netfilter: add new hook nfnl subsystem · tjh.dev/kernel@e2cf17d

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

netfilter: add new hook nfnl subsystem

This nfnl subsystem allows to dump the list of all active netfiler hooks,
e.g. defrag, conntrack, nf/ip/arp/ip6tables and so on.

This helps to see what kind of features are currently enabled in
the network stack.

Sample output from nft tool using this infra:

$ nft list hook ip input
family ip hook input {
+0000000010 nft_do_chain_inet [nf_tables] # nft table firewalld INPUT
+0000000100 nf_nat_ipv4_local_in [nf_nat]
+2147483647 ipv4_confirm [nf_conntrack]
}

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

Florian Westphal and committed by

Pablo Neira Ayuso 4 years ago e2cf17d3 7b4b2fa3

+443 -1

6 changed files

expand all

include

uapi

linux

netfilter

nfnetlink.h

nfnetlink_hook.h

net

netfilter

Kconfig

Makefile

nfnetlink.c

nfnetlink_hook.c

+2 -1

include/uapi/linux/netfilter/nfnetlink.h

··· 60 60 #define NFNL_SUBSYS_CTHELPER 9 61 61 #define NFNL_SUBSYS_NFTABLES 10 62 62 #define NFNL_SUBSYS_NFT_COMPAT 11 63 - #define NFNL_SUBSYS_COUNT 12 63 + #define NFNL_SUBSYS_HOOK 12 64 + #define NFNL_SUBSYS_COUNT 13 64 65 65 66 /* Reserved control nfnetlink messages */ 66 67 #define NFNL_MSG_BATCH_BEGIN NLMSG_MIN_TYPE

+55

include/uapi/linux/netfilter/nfnetlink_hook.h

··· 1 + /* SPDX-License-Identifier: GPL-2.0 WITH Linux-syscall-note */ 2 + #ifndef _NFNL_HOOK_H_ 3 + #define _NFNL_HOOK_H_ 4 + 5 + enum nfnl_hook_msg_types { 6 + NFNL_MSG_HOOK_GET, 7 + NFNL_MSG_HOOK_MAX, 8 + }; 9 + 10 + /** 11 + * enum nfnl_hook_attributes - netfilter hook netlink attributes 12 + * 13 + * @NFNLA_HOOK_HOOKNUM: netfilter hook number (NLA_U32) 14 + * @NFNLA_HOOK_PRIORITY: netfilter hook priority (NLA_U32) 15 + * @NFNLA_HOOK_DEV: netdevice name (NLA_STRING) 16 + * @NFNLA_HOOK_FUNCTION_NAME: hook function name (NLA_STRING) 17 + * @NFNLA_HOOK_MODULE_NAME: kernel module that registered this hook (NLA_STRING) 18 + * @NFNLA_HOOK_CHAIN_INFO: basechain hook metadata (NLA_NESTED) 19 + */ 20 + enum nfnl_hook_attributes { 21 + NFNLA_HOOK_UNSPEC, 22 + NFNLA_HOOK_HOOKNUM, 23 + NFNLA_HOOK_PRIORITY, 24 + NFNLA_HOOK_DEV, 25 + NFNLA_HOOK_FUNCTION_NAME, 26 + NFNLA_HOOK_MODULE_NAME, 27 + NFNLA_HOOK_CHAIN_INFO, 28 + __NFNLA_HOOK_MAX 29 + }; 30 + #define NFNLA_HOOK_MAX (__NFNLA_HOOK_MAX - 1) 31 + 32 + /** 33 + * enum nfnl_hook_chain_info_attributes - chain description 34 + * 35 + * NFNLA_HOOK_INFO_DESC: nft chain and table name (enum nft_table_attributes) (NLA_NESTED) 36 + * NFNLA_HOOK_INFO_TYPE: chain type (enum nfnl_hook_chaintype) (NLA_U32) 37 + */ 38 + enum nfnl_hook_chain_info_attributes { 39 + NFNLA_HOOK_INFO_UNSPEC, 40 + NFNLA_HOOK_INFO_DESC, 41 + NFNLA_HOOK_INFO_TYPE, 42 + __NFNLA_HOOK_INFO_MAX, 43 + }; 44 + #define NFNLA_HOOK_INFO_MAX (__NFNLA_HOOK_INFO_MAX - 1) 45 + 46 + /** 47 + * enum nfnl_hook_chaintype - chain type 48 + * 49 + * @NFNL_HOOK_TYPE_NFTABLES nf_tables base chain 50 + */ 51 + enum nfnl_hook_chaintype { 52 + NFNL_HOOK_TYPE_NFTABLES = 0x1, 53 + }; 54 + 55 + #endif /* _NFNL_HOOK_H */

net/netfilter/Kconfig

··· 19 19 config NETFILTER_FAMILY_ARP 20 20 bool 21 21 22 + config NETFILTER_NETLINK_HOOK 23 + tristate "Netfilter base hook dump support" 24 + depends on NETFILTER_ADVANCED 25 + select NETFILTER_NETLINK 26 + help 27 + If this option is enabled, the kernel will include support 28 + to list the base netfilter hooks via NFNETLINK. 29 + This is helpful for debugging. 30 + 22 31 config NETFILTER_NETLINK_ACCT 23 32 tristate "Netfilter NFACCT over NFNETLINK interface" 24 33 depends on NETFILTER_ADVANCED

net/netfilter/Makefile

··· 22 22 obj-$(CONFIG_NETFILTER_NETLINK_QUEUE) += nfnetlink_queue.o 23 23 obj-$(CONFIG_NETFILTER_NETLINK_LOG) += nfnetlink_log.o 24 24 obj-$(CONFIG_NETFILTER_NETLINK_OSF) += nfnetlink_osf.o 25 + obj-$(CONFIG_NETFILTER_NETLINK_HOOK) += nfnetlink_hook.o 25 26 26 27 # connection tracking 27 28 obj-$(CONFIG_NF_CONNTRACK) += nf_conntrack.o

net/netfilter/nfnetlink.c

··· 68 68 [NFNL_SUBSYS_CTHELPER] = "nfnl_subsys_cthelper", 69 69 [NFNL_SUBSYS_NFTABLES] = "nfnl_subsys_nftables", 70 70 [NFNL_SUBSYS_NFT_COMPAT] = "nfnl_subsys_nftcompat", 71 + [NFNL_SUBSYS_HOOK] = "nfnl_subsys_hook", 71 72 }; 72 73 73 74 static const int nfnl_group2type[NFNLGRP_MAX+1] = {

+375

net/netfilter/nfnetlink_hook.c

··· 1 + // SPDX-License-Identifier: GPL-2.0-or-later 2 + /* 3 + * Copyright (c) 2021 Red Hat GmbH 4 + * 5 + * Author: Florian Westphal <fw@strlen.de> 6 + */ 7 + 8 + #include <linux/module.h> 9 + #include <linux/kernel.h> 10 + #include <linux/types.h> 11 + #include <linux/skbuff.h> 12 + #include <linux/errno.h> 13 + #include <linux/netlink.h> 14 + #include <linux/slab.h> 15 + 16 + #include <linux/netfilter.h> 17 + 18 + #include <linux/netfilter/nfnetlink.h> 19 + #include <linux/netfilter/nfnetlink_hook.h> 20 + 21 + #include <net/netfilter/nf_tables.h> 22 + #include <net/sock.h> 23 + 24 + static const struct nla_policy nfnl_hook_nla_policy[NFNLA_HOOK_MAX + 1] = { 25 + [NFNLA_HOOK_HOOKNUM] = { .type = NLA_U32 }, 26 + [NFNLA_HOOK_PRIORITY] = { .type = NLA_U32 }, 27 + [NFNLA_HOOK_DEV] = { .type = NLA_STRING, 28 + .len = IFNAMSIZ - 1 }, 29 + [NFNLA_HOOK_FUNCTION_NAME] = { .type = NLA_NUL_STRING, 30 + .len = KSYM_NAME_LEN, }, 31 + [NFNLA_HOOK_MODULE_NAME] = { .type = NLA_NUL_STRING, 32 + .len = MODULE_NAME_LEN, }, 33 + [NFNLA_HOOK_CHAIN_INFO] = { .type = NLA_NESTED, }, 34 + }; 35 + 36 + static int nf_netlink_dump_start_rcu(struct sock *nlsk, struct sk_buff *skb, 37 + const struct nlmsghdr *nlh, 38 + struct netlink_dump_control *c) 39 + { 40 + int err; 41 + 42 + if (!try_module_get(THIS_MODULE)) 43 + return -EINVAL; 44 + 45 + rcu_read_unlock(); 46 + err = netlink_dump_start(nlsk, skb, nlh, c); 47 + rcu_read_lock(); 48 + module_put(THIS_MODULE); 49 + 50 + return err; 51 + } 52 + 53 + struct nfnl_dump_hook_data { 54 + char devname[IFNAMSIZ]; 55 + unsigned long headv; 56 + u8 hook; 57 + }; 58 + 59 + static int nfnl_hook_put_nft_chain_info(struct sk_buff *nlskb, 60 + const struct nfnl_dump_hook_data *ctx, 61 + unsigned int seq, 62 + const struct nf_hook_ops *ops) 63 + { 64 + struct net *net = sock_net(nlskb->sk); 65 + struct nlattr *nest, *nest2; 66 + struct nft_chain *chain; 67 + int ret = 0; 68 + 69 + if (ops->hook_ops_type != NF_HOOK_OP_NF_TABLES) 70 + return 0; 71 + 72 + chain = ops->priv; 73 + if (WARN_ON_ONCE(!chain)) 74 + return 0; 75 + 76 + if (!nft_is_active(net, chain)) 77 + return 0; 78 + 79 + nest = nla_nest_start(nlskb, NFNLA_HOOK_CHAIN_INFO); 80 + if (!nest) 81 + return -EMSGSIZE; 82 + 83 + ret = nla_put_be32(nlskb, NFNLA_HOOK_INFO_TYPE, 84 + htonl(NFNL_HOOK_TYPE_NFTABLES)); 85 + if (ret) 86 + goto cancel_nest; 87 + 88 + nest2 = nla_nest_start(nlskb, NFNLA_HOOK_INFO_DESC); 89 + if (!nest2) 90 + goto cancel_nest; 91 + 92 + ret = nla_put_string(nlskb, NFTA_CHAIN_TABLE, chain->table->name); 93 + if (ret) 94 + goto cancel_nest; 95 + 96 + ret = nla_put_string(nlskb, NFTA_CHAIN_NAME, chain->name); 97 + if (ret) 98 + goto cancel_nest; 99 + 100 + nla_nest_end(nlskb, nest2); 101 + nla_nest_end(nlskb, nest); 102 + return ret; 103 + 104 + cancel_nest: 105 + nla_nest_cancel(nlskb, nest); 106 + return -EMSGSIZE; 107 + } 108 + 109 + static int nfnl_hook_dump_one(struct sk_buff *nlskb, 110 + const struct nfnl_dump_hook_data *ctx, 111 + const struct nf_hook_ops *ops, 112 + unsigned int seq) 113 + { 114 + u16 event = nfnl_msg_type(NFNL_SUBSYS_HOOK, NFNL_MSG_HOOK_GET); 115 + unsigned int portid = NETLINK_CB(nlskb).portid; 116 + struct nlmsghdr *nlh; 117 + int ret = -EMSGSIZE; 118 + #ifdef CONFIG_KALLSYMS 119 + char sym[KSYM_SYMBOL_LEN]; 120 + char *module_name; 121 + #endif 122 + nlh = nfnl_msg_put(nlskb, portid, seq, event, 123 + NLM_F_MULTI, ops->pf, NFNETLINK_V0, 0); 124 + if (!nlh) 125 + goto nla_put_failure; 126 + 127 + #ifdef CONFIG_KALLSYMS 128 + ret = snprintf(sym, sizeof(sym), "%ps", ops->hook); 129 + if (ret < 0 || ret > (int)sizeof(sym)) 130 + goto nla_put_failure; 131 + 132 + module_name = strstr(sym, " ["); 133 + if (module_name) { 134 + char *end; 135 + 136 + module_name += 2; 137 + end = strchr(module_name, ']'); 138 + if (end) { 139 + *end = 0; 140 + 141 + ret = nla_put_string(nlskb, NFNLA_HOOK_MODULE_NAME, module_name); 142 + if (ret) 143 + goto nla_put_failure; 144 + } 145 + } 146 + 147 + ret = nla_put_string(nlskb, NFNLA_HOOK_FUNCTION_NAME, sym); 148 + if (ret) 149 + goto nla_put_failure; 150 + #endif 151 + 152 + ret = nla_put_be32(nlskb, NFNLA_HOOK_HOOKNUM, htonl(ops->hooknum)); 153 + if (ret) 154 + goto nla_put_failure; 155 + 156 + ret = nla_put_be32(nlskb, NFNLA_HOOK_PRIORITY, htonl(ops->priority)); 157 + if (ret) 158 + goto nla_put_failure; 159 + 160 + ret = nfnl_hook_put_nft_chain_info(nlskb, ctx, seq, ops); 161 + if (ret) 162 + goto nla_put_failure; 163 + 164 + nlmsg_end(nlskb, nlh); 165 + return 0; 166 + nla_put_failure: 167 + nlmsg_trim(nlskb, nlh); 168 + return ret; 169 + } 170 + 171 + static const struct nf_hook_entries * 172 + nfnl_hook_entries_head(u8 pf, unsigned int hook, struct net *net, const char *dev) 173 + { 174 + const struct nf_hook_entries *hook_head = NULL; 175 + struct net_device *netdev; 176 + 177 + switch (pf) { 178 + case NFPROTO_IPV4: 179 + if (hook >= ARRAY_SIZE(net->nf.hooks_ipv4)) 180 + return ERR_PTR(-EINVAL); 181 + hook_head = rcu_dereference(net->nf.hooks_ipv4[hook]); 182 + break; 183 + case NFPROTO_IPV6: 184 + hook_head = rcu_dereference(net->nf.hooks_ipv6[hook]); 185 + if (hook >= ARRAY_SIZE(net->nf.hooks_ipv6)) 186 + return ERR_PTR(-EINVAL); 187 + break; 188 + case NFPROTO_ARP: 189 + #ifdef CONFIG_NETFILTER_FAMILY_ARP 190 + if (hook >= ARRAY_SIZE(net->nf.hooks_arp)) 191 + return ERR_PTR(-EINVAL); 192 + hook_head = rcu_dereference(net->nf.hooks_arp[hook]); 193 + #endif 194 + break; 195 + case NFPROTO_BRIDGE: 196 + #ifdef CONFIG_NETFILTER_FAMILY_BRIDGE 197 + if (hook >= ARRAY_SIZE(net->nf.hooks_bridge)) 198 + return ERR_PTR(-EINVAL); 199 + hook_head = rcu_dereference(net->nf.hooks_bridge[hook]); 200 + #endif 201 + break; 202 + #if IS_ENABLED(CONFIG_DECNET) 203 + case NFPROTO_DECNET: 204 + if (hook >= ARRAY_SIZE(net->nf.hooks_decnet)) 205 + return ERR_PTR(-EINVAL); 206 + hook_head = rcu_dereference(net->nf.hooks_decnet[hook]); 207 + break; 208 + #endif 209 + #ifdef CONFIG_NETFILTER_INGRESS 210 + case NFPROTO_NETDEV: 211 + if (hook != NF_NETDEV_INGRESS) 212 + return ERR_PTR(-EOPNOTSUPP); 213 + 214 + if (!dev) 215 + return ERR_PTR(-ENODEV); 216 + 217 + netdev = dev_get_by_name_rcu(net, dev); 218 + if (!netdev) 219 + return ERR_PTR(-ENODEV); 220 + 221 + return rcu_dereference(netdev->nf_hooks_ingress); 222 + #endif 223 + default: 224 + return ERR_PTR(-EPROTONOSUPPORT); 225 + } 226 + 227 + return hook_head; 228 + } 229 + 230 + static int nfnl_hook_dump(struct sk_buff *nlskb, 231 + struct netlink_callback *cb) 232 + { 233 + struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 234 + struct nfnl_dump_hook_data *ctx = cb->data; 235 + int err, family = nfmsg->nfgen_family; 236 + struct net *net = sock_net(nlskb->sk); 237 + struct nf_hook_ops * const *ops; 238 + const struct nf_hook_entries *e; 239 + unsigned int i = cb->args[0]; 240 + 241 + rcu_read_lock(); 242 + 243 + e = nfnl_hook_entries_head(family, ctx->hook, net, ctx->devname); 244 + if (!e) 245 + goto done; 246 + 247 + if (IS_ERR(e)) { 248 + cb->seq++; 249 + goto done; 250 + } 251 + 252 + if ((unsigned long)e != ctx->headv || i >= e->num_hook_entries) 253 + cb->seq++; 254 + 255 + ops = nf_hook_entries_get_hook_ops(e); 256 + 257 + for (; i < e->num_hook_entries; i++) { 258 + err = nfnl_hook_dump_one(nlskb, ctx, ops[i], cb->seq); 259 + if (err) 260 + break; 261 + } 262 + 263 + done: 264 + nl_dump_check_consistent(cb, nlmsg_hdr(nlskb)); 265 + rcu_read_unlock(); 266 + cb->args[0] = i; 267 + return nlskb->len; 268 + } 269 + 270 + static int nfnl_hook_dump_start(struct netlink_callback *cb) 271 + { 272 + const struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 273 + const struct nlattr * const *nla = cb->data; 274 + struct nfnl_dump_hook_data *ctx = NULL; 275 + struct net *net = sock_net(cb->skb->sk); 276 + u8 family = nfmsg->nfgen_family; 277 + char name[IFNAMSIZ] = ""; 278 + const void *head; 279 + u32 hooknum; 280 + 281 + hooknum = ntohl(nla_get_be32(nla[NFNLA_HOOK_HOOKNUM])); 282 + if (hooknum > 255) 283 + return -EINVAL; 284 + 285 + if (family == NFPROTO_NETDEV) { 286 + if (!nla[NFNLA_HOOK_DEV]) 287 + return -EINVAL; 288 + 289 + nla_strscpy(name, nla[NFNLA_HOOK_DEV], sizeof(name)); 290 + } 291 + 292 + rcu_read_lock(); 293 + /* Not dereferenced; for consistency check only */ 294 + head = nfnl_hook_entries_head(family, hooknum, net, name); 295 + rcu_read_unlock(); 296 + 297 + if (head && IS_ERR(head)) 298 + return PTR_ERR(head); 299 + 300 + ctx = kzalloc(sizeof(*ctx), GFP_KERNEL); 301 + if (!ctx) 302 + return -ENOMEM; 303 + 304 + strscpy(ctx->devname, name, sizeof(ctx->devname)); 305 + ctx->headv = (unsigned long)head; 306 + ctx->hook = hooknum; 307 + 308 + cb->seq = 1; 309 + cb->data = ctx; 310 + 311 + return 0; 312 + } 313 + 314 + static int nfnl_hook_dump_stop(struct netlink_callback *cb) 315 + { 316 + kfree(cb->data); 317 + return 0; 318 + } 319 + 320 + static int nfnl_hook_get(struct sk_buff *skb, 321 + const struct nfnl_info *info, 322 + const struct nlattr * const nla[]) 323 + { 324 + if (!nla[NFNLA_HOOK_HOOKNUM]) 325 + return -EINVAL; 326 + 327 + if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 328 + struct netlink_dump_control c = { 329 + .start = nfnl_hook_dump_start, 330 + .done = nfnl_hook_dump_stop, 331 + .dump = nfnl_hook_dump, 332 + .module = THIS_MODULE, 333 + .data = (void *)nla, 334 + }; 335 + 336 + return nf_netlink_dump_start_rcu(info->sk, skb, info->nlh, &c); 337 + } 338 + 339 + return -EOPNOTSUPP; 340 + } 341 + 342 + static const struct nfnl_callback nfnl_hook_cb[NFNL_MSG_HOOK_MAX] = { 343 + [NFNL_MSG_HOOK_GET] = { 344 + .call = nfnl_hook_get, 345 + .type = NFNL_CB_RCU, 346 + .attr_count = NFNLA_HOOK_MAX, 347 + .policy = nfnl_hook_nla_policy 348 + }, 349 + }; 350 + 351 + static const struct nfnetlink_subsystem nfhook_subsys = { 352 + .name = "nfhook", 353 + .subsys_id = NFNL_SUBSYS_HOOK, 354 + .cb_count = NFNL_MSG_HOOK_MAX, 355 + .cb = nfnl_hook_cb, 356 + }; 357 + 358 + MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_HOOK); 359 + 360 + static int __init nfnetlink_hook_init(void) 361 + { 362 + return nfnetlink_subsys_register(&nfhook_subsys); 363 + } 364 + 365 + static void __exit nfnetlink_hook_exit(void) 366 + { 367 + nfnetlink_subsys_unregister(&nfhook_subsys); 368 + } 369 + 370 + module_init(nfnetlink_hook_init); 371 + module_exit(nfnetlink_hook_exit); 372 + 373 + MODULE_LICENSE("GPL"); 374 + MODULE_AUTHOR("Florian Westphal <fw@strlen.de>"); 375 + MODULE_DESCRIPTION("nfnetlink_hook: list registered netfilter hooks");