1 /* SPDX-License-Identifier: GPL-2.0 */ 2 #ifndef __LINUX_NETFILTER_H 3 #define __LINUX_NETFILTER_H 4 5 #include <linux/init.h> 6 #include <linux/skbuff.h> 7 #include <linux/net.h> 8 #include <linux/if.h> 9 #include <linux/in.h> 10 #include <linux/in6.h> 11 #include <linux/wait.h> 12 #include <linux/list.h> 13 #include <linux/static_key.h> 14 #include <linux/netfilter_defs.h> 15 #include <linux/netdevice.h> 16 #include <linux/sockptr.h> 17 #include <net/net_namespace.h> 18 19 static inline int NF_DROP_GETERR(int verdict) 20 { 21 return -(verdict >> NF_VERDICT_QBITS); 22 } 23 24 static inline int nf_inet_addr_cmp(const union nf_inet_addr *a1, 25 const union nf_inet_addr *a2) 26 { 27 #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) && BITS_PER_LONG == 64 28 const unsigned long *ul1 = (const unsigned long *)a1; 29 const unsigned long *ul2 = (const unsigned long *)a2; 30 31 return ((ul1[0] ^ ul2[0]) | (ul1[1] ^ ul2[1])) == 0UL; 32 #else 33 return a1->all[0] == a2->all[0] && 34 a1->all[1] == a2->all[1] && 35 a1->all[2] == a2->all[2] && 36 a1->all[3] == a2->all[3]; 37 #endif 38 } 39 40 static inline void nf_inet_addr_mask(const union nf_inet_addr *a1, 41 union nf_inet_addr *result, 42 const union nf_inet_addr *mask) 43 { 44 #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) && BITS_PER_LONG == 64 45 const unsigned long *ua = (const unsigned long *)a1; 46 unsigned long *ur = (unsigned long *)result; 47 const unsigned long *um = (const unsigned long *)mask; 48 49 ur[0] = ua[0] & um[0]; 50 ur[1] = ua[1] & um[1]; 51 #else 52 result->all[0] = a1->all[0] & mask->all[0]; 53 result->all[1] = a1->all[1] & mask->all[1]; 54 result->all[2] = a1->all[2] & mask->all[2]; 55 result->all[3] = a1->all[3] & mask->all[3]; 56 #endif 57 } 58 59 int netfilter_init(void); 60 61 struct sk_buff; 62 63 struct nf_hook_ops; 64 65 struct sock; 66 67 struct nf_hook_state { 68 unsigned int hook; 69 u_int8_t pf; 70 struct net_device *in; 71 struct net_device *out; 72 struct sock *sk; 73 struct net *net; 74 int (*okfn)(struct net *, struct sock *, struct sk_buff *); 75 }; 76 77 typedef unsigned int nf_hookfn(void *priv, 78 struct sk_buff *skb, 79 const struct nf_hook_state *state); 80 struct nf_hook_ops { 81 /* User fills in from here down. */ 82 nf_hookfn *hook; 83 struct net_device *dev; 84 void *priv; 85 u_int8_t pf; 86 unsigned int hooknum; 87 /* Hooks are ordered in ascending priority. */ 88 int priority; 89 }; 90 91 struct nf_hook_entry { 92 nf_hookfn *hook; 93 void *priv; 94 }; 95 96 struct nf_hook_entries_rcu_head { 97 struct rcu_head head; 98 void *allocation; 99 }; 100 101 struct nf_hook_entries { 102 u16 num_hook_entries; 103 /* padding */ 104 struct nf_hook_entry hooks[]; 105 106 /* trailer: pointers to original orig_ops of each hook, 107 * followed by rcu_head and scratch space used for freeing 108 * the structure via call_rcu. 109 * 110 * This is not part of struct nf_hook_entry since its only 111 * needed in slow path (hook register/unregister): 112 * const struct nf_hook_ops *orig_ops[] 113 * 114 * For the same reason, we store this at end -- its 115 * only needed when a hook is deleted, not during 116 * packet path processing: 117 * struct nf_hook_entries_rcu_head head 118 */ 119 }; 120 121 #ifdef CONFIG_NETFILTER 122 static inline struct nf_hook_ops **nf_hook_entries_get_hook_ops(const struct nf_hook_entries *e) 123 { 124 unsigned int n = e->num_hook_entries; 125 const void *hook_end; 126 127 hook_end = &e->hooks[n]; /* this is *past* ->hooks[]! */ 128 129 return (struct nf_hook_ops **)hook_end; 130 } 131 132 static inline int 133 nf_hook_entry_hookfn(const struct nf_hook_entry *entry, struct sk_buff *skb, 134 struct nf_hook_state *state) 135 { 136 return entry->hook(entry->priv, skb, state); 137 } 138 139 static inline void nf_hook_state_init(struct nf_hook_state *p, 140 unsigned int hook, 141 u_int8_t pf, 142 struct net_device *indev, 143 struct net_device *outdev, 144 struct sock *sk, 145 struct net *net, 146 int (*okfn)(struct net *, struct sock *, struct sk_buff *)) 147 { 148 p->hook = hook; 149 p->pf = pf; 150 p->in = indev; 151 p->out = outdev; 152 p->sk = sk; 153 p->net = net; 154 p->okfn = okfn; 155 } 156 157 158 159 struct nf_sockopt_ops { 160 struct list_head list; 161 162 u_int8_t pf; 163 164 /* Non-inclusive ranges: use 0/0/NULL to never get called. */ 165 int set_optmin; 166 int set_optmax; 167 int (*set)(struct sock *sk, int optval, sockptr_t arg, 168 unsigned int len); 169 int get_optmin; 170 int get_optmax; 171 int (*get)(struct sock *sk, int optval, void __user *user, int *len); 172 /* Use the module struct to lock set/get code in place */ 173 struct module *owner; 174 }; 175 176 /* Function to register/unregister hook points. */ 177 int nf_register_net_hook(struct net *net, const struct nf_hook_ops *ops); 178 void nf_unregister_net_hook(struct net *net, const struct nf_hook_ops *ops); 179 int nf_register_net_hooks(struct net *net, const struct nf_hook_ops *reg, 180 unsigned int n); 181 void nf_unregister_net_hooks(struct net *net, const struct nf_hook_ops *reg, 182 unsigned int n); 183 184 /* Functions to register get/setsockopt ranges (non-inclusive). You 185 need to check permissions yourself! */ 186 int nf_register_sockopt(struct nf_sockopt_ops *reg); 187 void nf_unregister_sockopt(struct nf_sockopt_ops *reg); 188 189 #ifdef CONFIG_JUMP_LABEL 190 extern struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS]; 191 #endif 192 193 int nf_hook_slow(struct sk_buff *skb, struct nf_hook_state *state, 194 const struct nf_hook_entries *e, unsigned int i); 195 196 void nf_hook_slow_list(struct list_head *head, struct nf_hook_state *state, 197 const struct nf_hook_entries *e); 198 /** 199 * nf_hook - call a netfilter hook 200 * 201 * Returns 1 if the hook has allowed the packet to pass. The function 202 * okfn must be invoked by the caller in this case. Any other return 203 * value indicates the packet has been consumed by the hook. 204 */ 205 static inline int nf_hook(u_int8_t pf, unsigned int hook, struct net *net, 206 struct sock *sk, struct sk_buff *skb, 207 struct net_device *indev, struct net_device *outdev, 208 int (*okfn)(struct net *, struct sock *, struct sk_buff *)) 209 { 210 struct nf_hook_entries *hook_head = NULL; 211 int ret = 1; 212 213 #ifdef CONFIG_JUMP_LABEL 214 if (__builtin_constant_p(pf) && 215 __builtin_constant_p(hook) && 216 !static_key_false(&nf_hooks_needed[pf][hook])) 217 return 1; 218 #endif 219 220 rcu_read_lock(); 221 switch (pf) { 222 case NFPROTO_IPV4: 223 hook_head = rcu_dereference(net->nf.hooks_ipv4[hook]); 224 break; 225 case NFPROTO_IPV6: 226 hook_head = rcu_dereference(net->nf.hooks_ipv6[hook]); 227 break; 228 case NFPROTO_ARP: 229 #ifdef CONFIG_NETFILTER_FAMILY_ARP 230 if (WARN_ON_ONCE(hook >= ARRAY_SIZE(net->nf.hooks_arp))) 231 break; 232 hook_head = rcu_dereference(net->nf.hooks_arp[hook]); 233 #endif 234 break; 235 case NFPROTO_BRIDGE: 236 #ifdef CONFIG_NETFILTER_FAMILY_BRIDGE 237 hook_head = rcu_dereference(net->nf.hooks_bridge[hook]); 238 #endif 239 break; 240 #if IS_ENABLED(CONFIG_DECNET) 241 case NFPROTO_DECNET: 242 hook_head = rcu_dereference(net->nf.hooks_decnet[hook]); 243 break; 244 #endif 245 default: 246 WARN_ON_ONCE(1); 247 break; 248 } 249 250 if (hook_head) { 251 struct nf_hook_state state; 252 253 nf_hook_state_init(&state, hook, pf, indev, outdev, 254 sk, net, okfn); 255 256 ret = nf_hook_slow(skb, &state, hook_head, 0); 257 } 258 rcu_read_unlock(); 259 260 return ret; 261 } 262 263 /* Activate hook; either okfn or kfree_skb called, unless a hook 264 returns NF_STOLEN (in which case, it's up to the hook to deal with 265 the consequences). 266 267 Returns -ERRNO if packet dropped. Zero means queued, stolen or 268 accepted. 269 */ 270 271 /* RR: 272 > I don't want nf_hook to return anything because people might forget 273 > about async and trust the return value to mean "packet was ok". 274 275 AK: 276 Just document it clearly, then you can expect some sense from kernel 277 coders :) 278 */ 279 280 static inline int 281 NF_HOOK_COND(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk, 282 struct sk_buff *skb, struct net_device *in, struct net_device *out, 283 int (*okfn)(struct net *, struct sock *, struct sk_buff *), 284 bool cond) 285 { 286 int ret; 287 288 if (!cond || 289 ((ret = nf_hook(pf, hook, net, sk, skb, in, out, okfn)) == 1)) 290 ret = okfn(net, sk, skb); 291 return ret; 292 } 293 294 static inline int 295 NF_HOOK(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk, struct sk_buff *skb, 296 struct net_device *in, struct net_device *out, 297 int (*okfn)(struct net *, struct sock *, struct sk_buff *)) 298 { 299 int ret = nf_hook(pf, hook, net, sk, skb, in, out, okfn); 300 if (ret == 1) 301 ret = okfn(net, sk, skb); 302 return ret; 303 } 304 305 static inline void 306 NF_HOOK_LIST(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk, 307 struct list_head *head, struct net_device *in, struct net_device *out, 308 int (*okfn)(struct net *, struct sock *, struct sk_buff *)) 309 { 310 struct nf_hook_entries *hook_head = NULL; 311 312 #ifdef CONFIG_JUMP_LABEL 313 if (__builtin_constant_p(pf) && 314 __builtin_constant_p(hook) && 315 !static_key_false(&nf_hooks_needed[pf][hook])) 316 return; 317 #endif 318 319 rcu_read_lock(); 320 switch (pf) { 321 case NFPROTO_IPV4: 322 hook_head = rcu_dereference(net->nf.hooks_ipv4[hook]); 323 break; 324 case NFPROTO_IPV6: 325 hook_head = rcu_dereference(net->nf.hooks_ipv6[hook]); 326 break; 327 default: 328 WARN_ON_ONCE(1); 329 break; 330 } 331 332 if (hook_head) { 333 struct nf_hook_state state; 334 335 nf_hook_state_init(&state, hook, pf, in, out, sk, net, okfn); 336 337 nf_hook_slow_list(head, &state, hook_head); 338 } 339 rcu_read_unlock(); 340 } 341 342 /* Call setsockopt() */ 343 int nf_setsockopt(struct sock *sk, u_int8_t pf, int optval, sockptr_t opt, 344 unsigned int len); 345 int nf_getsockopt(struct sock *sk, u_int8_t pf, int optval, char __user *opt, 346 int *len); 347 348 struct flowi; 349 struct nf_queue_entry; 350 351 __sum16 nf_checksum(struct sk_buff *skb, unsigned int hook, 352 unsigned int dataoff, u_int8_t protocol, 353 unsigned short family); 354 355 __sum16 nf_checksum_partial(struct sk_buff *skb, unsigned int hook, 356 unsigned int dataoff, unsigned int len, 357 u_int8_t protocol, unsigned short family); 358 int nf_route(struct net *net, struct dst_entry **dst, struct flowi *fl, 359 bool strict, unsigned short family); 360 int nf_reroute(struct sk_buff *skb, struct nf_queue_entry *entry); 361 362 #include <net/flow.h> 363 364 struct nf_conn; 365 enum nf_nat_manip_type; 366 struct nlattr; 367 enum ip_conntrack_dir; 368 369 struct nf_nat_hook { 370 int (*parse_nat_setup)(struct nf_conn *ct, enum nf_nat_manip_type manip, 371 const struct nlattr *attr); 372 void (*decode_session)(struct sk_buff *skb, struct flowi *fl); 373 unsigned int (*manip_pkt)(struct sk_buff *skb, struct nf_conn *ct, 374 enum nf_nat_manip_type mtype, 375 enum ip_conntrack_dir dir); 376 }; 377 378 extern struct nf_nat_hook __rcu *nf_nat_hook; 379 380 static inline void 381 nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, u_int8_t family) 382 { 383 #if IS_ENABLED(CONFIG_NF_NAT) 384 struct nf_nat_hook *nat_hook; 385 386 rcu_read_lock(); 387 nat_hook = rcu_dereference(nf_nat_hook); 388 if (nat_hook && nat_hook->decode_session) 389 nat_hook->decode_session(skb, fl); 390 rcu_read_unlock(); 391 #endif 392 } 393 394 #else /* !CONFIG_NETFILTER */ 395 static inline int 396 NF_HOOK_COND(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk, 397 struct sk_buff *skb, struct net_device *in, struct net_device *out, 398 int (*okfn)(struct net *, struct sock *, struct sk_buff *), 399 bool cond) 400 { 401 return okfn(net, sk, skb); 402 } 403 404 static inline int 405 NF_HOOK(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk, 406 struct sk_buff *skb, struct net_device *in, struct net_device *out, 407 int (*okfn)(struct net *, struct sock *, struct sk_buff *)) 408 { 409 return okfn(net, sk, skb); 410 } 411 412 static inline void 413 NF_HOOK_LIST(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk, 414 struct list_head *head, struct net_device *in, struct net_device *out, 415 int (*okfn)(struct net *, struct sock *, struct sk_buff *)) 416 { 417 /* nothing to do */ 418 } 419 420 static inline int nf_hook(u_int8_t pf, unsigned int hook, struct net *net, 421 struct sock *sk, struct sk_buff *skb, 422 struct net_device *indev, struct net_device *outdev, 423 int (*okfn)(struct net *, struct sock *, struct sk_buff *)) 424 { 425 return 1; 426 } 427 struct flowi; 428 static inline void 429 nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, u_int8_t family) 430 { 431 } 432 #endif /*CONFIG_NETFILTER*/ 433 434 #if IS_ENABLED(CONFIG_NF_CONNTRACK) 435 #include <linux/netfilter/nf_conntrack_zones_common.h> 436 437 extern void (*ip_ct_attach)(struct sk_buff *, const struct sk_buff *) __rcu; 438 void nf_ct_attach(struct sk_buff *, const struct sk_buff *); 439 struct nf_conntrack_tuple; 440 bool nf_ct_get_tuple_skb(struct nf_conntrack_tuple *dst_tuple, 441 const struct sk_buff *skb); 442 #else 443 static inline void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb) {} 444 struct nf_conntrack_tuple; 445 static inline bool nf_ct_get_tuple_skb(struct nf_conntrack_tuple *dst_tuple, 446 const struct sk_buff *skb) 447 { 448 return false; 449 } 450 #endif 451 452 struct nf_conn; 453 enum ip_conntrack_info; 454 455 struct nf_ct_hook { 456 int (*update)(struct net *net, struct sk_buff *skb); 457 void (*destroy)(struct nf_conntrack *); 458 bool (*get_tuple_skb)(struct nf_conntrack_tuple *, 459 const struct sk_buff *); 460 }; 461 extern struct nf_ct_hook __rcu *nf_ct_hook; 462 463 struct nlattr; 464 465 struct nfnl_ct_hook { 466 size_t (*build_size)(const struct nf_conn *ct); 467 int (*build)(struct sk_buff *skb, struct nf_conn *ct, 468 enum ip_conntrack_info ctinfo, 469 u_int16_t ct_attr, u_int16_t ct_info_attr); 470 int (*parse)(const struct nlattr *attr, struct nf_conn *ct); 471 int (*attach_expect)(const struct nlattr *attr, struct nf_conn *ct, 472 u32 portid, u32 report); 473 void (*seq_adjust)(struct sk_buff *skb, struct nf_conn *ct, 474 enum ip_conntrack_info ctinfo, s32 off); 475 }; 476 extern struct nfnl_ct_hook __rcu *nfnl_ct_hook; 477 478 /** 479 * nf_skb_duplicated - TEE target has sent a packet 480 * 481 * When a xtables target sends a packet, the OUTPUT and POSTROUTING 482 * hooks are traversed again, i.e. nft and xtables are invoked recursively. 483 * 484 * This is used by xtables TEE target to prevent the duplicated skb from 485 * being duplicated again. 486 */ 487 DECLARE_PER_CPU(bool, nf_skb_duplicated); 488 489 #endif /*__LINUX_NETFILTER_H*/ 490