2 * Copyright (c) 2008 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 * Development of this code funded by Astaro AG (http://www.astaro.com/)
11 #include <linux/kernel.h>
12 #include <linux/init.h>
13 #include <linux/module.h>
14 #include <linux/netlink.h>
15 #include <linux/netfilter.h>
16 #include <linux/netfilter/nf_tables.h>
17 #include <net/netfilter/nf_tables.h>
25 enum nft_registers dreg:8;
29 static unsigned int optlen(const u8 *opt, unsigned int offset)
31 /* Beware zero-length options: make finite progress */
32 if (opt[offset] <= TCPOPT_NOP || opt[offset + 1] == 0)
35 return opt[offset + 1];
38 static void nft_exthdr_ipv6_eval(const struct nft_expr *expr,
39 struct nft_regs *regs,
40 const struct nft_pktinfo *pkt)
42 struct nft_exthdr *priv = nft_expr_priv(expr);
43 u32 *dest = ®s->data[priv->dreg];
44 unsigned int offset = 0;
47 err = ipv6_find_hdr(pkt->skb, &offset, priv->type, NULL, NULL);
48 if (priv->flags & NFT_EXTHDR_F_PRESENT) {
54 offset += priv->offset;
56 dest[priv->len / NFT_REG32_SIZE] = 0;
57 if (skb_copy_bits(pkt->skb, offset, dest, priv->len) < 0)
61 regs->verdict.code = NFT_BREAK;
64 static void nft_exthdr_tcp_eval(const struct nft_expr *expr,
65 struct nft_regs *regs,
66 const struct nft_pktinfo *pkt)
68 u8 buff[sizeof(struct tcphdr) + MAX_TCP_OPTION_SPACE];
69 struct nft_exthdr *priv = nft_expr_priv(expr);
70 unsigned int i, optl, tcphdr_len, offset;
71 u32 *dest = ®s->data[priv->dreg];
75 if (!pkt->tprot_set || pkt->tprot != IPPROTO_TCP)
78 tcph = skb_header_pointer(pkt->skb, pkt->xt.thoff, sizeof(*tcph), buff);
82 tcphdr_len = __tcp_hdrlen(tcph);
83 if (tcphdr_len < sizeof(*tcph))
86 tcph = skb_header_pointer(pkt->skb, pkt->xt.thoff, tcphdr_len, buff);
91 for (i = sizeof(*tcph); i < tcphdr_len - 1; i += optl) {
92 optl = optlen(opt, i);
94 if (priv->type != opt[i])
97 if (i + optl > tcphdr_len || priv->len + priv->offset > optl)
100 offset = i + priv->offset;
101 if (priv->flags & NFT_EXTHDR_F_PRESENT) {
104 dest[priv->len / NFT_REG32_SIZE] = 0;
105 memcpy(dest, opt + offset, priv->len);
112 if (priv->flags & NFT_EXTHDR_F_PRESENT)
115 regs->verdict.code = NFT_BREAK;
118 static const struct nla_policy nft_exthdr_policy[NFTA_EXTHDR_MAX + 1] = {
119 [NFTA_EXTHDR_DREG] = { .type = NLA_U32 },
120 [NFTA_EXTHDR_TYPE] = { .type = NLA_U8 },
121 [NFTA_EXTHDR_OFFSET] = { .type = NLA_U32 },
122 [NFTA_EXTHDR_LEN] = { .type = NLA_U32 },
123 [NFTA_EXTHDR_FLAGS] = { .type = NLA_U32 },
126 static int nft_exthdr_init(const struct nft_ctx *ctx,
127 const struct nft_expr *expr,
128 const struct nlattr * const tb[])
130 struct nft_exthdr *priv = nft_expr_priv(expr);
131 u32 offset, len, flags = 0, op = NFT_EXTHDR_OP_IPV6;
134 if (!tb[NFTA_EXTHDR_DREG] ||
135 !tb[NFTA_EXTHDR_TYPE] ||
136 !tb[NFTA_EXTHDR_OFFSET] ||
137 !tb[NFTA_EXTHDR_LEN])
140 err = nft_parse_u32_check(tb[NFTA_EXTHDR_OFFSET], U8_MAX, &offset);
144 err = nft_parse_u32_check(tb[NFTA_EXTHDR_LEN], U8_MAX, &len);
148 if (tb[NFTA_EXTHDR_FLAGS]) {
149 err = nft_parse_u32_check(tb[NFTA_EXTHDR_FLAGS], U8_MAX, &flags);
153 if (flags & ~NFT_EXTHDR_F_PRESENT)
157 if (tb[NFTA_EXTHDR_OP]) {
158 err = nft_parse_u32_check(tb[NFTA_EXTHDR_OP], U8_MAX, &op);
163 priv->type = nla_get_u8(tb[NFTA_EXTHDR_TYPE]);
164 priv->offset = offset;
166 priv->dreg = nft_parse_register(tb[NFTA_EXTHDR_DREG]);
170 return nft_validate_register_store(ctx, priv->dreg, NULL,
171 NFT_DATA_VALUE, priv->len);
174 static int nft_exthdr_dump(struct sk_buff *skb, const struct nft_expr *expr)
176 const struct nft_exthdr *priv = nft_expr_priv(expr);
178 if (nft_dump_register(skb, NFTA_EXTHDR_DREG, priv->dreg))
179 goto nla_put_failure;
180 if (nla_put_u8(skb, NFTA_EXTHDR_TYPE, priv->type))
181 goto nla_put_failure;
182 if (nla_put_be32(skb, NFTA_EXTHDR_OFFSET, htonl(priv->offset)))
183 goto nla_put_failure;
184 if (nla_put_be32(skb, NFTA_EXTHDR_LEN, htonl(priv->len)))
185 goto nla_put_failure;
186 if (nla_put_be32(skb, NFTA_EXTHDR_FLAGS, htonl(priv->flags)))
187 goto nla_put_failure;
188 if (nla_put_be32(skb, NFTA_EXTHDR_OP, htonl(priv->op)))
189 goto nla_put_failure;
196 static struct nft_expr_type nft_exthdr_type;
197 static const struct nft_expr_ops nft_exthdr_ipv6_ops = {
198 .type = &nft_exthdr_type,
199 .size = NFT_EXPR_SIZE(sizeof(struct nft_exthdr)),
200 .eval = nft_exthdr_ipv6_eval,
201 .init = nft_exthdr_init,
202 .dump = nft_exthdr_dump,
205 static const struct nft_expr_ops nft_exthdr_tcp_ops = {
206 .type = &nft_exthdr_type,
207 .size = NFT_EXPR_SIZE(sizeof(struct nft_exthdr)),
208 .eval = nft_exthdr_tcp_eval,
209 .init = nft_exthdr_init,
210 .dump = nft_exthdr_dump,
213 static const struct nft_expr_ops *
214 nft_exthdr_select_ops(const struct nft_ctx *ctx,
215 const struct nlattr * const tb[])
219 if (!tb[NFTA_EXTHDR_OP])
220 return &nft_exthdr_ipv6_ops;
222 op = ntohl(nla_get_u32(tb[NFTA_EXTHDR_OP]));
224 case NFT_EXTHDR_OP_TCPOPT:
225 return &nft_exthdr_tcp_ops;
226 case NFT_EXTHDR_OP_IPV6:
227 return &nft_exthdr_ipv6_ops;
230 return ERR_PTR(-EOPNOTSUPP);
233 static struct nft_expr_type nft_exthdr_type __read_mostly = {
235 .select_ops = nft_exthdr_select_ops,
236 .policy = nft_exthdr_policy,
237 .maxattr = NFTA_EXTHDR_MAX,
238 .owner = THIS_MODULE,
241 static int __init nft_exthdr_module_init(void)
243 return nft_register_expr(&nft_exthdr_type);
246 static void __exit nft_exthdr_module_exit(void)
248 nft_unregister_expr(&nft_exthdr_type);
251 module_init(nft_exthdr_module_init);
252 module_exit(nft_exthdr_module_exit);
254 MODULE_LICENSE("GPL");
255 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
256 MODULE_ALIAS_NFT_EXPR("exthdr");
projects / karo-tx-linux.git / blob