1 /* SPDX-License-Identifier: GPL-2.0 */ 2 /* 3 * Operations on the network namespace 4 */ 5 #ifndef __NET_NET_NAMESPACE_H 6 #define __NET_NET_NAMESPACE_H 7 8 #include <linux/atomic.h> 9 #include <linux/refcount.h> 10 #include <linux/workqueue.h> 11 #include <linux/list.h> 12 #include <linux/sysctl.h> 13 #include <linux/uidgid.h> 14 15 #include <net/flow.h> 16 #include <net/netns/core.h> 17 #include <net/netns/mib.h> 18 #include <net/netns/unix.h> 19 #include <net/netns/packet.h> 20 #include <net/netns/ipv4.h> 21 #include <net/netns/ipv6.h> 22 #include <net/netns/nexthop.h> 23 #include <net/netns/ieee802154_6lowpan.h> 24 #include <net/netns/sctp.h> 25 #include <net/netns/netfilter.h> 26 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE) 27 #include <net/netns/conntrack.h> 28 #endif 29 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 30 #include <net/netns/flow_table.h> 31 #endif 32 #include <net/netns/nftables.h> 33 #include <net/netns/xfrm.h> 34 #include <net/netns/mpls.h> 35 #include <net/netns/can.h> 36 #include <net/netns/xdp.h> 37 #include <net/netns/smc.h> 38 #include <net/netns/bpf.h> 39 #include <net/netns/mctp.h> 40 #include <net/net_trackers.h> 41 #include <linux/ns_common.h> 42 #include <linux/idr.h> 43 #include <linux/skbuff.h> 44 #include <linux/notifier.h> 45 #include <linux/xarray.h> 46 47 struct user_namespace; 48 struct proc_dir_entry; 49 struct net_device; 50 struct sock; 51 struct ctl_table_header; 52 struct net_generic; 53 struct uevent_sock; 54 struct netns_ipvs; 55 struct bpf_prog; 56 57 58 #define NETDEV_HASHBITS 8 59 #define NETDEV_HASHENTRIES (1 << NETDEV_HASHBITS) 60 61 struct net { 62 /* First cache line can be often dirtied. 63 * Do not place here read-mostly fields. 64 */ 65 refcount_t passive; /* To decide when the network 66 * namespace should be freed. 67 */ 68 spinlock_t rules_mod_lock; 69 70 atomic_t dev_unreg_count; 71 72 unsigned int dev_base_seq; /* protected by rtnl_mutex */ 73 u32 ifindex; 74 75 spinlock_t nsid_lock; 76 atomic_t fnhe_genid; 77 78 struct list_head list; /* list of network namespaces */ 79 struct list_head exit_list; /* To linked to call pernet exit 80 * methods on dead net ( 81 * pernet_ops_rwsem read locked), 82 * or to unregister pernet ops 83 * (pernet_ops_rwsem write locked). 84 */ 85 struct llist_node defer_free_list; 86 struct llist_node cleanup_list; /* namespaces on death row */ 87 88 #ifdef CONFIG_KEYS 89 struct key_tag *key_domain; /* Key domain of operation tag */ 90 #endif 91 struct user_namespace *user_ns; /* Owning user namespace */ 92 struct ucounts *ucounts; 93 struct idr netns_ids; 94 95 struct ns_common ns; 96 struct ref_tracker_dir refcnt_tracker; 97 struct ref_tracker_dir notrefcnt_tracker; /* tracker for objects not 98 * refcounted against netns 99 */ 100 struct list_head dev_base_head; 101 struct proc_dir_entry *proc_net; 102 struct proc_dir_entry *proc_net_stat; 103 104 #ifdef CONFIG_SYSCTL 105 struct ctl_table_set sysctls; 106 #endif 107 108 struct sock *rtnl; /* rtnetlink socket */ 109 struct sock *genl_sock; 110 111 struct uevent_sock *uevent_sock; /* uevent socket */ 112 113 struct hlist_head *dev_name_head; 114 struct hlist_head *dev_index_head; 115 struct xarray dev_by_index; 116 struct raw_notifier_head netdev_chain; 117 118 /* Note that @hash_mix can be read millions times per second, 119 * it is critical that it is on a read_mostly cache line. 120 */ 121 u32 hash_mix; 122 123 struct net_device *loopback_dev; /* The loopback */ 124 125 /* core fib_rules */ 126 struct list_head rules_ops; 127 128 struct netns_core core; 129 struct netns_mib mib; 130 struct netns_packet packet; 131 #if IS_ENABLED(CONFIG_UNIX) 132 struct netns_unix unx; 133 #endif 134 struct netns_nexthop nexthop; 135 struct netns_ipv4 ipv4; 136 #if IS_ENABLED(CONFIG_IPV6) 137 struct netns_ipv6 ipv6; 138 #endif 139 #if IS_ENABLED(CONFIG_IEEE802154_6LOWPAN) 140 struct netns_ieee802154_lowpan ieee802154_lowpan; 141 #endif 142 #if defined(CONFIG_IP_SCTP) || defined(CONFIG_IP_SCTP_MODULE) 143 struct netns_sctp sctp; 144 #endif 145 #ifdef CONFIG_NETFILTER 146 struct netns_nf nf; 147 #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE) 148 struct netns_ct ct; 149 #endif 150 #if defined(CONFIG_NF_TABLES) || defined(CONFIG_NF_TABLES_MODULE) 151 struct netns_nftables nft; 152 #endif 153 #if IS_ENABLED(CONFIG_NF_FLOW_TABLE) 154 struct netns_ft ft; 155 #endif 156 #endif 157 #ifdef CONFIG_WEXT_CORE 158 struct sk_buff_head wext_nlevents; 159 #endif 160 struct net_generic __rcu *gen; 161 162 /* Used to store attached BPF programs */ 163 struct netns_bpf bpf; 164 165 /* Note : following structs are cache line aligned */ 166 #ifdef CONFIG_XFRM 167 struct netns_xfrm xfrm; 168 #endif 169 170 u64 net_cookie; /* written once */ 171 172 #if IS_ENABLED(CONFIG_IP_VS) 173 struct netns_ipvs *ipvs; 174 #endif 175 #if IS_ENABLED(CONFIG_MPLS) 176 struct netns_mpls mpls; 177 #endif 178 #if IS_ENABLED(CONFIG_CAN) 179 struct netns_can can; 180 #endif 181 #ifdef CONFIG_XDP_SOCKETS 182 struct netns_xdp xdp; 183 #endif 184 #if IS_ENABLED(CONFIG_MCTP) 185 struct netns_mctp mctp; 186 #endif 187 #if IS_ENABLED(CONFIG_CRYPTO_USER) 188 struct sock *crypto_nlsk; 189 #endif 190 struct sock *diag_nlsk; 191 #if IS_ENABLED(CONFIG_SMC) 192 struct netns_smc smc; 193 #endif 194 } __randomize_layout; 195 196 #include <linux/seq_file_net.h> 197 198 /* Init's network namespace */ 199 extern struct net init_net; 200 201 #ifdef CONFIG_NET_NS 202 struct net *copy_net_ns(unsigned long flags, struct user_namespace *user_ns, 203 struct net *old_net); 204 205 void net_ns_get_ownership(const struct net *net, kuid_t *uid, kgid_t *gid); 206 207 void net_ns_barrier(void); 208 209 struct ns_common *get_net_ns(struct ns_common *ns); 210 struct net *get_net_ns_by_fd(int fd); 211 #else /* CONFIG_NET_NS */ 212 #include <linux/sched.h> 213 #include <linux/nsproxy.h> 214 static inline struct net *copy_net_ns(unsigned long flags, 215 struct user_namespace *user_ns, struct net *old_net) 216 { 217 if (flags & CLONE_NEWNET) 218 return ERR_PTR(-EINVAL); 219 return old_net; 220 } 221 222 static inline void net_ns_get_ownership(const struct net *net, 223 kuid_t *uid, kgid_t *gid) 224 { 225 *uid = GLOBAL_ROOT_UID; 226 *gid = GLOBAL_ROOT_GID; 227 } 228 229 static inline void net_ns_barrier(void) {} 230 231 static inline struct ns_common *get_net_ns(struct ns_common *ns) 232 { 233 return ERR_PTR(-EINVAL); 234 } 235 236 static inline struct net *get_net_ns_by_fd(int fd) 237 { 238 return ERR_PTR(-EINVAL); 239 } 240 #endif /* CONFIG_NET_NS */ 241 242 243 extern struct list_head net_namespace_list; 244 245 struct net *get_net_ns_by_pid(pid_t pid); 246 247 #ifdef CONFIG_SYSCTL 248 void ipx_register_sysctl(void); 249 void ipx_unregister_sysctl(void); 250 #else 251 #define ipx_register_sysctl() 252 #define ipx_unregister_sysctl() 253 #endif 254 255 #ifdef CONFIG_NET_NS 256 void __put_net(struct net *net); 257 258 /* Try using get_net_track() instead */ 259 static inline struct net *get_net(struct net *net) 260 { 261 refcount_inc(&net->ns.count); 262 return net; 263 } 264 265 static inline struct net *maybe_get_net(struct net *net) 266 { 267 /* Used when we know struct net exists but we 268 * aren't guaranteed a previous reference count 269 * exists. If the reference count is zero this 270 * function fails and returns NULL. 271 */ 272 if (!refcount_inc_not_zero(&net->ns.count)) 273 net = NULL; 274 return net; 275 } 276 277 /* Try using put_net_track() instead */ 278 static inline void put_net(struct net *net) 279 { 280 if (refcount_dec_and_test(&net->ns.count)) 281 __put_net(net); 282 } 283 284 static inline 285 int net_eq(const struct net *net1, const struct net *net2) 286 { 287 return net1 == net2; 288 } 289 290 static inline int check_net(const struct net *net) 291 { 292 return refcount_read(&net->ns.count) != 0; 293 } 294 295 void net_drop_ns(void *); 296 297 #else 298 299 static inline struct net *get_net(struct net *net) 300 { 301 return net; 302 } 303 304 static inline void put_net(struct net *net) 305 { 306 } 307 308 static inline struct net *maybe_get_net(struct net *net) 309 { 310 return net; 311 } 312 313 static inline 314 int net_eq(const struct net *net1, const struct net *net2) 315 { 316 return 1; 317 } 318 319 static inline int check_net(const struct net *net) 320 { 321 return 1; 322 } 323 324 #define net_drop_ns NULL 325 #endif 326 327 328 static inline void __netns_tracker_alloc(struct net *net, 329 netns_tracker *tracker, 330 bool refcounted, 331 gfp_t gfp) 332 { 333 #ifdef CONFIG_NET_NS_REFCNT_TRACKER 334 ref_tracker_alloc(refcounted ? &net->refcnt_tracker : 335 &net->notrefcnt_tracker, 336 tracker, gfp); 337 #endif 338 } 339 340 static inline void netns_tracker_alloc(struct net *net, netns_tracker *tracker, 341 gfp_t gfp) 342 { 343 __netns_tracker_alloc(net, tracker, true, gfp); 344 } 345 346 static inline void __netns_tracker_free(struct net *net, 347 netns_tracker *tracker, 348 bool refcounted) 349 { 350 #ifdef CONFIG_NET_NS_REFCNT_TRACKER 351 ref_tracker_free(refcounted ? &net->refcnt_tracker : 352 &net->notrefcnt_tracker, tracker); 353 #endif 354 } 355 356 static inline struct net *get_net_track(struct net *net, 357 netns_tracker *tracker, gfp_t gfp) 358 { 359 get_net(net); 360 netns_tracker_alloc(net, tracker, gfp); 361 return net; 362 } 363 364 static inline void put_net_track(struct net *net, netns_tracker *tracker) 365 { 366 __netns_tracker_free(net, tracker, true); 367 put_net(net); 368 } 369 370 typedef struct { 371 #ifdef CONFIG_NET_NS 372 struct net *net; 373 #endif 374 } possible_net_t; 375 376 static inline void write_pnet(possible_net_t *pnet, struct net *net) 377 { 378 #ifdef CONFIG_NET_NS 379 pnet->net = net; 380 #endif 381 } 382 383 static inline struct net *read_pnet(const possible_net_t *pnet) 384 { 385 #ifdef CONFIG_NET_NS 386 return pnet->net; 387 #else 388 return &init_net; 389 #endif 390 } 391 392 /* Protected by net_rwsem */ 393 #define for_each_net(VAR) \ 394 list_for_each_entry(VAR, &net_namespace_list, list) 395 #define for_each_net_continue_reverse(VAR) \ 396 list_for_each_entry_continue_reverse(VAR, &net_namespace_list, list) 397 #define for_each_net_rcu(VAR) \ 398 list_for_each_entry_rcu(VAR, &net_namespace_list, list) 399 400 #ifdef CONFIG_NET_NS 401 #define __net_init 402 #define __net_exit 403 #define __net_initdata 404 #define __net_initconst 405 #else 406 #define __net_init __init 407 #define __net_exit __ref 408 #define __net_initdata __initdata 409 #define __net_initconst __initconst 410 #endif 411 412 int peernet2id_alloc(struct net *net, struct net *peer, gfp_t gfp); 413 int peernet2id(const struct net *net, struct net *peer); 414 bool peernet_has_id(const struct net *net, struct net *peer); 415 struct net *get_net_ns_by_id(const struct net *net, int id); 416 417 struct pernet_operations { 418 struct list_head list; 419 /* 420 * Below methods are called without any exclusive locks. 421 * More than one net may be constructed and destructed 422 * in parallel on several cpus. Every pernet_operations 423 * have to keep in mind all other pernet_operations and 424 * to introduce a locking, if they share common resources. 425 * 426 * The only time they are called with exclusive lock is 427 * from register_pernet_subsys(), unregister_pernet_subsys() 428 * register_pernet_device() and unregister_pernet_device(). 429 * 430 * Exit methods using blocking RCU primitives, such as 431 * synchronize_rcu(), should be implemented via exit_batch. 432 * Then, destruction of a group of net requires single 433 * synchronize_rcu() related to these pernet_operations, 434 * instead of separate synchronize_rcu() for every net. 435 * Please, avoid synchronize_rcu() at all, where it's possible. 436 * 437 * Note that a combination of pre_exit() and exit() can 438 * be used, since a synchronize_rcu() is guaranteed between 439 * the calls. 440 */ 441 int (*init)(struct net *net); 442 void (*pre_exit)(struct net *net); 443 void (*exit)(struct net *net); 444 void (*exit_batch)(struct list_head *net_exit_list); 445 /* Following method is called with RTNL held. */ 446 void (*exit_batch_rtnl)(struct list_head *net_exit_list, 447 struct list_head *dev_kill_list); 448 unsigned int *id; 449 size_t size; 450 }; 451 452 /* 453 * Use these carefully. If you implement a network device and it 454 * needs per network namespace operations use device pernet operations, 455 * otherwise use pernet subsys operations. 456 * 457 * Network interfaces need to be removed from a dying netns _before_ 458 * subsys notifiers can be called, as most of the network code cleanup 459 * (which is done from subsys notifiers) runs with the assumption that 460 * dev_remove_pack has been called so no new packets will arrive during 461 * and after the cleanup functions have been called. dev_remove_pack 462 * is not per namespace so instead the guarantee of no more packets 463 * arriving in a network namespace is provided by ensuring that all 464 * network devices and all sockets have left the network namespace 465 * before the cleanup methods are called. 466 * 467 * For the longest time the ipv4 icmp code was registered as a pernet 468 * device which caused kernel oops, and panics during network 469 * namespace cleanup. So please don't get this wrong. 470 */ 471 int register_pernet_subsys(struct pernet_operations *); 472 void unregister_pernet_subsys(struct pernet_operations *); 473 int register_pernet_device(struct pernet_operations *); 474 void unregister_pernet_device(struct pernet_operations *); 475 476 struct ctl_table; 477 478 #define register_net_sysctl(net, path, table) \ 479 register_net_sysctl_sz(net, path, table, ARRAY_SIZE(table)) 480 #ifdef CONFIG_SYSCTL 481 int net_sysctl_init(void); 482 struct ctl_table_header *register_net_sysctl_sz(struct net *net, const char *path, 483 struct ctl_table *table, size_t table_size); 484 void unregister_net_sysctl_table(struct ctl_table_header *header); 485 #else 486 static inline int net_sysctl_init(void) { return 0; } 487 static inline struct ctl_table_header *register_net_sysctl_sz(struct net *net, 488 const char *path, struct ctl_table *table, size_t table_size) 489 { 490 return NULL; 491 } 492 static inline void unregister_net_sysctl_table(struct ctl_table_header *header) 493 { 494 } 495 #endif 496 497 static inline int rt_genid_ipv4(const struct net *net) 498 { 499 return atomic_read(&net->ipv4.rt_genid); 500 } 501 502 #if IS_ENABLED(CONFIG_IPV6) 503 static inline int rt_genid_ipv6(const struct net *net) 504 { 505 return atomic_read(&net->ipv6.fib6_sernum); 506 } 507 #endif 508 509 static inline void rt_genid_bump_ipv4(struct net *net) 510 { 511 atomic_inc(&net->ipv4.rt_genid); 512 } 513 514 extern void (*__fib6_flush_trees)(struct net *net); 515 static inline void rt_genid_bump_ipv6(struct net *net) 516 { 517 if (__fib6_flush_trees) 518 __fib6_flush_trees(net); 519 } 520 521 #if IS_ENABLED(CONFIG_IEEE802154_6LOWPAN) 522 static inline struct netns_ieee802154_lowpan * 523 net_ieee802154_lowpan(struct net *net) 524 { 525 return &net->ieee802154_lowpan; 526 } 527 #endif 528 529 /* For callers who don't really care about whether it's IPv4 or IPv6 */ 530 static inline void rt_genid_bump_all(struct net *net) 531 { 532 rt_genid_bump_ipv4(net); 533 rt_genid_bump_ipv6(net); 534 } 535 536 static inline int fnhe_genid(const struct net *net) 537 { 538 return atomic_read(&net->fnhe_genid); 539 } 540 541 static inline void fnhe_genid_bump(struct net *net) 542 { 543 atomic_inc(&net->fnhe_genid); 544 } 545 546 #ifdef CONFIG_NET 547 void net_ns_init(void); 548 #else 549 static inline void net_ns_init(void) {} 550 #endif 551 552 #endif /* __NET_NET_NAMESPACE_H */ 553