]> git.proxmox.com Git - mirror_ubuntu-hirsute-kernel.git/blob - net/netfilter/nft_fwd_netdev.c
projects / mirror_ubuntu-hirsute-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge tag 'v5.3-rc1' into patchwork
[mirror_ubuntu-hirsute-kernel.git] / net / netfilter / nft_fwd_netdev.c
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3 * Copyright (c) 2015 Pablo Neira Ayuso <pablo@netfilter.org>
4 */
5
6 #include <linux/kernel.h>
7 #include <linux/init.h>
8 #include <linux/module.h>
9 #include <linux/netlink.h>
10 #include <linux/netfilter.h>
11 #include <linux/netfilter/nf_tables.h>
12 #include <linux/ip.h>
13 #include <linux/ipv6.h>
14 #include <net/netfilter/nf_tables.h>
15 #include <net/netfilter/nf_dup_netdev.h>
16 #include <net/neighbour.h>
17 #include <net/ip.h>
18
19 struct nft_fwd_netdev {
20 enum nft_registers sreg_dev:8;
21 };
22
23 static void nft_fwd_netdev_eval(const struct nft_expr *expr,
24 struct nft_regs *regs,
25 const struct nft_pktinfo *pkt)
26 {
27 struct nft_fwd_netdev *priv = nft_expr_priv(expr);
28 int oif = regs->data[priv->sreg_dev];
29
30 nf_fwd_netdev_egress(pkt, oif);
31 regs->verdict.code = NF_STOLEN;
32 }
33
34 static const struct nla_policy nft_fwd_netdev_policy[NFTA_FWD_MAX + 1] = {
35 [NFTA_FWD_SREG_DEV] = { .type = NLA_U32 },
36 [NFTA_FWD_SREG_ADDR] = { .type = NLA_U32 },
37 [NFTA_FWD_NFPROTO] = { .type = NLA_U32 },
38 };
39
40 static int nft_fwd_netdev_init(const struct nft_ctx *ctx,
41 const struct nft_expr *expr,
42 const struct nlattr * const tb[])
43 {
44 struct nft_fwd_netdev *priv = nft_expr_priv(expr);
45
46 if (tb[NFTA_FWD_SREG_DEV] == NULL)
47 return -EINVAL;
48
49 priv->sreg_dev = nft_parse_register(tb[NFTA_FWD_SREG_DEV]);
50 return nft_validate_register_load(priv->sreg_dev, sizeof(int));
51 }
52
53 static int nft_fwd_netdev_dump(struct sk_buff *skb, const struct nft_expr *expr)
54 {
55 struct nft_fwd_netdev *priv = nft_expr_priv(expr);
56
57 if (nft_dump_register(skb, NFTA_FWD_SREG_DEV, priv->sreg_dev))
58 goto nla_put_failure;
59
60 return 0;
61
62 nla_put_failure:
63 return -1;
64 }
65
66 struct nft_fwd_neigh {
67 enum nft_registers sreg_dev:8;
68 enum nft_registers sreg_addr:8;
69 u8 nfproto;
70 };
71
72 static void nft_fwd_neigh_eval(const struct nft_expr *expr,
73 struct nft_regs *regs,
74 const struct nft_pktinfo *pkt)
75 {
76 struct nft_fwd_neigh *priv = nft_expr_priv(expr);
77 void *addr = &regs->data[priv->sreg_addr];
78 int oif = regs->data[priv->sreg_dev];
79 unsigned int verdict = NF_STOLEN;
80 struct sk_buff *skb = pkt->skb;
81 struct net_device *dev;
82 int neigh_table;
83
84 switch (priv->nfproto) {
85 case NFPROTO_IPV4: {
86 struct iphdr *iph;
87
88 if (skb->protocol != htons(ETH_P_IP)) {
89 verdict = NFT_BREAK;
90 goto out;
91 }
92 if (skb_try_make_writable(skb, sizeof(*iph))) {
93 verdict = NF_DROP;
94 goto out;
95 }
96 iph = ip_hdr(skb);
97 ip_decrease_ttl(iph);
98 neigh_table = NEIGH_ARP_TABLE;
99 break;
100 }
101 case NFPROTO_IPV6: {
102 struct ipv6hdr *ip6h;
103
104 if (skb->protocol != htons(ETH_P_IPV6)) {
105 verdict = NFT_BREAK;
106 goto out;
107 }
108 if (skb_try_make_writable(skb, sizeof(*ip6h))) {
109 verdict = NF_DROP;
110 goto out;
111 }
112 ip6h = ipv6_hdr(skb);
113 ip6h->hop_limit--;
114 neigh_table = NEIGH_ND_TABLE;
115 break;
116 }
117 default:
118 verdict = NFT_BREAK;
119 goto out;
120 }
121
122 dev = dev_get_by_index_rcu(nft_net(pkt), oif);
123 if (dev == NULL)
124 return;
125
126 skb->dev = dev;
127 neigh_xmit(neigh_table, dev, addr, skb);
128 out:
129 regs->verdict.code = verdict;
130 }
131
132 static int nft_fwd_neigh_init(const struct nft_ctx *ctx,
133 const struct nft_expr *expr,
134 const struct nlattr * const tb[])
135 {
136 struct nft_fwd_neigh *priv = nft_expr_priv(expr);
137 unsigned int addr_len;
138 int err;
139
140 if (!tb[NFTA_FWD_SREG_DEV] ||
141 !tb[NFTA_FWD_SREG_ADDR] ||
142 !tb[NFTA_FWD_NFPROTO])
143 return -EINVAL;
144
145 priv->sreg_dev = nft_parse_register(tb[NFTA_FWD_SREG_DEV]);
146 priv->sreg_addr = nft_parse_register(tb[NFTA_FWD_SREG_ADDR]);
147 priv->nfproto = ntohl(nla_get_be32(tb[NFTA_FWD_NFPROTO]));
148
149 switch (priv->nfproto) {
150 case NFPROTO_IPV4:
151 addr_len = sizeof(struct in_addr);
152 break;
153 case NFPROTO_IPV6:
154 addr_len = sizeof(struct in6_addr);
155 break;
156 default:
157 return -EOPNOTSUPP;
158 }
159
160 err = nft_validate_register_load(priv->sreg_dev, sizeof(int));
161 if (err < 0)
162 return err;
163
164 return nft_validate_register_load(priv->sreg_addr, addr_len);
165 }
166
167 static int nft_fwd_neigh_dump(struct sk_buff *skb, const struct nft_expr *expr)
168 {
169 struct nft_fwd_neigh *priv = nft_expr_priv(expr);
170
171 if (nft_dump_register(skb, NFTA_FWD_SREG_DEV, priv->sreg_dev) ||
172 nft_dump_register(skb, NFTA_FWD_SREG_ADDR, priv->sreg_addr) ||
173 nla_put_be32(skb, NFTA_FWD_NFPROTO, htonl(priv->nfproto)))
174 goto nla_put_failure;
175
176 return 0;
177
178 nla_put_failure:
179 return -1;
180 }
181
182 static struct nft_expr_type nft_fwd_netdev_type;
183 static const struct nft_expr_ops nft_fwd_neigh_netdev_ops = {
184 .type = &nft_fwd_netdev_type,
185 .size = NFT_EXPR_SIZE(sizeof(struct nft_fwd_neigh)),
186 .eval = nft_fwd_neigh_eval,
187 .init = nft_fwd_neigh_init,
188 .dump = nft_fwd_neigh_dump,
189 };
190
191 static const struct nft_expr_ops nft_fwd_netdev_ops = {
192 .type = &nft_fwd_netdev_type,
193 .size = NFT_EXPR_SIZE(sizeof(struct nft_fwd_netdev)),
194 .eval = nft_fwd_netdev_eval,
195 .init = nft_fwd_netdev_init,
196 .dump = nft_fwd_netdev_dump,
197 };
198
199 static const struct nft_expr_ops *
200 nft_fwd_select_ops(const struct nft_ctx *ctx,
201 const struct nlattr * const tb[])
202 {
203 if (tb[NFTA_FWD_SREG_ADDR])
204 return &nft_fwd_neigh_netdev_ops;
205 if (tb[NFTA_FWD_SREG_DEV])
206 return &nft_fwd_netdev_ops;
207
208 return ERR_PTR(-EOPNOTSUPP);
209 }
210
211 static struct nft_expr_type nft_fwd_netdev_type __read_mostly = {
212 .family = NFPROTO_NETDEV,
213 .name = "fwd",
214 .select_ops = nft_fwd_select_ops,
215 .policy = nft_fwd_netdev_policy,
216 .maxattr = NFTA_FWD_MAX,
217 .owner = THIS_MODULE,
218 };
219
220 static int __init nft_fwd_netdev_module_init(void)
221 {
222 return nft_register_expr(&nft_fwd_netdev_type);
223 }
224
225 static void __exit nft_fwd_netdev_module_exit(void)
226 {
227 nft_unregister_expr(&nft_fwd_netdev_type);
228 }
229
230 module_init(nft_fwd_netdev_module_init);
231 module_exit(nft_fwd_netdev_module_exit);
232
233 MODULE_LICENSE("GPL");
234 MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
235 MODULE_ALIAS_NFT_AF_EXPR(5, "fwd");
Ubuntu Hirsute Linux kernel mirror