tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

[NETFITLER]: Add nfnetlink layer.

Introduce "nfnetlink" (netfilter netlink) layer. This layer is used as
transport layer for all userspace communication of the new upcoming
netfilter subsystems, such as ctnetlink, nfnetlink_queue and some day even
the mythical pkttables ;)

Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by

Harald Welte and committed by
David S. Miller f9e815b3 ac3247ba

+497
+145
include/linux/netfilter/nfnetlink.h
··· 1 + #ifndef _NFNETLINK_H 2 + #define _NFNETLINK_H 3 + #include <linux/types.h> 4 + 5 + /* nfnetlink groups: Up to 32 maximum */ 6 + #define NF_NETLINK_CONNTRACK_NEW 0x00000001 7 + #define NF_NETLINK_CONNTRACK_UPDATE 0x00000002 8 + #define NF_NETLINK_CONNTRACK_DESTROY 0x00000004 9 + #define NF_NETLINK_CONNTRACK_EXP_NEW 0x00000008 10 + #define NF_NETLINK_CONNTRACK_EXP_UPDATE 0x00000010 11 + #define NF_NETLINK_CONNTRACK_EXP_DESTROY 0x00000020 12 + 13 + /* Generic structure for encapsulation optional netfilter information. 14 + * It is reminiscent of sockaddr, but with sa_family replaced 15 + * with attribute type. 16 + * ! This should someday be put somewhere generic as now rtnetlink and 17 + * ! nfnetlink use the same attributes methods. - J. Schulist. 18 + */ 19 + 20 + struct nfattr 21 + { 22 + u_int16_t nfa_len; 23 + u_int16_t nfa_type; 24 + } __attribute__ ((packed)); 25 + 26 + /* FIXME: Shamelessly copy and pasted from rtnetlink.h, it's time 27 + * to put this in a generic file */ 28 + 29 + #define NFA_ALIGNTO 4 30 + #define NFA_ALIGN(len) (((len) + NFA_ALIGNTO - 1) & ~(NFA_ALIGNTO - 1)) 31 + #define NFA_OK(nfa,len) ((len) > 0 && (nfa)->nfa_len >= sizeof(struct nfattr) \ 32 + && (nfa)->nfa_len <= (len)) 33 + #define NFA_NEXT(nfa,attrlen) ((attrlen) -= NFA_ALIGN((nfa)->nfa_len), \ 34 + (struct nfattr *)(((char *)(nfa)) + NFA_ALIGN((nfa)->nfa_len))) 35 + #define NFA_LENGTH(len) (NFA_ALIGN(sizeof(struct nfattr)) + (len)) 36 + #define NFA_SPACE(len) NFA_ALIGN(NFA_LENGTH(len)) 37 + #define NFA_DATA(nfa) ((void *)(((char *)(nfa)) + NFA_LENGTH(0))) 38 + #define NFA_PAYLOAD(nfa) ((int)((nfa)->nfa_len) - NFA_LENGTH(0)) 39 + #define NFA_NEST(skb, type) \ 40 + ({ struct nfattr *__start = (struct nfattr *) (skb)->tail; \ 41 + NFA_PUT(skb, type, 0, NULL); \ 42 + __start; }) 43 + #define NFA_NEST_END(skb, start) \ 44 + ({ (start)->nfa_len = ((skb)->tail - (unsigned char *) (start)); \ 45 + (skb)->len; }) 46 + #define NFA_NEST_CANCEL(skb, start) \ 47 + ({ if (start) \ 48 + skb_trim(skb, (unsigned char *) (start) - (skb)->data); \ 49 + -1; }) 50 + 51 + /* General form of address family dependent message. 52 + */ 53 + struct nfgenmsg { 54 + u_int8_t nfgen_family; /* AF_xxx */ 55 + u_int8_t version; /* nfnetlink version */ 56 + u_int16_t res_id; /* resource id */ 57 + } __attribute__ ((packed)); 58 + 59 + #define NFNETLINK_V1 1 60 + 61 + #define NFM_NFA(n) ((struct nfattr *)(((char *)(n)) \ 62 + + NLMSG_ALIGN(sizeof(struct nfgenmsg)))) 63 + #define NFM_PAYLOAD(n) NLMSG_PAYLOAD(n, sizeof(struct nfgenmsg)) 64 + 65 + /* netfilter netlink message types are split in two pieces: 66 + * 8 bit subsystem, 8bit operation. 67 + */ 68 + 69 + #define NFNL_SUBSYS_ID(x) ((x & 0xff00) >> 8) 70 + #define NFNL_MSG_TYPE(x) (x & 0x00ff) 71 + 72 + enum nfnl_subsys_id { 73 + NFNL_SUBSYS_NONE = 0, 74 + NFNL_SUBSYS_CTNETLINK, 75 + NFNL_SUBSYS_CTNETLINK_EXP, 76 + NFNL_SUBSYS_IPTNETLINK, 77 + NFNL_SUBSYS_QUEUE, 78 + NFNL_SUBSYS_ULOG, 79 + NFNL_SUBSYS_COUNT, 80 + }; 81 + 82 + #ifdef __KERNEL__ 83 + 84 + #include <linux/capability.h> 85 + 86 + struct nfnl_callback 87 + { 88 + kernel_cap_t cap_required; /* capabilities required for this msg */ 89 + int (*call)(struct sock *nl, struct sk_buff *skb, 90 + struct nlmsghdr *nlh, struct nfattr *cda[], int *errp); 91 + }; 92 + 93 + struct nfnetlink_subsystem 94 + { 95 + const char *name; 96 + __u8 subsys_id; /* nfnetlink subsystem ID */ 97 + __u8 cb_count; /* number of callbacks */ 98 + u_int32_t attr_count; /* number of nfattr's */ 99 + struct nfnl_callback *cb; /* callback for individual types */ 100 + }; 101 + 102 + extern void __nfa_fill(struct sk_buff *skb, int attrtype, 103 + int attrlen, const void *data); 104 + #define NFA_PUT(skb, attrtype, attrlen, data) \ 105 + ({ if (skb_tailroom(skb) < (int)NFA_SPACE(attrlen)) goto nfattr_failure; \ 106 + __nfa_fill(skb, attrtype, attrlen, data); }) 107 + 108 + extern struct semaphore nfnl_sem; 109 + 110 + #define nfnl_shlock() down(&nfnl_sem) 111 + #define nfnl_shlock_nowait() down_trylock(&nfnl_sem) 112 + 113 + #define nfnl_shunlock() do { up(&nfnl_sem); \ 114 + if(nfnl && nfnl->sk_receive_queue.qlen) \ 115 + nfnl->sk_data_ready(nfnl, 0); \ 116 + } while(0) 117 + 118 + extern void nfnl_lock(void); 119 + extern void nfnl_unlock(void); 120 + 121 + extern int nfnetlink_subsys_register(struct nfnetlink_subsystem *n); 122 + extern int nfnetlink_subsys_unregister(struct nfnetlink_subsystem *n); 123 + 124 + extern int nfattr_parse(struct nfattr *tb[], int maxattr, 125 + struct nfattr *nfa, int len); 126 + 127 + #define nfattr_parse_nested(tb, max, nfa) \ 128 + nfattr_parse((tb), (max), NFA_DATA((nfa)), NFA_PAYLOAD((nfa))) 129 + 130 + #define nfattr_bad_size(tb, max, cta_min) \ 131 + ({ int __i, __res = 0; \ 132 + for (__i=0; __i<max; __i++) \ 133 + if (tb[__i] && NFA_PAYLOAD(tb[__i]) < cta_min[__i]){ \ 134 + __res = 1; \ 135 + break; \ 136 + } \ 137 + __res; \ 138 + }) 139 + 140 + extern int nfnetlink_send(struct sk_buff *skb, u32 pid, unsigned group, 141 + int echo); 142 + extern int nfnetlink_unicast(struct sk_buff *skb, u_int32_t pid, int flags); 143 + 144 + #endif /* __KERNEL__ */ 145 + #endif /* _NFNETLINK_H */
+2
net/Kconfig
··· 205 205 To compile this code as a module, choose M here: the 206 206 module will be called pktgen. 207 207 208 + source "net/netfilter/Kconfig" 209 + 208 210 endmenu 209 211 210 212 endmenu
+1
net/Makefile
··· 16 16 obj-$(CONFIG_LLC) += llc/ 17 17 obj-$(CONFIG_NET) += ethernet/ 802/ sched/ netlink/ 18 18 obj-$(CONFIG_INET) += ipv4/ 19 + obj-$(CONFIG_NETFILTER) += netfilter/ 19 20 obj-$(CONFIG_XFRM) += xfrm/ 20 21 obj-$(CONFIG_UNIX) += unix/ 21 22 ifneq ($(CONFIG_IPV6),)
+5
net/netfilter/Kconfig
··· 1 + config NETFILTER_NETLINK 2 + tristate "Netfilter netlink interface" 3 + help 4 + If this option is enabled, the kernel will include support 5 + for the new netfilter netlink interface.
+1
net/netfilter/Makefile
··· 1 + obj-$(CONFIG_NETFILTER_NETLINK) += nfnetlink.o
+343
net/netfilter/nfnetlink.c
··· 1 + /* Netfilter messages via netlink socket. Allows for user space 2 + * protocol helpers and general trouble making from userspace. 3 + * 4 + * (C) 2001 by Jay Schulist <jschlst@samba.org>, 5 + * (C) 2002-2005 by Harald Welte <laforge@gnumonks.org> 6 + * (C) 2005 by Pablo Neira Ayuso <pablo@eurodev.net> 7 + * 8 + * Initial netfilter messages via netlink development funded and 9 + * generally made possible by Network Robots, Inc. (www.networkrobots.com) 10 + * 11 + * Further development of this code funded by Astaro AG (http://www.astaro.com) 12 + * 13 + * This software may be used and distributed according to the terms 14 + * of the GNU General Public License, incorporated herein by reference. 15 + */ 16 + 17 + #include <linux/config.h> 18 + #include <linux/module.h> 19 + #include <linux/types.h> 20 + #include <linux/socket.h> 21 + #include <linux/kernel.h> 22 + #include <linux/major.h> 23 + #include <linux/sched.h> 24 + #include <linux/timer.h> 25 + #include <linux/string.h> 26 + #include <linux/sockios.h> 27 + #include <linux/net.h> 28 + #include <linux/fcntl.h> 29 + #include <linux/skbuff.h> 30 + #include <asm/uaccess.h> 31 + #include <asm/system.h> 32 + #include <net/sock.h> 33 + #include <linux/init.h> 34 + #include <linux/spinlock.h> 35 + 36 + #include <linux/netfilter.h> 37 + #include <linux/netlink.h> 38 + #include <linux/netfilter/nfnetlink.h> 39 + 40 + MODULE_LICENSE("GPL"); 41 + 42 + static char __initdata nfversion[] = "0.30"; 43 + 44 + #if 0 45 + #define DEBUGP printk 46 + #else 47 + #define DEBUGP(format, args...) 48 + #endif 49 + 50 + static struct sock *nfnl = NULL; 51 + static struct nfnetlink_subsystem *subsys_table[NFNL_SUBSYS_COUNT]; 52 + DECLARE_MUTEX(nfnl_sem); 53 + 54 + void nfnl_lock(void) 55 + { 56 + nfnl_shlock(); 57 + } 58 + 59 + void nfnl_unlock(void) 60 + { 61 + nfnl_shunlock(); 62 + } 63 + 64 + int nfnetlink_subsys_register(struct nfnetlink_subsystem *n) 65 + { 66 + DEBUGP("registering subsystem ID %u\n", n->subsys_id); 67 + 68 + /* If the netlink socket wasn't created, then fail */ 69 + if (!nfnl) 70 + return -1; 71 + 72 + nfnl_lock(); 73 + subsys_table[n->subsys_id] = n; 74 + nfnl_unlock(); 75 + 76 + return 0; 77 + } 78 + 79 + int nfnetlink_subsys_unregister(struct nfnetlink_subsystem *n) 80 + { 81 + DEBUGP("unregistering subsystem ID %u\n", n->subsys_id); 82 + 83 + nfnl_lock(); 84 + subsys_table[n->subsys_id] = NULL; 85 + nfnl_unlock(); 86 + 87 + return 0; 88 + } 89 + 90 + static inline struct nfnetlink_subsystem *nfnetlink_get_subsys(u_int16_t type) 91 + { 92 + u_int8_t subsys_id = NFNL_SUBSYS_ID(type); 93 + 94 + if (subsys_id >= NFNL_SUBSYS_COUNT 95 + || subsys_table[subsys_id] == NULL) 96 + return NULL; 97 + 98 + return subsys_table[subsys_id]; 99 + } 100 + 101 + static inline struct nfnl_callback * 102 + nfnetlink_find_client(u_int16_t type, struct nfnetlink_subsystem *ss) 103 + { 104 + u_int8_t cb_id = NFNL_MSG_TYPE(type); 105 + 106 + if (cb_id >= ss->cb_count) { 107 + DEBUGP("msgtype %u >= %u, returning\n", type, ss->cb_count); 108 + return NULL; 109 + } 110 + 111 + return &ss->cb[cb_id]; 112 + } 113 + 114 + void __nfa_fill(struct sk_buff *skb, int attrtype, int attrlen, 115 + const void *data) 116 + { 117 + struct nfattr *nfa; 118 + int size = NFA_LENGTH(attrlen); 119 + 120 + nfa = (struct nfattr *)skb_put(skb, NFA_ALIGN(size)); 121 + nfa->nfa_type = attrtype; 122 + nfa->nfa_len = size; 123 + memcpy(NFA_DATA(nfa), data, attrlen); 124 + } 125 + 126 + int nfattr_parse(struct nfattr *tb[], int maxattr, struct nfattr *nfa, int len) 127 + { 128 + memset(tb, 0, sizeof(struct nfattr *) * maxattr); 129 + 130 + while (NFA_OK(nfa, len)) { 131 + unsigned flavor = nfa->nfa_type; 132 + if (flavor && flavor <= maxattr) 133 + tb[flavor-1] = nfa; 134 + nfa = NFA_NEXT(nfa, len); 135 + } 136 + 137 + return 0; 138 + } 139 + 140 + /** 141 + * nfnetlink_check_attributes - check and parse nfnetlink attributes 142 + * 143 + * subsys: nfnl subsystem for which this message is to be parsed 144 + * nlmsghdr: netlink message to be checked/parsed 145 + * cda: array of pointers, needs to be at least subsys->attr_count big 146 + * 147 + */ 148 + static int 149 + nfnetlink_check_attributes(struct nfnetlink_subsystem *subsys, 150 + struct nlmsghdr *nlh, struct nfattr *cda[]) 151 + { 152 + int min_len; 153 + 154 + memset(cda, 0, sizeof(struct nfattr *) * subsys->attr_count); 155 + 156 + /* check attribute lengths. */ 157 + min_len = NLMSG_ALIGN(sizeof(struct nfgenmsg)); 158 + if (nlh->nlmsg_len < min_len) 159 + return -EINVAL; 160 + 161 + if (nlh->nlmsg_len > min_len) { 162 + struct nfattr *attr = NFM_NFA(NLMSG_DATA(nlh)); 163 + int attrlen = nlh->nlmsg_len - NLMSG_ALIGN(min_len); 164 + 165 + while (NFA_OK(attr, attrlen)) { 166 + unsigned flavor = attr->nfa_type; 167 + if (flavor) { 168 + if (flavor > subsys->attr_count) 169 + return -EINVAL; 170 + cda[flavor - 1] = attr; 171 + } 172 + attr = NFA_NEXT(attr, attrlen); 173 + } 174 + } else 175 + return -EINVAL; 176 + 177 + return 0; 178 + } 179 + 180 + int nfnetlink_send(struct sk_buff *skb, u32 pid, unsigned group, int echo) 181 + { 182 + int allocation = in_interrupt() ? GFP_ATOMIC : GFP_KERNEL; 183 + int err = 0; 184 + 185 + NETLINK_CB(skb).dst_groups = group; 186 + if (echo) 187 + atomic_inc(&skb->users); 188 + netlink_broadcast(nfnl, skb, pid, group, allocation); 189 + if (echo) 190 + err = netlink_unicast(nfnl, skb, pid, MSG_DONTWAIT); 191 + 192 + return err; 193 + } 194 + 195 + int nfnetlink_unicast(struct sk_buff *skb, u_int32_t pid, int flags) 196 + { 197 + return netlink_unicast(nfnl, skb, pid, flags); 198 + } 199 + 200 + /* Process one complete nfnetlink message. */ 201 + static inline int nfnetlink_rcv_msg(struct sk_buff *skb, 202 + struct nlmsghdr *nlh, int *errp) 203 + { 204 + struct nfnl_callback *nc; 205 + struct nfnetlink_subsystem *ss; 206 + int type, err = 0; 207 + 208 + DEBUGP("entered; subsys=%u, msgtype=%u\n", 209 + NFNL_SUBSYS_ID(nlh->nlmsg_type), 210 + NFNL_MSG_TYPE(nlh->nlmsg_type)); 211 + 212 + /* Only requests are handled by kernel now. */ 213 + if (!(nlh->nlmsg_flags & NLM_F_REQUEST)) { 214 + DEBUGP("received non-request message\n"); 215 + return 0; 216 + } 217 + 218 + /* All the messages must at least contain nfgenmsg */ 219 + if (nlh->nlmsg_len < 220 + NLMSG_LENGTH(NLMSG_ALIGN(sizeof(struct nfgenmsg)))) { 221 + DEBUGP("received message was too short\n"); 222 + return 0; 223 + } 224 + 225 + type = nlh->nlmsg_type; 226 + ss = nfnetlink_get_subsys(type); 227 + if (!ss) 228 + goto err_inval; 229 + 230 + nc = nfnetlink_find_client(type, ss); 231 + if (!nc) { 232 + DEBUGP("unable to find client for type %d\n", type); 233 + goto err_inval; 234 + } 235 + 236 + if (nc->cap_required && 237 + !cap_raised(NETLINK_CB(skb).eff_cap, nc->cap_required)) { 238 + DEBUGP("permission denied for type %d\n", type); 239 + *errp = -EPERM; 240 + return -1; 241 + } 242 + 243 + { 244 + struct nfattr *cda[ss->attr_count]; 245 + 246 + memset(cda, 0, ss->attr_count*sizeof(struct nfattr *)); 247 + 248 + err = nfnetlink_check_attributes(ss, nlh, cda); 249 + if (err < 0) 250 + goto err_inval; 251 + 252 + err = nc->call(nfnl, skb, nlh, cda, errp); 253 + *errp = err; 254 + return err; 255 + } 256 + 257 + err_inval: 258 + *errp = -EINVAL; 259 + return -1; 260 + } 261 + 262 + /* Process one packet of messages. */ 263 + static inline int nfnetlink_rcv_skb(struct sk_buff *skb) 264 + { 265 + int err; 266 + struct nlmsghdr *nlh; 267 + 268 + while (skb->len >= NLMSG_SPACE(0)) { 269 + u32 rlen; 270 + 271 + nlh = (struct nlmsghdr *)skb->data; 272 + if (nlh->nlmsg_len < sizeof(struct nlmsghdr) 273 + || skb->len < nlh->nlmsg_len) 274 + return 0; 275 + rlen = NLMSG_ALIGN(nlh->nlmsg_len); 276 + if (rlen > skb->len) 277 + rlen = skb->len; 278 + if (nfnetlink_rcv_msg(skb, nlh, &err)) { 279 + if (!err) 280 + return -1; 281 + netlink_ack(skb, nlh, err); 282 + } else 283 + if (nlh->nlmsg_flags & NLM_F_ACK) 284 + netlink_ack(skb, nlh, 0); 285 + skb_pull(skb, rlen); 286 + } 287 + 288 + return 0; 289 + } 290 + 291 + static void nfnetlink_rcv(struct sock *sk, int len) 292 + { 293 + do { 294 + struct sk_buff *skb; 295 + 296 + if (nfnl_shlock_nowait()) 297 + return; 298 + 299 + while ((skb = skb_dequeue(&sk->sk_receive_queue)) != NULL) { 300 + if (nfnetlink_rcv_skb(skb)) { 301 + if (skb->len) 302 + skb_queue_head(&sk->sk_receive_queue, 303 + skb); 304 + else 305 + kfree_skb(skb); 306 + break; 307 + } 308 + kfree_skb(skb); 309 + } 310 + 311 + up(&nfnl_sem); 312 + } while(nfnl && nfnl->sk_receive_queue.qlen); 313 + } 314 + 315 + void __exit nfnetlink_exit(void) 316 + { 317 + printk("Removing netfilter NETLINK layer.\n"); 318 + sock_release(nfnl->sk_socket); 319 + return; 320 + } 321 + 322 + int __init nfnetlink_init(void) 323 + { 324 + printk("Netfilter messages via NETLINK v%s.\n", nfversion); 325 + 326 + nfnl = netlink_kernel_create(NETLINK_NETFILTER, nfnetlink_rcv); 327 + if (!nfnl) { 328 + printk(KERN_ERR "cannot initialize nfnetlink!\n"); 329 + return -1; 330 + } 331 + 332 + return 0; 333 + } 334 + 335 + module_init(nfnetlink_init); 336 + module_exit(nfnetlink_exit); 337 + 338 + EXPORT_SYMBOL_GPL(nfnetlink_subsys_register); 339 + EXPORT_SYMBOL_GPL(nfnetlink_subsys_unregister); 340 + EXPORT_SYMBOL_GPL(nfnetlink_send); 341 + EXPORT_SYMBOL_GPL(nfnetlink_unicast); 342 + EXPORT_SYMBOL_GPL(nfattr_parse); 343 + EXPORT_SYMBOL_GPL(__nfa_fill);