nft_fwd_netdev.c source code [linux/net/netfilter/nft_fwd_netdev.c]

1	// SPDX-License-Identifier: GPL-2.0-only
2	/*
3	* Copyright (c) 2015 Pablo Neira Ayuso <pablo@netfilter.org>
4	*/
5
6	#include <linux/kernel.h>
7	#include <linux/init.h>
8	#include <linux/module.h>
9	#include <linux/netlink.h>
10	#include <linux/netfilter.h>
11	#include <linux/netfilter/nf_tables.h>
12	#include <linux/ip.h>
13	#include <linux/ipv6.h>
14	#include <net/netfilter/nf_tables.h>
15	#include <net/netfilter/nf_tables_offload.h>
16	#include <net/netfilter/nf_dup_netdev.h>
17	#include <net/neighbour.h>
18	#include <net/ip.h>
19
20	struct nft_fwd_netdev {
21	u8 sreg_dev;
22	};
23
24	static void nft_fwd_netdev_eval(const struct nft_expr *expr,
25	struct nft_regs *regs,
26	const struct nft_pktinfo *pkt)
27	{
28	struct nft_fwd_netdev *priv = nft_expr_priv(expr);
29	int oif = regs->data[priv->sreg_dev];
30	struct sk_buff *skb = pkt->skb;
31
32	/ This is used by ifb only. /
33	skb->skb_iif = skb->dev->ifindex;
34	skb_set_redirected(skb, from_ingress: nft_hook(pkt) == NF_NETDEV_INGRESS);
35
36	nf_fwd_netdev_egress(pkt, oif);
37	regs->verdict.code = NF_STOLEN;
38	}
39
40	static const struct nla_policy nft_fwd_netdev_policy[NFTA_FWD_MAX + `1`] = {
41	[NFTA_FWD_SREG_DEV] = { .type = NLA_U32 },
42	[NFTA_FWD_SREG_ADDR] = { .type = NLA_U32 },
43	[NFTA_FWD_NFPROTO] = NLA_POLICY_MAX(NLA_BE32, `255`),
44	};
45
46	static int nft_fwd_netdev_init(const struct nft_ctx *ctx,
47	const struct nft_expr *expr,
48	const struct nlattr * const tb[])
49	{
50	struct nft_fwd_netdev *priv = nft_expr_priv(expr);
51
52	if (tb[NFTA_FWD_SREG_DEV] == NULL)
53	return -EINVAL;
54
55	return nft_parse_register_load(attr: tb[NFTA_FWD_SREG_DEV], sreg: &priv->sreg_dev,
56	len: sizeof(int));
57	}
58
59	static int nft_fwd_netdev_dump(struct sk_buff *skb,
60	const struct nft_expr *expr, bool reset)
61	{
62	struct nft_fwd_netdev *priv = nft_expr_priv(expr);
63
64	if (nft_dump_register(skb, attr: NFTA_FWD_SREG_DEV, reg: priv->sreg_dev))
65	goto nla_put_failure;
66
67	return `0`;
68
69	nla_put_failure:
70	return -`1`;
71	}
72
73	static int nft_fwd_netdev_offload(struct nft_offload_ctx *ctx,
74	struct nft_flow_rule *flow,
75	const struct nft_expr *expr)
76	{
77	const struct nft_fwd_netdev *priv = nft_expr_priv(expr);
78	int oif = ctx->regs[priv->sreg_dev].data.data[`0`];
79
80	return nft_fwd_dup_netdev_offload(ctx, flow, id: FLOW_ACTION_REDIRECT, oif);
81	}
82
83	static bool nft_fwd_netdev_offload_action(const struct nft_expr *expr)
84	{
85	return true;
86	}
87
88	struct nft_fwd_neigh {
89	u8 sreg_dev;
90	u8 sreg_addr;
91	u8 nfproto;
92	};
93
94	static void nft_fwd_neigh_eval(const struct nft_expr *expr,
95	struct nft_regs *regs,
96	const struct nft_pktinfo *pkt)
97	{
98	struct nft_fwd_neigh *priv = nft_expr_priv(expr);
99	void *addr = &regs->data[priv->sreg_addr];
100	int oif = regs->data[priv->sreg_dev];
101	unsigned int verdict = NF_STOLEN;
102	struct sk_buff *skb = pkt->skb;
103	struct net_device *dev;
104	int neigh_table;
105
106	switch (priv->nfproto) {
107	case NFPROTO_IPV4: {
108	struct iphdr *iph;
109
110	if (skb->protocol != htons(ETH_P_IP)) {
111	verdict = NFT_BREAK;
112	goto out;
113	}
114	if (skb_try_make_writable(skb, write_len: sizeof(*iph))) {
115	verdict = NF_DROP;
116	goto out;
117	}
118	iph = ip_hdr(skb);
119	ip_decrease_ttl(iph);
120	neigh_table = NEIGH_ARP_TABLE;
121	break;
122	}
123	case NFPROTO_IPV6: {
124	struct ipv6hdr *ip6h;
125
126	if (skb->protocol != htons(ETH_P_IPV6)) {
127	verdict = NFT_BREAK;
128	goto out;
129	}
130	if (skb_try_make_writable(skb, write_len: sizeof(*ip6h))) {
131	verdict = NF_DROP;
132	goto out;
133	}
134	ip6h = ipv6_hdr(skb);
135	ip6h->hop_limit--;
136	neigh_table = NEIGH_ND_TABLE;
137	break;
138	}
139	default:
140	verdict = NFT_BREAK;
141	goto out;
142	}
143
144	dev = dev_get_by_index_rcu(net: nft_net(pkt), ifindex: oif);
145	if (dev == NULL)
146	return;
147
148	skb->dev = dev;
149	skb_clear_tstamp(skb);
150	neigh_xmit(fam: neigh_table, dev, addr, skb);
151	out:
152	regs->verdict.code = verdict;
153	}
154
155	static int nft_fwd_neigh_init(const struct nft_ctx *ctx,
156	const struct nft_expr *expr,
157	const struct nlattr * const tb[])
158	{
159	struct nft_fwd_neigh *priv = nft_expr_priv(expr);
160	unsigned int addr_len;
161	int err;
162
163	if (!tb[NFTA_FWD_SREG_DEV] \|\|
164	!tb[NFTA_FWD_SREG_ADDR] \|\|
165	!tb[NFTA_FWD_NFPROTO])
166	return -EINVAL;
167
168	priv->nfproto = ntohl(nla_get_be32(tb[NFTA_FWD_NFPROTO]));
169
170	switch (priv->nfproto) {
171	case NFPROTO_IPV4:
172	addr_len = sizeof(struct in_addr);
173	break;
174	case NFPROTO_IPV6:
175	addr_len = sizeof(struct in6_addr);
176	break;
177	default:
178	return -EOPNOTSUPP;
179	}
180
181	err = nft_parse_register_load(attr: tb[NFTA_FWD_SREG_DEV], sreg: &priv->sreg_dev,
182	len: sizeof(int));
183	if (err < `0`)
184	return err;
185
186	return nft_parse_register_load(attr: tb[NFTA_FWD_SREG_ADDR], sreg: &priv->sreg_addr,
187	len: addr_len);
188	}
189
190	static int nft_fwd_neigh_dump(struct sk_buff *skb,
191	const struct nft_expr *expr, bool reset)
192	{
193	struct nft_fwd_neigh *priv = nft_expr_priv(expr);
194
195	if (nft_dump_register(skb, attr: NFTA_FWD_SREG_DEV, reg: priv->sreg_dev) \|\|
196	nft_dump_register(skb, attr: NFTA_FWD_SREG_ADDR, reg: priv->sreg_addr) \|\|
197	nla_put_be32(skb, attrtype: NFTA_FWD_NFPROTO, htonl(priv->nfproto)))
198	goto nla_put_failure;
199
200	return `0`;
201
202	nla_put_failure:
203	return -`1`;
204	}
205
206	static int nft_fwd_validate(const struct nft_ctx *ctx,
207	const struct nft_expr *expr,
208	const struct nft_data **data)
209	{
210	return nft_chain_validate_hooks(chain: ctx->chain, hook_flags: (`1` << NF_NETDEV_INGRESS) \|
211	(`1` << NF_NETDEV_EGRESS));
212	}
213
214	static struct nft_expr_type nft_fwd_netdev_type;
215	static const struct nft_expr_ops nft_fwd_neigh_netdev_ops = {
216	.type = &nft_fwd_netdev_type,
217	.size = NFT_EXPR_SIZE(sizeof(struct nft_fwd_neigh)),
218	.eval = nft_fwd_neigh_eval,
219	.init = nft_fwd_neigh_init,
220	.dump = nft_fwd_neigh_dump,
221	.validate = nft_fwd_validate,
222	.reduce = NFT_REDUCE_READONLY,
223	};
224
225	static const struct nft_expr_ops nft_fwd_netdev_ops = {
226	.type = &nft_fwd_netdev_type,
227	.size = NFT_EXPR_SIZE(sizeof(struct nft_fwd_netdev)),
228	.eval = nft_fwd_netdev_eval,
229	.init = nft_fwd_netdev_init,
230	.dump = nft_fwd_netdev_dump,
231	.validate = nft_fwd_validate,
232	.reduce = NFT_REDUCE_READONLY,
233	.offload = nft_fwd_netdev_offload,
234	.offload_action = nft_fwd_netdev_offload_action,
235	};
236
237	static const struct nft_expr_ops *
238	nft_fwd_select_ops(const struct nft_ctx *ctx,
239	const struct nlattr * const tb[])
240	{
241	if (tb[NFTA_FWD_SREG_ADDR])
242	return &nft_fwd_neigh_netdev_ops;
243	if (tb[NFTA_FWD_SREG_DEV])
244	return &nft_fwd_netdev_ops;
245
246	return ERR_PTR(error: -EOPNOTSUPP);
247	}
248
249	static struct nft_expr_type nft_fwd_netdev_type __read_mostly = {
250	.family = NFPROTO_NETDEV,
251	.name = "fwd",
252	.select_ops = nft_fwd_select_ops,
253	.policy = nft_fwd_netdev_policy,
254	.maxattr = NFTA_FWD_MAX,
255	.owner = THIS_MODULE,
256	};
257
258	static int __init nft_fwd_netdev_module_init(void)
259	{
260	return nft_register_expr(&nft_fwd_netdev_type);
261	}
262
263	static void __exit nft_fwd_netdev_module_exit(void)
264	{
265	nft_unregister_expr(&nft_fwd_netdev_type);
266	}
267
268	module_init(nft_fwd_netdev_module_init);
269	module_exit(nft_fwd_netdev_module_exit);
270
271	MODULE_LICENSE("GPL");
272	MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
273	MODULE_DESCRIPTION("nftables netdev packet forwarding support");
274	MODULE_ALIAS_NFT_AF_EXPR(`5`, "fwd");
275

source code of linux/net/netfilter/nft_fwd_netdev.c