]> git.ipfire.org Git - thirdparty/linux.git/blob - net/netfilter/nf_flow_table_core.c
projects / thirdparty / linux.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
io_uring: reset -EBUSY error when io sq thread is waken up
[thirdparty/linux.git] / net / netfilter / nf_flow_table_core.c
1 // SPDX-License-Identifier: GPL-2.0-only
2 #include <linux/kernel.h>
3 #include <linux/init.h>
4 #include <linux/module.h>
5 #include <linux/netfilter.h>
6 #include <linux/rhashtable.h>
7 #include <linux/netdevice.h>
8 #include <net/ip.h>
9 #include <net/ip6_route.h>
10 #include <net/netfilter/nf_tables.h>
11 #include <net/netfilter/nf_flow_table.h>
12 #include <net/netfilter/nf_conntrack.h>
13 #include <net/netfilter/nf_conntrack_core.h>
14 #include <net/netfilter/nf_conntrack_l4proto.h>
15 #include <net/netfilter/nf_conntrack_tuple.h>
16
17 static DEFINE_MUTEX(flowtable_lock);
18 static LIST_HEAD(flowtables);
19
20 static void
21 flow_offload_fill_dir(struct flow_offload *flow,
22 enum flow_offload_tuple_dir dir)
23 {
24 struct flow_offload_tuple *ft = &flow->tuplehash[dir].tuple;
25 struct nf_conntrack_tuple *ctt = &flow->ct->tuplehash[dir].tuple;
26
27 ft->dir = dir;
28
29 switch (ctt->src.l3num) {
30 case NFPROTO_IPV4:
31 ft->src_v4 = ctt->src.u3.in;
32 ft->dst_v4 = ctt->dst.u3.in;
33 break;
34 case NFPROTO_IPV6:
35 ft->src_v6 = ctt->src.u3.in6;
36 ft->dst_v6 = ctt->dst.u3.in6;
37 break;
38 }
39
40 ft->l3proto = ctt->src.l3num;
41 ft->l4proto = ctt->dst.protonum;
42 ft->src_port = ctt->src.u.tcp.port;
43 ft->dst_port = ctt->dst.u.tcp.port;
44 }
45
46 struct flow_offload *flow_offload_alloc(struct nf_conn *ct)
47 {
48 struct flow_offload *flow;
49
50 if (unlikely(nf_ct_is_dying(ct) ||
51 !atomic_inc_not_zero(&ct->ct_general.use)))
52 return NULL;
53
54 flow = kzalloc(sizeof(*flow), GFP_ATOMIC);
55 if (!flow)
56 goto err_ct_refcnt;
57
58 flow->ct = ct;
59
60 flow_offload_fill_dir(flow, FLOW_OFFLOAD_DIR_ORIGINAL);
61 flow_offload_fill_dir(flow, FLOW_OFFLOAD_DIR_REPLY);
62
63 if (ct->status & IPS_SRC_NAT)
64 __set_bit(NF_FLOW_SNAT, &flow->flags);
65 if (ct->status & IPS_DST_NAT)
66 __set_bit(NF_FLOW_DNAT, &flow->flags);
67
68 return flow;
69
70 err_ct_refcnt:
71 nf_ct_put(ct);
72
73 return NULL;
74 }
75 EXPORT_SYMBOL_GPL(flow_offload_alloc);
76
77 static int flow_offload_fill_route(struct flow_offload *flow,
78 const struct nf_flow_route *route,
79 enum flow_offload_tuple_dir dir)
80 {
81 struct flow_offload_tuple *flow_tuple = &flow->tuplehash[dir].tuple;
82 struct dst_entry *other_dst = route->tuple[!dir].dst;
83 struct dst_entry *dst = route->tuple[dir].dst;
84
85 if (!dst_hold_safe(route->tuple[dir].dst))
86 return -1;
87
88 switch (flow_tuple->l3proto) {
89 case NFPROTO_IPV4:
90 flow_tuple->mtu = ip_dst_mtu_maybe_forward(dst, true);
91 break;
92 case NFPROTO_IPV6:
93 flow_tuple->mtu = ip6_dst_mtu_forward(dst);
94 break;
95 }
96
97 flow_tuple->iifidx = other_dst->dev->ifindex;
98 flow_tuple->dst_cache = dst;
99
100 return 0;
101 }
102
103 int flow_offload_route_init(struct flow_offload *flow,
104 const struct nf_flow_route *route)
105 {
106 int err;
107
108 err = flow_offload_fill_route(flow, route, FLOW_OFFLOAD_DIR_ORIGINAL);
109 if (err < 0)
110 return err;
111
112 err = flow_offload_fill_route(flow, route, FLOW_OFFLOAD_DIR_REPLY);
113 if (err < 0)
114 goto err_route_reply;
115
116 flow->type = NF_FLOW_OFFLOAD_ROUTE;
117
118 return 0;
119
120 err_route_reply:
121 dst_release(route->tuple[FLOW_OFFLOAD_DIR_ORIGINAL].dst);
122
123 return err;
124 }
125 EXPORT_SYMBOL_GPL(flow_offload_route_init);
126
127 static void flow_offload_fixup_tcp(struct ip_ct_tcp *tcp)
128 {
129 tcp->state = TCP_CONNTRACK_ESTABLISHED;
130 tcp->seen[0].td_maxwin = 0;
131 tcp->seen[1].td_maxwin = 0;
132 }
133
134 #define NF_FLOWTABLE_TCP_PICKUP_TIMEOUT (120 * HZ)
135 #define NF_FLOWTABLE_UDP_PICKUP_TIMEOUT (30 * HZ)
136
137 static void flow_offload_fixup_ct_timeout(struct nf_conn *ct)
138 {
139 const struct nf_conntrack_l4proto *l4proto;
140 int l4num = nf_ct_protonum(ct);
141 unsigned int timeout;
142
143 l4proto = nf_ct_l4proto_find(l4num);
144 if (!l4proto)
145 return;
146
147 if (l4num == IPPROTO_TCP)
148 timeout = NF_FLOWTABLE_TCP_PICKUP_TIMEOUT;
149 else if (l4num == IPPROTO_UDP)
150 timeout = NF_FLOWTABLE_UDP_PICKUP_TIMEOUT;
151 else
152 return;
153
154 if (nf_flow_timeout_delta(ct->timeout) > (__s32)timeout)
155 ct->timeout = nfct_time_stamp + timeout;
156 }
157
158 static void flow_offload_fixup_ct_state(struct nf_conn *ct)
159 {
160 if (nf_ct_protonum(ct) == IPPROTO_TCP)
161 flow_offload_fixup_tcp(&ct->proto.tcp);
162 }
163
164 static void flow_offload_fixup_ct(struct nf_conn *ct)
165 {
166 flow_offload_fixup_ct_state(ct);
167 flow_offload_fixup_ct_timeout(ct);
168 }
169
170 static void flow_offload_route_release(struct flow_offload *flow)
171 {
172 dst_release(flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.dst_cache);
173 dst_release(flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.dst_cache);
174 }
175
176 void flow_offload_free(struct flow_offload *flow)
177 {
178 switch (flow->type) {
179 case NF_FLOW_OFFLOAD_ROUTE:
180 flow_offload_route_release(flow);
181 break;
182 default:
183 break;
184 }
185 nf_ct_put(flow->ct);
186 kfree_rcu(flow, rcu_head);
187 }
188 EXPORT_SYMBOL_GPL(flow_offload_free);
189
190 static u32 flow_offload_hash(const void *data, u32 len, u32 seed)
191 {
192 const struct flow_offload_tuple *tuple = data;
193
194 return jhash(tuple, offsetof(struct flow_offload_tuple, dir), seed);
195 }
196
197 static u32 flow_offload_hash_obj(const void *data, u32 len, u32 seed)
198 {
199 const struct flow_offload_tuple_rhash *tuplehash = data;
200
201 return jhash(&tuplehash->tuple, offsetof(struct flow_offload_tuple, dir), seed);
202 }
203
204 static int flow_offload_hash_cmp(struct rhashtable_compare_arg *arg,
205 const void *ptr)
206 {
207 const struct flow_offload_tuple *tuple = arg->key;
208 const struct flow_offload_tuple_rhash *x = ptr;
209
210 if (memcmp(&x->tuple, tuple, offsetof(struct flow_offload_tuple, dir)))
211 return 1;
212
213 return 0;
214 }
215
216 static const struct rhashtable_params nf_flow_offload_rhash_params = {
217 .head_offset = offsetof(struct flow_offload_tuple_rhash, node),
218 .hashfn = flow_offload_hash,
219 .obj_hashfn = flow_offload_hash_obj,
220 .obj_cmpfn = flow_offload_hash_cmp,
221 .automatic_shrinking = true,
222 };
223
224 int flow_offload_add(struct nf_flowtable *flow_table, struct flow_offload *flow)
225 {
226 int err;
227
228 flow->timeout = nf_flowtable_time_stamp + NF_FLOW_TIMEOUT;
229
230 err = rhashtable_insert_fast(&flow_table->rhashtable,
231 &flow->tuplehash[0].node,
232 nf_flow_offload_rhash_params);
233 if (err < 0)
234 return err;
235
236 err = rhashtable_insert_fast(&flow_table->rhashtable,
237 &flow->tuplehash[1].node,
238 nf_flow_offload_rhash_params);
239 if (err < 0) {
240 rhashtable_remove_fast(&flow_table->rhashtable,
241 &flow->tuplehash[0].node,
242 nf_flow_offload_rhash_params);
243 return err;
244 }
245
246 if (nf_flowtable_hw_offload(flow_table)) {
247 __set_bit(NF_FLOW_HW, &flow->flags);
248 nf_flow_offload_add(flow_table, flow);
249 }
250
251 return 0;
252 }
253 EXPORT_SYMBOL_GPL(flow_offload_add);
254
255 void flow_offload_refresh(struct nf_flowtable *flow_table,
256 struct flow_offload *flow)
257 {
258 flow->timeout = nf_flowtable_time_stamp + NF_FLOW_TIMEOUT;
259
260 if (likely(!nf_flowtable_hw_offload(flow_table) ||
261 !test_and_clear_bit(NF_FLOW_HW_REFRESH, &flow->flags)))
262 return;
263
264 nf_flow_offload_add(flow_table, flow);
265 }
266 EXPORT_SYMBOL_GPL(flow_offload_refresh);
267
268 static inline bool nf_flow_has_expired(const struct flow_offload *flow)
269 {
270 return nf_flow_timeout_delta(flow->timeout) <= 0;
271 }
272
273 static void flow_offload_del(struct nf_flowtable *flow_table,
274 struct flow_offload *flow)
275 {
276 rhashtable_remove_fast(&flow_table->rhashtable,
277 &flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].node,
278 nf_flow_offload_rhash_params);
279 rhashtable_remove_fast(&flow_table->rhashtable,
280 &flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].node,
281 nf_flow_offload_rhash_params);
282
283 clear_bit(IPS_OFFLOAD_BIT, &flow->ct->status);
284
285 if (nf_flow_has_expired(flow))
286 flow_offload_fixup_ct(flow->ct);
287 else if (test_bit(NF_FLOW_TEARDOWN, &flow->flags))
288 flow_offload_fixup_ct_timeout(flow->ct);
289
290 flow_offload_free(flow);
291 }
292
293 void flow_offload_teardown(struct flow_offload *flow)
294 {
295 set_bit(NF_FLOW_TEARDOWN, &flow->flags);
296
297 flow_offload_fixup_ct_state(flow->ct);
298 }
299 EXPORT_SYMBOL_GPL(flow_offload_teardown);
300
301 struct flow_offload_tuple_rhash *
302 flow_offload_lookup(struct nf_flowtable *flow_table,
303 struct flow_offload_tuple *tuple)
304 {
305 struct flow_offload_tuple_rhash *tuplehash;
306 struct flow_offload *flow;
307 int dir;
308
309 tuplehash = rhashtable_lookup(&flow_table->rhashtable, tuple,
310 nf_flow_offload_rhash_params);
311 if (!tuplehash)
312 return NULL;
313
314 dir = tuplehash->tuple.dir;
315 flow = container_of(tuplehash, struct flow_offload, tuplehash[dir]);
316 if (test_bit(NF_FLOW_TEARDOWN, &flow->flags))
317 return NULL;
318
319 if (unlikely(nf_ct_is_dying(flow->ct)))
320 return NULL;
321
322 return tuplehash;
323 }
324 EXPORT_SYMBOL_GPL(flow_offload_lookup);
325
326 static int
327 nf_flow_table_iterate(struct nf_flowtable *flow_table,
328 void (*iter)(struct flow_offload *flow, void *data),
329 void *data)
330 {
331 struct flow_offload_tuple_rhash *tuplehash;
332 struct rhashtable_iter hti;
333 struct flow_offload *flow;
334 int err = 0;
335
336 rhashtable_walk_enter(&flow_table->rhashtable, &hti);
337 rhashtable_walk_start(&hti);
338
339 while ((tuplehash = rhashtable_walk_next(&hti))) {
340 if (IS_ERR(tuplehash)) {
341 if (PTR_ERR(tuplehash) != -EAGAIN) {
342 err = PTR_ERR(tuplehash);
343 break;
344 }
345 continue;
346 }
347 if (tuplehash->tuple.dir)
348 continue;
349
350 flow = container_of(tuplehash, struct flow_offload, tuplehash[0]);
351
352 iter(flow, data);
353 }
354 rhashtable_walk_stop(&hti);
355 rhashtable_walk_exit(&hti);
356
357 return err;
358 }
359
360 static void nf_flow_offload_gc_step(struct flow_offload *flow, void *data)
361 {
362 struct nf_flowtable *flow_table = data;
363
364 if (nf_flow_has_expired(flow) || nf_ct_is_dying(flow->ct) ||
365 test_bit(NF_FLOW_TEARDOWN, &flow->flags)) {
366 if (test_bit(NF_FLOW_HW, &flow->flags)) {
367 if (!test_bit(NF_FLOW_HW_DYING, &flow->flags))
368 nf_flow_offload_del(flow_table, flow);
369 else if (test_bit(NF_FLOW_HW_DEAD, &flow->flags))
370 flow_offload_del(flow_table, flow);
371 } else {
372 flow_offload_del(flow_table, flow);
373 }
374 } else if (test_bit(NF_FLOW_HW, &flow->flags)) {
375 nf_flow_offload_stats(flow_table, flow);
376 }
377 }
378
379 static void nf_flow_offload_work_gc(struct work_struct *work)
380 {
381 struct nf_flowtable *flow_table;
382
383 flow_table = container_of(work, struct nf_flowtable, gc_work.work);
384 nf_flow_table_iterate(flow_table, nf_flow_offload_gc_step, flow_table);
385 queue_delayed_work(system_power_efficient_wq, &flow_table->gc_work, HZ);
386 }
387
388 int nf_flow_table_offload_add_cb(struct nf_flowtable *flow_table,
389 flow_setup_cb_t *cb, void *cb_priv)
390 {
391 struct flow_block *block = &flow_table->flow_block;
392 struct flow_block_cb *block_cb;
393 int err = 0;
394
395 down_write(&flow_table->flow_block_lock);
396 block_cb = flow_block_cb_lookup(block, cb, cb_priv);
397 if (block_cb) {
398 err = -EEXIST;
399 goto unlock;
400 }
401
402 block_cb = flow_block_cb_alloc(cb, cb_priv, cb_priv, NULL);
403 if (IS_ERR(block_cb)) {
404 err = PTR_ERR(block_cb);
405 goto unlock;
406 }
407
408 list_add_tail(&block_cb->list, &block->cb_list);
409
410 unlock:
411 up_write(&flow_table->flow_block_lock);
412 return err;
413 }
414 EXPORT_SYMBOL_GPL(nf_flow_table_offload_add_cb);
415
416 void nf_flow_table_offload_del_cb(struct nf_flowtable *flow_table,
417 flow_setup_cb_t *cb, void *cb_priv)
418 {
419 struct flow_block *block = &flow_table->flow_block;
420 struct flow_block_cb *block_cb;
421
422 down_write(&flow_table->flow_block_lock);
423 block_cb = flow_block_cb_lookup(block, cb, cb_priv);
424 if (block_cb) {
425 list_del(&block_cb->list);
426 flow_block_cb_free(block_cb);
427 } else {
428 WARN_ON(true);
429 }
430 up_write(&flow_table->flow_block_lock);
431 }
432 EXPORT_SYMBOL_GPL(nf_flow_table_offload_del_cb);
433
434 static int nf_flow_nat_port_tcp(struct sk_buff *skb, unsigned int thoff,
435 __be16 port, __be16 new_port)
436 {
437 struct tcphdr *tcph;
438
439 if (!pskb_may_pull(skb, thoff + sizeof(*tcph)) ||
440 skb_try_make_writable(skb, thoff + sizeof(*tcph)))
441 return -1;
442
443 tcph = (void *)(skb_network_header(skb) + thoff);
444 inet_proto_csum_replace2(&tcph->check, skb, port, new_port, true);
445
446 return 0;
447 }
448
449 static int nf_flow_nat_port_udp(struct sk_buff *skb, unsigned int thoff,
450 __be16 port, __be16 new_port)
451 {
452 struct udphdr *udph;
453
454 if (!pskb_may_pull(skb, thoff + sizeof(*udph)) ||
455 skb_try_make_writable(skb, thoff + sizeof(*udph)))
456 return -1;
457
458 udph = (void *)(skb_network_header(skb) + thoff);
459 if (udph->check || skb->ip_summed == CHECKSUM_PARTIAL) {
460 inet_proto_csum_replace2(&udph->check, skb, port,
461 new_port, true);
462 if (!udph->check)
463 udph->check = CSUM_MANGLED_0;
464 }
465
466 return 0;
467 }
468
469 static int nf_flow_nat_port(struct sk_buff *skb, unsigned int thoff,
470 u8 protocol, __be16 port, __be16 new_port)
471 {
472 switch (protocol) {
473 case IPPROTO_TCP:
474 if (nf_flow_nat_port_tcp(skb, thoff, port, new_port) < 0)
475 return NF_DROP;
476 break;
477 case IPPROTO_UDP:
478 if (nf_flow_nat_port_udp(skb, thoff, port, new_port) < 0)
479 return NF_DROP;
480 break;
481 }
482
483 return 0;
484 }
485
486 int nf_flow_snat_port(const struct flow_offload *flow,
487 struct sk_buff *skb, unsigned int thoff,
488 u8 protocol, enum flow_offload_tuple_dir dir)
489 {
490 struct flow_ports *hdr;
491 __be16 port, new_port;
492
493 if (!pskb_may_pull(skb, thoff + sizeof(*hdr)) ||
494 skb_try_make_writable(skb, thoff + sizeof(*hdr)))
495 return -1;
496
497 hdr = (void *)(skb_network_header(skb) + thoff);
498
499 switch (dir) {
500 case FLOW_OFFLOAD_DIR_ORIGINAL:
501 port = hdr->source;
502 new_port = flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.dst_port;
503 hdr->source = new_port;
504 break;
505 case FLOW_OFFLOAD_DIR_REPLY:
506 port = hdr->dest;
507 new_port = flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.src_port;
508 hdr->dest = new_port;
509 break;
510 default:
511 return -1;
512 }
513
514 return nf_flow_nat_port(skb, thoff, protocol, port, new_port);
515 }
516 EXPORT_SYMBOL_GPL(nf_flow_snat_port);
517
518 int nf_flow_dnat_port(const struct flow_offload *flow,
519 struct sk_buff *skb, unsigned int thoff,
520 u8 protocol, enum flow_offload_tuple_dir dir)
521 {
522 struct flow_ports *hdr;
523 __be16 port, new_port;
524
525 if (!pskb_may_pull(skb, thoff + sizeof(*hdr)) ||
526 skb_try_make_writable(skb, thoff + sizeof(*hdr)))
527 return -1;
528
529 hdr = (void *)(skb_network_header(skb) + thoff);
530
531 switch (dir) {
532 case FLOW_OFFLOAD_DIR_ORIGINAL:
533 port = hdr->dest;
534 new_port = flow->tuplehash[FLOW_OFFLOAD_DIR_REPLY].tuple.src_port;
535 hdr->dest = new_port;
536 break;
537 case FLOW_OFFLOAD_DIR_REPLY:
538 port = hdr->source;
539 new_port = flow->tuplehash[FLOW_OFFLOAD_DIR_ORIGINAL].tuple.dst_port;
540 hdr->source = new_port;
541 break;
542 default:
543 return -1;
544 }
545
546 return nf_flow_nat_port(skb, thoff, protocol, port, new_port);
547 }
548 EXPORT_SYMBOL_GPL(nf_flow_dnat_port);
549
550 int nf_flow_table_init(struct nf_flowtable *flowtable)
551 {
552 int err;
553
554 INIT_DEFERRABLE_WORK(&flowtable->gc_work, nf_flow_offload_work_gc);
555 flow_block_init(&flowtable->flow_block);
556 init_rwsem(&flowtable->flow_block_lock);
557
558 err = rhashtable_init(&flowtable->rhashtable,
559 &nf_flow_offload_rhash_params);
560 if (err < 0)
561 return err;
562
563 queue_delayed_work(system_power_efficient_wq,
564 &flowtable->gc_work, HZ);
565
566 mutex_lock(&flowtable_lock);
567 list_add(&flowtable->list, &flowtables);
568 mutex_unlock(&flowtable_lock);
569
570 return 0;
571 }
572 EXPORT_SYMBOL_GPL(nf_flow_table_init);
573
574 static void nf_flow_table_do_cleanup(struct flow_offload *flow, void *data)
575 {
576 struct net_device *dev = data;
577
578 if (!dev) {
579 flow_offload_teardown(flow);
580 return;
581 }
582
583 if (net_eq(nf_ct_net(flow->ct), dev_net(dev)) &&
584 (flow->tuplehash[0].tuple.iifidx == dev->ifindex ||
585 flow->tuplehash[1].tuple.iifidx == dev->ifindex))
586 flow_offload_teardown(flow);
587 }
588
589 static void nf_flow_table_iterate_cleanup(struct nf_flowtable *flowtable,
590 struct net_device *dev)
591 {
592 nf_flow_table_iterate(flowtable, nf_flow_table_do_cleanup, dev);
593 flush_delayed_work(&flowtable->gc_work);
594 nf_flow_table_offload_flush(flowtable);
595 }
596
597 void nf_flow_table_cleanup(struct net_device *dev)
598 {
599 struct nf_flowtable *flowtable;
600
601 mutex_lock(&flowtable_lock);
602 list_for_each_entry(flowtable, &flowtables, list)
603 nf_flow_table_iterate_cleanup(flowtable, dev);
604 mutex_unlock(&flowtable_lock);
605 }
606 EXPORT_SYMBOL_GPL(nf_flow_table_cleanup);
607
608 void nf_flow_table_free(struct nf_flowtable *flow_table)
609 {
610 mutex_lock(&flowtable_lock);
611 list_del(&flow_table->list);
612 mutex_unlock(&flowtable_lock);
613
614 cancel_delayed_work_sync(&flow_table->gc_work);
615 nf_flow_table_iterate(flow_table, nf_flow_table_do_cleanup, NULL);
616 nf_flow_table_iterate(flow_table, nf_flow_offload_gc_step, flow_table);
617 nf_flow_table_offload_flush(flow_table);
618 if (nf_flowtable_hw_offload(flow_table))
619 nf_flow_table_iterate(flow_table, nf_flow_offload_gc_step,
620 flow_table);
621 rhashtable_destroy(&flow_table->rhashtable);
622 }
623 EXPORT_SYMBOL_GPL(nf_flow_table_free);
624
625 static int __init nf_flow_table_module_init(void)
626 {
627 return nf_flow_table_offload_init();
628 }
629
630 static void __exit nf_flow_table_module_exit(void)
631 {
632 nf_flow_table_offload_exit();
633 }
634
635 module_init(nf_flow_table_module_init);
636 module_exit(nf_flow_table_module_exit);
637
638 MODULE_LICENSE("GPL");
639 MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
A mirror of Linus' kernel repository