]> git.proxmox.com Git - mirror_ubuntu-jammy-kernel.git/blob - net/ipv6/netfilter/nft_fib_ipv6.c
projects / mirror_ubuntu-jammy-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel...
[mirror_ubuntu-jammy-kernel.git] / net / ipv6 / netfilter / nft_fib_ipv6.c
1 /*
2 * This program is free software; you can redistribute it and/or modify
3 * it under the terms of the GNU General Public License version 2 as
4 * published by the Free Software Foundation.
5 */
6
7 #include <linux/kernel.h>
8 #include <linux/init.h>
9 #include <linux/module.h>
10 #include <linux/netlink.h>
11 #include <linux/netfilter.h>
12 #include <linux/netfilter/nf_tables.h>
13 #include <linux/netfilter_ipv6.h>
14 #include <net/netfilter/nf_tables_core.h>
15 #include <net/netfilter/nf_tables.h>
16 #include <net/netfilter/nft_fib.h>
17
18 #include <net/ip6_fib.h>
19 #include <net/ip6_route.h>
20
21 static int get_ifindex(const struct net_device *dev)
22 {
23 return dev ? dev->ifindex : 0;
24 }
25
26 static int nft_fib6_flowi_init(struct flowi6 *fl6, const struct nft_fib *priv,
27 const struct nft_pktinfo *pkt,
28 const struct net_device *dev,
29 struct ipv6hdr *iph)
30 {
31 int lookup_flags = 0;
32
33 if (priv->flags & NFTA_FIB_F_DADDR) {
34 fl6->daddr = iph->daddr;
35 fl6->saddr = iph->saddr;
36 } else {
37 fl6->daddr = iph->saddr;
38 fl6->saddr = iph->daddr;
39 }
40
41 if (ipv6_addr_type(&fl6->daddr) & IPV6_ADDR_LINKLOCAL) {
42 lookup_flags |= RT6_LOOKUP_F_IFACE;
43 fl6->flowi6_oif = get_ifindex(dev ? dev : pkt->skb->dev);
44 }
45
46 if (ipv6_addr_type(&fl6->saddr) & IPV6_ADDR_UNICAST)
47 lookup_flags |= RT6_LOOKUP_F_HAS_SADDR;
48
49 if (priv->flags & NFTA_FIB_F_MARK)
50 fl6->flowi6_mark = pkt->skb->mark;
51
52 fl6->flowlabel = (*(__be32 *)iph) & IPV6_FLOWINFO_MASK;
53
54 return lookup_flags;
55 }
56
57 static u32 __nft_fib6_eval_type(const struct nft_fib *priv,
58 const struct nft_pktinfo *pkt,
59 struct ipv6hdr *iph)
60 {
61 const struct net_device *dev = NULL;
62 int route_err, addrtype;
63 struct rt6_info *rt;
64 struct flowi6 fl6 = {
65 .flowi6_iif = LOOPBACK_IFINDEX,
66 .flowi6_proto = pkt->tprot,
67 };
68 u32 ret = 0;
69
70 if (priv->flags & NFTA_FIB_F_IIF)
71 dev = nft_in(pkt);
72 else if (priv->flags & NFTA_FIB_F_OIF)
73 dev = nft_out(pkt);
74
75 nft_fib6_flowi_init(&fl6, priv, pkt, dev, iph);
76
77 if (dev && nf_ipv6_chk_addr(nft_net(pkt), &fl6.daddr, dev, true))
78 ret = RTN_LOCAL;
79
80 route_err = nf_ip6_route(nft_net(pkt), (struct dst_entry **)&rt,
81 flowi6_to_flowi(&fl6), false);
82 if (route_err)
83 goto err;
84
85 if (rt->rt6i_flags & RTF_REJECT) {
86 route_err = rt->dst.error;
87 dst_release(&rt->dst);
88 goto err;
89 }
90
91 if (ipv6_anycast_destination((struct dst_entry *)rt, &fl6.daddr))
92 ret = RTN_ANYCAST;
93 else if (!dev && rt->rt6i_flags & RTF_LOCAL)
94 ret = RTN_LOCAL;
95
96 dst_release(&rt->dst);
97
98 if (ret)
99 return ret;
100
101 addrtype = ipv6_addr_type(&fl6.daddr);
102
103 if (addrtype & IPV6_ADDR_MULTICAST)
104 return RTN_MULTICAST;
105 if (addrtype & IPV6_ADDR_UNICAST)
106 return RTN_UNICAST;
107
108 return RTN_UNSPEC;
109 err:
110 switch (route_err) {
111 case -EINVAL:
112 return RTN_BLACKHOLE;
113 case -EACCES:
114 return RTN_PROHIBIT;
115 case -EAGAIN:
116 return RTN_THROW;
117 default:
118 break;
119 }
120
121 return RTN_UNREACHABLE;
122 }
123
124 void nft_fib6_eval_type(const struct nft_expr *expr, struct nft_regs *regs,
125 const struct nft_pktinfo *pkt)
126 {
127 const struct nft_fib *priv = nft_expr_priv(expr);
128 int noff = skb_network_offset(pkt->skb);
129 u32 *dest = &regs->data[priv->dreg];
130 struct ipv6hdr *iph, _iph;
131
132 iph = skb_header_pointer(pkt->skb, noff, sizeof(_iph), &_iph);
133 if (!iph) {
134 regs->verdict.code = NFT_BREAK;
135 return;
136 }
137
138 *dest = __nft_fib6_eval_type(priv, pkt, iph);
139 }
140 EXPORT_SYMBOL_GPL(nft_fib6_eval_type);
141
142 void nft_fib6_eval(const struct nft_expr *expr, struct nft_regs *regs,
143 const struct nft_pktinfo *pkt)
144 {
145 const struct nft_fib *priv = nft_expr_priv(expr);
146 int noff = skb_network_offset(pkt->skb);
147 const struct net_device *oif = NULL;
148 u32 *dest = &regs->data[priv->dreg];
149 struct ipv6hdr *iph, _iph;
150 struct flowi6 fl6 = {
151 .flowi6_iif = LOOPBACK_IFINDEX,
152 .flowi6_proto = pkt->tprot,
153 };
154 struct rt6_info *rt;
155 int lookup_flags;
156
157 if (priv->flags & NFTA_FIB_F_IIF)
158 oif = nft_in(pkt);
159 else if (priv->flags & NFTA_FIB_F_OIF)
160 oif = nft_out(pkt);
161
162 iph = skb_header_pointer(pkt->skb, noff, sizeof(_iph), &_iph);
163 if (!iph) {
164 regs->verdict.code = NFT_BREAK;
165 return;
166 }
167
168 lookup_flags = nft_fib6_flowi_init(&fl6, priv, pkt, oif, iph);
169
170 if (nft_hook(pkt) == NF_INET_PRE_ROUTING &&
171 nft_fib_is_loopback(pkt->skb, nft_in(pkt))) {
172 nft_fib_store_result(dest, priv, nft_in(pkt));
173 return;
174 }
175
176 *dest = 0;
177 rt = (void *)ip6_route_lookup(nft_net(pkt), &fl6, pkt->skb,
178 lookup_flags);
179 if (rt->dst.error)
180 goto put_rt_err;
181
182 /* Should not see RTF_LOCAL here */
183 if (rt->rt6i_flags & (RTF_REJECT | RTF_ANYCAST | RTF_LOCAL))
184 goto put_rt_err;
185
186 if (oif && oif != rt->rt6i_idev->dev)
187 goto put_rt_err;
188
189 nft_fib_store_result(dest, priv, rt->rt6i_idev->dev);
190 put_rt_err:
191 ip6_rt_put(rt);
192 }
193 EXPORT_SYMBOL_GPL(nft_fib6_eval);
194
195 static struct nft_expr_type nft_fib6_type;
196
197 static const struct nft_expr_ops nft_fib6_type_ops = {
198 .type = &nft_fib6_type,
199 .size = NFT_EXPR_SIZE(sizeof(struct nft_fib)),
200 .eval = nft_fib6_eval_type,
201 .init = nft_fib_init,
202 .dump = nft_fib_dump,
203 .validate = nft_fib_validate,
204 };
205
206 static const struct nft_expr_ops nft_fib6_ops = {
207 .type = &nft_fib6_type,
208 .size = NFT_EXPR_SIZE(sizeof(struct nft_fib)),
209 .eval = nft_fib6_eval,
210 .init = nft_fib_init,
211 .dump = nft_fib_dump,
212 .validate = nft_fib_validate,
213 };
214
215 static const struct nft_expr_ops *
216 nft_fib6_select_ops(const struct nft_ctx *ctx,
217 const struct nlattr * const tb[])
218 {
219 enum nft_fib_result result;
220
221 if (!tb[NFTA_FIB_RESULT])
222 return ERR_PTR(-EINVAL);
223
224 result = ntohl(nla_get_be32(tb[NFTA_FIB_RESULT]));
225
226 switch (result) {
227 case NFT_FIB_RESULT_OIF:
228 return &nft_fib6_ops;
229 case NFT_FIB_RESULT_OIFNAME:
230 return &nft_fib6_ops;
231 case NFT_FIB_RESULT_ADDRTYPE:
232 return &nft_fib6_type_ops;
233 default:
234 return ERR_PTR(-EOPNOTSUPP);
235 }
236 }
237
238 static struct nft_expr_type nft_fib6_type __read_mostly = {
239 .name = "fib",
240 .select_ops = nft_fib6_select_ops,
241 .policy = nft_fib_policy,
242 .maxattr = NFTA_FIB_MAX,
243 .family = NFPROTO_IPV6,
244 .owner = THIS_MODULE,
245 };
246
247 static int __init nft_fib6_module_init(void)
248 {
249 return nft_register_expr(&nft_fib6_type);
250 }
251
252 static void __exit nft_fib6_module_exit(void)
253 {
254 nft_unregister_expr(&nft_fib6_type);
255 }
256 module_init(nft_fib6_module_init);
257 module_exit(nft_fib6_module_exit);
258
259 MODULE_LICENSE("GPL");
260 MODULE_AUTHOR("Florian Westphal <fw@strlen.de>");
261 MODULE_ALIAS_NFT_AF_EXPR(10, "fib");
Ubuntu Jammy Linux kernel mirror