]> git.proxmox.com Git - mirror_ubuntu-jammy-kernel.git/blob - net/netfilter/nft_flow_offload.c
projects / mirror_ubuntu-jammy-kernel.git / blob
? search:


651364d93efd5d3fb556996affe537e4f544b6cd
[mirror_ubuntu-jammy-kernel.git] / net / netfilter / nft_flow_offload.c
1 // SPDX-License-Identifier: GPL-2.0-only
2 #include <linux/kernel.h>
3 #include <linux/module.h>
4 #include <linux/init.h>
5 #include <linux/netlink.h>
6 #include <linux/netfilter.h>
7 #include <linux/workqueue.h>
8 #include <linux/spinlock.h>
9 #include <linux/netfilter/nf_conntrack_common.h>
10 #include <linux/netfilter/nf_tables.h>
11 #include <net/ip.h> /* for ipv4 options. */
12 #include <net/netfilter/nf_tables.h>
13 #include <net/netfilter/nf_tables_core.h>
14 #include <net/netfilter/nf_conntrack_core.h>
15 #include <net/netfilter/nf_conntrack_extend.h>
16 #include <net/netfilter/nf_flow_table.h>
17
18 struct nft_flow_offload {
19 struct nft_flowtable *flowtable;
20 };
21
22 static enum flow_offload_xmit_type nft_xmit_type(struct dst_entry *dst)
23 {
24 if (dst_xfrm(dst))
25 return FLOW_OFFLOAD_XMIT_XFRM;
26
27 return FLOW_OFFLOAD_XMIT_NEIGH;
28 }
29
30 static void nft_default_forward_path(struct nf_flow_route *route,
31 struct dst_entry *dst_cache,
32 enum ip_conntrack_dir dir)
33 {
34 route->tuple[!dir].in.ifindex = dst_cache->dev->ifindex;
35 route->tuple[dir].dst = dst_cache;
36 route->tuple[dir].xmit_type = nft_xmit_type(dst_cache);
37 }
38
39 static int nft_dev_fill_forward_path(const struct nf_flow_route *route,
40 const struct dst_entry *dst_cache,
41 const struct nf_conn *ct,
42 enum ip_conntrack_dir dir, u8 *ha,
43 struct net_device_path_stack *stack)
44 {
45 const void *daddr = &ct->tuplehash[!dir].tuple.src.u3;
46 struct net_device *dev = dst_cache->dev;
47 struct neighbour *n;
48 u8 nud_state;
49
50 n = dst_neigh_lookup(dst_cache, daddr);
51 if (!n)
52 return -1;
53
54 read_lock_bh(&n->lock);
55 nud_state = n->nud_state;
56 ether_addr_copy(ha, n->ha);
57 read_unlock_bh(&n->lock);
58 neigh_release(n);
59
60 if (!(nud_state & NUD_VALID))
61 return -1;
62
63 return dev_fill_forward_path(dev, ha, stack);
64 }
65
66 struct nft_forward_info {
67 const struct net_device *indev;
68 const struct net_device *outdev;
69 struct id {
70 __u16 id;
71 __be16 proto;
72 } encap[NF_FLOW_TABLE_ENCAP_MAX];
73 u8 num_encaps;
74 u8 h_source[ETH_ALEN];
75 u8 h_dest[ETH_ALEN];
76 enum flow_offload_xmit_type xmit_type;
77 };
78
79 static void nft_dev_path_info(const struct net_device_path_stack *stack,
80 struct nft_forward_info *info,
81 unsigned char *ha)
82 {
83 const struct net_device_path *path;
84 int i;
85
86 memcpy(info->h_dest, ha, ETH_ALEN);
87
88 for (i = 0; i < stack->num_paths; i++) {
89 path = &stack->path[i];
90 switch (path->type) {
91 case DEV_PATH_ETHERNET:
92 case DEV_PATH_VLAN:
93 info->indev = path->dev;
94 if (is_zero_ether_addr(info->h_source))
95 memcpy(info->h_source, path->dev->dev_addr, ETH_ALEN);
96
97 if (path->type == DEV_PATH_ETHERNET)
98 break;
99
100 /* DEV_PATH_VLAN */
101 if (info->num_encaps >= NF_FLOW_TABLE_ENCAP_MAX) {
102 info->indev = NULL;
103 break;
104 }
105 info->outdev = path->dev;
106 info->encap[info->num_encaps].id = path->encap.id;
107 info->encap[info->num_encaps].proto = path->encap.proto;
108 info->num_encaps++;
109 break;
110 case DEV_PATH_BRIDGE:
111 if (is_zero_ether_addr(info->h_source))
112 memcpy(info->h_source, path->dev->dev_addr, ETH_ALEN);
113
114 switch (path->bridge.vlan_mode) {
115 case DEV_PATH_BR_VLAN_TAG:
116 info->encap[info->num_encaps].id = path->bridge.vlan_id;
117 info->encap[info->num_encaps].proto = path->bridge.vlan_proto;
118 info->num_encaps++;
119 break;
120 case DEV_PATH_BR_VLAN_UNTAG:
121 info->num_encaps--;
122 break;
123 case DEV_PATH_BR_VLAN_KEEP:
124 break;
125 }
126 info->xmit_type = FLOW_OFFLOAD_XMIT_DIRECT;
127 break;
128 default:
129 info->indev = NULL;
130 break;
131 }
132 }
133 if (!info->outdev)
134 info->outdev = info->indev;
135 }
136
137 static bool nft_flowtable_find_dev(const struct net_device *dev,
138 struct nft_flowtable *ft)
139 {
140 struct nft_hook *hook;
141 bool found = false;
142
143 list_for_each_entry_rcu(hook, &ft->hook_list, list) {
144 if (hook->ops.dev != dev)
145 continue;
146
147 found = true;
148 break;
149 }
150
151 return found;
152 }
153
154 static void nft_dev_forward_path(struct nf_flow_route *route,
155 const struct nf_conn *ct,
156 enum ip_conntrack_dir dir,
157 struct nft_flowtable *ft)
158 {
159 const struct dst_entry *dst = route->tuple[dir].dst;
160 struct net_device_path_stack stack;
161 struct nft_forward_info info = {};
162 unsigned char ha[ETH_ALEN];
163 int i;
164
165 if (nft_dev_fill_forward_path(route, dst, ct, dir, ha, &stack) >= 0)
166 nft_dev_path_info(&stack, &info, ha);
167
168 if (!info.indev || !nft_flowtable_find_dev(info.indev, ft))
169 return;
170
171 route->tuple[!dir].in.ifindex = info.indev->ifindex;
172 for (i = 0; i < info.num_encaps; i++) {
173 route->tuple[!dir].in.encap[i].id = info.encap[i].id;
174 route->tuple[!dir].in.encap[i].proto = info.encap[i].proto;
175 }
176 route->tuple[!dir].in.num_encaps = info.num_encaps;
177
178 if (info.xmit_type == FLOW_OFFLOAD_XMIT_DIRECT) {
179 memcpy(route->tuple[dir].out.h_source, info.h_source, ETH_ALEN);
180 memcpy(route->tuple[dir].out.h_dest, info.h_dest, ETH_ALEN);
181 route->tuple[dir].out.ifindex = info.outdev->ifindex;
182 route->tuple[dir].xmit_type = info.xmit_type;
183 }
184 }
185
186 static int nft_flow_route(const struct nft_pktinfo *pkt,
187 const struct nf_conn *ct,
188 struct nf_flow_route *route,
189 enum ip_conntrack_dir dir,
190 struct nft_flowtable *ft)
191 {
192 struct dst_entry *this_dst = skb_dst(pkt->skb);
193 struct dst_entry *other_dst = NULL;
194 struct flowi fl;
195
196 memset(&fl, 0, sizeof(fl));
197 switch (nft_pf(pkt)) {
198 case NFPROTO_IPV4:
199 fl.u.ip4.daddr = ct->tuplehash[dir].tuple.src.u3.ip;
200 fl.u.ip4.flowi4_oif = nft_in(pkt)->ifindex;
201 break;
202 case NFPROTO_IPV6:
203 fl.u.ip6.daddr = ct->tuplehash[dir].tuple.src.u3.in6;
204 fl.u.ip6.flowi6_oif = nft_in(pkt)->ifindex;
205 break;
206 }
207
208 nf_route(nft_net(pkt), &other_dst, &fl, false, nft_pf(pkt));
209 if (!other_dst)
210 return -ENOENT;
211
212 nft_default_forward_path(route, this_dst, dir);
213 nft_default_forward_path(route, other_dst, !dir);
214
215 if (route->tuple[dir].xmit_type == FLOW_OFFLOAD_XMIT_NEIGH &&
216 route->tuple[!dir].xmit_type == FLOW_OFFLOAD_XMIT_NEIGH) {
217 nft_dev_forward_path(route, ct, dir, ft);
218 nft_dev_forward_path(route, ct, !dir, ft);
219 }
220
221 return 0;
222 }
223
224 static bool nft_flow_offload_skip(struct sk_buff *skb, int family)
225 {
226 if (skb_sec_path(skb))
227 return true;
228
229 if (family == NFPROTO_IPV4) {
230 const struct ip_options *opt;
231
232 opt = &(IPCB(skb)->opt);
233
234 if (unlikely(opt->optlen))
235 return true;
236 }
237
238 return false;
239 }
240
241 static void nft_flow_offload_eval(const struct nft_expr *expr,
242 struct nft_regs *regs,
243 const struct nft_pktinfo *pkt)
244 {
245 struct nft_flow_offload *priv = nft_expr_priv(expr);
246 struct nf_flowtable *flowtable = &priv->flowtable->data;
247 struct tcphdr _tcph, *tcph = NULL;
248 struct nf_flow_route route = {};
249 enum ip_conntrack_info ctinfo;
250 struct flow_offload *flow;
251 enum ip_conntrack_dir dir;
252 struct nf_conn *ct;
253 int ret;
254
255 if (nft_flow_offload_skip(pkt->skb, nft_pf(pkt)))
256 goto out;
257
258 ct = nf_ct_get(pkt->skb, &ctinfo);
259 if (!ct)
260 goto out;
261
262 switch (ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum) {
263 case IPPROTO_TCP:
264 tcph = skb_header_pointer(pkt->skb, pkt->xt.thoff,
265 sizeof(_tcph), &_tcph);
266 if (unlikely(!tcph || tcph->fin || tcph->rst))
267 goto out;
268 break;
269 case IPPROTO_UDP:
270 break;
271 default:
272 goto out;
273 }
274
275 if (nf_ct_ext_exist(ct, NF_CT_EXT_HELPER) ||
276 ct->status & (IPS_SEQ_ADJUST | IPS_NAT_CLASH))
277 goto out;
278
279 if (!nf_ct_is_confirmed(ct))
280 goto out;
281
282 if (test_and_set_bit(IPS_OFFLOAD_BIT, &ct->status))
283 goto out;
284
285 dir = CTINFO2DIR(ctinfo);
286 if (nft_flow_route(pkt, ct, &route, dir, priv->flowtable) < 0)
287 goto err_flow_route;
288
289 flow = flow_offload_alloc(ct);
290 if (!flow)
291 goto err_flow_alloc;
292
293 if (flow_offload_route_init(flow, &route) < 0)
294 goto err_flow_add;
295
296 if (tcph) {
297 ct->proto.tcp.seen[0].flags |= IP_CT_TCP_FLAG_BE_LIBERAL;
298 ct->proto.tcp.seen[1].flags |= IP_CT_TCP_FLAG_BE_LIBERAL;
299 }
300
301 ret = flow_offload_add(flowtable, flow);
302 if (ret < 0)
303 goto err_flow_add;
304
305 dst_release(route.tuple[!dir].dst);
306 return;
307
308 err_flow_add:
309 flow_offload_free(flow);
310 err_flow_alloc:
311 dst_release(route.tuple[!dir].dst);
312 err_flow_route:
313 clear_bit(IPS_OFFLOAD_BIT, &ct->status);
314 out:
315 regs->verdict.code = NFT_BREAK;
316 }
317
318 static int nft_flow_offload_validate(const struct nft_ctx *ctx,
319 const struct nft_expr *expr,
320 const struct nft_data **data)
321 {
322 unsigned int hook_mask = (1 << NF_INET_FORWARD);
323
324 return nft_chain_validate_hooks(ctx->chain, hook_mask);
325 }
326
327 static const struct nla_policy nft_flow_offload_policy[NFTA_FLOW_MAX + 1] = {
328 [NFTA_FLOW_TABLE_NAME] = { .type = NLA_STRING,
329 .len = NFT_NAME_MAXLEN - 1 },
330 };
331
332 static int nft_flow_offload_init(const struct nft_ctx *ctx,
333 const struct nft_expr *expr,
334 const struct nlattr * const tb[])
335 {
336 struct nft_flow_offload *priv = nft_expr_priv(expr);
337 u8 genmask = nft_genmask_next(ctx->net);
338 struct nft_flowtable *flowtable;
339
340 if (!tb[NFTA_FLOW_TABLE_NAME])
341 return -EINVAL;
342
343 flowtable = nft_flowtable_lookup(ctx->table, tb[NFTA_FLOW_TABLE_NAME],
344 genmask);
345 if (IS_ERR(flowtable))
346 return PTR_ERR(flowtable);
347
348 priv->flowtable = flowtable;
349 flowtable->use++;
350
351 return nf_ct_netns_get(ctx->net, ctx->family);
352 }
353
354 static void nft_flow_offload_deactivate(const struct nft_ctx *ctx,
355 const struct nft_expr *expr,
356 enum nft_trans_phase phase)
357 {
358 struct nft_flow_offload *priv = nft_expr_priv(expr);
359
360 nf_tables_deactivate_flowtable(ctx, priv->flowtable, phase);
361 }
362
363 static void nft_flow_offload_activate(const struct nft_ctx *ctx,
364 const struct nft_expr *expr)
365 {
366 struct nft_flow_offload *priv = nft_expr_priv(expr);
367
368 priv->flowtable->use++;
369 }
370
371 static void nft_flow_offload_destroy(const struct nft_ctx *ctx,
372 const struct nft_expr *expr)
373 {
374 nf_ct_netns_put(ctx->net, ctx->family);
375 }
376
377 static int nft_flow_offload_dump(struct sk_buff *skb, const struct nft_expr *expr)
378 {
379 struct nft_flow_offload *priv = nft_expr_priv(expr);
380
381 if (nla_put_string(skb, NFTA_FLOW_TABLE_NAME, priv->flowtable->name))
382 goto nla_put_failure;
383
384 return 0;
385
386 nla_put_failure:
387 return -1;
388 }
389
390 static struct nft_expr_type nft_flow_offload_type;
391 static const struct nft_expr_ops nft_flow_offload_ops = {
392 .type = &nft_flow_offload_type,
393 .size = NFT_EXPR_SIZE(sizeof(struct nft_flow_offload)),
394 .eval = nft_flow_offload_eval,
395 .init = nft_flow_offload_init,
396 .activate = nft_flow_offload_activate,
397 .deactivate = nft_flow_offload_deactivate,
398 .destroy = nft_flow_offload_destroy,
399 .validate = nft_flow_offload_validate,
400 .dump = nft_flow_offload_dump,
401 };
402
403 static struct nft_expr_type nft_flow_offload_type __read_mostly = {
404 .name = "flow_offload",
405 .ops = &nft_flow_offload_ops,
406 .policy = nft_flow_offload_policy,
407 .maxattr = NFTA_FLOW_MAX,
408 .owner = THIS_MODULE,
409 };
410
411 static int flow_offload_netdev_event(struct notifier_block *this,
412 unsigned long event, void *ptr)
413 {
414 struct net_device *dev = netdev_notifier_info_to_dev(ptr);
415
416 if (event != NETDEV_DOWN)
417 return NOTIFY_DONE;
418
419 nf_flow_table_cleanup(dev);
420
421 return NOTIFY_DONE;
422 }
423
424 static struct notifier_block flow_offload_netdev_notifier = {
425 .notifier_call = flow_offload_netdev_event,
426 };
427
428 static int __init nft_flow_offload_module_init(void)
429 {
430 int err;
431
432 err = register_netdevice_notifier(&flow_offload_netdev_notifier);
433 if (err)
434 goto err;
435
436 err = nft_register_expr(&nft_flow_offload_type);
437 if (err < 0)
438 goto register_expr;
439
440 return 0;
441
442 register_expr:
443 unregister_netdevice_notifier(&flow_offload_netdev_notifier);
444 err:
445 return err;
446 }
447
448 static void __exit nft_flow_offload_module_exit(void)
449 {
450 nft_unregister_expr(&nft_flow_offload_type);
451 unregister_netdevice_notifier(&flow_offload_netdev_notifier);
452 }
453
454 module_init(nft_flow_offload_module_init);
455 module_exit(nft_flow_offload_module_exit);
456
457 MODULE_LICENSE("GPL");
458 MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
459 MODULE_ALIAS_NFT_EXPR("flow_offload");
460 MODULE_DESCRIPTION("nftables hardware flow offload module");
Ubuntu Jammy Linux kernel mirror