1 /* SPDX-License-Identifier: GPL-2.0 */
2 #include <linux/kernel.h>
3 #include <linux/init.h>
4 #include <linux/module.h>
5 #include <linux/seqlock.h>
6 #include <linux/netlink.h>
7 #include <linux/netfilter.h>
8 #include <linux/netfilter/nf_tables.h>
9 #include <net/netfilter/nf_tables.h>
10 #include <net/dst_metadata.h>
11 #include <net/ip_tunnels.h>
12 #include <net/vxlan.h>
13 #include <net/erspan.h>
14 #include <net/geneve.h>
15 
16 struct nft_tunnel {
17 	enum nft_tunnel_keys	key:8;
18 	enum nft_registers	dreg:8;
19 	enum nft_tunnel_mode	mode:8;
20 };
21 
nft_tunnel_get_eval(const struct nft_expr * expr,struct nft_regs * regs,const struct nft_pktinfo * pkt)22 static void nft_tunnel_get_eval(const struct nft_expr *expr,
23 				struct nft_regs *regs,
24 				const struct nft_pktinfo *pkt)
25 {
26 	const struct nft_tunnel *priv = nft_expr_priv(expr);
27 	u32 *dest = &regs->data[priv->dreg];
28 	struct ip_tunnel_info *tun_info;
29 
30 	tun_info = skb_tunnel_info(pkt->skb);
31 
32 	switch (priv->key) {
33 	case NFT_TUNNEL_PATH:
34 		if (!tun_info) {
35 			nft_reg_store8(dest, false);
36 			return;
37 		}
38 		if (priv->mode == NFT_TUNNEL_MODE_NONE ||
39 		    (priv->mode == NFT_TUNNEL_MODE_RX &&
40 		     !(tun_info->mode & IP_TUNNEL_INFO_TX)) ||
41 		    (priv->mode == NFT_TUNNEL_MODE_TX &&
42 		     (tun_info->mode & IP_TUNNEL_INFO_TX)))
43 			nft_reg_store8(dest, true);
44 		else
45 			nft_reg_store8(dest, false);
46 		break;
47 	case NFT_TUNNEL_ID:
48 		if (!tun_info) {
49 			regs->verdict.code = NFT_BREAK;
50 			return;
51 		}
52 		if (priv->mode == NFT_TUNNEL_MODE_NONE ||
53 		    (priv->mode == NFT_TUNNEL_MODE_RX &&
54 		     !(tun_info->mode & IP_TUNNEL_INFO_TX)) ||
55 		    (priv->mode == NFT_TUNNEL_MODE_TX &&
56 		     (tun_info->mode & IP_TUNNEL_INFO_TX)))
57 			*dest = ntohl(tunnel_id_to_key32(tun_info->key.tun_id));
58 		else
59 			regs->verdict.code = NFT_BREAK;
60 		break;
61 	default:
62 		WARN_ON(1);
63 		regs->verdict.code = NFT_BREAK;
64 	}
65 }
66 
67 static const struct nla_policy nft_tunnel_policy[NFTA_TUNNEL_MAX + 1] = {
68 	[NFTA_TUNNEL_KEY]	= { .type = NLA_U32 },
69 	[NFTA_TUNNEL_DREG]	= { .type = NLA_U32 },
70 	[NFTA_TUNNEL_MODE]	= { .type = NLA_U32 },
71 };
72 
nft_tunnel_get_init(const struct nft_ctx * ctx,const struct nft_expr * expr,const struct nlattr * const tb[])73 static int nft_tunnel_get_init(const struct nft_ctx *ctx,
74 			       const struct nft_expr *expr,
75 			       const struct nlattr * const tb[])
76 {
77 	struct nft_tunnel *priv = nft_expr_priv(expr);
78 	u32 len;
79 
80 	if (!tb[NFTA_TUNNEL_KEY] ||
81 	    !tb[NFTA_TUNNEL_DREG])
82 		return -EINVAL;
83 
84 	priv->key = ntohl(nla_get_be32(tb[NFTA_TUNNEL_KEY]));
85 	switch (priv->key) {
86 	case NFT_TUNNEL_PATH:
87 		len = sizeof(u8);
88 		break;
89 	case NFT_TUNNEL_ID:
90 		len = sizeof(u32);
91 		break;
92 	default:
93 		return -EOPNOTSUPP;
94 	}
95 
96 	priv->dreg = nft_parse_register(tb[NFTA_TUNNEL_DREG]);
97 
98 	if (tb[NFTA_TUNNEL_MODE]) {
99 		priv->mode = ntohl(nla_get_be32(tb[NFTA_TUNNEL_MODE]));
100 		if (priv->mode > NFT_TUNNEL_MODE_MAX)
101 			return -EOPNOTSUPP;
102 	} else {
103 		priv->mode = NFT_TUNNEL_MODE_NONE;
104 	}
105 
106 	return nft_validate_register_store(ctx, priv->dreg, NULL,
107 					   NFT_DATA_VALUE, len);
108 }
109 
nft_tunnel_get_dump(struct sk_buff * skb,const struct nft_expr * expr)110 static int nft_tunnel_get_dump(struct sk_buff *skb,
111 			       const struct nft_expr *expr)
112 {
113 	const struct nft_tunnel *priv = nft_expr_priv(expr);
114 
115 	if (nla_put_be32(skb, NFTA_TUNNEL_KEY, htonl(priv->key)))
116 		goto nla_put_failure;
117 	if (nft_dump_register(skb, NFTA_TUNNEL_DREG, priv->dreg))
118 		goto nla_put_failure;
119 	if (nla_put_be32(skb, NFTA_TUNNEL_MODE, htonl(priv->mode)))
120 		goto nla_put_failure;
121 	return 0;
122 
123 nla_put_failure:
124 	return -1;
125 }
126 
127 static struct nft_expr_type nft_tunnel_type;
128 static const struct nft_expr_ops nft_tunnel_get_ops = {
129 	.type		= &nft_tunnel_type,
130 	.size		= NFT_EXPR_SIZE(sizeof(struct nft_tunnel)),
131 	.eval		= nft_tunnel_get_eval,
132 	.init		= nft_tunnel_get_init,
133 	.dump		= nft_tunnel_get_dump,
134 };
135 
136 static struct nft_expr_type nft_tunnel_type __read_mostly = {
137 	.name		= "tunnel",
138 	.ops		= &nft_tunnel_get_ops,
139 	.policy		= nft_tunnel_policy,
140 	.maxattr	= NFTA_TUNNEL_MAX,
141 	.owner		= THIS_MODULE,
142 };
143 
144 struct nft_tunnel_opts {
145 	union {
146 		struct vxlan_metadata	vxlan;
147 		struct erspan_metadata	erspan;
148 		u8	data[IP_TUNNEL_OPTS_MAX];
149 	} u;
150 	u32	len;
151 	__be16	flags;
152 };
153 
154 struct nft_tunnel_obj {
155 	struct metadata_dst	*md;
156 	struct nft_tunnel_opts	opts;
157 };
158 
159 static const struct nla_policy nft_tunnel_ip_policy[NFTA_TUNNEL_KEY_IP_MAX + 1] = {
160 	[NFTA_TUNNEL_KEY_IP_SRC]	= { .type = NLA_U32 },
161 	[NFTA_TUNNEL_KEY_IP_DST]	= { .type = NLA_U32 },
162 };
163 
nft_tunnel_obj_ip_init(const struct nft_ctx * ctx,const struct nlattr * attr,struct ip_tunnel_info * info)164 static int nft_tunnel_obj_ip_init(const struct nft_ctx *ctx,
165 				  const struct nlattr *attr,
166 				  struct ip_tunnel_info *info)
167 {
168 	struct nlattr *tb[NFTA_TUNNEL_KEY_IP_MAX + 1];
169 	int err;
170 
171 	err = nla_parse_nested_deprecated(tb, NFTA_TUNNEL_KEY_IP_MAX, attr,
172 					  nft_tunnel_ip_policy, NULL);
173 	if (err < 0)
174 		return err;
175 
176 	if (!tb[NFTA_TUNNEL_KEY_IP_DST])
177 		return -EINVAL;
178 
179 	if (tb[NFTA_TUNNEL_KEY_IP_SRC])
180 		info->key.u.ipv4.src = nla_get_be32(tb[NFTA_TUNNEL_KEY_IP_SRC]);
181 	if (tb[NFTA_TUNNEL_KEY_IP_DST])
182 		info->key.u.ipv4.dst = nla_get_be32(tb[NFTA_TUNNEL_KEY_IP_DST]);
183 
184 	return 0;
185 }
186 
187 static const struct nla_policy nft_tunnel_ip6_policy[NFTA_TUNNEL_KEY_IP6_MAX + 1] = {
188 	[NFTA_TUNNEL_KEY_IP6_SRC]	= { .len = sizeof(struct in6_addr), },
189 	[NFTA_TUNNEL_KEY_IP6_DST]	= { .len = sizeof(struct in6_addr), },
190 	[NFTA_TUNNEL_KEY_IP6_FLOWLABEL]	= { .type = NLA_U32, }
191 };
192 
nft_tunnel_obj_ip6_init(const struct nft_ctx * ctx,const struct nlattr * attr,struct ip_tunnel_info * info)193 static int nft_tunnel_obj_ip6_init(const struct nft_ctx *ctx,
194 				   const struct nlattr *attr,
195 				   struct ip_tunnel_info *info)
196 {
197 	struct nlattr *tb[NFTA_TUNNEL_KEY_IP6_MAX + 1];
198 	int err;
199 
200 	err = nla_parse_nested_deprecated(tb, NFTA_TUNNEL_KEY_IP6_MAX, attr,
201 					  nft_tunnel_ip6_policy, NULL);
202 	if (err < 0)
203 		return err;
204 
205 	if (!tb[NFTA_TUNNEL_KEY_IP6_DST])
206 		return -EINVAL;
207 
208 	if (tb[NFTA_TUNNEL_KEY_IP6_SRC]) {
209 		memcpy(&info->key.u.ipv6.src,
210 		       nla_data(tb[NFTA_TUNNEL_KEY_IP6_SRC]),
211 		       sizeof(struct in6_addr));
212 	}
213 	if (tb[NFTA_TUNNEL_KEY_IP6_DST]) {
214 		memcpy(&info->key.u.ipv6.dst,
215 		       nla_data(tb[NFTA_TUNNEL_KEY_IP6_DST]),
216 		       sizeof(struct in6_addr));
217 	}
218 	if (tb[NFTA_TUNNEL_KEY_IP6_FLOWLABEL])
219 		info->key.label = nla_get_be32(tb[NFTA_TUNNEL_KEY_IP6_FLOWLABEL]);
220 
221 	info->mode |= IP_TUNNEL_INFO_IPV6;
222 
223 	return 0;
224 }
225 
226 static const struct nla_policy nft_tunnel_opts_vxlan_policy[NFTA_TUNNEL_KEY_VXLAN_MAX + 1] = {
227 	[NFTA_TUNNEL_KEY_VXLAN_GBP]	= { .type = NLA_U32 },
228 };
229 
nft_tunnel_obj_vxlan_init(const struct nlattr * attr,struct nft_tunnel_opts * opts)230 static int nft_tunnel_obj_vxlan_init(const struct nlattr *attr,
231 				     struct nft_tunnel_opts *opts)
232 {
233 	struct nlattr *tb[NFTA_TUNNEL_KEY_VXLAN_MAX + 1];
234 	int err;
235 
236 	err = nla_parse_nested_deprecated(tb, NFTA_TUNNEL_KEY_VXLAN_MAX, attr,
237 					  nft_tunnel_opts_vxlan_policy, NULL);
238 	if (err < 0)
239 		return err;
240 
241 	if (!tb[NFTA_TUNNEL_KEY_VXLAN_GBP])
242 		return -EINVAL;
243 
244 	opts->u.vxlan.gbp = ntohl(nla_get_be32(tb[NFTA_TUNNEL_KEY_VXLAN_GBP]));
245 
246 	opts->len	= sizeof(struct vxlan_metadata);
247 	opts->flags	= TUNNEL_VXLAN_OPT;
248 
249 	return 0;
250 }
251 
252 static const struct nla_policy nft_tunnel_opts_erspan_policy[NFTA_TUNNEL_KEY_ERSPAN_MAX + 1] = {
253 	[NFTA_TUNNEL_KEY_ERSPAN_VERSION]	= { .type = NLA_U32 },
254 	[NFTA_TUNNEL_KEY_ERSPAN_V1_INDEX]	= { .type = NLA_U32 },
255 	[NFTA_TUNNEL_KEY_ERSPAN_V2_DIR]		= { .type = NLA_U8 },
256 	[NFTA_TUNNEL_KEY_ERSPAN_V2_HWID]	= { .type = NLA_U8 },
257 };
258 
nft_tunnel_obj_erspan_init(const struct nlattr * attr,struct nft_tunnel_opts * opts)259 static int nft_tunnel_obj_erspan_init(const struct nlattr *attr,
260 				      struct nft_tunnel_opts *opts)
261 {
262 	struct nlattr *tb[NFTA_TUNNEL_KEY_ERSPAN_MAX + 1];
263 	uint8_t hwid, dir;
264 	int err, version;
265 
266 	err = nla_parse_nested_deprecated(tb, NFTA_TUNNEL_KEY_ERSPAN_MAX,
267 					  attr, nft_tunnel_opts_erspan_policy,
268 					  NULL);
269 	if (err < 0)
270 		return err;
271 
272 	if (!tb[NFTA_TUNNEL_KEY_ERSPAN_VERSION])
273 		 return -EINVAL;
274 
275 	version = ntohl(nla_get_be32(tb[NFTA_TUNNEL_KEY_ERSPAN_VERSION]));
276 	switch (version) {
277 	case ERSPAN_VERSION:
278 		if (!tb[NFTA_TUNNEL_KEY_ERSPAN_V1_INDEX])
279 			return -EINVAL;
280 
281 		opts->u.erspan.u.index =
282 			nla_get_be32(tb[NFTA_TUNNEL_KEY_ERSPAN_V1_INDEX]);
283 		break;
284 	case ERSPAN_VERSION2:
285 		if (!tb[NFTA_TUNNEL_KEY_ERSPAN_V2_DIR] ||
286 		    !tb[NFTA_TUNNEL_KEY_ERSPAN_V2_HWID])
287 			return -EINVAL;
288 
289 		hwid = nla_get_u8(tb[NFTA_TUNNEL_KEY_ERSPAN_V2_HWID]);
290 		dir = nla_get_u8(tb[NFTA_TUNNEL_KEY_ERSPAN_V2_DIR]);
291 
292 		set_hwid(&opts->u.erspan.u.md2, hwid);
293 		opts->u.erspan.u.md2.dir = dir;
294 		break;
295 	default:
296 		return -EOPNOTSUPP;
297 	}
298 	opts->u.erspan.version = version;
299 
300 	opts->len	= sizeof(struct erspan_metadata);
301 	opts->flags	= TUNNEL_ERSPAN_OPT;
302 
303 	return 0;
304 }
305 
306 static const struct nla_policy nft_tunnel_opts_geneve_policy[NFTA_TUNNEL_KEY_GENEVE_MAX + 1] = {
307 	[NFTA_TUNNEL_KEY_GENEVE_CLASS]	= { .type = NLA_U16 },
308 	[NFTA_TUNNEL_KEY_GENEVE_TYPE]	= { .type = NLA_U8 },
309 	[NFTA_TUNNEL_KEY_GENEVE_DATA]	= { .type = NLA_BINARY, .len = 128 },
310 };
311 
nft_tunnel_obj_geneve_init(const struct nlattr * attr,struct nft_tunnel_opts * opts)312 static int nft_tunnel_obj_geneve_init(const struct nlattr *attr,
313 				      struct nft_tunnel_opts *opts)
314 {
315 	struct geneve_opt *opt = (struct geneve_opt *)opts->u.data + opts->len;
316 	struct nlattr *tb[NFTA_TUNNEL_KEY_GENEVE_MAX + 1];
317 	int err, data_len;
318 
319 	err = nla_parse_nested(tb, NFTA_TUNNEL_KEY_GENEVE_MAX, attr,
320 			       nft_tunnel_opts_geneve_policy, NULL);
321 	if (err < 0)
322 		return err;
323 
324 	if (!tb[NFTA_TUNNEL_KEY_GENEVE_CLASS] ||
325 	    !tb[NFTA_TUNNEL_KEY_GENEVE_TYPE] ||
326 	    !tb[NFTA_TUNNEL_KEY_GENEVE_DATA])
327 		return -EINVAL;
328 
329 	attr = tb[NFTA_TUNNEL_KEY_GENEVE_DATA];
330 	data_len = nla_len(attr);
331 	if (data_len % 4)
332 		return -EINVAL;
333 
334 	opts->len += sizeof(*opt) + data_len;
335 	if (opts->len > IP_TUNNEL_OPTS_MAX)
336 		return -EINVAL;
337 
338 	memcpy(opt->opt_data, nla_data(attr), data_len);
339 	opt->length = data_len / 4;
340 	opt->opt_class = nla_get_be16(tb[NFTA_TUNNEL_KEY_GENEVE_CLASS]);
341 	opt->type = nla_get_u8(tb[NFTA_TUNNEL_KEY_GENEVE_TYPE]);
342 	opts->flags = TUNNEL_GENEVE_OPT;
343 
344 	return 0;
345 }
346 
347 static const struct nla_policy nft_tunnel_opts_policy[NFTA_TUNNEL_KEY_OPTS_MAX + 1] = {
348 	[NFTA_TUNNEL_KEY_OPTS_UNSPEC]	= {
349 		.strict_start_type = NFTA_TUNNEL_KEY_OPTS_GENEVE },
350 	[NFTA_TUNNEL_KEY_OPTS_VXLAN]	= { .type = NLA_NESTED, },
351 	[NFTA_TUNNEL_KEY_OPTS_ERSPAN]	= { .type = NLA_NESTED, },
352 	[NFTA_TUNNEL_KEY_OPTS_GENEVE]	= { .type = NLA_NESTED, },
353 };
354 
nft_tunnel_obj_opts_init(const struct nft_ctx * ctx,const struct nlattr * attr,struct ip_tunnel_info * info,struct nft_tunnel_opts * opts)355 static int nft_tunnel_obj_opts_init(const struct nft_ctx *ctx,
356 				    const struct nlattr *attr,
357 				    struct ip_tunnel_info *info,
358 				    struct nft_tunnel_opts *opts)
359 {
360 	int err, rem, type = 0;
361 	struct nlattr *nla;
362 
363 	err = nla_validate_nested_deprecated(attr, NFTA_TUNNEL_KEY_OPTS_MAX,
364 					     nft_tunnel_opts_policy, NULL);
365 	if (err < 0)
366 		return err;
367 
368 	nla_for_each_attr(nla, nla_data(attr), nla_len(attr), rem) {
369 		switch (nla_type(nla)) {
370 		case NFTA_TUNNEL_KEY_OPTS_VXLAN:
371 			if (type)
372 				return -EINVAL;
373 			err = nft_tunnel_obj_vxlan_init(nla, opts);
374 			if (err)
375 				return err;
376 			type = TUNNEL_VXLAN_OPT;
377 			break;
378 		case NFTA_TUNNEL_KEY_OPTS_ERSPAN:
379 			if (type)
380 				return -EINVAL;
381 			err = nft_tunnel_obj_erspan_init(nla, opts);
382 			if (err)
383 				return err;
384 			type = TUNNEL_ERSPAN_OPT;
385 			break;
386 		case NFTA_TUNNEL_KEY_OPTS_GENEVE:
387 			if (type && type != TUNNEL_GENEVE_OPT)
388 				return -EINVAL;
389 			err = nft_tunnel_obj_geneve_init(nla, opts);
390 			if (err)
391 				return err;
392 			type = TUNNEL_GENEVE_OPT;
393 			break;
394 		default:
395 			return -EOPNOTSUPP;
396 		}
397 	}
398 
399 	return err;
400 }
401 
402 static const struct nla_policy nft_tunnel_key_policy[NFTA_TUNNEL_KEY_MAX + 1] = {
403 	[NFTA_TUNNEL_KEY_IP]	= { .type = NLA_NESTED, },
404 	[NFTA_TUNNEL_KEY_IP6]	= { .type = NLA_NESTED, },
405 	[NFTA_TUNNEL_KEY_ID]	= { .type = NLA_U32, },
406 	[NFTA_TUNNEL_KEY_FLAGS]	= { .type = NLA_U32, },
407 	[NFTA_TUNNEL_KEY_TOS]	= { .type = NLA_U8, },
408 	[NFTA_TUNNEL_KEY_TTL]	= { .type = NLA_U8, },
409 	[NFTA_TUNNEL_KEY_SPORT]	= { .type = NLA_U16, },
410 	[NFTA_TUNNEL_KEY_DPORT]	= { .type = NLA_U16, },
411 	[NFTA_TUNNEL_KEY_OPTS]	= { .type = NLA_NESTED, },
412 };
413 
nft_tunnel_obj_init(const struct nft_ctx * ctx,const struct nlattr * const tb[],struct nft_object * obj)414 static int nft_tunnel_obj_init(const struct nft_ctx *ctx,
415 			       const struct nlattr * const tb[],
416 			       struct nft_object *obj)
417 {
418 	struct nft_tunnel_obj *priv = nft_obj_data(obj);
419 	struct ip_tunnel_info info;
420 	struct metadata_dst *md;
421 	int err;
422 
423 	if (!tb[NFTA_TUNNEL_KEY_ID])
424 		return -EINVAL;
425 
426 	memset(&info, 0, sizeof(info));
427 	info.mode		= IP_TUNNEL_INFO_TX;
428 	info.key.tun_id		= key32_to_tunnel_id(nla_get_be32(tb[NFTA_TUNNEL_KEY_ID]));
429 	info.key.tun_flags	= TUNNEL_KEY | TUNNEL_CSUM | TUNNEL_NOCACHE;
430 
431 	if (tb[NFTA_TUNNEL_KEY_IP]) {
432 		err = nft_tunnel_obj_ip_init(ctx, tb[NFTA_TUNNEL_KEY_IP], &info);
433 		if (err < 0)
434 			return err;
435 	} else if (tb[NFTA_TUNNEL_KEY_IP6]) {
436 		err = nft_tunnel_obj_ip6_init(ctx, tb[NFTA_TUNNEL_KEY_IP6], &info);
437 		if (err < 0)
438 			return err;
439 	} else {
440 		return -EINVAL;
441 	}
442 
443 	if (tb[NFTA_TUNNEL_KEY_SPORT]) {
444 		info.key.tp_src = nla_get_be16(tb[NFTA_TUNNEL_KEY_SPORT]);
445 	}
446 	if (tb[NFTA_TUNNEL_KEY_DPORT]) {
447 		info.key.tp_dst = nla_get_be16(tb[NFTA_TUNNEL_KEY_DPORT]);
448 	}
449 
450 	if (tb[NFTA_TUNNEL_KEY_FLAGS]) {
451 		u32 tun_flags;
452 
453 		tun_flags = ntohl(nla_get_be32(tb[NFTA_TUNNEL_KEY_FLAGS]));
454 		if (tun_flags & ~NFT_TUNNEL_F_MASK)
455 			return -EOPNOTSUPP;
456 
457 		if (tun_flags & NFT_TUNNEL_F_ZERO_CSUM_TX)
458 			info.key.tun_flags &= ~TUNNEL_CSUM;
459 		if (tun_flags & NFT_TUNNEL_F_DONT_FRAGMENT)
460 			info.key.tun_flags |= TUNNEL_DONT_FRAGMENT;
461 		if (tun_flags & NFT_TUNNEL_F_SEQ_NUMBER)
462 			info.key.tun_flags |= TUNNEL_SEQ;
463 	}
464 	if (tb[NFTA_TUNNEL_KEY_TOS])
465 		info.key.tos = nla_get_u8(tb[NFTA_TUNNEL_KEY_TOS]);
466 	if (tb[NFTA_TUNNEL_KEY_TTL])
467 		info.key.ttl = nla_get_u8(tb[NFTA_TUNNEL_KEY_TTL]);
468 	else
469 		info.key.ttl = U8_MAX;
470 
471 	if (tb[NFTA_TUNNEL_KEY_OPTS]) {
472 		err = nft_tunnel_obj_opts_init(ctx, tb[NFTA_TUNNEL_KEY_OPTS],
473 					       &info, &priv->opts);
474 		if (err < 0)
475 			return err;
476 	}
477 
478 	md = metadata_dst_alloc(priv->opts.len, METADATA_IP_TUNNEL, GFP_KERNEL);
479 	if (!md)
480 		return -ENOMEM;
481 
482 	memcpy(&md->u.tun_info, &info, sizeof(info));
483 #ifdef CONFIG_DST_CACHE
484 	err = dst_cache_init(&md->u.tun_info.dst_cache, GFP_KERNEL);
485 	if (err < 0) {
486 		metadata_dst_free(md);
487 		return err;
488 	}
489 #endif
490 	ip_tunnel_info_opts_set(&md->u.tun_info, &priv->opts.u, priv->opts.len,
491 				priv->opts.flags);
492 	priv->md = md;
493 
494 	return 0;
495 }
496 
nft_tunnel_obj_eval(struct nft_object * obj,struct nft_regs * regs,const struct nft_pktinfo * pkt)497 static inline void nft_tunnel_obj_eval(struct nft_object *obj,
498 				       struct nft_regs *regs,
499 				       const struct nft_pktinfo *pkt)
500 {
501 	struct nft_tunnel_obj *priv = nft_obj_data(obj);
502 	struct sk_buff *skb = pkt->skb;
503 
504 	skb_dst_drop(skb);
505 	dst_hold((struct dst_entry *) priv->md);
506 	skb_dst_set(skb, (struct dst_entry *) priv->md);
507 }
508 
nft_tunnel_ip_dump(struct sk_buff * skb,struct ip_tunnel_info * info)509 static int nft_tunnel_ip_dump(struct sk_buff *skb, struct ip_tunnel_info *info)
510 {
511 	struct nlattr *nest;
512 
513 	if (info->mode & IP_TUNNEL_INFO_IPV6) {
514 		nest = nla_nest_start_noflag(skb, NFTA_TUNNEL_KEY_IP6);
515 		if (!nest)
516 			return -1;
517 
518 		if (nla_put_in6_addr(skb, NFTA_TUNNEL_KEY_IP6_SRC,
519 				     &info->key.u.ipv6.src) < 0 ||
520 		    nla_put_in6_addr(skb, NFTA_TUNNEL_KEY_IP6_DST,
521 				     &info->key.u.ipv6.dst) < 0 ||
522 		    nla_put_be32(skb, NFTA_TUNNEL_KEY_IP6_FLOWLABEL,
523 				 info->key.label)) {
524 			nla_nest_cancel(skb, nest);
525 			return -1;
526 		}
527 
528 		nla_nest_end(skb, nest);
529 	} else {
530 		nest = nla_nest_start_noflag(skb, NFTA_TUNNEL_KEY_IP);
531 		if (!nest)
532 			return -1;
533 
534 		if (nla_put_in_addr(skb, NFTA_TUNNEL_KEY_IP_SRC,
535 				    info->key.u.ipv4.src) < 0 ||
536 		    nla_put_in_addr(skb, NFTA_TUNNEL_KEY_IP_DST,
537 				    info->key.u.ipv4.dst) < 0) {
538 			nla_nest_cancel(skb, nest);
539 			return -1;
540 		}
541 
542 		nla_nest_end(skb, nest);
543 	}
544 
545 	return 0;
546 }
547 
nft_tunnel_opts_dump(struct sk_buff * skb,struct nft_tunnel_obj * priv)548 static int nft_tunnel_opts_dump(struct sk_buff *skb,
549 				struct nft_tunnel_obj *priv)
550 {
551 	struct nft_tunnel_opts *opts = &priv->opts;
552 	struct nlattr *nest, *inner;
553 
554 	nest = nla_nest_start_noflag(skb, NFTA_TUNNEL_KEY_OPTS);
555 	if (!nest)
556 		return -1;
557 
558 	if (opts->flags & TUNNEL_VXLAN_OPT) {
559 		inner = nla_nest_start_noflag(skb, NFTA_TUNNEL_KEY_OPTS_VXLAN);
560 		if (!inner)
561 			goto failure;
562 		if (nla_put_be32(skb, NFTA_TUNNEL_KEY_VXLAN_GBP,
563 				 htonl(opts->u.vxlan.gbp)))
564 			goto inner_failure;
565 		nla_nest_end(skb, inner);
566 	} else if (opts->flags & TUNNEL_ERSPAN_OPT) {
567 		inner = nla_nest_start_noflag(skb, NFTA_TUNNEL_KEY_OPTS_ERSPAN);
568 		if (!inner)
569 			goto failure;
570 		if (nla_put_be32(skb, NFTA_TUNNEL_KEY_ERSPAN_VERSION,
571 				 htonl(opts->u.erspan.version)))
572 			goto inner_failure;
573 		switch (opts->u.erspan.version) {
574 		case ERSPAN_VERSION:
575 			if (nla_put_be32(skb, NFTA_TUNNEL_KEY_ERSPAN_V1_INDEX,
576 					 opts->u.erspan.u.index))
577 				goto inner_failure;
578 			break;
579 		case ERSPAN_VERSION2:
580 			if (nla_put_u8(skb, NFTA_TUNNEL_KEY_ERSPAN_V2_HWID,
581 				       get_hwid(&opts->u.erspan.u.md2)) ||
582 			    nla_put_u8(skb, NFTA_TUNNEL_KEY_ERSPAN_V2_DIR,
583 				       opts->u.erspan.u.md2.dir))
584 				goto inner_failure;
585 			break;
586 		}
587 		nla_nest_end(skb, inner);
588 	} else if (opts->flags & TUNNEL_GENEVE_OPT) {
589 		struct geneve_opt *opt;
590 		int offset = 0;
591 
592 		inner = nla_nest_start_noflag(skb, NFTA_TUNNEL_KEY_OPTS_GENEVE);
593 		if (!inner)
594 			goto failure;
595 		while (opts->len > offset) {
596 			opt = (struct geneve_opt *)opts->u.data + offset;
597 			if (nla_put_be16(skb, NFTA_TUNNEL_KEY_GENEVE_CLASS,
598 					 opt->opt_class) ||
599 			    nla_put_u8(skb, NFTA_TUNNEL_KEY_GENEVE_TYPE,
600 				       opt->type) ||
601 			    nla_put(skb, NFTA_TUNNEL_KEY_GENEVE_DATA,
602 				    opt->length * 4, opt->opt_data))
603 				goto inner_failure;
604 			offset += sizeof(*opt) + opt->length * 4;
605 		}
606 		nla_nest_end(skb, inner);
607 	}
608 	nla_nest_end(skb, nest);
609 	return 0;
610 
611 inner_failure:
612 	nla_nest_cancel(skb, inner);
613 failure:
614 	nla_nest_cancel(skb, nest);
615 	return -1;
616 }
617 
nft_tunnel_ports_dump(struct sk_buff * skb,struct ip_tunnel_info * info)618 static int nft_tunnel_ports_dump(struct sk_buff *skb,
619 				 struct ip_tunnel_info *info)
620 {
621 	if (nla_put_be16(skb, NFTA_TUNNEL_KEY_SPORT, info->key.tp_src) < 0 ||
622 	    nla_put_be16(skb, NFTA_TUNNEL_KEY_DPORT, info->key.tp_dst) < 0)
623 		return -1;
624 
625 	return 0;
626 }
627 
nft_tunnel_flags_dump(struct sk_buff * skb,struct ip_tunnel_info * info)628 static int nft_tunnel_flags_dump(struct sk_buff *skb,
629 				 struct ip_tunnel_info *info)
630 {
631 	u32 flags = 0;
632 
633 	if (info->key.tun_flags & TUNNEL_DONT_FRAGMENT)
634 		flags |= NFT_TUNNEL_F_DONT_FRAGMENT;
635 	if (!(info->key.tun_flags & TUNNEL_CSUM))
636 		flags |= NFT_TUNNEL_F_ZERO_CSUM_TX;
637 	if (info->key.tun_flags & TUNNEL_SEQ)
638 		flags |= NFT_TUNNEL_F_SEQ_NUMBER;
639 
640 	if (nla_put_be32(skb, NFTA_TUNNEL_KEY_FLAGS, htonl(flags)) < 0)
641 		return -1;
642 
643 	return 0;
644 }
645 
nft_tunnel_obj_dump(struct sk_buff * skb,struct nft_object * obj,bool reset)646 static int nft_tunnel_obj_dump(struct sk_buff *skb,
647 			       struct nft_object *obj, bool reset)
648 {
649 	struct nft_tunnel_obj *priv = nft_obj_data(obj);
650 	struct ip_tunnel_info *info = &priv->md->u.tun_info;
651 
652 	if (nla_put_be32(skb, NFTA_TUNNEL_KEY_ID,
653 			 tunnel_id_to_key32(info->key.tun_id)) ||
654 	    nft_tunnel_ip_dump(skb, info) < 0 ||
655 	    nft_tunnel_ports_dump(skb, info) < 0 ||
656 	    nft_tunnel_flags_dump(skb, info) < 0 ||
657 	    nla_put_u8(skb, NFTA_TUNNEL_KEY_TOS, info->key.tos) ||
658 	    nla_put_u8(skb, NFTA_TUNNEL_KEY_TTL, info->key.ttl) ||
659 	    nft_tunnel_opts_dump(skb, priv) < 0)
660 		goto nla_put_failure;
661 
662 	return 0;
663 
664 nla_put_failure:
665 	return -1;
666 }
667 
nft_tunnel_obj_destroy(const struct nft_ctx * ctx,struct nft_object * obj)668 static void nft_tunnel_obj_destroy(const struct nft_ctx *ctx,
669 				   struct nft_object *obj)
670 {
671 	struct nft_tunnel_obj *priv = nft_obj_data(obj);
672 
673 	metadata_dst_free(priv->md);
674 }
675 
676 static struct nft_object_type nft_tunnel_obj_type;
677 static const struct nft_object_ops nft_tunnel_obj_ops = {
678 	.type		= &nft_tunnel_obj_type,
679 	.size		= sizeof(struct nft_tunnel_obj),
680 	.eval		= nft_tunnel_obj_eval,
681 	.init		= nft_tunnel_obj_init,
682 	.destroy	= nft_tunnel_obj_destroy,
683 	.dump		= nft_tunnel_obj_dump,
684 };
685 
686 static struct nft_object_type nft_tunnel_obj_type __read_mostly = {
687 	.type		= NFT_OBJECT_TUNNEL,
688 	.ops		= &nft_tunnel_obj_ops,
689 	.maxattr	= NFTA_TUNNEL_KEY_MAX,
690 	.policy		= nft_tunnel_key_policy,
691 	.owner		= THIS_MODULE,
692 };
693 
nft_tunnel_module_init(void)694 static int __init nft_tunnel_module_init(void)
695 {
696 	int err;
697 
698 	err = nft_register_expr(&nft_tunnel_type);
699 	if (err < 0)
700 		return err;
701 
702 	err = nft_register_obj(&nft_tunnel_obj_type);
703 	if (err < 0)
704 		nft_unregister_expr(&nft_tunnel_type);
705 
706 	return err;
707 }
708 
nft_tunnel_module_exit(void)709 static void __exit nft_tunnel_module_exit(void)
710 {
711 	nft_unregister_obj(&nft_tunnel_obj_type);
712 	nft_unregister_expr(&nft_tunnel_type);
713 }
714 
715 module_init(nft_tunnel_module_init);
716 module_exit(nft_tunnel_module_exit);
717 
718 MODULE_LICENSE("GPL");
719 MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
720 MODULE_ALIAS_NFT_EXPR("tunnel");
721 MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_TUNNEL);
722 MODULE_DESCRIPTION("nftables tunnel expression support");
723