1 /* netfilter.c: look after the filters for various protocols. 2 * Heavily influenced by the old firewall.c by David Bonn and Alan Cox. 3 * 4 * Thanks to Rob `CmdrTaco' Malda for not influencing this code in any 5 * way. 6 * 7 * Rusty Russell (C)2000 -- This code is GPL. 8 * Patrick McHardy (c) 2006-2012 9 */ 10 #include <linux/kernel.h> 11 #include <linux/netfilter.h> 12 #include <net/protocol.h> 13 #include <linux/init.h> 14 #include <linux/skbuff.h> 15 #include <linux/wait.h> 16 #include <linux/module.h> 17 #include <linux/interrupt.h> 18 #include <linux/if.h> 19 #include <linux/netdevice.h> 20 #include <linux/netfilter_ipv6.h> 21 #include <linux/inetdevice.h> 22 #include <linux/proc_fs.h> 23 #include <linux/mutex.h> 24 #include <linux/slab.h> 25 #include <net/net_namespace.h> 26 #include <net/sock.h> 27 28 #include "nf_internals.h" 29 30 static DEFINE_MUTEX(afinfo_mutex); 31 32 const struct nf_afinfo __rcu *nf_afinfo[NFPROTO_NUMPROTO] __read_mostly; 33 EXPORT_SYMBOL(nf_afinfo); 34 const struct nf_ipv6_ops __rcu *nf_ipv6_ops __read_mostly; 35 EXPORT_SYMBOL_GPL(nf_ipv6_ops); 36 37 int nf_register_afinfo(const struct nf_afinfo *afinfo) 38 { 39 mutex_lock(&afinfo_mutex); 40 RCU_INIT_POINTER(nf_afinfo[afinfo->family], afinfo); 41 mutex_unlock(&afinfo_mutex); 42 return 0; 43 } 44 EXPORT_SYMBOL_GPL(nf_register_afinfo); 45 46 void nf_unregister_afinfo(const struct nf_afinfo *afinfo) 47 { 48 mutex_lock(&afinfo_mutex); 49 RCU_INIT_POINTER(nf_afinfo[afinfo->family], NULL); 50 mutex_unlock(&afinfo_mutex); 51 synchronize_rcu(); 52 } 53 EXPORT_SYMBOL_GPL(nf_unregister_afinfo); 54 55 struct list_head nf_hooks[NFPROTO_NUMPROTO][NF_MAX_HOOKS] __read_mostly; 56 EXPORT_SYMBOL(nf_hooks); 57 58 #ifdef HAVE_JUMP_LABEL 59 struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS]; 60 EXPORT_SYMBOL(nf_hooks_needed); 61 #endif 62 63 static DEFINE_MUTEX(nf_hook_mutex); 64 65 int nf_register_hook(struct nf_hook_ops *reg) 66 { 67 struct list_head *nf_hook_list; 68 struct nf_hook_ops *elem; 69 70 mutex_lock(&nf_hook_mutex); 71 switch (reg->pf) { 72 case NFPROTO_NETDEV: 73 #ifdef CONFIG_NETFILTER_INGRESS 74 if (reg->hooknum == NF_NETDEV_INGRESS) { 75 BUG_ON(reg->dev == NULL); 76 nf_hook_list = ®->dev->nf_hooks_ingress; 77 net_inc_ingress_queue(); 78 break; 79 } 80 #endif 81 /* Fall through. */ 82 default: 83 nf_hook_list = &nf_hooks[reg->pf][reg->hooknum]; 84 break; 85 } 86 87 list_for_each_entry(elem, nf_hook_list, list) { 88 if (reg->priority < elem->priority) 89 break; 90 } 91 list_add_rcu(®->list, elem->list.prev); 92 mutex_unlock(&nf_hook_mutex); 93 #ifdef HAVE_JUMP_LABEL 94 static_key_slow_inc(&nf_hooks_needed[reg->pf][reg->hooknum]); 95 #endif 96 return 0; 97 } 98 EXPORT_SYMBOL(nf_register_hook); 99 100 void nf_unregister_hook(struct nf_hook_ops *reg) 101 { 102 mutex_lock(&nf_hook_mutex); 103 list_del_rcu(®->list); 104 mutex_unlock(&nf_hook_mutex); 105 switch (reg->pf) { 106 case NFPROTO_NETDEV: 107 #ifdef CONFIG_NETFILTER_INGRESS 108 if (reg->hooknum == NF_NETDEV_INGRESS) { 109 net_dec_ingress_queue(); 110 break; 111 } 112 break; 113 #endif 114 default: 115 break; 116 } 117 #ifdef HAVE_JUMP_LABEL 118 static_key_slow_dec(&nf_hooks_needed[reg->pf][reg->hooknum]); 119 #endif 120 synchronize_net(); 121 nf_queue_nf_hook_drop(reg); 122 } 123 EXPORT_SYMBOL(nf_unregister_hook); 124 125 int nf_register_hooks(struct nf_hook_ops *reg, unsigned int n) 126 { 127 unsigned int i; 128 int err = 0; 129 130 for (i = 0; i < n; i++) { 131 err = nf_register_hook(®[i]); 132 if (err) 133 goto err; 134 } 135 return err; 136 137 err: 138 if (i > 0) 139 nf_unregister_hooks(reg, i); 140 return err; 141 } 142 EXPORT_SYMBOL(nf_register_hooks); 143 144 void nf_unregister_hooks(struct nf_hook_ops *reg, unsigned int n) 145 { 146 while (n-- > 0) 147 nf_unregister_hook(®[n]); 148 } 149 EXPORT_SYMBOL(nf_unregister_hooks); 150 151 unsigned int nf_iterate(struct list_head *head, 152 struct sk_buff *skb, 153 struct nf_hook_state *state, 154 struct nf_hook_ops **elemp) 155 { 156 unsigned int verdict; 157 158 /* 159 * The caller must not block between calls to this 160 * function because of risk of continuing from deleted element. 161 */ 162 list_for_each_entry_continue_rcu((*elemp), head, list) { 163 if (state->thresh > (*elemp)->priority) 164 continue; 165 166 /* Optimization: we don't need to hold module 167 reference here, since function can't sleep. --RR */ 168 repeat: 169 verdict = (*elemp)->hook(*elemp, skb, state); 170 if (verdict != NF_ACCEPT) { 171 #ifdef CONFIG_NETFILTER_DEBUG 172 if (unlikely((verdict & NF_VERDICT_MASK) 173 > NF_MAX_VERDICT)) { 174 NFDEBUG("Evil return from %p(%u).\n", 175 (*elemp)->hook, state->hook); 176 continue; 177 } 178 #endif 179 if (verdict != NF_REPEAT) 180 return verdict; 181 goto repeat; 182 } 183 } 184 return NF_ACCEPT; 185 } 186 187 188 /* Returns 1 if okfn() needs to be executed by the caller, 189 * -EPERM for NF_DROP, 0 otherwise. */ 190 int nf_hook_slow(struct sk_buff *skb, struct nf_hook_state *state) 191 { 192 struct nf_hook_ops *elem; 193 unsigned int verdict; 194 int ret = 0; 195 196 /* We may already have this, but read-locks nest anyway */ 197 rcu_read_lock(); 198 199 elem = list_entry_rcu(state->hook_list, struct nf_hook_ops, list); 200 next_hook: 201 verdict = nf_iterate(state->hook_list, skb, state, &elem); 202 if (verdict == NF_ACCEPT || verdict == NF_STOP) { 203 ret = 1; 204 } else if ((verdict & NF_VERDICT_MASK) == NF_DROP) { 205 kfree_skb(skb); 206 ret = NF_DROP_GETERR(verdict); 207 if (ret == 0) 208 ret = -EPERM; 209 } else if ((verdict & NF_VERDICT_MASK) == NF_QUEUE) { 210 int err = nf_queue(skb, elem, state, 211 verdict >> NF_VERDICT_QBITS); 212 if (err < 0) { 213 if (err == -ECANCELED) 214 goto next_hook; 215 if (err == -ESRCH && 216 (verdict & NF_VERDICT_FLAG_QUEUE_BYPASS)) 217 goto next_hook; 218 kfree_skb(skb); 219 } 220 } 221 rcu_read_unlock(); 222 return ret; 223 } 224 EXPORT_SYMBOL(nf_hook_slow); 225 226 227 int skb_make_writable(struct sk_buff *skb, unsigned int writable_len) 228 { 229 if (writable_len > skb->len) 230 return 0; 231 232 /* Not exclusive use of packet? Must copy. */ 233 if (!skb_cloned(skb)) { 234 if (writable_len <= skb_headlen(skb)) 235 return 1; 236 } else if (skb_clone_writable(skb, writable_len)) 237 return 1; 238 239 if (writable_len <= skb_headlen(skb)) 240 writable_len = 0; 241 else 242 writable_len -= skb_headlen(skb); 243 244 return !!__pskb_pull_tail(skb, writable_len); 245 } 246 EXPORT_SYMBOL(skb_make_writable); 247 248 #if IS_ENABLED(CONFIG_NF_CONNTRACK) 249 /* This does not belong here, but locally generated errors need it if connection 250 tracking in use: without this, connection may not be in hash table, and hence 251 manufactured ICMP or RST packets will not be associated with it. */ 252 void (*ip_ct_attach)(struct sk_buff *, const struct sk_buff *) 253 __rcu __read_mostly; 254 EXPORT_SYMBOL(ip_ct_attach); 255 256 void nf_ct_attach(struct sk_buff *new, const struct sk_buff *skb) 257 { 258 void (*attach)(struct sk_buff *, const struct sk_buff *); 259 260 if (skb->nfct) { 261 rcu_read_lock(); 262 attach = rcu_dereference(ip_ct_attach); 263 if (attach) 264 attach(new, skb); 265 rcu_read_unlock(); 266 } 267 } 268 EXPORT_SYMBOL(nf_ct_attach); 269 270 void (*nf_ct_destroy)(struct nf_conntrack *) __rcu __read_mostly; 271 EXPORT_SYMBOL(nf_ct_destroy); 272 273 void nf_conntrack_destroy(struct nf_conntrack *nfct) 274 { 275 void (*destroy)(struct nf_conntrack *); 276 277 rcu_read_lock(); 278 destroy = rcu_dereference(nf_ct_destroy); 279 BUG_ON(destroy == NULL); 280 destroy(nfct); 281 rcu_read_unlock(); 282 } 283 EXPORT_SYMBOL(nf_conntrack_destroy); 284 285 struct nfq_ct_hook __rcu *nfq_ct_hook __read_mostly; 286 EXPORT_SYMBOL_GPL(nfq_ct_hook); 287 288 struct nfq_ct_nat_hook __rcu *nfq_ct_nat_hook __read_mostly; 289 EXPORT_SYMBOL_GPL(nfq_ct_nat_hook); 290 291 #endif /* CONFIG_NF_CONNTRACK */ 292 293 #ifdef CONFIG_NF_NAT_NEEDED 294 void (*nf_nat_decode_session_hook)(struct sk_buff *, struct flowi *); 295 EXPORT_SYMBOL(nf_nat_decode_session_hook); 296 #endif 297 298 static int __net_init netfilter_net_init(struct net *net) 299 { 300 #ifdef CONFIG_PROC_FS 301 net->nf.proc_netfilter = proc_net_mkdir(net, "netfilter", 302 net->proc_net); 303 if (!net->nf.proc_netfilter) { 304 if (!net_eq(net, &init_net)) 305 pr_err("cannot create netfilter proc entry"); 306 307 return -ENOMEM; 308 } 309 #endif 310 return 0; 311 } 312 313 static void __net_exit netfilter_net_exit(struct net *net) 314 { 315 remove_proc_entry("netfilter", net->proc_net); 316 } 317 318 static struct pernet_operations netfilter_net_ops = { 319 .init = netfilter_net_init, 320 .exit = netfilter_net_exit, 321 }; 322 323 int __init netfilter_init(void) 324 { 325 int i, h, ret; 326 327 for (i = 0; i < ARRAY_SIZE(nf_hooks); i++) { 328 for (h = 0; h < NF_MAX_HOOKS; h++) 329 INIT_LIST_HEAD(&nf_hooks[i][h]); 330 } 331 332 ret = register_pernet_subsys(&netfilter_net_ops); 333 if (ret < 0) 334 goto err; 335 336 ret = netfilter_log_init(); 337 if (ret < 0) 338 goto err_pernet; 339 340 return 0; 341 err_pernet: 342 unregister_pernet_subsys(&netfilter_net_ops); 343 err: 344 return ret; 345 } 346