1 #ifndef _NF_FLOW_TABLE_H 2 #define _NF_FLOW_TABLE_H 3 4 #include <linux/in.h> 5 #include <linux/in6.h> 6 #include <linux/netdevice.h> 7 #include <linux/rhashtable-types.h> 8 #include <linux/rcupdate.h> 9 #include <linux/netfilter.h> 10 #include <linux/netfilter/nf_conntrack_tuple_common.h> 11 #include <net/flow_offload.h> 12 #include <net/dst.h> 13 #include <linux/if_pppox.h> 14 #include <linux/ppp_defs.h> 15 16 struct nf_flowtable; 17 struct nf_flow_rule; 18 struct flow_offload; 19 enum flow_offload_tuple_dir; 20 21 struct nf_flow_key { 22 struct flow_dissector_key_meta meta; 23 struct flow_dissector_key_control control; 24 struct flow_dissector_key_control enc_control; 25 struct flow_dissector_key_basic basic; 26 struct flow_dissector_key_vlan vlan; 27 struct flow_dissector_key_vlan cvlan; 28 union { 29 struct flow_dissector_key_ipv4_addrs ipv4; 30 struct flow_dissector_key_ipv6_addrs ipv6; 31 }; 32 struct flow_dissector_key_keyid enc_key_id; 33 union { 34 struct flow_dissector_key_ipv4_addrs enc_ipv4; 35 struct flow_dissector_key_ipv6_addrs enc_ipv6; 36 }; 37 struct flow_dissector_key_tcp tcp; 38 struct flow_dissector_key_ports tp; 39 } __aligned(BITS_PER_LONG / 8); /* Ensure that we can do comparisons as longs. */ 40 41 struct nf_flow_match { 42 struct flow_dissector dissector; 43 struct nf_flow_key key; 44 struct nf_flow_key mask; 45 }; 46 47 struct nf_flow_rule { 48 struct nf_flow_match match; 49 struct flow_rule *rule; 50 }; 51 52 struct nf_flowtable_type { 53 struct list_head list; 54 int family; 55 int (*init)(struct nf_flowtable *ft); 56 bool (*gc)(const struct flow_offload *flow); 57 int (*setup)(struct nf_flowtable *ft, 58 struct net_device *dev, 59 enum flow_block_command cmd); 60 int (*action)(struct net *net, 61 struct flow_offload *flow, 62 enum flow_offload_tuple_dir dir, 63 struct nf_flow_rule *flow_rule); 64 void (*free)(struct nf_flowtable *ft); 65 void (*get)(struct nf_flowtable *ft); 66 void (*put)(struct nf_flowtable *ft); 67 nf_hookfn *hook; 68 struct module *owner; 69 }; 70 71 enum nf_flowtable_flags { 72 NF_FLOWTABLE_HW_OFFLOAD = 0x1, /* NFT_FLOWTABLE_HW_OFFLOAD */ 73 NF_FLOWTABLE_COUNTER = 0x2, /* NFT_FLOWTABLE_COUNTER */ 74 }; 75 76 struct nf_flowtable { 77 unsigned int flags; /* readonly in datapath */ 78 int priority; /* control path (padding hole) */ 79 struct rhashtable rhashtable; /* datapath, read-mostly members come first */ 80 81 struct list_head list; /* slowpath parts */ 82 const struct nf_flowtable_type *type; 83 struct delayed_work gc_work; 84 struct flow_block flow_block; 85 struct rw_semaphore flow_block_lock; /* Guards flow_block */ 86 possible_net_t net; 87 }; 88 89 static inline bool nf_flowtable_hw_offload(struct nf_flowtable *flowtable) 90 { 91 return flowtable->flags & NF_FLOWTABLE_HW_OFFLOAD; 92 } 93 94 enum flow_offload_tuple_dir { 95 FLOW_OFFLOAD_DIR_ORIGINAL = IP_CT_DIR_ORIGINAL, 96 FLOW_OFFLOAD_DIR_REPLY = IP_CT_DIR_REPLY, 97 }; 98 #define FLOW_OFFLOAD_DIR_MAX IP_CT_DIR_MAX 99 100 enum flow_offload_xmit_type { 101 FLOW_OFFLOAD_XMIT_UNSPEC = 0, 102 FLOW_OFFLOAD_XMIT_NEIGH, 103 FLOW_OFFLOAD_XMIT_XFRM, 104 FLOW_OFFLOAD_XMIT_DIRECT, 105 FLOW_OFFLOAD_XMIT_TC, 106 }; 107 108 #define NF_FLOW_TABLE_ENCAP_MAX 2 109 110 struct flow_offload_tuple { 111 union { 112 struct in_addr src_v4; 113 struct in6_addr src_v6; 114 }; 115 union { 116 struct in_addr dst_v4; 117 struct in6_addr dst_v6; 118 }; 119 struct { 120 __be16 src_port; 121 __be16 dst_port; 122 }; 123 124 int iifidx; 125 126 u8 l3proto; 127 u8 l4proto; 128 struct { 129 u16 id; 130 __be16 proto; 131 } encap[NF_FLOW_TABLE_ENCAP_MAX]; 132 133 /* All members above are keys for lookups, see flow_offload_hash(). */ 134 struct { } __hash; 135 136 u8 dir:2, 137 xmit_type:3, 138 encap_num:2, 139 in_vlan_ingress:2; 140 u16 mtu; 141 union { 142 struct { 143 struct dst_entry *dst_cache; 144 u32 dst_cookie; 145 }; 146 struct { 147 u32 ifidx; 148 u32 hw_ifidx; 149 u8 h_source[ETH_ALEN]; 150 u8 h_dest[ETH_ALEN]; 151 } out; 152 struct { 153 u32 iifidx; 154 } tc; 155 }; 156 }; 157 158 struct flow_offload_tuple_rhash { 159 struct rhash_head node; 160 struct flow_offload_tuple tuple; 161 }; 162 163 enum nf_flow_flags { 164 NF_FLOW_SNAT, 165 NF_FLOW_DNAT, 166 NF_FLOW_CLOSING, 167 NF_FLOW_TEARDOWN, 168 NF_FLOW_HW, 169 NF_FLOW_HW_DYING, 170 NF_FLOW_HW_DEAD, 171 NF_FLOW_HW_PENDING, 172 NF_FLOW_HW_BIDIRECTIONAL, 173 NF_FLOW_HW_ESTABLISHED, 174 }; 175 176 enum flow_offload_type { 177 NF_FLOW_OFFLOAD_UNSPEC = 0, 178 NF_FLOW_OFFLOAD_ROUTE, 179 }; 180 181 struct flow_offload { 182 struct flow_offload_tuple_rhash tuplehash[FLOW_OFFLOAD_DIR_MAX]; 183 struct nf_conn *ct; 184 unsigned long flags; 185 u16 type; 186 u32 timeout; 187 struct rcu_head rcu_head; 188 }; 189 190 #define NF_FLOW_TIMEOUT (30 * HZ) 191 #define nf_flowtable_time_stamp (u32)jiffies 192 193 unsigned long flow_offload_get_timeout(struct flow_offload *flow); 194 195 static inline __s32 nf_flow_timeout_delta(unsigned int timeout) 196 { 197 return (__s32)(timeout - nf_flowtable_time_stamp); 198 } 199 200 struct nf_flow_route { 201 struct { 202 struct dst_entry *dst; 203 struct { 204 u32 ifindex; 205 struct { 206 u16 id; 207 __be16 proto; 208 } encap[NF_FLOW_TABLE_ENCAP_MAX]; 209 u8 num_encaps:2, 210 ingress_vlans:2; 211 } in; 212 struct { 213 u32 ifindex; 214 u32 hw_ifindex; 215 u8 h_source[ETH_ALEN]; 216 u8 h_dest[ETH_ALEN]; 217 } out; 218 enum flow_offload_xmit_type xmit_type; 219 } tuple[FLOW_OFFLOAD_DIR_MAX]; 220 }; 221 222 struct flow_offload *flow_offload_alloc(struct nf_conn *ct); 223 void flow_offload_free(struct flow_offload *flow); 224 225 static inline int 226 nf_flow_table_offload_add_cb(struct nf_flowtable *flow_table, 227 flow_setup_cb_t *cb, void *cb_priv) 228 { 229 struct flow_block *block = &flow_table->flow_block; 230 struct flow_block_cb *block_cb; 231 int err = 0; 232 233 down_write(&flow_table->flow_block_lock); 234 block_cb = flow_block_cb_lookup(block, cb, cb_priv); 235 if (block_cb) { 236 err = -EEXIST; 237 goto unlock; 238 } 239 240 block_cb = flow_block_cb_alloc(cb, cb_priv, cb_priv, NULL); 241 if (IS_ERR(block_cb)) { 242 err = PTR_ERR(block_cb); 243 goto unlock; 244 } 245 246 list_add_tail(&block_cb->list, &block->cb_list); 247 up_write(&flow_table->flow_block_lock); 248 249 if (flow_table->type->get) 250 flow_table->type->get(flow_table); 251 return 0; 252 253 unlock: 254 up_write(&flow_table->flow_block_lock); 255 return err; 256 } 257 258 static inline void 259 nf_flow_table_offload_del_cb(struct nf_flowtable *flow_table, 260 flow_setup_cb_t *cb, void *cb_priv) 261 { 262 struct flow_block *block = &flow_table->flow_block; 263 struct flow_block_cb *block_cb; 264 265 down_write(&flow_table->flow_block_lock); 266 block_cb = flow_block_cb_lookup(block, cb, cb_priv); 267 if (block_cb) { 268 list_del(&block_cb->list); 269 flow_block_cb_free(block_cb); 270 } else { 271 WARN_ON(true); 272 } 273 up_write(&flow_table->flow_block_lock); 274 275 if (flow_table->type->put) 276 flow_table->type->put(flow_table); 277 } 278 279 void flow_offload_route_init(struct flow_offload *flow, 280 struct nf_flow_route *route); 281 282 int flow_offload_add(struct nf_flowtable *flow_table, struct flow_offload *flow); 283 void flow_offload_refresh(struct nf_flowtable *flow_table, 284 struct flow_offload *flow, bool force); 285 286 struct flow_offload_tuple_rhash *flow_offload_lookup(struct nf_flowtable *flow_table, 287 struct flow_offload_tuple *tuple); 288 void nf_flow_table_gc_run(struct nf_flowtable *flow_table); 289 void nf_flow_table_gc_cleanup(struct nf_flowtable *flowtable, 290 struct net_device *dev); 291 void nf_flow_table_cleanup(struct net_device *dev); 292 293 int nf_flow_table_init(struct nf_flowtable *flow_table); 294 void nf_flow_table_free(struct nf_flowtable *flow_table); 295 296 void flow_offload_teardown(struct flow_offload *flow); 297 298 void nf_flow_snat_port(const struct flow_offload *flow, 299 struct sk_buff *skb, unsigned int thoff, 300 u8 protocol, enum flow_offload_tuple_dir dir); 301 void nf_flow_dnat_port(const struct flow_offload *flow, 302 struct sk_buff *skb, unsigned int thoff, 303 u8 protocol, enum flow_offload_tuple_dir dir); 304 305 struct flow_ports { 306 __be16 source, dest; 307 }; 308 309 struct nf_flowtable *nf_flowtable_by_dev(const struct net_device *dev); 310 int nf_flow_offload_xdp_setup(struct nf_flowtable *flowtable, 311 struct net_device *dev, 312 enum flow_block_command cmd); 313 314 unsigned int nf_flow_offload_ip_hook(void *priv, struct sk_buff *skb, 315 const struct nf_hook_state *state); 316 unsigned int nf_flow_offload_ipv6_hook(void *priv, struct sk_buff *skb, 317 const struct nf_hook_state *state); 318 319 #if (IS_BUILTIN(CONFIG_NF_FLOW_TABLE) && IS_ENABLED(CONFIG_DEBUG_INFO_BTF)) || \ 320 (IS_MODULE(CONFIG_NF_FLOW_TABLE) && IS_ENABLED(CONFIG_DEBUG_INFO_BTF_MODULES)) 321 extern int nf_flow_register_bpf(void); 322 #else 323 static inline int nf_flow_register_bpf(void) 324 { 325 return 0; 326 } 327 #endif 328 329 #define MODULE_ALIAS_NF_FLOWTABLE(family) \ 330 MODULE_ALIAS("nf-flowtable-" __stringify(family)) 331 332 void nf_flow_offload_add(struct nf_flowtable *flowtable, 333 struct flow_offload *flow); 334 void nf_flow_offload_del(struct nf_flowtable *flowtable, 335 struct flow_offload *flow); 336 void nf_flow_offload_stats(struct nf_flowtable *flowtable, 337 struct flow_offload *flow); 338 339 void nf_flow_table_offload_flush(struct nf_flowtable *flowtable); 340 void nf_flow_table_offload_flush_cleanup(struct nf_flowtable *flowtable); 341 342 int nf_flow_table_offload_setup(struct nf_flowtable *flowtable, 343 struct net_device *dev, 344 enum flow_block_command cmd); 345 int nf_flow_rule_route_ipv4(struct net *net, struct flow_offload *flow, 346 enum flow_offload_tuple_dir dir, 347 struct nf_flow_rule *flow_rule); 348 int nf_flow_rule_route_ipv6(struct net *net, struct flow_offload *flow, 349 enum flow_offload_tuple_dir dir, 350 struct nf_flow_rule *flow_rule); 351 352 int nf_flow_table_offload_init(void); 353 void nf_flow_table_offload_exit(void); 354 355 static inline __be16 __nf_flow_pppoe_proto(const struct sk_buff *skb) 356 { 357 __be16 proto; 358 359 proto = *((__be16 *)(skb_mac_header(skb) + ETH_HLEN + 360 sizeof(struct pppoe_hdr))); 361 switch (proto) { 362 case htons(PPP_IP): 363 return htons(ETH_P_IP); 364 case htons(PPP_IPV6): 365 return htons(ETH_P_IPV6); 366 } 367 368 return 0; 369 } 370 371 static inline bool nf_flow_pppoe_proto(struct sk_buff *skb, __be16 *inner_proto) 372 { 373 if (!pskb_may_pull(skb, PPPOE_SES_HLEN)) 374 return false; 375 376 *inner_proto = __nf_flow_pppoe_proto(skb); 377 378 return true; 379 } 380 381 #define NF_FLOW_TABLE_STAT_INC(net, count) __this_cpu_inc((net)->ft.stat->count) 382 #define NF_FLOW_TABLE_STAT_DEC(net, count) __this_cpu_dec((net)->ft.stat->count) 383 #define NF_FLOW_TABLE_STAT_INC_ATOMIC(net, count) \ 384 this_cpu_inc((net)->ft.stat->count) 385 #define NF_FLOW_TABLE_STAT_DEC_ATOMIC(net, count) \ 386 this_cpu_dec((net)->ft.stat->count) 387 388 #ifdef CONFIG_NF_FLOW_TABLE_PROCFS 389 int nf_flow_table_init_proc(struct net *net); 390 void nf_flow_table_fini_proc(struct net *net); 391 #else 392 static inline int nf_flow_table_init_proc(struct net *net) 393 { 394 return 0; 395 } 396 397 static inline void nf_flow_table_fini_proc(struct net *net) 398 { 399 } 400 #endif /* CONFIG_NF_FLOW_TABLE_PROCFS */ 401 402 #endif /* _NF_FLOW_TABLE_H */ 403