aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorHarald Welte <laforge@netfilter.org>2005-08-09 22:30:24 -0400
committerDavid S. Miller <davem@sunset.davemloft.net>2005-08-29 18:31:29 -0400
commitf9e815b376dc19e6afc551cd755ac64e9e42d81f (patch)
tree1cbc3d1e64d3dd51404c8935e676beb468867979 /net
parentac3247baf8ecadf168642e3898b0212c29c79715 (diff)
[NETFITLER]: Add nfnetlink layer.
Introduce "nfnetlink" (netfilter netlink) layer. This layer is used as transport layer for all userspace communication of the new upcoming netfilter subsystems, such as ctnetlink, nfnetlink_queue and some day even the mythical pkttables ;) Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r--net/Kconfig2
-rw-r--r--net/Makefile1
-rw-r--r--net/netfilter/Kconfig5
-rw-r--r--net/netfilter/Makefile1
-rw-r--r--net/netfilter/nfnetlink.c343
5 files changed, 352 insertions, 0 deletions
diff --git a/net/Kconfig b/net/Kconfig
index 40a31ba86d2c..02877ac0f2f4 100644
--- a/net/Kconfig
+++ b/net/Kconfig
@@ -205,6 +205,8 @@ config NET_PKTGEN
205 To compile this code as a module, choose M here: the 205 To compile this code as a module, choose M here: the
206 module will be called pktgen. 206 module will be called pktgen.
207 207
208source "net/netfilter/Kconfig"
209
208endmenu 210endmenu
209 211
210endmenu 212endmenu
diff --git a/net/Makefile b/net/Makefile
index 8e2bdc025ab8..4a01be8d3e1e 100644
--- a/net/Makefile
+++ b/net/Makefile
@@ -16,6 +16,7 @@ obj-$(CONFIG_NET) += $(tmp-y)
16obj-$(CONFIG_LLC) += llc/ 16obj-$(CONFIG_LLC) += llc/
17obj-$(CONFIG_NET) += ethernet/ 802/ sched/ netlink/ 17obj-$(CONFIG_NET) += ethernet/ 802/ sched/ netlink/
18obj-$(CONFIG_INET) += ipv4/ 18obj-$(CONFIG_INET) += ipv4/
19obj-$(CONFIG_NETFILTER) += netfilter/
19obj-$(CONFIG_XFRM) += xfrm/ 20obj-$(CONFIG_XFRM) += xfrm/
20obj-$(CONFIG_UNIX) += unix/ 21obj-$(CONFIG_UNIX) += unix/
21ifneq ($(CONFIG_IPV6),) 22ifneq ($(CONFIG_IPV6),)
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
new file mode 100644
index 000000000000..3629d3d1776d
--- /dev/null
+++ b/net/netfilter/Kconfig
@@ -0,0 +1,5 @@
1config NETFILTER_NETLINK
2 tristate "Netfilter netlink interface"
3 help
4 If this option is enabled, the kernel will include support
5 for the new netfilter netlink interface.
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
new file mode 100644
index 000000000000..02e67d371941
--- /dev/null
+++ b/net/netfilter/Makefile
@@ -0,0 +1 @@
obj-$(CONFIG_NETFILTER_NETLINK) += nfnetlink.o
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
new file mode 100644
index 000000000000..710acd77cc4c
--- /dev/null
+++ b/net/netfilter/nfnetlink.c
@@ -0,0 +1,343 @@
1/* Netfilter messages via netlink socket. Allows for user space
2 * protocol helpers and general trouble making from userspace.
3 *
4 * (C) 2001 by Jay Schulist <jschlst@samba.org>,
5 * (C) 2002-2005 by Harald Welte <laforge@gnumonks.org>
6 * (C) 2005 by Pablo Neira Ayuso <pablo@eurodev.net>
7 *
8 * Initial netfilter messages via netlink development funded and
9 * generally made possible by Network Robots, Inc. (www.networkrobots.com)
10 *
11 * Further development of this code funded by Astaro AG (http://www.astaro.com)
12 *
13 * This software may be used and distributed according to the terms
14 * of the GNU General Public License, incorporated herein by reference.
15 */
16
17#include <linux/config.h>
18#include <linux/module.h>
19#include <linux/types.h>
20#include <linux/socket.h>
21#include <linux/kernel.h>
22#include <linux/major.h>
23#include <linux/sched.h>
24#include <linux/timer.h>
25#include <linux/string.h>
26#include <linux/sockios.h>
27#include <linux/net.h>
28#include <linux/fcntl.h>
29#include <linux/skbuff.h>
30#include <asm/uaccess.h>
31#include <asm/system.h>
32#include <net/sock.h>
33#include <linux/init.h>
34#include <linux/spinlock.h>
35
36#include <linux/netfilter.h>
37#include <linux/netlink.h>
38#include <linux/netfilter/nfnetlink.h>
39
40MODULE_LICENSE("GPL");
41
42static char __initdata nfversion[] = "0.30";
43
44#if 0
45#define DEBUGP printk
46#else
47#define DEBUGP(format, args...)
48#endif
49
50static struct sock *nfnl = NULL;
51static struct nfnetlink_subsystem *subsys_table[NFNL_SUBSYS_COUNT];
52DECLARE_MUTEX(nfnl_sem);
53
54void nfnl_lock(void)
55{
56 nfnl_shlock();
57}
58
59void nfnl_unlock(void)
60{
61 nfnl_shunlock();
62}
63
64int nfnetlink_subsys_register(struct nfnetlink_subsystem *n)
65{
66 DEBUGP("registering subsystem ID %u\n", n->subsys_id);
67
68 /* If the netlink socket wasn't created, then fail */
69 if (!nfnl)
70 return -1;
71
72 nfnl_lock();
73 subsys_table[n->subsys_id] = n;
74 nfnl_unlock();
75
76 return 0;
77}
78
79int nfnetlink_subsys_unregister(struct nfnetlink_subsystem *n)
80{
81 DEBUGP("unregistering subsystem ID %u\n", n->subsys_id);
82
83 nfnl_lock();
84 subsys_table[n->subsys_id] = NULL;
85 nfnl_unlock();
86
87 return 0;
88}
89
90static inline struct nfnetlink_subsystem *nfnetlink_get_subsys(u_int16_t type)
91{
92 u_int8_t subsys_id = NFNL_SUBSYS_ID(type);
93
94 if (subsys_id >= NFNL_SUBSYS_COUNT
95 || subsys_table[subsys_id] == NULL)
96 return NULL;
97
98 return subsys_table[subsys_id];
99}
100
101static inline struct nfnl_callback *
102nfnetlink_find_client(u_int16_t type, struct nfnetlink_subsystem *ss)
103{
104 u_int8_t cb_id = NFNL_MSG_TYPE(type);
105
106 if (cb_id >= ss->cb_count) {
107 DEBUGP("msgtype %u >= %u, returning\n", type, ss->cb_count);
108 return NULL;
109 }
110
111 return &ss->cb[cb_id];
112}
113
114void __nfa_fill(struct sk_buff *skb, int attrtype, int attrlen,
115 const void *data)
116{
117 struct nfattr *nfa;
118 int size = NFA_LENGTH(attrlen);
119
120 nfa = (struct nfattr *)skb_put(skb, NFA_ALIGN(size));
121 nfa->nfa_type = attrtype;
122 nfa->nfa_len = size;
123 memcpy(NFA_DATA(nfa), data, attrlen);
124}
125
126int nfattr_parse(struct nfattr *tb[], int maxattr, struct nfattr *nfa, int len)
127{
128 memset(tb, 0, sizeof(struct nfattr *) * maxattr);
129
130 while (NFA_OK(nfa, len)) {
131 unsigned flavor = nfa->nfa_type;
132 if (flavor && flavor <= maxattr)
133 tb[flavor-1] = nfa;
134 nfa = NFA_NEXT(nfa, len);
135 }
136
137 return 0;
138}
139
140/**
141 * nfnetlink_check_attributes - check and parse nfnetlink attributes
142 *
143 * subsys: nfnl subsystem for which this message is to be parsed
144 * nlmsghdr: netlink message to be checked/parsed
145 * cda: array of pointers, needs to be at least subsys->attr_count big
146 *
147 */
148static int
149nfnetlink_check_attributes(struct nfnetlink_subsystem *subsys,
150 struct nlmsghdr *nlh, struct nfattr *cda[])
151{
152 int min_len;
153
154 memset(cda, 0, sizeof(struct nfattr *) * subsys->attr_count);
155
156 /* check attribute lengths. */
157 min_len = NLMSG_ALIGN(sizeof(struct nfgenmsg));
158 if (nlh->nlmsg_len < min_len)
159 return -EINVAL;
160
161 if (nlh->nlmsg_len > min_len) {
162 struct nfattr *attr = NFM_NFA(NLMSG_DATA(nlh));
163 int attrlen = nlh->nlmsg_len - NLMSG_ALIGN(min_len);
164
165 while (NFA_OK(attr, attrlen)) {
166 unsigned flavor = attr->nfa_type;
167 if (flavor) {
168 if (flavor > subsys->attr_count)
169 return -EINVAL;
170 cda[flavor - 1] = attr;
171 }
172 attr = NFA_NEXT(attr, attrlen);
173 }
174 } else
175 return -EINVAL;
176
177 return 0;
178}
179
180int nfnetlink_send(struct sk_buff *skb, u32 pid, unsigned group, int echo)
181{
182 int allocation = in_interrupt() ? GFP_ATOMIC : GFP_KERNEL;
183 int err = 0;
184
185 NETLINK_CB(skb).dst_groups = group;
186 if (echo)
187 atomic_inc(&skb->users);
188 netlink_broadcast(nfnl, skb, pid, group, allocation);
189 if (echo)
190 err = netlink_unicast(nfnl, skb, pid, MSG_DONTWAIT);
191
192 return err;
193}
194
195int nfnetlink_unicast(struct sk_buff *skb, u_int32_t pid, int flags)
196{
197 return netlink_unicast(nfnl, skb, pid, flags);
198}
199
200/* Process one complete nfnetlink message. */
201static inline int nfnetlink_rcv_msg(struct sk_buff *skb,
202 struct nlmsghdr *nlh, int *errp)
203{
204 struct nfnl_callback *nc;
205 struct nfnetlink_subsystem *ss;
206 int type, err = 0;
207
208 DEBUGP("entered; subsys=%u, msgtype=%u\n",
209 NFNL_SUBSYS_ID(nlh->nlmsg_type),
210 NFNL_MSG_TYPE(nlh->nlmsg_type));
211
212 /* Only requests are handled by kernel now. */
213 if (!(nlh->nlmsg_flags & NLM_F_REQUEST)) {
214 DEBUGP("received non-request message\n");
215 return 0;
216 }
217
218 /* All the messages must at least contain nfgenmsg */
219 if (nlh->nlmsg_len <
220 NLMSG_LENGTH(NLMSG_ALIGN(sizeof(struct nfgenmsg)))) {
221 DEBUGP("received message was too short\n");
222 return 0;
223 }
224
225 type = nlh->nlmsg_type;
226 ss = nfnetlink_get_subsys(type);
227 if (!ss)
228 goto err_inval;
229
230 nc = nfnetlink_find_client(type, ss);
231 if (!nc) {
232 DEBUGP("unable to find client for type %d\n", type);
233 goto err_inval;
234 }
235
236 if (nc->cap_required &&
237 !cap_raised(NETLINK_CB(skb).eff_cap, nc->cap_required)) {
238 DEBUGP("permission denied for type %d\n", type);
239 *errp = -EPERM;
240 return -1;
241 }
242
243 {
244 struct nfattr *cda[ss->attr_count];
245
246 memset(cda, 0, ss->attr_count*sizeof(struct nfattr *));
247
248 err = nfnetlink_check_attributes(ss, nlh, cda);
249 if (err < 0)
250 goto err_inval;
251
252 err = nc->call(nfnl, skb, nlh, cda, errp);
253 *errp = err;
254 return err;
255 }
256
257err_inval:
258 *errp = -EINVAL;
259 return -1;
260}
261
262/* Process one packet of messages. */
263static inline int nfnetlink_rcv_skb(struct sk_buff *skb)
264{
265 int err;
266 struct nlmsghdr *nlh;
267
268 while (skb->len >= NLMSG_SPACE(0)) {
269 u32 rlen;
270
271 nlh = (struct nlmsghdr *)skb->data;
272 if (nlh->nlmsg_len < sizeof(struct nlmsghdr)
273 || skb->len < nlh->nlmsg_len)
274 return 0;
275 rlen = NLMSG_ALIGN(nlh->nlmsg_len);
276 if (rlen > skb->len)
277 rlen = skb->len;
278 if (nfnetlink_rcv_msg(skb, nlh, &err)) {
279 if (!err)
280 return -1;
281 netlink_ack(skb, nlh, err);
282 } else
283 if (nlh->nlmsg_flags & NLM_F_ACK)
284 netlink_ack(skb, nlh, 0);
285 skb_pull(skb, rlen);
286 }
287
288 return 0;
289}
290
291static void nfnetlink_rcv(struct sock *sk, int len)
292{
293 do {
294 struct sk_buff *skb;
295
296 if (nfnl_shlock_nowait())
297 return;
298
299 while ((skb = skb_dequeue(&sk->sk_receive_queue)) != NULL) {
300 if (nfnetlink_rcv_skb(skb)) {
301 if (skb->len)
302 skb_queue_head(&sk->sk_receive_queue,
303 skb);
304 else
305 kfree_skb(skb);
306 break;
307 }
308 kfree_skb(skb);
309 }
310
311 up(&nfnl_sem);
312 } while(nfnl && nfnl->sk_receive_queue.qlen);
313}
314
315void __exit nfnetlink_exit(void)
316{
317 printk("Removing netfilter NETLINK layer.\n");
318 sock_release(nfnl->sk_socket);
319 return;
320}
321
322int __init nfnetlink_init(void)
323{
324 printk("Netfilter messages via NETLINK v%s.\n", nfversion);
325
326 nfnl = netlink_kernel_create(NETLINK_NETFILTER, nfnetlink_rcv);
327 if (!nfnl) {
328 printk(KERN_ERR "cannot initialize nfnetlink!\n");
329 return -1;
330 }
331
332 return 0;
333}
334
335module_init(nfnetlink_init);
336module_exit(nfnetlink_exit);
337
338EXPORT_SYMBOL_GPL(nfnetlink_subsys_register);
339EXPORT_SYMBOL_GPL(nfnetlink_subsys_unregister);
340EXPORT_SYMBOL_GPL(nfnetlink_send);
341EXPORT_SYMBOL_GPL(nfnetlink_unicast);
342EXPORT_SYMBOL_GPL(nfattr_parse);
343EXPORT_SYMBOL_GPL(__nfa_fill);