Line data Source code
1 : /* SPDX-License-Identifier: GPL-2.0 */
2 : #ifndef __LINUX_NETFILTER_H
3 : #define __LINUX_NETFILTER_H
4 :
5 : #include <linux/init.h>
6 : #include <linux/skbuff.h>
7 : #include <linux/net.h>
8 : #include <linux/if.h>
9 : #include <linux/in.h>
10 : #include <linux/in6.h>
11 : #include <linux/wait.h>
12 : #include <linux/list.h>
13 : #include <linux/static_key.h>
14 : #include <linux/netfilter_defs.h>
15 : #include <linux/netdevice.h>
16 : #include <linux/sockptr.h>
17 : #include <net/net_namespace.h>
18 :
19 0 : static inline int NF_DROP_GETERR(int verdict)
20 : {
21 0 : return -(verdict >> NF_VERDICT_QBITS);
22 : }
23 :
24 : static inline int nf_inet_addr_cmp(const union nf_inet_addr *a1,
25 : const union nf_inet_addr *a2)
26 : {
27 : #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) && BITS_PER_LONG == 64
28 : const unsigned long *ul1 = (const unsigned long *)a1;
29 : const unsigned long *ul2 = (const unsigned long *)a2;
30 :
31 : return ((ul1[0] ^ ul2[0]) | (ul1[1] ^ ul2[1])) == 0UL;
32 : #else
33 : return a1->all[0] == a2->all[0] &&
34 : a1->all[1] == a2->all[1] &&
35 : a1->all[2] == a2->all[2] &&
36 : a1->all[3] == a2->all[3];
37 : #endif
38 : }
39 :
40 : static inline void nf_inet_addr_mask(const union nf_inet_addr *a1,
41 : union nf_inet_addr *result,
42 : const union nf_inet_addr *mask)
43 : {
44 : #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) && BITS_PER_LONG == 64
45 : const unsigned long *ua = (const unsigned long *)a1;
46 : unsigned long *ur = (unsigned long *)result;
47 : const unsigned long *um = (const unsigned long *)mask;
48 :
49 : ur[0] = ua[0] & um[0];
50 : ur[1] = ua[1] & um[1];
51 : #else
52 : result->all[0] = a1->all[0] & mask->all[0];
53 : result->all[1] = a1->all[1] & mask->all[1];
54 : result->all[2] = a1->all[2] & mask->all[2];
55 : result->all[3] = a1->all[3] & mask->all[3];
56 : #endif
57 : }
58 :
59 : int netfilter_init(void);
60 :
61 : struct sk_buff;
62 :
63 : struct nf_hook_ops;
64 :
65 : struct sock;
66 :
67 : struct nf_hook_state {
68 : unsigned int hook;
69 : u_int8_t pf;
70 : struct net_device *in;
71 : struct net_device *out;
72 : struct sock *sk;
73 : struct net *net;
74 : int (*okfn)(struct net *, struct sock *, struct sk_buff *);
75 : };
76 :
77 : typedef unsigned int nf_hookfn(void *priv,
78 : struct sk_buff *skb,
79 : const struct nf_hook_state *state);
80 : struct nf_hook_ops {
81 : /* User fills in from here down. */
82 : nf_hookfn *hook;
83 : struct net_device *dev;
84 : void *priv;
85 : u_int8_t pf;
86 : unsigned int hooknum;
87 : /* Hooks are ordered in ascending priority. */
88 : int priority;
89 : };
90 :
91 : struct nf_hook_entry {
92 : nf_hookfn *hook;
93 : void *priv;
94 : };
95 :
96 : struct nf_hook_entries_rcu_head {
97 : struct rcu_head head;
98 : void *allocation;
99 : };
100 :
101 : struct nf_hook_entries {
102 : u16 num_hook_entries;
103 : /* padding */
104 : struct nf_hook_entry hooks[];
105 :
106 : /* trailer: pointers to original orig_ops of each hook,
107 : * followed by rcu_head and scratch space used for freeing
108 : * the structure via call_rcu.
109 : *
110 : * This is not part of struct nf_hook_entry since its only
111 : * needed in slow path (hook register/unregister):
112 : * const struct nf_hook_ops *orig_ops[]
113 : *
114 : * For the same reason, we store this at end -- its
115 : * only needed when a hook is deleted, not during
116 : * packet path processing:
117 : * struct nf_hook_entries_rcu_head head
118 : */
119 : };
120 :
121 : #ifdef CONFIG_NETFILTER
122 0 : static inline struct nf_hook_ops **nf_hook_entries_get_hook_ops(const struct nf_hook_entries *e)
123 : {
124 0 : unsigned int n = e->num_hook_entries;
125 0 : const void *hook_end;
126 :
127 0 : hook_end = &e->hooks[n]; /* this is *past* ->hooks[]! */
128 :
129 0 : return (struct nf_hook_ops **)hook_end;
130 : }
131 :
132 : static inline int
133 0 : nf_hook_entry_hookfn(const struct nf_hook_entry *entry, struct sk_buff *skb,
134 : struct nf_hook_state *state)
135 : {
136 0 : return entry->hook(entry->priv, skb, state);
137 : }
138 :
139 0 : static inline void nf_hook_state_init(struct nf_hook_state *p,
140 : unsigned int hook,
141 : u_int8_t pf,
142 : struct net_device *indev,
143 : struct net_device *outdev,
144 : struct sock *sk,
145 : struct net *net,
146 : int (*okfn)(struct net *, struct sock *, struct sk_buff *))
147 : {
148 0 : p->hook = hook;
149 0 : p->pf = pf;
150 0 : p->in = indev;
151 0 : p->out = outdev;
152 0 : p->sk = sk;
153 0 : p->net = net;
154 0 : p->okfn = okfn;
155 : }
156 :
157 :
158 :
159 : struct nf_sockopt_ops {
160 : struct list_head list;
161 :
162 : u_int8_t pf;
163 :
164 : /* Non-inclusive ranges: use 0/0/NULL to never get called. */
165 : int set_optmin;
166 : int set_optmax;
167 : int (*set)(struct sock *sk, int optval, sockptr_t arg,
168 : unsigned int len);
169 : int get_optmin;
170 : int get_optmax;
171 : int (*get)(struct sock *sk, int optval, void __user *user, int *len);
172 : /* Use the module struct to lock set/get code in place */
173 : struct module *owner;
174 : };
175 :
176 : /* Function to register/unregister hook points. */
177 : int nf_register_net_hook(struct net *net, const struct nf_hook_ops *ops);
178 : void nf_unregister_net_hook(struct net *net, const struct nf_hook_ops *ops);
179 : int nf_register_net_hooks(struct net *net, const struct nf_hook_ops *reg,
180 : unsigned int n);
181 : void nf_unregister_net_hooks(struct net *net, const struct nf_hook_ops *reg,
182 : unsigned int n);
183 :
184 : /* Functions to register get/setsockopt ranges (non-inclusive). You
185 : need to check permissions yourself! */
186 : int nf_register_sockopt(struct nf_sockopt_ops *reg);
187 : void nf_unregister_sockopt(struct nf_sockopt_ops *reg);
188 :
189 : #ifdef CONFIG_JUMP_LABEL
190 : extern struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
191 : #endif
192 :
193 : int nf_hook_slow(struct sk_buff *skb, struct nf_hook_state *state,
194 : const struct nf_hook_entries *e, unsigned int i);
195 :
196 : void nf_hook_slow_list(struct list_head *head, struct nf_hook_state *state,
197 : const struct nf_hook_entries *e);
198 : /**
199 : * nf_hook - call a netfilter hook
200 : *
201 : * Returns 1 if the hook has allowed the packet to pass. The function
202 : * okfn must be invoked by the caller in this case. Any other return
203 : * value indicates the packet has been consumed by the hook.
204 : */
205 1350 : static inline int nf_hook(u_int8_t pf, unsigned int hook, struct net *net,
206 : struct sock *sk, struct sk_buff *skb,
207 : struct net_device *indev, struct net_device *outdev,
208 : int (*okfn)(struct net *, struct sock *, struct sk_buff *))
209 : {
210 1350 : struct nf_hook_entries *hook_head = NULL;
211 1350 : int ret = 1;
212 :
213 : #ifdef CONFIG_JUMP_LABEL
214 : if (__builtin_constant_p(pf) &&
215 : __builtin_constant_p(hook) &&
216 : !static_key_false(&nf_hooks_needed[pf][hook]))
217 : return 1;
218 : #endif
219 :
220 1350 : rcu_read_lock();
221 1350 : switch (pf) {
222 : case NFPROTO_IPV4:
223 1342 : hook_head = rcu_dereference(net->nf.hooks_ipv4[hook]);
224 : break;
225 : case NFPROTO_IPV6:
226 0 : hook_head = rcu_dereference(net->nf.hooks_ipv6[hook]);
227 : break;
228 : case NFPROTO_ARP:
229 : #ifdef CONFIG_NETFILTER_FAMILY_ARP
230 : if (WARN_ON_ONCE(hook >= ARRAY_SIZE(net->nf.hooks_arp)))
231 : break;
232 : hook_head = rcu_dereference(net->nf.hooks_arp[hook]);
233 : #endif
234 : break;
235 : case NFPROTO_BRIDGE:
236 : #ifdef CONFIG_NETFILTER_FAMILY_BRIDGE
237 : hook_head = rcu_dereference(net->nf.hooks_bridge[hook]);
238 : #endif
239 : break;
240 : #if IS_ENABLED(CONFIG_DECNET)
241 : case NFPROTO_DECNET:
242 : hook_head = rcu_dereference(net->nf.hooks_decnet[hook]);
243 : break;
244 : #endif
245 : default:
246 0 : WARN_ON_ONCE(1);
247 0 : break;
248 : }
249 :
250 1342 : if (hook_head) {
251 0 : struct nf_hook_state state;
252 :
253 0 : nf_hook_state_init(&state, hook, pf, indev, outdev,
254 : sk, net, okfn);
255 :
256 0 : ret = nf_hook_slow(skb, &state, hook_head, 0);
257 : }
258 1350 : rcu_read_unlock();
259 :
260 1350 : return ret;
261 : }
262 :
263 : /* Activate hook; either okfn or kfree_skb called, unless a hook
264 : returns NF_STOLEN (in which case, it's up to the hook to deal with
265 : the consequences).
266 :
267 : Returns -ERRNO if packet dropped. Zero means queued, stolen or
268 : accepted.
269 : */
270 :
271 : /* RR:
272 : > I don't want nf_hook to return anything because people might forget
273 : > about async and trust the return value to mean "packet was ok".
274 :
275 : AK:
276 : Just document it clearly, then you can expect some sense from kernel
277 : coders :)
278 : */
279 :
280 : static inline int
281 444 : NF_HOOK_COND(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk,
282 : struct sk_buff *skb, struct net_device *in, struct net_device *out,
283 : int (*okfn)(struct net *, struct sock *, struct sk_buff *),
284 : bool cond)
285 : {
286 444 : int ret;
287 :
288 444 : if (!cond ||
289 444 : ((ret = nf_hook(pf, hook, net, sk, skb, in, out, okfn)) == 1))
290 444 : ret = okfn(net, sk, skb);
291 444 : return ret;
292 : }
293 :
294 : static inline int
295 462 : NF_HOOK(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk, struct sk_buff *skb,
296 : struct net_device *in, struct net_device *out,
297 : int (*okfn)(struct net *, struct sock *, struct sk_buff *))
298 : {
299 462 : int ret = nf_hook(pf, hook, net, sk, skb, in, out, okfn);
300 462 : if (ret == 1)
301 462 : ret = okfn(net, sk, skb);
302 462 : return ret;
303 : }
304 :
305 : static inline void
306 405 : NF_HOOK_LIST(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk,
307 : struct list_head *head, struct net_device *in, struct net_device *out,
308 : int (*okfn)(struct net *, struct sock *, struct sk_buff *))
309 : {
310 405 : struct nf_hook_entries *hook_head = NULL;
311 :
312 : #ifdef CONFIG_JUMP_LABEL
313 : if (__builtin_constant_p(pf) &&
314 : __builtin_constant_p(hook) &&
315 : !static_key_false(&nf_hooks_needed[pf][hook]))
316 : return;
317 : #endif
318 :
319 405 : rcu_read_lock();
320 405 : switch (pf) {
321 : case NFPROTO_IPV4:
322 405 : hook_head = rcu_dereference(net->nf.hooks_ipv4[hook]);
323 : break;
324 : case NFPROTO_IPV6:
325 0 : hook_head = rcu_dereference(net->nf.hooks_ipv6[hook]);
326 : break;
327 : default:
328 0 : WARN_ON_ONCE(1);
329 0 : break;
330 : }
331 :
332 405 : if (hook_head) {
333 0 : struct nf_hook_state state;
334 :
335 0 : nf_hook_state_init(&state, hook, pf, in, out, sk, net, okfn);
336 :
337 0 : nf_hook_slow_list(head, &state, hook_head);
338 : }
339 405 : rcu_read_unlock();
340 405 : }
341 :
342 : /* Call setsockopt() */
343 : int nf_setsockopt(struct sock *sk, u_int8_t pf, int optval, sockptr_t opt,
344 : unsigned int len);
345 : int nf_getsockopt(struct sock *sk, u_int8_t pf, int optval, char __user *opt,
346 : int *len);
347 :
348 : struct flowi;
349 : struct nf_queue_entry;
350 :
351 : __sum16 nf_checksum(struct sk_buff *skb, unsigned int hook,
352 : unsigned int dataoff, u_int8_t protocol,
353 : unsigned short family);
354 :
355 : __sum16 nf_checksum_partial(struct sk_buff *skb, unsigned int hook,
356 : unsigned int dataoff, unsigned int len,
357 : u_int8_t protocol, unsigned short family);
358 : int nf_route(struct net *net, struct dst_entry **dst, struct flowi *fl,
359 : bool strict, unsigned short family);
360 : int nf_reroute(struct sk_buff *skb, struct nf_queue_entry *entry);
361 :
362 : #include <net/flow.h>
363 :
364 : struct nf_conn;
365 : enum nf_nat_manip_type;
366 : struct nlattr;
367 : enum ip_conntrack_dir;
368 :
369 : struct nf_nat_hook {
370 : int (*parse_nat_setup)(struct nf_conn *ct, enum nf_nat_manip_type manip,
371 : const struct nlattr *attr);
372 : void (*decode_session)(struct sk_buff *skb, struct flowi *fl);
373 : unsigned int (*manip_pkt)(struct sk_buff *skb, struct nf_conn *ct,
374 : enum nf_nat_manip_type mtype,
375 : enum ip_conntrack_dir dir);
376 : };
377 :
378 : extern struct nf_nat_hook __rcu *nf_nat_hook;
379 :
380 : static inline void
381 : nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, u_int8_t family)
382 : {
383 : #if IS_ENABLED(CONFIG_NF_NAT)
384 : struct nf_nat_hook *nat_hook;
385 :
386 : rcu_read_lock();
387 : nat_hook = rcu_dereference(nf_nat_hook);
388 : if (nat_hook && nat_hook->decode_session)
389 : nat_hook->decode_session(skb, fl);
390 : rcu_read_unlock();
391 : #endif
392 : }
393 :
394 : #else /* !CONFIG_NETFILTER */
395 : static inline int
396 : NF_HOOK_COND(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk,
397 : struct sk_buff *skb, struct net_device *in, struct net_device *out,
398 : int (*okfn)(struct net *, struct sock *, struct sk_buff *),
399 : bool cond)
400 : {
401 : return okfn(net, sk, skb);
402 : }
403 :
404 : static inline int
405 : NF_HOOK(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk,
406 : struct sk_buff *skb, struct net_device *in, struct net_device *out,
407 : int (*okfn)(struct net *, struct sock *, struct sk_buff *))
408 : {
409 : return okfn(net, sk, skb);
410 : }
411 :
412 : static inline void
413 : NF_HOOK_LIST(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk,
414 : struct list_head *head, struct net_device *in, struct net_device *out,
415 : int (*okfn)(struct net *, struct sock *, struct sk_buff *))
416 : {
417 : /* nothing to do */
418 : }
419 :
420 : static inline int nf_hook(u_int8_t pf, unsigned int hook, struct net *net,
421 : struct sock *sk, struct sk_buff *skb,
422 : struct net_device *indev, struct net_device *outdev,
423 : int (*okfn)(struct net *, struct sock *, struct sk_buff *))
424 : {
425 : return 1;
426 : }
427 : struct flowi;
428 : static inline void
429 : nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, u_int8_t family)
430 : {
431 : }
432 : #endif /*CONFIG_NETFILTER*/
433 :
434 : #if IS_ENABLED(CONFIG_NF_CONNTRACK)
435 : #include <linux/netfilter/nf_conntrack_zones_common.h>
436 :
437 : extern void (*ip_ct_attach)(struct sk_buff *, const struct sk_buff *) __rcu;
438 : void nf_ct_attach(struct sk_buff *, const struct sk_buff *);
439 : struct nf_conntrack_tuple;
440 : bool nf_ct_get_tuple_skb(struct nf_conntrack_tuple *dst_tuple,
441 : const struct sk_buff *skb);
442 : #else
443 : static inline void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb) {}
444 : struct nf_conntrack_tuple;
445 : static inline bool nf_ct_get_tuple_skb(struct nf_conntrack_tuple *dst_tuple,
446 : const struct sk_buff *skb)
447 : {
448 : return false;
449 : }
450 : #endif
451 :
452 : struct nf_conn;
453 : enum ip_conntrack_info;
454 :
455 : struct nf_ct_hook {
456 : int (*update)(struct net *net, struct sk_buff *skb);
457 : void (*destroy)(struct nf_conntrack *);
458 : bool (*get_tuple_skb)(struct nf_conntrack_tuple *,
459 : const struct sk_buff *);
460 : };
461 : extern struct nf_ct_hook __rcu *nf_ct_hook;
462 :
463 : struct nlattr;
464 :
465 : struct nfnl_ct_hook {
466 : size_t (*build_size)(const struct nf_conn *ct);
467 : int (*build)(struct sk_buff *skb, struct nf_conn *ct,
468 : enum ip_conntrack_info ctinfo,
469 : u_int16_t ct_attr, u_int16_t ct_info_attr);
470 : int (*parse)(const struct nlattr *attr, struct nf_conn *ct);
471 : int (*attach_expect)(const struct nlattr *attr, struct nf_conn *ct,
472 : u32 portid, u32 report);
473 : void (*seq_adjust)(struct sk_buff *skb, struct nf_conn *ct,
474 : enum ip_conntrack_info ctinfo, s32 off);
475 : };
476 : extern struct nfnl_ct_hook __rcu *nfnl_ct_hook;
477 :
478 : /**
479 : * nf_skb_duplicated - TEE target has sent a packet
480 : *
481 : * When a xtables target sends a packet, the OUTPUT and POSTROUTING
482 : * hooks are traversed again, i.e. nft and xtables are invoked recursively.
483 : *
484 : * This is used by xtables TEE target to prevent the duplicated skb from
485 : * being duplicated again.
486 : */
487 : DECLARE_PER_CPU(bool, nf_skb_duplicated);
488 :
489 : #endif /*__LINUX_NETFILTER_H*/
|
