[mirror_ubuntu-jammy-kernel.git] / net / netfilter / nf_tables_offload.c

/* SPDX-License-Identifier: GPL-2.0 */
#include <linux/init.h>
#include <linux/module.h>
#include <linux/netfilter.h>
#include <net/flow_offload.h>
#include <net/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables_offload.h>
#include <net/pkt_cls.h>

static struct nft_flow_rule *nft_flow_rule_alloc(int num_actions)
{
	struct nft_flow_rule *flow;

	flow = kzalloc(sizeof(struct nft_flow_rule), GFP_KERNEL);
	if (!flow)
		return NULL;

	flow->rule = flow_rule_alloc(num_actions);
	if (!flow->rule) {
		kfree(flow);
		return NULL;
	}

	flow->rule->match.dissector	= &flow->match.dissector;
	flow->rule->match.mask		= &flow->match.mask;
	flow->rule->match.key		= &flow->match.key;

	return flow;
}

struct nft_flow_rule *nft_flow_rule_create(const struct nft_rule *rule)
{
	struct nft_offload_ctx ctx = {
		.dep	= {
			.type	= NFT_OFFLOAD_DEP_UNSPEC,
		},
	};
	struct nft_flow_rule *flow;
	int num_actions = 0, err;
	struct nft_expr *expr;

	expr = nft_expr_first(rule);
	while (expr->ops && expr != nft_expr_last(rule)) {
		if (expr->ops->offload_flags & NFT_OFFLOAD_F_ACTION)
			num_actions++;

		expr = nft_expr_next(expr);
	}

	flow = nft_flow_rule_alloc(num_actions);
	if (!flow)
		return ERR_PTR(-ENOMEM);

	expr = nft_expr_first(rule);
	while (expr->ops && expr != nft_expr_last(rule)) {
		if (!expr->ops->offload) {
			err = -EOPNOTSUPP;
			goto err_out;
		}
		err = expr->ops->offload(&ctx, flow, expr);
		if (err < 0)
			goto err_out;

		expr = nft_expr_next(expr);
	}
	flow->proto = ctx.dep.l3num;

	return flow;
err_out:
	nft_flow_rule_destroy(flow);

	return ERR_PTR(err);
}

void nft_flow_rule_destroy(struct nft_flow_rule *flow)
{
	kfree(flow->rule);
	kfree(flow);
}

void nft_offload_set_dependency(struct nft_offload_ctx *ctx,
				enum nft_offload_dep_type type)
{
	ctx->dep.type = type;
}

void nft_offload_update_dependency(struct nft_offload_ctx *ctx,
				   const void *data, u32 len)
{
	switch (ctx->dep.type) {
	case NFT_OFFLOAD_DEP_NETWORK:
		WARN_ON(len != sizeof(__u16));
		memcpy(&ctx->dep.l3num, data, sizeof(__u16));
		break;
	case NFT_OFFLOAD_DEP_TRANSPORT:
		WARN_ON(len != sizeof(__u8));
		memcpy(&ctx->dep.protonum, data, sizeof(__u8));
		break;
	default:
		break;
	}
	ctx->dep.type = NFT_OFFLOAD_DEP_UNSPEC;
}

static void nft_flow_offload_common_init(struct flow_cls_common_offload *common,
					 __be16 proto,
					struct netlink_ext_ack *extack)
{
	common->protocol = proto;
	common->extack = extack;
}

static int nft_setup_cb_call(struct nft_base_chain *basechain,
			     enum tc_setup_type type, void *type_data)
{
	struct flow_block_cb *block_cb;
	int err;

	list_for_each_entry(block_cb, &basechain->cb_list, list) {
		err = block_cb->cb(type, type_data, block_cb->cb_priv);
		if (err < 0)
			return err;
	}
	return 0;
}

static int nft_flow_offload_rule(struct nft_trans *trans,
				 enum flow_cls_command command)
{
	struct nft_flow_rule *flow = nft_trans_flow_rule(trans);
	struct nft_rule *rule = nft_trans_rule(trans);
	struct flow_cls_offload cls_flow = {};
	struct nft_base_chain *basechain;
	struct netlink_ext_ack extack;
	__be16 proto = ETH_P_ALL;

	if (!nft_is_base_chain(trans->ctx.chain))
		return -EOPNOTSUPP;

	basechain = nft_base_chain(trans->ctx.chain);

	if (flow)
		proto = flow->proto;

	nft_flow_offload_common_init(&cls_flow.common, proto, &extack);
	cls_flow.command = command;
	cls_flow.cookie = (unsigned long) rule;
	if (flow)
		cls_flow.rule = flow->rule;

	return nft_setup_cb_call(basechain, TC_SETUP_CLSFLOWER, &cls_flow);
}

static int nft_flow_offload_bind(struct flow_block_offload *bo,
				 struct nft_base_chain *basechain)
{
	list_splice(&bo->cb_list, &basechain->cb_list);
	return 0;
}

static int nft_flow_offload_unbind(struct flow_block_offload *bo,
				   struct nft_base_chain *basechain)
{
	struct flow_block_cb *block_cb, *next;

	list_for_each_entry_safe(block_cb, next, &bo->cb_list, list) {
		list_del(&block_cb->list);
		flow_block_cb_free(block_cb);
	}

	return 0;
}

#define FLOW_SETUP_BLOCK TC_SETUP_BLOCK

static int nft_flow_offload_chain(struct nft_trans *trans,
				  enum flow_block_command cmd)
{
	struct nft_chain *chain = trans->ctx.chain;
	struct netlink_ext_ack extack = {};
	struct flow_block_offload bo = {};
	struct nft_base_chain *basechain;
	struct net_device *dev;
	int err;

	if (!nft_is_base_chain(chain))
		return -EOPNOTSUPP;

	basechain = nft_base_chain(chain);
	dev = basechain->ops.dev;
	if (!dev || !dev->netdev_ops->ndo_setup_tc)
		return -EOPNOTSUPP;

	/* Only default policy to accept is supported for now. */
	if (cmd == FLOW_BLOCK_BIND &&
	    nft_trans_chain_policy(trans) != -1 &&
	    nft_trans_chain_policy(trans) != NF_ACCEPT)
		return -EOPNOTSUPP;

	bo.command = cmd;
	bo.binder_type = FLOW_BLOCK_BINDER_TYPE_CLSACT_INGRESS;
	bo.extack = &extack;
	INIT_LIST_HEAD(&bo.cb_list);

	err = dev->netdev_ops->ndo_setup_tc(dev, FLOW_SETUP_BLOCK, &bo);
	if (err < 0)
		return err;

	switch (cmd) {
	case FLOW_BLOCK_BIND:
		err = nft_flow_offload_bind(&bo, basechain);
		break;
	case FLOW_BLOCK_UNBIND:
		err = nft_flow_offload_unbind(&bo, basechain);
		break;
	}

	return err;
}

int nft_flow_rule_offload_commit(struct net *net)
{
	struct nft_trans *trans;
	int err = 0;

	list_for_each_entry(trans, &net->nft.commit_list, list) {
		if (trans->ctx.family != NFPROTO_NETDEV)
			continue;

		switch (trans->msg_type) {
		case NFT_MSG_NEWCHAIN:
			if (!(trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD))
				continue;

			err = nft_flow_offload_chain(trans, FLOW_BLOCK_BIND);
			break;
		case NFT_MSG_DELCHAIN:
			if (!(trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD))
				continue;

			err = nft_flow_offload_chain(trans, FLOW_BLOCK_UNBIND);
			break;
		case NFT_MSG_NEWRULE:
			if (!(trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD))
				continue;

			if (trans->ctx.flags & NLM_F_REPLACE ||
			    !(trans->ctx.flags & NLM_F_APPEND))
				return -EOPNOTSUPP;

			err = nft_flow_offload_rule(trans, FLOW_CLS_REPLACE);
			nft_flow_rule_destroy(nft_trans_flow_rule(trans));
			break;
		case NFT_MSG_DELRULE:
			if (!(trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD))
				continue;

			err = nft_flow_offload_rule(trans, FLOW_CLS_DESTROY);
			break;
		}

		if (err)
			return err;
	}

	return err;
}
Commit	Line	Data
c9626a2c PNA	1	/* SPDX-License-Identifier: GPL-2.0 */
	2	#include <linux/init.h>
	3	#include <linux/module.h>
	4	#include <linux/netfilter.h>
	5	#include <net/flow_offload.h>
	6	#include <net/netfilter/nf_tables.h>
	7	#include <net/netfilter/nf_tables_offload.h>
	8	#include <net/pkt_cls.h>
	9
	10	static struct nft_flow_rule *nft_flow_rule_alloc(int num_actions)
	11	{
	12	struct nft_flow_rule *flow;
	13
	14	flow = kzalloc(sizeof(struct nft_flow_rule), GFP_KERNEL);
	15	if (!flow)
	16	return NULL;
	17
	18	flow->rule = flow_rule_alloc(num_actions);
	19	if (!flow->rule) {
	20	kfree(flow);
	21	return NULL;
	22	}
	23
	24	flow->rule->match.dissector = &flow->match.dissector;
	25	flow->rule->match.mask = &flow->match.mask;
	26	flow->rule->match.key = &flow->match.key;
	27
	28	return flow;
	29	}
	30
	31	struct nft_flow_rule nft_flow_rule_create(const struct nft_rule rule)
	32	{
	33	struct nft_offload_ctx ctx = {
	34	.dep = {
	35	.type = NFT_OFFLOAD_DEP_UNSPEC,
	36	},
	37	};
	38	struct nft_flow_rule *flow;
	39	int num_actions = 0, err;
	40	struct nft_expr *expr;
	41
	42	expr = nft_expr_first(rule);
	43	while (expr->ops && expr != nft_expr_last(rule)) {
	44	if (expr->ops->offload_flags & NFT_OFFLOAD_F_ACTION)
	45	num_actions++;
	46
	47	expr = nft_expr_next(expr);
	48	}
	49
	50	flow = nft_flow_rule_alloc(num_actions);
	51	if (!flow)
	52	return ERR_PTR(-ENOMEM);
	53
	54	expr = nft_expr_first(rule);
	55	while (expr->ops && expr != nft_expr_last(rule)) {
	56	if (!expr->ops->offload) {
	57	err = -EOPNOTSUPP;
	58	goto err_out;
	59	}
	60	err = expr->ops->offload(&ctx, flow, expr);
	61	if (err < 0)
	62	goto err_out;
	63
	64	expr = nft_expr_next(expr);
65	}
66	flow->proto = ctx.dep.l3num;
67
68	return flow;
69	err_out:
70	nft_flow_rule_destroy(flow);
71
72	return ERR_PTR(err);
73	}
74
75	void nft_flow_rule_destroy(struct nft_flow_rule *flow)
76	{
77	kfree(flow->rule);
78	kfree(flow);
79	}
80
81	void nft_offload_set_dependency(struct nft_offload_ctx *ctx,
82	enum nft_offload_dep_type type)
83	{
84	ctx->dep.type = type;
85	}
86
87	void nft_offload_update_dependency(struct nft_offload_ctx *ctx,
88	const void *data, u32 len)
89	{
90	switch (ctx->dep.type) {
91	case NFT_OFFLOAD_DEP_NETWORK:
92	WARN_ON(len != sizeof(__u16));
93	memcpy(&ctx->dep.l3num, data, sizeof(__u16));
94	break;
95	case NFT_OFFLOAD_DEP_TRANSPORT:
96	WARN_ON(len != sizeof(__u8));
97	memcpy(&ctx->dep.protonum, data, sizeof(__u8));
98	break;
99	default:
100	break;
101	}
102	ctx->dep.type = NFT_OFFLOAD_DEP_UNSPEC;
103	}
104
105	static void nft_flow_offload_common_init(struct flow_cls_common_offload *common,
106	__be16 proto,
107	struct netlink_ext_ack *extack)
108	{
109	common->protocol = proto;
110	common->extack = extack;
111	}
112
113	static int nft_setup_cb_call(struct nft_base_chain *basechain,
114	enum tc_setup_type type, void *type_data)
115	{
116	struct flow_block_cb *block_cb;
117	int err;
118
119	list_for_each_entry(block_cb, &basechain->cb_list, list) {
120	err = block_cb->cb(type, type_data, block_cb->cb_priv);
121	if (err < 0)
122	return err;
123	}
124	return 0;
125	}
126
127	static int nft_flow_offload_rule(struct nft_trans *trans,
128	enum flow_cls_command command)
129	{
130	struct nft_flow_rule *flow = nft_trans_flow_rule(trans);
131	struct nft_rule *rule = nft_trans_rule(trans);
132	struct flow_cls_offload cls_flow = {};
133	struct nft_base_chain *basechain;
134	struct netlink_ext_ack extack;
135	__be16 proto = ETH_P_ALL;
136
137	if (!nft_is_base_chain(trans->ctx.chain))
138	return -EOPNOTSUPP;
139
140	basechain = nft_base_chain(trans->ctx.chain);
141
142	if (flow)
143	proto = flow->proto;
144
145	nft_flow_offload_common_init(&cls_flow.common, proto, &extack);
146	cls_flow.command = command;
147	cls_flow.cookie = (unsigned long) rule;
148	if (flow)
149	cls_flow.rule = flow->rule;
150
151	return nft_setup_cb_call(basechain, TC_SETUP_CLSFLOWER, &cls_flow);
152	}
153
154	static int nft_flow_offload_bind(struct flow_block_offload *bo,
155	struct nft_base_chain *basechain)
156	{
157	list_splice(&bo->cb_list, &basechain->cb_list);
158	return 0;
159	}
160
161	static int nft_flow_offload_unbind(struct flow_block_offload *bo,
162	struct nft_base_chain *basechain)
163	{
164	struct flow_block_cb block_cb, next;
165
166	list_for_each_entry_safe(block_cb, next, &bo->cb_list, list) {
167	list_del(&block_cb->list);
168	flow_block_cb_free(block_cb);
169	}
170
171	return 0;
172	}
173
174	#define FLOW_SETUP_BLOCK TC_SETUP_BLOCK
175
176	static int nft_flow_offload_chain(struct nft_trans *trans,
177	enum flow_block_command cmd)
178	{
179	struct nft_chain *chain = trans->ctx.chain;
180	struct netlink_ext_ack extack = {};
181	struct flow_block_offload bo = {};
182	struct nft_base_chain *basechain;
183	struct net_device *dev;
184	int err;
185
186	if (!nft_is_base_chain(chain))
187	return -EOPNOTSUPP;
188
189	basechain = nft_base_chain(chain);
190	dev = basechain->ops.dev;
191	if (!dev \|\| !dev->netdev_ops->ndo_setup_tc)
192	return -EOPNOTSUPP;
193
194	/* Only default policy to accept is supported for now. */
195	if (cmd == FLOW_BLOCK_BIND &&
196	nft_trans_chain_policy(trans) != -1 &&
197	nft_trans_chain_policy(trans) != NF_ACCEPT)
198	return -EOPNOTSUPP;
199
200	bo.command = cmd;
201	bo.binder_type = FLOW_BLOCK_BINDER_TYPE_CLSACT_INGRESS;
202	bo.extack = &extack;
203	INIT_LIST_HEAD(&bo.cb_list);
204
205	err = dev->netdev_ops->ndo_setup_tc(dev, FLOW_SETUP_BLOCK, &bo);
206	if (err < 0)
207	return err;
208
209	switch (cmd) {
210	case FLOW_BLOCK_BIND:
211	err = nft_flow_offload_bind(&bo, basechain);
212	break;
213	case FLOW_BLOCK_UNBIND:
214	err = nft_flow_offload_unbind(&bo, basechain);
215	break;
216	}
217
218	return err;
219	}
220
221	int nft_flow_rule_offload_commit(struct net *net)
222	{
223	struct nft_trans *trans;
224	int err = 0;
225
226	list_for_each_entry(trans, &net->nft.commit_list, list) {
227	if (trans->ctx.family != NFPROTO_NETDEV)
228	continue;
229
230	switch (trans->msg_type) {
231	case NFT_MSG_NEWCHAIN:
232	if (!(trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD))
233	continue;
234
235	err = nft_flow_offload_chain(trans, FLOW_BLOCK_BIND);
236	break;
237	case NFT_MSG_DELCHAIN:
238	if (!(trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD))
239	continue;
240
241	err = nft_flow_offload_chain(trans, FLOW_BLOCK_UNBIND);
242	break;
243	case NFT_MSG_NEWRULE:
244	if (!(trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD))
245	continue;
246
247	if (trans->ctx.flags & NLM_F_REPLACE \|\|
248	!(trans->ctx.flags & NLM_F_APPEND))
249	return -EOPNOTSUPP;
250
251	err = nft_flow_offload_rule(trans, FLOW_CLS_REPLACE);
252	nft_flow_rule_destroy(nft_trans_flow_rule(trans));
253	break;
254	case NFT_MSG_DELRULE:
255	if (!(trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD))
256	continue;
257
258	err = nft_flow_offload_rule(trans, FLOW_CLS_DESTROY);
259	break;
260	}
261
262	if (err)
263	return err;
264	}
265
266	return err;
267	}