Google Git
Sign in
android-kvm / linux / 2cd8bdb5efc1e0d5b11a4b7ba6b922fd2736a87f / . / net / netfilter / nft_xfrm.c
blob: 452f8587addadce5a2e1f480d5685eb70c5760b0 [file] [log] [blame]
Thomas Gleixnerd2912cb2019-06-04 10:11:33 +0200[diff] [blame]1// SPDX-License-Identifier: GPL-2.0-only
Florian Westphal6c472602018-09-03 18:09:40 +0200[diff] [blame]2/*
Florian Westphal6c472602018-09-03 18:09:40 +0200[diff] [blame]3 *
4 * Generic part shared by ipv4 and ipv6 backends.
5 */
6
7#include <linux/kernel.h>
8#include <linux/init.h>
9#include <linux/module.h>
10#include <linux/netlink.h>
11#include <linux/netfilter.h>
12#include <linux/netfilter/nf_tables.h>
13#include <net/netfilter/nf_tables_core.h>
14#include <net/netfilter/nf_tables.h>
15#include <linux/in.h>
16#include <net/xfrm.h>
17
18static const struct nla_policy nft_xfrm_policy[NFTA_XFRM_MAX + 1] = {
Florian Westphala412dbf2023-06-21 21:11:03 +0200[diff] [blame]19 [NFTA_XFRM_KEY] = NLA_POLICY_MAX(NLA_BE32, 255),
Florian Westphal6c472602018-09-03 18:09:40 +0200[diff] [blame]20 [NFTA_XFRM_DIR] = { .type = NLA_U8 },
Florian Westphala412dbf2023-06-21 21:11:03 +0200[diff] [blame]21 [NFTA_XFRM_SPNUM] = NLA_POLICY_MAX(NLA_BE32, 255),
Florian Westphal6c472602018-09-03 18:09:40 +0200[diff] [blame]22 [NFTA_XFRM_DREG] = { .type = NLA_U32 },
23};
24
25struct nft_xfrm {
26 enum nft_xfrm_keys key:8;
Pablo Neira Ayuso345023b2021-01-25 18:27:22 +0100[diff] [blame]27 u8 dreg;
Florian Westphal6c472602018-09-03 18:09:40 +0200[diff] [blame]28 u8 dir;
29 u8 spnum;
Pablo Neira Ayuso48f19102022-03-14 18:23:10 +0100[diff] [blame]30 u8 len;
Florian Westphal6c472602018-09-03 18:09:40 +0200[diff] [blame]31};
32
33static int nft_xfrm_get_init(const struct nft_ctx *ctx,
34 const struct nft_expr *expr,
35 const struct nlattr * const tb[])
36{
37 struct nft_xfrm *priv = nft_expr_priv(expr);
38 unsigned int len = 0;
39 u32 spnum = 0;
40 u8 dir;
41
42 if (!tb[NFTA_XFRM_KEY] || !tb[NFTA_XFRM_DIR] || !tb[NFTA_XFRM_DREG])
43 return -EINVAL;
44
45 switch (ctx->family) {
46 case NFPROTO_IPV4:
47 case NFPROTO_IPV6:
48 case NFPROTO_INET:
49 break;
50 default:
51 return -EOPNOTSUPP;
52 }
53
Florian Westphald86473b2022-06-23 15:05:11 +0200[diff] [blame]54 priv->key = ntohl(nla_get_be32(tb[NFTA_XFRM_KEY]));
Florian Westphal6c472602018-09-03 18:09:40 +0200[diff] [blame]55 switch (priv->key) {
56 case NFT_XFRM_KEY_REQID:
57 case NFT_XFRM_KEY_SPI:
58 len = sizeof(u32);
59 break;
60 case NFT_XFRM_KEY_DADDR_IP4:
61 case NFT_XFRM_KEY_SADDR_IP4:
62 len = sizeof(struct in_addr);
63 break;
64 case NFT_XFRM_KEY_DADDR_IP6:
65 case NFT_XFRM_KEY_SADDR_IP6:
66 len = sizeof(struct in6_addr);
67 break;
68 default:
69 return -EINVAL;
70 }
71
72 dir = nla_get_u8(tb[NFTA_XFRM_DIR]);
73 switch (dir) {
74 case XFRM_POLICY_IN:
75 case XFRM_POLICY_OUT:
76 priv->dir = dir;
77 break;
78 default:
79 return -EINVAL;
80 }
81
82 if (tb[NFTA_XFRM_SPNUM])
83 spnum = ntohl(nla_get_be32(tb[NFTA_XFRM_SPNUM]));
84
85 if (spnum >= XFRM_MAX_DEPTH)
86 return -ERANGE;
87
88 priv->spnum = spnum;
89
Pablo Neira Ayuso48f19102022-03-14 18:23:10 +0100[diff] [blame]90 priv->len = len;
Pablo Neira Ayuso345023b2021-01-25 18:27:22 +0100[diff] [blame]91 return nft_parse_register_store(ctx, tb[NFTA_XFRM_DREG], &priv->dreg,
92 NULL, NFT_DATA_VALUE, len);
Florian Westphal6c472602018-09-03 18:09:40 +0200[diff] [blame]93}
94
95/* Return true if key asks for daddr/saddr and current
96 * state does have a valid address (BEET, TUNNEL).
97 */
98static bool xfrm_state_addr_ok(enum nft_xfrm_keys k, u8 family, u8 mode)
99{
100 switch (k) {
101 case NFT_XFRM_KEY_DADDR_IP4:
102 case NFT_XFRM_KEY_SADDR_IP4:
103 if (family == NFPROTO_IPV4)
104 break;
105 return false;
106 case NFT_XFRM_KEY_DADDR_IP6:
107 case NFT_XFRM_KEY_SADDR_IP6:
108 if (family == NFPROTO_IPV6)
109 break;
110 return false;
111 default:
112 return true;
113 }
114
115 return mode == XFRM_MODE_BEET || mode == XFRM_MODE_TUNNEL;
116}
117
118static void nft_xfrm_state_get_key(const struct nft_xfrm *priv,
119 struct nft_regs *regs,
Florian Westphal1321a6a2018-10-10 17:25:47 +0200[diff] [blame]120 const struct xfrm_state *state)
Florian Westphal6c472602018-09-03 18:09:40 +0200[diff] [blame]121{
122 u32 *dest = &regs->data[priv->dreg];
123
Florian Westphal1321a6a2018-10-10 17:25:47 +0200[diff] [blame]124 if (!xfrm_state_addr_ok(priv->key,
125 state->props.family,
126 state->props.mode)) {
Florian Westphal6c472602018-09-03 18:09:40 +0200[diff] [blame]127 regs->verdict.code = NFT_BREAK;
128 return;
129 }
130
131 switch (priv->key) {
132 case NFT_XFRM_KEY_UNSPEC:
133 case __NFT_XFRM_KEY_MAX:
134 WARN_ON_ONCE(1);
135 break;
136 case NFT_XFRM_KEY_DADDR_IP4:
Florian Westphald86473b2022-06-23 15:05:11 +0200[diff] [blame]137 *dest = (__force __u32)state->id.daddr.a4;
Florian Westphal6c472602018-09-03 18:09:40 +0200[diff] [blame]138 return;
139 case NFT_XFRM_KEY_DADDR_IP6:
140 memcpy(dest, &state->id.daddr.in6, sizeof(struct in6_addr));
141 return;
142 case NFT_XFRM_KEY_SADDR_IP4:
Florian Westphald86473b2022-06-23 15:05:11 +0200[diff] [blame]143 *dest = (__force __u32)state->props.saddr.a4;
Florian Westphal6c472602018-09-03 18:09:40 +0200[diff] [blame]144 return;
145 case NFT_XFRM_KEY_SADDR_IP6:
146 memcpy(dest, &state->props.saddr.in6, sizeof(struct in6_addr));
147 return;
148 case NFT_XFRM_KEY_REQID:
149 *dest = state->props.reqid;
150 return;
151 case NFT_XFRM_KEY_SPI:
Florian Westphald86473b2022-06-23 15:05:11 +0200[diff] [blame]152 *dest = (__force __u32)state->id.spi;
Florian Westphal6c472602018-09-03 18:09:40 +0200[diff] [blame]153 return;
154 }
155
156 regs->verdict.code = NFT_BREAK;
157}
158
159static void nft_xfrm_get_eval_in(const struct nft_xfrm *priv,
160 struct nft_regs *regs,
161 const struct nft_pktinfo *pkt)
162{
Florian Westphal2294be0f2018-12-18 17:15:20 +0100[diff] [blame]163 const struct sec_path *sp = skb_sec_path(pkt->skb);
Florian Westphal6c472602018-09-03 18:09:40 +0200[diff] [blame]164 const struct xfrm_state *state;
165
166 if (sp == NULL || sp->len <= priv->spnum) {
167 regs->verdict.code = NFT_BREAK;
168 return;
169 }
170
171 state = sp->xvec[priv->spnum];
Florian Westphal1321a6a2018-10-10 17:25:47 +0200[diff] [blame]172 nft_xfrm_state_get_key(priv, regs, state);
Florian Westphal6c472602018-09-03 18:09:40 +0200[diff] [blame]173}
174
175static void nft_xfrm_get_eval_out(const struct nft_xfrm *priv,
176 struct nft_regs *regs,
177 const struct nft_pktinfo *pkt)
178{
179 const struct dst_entry *dst = skb_dst(pkt->skb);
180 int i;
181
182 for (i = 0; dst && dst->xfrm;
183 dst = ((const struct xfrm_dst *)dst)->child, i++) {
184 if (i < priv->spnum)
185 continue;
186
Florian Westphal1321a6a2018-10-10 17:25:47 +0200[diff] [blame]187 nft_xfrm_state_get_key(priv, regs, dst->xfrm);
Florian Westphal6c472602018-09-03 18:09:40 +0200[diff] [blame]188 return;
189 }
190
191 regs->verdict.code = NFT_BREAK;
192}
193
194static void nft_xfrm_get_eval(const struct nft_expr *expr,
195 struct nft_regs *regs,
196 const struct nft_pktinfo *pkt)
197{
198 const struct nft_xfrm *priv = nft_expr_priv(expr);
199
200 switch (priv->dir) {
201 case XFRM_POLICY_IN:
202 nft_xfrm_get_eval_in(priv, regs, pkt);
203 break;
204 case XFRM_POLICY_OUT:
205 nft_xfrm_get_eval_out(priv, regs, pkt);
206 break;
207 default:
208 WARN_ON_ONCE(1);
209 regs->verdict.code = NFT_BREAK;
210 break;
211 }
212}
213
214static int nft_xfrm_get_dump(struct sk_buff *skb,
Phil Sutter7d34aa32022-10-14 23:45:58 +0200[diff] [blame]215 const struct nft_expr *expr, bool reset)
Florian Westphal6c472602018-09-03 18:09:40 +0200[diff] [blame]216{
217 const struct nft_xfrm *priv = nft_expr_priv(expr);
218
219 if (nft_dump_register(skb, NFTA_XFRM_DREG, priv->dreg))
220 return -1;
221
222 if (nla_put_be32(skb, NFTA_XFRM_KEY, htonl(priv->key)))
223 return -1;
224 if (nla_put_u8(skb, NFTA_XFRM_DIR, priv->dir))
225 return -1;
226 if (nla_put_be32(skb, NFTA_XFRM_SPNUM, htonl(priv->spnum)))
227 return -1;
228
229 return 0;
230}
231
232static int nft_xfrm_validate(const struct nft_ctx *ctx, const struct nft_expr *expr,
233 const struct nft_data **data)
234{
235 const struct nft_xfrm *priv = nft_expr_priv(expr);
236 unsigned int hooks;
237
238 switch (priv->dir) {
239 case XFRM_POLICY_IN:
240 hooks = (1 << NF_INET_FORWARD) |
241 (1 << NF_INET_LOCAL_IN) |
242 (1 << NF_INET_PRE_ROUTING);
243 break;
244 case XFRM_POLICY_OUT:
245 hooks = (1 << NF_INET_FORWARD) |
246 (1 << NF_INET_LOCAL_OUT) |
247 (1 << NF_INET_POST_ROUTING);
248 break;
249 default:
250 WARN_ON_ONCE(1);
251 return -EINVAL;
252 }
253
254 return nft_chain_validate_hooks(ctx->chain, hooks);
255}
256
Pablo Neira Ayuso48f19102022-03-14 18:23:10 +0100[diff] [blame]257static bool nft_xfrm_reduce(struct nft_regs_track *track,
258 const struct nft_expr *expr)
259{
260 const struct nft_xfrm *priv = nft_expr_priv(expr);
261 const struct nft_xfrm *xfrm;
262
263 if (!nft_reg_track_cmp(track, expr, priv->dreg)) {
264 nft_reg_track_update(track, expr, priv->dreg, priv->len);
265 return false;
266 }
267
268 xfrm = nft_expr_priv(track->regs[priv->dreg].selector);
269 if (priv->key != xfrm->key ||
270 priv->dreg != xfrm->dreg ||
271 priv->dir != xfrm->dir ||
272 priv->spnum != xfrm->spnum) {
273 nft_reg_track_update(track, expr, priv->dreg, priv->len);
274 return false;
275 }
276
277 if (!track->regs[priv->dreg].bitwise)
278 return true;
279
280 return nft_expr_reduce_bitwise(track, expr);
281}
Florian Westphal6c472602018-09-03 18:09:40 +0200[diff] [blame]282
283static struct nft_expr_type nft_xfrm_type;
284static const struct nft_expr_ops nft_xfrm_get_ops = {
285 .type = &nft_xfrm_type,
286 .size = NFT_EXPR_SIZE(sizeof(struct nft_xfrm)),
287 .eval = nft_xfrm_get_eval,
288 .init = nft_xfrm_get_init,
289 .dump = nft_xfrm_get_dump,
290 .validate = nft_xfrm_validate,
Pablo Neira Ayuso48f19102022-03-14 18:23:10 +0100[diff] [blame]291 .reduce = nft_xfrm_reduce,
Florian Westphal6c472602018-09-03 18:09:40 +0200[diff] [blame]292};
293
294static struct nft_expr_type nft_xfrm_type __read_mostly = {
295 .name = "xfrm",
296 .ops = &nft_xfrm_get_ops,
297 .policy = nft_xfrm_policy,
298 .maxattr = NFTA_XFRM_MAX,
299 .owner = THIS_MODULE,
300};
301
302static int __init nft_xfrm_module_init(void)
303{
304 return nft_register_expr(&nft_xfrm_type);
305}
306
307static void __exit nft_xfrm_module_exit(void)
308{
309 nft_unregister_expr(&nft_xfrm_type);
310}
311
312module_init(nft_xfrm_module_init);
313module_exit(nft_xfrm_module_exit);
314
315MODULE_LICENSE("GPL");
316MODULE_DESCRIPTION("nf_tables: xfrm/IPSec matching");
317MODULE_AUTHOR("Florian Westphal <fw@strlen.de>");
318MODULE_AUTHOR("Máté Eckl <ecklm94@gmail.com>");
319MODULE_ALIAS_NFT_EXPR("xfrm");