LXR linux/include/linux/netfilter/x

   1/* SPDX-License-Identifier: GPL-2.0 */
   2#ifndef _X_TABLES_H
   3#define _X_TABLES_H
   4
   5
   6#include <linux/netdevice.h>
   7#include <linux/static_key.h>
   8#include <linux/netfilter.h>
   9#include <uapi/linux/netfilter/x_tables.h>
  10
  11/* Test a struct->invflags and a boolean for inequality */
  12#define NF_INVF(ptr, flag, boolean)                                     \
  13        ((boolean) ^ !!((ptr)->invflags & (flag)))
  14
  15/**
  16 * struct xt_action_param - parameters for matches/targets
  17 *
  18 * @match:      the match extension
  19 * @target:     the target extension
  20 * @matchinfo:  per-match data
  21 * @targetinfo: per-target data
  22 * @state:      pointer to hook state this packet came from
  23 * @fragoff:    packet is a fragment, this is the data offset
  24 * @thoff:      position of transport header relative to skb->data
  25 *
  26 * Fields written to by extensions:
  27 *
  28 * @hotdrop:    drop packet if we had inspection problems
  29 */
  30struct xt_action_param {
  31        union {
  32                const struct xt_match *match;
  33                const struct xt_target *target;
  34        };
  35        union {
  36                const void *matchinfo, *targinfo;
  37        };
  38        const struct nf_hook_state *state;
  39        unsigned int thoff;
  40        u16 fragoff;
  41        bool hotdrop;
  42};
  43
  44static inline struct net *xt_net(const struct xt_action_param *par)
  45{
  46        return par->state->net;
  47}
  48
  49static inline struct net_device *xt_in(const struct xt_action_param *par)
  50{
  51        return par->state->in;
  52}
  53
  54static inline const char *xt_inname(const struct xt_action_param *par)
  55{
  56        return par->state->in->name;
  57}
  58
  59static inline struct net_device *xt_out(const struct xt_action_param *par)
  60{
  61        return par->state->out;
  62}
  63
  64static inline const char *xt_outname(const struct xt_action_param *par)
  65{
  66        return par->state->out->name;
  67}
  68
  69static inline unsigned int xt_hooknum(const struct xt_action_param *par)
  70{
  71        return par->state->hook;
  72}
  73
  74static inline u_int8_t xt_family(const struct xt_action_param *par)
  75{
  76        return par->state->pf;
  77}
  78
  79/**
  80 * struct xt_mtchk_param - parameters for match extensions'
  81 * checkentry functions
  82 *
  83 * @net:        network namespace through which the check was invoked
  84 * @table:      table the rule is tried to be inserted into
  85 * @entryinfo:  the family-specific rule data
  86 *              (struct ipt_ip, ip6t_ip, arpt_arp or (note) ebt_entry)
  87 * @match:      struct xt_match through which this function was invoked
  88 * @matchinfo:  per-match data
  89 * @hook_mask:  via which hooks the new rule is reachable
  90 * Other fields as above.
  91 */
  92struct xt_mtchk_param {
  93        struct net *net;
  94        const char *table;
  95        const void *entryinfo;
  96        const struct xt_match *match;
  97        void *matchinfo;
  98        unsigned int hook_mask;
  99        u_int8_t family;
 100        bool nft_compat;
 101};
 102
 103/**
 104 * struct xt_mdtor_param - match destructor parameters
 105 * Fields as above.
 106 */
 107struct xt_mtdtor_param {
 108        struct net *net;
 109        const struct xt_match *match;
 110        void *matchinfo;
 111        u_int8_t family;
 112};
 113
 114/**
 115 * struct xt_tgchk_param - parameters for target extensions'
 116 * checkentry functions
 117 *
 118 * @entryinfo:  the family-specific rule data
 119 *              (struct ipt_entry, ip6t_entry, arpt_entry, ebt_entry)
 120 *
 121 * Other fields see above.
 122 */
 123struct xt_tgchk_param {
 124        struct net *net;
 125        const char *table;
 126        const void *entryinfo;
 127        const struct xt_target *target;
 128        void *targinfo;
 129        unsigned int hook_mask;
 130        u_int8_t family;
 131        bool nft_compat;
 132};
 133
 134/* Target destructor parameters */
 135struct xt_tgdtor_param {
 136        struct net *net;
 137        const struct xt_target *target;
 138        void *targinfo;
 139        u_int8_t family;
 140};
 141
 142struct xt_match {
 143        struct list_head list;
 144
 145        const char name[XT_EXTENSION_MAXNAMELEN];
 146        u_int8_t revision;
 147
 148        /* Return true or false: return FALSE and set *hotdrop = 1 to
 149           force immediate packet drop. */
 150        /* Arguments changed since 2.6.9, as this must now handle
 151           non-linear skb, using skb_header_pointer and
 152           skb_ip_make_writable. */
 153        bool (*match)(const struct sk_buff *skb,
 154                      struct xt_action_param *);
 155
 156        /* Called when user tries to insert an entry of this type. */
 157        int (*checkentry)(const struct xt_mtchk_param *);
 158
 159        /* Called when entry of this type deleted. */
 160        void (*destroy)(const struct xt_mtdtor_param *);
 161#ifdef CONFIG_NETFILTER_XTABLES_COMPAT
 162        /* Called when userspace align differs from kernel space one */
 163        void (*compat_from_user)(void *dst, const void *src);
 164        int (*compat_to_user)(void __user *dst, const void *src);
 165#endif
 166        /* Set this to THIS_MODULE if you are a module, otherwise NULL */
 167        struct module *me;
 168
 169        const char *table;
 170        unsigned int matchsize;
 171        unsigned int usersize;
 172#ifdef CONFIG_NETFILTER_XTABLES_COMPAT
 173        unsigned int compatsize;
 174#endif
 175        unsigned int hooks;
 176        unsigned short proto;
 177
 178        unsigned short family;
 179};
 180
 181/* Registration hooks for targets. */
 182struct xt_target {
 183        struct list_head list;
 184
 185        const char name[XT_EXTENSION_MAXNAMELEN];
 186        u_int8_t revision;
 187
 188        /* Returns verdict. Argument order changed since 2.6.9, as this
 189           must now handle non-linear skbs, using skb_copy_bits and
 190           skb_ip_make_writable. */
 191        unsigned int (*target)(struct sk_buff *skb,
 192                               const struct xt_action_param *);
 193
 194        /* Called when user tries to insert an entry of this type:
 195           hook_mask is a bitmask of hooks from which it can be
 196           called. */
 197        /* Should return 0 on success or an error code otherwise (-Exxxx). */
 198        int (*checkentry)(const struct xt_tgchk_param *);
 199
 200        /* Called when entry of this type deleted. */
 201        void (*destroy)(const struct xt_tgdtor_param *);
 202#ifdef CONFIG_NETFILTER_XTABLES_COMPAT
 203        /* Called when userspace align differs from kernel space one */
 204        void (*compat_from_user)(void *dst, const void *src);
 205        int (*compat_to_user)(void __user *dst, const void *src);
 206#endif
 207        /* Set this to THIS_MODULE if you are a module, otherwise NULL */
 208        struct module *me;
 209
 210        const char *table;
 211        unsigned int targetsize;
 212        unsigned int usersize;
 213#ifdef CONFIG_NETFILTER_XTABLES_COMPAT
 214        unsigned int compatsize;
 215#endif
 216        unsigned int hooks;
 217        unsigned short proto;
 218
 219        unsigned short family;
 220};
 221
 222/* Furniture shopping... */
 223struct xt_table {
 224        struct list_head list;
 225
 226        /* What hooks you will enter on */
 227        unsigned int valid_hooks;
 228
 229        /* Man behind the curtain... */
 230        struct xt_table_info *private;
 231
 232        /* hook ops that register the table with the netfilter core */
 233        struct nf_hook_ops *ops;
 234
 235        /* Set this to THIS_MODULE if you are a module, otherwise NULL */
 236        struct module *me;
 237
 238        u_int8_t af;            /* address/protocol family */
 239        int priority;           /* hook order */
 240
 241        /* A unique name... */
 242        const char name[XT_TABLE_MAXNAMELEN];
 243};
 244
 245#include <linux/netfilter_ipv4.h>
 246
 247/* The table itself */
 248struct xt_table_info {
 249        /* Size per table */
 250        unsigned int size;
 251        /* Number of entries: FIXME. --RR */
 252        unsigned int number;
 253        /* Initial number of entries. Needed for module usage count */
 254        unsigned int initial_entries;
 255
 256        /* Entry points and underflows */
 257        unsigned int hook_entry[NF_INET_NUMHOOKS];
 258        unsigned int underflow[NF_INET_NUMHOOKS];
 259
 260        /*
 261         * Number of user chains. Since tables cannot have loops, at most
 262         * @stacksize jumps (number of user chains) can possibly be made.
 263         */
 264        unsigned int stacksize;
 265        void ***jumpstack;
 266
 267        unsigned char entries[] __aligned(8);
 268};
 269
 270int xt_register_target(struct xt_target *target);
 271void xt_unregister_target(struct xt_target *target);
 272int xt_register_targets(struct xt_target *target, unsigned int n);
 273void xt_unregister_targets(struct xt_target *target, unsigned int n);
 274
 275int xt_register_match(struct xt_match *target);
 276void xt_unregister_match(struct xt_match *target);
 277int xt_register_matches(struct xt_match *match, unsigned int n);
 278void xt_unregister_matches(struct xt_match *match, unsigned int n);
 279
 280int xt_check_entry_offsets(const void *base, const char *elems,
 281                           unsigned int target_offset,
 282                           unsigned int next_offset);
 283
 284int xt_check_table_hooks(const struct xt_table_info *info, unsigned int valid_hooks);
 285
 286unsigned int *xt_alloc_entry_offsets(unsigned int size);
 287bool xt_find_jump_offset(const unsigned int *offsets,
 288                         unsigned int target, unsigned int size);
 289
 290int xt_check_proc_name(const char *name, unsigned int size);
 291
 292int xt_check_match(struct xt_mtchk_param *, unsigned int size, u16 proto,
 293                   bool inv_proto);
 294int xt_check_target(struct xt_tgchk_param *, unsigned int size, u16 proto,
 295                    bool inv_proto);
 296
 297int xt_match_to_user(const struct xt_entry_match *m,
 298                     struct xt_entry_match __user *u);
 299int xt_target_to_user(const struct xt_entry_target *t,
 300                      struct xt_entry_target __user *u);
 301int xt_data_to_user(void __user *dst, const void *src,
 302                    int usersize, int size, int aligned_size);
 303
 304void *xt_copy_counters(sockptr_t arg, unsigned int len,
 305                       struct xt_counters_info *info);
 306struct xt_counters *xt_counters_alloc(unsigned int counters);
 307
 308struct xt_table *xt_register_table(struct net *net,
 309                                   const struct xt_table *table,
 310                                   struct xt_table_info *bootstrap,
 311                                   struct xt_table_info *newinfo);
 312void *xt_unregister_table(struct xt_table *table);
 313
 314struct xt_table_info *xt_replace_table(struct xt_table *table,
 315                                       unsigned int num_counters,
 316                                       struct xt_table_info *newinfo,
 317                                       int *error);
 318
 319struct xt_match *xt_find_match(u8 af, const char *name, u8 revision);
 320struct xt_match *xt_request_find_match(u8 af, const char *name, u8 revision);
 321struct xt_target *xt_request_find_target(u8 af, const char *name, u8 revision);
 322int xt_find_revision(u8 af, const char *name, u8 revision, int target,
 323                     int *err);
 324
 325struct xt_table *xt_find_table(struct net *net, u8 af, const char *name);
 326struct xt_table *xt_find_table_lock(struct net *net, u_int8_t af,
 327                                    const char *name);
 328struct xt_table *xt_request_find_table_lock(struct net *net, u_int8_t af,
 329                                            const char *name);
 330void xt_table_unlock(struct xt_table *t);
 331
 332int xt_proto_init(struct net *net, u_int8_t af);
 333void xt_proto_fini(struct net *net, u_int8_t af);
 334
 335struct xt_table_info *xt_alloc_table_info(unsigned int size);
 336void xt_free_table_info(struct xt_table_info *info);
 337
 338/**
 339 * xt_recseq - recursive seqcount for netfilter use
 340 *
 341 * Packet processing changes the seqcount only if no recursion happened
 342 * get_counters() can use read_seqcount_begin()/read_seqcount_retry(),
 343 * because we use the normal seqcount convention :
 344 * Low order bit set to 1 if a writer is active.
 345 */
 346DECLARE_PER_CPU(seqcount_t, xt_recseq);
 347
 348/* xt_tee_enabled - true if x_tables needs to handle reentrancy
 349 *
 350 * Enabled if current ip(6)tables ruleset has at least one -j TEE rule.
 351 */
 352extern struct static_key xt_tee_enabled;
 353
 354/**
 355 * xt_write_recseq_begin - start of a write section
 356 *
 357 * Begin packet processing : all readers must wait the end
 358 * 1) Must be called with preemption disabled
 359 * 2) softirqs must be disabled too (or we should use this_cpu_add())
 360 * Returns :
 361 *  1 if no recursion on this cpu
 362 *  0 if recursion detected
 363 */
 364static inline unsigned int xt_write_recseq_begin(void)
 365{
 366        unsigned int addend;
 367
 368        /*
 369         * Low order bit of sequence is set if we already
 370         * called xt_write_recseq_begin().
 371         */
 372        addend = (__this_cpu_read(xt_recseq.sequence) + 1) & 1;
 373
 374        /*
 375         * This is kind of a write_seqcount_begin(), but addend is 0 or 1
 376         * We dont check addend value to avoid a test and conditional jump,
 377         * since addend is most likely 1
 378         */
 379        __this_cpu_add(xt_recseq.sequence, addend);
 380        smp_mb();
 381
 382        return addend;
 383}
 384
 385/**
 386 * xt_write_recseq_end - end of a write section
 387 * @addend: return value from previous xt_write_recseq_begin()
 388 *
 389 * End packet processing : all readers can proceed
 390 * 1) Must be called with preemption disabled
 391 * 2) softirqs must be disabled too (or we should use this_cpu_add())
 392 */
 393static inline void xt_write_recseq_end(unsigned int addend)
 394{
 395        /* this is kind of a write_seqcount_end(), but addend is 0 or 1 */
 396        smp_wmb();
 397        __this_cpu_add(xt_recseq.sequence, addend);
 398}
 399
 400/*
 401 * This helper is performance critical and must be inlined
 402 */
 403static inline unsigned long ifname_compare_aligned(const char *_a,
 404                                                   const char *_b,
 405                                                   const char *_mask)
 406{
 407        const unsigned long *a = (const unsigned long *)_a;
 408        const unsigned long *b = (const unsigned long *)_b;
 409        const unsigned long *mask = (const unsigned long *)_mask;
 410        unsigned long ret;
 411
 412        ret = (a[0] ^ b[0]) & mask[0];
 413        if (IFNAMSIZ > sizeof(unsigned long))
 414                ret |= (a[1] ^ b[1]) & mask[1];
 415        if (IFNAMSIZ > 2 * sizeof(unsigned long))
 416                ret |= (a[2] ^ b[2]) & mask[2];
 417        if (IFNAMSIZ > 3 * sizeof(unsigned long))
 418                ret |= (a[3] ^ b[3]) & mask[3];
 419        BUILD_BUG_ON(IFNAMSIZ > 4 * sizeof(unsigned long));
 420        return ret;
 421}
 422
 423struct xt_percpu_counter_alloc_state {
 424        unsigned int off;
 425        const char __percpu *mem;
 426};
 427
 428bool xt_percpu_counter_alloc(struct xt_percpu_counter_alloc_state *state,
 429                             struct xt_counters *counter);
 430void xt_percpu_counter_free(struct xt_counters *cnt);
 431
 432static inline struct xt_counters *
 433xt_get_this_cpu_counter(struct xt_counters *cnt)
 434{
 435        if (nr_cpu_ids > 1)
 436                return this_cpu_ptr((void __percpu *) (unsigned long) cnt->pcnt);
 437
 438        return cnt;
 439}
 440
 441static inline struct xt_counters *
 442xt_get_per_cpu_counter(struct xt_counters *cnt, unsigned int cpu)
 443{
 444        if (nr_cpu_ids > 1)
 445                return per_cpu_ptr((void __percpu *) (unsigned long) cnt->pcnt, cpu);
 446
 447        return cnt;
 448}
 449
 450struct nf_hook_ops *xt_hook_ops_alloc(const struct xt_table *, nf_hookfn *);
 451
 452int xt_register_template(const struct xt_table *t, int(*table_init)(struct net *net));
 453void xt_unregister_template(const struct xt_table *t);
 454
 455#ifdef CONFIG_NETFILTER_XTABLES_COMPAT
 456#include <net/compat.h>
 457
 458struct compat_xt_entry_match {
 459        union {
 460                struct {
 461                        u_int16_t match_size;
 462                        char name[XT_FUNCTION_MAXNAMELEN - 1];
 463                        u_int8_t revision;
 464                } user;
 465                struct {
 466                        u_int16_t match_size;
 467                        compat_uptr_t match;
 468                } kernel;
 469                u_int16_t match_size;
 470        } u;
 471        unsigned char data[];
 472};
 473
 474struct compat_xt_entry_target {
 475        union {
 476                struct {
 477                        u_int16_t target_size;
 478                        char name[XT_FUNCTION_MAXNAMELEN - 1];
 479                        u_int8_t revision;
 480                } user;
 481                struct {
 482                        u_int16_t target_size;
 483                        compat_uptr_t target;
 484                } kernel;
 485                u_int16_t target_size;
 486        } u;
 487        unsigned char data[];
 488};
 489
 490/* FIXME: this works only on 32 bit tasks
 491 * need to change whole approach in order to calculate align as function of
 492 * current task alignment */
 493
 494struct compat_xt_counters {
 495        compat_u64 pcnt, bcnt;                  /* Packet and byte counters */
 496};
 497
 498struct compat_xt_counters_info {
 499        char name[XT_TABLE_MAXNAMELEN];
 500        compat_uint_t num_counters;
 501        struct compat_xt_counters counters[];
 502};
 503
 504struct _compat_xt_align {
 505        __u8 u8;
 506        __u16 u16;
 507        __u32 u32;
 508        compat_u64 u64;
 509};
 510
 511#define COMPAT_XT_ALIGN(s) __ALIGN_KERNEL((s), __alignof__(struct _compat_xt_align))
 512
 513void xt_compat_lock(u_int8_t af);
 514void xt_compat_unlock(u_int8_t af);
 515
 516int xt_compat_add_offset(u_int8_t af, unsigned int offset, int delta);
 517void xt_compat_flush_offsets(u_int8_t af);
 518int xt_compat_init_offsets(u8 af, unsigned int number);
 519int xt_compat_calc_jump(u_int8_t af, unsigned int offset);
 520
 521int xt_compat_match_offset(const struct xt_match *match);
 522void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
 523                              unsigned int *size);
 524int xt_compat_match_to_user(const struct xt_entry_match *m,
 525                            void __user **dstptr, unsigned int *size);
 526
 527int xt_compat_target_offset(const struct xt_target *target);
 528void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr,
 529                                unsigned int *size);
 530int xt_compat_target_to_user(const struct xt_entry_target *t,
 531                             void __user **dstptr, unsigned int *size);
 532int xt_compat_check_entry_offsets(const void *base, const char *elems,
 533                                  unsigned int target_offset,
 534                                  unsigned int next_offset);
 535
 536#endif /* CONFIG_NETFILTER_XTABLES_COMPAT */
 537#endif /* _X_TABLES_H */
 538