[mirror_ubuntu-hirsute-kernel.git] / net / netfilter / core.c

/* netfilter.c: look after the filters for various protocols.
 * Heavily influenced by the old firewall.c by David Bonn and Alan Cox.
 *
 * Thanks to Rob `CmdrTaco' Malda for not influencing this code in any
 * way.
 *
 * Rusty Russell (C)2000 -- This code is GPL.
 * Patrick McHardy (c) 2006-2012
 */
#include <linux/kernel.h>
#include <linux/netfilter.h>
#include <net/protocol.h>
#include <linux/init.h>
#include <linux/skbuff.h>
#include <linux/wait.h>
#include <linux/module.h>
#include <linux/interrupt.h>
#include <linux/if.h>
#include <linux/netdevice.h>
#include <linux/netfilter_ipv6.h>
#include <linux/inetdevice.h>
#include <linux/proc_fs.h>
#include <linux/mutex.h>
#include <linux/slab.h>
#include <net/net_namespace.h>
#include <net/sock.h>

#include "nf_internals.h"

static DEFINE_MUTEX(afinfo_mutex);

const struct nf_afinfo __rcu *nf_afinfo[NFPROTO_NUMPROTO] __read_mostly;
EXPORT_SYMBOL(nf_afinfo);
const struct nf_ipv6_ops __rcu *nf_ipv6_ops __read_mostly;
EXPORT_SYMBOL_GPL(nf_ipv6_ops);

DEFINE_PER_CPU(bool, nf_skb_duplicated);
EXPORT_SYMBOL_GPL(nf_skb_duplicated);

int nf_register_afinfo(const struct nf_afinfo *afinfo)
{
	mutex_lock(&afinfo_mutex);
	RCU_INIT_POINTER(nf_afinfo[afinfo->family], afinfo);
	mutex_unlock(&afinfo_mutex);
	return 0;
}
EXPORT_SYMBOL_GPL(nf_register_afinfo);

void nf_unregister_afinfo(const struct nf_afinfo *afinfo)
{
	mutex_lock(&afinfo_mutex);
	RCU_INIT_POINTER(nf_afinfo[afinfo->family], NULL);
	mutex_unlock(&afinfo_mutex);
	synchronize_rcu();
}
EXPORT_SYMBOL_GPL(nf_unregister_afinfo);

#ifdef HAVE_JUMP_LABEL
struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
EXPORT_SYMBOL(nf_hooks_needed);
#endif

static DEFINE_MUTEX(nf_hook_mutex);

static struct list_head *find_nf_hook_list(struct net *net,
					   const struct nf_hook_ops *reg)
{
	struct list_head *nf_hook_list = NULL;

	if (reg->pf != NFPROTO_NETDEV)
		nf_hook_list = &net->nf.hooks[reg->pf][reg->hooknum];
	else if (reg->hooknum == NF_NETDEV_INGRESS) {
#ifdef CONFIG_NETFILTER_INGRESS
		if (reg->dev && dev_net(reg->dev) == net)
			nf_hook_list = &reg->dev->nf_hooks_ingress;
#endif
	}
	return nf_hook_list;
}

int nf_register_net_hook(struct net *net, const struct nf_hook_ops *reg)
{
	struct list_head *nf_hook_list;
	struct nf_hook_ops *elem, *new;

	new = kzalloc(sizeof(*new), GFP_KERNEL);
	if (!new)
		return -ENOMEM;

	new->hook     = reg->hook;
	new->dev      = reg->dev;
	new->owner    = reg->owner;
	new->priv     = reg->priv;
	new->pf       = reg->pf;
	new->hooknum  = reg->hooknum;
	new->priority = reg->priority;

	nf_hook_list = find_nf_hook_list(net, reg);
	if (!nf_hook_list)
		return -ENOENT;

	mutex_lock(&nf_hook_mutex);
	list_for_each_entry(elem, nf_hook_list, list) {
		if (reg->priority < elem->priority)
			break;
	}
	list_add_rcu(&new->list, elem->list.prev);
	mutex_unlock(&nf_hook_mutex);
#ifdef CONFIG_NETFILTER_INGRESS
	if (reg->pf == NFPROTO_NETDEV && reg->hooknum == NF_NETDEV_INGRESS)
		net_inc_ingress_queue();
#endif
#ifdef HAVE_JUMP_LABEL
	static_key_slow_inc(&nf_hooks_needed[reg->pf][reg->hooknum]);
#endif
	return 0;
}
EXPORT_SYMBOL(nf_register_net_hook);

void nf_unregister_net_hook(struct net *net, const struct nf_hook_ops *reg)
{
	struct list_head *nf_hook_list;
	struct nf_hook_ops *elem;

	nf_hook_list = find_nf_hook_list(net, reg);
	if (!nf_hook_list)
		return;

	mutex_lock(&nf_hook_mutex);
	list_for_each_entry(elem, nf_hook_list, list) {
		if ((reg->hook     == elem->hook) &&
		    (reg->dev      == elem->dev) &&
		    (reg->owner    == elem->owner) &&
		    (reg->priv     == elem->priv) &&
		    (reg->pf       == elem->pf) &&
		    (reg->hooknum  == elem->hooknum) &&
		    (reg->priority == elem->priority)) {
			list_del_rcu(&elem->list);
			break;
		}
	}
	mutex_unlock(&nf_hook_mutex);
	if (&elem->list == nf_hook_list) {
		WARN(1, "nf_unregister_net_hook: hook not found!\n");
		return;
	}
#ifdef CONFIG_NETFILTER_INGRESS
	if (reg->pf == NFPROTO_NETDEV && reg->hooknum == NF_NETDEV_INGRESS)
		net_dec_ingress_queue();
#endif
#ifdef HAVE_JUMP_LABEL
	static_key_slow_dec(&nf_hooks_needed[reg->pf][reg->hooknum]);
#endif
	synchronize_net();
	nf_queue_nf_hook_drop(elem);
	kfree(elem);
}
EXPORT_SYMBOL(nf_unregister_net_hook);

int nf_register_net_hooks(struct net *net, const struct nf_hook_ops *reg,
			  unsigned int n)
{
	unsigned int i;
	int err = 0;

	for (i = 0; i < n; i++) {
		err = nf_register_net_hook(net, &reg[i]);
		if (err)
			goto err;
	}
	return err;

err:
	if (i > 0)
		nf_unregister_net_hooks(net, reg, i);
	return err;
}
EXPORT_SYMBOL(nf_register_net_hooks);

void nf_unregister_net_hooks(struct net *net, const struct nf_hook_ops *reg,
			     unsigned int n)
{
	while (n-- > 0)
		nf_unregister_net_hook(net, &reg[n]);
}
EXPORT_SYMBOL(nf_unregister_net_hooks);

static LIST_HEAD(nf_hook_list);

int nf_register_hook(struct nf_hook_ops *reg)
{
	struct net *net, *last;
	int ret;

	rtnl_lock();
	for_each_net(net) {
		ret = nf_register_net_hook(net, reg);
		if (ret && ret != -ENOENT)
			goto rollback;
	}
	list_add_tail(&reg->list, &nf_hook_list);
	rtnl_unlock();

	return 0;
rollback:
	last = net;
	for_each_net(net) {
		if (net == last)
			break;
		nf_unregister_net_hook(net, reg);
	}
	rtnl_unlock();
	return ret;
}
EXPORT_SYMBOL(nf_register_hook);

void nf_unregister_hook(struct nf_hook_ops *reg)
{
	struct net *net;

	rtnl_lock();
	list_del(&reg->list);
	for_each_net(net)
		nf_unregister_net_hook(net, reg);
	rtnl_unlock();
}
EXPORT_SYMBOL(nf_unregister_hook);

int nf_register_hooks(struct nf_hook_ops *reg, unsigned int n)
{
	unsigned int i;
	int err = 0;

	for (i = 0; i < n; i++) {
		err = nf_register_hook(&reg[i]);
		if (err)
			goto err;
	}
	return err;

err:
	if (i > 0)
		nf_unregister_hooks(reg, i);
	return err;
}
EXPORT_SYMBOL(nf_register_hooks);

void nf_unregister_hooks(struct nf_hook_ops *reg, unsigned int n)
{
	while (n-- > 0)
		nf_unregister_hook(&reg[n]);
}
EXPORT_SYMBOL(nf_unregister_hooks);

unsigned int nf_iterate(struct list_head *head,
			struct sk_buff *skb,
			struct nf_hook_state *state,
			struct nf_hook_ops **elemp)
{
	unsigned int verdict;

	/*
	 * The caller must not block between calls to this
	 * function because of risk of continuing from deleted element.
	 */
	list_for_each_entry_continue_rcu((*elemp), head, list) {
		if (state->thresh > (*elemp)->priority)
			continue;

		/* Optimization: we don't need to hold module
		   reference here, since function can't sleep. --RR */
repeat:
		verdict = (*elemp)->hook(*elemp, skb, state);
		if (verdict != NF_ACCEPT) {
#ifdef CONFIG_NETFILTER_DEBUG
			if (unlikely((verdict & NF_VERDICT_MASK)
							> NF_MAX_VERDICT)) {
				NFDEBUG("Evil return from %p(%u).\n",
					(*elemp)->hook, state->hook);
				continue;
			}
#endif
			if (verdict != NF_REPEAT)
				return verdict;
			goto repeat;
		}
	}
	return NF_ACCEPT;
}


/* Returns 1 if okfn() needs to be executed by the caller,
 * -EPERM for NF_DROP, 0 otherwise. */
int nf_hook_slow(struct sk_buff *skb, struct nf_hook_state *state)
{
	struct nf_hook_ops *elem;
	unsigned int verdict;
	int ret = 0;

	/* We may already have this, but read-locks nest anyway */
	rcu_read_lock();

	elem = list_entry_rcu(state->hook_list, struct nf_hook_ops, list);
next_hook:
	verdict = nf_iterate(state->hook_list, skb, state, &elem);
	if (verdict == NF_ACCEPT || verdict == NF_STOP) {
		ret = 1;
	} else if ((verdict & NF_VERDICT_MASK) == NF_DROP) {
		kfree_skb(skb);
		ret = NF_DROP_GETERR(verdict);
		if (ret == 0)
			ret = -EPERM;
	} else if ((verdict & NF_VERDICT_MASK) == NF_QUEUE) {
		int err = nf_queue(skb, elem, state,
				   verdict >> NF_VERDICT_QBITS);
		if (err < 0) {
			if (err == -ECANCELED)
				goto next_hook;
			if (err == -ESRCH &&
			   (verdict & NF_VERDICT_FLAG_QUEUE_BYPASS))
				goto next_hook;
			kfree_skb(skb);
		}
	}
	rcu_read_unlock();
	return ret;
}
EXPORT_SYMBOL(nf_hook_slow);


int skb_make_writable(struct sk_buff *skb, unsigned int writable_len)
{
	if (writable_len > skb->len)
		return 0;

	/* Not exclusive use of packet?  Must copy. */
	if (!skb_cloned(skb)) {
		if (writable_len <= skb_headlen(skb))
			return 1;
	} else if (skb_clone_writable(skb, writable_len))
		return 1;

	if (writable_len <= skb_headlen(skb))
		writable_len = 0;
	else
		writable_len -= skb_headlen(skb);

	return !!__pskb_pull_tail(skb, writable_len);
}
EXPORT_SYMBOL(skb_make_writable);

#if IS_ENABLED(CONFIG_NF_CONNTRACK)
/* This does not belong here, but locally generated errors need it if connection
   tracking in use: without this, connection may not be in hash table, and hence
   manufactured ICMP or RST packets will not be associated with it. */
void (*ip_ct_attach)(struct sk_buff *, const struct sk_buff *)
		__rcu __read_mostly;
EXPORT_SYMBOL(ip_ct_attach);

void nf_ct_attach(struct sk_buff *new, const struct sk_buff *skb)
{
	void (*attach)(struct sk_buff *, const struct sk_buff *);

	if (skb->nfct) {
		rcu_read_lock();
		attach = rcu_dereference(ip_ct_attach);
		if (attach)
			attach(new, skb);
		rcu_read_unlock();
	}
}
EXPORT_SYMBOL(nf_ct_attach);

void (*nf_ct_destroy)(struct nf_conntrack *) __rcu __read_mostly;
EXPORT_SYMBOL(nf_ct_destroy);

void nf_conntrack_destroy(struct nf_conntrack *nfct)
{
	void (*destroy)(struct nf_conntrack *);

	rcu_read_lock();
	destroy = rcu_dereference(nf_ct_destroy);
	BUG_ON(destroy == NULL);
	destroy(nfct);
	rcu_read_unlock();
}
EXPORT_SYMBOL(nf_conntrack_destroy);

struct nfq_ct_hook __rcu *nfq_ct_hook __read_mostly;
EXPORT_SYMBOL_GPL(nfq_ct_hook);

struct nfq_ct_nat_hook __rcu *nfq_ct_nat_hook __read_mostly;
EXPORT_SYMBOL_GPL(nfq_ct_nat_hook);

#endif /* CONFIG_NF_CONNTRACK */

#ifdef CONFIG_NF_NAT_NEEDED
void (*nf_nat_decode_session_hook)(struct sk_buff *, struct flowi *);
EXPORT_SYMBOL(nf_nat_decode_session_hook);
#endif

static int nf_register_hook_list(struct net *net)
{
	struct nf_hook_ops *elem;
	int ret;

	rtnl_lock();
	list_for_each_entry(elem, &nf_hook_list, list) {
		ret = nf_register_net_hook(net, elem);
		if (ret && ret != -ENOENT)
			goto out_undo;
	}
	rtnl_unlock();
	return 0;

out_undo:
	list_for_each_entry_continue_reverse(elem, &nf_hook_list, list)
		nf_unregister_net_hook(net, elem);
	rtnl_unlock();
	return ret;
}

static void nf_unregister_hook_list(struct net *net)
{
	struct nf_hook_ops *elem;

	rtnl_lock();
	list_for_each_entry(elem, &nf_hook_list, list)
		nf_unregister_net_hook(net, elem);
	rtnl_unlock();
}

static int __net_init netfilter_net_init(struct net *net)
{
	int i, h, ret;

	for (i = 0; i < ARRAY_SIZE(net->nf.hooks); i++) {
		for (h = 0; h < NF_MAX_HOOKS; h++)
			INIT_LIST_HEAD(&net->nf.hooks[i][h]);
	}

#ifdef CONFIG_PROC_FS
	net->nf.proc_netfilter = proc_net_mkdir(net, "netfilter",
						net->proc_net);
	if (!net->nf.proc_netfilter) {
		if (!net_eq(net, &init_net))
			pr_err("cannot create netfilter proc entry");

		return -ENOMEM;
	}
#endif
	ret = nf_register_hook_list(net);
	if (ret)
		remove_proc_entry("netfilter", net->proc_net);

	return ret;
}

static void __net_exit netfilter_net_exit(struct net *net)
{
	nf_unregister_hook_list(net);
	remove_proc_entry("netfilter", net->proc_net);
}

static struct pernet_operations netfilter_net_ops = {
	.init = netfilter_net_init,
	.exit = netfilter_net_exit,
};

int __init netfilter_init(void)
{
	int ret;

	ret = register_pernet_subsys(&netfilter_net_ops);
	if (ret < 0)
		goto err;

	ret = netfilter_log_init();
	if (ret < 0)
		goto err_pernet;

	return 0;
err_pernet:
	unregister_pernet_subsys(&netfilter_net_ops);
err:
	return ret;
}
Commit	Line	Data
601e68e1	1	/* netfilter.c: look after the filters for various protocols.
f6ebe77f HW	2	* Heavily influenced by the old firewall.c by David Bonn and Alan Cox.
	3	*
	4	* Thanks to Rob `CmdrTaco' Malda for not influencing this code in any
	5	* way.
	6	*
	7	* Rusty Russell (C)2000 -- This code is GPL.
f229f6ce	8	* Patrick McHardy (c) 2006-2012
f6ebe77f	9	*/
f6ebe77f HW	10	#include <linux/kernel.h>
	11	#include <linux/netfilter.h>
	12	#include <net/protocol.h>
	13	#include <linux/init.h>
	14	#include <linux/skbuff.h>
	15	#include <linux/wait.h>
	16	#include <linux/module.h>
	17	#include <linux/interrupt.h>
	18	#include <linux/if.h>
	19	#include <linux/netdevice.h>
56768644	20	#include <linux/netfilter_ipv6.h>
f6ebe77f HW	21	#include <linux/inetdevice.h>
f6ebe77f HW	22	#include <linux/proc_fs.h>
d486dd1f	23	#include <linux/mutex.h>
5a0e3ad6	24	#include <linux/slab.h>
457c4cbc	25	#include <net/net_namespace.h>
f6ebe77f HW	26	#include <net/sock.h>
	27
	28	#include "nf_internals.h"
	29
d486dd1f	30	static DEFINE_MUTEX(afinfo_mutex);
bce8032e	31
0906a372	32	const struct nf_afinfo __rcu *nf_afinfo[NFPROTO_NUMPROTO] __read_mostly;
bce8032e	33	EXPORT_SYMBOL(nf_afinfo);
2a7851bf FW	34	const struct nf_ipv6_ops __rcu *nf_ipv6_ops __read_mostly;
2a7851bf FW	35	EXPORT_SYMBOL_GPL(nf_ipv6_ops);
bce8032e	36
e7c8899f FW	37	DEFINE_PER_CPU(bool, nf_skb_duplicated);
	38	EXPORT_SYMBOL_GPL(nf_skb_duplicated);
	39
1e796fda	40	int nf_register_afinfo(const struct nf_afinfo *afinfo)
bce8032e	41	{
7926dbfa	42	mutex_lock(&afinfo_mutex);
a9b3cd7f	43	RCU_INIT_POINTER(nf_afinfo[afinfo->family], afinfo);
d486dd1f	44	mutex_unlock(&afinfo_mutex);
bce8032e PM	45	return 0;
	46	}
	47	EXPORT_SYMBOL_GPL(nf_register_afinfo);
	48
1e796fda	49	void nf_unregister_afinfo(const struct nf_afinfo *afinfo)
bce8032e	50	{
d486dd1f	51	mutex_lock(&afinfo_mutex);
a9b3cd7f	52	RCU_INIT_POINTER(nf_afinfo[afinfo->family], NULL);
d486dd1f	53	mutex_unlock(&afinfo_mutex);
bce8032e PM	54	synchronize_rcu();
	55	}
	56	EXPORT_SYMBOL_GPL(nf_unregister_afinfo);
	57
d1c85c2e	58	#ifdef HAVE_JUMP_LABEL
c5905afb	59	struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
a2d7ec58 ED	60	EXPORT_SYMBOL(nf_hooks_needed);
	61	#endif
	62
fd706d69	63	static DEFINE_MUTEX(nf_hook_mutex);
f6ebe77f	64
085db2c0 EB	65	static struct list_head find_nf_hook_list(struct net net,
085db2c0 EB	66	const struct nf_hook_ops *reg)
f6ebe77f	67	{
0edcf282	68	struct list_head *nf_hook_list = NULL;
f6ebe77f	69
0edcf282	70	if (reg->pf != NFPROTO_NETDEV)
085db2c0	71	nf_hook_list = &net->nf.hooks[reg->pf][reg->hooknum];
0edcf282	72	else if (reg->hooknum == NF_NETDEV_INGRESS) {
e687ad60	73	#ifdef CONFIG_NETFILTER_INGRESS
085db2c0	74	if (reg->dev && dev_net(reg->dev) == net)
e687ad60	75	nf_hook_list = &reg->dev->nf_hooks_ingress;
e687ad60	76	#endif
e687ad60	77	}
0edcf282 EB	78	return nf_hook_list;
0edcf282 EB	79	}
e687ad60	80
085db2c0	81	int nf_register_net_hook(struct net net, const struct nf_hook_ops reg)
0edcf282 EB	82	{
0edcf282 EB	83	struct list_head *nf_hook_list;
085db2c0 EB	84	struct nf_hook_ops elem, new;
	85
	86	new = kzalloc(sizeof(*new), GFP_KERNEL);
	87	if (!new)
	88	return -ENOMEM;
0edcf282	89
085db2c0 EB	90	new->hook = reg->hook;
	91	new->dev = reg->dev;
	92	new->owner = reg->owner;
	93	new->priv = reg->priv;
	94	new->pf = reg->pf;
	95	new->hooknum = reg->hooknum;
	96	new->priority = reg->priority;
	97
	98	nf_hook_list = find_nf_hook_list(net, reg);
0edcf282 EB	99	if (!nf_hook_list)
	100	return -ENOENT;
	101
	102	mutex_lock(&nf_hook_mutex);
e687ad60	103	list_for_each_entry(elem, nf_hook_list, list) {
4c610979	104	if (reg->priority < elem->priority)
f6ebe77f HW	105	break;
f6ebe77f HW	106	}
085db2c0	107	list_add_rcu(&new->list, elem->list.prev);
fd706d69	108	mutex_unlock(&nf_hook_mutex);
4c091156 EB	109	#ifdef CONFIG_NETFILTER_INGRESS
	110	if (reg->pf == NFPROTO_NETDEV && reg->hooknum == NF_NETDEV_INGRESS)
	111	net_inc_ingress_queue();
	112	#endif
d1c85c2e	113	#ifdef HAVE_JUMP_LABEL
c5905afb	114	static_key_slow_inc(&nf_hooks_needed[reg->pf][reg->hooknum]);
a2d7ec58	115	#endif
f6ebe77f HW	116	return 0;
f6ebe77f HW	117	}
085db2c0	118	EXPORT_SYMBOL(nf_register_net_hook);
f6ebe77f	119
085db2c0	120	void nf_unregister_net_hook(struct net net, const struct nf_hook_ops reg)
f6ebe77f	121	{
085db2c0 EB	122	struct list_head *nf_hook_list;
	123	struct nf_hook_ops *elem;
	124
	125	nf_hook_list = find_nf_hook_list(net, reg);
	126	if (!nf_hook_list)
	127	return;
	128
fd706d69	129	mutex_lock(&nf_hook_mutex);
085db2c0 EB	130	list_for_each_entry(elem, nf_hook_list, list) {
	131	if ((reg->hook == elem->hook) &&
	132	(reg->dev == elem->dev) &&
	133	(reg->owner == elem->owner) &&
	134	(reg->priv == elem->priv) &&
	135	(reg->pf == elem->pf) &&
	136	(reg->hooknum == elem->hooknum) &&
	137	(reg->priority == elem->priority)) {
	138	list_del_rcu(&elem->list);
	139	break;
	140	}
	141	}
fd706d69	142	mutex_unlock(&nf_hook_mutex);
085db2c0 EB	143	if (&elem->list == nf_hook_list) {
	144	WARN(1, "nf_unregister_net_hook: hook not found!\n");
	145	return;
	146	}
e687ad60	147	#ifdef CONFIG_NETFILTER_INGRESS
4c091156 EB	148	if (reg->pf == NFPROTO_NETDEV && reg->hooknum == NF_NETDEV_INGRESS)
4c091156 EB	149	net_dec_ingress_queue();
e687ad60	150	#endif
d1c85c2e	151	#ifdef HAVE_JUMP_LABEL
c5905afb	152	static_key_slow_dec(&nf_hooks_needed[reg->pf][reg->hooknum]);
a2d7ec58	153	#endif
f6ebe77f	154	synchronize_net();
085db2c0 EB	155	nf_queue_nf_hook_drop(elem);
	156	kfree(elem);
	157	}
	158	EXPORT_SYMBOL(nf_unregister_net_hook);
	159
	160	int nf_register_net_hooks(struct net net, const struct nf_hook_ops reg,
	161	unsigned int n)
	162	{
	163	unsigned int i;
	164	int err = 0;
	165
	166	for (i = 0; i < n; i++) {
	167	err = nf_register_net_hook(net, &reg[i]);
	168	if (err)
	169	goto err;
	170	}
	171	return err;
	172
	173	err:
	174	if (i > 0)
	175	nf_unregister_net_hooks(net, reg, i);
	176	return err;
	177	}
	178	EXPORT_SYMBOL(nf_register_net_hooks);
	179
	180	void nf_unregister_net_hooks(struct net net, const struct nf_hook_ops reg,
	181	unsigned int n)
	182	{
	183	while (n-- > 0)
	184	nf_unregister_net_hook(net, &reg[n]);
	185	}
	186	EXPORT_SYMBOL(nf_unregister_net_hooks);
	187
	188	static LIST_HEAD(nf_hook_list);
	189
	190	int nf_register_hook(struct nf_hook_ops *reg)
	191	{
	192	struct net net, last;
	193	int ret;
	194
	195	rtnl_lock();
	196	for_each_net(net) {
	197	ret = nf_register_net_hook(net, reg);
	198	if (ret && ret != -ENOENT)
	199	goto rollback;
	200	}
	201	list_add_tail(&reg->list, &nf_hook_list);
	202	rtnl_unlock();
	203
	204	return 0;
	205	rollback:
	206	last = net;
	207	for_each_net(net) {
	208	if (net == last)
	209	break;
	210	nf_unregister_net_hook(net, reg);
	211	}
	212	rtnl_unlock();
	213	return ret;
	214	}
	215	EXPORT_SYMBOL(nf_register_hook);
	216
	217	void nf_unregister_hook(struct nf_hook_ops *reg)
	218	{
219	struct net *net;
220
221	rtnl_lock();
222	list_del(&reg->list);
223	for_each_net(net)
224	nf_unregister_net_hook(net, reg);
225	rtnl_unlock();
f6ebe77f HW	226	}
	227	EXPORT_SYMBOL(nf_unregister_hook);
	228
972d1cb1 PM	229	int nf_register_hooks(struct nf_hook_ops *reg, unsigned int n)
	230	{
	231	unsigned int i;
	232	int err = 0;
	233
	234	for (i = 0; i < n; i++) {
	235	err = nf_register_hook(&reg[i]);
	236	if (err)
	237	goto err;
	238	}
	239	return err;
	240
	241	err:
	242	if (i > 0)
	243	nf_unregister_hooks(reg, i);
	244	return err;
	245	}
	246	EXPORT_SYMBOL(nf_register_hooks);
	247
	248	void nf_unregister_hooks(struct nf_hook_ops *reg, unsigned int n)
	249	{
f68c5301 CG	250	while (n-- > 0)
f68c5301 CG	251	nf_unregister_hook(&reg[n]);
972d1cb1 PM	252	}
	253	EXPORT_SYMBOL(nf_unregister_hooks);
	254
f6ebe77f	255	unsigned int nf_iterate(struct list_head *head,
3db05fea	256	struct sk_buff *skb,
cfdfab31 DM	257	struct nf_hook_state *state,
cfdfab31 DM	258	struct nf_hook_ops **elemp)
f6ebe77f HW	259	{
	260	unsigned int verdict;
	261
	262	/*
	263	* The caller must not block between calls to this
	264	* function because of risk of continuing from deleted element.
	265	*/
2a6decfd	266	list_for_each_entry_continue_rcu((*elemp), head, list) {
cfdfab31	267	if (state->thresh > (*elemp)->priority)
f6ebe77f HW	268	continue;
	269
	270	/* Optimization: we don't need to hold module
601e68e1	271	reference here, since function can't sleep. --RR */
de9963f0	272	repeat:
238e54c9	273	verdict = (elemp)->hook(elemp, skb, state);
f6ebe77f HW	274	if (verdict != NF_ACCEPT) {
	275	#ifdef CONFIG_NETFILTER_DEBUG
	276	if (unlikely((verdict & NF_VERDICT_MASK)
	277	> NF_MAX_VERDICT)) {
	278	NFDEBUG("Evil return from %p(%u).\n",
cfdfab31	279	(*elemp)->hook, state->hook);
f6ebe77f HW	280	continue;
	281	}
	282	#endif
2a6decfd	283	if (verdict != NF_REPEAT)
f6ebe77f	284	return verdict;
de9963f0	285	goto repeat;
f6ebe77f HW	286	}
	287	}
	288	return NF_ACCEPT;
	289	}
	290
	291
	292	/* Returns 1 if okfn() needs to be executed by the caller,
	293	* -EPERM for NF_DROP, 0 otherwise. */
cfdfab31	294	int nf_hook_slow(struct sk_buff skb, struct nf_hook_state state)
f6ebe77f	295	{
2a6decfd	296	struct nf_hook_ops *elem;
f6ebe77f HW	297	unsigned int verdict;
	298	int ret = 0;
	299
	300	/* We may already have this, but read-locks nest anyway */
	301	rcu_read_lock();
	302
f7191483	303	elem = list_entry_rcu(state->hook_list, struct nf_hook_ops, list);
f6ebe77f	304	next_hook:
f7191483	305	verdict = nf_iterate(state->hook_list, skb, state, &elem);
f6ebe77f HW	306	if (verdict == NF_ACCEPT \|\| verdict == NF_STOP) {
f6ebe77f HW	307	ret = 1;
da683650	308	} else if ((verdict & NF_VERDICT_MASK) == NF_DROP) {
3db05fea	309	kfree_skb(skb);
f615df76	310	ret = NF_DROP_GETERR(verdict);
da683650 EP	311	if (ret == 0)
da683650 EP	312	ret = -EPERM;
f9c63990	313	} else if ((verdict & NF_VERDICT_MASK) == NF_QUEUE) {
cfdfab31 DM	314	int err = nf_queue(skb, elem, state,
cfdfab31 DM	315	verdict >> NF_VERDICT_QBITS);
563e1232 FW	316	if (err < 0) {
563e1232 FW	317	if (err == -ECANCELED)
06cdb634	318	goto next_hook;
563e1232	319	if (err == -ESRCH &&
94b27cc3 FW	320	(verdict & NF_VERDICT_FLAG_QUEUE_BYPASS))
94b27cc3 FW	321	goto next_hook;
06cdb634 FW	322	kfree_skb(skb);
06cdb634 FW	323	}
f6ebe77f	324	}
f6ebe77f HW	325	rcu_read_unlock();
	326	return ret;
	327	}
	328	EXPORT_SYMBOL(nf_hook_slow);
	329
	330
37d41879	331	int skb_make_writable(struct sk_buff *skb, unsigned int writable_len)
f6ebe77f	332	{
37d41879	333	if (writable_len > skb->len)
f6ebe77f HW	334	return 0;
	335
	336	/* Not exclusive use of packet? Must copy. */
37d41879 HX	337	if (!skb_cloned(skb)) {
	338	if (writable_len <= skb_headlen(skb))
	339	return 1;
	340	} else if (skb_clone_writable(skb, writable_len))
	341	return 1;
	342
	343	if (writable_len <= skb_headlen(skb))
	344	writable_len = 0;
	345	else
	346	writable_len -= skb_headlen(skb);
	347
	348	return !!__pskb_pull_tail(skb, writable_len);
f6ebe77f HW	349	}
	350	EXPORT_SYMBOL(skb_make_writable);
	351
c0cd1156	352	#if IS_ENABLED(CONFIG_NF_CONNTRACK)
f6ebe77f HW	353	/* This does not belong here, but locally generated errors need it if connection
	354	tracking in use: without this, connection may not be in hash table, and hence
	355	manufactured ICMP or RST packets will not be associated with it. */
312a0c16 PM	356	void (ip_ct_attach)(struct sk_buff , const struct sk_buff *)
312a0c16 PM	357	__rcu __read_mostly;
f6ebe77f HW	358	EXPORT_SYMBOL(ip_ct_attach);
f6ebe77f HW	359
312a0c16	360	void nf_ct_attach(struct sk_buff new, const struct sk_buff skb)
f6ebe77f	361	{
312a0c16	362	void (attach)(struct sk_buff , const struct sk_buff *);
f6ebe77f	363
c3a47ab3 PM	364	if (skb->nfct) {
	365	rcu_read_lock();
	366	attach = rcu_dereference(ip_ct_attach);
	367	if (attach)
	368	attach(new, skb);
	369	rcu_read_unlock();
f6ebe77f HW	370	}
	371	}
	372	EXPORT_SYMBOL(nf_ct_attach);
de6e05c4	373
0e60ebe0	374	void (nf_ct_destroy)(struct nf_conntrack ) __rcu __read_mostly;
de6e05c4 YK	375	EXPORT_SYMBOL(nf_ct_destroy);
	376
	377	void nf_conntrack_destroy(struct nf_conntrack *nfct)
	378	{
	379	void (destroy)(struct nf_conntrack );
	380
	381	rcu_read_lock();
	382	destroy = rcu_dereference(nf_ct_destroy);
	383	BUG_ON(destroy == NULL);
	384	destroy(nfct);
	385	rcu_read_unlock();
	386	}
	387	EXPORT_SYMBOL(nf_conntrack_destroy);
9cb01766	388
5a05fae5	389	struct nfq_ct_hook __rcu *nfq_ct_hook __read_mostly;
9cb01766 PNA	390	EXPORT_SYMBOL_GPL(nfq_ct_hook);
9cb01766 PNA	391
d584a61a PNA	392	struct nfq_ct_nat_hook __rcu *nfq_ct_nat_hook __read_mostly;
	393	EXPORT_SYMBOL_GPL(nfq_ct_nat_hook);
	394
de6e05c4	395	#endif /* CONFIG_NF_CONNTRACK */
f6ebe77f	396
c7232c99 PM	397	#ifdef CONFIG_NF_NAT_NEEDED
	398	void (nf_nat_decode_session_hook)(struct sk_buff , struct flowi *);
	399	EXPORT_SYMBOL(nf_nat_decode_session_hook);
	400	#endif
	401
085db2c0 EB	402	static int nf_register_hook_list(struct net *net)
	403	{
	404	struct nf_hook_ops *elem;
	405	int ret;
	406
	407	rtnl_lock();
	408	list_for_each_entry(elem, &nf_hook_list, list) {
	409	ret = nf_register_net_hook(net, elem);
	410	if (ret && ret != -ENOENT)
	411	goto out_undo;
	412	}
	413	rtnl_unlock();
	414	return 0;
	415
	416	out_undo:
	417	list_for_each_entry_continue_reverse(elem, &nf_hook_list, list)
	418	nf_unregister_net_hook(net, elem);
	419	rtnl_unlock();
	420	return ret;
	421	}
	422
	423	static void nf_unregister_hook_list(struct net *net)
	424	{
	425	struct nf_hook_ops *elem;
	426
	427	rtnl_lock();
	428	list_for_each_entry(elem, &nf_hook_list, list)
	429	nf_unregister_net_hook(net, elem);
	430	rtnl_unlock();
	431	}
	432
f3c1a44a G	433	static int __net_init netfilter_net_init(struct net *net)
f3c1a44a G	434	{
085db2c0 EB	435	int i, h, ret;
	436
	437	for (i = 0; i < ARRAY_SIZE(net->nf.hooks); i++) {
	438	for (h = 0; h < NF_MAX_HOOKS; h++)
	439	INIT_LIST_HEAD(&net->nf.hooks[i][h]);
	440	}
	441
f3c1a44a G	442	#ifdef CONFIG_PROC_FS
	443	net->nf.proc_netfilter = proc_net_mkdir(net, "netfilter",
	444	net->proc_net);
12202fa7 PNA	445	if (!net->nf.proc_netfilter) {
	446	if (!net_eq(net, &init_net))
	447	pr_err("cannot create netfilter proc entry");
	448
f3c1a44a G	449	return -ENOMEM;
	450	}
	451	#endif
085db2c0 EB	452	ret = nf_register_hook_list(net);
	453	if (ret)
	454	remove_proc_entry("netfilter", net->proc_net);
	455
	456	return ret;
f3c1a44a G	457	}
	458
	459	static void __net_exit netfilter_net_exit(struct net *net)
	460	{
085db2c0	461	nf_unregister_hook_list(net);
f3c1a44a G	462	remove_proc_entry("netfilter", net->proc_net);
	463	}
	464
	465	static struct pernet_operations netfilter_net_ops = {
	466	.init = netfilter_net_init,
	467	.exit = netfilter_net_exit,
	468	};
	469
6d11cfdb	470	int __init netfilter_init(void)
f6ebe77f	471	{
085db2c0	472	int ret;
f6ebe77f	473
6d11cfdb PNA	474	ret = register_pernet_subsys(&netfilter_net_ops);
	475	if (ret < 0)
	476	goto err;
	477
	478	ret = netfilter_log_init();
	479	if (ret < 0)
	480	goto err_pernet;
f6ebe77f	481
6d11cfdb PNA	482	return 0;
	483	err_pernet:
	484	unregister_pernet_subsys(&netfilter_net_ops);
	485	err:
	486	return ret;
f6ebe77f	487	}