linux/netfilter/x_tables.h

0001 /* SPDX-License-Identifier: GPL-2.0 */
0002 #ifndef _X_TABLES_H
0003 #define _X_TABLES_H
0004
0005
0006 #include <linux/netdevice.h>
0007 #include <linux/static_key.h>
0008 #include <linux/netfilter.h>
0009 #include <uapi/linux/netfilter/x_tables.h>
0010
0011 /* Test a struct->invflags and a boolean for inequality */
0012 #define NF_INVF(ptr, flag, boolean)                 \
0013     ((boolean) ^ !!((ptr)->invflags & (flag)))
0014
0015 /**
0016  * struct xt_action_param - parameters for matches/targets
0017  *
0018  * @match:  the match extension
0019  * @target: the target extension
0020  * @matchinfo:  per-match data
0021  * @targetinfo: per-target data
0022  * @state:  pointer to hook state this packet came from
0023  * @fragoff:    packet is a fragment, this is the data offset
0024  * @thoff:  position of transport header relative to skb->data
0025  *
0026  * Fields written to by extensions:
0027  *
0028  * @hotdrop:    drop packet if we had inspection problems
0029  */
0030 struct xt_action_param {
0031     union {
0032         const struct xt_match *match;
0033         const struct xt_target *target;
0034     };
0035     union {
0036         const void *matchinfo, *targinfo;
0037     };
0038     const struct nf_hook_state *state;
0039     unsigned int thoff;
0040     u16 fragoff;
0041     bool hotdrop;
0042 };
0043
0044 static inline struct net *xt_net(const struct xt_action_param *par)
0045 {
0046     return par->state->net;
0047 }
0048
0049 static inline struct net_device *xt_in(const struct xt_action_param *par)
0050 {
0051     return par->state->in;
0052 }
0053
0054 static inline const char *xt_inname(const struct xt_action_param *par)
0055 {
0056     return par->state->in->name;
0057 }
0058
0059 static inline struct net_device *xt_out(const struct xt_action_param *par)
0060 {
0061     return par->state->out;
0062 }
0063
0064 static inline const char *xt_outname(const struct xt_action_param *par)
0065 {
0066     return par->state->out->name;
0067 }
0068
0069 static inline unsigned int xt_hooknum(const struct xt_action_param *par)
0070 {
0071     return par->state->hook;
0072 }
0073
0074 static inline u_int8_t xt_family(const struct xt_action_param *par)
0075 {
0076     return par->state->pf;
0077 }
0078
0079 /**
0080  * struct xt_mtchk_param - parameters for match extensions'
0081  * checkentry functions
0082  *
0083  * @net:    network namespace through which the check was invoked
0084  * @table:  table the rule is tried to be inserted into
0085  * @entryinfo:  the family-specific rule data
0086  *      (struct ipt_ip, ip6t_ip, arpt_arp or (note) ebt_entry)
0087  * @match:  struct xt_match through which this function was invoked
0088  * @matchinfo:  per-match data
0089  * @hook_mask:  via which hooks the new rule is reachable
0090  * Other fields as above.
0091  */
0092 struct xt_mtchk_param {
0093     struct net *net;
0094     const char *table;
0095     const void *entryinfo;
0096     const struct xt_match *match;
0097     void *matchinfo;
0098     unsigned int hook_mask;
0099     u_int8_t family;
0100     bool nft_compat;
0101 };
0102
0103 /**
0104  * struct xt_mdtor_param - match destructor parameters
0105  * Fields as above.
0106  */
0107 struct xt_mtdtor_param {
0108     struct net *net;
0109     const struct xt_match *match;
0110     void *matchinfo;
0111     u_int8_t family;
0112 };
0113
0114 /**
0115  * struct xt_tgchk_param - parameters for target extensions'
0116  * checkentry functions
0117  *
0118  * @entryinfo:  the family-specific rule data
0119  *      (struct ipt_entry, ip6t_entry, arpt_entry, ebt_entry)
0120  *
0121  * Other fields see above.
0122  */
0123 struct xt_tgchk_param {
0124     struct net *net;
0125     const char *table;
0126     const void *entryinfo;
0127     const struct xt_target *target;
0128     void *targinfo;
0129     unsigned int hook_mask;
0130     u_int8_t family;
0131     bool nft_compat;
0132 };
0133
0134 /* Target destructor parameters */
0135 struct xt_tgdtor_param {
0136     struct net *net;
0137     const struct xt_target *target;
0138     void *targinfo;
0139     u_int8_t family;
0140 };
0141
0142 struct xt_match {
0143     struct list_head list;
0144
0145     const char name[XT_EXTENSION_MAXNAMELEN];
0146     u_int8_t revision;
0147
0148     /* Return true or false: return FALSE and set *hotdrop = 1 to
0149            force immediate packet drop. */
0150     /* Arguments changed since 2.6.9, as this must now handle
0151        non-linear skb, using skb_header_pointer and
0152        skb_ip_make_writable. */
0153     bool (*match)(const struct sk_buff *skb,
0154               struct xt_action_param *);
0155
0156     /* Called when user tries to insert an entry of this type. */
0157     int (*checkentry)(const struct xt_mtchk_param *);
0158
0159     /* Called when entry of this type deleted. */
0160     void (*destroy)(const struct xt_mtdtor_param *);
0161 #ifdef CONFIG_NETFILTER_XTABLES_COMPAT
0162     /* Called when userspace align differs from kernel space one */
0163     void (*compat_from_user)(void *dst, const void *src);
0164     int (*compat_to_user)(void __user *dst, const void *src);
0165 #endif
0166     /* Set this to THIS_MODULE if you are a module, otherwise NULL */
0167     struct module *me;
0168
0169     const char *table;
0170     unsigned int matchsize;
0171     unsigned int usersize;
0172 #ifdef CONFIG_NETFILTER_XTABLES_COMPAT
0173     unsigned int compatsize;
0174 #endif
0175     unsigned int hooks;
0176     unsigned short proto;
0177
0178     unsigned short family;
0179 };
0180
0181 /* Registration hooks for targets. */
0182 struct xt_target {
0183     struct list_head list;
0184
0185     const char name[XT_EXTENSION_MAXNAMELEN];
0186     u_int8_t revision;
0187
0188     /* Returns verdict. Argument order changed since 2.6.9, as this
0189        must now handle non-linear skbs, using skb_copy_bits and
0190        skb_ip_make_writable. */
0191     unsigned int (*target)(struct sk_buff *skb,
0192                    const struct xt_action_param *);
0193
0194     /* Called when user tries to insert an entry of this type:
0195            hook_mask is a bitmask of hooks from which it can be
0196            called. */
0197     /* Should return 0 on success or an error code otherwise (-Exxxx). */
0198     int (*checkentry)(const struct xt_tgchk_param *);
0199
0200     /* Called when entry of this type deleted. */
0201     void (*destroy)(const struct xt_tgdtor_param *);
0202 #ifdef CONFIG_NETFILTER_XTABLES_COMPAT
0203     /* Called when userspace align differs from kernel space one */
0204     void (*compat_from_user)(void *dst, const void *src);
0205     int (*compat_to_user)(void __user *dst, const void *src);
0206 #endif
0207     /* Set this to THIS_MODULE if you are a module, otherwise NULL */
0208     struct module *me;
0209
0210     const char *table;
0211     unsigned int targetsize;
0212     unsigned int usersize;
0213 #ifdef CONFIG_NETFILTER_XTABLES_COMPAT
0214     unsigned int compatsize;
0215 #endif
0216     unsigned int hooks;
0217     unsigned short proto;
0218
0219     unsigned short family;
0220 };
0221
0222 /* Furniture shopping... */
0223 struct xt_table {
0224     struct list_head list;
0225
0226     /* What hooks you will enter on */
0227     unsigned int valid_hooks;
0228
0229     /* Man behind the curtain... */
0230     struct xt_table_info *private;
0231
0232     /* hook ops that register the table with the netfilter core */
0233     struct nf_hook_ops *ops;
0234
0235     /* Set this to THIS_MODULE if you are a module, otherwise NULL */
0236     struct module *me;
0237
0238     u_int8_t af;        /* address/protocol family */
0239     int priority;       /* hook order */
0240
0241     /* A unique name... */
0242     const char name[XT_TABLE_MAXNAMELEN];
0243 };
0244
0245 #include <linux/netfilter_ipv4.h>
0246
0247 /* The table itself */
0248 struct xt_table_info {
0249     /* Size per table */
0250     unsigned int size;
0251     /* Number of entries: FIXME. --RR */
0252     unsigned int number;
0253     /* Initial number of entries. Needed for module usage count */
0254     unsigned int initial_entries;
0255
0256     /* Entry points and underflows */
0257     unsigned int hook_entry[NF_INET_NUMHOOKS];
0258     unsigned int underflow[NF_INET_NUMHOOKS];
0259
0260     /*
0261      * Number of user chains. Since tables cannot have loops, at most
0262      * @stacksize jumps (number of user chains) can possibly be made.
0263      */
0264     unsigned int stacksize;
0265     void ***jumpstack;
0266
0267     unsigned char entries[] __aligned(8);
0268 };
0269
0270 int xt_register_target(struct xt_target *target);
0271 void xt_unregister_target(struct xt_target *target);
0272 int xt_register_targets(struct xt_target *target, unsigned int n);
0273 void xt_unregister_targets(struct xt_target *target, unsigned int n);
0274
0275 int xt_register_match(struct xt_match *target);
0276 void xt_unregister_match(struct xt_match *target);
0277 int xt_register_matches(struct xt_match *match, unsigned int n);
0278 void xt_unregister_matches(struct xt_match *match, unsigned int n);
0279
0280 int xt_check_entry_offsets(const void *base, const char *elems,
0281                unsigned int target_offset,
0282                unsigned int next_offset);
0283
0284 int xt_check_table_hooks(const struct xt_table_info *info, unsigned int valid_hooks);
0285
0286 unsigned int *xt_alloc_entry_offsets(unsigned int size);
0287 bool xt_find_jump_offset(const unsigned int *offsets,
0288              unsigned int target, unsigned int size);
0289
0290 int xt_check_proc_name(const char *name, unsigned int size);
0291
0292 int xt_check_match(struct xt_mtchk_param *, unsigned int size, u16 proto,
0293            bool inv_proto);
0294 int xt_check_target(struct xt_tgchk_param *, unsigned int size, u16 proto,
0295             bool inv_proto);
0296
0297 int xt_match_to_user(const struct xt_entry_match *m,
0298              struct xt_entry_match __user *u);
0299 int xt_target_to_user(const struct xt_entry_target *t,
0300               struct xt_entry_target __user *u);
0301 int xt_data_to_user(void __user *dst, const void *src,
0302             int usersize, int size, int aligned_size);
0303
0304 void *xt_copy_counters(sockptr_t arg, unsigned int len,
0305                struct xt_counters_info *info);
0306 struct xt_counters *xt_counters_alloc(unsigned int counters);
0307
0308 struct xt_table *xt_register_table(struct net *net,
0309                    const struct xt_table *table,
0310                    struct xt_table_info *bootstrap,
0311                    struct xt_table_info *newinfo);
0312 void *xt_unregister_table(struct xt_table *table);
0313
0314 struct xt_table_info *xt_replace_table(struct xt_table *table,
0315                        unsigned int num_counters,
0316                        struct xt_table_info *newinfo,
0317                        int *error);
0318
0319 struct xt_match *xt_find_match(u8 af, const char *name, u8 revision);
0320 struct xt_match *xt_request_find_match(u8 af, const char *name, u8 revision);
0321 struct xt_target *xt_request_find_target(u8 af, const char *name, u8 revision);
0322 int xt_find_revision(u8 af, const char *name, u8 revision, int target,
0323              int *err);
0324
0325 struct xt_table *xt_find_table(struct net *net, u8 af, const char *name);
0326 struct xt_table *xt_find_table_lock(struct net *net, u_int8_t af,
0327                     const char *name);
0328 struct xt_table *xt_request_find_table_lock(struct net *net, u_int8_t af,
0329                         const char *name);
0330 void xt_table_unlock(struct xt_table *t);
0331
0332 int xt_proto_init(struct net *net, u_int8_t af);
0333 void xt_proto_fini(struct net *net, u_int8_t af);
0334
0335 struct xt_table_info *xt_alloc_table_info(unsigned int size);
0336 void xt_free_table_info(struct xt_table_info *info);
0337
0338 /**
0339  * xt_recseq - recursive seqcount for netfilter use
0340  *
0341  * Packet processing changes the seqcount only if no recursion happened
0342  * get_counters() can use read_seqcount_begin()/read_seqcount_retry(),
0343  * because we use the normal seqcount convention :
0344  * Low order bit set to 1 if a writer is active.
0345  */
0346 DECLARE_PER_CPU(seqcount_t, xt_recseq);
0347
0348 /* xt_tee_enabled - true if x_tables needs to handle reentrancy
0349  *
0350  * Enabled if current ip(6)tables ruleset has at least one -j TEE rule.
0351  */
0352 extern struct static_key xt_tee_enabled;
0353
0354 /**
0355  * xt_write_recseq_begin - start of a write section
0356  *
0357  * Begin packet processing : all readers must wait the end
0358  * 1) Must be called with preemption disabled
0359  * 2) softirqs must be disabled too (or we should use this_cpu_add())
0360  * Returns :
0361  *  1 if no recursion on this cpu
0362  *  0 if recursion detected
0363  */
0364 static inline unsigned int xt_write_recseq_begin(void)
0365 {
0366     unsigned int addend;
0367
0368     /*
0369      * Low order bit of sequence is set if we already
0370      * called xt_write_recseq_begin().
0371      */
0372     addend = (__this_cpu_read(xt_recseq.sequence) + 1) & 1;
0373
0374     /*
0375      * This is kind of a write_seqcount_begin(), but addend is 0 or 1
0376      * We dont check addend value to avoid a test and conditional jump,
0377      * since addend is most likely 1
0378      */
0379     __this_cpu_add(xt_recseq.sequence, addend);
0380     smp_mb();
0381
0382     return addend;
0383 }
0384
0385 /**
0386  * xt_write_recseq_end - end of a write section
0387  * @addend: return value from previous xt_write_recseq_begin()
0388  *
0389  * End packet processing : all readers can proceed
0390  * 1) Must be called with preemption disabled
0391  * 2) softirqs must be disabled too (or we should use this_cpu_add())
0392  */
0393 static inline void xt_write_recseq_end(unsigned int addend)
0394 {
0395     /* this is kind of a write_seqcount_end(), but addend is 0 or 1 */
0396     smp_wmb();
0397     __this_cpu_add(xt_recseq.sequence, addend);
0398 }
0399
0400 /*
0401  * This helper is performance critical and must be inlined
0402  */
0403 static inline unsigned long ifname_compare_aligned(const char *_a,
0404                            const char *_b,
0405                            const char *_mask)
0406 {
0407     const unsigned long *a = (const unsigned long *)_a;
0408     const unsigned long *b = (const unsigned long *)_b;
0409     const unsigned long *mask = (const unsigned long *)_mask;
0410     unsigned long ret;
0411
0412     ret = (a[0] ^ b[0]) & mask[0];
0413     if (IFNAMSIZ > sizeof(unsigned long))
0414         ret |= (a[1] ^ b[1]) & mask[1];
0415     if (IFNAMSIZ > 2 * sizeof(unsigned long))
0416         ret |= (a[2] ^ b[2]) & mask[2];
0417     if (IFNAMSIZ > 3 * sizeof(unsigned long))
0418         ret |= (a[3] ^ b[3]) & mask[3];
0419     BUILD_BUG_ON(IFNAMSIZ > 4 * sizeof(unsigned long));
0420     return ret;
0421 }
0422
0423 struct xt_percpu_counter_alloc_state {
0424     unsigned int off;
0425     const char __percpu *mem;
0426 };
0427
0428 bool xt_percpu_counter_alloc(struct xt_percpu_counter_alloc_state *state,
0429                  struct xt_counters *counter);
0430 void xt_percpu_counter_free(struct xt_counters *cnt);
0431
0432 static inline struct xt_counters *
0433 xt_get_this_cpu_counter(struct xt_counters *cnt)
0434 {
0435     if (nr_cpu_ids > 1)
0436         return this_cpu_ptr((void __percpu *) (unsigned long) cnt->pcnt);
0437
0438     return cnt;
0439 }
0440
0441 static inline struct xt_counters *
0442 xt_get_per_cpu_counter(struct xt_counters *cnt, unsigned int cpu)
0443 {
0444     if (nr_cpu_ids > 1)
0445         return per_cpu_ptr((void __percpu *) (unsigned long) cnt->pcnt, cpu);
0446
0447     return cnt;
0448 }
0449
0450 struct nf_hook_ops *xt_hook_ops_alloc(const struct xt_table *, nf_hookfn *);
0451
0452 int xt_register_template(const struct xt_table *t, int(*table_init)(struct net *net));
0453 void xt_unregister_template(const struct xt_table *t);
0454
0455 #ifdef CONFIG_NETFILTER_XTABLES_COMPAT
0456 #include <net/compat.h>
0457
0458 struct compat_xt_entry_match {
0459     union {
0460         struct {
0461             u_int16_t match_size;
0462             char name[XT_FUNCTION_MAXNAMELEN - 1];
0463             u_int8_t revision;
0464         } user;
0465         struct {
0466             u_int16_t match_size;
0467             compat_uptr_t match;
0468         } kernel;
0469         u_int16_t match_size;
0470     } u;
0471     unsigned char data[];
0472 };
0473
0474 struct compat_xt_entry_target {
0475     union {
0476         struct {
0477             u_int16_t target_size;
0478             char name[XT_FUNCTION_MAXNAMELEN - 1];
0479             u_int8_t revision;
0480         } user;
0481         struct {
0482             u_int16_t target_size;
0483             compat_uptr_t target;
0484         } kernel;
0485         u_int16_t target_size;
0486     } u;
0487     unsigned char data[];
0488 };
0489
0490 /* FIXME: this works only on 32 bit tasks
0491  * need to change whole approach in order to calculate align as function of
0492  * current task alignment */
0493
0494 struct compat_xt_counters {
0495     compat_u64 pcnt, bcnt;          /* Packet and byte counters */
0496 };
0497
0498 struct compat_xt_counters_info {
0499     char name[XT_TABLE_MAXNAMELEN];
0500     compat_uint_t num_counters;
0501     struct compat_xt_counters counters[];
0502 };
0503
0504 struct _compat_xt_align {
0505     __u8 u8;
0506     __u16 u16;
0507     __u32 u32;
0508     compat_u64 u64;
0509 };
0510
0511 #define COMPAT_XT_ALIGN(s) __ALIGN_KERNEL((s), __alignof__(struct _compat_xt_align))
0512
0513 void xt_compat_lock(u_int8_t af);
0514 void xt_compat_unlock(u_int8_t af);
0515
0516 int xt_compat_add_offset(u_int8_t af, unsigned int offset, int delta);
0517 void xt_compat_flush_offsets(u_int8_t af);
0518 int xt_compat_init_offsets(u8 af, unsigned int number);
0519 int xt_compat_calc_jump(u_int8_t af, unsigned int offset);
0520
0521 int xt_compat_match_offset(const struct xt_match *match);
0522 void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
0523                   unsigned int *size);
0524 int xt_compat_match_to_user(const struct xt_entry_match *m,
0525                 void __user **dstptr, unsigned int *size);
0526
0527 int xt_compat_target_offset(const struct xt_target *target);
0528 void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr,
0529                 unsigned int *size);
0530 int xt_compat_target_to_user(const struct xt_entry_target *t,
0531                  void __user **dstptr, unsigned int *size);
0532 int xt_compat_check_entry_offsets(const void *base, const char *elems,
0533                   unsigned int target_offset,
0534                   unsigned int next_offset);
0535
0536 #endif /* CONFIG_NETFILTER_XTABLES_COMPAT */
0537 #endif /* _X_TABLES_H */