include/linux/netfilter.h at v4.14 · tjh.dev/kernel

tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
kernel / include / linux / netfilter.h
at v4.14 12 kB view raw
  1/* SPDX-License-Identifier: GPL-2.0 */
  2#ifndef __LINUX_NETFILTER_H
  3#define __LINUX_NETFILTER_H
  4
  5#include <linux/init.h>
  6#include <linux/skbuff.h>
  7#include <linux/net.h>
  8#include <linux/if.h>
  9#include <linux/in.h>
 10#include <linux/in6.h>
 11#include <linux/wait.h>
 12#include <linux/list.h>
 13#include <linux/static_key.h>
 14#include <linux/netfilter_defs.h>
 15#include <linux/netdevice.h>
 16#include <net/net_namespace.h>
 17
 18#ifdef CONFIG_NETFILTER
 19static inline int NF_DROP_GETERR(int verdict)
 20{
 21	return -(verdict >> NF_VERDICT_QBITS);
 22}
 23
 24static inline int nf_inet_addr_cmp(const union nf_inet_addr *a1,
 25				   const union nf_inet_addr *a2)
 26{
 27	return a1->all[0] == a2->all[0] &&
 28	       a1->all[1] == a2->all[1] &&
 29	       a1->all[2] == a2->all[2] &&
 30	       a1->all[3] == a2->all[3];
 31}
 32
 33static inline void nf_inet_addr_mask(const union nf_inet_addr *a1,
 34				     union nf_inet_addr *result,
 35				     const union nf_inet_addr *mask)
 36{
 37	result->all[0] = a1->all[0] & mask->all[0];
 38	result->all[1] = a1->all[1] & mask->all[1];
 39	result->all[2] = a1->all[2] & mask->all[2];
 40	result->all[3] = a1->all[3] & mask->all[3];
 41}
 42
 43int netfilter_init(void);
 44
 45struct sk_buff;
 46
 47struct nf_hook_ops;
 48
 49struct sock;
 50
 51struct nf_hook_state {
 52	unsigned int hook;
 53	u_int8_t pf;
 54	struct net_device *in;
 55	struct net_device *out;
 56	struct sock *sk;
 57	struct net *net;
 58	int (*okfn)(struct net *, struct sock *, struct sk_buff *);
 59};
 60
 61typedef unsigned int nf_hookfn(void *priv,
 62			       struct sk_buff *skb,
 63			       const struct nf_hook_state *state);
 64struct nf_hook_ops {
 65	/* User fills in from here down. */
 66	nf_hookfn		*hook;
 67	struct net_device	*dev;
 68	void			*priv;
 69	u_int8_t		pf;
 70	unsigned int		hooknum;
 71	/* Hooks are ordered in ascending priority. */
 72	int			priority;
 73};
 74
 75struct nf_hook_entry {
 76	nf_hookfn			*hook;
 77	void				*priv;
 78};
 79
 80struct nf_hook_entries {
 81	u16				num_hook_entries;
 82	/* padding */
 83	struct nf_hook_entry		hooks[];
 84
 85	/* trailer: pointers to original orig_ops of each hook.
 86	 *
 87	 * This is not part of struct nf_hook_entry since its only
 88	 * needed in slow path (hook register/unregister).
 89	 *
 90	 * const struct nf_hook_ops     *orig_ops[]
 91	 */
 92};
 93
 94static inline struct nf_hook_ops **nf_hook_entries_get_hook_ops(const struct nf_hook_entries *e)
 95{
 96	unsigned int n = e->num_hook_entries;
 97	const void *hook_end;
 98
 99	hook_end = &e->hooks[n]; /* this is *past* ->hooks[]! */
100
101	return (struct nf_hook_ops **)hook_end;
102}
103
104static inline int
105nf_hook_entry_hookfn(const struct nf_hook_entry *entry, struct sk_buff *skb,
106		     struct nf_hook_state *state)
107{
108	return entry->hook(entry->priv, skb, state);
109}
110
111static inline void nf_hook_state_init(struct nf_hook_state *p,
112				      unsigned int hook,
113				      u_int8_t pf,
114				      struct net_device *indev,
115				      struct net_device *outdev,
116				      struct sock *sk,
117				      struct net *net,
118				      int (*okfn)(struct net *, struct sock *, struct sk_buff *))
119{
120	p->hook = hook;
121	p->pf = pf;
122	p->in = indev;
123	p->out = outdev;
124	p->sk = sk;
125	p->net = net;
126	p->okfn = okfn;
127}
128
129
130
131struct nf_sockopt_ops {
132	struct list_head list;
133
134	u_int8_t pf;
135
136	/* Non-inclusive ranges: use 0/0/NULL to never get called. */
137	int set_optmin;
138	int set_optmax;
139	int (*set)(struct sock *sk, int optval, void __user *user, unsigned int len);
140#ifdef CONFIG_COMPAT
141	int (*compat_set)(struct sock *sk, int optval,
142			void __user *user, unsigned int len);
143#endif
144	int get_optmin;
145	int get_optmax;
146	int (*get)(struct sock *sk, int optval, void __user *user, int *len);
147#ifdef CONFIG_COMPAT
148	int (*compat_get)(struct sock *sk, int optval,
149			void __user *user, int *len);
150#endif
151	/* Use the module struct to lock set/get code in place */
152	struct module *owner;
153};
154
155/* Function to register/unregister hook points. */
156int nf_register_net_hook(struct net *net, const struct nf_hook_ops *ops);
157void nf_unregister_net_hook(struct net *net, const struct nf_hook_ops *ops);
158int nf_register_net_hooks(struct net *net, const struct nf_hook_ops *reg,
159			  unsigned int n);
160void nf_unregister_net_hooks(struct net *net, const struct nf_hook_ops *reg,
161			     unsigned int n);
162
163/* Functions to register get/setsockopt ranges (non-inclusive).  You
164   need to check permissions yourself! */
165int nf_register_sockopt(struct nf_sockopt_ops *reg);
166void nf_unregister_sockopt(struct nf_sockopt_ops *reg);
167
168#ifdef HAVE_JUMP_LABEL
169extern struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
170#endif
171
172int nf_hook_slow(struct sk_buff *skb, struct nf_hook_state *state,
173		 const struct nf_hook_entries *e, unsigned int i);
174
175/**
176 *	nf_hook - call a netfilter hook
177 *
178 *	Returns 1 if the hook has allowed the packet to pass.  The function
179 *	okfn must be invoked by the caller in this case.  Any other return
180 *	value indicates the packet has been consumed by the hook.
181 */
182static inline int nf_hook(u_int8_t pf, unsigned int hook, struct net *net,
183			  struct sock *sk, struct sk_buff *skb,
184			  struct net_device *indev, struct net_device *outdev,
185			  int (*okfn)(struct net *, struct sock *, struct sk_buff *))
186{
187	struct nf_hook_entries *hook_head;
188	int ret = 1;
189
190#ifdef HAVE_JUMP_LABEL
191	if (__builtin_constant_p(pf) &&
192	    __builtin_constant_p(hook) &&
193	    !static_key_false(&nf_hooks_needed[pf][hook]))
194		return 1;
195#endif
196
197	rcu_read_lock();
198	hook_head = rcu_dereference(net->nf.hooks[pf][hook]);
199	if (hook_head) {
200		struct nf_hook_state state;
201
202		nf_hook_state_init(&state, hook, pf, indev, outdev,
203				   sk, net, okfn);
204
205		ret = nf_hook_slow(skb, &state, hook_head, 0);
206	}
207	rcu_read_unlock();
208
209	return ret;
210}
211
212/* Activate hook; either okfn or kfree_skb called, unless a hook
213   returns NF_STOLEN (in which case, it's up to the hook to deal with
214   the consequences).
215
216   Returns -ERRNO if packet dropped.  Zero means queued, stolen or
217   accepted.
218*/
219
220/* RR:
221   > I don't want nf_hook to return anything because people might forget
222   > about async and trust the return value to mean "packet was ok".
223
224   AK:
225   Just document it clearly, then you can expect some sense from kernel
226   coders :)
227*/
228
229static inline int
230NF_HOOK_COND(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk,
231	     struct sk_buff *skb, struct net_device *in, struct net_device *out,
232	     int (*okfn)(struct net *, struct sock *, struct sk_buff *),
233	     bool cond)
234{
235	int ret;
236
237	if (!cond ||
238	    ((ret = nf_hook(pf, hook, net, sk, skb, in, out, okfn)) == 1))
239		ret = okfn(net, sk, skb);
240	return ret;
241}
242
243static inline int
244NF_HOOK(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk, struct sk_buff *skb,
245	struct net_device *in, struct net_device *out,
246	int (*okfn)(struct net *, struct sock *, struct sk_buff *))
247{
248	int ret = nf_hook(pf, hook, net, sk, skb, in, out, okfn);
249	if (ret == 1)
250		ret = okfn(net, sk, skb);
251	return ret;
252}
253
254/* Call setsockopt() */
255int nf_setsockopt(struct sock *sk, u_int8_t pf, int optval, char __user *opt,
256		  unsigned int len);
257int nf_getsockopt(struct sock *sk, u_int8_t pf, int optval, char __user *opt,
258		  int *len);
259#ifdef CONFIG_COMPAT
260int compat_nf_setsockopt(struct sock *sk, u_int8_t pf, int optval,
261		char __user *opt, unsigned int len);
262int compat_nf_getsockopt(struct sock *sk, u_int8_t pf, int optval,
263		char __user *opt, int *len);
264#endif
265
266/* Call this before modifying an existing packet: ensures it is
267   modifiable and linear to the point you care about (writable_len).
268   Returns true or false. */
269int skb_make_writable(struct sk_buff *skb, unsigned int writable_len);
270
271struct flowi;
272struct nf_queue_entry;
273
274struct nf_afinfo {
275	unsigned short	family;
276	__sum16		(*checksum)(struct sk_buff *skb, unsigned int hook,
277				    unsigned int dataoff, u_int8_t protocol);
278	__sum16		(*checksum_partial)(struct sk_buff *skb,
279					    unsigned int hook,
280					    unsigned int dataoff,
281					    unsigned int len,
282					    u_int8_t protocol);
283	int		(*route)(struct net *net, struct dst_entry **dst,
284				 struct flowi *fl, bool strict);
285	void		(*saveroute)(const struct sk_buff *skb,
286				     struct nf_queue_entry *entry);
287	int		(*reroute)(struct net *net, struct sk_buff *skb,
288				   const struct nf_queue_entry *entry);
289	int		route_key_size;
290};
291
292extern const struct nf_afinfo __rcu *nf_afinfo[NFPROTO_NUMPROTO];
293static inline const struct nf_afinfo *nf_get_afinfo(unsigned short family)
294{
295	return rcu_dereference(nf_afinfo[family]);
296}
297
298static inline __sum16
299nf_checksum(struct sk_buff *skb, unsigned int hook, unsigned int dataoff,
300	    u_int8_t protocol, unsigned short family)
301{
302	const struct nf_afinfo *afinfo;
303	__sum16 csum = 0;
304
305	rcu_read_lock();
306	afinfo = nf_get_afinfo(family);
307	if (afinfo)
308		csum = afinfo->checksum(skb, hook, dataoff, protocol);
309	rcu_read_unlock();
310	return csum;
311}
312
313static inline __sum16
314nf_checksum_partial(struct sk_buff *skb, unsigned int hook,
315		    unsigned int dataoff, unsigned int len,
316		    u_int8_t protocol, unsigned short family)
317{
318	const struct nf_afinfo *afinfo;
319	__sum16 csum = 0;
320
321	rcu_read_lock();
322	afinfo = nf_get_afinfo(family);
323	if (afinfo)
324		csum = afinfo->checksum_partial(skb, hook, dataoff, len,
325						protocol);
326	rcu_read_unlock();
327	return csum;
328}
329
330int nf_register_afinfo(const struct nf_afinfo *afinfo);
331void nf_unregister_afinfo(const struct nf_afinfo *afinfo);
332
333#include <net/flow.h>
334extern void (*nf_nat_decode_session_hook)(struct sk_buff *, struct flowi *);
335
336static inline void
337nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, u_int8_t family)
338{
339#ifdef CONFIG_NF_NAT_NEEDED
340	void (*decodefn)(struct sk_buff *, struct flowi *);
341
342	rcu_read_lock();
343	decodefn = rcu_dereference(nf_nat_decode_session_hook);
344	if (decodefn)
345		decodefn(skb, fl);
346	rcu_read_unlock();
347#endif
348}
349
350#else /* !CONFIG_NETFILTER */
351static inline int
352NF_HOOK_COND(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk,
353	     struct sk_buff *skb, struct net_device *in, struct net_device *out,
354	     int (*okfn)(struct net *, struct sock *, struct sk_buff *),
355	     bool cond)
356{
357	return okfn(net, sk, skb);
358}
359
360static inline int
361NF_HOOK(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk,
362	struct sk_buff *skb, struct net_device *in, struct net_device *out,
363	int (*okfn)(struct net *, struct sock *, struct sk_buff *))
364{
365	return okfn(net, sk, skb);
366}
367
368static inline int nf_hook(u_int8_t pf, unsigned int hook, struct net *net,
369			  struct sock *sk, struct sk_buff *skb,
370			  struct net_device *indev, struct net_device *outdev,
371			  int (*okfn)(struct net *, struct sock *, struct sk_buff *))
372{
373	return 1;
374}
375struct flowi;
376static inline void
377nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, u_int8_t family)
378{
379}
380#endif /*CONFIG_NETFILTER*/
381
382#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
383#include <linux/netfilter/nf_conntrack_zones_common.h>
384
385extern void (*ip_ct_attach)(struct sk_buff *, const struct sk_buff *) __rcu;
386void nf_ct_attach(struct sk_buff *, const struct sk_buff *);
387extern void (*nf_ct_destroy)(struct nf_conntrack *) __rcu;
388#else
389static inline void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb) {}
390#endif
391
392struct nf_conn;
393enum ip_conntrack_info;
394struct nlattr;
395
396struct nfnl_ct_hook {
397	struct nf_conn *(*get_ct)(const struct sk_buff *skb,
398				  enum ip_conntrack_info *ctinfo);
399	size_t (*build_size)(const struct nf_conn *ct);
400	int (*build)(struct sk_buff *skb, struct nf_conn *ct,
401		     enum ip_conntrack_info ctinfo,
402		     u_int16_t ct_attr, u_int16_t ct_info_attr);
403	int (*parse)(const struct nlattr *attr, struct nf_conn *ct);
404	int (*attach_expect)(const struct nlattr *attr, struct nf_conn *ct,
405			     u32 portid, u32 report);
406	void (*seq_adjust)(struct sk_buff *skb, struct nf_conn *ct,
407			   enum ip_conntrack_info ctinfo, s32 off);
408};
409extern struct nfnl_ct_hook __rcu *nfnl_ct_hook;
410
411/**
412 * nf_skb_duplicated - TEE target has sent a packet
413 *
414 * When a xtables target sends a packet, the OUTPUT and POSTROUTING
415 * hooks are traversed again, i.e. nft and xtables are invoked recursively.
416 *
417 * This is used by xtables TEE target to prevent the duplicated skb from
418 * being duplicated again.
419 */
420DECLARE_PER_CPU(bool, nf_skb_duplicated);
421
422#endif /*__LINUX_NETFILTER_H*/