1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * net/ipv6/fib6_rules.c IPv6 Routing Policy Rules 4 * 5 * Copyright (C)2003-2006 Helsinki University of Technology 6 * Copyright (C)2003-2006 USAGI/WIDE Project 7 * 8 * Authors 9 * Thomas Graf <tgraf@suug.ch> 10 * Ville Nuorvala <vnuorval@tcs.hut.fi> 11 */ 12 13 #include <linux/netdevice.h> 14 #include <linux/notifier.h> 15 #include <linux/export.h> 16 #include <linux/indirect_call_wrapper.h> 17 18 #include <net/fib_rules.h> 19 #include <net/inet_dscp.h> 20 #include <net/ipv6.h> 21 #include <net/addrconf.h> 22 #include <net/ip6_route.h> 23 #include <net/netlink.h> 24 25 struct fib6_rule { 26 struct fib_rule common; 27 struct rt6key src; 28 struct rt6key dst; 29 __be32 flowlabel; 30 __be32 flowlabel_mask; 31 dscp_t dscp; 32 dscp_t dscp_mask; 33 u8 dscp_full:1; /* DSCP or TOS selector */ 34 }; 35 36 static bool fib6_rule_matchall(const struct fib_rule *rule) 37 { 38 struct fib6_rule *r = container_of(rule, struct fib6_rule, common); 39 40 if (r->dst.plen || r->src.plen || r->dscp || r->flowlabel_mask) 41 return false; 42 return fib_rule_matchall(rule); 43 } 44 45 bool fib6_rule_default(const struct fib_rule *rule) 46 { 47 if (!fib6_rule_matchall(rule) || rule->action != FR_ACT_TO_TBL || 48 rule->l3mdev) 49 return false; 50 if (rule->table != RT6_TABLE_LOCAL && rule->table != RT6_TABLE_MAIN) 51 return false; 52 return true; 53 } 54 EXPORT_SYMBOL_GPL(fib6_rule_default); 55 56 int fib6_rules_dump(struct net *net, struct notifier_block *nb, 57 struct netlink_ext_ack *extack) 58 { 59 return fib_rules_dump(net, nb, AF_INET6, extack); 60 } 61 62 unsigned int fib6_rules_seq_read(const struct net *net) 63 { 64 return fib_rules_seq_read(net, AF_INET6); 65 } 66 67 /* called with rcu lock held; no reference taken on fib6_info */ 68 int fib6_lookup(struct net *net, int oif, struct flowi6 *fl6, 69 struct fib6_result *res, int flags) 70 { 71 int err; 72 73 if (net->ipv6.fib6_has_custom_rules) { 74 struct fib_lookup_arg arg = { 75 .lookup_ptr = fib6_table_lookup, 76 .lookup_data = &oif, 77 .result = res, 78 .flags = FIB_LOOKUP_NOREF, 79 }; 80 81 l3mdev_update_flow(net, flowi6_to_flowi(fl6)); 82 83 err = fib_rules_lookup(net->ipv6.fib6_rules_ops, 84 flowi6_to_flowi(fl6), flags, &arg); 85 } else { 86 err = fib6_table_lookup(net, net->ipv6.fib6_local_tbl, oif, 87 fl6, res, flags); 88 if (err || res->f6i == net->ipv6.fib6_null_entry) 89 err = fib6_table_lookup(net, net->ipv6.fib6_main_tbl, 90 oif, fl6, res, flags); 91 } 92 93 return err; 94 } 95 96 struct dst_entry *fib6_rule_lookup(struct net *net, struct flowi6 *fl6, 97 const struct sk_buff *skb, 98 int flags, pol_lookup_t lookup) 99 { 100 if (net->ipv6.fib6_has_custom_rules) { 101 struct fib6_result res = {}; 102 struct fib_lookup_arg arg = { 103 .lookup_ptr = lookup, 104 .lookup_data = skb, 105 .result = &res, 106 .flags = FIB_LOOKUP_NOREF, 107 }; 108 109 /* update flow if oif or iif point to device enslaved to l3mdev */ 110 l3mdev_update_flow(net, flowi6_to_flowi(fl6)); 111 112 fib_rules_lookup(net->ipv6.fib6_rules_ops, 113 flowi6_to_flowi(fl6), flags, &arg); 114 115 if (res.rt6) 116 return &res.rt6->dst; 117 } else { 118 struct rt6_info *rt; 119 120 rt = pol_lookup_func(lookup, 121 net, net->ipv6.fib6_local_tbl, fl6, skb, flags); 122 if (rt != net->ipv6.ip6_null_entry && rt->dst.error != -EAGAIN) 123 return &rt->dst; 124 ip6_rt_put_flags(rt, flags); 125 rt = pol_lookup_func(lookup, 126 net, net->ipv6.fib6_main_tbl, fl6, skb, flags); 127 if (rt->dst.error != -EAGAIN) 128 return &rt->dst; 129 ip6_rt_put_flags(rt, flags); 130 } 131 132 if (!(flags & RT6_LOOKUP_F_DST_NOREF)) 133 dst_hold(&net->ipv6.ip6_null_entry->dst); 134 return &net->ipv6.ip6_null_entry->dst; 135 } 136 137 static int fib6_rule_saddr(struct net *net, struct fib_rule *rule, int flags, 138 struct flowi6 *flp6, const struct net_device *dev) 139 { 140 struct fib6_rule *r = (struct fib6_rule *)rule; 141 142 /* If we need to find a source address for this traffic, 143 * we check the result if it meets requirement of the rule. 144 */ 145 if ((rule->flags & FIB_RULE_FIND_SADDR) && 146 r->src.plen && !(flags & RT6_LOOKUP_F_HAS_SADDR)) { 147 struct in6_addr saddr; 148 149 if (ipv6_dev_get_saddr(net, dev, &flp6->daddr, 150 rt6_flags2srcprefs(flags), &saddr)) 151 return -EAGAIN; 152 153 if (!ipv6_prefix_equal(&saddr, &r->src.addr, r->src.plen)) 154 return -EAGAIN; 155 156 flp6->saddr = saddr; 157 } 158 159 return 0; 160 } 161 162 static int fib6_rule_action_alt(struct fib_rule *rule, struct flowi *flp, 163 int flags, struct fib_lookup_arg *arg) 164 { 165 struct fib6_result *res = arg->result; 166 struct flowi6 *flp6 = &flp->u.ip6; 167 struct net *net = rule->fr_net; 168 struct fib6_table *table; 169 int err, *oif; 170 u32 tb_id; 171 172 switch (rule->action) { 173 case FR_ACT_TO_TBL: 174 break; 175 case FR_ACT_UNREACHABLE: 176 return -ENETUNREACH; 177 case FR_ACT_PROHIBIT: 178 return -EACCES; 179 case FR_ACT_BLACKHOLE: 180 default: 181 return -EINVAL; 182 } 183 184 tb_id = fib_rule_get_table(rule, arg); 185 table = fib6_get_table(net, tb_id); 186 if (!table) 187 return -EAGAIN; 188 189 oif = (int *)arg->lookup_data; 190 err = fib6_table_lookup(net, table, *oif, flp6, res, flags); 191 if (!err && res->f6i != net->ipv6.fib6_null_entry) 192 err = fib6_rule_saddr(net, rule, flags, flp6, 193 res->nh->fib_nh_dev); 194 else 195 err = -EAGAIN; 196 197 return err; 198 } 199 200 static int __fib6_rule_action(struct fib_rule *rule, struct flowi *flp, 201 int flags, struct fib_lookup_arg *arg) 202 { 203 struct fib6_result *res = arg->result; 204 struct flowi6 *flp6 = &flp->u.ip6; 205 struct rt6_info *rt = NULL; 206 struct fib6_table *table; 207 struct net *net = rule->fr_net; 208 pol_lookup_t lookup = arg->lookup_ptr; 209 int err = 0; 210 u32 tb_id; 211 212 switch (rule->action) { 213 case FR_ACT_TO_TBL: 214 break; 215 case FR_ACT_UNREACHABLE: 216 err = -ENETUNREACH; 217 rt = net->ipv6.ip6_null_entry; 218 goto discard_pkt; 219 default: 220 case FR_ACT_BLACKHOLE: 221 err = -EINVAL; 222 rt = net->ipv6.ip6_blk_hole_entry; 223 goto discard_pkt; 224 case FR_ACT_PROHIBIT: 225 err = -EACCES; 226 rt = net->ipv6.ip6_prohibit_entry; 227 goto discard_pkt; 228 } 229 230 tb_id = fib_rule_get_table(rule, arg); 231 table = fib6_get_table(net, tb_id); 232 if (!table) { 233 err = -EAGAIN; 234 goto out; 235 } 236 237 rt = pol_lookup_func(lookup, 238 net, table, flp6, arg->lookup_data, flags); 239 if (rt != net->ipv6.ip6_null_entry) { 240 struct inet6_dev *idev = ip6_dst_idev(&rt->dst); 241 242 if (!idev) 243 goto again; 244 err = fib6_rule_saddr(net, rule, flags, flp6, 245 idev->dev); 246 247 if (err == -EAGAIN) 248 goto again; 249 250 err = rt->dst.error; 251 if (err != -EAGAIN) 252 goto out; 253 } 254 again: 255 ip6_rt_put_flags(rt, flags); 256 err = -EAGAIN; 257 rt = NULL; 258 goto out; 259 260 discard_pkt: 261 if (!(flags & RT6_LOOKUP_F_DST_NOREF)) 262 dst_hold(&rt->dst); 263 out: 264 res->rt6 = rt; 265 return err; 266 } 267 268 INDIRECT_CALLABLE_SCOPE int fib6_rule_action(struct fib_rule *rule, 269 struct flowi *flp, int flags, 270 struct fib_lookup_arg *arg) 271 { 272 if (arg->lookup_ptr == fib6_table_lookup) 273 return fib6_rule_action_alt(rule, flp, flags, arg); 274 275 return __fib6_rule_action(rule, flp, flags, arg); 276 } 277 278 INDIRECT_CALLABLE_SCOPE bool fib6_rule_suppress(struct fib_rule *rule, 279 int flags, 280 struct fib_lookup_arg *arg) 281 { 282 struct fib6_result *res = arg->result; 283 struct rt6_info *rt = res->rt6; 284 struct net_device *dev = NULL; 285 286 if (!rt) 287 return false; 288 289 if (rt->rt6i_idev) 290 dev = rt->rt6i_idev->dev; 291 292 /* do not accept result if the route does 293 * not meet the required prefix length 294 */ 295 if (rt->rt6i_dst.plen <= rule->suppress_prefixlen) 296 goto suppress_route; 297 298 /* do not accept result if the route uses a device 299 * belonging to a forbidden interface group 300 */ 301 if (rule->suppress_ifgroup != -1 && dev && dev->group == rule->suppress_ifgroup) 302 goto suppress_route; 303 304 return false; 305 306 suppress_route: 307 ip6_rt_put_flags(rt, flags); 308 return true; 309 } 310 311 INDIRECT_CALLABLE_SCOPE int fib6_rule_match(struct fib_rule *rule, 312 struct flowi *fl, int flags) 313 { 314 struct fib6_rule *r = (struct fib6_rule *) rule; 315 struct flowi6 *fl6 = &fl->u.ip6; 316 317 if (r->dst.plen && 318 !ipv6_prefix_equal(&fl6->daddr, &r->dst.addr, r->dst.plen)) 319 return 0; 320 321 /* 322 * If FIB_RULE_FIND_SADDR is set and we do not have a 323 * source address for the traffic, we defer check for 324 * source address. 325 */ 326 if (r->src.plen) { 327 if (flags & RT6_LOOKUP_F_HAS_SADDR) { 328 if (!ipv6_prefix_equal(&fl6->saddr, &r->src.addr, 329 r->src.plen)) 330 return 0; 331 } else if (!(r->common.flags & FIB_RULE_FIND_SADDR)) 332 return 0; 333 } 334 335 if ((r->dscp ^ ip6_dscp(fl6->flowlabel)) & r->dscp_mask) 336 return 0; 337 338 if ((r->flowlabel ^ flowi6_get_flowlabel(fl6)) & r->flowlabel_mask) 339 return 0; 340 341 if (rule->ip_proto && (rule->ip_proto != fl6->flowi6_proto)) 342 return 0; 343 344 if (!fib_rule_port_match(&rule->sport_range, rule->sport_mask, 345 fl6->fl6_sport)) 346 return 0; 347 348 if (!fib_rule_port_match(&rule->dport_range, rule->dport_mask, 349 fl6->fl6_dport)) 350 return 0; 351 352 return 1; 353 } 354 355 static int fib6_nl2rule_dscp(const struct nlattr *nla, struct fib6_rule *rule6, 356 struct netlink_ext_ack *extack) 357 { 358 if (rule6->dscp) { 359 NL_SET_ERR_MSG(extack, "Cannot specify both TOS and DSCP"); 360 return -EINVAL; 361 } 362 363 rule6->dscp = inet_dsfield_to_dscp(nla_get_u8(nla) << 2); 364 rule6->dscp_mask = inet_dsfield_to_dscp(INET_DSCP_MASK); 365 rule6->dscp_full = true; 366 367 return 0; 368 } 369 370 static int fib6_nl2rule_dscp_mask(const struct nlattr *nla, 371 struct fib6_rule *rule6, 372 struct netlink_ext_ack *extack) 373 { 374 dscp_t dscp_mask; 375 376 if (!rule6->dscp_full) { 377 NL_SET_ERR_MSG_ATTR(extack, nla, 378 "Cannot specify DSCP mask without DSCP value"); 379 return -EINVAL; 380 } 381 382 dscp_mask = inet_dsfield_to_dscp(nla_get_u8(nla) << 2); 383 if (rule6->dscp & ~dscp_mask) { 384 NL_SET_ERR_MSG_ATTR(extack, nla, "Invalid DSCP mask"); 385 return -EINVAL; 386 } 387 388 rule6->dscp_mask = dscp_mask; 389 390 return 0; 391 } 392 393 static int fib6_nl2rule_flowlabel(struct nlattr **tb, struct fib6_rule *rule6, 394 struct netlink_ext_ack *extack) 395 { 396 __be32 flowlabel, flowlabel_mask; 397 398 if (NL_REQ_ATTR_CHECK(extack, NULL, tb, FRA_FLOWLABEL) || 399 NL_REQ_ATTR_CHECK(extack, NULL, tb, FRA_FLOWLABEL_MASK)) 400 return -EINVAL; 401 402 flowlabel = nla_get_be32(tb[FRA_FLOWLABEL]); 403 flowlabel_mask = nla_get_be32(tb[FRA_FLOWLABEL_MASK]); 404 405 if (flowlabel_mask & ~IPV6_FLOWLABEL_MASK) { 406 NL_SET_ERR_MSG_ATTR(extack, tb[FRA_FLOWLABEL_MASK], 407 "Invalid flow label mask"); 408 return -EINVAL; 409 } 410 411 if (flowlabel & ~flowlabel_mask) { 412 NL_SET_ERR_MSG(extack, "Flow label and mask do not match"); 413 return -EINVAL; 414 } 415 416 rule6->flowlabel = flowlabel; 417 rule6->flowlabel_mask = flowlabel_mask; 418 419 return 0; 420 } 421 422 static int fib6_rule_configure(struct fib_rule *rule, struct sk_buff *skb, 423 struct fib_rule_hdr *frh, 424 struct nlattr **tb, 425 struct netlink_ext_ack *extack) 426 { 427 struct fib6_rule *rule6 = (struct fib6_rule *)rule; 428 struct net *net = rule->fr_net; 429 int err = -EINVAL; 430 431 if (!inet_validate_dscp(frh->tos)) { 432 NL_SET_ERR_MSG(extack, 433 "Invalid dsfield (tos): ECN bits must be 0"); 434 goto errout; 435 } 436 rule6->dscp = inet_dsfield_to_dscp(frh->tos); 437 rule6->dscp_mask = frh->tos ? inet_dsfield_to_dscp(INET_DSCP_MASK) : 0; 438 439 if (tb[FRA_DSCP] && fib6_nl2rule_dscp(tb[FRA_DSCP], rule6, extack) < 0) 440 goto errout; 441 442 if (tb[FRA_DSCP_MASK] && 443 fib6_nl2rule_dscp_mask(tb[FRA_DSCP_MASK], rule6, extack) < 0) 444 goto errout; 445 446 if ((tb[FRA_FLOWLABEL] || tb[FRA_FLOWLABEL_MASK]) && 447 fib6_nl2rule_flowlabel(tb, rule6, extack) < 0) 448 goto errout; 449 450 if (rule->action == FR_ACT_TO_TBL && !rule->l3mdev) { 451 if (rule->table == RT6_TABLE_UNSPEC) { 452 NL_SET_ERR_MSG(extack, "Invalid table"); 453 goto errout; 454 } 455 456 if (fib6_new_table(net, rule->table) == NULL) { 457 err = -ENOBUFS; 458 goto errout; 459 } 460 } 461 462 if (frh->src_len) 463 rule6->src.addr = nla_get_in6_addr(tb[FRA_SRC]); 464 465 if (frh->dst_len) 466 rule6->dst.addr = nla_get_in6_addr(tb[FRA_DST]); 467 468 rule6->src.plen = frh->src_len; 469 rule6->dst.plen = frh->dst_len; 470 471 if (fib_rule_requires_fldissect(rule)) 472 net->ipv6.fib6_rules_require_fldissect++; 473 474 net->ipv6.fib6_has_custom_rules = true; 475 err = 0; 476 errout: 477 return err; 478 } 479 480 static int fib6_rule_delete(struct fib_rule *rule) 481 { 482 struct net *net = rule->fr_net; 483 484 if (net->ipv6.fib6_rules_require_fldissect && 485 fib_rule_requires_fldissect(rule)) 486 net->ipv6.fib6_rules_require_fldissect--; 487 488 return 0; 489 } 490 491 static int fib6_rule_compare(struct fib_rule *rule, struct fib_rule_hdr *frh, 492 struct nlattr **tb) 493 { 494 struct fib6_rule *rule6 = (struct fib6_rule *) rule; 495 496 if (frh->src_len && (rule6->src.plen != frh->src_len)) 497 return 0; 498 499 if (frh->dst_len && (rule6->dst.plen != frh->dst_len)) 500 return 0; 501 502 if (frh->tos && 503 (rule6->dscp_full || 504 inet_dscp_to_dsfield(rule6->dscp) != frh->tos)) 505 return 0; 506 507 if (tb[FRA_DSCP]) { 508 dscp_t dscp; 509 510 dscp = inet_dsfield_to_dscp(nla_get_u8(tb[FRA_DSCP]) << 2); 511 if (!rule6->dscp_full || rule6->dscp != dscp) 512 return 0; 513 } 514 515 if (tb[FRA_DSCP_MASK]) { 516 dscp_t dscp_mask; 517 518 dscp_mask = inet_dsfield_to_dscp(nla_get_u8(tb[FRA_DSCP_MASK]) << 2); 519 if (!rule6->dscp_full || rule6->dscp_mask != dscp_mask) 520 return 0; 521 } 522 523 if (tb[FRA_FLOWLABEL] && 524 nla_get_be32(tb[FRA_FLOWLABEL]) != rule6->flowlabel) 525 return 0; 526 527 if (tb[FRA_FLOWLABEL_MASK] && 528 nla_get_be32(tb[FRA_FLOWLABEL_MASK]) != rule6->flowlabel_mask) 529 return 0; 530 531 if (frh->src_len && 532 nla_memcmp(tb[FRA_SRC], &rule6->src.addr, sizeof(struct in6_addr))) 533 return 0; 534 535 if (frh->dst_len && 536 nla_memcmp(tb[FRA_DST], &rule6->dst.addr, sizeof(struct in6_addr))) 537 return 0; 538 539 return 1; 540 } 541 542 static int fib6_rule_fill(struct fib_rule *rule, struct sk_buff *skb, 543 struct fib_rule_hdr *frh) 544 { 545 struct fib6_rule *rule6 = (struct fib6_rule *) rule; 546 547 frh->dst_len = rule6->dst.plen; 548 frh->src_len = rule6->src.plen; 549 550 if (rule6->dscp_full) { 551 frh->tos = 0; 552 if (nla_put_u8(skb, FRA_DSCP, 553 inet_dscp_to_dsfield(rule6->dscp) >> 2) || 554 nla_put_u8(skb, FRA_DSCP_MASK, 555 inet_dscp_to_dsfield(rule6->dscp_mask) >> 2)) 556 goto nla_put_failure; 557 } else { 558 frh->tos = inet_dscp_to_dsfield(rule6->dscp); 559 } 560 561 if (rule6->flowlabel_mask && 562 (nla_put_be32(skb, FRA_FLOWLABEL, rule6->flowlabel) || 563 nla_put_be32(skb, FRA_FLOWLABEL_MASK, rule6->flowlabel_mask))) 564 goto nla_put_failure; 565 566 if ((rule6->dst.plen && 567 nla_put_in6_addr(skb, FRA_DST, &rule6->dst.addr)) || 568 (rule6->src.plen && 569 nla_put_in6_addr(skb, FRA_SRC, &rule6->src.addr))) 570 goto nla_put_failure; 571 return 0; 572 573 nla_put_failure: 574 return -ENOBUFS; 575 } 576 577 static size_t fib6_rule_nlmsg_payload(struct fib_rule *rule) 578 { 579 return nla_total_size(16) /* dst */ 580 + nla_total_size(16) /* src */ 581 + nla_total_size(1) /* dscp */ 582 + nla_total_size(1) /* dscp mask */ 583 + nla_total_size(4) /* flowlabel */ 584 + nla_total_size(4); /* flowlabel mask */ 585 } 586 587 static void fib6_rule_flush_cache(struct fib_rules_ops *ops) 588 { 589 rt_genid_bump_ipv6(ops->fro_net); 590 } 591 592 static const struct fib_rules_ops __net_initconst fib6_rules_ops_template = { 593 .family = AF_INET6, 594 .rule_size = sizeof(struct fib6_rule), 595 .addr_size = sizeof(struct in6_addr), 596 .action = fib6_rule_action, 597 .match = fib6_rule_match, 598 .suppress = fib6_rule_suppress, 599 .configure = fib6_rule_configure, 600 .delete = fib6_rule_delete, 601 .compare = fib6_rule_compare, 602 .fill = fib6_rule_fill, 603 .nlmsg_payload = fib6_rule_nlmsg_payload, 604 .flush_cache = fib6_rule_flush_cache, 605 .nlgroup = RTNLGRP_IPV6_RULE, 606 .owner = THIS_MODULE, 607 .fro_net = &init_net, 608 }; 609 610 static int __net_init fib6_rules_net_init(struct net *net) 611 { 612 struct fib_rules_ops *ops; 613 int err; 614 615 ops = fib_rules_register(&fib6_rules_ops_template, net); 616 if (IS_ERR(ops)) 617 return PTR_ERR(ops); 618 619 err = fib_default_rule_add(ops, 0, RT6_TABLE_LOCAL); 620 if (err) 621 goto out_fib6_rules_ops; 622 623 err = fib_default_rule_add(ops, 0x7FFE, RT6_TABLE_MAIN); 624 if (err) 625 goto out_fib6_rules_ops; 626 627 net->ipv6.fib6_rules_ops = ops; 628 net->ipv6.fib6_rules_require_fldissect = 0; 629 out: 630 return err; 631 632 out_fib6_rules_ops: 633 fib_rules_unregister(ops); 634 goto out; 635 } 636 637 static void __net_exit fib6_rules_net_exit_batch(struct list_head *net_list) 638 { 639 struct net *net; 640 641 rtnl_lock(); 642 list_for_each_entry(net, net_list, exit_list) { 643 fib_rules_unregister(net->ipv6.fib6_rules_ops); 644 cond_resched(); 645 } 646 rtnl_unlock(); 647 } 648 649 static struct pernet_operations fib6_rules_net_ops = { 650 .init = fib6_rules_net_init, 651 .exit_batch = fib6_rules_net_exit_batch, 652 }; 653 654 int __init fib6_rules_init(void) 655 { 656 return register_pernet_subsys(&fib6_rules_net_ops); 657 } 658 659 660 void fib6_rules_cleanup(void) 661 { 662 unregister_pernet_subsys(&fib6_rules_net_ops); 663 } 664