/*
 * net/core/fib_rules.c		Generic Routing Rules
 *
 * This program is free software; you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation, version 2.
 *
 * Authors:	Thomas Graf <tgraf@suug.ch>
 */

#include <linux/types.h>
#include <linux/kernel.h>
#include <linux/slab.h>
#include <linux/list.h>
#include <linux/module.h>
#include <net/net_namespace.h>
#include <net/sock.h>
#include <net/fib_rules.h>
#include <net/ip_tunnels.h>

static const struct fib_kuid_range fib_kuid_range_unset = {
	KUIDT_INIT(0),
	KUIDT_INIT(~0),
};

bool fib_rule_matchall(const struct fib_rule *rule)
{
	if (rule->iifindex || rule->oifindex || rule->mark || rule->tun_id ||
	    rule->flags)
		return false;
	if (rule->suppress_ifgroup != -1 || rule->suppress_prefixlen != -1)
		return false;
	if (!uid_eq(rule->uid_range.start, fib_kuid_range_unset.start) ||
	    !uid_eq(rule->uid_range.end, fib_kuid_range_unset.end))
		return false;
	return true;
}
EXPORT_SYMBOL_GPL(fib_rule_matchall);

int fib_default_rule_add(struct fib_rules_ops *ops,
			 u32 pref, u32 table, u32 flags)
{
	struct fib_rule *r;

	r = kzalloc(ops->rule_size, GFP_KERNEL);
	if (r == NULL)
		return -ENOMEM;

	refcount_set(&r->refcnt, 1);
	r->action = FR_ACT_TO_TBL;
	r->pref = pref;
	r->table = table;
	r->flags = flags;
	r->proto = RTPROT_KERNEL;
	r->fr_net = ops->fro_net;
	r->uid_range = fib_kuid_range_unset;

	r->suppress_prefixlen = -1;
	r->suppress_ifgroup = -1;

	/* The lock is not required here, the list is unreachable
	 * at the moment this function is called */
	list_add_tail(&r->list, &ops->rules_list);
	return 0;
}
EXPORT_SYMBOL(fib_default_rule_add);

static u32 fib_default_rule_pref(struct fib_rules_ops *ops)
{
	struct list_head *pos;
	struct fib_rule *rule;

	if (!list_empty(&ops->rules_list)) {
		pos = ops->rules_list.next;
		if (pos->next != &ops->rules_list) {
			rule = list_entry(pos->next, struct fib_rule, list);
			if (rule->pref)
				return rule->pref - 1;
		}
	}

	return 0;
}

static void notify_rule_change(int event, struct fib_rule *rule,
			       struct fib_rules_ops *ops, struct nlmsghdr *nlh,
			       u32 pid);

static struct fib_rules_ops *lookup_rules_ops(struct net *net, int family)
{
	struct fib_rules_ops *ops;

	rcu_read_lock();
	list_for_each_entry_rcu(ops, &net->rules_ops, list) {
		if (ops->family == family) {
			if (!try_module_get(ops->owner))
				ops = NULL;
			rcu_read_unlock();
			return ops;
		}
	}
	rcu_read_unlock();

	return NULL;
}

static void rules_ops_put(struct fib_rules_ops *ops)
{
	if (ops)
		module_put(ops->owner);
}

static void flush_route_cache(struct fib_rules_ops *ops)
{
	if (ops->flush_cache)
		ops->flush_cache(ops);
}

static int __fib_rules_register(struct fib_rules_ops *ops)
{
	int err = -EEXIST;
	struct fib_rules_ops *o;
	struct net *net;

	net = ops->fro_net;

	if (ops->rule_size < sizeof(struct fib_rule))
		return -EINVAL;

	if (ops->match == NULL || ops->configure == NULL ||
	    ops->compare == NULL || ops->fill == NULL ||
	    ops->action == NULL)
		return -EINVAL;

	spin_lock(&net->rules_mod_lock);
	list_for_each_entry(o, &net->rules_ops, list)
		if (ops->family == o->family)
			goto errout;

	list_add_tail_rcu(&ops->list, &net->rules_ops);
	err = 0;
errout:
	spin_unlock(&net->rules_mod_lock);

	return err;
}
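
/* Register a per-namespace copy of the template @tmpl for @net. The
 * ops must provide match, configure, compare, fill and action hooks;
 * on failure an ERR_PTR() is returned and nothing is registered.
 */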
struct fib_rules_ops *
fib_rules_register(const struct fib_rules_ops *tmpl, struct net *net)
{
	struct fib_rules_ops *ops;
	int err;

	ops = kmemdup(tmpl, sizeof(*ops), GFP_KERNEL);
	if (ops == NULL)
		return ERR_PTR(-ENOMEM);

	INIT_LIST_HEAD(&ops->rules_list);
	ops->fro_net = net;

	err = __fib_rules_register(ops);
	if (err) {
		kfree(ops);
		ops = ERR_PTR(err);
	}

	return ops;
}
EXPORT_SYMBOL_GPL(fib_rules_register);

static void fib_rules_cleanup_ops(struct fib_rules_ops *ops)
{
	struct fib_rule *rule, *tmp;

	list_for_each_entry_safe(rule, tmp, &ops->rules_list, list) {
		list_del_rcu(&rule->list);
		if (ops->delete)
			ops->delete(rule);
		fib_rule_put(rule);
	}
}

void fib_rules_unregister(struct fib_rules_ops *ops)
{
	struct net *net = ops->fro_net;

	spin_lock(&net->rules_mod_lock);
	list_del_rcu(&ops->list);
	spin_unlock(&net->rules_mod_lock);

	fib_rules_cleanup_ops(ops);
	kfree_rcu(ops, rcu);
}
EXPORT_SYMBOL_GPL(fib_rules_unregister);

static int uid_range_set(struct fib_kuid_range *range)
{
	return uid_valid(range->start) && uid_valid(range->end);
}

static struct fib_kuid_range nla_get_kuid_range(struct nlattr **tb)
{
	struct fib_rule_uid_range *in;
	struct fib_kuid_range out;

	in = (struct fib_rule_uid_range *)nla_data(tb[FRA_UID_RANGE]);

	out.start = make_kuid(current_user_ns(), in->start);
	out.end = make_kuid(current_user_ns(), in->end);

	return out;
}

static int nla_put_uid_range(struct sk_buff *skb, struct fib_kuid_range *range)
{
	struct fib_rule_uid_range out = {
		from_kuid_munged(current_user_ns(), range->start),
		from_kuid_munged(current_user_ns(), range->end)
	};

	return nla_put(skb, FRA_UID_RANGE, sizeof(out), &out);
}

static int fib_rule_match(struct fib_rule *rule, struct fib_rules_ops *ops,
			  struct flowi *fl, int flags,
			  struct fib_lookup_arg *arg)
{
	int ret = 0;

	if (rule->iifindex && (rule->iifindex != fl->flowi_iif))
		goto out;

	if (rule->oifindex && (rule->oifindex != fl->flowi_oif))
		goto out;

	if ((rule->mark ^ fl->flowi_mark) & rule->mark_mask)
		goto out;

	if (rule->tun_id && (rule->tun_id != fl->flowi_tun_key.tun_id))
		goto out;

	if (rule->l3mdev && !l3mdev_fib_rule_match(rule->fr_net, fl, arg))
		goto out;

	if (uid_lt(fl->flowi_uid, rule->uid_range.start) ||
	    uid_gt(fl->flowi_uid, rule->uid_range.end))
		goto out;

	ret = ops->match(rule, fl, flags);
out:
	return (rule->flags & FIB_RULE_INVERT) ? !ret : ret;
}
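
/* Walk the rules of @ops in priority order and run the action of the
 * first matching, non-suppressed rule. FR_ACT_NOP and unresolved
 * FR_ACT_GOTO targets are skipped, an action returning -EAGAIN falls
 * through to the next rule, and -ESRCH is returned if no rule gives a
 * result. Unless FIB_LOOKUP_NOREF is set, a reference is taken on the
 * returned rule.
 */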
int fib_rules_lookup(struct fib_rules_ops *ops, struct flowi *fl,
		     int flags, struct fib_lookup_arg *arg)
{
	struct fib_rule *rule;
	int err;

	rcu_read_lock();

	list_for_each_entry_rcu(rule, &ops->rules_list, list) {
jumped:
		if (!fib_rule_match(rule, ops, fl, flags, arg))
			continue;

		if (rule->action == FR_ACT_GOTO) {
			struct fib_rule *target;

			target = rcu_dereference(rule->ctarget);
			if (target == NULL) {
				continue;
			} else {
				rule = target;
				goto jumped;
			}
		} else if (rule->action == FR_ACT_NOP)
			continue;
		else
			err = ops->action(rule, fl, flags, arg);

		if (!err && ops->suppress && ops->suppress(rule, arg))
			continue;

		if (err != -EAGAIN) {
			if ((arg->flags & FIB_LOOKUP_NOREF) ||
			    likely(refcount_inc_not_zero(&rule->refcnt))) {
				arg->rule = rule;
				goto out;
			}
			break;
		}
	}

	err = -ESRCH;
out:
	rcu_read_unlock();

	return err;
}
EXPORT_SYMBOL_GPL(fib_rules_lookup);

static int call_fib_rule_notifier(struct notifier_block *nb, struct net *net,
				  enum fib_event_type event_type,
				  struct fib_rule *rule, int family)
{
	struct fib_rule_notifier_info info = {
		.info.family = family,
		.rule = rule,
	};

	return call_fib_notifier(nb, net, event_type, &info.info);
}

static int call_fib_rule_notifiers(struct net *net,
				   enum fib_event_type event_type,
				   struct fib_rule *rule,
				   struct fib_rules_ops *ops,
				   struct netlink_ext_ack *extack)
{
	struct fib_rule_notifier_info info = {
		.info.family = ops->family,
		.info.extack = extack,
		.rule = rule,
	};

	ops->fib_rules_seq++;
	return call_fib_notifiers(net, event_type, &info.info);
}

/* Called with rcu_read_lock() */
int fib_rules_dump(struct net *net, struct notifier_block *nb, int family)
{
	struct fib_rules_ops *ops;
	struct fib_rule *rule;

	ops = lookup_rules_ops(net, family);
	if (!ops)
		return -EAFNOSUPPORT;
	list_for_each_entry_rcu(rule, &ops->rules_list, list)
		call_fib_rule_notifier(nb, net, FIB_EVENT_RULE_ADD, rule,
				       family);
	rules_ops_put(ops);

	return 0;
}
EXPORT_SYMBOL_GPL(fib_rules_dump);

unsigned int fib_rules_seq_read(struct net *net, int family)
{
	unsigned int fib_rules_seq;
	struct fib_rules_ops *ops;

	ASSERT_RTNL();

	ops = lookup_rules_ops(net, family);
	if (!ops)
		return 0;
	fib_rules_seq = ops->fib_rules_seq;
	rules_ops_put(ops);

	return fib_rules_seq;
}
EXPORT_SYMBOL_GPL(fib_rules_seq_read);

static int validate_rulemsg(struct fib_rule_hdr *frh, struct nlattr **tb,
			    struct fib_rules_ops *ops)
{
	int err = -EINVAL;

	if (frh->src_len)
		if (tb[FRA_SRC] == NULL ||
		    frh->src_len > (ops->addr_size * 8) ||
		    nla_len(tb[FRA_SRC]) != ops->addr_size)
			goto errout;

	if (frh->dst_len)
		if (tb[FRA_DST] == NULL ||
		    frh->dst_len > (ops->addr_size * 8) ||
		    nla_len(tb[FRA_DST]) != ops->addr_size)
			goto errout;

	err = 0;
errout:
	return err;
}

static int rule_exists(struct fib_rules_ops *ops, struct fib_rule_hdr *frh,
		       struct nlattr **tb, struct fib_rule *rule)
{
	struct fib_rule *r;

	list_for_each_entry(r, &ops->rules_list, list) {
		if (r->action != rule->action)
			continue;

		if (r->table != rule->table)
			continue;

		if (r->pref != rule->pref)
			continue;

		if (memcmp(r->iifname, rule->iifname, IFNAMSIZ))
			continue;

		if (memcmp(r->oifname, rule->oifname, IFNAMSIZ))
			continue;

		if (r->mark != rule->mark)
			continue;

		if (r->mark_mask != rule->mark_mask)
			continue;

		if (r->tun_id != rule->tun_id)
			continue;

		if (r->fr_net != rule->fr_net)
			continue;

		if (r->l3mdev != rule->l3mdev)
			continue;

		if (!uid_eq(r->uid_range.start, rule->uid_range.start) ||
		    !uid_eq(r->uid_range.end, rule->uid_range.end))
			continue;

		if (!ops->compare(r, frh, tb))
			continue;
		return 1;
	}
	return 0;
}
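
/* Handle an RTM_NEWRULE request: validate the netlink message, build
 * the rule, insert it into the list ordered by preference and notify
 * both the fib notifier chain and rtnetlink listeners.
 */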
int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr *nlh,
		   struct netlink_ext_ack *extack)
{
	struct net *net = sock_net(skb->sk);
	struct fib_rule_hdr *frh = nlmsg_data(nlh);
	struct fib_rules_ops *ops = NULL;
	struct fib_rule *rule, *r, *last = NULL;
	struct nlattr *tb[FRA_MAX+1];
	int err = -EINVAL, unresolved = 0;

	if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*frh)))
		goto errout;

	ops = lookup_rules_ops(net, frh->family);
	if (ops == NULL) {
		err = -EAFNOSUPPORT;
		goto errout;
	}

	err = nlmsg_parse(nlh, sizeof(*frh), tb, FRA_MAX, ops->policy, extack);
	if (err < 0)
		goto errout;

	err = validate_rulemsg(frh, tb, ops);
	if (err < 0)
		goto errout;

	rule = kzalloc(ops->rule_size, GFP_KERNEL);
	if (rule == NULL) {
		err = -ENOMEM;
		goto errout;
	}
	refcount_set(&rule->refcnt, 1);
	rule->fr_net = net;
	rule->proto = frh->proto;

	rule->pref = tb[FRA_PRIORITY] ? nla_get_u32(tb[FRA_PRIORITY])
				      : fib_default_rule_pref(ops);

	if (tb[FRA_IIFNAME]) {
		struct net_device *dev;

		rule->iifindex = -1;
		nla_strlcpy(rule->iifname, tb[FRA_IIFNAME], IFNAMSIZ);
		dev = __dev_get_by_name(net, rule->iifname);
		if (dev)
			rule->iifindex = dev->ifindex;
	}

	if (tb[FRA_OIFNAME]) {
		struct net_device *dev;

		rule->oifindex = -1;
		nla_strlcpy(rule->oifname, tb[FRA_OIFNAME], IFNAMSIZ);
		dev = __dev_get_by_name(net, rule->oifname);
		if (dev)
			rule->oifindex = dev->ifindex;
	}

	if (tb[FRA_FWMARK]) {
		rule->mark = nla_get_u32(tb[FRA_FWMARK]);
		if (rule->mark)
			/* compatibility: if the mark value is non-zero all bits
			 * are compared unless a mask is explicitly specified.
			 */
			rule->mark_mask = 0xFFFFFFFF;
	}
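
	/* An explicit FRA_FWMASK overrides the all-ones default mask
	 * set above.
	 */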
	if (tb[FRA_FWMASK])
		rule->mark_mask = nla_get_u32(tb[FRA_FWMASK]);

	if (tb[FRA_TUN_ID])
		rule->tun_id = nla_get_be64(tb[FRA_TUN_ID]);

	err = -EINVAL;
	if (tb[FRA_L3MDEV]) {
#ifdef CONFIG_NET_L3_MASTER_DEV
		rule->l3mdev = nla_get_u8(tb[FRA_L3MDEV]);
		if (rule->l3mdev != 1)
#endif
			goto errout_free;
	}

	rule->action = frh->action;
	rule->flags = frh->flags;
	rule->table = frh_get_table(frh, tb);
	if (tb[FRA_SUPPRESS_PREFIXLEN])
		rule->suppress_prefixlen = nla_get_u32(tb[FRA_SUPPRESS_PREFIXLEN]);
	else
		rule->suppress_prefixlen = -1;

	if (tb[FRA_SUPPRESS_IFGROUP])
		rule->suppress_ifgroup = nla_get_u32(tb[FRA_SUPPRESS_IFGROUP]);
	else
		rule->suppress_ifgroup = -1;

	if (tb[FRA_GOTO]) {
		if (rule->action != FR_ACT_GOTO)
			goto errout_free;

		rule->target = nla_get_u32(tb[FRA_GOTO]);
		/* Backward jumps are prohibited to avoid endless loops */
		if (rule->target <= rule->pref)
			goto errout_free;

		list_for_each_entry(r, &ops->rules_list, list) {
			if (r->pref == rule->target) {
				RCU_INIT_POINTER(rule->ctarget, r);
				break;
			}
		}

		if (rcu_dereference_protected(rule->ctarget, 1) == NULL)
			unresolved = 1;
	} else if (rule->action == FR_ACT_GOTO)
		goto errout_free;

	if (rule->l3mdev && rule->table)
		goto errout_free;

	if (tb[FRA_UID_RANGE]) {
		if (current_user_ns() != net->user_ns) {
			err = -EPERM;
			goto errout_free;
		}

		rule->uid_range = nla_get_kuid_range(tb);

		if (!uid_range_set(&rule->uid_range) ||
		    !uid_lte(rule->uid_range.start, rule->uid_range.end))
			goto errout_free;
	} else {
		rule->uid_range = fib_kuid_range_unset;
	}

	if ((nlh->nlmsg_flags & NLM_F_EXCL) &&
	    rule_exists(ops, frh, tb, rule)) {
		err = -EEXIST;
		goto errout_free;
	}

	err = ops->configure(rule, skb, frh, tb);
	if (err < 0)
		goto errout_free;
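
	/* Keep the list ordered by preference: insert after the last
	 * rule whose preference is not greater than the new one.
	 */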
	list_for_each_entry(r, &ops->rules_list, list) {
		if (r->pref > rule->pref)
			break;
		last = r;
	}

	if (last)
		list_add_rcu(&rule->list, &last->list);
	else
		list_add_rcu(&rule->list, &ops->rules_list);

	if (ops->unresolved_rules) {
		/*
		 * There are unresolved goto rules in the list, check if
		 * any of them are pointing to this new rule.
		 */
		list_for_each_entry(r, &ops->rules_list, list) {
			if (r->action == FR_ACT_GOTO &&
			    r->target == rule->pref &&
			    rtnl_dereference(r->ctarget) == NULL) {
				rcu_assign_pointer(r->ctarget, rule);
				if (--ops->unresolved_rules == 0)
					break;
			}
		}
	}

	if (rule->action == FR_ACT_GOTO)
		ops->nr_goto_rules++;

	if (unresolved)
		ops->unresolved_rules++;

	if (rule->tun_id)
		ip_tunnel_need_metadata();

	call_fib_rule_notifiers(net, FIB_EVENT_RULE_ADD, rule, ops, extack);
	notify_rule_change(RTM_NEWRULE, rule, ops, nlh, NETLINK_CB(skb).portid);
	flush_route_cache(ops);
	rules_ops_put(ops);
	return 0;

errout_free:
	kfree(rule);
errout:
	rules_ops_put(ops);
	return err;
}
EXPORT_SYMBOL_GPL(fib_nl_newrule);

int fib_nl_delrule(struct sk_buff *skb, struct nlmsghdr *nlh,
		   struct netlink_ext_ack *extack)
{
	struct net *net = sock_net(skb->sk);
	struct fib_rule_hdr *frh = nlmsg_data(nlh);
	struct fib_rules_ops *ops = NULL;
	struct fib_rule *rule, *r;
	struct nlattr *tb[FRA_MAX+1];
	struct fib_kuid_range range;
	int err = -EINVAL;

	if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*frh)))
		goto errout;

	ops = lookup_rules_ops(net, frh->family);
	if (ops == NULL) {
		err = -EAFNOSUPPORT;
		goto errout;
	}

	err = nlmsg_parse(nlh, sizeof(*frh), tb, FRA_MAX, ops->policy, extack);
	if (err < 0)
		goto errout;

	err = validate_rulemsg(frh, tb, ops);
	if (err < 0)
		goto errout;

	if (tb[FRA_UID_RANGE]) {
		range = nla_get_kuid_range(tb);
		if (!uid_range_set(&range)) {
			err = -EINVAL;
			goto errout;
		}
	} else {
		range = fib_kuid_range_unset;
	}

	list_for_each_entry(rule, &ops->rules_list, list) {
		if (frh->proto && (frh->proto != rule->proto))
			continue;

		if (frh->action && (frh->action != rule->action))
			continue;

		if (frh_get_table(frh, tb) &&
		    (frh_get_table(frh, tb) != rule->table))
			continue;

		if (tb[FRA_PRIORITY] &&
		    (rule->pref != nla_get_u32(tb[FRA_PRIORITY])))
			continue;

		if (tb[FRA_IIFNAME] &&
		    nla_strcmp(tb[FRA_IIFNAME], rule->iifname))
			continue;

		if (tb[FRA_OIFNAME] &&
		    nla_strcmp(tb[FRA_OIFNAME], rule->oifname))
			continue;

		if (tb[FRA_FWMARK] &&
		    (rule->mark != nla_get_u32(tb[FRA_FWMARK])))
			continue;

		if (tb[FRA_FWMASK] &&
		    (rule->mark_mask != nla_get_u32(tb[FRA_FWMASK])))
			continue;

		if (tb[FRA_TUN_ID] &&
		    (rule->tun_id != nla_get_be64(tb[FRA_TUN_ID])))
			continue;

		if (tb[FRA_L3MDEV] &&
		    (rule->l3mdev != nla_get_u8(tb[FRA_L3MDEV])))
			continue;

		if (uid_range_set(&range) &&
		    (!uid_eq(rule->uid_range.start, range.start) ||
		     !uid_eq(rule->uid_range.end, range.end)))
			continue;

		if (!ops->compare(rule, frh, tb))
			continue;

		if (rule->flags & FIB_RULE_PERMANENT) {
			err = -EPERM;
			goto errout;
		}

		if (ops->delete) {
			err = ops->delete(rule);
			if (err)
				goto errout;
		}

		if (rule->tun_id)
			ip_tunnel_unneed_metadata();

		list_del_rcu(&rule->list);

		if (rule->action == FR_ACT_GOTO) {
			ops->nr_goto_rules--;
			if (rtnl_dereference(rule->ctarget) == NULL)
				ops->unresolved_rules--;
		}

		/*
		 * Check if the deleted rule was the target of any goto
		 * rule. If so, retarget those rules to the next rule with
		 * the same preference, or mark them unresolved. As this
		 * operation can be expensive, it is only performed if goto
		 * rules, other than the one being deleted, actually exist.
		 */
		if (ops->nr_goto_rules > 0) {
			struct fib_rule *n;

			n = list_next_entry(rule, list);
			if (&n->list == &ops->rules_list || n->pref != rule->pref)
				n = NULL;
			list_for_each_entry(r, &ops->rules_list, list) {
				if (rtnl_dereference(r->ctarget) != rule)
					continue;
				rcu_assign_pointer(r->ctarget, n);
				if (!n)
					ops->unresolved_rules++;
			}
		}

		call_fib_rule_notifiers(net, FIB_EVENT_RULE_DEL, rule, ops,
					NULL);
		notify_rule_change(RTM_DELRULE, rule, ops, nlh,
				   NETLINK_CB(skb).portid);
		fib_rule_put(rule);
		flush_route_cache(ops);
		rules_ops_put(ops);
		return 0;
	}

	err = -ENOENT;
errout:
	rules_ops_put(ops);
	return err;
}
EXPORT_SYMBOL_GPL(fib_nl_delrule);
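
/* Upper bound on the netlink message size needed for @rule; an
 * underestimate here would surface as -EMSGSIZE (and a WARN_ON) in
 * notify_rule_change().
 */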
static inline size_t fib_rule_nlmsg_size(struct fib_rules_ops *ops,
					 struct fib_rule *rule)
{
	size_t payload = NLMSG_ALIGN(sizeof(struct fib_rule_hdr))
			 + nla_total_size(IFNAMSIZ) /* FRA_IIFNAME */
			 + nla_total_size(IFNAMSIZ) /* FRA_OIFNAME */
			 + nla_total_size(4) /* FRA_PRIORITY */
			 + nla_total_size(4) /* FRA_TABLE */
			 + nla_total_size(4) /* FRA_SUPPRESS_PREFIXLEN */
			 + nla_total_size(4) /* FRA_SUPPRESS_IFGROUP */
			 + nla_total_size(4) /* FRA_FWMARK */
			 + nla_total_size(4) /* FRA_FWMASK */
			 + nla_total_size_64bit(8) /* FRA_TUN_ID */
			 + nla_total_size(sizeof(struct fib_kuid_range));

	if (ops->nlmsg_payload)
		payload += ops->nlmsg_payload(rule);

	return payload;
}

static int fib_nl_fill_rule(struct sk_buff *skb, struct fib_rule *rule,
			    u32 pid, u32 seq, int type, int flags,
			    struct fib_rules_ops *ops)
{
	struct nlmsghdr *nlh;
	struct fib_rule_hdr *frh;

	nlh = nlmsg_put(skb, pid, seq, type, sizeof(*frh), flags);
	if (nlh == NULL)
		return -EMSGSIZE;

	frh = nlmsg_data(nlh);
	frh->family = ops->family;
	frh->table = rule->table;
	if (nla_put_u32(skb, FRA_TABLE, rule->table))
		goto nla_put_failure;
	if (nla_put_u32(skb, FRA_SUPPRESS_PREFIXLEN, rule->suppress_prefixlen))
		goto nla_put_failure;
	frh->res1 = 0;
	frh->action = rule->action;
	frh->flags = rule->flags;
	frh->proto = rule->proto;

	if (rule->action == FR_ACT_GOTO &&
	    rcu_access_pointer(rule->ctarget) == NULL)
		frh->flags |= FIB_RULE_UNRESOLVED;

	if (rule->iifname[0]) {
		if (nla_put_string(skb, FRA_IIFNAME, rule->iifname))
			goto nla_put_failure;
		if (rule->iifindex == -1)
			frh->flags |= FIB_RULE_IIF_DETACHED;
	}

	if (rule->oifname[0]) {
		if (nla_put_string(skb, FRA_OIFNAME, rule->oifname))
			goto nla_put_failure;
		if (rule->oifindex == -1)
			frh->flags |= FIB_RULE_OIF_DETACHED;
	}

	if ((rule->pref &&
	     nla_put_u32(skb, FRA_PRIORITY, rule->pref)) ||
	    (rule->mark &&
	     nla_put_u32(skb, FRA_FWMARK, rule->mark)) ||
	    ((rule->mark_mask || rule->mark) &&
	     nla_put_u32(skb, FRA_FWMASK, rule->mark_mask)) ||
	    (rule->target &&
	     nla_put_u32(skb, FRA_GOTO, rule->target)) ||
	    (rule->tun_id &&
	     nla_put_be64(skb, FRA_TUN_ID, rule->tun_id, FRA_PAD)) ||
	    (rule->l3mdev &&
	     nla_put_u8(skb, FRA_L3MDEV, rule->l3mdev)) ||
	    (uid_range_set(&rule->uid_range) &&
	     nla_put_uid_range(skb, &rule->uid_range)))
		goto nla_put_failure;

	if (rule->suppress_ifgroup != -1) {
		if (nla_put_u32(skb, FRA_SUPPRESS_IFGROUP,
				rule->suppress_ifgroup))
			goto nla_put_failure;
	}

	if (ops->fill(rule, skb, frh) < 0)
		goto nla_put_failure;

	nlmsg_end(skb, nlh);
	return 0;

nla_put_failure:
	nlmsg_cancel(skb, nlh);
	return -EMSGSIZE;
}
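
/* Dump the rules of one family into @skb, resuming at the index saved
 * in cb->args[1].
 */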
static int dump_rules(struct sk_buff *skb, struct netlink_callback *cb,
		      struct fib_rules_ops *ops)
{
	int idx = 0;
	struct fib_rule *rule;
	int err = 0;

	rcu_read_lock();
	list_for_each_entry_rcu(rule, &ops->rules_list, list) {
		if (idx < cb->args[1])
			goto skip;

		err = fib_nl_fill_rule(skb, rule, NETLINK_CB(cb->skb).portid,
				       cb->nlh->nlmsg_seq, RTM_NEWRULE,
				       NLM_F_MULTI, ops);
		if (err)
			break;
skip:
		idx++;
	}
	rcu_read_unlock();
	cb->args[1] = idx;
	rules_ops_put(ops);

	return err;
}

static int fib_nl_dumprule(struct sk_buff *skb, struct netlink_callback *cb)
{
	struct net *net = sock_net(skb->sk);
	struct fib_rules_ops *ops;
	int idx = 0, family;

	family = rtnl_msg_family(cb->nlh);
	if (family != AF_UNSPEC) {
		/* Protocol specific dump request */
		ops = lookup_rules_ops(net, family);
		if (ops == NULL)
			return -EAFNOSUPPORT;

		dump_rules(skb, cb, ops);

		return skb->len;
	}

	rcu_read_lock();
	list_for_each_entry_rcu(ops, &net->rules_ops, list) {
		if (idx < cb->args[0] || !try_module_get(ops->owner))
			goto skip;

		if (dump_rules(skb, cb, ops) < 0)
			break;

		cb->args[1] = 0;
skip:
		idx++;
	}
	rcu_read_unlock();
	cb->args[0] = idx;

	return skb->len;
}

static void notify_rule_change(int event, struct fib_rule *rule,
			       struct fib_rules_ops *ops, struct nlmsghdr *nlh,
			       u32 pid)
{
	struct net *net;
	struct sk_buff *skb;
	int err = -ENOBUFS;

	net = ops->fro_net;
	skb = nlmsg_new(fib_rule_nlmsg_size(ops, rule), GFP_KERNEL);
	if (skb == NULL)
		goto errout;

	err = fib_nl_fill_rule(skb, rule, pid, nlh->nlmsg_seq, event, 0, ops);
	if (err < 0) {
		/* -EMSGSIZE implies BUG in fib_rule_nlmsg_size() */
		WARN_ON(err == -EMSGSIZE);
		kfree_skb(skb);
		goto errout;
	}

	rtnl_notify(skb, net, pid, ops->nlgroup, nlh, GFP_KERNEL);
	return;
errout:
	if (err < 0)
		rtnl_set_sk_err(net, ops->nlgroup, err);
}

static void attach_rules(struct list_head *rules, struct net_device *dev)
{
	struct fib_rule *rule;

	list_for_each_entry(rule, rules, list) {
		if (rule->iifindex == -1 &&
		    strcmp(dev->name, rule->iifname) == 0)
			rule->iifindex = dev->ifindex;
		if (rule->oifindex == -1 &&
		    strcmp(dev->name, rule->oifname) == 0)
			rule->oifindex = dev->ifindex;
	}
}

static void detach_rules(struct list_head *rules, struct net_device *dev)
{
	struct fib_rule *rule;

	list_for_each_entry(rule, rules, list) {
		if (rule->iifindex == dev->ifindex)
			rule->iifindex = -1;
		if (rule->oifindex == dev->ifindex)
			rule->oifindex = -1;
	}
}
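
/* Keep the cached interface indices of all rules in sync with
 * netdevice events: bind by name on register, drop the index on
 * unregister and rebind across a rename.
 */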
static int fib_rules_event(struct notifier_block *this, unsigned long event,
			   void *ptr)
{
	struct net_device *dev = netdev_notifier_info_to_dev(ptr);
	struct net *net = dev_net(dev);
	struct fib_rules_ops *ops;

	ASSERT_RTNL();

	switch (event) {
	case NETDEV_REGISTER:
		list_for_each_entry(ops, &net->rules_ops, list)
			attach_rules(&ops->rules_list, dev);
		break;

	case NETDEV_CHANGENAME:
		list_for_each_entry(ops, &net->rules_ops, list) {
			detach_rules(&ops->rules_list, dev);
			attach_rules(&ops->rules_list, dev);
		}
		break;

	case NETDEV_UNREGISTER:
		list_for_each_entry(ops, &net->rules_ops, list)
			detach_rules(&ops->rules_list, dev);
		break;
	}

	return NOTIFY_DONE;
}

static struct notifier_block fib_rules_notifier = {
	.notifier_call = fib_rules_event,
};

static int __net_init fib_rules_net_init(struct net *net)
{
	INIT_LIST_HEAD(&net->rules_ops);
	spin_lock_init(&net->rules_mod_lock);
	return 0;
}

static void __net_exit fib_rules_net_exit(struct net *net)
{
	WARN_ON_ONCE(!list_empty(&net->rules_ops));
}

static struct pernet_operations fib_rules_net_ops = {
	.init = fib_rules_net_init,
	.exit = fib_rules_net_exit,
	.async = true,
};

static int __init fib_rules_init(void)
{
	int err;
	rtnl_register(PF_UNSPEC, RTM_NEWRULE, fib_nl_newrule, NULL, 0);
	rtnl_register(PF_UNSPEC, RTM_DELRULE, fib_nl_delrule, NULL, 0);
	rtnl_register(PF_UNSPEC, RTM_GETRULE, NULL, fib_nl_dumprule, 0);

	err = register_pernet_subsys(&fib_rules_net_ops);
	if (err < 0)
		goto fail;

	err = register_netdevice_notifier(&fib_rules_notifier);
	if (err < 0)
		goto fail_unregister;

	return 0;

fail_unregister:
	unregister_pernet_subsys(&fib_rules_net_ops);
fail:
	rtnl_unregister(PF_UNSPEC, RTM_NEWRULE);
	rtnl_unregister(PF_UNSPEC, RTM_DELRULE);
	rtnl_unregister(PF_UNSPEC, RTM_GETRULE);
	return err;
}

subsys_initcall(fib_rules_init);