nft_lookup.c - cachepc-linux - Fork of AMDESE/linux with modifications for CachePC side-channel attack

	cachepc-linux Fork of AMDESE/linux with modifications for CachePC side-channel attack
	git clone https://git.sinitax.com/sinitax/cachepc-linux
	Log \| Files \| Refs \| README \| LICENSE \| sfeed.txt
nft_lookup.c (7311B)
      1// SPDX-License-Identifier: GPL-2.0-only
      2/*
      3 * Copyright (c) 2009 Patrick McHardy <kaber@trash.net>
      4 *
      5 * Development of this code funded by Astaro AG (http://www.astaro.com/)
      6 */
      7
      8#include <linux/kernel.h>
      9#include <linux/init.h>
     10#include <linux/list.h>
     11#include <linux/rbtree.h>
     12#include <linux/netlink.h>
     13#include <linux/netfilter.h>
     14#include <linux/netfilter/nf_tables.h>
     15#include <net/netfilter/nf_tables.h>
     16#include <net/netfilter/nf_tables_core.h>
     17
     18struct nft_lookup {
     19	struct nft_set			*set;
     20	u8				sreg;
     21	u8				dreg;
     22	bool				invert;
     23	struct nft_set_binding		binding;
     24};
     25
     26#ifdef CONFIG_RETPOLINE
     27bool nft_set_do_lookup(const struct net *net, const struct nft_set *set,
     28		       const u32 *key, const struct nft_set_ext **ext)
     29{
     30	if (set->ops == &nft_set_hash_fast_type.ops)
     31		return nft_hash_lookup_fast(net, set, key, ext);
     32	if (set->ops == &nft_set_hash_type.ops)
     33		return nft_hash_lookup(net, set, key, ext);
     34
     35	if (set->ops == &nft_set_rhash_type.ops)
     36		return nft_rhash_lookup(net, set, key, ext);
     37
     38	if (set->ops == &nft_set_bitmap_type.ops)
     39		return nft_bitmap_lookup(net, set, key, ext);
     40
     41	if (set->ops == &nft_set_pipapo_type.ops)
     42		return nft_pipapo_lookup(net, set, key, ext);
     43#if defined(CONFIG_X86_64) && !defined(CONFIG_UML)
     44	if (set->ops == &nft_set_pipapo_avx2_type.ops)
     45		return nft_pipapo_avx2_lookup(net, set, key, ext);
     46#endif
     47
     48	if (set->ops == &nft_set_rbtree_type.ops)
     49		return nft_rbtree_lookup(net, set, key, ext);
     50
     51	WARN_ON_ONCE(1);
     52	return set->ops->lookup(net, set, key, ext);
     53}
     54EXPORT_SYMBOL_GPL(nft_set_do_lookup);
     55#endif
     56
     57void nft_lookup_eval(const struct nft_expr *expr,
     58		     struct nft_regs *regs,
     59		     const struct nft_pktinfo *pkt)
     60{
     61	const struct nft_lookup *priv = nft_expr_priv(expr);
     62	const struct nft_set *set = priv->set;
     63	const struct nft_set_ext *ext = NULL;
     64	const struct net *net = nft_net(pkt);
     65	bool found;
     66
     67	found =	nft_set_do_lookup(net, set, &regs->data[priv->sreg], &ext) ^
     68				  priv->invert;
     69	if (!found) {
     70		ext = nft_set_catchall_lookup(net, set);
     71		if (!ext) {
     72			regs->verdict.code = NFT_BREAK;
     73			return;
     74		}
     75	}
     76
     77	if (ext) {
     78		if (set->flags & NFT_SET_MAP)
     79			nft_data_copy(&regs->data[priv->dreg],
     80				      nft_set_ext_data(ext), set->dlen);
     81
     82		nft_set_elem_update_expr(ext, regs, pkt);
     83	}
     84}
     85
     86static const struct nla_policy nft_lookup_policy[NFTA_LOOKUP_MAX + 1] = {
     87	[NFTA_LOOKUP_SET]	= { .type = NLA_STRING,
     88				    .len = NFT_SET_MAXNAMELEN - 1 },
     89	[NFTA_LOOKUP_SET_ID]	= { .type = NLA_U32 },
     90	[NFTA_LOOKUP_SREG]	= { .type = NLA_U32 },
     91	[NFTA_LOOKUP_DREG]	= { .type = NLA_U32 },
     92	[NFTA_LOOKUP_FLAGS]	= { .type = NLA_U32 },
     93};
     94
     95static int nft_lookup_init(const struct nft_ctx *ctx,
     96			   const struct nft_expr *expr,
     97			   const struct nlattr * const tb[])
     98{
     99	struct nft_lookup *priv = nft_expr_priv(expr);
    100	u8 genmask = nft_genmask_next(ctx->net);
    101	struct nft_set *set;
    102	u32 flags;
    103	int err;
    104
    105	if (tb[NFTA_LOOKUP_SET] == NULL ||
    106	    tb[NFTA_LOOKUP_SREG] == NULL)
    107		return -EINVAL;
    108
    109	set = nft_set_lookup_global(ctx->net, ctx->table, tb[NFTA_LOOKUP_SET],
    110				    tb[NFTA_LOOKUP_SET_ID], genmask);
    111	if (IS_ERR(set))
    112		return PTR_ERR(set);
    113
    114	err = nft_parse_register_load(tb[NFTA_LOOKUP_SREG], &priv->sreg,
    115				      set->klen);
    116	if (err < 0)
    117		return err;
    118
    119	if (tb[NFTA_LOOKUP_FLAGS]) {
    120		flags = ntohl(nla_get_be32(tb[NFTA_LOOKUP_FLAGS]));
    121
    122		if (flags & ~NFT_LOOKUP_F_INV)
    123			return -EINVAL;
    124
    125		if (flags & NFT_LOOKUP_F_INV) {
    126			if (set->flags & NFT_SET_MAP)
    127				return -EINVAL;
    128			priv->invert = true;
    129		}
    130	}
    131
    132	if (tb[NFTA_LOOKUP_DREG] != NULL) {
    133		if (priv->invert)
    134			return -EINVAL;
    135		if (!(set->flags & NFT_SET_MAP))
    136			return -EINVAL;
    137
    138		err = nft_parse_register_store(ctx, tb[NFTA_LOOKUP_DREG],
    139					       &priv->dreg, NULL, set->dtype,
    140					       set->dlen);
    141		if (err < 0)
    142			return err;
    143	} else if (set->flags & NFT_SET_MAP)
    144		return -EINVAL;
    145
    146	priv->binding.flags = set->flags & NFT_SET_MAP;
    147
    148	err = nf_tables_bind_set(ctx, set, &priv->binding);
    149	if (err < 0)
    150		return err;
    151
    152	priv->set = set;
    153	return 0;
    154}
    155
    156static void nft_lookup_deactivate(const struct nft_ctx *ctx,
    157				  const struct nft_expr *expr,
    158				  enum nft_trans_phase phase)
    159{
    160	struct nft_lookup *priv = nft_expr_priv(expr);
    161
    162	nf_tables_deactivate_set(ctx, priv->set, &priv->binding, phase);
    163}
    164
    165static void nft_lookup_activate(const struct nft_ctx *ctx,
    166				const struct nft_expr *expr)
    167{
    168	struct nft_lookup *priv = nft_expr_priv(expr);
    169
    170	priv->set->use++;
    171}
    172
    173static void nft_lookup_destroy(const struct nft_ctx *ctx,
    174			       const struct nft_expr *expr)
    175{
    176	struct nft_lookup *priv = nft_expr_priv(expr);
    177
    178	nf_tables_destroy_set(ctx, priv->set);
    179}
    180
    181static int nft_lookup_dump(struct sk_buff *skb, const struct nft_expr *expr)
    182{
    183	const struct nft_lookup *priv = nft_expr_priv(expr);
    184	u32 flags = priv->invert ? NFT_LOOKUP_F_INV : 0;
    185
    186	if (nla_put_string(skb, NFTA_LOOKUP_SET, priv->set->name))
    187		goto nla_put_failure;
    188	if (nft_dump_register(skb, NFTA_LOOKUP_SREG, priv->sreg))
    189		goto nla_put_failure;
    190	if (priv->set->flags & NFT_SET_MAP)
    191		if (nft_dump_register(skb, NFTA_LOOKUP_DREG, priv->dreg))
    192			goto nla_put_failure;
    193	if (nla_put_be32(skb, NFTA_LOOKUP_FLAGS, htonl(flags)))
    194		goto nla_put_failure;
    195	return 0;
    196
    197nla_put_failure:
    198	return -1;
    199}
    200
    201static int nft_lookup_validate_setelem(const struct nft_ctx *ctx,
    202				       struct nft_set *set,
    203				       const struct nft_set_iter *iter,
    204				       struct nft_set_elem *elem)
    205{
    206	const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
    207	struct nft_ctx *pctx = (struct nft_ctx *)ctx;
    208	const struct nft_data *data;
    209	int err;
    210
    211	if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
    212	    *nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
    213		return 0;
    214
    215	data = nft_set_ext_data(ext);
    216	switch (data->verdict.code) {
    217	case NFT_JUMP:
    218	case NFT_GOTO:
    219		pctx->level++;
    220		err = nft_chain_validate(ctx, data->verdict.chain);
    221		if (err < 0)
    222			return err;
    223		pctx->level--;
    224		break;
    225	default:
    226		break;
    227	}
    228
    229	return 0;
    230}
    231
    232static int nft_lookup_validate(const struct nft_ctx *ctx,
    233			       const struct nft_expr *expr,
    234			       const struct nft_data **d)
    235{
    236	const struct nft_lookup *priv = nft_expr_priv(expr);
    237	struct nft_set_iter iter;
    238
    239	if (!(priv->set->flags & NFT_SET_MAP) ||
    240	    priv->set->dtype != NFT_DATA_VERDICT)
    241		return 0;
    242
    243	iter.genmask	= nft_genmask_next(ctx->net);
    244	iter.skip	= 0;
    245	iter.count	= 0;
    246	iter.err	= 0;
    247	iter.fn		= nft_lookup_validate_setelem;
    248
    249	priv->set->ops->walk(ctx, priv->set, &iter);
    250	if (iter.err < 0)
    251		return iter.err;
    252
    253	return 0;
    254}
    255
    256static bool nft_lookup_reduce(struct nft_regs_track *track,
    257			      const struct nft_expr *expr)
    258{
    259	const struct nft_lookup *priv = nft_expr_priv(expr);
    260
    261	if (priv->set->flags & NFT_SET_MAP)
    262		nft_reg_track_cancel(track, priv->dreg, priv->set->dlen);
    263
    264	return false;
    265}
    266
    267static const struct nft_expr_ops nft_lookup_ops = {
    268	.type		= &nft_lookup_type,
    269	.size		= NFT_EXPR_SIZE(sizeof(struct nft_lookup)),
    270	.eval		= nft_lookup_eval,
    271	.init		= nft_lookup_init,
    272	.activate	= nft_lookup_activate,
    273	.deactivate	= nft_lookup_deactivate,
    274	.destroy	= nft_lookup_destroy,
    275	.dump		= nft_lookup_dump,
    276	.validate	= nft_lookup_validate,
    277	.reduce		= nft_lookup_reduce,
    278};
    279
    280struct nft_expr_type nft_lookup_type __read_mostly = {
    281	.name		= "lookup",
    282	.ops		= &nft_lookup_ops,
    283	.policy		= nft_lookup_policy,
    284	.maxattr	= NFTA_LOOKUP_MAX,
    285	.owner		= THIS_MODULE,
    286};