net/core/fib_rules.c

   1 /*
   2  * net/core/fib_rules.c         Generic Routing Rules
   3  *
   4  *      This program is free software; you can redistribute it and/or
   5  *      modify it under the terms of the GNU General Public License as
   6  *      published by the Free Software Foundation, version 2.
   7  *
   8  * Authors:     Thomas Graf <tgraf@suug.ch>
   9  */
  10
  11 #include <linux/types.h>
  12 #include <linux/kernel.h>
  13 #include <linux/list.h>
  14 #include <net/fib_rules.h>
  15
  16 static LIST_HEAD(rules_ops);
  17 static DEFINE_SPINLOCK(rules_mod_lock);
  18
  19 static void notify_rule_change(int event, struct fib_rule *rule,
  20                                struct fib_rules_ops *ops, struct nlmsghdr *nlh,
  21                                u32 pid);
  22
  23 static struct fib_rules_ops *lookup_rules_ops(int family)
  24 {
  25         struct fib_rules_ops *ops;
  26
  27         rcu_read_lock();
  28         list_for_each_entry_rcu(ops, &rules_ops, list) {
  29                 if (ops->family == family) {
  30                         if (!try_module_get(ops->owner))
  31                                 ops = NULL;
  32                         rcu_read_unlock();
  33                         return ops;
  34                 }
  35         }
  36         rcu_read_unlock();
  37
  38         return NULL;
  39 }
  40
  41 static void rules_ops_put(struct fib_rules_ops *ops)
  42 {
  43         if (ops)
  44                 module_put(ops->owner);
  45 }
  46
  47 int fib_rules_register(struct fib_rules_ops *ops)
  48 {
  49         int err = -EEXIST;
  50         struct fib_rules_ops *o;
  51
  52         if (ops->rule_size < sizeof(struct fib_rule))
  53                 return -EINVAL;
  54
  55         if (ops->match == NULL || ops->configure == NULL ||
  56             ops->compare == NULL || ops->fill == NULL ||
  57             ops->action == NULL)
  58                 return -EINVAL;
  59
  60         spin_lock(&rules_mod_lock);
  61         list_for_each_entry(o, &rules_ops, list)
  62                 if (ops->family == o->family)
  63                         goto errout;
  64
  65         list_add_tail_rcu(&ops->list, &rules_ops);
  66         err = 0;
  67 errout:
  68         spin_unlock(&rules_mod_lock);
  69
  70         return err;
  71 }
  72
  73 EXPORT_SYMBOL_GPL(fib_rules_register);
  74
  75 static void cleanup_ops(struct fib_rules_ops *ops)
  76 {
  77         struct fib_rule *rule, *tmp;
  78
  79         list_for_each_entry_safe(rule, tmp, ops->rules_list, list) {
  80                 list_del_rcu(&rule->list);
  81                 fib_rule_put(rule);
  82         }
  83 }
  84
  85 int fib_rules_unregister(struct fib_rules_ops *ops)
  86 {
  87         int err = 0;
  88         struct fib_rules_ops *o;
  89
  90         spin_lock(&rules_mod_lock);
  91         list_for_each_entry(o, &rules_ops, list) {
  92                 if (o == ops) {
  93                         list_del_rcu(&o->list);
  94                         cleanup_ops(ops);
  95                         goto out;
  96                 }
  97         }
  98
  99         err = -ENOENT;
 100 out:
 101         spin_unlock(&rules_mod_lock);
 102
 103         synchronize_rcu();
 104
 105         return err;
 106 }
 107
 108 EXPORT_SYMBOL_GPL(fib_rules_unregister);
 109
 110 static int fib_rule_match(struct fib_rule *rule, struct fib_rules_ops *ops,
 111                           struct flowi *fl, int flags)
 112 {
 113         int ret = 0;
 114
 115         if (rule->ifindex && (rule->ifindex != fl->iif))
 116                 goto out;
 117
 118         if ((rule->mark ^ fl->mark) & rule->mark_mask)
 119                 goto out;
 120
 121         ret = ops->match(rule, fl, flags);
 122 out:
 123         return (rule->flags & FIB_RULE_INVERT) ? !ret : ret;
 124 }
 125
 126 int fib_rules_lookup(struct fib_rules_ops *ops, struct flowi *fl,
 127                      int flags, struct fib_lookup_arg *arg)
 128 {
 129         struct fib_rule *rule;
 130         int err;
 131
 132         rcu_read_lock();
 133
 134         list_for_each_entry_rcu(rule, ops->rules_list, list) {
 135 jumped:
 136                 if (!fib_rule_match(rule, ops, fl, flags))
 137                         continue;
 138
 139                 if (rule->action == FR_ACT_GOTO) {
 140                         struct fib_rule *target;
 141
 142                         target = rcu_dereference(rule->ctarget);
 143                         if (target == NULL) {
 144                                 continue;
 145                         } else {
 146                                 rule = target;
 147                                 goto jumped;
 148                         }
 149                 } else if (rule->action == FR_ACT_NOP)
 150                         continue;
 151                 else
 152                         err = ops->action(rule, fl, flags, arg);
 153
 154                 if (err != -EAGAIN) {
 155                         fib_rule_get(rule);
 156                         arg->rule = rule;
 157                         goto out;
 158                 }
 159         }
 160
 161         err = -ESRCH;
 162 out:
 163         rcu_read_unlock();
 164
 165         return err;
 166 }
 167
 168 EXPORT_SYMBOL_GPL(fib_rules_lookup);
 169
 170 static int validate_rulemsg(struct fib_rule_hdr *frh, struct nlattr **tb,
 171                             struct fib_rules_ops *ops)
 172 {
 173         int err = -EINVAL;
 174
 175         if (frh->src_len)
 176                 if (tb[FRA_SRC] == NULL ||
 177                     frh->src_len > (ops->addr_size * 8) ||
 178                     nla_len(tb[FRA_SRC]) != ops->addr_size)
 179                         goto errout;
 180
 181         if (frh->dst_len)
 182                 if (tb[FRA_DST] == NULL ||
 183                     frh->dst_len > (ops->addr_size * 8) ||
 184                     nla_len(tb[FRA_DST]) != ops->addr_size)
 185                         goto errout;
 186
 187         err = 0;
 188 errout:
 189         return err;
 190 }
 191
 192 static int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg)
 193 {
 194         struct fib_rule_hdr *frh = nlmsg_data(nlh);
 195         struct fib_rules_ops *ops = NULL;
 196         struct fib_rule *rule, *r, *last = NULL;
 197         struct nlattr *tb[FRA_MAX+1];
 198         int err = -EINVAL, unresolved = 0;
 199
 200         if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*frh)))
 201                 goto errout;
 202
 203         ops = lookup_rules_ops(frh->family);
 204         if (ops == NULL) {
 205                 err = EAFNOSUPPORT;
 206                 goto errout;
 207         }
 208
 209         err = nlmsg_parse(nlh, sizeof(*frh), tb, FRA_MAX, ops->policy);
 210         if (err < 0)
 211                 goto errout;
 212
 213         err = validate_rulemsg(frh, tb, ops);
 214         if (err < 0)
 215                 goto errout;
 216
 217         rule = kzalloc(ops->rule_size, GFP_KERNEL);
 218         if (rule == NULL) {
 219                 err = -ENOMEM;
 220                 goto errout;
 221         }
 222
 223         if (tb[FRA_PRIORITY])
 224                 rule->pref = nla_get_u32(tb[FRA_PRIORITY]);
 225
 226         if (tb[FRA_IFNAME]) {
 227                 struct net_device *dev;
 228
 229                 rule->ifindex = -1;
 230                 nla_strlcpy(rule->ifname, tb[FRA_IFNAME], IFNAMSIZ);
 231                 dev = __dev_get_by_name(rule->ifname);
 232                 if (dev)
 233                         rule->ifindex = dev->ifindex;
 234         }
 235
 236         if (tb[FRA_FWMARK]) {
 237                 rule->mark = nla_get_u32(tb[FRA_FWMARK]);
 238                 if (rule->mark)
 239                         /* compatibility: if the mark value is non-zero all bits
 240                          * are compared unless a mask is explicitly specified.
 241                          */
 242                         rule->mark_mask = 0xFFFFFFFF;
 243         }
 244
 245         if (tb[FRA_FWMASK])
 246                 rule->mark_mask = nla_get_u32(tb[FRA_FWMASK]);
 247
 248         rule->action = frh->action;
 249         rule->flags = frh->flags;
 250         rule->table = frh_get_table(frh, tb);
 251
 252         if (!rule->pref && ops->default_pref)
 253                 rule->pref = ops->default_pref();
 254
 255         err = -EINVAL;
 256         if (tb[FRA_GOTO]) {
 257                 if (rule->action != FR_ACT_GOTO)
 258                         goto errout_free;
 259
 260                 rule->target = nla_get_u32(tb[FRA_GOTO]);
 261                 /* Backward jumps are prohibited to avoid endless loops */
 262                 if (rule->target <= rule->pref)
 263                         goto errout_free;
 264
 265                 list_for_each_entry(r, ops->rules_list, list) {
 266                         if (r->pref == rule->target) {
 267                                 rule->ctarget = r;
 268                                 break;
 269                         }
 270                 }
 271
 272                 if (rule->ctarget == NULL)
 273                         unresolved = 1;
 274         } else if (rule->action == FR_ACT_GOTO)
 275                 goto errout_free;
 276
 277         err = ops->configure(rule, skb, nlh, frh, tb);
 278         if (err < 0)
 279                 goto errout_free;
 280
 281         list_for_each_entry(r, ops->rules_list, list) {
 282                 if (r->pref > rule->pref)
 283                         break;
 284                 last = r;
 285         }
 286
 287         fib_rule_get(rule);
 288
 289         if (ops->unresolved_rules) {
 290                 /*
 291                  * There are unresolved goto rules in the list, check if
 292                  * any of them are pointing to this new rule.
 293                  */
 294                 list_for_each_entry(r, ops->rules_list, list) {
 295                         if (r->action == FR_ACT_GOTO &&
 296                             r->target == rule->pref) {
 297                                 BUG_ON(r->ctarget != NULL);
 298                                 rcu_assign_pointer(r->ctarget, rule);
 299                                 if (--ops->unresolved_rules == 0)
 300                                         break;
 301                         }
 302                 }
 303         }
 304
 305         if (rule->action == FR_ACT_GOTO)
 306                 ops->nr_goto_rules++;
 307
 308         if (unresolved)
 309                 ops->unresolved_rules++;
 310
 311         if (last)
 312                 list_add_rcu(&rule->list, &last->list);
 313         else
 314                 list_add_rcu(&rule->list, ops->rules_list);
 315
 316         notify_rule_change(RTM_NEWRULE, rule, ops, nlh, NETLINK_CB(skb).pid);
 317         rules_ops_put(ops);
 318         return 0;
 319
 320 errout_free:
 321         kfree(rule);
 322 errout:
 323         rules_ops_put(ops);
 324         return err;
 325 }
 326
 327 static int fib_nl_delrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg)
 328 {
 329         struct fib_rule_hdr *frh = nlmsg_data(nlh);
 330         struct fib_rules_ops *ops = NULL;
 331         struct fib_rule *rule, *tmp;
 332         struct nlattr *tb[FRA_MAX+1];
 333         int err = -EINVAL;
 334
 335         if (nlh->nlmsg_len < nlmsg_msg_size(sizeof(*frh)))
 336                 goto errout;
 337
 338         ops = lookup_rules_ops(frh->family);
 339         if (ops == NULL) {
 340                 err = EAFNOSUPPORT;
 341                 goto errout;
 342         }
 343
 344         err = nlmsg_parse(nlh, sizeof(*frh), tb, FRA_MAX, ops->policy);
 345         if (err < 0)
 346                 goto errout;
 347
 348         err = validate_rulemsg(frh, tb, ops);
 349         if (err < 0)
 350                 goto errout;
 351
 352         list_for_each_entry(rule, ops->rules_list, list) {
 353                 if (frh->action && (frh->action != rule->action))
 354                         continue;
 355
 356                 if (frh->table && (frh_get_table(frh, tb) != rule->table))
 357                         continue;
 358
 359                 if (tb[FRA_PRIORITY] &&
 360                     (rule->pref != nla_get_u32(tb[FRA_PRIORITY])))
 361                         continue;
 362
 363                 if (tb[FRA_IFNAME] &&
 364                     nla_strcmp(tb[FRA_IFNAME], rule->ifname))
 365                         continue;
 366
 367                 if (tb[FRA_FWMARK] &&
 368                     (rule->mark != nla_get_u32(tb[FRA_FWMARK])))
 369                         continue;
 370
 371                 if (tb[FRA_FWMASK] &&
 372                     (rule->mark_mask != nla_get_u32(tb[FRA_FWMASK])))
 373                         continue;
 374
 375                 if (!ops->compare(rule, frh, tb))
 376                         continue;
 377
 378                 if (rule->flags & FIB_RULE_PERMANENT) {
 379                         err = -EPERM;
 380                         goto errout;
 381                 }
 382
 383                 list_del_rcu(&rule->list);
 384
 385                 if (rule->action == FR_ACT_GOTO)
 386                         ops->nr_goto_rules--;
 387
 388                 /*
 389                  * Check if this rule is a target to any of them. If so,
 390                  * disable them. As this operation is eventually very
 391                  * expensive, it is only performed if goto rules have
 392                  * actually been added.
 393                  */
 394                 if (ops->nr_goto_rules > 0) {
 395                         list_for_each_entry(tmp, ops->rules_list, list) {
 396                                 if (tmp->ctarget == rule) {
 397                                         rcu_assign_pointer(tmp->ctarget, NULL);
 398                                         ops->unresolved_rules++;
 399                                 }
 400                         }
 401                 }
 402
 403                 synchronize_rcu();
 404                 notify_rule_change(RTM_DELRULE, rule, ops, nlh,
 405                                    NETLINK_CB(skb).pid);
 406                 fib_rule_put(rule);
 407                 rules_ops_put(ops);
 408                 return 0;
 409         }
 410
 411         err = -ENOENT;
 412 errout:
 413         rules_ops_put(ops);
 414         return err;
 415 }
 416
 417 static inline size_t fib_rule_nlmsg_size(struct fib_rules_ops *ops,
 418                                          struct fib_rule *rule)
 419 {
 420         size_t payload = NLMSG_ALIGN(sizeof(struct fib_rule_hdr))
 421                          + nla_total_size(IFNAMSIZ) /* FRA_IFNAME */
 422                          + nla_total_size(4) /* FRA_PRIORITY */
 423                          + nla_total_size(4) /* FRA_TABLE */
 424                          + nla_total_size(4) /* FRA_FWMARK */
 425                          + nla_total_size(4); /* FRA_FWMASK */
 426
 427         if (ops->nlmsg_payload)
 428                 payload += ops->nlmsg_payload(rule);
 429
 430         return payload;
 431 }
 432
 433 static int fib_nl_fill_rule(struct sk_buff *skb, struct fib_rule *rule,
 434                             u32 pid, u32 seq, int type, int flags,
 435                             struct fib_rules_ops *ops)
 436 {
 437         struct nlmsghdr *nlh;
 438         struct fib_rule_hdr *frh;
 439
 440         nlh = nlmsg_put(skb, pid, seq, type, sizeof(*frh), flags);
 441         if (nlh == NULL)
 442                 return -EMSGSIZE;
 443
 444         frh = nlmsg_data(nlh);
 445         frh->table = rule->table;
 446         NLA_PUT_U32(skb, FRA_TABLE, rule->table);
 447         frh->res1 = 0;
 448         frh->res2 = 0;
 449         frh->action = rule->action;
 450         frh->flags = rule->flags;
 451
 452         if (rule->action == FR_ACT_GOTO && rule->ctarget == NULL)
 453                 frh->flags |= FIB_RULE_UNRESOLVED;
 454
 455         if (rule->ifname[0]) {
 456                 NLA_PUT_STRING(skb, FRA_IFNAME, rule->ifname);
 457
 458                 if (rule->ifindex == -1)
 459                         frh->flags |= FIB_RULE_DEV_DETACHED;
 460         }
 461
 462         if (rule->pref)
 463                 NLA_PUT_U32(skb, FRA_PRIORITY, rule->pref);
 464
 465         if (rule->mark)
 466                 NLA_PUT_U32(skb, FRA_FWMARK, rule->mark);
 467
 468         if (rule->mark_mask || rule->mark)
 469                 NLA_PUT_U32(skb, FRA_FWMASK, rule->mark_mask);
 470
 471         if (rule->target)
 472                 NLA_PUT_U32(skb, FRA_GOTO, rule->target);
 473
 474         if (ops->fill(rule, skb, nlh, frh) < 0)
 475                 goto nla_put_failure;
 476
 477         return nlmsg_end(skb, nlh);
 478
 479 nla_put_failure:
 480         nlmsg_cancel(skb, nlh);
 481         return -EMSGSIZE;
 482 }
 483
 484 static int dump_rules(struct sk_buff *skb, struct netlink_callback *cb,
 485                       struct fib_rules_ops *ops)
 486 {
 487         int idx = 0;
 488         struct fib_rule *rule;
 489
 490         rcu_read_lock();
 491         list_for_each_entry_rcu(rule, ops->rules_list, list) {
 492                 if (idx < cb->args[1])
 493                         goto skip;
 494
 495                 if (fib_nl_fill_rule(skb, rule, NETLINK_CB(cb->skb).pid,
 496                                      cb->nlh->nlmsg_seq, RTM_NEWRULE,
 497                                      NLM_F_MULTI, ops) < 0)
 498                         break;
 499 skip:
 500                 idx++;
 501         }
 502         rcu_read_unlock();
 503         cb->args[1] = idx;
 504         rules_ops_put(ops);
 505
 506         return skb->len;
 507 }
 508
 509 static int fib_nl_dumprule(struct sk_buff *skb, struct netlink_callback *cb)
 510 {
 511         struct fib_rules_ops *ops;
 512         int idx = 0, family;
 513
 514         family = rtnl_msg_family(cb->nlh);
 515         if (family != AF_UNSPEC) {
 516                 /* Protocol specific dump request */
 517                 ops = lookup_rules_ops(family);
 518                 if (ops == NULL)
 519                         return -EAFNOSUPPORT;
 520
 521                 return dump_rules(skb, cb, ops);
 522         }
 523
 524         rcu_read_lock();
 525         list_for_each_entry_rcu(ops, &rules_ops, list) {
 526                 if (idx < cb->args[0] || !try_module_get(ops->owner))
 527                         goto skip;
 528
 529                 if (dump_rules(skb, cb, ops) < 0)
 530                         break;
 531
 532                 cb->args[1] = 0;
 533         skip:
 534                 idx++;
 535         }
 536         rcu_read_unlock();
 537         cb->args[0] = idx;
 538
 539         return skb->len;
 540 }
 541
 542 static void notify_rule_change(int event, struct fib_rule *rule,
 543                                struct fib_rules_ops *ops, struct nlmsghdr *nlh,
 544                                u32 pid)
 545 {
 546         struct sk_buff *skb;
 547         int err = -ENOBUFS;
 548
 549         skb = nlmsg_new(fib_rule_nlmsg_size(ops, rule), GFP_KERNEL);
 550         if (skb == NULL)
 551                 goto errout;
 552
 553         err = fib_nl_fill_rule(skb, rule, pid, nlh->nlmsg_seq, event, 0, ops);
 554         if (err < 0) {
 555                 /* -EMSGSIZE implies BUG in fib_rule_nlmsg_size() */
 556                 WARN_ON(err == -EMSGSIZE);
 557                 kfree_skb(skb);
 558                 goto errout;
 559         }
 560         err = rtnl_notify(skb, pid, ops->nlgroup, nlh, GFP_KERNEL);
 561 errout:
 562         if (err < 0)
 563                 rtnl_set_sk_err(ops->nlgroup, err);
 564 }
 565
 566 static void attach_rules(struct list_head *rules, struct net_device *dev)
 567 {
 568         struct fib_rule *rule;
 569
 570         list_for_each_entry(rule, rules, list) {
 571                 if (rule->ifindex == -1 &&
 572                     strcmp(dev->name, rule->ifname) == 0)
 573                         rule->ifindex = dev->ifindex;
 574         }
 575 }
 576
 577 static void detach_rules(struct list_head *rules, struct net_device *dev)
 578 {
 579         struct fib_rule *rule;
 580
 581         list_for_each_entry(rule, rules, list)
 582                 if (rule->ifindex == dev->ifindex)
 583                         rule->ifindex = -1;
 584 }
 585
 586
 587 static int fib_rules_event(struct notifier_block *this, unsigned long event,
 588                             void *ptr)
 589 {
 590         struct net_device *dev = ptr;
 591         struct fib_rules_ops *ops;
 592
 593         ASSERT_RTNL();
 594         rcu_read_lock();
 595
 596         switch (event) {
 597         case NETDEV_REGISTER:
 598                 list_for_each_entry(ops, &rules_ops, list)
 599                         attach_rules(ops->rules_list, dev);
 600                 break;
 601
 602         case NETDEV_UNREGISTER:
 603                 list_for_each_entry(ops, &rules_ops, list)
 604                         detach_rules(ops->rules_list, dev);
 605                 break;
 606         }
 607
 608         rcu_read_unlock();
 609
 610         return NOTIFY_DONE;
 611 }
 612
 613 static struct notifier_block fib_rules_notifier = {
 614         .notifier_call = fib_rules_event,
 615 };
 616
 617 static int __init fib_rules_init(void)
 618 {
 619         rtnl_register(PF_UNSPEC, RTM_NEWRULE, fib_nl_newrule, NULL);
 620         rtnl_register(PF_UNSPEC, RTM_DELRULE, fib_nl_delrule, NULL);
 621         rtnl_register(PF_UNSPEC, RTM_GETRULE, NULL, fib_nl_dumprule);
 622
 623         return register_netdevice_notifier(&fib_rules_notifier);
 624 }
 625
 626 subsys_initcall(fib_rules_init);