projects / deliverable / linux.git / blob
? search:


56ead1a1711c9ad5bbc76286af4a34bea3a6470e
[deliverable/linux.git] / net / netfilter / core.c
1 /* netfilter.c: look after the filters for various protocols.
2 * Heavily influenced by the old firewall.c by David Bonn and Alan Cox.
3 *
4 * Thanks to Rob `CmdrTaco' Malda for not influencing this code in any
5 * way.
6 *
7 * Rusty Russell (C)2000 -- This code is GPL.
8 * Patrick McHardy (c) 2006-2012
9 */
10 #include <linux/kernel.h>
11 #include <linux/netfilter.h>
12 #include <net/protocol.h>
13 #include <linux/init.h>
14 #include <linux/skbuff.h>
15 #include <linux/wait.h>
16 #include <linux/module.h>
17 #include <linux/interrupt.h>
18 #include <linux/if.h>
19 #include <linux/netdevice.h>
20 #include <linux/netfilter_ipv6.h>
21 #include <linux/inetdevice.h>
22 #include <linux/proc_fs.h>
23 #include <linux/mutex.h>
24 #include <linux/slab.h>
25 #include <net/net_namespace.h>
26 #include <net/sock.h>
27
28 #include "nf_internals.h"
29
30 static DEFINE_MUTEX(afinfo_mutex);
31
32 const struct nf_afinfo __rcu *nf_afinfo[NFPROTO_NUMPROTO] __read_mostly;
33 EXPORT_SYMBOL(nf_afinfo);
34 const struct nf_ipv6_ops __rcu *nf_ipv6_ops __read_mostly;
35 EXPORT_SYMBOL_GPL(nf_ipv6_ops);
36
37 int nf_register_afinfo(const struct nf_afinfo *afinfo)
38 {
39 mutex_lock(&afinfo_mutex);
40 RCU_INIT_POINTER(nf_afinfo[afinfo->family], afinfo);
41 mutex_unlock(&afinfo_mutex);
42 return 0;
43 }
44 EXPORT_SYMBOL_GPL(nf_register_afinfo);
45
46 void nf_unregister_afinfo(const struct nf_afinfo *afinfo)
47 {
48 mutex_lock(&afinfo_mutex);
49 RCU_INIT_POINTER(nf_afinfo[afinfo->family], NULL);
50 mutex_unlock(&afinfo_mutex);
51 synchronize_rcu();
52 }
53 EXPORT_SYMBOL_GPL(nf_unregister_afinfo);
54
55 #ifdef HAVE_JUMP_LABEL
56 struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
57 EXPORT_SYMBOL(nf_hooks_needed);
58 #endif
59
60 static DEFINE_MUTEX(nf_hook_mutex);
61
62 static struct list_head *find_nf_hook_list(struct net *net,
63 const struct nf_hook_ops *reg)
64 {
65 struct list_head *nf_hook_list = NULL;
66
67 if (reg->pf != NFPROTO_NETDEV)
68 nf_hook_list = &net->nf.hooks[reg->pf][reg->hooknum];
69 else if (reg->hooknum == NF_NETDEV_INGRESS) {
70 #ifdef CONFIG_NETFILTER_INGRESS
71 if (reg->dev && dev_net(reg->dev) == net)
72 nf_hook_list = &reg->dev->nf_hooks_ingress;
73 #endif
74 }
75 return nf_hook_list;
76 }
77
78 int nf_register_net_hook(struct net *net, const struct nf_hook_ops *reg)
79 {
80 struct list_head *nf_hook_list;
81 struct nf_hook_ops *elem, *new;
82
83 new = kzalloc(sizeof(*new), GFP_KERNEL);
84 if (!new)
85 return -ENOMEM;
86
87 new->hook = reg->hook;
88 new->dev = reg->dev;
89 new->owner = reg->owner;
90 new->priv = reg->priv;
91 new->pf = reg->pf;
92 new->hooknum = reg->hooknum;
93 new->priority = reg->priority;
94
95 nf_hook_list = find_nf_hook_list(net, reg);
96 if (!nf_hook_list)
97 return -ENOENT;
98
99 mutex_lock(&nf_hook_mutex);
100 list_for_each_entry(elem, nf_hook_list, list) {
101 if (reg->priority < elem->priority)
102 break;
103 }
104 list_add_rcu(&new->list, elem->list.prev);
105 mutex_unlock(&nf_hook_mutex);
106 #ifdef CONFIG_NETFILTER_INGRESS
107 if (reg->pf == NFPROTO_NETDEV && reg->hooknum == NF_NETDEV_INGRESS)
108 net_inc_ingress_queue();
109 #endif
110 #ifdef HAVE_JUMP_LABEL
111 static_key_slow_inc(&nf_hooks_needed[reg->pf][reg->hooknum]);
112 #endif
113 return 0;
114 }
115 EXPORT_SYMBOL(nf_register_net_hook);
116
117 void nf_unregister_net_hook(struct net *net, const struct nf_hook_ops *reg)
118 {
119 struct list_head *nf_hook_list;
120 struct nf_hook_ops *elem;
121
122 nf_hook_list = find_nf_hook_list(net, reg);
123 if (!nf_hook_list)
124 return;
125
126 mutex_lock(&nf_hook_mutex);
127 list_for_each_entry(elem, nf_hook_list, list) {
128 if ((reg->hook == elem->hook) &&
129 (reg->dev == elem->dev) &&
130 (reg->owner == elem->owner) &&
131 (reg->priv == elem->priv) &&
132 (reg->pf == elem->pf) &&
133 (reg->hooknum == elem->hooknum) &&
134 (reg->priority == elem->priority)) {
135 list_del_rcu(&elem->list);
136 break;
137 }
138 }
139 mutex_unlock(&nf_hook_mutex);
140 if (&elem->list == nf_hook_list) {
141 WARN(1, "nf_unregister_net_hook: hook not found!\n");
142 return;
143 }
144 #ifdef CONFIG_NETFILTER_INGRESS
145 if (reg->pf == NFPROTO_NETDEV && reg->hooknum == NF_NETDEV_INGRESS)
146 net_dec_ingress_queue();
147 #endif
148 #ifdef HAVE_JUMP_LABEL
149 static_key_slow_dec(&nf_hooks_needed[reg->pf][reg->hooknum]);
150 #endif
151 synchronize_net();
152 nf_queue_nf_hook_drop(elem);
153 kfree(elem);
154 }
155 EXPORT_SYMBOL(nf_unregister_net_hook);
156
157 int nf_register_net_hooks(struct net *net, const struct nf_hook_ops *reg,
158 unsigned int n)
159 {
160 unsigned int i;
161 int err = 0;
162
163 for (i = 0; i < n; i++) {
164 err = nf_register_net_hook(net, &reg[i]);
165 if (err)
166 goto err;
167 }
168 return err;
169
170 err:
171 if (i > 0)
172 nf_unregister_net_hooks(net, reg, i);
173 return err;
174 }
175 EXPORT_SYMBOL(nf_register_net_hooks);
176
177 void nf_unregister_net_hooks(struct net *net, const struct nf_hook_ops *reg,
178 unsigned int n)
179 {
180 while (n-- > 0)
181 nf_unregister_net_hook(net, &reg[n]);
182 }
183 EXPORT_SYMBOL(nf_unregister_net_hooks);
184
185 static LIST_HEAD(nf_hook_list);
186
187 int nf_register_hook(struct nf_hook_ops *reg)
188 {
189 struct net *net, *last;
190 int ret;
191
192 rtnl_lock();
193 for_each_net(net) {
194 ret = nf_register_net_hook(net, reg);
195 if (ret && ret != -ENOENT)
196 goto rollback;
197 }
198 list_add_tail(&reg->list, &nf_hook_list);
199 rtnl_unlock();
200
201 return 0;
202 rollback:
203 last = net;
204 for_each_net(net) {
205 if (net == last)
206 break;
207 nf_unregister_net_hook(net, reg);
208 }
209 rtnl_unlock();
210 return ret;
211 }
212 EXPORT_SYMBOL(nf_register_hook);
213
214 void nf_unregister_hook(struct nf_hook_ops *reg)
215 {
216 struct net *net;
217
218 rtnl_lock();
219 list_del(&reg->list);
220 for_each_net(net)
221 nf_unregister_net_hook(net, reg);
222 rtnl_unlock();
223 }
224 EXPORT_SYMBOL(nf_unregister_hook);
225
226 int nf_register_hooks(struct nf_hook_ops *reg, unsigned int n)
227 {
228 unsigned int i;
229 int err = 0;
230
231 for (i = 0; i < n; i++) {
232 err = nf_register_hook(&reg[i]);
233 if (err)
234 goto err;
235 }
236 return err;
237
238 err:
239 if (i > 0)
240 nf_unregister_hooks(reg, i);
241 return err;
242 }
243 EXPORT_SYMBOL(nf_register_hooks);
244
245 void nf_unregister_hooks(struct nf_hook_ops *reg, unsigned int n)
246 {
247 while (n-- > 0)
248 nf_unregister_hook(&reg[n]);
249 }
250 EXPORT_SYMBOL(nf_unregister_hooks);
251
252 unsigned int nf_iterate(struct list_head *head,
253 struct sk_buff *skb,
254 struct nf_hook_state *state,
255 struct nf_hook_ops **elemp)
256 {
257 unsigned int verdict;
258
259 /*
260 * The caller must not block between calls to this
261 * function because of risk of continuing from deleted element.
262 */
263 list_for_each_entry_continue_rcu((*elemp), head, list) {
264 if (state->thresh > (*elemp)->priority)
265 continue;
266
267 /* Optimization: we don't need to hold module
268 reference here, since function can't sleep. --RR */
269 repeat:
270 verdict = (*elemp)->hook(*elemp, skb, state);
271 if (verdict != NF_ACCEPT) {
272 #ifdef CONFIG_NETFILTER_DEBUG
273 if (unlikely((verdict & NF_VERDICT_MASK)
274 > NF_MAX_VERDICT)) {
275 NFDEBUG("Evil return from %p(%u).\n",
276 (*elemp)->hook, state->hook);
277 continue;
278 }
279 #endif
280 if (verdict != NF_REPEAT)
281 return verdict;
282 goto repeat;
283 }
284 }
285 return NF_ACCEPT;
286 }
287
288
289 /* Returns 1 if okfn() needs to be executed by the caller,
290 * -EPERM for NF_DROP, 0 otherwise. */
291 int nf_hook_slow(struct sk_buff *skb, struct nf_hook_state *state)
292 {
293 struct nf_hook_ops *elem;
294 unsigned int verdict;
295 int ret = 0;
296
297 /* We may already have this, but read-locks nest anyway */
298 rcu_read_lock();
299
300 elem = list_entry_rcu(state->hook_list, struct nf_hook_ops, list);
301 next_hook:
302 verdict = nf_iterate(state->hook_list, skb, state, &elem);
303 if (verdict == NF_ACCEPT || verdict == NF_STOP) {
304 ret = 1;
305 } else if ((verdict & NF_VERDICT_MASK) == NF_DROP) {
306 kfree_skb(skb);
307 ret = NF_DROP_GETERR(verdict);
308 if (ret == 0)
309 ret = -EPERM;
310 } else if ((verdict & NF_VERDICT_MASK) == NF_QUEUE) {
311 int err = nf_queue(skb, elem, state,
312 verdict >> NF_VERDICT_QBITS);
313 if (err < 0) {
314 if (err == -ECANCELED)
315 goto next_hook;
316 if (err == -ESRCH &&
317 (verdict & NF_VERDICT_FLAG_QUEUE_BYPASS))
318 goto next_hook;
319 kfree_skb(skb);
320 }
321 }
322 rcu_read_unlock();
323 return ret;
324 }
325 EXPORT_SYMBOL(nf_hook_slow);
326
327
328 int skb_make_writable(struct sk_buff *skb, unsigned int writable_len)
329 {
330 if (writable_len > skb->len)
331 return 0;
332
333 /* Not exclusive use of packet? Must copy. */
334 if (!skb_cloned(skb)) {
335 if (writable_len <= skb_headlen(skb))
336 return 1;
337 } else if (skb_clone_writable(skb, writable_len))
338 return 1;
339
340 if (writable_len <= skb_headlen(skb))
341 writable_len = 0;
342 else
343 writable_len -= skb_headlen(skb);
344
345 return !!__pskb_pull_tail(skb, writable_len);
346 }
347 EXPORT_SYMBOL(skb_make_writable);
348
349 #if IS_ENABLED(CONFIG_NF_CONNTRACK)
350 /* This does not belong here, but locally generated errors need it if connection
351 tracking in use: without this, connection may not be in hash table, and hence
352 manufactured ICMP or RST packets will not be associated with it. */
353 void (*ip_ct_attach)(struct sk_buff *, const struct sk_buff *)
354 __rcu __read_mostly;
355 EXPORT_SYMBOL(ip_ct_attach);
356
357 void nf_ct_attach(struct sk_buff *new, const struct sk_buff *skb)
358 {
359 void (*attach)(struct sk_buff *, const struct sk_buff *);
360
361 if (skb->nfct) {
362 rcu_read_lock();
363 attach = rcu_dereference(ip_ct_attach);
364 if (attach)
365 attach(new, skb);
366 rcu_read_unlock();
367 }
368 }
369 EXPORT_SYMBOL(nf_ct_attach);
370
371 void (*nf_ct_destroy)(struct nf_conntrack *) __rcu __read_mostly;
372 EXPORT_SYMBOL(nf_ct_destroy);
373
374 void nf_conntrack_destroy(struct nf_conntrack *nfct)
375 {
376 void (*destroy)(struct nf_conntrack *);
377
378 rcu_read_lock();
379 destroy = rcu_dereference(nf_ct_destroy);
380 BUG_ON(destroy == NULL);
381 destroy(nfct);
382 rcu_read_unlock();
383 }
384 EXPORT_SYMBOL(nf_conntrack_destroy);
385
386 struct nfq_ct_hook __rcu *nfq_ct_hook __read_mostly;
387 EXPORT_SYMBOL_GPL(nfq_ct_hook);
388
389 struct nfq_ct_nat_hook __rcu *nfq_ct_nat_hook __read_mostly;
390 EXPORT_SYMBOL_GPL(nfq_ct_nat_hook);
391
392 #endif /* CONFIG_NF_CONNTRACK */
393
394 #ifdef CONFIG_NF_NAT_NEEDED
395 void (*nf_nat_decode_session_hook)(struct sk_buff *, struct flowi *);
396 EXPORT_SYMBOL(nf_nat_decode_session_hook);
397 #endif
398
399 static int nf_register_hook_list(struct net *net)
400 {
401 struct nf_hook_ops *elem;
402 int ret;
403
404 rtnl_lock();
405 list_for_each_entry(elem, &nf_hook_list, list) {
406 ret = nf_register_net_hook(net, elem);
407 if (ret && ret != -ENOENT)
408 goto out_undo;
409 }
410 rtnl_unlock();
411 return 0;
412
413 out_undo:
414 list_for_each_entry_continue_reverse(elem, &nf_hook_list, list)
415 nf_unregister_net_hook(net, elem);
416 rtnl_unlock();
417 return ret;
418 }
419
420 static void nf_unregister_hook_list(struct net *net)
421 {
422 struct nf_hook_ops *elem;
423
424 rtnl_lock();
425 list_for_each_entry(elem, &nf_hook_list, list)
426 nf_unregister_net_hook(net, elem);
427 rtnl_unlock();
428 }
429
430 static int __net_init netfilter_net_init(struct net *net)
431 {
432 int i, h, ret;
433
434 for (i = 0; i < ARRAY_SIZE(net->nf.hooks); i++) {
435 for (h = 0; h < NF_MAX_HOOKS; h++)
436 INIT_LIST_HEAD(&net->nf.hooks[i][h]);
437 }
438
439 #ifdef CONFIG_PROC_FS
440 net->nf.proc_netfilter = proc_net_mkdir(net, "netfilter",
441 net->proc_net);
442 if (!net->nf.proc_netfilter) {
443 if (!net_eq(net, &init_net))
444 pr_err("cannot create netfilter proc entry");
445
446 return -ENOMEM;
447 }
448 #endif
449 ret = nf_register_hook_list(net);
450 if (ret)
451 remove_proc_entry("netfilter", net->proc_net);
452
453 return ret;
454 }
455
456 static void __net_exit netfilter_net_exit(struct net *net)
457 {
458 nf_unregister_hook_list(net);
459 remove_proc_entry("netfilter", net->proc_net);
460 }
461
462 static struct pernet_operations netfilter_net_ops = {
463 .init = netfilter_net_init,
464 .exit = netfilter_net_exit,
465 };
466
467 int __init netfilter_init(void)
468 {
469 int ret;
470
471 ret = register_pernet_subsys(&netfilter_net_ops);
472 if (ret < 0)
473 goto err;
474
475 ret = netfilter_log_init();
476 if (ret < 0)
477 goto err_pernet;
478
479 return 0;
480 err_pernet:
481 unregister_pernet_subsys(&netfilter_net_ops);
482 err:
483 return ret;
484 }
Linux kernel - Deliverables
This page took 0.052429 seconds and 4 git commands to generate.