net/sched/em_ipset.c

62306a36Sopenharmony_ci// SPDX-License-Identifier: GPL-2.0-only
62306a36Sopenharmony_ci/*
62306a36Sopenharmony_ci * net/sched/em_ipset.c	ipset ematch
62306a36Sopenharmony_ci *
62306a36Sopenharmony_ci * Copyright (c) 2012 Florian Westphal <fw@strlen.de>
62306a36Sopenharmony_ci */
62306a36Sopenharmony_ci
62306a36Sopenharmony_ci#include <linux/gfp.h>
62306a36Sopenharmony_ci#include <linux/module.h>
62306a36Sopenharmony_ci#include <linux/types.h>
62306a36Sopenharmony_ci#include <linux/kernel.h>
62306a36Sopenharmony_ci#include <linux/string.h>
62306a36Sopenharmony_ci#include <linux/skbuff.h>
62306a36Sopenharmony_ci#include <linux/netfilter/xt_set.h>
62306a36Sopenharmony_ci#include <linux/ipv6.h>
62306a36Sopenharmony_ci#include <net/ip.h>
62306a36Sopenharmony_ci#include <net/pkt_cls.h>
62306a36Sopenharmony_ci
62306a36Sopenharmony_cistatic int em_ipset_change(struct net *net, void *data, int data_len,
62306a36Sopenharmony_ci			   struct tcf_ematch *em)
62306a36Sopenharmony_ci{
62306a36Sopenharmony_ci	struct xt_set_info *set = data;
62306a36Sopenharmony_ci	ip_set_id_t index;
62306a36Sopenharmony_ci
62306a36Sopenharmony_ci	if (data_len != sizeof(*set))
62306a36Sopenharmony_ci		return -EINVAL;
62306a36Sopenharmony_ci
62306a36Sopenharmony_ci	index = ip_set_nfnl_get_byindex(net, set->index);
62306a36Sopenharmony_ci	if (index == IPSET_INVALID_ID)
62306a36Sopenharmony_ci		return -ENOENT;
62306a36Sopenharmony_ci
62306a36Sopenharmony_ci	em->datalen = sizeof(*set);
62306a36Sopenharmony_ci	em->data = (unsigned long)kmemdup(data, em->datalen, GFP_KERNEL);
62306a36Sopenharmony_ci	if (em->data)
62306a36Sopenharmony_ci		return 0;
62306a36Sopenharmony_ci
62306a36Sopenharmony_ci	ip_set_nfnl_put(net, index);
62306a36Sopenharmony_ci	return -ENOMEM;
62306a36Sopenharmony_ci}
62306a36Sopenharmony_ci
62306a36Sopenharmony_cistatic void em_ipset_destroy(struct tcf_ematch *em)
62306a36Sopenharmony_ci{
62306a36Sopenharmony_ci	const struct xt_set_info *set = (const void *) em->data;
62306a36Sopenharmony_ci	if (set) {
62306a36Sopenharmony_ci		ip_set_nfnl_put(em->net, set->index);
62306a36Sopenharmony_ci		kfree((void *) em->data);
62306a36Sopenharmony_ci	}
62306a36Sopenharmony_ci}
62306a36Sopenharmony_ci
62306a36Sopenharmony_cistatic int em_ipset_match(struct sk_buff *skb, struct tcf_ematch *em,
62306a36Sopenharmony_ci			  struct tcf_pkt_info *info)
62306a36Sopenharmony_ci{
62306a36Sopenharmony_ci	struct ip_set_adt_opt opt;
62306a36Sopenharmony_ci	struct xt_action_param acpar;
62306a36Sopenharmony_ci	const struct xt_set_info *set = (const void *) em->data;
62306a36Sopenharmony_ci	struct net_device *dev, *indev = NULL;
62306a36Sopenharmony_ci	struct nf_hook_state state = {
62306a36Sopenharmony_ci		.net	= em->net,
62306a36Sopenharmony_ci	};
62306a36Sopenharmony_ci	int ret, network_offset;
62306a36Sopenharmony_ci
62306a36Sopenharmony_ci	switch (skb_protocol(skb, true)) {
62306a36Sopenharmony_ci	case htons(ETH_P_IP):
62306a36Sopenharmony_ci		state.pf = NFPROTO_IPV4;
62306a36Sopenharmony_ci		if (!pskb_network_may_pull(skb, sizeof(struct iphdr)))
62306a36Sopenharmony_ci			return 0;
62306a36Sopenharmony_ci		acpar.thoff = ip_hdrlen(skb);
62306a36Sopenharmony_ci		break;
62306a36Sopenharmony_ci	case htons(ETH_P_IPV6):
62306a36Sopenharmony_ci		state.pf = NFPROTO_IPV6;
62306a36Sopenharmony_ci		if (!pskb_network_may_pull(skb, sizeof(struct ipv6hdr)))
62306a36Sopenharmony_ci			return 0;
62306a36Sopenharmony_ci		/* doesn't call ipv6_find_hdr() because ipset doesn't use thoff, yet */
62306a36Sopenharmony_ci		acpar.thoff = sizeof(struct ipv6hdr);
62306a36Sopenharmony_ci		break;
62306a36Sopenharmony_ci	default:
62306a36Sopenharmony_ci		return 0;
62306a36Sopenharmony_ci	}
62306a36Sopenharmony_ci
62306a36Sopenharmony_ci	opt.family = state.pf;
62306a36Sopenharmony_ci	opt.dim = set->dim;
62306a36Sopenharmony_ci	opt.flags = set->flags;
62306a36Sopenharmony_ci	opt.cmdflags = 0;
62306a36Sopenharmony_ci	opt.ext.timeout = ~0u;
62306a36Sopenharmony_ci
62306a36Sopenharmony_ci	network_offset = skb_network_offset(skb);
62306a36Sopenharmony_ci	skb_pull(skb, network_offset);
62306a36Sopenharmony_ci
62306a36Sopenharmony_ci	dev = skb->dev;
62306a36Sopenharmony_ci
62306a36Sopenharmony_ci	rcu_read_lock();
62306a36Sopenharmony_ci
62306a36Sopenharmony_ci	if (skb->skb_iif)
62306a36Sopenharmony_ci		indev = dev_get_by_index_rcu(em->net, skb->skb_iif);
62306a36Sopenharmony_ci
62306a36Sopenharmony_ci	state.in      = indev ? indev : dev;
62306a36Sopenharmony_ci	state.out     = dev;
62306a36Sopenharmony_ci	acpar.state   = &state;
62306a36Sopenharmony_ci
62306a36Sopenharmony_ci	ret = ip_set_test(set->index, skb, &acpar, &opt);
62306a36Sopenharmony_ci
62306a36Sopenharmony_ci	rcu_read_unlock();
62306a36Sopenharmony_ci
62306a36Sopenharmony_ci	skb_push(skb, network_offset);
62306a36Sopenharmony_ci	return ret;
62306a36Sopenharmony_ci}
62306a36Sopenharmony_ci
62306a36Sopenharmony_cistatic struct tcf_ematch_ops em_ipset_ops = {
62306a36Sopenharmony_ci	.kind	  = TCF_EM_IPSET,
62306a36Sopenharmony_ci	.change	  = em_ipset_change,
62306a36Sopenharmony_ci	.destroy  = em_ipset_destroy,
62306a36Sopenharmony_ci	.match	  = em_ipset_match,
62306a36Sopenharmony_ci	.owner	  = THIS_MODULE,
62306a36Sopenharmony_ci	.link	  = LIST_HEAD_INIT(em_ipset_ops.link)
62306a36Sopenharmony_ci};
62306a36Sopenharmony_ci
62306a36Sopenharmony_cistatic int __init init_em_ipset(void)
62306a36Sopenharmony_ci{
62306a36Sopenharmony_ci	return tcf_em_register(&em_ipset_ops);
62306a36Sopenharmony_ci}
62306a36Sopenharmony_ci
62306a36Sopenharmony_cistatic void __exit exit_em_ipset(void)
62306a36Sopenharmony_ci{
62306a36Sopenharmony_ci	tcf_em_unregister(&em_ipset_ops);
62306a36Sopenharmony_ci}
62306a36Sopenharmony_ci
62306a36Sopenharmony_ciMODULE_LICENSE("GPL");
62306a36Sopenharmony_ciMODULE_AUTHOR("Florian Westphal <fw@strlen.de>");
62306a36Sopenharmony_ciMODULE_DESCRIPTION("TC extended match for IP sets");
62306a36Sopenharmony_ci
62306a36Sopenharmony_cimodule_init(init_em_ipset);
62306a36Sopenharmony_cimodule_exit(exit_em_ipset);
62306a36Sopenharmony_ci
62306a36Sopenharmony_ciMODULE_ALIAS_TCF_EMATCH(TCF_EM_IPSET);