[mirror_ubuntu-jammy-kernel.git] / include / net / netfilter / nf_flow_table.h

#ifndef _NF_FLOW_TABLE_H
#define _NF_FLOW_TABLE_H

#include <linux/in.h>
#include <linux/in6.h>
#include <linux/netdevice.h>
#include <linux/rhashtable-types.h>
#include <linux/rcupdate.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nf_conntrack_tuple_common.h>
#include <net/flow_offload.h>
#include <net/dst.h>

struct nf_flowtable;
struct nf_flow_rule;
struct flow_offload;
enum flow_offload_tuple_dir;

struct nf_flow_key {
	struct flow_dissector_key_meta			meta;
	struct flow_dissector_key_control		control;
	struct flow_dissector_key_control		enc_control;
	struct flow_dissector_key_basic			basic;
	union {
		struct flow_dissector_key_ipv4_addrs	ipv4;
		struct flow_dissector_key_ipv6_addrs	ipv6;
	};
	struct flow_dissector_key_keyid			enc_key_id;
	union {
		struct flow_dissector_key_ipv4_addrs	enc_ipv4;
		struct flow_dissector_key_ipv6_addrs	enc_ipv6;
	};
	struct flow_dissector_key_tcp			tcp;
	struct flow_dissector_key_ports			tp;
} __aligned(BITS_PER_LONG / 8); /* Ensure that we can do comparisons as longs. */

struct nf_flow_match {
	struct flow_dissector	dissector;
	struct nf_flow_key	key;
	struct nf_flow_key	mask;
};

struct nf_flow_rule {
	struct nf_flow_match	match;
	struct flow_rule	*rule;
};

struct nf_flowtable_type {
	struct list_head		list;
	int				family;
	int				(*init)(struct nf_flowtable *ft);
	int				(*setup)(struct nf_flowtable *ft,
						 struct net_device *dev,
						 enum flow_block_command cmd);
	int				(*action)(struct net *net,
						  const struct flow_offload *flow,
						  enum flow_offload_tuple_dir dir,
						  struct nf_flow_rule *flow_rule);
	void				(*free)(struct nf_flowtable *ft);
	nf_hookfn			*hook;
	struct module			*owner;
};

enum nf_flowtable_flags {
	NF_FLOWTABLE_HW_OFFLOAD		= 0x1,	/* NFT_FLOWTABLE_HW_OFFLOAD */
	NF_FLOWTABLE_COUNTER		= 0x2,	/* NFT_FLOWTABLE_COUNTER */
};

struct nf_flowtable {
	struct list_head		list;
	struct rhashtable		rhashtable;
	int				priority;
	const struct nf_flowtable_type	*type;
	struct delayed_work		gc_work;
	unsigned int			flags;
	struct flow_block		flow_block;
	struct rw_semaphore		flow_block_lock; /* Guards flow_block */
	possible_net_t			net;
};

static inline bool nf_flowtable_hw_offload(struct nf_flowtable *flowtable)
{
	return flowtable->flags & NF_FLOWTABLE_HW_OFFLOAD;
}

enum flow_offload_tuple_dir {
	FLOW_OFFLOAD_DIR_ORIGINAL = IP_CT_DIR_ORIGINAL,
	FLOW_OFFLOAD_DIR_REPLY = IP_CT_DIR_REPLY,
};
#define FLOW_OFFLOAD_DIR_MAX	IP_CT_DIR_MAX

enum flow_offload_xmit_type {
	FLOW_OFFLOAD_XMIT_NEIGH		= 0,
	FLOW_OFFLOAD_XMIT_XFRM,
	FLOW_OFFLOAD_XMIT_DIRECT,
};

#define NF_FLOW_TABLE_ENCAP_MAX		2

struct flow_offload_tuple {
	union {
		struct in_addr		src_v4;
		struct in6_addr		src_v6;
	};
	union {
		struct in_addr		dst_v4;
		struct in6_addr		dst_v6;
	};
	struct {
		__be16			src_port;
		__be16			dst_port;
	};

	int				iifidx;

	u8				l3proto;
	u8				l4proto;
	struct {
		u16			id;
		__be16			proto;
	} encap[NF_FLOW_TABLE_ENCAP_MAX];

	/* All members above are keys for lookups, see flow_offload_hash(). */
	struct { }			__hash;

	u8				dir:4,
					xmit_type:2,
					encap_num:2;
	u16				mtu;
	union {
		struct dst_entry	*dst_cache;
		struct {
			u32		ifidx;
			u8		h_source[ETH_ALEN];
			u8		h_dest[ETH_ALEN];
		} out;
	};
};

struct flow_offload_tuple_rhash {
	struct rhash_head		node;
	struct flow_offload_tuple	tuple;
};

enum nf_flow_flags {
	NF_FLOW_SNAT,
	NF_FLOW_DNAT,
	NF_FLOW_TEARDOWN,
	NF_FLOW_HW,
	NF_FLOW_HW_DYING,
	NF_FLOW_HW_DEAD,
	NF_FLOW_HW_REFRESH,
	NF_FLOW_HW_PENDING,
};

enum flow_offload_type {
	NF_FLOW_OFFLOAD_UNSPEC	= 0,
	NF_FLOW_OFFLOAD_ROUTE,
};

struct flow_offload {
	struct flow_offload_tuple_rhash		tuplehash[FLOW_OFFLOAD_DIR_MAX];
	struct nf_conn				*ct;
	unsigned long				flags;
	u16					type;
	u32					timeout;
	struct rcu_head				rcu_head;
};

#define NF_FLOW_TIMEOUT (30 * HZ)
#define nf_flowtable_time_stamp	(u32)jiffies

static inline __s32 nf_flow_timeout_delta(unsigned int timeout)
{
	return (__s32)(timeout - nf_flowtable_time_stamp);
}

struct nf_flow_route {
	struct {
		struct dst_entry		*dst;
		struct {
			u32			ifindex;
			struct {
				u16		id;
				__be16		proto;
			} encap[NF_FLOW_TABLE_ENCAP_MAX];
			u8			num_encaps;
		} in;
		struct {
			u32			ifindex;
			u8			h_source[ETH_ALEN];
			u8			h_dest[ETH_ALEN];
		} out;
		enum flow_offload_xmit_type	xmit_type;
	} tuple[FLOW_OFFLOAD_DIR_MAX];
};

struct flow_offload *flow_offload_alloc(struct nf_conn *ct);
void flow_offload_free(struct flow_offload *flow);

static inline int
nf_flow_table_offload_add_cb(struct nf_flowtable *flow_table,
			     flow_setup_cb_t *cb, void *cb_priv)
{
	struct flow_block *block = &flow_table->flow_block;
	struct flow_block_cb *block_cb;
	int err = 0;

	down_write(&flow_table->flow_block_lock);
	block_cb = flow_block_cb_lookup(block, cb, cb_priv);
	if (block_cb) {
		err = -EEXIST;
		goto unlock;
	}

	block_cb = flow_block_cb_alloc(cb, cb_priv, cb_priv, NULL);
	if (IS_ERR(block_cb)) {
		err = PTR_ERR(block_cb);
		goto unlock;
	}

	list_add_tail(&block_cb->list, &block->cb_list);

unlock:
	up_write(&flow_table->flow_block_lock);
	return err;
}

static inline void
nf_flow_table_offload_del_cb(struct nf_flowtable *flow_table,
			     flow_setup_cb_t *cb, void *cb_priv)
{
	struct flow_block *block = &flow_table->flow_block;
	struct flow_block_cb *block_cb;

	down_write(&flow_table->flow_block_lock);
	block_cb = flow_block_cb_lookup(block, cb, cb_priv);
	if (block_cb) {
		list_del(&block_cb->list);
		flow_block_cb_free(block_cb);
	} else {
		WARN_ON(true);
	}
	up_write(&flow_table->flow_block_lock);
}

int flow_offload_route_init(struct flow_offload *flow,
			    const struct nf_flow_route *route);

int flow_offload_add(struct nf_flowtable *flow_table, struct flow_offload *flow);
void flow_offload_refresh(struct nf_flowtable *flow_table,
			  struct flow_offload *flow);

struct flow_offload_tuple_rhash *flow_offload_lookup(struct nf_flowtable *flow_table,
						     struct flow_offload_tuple *tuple);
void nf_flow_table_gc_cleanup(struct nf_flowtable *flowtable,
			      struct net_device *dev);
void nf_flow_table_cleanup(struct net_device *dev);

int nf_flow_table_init(struct nf_flowtable *flow_table);
void nf_flow_table_free(struct nf_flowtable *flow_table);

void flow_offload_teardown(struct flow_offload *flow);

void nf_flow_snat_port(const struct flow_offload *flow,
		       struct sk_buff *skb, unsigned int thoff,
		       u8 protocol, enum flow_offload_tuple_dir dir);
void nf_flow_dnat_port(const struct flow_offload *flow,
		       struct sk_buff *skb, unsigned int thoff,
		       u8 protocol, enum flow_offload_tuple_dir dir);

struct flow_ports {
	__be16 source, dest;
};

unsigned int nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
				     const struct nf_hook_state *state);
unsigned int nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb,
				       const struct nf_hook_state *state);

#define MODULE_ALIAS_NF_FLOWTABLE(family)	\
	MODULE_ALIAS("nf-flowtable-" __stringify(family))

void nf_flow_offload_add(struct nf_flowtable *flowtable,
			 struct flow_offload *flow);
void nf_flow_offload_del(struct nf_flowtable *flowtable,
			 struct flow_offload *flow);
void nf_flow_offload_stats(struct nf_flowtable *flowtable,
			   struct flow_offload *flow);

void nf_flow_table_offload_flush(struct nf_flowtable *flowtable);
int nf_flow_table_offload_setup(struct nf_flowtable *flowtable,
				struct net_device *dev,
				enum flow_block_command cmd);
int nf_flow_rule_route_ipv4(struct net *net, const struct flow_offload *flow,
			    enum flow_offload_tuple_dir dir,
			    struct nf_flow_rule *flow_rule);
int nf_flow_rule_route_ipv6(struct net *net, const struct flow_offload *flow,
			    enum flow_offload_tuple_dir dir,
			    struct nf_flow_rule *flow_rule);

int nf_flow_table_offload_init(void);
void nf_flow_table_offload_exit(void);

#endif /* _NF_FLOW_TABLE_H */
Commit	Line	Data
	1	#ifndef _NF_FLOW_TABLE_H
	2	#define _NF_FLOW_TABLE_H
	3
	4	#include <linux/in.h>
	5	#include <linux/in6.h>
	6	#include <linux/netdevice.h>
	7	#include <linux/rhashtable-types.h>
	8	#include <linux/rcupdate.h>
	9	#include <linux/netfilter.h>
	10	#include <linux/netfilter/nf_conntrack_tuple_common.h>
	11	#include <net/flow_offload.h>
	12	#include <net/dst.h>
	13
	14	struct nf_flowtable;
	15	struct nf_flow_rule;
	16	struct flow_offload;
	17	enum flow_offload_tuple_dir;
	18
	19	struct nf_flow_key {
	20	struct flow_dissector_key_meta meta;
	21	struct flow_dissector_key_control control;
	22	struct flow_dissector_key_control enc_control;
	23	struct flow_dissector_key_basic basic;
	24	union {
	25	struct flow_dissector_key_ipv4_addrs ipv4;
	26	struct flow_dissector_key_ipv6_addrs ipv6;
	27	};
	28	struct flow_dissector_key_keyid enc_key_id;
	29	union {
	30	struct flow_dissector_key_ipv4_addrs enc_ipv4;
	31	struct flow_dissector_key_ipv6_addrs enc_ipv6;
	32	};
	33	struct flow_dissector_key_tcp tcp;
	34	struct flow_dissector_key_ports tp;
	35	} __aligned(BITS_PER_LONG / 8); /* Ensure that we can do comparisons as longs. */
	36
	37	struct nf_flow_match {
	38	struct flow_dissector dissector;
	39	struct nf_flow_key key;
	40	struct nf_flow_key mask;
	41	};
	42
	43	struct nf_flow_rule {
	44	struct nf_flow_match match;
	45	struct flow_rule *rule;
	46	};
	47
	48	struct nf_flowtable_type {
	49	struct list_head list;
	50	int family;
	51	int (init)(struct nf_flowtable ft);
	52	int (setup)(struct nf_flowtable ft,
	53	struct net_device *dev,
	54	enum flow_block_command cmd);
	55	int (action)(struct net net,
	56	const struct flow_offload *flow,
	57	enum flow_offload_tuple_dir dir,
	58	struct nf_flow_rule *flow_rule);
	59	void (free)(struct nf_flowtable ft);
	60	nf_hookfn *hook;
	61	struct module *owner;
	62	};
	63
	64	enum nf_flowtable_flags {
	65	NF_FLOWTABLE_HW_OFFLOAD = 0x1, /* NFT_FLOWTABLE_HW_OFFLOAD */
	66	NF_FLOWTABLE_COUNTER = 0x2, /* NFT_FLOWTABLE_COUNTER */
	67	};
	68
	69	struct nf_flowtable {
	70	struct list_head list;
	71	struct rhashtable rhashtable;
	72	int priority;
	73	const struct nf_flowtable_type *type;
	74	struct delayed_work gc_work;
	75	unsigned int flags;
	76	struct flow_block flow_block;
	77	struct rw_semaphore flow_block_lock; /* Guards flow_block */
	78	possible_net_t net;
	79	};
	80
	81	static inline bool nf_flowtable_hw_offload(struct nf_flowtable *flowtable)
	82	{
	83	return flowtable->flags & NF_FLOWTABLE_HW_OFFLOAD;
	84	}
	85
	86	enum flow_offload_tuple_dir {
	87	FLOW_OFFLOAD_DIR_ORIGINAL = IP_CT_DIR_ORIGINAL,
	88	FLOW_OFFLOAD_DIR_REPLY = IP_CT_DIR_REPLY,
	89	};
	90	#define FLOW_OFFLOAD_DIR_MAX IP_CT_DIR_MAX
	91
	92	enum flow_offload_xmit_type {
	93	FLOW_OFFLOAD_XMIT_NEIGH = 0,
	94	FLOW_OFFLOAD_XMIT_XFRM,
	95	FLOW_OFFLOAD_XMIT_DIRECT,
	96	};
	97
	98	#define NF_FLOW_TABLE_ENCAP_MAX 2
	99
	100	struct flow_offload_tuple {
	101	union {
	102	struct in_addr src_v4;
	103	struct in6_addr src_v6;
	104	};
	105	union {
	106	struct in_addr dst_v4;
	107	struct in6_addr dst_v6;
	108	};
	109	struct {
	110	__be16 src_port;
	111	__be16 dst_port;
	112	};
	113
	114	int iifidx;
	115
	116	u8 l3proto;
	117	u8 l4proto;
	118	struct {
	119	u16 id;
	120	__be16 proto;
	121	} encap[NF_FLOW_TABLE_ENCAP_MAX];
	122
	123	/* All members above are keys for lookups, see flow_offload_hash(). */
	124	struct { } __hash;
	125
	126	u8 dir:4,
	127	xmit_type:2,
	128	encap_num:2;
	129	u16 mtu;
	130	union {
	131	struct dst_entry *dst_cache;
	132	struct {
	133	u32 ifidx;
	134	u8 h_source[ETH_ALEN];
	135	u8 h_dest[ETH_ALEN];
	136	} out;
	137	};
	138	};
	139
	140	struct flow_offload_tuple_rhash {
	141	struct rhash_head node;
	142	struct flow_offload_tuple tuple;
	143	};
	144
	145	enum nf_flow_flags {
	146	NF_FLOW_SNAT,
	147	NF_FLOW_DNAT,
	148	NF_FLOW_TEARDOWN,
	149	NF_FLOW_HW,
	150	NF_FLOW_HW_DYING,
	151	NF_FLOW_HW_DEAD,
	152	NF_FLOW_HW_REFRESH,
	153	NF_FLOW_HW_PENDING,
	154	};
	155
	156	enum flow_offload_type {
	157	NF_FLOW_OFFLOAD_UNSPEC = 0,
	158	NF_FLOW_OFFLOAD_ROUTE,
	159	};
	160
	161	struct flow_offload {
	162	struct flow_offload_tuple_rhash tuplehash[FLOW_OFFLOAD_DIR_MAX];
	163	struct nf_conn *ct;
	164	unsigned long flags;
	165	u16 type;
	166	u32 timeout;
	167	struct rcu_head rcu_head;
	168	};
	169
	170	#define NF_FLOW_TIMEOUT (30 * HZ)
	171	#define nf_flowtable_time_stamp (u32)jiffies
	172
	173	static inline __s32 nf_flow_timeout_delta(unsigned int timeout)
	174	{
	175	return (__s32)(timeout - nf_flowtable_time_stamp);
	176	}
	177
	178	struct nf_flow_route {
	179	struct {
	180	struct dst_entry *dst;
	181	struct {
	182	u32 ifindex;
	183	struct {
	184	u16 id;
	185	__be16 proto;
	186	} encap[NF_FLOW_TABLE_ENCAP_MAX];
	187	u8 num_encaps;
	188	} in;
	189	struct {
	190	u32 ifindex;
	191	u8 h_source[ETH_ALEN];
	192	u8 h_dest[ETH_ALEN];
	193	} out;
	194	enum flow_offload_xmit_type xmit_type;
	195	} tuple[FLOW_OFFLOAD_DIR_MAX];
	196	};
	197
	198	struct flow_offload flow_offload_alloc(struct nf_conn ct);
	199	void flow_offload_free(struct flow_offload *flow);
	200
	201	static inline int
	202	nf_flow_table_offload_add_cb(struct nf_flowtable *flow_table,
	203	flow_setup_cb_t cb, void cb_priv)
	204	{
	205	struct flow_block *block = &flow_table->flow_block;
	206	struct flow_block_cb *block_cb;
	207	int err = 0;
	208
	209	down_write(&flow_table->flow_block_lock);
	210	block_cb = flow_block_cb_lookup(block, cb, cb_priv);
	211	if (block_cb) {
	212	err = -EEXIST;
	213	goto unlock;
	214	}
	215
	216	block_cb = flow_block_cb_alloc(cb, cb_priv, cb_priv, NULL);
	217	if (IS_ERR(block_cb)) {
	218	err = PTR_ERR(block_cb);
	219	goto unlock;
	220	}
	221
	222	list_add_tail(&block_cb->list, &block->cb_list);
	223
	224	unlock:
	225	up_write(&flow_table->flow_block_lock);
	226	return err;
	227	}
	228
	229	static inline void
	230	nf_flow_table_offload_del_cb(struct nf_flowtable *flow_table,
	231	flow_setup_cb_t cb, void cb_priv)
	232	{
	233	struct flow_block *block = &flow_table->flow_block;
	234	struct flow_block_cb *block_cb;
	235
	236	down_write(&flow_table->flow_block_lock);
	237	block_cb = flow_block_cb_lookup(block, cb, cb_priv);
	238	if (block_cb) {
	239	list_del(&block_cb->list);
	240	flow_block_cb_free(block_cb);
	241	} else {
	242	WARN_ON(true);
	243	}
	244	up_write(&flow_table->flow_block_lock);
	245	}
	246
	247	int flow_offload_route_init(struct flow_offload *flow,
	248	const struct nf_flow_route *route);
	249
	250	int flow_offload_add(struct nf_flowtable flow_table, struct flow_offload flow);
	251	void flow_offload_refresh(struct nf_flowtable *flow_table,
	252	struct flow_offload *flow);
	253
	254	struct flow_offload_tuple_rhash flow_offload_lookup(struct nf_flowtable flow_table,
	255	struct flow_offload_tuple *tuple);
	256	void nf_flow_table_gc_cleanup(struct nf_flowtable *flowtable,
	257	struct net_device *dev);
	258	void nf_flow_table_cleanup(struct net_device *dev);
	259
	260	int nf_flow_table_init(struct nf_flowtable *flow_table);
	261	void nf_flow_table_free(struct nf_flowtable *flow_table);
	262
	263	void flow_offload_teardown(struct flow_offload *flow);
	264
	265	void nf_flow_snat_port(const struct flow_offload *flow,
	266	struct sk_buff *skb, unsigned int thoff,
	267	u8 protocol, enum flow_offload_tuple_dir dir);
	268	void nf_flow_dnat_port(const struct flow_offload *flow,
	269	struct sk_buff *skb, unsigned int thoff,
	270	u8 protocol, enum flow_offload_tuple_dir dir);
	271
	272	struct flow_ports {
	273	__be16 source, dest;
	274	};
	275
	276	unsigned int nf_flow_offload_ip_hook(void priv, struct sk_buff skb,
	277	const struct nf_hook_state *state);
	278	unsigned int nf_flow_offload_ipv6_hook(void priv, struct sk_buff skb,
	279	const struct nf_hook_state *state);
	280
	281	#define MODULE_ALIAS_NF_FLOWTABLE(family) \
	282	MODULE_ALIAS("nf-flowtable-" __stringify(family))
	283
	284	void nf_flow_offload_add(struct nf_flowtable *flowtable,
	285	struct flow_offload *flow);
	286	void nf_flow_offload_del(struct nf_flowtable *flowtable,
	287	struct flow_offload *flow);
	288	void nf_flow_offload_stats(struct nf_flowtable *flowtable,
	289	struct flow_offload *flow);
	290
	291	void nf_flow_table_offload_flush(struct nf_flowtable *flowtable);
	292	int nf_flow_table_offload_setup(struct nf_flowtable *flowtable,
	293	struct net_device *dev,
	294	enum flow_block_command cmd);
	295	int nf_flow_rule_route_ipv4(struct net net, const struct flow_offload flow,
	296	enum flow_offload_tuple_dir dir,
	297	struct nf_flow_rule *flow_rule);
	298	int nf_flow_rule_route_ipv6(struct net net, const struct flow_offload flow,
	299	enum flow_offload_tuple_dir dir,
	300	struct nf_flow_rule *flow_rule);
	301
	302	int nf_flow_table_offload_init(void);
	303	void nf_flow_table_offload_exit(void);
	304
	305	#endif /* _NF_FLOW_TABLE_H */