1 // SPDX-License-Identifier: GPL-2.0-only
3 * Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
4 * Copyright (c) 2014 Intel Corporation
5 * Author: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com>
7 * Development of this code funded by Astaro AG (http://www.astaro.com/)
10 #include <linux/kernel.h>
11 #include <linux/netlink.h>
12 #include <linux/netfilter.h>
13 #include <linux/netfilter/nf_tables.h>
16 #include <linux/ipv6.h>
17 #include <linux/smp.h>
18 #include <linux/static_key.h>
21 #include <net/tcp_states.h> /* for TCP_TIME_WAIT */
22 #include <net/netfilter/nf_tables.h>
23 #include <net/netfilter/nf_tables_core.h>
25 #include <uapi/linux/netfilter_bridge.h> /* NF_BR_PRE_ROUTING */
28 enum nft_meta_keys key:8;
30 enum nft_registers dreg:8;
31 enum nft_registers sreg:8;
35 static DEFINE_PER_CPU(struct rnd_state, nft_prandom_state);
37 #ifdef CONFIG_NF_TABLES_BRIDGE
38 #include "../bridge/br_private.h"
41 void nft_meta_get_eval(const struct nft_expr *expr,
42 struct nft_regs *regs,
43 const struct nft_pktinfo *pkt)
45 const struct nft_meta *priv = nft_expr_priv(expr);
46 const struct sk_buff *skb = pkt->skb;
47 const struct net_device *in = nft_in(pkt), *out = nft_out(pkt);
49 u32 *dest = ®s->data[priv->dreg];
50 #ifdef CONFIG_NF_TABLES_BRIDGE
51 const struct net_bridge_port *p;
58 case NFT_META_PROTOCOL:
59 nft_reg_store16(dest, (__force u16)skb->protocol);
61 case NFT_META_NFPROTO:
62 nft_reg_store8(dest, nft_pf(pkt));
64 case NFT_META_L4PROTO:
67 nft_reg_store8(dest, pkt->tprot);
69 case NFT_META_PRIORITY:
70 *dest = skb->priority;
85 case NFT_META_IIFNAME:
88 strncpy((char *)dest, in->name, IFNAMSIZ);
90 case NFT_META_OIFNAME:
93 strncpy((char *)dest, out->name, IFNAMSIZ);
95 case NFT_META_IIFTYPE:
98 nft_reg_store16(dest, in->type);
100 case NFT_META_OIFTYPE:
103 nft_reg_store16(dest, out->type);
106 sk = skb_to_full_sk(skb);
107 if (!sk || !sk_fullsock(sk) ||
108 !net_eq(nft_net(pkt), sock_net(sk)))
111 read_lock_bh(&sk->sk_callback_lock);
112 if (sk->sk_socket == NULL ||
113 sk->sk_socket->file == NULL) {
114 read_unlock_bh(&sk->sk_callback_lock);
118 *dest = from_kuid_munged(&init_user_ns,
119 sk->sk_socket->file->f_cred->fsuid);
120 read_unlock_bh(&sk->sk_callback_lock);
123 sk = skb_to_full_sk(skb);
124 if (!sk || !sk_fullsock(sk) ||
125 !net_eq(nft_net(pkt), sock_net(sk)))
128 read_lock_bh(&sk->sk_callback_lock);
129 if (sk->sk_socket == NULL ||
130 sk->sk_socket->file == NULL) {
131 read_unlock_bh(&sk->sk_callback_lock);
134 *dest = from_kgid_munged(&init_user_ns,
135 sk->sk_socket->file->f_cred->fsgid);
136 read_unlock_bh(&sk->sk_callback_lock);
138 #ifdef CONFIG_IP_ROUTE_CLASSID
139 case NFT_META_RTCLASSID: {
140 const struct dst_entry *dst = skb_dst(skb);
144 *dest = dst->tclassid;
148 #ifdef CONFIG_NETWORK_SECMARK
149 case NFT_META_SECMARK:
150 *dest = skb->secmark;
153 case NFT_META_PKTTYPE:
154 if (skb->pkt_type != PACKET_LOOPBACK) {
155 nft_reg_store8(dest, skb->pkt_type);
159 switch (nft_pf(pkt)) {
161 if (ipv4_is_multicast(ip_hdr(skb)->daddr))
162 nft_reg_store8(dest, PACKET_MULTICAST);
164 nft_reg_store8(dest, PACKET_BROADCAST);
167 nft_reg_store8(dest, PACKET_MULTICAST);
170 switch (skb->protocol) {
171 case htons(ETH_P_IP): {
172 int noff = skb_network_offset(skb);
173 struct iphdr *iph, _iph;
175 iph = skb_header_pointer(skb, noff,
176 sizeof(_iph), &_iph);
180 if (ipv4_is_multicast(iph->daddr))
181 nft_reg_store8(dest, PACKET_MULTICAST);
183 nft_reg_store8(dest, PACKET_BROADCAST);
187 case htons(ETH_P_IPV6):
188 nft_reg_store8(dest, PACKET_MULTICAST);
201 *dest = raw_smp_processor_id();
203 case NFT_META_IIFGROUP:
208 case NFT_META_OIFGROUP:
213 #ifdef CONFIG_CGROUP_NET_CLASSID
214 case NFT_META_CGROUP:
215 sk = skb_to_full_sk(skb);
216 if (!sk || !sk_fullsock(sk) ||
217 !net_eq(nft_net(pkt), sock_net(sk)))
219 *dest = sock_cgroup_classid(&sk->sk_cgrp_data);
222 case NFT_META_PRANDOM: {
223 struct rnd_state *state = this_cpu_ptr(&nft_prandom_state);
224 *dest = prandom_u32_state(state);
228 case NFT_META_SECPATH:
229 nft_reg_store8(dest, secpath_exists(skb));
232 #ifdef CONFIG_NF_TABLES_BRIDGE
233 case NFT_META_BRI_IIFNAME:
234 if (in == NULL || (p = br_port_get_rcu(in)) == NULL)
236 strncpy((char *)dest, p->br->dev->name, IFNAMSIZ);
238 case NFT_META_BRI_OIFNAME:
239 if (out == NULL || (p = br_port_get_rcu(out)) == NULL)
241 strncpy((char *)dest, p->br->dev->name, IFNAMSIZ);
244 case NFT_META_IIFKIND:
245 if (in == NULL || in->rtnl_link_ops == NULL)
247 strncpy((char *)dest, in->rtnl_link_ops->kind, IFNAMSIZ);
249 case NFT_META_OIFKIND:
250 if (out == NULL || out->rtnl_link_ops == NULL)
252 strncpy((char *)dest, out->rtnl_link_ops->kind, IFNAMSIZ);
261 regs->verdict.code = NFT_BREAK;
264 static void nft_meta_set_eval(const struct nft_expr *expr,
265 struct nft_regs *regs,
266 const struct nft_pktinfo *pkt)
268 const struct nft_meta *meta = nft_expr_priv(expr);
269 struct sk_buff *skb = pkt->skb;
270 u32 *sreg = ®s->data[meta->sreg];
278 case NFT_META_PRIORITY:
279 skb->priority = value;
281 case NFT_META_PKTTYPE:
282 value8 = nft_reg_load8(sreg);
284 if (skb->pkt_type != value8 &&
285 skb_pkt_type_ok(value8) &&
286 skb_pkt_type_ok(skb->pkt_type))
287 skb->pkt_type = value8;
289 case NFT_META_NFTRACE:
290 value8 = nft_reg_load8(sreg);
292 skb->nf_trace = !!value8;
294 #ifdef CONFIG_NETWORK_SECMARK
295 case NFT_META_SECMARK:
296 skb->secmark = value;
304 static const struct nla_policy nft_meta_policy[NFTA_META_MAX + 1] = {
305 [NFTA_META_DREG] = { .type = NLA_U32 },
306 [NFTA_META_KEY] = { .type = NLA_U32 },
307 [NFTA_META_SREG] = { .type = NLA_U32 },
310 static int nft_meta_get_init(const struct nft_ctx *ctx,
311 const struct nft_expr *expr,
312 const struct nlattr * const tb[])
314 struct nft_meta *priv = nft_expr_priv(expr);
317 priv->key = ntohl(nla_get_be32(tb[NFTA_META_KEY]));
319 case NFT_META_PROTOCOL:
320 case NFT_META_IIFTYPE:
321 case NFT_META_OIFTYPE:
324 case NFT_META_NFPROTO:
325 case NFT_META_L4PROTO:
327 case NFT_META_PRIORITY:
333 #ifdef CONFIG_IP_ROUTE_CLASSID
334 case NFT_META_RTCLASSID:
336 #ifdef CONFIG_NETWORK_SECMARK
337 case NFT_META_SECMARK:
339 case NFT_META_PKTTYPE:
341 case NFT_META_IIFGROUP:
342 case NFT_META_OIFGROUP:
343 #ifdef CONFIG_CGROUP_NET_CLASSID
344 case NFT_META_CGROUP:
348 case NFT_META_IIFNAME:
349 case NFT_META_OIFNAME:
350 case NFT_META_IIFKIND:
351 case NFT_META_OIFKIND:
354 case NFT_META_PRANDOM:
355 prandom_init_once(&nft_prandom_state);
359 case NFT_META_SECPATH:
363 #ifdef CONFIG_NF_TABLES_BRIDGE
364 case NFT_META_BRI_IIFNAME:
365 case NFT_META_BRI_OIFNAME:
366 if (ctx->family != NFPROTO_BRIDGE)
375 priv->dreg = nft_parse_register(tb[NFTA_META_DREG]);
376 return nft_validate_register_store(ctx, priv->dreg, NULL,
377 NFT_DATA_VALUE, len);
380 static int nft_meta_get_validate(const struct nft_ctx *ctx,
381 const struct nft_expr *expr,
382 const struct nft_data **data)
385 const struct nft_meta *priv = nft_expr_priv(expr);
388 if (priv->key != NFT_META_SECPATH)
391 switch (ctx->family) {
393 hooks = 1 << NF_NETDEV_INGRESS;
398 hooks = (1 << NF_INET_PRE_ROUTING) |
399 (1 << NF_INET_LOCAL_IN) |
400 (1 << NF_INET_FORWARD);
406 return nft_chain_validate_hooks(ctx->chain, hooks);
412 static int nft_meta_set_validate(const struct nft_ctx *ctx,
413 const struct nft_expr *expr,
414 const struct nft_data **data)
416 struct nft_meta *priv = nft_expr_priv(expr);
419 if (priv->key != NFT_META_PKTTYPE)
422 switch (ctx->family) {
424 hooks = 1 << NF_BR_PRE_ROUTING;
427 hooks = 1 << NF_NETDEV_INGRESS;
432 hooks = 1 << NF_INET_PRE_ROUTING;
438 return nft_chain_validate_hooks(ctx->chain, hooks);
441 static int nft_meta_set_init(const struct nft_ctx *ctx,
442 const struct nft_expr *expr,
443 const struct nlattr * const tb[])
445 struct nft_meta *priv = nft_expr_priv(expr);
449 priv->key = ntohl(nla_get_be32(tb[NFTA_META_KEY]));
452 case NFT_META_PRIORITY:
453 #ifdef CONFIG_NETWORK_SECMARK
454 case NFT_META_SECMARK:
458 case NFT_META_NFTRACE:
461 case NFT_META_PKTTYPE:
468 priv->sreg = nft_parse_register(tb[NFTA_META_SREG]);
469 err = nft_validate_register_load(priv->sreg, len);
473 if (priv->key == NFT_META_NFTRACE)
474 static_branch_inc(&nft_trace_enabled);
479 static int nft_meta_get_dump(struct sk_buff *skb,
480 const struct nft_expr *expr)
482 const struct nft_meta *priv = nft_expr_priv(expr);
484 if (nla_put_be32(skb, NFTA_META_KEY, htonl(priv->key)))
485 goto nla_put_failure;
486 if (nft_dump_register(skb, NFTA_META_DREG, priv->dreg))
487 goto nla_put_failure;
494 static int nft_meta_set_dump(struct sk_buff *skb, const struct nft_expr *expr)
496 const struct nft_meta *priv = nft_expr_priv(expr);
498 if (nla_put_be32(skb, NFTA_META_KEY, htonl(priv->key)))
499 goto nla_put_failure;
500 if (nft_dump_register(skb, NFTA_META_SREG, priv->sreg))
501 goto nla_put_failure;
509 static void nft_meta_set_destroy(const struct nft_ctx *ctx,
510 const struct nft_expr *expr)
512 const struct nft_meta *priv = nft_expr_priv(expr);
514 if (priv->key == NFT_META_NFTRACE)
515 static_branch_dec(&nft_trace_enabled);
518 static const struct nft_expr_ops nft_meta_get_ops = {
519 .type = &nft_meta_type,
520 .size = NFT_EXPR_SIZE(sizeof(struct nft_meta)),
521 .eval = nft_meta_get_eval,
522 .init = nft_meta_get_init,
523 .dump = nft_meta_get_dump,
524 .validate = nft_meta_get_validate,
527 static const struct nft_expr_ops nft_meta_set_ops = {
528 .type = &nft_meta_type,
529 .size = NFT_EXPR_SIZE(sizeof(struct nft_meta)),
530 .eval = nft_meta_set_eval,
531 .init = nft_meta_set_init,
532 .destroy = nft_meta_set_destroy,
533 .dump = nft_meta_set_dump,
534 .validate = nft_meta_set_validate,
537 static const struct nft_expr_ops *
538 nft_meta_select_ops(const struct nft_ctx *ctx,
539 const struct nlattr * const tb[])
541 if (tb[NFTA_META_KEY] == NULL)
542 return ERR_PTR(-EINVAL);
544 if (tb[NFTA_META_DREG] && tb[NFTA_META_SREG])
545 return ERR_PTR(-EINVAL);
547 if (tb[NFTA_META_DREG])
548 return &nft_meta_get_ops;
550 if (tb[NFTA_META_SREG])
551 return &nft_meta_set_ops;
553 return ERR_PTR(-EINVAL);
556 struct nft_expr_type nft_meta_type __read_mostly = {
558 .select_ops = nft_meta_select_ops,
559 .policy = nft_meta_policy,
560 .maxattr = NFTA_META_MAX,
561 .owner = THIS_MODULE,
564 #ifdef CONFIG_NETWORK_SECMARK
570 static const struct nla_policy nft_secmark_policy[NFTA_SECMARK_MAX + 1] = {
571 [NFTA_SECMARK_CTX] = { .type = NLA_STRING, .len = NFT_SECMARK_CTX_MAXLEN },
574 static int nft_secmark_compute_secid(struct nft_secmark *priv)
579 err = security_secctx_to_secid(priv->ctx, strlen(priv->ctx), &tmp_secid);
586 err = security_secmark_relabel_packet(tmp_secid);
590 priv->secid = tmp_secid;
594 static void nft_secmark_obj_eval(struct nft_object *obj, struct nft_regs *regs,
595 const struct nft_pktinfo *pkt)
597 const struct nft_secmark *priv = nft_obj_data(obj);
598 struct sk_buff *skb = pkt->skb;
600 skb->secmark = priv->secid;
603 static int nft_secmark_obj_init(const struct nft_ctx *ctx,
604 const struct nlattr * const tb[],
605 struct nft_object *obj)
607 struct nft_secmark *priv = nft_obj_data(obj);
610 if (tb[NFTA_SECMARK_CTX] == NULL)
613 priv->ctx = nla_strdup(tb[NFTA_SECMARK_CTX], GFP_KERNEL);
617 err = nft_secmark_compute_secid(priv);
623 security_secmark_refcount_inc();
628 static int nft_secmark_obj_dump(struct sk_buff *skb, struct nft_object *obj,
631 struct nft_secmark *priv = nft_obj_data(obj);
634 if (nla_put_string(skb, NFTA_SECMARK_CTX, priv->ctx))
638 err = nft_secmark_compute_secid(priv);
646 static void nft_secmark_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj)
648 struct nft_secmark *priv = nft_obj_data(obj);
650 security_secmark_refcount_dec();
655 static const struct nft_object_ops nft_secmark_obj_ops = {
656 .type = &nft_secmark_obj_type,
657 .size = sizeof(struct nft_secmark),
658 .init = nft_secmark_obj_init,
659 .eval = nft_secmark_obj_eval,
660 .dump = nft_secmark_obj_dump,
661 .destroy = nft_secmark_obj_destroy,
663 struct nft_object_type nft_secmark_obj_type __read_mostly = {
664 .type = NFT_OBJECT_SECMARK,
665 .ops = &nft_secmark_obj_ops,
666 .maxattr = NFTA_SECMARK_MAX,
667 .policy = nft_secmark_policy,
668 .owner = THIS_MODULE,
670 #endif /* CONFIG_NETWORK_SECMARK */
projects / linux.git / blob