO is capped at 255 so the
 * value always fits the u8 nfproto field of struct nft_fwd_neigh; the register
 * attributes are further validated by nft_parse_register_load() in the init
 * callbacks.
 */
static const struct nla_policy nft_fwd_netdev_policy[NFTA_FWD_MAX + 1] = {
	[NFTA_FWD_SREG_DEV]	= { .type = NLA_U32 },
	[NFTA_FWD_SREG_ADDR]	= { .type = NLA_U32 },
	[NFTA_FWD_NFPROTO]	= NLA_POLICY_MAX(NLA_BE32, 255),
};
45 | |
/*
 * nft_fwd_netdev_init - parse the netlink attributes of a plain "fwd" expression
 * @ctx:	expression context (unused here)
 * @expr:	expression whose private data is filled in
 * @tb:		parsed attributes, indexed by NFTA_FWD_*
 *
 * Return: 0 on success, -EINVAL when NFTA_FWD_SREG_DEV is missing, otherwise
 * whatever nft_parse_register_load() returns for the device register.
 */
static int nft_fwd_netdev_init(const struct nft_ctx *ctx,
			       const struct nft_expr *expr,
			       const struct nlattr * const tb[])
{
	struct nft_fwd_netdev *priv = nft_expr_priv(expr);
	const struct nlattr *dev_attr = tb[NFTA_FWD_SREG_DEV];

	if (!dev_attr)
		return -EINVAL;

	/* The register is read as an int (ifindex) in the eval path. */
	return nft_parse_register_load(dev_attr, &priv->sreg_dev, sizeof(int));
}
58 | |
/*
 * nft_fwd_netdev_dump - emit the plain "fwd" expression to netlink
 * @skb:	netlink message being built
 * @expr:	expression to dump
 * @reset:	unused; there are no counters to reset
 *
 * Return: 0 on success, -1 if the register attribute did not fit (the usual
 * nla_put failure convention).
 */
static int nft_fwd_netdev_dump(struct sk_buff *skb,
			       const struct nft_expr *expr, bool reset)
{
	const struct nft_fwd_netdev *priv = nft_expr_priv(expr);
	int err;

	err = nft_dump_register(skb, NFTA_FWD_SREG_DEV, priv->sreg_dev);

	return err ? -1 : 0;
}
72 | |
/*
 * nft_fwd_netdev_offload - translate "fwd" into a hardware redirect action
 * @ctx:	offload context; the ifindex is taken from the tracked register
 *		contents rather than from a live packet
 * @flow:	flow rule the action is appended to
 * @expr:	the "fwd" expression
 *
 * Return: result of nft_fwd_dup_netdev_offload() for FLOW_ACTION_REDIRECT.
 */
static int nft_fwd_netdev_offload(struct nft_offload_ctx *ctx,
				  struct nft_flow_rule *flow,
				  const struct nft_expr *expr)
{
	const struct nft_fwd_netdev *priv = nft_expr_priv(expr);
	u8 sreg = priv->sreg_dev;
	int oif;

	/* Offload sees the register value recorded at rule-build time. */
	oif = ctx->regs[sreg].data.data[0];

	return nft_fwd_dup_netdev_offload(ctx, flow, FLOW_ACTION_REDIRECT, oif);
}
82 | |
/*
 * nft_fwd_netdev_offload_action - report that "fwd" is an action, not a match
 * @expr:	unused; the answer does not depend on the expression contents
 *
 * Return: always true.
 */
static bool nft_fwd_netdev_offload_action(const struct nft_expr *expr)
{
	(void)expr;

	return true;
}
87 | |
/*
 * Private data of the "fwd" expression in its neighbour form: the packet is
 * transmitted to a given next-hop address via the ARP or ND table
 * (see nft_fwd_neigh_eval()).
 */
struct nft_fwd_neigh {
	u8 sreg_dev;	/* source register holding the output ifindex */
	u8 sreg_addr;	/* source register holding the next-hop IPv4/IPv6 address */
	u8 nfproto;	/* NFPROTO_IPV4 or NFPROTO_IPV6; enforced by init */
};
93 | |
/*
 * nft_fwd_neigh_eval - decrement the hop count and transmit to a neighbour
 * @expr:	the "fwd" expression (private data: struct nft_fwd_neigh)
 * @regs:	register file; ifindex and next-hop address are read from it,
 *		the verdict is written back
 * @pkt:	packet info for the packet being evaluated
 *
 * Verdicts:
 *   NFT_BREAK  - the packet's protocol does not match priv->nfproto (or the
 *                configured nfproto is unsupported); the rule stops matching.
 *   NF_DROP    - the network header could not be made writable.
 *   NF_STOLEN  - the packet was handed to neigh_xmit().
 *
 * If the output interface does not exist the function returns early WITHOUT
 * setting a verdict, although the TTL / hop limit has already been decremented
 * at that point; the ruleset continues with the modified header. This matches
 * the original control flow and is preserved here.
 *
 * NOTE(review): neither branch checks the TTL / hop limit before decrementing.
 * Both fields are 8-bit, so a packet arriving with a value of 0 leaves with
 * 255 — confirm whether the netdev hook path guarantees this cannot happen.
 */
static void nft_fwd_neigh_eval(const struct nft_expr *expr,
			       struct nft_regs *regs,
			       const struct nft_pktinfo *pkt)
{
	const struct nft_fwd_neigh *priv = nft_expr_priv(expr);
	struct sk_buff *skb = pkt->skb;
	void *nexthop = &regs->data[priv->sreg_addr];
	int oif = regs->data[priv->sreg_dev];
	unsigned int code = NF_STOLEN;
	struct net_device *dev;
	int tbl;

	if (priv->nfproto == NFPROTO_IPV4) {
		struct iphdr *iph;

		if (skb->protocol != htons(ETH_P_IP)) {
			code = NFT_BREAK;
			goto out;
		}
		/* Header must be linear and private before it is modified. */
		if (skb_try_make_writable(skb, sizeof(*iph))) {
			code = NF_DROP;
			goto out;
		}
		iph = ip_hdr(skb);
		ip_decrease_ttl(iph);	/* also fixes up the IPv4 checksum */
		tbl = NEIGH_ARP_TABLE;
	} else if (priv->nfproto == NFPROTO_IPV6) {
		struct ipv6hdr *ip6h;

		if (skb->protocol != htons(ETH_P_IPV6)) {
			code = NFT_BREAK;
			goto out;
		}
		if (skb_try_make_writable(skb, sizeof(*ip6h))) {
			code = NF_DROP;
			goto out;
		}
		ip6h = ipv6_hdr(skb);
		ip6h->hop_limit--;	/* no checksum covers the IPv6 header */
		tbl = NEIGH_ND_TABLE;
	} else {
		code = NFT_BREAK;
		goto out;
	}

	dev = dev_get_by_index_rcu(nft_net(pkt), oif);
	if (!dev)
		return;	/* verdict intentionally left untouched */

	skb->dev = dev;
	skb_clear_tstamp(skb);
	neigh_xmit(tbl, dev, nexthop, skb);
out:
	regs->verdict.code = code;
}
154 | |
/*
 * nft_fwd_neigh_init - parse the netlink attributes of a neighbour "fwd"
 * @ctx:	expression context (unused here)
 * @expr:	expression whose private data is filled in
 * @tb:		parsed attributes, indexed by NFTA_FWD_*
 *
 * All three attributes (device register, address register, nfproto) are
 * mandatory. nfproto is stored in a u8; the policy caps the attribute at 255
 * so the ntohl() result is not truncated, and only IPv4/IPv6 are accepted.
 * The address register length depends on the family so that the register
 * range check covers the whole address.
 *
 * Return: 0 on success, -EINVAL for a missing attribute, -EOPNOTSUPP for an
 * unsupported family, otherwise the error from nft_parse_register_load().
 */
static int nft_fwd_neigh_init(const struct nft_ctx *ctx,
			      const struct nft_expr *expr,
			      const struct nlattr * const tb[])
{
	struct nft_fwd_neigh *priv = nft_expr_priv(expr);
	const struct nlattr *dev_attr = tb[NFTA_FWD_SREG_DEV];
	const struct nlattr *addr_attr = tb[NFTA_FWD_SREG_ADDR];
	const struct nlattr *proto_attr = tb[NFTA_FWD_NFPROTO];
	unsigned int addr_len;
	int err;

	if (!dev_attr || !addr_attr || !proto_attr)
		return -EINVAL;

	priv->nfproto = ntohl(nla_get_be32(proto_attr));

	if (priv->nfproto == NFPROTO_IPV4)
		addr_len = sizeof(struct in_addr);
	else if (priv->nfproto == NFPROTO_IPV6)
		addr_len = sizeof(struct in6_addr);
	else
		return -EOPNOTSUPP;

	err = nft_parse_register_load(dev_attr, &priv->sreg_dev, sizeof(int));
	if (err < 0)
		return err;

	return nft_parse_register_load(addr_attr, &priv->sreg_addr, addr_len);
}
189 | |
/*
 * nft_fwd_neigh_dump - emit the neighbour "fwd" expression to netlink
 * @skb:	netlink message being built
 * @expr:	expression to dump
 * @reset:	unused; there are no counters to reset
 *
 * Attributes are written in the same order init consumes them; the first
 * failing put aborts the dump.
 *
 * Return: 0 on success, -1 if any attribute did not fit.
 */
static int nft_fwd_neigh_dump(struct sk_buff *skb,
			      const struct nft_expr *expr, bool reset)
{
	const struct nft_fwd_neigh *priv = nft_expr_priv(expr);

	if (nft_dump_register(skb, NFTA_FWD_SREG_DEV, priv->sreg_dev))
		return -1;
	if (nft_dump_register(skb, NFTA_FWD_SREG_ADDR, priv->sreg_addr))
		return -1;
	if (nla_put_be32(skb, NFTA_FWD_NFPROTO, htonl(priv->nfproto)))
		return -1;

	return 0;
}
205 | |
/*
 * nft_fwd_validate - restrict "fwd" to netdev ingress and egress chains
 * @ctx:	expression context; ctx->chain is the chain being validated
 * @expr:	unused
 * @data:	unused
 *
 * Both eval paths rely on skb->dev and on being invoked from a netdev-family
 * hook, so any other hook location is rejected.
 *
 * Return: result of nft_chain_validate_hooks() for the allowed hook mask.
 */
static int nft_fwd_validate(const struct nft_ctx *ctx,
			    const struct nft_expr *expr,
			    const struct nft_data **data)
{
	unsigned int allowed_hooks = (1 << NF_NETDEV_INGRESS) |
				     (1 << NF_NETDEV_EGRESS);

	return nft_chain_validate_hooks(ctx->chain, allowed_hooks);
}
213 | |
/* Forward declaration: both ops tables point back at the expression type. */
static struct nft_expr_type nft_fwd_netdev_type;

/*
 * Ops for the neighbour form ("fwd" with a next-hop address): selected by
 * nft_fwd_select_ops() when NFTA_FWD_SREG_ADDR is present. Not offloadable.
 */
static const struct nft_expr_ops nft_fwd_neigh_netdev_ops = {
	.type		= &nft_fwd_netdev_type,
	.size		= NFT_EXPR_SIZE(sizeof(struct nft_fwd_neigh)),
	.eval		= nft_fwd_neigh_eval,
	.init		= nft_fwd_neigh_init,
	.dump		= nft_fwd_neigh_dump,
	.validate	= nft_fwd_validate,
	.reduce		= NFT_REDUCE_READONLY,
};
224 | |
/*
 * Ops for the plain form ("fwd" to a device only): selected when only
 * NFTA_FWD_SREG_DEV is present. This form can be offloaded as a redirect.
 */
static const struct nft_expr_ops nft_fwd_netdev_ops = {
	.type		= &nft_fwd_netdev_type,
	.size		= NFT_EXPR_SIZE(sizeof(struct nft_fwd_netdev)),
	.eval		= nft_fwd_netdev_eval,
	.init		= nft_fwd_netdev_init,
	.dump		= nft_fwd_netdev_dump,
	.validate	= nft_fwd_validate,
	.reduce		= NFT_REDUCE_READONLY,
	.offload	= nft_fwd_netdev_offload,
	.offload_action	= nft_fwd_netdev_offload_action,
};
236 | |
/*
 * nft_fwd_select_ops - pick the ops table from the attributes supplied
 * @ctx:	expression context (unused)
 * @tb:		parsed attributes, indexed by NFTA_FWD_*
 *
 * An address register selects the neighbour form; a device register alone
 * selects the plain form. The neighbour form additionally requires
 * NFTA_FWD_NFPROTO, which its init callback enforces.
 *
 * Return: the ops table, or ERR_PTR(-EOPNOTSUPP) if neither register is given.
 */
static const struct nft_expr_ops *
nft_fwd_select_ops(const struct nft_ctx *ctx,
		   const struct nlattr * const tb[])
{
	const struct nft_expr_ops *ops = ERR_PTR(-EOPNOTSUPP);

	if (tb[NFTA_FWD_SREG_ADDR])
		ops = &nft_fwd_neigh_netdev_ops;
	else if (tb[NFTA_FWD_SREG_DEV])
		ops = &nft_fwd_netdev_ops;

	return ops;
}
248 | |
/*
 * The "fwd" expression type, registered for the netdev family only. The
 * policy and maxattr bound what userspace may pass; select_ops then chooses
 * between the plain and neighbour ops tables.
 */
static struct nft_expr_type nft_fwd_netdev_type __read_mostly = {
	.family		= NFPROTO_NETDEV,
	.name		= "fwd",
	.select_ops	= nft_fwd_select_ops,
	.policy		= nft_fwd_netdev_policy,
	.maxattr	= NFTA_FWD_MAX,
	.owner		= THIS_MODULE,
};
257 | |
/*
 * nft_fwd_netdev_module_init - register the "fwd" expression type
 *
 * Return: 0 on success or the error from nft_register_expr().
 */
static int __init nft_fwd_netdev_module_init(void)
{
	int err;

	err = nft_register_expr(&nft_fwd_netdev_type);

	return err;
}
262 | |
/*
 * nft_fwd_netdev_module_exit - unregister the "fwd" expression type
 */
static void __exit nft_fwd_netdev_module_exit(void)
{
	struct nft_expr_type *type = &nft_fwd_netdev_type;

	nft_unregister_expr(type);
}
267 | |
module_init(nft_fwd_netdev_module_init);
module_exit(nft_fwd_netdev_module_exit);

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
MODULE_DESCRIPTION("nftables netdev packet forwarding support");
/* Autoload this module for the "fwd" expression in family 5 (netdev). */
MODULE_ALIAS_NFT_AF_EXPR(5, "fwd");
275 | |