1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (c) 2009 Patrick McHardy <kaber@trash.net> 4 * 5 * Development of this code funded by Astaro AG (http://www.astaro.com/) 6 */ 7 8 #include <linux/kernel.h> 9 #include <linux/init.h> 10 #include <linux/list.h> 11 #include <linux/rbtree.h> 12 #include <linux/netlink.h> 13 #include <linux/netfilter.h> 14 #include <linux/netfilter/nf_tables.h> 15 #include <net/netfilter/nf_tables.h> 16 #include <net/netfilter/nf_tables_core.h> 17 18 struct nft_lookup { 19 struct nft_set *set; 20 u8 sreg; 21 u8 dreg; 22 bool invert; 23 struct nft_set_binding binding; 24 }; 25 26 void nft_lookup_eval(const struct nft_expr *expr, 27 struct nft_regs *regs, 28 const struct nft_pktinfo *pkt) 29 { 30 const struct nft_lookup *priv = nft_expr_priv(expr); 31 const struct nft_set *set = priv->set; 32 const struct nft_set_ext *ext = NULL; 33 const struct net *net = nft_net(pkt); 34 bool found; 35 36 found = set->ops->lookup(net, set, ®s->data[priv->sreg], &ext) ^ 37 priv->invert; 38 if (!found) { 39 ext = nft_set_catchall_lookup(net, set); 40 if (!ext) { 41 regs->verdict.code = NFT_BREAK; 42 return; 43 } 44 } 45 46 if (ext) { 47 if (set->flags & NFT_SET_MAP) 48 nft_data_copy(®s->data[priv->dreg], 49 nft_set_ext_data(ext), set->dlen); 50 51 nft_set_elem_update_expr(ext, regs, pkt); 52 } 53 } 54 55 static const struct nla_policy nft_lookup_policy[NFTA_LOOKUP_MAX + 1] = { 56 [NFTA_LOOKUP_SET] = { .type = NLA_STRING, 57 .len = NFT_SET_MAXNAMELEN - 1 }, 58 [NFTA_LOOKUP_SET_ID] = { .type = NLA_U32 }, 59 [NFTA_LOOKUP_SREG] = { .type = NLA_U32 }, 60 [NFTA_LOOKUP_DREG] = { .type = NLA_U32 }, 61 [NFTA_LOOKUP_FLAGS] = { .type = NLA_U32 }, 62 }; 63 64 static int nft_lookup_init(const struct nft_ctx *ctx, 65 const struct nft_expr *expr, 66 const struct nlattr * const tb[]) 67 { 68 struct nft_lookup *priv = nft_expr_priv(expr); 69 u8 genmask = nft_genmask_next(ctx->net); 70 struct nft_set *set; 71 u32 flags; 72 int err; 73 74 if (tb[NFTA_LOOKUP_SET] == NULL || 75 tb[NFTA_LOOKUP_SREG] == NULL) 76 return -EINVAL; 77 78 set = nft_set_lookup_global(ctx->net, ctx->table, tb[NFTA_LOOKUP_SET], 79 tb[NFTA_LOOKUP_SET_ID], genmask); 80 if (IS_ERR(set)) 81 return PTR_ERR(set); 82 83 err = nft_parse_register_load(tb[NFTA_LOOKUP_SREG], &priv->sreg, 84 set->klen); 85 if (err < 0) 86 return err; 87 88 if (tb[NFTA_LOOKUP_FLAGS]) { 89 flags = ntohl(nla_get_be32(tb[NFTA_LOOKUP_FLAGS])); 90 91 if (flags & ~NFT_LOOKUP_F_INV) 92 return -EINVAL; 93 94 if (flags & NFT_LOOKUP_F_INV) { 95 if (set->flags & NFT_SET_MAP) 96 return -EINVAL; 97 priv->invert = true; 98 } 99 } 100 101 if (tb[NFTA_LOOKUP_DREG] != NULL) { 102 if (priv->invert) 103 return -EINVAL; 104 if (!(set->flags & NFT_SET_MAP)) 105 return -EINVAL; 106 107 err = nft_parse_register_store(ctx, tb[NFTA_LOOKUP_DREG], 108 &priv->dreg, NULL, set->dtype, 109 set->dlen); 110 if (err < 0) 111 return err; 112 } else if (set->flags & NFT_SET_MAP) 113 return -EINVAL; 114 115 priv->binding.flags = set->flags & NFT_SET_MAP; 116 117 err = nf_tables_bind_set(ctx, set, &priv->binding); 118 if (err < 0) 119 return err; 120 121 priv->set = set; 122 return 0; 123 } 124 125 static void nft_lookup_deactivate(const struct nft_ctx *ctx, 126 const struct nft_expr *expr, 127 enum nft_trans_phase phase) 128 { 129 struct nft_lookup *priv = nft_expr_priv(expr); 130 131 nf_tables_deactivate_set(ctx, priv->set, &priv->binding, phase); 132 } 133 134 static void nft_lookup_activate(const struct nft_ctx *ctx, 135 const struct nft_expr *expr) 136 { 137 struct nft_lookup *priv = nft_expr_priv(expr); 138 139 priv->set->use++; 140 } 141 142 static void nft_lookup_destroy(const struct nft_ctx *ctx, 143 const struct nft_expr *expr) 144 { 145 struct nft_lookup *priv = nft_expr_priv(expr); 146 147 nf_tables_destroy_set(ctx, priv->set); 148 } 149 150 static int nft_lookup_dump(struct sk_buff *skb, const struct nft_expr *expr) 151 { 152 const struct nft_lookup *priv = nft_expr_priv(expr); 153 u32 flags = priv->invert ? NFT_LOOKUP_F_INV : 0; 154 155 if (nla_put_string(skb, NFTA_LOOKUP_SET, priv->set->name)) 156 goto nla_put_failure; 157 if (nft_dump_register(skb, NFTA_LOOKUP_SREG, priv->sreg)) 158 goto nla_put_failure; 159 if (priv->set->flags & NFT_SET_MAP) 160 if (nft_dump_register(skb, NFTA_LOOKUP_DREG, priv->dreg)) 161 goto nla_put_failure; 162 if (nla_put_be32(skb, NFTA_LOOKUP_FLAGS, htonl(flags))) 163 goto nla_put_failure; 164 return 0; 165 166 nla_put_failure: 167 return -1; 168 } 169 170 static int nft_lookup_validate_setelem(const struct nft_ctx *ctx, 171 struct nft_set *set, 172 const struct nft_set_iter *iter, 173 struct nft_set_elem *elem) 174 { 175 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv); 176 struct nft_ctx *pctx = (struct nft_ctx *)ctx; 177 const struct nft_data *data; 178 int err; 179 180 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) && 181 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END) 182 return 0; 183 184 data = nft_set_ext_data(ext); 185 switch (data->verdict.code) { 186 case NFT_JUMP: 187 case NFT_GOTO: 188 pctx->level++; 189 err = nft_chain_validate(ctx, data->verdict.chain); 190 if (err < 0) 191 return err; 192 pctx->level--; 193 break; 194 default: 195 break; 196 } 197 198 return 0; 199 } 200 201 static int nft_lookup_validate(const struct nft_ctx *ctx, 202 const struct nft_expr *expr, 203 const struct nft_data **d) 204 { 205 const struct nft_lookup *priv = nft_expr_priv(expr); 206 struct nft_set_iter iter; 207 208 if (!(priv->set->flags & NFT_SET_MAP) || 209 priv->set->dtype != NFT_DATA_VERDICT) 210 return 0; 211 212 iter.genmask = nft_genmask_next(ctx->net); 213 iter.skip = 0; 214 iter.count = 0; 215 iter.err = 0; 216 iter.fn = nft_lookup_validate_setelem; 217 218 priv->set->ops->walk(ctx, priv->set, &iter); 219 if (iter.err < 0) 220 return iter.err; 221 222 return 0; 223 } 224 225 static const struct nft_expr_ops nft_lookup_ops = { 226 .type = &nft_lookup_type, 227 .size = NFT_EXPR_SIZE(sizeof(struct nft_lookup)), 228 .eval = nft_lookup_eval, 229 .init = nft_lookup_init, 230 .activate = nft_lookup_activate, 231 .deactivate = nft_lookup_deactivate, 232 .destroy = nft_lookup_destroy, 233 .dump = nft_lookup_dump, 234 .validate = nft_lookup_validate, 235 }; 236 237 struct nft_expr_type nft_lookup_type __read_mostly = { 238 .name = "lookup", 239 .ops = &nft_lookup_ops, 240 .policy = nft_lookup_policy, 241 .maxattr = NFTA_LOOKUP_MAX, 242 .owner = THIS_MODULE, 243 }; 244