[mirror_ubuntu-bionic-kernel.git] / net / netfilter / nft_exthdr.c

/*
 * Copyright (c) 2008 Patrick McHardy <kaber@trash.net>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 *
 * Development of this code funded by Astaro AG (http://www.astaro.com/)
 */

#include <asm/unaligned.h>
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/module.h>
#include <linux/netlink.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables.h>
#include <net/tcp.h>

struct nft_exthdr {
	u8			type;
	u8			offset;
	u8			len;
	u8			op;
	enum nft_registers	dreg:8;
	enum nft_registers	sreg:8;
	u8			flags;
};

static unsigned int optlen(const u8 *opt, unsigned int offset)
{
	/* Beware zero-length options: make finite progress */
	if (opt[offset] <= TCPOPT_NOP || opt[offset + 1] == 0)
		return 1;
	else
		return opt[offset + 1];
}

static void nft_exthdr_ipv6_eval(const struct nft_expr *expr,
				 struct nft_regs *regs,
				 const struct nft_pktinfo *pkt)
{
	struct nft_exthdr *priv = nft_expr_priv(expr);
	u32 *dest = &regs->data[priv->dreg];
	unsigned int offset = 0;
	int err;

	err = ipv6_find_hdr(pkt->skb, &offset, priv->type, NULL, NULL);
	if (priv->flags & NFT_EXTHDR_F_PRESENT) {
		*dest = (err >= 0);
		return;
	} else if (err < 0) {
		goto err;
	}
	offset += priv->offset;

	dest[priv->len / NFT_REG32_SIZE] = 0;
	if (skb_copy_bits(pkt->skb, offset, dest, priv->len) < 0)
		goto err;
	return;
err:
	regs->verdict.code = NFT_BREAK;
}

static void *
nft_tcp_header_pointer(const struct nft_pktinfo *pkt,
		       unsigned int len, void *buffer, unsigned int *tcphdr_len)
{
	struct tcphdr *tcph;

	if (!pkt->tprot_set || pkt->tprot != IPPROTO_TCP)
		return NULL;

	tcph = skb_header_pointer(pkt->skb, pkt->xt.thoff, sizeof(*tcph), buffer);
	if (!tcph)
		return NULL;

	*tcphdr_len = __tcp_hdrlen(tcph);
	if (*tcphdr_len < sizeof(*tcph) || *tcphdr_len > len)
		return NULL;

	return skb_header_pointer(pkt->skb, pkt->xt.thoff, *tcphdr_len, buffer);
}

static void nft_exthdr_tcp_eval(const struct nft_expr *expr,
				struct nft_regs *regs,
				const struct nft_pktinfo *pkt)
{
	u8 buff[sizeof(struct tcphdr) + MAX_TCP_OPTION_SPACE];
	struct nft_exthdr *priv = nft_expr_priv(expr);
	unsigned int i, optl, tcphdr_len, offset;
	u32 *dest = &regs->data[priv->dreg];
	struct tcphdr *tcph;
	u8 *opt;

	tcph = nft_tcp_header_pointer(pkt, sizeof(buff), buff, &tcphdr_len);
	if (!tcph)
		goto err;

	opt = (u8 *)tcph;
	for (i = sizeof(*tcph); i < tcphdr_len - 1; i += optl) {
		optl = optlen(opt, i);

		if (priv->type != opt[i])
			continue;

		if (i + optl > tcphdr_len || priv->len + priv->offset > optl)
			goto err;

		offset = i + priv->offset;
		if (priv->flags & NFT_EXTHDR_F_PRESENT) {
			*dest = 1;
		} else {
			dest[priv->len / NFT_REG32_SIZE] = 0;
			memcpy(dest, opt + offset, priv->len);
		}

		return;
	}

err:
	if (priv->flags & NFT_EXTHDR_F_PRESENT)
		*dest = 0;
	else
		regs->verdict.code = NFT_BREAK;
}

static void nft_exthdr_tcp_set_eval(const struct nft_expr *expr,
				    struct nft_regs *regs,
				    const struct nft_pktinfo *pkt)
{
	u8 buff[sizeof(struct tcphdr) + MAX_TCP_OPTION_SPACE];
	struct nft_exthdr *priv = nft_expr_priv(expr);
	unsigned int i, optl, tcphdr_len, offset;
	struct tcphdr *tcph;
	u8 *opt;
	u32 src;

	tcph = nft_tcp_header_pointer(pkt, sizeof(buff), buff, &tcphdr_len);
	if (!tcph)
		return;

	opt = (u8 *)tcph;
	for (i = sizeof(*tcph); i < tcphdr_len - 1; i += optl) {
		union {
			u8 octet;
			__be16 v16;
			__be32 v32;
		} old, new;

		optl = optlen(opt, i);

		if (priv->type != opt[i])
			continue;

		if (i + optl > tcphdr_len || priv->len + priv->offset > optl)
			return;

		if (!skb_make_writable(pkt->skb, pkt->xt.thoff + i + priv->len))
			return;

		tcph = nft_tcp_header_pointer(pkt, sizeof(buff), buff,
					      &tcphdr_len);
		if (!tcph)
			return;

		src = regs->data[priv->sreg];
		offset = i + priv->offset;

		switch (priv->len) {
		case 2:
			old.v16 = get_unaligned((u16 *)(opt + offset));
			new.v16 = src;

			switch (priv->type) {
			case TCPOPT_MSS:
				/* increase can cause connection to stall */
				if (ntohs(old.v16) <= ntohs(new.v16))
					return;
			break;
			}

			if (old.v16 == new.v16)
				return;

			put_unaligned(new.v16, (u16*)(opt + offset));
			inet_proto_csum_replace2(&tcph->check, pkt->skb,
						 old.v16, new.v16, false);
			break;
		case 4:
			new.v32 = src;
			old.v32 = get_unaligned((u32 *)(opt + offset));

			if (old.v32 == new.v32)
				return;

			put_unaligned(new.v32, (u32*)(opt + offset));
			inet_proto_csum_replace4(&tcph->check, pkt->skb,
						 old.v32, new.v32, false);
			break;
		default:
			WARN_ON_ONCE(1);
			break;
		}

		return;
	}
}

static const struct nla_policy nft_exthdr_policy[NFTA_EXTHDR_MAX + 1] = {
	[NFTA_EXTHDR_DREG]		= { .type = NLA_U32 },
	[NFTA_EXTHDR_TYPE]		= { .type = NLA_U8 },
	[NFTA_EXTHDR_OFFSET]		= { .type = NLA_U32 },
	[NFTA_EXTHDR_LEN]		= { .type = NLA_U32 },
	[NFTA_EXTHDR_FLAGS]		= { .type = NLA_U32 },
	[NFTA_EXTHDR_OP]		= { .type = NLA_U32 },
	[NFTA_EXTHDR_SREG]		= { .type = NLA_U32 },
};

static int nft_exthdr_init(const struct nft_ctx *ctx,
			   const struct nft_expr *expr,
			   const struct nlattr * const tb[])
{
	struct nft_exthdr *priv = nft_expr_priv(expr);
	u32 offset, len, flags = 0, op = NFT_EXTHDR_OP_IPV6;
	int err;

	if (!tb[NFTA_EXTHDR_DREG] ||
	    !tb[NFTA_EXTHDR_TYPE] ||
	    !tb[NFTA_EXTHDR_OFFSET] ||
	    !tb[NFTA_EXTHDR_LEN])
		return -EINVAL;

	err = nft_parse_u32_check(tb[NFTA_EXTHDR_OFFSET], U8_MAX, &offset);
	if (err < 0)
		return err;

	err = nft_parse_u32_check(tb[NFTA_EXTHDR_LEN], U8_MAX, &len);
	if (err < 0)
		return err;

	if (tb[NFTA_EXTHDR_FLAGS]) {
		err = nft_parse_u32_check(tb[NFTA_EXTHDR_FLAGS], U8_MAX, &flags);
		if (err < 0)
			return err;

		if (flags & ~NFT_EXTHDR_F_PRESENT)
			return -EINVAL;
	}

	if (tb[NFTA_EXTHDR_OP]) {
		err = nft_parse_u32_check(tb[NFTA_EXTHDR_OP], U8_MAX, &op);
		if (err < 0)
			return err;
	}

	priv->type   = nla_get_u8(tb[NFTA_EXTHDR_TYPE]);
	priv->offset = offset;
	priv->len    = len;
	priv->dreg   = nft_parse_register(tb[NFTA_EXTHDR_DREG]);
	priv->flags  = flags;
	priv->op     = op;

	return nft_validate_register_store(ctx, priv->dreg, NULL,
					   NFT_DATA_VALUE, priv->len);
}

static int nft_exthdr_tcp_set_init(const struct nft_ctx *ctx,
				   const struct nft_expr *expr,
				   const struct nlattr * const tb[])
{
	struct nft_exthdr *priv = nft_expr_priv(expr);
	u32 offset, len, flags = 0, op = NFT_EXTHDR_OP_IPV6;
	int err;

	if (!tb[NFTA_EXTHDR_SREG] ||
	    !tb[NFTA_EXTHDR_TYPE] ||
	    !tb[NFTA_EXTHDR_OFFSET] ||
	    !tb[NFTA_EXTHDR_LEN])
		return -EINVAL;

	if (tb[NFTA_EXTHDR_DREG] || tb[NFTA_EXTHDR_FLAGS])
		return -EINVAL;

	err = nft_parse_u32_check(tb[NFTA_EXTHDR_OFFSET], U8_MAX, &offset);
	if (err < 0)
		return err;

	err = nft_parse_u32_check(tb[NFTA_EXTHDR_LEN], U8_MAX, &len);
	if (err < 0)
		return err;

	if (offset < 2)
		return -EOPNOTSUPP;

	switch (len) {
	case 2: break;
	case 4: break;
	default:
		return -EOPNOTSUPP;
	}

	err = nft_parse_u32_check(tb[NFTA_EXTHDR_OP], U8_MAX, &op);
	if (err < 0)
		return err;

	priv->type   = nla_get_u8(tb[NFTA_EXTHDR_TYPE]);
	priv->offset = offset;
	priv->len    = len;
	priv->sreg   = nft_parse_register(tb[NFTA_EXTHDR_SREG]);
	priv->flags  = flags;
	priv->op     = op;

	return nft_validate_register_load(priv->sreg, priv->len);
}

static int nft_exthdr_dump_common(struct sk_buff *skb, const struct nft_exthdr *priv)
{
	if (nla_put_u8(skb, NFTA_EXTHDR_TYPE, priv->type))
		goto nla_put_failure;
	if (nla_put_be32(skb, NFTA_EXTHDR_OFFSET, htonl(priv->offset)))
		goto nla_put_failure;
	if (nla_put_be32(skb, NFTA_EXTHDR_LEN, htonl(priv->len)))
		goto nla_put_failure;
	if (nla_put_be32(skb, NFTA_EXTHDR_FLAGS, htonl(priv->flags)))
		goto nla_put_failure;
	if (nla_put_be32(skb, NFTA_EXTHDR_OP, htonl(priv->op)))
		goto nla_put_failure;
	return 0;

nla_put_failure:
	return -1;
}

static int nft_exthdr_dump(struct sk_buff *skb, const struct nft_expr *expr)
{
	const struct nft_exthdr *priv = nft_expr_priv(expr);

	if (nft_dump_register(skb, NFTA_EXTHDR_DREG, priv->dreg))
		return -1;

	return nft_exthdr_dump_common(skb, priv);
}

static int nft_exthdr_dump_set(struct sk_buff *skb, const struct nft_expr *expr)
{
	const struct nft_exthdr *priv = nft_expr_priv(expr);

	if (nft_dump_register(skb, NFTA_EXTHDR_SREG, priv->sreg))
		return -1;

	return nft_exthdr_dump_common(skb, priv);
}

static struct nft_expr_type nft_exthdr_type;
static const struct nft_expr_ops nft_exthdr_ipv6_ops = {
	.type		= &nft_exthdr_type,
	.size		= NFT_EXPR_SIZE(sizeof(struct nft_exthdr)),
	.eval		= nft_exthdr_ipv6_eval,
	.init		= nft_exthdr_init,
	.dump		= nft_exthdr_dump,
};

static const struct nft_expr_ops nft_exthdr_tcp_ops = {
	.type		= &nft_exthdr_type,
	.size		= NFT_EXPR_SIZE(sizeof(struct nft_exthdr)),
	.eval		= nft_exthdr_tcp_eval,
	.init		= nft_exthdr_init,
	.dump		= nft_exthdr_dump,
};

static const struct nft_expr_ops nft_exthdr_tcp_set_ops = {
	.type		= &nft_exthdr_type,
	.size		= NFT_EXPR_SIZE(sizeof(struct nft_exthdr)),
	.eval		= nft_exthdr_tcp_set_eval,
	.init		= nft_exthdr_tcp_set_init,
	.dump		= nft_exthdr_dump_set,
};

static const struct nft_expr_ops *
nft_exthdr_select_ops(const struct nft_ctx *ctx,
		      const struct nlattr * const tb[])
{
	u32 op;

	if (!tb[NFTA_EXTHDR_OP])
		return &nft_exthdr_ipv6_ops;

	if (tb[NFTA_EXTHDR_SREG] && tb[NFTA_EXTHDR_DREG])
		return ERR_PTR(-EOPNOTSUPP);

	op = ntohl(nla_get_be32(tb[NFTA_EXTHDR_OP]));
	switch (op) {
	case NFT_EXTHDR_OP_TCPOPT:
		if (tb[NFTA_EXTHDR_SREG])
			return &nft_exthdr_tcp_set_ops;
		if (tb[NFTA_EXTHDR_DREG])
			return &nft_exthdr_tcp_ops;
		break;
	case NFT_EXTHDR_OP_IPV6:
		if (tb[NFTA_EXTHDR_DREG])
			return &nft_exthdr_ipv6_ops;
		break;
	}

	return ERR_PTR(-EOPNOTSUPP);
}

static struct nft_expr_type nft_exthdr_type __read_mostly = {
	.name		= "exthdr",
	.select_ops	= nft_exthdr_select_ops,
	.policy		= nft_exthdr_policy,
	.maxattr	= NFTA_EXTHDR_MAX,
	.owner		= THIS_MODULE,
};

static int __init nft_exthdr_module_init(void)
{
	return nft_register_expr(&nft_exthdr_type);
}

static void __exit nft_exthdr_module_exit(void)
{
	nft_unregister_expr(&nft_exthdr_type);
}

module_init(nft_exthdr_module_init);
module_exit(nft_exthdr_module_exit);

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_ALIAS_NFT_EXPR("exthdr");
Commit	Line	Data
96518518 PM	1	/*
	2	* Copyright (c) 2008 Patrick McHardy <kaber@trash.net>
	3	*
	4	* This program is free software; you can redistribute it and/or modify
	5	* it under the terms of the GNU General Public License version 2 as
	6	* published by the Free Software Foundation.
	7	*
	8	* Development of this code funded by Astaro AG (http://www.astaro.com/)
	9	*/
	10
99d1712b	11	#include <asm/unaligned.h>
96518518 PM	12	#include <linux/kernel.h>
	13	#include <linux/init.h>
	14	#include <linux/module.h>
	15	#include <linux/netlink.h>
	16	#include <linux/netfilter.h>
	17	#include <linux/netfilter/nf_tables.h>
	18	#include <net/netfilter/nf_tables.h>
935b7f64	19	#include <net/tcp.h>
96518518 PM	20
	21	struct nft_exthdr {
	22	u8 type;
	23	u8 offset;
	24	u8 len;
935b7f64	25	u8 op;
96518518	26	enum nft_registers dreg:8;
99d1712b	27	enum nft_registers sreg:8;
c078ca3b	28	u8 flags;
96518518 PM	29	};
96518518 PM	30
935b7f64 MM	31	static unsigned int optlen(const u8 *opt, unsigned int offset)
	32	{
	33	/* Beware zero-length options: make finite progress */
	34	if (opt[offset] <= TCPOPT_NOP \|\| opt[offset + 1] == 0)
	35	return 1;
	36	else
	37	return opt[offset + 1];
	38	}
	39
	40	static void nft_exthdr_ipv6_eval(const struct nft_expr *expr,
	41	struct nft_regs *regs,
	42	const struct nft_pktinfo *pkt)
96518518 PM	43	{
96518518 PM	44	struct nft_exthdr *priv = nft_expr_priv(expr);
49499c3e	45	u32 *dest = &regs->data[priv->dreg];
540436c8	46	unsigned int offset = 0;
96518518 PM	47	int err;
	48
	49	err = ipv6_find_hdr(pkt->skb, &offset, priv->type, NULL, NULL);
c078ca3b PS	50	if (priv->flags & NFT_EXTHDR_F_PRESENT) {
	51	*dest = (err >= 0);
	52	return;
	53	} else if (err < 0) {
96518518	54	goto err;
c078ca3b	55	}
96518518 PM	56	offset += priv->offset;
96518518 PM	57
49499c3e	58	dest[priv->len / NFT_REG32_SIZE] = 0;
fad136ea	59	if (skb_copy_bits(pkt->skb, offset, dest, priv->len) < 0)
96518518 PM	60	goto err;
	61	return;
	62	err:
a55e22e9	63	regs->verdict.code = NFT_BREAK;
96518518 PM	64	}
96518518 PM	65
a1817700 FW	66	static void *
	67	nft_tcp_header_pointer(const struct nft_pktinfo *pkt,
	68	unsigned int len, void buffer, unsigned int tcphdr_len)
	69	{
	70	struct tcphdr *tcph;
	71
	72	if (!pkt->tprot_set \|\| pkt->tprot != IPPROTO_TCP)
	73	return NULL;
	74
	75	tcph = skb_header_pointer(pkt->skb, pkt->xt.thoff, sizeof(*tcph), buffer);
	76	if (!tcph)
	77	return NULL;
	78
	79	*tcphdr_len = __tcp_hdrlen(tcph);
	80	if (tcphdr_len < sizeof(tcph) \|\| *tcphdr_len > len)
	81	return NULL;
	82
	83	return skb_header_pointer(pkt->skb, pkt->xt.thoff, *tcphdr_len, buffer);
	84	}
	85
935b7f64 MM	86	static void nft_exthdr_tcp_eval(const struct nft_expr *expr,
	87	struct nft_regs *regs,
	88	const struct nft_pktinfo *pkt)
	89	{
	90	u8 buff[sizeof(struct tcphdr) + MAX_TCP_OPTION_SPACE];
	91	struct nft_exthdr *priv = nft_expr_priv(expr);
	92	unsigned int i, optl, tcphdr_len, offset;
	93	u32 *dest = &regs->data[priv->dreg];
	94	struct tcphdr *tcph;
	95	u8 *opt;
	96
a1817700	97	tcph = nft_tcp_header_pointer(pkt, sizeof(buff), buff, &tcphdr_len);
935b7f64 MM	98	if (!tcph)
	99	goto err;
	100
	101	opt = (u8 *)tcph;
	102	for (i = sizeof(*tcph); i < tcphdr_len - 1; i += optl) {
	103	optl = optlen(opt, i);
	104
	105	if (priv->type != opt[i])
	106	continue;
	107
	108	if (i + optl > tcphdr_len \|\| priv->len + priv->offset > optl)
	109	goto err;
	110
	111	offset = i + priv->offset;
3c1fece8 PS	112	if (priv->flags & NFT_EXTHDR_F_PRESENT) {
	113	*dest = 1;
	114	} else {
	115	dest[priv->len / NFT_REG32_SIZE] = 0;
	116	memcpy(dest, opt + offset, priv->len);
	117	}
935b7f64 MM	118
	119	return;
	120	}
	121
	122	err:
3c1fece8 PS	123	if (priv->flags & NFT_EXTHDR_F_PRESENT)
	124	*dest = 0;
	125	else
	126	regs->verdict.code = NFT_BREAK;
935b7f64 MM	127	}
935b7f64 MM	128
99d1712b FW	129	static void nft_exthdr_tcp_set_eval(const struct nft_expr *expr,
	130	struct nft_regs *regs,
	131	const struct nft_pktinfo *pkt)
	132	{
	133	u8 buff[sizeof(struct tcphdr) + MAX_TCP_OPTION_SPACE];
	134	struct nft_exthdr *priv = nft_expr_priv(expr);
	135	unsigned int i, optl, tcphdr_len, offset;
	136	struct tcphdr *tcph;
	137	u8 *opt;
	138	u32 src;
	139
	140	tcph = nft_tcp_header_pointer(pkt, sizeof(buff), buff, &tcphdr_len);
	141	if (!tcph)
	142	return;
	143
	144	opt = (u8 *)tcph;
	145	for (i = sizeof(*tcph); i < tcphdr_len - 1; i += optl) {
	146	union {
	147	u8 octet;
	148	__be16 v16;
	149	__be32 v32;
	150	} old, new;
	151
	152	optl = optlen(opt, i);
	153
	154	if (priv->type != opt[i])
	155	continue;
	156
	157	if (i + optl > tcphdr_len \|\| priv->len + priv->offset > optl)
	158	return;
	159
	160	if (!skb_make_writable(pkt->skb, pkt->xt.thoff + i + priv->len))
	161	return;
	162
	163	tcph = nft_tcp_header_pointer(pkt, sizeof(buff), buff,
	164	&tcphdr_len);
	165	if (!tcph)
	166	return;
	167
	168	src = regs->data[priv->sreg];
	169	offset = i + priv->offset;
	170
	171	switch (priv->len) {
	172	case 2:
	173	old.v16 = get_unaligned((u16 *)(opt + offset));
	174	new.v16 = src;
	175
	176	switch (priv->type) {
	177	case TCPOPT_MSS:
	178	/* increase can cause connection to stall */
	179	if (ntohs(old.v16) <= ntohs(new.v16))
	180	return;
	181	break;
	182	}
	183
	184	if (old.v16 == new.v16)
	185	return;
	186
	187	put_unaligned(new.v16, (u16*)(opt + offset));
	188	inet_proto_csum_replace2(&tcph->check, pkt->skb,
	189	old.v16, new.v16, false);
	190	break;
	191	case 4:
	192	new.v32 = src;
193	old.v32 = get_unaligned((u32 *)(opt + offset));
194
195	if (old.v32 == new.v32)
196	return;
197
198	put_unaligned(new.v32, (u32*)(opt + offset));
199	inet_proto_csum_replace4(&tcph->check, pkt->skb,
200	old.v32, new.v32, false);
201	break;
202	default:
203	WARN_ON_ONCE(1);
204	break;
205	}
206
207	return;
208	}
209	}
210
96518518 PM	211	static const struct nla_policy nft_exthdr_policy[NFTA_EXTHDR_MAX + 1] = {
	212	[NFTA_EXTHDR_DREG] = { .type = NLA_U32 },
	213	[NFTA_EXTHDR_TYPE] = { .type = NLA_U8 },
	214	[NFTA_EXTHDR_OFFSET] = { .type = NLA_U32 },
	215	[NFTA_EXTHDR_LEN] = { .type = NLA_U32 },
c078ca3b	216	[NFTA_EXTHDR_FLAGS] = { .type = NLA_U32 },
f5b5702a FW	217	[NFTA_EXTHDR_OP] = { .type = NLA_U32 },
f5b5702a FW	218	[NFTA_EXTHDR_SREG] = { .type = NLA_U32 },
96518518 PM	219	};
	220
	221	static int nft_exthdr_init(const struct nft_ctx *ctx,
	222	const struct nft_expr *expr,
	223	const struct nlattr * const tb[])
	224	{
	225	struct nft_exthdr *priv = nft_expr_priv(expr);
935b7f64	226	u32 offset, len, flags = 0, op = NFT_EXTHDR_OP_IPV6;
21a9e0f1	227	int err;
96518518	228
935b7f64 MM	229	if (!tb[NFTA_EXTHDR_DREG] \|\|
	230	!tb[NFTA_EXTHDR_TYPE] \|\|
	231	!tb[NFTA_EXTHDR_OFFSET] \|\|
	232	!tb[NFTA_EXTHDR_LEN])
96518518 PM	233	return -EINVAL;
96518518 PM	234
36b701fa LGL	235	err = nft_parse_u32_check(tb[NFTA_EXTHDR_OFFSET], U8_MAX, &offset);
	236	if (err < 0)
	237	return err;
4da449ae	238
36b701fa LGL	239	err = nft_parse_u32_check(tb[NFTA_EXTHDR_LEN], U8_MAX, &len);
	240	if (err < 0)
	241	return err;
4da449ae	242
c078ca3b PS	243	if (tb[NFTA_EXTHDR_FLAGS]) {
	244	err = nft_parse_u32_check(tb[NFTA_EXTHDR_FLAGS], U8_MAX, &flags);
	245	if (err < 0)
	246	return err;
	247
	248	if (flags & ~NFT_EXTHDR_F_PRESENT)
	249	return -EINVAL;
	250	}
	251
935b7f64 MM	252	if (tb[NFTA_EXTHDR_OP]) {
	253	err = nft_parse_u32_check(tb[NFTA_EXTHDR_OP], U8_MAX, &op);
	254	if (err < 0)
	255	return err;
	256	}
	257
96518518	258	priv->type = nla_get_u8(tb[NFTA_EXTHDR_TYPE]);
4da449ae LGL	259	priv->offset = offset;
4da449ae LGL	260	priv->len = len;
b1c96ed3	261	priv->dreg = nft_parse_register(tb[NFTA_EXTHDR_DREG]);
c078ca3b	262	priv->flags = flags;
935b7f64	263	priv->op = op;
96518518	264
1ec10212 PM	265	return nft_validate_register_store(ctx, priv->dreg, NULL,
1ec10212 PM	266	NFT_DATA_VALUE, priv->len);
96518518 PM	267	}
96518518 PM	268
99d1712b FW	269	static int nft_exthdr_tcp_set_init(const struct nft_ctx *ctx,
	270	const struct nft_expr *expr,
	271	const struct nlattr * const tb[])
	272	{
	273	struct nft_exthdr *priv = nft_expr_priv(expr);
	274	u32 offset, len, flags = 0, op = NFT_EXTHDR_OP_IPV6;
	275	int err;
	276
	277	if (!tb[NFTA_EXTHDR_SREG] \|\|
	278	!tb[NFTA_EXTHDR_TYPE] \|\|
	279	!tb[NFTA_EXTHDR_OFFSET] \|\|
	280	!tb[NFTA_EXTHDR_LEN])
	281	return -EINVAL;
	282
	283	if (tb[NFTA_EXTHDR_DREG] \|\| tb[NFTA_EXTHDR_FLAGS])
	284	return -EINVAL;
	285
	286	err = nft_parse_u32_check(tb[NFTA_EXTHDR_OFFSET], U8_MAX, &offset);
	287	if (err < 0)
	288	return err;
	289
	290	err = nft_parse_u32_check(tb[NFTA_EXTHDR_LEN], U8_MAX, &len);
	291	if (err < 0)
	292	return err;
	293
	294	if (offset < 2)
	295	return -EOPNOTSUPP;
	296
	297	switch (len) {
	298	case 2: break;
	299	case 4: break;
	300	default:
	301	return -EOPNOTSUPP;
	302	}
	303
	304	err = nft_parse_u32_check(tb[NFTA_EXTHDR_OP], U8_MAX, &op);
	305	if (err < 0)
	306	return err;
	307
	308	priv->type = nla_get_u8(tb[NFTA_EXTHDR_TYPE]);
	309	priv->offset = offset;
	310	priv->len = len;
	311	priv->sreg = nft_parse_register(tb[NFTA_EXTHDR_SREG]);
	312	priv->flags = flags;
	313	priv->op = op;
	314
	315	return nft_validate_register_load(priv->sreg, priv->len);
	316	}
	317
5e7d695a	318	static int nft_exthdr_dump_common(struct sk_buff skb, const struct nft_exthdr priv)
96518518	319	{
96518518 PM	320	if (nla_put_u8(skb, NFTA_EXTHDR_TYPE, priv->type))
	321	goto nla_put_failure;
	322	if (nla_put_be32(skb, NFTA_EXTHDR_OFFSET, htonl(priv->offset)))
	323	goto nla_put_failure;
	324	if (nla_put_be32(skb, NFTA_EXTHDR_LEN, htonl(priv->len)))
	325	goto nla_put_failure;
c078ca3b PS	326	if (nla_put_be32(skb, NFTA_EXTHDR_FLAGS, htonl(priv->flags)))
c078ca3b PS	327	goto nla_put_failure;
935b7f64 MM	328	if (nla_put_be32(skb, NFTA_EXTHDR_OP, htonl(priv->op)))
935b7f64 MM	329	goto nla_put_failure;
96518518 PM	330	return 0;
	331
	332	nla_put_failure:
	333	return -1;
	334	}
	335
5e7d695a FW	336	static int nft_exthdr_dump(struct sk_buff skb, const struct nft_expr expr)
	337	{
	338	const struct nft_exthdr *priv = nft_expr_priv(expr);
	339
	340	if (nft_dump_register(skb, NFTA_EXTHDR_DREG, priv->dreg))
	341	return -1;
	342
	343	return nft_exthdr_dump_common(skb, priv);
	344	}
	345
99d1712b FW	346	static int nft_exthdr_dump_set(struct sk_buff skb, const struct nft_expr expr)
	347	{
	348	const struct nft_exthdr *priv = nft_expr_priv(expr);
	349
	350	if (nft_dump_register(skb, NFTA_EXTHDR_SREG, priv->sreg))
	351	return -1;
	352
	353	return nft_exthdr_dump_common(skb, priv);
	354	}
	355
ef1f7df9	356	static struct nft_expr_type nft_exthdr_type;
935b7f64 MM	357	static const struct nft_expr_ops nft_exthdr_ipv6_ops = {
	358	.type = &nft_exthdr_type,
	359	.size = NFT_EXPR_SIZE(sizeof(struct nft_exthdr)),
	360	.eval = nft_exthdr_ipv6_eval,
	361	.init = nft_exthdr_init,
	362	.dump = nft_exthdr_dump,
	363	};
	364
	365	static const struct nft_expr_ops nft_exthdr_tcp_ops = {
ef1f7df9	366	.type = &nft_exthdr_type,
96518518	367	.size = NFT_EXPR_SIZE(sizeof(struct nft_exthdr)),
935b7f64	368	.eval = nft_exthdr_tcp_eval,
96518518 PM	369	.init = nft_exthdr_init,
96518518 PM	370	.dump = nft_exthdr_dump,
ef1f7df9 PM	371	};
ef1f7df9 PM	372
99d1712b FW	373	static const struct nft_expr_ops nft_exthdr_tcp_set_ops = {
	374	.type = &nft_exthdr_type,
	375	.size = NFT_EXPR_SIZE(sizeof(struct nft_exthdr)),
	376	.eval = nft_exthdr_tcp_set_eval,
	377	.init = nft_exthdr_tcp_set_init,
	378	.dump = nft_exthdr_dump_set,
	379	};
	380
935b7f64 MM	381	static const struct nft_expr_ops *
	382	nft_exthdr_select_ops(const struct nft_ctx *ctx,
	383	const struct nlattr * const tb[])
	384	{
	385	u32 op;
	386
	387	if (!tb[NFTA_EXTHDR_OP])
	388	return &nft_exthdr_ipv6_ops;
	389
99d1712b FW	390	if (tb[NFTA_EXTHDR_SREG] && tb[NFTA_EXTHDR_DREG])
	391	return ERR_PTR(-EOPNOTSUPP);
	392
5fd02ebe	393	op = ntohl(nla_get_be32(tb[NFTA_EXTHDR_OP]));
935b7f64 MM	394	switch (op) {
935b7f64 MM	395	case NFT_EXTHDR_OP_TCPOPT:
99d1712b FW	396	if (tb[NFTA_EXTHDR_SREG])
	397	return &nft_exthdr_tcp_set_ops;
	398	if (tb[NFTA_EXTHDR_DREG])
	399	return &nft_exthdr_tcp_ops;
	400	break;
935b7f64	401	case NFT_EXTHDR_OP_IPV6:
99d1712b FW	402	if (tb[NFTA_EXTHDR_DREG])
	403	return &nft_exthdr_ipv6_ops;
	404	break;
935b7f64 MM	405	}
	406
	407	return ERR_PTR(-EOPNOTSUPP);
	408	}
	409
ef1f7df9 PM	410	static struct nft_expr_type nft_exthdr_type __read_mostly = {
ef1f7df9 PM	411	.name = "exthdr",
d4ef3835	412	.select_ops = nft_exthdr_select_ops,
96518518 PM	413	.policy = nft_exthdr_policy,
96518518 PM	414	.maxattr = NFTA_EXTHDR_MAX,
ef1f7df9	415	.owner = THIS_MODULE,
96518518 PM	416	};
	417
	418	static int __init nft_exthdr_module_init(void)
	419	{
ef1f7df9	420	return nft_register_expr(&nft_exthdr_type);
96518518 PM	421	}
	422
	423	static void __exit nft_exthdr_module_exit(void)
	424	{
ef1f7df9	425	nft_unregister_expr(&nft_exthdr_type);
96518518 PM	426	}
	427
	428	module_init(nft_exthdr_module_init);
	429	module_exit(nft_exthdr_module_exit);
	430
	431	MODULE_LICENSE("GPL");
	432	MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
	433	MODULE_ALIAS_NFT_EXPR("exthdr");