root/include/linux/netfilter/x_tables.h

/* [<][>][^][v][top][bottom][index][help] */

INCLUDED FROM

DEFINITIONS

This source file includes following definitions.
  1. xt_net
  2. xt_in
  3. xt_inname
  4. xt_out
  5. xt_outname
  6. xt_hooknum
  7. xt_family
  8. xt_write_recseq_begin
  9. xt_write_recseq_end
  10. ifname_compare_aligned
  11. xt_get_this_cpu_counter
  12. xt_get_per_cpu_counter
   1 /* SPDX-License-Identifier: GPL-2.0 */
   2 #ifndef _X_TABLES_H
   3 #define _X_TABLES_H
   4 
   5 
   6 #include <linux/netdevice.h>
   7 #include <linux/static_key.h>
   8 #include <linux/netfilter.h>
   9 #include <uapi/linux/netfilter/x_tables.h>
  10 
  11 /* Test a struct->invflags and a boolean for inequality */
  12 #define NF_INVF(ptr, flag, boolean)                                     \
  13         ((boolean) ^ !!((ptr)->invflags & (flag)))
  14 
  15 /**
  16  * struct xt_action_param - parameters for matches/targets
  17  *
  18  * @match:      the match extension
  19  * @target:     the target extension
  20  * @matchinfo:  per-match data
  21  * @targetinfo: per-target data
  22  * @state:      pointer to hook state this packet came from
  23  * @fragoff:    packet is a fragment, this is the data offset
  24  * @thoff:      position of transport header relative to skb->data
  25  *
  26  * Fields written to by extensions:
  27  *
  28  * @hotdrop:    drop packet if we had inspection problems
  29  */
  30 struct xt_action_param {
  31         union {
  32                 const struct xt_match *match;
  33                 const struct xt_target *target;
  34         };
  35         union {
  36                 const void *matchinfo, *targinfo;
  37         };
  38         const struct nf_hook_state *state;
  39         int fragoff;
  40         unsigned int thoff;
  41         bool hotdrop;
  42 };
  43 
  44 static inline struct net *xt_net(const struct xt_action_param *par)
  45 {
  46         return par->state->net;
  47 }
  48 
  49 static inline struct net_device *xt_in(const struct xt_action_param *par)
  50 {
  51         return par->state->in;
  52 }
  53 
  54 static inline const char *xt_inname(const struct xt_action_param *par)
  55 {
  56         return par->state->in->name;
  57 }
  58 
  59 static inline struct net_device *xt_out(const struct xt_action_param *par)
  60 {
  61         return par->state->out;
  62 }
  63 
  64 static inline const char *xt_outname(const struct xt_action_param *par)
  65 {
  66         return par->state->out->name;
  67 }
  68 
  69 static inline unsigned int xt_hooknum(const struct xt_action_param *par)
  70 {
  71         return par->state->hook;
  72 }
  73 
  74 static inline u_int8_t xt_family(const struct xt_action_param *par)
  75 {
  76         return par->state->pf;
  77 }
  78 
  79 /**
  80  * struct xt_mtchk_param - parameters for match extensions'
  81  * checkentry functions
  82  *
  83  * @net:        network namespace through which the check was invoked
  84  * @table:      table the rule is tried to be inserted into
  85  * @entryinfo:  the family-specific rule data
  86  *              (struct ipt_ip, ip6t_ip, arpt_arp or (note) ebt_entry)
  87  * @match:      struct xt_match through which this function was invoked
  88  * @matchinfo:  per-match data
  89  * @hook_mask:  via which hooks the new rule is reachable
  90  * Other fields as above.
  91  */
  92 struct xt_mtchk_param {
  93         struct net *net;
  94         const char *table;
  95         const void *entryinfo;
  96         const struct xt_match *match;
  97         void *matchinfo;
  98         unsigned int hook_mask;
  99         u_int8_t family;
 100         bool nft_compat;
 101 };
 102 
 103 /**
 104  * struct xt_mdtor_param - match destructor parameters
 105  * Fields as above.
 106  */
 107 struct xt_mtdtor_param {
 108         struct net *net;
 109         const struct xt_match *match;
 110         void *matchinfo;
 111         u_int8_t family;
 112 };
 113 
 114 /**
 115  * struct xt_tgchk_param - parameters for target extensions'
 116  * checkentry functions
 117  *
 118  * @entryinfo:  the family-specific rule data
 119  *              (struct ipt_entry, ip6t_entry, arpt_entry, ebt_entry)
 120  *
 121  * Other fields see above.
 122  */
 123 struct xt_tgchk_param {
 124         struct net *net;
 125         const char *table;
 126         const void *entryinfo;
 127         const struct xt_target *target;
 128         void *targinfo;
 129         unsigned int hook_mask;
 130         u_int8_t family;
 131         bool nft_compat;
 132 };
 133 
 134 /* Target destructor parameters */
 135 struct xt_tgdtor_param {
 136         struct net *net;
 137         const struct xt_target *target;
 138         void *targinfo;
 139         u_int8_t family;
 140 };
 141 
 142 struct xt_match {
 143         struct list_head list;
 144 
 145         const char name[XT_EXTENSION_MAXNAMELEN];
 146         u_int8_t revision;
 147 
 148         /* Return true or false: return FALSE and set *hotdrop = 1 to
 149            force immediate packet drop. */
 150         /* Arguments changed since 2.6.9, as this must now handle
 151            non-linear skb, using skb_header_pointer and
 152            skb_ip_make_writable. */
 153         bool (*match)(const struct sk_buff *skb,
 154                       struct xt_action_param *);
 155 
 156         /* Called when user tries to insert an entry of this type. */
 157         int (*checkentry)(const struct xt_mtchk_param *);
 158 
 159         /* Called when entry of this type deleted. */
 160         void (*destroy)(const struct xt_mtdtor_param *);
 161 #ifdef CONFIG_COMPAT
 162         /* Called when userspace align differs from kernel space one */
 163         void (*compat_from_user)(void *dst, const void *src);
 164         int (*compat_to_user)(void __user *dst, const void *src);
 165 #endif
 166         /* Set this to THIS_MODULE if you are a module, otherwise NULL */
 167         struct module *me;
 168 
 169         const char *table;
 170         unsigned int matchsize;
 171         unsigned int usersize;
 172 #ifdef CONFIG_COMPAT
 173         unsigned int compatsize;
 174 #endif
 175         unsigned int hooks;
 176         unsigned short proto;
 177 
 178         unsigned short family;
 179 };
 180 
 181 /* Registration hooks for targets. */
 182 struct xt_target {
 183         struct list_head list;
 184 
 185         const char name[XT_EXTENSION_MAXNAMELEN];
 186         u_int8_t revision;
 187 
 188         /* Returns verdict. Argument order changed since 2.6.9, as this
 189            must now handle non-linear skbs, using skb_copy_bits and
 190            skb_ip_make_writable. */
 191         unsigned int (*target)(struct sk_buff *skb,
 192                                const struct xt_action_param *);
 193 
 194         /* Called when user tries to insert an entry of this type:
 195            hook_mask is a bitmask of hooks from which it can be
 196            called. */
 197         /* Should return 0 on success or an error code otherwise (-Exxxx). */
 198         int (*checkentry)(const struct xt_tgchk_param *);
 199 
 200         /* Called when entry of this type deleted. */
 201         void (*destroy)(const struct xt_tgdtor_param *);
 202 #ifdef CONFIG_COMPAT
 203         /* Called when userspace align differs from kernel space one */
 204         void (*compat_from_user)(void *dst, const void *src);
 205         int (*compat_to_user)(void __user *dst, const void *src);
 206 #endif
 207         /* Set this to THIS_MODULE if you are a module, otherwise NULL */
 208         struct module *me;
 209 
 210         const char *table;
 211         unsigned int targetsize;
 212         unsigned int usersize;
 213 #ifdef CONFIG_COMPAT
 214         unsigned int compatsize;
 215 #endif
 216         unsigned int hooks;
 217         unsigned short proto;
 218 
 219         unsigned short family;
 220 };
 221 
 222 /* Furniture shopping... */
 223 struct xt_table {
 224         struct list_head list;
 225 
 226         /* What hooks you will enter on */
 227         unsigned int valid_hooks;
 228 
 229         /* Man behind the curtain... */
 230         struct xt_table_info *private;
 231 
 232         /* Set this to THIS_MODULE if you are a module, otherwise NULL */
 233         struct module *me;
 234 
 235         u_int8_t af;            /* address/protocol family */
 236         int priority;           /* hook order */
 237 
 238         /* called when table is needed in the given netns */
 239         int (*table_init)(struct net *net);
 240 
 241         /* A unique name... */
 242         const char name[XT_TABLE_MAXNAMELEN];
 243 };
 244 
 245 #include <linux/netfilter_ipv4.h>
 246 
 247 /* The table itself */
 248 struct xt_table_info {
 249         /* Size per table */
 250         unsigned int size;
 251         /* Number of entries: FIXME. --RR */
 252         unsigned int number;
 253         /* Initial number of entries. Needed for module usage count */
 254         unsigned int initial_entries;
 255 
 256         /* Entry points and underflows */
 257         unsigned int hook_entry[NF_INET_NUMHOOKS];
 258         unsigned int underflow[NF_INET_NUMHOOKS];
 259 
 260         /*
 261          * Number of user chains. Since tables cannot have loops, at most
 262          * @stacksize jumps (number of user chains) can possibly be made.
 263          */
 264         unsigned int stacksize;
 265         void ***jumpstack;
 266 
 267         unsigned char entries[0] __aligned(8);
 268 };
 269 
 270 int xt_register_target(struct xt_target *target);
 271 void xt_unregister_target(struct xt_target *target);
 272 int xt_register_targets(struct xt_target *target, unsigned int n);
 273 void xt_unregister_targets(struct xt_target *target, unsigned int n);
 274 
 275 int xt_register_match(struct xt_match *target);
 276 void xt_unregister_match(struct xt_match *target);
 277 int xt_register_matches(struct xt_match *match, unsigned int n);
 278 void xt_unregister_matches(struct xt_match *match, unsigned int n);
 279 
 280 int xt_check_entry_offsets(const void *base, const char *elems,
 281                            unsigned int target_offset,
 282                            unsigned int next_offset);
 283 
 284 int xt_check_table_hooks(const struct xt_table_info *info, unsigned int valid_hooks);
 285 
 286 unsigned int *xt_alloc_entry_offsets(unsigned int size);
 287 bool xt_find_jump_offset(const unsigned int *offsets,
 288                          unsigned int target, unsigned int size);
 289 
 290 int xt_check_proc_name(const char *name, unsigned int size);
 291 
 292 int xt_check_match(struct xt_mtchk_param *, unsigned int size, u16 proto,
 293                    bool inv_proto);
 294 int xt_check_target(struct xt_tgchk_param *, unsigned int size, u16 proto,
 295                     bool inv_proto);
 296 
 297 int xt_match_to_user(const struct xt_entry_match *m,
 298                      struct xt_entry_match __user *u);
 299 int xt_target_to_user(const struct xt_entry_target *t,
 300                       struct xt_entry_target __user *u);
 301 int xt_data_to_user(void __user *dst, const void *src,
 302                     int usersize, int size, int aligned_size);
 303 
 304 void *xt_copy_counters_from_user(const void __user *user, unsigned int len,
 305                                  struct xt_counters_info *info, bool compat);
 306 struct xt_counters *xt_counters_alloc(unsigned int counters);
 307 
 308 struct xt_table *xt_register_table(struct net *net,
 309                                    const struct xt_table *table,
 310                                    struct xt_table_info *bootstrap,
 311                                    struct xt_table_info *newinfo);
 312 void *xt_unregister_table(struct xt_table *table);
 313 
 314 struct xt_table_info *xt_replace_table(struct xt_table *table,
 315                                        unsigned int num_counters,
 316                                        struct xt_table_info *newinfo,
 317                                        int *error);
 318 
 319 struct xt_match *xt_find_match(u8 af, const char *name, u8 revision);
 320 struct xt_match *xt_request_find_match(u8 af, const char *name, u8 revision);
 321 struct xt_target *xt_request_find_target(u8 af, const char *name, u8 revision);
 322 int xt_find_revision(u8 af, const char *name, u8 revision, int target,
 323                      int *err);
 324 
 325 struct xt_table *xt_find_table_lock(struct net *net, u_int8_t af,
 326                                     const char *name);
 327 struct xt_table *xt_request_find_table_lock(struct net *net, u_int8_t af,
 328                                             const char *name);
 329 void xt_table_unlock(struct xt_table *t);
 330 
 331 int xt_proto_init(struct net *net, u_int8_t af);
 332 void xt_proto_fini(struct net *net, u_int8_t af);
 333 
 334 struct xt_table_info *xt_alloc_table_info(unsigned int size);
 335 void xt_free_table_info(struct xt_table_info *info);
 336 
 337 /**
 338  * xt_recseq - recursive seqcount for netfilter use
 339  *
 340  * Packet processing changes the seqcount only if no recursion happened
 341  * get_counters() can use read_seqcount_begin()/read_seqcount_retry(),
 342  * because we use the normal seqcount convention :
 343  * Low order bit set to 1 if a writer is active.
 344  */
 345 DECLARE_PER_CPU(seqcount_t, xt_recseq);
 346 
 347 /* xt_tee_enabled - true if x_tables needs to handle reentrancy
 348  *
 349  * Enabled if current ip(6)tables ruleset has at least one -j TEE rule.
 350  */
 351 extern struct static_key xt_tee_enabled;
 352 
 353 /**
 354  * xt_write_recseq_begin - start of a write section
 355  *
 356  * Begin packet processing : all readers must wait the end
 357  * 1) Must be called with preemption disabled
 358  * 2) softirqs must be disabled too (or we should use this_cpu_add())
 359  * Returns :
 360  *  1 if no recursion on this cpu
 361  *  0 if recursion detected
 362  */
 363 static inline unsigned int xt_write_recseq_begin(void)
 364 {
 365         unsigned int addend;
 366 
 367         /*
 368          * Low order bit of sequence is set if we already
 369          * called xt_write_recseq_begin().
 370          */
 371         addend = (__this_cpu_read(xt_recseq.sequence) + 1) & 1;
 372 
 373         /*
 374          * This is kind of a write_seqcount_begin(), but addend is 0 or 1
 375          * We dont check addend value to avoid a test and conditional jump,
 376          * since addend is most likely 1
 377          */
 378         __this_cpu_add(xt_recseq.sequence, addend);
 379         smp_wmb();
 380 
 381         return addend;
 382 }
 383 
 384 /**
 385  * xt_write_recseq_end - end of a write section
 386  * @addend: return value from previous xt_write_recseq_begin()
 387  *
 388  * End packet processing : all readers can proceed
 389  * 1) Must be called with preemption disabled
 390  * 2) softirqs must be disabled too (or we should use this_cpu_add())
 391  */
 392 static inline void xt_write_recseq_end(unsigned int addend)
 393 {
 394         /* this is kind of a write_seqcount_end(), but addend is 0 or 1 */
 395         smp_wmb();
 396         __this_cpu_add(xt_recseq.sequence, addend);
 397 }
 398 
 399 /*
 400  * This helper is performance critical and must be inlined
 401  */
 402 static inline unsigned long ifname_compare_aligned(const char *_a,
 403                                                    const char *_b,
 404                                                    const char *_mask)
 405 {
 406         const unsigned long *a = (const unsigned long *)_a;
 407         const unsigned long *b = (const unsigned long *)_b;
 408         const unsigned long *mask = (const unsigned long *)_mask;
 409         unsigned long ret;
 410 
 411         ret = (a[0] ^ b[0]) & mask[0];
 412         if (IFNAMSIZ > sizeof(unsigned long))
 413                 ret |= (a[1] ^ b[1]) & mask[1];
 414         if (IFNAMSIZ > 2 * sizeof(unsigned long))
 415                 ret |= (a[2] ^ b[2]) & mask[2];
 416         if (IFNAMSIZ > 3 * sizeof(unsigned long))
 417                 ret |= (a[3] ^ b[3]) & mask[3];
 418         BUILD_BUG_ON(IFNAMSIZ > 4 * sizeof(unsigned long));
 419         return ret;
 420 }
 421 
 422 struct xt_percpu_counter_alloc_state {
 423         unsigned int off;
 424         const char __percpu *mem;
 425 };
 426 
 427 bool xt_percpu_counter_alloc(struct xt_percpu_counter_alloc_state *state,
 428                              struct xt_counters *counter);
 429 void xt_percpu_counter_free(struct xt_counters *cnt);
 430 
 431 static inline struct xt_counters *
 432 xt_get_this_cpu_counter(struct xt_counters *cnt)
 433 {
 434         if (nr_cpu_ids > 1)
 435                 return this_cpu_ptr((void __percpu *) (unsigned long) cnt->pcnt);
 436 
 437         return cnt;
 438 }
 439 
 440 static inline struct xt_counters *
 441 xt_get_per_cpu_counter(struct xt_counters *cnt, unsigned int cpu)
 442 {
 443         if (nr_cpu_ids > 1)
 444                 return per_cpu_ptr((void __percpu *) (unsigned long) cnt->pcnt, cpu);
 445 
 446         return cnt;
 447 }
 448 
 449 struct nf_hook_ops *xt_hook_ops_alloc(const struct xt_table *, nf_hookfn *);
 450 
 451 #ifdef CONFIG_COMPAT
 452 #include <net/compat.h>
 453 
 454 struct compat_xt_entry_match {
 455         union {
 456                 struct {
 457                         u_int16_t match_size;
 458                         char name[XT_FUNCTION_MAXNAMELEN - 1];
 459                         u_int8_t revision;
 460                 } user;
 461                 struct {
 462                         u_int16_t match_size;
 463                         compat_uptr_t match;
 464                 } kernel;
 465                 u_int16_t match_size;
 466         } u;
 467         unsigned char data[0];
 468 };
 469 
 470 struct compat_xt_entry_target {
 471         union {
 472                 struct {
 473                         u_int16_t target_size;
 474                         char name[XT_FUNCTION_MAXNAMELEN - 1];
 475                         u_int8_t revision;
 476                 } user;
 477                 struct {
 478                         u_int16_t target_size;
 479                         compat_uptr_t target;
 480                 } kernel;
 481                 u_int16_t target_size;
 482         } u;
 483         unsigned char data[0];
 484 };
 485 
 486 /* FIXME: this works only on 32 bit tasks
 487  * need to change whole approach in order to calculate align as function of
 488  * current task alignment */
 489 
 490 struct compat_xt_counters {
 491         compat_u64 pcnt, bcnt;                  /* Packet and byte counters */
 492 };
 493 
 494 struct compat_xt_counters_info {
 495         char name[XT_TABLE_MAXNAMELEN];
 496         compat_uint_t num_counters;
 497         struct compat_xt_counters counters[0];
 498 };
 499 
 500 struct _compat_xt_align {
 501         __u8 u8;
 502         __u16 u16;
 503         __u32 u32;
 504         compat_u64 u64;
 505 };
 506 
 507 #define COMPAT_XT_ALIGN(s) __ALIGN_KERNEL((s), __alignof__(struct _compat_xt_align))
 508 
 509 void xt_compat_lock(u_int8_t af);
 510 void xt_compat_unlock(u_int8_t af);
 511 
 512 int xt_compat_add_offset(u_int8_t af, unsigned int offset, int delta);
 513 void xt_compat_flush_offsets(u_int8_t af);
 514 int xt_compat_init_offsets(u8 af, unsigned int number);
 515 int xt_compat_calc_jump(u_int8_t af, unsigned int offset);
 516 
 517 int xt_compat_match_offset(const struct xt_match *match);
 518 void xt_compat_match_from_user(struct xt_entry_match *m, void **dstptr,
 519                               unsigned int *size);
 520 int xt_compat_match_to_user(const struct xt_entry_match *m,
 521                             void __user **dstptr, unsigned int *size);
 522 
 523 int xt_compat_target_offset(const struct xt_target *target);
 524 void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr,
 525                                 unsigned int *size);
 526 int xt_compat_target_to_user(const struct xt_entry_target *t,
 527                              void __user **dstptr, unsigned int *size);
 528 int xt_compat_check_entry_offsets(const void *base, const char *elems,
 529                                   unsigned int target_offset,
 530                                   unsigned int next_offset);
 531 
 532 #endif /* CONFIG_COMPAT */
 533 #endif /* _X_TABLES_H */
/* [<][>][^][v][top][bottom][index][help] */