1 /* netfilter.c: look after the filters for various protocols. 2 * Heavily influenced by the old firewall.c by David Bonn and Alan Cox. 3 * 4 * Thanks to Rob `CmdrTaco' Malda for not influencing this code in any 5 * way. 6 * 7 * Rusty Russell (C)2000 -- This code is GPL. 8 * Patrick McHardy (c) 2006-2012 9 */ 10 #include <linux/kernel.h> 11 #include <linux/netfilter.h> 12 #include <net/protocol.h> 13 #include <linux/init.h> 14 #include <linux/skbuff.h> 15 #include <linux/wait.h> 16 #include <linux/module.h> 17 #include <linux/interrupt.h> 18 #include <linux/if.h> 19 #include <linux/netdevice.h> 20 #include <linux/netfilter_ipv6.h> 21 #include <linux/inetdevice.h> 22 #include <linux/proc_fs.h> 23 #include <linux/mutex.h> 24 #include <linux/slab.h> 25 #include <net/net_namespace.h> 26 #include <net/sock.h> 27 28 #include "nf_internals.h" 29 30 static DEFINE_MUTEX(afinfo_mutex); 31 32 const struct nf_afinfo __rcu *nf_afinfo[NFPROTO_NUMPROTO] __read_mostly; 33 EXPORT_SYMBOL(nf_afinfo); 34 const struct nf_ipv6_ops __rcu *nf_ipv6_ops __read_mostly; 35 EXPORT_SYMBOL_GPL(nf_ipv6_ops); 36 37 DEFINE_PER_CPU(bool, nf_skb_duplicated); 38 EXPORT_SYMBOL_GPL(nf_skb_duplicated); 39 40 int nf_register_afinfo(const struct nf_afinfo *afinfo) 41 { 42 mutex_lock(&afinfo_mutex); 43 RCU_INIT_POINTER(nf_afinfo[afinfo->family], afinfo); 44 mutex_unlock(&afinfo_mutex); 45 return 0; 46 } 47 EXPORT_SYMBOL_GPL(nf_register_afinfo); 48 49 void nf_unregister_afinfo(const struct nf_afinfo *afinfo) 50 { 51 mutex_lock(&afinfo_mutex); 52 RCU_INIT_POINTER(nf_afinfo[afinfo->family], NULL); 53 mutex_unlock(&afinfo_mutex); 54 synchronize_rcu(); 55 } 56 EXPORT_SYMBOL_GPL(nf_unregister_afinfo); 57 58 #ifdef HAVE_JUMP_LABEL 59 struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS]; 60 EXPORT_SYMBOL(nf_hooks_needed); 61 #endif 62 63 static DEFINE_MUTEX(nf_hook_mutex); 64 65 static struct list_head *nf_find_hook_list(struct net *net, 66 const struct nf_hook_ops *reg) 67 { 68 struct list_head *hook_list = NULL; 69 70 if (reg->pf != NFPROTO_NETDEV) 71 hook_list = &net->nf.hooks[reg->pf][reg->hooknum]; 72 else if (reg->hooknum == NF_NETDEV_INGRESS) { 73 #ifdef CONFIG_NETFILTER_INGRESS 74 if (reg->dev && dev_net(reg->dev) == net) 75 hook_list = ®->dev->nf_hooks_ingress; 76 #endif 77 } 78 return hook_list; 79 } 80 81 struct nf_hook_entry { 82 const struct nf_hook_ops *orig_ops; 83 struct nf_hook_ops ops; 84 }; 85 86 int nf_register_net_hook(struct net *net, const struct nf_hook_ops *reg) 87 { 88 struct list_head *hook_list; 89 struct nf_hook_entry *entry; 90 struct nf_hook_ops *elem; 91 92 entry = kmalloc(sizeof(*entry), GFP_KERNEL); 93 if (!entry) 94 return -ENOMEM; 95 96 entry->orig_ops = reg; 97 entry->ops = *reg; 98 99 hook_list = nf_find_hook_list(net, reg); 100 if (!hook_list) { 101 kfree(entry); 102 return -ENOENT; 103 } 104 105 mutex_lock(&nf_hook_mutex); 106 list_for_each_entry(elem, hook_list, list) { 107 if (reg->priority < elem->priority) 108 break; 109 } 110 list_add_rcu(&entry->ops.list, elem->list.prev); 111 mutex_unlock(&nf_hook_mutex); 112 #ifdef CONFIG_NETFILTER_INGRESS 113 if (reg->pf == NFPROTO_NETDEV && reg->hooknum == NF_NETDEV_INGRESS) 114 net_inc_ingress_queue(); 115 #endif 116 #ifdef HAVE_JUMP_LABEL 117 static_key_slow_inc(&nf_hooks_needed[reg->pf][reg->hooknum]); 118 #endif 119 return 0; 120 } 121 EXPORT_SYMBOL(nf_register_net_hook); 122 123 void nf_unregister_net_hook(struct net *net, const struct nf_hook_ops *reg) 124 { 125 struct list_head *hook_list; 126 struct nf_hook_entry *entry; 127 struct nf_hook_ops *elem; 128 129 hook_list = nf_find_hook_list(net, reg); 130 if (!hook_list) 131 return; 132 133 mutex_lock(&nf_hook_mutex); 134 list_for_each_entry(elem, hook_list, list) { 135 entry = container_of(elem, struct nf_hook_entry, ops); 136 if (entry->orig_ops == reg) { 137 list_del_rcu(&entry->ops.list); 138 break; 139 } 140 } 141 mutex_unlock(&nf_hook_mutex); 142 if (&elem->list == hook_list) { 143 WARN(1, "nf_unregister_net_hook: hook not found!\n"); 144 return; 145 } 146 #ifdef CONFIG_NETFILTER_INGRESS 147 if (reg->pf == NFPROTO_NETDEV && reg->hooknum == NF_NETDEV_INGRESS) 148 net_dec_ingress_queue(); 149 #endif 150 #ifdef HAVE_JUMP_LABEL 151 static_key_slow_dec(&nf_hooks_needed[reg->pf][reg->hooknum]); 152 #endif 153 synchronize_net(); 154 nf_queue_nf_hook_drop(net, &entry->ops); 155 /* other cpu might still process nfqueue verdict that used reg */ 156 synchronize_net(); 157 kfree(entry); 158 } 159 EXPORT_SYMBOL(nf_unregister_net_hook); 160 161 int nf_register_net_hooks(struct net *net, const struct nf_hook_ops *reg, 162 unsigned int n) 163 { 164 unsigned int i; 165 int err = 0; 166 167 for (i = 0; i < n; i++) { 168 err = nf_register_net_hook(net, ®[i]); 169 if (err) 170 goto err; 171 } 172 return err; 173 174 err: 175 if (i > 0) 176 nf_unregister_net_hooks(net, reg, i); 177 return err; 178 } 179 EXPORT_SYMBOL(nf_register_net_hooks); 180 181 void nf_unregister_net_hooks(struct net *net, const struct nf_hook_ops *reg, 182 unsigned int n) 183 { 184 while (n-- > 0) 185 nf_unregister_net_hook(net, ®[n]); 186 } 187 EXPORT_SYMBOL(nf_unregister_net_hooks); 188 189 static LIST_HEAD(nf_hook_list); 190 191 int nf_register_hook(struct nf_hook_ops *reg) 192 { 193 struct net *net, *last; 194 int ret; 195 196 rtnl_lock(); 197 for_each_net(net) { 198 ret = nf_register_net_hook(net, reg); 199 if (ret && ret != -ENOENT) 200 goto rollback; 201 } 202 list_add_tail(®->list, &nf_hook_list); 203 rtnl_unlock(); 204 205 return 0; 206 rollback: 207 last = net; 208 for_each_net(net) { 209 if (net == last) 210 break; 211 nf_unregister_net_hook(net, reg); 212 } 213 rtnl_unlock(); 214 return ret; 215 } 216 EXPORT_SYMBOL(nf_register_hook); 217 218 void nf_unregister_hook(struct nf_hook_ops *reg) 219 { 220 struct net *net; 221 222 rtnl_lock(); 223 list_del(®->list); 224 for_each_net(net) 225 nf_unregister_net_hook(net, reg); 226 rtnl_unlock(); 227 } 228 EXPORT_SYMBOL(nf_unregister_hook); 229 230 int nf_register_hooks(struct nf_hook_ops *reg, unsigned int n) 231 { 232 unsigned int i; 233 int err = 0; 234 235 for (i = 0; i < n; i++) { 236 err = nf_register_hook(®[i]); 237 if (err) 238 goto err; 239 } 240 return err; 241 242 err: 243 if (i > 0) 244 nf_unregister_hooks(reg, i); 245 return err; 246 } 247 EXPORT_SYMBOL(nf_register_hooks); 248 249 void nf_unregister_hooks(struct nf_hook_ops *reg, unsigned int n) 250 { 251 while (n-- > 0) 252 nf_unregister_hook(®[n]); 253 } 254 EXPORT_SYMBOL(nf_unregister_hooks); 255 256 unsigned int nf_iterate(struct list_head *head, 257 struct sk_buff *skb, 258 struct nf_hook_state *state, 259 struct nf_hook_ops **elemp) 260 { 261 unsigned int verdict; 262 263 /* 264 * The caller must not block between calls to this 265 * function because of risk of continuing from deleted element. 266 */ 267 list_for_each_entry_continue_rcu((*elemp), head, list) { 268 if (state->thresh > (*elemp)->priority) 269 continue; 270 271 /* Optimization: we don't need to hold module 272 reference here, since function can't sleep. --RR */ 273 repeat: 274 verdict = (*elemp)->hook(*elemp, skb, state); 275 if (verdict != NF_ACCEPT) { 276 #ifdef CONFIG_NETFILTER_DEBUG 277 if (unlikely((verdict & NF_VERDICT_MASK) 278 > NF_MAX_VERDICT)) { 279 NFDEBUG("Evil return from %p(%u).\n", 280 (*elemp)->hook, state->hook); 281 continue; 282 } 283 #endif 284 if (verdict != NF_REPEAT) 285 return verdict; 286 goto repeat; 287 } 288 } 289 return NF_ACCEPT; 290 } 291 292 293 /* Returns 1 if okfn() needs to be executed by the caller, 294 * -EPERM for NF_DROP, 0 otherwise. */ 295 int nf_hook_slow(struct sk_buff *skb, struct nf_hook_state *state) 296 { 297 struct nf_hook_ops *elem; 298 unsigned int verdict; 299 int ret = 0; 300 301 /* We may already have this, but read-locks nest anyway */ 302 rcu_read_lock(); 303 304 elem = list_entry_rcu(state->hook_list, struct nf_hook_ops, list); 305 next_hook: 306 verdict = nf_iterate(state->hook_list, skb, state, &elem); 307 if (verdict == NF_ACCEPT || verdict == NF_STOP) { 308 ret = 1; 309 } else if ((verdict & NF_VERDICT_MASK) == NF_DROP) { 310 kfree_skb(skb); 311 ret = NF_DROP_GETERR(verdict); 312 if (ret == 0) 313 ret = -EPERM; 314 } else if ((verdict & NF_VERDICT_MASK) == NF_QUEUE) { 315 int err = nf_queue(skb, elem, state, 316 verdict >> NF_VERDICT_QBITS); 317 if (err < 0) { 318 if (err == -ECANCELED) 319 goto next_hook; 320 if (err == -ESRCH && 321 (verdict & NF_VERDICT_FLAG_QUEUE_BYPASS)) 322 goto next_hook; 323 kfree_skb(skb); 324 } 325 } 326 rcu_read_unlock(); 327 return ret; 328 } 329 EXPORT_SYMBOL(nf_hook_slow); 330 331 332 int skb_make_writable(struct sk_buff *skb, unsigned int writable_len) 333 { 334 if (writable_len > skb->len) 335 return 0; 336 337 /* Not exclusive use of packet? Must copy. */ 338 if (!skb_cloned(skb)) { 339 if (writable_len <= skb_headlen(skb)) 340 return 1; 341 } else if (skb_clone_writable(skb, writable_len)) 342 return 1; 343 344 if (writable_len <= skb_headlen(skb)) 345 writable_len = 0; 346 else 347 writable_len -= skb_headlen(skb); 348 349 return !!__pskb_pull_tail(skb, writable_len); 350 } 351 EXPORT_SYMBOL(skb_make_writable); 352 353 #if IS_ENABLED(CONFIG_NF_CONNTRACK) 354 /* This does not belong here, but locally generated errors need it if connection 355 tracking in use: without this, connection may not be in hash table, and hence 356 manufactured ICMP or RST packets will not be associated with it. */ 357 void (*ip_ct_attach)(struct sk_buff *, const struct sk_buff *) 358 __rcu __read_mostly; 359 EXPORT_SYMBOL(ip_ct_attach); 360 361 void nf_ct_attach(struct sk_buff *new, const struct sk_buff *skb) 362 { 363 void (*attach)(struct sk_buff *, const struct sk_buff *); 364 365 if (skb->nfct) { 366 rcu_read_lock(); 367 attach = rcu_dereference(ip_ct_attach); 368 if (attach) 369 attach(new, skb); 370 rcu_read_unlock(); 371 } 372 } 373 EXPORT_SYMBOL(nf_ct_attach); 374 375 void (*nf_ct_destroy)(struct nf_conntrack *) __rcu __read_mostly; 376 EXPORT_SYMBOL(nf_ct_destroy); 377 378 void nf_conntrack_destroy(struct nf_conntrack *nfct) 379 { 380 void (*destroy)(struct nf_conntrack *); 381 382 rcu_read_lock(); 383 destroy = rcu_dereference(nf_ct_destroy); 384 BUG_ON(destroy == NULL); 385 destroy(nfct); 386 rcu_read_unlock(); 387 } 388 EXPORT_SYMBOL(nf_conntrack_destroy); 389 390 struct nfq_ct_hook __rcu *nfq_ct_hook __read_mostly; 391 EXPORT_SYMBOL_GPL(nfq_ct_hook); 392 393 /* Built-in default zone used e.g. by modules. */ 394 const struct nf_conntrack_zone nf_ct_zone_dflt = { 395 .id = NF_CT_DEFAULT_ZONE_ID, 396 .dir = NF_CT_DEFAULT_ZONE_DIR, 397 }; 398 EXPORT_SYMBOL_GPL(nf_ct_zone_dflt); 399 #endif /* CONFIG_NF_CONNTRACK */ 400 401 #ifdef CONFIG_NF_NAT_NEEDED 402 void (*nf_nat_decode_session_hook)(struct sk_buff *, struct flowi *); 403 EXPORT_SYMBOL(nf_nat_decode_session_hook); 404 #endif 405 406 static int nf_register_hook_list(struct net *net) 407 { 408 struct nf_hook_ops *elem; 409 int ret; 410 411 rtnl_lock(); 412 list_for_each_entry(elem, &nf_hook_list, list) { 413 ret = nf_register_net_hook(net, elem); 414 if (ret && ret != -ENOENT) 415 goto out_undo; 416 } 417 rtnl_unlock(); 418 return 0; 419 420 out_undo: 421 list_for_each_entry_continue_reverse(elem, &nf_hook_list, list) 422 nf_unregister_net_hook(net, elem); 423 rtnl_unlock(); 424 return ret; 425 } 426 427 static void nf_unregister_hook_list(struct net *net) 428 { 429 struct nf_hook_ops *elem; 430 431 rtnl_lock(); 432 list_for_each_entry(elem, &nf_hook_list, list) 433 nf_unregister_net_hook(net, elem); 434 rtnl_unlock(); 435 } 436 437 static int __net_init netfilter_net_init(struct net *net) 438 { 439 int i, h, ret; 440 441 for (i = 0; i < ARRAY_SIZE(net->nf.hooks); i++) { 442 for (h = 0; h < NF_MAX_HOOKS; h++) 443 INIT_LIST_HEAD(&net->nf.hooks[i][h]); 444 } 445 446 #ifdef CONFIG_PROC_FS 447 net->nf.proc_netfilter = proc_net_mkdir(net, "netfilter", 448 net->proc_net); 449 if (!net->nf.proc_netfilter) { 450 if (!net_eq(net, &init_net)) 451 pr_err("cannot create netfilter proc entry"); 452 453 return -ENOMEM; 454 } 455 #endif 456 ret = nf_register_hook_list(net); 457 if (ret) 458 remove_proc_entry("netfilter", net->proc_net); 459 460 return ret; 461 } 462 463 static void __net_exit netfilter_net_exit(struct net *net) 464 { 465 nf_unregister_hook_list(net); 466 remove_proc_entry("netfilter", net->proc_net); 467 } 468 469 static struct pernet_operations netfilter_net_ops = { 470 .init = netfilter_net_init, 471 .exit = netfilter_net_exit, 472 }; 473 474 int __init netfilter_init(void) 475 { 476 int ret; 477 478 ret = register_pernet_subsys(&netfilter_net_ops); 479 if (ret < 0) 480 goto err; 481 482 ret = netfilter_log_init(); 483 if (ret < 0) 484 goto err_pernet; 485 486 return 0; 487 err_pernet: 488 unregister_pernet_subsys(&netfilter_net_ops); 489 err: 490 return ret; 491 } 492