// SPDX-License-Identifier: GPL-2.0-only
/*
 * Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
 * Copyright (c) 2016 Pablo Neira Ayuso <pablo@netfilter.org>
 *
 * Development of this code funded by Astaro AG (http://www.astaro.com/)
 */
8 | ||
9 | #include <linux/kernel.h> | |
10 | #include <linux/if_vlan.h> | |
11 | #include <linux/init.h> | |
12 | #include <linux/module.h> | |
13 | #include <linux/netlink.h> | |
14 | #include <linux/netfilter.h> | |
15 | #include <linux/netfilter/nf_tables.h> | |
16 | #include <net/netfilter/nf_tables_core.h> | |
17 | #include <net/netfilter/nf_tables.h> | |
18 | #include <net/netfilter/nf_tables_offload.h> | |
19 | /* For layer 4 checksum field offset. */ | |
20 | #include <linux/tcp.h> | |
21 | #include <linux/udp.h> | |
22 | #include <linux/icmpv6.h> | |
23 | #include <linux/ip.h> | |
24 | #include <linux/ipv6.h> | |
25 | #include <net/sctp/checksum.h> | |
26 | ||
/* Rebuild the VLAN Ethernet header of a frame whose tag was moved out of
 * the packet data by offloads: the plain Ethernet header is copied from
 * the packet at @mac_off, the VLAN fields are filled from skb metadata.
 *
 * @skb:     packet to read from
 * @mac_off: offset of the MAC header relative to skb->data
 * @veth:    header to fill
 *
 * Returns false if ETH_HLEN bytes at @mac_off cannot be read from @skb.
 */
static bool nft_payload_rebuild_vlan_hdr(const struct sk_buff *skb, int mac_off,
					 struct vlan_ethhdr *veth)
{
	int err = skb_copy_bits(skb, mac_off, veth, ETH_HLEN);

	if (err)
		return false;

	/* The TCI is kept in host order in the skb, the header is big-endian. */
	veth->h_vlan_TCI = htons(skb_vlan_tag_get(skb));
	veth->h_vlan_proto = skb->vlan_proto;
	veth->h_vlan_encapsulated_proto = skb->protocol;

	return true;
}
39 | ||
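/* Copy @len bytes at link-layer offset @offset into @d as the user sees the
 * frame: the 802.1Q/802.1AD tag that offloads moved into skb metadata is
 * re-inserted after the Ethernet header, so @offset counts from the start
 * of the untouched on-the-wire frame.
 *
 * @d:      destination register, written as raw bytes
 * @skb:    packet with skb_vlan_tag_present()
 * @offset: offset from the MAC header in the user's view
 * @len:    number of bytes to copy
 *
 * Returns false if the requested range cannot be read from @skb.
 */
static bool
nft_payload_copy_vlan(u32 *d, const struct sk_buff *skb, u8 offset, u8 len)
{
	int mac_off = skb_mac_header(skb) - skb->data;
	u8 *vlanh, *dst_u8 = (u8 *) d;
	struct vlan_ethhdr veth;
	u8 vlan_hlen = 0;

	/* skb->protocol still reading as a VLAN ethertype indicates a second
	 * tag left in the packet data; account for it when the requested
	 * range starts inside that second tag.
	 */
	if ((skb->protocol == htons(ETH_P_8021AD) ||
	     skb->protocol == htons(ETH_P_8021Q)) &&
	    offset >= VLAN_ETH_HLEN && offset < VLAN_ETH_HLEN + VLAN_HLEN)
		vlan_hlen += VLAN_HLEN;

	vlanh = (u8 *) &veth;
	if (offset < VLAN_ETH_HLEN + vlan_hlen) {
		/* Bytes served from the on-stack header rather than the skb. */
		u8 ethlen = len;

		if (vlan_hlen &&
		    skb_copy_bits(skb, mac_off, &veth, VLAN_ETH_HLEN) < 0)
			return false;
		else if (!nft_payload_rebuild_vlan_hdr(skb, mac_off, &veth))
			return false;
		/* NOTE(review): with vlan_hlen != 0 and a successful copy the
		 * else-branch still runs and overwrites veth's VLAN fields with
		 * the offloaded tag; confirm this is the intended layout.
		 */

		/* Clamp the copy to what veth holds. The memcpy() below reads
		 * veth from index (offset - vlan_hlen), so at most
		 * VLAN_ETH_HLEN + vlan_hlen - offset bytes can come from it.
		 * The earlier expression added vlan_hlen instead of subtracting
		 * it; that underflowed the u8 and let memcpy() read past the
		 * end of veth on the stack.
		 */
		if (offset + len > VLAN_ETH_HLEN + vlan_hlen)
			ethlen -= offset + len - VLAN_ETH_HLEN - vlan_hlen;

		memcpy(dst_u8, vlanh + offset - vlan_hlen, ethlen);

		len -= ethlen;
		if (len == 0)
			return true;

		dst_u8 += ethlen;
		/* The remaining bytes follow the header inside the packet. */
		offset = ETH_HLEN + vlan_hlen;
	} else {
		/* Skip the tag that only exists in the user's view. */
		offset -= VLAN_HLEN + vlan_hlen;
	}

	return skb_copy_bits(skb, offset + mac_off, dst_u8, len) == 0;
}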
81 | ||
/* Load priv->len bytes at priv->offset from the header selected by
 * priv->base into destination register priv->dreg.
 *
 * On any failure (missing MAC/transport header, short packet) the verdict
 * is set to NFT_BREAK and the register is left unchanged beyond the
 * zeroed padding word.
 */
void nft_payload_eval(const struct nft_expr *expr,
		      struct nft_regs *regs,
		      const struct nft_pktinfo *pkt)
{
	const struct nft_payload *priv = nft_expr_priv(expr);
	const struct sk_buff *skb = pkt->skb;
	u32 *dest = &regs->data[priv->dreg];
	int base_off;

	/* When len is not a multiple of the register word, clear the word
	 * holding the tail so its unused bytes are not left undefined.
	 */
	if (priv->len % NFT_REG32_SIZE)
		dest[priv->len / NFT_REG32_SIZE] = 0;

	if (priv->base == NFT_PAYLOAD_LL_HEADER) {
		if (!skb_mac_header_was_set(skb))
			goto err;

		/* Tag removed by offloads: rebuild the frame in software. */
		if (skb_vlan_tag_present(skb)) {
			if (nft_payload_copy_vlan(dest, skb,
						  priv->offset, priv->len))
				return;
			goto err;
		}
		base_off = skb_mac_header(skb) - skb->data;
	} else if (priv->base == NFT_PAYLOAD_NETWORK_HEADER) {
		base_off = skb_network_offset(skb);
	} else if (priv->base == NFT_PAYLOAD_TRANSPORT_HEADER) {
		if (!pkt->tprot_set)
			goto err;
		base_off = pkt->xt.thoff;
	} else {
		/* Bases are validated in nft_payload_select_ops(). */
		BUG();
	}

	if (skb_copy_bits(skb, base_off + priv->offset, dest, priv->len) < 0)
		goto err;
	return;

err:
	regs->verdict.code = NFT_BREAK;
}
126 | ||
/* Netlink attribute policy for the payload expression: every attribute is
 * a 32-bit value; presence of the mandatory ones is checked in
 * nft_payload_select_ops().
 */
static const struct nla_policy nft_payload_policy[NFTA_PAYLOAD_MAX + 1] = {
	[NFTA_PAYLOAD_SREG]		= { .type = NLA_U32 },	/* store: source register */
	[NFTA_PAYLOAD_DREG]		= { .type = NLA_U32 },	/* load: destination register */
	[NFTA_PAYLOAD_BASE]		= { .type = NLA_U32 },	/* enum nft_payload_bases */
	[NFTA_PAYLOAD_OFFSET]		= { .type = NLA_U32 },
	[NFTA_PAYLOAD_LEN]		= { .type = NLA_U32 },
	[NFTA_PAYLOAD_CSUM_TYPE]	= { .type = NLA_U32 },	/* store only */
	[NFTA_PAYLOAD_CSUM_OFFSET]	= { .type = NLA_U32 },	/* store only */
	[NFTA_PAYLOAD_CSUM_FLAGS]	= { .type = NLA_U32 },	/* store only */
};
137 | ||
/* Initialise a payload load expression from its netlink attributes.
 * BASE, OFFSET and LEN are guaranteed present by nft_payload_select_ops().
 *
 * Returns 0 or the negative error from nft_parse_register_store().
 */
static int nft_payload_init(const struct nft_ctx *ctx,
			    const struct nft_expr *expr,
			    const struct nlattr * const tb[])
{
	struct nft_payload *priv = nft_expr_priv(expr);
	u32 base, offset, len;

	base = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_BASE]));
	offset = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_OFFSET]));
	len = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_LEN]));

	/* NOTE(review): stored without a range check; if the priv fields are
	 * narrower than u32 the values are silently truncated — confirm
	 * against struct nft_payload.
	 */
	priv->base = base;
	priv->offset = offset;
	priv->len = len;

	return nft_parse_register_store(ctx, tb[NFTA_PAYLOAD_DREG],
					&priv->dreg, NULL, NFT_DATA_VALUE,
					priv->len);
}
152 | ||
/* Dump a payload load expression to netlink.
 * Returns 0 on success, -1 if the message ran out of room.
 */
static int nft_payload_dump(struct sk_buff *skb, const struct nft_expr *expr)
{
	const struct nft_payload *priv = nft_expr_priv(expr);
	bool failed;

	/* Short-circuits on the first attribute that does not fit. */
	failed = nft_dump_register(skb, NFTA_PAYLOAD_DREG, priv->dreg) ||
		 nla_put_be32(skb, NFTA_PAYLOAD_BASE, htonl(priv->base)) ||
		 nla_put_be32(skb, NFTA_PAYLOAD_OFFSET, htonl(priv->offset)) ||
		 nla_put_be32(skb, NFTA_PAYLOAD_LEN, htonl(priv->len));

	return failed ? -1 : 0;
}
167 | ||
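/* Build the match mask for a payload load that compares the first
 * @priv_len bytes of a @field_len-byte flow-dissector field.
 *
 * @reg:       offload register whose ->mask is written
 * @priv_len:  number of bytes the rule compares
 * @field_len: size of the hardware field (callers pass 1, 2, 4, 6 or 16)
 *
 * Returns false when the load is wider than the field and so cannot be
 * expressed as a mask.
 */
static bool nft_payload_offload_mask(struct nft_offload_reg *reg,
				     u32 priv_len, u32 field_len)
{
	unsigned int remainder, delta, k;
	struct nft_data mask = {};
	__be32 remainder_mask;

	if (priv_len == field_len) {
		memset(&reg->mask, 0xff, priv_len);
		return true;
	} else if (priv_len > field_len) {
		return false;
	}

	memset(&mask, 0xff, field_len);
	remainder = priv_len % sizeof(u32);
	if (remainder) {
		/* Word k is only partially compared: keep its first
		 * 'remainder' bytes, clear the remaining 'delta' bytes.
		 * The count has to be derived from the word, not from
		 * field_len - priv_len: that only coincided with the right
		 * value for 4-byte fields (e.g. 3 of 6 MAC bytes produced
		 * ff 00 00 instead of ff ff ff) and for 16-byte fields it
		 * could shift by 32 or more, which is undefined.
		 */
		k = priv_len / sizeof(u32);
		delta = sizeof(u32) - remainder;
		remainder_mask = htonl(~((1U << (delta * BITS_PER_BYTE)) - 1));
		mask.data[k] = (__force u32)remainder_mask;
	}

	memcpy(&reg->mask, &mask, field_len);

	return true;
}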
195 | ||
/* Offload a link-layer payload load. Only loads that start exactly at a
 * field known to the flow dissector can be expressed as a match; any other
 * offset returns -EOPNOTSUPP. Loads of an ethertype/TPID field also record
 * a network-layer dependency via nft_offload_set_dependency().
 */
static int nft_payload_offload_ll(struct nft_offload_ctx *ctx,
				  struct nft_flow_rule *flow,
				  const struct nft_payload *priv)
{
	struct nft_offload_reg *reg = &ctx->regs[priv->dreg];
	/* Fields of the second tag (FLOW_DISSECTOR_KEY_CVLAN). */
	const u32 cvlan_tci = offsetof(struct vlan_ethhdr, h_vlan_TCI) +
			      sizeof(struct vlan_hdr);
	const u32 cvlan_tpid = offsetof(struct vlan_ethhdr,
					h_vlan_encapsulated_proto) +
			       sizeof(struct vlan_hdr);
	u32 off = priv->offset;
	bool network_dep = false;

	if (off == offsetof(struct ethhdr, h_source)) {
		if (!nft_payload_offload_mask(reg, priv->len, ETH_ALEN))
			return -EOPNOTSUPP;
		NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_ETH_ADDRS, eth_addrs,
				  src, ETH_ALEN, reg);
	} else if (off == offsetof(struct ethhdr, h_dest)) {
		if (!nft_payload_offload_mask(reg, priv->len, ETH_ALEN))
			return -EOPNOTSUPP;
		NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_ETH_ADDRS, eth_addrs,
				  dst, ETH_ALEN, reg);
	} else if (off == offsetof(struct ethhdr, h_proto)) {
		if (!nft_payload_offload_mask(reg, priv->len, sizeof(__be16)))
			return -EOPNOTSUPP;
		NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_BASIC, basic,
				  n_proto, sizeof(__be16), reg);
		network_dep = true;
	} else if (off == offsetof(struct vlan_ethhdr, h_vlan_TCI)) {
		if (!nft_payload_offload_mask(reg, priv->len, sizeof(__be16)))
			return -EOPNOTSUPP;
		NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_VLAN, vlan,
				  vlan_tci, sizeof(__be16), reg);
	} else if (off == offsetof(struct vlan_ethhdr, h_vlan_encapsulated_proto)) {
		if (!nft_payload_offload_mask(reg, priv->len, sizeof(__be16)))
			return -EOPNOTSUPP;
		NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_VLAN, vlan,
				  vlan_tpid, sizeof(__be16), reg);
		network_dep = true;
	} else if (off == cvlan_tci) {
		if (!nft_payload_offload_mask(reg, priv->len, sizeof(__be16)))
			return -EOPNOTSUPP;
		NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_CVLAN, cvlan,
				  vlan_tci, sizeof(__be16), reg);
	} else if (off == cvlan_tpid) {
		if (!nft_payload_offload_mask(reg, priv->len, sizeof(__be16)))
			return -EOPNOTSUPP;
		NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_CVLAN, cvlan,
				  vlan_tpid, sizeof(__be16), reg);
		network_dep = true;
	} else {
		return -EOPNOTSUPP;
	}

	if (network_dep)
		nft_offload_set_dependency(ctx, NFT_OFFLOAD_DEP_NETWORK);

	return 0;
}
262 | ||
/* Offload an IPv4 header load: source/destination address or the protocol
 * byte. Address loads also set the flow's address type; a protocol load
 * records a transport-layer dependency.
 */
static int nft_payload_offload_ip(struct nft_offload_ctx *ctx,
				  struct nft_flow_rule *flow,
				  const struct nft_payload *priv)
{
	struct nft_offload_reg *reg = &ctx->regs[priv->dreg];

	switch (priv->offset) {
	case offsetof(struct iphdr, saddr):
	case offsetof(struct iphdr, daddr):
		if (!nft_payload_offload_mask(reg, priv->len,
					      sizeof(struct in_addr)))
			return -EOPNOTSUPP;

		/* NFT_OFFLOAD_MATCH expands to several statements: keep braces. */
		if (priv->offset == offsetof(struct iphdr, saddr)) {
			NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_IPV4_ADDRS, ipv4,
					  src, sizeof(struct in_addr), reg);
		} else {
			NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_IPV4_ADDRS, ipv4,
					  dst, sizeof(struct in_addr), reg);
		}
		nft_flow_rule_set_addr_type(flow, FLOW_DISSECTOR_KEY_IPV4_ADDRS);
		break;
	case offsetof(struct iphdr, protocol):
		if (!nft_payload_offload_mask(reg, priv->len, sizeof(__u8)))
			return -EOPNOTSUPP;

		NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_BASIC, basic, ip_proto,
				  sizeof(__u8), reg);
		nft_offload_set_dependency(ctx, NFT_OFFLOAD_DEP_TRANSPORT);
		break;
	default:
		return -EOPNOTSUPP;
	}

	return 0;
}
302 | ||
/* Offload an IPv6 header load: source/destination address or the nexthdr
 * byte. Mirrors nft_payload_offload_ip() for the IPv6 header layout.
 */
static int nft_payload_offload_ip6(struct nft_offload_ctx *ctx,
				   struct nft_flow_rule *flow,
				   const struct nft_payload *priv)
{
	struct nft_offload_reg *reg = &ctx->regs[priv->dreg];
	bool is_addr = false;

	switch (priv->offset) {
	case offsetof(struct ipv6hdr, saddr):
		if (!nft_payload_offload_mask(reg, priv->len,
					      sizeof(struct in6_addr)))
			return -EOPNOTSUPP;

		NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_IPV6_ADDRS, ipv6, src,
				  sizeof(struct in6_addr), reg);
		is_addr = true;
		break;
	case offsetof(struct ipv6hdr, daddr):
		if (!nft_payload_offload_mask(reg, priv->len,
					      sizeof(struct in6_addr)))
			return -EOPNOTSUPP;

		NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_IPV6_ADDRS, ipv6, dst,
				  sizeof(struct in6_addr), reg);
		is_addr = true;
		break;
	case offsetof(struct ipv6hdr, nexthdr):
		if (!nft_payload_offload_mask(reg, priv->len, sizeof(__u8)))
			return -EOPNOTSUPP;

		NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_BASIC, basic, ip_proto,
				  sizeof(__u8), reg);
		nft_offload_set_dependency(ctx, NFT_OFFLOAD_DEP_TRANSPORT);
		break;
	default:
		return -EOPNOTSUPP;
	}

	/* Address matches additionally tell the flow which address family it is. */
	if (is_addr)
		nft_flow_rule_set_addr_type(flow, FLOW_DISSECTOR_KEY_IPV6_ADDRS);

	return 0;
}
342 | ||
/* Offload a network-header load, dispatching on the L3 protocol that
 * earlier expressions recorded in ctx->dep.l3num.
 * Returns -EOPNOTSUPP when the family is neither IPv4 nor IPv6.
 */
static int nft_payload_offload_nh(struct nft_offload_ctx *ctx,
				  struct nft_flow_rule *flow,
				  const struct nft_payload *priv)
{
	__be16 l3num = ctx->dep.l3num;

	if (l3num == htons(ETH_P_IP))
		return nft_payload_offload_ip(ctx, flow, priv);
	if (l3num == htons(ETH_P_IPV6))
		return nft_payload_offload_ip6(ctx, flow, priv);

	return -EOPNOTSUPP;
}
362 | ||
/* Offload a TCP header load of the source or destination port. */
static int nft_payload_offload_tcp(struct nft_offload_ctx *ctx,
				   struct nft_flow_rule *flow,
				   const struct nft_payload *priv)
{
	struct nft_offload_reg *reg = &ctx->regs[priv->dreg];
	u32 off = priv->offset;
	bool is_src = off == offsetof(struct tcphdr, source);

	if (!is_src && off != offsetof(struct tcphdr, dest))
		return -EOPNOTSUPP;

	if (!nft_payload_offload_mask(reg, priv->len, sizeof(__be16)))
		return -EOPNOTSUPP;

	/* NFT_OFFLOAD_MATCH expands to several statements: keep braces. */
	if (is_src) {
		NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_PORTS, tp, src,
				  sizeof(__be16), reg);
	} else {
		NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_PORTS, tp, dst,
				  sizeof(__be16), reg);
	}

	return 0;
}
390 | ||
/* Offload a UDP header load of the source or destination port.
 * Same shape as nft_payload_offload_tcp(), keyed on struct udphdr.
 */
static int nft_payload_offload_udp(struct nft_offload_ctx *ctx,
				   struct nft_flow_rule *flow,
				   const struct nft_payload *priv)
{
	struct nft_offload_reg *reg = &ctx->regs[priv->dreg];
	u32 off = priv->offset;
	bool is_src = off == offsetof(struct udphdr, source);

	if (!is_src && off != offsetof(struct udphdr, dest))
		return -EOPNOTSUPP;

	if (!nft_payload_offload_mask(reg, priv->len, sizeof(__be16)))
		return -EOPNOTSUPP;

	/* NFT_OFFLOAD_MATCH expands to several statements: keep braces. */
	if (is_src) {
		NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_PORTS, tp, src,
				  sizeof(__be16), reg);
	} else {
		NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_PORTS, tp, dst,
				  sizeof(__be16), reg);
	}

	return 0;
}
418 | ||
/* Offload a transport-header load, dispatching on the L4 protocol that
 * earlier expressions recorded in ctx->dep.protonum.
 * Returns -EOPNOTSUPP for anything other than TCP or UDP.
 */
static int nft_payload_offload_th(struct nft_offload_ctx *ctx,
				  struct nft_flow_rule *flow,
				  const struct nft_payload *priv)
{
	if (ctx->dep.protonum == IPPROTO_TCP)
		return nft_payload_offload_tcp(ctx, flow, priv);
	if (ctx->dep.protonum == IPPROTO_UDP)
		return nft_payload_offload_udp(ctx, flow, priv);

	return -EOPNOTSUPP;
}
438 | ||
/* Offload entry point for payload loads: route to the per-base helper.
 * Returns 0 or -EOPNOTSUPP (directly or from the helper).
 */
static int nft_payload_offload(struct nft_offload_ctx *ctx,
			       struct nft_flow_rule *flow,
			       const struct nft_expr *expr)
{
	const struct nft_payload *priv = nft_expr_priv(expr);

	if (priv->base == NFT_PAYLOAD_LL_HEADER)
		return nft_payload_offload_ll(ctx, flow, priv);
	if (priv->base == NFT_PAYLOAD_NETWORK_HEADER)
		return nft_payload_offload_nh(ctx, flow, priv);
	if (priv->base == NFT_PAYLOAD_TRANSPORT_HEADER)
		return nft_payload_offload_th(ctx, flow, priv);

	return -EOPNOTSUPP;
}
462 | ||
/* Generic payload load. */
static const struct nft_expr_ops nft_payload_ops = {
	.type		= &nft_payload_type,
	.size		= NFT_EXPR_SIZE(sizeof(struct nft_payload)),
	.eval		= nft_payload_eval,
	.init		= nft_payload_init,
	.dump		= nft_payload_dump,
	.offload	= nft_payload_offload,
};

/* Selected by nft_payload_select_ops() for small aligned loads; not static
 * because it is referenced outside this file (presumably by the core fast
 * path). The ops themselves are identical to nft_payload_ops.
 */
const struct nft_expr_ops nft_payload_fast_ops = {
	.type		= &nft_payload_type,
	.size		= NFT_EXPR_SIZE(sizeof(struct nft_payload)),
	.eval		= nft_payload_eval,
	.init		= nft_payload_init,
	.dump		= nft_payload_dump,
	.offload	= nft_payload_offload,
};
480 | ||
/* Update a folded internet checksum in place after the covered bytes with
 * partial sum @fsum were replaced by bytes with partial sum @tsum.
 * A zero result is replaced by CSUM_MANGLED_0, as done elsewhere in the
 * stack, because 0 is reserved (UDP uses it for "no checksum").
 */
static inline void nft_csum_replace(__sum16 *sum, __wsum fsum, __wsum tsum)
{
	__wsum unfolded = ~csum_unfold(*sum);
	__sum16 folded = csum_fold(csum_add(csum_sub(unfolded, fsum), tsum));

	*sum = folded ? folded : CSUM_MANGLED_0;
}
487 | ||
/* Tell whether the UDP header at @thoff carries a checksum.
 * Returns false for a zero check field and also when the header cannot
 * be read (short packet), so callers skip the update in both cases.
 */
static bool nft_payload_udp_checksum(struct sk_buff *skb, unsigned int thoff)
{
	struct udphdr _uh;
	const struct udphdr *uh = skb_header_pointer(skb, thoff, sizeof(_uh),
						     &_uh);

	return uh ? (__force bool)uh->check : false;
}
498 | ||
/* Locate the layer 4 checksum field of the packet.
 *
 * @pkt:           packet info (transport protocol and header offset)
 * @skb:           packet, read to inspect the UDP check field
 * @l4csum_offset: on success, absolute offset of the checksum field
 *
 * Returns 0 on success, -1 when the protocol has no checksum this code
 * knows about or a UDP packet carries no checksum; @l4csum_offset is
 * untouched in that case.
 */
static int nft_payload_l4csum_offset(const struct nft_pktinfo *pkt,
				     struct sk_buff *skb,
				     unsigned int *l4csum_offset)
{
	unsigned int field;

	if (pkt->tprot == IPPROTO_TCP) {
		field = offsetof(struct tcphdr, check);
	} else if (pkt->tprot == IPPROTO_UDP) {
		/* A zero UDP checksum means none is present: nothing to fix. */
		if (!nft_payload_udp_checksum(skb, pkt->xt.thoff))
			return -1;
		field = offsetof(struct udphdr, check);
	} else if (pkt->tprot == IPPROTO_UDPLITE) {
		field = offsetof(struct udphdr, check);
	} else if (pkt->tprot == IPPROTO_ICMPV6) {
		field = offsetof(struct icmp6hdr, icmp6_cksum);
	} else {
		return -1;
	}

	*l4csum_offset = pkt->xt.thoff + field;
	return 0;
}
524 | ||
/* Recompute the SCTP checksum of the header at @offset.
 * Returns -1 if the header cannot be made writable, 0 otherwise.
 */
static int nft_payload_csum_sctp(struct sk_buff *skb, int offset)
{
	struct sctphdr *sh;
	int err = skb_ensure_writable(skb, offset + sizeof(*sh));

	if (err)
		return -1;

	sh = (struct sctphdr *)(skb->data + offset);
	sh->checksum = sctp_compute_cksum(skb, offset);
	/* The checksum was just recomputed; no later verification needed. */
	skb->ip_summed = CHECKSUM_UNNECESSARY;
	return 0;
}
537 | ||
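/* Adjust the layer 4 checksum after payload bytes with partial sum @fsum
 * were replaced by bytes with partial sum @tsum.
 *
 * Returns 0 when the packet needs no update or was updated, -1 when the
 * checksum field could not be read or written.
 */
static int nft_payload_l4csum_update(const struct nft_pktinfo *pkt,
				     struct sk_buff *skb,
				     __wsum fsum, __wsum tsum)
{
	/* unsigned int to match the pointer type nft_payload_l4csum_offset()
	 * takes; the former int local was passed through a mismatched
	 * pointer type.
	 */
	unsigned int l4csum_offset;
	__sum16 sum;

	/* If we cannot determine layer 4 checksum offset or this packet doesn't
	 * require layer 4 checksum recalculation, skip this packet.
	 */
	if (nft_payload_l4csum_offset(pkt, skb, &l4csum_offset) < 0)
		return 0;

	if (skb_copy_bits(skb, l4csum_offset, &sum, sizeof(sum)) < 0)
		return -1;

	/* Checksum mangling for an arbitrary amount of bytes, based on
	 * inet_proto_csum_replace*() functions.
	 */
	if (skb->ip_summed != CHECKSUM_PARTIAL) {
		nft_csum_replace(&sum, fsum, tsum);
		if (skb->ip_summed == CHECKSUM_COMPLETE) {
			/* Keep the receive-side full checksum consistent too. */
			skb->csum = ~csum_add(csum_sub(~(skb->csum), fsum),
					      tsum);
		}
	} else {
		/* CHECKSUM_PARTIAL: adjust the stored value without the
		 * zero substitution nft_csum_replace() applies.
		 */
		sum = ~csum_fold(csum_add(csum_sub(csum_unfold(sum), fsum),
					  tsum));
	}

	if (skb_ensure_writable(skb, l4csum_offset + sizeof(sum)) ||
	    skb_store_bits(skb, l4csum_offset, &sum, sizeof(sum)) < 0)
		return -1;

	return 0;
}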
574 | ||
/* Update the internet checksum at @csum_offset after a payload change.
 * @src is not used here; the caller already folded it into @tsum.
 * Returns -1 if the field cannot be read or written, 0 otherwise.
 */
static int nft_payload_csum_inet(struct sk_buff *skb, const u32 *src,
				 __wsum fsum, __wsum tsum, int csum_offset)
{
	__sum16 sum;

	if (skb_copy_bits(skb, csum_offset, &sum, sizeof(sum)) < 0)
		return -1;

	nft_csum_replace(&sum, fsum, tsum);

	if (skb_ensure_writable(skb, csum_offset + sizeof(sum)))
		return -1;
	if (skb_store_bits(skb, csum_offset, &sum, sizeof(sum)) < 0)
		return -1;

	return 0;
}
590 | ||
/* Write priv->len bytes from source register priv->sreg into the packet at
 * priv->offset of the selected header, fixing checksums as configured.
 *
 * Order matters: the old and new partial sums are computed before the
 * bytes are stored, the internet/L4 checksums are patched from those sums,
 * and the SCTP checksum is recomputed afterwards over the new contents.
 * Any failure sets the verdict to NFT_BREAK.
 */
static void nft_payload_set_eval(const struct nft_expr *expr,
				 struct nft_regs *regs,
				 const struct nft_pktinfo *pkt)
{
	const struct nft_payload_set *priv = nft_expr_priv(expr);
	struct sk_buff *skb = pkt->skb;
	const u32 *src = &regs->data[priv->sreg];
	int base_off, offset, csum_offset;
	__wsum fsum, tsum;
	bool fix_csum;

	if (priv->base == NFT_PAYLOAD_LL_HEADER) {
		if (!skb_mac_header_was_set(skb))
			goto err;
		base_off = skb_mac_header(skb) - skb->data;
	} else if (priv->base == NFT_PAYLOAD_NETWORK_HEADER) {
		base_off = skb_network_offset(skb);
	} else if (priv->base == NFT_PAYLOAD_TRANSPORT_HEADER) {
		if (!pkt->tprot_set)
			goto err;
		base_off = pkt->xt.thoff;
	} else {
		/* Bases are validated in nft_payload_select_ops(). */
		BUG();
	}

	/* Both offsets are relative to the selected header. */
	csum_offset = base_off + priv->csum_offset;
	offset = base_off + priv->offset;

	/* Checksums are patched in software unless the transport checksum
	 * is still pending completion (CHECKSUM_PARTIAL).
	 */
	fix_csum = (priv->csum_type == NFT_PAYLOAD_CSUM_INET ||
		    priv->csum_flags) &&
		   (priv->base != NFT_PAYLOAD_TRANSPORT_HEADER ||
		    skb->ip_summed != CHECKSUM_PARTIAL);
	if (fix_csum) {
		fsum = skb_checksum(skb, offset, priv->len, 0);
		tsum = csum_partial(src, priv->len, 0);

		if (priv->csum_type == NFT_PAYLOAD_CSUM_INET &&
		    nft_payload_csum_inet(skb, src, fsum, tsum, csum_offset))
			goto err;

		if (priv->csum_flags &&
		    nft_payload_l4csum_update(pkt, skb, fsum, tsum) < 0)
			goto err;
	}

	if (skb_ensure_writable(skb, max(offset + priv->len, 0)) ||
	    skb_store_bits(skb, offset, src, priv->len) < 0)
		goto err;

	if (priv->csum_type == NFT_PAYLOAD_CSUM_SCTP &&
	    pkt->tprot == IPPROTO_SCTP &&
	    skb->ip_summed != CHECKSUM_PARTIAL &&
	    nft_payload_csum_sctp(skb, pkt->xt.thoff))
		goto err;

	return;
err:
	regs->verdict.code = NFT_BREAK;
}
652 | ||
/* Initialise a payload store expression from its netlink attributes.
 * BASE, OFFSET and LEN are guaranteed present by nft_payload_select_ops();
 * the checksum attributes are optional.
 *
 * Returns -EINVAL for unknown checksum flags or an SCTP checksum request
 * outside the transport header / at the wrong offset, -EOPNOTSUPP for an
 * unknown checksum type, otherwise the result of nft_parse_register_load().
 */
static int nft_payload_set_init(const struct nft_ctx *ctx,
				const struct nft_expr *expr,
				const struct nlattr * const tb[])
{
	struct nft_payload_set *priv = nft_expr_priv(expr);
	const struct nlattr *attr;

	/* NOTE(review): stored without a range check; if the priv fields are
	 * narrower than u32 the values are silently truncated — confirm
	 * against struct nft_payload_set.
	 */
	priv->base = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_BASE]));
	priv->offset = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_OFFSET]));
	priv->len = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_LEN]));

	attr = tb[NFTA_PAYLOAD_CSUM_TYPE];
	if (attr)
		priv->csum_type = ntohl(nla_get_be32(attr));

	attr = tb[NFTA_PAYLOAD_CSUM_OFFSET];
	if (attr)
		priv->csum_offset = ntohl(nla_get_be32(attr));

	attr = tb[NFTA_PAYLOAD_CSUM_FLAGS];
	if (attr) {
		u32 flags = ntohl(nla_get_be32(attr));

		/* Only the pseudo-header flag is defined; reject the rest. */
		if (flags & ~NFT_PAYLOAD_L4CSUM_PSEUDOHDR)
			return -EINVAL;

		priv->csum_flags = flags;
	}

	if (priv->csum_type == NFT_PAYLOAD_CSUM_SCTP) {
		if (priv->base != NFT_PAYLOAD_TRANSPORT_HEADER)
			return -EINVAL;
		if (priv->csum_offset != offsetof(struct sctphdr, checksum))
			return -EINVAL;
	} else if (priv->csum_type != NFT_PAYLOAD_CSUM_NONE &&
		   priv->csum_type != NFT_PAYLOAD_CSUM_INET) {
		return -EOPNOTSUPP;
	}

	return nft_parse_register_load(tb[NFTA_PAYLOAD_SREG], &priv->sreg,
				       priv->len);
}
697 | ||
/* Dump a payload store expression to netlink, checksum attributes included.
 * Returns 0 on success, -1 if the message ran out of room.
 */
static int nft_payload_set_dump(struct sk_buff *skb, const struct nft_expr *expr)
{
	const struct nft_payload_set *priv = nft_expr_priv(expr);
	bool failed;

	/* Short-circuits on the first attribute that does not fit. */
	failed = nft_dump_register(skb, NFTA_PAYLOAD_SREG, priv->sreg) ||
		 nla_put_be32(skb, NFTA_PAYLOAD_BASE, htonl(priv->base)) ||
		 nla_put_be32(skb, NFTA_PAYLOAD_OFFSET, htonl(priv->offset)) ||
		 nla_put_be32(skb, NFTA_PAYLOAD_LEN, htonl(priv->len)) ||
		 nla_put_be32(skb, NFTA_PAYLOAD_CSUM_TYPE,
			      htonl(priv->csum_type)) ||
		 nla_put_be32(skb, NFTA_PAYLOAD_CSUM_OFFSET,
			      htonl(priv->csum_offset)) ||
		 nla_put_be32(skb, NFTA_PAYLOAD_CSUM_FLAGS,
			      htonl(priv->csum_flags));

	return failed ? -1 : 0;
}
716 | ||
/* Payload store (mangle). No .offload: stores are not offloadable here. */
static const struct nft_expr_ops nft_payload_set_ops = {
	.type	= &nft_payload_type,
	.size	= NFT_EXPR_SIZE(sizeof(struct nft_payload_set)),
	.eval	= nft_payload_set_eval,
	.init	= nft_payload_set_init,
	.dump	= nft_payload_set_dump,
};
724 | ||
/* Pick the ops for a payload expression from its attributes.
 *
 * BASE, OFFSET and LEN are mandatory and BASE must be one of the three
 * known headers. Exactly one of SREG (store) and DREG (load) must be
 * present. Loads of at most 4 naturally aligned, power-of-two bytes from a
 * non link-layer base get nft_payload_fast_ops; everything else gets
 * nft_payload_ops.
 *
 * Returns an ERR_PTR(-EINVAL / -EOPNOTSUPP) on invalid input.
 */
static const struct nft_expr_ops *
nft_payload_select_ops(const struct nft_ctx *ctx,
		       const struct nlattr * const tb[])
{
	const struct nlattr *base_attr = tb[NFTA_PAYLOAD_BASE];
	const struct nlattr *off_attr = tb[NFTA_PAYLOAD_OFFSET];
	const struct nlattr *len_attr = tb[NFTA_PAYLOAD_LEN];
	bool has_sreg = tb[NFTA_PAYLOAD_SREG] != NULL;
	bool has_dreg = tb[NFTA_PAYLOAD_DREG] != NULL;
	enum nft_payload_bases base;
	unsigned int offset, len;

	if (!base_attr || !off_attr || !len_attr)
		return ERR_PTR(-EINVAL);

	base = ntohl(nla_get_be32(base_attr));
	if (base != NFT_PAYLOAD_LL_HEADER &&
	    base != NFT_PAYLOAD_NETWORK_HEADER &&
	    base != NFT_PAYLOAD_TRANSPORT_HEADER)
		return ERR_PTR(-EOPNOTSUPP);

	if (has_sreg) {
		if (has_dreg)
			return ERR_PTR(-EINVAL);
		return &nft_payload_set_ops;
	}

	if (!has_dreg)
		return ERR_PTR(-EINVAL);

	offset = ntohl(nla_get_be32(off_attr));
	len = ntohl(nla_get_be32(len_attr));

	if (len <= 4 && is_power_of_2(len) && IS_ALIGNED(offset, len) &&
	    base != NFT_PAYLOAD_LL_HEADER)
		return &nft_payload_fast_ops;

	return &nft_payload_ops;
}
765 | ||
/* Expression type "payload": ops are chosen per instance by
 * nft_payload_select_ops(), attributes validated by nft_payload_policy.
 */
struct nft_expr_type nft_payload_type __read_mostly = {
	.name		= "payload",
	.select_ops	= nft_payload_select_ops,
	.policy		= nft_payload_policy,
	.maxattr	= NFTA_PAYLOAD_MAX,
	.owner		= THIS_MODULE,
};