1 /* netfilter.c: look after the filters for various protocols. 2 * Heavily influenced by the old firewall.c by David Bonn and Alan Cox. 3 * 4 * Thanks to Rob `CmdrTaco' Malda for not influencing this code in any 5 * way. 6 * 7 * Rusty Russell (C)2000 -- This code is GPL. 8 * Patrick McHardy (c) 2006-2012 9 */ 10 #include <linux/kernel.h> 11 #include <linux/netfilter.h> 12 #include <net/protocol.h> 13 #include <linux/init.h> 14 #include <linux/skbuff.h> 15 #include <linux/wait.h> 16 #include <linux/module.h> 17 #include <linux/interrupt.h> 18 #include <linux/if.h> 19 #include <linux/netdevice.h> 20 #include <linux/netfilter_ipv6.h> 21 #include <linux/inetdevice.h> 22 #include <linux/proc_fs.h> 23 #include <linux/mutex.h> 24 #include <linux/slab.h> 25 #include <net/net_namespace.h> 26 #include <net/sock.h> 27 28 #include "nf_internals.h" 29 30 static DEFINE_MUTEX(afinfo_mutex); 31 32 const struct nf_afinfo __rcu *nf_afinfo[NFPROTO_NUMPROTO] __read_mostly; 33 EXPORT_SYMBOL(nf_afinfo); 34 const struct nf_ipv6_ops __rcu *nf_ipv6_ops __read_mostly; 35 EXPORT_SYMBOL_GPL(nf_ipv6_ops); 36 37 DEFINE_PER_CPU(bool, nf_skb_duplicated); 38 EXPORT_SYMBOL_GPL(nf_skb_duplicated); 39 40 int nf_register_afinfo(const struct nf_afinfo *afinfo) 41 { 42 mutex_lock(&afinfo_mutex); 43 RCU_INIT_POINTER(nf_afinfo[afinfo->family], afinfo); 44 mutex_unlock(&afinfo_mutex); 45 return 0; 46 } 47 EXPORT_SYMBOL_GPL(nf_register_afinfo); 48 49 void nf_unregister_afinfo(const struct nf_afinfo *afinfo) 50 { 51 mutex_lock(&afinfo_mutex); 52 RCU_INIT_POINTER(nf_afinfo[afinfo->family], NULL); 53 mutex_unlock(&afinfo_mutex); 54 synchronize_rcu(); 55 } 56 EXPORT_SYMBOL_GPL(nf_unregister_afinfo); 57 58 #ifdef HAVE_JUMP_LABEL 59 struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS]; 60 EXPORT_SYMBOL(nf_hooks_needed); 61 #endif 62 63 static DEFINE_MUTEX(nf_hook_mutex); 64 65 static struct list_head *nf_find_hook_list(struct net *net, 66 const struct nf_hook_ops *reg) 67 { 68 struct list_head *hook_list = NULL; 69 70 if (reg->pf != NFPROTO_NETDEV) 71 hook_list = &net->nf.hooks[reg->pf][reg->hooknum]; 72 else if (reg->hooknum == NF_NETDEV_INGRESS) { 73 #ifdef CONFIG_NETFILTER_INGRESS 74 if (reg->dev && dev_net(reg->dev) == net) 75 hook_list = ®->dev->nf_hooks_ingress; 76 #endif 77 } 78 return hook_list; 79 } 80 81 struct nf_hook_entry { 82 const struct nf_hook_ops *orig_ops; 83 struct nf_hook_ops ops; 84 }; 85 86 int nf_register_net_hook(struct net *net, const struct nf_hook_ops *reg) 87 { 88 struct list_head *hook_list; 89 struct nf_hook_entry *entry; 90 struct nf_hook_ops *elem; 91 92 entry = kmalloc(sizeof(*entry), GFP_KERNEL); 93 if (!entry) 94 return -ENOMEM; 95 96 entry->orig_ops = reg; 97 entry->ops = *reg; 98 99 hook_list = nf_find_hook_list(net, reg); 100 if (!hook_list) { 101 kfree(entry); 102 return -ENOENT; 103 } 104 105 mutex_lock(&nf_hook_mutex); 106 list_for_each_entry(elem, hook_list, list) { 107 if (reg->priority < elem->priority) 108 break; 109 } 110 list_add_rcu(&entry->ops.list, elem->list.prev); 111 mutex_unlock(&nf_hook_mutex); 112 #ifdef CONFIG_NETFILTER_INGRESS 113 if (reg->pf == NFPROTO_NETDEV && reg->hooknum == NF_NETDEV_INGRESS) 114 net_inc_ingress_queue(); 115 #endif 116 #ifdef HAVE_JUMP_LABEL 117 static_key_slow_inc(&nf_hooks_needed[reg->pf][reg->hooknum]); 118 #endif 119 return 0; 120 } 121 EXPORT_SYMBOL(nf_register_net_hook); 122 123 void nf_unregister_net_hook(struct net *net, const struct nf_hook_ops *reg) 124 { 125 struct list_head *hook_list; 126 struct nf_hook_entry *entry; 127 struct nf_hook_ops *elem; 128 129 hook_list = nf_find_hook_list(net, reg); 130 if (!hook_list) 131 return; 132 133 mutex_lock(&nf_hook_mutex); 134 list_for_each_entry(elem, hook_list, list) { 135 entry = container_of(elem, struct nf_hook_entry, ops); 136 if (entry->orig_ops == reg) { 137 list_del_rcu(&entry->ops.list); 138 break; 139 } 140 } 141 mutex_unlock(&nf_hook_mutex); 142 if (&elem->list == hook_list) { 143 WARN(1, "nf_unregister_net_hook: hook not found!\n"); 144 return; 145 } 146 #ifdef CONFIG_NETFILTER_INGRESS 147 if (reg->pf == NFPROTO_NETDEV && reg->hooknum == NF_NETDEV_INGRESS) 148 net_dec_ingress_queue(); 149 #endif 150 #ifdef HAVE_JUMP_LABEL 151 static_key_slow_dec(&nf_hooks_needed[reg->pf][reg->hooknum]); 152 #endif 153 synchronize_net(); 154 nf_queue_nf_hook_drop(net, &entry->ops); 155 /* other cpu might still process nfqueue verdict that used reg */ 156 synchronize_net(); 157 kfree(entry); 158 } 159 EXPORT_SYMBOL(nf_unregister_net_hook); 160 161 int nf_register_net_hooks(struct net *net, const struct nf_hook_ops *reg, 162 unsigned int n) 163 { 164 unsigned int i; 165 int err = 0; 166 167 for (i = 0; i < n; i++) { 168 err = nf_register_net_hook(net, ®[i]); 169 if (err) 170 goto err; 171 } 172 return err; 173 174 err: 175 if (i > 0) 176 nf_unregister_net_hooks(net, reg, i); 177 return err; 178 } 179 EXPORT_SYMBOL(nf_register_net_hooks); 180 181 void nf_unregister_net_hooks(struct net *net, const struct nf_hook_ops *reg, 182 unsigned int n) 183 { 184 while (n-- > 0) 185 nf_unregister_net_hook(net, ®[n]); 186 } 187 EXPORT_SYMBOL(nf_unregister_net_hooks); 188 189 static LIST_HEAD(nf_hook_list); 190 191 static int _nf_register_hook(struct nf_hook_ops *reg) 192 { 193 struct net *net, *last; 194 int ret; 195 196 for_each_net(net) { 197 ret = nf_register_net_hook(net, reg); 198 if (ret && ret != -ENOENT) 199 goto rollback; 200 } 201 list_add_tail(®->list, &nf_hook_list); 202 203 return 0; 204 rollback: 205 last = net; 206 for_each_net(net) { 207 if (net == last) 208 break; 209 nf_unregister_net_hook(net, reg); 210 } 211 return ret; 212 } 213 214 int nf_register_hook(struct nf_hook_ops *reg) 215 { 216 int ret; 217 218 rtnl_lock(); 219 ret = _nf_register_hook(reg); 220 rtnl_unlock(); 221 222 return ret; 223 } 224 EXPORT_SYMBOL(nf_register_hook); 225 226 static void _nf_unregister_hook(struct nf_hook_ops *reg) 227 { 228 struct net *net; 229 230 list_del(®->list); 231 for_each_net(net) 232 nf_unregister_net_hook(net, reg); 233 } 234 235 void nf_unregister_hook(struct nf_hook_ops *reg) 236 { 237 rtnl_lock(); 238 _nf_unregister_hook(reg); 239 rtnl_unlock(); 240 } 241 EXPORT_SYMBOL(nf_unregister_hook); 242 243 int nf_register_hooks(struct nf_hook_ops *reg, unsigned int n) 244 { 245 unsigned int i; 246 int err = 0; 247 248 for (i = 0; i < n; i++) { 249 err = nf_register_hook(®[i]); 250 if (err) 251 goto err; 252 } 253 return err; 254 255 err: 256 if (i > 0) 257 nf_unregister_hooks(reg, i); 258 return err; 259 } 260 EXPORT_SYMBOL(nf_register_hooks); 261 262 /* Caller MUST take rtnl_lock() */ 263 int _nf_register_hooks(struct nf_hook_ops *reg, unsigned int n) 264 { 265 unsigned int i; 266 int err = 0; 267 268 for (i = 0; i < n; i++) { 269 err = _nf_register_hook(®[i]); 270 if (err) 271 goto err; 272 } 273 return err; 274 275 err: 276 if (i > 0) 277 _nf_unregister_hooks(reg, i); 278 return err; 279 } 280 EXPORT_SYMBOL(_nf_register_hooks); 281 282 void nf_unregister_hooks(struct nf_hook_ops *reg, unsigned int n) 283 { 284 while (n-- > 0) 285 nf_unregister_hook(®[n]); 286 } 287 EXPORT_SYMBOL(nf_unregister_hooks); 288 289 /* Caller MUST take rtnl_lock */ 290 void _nf_unregister_hooks(struct nf_hook_ops *reg, unsigned int n) 291 { 292 while (n-- > 0) 293 _nf_unregister_hook(®[n]); 294 } 295 EXPORT_SYMBOL(_nf_unregister_hooks); 296 297 unsigned int nf_iterate(struct list_head *head, 298 struct sk_buff *skb, 299 struct nf_hook_state *state, 300 struct nf_hook_ops **elemp) 301 { 302 unsigned int verdict; 303 304 /* 305 * The caller must not block between calls to this 306 * function because of risk of continuing from deleted element. 307 */ 308 list_for_each_entry_continue_rcu((*elemp), head, list) { 309 if (state->thresh > (*elemp)->priority) 310 continue; 311 312 /* Optimization: we don't need to hold module 313 reference here, since function can't sleep. --RR */ 314 repeat: 315 verdict = (*elemp)->hook((*elemp)->priv, skb, state); 316 if (verdict != NF_ACCEPT) { 317 #ifdef CONFIG_NETFILTER_DEBUG 318 if (unlikely((verdict & NF_VERDICT_MASK) 319 > NF_MAX_VERDICT)) { 320 NFDEBUG("Evil return from %p(%u).\n", 321 (*elemp)->hook, state->hook); 322 continue; 323 } 324 #endif 325 if (verdict != NF_REPEAT) 326 return verdict; 327 goto repeat; 328 } 329 } 330 return NF_ACCEPT; 331 } 332 333 334 /* Returns 1 if okfn() needs to be executed by the caller, 335 * -EPERM for NF_DROP, 0 otherwise. */ 336 int nf_hook_slow(struct sk_buff *skb, struct nf_hook_state *state) 337 { 338 struct nf_hook_ops *elem; 339 unsigned int verdict; 340 int ret = 0; 341 342 /* We may already have this, but read-locks nest anyway */ 343 rcu_read_lock(); 344 345 elem = list_entry_rcu(state->hook_list, struct nf_hook_ops, list); 346 next_hook: 347 verdict = nf_iterate(state->hook_list, skb, state, &elem); 348 if (verdict == NF_ACCEPT || verdict == NF_STOP) { 349 ret = 1; 350 } else if ((verdict & NF_VERDICT_MASK) == NF_DROP) { 351 kfree_skb(skb); 352 ret = NF_DROP_GETERR(verdict); 353 if (ret == 0) 354 ret = -EPERM; 355 } else if ((verdict & NF_VERDICT_MASK) == NF_QUEUE) { 356 int err = nf_queue(skb, elem, state, 357 verdict >> NF_VERDICT_QBITS); 358 if (err < 0) { 359 if (err == -ESRCH && 360 (verdict & NF_VERDICT_FLAG_QUEUE_BYPASS)) 361 goto next_hook; 362 kfree_skb(skb); 363 } 364 } 365 rcu_read_unlock(); 366 return ret; 367 } 368 EXPORT_SYMBOL(nf_hook_slow); 369 370 371 int skb_make_writable(struct sk_buff *skb, unsigned int writable_len) 372 { 373 if (writable_len > skb->len) 374 return 0; 375 376 /* Not exclusive use of packet? Must copy. */ 377 if (!skb_cloned(skb)) { 378 if (writable_len <= skb_headlen(skb)) 379 return 1; 380 } else if (skb_clone_writable(skb, writable_len)) 381 return 1; 382 383 if (writable_len <= skb_headlen(skb)) 384 writable_len = 0; 385 else 386 writable_len -= skb_headlen(skb); 387 388 return !!__pskb_pull_tail(skb, writable_len); 389 } 390 EXPORT_SYMBOL(skb_make_writable); 391 392 /* This needs to be compiled in any case to avoid dependencies between the 393 * nfnetlink_queue code and nf_conntrack. 394 */ 395 struct nfnl_ct_hook __rcu *nfnl_ct_hook __read_mostly; 396 EXPORT_SYMBOL_GPL(nfnl_ct_hook); 397 398 #if IS_ENABLED(CONFIG_NF_CONNTRACK) 399 /* This does not belong here, but locally generated errors need it if connection 400 tracking in use: without this, connection may not be in hash table, and hence 401 manufactured ICMP or RST packets will not be associated with it. */ 402 void (*ip_ct_attach)(struct sk_buff *, const struct sk_buff *) 403 __rcu __read_mostly; 404 EXPORT_SYMBOL(ip_ct_attach); 405 406 void nf_ct_attach(struct sk_buff *new, const struct sk_buff *skb) 407 { 408 void (*attach)(struct sk_buff *, const struct sk_buff *); 409 410 if (skb->nfct) { 411 rcu_read_lock(); 412 attach = rcu_dereference(ip_ct_attach); 413 if (attach) 414 attach(new, skb); 415 rcu_read_unlock(); 416 } 417 } 418 EXPORT_SYMBOL(nf_ct_attach); 419 420 void (*nf_ct_destroy)(struct nf_conntrack *) __rcu __read_mostly; 421 EXPORT_SYMBOL(nf_ct_destroy); 422 423 void nf_conntrack_destroy(struct nf_conntrack *nfct) 424 { 425 void (*destroy)(struct nf_conntrack *); 426 427 rcu_read_lock(); 428 destroy = rcu_dereference(nf_ct_destroy); 429 BUG_ON(destroy == NULL); 430 destroy(nfct); 431 rcu_read_unlock(); 432 } 433 EXPORT_SYMBOL(nf_conntrack_destroy); 434 435 /* Built-in default zone used e.g. by modules. */ 436 const struct nf_conntrack_zone nf_ct_zone_dflt = { 437 .id = NF_CT_DEFAULT_ZONE_ID, 438 .dir = NF_CT_DEFAULT_ZONE_DIR, 439 }; 440 EXPORT_SYMBOL_GPL(nf_ct_zone_dflt); 441 #endif /* CONFIG_NF_CONNTRACK */ 442 443 #ifdef CONFIG_NF_NAT_NEEDED 444 void (*nf_nat_decode_session_hook)(struct sk_buff *, struct flowi *); 445 EXPORT_SYMBOL(nf_nat_decode_session_hook); 446 #endif 447 448 static int nf_register_hook_list(struct net *net) 449 { 450 struct nf_hook_ops *elem; 451 int ret; 452 453 rtnl_lock(); 454 list_for_each_entry(elem, &nf_hook_list, list) { 455 ret = nf_register_net_hook(net, elem); 456 if (ret && ret != -ENOENT) 457 goto out_undo; 458 } 459 rtnl_unlock(); 460 return 0; 461 462 out_undo: 463 list_for_each_entry_continue_reverse(elem, &nf_hook_list, list) 464 nf_unregister_net_hook(net, elem); 465 rtnl_unlock(); 466 return ret; 467 } 468 469 static void nf_unregister_hook_list(struct net *net) 470 { 471 struct nf_hook_ops *elem; 472 473 rtnl_lock(); 474 list_for_each_entry(elem, &nf_hook_list, list) 475 nf_unregister_net_hook(net, elem); 476 rtnl_unlock(); 477 } 478 479 static int __net_init netfilter_net_init(struct net *net) 480 { 481 int i, h, ret; 482 483 for (i = 0; i < ARRAY_SIZE(net->nf.hooks); i++) { 484 for (h = 0; h < NF_MAX_HOOKS; h++) 485 INIT_LIST_HEAD(&net->nf.hooks[i][h]); 486 } 487 488 #ifdef CONFIG_PROC_FS 489 net->nf.proc_netfilter = proc_net_mkdir(net, "netfilter", 490 net->proc_net); 491 if (!net->nf.proc_netfilter) { 492 if (!net_eq(net, &init_net)) 493 pr_err("cannot create netfilter proc entry"); 494 495 return -ENOMEM; 496 } 497 #endif 498 ret = nf_register_hook_list(net); 499 if (ret) 500 remove_proc_entry("netfilter", net->proc_net); 501 502 return ret; 503 } 504 505 static void __net_exit netfilter_net_exit(struct net *net) 506 { 507 nf_unregister_hook_list(net); 508 remove_proc_entry("netfilter", net->proc_net); 509 } 510 511 static struct pernet_operations netfilter_net_ops = { 512 .init = netfilter_net_init, 513 .exit = netfilter_net_exit, 514 }; 515 516 int __init netfilter_init(void) 517 { 518 int ret; 519 520 ret = register_pernet_subsys(&netfilter_net_ops); 521 if (ret < 0) 522 goto err; 523 524 ret = netfilter_log_init(); 525 if (ret < 0) 526 goto err_pernet; 527 528 return 0; 529 err_pernet: 530 unregister_pernet_subsys(&netfilter_net_ops); 531 err: 532 return ret; 533 } 534