[mirror_ubuntu-hirsute-kernel.git] / net / netfilter / nft_exthdr.c

// SPDX-License-Identifier: GPL-2.0-only
/*
 * Copyright (c) 2008 Patrick McHardy <kaber@trash.net>
 *
 * Development of this code funded by Astaro AG (http://www.astaro.com/)
 */

#include <asm/unaligned.h>
#include <linux/kernel.h>
#include <linux/netlink.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables_core.h>
#include <net/netfilter/nf_tables.h>
#include <net/tcp.h>

struct nft_exthdr {
	u8			type;
	u8			offset;
	u8			len;
	u8			op;
	enum nft_registers	dreg:8;
	enum nft_registers	sreg:8;
	u8			flags;
};

static unsigned int optlen(const u8 *opt, unsigned int offset)
{
	/* Beware zero-length options: make finite progress */
	if (opt[offset] <= TCPOPT_NOP || opt[offset + 1] == 0)
		return 1;
	else
		return opt[offset + 1];
}

static void nft_exthdr_ipv6_eval(const struct nft_expr *expr,
				 struct nft_regs *regs,
				 const struct nft_pktinfo *pkt)
{
	struct nft_exthdr *priv = nft_expr_priv(expr);
	u32 *dest = &regs->data[priv->dreg];
	unsigned int offset = 0;
	int err;

	err = ipv6_find_hdr(pkt->skb, &offset, priv->type, NULL, NULL);
	if (priv->flags & NFT_EXTHDR_F_PRESENT) {
		*dest = (err >= 0);
		return;
	} else if (err < 0) {
		goto err;
	}
	offset += priv->offset;

	dest[priv->len / NFT_REG32_SIZE] = 0;
	if (skb_copy_bits(pkt->skb, offset, dest, priv->len) < 0)
		goto err;
	return;
err:
	regs->verdict.code = NFT_BREAK;
}

/* find the offset to specified option.
 *
 * If target header is found, its offset is set in *offset and return option
 * number. Otherwise, return negative error.
 *
 * If the first fragment doesn't contain the End of Options it is considered
 * invalid.
 */
static int ipv4_find_option(struct net *net, struct sk_buff *skb,
			    unsigned int *offset, int target)
{
	unsigned char optbuf[sizeof(struct ip_options) + 40];
	struct ip_options *opt = (struct ip_options *)optbuf;
	struct iphdr *iph, _iph;
	unsigned int start;
	bool found = false;
	__be32 info;
	int optlen;

	iph = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
	if (!iph)
		return -EBADMSG;
	start = sizeof(struct iphdr);

	optlen = iph->ihl * 4 - (int)sizeof(struct iphdr);
	if (optlen <= 0)
		return -ENOENT;

	memset(opt, 0, sizeof(struct ip_options));
	/* Copy the options since __ip_options_compile() modifies
	 * the options.
	 */
	if (skb_copy_bits(skb, start, opt->__data, optlen))
		return -EBADMSG;
	opt->optlen = optlen;

	if (__ip_options_compile(net, opt, NULL, &info))
		return -EBADMSG;

	switch (target) {
	case IPOPT_SSRR:
	case IPOPT_LSRR:
		if (!opt->srr)
			break;
		found = target == IPOPT_SSRR ? opt->is_strictroute :
					       !opt->is_strictroute;
		if (found)
			*offset = opt->srr + start;
		break;
	case IPOPT_RR:
		if (!opt->rr)
			break;
		*offset = opt->rr + start;
		found = true;
		break;
	case IPOPT_RA:
		if (!opt->router_alert)
			break;
		*offset = opt->router_alert + start;
		found = true;
		break;
	default:
		return -EOPNOTSUPP;
	}
	return found ? target : -ENOENT;
}

static void nft_exthdr_ipv4_eval(const struct nft_expr *expr,
				 struct nft_regs *regs,
				 const struct nft_pktinfo *pkt)
{
	struct nft_exthdr *priv = nft_expr_priv(expr);
	u32 *dest = &regs->data[priv->dreg];
	struct sk_buff *skb = pkt->skb;
	unsigned int offset;
	int err;

	if (skb->protocol != htons(ETH_P_IP))
		goto err;

	err = ipv4_find_option(nft_net(pkt), skb, &offset, priv->type);
	if (priv->flags & NFT_EXTHDR_F_PRESENT) {
		*dest = (err >= 0);
		return;
	} else if (err < 0) {
		goto err;
	}
	offset += priv->offset;

	dest[priv->len / NFT_REG32_SIZE] = 0;
	if (skb_copy_bits(pkt->skb, offset, dest, priv->len) < 0)
		goto err;
	return;
err:
	regs->verdict.code = NFT_BREAK;
}

static void *
nft_tcp_header_pointer(const struct nft_pktinfo *pkt,
		       unsigned int len, void *buffer, unsigned int *tcphdr_len)
{
	struct tcphdr *tcph;

	if (!pkt->tprot_set || pkt->tprot != IPPROTO_TCP)
		return NULL;

	tcph = skb_header_pointer(pkt->skb, pkt->xt.thoff, sizeof(*tcph), buffer);
	if (!tcph)
		return NULL;

	*tcphdr_len = __tcp_hdrlen(tcph);
	if (*tcphdr_len < sizeof(*tcph) || *tcphdr_len > len)
		return NULL;

	return skb_header_pointer(pkt->skb, pkt->xt.thoff, *tcphdr_len, buffer);
}

static void nft_exthdr_tcp_eval(const struct nft_expr *expr,
				struct nft_regs *regs,
				const struct nft_pktinfo *pkt)
{
	u8 buff[sizeof(struct tcphdr) + MAX_TCP_OPTION_SPACE];
	struct nft_exthdr *priv = nft_expr_priv(expr);
	unsigned int i, optl, tcphdr_len, offset;
	u32 *dest = &regs->data[priv->dreg];
	struct tcphdr *tcph;
	u8 *opt;

	tcph = nft_tcp_header_pointer(pkt, sizeof(buff), buff, &tcphdr_len);
	if (!tcph)
		goto err;

	opt = (u8 *)tcph;
	for (i = sizeof(*tcph); i < tcphdr_len - 1; i += optl) {
		optl = optlen(opt, i);

		if (priv->type != opt[i])
			continue;

		if (i + optl > tcphdr_len || priv->len + priv->offset > optl)
			goto err;

		offset = i + priv->offset;
		if (priv->flags & NFT_EXTHDR_F_PRESENT) {
			*dest = 1;
		} else {
			dest[priv->len / NFT_REG32_SIZE] = 0;
			memcpy(dest, opt + offset, priv->len);
		}

		return;
	}

err:
	if (priv->flags & NFT_EXTHDR_F_PRESENT)
		*dest = 0;
	else
		regs->verdict.code = NFT_BREAK;
}

static void nft_exthdr_tcp_set_eval(const struct nft_expr *expr,
				    struct nft_regs *regs,
				    const struct nft_pktinfo *pkt)
{
	u8 buff[sizeof(struct tcphdr) + MAX_TCP_OPTION_SPACE];
	struct nft_exthdr *priv = nft_expr_priv(expr);
	unsigned int i, optl, tcphdr_len, offset;
	struct tcphdr *tcph;
	u8 *opt;
	u32 src;

	tcph = nft_tcp_header_pointer(pkt, sizeof(buff), buff, &tcphdr_len);
	if (!tcph)
		return;

	opt = (u8 *)tcph;
	for (i = sizeof(*tcph); i < tcphdr_len - 1; i += optl) {
		union {
			u8 octet;
			__be16 v16;
			__be32 v32;
		} old, new;

		optl = optlen(opt, i);

		if (priv->type != opt[i])
			continue;

		if (i + optl > tcphdr_len || priv->len + priv->offset > optl)
			return;

		if (skb_ensure_writable(pkt->skb,
					pkt->xt.thoff + i + priv->len))
			return;

		tcph = nft_tcp_header_pointer(pkt, sizeof(buff), buff,
					      &tcphdr_len);
		if (!tcph)
			return;

		src = regs->data[priv->sreg];
		offset = i + priv->offset;

		switch (priv->len) {
		case 2:
			old.v16 = get_unaligned((u16 *)(opt + offset));
			new.v16 = src;

			switch (priv->type) {
			case TCPOPT_MSS:
				/* increase can cause connection to stall */
				if (ntohs(old.v16) <= ntohs(new.v16))
					return;
			break;
			}

			if (old.v16 == new.v16)
				return;

			put_unaligned(new.v16, (u16*)(opt + offset));
			inet_proto_csum_replace2(&tcph->check, pkt->skb,
						 old.v16, new.v16, false);
			break;
		case 4:
			new.v32 = src;
			old.v32 = get_unaligned((u32 *)(opt + offset));

			if (old.v32 == new.v32)
				return;

			put_unaligned(new.v32, (u32*)(opt + offset));
			inet_proto_csum_replace4(&tcph->check, pkt->skb,
						 old.v32, new.v32, false);
			break;
		default:
			WARN_ON_ONCE(1);
			break;
		}

		return;
	}
}

static const struct nla_policy nft_exthdr_policy[NFTA_EXTHDR_MAX + 1] = {
	[NFTA_EXTHDR_DREG]		= { .type = NLA_U32 },
	[NFTA_EXTHDR_TYPE]		= { .type = NLA_U8 },
	[NFTA_EXTHDR_OFFSET]		= { .type = NLA_U32 },
	[NFTA_EXTHDR_LEN]		= { .type = NLA_U32 },
	[NFTA_EXTHDR_FLAGS]		= { .type = NLA_U32 },
	[NFTA_EXTHDR_OP]		= { .type = NLA_U32 },
	[NFTA_EXTHDR_SREG]		= { .type = NLA_U32 },
};

static int nft_exthdr_init(const struct nft_ctx *ctx,
			   const struct nft_expr *expr,
			   const struct nlattr * const tb[])
{
	struct nft_exthdr *priv = nft_expr_priv(expr);
	u32 offset, len, flags = 0, op = NFT_EXTHDR_OP_IPV6;
	int err;

	if (!tb[NFTA_EXTHDR_DREG] ||
	    !tb[NFTA_EXTHDR_TYPE] ||
	    !tb[NFTA_EXTHDR_OFFSET] ||
	    !tb[NFTA_EXTHDR_LEN])
		return -EINVAL;

	err = nft_parse_u32_check(tb[NFTA_EXTHDR_OFFSET], U8_MAX, &offset);
	if (err < 0)
		return err;

	err = nft_parse_u32_check(tb[NFTA_EXTHDR_LEN], U8_MAX, &len);
	if (err < 0)
		return err;

	if (tb[NFTA_EXTHDR_FLAGS]) {
		err = nft_parse_u32_check(tb[NFTA_EXTHDR_FLAGS], U8_MAX, &flags);
		if (err < 0)
			return err;

		if (flags & ~NFT_EXTHDR_F_PRESENT)
			return -EINVAL;
	}

	if (tb[NFTA_EXTHDR_OP]) {
		err = nft_parse_u32_check(tb[NFTA_EXTHDR_OP], U8_MAX, &op);
		if (err < 0)
			return err;
	}

	priv->type   = nla_get_u8(tb[NFTA_EXTHDR_TYPE]);
	priv->offset = offset;
	priv->len    = len;
	priv->dreg   = nft_parse_register(tb[NFTA_EXTHDR_DREG]);
	priv->flags  = flags;
	priv->op     = op;

	return nft_validate_register_store(ctx, priv->dreg, NULL,
					   NFT_DATA_VALUE, priv->len);
}

static int nft_exthdr_tcp_set_init(const struct nft_ctx *ctx,
				   const struct nft_expr *expr,
				   const struct nlattr * const tb[])
{
	struct nft_exthdr *priv = nft_expr_priv(expr);
	u32 offset, len, flags = 0, op = NFT_EXTHDR_OP_IPV6;
	int err;

	if (!tb[NFTA_EXTHDR_SREG] ||
	    !tb[NFTA_EXTHDR_TYPE] ||
	    !tb[NFTA_EXTHDR_OFFSET] ||
	    !tb[NFTA_EXTHDR_LEN])
		return -EINVAL;

	if (tb[NFTA_EXTHDR_DREG] || tb[NFTA_EXTHDR_FLAGS])
		return -EINVAL;

	err = nft_parse_u32_check(tb[NFTA_EXTHDR_OFFSET], U8_MAX, &offset);
	if (err < 0)
		return err;

	err = nft_parse_u32_check(tb[NFTA_EXTHDR_LEN], U8_MAX, &len);
	if (err < 0)
		return err;

	if (offset < 2)
		return -EOPNOTSUPP;

	switch (len) {
	case 2: break;
	case 4: break;
	default:
		return -EOPNOTSUPP;
	}

	err = nft_parse_u32_check(tb[NFTA_EXTHDR_OP], U8_MAX, &op);
	if (err < 0)
		return err;

	priv->type   = nla_get_u8(tb[NFTA_EXTHDR_TYPE]);
	priv->offset = offset;
	priv->len    = len;
	priv->sreg   = nft_parse_register(tb[NFTA_EXTHDR_SREG]);
	priv->flags  = flags;
	priv->op     = op;

	return nft_validate_register_load(priv->sreg, priv->len);
}

static int nft_exthdr_ipv4_init(const struct nft_ctx *ctx,
				const struct nft_expr *expr,
				const struct nlattr * const tb[])
{
	struct nft_exthdr *priv = nft_expr_priv(expr);
	int err = nft_exthdr_init(ctx, expr, tb);

	if (err < 0)
		return err;

	switch (priv->type) {
	case IPOPT_SSRR:
	case IPOPT_LSRR:
	case IPOPT_RR:
	case IPOPT_RA:
		break;
	default:
		return -EOPNOTSUPP;
	}
	return 0;
}

static int nft_exthdr_dump_common(struct sk_buff *skb, const struct nft_exthdr *priv)
{
	if (nla_put_u8(skb, NFTA_EXTHDR_TYPE, priv->type))
		goto nla_put_failure;
	if (nla_put_be32(skb, NFTA_EXTHDR_OFFSET, htonl(priv->offset)))
		goto nla_put_failure;
	if (nla_put_be32(skb, NFTA_EXTHDR_LEN, htonl(priv->len)))
		goto nla_put_failure;
	if (nla_put_be32(skb, NFTA_EXTHDR_FLAGS, htonl(priv->flags)))
		goto nla_put_failure;
	if (nla_put_be32(skb, NFTA_EXTHDR_OP, htonl(priv->op)))
		goto nla_put_failure;
	return 0;

nla_put_failure:
	return -1;
}

static int nft_exthdr_dump(struct sk_buff *skb, const struct nft_expr *expr)
{
	const struct nft_exthdr *priv = nft_expr_priv(expr);

	if (nft_dump_register(skb, NFTA_EXTHDR_DREG, priv->dreg))
		return -1;

	return nft_exthdr_dump_common(skb, priv);
}

static int nft_exthdr_dump_set(struct sk_buff *skb, const struct nft_expr *expr)
{
	const struct nft_exthdr *priv = nft_expr_priv(expr);

	if (nft_dump_register(skb, NFTA_EXTHDR_SREG, priv->sreg))
		return -1;

	return nft_exthdr_dump_common(skb, priv);
}

static const struct nft_expr_ops nft_exthdr_ipv6_ops = {
	.type		= &nft_exthdr_type,
	.size		= NFT_EXPR_SIZE(sizeof(struct nft_exthdr)),
	.eval		= nft_exthdr_ipv6_eval,
	.init		= nft_exthdr_init,
	.dump		= nft_exthdr_dump,
};

static const struct nft_expr_ops nft_exthdr_ipv4_ops = {
	.type		= &nft_exthdr_type,
	.size		= NFT_EXPR_SIZE(sizeof(struct nft_exthdr)),
	.eval		= nft_exthdr_ipv4_eval,
	.init		= nft_exthdr_ipv4_init,
	.dump		= nft_exthdr_dump,
};

static const struct nft_expr_ops nft_exthdr_tcp_ops = {
	.type		= &nft_exthdr_type,
	.size		= NFT_EXPR_SIZE(sizeof(struct nft_exthdr)),
	.eval		= nft_exthdr_tcp_eval,
	.init		= nft_exthdr_init,
	.dump		= nft_exthdr_dump,
};

static const struct nft_expr_ops nft_exthdr_tcp_set_ops = {
	.type		= &nft_exthdr_type,
	.size		= NFT_EXPR_SIZE(sizeof(struct nft_exthdr)),
	.eval		= nft_exthdr_tcp_set_eval,
	.init		= nft_exthdr_tcp_set_init,
	.dump		= nft_exthdr_dump_set,
};

static const struct nft_expr_ops *
nft_exthdr_select_ops(const struct nft_ctx *ctx,
		      const struct nlattr * const tb[])
{
	u32 op;

	if (!tb[NFTA_EXTHDR_OP])
		return &nft_exthdr_ipv6_ops;

	if (tb[NFTA_EXTHDR_SREG] && tb[NFTA_EXTHDR_DREG])
		return ERR_PTR(-EOPNOTSUPP);

	op = ntohl(nla_get_be32(tb[NFTA_EXTHDR_OP]));
	switch (op) {
	case NFT_EXTHDR_OP_TCPOPT:
		if (tb[NFTA_EXTHDR_SREG])
			return &nft_exthdr_tcp_set_ops;
		if (tb[NFTA_EXTHDR_DREG])
			return &nft_exthdr_tcp_ops;
		break;
	case NFT_EXTHDR_OP_IPV6:
		if (tb[NFTA_EXTHDR_DREG])
			return &nft_exthdr_ipv6_ops;
		break;
	case NFT_EXTHDR_OP_IPV4:
		if (ctx->family != NFPROTO_IPV6) {
			if (tb[NFTA_EXTHDR_DREG])
				return &nft_exthdr_ipv4_ops;
		}
		break;
	}

	return ERR_PTR(-EOPNOTSUPP);
}

struct nft_expr_type nft_exthdr_type __read_mostly = {
	.name		= "exthdr",
	.select_ops	= nft_exthdr_select_ops,
	.policy		= nft_exthdr_policy,
	.maxattr	= NFTA_EXTHDR_MAX,
	.owner		= THIS_MODULE,
};
Commit	Line	Data
d2912cb1	1	// SPDX-License-Identifier: GPL-2.0-only
96518518 PM	2	/*
	3	* Copyright (c) 2008 Patrick McHardy <kaber@trash.net>
	4	*
96518518 PM	5	* Development of this code funded by Astaro AG (http://www.astaro.com/)
	6	*/
	7
99d1712b	8	#include <asm/unaligned.h>
96518518	9	#include <linux/kernel.h>
96518518 PM	10	#include <linux/netlink.h>
	11	#include <linux/netfilter.h>
	12	#include <linux/netfilter/nf_tables.h>
d0103158	13	#include <net/netfilter/nf_tables_core.h>
96518518	14	#include <net/netfilter/nf_tables.h>
935b7f64	15	#include <net/tcp.h>
96518518 PM	16
	17	struct nft_exthdr {
	18	u8 type;
	19	u8 offset;
	20	u8 len;
935b7f64	21	u8 op;
96518518	22	enum nft_registers dreg:8;
99d1712b	23	enum nft_registers sreg:8;
c078ca3b	24	u8 flags;
96518518 PM	25	};
96518518 PM	26
935b7f64 MM	27	static unsigned int optlen(const u8 *opt, unsigned int offset)
	28	{
	29	/* Beware zero-length options: make finite progress */
	30	if (opt[offset] <= TCPOPT_NOP \|\| opt[offset + 1] == 0)
	31	return 1;
	32	else
	33	return opt[offset + 1];
	34	}
	35
	36	static void nft_exthdr_ipv6_eval(const struct nft_expr *expr,
	37	struct nft_regs *regs,
	38	const struct nft_pktinfo *pkt)
96518518 PM	39	{
96518518 PM	40	struct nft_exthdr *priv = nft_expr_priv(expr);
49499c3e	41	u32 *dest = &regs->data[priv->dreg];
540436c8	42	unsigned int offset = 0;
96518518 PM	43	int err;
	44
	45	err = ipv6_find_hdr(pkt->skb, &offset, priv->type, NULL, NULL);
c078ca3b PS	46	if (priv->flags & NFT_EXTHDR_F_PRESENT) {
	47	*dest = (err >= 0);
	48	return;
	49	} else if (err < 0) {
96518518	50	goto err;
c078ca3b	51	}
96518518 PM	52	offset += priv->offset;
96518518 PM	53
49499c3e	54	dest[priv->len / NFT_REG32_SIZE] = 0;
fad136ea	55	if (skb_copy_bits(pkt->skb, offset, dest, priv->len) < 0)
96518518 PM	56	goto err;
	57	return;
	58	err:
a55e22e9	59	regs->verdict.code = NFT_BREAK;
96518518 PM	60	}
96518518 PM	61
dbb5281a SS	62	/* find the offset to specified option.
	63	*
	64	* If target header is found, its offset is set in *offset and return option
	65	* number. Otherwise, return negative error.
	66	*
	67	* If the first fragment doesn't contain the End of Options it is considered
	68	* invalid.
	69	*/
	70	static int ipv4_find_option(struct net net, struct sk_buff skb,
	71	unsigned int *offset, int target)
	72	{
	73	unsigned char optbuf[sizeof(struct ip_options) + 40];
	74	struct ip_options opt = (struct ip_options )optbuf;
	75	struct iphdr *iph, _iph;
	76	unsigned int start;
	77	bool found = false;
	78	__be32 info;
	79	int optlen;
	80
	81	iph = skb_header_pointer(skb, 0, sizeof(_iph), &_iph);
	82	if (!iph)
	83	return -EBADMSG;
	84	start = sizeof(struct iphdr);
	85
	86	optlen = iph->ihl * 4 - (int)sizeof(struct iphdr);
	87	if (optlen <= 0)
	88	return -ENOENT;
	89
	90	memset(opt, 0, sizeof(struct ip_options));
	91	/* Copy the options since __ip_options_compile() modifies
	92	* the options.
	93	*/
	94	if (skb_copy_bits(skb, start, opt->__data, optlen))
	95	return -EBADMSG;
	96	opt->optlen = optlen;
	97
	98	if (__ip_options_compile(net, opt, NULL, &info))
	99	return -EBADMSG;
	100
	101	switch (target) {
	102	case IPOPT_SSRR:
	103	case IPOPT_LSRR:
	104	if (!opt->srr)
	105	break;
	106	found = target == IPOPT_SSRR ? opt->is_strictroute :
	107	!opt->is_strictroute;
	108	if (found)
	109	*offset = opt->srr + start;
	110	break;
	111	case IPOPT_RR:
	112	if (!opt->rr)
	113	break;
	114	*offset = opt->rr + start;
	115	found = true;
	116	break;
	117	case IPOPT_RA:
	118	if (!opt->router_alert)
	119	break;
	120	*offset = opt->router_alert + start;
	121	found = true;
	122	break;
	123	default:
	124	return -EOPNOTSUPP;
	125	}
126	return found ? target : -ENOENT;
127	}
128
129	static void nft_exthdr_ipv4_eval(const struct nft_expr *expr,
130	struct nft_regs *regs,
131	const struct nft_pktinfo *pkt)
132	{
133	struct nft_exthdr *priv = nft_expr_priv(expr);
134	u32 *dest = &regs->data[priv->dreg];
135	struct sk_buff *skb = pkt->skb;
136	unsigned int offset;
137	int err;
138
139	if (skb->protocol != htons(ETH_P_IP))
140	goto err;
141
142	err = ipv4_find_option(nft_net(pkt), skb, &offset, priv->type);
143	if (priv->flags & NFT_EXTHDR_F_PRESENT) {
144	*dest = (err >= 0);
145	return;
146	} else if (err < 0) {
147	goto err;
148	}
149	offset += priv->offset;
150
151	dest[priv->len / NFT_REG32_SIZE] = 0;
152	if (skb_copy_bits(pkt->skb, offset, dest, priv->len) < 0)
153	goto err;
154	return;
155	err:
156	regs->verdict.code = NFT_BREAK;
157	}
158
a1817700 FW	159	static void *
	160	nft_tcp_header_pointer(const struct nft_pktinfo *pkt,
	161	unsigned int len, void buffer, unsigned int tcphdr_len)
	162	{
	163	struct tcphdr *tcph;
	164
	165	if (!pkt->tprot_set \|\| pkt->tprot != IPPROTO_TCP)
	166	return NULL;
	167
	168	tcph = skb_header_pointer(pkt->skb, pkt->xt.thoff, sizeof(*tcph), buffer);
	169	if (!tcph)
	170	return NULL;
	171
	172	*tcphdr_len = __tcp_hdrlen(tcph);
	173	if (tcphdr_len < sizeof(tcph) \|\| *tcphdr_len > len)
	174	return NULL;
	175
	176	return skb_header_pointer(pkt->skb, pkt->xt.thoff, *tcphdr_len, buffer);
	177	}
	178
935b7f64 MM	179	static void nft_exthdr_tcp_eval(const struct nft_expr *expr,
	180	struct nft_regs *regs,
	181	const struct nft_pktinfo *pkt)
	182	{
	183	u8 buff[sizeof(struct tcphdr) + MAX_TCP_OPTION_SPACE];
	184	struct nft_exthdr *priv = nft_expr_priv(expr);
	185	unsigned int i, optl, tcphdr_len, offset;
	186	u32 *dest = &regs->data[priv->dreg];
	187	struct tcphdr *tcph;
	188	u8 *opt;
	189
a1817700	190	tcph = nft_tcp_header_pointer(pkt, sizeof(buff), buff, &tcphdr_len);
935b7f64 MM	191	if (!tcph)
	192	goto err;
	193
	194	opt = (u8 *)tcph;
	195	for (i = sizeof(*tcph); i < tcphdr_len - 1; i += optl) {
	196	optl = optlen(opt, i);
	197
	198	if (priv->type != opt[i])
	199	continue;
	200
	201	if (i + optl > tcphdr_len \|\| priv->len + priv->offset > optl)
	202	goto err;
	203
	204	offset = i + priv->offset;
3c1fece8 PS	205	if (priv->flags & NFT_EXTHDR_F_PRESENT) {
	206	*dest = 1;
	207	} else {
	208	dest[priv->len / NFT_REG32_SIZE] = 0;
	209	memcpy(dest, opt + offset, priv->len);
	210	}
935b7f64 MM	211
	212	return;
	213	}
	214
	215	err:
3c1fece8 PS	216	if (priv->flags & NFT_EXTHDR_F_PRESENT)
	217	*dest = 0;
	218	else
	219	regs->verdict.code = NFT_BREAK;
935b7f64 MM	220	}
935b7f64 MM	221
99d1712b FW	222	static void nft_exthdr_tcp_set_eval(const struct nft_expr *expr,
	223	struct nft_regs *regs,
	224	const struct nft_pktinfo *pkt)
	225	{
	226	u8 buff[sizeof(struct tcphdr) + MAX_TCP_OPTION_SPACE];
	227	struct nft_exthdr *priv = nft_expr_priv(expr);
	228	unsigned int i, optl, tcphdr_len, offset;
	229	struct tcphdr *tcph;
	230	u8 *opt;
	231	u32 src;
	232
	233	tcph = nft_tcp_header_pointer(pkt, sizeof(buff), buff, &tcphdr_len);
	234	if (!tcph)
	235	return;
	236
	237	opt = (u8 *)tcph;
	238	for (i = sizeof(*tcph); i < tcphdr_len - 1; i += optl) {
	239	union {
	240	u8 octet;
	241	__be16 v16;
	242	__be32 v32;
	243	} old, new;
	244
	245	optl = optlen(opt, i);
	246
	247	if (priv->type != opt[i])
	248	continue;
	249
	250	if (i + optl > tcphdr_len \|\| priv->len + priv->offset > optl)
	251	return;
	252
7418ee4c FW	253	if (skb_ensure_writable(pkt->skb,
7418ee4c FW	254	pkt->xt.thoff + i + priv->len))
99d1712b FW	255	return;
	256
	257	tcph = nft_tcp_header_pointer(pkt, sizeof(buff), buff,
	258	&tcphdr_len);
	259	if (!tcph)
	260	return;
	261
	262	src = regs->data[priv->sreg];
	263	offset = i + priv->offset;
	264
	265	switch (priv->len) {
	266	case 2:
	267	old.v16 = get_unaligned((u16 *)(opt + offset));
	268	new.v16 = src;
	269
	270	switch (priv->type) {
	271	case TCPOPT_MSS:
	272	/* increase can cause connection to stall */
	273	if (ntohs(old.v16) <= ntohs(new.v16))
	274	return;
	275	break;
	276	}
	277
	278	if (old.v16 == new.v16)
	279	return;
	280
	281	put_unaligned(new.v16, (u16*)(opt + offset));
	282	inet_proto_csum_replace2(&tcph->check, pkt->skb,
	283	old.v16, new.v16, false);
	284	break;
	285	case 4:
	286	new.v32 = src;
	287	old.v32 = get_unaligned((u32 *)(opt + offset));
	288
	289	if (old.v32 == new.v32)
	290	return;
	291
	292	put_unaligned(new.v32, (u32*)(opt + offset));
	293	inet_proto_csum_replace4(&tcph->check, pkt->skb,
	294	old.v32, new.v32, false);
	295	break;
	296	default:
	297	WARN_ON_ONCE(1);
	298	break;
	299	}
	300
	301	return;
	302	}
	303	}
	304
96518518 PM	305	static const struct nla_policy nft_exthdr_policy[NFTA_EXTHDR_MAX + 1] = {
	306	[NFTA_EXTHDR_DREG] = { .type = NLA_U32 },
	307	[NFTA_EXTHDR_TYPE] = { .type = NLA_U8 },
	308	[NFTA_EXTHDR_OFFSET] = { .type = NLA_U32 },
	309	[NFTA_EXTHDR_LEN] = { .type = NLA_U32 },
c078ca3b	310	[NFTA_EXTHDR_FLAGS] = { .type = NLA_U32 },
f5b5702a FW	311	[NFTA_EXTHDR_OP] = { .type = NLA_U32 },
f5b5702a FW	312	[NFTA_EXTHDR_SREG] = { .type = NLA_U32 },
96518518 PM	313	};
	314
	315	static int nft_exthdr_init(const struct nft_ctx *ctx,
	316	const struct nft_expr *expr,
	317	const struct nlattr * const tb[])
	318	{
	319	struct nft_exthdr *priv = nft_expr_priv(expr);
935b7f64	320	u32 offset, len, flags = 0, op = NFT_EXTHDR_OP_IPV6;
21a9e0f1	321	int err;
96518518	322
935b7f64 MM	323	if (!tb[NFTA_EXTHDR_DREG] \|\|
	324	!tb[NFTA_EXTHDR_TYPE] \|\|
	325	!tb[NFTA_EXTHDR_OFFSET] \|\|
	326	!tb[NFTA_EXTHDR_LEN])
96518518 PM	327	return -EINVAL;
96518518 PM	328
36b701fa LGL	329	err = nft_parse_u32_check(tb[NFTA_EXTHDR_OFFSET], U8_MAX, &offset);
	330	if (err < 0)
	331	return err;
4da449ae	332
36b701fa LGL	333	err = nft_parse_u32_check(tb[NFTA_EXTHDR_LEN], U8_MAX, &len);
	334	if (err < 0)
	335	return err;
4da449ae	336
c078ca3b PS	337	if (tb[NFTA_EXTHDR_FLAGS]) {
	338	err = nft_parse_u32_check(tb[NFTA_EXTHDR_FLAGS], U8_MAX, &flags);
	339	if (err < 0)
	340	return err;
	341
	342	if (flags & ~NFT_EXTHDR_F_PRESENT)
	343	return -EINVAL;
	344	}
	345
935b7f64 MM	346	if (tb[NFTA_EXTHDR_OP]) {
	347	err = nft_parse_u32_check(tb[NFTA_EXTHDR_OP], U8_MAX, &op);
	348	if (err < 0)
	349	return err;
	350	}
	351
96518518	352	priv->type = nla_get_u8(tb[NFTA_EXTHDR_TYPE]);
4da449ae LGL	353	priv->offset = offset;
4da449ae LGL	354	priv->len = len;
b1c96ed3	355	priv->dreg = nft_parse_register(tb[NFTA_EXTHDR_DREG]);
c078ca3b	356	priv->flags = flags;
935b7f64	357	priv->op = op;
96518518	358
1ec10212 PM	359	return nft_validate_register_store(ctx, priv->dreg, NULL,
1ec10212 PM	360	NFT_DATA_VALUE, priv->len);
96518518 PM	361	}
96518518 PM	362
99d1712b FW	363	static int nft_exthdr_tcp_set_init(const struct nft_ctx *ctx,
	364	const struct nft_expr *expr,
	365	const struct nlattr * const tb[])
	366	{
	367	struct nft_exthdr *priv = nft_expr_priv(expr);
	368	u32 offset, len, flags = 0, op = NFT_EXTHDR_OP_IPV6;
	369	int err;
	370
	371	if (!tb[NFTA_EXTHDR_SREG] \|\|
	372	!tb[NFTA_EXTHDR_TYPE] \|\|
	373	!tb[NFTA_EXTHDR_OFFSET] \|\|
	374	!tb[NFTA_EXTHDR_LEN])
	375	return -EINVAL;
	376
	377	if (tb[NFTA_EXTHDR_DREG] \|\| tb[NFTA_EXTHDR_FLAGS])
	378	return -EINVAL;
	379
	380	err = nft_parse_u32_check(tb[NFTA_EXTHDR_OFFSET], U8_MAX, &offset);
	381	if (err < 0)
	382	return err;
	383
	384	err = nft_parse_u32_check(tb[NFTA_EXTHDR_LEN], U8_MAX, &len);
	385	if (err < 0)
	386	return err;
	387
	388	if (offset < 2)
	389	return -EOPNOTSUPP;
	390
	391	switch (len) {
	392	case 2: break;
	393	case 4: break;
	394	default:
	395	return -EOPNOTSUPP;
	396	}
	397
	398	err = nft_parse_u32_check(tb[NFTA_EXTHDR_OP], U8_MAX, &op);
	399	if (err < 0)
	400	return err;
	401
	402	priv->type = nla_get_u8(tb[NFTA_EXTHDR_TYPE]);
	403	priv->offset = offset;
	404	priv->len = len;
	405	priv->sreg = nft_parse_register(tb[NFTA_EXTHDR_SREG]);
	406	priv->flags = flags;
	407	priv->op = op;
	408
	409	return nft_validate_register_load(priv->sreg, priv->len);
	410	}
	411
dbb5281a SS	412	static int nft_exthdr_ipv4_init(const struct nft_ctx *ctx,
	413	const struct nft_expr *expr,
	414	const struct nlattr * const tb[])
	415	{
	416	struct nft_exthdr *priv = nft_expr_priv(expr);
	417	int err = nft_exthdr_init(ctx, expr, tb);
	418
	419	if (err < 0)
	420	return err;
	421
	422	switch (priv->type) {
	423	case IPOPT_SSRR:
	424	case IPOPT_LSRR:
	425	case IPOPT_RR:
	426	case IPOPT_RA:
	427	break;
	428	default:
	429	return -EOPNOTSUPP;
	430	}
	431	return 0;
	432	}
	433
5e7d695a	434	static int nft_exthdr_dump_common(struct sk_buff skb, const struct nft_exthdr priv)
96518518	435	{
96518518 PM	436	if (nla_put_u8(skb, NFTA_EXTHDR_TYPE, priv->type))
	437	goto nla_put_failure;
	438	if (nla_put_be32(skb, NFTA_EXTHDR_OFFSET, htonl(priv->offset)))
	439	goto nla_put_failure;
	440	if (nla_put_be32(skb, NFTA_EXTHDR_LEN, htonl(priv->len)))
	441	goto nla_put_failure;
c078ca3b PS	442	if (nla_put_be32(skb, NFTA_EXTHDR_FLAGS, htonl(priv->flags)))
c078ca3b PS	443	goto nla_put_failure;
935b7f64 MM	444	if (nla_put_be32(skb, NFTA_EXTHDR_OP, htonl(priv->op)))
935b7f64 MM	445	goto nla_put_failure;
96518518 PM	446	return 0;
	447
	448	nla_put_failure:
	449	return -1;
	450	}
	451
5e7d695a FW	452	static int nft_exthdr_dump(struct sk_buff skb, const struct nft_expr expr)
	453	{
	454	const struct nft_exthdr *priv = nft_expr_priv(expr);
	455
	456	if (nft_dump_register(skb, NFTA_EXTHDR_DREG, priv->dreg))
	457	return -1;
	458
	459	return nft_exthdr_dump_common(skb, priv);
	460	}
	461
99d1712b FW	462	static int nft_exthdr_dump_set(struct sk_buff skb, const struct nft_expr expr)
	463	{
	464	const struct nft_exthdr *priv = nft_expr_priv(expr);
	465
	466	if (nft_dump_register(skb, NFTA_EXTHDR_SREG, priv->sreg))
	467	return -1;
	468
	469	return nft_exthdr_dump_common(skb, priv);
	470	}
	471
935b7f64 MM	472	static const struct nft_expr_ops nft_exthdr_ipv6_ops = {
	473	.type = &nft_exthdr_type,
	474	.size = NFT_EXPR_SIZE(sizeof(struct nft_exthdr)),
	475	.eval = nft_exthdr_ipv6_eval,
	476	.init = nft_exthdr_init,
	477	.dump = nft_exthdr_dump,
	478	};
	479
dbb5281a SS	480	static const struct nft_expr_ops nft_exthdr_ipv4_ops = {
	481	.type = &nft_exthdr_type,
	482	.size = NFT_EXPR_SIZE(sizeof(struct nft_exthdr)),
	483	.eval = nft_exthdr_ipv4_eval,
	484	.init = nft_exthdr_ipv4_init,
	485	.dump = nft_exthdr_dump,
	486	};
	487
935b7f64	488	static const struct nft_expr_ops nft_exthdr_tcp_ops = {
ef1f7df9	489	.type = &nft_exthdr_type,
96518518	490	.size = NFT_EXPR_SIZE(sizeof(struct nft_exthdr)),
935b7f64	491	.eval = nft_exthdr_tcp_eval,
96518518 PM	492	.init = nft_exthdr_init,
96518518 PM	493	.dump = nft_exthdr_dump,
ef1f7df9 PM	494	};
ef1f7df9 PM	495
99d1712b FW	496	static const struct nft_expr_ops nft_exthdr_tcp_set_ops = {
	497	.type = &nft_exthdr_type,
	498	.size = NFT_EXPR_SIZE(sizeof(struct nft_exthdr)),
	499	.eval = nft_exthdr_tcp_set_eval,
	500	.init = nft_exthdr_tcp_set_init,
	501	.dump = nft_exthdr_dump_set,
	502	};
	503
935b7f64 MM	504	static const struct nft_expr_ops *
	505	nft_exthdr_select_ops(const struct nft_ctx *ctx,
	506	const struct nlattr * const tb[])
	507	{
	508	u32 op;
	509
	510	if (!tb[NFTA_EXTHDR_OP])
	511	return &nft_exthdr_ipv6_ops;
	512
99d1712b FW	513	if (tb[NFTA_EXTHDR_SREG] && tb[NFTA_EXTHDR_DREG])
	514	return ERR_PTR(-EOPNOTSUPP);
	515
5fd02ebe	516	op = ntohl(nla_get_be32(tb[NFTA_EXTHDR_OP]));
935b7f64 MM	517	switch (op) {
935b7f64 MM	518	case NFT_EXTHDR_OP_TCPOPT:
99d1712b FW	519	if (tb[NFTA_EXTHDR_SREG])
	520	return &nft_exthdr_tcp_set_ops;
	521	if (tb[NFTA_EXTHDR_DREG])
	522	return &nft_exthdr_tcp_ops;
	523	break;
935b7f64	524	case NFT_EXTHDR_OP_IPV6:
99d1712b FW	525	if (tb[NFTA_EXTHDR_DREG])
	526	return &nft_exthdr_ipv6_ops;
	527	break;
dbb5281a SS	528	case NFT_EXTHDR_OP_IPV4:
	529	if (ctx->family != NFPROTO_IPV6) {
	530	if (tb[NFTA_EXTHDR_DREG])
	531	return &nft_exthdr_ipv4_ops;
	532	}
	533	break;
935b7f64 MM	534	}
	535
	536	return ERR_PTR(-EOPNOTSUPP);
	537	}
	538
d0103158	539	struct nft_expr_type nft_exthdr_type __read_mostly = {
ef1f7df9	540	.name = "exthdr",
d4ef3835	541	.select_ops = nft_exthdr_select_ops,
96518518 PM	542	.policy = nft_exthdr_policy,
96518518 PM	543	.maxattr = NFTA_EXTHDR_MAX,
ef1f7df9	544	.owner = THIS_MODULE,
96518518	545	};