/* netfilter.c: look after the filters for various protocols. * Heavily influenced by the old firewall.c by David Bonn and Alan Cox. * * Thanks to Rob `CmdrTaco' Malda for not influencing this code in any * way. * * This code is GPL. */ #include <linux/kernel.h> #include <linux/netfilter.h> #include <net/protocol.h> #include <linux/init.h> #include <linux/skbuff.h> #include <linux/wait.h> #include <linux/module.h> #include <linux/interrupt.h> #include <linux/if.h> #include <linux/netdevice.h> #include <linux/netfilter_ipv6.h> #include <linux/inetdevice.h> #include <linux/proc_fs.h> #include <linux/mutex.h> #include <linux/mm.h> #include <linux/rcupdate.h> #include <net/net_namespace.h> #include <net/netfilter/nf_queue.h> #include <net/sock.h> #include "nf_internals.h" const struct nf_ipv6_ops __rcu *nf_ipv6_ops __read_mostly; EXPORT_SYMBOL_GPL(…); DEFINE_PER_CPU(bool, nf_skb_duplicated); EXPORT_SYMBOL_GPL(…); #ifdef CONFIG_JUMP_LABEL struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS]; EXPORT_SYMBOL(…); #endif static DEFINE_MUTEX(nf_hook_mutex); /* max hooks per family/hooknum */ #define MAX_HOOK_COUNT … #define nf_entry_dereference(e) … static struct nf_hook_entries *allocate_hook_entries_size(u16 num) { … } static void __nf_hook_entries_free(struct rcu_head *h) { … } static void nf_hook_entries_free(struct nf_hook_entries *e) { … } static unsigned int accept_all(void *priv, struct sk_buff *skb, const struct nf_hook_state *state) { … } static const struct nf_hook_ops dummy_ops = …; static struct nf_hook_entries * nf_hook_entries_grow(const struct nf_hook_entries *old, const struct nf_hook_ops *reg) { … } static void hooks_validate(const struct nf_hook_entries *hooks) { … } int nf_hook_entries_insert_raw(struct nf_hook_entries __rcu **pp, const struct nf_hook_ops *reg) { … } EXPORT_SYMBOL_GPL(…); /* * __nf_hook_entries_try_shrink - try to shrink hook array * * @old -- current hook blob at @pp * @pp -- location of hook blob * * Hook unregistration must always succeed, so to-be-removed hooks * are replaced by a dummy one that will just move to next hook. * * This counts the current dummy hooks, attempts to allocate new blob, * copies the live hooks, then replaces and discards old one. * * return values: * * Returns address to free, or NULL. */ static void *__nf_hook_entries_try_shrink(struct nf_hook_entries *old, struct nf_hook_entries __rcu **pp) { … } static struct nf_hook_entries __rcu ** nf_hook_entry_head(struct net *net, int pf, unsigned int hooknum, struct net_device *dev) { … } static int nf_ingress_check(struct net *net, const struct nf_hook_ops *reg, int hooknum) { … } static inline bool __maybe_unused nf_ingress_hook(const struct nf_hook_ops *reg, int pf) { … } static inline bool __maybe_unused nf_egress_hook(const struct nf_hook_ops *reg, int pf) { … } static void nf_static_key_inc(const struct nf_hook_ops *reg, int pf) { … } static void nf_static_key_dec(const struct nf_hook_ops *reg, int pf) { … } static int __nf_register_net_hook(struct net *net, int pf, const struct nf_hook_ops *reg) { … } /* * nf_remove_net_hook - remove a hook from blob * * @oldp: current address of hook blob * @unreg: hook to unregister * * This cannot fail, hook unregistration must always succeed. * Therefore replace the to-be-removed hook with a dummy hook. */ static bool nf_remove_net_hook(struct nf_hook_entries *old, const struct nf_hook_ops *unreg) { … } static void __nf_unregister_net_hook(struct net *net, int pf, const struct nf_hook_ops *reg) { … } void nf_unregister_net_hook(struct net *net, const struct nf_hook_ops *reg) { … } EXPORT_SYMBOL(…); void nf_hook_entries_delete_raw(struct nf_hook_entries __rcu **pp, const struct nf_hook_ops *reg) { … } EXPORT_SYMBOL_GPL(…); int nf_register_net_hook(struct net *net, const struct nf_hook_ops *reg) { … } EXPORT_SYMBOL(…); int nf_register_net_hooks(struct net *net, const struct nf_hook_ops *reg, unsigned int n) { … } EXPORT_SYMBOL(…); void nf_unregister_net_hooks(struct net *net, const struct nf_hook_ops *reg, unsigned int hookcount) { … } EXPORT_SYMBOL(…); /* Returns 1 if okfn() needs to be executed by the caller, * -EPERM for NF_DROP, 0 otherwise. Caller must hold rcu_read_lock. */ int nf_hook_slow(struct sk_buff *skb, struct nf_hook_state *state, const struct nf_hook_entries *e, unsigned int s) { … } EXPORT_SYMBOL(…); void nf_hook_slow_list(struct list_head *head, struct nf_hook_state *state, const struct nf_hook_entries *e) { … } EXPORT_SYMBOL(…); /* This needs to be compiled in any case to avoid dependencies between the * nfnetlink_queue code and nf_conntrack. */ const struct nfnl_ct_hook __rcu *nfnl_ct_hook __read_mostly; EXPORT_SYMBOL_GPL(…); const struct nf_ct_hook __rcu *nf_ct_hook __read_mostly; EXPORT_SYMBOL_GPL(…); const struct nf_defrag_hook __rcu *nf_defrag_v4_hook __read_mostly; EXPORT_SYMBOL_GPL(…); const struct nf_defrag_hook __rcu *nf_defrag_v6_hook __read_mostly; EXPORT_SYMBOL_GPL(…); #if IS_ENABLED(CONFIG_NF_CONNTRACK) u8 nf_ctnetlink_has_listener; EXPORT_SYMBOL_GPL(…); const struct nf_nat_hook __rcu *nf_nat_hook __read_mostly; EXPORT_SYMBOL_GPL(…); /* This does not belong here, but locally generated errors need it if connection * tracking in use: without this, connection may not be in hash table, and hence * manufactured ICMP or RST packets will not be associated with it. */ void nf_ct_attach(struct sk_buff *new, const struct sk_buff *skb) { … } EXPORT_SYMBOL(…); void nf_conntrack_destroy(struct nf_conntrack *nfct) { … } EXPORT_SYMBOL(…); void nf_ct_set_closing(struct nf_conntrack *nfct) { … } EXPORT_SYMBOL_GPL(…); bool nf_ct_get_tuple_skb(struct nf_conntrack_tuple *dst_tuple, const struct sk_buff *skb) { … } EXPORT_SYMBOL(…); /* Built-in default zone used e.g. by modules. */ const struct nf_conntrack_zone nf_ct_zone_dflt = …; EXPORT_SYMBOL_GPL(…); #endif /* CONFIG_NF_CONNTRACK */ static void __net_init __netfilter_net_init(struct nf_hook_entries __rcu **e, int max) { … } static int __net_init netfilter_net_init(struct net *net) { … } static void __net_exit netfilter_net_exit(struct net *net) { … } static struct pernet_operations netfilter_net_ops = …; int __init netfilter_init(void) { … }
Codebase Browser
linux