1 /* SPDX-License-Identifier: GPL-2.0 */ 2 #ifndef __LINUX_NETFILTER_H 3 #define __LINUX_NETFILTER_H 4 5 #include <linux/init.h> 6 #include <linux/skbuff.h> 7 #include <linux/net.h> 8 #include <linux/if.h> 9 #include <linux/in.h> 10 #include <linux/in6.h> 11 #include <linux/wait.h> 12 #include <linux/list.h> 13 #include <linux/static_key.h> 14 #include <linux/netfilter_defs.h> 15 #include <linux/netdevice.h> 16 #include <net/net_namespace.h> 17 18 #ifdef CONFIG_NETFILTER 19 static inline int NF_DROP_GETERR(int verdict) 20 { 21 return -(verdict >> NF_VERDICT_QBITS); 22 } 23 24 static inline int nf_inet_addr_cmp(const union nf_inet_addr *a1, 25 const union nf_inet_addr *a2) 26 { 27 return a1->all[0] == a2->all[0] && 28 a1->all[1] == a2->all[1] && 29 a1->all[2] == a2->all[2] && 30 a1->all[3] == a2->all[3]; 31 } 32 33 static inline void nf_inet_addr_mask(const union nf_inet_addr *a1, 34 union nf_inet_addr *result, 35 const union nf_inet_addr *mask) 36 { 37 result->all[0] = a1->all[0] & mask->all[0]; 38 result->all[1] = a1->all[1] & mask->all[1]; 39 result->all[2] = a1->all[2] & mask->all[2]; 40 result->all[3] = a1->all[3] & mask->all[3]; 41 } 42 43 int netfilter_init(void); 44 45 struct sk_buff; 46 47 struct nf_hook_ops; 48 49 struct sock; 50 51 struct nf_hook_state { 52 unsigned int hook; 53 u_int8_t pf; 54 struct net_device *in; 55 struct net_device *out; 56 struct sock *sk; 57 struct net *net; 58 int (*okfn)(struct net *, struct sock *, struct sk_buff *); 59 }; 60 61 typedef unsigned int nf_hookfn(void *priv, 62 struct sk_buff *skb, 63 const struct nf_hook_state *state); 64 struct nf_hook_ops { 65 /* User fills in from here down. */ 66 nf_hookfn *hook; 67 struct net_device *dev; 68 void *priv; 69 u_int8_t pf; 70 unsigned int hooknum; 71 /* Hooks are ordered in ascending priority. */ 72 int priority; 73 }; 74 75 struct nf_hook_entry { 76 nf_hookfn *hook; 77 void *priv; 78 }; 79 80 struct nf_hook_entries { 81 u16 num_hook_entries; 82 /* padding */ 83 struct nf_hook_entry hooks[]; 84 85 /* trailer: pointers to original orig_ops of each hook. 86 * 87 * This is not part of struct nf_hook_entry since its only 88 * needed in slow path (hook register/unregister). 89 * 90 * const struct nf_hook_ops *orig_ops[] 91 */ 92 }; 93 94 static inline struct nf_hook_ops **nf_hook_entries_get_hook_ops(const struct nf_hook_entries *e) 95 { 96 unsigned int n = e->num_hook_entries; 97 const void *hook_end; 98 99 hook_end = &e->hooks[n]; /* this is *past* ->hooks[]! */ 100 101 return (struct nf_hook_ops **)hook_end; 102 } 103 104 static inline int 105 nf_hook_entry_hookfn(const struct nf_hook_entry *entry, struct sk_buff *skb, 106 struct nf_hook_state *state) 107 { 108 return entry->hook(entry->priv, skb, state); 109 } 110 111 static inline void nf_hook_state_init(struct nf_hook_state *p, 112 unsigned int hook, 113 u_int8_t pf, 114 struct net_device *indev, 115 struct net_device *outdev, 116 struct sock *sk, 117 struct net *net, 118 int (*okfn)(struct net *, struct sock *, struct sk_buff *)) 119 { 120 p->hook = hook; 121 p->pf = pf; 122 p->in = indev; 123 p->out = outdev; 124 p->sk = sk; 125 p->net = net; 126 p->okfn = okfn; 127 } 128 129 130 131 struct nf_sockopt_ops { 132 struct list_head list; 133 134 u_int8_t pf; 135 136 /* Non-inclusive ranges: use 0/0/NULL to never get called. */ 137 int set_optmin; 138 int set_optmax; 139 int (*set)(struct sock *sk, int optval, void __user *user, unsigned int len); 140 #ifdef CONFIG_COMPAT 141 int (*compat_set)(struct sock *sk, int optval, 142 void __user *user, unsigned int len); 143 #endif 144 int get_optmin; 145 int get_optmax; 146 int (*get)(struct sock *sk, int optval, void __user *user, int *len); 147 #ifdef CONFIG_COMPAT 148 int (*compat_get)(struct sock *sk, int optval, 149 void __user *user, int *len); 150 #endif 151 /* Use the module struct to lock set/get code in place */ 152 struct module *owner; 153 }; 154 155 /* Function to register/unregister hook points. */ 156 int nf_register_net_hook(struct net *net, const struct nf_hook_ops *ops); 157 void nf_unregister_net_hook(struct net *net, const struct nf_hook_ops *ops); 158 int nf_register_net_hooks(struct net *net, const struct nf_hook_ops *reg, 159 unsigned int n); 160 void nf_unregister_net_hooks(struct net *net, const struct nf_hook_ops *reg, 161 unsigned int n); 162 163 /* Functions to register get/setsockopt ranges (non-inclusive). You 164 need to check permissions yourself! */ 165 int nf_register_sockopt(struct nf_sockopt_ops *reg); 166 void nf_unregister_sockopt(struct nf_sockopt_ops *reg); 167 168 #ifdef HAVE_JUMP_LABEL 169 extern struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS]; 170 #endif 171 172 int nf_hook_slow(struct sk_buff *skb, struct nf_hook_state *state, 173 const struct nf_hook_entries *e, unsigned int i); 174 175 /** 176 * nf_hook - call a netfilter hook 177 * 178 * Returns 1 if the hook has allowed the packet to pass. The function 179 * okfn must be invoked by the caller in this case. Any other return 180 * value indicates the packet has been consumed by the hook. 181 */ 182 static inline int nf_hook(u_int8_t pf, unsigned int hook, struct net *net, 183 struct sock *sk, struct sk_buff *skb, 184 struct net_device *indev, struct net_device *outdev, 185 int (*okfn)(struct net *, struct sock *, struct sk_buff *)) 186 { 187 struct nf_hook_entries *hook_head; 188 int ret = 1; 189 190 #ifdef HAVE_JUMP_LABEL 191 if (__builtin_constant_p(pf) && 192 __builtin_constant_p(hook) && 193 !static_key_false(&nf_hooks_needed[pf][hook])) 194 return 1; 195 #endif 196 197 rcu_read_lock(); 198 hook_head = rcu_dereference(net->nf.hooks[pf][hook]); 199 if (hook_head) { 200 struct nf_hook_state state; 201 202 nf_hook_state_init(&state, hook, pf, indev, outdev, 203 sk, net, okfn); 204 205 ret = nf_hook_slow(skb, &state, hook_head, 0); 206 } 207 rcu_read_unlock(); 208 209 return ret; 210 } 211 212 /* Activate hook; either okfn or kfree_skb called, unless a hook 213 returns NF_STOLEN (in which case, it's up to the hook to deal with 214 the consequences). 215 216 Returns -ERRNO if packet dropped. Zero means queued, stolen or 217 accepted. 218 */ 219 220 /* RR: 221 > I don't want nf_hook to return anything because people might forget 222 > about async and trust the return value to mean "packet was ok". 223 224 AK: 225 Just document it clearly, then you can expect some sense from kernel 226 coders :) 227 */ 228 229 static inline int 230 NF_HOOK_COND(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk, 231 struct sk_buff *skb, struct net_device *in, struct net_device *out, 232 int (*okfn)(struct net *, struct sock *, struct sk_buff *), 233 bool cond) 234 { 235 int ret; 236 237 if (!cond || 238 ((ret = nf_hook(pf, hook, net, sk, skb, in, out, okfn)) == 1)) 239 ret = okfn(net, sk, skb); 240 return ret; 241 } 242 243 static inline int 244 NF_HOOK(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk, struct sk_buff *skb, 245 struct net_device *in, struct net_device *out, 246 int (*okfn)(struct net *, struct sock *, struct sk_buff *)) 247 { 248 int ret = nf_hook(pf, hook, net, sk, skb, in, out, okfn); 249 if (ret == 1) 250 ret = okfn(net, sk, skb); 251 return ret; 252 } 253 254 /* Call setsockopt() */ 255 int nf_setsockopt(struct sock *sk, u_int8_t pf, int optval, char __user *opt, 256 unsigned int len); 257 int nf_getsockopt(struct sock *sk, u_int8_t pf, int optval, char __user *opt, 258 int *len); 259 #ifdef CONFIG_COMPAT 260 int compat_nf_setsockopt(struct sock *sk, u_int8_t pf, int optval, 261 char __user *opt, unsigned int len); 262 int compat_nf_getsockopt(struct sock *sk, u_int8_t pf, int optval, 263 char __user *opt, int *len); 264 #endif 265 266 /* Call this before modifying an existing packet: ensures it is 267 modifiable and linear to the point you care about (writable_len). 268 Returns true or false. */ 269 int skb_make_writable(struct sk_buff *skb, unsigned int writable_len); 270 271 struct flowi; 272 struct nf_queue_entry; 273 274 struct nf_afinfo { 275 unsigned short family; 276 __sum16 (*checksum)(struct sk_buff *skb, unsigned int hook, 277 unsigned int dataoff, u_int8_t protocol); 278 __sum16 (*checksum_partial)(struct sk_buff *skb, 279 unsigned int hook, 280 unsigned int dataoff, 281 unsigned int len, 282 u_int8_t protocol); 283 int (*route)(struct net *net, struct dst_entry **dst, 284 struct flowi *fl, bool strict); 285 void (*saveroute)(const struct sk_buff *skb, 286 struct nf_queue_entry *entry); 287 int (*reroute)(struct net *net, struct sk_buff *skb, 288 const struct nf_queue_entry *entry); 289 int route_key_size; 290 }; 291 292 extern const struct nf_afinfo __rcu *nf_afinfo[NFPROTO_NUMPROTO]; 293 static inline const struct nf_afinfo *nf_get_afinfo(unsigned short family) 294 { 295 return rcu_dereference(nf_afinfo[family]); 296 } 297 298 static inline __sum16 299 nf_checksum(struct sk_buff *skb, unsigned int hook, unsigned int dataoff, 300 u_int8_t protocol, unsigned short family) 301 { 302 const struct nf_afinfo *afinfo; 303 __sum16 csum = 0; 304 305 rcu_read_lock(); 306 afinfo = nf_get_afinfo(family); 307 if (afinfo) 308 csum = afinfo->checksum(skb, hook, dataoff, protocol); 309 rcu_read_unlock(); 310 return csum; 311 } 312 313 static inline __sum16 314 nf_checksum_partial(struct sk_buff *skb, unsigned int hook, 315 unsigned int dataoff, unsigned int len, 316 u_int8_t protocol, unsigned short family) 317 { 318 const struct nf_afinfo *afinfo; 319 __sum16 csum = 0; 320 321 rcu_read_lock(); 322 afinfo = nf_get_afinfo(family); 323 if (afinfo) 324 csum = afinfo->checksum_partial(skb, hook, dataoff, len, 325 protocol); 326 rcu_read_unlock(); 327 return csum; 328 } 329 330 int nf_register_afinfo(const struct nf_afinfo *afinfo); 331 void nf_unregister_afinfo(const struct nf_afinfo *afinfo); 332 333 #include <net/flow.h> 334 extern void (*nf_nat_decode_session_hook)(struct sk_buff *, struct flowi *); 335 336 static inline void 337 nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, u_int8_t family) 338 { 339 #ifdef CONFIG_NF_NAT_NEEDED 340 void (*decodefn)(struct sk_buff *, struct flowi *); 341 342 rcu_read_lock(); 343 decodefn = rcu_dereference(nf_nat_decode_session_hook); 344 if (decodefn) 345 decodefn(skb, fl); 346 rcu_read_unlock(); 347 #endif 348 } 349 350 #else /* !CONFIG_NETFILTER */ 351 static inline int 352 NF_HOOK_COND(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk, 353 struct sk_buff *skb, struct net_device *in, struct net_device *out, 354 int (*okfn)(struct net *, struct sock *, struct sk_buff *), 355 bool cond) 356 { 357 return okfn(net, sk, skb); 358 } 359 360 static inline int 361 NF_HOOK(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk, 362 struct sk_buff *skb, struct net_device *in, struct net_device *out, 363 int (*okfn)(struct net *, struct sock *, struct sk_buff *)) 364 { 365 return okfn(net, sk, skb); 366 } 367 368 static inline int nf_hook(u_int8_t pf, unsigned int hook, struct net *net, 369 struct sock *sk, struct sk_buff *skb, 370 struct net_device *indev, struct net_device *outdev, 371 int (*okfn)(struct net *, struct sock *, struct sk_buff *)) 372 { 373 return 1; 374 } 375 struct flowi; 376 static inline void 377 nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, u_int8_t family) 378 { 379 } 380 #endif /*CONFIG_NETFILTER*/ 381 382 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE) 383 #include <linux/netfilter/nf_conntrack_zones_common.h> 384 385 extern void (*ip_ct_attach)(struct sk_buff *, const struct sk_buff *) __rcu; 386 void nf_ct_attach(struct sk_buff *, const struct sk_buff *); 387 extern void (*nf_ct_destroy)(struct nf_conntrack *) __rcu; 388 #else 389 static inline void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb) {} 390 #endif 391 392 struct nf_conn; 393 enum ip_conntrack_info; 394 struct nlattr; 395 396 struct nfnl_ct_hook { 397 struct nf_conn *(*get_ct)(const struct sk_buff *skb, 398 enum ip_conntrack_info *ctinfo); 399 size_t (*build_size)(const struct nf_conn *ct); 400 int (*build)(struct sk_buff *skb, struct nf_conn *ct, 401 enum ip_conntrack_info ctinfo, 402 u_int16_t ct_attr, u_int16_t ct_info_attr); 403 int (*parse)(const struct nlattr *attr, struct nf_conn *ct); 404 int (*attach_expect)(const struct nlattr *attr, struct nf_conn *ct, 405 u32 portid, u32 report); 406 void (*seq_adjust)(struct sk_buff *skb, struct nf_conn *ct, 407 enum ip_conntrack_info ctinfo, s32 off); 408 }; 409 extern struct nfnl_ct_hook __rcu *nfnl_ct_hook; 410 411 /** 412 * nf_skb_duplicated - TEE target has sent a packet 413 * 414 * When a xtables target sends a packet, the OUTPUT and POSTROUTING 415 * hooks are traversed again, i.e. nft and xtables are invoked recursively. 416 * 417 * This is used by xtables TEE target to prevent the duplicated skb from 418 * being duplicated again. 419 */ 420 DECLARE_PER_CPU(bool, nf_skb_duplicated); 421 422 #endif /*__LINUX_NETFILTER_H*/ 423