[mirror_ubuntu-artful-kernel.git] / net / ipv4 / netfilter / nft_fib_ipv4.c

/*
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */

#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/module.h>
#include <linux/netlink.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables_core.h>
#include <net/netfilter/nf_tables.h>
#include <net/netfilter/nft_fib.h>

#include <net/ip_fib.h>
#include <net/route.h>

/* don't try to find route from mcast/bcast/zeronet */
static __be32 get_saddr(__be32 addr)
{
	if (ipv4_is_multicast(addr) || ipv4_is_lbcast(addr) ||
	    ipv4_is_zeronet(addr))
		return 0;
	return addr;
}

#define DSCP_BITS     0xfc

void nft_fib4_eval_type(const struct nft_expr *expr, struct nft_regs *regs,
			const struct nft_pktinfo *pkt)
{
	const struct nft_fib *priv = nft_expr_priv(expr);
	u32 *dst = &regs->data[priv->dreg];
	const struct net_device *dev = NULL;
	const struct iphdr *iph;
	__be32 addr;

	if (priv->flags & NFTA_FIB_F_IIF)
		dev = nft_in(pkt);
	else if (priv->flags & NFTA_FIB_F_OIF)
		dev = nft_out(pkt);

	iph = ip_hdr(pkt->skb);
	if (priv->flags & NFTA_FIB_F_DADDR)
		addr = iph->daddr;
	else
		addr = iph->saddr;

	*dst = inet_dev_addr_type(nft_net(pkt), dev, addr);
}
EXPORT_SYMBOL_GPL(nft_fib4_eval_type);

static int get_ifindex(const struct net_device *dev)
{
	return dev ? dev->ifindex : 0;
}

void nft_fib4_eval(const struct nft_expr *expr, struct nft_regs *regs,
		   const struct nft_pktinfo *pkt)
{
	const struct nft_fib *priv = nft_expr_priv(expr);
	u32 *dest = &regs->data[priv->dreg];
	const struct iphdr *iph;
	struct fib_result res;
	struct flowi4 fl4 = {
		.flowi4_scope = RT_SCOPE_UNIVERSE,
		.flowi4_iif = LOOPBACK_IFINDEX,
	};
	const struct net_device *oif;
	struct net_device *found;
#ifdef CONFIG_IP_ROUTE_MULTIPATH
	int i;
#endif

	/*
	 * Do not set flowi4_oif, it restricts results (for example, asking
	 * for oif 3 will get RTN_UNICAST result even if the daddr exits
	 * on another interface.
	 *
	 * Search results for the desired outinterface instead.
	 */
	if (priv->flags & NFTA_FIB_F_OIF)
		oif = nft_out(pkt);
	else if (priv->flags & NFTA_FIB_F_IIF)
		oif = nft_in(pkt);
	else
		oif = NULL;

	if (nft_hook(pkt) == NF_INET_PRE_ROUTING &&
	    nft_fib_is_loopback(pkt->skb, nft_in(pkt))) {
		nft_fib_store_result(dest, priv, pkt,
				     nft_in(pkt)->ifindex);
		return;
	}

	iph = ip_hdr(pkt->skb);
	if (ipv4_is_zeronet(iph->saddr)) {
		if (ipv4_is_lbcast(iph->daddr) ||
		    ipv4_is_local_multicast(iph->daddr)) {
			nft_fib_store_result(dest, priv, pkt,
					     get_ifindex(pkt->skb->dev));
			return;
		}
	}

	if (priv->flags & NFTA_FIB_F_MARK)
		fl4.flowi4_mark = pkt->skb->mark;

	fl4.flowi4_tos = iph->tos & DSCP_BITS;

	if (priv->flags & NFTA_FIB_F_DADDR) {
		fl4.daddr = iph->daddr;
		fl4.saddr = get_saddr(iph->saddr);
	} else {
		fl4.daddr = iph->saddr;
		fl4.saddr = get_saddr(iph->daddr);
	}

	*dest = 0;

	if (fib_lookup(nft_net(pkt), &fl4, &res, FIB_LOOKUP_IGNORE_LINKSTATE))
		return;

	switch (res.type) {
	case RTN_UNICAST:
		break;
	case RTN_LOCAL: /* Should not see RTN_LOCAL here */
		return;
	default:
		break;
	}

       if (!oif) {
               found = FIB_RES_DEV(res);
               goto ok;
       }

#ifdef CONFIG_IP_ROUTE_MULTIPATH
	for (i = 0; i < res.fi->fib_nhs; i++) {
		struct fib_nh *nh = &res.fi->fib_nh[i];

		if (nh->nh_dev == oif) {
			found = nh->nh_dev;
			goto ok;
		}
	}
	return;
#else
	found = FIB_RES_DEV(res);
	if (found != oif)
		return;
#endif
ok:
	switch (priv->result) {
	case NFT_FIB_RESULT_OIF:
		*dest = found->ifindex;
		break;
	case NFT_FIB_RESULT_OIFNAME:
		strncpy((char *)dest, found->name, IFNAMSIZ);
		break;
	default:
		WARN_ON_ONCE(1);
		break;
	}
}
EXPORT_SYMBOL_GPL(nft_fib4_eval);

static struct nft_expr_type nft_fib4_type;

static const struct nft_expr_ops nft_fib4_type_ops = {
	.type		= &nft_fib4_type,
	.size		= NFT_EXPR_SIZE(sizeof(struct nft_fib)),
	.eval		= nft_fib4_eval_type,
	.init		= nft_fib_init,
	.dump		= nft_fib_dump,
	.validate	= nft_fib_validate,
};

static const struct nft_expr_ops nft_fib4_ops = {
	.type		= &nft_fib4_type,
	.size		= NFT_EXPR_SIZE(sizeof(struct nft_fib)),
	.eval		= nft_fib4_eval,
	.init		= nft_fib_init,
	.dump		= nft_fib_dump,
	.validate	= nft_fib_validate,
};

static const struct nft_expr_ops *
nft_fib4_select_ops(const struct nft_ctx *ctx,
		    const struct nlattr * const tb[])
{
	enum nft_fib_result result;

	if (!tb[NFTA_FIB_RESULT])
		return ERR_PTR(-EINVAL);

	result = ntohl(nla_get_be32(tb[NFTA_FIB_RESULT]));

	switch (result) {
	case NFT_FIB_RESULT_OIF:
		return &nft_fib4_ops;
	case NFT_FIB_RESULT_OIFNAME:
		return &nft_fib4_ops;
	case NFT_FIB_RESULT_ADDRTYPE:
		return &nft_fib4_type_ops;
	default:
		return ERR_PTR(-EOPNOTSUPP);
	}
}

static struct nft_expr_type nft_fib4_type __read_mostly = {
	.name		= "fib",
	.select_ops	= nft_fib4_select_ops,
	.policy		= nft_fib_policy,
	.maxattr	= NFTA_FIB_MAX,
	.family		= NFPROTO_IPV4,
	.owner		= THIS_MODULE,
};

static int __init nft_fib4_module_init(void)
{
	return nft_register_expr(&nft_fib4_type);
}

static void __exit nft_fib4_module_exit(void)
{
	nft_unregister_expr(&nft_fib4_type);
}

module_init(nft_fib4_module_init);
module_exit(nft_fib4_module_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Florian Westphal <fw@strlen.de>");
MODULE_ALIAS_NFT_AF_EXPR(2, "fib");
Commit	Line	Data
f6d0cbcf FW	1	/*
	2	* This program is free software; you can redistribute it and/or modify
	3	* it under the terms of the GNU General Public License version 2 as
	4	* published by the Free Software Foundation.
	5	*/
	6
	7	#include <linux/kernel.h>
	8	#include <linux/init.h>
	9	#include <linux/module.h>
	10	#include <linux/netlink.h>
	11	#include <linux/netfilter.h>
	12	#include <linux/netfilter/nf_tables.h>
	13	#include <net/netfilter/nf_tables_core.h>
	14	#include <net/netfilter/nf_tables.h>
	15	#include <net/netfilter/nft_fib.h>
	16
	17	#include <net/ip_fib.h>
	18	#include <net/route.h>
	19
	20	/* don't try to find route from mcast/bcast/zeronet */
	21	static __be32 get_saddr(__be32 addr)
	22	{
	23	if (ipv4_is_multicast(addr) \|\| ipv4_is_lbcast(addr) \|\|
	24	ipv4_is_zeronet(addr))
	25	return 0;
	26	return addr;
	27	}
	28
f6d0cbcf FW	29	#define DSCP_BITS 0xfc
	30
	31	void nft_fib4_eval_type(const struct nft_expr expr, struct nft_regs regs,
	32	const struct nft_pktinfo *pkt)
	33	{
	34	const struct nft_fib *priv = nft_expr_priv(expr);
	35	u32 *dst = &regs->data[priv->dreg];
	36	const struct net_device *dev = NULL;
	37	const struct iphdr *iph;
	38	__be32 addr;
	39
	40	if (priv->flags & NFTA_FIB_F_IIF)
0e5a1c7e	41	dev = nft_in(pkt);
f6d0cbcf	42	else if (priv->flags & NFTA_FIB_F_OIF)
0e5a1c7e	43	dev = nft_out(pkt);
f6d0cbcf FW	44
	45	iph = ip_hdr(pkt->skb);
	46	if (priv->flags & NFTA_FIB_F_DADDR)
	47	addr = iph->daddr;
	48	else
	49	addr = iph->saddr;
	50
0e5a1c7e	51	*dst = inet_dev_addr_type(nft_net(pkt), dev, addr);
f6d0cbcf FW	52	}
	53	EXPORT_SYMBOL_GPL(nft_fib4_eval_type);
	54
	55	static int get_ifindex(const struct net_device *dev)
	56	{
	57	return dev ? dev->ifindex : 0;
	58	}
	59
	60	void nft_fib4_eval(const struct nft_expr expr, struct nft_regs regs,
	61	const struct nft_pktinfo *pkt)
	62	{
	63	const struct nft_fib *priv = nft_expr_priv(expr);
	64	u32 *dest = &regs->data[priv->dreg];
	65	const struct iphdr *iph;
	66	struct fib_result res;
	67	struct flowi4 fl4 = {
	68	.flowi4_scope = RT_SCOPE_UNIVERSE,
	69	.flowi4_iif = LOOPBACK_IFINDEX,
	70	};
	71	const struct net_device *oif;
	72	struct net_device *found;
	73	#ifdef CONFIG_IP_ROUTE_MULTIPATH
	74	int i;
	75	#endif
	76
	77	/*
	78	* Do not set flowi4_oif, it restricts results (for example, asking
	79	* for oif 3 will get RTN_UNICAST result even if the daddr exits
	80	* on another interface.
	81	*
	82	* Search results for the desired outinterface instead.
	83	*/
	84	if (priv->flags & NFTA_FIB_F_OIF)
0e5a1c7e	85	oif = nft_out(pkt);
f6d0cbcf	86	else if (priv->flags & NFTA_FIB_F_IIF)
0e5a1c7e	87	oif = nft_in(pkt);
f6d0cbcf FW	88	else
	89	oif = NULL;
	90
6443ebc3 LZ	91	if (nft_hook(pkt) == NF_INET_PRE_ROUTING &&
6443ebc3 LZ	92	nft_fib_is_loopback(pkt->skb, nft_in(pkt))) {
055c4b34	93	nft_fib_store_result(dest, priv, pkt,
6443ebc3	94	nft_in(pkt)->ifindex);
f6d0cbcf FW	95	return;
	96	}
	97
	98	iph = ip_hdr(pkt->skb);
3b760dcb LZ	99	if (ipv4_is_zeronet(iph->saddr)) {
	100	if (ipv4_is_lbcast(iph->daddr) \|\|
	101	ipv4_is_local_multicast(iph->daddr)) {
055c4b34	102	nft_fib_store_result(dest, priv, pkt,
3b760dcb LZ	103	get_ifindex(pkt->skb->dev));
	104	return;
	105	}
f6d0cbcf FW	106	}
	107
	108	if (priv->flags & NFTA_FIB_F_MARK)
	109	fl4.flowi4_mark = pkt->skb->mark;
	110
	111	fl4.flowi4_tos = iph->tos & DSCP_BITS;
	112
	113	if (priv->flags & NFTA_FIB_F_DADDR) {
	114	fl4.daddr = iph->daddr;
	115	fl4.saddr = get_saddr(iph->saddr);
	116	} else {
	117	fl4.daddr = iph->saddr;
	118	fl4.saddr = get_saddr(iph->daddr);
	119	}
	120
e0ffdbc7 LZ	121	*dest = 0;
e0ffdbc7 LZ	122
0e5a1c7e	123	if (fib_lookup(nft_net(pkt), &fl4, &res, FIB_LOOKUP_IGNORE_LINKSTATE))
f6d0cbcf FW	124	return;
	125
	126	switch (res.type) {
	127	case RTN_UNICAST:
	128	break;
6443ebc3	129	case RTN_LOCAL: /* Should not see RTN_LOCAL here */
f6d0cbcf FW	130	return;
	131	default:
	132	break;
	133	}
	134
	135	if (!oif) {
	136	found = FIB_RES_DEV(res);
	137	goto ok;
	138	}
	139
	140	#ifdef CONFIG_IP_ROUTE_MULTIPATH
	141	for (i = 0; i < res.fi->fib_nhs; i++) {
	142	struct fib_nh *nh = &res.fi->fib_nh[i];
	143
	144	if (nh->nh_dev == oif) {
	145	found = nh->nh_dev;
	146	goto ok;
	147	}
	148	}
	149	return;
	150	#else
	151	found = FIB_RES_DEV(res);
	152	if (found != oif)
	153	return;
	154	#endif
	155	ok:
	156	switch (priv->result) {
	157	case NFT_FIB_RESULT_OIF:
	158	*dest = found->ifindex;
	159	break;
	160	case NFT_FIB_RESULT_OIFNAME:
	161	strncpy((char *)dest, found->name, IFNAMSIZ);
	162	break;
	163	default:
	164	WARN_ON_ONCE(1);
	165	break;
	166	}
	167	}
	168	EXPORT_SYMBOL_GPL(nft_fib4_eval);
	169
	170	static struct nft_expr_type nft_fib4_type;
	171
	172	static const struct nft_expr_ops nft_fib4_type_ops = {
	173	.type = &nft_fib4_type,
	174	.size = NFT_EXPR_SIZE(sizeof(struct nft_fib)),
	175	.eval = nft_fib4_eval_type,
	176	.init = nft_fib_init,
	177	.dump = nft_fib_dump,
	178	.validate = nft_fib_validate,
	179	};
	180
	181	static const struct nft_expr_ops nft_fib4_ops = {
	182	.type = &nft_fib4_type,
	183	.size = NFT_EXPR_SIZE(sizeof(struct nft_fib)),
	184	.eval = nft_fib4_eval,
	185	.init = nft_fib_init,
	186	.dump = nft_fib_dump,
	187	.validate = nft_fib_validate,
	188	};
	189
	190	static const struct nft_expr_ops *
	191	nft_fib4_select_ops(const struct nft_ctx *ctx,
	192	const struct nlattr * const tb[])
	193	{
194	enum nft_fib_result result;
195
196	if (!tb[NFTA_FIB_RESULT])
197	return ERR_PTR(-EINVAL);
198
11583438	199	result = ntohl(nla_get_be32(tb[NFTA_FIB_RESULT]));
f6d0cbcf FW	200
	201	switch (result) {
	202	case NFT_FIB_RESULT_OIF:
	203	return &nft_fib4_ops;
	204	case NFT_FIB_RESULT_OIFNAME:
	205	return &nft_fib4_ops;
	206	case NFT_FIB_RESULT_ADDRTYPE:
	207	return &nft_fib4_type_ops;
	208	default:
	209	return ERR_PTR(-EOPNOTSUPP);
	210	}
	211	}
	212
	213	static struct nft_expr_type nft_fib4_type __read_mostly = {
	214	.name = "fib",
d4ef3835	215	.select_ops = nft_fib4_select_ops,
f6d0cbcf FW	216	.policy = nft_fib_policy,
	217	.maxattr = NFTA_FIB_MAX,
	218	.family = NFPROTO_IPV4,
	219	.owner = THIS_MODULE,
	220	};
	221
	222	static int __init nft_fib4_module_init(void)
	223	{
	224	return nft_register_expr(&nft_fib4_type);
	225	}
	226
	227	static void __exit nft_fib4_module_exit(void)
	228	{
	229	nft_unregister_expr(&nft_fib4_type);
	230	}
	231
	232	module_init(nft_fib4_module_init);
	233	module_exit(nft_fib4_module_exit);
	234	MODULE_LICENSE("GPL");
	235	MODULE_AUTHOR("Florian Westphal <fw@strlen.de>");
	236	MODULE_ALIAS_NFT_AF_EXPR(2, "fib");