1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17#include <linux/module.h>
18#include <linux/types.h>
19#include <linux/kernel.h>
20#include <linux/string.h>
21#include <linux/errno.h>
22#include <linux/err.h>
23#include <linux/skbuff.h>
24#include <linux/init.h>
25#include <linux/kmod.h>
26#include <linux/slab.h>
27#include <linux/idr.h>
28#include <linux/jhash.h>
29#include <linux/rculist.h>
30#include <net/net_namespace.h>
31#include <net/sock.h>
32#include <net/netlink.h>
33#include <net/pkt_sched.h>
34#include <net/pkt_cls.h>
35#include <net/tc_act/tc_pedit.h>
36#include <net/tc_act/tc_mirred.h>
37#include <net/tc_act/tc_vlan.h>
38#include <net/tc_act/tc_tunnel_key.h>
39#include <net/tc_act/tc_csum.h>
40#include <net/tc_act/tc_gact.h>
41#include <net/tc_act/tc_police.h>
42#include <net/tc_act/tc_sample.h>
43#include <net/tc_act/tc_skbedit.h>
44#include <net/tc_act/tc_ct.h>
45#include <net/tc_act/tc_mpls.h>
46#include <net/tc_act/tc_gate.h>
47#include <net/flow_offload.h>
48
49extern const struct nla_policy rtm_tca_policy[TCA_MAX + 1];
50
51
52static LIST_HEAD(tcf_proto_base);
53
54
55static DEFINE_RWLOCK(cls_mod_lock);
56
57static u32 destroy_obj_hashfn(const struct tcf_proto *tp)
58{
59 return jhash_3words(tp->chain->index, tp->prio,
60 (__force __u32)tp->protocol, 0);
61}
62
63static void tcf_proto_signal_destroying(struct tcf_chain *chain,
64 struct tcf_proto *tp)
65{
66 struct tcf_block *block = chain->block;
67
68 mutex_lock(&block->proto_destroy_lock);
69 hash_add_rcu(block->proto_destroy_ht, &tp->destroy_ht_node,
70 destroy_obj_hashfn(tp));
71 mutex_unlock(&block->proto_destroy_lock);
72}
73
74static bool tcf_proto_cmp(const struct tcf_proto *tp1,
75 const struct tcf_proto *tp2)
76{
77 return tp1->chain->index == tp2->chain->index &&
78 tp1->prio == tp2->prio &&
79 tp1->protocol == tp2->protocol;
80}
81
82static bool tcf_proto_exists_destroying(struct tcf_chain *chain,
83 struct tcf_proto *tp)
84{
85 u32 hash = destroy_obj_hashfn(tp);
86 struct tcf_proto *iter;
87 bool found = false;
88
89 rcu_read_lock();
90 hash_for_each_possible_rcu(chain->block->proto_destroy_ht, iter,
91 destroy_ht_node, hash) {
92 if (tcf_proto_cmp(tp, iter)) {
93 found = true;
94 break;
95 }
96 }
97 rcu_read_unlock();
98
99 return found;
100}
101
102static void
103tcf_proto_signal_destroyed(struct tcf_chain *chain, struct tcf_proto *tp)
104{
105 struct tcf_block *block = chain->block;
106
107 mutex_lock(&block->proto_destroy_lock);
108 if (hash_hashed(&tp->destroy_ht_node))
109 hash_del_rcu(&tp->destroy_ht_node);
110 mutex_unlock(&block->proto_destroy_lock);
111}
112
113
114
115static const struct tcf_proto_ops *__tcf_proto_lookup_ops(const char *kind)
116{
117 const struct tcf_proto_ops *t, *res = NULL;
118
119 if (kind) {
120 read_lock(&cls_mod_lock);
121 list_for_each_entry(t, &tcf_proto_base, head) {
122 if (strcmp(kind, t->kind) == 0) {
123 if (try_module_get(t->owner))
124 res = t;
125 break;
126 }
127 }
128 read_unlock(&cls_mod_lock);
129 }
130 return res;
131}
132
133static const struct tcf_proto_ops *
134tcf_proto_lookup_ops(const char *kind, bool rtnl_held,
135 struct netlink_ext_ack *extack)
136{
137 const struct tcf_proto_ops *ops;
138
139 ops = __tcf_proto_lookup_ops(kind);
140 if (ops)
141 return ops;
142#ifdef CONFIG_MODULES
143 if (rtnl_held)
144 rtnl_unlock();
145 request_module("cls_%s", kind);
146 if (rtnl_held)
147 rtnl_lock();
148 ops = __tcf_proto_lookup_ops(kind);
149
150
151
152
153
154 if (ops) {
155 module_put(ops->owner);
156 return ERR_PTR(-EAGAIN);
157 }
158#endif
159 NL_SET_ERR_MSG(extack, "TC classifier not found");
160 return ERR_PTR(-ENOENT);
161}
162
163
164
165int register_tcf_proto_ops(struct tcf_proto_ops *ops)
166{
167 struct tcf_proto_ops *t;
168 int rc = -EEXIST;
169
170 write_lock(&cls_mod_lock);
171 list_for_each_entry(t, &tcf_proto_base, head)
172 if (!strcmp(ops->kind, t->kind))
173 goto out;
174
175 list_add_tail(&ops->head, &tcf_proto_base);
176 rc = 0;
177out:
178 write_unlock(&cls_mod_lock);
179 return rc;
180}
181EXPORT_SYMBOL(register_tcf_proto_ops);
182
183static struct workqueue_struct *tc_filter_wq;
184
185int unregister_tcf_proto_ops(struct tcf_proto_ops *ops)
186{
187 struct tcf_proto_ops *t;
188 int rc = -ENOENT;
189
190
191
192
193 rcu_barrier();
194 flush_workqueue(tc_filter_wq);
195
196 write_lock(&cls_mod_lock);
197 list_for_each_entry(t, &tcf_proto_base, head) {
198 if (t == ops) {
199 list_del(&t->head);
200 rc = 0;
201 break;
202 }
203 }
204 write_unlock(&cls_mod_lock);
205 return rc;
206}
207EXPORT_SYMBOL(unregister_tcf_proto_ops);
208
209bool tcf_queue_work(struct rcu_work *rwork, work_func_t func)
210{
211 INIT_RCU_WORK(rwork, func);
212 return queue_rcu_work(tc_filter_wq, rwork);
213}
214EXPORT_SYMBOL(tcf_queue_work);
215
216
217
218static inline u32 tcf_auto_prio(struct tcf_proto *tp)
219{
220 u32 first = TC_H_MAKE(0xC0000000U, 0U);
221
222 if (tp)
223 first = tp->prio - 1;
224
225 return TC_H_MAJ(first);
226}
227
228static bool tcf_proto_check_kind(struct nlattr *kind, char *name)
229{
230 if (kind)
231 return nla_strlcpy(name, kind, IFNAMSIZ) >= IFNAMSIZ;
232 memset(name, 0, IFNAMSIZ);
233 return false;
234}
235
236static bool tcf_proto_is_unlocked(const char *kind)
237{
238 const struct tcf_proto_ops *ops;
239 bool ret;
240
241 if (strlen(kind) == 0)
242 return false;
243
244 ops = tcf_proto_lookup_ops(kind, false, NULL);
245
246
247
248 if (IS_ERR(ops))
249 return false;
250
251 ret = !!(ops->flags & TCF_PROTO_OPS_DOIT_UNLOCKED);
252 module_put(ops->owner);
253 return ret;
254}
255
256static struct tcf_proto *tcf_proto_create(const char *kind, u32 protocol,
257 u32 prio, struct tcf_chain *chain,
258 bool rtnl_held,
259 struct netlink_ext_ack *extack)
260{
261 struct tcf_proto *tp;
262 int err;
263
264 tp = kzalloc(sizeof(*tp), GFP_KERNEL);
265 if (!tp)
266 return ERR_PTR(-ENOBUFS);
267
268 tp->ops = tcf_proto_lookup_ops(kind, rtnl_held, extack);
269 if (IS_ERR(tp->ops)) {
270 err = PTR_ERR(tp->ops);
271 goto errout;
272 }
273 tp->classify = tp->ops->classify;
274 tp->protocol = protocol;
275 tp->prio = prio;
276 tp->chain = chain;
277 spin_lock_init(&tp->lock);
278 refcount_set(&tp->refcnt, 1);
279
280 err = tp->ops->init(tp);
281 if (err) {
282 module_put(tp->ops->owner);
283 goto errout;
284 }
285 return tp;
286
287errout:
288 kfree(tp);
289 return ERR_PTR(err);
290}
291
292static void tcf_proto_get(struct tcf_proto *tp)
293{
294 refcount_inc(&tp->refcnt);
295}
296
297static void tcf_chain_put(struct tcf_chain *chain);
298
299static void tcf_proto_destroy(struct tcf_proto *tp, bool rtnl_held,
300 bool sig_destroy, struct netlink_ext_ack *extack)
301{
302 tp->ops->destroy(tp, rtnl_held, extack);
303 if (sig_destroy)
304 tcf_proto_signal_destroyed(tp->chain, tp);
305 tcf_chain_put(tp->chain);
306 module_put(tp->ops->owner);
307 kfree_rcu(tp, rcu);
308}
309
310static void tcf_proto_put(struct tcf_proto *tp, bool rtnl_held,
311 struct netlink_ext_ack *extack)
312{
313 if (refcount_dec_and_test(&tp->refcnt))
314 tcf_proto_destroy(tp, rtnl_held, true, extack);
315}
316
317static bool tcf_proto_check_delete(struct tcf_proto *tp)
318{
319 if (tp->ops->delete_empty)
320 return tp->ops->delete_empty(tp);
321
322 tp->deleting = true;
323 return tp->deleting;
324}
325
326static void tcf_proto_mark_delete(struct tcf_proto *tp)
327{
328 spin_lock(&tp->lock);
329 tp->deleting = true;
330 spin_unlock(&tp->lock);
331}
332
333static bool tcf_proto_is_deleting(struct tcf_proto *tp)
334{
335 bool deleting;
336
337 spin_lock(&tp->lock);
338 deleting = tp->deleting;
339 spin_unlock(&tp->lock);
340
341 return deleting;
342}
343
344#define ASSERT_BLOCK_LOCKED(block) \
345 lockdep_assert_held(&(block)->lock)
346
347struct tcf_filter_chain_list_item {
348 struct list_head list;
349 tcf_chain_head_change_t *chain_head_change;
350 void *chain_head_change_priv;
351};
352
353static struct tcf_chain *tcf_chain_create(struct tcf_block *block,
354 u32 chain_index)
355{
356 struct tcf_chain *chain;
357
358 ASSERT_BLOCK_LOCKED(block);
359
360 chain = kzalloc(sizeof(*chain), GFP_KERNEL);
361 if (!chain)
362 return NULL;
363 list_add_tail_rcu(&chain->list, &block->chain_list);
364 mutex_init(&chain->filter_chain_lock);
365 chain->block = block;
366 chain->index = chain_index;
367 chain->refcnt = 1;
368 if (!chain->index)
369 block->chain0.chain = chain;
370 return chain;
371}
372
373static void tcf_chain_head_change_item(struct tcf_filter_chain_list_item *item,
374 struct tcf_proto *tp_head)
375{
376 if (item->chain_head_change)
377 item->chain_head_change(tp_head, item->chain_head_change_priv);
378}
379
380static void tcf_chain0_head_change(struct tcf_chain *chain,
381 struct tcf_proto *tp_head)
382{
383 struct tcf_filter_chain_list_item *item;
384 struct tcf_block *block = chain->block;
385
386 if (chain->index)
387 return;
388
389 mutex_lock(&block->lock);
390 list_for_each_entry(item, &block->chain0.filter_chain_list, list)
391 tcf_chain_head_change_item(item, tp_head);
392 mutex_unlock(&block->lock);
393}
394
395
396
397static bool tcf_chain_detach(struct tcf_chain *chain)
398{
399 struct tcf_block *block = chain->block;
400
401 ASSERT_BLOCK_LOCKED(block);
402
403 list_del_rcu(&chain->list);
404 if (!chain->index)
405 block->chain0.chain = NULL;
406
407 if (list_empty(&block->chain_list) &&
408 refcount_read(&block->refcnt) == 0)
409 return true;
410
411 return false;
412}
413
414static void tcf_block_destroy(struct tcf_block *block)
415{
416 mutex_destroy(&block->lock);
417 mutex_destroy(&block->proto_destroy_lock);
418 kfree_rcu(block, rcu);
419}
420
421static void tcf_chain_destroy(struct tcf_chain *chain, bool free_block)
422{
423 struct tcf_block *block = chain->block;
424
425 mutex_destroy(&chain->filter_chain_lock);
426 kfree_rcu(chain, rcu);
427 if (free_block)
428 tcf_block_destroy(block);
429}
430
431static void tcf_chain_hold(struct tcf_chain *chain)
432{
433 ASSERT_BLOCK_LOCKED(chain->block);
434
435 ++chain->refcnt;
436}
437
438static bool tcf_chain_held_by_acts_only(struct tcf_chain *chain)
439{
440 ASSERT_BLOCK_LOCKED(chain->block);
441
442
443
444
445 return chain->refcnt == chain->action_refcnt;
446}
447
448static struct tcf_chain *tcf_chain_lookup(struct tcf_block *block,
449 u32 chain_index)
450{
451 struct tcf_chain *chain;
452
453 ASSERT_BLOCK_LOCKED(block);
454
455 list_for_each_entry(chain, &block->chain_list, list) {
456 if (chain->index == chain_index)
457 return chain;
458 }
459 return NULL;
460}
461
462#if IS_ENABLED(CONFIG_NET_TC_SKB_EXT)
463static struct tcf_chain *tcf_chain_lookup_rcu(const struct tcf_block *block,
464 u32 chain_index)
465{
466 struct tcf_chain *chain;
467
468 list_for_each_entry_rcu(chain, &block->chain_list, list) {
469 if (chain->index == chain_index)
470 return chain;
471 }
472 return NULL;
473}
474#endif
475
476static int tc_chain_notify(struct tcf_chain *chain, struct sk_buff *oskb,
477 u32 seq, u16 flags, int event, bool unicast);
478
479static struct tcf_chain *__tcf_chain_get(struct tcf_block *block,
480 u32 chain_index, bool create,
481 bool by_act)
482{
483 struct tcf_chain *chain = NULL;
484 bool is_first_reference;
485
486 mutex_lock(&block->lock);
487 chain = tcf_chain_lookup(block, chain_index);
488 if (chain) {
489 tcf_chain_hold(chain);
490 } else {
491 if (!create)
492 goto errout;
493 chain = tcf_chain_create(block, chain_index);
494 if (!chain)
495 goto errout;
496 }
497
498 if (by_act)
499 ++chain->action_refcnt;
500 is_first_reference = chain->refcnt - chain->action_refcnt == 1;
501 mutex_unlock(&block->lock);
502
503
504
505
506
507
508 if (is_first_reference && !by_act)
509 tc_chain_notify(chain, NULL, 0, NLM_F_CREATE | NLM_F_EXCL,
510 RTM_NEWCHAIN, false);
511
512 return chain;
513
514errout:
515 mutex_unlock(&block->lock);
516 return chain;
517}
518
519static struct tcf_chain *tcf_chain_get(struct tcf_block *block, u32 chain_index,
520 bool create)
521{
522 return __tcf_chain_get(block, chain_index, create, false);
523}
524
525struct tcf_chain *tcf_chain_get_by_act(struct tcf_block *block, u32 chain_index)
526{
527 return __tcf_chain_get(block, chain_index, true, true);
528}
529EXPORT_SYMBOL(tcf_chain_get_by_act);
530
531static void tc_chain_tmplt_del(const struct tcf_proto_ops *tmplt_ops,
532 void *tmplt_priv);
533static int tc_chain_notify_delete(const struct tcf_proto_ops *tmplt_ops,
534 void *tmplt_priv, u32 chain_index,
535 struct tcf_block *block, struct sk_buff *oskb,
536 u32 seq, u16 flags, bool unicast);
537
538static void __tcf_chain_put(struct tcf_chain *chain, bool by_act,
539 bool explicitly_created)
540{
541 struct tcf_block *block = chain->block;
542 const struct tcf_proto_ops *tmplt_ops;
543 bool free_block = false;
544 unsigned int refcnt;
545 void *tmplt_priv;
546
547 mutex_lock(&block->lock);
548 if (explicitly_created) {
549 if (!chain->explicitly_created) {
550 mutex_unlock(&block->lock);
551 return;
552 }
553 chain->explicitly_created = false;
554 }
555
556 if (by_act)
557 chain->action_refcnt--;
558
559
560
561
562
563 refcnt = --chain->refcnt;
564 tmplt_ops = chain->tmplt_ops;
565 tmplt_priv = chain->tmplt_priv;
566
567
568 if (refcnt - chain->action_refcnt == 0 && !by_act) {
569 tc_chain_notify_delete(tmplt_ops, tmplt_priv, chain->index,
570 block, NULL, 0, 0, false);
571
572 chain->flushing = false;
573 }
574
575 if (refcnt == 0)
576 free_block = tcf_chain_detach(chain);
577 mutex_unlock(&block->lock);
578
579 if (refcnt == 0) {
580 tc_chain_tmplt_del(tmplt_ops, tmplt_priv);
581 tcf_chain_destroy(chain, free_block);
582 }
583}
584
585static void tcf_chain_put(struct tcf_chain *chain)
586{
587 __tcf_chain_put(chain, false, false);
588}
589
590void tcf_chain_put_by_act(struct tcf_chain *chain)
591{
592 __tcf_chain_put(chain, true, false);
593}
594EXPORT_SYMBOL(tcf_chain_put_by_act);
595
596static void tcf_chain_put_explicitly_created(struct tcf_chain *chain)
597{
598 __tcf_chain_put(chain, false, true);
599}
600
601static void tcf_chain_flush(struct tcf_chain *chain, bool rtnl_held)
602{
603 struct tcf_proto *tp, *tp_next;
604
605 mutex_lock(&chain->filter_chain_lock);
606 tp = tcf_chain_dereference(chain->filter_chain, chain);
607 while (tp) {
608 tp_next = rcu_dereference_protected(tp->next, 1);
609 tcf_proto_signal_destroying(chain, tp);
610 tp = tp_next;
611 }
612 tp = tcf_chain_dereference(chain->filter_chain, chain);
613 RCU_INIT_POINTER(chain->filter_chain, NULL);
614 tcf_chain0_head_change(chain, NULL);
615 chain->flushing = true;
616 mutex_unlock(&chain->filter_chain_lock);
617
618 while (tp) {
619 tp_next = rcu_dereference_protected(tp->next, 1);
620 tcf_proto_put(tp, rtnl_held, NULL);
621 tp = tp_next;
622 }
623}
624
625static int tcf_block_setup(struct tcf_block *block,
626 struct flow_block_offload *bo);
627
628static void tcf_block_offload_init(struct flow_block_offload *bo,
629 struct net_device *dev, struct Qdisc *sch,
630 enum flow_block_command command,
631 enum flow_block_binder_type binder_type,
632 struct flow_block *flow_block,
633 bool shared, struct netlink_ext_ack *extack)
634{
635 bo->net = dev_net(dev);
636 bo->command = command;
637 bo->binder_type = binder_type;
638 bo->block = flow_block;
639 bo->block_shared = shared;
640 bo->extack = extack;
641 bo->sch = sch;
642 INIT_LIST_HEAD(&bo->cb_list);
643}
644
645static void tcf_block_unbind(struct tcf_block *block,
646 struct flow_block_offload *bo);
647
648static void tc_block_indr_cleanup(struct flow_block_cb *block_cb)
649{
650 struct tcf_block *block = block_cb->indr.data;
651 struct net_device *dev = block_cb->indr.dev;
652 struct Qdisc *sch = block_cb->indr.sch;
653 struct netlink_ext_ack extack = {};
654 struct flow_block_offload bo;
655
656 tcf_block_offload_init(&bo, dev, sch, FLOW_BLOCK_UNBIND,
657 block_cb->indr.binder_type,
658 &block->flow_block, tcf_block_shared(block),
659 &extack);
660 rtnl_lock();
661 down_write(&block->cb_lock);
662 list_del(&block_cb->driver_list);
663 list_move(&block_cb->list, &bo.cb_list);
664 tcf_block_unbind(block, &bo);
665 up_write(&block->cb_lock);
666 rtnl_unlock();
667}
668
669static bool tcf_block_offload_in_use(struct tcf_block *block)
670{
671 return atomic_read(&block->offloadcnt);
672}
673
674static int tcf_block_offload_cmd(struct tcf_block *block,
675 struct net_device *dev, struct Qdisc *sch,
676 struct tcf_block_ext_info *ei,
677 enum flow_block_command command,
678 struct netlink_ext_ack *extack)
679{
680 struct flow_block_offload bo = {};
681
682 tcf_block_offload_init(&bo, dev, sch, command, ei->binder_type,
683 &block->flow_block, tcf_block_shared(block),
684 extack);
685
686 if (dev->netdev_ops->ndo_setup_tc) {
687 int err;
688
689 err = dev->netdev_ops->ndo_setup_tc(dev, TC_SETUP_BLOCK, &bo);
690 if (err < 0) {
691 if (err != -EOPNOTSUPP)
692 NL_SET_ERR_MSG(extack, "Driver ndo_setup_tc failed");
693 return err;
694 }
695
696 return tcf_block_setup(block, &bo);
697 }
698
699 flow_indr_dev_setup_offload(dev, sch, TC_SETUP_BLOCK, block, &bo,
700 tc_block_indr_cleanup);
701 tcf_block_setup(block, &bo);
702
703 return -EOPNOTSUPP;
704}
705
706static int tcf_block_offload_bind(struct tcf_block *block, struct Qdisc *q,
707 struct tcf_block_ext_info *ei,
708 struct netlink_ext_ack *extack)
709{
710 struct net_device *dev = q->dev_queue->dev;
711 int err;
712
713 down_write(&block->cb_lock);
714
715
716
717
718 if (dev->netdev_ops->ndo_setup_tc &&
719 !tc_can_offload(dev) &&
720 tcf_block_offload_in_use(block)) {
721 NL_SET_ERR_MSG(extack, "Bind to offloaded block failed as dev has offload disabled");
722 err = -EOPNOTSUPP;
723 goto err_unlock;
724 }
725
726 err = tcf_block_offload_cmd(block, dev, q, ei, FLOW_BLOCK_BIND, extack);
727 if (err == -EOPNOTSUPP)
728 goto no_offload_dev_inc;
729 if (err)
730 goto err_unlock;
731
732 up_write(&block->cb_lock);
733 return 0;
734
735no_offload_dev_inc:
736 if (tcf_block_offload_in_use(block))
737 goto err_unlock;
738
739 err = 0;
740 block->nooffloaddevcnt++;
741err_unlock:
742 up_write(&block->cb_lock);
743 return err;
744}
745
746static void tcf_block_offload_unbind(struct tcf_block *block, struct Qdisc *q,
747 struct tcf_block_ext_info *ei)
748{
749 struct net_device *dev = q->dev_queue->dev;
750 int err;
751
752 down_write(&block->cb_lock);
753 err = tcf_block_offload_cmd(block, dev, q, ei, FLOW_BLOCK_UNBIND, NULL);
754 if (err == -EOPNOTSUPP)
755 goto no_offload_dev_dec;
756 up_write(&block->cb_lock);
757 return;
758
759no_offload_dev_dec:
760 WARN_ON(block->nooffloaddevcnt-- == 0);
761 up_write(&block->cb_lock);
762}
763
764static int
765tcf_chain0_head_change_cb_add(struct tcf_block *block,
766 struct tcf_block_ext_info *ei,
767 struct netlink_ext_ack *extack)
768{
769 struct tcf_filter_chain_list_item *item;
770 struct tcf_chain *chain0;
771
772 item = kmalloc(sizeof(*item), GFP_KERNEL);
773 if (!item) {
774 NL_SET_ERR_MSG(extack, "Memory allocation for head change callback item failed");
775 return -ENOMEM;
776 }
777 item->chain_head_change = ei->chain_head_change;
778 item->chain_head_change_priv = ei->chain_head_change_priv;
779
780 mutex_lock(&block->lock);
781 chain0 = block->chain0.chain;
782 if (chain0)
783 tcf_chain_hold(chain0);
784 else
785 list_add(&item->list, &block->chain0.filter_chain_list);
786 mutex_unlock(&block->lock);
787
788 if (chain0) {
789 struct tcf_proto *tp_head;
790
791 mutex_lock(&chain0->filter_chain_lock);
792
793 tp_head = tcf_chain_dereference(chain0->filter_chain, chain0);
794 if (tp_head)
795 tcf_chain_head_change_item(item, tp_head);
796
797 mutex_lock(&block->lock);
798 list_add(&item->list, &block->chain0.filter_chain_list);
799 mutex_unlock(&block->lock);
800
801 mutex_unlock(&chain0->filter_chain_lock);
802 tcf_chain_put(chain0);
803 }
804
805 return 0;
806}
807
808static void
809tcf_chain0_head_change_cb_del(struct tcf_block *block,
810 struct tcf_block_ext_info *ei)
811{
812 struct tcf_filter_chain_list_item *item;
813
814 mutex_lock(&block->lock);
815 list_for_each_entry(item, &block->chain0.filter_chain_list, list) {
816 if ((!ei->chain_head_change && !ei->chain_head_change_priv) ||
817 (item->chain_head_change == ei->chain_head_change &&
818 item->chain_head_change_priv == ei->chain_head_change_priv)) {
819 if (block->chain0.chain)
820 tcf_chain_head_change_item(item, NULL);
821 list_del(&item->list);
822 mutex_unlock(&block->lock);
823
824 kfree(item);
825 return;
826 }
827 }
828 mutex_unlock(&block->lock);
829 WARN_ON(1);
830}
831
832struct tcf_net {
833 spinlock_t idr_lock;
834 struct idr idr;
835};
836
837static unsigned int tcf_net_id;
838
839static int tcf_block_insert(struct tcf_block *block, struct net *net,
840 struct netlink_ext_ack *extack)
841{
842 struct tcf_net *tn = net_generic(net, tcf_net_id);
843 int err;
844
845 idr_preload(GFP_KERNEL);
846 spin_lock(&tn->idr_lock);
847 err = idr_alloc_u32(&tn->idr, block, &block->index, block->index,
848 GFP_NOWAIT);
849 spin_unlock(&tn->idr_lock);
850 idr_preload_end();
851
852 return err;
853}
854
855static void tcf_block_remove(struct tcf_block *block, struct net *net)
856{
857 struct tcf_net *tn = net_generic(net, tcf_net_id);
858
859 spin_lock(&tn->idr_lock);
860 idr_remove(&tn->idr, block->index);
861 spin_unlock(&tn->idr_lock);
862}
863
864static struct tcf_block *tcf_block_create(struct net *net, struct Qdisc *q,
865 u32 block_index,
866 struct netlink_ext_ack *extack)
867{
868 struct tcf_block *block;
869
870 block = kzalloc(sizeof(*block), GFP_KERNEL);
871 if (!block) {
872 NL_SET_ERR_MSG(extack, "Memory allocation for block failed");
873 return ERR_PTR(-ENOMEM);
874 }
875 mutex_init(&block->lock);
876 mutex_init(&block->proto_destroy_lock);
877 init_rwsem(&block->cb_lock);
878 flow_block_init(&block->flow_block);
879 INIT_LIST_HEAD(&block->chain_list);
880 INIT_LIST_HEAD(&block->owner_list);
881 INIT_LIST_HEAD(&block->chain0.filter_chain_list);
882
883 refcount_set(&block->refcnt, 1);
884 block->net = net;
885 block->index = block_index;
886
887
888 if (!tcf_block_shared(block))
889 block->q = q;
890 return block;
891}
892
893static struct tcf_block *tcf_block_lookup(struct net *net, u32 block_index)
894{
895 struct tcf_net *tn = net_generic(net, tcf_net_id);
896
897 return idr_find(&tn->idr, block_index);
898}
899
900static struct tcf_block *tcf_block_refcnt_get(struct net *net, u32 block_index)
901{
902 struct tcf_block *block;
903
904 rcu_read_lock();
905 block = tcf_block_lookup(net, block_index);
906 if (block && !refcount_inc_not_zero(&block->refcnt))
907 block = NULL;
908 rcu_read_unlock();
909
910 return block;
911}
912
913static struct tcf_chain *
914__tcf_get_next_chain(struct tcf_block *block, struct tcf_chain *chain)
915{
916 mutex_lock(&block->lock);
917 if (chain)
918 chain = list_is_last(&chain->list, &block->chain_list) ?
919 NULL : list_next_entry(chain, list);
920 else
921 chain = list_first_entry_or_null(&block->chain_list,
922 struct tcf_chain, list);
923
924
925 while (chain && tcf_chain_held_by_acts_only(chain))
926 chain = list_is_last(&chain->list, &block->chain_list) ?
927 NULL : list_next_entry(chain, list);
928
929 if (chain)
930 tcf_chain_hold(chain);
931 mutex_unlock(&block->lock);
932
933 return chain;
934}
935
936
937
938
939
940
941
942
943
944
945struct tcf_chain *
946tcf_get_next_chain(struct tcf_block *block, struct tcf_chain *chain)
947{
948 struct tcf_chain *chain_next = __tcf_get_next_chain(block, chain);
949
950 if (chain)
951 tcf_chain_put(chain);
952
953 return chain_next;
954}
955EXPORT_SYMBOL(tcf_get_next_chain);
956
957static struct tcf_proto *
958__tcf_get_next_proto(struct tcf_chain *chain, struct tcf_proto *tp)
959{
960 u32 prio = 0;
961
962 ASSERT_RTNL();
963 mutex_lock(&chain->filter_chain_lock);
964
965 if (!tp) {
966 tp = tcf_chain_dereference(chain->filter_chain, chain);
967 } else if (tcf_proto_is_deleting(tp)) {
968
969
970
971
972 prio = tp->prio + 1;
973 tp = tcf_chain_dereference(chain->filter_chain, chain);
974
975 for (; tp; tp = tcf_chain_dereference(tp->next, chain))
976 if (!tp->deleting && tp->prio >= prio)
977 break;
978 } else {
979 tp = tcf_chain_dereference(tp->next, chain);
980 }
981
982 if (tp)
983 tcf_proto_get(tp);
984
985 mutex_unlock(&chain->filter_chain_lock);
986
987 return tp;
988}
989
990
991
992
993
994
995
996
997
998struct tcf_proto *
999tcf_get_next_proto(struct tcf_chain *chain, struct tcf_proto *tp,
1000 bool rtnl_held)
1001{
1002 struct tcf_proto *tp_next = __tcf_get_next_proto(chain, tp);
1003
1004 if (tp)
1005 tcf_proto_put(tp, rtnl_held, NULL);
1006
1007 return tp_next;
1008}
1009EXPORT_SYMBOL(tcf_get_next_proto);
1010
1011static void tcf_block_flush_all_chains(struct tcf_block *block, bool rtnl_held)
1012{
1013 struct tcf_chain *chain;
1014
1015
1016
1017
1018 for (chain = tcf_get_next_chain(block, NULL);
1019 chain;
1020 chain = tcf_get_next_chain(block, chain)) {
1021 tcf_chain_put_explicitly_created(chain);
1022 tcf_chain_flush(chain, rtnl_held);
1023 }
1024}
1025
1026
1027
1028
1029
1030static int __tcf_qdisc_find(struct net *net, struct Qdisc **q,
1031 u32 *parent, int ifindex, bool rtnl_held,
1032 struct netlink_ext_ack *extack)
1033{
1034 const struct Qdisc_class_ops *cops;
1035 struct net_device *dev;
1036 int err = 0;
1037
1038 if (ifindex == TCM_IFINDEX_MAGIC_BLOCK)
1039 return 0;
1040
1041 rcu_read_lock();
1042
1043
1044 dev = dev_get_by_index_rcu(net, ifindex);
1045 if (!dev) {
1046 rcu_read_unlock();
1047 return -ENODEV;
1048 }
1049
1050
1051 if (!*parent) {
1052 *q = dev->qdisc;
1053 *parent = (*q)->handle;
1054 } else {
1055 *q = qdisc_lookup_rcu(dev, TC_H_MAJ(*parent));
1056 if (!*q) {
1057 NL_SET_ERR_MSG(extack, "Parent Qdisc doesn't exists");
1058 err = -EINVAL;
1059 goto errout_rcu;
1060 }
1061 }
1062
1063 *q = qdisc_refcount_inc_nz(*q);
1064 if (!*q) {
1065 NL_SET_ERR_MSG(extack, "Parent Qdisc doesn't exists");
1066 err = -EINVAL;
1067 goto errout_rcu;
1068 }
1069
1070
1071 cops = (*q)->ops->cl_ops;
1072 if (!cops) {
1073 NL_SET_ERR_MSG(extack, "Qdisc not classful");
1074 err = -EINVAL;
1075 goto errout_qdisc;
1076 }
1077
1078 if (!cops->tcf_block) {
1079 NL_SET_ERR_MSG(extack, "Class doesn't support blocks");
1080 err = -EOPNOTSUPP;
1081 goto errout_qdisc;
1082 }
1083
1084errout_rcu:
1085
1086
1087
1088
1089
1090 rcu_read_unlock();
1091 return err;
1092
1093errout_qdisc:
1094 rcu_read_unlock();
1095
1096 if (rtnl_held)
1097 qdisc_put(*q);
1098 else
1099 qdisc_put_unlocked(*q);
1100 *q = NULL;
1101
1102 return err;
1103}
1104
1105static int __tcf_qdisc_cl_find(struct Qdisc *q, u32 parent, unsigned long *cl,
1106 int ifindex, struct netlink_ext_ack *extack)
1107{
1108 if (ifindex == TCM_IFINDEX_MAGIC_BLOCK)
1109 return 0;
1110
1111
1112 if (TC_H_MIN(parent)) {
1113 const struct Qdisc_class_ops *cops = q->ops->cl_ops;
1114
1115 *cl = cops->find(q, parent);
1116 if (*cl == 0) {
1117 NL_SET_ERR_MSG(extack, "Specified class doesn't exist");
1118 return -ENOENT;
1119 }
1120 }
1121
1122 return 0;
1123}
1124
1125static struct tcf_block *__tcf_block_find(struct net *net, struct Qdisc *q,
1126 unsigned long cl, int ifindex,
1127 u32 block_index,
1128 struct netlink_ext_ack *extack)
1129{
1130 struct tcf_block *block;
1131
1132 if (ifindex == TCM_IFINDEX_MAGIC_BLOCK) {
1133 block = tcf_block_refcnt_get(net, block_index);
1134 if (!block) {
1135 NL_SET_ERR_MSG(extack, "Block of given index was not found");
1136 return ERR_PTR(-EINVAL);
1137 }
1138 } else {
1139 const struct Qdisc_class_ops *cops = q->ops->cl_ops;
1140
1141 block = cops->tcf_block(q, cl, extack);
1142 if (!block)
1143 return ERR_PTR(-EINVAL);
1144
1145 if (tcf_block_shared(block)) {
1146 NL_SET_ERR_MSG(extack, "This filter block is shared. Please use the block index to manipulate the filters");
1147 return ERR_PTR(-EOPNOTSUPP);
1148 }
1149
1150
1151
1152
1153
1154
1155
1156 refcount_inc(&block->refcnt);
1157 }
1158
1159 return block;
1160}
1161
1162static void __tcf_block_put(struct tcf_block *block, struct Qdisc *q,
1163 struct tcf_block_ext_info *ei, bool rtnl_held)
1164{
1165 if (refcount_dec_and_mutex_lock(&block->refcnt, &block->lock)) {
1166
1167
1168
1169
1170
1171
1172 bool free_block = list_empty(&block->chain_list);
1173
1174 mutex_unlock(&block->lock);
1175 if (tcf_block_shared(block))
1176 tcf_block_remove(block, block->net);
1177
1178 if (q)
1179 tcf_block_offload_unbind(block, q, ei);
1180
1181 if (free_block)
1182 tcf_block_destroy(block);
1183 else
1184 tcf_block_flush_all_chains(block, rtnl_held);
1185 } else if (q) {
1186 tcf_block_offload_unbind(block, q, ei);
1187 }
1188}
1189
1190static void tcf_block_refcnt_put(struct tcf_block *block, bool rtnl_held)
1191{
1192 __tcf_block_put(block, NULL, NULL, rtnl_held);
1193}
1194
1195
1196
1197
1198
1199static struct tcf_block *tcf_block_find(struct net *net, struct Qdisc **q,
1200 u32 *parent, unsigned long *cl,
1201 int ifindex, u32 block_index,
1202 struct netlink_ext_ack *extack)
1203{
1204 struct tcf_block *block;
1205 int err = 0;
1206
1207 ASSERT_RTNL();
1208
1209 err = __tcf_qdisc_find(net, q, parent, ifindex, true, extack);
1210 if (err)
1211 goto errout;
1212
1213 err = __tcf_qdisc_cl_find(*q, *parent, cl, ifindex, extack);
1214 if (err)
1215 goto errout_qdisc;
1216
1217 block = __tcf_block_find(net, *q, *cl, ifindex, block_index, extack);
1218 if (IS_ERR(block)) {
1219 err = PTR_ERR(block);
1220 goto errout_qdisc;
1221 }
1222
1223 return block;
1224
1225errout_qdisc:
1226 if (*q)
1227 qdisc_put(*q);
1228errout:
1229 *q = NULL;
1230 return ERR_PTR(err);
1231}
1232
1233static void tcf_block_release(struct Qdisc *q, struct tcf_block *block,
1234 bool rtnl_held)
1235{
1236 if (!IS_ERR_OR_NULL(block))
1237 tcf_block_refcnt_put(block, rtnl_held);
1238
1239 if (q) {
1240 if (rtnl_held)
1241 qdisc_put(q);
1242 else
1243 qdisc_put_unlocked(q);
1244 }
1245}
1246
1247struct tcf_block_owner_item {
1248 struct list_head list;
1249 struct Qdisc *q;
1250 enum flow_block_binder_type binder_type;
1251};
1252
1253static void
1254tcf_block_owner_netif_keep_dst(struct tcf_block *block,
1255 struct Qdisc *q,
1256 enum flow_block_binder_type binder_type)
1257{
1258 if (block->keep_dst &&
1259 binder_type != FLOW_BLOCK_BINDER_TYPE_CLSACT_INGRESS &&
1260 binder_type != FLOW_BLOCK_BINDER_TYPE_CLSACT_EGRESS)
1261 netif_keep_dst(qdisc_dev(q));
1262}
1263
1264void tcf_block_netif_keep_dst(struct tcf_block *block)
1265{
1266 struct tcf_block_owner_item *item;
1267
1268 block->keep_dst = true;
1269 list_for_each_entry(item, &block->owner_list, list)
1270 tcf_block_owner_netif_keep_dst(block, item->q,
1271 item->binder_type);
1272}
1273EXPORT_SYMBOL(tcf_block_netif_keep_dst);
1274
1275static int tcf_block_owner_add(struct tcf_block *block,
1276 struct Qdisc *q,
1277 enum flow_block_binder_type binder_type)
1278{
1279 struct tcf_block_owner_item *item;
1280
1281 item = kmalloc(sizeof(*item), GFP_KERNEL);
1282 if (!item)
1283 return -ENOMEM;
1284 item->q = q;
1285 item->binder_type = binder_type;
1286 list_add(&item->list, &block->owner_list);
1287 return 0;
1288}
1289
1290static void tcf_block_owner_del(struct tcf_block *block,
1291 struct Qdisc *q,
1292 enum flow_block_binder_type binder_type)
1293{
1294 struct tcf_block_owner_item *item;
1295
1296 list_for_each_entry(item, &block->owner_list, list) {
1297 if (item->q == q && item->binder_type == binder_type) {
1298 list_del(&item->list);
1299 kfree(item);
1300 return;
1301 }
1302 }
1303 WARN_ON(1);
1304}
1305
1306int tcf_block_get_ext(struct tcf_block **p_block, struct Qdisc *q,
1307 struct tcf_block_ext_info *ei,
1308 struct netlink_ext_ack *extack)
1309{
1310 struct net *net = qdisc_net(q);
1311 struct tcf_block *block = NULL;
1312 int err;
1313
1314 if (ei->block_index)
1315
1316 block = tcf_block_refcnt_get(net, ei->block_index);
1317
1318 if (!block) {
1319 block = tcf_block_create(net, q, ei->block_index, extack);
1320 if (IS_ERR(block))
1321 return PTR_ERR(block);
1322 if (tcf_block_shared(block)) {
1323 err = tcf_block_insert(block, net, extack);
1324 if (err)
1325 goto err_block_insert;
1326 }
1327 }
1328
1329 err = tcf_block_owner_add(block, q, ei->binder_type);
1330 if (err)
1331 goto err_block_owner_add;
1332
1333 tcf_block_owner_netif_keep_dst(block, q, ei->binder_type);
1334
1335 err = tcf_chain0_head_change_cb_add(block, ei, extack);
1336 if (err)
1337 goto err_chain0_head_change_cb_add;
1338
1339 err = tcf_block_offload_bind(block, q, ei, extack);
1340 if (err)
1341 goto err_block_offload_bind;
1342
1343 *p_block = block;
1344 return 0;
1345
1346err_block_offload_bind:
1347 tcf_chain0_head_change_cb_del(block, ei);
1348err_chain0_head_change_cb_add:
1349 tcf_block_owner_del(block, q, ei->binder_type);
1350err_block_owner_add:
1351err_block_insert:
1352 tcf_block_refcnt_put(block, true);
1353 return err;
1354}
1355EXPORT_SYMBOL(tcf_block_get_ext);
1356
1357static void tcf_chain_head_change_dflt(struct tcf_proto *tp_head, void *priv)
1358{
1359 struct tcf_proto __rcu **p_filter_chain = priv;
1360
1361 rcu_assign_pointer(*p_filter_chain, tp_head);
1362}
1363
1364int tcf_block_get(struct tcf_block **p_block,
1365 struct tcf_proto __rcu **p_filter_chain, struct Qdisc *q,
1366 struct netlink_ext_ack *extack)
1367{
1368 struct tcf_block_ext_info ei = {
1369 .chain_head_change = tcf_chain_head_change_dflt,
1370 .chain_head_change_priv = p_filter_chain,
1371 };
1372
1373 WARN_ON(!p_filter_chain);
1374 return tcf_block_get_ext(p_block, q, &ei, extack);
1375}
1376EXPORT_SYMBOL(tcf_block_get);
1377
1378
1379
1380
1381void tcf_block_put_ext(struct tcf_block *block, struct Qdisc *q,
1382 struct tcf_block_ext_info *ei)
1383{
1384 if (!block)
1385 return;
1386 tcf_chain0_head_change_cb_del(block, ei);
1387 tcf_block_owner_del(block, q, ei->binder_type);
1388
1389 __tcf_block_put(block, q, ei, true);
1390}
1391EXPORT_SYMBOL(tcf_block_put_ext);
1392
1393void tcf_block_put(struct tcf_block *block)
1394{
1395 struct tcf_block_ext_info ei = {0, };
1396
1397 if (!block)
1398 return;
1399 tcf_block_put_ext(block, block->q, &ei);
1400}
1401
1402EXPORT_SYMBOL(tcf_block_put);
1403
1404static int
1405tcf_block_playback_offloads(struct tcf_block *block, flow_setup_cb_t *cb,
1406 void *cb_priv, bool add, bool offload_in_use,
1407 struct netlink_ext_ack *extack)
1408{
1409 struct tcf_chain *chain, *chain_prev;
1410 struct tcf_proto *tp, *tp_prev;
1411 int err;
1412
1413 lockdep_assert_held(&block->cb_lock);
1414
1415 for (chain = __tcf_get_next_chain(block, NULL);
1416 chain;
1417 chain_prev = chain,
1418 chain = __tcf_get_next_chain(block, chain),
1419 tcf_chain_put(chain_prev)) {
1420 for (tp = __tcf_get_next_proto(chain, NULL); tp;
1421 tp_prev = tp,
1422 tp = __tcf_get_next_proto(chain, tp),
1423 tcf_proto_put(tp_prev, true, NULL)) {
1424 if (tp->ops->reoffload) {
1425 err = tp->ops->reoffload(tp, add, cb, cb_priv,
1426 extack);
1427 if (err && add)
1428 goto err_playback_remove;
1429 } else if (add && offload_in_use) {
1430 err = -EOPNOTSUPP;
1431 NL_SET_ERR_MSG(extack, "Filter HW offload failed - classifier without re-offloading support");
1432 goto err_playback_remove;
1433 }
1434 }
1435 }
1436
1437 return 0;
1438
1439err_playback_remove:
1440 tcf_proto_put(tp, true, NULL);
1441 tcf_chain_put(chain);
1442 tcf_block_playback_offloads(block, cb, cb_priv, false, offload_in_use,
1443 extack);
1444 return err;
1445}
1446
1447static int tcf_block_bind(struct tcf_block *block,
1448 struct flow_block_offload *bo)
1449{
1450 struct flow_block_cb *block_cb, *next;
1451 int err, i = 0;
1452
1453 lockdep_assert_held(&block->cb_lock);
1454
1455 list_for_each_entry(block_cb, &bo->cb_list, list) {
1456 err = tcf_block_playback_offloads(block, block_cb->cb,
1457 block_cb->cb_priv, true,
1458 tcf_block_offload_in_use(block),
1459 bo->extack);
1460 if (err)
1461 goto err_unroll;
1462 if (!bo->unlocked_driver_cb)
1463 block->lockeddevcnt++;
1464
1465 i++;
1466 }
1467 list_splice(&bo->cb_list, &block->flow_block.cb_list);
1468
1469 return 0;
1470
1471err_unroll:
1472 list_for_each_entry_safe(block_cb, next, &bo->cb_list, list) {
1473 if (i-- > 0) {
1474 list_del(&block_cb->list);
1475 tcf_block_playback_offloads(block, block_cb->cb,
1476 block_cb->cb_priv, false,
1477 tcf_block_offload_in_use(block),
1478 NULL);
1479 if (!bo->unlocked_driver_cb)
1480 block->lockeddevcnt--;
1481 }
1482 flow_block_cb_free(block_cb);
1483 }
1484
1485 return err;
1486}
1487
1488static void tcf_block_unbind(struct tcf_block *block,
1489 struct flow_block_offload *bo)
1490{
1491 struct flow_block_cb *block_cb, *next;
1492
1493 lockdep_assert_held(&block->cb_lock);
1494
1495 list_for_each_entry_safe(block_cb, next, &bo->cb_list, list) {
1496 tcf_block_playback_offloads(block, block_cb->cb,
1497 block_cb->cb_priv, false,
1498 tcf_block_offload_in_use(block),
1499 NULL);
1500 list_del(&block_cb->list);
1501 flow_block_cb_free(block_cb);
1502 if (!bo->unlocked_driver_cb)
1503 block->lockeddevcnt--;
1504 }
1505}
1506
1507static int tcf_block_setup(struct tcf_block *block,
1508 struct flow_block_offload *bo)
1509{
1510 int err;
1511
1512 switch (bo->command) {
1513 case FLOW_BLOCK_BIND:
1514 err = tcf_block_bind(block, bo);
1515 break;
1516 case FLOW_BLOCK_UNBIND:
1517 err = 0;
1518 tcf_block_unbind(block, bo);
1519 break;
1520 default:
1521 WARN_ON_ONCE(1);
1522 err = -EOPNOTSUPP;
1523 }
1524
1525 return err;
1526}
1527
1528
1529
1530
1531
1532static inline int __tcf_classify(struct sk_buff *skb,
1533 const struct tcf_proto *tp,
1534 const struct tcf_proto *orig_tp,
1535 struct tcf_result *res,
1536 bool compat_mode,
1537 u32 *last_executed_chain)
1538{
1539#ifdef CONFIG_NET_CLS_ACT
1540 const int max_reclassify_loop = 4;
1541 const struct tcf_proto *first_tp;
1542 int limit = 0;
1543
1544reclassify:
1545#endif
1546 for (; tp; tp = rcu_dereference_bh(tp->next)) {
1547 __be16 protocol = skb_protocol(skb, false);
1548 int err;
1549
1550 if (tp->protocol != protocol &&
1551 tp->protocol != htons(ETH_P_ALL))
1552 continue;
1553
1554 err = tp->classify(skb, tp, res);
1555#ifdef CONFIG_NET_CLS_ACT
1556 if (unlikely(err == TC_ACT_RECLASSIFY && !compat_mode)) {
1557 first_tp = orig_tp;
1558 *last_executed_chain = first_tp->chain->index;
1559 goto reset;
1560 } else if (unlikely(TC_ACT_EXT_CMP(err, TC_ACT_GOTO_CHAIN))) {
1561 first_tp = res->goto_tp;
1562 *last_executed_chain = err & TC_ACT_EXT_VAL_MASK;
1563 goto reset;
1564 }
1565#endif
1566 if (err >= 0)
1567 return err;
1568 }
1569
1570 return TC_ACT_UNSPEC;
1571#ifdef CONFIG_NET_CLS_ACT
1572reset:
1573 if (unlikely(limit++ >= max_reclassify_loop)) {
1574 net_notice_ratelimited("%u: reclassify loop, rule prio %u, protocol %02x\n",
1575 tp->chain->block->index,
1576 tp->prio & 0xffff,
1577 ntohs(tp->protocol));
1578 return TC_ACT_SHOT;
1579 }
1580
1581 tp = first_tp;
1582 goto reclassify;
1583#endif
1584}
1585
1586int tcf_classify(struct sk_buff *skb, const struct tcf_proto *tp,
1587 struct tcf_result *res, bool compat_mode)
1588{
1589 u32 last_executed_chain = 0;
1590
1591 return __tcf_classify(skb, tp, tp, res, compat_mode,
1592 &last_executed_chain);
1593}
1594EXPORT_SYMBOL(tcf_classify);
1595
1596int tcf_classify_ingress(struct sk_buff *skb,
1597 const struct tcf_block *ingress_block,
1598 const struct tcf_proto *tp,
1599 struct tcf_result *res, bool compat_mode)
1600{
1601#if !IS_ENABLED(CONFIG_NET_TC_SKB_EXT)
1602 u32 last_executed_chain = 0;
1603
1604 return __tcf_classify(skb, tp, tp, res, compat_mode,
1605 &last_executed_chain);
1606#else
1607 u32 last_executed_chain = tp ? tp->chain->index : 0;
1608 const struct tcf_proto *orig_tp = tp;
1609 struct tc_skb_ext *ext;
1610 int ret;
1611
1612 ext = skb_ext_find(skb, TC_SKB_EXT);
1613
1614 if (ext && ext->chain) {
1615 struct tcf_chain *fchain;
1616
1617 fchain = tcf_chain_lookup_rcu(ingress_block, ext->chain);
1618 if (!fchain)
1619 return TC_ACT_SHOT;
1620
1621
1622 skb_ext_del(skb, TC_SKB_EXT);
1623
1624 tp = rcu_dereference_bh(fchain->filter_chain);
1625 last_executed_chain = fchain->index;
1626 }
1627
1628 ret = __tcf_classify(skb, tp, orig_tp, res, compat_mode,
1629 &last_executed_chain);
1630
1631
1632 if (ret == TC_ACT_UNSPEC && last_executed_chain) {
1633 ext = skb_ext_add(skb, TC_SKB_EXT);
1634 if (WARN_ON_ONCE(!ext))
1635 return TC_ACT_SHOT;
1636 ext->chain = last_executed_chain;
1637 ext->mru = qdisc_skb_cb(skb)->mru;
1638 }
1639
1640 return ret;
1641#endif
1642}
1643EXPORT_SYMBOL(tcf_classify_ingress);
1644
1645struct tcf_chain_info {
1646 struct tcf_proto __rcu **pprev;
1647 struct tcf_proto __rcu *next;
1648};
1649
1650static struct tcf_proto *tcf_chain_tp_prev(struct tcf_chain *chain,
1651 struct tcf_chain_info *chain_info)
1652{
1653 return tcf_chain_dereference(*chain_info->pprev, chain);
1654}
1655
1656static int tcf_chain_tp_insert(struct tcf_chain *chain,
1657 struct tcf_chain_info *chain_info,
1658 struct tcf_proto *tp)
1659{
1660 if (chain->flushing)
1661 return -EAGAIN;
1662
1663 if (*chain_info->pprev == chain->filter_chain)
1664 tcf_chain0_head_change(chain, tp);
1665 tcf_proto_get(tp);
1666 RCU_INIT_POINTER(tp->next, tcf_chain_tp_prev(chain, chain_info));
1667 rcu_assign_pointer(*chain_info->pprev, tp);
1668
1669 return 0;
1670}
1671
1672static void tcf_chain_tp_remove(struct tcf_chain *chain,
1673 struct tcf_chain_info *chain_info,
1674 struct tcf_proto *tp)
1675{
1676 struct tcf_proto *next = tcf_chain_dereference(chain_info->next, chain);
1677
1678 tcf_proto_mark_delete(tp);
1679 if (tp == chain->filter_chain)
1680 tcf_chain0_head_change(chain, next);
1681 RCU_INIT_POINTER(*chain_info->pprev, next);
1682}
1683
1684static struct tcf_proto *tcf_chain_tp_find(struct tcf_chain *chain,
1685 struct tcf_chain_info *chain_info,
1686 u32 protocol, u32 prio,
1687 bool prio_allocate);
1688
1689
1690
1691
1692
1693
1694static struct tcf_proto *tcf_chain_tp_insert_unique(struct tcf_chain *chain,
1695 struct tcf_proto *tp_new,
1696 u32 protocol, u32 prio,
1697 bool rtnl_held)
1698{
1699 struct tcf_chain_info chain_info;
1700 struct tcf_proto *tp;
1701 int err = 0;
1702
1703 mutex_lock(&chain->filter_chain_lock);
1704
1705 if (tcf_proto_exists_destroying(chain, tp_new)) {
1706 mutex_unlock(&chain->filter_chain_lock);
1707 tcf_proto_destroy(tp_new, rtnl_held, false, NULL);
1708 return ERR_PTR(-EAGAIN);
1709 }
1710
1711 tp = tcf_chain_tp_find(chain, &chain_info,
1712 protocol, prio, false);
1713 if (!tp)
1714 err = tcf_chain_tp_insert(chain, &chain_info, tp_new);
1715 mutex_unlock(&chain->filter_chain_lock);
1716
1717 if (tp) {
1718 tcf_proto_destroy(tp_new, rtnl_held, false, NULL);
1719 tp_new = tp;
1720 } else if (err) {
1721 tcf_proto_destroy(tp_new, rtnl_held, false, NULL);
1722 tp_new = ERR_PTR(err);
1723 }
1724
1725 return tp_new;
1726}
1727
1728static void tcf_chain_tp_delete_empty(struct tcf_chain *chain,
1729 struct tcf_proto *tp, bool rtnl_held,
1730 struct netlink_ext_ack *extack)
1731{
1732 struct tcf_chain_info chain_info;
1733 struct tcf_proto *tp_iter;
1734 struct tcf_proto **pprev;
1735 struct tcf_proto *next;
1736
1737 mutex_lock(&chain->filter_chain_lock);
1738
1739
1740 for (pprev = &chain->filter_chain;
1741 (tp_iter = tcf_chain_dereference(*pprev, chain));
1742 pprev = &tp_iter->next) {
1743 if (tp_iter == tp) {
1744 chain_info.pprev = pprev;
1745 chain_info.next = tp_iter->next;
1746 WARN_ON(tp_iter->deleting);
1747 break;
1748 }
1749 }
1750
1751
1752
1753
1754 if (!tp_iter || !tcf_proto_check_delete(tp)) {
1755 mutex_unlock(&chain->filter_chain_lock);
1756 return;
1757 }
1758
1759 tcf_proto_signal_destroying(chain, tp);
1760 next = tcf_chain_dereference(chain_info.next, chain);
1761 if (tp == chain->filter_chain)
1762 tcf_chain0_head_change(chain, next);
1763 RCU_INIT_POINTER(*chain_info.pprev, next);
1764 mutex_unlock(&chain->filter_chain_lock);
1765
1766 tcf_proto_put(tp, rtnl_held, extack);
1767}
1768
1769static struct tcf_proto *tcf_chain_tp_find(struct tcf_chain *chain,
1770 struct tcf_chain_info *chain_info,
1771 u32 protocol, u32 prio,
1772 bool prio_allocate)
1773{
1774 struct tcf_proto **pprev;
1775 struct tcf_proto *tp;
1776
1777
1778 for (pprev = &chain->filter_chain;
1779 (tp = tcf_chain_dereference(*pprev, chain));
1780 pprev = &tp->next) {
1781 if (tp->prio >= prio) {
1782 if (tp->prio == prio) {
1783 if (prio_allocate ||
1784 (tp->protocol != protocol && protocol))
1785 return ERR_PTR(-EINVAL);
1786 } else {
1787 tp = NULL;
1788 }
1789 break;
1790 }
1791 }
1792 chain_info->pprev = pprev;
1793 if (tp) {
1794 chain_info->next = tp->next;
1795 tcf_proto_get(tp);
1796 } else {
1797 chain_info->next = NULL;
1798 }
1799 return tp;
1800}
1801
1802static int tcf_fill_node(struct net *net, struct sk_buff *skb,
1803 struct tcf_proto *tp, struct tcf_block *block,
1804 struct Qdisc *q, u32 parent, void *fh,
1805 u32 portid, u32 seq, u16 flags, int event,
1806 bool terse_dump, bool rtnl_held)
1807{
1808 struct tcmsg *tcm;
1809 struct nlmsghdr *nlh;
1810 unsigned char *b = skb_tail_pointer(skb);
1811
1812 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*tcm), flags);
1813 if (!nlh)
1814 goto out_nlmsg_trim;
1815 tcm = nlmsg_data(nlh);
1816 tcm->tcm_family = AF_UNSPEC;
1817 tcm->tcm__pad1 = 0;
1818 tcm->tcm__pad2 = 0;
1819 if (q) {
1820 tcm->tcm_ifindex = qdisc_dev(q)->ifindex;
1821 tcm->tcm_parent = parent;
1822 } else {
1823 tcm->tcm_ifindex = TCM_IFINDEX_MAGIC_BLOCK;
1824 tcm->tcm_block_index = block->index;
1825 }
1826 tcm->tcm_info = TC_H_MAKE(tp->prio, tp->protocol);
1827 if (nla_put_string(skb, TCA_KIND, tp->ops->kind))
1828 goto nla_put_failure;
1829 if (nla_put_u32(skb, TCA_CHAIN, tp->chain->index))
1830 goto nla_put_failure;
1831 if (!fh) {
1832 tcm->tcm_handle = 0;
1833 } else if (terse_dump) {
1834 if (tp->ops->terse_dump) {
1835 if (tp->ops->terse_dump(net, tp, fh, skb, tcm,
1836 rtnl_held) < 0)
1837 goto nla_put_failure;
1838 } else {
1839 goto cls_op_not_supp;
1840 }
1841 } else {
1842 if (tp->ops->dump &&
1843 tp->ops->dump(net, tp, fh, skb, tcm, rtnl_held) < 0)
1844 goto nla_put_failure;
1845 }
1846 nlh->nlmsg_len = skb_tail_pointer(skb) - b;
1847 return skb->len;
1848
1849out_nlmsg_trim:
1850nla_put_failure:
1851cls_op_not_supp:
1852 nlmsg_trim(skb, b);
1853 return -1;
1854}
1855
1856static int tfilter_notify(struct net *net, struct sk_buff *oskb,
1857 struct nlmsghdr *n, struct tcf_proto *tp,
1858 struct tcf_block *block, struct Qdisc *q,
1859 u32 parent, void *fh, int event, bool unicast,
1860 bool rtnl_held)
1861{
1862 struct sk_buff *skb;
1863 u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
1864 int err = 0;
1865
1866 skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1867 if (!skb)
1868 return -ENOBUFS;
1869
1870 if (tcf_fill_node(net, skb, tp, block, q, parent, fh, portid,
1871 n->nlmsg_seq, n->nlmsg_flags, event,
1872 false, rtnl_held) <= 0) {
1873 kfree_skb(skb);
1874 return -EINVAL;
1875 }
1876
1877 if (unicast)
1878 err = netlink_unicast(net->rtnl, skb, portid, MSG_DONTWAIT);
1879 else
1880 err = rtnetlink_send(skb, net, portid, RTNLGRP_TC,
1881 n->nlmsg_flags & NLM_F_ECHO);
1882
1883 if (err > 0)
1884 err = 0;
1885 return err;
1886}
1887
1888static int tfilter_del_notify(struct net *net, struct sk_buff *oskb,
1889 struct nlmsghdr *n, struct tcf_proto *tp,
1890 struct tcf_block *block, struct Qdisc *q,
1891 u32 parent, void *fh, bool unicast, bool *last,
1892 bool rtnl_held, struct netlink_ext_ack *extack)
1893{
1894 struct sk_buff *skb;
1895 u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
1896 int err;
1897
1898 skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1899 if (!skb)
1900 return -ENOBUFS;
1901
1902 if (tcf_fill_node(net, skb, tp, block, q, parent, fh, portid,
1903 n->nlmsg_seq, n->nlmsg_flags, RTM_DELTFILTER,
1904 false, rtnl_held) <= 0) {
1905 NL_SET_ERR_MSG(extack, "Failed to build del event notification");
1906 kfree_skb(skb);
1907 return -EINVAL;
1908 }
1909
1910 err = tp->ops->delete(tp, fh, last, rtnl_held, extack);
1911 if (err) {
1912 kfree_skb(skb);
1913 return err;
1914 }
1915
1916 if (unicast)
1917 err = netlink_unicast(net->rtnl, skb, portid, MSG_DONTWAIT);
1918 else
1919 err = rtnetlink_send(skb, net, portid, RTNLGRP_TC,
1920 n->nlmsg_flags & NLM_F_ECHO);
1921 if (err < 0)
1922 NL_SET_ERR_MSG(extack, "Failed to send filter delete notification");
1923
1924 if (err > 0)
1925 err = 0;
1926 return err;
1927}
1928
1929static void tfilter_notify_chain(struct net *net, struct sk_buff *oskb,
1930 struct tcf_block *block, struct Qdisc *q,
1931 u32 parent, struct nlmsghdr *n,
1932 struct tcf_chain *chain, int event,
1933 bool rtnl_held)
1934{
1935 struct tcf_proto *tp;
1936
1937 for (tp = tcf_get_next_proto(chain, NULL, rtnl_held);
1938 tp; tp = tcf_get_next_proto(chain, tp, rtnl_held))
1939 tfilter_notify(net, oskb, n, tp, block,
1940 q, parent, NULL, event, false, rtnl_held);
1941}
1942
1943static void tfilter_put(struct tcf_proto *tp, void *fh)
1944{
1945 if (tp->ops->put && fh)
1946 tp->ops->put(tp, fh);
1947}
1948
1949static int tc_new_tfilter(struct sk_buff *skb, struct nlmsghdr *n,
1950 struct netlink_ext_ack *extack)
1951{
1952 struct net *net = sock_net(skb->sk);
1953 struct nlattr *tca[TCA_MAX + 1];
1954 char name[IFNAMSIZ];
1955 struct tcmsg *t;
1956 u32 protocol;
1957 u32 prio;
1958 bool prio_allocate;
1959 u32 parent;
1960 u32 chain_index;
1961 struct Qdisc *q = NULL;
1962 struct tcf_chain_info chain_info;
1963 struct tcf_chain *chain = NULL;
1964 struct tcf_block *block;
1965 struct tcf_proto *tp;
1966 unsigned long cl;
1967 void *fh;
1968 int err;
1969 int tp_created;
1970 bool rtnl_held = false;
1971
1972 if (!netlink_ns_capable(skb, net->user_ns, CAP_NET_ADMIN))
1973 return -EPERM;
1974
1975replay:
1976 tp_created = 0;
1977
1978 err = nlmsg_parse_deprecated(n, sizeof(*t), tca, TCA_MAX,
1979 rtm_tca_policy, extack);
1980 if (err < 0)
1981 return err;
1982
1983 t = nlmsg_data(n);
1984 protocol = TC_H_MIN(t->tcm_info);
1985 prio = TC_H_MAJ(t->tcm_info);
1986 prio_allocate = false;
1987 parent = t->tcm_parent;
1988 tp = NULL;
1989 cl = 0;
1990 block = NULL;
1991
1992 if (prio == 0) {
1993
1994
1995
1996 if (n->nlmsg_flags & NLM_F_CREATE) {
1997 prio = TC_H_MAKE(0x80000000U, 0U);
1998 prio_allocate = true;
1999 } else {
2000 NL_SET_ERR_MSG(extack, "Invalid filter command with priority of zero");
2001 return -ENOENT;
2002 }
2003 }
2004
2005
2006
2007 err = __tcf_qdisc_find(net, &q, &parent, t->tcm_ifindex, false, extack);
2008 if (err)
2009 return err;
2010
2011 if (tcf_proto_check_kind(tca[TCA_KIND], name)) {
2012 NL_SET_ERR_MSG(extack, "Specified TC filter name too long");
2013 err = -EINVAL;
2014 goto errout;
2015 }
2016
2017
2018
2019
2020
2021 if (rtnl_held ||
2022 (q && !(q->ops->cl_ops->flags & QDISC_CLASS_OPS_DOIT_UNLOCKED)) ||
2023 !tcf_proto_is_unlocked(name)) {
2024 rtnl_held = true;
2025 rtnl_lock();
2026 }
2027
2028 err = __tcf_qdisc_cl_find(q, parent, &cl, t->tcm_ifindex, extack);
2029 if (err)
2030 goto errout;
2031
2032 block = __tcf_block_find(net, q, cl, t->tcm_ifindex, t->tcm_block_index,
2033 extack);
2034 if (IS_ERR(block)) {
2035 err = PTR_ERR(block);
2036 goto errout;
2037 }
2038 block->classid = parent;
2039
2040 chain_index = tca[TCA_CHAIN] ? nla_get_u32(tca[TCA_CHAIN]) : 0;
2041 if (chain_index > TC_ACT_EXT_VAL_MASK) {
2042 NL_SET_ERR_MSG(extack, "Specified chain index exceeds upper limit");
2043 err = -EINVAL;
2044 goto errout;
2045 }
2046 chain = tcf_chain_get(block, chain_index, true);
2047 if (!chain) {
2048 NL_SET_ERR_MSG(extack, "Cannot create specified filter chain");
2049 err = -ENOMEM;
2050 goto errout;
2051 }
2052
2053 mutex_lock(&chain->filter_chain_lock);
2054 tp = tcf_chain_tp_find(chain, &chain_info, protocol,
2055 prio, prio_allocate);
2056 if (IS_ERR(tp)) {
2057 NL_SET_ERR_MSG(extack, "Filter with specified priority/protocol not found");
2058 err = PTR_ERR(tp);
2059 goto errout_locked;
2060 }
2061
2062 if (tp == NULL) {
2063 struct tcf_proto *tp_new = NULL;
2064
2065 if (chain->flushing) {
2066 err = -EAGAIN;
2067 goto errout_locked;
2068 }
2069
2070
2071
2072 if (tca[TCA_KIND] == NULL || !protocol) {
2073 NL_SET_ERR_MSG(extack, "Filter kind and protocol must be specified");
2074 err = -EINVAL;
2075 goto errout_locked;
2076 }
2077
2078 if (!(n->nlmsg_flags & NLM_F_CREATE)) {
2079 NL_SET_ERR_MSG(extack, "Need both RTM_NEWTFILTER and NLM_F_CREATE to create a new filter");
2080 err = -ENOENT;
2081 goto errout_locked;
2082 }
2083
2084 if (prio_allocate)
2085 prio = tcf_auto_prio(tcf_chain_tp_prev(chain,
2086 &chain_info));
2087
2088 mutex_unlock(&chain->filter_chain_lock);
2089 tp_new = tcf_proto_create(name, protocol, prio, chain,
2090 rtnl_held, extack);
2091 if (IS_ERR(tp_new)) {
2092 err = PTR_ERR(tp_new);
2093 goto errout_tp;
2094 }
2095
2096 tp_created = 1;
2097 tp = tcf_chain_tp_insert_unique(chain, tp_new, protocol, prio,
2098 rtnl_held);
2099 if (IS_ERR(tp)) {
2100 err = PTR_ERR(tp);
2101 goto errout_tp;
2102 }
2103 } else {
2104 mutex_unlock(&chain->filter_chain_lock);
2105 }
2106
2107 if (tca[TCA_KIND] && nla_strcmp(tca[TCA_KIND], tp->ops->kind)) {
2108 NL_SET_ERR_MSG(extack, "Specified filter kind does not match existing one");
2109 err = -EINVAL;
2110 goto errout;
2111 }
2112
2113 fh = tp->ops->get(tp, t->tcm_handle);
2114
2115 if (!fh) {
2116 if (!(n->nlmsg_flags & NLM_F_CREATE)) {
2117 NL_SET_ERR_MSG(extack, "Need both RTM_NEWTFILTER and NLM_F_CREATE to create a new filter");
2118 err = -ENOENT;
2119 goto errout;
2120 }
2121 } else if (n->nlmsg_flags & NLM_F_EXCL) {
2122 tfilter_put(tp, fh);
2123 NL_SET_ERR_MSG(extack, "Filter already exists");
2124 err = -EEXIST;
2125 goto errout;
2126 }
2127
2128 if (chain->tmplt_ops && chain->tmplt_ops != tp->ops) {
2129 NL_SET_ERR_MSG(extack, "Chain template is set to a different filter kind");
2130 err = -EINVAL;
2131 goto errout;
2132 }
2133
2134 err = tp->ops->change(net, skb, tp, cl, t->tcm_handle, tca, &fh,
2135 n->nlmsg_flags & NLM_F_CREATE ? TCA_ACT_NOREPLACE : TCA_ACT_REPLACE,
2136 rtnl_held, extack);
2137 if (err == 0) {
2138 tfilter_notify(net, skb, n, tp, block, q, parent, fh,
2139 RTM_NEWTFILTER, false, rtnl_held);
2140 tfilter_put(tp, fh);
2141
2142 if (q)
2143 q->flags &= ~TCQ_F_CAN_BYPASS;
2144 }
2145
2146errout:
2147 if (err && tp_created)
2148 tcf_chain_tp_delete_empty(chain, tp, rtnl_held, NULL);
2149errout_tp:
2150 if (chain) {
2151 if (tp && !IS_ERR(tp))
2152 tcf_proto_put(tp, rtnl_held, NULL);
2153 if (!tp_created)
2154 tcf_chain_put(chain);
2155 }
2156 tcf_block_release(q, block, rtnl_held);
2157
2158 if (rtnl_held)
2159 rtnl_unlock();
2160
2161 if (err == -EAGAIN) {
2162
2163
2164
2165 rtnl_held = true;
2166
2167 goto replay;
2168 }
2169 return err;
2170
2171errout_locked:
2172 mutex_unlock(&chain->filter_chain_lock);
2173 goto errout;
2174}
2175
2176static int tc_del_tfilter(struct sk_buff *skb, struct nlmsghdr *n,
2177 struct netlink_ext_ack *extack)
2178{
2179 struct net *net = sock_net(skb->sk);
2180 struct nlattr *tca[TCA_MAX + 1];
2181 char name[IFNAMSIZ];
2182 struct tcmsg *t;
2183 u32 protocol;
2184 u32 prio;
2185 u32 parent;
2186 u32 chain_index;
2187 struct Qdisc *q = NULL;
2188 struct tcf_chain_info chain_info;
2189 struct tcf_chain *chain = NULL;
2190 struct tcf_block *block = NULL;
2191 struct tcf_proto *tp = NULL;
2192 unsigned long cl = 0;
2193 void *fh = NULL;
2194 int err;
2195 bool rtnl_held = false;
2196
2197 if (!netlink_ns_capable(skb, net->user_ns, CAP_NET_ADMIN))
2198 return -EPERM;
2199
2200 err = nlmsg_parse_deprecated(n, sizeof(*t), tca, TCA_MAX,
2201 rtm_tca_policy, extack);
2202 if (err < 0)
2203 return err;
2204
2205 t = nlmsg_data(n);
2206 protocol = TC_H_MIN(t->tcm_info);
2207 prio = TC_H_MAJ(t->tcm_info);
2208 parent = t->tcm_parent;
2209
2210 if (prio == 0 && (protocol || t->tcm_handle || tca[TCA_KIND])) {
2211 NL_SET_ERR_MSG(extack, "Cannot flush filters with protocol, handle or kind set");
2212 return -ENOENT;
2213 }
2214
2215
2216
2217 err = __tcf_qdisc_find(net, &q, &parent, t->tcm_ifindex, false, extack);
2218 if (err)
2219 return err;
2220
2221 if (tcf_proto_check_kind(tca[TCA_KIND], name)) {
2222 NL_SET_ERR_MSG(extack, "Specified TC filter name too long");
2223 err = -EINVAL;
2224 goto errout;
2225 }
2226
2227
2228
2229
2230 if (!prio ||
2231 (q && !(q->ops->cl_ops->flags & QDISC_CLASS_OPS_DOIT_UNLOCKED)) ||
2232 !tcf_proto_is_unlocked(name)) {
2233 rtnl_held = true;
2234 rtnl_lock();
2235 }
2236
2237 err = __tcf_qdisc_cl_find(q, parent, &cl, t->tcm_ifindex, extack);
2238 if (err)
2239 goto errout;
2240
2241 block = __tcf_block_find(net, q, cl, t->tcm_ifindex, t->tcm_block_index,
2242 extack);
2243 if (IS_ERR(block)) {
2244 err = PTR_ERR(block);
2245 goto errout;
2246 }
2247
2248 chain_index = tca[TCA_CHAIN] ? nla_get_u32(tca[TCA_CHAIN]) : 0;
2249 if (chain_index > TC_ACT_EXT_VAL_MASK) {
2250 NL_SET_ERR_MSG(extack, "Specified chain index exceeds upper limit");
2251 err = -EINVAL;
2252 goto errout;
2253 }
2254 chain = tcf_chain_get(block, chain_index, false);
2255 if (!chain) {
2256
2257
2258
2259 if (prio == 0) {
2260 err = 0;
2261 goto errout;
2262 }
2263 NL_SET_ERR_MSG(extack, "Cannot find specified filter chain");
2264 err = -ENOENT;
2265 goto errout;
2266 }
2267
2268 if (prio == 0) {
2269 tfilter_notify_chain(net, skb, block, q, parent, n,
2270 chain, RTM_DELTFILTER, rtnl_held);
2271 tcf_chain_flush(chain, rtnl_held);
2272 err = 0;
2273 goto errout;
2274 }
2275
2276 mutex_lock(&chain->filter_chain_lock);
2277 tp = tcf_chain_tp_find(chain, &chain_info, protocol,
2278 prio, false);
2279 if (!tp || IS_ERR(tp)) {
2280 NL_SET_ERR_MSG(extack, "Filter with specified priority/protocol not found");
2281 err = tp ? PTR_ERR(tp) : -ENOENT;
2282 goto errout_locked;
2283 } else if (tca[TCA_KIND] && nla_strcmp(tca[TCA_KIND], tp->ops->kind)) {
2284 NL_SET_ERR_MSG(extack, "Specified filter kind does not match existing one");
2285 err = -EINVAL;
2286 goto errout_locked;
2287 } else if (t->tcm_handle == 0) {
2288 tcf_proto_signal_destroying(chain, tp);
2289 tcf_chain_tp_remove(chain, &chain_info, tp);
2290 mutex_unlock(&chain->filter_chain_lock);
2291
2292 tcf_proto_put(tp, rtnl_held, NULL);
2293 tfilter_notify(net, skb, n, tp, block, q, parent, fh,
2294 RTM_DELTFILTER, false, rtnl_held);
2295 err = 0;
2296 goto errout;
2297 }
2298 mutex_unlock(&chain->filter_chain_lock);
2299
2300 fh = tp->ops->get(tp, t->tcm_handle);
2301
2302 if (!fh) {
2303 NL_SET_ERR_MSG(extack, "Specified filter handle not found");
2304 err = -ENOENT;
2305 } else {
2306 bool last;
2307
2308 err = tfilter_del_notify(net, skb, n, tp, block,
2309 q, parent, fh, false, &last,
2310 rtnl_held, extack);
2311
2312 if (err)
2313 goto errout;
2314 if (last)
2315 tcf_chain_tp_delete_empty(chain, tp, rtnl_held, extack);
2316 }
2317
2318errout:
2319 if (chain) {
2320 if (tp && !IS_ERR(tp))
2321 tcf_proto_put(tp, rtnl_held, NULL);
2322 tcf_chain_put(chain);
2323 }
2324 tcf_block_release(q, block, rtnl_held);
2325
2326 if (rtnl_held)
2327 rtnl_unlock();
2328
2329 return err;
2330
2331errout_locked:
2332 mutex_unlock(&chain->filter_chain_lock);
2333 goto errout;
2334}
2335
2336static int tc_get_tfilter(struct sk_buff *skb, struct nlmsghdr *n,
2337 struct netlink_ext_ack *extack)
2338{
2339 struct net *net = sock_net(skb->sk);
2340 struct nlattr *tca[TCA_MAX + 1];
2341 char name[IFNAMSIZ];
2342 struct tcmsg *t;
2343 u32 protocol;
2344 u32 prio;
2345 u32 parent;
2346 u32 chain_index;
2347 struct Qdisc *q = NULL;
2348 struct tcf_chain_info chain_info;
2349 struct tcf_chain *chain = NULL;
2350 struct tcf_block *block = NULL;
2351 struct tcf_proto *tp = NULL;
2352 unsigned long cl = 0;
2353 void *fh = NULL;
2354 int err;
2355 bool rtnl_held = false;
2356
2357 err = nlmsg_parse_deprecated(n, sizeof(*t), tca, TCA_MAX,
2358 rtm_tca_policy, extack);
2359 if (err < 0)
2360 return err;
2361
2362 t = nlmsg_data(n);
2363 protocol = TC_H_MIN(t->tcm_info);
2364 prio = TC_H_MAJ(t->tcm_info);
2365 parent = t->tcm_parent;
2366
2367 if (prio == 0) {
2368 NL_SET_ERR_MSG(extack, "Invalid filter command with priority of zero");
2369 return -ENOENT;
2370 }
2371
2372
2373
2374 err = __tcf_qdisc_find(net, &q, &parent, t->tcm_ifindex, false, extack);
2375 if (err)
2376 return err;
2377
2378 if (tcf_proto_check_kind(tca[TCA_KIND], name)) {
2379 NL_SET_ERR_MSG(extack, "Specified TC filter name too long");
2380 err = -EINVAL;
2381 goto errout;
2382 }
2383
2384
2385
2386
2387 if ((q && !(q->ops->cl_ops->flags & QDISC_CLASS_OPS_DOIT_UNLOCKED)) ||
2388 !tcf_proto_is_unlocked(name)) {
2389 rtnl_held = true;
2390 rtnl_lock();
2391 }
2392
2393 err = __tcf_qdisc_cl_find(q, parent, &cl, t->tcm_ifindex, extack);
2394 if (err)
2395 goto errout;
2396
2397 block = __tcf_block_find(net, q, cl, t->tcm_ifindex, t->tcm_block_index,
2398 extack);
2399 if (IS_ERR(block)) {
2400 err = PTR_ERR(block);
2401 goto errout;
2402 }
2403
2404 chain_index = tca[TCA_CHAIN] ? nla_get_u32(tca[TCA_CHAIN]) : 0;
2405 if (chain_index > TC_ACT_EXT_VAL_MASK) {
2406 NL_SET_ERR_MSG(extack, "Specified chain index exceeds upper limit");
2407 err = -EINVAL;
2408 goto errout;
2409 }
2410 chain = tcf_chain_get(block, chain_index, false);
2411 if (!chain) {
2412 NL_SET_ERR_MSG(extack, "Cannot find specified filter chain");
2413 err = -EINVAL;
2414 goto errout;
2415 }
2416
2417 mutex_lock(&chain->filter_chain_lock);
2418 tp = tcf_chain_tp_find(chain, &chain_info, protocol,
2419 prio, false);
2420 mutex_unlock(&chain->filter_chain_lock);
2421 if (!tp || IS_ERR(tp)) {
2422 NL_SET_ERR_MSG(extack, "Filter with specified priority/protocol not found");
2423 err = tp ? PTR_ERR(tp) : -ENOENT;
2424 goto errout;
2425 } else if (tca[TCA_KIND] && nla_strcmp(tca[TCA_KIND], tp->ops->kind)) {
2426 NL_SET_ERR_MSG(extack, "Specified filter kind does not match existing one");
2427 err = -EINVAL;
2428 goto errout;
2429 }
2430
2431 fh = tp->ops->get(tp, t->tcm_handle);
2432
2433 if (!fh) {
2434 NL_SET_ERR_MSG(extack, "Specified filter handle not found");
2435 err = -ENOENT;
2436 } else {
2437 err = tfilter_notify(net, skb, n, tp, block, q, parent,
2438 fh, RTM_NEWTFILTER, true, rtnl_held);
2439 if (err < 0)
2440 NL_SET_ERR_MSG(extack, "Failed to send filter notify message");
2441 }
2442
2443 tfilter_put(tp, fh);
2444errout:
2445 if (chain) {
2446 if (tp && !IS_ERR(tp))
2447 tcf_proto_put(tp, rtnl_held, NULL);
2448 tcf_chain_put(chain);
2449 }
2450 tcf_block_release(q, block, rtnl_held);
2451
2452 if (rtnl_held)
2453 rtnl_unlock();
2454
2455 return err;
2456}
2457
2458struct tcf_dump_args {
2459 struct tcf_walker w;
2460 struct sk_buff *skb;
2461 struct netlink_callback *cb;
2462 struct tcf_block *block;
2463 struct Qdisc *q;
2464 u32 parent;
2465 bool terse_dump;
2466};
2467
2468static int tcf_node_dump(struct tcf_proto *tp, void *n, struct tcf_walker *arg)
2469{
2470 struct tcf_dump_args *a = (void *)arg;
2471 struct net *net = sock_net(a->skb->sk);
2472
2473 return tcf_fill_node(net, a->skb, tp, a->block, a->q, a->parent,
2474 n, NETLINK_CB(a->cb->skb).portid,
2475 a->cb->nlh->nlmsg_seq, NLM_F_MULTI,
2476 RTM_NEWTFILTER, a->terse_dump, true);
2477}
2478
2479static bool tcf_chain_dump(struct tcf_chain *chain, struct Qdisc *q, u32 parent,
2480 struct sk_buff *skb, struct netlink_callback *cb,
2481 long index_start, long *p_index, bool terse)
2482{
2483 struct net *net = sock_net(skb->sk);
2484 struct tcf_block *block = chain->block;
2485 struct tcmsg *tcm = nlmsg_data(cb->nlh);
2486 struct tcf_proto *tp, *tp_prev;
2487 struct tcf_dump_args arg;
2488
2489 for (tp = __tcf_get_next_proto(chain, NULL);
2490 tp;
2491 tp_prev = tp,
2492 tp = __tcf_get_next_proto(chain, tp),
2493 tcf_proto_put(tp_prev, true, NULL),
2494 (*p_index)++) {
2495 if (*p_index < index_start)
2496 continue;
2497 if (TC_H_MAJ(tcm->tcm_info) &&
2498 TC_H_MAJ(tcm->tcm_info) != tp->prio)
2499 continue;
2500 if (TC_H_MIN(tcm->tcm_info) &&
2501 TC_H_MIN(tcm->tcm_info) != tp->protocol)
2502 continue;
2503 if (*p_index > index_start)
2504 memset(&cb->args[1], 0,
2505 sizeof(cb->args) - sizeof(cb->args[0]));
2506 if (cb->args[1] == 0) {
2507 if (tcf_fill_node(net, skb, tp, block, q, parent, NULL,
2508 NETLINK_CB(cb->skb).portid,
2509 cb->nlh->nlmsg_seq, NLM_F_MULTI,
2510 RTM_NEWTFILTER, false, true) <= 0)
2511 goto errout;
2512 cb->args[1] = 1;
2513 }
2514 if (!tp->ops->walk)
2515 continue;
2516 arg.w.fn = tcf_node_dump;
2517 arg.skb = skb;
2518 arg.cb = cb;
2519 arg.block = block;
2520 arg.q = q;
2521 arg.parent = parent;
2522 arg.w.stop = 0;
2523 arg.w.skip = cb->args[1] - 1;
2524 arg.w.count = 0;
2525 arg.w.cookie = cb->args[2];
2526 arg.terse_dump = terse;
2527 tp->ops->walk(tp, &arg.w, true);
2528 cb->args[2] = arg.w.cookie;
2529 cb->args[1] = arg.w.count + 1;
2530 if (arg.w.stop)
2531 goto errout;
2532 }
2533 return true;
2534
2535errout:
2536 tcf_proto_put(tp, true, NULL);
2537 return false;
2538}
2539
2540static const u32 tca_dump_flags_terse = TCA_DUMP_FLAGS_TERSE;
2541static const struct nla_policy tcf_tfilter_dump_policy[TCA_MAX + 1] = {
2542 [TCA_DUMP_FLAGS] = NLA_POLICY_BITFIELD32_PTR(&tca_dump_flags_terse),
2543};
2544
2545
2546static int tc_dump_tfilter(struct sk_buff *skb, struct netlink_callback *cb)
2547{
2548 struct tcf_chain *chain, *chain_prev;
2549 struct net *net = sock_net(skb->sk);
2550 struct nlattr *tca[TCA_MAX + 1];
2551 struct Qdisc *q = NULL;
2552 struct tcf_block *block;
2553 struct tcmsg *tcm = nlmsg_data(cb->nlh);
2554 bool terse_dump = false;
2555 long index_start;
2556 long index;
2557 u32 parent;
2558 int err;
2559
2560 if (nlmsg_len(cb->nlh) < sizeof(*tcm))
2561 return skb->len;
2562
2563 err = nlmsg_parse_deprecated(cb->nlh, sizeof(*tcm), tca, TCA_MAX,
2564 tcf_tfilter_dump_policy, cb->extack);
2565 if (err)
2566 return err;
2567
2568 if (tca[TCA_DUMP_FLAGS]) {
2569 struct nla_bitfield32 flags =
2570 nla_get_bitfield32(tca[TCA_DUMP_FLAGS]);
2571
2572 terse_dump = flags.value & TCA_DUMP_FLAGS_TERSE;
2573 }
2574
2575 if (tcm->tcm_ifindex == TCM_IFINDEX_MAGIC_BLOCK) {
2576 block = tcf_block_refcnt_get(net, tcm->tcm_block_index);
2577 if (!block)
2578 goto out;
2579
2580
2581
2582
2583
2584
2585 parent = 0;
2586 } else {
2587 const struct Qdisc_class_ops *cops;
2588 struct net_device *dev;
2589 unsigned long cl = 0;
2590
2591 dev = __dev_get_by_index(net, tcm->tcm_ifindex);
2592 if (!dev)
2593 return skb->len;
2594
2595 parent = tcm->tcm_parent;
2596 if (!parent)
2597 q = dev->qdisc;
2598 else
2599 q = qdisc_lookup(dev, TC_H_MAJ(tcm->tcm_parent));
2600 if (!q)
2601 goto out;
2602 cops = q->ops->cl_ops;
2603 if (!cops)
2604 goto out;
2605 if (!cops->tcf_block)
2606 goto out;
2607 if (TC_H_MIN(tcm->tcm_parent)) {
2608 cl = cops->find(q, tcm->tcm_parent);
2609 if (cl == 0)
2610 goto out;
2611 }
2612 block = cops->tcf_block(q, cl, NULL);
2613 if (!block)
2614 goto out;
2615 parent = block->classid;
2616 if (tcf_block_shared(block))
2617 q = NULL;
2618 }
2619
2620 index_start = cb->args[0];
2621 index = 0;
2622
2623 for (chain = __tcf_get_next_chain(block, NULL);
2624 chain;
2625 chain_prev = chain,
2626 chain = __tcf_get_next_chain(block, chain),
2627 tcf_chain_put(chain_prev)) {
2628 if (tca[TCA_CHAIN] &&
2629 nla_get_u32(tca[TCA_CHAIN]) != chain->index)
2630 continue;
2631 if (!tcf_chain_dump(chain, q, parent, skb, cb,
2632 index_start, &index, terse_dump)) {
2633 tcf_chain_put(chain);
2634 err = -EMSGSIZE;
2635 break;
2636 }
2637 }
2638
2639 if (tcm->tcm_ifindex == TCM_IFINDEX_MAGIC_BLOCK)
2640 tcf_block_refcnt_put(block, true);
2641 cb->args[0] = index;
2642
2643out:
2644
2645 if (skb->len == 0 && err)
2646 return err;
2647 return skb->len;
2648}
2649
2650static int tc_chain_fill_node(const struct tcf_proto_ops *tmplt_ops,
2651 void *tmplt_priv, u32 chain_index,
2652 struct net *net, struct sk_buff *skb,
2653 struct tcf_block *block,
2654 u32 portid, u32 seq, u16 flags, int event)
2655{
2656 unsigned char *b = skb_tail_pointer(skb);
2657 const struct tcf_proto_ops *ops;
2658 struct nlmsghdr *nlh;
2659 struct tcmsg *tcm;
2660 void *priv;
2661
2662 ops = tmplt_ops;
2663 priv = tmplt_priv;
2664
2665 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*tcm), flags);
2666 if (!nlh)
2667 goto out_nlmsg_trim;
2668 tcm = nlmsg_data(nlh);
2669 tcm->tcm_family = AF_UNSPEC;
2670 tcm->tcm__pad1 = 0;
2671 tcm->tcm__pad2 = 0;
2672 tcm->tcm_handle = 0;
2673 if (block->q) {
2674 tcm->tcm_ifindex = qdisc_dev(block->q)->ifindex;
2675 tcm->tcm_parent = block->q->handle;
2676 } else {
2677 tcm->tcm_ifindex = TCM_IFINDEX_MAGIC_BLOCK;
2678 tcm->tcm_block_index = block->index;
2679 }
2680
2681 if (nla_put_u32(skb, TCA_CHAIN, chain_index))
2682 goto nla_put_failure;
2683
2684 if (ops) {
2685 if (nla_put_string(skb, TCA_KIND, ops->kind))
2686 goto nla_put_failure;
2687 if (ops->tmplt_dump(skb, net, priv) < 0)
2688 goto nla_put_failure;
2689 }
2690
2691 nlh->nlmsg_len = skb_tail_pointer(skb) - b;
2692 return skb->len;
2693
2694out_nlmsg_trim:
2695nla_put_failure:
2696 nlmsg_trim(skb, b);
2697 return -EMSGSIZE;
2698}
2699
2700static int tc_chain_notify(struct tcf_chain *chain, struct sk_buff *oskb,
2701 u32 seq, u16 flags, int event, bool unicast)
2702{
2703 u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
2704 struct tcf_block *block = chain->block;
2705 struct net *net = block->net;
2706 struct sk_buff *skb;
2707 int err = 0;
2708
2709 skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2710 if (!skb)
2711 return -ENOBUFS;
2712
2713 if (tc_chain_fill_node(chain->tmplt_ops, chain->tmplt_priv,
2714 chain->index, net, skb, block, portid,
2715 seq, flags, event) <= 0) {
2716 kfree_skb(skb);
2717 return -EINVAL;
2718 }
2719
2720 if (unicast)
2721 err = netlink_unicast(net->rtnl, skb, portid, MSG_DONTWAIT);
2722 else
2723 err = rtnetlink_send(skb, net, portid, RTNLGRP_TC,
2724 flags & NLM_F_ECHO);
2725
2726 if (err > 0)
2727 err = 0;
2728 return err;
2729}
2730
2731static int tc_chain_notify_delete(const struct tcf_proto_ops *tmplt_ops,
2732 void *tmplt_priv, u32 chain_index,
2733 struct tcf_block *block, struct sk_buff *oskb,
2734 u32 seq, u16 flags, bool unicast)
2735{
2736 u32 portid = oskb ? NETLINK_CB(oskb).portid : 0;
2737 struct net *net = block->net;
2738 struct sk_buff *skb;
2739
2740 skb = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
2741 if (!skb)
2742 return -ENOBUFS;
2743
2744 if (tc_chain_fill_node(tmplt_ops, tmplt_priv, chain_index, net, skb,
2745 block, portid, seq, flags, RTM_DELCHAIN) <= 0) {
2746 kfree_skb(skb);
2747 return -EINVAL;
2748 }
2749
2750 if (unicast)
2751 return netlink_unicast(net->rtnl, skb, portid, MSG_DONTWAIT);
2752
2753 return rtnetlink_send(skb, net, portid, RTNLGRP_TC, flags & NLM_F_ECHO);
2754}
2755
2756static int tc_chain_tmplt_add(struct tcf_chain *chain, struct net *net,
2757 struct nlattr **tca,
2758 struct netlink_ext_ack *extack)
2759{
2760 const struct tcf_proto_ops *ops;
2761 char name[IFNAMSIZ];
2762 void *tmplt_priv;
2763
2764
2765 if (!tca[TCA_KIND])
2766 return 0;
2767
2768 if (tcf_proto_check_kind(tca[TCA_KIND], name)) {
2769 NL_SET_ERR_MSG(extack, "Specified TC chain template name too long");
2770 return -EINVAL;
2771 }
2772
2773 ops = tcf_proto_lookup_ops(name, true, extack);
2774 if (IS_ERR(ops))
2775 return PTR_ERR(ops);
2776 if (!ops->tmplt_create || !ops->tmplt_destroy || !ops->tmplt_dump) {
2777 NL_SET_ERR_MSG(extack, "Chain templates are not supported with specified classifier");
2778 return -EOPNOTSUPP;
2779 }
2780
2781 tmplt_priv = ops->tmplt_create(net, chain, tca, extack);
2782 if (IS_ERR(tmplt_priv)) {
2783 module_put(ops->owner);
2784 return PTR_ERR(tmplt_priv);
2785 }
2786 chain->tmplt_ops = ops;
2787 chain->tmplt_priv = tmplt_priv;
2788 return 0;
2789}
2790
2791static void tc_chain_tmplt_del(const struct tcf_proto_ops *tmplt_ops,
2792 void *tmplt_priv)
2793{
2794
2795 if (!tmplt_ops)
2796 return;
2797
2798 tmplt_ops->tmplt_destroy(tmplt_priv);
2799 module_put(tmplt_ops->owner);
2800}
2801
2802
2803
2804static int tc_ctl_chain(struct sk_buff *skb, struct nlmsghdr *n,
2805 struct netlink_ext_ack *extack)
2806{
2807 struct net *net = sock_net(skb->sk);
2808 struct nlattr *tca[TCA_MAX + 1];
2809 struct tcmsg *t;
2810 u32 parent;
2811 u32 chain_index;
2812 struct Qdisc *q = NULL;
2813 struct tcf_chain *chain = NULL;
2814 struct tcf_block *block;
2815 unsigned long cl;
2816 int err;
2817
2818 if (n->nlmsg_type != RTM_GETCHAIN &&
2819 !netlink_ns_capable(skb, net->user_ns, CAP_NET_ADMIN))
2820 return -EPERM;
2821
2822replay:
2823 err = nlmsg_parse_deprecated(n, sizeof(*t), tca, TCA_MAX,
2824 rtm_tca_policy, extack);
2825 if (err < 0)
2826 return err;
2827
2828 t = nlmsg_data(n);
2829 parent = t->tcm_parent;
2830 cl = 0;
2831
2832 block = tcf_block_find(net, &q, &parent, &cl,
2833 t->tcm_ifindex, t->tcm_block_index, extack);
2834 if (IS_ERR(block))
2835 return PTR_ERR(block);
2836
2837 chain_index = tca[TCA_CHAIN] ? nla_get_u32(tca[TCA_CHAIN]) : 0;
2838 if (chain_index > TC_ACT_EXT_VAL_MASK) {
2839 NL_SET_ERR_MSG(extack, "Specified chain index exceeds upper limit");
2840 err = -EINVAL;
2841 goto errout_block;
2842 }
2843
2844 mutex_lock(&block->lock);
2845 chain = tcf_chain_lookup(block, chain_index);
2846 if (n->nlmsg_type == RTM_NEWCHAIN) {
2847 if (chain) {
2848 if (tcf_chain_held_by_acts_only(chain)) {
2849
2850
2851
2852 tcf_chain_hold(chain);
2853 } else {
2854 NL_SET_ERR_MSG(extack, "Filter chain already exists");
2855 err = -EEXIST;
2856 goto errout_block_locked;
2857 }
2858 } else {
2859 if (!(n->nlmsg_flags & NLM_F_CREATE)) {
2860 NL_SET_ERR_MSG(extack, "Need both RTM_NEWCHAIN and NLM_F_CREATE to create a new chain");
2861 err = -ENOENT;
2862 goto errout_block_locked;
2863 }
2864 chain = tcf_chain_create(block, chain_index);
2865 if (!chain) {
2866 NL_SET_ERR_MSG(extack, "Failed to create filter chain");
2867 err = -ENOMEM;
2868 goto errout_block_locked;
2869 }
2870 }
2871 } else {
2872 if (!chain || tcf_chain_held_by_acts_only(chain)) {
2873 NL_SET_ERR_MSG(extack, "Cannot find specified filter chain");
2874 err = -EINVAL;
2875 goto errout_block_locked;
2876 }
2877 tcf_chain_hold(chain);
2878 }
2879
2880 if (n->nlmsg_type == RTM_NEWCHAIN) {
2881
2882
2883
2884
2885
2886 tcf_chain_hold(chain);
2887 chain->explicitly_created = true;
2888 }
2889 mutex_unlock(&block->lock);
2890
2891 switch (n->nlmsg_type) {
2892 case RTM_NEWCHAIN:
2893 err = tc_chain_tmplt_add(chain, net, tca, extack);
2894 if (err) {
2895 tcf_chain_put_explicitly_created(chain);
2896 goto errout;
2897 }
2898
2899 tc_chain_notify(chain, NULL, 0, NLM_F_CREATE | NLM_F_EXCL,
2900 RTM_NEWCHAIN, false);
2901 break;
2902 case RTM_DELCHAIN:
2903 tfilter_notify_chain(net, skb, block, q, parent, n,
2904 chain, RTM_DELTFILTER, true);
2905
2906 tcf_chain_flush(chain, true);
2907
2908
2909
2910 tcf_chain_put_explicitly_created(chain);
2911 break;
2912 case RTM_GETCHAIN:
2913 err = tc_chain_notify(chain, skb, n->nlmsg_seq,
2914 n->nlmsg_seq, n->nlmsg_type, true);
2915 if (err < 0)
2916 NL_SET_ERR_MSG(extack, "Failed to send chain notify message");
2917 break;
2918 default:
2919 err = -EOPNOTSUPP;
2920 NL_SET_ERR_MSG(extack, "Unsupported message type");
2921 goto errout;
2922 }
2923
2924errout:
2925 tcf_chain_put(chain);
2926errout_block:
2927 tcf_block_release(q, block, true);
2928 if (err == -EAGAIN)
2929
2930 goto replay;
2931 return err;
2932
2933errout_block_locked:
2934 mutex_unlock(&block->lock);
2935 goto errout_block;
2936}
2937
2938
2939static int tc_dump_chain(struct sk_buff *skb, struct netlink_callback *cb)
2940{
2941 struct net *net = sock_net(skb->sk);
2942 struct nlattr *tca[TCA_MAX + 1];
2943 struct Qdisc *q = NULL;
2944 struct tcf_block *block;
2945 struct tcmsg *tcm = nlmsg_data(cb->nlh);
2946 struct tcf_chain *chain;
2947 long index_start;
2948 long index;
2949 u32 parent;
2950 int err;
2951
2952 if (nlmsg_len(cb->nlh) < sizeof(*tcm))
2953 return skb->len;
2954
2955 err = nlmsg_parse_deprecated(cb->nlh, sizeof(*tcm), tca, TCA_MAX,
2956 rtm_tca_policy, cb->extack);
2957 if (err)
2958 return err;
2959
2960 if (tcm->tcm_ifindex == TCM_IFINDEX_MAGIC_BLOCK) {
2961 block = tcf_block_refcnt_get(net, tcm->tcm_block_index);
2962 if (!block)
2963 goto out;
2964
2965
2966
2967
2968
2969
2970 parent = 0;
2971 } else {
2972 const struct Qdisc_class_ops *cops;
2973 struct net_device *dev;
2974 unsigned long cl = 0;
2975
2976 dev = __dev_get_by_index(net, tcm->tcm_ifindex);
2977 if (!dev)
2978 return skb->len;
2979
2980 parent = tcm->tcm_parent;
2981 if (!parent) {
2982 q = dev->qdisc;
2983 parent = q->handle;
2984 } else {
2985 q = qdisc_lookup(dev, TC_H_MAJ(tcm->tcm_parent));
2986 }
2987 if (!q)
2988 goto out;
2989 cops = q->ops->cl_ops;
2990 if (!cops)
2991 goto out;
2992 if (!cops->tcf_block)
2993 goto out;
2994 if (TC_H_MIN(tcm->tcm_parent)) {
2995 cl = cops->find(q, tcm->tcm_parent);
2996 if (cl == 0)
2997 goto out;
2998 }
2999 block = cops->tcf_block(q, cl, NULL);
3000 if (!block)
3001 goto out;
3002 if (tcf_block_shared(block))
3003 q = NULL;
3004 }
3005
3006 index_start = cb->args[0];
3007 index = 0;
3008
3009 mutex_lock(&block->lock);
3010 list_for_each_entry(chain, &block->chain_list, list) {
3011 if ((tca[TCA_CHAIN] &&
3012 nla_get_u32(tca[TCA_CHAIN]) != chain->index))
3013 continue;
3014 if (index < index_start) {
3015 index++;
3016 continue;
3017 }
3018 if (tcf_chain_held_by_acts_only(chain))
3019 continue;
3020 err = tc_chain_fill_node(chain->tmplt_ops, chain->tmplt_priv,
3021 chain->index, net, skb, block,
3022 NETLINK_CB(cb->skb).portid,
3023 cb->nlh->nlmsg_seq, NLM_F_MULTI,
3024 RTM_NEWCHAIN);
3025 if (err <= 0)
3026 break;
3027 index++;
3028 }
3029 mutex_unlock(&block->lock);
3030
3031 if (tcm->tcm_ifindex == TCM_IFINDEX_MAGIC_BLOCK)
3032 tcf_block_refcnt_put(block, true);
3033 cb->args[0] = index;
3034
3035out:
3036
3037 if (skb->len == 0 && err)
3038 return err;
3039 return skb->len;
3040}
3041
3042void tcf_exts_destroy(struct tcf_exts *exts)
3043{
3044#ifdef CONFIG_NET_CLS_ACT
3045 if (exts->actions) {
3046 tcf_action_destroy(exts->actions, TCA_ACT_UNBIND);
3047 kfree(exts->actions);
3048 }
3049 exts->nr_actions = 0;
3050#endif
3051}
3052EXPORT_SYMBOL(tcf_exts_destroy);
3053
3054int tcf_exts_validate(struct net *net, struct tcf_proto *tp, struct nlattr **tb,
3055 struct nlattr *rate_tlv, struct tcf_exts *exts, bool ovr,
3056 bool rtnl_held, struct netlink_ext_ack *extack)
3057{
3058#ifdef CONFIG_NET_CLS_ACT
3059 {
3060 struct tc_action *act;
3061 size_t attr_size = 0;
3062
3063 if (exts->police && tb[exts->police]) {
3064 act = tcf_action_init_1(net, tp, tb[exts->police],
3065 rate_tlv, "police", ovr,
3066 TCA_ACT_BIND, rtnl_held,
3067 extack);
3068 if (IS_ERR(act))
3069 return PTR_ERR(act);
3070
3071 act->type = exts->type = TCA_OLD_COMPAT;
3072 exts->actions[0] = act;
3073 exts->nr_actions = 1;
3074 } else if (exts->action && tb[exts->action]) {
3075 int err;
3076
3077 err = tcf_action_init(net, tp, tb[exts->action],
3078 rate_tlv, NULL, ovr, TCA_ACT_BIND,
3079 exts->actions, &attr_size,
3080 rtnl_held, extack);
3081 if (err < 0)
3082 return err;
3083 exts->nr_actions = err;
3084 }
3085 }
3086#else
3087 if ((exts->action && tb[exts->action]) ||
3088 (exts->police && tb[exts->police])) {
3089 NL_SET_ERR_MSG(extack, "Classifier actions are not supported per compile options (CONFIG_NET_CLS_ACT)");
3090 return -EOPNOTSUPP;
3091 }
3092#endif
3093
3094 return 0;
3095}
3096EXPORT_SYMBOL(tcf_exts_validate);
3097
3098void tcf_exts_change(struct tcf_exts *dst, struct tcf_exts *src)
3099{
3100#ifdef CONFIG_NET_CLS_ACT
3101 struct tcf_exts old = *dst;
3102
3103 *dst = *src;
3104 tcf_exts_destroy(&old);
3105#endif
3106}
3107EXPORT_SYMBOL(tcf_exts_change);
3108
3109#ifdef CONFIG_NET_CLS_ACT
3110static struct tc_action *tcf_exts_first_act(struct tcf_exts *exts)
3111{
3112 if (exts->nr_actions == 0)
3113 return NULL;
3114 else
3115 return exts->actions[0];
3116}
3117#endif
3118
3119int tcf_exts_dump(struct sk_buff *skb, struct tcf_exts *exts)
3120{
3121#ifdef CONFIG_NET_CLS_ACT
3122 struct nlattr *nest;
3123
3124 if (exts->action && tcf_exts_has_actions(exts)) {
3125
3126
3127
3128
3129
3130 if (exts->type != TCA_OLD_COMPAT) {
3131 nest = nla_nest_start_noflag(skb, exts->action);
3132 if (nest == NULL)
3133 goto nla_put_failure;
3134
3135 if (tcf_action_dump(skb, exts->actions, 0, 0, false)
3136 < 0)
3137 goto nla_put_failure;
3138 nla_nest_end(skb, nest);
3139 } else if (exts->police) {
3140 struct tc_action *act = tcf_exts_first_act(exts);
3141 nest = nla_nest_start_noflag(skb, exts->police);
3142 if (nest == NULL || !act)
3143 goto nla_put_failure;
3144 if (tcf_action_dump_old(skb, act, 0, 0) < 0)
3145 goto nla_put_failure;
3146 nla_nest_end(skb, nest);
3147 }
3148 }
3149 return 0;
3150
3151nla_put_failure:
3152 nla_nest_cancel(skb, nest);
3153 return -1;
3154#else
3155 return 0;
3156#endif
3157}
3158EXPORT_SYMBOL(tcf_exts_dump);
3159
3160int tcf_exts_terse_dump(struct sk_buff *skb, struct tcf_exts *exts)
3161{
3162#ifdef CONFIG_NET_CLS_ACT
3163 struct nlattr *nest;
3164
3165 if (!exts->action || !tcf_exts_has_actions(exts))
3166 return 0;
3167
3168 nest = nla_nest_start_noflag(skb, exts->action);
3169 if (!nest)
3170 goto nla_put_failure;
3171
3172 if (tcf_action_dump(skb, exts->actions, 0, 0, true) < 0)
3173 goto nla_put_failure;
3174 nla_nest_end(skb, nest);
3175 return 0;
3176
3177nla_put_failure:
3178 nla_nest_cancel(skb, nest);
3179 return -1;
3180#else
3181 return 0;
3182#endif
3183}
3184EXPORT_SYMBOL(tcf_exts_terse_dump);
3185
3186int tcf_exts_dump_stats(struct sk_buff *skb, struct tcf_exts *exts)
3187{
3188#ifdef CONFIG_NET_CLS_ACT
3189 struct tc_action *a = tcf_exts_first_act(exts);
3190 if (a != NULL && tcf_action_copy_stats(skb, a, 1) < 0)
3191 return -1;
3192#endif
3193 return 0;
3194}
3195EXPORT_SYMBOL(tcf_exts_dump_stats);
3196
3197static void tcf_block_offload_inc(struct tcf_block *block, u32 *flags)
3198{
3199 if (*flags & TCA_CLS_FLAGS_IN_HW)
3200 return;
3201 *flags |= TCA_CLS_FLAGS_IN_HW;
3202 atomic_inc(&block->offloadcnt);
3203}
3204
3205static void tcf_block_offload_dec(struct tcf_block *block, u32 *flags)
3206{
3207 if (!(*flags & TCA_CLS_FLAGS_IN_HW))
3208 return;
3209 *flags &= ~TCA_CLS_FLAGS_IN_HW;
3210 atomic_dec(&block->offloadcnt);
3211}
3212
3213static void tc_cls_offload_cnt_update(struct tcf_block *block,
3214 struct tcf_proto *tp, u32 *cnt,
3215 u32 *flags, u32 diff, bool add)
3216{
3217 lockdep_assert_held(&block->cb_lock);
3218
3219 spin_lock(&tp->lock);
3220 if (add) {
3221 if (!*cnt)
3222 tcf_block_offload_inc(block, flags);
3223 *cnt += diff;
3224 } else {
3225 *cnt -= diff;
3226 if (!*cnt)
3227 tcf_block_offload_dec(block, flags);
3228 }
3229 spin_unlock(&tp->lock);
3230}
3231
3232static void
3233tc_cls_offload_cnt_reset(struct tcf_block *block, struct tcf_proto *tp,
3234 u32 *cnt, u32 *flags)
3235{
3236 lockdep_assert_held(&block->cb_lock);
3237
3238 spin_lock(&tp->lock);
3239 tcf_block_offload_dec(block, flags);
3240 *cnt = 0;
3241 spin_unlock(&tp->lock);
3242}
3243
3244static int
3245__tc_setup_cb_call(struct tcf_block *block, enum tc_setup_type type,
3246 void *type_data, bool err_stop)
3247{
3248 struct flow_block_cb *block_cb;
3249 int ok_count = 0;
3250 int err;
3251
3252 list_for_each_entry(block_cb, &block->flow_block.cb_list, list) {
3253 err = block_cb->cb(type, type_data, block_cb->cb_priv);
3254 if (err) {
3255 if (err_stop)
3256 return err;
3257 } else {
3258 ok_count++;
3259 }
3260 }
3261 return ok_count;
3262}
3263
3264int tc_setup_cb_call(struct tcf_block *block, enum tc_setup_type type,
3265 void *type_data, bool err_stop, bool rtnl_held)
3266{
3267 bool take_rtnl = READ_ONCE(block->lockeddevcnt) && !rtnl_held;
3268 int ok_count;
3269
3270retry:
3271 if (take_rtnl)
3272 rtnl_lock();
3273 down_read(&block->cb_lock);
3274
3275
3276
3277
3278 if (!rtnl_held && !take_rtnl && block->lockeddevcnt) {
3279 up_read(&block->cb_lock);
3280 take_rtnl = true;
3281 goto retry;
3282 }
3283
3284 ok_count = __tc_setup_cb_call(block, type, type_data, err_stop);
3285
3286 up_read(&block->cb_lock);
3287 if (take_rtnl)
3288 rtnl_unlock();
3289 return ok_count;
3290}
3291EXPORT_SYMBOL(tc_setup_cb_call);
3292
3293
3294
3295
3296
3297
3298
3299int tc_setup_cb_add(struct tcf_block *block, struct tcf_proto *tp,
3300 enum tc_setup_type type, void *type_data, bool err_stop,
3301 u32 *flags, unsigned int *in_hw_count, bool rtnl_held)
3302{
3303 bool take_rtnl = READ_ONCE(block->lockeddevcnt) && !rtnl_held;
3304 int ok_count;
3305
3306retry:
3307 if (take_rtnl)
3308 rtnl_lock();
3309 down_read(&block->cb_lock);
3310
3311
3312
3313
3314 if (!rtnl_held && !take_rtnl && block->lockeddevcnt) {
3315 up_read(&block->cb_lock);
3316 take_rtnl = true;
3317 goto retry;
3318 }
3319
3320
3321 if (block->nooffloaddevcnt && err_stop) {
3322 ok_count = -EOPNOTSUPP;
3323 goto err_unlock;
3324 }
3325
3326 ok_count = __tc_setup_cb_call(block, type, type_data, err_stop);
3327 if (ok_count < 0)
3328 goto err_unlock;
3329
3330 if (tp->ops->hw_add)
3331 tp->ops->hw_add(tp, type_data);
3332 if (ok_count > 0)
3333 tc_cls_offload_cnt_update(block, tp, in_hw_count, flags,
3334 ok_count, true);
3335err_unlock:
3336 up_read(&block->cb_lock);
3337 if (take_rtnl)
3338 rtnl_unlock();
3339 return ok_count < 0 ? ok_count : 0;
3340}
3341EXPORT_SYMBOL(tc_setup_cb_add);
3342
3343
3344
3345
3346
3347
3348
3349int tc_setup_cb_replace(struct tcf_block *block, struct tcf_proto *tp,
3350 enum tc_setup_type type, void *type_data, bool err_stop,
3351 u32 *old_flags, unsigned int *old_in_hw_count,
3352 u32 *new_flags, unsigned int *new_in_hw_count,
3353 bool rtnl_held)
3354{
3355 bool take_rtnl = READ_ONCE(block->lockeddevcnt) && !rtnl_held;
3356 int ok_count;
3357
3358retry:
3359 if (take_rtnl)
3360 rtnl_lock();
3361 down_read(&block->cb_lock);
3362
3363
3364
3365
3366 if (!rtnl_held && !take_rtnl && block->lockeddevcnt) {
3367 up_read(&block->cb_lock);
3368 take_rtnl = true;
3369 goto retry;
3370 }
3371
3372
3373 if (block->nooffloaddevcnt && err_stop) {
3374 ok_count = -EOPNOTSUPP;
3375 goto err_unlock;
3376 }
3377
3378 tc_cls_offload_cnt_reset(block, tp, old_in_hw_count, old_flags);
3379 if (tp->ops->hw_del)
3380 tp->ops->hw_del(tp, type_data);
3381
3382 ok_count = __tc_setup_cb_call(block, type, type_data, err_stop);
3383 if (ok_count < 0)
3384 goto err_unlock;
3385
3386 if (tp->ops->hw_add)
3387 tp->ops->hw_add(tp, type_data);
3388 if (ok_count > 0)
3389 tc_cls_offload_cnt_update(block, tp, new_in_hw_count,
3390 new_flags, ok_count, true);
3391err_unlock:
3392 up_read(&block->cb_lock);
3393 if (take_rtnl)
3394 rtnl_unlock();
3395 return ok_count < 0 ? ok_count : 0;
3396}
3397EXPORT_SYMBOL(tc_setup_cb_replace);
3398
3399
3400
3401
3402
3403int tc_setup_cb_destroy(struct tcf_block *block, struct tcf_proto *tp,
3404 enum tc_setup_type type, void *type_data, bool err_stop,
3405 u32 *flags, unsigned int *in_hw_count, bool rtnl_held)
3406{
3407 bool take_rtnl = READ_ONCE(block->lockeddevcnt) && !rtnl_held;
3408 int ok_count;
3409
3410retry:
3411 if (take_rtnl)
3412 rtnl_lock();
3413 down_read(&block->cb_lock);
3414
3415
3416
3417
3418 if (!rtnl_held && !take_rtnl && block->lockeddevcnt) {
3419 up_read(&block->cb_lock);
3420 take_rtnl = true;
3421 goto retry;
3422 }
3423
3424 ok_count = __tc_setup_cb_call(block, type, type_data, err_stop);
3425
3426 tc_cls_offload_cnt_reset(block, tp, in_hw_count, flags);
3427 if (tp->ops->hw_del)
3428 tp->ops->hw_del(tp, type_data);
3429
3430 up_read(&block->cb_lock);
3431 if (take_rtnl)
3432 rtnl_unlock();
3433 return ok_count < 0 ? ok_count : 0;
3434}
3435EXPORT_SYMBOL(tc_setup_cb_destroy);
3436
3437int tc_setup_cb_reoffload(struct tcf_block *block, struct tcf_proto *tp,
3438 bool add, flow_setup_cb_t *cb,
3439 enum tc_setup_type type, void *type_data,
3440 void *cb_priv, u32 *flags, unsigned int *in_hw_count)
3441{
3442 int err = cb(type, type_data, cb_priv);
3443
3444 if (err) {
3445 if (add && tc_skip_sw(*flags))
3446 return err;
3447 } else {
3448 tc_cls_offload_cnt_update(block, tp, in_hw_count, flags, 1,
3449 add);
3450 }
3451
3452 return 0;
3453}
3454EXPORT_SYMBOL(tc_setup_cb_reoffload);
3455
3456static int tcf_act_get_cookie(struct flow_action_entry *entry,
3457 const struct tc_action *act)
3458{
3459 struct tc_cookie *cookie;
3460 int err = 0;
3461
3462 rcu_read_lock();
3463 cookie = rcu_dereference(act->act_cookie);
3464 if (cookie) {
3465 entry->cookie = flow_action_cookie_create(cookie->data,
3466 cookie->len,
3467 GFP_ATOMIC);
3468 if (!entry->cookie)
3469 err = -ENOMEM;
3470 }
3471 rcu_read_unlock();
3472 return err;
3473}
3474
3475static void tcf_act_put_cookie(struct flow_action_entry *entry)
3476{
3477 flow_action_cookie_destroy(entry->cookie);
3478}
3479
3480void tc_cleanup_flow_action(struct flow_action *flow_action)
3481{
3482 struct flow_action_entry *entry;
3483 int i;
3484
3485 flow_action_for_each(i, entry, flow_action) {
3486 tcf_act_put_cookie(entry);
3487 if (entry->destructor)
3488 entry->destructor(entry->destructor_priv);
3489 }
3490}
3491EXPORT_SYMBOL(tc_cleanup_flow_action);
3492
3493static void tcf_mirred_get_dev(struct flow_action_entry *entry,
3494 const struct tc_action *act)
3495{
3496#ifdef CONFIG_NET_CLS_ACT
3497 entry->dev = act->ops->get_dev(act, &entry->destructor);
3498 if (!entry->dev)
3499 return;
3500 entry->destructor_priv = entry->dev;
3501#endif
3502}
3503
3504static void tcf_tunnel_encap_put_tunnel(void *priv)
3505{
3506 struct ip_tunnel_info *tunnel = priv;
3507
3508 kfree(tunnel);
3509}
3510
3511static int tcf_tunnel_encap_get_tunnel(struct flow_action_entry *entry,
3512 const struct tc_action *act)
3513{
3514 entry->tunnel = tcf_tunnel_info_copy(act);
3515 if (!entry->tunnel)
3516 return -ENOMEM;
3517 entry->destructor = tcf_tunnel_encap_put_tunnel;
3518 entry->destructor_priv = entry->tunnel;
3519 return 0;
3520}
3521
3522static void tcf_sample_get_group(struct flow_action_entry *entry,
3523 const struct tc_action *act)
3524{
3525#ifdef CONFIG_NET_CLS_ACT
3526 entry->sample.psample_group =
3527 act->ops->get_psample_group(act, &entry->destructor);
3528 entry->destructor_priv = entry->sample.psample_group;
3529#endif
3530}
3531
3532static void tcf_gate_entry_destructor(void *priv)
3533{
3534 struct action_gate_entry *oe = priv;
3535
3536 kfree(oe);
3537}
3538
3539static int tcf_gate_get_entries(struct flow_action_entry *entry,
3540 const struct tc_action *act)
3541{
3542 entry->gate.entries = tcf_gate_get_list(act);
3543
3544 if (!entry->gate.entries)
3545 return -EINVAL;
3546
3547 entry->destructor = tcf_gate_entry_destructor;
3548 entry->destructor_priv = entry->gate.entries;
3549
3550 return 0;
3551}
3552
3553static enum flow_action_hw_stats tc_act_hw_stats(u8 hw_stats)
3554{
3555 if (WARN_ON_ONCE(hw_stats > TCA_ACT_HW_STATS_ANY))
3556 return FLOW_ACTION_HW_STATS_DONT_CARE;
3557 else if (!hw_stats)
3558 return FLOW_ACTION_HW_STATS_DISABLED;
3559
3560 return hw_stats;
3561}
3562
3563int tc_setup_flow_action(struct flow_action *flow_action,
3564 const struct tcf_exts *exts)
3565{
3566 struct tc_action *act;
3567 int i, j, k, err = 0;
3568
3569 BUILD_BUG_ON(TCA_ACT_HW_STATS_ANY != FLOW_ACTION_HW_STATS_ANY);
3570 BUILD_BUG_ON(TCA_ACT_HW_STATS_IMMEDIATE != FLOW_ACTION_HW_STATS_IMMEDIATE);
3571 BUILD_BUG_ON(TCA_ACT_HW_STATS_DELAYED != FLOW_ACTION_HW_STATS_DELAYED);
3572
3573 if (!exts)
3574 return 0;
3575
3576 j = 0;
3577 tcf_exts_for_each_action(i, act, exts) {
3578 struct flow_action_entry *entry;
3579
3580 entry = &flow_action->entries[j];
3581 spin_lock_bh(&act->tcfa_lock);
3582 err = tcf_act_get_cookie(entry, act);
3583 if (err)
3584 goto err_out_locked;
3585
3586 entry->hw_stats = tc_act_hw_stats(act->hw_stats);
3587
3588 if (is_tcf_gact_ok(act)) {
3589 entry->id = FLOW_ACTION_ACCEPT;
3590 } else if (is_tcf_gact_shot(act)) {
3591 entry->id = FLOW_ACTION_DROP;
3592 } else if (is_tcf_gact_trap(act)) {
3593 entry->id = FLOW_ACTION_TRAP;
3594 } else if (is_tcf_gact_goto_chain(act)) {
3595 entry->id = FLOW_ACTION_GOTO;
3596 entry->chain_index = tcf_gact_goto_chain_index(act);
3597 } else if (is_tcf_mirred_egress_redirect(act)) {
3598 entry->id = FLOW_ACTION_REDIRECT;
3599 tcf_mirred_get_dev(entry, act);
3600 } else if (is_tcf_mirred_egress_mirror(act)) {
3601 entry->id = FLOW_ACTION_MIRRED;
3602 tcf_mirred_get_dev(entry, act);
3603 } else if (is_tcf_mirred_ingress_redirect(act)) {
3604 entry->id = FLOW_ACTION_REDIRECT_INGRESS;
3605 tcf_mirred_get_dev(entry, act);
3606 } else if (is_tcf_mirred_ingress_mirror(act)) {
3607 entry->id = FLOW_ACTION_MIRRED_INGRESS;
3608 tcf_mirred_get_dev(entry, act);
3609 } else if (is_tcf_vlan(act)) {
3610 switch (tcf_vlan_action(act)) {
3611 case TCA_VLAN_ACT_PUSH:
3612 entry->id = FLOW_ACTION_VLAN_PUSH;
3613 entry->vlan.vid = tcf_vlan_push_vid(act);
3614 entry->vlan.proto = tcf_vlan_push_proto(act);
3615 entry->vlan.prio = tcf_vlan_push_prio(act);
3616 break;
3617 case TCA_VLAN_ACT_POP:
3618 entry->id = FLOW_ACTION_VLAN_POP;
3619 break;
3620 case TCA_VLAN_ACT_MODIFY:
3621 entry->id = FLOW_ACTION_VLAN_MANGLE;
3622 entry->vlan.vid = tcf_vlan_push_vid(act);
3623 entry->vlan.proto = tcf_vlan_push_proto(act);
3624 entry->vlan.prio = tcf_vlan_push_prio(act);
3625 break;
3626 default:
3627 err = -EOPNOTSUPP;
3628 goto err_out_locked;
3629 }
3630 } else if (is_tcf_tunnel_set(act)) {
3631 entry->id = FLOW_ACTION_TUNNEL_ENCAP;
3632 err = tcf_tunnel_encap_get_tunnel(entry, act);
3633 if (err)
3634 goto err_out_locked;
3635 } else if (is_tcf_tunnel_release(act)) {
3636 entry->id = FLOW_ACTION_TUNNEL_DECAP;
3637 } else if (is_tcf_pedit(act)) {
3638 for (k = 0; k < tcf_pedit_nkeys(act); k++) {
3639 switch (tcf_pedit_cmd(act, k)) {
3640 case TCA_PEDIT_KEY_EX_CMD_SET:
3641 entry->id = FLOW_ACTION_MANGLE;
3642 break;
3643 case TCA_PEDIT_KEY_EX_CMD_ADD:
3644 entry->id = FLOW_ACTION_ADD;
3645 break;
3646 default:
3647 err = -EOPNOTSUPP;
3648 goto err_out_locked;
3649 }
3650 entry->mangle.htype = tcf_pedit_htype(act, k);
3651 entry->mangle.mask = tcf_pedit_mask(act, k);
3652 entry->mangle.val = tcf_pedit_val(act, k);
3653 entry->mangle.offset = tcf_pedit_offset(act, k);
3654 entry->hw_stats = tc_act_hw_stats(act->hw_stats);
3655 entry = &flow_action->entries[++j];
3656 }
3657 } else if (is_tcf_csum(act)) {
3658 entry->id = FLOW_ACTION_CSUM;
3659 entry->csum_flags = tcf_csum_update_flags(act);
3660 } else if (is_tcf_skbedit_mark(act)) {
3661 entry->id = FLOW_ACTION_MARK;
3662 entry->mark = tcf_skbedit_mark(act);
3663 } else if (is_tcf_sample(act)) {
3664 entry->id = FLOW_ACTION_SAMPLE;
3665 entry->sample.trunc_size = tcf_sample_trunc_size(act);
3666 entry->sample.truncate = tcf_sample_truncate(act);
3667 entry->sample.rate = tcf_sample_rate(act);
3668 tcf_sample_get_group(entry, act);
3669 } else if (is_tcf_police(act)) {
3670 entry->id = FLOW_ACTION_POLICE;
3671 entry->police.burst = tcf_police_burst(act);
3672 entry->police.rate_bytes_ps =
3673 tcf_police_rate_bytes_ps(act);
3674 entry->police.mtu = tcf_police_tcfp_mtu(act);
3675 entry->police.index = act->tcfa_index;
3676 } else if (is_tcf_ct(act)) {
3677 entry->id = FLOW_ACTION_CT;
3678 entry->ct.action = tcf_ct_action(act);
3679 entry->ct.zone = tcf_ct_zone(act);
3680 entry->ct.flow_table = tcf_ct_ft(act);
3681 } else if (is_tcf_mpls(act)) {
3682 switch (tcf_mpls_action(act)) {
3683 case TCA_MPLS_ACT_PUSH:
3684 entry->id = FLOW_ACTION_MPLS_PUSH;
3685 entry->mpls_push.proto = tcf_mpls_proto(act);
3686 entry->mpls_push.label = tcf_mpls_label(act);
3687 entry->mpls_push.tc = tcf_mpls_tc(act);
3688 entry->mpls_push.bos = tcf_mpls_bos(act);
3689 entry->mpls_push.ttl = tcf_mpls_ttl(act);
3690 break;
3691 case TCA_MPLS_ACT_POP:
3692 entry->id = FLOW_ACTION_MPLS_POP;
3693 entry->mpls_pop.proto = tcf_mpls_proto(act);
3694 break;
3695 case TCA_MPLS_ACT_MODIFY:
3696 entry->id = FLOW_ACTION_MPLS_MANGLE;
3697 entry->mpls_mangle.label = tcf_mpls_label(act);
3698 entry->mpls_mangle.tc = tcf_mpls_tc(act);
3699 entry->mpls_mangle.bos = tcf_mpls_bos(act);
3700 entry->mpls_mangle.ttl = tcf_mpls_ttl(act);
3701 break;
3702 default:
3703 goto err_out_locked;
3704 }
3705 } else if (is_tcf_skbedit_ptype(act)) {
3706 entry->id = FLOW_ACTION_PTYPE;
3707 entry->ptype = tcf_skbedit_ptype(act);
3708 } else if (is_tcf_skbedit_priority(act)) {
3709 entry->id = FLOW_ACTION_PRIORITY;
3710 entry->priority = tcf_skbedit_priority(act);
3711 } else if (is_tcf_gate(act)) {
3712 entry->id = FLOW_ACTION_GATE;
3713 entry->gate.index = tcf_gate_index(act);
3714 entry->gate.prio = tcf_gate_prio(act);
3715 entry->gate.basetime = tcf_gate_basetime(act);
3716 entry->gate.cycletime = tcf_gate_cycletime(act);
3717 entry->gate.cycletimeext = tcf_gate_cycletimeext(act);
3718 entry->gate.num_entries = tcf_gate_num_entries(act);
3719 err = tcf_gate_get_entries(entry, act);
3720 if (err)
3721 goto err_out_locked;
3722 } else {
3723 err = -EOPNOTSUPP;
3724 goto err_out_locked;
3725 }
3726 spin_unlock_bh(&act->tcfa_lock);
3727
3728 if (!is_tcf_pedit(act))
3729 j++;
3730 }
3731
3732err_out:
3733 if (err)
3734 tc_cleanup_flow_action(flow_action);
3735
3736 return err;
3737err_out_locked:
3738 spin_unlock_bh(&act->tcfa_lock);
3739 goto err_out;
3740}
3741EXPORT_SYMBOL(tc_setup_flow_action);
3742
3743unsigned int tcf_exts_num_actions(struct tcf_exts *exts)
3744{
3745 unsigned int num_acts = 0;
3746 struct tc_action *act;
3747 int i;
3748
3749 tcf_exts_for_each_action(i, act, exts) {
3750 if (is_tcf_pedit(act))
3751 num_acts += tcf_pedit_nkeys(act);
3752 else
3753 num_acts++;
3754 }
3755 return num_acts;
3756}
3757EXPORT_SYMBOL(tcf_exts_num_actions);
3758
3759#ifdef CONFIG_NET_CLS_ACT
3760static int tcf_qevent_parse_block_index(struct nlattr *block_index_attr,
3761 u32 *p_block_index,
3762 struct netlink_ext_ack *extack)
3763{
3764 *p_block_index = nla_get_u32(block_index_attr);
3765 if (!*p_block_index) {
3766 NL_SET_ERR_MSG(extack, "Block number may not be zero");
3767 return -EINVAL;
3768 }
3769
3770 return 0;
3771}
3772
3773int tcf_qevent_init(struct tcf_qevent *qe, struct Qdisc *sch,
3774 enum flow_block_binder_type binder_type,
3775 struct nlattr *block_index_attr,
3776 struct netlink_ext_ack *extack)
3777{
3778 u32 block_index;
3779 int err;
3780
3781 if (!block_index_attr)
3782 return 0;
3783
3784 err = tcf_qevent_parse_block_index(block_index_attr, &block_index, extack);
3785 if (err)
3786 return err;
3787
3788 if (!block_index)
3789 return 0;
3790
3791 qe->info.binder_type = binder_type;
3792 qe->info.chain_head_change = tcf_chain_head_change_dflt;
3793 qe->info.chain_head_change_priv = &qe->filter_chain;
3794 qe->info.block_index = block_index;
3795
3796 return tcf_block_get_ext(&qe->block, sch, &qe->info, extack);
3797}
3798EXPORT_SYMBOL(tcf_qevent_init);
3799
3800void tcf_qevent_destroy(struct tcf_qevent *qe, struct Qdisc *sch)
3801{
3802 if (qe->info.block_index)
3803 tcf_block_put_ext(qe->block, sch, &qe->info);
3804}
3805EXPORT_SYMBOL(tcf_qevent_destroy);
3806
3807int tcf_qevent_validate_change(struct tcf_qevent *qe, struct nlattr *block_index_attr,
3808 struct netlink_ext_ack *extack)
3809{
3810 u32 block_index;
3811 int err;
3812
3813 if (!block_index_attr)
3814 return 0;
3815
3816 err = tcf_qevent_parse_block_index(block_index_attr, &block_index, extack);
3817 if (err)
3818 return err;
3819
3820
3821 if (block_index != qe->info.block_index) {
3822 NL_SET_ERR_MSG(extack, "Change of blocks is not supported");
3823 return -EINVAL;
3824 }
3825
3826 return 0;
3827}
3828EXPORT_SYMBOL(tcf_qevent_validate_change);
3829
3830struct sk_buff *tcf_qevent_handle(struct tcf_qevent *qe, struct Qdisc *sch, struct sk_buff *skb,
3831 struct sk_buff **to_free, int *ret)
3832{
3833 struct tcf_result cl_res;
3834 struct tcf_proto *fl;
3835
3836 if (!qe->info.block_index)
3837 return skb;
3838
3839 fl = rcu_dereference_bh(qe->filter_chain);
3840
3841 switch (tcf_classify(skb, fl, &cl_res, false)) {
3842 case TC_ACT_SHOT:
3843 qdisc_qstats_drop(sch);
3844 __qdisc_drop(skb, to_free);
3845 *ret = __NET_XMIT_BYPASS;
3846 return NULL;
3847 case TC_ACT_STOLEN:
3848 case TC_ACT_QUEUED:
3849 case TC_ACT_TRAP:
3850 __qdisc_drop(skb, to_free);
3851 *ret = __NET_XMIT_STOLEN;
3852 return NULL;
3853 case TC_ACT_REDIRECT:
3854 skb_do_redirect(skb);
3855 *ret = __NET_XMIT_STOLEN;
3856 return NULL;
3857 }
3858
3859 return skb;
3860}
3861EXPORT_SYMBOL(tcf_qevent_handle);
3862
3863int tcf_qevent_dump(struct sk_buff *skb, int attr_name, struct tcf_qevent *qe)
3864{
3865 if (!qe->info.block_index)
3866 return 0;
3867 return nla_put_u32(skb, attr_name, qe->info.block_index);
3868}
3869EXPORT_SYMBOL(tcf_qevent_dump);
3870#endif
3871
3872static __net_init int tcf_net_init(struct net *net)
3873{
3874 struct tcf_net *tn = net_generic(net, tcf_net_id);
3875
3876 spin_lock_init(&tn->idr_lock);
3877 idr_init(&tn->idr);
3878 return 0;
3879}
3880
3881static void __net_exit tcf_net_exit(struct net *net)
3882{
3883 struct tcf_net *tn = net_generic(net, tcf_net_id);
3884
3885 idr_destroy(&tn->idr);
3886}
3887
3888static struct pernet_operations tcf_net_ops = {
3889 .init = tcf_net_init,
3890 .exit = tcf_net_exit,
3891 .id = &tcf_net_id,
3892 .size = sizeof(struct tcf_net),
3893};
3894
3895static int __init tc_filter_init(void)
3896{
3897 int err;
3898
3899 tc_filter_wq = alloc_ordered_workqueue("tc_filter_workqueue", 0);
3900 if (!tc_filter_wq)
3901 return -ENOMEM;
3902
3903 err = register_pernet_subsys(&tcf_net_ops);
3904 if (err)
3905 goto err_register_pernet_subsys;
3906
3907 rtnl_register(PF_UNSPEC, RTM_NEWTFILTER, tc_new_tfilter, NULL,
3908 RTNL_FLAG_DOIT_UNLOCKED);
3909 rtnl_register(PF_UNSPEC, RTM_DELTFILTER, tc_del_tfilter, NULL,
3910 RTNL_FLAG_DOIT_UNLOCKED);
3911 rtnl_register(PF_UNSPEC, RTM_GETTFILTER, tc_get_tfilter,
3912 tc_dump_tfilter, RTNL_FLAG_DOIT_UNLOCKED);
3913 rtnl_register(PF_UNSPEC, RTM_NEWCHAIN, tc_ctl_chain, NULL, 0);
3914 rtnl_register(PF_UNSPEC, RTM_DELCHAIN, tc_ctl_chain, NULL, 0);
3915 rtnl_register(PF_UNSPEC, RTM_GETCHAIN, tc_ctl_chain,
3916 tc_dump_chain, 0);
3917
3918 return 0;
3919
3920err_register_pernet_subsys:
3921 destroy_workqueue(tc_filter_wq);
3922 return err;
3923}
3924
3925subsys_initcall(tc_filter_init);
3926
