1/*
2 * f_flow.c		Flow filter
3 *
4 *		This program is free software; you can redistribute it and/or
5 *		modify it under the terms of the GNU General Public License
6 *		as published by the Free Software Foundation; either version
7 *		2 of the License, or (at your option) any later version.
8 *
9 * Authors:	Patrick McHardy <kaber@trash.net>
10 */
11#include <stdio.h>
12#include <stdlib.h>
13#include <unistd.h>
14#include <string.h>
15#include <errno.h>
16
17#include "utils.h"
18#include "tc_util.h"
19#include "m_ematch.h"
20
/* Print the usage summary for the "flow" filter on stderr. */
static void explain(void)
{
	/* Contains no conversion specifiers, so it can be written verbatim. */
	static const char usage[] =
		"Usage: ... flow ...\n"
		"\n"
		" [mapping mode]: map key KEY [ OPS ] ...\n"
		" [hashing mode]: hash keys KEY-LIST ... [ perturb SECS ]\n"
		"\n"
		"                 [ divisor NUM ] [ baseclass ID ] [ match EMATCH_TREE ]\n"
		"                 [ action ACTION_SPEC ]\n"
		"\n"
		"KEY-LIST := [ KEY-LIST , ] KEY\n"
		"KEY      := [ src | dst | proto | proto-src | proto-dst | iif | priority | \n"
		"              mark | nfct | nfct-src | nfct-dst | nfct-proto-src | \n"
		"              nfct-proto-dst | rt-classid | sk-uid | sk-gid |\n"
		"              vlan-tag | rxhash ]\n"
		"OPS      := [ or NUM | and NUM | xor NUM | rshift NUM | addend NUM ]\n"
		"ID       := X:Y\n";

	fputs(usage, stderr);
}
41
/*
 * Command-line / display names of the flow keys, indexed by FLOW_KEY_*.
 *
 * flow_parse_keys() turns a name into bit (1 << index) of the key mask and
 * flow_print_opt() turns set bits back into names, so each entry's index
 * must stay equal to its FLOW_KEY_* value.  The array has FLOW_KEY_MAX + 1
 * slots; any slot without an initializer below is a NULL pointer.
 */
static const char *flow_keys[FLOW_KEY_MAX+1] = {
	[FLOW_KEY_SRC]			= "src",
	[FLOW_KEY_DST]			= "dst",
	[FLOW_KEY_PROTO]		= "proto",
	[FLOW_KEY_PROTO_SRC]		= "proto-src",
	[FLOW_KEY_PROTO_DST]		= "proto-dst",
	[FLOW_KEY_IIF]			= "iif",
	[FLOW_KEY_PRIORITY]		= "priority",
	[FLOW_KEY_MARK]			= "mark",
	[FLOW_KEY_NFCT]			= "nfct",
	[FLOW_KEY_NFCT_SRC]		= "nfct-src",
	[FLOW_KEY_NFCT_DST]		= "nfct-dst",
	[FLOW_KEY_NFCT_PROTO_SRC]	= "nfct-proto-src",
	[FLOW_KEY_NFCT_PROTO_DST]	= "nfct-proto-dst",
	[FLOW_KEY_RTCLASSID]		= "rt-classid",
	[FLOW_KEY_SKUID]		= "sk-uid",
	[FLOW_KEY_SKGID]		= "sk-gid",
	[FLOW_KEY_VLAN_TAG]		= "vlan-tag",
	[FLOW_KEY_RXHASH]		= "rxhash",
};
62
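/*
 * Parse a comma-separated list of flow key names into a key bitmask.
 *
 * @keys:  out; bit (1 << FLOW_KEY_x) is set for every key named in the list
 * @nkeys: out; number of distinct bits set in *keys
 * @argv:  the list text; modified in place (each ',' becomes '\0')
 *
 * Names are compared with matches() against the flow_keys[] table, and the
 * first table entry that matches wins.
 *
 * Returns 0 on success, or -1 after printing a diagnostic for an element
 * that is empty or names no known key.
 */
static int flow_parse_keys(__u32 *keys, __u32 *nkeys, char *argv)
{
	char *s, *sep;
	unsigned int i;
	__u32 bit;

	*keys = 0;
	*nkeys = 0;
	s = argv;
	while (s != NULL) {
		sep = strchr(s, ',');
		if (sep)
			*sep = '\0';

		/*
		 * Reject an empty element ("src,,dst", trailing comma) up
		 * front.  matches() is defined elsewhere; if it treats an
		 * empty string as an abbreviation of anything, the element
		 * would silently select the first key.
		 */
		i = FLOW_KEY_MAX + 1;
		if (*s != '\0') {
			for (i = 0; i <= FLOW_KEY_MAX; i++) {
				/* Slots without a name are NULL; never hand them to matches(). */
				if (flow_keys[i] != NULL &&
				    matches(s, flow_keys[i]) == 0)
					break;
			}
		}
		if (i > FLOW_KEY_MAX) {
			fprintf(stderr, "Unknown flow key \"%s\"\n", s);
			return -1;
		}

		/*
		 * Unsigned shift: well defined for every bit of a __u32.
		 * A key repeated in the list is counted once, so *nkeys
		 * always equals the number of bits set in *keys.
		 */
		bit = 1U << i;
		if (!(*keys & bit)) {
			*keys |= bit;
			(*nkeys)++;
		}

		s = sep ? sep + 1 : NULL;
	}
	return 0;
}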
91
/*
 * Fold one more bit operation into an accumulated (mask, xor) pair.
 *
 * The pair is updated as: *xor = x ^ (*xor & m), then *mask &= m.
 * The callers in this file pass (m, 0) for "and", (~v, v) for "or" and
 * (~0, v) for "xor".
 */
static void transfer_bitop(__u32 *mask, __u32 *xor, __u32 m, __u32 x)
{
	/* Compute and store the new xor value first, then narrow the mask. */
	const __u32 folded = (*xor & m) ^ x;

	*xor = folded;
	*mask = *mask & m;
}
97
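/*
 * Parse the value of the "addend" option.
 *
 * @addend: out; the parsed value, negated (modulo 2^32) if the text
 *          started with '-'
 * @argv:   option text: a number accepted by get_u32(), or, when an
 *          address-type key is selected in @keys, an address accepted by
 *          get_addr()
 * @keys:   bitmask of the keys selected so far, one bit (1 << FLOW_KEY_x)
 *          per key
 *
 * For an address, the value is addr.data[0] (AF_INET) or addr.data[3]
 * (AF_INET6) converted with ntohl().
 *
 * Returns 0 on success, -1 if the text is neither form.
 */
static int get_addend(__u32 *addend, char *argv, __u32 keys)
{
	/*
	 * FLOW_KEY_* are bit positions in the key mask (the same values index
	 * flow_keys[] and are shifted into the mask by flow_parse_keys()).
	 * They must be shifted before being tested; OR-ing the raw enum
	 * values together tests unrelated bits of @keys.
	 */
	const __u32 addr_keys = (1U << FLOW_KEY_SRC) |
				(1U << FLOW_KEY_DST) |
				(1U << FLOW_KEY_NFCT_SRC) |
				(1U << FLOW_KEY_NFCT_DST);
	inet_prefix addr;
	int sign = 0;
	__u32 tmp;

	if (*argv == '-') {
		sign = 1;
		argv++;
	}

	/* Plain number first; fall back to an address only if that fails. */
	if (get_u32(&tmp, argv, 0) == 0)
		goto out;

	if ((keys & addr_keys) &&
	    get_addr(&addr, argv, AF_UNSPEC) == 0) {
		switch (addr.family) {
		case AF_INET:
			tmp = ntohl(addr.data[0]);
			goto out;
		case AF_INET6:
			tmp = ntohl(addr.data[3]);
			goto out;
		default:
			/* Any other family is rejected below. */
			break;
		}
	}

	return -1;
out:
	/* Unsigned negation wraps modulo 2^32, which is the intended encoding. */
	if (sign)
		tmp = -tmp;
	*addend = tmp;
	return 0;
}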
132
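/*
 * Parse the command-line options of a "flow" filter and append them to the
 * netlink request @n as attributes nested inside TCA_OPTIONS.
 *
 * @fu:     filter descriptor (not used here)
 * @handle: optional handle text; when non-NULL it is parsed into
 *          t->tcm_handle
 * @argc:   number of remaining arguments
 * @argv:   remaining arguments
 * @n:      netlink message being built; attributes are added with a
 *          maximum message length of 4096
 *
 * Attributes are appended in the order the options appear on the command
 * line.  "addend" is parsed against the keys seen so far, so an
 * address-form addend is only accepted when "keys" precedes it.
 * TCA_FLOW_MODE is always added; TCA_FLOW_MASK and TCA_FLOW_XOR are added
 * only when the accumulated and/or/xor operations are not the identity.
 *
 * Returns 0 on success, -1 after printing a diagnostic on a bad option.
 *
 * NOTE(review): the return values of addattr_l()/addattr32() are not
 * checked in this function; confirm how libnetlink reports an attribute
 * that does not fit within the 4096-byte limit, since a dropped attribute
 * would change what the filter matches.
 */
static int flow_parse_opt(struct filter_util *fu, char *handle,
			  int argc, char **argv, struct nlmsghdr *n)
{
	struct tcmsg *t = NLMSG_DATA(n);
	struct rtattr *tail;
	__u32 mask = ~0U, xor = 0;
	__u32 keys = 0, nkeys = 0;
	__u32 mode = FLOW_MODE_MAP;
	__u32 tmp;

	if (handle) {
		if (get_u32(&t->tcm_handle, handle, 0)) {
			fprintf(stderr, "Illegal \"handle\"\n");
			return -1;
		}
	}

	/* Remember where the nested TCA_OPTIONS attribute starts. */
	tail = NLMSG_TAIL(n);
	addattr_l(n, 4096, TCA_OPTIONS, NULL, 0);

	while (argc > 0) {
		if (matches(*argv, "map") == 0) {
			mode = FLOW_MODE_MAP;
		} else if (matches(*argv, "hash") == 0) {
			mode = FLOW_MODE_HASH;
		} else if (matches(*argv, "keys") == 0) {
			NEXT_ARG();
			if (flow_parse_keys(&keys, &nkeys, *argv))
				return -1;
			addattr32(n, 4096, TCA_FLOW_KEYS, keys);
		} else if (matches(*argv, "and") == 0) {
			NEXT_ARG();
			if (get_u32(&tmp, *argv, 0)) {
				fprintf(stderr, "Illegal \"mask\"\n");
				return -1;
			}
			transfer_bitop(&mask, &xor, tmp, 0);
		} else if (matches(*argv, "or") == 0) {
			NEXT_ARG();
			if (get_u32(&tmp, *argv, 0)) {
				fprintf(stderr, "Illegal \"or\"\n");
				return -1;
			}
			transfer_bitop(&mask, &xor, ~tmp, tmp);
		} else if (matches(*argv, "xor") == 0) {
			NEXT_ARG();
			if (get_u32(&tmp, *argv, 0)) {
				fprintf(stderr, "Illegal \"xor\"\n");
				return -1;
			}
			transfer_bitop(&mask, &xor, ~0, tmp);
		} else if (matches(*argv, "rshift") == 0) {
			NEXT_ARG();
			if (get_u32(&tmp, *argv, 0)) {
				fprintf(stderr, "Illegal \"rshift\"\n");
				return -1;
			}
			addattr32(n, 4096, TCA_FLOW_RSHIFT, tmp);
		} else if (matches(*argv, "addend") == 0) {
			NEXT_ARG();
			/* Uses the keys parsed so far to decide whether an address is allowed. */
			if (get_addend(&tmp, *argv, keys)) {
				fprintf(stderr, "Illegal \"addend\"\n");
				return -1;
			}
			addattr32(n, 4096, TCA_FLOW_ADDEND, tmp);
		} else if (matches(*argv, "divisor") == 0) {
			NEXT_ARG();
			if (get_u32(&tmp, *argv, 0)) {
				fprintf(stderr, "Illegal \"divisor\"\n");
				return -1;
			}
			addattr32(n, 4096, TCA_FLOW_DIVISOR, tmp);
		} else if (matches(*argv, "baseclass") == 0) {
			NEXT_ARG();
			/* A class id whose minor part is zero is rejected. */
			if (get_tc_classid(&tmp, *argv) || TC_H_MIN(tmp) == 0) {
				fprintf(stderr, "Illegal \"baseclass\"\n");
				return -1;
			}
			addattr32(n, 4096, TCA_FLOW_BASECLASS, tmp);
		} else if (matches(*argv, "perturb") == 0) {
			NEXT_ARG();
			if (get_u32(&tmp, *argv, 0)) {
				fprintf(stderr, "Illegal \"perturb\"\n");
				return -1;
			}
			addattr32(n, 4096, TCA_FLOW_PERTURB, tmp);
		} else if (matches(*argv, "police") == 0) {
			NEXT_ARG();
			if (parse_police(&argc, &argv, TCA_FLOW_POLICE, n)) {
				fprintf(stderr, "Illegal \"police\"\n");
				return -1;
			}
			/*
			 * The sub-parser receives &argc/&argv; presumably it
			 * advances them itself, hence no argv++ here.
			 */
			continue;
		} else if (matches(*argv, "action") == 0) {
			NEXT_ARG();
			if (parse_action(&argc, &argv, TCA_FLOW_ACT, n)) {
				fprintf(stderr, "Illegal \"action\"\n");
				return -1;
			}
			continue;
		} else if (matches(*argv, "match") == 0) {
			NEXT_ARG();
			if (parse_ematch(&argc, &argv, TCA_FLOW_EMATCHES, n)) {
				fprintf(stderr, "Illegal \"ematch\"\n");
				return -1;
			}
			continue;
		} else if (matches(*argv, "help") == 0) {
			explain();
			return -1;
		} else {
			fprintf(stderr, "What is \"%s\"?\n", *argv);
			explain();
			return -1;
		}
		argv++, argc--;
	}

	/* Several keys can only be combined by hashing. */
	if (nkeys > 1 && mode != FLOW_MODE_HASH) {
		fprintf(stderr, "Invalid mode \"map\" for multiple keys\n");
		return -1;
	}
	addattr32(n, 4096, TCA_FLOW_MODE, mode);

	/* Skip the mask/xor pair when no and/or/xor option changed it. */
	if (mask != ~0U || xor != 0) {
		addattr32(n, 4096, TCA_FLOW_MASK, mask);
		addattr32(n, 4096, TCA_FLOW_XOR, xor);
	}

	/* Close TCA_OPTIONS: its length is everything appended since 'tail'. */
	tail->rta_len = (void *)NLMSG_TAIL(n) - (void *)tail;
	return 0;
}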
268
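/*
 * Print the options of a "flow" filter in command-line form.
 *
 * @fu:     filter descriptor (not used here)
 * @f:      output stream
 * @opt:    nested attribute holding the TCA_FLOW_* attributes
 * @handle: filter handle, printed first
 *
 * Only attributes present in @opt are printed.  The mask/xor pair is
 * decomposed back into "and", "xor" and "or" terms.
 *
 * Returns 0 on success, -EINVAL if @opt is NULL.
 *
 * NOTE(review): attribute payload sizes are not checked here before
 * rta_getattr_u32() reads them; presumably the sender always supplies
 * 4-byte values - confirm.
 */
static int flow_print_opt(struct filter_util *fu, FILE *f, struct rtattr *opt,
			  __u32 handle)
{
	struct rtattr *tb[TCA_FLOW_MAX+1];
	SPRINT_BUF(b1);
	unsigned int i;
	__u32 mask = ~0U, val = 0;

	if (opt == NULL)
		return -EINVAL;

	parse_rtattr_nested(tb, TCA_FLOW_MAX, opt);

	fprintf(f, "handle 0x%x ", handle);

	if (tb[TCA_FLOW_MODE]) {
		__u32 mode = rta_getattr_u32(tb[TCA_FLOW_MODE]);

		/* A mode value other than these two prints nothing. */
		switch (mode) {
		case FLOW_MODE_MAP:
			fprintf(f, "map ");
			break;
		case FLOW_MODE_HASH:
			fprintf(f, "hash ");
			break;
		}
	}

	if (tb[TCA_FLOW_KEYS]) {
		__u32 keymask = rta_getattr_u32(tb[TCA_FLOW_KEYS]);
		const char *sep = "";

		fprintf(f, "keys ");
		for (i = 0; i <= FLOW_KEY_MAX; i++) {
			/*
			 * Unsigned shift is defined for every bit of a __u32.
			 * A bit with no name in flow_keys[] is skipped:
			 * passing NULL to "%s" is undefined behaviour.
			 */
			if (!(keymask & (1U << i)) || flow_keys[i] == NULL)
				continue;
			fprintf(f, "%s%s", sep, flow_keys[i]);
			sep = ",";
		}
		fprintf(f, " ");
	}

	if (tb[TCA_FLOW_MASK])
		mask = rta_getattr_u32(tb[TCA_FLOW_MASK]);
	if (tb[TCA_FLOW_XOR])
		val = rta_getattr_u32(tb[TCA_FLOW_XOR]);

	if (mask != ~0U || val != 0) {
		/* Bits of val outside the mask are "or" bits, those inside are "xor" bits. */
		__u32 or = (mask & val) ^ val;
		__u32 xor = mask & val;

		if (mask != ~0U)
			fprintf(f, "and 0x%.8x ", mask);
		if (xor != 0)
			fprintf(f, "xor 0x%.8x ", xor);
		if (or != 0)
			fprintf(f, "or 0x%.8x ", or);
	}

	if (tb[TCA_FLOW_RSHIFT])
		fprintf(f, "rshift %u ",
			rta_getattr_u32(tb[TCA_FLOW_RSHIFT]));
	if (tb[TCA_FLOW_ADDEND])
		fprintf(f, "addend 0x%x ",
			rta_getattr_u32(tb[TCA_FLOW_ADDEND]));

	if (tb[TCA_FLOW_DIVISOR])
		fprintf(f, "divisor %u ",
			rta_getattr_u32(tb[TCA_FLOW_DIVISOR]));
	if (tb[TCA_FLOW_BASECLASS])
		fprintf(f, "baseclass %s ",
			sprint_tc_classid(rta_getattr_u32(tb[TCA_FLOW_BASECLASS]), b1));

	if (tb[TCA_FLOW_PERTURB])
		fprintf(f, "perturb %usec ",
			rta_getattr_u32(tb[TCA_FLOW_PERTURB]));

	if (tb[TCA_FLOW_EMATCHES])
		print_ematch(f, tb[TCA_FLOW_EMATCHES]);
	if (tb[TCA_FLOW_POLICE])
		tc_print_police(f, tb[TCA_FLOW_POLICE]);
	if (tb[TCA_FLOW_ACT]) {
		fprintf(f, "\n");
		tc_print_action(f, tb[TCA_FLOW_ACT]);
	}
	return 0;
}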
356
/*
 * Filter descriptor for the "flow" filter: binds the identifier string to
 * the option parser and the option printer of this file.  It has external
 * linkage; how it is looked up is not shown in this file.
 */
struct filter_util flow_filter_util = {
	.id		= "flow",
	.parse_fopt	= flow_parse_opt,
	.print_fopt	= flow_print_opt,
};
362