1 /* netfilter.c: look after the filters for various protocols. 2 * Heavily influenced by the old firewall.c by David Bonn and Alan Cox. 3 * 4 * Thanks to Rob `CmdrTaco' Malda for not influencing this code in any 5 * way. 6 * 7 * Rusty Russell (C)2000 -- This code is GPL. 8 * Patrick McHardy (c) 2006-2012 9 */ 10 #include <linux/kernel.h> 11 #include <linux/netfilter.h> 12 #include <net/protocol.h> 13 #include <linux/init.h> 14 #include <linux/skbuff.h> 15 #include <linux/wait.h> 16 #include <linux/module.h> 17 #include <linux/interrupt.h> 18 #include <linux/if.h> 19 #include <linux/netdevice.h> 20 #include <linux/netfilter_ipv6.h> 21 #include <linux/inetdevice.h> 22 #include <linux/proc_fs.h> 23 #include <linux/mutex.h> 24 #include <linux/slab.h> 25 #include <linux/rcupdate.h> 26 #include <net/net_namespace.h> 27 #include <net/sock.h> 28 29 #include "nf_internals.h" 30 31 static DEFINE_MUTEX(afinfo_mutex); 32 33 const struct nf_afinfo __rcu *nf_afinfo[NFPROTO_NUMPROTO] __read_mostly; 34 EXPORT_SYMBOL(nf_afinfo); 35 const struct nf_ipv6_ops __rcu *nf_ipv6_ops __read_mostly; 36 EXPORT_SYMBOL_GPL(nf_ipv6_ops); 37 38 DEFINE_PER_CPU(bool, nf_skb_duplicated); 39 EXPORT_SYMBOL_GPL(nf_skb_duplicated); 40 41 int nf_register_afinfo(const struct nf_afinfo *afinfo) 42 { 43 mutex_lock(&afinfo_mutex); 44 RCU_INIT_POINTER(nf_afinfo[afinfo->family], afinfo); 45 mutex_unlock(&afinfo_mutex); 46 return 0; 47 } 48 EXPORT_SYMBOL_GPL(nf_register_afinfo); 49 50 void nf_unregister_afinfo(const struct nf_afinfo *afinfo) 51 { 52 mutex_lock(&afinfo_mutex); 53 RCU_INIT_POINTER(nf_afinfo[afinfo->family], NULL); 54 mutex_unlock(&afinfo_mutex); 55 synchronize_rcu(); 56 } 57 EXPORT_SYMBOL_GPL(nf_unregister_afinfo); 58 59 #ifdef HAVE_JUMP_LABEL 60 struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS]; 61 EXPORT_SYMBOL(nf_hooks_needed); 62 #endif 63 64 static DEFINE_MUTEX(nf_hook_mutex); 65 #define nf_entry_dereference(e) \ 66 rcu_dereference_protected(e, lockdep_is_held(&nf_hook_mutex)) 67 68 static struct nf_hook_entry __rcu **nf_hook_entry_head(struct net *net, const struct nf_hook_ops *reg) 69 { 70 if (reg->pf != NFPROTO_NETDEV) 71 return net->nf.hooks[reg->pf]+reg->hooknum; 72 73 #ifdef CONFIG_NETFILTER_INGRESS 74 if (reg->hooknum == NF_NETDEV_INGRESS) { 75 if (reg->dev && dev_net(reg->dev) == net) 76 return ®->dev->nf_hooks_ingress; 77 } 78 #endif 79 return NULL; 80 } 81 82 int nf_register_net_hook(struct net *net, const struct nf_hook_ops *reg) 83 { 84 struct nf_hook_entry __rcu **pp; 85 struct nf_hook_entry *entry, *p; 86 87 if (reg->pf == NFPROTO_NETDEV) { 88 #ifndef CONFIG_NETFILTER_INGRESS 89 if (reg->hooknum == NF_NETDEV_INGRESS) 90 return -EOPNOTSUPP; 91 #endif 92 if (reg->hooknum != NF_NETDEV_INGRESS || 93 !reg->dev || dev_net(reg->dev) != net) 94 return -EINVAL; 95 } 96 97 pp = nf_hook_entry_head(net, reg); 98 if (!pp) 99 return -EINVAL; 100 101 entry = kmalloc(sizeof(*entry), GFP_KERNEL); 102 if (!entry) 103 return -ENOMEM; 104 105 nf_hook_entry_init(entry, reg); 106 107 mutex_lock(&nf_hook_mutex); 108 109 /* Find the spot in the list */ 110 while ((p = nf_entry_dereference(*pp)) != NULL) { 111 if (reg->priority < nf_hook_entry_priority(p)) 112 break; 113 pp = &p->next; 114 } 115 rcu_assign_pointer(entry->next, p); 116 rcu_assign_pointer(*pp, entry); 117 118 mutex_unlock(&nf_hook_mutex); 119 #ifdef CONFIG_NETFILTER_INGRESS 120 if (reg->pf == NFPROTO_NETDEV && reg->hooknum == NF_NETDEV_INGRESS) 121 net_inc_ingress_queue(); 122 #endif 123 #ifdef HAVE_JUMP_LABEL 124 static_key_slow_inc(&nf_hooks_needed[reg->pf][reg->hooknum]); 125 #endif 126 return 0; 127 } 128 EXPORT_SYMBOL(nf_register_net_hook); 129 130 void nf_unregister_net_hook(struct net *net, const struct nf_hook_ops *reg) 131 { 132 struct nf_hook_entry __rcu **pp; 133 struct nf_hook_entry *p; 134 135 pp = nf_hook_entry_head(net, reg); 136 if (WARN_ON_ONCE(!pp)) 137 return; 138 139 mutex_lock(&nf_hook_mutex); 140 while ((p = nf_entry_dereference(*pp)) != NULL) { 141 if (nf_hook_entry_ops(p) == reg) { 142 rcu_assign_pointer(*pp, p->next); 143 break; 144 } 145 pp = &p->next; 146 } 147 mutex_unlock(&nf_hook_mutex); 148 if (!p) { 149 WARN(1, "nf_unregister_net_hook: hook not found!\n"); 150 return; 151 } 152 #ifdef CONFIG_NETFILTER_INGRESS 153 if (reg->pf == NFPROTO_NETDEV && reg->hooknum == NF_NETDEV_INGRESS) 154 net_dec_ingress_queue(); 155 #endif 156 #ifdef HAVE_JUMP_LABEL 157 static_key_slow_dec(&nf_hooks_needed[reg->pf][reg->hooknum]); 158 #endif 159 synchronize_net(); 160 nf_queue_nf_hook_drop(net, p); 161 /* other cpu might still process nfqueue verdict that used reg */ 162 synchronize_net(); 163 kfree(p); 164 } 165 EXPORT_SYMBOL(nf_unregister_net_hook); 166 167 int nf_register_net_hooks(struct net *net, const struct nf_hook_ops *reg, 168 unsigned int n) 169 { 170 unsigned int i; 171 int err = 0; 172 173 for (i = 0; i < n; i++) { 174 err = nf_register_net_hook(net, ®[i]); 175 if (err) 176 goto err; 177 } 178 return err; 179 180 err: 181 if (i > 0) 182 nf_unregister_net_hooks(net, reg, i); 183 return err; 184 } 185 EXPORT_SYMBOL(nf_register_net_hooks); 186 187 void nf_unregister_net_hooks(struct net *net, const struct nf_hook_ops *reg, 188 unsigned int n) 189 { 190 while (n-- > 0) 191 nf_unregister_net_hook(net, ®[n]); 192 } 193 EXPORT_SYMBOL(nf_unregister_net_hooks); 194 195 static LIST_HEAD(nf_hook_list); 196 197 static int _nf_register_hook(struct nf_hook_ops *reg) 198 { 199 struct net *net, *last; 200 int ret; 201 202 for_each_net(net) { 203 ret = nf_register_net_hook(net, reg); 204 if (ret && ret != -ENOENT) 205 goto rollback; 206 } 207 list_add_tail(®->list, &nf_hook_list); 208 209 return 0; 210 rollback: 211 last = net; 212 for_each_net(net) { 213 if (net == last) 214 break; 215 nf_unregister_net_hook(net, reg); 216 } 217 return ret; 218 } 219 220 int nf_register_hook(struct nf_hook_ops *reg) 221 { 222 int ret; 223 224 rtnl_lock(); 225 ret = _nf_register_hook(reg); 226 rtnl_unlock(); 227 228 return ret; 229 } 230 EXPORT_SYMBOL(nf_register_hook); 231 232 static void _nf_unregister_hook(struct nf_hook_ops *reg) 233 { 234 struct net *net; 235 236 list_del(®->list); 237 for_each_net(net) 238 nf_unregister_net_hook(net, reg); 239 } 240 241 void nf_unregister_hook(struct nf_hook_ops *reg) 242 { 243 rtnl_lock(); 244 _nf_unregister_hook(reg); 245 rtnl_unlock(); 246 } 247 EXPORT_SYMBOL(nf_unregister_hook); 248 249 int nf_register_hooks(struct nf_hook_ops *reg, unsigned int n) 250 { 251 unsigned int i; 252 int err = 0; 253 254 for (i = 0; i < n; i++) { 255 err = nf_register_hook(®[i]); 256 if (err) 257 goto err; 258 } 259 return err; 260 261 err: 262 if (i > 0) 263 nf_unregister_hooks(reg, i); 264 return err; 265 } 266 EXPORT_SYMBOL(nf_register_hooks); 267 268 /* Caller MUST take rtnl_lock() */ 269 int _nf_register_hooks(struct nf_hook_ops *reg, unsigned int n) 270 { 271 unsigned int i; 272 int err = 0; 273 274 for (i = 0; i < n; i++) { 275 err = _nf_register_hook(®[i]); 276 if (err) 277 goto err; 278 } 279 return err; 280 281 err: 282 if (i > 0) 283 _nf_unregister_hooks(reg, i); 284 return err; 285 } 286 EXPORT_SYMBOL(_nf_register_hooks); 287 288 void nf_unregister_hooks(struct nf_hook_ops *reg, unsigned int n) 289 { 290 while (n-- > 0) 291 nf_unregister_hook(®[n]); 292 } 293 EXPORT_SYMBOL(nf_unregister_hooks); 294 295 /* Caller MUST take rtnl_lock */ 296 void _nf_unregister_hooks(struct nf_hook_ops *reg, unsigned int n) 297 { 298 while (n-- > 0) 299 _nf_unregister_hook(®[n]); 300 } 301 EXPORT_SYMBOL(_nf_unregister_hooks); 302 303 /* Returns 1 if okfn() needs to be executed by the caller, 304 * -EPERM for NF_DROP, 0 otherwise. Caller must hold rcu_read_lock. */ 305 int nf_hook_slow(struct sk_buff *skb, struct nf_hook_state *state, 306 struct nf_hook_entry *entry) 307 { 308 unsigned int verdict; 309 int ret; 310 311 do { 312 verdict = nf_hook_entry_hookfn(entry, skb, state); 313 switch (verdict & NF_VERDICT_MASK) { 314 case NF_ACCEPT: 315 entry = rcu_dereference(entry->next); 316 break; 317 case NF_DROP: 318 kfree_skb(skb); 319 ret = NF_DROP_GETERR(verdict); 320 if (ret == 0) 321 ret = -EPERM; 322 return ret; 323 case NF_QUEUE: 324 ret = nf_queue(skb, state, &entry, verdict); 325 if (ret == 1 && entry) 326 continue; 327 return ret; 328 default: 329 /* Implicit handling for NF_STOLEN, as well as any other 330 * non conventional verdicts. 331 */ 332 return 0; 333 } 334 } while (entry); 335 336 return 1; 337 } 338 EXPORT_SYMBOL(nf_hook_slow); 339 340 341 int skb_make_writable(struct sk_buff *skb, unsigned int writable_len) 342 { 343 if (writable_len > skb->len) 344 return 0; 345 346 /* Not exclusive use of packet? Must copy. */ 347 if (!skb_cloned(skb)) { 348 if (writable_len <= skb_headlen(skb)) 349 return 1; 350 } else if (skb_clone_writable(skb, writable_len)) 351 return 1; 352 353 if (writable_len <= skb_headlen(skb)) 354 writable_len = 0; 355 else 356 writable_len -= skb_headlen(skb); 357 358 return !!__pskb_pull_tail(skb, writable_len); 359 } 360 EXPORT_SYMBOL(skb_make_writable); 361 362 /* This needs to be compiled in any case to avoid dependencies between the 363 * nfnetlink_queue code and nf_conntrack. 364 */ 365 struct nfnl_ct_hook __rcu *nfnl_ct_hook __read_mostly; 366 EXPORT_SYMBOL_GPL(nfnl_ct_hook); 367 368 #if IS_ENABLED(CONFIG_NF_CONNTRACK) 369 /* This does not belong here, but locally generated errors need it if connection 370 tracking in use: without this, connection may not be in hash table, and hence 371 manufactured ICMP or RST packets will not be associated with it. */ 372 void (*ip_ct_attach)(struct sk_buff *, const struct sk_buff *) 373 __rcu __read_mostly; 374 EXPORT_SYMBOL(ip_ct_attach); 375 376 void nf_ct_attach(struct sk_buff *new, const struct sk_buff *skb) 377 { 378 void (*attach)(struct sk_buff *, const struct sk_buff *); 379 380 if (skb->nfct) { 381 rcu_read_lock(); 382 attach = rcu_dereference(ip_ct_attach); 383 if (attach) 384 attach(new, skb); 385 rcu_read_unlock(); 386 } 387 } 388 EXPORT_SYMBOL(nf_ct_attach); 389 390 void (*nf_ct_destroy)(struct nf_conntrack *) __rcu __read_mostly; 391 EXPORT_SYMBOL(nf_ct_destroy); 392 393 void nf_conntrack_destroy(struct nf_conntrack *nfct) 394 { 395 void (*destroy)(struct nf_conntrack *); 396 397 rcu_read_lock(); 398 destroy = rcu_dereference(nf_ct_destroy); 399 BUG_ON(destroy == NULL); 400 destroy(nfct); 401 rcu_read_unlock(); 402 } 403 EXPORT_SYMBOL(nf_conntrack_destroy); 404 405 /* Built-in default zone used e.g. by modules. */ 406 const struct nf_conntrack_zone nf_ct_zone_dflt = { 407 .id = NF_CT_DEFAULT_ZONE_ID, 408 .dir = NF_CT_DEFAULT_ZONE_DIR, 409 }; 410 EXPORT_SYMBOL_GPL(nf_ct_zone_dflt); 411 #endif /* CONFIG_NF_CONNTRACK */ 412 413 #ifdef CONFIG_NF_NAT_NEEDED 414 void (*nf_nat_decode_session_hook)(struct sk_buff *, struct flowi *); 415 EXPORT_SYMBOL(nf_nat_decode_session_hook); 416 #endif 417 418 static int nf_register_hook_list(struct net *net) 419 { 420 struct nf_hook_ops *elem; 421 int ret; 422 423 rtnl_lock(); 424 list_for_each_entry(elem, &nf_hook_list, list) { 425 ret = nf_register_net_hook(net, elem); 426 if (ret && ret != -ENOENT) 427 goto out_undo; 428 } 429 rtnl_unlock(); 430 return 0; 431 432 out_undo: 433 list_for_each_entry_continue_reverse(elem, &nf_hook_list, list) 434 nf_unregister_net_hook(net, elem); 435 rtnl_unlock(); 436 return ret; 437 } 438 439 static void nf_unregister_hook_list(struct net *net) 440 { 441 struct nf_hook_ops *elem; 442 443 rtnl_lock(); 444 list_for_each_entry(elem, &nf_hook_list, list) 445 nf_unregister_net_hook(net, elem); 446 rtnl_unlock(); 447 } 448 449 static int __net_init netfilter_net_init(struct net *net) 450 { 451 int i, h, ret; 452 453 for (i = 0; i < ARRAY_SIZE(net->nf.hooks); i++) { 454 for (h = 0; h < NF_MAX_HOOKS; h++) 455 RCU_INIT_POINTER(net->nf.hooks[i][h], NULL); 456 } 457 458 #ifdef CONFIG_PROC_FS 459 net->nf.proc_netfilter = proc_net_mkdir(net, "netfilter", 460 net->proc_net); 461 if (!net->nf.proc_netfilter) { 462 if (!net_eq(net, &init_net)) 463 pr_err("cannot create netfilter proc entry"); 464 465 return -ENOMEM; 466 } 467 #endif 468 ret = nf_register_hook_list(net); 469 if (ret) 470 remove_proc_entry("netfilter", net->proc_net); 471 472 return ret; 473 } 474 475 static void __net_exit netfilter_net_exit(struct net *net) 476 { 477 nf_unregister_hook_list(net); 478 remove_proc_entry("netfilter", net->proc_net); 479 } 480 481 static struct pernet_operations netfilter_net_ops = { 482 .init = netfilter_net_init, 483 .exit = netfilter_net_exit, 484 }; 485 486 int __init netfilter_init(void) 487 { 488 int ret; 489 490 ret = register_pernet_subsys(&netfilter_net_ops); 491 if (ret < 0) 492 goto err; 493 494 ret = netfilter_log_init(); 495 if (ret < 0) 496 goto err_pernet; 497 498 return 0; 499 err_pernet: 500 unregister_pernet_subsys(&netfilter_net_ops); 501 err: 502 return ret; 503 } 504