]> git.proxmox.com Git - mirror_ubuntu-hirsute-kernel.git/blob - net/netfilter/core.c
projects / mirror_ubuntu-hirsute-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
netfilter: xtables: remove __pure annotation
[mirror_ubuntu-hirsute-kernel.git] / net / netfilter / core.c
1 /* netfilter.c: look after the filters for various protocols.
2 * Heavily influenced by the old firewall.c by David Bonn and Alan Cox.
3 *
4 * Thanks to Rob `CmdrTaco' Malda for not influencing this code in any
5 * way.
6 *
7 * Rusty Russell (C)2000 -- This code is GPL.
8 * Patrick McHardy (c) 2006-2012
9 */
10 #include <linux/kernel.h>
11 #include <linux/netfilter.h>
12 #include <net/protocol.h>
13 #include <linux/init.h>
14 #include <linux/skbuff.h>
15 #include <linux/wait.h>
16 #include <linux/module.h>
17 #include <linux/interrupt.h>
18 #include <linux/if.h>
19 #include <linux/netdevice.h>
20 #include <linux/netfilter_ipv6.h>
21 #include <linux/inetdevice.h>
22 #include <linux/proc_fs.h>
23 #include <linux/mutex.h>
24 #include <linux/slab.h>
25 #include <net/net_namespace.h>
26 #include <net/sock.h>
27
28 #include "nf_internals.h"
29
30 static DEFINE_MUTEX(afinfo_mutex);
31
32 const struct nf_afinfo __rcu *nf_afinfo[NFPROTO_NUMPROTO] __read_mostly;
33 EXPORT_SYMBOL(nf_afinfo);
34 const struct nf_ipv6_ops __rcu *nf_ipv6_ops __read_mostly;
35 EXPORT_SYMBOL_GPL(nf_ipv6_ops);
36
37 DEFINE_PER_CPU(bool, nf_skb_duplicated);
38 EXPORT_SYMBOL_GPL(nf_skb_duplicated);
39
40 int nf_register_afinfo(const struct nf_afinfo *afinfo)
41 {
42 mutex_lock(&afinfo_mutex);
43 RCU_INIT_POINTER(nf_afinfo[afinfo->family], afinfo);
44 mutex_unlock(&afinfo_mutex);
45 return 0;
46 }
47 EXPORT_SYMBOL_GPL(nf_register_afinfo);
48
49 void nf_unregister_afinfo(const struct nf_afinfo *afinfo)
50 {
51 mutex_lock(&afinfo_mutex);
52 RCU_INIT_POINTER(nf_afinfo[afinfo->family], NULL);
53 mutex_unlock(&afinfo_mutex);
54 synchronize_rcu();
55 }
56 EXPORT_SYMBOL_GPL(nf_unregister_afinfo);
57
58 #ifdef HAVE_JUMP_LABEL
59 struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
60 EXPORT_SYMBOL(nf_hooks_needed);
61 #endif
62
63 static DEFINE_MUTEX(nf_hook_mutex);
64
65 static struct list_head *find_nf_hook_list(struct net *net,
66 const struct nf_hook_ops *reg)
67 {
68 struct list_head *nf_hook_list = NULL;
69
70 if (reg->pf != NFPROTO_NETDEV)
71 nf_hook_list = &net->nf.hooks[reg->pf][reg->hooknum];
72 else if (reg->hooknum == NF_NETDEV_INGRESS) {
73 #ifdef CONFIG_NETFILTER_INGRESS
74 if (reg->dev && dev_net(reg->dev) == net)
75 nf_hook_list = &reg->dev->nf_hooks_ingress;
76 #endif
77 }
78 return nf_hook_list;
79 }
80
81 int nf_register_net_hook(struct net *net, const struct nf_hook_ops *reg)
82 {
83 struct list_head *nf_hook_list;
84 struct nf_hook_ops *elem, *new;
85
86 new = kzalloc(sizeof(*new), GFP_KERNEL);
87 if (!new)
88 return -ENOMEM;
89
90 new->hook = reg->hook;
91 new->dev = reg->dev;
92 new->owner = reg->owner;
93 new->priv = reg->priv;
94 new->pf = reg->pf;
95 new->hooknum = reg->hooknum;
96 new->priority = reg->priority;
97
98 nf_hook_list = find_nf_hook_list(net, reg);
99 if (!nf_hook_list)
100 return -ENOENT;
101
102 mutex_lock(&nf_hook_mutex);
103 list_for_each_entry(elem, nf_hook_list, list) {
104 if (reg->priority < elem->priority)
105 break;
106 }
107 list_add_rcu(&new->list, elem->list.prev);
108 mutex_unlock(&nf_hook_mutex);
109 #ifdef CONFIG_NETFILTER_INGRESS
110 if (reg->pf == NFPROTO_NETDEV && reg->hooknum == NF_NETDEV_INGRESS)
111 net_inc_ingress_queue();
112 #endif
113 #ifdef HAVE_JUMP_LABEL
114 static_key_slow_inc(&nf_hooks_needed[reg->pf][reg->hooknum]);
115 #endif
116 return 0;
117 }
118 EXPORT_SYMBOL(nf_register_net_hook);
119
120 void nf_unregister_net_hook(struct net *net, const struct nf_hook_ops *reg)
121 {
122 struct list_head *nf_hook_list;
123 struct nf_hook_ops *elem;
124
125 nf_hook_list = find_nf_hook_list(net, reg);
126 if (!nf_hook_list)
127 return;
128
129 mutex_lock(&nf_hook_mutex);
130 list_for_each_entry(elem, nf_hook_list, list) {
131 if ((reg->hook == elem->hook) &&
132 (reg->dev == elem->dev) &&
133 (reg->owner == elem->owner) &&
134 (reg->priv == elem->priv) &&
135 (reg->pf == elem->pf) &&
136 (reg->hooknum == elem->hooknum) &&
137 (reg->priority == elem->priority)) {
138 list_del_rcu(&elem->list);
139 break;
140 }
141 }
142 mutex_unlock(&nf_hook_mutex);
143 if (&elem->list == nf_hook_list) {
144 WARN(1, "nf_unregister_net_hook: hook not found!\n");
145 return;
146 }
147 #ifdef CONFIG_NETFILTER_INGRESS
148 if (reg->pf == NFPROTO_NETDEV && reg->hooknum == NF_NETDEV_INGRESS)
149 net_dec_ingress_queue();
150 #endif
151 #ifdef HAVE_JUMP_LABEL
152 static_key_slow_dec(&nf_hooks_needed[reg->pf][reg->hooknum]);
153 #endif
154 synchronize_net();
155 nf_queue_nf_hook_drop(elem);
156 kfree(elem);
157 }
158 EXPORT_SYMBOL(nf_unregister_net_hook);
159
160 int nf_register_net_hooks(struct net *net, const struct nf_hook_ops *reg,
161 unsigned int n)
162 {
163 unsigned int i;
164 int err = 0;
165
166 for (i = 0; i < n; i++) {
167 err = nf_register_net_hook(net, &reg[i]);
168 if (err)
169 goto err;
170 }
171 return err;
172
173 err:
174 if (i > 0)
175 nf_unregister_net_hooks(net, reg, i);
176 return err;
177 }
178 EXPORT_SYMBOL(nf_register_net_hooks);
179
180 void nf_unregister_net_hooks(struct net *net, const struct nf_hook_ops *reg,
181 unsigned int n)
182 {
183 while (n-- > 0)
184 nf_unregister_net_hook(net, &reg[n]);
185 }
186 EXPORT_SYMBOL(nf_unregister_net_hooks);
187
188 static LIST_HEAD(nf_hook_list);
189
190 int nf_register_hook(struct nf_hook_ops *reg)
191 {
192 struct net *net, *last;
193 int ret;
194
195 rtnl_lock();
196 for_each_net(net) {
197 ret = nf_register_net_hook(net, reg);
198 if (ret && ret != -ENOENT)
199 goto rollback;
200 }
201 list_add_tail(&reg->list, &nf_hook_list);
202 rtnl_unlock();
203
204 return 0;
205 rollback:
206 last = net;
207 for_each_net(net) {
208 if (net == last)
209 break;
210 nf_unregister_net_hook(net, reg);
211 }
212 rtnl_unlock();
213 return ret;
214 }
215 EXPORT_SYMBOL(nf_register_hook);
216
217 void nf_unregister_hook(struct nf_hook_ops *reg)
218 {
219 struct net *net;
220
221 rtnl_lock();
222 list_del(&reg->list);
223 for_each_net(net)
224 nf_unregister_net_hook(net, reg);
225 rtnl_unlock();
226 }
227 EXPORT_SYMBOL(nf_unregister_hook);
228
229 int nf_register_hooks(struct nf_hook_ops *reg, unsigned int n)
230 {
231 unsigned int i;
232 int err = 0;
233
234 for (i = 0; i < n; i++) {
235 err = nf_register_hook(&reg[i]);
236 if (err)
237 goto err;
238 }
239 return err;
240
241 err:
242 if (i > 0)
243 nf_unregister_hooks(reg, i);
244 return err;
245 }
246 EXPORT_SYMBOL(nf_register_hooks);
247
248 void nf_unregister_hooks(struct nf_hook_ops *reg, unsigned int n)
249 {
250 while (n-- > 0)
251 nf_unregister_hook(&reg[n]);
252 }
253 EXPORT_SYMBOL(nf_unregister_hooks);
254
255 unsigned int nf_iterate(struct list_head *head,
256 struct sk_buff *skb,
257 struct nf_hook_state *state,
258 struct nf_hook_ops **elemp)
259 {
260 unsigned int verdict;
261
262 /*
263 * The caller must not block between calls to this
264 * function because of risk of continuing from deleted element.
265 */
266 list_for_each_entry_continue_rcu((*elemp), head, list) {
267 if (state->thresh > (*elemp)->priority)
268 continue;
269
270 /* Optimization: we don't need to hold module
271 reference here, since function can't sleep. --RR */
272 repeat:
273 verdict = (*elemp)->hook(*elemp, skb, state);
274 if (verdict != NF_ACCEPT) {
275 #ifdef CONFIG_NETFILTER_DEBUG
276 if (unlikely((verdict & NF_VERDICT_MASK)
277 > NF_MAX_VERDICT)) {
278 NFDEBUG("Evil return from %p(%u).\n",
279 (*elemp)->hook, state->hook);
280 continue;
281 }
282 #endif
283 if (verdict != NF_REPEAT)
284 return verdict;
285 goto repeat;
286 }
287 }
288 return NF_ACCEPT;
289 }
290
291
292 /* Returns 1 if okfn() needs to be executed by the caller,
293 * -EPERM for NF_DROP, 0 otherwise. */
294 int nf_hook_slow(struct sk_buff *skb, struct nf_hook_state *state)
295 {
296 struct nf_hook_ops *elem;
297 unsigned int verdict;
298 int ret = 0;
299
300 /* We may already have this, but read-locks nest anyway */
301 rcu_read_lock();
302
303 elem = list_entry_rcu(state->hook_list, struct nf_hook_ops, list);
304 next_hook:
305 verdict = nf_iterate(state->hook_list, skb, state, &elem);
306 if (verdict == NF_ACCEPT || verdict == NF_STOP) {
307 ret = 1;
308 } else if ((verdict & NF_VERDICT_MASK) == NF_DROP) {
309 kfree_skb(skb);
310 ret = NF_DROP_GETERR(verdict);
311 if (ret == 0)
312 ret = -EPERM;
313 } else if ((verdict & NF_VERDICT_MASK) == NF_QUEUE) {
314 int err = nf_queue(skb, elem, state,
315 verdict >> NF_VERDICT_QBITS);
316 if (err < 0) {
317 if (err == -ECANCELED)
318 goto next_hook;
319 if (err == -ESRCH &&
320 (verdict & NF_VERDICT_FLAG_QUEUE_BYPASS))
321 goto next_hook;
322 kfree_skb(skb);
323 }
324 }
325 rcu_read_unlock();
326 return ret;
327 }
328 EXPORT_SYMBOL(nf_hook_slow);
329
330
331 int skb_make_writable(struct sk_buff *skb, unsigned int writable_len)
332 {
333 if (writable_len > skb->len)
334 return 0;
335
336 /* Not exclusive use of packet? Must copy. */
337 if (!skb_cloned(skb)) {
338 if (writable_len <= skb_headlen(skb))
339 return 1;
340 } else if (skb_clone_writable(skb, writable_len))
341 return 1;
342
343 if (writable_len <= skb_headlen(skb))
344 writable_len = 0;
345 else
346 writable_len -= skb_headlen(skb);
347
348 return !!__pskb_pull_tail(skb, writable_len);
349 }
350 EXPORT_SYMBOL(skb_make_writable);
351
352 #if IS_ENABLED(CONFIG_NF_CONNTRACK)
353 /* This does not belong here, but locally generated errors need it if connection
354 tracking in use: without this, connection may not be in hash table, and hence
355 manufactured ICMP or RST packets will not be associated with it. */
356 void (*ip_ct_attach)(struct sk_buff *, const struct sk_buff *)
357 __rcu __read_mostly;
358 EXPORT_SYMBOL(ip_ct_attach);
359
360 void nf_ct_attach(struct sk_buff *new, const struct sk_buff *skb)
361 {
362 void (*attach)(struct sk_buff *, const struct sk_buff *);
363
364 if (skb->nfct) {
365 rcu_read_lock();
366 attach = rcu_dereference(ip_ct_attach);
367 if (attach)
368 attach(new, skb);
369 rcu_read_unlock();
370 }
371 }
372 EXPORT_SYMBOL(nf_ct_attach);
373
374 void (*nf_ct_destroy)(struct nf_conntrack *) __rcu __read_mostly;
375 EXPORT_SYMBOL(nf_ct_destroy);
376
377 void nf_conntrack_destroy(struct nf_conntrack *nfct)
378 {
379 void (*destroy)(struct nf_conntrack *);
380
381 rcu_read_lock();
382 destroy = rcu_dereference(nf_ct_destroy);
383 BUG_ON(destroy == NULL);
384 destroy(nfct);
385 rcu_read_unlock();
386 }
387 EXPORT_SYMBOL(nf_conntrack_destroy);
388
389 struct nfq_ct_hook __rcu *nfq_ct_hook __read_mostly;
390 EXPORT_SYMBOL_GPL(nfq_ct_hook);
391
392 struct nfq_ct_nat_hook __rcu *nfq_ct_nat_hook __read_mostly;
393 EXPORT_SYMBOL_GPL(nfq_ct_nat_hook);
394
395 #endif /* CONFIG_NF_CONNTRACK */
396
397 #ifdef CONFIG_NF_NAT_NEEDED
398 void (*nf_nat_decode_session_hook)(struct sk_buff *, struct flowi *);
399 EXPORT_SYMBOL(nf_nat_decode_session_hook);
400 #endif
401
402 static int nf_register_hook_list(struct net *net)
403 {
404 struct nf_hook_ops *elem;
405 int ret;
406
407 rtnl_lock();
408 list_for_each_entry(elem, &nf_hook_list, list) {
409 ret = nf_register_net_hook(net, elem);
410 if (ret && ret != -ENOENT)
411 goto out_undo;
412 }
413 rtnl_unlock();
414 return 0;
415
416 out_undo:
417 list_for_each_entry_continue_reverse(elem, &nf_hook_list, list)
418 nf_unregister_net_hook(net, elem);
419 rtnl_unlock();
420 return ret;
421 }
422
423 static void nf_unregister_hook_list(struct net *net)
424 {
425 struct nf_hook_ops *elem;
426
427 rtnl_lock();
428 list_for_each_entry(elem, &nf_hook_list, list)
429 nf_unregister_net_hook(net, elem);
430 rtnl_unlock();
431 }
432
433 static int __net_init netfilter_net_init(struct net *net)
434 {
435 int i, h, ret;
436
437 for (i = 0; i < ARRAY_SIZE(net->nf.hooks); i++) {
438 for (h = 0; h < NF_MAX_HOOKS; h++)
439 INIT_LIST_HEAD(&net->nf.hooks[i][h]);
440 }
441
442 #ifdef CONFIG_PROC_FS
443 net->nf.proc_netfilter = proc_net_mkdir(net, "netfilter",
444 net->proc_net);
445 if (!net->nf.proc_netfilter) {
446 if (!net_eq(net, &init_net))
447 pr_err("cannot create netfilter proc entry");
448
449 return -ENOMEM;
450 }
451 #endif
452 ret = nf_register_hook_list(net);
453 if (ret)
454 remove_proc_entry("netfilter", net->proc_net);
455
456 return ret;
457 }
458
459 static void __net_exit netfilter_net_exit(struct net *net)
460 {
461 nf_unregister_hook_list(net);
462 remove_proc_entry("netfilter", net->proc_net);
463 }
464
465 static struct pernet_operations netfilter_net_ops = {
466 .init = netfilter_net_init,
467 .exit = netfilter_net_exit,
468 };
469
470 int __init netfilter_init(void)
471 {
472 int ret;
473
474 ret = register_pernet_subsys(&netfilter_net_ops);
475 if (ret < 0)
476 goto err;
477
478 ret = netfilter_log_init();
479 if (ret < 0)
480 goto err_pernet;
481
482 return 0;
483 err_pernet:
484 unregister_pernet_subsys(&netfilter_net_ops);
485 err:
486 return ret;
487 }
Ubuntu Hirsute Linux kernel mirror