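/*
 * Rusty Russell (C)2000 -- This code is GPL.
 * Patrick McHardy (c) 2006-2012
 */

#include <linux/kernel.h>
#include <linux/slab.h>
#include <linux/init.h>
#include <linux/module.h>
#include <linux/proc_fs.h>
#include <linux/skbuff.h>
#include <linux/netfilter.h>
#include <linux/seq_file.h>
#include <linux/rcupdate.h>
#include <net/protocol.h>
#include <net/netfilter/nf_queue.h>
#include <net/dst.h>

#include "nf_internals.h"

/*
 * Hook for nfnetlink_queue to register its queue handler.
 * We do this so that most of the NFQUEUE code can be modular.
 *
 * Once the queue is registered it must reinject all packets it
 * receives, no matter what.
 */
static const struct nf_queue_handler __rcu *queue_handler __read_mostly;

/*
 * Install @qh as the queue handler.
 *
 * This function returns nothing. If a handler is already installed it
 * only emits a WARN_ON() and then overwrites the old pointer; it does not
 * refuse the registration.
 */
void nf_register_queue_handler(const struct nf_queue_handler *qh)
{
	/* should never happen, we only have one queueing backend in kernel */
	WARN_ON(rcu_access_pointer(queue_handler));
	rcu_assign_pointer(queue_handler, qh);
}
EXPORT_SYMBOL(nf_register_queue_handler);

/*
 * Remove the queue handler.
 *
 * The caller must flush their queue before this. The pointer is cleared
 * first and synchronize_rcu() then waits for readers that may still hold
 * the old handler under rcu_read_lock() (see __nf_queue()).
 */
void nf_unregister_queue_handler(void)
{
	RCU_INIT_POINTER(queue_handler, NULL);
	synchronize_rcu();
}
EXPORT_SYMBOL(nf_unregister_queue_handler);

/*
 * Drop every reference __nf_queue() took on behalf of @entry: the
 * input/output devices, the bridge physical devices (when bridge
 * netfilter is built in) and the module owning the queueing hook.
 */
static void nf_queue_entry_release_refs(struct nf_queue_entry *entry)
{
	/* Release those devices we held, or Alexey will kill me. */
	if (entry->indev)
		dev_put(entry->indev);
	if (entry->outdev)
		dev_put(entry->outdev);
#ifdef CONFIG_BRIDGE_NETFILTER
	if (entry->skb->nf_bridge) {
		struct nf_bridge_info *nf_bridge = entry->skb->nf_bridge;

		if (nf_bridge->physindev)
			dev_put(nf_bridge->physindev);
		if (nf_bridge->physoutdev)
			dev_put(nf_bridge->physoutdev);
	}
#endif
	/* Drop reference to owner of hook which queued us. */
	module_put(entry->elem->owner);
}

/*
 * Hand one packet to the registered queue handler.
 *
 * Any packet that leaves via this function must come back
 * through nf_reinject().
 *
 * Returns 0 when the handler accepted the entry. On failure a negative
 * errno is returned, the entry is freed and the skb stays with the caller:
 *   -ESRCH      no queue handler is registered
 *   -ENOENT     no afinfo for @pf
 *   -ENOMEM     entry allocation failed
 *   -ECANCELED  the module owning @elem is going away
 *   other       whatever qh->outfn() returned
 *
 * Callers in this file treat these as "drop", except that nf_reinject()
 * moves on to the next hook for -ECANCELED, and for -ESRCH only when the
 * verdict carries NF_VERDICT_FLAG_QUEUE_BYPASS.
 */
static int __nf_queue(struct sk_buff *skb,
		      struct nf_hook_ops *elem,
		      u_int8_t pf, unsigned int hook,
		      struct net_device *indev,
		      struct net_device *outdev,
		      int (*okfn)(struct sk_buff *),
		      unsigned int queuenum)
{
	int status = -ENOENT;
	struct nf_queue_entry *entry = NULL;
#ifdef CONFIG_BRIDGE_NETFILTER
	struct net_device *physindev;
	struct net_device *physoutdev;
#endif
	const struct nf_afinfo *afinfo;
	const struct nf_queue_handler *qh;

	/* QUEUE == DROP if no one is waiting, to be safe. */
	rcu_read_lock();

	qh = rcu_dereference(queue_handler);
	if (!qh) {
		status = -ESRCH;
		goto err_unlock;
	}

	afinfo = nf_get_afinfo(pf);
	if (!afinfo)
		goto err_unlock;

	/*
	 * GFP_ATOMIC: we are inside an RCU read-side section. The extra
	 * route_key_size bytes follow the entry; presumably they are
	 * filled in by afinfo->saveroute() below -- TODO confirm.
	 */
	entry = kmalloc(sizeof(*entry) + afinfo->route_key_size, GFP_ATOMIC);
	if (!entry) {
		status = -ENOMEM;
		goto err_unlock;
	}

	/* Members not named here are zeroed by the struct assignment. */
	*entry = (struct nf_queue_entry) {
		.skb	= skb,
		.elem	= elem,
		.pf	= pf,
		.hook	= hook,
		.indev	= indev,
		.outdev	= outdev,
		.okfn	= okfn,
	};

	/* If it's going away, ignore hook. */
	if (!try_module_get(entry->elem->owner)) {
		status = -ECANCELED;
		goto err_unlock;
	}
	/* Bump dev refs so they don't vanish while packet is out */
	if (indev)
		dev_hold(indev);
	if (outdev)
		dev_hold(outdev);
#ifdef CONFIG_BRIDGE_NETFILTER
	if (skb->nf_bridge) {
		physindev = skb->nf_bridge->physindev;
		if (physindev)
			dev_hold(physindev);
		physoutdev = skb->nf_bridge->physoutdev;
		if (physoutdev)
			dev_hold(physoutdev);
	}
#endif
	skb_dst_force(skb);
	afinfo->saveroute(skb, entry);
	status = qh->outfn(entry, queuenum);

	rcu_read_unlock();

	if (status < 0) {
		/* Handler refused the entry: undo every hold taken above. */
		nf_queue_entry_release_refs(entry);
		goto err;
	}

	return 0;

err_unlock:
	rcu_read_unlock();
err:
	/* kfree(NULL) is a no-op, so this is safe before the allocation. */
	kfree(entry);
	return status;
}

#ifdef CONFIG_BRIDGE_NETFILTER
/* When called from bridge netfilter, skb->data must point to MAC header
 * before calling skb_gso_segment(). Else, original MAC header is lost
 * and segmented skbs will be sent to wrong destination.
 */
static void nf_bridge_adjust_skb_data(struct sk_buff *skb)
{
	if (skb->nf_bridge)
		__skb_push(skb, skb->network_header - skb->mac_header);
}

/* Inverse of nf_bridge_adjust_skb_data(): pull the same number of bytes
 * back off so skb->data is past the MAC header again.
 */
static void nf_bridge_adjust_segmented_data(struct sk_buff *skb)
{
	if (skb->nf_bridge)
		__skb_pull(skb, skb->network_header - skb->mac_header);
}
#else
#define nf_bridge_adjust_skb_data(s) do {} while (0)
#define nf_bridge_adjust_segmented_data(s) do {} while (0)
#endif

/*
 * Queue @skb to the registered handler, segmenting GSO packets first.
 *
 * A non-GSO skb goes straight to __nf_queue(). A GSO skb is split with
 * skb_gso_segment() and every segment is queued on its own; once one
 * segment fails, the remaining segments are freed without being queued.
 *
 * Returns 0 if the skb, or at least one of its segments, was queued (the
 * original GSO skb is then freed here). Otherwise a negative errno is
 * returned and the caller still owns @skb. Note that a partial failure is
 * therefore reported as success.
 */
int nf_queue(struct sk_buff *skb,
	     struct nf_hook_ops *elem,
	     u_int8_t pf, unsigned int hook,
	     struct net_device *indev,
	     struct net_device *outdev,
	     int (*okfn)(struct sk_buff *),
	     unsigned int queuenum)
{
	struct sk_buff *segs;
	int err = -EINVAL;
	unsigned int queued;

	if (!skb_is_gso(skb))
		return __nf_queue(skb, elem, pf, hook, indev, outdev, okfn,
				  queuenum);

	switch (pf) {
	case NFPROTO_IPV4:
		skb->protocol = htons(ETH_P_IP);
		break;
	case NFPROTO_IPV6:
		skb->protocol = htons(ETH_P_IPV6);
		break;
	}

	nf_bridge_adjust_skb_data(skb);
	segs = skb_gso_segment(skb, 0);
	/* Does not use PTR_ERR to limit the number of error codes that can be
	 * returned by nf_queue.  For instance, callers rely on -ECANCELED to mean
	 * 'ignore this hook'.
	 *
	 * A NULL result is rejected as well: the loop below dereferences
	 * segs unconditionally, so a NULL return would oops instead of
	 * failing with -EINVAL.
	 */
	if (IS_ERR_OR_NULL(segs))
		goto out_err;
	queued = 0;
	err = 0;
	do {
		struct sk_buff *nskb = segs->next;

		/* Detach the segment from the list before handing it off. */
		segs->next = NULL;
		if (err == 0) {
			nf_bridge_adjust_segmented_data(segs);
			err = __nf_queue(segs, elem, pf, hook, indev,
					 outdev, okfn, queuenum);
		}
		if (err == 0)
			queued++;
		else
			kfree_skb(segs);
		segs = nskb;
	} while (segs);

	if (queued) {
		kfree_skb(skb);
		return 0;
	}
out_err:
	/* Undo nf_bridge_adjust_skb_data() before giving @skb back. */
	nf_bridge_adjust_segmented_data(skb);
	return err;
}

/*
 * Re-enter the hook chain with the verdict issued for a queued packet.
 *
 * @entry:   the entry previously passed to the handler's outfn(); it is
 *           freed before returning.
 * @verdict: the verdict (see the "userspace said ok" comment below).
 *
 * Any verdict that is not handled explicitly in the switch below,
 * including values this code does not know, ends in the default case and
 * the packet is dropped.
 */
void nf_reinject(struct nf_queue_entry *entry, unsigned int verdict)
{
	struct sk_buff *skb = entry->skb;
	struct nf_hook_ops *elem = entry->elem;
	const struct nf_afinfo *afinfo;
	int err;

	rcu_read_lock();

	/*
	 * NOTE(review): the device and module references are dropped here,
	 * yet entry->indev/outdev and elem are still passed to nf_iterate()
	 * and __nf_queue() below. This appears to rely on the enclosing
	 * rcu_read_lock() section to keep them alive -- confirm.
	 */
	nf_queue_entry_release_refs(entry);

	/* Continue traversal iff userspace said ok... */
	if (verdict == NF_REPEAT) {
		/* Step back one hook so nf_iterate() runs this one again. */
		elem = list_entry(elem->list.prev, struct nf_hook_ops, list);
		verdict = NF_ACCEPT;
	}

	if (verdict == NF_ACCEPT) {
		afinfo = nf_get_afinfo(entry->pf);
		/* No afinfo or a failed reroute turns the accept into a drop. */
		if (!afinfo || afinfo->reroute(skb, entry) < 0)
			verdict = NF_DROP;
	}

	if (verdict == NF_ACCEPT) {
next_hook:
		verdict = nf_iterate(&nf_hooks[entry->pf][entry->hook],
				     skb, entry->hook,
				     entry->indev, entry->outdev, &elem,
				     entry->okfn, INT_MIN);
	}

	switch (verdict & NF_VERDICT_MASK) {
	case NF_ACCEPT:
	case NF_STOP:
		local_bh_disable();
		entry->okfn(skb);
		local_bh_enable();
		break;
	case NF_QUEUE:
		err = __nf_queue(skb, elem, entry->pf, entry->hook,
				 entry->indev, entry->outdev, entry->okfn,
				 verdict >> NF_VERDICT_QBITS);
		if (err < 0) {
			/* Hook owner is going away: skip that hook. */
			if (err == -ECANCELED)
				goto next_hook;
			/*
			 * No handler registered: carry on only when the
			 * verdict explicitly asks for bypass, otherwise drop.
			 */
			if (err == -ESRCH &&
			    (verdict & NF_VERDICT_FLAG_QUEUE_BYPASS))
				goto next_hook;
			kfree_skb(skb);
		}
		break;
	case NF_STOLEN:
		break;
	default:
		kfree_skb(skb);
	}
	rcu_read_unlock();
	kfree(entry);
}
EXPORT_SYMBOL(nf_reinject);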