diff options
author | Harald Welte <laforge@netfilter.org> | 2005-08-09 22:30:24 -0400 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2005-08-29 18:31:29 -0400 |
commit | f9e815b376dc19e6afc551cd755ac64e9e42d81f (patch) | |
tree | 1cbc3d1e64d3dd51404c8935e676beb468867979 /net | |
parent | ac3247baf8ecadf168642e3898b0212c29c79715 (diff) |
[NETFITLER]: Add nfnetlink layer.
Introduce "nfnetlink" (netfilter netlink) layer. This layer is used as
transport layer for all userspace communication of the new upcoming
netfilter subsystems, such as ctnetlink, nfnetlink_queue and some day even
the mythical pkttables ;)
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r-- | net/Kconfig | 2 | ||||
-rw-r--r-- | net/Makefile | 1 | ||||
-rw-r--r-- | net/netfilter/Kconfig | 5 | ||||
-rw-r--r-- | net/netfilter/Makefile | 1 | ||||
-rw-r--r-- | net/netfilter/nfnetlink.c | 343 |
5 files changed, 352 insertions, 0 deletions
diff --git a/net/Kconfig b/net/Kconfig index 40a31ba86d2c..02877ac0f2f4 100644 --- a/net/Kconfig +++ b/net/Kconfig | |||
@@ -205,6 +205,8 @@ config NET_PKTGEN | |||
205 | To compile this code as a module, choose M here: the | 205 | To compile this code as a module, choose M here: the |
206 | module will be called pktgen. | 206 | module will be called pktgen. |
207 | 207 | ||
208 | source "net/netfilter/Kconfig" | ||
209 | |||
208 | endmenu | 210 | endmenu |
209 | 211 | ||
210 | endmenu | 212 | endmenu |
diff --git a/net/Makefile b/net/Makefile index 8e2bdc025ab8..4a01be8d3e1e 100644 --- a/net/Makefile +++ b/net/Makefile | |||
@@ -16,6 +16,7 @@ obj-$(CONFIG_NET) += $(tmp-y) | |||
16 | obj-$(CONFIG_LLC) += llc/ | 16 | obj-$(CONFIG_LLC) += llc/ |
17 | obj-$(CONFIG_NET) += ethernet/ 802/ sched/ netlink/ | 17 | obj-$(CONFIG_NET) += ethernet/ 802/ sched/ netlink/ |
18 | obj-$(CONFIG_INET) += ipv4/ | 18 | obj-$(CONFIG_INET) += ipv4/ |
19 | obj-$(CONFIG_NETFILTER) += netfilter/ | ||
19 | obj-$(CONFIG_XFRM) += xfrm/ | 20 | obj-$(CONFIG_XFRM) += xfrm/ |
20 | obj-$(CONFIG_UNIX) += unix/ | 21 | obj-$(CONFIG_UNIX) += unix/ |
21 | ifneq ($(CONFIG_IPV6),) | 22 | ifneq ($(CONFIG_IPV6),) |
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig new file mode 100644 index 000000000000..3629d3d1776d --- /dev/null +++ b/net/netfilter/Kconfig | |||
@@ -0,0 +1,5 @@ | |||
1 | config NETFILTER_NETLINK | ||
2 | tristate "Netfilter netlink interface" | ||
3 | help | ||
4 | If this option is enabled, the kernel will include support | ||
5 | for the new netfilter netlink interface. | ||
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile new file mode 100644 index 000000000000..02e67d371941 --- /dev/null +++ b/net/netfilter/Makefile | |||
@@ -0,0 +1 @@ | |||
obj-$(CONFIG_NETFILTER_NETLINK) += nfnetlink.o | |||
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c new file mode 100644 index 000000000000..710acd77cc4c --- /dev/null +++ b/net/netfilter/nfnetlink.c | |||
@@ -0,0 +1,343 @@ | |||
1 | /* Netfilter messages via netlink socket. Allows for user space | ||
2 | * protocol helpers and general trouble making from userspace. | ||
3 | * | ||
4 | * (C) 2001 by Jay Schulist <jschlst@samba.org>, | ||
5 | * (C) 2002-2005 by Harald Welte <laforge@gnumonks.org> | ||
6 | * (C) 2005 by Pablo Neira Ayuso <pablo@eurodev.net> | ||
7 | * | ||
8 | * Initial netfilter messages via netlink development funded and | ||
9 | * generally made possible by Network Robots, Inc. (www.networkrobots.com) | ||
10 | * | ||
11 | * Further development of this code funded by Astaro AG (http://www.astaro.com) | ||
12 | * | ||
13 | * This software may be used and distributed according to the terms | ||
14 | * of the GNU General Public License, incorporated herein by reference. | ||
15 | */ | ||
16 | |||
17 | #include <linux/config.h> | ||
18 | #include <linux/module.h> | ||
19 | #include <linux/types.h> | ||
20 | #include <linux/socket.h> | ||
21 | #include <linux/kernel.h> | ||
22 | #include <linux/major.h> | ||
23 | #include <linux/sched.h> | ||
24 | #include <linux/timer.h> | ||
25 | #include <linux/string.h> | ||
26 | #include <linux/sockios.h> | ||
27 | #include <linux/net.h> | ||
28 | #include <linux/fcntl.h> | ||
29 | #include <linux/skbuff.h> | ||
30 | #include <asm/uaccess.h> | ||
31 | #include <asm/system.h> | ||
32 | #include <net/sock.h> | ||
33 | #include <linux/init.h> | ||
34 | #include <linux/spinlock.h> | ||
35 | |||
36 | #include <linux/netfilter.h> | ||
37 | #include <linux/netlink.h> | ||
38 | #include <linux/netfilter/nfnetlink.h> | ||
39 | |||
40 | MODULE_LICENSE("GPL"); | ||
41 | |||
42 | static char __initdata nfversion[] = "0.30"; | ||
43 | |||
44 | #if 0 | ||
45 | #define DEBUGP printk | ||
46 | #else | ||
47 | #define DEBUGP(format, args...) | ||
48 | #endif | ||
49 | |||
50 | static struct sock *nfnl = NULL; | ||
51 | static struct nfnetlink_subsystem *subsys_table[NFNL_SUBSYS_COUNT]; | ||
52 | DECLARE_MUTEX(nfnl_sem); | ||
53 | |||
54 | void nfnl_lock(void) | ||
55 | { | ||
56 | nfnl_shlock(); | ||
57 | } | ||
58 | |||
59 | void nfnl_unlock(void) | ||
60 | { | ||
61 | nfnl_shunlock(); | ||
62 | } | ||
63 | |||
64 | int nfnetlink_subsys_register(struct nfnetlink_subsystem *n) | ||
65 | { | ||
66 | DEBUGP("registering subsystem ID %u\n", n->subsys_id); | ||
67 | |||
68 | /* If the netlink socket wasn't created, then fail */ | ||
69 | if (!nfnl) | ||
70 | return -1; | ||
71 | |||
72 | nfnl_lock(); | ||
73 | subsys_table[n->subsys_id] = n; | ||
74 | nfnl_unlock(); | ||
75 | |||
76 | return 0; | ||
77 | } | ||
78 | |||
79 | int nfnetlink_subsys_unregister(struct nfnetlink_subsystem *n) | ||
80 | { | ||
81 | DEBUGP("unregistering subsystem ID %u\n", n->subsys_id); | ||
82 | |||
83 | nfnl_lock(); | ||
84 | subsys_table[n->subsys_id] = NULL; | ||
85 | nfnl_unlock(); | ||
86 | |||
87 | return 0; | ||
88 | } | ||
89 | |||
90 | static inline struct nfnetlink_subsystem *nfnetlink_get_subsys(u_int16_t type) | ||
91 | { | ||
92 | u_int8_t subsys_id = NFNL_SUBSYS_ID(type); | ||
93 | |||
94 | if (subsys_id >= NFNL_SUBSYS_COUNT | ||
95 | || subsys_table[subsys_id] == NULL) | ||
96 | return NULL; | ||
97 | |||
98 | return subsys_table[subsys_id]; | ||
99 | } | ||
100 | |||
101 | static inline struct nfnl_callback * | ||
102 | nfnetlink_find_client(u_int16_t type, struct nfnetlink_subsystem *ss) | ||
103 | { | ||
104 | u_int8_t cb_id = NFNL_MSG_TYPE(type); | ||
105 | |||
106 | if (cb_id >= ss->cb_count) { | ||
107 | DEBUGP("msgtype %u >= %u, returning\n", type, ss->cb_count); | ||
108 | return NULL; | ||
109 | } | ||
110 | |||
111 | return &ss->cb[cb_id]; | ||
112 | } | ||
113 | |||
114 | void __nfa_fill(struct sk_buff *skb, int attrtype, int attrlen, | ||
115 | const void *data) | ||
116 | { | ||
117 | struct nfattr *nfa; | ||
118 | int size = NFA_LENGTH(attrlen); | ||
119 | |||
120 | nfa = (struct nfattr *)skb_put(skb, NFA_ALIGN(size)); | ||
121 | nfa->nfa_type = attrtype; | ||
122 | nfa->nfa_len = size; | ||
123 | memcpy(NFA_DATA(nfa), data, attrlen); | ||
124 | } | ||
125 | |||
126 | int nfattr_parse(struct nfattr *tb[], int maxattr, struct nfattr *nfa, int len) | ||
127 | { | ||
128 | memset(tb, 0, sizeof(struct nfattr *) * maxattr); | ||
129 | |||
130 | while (NFA_OK(nfa, len)) { | ||
131 | unsigned flavor = nfa->nfa_type; | ||
132 | if (flavor && flavor <= maxattr) | ||
133 | tb[flavor-1] = nfa; | ||
134 | nfa = NFA_NEXT(nfa, len); | ||
135 | } | ||
136 | |||
137 | return 0; | ||
138 | } | ||
139 | |||
140 | /** | ||
141 | * nfnetlink_check_attributes - check and parse nfnetlink attributes | ||
142 | * | ||
143 | * subsys: nfnl subsystem for which this message is to be parsed | ||
144 | * nlmsghdr: netlink message to be checked/parsed | ||
145 | * cda: array of pointers, needs to be at least subsys->attr_count big | ||
146 | * | ||
147 | */ | ||
148 | static int | ||
149 | nfnetlink_check_attributes(struct nfnetlink_subsystem *subsys, | ||
150 | struct nlmsghdr *nlh, struct nfattr *cda[]) | ||
151 | { | ||
152 | int min_len; | ||
153 | |||
154 | memset(cda, 0, sizeof(struct nfattr *) * subsys->attr_count); | ||
155 | |||
156 | /* check attribute lengths. */ | ||
157 | min_len = NLMSG_ALIGN(sizeof(struct nfgenmsg)); | ||
158 | if (nlh->nlmsg_len < min_len) | ||
159 | return -EINVAL; | ||
160 | |||
161 | if (nlh->nlmsg_len > min_len) { | ||
162 | struct nfattr *attr = NFM_NFA(NLMSG_DATA(nlh)); | ||
163 | int attrlen = nlh->nlmsg_len - NLMSG_ALIGN(min_len); | ||
164 | |||
165 | while (NFA_OK(attr, attrlen)) { | ||
166 | unsigned flavor = attr->nfa_type; | ||
167 | if (flavor) { | ||
168 | if (flavor > subsys->attr_count) | ||
169 | return -EINVAL; | ||
170 | cda[flavor - 1] = attr; | ||
171 | } | ||
172 | attr = NFA_NEXT(attr, attrlen); | ||
173 | } | ||
174 | } else | ||
175 | return -EINVAL; | ||
176 | |||
177 | return 0; | ||
178 | } | ||
179 | |||
180 | int nfnetlink_send(struct sk_buff *skb, u32 pid, unsigned group, int echo) | ||
181 | { | ||
182 | int allocation = in_interrupt() ? GFP_ATOMIC : GFP_KERNEL; | ||
183 | int err = 0; | ||
184 | |||
185 | NETLINK_CB(skb).dst_groups = group; | ||
186 | if (echo) | ||
187 | atomic_inc(&skb->users); | ||
188 | netlink_broadcast(nfnl, skb, pid, group, allocation); | ||
189 | if (echo) | ||
190 | err = netlink_unicast(nfnl, skb, pid, MSG_DONTWAIT); | ||
191 | |||
192 | return err; | ||
193 | } | ||
194 | |||
195 | int nfnetlink_unicast(struct sk_buff *skb, u_int32_t pid, int flags) | ||
196 | { | ||
197 | return netlink_unicast(nfnl, skb, pid, flags); | ||
198 | } | ||
199 | |||
200 | /* Process one complete nfnetlink message. */ | ||
201 | static inline int nfnetlink_rcv_msg(struct sk_buff *skb, | ||
202 | struct nlmsghdr *nlh, int *errp) | ||
203 | { | ||
204 | struct nfnl_callback *nc; | ||
205 | struct nfnetlink_subsystem *ss; | ||
206 | int type, err = 0; | ||
207 | |||
208 | DEBUGP("entered; subsys=%u, msgtype=%u\n", | ||
209 | NFNL_SUBSYS_ID(nlh->nlmsg_type), | ||
210 | NFNL_MSG_TYPE(nlh->nlmsg_type)); | ||
211 | |||
212 | /* Only requests are handled by kernel now. */ | ||
213 | if (!(nlh->nlmsg_flags & NLM_F_REQUEST)) { | ||
214 | DEBUGP("received non-request message\n"); | ||
215 | return 0; | ||
216 | } | ||
217 | |||
218 | /* All the messages must at least contain nfgenmsg */ | ||
219 | if (nlh->nlmsg_len < | ||
220 | NLMSG_LENGTH(NLMSG_ALIGN(sizeof(struct nfgenmsg)))) { | ||
221 | DEBUGP("received message was too short\n"); | ||
222 | return 0; | ||
223 | } | ||
224 | |||
225 | type = nlh->nlmsg_type; | ||
226 | ss = nfnetlink_get_subsys(type); | ||
227 | if (!ss) | ||
228 | goto err_inval; | ||
229 | |||
230 | nc = nfnetlink_find_client(type, ss); | ||
231 | if (!nc) { | ||
232 | DEBUGP("unable to find client for type %d\n", type); | ||
233 | goto err_inval; | ||
234 | } | ||
235 | |||
236 | if (nc->cap_required && | ||
237 | !cap_raised(NETLINK_CB(skb).eff_cap, nc->cap_required)) { | ||
238 | DEBUGP("permission denied for type %d\n", type); | ||
239 | *errp = -EPERM; | ||
240 | return -1; | ||
241 | } | ||
242 | |||
243 | { | ||
244 | struct nfattr *cda[ss->attr_count]; | ||
245 | |||
246 | memset(cda, 0, ss->attr_count*sizeof(struct nfattr *)); | ||
247 | |||
248 | err = nfnetlink_check_attributes(ss, nlh, cda); | ||
249 | if (err < 0) | ||
250 | goto err_inval; | ||
251 | |||
252 | err = nc->call(nfnl, skb, nlh, cda, errp); | ||
253 | *errp = err; | ||
254 | return err; | ||
255 | } | ||
256 | |||
257 | err_inval: | ||
258 | *errp = -EINVAL; | ||
259 | return -1; | ||
260 | } | ||
261 | |||
262 | /* Process one packet of messages. */ | ||
263 | static inline int nfnetlink_rcv_skb(struct sk_buff *skb) | ||
264 | { | ||
265 | int err; | ||
266 | struct nlmsghdr *nlh; | ||
267 | |||
268 | while (skb->len >= NLMSG_SPACE(0)) { | ||
269 | u32 rlen; | ||
270 | |||
271 | nlh = (struct nlmsghdr *)skb->data; | ||
272 | if (nlh->nlmsg_len < sizeof(struct nlmsghdr) | ||
273 | || skb->len < nlh->nlmsg_len) | ||
274 | return 0; | ||
275 | rlen = NLMSG_ALIGN(nlh->nlmsg_len); | ||
276 | if (rlen > skb->len) | ||
277 | rlen = skb->len; | ||
278 | if (nfnetlink_rcv_msg(skb, nlh, &err)) { | ||
279 | if (!err) | ||
280 | return -1; | ||
281 | netlink_ack(skb, nlh, err); | ||
282 | } else | ||
283 | if (nlh->nlmsg_flags & NLM_F_ACK) | ||
284 | netlink_ack(skb, nlh, 0); | ||
285 | skb_pull(skb, rlen); | ||
286 | } | ||
287 | |||
288 | return 0; | ||
289 | } | ||
290 | |||
291 | static void nfnetlink_rcv(struct sock *sk, int len) | ||
292 | { | ||
293 | do { | ||
294 | struct sk_buff *skb; | ||
295 | |||
296 | if (nfnl_shlock_nowait()) | ||
297 | return; | ||
298 | |||
299 | while ((skb = skb_dequeue(&sk->sk_receive_queue)) != NULL) { | ||
300 | if (nfnetlink_rcv_skb(skb)) { | ||
301 | if (skb->len) | ||
302 | skb_queue_head(&sk->sk_receive_queue, | ||
303 | skb); | ||
304 | else | ||
305 | kfree_skb(skb); | ||
306 | break; | ||
307 | } | ||
308 | kfree_skb(skb); | ||
309 | } | ||
310 | |||
311 | up(&nfnl_sem); | ||
312 | } while(nfnl && nfnl->sk_receive_queue.qlen); | ||
313 | } | ||
314 | |||
315 | void __exit nfnetlink_exit(void) | ||
316 | { | ||
317 | printk("Removing netfilter NETLINK layer.\n"); | ||
318 | sock_release(nfnl->sk_socket); | ||
319 | return; | ||
320 | } | ||
321 | |||
322 | int __init nfnetlink_init(void) | ||
323 | { | ||
324 | printk("Netfilter messages via NETLINK v%s.\n", nfversion); | ||
325 | |||
326 | nfnl = netlink_kernel_create(NETLINK_NETFILTER, nfnetlink_rcv); | ||
327 | if (!nfnl) { | ||
328 | printk(KERN_ERR "cannot initialize nfnetlink!\n"); | ||
329 | return -1; | ||
330 | } | ||
331 | |||
332 | return 0; | ||
333 | } | ||
334 | |||
335 | module_init(nfnetlink_init); | ||
336 | module_exit(nfnetlink_exit); | ||
337 | |||
338 | EXPORT_SYMBOL_GPL(nfnetlink_subsys_register); | ||
339 | EXPORT_SYMBOL_GPL(nfnetlink_subsys_unregister); | ||
340 | EXPORT_SYMBOL_GPL(nfnetlink_send); | ||
341 | EXPORT_SYMBOL_GPL(nfnetlink_unicast); | ||
342 | EXPORT_SYMBOL_GPL(nfattr_parse); | ||
343 | EXPORT_SYMBOL_GPL(__nfa_fill); | ||