/*
 * net/sched/cls_api.c	Packet classifier API.
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License
 * as published by the Free Software Foundation; either version
 * 2 of the License, or (at your option) any later version.
 *
 * Authors:	Alexey Kuznetsov, <kuznet@ms2.inr.ac.ru>
 *
 * Changes:
 *
 * Eduardo J. Blanco <ejbs@netlabs.com.uy> :990222: kmod support
 *
 */

#include <linux/module.h>
#include <linux/types.h>
#include <linux/kernel.h>
#include <linux/string.h>
#include <linux/errno.h>
#include <linux/err.h>
#include <linux/skbuff.h>
#include <linux/init.h>
#include <linux/kmod.h>
#include <linux/slab.h>
#include <linux/idr.h>
#include <net/net_namespace.h>
#include <net/sock.h>
#include <net/netlink.h>
#include <net/pkt_sched.h>
#include <net/pkt_cls.h>

extern const struct nla_policy rtm_tca_policy[TCA_MAX + 1];

/* The list of all installed classifier types */
static LIST_HEAD(tcf_proto_base);

/* Protects the list of registered TC modules. It is a pure SMP lock. */
static DEFINE_RWLOCK(cls_mod_lock);

/* Find classifier type by string name */

static const struct tcf_proto_ops *__tcf_proto_lookup_ops(const char *kind)
{
	const struct tcf_proto_ops *t, *res = NULL;

	if (kind) {
		read_lock(&cls_mod_lock);
		list_for_each_entry(t, &tcf_proto_base, head) {
			if (strcmp(kind, t->kind) == 0) {
				if (try_module_get(t->owner))
					res = t;
				break;
			}
		}
		read_unlock(&cls_mod_lock);
	}
	return res;
}

static const struct tcf_proto_ops *
tcf_proto_lookup_ops(const char *kind, struct netlink_ext_ack *extack)
{
	const struct tcf_proto_ops *ops;

	ops = __tcf_proto_lookup_ops(kind);
	if (ops)
		return ops;
#ifdef CONFIG_MODULES
	rtnl_unlock();
	request_module("cls_%s", kind);
	rtnl_lock();
	ops = __tcf_proto_lookup_ops(kind);
	/* We dropped the RTNL semaphore in order to perform
	 * the module load. So, even if we succeeded in loading
	 * the module we have to replay the request. We indicate
	 * this using -EAGAIN.
	 */
	if (ops) {
		module_put(ops->owner);
		return ERR_PTR(-EAGAIN);
	}
#endif
	NL_SET_ERR_MSG(extack, "TC classifier not found");
	return ERR_PTR(-ENOENT);
}

/* Register (unregister) new classifier type */

int register_tcf_proto_ops(struct tcf_proto_ops *ops)
{
	struct tcf_proto_ops *t;
	int rc = -EEXIST;

	write_lock(&cls_mod_lock);
	list_for_each_entry(t, &tcf_proto_base, head)
		if (!strcmp(ops->kind, t->kind))
			goto out;

	list_add_tail(&ops->head, &tcf_proto_base);
	rc = 0;
out:
	write_unlock(&cls_mod_lock);
	return rc;
}
EXPORT_SYMBOL(register_tcf_proto_ops);
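/* Usage sketch (illustrative only, not part of this file): a classifier
 * module such as a hypothetical cls_foo registers its ops on load and
 * removes them on unload:
 *
 *	static struct tcf_proto_ops cls_foo_ops __read_mostly = {
 *		.kind	= "foo",
 *		.owner	= THIS_MODULE,
 *		...
 *	};
 *
 *	static int __init cls_foo_init(void)
 *	{
 *		return register_tcf_proto_ops(&cls_foo_ops);
 *	}
 *
 *	static void __exit cls_foo_exit(void)
 *	{
 *		unregister_tcf_proto_ops(&cls_foo_ops);
 *	}
 */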
static struct workqueue_struct *tc_filter_wq;

int unregister_tcf_proto_ops(struct tcf_proto_ops *ops)
{
	struct tcf_proto_ops *t;
	int rc = -ENOENT;

	/* Wait for outstanding call_rcu()s, if any, from a
	 * tcf_proto_ops's destroy() handler.
	 */
	rcu_barrier();
	flush_workqueue(tc_filter_wq);

	write_lock(&cls_mod_lock);
	list_for_each_entry(t, &tcf_proto_base, head) {
		if (t == ops) {
			list_del(&t->head);
			rc = 0;
			break;
		}
	}
	write_unlock(&cls_mod_lock);
	return rc;
}
EXPORT_SYMBOL(unregister_tcf_proto_ops);

bool tcf_queue_work(struct rcu_work *rwork, work_func_t func)
{
	INIT_RCU_WORK(rwork, func);
	return queue_rcu_work(tc_filter_wq, rwork);
}
EXPORT_SYMBOL(tcf_queue_work);

/* Select new prio value from the range managed by the kernel. */

static inline u32 tcf_auto_prio(struct tcf_proto *tp)
{
	u32 first = TC_H_MAKE(0xC0000000U, 0U);

	if (tp)
		first = tp->prio - 1;

	return TC_H_MAJ(first);
}

static struct tcf_proto *tcf_proto_create(const char *kind, u32 protocol,
					  u32 prio, struct tcf_chain *chain,
					  struct netlink_ext_ack *extack)
{
	struct tcf_proto *tp;
	int err;

	tp = kzalloc(sizeof(*tp), GFP_KERNEL);
	if (!tp)
		return ERR_PTR(-ENOBUFS);

	tp->ops = tcf_proto_lookup_ops(kind, extack);
	if (IS_ERR(tp->ops)) {
		err = PTR_ERR(tp->ops);
		goto errout;
	}
	tp->classify = tp->ops->classify;
	tp->protocol = protocol;
	tp->prio = prio;
	tp->chain = chain;

	err = tp->ops->init(tp);
	if (err) {
		module_put(tp->ops->owner);
		goto errout;
	}
	return tp;

errout:
	kfree(tp);
	return ERR_PTR(err);
}

static void tcf_proto_destroy(struct tcf_proto *tp,
			      struct netlink_ext_ack *extack)
{
	tp->ops->destroy(tp, extack);
	module_put(tp->ops->owner);
	kfree_rcu(tp, rcu);
}

struct tcf_filter_chain_list_item {
	struct list_head list;
	tcf_chain_head_change_t *chain_head_change;
	void *chain_head_change_priv;
};

static struct tcf_chain *tcf_chain_create(struct tcf_block *block,
					  u32 chain_index)
{
	struct tcf_chain *chain;

	chain = kzalloc(sizeof(*chain), GFP_KERNEL);
	if (!chain)
		return NULL;
	list_add_tail(&chain->list, &block->chain_list);
	chain->block = block;
	chain->index = chain_index;
	chain->refcnt = 1;
	if (!chain->index)
		block->chain0.chain = chain;
	return chain;
}

static void tcf_chain_head_change_item(struct tcf_filter_chain_list_item *item,
				       struct tcf_proto *tp_head)
{
	if (item->chain_head_change)
		item->chain_head_change(tp_head, item->chain_head_change_priv);
}

static void tcf_chain0_head_change(struct tcf_chain *chain,
				   struct tcf_proto *tp_head)
{
	struct tcf_filter_chain_list_item *item;
	struct tcf_block *block = chain->block;

	if (chain->index)
		return;
	list_for_each_entry(item, &block->chain0.filter_chain_list, list)
		tcf_chain_head_change_item(item, tp_head);
}

static void tcf_chain_destroy(struct tcf_chain *chain)
{
	struct tcf_block *block = chain->block;

	list_del(&chain->list);
	if (!chain->index)
		block->chain0.chain = NULL;
	kfree(chain);
	if (list_empty(&block->chain_list) && !refcount_read(&block->refcnt))
		kfree_rcu(block, rcu);
}

static void tcf_chain_hold(struct tcf_chain *chain)
{
	++chain->refcnt;
}
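/* A chain can be referenced both by filters/users and by actions (for
 * example a "goto chain" action). Illustrative case: after
 * "tc filter add ... action goto chain 42", chain 42 may exist with
 * refcnt == action_refcnt == 1 and must stay invisible to user dumps.
 */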
static bool tcf_chain_held_by_acts_only(struct tcf_chain *chain)
{
	/* In case all the references are action references, this
	 * chain should not be shown to the user.
	 */
	return chain->refcnt == chain->action_refcnt;
}

static struct tcf_chain *tcf_chain_lookup(struct tcf_block *block,
					  u32 chain_index)
{
	struct tcf_chain *chain;

	list_for_each_entry(chain, &block->chain_list, list) {
		if (chain->index == chain_index)
			return chain;
	}
	return NULL;
}

static int tc_chain_notify(struct tcf_chain *chain, struct sk_buff *oskb,
			   u32 seq, u16 flags, int event, bool unicast);

static struct tcf_chain *__tcf_chain_get(struct tcf_block *block,
					 u32 chain_index, bool create,
					 bool by_act)
{
	struct tcf_chain *chain = tcf_chain_lookup(block, chain_index);

	if (chain) {
		tcf_chain_hold(chain);
	} else {
		if (!create)
			return NULL;
		chain = tcf_chain_create(block, chain_index);
		if (!chain)
			return NULL;
	}

	if (by_act)
		++chain->action_refcnt;

	/* Send notification only in case we got the first
	 * non-action reference. Until then, the chain acts only as
	 * a placeholder for actions pointing to it and the user ought
	 * not to know about them.
	 */
	if (chain->refcnt - chain->action_refcnt == 1 && !by_act)
		tc_chain_notify(chain, NULL, 0, NLM_F_CREATE | NLM_F_EXCL,
				RTM_NEWCHAIN, false);

	return chain;
}

static struct tcf_chain *tcf_chain_get(struct tcf_block *block, u32 chain_index,
				       bool create)
{
	return __tcf_chain_get(block, chain_index, create, false);
}

struct tcf_chain *tcf_chain_get_by_act(struct tcf_block *block, u32 chain_index)
{
	return __tcf_chain_get(block, chain_index, true, true);
}
EXPORT_SYMBOL(tcf_chain_get_by_act);

static void tc_chain_tmplt_del(struct tcf_chain *chain);
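/* tcf_chain_get_by_act()/tcf_chain_put_by_act() are the pairing used by
 * the action code to hold a chain that a "goto chain" action points to;
 * they bump both refcnt and action_refcnt, so such references remain
 * distinguishable from user/filter references.
 */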
static void __tcf_chain_put(struct tcf_chain *chain, bool by_act)
{
	if (by_act)
		chain->action_refcnt--;
	chain->refcnt--;

	/* The last dropped non-action reference will trigger notification. */
	if (chain->refcnt - chain->action_refcnt == 0 && !by_act)
		tc_chain_notify(chain, NULL, 0, 0, RTM_DELCHAIN, false);

	if (chain->refcnt == 0) {
		tc_chain_tmplt_del(chain);
		tcf_chain_destroy(chain);
	}
}

static void tcf_chain_put(struct tcf_chain *chain)
{
	__tcf_chain_put(chain, false);
}

void tcf_chain_put_by_act(struct tcf_chain *chain)
{
	__tcf_chain_put(chain, true);
}
EXPORT_SYMBOL(tcf_chain_put_by_act);

static void tcf_chain_put_explicitly_created(struct tcf_chain *chain)
{
	if (chain->explicitly_created)
		tcf_chain_put(chain);
}

static void tcf_chain_flush(struct tcf_chain *chain)
{
	struct tcf_proto *tp = rtnl_dereference(chain->filter_chain);

	tcf_chain0_head_change(chain, NULL);
	while (tp) {
		RCU_INIT_POINTER(chain->filter_chain, tp->next);
		tcf_proto_destroy(tp, NULL);
		tp = rtnl_dereference(chain->filter_chain);
		tcf_chain_put(chain);
	}
}

static bool tcf_block_offload_in_use(struct tcf_block *block)
{
	return block->offloadcnt;
}

static int tcf_block_offload_cmd(struct tcf_block *block,
				 struct net_device *dev,
				 struct tcf_block_ext_info *ei,
				 enum tc_block_command command,
				 struct netlink_ext_ack *extack)
{
	struct tc_block_offload bo = {};

	bo.command = command;
	bo.binder_type = ei->binder_type;
	bo.block = block;
	bo.extack = extack;
	return dev->netdev_ops->ndo_setup_tc(dev, TC_SETUP_BLOCK, &bo);
}
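/* Driver-side sketch (illustrative, names hypothetical): an
 * ndo_setup_tc() implementation handling TC_SETUP_BLOCK typically
 * switches on bo->command:
 *
 *	struct tc_block_offload *bo = type_data;
 *
 *	switch (bo->command) {
 *	case TC_BLOCK_BIND:
 *		return tcf_block_cb_register(bo->block, foo_setup_cb,
 *					     priv, priv, bo->extack);
 *	case TC_BLOCK_UNBIND:
 *		tcf_block_cb_unregister(bo->block, foo_setup_cb, priv);
 *		return 0;
 *	default:
 *		return -EOPNOTSUPP;
 *	}
 */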
static int tcf_block_offload_bind(struct tcf_block *block, struct Qdisc *q,
				  struct tcf_block_ext_info *ei,
				  struct netlink_ext_ack *extack)
{
	struct net_device *dev = q->dev_queue->dev;
	int err;

	if (!dev->netdev_ops->ndo_setup_tc)
		goto no_offload_dev_inc;

	/* If tc offload feature is disabled and the block we try to bind
	 * to already has some offloaded filters, forbid binding.
	 */
	if (!tc_can_offload(dev) && tcf_block_offload_in_use(block)) {
		NL_SET_ERR_MSG(extack, "Bind to offloaded block failed as dev has offload disabled");
		return -EOPNOTSUPP;
	}

	err = tcf_block_offload_cmd(block, dev, ei, TC_BLOCK_BIND, extack);
	if (err == -EOPNOTSUPP)
		goto no_offload_dev_inc;
	return err;

no_offload_dev_inc:
	if (tcf_block_offload_in_use(block))
		return -EOPNOTSUPP;
	block->nooffloaddevcnt++;
	return 0;
}

static void tcf_block_offload_unbind(struct tcf_block *block, struct Qdisc *q,
				     struct tcf_block_ext_info *ei)
{
	struct net_device *dev = q->dev_queue->dev;
	int err;

	if (!dev->netdev_ops->ndo_setup_tc)
		goto no_offload_dev_dec;
	err = tcf_block_offload_cmd(block, dev, ei, TC_BLOCK_UNBIND, NULL);
	if (err == -EOPNOTSUPP)
		goto no_offload_dev_dec;
	return;

no_offload_dev_dec:
	WARN_ON(block->nooffloaddevcnt-- == 0);
}

static int
tcf_chain0_head_change_cb_add(struct tcf_block *block,
			      struct tcf_block_ext_info *ei,
			      struct netlink_ext_ack *extack)
{
	struct tcf_chain *chain0 = block->chain0.chain;
	struct tcf_filter_chain_list_item *item;

	item = kmalloc(sizeof(*item), GFP_KERNEL);
	if (!item) {
		NL_SET_ERR_MSG(extack, "Memory allocation for head change callback item failed");
		return -ENOMEM;
	}
	item->chain_head_change = ei->chain_head_change;
	item->chain_head_change_priv = ei->chain_head_change_priv;
	if (chain0 && chain0->filter_chain)
		tcf_chain_head_change_item(item, chain0->filter_chain);
	list_add(&item->list, &block->chain0.filter_chain_list);
	return 0;
}

static void
tcf_chain0_head_change_cb_del(struct tcf_block *block,
			      struct tcf_block_ext_info *ei)
{
	struct tcf_chain *chain0 = block->chain0.chain;
	struct tcf_filter_chain_list_item *item;

	list_for_each_entry(item, &block->chain0.filter_chain_list, list) {
		if ((!ei->chain_head_change && !ei->chain_head_change_priv) ||
		    (item->chain_head_change == ei->chain_head_change &&
		     item->chain_head_change_priv == ei->chain_head_change_priv)) {
			if (chain0)
				tcf_chain_head_change_item(item, NULL);
			list_del(&item->list);
			kfree(item);
			return;
		}
	}
	WARN_ON(1);
}

struct tcf_net {
	spinlock_t idr_lock; /* Protects idr */
	struct idr idr;
};

static unsigned int tcf_net_id;
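/* Shared blocks are indexed in a per-netns IDR keyed by block->index.
 * Note that idr_alloc_u32() below is called with both the requested id
 * and the maximum set to block->index, so it either claims exactly the
 * requested index or fails if that index is already taken.
 */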
static int tcf_block_insert(struct tcf_block *block, struct net *net,
			    struct netlink_ext_ack *extack)
{
	struct tcf_net *tn = net_generic(net, tcf_net_id);
	int err;

	idr_preload(GFP_KERNEL);
	spin_lock(&tn->idr_lock);
	err = idr_alloc_u32(&tn->idr, block, &block->index, block->index,
			    GFP_NOWAIT);
	spin_unlock(&tn->idr_lock);
	idr_preload_end();

	return err;
}

static void tcf_block_remove(struct tcf_block *block, struct net *net)
{
	struct tcf_net *tn = net_generic(net, tcf_net_id);

	spin_lock(&tn->idr_lock);
	idr_remove(&tn->idr, block->index);
	spin_unlock(&tn->idr_lock);
}

static struct tcf_block *tcf_block_create(struct net *net, struct Qdisc *q,
					  u32 block_index,
					  struct netlink_ext_ack *extack)
{
	struct tcf_block *block;

	block = kzalloc(sizeof(*block), GFP_KERNEL);
	if (!block) {
		NL_SET_ERR_MSG(extack, "Memory allocation for block failed");
		return ERR_PTR(-ENOMEM);
	}
	INIT_LIST_HEAD(&block->chain_list);
	INIT_LIST_HEAD(&block->cb_list);
	INIT_LIST_HEAD(&block->owner_list);
	INIT_LIST_HEAD(&block->chain0.filter_chain_list);

	refcount_set(&block->refcnt, 1);
	block->net = net;
	block->index = block_index;

	/* Don't store q pointer for blocks which are shared */
	if (!tcf_block_shared(block))
		block->q = q;
	return block;
}

static struct tcf_block *tcf_block_lookup(struct net *net, u32 block_index)
{
	struct tcf_net *tn = net_generic(net, tcf_net_id);

	return idr_find(&tn->idr, block_index);
}

static struct tcf_block *tcf_block_refcnt_get(struct net *net, u32 block_index)
{
	struct tcf_block *block;

	rcu_read_lock();
	block = tcf_block_lookup(net, block_index);
	if (block && !refcount_inc_not_zero(&block->refcnt))
		block = NULL;
	rcu_read_unlock();

	return block;
}

static void tcf_block_flush_all_chains(struct tcf_block *block)
{
	struct tcf_chain *chain;

	/* Hold a refcnt for all chains, so that they don't disappear
	 * while we are iterating.
	 */
	list_for_each_entry(chain, &block->chain_list, list)
		tcf_chain_hold(chain);

	list_for_each_entry(chain, &block->chain_list, list)
		tcf_chain_flush(chain);
}

static void tcf_block_put_all_chains(struct tcf_block *block)
{
	struct tcf_chain *chain, *tmp;

	/* At this point, all the chains should have refcnt >= 1. */
	list_for_each_entry_safe(chain, tmp, &block->chain_list, list) {
		tcf_chain_put_explicitly_created(chain);
		tcf_chain_put(chain);
	}
}

static void __tcf_block_put(struct tcf_block *block, struct Qdisc *q,
			    struct tcf_block_ext_info *ei)
{
	if (refcount_dec_and_test(&block->refcnt)) {
		/* Flushing/putting all chains will cause the block to be
		 * deallocated when last chain is freed. However, if chain_list
		 * is empty, block has to be manually deallocated. After the
		 * block's reference counter has reached 0, it is no longer
		 * possible to increment it or add new chains to the block.
		 */
		bool free_block = list_empty(&block->chain_list);

		if (tcf_block_shared(block))
			tcf_block_remove(block, block->net);
		if (!free_block)
			tcf_block_flush_all_chains(block);

		if (q)
			tcf_block_offload_unbind(block, q, ei);

		if (free_block)
			kfree_rcu(block, rcu);
		else
			tcf_block_put_all_chains(block);
	} else if (q) {
		tcf_block_offload_unbind(block, q, ei);
	}
}

static void tcf_block_refcnt_put(struct tcf_block *block)
{
	__tcf_block_put(block, NULL, NULL);
}
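/* tcf_block_find() resolves the target block of a netlink request:
 * either directly by block index (tcm_ifindex == TCM_IFINDEX_MAGIC_BLOCK)
 * or indirectly via ifindex, parent qdisc and class. Illustrative only:
 * "tc filter add block 22 ..." takes the first path, while
 * "tc filter add dev eth0 parent 1: ..." takes the second.
 */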
/* Find tcf block.
 * Set q, parent, cl when appropriate.
 */

static struct tcf_block *tcf_block_find(struct net *net, struct Qdisc **q,
					u32 *parent, unsigned long *cl,
					int ifindex, u32 block_index,
					struct netlink_ext_ack *extack)
{
	struct tcf_block *block;
	int err = 0;

	if (ifindex == TCM_IFINDEX_MAGIC_BLOCK) {
		block = tcf_block_refcnt_get(net, block_index);
		if (!block) {
			NL_SET_ERR_MSG(extack, "Block of given index was not found");
			return ERR_PTR(-EINVAL);
		}
	} else {
		const struct Qdisc_class_ops *cops;
		struct net_device *dev;

		rcu_read_lock();

		/* Find link */
		dev = dev_get_by_index_rcu(net, ifindex);
		if (!dev) {
			rcu_read_unlock();
			return ERR_PTR(-ENODEV);
		}

		/* Find qdisc */
		if (!*parent) {
			*q = dev->qdisc;
			*parent = (*q)->handle;
		} else {
			*q = qdisc_lookup_rcu(dev, TC_H_MAJ(*parent));
			if (!*q) {
				NL_SET_ERR_MSG(extack, "Parent Qdisc doesn't exist");
				err = -EINVAL;
				goto errout_rcu;
			}
		}

		*q = qdisc_refcount_inc_nz(*q);
		if (!*q) {
			NL_SET_ERR_MSG(extack, "Parent Qdisc doesn't exist");
			err = -EINVAL;
			goto errout_rcu;
		}

		/* Is it classful? */
		cops = (*q)->ops->cl_ops;
		if (!cops) {
			NL_SET_ERR_MSG(extack, "Qdisc not classful");
			err = -EINVAL;
			goto errout_rcu;
		}

		if (!cops->tcf_block) {
			NL_SET_ERR_MSG(extack, "Class doesn't support blocks");
			err = -EOPNOTSUPP;
			goto errout_rcu;
		}

		/* At this point we know that qdisc is not noop_qdisc,
		 * which means that qdisc holds a reference to net_device
		 * and we hold a reference to qdisc, so it is safe to release
		 * rcu read lock.
		 */
		rcu_read_unlock();

		/* Do we search for a filter attached to a class? */
		if (TC_H_MIN(*parent)) {
			*cl = cops->find(*q, *parent);
			if (*cl == 0) {
				NL_SET_ERR_MSG(extack, "Specified class doesn't exist");
				err = -ENOENT;
				goto errout_qdisc;
			}
		}

		/* And the last stroke */
		block = cops->tcf_block(*q, *cl, extack);
		if (!block) {
			err = -EINVAL;
			goto errout_qdisc;
		}
		if (tcf_block_shared(block)) {
			NL_SET_ERR_MSG(extack, "This filter block is shared. Please use the block index to manipulate the filters");
			err = -EOPNOTSUPP;
			goto errout_qdisc;
		}

		/* Always take reference to block in order to support execution
		 * of rules update path of cls API without rtnl lock. Caller
		 * must release block when it is finished using it. The 'if'
		 * block of this conditional obtains a reference to the block
		 * by calling tcf_block_refcnt_get().
		 */
		refcount_inc(&block->refcnt);
	}

	return block;

errout_rcu:
	rcu_read_unlock();
errout_qdisc:
	if (*q) {
		qdisc_put(*q);
		*q = NULL;
	}
	return ERR_PTR(err);
}

static void tcf_block_release(struct Qdisc *q, struct tcf_block *block)
{
	if (!IS_ERR_OR_NULL(block))
		tcf_block_refcnt_put(block);

	if (q)
		qdisc_put(q);
}

struct tcf_block_owner_item {
	struct list_head list;
	struct Qdisc *q;
	enum tcf_block_binder_type binder_type;
};

static void
tcf_block_owner_netif_keep_dst(struct tcf_block *block,
			       struct Qdisc *q,
			       enum tcf_block_binder_type binder_type)
{
	if (block->keep_dst &&
	    binder_type != TCF_BLOCK_BINDER_TYPE_CLSACT_INGRESS &&
	    binder_type != TCF_BLOCK_BINDER_TYPE_CLSACT_EGRESS)
		netif_keep_dst(qdisc_dev(q));
}

void tcf_block_netif_keep_dst(struct tcf_block *block)
{
	struct tcf_block_owner_item *item;

	block->keep_dst = true;
	list_for_each_entry(item, &block->owner_list, list)
		tcf_block_owner_netif_keep_dst(block, item->q,
					       item->binder_type);
}
EXPORT_SYMBOL(tcf_block_netif_keep_dst);

static int tcf_block_owner_add(struct tcf_block *block,
			       struct Qdisc *q,
			       enum tcf_block_binder_type binder_type)
{
	struct tcf_block_owner_item *item;

	item = kmalloc(sizeof(*item), GFP_KERNEL);
	if (!item)
		return -ENOMEM;
	item->q = q;
	item->binder_type = binder_type;
	list_add(&item->list, &block->owner_list);
	return 0;
}

static void tcf_block_owner_del(struct tcf_block *block,
				struct Qdisc *q,
				enum tcf_block_binder_type binder_type)
{
	struct tcf_block_owner_item *item;

	list_for_each_entry(item, &block->owner_list, list) {
		if (item->q == q && item->binder_type == binder_type) {
			list_del(&item->list);
			kfree(item);
			return;
		}
	}
	WARN_ON(1);
}

int tcf_block_get_ext(struct tcf_block **p_block, struct Qdisc *q,
		      struct tcf_block_ext_info *ei,
		      struct netlink_ext_ack *extack)
{
	struct net *net = qdisc_net(q);
	struct tcf_block *block = NULL;
	int err;

	if (ei->block_index)
		/* block_index not 0 means the shared block is requested */
		block = tcf_block_refcnt_get(net, ei->block_index);

	if (!block) {
		block = tcf_block_create(net, q, ei->block_index, extack);
		if (IS_ERR(block))
			return PTR_ERR(block);
		if (tcf_block_shared(block)) {
			err = tcf_block_insert(block, net, extack);
			if (err)
				goto err_block_insert;
		}
	}

	err = tcf_block_owner_add(block, q, ei->binder_type);
	if (err)
		goto err_block_owner_add;

	tcf_block_owner_netif_keep_dst(block, q, ei->binder_type);

	err = tcf_chain0_head_change_cb_add(block, ei, extack);
	if (err)
		goto err_chain0_head_change_cb_add;

	err = tcf_block_offload_bind(block, q, ei, extack);
	if (err)
		goto err_block_offload_bind;

	*p_block = block;
	return 0;

err_block_offload_bind:
	tcf_chain0_head_change_cb_del(block, ei);
err_chain0_head_change_cb_add:
	tcf_block_owner_del(block, q, ei->binder_type);
err_block_owner_add:
err_block_insert:
	tcf_block_refcnt_put(block);
	return err;
}
EXPORT_SYMBOL(tcf_block_get_ext);
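/* Usage sketch (illustrative): a simple classful qdisc attaches a block
 * from its ->init() and detaches it from ->destroy():
 *
 *	err = tcf_block_get(&q->block, &q->filter_list, sch, extack);
 *	if (err)
 *		return err;
 *	...
 *	tcf_block_put(q->block);
 */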
static void tcf_chain_head_change_dflt(struct tcf_proto *tp_head, void *priv)
{
	struct tcf_proto __rcu **p_filter_chain = priv;

	rcu_assign_pointer(*p_filter_chain, tp_head);
}

int tcf_block_get(struct tcf_block **p_block,
		  struct tcf_proto __rcu **p_filter_chain, struct Qdisc *q,
		  struct netlink_ext_ack *extack)
{
	struct tcf_block_ext_info ei = {
		.chain_head_change = tcf_chain_head_change_dflt,
		.chain_head_change_priv = p_filter_chain,
	};

	WARN_ON(!p_filter_chain);
	return tcf_block_get_ext(p_block, q, &ei, extack);
}
EXPORT_SYMBOL(tcf_block_get);

/* XXX: Standalone actions are not allowed to jump to any chain, and bound
 * actions should be all removed after flushing.
 */
void tcf_block_put_ext(struct tcf_block *block, struct Qdisc *q,
		       struct tcf_block_ext_info *ei)
{
	if (!block)
		return;
	tcf_chain0_head_change_cb_del(block, ei);
	tcf_block_owner_del(block, q, ei->binder_type);

	__tcf_block_put(block, q, ei);
}
EXPORT_SYMBOL(tcf_block_put_ext);

void tcf_block_put(struct tcf_block *block)
{
	struct tcf_block_ext_info ei = {0, };

	if (!block)
		return;
	tcf_block_put_ext(block, block->q, &ei);
}

EXPORT_SYMBOL(tcf_block_put);

struct tcf_block_cb {
	struct list_head list;
	tc_setup_cb_t *cb;
	void *cb_ident;
	void *cb_priv;
	unsigned int refcnt;
};

void *tcf_block_cb_priv(struct tcf_block_cb *block_cb)
{
	return block_cb->cb_priv;
}
EXPORT_SYMBOL(tcf_block_cb_priv);

struct tcf_block_cb *tcf_block_cb_lookup(struct tcf_block *block,
					 tc_setup_cb_t *cb, void *cb_ident)
{
	struct tcf_block_cb *block_cb;

	list_for_each_entry(block_cb, &block->cb_list, list)
		if (block_cb->cb == cb && block_cb->cb_ident == cb_ident)
			return block_cb;
	return NULL;
}
EXPORT_SYMBOL(tcf_block_cb_lookup);

void tcf_block_cb_incref(struct tcf_block_cb *block_cb)
{
	block_cb->refcnt++;
}
EXPORT_SYMBOL(tcf_block_cb_incref);

unsigned int tcf_block_cb_decref(struct tcf_block_cb *block_cb)
{
	return --block_cb->refcnt;
}
EXPORT_SYMBOL(tcf_block_cb_decref);

static int
tcf_block_playback_offloads(struct tcf_block *block, tc_setup_cb_t *cb,
			    void *cb_priv, bool add, bool offload_in_use,
			    struct netlink_ext_ack *extack)
{
	struct tcf_chain *chain;
	struct tcf_proto *tp;
	int err;

	list_for_each_entry(chain, &block->chain_list, list) {
		for (tp = rtnl_dereference(chain->filter_chain); tp;
		     tp = rtnl_dereference(tp->next)) {
			if (tp->ops->reoffload) {
				err = tp->ops->reoffload(tp, add, cb, cb_priv,
							 extack);
				if (err && add)
					goto err_playback_remove;
			} else if (add && offload_in_use) {
				err = -EOPNOTSUPP;
				NL_SET_ERR_MSG(extack, "Filter HW offload failed - classifier without re-offloading support");
				goto err_playback_remove;
			}
		}
	}

	return 0;

err_playback_remove:
	tcf_block_playback_offloads(block, cb, cb_priv, false, offload_in_use,
				    extack);
	return err;
}
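/* When a callback is registered on a block that already contains
 * filters, those filters are replayed to the new callback (and removed
 * again on unregister) via tcf_block_playback_offloads(), so hardware
 * state stays consistent with the software rule set.
 */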
struct tcf_block_cb *__tcf_block_cb_register(struct tcf_block *block,
					     tc_setup_cb_t *cb, void *cb_ident,
					     void *cb_priv,
					     struct netlink_ext_ack *extack)
{
	struct tcf_block_cb *block_cb;
	int err;

	/* Replay any already present rules */
	err = tcf_block_playback_offloads(block, cb, cb_priv, true,
					  tcf_block_offload_in_use(block),
					  extack);
	if (err)
		return ERR_PTR(err);

	block_cb = kzalloc(sizeof(*block_cb), GFP_KERNEL);
	if (!block_cb)
		return ERR_PTR(-ENOMEM);
	block_cb->cb = cb;
	block_cb->cb_ident = cb_ident;
	block_cb->cb_priv = cb_priv;
	list_add(&block_cb->list, &block->cb_list);
	return block_cb;
}
EXPORT_SYMBOL(__tcf_block_cb_register);

int tcf_block_cb_register(struct tcf_block *block,
			  tc_setup_cb_t *cb, void *cb_ident,
			  void *cb_priv, struct netlink_ext_ack *extack)
{
	struct tcf_block_cb *block_cb;

	block_cb = __tcf_block_cb_register(block, cb, cb_ident, cb_priv,
					   extack);
	return PTR_ERR_OR_ZERO(block_cb);
}
EXPORT_SYMBOL(tcf_block_cb_register);

void __tcf_block_cb_unregister(struct tcf_block *block,
			       struct tcf_block_cb *block_cb)
{
	tcf_block_playback_offloads(block, block_cb->cb, block_cb->cb_priv,
				    false, tcf_block_offload_in_use(block),
				    NULL);
	list_del(&block_cb->list);
	kfree(block_cb);
}
EXPORT_SYMBOL(__tcf_block_cb_unregister);

void tcf_block_cb_unregister(struct tcf_block *block,
			     tc_setup_cb_t *cb, void *cb_ident)
{
	struct tcf_block_cb *block_cb;

	block_cb = tcf_block_cb_lookup(block, cb, cb_ident);
	if (!block_cb)
		return;
	__tcf_block_cb_unregister(block, block_cb);
}
EXPORT_SYMBOL(tcf_block_cb_unregister);

static int tcf_block_cb_call(struct tcf_block *block, enum tc_setup_type type,
			     void *type_data, bool err_stop)
{
	struct tcf_block_cb *block_cb;
	int ok_count = 0;
	int err;

	/* Make sure all netdevs sharing this block are offload-capable. */
	if (block->nooffloaddevcnt && err_stop)
		return -EOPNOTSUPP;

	list_for_each_entry(block_cb, &block->cb_list, list) {
		err = block_cb->cb(type, type_data, block_cb->cb_priv);
		if (err) {
			if (err_stop)
				return err;
		} else {
			ok_count++;
		}
	}
	return ok_count;
}
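/* tcf_classify() below walks the filter list in priority order. Each
 * tp->classify() verdict >= 0 terminates the walk; TC_ACT_RECLASSIFY
 * restarts it from the head, and a "goto chain" verdict continues at
 * the head of the target chain. Both restarts are bounded by
 * max_reclassify_loop to guard against rule loops.
 */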
/* Main classifier routine: scans classifier chain attached
 * to this qdisc, (optionally) tests for protocol and asks
 * specific classifiers.
 */
int tcf_classify(struct sk_buff *skb, const struct tcf_proto *tp,
		 struct tcf_result *res, bool compat_mode)
{
	__be16 protocol = tc_skb_protocol(skb);
#ifdef CONFIG_NET_CLS_ACT
	const int max_reclassify_loop = 4;
	const struct tcf_proto *orig_tp = tp;
	const struct tcf_proto *first_tp;
	int limit = 0;

reclassify:
#endif
	for (; tp; tp = rcu_dereference_bh(tp->next)) {
		int err;

		if (tp->protocol != protocol &&
		    tp->protocol != htons(ETH_P_ALL))
			continue;

		err = tp->classify(skb, tp, res);
#ifdef CONFIG_NET_CLS_ACT
		if (unlikely(err == TC_ACT_RECLASSIFY && !compat_mode)) {
			first_tp = orig_tp;
			goto reset;
		} else if (unlikely(TC_ACT_EXT_CMP(err, TC_ACT_GOTO_CHAIN))) {
			first_tp = res->goto_tp;
			goto reset;
		}
#endif
		if (err >= 0)
			return err;
	}

	return TC_ACT_UNSPEC; /* signal: continue lookup */
#ifdef CONFIG_NET_CLS_ACT
reset:
	if (unlikely(limit++ >= max_reclassify_loop)) {
		net_notice_ratelimited("%u: reclassify loop, rule prio %u, protocol %02x\n",
				       tp->chain->block->index,
				       tp->prio & 0xffff,
				       ntohs(tp->protocol));
		return TC_ACT_SHOT;
	}

	tp = first_tp;
	protocol = tc_skb_protocol(skb);
	goto reclassify;
#endif
}
EXPORT_SYMBOL(tcf_classify);

struct tcf_chain_info {
	struct tcf_proto __rcu **pprev;
	struct tcf_proto __rcu *next;
};

static struct tcf_proto *tcf_chain_tp_prev(struct tcf_chain_info *chain_info)
{
	return rtnl_dereference(*chain_info->pprev);
}

static void tcf_chain_tp_insert(struct tcf_chain *chain,
				struct tcf_chain_info *chain_info,
				struct tcf_proto *tp)
{
	if (*chain_info->pprev == chain->filter_chain)
		tcf_chain0_head_change(chain, tp);
	RCU_INIT_POINTER(tp->next, tcf_chain_tp_prev(chain_info));
	rcu_assign_pointer(*chain_info->pprev, tp);
	tcf_chain_hold(chain);
}

static void tcf_chain_tp_remove(struct tcf_chain *chain,
				struct tcf_chain_info *chain_info,
				struct tcf_proto *tp)
{
	struct tcf_proto *next = rtnl_dereference(chain_info->next);

	if (tp == chain->filter_chain)
		tcf_chain0_head_change(chain, next);
	RCU_INIT_POINTER(*chain_info->pprev, next);
	tcf_chain_put(chain);
}
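/* tcf_chain_tp_find() returns the tcf_proto matching protocol/prio,
 * NULL if the priority slot is free, or ERR_PTR(-EINVAL) when the
 * priority exists but the protocol differs (or when the caller asked
 * to auto-allocate a priority that is already in use).
 */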
static struct tcf_proto *tcf_chain_tp_find(struct tcf_chain *chain,
					   struct tcf_chain_info *chain_info,
					   u32 protocol, u32 prio,
					   bool prio_allocate)
{
	struct tcf_proto **pprev;
	struct tcf_proto *tp;

	/* Check the chain for existence of proto-tcf with this priority */
	for (pprev = &chain->filter_chain;
	     (tp = rtnl_dereference(*pprev)); pprev = &tp->next) {
		if (tp->prio >= prio) {
			if (tp->prio == prio) {
				if (prio_allocate ||
				    (tp->protocol != protocol && protocol))
					return ERR_PTR(-EINVAL);
			} else {
				tp = NULL;
			}
			break;
		}
	}
	chain_info->pprev = pprev;
	chain_info->next = tp ? tp->next : NULL;
	return tp;
}

static int tcf_fill_node(struct net *net, struct sk_buff *skb,
			 struct tcf_proto *tp, struct tcf_block *block,
			 struct Qdisc *q, u32 parent, void *fh,
			 u32 portid, u32 seq, u16 flags, int event)
{
	struct tcmsg *tcm;
	struct nlmsghdr *nlh;
	unsigned char *b = skb_tail_pointer(skb);

	nlh = nlmsg_put(skb, portid, seq, event, sizeof(*tcm), flags);
	if (!nlh)
		goto out_nlmsg_trim;
	tcm = nlmsg_data(nlh);
	tcm->tcm_family = AF_UNSPEC;
	tcm->tcm__pad1 = 0;
	tcm->tcm__pad2 = 0;
	if (q) {
		tcm->tcm_ifindex = qdisc_dev(q)->ifindex;
		tcm->tcm_parent = parent;
	} else {
		tcm->tcm_ifindex = TCM_IFINDEX_MAGIC_BLOCK;
		tcm->tcm_block_index = block->index;
	}
	tcm->tcm_info = TC_H_MAKE(tp->prio, tp->protocol);
	if (nla_put_string(skb, TCA_KIND, tp->ops->kind))
		goto nla_put_failure;
	if (nla_put_u32(skb, TCA_CHAIN, tp->chain->index))
		goto nla_put_failure;
	if (!fh) {
		tcm->tcm_handle = 0;
	} else {
		if (tp->ops->dump && tp->ops->dump(net, tp, fh, skb, tcm) < 0)
			goto nla_put_failure;
	}
	nlh->nlmsg_len = skb_tail_pointer(skb) - b;
	return skb->len;

out_nlmsg_trim:
nla_put_failure:
	nlmsg_trim(skb, b);
	return -1;
}

static int tfilter_notify(struct net *net, struct sk_buff *oskb,
			  struct nlmsghdr *n, struct tcf_proto *tp,
			  struct tcf_block *block, struct Qdisc *q,
			  u32 parent, void *fh, int event, bool unicast)
{
	struct sk_buff *skb;
	u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;

	skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
	if (!skb)
		return -ENOBUFS;

	if (tcf_fill_node(net, skb, tp, block, q, parent, fh, portid,
			  n->nlmsg_seq, n->nlmsg_flags, event) <= 0) {
		kfree_skb(skb);
		return -EINVAL;
	}

	if (unicast)
		return netlink_unicast(net->rtnl, skb, portid, MSG_DONTWAIT);

	return rtnetlink_send(skb, net, portid, RTNLGRP_TC,
			      n->nlmsg_flags & NLM_F_ECHO);
}
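/* Note the ordering in tfilter_del_notify(): the notification skb is
 * filled while fh is still valid and only then is tp->ops->delete()
 * called, since the handle cannot be dumped once it has been deleted.
 */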
static int tfilter_del_notify(struct net *net, struct sk_buff *oskb,
			      struct nlmsghdr *n, struct tcf_proto *tp,
			      struct tcf_block *block, struct Qdisc *q,
			      u32 parent, void *fh, bool unicast, bool *last,
			      struct netlink_ext_ack *extack)
{
	struct sk_buff *skb;
	u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
	int err;

	skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
	if (!skb)
		return -ENOBUFS;

	if (tcf_fill_node(net, skb, tp, block, q, parent, fh, portid,
			  n->nlmsg_seq, n->nlmsg_flags, RTM_DELTFILTER) <= 0) {
		NL_SET_ERR_MSG(extack, "Failed to build del event notification");
		kfree_skb(skb);
		return -EINVAL;
	}

	err = tp->ops->delete(tp, fh, last, extack);
	if (err) {
		kfree_skb(skb);
		return err;
	}

	if (unicast)
		return netlink_unicast(net->rtnl, skb, portid, MSG_DONTWAIT);

	err = rtnetlink_send(skb, net, portid, RTNLGRP_TC,
			     n->nlmsg_flags & NLM_F_ECHO);
	if (err < 0)
		NL_SET_ERR_MSG(extack, "Failed to send filter delete notification");
	return err;
}

static void tfilter_notify_chain(struct net *net, struct sk_buff *oskb,
				 struct tcf_block *block, struct Qdisc *q,
				 u32 parent, struct nlmsghdr *n,
				 struct tcf_chain *chain, int event)
{
	struct tcf_proto *tp;

	for (tp = rtnl_dereference(chain->filter_chain);
	     tp; tp = rtnl_dereference(tp->next))
		tfilter_notify(net, oskb, n, tp, block,
			       q, parent, NULL, event, false);
}
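/* The three handlers below implement the RTM_*TFILTER requests.
 * Illustrative mapping to the tc CLI:
 *	"tc filter add/change/replace"	-> tc_new_tfilter()
 *	"tc filter del"			-> tc_del_tfilter()
 *	"tc filter get"			-> tc_get_tfilter()
 */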
static int tc_new_tfilter(struct sk_buff *skb, struct nlmsghdr *n,
			  struct netlink_ext_ack *extack)
{
	struct net *net = sock_net(skb->sk);
	struct nlattr *tca[TCA_MAX + 1];
	struct tcmsg *t;
	u32 protocol;
	u32 prio;
	bool prio_allocate;
	u32 parent;
	u32 chain_index;
	struct Qdisc *q = NULL;
	struct tcf_chain_info chain_info;
	struct tcf_chain *chain = NULL;
	struct tcf_block *block;
	struct tcf_proto *tp;
	unsigned long cl;
	void *fh;
	int err;
	int tp_created;

	if (!netlink_ns_capable(skb, net->user_ns, CAP_NET_ADMIN))
		return -EPERM;

replay:
	tp_created = 0;

	err = nlmsg_parse(n, sizeof(*t), tca, TCA_MAX, rtm_tca_policy, extack);
	if (err < 0)
		return err;

	t = nlmsg_data(n);
	protocol = TC_H_MIN(t->tcm_info);
	prio = TC_H_MAJ(t->tcm_info);
	prio_allocate = false;
	parent = t->tcm_parent;
	cl = 0;

	if (prio == 0) {
		/* If no priority is provided by the user,
		 * we allocate one.
		 */
		if (n->nlmsg_flags & NLM_F_CREATE) {
			prio = TC_H_MAKE(0x80000000U, 0U);
			prio_allocate = true;
		} else {
			NL_SET_ERR_MSG(extack, "Invalid filter command with priority of zero");
			return -ENOENT;
		}
	}

	/* Find head of filter chain. */

	block = tcf_block_find(net, &q, &parent, &cl,
			       t->tcm_ifindex, t->tcm_block_index, extack);
	if (IS_ERR(block)) {
		err = PTR_ERR(block);
		goto errout;
	}

	chain_index = tca[TCA_CHAIN] ? nla_get_u32(tca[TCA_CHAIN]) : 0;
	if (chain_index > TC_ACT_EXT_VAL_MASK) {
		NL_SET_ERR_MSG(extack, "Specified chain index exceeds upper limit");
		err = -EINVAL;
		goto errout;
	}
	chain = tcf_chain_get(block, chain_index, true);
	if (!chain) {
		NL_SET_ERR_MSG(extack, "Cannot create specified filter chain");
		err = -ENOMEM;
		goto errout;
	}

	tp = tcf_chain_tp_find(chain, &chain_info, protocol,
			       prio, prio_allocate);
	if (IS_ERR(tp)) {
		NL_SET_ERR_MSG(extack, "Filter with specified priority/protocol not found");
		err = PTR_ERR(tp);
		goto errout;
	}

	if (tp == NULL) {
		/* Proto-tcf does not exist, create new one */

		if (tca[TCA_KIND] == NULL || !protocol) {
			NL_SET_ERR_MSG(extack, "Filter kind and protocol must be specified");
			err = -EINVAL;
			goto errout;
		}

		if (!(n->nlmsg_flags & NLM_F_CREATE)) {
			NL_SET_ERR_MSG(extack, "Need both RTM_NEWTFILTER and NLM_F_CREATE to create a new filter");
			err = -ENOENT;
			goto errout;
		}

		if (prio_allocate)
			prio = tcf_auto_prio(tcf_chain_tp_prev(&chain_info));

		tp = tcf_proto_create(nla_data(tca[TCA_KIND]),
				      protocol, prio, chain, extack);
		if (IS_ERR(tp)) {
			err = PTR_ERR(tp);
			goto errout;
		}
		tp_created = 1;
	} else if (tca[TCA_KIND] && nla_strcmp(tca[TCA_KIND], tp->ops->kind)) {
		NL_SET_ERR_MSG(extack, "Specified filter kind does not match existing one");
		err = -EINVAL;
		goto errout;
	}

	fh = tp->ops->get(tp, t->tcm_handle);

	if (!fh) {
		if (!(n->nlmsg_flags & NLM_F_CREATE)) {
			NL_SET_ERR_MSG(extack, "Need both RTM_NEWTFILTER and NLM_F_CREATE to create a new filter");
			err = -ENOENT;
			goto errout;
		}
	} else if (n->nlmsg_flags & NLM_F_EXCL) {
		NL_SET_ERR_MSG(extack, "Filter already exists");
		err = -EEXIST;
		goto errout;
	}

	if (chain->tmplt_ops && chain->tmplt_ops != tp->ops) {
		NL_SET_ERR_MSG(extack, "Chain template is set to a different filter kind");
		err = -EINVAL;
		goto errout;
	}

	err = tp->ops->change(net, skb, tp, cl, t->tcm_handle, tca, &fh,
			      n->nlmsg_flags & NLM_F_CREATE ? TCA_ACT_NOREPLACE : TCA_ACT_REPLACE,
			      extack);
	if (err == 0) {
		if (tp_created)
			tcf_chain_tp_insert(chain, &chain_info, tp);
		tfilter_notify(net, skb, n, tp, block, q, parent, fh,
			       RTM_NEWTFILTER, false);
	} else {
		if (tp_created)
			tcf_proto_destroy(tp, NULL);
	}

errout:
	if (chain)
		tcf_chain_put(chain);
	tcf_block_release(q, block);
	if (err == -EAGAIN)
		/* Replay the request. */
		goto replay;
	return err;
}

static int tc_del_tfilter(struct sk_buff *skb, struct nlmsghdr *n,
			  struct netlink_ext_ack *extack)
{
	struct net *net = sock_net(skb->sk);
	struct nlattr *tca[TCA_MAX + 1];
	struct tcmsg *t;
	u32 protocol;
	u32 prio;
	u32 parent;
	u32 chain_index;
	struct Qdisc *q = NULL;
	struct tcf_chain_info chain_info;
	struct tcf_chain *chain = NULL;
	struct tcf_block *block;
	struct tcf_proto *tp = NULL;
	unsigned long cl = 0;
	void *fh = NULL;
	int err;

	if (!netlink_ns_capable(skb, net->user_ns, CAP_NET_ADMIN))
		return -EPERM;

	err = nlmsg_parse(n, sizeof(*t), tca, TCA_MAX, rtm_tca_policy, extack);
	if (err < 0)
		return err;

	t = nlmsg_data(n);
	protocol = TC_H_MIN(t->tcm_info);
	prio = TC_H_MAJ(t->tcm_info);
	parent = t->tcm_parent;

	if (prio == 0 && (protocol || t->tcm_handle || tca[TCA_KIND])) {
		NL_SET_ERR_MSG(extack, "Cannot flush filters with protocol, handle or kind set");
		return -ENOENT;
	}

	/* Find head of filter chain. */

	block = tcf_block_find(net, &q, &parent, &cl,
			       t->tcm_ifindex, t->tcm_block_index, extack);
	if (IS_ERR(block)) {
		err = PTR_ERR(block);
		goto errout;
	}

	chain_index = tca[TCA_CHAIN] ? nla_get_u32(tca[TCA_CHAIN]) : 0;
	if (chain_index > TC_ACT_EXT_VAL_MASK) {
		NL_SET_ERR_MSG(extack, "Specified chain index exceeds upper limit");
		err = -EINVAL;
		goto errout;
	}
	chain = tcf_chain_get(block, chain_index, false);
	if (!chain) {
		/* User requested flush on non-existent chain. Nothing to do,
		 * so just return success.
		 */
		if (prio == 0) {
			err = 0;
			goto errout;
		}
		NL_SET_ERR_MSG(extack, "Cannot find specified filter chain");
		err = -ENOENT;
		goto errout;
	}

	if (prio == 0) {
		tfilter_notify_chain(net, skb, block, q, parent, n,
				     chain, RTM_DELTFILTER);
		tcf_chain_flush(chain);
		err = 0;
		goto errout;
	}

	tp = tcf_chain_tp_find(chain, &chain_info, protocol,
			       prio, false);
	if (!tp || IS_ERR(tp)) {
		NL_SET_ERR_MSG(extack, "Filter with specified priority/protocol not found");
		err = tp ? PTR_ERR(tp) : -ENOENT;
		goto errout;
	} else if (tca[TCA_KIND] && nla_strcmp(tca[TCA_KIND], tp->ops->kind)) {
		NL_SET_ERR_MSG(extack, "Specified filter kind does not match existing one");
		err = -EINVAL;
		goto errout;
	}

	fh = tp->ops->get(tp, t->tcm_handle);

	if (!fh) {
		if (t->tcm_handle == 0) {
			tcf_chain_tp_remove(chain, &chain_info, tp);
			tfilter_notify(net, skb, n, tp, block, q, parent, fh,
				       RTM_DELTFILTER, false);
			tcf_proto_destroy(tp, extack);
			err = 0;
		} else {
			NL_SET_ERR_MSG(extack, "Specified filter handle not found");
			err = -ENOENT;
		}
	} else {
		bool last;

		err = tfilter_del_notify(net, skb, n, tp, block,
					 q, parent, fh, false, &last,
					 extack);
		if (err)
			goto errout;
		if (last) {
			tcf_chain_tp_remove(chain, &chain_info, tp);
			tcf_proto_destroy(tp, extack);
		}
	}

errout:
	if (chain)
		tcf_chain_put(chain);
	tcf_block_release(q, block);
	return err;
}

static int tc_get_tfilter(struct sk_buff *skb, struct nlmsghdr *n,
			  struct netlink_ext_ack *extack)
{
	struct net *net = sock_net(skb->sk);
	struct nlattr *tca[TCA_MAX + 1];
	struct tcmsg *t;
	u32 protocol;
	u32 prio;
	u32 parent;
	u32 chain_index;
	struct Qdisc *q = NULL;
	struct tcf_chain_info chain_info;
	struct tcf_chain *chain = NULL;
	struct tcf_block *block;
	struct tcf_proto *tp = NULL;
	unsigned long cl = 0;
	void *fh = NULL;
	int err;

	err = nlmsg_parse(n, sizeof(*t), tca, TCA_MAX, rtm_tca_policy, extack);
	if (err < 0)
		return err;

	t = nlmsg_data(n);
	protocol = TC_H_MIN(t->tcm_info);
	prio = TC_H_MAJ(t->tcm_info);
	parent = t->tcm_parent;

	if (prio == 0) {
		NL_SET_ERR_MSG(extack, "Invalid filter command with priority of zero");
		return -ENOENT;
	}

	/* Find head of filter chain. */

	block = tcf_block_find(net, &q, &parent, &cl,
			       t->tcm_ifindex, t->tcm_block_index, extack);
	if (IS_ERR(block)) {
		err = PTR_ERR(block);
		goto errout;
	}

	chain_index = tca[TCA_CHAIN] ? nla_get_u32(tca[TCA_CHAIN]) : 0;
	if (chain_index > TC_ACT_EXT_VAL_MASK) {
		NL_SET_ERR_MSG(extack, "Specified chain index exceeds upper limit");
		err = -EINVAL;
		goto errout;
	}
	chain = tcf_chain_get(block, chain_index, false);
	if (!chain) {
		NL_SET_ERR_MSG(extack, "Cannot find specified filter chain");
		err = -EINVAL;
		goto errout;
	}

	tp = tcf_chain_tp_find(chain, &chain_info, protocol,
			       prio, false);
	if (!tp || IS_ERR(tp)) {
		NL_SET_ERR_MSG(extack, "Filter with specified priority/protocol not found");
		err = tp ? PTR_ERR(tp) : -ENOENT;
		goto errout;
	} else if (tca[TCA_KIND] && nla_strcmp(tca[TCA_KIND], tp->ops->kind)) {
		NL_SET_ERR_MSG(extack, "Specified filter kind does not match existing one");
		err = -EINVAL;
		goto errout;
	}

	fh = tp->ops->get(tp, t->tcm_handle);

	if (!fh) {
		NL_SET_ERR_MSG(extack, "Specified filter handle not found");
		err = -ENOENT;
	} else {
		err = tfilter_notify(net, skb, n, tp, block, q, parent,
				     fh, RTM_NEWTFILTER, true);
		if (err < 0)
			NL_SET_ERR_MSG(extack, "Failed to send filter notify message");
	}

errout:
	if (chain)
		tcf_chain_put(chain);
	tcf_block_release(q, block);
	return err;
}

struct tcf_dump_args {
	struct tcf_walker w;
	struct sk_buff *skb;
	struct netlink_callback *cb;
	struct tcf_block *block;
	struct Qdisc *q;
	u32 parent;
};

static int tcf_node_dump(struct tcf_proto *tp, void *n, struct tcf_walker *arg)
{
	struct tcf_dump_args *a = (void *)arg;
	struct net *net = sock_net(a->skb->sk);

	return tcf_fill_node(net, a->skb, tp, a->block, a->q, a->parent,
			     n, NETLINK_CB(a->cb->skb).portid,
			     a->cb->nlh->nlmsg_seq, NLM_F_MULTI,
			     RTM_NEWTFILTER);
}

static bool tcf_chain_dump(struct tcf_chain *chain, struct Qdisc *q, u32 parent,
			   struct sk_buff *skb, struct netlink_callback *cb,
			   long index_start, long *p_index)
{
	struct net *net = sock_net(skb->sk);
	struct tcf_block *block = chain->block;
	struct tcmsg *tcm = nlmsg_data(cb->nlh);
	struct tcf_dump_args arg;
	struct tcf_proto *tp;

	for (tp = rtnl_dereference(chain->filter_chain);
	     tp; tp = rtnl_dereference(tp->next), (*p_index)++) {
		if (*p_index < index_start)
			continue;
		if (TC_H_MAJ(tcm->tcm_info) &&
		    TC_H_MAJ(tcm->tcm_info) != tp->prio)
			continue;
		if (TC_H_MIN(tcm->tcm_info) &&
		    TC_H_MIN(tcm->tcm_info) != tp->protocol)
			continue;
		if (*p_index > index_start)
			memset(&cb->args[1], 0,
			       sizeof(cb->args) - sizeof(cb->args[0]));
		if (cb->args[1] == 0) {
			if (tcf_fill_node(net, skb, tp, block, q, parent, NULL,
					  NETLINK_CB(cb->skb).portid,
					  cb->nlh->nlmsg_seq, NLM_F_MULTI,
					  RTM_NEWTFILTER) <= 0)
				return false;

			cb->args[1] = 1;
		}
		if (!tp->ops->walk)
			continue;
		arg.w.fn = tcf_node_dump;
		arg.skb = skb;
		arg.cb = cb;
		arg.block = block;
		arg.q = q;
		arg.parent = parent;
		arg.w.stop = 0;
		arg.w.skip = cb->args[1] - 1;
		arg.w.count = 0;
		arg.w.cookie = cb->args[2];
		tp->ops->walk(tp, &arg.w);
		cb->args[2] = arg.w.cookie;
		cb->args[1] = arg.w.count + 1;
		if (arg.w.stop)
			return false;
	}
	return true;
}
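/* Dump resume state lives in cb->args[] (roughly): args[0] is the
 * index of the last fully dumped tcf_proto, args[1] records how far
 * the walk within the current tcf_proto got, and args[2] carries the
 * classifier's walk cookie across invocations.
 */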
/* called with RTNL */
static int tc_dump_tfilter(struct sk_buff *skb, struct netlink_callback *cb)
{
	struct net *net = sock_net(skb->sk);
	struct nlattr *tca[TCA_MAX + 1];
	struct Qdisc *q = NULL;
	struct tcf_block *block;
	struct tcf_chain *chain;
	struct tcmsg *tcm = nlmsg_data(cb->nlh);
	long index_start;
	long index;
	u32 parent;
	int err;

	if (nlmsg_len(cb->nlh) < sizeof(*tcm))
		return skb->len;

	err = nlmsg_parse(cb->nlh, sizeof(*tcm), tca, TCA_MAX, NULL,
			  cb->extack);
	if (err)
		return err;

	if (tcm->tcm_ifindex == TCM_IFINDEX_MAGIC_BLOCK) {
		block = tcf_block_refcnt_get(net, tcm->tcm_block_index);
		if (!block)
			goto out;
		/* If we work with block index, q is NULL and parent value
		 * will never be used in the following code. The check
		 * in tcf_fill_node prevents it. However, the compiler does
		 * not see that far, so set parent to zero to silence the
		 * warning about parent being uninitialized.
		 */
		parent = 0;
	} else {
		const struct Qdisc_class_ops *cops;
		struct net_device *dev;
		unsigned long cl = 0;

		dev = __dev_get_by_index(net, tcm->tcm_ifindex);
		if (!dev)
			return skb->len;

		parent = tcm->tcm_parent;
		if (!parent) {
			q = dev->qdisc;
			parent = q->handle;
		} else {
			q = qdisc_lookup(dev, TC_H_MAJ(tcm->tcm_parent));
		}
		if (!q)
			goto out;
		cops = q->ops->cl_ops;
		if (!cops)
			goto out;
		if (!cops->tcf_block)
			goto out;
		if (TC_H_MIN(tcm->tcm_parent)) {
			cl = cops->find(q, tcm->tcm_parent);
			if (cl == 0)
				goto out;
		}
		block = cops->tcf_block(q, cl, NULL);
		if (!block)
			goto out;
		if (tcf_block_shared(block))
			q = NULL;
	}

	index_start = cb->args[0];
	index = 0;

	list_for_each_entry(chain, &block->chain_list, list) {
		if (tca[TCA_CHAIN] &&
		    nla_get_u32(tca[TCA_CHAIN]) != chain->index)
			continue;
		if (!tcf_chain_dump(chain, q, parent, skb, cb,
				    index_start, &index)) {
			err = -EMSGSIZE;
			break;
		}
	}

	if (tcm->tcm_ifindex == TCM_IFINDEX_MAGIC_BLOCK)
		tcf_block_refcnt_put(block);
	cb->args[0] = index;

out:
	/* If we made no progress, the error (EMSGSIZE) is real */
	if (skb->len == 0 && err)
		return err;
	return skb->len;
}

static int tc_chain_fill_node(struct tcf_chain *chain, struct net *net,
			      struct sk_buff *skb, struct tcf_block *block,
			      u32 portid, u32 seq, u16 flags, int event)
{
	unsigned char *b = skb_tail_pointer(skb);
	const struct tcf_proto_ops *ops;
	struct nlmsghdr *nlh;
	struct tcmsg *tcm;
	void *priv;

	ops = chain->tmplt_ops;
	priv = chain->tmplt_priv;

	nlh = nlmsg_put(skb, portid, seq, event, sizeof(*tcm), flags);
	if (!nlh)
		goto out_nlmsg_trim;
	tcm = nlmsg_data(nlh);
	tcm->tcm_family = AF_UNSPEC;
	tcm->tcm__pad1 = 0;
	tcm->tcm__pad2 = 0;
	tcm->tcm_handle = 0;
	if (block->q) {
		tcm->tcm_ifindex = qdisc_dev(block->q)->ifindex;
		tcm->tcm_parent = block->q->handle;
	} else {
		tcm->tcm_ifindex = TCM_IFINDEX_MAGIC_BLOCK;
		tcm->tcm_block_index = block->index;
	}

	if (nla_put_u32(skb, TCA_CHAIN, chain->index))
		goto nla_put_failure;

	if (ops) {
		if (nla_put_string(skb, TCA_KIND, ops->kind))
			goto nla_put_failure;
		if (ops->tmplt_dump(skb, net, priv) < 0)
			goto nla_put_failure;
	}

	nlh->nlmsg_len = skb_tail_pointer(skb) - b;
	return skb->len;

out_nlmsg_trim:
nla_put_failure:
	nlmsg_trim(skb, b);
	return -EMSGSIZE;
}

static int tc_chain_notify(struct tcf_chain *chain, struct sk_buff *oskb,
			   u32 seq, u16 flags, int event, bool unicast)
{
	u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
	struct tcf_block *block = chain->block;
	struct net *net = block->net;
	struct sk_buff *skb;

	skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
	if (!skb)
		return -ENOBUFS;

	if (tc_chain_fill_node(chain, net, skb, block, portid,
			       seq, flags, event) <= 0) {
		kfree_skb(skb);
		return -EINVAL;
	}

	if (unicast)
		return netlink_unicast(net->rtnl, skb, portid, MSG_DONTWAIT);

	return rtnetlink_send(skb, net, portid, RTNLGRP_TC, flags & NLM_F_ECHO);
}

static int tc_chain_tmplt_add(struct tcf_chain *chain, struct net *net,
			      struct nlattr **tca,
			      struct netlink_ext_ack *extack)
{
	const struct tcf_proto_ops *ops;
	void *tmplt_priv;

	/* If kind is not set, user did not specify template. */
	if (!tca[TCA_KIND])
		return 0;

	ops = tcf_proto_lookup_ops(nla_data(tca[TCA_KIND]), extack);
	if (IS_ERR(ops))
		return PTR_ERR(ops);
	if (!ops->tmplt_create || !ops->tmplt_destroy || !ops->tmplt_dump) {
		NL_SET_ERR_MSG(extack, "Chain templates are not supported with specified classifier");
		return -EOPNOTSUPP;
	}

	tmplt_priv = ops->tmplt_create(net, chain, tca, extack);
	if (IS_ERR(tmplt_priv)) {
		module_put(ops->owner);
		return PTR_ERR(tmplt_priv);
	}
	chain->tmplt_ops = ops;
	chain->tmplt_priv = tmplt_priv;
	return 0;
}

static void tc_chain_tmplt_del(struct tcf_chain *chain)
{
	const struct tcf_proto_ops *ops = chain->tmplt_ops;

	/* If template ops are not set, there is no work to do. */
	if (!ops)
		return;

	ops->tmplt_destroy(chain->tmplt_priv);
	module_put(ops->owner);
}
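/* Chain templates (illustrative): a command along the lines of
 * "tc chain add dev eth0 ingress chain 1 protocol ip flower" pins
 * chain 1 to the flower kind; tc_new_tfilter() then rejects filters
 * on that chain whose kind differs from the template's.
 */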
/* Add/delete/get a chain */

static int tc_ctl_chain(struct sk_buff *skb, struct nlmsghdr *n,
			struct netlink_ext_ack *extack)
{
	struct net *net = sock_net(skb->sk);
	struct nlattr *tca[TCA_MAX + 1];
	struct tcmsg *t;
	u32 parent;
	u32 chain_index;
	struct Qdisc *q = NULL;
	struct tcf_chain *chain = NULL;
	struct tcf_block *block;
	unsigned long cl;
	int err;

	if (n->nlmsg_type != RTM_GETCHAIN &&
	    !netlink_ns_capable(skb, net->user_ns, CAP_NET_ADMIN))
		return -EPERM;

replay:
	err = nlmsg_parse(n, sizeof(*t), tca, TCA_MAX, rtm_tca_policy, extack);
	if (err < 0)
		return err;

	t = nlmsg_data(n);
	parent = t->tcm_parent;
	cl = 0;

	block = tcf_block_find(net, &q, &parent, &cl,
			       t->tcm_ifindex, t->tcm_block_index, extack);
	if (IS_ERR(block))
		return PTR_ERR(block);

	chain_index = tca[TCA_CHAIN] ? nla_get_u32(tca[TCA_CHAIN]) : 0;
	if (chain_index > TC_ACT_EXT_VAL_MASK) {
		NL_SET_ERR_MSG(extack, "Specified chain index exceeds upper limit");
		err = -EINVAL;
		goto errout_block;
	}
	chain = tcf_chain_lookup(block, chain_index);
	if (n->nlmsg_type == RTM_NEWCHAIN) {
		if (chain) {
			if (tcf_chain_held_by_acts_only(chain)) {
				/* The chain exists only because there is
				 * some action referencing it.
				 */
				tcf_chain_hold(chain);
			} else {
				NL_SET_ERR_MSG(extack, "Filter chain already exists");
				err = -EEXIST;
				goto errout_block;
			}
		} else {
			if (!(n->nlmsg_flags & NLM_F_CREATE)) {
				NL_SET_ERR_MSG(extack, "Need both RTM_NEWCHAIN and NLM_F_CREATE to create a new chain");
				err = -ENOENT;
				goto errout_block;
			}
			chain = tcf_chain_create(block, chain_index);
			if (!chain) {
				NL_SET_ERR_MSG(extack, "Failed to create filter chain");
				err = -ENOMEM;
				goto errout_block;
			}
		}
	} else {
		if (!chain || tcf_chain_held_by_acts_only(chain)) {
			NL_SET_ERR_MSG(extack, "Cannot find specified filter chain");
			err = -EINVAL;
			goto errout_block;
		}
		tcf_chain_hold(chain);
	}

	switch (n->nlmsg_type) {
	case RTM_NEWCHAIN:
		err = tc_chain_tmplt_add(chain, net, tca, extack);
		if (err)
			goto errout;
		/* In case the chain was successfully added, take a reference
		 * to the chain. This ensures that an empty chain
		 * does not disappear at the end of this function.
		 */
		tcf_chain_hold(chain);
		chain->explicitly_created = true;
		tc_chain_notify(chain, NULL, 0, NLM_F_CREATE | NLM_F_EXCL,
				RTM_NEWCHAIN, false);
		break;
	case RTM_DELCHAIN:
		tfilter_notify_chain(net, skb, block, q, parent, n,
				     chain, RTM_DELTFILTER);
		/* Flush the chain first as the user requested chain removal. */
		tcf_chain_flush(chain);
		/* In case the chain was successfully deleted, put a reference
		 * to the chain previously taken during addition.
		 */
		tcf_chain_put_explicitly_created(chain);
		chain->explicitly_created = false;
		break;
	case RTM_GETCHAIN:
		err = tc_chain_notify(chain, skb, n->nlmsg_seq,
				      n->nlmsg_seq, n->nlmsg_type, true);
		if (err < 0)
			NL_SET_ERR_MSG(extack, "Failed to send chain notify message");
		break;
	default:
		err = -EOPNOTSUPP;
		NL_SET_ERR_MSG(extack, "Unsupported message type");
		goto errout;
	}

errout:
	tcf_chain_put(chain);
errout_block:
	tcf_block_release(q, block);
	if (err == -EAGAIN)
		/* Replay the request. */
		goto replay;
	return err;
}

/* called with RTNL */
static int tc_dump_chain(struct sk_buff *skb, struct netlink_callback *cb)
{
	struct net *net = sock_net(skb->sk);
	struct nlattr *tca[TCA_MAX + 1];
	struct Qdisc *q = NULL;
	struct tcf_block *block;
	struct tcf_chain *chain;
	struct tcmsg *tcm = nlmsg_data(cb->nlh);
	long index_start;
	long index;
	u32 parent;
	int err;

	if (nlmsg_len(cb->nlh) < sizeof(*tcm))
		return skb->len;

	err = nlmsg_parse(cb->nlh, sizeof(*tcm), tca, TCA_MAX, rtm_tca_policy,
			  cb->extack);
	if (err)
		return err;

	if (tcm->tcm_ifindex == TCM_IFINDEX_MAGIC_BLOCK) {
		block = tcf_block_refcnt_get(net, tcm->tcm_block_index);
		if (!block)
			goto out;
		/* If we work with block index, q is NULL and parent value
		 * will never be used in the following code. The check
		 * in tcf_fill_node prevents it. However, the compiler does
		 * not see that far, so set parent to zero to silence the
		 * warning about parent being uninitialized.
		 */
		parent = 0;
	} else {
		const struct Qdisc_class_ops *cops;
		struct net_device *dev;
		unsigned long cl = 0;

		dev = __dev_get_by_index(net, tcm->tcm_ifindex);
		if (!dev)
			return skb->len;

		parent = tcm->tcm_parent;
		if (!parent) {
			q = dev->qdisc;
			parent = q->handle;
		} else {
			q = qdisc_lookup(dev, TC_H_MAJ(tcm->tcm_parent));
		}
		if (!q)
			goto out;
		cops = q->ops->cl_ops;
		if (!cops)
			goto out;
		if (!cops->tcf_block)
			goto out;
		if (TC_H_MIN(tcm->tcm_parent)) {
			cl = cops->find(q, tcm->tcm_parent);
			if (cl == 0)
				goto out;
		}
		block = cops->tcf_block(q, cl, NULL);
		if (!block)
			goto out;
		if (tcf_block_shared(block))
			q = NULL;
	}

	index_start = cb->args[0];
	index = 0;

	list_for_each_entry(chain, &block->chain_list, list) {
		if ((tca[TCA_CHAIN] &&
		     nla_get_u32(tca[TCA_CHAIN]) != chain->index))
			continue;
		if (index < index_start) {
			index++;
			continue;
		}
		if (tcf_chain_held_by_acts_only(chain))
			continue;
		err = tc_chain_fill_node(chain, net, skb, block,
					 NETLINK_CB(cb->skb).portid,
					 cb->nlh->nlmsg_seq, NLM_F_MULTI,
					 RTM_NEWCHAIN);
		if (err <= 0)
			break;
		index++;
	}

	if (tcm->tcm_ifindex == TCM_IFINDEX_MAGIC_BLOCK)
		tcf_block_refcnt_put(block);
	cb->args[0] = index;

out:
	/* If we made no progress, the error (EMSGSIZE) is real */
	if (skb->len == 0 && err)
		return err;
	return skb->len;
}
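/* tcf_exts usage sketch (illustrative, attribute names hypothetical):
 * a classifier embeds a struct tcf_exts and drives it as
 *
 *	err = tcf_exts_init(&e, TCA_FOO_ACT, TCA_FOO_POLICE);
 *	if (err < 0)
 *		return err;
 *	err = tcf_exts_validate(net, tp, tb, rate_tlv, &e, ovr, extack);
 *	...
 *	tcf_exts_destroy(&e);
 */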

/* called with RTNL */
static int tc_dump_chain(struct sk_buff *skb, struct netlink_callback *cb)
{
	struct net *net = sock_net(skb->sk);
	struct nlattr *tca[TCA_MAX + 1];
	struct Qdisc *q = NULL;
	struct tcf_block *block;
	struct tcf_chain *chain;
	struct tcmsg *tcm = nlmsg_data(cb->nlh);
	long index_start;
	long index;
	u32 parent;
	int err;

	if (nlmsg_len(cb->nlh) < sizeof(*tcm))
		return skb->len;

	err = nlmsg_parse(cb->nlh, sizeof(*tcm), tca, TCA_MAX, rtm_tca_policy,
			  cb->extack);
	if (err)
		return err;

	if (tcm->tcm_ifindex == TCM_IFINDEX_MAGIC_BLOCK) {
		block = tcf_block_refcnt_get(net, tcm->tcm_block_index);
		if (!block)
			goto out;
		/* If we work with a block index, q is NULL and the parent
		 * value is never used in the code below; the check in
		 * tcf_fill_node prevents it. The compiler cannot see that
		 * far, though, so set parent to zero to silence the
		 * uninitialized-variable warning.
		 */
		parent = 0;
	} else {
		const struct Qdisc_class_ops *cops;
		struct net_device *dev;
		unsigned long cl = 0;

		dev = __dev_get_by_index(net, tcm->tcm_ifindex);
		if (!dev)
			return skb->len;

		parent = tcm->tcm_parent;
		if (!parent) {
			q = dev->qdisc;
			parent = q->handle;
		} else {
			q = qdisc_lookup(dev, TC_H_MAJ(tcm->tcm_parent));
		}
		if (!q)
			goto out;
		cops = q->ops->cl_ops;
		if (!cops)
			goto out;
		if (!cops->tcf_block)
			goto out;
		if (TC_H_MIN(tcm->tcm_parent)) {
			cl = cops->find(q, tcm->tcm_parent);
			if (cl == 0)
				goto out;
		}
		block = cops->tcf_block(q, cl, NULL);
		if (!block)
			goto out;
		if (tcf_block_shared(block))
			q = NULL;
	}

	index_start = cb->args[0];
	index = 0;

	list_for_each_entry(chain, &block->chain_list, list) {
		if (tca[TCA_CHAIN] &&
		    nla_get_u32(tca[TCA_CHAIN]) != chain->index)
			continue;
		if (index < index_start) {
			index++;
			continue;
		}
		if (tcf_chain_held_by_acts_only(chain))
			continue;
		err = tc_chain_fill_node(chain, net, skb, block,
					 NETLINK_CB(cb->skb).portid,
					 cb->nlh->nlmsg_seq, NLM_F_MULTI,
					 RTM_NEWCHAIN);
		if (err <= 0)
			break;
		index++;
	}

	if (tcm->tcm_ifindex == TCM_IFINDEX_MAGIC_BLOCK)
		tcf_block_refcnt_put(block);
	cb->args[0] = index;

out:
	/* If we made no progress, the error (EMSGSIZE) is real. */
	if (skb->len == 0 && err)
		return err;
	return skb->len;
}

void tcf_exts_destroy(struct tcf_exts *exts)
{
#ifdef CONFIG_NET_CLS_ACT
	tcf_action_destroy(exts->actions, TCA_ACT_UNBIND);
	kfree(exts->actions);
	exts->nr_actions = 0;
#endif
}
EXPORT_SYMBOL(tcf_exts_destroy);

int tcf_exts_validate(struct net *net, struct tcf_proto *tp, struct nlattr **tb,
		      struct nlattr *rate_tlv, struct tcf_exts *exts, bool ovr,
		      struct netlink_ext_ack *extack)
{
#ifdef CONFIG_NET_CLS_ACT
	{
		struct tc_action *act;
		size_t attr_size = 0;

		if (exts->police && tb[exts->police]) {
			act = tcf_action_init_1(net, tp, tb[exts->police],
						rate_tlv, "police", ovr,
						TCA_ACT_BIND, true, extack);
			if (IS_ERR(act))
				return PTR_ERR(act);

			act->type = exts->type = TCA_OLD_COMPAT;
			exts->actions[0] = act;
			exts->nr_actions = 1;
		} else if (exts->action && tb[exts->action]) {
			int err;

			err = tcf_action_init(net, tp, tb[exts->action],
					      rate_tlv, NULL, ovr, TCA_ACT_BIND,
					      exts->actions, &attr_size, true,
					      extack);
			if (err < 0)
				return err;
			exts->nr_actions = err;
		}
		exts->net = net;
	}
#else
	if ((exts->action && tb[exts->action]) ||
	    (exts->police && tb[exts->police])) {
		NL_SET_ERR_MSG(extack, "Classifier actions are not supported per compile options (CONFIG_NET_CLS_ACT)");
		return -EOPNOTSUPP;
	}
#endif

	return 0;
}
EXPORT_SYMBOL(tcf_exts_validate);

void tcf_exts_change(struct tcf_exts *dst, struct tcf_exts *src)
{
#ifdef CONFIG_NET_CLS_ACT
	struct tcf_exts old = *dst;

	*dst = *src;
	tcf_exts_destroy(&old);
#endif
}
EXPORT_SYMBOL(tcf_exts_change);
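
/* A sketch of the usual pattern in a classifier's ->change() callback for
 * the two helpers above; TCA_FOO_ACT and TCA_FOO_POLICE stand in for the
 * classifier's own attribute IDs, and f is its hypothetical filter struct.
 * The new action set is built and validated on the side, then swapped in
 * under RTNL so readers never see a half-updated set:
 *
 *	struct tcf_exts e;
 *	int err;
 *
 *	err = tcf_exts_init(&e, TCA_FOO_ACT, TCA_FOO_POLICE);
 *	if (err < 0)
 *		return err;
 *	err = tcf_exts_validate(net, tp, tb, est, &e, ovr, extack);
 *	if (err < 0) {
 *		tcf_exts_destroy(&e);
 *		return err;
 *	}
 *	tcf_exts_change(&f->exts, &e);
 */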

#ifdef CONFIG_NET_CLS_ACT
static struct tc_action *tcf_exts_first_act(struct tcf_exts *exts)
{
	if (exts->nr_actions == 0)
		return NULL;
	else
		return exts->actions[0];
}
#endif

int tcf_exts_dump(struct sk_buff *skb, struct tcf_exts *exts)
{
#ifdef CONFIG_NET_CLS_ACT
	struct nlattr *nest;

	if (exts->action && tcf_exts_has_actions(exts)) {
		/* Again for backward compatible mode - we want to work
		 * with both old and new modes of entering tc data even
		 * if iproute2 was newer - jhs
		 */
		if (exts->type != TCA_OLD_COMPAT) {
			nest = nla_nest_start(skb, exts->action);
			if (nest == NULL)
				goto nla_put_failure;

			if (tcf_action_dump(skb, exts->actions, 0, 0) < 0)
				goto nla_put_failure;
			nla_nest_end(skb, nest);
		} else if (exts->police) {
			struct tc_action *act = tcf_exts_first_act(exts);

			nest = nla_nest_start(skb, exts->police);
			if (nest == NULL || !act)
				goto nla_put_failure;
			if (tcf_action_dump_old(skb, act, 0, 0) < 0)
				goto nla_put_failure;
			nla_nest_end(skb, nest);
		}
	}
	return 0;

nla_put_failure:
	nla_nest_cancel(skb, nest);
	return -1;
#else
	return 0;
#endif
}
EXPORT_SYMBOL(tcf_exts_dump);

int tcf_exts_dump_stats(struct sk_buff *skb, struct tcf_exts *exts)
{
#ifdef CONFIG_NET_CLS_ACT
	struct tc_action *a = tcf_exts_first_act(exts);

	if (a != NULL && tcf_action_copy_stats(skb, a, 1) < 0)
		return -1;
#endif
	return 0;
}
EXPORT_SYMBOL(tcf_exts_dump_stats);

static int tc_exts_setup_cb_egdev_call(struct tcf_exts *exts,
				       enum tc_setup_type type,
				       void *type_data, bool err_stop)
{
	int ok_count = 0;
#ifdef CONFIG_NET_CLS_ACT
	const struct tc_action *a;
	struct net_device *dev;
	int i, ret;

	if (!tcf_exts_has_actions(exts))
		return 0;

	for (i = 0; i < exts->nr_actions; i++) {
		a = exts->actions[i];
		if (!a->ops->get_dev)
			continue;
		dev = a->ops->get_dev(a);
		if (!dev)
			continue;
		ret = tc_setup_cb_egdev_call(dev, type, type_data, err_stop);
		a->ops->put_dev(dev);
		if (ret < 0)
			return ret;
		ok_count += ret;
	}
#endif
	return ok_count;
}

int tc_setup_cb_call(struct tcf_block *block, struct tcf_exts *exts,
		     enum tc_setup_type type, void *type_data, bool err_stop)
{
	int ok_count;
	int ret;

	ret = tcf_block_cb_call(block, type, type_data, err_stop);
	if (ret < 0)
		return ret;
	ok_count = ret;

	if (!exts || ok_count)
		return ok_count;
	ret = tc_exts_setup_cb_egdev_call(exts, type, type_data, err_stop);
	if (ret < 0)
		return ret;
	ok_count += ret;

	return ok_count;
}
EXPORT_SYMBOL(tc_setup_cb_call);

static __net_init int tcf_net_init(struct net *net)
{
	struct tcf_net *tn = net_generic(net, tcf_net_id);

	spin_lock_init(&tn->idr_lock);
	idr_init(&tn->idr);
	return 0;
}

static void __net_exit tcf_net_exit(struct net *net)
{
	struct tcf_net *tn = net_generic(net, tcf_net_id);

	idr_destroy(&tn->idr);
}

static struct pernet_operations tcf_net_ops = {
	.init = tcf_net_init,
	.exit = tcf_net_exit,
	.id = &tcf_net_id,
	.size = sizeof(struct tcf_net),
};
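
/* A sketch of how a classifier drives hardware offload through
 * tc_setup_cb_call() above. TC_SETUP_CLSFOO, struct tc_cls_foo_offload and
 * the filter struct f are hypothetical stand-ins; the point is the return
 * convention - a negative value is an error, a positive one counts the
 * callbacks that accepted the offload:
 *
 *	struct tc_cls_foo_offload cls_foo = {};
 *	int err;
 *
 *	tc_cls_common_offload_init(&cls_foo.common, tp, f->flags, extack);
 *	cls_foo.command = FOO_REPLACE;
 *	err = tc_setup_cb_call(block, &f->exts, TC_SETUP_CLSFOO,
 *			       &cls_foo, skip_sw);
 *	if (err < 0)
 *		return err;
 *	f->in_hw_count = err;
 */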

static int __init tc_filter_init(void)
{
	int err;

	tc_filter_wq = alloc_ordered_workqueue("tc_filter_workqueue", 0);
	if (!tc_filter_wq)
		return -ENOMEM;

	err = register_pernet_subsys(&tcf_net_ops);
	if (err)
		goto err_register_pernet_subsys;

	rtnl_register(PF_UNSPEC, RTM_NEWTFILTER, tc_new_tfilter, NULL, 0);
	rtnl_register(PF_UNSPEC, RTM_DELTFILTER, tc_del_tfilter, NULL, 0);
	rtnl_register(PF_UNSPEC, RTM_GETTFILTER, tc_get_tfilter,
		      tc_dump_tfilter, 0);
	rtnl_register(PF_UNSPEC, RTM_NEWCHAIN, tc_ctl_chain, NULL, 0);
	rtnl_register(PF_UNSPEC, RTM_DELCHAIN, tc_ctl_chain, NULL, 0);
	rtnl_register(PF_UNSPEC, RTM_GETCHAIN, tc_ctl_chain,
		      tc_dump_chain, 0);

	return 0;

err_register_pernet_subsys:
	destroy_workqueue(tc_filter_wq);
	return err;
}

subsys_initcall(tc_filter_init);
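
/* For completeness, an illustrative user-space session exercising the
 * filter handlers registered above (assuming a clsact qdisc is already
 * attached, as in the chain example earlier; names are arbitrary):
 *
 *	tc filter add dev eth0 ingress protocol ip \
 *		flower dst_ip 192.0.2.1 action drop    (RTM_NEWTFILTER)
 *	tc filter show dev eth0 ingress                (RTM_GETTFILTER, dump)
 *	tc filter del dev eth0 ingress                 (RTM_DELTFILTER)
 */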