1 /* netfilter.c: look after the filters for various protocols. 2 * Heavily influenced by the old firewall.c by David Bonn and Alan Cox. 3 * 4 * Thanks to Rob `CmdrTaco' Malda for not influencing this code in any 5 * way. 6 * 7 * Rusty Russell (C)2000 -- This code is GPL. 8 * Patrick McHardy (c) 2006-2012 9 */ 10 #include <linux/kernel.h> 11 #include <linux/netfilter.h> 12 #include <net/protocol.h> 13 #include <linux/init.h> 14 #include <linux/skbuff.h> 15 #include <linux/wait.h> 16 #include <linux/module.h> 17 #include <linux/interrupt.h> 18 #include <linux/if.h> 19 #include <linux/netdevice.h> 20 #include <linux/netfilter_ipv6.h> 21 #include <linux/inetdevice.h> 22 #include <linux/proc_fs.h> 23 #include <linux/mutex.h> 24 #include <linux/slab.h> 25 #include <net/net_namespace.h> 26 #include <net/sock.h> 27 28 #include "nf_internals.h" 29 30 static DEFINE_MUTEX(afinfo_mutex); 31 32 const struct nf_afinfo __rcu *nf_afinfo[NFPROTO_NUMPROTO] __read_mostly; 33 EXPORT_SYMBOL(nf_afinfo); 34 const struct nf_ipv6_ops __rcu *nf_ipv6_ops __read_mostly; 35 EXPORT_SYMBOL_GPL(nf_ipv6_ops); 36 37 DEFINE_PER_CPU(bool, nf_skb_duplicated); 38 EXPORT_SYMBOL_GPL(nf_skb_duplicated); 39 40 int nf_register_afinfo(const struct nf_afinfo *afinfo) 41 { 42 mutex_lock(&afinfo_mutex); 43 RCU_INIT_POINTER(nf_afinfo[afinfo->family], afinfo); 44 mutex_unlock(&afinfo_mutex); 45 return 0; 46 } 47 EXPORT_SYMBOL_GPL(nf_register_afinfo); 48 49 void nf_unregister_afinfo(const struct nf_afinfo *afinfo) 50 { 51 mutex_lock(&afinfo_mutex); 52 RCU_INIT_POINTER(nf_afinfo[afinfo->family], NULL); 53 mutex_unlock(&afinfo_mutex); 54 synchronize_rcu(); 55 } 56 EXPORT_SYMBOL_GPL(nf_unregister_afinfo); 57 58 #ifdef HAVE_JUMP_LABEL 59 struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS]; 60 EXPORT_SYMBOL(nf_hooks_needed); 61 #endif 62 63 static DEFINE_MUTEX(nf_hook_mutex); 64 65 static struct list_head *nf_find_hook_list(struct net *net, 66 const struct nf_hook_ops *reg) 67 { 68 struct list_head *hook_list = NULL; 69 70 if (reg->pf != NFPROTO_NETDEV) 71 hook_list = &net->nf.hooks[reg->pf][reg->hooknum]; 72 else if (reg->hooknum == NF_NETDEV_INGRESS) { 73 #ifdef CONFIG_NETFILTER_INGRESS 74 if (reg->dev && dev_net(reg->dev) == net) 75 hook_list = ®->dev->nf_hooks_ingress; 76 #endif 77 } 78 return hook_list; 79 } 80 81 struct nf_hook_entry { 82 const struct nf_hook_ops *orig_ops; 83 struct nf_hook_ops ops; 84 }; 85 86 int nf_register_net_hook(struct net *net, const struct nf_hook_ops *reg) 87 { 88 struct list_head *hook_list; 89 struct nf_hook_entry *entry; 90 struct nf_hook_ops *elem; 91 92 entry = kmalloc(sizeof(*entry), GFP_KERNEL); 93 if (!entry) 94 return -ENOMEM; 95 96 entry->orig_ops = reg; 97 entry->ops = *reg; 98 99 hook_list = nf_find_hook_list(net, reg); 100 if (!hook_list) { 101 kfree(entry); 102 return -ENOENT; 103 } 104 105 mutex_lock(&nf_hook_mutex); 106 list_for_each_entry(elem, hook_list, list) { 107 if (reg->priority < elem->priority) 108 break; 109 } 110 list_add_rcu(&entry->ops.list, elem->list.prev); 111 mutex_unlock(&nf_hook_mutex); 112 #ifdef CONFIG_NETFILTER_INGRESS 113 if (reg->pf == NFPROTO_NETDEV && reg->hooknum == NF_NETDEV_INGRESS) 114 net_inc_ingress_queue(); 115 #endif 116 #ifdef HAVE_JUMP_LABEL 117 static_key_slow_inc(&nf_hooks_needed[reg->pf][reg->hooknum]); 118 #endif 119 return 0; 120 } 121 EXPORT_SYMBOL(nf_register_net_hook); 122 123 void nf_unregister_net_hook(struct net *net, const struct nf_hook_ops *reg) 124 { 125 struct list_head *hook_list; 126 struct nf_hook_entry *entry; 127 struct nf_hook_ops *elem; 128 129 hook_list = nf_find_hook_list(net, reg); 130 if (!hook_list) 131 return; 132 133 mutex_lock(&nf_hook_mutex); 134 list_for_each_entry(elem, hook_list, list) { 135 entry = container_of(elem, struct nf_hook_entry, ops); 136 if (entry->orig_ops == reg) { 137 list_del_rcu(&entry->ops.list); 138 break; 139 } 140 } 141 mutex_unlock(&nf_hook_mutex); 142 if (&elem->list == hook_list) { 143 WARN(1, "nf_unregister_net_hook: hook not found!\n"); 144 return; 145 } 146 #ifdef CONFIG_NETFILTER_INGRESS 147 if (reg->pf == NFPROTO_NETDEV && reg->hooknum == NF_NETDEV_INGRESS) 148 net_dec_ingress_queue(); 149 #endif 150 #ifdef HAVE_JUMP_LABEL 151 static_key_slow_dec(&nf_hooks_needed[reg->pf][reg->hooknum]); 152 #endif 153 synchronize_net(); 154 nf_queue_nf_hook_drop(net, &entry->ops); 155 /* other cpu might still process nfqueue verdict that used reg */ 156 synchronize_net(); 157 kfree(entry); 158 } 159 EXPORT_SYMBOL(nf_unregister_net_hook); 160 161 int nf_register_net_hooks(struct net *net, const struct nf_hook_ops *reg, 162 unsigned int n) 163 { 164 unsigned int i; 165 int err = 0; 166 167 for (i = 0; i < n; i++) { 168 err = nf_register_net_hook(net, ®[i]); 169 if (err) 170 goto err; 171 } 172 return err; 173 174 err: 175 if (i > 0) 176 nf_unregister_net_hooks(net, reg, i); 177 return err; 178 } 179 EXPORT_SYMBOL(nf_register_net_hooks); 180 181 void nf_unregister_net_hooks(struct net *net, const struct nf_hook_ops *reg, 182 unsigned int n) 183 { 184 while (n-- > 0) 185 nf_unregister_net_hook(net, ®[n]); 186 } 187 EXPORT_SYMBOL(nf_unregister_net_hooks); 188 189 static LIST_HEAD(nf_hook_list); 190 191 int nf_register_hook(struct nf_hook_ops *reg) 192 { 193 struct net *net, *last; 194 int ret; 195 196 rtnl_lock(); 197 for_each_net(net) { 198 ret = nf_register_net_hook(net, reg); 199 if (ret && ret != -ENOENT) 200 goto rollback; 201 } 202 list_add_tail(®->list, &nf_hook_list); 203 rtnl_unlock(); 204 205 return 0; 206 rollback: 207 last = net; 208 for_each_net(net) { 209 if (net == last) 210 break; 211 nf_unregister_net_hook(net, reg); 212 } 213 rtnl_unlock(); 214 return ret; 215 } 216 EXPORT_SYMBOL(nf_register_hook); 217 218 void nf_unregister_hook(struct nf_hook_ops *reg) 219 { 220 struct net *net; 221 222 rtnl_lock(); 223 list_del(®->list); 224 for_each_net(net) 225 nf_unregister_net_hook(net, reg); 226 rtnl_unlock(); 227 } 228 EXPORT_SYMBOL(nf_unregister_hook); 229 230 int nf_register_hooks(struct nf_hook_ops *reg, unsigned int n) 231 { 232 unsigned int i; 233 int err = 0; 234 235 for (i = 0; i < n; i++) { 236 err = nf_register_hook(®[i]); 237 if (err) 238 goto err; 239 } 240 return err; 241 242 err: 243 if (i > 0) 244 nf_unregister_hooks(reg, i); 245 return err; 246 } 247 EXPORT_SYMBOL(nf_register_hooks); 248 249 void nf_unregister_hooks(struct nf_hook_ops *reg, unsigned int n) 250 { 251 while (n-- > 0) 252 nf_unregister_hook(®[n]); 253 } 254 EXPORT_SYMBOL(nf_unregister_hooks); 255 256 unsigned int nf_iterate(struct list_head *head, 257 struct sk_buff *skb, 258 struct nf_hook_state *state, 259 struct nf_hook_ops **elemp) 260 { 261 unsigned int verdict; 262 263 /* 264 * The caller must not block between calls to this 265 * function because of risk of continuing from deleted element. 266 */ 267 list_for_each_entry_continue_rcu((*elemp), head, list) { 268 if (state->thresh > (*elemp)->priority) 269 continue; 270 271 /* Optimization: we don't need to hold module 272 reference here, since function can't sleep. --RR */ 273 repeat: 274 verdict = (*elemp)->hook((*elemp)->priv, skb, state); 275 if (verdict != NF_ACCEPT) { 276 #ifdef CONFIG_NETFILTER_DEBUG 277 if (unlikely((verdict & NF_VERDICT_MASK) 278 > NF_MAX_VERDICT)) { 279 NFDEBUG("Evil return from %p(%u).\n", 280 (*elemp)->hook, state->hook); 281 continue; 282 } 283 #endif 284 if (verdict != NF_REPEAT) 285 return verdict; 286 goto repeat; 287 } 288 } 289 return NF_ACCEPT; 290 } 291 292 293 /* Returns 1 if okfn() needs to be executed by the caller, 294 * -EPERM for NF_DROP, 0 otherwise. */ 295 int nf_hook_slow(struct sk_buff *skb, struct nf_hook_state *state) 296 { 297 struct nf_hook_ops *elem; 298 unsigned int verdict; 299 int ret = 0; 300 301 /* We may already have this, but read-locks nest anyway */ 302 rcu_read_lock(); 303 304 elem = list_entry_rcu(state->hook_list, struct nf_hook_ops, list); 305 next_hook: 306 verdict = nf_iterate(state->hook_list, skb, state, &elem); 307 if (verdict == NF_ACCEPT || verdict == NF_STOP) { 308 ret = 1; 309 } else if ((verdict & NF_VERDICT_MASK) == NF_DROP) { 310 kfree_skb(skb); 311 ret = NF_DROP_GETERR(verdict); 312 if (ret == 0) 313 ret = -EPERM; 314 } else if ((verdict & NF_VERDICT_MASK) == NF_QUEUE) { 315 int err = nf_queue(skb, elem, state, 316 verdict >> NF_VERDICT_QBITS); 317 if (err < 0) { 318 if (err == -ESRCH && 319 (verdict & NF_VERDICT_FLAG_QUEUE_BYPASS)) 320 goto next_hook; 321 kfree_skb(skb); 322 } 323 } 324 rcu_read_unlock(); 325 return ret; 326 } 327 EXPORT_SYMBOL(nf_hook_slow); 328 329 330 int skb_make_writable(struct sk_buff *skb, unsigned int writable_len) 331 { 332 if (writable_len > skb->len) 333 return 0; 334 335 /* Not exclusive use of packet? Must copy. */ 336 if (!skb_cloned(skb)) { 337 if (writable_len <= skb_headlen(skb)) 338 return 1; 339 } else if (skb_clone_writable(skb, writable_len)) 340 return 1; 341 342 if (writable_len <= skb_headlen(skb)) 343 writable_len = 0; 344 else 345 writable_len -= skb_headlen(skb); 346 347 return !!__pskb_pull_tail(skb, writable_len); 348 } 349 EXPORT_SYMBOL(skb_make_writable); 350 351 /* This needs to be compiled in any case to avoid dependencies between the 352 * nfnetlink_queue code and nf_conntrack. 353 */ 354 struct nfnl_ct_hook __rcu *nfnl_ct_hook __read_mostly; 355 EXPORT_SYMBOL_GPL(nfnl_ct_hook); 356 357 #if IS_ENABLED(CONFIG_NF_CONNTRACK) 358 /* This does not belong here, but locally generated errors need it if connection 359 tracking in use: without this, connection may not be in hash table, and hence 360 manufactured ICMP or RST packets will not be associated with it. */ 361 void (*ip_ct_attach)(struct sk_buff *, const struct sk_buff *) 362 __rcu __read_mostly; 363 EXPORT_SYMBOL(ip_ct_attach); 364 365 void nf_ct_attach(struct sk_buff *new, const struct sk_buff *skb) 366 { 367 void (*attach)(struct sk_buff *, const struct sk_buff *); 368 369 if (skb->nfct) { 370 rcu_read_lock(); 371 attach = rcu_dereference(ip_ct_attach); 372 if (attach) 373 attach(new, skb); 374 rcu_read_unlock(); 375 } 376 } 377 EXPORT_SYMBOL(nf_ct_attach); 378 379 void (*nf_ct_destroy)(struct nf_conntrack *) __rcu __read_mostly; 380 EXPORT_SYMBOL(nf_ct_destroy); 381 382 void nf_conntrack_destroy(struct nf_conntrack *nfct) 383 { 384 void (*destroy)(struct nf_conntrack *); 385 386 rcu_read_lock(); 387 destroy = rcu_dereference(nf_ct_destroy); 388 BUG_ON(destroy == NULL); 389 destroy(nfct); 390 rcu_read_unlock(); 391 } 392 EXPORT_SYMBOL(nf_conntrack_destroy); 393 394 /* Built-in default zone used e.g. by modules. */ 395 const struct nf_conntrack_zone nf_ct_zone_dflt = { 396 .id = NF_CT_DEFAULT_ZONE_ID, 397 .dir = NF_CT_DEFAULT_ZONE_DIR, 398 }; 399 EXPORT_SYMBOL_GPL(nf_ct_zone_dflt); 400 #endif /* CONFIG_NF_CONNTRACK */ 401 402 #ifdef CONFIG_NF_NAT_NEEDED 403 void (*nf_nat_decode_session_hook)(struct sk_buff *, struct flowi *); 404 EXPORT_SYMBOL(nf_nat_decode_session_hook); 405 #endif 406 407 static int nf_register_hook_list(struct net *net) 408 { 409 struct nf_hook_ops *elem; 410 int ret; 411 412 rtnl_lock(); 413 list_for_each_entry(elem, &nf_hook_list, list) { 414 ret = nf_register_net_hook(net, elem); 415 if (ret && ret != -ENOENT) 416 goto out_undo; 417 } 418 rtnl_unlock(); 419 return 0; 420 421 out_undo: 422 list_for_each_entry_continue_reverse(elem, &nf_hook_list, list) 423 nf_unregister_net_hook(net, elem); 424 rtnl_unlock(); 425 return ret; 426 } 427 428 static void nf_unregister_hook_list(struct net *net) 429 { 430 struct nf_hook_ops *elem; 431 432 rtnl_lock(); 433 list_for_each_entry(elem, &nf_hook_list, list) 434 nf_unregister_net_hook(net, elem); 435 rtnl_unlock(); 436 } 437 438 static int __net_init netfilter_net_init(struct net *net) 439 { 440 int i, h, ret; 441 442 for (i = 0; i < ARRAY_SIZE(net->nf.hooks); i++) { 443 for (h = 0; h < NF_MAX_HOOKS; h++) 444 INIT_LIST_HEAD(&net->nf.hooks[i][h]); 445 } 446 447 #ifdef CONFIG_PROC_FS 448 net->nf.proc_netfilter = proc_net_mkdir(net, "netfilter", 449 net->proc_net); 450 if (!net->nf.proc_netfilter) { 451 if (!net_eq(net, &init_net)) 452 pr_err("cannot create netfilter proc entry"); 453 454 return -ENOMEM; 455 } 456 #endif 457 ret = nf_register_hook_list(net); 458 if (ret) 459 remove_proc_entry("netfilter", net->proc_net); 460 461 return ret; 462 } 463 464 static void __net_exit netfilter_net_exit(struct net *net) 465 { 466 nf_unregister_hook_list(net); 467 remove_proc_entry("netfilter", net->proc_net); 468 } 469 470 static struct pernet_operations netfilter_net_ops = { 471 .init = netfilter_net_init, 472 .exit = netfilter_net_exit, 473 }; 474 475 int __init netfilter_init(void) 476 { 477 int ret; 478 479 ret = register_pernet_subsys(&netfilter_net_ops); 480 if (ret < 0) 481 goto err; 482 483 ret = netfilter_log_init(); 484 if (ret < 0) 485 goto err_pernet; 486 487 return 0; 488 err_pernet: 489 unregister_pernet_subsys(&netfilter_net_ops); 490 err: 491 return ret; 492 } 493