1 /* netfilter.c: look after the filters for various protocols.
2 * Heavily influenced by the old firewall.c by David Bonn and Alan Cox.
4 * Thanks to Rob `CmdrTaco' Malda for not influencing this code in any
7 * Rusty Russell (C)2000 -- This code is GPL.
8 * Patrick McHardy (c) 2006-2012
10 #include <linux/kernel.h>
11 #include <linux/netfilter.h>
12 #include <net/protocol.h>
13 #include <linux/init.h>
14 #include <linux/skbuff.h>
15 #include <linux/wait.h>
16 #include <linux/module.h>
17 #include <linux/interrupt.h>
19 #include <linux/netdevice.h>
20 #include <linux/netfilter_ipv6.h>
21 #include <linux/inetdevice.h>
22 #include <linux/proc_fs.h>
23 #include <linux/mutex.h>
24 #include <linux/slab.h>
25 #include <net/net_namespace.h>
28 #include "nf_internals.h"
30 static DEFINE_MUTEX(afinfo_mutex);
32 const struct nf_afinfo __rcu *nf_afinfo[NFPROTO_NUMPROTO] __read_mostly;
33 EXPORT_SYMBOL(nf_afinfo);
34 const struct nf_ipv6_ops __rcu *nf_ipv6_ops __read_mostly;
35 EXPORT_SYMBOL_GPL(nf_ipv6_ops);
37 DEFINE_PER_CPU(bool, nf_skb_duplicated);
38 EXPORT_SYMBOL_GPL(nf_skb_duplicated);
40 int nf_register_afinfo(const struct nf_afinfo *afinfo)
42 mutex_lock(&afinfo_mutex);
43 RCU_INIT_POINTER(nf_afinfo[afinfo->family], afinfo);
44 mutex_unlock(&afinfo_mutex);
47 EXPORT_SYMBOL_GPL(nf_register_afinfo);
49 void nf_unregister_afinfo(const struct nf_afinfo *afinfo)
51 mutex_lock(&afinfo_mutex);
52 RCU_INIT_POINTER(nf_afinfo[afinfo->family], NULL);
53 mutex_unlock(&afinfo_mutex);
56 EXPORT_SYMBOL_GPL(nf_unregister_afinfo);
58 #ifdef HAVE_JUMP_LABEL
59 struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
60 EXPORT_SYMBOL(nf_hooks_needed);
63 static DEFINE_MUTEX(nf_hook_mutex);
65 static struct list_head *nf_find_hook_list(struct net *net,
66 const struct nf_hook_ops *reg)
68 struct list_head *hook_list = NULL;
70 if (reg->pf != NFPROTO_NETDEV)
71 hook_list = &net->nf.hooks[reg->pf][reg->hooknum];
72 else if (reg->hooknum == NF_NETDEV_INGRESS) {
73 #ifdef CONFIG_NETFILTER_INGRESS
74 if (reg->dev && dev_net(reg->dev) == net)
75 hook_list = ®->dev->nf_hooks_ingress;
81 struct nf_hook_entry {
82 const struct nf_hook_ops *orig_ops;
83 struct nf_hook_ops ops;
86 int nf_register_net_hook(struct net *net, const struct nf_hook_ops *reg)
88 struct list_head *hook_list;
89 struct nf_hook_entry *entry;
90 struct nf_hook_ops *elem;
92 if (reg->pf == NFPROTO_NETDEV &&
93 (reg->hooknum != NF_NETDEV_INGRESS ||
94 !reg->dev || dev_net(reg->dev) != net))
97 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
101 entry->orig_ops = reg;
104 hook_list = nf_find_hook_list(net, reg);
110 mutex_lock(&nf_hook_mutex);
111 list_for_each_entry(elem, hook_list, list) {
112 if (reg->priority < elem->priority)
115 list_add_rcu(&entry->ops.list, elem->list.prev);
116 mutex_unlock(&nf_hook_mutex);
117 #ifdef CONFIG_NETFILTER_INGRESS
118 if (reg->pf == NFPROTO_NETDEV && reg->hooknum == NF_NETDEV_INGRESS)
119 net_inc_ingress_queue();
121 #ifdef HAVE_JUMP_LABEL
122 static_key_slow_inc(&nf_hooks_needed[reg->pf][reg->hooknum]);
126 EXPORT_SYMBOL(nf_register_net_hook);
128 void nf_unregister_net_hook(struct net *net, const struct nf_hook_ops *reg)
130 struct list_head *hook_list;
131 struct nf_hook_entry *entry;
132 struct nf_hook_ops *elem;
134 hook_list = nf_find_hook_list(net, reg);
138 mutex_lock(&nf_hook_mutex);
139 list_for_each_entry(elem, hook_list, list) {
140 entry = container_of(elem, struct nf_hook_entry, ops);
141 if (entry->orig_ops == reg) {
142 list_del_rcu(&entry->ops.list);
146 mutex_unlock(&nf_hook_mutex);
147 if (&elem->list == hook_list) {
148 WARN(1, "nf_unregister_net_hook: hook not found!\n");
151 #ifdef CONFIG_NETFILTER_INGRESS
152 if (reg->pf == NFPROTO_NETDEV && reg->hooknum == NF_NETDEV_INGRESS)
153 net_dec_ingress_queue();
155 #ifdef HAVE_JUMP_LABEL
156 static_key_slow_dec(&nf_hooks_needed[reg->pf][reg->hooknum]);
159 nf_queue_nf_hook_drop(net, &entry->ops);
160 /* other cpu might still process nfqueue verdict that used reg */
164 EXPORT_SYMBOL(nf_unregister_net_hook);
166 int nf_register_net_hooks(struct net *net, const struct nf_hook_ops *reg,
172 for (i = 0; i < n; i++) {
173 err = nf_register_net_hook(net, ®[i]);
181 nf_unregister_net_hooks(net, reg, i);
184 EXPORT_SYMBOL(nf_register_net_hooks);
186 void nf_unregister_net_hooks(struct net *net, const struct nf_hook_ops *reg,
190 nf_unregister_net_hook(net, ®[n]);
192 EXPORT_SYMBOL(nf_unregister_net_hooks);
194 static LIST_HEAD(nf_hook_list);
196 int nf_register_hook(struct nf_hook_ops *reg)
198 struct net *net, *last;
203 ret = nf_register_net_hook(net, reg);
204 if (ret && ret != -ENOENT)
207 list_add_tail(®->list, &nf_hook_list);
216 nf_unregister_net_hook(net, reg);
221 EXPORT_SYMBOL(nf_register_hook);
223 void nf_unregister_hook(struct nf_hook_ops *reg)
228 list_del(®->list);
230 nf_unregister_net_hook(net, reg);
233 EXPORT_SYMBOL(nf_unregister_hook);
235 int nf_register_hooks(struct nf_hook_ops *reg, unsigned int n)
240 for (i = 0; i < n; i++) {
241 err = nf_register_hook(®[i]);
249 nf_unregister_hooks(reg, i);
252 EXPORT_SYMBOL(nf_register_hooks);
254 void nf_unregister_hooks(struct nf_hook_ops *reg, unsigned int n)
257 nf_unregister_hook(®[n]);
259 EXPORT_SYMBOL(nf_unregister_hooks);
261 unsigned int nf_iterate(struct list_head *head,
263 struct nf_hook_state *state,
264 struct nf_hook_ops **elemp)
266 unsigned int verdict;
269 * The caller must not block between calls to this
270 * function because of risk of continuing from deleted element.
272 list_for_each_entry_continue_rcu((*elemp), head, list) {
273 if (state->thresh > (*elemp)->priority)
276 /* Optimization: we don't need to hold module
277 reference here, since function can't sleep. --RR */
279 verdict = (*elemp)->hook((*elemp)->priv, skb, state);
280 if (verdict != NF_ACCEPT) {
281 #ifdef CONFIG_NETFILTER_DEBUG
282 if (unlikely((verdict & NF_VERDICT_MASK)
284 NFDEBUG("Evil return from %p(%u).\n",
285 (*elemp)->hook, state->hook);
289 if (verdict != NF_REPEAT)
298 /* Returns 1 if okfn() needs to be executed by the caller,
299 * -EPERM for NF_DROP, 0 otherwise. Caller must hold rcu_read_lock. */
300 int nf_hook_slow(struct sk_buff *skb, struct nf_hook_state *state)
302 struct nf_hook_ops *elem;
303 unsigned int verdict;
306 elem = list_entry_rcu(state->hook_list, struct nf_hook_ops, list);
308 verdict = nf_iterate(state->hook_list, skb, state, &elem);
309 if (verdict == NF_ACCEPT || verdict == NF_STOP) {
311 } else if ((verdict & NF_VERDICT_MASK) == NF_DROP) {
313 ret = NF_DROP_GETERR(verdict);
316 } else if ((verdict & NF_VERDICT_MASK) == NF_QUEUE) {
317 int err = nf_queue(skb, elem, state,
318 verdict >> NF_VERDICT_QBITS);
321 (verdict & NF_VERDICT_FLAG_QUEUE_BYPASS))
328 EXPORT_SYMBOL(nf_hook_slow);
331 int skb_make_writable(struct sk_buff *skb, unsigned int writable_len)
333 if (writable_len > skb->len)
336 /* Not exclusive use of packet? Must copy. */
337 if (!skb_cloned(skb)) {
338 if (writable_len <= skb_headlen(skb))
340 } else if (skb_clone_writable(skb, writable_len))
343 if (writable_len <= skb_headlen(skb))
346 writable_len -= skb_headlen(skb);
348 return !!__pskb_pull_tail(skb, writable_len);
350 EXPORT_SYMBOL(skb_make_writable);
352 /* This needs to be compiled in any case to avoid dependencies between the
353 * nfnetlink_queue code and nf_conntrack.
355 struct nfnl_ct_hook __rcu *nfnl_ct_hook __read_mostly;
356 EXPORT_SYMBOL_GPL(nfnl_ct_hook);
358 #if IS_ENABLED(CONFIG_NF_CONNTRACK)
359 /* This does not belong here, but locally generated errors need it if connection
360 tracking in use: without this, connection may not be in hash table, and hence
361 manufactured ICMP or RST packets will not be associated with it. */
362 void (*ip_ct_attach)(struct sk_buff *, const struct sk_buff *)
364 EXPORT_SYMBOL(ip_ct_attach);
366 void nf_ct_attach(struct sk_buff *new, const struct sk_buff *skb)
368 void (*attach)(struct sk_buff *, const struct sk_buff *);
372 attach = rcu_dereference(ip_ct_attach);
378 EXPORT_SYMBOL(nf_ct_attach);
380 void (*nf_ct_destroy)(struct nf_conntrack *) __rcu __read_mostly;
381 EXPORT_SYMBOL(nf_ct_destroy);
383 void nf_conntrack_destroy(struct nf_conntrack *nfct)
385 void (*destroy)(struct nf_conntrack *);
388 destroy = rcu_dereference(nf_ct_destroy);
389 BUG_ON(destroy == NULL);
393 EXPORT_SYMBOL(nf_conntrack_destroy);
395 /* Built-in default zone used e.g. by modules. */
396 const struct nf_conntrack_zone nf_ct_zone_dflt = {
397 .id = NF_CT_DEFAULT_ZONE_ID,
398 .dir = NF_CT_DEFAULT_ZONE_DIR,
400 EXPORT_SYMBOL_GPL(nf_ct_zone_dflt);
401 #endif /* CONFIG_NF_CONNTRACK */
403 #ifdef CONFIG_NF_NAT_NEEDED
404 void (*nf_nat_decode_session_hook)(struct sk_buff *, struct flowi *);
405 EXPORT_SYMBOL(nf_nat_decode_session_hook);
408 static int nf_register_hook_list(struct net *net)
410 struct nf_hook_ops *elem;
414 list_for_each_entry(elem, &nf_hook_list, list) {
415 ret = nf_register_net_hook(net, elem);
416 if (ret && ret != -ENOENT)
423 list_for_each_entry_continue_reverse(elem, &nf_hook_list, list)
424 nf_unregister_net_hook(net, elem);
429 static void nf_unregister_hook_list(struct net *net)
431 struct nf_hook_ops *elem;
434 list_for_each_entry(elem, &nf_hook_list, list)
435 nf_unregister_net_hook(net, elem);
439 static int __net_init netfilter_net_init(struct net *net)
443 for (i = 0; i < ARRAY_SIZE(net->nf.hooks); i++) {
444 for (h = 0; h < NF_MAX_HOOKS; h++)
445 INIT_LIST_HEAD(&net->nf.hooks[i][h]);
448 #ifdef CONFIG_PROC_FS
449 net->nf.proc_netfilter = proc_net_mkdir(net, "netfilter",
451 if (!net->nf.proc_netfilter) {
452 if (!net_eq(net, &init_net))
453 pr_err("cannot create netfilter proc entry");
458 ret = nf_register_hook_list(net);
460 remove_proc_entry("netfilter", net->proc_net);
465 static void __net_exit netfilter_net_exit(struct net *net)
467 nf_unregister_hook_list(net);
468 remove_proc_entry("netfilter", net->proc_net);
471 static struct pernet_operations netfilter_net_ops = {
472 .init = netfilter_net_init,
473 .exit = netfilter_net_exit,
476 int __init netfilter_init(void)
480 ret = register_pernet_subsys(&netfilter_net_ops);
484 ret = netfilter_log_init();
490 unregister_pernet_subsys(&netfilter_net_ops);
projects / cascardo / linux.git / blob