1 #ifndef _NF_FLOW_TABLE_H 2 #define _NF_FLOW_TABLE_H 3 4 #include <linux/in.h> 5 #include <linux/in6.h> 6 #include <linux/netdevice.h> 7 #include <linux/rhashtable-types.h> 8 #include <linux/rcupdate.h> 9 #include <linux/netfilter.h> 10 #include <linux/netfilter/nf_conntrack_tuple_common.h> 11 #include <net/flow_offload.h> 12 #include <net/dst.h> 13 #include <linux/if_pppox.h> 14 #include <linux/ppp_defs.h> 15 16 struct nf_flowtable; 17 struct nf_flow_rule; 18 struct flow_offload; 19 enum flow_offload_tuple_dir; 20 21 struct nf_flow_key { 22 struct flow_dissector_key_meta meta; 23 struct flow_dissector_key_control control; 24 struct flow_dissector_key_control enc_control; 25 struct flow_dissector_key_basic basic; 26 struct flow_dissector_key_vlan vlan; 27 struct flow_dissector_key_vlan cvlan; 28 union { 29 struct flow_dissector_key_ipv4_addrs ipv4; 30 struct flow_dissector_key_ipv6_addrs ipv6; 31 }; 32 struct flow_dissector_key_keyid enc_key_id; 33 union { 34 struct flow_dissector_key_ipv4_addrs enc_ipv4; 35 struct flow_dissector_key_ipv6_addrs enc_ipv6; 36 }; 37 struct flow_dissector_key_tcp tcp; 38 struct flow_dissector_key_ports tp; 39 } __aligned(BITS_PER_LONG / 8); /* Ensure that we can do comparisons as longs. */ 40 41 struct nf_flow_match { 42 struct flow_dissector dissector; 43 struct nf_flow_key key; 44 struct nf_flow_key mask; 45 }; 46 47 struct nf_flow_rule { 48 struct nf_flow_match match; 49 struct flow_rule *rule; 50 }; 51 52 struct nf_flowtable_type { 53 struct list_head list; 54 int family; 55 int (*init)(struct nf_flowtable *ft); 56 int (*setup)(struct nf_flowtable *ft, 57 struct net_device *dev, 58 enum flow_block_command cmd); 59 int (*action)(struct net *net, 60 const struct flow_offload *flow, 61 enum flow_offload_tuple_dir dir, 62 struct nf_flow_rule *flow_rule); 63 void (*free)(struct nf_flowtable *ft); 64 nf_hookfn *hook; 65 struct module *owner; 66 }; 67 68 enum nf_flowtable_flags { 69 NF_FLOWTABLE_HW_OFFLOAD = 0x1, /* NFT_FLOWTABLE_HW_OFFLOAD */ 70 NF_FLOWTABLE_COUNTER = 0x2, /* NFT_FLOWTABLE_COUNTER */ 71 }; 72 73 struct nf_flowtable { 74 struct list_head list; 75 struct rhashtable rhashtable; 76 int priority; 77 const struct nf_flowtable_type *type; 78 struct delayed_work gc_work; 79 unsigned int flags; 80 struct flow_block flow_block; 81 struct rw_semaphore flow_block_lock; /* Guards flow_block */ 82 possible_net_t net; 83 }; 84 85 static inline bool nf_flowtable_hw_offload(struct nf_flowtable *flowtable) 86 { 87 return flowtable->flags & NF_FLOWTABLE_HW_OFFLOAD; 88 } 89 90 enum flow_offload_tuple_dir { 91 FLOW_OFFLOAD_DIR_ORIGINAL = IP_CT_DIR_ORIGINAL, 92 FLOW_OFFLOAD_DIR_REPLY = IP_CT_DIR_REPLY, 93 }; 94 #define FLOW_OFFLOAD_DIR_MAX IP_CT_DIR_MAX 95 96 enum flow_offload_xmit_type { 97 FLOW_OFFLOAD_XMIT_UNSPEC = 0, 98 FLOW_OFFLOAD_XMIT_NEIGH, 99 FLOW_OFFLOAD_XMIT_XFRM, 100 FLOW_OFFLOAD_XMIT_DIRECT, 101 FLOW_OFFLOAD_XMIT_TC, 102 }; 103 104 #define NF_FLOW_TABLE_ENCAP_MAX 2 105 106 struct flow_offload_tuple { 107 union { 108 struct in_addr src_v4; 109 struct in6_addr src_v6; 110 }; 111 union { 112 struct in_addr dst_v4; 113 struct in6_addr dst_v6; 114 }; 115 struct { 116 __be16 src_port; 117 __be16 dst_port; 118 }; 119 120 int iifidx; 121 122 u8 l3proto; 123 u8 l4proto; 124 struct { 125 u16 id; 126 __be16 proto; 127 } encap[NF_FLOW_TABLE_ENCAP_MAX]; 128 129 /* All members above are keys for lookups, see flow_offload_hash(). */ 130 struct { } __hash; 131 132 u8 dir:2, 133 xmit_type:3, 134 encap_num:2, 135 in_vlan_ingress:2; 136 u16 mtu; 137 union { 138 struct { 139 struct dst_entry *dst_cache; 140 u32 dst_cookie; 141 }; 142 struct { 143 u32 ifidx; 144 u32 hw_ifidx; 145 u8 h_source[ETH_ALEN]; 146 u8 h_dest[ETH_ALEN]; 147 } out; 148 struct { 149 u32 iifidx; 150 } tc; 151 }; 152 }; 153 154 struct flow_offload_tuple_rhash { 155 struct rhash_head node; 156 struct flow_offload_tuple tuple; 157 }; 158 159 enum nf_flow_flags { 160 NF_FLOW_SNAT, 161 NF_FLOW_DNAT, 162 NF_FLOW_TEARDOWN, 163 NF_FLOW_HW, 164 NF_FLOW_HW_DYING, 165 NF_FLOW_HW_DEAD, 166 NF_FLOW_HW_PENDING, 167 }; 168 169 enum flow_offload_type { 170 NF_FLOW_OFFLOAD_UNSPEC = 0, 171 NF_FLOW_OFFLOAD_ROUTE, 172 }; 173 174 struct flow_offload { 175 struct flow_offload_tuple_rhash tuplehash[FLOW_OFFLOAD_DIR_MAX]; 176 struct nf_conn *ct; 177 unsigned long flags; 178 u16 type; 179 u32 timeout; 180 struct rcu_head rcu_head; 181 }; 182 183 #define NF_FLOW_TIMEOUT (30 * HZ) 184 #define nf_flowtable_time_stamp (u32)jiffies 185 186 unsigned long flow_offload_get_timeout(struct flow_offload *flow); 187 188 static inline __s32 nf_flow_timeout_delta(unsigned int timeout) 189 { 190 return (__s32)(timeout - nf_flowtable_time_stamp); 191 } 192 193 struct nf_flow_route { 194 struct { 195 struct dst_entry *dst; 196 struct { 197 u32 ifindex; 198 struct { 199 u16 id; 200 __be16 proto; 201 } encap[NF_FLOW_TABLE_ENCAP_MAX]; 202 u8 num_encaps:2, 203 ingress_vlans:2; 204 } in; 205 struct { 206 u32 ifindex; 207 u32 hw_ifindex; 208 u8 h_source[ETH_ALEN]; 209 u8 h_dest[ETH_ALEN]; 210 } out; 211 enum flow_offload_xmit_type xmit_type; 212 } tuple[FLOW_OFFLOAD_DIR_MAX]; 213 }; 214 215 struct flow_offload *flow_offload_alloc(struct nf_conn *ct); 216 void flow_offload_free(struct flow_offload *flow); 217 218 static inline int 219 nf_flow_table_offload_add_cb(struct nf_flowtable *flow_table, 220 flow_setup_cb_t *cb, void *cb_priv) 221 { 222 struct flow_block *block = &flow_table->flow_block; 223 struct flow_block_cb *block_cb; 224 int err = 0; 225 226 down_write(&flow_table->flow_block_lock); 227 block_cb = flow_block_cb_lookup(block, cb, cb_priv); 228 if (block_cb) { 229 err = -EEXIST; 230 goto unlock; 231 } 232 233 block_cb = flow_block_cb_alloc(cb, cb_priv, cb_priv, NULL); 234 if (IS_ERR(block_cb)) { 235 err = PTR_ERR(block_cb); 236 goto unlock; 237 } 238 239 list_add_tail(&block_cb->list, &block->cb_list); 240 241 unlock: 242 up_write(&flow_table->flow_block_lock); 243 return err; 244 } 245 246 static inline void 247 nf_flow_table_offload_del_cb(struct nf_flowtable *flow_table, 248 flow_setup_cb_t *cb, void *cb_priv) 249 { 250 struct flow_block *block = &flow_table->flow_block; 251 struct flow_block_cb *block_cb; 252 253 down_write(&flow_table->flow_block_lock); 254 block_cb = flow_block_cb_lookup(block, cb, cb_priv); 255 if (block_cb) { 256 list_del(&block_cb->list); 257 flow_block_cb_free(block_cb); 258 } else { 259 WARN_ON(true); 260 } 261 up_write(&flow_table->flow_block_lock); 262 } 263 264 int flow_offload_route_init(struct flow_offload *flow, 265 const struct nf_flow_route *route); 266 267 int flow_offload_add(struct nf_flowtable *flow_table, struct flow_offload *flow); 268 void flow_offload_refresh(struct nf_flowtable *flow_table, 269 struct flow_offload *flow); 270 271 struct flow_offload_tuple_rhash *flow_offload_lookup(struct nf_flowtable *flow_table, 272 struct flow_offload_tuple *tuple); 273 void nf_flow_table_gc_run(struct nf_flowtable *flow_table); 274 void nf_flow_table_gc_cleanup(struct nf_flowtable *flowtable, 275 struct net_device *dev); 276 void nf_flow_table_cleanup(struct net_device *dev); 277 278 int nf_flow_table_init(struct nf_flowtable *flow_table); 279 void nf_flow_table_free(struct nf_flowtable *flow_table); 280 281 void flow_offload_teardown(struct flow_offload *flow); 282 283 void nf_flow_snat_port(const struct flow_offload *flow, 284 struct sk_buff *skb, unsigned int thoff, 285 u8 protocol, enum flow_offload_tuple_dir dir); 286 void nf_flow_dnat_port(const struct flow_offload *flow, 287 struct sk_buff *skb, unsigned int thoff, 288 u8 protocol, enum flow_offload_tuple_dir dir); 289 290 struct flow_ports { 291 __be16 source, dest; 292 }; 293 294 unsigned int nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb, 295 const struct nf_hook_state *state); 296 unsigned int nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb, 297 const struct nf_hook_state *state); 298 299 #define MODULE_ALIAS_NF_FLOWTABLE(family) \ 300 MODULE_ALIAS("nf-flowtable-" __stringify(family)) 301 302 void nf_flow_offload_add(struct nf_flowtable *flowtable, 303 struct flow_offload *flow); 304 void nf_flow_offload_del(struct nf_flowtable *flowtable, 305 struct flow_offload *flow); 306 void nf_flow_offload_stats(struct nf_flowtable *flowtable, 307 struct flow_offload *flow); 308 309 void nf_flow_table_offload_flush(struct nf_flowtable *flowtable); 310 void nf_flow_table_offload_flush_cleanup(struct nf_flowtable *flowtable); 311 312 int nf_flow_table_offload_setup(struct nf_flowtable *flowtable, 313 struct net_device *dev, 314 enum flow_block_command cmd); 315 int nf_flow_rule_route_ipv4(struct net *net, const struct flow_offload *flow, 316 enum flow_offload_tuple_dir dir, 317 struct nf_flow_rule *flow_rule); 318 int nf_flow_rule_route_ipv6(struct net *net, const struct flow_offload *flow, 319 enum flow_offload_tuple_dir dir, 320 struct nf_flow_rule *flow_rule); 321 322 int nf_flow_table_offload_init(void); 323 void nf_flow_table_offload_exit(void); 324 325 static inline __be16 nf_flow_pppoe_proto(const struct sk_buff *skb) 326 { 327 __be16 proto; 328 329 proto = *((__be16 *)(skb_mac_header(skb) + ETH_HLEN + 330 sizeof(struct pppoe_hdr))); 331 switch (proto) { 332 case htons(PPP_IP): 333 return htons(ETH_P_IP); 334 case htons(PPP_IPV6): 335 return htons(ETH_P_IPV6); 336 } 337 338 return 0; 339 } 340 341 #define NF_FLOW_TABLE_STAT_INC(net, count) __this_cpu_inc((net)->ft.stat->count) 342 #define NF_FLOW_TABLE_STAT_DEC(net, count) __this_cpu_dec((net)->ft.stat->count) 343 #define NF_FLOW_TABLE_STAT_INC_ATOMIC(net, count) \ 344 this_cpu_inc((net)->ft.stat->count) 345 #define NF_FLOW_TABLE_STAT_DEC_ATOMIC(net, count) \ 346 this_cpu_dec((net)->ft.stat->count) 347 348 #ifdef CONFIG_NF_FLOW_TABLE_PROCFS 349 int nf_flow_table_init_proc(struct net *net); 350 void nf_flow_table_fini_proc(struct net *net); 351 #else 352 static inline int nf_flow_table_init_proc(struct net *net) 353 { 354 return 0; 355 } 356 357 static inline void nf_flow_table_fini_proc(struct net *net) 358 { 359 } 360 #endif /* CONFIG_NF_FLOW_TABLE_PROCFS */ 361 362 #endif /* _NF_FLOW_TABLE_H */ 363