1 #ifndef __LINUX_NETFILTER_H 2 #define __LINUX_NETFILTER_H 3 4 #include <linux/init.h> 5 #include <linux/skbuff.h> 6 #include <linux/net.h> 7 #include <linux/if.h> 8 #include <linux/in.h> 9 #include <linux/in6.h> 10 #include <linux/wait.h> 11 #include <linux/list.h> 12 #include <linux/static_key.h> 13 #include <linux/netfilter_defs.h> 14 15 #ifdef CONFIG_NETFILTER 16 static inline int NF_DROP_GETERR(int verdict) 17 { 18 return -(verdict >> NF_VERDICT_QBITS); 19 } 20 21 static inline int nf_inet_addr_cmp(const union nf_inet_addr *a1, 22 const union nf_inet_addr *a2) 23 { 24 return a1->all[0] == a2->all[0] && 25 a1->all[1] == a2->all[1] && 26 a1->all[2] == a2->all[2] && 27 a1->all[3] == a2->all[3]; 28 } 29 30 static inline void nf_inet_addr_mask(const union nf_inet_addr *a1, 31 union nf_inet_addr *result, 32 const union nf_inet_addr *mask) 33 { 34 result->all[0] = a1->all[0] & mask->all[0]; 35 result->all[1] = a1->all[1] & mask->all[1]; 36 result->all[2] = a1->all[2] & mask->all[2]; 37 result->all[3] = a1->all[3] & mask->all[3]; 38 } 39 40 int netfilter_init(void); 41 42 struct sk_buff; 43 44 struct nf_hook_ops; 45 46 struct sock; 47 48 struct nf_hook_state { 49 unsigned int hook; 50 int thresh; 51 u_int8_t pf; 52 struct net_device *in; 53 struct net_device *out; 54 struct sock *sk; 55 struct list_head *hook_list; 56 int (*okfn)(struct sock *, struct sk_buff *); 57 }; 58 59 static inline void nf_hook_state_init(struct nf_hook_state *p, 60 struct list_head *hook_list, 61 unsigned int hook, 62 int thresh, u_int8_t pf, 63 struct net_device *indev, 64 struct net_device *outdev, 65 struct sock *sk, 66 int (*okfn)(struct sock *, struct sk_buff *)) 67 { 68 p->hook = hook; 69 p->thresh = thresh; 70 p->pf = pf; 71 p->in = indev; 72 p->out = outdev; 73 p->sk = sk; 74 p->hook_list = hook_list; 75 p->okfn = okfn; 76 } 77 78 typedef unsigned int nf_hookfn(const struct nf_hook_ops *ops, 79 struct sk_buff *skb, 80 const struct nf_hook_state *state); 81 82 struct nf_hook_ops { 83 struct list_head list; 84 85 /* User fills in from here down. */ 86 nf_hookfn *hook; 87 struct net_device *dev; 88 struct module *owner; 89 void *priv; 90 u_int8_t pf; 91 unsigned int hooknum; 92 /* Hooks are ordered in ascending priority. */ 93 int priority; 94 }; 95 96 struct nf_sockopt_ops { 97 struct list_head list; 98 99 u_int8_t pf; 100 101 /* Non-inclusive ranges: use 0/0/NULL to never get called. */ 102 int set_optmin; 103 int set_optmax; 104 int (*set)(struct sock *sk, int optval, void __user *user, unsigned int len); 105 #ifdef CONFIG_COMPAT 106 int (*compat_set)(struct sock *sk, int optval, 107 void __user *user, unsigned int len); 108 #endif 109 int get_optmin; 110 int get_optmax; 111 int (*get)(struct sock *sk, int optval, void __user *user, int *len); 112 #ifdef CONFIG_COMPAT 113 int (*compat_get)(struct sock *sk, int optval, 114 void __user *user, int *len); 115 #endif 116 /* Use the module struct to lock set/get code in place */ 117 struct module *owner; 118 }; 119 120 /* Function to register/unregister hook points. */ 121 int nf_register_hook(struct nf_hook_ops *reg); 122 void nf_unregister_hook(struct nf_hook_ops *reg); 123 int nf_register_hooks(struct nf_hook_ops *reg, unsigned int n); 124 void nf_unregister_hooks(struct nf_hook_ops *reg, unsigned int n); 125 126 /* Functions to register get/setsockopt ranges (non-inclusive). You 127 need to check permissions yourself! */ 128 int nf_register_sockopt(struct nf_sockopt_ops *reg); 129 void nf_unregister_sockopt(struct nf_sockopt_ops *reg); 130 131 extern struct list_head nf_hooks[NFPROTO_NUMPROTO][NF_MAX_HOOKS]; 132 133 #ifdef HAVE_JUMP_LABEL 134 extern struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS]; 135 136 static inline bool nf_hook_list_active(struct list_head *nf_hook_list, 137 u_int8_t pf, unsigned int hook) 138 { 139 if (__builtin_constant_p(pf) && 140 __builtin_constant_p(hook)) 141 return static_key_false(&nf_hooks_needed[pf][hook]); 142 143 return !list_empty(nf_hook_list); 144 } 145 #else 146 static inline bool nf_hook_list_active(struct list_head *nf_hook_list, 147 u_int8_t pf, unsigned int hook) 148 { 149 return !list_empty(nf_hook_list); 150 } 151 #endif 152 153 static inline bool nf_hooks_active(u_int8_t pf, unsigned int hook) 154 { 155 return nf_hook_list_active(&nf_hooks[pf][hook], pf, hook); 156 } 157 158 int nf_hook_slow(struct sk_buff *skb, struct nf_hook_state *state); 159 160 /** 161 * nf_hook_thresh - call a netfilter hook 162 * 163 * Returns 1 if the hook has allowed the packet to pass. The function 164 * okfn must be invoked by the caller in this case. Any other return 165 * value indicates the packet has been consumed by the hook. 166 */ 167 static inline int nf_hook_thresh(u_int8_t pf, unsigned int hook, 168 struct sock *sk, 169 struct sk_buff *skb, 170 struct net_device *indev, 171 struct net_device *outdev, 172 int (*okfn)(struct sock *, struct sk_buff *), 173 int thresh) 174 { 175 if (nf_hooks_active(pf, hook)) { 176 struct nf_hook_state state; 177 178 nf_hook_state_init(&state, &nf_hooks[pf][hook], hook, thresh, 179 pf, indev, outdev, sk, okfn); 180 return nf_hook_slow(skb, &state); 181 } 182 return 1; 183 } 184 185 static inline int nf_hook(u_int8_t pf, unsigned int hook, struct sock *sk, 186 struct sk_buff *skb, struct net_device *indev, 187 struct net_device *outdev, 188 int (*okfn)(struct sock *, struct sk_buff *)) 189 { 190 return nf_hook_thresh(pf, hook, sk, skb, indev, outdev, okfn, INT_MIN); 191 } 192 193 /* Activate hook; either okfn or kfree_skb called, unless a hook 194 returns NF_STOLEN (in which case, it's up to the hook to deal with 195 the consequences). 196 197 Returns -ERRNO if packet dropped. Zero means queued, stolen or 198 accepted. 199 */ 200 201 /* RR: 202 > I don't want nf_hook to return anything because people might forget 203 > about async and trust the return value to mean "packet was ok". 204 205 AK: 206 Just document it clearly, then you can expect some sense from kernel 207 coders :) 208 */ 209 210 static inline int 211 NF_HOOK_THRESH(uint8_t pf, unsigned int hook, struct sock *sk, 212 struct sk_buff *skb, struct net_device *in, 213 struct net_device *out, 214 int (*okfn)(struct sock *, struct sk_buff *), int thresh) 215 { 216 int ret = nf_hook_thresh(pf, hook, sk, skb, in, out, okfn, thresh); 217 if (ret == 1) 218 ret = okfn(sk, skb); 219 return ret; 220 } 221 222 static inline int 223 NF_HOOK_COND(uint8_t pf, unsigned int hook, struct sock *sk, 224 struct sk_buff *skb, struct net_device *in, struct net_device *out, 225 int (*okfn)(struct sock *, struct sk_buff *), bool cond) 226 { 227 int ret; 228 229 if (!cond || 230 ((ret = nf_hook_thresh(pf, hook, sk, skb, in, out, okfn, INT_MIN)) == 1)) 231 ret = okfn(sk, skb); 232 return ret; 233 } 234 235 static inline int 236 NF_HOOK(uint8_t pf, unsigned int hook, struct sock *sk, struct sk_buff *skb, 237 struct net_device *in, struct net_device *out, 238 int (*okfn)(struct sock *, struct sk_buff *)) 239 { 240 return NF_HOOK_THRESH(pf, hook, sk, skb, in, out, okfn, INT_MIN); 241 } 242 243 /* Call setsockopt() */ 244 int nf_setsockopt(struct sock *sk, u_int8_t pf, int optval, char __user *opt, 245 unsigned int len); 246 int nf_getsockopt(struct sock *sk, u_int8_t pf, int optval, char __user *opt, 247 int *len); 248 #ifdef CONFIG_COMPAT 249 int compat_nf_setsockopt(struct sock *sk, u_int8_t pf, int optval, 250 char __user *opt, unsigned int len); 251 int compat_nf_getsockopt(struct sock *sk, u_int8_t pf, int optval, 252 char __user *opt, int *len); 253 #endif 254 255 /* Call this before modifying an existing packet: ensures it is 256 modifiable and linear to the point you care about (writable_len). 257 Returns true or false. */ 258 int skb_make_writable(struct sk_buff *skb, unsigned int writable_len); 259 260 struct flowi; 261 struct nf_queue_entry; 262 263 struct nf_afinfo { 264 unsigned short family; 265 __sum16 (*checksum)(struct sk_buff *skb, unsigned int hook, 266 unsigned int dataoff, u_int8_t protocol); 267 __sum16 (*checksum_partial)(struct sk_buff *skb, 268 unsigned int hook, 269 unsigned int dataoff, 270 unsigned int len, 271 u_int8_t protocol); 272 int (*route)(struct net *net, struct dst_entry **dst, 273 struct flowi *fl, bool strict); 274 void (*saveroute)(const struct sk_buff *skb, 275 struct nf_queue_entry *entry); 276 int (*reroute)(struct sk_buff *skb, 277 const struct nf_queue_entry *entry); 278 int route_key_size; 279 }; 280 281 extern const struct nf_afinfo __rcu *nf_afinfo[NFPROTO_NUMPROTO]; 282 static inline const struct nf_afinfo *nf_get_afinfo(unsigned short family) 283 { 284 return rcu_dereference(nf_afinfo[family]); 285 } 286 287 static inline __sum16 288 nf_checksum(struct sk_buff *skb, unsigned int hook, unsigned int dataoff, 289 u_int8_t protocol, unsigned short family) 290 { 291 const struct nf_afinfo *afinfo; 292 __sum16 csum = 0; 293 294 rcu_read_lock(); 295 afinfo = nf_get_afinfo(family); 296 if (afinfo) 297 csum = afinfo->checksum(skb, hook, dataoff, protocol); 298 rcu_read_unlock(); 299 return csum; 300 } 301 302 static inline __sum16 303 nf_checksum_partial(struct sk_buff *skb, unsigned int hook, 304 unsigned int dataoff, unsigned int len, 305 u_int8_t protocol, unsigned short family) 306 { 307 const struct nf_afinfo *afinfo; 308 __sum16 csum = 0; 309 310 rcu_read_lock(); 311 afinfo = nf_get_afinfo(family); 312 if (afinfo) 313 csum = afinfo->checksum_partial(skb, hook, dataoff, len, 314 protocol); 315 rcu_read_unlock(); 316 return csum; 317 } 318 319 int nf_register_afinfo(const struct nf_afinfo *afinfo); 320 void nf_unregister_afinfo(const struct nf_afinfo *afinfo); 321 322 #include <net/flow.h> 323 extern void (*nf_nat_decode_session_hook)(struct sk_buff *, struct flowi *); 324 325 static inline void 326 nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, u_int8_t family) 327 { 328 #ifdef CONFIG_NF_NAT_NEEDED 329 void (*decodefn)(struct sk_buff *, struct flowi *); 330 331 rcu_read_lock(); 332 decodefn = rcu_dereference(nf_nat_decode_session_hook); 333 if (decodefn) 334 decodefn(skb, fl); 335 rcu_read_unlock(); 336 #endif 337 } 338 339 #else /* !CONFIG_NETFILTER */ 340 #define NF_HOOK(pf, hook, sk, skb, indev, outdev, okfn) (okfn)(sk, skb) 341 #define NF_HOOK_COND(pf, hook, sk, skb, indev, outdev, okfn, cond) (okfn)(sk, skb) 342 static inline int nf_hook_thresh(u_int8_t pf, unsigned int hook, 343 struct sock *sk, 344 struct sk_buff *skb, 345 struct net_device *indev, 346 struct net_device *outdev, 347 int (*okfn)(struct sock *sk, struct sk_buff *), int thresh) 348 { 349 return okfn(sk, skb); 350 } 351 static inline int nf_hook(u_int8_t pf, unsigned int hook, struct sock *sk, 352 struct sk_buff *skb, struct net_device *indev, 353 struct net_device *outdev, 354 int (*okfn)(struct sock *, struct sk_buff *)) 355 { 356 return 1; 357 } 358 struct flowi; 359 static inline void 360 nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, u_int8_t family) 361 { 362 } 363 #endif /*CONFIG_NETFILTER*/ 364 365 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE) 366 extern void (*ip_ct_attach)(struct sk_buff *, const struct sk_buff *) __rcu; 367 void nf_ct_attach(struct sk_buff *, const struct sk_buff *); 368 extern void (*nf_ct_destroy)(struct nf_conntrack *) __rcu; 369 370 struct nf_conn; 371 enum ip_conntrack_info; 372 struct nlattr; 373 374 struct nfq_ct_hook { 375 size_t (*build_size)(const struct nf_conn *ct); 376 int (*build)(struct sk_buff *skb, struct nf_conn *ct); 377 int (*parse)(const struct nlattr *attr, struct nf_conn *ct); 378 int (*attach_expect)(const struct nlattr *attr, struct nf_conn *ct, 379 u32 portid, u32 report); 380 void (*seq_adjust)(struct sk_buff *skb, struct nf_conn *ct, 381 enum ip_conntrack_info ctinfo, s32 off); 382 }; 383 extern struct nfq_ct_hook __rcu *nfq_ct_hook; 384 #else 385 static inline void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb) {} 386 #endif 387 388 #endif /*__LINUX_NETFILTER_H*/ 389