1 #ifndef _NF_FLOW_TABLE_H
2 #define _NF_FLOW_TABLE_H
3 
4 #include <linux/in.h>
5 #include <linux/in6.h>
6 #include <linux/netdevice.h>
7 #include <linux/rhashtable-types.h>
8 #include <linux/rcupdate.h>
9 #include <linux/netfilter.h>
10 #include <linux/netfilter/nf_conntrack_tuple_common.h>
11 #include <net/flow_offload.h>
12 #include <net/dst.h>
13 
14 struct nf_flowtable;
15 struct nf_flow_rule;
16 struct flow_offload;
17 enum flow_offload_tuple_dir;
18 
19 struct nf_flow_key {
20 	struct flow_dissector_key_meta			meta;
21 	struct flow_dissector_key_control		control;
22 	struct flow_dissector_key_control		enc_control;
23 	struct flow_dissector_key_basic			basic;
24 	union {
25 		struct flow_dissector_key_ipv4_addrs	ipv4;
26 		struct flow_dissector_key_ipv6_addrs	ipv6;
27 	};
28 	struct flow_dissector_key_keyid			enc_key_id;
29 	union {
30 		struct flow_dissector_key_ipv4_addrs	enc_ipv4;
31 		struct flow_dissector_key_ipv6_addrs	enc_ipv6;
32 	};
33 	struct flow_dissector_key_tcp			tcp;
34 	struct flow_dissector_key_ports			tp;
35 } __aligned(BITS_PER_LONG / 8); /* Ensure that we can do comparisons as longs. */
36 
37 struct nf_flow_match {
38 	struct flow_dissector	dissector;
39 	struct nf_flow_key	key;
40 	struct nf_flow_key	mask;
41 };
42 
43 struct nf_flow_rule {
44 	struct nf_flow_match	match;
45 	struct flow_rule	*rule;
46 };
47 
48 struct nf_flowtable_type {
49 	struct list_head		list;
50 	int				family;
51 	int				(*init)(struct nf_flowtable *ft);
52 	int				(*setup)(struct nf_flowtable *ft,
53 						 struct net_device *dev,
54 						 enum flow_block_command cmd);
55 	int				(*action)(struct net *net,
56 						  const struct flow_offload *flow,
57 						  enum flow_offload_tuple_dir dir,
58 						  struct nf_flow_rule *flow_rule);
59 	void				(*free)(struct nf_flowtable *ft);
60 	nf_hookfn			*hook;
61 	struct module			*owner;
62 };
63 
64 enum nf_flowtable_flags {
65 	NF_FLOWTABLE_HW_OFFLOAD		= 0x1,	/* NFT_FLOWTABLE_HW_OFFLOAD */
66 	NF_FLOWTABLE_COUNTER		= 0x2,	/* NFT_FLOWTABLE_COUNTER */
67 };
68 
69 struct nf_flowtable {
70 	struct list_head		list;
71 	struct rhashtable		rhashtable;
72 	int				priority;
73 	const struct nf_flowtable_type	*type;
74 	struct delayed_work		gc_work;
75 	unsigned int			flags;
76 	struct flow_block		flow_block;
77 	struct rw_semaphore		flow_block_lock; /* Guards flow_block */
78 	possible_net_t			net;
79 };
80 
81 static inline bool nf_flowtable_hw_offload(struct nf_flowtable *flowtable)
82 {
83 	return flowtable->flags & NF_FLOWTABLE_HW_OFFLOAD;
84 }
85 
86 enum flow_offload_tuple_dir {
87 	FLOW_OFFLOAD_DIR_ORIGINAL = IP_CT_DIR_ORIGINAL,
88 	FLOW_OFFLOAD_DIR_REPLY = IP_CT_DIR_REPLY,
89 	FLOW_OFFLOAD_DIR_MAX = IP_CT_DIR_MAX
90 };
91 
92 struct flow_offload_tuple {
93 	union {
94 		struct in_addr		src_v4;
95 		struct in6_addr		src_v6;
96 	};
97 	union {
98 		struct in_addr		dst_v4;
99 		struct in6_addr		dst_v6;
100 	};
101 	struct {
102 		__be16			src_port;
103 		__be16			dst_port;
104 	};
105 
106 	int				iifidx;
107 
108 	u8				l3proto;
109 	u8				l4proto;
110 	u8				dir;
111 
112 	u16				mtu;
113 
114 	struct dst_entry		*dst_cache;
115 };
116 
117 struct flow_offload_tuple_rhash {
118 	struct rhash_head		node;
119 	struct flow_offload_tuple	tuple;
120 };
121 
122 enum nf_flow_flags {
123 	NF_FLOW_SNAT,
124 	NF_FLOW_DNAT,
125 	NF_FLOW_TEARDOWN,
126 	NF_FLOW_HW,
127 	NF_FLOW_HW_DYING,
128 	NF_FLOW_HW_DEAD,
129 	NF_FLOW_HW_REFRESH,
130 	NF_FLOW_HW_PENDING,
131 };
132 
133 enum flow_offload_type {
134 	NF_FLOW_OFFLOAD_UNSPEC	= 0,
135 	NF_FLOW_OFFLOAD_ROUTE,
136 };
137 
138 struct flow_offload {
139 	struct flow_offload_tuple_rhash		tuplehash[FLOW_OFFLOAD_DIR_MAX];
140 	struct nf_conn				*ct;
141 	unsigned long				flags;
142 	u16					type;
143 	u32					timeout;
144 	struct rcu_head				rcu_head;
145 };
146 
147 #define NF_FLOW_TIMEOUT (30 * HZ)
148 #define nf_flowtable_time_stamp	(u32)jiffies
149 
150 static inline __s32 nf_flow_timeout_delta(unsigned int timeout)
151 {
152 	return (__s32)(timeout - nf_flowtable_time_stamp);
153 }
154 
155 struct nf_flow_route {
156 	struct {
157 		struct dst_entry	*dst;
158 	} tuple[FLOW_OFFLOAD_DIR_MAX];
159 };
160 
161 struct flow_offload *flow_offload_alloc(struct nf_conn *ct);
162 void flow_offload_free(struct flow_offload *flow);
163 
164 int nf_flow_table_offload_add_cb(struct nf_flowtable *flow_table,
165 				 flow_setup_cb_t *cb, void *cb_priv);
166 void nf_flow_table_offload_del_cb(struct nf_flowtable *flow_table,
167 				  flow_setup_cb_t *cb, void *cb_priv);
168 
169 int flow_offload_route_init(struct flow_offload *flow,
170 			    const struct nf_flow_route *route);
171 
172 int flow_offload_add(struct nf_flowtable *flow_table, struct flow_offload *flow);
173 void flow_offload_refresh(struct nf_flowtable *flow_table,
174 			  struct flow_offload *flow);
175 
176 struct flow_offload_tuple_rhash *flow_offload_lookup(struct nf_flowtable *flow_table,
177 						     struct flow_offload_tuple *tuple);
178 void nf_flow_table_gc_cleanup(struct nf_flowtable *flowtable,
179 			      struct net_device *dev);
180 void nf_flow_table_cleanup(struct net_device *dev);
181 
182 int nf_flow_table_init(struct nf_flowtable *flow_table);
183 void nf_flow_table_free(struct nf_flowtable *flow_table);
184 
185 void flow_offload_teardown(struct flow_offload *flow);
186 
187 int nf_flow_snat_port(const struct flow_offload *flow,
188 		      struct sk_buff *skb, unsigned int thoff,
189 		      u8 protocol, enum flow_offload_tuple_dir dir);
190 int nf_flow_dnat_port(const struct flow_offload *flow,
191 		      struct sk_buff *skb, unsigned int thoff,
192 		      u8 protocol, enum flow_offload_tuple_dir dir);
193 
194 struct flow_ports {
195 	__be16 source, dest;
196 };
197 
198 unsigned int nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb,
199 				     const struct nf_hook_state *state);
200 unsigned int nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb,
201 				       const struct nf_hook_state *state);
202 
203 #define MODULE_ALIAS_NF_FLOWTABLE(family)	\
204 	MODULE_ALIAS("nf-flowtable-" __stringify(family))
205 
206 void nf_flow_offload_add(struct nf_flowtable *flowtable,
207 			 struct flow_offload *flow);
208 void nf_flow_offload_del(struct nf_flowtable *flowtable,
209 			 struct flow_offload *flow);
210 void nf_flow_offload_stats(struct nf_flowtable *flowtable,
211 			   struct flow_offload *flow);
212 
213 void nf_flow_table_offload_flush(struct nf_flowtable *flowtable);
214 int nf_flow_table_offload_setup(struct nf_flowtable *flowtable,
215 				struct net_device *dev,
216 				enum flow_block_command cmd);
217 int nf_flow_rule_route_ipv4(struct net *net, const struct flow_offload *flow,
218 			    enum flow_offload_tuple_dir dir,
219 			    struct nf_flow_rule *flow_rule);
220 int nf_flow_rule_route_ipv6(struct net *net, const struct flow_offload *flow,
221 			    enum flow_offload_tuple_dir dir,
222 			    struct nf_flow_rule *flow_rule);
223 
224 int nf_flow_table_offload_init(void);
225 void nf_flow_table_offload_exit(void);
226 
227 #endif /* _NF_FLOW_TABLE_H */
228