include/linux/netfilter.h

0001 /* SPDX-License-Identifier: GPL-2.0 */
0002 #ifndef __LINUX_NETFILTER_H
0003 #define __LINUX_NETFILTER_H
0004
0005 #include <linux/init.h>
0006 #include <linux/skbuff.h>
0007 #include <linux/net.h>
0008 #include <linux/if.h>
0009 #include <linux/in.h>
0010 #include <linux/in6.h>
0011 #include <linux/wait.h>
0012 #include <linux/list.h>
0013 #include <linux/static_key.h>
0014 #include <linux/netfilter_defs.h>
0015 #include <linux/netdevice.h>
0016 #include <linux/sockptr.h>
0017 #include <net/net_namespace.h>
0018
0019 static inline int NF_DROP_GETERR(int verdict)
0020 {
0021     return -(verdict >> NF_VERDICT_QBITS);
0022 }
0023
0024 static inline int nf_inet_addr_cmp(const union nf_inet_addr *a1,
0025                    const union nf_inet_addr *a2)
0026 {
0027 #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) && BITS_PER_LONG == 64
0028     const unsigned long *ul1 = (const unsigned long *)a1;
0029     const unsigned long *ul2 = (const unsigned long *)a2;
0030
0031     return ((ul1[0] ^ ul2[0]) | (ul1[1] ^ ul2[1])) == 0UL;
0032 #else
0033     return a1->all[0] == a2->all[0] &&
0034            a1->all[1] == a2->all[1] &&
0035            a1->all[2] == a2->all[2] &&
0036            a1->all[3] == a2->all[3];
0037 #endif
0038 }
0039
0040 static inline void nf_inet_addr_mask(const union nf_inet_addr *a1,
0041                      union nf_inet_addr *result,
0042                      const union nf_inet_addr *mask)
0043 {
0044 #if defined(CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS) && BITS_PER_LONG == 64
0045     const unsigned long *ua = (const unsigned long *)a1;
0046     unsigned long *ur = (unsigned long *)result;
0047     const unsigned long *um = (const unsigned long *)mask;
0048
0049     ur[0] = ua[0] & um[0];
0050     ur[1] = ua[1] & um[1];
0051 #else
0052     result->all[0] = a1->all[0] & mask->all[0];
0053     result->all[1] = a1->all[1] & mask->all[1];
0054     result->all[2] = a1->all[2] & mask->all[2];
0055     result->all[3] = a1->all[3] & mask->all[3];
0056 #endif
0057 }
0058
0059 int netfilter_init(void);
0060
0061 struct sk_buff;
0062
0063 struct nf_hook_ops;
0064
0065 struct sock;
0066
0067 struct nf_hook_state {
0068     u8 hook;
0069     u8 pf;
0070     struct net_device *in;
0071     struct net_device *out;
0072     struct sock *sk;
0073     struct net *net;
0074     int (*okfn)(struct net *, struct sock *, struct sk_buff *);
0075 };
0076
0077 typedef unsigned int nf_hookfn(void *priv,
0078                    struct sk_buff *skb,
0079                    const struct nf_hook_state *state);
0080 enum nf_hook_ops_type {
0081     NF_HOOK_OP_UNDEFINED,
0082     NF_HOOK_OP_NF_TABLES,
0083 };
0084
0085 struct nf_hook_ops {
0086     /* User fills in from here down. */
0087     nf_hookfn       *hook;
0088     struct net_device   *dev;
0089     void            *priv;
0090     u8          pf;
0091     enum nf_hook_ops_type   hook_ops_type:8;
0092     unsigned int        hooknum;
0093     /* Hooks are ordered in ascending priority. */
0094     int         priority;
0095 };
0096
0097 struct nf_hook_entry {
0098     nf_hookfn           *hook;
0099     void                *priv;
0100 };
0101
0102 struct nf_hook_entries_rcu_head {
0103     struct rcu_head head;
0104     void    *allocation;
0105 };
0106
0107 struct nf_hook_entries {
0108     u16             num_hook_entries;
0109     /* padding */
0110     struct nf_hook_entry        hooks[];
0111
0112     /* trailer: pointers to original orig_ops of each hook,
0113      * followed by rcu_head and scratch space used for freeing
0114      * the structure via call_rcu.
0115      *
0116      *   This is not part of struct nf_hook_entry since its only
0117      *   needed in slow path (hook register/unregister):
0118      * const struct nf_hook_ops     *orig_ops[]
0119      *
0120      *   For the same reason, we store this at end -- its
0121      *   only needed when a hook is deleted, not during
0122      *   packet path processing:
0123      * struct nf_hook_entries_rcu_head     head
0124      */
0125 };
0126
0127 #ifdef CONFIG_NETFILTER
0128 static inline struct nf_hook_ops **nf_hook_entries_get_hook_ops(const struct nf_hook_entries *e)
0129 {
0130     unsigned int n = e->num_hook_entries;
0131     const void *hook_end;
0132
0133     hook_end = &e->hooks[n]; /* this is *past* ->hooks[]! */
0134
0135     return (struct nf_hook_ops **)hook_end;
0136 }
0137
0138 static inline int
0139 nf_hook_entry_hookfn(const struct nf_hook_entry *entry, struct sk_buff *skb,
0140              struct nf_hook_state *state)
0141 {
0142     return entry->hook(entry->priv, skb, state);
0143 }
0144
0145 static inline void nf_hook_state_init(struct nf_hook_state *p,
0146                       unsigned int hook,
0147                       u_int8_t pf,
0148                       struct net_device *indev,
0149                       struct net_device *outdev,
0150                       struct sock *sk,
0151                       struct net *net,
0152                       int (*okfn)(struct net *, struct sock *, struct sk_buff *))
0153 {
0154     p->hook = hook;
0155     p->pf = pf;
0156     p->in = indev;
0157     p->out = outdev;
0158     p->sk = sk;
0159     p->net = net;
0160     p->okfn = okfn;
0161 }
0162
0163
0164
0165 struct nf_sockopt_ops {
0166     struct list_head list;
0167
0168     u_int8_t pf;
0169
0170     /* Non-inclusive ranges: use 0/0/NULL to never get called. */
0171     int set_optmin;
0172     int set_optmax;
0173     int (*set)(struct sock *sk, int optval, sockptr_t arg,
0174            unsigned int len);
0175     int get_optmin;
0176     int get_optmax;
0177     int (*get)(struct sock *sk, int optval, void __user *user, int *len);
0178     /* Use the module struct to lock set/get code in place */
0179     struct module *owner;
0180 };
0181
0182 /* Function to register/unregister hook points. */
0183 int nf_register_net_hook(struct net *net, const struct nf_hook_ops *ops);
0184 void nf_unregister_net_hook(struct net *net, const struct nf_hook_ops *ops);
0185 int nf_register_net_hooks(struct net *net, const struct nf_hook_ops *reg,
0186               unsigned int n);
0187 void nf_unregister_net_hooks(struct net *net, const struct nf_hook_ops *reg,
0188                  unsigned int n);
0189
0190 /* Functions to register get/setsockopt ranges (non-inclusive).  You
0191    need to check permissions yourself! */
0192 int nf_register_sockopt(struct nf_sockopt_ops *reg);
0193 void nf_unregister_sockopt(struct nf_sockopt_ops *reg);
0194
0195 #ifdef CONFIG_JUMP_LABEL
0196 extern struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
0197 #endif
0198
0199 int nf_hook_slow(struct sk_buff *skb, struct nf_hook_state *state,
0200          const struct nf_hook_entries *e, unsigned int i);
0201
0202 void nf_hook_slow_list(struct list_head *head, struct nf_hook_state *state,
0203                const struct nf_hook_entries *e);
0204 /**
0205  *  nf_hook - call a netfilter hook
0206  *
0207  *  Returns 1 if the hook has allowed the packet to pass.  The function
0208  *  okfn must be invoked by the caller in this case.  Any other return
0209  *  value indicates the packet has been consumed by the hook.
0210  */
0211 static inline int nf_hook(u_int8_t pf, unsigned int hook, struct net *net,
0212               struct sock *sk, struct sk_buff *skb,
0213               struct net_device *indev, struct net_device *outdev,
0214               int (*okfn)(struct net *, struct sock *, struct sk_buff *))
0215 {
0216     struct nf_hook_entries *hook_head = NULL;
0217     int ret = 1;
0218
0219 #ifdef CONFIG_JUMP_LABEL
0220     if (__builtin_constant_p(pf) &&
0221         __builtin_constant_p(hook) &&
0222         !static_key_false(&nf_hooks_needed[pf][hook]))
0223         return 1;
0224 #endif
0225
0226     rcu_read_lock();
0227     switch (pf) {
0228     case NFPROTO_IPV4:
0229         hook_head = rcu_dereference(net->nf.hooks_ipv4[hook]);
0230         break;
0231     case NFPROTO_IPV6:
0232         hook_head = rcu_dereference(net->nf.hooks_ipv6[hook]);
0233         break;
0234     case NFPROTO_ARP:
0235 #ifdef CONFIG_NETFILTER_FAMILY_ARP
0236         if (WARN_ON_ONCE(hook >= ARRAY_SIZE(net->nf.hooks_arp)))
0237             break;
0238         hook_head = rcu_dereference(net->nf.hooks_arp[hook]);
0239 #endif
0240         break;
0241     case NFPROTO_BRIDGE:
0242 #ifdef CONFIG_NETFILTER_FAMILY_BRIDGE
0243         hook_head = rcu_dereference(net->nf.hooks_bridge[hook]);
0244 #endif
0245         break;
0246 #if IS_ENABLED(CONFIG_DECNET)
0247     case NFPROTO_DECNET:
0248         hook_head = rcu_dereference(net->nf.hooks_decnet[hook]);
0249         break;
0250 #endif
0251     default:
0252         WARN_ON_ONCE(1);
0253         break;
0254     }
0255
0256     if (hook_head) {
0257         struct nf_hook_state state;
0258
0259         nf_hook_state_init(&state, hook, pf, indev, outdev,
0260                    sk, net, okfn);
0261
0262         ret = nf_hook_slow(skb, &state, hook_head, 0);
0263     }
0264     rcu_read_unlock();
0265
0266     return ret;
0267 }
0268
0269 /* Activate hook; either okfn or kfree_skb called, unless a hook
0270    returns NF_STOLEN (in which case, it's up to the hook to deal with
0271    the consequences).
0272
0273    Returns -ERRNO if packet dropped.  Zero means queued, stolen or
0274    accepted.
0275 */
0276
0277 /* RR:
0278    > I don't want nf_hook to return anything because people might forget
0279    > about async and trust the return value to mean "packet was ok".
0280
0281    AK:
0282    Just document it clearly, then you can expect some sense from kernel
0283    coders :)
0284 */
0285
0286 static inline int
0287 NF_HOOK_COND(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk,
0288          struct sk_buff *skb, struct net_device *in, struct net_device *out,
0289          int (*okfn)(struct net *, struct sock *, struct sk_buff *),
0290          bool cond)
0291 {
0292     int ret;
0293
0294     if (!cond ||
0295         ((ret = nf_hook(pf, hook, net, sk, skb, in, out, okfn)) == 1))
0296         ret = okfn(net, sk, skb);
0297     return ret;
0298 }
0299
0300 static inline int
0301 NF_HOOK(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk, struct sk_buff *skb,
0302     struct net_device *in, struct net_device *out,
0303     int (*okfn)(struct net *, struct sock *, struct sk_buff *))
0304 {
0305     int ret = nf_hook(pf, hook, net, sk, skb, in, out, okfn);
0306     if (ret == 1)
0307         ret = okfn(net, sk, skb);
0308     return ret;
0309 }
0310
0311 static inline void
0312 NF_HOOK_LIST(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk,
0313          struct list_head *head, struct net_device *in, struct net_device *out,
0314          int (*okfn)(struct net *, struct sock *, struct sk_buff *))
0315 {
0316     struct nf_hook_entries *hook_head = NULL;
0317
0318 #ifdef CONFIG_JUMP_LABEL
0319     if (__builtin_constant_p(pf) &&
0320         __builtin_constant_p(hook) &&
0321         !static_key_false(&nf_hooks_needed[pf][hook]))
0322         return;
0323 #endif
0324
0325     rcu_read_lock();
0326     switch (pf) {
0327     case NFPROTO_IPV4:
0328         hook_head = rcu_dereference(net->nf.hooks_ipv4[hook]);
0329         break;
0330     case NFPROTO_IPV6:
0331         hook_head = rcu_dereference(net->nf.hooks_ipv6[hook]);
0332         break;
0333     default:
0334         WARN_ON_ONCE(1);
0335         break;
0336     }
0337
0338     if (hook_head) {
0339         struct nf_hook_state state;
0340
0341         nf_hook_state_init(&state, hook, pf, in, out, sk, net, okfn);
0342
0343         nf_hook_slow_list(head, &state, hook_head);
0344     }
0345     rcu_read_unlock();
0346 }
0347
0348 /* Call setsockopt() */
0349 int nf_setsockopt(struct sock *sk, u_int8_t pf, int optval, sockptr_t opt,
0350           unsigned int len);
0351 int nf_getsockopt(struct sock *sk, u_int8_t pf, int optval, char __user *opt,
0352           int *len);
0353
0354 struct flowi;
0355 struct nf_queue_entry;
0356
0357 __sum16 nf_checksum(struct sk_buff *skb, unsigned int hook,
0358             unsigned int dataoff, u_int8_t protocol,
0359             unsigned short family);
0360
0361 __sum16 nf_checksum_partial(struct sk_buff *skb, unsigned int hook,
0362                 unsigned int dataoff, unsigned int len,
0363                 u_int8_t protocol, unsigned short family);
0364 int nf_route(struct net *net, struct dst_entry **dst, struct flowi *fl,
0365          bool strict, unsigned short family);
0366 int nf_reroute(struct sk_buff *skb, struct nf_queue_entry *entry);
0367
0368 #include <net/flow.h>
0369
0370 struct nf_conn;
0371 enum nf_nat_manip_type;
0372 struct nlattr;
0373 enum ip_conntrack_dir;
0374
0375 struct nf_nat_hook {
0376     int (*parse_nat_setup)(struct nf_conn *ct, enum nf_nat_manip_type manip,
0377                    const struct nlattr *attr);
0378     void (*decode_session)(struct sk_buff *skb, struct flowi *fl);
0379     unsigned int (*manip_pkt)(struct sk_buff *skb, struct nf_conn *ct,
0380                   enum nf_nat_manip_type mtype,
0381                   enum ip_conntrack_dir dir);
0382     void (*remove_nat_bysrc)(struct nf_conn *ct);
0383 };
0384
0385 extern const struct nf_nat_hook __rcu *nf_nat_hook;
0386
0387 static inline void
0388 nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, u_int8_t family)
0389 {
0390 #if IS_ENABLED(CONFIG_NF_NAT)
0391     const struct nf_nat_hook *nat_hook;
0392
0393     rcu_read_lock();
0394     nat_hook = rcu_dereference(nf_nat_hook);
0395     if (nat_hook && nat_hook->decode_session)
0396         nat_hook->decode_session(skb, fl);
0397     rcu_read_unlock();
0398 #endif
0399 }
0400
0401 #else /* !CONFIG_NETFILTER */
0402 static inline int
0403 NF_HOOK_COND(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk,
0404          struct sk_buff *skb, struct net_device *in, struct net_device *out,
0405          int (*okfn)(struct net *, struct sock *, struct sk_buff *),
0406          bool cond)
0407 {
0408     return okfn(net, sk, skb);
0409 }
0410
0411 static inline int
0412 NF_HOOK(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk,
0413     struct sk_buff *skb, struct net_device *in, struct net_device *out,
0414     int (*okfn)(struct net *, struct sock *, struct sk_buff *))
0415 {
0416     return okfn(net, sk, skb);
0417 }
0418
0419 static inline void
0420 NF_HOOK_LIST(uint8_t pf, unsigned int hook, struct net *net, struct sock *sk,
0421          struct list_head *head, struct net_device *in, struct net_device *out,
0422          int (*okfn)(struct net *, struct sock *, struct sk_buff *))
0423 {
0424     /* nothing to do */
0425 }
0426
0427 static inline int nf_hook(u_int8_t pf, unsigned int hook, struct net *net,
0428               struct sock *sk, struct sk_buff *skb,
0429               struct net_device *indev, struct net_device *outdev,
0430               int (*okfn)(struct net *, struct sock *, struct sk_buff *))
0431 {
0432     return 1;
0433 }
0434 struct flowi;
0435 static inline void
0436 nf_nat_decode_session(struct sk_buff *skb, struct flowi *fl, u_int8_t family)
0437 {
0438 }
0439 #endif /*CONFIG_NETFILTER*/
0440
0441 #if IS_ENABLED(CONFIG_NF_CONNTRACK)
0442 #include <linux/netfilter/nf_conntrack_zones_common.h>
0443
0444 void nf_ct_attach(struct sk_buff *, const struct sk_buff *);
0445 struct nf_conntrack_tuple;
0446 bool nf_ct_get_tuple_skb(struct nf_conntrack_tuple *dst_tuple,
0447              const struct sk_buff *skb);
0448 #else
0449 static inline void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb) {}
0450 struct nf_conntrack_tuple;
0451 static inline bool nf_ct_get_tuple_skb(struct nf_conntrack_tuple *dst_tuple,
0452                        const struct sk_buff *skb)
0453 {
0454     return false;
0455 }
0456 #endif
0457
0458 struct nf_conn;
0459 enum ip_conntrack_info;
0460
0461 struct nf_ct_hook {
0462     int (*update)(struct net *net, struct sk_buff *skb);
0463     void (*destroy)(struct nf_conntrack *);
0464     bool (*get_tuple_skb)(struct nf_conntrack_tuple *,
0465                   const struct sk_buff *);
0466     void (*attach)(struct sk_buff *nskb, const struct sk_buff *skb);
0467 };
0468 extern const struct nf_ct_hook __rcu *nf_ct_hook;
0469
0470 struct nlattr;
0471
0472 struct nfnl_ct_hook {
0473     size_t (*build_size)(const struct nf_conn *ct);
0474     int (*build)(struct sk_buff *skb, struct nf_conn *ct,
0475              enum ip_conntrack_info ctinfo,
0476              u_int16_t ct_attr, u_int16_t ct_info_attr);
0477     int (*parse)(const struct nlattr *attr, struct nf_conn *ct);
0478     int (*attach_expect)(const struct nlattr *attr, struct nf_conn *ct,
0479                  u32 portid, u32 report);
0480     void (*seq_adjust)(struct sk_buff *skb, struct nf_conn *ct,
0481                enum ip_conntrack_info ctinfo, s32 off);
0482 };
0483 extern const struct nfnl_ct_hook __rcu *nfnl_ct_hook;
0484
0485 /**
0486  * nf_skb_duplicated - TEE target has sent a packet
0487  *
0488  * When a xtables target sends a packet, the OUTPUT and POSTROUTING
0489  * hooks are traversed again, i.e. nft and xtables are invoked recursively.
0490  *
0491  * This is used by xtables TEE target to prevent the duplicated skb from
0492  * being duplicated again.
0493  */
0494 DECLARE_PER_CPU(bool, nf_skb_duplicated);
0495
0496 #endif /*__LINUX_NETFILTER_H*/