1
2
3
4
5
6
7
8#include <linux/kernel.h>
9#include <linux/init.h>
10#include <linux/list.h>
11#include <linux/rbtree.h>
12#include <linux/netlink.h>
13#include <linux/netfilter.h>
14#include <linux/netfilter/nf_tables.h>
15#include <net/netfilter/nf_tables.h>
16#include <net/netfilter/nf_tables_core.h>
17
18struct nft_lookup {
19 struct nft_set *set;
20 u8 sreg;
21 u8 dreg;
22 bool invert;
23 struct nft_set_binding binding;
24};
25
26#ifdef CONFIG_RETPOLINE
27bool nft_set_do_lookup(const struct net *net, const struct nft_set *set,
28 const u32 *key, const struct nft_set_ext **ext)
29{
30 if (set->ops == &nft_set_hash_fast_type.ops)
31 return nft_hash_lookup_fast(net, set, key, ext);
32 if (set->ops == &nft_set_hash_type.ops)
33 return nft_hash_lookup(net, set, key, ext);
34
35 if (set->ops == &nft_set_rhash_type.ops)
36 return nft_rhash_lookup(net, set, key, ext);
37
38 if (set->ops == &nft_set_bitmap_type.ops)
39 return nft_bitmap_lookup(net, set, key, ext);
40
41 if (set->ops == &nft_set_pipapo_type.ops)
42 return nft_pipapo_lookup(net, set, key, ext);
43#if defined(CONFIG_X86_64) && !defined(CONFIG_UML)
44 if (set->ops == &nft_set_pipapo_avx2_type.ops)
45 return nft_pipapo_avx2_lookup(net, set, key, ext);
46#endif
47
48 if (set->ops == &nft_set_rbtree_type.ops)
49 return nft_rbtree_lookup(net, set, key, ext);
50
51 WARN_ON_ONCE(1);
52 return set->ops->lookup(net, set, key, ext);
53}
54EXPORT_SYMBOL_GPL(nft_set_do_lookup);
55#endif
56
57void nft_lookup_eval(const struct nft_expr *expr,
58 struct nft_regs *regs,
59 const struct nft_pktinfo *pkt)
60{
61 const struct nft_lookup *priv = nft_expr_priv(expr);
62 const struct nft_set *set = priv->set;
63 const struct nft_set_ext *ext = NULL;
64 const struct net *net = nft_net(pkt);
65 bool found;
66
67 found = nft_set_do_lookup(net, set, ®s->data[priv->sreg], &ext) ^
68 priv->invert;
69 if (!found) {
70 ext = nft_set_catchall_lookup(net, set);
71 if (!ext) {
72 regs->verdict.code = NFT_BREAK;
73 return;
74 }
75 }
76
77 if (ext) {
78 if (set->flags & NFT_SET_MAP)
79 nft_data_copy(®s->data[priv->dreg],
80 nft_set_ext_data(ext), set->dlen);
81
82 nft_set_elem_update_expr(ext, regs, pkt);
83 }
84}
85
86static const struct nla_policy nft_lookup_policy[NFTA_LOOKUP_MAX + 1] = {
87 [NFTA_LOOKUP_SET] = { .type = NLA_STRING,
88 .len = NFT_SET_MAXNAMELEN - 1 },
89 [NFTA_LOOKUP_SET_ID] = { .type = NLA_U32 },
90 [NFTA_LOOKUP_SREG] = { .type = NLA_U32 },
91 [NFTA_LOOKUP_DREG] = { .type = NLA_U32 },
92 [NFTA_LOOKUP_FLAGS] = { .type = NLA_U32 },
93};
94
95static int nft_lookup_init(const struct nft_ctx *ctx,
96 const struct nft_expr *expr,
97 const struct nlattr * const tb[])
98{
99 struct nft_lookup *priv = nft_expr_priv(expr);
100 u8 genmask = nft_genmask_next(ctx->net);
101 struct nft_set *set;
102 u32 flags;
103 int err;
104
105 if (tb[NFTA_LOOKUP_SET] == NULL ||
106 tb[NFTA_LOOKUP_SREG] == NULL)
107 return -EINVAL;
108
109 set = nft_set_lookup_global(ctx->net, ctx->table, tb[NFTA_LOOKUP_SET],
110 tb[NFTA_LOOKUP_SET_ID], genmask);
111 if (IS_ERR(set))
112 return PTR_ERR(set);
113
114 err = nft_parse_register_load(tb[NFTA_LOOKUP_SREG], &priv->sreg,
115 set->klen);
116 if (err < 0)
117 return err;
118
119 if (tb[NFTA_LOOKUP_FLAGS]) {
120 flags = ntohl(nla_get_be32(tb[NFTA_LOOKUP_FLAGS]));
121
122 if (flags & ~NFT_LOOKUP_F_INV)
123 return -EINVAL;
124
125 if (flags & NFT_LOOKUP_F_INV) {
126 if (set->flags & NFT_SET_MAP)
127 return -EINVAL;
128 priv->invert = true;
129 }
130 }
131
132 if (tb[NFTA_LOOKUP_DREG] != NULL) {
133 if (priv->invert)
134 return -EINVAL;
135 if (!(set->flags & NFT_SET_MAP))
136 return -EINVAL;
137
138 err = nft_parse_register_store(ctx, tb[NFTA_LOOKUP_DREG],
139 &priv->dreg, NULL, set->dtype,
140 set->dlen);
141 if (err < 0)
142 return err;
143 } else if (set->flags & NFT_SET_MAP)
144 return -EINVAL;
145
146 priv->binding.flags = set->flags & NFT_SET_MAP;
147
148 err = nf_tables_bind_set(ctx, set, &priv->binding);
149 if (err < 0)
150 return err;
151
152 priv->set = set;
153 return 0;
154}
155
156static void nft_lookup_deactivate(const struct nft_ctx *ctx,
157 const struct nft_expr *expr,
158 enum nft_trans_phase phase)
159{
160 struct nft_lookup *priv = nft_expr_priv(expr);
161
162 nf_tables_deactivate_set(ctx, priv->set, &priv->binding, phase);
163}
164
165static void nft_lookup_activate(const struct nft_ctx *ctx,
166 const struct nft_expr *expr)
167{
168 struct nft_lookup *priv = nft_expr_priv(expr);
169
170 priv->set->use++;
171}
172
173static void nft_lookup_destroy(const struct nft_ctx *ctx,
174 const struct nft_expr *expr)
175{
176 struct nft_lookup *priv = nft_expr_priv(expr);
177
178 nf_tables_destroy_set(ctx, priv->set);
179}
180
181static int nft_lookup_dump(struct sk_buff *skb, const struct nft_expr *expr)
182{
183 const struct nft_lookup *priv = nft_expr_priv(expr);
184 u32 flags = priv->invert ? NFT_LOOKUP_F_INV : 0;
185
186 if (nla_put_string(skb, NFTA_LOOKUP_SET, priv->set->name))
187 goto nla_put_failure;
188 if (nft_dump_register(skb, NFTA_LOOKUP_SREG, priv->sreg))
189 goto nla_put_failure;
190 if (priv->set->flags & NFT_SET_MAP)
191 if (nft_dump_register(skb, NFTA_LOOKUP_DREG, priv->dreg))
192 goto nla_put_failure;
193 if (nla_put_be32(skb, NFTA_LOOKUP_FLAGS, htonl(flags)))
194 goto nla_put_failure;
195 return 0;
196
197nla_put_failure:
198 return -1;
199}
200
201static int nft_lookup_validate_setelem(const struct nft_ctx *ctx,
202 struct nft_set *set,
203 const struct nft_set_iter *iter,
204 struct nft_set_elem *elem)
205{
206 const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
207 struct nft_ctx *pctx = (struct nft_ctx *)ctx;
208 const struct nft_data *data;
209 int err;
210
211 if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
212 *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
213 return 0;
214
215 data = nft_set_ext_data(ext);
216 switch (data->verdict.code) {
217 case NFT_JUMP:
218 case NFT_GOTO:
219 pctx->level++;
220 err = nft_chain_validate(ctx, data->verdict.chain);
221 if (err < 0)
222 return err;
223 pctx->level--;
224 break;
225 default:
226 break;
227 }
228
229 return 0;
230}
231
232static int nft_lookup_validate(const struct nft_ctx *ctx,
233 const struct nft_expr *expr,
234 const struct nft_data **d)
235{
236 const struct nft_lookup *priv = nft_expr_priv(expr);
237 struct nft_set_iter iter;
238
239 if (!(priv->set->flags & NFT_SET_MAP) ||
240 priv->set->dtype != NFT_DATA_VERDICT)
241 return 0;
242
243 iter.genmask = nft_genmask_next(ctx->net);
244 iter.skip = 0;
245 iter.count = 0;
246 iter.err = 0;
247 iter.fn = nft_lookup_validate_setelem;
248
249 priv->set->ops->walk(ctx, priv->set, &iter);
250 if (iter.err < 0)
251 return iter.err;
252
253 return 0;
254}
255
256static const struct nft_expr_ops nft_lookup_ops = {
257 .type = &nft_lookup_type,
258 .size = NFT_EXPR_SIZE(sizeof(struct nft_lookup)),
259 .eval = nft_lookup_eval,
260 .init = nft_lookup_init,
261 .activate = nft_lookup_activate,
262 .deactivate = nft_lookup_deactivate,
263 .destroy = nft_lookup_destroy,
264 .dump = nft_lookup_dump,
265 .validate = nft_lookup_validate,
266};
267
268struct nft_expr_type nft_lookup_type __read_mostly = {
269 .name = "lookup",
270 .ops = &nft_lookup_ops,
271 .policy = nft_lookup_policy,
272 .maxattr = NFTA_LOOKUP_MAX,
273 .owner = THIS_MODULE,
274};
275
