/*
 * net/sched/cls_api.c	Packet classifier API.
 *
 *		This program is free software; you can redistribute it and/or
 *		modify it under the terms of the GNU General Public License
 *		as published by the Free Software Foundation; either version
 *		2 of the License, or (at your option) any later version.
 *
 * Authors:	Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>
 *
 * Changes:
 *
 * Eduardo J. Blanco <ejbs@netlabs.com.uy> :990222: kmod support
 *
 */

#include <linux/module.h>
#include <linux/types.h>
#include <linux/kernel.h>
#include <linux/string.h>
#include <linux/errno.h>
#include <linux/err.h>
#include <linux/skbuff.h>
#include <linux/init.h>
#include <linux/kmod.h>
#include <linux/slab.h>
#include <linux/idr.h>
#include <net/net_namespace.h>
#include <net/sock.h>
#include <net/netlink.h>
#include <net/pkt_sched.h>
#include <net/pkt_cls.h>

/* The list of all installed classifier types */
static LIST_HEAD(tcf_proto_base);

/* Protects list of registered TC modules. It is pure SMP lock. */
static DEFINE_RWLOCK(cls_mod_lock);

/* Find classifier type by string name.
 *
 * Walks tcf_proto_base under the read side of cls_mod_lock and compares
 * @kind against every registered ops->kind with strcmp(). @kind therefore
 * has to be a NUL-terminated string; nothing in this function bounds its
 * length.
 *
 * Returns the matching ops with a reference taken on its owner module by
 * try_module_get(), or NULL when @kind is NULL, when no entry matches, or
 * when the module reference could not be taken. The reference is not
 * dropped here.
 */

static const struct tcf_proto_ops *tcf_proto_lookup_ops(const char *kind)
{
	const struct tcf_proto_ops *t, *res = NULL;

	if (kind) {
		read_lock(&cls_mod_lock);
		list_for_each_entry(t, &tcf_proto_base, head) {
			if (strcmp(kind, t->kind) == 0) {
				/* A failed module get leaves res NULL, so the
				 * classifier is reported as not found.
				 */
				if (try_module_get(t->owner))
					res = t;
				break;
			}
		}
		read_unlock(&cls_mod_lock);
	}
	return res;
}

/* Register(unregister) new classifier type */

/* Append @ops to the list of classifier types.
 *
 * Returns 0 on success, or -EEXIST when an entry with the same kind string
 * is already on the list. The scan and the insertion both happen under the
 * write side of cls_mod_lock.
 */
int register_tcf_proto_ops(struct tcf_proto_ops *ops)
{
	struct tcf_proto_ops *t;
	int rc = -EEXIST;

	write_lock(&cls_mod_lock);
	list_for_each_entry(t, &tcf_proto_base, head)
		if (!strcmp(ops->kind, t->kind))
			goto out;

	list_add_tail(&ops->head, &tcf_proto_base);
	rc = 0;
out:
	write_unlock(&cls_mod_lock);
	return rc;
}
EXPORT_SYMBOL(register_tcf_proto_ops);

/* Workqueue used by tcf_queue_work(); it is not assigned anywhere in the
 * part of the file shown here.
 */
static struct workqueue_struct *tc_filter_wq;

/* Remove @ops from the list of classifier types.
 *
 * Entries are matched by pointer identity, not by kind string. Returns 0
 * when @ops was found and unlinked, -ENOENT otherwise.
 */
int unregister_tcf_proto_ops(struct tcf_proto_ops *ops)
{
	struct tcf_proto_ops *t;
	int rc = -ENOENT;

	/* Wait for outstanding call_rcu()s, if any, from a
	 * tcf_proto_ops's destroy() handler.
	 */
	rcu_barrier();
	/* Deferred work queued through tcf_queue_work() is drained as well,
	 * before the entry is taken off the list.
	 */
	flush_workqueue(tc_filter_wq);

	write_lock(&cls_mod_lock);
	list_for_each_entry(t, &tcf_proto_base, head) {
		if (t == ops) {
			list_del(&t->head);
			rc = 0;
			break;
		}
	}
	write_unlock(&cls_mod_lock);
	return rc;
}
EXPORT_SYMBOL(unregister_tcf_proto_ops);

/* Initialise @rwork with @func and queue it on tc_filter_wq.
 *
 * Returns whatever queue_rcu_work() returns.
 */
bool tcf_queue_work(struct rcu_work *rwork, work_func_t func)
{
	INIT_RCU_WORK(rwork, func);
	return queue_rcu_work(tc_filter_wq, rwork);
}
EXPORT_SYMBOL(tcf_queue_work);

/* Select new prio value from the range, managed by kernel.
*/

/* With @tp NULL the starting value is TC_H_MAKE(0xC0000000U, 0U); otherwise
 * it is one below @tp's priority. Only the TC_H_MAJ() part is returned.
 */
static inline u32 tcf_auto_prio(struct tcf_proto *tp)
{
	u32 first = TC_H_MAKE(0xC0000000U, 0U);

	if (tp)
		first = tp->prio - 1;

	return TC_H_MAJ(first);
}

/* Allocate a tcf_proto and bind it to the classifier type named @kind.
 *
 * @kind is handed to strcmp() (through tcf_proto_lookup_ops()) and to
 * request_module() as a "%s" argument, so it must be NUL-terminated; the
 * callers own that check. The module name always carries the fixed "cls_"
 * prefix, so a request can only name modules under that prefix.
 *
 * Returns the new tcf_proto, or an ERR_PTR():
 *   -ENOBUFS  allocation failed
 *   -ENOENT   no classifier of that kind (extack is only set when
 *             CONFIG_MODULES is enabled)
 *   -EAGAIN   the classifier appeared after a module load; RTNL was dropped
 *             meanwhile, so the caller has to replay the whole request
 *   other     whatever ops->init() returned
 */
static struct tcf_proto *tcf_proto_create(const char *kind, u32 protocol,
					  u32 prio, struct tcf_chain *chain,
					  struct netlink_ext_ack *extack)
{
	struct tcf_proto *tp;
	int err;

	tp = kzalloc(sizeof(*tp), GFP_KERNEL);
	if (!tp)
		return ERR_PTR(-ENOBUFS);

	err = -ENOENT;
	tp->ops = tcf_proto_lookup_ops(kind);
	if (!tp->ops) {
#ifdef CONFIG_MODULES
		rtnl_unlock();
		request_module("cls_%s", kind);
		rtnl_lock();
		tp->ops = tcf_proto_lookup_ops(kind);
		/* We dropped the RTNL semaphore in order to perform
		 * the module load. So, even if we succeeded in loading
		 * the module we have to replay the request. We indicate
		 * this using -EAGAIN.
		 */
		if (tp->ops) {
			/* Drop the reference the second lookup took; the
			 * replayed request looks the ops up again.
			 */
			module_put(tp->ops->owner);
			err = -EAGAIN;
		} else {
			NL_SET_ERR_MSG(extack, "TC classifier not found");
			err = -ENOENT;
		}
#endif
		goto errout;
	}
	tp->classify = tp->ops->classify;
	tp->protocol = protocol;
	tp->prio = prio;
	tp->chain = chain;

	err = tp->ops->init(tp);
	if (err) {
		module_put(tp->ops->owner);
		goto errout;
	}
	return tp;

errout:
	kfree(tp);
	return ERR_PTR(err);
}

/* Tear down @tp: run the classifier's destroy(), drop the module reference
 * taken at lookup time, and free @tp through kfree_rcu().
 */
static void tcf_proto_destroy(struct tcf_proto *tp,
			      struct netlink_ext_ack *extack)
{
	tp->ops->destroy(tp, extack);
	module_put(tp->ops->owner);
	kfree_rcu(tp, rcu);
}

/* One registered "chain head changed" callback with its private argument. */
struct tcf_filter_chain_list_item {
	struct list_head list;
	tcf_chain_head_change_t *chain_head_change;
	void *chain_head_change_priv;
};

/* Allocate chain @chain_index, link it into @block and return it holding
 * one reference. Returns NULL when the allocation fails.
 */
static struct tcf_chain *tcf_chain_create(struct tcf_block *block,
					  u32 chain_index)
{
	struct tcf_chain *chain;

	chain = kzalloc(sizeof(*chain), GFP_KERNEL);
	if (!chain)
		return NULL;
	INIT_LIST_HEAD(&chain->filter_chain_list);
	list_add_tail(&chain->list, &block->chain_list);
	chain->block = block;
	chain->index = chain_index;
	chain->refcnt = 1;
	return chain;
}

/* Invoke @item's callback with the new head, if a callback is set. */
static void tcf_chain_head_change_item(struct tcf_filter_chain_list_item *item,
				       struct tcf_proto *tp_head)
{
	if (item->chain_head_change)
		item->chain_head_change(tp_head, item->chain_head_change_priv);
}
/* Tell every callback registered on @chain that the head is now @tp_head. */
static void tcf_chain_head_change(struct tcf_chain *chain,
				  struct tcf_proto *tp_head)
{
	struct tcf_filter_chain_list_item *item;

	list_for_each_entry(item, &chain->filter_chain_list, list)
		tcf_chain_head_change_item(item, tp_head);
}

/* Destroy every filter on @chain.
 *
 * The registered callbacks are first told the head is NULL, then each
 * tcf_proto is unlinked and destroyed, and one chain reference is dropped
 * per filter. Since tcf_chain_put() frees the chain when its count reaches
 * zero, @chain may no longer exist on return unless the caller holds a
 * reference of its own.
 */
static void tcf_chain_flush(struct tcf_chain *chain)
{
	struct tcf_proto *tp = rtnl_dereference(chain->filter_chain);

	tcf_chain_head_change(chain, NULL);
	while (tp) {
		RCU_INIT_POINTER(chain->filter_chain, tp->next);
		tcf_proto_destroy(tp, NULL);
		/* Read the next head before the put below, which may free
		 * the chain.
		 */
		tp = rtnl_dereference(chain->filter_chain);
		tcf_chain_put(chain);
	}
}

/* Unlink and free @chain; when it was the last chain on its block, the
 * block is freed too.
 */
static void tcf_chain_destroy(struct tcf_chain *chain)
{
	/* Keep the block pointer: chain is freed before the list check. */
	struct tcf_block *block = chain->block;

	list_del(&chain->list);
	kfree(chain);
	if (list_empty(&block->chain_list))
		kfree(block);
}

/* Take a chain reference. The counter is a plain, non-atomic increment;
 * presumably all callers are serialized by RTNL - confirm.
 */
static void tcf_chain_hold(struct tcf_chain *chain)
{
	++chain->refcnt;
}

/* Look up chain @chain_index on @block.
 *
 * An existing chain is returned with an extra reference. Otherwise a new
 * chain is created when @create is true (NULL if that allocation fails),
 * and NULL is returned when @create is false.
 */
struct tcf_chain *tcf_chain_get(struct tcf_block *block, u32 chain_index,
				bool create)
{
	struct tcf_chain *chain;

	list_for_each_entry(chain, &block->chain_list, list) {
		if (chain->index == chain_index) {
			tcf_chain_hold(chain);
			return chain;
		}
	}

	return create ? tcf_chain_create(block, chain_index) : NULL;
}
EXPORT_SYMBOL(tcf_chain_get);

/* Drop a chain reference and destroy the chain on the last put. The
 * caller must not touch @chain afterwards unless it holds another
 * reference.
 */
void tcf_chain_put(struct tcf_chain *chain)
{
	if (--chain->refcnt == 0)
		tcf_chain_destroy(chain);
}
EXPORT_SYMBOL(tcf_chain_put);

/* True when block->offloadcnt is non-zero. */
static bool tcf_block_offload_in_use(struct tcf_block *block)
{
	return block->offloadcnt;
}

/* Issue a TC_SETUP_BLOCK @command for @block to @dev's ndo_setup_tc().
 * The caller must have checked that the device implements ndo_setup_tc;
 * the pointer is called unconditionally here.
 */
static int tcf_block_offload_cmd(struct tcf_block *block,
				 struct net_device *dev,
				 struct tcf_block_ext_info *ei,
				 enum tc_block_command command,
				 struct netlink_ext_ack *extack)
{
	struct tc_block_offload bo = {};

	bo.command = command;
	bo.binder_type = ei->binder_type;
	bo.block = block;
	bo.extack = extack;
	return dev->netdev_ops->ndo_setup_tc(dev, TC_SETUP_BLOCK, &bo);
}

/* Bind @block to the device behind @q for offload.
 *
 * A device without ndo_setup_tc, or one whose bind returns -EOPNOTSUPP, is
 * counted in block->nooffloaddevcnt, unless the block already has
 * offloaded filters, in which case the bind is refused with -EOPNOTSUPP.
 * Any other result of the bind command is returned unchanged.
 */
static int tcf_block_offload_bind(struct tcf_block *block, struct Qdisc *q,
				  struct tcf_block_ext_info *ei,
				  struct netlink_ext_ack *extack)
{
	struct net_device *dev = q->dev_queue->dev;
	int err;

	if (!dev->netdev_ops->ndo_setup_tc)
		goto no_offload_dev_inc;

	/* If tc offload feature is disabled and the block we try to bind
	 * to already has some offloaded filters, forbid to bind.
	 */
	if (!tc_can_offload(dev) && tcf_block_offload_in_use(block)) {
		NL_SET_ERR_MSG(extack, "Bind to offloaded block failed as dev has offload disabled");
		return -EOPNOTSUPP;
	}

	err = tcf_block_offload_cmd(block, dev, ei, TC_BLOCK_BIND, extack);
	if (err == -EOPNOTSUPP)
		goto no_offload_dev_inc;
	return err;

no_offload_dev_inc:
	if (tcf_block_offload_in_use(block))
		return -EOPNOTSUPP;
	block->nooffloaddevcnt++;
	return 0;
}

/* Undo tcf_block_offload_bind(). For a device that cannot offload, the
 * nooffloaddevcnt counter is decremented, with a warning if it was already
 * zero (the decrement still happens and wraps the counter).
 */
static void tcf_block_offload_unbind(struct tcf_block *block, struct Qdisc *q,
				     struct tcf_block_ext_info *ei)
{
	struct net_device *dev = q->dev_queue->dev;
	int err;

	if (!dev->netdev_ops->ndo_setup_tc)
		goto no_offload_dev_dec;
	err = tcf_block_offload_cmd(block, dev, ei, TC_BLOCK_UNBIND, NULL);
	if (err == -EOPNOTSUPP)
		goto no_offload_dev_dec;
	return;

no_offload_dev_dec:
	WARN_ON(block->nooffloaddevcnt-- == 0);
}

/* Register the head-change callback described by @ei on @chain.
 *
 * If the chain already has a head, the new callback is invoked with it
 * right away. Returns 0, or -ENOMEM when the list item cannot be
 * allocated.
 */
static int
tcf_chain_head_change_cb_add(struct tcf_chain *chain,
			     struct tcf_block_ext_info *ei,
			     struct netlink_ext_ack *extack)
{
	struct tcf_filter_chain_list_item *item;

	item = kmalloc(sizeof(*item), GFP_KERNEL);
	if (!item) {
		NL_SET_ERR_MSG(extack, "Memory allocation for head change callback item failed");
		return -ENOMEM;
	}
	item->chain_head_change = ei->chain_head_change;
	item->chain_head_change_priv = ei->chain_head_change_priv;
	if (chain->filter_chain)
		tcf_chain_head_change_item(item, chain->filter_chain);
	list_add(&item->list, &chain->filter_chain_list);
	return 0;
}

/* Remove the head-change callback matching @ei from @chain.
 *
 * When @ei carries neither a callback nor a private pointer, the first
 * item on the list is removed. The removed callback is invoked once more
 * with a NULL head. Finding no item triggers a warning.
 */
static void
tcf_chain_head_change_cb_del(struct tcf_chain *chain,
			     struct tcf_block_ext_info *ei)
{
	struct tcf_filter_chain_list_item *item;

	list_for_each_entry(item, &chain->filter_chain_list, list) {
		if ((!ei->chain_head_change && !ei->chain_head_change_priv) ||
		    (item->chain_head_change == ei->chain_head_change &&
		     item->chain_head_change_priv == ei->chain_head_change_priv)) {
			tcf_chain_head_change_item(item, NULL);
			list_del(&item->list);
			kfree(item);
			/* Returning here is what makes the plain (non-_safe)
			 * list walk acceptable after the free.
			 */
			return;
		}
	}
	WARN_ON(1);
}

/* Per network namespace state: the IDR that maps block index to block. */
struct tcf_net {
	struct idr idr;
};

static unsigned int tcf_net_id;

/* Publish @block in @net's IDR under block->index. The same value is
 * passed as start and as upper bound, so only that exact index can be
 * allocated. Returns the idr_alloc_u32() result.
 */
static int tcf_block_insert(struct tcf_block *block, struct net *net,
			    struct netlink_ext_ack *extack)
{
	struct tcf_net *tn = net_generic(net, tcf_net_id);

	return idr_alloc_u32(&tn->idr, block, &block->index, block->index,
			     GFP_KERNEL);
}

/* Remove @block's index from @net's IDR. */
static void tcf_block_remove(struct tcf_block *block, struct net *net)
{
	struct tcf_net *tn = net_generic(net, tcf_net_id);

	idr_remove(&tn->idr, block->index);
}

/* Allocate a block with index @block_index and its mandatory chain 0.
 *
 * Returns the block holding one reference, or ERR_PTR(-ENOMEM). The block
 * is not inserted into the IDR here.
 */
static struct tcf_block *tcf_block_create(struct net *net, struct Qdisc *q,
					  u32 block_index,
					  struct netlink_ext_ack *extack)
{
	struct tcf_block *block;
	struct tcf_chain *chain;
	int err;

	block = kzalloc(sizeof(*block), GFP_KERNEL);
	if (!block) {
		NL_SET_ERR_MSG(extack, "Memory allocation for block failed");
		return ERR_PTR(-ENOMEM);
	}
	INIT_LIST_HEAD(&block->chain_list);
	INIT_LIST_HEAD(&block->cb_list);
	INIT_LIST_HEAD(&block->owner_list);

	/* Create chain 0 by default, it has to be always present. */
	chain = tcf_chain_create(block, 0);
	if (!chain) {
		NL_SET_ERR_MSG(extack, "Failed to create new tcf chain");
		err = -ENOMEM;
		goto err_chain_create;
	}
	block->refcnt = 1;
	block->net = net;
	block->index = block_index;

	/* Don't store q pointer for blocks which are shared */
	if (!tcf_block_shared(block))
		block->q = q;
	return block;

err_chain_create:
	kfree(block);
	return ERR_PTR(err);
}

/* Return the block registered under @block_index in @net, or NULL. No
 * reference is taken.
 */
static struct tcf_block *tcf_block_lookup(struct net *net, u32 block_index)
{
	struct tcf_net *tn = net_generic(net, tcf_net_id);

	return idr_find(&tn->idr, block_index);
}

/* Find tcf block.
 * Set q, parent, cl when appropriate.
 *
 * With @ifindex == TCM_IFINDEX_MAGIC_BLOCK the block is looked up by
 * @block_index and @q, @parent and @cl are left untouched. Otherwise the
 * device, qdisc and (when *@parent has a minor part) the class are
 * resolved, and the block is obtained from the qdisc's class ops. A shared
 * block reached this way is rejected, so shared blocks can only be
 * addressed by index.
 *
 * Returns the block or an ERR_PTR() (-EINVAL, -ENODEV, -ENOENT,
 * -EOPNOTSUPP). *@cl is passed to cops->tcf_block() even when no class
 * lookup happened, so the caller must initialise it.
 */

static struct tcf_block *tcf_block_find(struct net *net, struct Qdisc **q,
					u32 *parent, unsigned long *cl,
					int ifindex, u32 block_index,
					struct netlink_ext_ack *extack)
{
	struct tcf_block *block;

	if (ifindex == TCM_IFINDEX_MAGIC_BLOCK) {
		block = tcf_block_lookup(net, block_index);
		if (!block) {
			NL_SET_ERR_MSG(extack, "Block of given index was not found");
			return ERR_PTR(-EINVAL);
		}
	} else {
		const struct Qdisc_class_ops *cops;
		struct net_device *dev;

		/* Find link */
		dev = __dev_get_by_index(net, ifindex);
		if (!dev)
			return ERR_PTR(-ENODEV);

		/* Find qdisc */
		if (!*parent) {
			*q = dev->qdisc;
			*parent = (*q)->handle;
		} else {
			*q = qdisc_lookup(dev, TC_H_MAJ(*parent));
			if (!*q) {
				NL_SET_ERR_MSG(extack, "Parent Qdisc doesn't exists");
				return ERR_PTR(-EINVAL);
			}
		}

		/* Is it classful? */
		cops = (*q)->ops->cl_ops;
		if (!cops) {
			NL_SET_ERR_MSG(extack, "Qdisc not classful");
			return ERR_PTR(-EINVAL);
		}

		if (!cops->tcf_block) {
			NL_SET_ERR_MSG(extack, "Class doesn't support blocks");
			return ERR_PTR(-EOPNOTSUPP);
		}

		/* Do we search for filter, attached to class? */
		if (TC_H_MIN(*parent)) {
			*cl = cops->find(*q, *parent);
			if (*cl == 0) {
				NL_SET_ERR_MSG(extack, "Specified class doesn't exist");
				return ERR_PTR(-ENOENT);
			}
		}

		/* And the last stroke */
		block = cops->tcf_block(*q, *cl, extack);
		if (!block)
			return ERR_PTR(-EINVAL);
		if (tcf_block_shared(block)) {
			NL_SET_ERR_MSG(extack, "This filter block is shared. Please use the block index to manipulate the filters");
			return ERR_PTR(-EOPNOTSUPP);
		}
	}

	return block;
}

/* Return the first entry of @block's chain list. tcf_block_create() adds
 * chain 0 first, so this is chain 0 as long as that entry is still linked;
 * the list is not checked for emptiness.
 */
static struct tcf_chain *tcf_block_chain_zero(struct tcf_block *block)
{
	return list_first_entry(&block->chain_list, struct tcf_chain, list);
}

/* Records one qdisc, and how it is bound, that uses a block. */
struct tcf_block_owner_item {
	struct list_head list;
	struct Qdisc *q;
	enum tcf_block_binder_type binder_type;
};

/* Call netif_keep_dst() on @q's device when the block asked for it and the
 * binding is neither clsact ingress nor clsact egress.
 */
static void
tcf_block_owner_netif_keep_dst(struct tcf_block *block,
			       struct Qdisc *q,
			       enum tcf_block_binder_type binder_type)
{
	if (block->keep_dst &&
	    binder_type != TCF_BLOCK_BINDER_TYPE_CLSACT_INGRESS &&
	    binder_type != TCF_BLOCK_BINDER_TYPE_CLSACT_EGRESS)
		netif_keep_dst(qdisc_dev(q));
}

/* Mark @block as needing keep_dst and apply that to every current owner. */
void tcf_block_netif_keep_dst(struct tcf_block *block)
{
	struct tcf_block_owner_item *item;

	block->keep_dst = true;
	list_for_each_entry(item, &block->owner_list, list)
		tcf_block_owner_netif_keep_dst(block, item->q,
					       item->binder_type);
}
EXPORT_SYMBOL(tcf_block_netif_keep_dst);

/* Record (@q, @binder_type) as an owner of @block. Returns 0 or -ENOMEM. */
static int tcf_block_owner_add(struct tcf_block *block,
			       struct Qdisc *q,
			       enum tcf_block_binder_type binder_type)
{
	struct tcf_block_owner_item *item;

	item = kmalloc(sizeof(*item), GFP_KERNEL);
	if (!item)
		return -ENOMEM;
	item->q = q;
	item->binder_type = binder_type;
	list_add(&item->list, &block->owner_list);
	return 0;
}

/* Drop the owner record for (@q, @binder_type); warns when none exists. */
static void tcf_block_owner_del(struct tcf_block *block,
				struct Qdisc *q,
				enum tcf_block_binder_type binder_type)
{
	struct tcf_block_owner_item *item;

	list_for_each_entry(item, &block->owner_list, list) {
		if (item->q == q && item->binder_type == binder_type) {
			list_del(&item->list);
			kfree(item);
			return;
		}
	}
	WARN_ON(1);
}

/* Get (look up or create) the block for @q as described by @ei.
 *
 * A non-zero ei->block_index requests a shared block: an existing one is
 * reused with its refcnt bumped, otherwise a new block is created and
 * inserted into the namespace IDR. The qdisc is then recorded as owner,
 * the head-change callback is registered on chain 0, and the block is
 * bound for offload. On success *@p_block is set and 0 is returned; on
 * failure each completed step is undone in reverse order and a negative
 * errno is returned.
 */
int tcf_block_get_ext(struct tcf_block **p_block, struct Qdisc *q,
		      struct tcf_block_ext_info *ei,
		      struct netlink_ext_ack *extack)
{
	struct net *net = qdisc_net(q);
	struct tcf_block *block = NULL;
	bool created = false;
	int err;

	if (ei->block_index) {
		/* block_index not 0 means the shared block is requested */
		block = tcf_block_lookup(net, ei->block_index);
		if (block)
			block->refcnt++;
	}

	if (!block) {
		block = tcf_block_create(net, q, ei->block_index, extack);
		if (IS_ERR(block))
			return PTR_ERR(block);
		created = true;
		if (tcf_block_shared(block)) {
			err = tcf_block_insert(block, net, extack);
			if (err)
				goto err_block_insert;
		}
	}

	err = tcf_block_owner_add(block, q, ei->binder_type);
	if (err)
		goto err_block_owner_add;

	tcf_block_owner_netif_keep_dst(block, q, ei->binder_type);

	err = tcf_chain_head_change_cb_add(tcf_block_chain_zero(block),
					   ei, extack);
	if (err)
		goto err_chain_head_change_cb_add;

	err = tcf_block_offload_bind(block, q, ei, extack);
	if (err)
		goto err_block_offload_bind;

	*p_block = block;
	return 0;

err_block_offload_bind:
	tcf_chain_head_change_cb_del(tcf_block_chain_zero(block), ei);
err_chain_head_change_cb_add:
	tcf_block_owner_del(block, q, ei->binder_type);
err_block_owner_add:
	if (created) {
		if (tcf_block_shared(block))
			tcf_block_remove(block, net);
		/* err_block_insert sits inside this branch on purpose: a
		 * failed IDR insert only happens for a freshly created block
		 * and must skip the IDR removal above.
		 */
err_block_insert:
		kfree(tcf_block_chain_zero(block));
		kfree(block);
	} else {
		block->refcnt--;
	}
	return err;
}
EXPORT_SYMBOL(tcf_block_get_ext);

static void
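tcf_chain_head_change_dflt(struct tcf_proto *tp_head, void *priv)
{
	/* Default head-change callback: @priv is the location of the
	 * qdisc's filter chain pointer, which is published with
	 * rcu_assign_pointer(). @priv is dereferenced without a NULL check.
	 */
	struct tcf_proto __rcu **p_filter_chain = priv;

	rcu_assign_pointer(*p_filter_chain, tp_head);
}

/* Get a block for @q using the default head-change callback, which keeps
 * *@p_filter_chain pointing at the head of chain 0.
 *
 * NOTE(review): a NULL @p_filter_chain only triggers a warning; the call
 * still proceeds and the default callback would later write through that
 * NULL pointer.
 *
 * Returns the result of tcf_block_get_ext().
 */
int tcf_block_get(struct tcf_block **p_block,
		  struct tcf_proto __rcu **p_filter_chain, struct Qdisc *q,
		  struct netlink_ext_ack *extack)
{
	struct tcf_block_ext_info ei = {
		.chain_head_change = tcf_chain_head_change_dflt,
		.chain_head_change_priv = p_filter_chain,
	};

	WARN_ON(!p_filter_chain);
	return tcf_block_get_ext(p_block, q, &ei, extack);
}
EXPORT_SYMBOL(tcf_block_get);

/* XXX: Standalone actions are not allowed to jump to any chain, and bound
 * actions should be all removed after flushing.
 */
/* Release @q's use of @block.
 *
 * The head-change callback and the owner record are always removed and the
 * offload binding is always undone. When the last block reference goes,
 * the block is also removed from the IDR (if shared), all chains are
 * flushed, and the final chain puts free the chains and, through
 * tcf_chain_destroy(), the block itself. A NULL @block is ignored.
 */
void tcf_block_put_ext(struct tcf_block *block, struct Qdisc *q,
		       struct tcf_block_ext_info *ei)
{
	struct tcf_chain *chain, *tmp;

	if (!block)
		return;
	tcf_chain_head_change_cb_del(tcf_block_chain_zero(block), ei);
	tcf_block_owner_del(block, q, ei->binder_type);

	if (--block->refcnt == 0) {
		if (tcf_block_shared(block))
			tcf_block_remove(block, block->net);

		/* Hold a refcnt for all chains, so that they don't disappear
		 * while we are iterating.
		 */
		list_for_each_entry(chain, &block->chain_list, list)
			tcf_chain_hold(chain);

		list_for_each_entry(chain, &block->chain_list, list)
			tcf_chain_flush(chain);
	}

	/* Still safe to touch the block here: the references taken above
	 * keep every chain, and therefore the block, alive.
	 */
	tcf_block_offload_unbind(block, q, ei);

	if (block->refcnt == 0) {
		/* At this point, all the chains should have refcnt >= 1. */
		list_for_each_entry_safe(chain, tmp, &block->chain_list, list)
			tcf_chain_put(chain);

		/* Finally, put chain 0 and allow block to be freed. */
		tcf_chain_put(tcf_block_chain_zero(block));
	}
}
EXPORT_SYMBOL(tcf_block_put_ext);

/* Release a block obtained with tcf_block_get(). An all-zero ext info
 * makes tcf_chain_head_change_cb_del() remove the first registered
 * callback. A NULL @block is ignored.
 */
void tcf_block_put(struct tcf_block *block)
{
	struct tcf_block_ext_info ei = {0, };

	if (!block)
		return;
	tcf_block_put_ext(block, block->q, &ei);
}

EXPORT_SYMBOL(tcf_block_put);

/* One offload callback registered on a block. (cb, cb_ident) is the
 * lookup key, cb_priv is passed back to cb on every call.
 */
struct tcf_block_cb {
	struct list_head list;
	tc_setup_cb_t *cb;
	void *cb_ident;
	void *cb_priv;
	unsigned int refcnt;
};

/* Return the private pointer stored in @block_cb. */
void *tcf_block_cb_priv(struct tcf_block_cb *block_cb)
{
	return block_cb->cb_priv;
}
EXPORT_SYMBOL(tcf_block_cb_priv);

/* Find the callback entry registered with (@cb, @cb_ident) on @block.
 * Returns NULL when there is none. No reference is taken.
 */
struct tcf_block_cb *tcf_block_cb_lookup(struct tcf_block *block,
					 tc_setup_cb_t *cb, void *cb_ident)
{
	struct tcf_block_cb *block_cb;

	list_for_each_entry(block_cb, &block->cb_list, list)
		if (block_cb->cb == cb && block_cb->cb_ident == cb_ident)
			return block_cb;
	return NULL;
}
EXPORT_SYMBOL(tcf_block_cb_lookup);

/* Increment @block_cb's user count (plain, non-atomic counter). */
void tcf_block_cb_incref(struct tcf_block_cb *block_cb)
{
	block_cb->refcnt++;
}
EXPORT_SYMBOL(tcf_block_cb_incref);

/* Decrement @block_cb's user count and return the new value. Nothing is
 * freed here, and the counter is not checked for being zero beforehand.
 */
unsigned int tcf_block_cb_decref(struct tcf_block_cb *block_cb)
{
	return --block_cb->refcnt;
}
EXPORT_SYMBOL(tcf_block_cb_decref);

/* Replay (@add true) or withdraw (@add false) every filter on @block
 * through @cb.
 *
 * When adding, the first failure, or a classifier without reoffload()
 * while offload is in use, aborts the replay; everything is then withdrawn
 * again by one recursive call with @add false, and the error is returned.
 * Errors while withdrawing are ignored. Returns 0 on success.
 */
static int
tcf_block_playback_offloads(struct tcf_block *block, tc_setup_cb_t *cb,
			    void *cb_priv, bool add, bool offload_in_use,
			    struct netlink_ext_ack *extack)
{
	struct tcf_chain *chain;
	struct tcf_proto *tp;
	int err;

	list_for_each_entry(chain, &block->chain_list, list) {
		for (tp = rtnl_dereference(chain->filter_chain); tp;
		     tp = rtnl_dereference(tp->next)) {
			if (tp->ops->reoffload) {
				err = tp->ops->reoffload(tp, add, cb, cb_priv,
							 extack);
				if (err && add)
					goto err_playback_remove;
			} else if (add && offload_in_use) {
				err = -EOPNOTSUPP;
				NL_SET_ERR_MSG(extack, "Filter HW offload failed - classifier without re-offloading support");
				goto err_playback_remove;
			}
		}
	}

	return 0;

err_playback_remove:
	/* The recursion is one level deep: with add == false the error
	 * label is never reached again.
	 */
	tcf_block_playback_offloads(block, cb, cb_priv, false, offload_in_use,
				    extack);
	return err;
}

/* Register the offload callback (@cb, @cb_ident) on @block and replay the
 * filters already present to it.
 *
 * The entry is allocated before the replay, so an allocation failure can
 * no longer leave rules installed through @cb with no entry to withdraw
 * them. No check for an existing (@cb, @cb_ident) entry is made here.
 *
 * Returns the new entry, ERR_PTR(-ENOMEM), or the replay error as
 * ERR_PTR().
 */
struct tcf_block_cb *__tcf_block_cb_register(struct tcf_block *block,
					     tc_setup_cb_t *cb, void *cb_ident,
					     void *cb_priv,
					     struct netlink_ext_ack *extack)
{
	struct tcf_block_cb *block_cb;
	int err;

	block_cb = kzalloc(sizeof(*block_cb), GFP_KERNEL);
	if (!block_cb)
		return ERR_PTR(-ENOMEM);

	/* Replay any already present rules */
	err = tcf_block_playback_offloads(block, cb, cb_priv, true,
					  tcf_block_offload_in_use(block),
					  extack);
	if (err) {
		/* The replay has already withdrawn what it had added. */
		kfree(block_cb);
		return ERR_PTR(err);
	}

	block_cb->cb = cb;
	block_cb->cb_ident = cb_ident;
	block_cb->cb_priv = cb_priv;
	list_add(&block_cb->list, &block->cb_list);
	return block_cb;
}
EXPORT_SYMBOL(__tcf_block_cb_register);

/* Same as __tcf_block_cb_register(), reduced to 0 or a negative errno. */
int tcf_block_cb_register(struct tcf_block *block,
			  tc_setup_cb_t *cb, void *cb_ident,
			  void *cb_priv, struct netlink_ext_ack *extack)
{
	struct tcf_block_cb *block_cb;

	block_cb = __tcf_block_cb_register(block, cb, cb_ident, cb_priv,
					   extack);
	return IS_ERR(block_cb) ? PTR_ERR(block_cb) : 0;
}
EXPORT_SYMBOL(tcf_block_cb_register);

/* Withdraw all filters from @block_cb's callback, unlink the entry and
 * free it. The entry's refcnt is not consulted, so the caller must be sure
 * no other user still holds the pointer.
 */
void __tcf_block_cb_unregister(struct tcf_block *block,
			       struct tcf_block_cb *block_cb)
{
	tcf_block_playback_offloads(block, block_cb->cb, block_cb->cb_priv,
				    false, tcf_block_offload_in_use(block),
				    NULL);
	list_del(&block_cb->list);
	kfree(block_cb);
}
EXPORT_SYMBOL(__tcf_block_cb_unregister);

/* Unregister the entry matching (@cb, @cb_ident); a missing entry is
 * silently ignored.
 */
void tcf_block_cb_unregister(struct tcf_block *block,
			     tc_setup_cb_t *cb, void *cb_ident)
{
	struct tcf_block_cb *block_cb;

	block_cb = tcf_block_cb_lookup(block, cb, cb_ident);
	if (!block_cb)
		return;
	__tcf_block_cb_unregister(block, block_cb);
}
EXPORT_SYMBOL(tcf_block_cb_unregister);

/* Call every offload callback registered on @block.
 *
 * With @err_stop set, the call fails with -EOPNOTSUPP if any bound device
 * cannot offload, and the first callback error is returned at once.
 * Without it, errors are skipped. Otherwise the number of callbacks that
 * returned 0 is returned.
 */
static int tcf_block_cb_call(struct tcf_block *block, enum tc_setup_type type,
			     void *type_data, bool err_stop)
{
	struct tcf_block_cb *block_cb;
	int ok_count = 0;
	int err;

	/* Make sure all netdevs sharing this block are offload-capable. */
	if (block->nooffloaddevcnt && err_stop)
		return -EOPNOTSUPP;

	list_for_each_entry(block_cb, &block->cb_list, list) {
		err = block_cb->cb(type, type_data, block_cb->cb_priv);
		if (err) {
			if (err_stop)
				return err;
		} else {
			ok_count++;
		}
	}
	return ok_count;
}

/* Main classifier routine: scans classifier chain attached
 * to this qdisc, (optionally) tests for protocol and asks
 * specific classifiers.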
*/
/* Each tcf_proto whose protocol equals the packet's, or is ETH_P_ALL, is
 * asked in turn; the first result >= 0 is returned. TC_ACT_UNSPEC is
 * returned when the chain is exhausted.
 *
 * With CONFIG_NET_CLS_ACT, a TC_ACT_RECLASSIFY result (unless @compat_mode)
 * restarts from the original head, and a goto-chain result restarts from
 * res->goto_tp. The number of restarts per packet is capped by
 * max_reclassify_loop; beyond that the packet is dropped (TC_ACT_SHOT) and
 * a rate-limited notice is logged, so a looping filter configuration
 * cannot keep a packet in this function indefinitely.
 */
int tcf_classify(struct sk_buff *skb, const struct tcf_proto *tp,
		 struct tcf_result *res, bool compat_mode)
{
	__be16 protocol = tc_skb_protocol(skb);
#ifdef CONFIG_NET_CLS_ACT
	const int max_reclassify_loop = 4;
	const struct tcf_proto *orig_tp = tp;
	const struct tcf_proto *first_tp;
	int limit = 0;

reclassify:
#endif
	for (; tp; tp = rcu_dereference_bh(tp->next)) {
		int err;

		if (tp->protocol != protocol &&
		    tp->protocol != htons(ETH_P_ALL))
			continue;

		err = tp->classify(skb, tp, res);
#ifdef CONFIG_NET_CLS_ACT
		if (unlikely(err == TC_ACT_RECLASSIFY && !compat_mode)) {
			first_tp = orig_tp;
			goto reset;
		} else if (unlikely(TC_ACT_EXT_CMP(err, TC_ACT_GOTO_CHAIN))) {
			first_tp = res->goto_tp;
			goto reset;
		}
#endif
		if (err >= 0)
			return err;
	}

	return TC_ACT_UNSPEC; /* signal: continue lookup */
#ifdef CONFIG_NET_CLS_ACT
reset:
	/* Only reached from inside the loop, so tp is the non-NULL filter
	 * that asked for the restart.
	 */
	if (unlikely(limit++ >= max_reclassify_loop)) {
		net_notice_ratelimited("%u: reclassify loop, rule prio %u, protocol %02x\n",
				       tp->chain->block->index,
				       tp->prio & 0xffff,
				       ntohs(tp->protocol));
		return TC_ACT_SHOT;
	}

	tp = first_tp;
	/* Re-read the protocol before restarting the walk. */
	protocol = tc_skb_protocol(skb);
	goto reclassify;
#endif
}
EXPORT_SYMBOL(tcf_classify);

/* Position of a tcf_proto in its chain, as filled in by
 * tcf_chain_tp_find(): pprev is the link that points (or would point) at
 * it, next is its successor.
 */
struct tcf_chain_info {
	struct tcf_proto __rcu **pprev;
	struct tcf_proto __rcu *next;
};

/* Return the tcf_proto currently stored in the link chain_info->pprev. */
static struct tcf_proto *tcf_chain_tp_prev(struct tcf_chain_info *chain_info)
{
	return rtnl_dereference(*chain_info->pprev);
}

/* Link @tp into @chain at the position described by @chain_info and take a
 * chain reference for it. Head-change callbacks run first when the
 * position is the head of the chain.
 */
static void tcf_chain_tp_insert(struct tcf_chain *chain,
				struct tcf_chain_info *chain_info,
				struct tcf_proto *tp)
{
	if (*chain_info->pprev == chain->filter_chain)
		tcf_chain_head_change(chain, tp);
	/* tp->next is set before tp is published through *pprev. */
	RCU_INIT_POINTER(tp->next, tcf_chain_tp_prev(chain_info));
	rcu_assign_pointer(*chain_info->pprev, tp);
	tcf_chain_hold(chain);
}

static void
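tcf_chain_tp_remove(struct tcf_chain *chain,
		    struct tcf_chain_info *chain_info,
		    struct tcf_proto *tp)
{
	/* Unlink @tp from @chain using the position recorded in @chain_info
	 * and drop the chain reference the filter held. Head-change
	 * callbacks run when @tp was the head. @tp itself is not freed.
	 */
	struct tcf_proto *next = rtnl_dereference(chain_info->next);

	if (tp == chain->filter_chain)
		tcf_chain_head_change(chain, next);
	RCU_INIT_POINTER(*chain_info->pprev, next);
	tcf_chain_put(chain);
}

/* Look for the tcf_proto with priority @prio on @chain.
 *
 * The walk stops at the first entry whose prio is >= @prio, which assumes
 * the chain is kept in ascending priority order. @chain_info is filled
 * with the link where the entry is, or where a new one would be inserted.
 *
 * Returns the matching tcf_proto, NULL when there is none, or
 * ERR_PTR(-EINVAL) when an entry with that priority exists but
 * @prio_allocate is set, or a non-zero @protocol differs from the entry's.
 */
static struct tcf_proto *tcf_chain_tp_find(struct tcf_chain *chain,
					   struct tcf_chain_info *chain_info,
					   u32 protocol, u32 prio,
					   bool prio_allocate)
{
	struct tcf_proto **pprev;
	struct tcf_proto *tp;

	/* Check the chain for existence of proto-tcf with this priority */
	for (pprev = &chain->filter_chain;
	     (tp = rtnl_dereference(*pprev)); pprev = &tp->next) {
		if (tp->prio >= prio) {
			if (tp->prio == prio) {
				if (prio_allocate ||
				    (tp->protocol != protocol && protocol))
					return ERR_PTR(-EINVAL);
			} else {
				tp = NULL;
			}
			break;
		}
	}
	chain_info->pprev = pprev;
	chain_info->next = tp ? tp->next : NULL;
	return tp;
}

/* Build one tfilter netlink message for @tp (and filter handle @fh, if
 * any) at the tail of @skb.
 *
 * Returns skb->len on success. On failure the partial message is trimmed
 * off again and -1 is returned.
 */
static int tcf_fill_node(struct net *net, struct sk_buff *skb,
			 struct tcf_proto *tp, struct tcf_block *block,
			 struct Qdisc *q, u32 parent, void *fh,
			 u32 portid, u32 seq, u16 flags, int event)
{
	struct tcmsg *tcm;
	struct nlmsghdr *nlh;
	unsigned char *b = skb_tail_pointer(skb);

	nlh = nlmsg_put(skb, portid, seq, event, sizeof(*tcm), flags);
	if (!nlh)
		goto out_nlmsg_trim;
	tcm = nlmsg_data(nlh);
	tcm->tcm_family = AF_UNSPEC;
	tcm->tcm__pad1 = 0;
	tcm->tcm__pad2 = 0;
	if (q) {
		tcm->tcm_ifindex = qdisc_dev(q)->ifindex;
		tcm->tcm_parent = parent;
	} else {
		tcm->tcm_ifindex = TCM_IFINDEX_MAGIC_BLOCK;
		tcm->tcm_block_index = block->index;
	}
	tcm->tcm_info = TC_H_MAKE(tp->prio, tp->protocol);
	/* Give tcm_handle a defined value on every path. The header fields
	 * are all written by hand here (the pads are zeroed explicitly), so
	 * the payload is presumably not pre-cleared; without this, a
	 * classifier with a handle but no dump() would send the field to
	 * user space unset. dump() overwrites it when it runs.
	 */
	tcm->tcm_handle = 0;
	if (nla_put_string(skb, TCA_KIND, tp->ops->kind))
		goto nla_put_failure;
	if (nla_put_u32(skb, TCA_CHAIN, tp->chain->index))
		goto nla_put_failure;
	if (fh && tp->ops->dump && tp->ops->dump(net, tp, fh, skb, tcm) < 0)
		goto nla_put_failure;
	nlh->nlmsg_len = skb_tail_pointer(skb) - b;
	return skb->len;

out_nlmsg_trim:
nla_put_failure:
	nlmsg_trim(skb, b);
	return -1;
}

/* Send an @event notification about @tp / @fh.
 *
 * The message goes to the requester only when @unicast is set, otherwise
 * to the RTNLGRP_TC group. Returns -ENOBUFS or -EINVAL when the message
 * cannot be built, else the result of the send.
 */
static int tfilter_notify(struct net *net, struct sk_buff *oskb,
			  struct nlmsghdr *n, struct tcf_proto *tp,
			  struct tcf_block *block, struct Qdisc *q,
			  u32 parent, void *fh, int event, bool unicast)
{
	struct sk_buff *skb;
	u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;

	skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
	if (!skb)
		return -ENOBUFS;

	if (tcf_fill_node(net, skb, tp, block, q, parent, fh, portid,
			  n->nlmsg_seq, n->nlmsg_flags, event) <= 0) {
		kfree_skb(skb);
		return -EINVAL;
	}

	if (unicast)
		return netlink_unicast(net->rtnl, skb, portid, MSG_DONTWAIT);

	return rtnetlink_send(skb, net, portid, RTNLGRP_TC,
			      n->nlmsg_flags & NLM_F_ECHO);
}

/* Delete filter @fh from @tp and send the RTM_DELTFILTER notification.
 *
 * The notification is built before the delete, while the filter can still
 * be dumped, and is discarded if the delete fails. *@last is set by the
 * classifier's delete(). Returns 0 or a negative errno.
 */
static int tfilter_del_notify(struct net *net, struct sk_buff *oskb,
			      struct nlmsghdr *n, struct tcf_proto *tp,
			      struct tcf_block *block, struct Qdisc *q,
			      u32 parent, void *fh, bool unicast, bool *last,
			      struct netlink_ext_ack *extack)
{
	struct sk_buff *skb;
	u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
	int err;

	skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
	if (!skb)
		return -ENOBUFS;

	if (tcf_fill_node(net, skb, tp, block, q, parent, fh, portid,
			  n->nlmsg_seq, n->nlmsg_flags, RTM_DELTFILTER) <= 0) {
		NL_SET_ERR_MSG(extack, "Failed to build del event notification");
		kfree_skb(skb);
		return -EINVAL;
	}

	err = tp->ops->delete(tp, fh, last, extack);
	if (err) {
		kfree_skb(skb);
		return err;
	}

	if (unicast)
		return netlink_unicast(net->rtnl, skb, portid, MSG_DONTWAIT);

	err = rtnetlink_send(skb, net, portid, RTNLGRP_TC,
			     n->nlmsg_flags & NLM_F_ECHO);
	if (err < 0)
		NL_SET_ERR_MSG(extack, "Failed to send filter delete notification");
	return err;
}

/* Send one @event notification, without a filter handle, for every
 * tcf_proto on @chain. Send errors are ignored.
 */
static void tfilter_notify_chain(struct net *net, struct sk_buff *oskb,
				 struct tcf_block *block, struct Qdisc *q,
				 u32 parent, struct nlmsghdr *n,
				 struct tcf_chain *chain, int event)
{
	struct tcf_proto *tp;

	for (tp = rtnl_dereference(chain->filter_chain);
	     tp; tp = rtnl_dereference(tp->next))
		tfilter_notify(net, oskb, n, tp, block,
			       q, parent, NULL, event, false);
}

/* Validation policy for the top-level TCA_* attributes this file reads
 * itself. Both come straight from the netlink request:
 *
 *   TCA_KIND   is used as a C string (strcmp(), request_module("cls_%s")),
 *              so it must contain a terminating NUL inside the attribute.
 *   TCA_CHAIN  is read with nla_get_u32(), so it must hold at least four
 *              bytes.
 *
 * Parsing with a NULL policy checks neither, which lets a short or
 * unterminated attribute cause reads past the end of its payload.
 * Attributes not listed here stay unvalidated at this level.
 *
 * NOTE(review): a maximum length for TCA_KIND could be added once it is
 * confirmed against the size of tcf_proto_ops::kind. Other handlers in
 * this file that parse TCA_* attributes with a NULL policy (not all of
 * them are visible in this part) should pass this policy as well.
 */
static const struct nla_policy tcf_tfilter_policy[TCA_MAX + 1] = {
	[TCA_KIND]	= { .type = NLA_NUL_STRING },
	[TCA_CHAIN]	= { .type = NLA_U32 },
};

/* RTM_NEWTFILTER handler: create a filter or change an existing one.
 *
 * Requires CAP_NET_ADMIN in the user namespace that owns the target
 * network namespace. The request is parsed again from scratch whenever
 * tcf_proto_create() reports -EAGAIN, because RTNL was dropped for a
 * module load and everything looked up before may be stale.
 *
 * Returns 0 or a negative errno; details are reported through @extack.
 */
static int tc_new_tfilter(struct sk_buff *skb, struct nlmsghdr *n,
			  struct netlink_ext_ack *extack)
{
	struct net *net = sock_net(skb->sk);
	struct nlattr *tca[TCA_MAX + 1];
	struct tcmsg *t;
	u32 protocol;
	u32 prio;
	bool prio_allocate;
	u32 parent;
	u32 chain_index;
	struct Qdisc *q = NULL;
	struct tcf_chain_info chain_info;
	struct tcf_chain *chain = NULL;
	struct tcf_block *block;
	struct tcf_proto *tp;
	unsigned long cl;
	void *fh;
	int err;
	int tp_created;

	if (!netlink_ns_capable(skb, net->user_ns, CAP_NET_ADMIN))
		return -EPERM;

replay:
	tp_created = 0;

	/* Validate TCA_KIND and TCA_CHAIN before anything dereferences
	 * them.
	 */
	err = nlmsg_parse(n, sizeof(*t), tca, TCA_MAX, tcf_tfilter_policy,
			  extack);
	if (err < 0)
		return err;

	t = nlmsg_data(n);
	protocol = TC_H_MIN(t->tcm_info);
	prio = TC_H_MAJ(t->tcm_info);
	prio_allocate = false;
	parent = t->tcm_parent;
	cl = 0;

	if (prio == 0) {
		/* If no priority is provided by the user,
		 * we allocate one.
		 */
		if (n->nlmsg_flags & NLM_F_CREATE) {
			prio = TC_H_MAKE(0x80000000U, 0U);
			prio_allocate = true;
		} else {
			NL_SET_ERR_MSG(extack, "Invalid filter command with priority of zero");
			return -ENOENT;
		}
	}

	/* Find head of filter chain. */

	block = tcf_block_find(net, &q, &parent, &cl,
			       t->tcm_ifindex, t->tcm_block_index, extack);
	if (IS_ERR(block)) {
		err = PTR_ERR(block);
		goto errout;
	}

	chain_index = tca[TCA_CHAIN] ? nla_get_u32(tca[TCA_CHAIN]) : 0;
	if (chain_index > TC_ACT_EXT_VAL_MASK) {
		NL_SET_ERR_MSG(extack, "Specified chain index exceeds upper limit");
		err = -EINVAL;
		goto errout;
	}
	chain = tcf_chain_get(block, chain_index, true);
	if (!chain) {
		NL_SET_ERR_MSG(extack, "Cannot find specified filter chain");
		err = -ENOMEM;
		goto errout;
	}

	tp = tcf_chain_tp_find(chain, &chain_info, protocol,
			       prio, prio_allocate);
	if (IS_ERR(tp)) {
		NL_SET_ERR_MSG(extack, "Filter with specified priority/protocol not found");
		err = PTR_ERR(tp);
		goto errout;
	}

	if (tp == NULL) {
		/* Proto-tcf does not exist, create new one */

		if (tca[TCA_KIND] == NULL || !protocol) {
			NL_SET_ERR_MSG(extack, "Filter kind and protocol must be specified");
			err = -EINVAL;
			goto errout;
		}

		if (!(n->nlmsg_flags & NLM_F_CREATE)) {
			NL_SET_ERR_MSG(extack, "Need both RTM_NEWTFILTER and NLM_F_CREATE to create a new filter");
			err = -ENOENT;
			goto errout;
		}

		if (prio_allocate)
			prio = tcf_auto_prio(tcf_chain_tp_prev(&chain_info));

		/* The kind string was checked for NUL termination by the
		 * parse policy above.
		 */
		tp = tcf_proto_create(nla_data(tca[TCA_KIND]),
				      protocol, prio, chain, extack);
		if (IS_ERR(tp)) {
			err = PTR_ERR(tp);
			goto errout;
		}
		tp_created = 1;
	} else if (tca[TCA_KIND] && nla_strcmp(tca[TCA_KIND], tp->ops->kind)) {
		NL_SET_ERR_MSG(extack, "Specified filter kind does not match existing one");
		err = -EINVAL;
		goto errout;
	}

	fh = tp->ops->get(tp, t->tcm_handle);

	if (!fh) {
		if (!(n->nlmsg_flags & NLM_F_CREATE)) {
			NL_SET_ERR_MSG(extack, "Need both RTM_NEWTFILTER and NLM_F_CREATE to create a new filter");
			err = -ENOENT;
			goto errout;
		}
	} else if (n->nlmsg_flags & NLM_F_EXCL) {
		NL_SET_ERR_MSG(extack, "Filter already exists");
		err = -EEXIST;
		goto errout;
	}

	err = tp->ops->change(net, skb, tp, cl, t->tcm_handle, tca, &fh,
			      n->nlmsg_flags & NLM_F_CREATE ? TCA_ACT_NOREPLACE : TCA_ACT_REPLACE,
			      extack);
	if (err == 0) {
		/* A new tcf_proto only becomes visible on the chain once its
		 * first filter has been configured successfully.
		 */
		if (tp_created)
			tcf_chain_tp_insert(chain, &chain_info, tp);
		tfilter_notify(net, skb, n, tp, block, q, parent, fh,
			       RTM_NEWTFILTER, false);
	} else {
		if (tp_created)
			tcf_proto_destroy(tp, NULL);
	}

errout:
	if (chain)
		tcf_chain_put(chain);
	if (err == -EAGAIN)
		/* Replay the request. */
		goto replay;
	return err;
}

/* RTM_DELTFILTER handler.
 *
 * Requires CAP_NET_ADMIN in the user namespace that owns the target
 * network namespace. A priority of zero flushes the whole chain and is
 * only accepted without protocol, handle and kind. Otherwise a handle of
 * zero removes the whole tcf_proto, and a non-zero handle removes one
 * filter, plus the tcf_proto when that filter was its last.
 *
 * Returns 0 or a negative errno; details are reported through @extack.
 */
static int tc_del_tfilter(struct sk_buff *skb, struct nlmsghdr *n,
			  struct netlink_ext_ack *extack)
{
	struct net *net = sock_net(skb->sk);
	struct nlattr *tca[TCA_MAX + 1];
	struct tcmsg *t;
	u32 protocol;
	u32 prio;
	u32 parent;
	u32 chain_index;
	struct Qdisc *q = NULL;
	struct tcf_chain_info chain_info;
	struct tcf_chain *chain = NULL;
	struct tcf_block *block;
	struct tcf_proto *tp = NULL;
	unsigned long cl = 0;
	void *fh = NULL;
	int err;

	if (!netlink_ns_capable(skb, net->user_ns, CAP_NET_ADMIN))
		return -EPERM;

	/* Validate TCA_KIND and TCA_CHAIN before anything dereferences
	 * them.
	 */
	err = nlmsg_parse(n, sizeof(*t), tca, TCA_MAX, tcf_tfilter_policy,
			  extack);
	if (err < 0)
		return err;

	t = nlmsg_data(n);
	protocol = TC_H_MIN(t->tcm_info);
	prio = TC_H_MAJ(t->tcm_info);
	parent = t->tcm_parent;

	if (prio == 0 && (protocol || t->tcm_handle || tca[TCA_KIND])) {
		NL_SET_ERR_MSG(extack, "Cannot flush filters with protocol, handle or kind set");
		return -ENOENT;
	}

	/* Find head of filter chain. */

	block = tcf_block_find(net, &q, &parent, &cl,
			       t->tcm_ifindex, t->tcm_block_index, extack);
	if (IS_ERR(block)) {
		err = PTR_ERR(block);
		goto errout;
	}

	chain_index = tca[TCA_CHAIN] ? nla_get_u32(tca[TCA_CHAIN]) : 0;
	if (chain_index > TC_ACT_EXT_VAL_MASK) {
		NL_SET_ERR_MSG(extack, "Specified chain index exceeds upper limit");
		err = -EINVAL;
		goto errout;
	}
	chain = tcf_chain_get(block, chain_index, false);
	if (!chain) {
		NL_SET_ERR_MSG(extack, "Cannot find specified filter chain");
		err = -EINVAL;
		goto errout;
	}

	if (prio == 0) {
		/* Notify first: the flush destroys the entries the
		 * notifications are built from. The reference taken by
		 * tcf_chain_get() keeps the chain alive across the flush.
		 */
		tfilter_notify_chain(net, skb, block, q, parent, n,
				     chain, RTM_DELTFILTER);
		tcf_chain_flush(chain);
		err = 0;
		goto errout;
	}

	tp = tcf_chain_tp_find(chain, &chain_info, protocol,
			       prio, false);
	if (!tp || IS_ERR(tp)) {
		NL_SET_ERR_MSG(extack, "Filter with specified priority/protocol not found");
		err = tp ? PTR_ERR(tp) : -ENOENT;
		goto errout;
	} else if (tca[TCA_KIND] && nla_strcmp(tca[TCA_KIND], tp->ops->kind)) {
		NL_SET_ERR_MSG(extack, "Specified filter kind does not match existing one");
		err = -EINVAL;
		goto errout;
	}

	fh = tp->ops->get(tp, t->tcm_handle);

	if (!fh) {
		if (t->tcm_handle == 0) {
			/* Unlink, notify, then destroy: the notification
			 * still reads tp.
			 */
			tcf_chain_tp_remove(chain, &chain_info, tp);
			tfilter_notify(net, skb, n, tp, block, q, parent, fh,
				       RTM_DELTFILTER, false);
			tcf_proto_destroy(tp, extack);
			err = 0;
		} else {
			NL_SET_ERR_MSG(extack, "Specified filter handle not found");
			err = -ENOENT;
		}
	} else {
		bool last;

		err = tfilter_del_notify(net, skb, n, tp, block,
					 q, parent, fh, false, &last,
					 extack);
		if (err)
			goto errout;
		if (last) {
			tcf_chain_tp_remove(chain, &chain_info, tp);
			tcf_proto_destroy(tp, extack);
		}
	}

errout:
	if (chain)
		tcf_chain_put(chain);
	return err;
}

static int tc_get_tfilter(struct sk_buff *skb, struct nlmsghdr *n,
			  struct netlink_ext_ack *extack)
{
	struct net *net = sock_net(skb->sk);
	struct nlattr *tca[TCA_MAX + 1];
	struct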
tcmsg *t; 1369 u32 protocol; 1370 u32 prio; 1371 u32 parent; 1372 u32 chain_index; 1373 struct Qdisc *q = NULL; 1374 struct tcf_chain_info chain_info; 1375 struct tcf_chain *chain = NULL; 1376 struct tcf_block *block; 1377 struct tcf_proto *tp = NULL; 1378 unsigned long cl = 0; 1379 void *fh = NULL; 1380 int err; 1381 1382 err = nlmsg_parse(n, sizeof(*t), tca, TCA_MAX, NULL, extack); 1383 if (err < 0) 1384 return err; 1385 1386 t = nlmsg_data(n); 1387 protocol = TC_H_MIN(t->tcm_info); 1388 prio = TC_H_MAJ(t->tcm_info); 1389 parent = t->tcm_parent; 1390 1391 if (prio == 0) { 1392 NL_SET_ERR_MSG(extack, "Invalid filter command with priority of zero"); 1393 return -ENOENT; 1394 } 1395 1396 /* Find head of filter chain. */ 1397 1398 block = tcf_block_find(net, &q, &parent, &cl, 1399 t->tcm_ifindex, t->tcm_block_index, extack); 1400 if (IS_ERR(block)) { 1401 err = PTR_ERR(block); 1402 goto errout; 1403 } 1404 1405 chain_index = tca[TCA_CHAIN] ? nla_get_u32(tca[TCA_CHAIN]) : 0; 1406 if (chain_index > TC_ACT_EXT_VAL_MASK) { 1407 NL_SET_ERR_MSG(extack, "Specified chain index exceeds upper limit"); 1408 err = -EINVAL; 1409 goto errout; 1410 } 1411 chain = tcf_chain_get(block, chain_index, false); 1412 if (!chain) { 1413 NL_SET_ERR_MSG(extack, "Cannot find specified filter chain"); 1414 err = -EINVAL; 1415 goto errout; 1416 } 1417 1418 tp = tcf_chain_tp_find(chain, &chain_info, protocol, 1419 prio, false); 1420 if (!tp || IS_ERR(tp)) { 1421 NL_SET_ERR_MSG(extack, "Filter with specified priority/protocol not found"); 1422 err = tp ? 
PTR_ERR(tp) : -ENOENT; 1423 goto errout; 1424 } else if (tca[TCA_KIND] && nla_strcmp(tca[TCA_KIND], tp->ops->kind)) { 1425 NL_SET_ERR_MSG(extack, "Specified filter kind does not match existing one"); 1426 err = -EINVAL; 1427 goto errout; 1428 } 1429 1430 fh = tp->ops->get(tp, t->tcm_handle); 1431 1432 if (!fh) { 1433 NL_SET_ERR_MSG(extack, "Specified filter handle not found"); 1434 err = -ENOENT; 1435 } else { 1436 err = tfilter_notify(net, skb, n, tp, block, q, parent, 1437 fh, RTM_NEWTFILTER, true); 1438 if (err < 0) 1439 NL_SET_ERR_MSG(extack, "Failed to send filter notify message"); 1440 } 1441 1442 errout: 1443 if (chain) 1444 tcf_chain_put(chain); 1445 return err; 1446 } 1447 1448 struct tcf_dump_args { 1449 struct tcf_walker w; 1450 struct sk_buff *skb; 1451 struct netlink_callback *cb; 1452 struct tcf_block *block; 1453 struct Qdisc *q; 1454 u32 parent; 1455 }; 1456 1457 static int tcf_node_dump(struct tcf_proto *tp, void *n, struct tcf_walker *arg) 1458 { 1459 struct tcf_dump_args *a = (void *)arg; 1460 struct net *net = sock_net(a->skb->sk); 1461 1462 return tcf_fill_node(net, a->skb, tp, a->block, a->q, a->parent, 1463 n, NETLINK_CB(a->cb->skb).portid, 1464 a->cb->nlh->nlmsg_seq, NLM_F_MULTI, 1465 RTM_NEWTFILTER); 1466 } 1467 1468 static bool tcf_chain_dump(struct tcf_chain *chain, struct Qdisc *q, u32 parent, 1469 struct sk_buff *skb, struct netlink_callback *cb, 1470 long index_start, long *p_index) 1471 { 1472 struct net *net = sock_net(skb->sk); 1473 struct tcf_block *block = chain->block; 1474 struct tcmsg *tcm = nlmsg_data(cb->nlh); 1475 struct tcf_dump_args arg; 1476 struct tcf_proto *tp; 1477 1478 for (tp = rtnl_dereference(chain->filter_chain); 1479 tp; tp = rtnl_dereference(tp->next), (*p_index)++) { 1480 if (*p_index < index_start) 1481 continue; 1482 if (TC_H_MAJ(tcm->tcm_info) && 1483 TC_H_MAJ(tcm->tcm_info) != tp->prio) 1484 continue; 1485 if (TC_H_MIN(tcm->tcm_info) && 1486 TC_H_MIN(tcm->tcm_info) != tp->protocol) 1487 continue; 1488 if 
(*p_index > index_start) 1489 memset(&cb->args[1], 0, 1490 sizeof(cb->args) - sizeof(cb->args[0])); 1491 if (cb->args[1] == 0) { 1492 if (tcf_fill_node(net, skb, tp, block, q, parent, 0, 1493 NETLINK_CB(cb->skb).portid, 1494 cb->nlh->nlmsg_seq, NLM_F_MULTI, 1495 RTM_NEWTFILTER) <= 0) 1496 return false; 1497 1498 cb->args[1] = 1; 1499 } 1500 if (!tp->ops->walk) 1501 continue; 1502 arg.w.fn = tcf_node_dump; 1503 arg.skb = skb; 1504 arg.cb = cb; 1505 arg.block = block; 1506 arg.q = q; 1507 arg.parent = parent; 1508 arg.w.stop = 0; 1509 arg.w.skip = cb->args[1] - 1; 1510 arg.w.count = 0; 1511 arg.w.cookie = cb->args[2]; 1512 tp->ops->walk(tp, &arg.w); 1513 cb->args[2] = arg.w.cookie; 1514 cb->args[1] = arg.w.count + 1; 1515 if (arg.w.stop) 1516 return false; 1517 } 1518 return true; 1519 } 1520 1521 /* called with RTNL */ 1522 static int tc_dump_tfilter(struct sk_buff *skb, struct netlink_callback *cb) 1523 { 1524 struct net *net = sock_net(skb->sk); 1525 struct nlattr *tca[TCA_MAX + 1]; 1526 struct Qdisc *q = NULL; 1527 struct tcf_block *block; 1528 struct tcf_chain *chain; 1529 struct tcmsg *tcm = nlmsg_data(cb->nlh); 1530 long index_start; 1531 long index; 1532 u32 parent; 1533 int err; 1534 1535 if (nlmsg_len(cb->nlh) < sizeof(*tcm)) 1536 return skb->len; 1537 1538 err = nlmsg_parse(cb->nlh, sizeof(*tcm), tca, TCA_MAX, NULL, NULL); 1539 if (err) 1540 return err; 1541 1542 if (tcm->tcm_ifindex == TCM_IFINDEX_MAGIC_BLOCK) { 1543 block = tcf_block_lookup(net, tcm->tcm_block_index); 1544 if (!block) 1545 goto out; 1546 /* If we work with block index, q is NULL and parent value 1547 * will never be used in the following code. The check 1548 * in tcf_fill_node prevents it. However, compiler does not 1549 * see that far, so set parent to zero to silence the warning 1550 * about parent being uninitialized. 
1551 */ 1552 parent = 0; 1553 } else { 1554 const struct Qdisc_class_ops *cops; 1555 struct net_device *dev; 1556 unsigned long cl = 0; 1557 1558 dev = __dev_get_by_index(net, tcm->tcm_ifindex); 1559 if (!dev) 1560 return skb->len; 1561 1562 parent = tcm->tcm_parent; 1563 if (!parent) { 1564 q = dev->qdisc; 1565 parent = q->handle; 1566 } else { 1567 q = qdisc_lookup(dev, TC_H_MAJ(tcm->tcm_parent)); 1568 } 1569 if (!q) 1570 goto out; 1571 cops = q->ops->cl_ops; 1572 if (!cops) 1573 goto out; 1574 if (!cops->tcf_block) 1575 goto out; 1576 if (TC_H_MIN(tcm->tcm_parent)) { 1577 cl = cops->find(q, tcm->tcm_parent); 1578 if (cl == 0) 1579 goto out; 1580 } 1581 block = cops->tcf_block(q, cl, NULL); 1582 if (!block) 1583 goto out; 1584 if (tcf_block_shared(block)) 1585 q = NULL; 1586 } 1587 1588 index_start = cb->args[0]; 1589 index = 0; 1590 1591 list_for_each_entry(chain, &block->chain_list, list) { 1592 if (tca[TCA_CHAIN] && 1593 nla_get_u32(tca[TCA_CHAIN]) != chain->index) 1594 continue; 1595 if (!tcf_chain_dump(chain, q, parent, skb, cb, 1596 index_start, &index)) { 1597 err = -EMSGSIZE; 1598 break; 1599 } 1600 } 1601 1602 cb->args[0] = index; 1603 1604 out: 1605 /* If we did no progress, the error (EMSGSIZE) is real */ 1606 if (skb->len == 0 && err) 1607 return err; 1608 return skb->len; 1609 } 1610 1611 void tcf_exts_destroy(struct tcf_exts *exts) 1612 { 1613 #ifdef CONFIG_NET_CLS_ACT 1614 tcf_action_destroy(exts->actions, TCA_ACT_UNBIND); 1615 kfree(exts->actions); 1616 exts->nr_actions = 0; 1617 #endif 1618 } 1619 EXPORT_SYMBOL(tcf_exts_destroy); 1620 1621 int tcf_exts_validate(struct net *net, struct tcf_proto *tp, struct nlattr **tb, 1622 struct nlattr *rate_tlv, struct tcf_exts *exts, bool ovr, 1623 struct netlink_ext_ack *extack) 1624 { 1625 #ifdef CONFIG_NET_CLS_ACT 1626 { 1627 struct tc_action *act; 1628 size_t attr_size = 0; 1629 1630 if (exts->police && tb[exts->police]) { 1631 act = tcf_action_init_1(net, tp, tb[exts->police], 1632 rate_tlv, "police", 
ovr, 1633 TCA_ACT_BIND, true, extack); 1634 if (IS_ERR(act)) 1635 return PTR_ERR(act); 1636 1637 act->type = exts->type = TCA_OLD_COMPAT; 1638 exts->actions[0] = act; 1639 exts->nr_actions = 1; 1640 } else if (exts->action && tb[exts->action]) { 1641 int err; 1642 1643 err = tcf_action_init(net, tp, tb[exts->action], 1644 rate_tlv, NULL, ovr, TCA_ACT_BIND, 1645 exts->actions, &attr_size, true, 1646 extack); 1647 if (err < 0) 1648 return err; 1649 exts->nr_actions = err; 1650 } 1651 exts->net = net; 1652 } 1653 #else 1654 if ((exts->action && tb[exts->action]) || 1655 (exts->police && tb[exts->police])) { 1656 NL_SET_ERR_MSG(extack, "Classifier actions are not supported per compile options (CONFIG_NET_CLS_ACT)"); 1657 return -EOPNOTSUPP; 1658 } 1659 #endif 1660 1661 return 0; 1662 } 1663 EXPORT_SYMBOL(tcf_exts_validate); 1664 1665 void tcf_exts_change(struct tcf_exts *dst, struct tcf_exts *src) 1666 { 1667 #ifdef CONFIG_NET_CLS_ACT 1668 struct tcf_exts old = *dst; 1669 1670 *dst = *src; 1671 tcf_exts_destroy(&old); 1672 #endif 1673 } 1674 EXPORT_SYMBOL(tcf_exts_change); 1675 1676 #ifdef CONFIG_NET_CLS_ACT 1677 static struct tc_action *tcf_exts_first_act(struct tcf_exts *exts) 1678 { 1679 if (exts->nr_actions == 0) 1680 return NULL; 1681 else 1682 return exts->actions[0]; 1683 } 1684 #endif 1685 1686 int tcf_exts_dump(struct sk_buff *skb, struct tcf_exts *exts) 1687 { 1688 #ifdef CONFIG_NET_CLS_ACT 1689 struct nlattr *nest; 1690 1691 if (exts->action && tcf_exts_has_actions(exts)) { 1692 /* 1693 * again for backward compatible mode - we want 1694 * to work with both old and new modes of entering 1695 * tc data even if iproute2 was newer - jhs 1696 */ 1697 if (exts->type != TCA_OLD_COMPAT) { 1698 nest = nla_nest_start(skb, exts->action); 1699 if (nest == NULL) 1700 goto nla_put_failure; 1701 1702 if (tcf_action_dump(skb, exts->actions, 0, 0) < 0) 1703 goto nla_put_failure; 1704 nla_nest_end(skb, nest); 1705 } else if (exts->police) { 1706 struct tc_action *act = 
tcf_exts_first_act(exts); 1707 nest = nla_nest_start(skb, exts->police); 1708 if (nest == NULL || !act) 1709 goto nla_put_failure; 1710 if (tcf_action_dump_old(skb, act, 0, 0) < 0) 1711 goto nla_put_failure; 1712 nla_nest_end(skb, nest); 1713 } 1714 } 1715 return 0; 1716 1717 nla_put_failure: 1718 nla_nest_cancel(skb, nest); 1719 return -1; 1720 #else 1721 return 0; 1722 #endif 1723 } 1724 EXPORT_SYMBOL(tcf_exts_dump); 1725 1726 1727 int tcf_exts_dump_stats(struct sk_buff *skb, struct tcf_exts *exts) 1728 { 1729 #ifdef CONFIG_NET_CLS_ACT 1730 struct tc_action *a = tcf_exts_first_act(exts); 1731 if (a != NULL && tcf_action_copy_stats(skb, a, 1) < 0) 1732 return -1; 1733 #endif 1734 return 0; 1735 } 1736 EXPORT_SYMBOL(tcf_exts_dump_stats); 1737 1738 static int tc_exts_setup_cb_egdev_call(struct tcf_exts *exts, 1739 enum tc_setup_type type, 1740 void *type_data, bool err_stop) 1741 { 1742 int ok_count = 0; 1743 #ifdef CONFIG_NET_CLS_ACT 1744 const struct tc_action *a; 1745 struct net_device *dev; 1746 int i, ret; 1747 1748 if (!tcf_exts_has_actions(exts)) 1749 return 0; 1750 1751 for (i = 0; i < exts->nr_actions; i++) { 1752 a = exts->actions[i]; 1753 if (!a->ops->get_dev) 1754 continue; 1755 dev = a->ops->get_dev(a); 1756 if (!dev) 1757 continue; 1758 ret = tc_setup_cb_egdev_call(dev, type, type_data, err_stop); 1759 if (ret < 0) 1760 return ret; 1761 ok_count += ret; 1762 } 1763 #endif 1764 return ok_count; 1765 } 1766 1767 int tc_setup_cb_call(struct tcf_block *block, struct tcf_exts *exts, 1768 enum tc_setup_type type, void *type_data, bool err_stop) 1769 { 1770 int ok_count; 1771 int ret; 1772 1773 ret = tcf_block_cb_call(block, type, type_data, err_stop); 1774 if (ret < 0) 1775 return ret; 1776 ok_count = ret; 1777 1778 if (!exts || ok_count) 1779 return ok_count; 1780 ret = tc_exts_setup_cb_egdev_call(exts, type, type_data, err_stop); 1781 if (ret < 0) 1782 return ret; 1783 ok_count += ret; 1784 1785 return ok_count; 1786 } 1787 EXPORT_SYMBOL(tc_setup_cb_call); 

/* Per-namespace setup: initialise the idr kept in this namespace's
 * struct tcf_net. Always returns 0.
 */
static __net_init int tcf_net_init(struct net *net)
{
	struct tcf_net *pernet = net_generic(net, tcf_net_id);

	idr_init(&pernet->idr);
	return 0;
}

/* Per-namespace teardown: destroy the idr set up by tcf_net_init(). */
static void __net_exit tcf_net_exit(struct net *net)
{
	struct tcf_net *pernet = net_generic(net, tcf_net_id);

	idr_destroy(&pernet->idr);
}

/* Hooks the two functions above into network namespace creation and exit. */
static struct pernet_operations tcf_net_ops = {
	.init = tcf_net_init,
	.exit = tcf_net_exit,
	.id   = &tcf_net_id,
	.size = sizeof(struct tcf_net),
};

/* Subsystem init: create the ordered filter workqueue, register the
 * per-namespace operations and install the rtnetlink handlers for
 * RTM_NEWTFILTER, RTM_DELTFILTER and RTM_GETTFILTER (the latter with a
 * dump callback).
 *
 * Returns 0 on success, -ENOMEM when the workqueue cannot be allocated, or
 * the error from register_pernet_subsys() after destroying the workqueue.
 */
static int __init tc_filter_init(void)
{
	int err;

	tc_filter_wq = alloc_ordered_workqueue("tc_filter_workqueue", 0);
	if (!tc_filter_wq)
		return -ENOMEM;

	err = register_pernet_subsys(&tcf_net_ops);
	if (err) {
		/* Undo the only step that succeeded so far. */
		destroy_workqueue(tc_filter_wq);
		return err;
	}

	rtnl_register(PF_UNSPEC, RTM_NEWTFILTER, tc_new_tfilter, NULL, 0);
	rtnl_register(PF_UNSPEC, RTM_DELTFILTER, tc_del_tfilter, NULL, 0);
	rtnl_register(PF_UNSPEC, RTM_GETTFILTER, tc_get_tfilter,
		      tc_dump_tfilter, 0);

	return 0;
}

subsys_initcall(tc_filter_init);