2 * Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
3 * Copyright (c) 2016 Pablo Neira Ayuso <pablo@netfilter.org>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
9 * Development of this code funded by Astaro AG (http://www.astaro.com/)
12 #include <linux/kernel.h>
13 #include <linux/if_vlan.h>
14 #include <linux/init.h>
15 #include <linux/module.h>
16 #include <linux/netlink.h>
17 #include <linux/netfilter.h>
18 #include <linux/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_tables_core.h>
20 #include <net/netfilter/nf_tables.h>
21 /* For layer 4 checksum field offset. */
22 #include <linux/tcp.h>
23 #include <linux/udp.h>
24 #include <linux/icmpv6.h>
26 /* add vlan header into the user buffer for if tag was removed by offloads */
28 nft_payload_copy_vlan(u32 *d, const struct sk_buff *skb, u8 offset, u8 len)
30 int mac_off = skb_mac_header(skb) - skb->data;
31 u8 vlan_len, *vlanh, *dst_u8 = (u8 *) d;
32 struct vlan_ethhdr veth;
35 if (offset < ETH_HLEN) {
36 u8 ethlen = min_t(u8, len, ETH_HLEN - offset);
38 if (skb_copy_bits(skb, mac_off, &veth, ETH_HLEN))
41 veth.h_vlan_proto = skb->vlan_proto;
43 memcpy(dst_u8, vlanh + offset, ethlen);
51 } else if (offset >= VLAN_ETH_HLEN) {
56 veth.h_vlan_TCI = htons(skb_vlan_tag_get(skb));
57 veth.h_vlan_encapsulated_proto = skb->protocol;
61 vlan_len = min_t(u8, len, VLAN_ETH_HLEN - offset);
62 memcpy(dst_u8, vlanh, vlan_len);
70 return skb_copy_bits(skb, offset + mac_off, dst_u8, len) == 0;
73 static void nft_payload_eval(const struct nft_expr *expr,
74 struct nft_regs *regs,
75 const struct nft_pktinfo *pkt)
77 const struct nft_payload *priv = nft_expr_priv(expr);
78 const struct sk_buff *skb = pkt->skb;
79 u32 *dest = ®s->data[priv->dreg];
82 if (priv->len % NFT_REG32_SIZE)
83 dest[priv->len / NFT_REG32_SIZE] = 0;
86 case NFT_PAYLOAD_LL_HEADER:
87 if (!skb_mac_header_was_set(skb))
90 if (skb_vlan_tag_present(skb)) {
91 if (!nft_payload_copy_vlan(dest, skb,
92 priv->offset, priv->len))
96 offset = skb_mac_header(skb) - skb->data;
98 case NFT_PAYLOAD_NETWORK_HEADER:
99 offset = skb_network_offset(skb);
101 case NFT_PAYLOAD_TRANSPORT_HEADER:
104 offset = pkt->xt.thoff;
109 offset += priv->offset;
111 if (skb_copy_bits(skb, offset, dest, priv->len) < 0)
115 regs->verdict.code = NFT_BREAK;
118 static const struct nla_policy nft_payload_policy[NFTA_PAYLOAD_MAX + 1] = {
119 [NFTA_PAYLOAD_SREG] = { .type = NLA_U32 },
120 [NFTA_PAYLOAD_DREG] = { .type = NLA_U32 },
121 [NFTA_PAYLOAD_BASE] = { .type = NLA_U32 },
122 [NFTA_PAYLOAD_OFFSET] = { .type = NLA_U32 },
123 [NFTA_PAYLOAD_LEN] = { .type = NLA_U32 },
124 [NFTA_PAYLOAD_CSUM_TYPE] = { .type = NLA_U32 },
125 [NFTA_PAYLOAD_CSUM_OFFSET] = { .type = NLA_U32 },
126 [NFTA_PAYLOAD_CSUM_FLAGS] = { .type = NLA_U32 },
129 static int nft_payload_init(const struct nft_ctx *ctx,
130 const struct nft_expr *expr,
131 const struct nlattr * const tb[])
133 struct nft_payload *priv = nft_expr_priv(expr);
135 priv->base = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_BASE]));
136 priv->offset = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_OFFSET]));
137 priv->len = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_LEN]));
139 return nft_parse_register_store(ctx, tb[NFTA_PAYLOAD_DREG],
140 &priv->dreg, NULL, NFT_DATA_VALUE,
144 static int nft_payload_dump(struct sk_buff *skb, const struct nft_expr *expr)
146 const struct nft_payload *priv = nft_expr_priv(expr);
148 if (nft_dump_register(skb, NFTA_PAYLOAD_DREG, priv->dreg) ||
149 nla_put_be32(skb, NFTA_PAYLOAD_BASE, htonl(priv->base)) ||
150 nla_put_be32(skb, NFTA_PAYLOAD_OFFSET, htonl(priv->offset)) ||
151 nla_put_be32(skb, NFTA_PAYLOAD_LEN, htonl(priv->len)))
152 goto nla_put_failure;
159 static const struct nft_expr_ops nft_payload_ops = {
160 .type = &nft_payload_type,
161 .size = NFT_EXPR_SIZE(sizeof(struct nft_payload)),
162 .eval = nft_payload_eval,
163 .init = nft_payload_init,
164 .dump = nft_payload_dump,
167 const struct nft_expr_ops nft_payload_fast_ops = {
168 .type = &nft_payload_type,
169 .size = NFT_EXPR_SIZE(sizeof(struct nft_payload)),
170 .eval = nft_payload_eval,
171 .init = nft_payload_init,
172 .dump = nft_payload_dump,
175 static inline void nft_csum_replace(__sum16 *sum, __wsum fsum, __wsum tsum)
177 *sum = csum_fold(csum_add(csum_sub(~csum_unfold(*sum), fsum), tsum));
179 *sum = CSUM_MANGLED_0;
182 static bool nft_payload_udp_checksum(struct sk_buff *skb, unsigned int thoff)
184 struct udphdr *uh, _uh;
186 uh = skb_header_pointer(skb, thoff, sizeof(_uh), &_uh);
190 return (__force bool)uh->check;
193 static int nft_payload_l4csum_offset(const struct nft_pktinfo *pkt,
195 unsigned int *l4csum_offset)
200 switch (pkt->tprot) {
202 *l4csum_offset = offsetof(struct tcphdr, check);
205 if (!nft_payload_udp_checksum(skb, pkt->xt.thoff))
208 case IPPROTO_UDPLITE:
209 *l4csum_offset = offsetof(struct udphdr, check);
212 *l4csum_offset = offsetof(struct icmp6hdr, icmp6_cksum);
218 *l4csum_offset += pkt->xt.thoff;
222 static int nft_payload_l4csum_update(const struct nft_pktinfo *pkt,
224 __wsum fsum, __wsum tsum)
229 /* If we cannot determine layer 4 checksum offset or this packet doesn't
230 * require layer 4 checksum recalculation, skip this packet.
232 if (nft_payload_l4csum_offset(pkt, skb, &l4csum_offset) < 0)
235 if (skb_copy_bits(skb, l4csum_offset, &sum, sizeof(sum)) < 0)
238 /* Checksum mangling for an arbitrary amount of bytes, based on
239 * inet_proto_csum_replace*() functions.
241 if (skb->ip_summed != CHECKSUM_PARTIAL) {
242 nft_csum_replace(&sum, fsum, tsum);
243 if (skb->ip_summed == CHECKSUM_COMPLETE) {
244 skb->csum = ~csum_add(csum_sub(~(skb->csum), fsum),
248 sum = ~csum_fold(csum_add(csum_sub(csum_unfold(sum), fsum),
252 if (!skb_make_writable(skb, l4csum_offset + sizeof(sum)) ||
253 skb_store_bits(skb, l4csum_offset, &sum, sizeof(sum)) < 0)
259 static int nft_payload_csum_inet(struct sk_buff *skb, const u32 *src,
260 __wsum fsum, __wsum tsum, int csum_offset)
264 if (skb_copy_bits(skb, csum_offset, &sum, sizeof(sum)) < 0)
267 nft_csum_replace(&sum, fsum, tsum);
268 if (!skb_make_writable(skb, csum_offset + sizeof(sum)) ||
269 skb_store_bits(skb, csum_offset, &sum, sizeof(sum)) < 0)
275 static void nft_payload_set_eval(const struct nft_expr *expr,
276 struct nft_regs *regs,
277 const struct nft_pktinfo *pkt)
279 const struct nft_payload_set *priv = nft_expr_priv(expr);
280 struct sk_buff *skb = pkt->skb;
281 const u32 *src = ®s->data[priv->sreg];
282 int offset, csum_offset;
285 switch (priv->base) {
286 case NFT_PAYLOAD_LL_HEADER:
287 if (!skb_mac_header_was_set(skb))
289 offset = skb_mac_header(skb) - skb->data;
291 case NFT_PAYLOAD_NETWORK_HEADER:
292 offset = skb_network_offset(skb);
294 case NFT_PAYLOAD_TRANSPORT_HEADER:
297 offset = pkt->xt.thoff;
303 csum_offset = offset + priv->csum_offset;
304 offset += priv->offset;
306 if ((priv->csum_type == NFT_PAYLOAD_CSUM_INET || priv->csum_flags) &&
307 (priv->base != NFT_PAYLOAD_TRANSPORT_HEADER ||
308 skb->ip_summed != CHECKSUM_PARTIAL)) {
309 fsum = skb_checksum(skb, offset, priv->len, 0);
310 tsum = csum_partial(src, priv->len, 0);
312 if (priv->csum_type == NFT_PAYLOAD_CSUM_INET &&
313 nft_payload_csum_inet(skb, src, fsum, tsum, csum_offset))
316 if (priv->csum_flags &&
317 nft_payload_l4csum_update(pkt, skb, fsum, tsum) < 0)
321 if (!skb_make_writable(skb, max(offset + priv->len, 0)) ||
322 skb_store_bits(skb, offset, src, priv->len) < 0)
327 regs->verdict.code = NFT_BREAK;
330 static int nft_payload_set_init(const struct nft_ctx *ctx,
331 const struct nft_expr *expr,
332 const struct nlattr * const tb[])
334 struct nft_payload_set *priv = nft_expr_priv(expr);
335 u32 csum_offset, csum_type = NFT_PAYLOAD_CSUM_NONE;
338 priv->base = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_BASE]));
339 priv->offset = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_OFFSET]));
340 priv->len = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_LEN]));
342 if (tb[NFTA_PAYLOAD_CSUM_TYPE])
343 csum_type = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_CSUM_TYPE]));
344 if (tb[NFTA_PAYLOAD_CSUM_OFFSET]) {
345 err = nft_parse_u32_check(tb[NFTA_PAYLOAD_CSUM_OFFSET], U8_MAX,
350 priv->csum_offset = csum_offset;
352 if (tb[NFTA_PAYLOAD_CSUM_FLAGS]) {
355 flags = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_CSUM_FLAGS]));
356 if (flags & ~NFT_PAYLOAD_L4CSUM_PSEUDOHDR)
359 priv->csum_flags = flags;
363 case NFT_PAYLOAD_CSUM_NONE:
364 case NFT_PAYLOAD_CSUM_INET:
369 priv->csum_type = csum_type;
371 return nft_parse_register_load(tb[NFTA_PAYLOAD_SREG], &priv->sreg,
375 static int nft_payload_set_dump(struct sk_buff *skb, const struct nft_expr *expr)
377 const struct nft_payload_set *priv = nft_expr_priv(expr);
379 if (nft_dump_register(skb, NFTA_PAYLOAD_SREG, priv->sreg) ||
380 nla_put_be32(skb, NFTA_PAYLOAD_BASE, htonl(priv->base)) ||
381 nla_put_be32(skb, NFTA_PAYLOAD_OFFSET, htonl(priv->offset)) ||
382 nla_put_be32(skb, NFTA_PAYLOAD_LEN, htonl(priv->len)) ||
383 nla_put_be32(skb, NFTA_PAYLOAD_CSUM_TYPE, htonl(priv->csum_type)) ||
384 nla_put_be32(skb, NFTA_PAYLOAD_CSUM_OFFSET,
385 htonl(priv->csum_offset)) ||
386 nla_put_be32(skb, NFTA_PAYLOAD_CSUM_FLAGS, htonl(priv->csum_flags)))
387 goto nla_put_failure;
394 static const struct nft_expr_ops nft_payload_set_ops = {
395 .type = &nft_payload_type,
396 .size = NFT_EXPR_SIZE(sizeof(struct nft_payload_set)),
397 .eval = nft_payload_set_eval,
398 .init = nft_payload_set_init,
399 .dump = nft_payload_set_dump,
402 static const struct nft_expr_ops *
403 nft_payload_select_ops(const struct nft_ctx *ctx,
404 const struct nlattr * const tb[])
406 enum nft_payload_bases base;
407 unsigned int offset, len;
410 if (tb[NFTA_PAYLOAD_BASE] == NULL ||
411 tb[NFTA_PAYLOAD_OFFSET] == NULL ||
412 tb[NFTA_PAYLOAD_LEN] == NULL)
413 return ERR_PTR(-EINVAL);
415 base = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_BASE]));
417 case NFT_PAYLOAD_LL_HEADER:
418 case NFT_PAYLOAD_NETWORK_HEADER:
419 case NFT_PAYLOAD_TRANSPORT_HEADER:
422 return ERR_PTR(-EOPNOTSUPP);
425 if (tb[NFTA_PAYLOAD_SREG] != NULL) {
426 if (tb[NFTA_PAYLOAD_DREG] != NULL)
427 return ERR_PTR(-EINVAL);
428 return &nft_payload_set_ops;
431 if (tb[NFTA_PAYLOAD_DREG] == NULL)
432 return ERR_PTR(-EINVAL);
434 err = nft_parse_u32_check(tb[NFTA_PAYLOAD_OFFSET], U8_MAX, &offset);
438 err = nft_parse_u32_check(tb[NFTA_PAYLOAD_LEN], U8_MAX, &len);
442 if (len <= 4 && is_power_of_2(len) && IS_ALIGNED(offset, len) &&
443 base != NFT_PAYLOAD_LL_HEADER)
444 return &nft_payload_fast_ops;
446 return &nft_payload_ops;
449 struct nft_expr_type nft_payload_type __read_mostly = {
451 .select_ops = nft_payload_select_ops,
452 .policy = nft_payload_policy,
453 .maxattr = NFTA_PAYLOAD_MAX,
454 .owner = THIS_MODULE,
projects / linux-stable / blob