1 /* netfilter.c: look after the filters for various protocols. 2 * Heavily influenced by the old firewall.c by David Bonn and Alan Cox. 3 * 4 * Thanks to Rob `CmdrTaco' Malda for not influencing this code in any 5 * way. 6 * 7 * Rusty Russell (C)2000 -- This code is GPL. 8 * Patrick McHardy (c) 2006-2012 9 */ 10 #include <linux/kernel.h> 11 #include <linux/netfilter.h> 12 #include <net/protocol.h> 13 #include <linux/init.h> 14 #include <linux/skbuff.h> 15 #include <linux/wait.h> 16 #include <linux/module.h> 17 #include <linux/interrupt.h> 18 #include <linux/if.h> 19 #include <linux/netdevice.h> 20 #include <linux/netfilter_ipv6.h> 21 #include <linux/inetdevice.h> 22 #include <linux/proc_fs.h> 23 #include <linux/mutex.h> 24 #include <linux/slab.h> 25 #include <net/net_namespace.h> 26 #include <net/sock.h> 27 28 #include "nf_internals.h" 29 30 static DEFINE_MUTEX(afinfo_mutex); 31 32 const struct nf_afinfo __rcu *nf_afinfo[NFPROTO_NUMPROTO] __read_mostly; 33 EXPORT_SYMBOL(nf_afinfo); 34 const struct nf_ipv6_ops __rcu *nf_ipv6_ops __read_mostly; 35 EXPORT_SYMBOL_GPL(nf_ipv6_ops); 36 37 DEFINE_PER_CPU(bool, nf_skb_duplicated); 38 EXPORT_SYMBOL_GPL(nf_skb_duplicated); 39 40 int nf_register_afinfo(const struct nf_afinfo *afinfo) 41 { 42 mutex_lock(&afinfo_mutex); 43 RCU_INIT_POINTER(nf_afinfo[afinfo->family], afinfo); 44 mutex_unlock(&afinfo_mutex); 45 return 0; 46 } 47 EXPORT_SYMBOL_GPL(nf_register_afinfo); 48 49 void nf_unregister_afinfo(const struct nf_afinfo *afinfo) 50 { 51 mutex_lock(&afinfo_mutex); 52 RCU_INIT_POINTER(nf_afinfo[afinfo->family], NULL); 53 mutex_unlock(&afinfo_mutex); 54 synchronize_rcu(); 55 } 56 EXPORT_SYMBOL_GPL(nf_unregister_afinfo); 57 58 #ifdef HAVE_JUMP_LABEL 59 struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS]; 60 EXPORT_SYMBOL(nf_hooks_needed); 61 #endif 62 63 static DEFINE_MUTEX(nf_hook_mutex); 64 65 static struct list_head *nf_find_hook_list(struct net *net, 66 const struct nf_hook_ops *reg) 67 { 68 struct list_head *hook_list = NULL; 69 70 if (reg->pf != NFPROTO_NETDEV) 71 hook_list = &net->nf.hooks[reg->pf][reg->hooknum]; 72 else if (reg->hooknum == NF_NETDEV_INGRESS) { 73 #ifdef CONFIG_NETFILTER_INGRESS 74 if (reg->dev && dev_net(reg->dev) == net) 75 hook_list = ®->dev->nf_hooks_ingress; 76 #endif 77 } 78 return hook_list; 79 } 80 81 struct nf_hook_entry { 82 const struct nf_hook_ops *orig_ops; 83 struct nf_hook_ops ops; 84 }; 85 86 int nf_register_net_hook(struct net *net, const struct nf_hook_ops *reg) 87 { 88 struct list_head *hook_list; 89 struct nf_hook_entry *entry; 90 struct nf_hook_ops *elem; 91 92 entry = kmalloc(sizeof(*entry), GFP_KERNEL); 93 if (!entry) 94 return -ENOMEM; 95 96 entry->orig_ops = reg; 97 entry->ops = *reg; 98 99 hook_list = nf_find_hook_list(net, reg); 100 if (!hook_list) { 101 kfree(entry); 102 return -ENOENT; 103 } 104 105 mutex_lock(&nf_hook_mutex); 106 list_for_each_entry(elem, hook_list, list) { 107 if (reg->priority < elem->priority) 108 break; 109 } 110 list_add_rcu(&entry->ops.list, elem->list.prev); 111 mutex_unlock(&nf_hook_mutex); 112 #ifdef CONFIG_NETFILTER_INGRESS 113 if (reg->pf == NFPROTO_NETDEV && reg->hooknum == NF_NETDEV_INGRESS) 114 net_inc_ingress_queue(); 115 #endif 116 #ifdef HAVE_JUMP_LABEL 117 static_key_slow_inc(&nf_hooks_needed[reg->pf][reg->hooknum]); 118 #endif 119 return 0; 120 } 121 EXPORT_SYMBOL(nf_register_net_hook); 122 123 void nf_unregister_net_hook(struct net *net, const struct nf_hook_ops *reg) 124 { 125 struct list_head *hook_list; 126 struct nf_hook_entry *entry; 127 struct nf_hook_ops *elem; 128 129 hook_list = nf_find_hook_list(net, reg); 130 if (!hook_list) 131 return; 132 133 mutex_lock(&nf_hook_mutex); 134 list_for_each_entry(elem, hook_list, list) { 135 entry = container_of(elem, struct nf_hook_entry, ops); 136 if (entry->orig_ops == reg) { 137 list_del_rcu(&entry->ops.list); 138 break; 139 } 140 } 141 mutex_unlock(&nf_hook_mutex); 142 if (&elem->list == hook_list) { 143 WARN(1, "nf_unregister_net_hook: hook not found!\n"); 144 return; 145 } 146 #ifdef CONFIG_NETFILTER_INGRESS 147 if (reg->pf == NFPROTO_NETDEV && reg->hooknum == NF_NETDEV_INGRESS) 148 net_dec_ingress_queue(); 149 #endif 150 #ifdef HAVE_JUMP_LABEL 151 static_key_slow_dec(&nf_hooks_needed[reg->pf][reg->hooknum]); 152 #endif 153 synchronize_net(); 154 nf_queue_nf_hook_drop(net, &entry->ops); 155 kfree(entry); 156 } 157 EXPORT_SYMBOL(nf_unregister_net_hook); 158 159 int nf_register_net_hooks(struct net *net, const struct nf_hook_ops *reg, 160 unsigned int n) 161 { 162 unsigned int i; 163 int err = 0; 164 165 for (i = 0; i < n; i++) { 166 err = nf_register_net_hook(net, ®[i]); 167 if (err) 168 goto err; 169 } 170 return err; 171 172 err: 173 if (i > 0) 174 nf_unregister_net_hooks(net, reg, i); 175 return err; 176 } 177 EXPORT_SYMBOL(nf_register_net_hooks); 178 179 void nf_unregister_net_hooks(struct net *net, const struct nf_hook_ops *reg, 180 unsigned int n) 181 { 182 while (n-- > 0) 183 nf_unregister_net_hook(net, ®[n]); 184 } 185 EXPORT_SYMBOL(nf_unregister_net_hooks); 186 187 static LIST_HEAD(nf_hook_list); 188 189 int nf_register_hook(struct nf_hook_ops *reg) 190 { 191 struct net *net, *last; 192 int ret; 193 194 rtnl_lock(); 195 for_each_net(net) { 196 ret = nf_register_net_hook(net, reg); 197 if (ret && ret != -ENOENT) 198 goto rollback; 199 } 200 list_add_tail(®->list, &nf_hook_list); 201 rtnl_unlock(); 202 203 return 0; 204 rollback: 205 last = net; 206 for_each_net(net) { 207 if (net == last) 208 break; 209 nf_unregister_net_hook(net, reg); 210 } 211 rtnl_unlock(); 212 return ret; 213 } 214 EXPORT_SYMBOL(nf_register_hook); 215 216 void nf_unregister_hook(struct nf_hook_ops *reg) 217 { 218 struct net *net; 219 220 rtnl_lock(); 221 list_del(®->list); 222 for_each_net(net) 223 nf_unregister_net_hook(net, reg); 224 rtnl_unlock(); 225 } 226 EXPORT_SYMBOL(nf_unregister_hook); 227 228 int nf_register_hooks(struct nf_hook_ops *reg, unsigned int n) 229 { 230 unsigned int i; 231 int err = 0; 232 233 for (i = 0; i < n; i++) { 234 err = nf_register_hook(®[i]); 235 if (err) 236 goto err; 237 } 238 return err; 239 240 err: 241 if (i > 0) 242 nf_unregister_hooks(reg, i); 243 return err; 244 } 245 EXPORT_SYMBOL(nf_register_hooks); 246 247 void nf_unregister_hooks(struct nf_hook_ops *reg, unsigned int n) 248 { 249 while (n-- > 0) 250 nf_unregister_hook(®[n]); 251 } 252 EXPORT_SYMBOL(nf_unregister_hooks); 253 254 unsigned int nf_iterate(struct list_head *head, 255 struct sk_buff *skb, 256 struct nf_hook_state *state, 257 struct nf_hook_ops **elemp) 258 { 259 unsigned int verdict; 260 261 /* 262 * The caller must not block between calls to this 263 * function because of risk of continuing from deleted element. 264 */ 265 list_for_each_entry_continue_rcu((*elemp), head, list) { 266 if (state->thresh > (*elemp)->priority) 267 continue; 268 269 /* Optimization: we don't need to hold module 270 reference here, since function can't sleep. --RR */ 271 repeat: 272 verdict = (*elemp)->hook((*elemp)->priv, skb, state); 273 if (verdict != NF_ACCEPT) { 274 #ifdef CONFIG_NETFILTER_DEBUG 275 if (unlikely((verdict & NF_VERDICT_MASK) 276 > NF_MAX_VERDICT)) { 277 NFDEBUG("Evil return from %p(%u).\n", 278 (*elemp)->hook, state->hook); 279 continue; 280 } 281 #endif 282 if (verdict != NF_REPEAT) 283 return verdict; 284 goto repeat; 285 } 286 } 287 return NF_ACCEPT; 288 } 289 290 291 /* Returns 1 if okfn() needs to be executed by the caller, 292 * -EPERM for NF_DROP, 0 otherwise. */ 293 int nf_hook_slow(struct sk_buff *skb, struct nf_hook_state *state) 294 { 295 struct nf_hook_ops *elem; 296 unsigned int verdict; 297 int ret = 0; 298 299 /* We may already have this, but read-locks nest anyway */ 300 rcu_read_lock(); 301 302 elem = list_entry_rcu(state->hook_list, struct nf_hook_ops, list); 303 next_hook: 304 verdict = nf_iterate(state->hook_list, skb, state, &elem); 305 if (verdict == NF_ACCEPT || verdict == NF_STOP) { 306 ret = 1; 307 } else if ((verdict & NF_VERDICT_MASK) == NF_DROP) { 308 kfree_skb(skb); 309 ret = NF_DROP_GETERR(verdict); 310 if (ret == 0) 311 ret = -EPERM; 312 } else if ((verdict & NF_VERDICT_MASK) == NF_QUEUE) { 313 int err = nf_queue(skb, elem, state, 314 verdict >> NF_VERDICT_QBITS); 315 if (err < 0) { 316 if (err == -ESRCH && 317 (verdict & NF_VERDICT_FLAG_QUEUE_BYPASS)) 318 goto next_hook; 319 kfree_skb(skb); 320 } 321 } 322 rcu_read_unlock(); 323 return ret; 324 } 325 EXPORT_SYMBOL(nf_hook_slow); 326 327 328 int skb_make_writable(struct sk_buff *skb, unsigned int writable_len) 329 { 330 if (writable_len > skb->len) 331 return 0; 332 333 /* Not exclusive use of packet? Must copy. */ 334 if (!skb_cloned(skb)) { 335 if (writable_len <= skb_headlen(skb)) 336 return 1; 337 } else if (skb_clone_writable(skb, writable_len)) 338 return 1; 339 340 if (writable_len <= skb_headlen(skb)) 341 writable_len = 0; 342 else 343 writable_len -= skb_headlen(skb); 344 345 return !!__pskb_pull_tail(skb, writable_len); 346 } 347 EXPORT_SYMBOL(skb_make_writable); 348 349 /* This needs to be compiled in any case to avoid dependencies between the 350 * nfnetlink_queue code and nf_conntrack. 351 */ 352 struct nfnl_ct_hook __rcu *nfnl_ct_hook __read_mostly; 353 EXPORT_SYMBOL_GPL(nfnl_ct_hook); 354 355 #if IS_ENABLED(CONFIG_NF_CONNTRACK) 356 /* This does not belong here, but locally generated errors need it if connection 357 tracking in use: without this, connection may not be in hash table, and hence 358 manufactured ICMP or RST packets will not be associated with it. */ 359 void (*ip_ct_attach)(struct sk_buff *, const struct sk_buff *) 360 __rcu __read_mostly; 361 EXPORT_SYMBOL(ip_ct_attach); 362 363 void nf_ct_attach(struct sk_buff *new, const struct sk_buff *skb) 364 { 365 void (*attach)(struct sk_buff *, const struct sk_buff *); 366 367 if (skb->nfct) { 368 rcu_read_lock(); 369 attach = rcu_dereference(ip_ct_attach); 370 if (attach) 371 attach(new, skb); 372 rcu_read_unlock(); 373 } 374 } 375 EXPORT_SYMBOL(nf_ct_attach); 376 377 void (*nf_ct_destroy)(struct nf_conntrack *) __rcu __read_mostly; 378 EXPORT_SYMBOL(nf_ct_destroy); 379 380 void nf_conntrack_destroy(struct nf_conntrack *nfct) 381 { 382 void (*destroy)(struct nf_conntrack *); 383 384 rcu_read_lock(); 385 destroy = rcu_dereference(nf_ct_destroy); 386 BUG_ON(destroy == NULL); 387 destroy(nfct); 388 rcu_read_unlock(); 389 } 390 EXPORT_SYMBOL(nf_conntrack_destroy); 391 392 /* Built-in default zone used e.g. by modules. */ 393 const struct nf_conntrack_zone nf_ct_zone_dflt = { 394 .id = NF_CT_DEFAULT_ZONE_ID, 395 .dir = NF_CT_DEFAULT_ZONE_DIR, 396 }; 397 EXPORT_SYMBOL_GPL(nf_ct_zone_dflt); 398 #endif /* CONFIG_NF_CONNTRACK */ 399 400 #ifdef CONFIG_NF_NAT_NEEDED 401 void (*nf_nat_decode_session_hook)(struct sk_buff *, struct flowi *); 402 EXPORT_SYMBOL(nf_nat_decode_session_hook); 403 #endif 404 405 static int nf_register_hook_list(struct net *net) 406 { 407 struct nf_hook_ops *elem; 408 int ret; 409 410 rtnl_lock(); 411 list_for_each_entry(elem, &nf_hook_list, list) { 412 ret = nf_register_net_hook(net, elem); 413 if (ret && ret != -ENOENT) 414 goto out_undo; 415 } 416 rtnl_unlock(); 417 return 0; 418 419 out_undo: 420 list_for_each_entry_continue_reverse(elem, &nf_hook_list, list) 421 nf_unregister_net_hook(net, elem); 422 rtnl_unlock(); 423 return ret; 424 } 425 426 static void nf_unregister_hook_list(struct net *net) 427 { 428 struct nf_hook_ops *elem; 429 430 rtnl_lock(); 431 list_for_each_entry(elem, &nf_hook_list, list) 432 nf_unregister_net_hook(net, elem); 433 rtnl_unlock(); 434 } 435 436 static int __net_init netfilter_net_init(struct net *net) 437 { 438 int i, h, ret; 439 440 for (i = 0; i < ARRAY_SIZE(net->nf.hooks); i++) { 441 for (h = 0; h < NF_MAX_HOOKS; h++) 442 INIT_LIST_HEAD(&net->nf.hooks[i][h]); 443 } 444 445 #ifdef CONFIG_PROC_FS 446 net->nf.proc_netfilter = proc_net_mkdir(net, "netfilter", 447 net->proc_net); 448 if (!net->nf.proc_netfilter) { 449 if (!net_eq(net, &init_net)) 450 pr_err("cannot create netfilter proc entry"); 451 452 return -ENOMEM; 453 } 454 #endif 455 ret = nf_register_hook_list(net); 456 if (ret) 457 remove_proc_entry("netfilter", net->proc_net); 458 459 return ret; 460 } 461 462 static void __net_exit netfilter_net_exit(struct net *net) 463 { 464 nf_unregister_hook_list(net); 465 remove_proc_entry("netfilter", net->proc_net); 466 } 467 468 static struct pernet_operations netfilter_net_ops = { 469 .init = netfilter_net_init, 470 .exit = netfilter_net_exit, 471 }; 472 473 int __init netfilter_init(void) 474 { 475 int ret; 476 477 ret = register_pernet_subsys(&netfilter_net_ops); 478 if (ret < 0) 479 goto err; 480 481 ret = netfilter_log_init(); 482 if (ret < 0) 483 goto err_pernet; 484 485 return 0; 486 err_pernet: 487 unregister_pernet_subsys(&netfilter_net_ops); 488 err: 489 return ret; 490 } 491