// SPDX-License-Identifier: GPL-2.0
2 
3 #include <linux/skbuff.h>
4 #include <linux/netfilter.h>
5 #include <linux/netfilter_ipv4.h>
6 #include <linux/netfilter_ipv6.h>
7 #include <linux/netfilter/nfnetlink.h>
8 #include <linux/netfilter/nf_tables.h>
9 #include <net/netfilter/nf_tables.h>
10 #include <net/netfilter/nf_tables_ipv4.h>
11 #include <net/netfilter/nf_tables_ipv6.h>
12 #include <net/route.h>
13 #include <net/ip.h>
14 
15 #ifdef CONFIG_NF_TABLES_IPV4
/*
 * IPv4 "route" chain, attached at NF_INET_LOCAL_OUT.
 *
 * The header fields that feed the output route lookup (source and
 * destination address, TOS) together with skb->mark are sampled before
 * the chain runs.  If the rules accept the packet but changed any of
 * them, the packet is routed again; a failed re-route turns the verdict
 * into a drop that carries the error code.
 */
static unsigned int nf_route_table_hook4(void *priv,
					 struct sk_buff *skb,
					 const struct nf_hook_state *state)
{
	struct nft_pktinfo pkt;
	const struct iphdr *iph;
	__be32 orig_saddr, orig_daddr;
	unsigned int verdict;
	u32 orig_mark;
	u8 orig_tos;
	int err;

	nft_set_pktinfo(&pkt, skb, state);
	nft_set_pktinfo_ipv4(&pkt);

	/* snapshot of the routing-relevant state before any rule runs */
	orig_mark = skb->mark;
	iph = ip_hdr(skb);
	orig_saddr = iph->saddr;
	orig_daddr = iph->daddr;
	orig_tos = iph->tos;

	verdict = nft_do_chain(&pkt, priv);
	if (verdict != NF_ACCEPT)
		return verdict;

	/*
	 * Do not reuse the pre-chain header pointer: the skb data may have
	 * been moved while the rules ran, so fetch it again before comparing.
	 */
	iph = ip_hdr(skb);
	if (iph->saddr == orig_saddr &&
	    iph->daddr == orig_daddr &&
	    skb->mark == orig_mark &&
	    iph->tos == orig_tos)
		return verdict;

	/* something the route depends on changed: look the route up again */
	err = ip_route_me_harder(state->net, state->sk, skb, RTN_UNSPEC);
	if (err < 0)
		verdict = NF_DROP_ERR(err);

	return verdict;
}
52 
/*
 * IPv4 flavour of the "route" chain type.  The hook mask restricts it to
 * NF_INET_LOCAL_OUT, the only hook point where nf_route_table_hook4 is
 * installed.
 */
static const struct nft_chain_type nft_chain_route_ipv4 = {
	.name		= "route",
	.type		= NFT_CHAIN_T_ROUTE,
	.family		= NFPROTO_IPV4,
	.hook_mask	= (1 << NF_INET_LOCAL_OUT),
	.hooks		= {
		[NF_INET_LOCAL_OUT]	= nf_route_table_hook4,
	},
};
62 #endif
63 
64 #ifdef CONFIG_NF_TABLES_IPV6
/*
 * IPv6 "route" chain, attached at NF_INET_LOCAL_OUT.
 *
 * Same contract as the IPv4 variant: the routing-relevant header fields
 * (addresses, hop limit, and the first 32-bit word holding version,
 * traffic class and flow label) plus skb->mark are sampled before the
 * chain runs; an accepted packet whose sampled state changed is routed
 * again, and a re-route failure becomes a drop carrying the error code.
 */
static unsigned int nf_route_table_hook6(void *priv,
					 struct sk_buff *skb,
					 const struct nf_hook_state *state)
{
	struct in6_addr orig_saddr, orig_daddr;
	struct nft_pktinfo pkt;
	u32 orig_mark, orig_vtf;
	unsigned int verdict;
	u8 orig_hlim;
	int err;

	nft_set_pktinfo(&pkt, skb, state);
	nft_set_pktinfo_ipv6(&pkt);

	/* save source/dest address, mark and hop limit before any rule runs */
	memcpy(&orig_saddr, &ipv6_hdr(skb)->saddr, sizeof(orig_saddr));
	memcpy(&orig_daddr, &ipv6_hdr(skb)->daddr, sizeof(orig_daddr));
	orig_mark = skb->mark;
	orig_hlim = ipv6_hdr(skb)->hop_limit;

	/*
	 * Leading 32-bit word of the header: version, traffic class and flow
	 * label in one read (the version is not expected to change either).
	 */
	orig_vtf = *((u32 *)ipv6_hdr(skb));

	verdict = nft_do_chain(&pkt, priv);
	if (verdict != NF_ACCEPT)
		return verdict;

	/*
	 * ipv6_hdr() is evaluated afresh on every access below because the
	 * skb data may have been moved while the rules ran.
	 */
	if (!memcmp(&ipv6_hdr(skb)->saddr, &orig_saddr, sizeof(orig_saddr)) &&
	    !memcmp(&ipv6_hdr(skb)->daddr, &orig_daddr, sizeof(orig_daddr)) &&
	    skb->mark == orig_mark &&
	    ipv6_hdr(skb)->hop_limit == orig_hlim &&
	    *((u32 *)ipv6_hdr(skb)) == orig_vtf)
		return verdict;

	/* something the route depends on changed: look the route up again */
	err = nf_ip6_route_me_harder(state->net, state->sk, skb);
	if (err < 0)
		verdict = NF_DROP_ERR(err);

	return verdict;
}
102 
/*
 * IPv6 flavour of the "route" chain type.  As for IPv4, the hook mask
 * limits it to NF_INET_LOCAL_OUT, where nf_route_table_hook6 is installed.
 */
static const struct nft_chain_type nft_chain_route_ipv6 = {
	.name		= "route",
	.type		= NFT_CHAIN_T_ROUTE,
	.family		= NFPROTO_IPV6,
	.hook_mask	= (1 << NF_INET_LOCAL_OUT),
	.hooks		= {
		[NF_INET_LOCAL_OUT]	= nf_route_table_hook6,
	},
};
112 #endif
113 
114 #ifdef CONFIG_NF_TABLES_INET
/*
 * "route" chain for the inet family: dispatch on the packet's protocol
 * family to the IPv4 or IPv6 hook, which handle re-routing.  Any other
 * family just runs the chain with plain packet info and no re-route step.
 *
 * Both per-family hooks are referenced unconditionally here, so this
 * presumably relies on Kconfig making CONFIG_NF_TABLES_IPV4 and
 * CONFIG_NF_TABLES_IPV6 available whenever CONFIG_NF_TABLES_INET is set.
 */
static unsigned int nf_route_table_inet(void *priv,
					struct sk_buff *skb,
					const struct nf_hook_state *state)
{
	struct nft_pktinfo pkt;

	if (state->pf == NFPROTO_IPV4)
		return nf_route_table_hook4(priv, skb, state);

	if (state->pf == NFPROTO_IPV6)
		return nf_route_table_hook6(priv, skb, state);

	/* unknown family: no L3 header to snapshot, so no re-route check */
	nft_set_pktinfo(&pkt, skb, state);

	return nft_do_chain(&pkt, priv);
}
133 
/*
 * Family-agnostic flavour of the "route" chain type.  Restricted by the
 * hook mask to NF_INET_LOCAL_OUT, where nf_route_table_inet dispatches to
 * the IPv4/IPv6 hooks.
 */
static const struct nft_chain_type nft_chain_route_inet = {
	.name		= "route",
	.type		= NFT_CHAIN_T_ROUTE,
	.family		= NFPROTO_INET,
	.hook_mask	= (1 << NF_INET_LOCAL_OUT),
	.hooks		= {
		[NF_INET_LOCAL_OUT]	= nf_route_table_inet,
	},
};
143 #endif
144 
/*
 * Register every "route" chain type that was compiled in.  The order
 * (IPv6, IPv4, inet) is mirrored by nft_chain_route_fini.
 */
void __init nft_chain_route_init(void)
{
#ifdef CONFIG_NF_TABLES_IPV6
	nft_register_chain_type(&nft_chain_route_ipv6);
#endif
#ifdef CONFIG_NF_TABLES_IPV4
	nft_register_chain_type(&nft_chain_route_ipv4);
#endif
#ifdef CONFIG_NF_TABLES_INET
	nft_register_chain_type(&nft_chain_route_inet);
#endif
}
157 
/*
 * Unregister the "route" chain types registered by nft_chain_route_init,
 * in the same order (IPv6, IPv4, inet).
 */
void __exit nft_chain_route_fini(void)
{
#ifdef CONFIG_NF_TABLES_IPV6
	nft_unregister_chain_type(&nft_chain_route_ipv6);
#endif
#ifdef CONFIG_NF_TABLES_IPV4
	nft_unregister_chain_type(&nft_chain_route_ipv4);
#endif
#ifdef CONFIG_NF_TABLES_INET
	nft_unregister_chain_type(&nft_chain_route_inet);
#endif
}
170