tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom
kernel / include / linux / netfilter.h
at v4.2 11 kB view raw
1#ifndef __LINUX_NETFILTER_H 2#define __LINUX_NETFILTER_H 3 4#include <linux/init.h> 5#include <linux/skbuff.h> 6#include <linux/net.h> 7#include <linux/if.h> 8#include <linux/in.h> 9#include <linux/in6.h> 10#include <linux/wait.h> 11#include <linux/list.h> 12#include <linux/static_key.h> 13#include <linux/netfilter_defs.h> 14 15#ifdef CONFIG_NETFILTER 16static inline int NF_DROP_GETERR(int verdict) 17{ 18 return -(verdict >> NF_VERDICT_QBITS); 19} 20 21static inline int nf_inet_addr_cmp(const union nf_inet_addr *a1, 22 const union nf_inet_addr *a2) 23{ 24 return a1->all[0] == a2->all[0] && 25 a1->all[1] == a2->all[1] && 26 a1->all[2] == a2->all[2] && 27 a1->all[3] == a2->all[3]; 28} 29 30static inline void nf_inet_addr_mask(const union nf_inet_addr *a1, 31 union nf_inet_addr *result, 32 const union nf_inet_addr *mask) 33{ 34 result->all[0] = a1->all[0] & mask->all[0]; 35 result->all[1] = a1->all[1] & mask->all[1]; 36 result->all[2] = a1->all[2] & mask->all[2]; 37 result->all[3] = a1->all[3] & mask->all[3]; 38} 39 40int netfilter_init(void); 41 42struct sk_buff; 43 44struct nf_hook_ops; 45 46struct sock; 47 48struct nf_hook_state { 49 unsigned int hook; 50 int thresh; 51 u_int8_t pf; 52 struct net_device *in; 53 struct net_device *out; 54 struct sock *sk; 55 struct list_head *hook_list; 56 int (*okfn)(struct sock *, struct sk_buff *); 57}; 58 59static inline void nf_hook_state_init(struct nf_hook_state *p, 60 struct list_head *hook_list, 61 unsigned int hook, 62 int thresh, u_int8_t pf, 63 struct net_device *indev, 64 struct net_device *outdev, 65 struct sock *sk, 66 int (*okfn)(struct sock *, struct sk_buff *)) 67{ 68 p->hook = hook; 69 p->thresh = thresh; 70 p->pf = pf; 71 p->in = indev; 72 p->out = outdev; 73 p->sk = sk; 74 p->hook_list = hook_list; 75 p->okfn = okfn; 76} 77 78typedef unsigned int nf_hookfn(const struct nf_hook_ops *ops, 79 struct sk_buff *skb, 80 const struct nf_hook_state *state); 81 82struct nf_hook_ops { 83 struct list_head list; 84 85 /* User fills in from here down. */ 86 nf_hookfn *hook; 87 struct net_device *dev; 88 struct module *owner; 89 void *priv; 90 u_int8_t pf; 91 unsigned int hooknum; 92 /* Hooks are ordered in ascending priority. */ 93 int priority; 94}; 95 96struct nf_sockopt_ops { 97 struct list_head list; 98 99 u_int8_t pf; 100 101 /* Non-inclusive ranges: use 0/0/NULL to never get called. */ 102 int set_optmin; 103 int set_optmax; 104 int (*set)(struct sock *sk, int optval, void __user *user, unsigned int len); 105#ifdef CONFIG_COMPAT 106 int (*compat_set)(struct sock *sk, int optval, 107 void __user *user, unsigned int len); 108#endif 109 int get_optmin; 110 int get_optmax; 111 int (*get)(struct sock *sk, int optval, void __user *user, int *len); 112#ifdef CONFIG_COMPAT 113 int (*compat_get)(struct sock *sk, int optval, 114 void __user *user, int *len); 115#endif 116 /* Use the module struct to lock set/get code in place */ 117 struct module *owner; 118}; 119 120/* Function to register/unregister hook points. */ 121int nf_register_hook(struct nf_hook_ops *reg); 122void nf_unregister_hook(struct nf_hook_ops *reg); 123int nf_register_hooks(struct nf_hook_ops *reg, unsigned int n); 124void nf_unregister_hooks(struct nf_hook_ops *reg, unsigned int n); 125 126/* Functions to register get/setsockopt ranges (non-inclusive). You 127 need to check permissions yourself! */ 128int nf_register_sockopt(struct nf_sockopt_ops *reg); 129void nf_unregister_sockopt(struct nf_sockopt_ops *reg); 130 131extern struct list_head nf_hooks[NFPROTO_NUMPROTO][NF_MAX_HOOKS]; 132 133#ifdef HAVE_JUMP_LABEL 134extern struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS]; 135 136static inline bool nf_hook_list_active(struct list_head *nf_hook_list, 137 u_int8_t pf, unsigned int hook) 138{ 139 if (__builtin_constant_p(pf) && 140 __builtin_constant_p(hook)) 141 return static_key_false(&nf_hooks_needed[pf][hook]); 142 143 return !list_empty(nf_hook_list); 144} 145#else 146static inline bool nf_hook_list_active(struct list_head *nf_hook_list, 147 u_int8_t pf, unsigned int hook) 148{ 149 return !list_empty(nf_hook_list); 150} 151#endif 152 153static inline bool nf_hooks_active(u_int8_t pf, unsigned int hook) 154{ 155 return nf_hook_list_active(&nf_hooks[pf][hook], pf, hook); 156} 157 158int nf_hook_slow(struct sk_buff *skb, struct nf_hook_state *state); 159 160/** 161 * nf_hook_thresh - call a netfilter hook 162 * 163 * Returns 1 if the hook has allowed the packet to pass. The function 164 * okfn must be invoked by the caller in this case. Any other return 165 * value indicates the packet has been consumed by the hook. 166 */ 167static inline int nf_hook_thresh(u_int8_t pf, unsigned int hook, 168 struct sock *sk, 169 struct sk_buff *skb, 170 struct net_device *indev, 171 struct net_device *outdev, 172 int (*okfn)(struct sock *, struct sk_buff *), 173 int thresh) 174{ 175 if (nf_hooks_active(pf, hook)) { 176 struct nf_hook_state state; 177 178 nf_hook_state_init(&state, &nf_hooks[pf][hook], hook, thresh, 179 pf, indev, outdev, sk, okfn); 180 return nf_hook_slow(skb, &state); 181 } 182 return 1; 183} 184 185static inline int nf_hook(u_int8_t pf, unsigned int hook, struct sock *sk, 186 struct sk_buff *skb, struct net_device *indev, 187 struct net_device *outdev, 188 int (*okfn)(struct sock *, struct sk_buff *)) 189{ 190 return nf_hook_thresh(pf, hook, sk, skb, indev, outdev, okfn, INT_MIN); 191} 192 193/* Activate hook; either okfn or kfree_skb called, unless a hook 194 returns NF_STOLEN (in which case, it's up to the hook to deal with 195 the consequences). 196 197 Returns -ERRNO if packet dropped. Zero means queued, stolen or 198 accepted. 199*/ 200 201/* RR: 202 > I don't want nf_hook to return anything because people might forget 203 > about async and trust the return value to mean "packet was ok". 204 205 AK: 206 Just document it clearly, then you can expect some sense from kernel 207 coders :) 208*/ 209 210static inline int 211NF_HOOK_THRESH(uint8_t pf, unsigned int hook, struct sock *sk, 212 struct sk_buff *skb, struct net_device *in, 213 struct net_device *out, 214 int (*okfn)(struct sock *, struct sk_buff *), int thresh) 215{ 216 int ret = nf_hook_thresh(pf, hook, sk, skb, in, out, okfn, thresh); 217 if (ret == 1) 218 ret = okfn(sk, skb); 219 return ret; 220} 221 222static inline int 223NF_HOOK_COND(uint8_t pf, unsigned int hook, struct sock *sk, 224 struct sk_buff *skb, struct net_device *in, struct net_device *out, 225 int (*okfn)(struct sock *, struct sk_buff *), bool cond) 226{ 227 int ret; 228 229 if (!cond || 230 ((ret = nf_hook_thresh(pf, hook, sk, skb, in, out, okfn, INT_MIN)) == 1)) 231 ret = okfn(sk, skb); 232 return ret; 233} 234 235static inline int 236NF_HOOK(uint8_t pf, unsigned int hook, struct sock *sk, struct sk_buff *skb, 237 struct net_device *in, struct net_device *out, 238 int (*okfn)(struct sock *, struct sk_buff *)) 239{ 240 return NF_HOOK_THRESH(pf, hook, sk, skb, in, out, okfn, INT_MIN); 241} 242 243/* Call setsockopt() */ 244int nf_setsockopt(struct sock *sk, u_int8_t pf, int optval, char __user *opt, 245 unsigned int len); 246int nf_getsockopt(struct sock *sk, u_int8_t pf, int optval, char __user *opt, 247 int *len); 248#ifdef CONFIG_COMPAT 249int compat_nf_setsockopt(struct sock *sk, u_int8_t pf, int optval, 250 char __user *opt, unsigned int len); 251int compat_nf_getsockopt(struct sock *sk, u_int8_t pf, int optval, 252 char __user *opt, int *len); 253#endif 254 255/* Call this before modifying an existing packet: ensures it is 256 modifiable and linear to the point you care about (writable_len). 257 Returns true or false. */ 258int skb_make_writable(struct sk_buff *skb, unsigned int writable_len); 259 260struct flowi; 261struct nf_queue_entry; 262 263struct nf_afinfo { 264 unsigned short family; 265 __sum16 (*checksum)(struct sk_buff *skb, unsigned int hook, 266 unsigned int dataoff, u_int8_t protocol); 267 __sum16 (*checksum_partial)(struct sk_buff *skb, 268 unsigned int hook, 269 unsigned int dataoff, 270 unsigned int len, 271 u_int8_t protocol); 272 int (*route)(struct net *net, struct dst_entry **dst, 273 struct flowi *fl, bool strict); 274 void (*saveroute)(const struct sk_buff *skb, 275 struct nf_queue_entry *entry); 276 int (*reroute)(struct sk_buff *skb, 277 const struct nf_queue_entry *entry); 278 int route_key_size; 279}; 280 281extern const struct nf_afinfo __rcu *nf_afinfo[NFPROTO_NUMPROTO]; 282static inline const struct nf_afinfo *nf_get_afinfo(unsigned short family) 283{ 284 return rcu_dereference(nf_afinfo[family]); 285} 286 287static inline __sum16 288nf_checksum(struct sk_buff *skb, unsigned int hook, unsigned int dataoff, 289 u_int8_t protocol, unsigned short family) 290{ 291 const struct nf_afinfo *afinfo; 292 __sum16 csum = 0; 293 294 rcu_read_lock(); 295 afinfo = nf_get_afinfo(family); 296 if (afinfo) 297 csum = afinfo->checksum(skb, hook, dataoff, protocol); 298 rcu_read_unlock(); 299 return csum; 300} 301 302static inline __sum16 303nf_checksum_partial(struct sk_buff *skb, unsigned int hook, 304 unsigned int dataoff, unsigned int len, 305 u_int8_t protocol, unsigned short family) 306{ 307 const struct nf_afinfo *afinfo; 308 __sum16 csum = 0; 309 310 rcu_read_lock(); 311 afinfo = nf_get_afinfo(family); 312 if (afinfo) 313 csum = afinfo->checksum_partial(skb, hook, dataoff, len, 314 protocol); 315 rcu_read_unlock(); 316 return csum; 317} 318 319int nf_register_afinfo(const struct nf_afinfo *afinfo); 320void nf_unregister_afinfo(const struct nf_afinfo *afinfo); 321 322#include <net/flow.h> 323extern void (*nf_nat_decode_session_hook)(struct sk_buff *, struct flowi *); 324 325static inline void 326nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, u_int8_t family) 327{ 328#ifdef CONFIG_NF_NAT_NEEDED 329 void (*decodefn)(struct sk_buff *, struct flowi *); 330 331 rcu_read_lock(); 332 decodefn = rcu_dereference(nf_nat_decode_session_hook); 333 if (decodefn) 334 decodefn(skb, fl); 335 rcu_read_unlock(); 336#endif 337} 338 339#else /* !CONFIG_NETFILTER */ 340#define NF_HOOK(pf, hook, sk, skb, indev, outdev, okfn) (okfn)(sk, skb) 341#define NF_HOOK_COND(pf, hook, sk, skb, indev, outdev, okfn, cond) (okfn)(sk, skb) 342static inline int nf_hook_thresh(u_int8_t pf, unsigned int hook, 343 struct sock *sk, 344 struct sk_buff *skb, 345 struct net_device *indev, 346 struct net_device *outdev, 347 int (*okfn)(struct sock *sk, struct sk_buff *), int thresh) 348{ 349 return okfn(sk, skb); 350} 351static inline int nf_hook(u_int8_t pf, unsigned int hook, struct sock *sk, 352 struct sk_buff *skb, struct net_device *indev, 353 struct net_device *outdev, 354 int (*okfn)(struct sock *, struct sk_buff *)) 355{ 356 return 1; 357} 358struct flowi; 359static inline void 360nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, u_int8_t family) 361{ 362} 363#endif /*CONFIG_NETFILTER*/ 364 365#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE) 366extern void (*ip_ct_attach)(struct sk_buff *, const struct sk_buff *) __rcu; 367void nf_ct_attach(struct sk_buff *, const struct sk_buff *); 368extern void (*nf_ct_destroy)(struct nf_conntrack *) __rcu; 369 370struct nf_conn; 371enum ip_conntrack_info; 372struct nlattr; 373 374struct nfq_ct_hook { 375 size_t (*build_size)(const struct nf_conn *ct); 376 int (*build)(struct sk_buff *skb, struct nf_conn *ct); 377 int (*parse)(const struct nlattr *attr, struct nf_conn *ct); 378 int (*attach_expect)(const struct nlattr *attr, struct nf_conn *ct, 379 u32 portid, u32 report); 380 void (*seq_adjust)(struct sk_buff *skb, struct nf_conn *ct, 381 enum ip_conntrack_info ctinfo, s32 off); 382}; 383extern struct nfq_ct_hook __rcu *nfq_ct_hook; 384#else 385static inline void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb) {} 386#endif 387 388#endif /*__LINUX_NETFILTER_H*/