1 // SPDX-License-Identifier: GPL-2.0 2 /* netfilter.c: look after the filters for various protocols. 3 * Heavily influenced by the old firewall.c by David Bonn and Alan Cox. 4 * 5 * Thanks to Rob `CmdrTaco' Malda for not influencing this code in any 6 * way. 7 */ 8 #include <linux/kernel.h> 9 #include <linux/netfilter.h> 10 #include <net/protocol.h> 11 #include <linux/init.h> 12 #include <linux/skbuff.h> 13 #include <linux/wait.h> 14 #include <linux/module.h> 15 #include <linux/interrupt.h> 16 #include <linux/if.h> 17 #include <linux/netdevice.h> 18 #include <linux/netfilter_ipv6.h> 19 #include <linux/inetdevice.h> 20 #include <linux/proc_fs.h> 21 #include <linux/mutex.h> 22 #include <linux/mm.h> 23 #include <linux/rcupdate.h> 24 #include <net/net_namespace.h> 25 #include <net/netfilter/nf_queue.h> 26 #include <net/sock.h> 27 28 #include "nf_internals.h" 29 30 #ifdef CONFIG_JUMP_LABEL 31 struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS]; 32 EXPORT_SYMBOL(nf_hooks_needed); 33 #endif 34 35 static DEFINE_MUTEX(nf_hook_mutex); 36 37 /* max hooks per family/hooknum */ 38 #define MAX_HOOK_COUNT 1024 39 40 #define nf_entry_dereference(e) \ 41 rcu_dereference_protected(e, lockdep_is_held(&nf_hook_mutex)) 42 43 static struct nf_hook_entries *allocate_hook_entries_size(u16 num) 44 { 45 struct nf_hook_entries *e; 46 size_t alloc = sizeof(*e) + 47 sizeof(struct nf_hook_entry) * num + 48 sizeof(struct nf_hook_ops *) * num + 49 sizeof(struct nf_hook_entries_rcu_head); 50 51 if (num == 0) 52 return NULL; 53 54 e = kvzalloc(alloc, GFP_KERNEL_ACCOUNT); 55 if (e) 56 e->num_hook_entries = num; 57 return e; 58 } 59 60 static void __nf_hook_entries_free(struct rcu_head *h) 61 { 62 struct nf_hook_entries_rcu_head *head; 63 64 head = container_of(h, struct nf_hook_entries_rcu_head, head); 65 kvfree(head->allocation); 66 } 67 68 static void nf_hook_entries_free(struct nf_hook_entries *e) 69 { 70 struct nf_hook_entries_rcu_head *head; 71 struct nf_hook_ops **ops; 72 unsigned int num; 73 74 if (!e) 75 return; 76 77 num = e->num_hook_entries; 78 ops = nf_hook_entries_get_hook_ops(e); 79 head = (void *)&ops[num]; 80 head->allocation = e; 81 call_rcu(&head->head, __nf_hook_entries_free); 82 } 83 84 static unsigned int accept_all(void *priv, 85 struct sk_buff *skb, 86 const struct nf_hook_state *state) 87 { 88 return NF_ACCEPT; /* ACCEPT makes nf_hook_slow call next hook */ 89 } 90 91 static const struct nf_hook_ops dummy_ops = { 92 .hook = accept_all, 93 .priority = INT_MIN, 94 }; 95 96 static struct nf_hook_entries * 97 nf_hook_entries_grow(const struct nf_hook_entries *old, 98 const struct nf_hook_ops *reg) 99 { 100 unsigned int i, alloc_entries, nhooks, old_entries; 101 struct nf_hook_ops **orig_ops = NULL; 102 struct nf_hook_ops **new_ops; 103 struct nf_hook_entries *new; 104 bool inserted = false; 105 106 alloc_entries = 1; 107 old_entries = old ? old->num_hook_entries : 0; 108 109 if (old) { 110 orig_ops = nf_hook_entries_get_hook_ops(old); 111 112 for (i = 0; i < old_entries; i++) { 113 if (orig_ops[i] != &dummy_ops) 114 alloc_entries++; 115 116 /* Restrict BPF hook type to force a unique priority, not 117 * shared at attach time. 118 * 119 * This is mainly to avoid ordering issues between two 120 * different bpf programs, this doesn't prevent a normal 121 * hook at same priority as a bpf one (we don't want to 122 * prevent defrag, conntrack, iptables etc from attaching). 123 */ 124 if (reg->priority == orig_ops[i]->priority && 125 reg->hook_ops_type == NF_HOOK_OP_BPF) 126 return ERR_PTR(-EBUSY); 127 } 128 } 129 130 if (alloc_entries > MAX_HOOK_COUNT) 131 return ERR_PTR(-E2BIG); 132 133 new = allocate_hook_entries_size(alloc_entries); 134 if (!new) 135 return ERR_PTR(-ENOMEM); 136 137 new_ops = nf_hook_entries_get_hook_ops(new); 138 139 i = 0; 140 nhooks = 0; 141 while (i < old_entries) { 142 if (orig_ops[i] == &dummy_ops) { 143 ++i; 144 continue; 145 } 146 147 if (inserted || reg->priority > orig_ops[i]->priority) { 148 new_ops[nhooks] = (void *)orig_ops[i]; 149 new->hooks[nhooks] = old->hooks[i]; 150 i++; 151 } else { 152 new_ops[nhooks] = (void *)reg; 153 new->hooks[nhooks].hook = reg->hook; 154 new->hooks[nhooks].priv = reg->priv; 155 inserted = true; 156 } 157 nhooks++; 158 } 159 160 if (!inserted) { 161 new_ops[nhooks] = (void *)reg; 162 new->hooks[nhooks].hook = reg->hook; 163 new->hooks[nhooks].priv = reg->priv; 164 } 165 166 return new; 167 } 168 169 static void hooks_validate(const struct nf_hook_entries *hooks) 170 { 171 #ifdef CONFIG_DEBUG_MISC 172 struct nf_hook_ops **orig_ops; 173 int prio = INT_MIN; 174 size_t i = 0; 175 176 orig_ops = nf_hook_entries_get_hook_ops(hooks); 177 178 for (i = 0; i < hooks->num_hook_entries; i++) { 179 if (orig_ops[i] == &dummy_ops) 180 continue; 181 182 WARN_ON(orig_ops[i]->priority < prio); 183 184 if (orig_ops[i]->priority > prio) 185 prio = orig_ops[i]->priority; 186 } 187 #endif 188 } 189 190 int nf_hook_entries_insert_raw(struct nf_hook_entries __rcu **pp, 191 const struct nf_hook_ops *reg) 192 { 193 struct nf_hook_entries *new_hooks; 194 struct nf_hook_entries *p; 195 196 p = rcu_dereference_raw(*pp); 197 new_hooks = nf_hook_entries_grow(p, reg); 198 if (IS_ERR(new_hooks)) 199 return PTR_ERR(new_hooks); 200 201 hooks_validate(new_hooks); 202 203 rcu_assign_pointer(*pp, new_hooks); 204 205 BUG_ON(p == new_hooks); 206 nf_hook_entries_free(p); 207 return 0; 208 } 209 EXPORT_SYMBOL_GPL(nf_hook_entries_insert_raw); 210 211 /* 212 * __nf_hook_entries_try_shrink - try to shrink hook array 213 * 214 * @old -- current hook blob at @pp 215 * @pp -- location of hook blob 216 * 217 * Hook unregistration must always succeed, so to-be-removed hooks 218 * are replaced by a dummy one that will just move to next hook. 219 * 220 * This counts the current dummy hooks, attempts to allocate new blob, 221 * copies the live hooks, then replaces and discards old one. 222 * 223 * return values: 224 * 225 * Returns address to free, or NULL. 226 */ 227 static void *__nf_hook_entries_try_shrink(struct nf_hook_entries *old, 228 struct nf_hook_entries __rcu **pp) 229 { 230 unsigned int i, j, skip = 0, hook_entries; 231 struct nf_hook_entries *new = NULL; 232 struct nf_hook_ops **orig_ops; 233 struct nf_hook_ops **new_ops; 234 235 if (WARN_ON_ONCE(!old)) 236 return NULL; 237 238 orig_ops = nf_hook_entries_get_hook_ops(old); 239 for (i = 0; i < old->num_hook_entries; i++) { 240 if (orig_ops[i] == &dummy_ops) 241 skip++; 242 } 243 244 /* if skip == hook_entries all hooks have been removed */ 245 hook_entries = old->num_hook_entries; 246 if (skip == hook_entries) 247 goto out_assign; 248 249 if (skip == 0) 250 return NULL; 251 252 hook_entries -= skip; 253 new = allocate_hook_entries_size(hook_entries); 254 if (!new) 255 return NULL; 256 257 new_ops = nf_hook_entries_get_hook_ops(new); 258 for (i = 0, j = 0; i < old->num_hook_entries; i++) { 259 if (orig_ops[i] == &dummy_ops) 260 continue; 261 new->hooks[j] = old->hooks[i]; 262 new_ops[j] = (void *)orig_ops[i]; 263 j++; 264 } 265 hooks_validate(new); 266 out_assign: 267 rcu_assign_pointer(*pp, new); 268 return old; 269 } 270 271 static struct nf_hook_entries __rcu ** 272 nf_hook_entry_head(struct net *net, int pf, unsigned int hooknum, 273 struct net_device *dev) 274 { 275 switch (pf) { 276 case NFPROTO_NETDEV: 277 break; 278 #ifdef CONFIG_NETFILTER_FAMILY_ARP 279 case NFPROTO_ARP: 280 if (WARN_ON_ONCE(ARRAY_SIZE(net->nf.hooks_arp) <= hooknum)) 281 return NULL; 282 return net->nf.hooks_arp + hooknum; 283 #endif 284 #ifdef CONFIG_NETFILTER_FAMILY_BRIDGE 285 case NFPROTO_BRIDGE: 286 if (WARN_ON_ONCE(ARRAY_SIZE(net->nf.hooks_bridge) <= hooknum)) 287 return NULL; 288 return net->nf.hooks_bridge + hooknum; 289 #endif 290 #ifdef CONFIG_NETFILTER_INGRESS 291 case NFPROTO_INET: 292 if (WARN_ON_ONCE(hooknum != NF_INET_INGRESS)) 293 return NULL; 294 if (!dev || dev_net(dev) != net) { 295 WARN_ON_ONCE(1); 296 return NULL; 297 } 298 return &dev->nf_hooks_ingress; 299 #endif 300 case NFPROTO_IPV4: 301 if (WARN_ON_ONCE(ARRAY_SIZE(net->nf.hooks_ipv4) <= hooknum)) 302 return NULL; 303 return net->nf.hooks_ipv4 + hooknum; 304 case NFPROTO_IPV6: 305 if (WARN_ON_ONCE(ARRAY_SIZE(net->nf.hooks_ipv6) <= hooknum)) 306 return NULL; 307 return net->nf.hooks_ipv6 + hooknum; 308 default: 309 WARN_ON_ONCE(1); 310 return NULL; 311 } 312 313 #ifdef CONFIG_NETFILTER_INGRESS 314 if (hooknum == NF_NETDEV_INGRESS) { 315 if (dev && dev_net(dev) == net) 316 return &dev->nf_hooks_ingress; 317 } 318 #endif 319 #ifdef CONFIG_NETFILTER_EGRESS 320 if (hooknum == NF_NETDEV_EGRESS) { 321 if (dev && dev_net(dev) == net) 322 return &dev->nf_hooks_egress; 323 } 324 #endif 325 WARN_ON_ONCE(1); 326 return NULL; 327 } 328 329 static int nf_ingress_check(struct net *net, const struct nf_hook_ops *reg, 330 int hooknum) 331 { 332 #ifndef CONFIG_NETFILTER_INGRESS 333 if (reg->hooknum == hooknum) 334 return -EOPNOTSUPP; 335 #endif 336 if (reg->hooknum != hooknum || 337 !reg->dev || dev_net(reg->dev) != net) 338 return -EINVAL; 339 340 return 0; 341 } 342 343 static inline bool __maybe_unused nf_ingress_hook(const struct nf_hook_ops *reg, 344 int pf) 345 { 346 if ((pf == NFPROTO_NETDEV && reg->hooknum == NF_NETDEV_INGRESS) || 347 (pf == NFPROTO_INET && reg->hooknum == NF_INET_INGRESS)) 348 return true; 349 350 return false; 351 } 352 353 static inline bool __maybe_unused nf_egress_hook(const struct nf_hook_ops *reg, 354 int pf) 355 { 356 return pf == NFPROTO_NETDEV && reg->hooknum == NF_NETDEV_EGRESS; 357 } 358 359 static void nf_static_key_inc(const struct nf_hook_ops *reg, int pf) 360 { 361 #ifdef CONFIG_JUMP_LABEL 362 int hooknum; 363 364 if (pf == NFPROTO_INET && reg->hooknum == NF_INET_INGRESS) { 365 pf = NFPROTO_NETDEV; 366 hooknum = NF_NETDEV_INGRESS; 367 } else { 368 hooknum = reg->hooknum; 369 } 370 static_key_slow_inc(&nf_hooks_needed[pf][hooknum]); 371 #endif 372 } 373 374 static void nf_static_key_dec(const struct nf_hook_ops *reg, int pf) 375 { 376 #ifdef CONFIG_JUMP_LABEL 377 int hooknum; 378 379 if (pf == NFPROTO_INET && reg->hooknum == NF_INET_INGRESS) { 380 pf = NFPROTO_NETDEV; 381 hooknum = NF_NETDEV_INGRESS; 382 } else { 383 hooknum = reg->hooknum; 384 } 385 static_key_slow_dec(&nf_hooks_needed[pf][hooknum]); 386 #endif 387 } 388 389 static int __nf_register_net_hook(struct net *net, int pf, 390 const struct nf_hook_ops *reg) 391 { 392 struct nf_hook_entries *p, *new_hooks; 393 struct nf_hook_entries __rcu **pp; 394 int err; 395 396 switch (pf) { 397 case NFPROTO_NETDEV: 398 #ifndef CONFIG_NETFILTER_INGRESS 399 if (reg->hooknum == NF_NETDEV_INGRESS) 400 return -EOPNOTSUPP; 401 #endif 402 #ifndef CONFIG_NETFILTER_EGRESS 403 if (reg->hooknum == NF_NETDEV_EGRESS) 404 return -EOPNOTSUPP; 405 #endif 406 if ((reg->hooknum != NF_NETDEV_INGRESS && 407 reg->hooknum != NF_NETDEV_EGRESS) || 408 !reg->dev || dev_net(reg->dev) != net) 409 return -EINVAL; 410 break; 411 case NFPROTO_INET: 412 if (reg->hooknum != NF_INET_INGRESS) 413 break; 414 415 err = nf_ingress_check(net, reg, NF_INET_INGRESS); 416 if (err < 0) 417 return err; 418 break; 419 } 420 421 pp = nf_hook_entry_head(net, pf, reg->hooknum, reg->dev); 422 if (!pp) 423 return -EINVAL; 424 425 mutex_lock(&nf_hook_mutex); 426 427 p = nf_entry_dereference(*pp); 428 new_hooks = nf_hook_entries_grow(p, reg); 429 430 if (!IS_ERR(new_hooks)) { 431 hooks_validate(new_hooks); 432 rcu_assign_pointer(*pp, new_hooks); 433 } 434 435 mutex_unlock(&nf_hook_mutex); 436 if (IS_ERR(new_hooks)) 437 return PTR_ERR(new_hooks); 438 439 #ifdef CONFIG_NETFILTER_INGRESS 440 if (nf_ingress_hook(reg, pf)) 441 net_inc_ingress_queue(); 442 #endif 443 #ifdef CONFIG_NETFILTER_EGRESS 444 if (nf_egress_hook(reg, pf)) 445 net_inc_egress_queue(); 446 #endif 447 nf_static_key_inc(reg, pf); 448 449 BUG_ON(p == new_hooks); 450 nf_hook_entries_free(p); 451 return 0; 452 } 453 454 /* 455 * nf_remove_net_hook - remove a hook from blob 456 * 457 * @oldp: current address of hook blob 458 * @unreg: hook to unregister 459 * 460 * This cannot fail, hook unregistration must always succeed. 461 * Therefore replace the to-be-removed hook with a dummy hook. 462 */ 463 static bool nf_remove_net_hook(struct nf_hook_entries *old, 464 const struct nf_hook_ops *unreg) 465 { 466 struct nf_hook_ops **orig_ops; 467 unsigned int i; 468 469 orig_ops = nf_hook_entries_get_hook_ops(old); 470 for (i = 0; i < old->num_hook_entries; i++) { 471 if (orig_ops[i] != unreg) 472 continue; 473 WRITE_ONCE(old->hooks[i].hook, accept_all); 474 WRITE_ONCE(orig_ops[i], (void *)&dummy_ops); 475 return true; 476 } 477 478 return false; 479 } 480 481 static void __nf_unregister_net_hook(struct net *net, int pf, 482 const struct nf_hook_ops *reg) 483 { 484 struct nf_hook_entries __rcu **pp; 485 struct nf_hook_entries *p; 486 487 pp = nf_hook_entry_head(net, pf, reg->hooknum, reg->dev); 488 if (!pp) 489 return; 490 491 mutex_lock(&nf_hook_mutex); 492 493 p = nf_entry_dereference(*pp); 494 if (WARN_ON_ONCE(!p)) { 495 mutex_unlock(&nf_hook_mutex); 496 return; 497 } 498 499 if (nf_remove_net_hook(p, reg)) { 500 #ifdef CONFIG_NETFILTER_INGRESS 501 if (nf_ingress_hook(reg, pf)) 502 net_dec_ingress_queue(); 503 #endif 504 #ifdef CONFIG_NETFILTER_EGRESS 505 if (nf_egress_hook(reg, pf)) 506 net_dec_egress_queue(); 507 #endif 508 nf_static_key_dec(reg, pf); 509 } else { 510 WARN_ONCE(1, "hook not found, pf %d num %d", pf, reg->hooknum); 511 } 512 513 p = __nf_hook_entries_try_shrink(p, pp); 514 mutex_unlock(&nf_hook_mutex); 515 if (!p) 516 return; 517 518 nf_queue_nf_hook_drop(net); 519 nf_hook_entries_free(p); 520 } 521 522 void nf_unregister_net_hook(struct net *net, const struct nf_hook_ops *reg) 523 { 524 if (reg->pf == NFPROTO_INET) { 525 if (reg->hooknum == NF_INET_INGRESS) { 526 __nf_unregister_net_hook(net, NFPROTO_INET, reg); 527 } else { 528 __nf_unregister_net_hook(net, NFPROTO_IPV4, reg); 529 __nf_unregister_net_hook(net, NFPROTO_IPV6, reg); 530 } 531 } else { 532 __nf_unregister_net_hook(net, reg->pf, reg); 533 } 534 } 535 EXPORT_SYMBOL(nf_unregister_net_hook); 536 537 void nf_hook_entries_delete_raw(struct nf_hook_entries __rcu **pp, 538 const struct nf_hook_ops *reg) 539 { 540 struct nf_hook_entries *p; 541 542 p = rcu_dereference_raw(*pp); 543 if (nf_remove_net_hook(p, reg)) { 544 p = __nf_hook_entries_try_shrink(p, pp); 545 nf_hook_entries_free(p); 546 } 547 } 548 EXPORT_SYMBOL_GPL(nf_hook_entries_delete_raw); 549 550 int nf_register_net_hook(struct net *net, const struct nf_hook_ops *reg) 551 { 552 int err; 553 554 if (reg->pf == NFPROTO_INET) { 555 if (reg->hooknum == NF_INET_INGRESS) { 556 err = __nf_register_net_hook(net, NFPROTO_INET, reg); 557 if (err < 0) 558 return err; 559 } else { 560 err = __nf_register_net_hook(net, NFPROTO_IPV4, reg); 561 if (err < 0) 562 return err; 563 564 err = __nf_register_net_hook(net, NFPROTO_IPV6, reg); 565 if (err < 0) { 566 __nf_unregister_net_hook(net, NFPROTO_IPV4, reg); 567 return err; 568 } 569 } 570 } else { 571 err = __nf_register_net_hook(net, reg->pf, reg); 572 if (err < 0) 573 return err; 574 } 575 576 return 0; 577 } 578 EXPORT_SYMBOL(nf_register_net_hook); 579 580 int nf_register_net_hooks(struct net *net, const struct nf_hook_ops *reg, 581 unsigned int n) 582 { 583 unsigned int i; 584 int err = 0; 585 586 for (i = 0; i < n; i++) { 587 err = nf_register_net_hook(net, ®[i]); 588 if (err) 589 goto err; 590 } 591 return err; 592 593 err: 594 if (i > 0) 595 nf_unregister_net_hooks(net, reg, i); 596 return err; 597 } 598 EXPORT_SYMBOL(nf_register_net_hooks); 599 600 void nf_unregister_net_hooks(struct net *net, const struct nf_hook_ops *reg, 601 unsigned int hookcount) 602 { 603 unsigned int i; 604 605 for (i = 0; i < hookcount; i++) 606 nf_unregister_net_hook(net, ®[i]); 607 } 608 EXPORT_SYMBOL(nf_unregister_net_hooks); 609 610 /* Returns 1 if okfn() needs to be executed by the caller, 611 * -EPERM for NF_DROP, 0 otherwise. Caller must hold rcu_read_lock. */ 612 int nf_hook_slow(struct sk_buff *skb, struct nf_hook_state *state, 613 const struct nf_hook_entries *e, unsigned int s) 614 { 615 unsigned int verdict; 616 int ret; 617 618 for (; s < e->num_hook_entries; s++) { 619 verdict = nf_hook_entry_hookfn(&e->hooks[s], skb, state); 620 switch (verdict & NF_VERDICT_MASK) { 621 case NF_ACCEPT: 622 break; 623 case NF_DROP: 624 kfree_skb_reason(skb, 625 SKB_DROP_REASON_NETFILTER_DROP); 626 ret = NF_DROP_GETERR(verdict); 627 if (ret == 0) 628 ret = -EPERM; 629 return ret; 630 case NF_QUEUE: 631 ret = nf_queue(skb, state, s, verdict); 632 if (ret == 1) 633 continue; 634 return ret; 635 case NF_STOLEN: 636 return NF_DROP_GETERR(verdict); 637 default: 638 WARN_ON_ONCE(1); 639 return 0; 640 } 641 } 642 643 return 1; 644 } 645 EXPORT_SYMBOL(nf_hook_slow); 646 647 void nf_hook_slow_list(struct list_head *head, struct nf_hook_state *state, 648 const struct nf_hook_entries *e) 649 { 650 struct sk_buff *skb, *next; 651 LIST_HEAD(sublist); 652 int ret; 653 654 list_for_each_entry_safe(skb, next, head, list) { 655 skb_list_del_init(skb); 656 ret = nf_hook_slow(skb, state, e, 0); 657 if (ret == 1) 658 list_add_tail(&skb->list, &sublist); 659 } 660 /* Put passed packets back on main list */ 661 list_splice(&sublist, head); 662 } 663 EXPORT_SYMBOL(nf_hook_slow_list); 664 665 /* This needs to be compiled in any case to avoid dependencies between the 666 * nfnetlink_queue code and nf_conntrack. 667 */ 668 const struct nfnl_ct_hook __rcu *nfnl_ct_hook __read_mostly; 669 EXPORT_SYMBOL_GPL(nfnl_ct_hook); 670 671 const struct nf_ct_hook __rcu *nf_ct_hook __read_mostly; 672 EXPORT_SYMBOL_GPL(nf_ct_hook); 673 674 const struct nf_defrag_hook __rcu *nf_defrag_v4_hook __read_mostly; 675 EXPORT_SYMBOL_GPL(nf_defrag_v4_hook); 676 677 const struct nf_defrag_hook __rcu *nf_defrag_v6_hook __read_mostly; 678 EXPORT_SYMBOL_GPL(nf_defrag_v6_hook); 679 680 #if IS_ENABLED(CONFIG_NF_CONNTRACK) 681 u8 nf_ctnetlink_has_listener; 682 EXPORT_SYMBOL_GPL(nf_ctnetlink_has_listener); 683 684 const struct nf_nat_hook __rcu *nf_nat_hook __read_mostly; 685 EXPORT_SYMBOL_GPL(nf_nat_hook); 686 687 /* This does not belong here, but locally generated errors need it if connection 688 * tracking in use: without this, connection may not be in hash table, and hence 689 * manufactured ICMP or RST packets will not be associated with it. 690 */ 691 void nf_ct_attach(struct sk_buff *new, const struct sk_buff *skb) 692 { 693 const struct nf_ct_hook *ct_hook; 694 695 if (skb->_nfct) { 696 rcu_read_lock(); 697 ct_hook = rcu_dereference(nf_ct_hook); 698 if (ct_hook) 699 ct_hook->attach(new, skb); 700 rcu_read_unlock(); 701 } 702 } 703 EXPORT_SYMBOL(nf_ct_attach); 704 705 void nf_conntrack_destroy(struct nf_conntrack *nfct) 706 { 707 const struct nf_ct_hook *ct_hook; 708 709 rcu_read_lock(); 710 ct_hook = rcu_dereference(nf_ct_hook); 711 if (ct_hook) 712 ct_hook->destroy(nfct); 713 rcu_read_unlock(); 714 715 WARN_ON(!ct_hook); 716 } 717 EXPORT_SYMBOL(nf_conntrack_destroy); 718 719 void nf_ct_set_closing(struct nf_conntrack *nfct) 720 { 721 const struct nf_ct_hook *ct_hook; 722 723 if (!nfct) 724 return; 725 726 rcu_read_lock(); 727 ct_hook = rcu_dereference(nf_ct_hook); 728 if (ct_hook) 729 ct_hook->set_closing(nfct); 730 731 rcu_read_unlock(); 732 } 733 EXPORT_SYMBOL_GPL(nf_ct_set_closing); 734 735 bool nf_ct_get_tuple_skb(struct nf_conntrack_tuple *dst_tuple, 736 const struct sk_buff *skb) 737 { 738 const struct nf_ct_hook *ct_hook; 739 bool ret = false; 740 741 rcu_read_lock(); 742 ct_hook = rcu_dereference(nf_ct_hook); 743 if (ct_hook) 744 ret = ct_hook->get_tuple_skb(dst_tuple, skb); 745 rcu_read_unlock(); 746 return ret; 747 } 748 EXPORT_SYMBOL(nf_ct_get_tuple_skb); 749 750 /* Built-in default zone used e.g. by modules. */ 751 const struct nf_conntrack_zone nf_ct_zone_dflt = { 752 .id = NF_CT_DEFAULT_ZONE_ID, 753 .dir = NF_CT_DEFAULT_ZONE_DIR, 754 }; 755 EXPORT_SYMBOL_GPL(nf_ct_zone_dflt); 756 #endif /* CONFIG_NF_CONNTRACK */ 757 758 static void __net_init 759 __netfilter_net_init(struct nf_hook_entries __rcu **e, int max) 760 { 761 int h; 762 763 for (h = 0; h < max; h++) 764 RCU_INIT_POINTER(e[h], NULL); 765 } 766 767 static int __net_init netfilter_net_init(struct net *net) 768 { 769 __netfilter_net_init(net->nf.hooks_ipv4, ARRAY_SIZE(net->nf.hooks_ipv4)); 770 __netfilter_net_init(net->nf.hooks_ipv6, ARRAY_SIZE(net->nf.hooks_ipv6)); 771 #ifdef CONFIG_NETFILTER_FAMILY_ARP 772 __netfilter_net_init(net->nf.hooks_arp, ARRAY_SIZE(net->nf.hooks_arp)); 773 #endif 774 #ifdef CONFIG_NETFILTER_FAMILY_BRIDGE 775 __netfilter_net_init(net->nf.hooks_bridge, ARRAY_SIZE(net->nf.hooks_bridge)); 776 #endif 777 #ifdef CONFIG_PROC_FS 778 net->nf.proc_netfilter = proc_net_mkdir(net, "netfilter", 779 net->proc_net); 780 if (!net->nf.proc_netfilter) { 781 if (!net_eq(net, &init_net)) 782 pr_err("cannot create netfilter proc entry"); 783 784 return -ENOMEM; 785 } 786 #endif 787 788 return 0; 789 } 790 791 static void __net_exit netfilter_net_exit(struct net *net) 792 { 793 remove_proc_entry("netfilter", net->proc_net); 794 } 795 796 static struct pernet_operations netfilter_net_ops = { 797 .init = netfilter_net_init, 798 .exit = netfilter_net_exit, 799 }; 800 801 int __init netfilter_init(void) 802 { 803 int ret; 804 805 ret = register_pernet_subsys(&netfilter_net_ops); 806 if (ret < 0) 807 goto err; 808 809 #ifdef CONFIG_LWTUNNEL 810 ret = netfilter_lwtunnel_init(); 811 if (ret < 0) 812 goto err_lwtunnel_pernet; 813 #endif 814 ret = netfilter_log_init(); 815 if (ret < 0) 816 goto err_log_pernet; 817 818 return 0; 819 err_log_pernet: 820 #ifdef CONFIG_LWTUNNEL 821 netfilter_lwtunnel_fini(); 822 err_lwtunnel_pernet: 823 #endif 824 unregister_pernet_subsys(&netfilter_net_ops); 825 err: 826 return ret; 827 } 828