include/linux/netfilter_netdev.h

0001 /* SPDX-License-Identifier: GPL-2.0 */
0002 #ifndef _NETFILTER_NETDEV_H_
0003 #define _NETFILTER_NETDEV_H_
0004
0005 #include <linux/netfilter.h>
0006 #include <linux/netdevice.h>
0007
0008 #ifdef CONFIG_NETFILTER_INGRESS
0009 static inline bool nf_hook_ingress_active(const struct sk_buff *skb)
0010 {
0011 #ifdef CONFIG_JUMP_LABEL
0012     if (!static_key_false(&nf_hooks_needed[NFPROTO_NETDEV][NF_NETDEV_INGRESS]))
0013         return false;
0014 #endif
0015     return rcu_access_pointer(skb->dev->nf_hooks_ingress);
0016 }
0017
0018 /* caller must hold rcu_read_lock */
0019 static inline int nf_hook_ingress(struct sk_buff *skb)
0020 {
0021     struct nf_hook_entries *e = rcu_dereference(skb->dev->nf_hooks_ingress);
0022     struct nf_hook_state state;
0023     int ret;
0024
0025     /* Must recheck the ingress hook head, in the event it became NULL
0026      * after the check in nf_hook_ingress_active evaluated to true.
0027      */
0028     if (unlikely(!e))
0029         return 0;
0030
0031     nf_hook_state_init(&state, NF_NETDEV_INGRESS,
0032                NFPROTO_NETDEV, skb->dev, NULL, NULL,
0033                dev_net(skb->dev), NULL);
0034     ret = nf_hook_slow(skb, &state, e, 0);
0035     if (ret == 0)
0036         return -1;
0037
0038     return ret;
0039 }
0040
0041 #else /* CONFIG_NETFILTER_INGRESS */
0042 static inline int nf_hook_ingress_active(struct sk_buff *skb)
0043 {
0044     return 0;
0045 }
0046
0047 static inline int nf_hook_ingress(struct sk_buff *skb)
0048 {
0049     return 0;
0050 }
0051 #endif /* CONFIG_NETFILTER_INGRESS */
0052
0053 #ifdef CONFIG_NETFILTER_EGRESS
0054 static inline bool nf_hook_egress_active(void)
0055 {
0056 #ifdef CONFIG_JUMP_LABEL
0057     if (!static_key_false(&nf_hooks_needed[NFPROTO_NETDEV][NF_NETDEV_EGRESS]))
0058         return false;
0059 #endif
0060     return true;
0061 }
0062
0063 /**
0064  * nf_hook_egress - classify packets before transmission
0065  * @skb: packet to be classified
0066  * @rc: result code which shall be returned by __dev_queue_xmit() on failure
0067  * @dev: netdev whose egress hooks shall be applied to @skb
0068  *
0069  * Returns @skb on success or %NULL if the packet was consumed or filtered.
0070  * Caller must hold rcu_read_lock.
0071  *
0072  * On ingress, packets are classified first by tc, then by netfilter.
0073  * On egress, the order is reversed for symmetry.  Conceptually, tc and
0074  * netfilter can be thought of as layers, with netfilter layered above tc:
0075  * When tc redirects a packet to another interface, netfilter is not applied
0076  * because the packet is on the tc layer.
0077  *
0078  * The nf_skip_egress flag controls whether netfilter is applied on egress.
0079  * It is updated by __netif_receive_skb_core() and __dev_queue_xmit() when the
0080  * packet passes through tc and netfilter.  Because __dev_queue_xmit() may be
0081  * called recursively by tunnel drivers such as vxlan, the flag is reverted to
0082  * false after sch_handle_egress().  This ensures that netfilter is applied
0083  * both on the overlay and underlying network.
0084  */
0085 static inline struct sk_buff *nf_hook_egress(struct sk_buff *skb, int *rc,
0086                          struct net_device *dev)
0087 {
0088     struct nf_hook_entries *e;
0089     struct nf_hook_state state;
0090     int ret;
0091
0092 #ifdef CONFIG_NETFILTER_SKIP_EGRESS
0093     if (skb->nf_skip_egress)
0094         return skb;
0095 #endif
0096
0097     e = rcu_dereference_check(dev->nf_hooks_egress, rcu_read_lock_bh_held());
0098     if (!e)
0099         return skb;
0100
0101     nf_hook_state_init(&state, NF_NETDEV_EGRESS,
0102                NFPROTO_NETDEV, NULL, dev, NULL,
0103                dev_net(dev), NULL);
0104
0105     /* nf assumes rcu_read_lock, not just read_lock_bh */
0106     rcu_read_lock();
0107     ret = nf_hook_slow(skb, &state, e, 0);
0108     rcu_read_unlock();
0109
0110     if (ret == 1) {
0111         return skb;
0112     } else if (ret < 0) {
0113         *rc = NET_XMIT_DROP;
0114         return NULL;
0115     } else { /* ret == 0 */
0116         *rc = NET_XMIT_SUCCESS;
0117         return NULL;
0118     }
0119 }
0120 #else /* CONFIG_NETFILTER_EGRESS */
0121 static inline bool nf_hook_egress_active(void)
0122 {
0123     return false;
0124 }
0125
0126 static inline struct sk_buff *nf_hook_egress(struct sk_buff *skb, int *rc,
0127                          struct net_device *dev)
0128 {
0129     return skb;
0130 }
0131 #endif /* CONFIG_NETFILTER_EGRESS */
0132
0133 static inline void nf_skip_egress(struct sk_buff *skb, bool skip)
0134 {
0135 #ifdef CONFIG_NETFILTER_SKIP_EGRESS
0136     skb->nf_skip_egress = skip;
0137 #endif
0138 }
0139
0140 static inline void nf_hook_netdev_init(struct net_device *dev)
0141 {
0142 #ifdef CONFIG_NETFILTER_INGRESS
0143     RCU_INIT_POINTER(dev->nf_hooks_ingress, NULL);
0144 #endif
0145 #ifdef CONFIG_NETFILTER_EGRESS
0146     RCU_INIT_POINTER(dev->nf_hooks_egress, NULL);
0147 #endif
0148 }
0149
0150 #endif /* _NETFILTER_NETDEV_H_ */