Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
core.c
Go to the documentation of this file.
1 /* netfilter.c: look after the filters for various protocols.
2  * Heavily influenced by the old firewall.c by David Bonn and Alan Cox.
3  *
4  * Thanks to Rob `CmdrTaco' Malda for not influencing this code in any
5  * way.
6  *
7  * Rusty Russell (C)2000 -- This code is GPL.
8  */
9 #include <linux/kernel.h>
10 #include <linux/netfilter.h>
11 #include <net/protocol.h>
12 #include <linux/init.h>
13 #include <linux/skbuff.h>
14 #include <linux/wait.h>
15 #include <linux/module.h>
16 #include <linux/interrupt.h>
17 #include <linux/if.h>
18 #include <linux/netdevice.h>
19 #include <linux/inetdevice.h>
20 #include <linux/proc_fs.h>
21 #include <linux/mutex.h>
22 #include <linux/slab.h>
23 #include <net/net_namespace.h>
24 #include <net/sock.h>
25 
26 #include "nf_internals.h"
27 
28 static DEFINE_MUTEX(afinfo_mutex);
29 
30 const struct nf_afinfo __rcu *nf_afinfo[NFPROTO_NUMPROTO] __read_mostly;
31 EXPORT_SYMBOL(nf_afinfo);
32 
33 int nf_register_afinfo(const struct nf_afinfo *afinfo)
34 {
35  int err;
36 
37  err = mutex_lock_interruptible(&afinfo_mutex);
38  if (err < 0)
39  return err;
40  RCU_INIT_POINTER(nf_afinfo[afinfo->family], afinfo);
41  mutex_unlock(&afinfo_mutex);
42  return 0;
43 }
44 EXPORT_SYMBOL_GPL(nf_register_afinfo);
45 
46 void nf_unregister_afinfo(const struct nf_afinfo *afinfo)
47 {
48  mutex_lock(&afinfo_mutex);
49  RCU_INIT_POINTER(nf_afinfo[afinfo->family], NULL);
50  mutex_unlock(&afinfo_mutex);
51  synchronize_rcu();
52 }
53 EXPORT_SYMBOL_GPL(nf_unregister_afinfo);
54 
55 struct list_head nf_hooks[NFPROTO_NUMPROTO][NF_MAX_HOOKS] __read_mostly;
56 EXPORT_SYMBOL(nf_hooks);
57 
58 #if defined(CONFIG_JUMP_LABEL)
59 struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
60 EXPORT_SYMBOL(nf_hooks_needed);
61 #endif
62 
63 static DEFINE_MUTEX(nf_hook_mutex);
64 
65 int nf_register_hook(struct nf_hook_ops *reg)
66 {
67  struct nf_hook_ops *elem;
68  int err;
69 
70  err = mutex_lock_interruptible(&nf_hook_mutex);
71  if (err < 0)
72  return err;
73  list_for_each_entry(elem, &nf_hooks[reg->pf][reg->hooknum], list) {
74  if (reg->priority < elem->priority)
75  break;
76  }
77  list_add_rcu(&reg->list, elem->list.prev);
78  mutex_unlock(&nf_hook_mutex);
79 #if defined(CONFIG_JUMP_LABEL)
80  static_key_slow_inc(&nf_hooks_needed[reg->pf][reg->hooknum]);
81 #endif
82  return 0;
83 }
84 EXPORT_SYMBOL(nf_register_hook);
85 
86 void nf_unregister_hook(struct nf_hook_ops *reg)
87 {
88  mutex_lock(&nf_hook_mutex);
89  list_del_rcu(&reg->list);
90  mutex_unlock(&nf_hook_mutex);
91 #if defined(CONFIG_JUMP_LABEL)
92  static_key_slow_dec(&nf_hooks_needed[reg->pf][reg->hooknum]);
93 #endif
94  synchronize_net();
95 }
96 EXPORT_SYMBOL(nf_unregister_hook);
97 
98 int nf_register_hooks(struct nf_hook_ops *reg, unsigned int n)
99 {
100  unsigned int i;
101  int err = 0;
102 
103  for (i = 0; i < n; i++) {
104  err = nf_register_hook(&reg[i]);
105  if (err)
106  goto err;
107  }
108  return err;
109 
110 err:
111  if (i > 0)
112  nf_unregister_hooks(reg, i);
113  return err;
114 }
115 EXPORT_SYMBOL(nf_register_hooks);
116 
117 void nf_unregister_hooks(struct nf_hook_ops *reg, unsigned int n)
118 {
119  while (n-- > 0)
120  nf_unregister_hook(&reg[n]);
121 }
122 EXPORT_SYMBOL(nf_unregister_hooks);
123 
124 unsigned int nf_iterate(struct list_head *head,
125  struct sk_buff *skb,
126  unsigned int hook,
127  const struct net_device *indev,
128  const struct net_device *outdev,
129  struct nf_hook_ops **elemp,
130  int (*okfn)(struct sk_buff *),
131  int hook_thresh)
132 {
133  unsigned int verdict;
134 
135  /*
136  * The caller must not block between calls to this
137  * function because of risk of continuing from deleted element.
138  */
139  list_for_each_entry_continue_rcu((*elemp), head, list) {
140  if (hook_thresh > (*elemp)->priority)
141  continue;
142 
143  /* Optimization: we don't need to hold module
144  reference here, since function can't sleep. --RR */
145 repeat:
146  verdict = (*elemp)->hook(hook, skb, indev, outdev, okfn);
147  if (verdict != NF_ACCEPT) {
148 #ifdef CONFIG_NETFILTER_DEBUG
149  if (unlikely((verdict & NF_VERDICT_MASK)
150  > NF_MAX_VERDICT)) {
151  NFDEBUG("Evil return from %p(%u).\n",
152  (*elemp)->hook, hook);
153  continue;
154  }
155 #endif
156  if (verdict != NF_REPEAT)
157  return verdict;
158  goto repeat;
159  }
160  }
161  return NF_ACCEPT;
162 }
163 
164 
165 /* Returns 1 if okfn() needs to be executed by the caller,
166  * -EPERM for NF_DROP, 0 otherwise. */
167 int nf_hook_slow(u_int8_t pf, unsigned int hook, struct sk_buff *skb,
168  struct net_device *indev,
169  struct net_device *outdev,
170  int (*okfn)(struct sk_buff *),
171  int hook_thresh)
172 {
173  struct nf_hook_ops *elem;
174  unsigned int verdict;
175  int ret = 0;
176 
177  /* We may already have this, but read-locks nest anyway */
178  rcu_read_lock();
179 
180  elem = list_entry_rcu(&nf_hooks[pf][hook], struct nf_hook_ops, list);
181 next_hook:
182  verdict = nf_iterate(&nf_hooks[pf][hook], skb, hook, indev,
183  outdev, &elem, okfn, hook_thresh);
184  if (verdict == NF_ACCEPT || verdict == NF_STOP) {
185  ret = 1;
186  } else if ((verdict & NF_VERDICT_MASK) == NF_DROP) {
187  kfree_skb(skb);
188  ret = NF_DROP_GETERR(verdict);
189  if (ret == 0)
190  ret = -EPERM;
191  } else if ((verdict & NF_VERDICT_MASK) == NF_QUEUE) {
192  int err = nf_queue(skb, elem, pf, hook, indev, outdev, okfn,
193  verdict >> NF_VERDICT_QBITS);
194  if (err < 0) {
195  if (err == -ECANCELED)
196  goto next_hook;
197  if (err == -ESRCH &&
198  (verdict & NF_VERDICT_FLAG_QUEUE_BYPASS))
199  goto next_hook;
200  kfree_skb(skb);
201  }
202  }
203  rcu_read_unlock();
204  return ret;
205 }
206 EXPORT_SYMBOL(nf_hook_slow);
207 
208 
209 int skb_make_writable(struct sk_buff *skb, unsigned int writable_len)
210 {
211  if (writable_len > skb->len)
212  return 0;
213 
214  /* Not exclusive use of packet? Must copy. */
215  if (!skb_cloned(skb)) {
216  if (writable_len <= skb_headlen(skb))
217  return 1;
218  } else if (skb_clone_writable(skb, writable_len))
219  return 1;
220 
221  if (writable_len <= skb_headlen(skb))
222  writable_len = 0;
223  else
224  writable_len -= skb_headlen(skb);
225 
226  return !!__pskb_pull_tail(skb, writable_len);
227 }
228 EXPORT_SYMBOL(skb_make_writable);
229 
230 #if IS_ENABLED(CONFIG_NF_CONNTRACK)
231 /* This does not belong here, but locally generated errors need it if connection
232  tracking in use: without this, connection may not be in hash table, and hence
233  manufactured ICMP or RST packets will not be associated with it. */
234 void (*ip_ct_attach)(struct sk_buff *, struct sk_buff *) __rcu __read_mostly;
235 EXPORT_SYMBOL(ip_ct_attach);
236 
237 void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb)
238 {
239  void (*attach)(struct sk_buff *, struct sk_buff *);
240 
241  if (skb->nfct) {
242  rcu_read_lock();
243  attach = rcu_dereference(ip_ct_attach);
244  if (attach)
245  attach(new, skb);
246  rcu_read_unlock();
247  }
248 }
249 EXPORT_SYMBOL(nf_ct_attach);
250 
251 void (*nf_ct_destroy)(struct nf_conntrack *) __rcu __read_mostly;
252 EXPORT_SYMBOL(nf_ct_destroy);
253 
254 void nf_conntrack_destroy(struct nf_conntrack *nfct)
255 {
256  void (*destroy)(struct nf_conntrack *);
257 
258  rcu_read_lock();
259  destroy = rcu_dereference(nf_ct_destroy);
260  BUG_ON(destroy == NULL);
261  destroy(nfct);
262  rcu_read_unlock();
263 }
264 EXPORT_SYMBOL(nf_conntrack_destroy);
265 
266 struct nfq_ct_hook __rcu *nfq_ct_hook __read_mostly;
267 EXPORT_SYMBOL_GPL(nfq_ct_hook);
268 
269 struct nfq_ct_nat_hook __rcu *nfq_ct_nat_hook __read_mostly;
270 EXPORT_SYMBOL_GPL(nfq_ct_nat_hook);
271 
272 #endif /* CONFIG_NF_CONNTRACK */
273 
274 #ifdef CONFIG_NF_NAT_NEEDED
275 void (*nf_nat_decode_session_hook)(struct sk_buff *, struct flowi *);
276 EXPORT_SYMBOL(nf_nat_decode_session_hook);
277 #endif
278 
279 #ifdef CONFIG_PROC_FS
280 struct proc_dir_entry *proc_net_netfilter;
281 EXPORT_SYMBOL(proc_net_netfilter);
282 #endif
283 
284 void __init netfilter_init(void)
285 {
286  int i, h;
287  for (i = 0; i < ARRAY_SIZE(nf_hooks); i++) {
288  for (h = 0; h < NF_MAX_HOOKS; h++)
289  INIT_LIST_HEAD(&nf_hooks[i][h]);
290  }
291 
292 #ifdef CONFIG_PROC_FS
293  proc_net_netfilter = proc_mkdir("netfilter", init_net.proc_net);
294  if (!proc_net_netfilter)
295  panic("cannot create netfilter proc entry");
296 #endif
297 
298  if (netfilter_queue_init() < 0)
299  panic("cannot initialize nf_queue");
300  if (netfilter_log_init() < 0)
301  panic("cannot initialize nf_log");
302 }
Generated on Thu Jan 10 2013 12:58:00 for Linux Kernel by   doxygen 1.8.2