1 /* netfilter.c: look after the filters for various protocols.
2 * Heavily influenced by the old firewall.c by David Bonn and Alan Cox.
4 * Thanks to Rob `CmdrTaco' Malda for not influencing this code in any
7 * Rusty Russell (C)2000 -- This code is GPL.
8 * Patrick McHardy (c) 2006-2012
10 #include <linux/kernel.h>
11 #include <linux/netfilter.h>
12 #include <net/protocol.h>
13 #include <linux/init.h>
14 #include <linux/skbuff.h>
15 #include <linux/wait.h>
16 #include <linux/module.h>
17 #include <linux/interrupt.h>
19 #include <linux/netdevice.h>
20 #include <linux/netfilter_ipv6.h>
21 #include <linux/inetdevice.h>
22 #include <linux/proc_fs.h>
23 #include <linux/mutex.h>
24 #include <linux/slab.h>
25 #include <linux/rcupdate.h>
26 #include <net/net_namespace.h>
29 #include "nf_internals.h"
31 static DEFINE_MUTEX(afinfo_mutex);
33 const struct nf_afinfo __rcu *nf_afinfo[NFPROTO_NUMPROTO] __read_mostly;
34 EXPORT_SYMBOL(nf_afinfo);
35 const struct nf_ipv6_ops __rcu *nf_ipv6_ops __read_mostly;
36 EXPORT_SYMBOL_GPL(nf_ipv6_ops);
38 DEFINE_PER_CPU(bool, nf_skb_duplicated);
39 EXPORT_SYMBOL_GPL(nf_skb_duplicated);
41 int nf_register_afinfo(const struct nf_afinfo *afinfo)
43 mutex_lock(&afinfo_mutex);
44 RCU_INIT_POINTER(nf_afinfo[afinfo->family], afinfo);
45 mutex_unlock(&afinfo_mutex);
48 EXPORT_SYMBOL_GPL(nf_register_afinfo);
50 void nf_unregister_afinfo(const struct nf_afinfo *afinfo)
52 mutex_lock(&afinfo_mutex);
53 RCU_INIT_POINTER(nf_afinfo[afinfo->family], NULL);
54 mutex_unlock(&afinfo_mutex);
57 EXPORT_SYMBOL_GPL(nf_unregister_afinfo);
59 #ifdef HAVE_JUMP_LABEL
60 struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
61 EXPORT_SYMBOL(nf_hooks_needed);
64 static DEFINE_MUTEX(nf_hook_mutex);
65 #define nf_entry_dereference(e) \
66 rcu_dereference_protected(e, lockdep_is_held(&nf_hook_mutex))
68 static struct nf_hook_entry *nf_hook_entry_head(struct net *net,
69 const struct nf_hook_ops *reg)
71 struct nf_hook_entry *hook_head = NULL;
73 if (reg->pf != NFPROTO_NETDEV)
74 hook_head = nf_entry_dereference(net->nf.hooks[reg->pf]
76 else if (reg->hooknum == NF_NETDEV_INGRESS) {
77 #ifdef CONFIG_NETFILTER_INGRESS
78 if (reg->dev && dev_net(reg->dev) == net)
81 reg->dev->nf_hooks_ingress);
87 /* must hold nf_hook_mutex */
88 static void nf_set_hooks_head(struct net *net, const struct nf_hook_ops *reg,
89 struct nf_hook_entry *entry)
93 #ifdef CONFIG_NETFILTER_INGRESS
94 /* We already checked in nf_register_net_hook() that this is
97 rcu_assign_pointer(reg->dev->nf_hooks_ingress, entry);
101 rcu_assign_pointer(net->nf.hooks[reg->pf][reg->hooknum],
107 int nf_register_net_hook(struct net *net, const struct nf_hook_ops *reg)
109 struct nf_hook_entry *hooks_entry;
110 struct nf_hook_entry *entry;
112 if (reg->pf == NFPROTO_NETDEV) {
113 #ifndef CONFIG_NETFILTER_INGRESS
114 if (reg->hooknum == NF_NETDEV_INGRESS)
117 if (reg->hooknum != NF_NETDEV_INGRESS ||
118 !reg->dev || dev_net(reg->dev) != net)
122 entry = kmalloc(sizeof(*entry), GFP_KERNEL);
126 entry->orig_ops = reg;
130 mutex_lock(&nf_hook_mutex);
131 hooks_entry = nf_hook_entry_head(net, reg);
133 if (hooks_entry && hooks_entry->orig_ops->priority > reg->priority) {
134 /* This is the case where we need to insert at the head */
135 entry->next = hooks_entry;
139 while (hooks_entry &&
140 reg->priority >= hooks_entry->orig_ops->priority &&
141 nf_entry_dereference(hooks_entry->next)) {
142 hooks_entry = nf_entry_dereference(hooks_entry->next);
146 entry->next = nf_entry_dereference(hooks_entry->next);
147 rcu_assign_pointer(hooks_entry->next, entry);
149 nf_set_hooks_head(net, reg, entry);
152 mutex_unlock(&nf_hook_mutex);
153 #ifdef CONFIG_NETFILTER_INGRESS
154 if (reg->pf == NFPROTO_NETDEV && reg->hooknum == NF_NETDEV_INGRESS)
155 net_inc_ingress_queue();
157 #ifdef HAVE_JUMP_LABEL
158 static_key_slow_inc(&nf_hooks_needed[reg->pf][reg->hooknum]);
162 EXPORT_SYMBOL(nf_register_net_hook);
164 void nf_unregister_net_hook(struct net *net, const struct nf_hook_ops *reg)
166 struct nf_hook_entry *hooks_entry;
168 mutex_lock(&nf_hook_mutex);
169 hooks_entry = nf_hook_entry_head(net, reg);
170 if (hooks_entry && hooks_entry->orig_ops == reg) {
171 nf_set_hooks_head(net, reg,
172 nf_entry_dereference(hooks_entry->next));
175 while (hooks_entry && nf_entry_dereference(hooks_entry->next)) {
176 struct nf_hook_entry *next =
177 nf_entry_dereference(hooks_entry->next);
178 struct nf_hook_entry *nnext;
180 if (next->orig_ops != reg) {
184 nnext = nf_entry_dereference(next->next);
185 rcu_assign_pointer(hooks_entry->next, nnext);
191 mutex_unlock(&nf_hook_mutex);
193 WARN(1, "nf_unregister_net_hook: hook not found!\n");
196 #ifdef CONFIG_NETFILTER_INGRESS
197 if (reg->pf == NFPROTO_NETDEV && reg->hooknum == NF_NETDEV_INGRESS)
198 net_dec_ingress_queue();
200 #ifdef HAVE_JUMP_LABEL
201 static_key_slow_dec(&nf_hooks_needed[reg->pf][reg->hooknum]);
204 nf_queue_nf_hook_drop(net, hooks_entry);
205 /* other cpu might still process nfqueue verdict that used reg */
209 EXPORT_SYMBOL(nf_unregister_net_hook);
211 int nf_register_net_hooks(struct net *net, const struct nf_hook_ops *reg,
217 for (i = 0; i < n; i++) {
218 err = nf_register_net_hook(net, ®[i]);
226 nf_unregister_net_hooks(net, reg, i);
229 EXPORT_SYMBOL(nf_register_net_hooks);
231 void nf_unregister_net_hooks(struct net *net, const struct nf_hook_ops *reg,
235 nf_unregister_net_hook(net, ®[n]);
237 EXPORT_SYMBOL(nf_unregister_net_hooks);
239 static LIST_HEAD(nf_hook_list);
241 static int _nf_register_hook(struct nf_hook_ops *reg)
243 struct net *net, *last;
247 ret = nf_register_net_hook(net, reg);
248 if (ret && ret != -ENOENT)
251 list_add_tail(®->list, &nf_hook_list);
259 nf_unregister_net_hook(net, reg);
264 int nf_register_hook(struct nf_hook_ops *reg)
269 ret = _nf_register_hook(reg);
274 EXPORT_SYMBOL(nf_register_hook);
276 static void _nf_unregister_hook(struct nf_hook_ops *reg)
280 list_del(®->list);
282 nf_unregister_net_hook(net, reg);
285 void nf_unregister_hook(struct nf_hook_ops *reg)
288 _nf_unregister_hook(reg);
291 EXPORT_SYMBOL(nf_unregister_hook);
293 int nf_register_hooks(struct nf_hook_ops *reg, unsigned int n)
298 for (i = 0; i < n; i++) {
299 err = nf_register_hook(®[i]);
307 nf_unregister_hooks(reg, i);
310 EXPORT_SYMBOL(nf_register_hooks);
312 /* Caller MUST take rtnl_lock() */
313 int _nf_register_hooks(struct nf_hook_ops *reg, unsigned int n)
318 for (i = 0; i < n; i++) {
319 err = _nf_register_hook(®[i]);
327 _nf_unregister_hooks(reg, i);
330 EXPORT_SYMBOL(_nf_register_hooks);
332 void nf_unregister_hooks(struct nf_hook_ops *reg, unsigned int n)
335 nf_unregister_hook(®[n]);
337 EXPORT_SYMBOL(nf_unregister_hooks);
339 /* Caller MUST take rtnl_lock */
340 void _nf_unregister_hooks(struct nf_hook_ops *reg, unsigned int n)
343 _nf_unregister_hook(®[n]);
345 EXPORT_SYMBOL(_nf_unregister_hooks);
347 unsigned int nf_iterate(struct sk_buff *skb,
348 struct nf_hook_state *state,
349 struct nf_hook_entry **entryp)
351 unsigned int verdict;
354 * The caller must not block between calls to this
355 * function because of risk of continuing from deleted element.
358 if (state->thresh > (*entryp)->ops.priority) {
359 *entryp = rcu_dereference((*entryp)->next);
363 /* Optimization: we don't need to hold module
364 reference here, since function can't sleep. --RR */
366 verdict = (*entryp)->ops.hook((*entryp)->ops.priv, skb, state);
367 if (verdict != NF_ACCEPT) {
368 #ifdef CONFIG_NETFILTER_DEBUG
369 if (unlikely((verdict & NF_VERDICT_MASK)
371 NFDEBUG("Evil return from %p(%u).\n",
372 (*entryp)->ops.hook, state->hook);
373 *entryp = rcu_dereference((*entryp)->next);
377 if (verdict != NF_REPEAT)
381 *entryp = rcu_dereference((*entryp)->next);
387 /* Returns 1 if okfn() needs to be executed by the caller,
388 * -EPERM for NF_DROP, 0 otherwise. Caller must hold rcu_read_lock. */
389 int nf_hook_slow(struct sk_buff *skb, struct nf_hook_state *state)
391 struct nf_hook_entry *entry;
392 unsigned int verdict;
395 entry = rcu_dereference(state->hook_entries);
397 verdict = nf_iterate(skb, state, &entry);
398 if (verdict == NF_ACCEPT || verdict == NF_STOP) {
400 } else if ((verdict & NF_VERDICT_MASK) == NF_DROP) {
402 ret = NF_DROP_GETERR(verdict);
405 } else if ((verdict & NF_VERDICT_MASK) == NF_QUEUE) {
408 RCU_INIT_POINTER(state->hook_entries, entry);
409 err = nf_queue(skb, state, verdict >> NF_VERDICT_QBITS);
412 (verdict & NF_VERDICT_FLAG_QUEUE_BYPASS))
419 EXPORT_SYMBOL(nf_hook_slow);
422 int skb_make_writable(struct sk_buff *skb, unsigned int writable_len)
424 if (writable_len > skb->len)
427 /* Not exclusive use of packet? Must copy. */
428 if (!skb_cloned(skb)) {
429 if (writable_len <= skb_headlen(skb))
431 } else if (skb_clone_writable(skb, writable_len))
434 if (writable_len <= skb_headlen(skb))
437 writable_len -= skb_headlen(skb);
439 return !!__pskb_pull_tail(skb, writable_len);
441 EXPORT_SYMBOL(skb_make_writable);
443 /* This needs to be compiled in any case to avoid dependencies between the
444 * nfnetlink_queue code and nf_conntrack.
446 struct nfnl_ct_hook __rcu *nfnl_ct_hook __read_mostly;
447 EXPORT_SYMBOL_GPL(nfnl_ct_hook);
449 #if IS_ENABLED(CONFIG_NF_CONNTRACK)
450 /* This does not belong here, but locally generated errors need it if connection
451 tracking in use: without this, connection may not be in hash table, and hence
452 manufactured ICMP or RST packets will not be associated with it. */
453 void (*ip_ct_attach)(struct sk_buff *, const struct sk_buff *)
455 EXPORT_SYMBOL(ip_ct_attach);
457 void nf_ct_attach(struct sk_buff *new, const struct sk_buff *skb)
459 void (*attach)(struct sk_buff *, const struct sk_buff *);
463 attach = rcu_dereference(ip_ct_attach);
469 EXPORT_SYMBOL(nf_ct_attach);
471 void (*nf_ct_destroy)(struct nf_conntrack *) __rcu __read_mostly;
472 EXPORT_SYMBOL(nf_ct_destroy);
474 void nf_conntrack_destroy(struct nf_conntrack *nfct)
476 void (*destroy)(struct nf_conntrack *);
479 destroy = rcu_dereference(nf_ct_destroy);
480 BUG_ON(destroy == NULL);
484 EXPORT_SYMBOL(nf_conntrack_destroy);
486 /* Built-in default zone used e.g. by modules. */
487 const struct nf_conntrack_zone nf_ct_zone_dflt = {
488 .id = NF_CT_DEFAULT_ZONE_ID,
489 .dir = NF_CT_DEFAULT_ZONE_DIR,
491 EXPORT_SYMBOL_GPL(nf_ct_zone_dflt);
492 #endif /* CONFIG_NF_CONNTRACK */
494 #ifdef CONFIG_NF_NAT_NEEDED
495 void (*nf_nat_decode_session_hook)(struct sk_buff *, struct flowi *);
496 EXPORT_SYMBOL(nf_nat_decode_session_hook);
499 static int nf_register_hook_list(struct net *net)
501 struct nf_hook_ops *elem;
505 list_for_each_entry(elem, &nf_hook_list, list) {
506 ret = nf_register_net_hook(net, elem);
507 if (ret && ret != -ENOENT)
514 list_for_each_entry_continue_reverse(elem, &nf_hook_list, list)
515 nf_unregister_net_hook(net, elem);
520 static void nf_unregister_hook_list(struct net *net)
522 struct nf_hook_ops *elem;
525 list_for_each_entry(elem, &nf_hook_list, list)
526 nf_unregister_net_hook(net, elem);
530 static int __net_init netfilter_net_init(struct net *net)
534 for (i = 0; i < ARRAY_SIZE(net->nf.hooks); i++) {
535 for (h = 0; h < NF_MAX_HOOKS; h++)
536 RCU_INIT_POINTER(net->nf.hooks[i][h], NULL);
539 #ifdef CONFIG_PROC_FS
540 net->nf.proc_netfilter = proc_net_mkdir(net, "netfilter",
542 if (!net->nf.proc_netfilter) {
543 if (!net_eq(net, &init_net))
544 pr_err("cannot create netfilter proc entry");
549 ret = nf_register_hook_list(net);
551 remove_proc_entry("netfilter", net->proc_net);
556 static void __net_exit netfilter_net_exit(struct net *net)
558 nf_unregister_hook_list(net);
559 remove_proc_entry("netfilter", net->proc_net);
562 static struct pernet_operations netfilter_net_ops = {
563 .init = netfilter_net_init,
564 .exit = netfilter_net_exit,
567 int __init netfilter_init(void)
571 ret = register_pernet_subsys(&netfilter_net_ops);
575 ret = netfilter_log_init();
581 unregister_pernet_subsys(&netfilter_net_ops);
projects / cascardo / linux.git / blob