aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorHarald Welte <laforge@netfilter.org>2005-08-09 22:30:24 -0400
committerDavid S. Miller <davem@sunset.davemloft.net>2005-08-29 18:31:29 -0400
commitf9e815b376dc19e6afc551cd755ac64e9e42d81f (patch)
tree1cbc3d1e64d3dd51404c8935e676beb468867979
parentac3247baf8ecadf168642e3898b0212c29c79715 (diff)
[NETFITLER]: Add nfnetlink layer.
Introduce "nfnetlink" (netfilter netlink) layer. This layer is used as transport layer for all userspace communication of the new upcoming netfilter subsystems, such as ctnetlink, nfnetlink_queue and some day even the mythical pkttables ;) Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--include/linux/netfilter/nfnetlink.h145
-rw-r--r--net/Kconfig2
-rw-r--r--net/Makefile1
-rw-r--r--net/netfilter/Kconfig5
-rw-r--r--net/netfilter/Makefile1
-rw-r--r--net/netfilter/nfnetlink.c343
6 files changed, 497 insertions, 0 deletions
diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h
new file mode 100644
index 000000000000..8f1bfb8d650b
--- /dev/null
+++ b/include/linux/netfilter/nfnetlink.h
@@ -0,0 +1,145 @@
1#ifndef _NFNETLINK_H
2#define _NFNETLINK_H
3#include <linux/types.h>
4
5/* nfnetlink groups: Up to 32 maximum */
6#define NF_NETLINK_CONNTRACK_NEW 0x00000001
7#define NF_NETLINK_CONNTRACK_UPDATE 0x00000002
8#define NF_NETLINK_CONNTRACK_DESTROY 0x00000004
9#define NF_NETLINK_CONNTRACK_EXP_NEW 0x00000008
10#define NF_NETLINK_CONNTRACK_EXP_UPDATE 0x00000010
11#define NF_NETLINK_CONNTRACK_EXP_DESTROY 0x00000020
12
13/* Generic structure for encapsulation optional netfilter information.
14 * It is reminiscent of sockaddr, but with sa_family replaced
15 * with attribute type.
16 * ! This should someday be put somewhere generic as now rtnetlink and
17 * ! nfnetlink use the same attributes methods. - J. Schulist.
18 */
19
20struct nfattr
21{
22 u_int16_t nfa_len;
23 u_int16_t nfa_type;
24} __attribute__ ((packed));
25
26/* FIXME: Shamelessly copy and pasted from rtnetlink.h, it's time
27 * to put this in a generic file */
28
29#define NFA_ALIGNTO 4
30#define NFA_ALIGN(len) (((len) + NFA_ALIGNTO - 1) & ~(NFA_ALIGNTO - 1))
31#define NFA_OK(nfa,len) ((len) > 0 && (nfa)->nfa_len >= sizeof(struct nfattr) \
32 && (nfa)->nfa_len <= (len))
33#define NFA_NEXT(nfa,attrlen) ((attrlen) -= NFA_ALIGN((nfa)->nfa_len), \
34 (struct nfattr *)(((char *)(nfa)) + NFA_ALIGN((nfa)->nfa_len)))
35#define NFA_LENGTH(len) (NFA_ALIGN(sizeof(struct nfattr)) + (len))
36#define NFA_SPACE(len) NFA_ALIGN(NFA_LENGTH(len))
37#define NFA_DATA(nfa) ((void *)(((char *)(nfa)) + NFA_LENGTH(0)))
38#define NFA_PAYLOAD(nfa) ((int)((nfa)->nfa_len) - NFA_LENGTH(0))
39#define NFA_NEST(skb, type) \
40({ struct nfattr *__start = (struct nfattr *) (skb)->tail; \
41 NFA_PUT(skb, type, 0, NULL); \
42 __start; })
43#define NFA_NEST_END(skb, start) \
44({ (start)->nfa_len = ((skb)->tail - (unsigned char *) (start)); \
45 (skb)->len; })
46#define NFA_NEST_CANCEL(skb, start) \
47({ if (start) \
48 skb_trim(skb, (unsigned char *) (start) - (skb)->data); \
49 -1; })
50
51/* General form of address family dependent message.
52 */
53struct nfgenmsg {
54 u_int8_t nfgen_family; /* AF_xxx */
55 u_int8_t version; /* nfnetlink version */
56 u_int16_t res_id; /* resource id */
57} __attribute__ ((packed));
58
59#define NFNETLINK_V1 1
60
61#define NFM_NFA(n) ((struct nfattr *)(((char *)(n)) \
62 + NLMSG_ALIGN(sizeof(struct nfgenmsg))))
63#define NFM_PAYLOAD(n) NLMSG_PAYLOAD(n, sizeof(struct nfgenmsg))
64
65/* netfilter netlink message types are split in two pieces:
66 * 8 bit subsystem, 8bit operation.
67 */
68
69#define NFNL_SUBSYS_ID(x) ((x & 0xff00) >> 8)
70#define NFNL_MSG_TYPE(x) (x & 0x00ff)
71
72enum nfnl_subsys_id {
73 NFNL_SUBSYS_NONE = 0,
74 NFNL_SUBSYS_CTNETLINK,
75 NFNL_SUBSYS_CTNETLINK_EXP,
76 NFNL_SUBSYS_IPTNETLINK,
77 NFNL_SUBSYS_QUEUE,
78 NFNL_SUBSYS_ULOG,
79 NFNL_SUBSYS_COUNT,
80};
81
82#ifdef __KERNEL__
83
84#include <linux/capability.h>
85
86struct nfnl_callback
87{
88 kernel_cap_t cap_required; /* capabilities required for this msg */
89 int (*call)(struct sock *nl, struct sk_buff *skb,
90 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp);
91};
92
93struct nfnetlink_subsystem
94{
95 const char *name;
96 __u8 subsys_id; /* nfnetlink subsystem ID */
97 __u8 cb_count; /* number of callbacks */
98 u_int32_t attr_count; /* number of nfattr's */
99 struct nfnl_callback *cb; /* callback for individual types */
100};
101
102extern void __nfa_fill(struct sk_buff *skb, int attrtype,
103 int attrlen, const void *data);
104#define NFA_PUT(skb, attrtype, attrlen, data) \
105({ if (skb_tailroom(skb) < (int)NFA_SPACE(attrlen)) goto nfattr_failure; \
106 __nfa_fill(skb, attrtype, attrlen, data); })
107
108extern struct semaphore nfnl_sem;
109
110#define nfnl_shlock() down(&nfnl_sem)
111#define nfnl_shlock_nowait() down_trylock(&nfnl_sem)
112
113#define nfnl_shunlock() do { up(&nfnl_sem); \
114 if(nfnl && nfnl->sk_receive_queue.qlen) \
115 nfnl->sk_data_ready(nfnl, 0); \
116 } while(0)
117
118extern void nfnl_lock(void);
119extern void nfnl_unlock(void);
120
121extern int nfnetlink_subsys_register(struct nfnetlink_subsystem *n);
122extern int nfnetlink_subsys_unregister(struct nfnetlink_subsystem *n);
123
124extern int nfattr_parse(struct nfattr *tb[], int maxattr,
125 struct nfattr *nfa, int len);
126
127#define nfattr_parse_nested(tb, max, nfa) \
128 nfattr_parse((tb), (max), NFA_DATA((nfa)), NFA_PAYLOAD((nfa)))
129
130#define nfattr_bad_size(tb, max, cta_min) \
131({ int __i, __res = 0; \
132 for (__i=0; __i<max; __i++) \
133 if (tb[__i] && NFA_PAYLOAD(tb[__i]) < cta_min[__i]){ \
134 __res = 1; \
135 break; \
136 } \
137 __res; \
138})
139
140extern int nfnetlink_send(struct sk_buff *skb, u32 pid, unsigned group,
141 int echo);
142extern int nfnetlink_unicast(struct sk_buff *skb, u_int32_t pid, int flags);
143
144#endif /* __KERNEL__ */
145#endif /* _NFNETLINK_H */
diff --git a/net/Kconfig b/net/Kconfig
index 40a31ba86d2c..02877ac0f2f4 100644
--- a/net/Kconfig
+++ b/net/Kconfig
@@ -205,6 +205,8 @@ config NET_PKTGEN
205 To compile this code as a module, choose M here: the 205 To compile this code as a module, choose M here: the
206 module will be called pktgen. 206 module will be called pktgen.
207 207
208source "net/netfilter/Kconfig"
209
208endmenu 210endmenu
209 211
210endmenu 212endmenu
diff --git a/net/Makefile b/net/Makefile
index 8e2bdc025ab8..4a01be8d3e1e 100644
--- a/net/Makefile
+++ b/net/Makefile
@@ -16,6 +16,7 @@ obj-$(CONFIG_NET) += $(tmp-y)
16obj-$(CONFIG_LLC) += llc/ 16obj-$(CONFIG_LLC) += llc/
17obj-$(CONFIG_NET) += ethernet/ 802/ sched/ netlink/ 17obj-$(CONFIG_NET) += ethernet/ 802/ sched/ netlink/
18obj-$(CONFIG_INET) += ipv4/ 18obj-$(CONFIG_INET) += ipv4/
19obj-$(CONFIG_NETFILTER) += netfilter/
19obj-$(CONFIG_XFRM) += xfrm/ 20obj-$(CONFIG_XFRM) += xfrm/
20obj-$(CONFIG_UNIX) += unix/ 21obj-$(CONFIG_UNIX) += unix/
21ifneq ($(CONFIG_IPV6),) 22ifneq ($(CONFIG_IPV6),)
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
new file mode 100644
index 000000000000..3629d3d1776d
--- /dev/null
+++ b/net/netfilter/Kconfig
@@ -0,0 +1,5 @@
1config NETFILTER_NETLINK
2 tristate "Netfilter netlink interface"
3 help
4 If this option is enabled, the kernel will include support
5 for the new netfilter netlink interface.
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
new file mode 100644
index 000000000000..02e67d371941
--- /dev/null
+++ b/net/netfilter/Makefile
@@ -0,0 +1 @@
obj-$(CONFIG_NETFILTER_NETLINK) += nfnetlink.o
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
new file mode 100644
index 000000000000..710acd77cc4c
--- /dev/null
+++ b/net/netfilter/nfnetlink.c
@@ -0,0 +1,343 @@
1/* Netfilter messages via netlink socket. Allows for user space
2 * protocol helpers and general trouble making from userspace.
3 *
4 * (C) 2001 by Jay Schulist <jschlst@samba.org>,
5 * (C) 2002-2005 by Harald Welte <laforge@gnumonks.org>
6 * (C) 2005 by Pablo Neira Ayuso <pablo@eurodev.net>
7 *
8 * Initial netfilter messages via netlink development funded and
9 * generally made possible by Network Robots, Inc. (www.networkrobots.com)
10 *
11 * Further development of this code funded by Astaro AG (http://www.astaro.com)
12 *
13 * This software may be used and distributed according to the terms
14 * of the GNU General Public License, incorporated herein by reference.
15 */
16
17#include <linux/config.h>
18#include <linux/module.h>
19#include <linux/types.h>
20#include <linux/socket.h>
21#include <linux/kernel.h>
22#include <linux/major.h>
23#include <linux/sched.h>
24#include <linux/timer.h>
25#include <linux/string.h>
26#include <linux/sockios.h>
27#include <linux/net.h>
28#include <linux/fcntl.h>
29#include <linux/skbuff.h>
30#include <asm/uaccess.h>
31#include <asm/system.h>
32#include <net/sock.h>
33#include <linux/init.h>
34#include <linux/spinlock.h>
35
36#include <linux/netfilter.h>
37#include <linux/netlink.h>
38#include <linux/netfilter/nfnetlink.h>
39
40MODULE_LICENSE("GPL");
41
42static char __initdata nfversion[] = "0.30";
43
44#if 0
45#define DEBUGP printk
46#else
47#define DEBUGP(format, args...)
48#endif
49
50static struct sock *nfnl = NULL;
51static struct nfnetlink_subsystem *subsys_table[NFNL_SUBSYS_COUNT];
52DECLARE_MUTEX(nfnl_sem);
53
54void nfnl_lock(void)
55{
56 nfnl_shlock();
57}
58
59void nfnl_unlock(void)
60{
61 nfnl_shunlock();
62}
63
64int nfnetlink_subsys_register(struct nfnetlink_subsystem *n)
65{
66 DEBUGP("registering subsystem ID %u\n", n->subsys_id);
67
68 /* If the netlink socket wasn't created, then fail */
69 if (!nfnl)
70 return -1;
71
72 nfnl_lock();
73 subsys_table[n->subsys_id] = n;
74 nfnl_unlock();
75
76 return 0;
77}
78
79int nfnetlink_subsys_unregister(struct nfnetlink_subsystem *n)
80{
81 DEBUGP("unregistering subsystem ID %u\n", n->subsys_id);
82
83 nfnl_lock();
84 subsys_table[n->subsys_id] = NULL;
85 nfnl_unlock();
86
87 return 0;
88}
89
90static inline struct nfnetlink_subsystem *nfnetlink_get_subsys(u_int16_t type)
91{
92 u_int8_t subsys_id = NFNL_SUBSYS_ID(type);
93
94 if (subsys_id >= NFNL_SUBSYS_COUNT
95 || subsys_table[subsys_id] == NULL)
96 return NULL;
97
98 return subsys_table[subsys_id];
99}
100
101static inline struct nfnl_callback *
102nfnetlink_find_client(u_int16_t type, struct nfnetlink_subsystem *ss)
103{
104 u_int8_t cb_id = NFNL_MSG_TYPE(type);
105
106 if (cb_id >= ss->cb_count) {
107 DEBUGP("msgtype %u >= %u, returning\n", type, ss->cb_count);
108 return NULL;
109 }
110
111 return &ss->cb[cb_id];
112}
113
114void __nfa_fill(struct sk_buff *skb, int attrtype, int attrlen,
115 const void *data)
116{
117 struct nfattr *nfa;
118 int size = NFA_LENGTH(attrlen);
119
120 nfa = (struct nfattr *)skb_put(skb, NFA_ALIGN(size));
121 nfa->nfa_type = attrtype;
122 nfa->nfa_len = size;
123 memcpy(NFA_DATA(nfa), data, attrlen);
124}
125
126int nfattr_parse(struct nfattr *tb[], int maxattr, struct nfattr *nfa, int len)
127{
128 memset(tb, 0, sizeof(struct nfattr *) * maxattr);
129
130 while (NFA_OK(nfa, len)) {
131 unsigned flavor = nfa->nfa_type;
132 if (flavor && flavor <= maxattr)
133 tb[flavor-1] = nfa;
134 nfa = NFA_NEXT(nfa, len);
135 }
136
137 return 0;
138}
139
140/**
141 * nfnetlink_check_attributes - check and parse nfnetlink attributes
142 *
143 * subsys: nfnl subsystem for which this message is to be parsed
144 * nlmsghdr: netlink message to be checked/parsed
145 * cda: array of pointers, needs to be at least subsys->attr_count big
146 *
147 */
148static int
149nfnetlink_check_attributes(struct nfnetlink_subsystem *subsys,
150 struct nlmsghdr *nlh, struct nfattr *cda[])
151{
152 int min_len;
153
154 memset(cda, 0, sizeof(struct nfattr *) * subsys->attr_count);
155
156 /* check attribute lengths. */
157 min_len = NLMSG_ALIGN(sizeof(struct nfgenmsg));
158 if (nlh->nlmsg_len < min_len)
159 return -EINVAL;
160
161 if (nlh->nlmsg_len > min_len) {
162 struct nfattr *attr = NFM_NFA(NLMSG_DATA(nlh));
163 int attrlen = nlh->nlmsg_len - NLMSG_ALIGN(min_len);
164
165 while (NFA_OK(attr, attrlen)) {
166 unsigned flavor = attr->nfa_type;
167 if (flavor) {
168 if (flavor > subsys->attr_count)
169 return -EINVAL;
170 cda[flavor - 1] = attr;
171 }
172 attr = NFA_NEXT(attr, attrlen);
173 }
174 } else
175 return -EINVAL;
176
177 return 0;
178}
179
180int nfnetlink_send(struct sk_buff *skb, u32 pid, unsigned group, int echo)
181{
182 int allocation = in_interrupt() ? GFP_ATOMIC : GFP_KERNEL;
183 int err = 0;
184
185 NETLINK_CB(skb).dst_groups = group;
186 if (echo)
187 atomic_inc(&skb->users);
188 netlink_broadcast(nfnl, skb, pid, group, allocation);
189 if (echo)
190 err = netlink_unicast(nfnl, skb, pid, MSG_DONTWAIT);
191
192 return err;
193}
194
195int nfnetlink_unicast(struct sk_buff *skb, u_int32_t pid, int flags)
196{
197 return netlink_unicast(nfnl, skb, pid, flags);
198}
199
200/* Process one complete nfnetlink message. */
201static inline int nfnetlink_rcv_msg(struct sk_buff *skb,
202 struct nlmsghdr *nlh, int *errp)
203{
204 struct nfnl_callback *nc;
205 struct nfnetlink_subsystem *ss;
206 int type, err = 0;
207
208 DEBUGP("entered; subsys=%u, msgtype=%u\n",
209 NFNL_SUBSYS_ID(nlh->nlmsg_type),
210 NFNL_MSG_TYPE(nlh->nlmsg_type));
211
212 /* Only requests are handled by kernel now. */
213 if (!(nlh->nlmsg_flags & NLM_F_REQUEST)) {
214 DEBUGP("received non-request message\n");
215 return 0;
216 }
217
218 /* All the messages must at least contain nfgenmsg */
219 if (nlh->nlmsg_len <
220 NLMSG_LENGTH(NLMSG_ALIGN(sizeof(struct nfgenmsg)))) {
221 DEBUGP("received message was too short\n");
222 return 0;
223 }
224
225 type = nlh->nlmsg_type;
226 ss = nfnetlink_get_subsys(type);
227 if (!ss)
228 goto err_inval;
229
230 nc = nfnetlink_find_client(type, ss);
231 if (!nc) {
232 DEBUGP("unable to find client for type %d\n", type);
233 goto err_inval;
234 }
235
236 if (nc->cap_required &&
237 !cap_raised(NETLINK_CB(skb).eff_cap, nc->cap_required)) {
238 DEBUGP("permission denied for type %d\n", type);
239 *errp = -EPERM;
240 return -1;
241 }
242
243 {
244 struct nfattr *cda[ss->attr_count];
245
246 memset(cda, 0, ss->attr_count*sizeof(struct nfattr *));
247
248 err = nfnetlink_check_attributes(ss, nlh, cda);
249 if (err < 0)
250 goto err_inval;
251
252 err = nc->call(nfnl, skb, nlh, cda, errp);
253 *errp = err;
254 return err;
255 }
256
257err_inval:
258 *errp = -EINVAL;
259 return -1;
260}
261
262/* Process one packet of messages. */
263static inline int nfnetlink_rcv_skb(struct sk_buff *skb)
264{
265 int err;
266 struct nlmsghdr *nlh;
267
268 while (skb->len >= NLMSG_SPACE(0)) {
269 u32 rlen;
270
271 nlh = (struct nlmsghdr *)skb->data;
272 if (nlh->nlmsg_len < sizeof(struct nlmsghdr)
273 || skb->len < nlh->nlmsg_len)
274 return 0;
275 rlen = NLMSG_ALIGN(nlh->nlmsg_len);
276 if (rlen > skb->len)
277 rlen = skb->len;
278 if (nfnetlink_rcv_msg(skb, nlh, &err)) {
279 if (!err)
280 return -1;
281 netlink_ack(skb, nlh, err);
282 } else
283 if (nlh->nlmsg_flags & NLM_F_ACK)
284 netlink_ack(skb, nlh, 0);
285 skb_pull(skb, rlen);
286 }
287
288 return 0;
289}
290
291static void nfnetlink_rcv(struct sock *sk, int len)
292{
293 do {
294 struct sk_buff *skb;
295
296 if (nfnl_shlock_nowait())
297 return;
298
299 while ((skb = skb_dequeue(&sk->sk_receive_queue)) != NULL) {
300 if (nfnetlink_rcv_skb(skb)) {
301 if (skb->len)
302 skb_queue_head(&sk->sk_receive_queue,
303 skb);
304 else
305 kfree_skb(skb);
306 break;
307 }
308 kfree_skb(skb);
309 }
310
311 up(&nfnl_sem);
312 } while(nfnl && nfnl->sk_receive_queue.qlen);
313}
314
315void __exit nfnetlink_exit(void)
316{
317 printk("Removing netfilter NETLINK layer.\n");
318 sock_release(nfnl->sk_socket);
319 return;
320}
321
322int __init nfnetlink_init(void)
323{
324 printk("Netfilter messages via NETLINK v%s.\n", nfversion);
325
326 nfnl = netlink_kernel_create(NETLINK_NETFILTER, nfnetlink_rcv);
327 if (!nfnl) {
328 printk(KERN_ERR "cannot initialize nfnetlink!\n");
329 return -1;
330 }
331
332 return 0;
333}
334
335module_init(nfnetlink_init);
336module_exit(nfnetlink_exit);
337
338EXPORT_SYMBOL_GPL(nfnetlink_subsys_register);
339EXPORT_SYMBOL_GPL(nfnetlink_subsys_unregister);
340EXPORT_SYMBOL_GPL(nfnetlink_send);
341EXPORT_SYMBOL_GPL(nfnetlink_unicast);
342EXPORT_SYMBOL_GPL(nfattr_parse);
343EXPORT_SYMBOL_GPL(__nfa_fill);