xref: /linux/net/netfilter/nft_lookup.c (revision 84b9b44b) 
1 // SPDX-License-Identifier: GPL-2.0-only
2 /*
3  * Copyright (c) 2009 Patrick McHardy <kaber@trash.net>
4  *
5  * Development of this code funded by Astaro AG (http://www.astaro.com/)
6  */
7 
8 #include <linux/kernel.h>
9 #include <linux/init.h>
10 #include <linux/list.h>
11 #include <linux/rbtree.h>
12 #include <linux/netlink.h>
13 #include <linux/netfilter.h>
14 #include <linux/netfilter/nf_tables.h>
15 #include <net/netfilter/nf_tables.h>
16 #include <net/netfilter/nf_tables_core.h>
17 
18 struct nft_lookup {
19 	struct nft_set			*set;
20 	u8				sreg;
21 	u8				dreg;
22 	bool				invert;
23 	struct nft_set_binding		binding;
24 };
25 
26 #ifdef CONFIG_RETPOLINE
27 bool nft_set_do_lookup(const struct net *net, const struct nft_set *set,
28 		       const u32 *key, const struct nft_set_ext **ext)
29 {
30 	if (set->ops == &nft_set_hash_fast_type.ops)
31 		return nft_hash_lookup_fast(net, set, key, ext);
32 	if (set->ops == &nft_set_hash_type.ops)
33 		return nft_hash_lookup(net, set, key, ext);
34 
35 	if (set->ops == &nft_set_rhash_type.ops)
36 		return nft_rhash_lookup(net, set, key, ext);
37 
38 	if (set->ops == &nft_set_bitmap_type.ops)
39 		return nft_bitmap_lookup(net, set, key, ext);
40 
41 	if (set->ops == &nft_set_pipapo_type.ops)
42 		return nft_pipapo_lookup(net, set, key, ext);
43 #if defined(CONFIG_X86_64) && !defined(CONFIG_UML)
44 	if (set->ops == &nft_set_pipapo_avx2_type.ops)
45 		return nft_pipapo_avx2_lookup(net, set, key, ext);
46 #endif
47 
48 	if (set->ops == &nft_set_rbtree_type.ops)
49 		return nft_rbtree_lookup(net, set, key, ext);
50 
51 	WARN_ON_ONCE(1);
52 	return set->ops->lookup(net, set, key, ext);
53 }
54 EXPORT_SYMBOL_GPL(nft_set_do_lookup);
55 #endif
56 
57 void nft_lookup_eval(const struct nft_expr *expr,
58 		     struct nft_regs *regs,
59 		     const struct nft_pktinfo *pkt)
60 {
61 	const struct nft_lookup *priv = nft_expr_priv(expr);
62 	const struct nft_set *set = priv->set;
63 	const struct nft_set_ext *ext = NULL;
64 	const struct net *net = nft_net(pkt);
65 	bool found;
66 
67 	found =	nft_set_do_lookup(net, set, &regs->data[priv->sreg], &ext) ^
68 				  priv->invert;
69 	if (!found) {
70 		ext = nft_set_catchall_lookup(net, set);
71 		if (!ext) {
72 			regs->verdict.code = NFT_BREAK;
73 			return;
74 		}
75 	}
76 
77 	if (ext) {
78 		if (set->flags & NFT_SET_MAP)
79 			nft_data_copy(&regs->data[priv->dreg],
80 				      nft_set_ext_data(ext), set->dlen);
81 
82 		nft_set_elem_update_expr(ext, regs, pkt);
83 	}
84 }
85 
86 static const struct nla_policy nft_lookup_policy[NFTA_LOOKUP_MAX + 1] = {
87 	[NFTA_LOOKUP_SET]	= { .type = NLA_STRING,
88 				    .len = NFT_SET_MAXNAMELEN - 1 },
89 	[NFTA_LOOKUP_SET_ID]	= { .type = NLA_U32 },
90 	[NFTA_LOOKUP_SREG]	= { .type = NLA_U32 },
91 	[NFTA_LOOKUP_DREG]	= { .type = NLA_U32 },
92 	[NFTA_LOOKUP_FLAGS]	= { .type = NLA_U32 },
93 };
94 
95 static int nft_lookup_init(const struct nft_ctx *ctx,
96 			   const struct nft_expr *expr,
97 			   const struct nlattr * const tb[])
98 {
99 	struct nft_lookup *priv = nft_expr_priv(expr);
100 	u8 genmask = nft_genmask_next(ctx->net);
101 	struct nft_set *set;
102 	u32 flags;
103 	int err;
104 
105 	if (tb[NFTA_LOOKUP_SET] == NULL ||
106 	    tb[NFTA_LOOKUP_SREG] == NULL)
107 		return -EINVAL;
108 
109 	set = nft_set_lookup_global(ctx->net, ctx->table, tb[NFTA_LOOKUP_SET],
110 				    tb[NFTA_LOOKUP_SET_ID], genmask);
111 	if (IS_ERR(set))
112 		return PTR_ERR(set);
113 
114 	err = nft_parse_register_load(tb[NFTA_LOOKUP_SREG], &priv->sreg,
115 				      set->klen);
116 	if (err < 0)
117 		return err;
118 
119 	if (tb[NFTA_LOOKUP_FLAGS]) {
120 		flags = ntohl(nla_get_be32(tb[NFTA_LOOKUP_FLAGS]));
121 
122 		if (flags & ~NFT_LOOKUP_F_INV)
123 			return -EINVAL;
124 
125 		if (flags & NFT_LOOKUP_F_INV) {
126 			if (set->flags & NFT_SET_MAP)
127 				return -EINVAL;
128 			priv->invert = true;
129 		}
130 	}
131 
132 	if (tb[NFTA_LOOKUP_DREG] != NULL) {
133 		if (priv->invert)
134 			return -EINVAL;
135 		if (!(set->flags & NFT_SET_MAP))
136 			return -EINVAL;
137 
138 		err = nft_parse_register_store(ctx, tb[NFTA_LOOKUP_DREG],
139 					       &priv->dreg, NULL, set->dtype,
140 					       set->dlen);
141 		if (err < 0)
142 			return err;
143 	} else if (set->flags & NFT_SET_MAP)
144 		return -EINVAL;
145 
146 	priv->binding.flags = set->flags & NFT_SET_MAP;
147 
148 	err = nf_tables_bind_set(ctx, set, &priv->binding);
149 	if (err < 0)
150 		return err;
151 
152 	priv->set = set;
153 	return 0;
154 }
155 
156 static void nft_lookup_deactivate(const struct nft_ctx *ctx,
157 				  const struct nft_expr *expr,
158 				  enum nft_trans_phase phase)
159 {
160 	struct nft_lookup *priv = nft_expr_priv(expr);
161 
162 	nf_tables_deactivate_set(ctx, priv->set, &priv->binding, phase);
163 }
164 
165 static void nft_lookup_activate(const struct nft_ctx *ctx,
166 				const struct nft_expr *expr)
167 {
168 	struct nft_lookup *priv = nft_expr_priv(expr);
169 
170 	nf_tables_activate_set(ctx, priv->set);
171 }
172 
173 static void nft_lookup_destroy(const struct nft_ctx *ctx,
174 			       const struct nft_expr *expr)
175 {
176 	struct nft_lookup *priv = nft_expr_priv(expr);
177 
178 	nf_tables_destroy_set(ctx, priv->set);
179 }
180 
181 static int nft_lookup_dump(struct sk_buff *skb,
182 			   const struct nft_expr *expr, bool reset)
183 {
184 	const struct nft_lookup *priv = nft_expr_priv(expr);
185 	u32 flags = priv->invert ? NFT_LOOKUP_F_INV : 0;
186 
187 	if (nla_put_string(skb, NFTA_LOOKUP_SET, priv->set->name))
188 		goto nla_put_failure;
189 	if (nft_dump_register(skb, NFTA_LOOKUP_SREG, priv->sreg))
190 		goto nla_put_failure;
191 	if (priv->set->flags & NFT_SET_MAP)
192 		if (nft_dump_register(skb, NFTA_LOOKUP_DREG, priv->dreg))
193 			goto nla_put_failure;
194 	if (nla_put_be32(skb, NFTA_LOOKUP_FLAGS, htonl(flags)))
195 		goto nla_put_failure;
196 	return 0;
197 
198 nla_put_failure:
199 	return -1;
200 }
201 
202 static int nft_lookup_validate(const struct nft_ctx *ctx,
203 			       const struct nft_expr *expr,
204 			       const struct nft_data **d)
205 {
206 	const struct nft_lookup *priv = nft_expr_priv(expr);
207 	struct nft_set_iter iter;
208 
209 	if (!(priv->set->flags & NFT_SET_MAP) ||
210 	    priv->set->dtype != NFT_DATA_VERDICT)
211 		return 0;
212 
213 	iter.genmask	= nft_genmask_next(ctx->net);
214 	iter.skip	= 0;
215 	iter.count	= 0;
216 	iter.err	= 0;
217 	iter.fn		= nft_setelem_validate;
218 
219 	priv->set->ops->walk(ctx, priv->set, &iter);
220 	if (!iter.err)
221 		iter.err = nft_set_catchall_validate(ctx, priv->set);
222 
223 	if (iter.err < 0)
224 		return iter.err;
225 
226 	return 0;
227 }
228 
229 static bool nft_lookup_reduce(struct nft_regs_track *track,
230 			      const struct nft_expr *expr)
231 {
232 	const struct nft_lookup *priv = nft_expr_priv(expr);
233 
234 	if (priv->set->flags & NFT_SET_MAP)
235 		nft_reg_track_cancel(track, priv->dreg, priv->set->dlen);
236 
237 	return false;
238 }
239 
240 static const struct nft_expr_ops nft_lookup_ops = {
241 	.type		= &nft_lookup_type,
242 	.size		= NFT_EXPR_SIZE(sizeof(struct nft_lookup)),
243 	.eval		= nft_lookup_eval,
244 	.init		= nft_lookup_init,
245 	.activate	= nft_lookup_activate,
246 	.deactivate	= nft_lookup_deactivate,
247 	.destroy	= nft_lookup_destroy,
248 	.dump		= nft_lookup_dump,
249 	.validate	= nft_lookup_validate,
250 	.reduce		= nft_lookup_reduce,
251 };
252 
253 struct nft_expr_type nft_lookup_type __read_mostly = {
254 	.name		= "lookup",
255 	.ops		= &nft_lookup_ops,
256 	.policy		= nft_lookup_policy,
257 	.maxattr	= NFTA_LOOKUP_MAX,
258 	.owner		= THIS_MODULE,
259 };
260