net/npf/npf_bpf.c

4e592132Srmind/*-
4e592132Srmind * Copyright (c) 2009-2013 The NetBSD Foundation, Inc.
4e592132Srmind * All rights reserved.
4e592132Srmind *
4e592132Srmind * This material is based upon work partially supported by The
4e592132Srmind * NetBSD Foundation under a contract with Mindaugas Rasiukevicius.
4e592132Srmind *
4e592132Srmind * Redistribution and use in source and binary forms, with or without
4e592132Srmind * modification, are permitted provided that the following conditions
4e592132Srmind * are met:
4e592132Srmind * 1. Redistributions of source code must retain the above copyright
4e592132Srmind *    notice, this list of conditions and the following disclaimer.
4e592132Srmind * 2. Redistributions in binary form must reproduce the above copyright
4e592132Srmind *    notice, this list of conditions and the following disclaimer in the
4e592132Srmind *    documentation and/or other materials provided with the distribution.
4e592132Srmind *
4e592132Srmind * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
4e592132Srmind * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
4e592132Srmind * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
4e592132Srmind * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
4e592132Srmind * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
4e592132Srmind * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
4e592132Srmind * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
4e592132Srmind * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
4e592132Srmind * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
4e592132Srmind * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
4e592132Srmind * POSSIBILITY OF SUCH DAMAGE.
4e592132Srmind */
4e592132Srmind
4e592132Srmind/*
4e592132Srmind * NPF byte-code processing.
4e592132Srmind */
4e592132Srmind
f75d79ebSchristos#ifdef _KERNEL
4e592132Srmind#include <sys/cdefs.h>
*39013e66Srmind__KERNEL_RCSID(0, "$NetBSD: npf_bpf.c,v 1.14 2018/09/29 14:41:36 rmind Exp $");
4e592132Srmind
4e592132Srmind#include <sys/types.h>
4e592132Srmind#include <sys/param.h>
4e592132Srmind
263d30c4Srmind#include <sys/bitops.h>
4e592132Srmind#include <sys/mbuf.h>
c782c888Srmind#include <net/bpf.h>
f75d79ebSchristos#endif
4e592132Srmind
4e592132Srmind#define NPF_BPFCOP
4e592132Srmind#include "npf_impl.h"
4e592132Srmind
f75d79ebSchristos#if defined(_NPF_STANDALONE)
f75d79ebSchristos#define	m_length(m)		(nbuf)->nb_mops->getchainlen(m)
f75d79ebSchristos#endif
f75d79ebSchristos
4e592132Srmind/*
4e592132Srmind * BPF context and the coprocessor.
4e592132Srmind */
4e592132Srmind
4e592132Srmindstatic bpf_ctx_t *npf_bpfctx __read_mostly;
4e592132Srmind
f9dc8d88Salnsnstatic uint32_t	npf_cop_l3(const bpf_ctx_t *, bpf_args_t *, uint32_t);
f9dc8d88Salnsnstatic uint32_t	npf_cop_table(const bpf_ctx_t *, bpf_args_t *, uint32_t);
4e592132Srmind
4e592132Srmindstatic const bpf_copfunc_t npf_bpfcop[] = {
4e592132Srmind	[NPF_COP_L3]	= npf_cop_l3,
4e592132Srmind	[NPF_COP_TABLE]	= npf_cop_table,
4e592132Srmind};
4e592132Srmind
263d30c4Srmind#define	BPF_MW_ALLMASK \
263d30c4Srmind    ((1U << BPF_MW_IPVER) | (1U << BPF_MW_L4OFF) | (1U << BPF_MW_L4PROTO))
263d30c4Srmind
4e592132Srmindvoid
4e592132Srmindnpf_bpf_sysinit(void)
4e592132Srmind{
4e592132Srmind	npf_bpfctx = bpf_create();
4e592132Srmind	bpf_set_cop(npf_bpfctx, npf_bpfcop, __arraycount(npf_bpfcop));
263d30c4Srmind	bpf_set_extmem(npf_bpfctx, NPF_BPF_NWORDS, BPF_MW_ALLMASK);
4e592132Srmind}
4e592132Srmind
4e592132Srmindvoid
4e592132Srmindnpf_bpf_sysfini(void)
4e592132Srmind{
4e592132Srmind	bpf_destroy(npf_bpfctx);
4e592132Srmind}
4e592132Srmind
263d30c4Srmindvoid
a7d2a608Srmindnpf_bpf_prepare(npf_cache_t *npc, bpf_args_t *args, uint32_t *M)
263d30c4Srmind{
f75d79ebSchristos	nbuf_t *nbuf = npc->npc_nbuf;
f75d79ebSchristos	const struct mbuf *mbuf = nbuf_head_mbuf(nbuf);
263d30c4Srmind	const size_t pktlen = m_length(mbuf);
263d30c4Srmind
263d30c4Srmind	/* Prepare the arguments for the BPF programs. */
f75d79ebSchristos#ifdef _NPF_STANDALONE
f75d79ebSchristos	args->pkt = (const uint8_t *)nbuf_dataptr(nbuf);
f75d79ebSchristos	args->wirelen = args->buflen = pktlen;
f75d79ebSchristos#else
263d30c4Srmind	args->pkt = (const uint8_t *)mbuf;
263d30c4Srmind	args->wirelen = pktlen;
263d30c4Srmind	args->buflen = 0;
f75d79ebSchristos#endif
9c7a886eSrmind	args->mem = M;
263d30c4Srmind	args->arg = npc;
9c7a886eSrmind
9c7a886eSrmind	/*
9c7a886eSrmind	 * Convert address length to IP version.  Just mask out
9c7a886eSrmind	 * number 4 or set 6 if higher bits set, such that:
9c7a886eSrmind	 *
9c7a886eSrmind	 *	0	=>	0
9c7a886eSrmind	 *	4	=>	4 (IPVERSION)
9c7a886eSrmind	 *	16	=>	6 (IPV6_VERSION >> 4)
9c7a886eSrmind	 */
9c7a886eSrmind	const u_int alen = npc->npc_alen;
9c7a886eSrmind	const uint32_t ver = (alen & 4) | ((alen >> 4) * 6);
9c7a886eSrmind
9c7a886eSrmind	/*
9c7a886eSrmind	 * Output words in the memory store:
9c7a886eSrmind	 *	BPF_MW_IPVER	IP version (4 or 6).
9c7a886eSrmind	 *	BPF_MW_L4OFF	L4 header offset.
9c7a886eSrmind	 *	BPF_MW_L4PROTO	L4 protocol.
9c7a886eSrmind	 */
9c7a886eSrmind	M[BPF_MW_IPVER] = ver;
9c7a886eSrmind	M[BPF_MW_L4OFF] = npc->npc_hlen;
9c7a886eSrmind	M[BPF_MW_L4PROTO] = npc->npc_proto;
263d30c4Srmind}
263d30c4Srmind
4e592132Srmindint
c4d05d45Srmindnpf_bpf_filter(bpf_args_t *args, const void *code, bpfjit_func_t jcode)
4e592132Srmind{
c4d05d45Srmind	/* Execute JIT-compiled code. */
4e592132Srmind	if (__predict_true(jcode)) {
c4d05d45Srmind		return jcode(npf_bpfctx, args);
4e592132Srmind	}
9c7a886eSrmind
4e592132Srmind	/* Execute BPF byte-code. */
c4d05d45Srmind	return bpf_filter_ext(npf_bpfctx, code, args);
4e592132Srmind}
4e592132Srmind
c782c888Srmindvoid *
c782c888Srmindnpf_bpf_compile(void *code, size_t size)
c782c888Srmind{
c782c888Srmind	return bpf_jit_generate(npf_bpfctx, code, size);
c782c888Srmind}
c782c888Srmind
4e592132Srmindbool
4e592132Srmindnpf_bpf_validate(const void *code, size_t len)
4e592132Srmind{
4e592132Srmind	const size_t icount = len / sizeof(struct bpf_insn);
4e592132Srmind	return bpf_validate_ext(npf_bpfctx, code, icount) != 0;
4e592132Srmind}
4e592132Srmind
4e592132Srmind/*
4e592132Srmind * NPF_COP_L3: fetches layer 3 information.
4e592132Srmind */
4e592132Srmindstatic uint32_t
f9dc8d88Salnsnnpf_cop_l3(const bpf_ctx_t *bc, bpf_args_t *args, uint32_t A)
4e592132Srmind{
d0748eb9Srmind	const npf_cache_t * const npc = (const npf_cache_t *)args->arg;
9c7a886eSrmind	const uint32_t ver = (npc->npc_alen & 4) | ((npc->npc_alen >> 4) * 6);
d0748eb9Srmind	uint32_t * const M = args->mem;
4e592132Srmind
4e592132Srmind	M[BPF_MW_IPVER] = ver;
4e592132Srmind	M[BPF_MW_L4OFF] = npc->npc_hlen;
4e592132Srmind	M[BPF_MW_L4PROTO] = npc->npc_proto;
9c7a886eSrmind	return ver; /* A <- IP version */
4e592132Srmind}
4e592132Srmind
4e592132Srmind#define	SRC_FLAG_BIT	(1U << 31)
4e592132Srmind
4e592132Srmind/*
4e592132Srmind * NPF_COP_TABLE: perform NPF table lookup.
4e592132Srmind *
4e592132Srmind *	A <- non-zero (true) if found and zero (false) otherwise
4e592132Srmind */
4e592132Srmindstatic uint32_t
f9dc8d88Salnsnnpf_cop_table(const bpf_ctx_t *bc, bpf_args_t *args, uint32_t A)
4e592132Srmind{
d0748eb9Srmind	const npf_cache_t * const npc = (const npf_cache_t *)args->arg;
f75d79ebSchristos	npf_tableset_t *tblset = npf_config_tableset(npc->npc_ctx);
4e592132Srmind	const uint32_t tid = A & (SRC_FLAG_BIT - 1);
4e592132Srmind	const npf_addr_t *addr;
1e7342c1Srmind	npf_table_t *t;
4e592132Srmind
0def1972Srmind	if (!npf_iscached(npc, NPC_IP46)) {
0def1972Srmind		return 0;
0def1972Srmind	}
0def1972Srmind	t = npf_tableset_getbyid(tblset, tid);
0def1972Srmind	if (__predict_false(!t)) {
1e7342c1Srmind		return 0;
1e7342c1Srmind	}
8a8347bdSrmind	addr = npc->npc_ips[(A & SRC_FLAG_BIT) ? NPF_SRC : NPF_DST];
1e7342c1Srmind	return npf_table_lookup(t, npc->npc_alen, addr) == 0;
4e592132Srmind}