net/netfilter/nf_queue.c at v5.16 · tjh.dev/kernel

tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
kernel / net / netfilter / nf_queue.c
at v5.16 7.6 kB view raw
  1/*
  2 * Rusty Russell (C)2000 -- This code is GPL.
  3 * Patrick McHardy (c) 2006-2012
  4 */
  5
  6#include <linux/kernel.h>
  7#include <linux/slab.h>
  8#include <linux/init.h>
  9#include <linux/module.h>
 10#include <linux/proc_fs.h>
 11#include <linux/skbuff.h>
 12#include <linux/netfilter.h>
 13#include <linux/netfilter_ipv4.h>
 14#include <linux/netfilter_ipv6.h>
 15#include <linux/netfilter_bridge.h>
 16#include <linux/seq_file.h>
 17#include <linux/rcupdate.h>
 18#include <net/protocol.h>
 19#include <net/netfilter/nf_queue.h>
 20#include <net/dst.h>
 21
 22#include "nf_internals.h"
 23
 24static const struct nf_queue_handler __rcu *nf_queue_handler;
 25
 26/*
 27 * Hook for nfnetlink_queue to register its queue handler.
 28 * We do this so that most of the NFQUEUE code can be modular.
 29 *
 30 * Once the queue is registered it must reinject all packets it
 31 * receives, no matter what.
 32 */
 33
 34void nf_register_queue_handler(const struct nf_queue_handler *qh)
 35{
 36	/* should never happen, we only have one queueing backend in kernel */
 37	WARN_ON(rcu_access_pointer(nf_queue_handler));
 38	rcu_assign_pointer(nf_queue_handler, qh);
 39}
 40EXPORT_SYMBOL(nf_register_queue_handler);
 41
 42/* The caller must flush their queue before this */
 43void nf_unregister_queue_handler(void)
 44{
 45	RCU_INIT_POINTER(nf_queue_handler, NULL);
 46}
 47EXPORT_SYMBOL(nf_unregister_queue_handler);
 48
 49static void nf_queue_entry_release_refs(struct nf_queue_entry *entry)
 50{
 51	struct nf_hook_state *state = &entry->state;
 52
 53	/* Release those devices we held, or Alexey will kill me. */
 54	dev_put(state->in);
 55	dev_put(state->out);
 56	if (state->sk)
 57		sock_put(state->sk);
 58
 59#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
 60	dev_put(entry->physin);
 61	dev_put(entry->physout);
 62#endif
 63}
 64
 65void nf_queue_entry_free(struct nf_queue_entry *entry)
 66{
 67	nf_queue_entry_release_refs(entry);
 68	kfree(entry);
 69}
 70EXPORT_SYMBOL_GPL(nf_queue_entry_free);
 71
 72static void __nf_queue_entry_init_physdevs(struct nf_queue_entry *entry)
 73{
 74#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
 75	const struct sk_buff *skb = entry->skb;
 76	struct nf_bridge_info *nf_bridge;
 77
 78	nf_bridge = nf_bridge_info_get(skb);
 79	if (nf_bridge) {
 80		entry->physin = nf_bridge_get_physindev(skb);
 81		entry->physout = nf_bridge_get_physoutdev(skb);
 82	} else {
 83		entry->physin = NULL;
 84		entry->physout = NULL;
 85	}
 86#endif
 87}
 88
 89/* Bump dev refs so they don't vanish while packet is out */
 90void nf_queue_entry_get_refs(struct nf_queue_entry *entry)
 91{
 92	struct nf_hook_state *state = &entry->state;
 93
 94	dev_hold(state->in);
 95	dev_hold(state->out);
 96	if (state->sk)
 97		sock_hold(state->sk);
 98
 99#if IS_ENABLED(CONFIG_BRIDGE_NETFILTER)
100	dev_hold(entry->physin);
101	dev_hold(entry->physout);
102#endif
103}
104EXPORT_SYMBOL_GPL(nf_queue_entry_get_refs);
105
106void nf_queue_nf_hook_drop(struct net *net)
107{
108	const struct nf_queue_handler *qh;
109
110	rcu_read_lock();
111	qh = rcu_dereference(nf_queue_handler);
112	if (qh)
113		qh->nf_hook_drop(net);
114	rcu_read_unlock();
115}
116EXPORT_SYMBOL_GPL(nf_queue_nf_hook_drop);
117
118static void nf_ip_saveroute(const struct sk_buff *skb,
119			    struct nf_queue_entry *entry)
120{
121	struct ip_rt_info *rt_info = nf_queue_entry_reroute(entry);
122
123	if (entry->state.hook == NF_INET_LOCAL_OUT) {
124		const struct iphdr *iph = ip_hdr(skb);
125
126		rt_info->tos = iph->tos;
127		rt_info->daddr = iph->daddr;
128		rt_info->saddr = iph->saddr;
129		rt_info->mark = skb->mark;
130	}
131}
132
133static void nf_ip6_saveroute(const struct sk_buff *skb,
134			     struct nf_queue_entry *entry)
135{
136	struct ip6_rt_info *rt_info = nf_queue_entry_reroute(entry);
137
138	if (entry->state.hook == NF_INET_LOCAL_OUT) {
139		const struct ipv6hdr *iph = ipv6_hdr(skb);
140
141		rt_info->daddr = iph->daddr;
142		rt_info->saddr = iph->saddr;
143		rt_info->mark = skb->mark;
144	}
145}
146
147static int __nf_queue(struct sk_buff *skb, const struct nf_hook_state *state,
148		      unsigned int index, unsigned int queuenum)
149{
150	struct nf_queue_entry *entry = NULL;
151	const struct nf_queue_handler *qh;
152	unsigned int route_key_size;
153	int status;
154
155	/* QUEUE == DROP if no one is waiting, to be safe. */
156	qh = rcu_dereference(nf_queue_handler);
157	if (!qh)
158		return -ESRCH;
159
160	switch (state->pf) {
161	case AF_INET:
162		route_key_size = sizeof(struct ip_rt_info);
163		break;
164	case AF_INET6:
165		route_key_size = sizeof(struct ip6_rt_info);
166		break;
167	default:
168		route_key_size = 0;
169		break;
170	}
171
172	entry = kmalloc(sizeof(*entry) + route_key_size, GFP_ATOMIC);
173	if (!entry)
174		return -ENOMEM;
175
176	if (skb_dst(skb) && !skb_dst_force(skb)) {
177		kfree(entry);
178		return -ENETDOWN;
179	}
180
181	*entry = (struct nf_queue_entry) {
182		.skb	= skb,
183		.state	= *state,
184		.hook_index = index,
185		.size	= sizeof(*entry) + route_key_size,
186	};
187
188	__nf_queue_entry_init_physdevs(entry);
189
190	nf_queue_entry_get_refs(entry);
191
192	switch (entry->state.pf) {
193	case AF_INET:
194		nf_ip_saveroute(skb, entry);
195		break;
196	case AF_INET6:
197		nf_ip6_saveroute(skb, entry);
198		break;
199	}
200
201	status = qh->outfn(entry, queuenum);
202	if (status < 0) {
203		nf_queue_entry_free(entry);
204		return status;
205	}
206
207	return 0;
208}
209
210/* Packets leaving via this function must come back through nf_reinject(). */
211int nf_queue(struct sk_buff *skb, struct nf_hook_state *state,
212	     unsigned int index, unsigned int verdict)
213{
214	int ret;
215
216	ret = __nf_queue(skb, state, index, verdict >> NF_VERDICT_QBITS);
217	if (ret < 0) {
218		if (ret == -ESRCH &&
219		    (verdict & NF_VERDICT_FLAG_QUEUE_BYPASS))
220			return 1;
221		kfree_skb(skb);
222	}
223
224	return 0;
225}
226EXPORT_SYMBOL_GPL(nf_queue);
227
228static unsigned int nf_iterate(struct sk_buff *skb,
229			       struct nf_hook_state *state,
230			       const struct nf_hook_entries *hooks,
231			       unsigned int *index)
232{
233	const struct nf_hook_entry *hook;
234	unsigned int verdict, i = *index;
235
236	while (i < hooks->num_hook_entries) {
237		hook = &hooks->hooks[i];
238repeat:
239		verdict = nf_hook_entry_hookfn(hook, skb, state);
240		if (verdict != NF_ACCEPT) {
241			*index = i;
242			if (verdict != NF_REPEAT)
243				return verdict;
244			goto repeat;
245		}
246		i++;
247	}
248
249	*index = i;
250	return NF_ACCEPT;
251}
252
253static struct nf_hook_entries *nf_hook_entries_head(const struct net *net, u8 pf, u8 hooknum)
254{
255	switch (pf) {
256#ifdef CONFIG_NETFILTER_FAMILY_BRIDGE
257	case NFPROTO_BRIDGE:
258		return rcu_dereference(net->nf.hooks_bridge[hooknum]);
259#endif
260	case NFPROTO_IPV4:
261		return rcu_dereference(net->nf.hooks_ipv4[hooknum]);
262	case NFPROTO_IPV6:
263		return rcu_dereference(net->nf.hooks_ipv6[hooknum]);
264	default:
265		WARN_ON_ONCE(1);
266		return NULL;
267	}
268
269	return NULL;
270}
271
272/* Caller must hold rcu read-side lock */
273void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict)
274{
275	const struct nf_hook_entry *hook_entry;
276	const struct nf_hook_entries *hooks;
277	struct sk_buff *skb = entry->skb;
278	const struct net *net;
279	unsigned int i;
280	int err;
281	u8 pf;
282
283	net = entry->state.net;
284	pf = entry->state.pf;
285
286	hooks = nf_hook_entries_head(net, pf, entry->state.hook);
287
288	i = entry->hook_index;
289	if (WARN_ON_ONCE(!hooks || i >= hooks->num_hook_entries)) {
290		kfree_skb(skb);
291		nf_queue_entry_free(entry);
292		return;
293	}
294
295	hook_entry = &hooks->hooks[i];
296
297	/* Continue traversal iff userspace said ok... */
298	if (verdict == NF_REPEAT)
299		verdict = nf_hook_entry_hookfn(hook_entry, skb, &entry->state);
300
301	if (verdict == NF_ACCEPT) {
302		if (nf_reroute(skb, entry) < 0)
303			verdict = NF_DROP;
304	}
305
306	if (verdict == NF_ACCEPT) {
307next_hook:
308		++i;
309		verdict = nf_iterate(skb, &entry->state, hooks, &i);
310	}
311
312	switch (verdict & NF_VERDICT_MASK) {
313	case NF_ACCEPT:
314	case NF_STOP:
315		local_bh_disable();
316		entry->state.okfn(entry->state.net, entry->state.sk, skb);
317		local_bh_enable();
318		break;
319	case NF_QUEUE:
320		err = nf_queue(skb, &entry->state, i, verdict);
321		if (err == 1)
322			goto next_hook;
323		break;
324	case NF_STOLEN:
325		break;
326	default:
327		kfree_skb(skb);
328	}
329
330	nf_queue_entry_free(entry);
331}
332EXPORT_SYMBOL(nf_reinject);