/*
 * Netfilter flow table definitions: match key/rule types, the flowtable
 * object and its per-family type, per-direction flow tuples, and prototypes
 * for the flow offload API. Only the small inline helpers are implemented
 * here; everything else is declared for code outside this header.
 */
#ifndef _NF_FLOW_TABLE_H
#define _NF_FLOW_TABLE_H

#include <linux/in.h>
#include <linux/in6.h>
#include <linux/netdevice.h>
#include <linux/rhashtable-types.h>
#include <linux/rcupdate.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nf_conntrack_tuple_common.h>
#include <net/flow_offload.h>
#include <net/dst.h>

struct nf_flowtable;
struct nf_flow_rule;
struct flow_offload;
enum flow_offload_tuple_dir;

/*
 * Match key assembled from flow dissector key structs. The same layout is
 * used for both the key and the mask in struct nf_flow_match.
 * The enc_* members presumably describe an outer (tunnel) header - confirm.
 *
 * NOTE(review): the alignment exists so the struct can be compared as longs;
 * a word-wise comparison also covers padding bytes, so keys and masks
 * presumably need to be zeroed before they are filled in - confirm in the
 * code that builds them.
 */
struct nf_flow_key {
	struct flow_dissector_key_meta meta;
	struct flow_dissector_key_control control;
	struct flow_dissector_key_control enc_control;
	struct flow_dissector_key_basic basic;
	union {
		struct flow_dissector_key_ipv4_addrs ipv4;
		struct flow_dissector_key_ipv6_addrs ipv6;
	};
	struct flow_dissector_key_keyid enc_key_id;
	union {
		struct flow_dissector_key_ipv4_addrs enc_ipv4;
		struct flow_dissector_key_ipv6_addrs enc_ipv6;
	};
	struct flow_dissector_key_tcp tcp;
	struct flow_dissector_key_ports tp;
} __aligned(BITS_PER_LONG / 8); /* Ensure that we can do comparisons as longs. */

/* A flow dissector together with the key and mask it is matched against. */
struct nf_flow_match {
	struct flow_dissector dissector;
	struct nf_flow_key key;
	struct nf_flow_key mask;
};

/* A match plus a pointer to the flow_rule that carries it. */
struct nf_flow_rule {
	struct nf_flow_match match;
	struct flow_rule *rule;
};

/*
 * Per-family flowtable type: an address family plus the callbacks and hook
 * function a flowtable of that family uses. @list links the type into a
 * list kept outside this header.
 */
struct nf_flowtable_type {
	struct list_head list;
	int family;
	int (*init)(struct nf_flowtable *ft);
	int (*setup)(struct nf_flowtable *ft,
		     struct net_device *dev,
		     enum flow_block_command cmd);
	int (*action)(struct net *net,
		      const struct flow_offload *flow,
		      enum flow_offload_tuple_dir dir,
		      struct nf_flow_rule *flow_rule);
	void (*free)(struct nf_flowtable *ft);
	nf_hookfn *hook;
	struct module *owner;
};

/* Bit flags stored in nf_flowtable.flags; each mirrors the NFT_* flag named beside it. */
enum nf_flowtable_flags {
	NF_FLOWTABLE_HW_OFFLOAD = 0x1, /* NFT_FLOWTABLE_HW_OFFLOAD */
	NF_FLOWTABLE_COUNTER = 0x2, /* NFT_FLOWTABLE_COUNTER */
};

/*
 * A flow table instance: the rhashtable of flows, the type providing its
 * callbacks, delayed work for garbage collection, enum nf_flowtable_flags
 * bits, and the flow_block holding the registered offload callbacks.
 */
struct nf_flowtable {
	struct list_head list;
	struct rhashtable rhashtable;
	int priority;
	const struct nf_flowtable_type *type;
	struct delayed_work gc_work;
	unsigned int flags;
	struct flow_block flow_block;
	struct rw_semaphore flow_block_lock; /* Guards flow_block */
	possible_net_t net;
};

/* Returns true when NF_FLOWTABLE_HW_OFFLOAD is set in @flowtable->flags. */
static inline bool nf_flowtable_hw_offload(struct nf_flowtable *flowtable)
{
	return flowtable->flags & NF_FLOWTABLE_HW_OFFLOAD;
}

/* Flow direction; the values alias the conntrack IP_CT_DIR_* constants. */
enum flow_offload_tuple_dir {
	FLOW_OFFLOAD_DIR_ORIGINAL = IP_CT_DIR_ORIGINAL,
	FLOW_OFFLOAD_DIR_REPLY = IP_CT_DIR_REPLY,
	FLOW_OFFLOAD_DIR_MAX = IP_CT_DIR_MAX
};

/*
 * One direction of an offloaded flow. The members before __hash form the
 * lookup key; the members after it are per-tuple data that is not part of
 * the key.
 *
 * NOTE(review): presumably the key is hashed and compared as raw bytes up to
 * offsetof(struct flow_offload_tuple, __hash) - confirm in
 * flow_offload_hash(). If so, a new key member must go above __hash without
 * introducing uninitialised padding, and non-key members must stay below it.
 */
struct flow_offload_tuple {
	union {
		struct in_addr src_v4;
		struct in6_addr src_v6;
	};
	union {
		struct in_addr dst_v4;
		struct in6_addr dst_v6;
	};
	struct {
		__be16 src_port;
		__be16 dst_port;
	};

	int iifidx;

	u8 l3proto;
	u8 l4proto;

	/* All members above are keys for lookups, see flow_offload_hash(). */
	struct { } __hash;

	u8 dir;

	u16 mtu;

	/* NOTE(review): who holds and drops the reference on dst_cache is not visible here - confirm. */
	struct dst_entry *dst_cache;
};

/* A tuple together with the rhashtable node that links it into the table. */
struct flow_offload_tuple_rhash {
	struct rhash_head node;
	struct flow_offload_tuple tuple;
};

/*
 * Flow state flags. The enumerators take the default values 0..7, so they
 * are presumably bit numbers within flow_offload.flags rather than masks -
 * confirm against the users.
 */
enum nf_flow_flags {
	NF_FLOW_SNAT,
	NF_FLOW_DNAT,
	NF_FLOW_TEARDOWN,
	NF_FLOW_HW,
	NF_FLOW_HW_DYING,
	NF_FLOW_HW_DEAD,
	NF_FLOW_HW_REFRESH,
	NF_FLOW_HW_PENDING,
};

/* Values for flow_offload.type. */
enum flow_offload_type {
	NF_FLOW_OFFLOAD_UNSPEC = 0,
	NF_FLOW_OFFLOAD_ROUTE,
};

/*
 * An offloaded flow: one tuple hash entry per direction, the conntrack entry
 * it refers to, its state flags, type and timeout.
 * NOTE(review): rcu_head suggests the object is freed after an RCU grace
 * period - confirm in flow_offload_free() and its callers.
 */
struct flow_offload {
	struct flow_offload_tuple_rhash tuplehash[FLOW_OFFLOAD_DIR_MAX];
	struct nf_conn *ct;
	unsigned long flags;
	u16 type;
	u32 timeout;
	struct rcu_head rcu_head;
};

/* 30 * HZ jiffies, i.e. 30 seconds. */
#define NF_FLOW_TIMEOUT (30 * HZ)
/*
 * Current jiffies truncated to 32 bits.
 * NOTE(review): the expansion is not wrapped in parentheses; consider
 * ((u32)jiffies) so it stays safe in any expression context.
 */
#define nf_flowtable_time_stamp (u32)jiffies

/*
 * Signed distance in jiffies from now to @timeout: positive while the
 * timeout lies in the future, zero or negative once it has passed.
 * The subtraction is done unsigned and then cast to __s32, so the result
 * stays correct across wraparound of the 32-bit time stamp as long as the
 * two values are less than 2^31 ticks apart.
 */
static inline __s32 nf_flow_timeout_delta(unsigned int timeout)
{
	return (__s32)(timeout - nf_flowtable_time_stamp);
}

/* Route information for a flow: one dst entry per direction. */
struct nf_flow_route {
	struct {
		struct dst_entry *dst;
	} tuple[FLOW_OFFLOAD_DIR_MAX];
};

/* Flow allocation and release; implemented outside this header. */
struct flow_offload *flow_offload_alloc(struct nf_conn *ct);
void flow_offload_free(struct flow_offload *flow);

/*
 * Register @cb with private data @cb_priv on @flow_table's flow_block.
 *
 * The duplicate lookup and the list insertion both run with
 * flow_block_lock held for writing, so two writers cannot both pass the
 * lookup and register the same callback twice.
 *
 * Returns 0 on success, -EEXIST when flow_block_cb_lookup() already finds an
 * entry for (@cb, @cb_priv), or the error carried by the pointer that
 * flow_block_cb_alloc() returned.
 */
static inline int
nf_flow_table_offload_add_cb(struct nf_flowtable *flow_table,
			     flow_setup_cb_t *cb, void *cb_priv)
{
	struct flow_block *block = &flow_table->flow_block;
	struct flow_block_cb *block_cb;
	int err = 0;

	down_write(&flow_table->flow_block_lock);
	block_cb = flow_block_cb_lookup(block, cb, cb_priv);
	if (block_cb) {
		err = -EEXIST;
		goto unlock;
	}

	/*
	 * cb_priv serves as both the lookup identity and the callback's
	 * private data; no release callback is supplied (NULL).
	 */
	block_cb = flow_block_cb_alloc(cb, cb_priv, cb_priv, NULL);
	if (IS_ERR(block_cb)) {
		err = PTR_ERR(block_cb);
		goto unlock;
	}

	list_add_tail(&block_cb->list, &block->cb_list);

unlock:
	up_write(&flow_table->flow_block_lock);
	return err;
}

/*
 * Unregister the callback previously added for (@cb, @cb_priv): unlink it
 * from the flow_block's list and free it, all under flow_block_lock held
 * for writing.
 *
 * If no matching entry exists the function warns and otherwise does nothing.
 */
static inline void
nf_flow_table_offload_del_cb(struct nf_flowtable *flow_table,
			     flow_setup_cb_t *cb, void *cb_priv)
{
	struct flow_block *block = &flow_table->flow_block;
	struct flow_block_cb *block_cb;

	down_write(&flow_table->flow_block_lock);
	block_cb = flow_block_cb_lookup(block, cb, cb_priv);
	if (block_cb) {
		list_del(&block_cb->list);
		flow_block_cb_free(block_cb);
	} else {
		/* Deleting a callback that was never registered is reported, not fatal. */
		WARN_ON(true);
	}
	up_write(&flow_table->flow_block_lock);
}

/* Flow setup, insertion, refresh and lookup; implemented outside this header. */
int flow_offload_route_init(struct flow_offload *flow,
			    const struct nf_flow_route *route);

int flow_offload_add(struct nf_flowtable *flow_table, struct flow_offload *flow);
void flow_offload_refresh(struct nf_flowtable *flow_table,
			  struct flow_offload *flow);

struct flow_offload_tuple_rhash *flow_offload_lookup(struct nf_flowtable *flow_table,
						     struct flow_offload_tuple *tuple);
void nf_flow_table_gc_cleanup(struct nf_flowtable *flowtable,
			      struct net_device *dev);
void nf_flow_table_cleanup(struct net_device *dev);

/* Prototypes matching the init/free callbacks of struct nf_flowtable_type. */
int nf_flow_table_init(struct nf_flowtable *flow_table);
void nf_flow_table_free(struct nf_flowtable *flow_table);

void flow_offload_teardown(struct flow_offload *flow);

/*
 * Port NAT helpers operating on @skb at transport header offset @thoff.
 * NOTE(review): presumably the caller has already checked that the
 * transport header at @thoff lies within the packet data - confirm.
 */
int nf_flow_snat_port(const struct flow_offload *flow,
		      struct sk_buff *skb, unsigned int thoff,
		      u8 protocol, enum flow_offload_tuple_dir dir);
int nf_flow_dnat_port(const struct flow_offload *flow,
		      struct sk_buff *skb, unsigned int thoff,
		      u8 protocol, enum flow_offload_tuple_dir dir);

/* Source and destination port pair in network byte order. */
struct flow_ports {
	__be16 source, dest;
};

/* Hook functions for IPv4 and IPv6; the signatures match nf_hookfn. */
unsigned int nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
				     const struct nf_hook_state *state);
unsigned int nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb,
				       const struct nf_hook_state *state);

/* Declares the module alias "nf-flowtable-<family>" for a flowtable type module. */
#define MODULE_ALIAS_NF_FLOWTABLE(family) \
	MODULE_ALIAS("nf-flowtable-" __stringify(family))

/* Per-flow offload operations; implemented outside this header. */
void nf_flow_offload_add(struct nf_flowtable *flowtable,
			 struct flow_offload *flow);
void nf_flow_offload_del(struct nf_flowtable *flowtable,
			 struct flow_offload *flow);
void nf_flow_offload_stats(struct nf_flowtable *flowtable,
			   struct flow_offload *flow);

/* Per-table offload operations and the IPv4/IPv6 rule builders. */
void nf_flow_table_offload_flush(struct nf_flowtable *flowtable);
int nf_flow_table_offload_setup(struct nf_flowtable *flowtable,
				struct net_device *dev,
				enum flow_block_command cmd);
int nf_flow_rule_route_ipv4(struct net *net, const struct flow_offload *flow,
			    enum flow_offload_tuple_dir dir,
			    struct nf_flow_rule *flow_rule);
int nf_flow_rule_route_ipv6(struct net *net, const struct flow_offload *flow,
			    enum flow_offload_tuple_dir dir,
			    struct nf_flow_rule *flow_rule);

int nf_flow_table_offload_init(void);
void nf_flow_table_offload_exit(void);

#endif /* _NF_FLOW_TABLE_H */