1 // SPDX-License-Identifier: GPL-2.0-only
3 * Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
4 * Copyright (c) 2016 Pablo Neira Ayuso <pablo@netfilter.org>
6 * Development of this code funded by Astaro AG (http://www.astaro.com/)
9 #include <linux/kernel.h>
10 #include <linux/if_vlan.h>
11 #include <linux/init.h>
12 #include <linux/module.h>
13 #include <linux/netlink.h>
14 #include <linux/netfilter.h>
15 #include <linux/netfilter/nf_tables.h>
16 #include <net/netfilter/nf_tables_core.h>
17 #include <net/netfilter/nf_tables.h>
18 #include <net/netfilter/nf_tables_offload.h>
19 /* For layer 4 checksum field offset. */
20 #include <linux/tcp.h>
21 #include <linux/udp.h>
23 #include <linux/icmpv6.h>
25 #include <linux/ipv6.h>
26 #include <net/sctp/checksum.h>
28 static bool nft_payload_rebuild_vlan_hdr(const struct sk_buff *skb, int mac_off,
29 struct vlan_ethhdr *veth)
31 if (skb_copy_bits(skb, mac_off, veth, ETH_HLEN))
34 veth->h_vlan_proto = skb->vlan_proto;
35 veth->h_vlan_TCI = htons(skb_vlan_tag_get(skb));
36 veth->h_vlan_encapsulated_proto = skb->protocol;
41 /* add vlan header into the user buffer for if tag was removed by offloads */
43 nft_payload_copy_vlan(u32 *d, const struct sk_buff *skb, u8 offset, u8 len)
45 int mac_off = skb_mac_header(skb) - skb->data;
46 u8 *vlanh, *dst_u8 = (u8 *) d;
47 struct vlan_ethhdr veth;
50 if ((skb->protocol == htons(ETH_P_8021AD) ||
51 skb->protocol == htons(ETH_P_8021Q)) &&
52 offset >= VLAN_ETH_HLEN && offset < VLAN_ETH_HLEN + VLAN_HLEN)
53 vlan_hlen += VLAN_HLEN;
56 if (offset < VLAN_ETH_HLEN + vlan_hlen) {
60 skb_copy_bits(skb, mac_off, &veth, VLAN_ETH_HLEN) < 0)
62 else if (!nft_payload_rebuild_vlan_hdr(skb, mac_off, &veth))
65 if (offset + len > VLAN_ETH_HLEN + vlan_hlen)
66 ethlen -= offset + len - VLAN_ETH_HLEN - vlan_hlen;
68 memcpy(dst_u8, vlanh + offset - vlan_hlen, ethlen);
75 offset = ETH_HLEN + vlan_hlen;
77 offset -= VLAN_HLEN + vlan_hlen;
80 return skb_copy_bits(skb, offset + mac_off, dst_u8, len) == 0;
83 static int __nft_payload_inner_offset(struct nft_pktinfo *pkt)
85 unsigned int thoff = nft_thoff(pkt);
87 if (!(pkt->flags & NFT_PKTINFO_L4PROTO) || pkt->fragoff)
92 pkt->inneroff = thoff + sizeof(struct udphdr);
95 struct tcphdr *th, _tcph;
97 th = skb_header_pointer(pkt->skb, thoff, sizeof(_tcph), &_tcph);
101 pkt->inneroff = thoff + __tcp_hdrlen(th);
105 u32 offset = sizeof(struct gre_base_hdr);
106 struct gre_base_hdr *gre, _gre;
109 gre = skb_header_pointer(pkt->skb, thoff, sizeof(_gre), &_gre);
113 version = gre->flags & GRE_VERSION;
116 if (gre->flags & GRE_ROUTING)
119 if (gre->flags & GRE_CSUM) {
120 offset += sizeof_field(struct gre_full_hdr, csum) +
121 sizeof_field(struct gre_full_hdr, reserved1);
123 if (gre->flags & GRE_KEY)
124 offset += sizeof_field(struct gre_full_hdr, key);
126 if (gre->flags & GRE_SEQ)
127 offset += sizeof_field(struct gre_full_hdr, seq);
133 pkt->inneroff = thoff + offset;
137 pkt->inneroff = thoff;
143 pkt->flags |= NFT_PKTINFO_INNER;
148 int nft_payload_inner_offset(const struct nft_pktinfo *pkt)
150 if (!(pkt->flags & NFT_PKTINFO_INNER) &&
151 __nft_payload_inner_offset((struct nft_pktinfo *)pkt) < 0)
154 return pkt->inneroff;
157 void nft_payload_eval(const struct nft_expr *expr,
158 struct nft_regs *regs,
159 const struct nft_pktinfo *pkt)
161 const struct nft_payload *priv = nft_expr_priv(expr);
162 const struct sk_buff *skb = pkt->skb;
163 u32 *dest = ®s->data[priv->dreg];
166 if (priv->len % NFT_REG32_SIZE)
167 dest[priv->len / NFT_REG32_SIZE] = 0;
169 switch (priv->base) {
170 case NFT_PAYLOAD_LL_HEADER:
171 if (!skb_mac_header_was_set(skb))
174 if (skb_vlan_tag_present(skb) &&
175 priv->offset >= offsetof(struct ethhdr, h_proto)) {
176 if (!nft_payload_copy_vlan(dest, skb,
177 priv->offset, priv->len))
181 offset = skb_mac_header(skb) - skb->data;
183 case NFT_PAYLOAD_NETWORK_HEADER:
184 offset = skb_network_offset(skb);
186 case NFT_PAYLOAD_TRANSPORT_HEADER:
187 if (!(pkt->flags & NFT_PKTINFO_L4PROTO) || pkt->fragoff)
189 offset = nft_thoff(pkt);
191 case NFT_PAYLOAD_INNER_HEADER:
192 offset = nft_payload_inner_offset(pkt);
200 offset += priv->offset;
202 if (skb_copy_bits(skb, offset, dest, priv->len) < 0)
206 regs->verdict.code = NFT_BREAK;
209 static const struct nla_policy nft_payload_policy[NFTA_PAYLOAD_MAX + 1] = {
210 [NFTA_PAYLOAD_SREG] = { .type = NLA_U32 },
211 [NFTA_PAYLOAD_DREG] = { .type = NLA_U32 },
212 [NFTA_PAYLOAD_BASE] = { .type = NLA_U32 },
213 [NFTA_PAYLOAD_OFFSET] = NLA_POLICY_MAX(NLA_BE32, 255),
214 [NFTA_PAYLOAD_LEN] = NLA_POLICY_MAX(NLA_BE32, 255),
215 [NFTA_PAYLOAD_CSUM_TYPE] = { .type = NLA_U32 },
216 [NFTA_PAYLOAD_CSUM_OFFSET] = NLA_POLICY_MAX(NLA_BE32, 255),
217 [NFTA_PAYLOAD_CSUM_FLAGS] = { .type = NLA_U32 },
220 static int nft_payload_init(const struct nft_ctx *ctx,
221 const struct nft_expr *expr,
222 const struct nlattr * const tb[])
224 struct nft_payload *priv = nft_expr_priv(expr);
226 priv->base = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_BASE]));
227 priv->offset = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_OFFSET]));
228 priv->len = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_LEN]));
230 return nft_parse_register_store(ctx, tb[NFTA_PAYLOAD_DREG],
231 &priv->dreg, NULL, NFT_DATA_VALUE,
235 static int nft_payload_dump(struct sk_buff *skb,
236 const struct nft_expr *expr, bool reset)
238 const struct nft_payload *priv = nft_expr_priv(expr);
240 if (nft_dump_register(skb, NFTA_PAYLOAD_DREG, priv->dreg) ||
241 nla_put_be32(skb, NFTA_PAYLOAD_BASE, htonl(priv->base)) ||
242 nla_put_be32(skb, NFTA_PAYLOAD_OFFSET, htonl(priv->offset)) ||
243 nla_put_be32(skb, NFTA_PAYLOAD_LEN, htonl(priv->len)))
244 goto nla_put_failure;
251 static bool nft_payload_reduce(struct nft_regs_track *track,
252 const struct nft_expr *expr)
254 const struct nft_payload *priv = nft_expr_priv(expr);
255 const struct nft_payload *payload;
257 if (!nft_reg_track_cmp(track, expr, priv->dreg)) {
258 nft_reg_track_update(track, expr, priv->dreg, priv->len);
262 payload = nft_expr_priv(track->regs[priv->dreg].selector);
263 if (priv->base != payload->base ||
264 priv->offset != payload->offset ||
265 priv->len != payload->len) {
266 nft_reg_track_update(track, expr, priv->dreg, priv->len);
270 if (!track->regs[priv->dreg].bitwise)
273 return nft_expr_reduce_bitwise(track, expr);
276 static bool nft_payload_offload_mask(struct nft_offload_reg *reg,
277 u32 priv_len, u32 field_len)
279 unsigned int remainder, delta, k;
280 struct nft_data mask = {};
281 __be32 remainder_mask;
283 if (priv_len == field_len) {
284 memset(®->mask, 0xff, priv_len);
286 } else if (priv_len > field_len) {
290 memset(&mask, 0xff, field_len);
291 remainder = priv_len % sizeof(u32);
293 k = priv_len / sizeof(u32);
294 delta = field_len - priv_len;
295 remainder_mask = htonl(~((1 << (delta * BITS_PER_BYTE)) - 1));
296 mask.data[k] = (__force u32)remainder_mask;
299 memcpy(®->mask, &mask, field_len);
304 static int nft_payload_offload_ll(struct nft_offload_ctx *ctx,
305 struct nft_flow_rule *flow,
306 const struct nft_payload *priv)
308 struct nft_offload_reg *reg = &ctx->regs[priv->dreg];
310 switch (priv->offset) {
311 case offsetof(struct ethhdr, h_source):
312 if (!nft_payload_offload_mask(reg, priv->len, ETH_ALEN))
315 NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_ETH_ADDRS, eth_addrs,
318 case offsetof(struct ethhdr, h_dest):
319 if (!nft_payload_offload_mask(reg, priv->len, ETH_ALEN))
322 NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_ETH_ADDRS, eth_addrs,
325 case offsetof(struct ethhdr, h_proto):
326 if (!nft_payload_offload_mask(reg, priv->len, sizeof(__be16)))
329 NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_BASIC, basic,
330 n_proto, sizeof(__be16), reg);
331 nft_offload_set_dependency(ctx, NFT_OFFLOAD_DEP_NETWORK);
333 case offsetof(struct vlan_ethhdr, h_vlan_TCI):
334 if (!nft_payload_offload_mask(reg, priv->len, sizeof(__be16)))
337 NFT_OFFLOAD_MATCH_FLAGS(FLOW_DISSECTOR_KEY_VLAN, vlan,
338 vlan_tci, sizeof(__be16), reg,
339 NFT_OFFLOAD_F_NETWORK2HOST);
341 case offsetof(struct vlan_ethhdr, h_vlan_encapsulated_proto):
342 if (!nft_payload_offload_mask(reg, priv->len, sizeof(__be16)))
345 NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_VLAN, vlan,
346 vlan_tpid, sizeof(__be16), reg);
347 nft_offload_set_dependency(ctx, NFT_OFFLOAD_DEP_NETWORK);
349 case offsetof(struct vlan_ethhdr, h_vlan_TCI) + sizeof(struct vlan_hdr):
350 if (!nft_payload_offload_mask(reg, priv->len, sizeof(__be16)))
353 NFT_OFFLOAD_MATCH_FLAGS(FLOW_DISSECTOR_KEY_CVLAN, cvlan,
354 vlan_tci, sizeof(__be16), reg,
355 NFT_OFFLOAD_F_NETWORK2HOST);
357 case offsetof(struct vlan_ethhdr, h_vlan_encapsulated_proto) +
358 sizeof(struct vlan_hdr):
359 if (!nft_payload_offload_mask(reg, priv->len, sizeof(__be16)))
362 NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_CVLAN, cvlan,
363 vlan_tpid, sizeof(__be16), reg);
364 nft_offload_set_dependency(ctx, NFT_OFFLOAD_DEP_NETWORK);
373 static int nft_payload_offload_ip(struct nft_offload_ctx *ctx,
374 struct nft_flow_rule *flow,
375 const struct nft_payload *priv)
377 struct nft_offload_reg *reg = &ctx->regs[priv->dreg];
379 switch (priv->offset) {
380 case offsetof(struct iphdr, saddr):
381 if (!nft_payload_offload_mask(reg, priv->len,
382 sizeof(struct in_addr)))
385 NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_IPV4_ADDRS, ipv4, src,
386 sizeof(struct in_addr), reg);
387 nft_flow_rule_set_addr_type(flow, FLOW_DISSECTOR_KEY_IPV4_ADDRS);
389 case offsetof(struct iphdr, daddr):
390 if (!nft_payload_offload_mask(reg, priv->len,
391 sizeof(struct in_addr)))
394 NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_IPV4_ADDRS, ipv4, dst,
395 sizeof(struct in_addr), reg);
396 nft_flow_rule_set_addr_type(flow, FLOW_DISSECTOR_KEY_IPV4_ADDRS);
398 case offsetof(struct iphdr, protocol):
399 if (!nft_payload_offload_mask(reg, priv->len, sizeof(__u8)))
402 NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_BASIC, basic, ip_proto,
404 nft_offload_set_dependency(ctx, NFT_OFFLOAD_DEP_TRANSPORT);
413 static int nft_payload_offload_ip6(struct nft_offload_ctx *ctx,
414 struct nft_flow_rule *flow,
415 const struct nft_payload *priv)
417 struct nft_offload_reg *reg = &ctx->regs[priv->dreg];
419 switch (priv->offset) {
420 case offsetof(struct ipv6hdr, saddr):
421 if (!nft_payload_offload_mask(reg, priv->len,
422 sizeof(struct in6_addr)))
425 NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_IPV6_ADDRS, ipv6, src,
426 sizeof(struct in6_addr), reg);
427 nft_flow_rule_set_addr_type(flow, FLOW_DISSECTOR_KEY_IPV6_ADDRS);
429 case offsetof(struct ipv6hdr, daddr):
430 if (!nft_payload_offload_mask(reg, priv->len,
431 sizeof(struct in6_addr)))
434 NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_IPV6_ADDRS, ipv6, dst,
435 sizeof(struct in6_addr), reg);
436 nft_flow_rule_set_addr_type(flow, FLOW_DISSECTOR_KEY_IPV6_ADDRS);
438 case offsetof(struct ipv6hdr, nexthdr):
439 if (!nft_payload_offload_mask(reg, priv->len, sizeof(__u8)))
442 NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_BASIC, basic, ip_proto,
444 nft_offload_set_dependency(ctx, NFT_OFFLOAD_DEP_TRANSPORT);
453 static int nft_payload_offload_nh(struct nft_offload_ctx *ctx,
454 struct nft_flow_rule *flow,
455 const struct nft_payload *priv)
459 switch (ctx->dep.l3num) {
460 case htons(ETH_P_IP):
461 err = nft_payload_offload_ip(ctx, flow, priv);
463 case htons(ETH_P_IPV6):
464 err = nft_payload_offload_ip6(ctx, flow, priv);
473 static int nft_payload_offload_tcp(struct nft_offload_ctx *ctx,
474 struct nft_flow_rule *flow,
475 const struct nft_payload *priv)
477 struct nft_offload_reg *reg = &ctx->regs[priv->dreg];
479 switch (priv->offset) {
480 case offsetof(struct tcphdr, source):
481 if (!nft_payload_offload_mask(reg, priv->len, sizeof(__be16)))
484 NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_PORTS, tp, src,
485 sizeof(__be16), reg);
487 case offsetof(struct tcphdr, dest):
488 if (!nft_payload_offload_mask(reg, priv->len, sizeof(__be16)))
491 NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_PORTS, tp, dst,
492 sizeof(__be16), reg);
501 static int nft_payload_offload_udp(struct nft_offload_ctx *ctx,
502 struct nft_flow_rule *flow,
503 const struct nft_payload *priv)
505 struct nft_offload_reg *reg = &ctx->regs[priv->dreg];
507 switch (priv->offset) {
508 case offsetof(struct udphdr, source):
509 if (!nft_payload_offload_mask(reg, priv->len, sizeof(__be16)))
512 NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_PORTS, tp, src,
513 sizeof(__be16), reg);
515 case offsetof(struct udphdr, dest):
516 if (!nft_payload_offload_mask(reg, priv->len, sizeof(__be16)))
519 NFT_OFFLOAD_MATCH(FLOW_DISSECTOR_KEY_PORTS, tp, dst,
520 sizeof(__be16), reg);
529 static int nft_payload_offload_th(struct nft_offload_ctx *ctx,
530 struct nft_flow_rule *flow,
531 const struct nft_payload *priv)
535 switch (ctx->dep.protonum) {
537 err = nft_payload_offload_tcp(ctx, flow, priv);
540 err = nft_payload_offload_udp(ctx, flow, priv);
549 static int nft_payload_offload(struct nft_offload_ctx *ctx,
550 struct nft_flow_rule *flow,
551 const struct nft_expr *expr)
553 const struct nft_payload *priv = nft_expr_priv(expr);
556 switch (priv->base) {
557 case NFT_PAYLOAD_LL_HEADER:
558 err = nft_payload_offload_ll(ctx, flow, priv);
560 case NFT_PAYLOAD_NETWORK_HEADER:
561 err = nft_payload_offload_nh(ctx, flow, priv);
563 case NFT_PAYLOAD_TRANSPORT_HEADER:
564 err = nft_payload_offload_th(ctx, flow, priv);
573 static const struct nft_expr_ops nft_payload_ops = {
574 .type = &nft_payload_type,
575 .size = NFT_EXPR_SIZE(sizeof(struct nft_payload)),
576 .eval = nft_payload_eval,
577 .init = nft_payload_init,
578 .dump = nft_payload_dump,
579 .reduce = nft_payload_reduce,
580 .offload = nft_payload_offload,
583 const struct nft_expr_ops nft_payload_fast_ops = {
584 .type = &nft_payload_type,
585 .size = NFT_EXPR_SIZE(sizeof(struct nft_payload)),
586 .eval = nft_payload_eval,
587 .init = nft_payload_init,
588 .dump = nft_payload_dump,
589 .reduce = nft_payload_reduce,
590 .offload = nft_payload_offload,
593 void nft_payload_inner_eval(const struct nft_expr *expr, struct nft_regs *regs,
594 const struct nft_pktinfo *pkt,
595 struct nft_inner_tun_ctx *tun_ctx)
597 const struct nft_payload *priv = nft_expr_priv(expr);
598 const struct sk_buff *skb = pkt->skb;
599 u32 *dest = ®s->data[priv->dreg];
602 if (priv->len % NFT_REG32_SIZE)
603 dest[priv->len / NFT_REG32_SIZE] = 0;
605 switch (priv->base) {
606 case NFT_PAYLOAD_TUN_HEADER:
607 if (!(tun_ctx->flags & NFT_PAYLOAD_CTX_INNER_TUN))
610 offset = tun_ctx->inner_tunoff;
612 case NFT_PAYLOAD_LL_HEADER:
613 if (!(tun_ctx->flags & NFT_PAYLOAD_CTX_INNER_LL))
616 offset = tun_ctx->inner_lloff;
618 case NFT_PAYLOAD_NETWORK_HEADER:
619 if (!(tun_ctx->flags & NFT_PAYLOAD_CTX_INNER_NH))
622 offset = tun_ctx->inner_nhoff;
624 case NFT_PAYLOAD_TRANSPORT_HEADER:
625 if (!(tun_ctx->flags & NFT_PAYLOAD_CTX_INNER_TH))
628 offset = tun_ctx->inner_thoff;
634 offset += priv->offset;
636 if (skb_copy_bits(skb, offset, dest, priv->len) < 0)
641 regs->verdict.code = NFT_BREAK;
644 static int nft_payload_inner_init(const struct nft_ctx *ctx,
645 const struct nft_expr *expr,
646 const struct nlattr * const tb[])
648 struct nft_payload *priv = nft_expr_priv(expr);
651 base = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_BASE]));
653 case NFT_PAYLOAD_TUN_HEADER:
654 case NFT_PAYLOAD_LL_HEADER:
655 case NFT_PAYLOAD_NETWORK_HEADER:
656 case NFT_PAYLOAD_TRANSPORT_HEADER:
663 priv->offset = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_OFFSET]));
664 priv->len = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_LEN]));
666 return nft_parse_register_store(ctx, tb[NFTA_PAYLOAD_DREG],
667 &priv->dreg, NULL, NFT_DATA_VALUE,
671 static const struct nft_expr_ops nft_payload_inner_ops = {
672 .type = &nft_payload_type,
673 .size = NFT_EXPR_SIZE(sizeof(struct nft_payload)),
674 .init = nft_payload_inner_init,
675 .dump = nft_payload_dump,
676 /* direct call to nft_payload_inner_eval(). */
679 static inline void nft_csum_replace(__sum16 *sum, __wsum fsum, __wsum tsum)
681 *sum = csum_fold(csum_add(csum_sub(~csum_unfold(*sum), fsum), tsum));
683 *sum = CSUM_MANGLED_0;
686 static bool nft_payload_udp_checksum(struct sk_buff *skb, unsigned int thoff)
688 struct udphdr *uh, _uh;
690 uh = skb_header_pointer(skb, thoff, sizeof(_uh), &_uh);
694 return (__force bool)uh->check;
697 static int nft_payload_l4csum_offset(const struct nft_pktinfo *pkt,
699 unsigned int *l4csum_offset)
704 switch (pkt->tprot) {
706 *l4csum_offset = offsetof(struct tcphdr, check);
709 if (!nft_payload_udp_checksum(skb, nft_thoff(pkt)))
712 case IPPROTO_UDPLITE:
713 *l4csum_offset = offsetof(struct udphdr, check);
716 *l4csum_offset = offsetof(struct icmp6hdr, icmp6_cksum);
722 *l4csum_offset += nft_thoff(pkt);
726 static int nft_payload_csum_sctp(struct sk_buff *skb, int offset)
730 if (skb_ensure_writable(skb, offset + sizeof(*sh)))
733 sh = (struct sctphdr *)(skb->data + offset);
734 sh->checksum = sctp_compute_cksum(skb, offset);
735 skb->ip_summed = CHECKSUM_UNNECESSARY;
739 static int nft_payload_l4csum_update(const struct nft_pktinfo *pkt,
741 __wsum fsum, __wsum tsum)
746 /* If we cannot determine layer 4 checksum offset or this packet doesn't
747 * require layer 4 checksum recalculation, skip this packet.
749 if (nft_payload_l4csum_offset(pkt, skb, &l4csum_offset) < 0)
752 if (skb_copy_bits(skb, l4csum_offset, &sum, sizeof(sum)) < 0)
755 /* Checksum mangling for an arbitrary amount of bytes, based on
756 * inet_proto_csum_replace*() functions.
758 if (skb->ip_summed != CHECKSUM_PARTIAL) {
759 nft_csum_replace(&sum, fsum, tsum);
760 if (skb->ip_summed == CHECKSUM_COMPLETE) {
761 skb->csum = ~csum_add(csum_sub(~(skb->csum), fsum),
765 sum = ~csum_fold(csum_add(csum_sub(csum_unfold(sum), fsum),
769 if (skb_ensure_writable(skb, l4csum_offset + sizeof(sum)) ||
770 skb_store_bits(skb, l4csum_offset, &sum, sizeof(sum)) < 0)
776 static int nft_payload_csum_inet(struct sk_buff *skb, const u32 *src,
777 __wsum fsum, __wsum tsum, int csum_offset)
781 if (skb_copy_bits(skb, csum_offset, &sum, sizeof(sum)) < 0)
784 nft_csum_replace(&sum, fsum, tsum);
785 if (skb_ensure_writable(skb, csum_offset + sizeof(sum)) ||
786 skb_store_bits(skb, csum_offset, &sum, sizeof(sum)) < 0)
792 struct nft_payload_set {
793 enum nft_payload_bases base:8;
802 static void nft_payload_set_eval(const struct nft_expr *expr,
803 struct nft_regs *regs,
804 const struct nft_pktinfo *pkt)
806 const struct nft_payload_set *priv = nft_expr_priv(expr);
807 struct sk_buff *skb = pkt->skb;
808 const u32 *src = ®s->data[priv->sreg];
809 int offset, csum_offset;
812 switch (priv->base) {
813 case NFT_PAYLOAD_LL_HEADER:
814 if (!skb_mac_header_was_set(skb))
816 offset = skb_mac_header(skb) - skb->data;
818 case NFT_PAYLOAD_NETWORK_HEADER:
819 offset = skb_network_offset(skb);
821 case NFT_PAYLOAD_TRANSPORT_HEADER:
822 if (!(pkt->flags & NFT_PKTINFO_L4PROTO) || pkt->fragoff)
824 offset = nft_thoff(pkt);
826 case NFT_PAYLOAD_INNER_HEADER:
827 offset = nft_payload_inner_offset(pkt);
836 csum_offset = offset + priv->csum_offset;
837 offset += priv->offset;
839 if ((priv->csum_type == NFT_PAYLOAD_CSUM_INET || priv->csum_flags) &&
840 ((priv->base != NFT_PAYLOAD_TRANSPORT_HEADER &&
841 priv->base != NFT_PAYLOAD_INNER_HEADER) ||
842 skb->ip_summed != CHECKSUM_PARTIAL)) {
843 fsum = skb_checksum(skb, offset, priv->len, 0);
844 tsum = csum_partial(src, priv->len, 0);
846 if (priv->csum_type == NFT_PAYLOAD_CSUM_INET &&
847 nft_payload_csum_inet(skb, src, fsum, tsum, csum_offset))
850 if (priv->csum_flags &&
851 nft_payload_l4csum_update(pkt, skb, fsum, tsum) < 0)
855 if (skb_ensure_writable(skb, max(offset + priv->len, 0)) ||
856 skb_store_bits(skb, offset, src, priv->len) < 0)
859 if (priv->csum_type == NFT_PAYLOAD_CSUM_SCTP &&
860 pkt->tprot == IPPROTO_SCTP &&
861 skb->ip_summed != CHECKSUM_PARTIAL) {
862 if (pkt->fragoff == 0 &&
863 nft_payload_csum_sctp(skb, nft_thoff(pkt)))
869 regs->verdict.code = NFT_BREAK;
872 static int nft_payload_set_init(const struct nft_ctx *ctx,
873 const struct nft_expr *expr,
874 const struct nlattr * const tb[])
876 struct nft_payload_set *priv = nft_expr_priv(expr);
877 u32 csum_offset, csum_type = NFT_PAYLOAD_CSUM_NONE;
880 priv->base = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_BASE]));
881 priv->offset = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_OFFSET]));
882 priv->len = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_LEN]));
884 if (tb[NFTA_PAYLOAD_CSUM_TYPE])
885 csum_type = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_CSUM_TYPE]));
886 if (tb[NFTA_PAYLOAD_CSUM_OFFSET]) {
887 err = nft_parse_u32_check(tb[NFTA_PAYLOAD_CSUM_OFFSET], U8_MAX,
892 priv->csum_offset = csum_offset;
894 if (tb[NFTA_PAYLOAD_CSUM_FLAGS]) {
897 flags = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_CSUM_FLAGS]));
898 if (flags & ~NFT_PAYLOAD_L4CSUM_PSEUDOHDR)
901 priv->csum_flags = flags;
905 case NFT_PAYLOAD_CSUM_NONE:
906 case NFT_PAYLOAD_CSUM_INET:
908 case NFT_PAYLOAD_CSUM_SCTP:
909 if (priv->base != NFT_PAYLOAD_TRANSPORT_HEADER)
912 if (priv->csum_offset != offsetof(struct sctphdr, checksum))
918 priv->csum_type = csum_type;
920 return nft_parse_register_load(tb[NFTA_PAYLOAD_SREG], &priv->sreg,
924 static int nft_payload_set_dump(struct sk_buff *skb,
925 const struct nft_expr *expr, bool reset)
927 const struct nft_payload_set *priv = nft_expr_priv(expr);
929 if (nft_dump_register(skb, NFTA_PAYLOAD_SREG, priv->sreg) ||
930 nla_put_be32(skb, NFTA_PAYLOAD_BASE, htonl(priv->base)) ||
931 nla_put_be32(skb, NFTA_PAYLOAD_OFFSET, htonl(priv->offset)) ||
932 nla_put_be32(skb, NFTA_PAYLOAD_LEN, htonl(priv->len)) ||
933 nla_put_be32(skb, NFTA_PAYLOAD_CSUM_TYPE, htonl(priv->csum_type)) ||
934 nla_put_be32(skb, NFTA_PAYLOAD_CSUM_OFFSET,
935 htonl(priv->csum_offset)) ||
936 nla_put_be32(skb, NFTA_PAYLOAD_CSUM_FLAGS, htonl(priv->csum_flags)))
937 goto nla_put_failure;
944 static bool nft_payload_set_reduce(struct nft_regs_track *track,
945 const struct nft_expr *expr)
949 for (i = 0; i < NFT_REG32_NUM; i++) {
950 if (!track->regs[i].selector)
953 if (track->regs[i].selector->ops != &nft_payload_ops &&
954 track->regs[i].selector->ops != &nft_payload_fast_ops)
957 __nft_reg_track_cancel(track, i);
963 static const struct nft_expr_ops nft_payload_set_ops = {
964 .type = &nft_payload_type,
965 .size = NFT_EXPR_SIZE(sizeof(struct nft_payload_set)),
966 .eval = nft_payload_set_eval,
967 .init = nft_payload_set_init,
968 .dump = nft_payload_set_dump,
969 .reduce = nft_payload_set_reduce,
972 static const struct nft_expr_ops *
973 nft_payload_select_ops(const struct nft_ctx *ctx,
974 const struct nlattr * const tb[])
976 enum nft_payload_bases base;
977 unsigned int offset, len;
980 if (tb[NFTA_PAYLOAD_BASE] == NULL ||
981 tb[NFTA_PAYLOAD_OFFSET] == NULL ||
982 tb[NFTA_PAYLOAD_LEN] == NULL)
983 return ERR_PTR(-EINVAL);
985 base = ntohl(nla_get_be32(tb[NFTA_PAYLOAD_BASE]));
987 case NFT_PAYLOAD_LL_HEADER:
988 case NFT_PAYLOAD_NETWORK_HEADER:
989 case NFT_PAYLOAD_TRANSPORT_HEADER:
990 case NFT_PAYLOAD_INNER_HEADER:
993 return ERR_PTR(-EOPNOTSUPP);
996 if (tb[NFTA_PAYLOAD_SREG] != NULL) {
997 if (tb[NFTA_PAYLOAD_DREG] != NULL)
998 return ERR_PTR(-EINVAL);
999 return &nft_payload_set_ops;
1002 if (tb[NFTA_PAYLOAD_DREG] == NULL)
1003 return ERR_PTR(-EINVAL);
1005 err = nft_parse_u32_check(tb[NFTA_PAYLOAD_OFFSET], U8_MAX, &offset);
1007 return ERR_PTR(err);
1009 err = nft_parse_u32_check(tb[NFTA_PAYLOAD_LEN], U8_MAX, &len);
1011 return ERR_PTR(err);
1013 if (len <= 4 && is_power_of_2(len) && IS_ALIGNED(offset, len) &&
1014 base != NFT_PAYLOAD_LL_HEADER && base != NFT_PAYLOAD_INNER_HEADER)
1015 return &nft_payload_fast_ops;
1017 return &nft_payload_ops;
1020 struct nft_expr_type nft_payload_type __read_mostly = {
1022 .select_ops = nft_payload_select_ops,
1023 .inner_ops = &nft_payload_inner_ops,
1024 .policy = nft_payload_policy,
1025 .maxattr = NFTA_PAYLOAD_MAX,
1026 .owner = THIS_MODULE,
projects / platform / kernel / linux-starfive.git / blob