diff options
author | Harald Welte <laforge@netfilter.org> | 2005-08-09 22:30:24 -0400 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2005-08-29 18:31:29 -0400 |
commit | f9e815b376dc19e6afc551cd755ac64e9e42d81f (patch) | |
tree | 1cbc3d1e64d3dd51404c8935e676beb468867979 | |
parent | ac3247baf8ecadf168642e3898b0212c29c79715 (diff) |
[NETFITLER]: Add nfnetlink layer.
Introduce "nfnetlink" (netfilter netlink) layer. This layer is used as
transport layer for all userspace communication of the new upcoming
netfilter subsystems, such as ctnetlink, nfnetlink_queue and some day even
the mythical pkttables ;)
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | include/linux/netfilter/nfnetlink.h | 145 | ||||
-rw-r--r-- | net/Kconfig | 2 | ||||
-rw-r--r-- | net/Makefile | 1 | ||||
-rw-r--r-- | net/netfilter/Kconfig | 5 | ||||
-rw-r--r-- | net/netfilter/Makefile | 1 | ||||
-rw-r--r-- | net/netfilter/nfnetlink.c | 343 |
6 files changed, 497 insertions, 0 deletions
diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h new file mode 100644 index 000000000000..8f1bfb8d650b --- /dev/null +++ b/include/linux/netfilter/nfnetlink.h | |||
@@ -0,0 +1,145 @@ | |||
1 | #ifndef _NFNETLINK_H | ||
2 | #define _NFNETLINK_H | ||
3 | #include <linux/types.h> | ||
4 | |||
5 | /* nfnetlink groups: Up to 32 maximum */ | ||
6 | #define NF_NETLINK_CONNTRACK_NEW 0x00000001 | ||
7 | #define NF_NETLINK_CONNTRACK_UPDATE 0x00000002 | ||
8 | #define NF_NETLINK_CONNTRACK_DESTROY 0x00000004 | ||
9 | #define NF_NETLINK_CONNTRACK_EXP_NEW 0x00000008 | ||
10 | #define NF_NETLINK_CONNTRACK_EXP_UPDATE 0x00000010 | ||
11 | #define NF_NETLINK_CONNTRACK_EXP_DESTROY 0x00000020 | ||
12 | |||
13 | /* Generic structure for encapsulation optional netfilter information. | ||
14 | * It is reminiscent of sockaddr, but with sa_family replaced | ||
15 | * with attribute type. | ||
16 | * ! This should someday be put somewhere generic as now rtnetlink and | ||
17 | * ! nfnetlink use the same attributes methods. - J. Schulist. | ||
18 | */ | ||
19 | |||
20 | struct nfattr | ||
21 | { | ||
22 | u_int16_t nfa_len; | ||
23 | u_int16_t nfa_type; | ||
24 | } __attribute__ ((packed)); | ||
25 | |||
26 | /* FIXME: Shamelessly copy and pasted from rtnetlink.h, it's time | ||
27 | * to put this in a generic file */ | ||
28 | |||
29 | #define NFA_ALIGNTO 4 | ||
30 | #define NFA_ALIGN(len) (((len) + NFA_ALIGNTO - 1) & ~(NFA_ALIGNTO - 1)) | ||
31 | #define NFA_OK(nfa,len) ((len) > 0 && (nfa)->nfa_len >= sizeof(struct nfattr) \ | ||
32 | && (nfa)->nfa_len <= (len)) | ||
33 | #define NFA_NEXT(nfa,attrlen) ((attrlen) -= NFA_ALIGN((nfa)->nfa_len), \ | ||
34 | (struct nfattr *)(((char *)(nfa)) + NFA_ALIGN((nfa)->nfa_len))) | ||
35 | #define NFA_LENGTH(len) (NFA_ALIGN(sizeof(struct nfattr)) + (len)) | ||
36 | #define NFA_SPACE(len) NFA_ALIGN(NFA_LENGTH(len)) | ||
37 | #define NFA_DATA(nfa) ((void *)(((char *)(nfa)) + NFA_LENGTH(0))) | ||
38 | #define NFA_PAYLOAD(nfa) ((int)((nfa)->nfa_len) - NFA_LENGTH(0)) | ||
39 | #define NFA_NEST(skb, type) \ | ||
40 | ({ struct nfattr *__start = (struct nfattr *) (skb)->tail; \ | ||
41 | NFA_PUT(skb, type, 0, NULL); \ | ||
42 | __start; }) | ||
43 | #define NFA_NEST_END(skb, start) \ | ||
44 | ({ (start)->nfa_len = ((skb)->tail - (unsigned char *) (start)); \ | ||
45 | (skb)->len; }) | ||
46 | #define NFA_NEST_CANCEL(skb, start) \ | ||
47 | ({ if (start) \ | ||
48 | skb_trim(skb, (unsigned char *) (start) - (skb)->data); \ | ||
49 | -1; }) | ||
50 | |||
51 | /* General form of address family dependent message. | ||
52 | */ | ||
53 | struct nfgenmsg { | ||
54 | u_int8_t nfgen_family; /* AF_xxx */ | ||
55 | u_int8_t version; /* nfnetlink version */ | ||
56 | u_int16_t res_id; /* resource id */ | ||
57 | } __attribute__ ((packed)); | ||
58 | |||
59 | #define NFNETLINK_V1 1 | ||
60 | |||
61 | #define NFM_NFA(n) ((struct nfattr *)(((char *)(n)) \ | ||
62 | + NLMSG_ALIGN(sizeof(struct nfgenmsg)))) | ||
63 | #define NFM_PAYLOAD(n) NLMSG_PAYLOAD(n, sizeof(struct nfgenmsg)) | ||
64 | |||
65 | /* netfilter netlink message types are split in two pieces: | ||
66 | * 8 bit subsystem, 8bit operation. | ||
67 | */ | ||
68 | |||
69 | #define NFNL_SUBSYS_ID(x) ((x & 0xff00) >> 8) | ||
70 | #define NFNL_MSG_TYPE(x) (x & 0x00ff) | ||
71 | |||
72 | enum nfnl_subsys_id { | ||
73 | NFNL_SUBSYS_NONE = 0, | ||
74 | NFNL_SUBSYS_CTNETLINK, | ||
75 | NFNL_SUBSYS_CTNETLINK_EXP, | ||
76 | NFNL_SUBSYS_IPTNETLINK, | ||
77 | NFNL_SUBSYS_QUEUE, | ||
78 | NFNL_SUBSYS_ULOG, | ||
79 | NFNL_SUBSYS_COUNT, | ||
80 | }; | ||
81 | |||
82 | #ifdef __KERNEL__ | ||
83 | |||
84 | #include <linux/capability.h> | ||
85 | |||
86 | struct nfnl_callback | ||
87 | { | ||
88 | kernel_cap_t cap_required; /* capabilities required for this msg */ | ||
89 | int (*call)(struct sock *nl, struct sk_buff *skb, | ||
90 | struct nlmsghdr *nlh, struct nfattr *cda[], int *errp); | ||
91 | }; | ||
92 | |||
93 | struct nfnetlink_subsystem | ||
94 | { | ||
95 | const char *name; | ||
96 | __u8 subsys_id; /* nfnetlink subsystem ID */ | ||
97 | __u8 cb_count; /* number of callbacks */ | ||
98 | u_int32_t attr_count; /* number of nfattr's */ | ||
99 | struct nfnl_callback *cb; /* callback for individual types */ | ||
100 | }; | ||
101 | |||
102 | extern void __nfa_fill(struct sk_buff *skb, int attrtype, | ||
103 | int attrlen, const void *data); | ||
104 | #define NFA_PUT(skb, attrtype, attrlen, data) \ | ||
105 | ({ if (skb_tailroom(skb) < (int)NFA_SPACE(attrlen)) goto nfattr_failure; \ | ||
106 | __nfa_fill(skb, attrtype, attrlen, data); }) | ||
107 | |||
108 | extern struct semaphore nfnl_sem; | ||
109 | |||
110 | #define nfnl_shlock() down(&nfnl_sem) | ||
111 | #define nfnl_shlock_nowait() down_trylock(&nfnl_sem) | ||
112 | |||
113 | #define nfnl_shunlock() do { up(&nfnl_sem); \ | ||
114 | if(nfnl && nfnl->sk_receive_queue.qlen) \ | ||
115 | nfnl->sk_data_ready(nfnl, 0); \ | ||
116 | } while(0) | ||
117 | |||
118 | extern void nfnl_lock(void); | ||
119 | extern void nfnl_unlock(void); | ||
120 | |||
121 | extern int nfnetlink_subsys_register(struct nfnetlink_subsystem *n); | ||
122 | extern int nfnetlink_subsys_unregister(struct nfnetlink_subsystem *n); | ||
123 | |||
124 | extern int nfattr_parse(struct nfattr *tb[], int maxattr, | ||
125 | struct nfattr *nfa, int len); | ||
126 | |||
127 | #define nfattr_parse_nested(tb, max, nfa) \ | ||
128 | nfattr_parse((tb), (max), NFA_DATA((nfa)), NFA_PAYLOAD((nfa))) | ||
129 | |||
130 | #define nfattr_bad_size(tb, max, cta_min) \ | ||
131 | ({ int __i, __res = 0; \ | ||
132 | for (__i=0; __i<max; __i++) \ | ||
133 | if (tb[__i] && NFA_PAYLOAD(tb[__i]) < cta_min[__i]){ \ | ||
134 | __res = 1; \ | ||
135 | break; \ | ||
136 | } \ | ||
137 | __res; \ | ||
138 | }) | ||
139 | |||
140 | extern int nfnetlink_send(struct sk_buff *skb, u32 pid, unsigned group, | ||
141 | int echo); | ||
142 | extern int nfnetlink_unicast(struct sk_buff *skb, u_int32_t pid, int flags); | ||
143 | |||
144 | #endif /* __KERNEL__ */ | ||
145 | #endif /* _NFNETLINK_H */ | ||
diff --git a/net/Kconfig b/net/Kconfig index 40a31ba86d2c..02877ac0f2f4 100644 --- a/net/Kconfig +++ b/net/Kconfig | |||
@@ -205,6 +205,8 @@ config NET_PKTGEN | |||
205 | To compile this code as a module, choose M here: the | 205 | To compile this code as a module, choose M here: the |
206 | module will be called pktgen. | 206 | module will be called pktgen. |
207 | 207 | ||
208 | source "net/netfilter/Kconfig" | ||
209 | |||
208 | endmenu | 210 | endmenu |
209 | 211 | ||
210 | endmenu | 212 | endmenu |
diff --git a/net/Makefile b/net/Makefile index 8e2bdc025ab8..4a01be8d3e1e 100644 --- a/net/Makefile +++ b/net/Makefile | |||
@@ -16,6 +16,7 @@ obj-$(CONFIG_NET) += $(tmp-y) | |||
16 | obj-$(CONFIG_LLC) += llc/ | 16 | obj-$(CONFIG_LLC) += llc/ |
17 | obj-$(CONFIG_NET) += ethernet/ 802/ sched/ netlink/ | 17 | obj-$(CONFIG_NET) += ethernet/ 802/ sched/ netlink/ |
18 | obj-$(CONFIG_INET) += ipv4/ | 18 | obj-$(CONFIG_INET) += ipv4/ |
19 | obj-$(CONFIG_NETFILTER) += netfilter/ | ||
19 | obj-$(CONFIG_XFRM) += xfrm/ | 20 | obj-$(CONFIG_XFRM) += xfrm/ |
20 | obj-$(CONFIG_UNIX) += unix/ | 21 | obj-$(CONFIG_UNIX) += unix/ |
21 | ifneq ($(CONFIG_IPV6),) | 22 | ifneq ($(CONFIG_IPV6),) |
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig new file mode 100644 index 000000000000..3629d3d1776d --- /dev/null +++ b/net/netfilter/Kconfig | |||
@@ -0,0 +1,5 @@ | |||
1 | config NETFILTER_NETLINK | ||
2 | tristate "Netfilter netlink interface" | ||
3 | help | ||
4 | If this option is enabled, the kernel will include support | ||
5 | for the new netfilter netlink interface. | ||
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile new file mode 100644 index 000000000000..02e67d371941 --- /dev/null +++ b/net/netfilter/Makefile | |||
@@ -0,0 +1 @@ | |||
obj-$(CONFIG_NETFILTER_NETLINK) += nfnetlink.o | |||
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c new file mode 100644 index 000000000000..710acd77cc4c --- /dev/null +++ b/net/netfilter/nfnetlink.c | |||
@@ -0,0 +1,343 @@ | |||
1 | /* Netfilter messages via netlink socket. Allows for user space | ||
2 | * protocol helpers and general trouble making from userspace. | ||
3 | * | ||
4 | * (C) 2001 by Jay Schulist <jschlst@samba.org>, | ||
5 | * (C) 2002-2005 by Harald Welte <laforge@gnumonks.org> | ||
6 | * (C) 2005 by Pablo Neira Ayuso <pablo@eurodev.net> | ||
7 | * | ||
8 | * Initial netfilter messages via netlink development funded and | ||
9 | * generally made possible by Network Robots, Inc. (www.networkrobots.com) | ||
10 | * | ||
11 | * Further development of this code funded by Astaro AG (http://www.astaro.com) | ||
12 | * | ||
13 | * This software may be used and distributed according to the terms | ||
14 | * of the GNU General Public License, incorporated herein by reference. | ||
15 | */ | ||
16 | |||
17 | #include <linux/config.h> | ||
18 | #include <linux/module.h> | ||
19 | #include <linux/types.h> | ||
20 | #include <linux/socket.h> | ||
21 | #include <linux/kernel.h> | ||
22 | #include <linux/major.h> | ||
23 | #include <linux/sched.h> | ||
24 | #include <linux/timer.h> | ||
25 | #include <linux/string.h> | ||
26 | #include <linux/sockios.h> | ||
27 | #include <linux/net.h> | ||
28 | #include <linux/fcntl.h> | ||
29 | #include <linux/skbuff.h> | ||
30 | #include <asm/uaccess.h> | ||
31 | #include <asm/system.h> | ||
32 | #include <net/sock.h> | ||
33 | #include <linux/init.h> | ||
34 | #include <linux/spinlock.h> | ||
35 | |||
36 | #include <linux/netfilter.h> | ||
37 | #include <linux/netlink.h> | ||
38 | #include <linux/netfilter/nfnetlink.h> | ||
39 | |||
40 | MODULE_LICENSE("GPL"); | ||
41 | |||
42 | static char __initdata nfversion[] = "0.30"; | ||
43 | |||
44 | #if 0 | ||
45 | #define DEBUGP printk | ||
46 | #else | ||
47 | #define DEBUGP(format, args...) | ||
48 | #endif | ||
49 | |||
50 | static struct sock *nfnl = NULL; | ||
51 | static struct nfnetlink_subsystem *subsys_table[NFNL_SUBSYS_COUNT]; | ||
52 | DECLARE_MUTEX(nfnl_sem); | ||
53 | |||
54 | void nfnl_lock(void) | ||
55 | { | ||
56 | nfnl_shlock(); | ||
57 | } | ||
58 | |||
59 | void nfnl_unlock(void) | ||
60 | { | ||
61 | nfnl_shunlock(); | ||
62 | } | ||
63 | |||
64 | int nfnetlink_subsys_register(struct nfnetlink_subsystem *n) | ||
65 | { | ||
66 | DEBUGP("registering subsystem ID %u\n", n->subsys_id); | ||
67 | |||
68 | /* If the netlink socket wasn't created, then fail */ | ||
69 | if (!nfnl) | ||
70 | return -1; | ||
71 | |||
72 | nfnl_lock(); | ||
73 | subsys_table[n->subsys_id] = n; | ||
74 | nfnl_unlock(); | ||
75 | |||
76 | return 0; | ||
77 | } | ||
78 | |||
79 | int nfnetlink_subsys_unregister(struct nfnetlink_subsystem *n) | ||
80 | { | ||
81 | DEBUGP("unregistering subsystem ID %u\n", n->subsys_id); | ||
82 | |||
83 | nfnl_lock(); | ||
84 | subsys_table[n->subsys_id] = NULL; | ||
85 | nfnl_unlock(); | ||
86 | |||
87 | return 0; | ||
88 | } | ||
89 | |||
90 | static inline struct nfnetlink_subsystem *nfnetlink_get_subsys(u_int16_t type) | ||
91 | { | ||
92 | u_int8_t subsys_id = NFNL_SUBSYS_ID(type); | ||
93 | |||
94 | if (subsys_id >= NFNL_SUBSYS_COUNT | ||
95 | || subsys_table[subsys_id] == NULL) | ||
96 | return NULL; | ||
97 | |||
98 | return subsys_table[subsys_id]; | ||
99 | } | ||
100 | |||
101 | static inline struct nfnl_callback * | ||
102 | nfnetlink_find_client(u_int16_t type, struct nfnetlink_subsystem *ss) | ||
103 | { | ||
104 | u_int8_t cb_id = NFNL_MSG_TYPE(type); | ||
105 | |||
106 | if (cb_id >= ss->cb_count) { | ||
107 | DEBUGP("msgtype %u >= %u, returning\n", type, ss->cb_count); | ||
108 | return NULL; | ||
109 | } | ||
110 | |||
111 | return &ss->cb[cb_id]; | ||
112 | } | ||
113 | |||
114 | void __nfa_fill(struct sk_buff *skb, int attrtype, int attrlen, | ||
115 | const void *data) | ||
116 | { | ||
117 | struct nfattr *nfa; | ||
118 | int size = NFA_LENGTH(attrlen); | ||
119 | |||
120 | nfa = (struct nfattr *)skb_put(skb, NFA_ALIGN(size)); | ||
121 | nfa->nfa_type = attrtype; | ||
122 | nfa->nfa_len = size; | ||
123 | memcpy(NFA_DATA(nfa), data, attrlen); | ||
124 | } | ||
125 | |||
126 | int nfattr_parse(struct nfattr *tb[], int maxattr, struct nfattr *nfa, int len) | ||
127 | { | ||
128 | memset(tb, 0, sizeof(struct nfattr *) * maxattr); | ||
129 | |||
130 | while (NFA_OK(nfa, len)) { | ||
131 | unsigned flavor = nfa->nfa_type; | ||
132 | if (flavor && flavor <= maxattr) | ||
133 | tb[flavor-1] = nfa; | ||
134 | nfa = NFA_NEXT(nfa, len); | ||
135 | } | ||
136 | |||
137 | return 0; | ||
138 | } | ||
139 | |||
140 | /** | ||
141 | * nfnetlink_check_attributes - check and parse nfnetlink attributes | ||
142 | * | ||
143 | * subsys: nfnl subsystem for which this message is to be parsed | ||
144 | * nlmsghdr: netlink message to be checked/parsed | ||
145 | * cda: array of pointers, needs to be at least subsys->attr_count big | ||
146 | * | ||
147 | */ | ||
148 | static int | ||
149 | nfnetlink_check_attributes(struct nfnetlink_subsystem *subsys, | ||
150 | struct nlmsghdr *nlh, struct nfattr *cda[]) | ||
151 | { | ||
152 | int min_len; | ||
153 | |||
154 | memset(cda, 0, sizeof(struct nfattr *) * subsys->attr_count); | ||
155 | |||
156 | /* check attribute lengths. */ | ||
157 | min_len = NLMSG_ALIGN(sizeof(struct nfgenmsg)); | ||
158 | if (nlh->nlmsg_len < min_len) | ||
159 | return -EINVAL; | ||
160 | |||
161 | if (nlh->nlmsg_len > min_len) { | ||
162 | struct nfattr *attr = NFM_NFA(NLMSG_DATA(nlh)); | ||
163 | int attrlen = nlh->nlmsg_len - NLMSG_ALIGN(min_len); | ||
164 | |||
165 | while (NFA_OK(attr, attrlen)) { | ||
166 | unsigned flavor = attr->nfa_type; | ||
167 | if (flavor) { | ||
168 | if (flavor > subsys->attr_count) | ||
169 | return -EINVAL; | ||
170 | cda[flavor - 1] = attr; | ||
171 | } | ||
172 | attr = NFA_NEXT(attr, attrlen); | ||
173 | } | ||
174 | } else | ||
175 | return -EINVAL; | ||
176 | |||
177 | return 0; | ||
178 | } | ||
179 | |||
180 | int nfnetlink_send(struct sk_buff *skb, u32 pid, unsigned group, int echo) | ||
181 | { | ||
182 | int allocation = in_interrupt() ? GFP_ATOMIC : GFP_KERNEL; | ||
183 | int err = 0; | ||
184 | |||
185 | NETLINK_CB(skb).dst_groups = group; | ||
186 | if (echo) | ||
187 | atomic_inc(&skb->users); | ||
188 | netlink_broadcast(nfnl, skb, pid, group, allocation); | ||
189 | if (echo) | ||
190 | err = netlink_unicast(nfnl, skb, pid, MSG_DONTWAIT); | ||
191 | |||
192 | return err; | ||
193 | } | ||
194 | |||
195 | int nfnetlink_unicast(struct sk_buff *skb, u_int32_t pid, int flags) | ||
196 | { | ||
197 | return netlink_unicast(nfnl, skb, pid, flags); | ||
198 | } | ||
199 | |||
200 | /* Process one complete nfnetlink message. */ | ||
201 | static inline int nfnetlink_rcv_msg(struct sk_buff *skb, | ||
202 | struct nlmsghdr *nlh, int *errp) | ||
203 | { | ||
204 | struct nfnl_callback *nc; | ||
205 | struct nfnetlink_subsystem *ss; | ||
206 | int type, err = 0; | ||
207 | |||
208 | DEBUGP("entered; subsys=%u, msgtype=%u\n", | ||
209 | NFNL_SUBSYS_ID(nlh->nlmsg_type), | ||
210 | NFNL_MSG_TYPE(nlh->nlmsg_type)); | ||
211 | |||
212 | /* Only requests are handled by kernel now. */ | ||
213 | if (!(nlh->nlmsg_flags & NLM_F_REQUEST)) { | ||
214 | DEBUGP("received non-request message\n"); | ||
215 | return 0; | ||
216 | } | ||
217 | |||
218 | /* All the messages must at least contain nfgenmsg */ | ||
219 | if (nlh->nlmsg_len < | ||
220 | NLMSG_LENGTH(NLMSG_ALIGN(sizeof(struct nfgenmsg)))) { | ||
221 | DEBUGP("received message was too short\n"); | ||
222 | return 0; | ||
223 | } | ||
224 | |||
225 | type = nlh->nlmsg_type; | ||
226 | ss = nfnetlink_get_subsys(type); | ||
227 | if (!ss) | ||
228 | goto err_inval; | ||
229 | |||
230 | nc = nfnetlink_find_client(type, ss); | ||
231 | if (!nc) { | ||
232 | DEBUGP("unable to find client for type %d\n", type); | ||
233 | goto err_inval; | ||
234 | } | ||
235 | |||
236 | if (nc->cap_required && | ||
237 | !cap_raised(NETLINK_CB(skb).eff_cap, nc->cap_required)) { | ||
238 | DEBUGP("permission denied for type %d\n", type); | ||
239 | *errp = -EPERM; | ||
240 | return -1; | ||
241 | } | ||
242 | |||
243 | { | ||
244 | struct nfattr *cda[ss->attr_count]; | ||
245 | |||
246 | memset(cda, 0, ss->attr_count*sizeof(struct nfattr *)); | ||
247 | |||
248 | err = nfnetlink_check_attributes(ss, nlh, cda); | ||
249 | if (err < 0) | ||
250 | goto err_inval; | ||
251 | |||
252 | err = nc->call(nfnl, skb, nlh, cda, errp); | ||
253 | *errp = err; | ||
254 | return err; | ||
255 | } | ||
256 | |||
257 | err_inval: | ||
258 | *errp = -EINVAL; | ||
259 | return -1; | ||
260 | } | ||
261 | |||
262 | /* Process one packet of messages. */ | ||
263 | static inline int nfnetlink_rcv_skb(struct sk_buff *skb) | ||
264 | { | ||
265 | int err; | ||
266 | struct nlmsghdr *nlh; | ||
267 | |||
268 | while (skb->len >= NLMSG_SPACE(0)) { | ||
269 | u32 rlen; | ||
270 | |||
271 | nlh = (struct nlmsghdr *)skb->data; | ||
272 | if (nlh->nlmsg_len < sizeof(struct nlmsghdr) | ||
273 | || skb->len < nlh->nlmsg_len) | ||
274 | return 0; | ||
275 | rlen = NLMSG_ALIGN(nlh->nlmsg_len); | ||
276 | if (rlen > skb->len) | ||
277 | rlen = skb->len; | ||
278 | if (nfnetlink_rcv_msg(skb, nlh, &err)) { | ||
279 | if (!err) | ||
280 | return -1; | ||
281 | netlink_ack(skb, nlh, err); | ||
282 | } else | ||
283 | if (nlh->nlmsg_flags & NLM_F_ACK) | ||
284 | netlink_ack(skb, nlh, 0); | ||
285 | skb_pull(skb, rlen); | ||
286 | } | ||
287 | |||
288 | return 0; | ||
289 | } | ||
290 | |||
291 | static void nfnetlink_rcv(struct sock *sk, int len) | ||
292 | { | ||
293 | do { | ||
294 | struct sk_buff *skb; | ||
295 | |||
296 | if (nfnl_shlock_nowait()) | ||
297 | return; | ||
298 | |||
299 | while ((skb = skb_dequeue(&sk->sk_receive_queue)) != NULL) { | ||
300 | if (nfnetlink_rcv_skb(skb)) { | ||
301 | if (skb->len) | ||
302 | skb_queue_head(&sk->sk_receive_queue, | ||
303 | skb); | ||
304 | else | ||
305 | kfree_skb(skb); | ||
306 | break; | ||
307 | } | ||
308 | kfree_skb(skb); | ||
309 | } | ||
310 | |||
311 | up(&nfnl_sem); | ||
312 | } while(nfnl && nfnl->sk_receive_queue.qlen); | ||
313 | } | ||
314 | |||
315 | void __exit nfnetlink_exit(void) | ||
316 | { | ||
317 | printk("Removing netfilter NETLINK layer.\n"); | ||
318 | sock_release(nfnl->sk_socket); | ||
319 | return; | ||
320 | } | ||
321 | |||
322 | int __init nfnetlink_init(void) | ||
323 | { | ||
324 | printk("Netfilter messages via NETLINK v%s.\n", nfversion); | ||
325 | |||
326 | nfnl = netlink_kernel_create(NETLINK_NETFILTER, nfnetlink_rcv); | ||
327 | if (!nfnl) { | ||
328 | printk(KERN_ERR "cannot initialize nfnetlink!\n"); | ||
329 | return -1; | ||
330 | } | ||
331 | |||
332 | return 0; | ||
333 | } | ||
334 | |||
335 | module_init(nfnetlink_init); | ||
336 | module_exit(nfnetlink_exit); | ||
337 | |||
338 | EXPORT_SYMBOL_GPL(nfnetlink_subsys_register); | ||
339 | EXPORT_SYMBOL_GPL(nfnetlink_subsys_unregister); | ||
340 | EXPORT_SYMBOL_GPL(nfnetlink_send); | ||
341 | EXPORT_SYMBOL_GPL(nfnetlink_unicast); | ||
342 | EXPORT_SYMBOL_GPL(nfattr_parse); | ||
343 | EXPORT_SYMBOL_GPL(__nfa_fill); | ||