1 #ifndef _NF_FLOW_TABLE_H
2 #define _NF_FLOW_TABLE_H
3 
4 #include <linux/in.h>
5 #include <linux/in6.h>
6 #include <linux/netdevice.h>
7 #include <linux/rhashtable-types.h>
8 #include <linux/rcupdate.h>
9 #include <linux/netfilter.h>
10 #include <linux/netfilter/nf_conntrack_tuple_common.h>
11 #include <net/flow_offload.h>
12 #include <net/dst.h>
13 
14 struct nf_flowtable;
15 struct nf_flow_rule;
16 struct flow_offload;
17 enum flow_offload_tuple_dir;
18 
19 struct nf_flow_key {
20 	struct flow_dissector_key_meta			meta;
21 	struct flow_dissector_key_control		control;
22 	struct flow_dissector_key_control		enc_control;
23 	struct flow_dissector_key_basic			basic;
24 	struct flow_dissector_key_vlan			vlan;
25 	struct flow_dissector_key_vlan			cvlan;
26 	union {
27 		struct flow_dissector_key_ipv4_addrs	ipv4;
28 		struct flow_dissector_key_ipv6_addrs	ipv6;
29 	};
30 	struct flow_dissector_key_keyid			enc_key_id;
31 	union {
32 		struct flow_dissector_key_ipv4_addrs	enc_ipv4;
33 		struct flow_dissector_key_ipv6_addrs	enc_ipv6;
34 	};
35 	struct flow_dissector_key_tcp			tcp;
36 	struct flow_dissector_key_ports			tp;
37 } __aligned(BITS_PER_LONG / 8); /* Ensure that we can do comparisons as longs. */
38 
39 struct nf_flow_match {
40 	struct flow_dissector	dissector;
41 	struct nf_flow_key	key;
42 	struct nf_flow_key	mask;
43 };
44 
45 struct nf_flow_rule {
46 	struct nf_flow_match	match;
47 	struct flow_rule	*rule;
48 };
49 
50 struct nf_flowtable_type {
51 	struct list_head		list;
52 	int				family;
53 	int				(*init)(struct nf_flowtable *ft);
54 	int				(*setup)(struct nf_flowtable *ft,
55 						 struct net_device *dev,
56 						 enum flow_block_command cmd);
57 	int				(*action)(struct net *net,
58 						  const struct flow_offload *flow,
59 						  enum flow_offload_tuple_dir dir,
60 						  struct nf_flow_rule *flow_rule);
61 	void				(*free)(struct nf_flowtable *ft);
62 	nf_hookfn			*hook;
63 	struct module			*owner;
64 };
65 
66 enum nf_flowtable_flags {
67 	NF_FLOWTABLE_HW_OFFLOAD		= 0x1,	/* NFT_FLOWTABLE_HW_OFFLOAD */
68 	NF_FLOWTABLE_COUNTER		= 0x2,	/* NFT_FLOWTABLE_COUNTER */
69 };
70 
71 struct nf_flowtable {
72 	struct list_head		list;
73 	struct rhashtable		rhashtable;
74 	int				priority;
75 	const struct nf_flowtable_type	*type;
76 	struct delayed_work		gc_work;
77 	unsigned int			flags;
78 	struct flow_block		flow_block;
79 	struct rw_semaphore		flow_block_lock; /* Guards flow_block */
80 	possible_net_t			net;
81 };
82 
83 static inline bool nf_flowtable_hw_offload(struct nf_flowtable *flowtable)
84 {
85 	return flowtable->flags & NF_FLOWTABLE_HW_OFFLOAD;
86 }
87 
88 enum flow_offload_tuple_dir {
89 	FLOW_OFFLOAD_DIR_ORIGINAL = IP_CT_DIR_ORIGINAL,
90 	FLOW_OFFLOAD_DIR_REPLY = IP_CT_DIR_REPLY,
91 };
92 #define FLOW_OFFLOAD_DIR_MAX	IP_CT_DIR_MAX
93 
94 enum flow_offload_xmit_type {
95 	FLOW_OFFLOAD_XMIT_UNSPEC	= 0,
96 	FLOW_OFFLOAD_XMIT_NEIGH,
97 	FLOW_OFFLOAD_XMIT_XFRM,
98 	FLOW_OFFLOAD_XMIT_DIRECT,
99 };
100 
101 #define NF_FLOW_TABLE_ENCAP_MAX		2
102 
103 struct flow_offload_tuple {
104 	union {
105 		struct in_addr		src_v4;
106 		struct in6_addr		src_v6;
107 	};
108 	union {
109 		struct in_addr		dst_v4;
110 		struct in6_addr		dst_v6;
111 	};
112 	struct {
113 		__be16			src_port;
114 		__be16			dst_port;
115 	};
116 
117 	int				iifidx;
118 
119 	u8				l3proto;
120 	u8				l4proto;
121 	struct {
122 		u16			id;
123 		__be16			proto;
124 	} encap[NF_FLOW_TABLE_ENCAP_MAX];
125 
126 	/* All members above are keys for lookups, see flow_offload_hash(). */
127 	struct { }			__hash;
128 
129 	u8				dir:2,
130 					xmit_type:2,
131 					encap_num:2,
132 					in_vlan_ingress:2;
133 	u16				mtu;
134 	union {
135 		struct {
136 			struct dst_entry *dst_cache;
137 			u32		dst_cookie;
138 		};
139 		struct {
140 			u32		ifidx;
141 			u32		hw_ifidx;
142 			u8		h_source[ETH_ALEN];
143 			u8		h_dest[ETH_ALEN];
144 		} out;
145 	};
146 };
147 
148 struct flow_offload_tuple_rhash {
149 	struct rhash_head		node;
150 	struct flow_offload_tuple	tuple;
151 };
152 
153 enum nf_flow_flags {
154 	NF_FLOW_SNAT,
155 	NF_FLOW_DNAT,
156 	NF_FLOW_TEARDOWN,
157 	NF_FLOW_HW,
158 	NF_FLOW_HW_DYING,
159 	NF_FLOW_HW_DEAD,
160 	NF_FLOW_HW_REFRESH,
161 	NF_FLOW_HW_PENDING,
162 };
163 
164 enum flow_offload_type {
165 	NF_FLOW_OFFLOAD_UNSPEC	= 0,
166 	NF_FLOW_OFFLOAD_ROUTE,
167 };
168 
169 struct flow_offload {
170 	struct flow_offload_tuple_rhash		tuplehash[FLOW_OFFLOAD_DIR_MAX];
171 	struct nf_conn				*ct;
172 	unsigned long				flags;
173 	u16					type;
174 	u32					timeout;
175 	struct rcu_head				rcu_head;
176 };
177 
178 #define NF_FLOW_TIMEOUT (30 * HZ)
179 #define nf_flowtable_time_stamp	(u32)jiffies
180 
181 static inline __s32 nf_flow_timeout_delta(unsigned int timeout)
182 {
183 	return (__s32)(timeout - nf_flowtable_time_stamp);
184 }
185 
186 struct nf_flow_route {
187 	struct {
188 		struct dst_entry		*dst;
189 		struct {
190 			u32			ifindex;
191 			struct {
192 				u16		id;
193 				__be16		proto;
194 			} encap[NF_FLOW_TABLE_ENCAP_MAX];
195 			u8			num_encaps:2,
196 						ingress_vlans:2;
197 		} in;
198 		struct {
199 			u32			ifindex;
200 			u32			hw_ifindex;
201 			u8			h_source[ETH_ALEN];
202 			u8			h_dest[ETH_ALEN];
203 		} out;
204 		enum flow_offload_xmit_type	xmit_type;
205 	} tuple[FLOW_OFFLOAD_DIR_MAX];
206 };
207 
208 struct flow_offload *flow_offload_alloc(struct nf_conn *ct);
209 void flow_offload_free(struct flow_offload *flow);
210 
211 static inline int
212 nf_flow_table_offload_add_cb(struct nf_flowtable *flow_table,
213 			     flow_setup_cb_t *cb, void *cb_priv)
214 {
215 	struct flow_block *block = &flow_table->flow_block;
216 	struct flow_block_cb *block_cb;
217 	int err = 0;
218 
219 	down_write(&flow_table->flow_block_lock);
220 	block_cb = flow_block_cb_lookup(block, cb, cb_priv);
221 	if (block_cb) {
222 		err = -EEXIST;
223 		goto unlock;
224 	}
225 
226 	block_cb = flow_block_cb_alloc(cb, cb_priv, cb_priv, NULL);
227 	if (IS_ERR(block_cb)) {
228 		err = PTR_ERR(block_cb);
229 		goto unlock;
230 	}
231 
232 	list_add_tail(&block_cb->list, &block->cb_list);
233 
234 unlock:
235 	up_write(&flow_table->flow_block_lock);
236 	return err;
237 }
238 
239 static inline void
240 nf_flow_table_offload_del_cb(struct nf_flowtable *flow_table,
241 			     flow_setup_cb_t *cb, void *cb_priv)
242 {
243 	struct flow_block *block = &flow_table->flow_block;
244 	struct flow_block_cb *block_cb;
245 
246 	down_write(&flow_table->flow_block_lock);
247 	block_cb = flow_block_cb_lookup(block, cb, cb_priv);
248 	if (block_cb) {
249 		list_del(&block_cb->list);
250 		flow_block_cb_free(block_cb);
251 	} else {
252 		WARN_ON(true);
253 	}
254 	up_write(&flow_table->flow_block_lock);
255 }
256 
257 int flow_offload_route_init(struct flow_offload *flow,
258 			    const struct nf_flow_route *route);
259 
260 int flow_offload_add(struct nf_flowtable *flow_table, struct flow_offload *flow);
261 void flow_offload_refresh(struct nf_flowtable *flow_table,
262 			  struct flow_offload *flow);
263 
264 struct flow_offload_tuple_rhash *flow_offload_lookup(struct nf_flowtable *flow_table,
265 						     struct flow_offload_tuple *tuple);
266 void nf_flow_table_gc_cleanup(struct nf_flowtable *flowtable,
267 			      struct net_device *dev);
268 void nf_flow_table_cleanup(struct net_device *dev);
269 
270 int nf_flow_table_init(struct nf_flowtable *flow_table);
271 void nf_flow_table_free(struct nf_flowtable *flow_table);
272 
273 void flow_offload_teardown(struct flow_offload *flow);
274 
275 void nf_flow_snat_port(const struct flow_offload *flow,
276 		       struct sk_buff *skb, unsigned int thoff,
277 		       u8 protocol, enum flow_offload_tuple_dir dir);
278 void nf_flow_dnat_port(const struct flow_offload *flow,
279 		       struct sk_buff *skb, unsigned int thoff,
280 		       u8 protocol, enum flow_offload_tuple_dir dir);
281 
282 struct flow_ports {
283 	__be16 source, dest;
284 };
285 
286 unsigned int nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
287 				     const struct nf_hook_state *state);
288 unsigned int nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb,
289 				       const struct nf_hook_state *state);
290 
291 #define MODULE_ALIAS_NF_FLOWTABLE(family)	\
292 	MODULE_ALIAS("nf-flowtable-" __stringify(family))
293 
294 void nf_flow_offload_add(struct nf_flowtable *flowtable,
295 			 struct flow_offload *flow);
296 void nf_flow_offload_del(struct nf_flowtable *flowtable,
297 			 struct flow_offload *flow);
298 void nf_flow_offload_stats(struct nf_flowtable *flowtable,
299 			   struct flow_offload *flow);
300 
301 void nf_flow_table_offload_flush(struct nf_flowtable *flowtable);
302 int nf_flow_table_offload_setup(struct nf_flowtable *flowtable,
303 				struct net_device *dev,
304 				enum flow_block_command cmd);
305 int nf_flow_rule_route_ipv4(struct net *net, const struct flow_offload *flow,
306 			    enum flow_offload_tuple_dir dir,
307 			    struct nf_flow_rule *flow_rule);
308 int nf_flow_rule_route_ipv6(struct net *net, const struct flow_offload *flow,
309 			    enum flow_offload_tuple_dir dir,
310 			    struct nf_flow_rule *flow_rule);
311 
312 int nf_flow_table_offload_init(void);
313 void nf_flow_table_offload_exit(void);
314 
315 #endif /* _NF_FLOW_TABLE_H */
316