1 /* 2 * Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net> 3 * Copyright (c) 2014 Intel Corporation 4 * Author: Tomasz Bursztyka <tomasz.bursztyka@linux.intel.com> 5 * 6 * This program is free software; you can redistribute it and/or modify 7 * it under the terms of the GNU General Public License version 2 as 8 * published by the Free Software Foundation. 9 * 10 * Development of this code funded by Astaro AG (http://www.astaro.com/) 11 */ 12 13 #include <linux/kernel.h> 14 #include <linux/netlink.h> 15 #include <linux/netfilter.h> 16 #include <linux/netfilter/nf_tables.h> 17 #include <linux/in.h> 18 #include <linux/ip.h> 19 #include <linux/ipv6.h> 20 #include <linux/smp.h> 21 #include <linux/static_key.h> 22 #include <net/dst.h> 23 #include <net/sock.h> 24 #include <net/tcp_states.h> /* for TCP_TIME_WAIT */ 25 #include <net/netfilter/nf_tables.h> 26 #include <net/netfilter/nf_tables_core.h> 27 28 #include <uapi/linux/netfilter_bridge.h> /* NF_BR_PRE_ROUTING */ 29 30 struct nft_meta { 31 enum nft_meta_keys key:8; 32 union { 33 enum nft_registers dreg:8; 34 enum nft_registers sreg:8; 35 }; 36 }; 37 38 static DEFINE_PER_CPU(struct rnd_state, nft_prandom_state); 39 40 #ifdef CONFIG_NF_TABLES_BRIDGE 41 #include "../bridge/br_private.h" 42 #endif 43 44 void nft_meta_get_eval(const struct nft_expr *expr, 45 struct nft_regs *regs, 46 const struct nft_pktinfo *pkt) 47 { 48 const struct nft_meta *priv = nft_expr_priv(expr); 49 const struct sk_buff *skb = pkt->skb; 50 const struct net_device *in = nft_in(pkt), *out = nft_out(pkt); 51 struct sock *sk; 52 u32 *dest = ®s->data[priv->dreg]; 53 #ifdef CONFIG_NF_TABLES_BRIDGE 54 const struct net_bridge_port *p; 55 #endif 56 57 switch (priv->key) { 58 case NFT_META_LEN: 59 *dest = skb->len; 60 break; 61 case NFT_META_PROTOCOL: 62 nft_reg_store16(dest, (__force u16)skb->protocol); 63 break; 64 case NFT_META_NFPROTO: 65 nft_reg_store8(dest, nft_pf(pkt)); 66 break; 67 case NFT_META_L4PROTO: 68 if (!pkt->tprot_set) 69 goto err; 70 nft_reg_store8(dest, pkt->tprot); 71 break; 72 case NFT_META_PRIORITY: 73 *dest = skb->priority; 74 break; 75 case NFT_META_MARK: 76 *dest = skb->mark; 77 break; 78 case NFT_META_IIF: 79 if (in == NULL) 80 goto err; 81 *dest = in->ifindex; 82 break; 83 case NFT_META_OIF: 84 if (out == NULL) 85 goto err; 86 *dest = out->ifindex; 87 break; 88 case NFT_META_IIFNAME: 89 if (in == NULL) 90 goto err; 91 strncpy((char *)dest, in->name, IFNAMSIZ); 92 break; 93 case NFT_META_OIFNAME: 94 if (out == NULL) 95 goto err; 96 strncpy((char *)dest, out->name, IFNAMSIZ); 97 break; 98 case NFT_META_IIFTYPE: 99 if (in == NULL) 100 goto err; 101 nft_reg_store16(dest, in->type); 102 break; 103 case NFT_META_OIFTYPE: 104 if (out == NULL) 105 goto err; 106 nft_reg_store16(dest, out->type); 107 break; 108 case NFT_META_SKUID: 109 sk = skb_to_full_sk(skb); 110 if (!sk || !sk_fullsock(sk) || 111 !net_eq(nft_net(pkt), sock_net(sk))) 112 goto err; 113 114 read_lock_bh(&sk->sk_callback_lock); 115 if (sk->sk_socket == NULL || 116 sk->sk_socket->file == NULL) { 117 read_unlock_bh(&sk->sk_callback_lock); 118 goto err; 119 } 120 121 *dest = from_kuid_munged(&init_user_ns, 122 sk->sk_socket->file->f_cred->fsuid); 123 read_unlock_bh(&sk->sk_callback_lock); 124 break; 125 case NFT_META_SKGID: 126 sk = skb_to_full_sk(skb); 127 if (!sk || !sk_fullsock(sk) || 128 !net_eq(nft_net(pkt), sock_net(sk))) 129 goto err; 130 131 read_lock_bh(&sk->sk_callback_lock); 132 if (sk->sk_socket == NULL || 133 sk->sk_socket->file == NULL) { 134 read_unlock_bh(&sk->sk_callback_lock); 135 goto err; 136 } 137 *dest = from_kgid_munged(&init_user_ns, 138 sk->sk_socket->file->f_cred->fsgid); 139 read_unlock_bh(&sk->sk_callback_lock); 140 break; 141 #ifdef CONFIG_IP_ROUTE_CLASSID 142 case NFT_META_RTCLASSID: { 143 const struct dst_entry *dst = skb_dst(skb); 144 145 if (dst == NULL) 146 goto err; 147 *dest = dst->tclassid; 148 break; 149 } 150 #endif 151 #ifdef CONFIG_NETWORK_SECMARK 152 case NFT_META_SECMARK: 153 *dest = skb->secmark; 154 break; 155 #endif 156 case NFT_META_PKTTYPE: 157 if (skb->pkt_type != PACKET_LOOPBACK) { 158 nft_reg_store8(dest, skb->pkt_type); 159 break; 160 } 161 162 switch (nft_pf(pkt)) { 163 case NFPROTO_IPV4: 164 if (ipv4_is_multicast(ip_hdr(skb)->daddr)) 165 nft_reg_store8(dest, PACKET_MULTICAST); 166 else 167 nft_reg_store8(dest, PACKET_BROADCAST); 168 break; 169 case NFPROTO_IPV6: 170 nft_reg_store8(dest, PACKET_MULTICAST); 171 break; 172 case NFPROTO_NETDEV: 173 switch (skb->protocol) { 174 case htons(ETH_P_IP): { 175 int noff = skb_network_offset(skb); 176 struct iphdr *iph, _iph; 177 178 iph = skb_header_pointer(skb, noff, 179 sizeof(_iph), &_iph); 180 if (!iph) 181 goto err; 182 183 if (ipv4_is_multicast(iph->daddr)) 184 nft_reg_store8(dest, PACKET_MULTICAST); 185 else 186 nft_reg_store8(dest, PACKET_BROADCAST); 187 188 break; 189 } 190 case htons(ETH_P_IPV6): 191 nft_reg_store8(dest, PACKET_MULTICAST); 192 break; 193 default: 194 WARN_ON_ONCE(1); 195 goto err; 196 } 197 break; 198 default: 199 WARN_ON_ONCE(1); 200 goto err; 201 } 202 break; 203 case NFT_META_CPU: 204 *dest = raw_smp_processor_id(); 205 break; 206 case NFT_META_IIFGROUP: 207 if (in == NULL) 208 goto err; 209 *dest = in->group; 210 break; 211 case NFT_META_OIFGROUP: 212 if (out == NULL) 213 goto err; 214 *dest = out->group; 215 break; 216 #ifdef CONFIG_CGROUP_NET_CLASSID 217 case NFT_META_CGROUP: 218 sk = skb_to_full_sk(skb); 219 if (!sk || !sk_fullsock(sk) || 220 !net_eq(nft_net(pkt), sock_net(sk))) 221 goto err; 222 *dest = sock_cgroup_classid(&sk->sk_cgrp_data); 223 break; 224 #endif 225 case NFT_META_PRANDOM: { 226 struct rnd_state *state = this_cpu_ptr(&nft_prandom_state); 227 *dest = prandom_u32_state(state); 228 break; 229 } 230 #ifdef CONFIG_XFRM 231 case NFT_META_SECPATH: 232 nft_reg_store8(dest, secpath_exists(skb)); 233 break; 234 #endif 235 #ifdef CONFIG_NF_TABLES_BRIDGE 236 case NFT_META_BRI_IIFNAME: 237 if (in == NULL || (p = br_port_get_rcu(in)) == NULL) 238 goto err; 239 strncpy((char *)dest, p->br->dev->name, IFNAMSIZ); 240 return; 241 case NFT_META_BRI_OIFNAME: 242 if (out == NULL || (p = br_port_get_rcu(out)) == NULL) 243 goto err; 244 strncpy((char *)dest, p->br->dev->name, IFNAMSIZ); 245 return; 246 #endif 247 case NFT_META_IIFKIND: 248 if (in == NULL || in->rtnl_link_ops == NULL) 249 goto err; 250 strncpy((char *)dest, in->rtnl_link_ops->kind, IFNAMSIZ); 251 break; 252 case NFT_META_OIFKIND: 253 if (out == NULL || out->rtnl_link_ops == NULL) 254 goto err; 255 strncpy((char *)dest, out->rtnl_link_ops->kind, IFNAMSIZ); 256 break; 257 default: 258 WARN_ON(1); 259 goto err; 260 } 261 return; 262 263 err: 264 regs->verdict.code = NFT_BREAK; 265 } 266 267 static void nft_meta_set_eval(const struct nft_expr *expr, 268 struct nft_regs *regs, 269 const struct nft_pktinfo *pkt) 270 { 271 const struct nft_meta *meta = nft_expr_priv(expr); 272 struct sk_buff *skb = pkt->skb; 273 u32 *sreg = ®s->data[meta->sreg]; 274 u32 value = *sreg; 275 u8 value8; 276 277 switch (meta->key) { 278 case NFT_META_MARK: 279 skb->mark = value; 280 break; 281 case NFT_META_PRIORITY: 282 skb->priority = value; 283 break; 284 case NFT_META_PKTTYPE: 285 value8 = nft_reg_load8(sreg); 286 287 if (skb->pkt_type != value8 && 288 skb_pkt_type_ok(value8) && 289 skb_pkt_type_ok(skb->pkt_type)) 290 skb->pkt_type = value8; 291 break; 292 case NFT_META_NFTRACE: 293 value8 = nft_reg_load8(sreg); 294 295 skb->nf_trace = !!value8; 296 break; 297 #ifdef CONFIG_NETWORK_SECMARK 298 case NFT_META_SECMARK: 299 skb->secmark = value; 300 break; 301 #endif 302 default: 303 WARN_ON(1); 304 } 305 } 306 307 static const struct nla_policy nft_meta_policy[NFTA_META_MAX + 1] = { 308 [NFTA_META_DREG] = { .type = NLA_U32 }, 309 [NFTA_META_KEY] = { .type = NLA_U32 }, 310 [NFTA_META_SREG] = { .type = NLA_U32 }, 311 }; 312 313 static int nft_meta_get_init(const struct nft_ctx *ctx, 314 const struct nft_expr *expr, 315 const struct nlattr * const tb[]) 316 { 317 struct nft_meta *priv = nft_expr_priv(expr); 318 unsigned int len; 319 320 priv->key = ntohl(nla_get_be32(tb[NFTA_META_KEY])); 321 switch (priv->key) { 322 case NFT_META_PROTOCOL: 323 case NFT_META_IIFTYPE: 324 case NFT_META_OIFTYPE: 325 len = sizeof(u16); 326 break; 327 case NFT_META_NFPROTO: 328 case NFT_META_L4PROTO: 329 case NFT_META_LEN: 330 case NFT_META_PRIORITY: 331 case NFT_META_MARK: 332 case NFT_META_IIF: 333 case NFT_META_OIF: 334 case NFT_META_SKUID: 335 case NFT_META_SKGID: 336 #ifdef CONFIG_IP_ROUTE_CLASSID 337 case NFT_META_RTCLASSID: 338 #endif 339 #ifdef CONFIG_NETWORK_SECMARK 340 case NFT_META_SECMARK: 341 #endif 342 case NFT_META_PKTTYPE: 343 case NFT_META_CPU: 344 case NFT_META_IIFGROUP: 345 case NFT_META_OIFGROUP: 346 #ifdef CONFIG_CGROUP_NET_CLASSID 347 case NFT_META_CGROUP: 348 #endif 349 len = sizeof(u32); 350 break; 351 case NFT_META_IIFNAME: 352 case NFT_META_OIFNAME: 353 case NFT_META_IIFKIND: 354 case NFT_META_OIFKIND: 355 len = IFNAMSIZ; 356 break; 357 case NFT_META_PRANDOM: 358 prandom_init_once(&nft_prandom_state); 359 len = sizeof(u32); 360 break; 361 #ifdef CONFIG_XFRM 362 case NFT_META_SECPATH: 363 len = sizeof(u8); 364 break; 365 #endif 366 #ifdef CONFIG_NF_TABLES_BRIDGE 367 case NFT_META_BRI_IIFNAME: 368 case NFT_META_BRI_OIFNAME: 369 if (ctx->family != NFPROTO_BRIDGE) 370 return -EOPNOTSUPP; 371 len = IFNAMSIZ; 372 break; 373 #endif 374 default: 375 return -EOPNOTSUPP; 376 } 377 378 priv->dreg = nft_parse_register(tb[NFTA_META_DREG]); 379 return nft_validate_register_store(ctx, priv->dreg, NULL, 380 NFT_DATA_VALUE, len); 381 } 382 383 static int nft_meta_get_validate(const struct nft_ctx *ctx, 384 const struct nft_expr *expr, 385 const struct nft_data **data) 386 { 387 #ifdef CONFIG_XFRM 388 const struct nft_meta *priv = nft_expr_priv(expr); 389 unsigned int hooks; 390 391 if (priv->key != NFT_META_SECPATH) 392 return 0; 393 394 switch (ctx->family) { 395 case NFPROTO_NETDEV: 396 hooks = 1 << NF_NETDEV_INGRESS; 397 break; 398 case NFPROTO_IPV4: 399 case NFPROTO_IPV6: 400 case NFPROTO_INET: 401 hooks = (1 << NF_INET_PRE_ROUTING) | 402 (1 << NF_INET_LOCAL_IN) | 403 (1 << NF_INET_FORWARD); 404 break; 405 default: 406 return -EOPNOTSUPP; 407 } 408 409 return nft_chain_validate_hooks(ctx->chain, hooks); 410 #else 411 return 0; 412 #endif 413 } 414 415 static int nft_meta_set_validate(const struct nft_ctx *ctx, 416 const struct nft_expr *expr, 417 const struct nft_data **data) 418 { 419 struct nft_meta *priv = nft_expr_priv(expr); 420 unsigned int hooks; 421 422 if (priv->key != NFT_META_PKTTYPE) 423 return 0; 424 425 switch (ctx->family) { 426 case NFPROTO_BRIDGE: 427 hooks = 1 << NF_BR_PRE_ROUTING; 428 break; 429 case NFPROTO_NETDEV: 430 hooks = 1 << NF_NETDEV_INGRESS; 431 break; 432 case NFPROTO_IPV4: 433 case NFPROTO_IPV6: 434 case NFPROTO_INET: 435 hooks = 1 << NF_INET_PRE_ROUTING; 436 break; 437 default: 438 return -EOPNOTSUPP; 439 } 440 441 return nft_chain_validate_hooks(ctx->chain, hooks); 442 } 443 444 static int nft_meta_set_init(const struct nft_ctx *ctx, 445 const struct nft_expr *expr, 446 const struct nlattr * const tb[]) 447 { 448 struct nft_meta *priv = nft_expr_priv(expr); 449 unsigned int len; 450 int err; 451 452 priv->key = ntohl(nla_get_be32(tb[NFTA_META_KEY])); 453 switch (priv->key) { 454 case NFT_META_MARK: 455 case NFT_META_PRIORITY: 456 #ifdef CONFIG_NETWORK_SECMARK 457 case NFT_META_SECMARK: 458 #endif 459 len = sizeof(u32); 460 break; 461 case NFT_META_NFTRACE: 462 len = sizeof(u8); 463 break; 464 case NFT_META_PKTTYPE: 465 len = sizeof(u8); 466 break; 467 default: 468 return -EOPNOTSUPP; 469 } 470 471 priv->sreg = nft_parse_register(tb[NFTA_META_SREG]); 472 err = nft_validate_register_load(priv->sreg, len); 473 if (err < 0) 474 return err; 475 476 if (priv->key == NFT_META_NFTRACE) 477 static_branch_inc(&nft_trace_enabled); 478 479 return 0; 480 } 481 482 static int nft_meta_get_dump(struct sk_buff *skb, 483 const struct nft_expr *expr) 484 { 485 const struct nft_meta *priv = nft_expr_priv(expr); 486 487 if (nla_put_be32(skb, NFTA_META_KEY, htonl(priv->key))) 488 goto nla_put_failure; 489 if (nft_dump_register(skb, NFTA_META_DREG, priv->dreg)) 490 goto nla_put_failure; 491 return 0; 492 493 nla_put_failure: 494 return -1; 495 } 496 497 static int nft_meta_set_dump(struct sk_buff *skb, const struct nft_expr *expr) 498 { 499 const struct nft_meta *priv = nft_expr_priv(expr); 500 501 if (nla_put_be32(skb, NFTA_META_KEY, htonl(priv->key))) 502 goto nla_put_failure; 503 if (nft_dump_register(skb, NFTA_META_SREG, priv->sreg)) 504 goto nla_put_failure; 505 506 return 0; 507 508 nla_put_failure: 509 return -1; 510 } 511 512 static void nft_meta_set_destroy(const struct nft_ctx *ctx, 513 const struct nft_expr *expr) 514 { 515 const struct nft_meta *priv = nft_expr_priv(expr); 516 517 if (priv->key == NFT_META_NFTRACE) 518 static_branch_dec(&nft_trace_enabled); 519 } 520 521 static const struct nft_expr_ops nft_meta_get_ops = { 522 .type = &nft_meta_type, 523 .size = NFT_EXPR_SIZE(sizeof(struct nft_meta)), 524 .eval = nft_meta_get_eval, 525 .init = nft_meta_get_init, 526 .dump = nft_meta_get_dump, 527 .validate = nft_meta_get_validate, 528 }; 529 530 static const struct nft_expr_ops nft_meta_set_ops = { 531 .type = &nft_meta_type, 532 .size = NFT_EXPR_SIZE(sizeof(struct nft_meta)), 533 .eval = nft_meta_set_eval, 534 .init = nft_meta_set_init, 535 .destroy = nft_meta_set_destroy, 536 .dump = nft_meta_set_dump, 537 .validate = nft_meta_set_validate, 538 }; 539 540 static const struct nft_expr_ops * 541 nft_meta_select_ops(const struct nft_ctx *ctx, 542 const struct nlattr * const tb[]) 543 { 544 if (tb[NFTA_META_KEY] == NULL) 545 return ERR_PTR(-EINVAL); 546 547 if (tb[NFTA_META_DREG] && tb[NFTA_META_SREG]) 548 return ERR_PTR(-EINVAL); 549 550 if (tb[NFTA_META_DREG]) 551 return &nft_meta_get_ops; 552 553 if (tb[NFTA_META_SREG]) 554 return &nft_meta_set_ops; 555 556 return ERR_PTR(-EINVAL); 557 } 558 559 struct nft_expr_type nft_meta_type __read_mostly = { 560 .name = "meta", 561 .select_ops = nft_meta_select_ops, 562 .policy = nft_meta_policy, 563 .maxattr = NFTA_META_MAX, 564 .owner = THIS_MODULE, 565 }; 566 567 #ifdef CONFIG_NETWORK_SECMARK 568 struct nft_secmark { 569 u32 secid; 570 char *ctx; 571 }; 572 573 static const struct nla_policy nft_secmark_policy[NFTA_SECMARK_MAX + 1] = { 574 [NFTA_SECMARK_CTX] = { .type = NLA_STRING, .len = NFT_SECMARK_CTX_MAXLEN }, 575 }; 576 577 static int nft_secmark_compute_secid(struct nft_secmark *priv) 578 { 579 u32 tmp_secid = 0; 580 int err; 581 582 err = security_secctx_to_secid(priv->ctx, strlen(priv->ctx), &tmp_secid); 583 if (err) 584 return err; 585 586 if (!tmp_secid) 587 return -ENOENT; 588 589 err = security_secmark_relabel_packet(tmp_secid); 590 if (err) 591 return err; 592 593 priv->secid = tmp_secid; 594 return 0; 595 } 596 597 static void nft_secmark_obj_eval(struct nft_object *obj, struct nft_regs *regs, 598 const struct nft_pktinfo *pkt) 599 { 600 const struct nft_secmark *priv = nft_obj_data(obj); 601 struct sk_buff *skb = pkt->skb; 602 603 skb->secmark = priv->secid; 604 } 605 606 static int nft_secmark_obj_init(const struct nft_ctx *ctx, 607 const struct nlattr * const tb[], 608 struct nft_object *obj) 609 { 610 struct nft_secmark *priv = nft_obj_data(obj); 611 int err; 612 613 if (tb[NFTA_SECMARK_CTX] == NULL) 614 return -EINVAL; 615 616 priv->ctx = nla_strdup(tb[NFTA_SECMARK_CTX], GFP_KERNEL); 617 if (!priv->ctx) 618 return -ENOMEM; 619 620 err = nft_secmark_compute_secid(priv); 621 if (err) { 622 kfree(priv->ctx); 623 return err; 624 } 625 626 security_secmark_refcount_inc(); 627 628 return 0; 629 } 630 631 static int nft_secmark_obj_dump(struct sk_buff *skb, struct nft_object *obj, 632 bool reset) 633 { 634 struct nft_secmark *priv = nft_obj_data(obj); 635 int err; 636 637 if (nla_put_string(skb, NFTA_SECMARK_CTX, priv->ctx)) 638 return -1; 639 640 if (reset) { 641 err = nft_secmark_compute_secid(priv); 642 if (err) 643 return err; 644 } 645 646 return 0; 647 } 648 649 static void nft_secmark_obj_destroy(const struct nft_ctx *ctx, struct nft_object *obj) 650 { 651 struct nft_secmark *priv = nft_obj_data(obj); 652 653 security_secmark_refcount_dec(); 654 655 kfree(priv->ctx); 656 } 657 658 static const struct nft_object_ops nft_secmark_obj_ops = { 659 .type = &nft_secmark_obj_type, 660 .size = sizeof(struct nft_secmark), 661 .init = nft_secmark_obj_init, 662 .eval = nft_secmark_obj_eval, 663 .dump = nft_secmark_obj_dump, 664 .destroy = nft_secmark_obj_destroy, 665 }; 666 struct nft_object_type nft_secmark_obj_type __read_mostly = { 667 .type = NFT_OBJECT_SECMARK, 668 .ops = &nft_secmark_obj_ops, 669 .maxattr = NFTA_SECMARK_MAX, 670 .policy = nft_secmark_policy, 671 .owner = THIS_MODULE, 672 }; 673 #endif /* CONFIG_NETWORK_SECMARK */ 674