LXR linux/include/linux/netfilter.h

   1/* SPDX-License-Identifier: GPL-2.0 */
   2#ifndef __LINUX_NETFILTER_H
   3#define __LINUX_NETFILTER_H
   4
   5#include <linux/init.h>
   6#include <linux/skbuff.h>
   7#include <linux/net.h>
   8#include <linux/if.h>
   9#include <linux/in.h>
  10#include <linux/in6.h>
  11#include <linux/wait.h>
  12#include <linux/list.h>
  13#include <linux/static_key.h>
  14#include <linux/netfilter_defs.h>
  15#include <linux/netdevice.h>
  16#include <net/net_namespace.h>
  17
  18#ifdef CONFIG_NETFILTER
  19static inline int NF_DROP_GETERR(int verdict)
  20{
  21        return -(verdict >> NF_VERDICT_QBITS);
  22}
  23
  24static inline int nf_inet_addr_cmp(const union nf_inet_addr *a1,
  25                                   const union nf_inet_addr *a2)
  26{
  27#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) && BITS_PER_LONG == 64
  28        const unsigned long *ul1 = (const unsigned long *)a1;
  29        const unsigned long *ul2 = (const unsigned long *)a2;
  30
  31        return ((ul1[0] ^ ul2[0]) | (ul1[1] ^ ul2[1])) == 0UL;
  32#else
  33        return a1->all[0] == a2->all[0] &&
  34               a1->all[1] == a2->all[1] &&
  35               a1->all[2] == a2->all[2] &&
  36               a1->all[3] == a2->all[3];
  37#endif
  38}
  39
  40static inline void nf_inet_addr_mask(const union nf_inet_addr *a1,
  41                                     union nf_inet_addr *result,
  42                                     const union nf_inet_addr *mask)
  43{
  44#if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) && BITS_PER_LONG == 64
  45        const unsigned long *ua = (const unsigned long *)a1;
  46        unsigned long *ur = (unsigned long *)result;
  47        const unsigned long *um = (const unsigned long *)mask;
  48
  49        ur[0] = ua[0] & um[0];
  50        ur[1] = ua[1] & um[1];
  51#else
  52        result->all[0] = a1->all[0] & mask->all[0];
  53        result->all[1] = a1->all[1] & mask->all[1];
  54        result->all[2] = a1->all[2] & mask->all[2];
  55        result->all[3] = a1->all[3] & mask->all[3];
  56#endif
  57}
  58
  59int netfilter_init(void);
  60
  61struct sk_buff;
  62
  63struct nf_hook_ops;
  64
  65struct sock;
  66
  67struct nf_hook_state {
  68        unsigned int hook;
  69        u_int8_t pf;
  70        struct net_device *in;
  71        struct net_device *out;
  72        struct sock *sk;
  73        struct net *net;
  74        int (*okfn)(struct net *, struct sock *, struct sk_buff *);
  75};
  76
  77typedef unsigned int nf_hookfn(void *priv,
  78                               struct sk_buff *skb,
  79                               const struct nf_hook_state *state);
  80struct nf_hook_ops {
  81        /* User fills in from here down. */
  82        nf_hookfn               *hook;
  83        struct net_device       *dev;
  84        void                    *priv;
  85        u_int8_t                pf;
  86        unsigned int            hooknum;
  87        /* Hooks are ordered in ascending priority. */
  88        int                     priority;
  89};
  90
  91struct nf_hook_entry {
  92        nf_hookfn                       *hook;
  93        void                            *priv;
  94};
  95
  96struct nf_hook_entries_rcu_head {
  97        struct rcu_head head;
  98        void    *allocation;
  99};
 100
 101struct nf_hook_entries {
 102        u16                             num_hook_entries;
 103        /* padding */
 104        struct nf_hook_entry            hooks[];
 105
 106        /* trailer: pointers to original orig_ops of each hook,
 107         * followed by rcu_head and scratch space used for freeing
 108         * the structure via call_rcu.
 109         *
 110         *   This is not part of struct nf_hook_entry since its only
 111         *   needed in slow path (hook register/unregister):
 112         * const struct nf_hook_ops     *orig_ops[]
 113         *
 114         *   For the same reason, we store this at end -- its
 115         *   only needed when a hook is deleted, not during
 116         *   packet path processing:
 117         * struct nf_hook_entries_rcu_head     head
 118         */
 119};
 120
 121static inline struct nf_hook_ops **nf_hook_entries_get_hook_ops(const struct nf_hook_entries *e)
 122{
 123        unsigned int n = e->num_hook_entries;
 124        const void *hook_end;
 125
 126        hook_end = &e->hooks[n]; /* this is *past* ->hooks[]! */
 127
 128        return (struct nf_hook_ops **)hook_end;
 129}
 130
 131static inline int
 132nf_hook_entry_hookfn(const struct nf_hook_entry *entry, struct sk_buff *skb,
 133                     struct nf_hook_state *state)
 134{
 135        return entry->hook(entry->priv, skb, state);
 136}
 137
 138static inline void nf_hook_state_init(struct nf_hook_state *p,
 139                                      unsigned int hook,
 140                                      u_int8_t pf,
 141                                      struct net_device *indev,
 142                                      struct net_device *outdev,
 143                                      struct sock *sk,
 144                                      struct net *net,
 145                                      int (*okfn)(struct net *, struct sock *, struct sk_buff *))
 146{
 147        p->hook = hook;
 148        p->pf = pf;
 149        p->in = indev;
 150        p->out = outdev;
 151        p->sk = sk;
 152        p->net = net;
 153        p->okfn = okfn;
 154}
 155
 156
 157
 158struct nf_sockopt_ops {
 159        struct list_head list;
 160
 161        u_int8_t pf;
 162
 163        /* Non-inclusive ranges: use 0/0/NULL to never get called. */
 164        int set_optmin;
 165        int set_optmax;
 166        int (*set)(struct sock *sk, int optval, void __user *user, unsigned int len);
 167#ifdef CONFIG_COMPAT
 168        int (*compat_set)(struct sock *sk, int optval,
 169                        void __user *user, unsigned int len);
 170#endif
 171        int get_optmin;
 172        int get_optmax;
 173        int (*get)(struct sock *sk, int optval, void __user *user, int *len);
 174#ifdef CONFIG_COMPAT
 175        int (*compat_get)(struct sock *sk, int optval,
 176                        void __user *user, int *len);
 177#endif
 178        /* Use the module struct to lock set/get code in place */
 179        struct module *owner;
 180};
 181
 182/* Function to register/unregister hook points. */
 183int nf_register_net_hook(struct net *net, const struct nf_hook_ops *ops);
 184void nf_unregister_net_hook(struct net *net, const struct nf_hook_ops *ops);
 185int nf_register_net_hooks(struct net *net, const struct nf_hook_ops *reg,
 186                          unsigned int n);
 187void nf_unregister_net_hooks(struct net *net, const struct nf_hook_ops *reg,
 188                             unsigned int n);
 189
 190/* Functions to register get/setsockopt ranges (non-inclusive).  You
 191   need to check permissions yourself! */
 192int nf_register_sockopt(struct nf_sockopt_ops *reg);
 193void nf_unregister_sockopt(struct nf_sockopt_ops *reg);
 194
 195#ifdef CONFIG_JUMP_LABEL
 196extern struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
 197#endif
 198
 199int nf_hook_slow(struct sk_buff *skb, struct nf_hook_state *state,
 200                 const struct nf_hook_entries *e, unsigned int i);
 201
 202/**
 203 *      nf_hook - call a netfilter hook
 204 *
 205 *      Returns 1 if the hook has allowed the packet to pass.  The function
 206 *      okfn must be invoked by the caller in this case.  Any other return
 207 *      value indicates the packet has been consumed by the hook.
 208 */
 209static inline int nf_hook(u_int8_t pf, unsigned int hook, struct net *net,
 210                          struct sock *sk, struct sk_buff *skb,
 211                          struct net_device *indev, struct net_device *outdev,
 212                          int (*okfn)(struct net *, struct sock *, struct sk_buff *))
 213{
 214        struct nf_hook_entries *hook_head = NULL;
 215        int ret = 1;
 216
 217#ifdef CONFIG_JUMP_LABEL
 218        if (__builtin_constant_p(pf) &&
 219            __builtin_constant_p(hook) &&
 220            !static_key_false(&nf_hooks_needed[pf][hook]))
 221                return 1;
 222#endif
 223
 224        rcu_read_lock();
 225        switch (pf) {
 226        case NFPROTO_IPV4:
 227                hook_head = rcu_dereference(net->nf.hooks_ipv4[hook]);
 228                break;
 229        case NFPROTO_IPV6:
 230                hook_head = rcu_dereference(net->nf.hooks_ipv6[hook]);
 231                break;
 232        case NFPROTO_ARP:
 233#ifdef CONFIG_NETFILTER_FAMILY_ARP
 234                if (WARN_ON_ONCE(hook >= ARRAY_SIZE(net->nf.hooks_arp)))
 235                        break;
 236                hook_head = rcu_dereference(net->nf.hooks_arp[hook]);
 237#endif
 238                break;
 239        case NFPROTO_BRIDGE:
 240#ifdef CONFIG_NETFILTER_FAMILY_BRIDGE
 241                hook_head = rcu_dereference(net->nf.hooks_bridge[hook]);
 242#endif
 243                break;
 244#if IS_ENABLED(CONFIG_DECNET)
 245        case NFPROTO_DECNET:
 246                hook_head = rcu_dereference(net->nf.hooks_decnet[hook]);
 247                break;
 248#endif
 249        default:
 250                WARN_ON_ONCE(1);
 251                break;
 252        }
 253
 254        if (hook_head) {
 255                struct nf_hook_state state;
 256
 257                nf_hook_state_init(&state, hook, pf, indev, outdev,
 258                                   sk, net, okfn);
 259
 260                ret = nf_hook_slow(skb, &state, hook_head, 0);
 261        }
 262        rcu_read_unlock();
 263
 264        return ret;
 265}
 266
 267/* Activate hook; either okfn or kfree_skb called, unless a hook
 268   returns NF_STOLEN (in which case, it's up to the hook to deal with
 269   the consequences).
 270
 271   Returns -ERRNO if packet dropped.  Zero means queued, stolen or
 272   accepted.
 273*/
 274
 275/* RR:
 276   > I don't want nf_hook to return anything because people might forget
 277   > about async and trust the return value to mean "packet was ok".
 278
 279   AK:
 280   Just document it clearly, then you can expect some sense from kernel
 281   coders :)
 282*/
 283
 284static inline int
 285NF_HOOK_COND(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk,
 286             struct sk_buff *skb, struct net_device *in, struct net_device *out,
 287             int (*okfn)(struct net *, struct sock *, struct sk_buff *),
 288             bool cond)
 289{
 290        int ret;
 291
 292        if (!cond ||
 293            ((ret = nf_hook(pf, hook, net, sk, skb, in, out, okfn)) == 1))
 294                ret = okfn(net, sk, skb);
 295        return ret;
 296}
 297
 298static inline int
 299NF_HOOK(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk, struct sk_buff *skb,
 300        struct net_device *in, struct net_device *out,
 301        int (*okfn)(struct net *, struct sock *, struct sk_buff *))
 302{
 303        int ret = nf_hook(pf, hook, net, sk, skb, in, out, okfn);
 304        if (ret == 1)
 305                ret = okfn(net, sk, skb);
 306        return ret;
 307}
 308
 309static inline void
 310NF_HOOK_LIST(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk,
 311             struct list_head *head, struct net_device *in, struct net_device *out,
 312             int (*okfn)(struct net *, struct sock *, struct sk_buff *))
 313{
 314        struct sk_buff *skb, *next;
 315        struct list_head sublist;
 316
 317        INIT_LIST_HEAD(&sublist);
 318        list_for_each_entry_safe(skb, next, head, list) {
 319                list_del(&skb->list);
 320                if (nf_hook(pf, hook, net, sk, skb, in, out, okfn) == 1)
 321                        list_add_tail(&skb->list, &sublist);
 322        }
 323        /* Put passed packets back on main list */
 324        list_splice(&sublist, head);
 325}
 326
 327/* Call setsockopt() */
 328int nf_setsockopt(struct sock *sk, u_int8_t pf, int optval, char __user *opt,
 329                  unsigned int len);
 330int nf_getsockopt(struct sock *sk, u_int8_t pf, int optval, char __user *opt,
 331                  int *len);
 332#ifdef CONFIG_COMPAT
 333int compat_nf_setsockopt(struct sock *sk, u_int8_t pf, int optval,
 334                char __user *opt, unsigned int len);
 335int compat_nf_getsockopt(struct sock *sk, u_int8_t pf, int optval,
 336                char __user *opt, int *len);
 337#endif
 338
 339/* Call this before modifying an existing packet: ensures it is
 340   modifiable and linear to the point you care about (writable_len).
 341   Returns true or false. */
 342int skb_make_writable(struct sk_buff *skb, unsigned int writable_len);
 343
 344struct flowi;
 345struct nf_queue_entry;
 346
 347__sum16 nf_checksum(struct sk_buff *skb, unsigned int hook,
 348                    unsigned int dataoff, u_int8_t protocol,
 349                    unsigned short family);
 350
 351__sum16 nf_checksum_partial(struct sk_buff *skb, unsigned int hook,
 352                            unsigned int dataoff, unsigned int len,
 353                            u_int8_t protocol, unsigned short family);
 354int nf_route(struct net *net, struct dst_entry **dst, struct flowi *fl,
 355             bool strict, unsigned short family);
 356int nf_reroute(struct sk_buff *skb, struct nf_queue_entry *entry);
 357
 358#include <net/flow.h>
 359
 360struct nf_conn;
 361enum nf_nat_manip_type;
 362struct nlattr;
 363enum ip_conntrack_dir;
 364
 365struct nf_nat_hook {
 366        int (*parse_nat_setup)(struct nf_conn *ct, enum nf_nat_manip_type manip,
 367                               const struct nlattr *attr);
 368        void (*decode_session)(struct sk_buff *skb, struct flowi *fl);
 369        unsigned int (*manip_pkt)(struct sk_buff *skb, struct nf_conn *ct,
 370                                  enum nf_nat_manip_type mtype,
 371                                  enum ip_conntrack_dir dir);
 372};
 373
 374extern struct nf_nat_hook __rcu *nf_nat_hook;
 375
 376static inline void
 377nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, u_int8_t family)
 378{
 379#if IS_ENABLED(CONFIG_NF_NAT)
 380        struct nf_nat_hook *nat_hook;
 381
 382        rcu_read_lock();
 383        nat_hook = rcu_dereference(nf_nat_hook);
 384        if (nat_hook && nat_hook->decode_session)
 385                nat_hook->decode_session(skb, fl);
 386        rcu_read_unlock();
 387#endif
 388}
 389
 390#else /* !CONFIG_NETFILTER */
 391static inline int
 392NF_HOOK_COND(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk,
 393             struct sk_buff *skb, struct net_device *in, struct net_device *out,
 394             int (*okfn)(struct net *, struct sock *, struct sk_buff *),
 395             bool cond)
 396{
 397        return okfn(net, sk, skb);
 398}
 399
 400static inline int
 401NF_HOOK(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk,
 402        struct sk_buff *skb, struct net_device *in, struct net_device *out,
 403        int (*okfn)(struct net *, struct sock *, struct sk_buff *))
 404{
 405        return okfn(net, sk, skb);
 406}
 407
 408static inline void
 409NF_HOOK_LIST(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk,
 410             struct list_head *head, struct net_device *in, struct net_device *out,
 411             int (*okfn)(struct net *, struct sock *, struct sk_buff *))
 412{
 413        /* nothing to do */
 414}
 415
 416static inline int nf_hook(u_int8_t pf, unsigned int hook, struct net *net,
 417                          struct sock *sk, struct sk_buff *skb,
 418                          struct net_device *indev, struct net_device *outdev,
 419                          int (*okfn)(struct net *, struct sock *, struct sk_buff *))
 420{
 421        return 1;
 422}
 423struct flowi;
 424static inline void
 425nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, u_int8_t family)
 426{
 427}
 428#endif /*CONFIG_NETFILTER*/
 429
 430#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
 431#include <linux/netfilter/nf_conntrack_zones_common.h>
 432
 433extern void (*ip_ct_attach)(struct sk_buff *, const struct sk_buff *) __rcu;
 434void nf_ct_attach(struct sk_buff *, const struct sk_buff *);
 435struct nf_conntrack_tuple;
 436bool nf_ct_get_tuple_skb(struct nf_conntrack_tuple *dst_tuple,
 437                         const struct sk_buff *skb);
 438#else
 439static inline void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb) {}
 440struct nf_conntrack_tuple;
 441static inline bool nf_ct_get_tuple_skb(struct nf_conntrack_tuple *dst_tuple,
 442                                       const struct sk_buff *skb)
 443{
 444        return false;
 445}
 446#endif
 447
 448struct nf_conn;
 449enum ip_conntrack_info;
 450
 451struct nf_ct_hook {
 452        int (*update)(struct net *net, struct sk_buff *skb);
 453        void (*destroy)(struct nf_conntrack *);
 454        bool (*get_tuple_skb)(struct nf_conntrack_tuple *,
 455                              const struct sk_buff *);
 456};
 457extern struct nf_ct_hook __rcu *nf_ct_hook;
 458
 459struct nlattr;
 460
 461struct nfnl_ct_hook {
 462        struct nf_conn *(*get_ct)(const struct sk_buff *skb,
 463                                  enum ip_conntrack_info *ctinfo);
 464        size_t (*build_size)(const struct nf_conn *ct);
 465        int (*build)(struct sk_buff *skb, struct nf_conn *ct,
 466                     enum ip_conntrack_info ctinfo,
 467                     u_int16_t ct_attr, u_int16_t ct_info_attr);
 468        int (*parse)(const struct nlattr *attr, struct nf_conn *ct);
 469        int (*attach_expect)(const struct nlattr *attr, struct nf_conn *ct,
 470                             u32 portid, u32 report);
 471        void (*seq_adjust)(struct sk_buff *skb, struct nf_conn *ct,
 472                           enum ip_conntrack_info ctinfo, s32 off);
 473};
 474extern struct nfnl_ct_hook __rcu *nfnl_ct_hook;
 475
 476/**
 477 * nf_skb_duplicated - TEE target has sent a packet
 478 *
 479 * When a xtables target sends a packet, the OUTPUT and POSTROUTING
 480 * hooks are traversed again, i.e. nft and xtables are invoked recursively.
 481 *
 482 * This is used by xtables TEE target to prevent the duplicated skb from
 483 * being duplicated again.
 484 */
 485DECLARE_PER_CPU(bool, nf_skb_duplicated);
 486
 487#endif /*__LINUX_NETFILTER_H*/
 488