Commit e8179610 authored by Gao feng's avatar Gao feng Committed by Pablo Neira Ayuso

netfilter: nfnetlink_queue: add net namespace support for nfnetlink_queue

This patch makes /proc/net/netfilter/nfnetlink_queue pernet.
Moreover, there's a pernet instance table and lock.
Signed-off-by: default avatarGao feng <gaofeng@cn.fujitsu.com>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 5b023fc8
...@@ -30,6 +30,7 @@ ...@@ -30,6 +30,7 @@
#include <linux/list.h> #include <linux/list.h>
#include <net/sock.h> #include <net/sock.h>
#include <net/netfilter/nf_queue.h> #include <net/netfilter/nf_queue.h>
#include <net/netns/generic.h>
#include <net/netfilter/nfnetlink_queue.h> #include <net/netfilter/nfnetlink_queue.h>
#include <linux/atomic.h> #include <linux/atomic.h>
...@@ -66,10 +67,18 @@ struct nfqnl_instance { ...@@ -66,10 +67,18 @@ struct nfqnl_instance {
typedef int (*nfqnl_cmpfn)(struct nf_queue_entry *, unsigned long); typedef int (*nfqnl_cmpfn)(struct nf_queue_entry *, unsigned long);
static DEFINE_SPINLOCK(instances_lock); static int nfnl_queue_net_id __read_mostly;
#define INSTANCE_BUCKETS 16 #define INSTANCE_BUCKETS 16
static struct hlist_head instance_table[INSTANCE_BUCKETS] __read_mostly; struct nfnl_queue_net {
spinlock_t instances_lock;
struct hlist_head instance_table[INSTANCE_BUCKETS];
};
static struct nfnl_queue_net *nfnl_queue_pernet(struct net *net)
{
return net_generic(net, nfnl_queue_net_id);
}
static inline u_int8_t instance_hashfn(u_int16_t queue_num) static inline u_int8_t instance_hashfn(u_int16_t queue_num)
{ {
...@@ -77,12 +86,12 @@ static inline u_int8_t instance_hashfn(u_int16_t queue_num) ...@@ -77,12 +86,12 @@ static inline u_int8_t instance_hashfn(u_int16_t queue_num)
} }
static struct nfqnl_instance * static struct nfqnl_instance *
instance_lookup(u_int16_t queue_num) instance_lookup(struct nfnl_queue_net *q, u_int16_t queue_num)
{ {
struct hlist_head *head; struct hlist_head *head;
struct nfqnl_instance *inst; struct nfqnl_instance *inst;
head = &instance_table[instance_hashfn(queue_num)]; head = &q->instance_table[instance_hashfn(queue_num)];
hlist_for_each_entry_rcu(inst, head, hlist) { hlist_for_each_entry_rcu(inst, head, hlist) {
if (inst->queue_num == queue_num) if (inst->queue_num == queue_num)
return inst; return inst;
...@@ -91,14 +100,15 @@ instance_lookup(u_int16_t queue_num) ...@@ -91,14 +100,15 @@ instance_lookup(u_int16_t queue_num)
} }
static struct nfqnl_instance * static struct nfqnl_instance *
instance_create(u_int16_t queue_num, int portid) instance_create(struct nfnl_queue_net *q, u_int16_t queue_num,
int portid)
{ {
struct nfqnl_instance *inst; struct nfqnl_instance *inst;
unsigned int h; unsigned int h;
int err; int err;
spin_lock(&instances_lock); spin_lock(&q->instances_lock);
if (instance_lookup(queue_num)) { if (instance_lookup(q, queue_num)) {
err = -EEXIST; err = -EEXIST;
goto out_unlock; goto out_unlock;
} }
...@@ -123,16 +133,16 @@ instance_create(u_int16_t queue_num, int portid) ...@@ -123,16 +133,16 @@ instance_create(u_int16_t queue_num, int portid)
} }
h = instance_hashfn(queue_num); h = instance_hashfn(queue_num);
hlist_add_head_rcu(&inst->hlist, &instance_table[h]); hlist_add_head_rcu(&inst->hlist, &q->instance_table[h]);
spin_unlock(&instances_lock); spin_unlock(&q->instances_lock);
return inst; return inst;
out_free: out_free:
kfree(inst); kfree(inst);
out_unlock: out_unlock:
spin_unlock(&instances_lock); spin_unlock(&q->instances_lock);
return ERR_PTR(err); return ERR_PTR(err);
} }
...@@ -158,11 +168,11 @@ __instance_destroy(struct nfqnl_instance *inst) ...@@ -158,11 +168,11 @@ __instance_destroy(struct nfqnl_instance *inst)
} }
static void static void
instance_destroy(struct nfqnl_instance *inst) instance_destroy(struct nfnl_queue_net *q, struct nfqnl_instance *inst)
{ {
spin_lock(&instances_lock); spin_lock(&q->instances_lock);
__instance_destroy(inst); __instance_destroy(inst);
spin_unlock(&instances_lock); spin_unlock(&q->instances_lock);
} }
static inline void static inline void
...@@ -473,9 +483,12 @@ nfqnl_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum) ...@@ -473,9 +483,12 @@ nfqnl_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum)
int err = -ENOBUFS; int err = -ENOBUFS;
__be32 *packet_id_ptr; __be32 *packet_id_ptr;
int failopen = 0; int failopen = 0;
struct net *net = dev_net(entry->indev ?
entry->indev : entry->outdev);
struct nfnl_queue_net *q = nfnl_queue_pernet(net);
/* rcu_read_lock()ed by nf_hook_slow() */ /* rcu_read_lock()ed by nf_hook_slow() */
queue = instance_lookup(queuenum); queue = instance_lookup(q, queuenum);
if (!queue) { if (!queue) {
err = -ESRCH; err = -ESRCH;
goto err_out; goto err_out;
...@@ -512,7 +525,7 @@ nfqnl_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum) ...@@ -512,7 +525,7 @@ nfqnl_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum)
*packet_id_ptr = htonl(entry->id); *packet_id_ptr = htonl(entry->id);
/* nfnetlink_unicast will either free the nskb or add it to a socket */ /* nfnetlink_unicast will either free the nskb or add it to a socket */
err = nfnetlink_unicast(nskb, &init_net, queue->peer_portid, MSG_DONTWAIT); err = nfnetlink_unicast(nskb, net, queue->peer_portid, MSG_DONTWAIT);
if (err < 0) { if (err < 0) {
queue->queue_user_dropped++; queue->queue_user_dropped++;
goto err_out_unlock; goto err_out_unlock;
...@@ -625,15 +638,16 @@ dev_cmp(struct nf_queue_entry *entry, unsigned long ifindex) ...@@ -625,15 +638,16 @@ dev_cmp(struct nf_queue_entry *entry, unsigned long ifindex)
/* drop all packets with either indev or outdev == ifindex from all queue /* drop all packets with either indev or outdev == ifindex from all queue
* instances */ * instances */
static void static void
nfqnl_dev_drop(int ifindex) nfqnl_dev_drop(struct net *net, int ifindex)
{ {
int i; int i;
struct nfnl_queue_net *q = nfnl_queue_pernet(net);
rcu_read_lock(); rcu_read_lock();
for (i = 0; i < INSTANCE_BUCKETS; i++) { for (i = 0; i < INSTANCE_BUCKETS; i++) {
struct nfqnl_instance *inst; struct nfqnl_instance *inst;
struct hlist_head *head = &instance_table[i]; struct hlist_head *head = &q->instance_table[i];
hlist_for_each_entry_rcu(inst, head, hlist) hlist_for_each_entry_rcu(inst, head, hlist)
nfqnl_flush(inst, dev_cmp, ifindex); nfqnl_flush(inst, dev_cmp, ifindex);
...@@ -650,12 +664,9 @@ nfqnl_rcv_dev_event(struct notifier_block *this, ...@@ -650,12 +664,9 @@ nfqnl_rcv_dev_event(struct notifier_block *this,
{ {
struct net_device *dev = ptr; struct net_device *dev = ptr;
if (!net_eq(dev_net(dev), &init_net))
return NOTIFY_DONE;
/* Drop any packets associated with the downed device */ /* Drop any packets associated with the downed device */
if (event == NETDEV_DOWN) if (event == NETDEV_DOWN)
nfqnl_dev_drop(dev->ifindex); nfqnl_dev_drop(dev_net(dev), dev->ifindex);
return NOTIFY_DONE; return NOTIFY_DONE;
} }
...@@ -668,24 +679,24 @@ nfqnl_rcv_nl_event(struct notifier_block *this, ...@@ -668,24 +679,24 @@ nfqnl_rcv_nl_event(struct notifier_block *this,
unsigned long event, void *ptr) unsigned long event, void *ptr)
{ {
struct netlink_notify *n = ptr; struct netlink_notify *n = ptr;
struct nfnl_queue_net *q = nfnl_queue_pernet(n->net);
if (event == NETLINK_URELEASE && n->protocol == NETLINK_NETFILTER) { if (event == NETLINK_URELEASE && n->protocol == NETLINK_NETFILTER) {
int i; int i;
/* destroy all instances for this portid */ /* destroy all instances for this portid */
spin_lock(&instances_lock); spin_lock(&q->instances_lock);
for (i = 0; i < INSTANCE_BUCKETS; i++) { for (i = 0; i < INSTANCE_BUCKETS; i++) {
struct hlist_node *t2; struct hlist_node *t2;
struct nfqnl_instance *inst; struct nfqnl_instance *inst;
struct hlist_head *head = &instance_table[i]; struct hlist_head *head = &q->instance_table[i];
hlist_for_each_entry_safe(inst, t2, head, hlist) { hlist_for_each_entry_safe(inst, t2, head, hlist) {
if ((n->net == &init_net) && if (n->portid == inst->peer_portid)
(n->portid == inst->peer_portid))
__instance_destroy(inst); __instance_destroy(inst);
} }
} }
spin_unlock(&instances_lock); spin_unlock(&q->instances_lock);
} }
return NOTIFY_DONE; return NOTIFY_DONE;
} }
...@@ -706,11 +717,12 @@ static const struct nla_policy nfqa_verdict_batch_policy[NFQA_MAX+1] = { ...@@ -706,11 +717,12 @@ static const struct nla_policy nfqa_verdict_batch_policy[NFQA_MAX+1] = {
[NFQA_MARK] = { .type = NLA_U32 }, [NFQA_MARK] = { .type = NLA_U32 },
}; };
static struct nfqnl_instance *verdict_instance_lookup(u16 queue_num, int nlportid) static struct nfqnl_instance *
verdict_instance_lookup(struct nfnl_queue_net *q, u16 queue_num, int nlportid)
{ {
struct nfqnl_instance *queue; struct nfqnl_instance *queue;
queue = instance_lookup(queue_num); queue = instance_lookup(q, queue_num);
if (!queue) if (!queue)
return ERR_PTR(-ENODEV); return ERR_PTR(-ENODEV);
...@@ -754,7 +766,11 @@ nfqnl_recv_verdict_batch(struct sock *ctnl, struct sk_buff *skb, ...@@ -754,7 +766,11 @@ nfqnl_recv_verdict_batch(struct sock *ctnl, struct sk_buff *skb,
LIST_HEAD(batch_list); LIST_HEAD(batch_list);
u16 queue_num = ntohs(nfmsg->res_id); u16 queue_num = ntohs(nfmsg->res_id);
queue = verdict_instance_lookup(queue_num, NETLINK_CB(skb).portid); struct net *net = sock_net(ctnl);
struct nfnl_queue_net *q = nfnl_queue_pernet(net);
queue = verdict_instance_lookup(q, queue_num,
NETLINK_CB(skb).portid);
if (IS_ERR(queue)) if (IS_ERR(queue))
return PTR_ERR(queue); return PTR_ERR(queue);
...@@ -802,10 +818,13 @@ nfqnl_recv_verdict(struct sock *ctnl, struct sk_buff *skb, ...@@ -802,10 +818,13 @@ nfqnl_recv_verdict(struct sock *ctnl, struct sk_buff *skb,
enum ip_conntrack_info uninitialized_var(ctinfo); enum ip_conntrack_info uninitialized_var(ctinfo);
struct nf_conn *ct = NULL; struct nf_conn *ct = NULL;
queue = instance_lookup(queue_num); struct net *net = sock_net(ctnl);
if (!queue) struct nfnl_queue_net *q = nfnl_queue_pernet(net);
queue = verdict_instance_lookup(queue_num, NETLINK_CB(skb).portid); queue = instance_lookup(q, queue_num);
if (!queue)
queue = verdict_instance_lookup(q, queue_num,
NETLINK_CB(skb).portid);
if (IS_ERR(queue)) if (IS_ERR(queue))
return PTR_ERR(queue); return PTR_ERR(queue);
...@@ -869,6 +888,8 @@ nfqnl_recv_config(struct sock *ctnl, struct sk_buff *skb, ...@@ -869,6 +888,8 @@ nfqnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
u_int16_t queue_num = ntohs(nfmsg->res_id); u_int16_t queue_num = ntohs(nfmsg->res_id);
struct nfqnl_instance *queue; struct nfqnl_instance *queue;
struct nfqnl_msg_config_cmd *cmd = NULL; struct nfqnl_msg_config_cmd *cmd = NULL;
struct net *net = sock_net(ctnl);
struct nfnl_queue_net *q = nfnl_queue_pernet(net);
int ret = 0; int ret = 0;
if (nfqa[NFQA_CFG_CMD]) { if (nfqa[NFQA_CFG_CMD]) {
...@@ -882,7 +903,7 @@ nfqnl_recv_config(struct sock *ctnl, struct sk_buff *skb, ...@@ -882,7 +903,7 @@ nfqnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
} }
rcu_read_lock(); rcu_read_lock();
queue = instance_lookup(queue_num); queue = instance_lookup(q, queue_num);
if (queue && queue->peer_portid != NETLINK_CB(skb).portid) { if (queue && queue->peer_portid != NETLINK_CB(skb).portid) {
ret = -EPERM; ret = -EPERM;
goto err_out_unlock; goto err_out_unlock;
...@@ -895,7 +916,8 @@ nfqnl_recv_config(struct sock *ctnl, struct sk_buff *skb, ...@@ -895,7 +916,8 @@ nfqnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
ret = -EBUSY; ret = -EBUSY;
goto err_out_unlock; goto err_out_unlock;
} }
queue = instance_create(queue_num, NETLINK_CB(skb).portid); queue = instance_create(q, queue_num,
NETLINK_CB(skb).portid);
if (IS_ERR(queue)) { if (IS_ERR(queue)) {
ret = PTR_ERR(queue); ret = PTR_ERR(queue);
goto err_out_unlock; goto err_out_unlock;
...@@ -906,7 +928,7 @@ nfqnl_recv_config(struct sock *ctnl, struct sk_buff *skb, ...@@ -906,7 +928,7 @@ nfqnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
ret = -ENODEV; ret = -ENODEV;
goto err_out_unlock; goto err_out_unlock;
} }
instance_destroy(queue); instance_destroy(q, queue);
break; break;
case NFQNL_CFG_CMD_PF_BIND: case NFQNL_CFG_CMD_PF_BIND:
case NFQNL_CFG_CMD_PF_UNBIND: case NFQNL_CFG_CMD_PF_UNBIND:
...@@ -1000,19 +1022,24 @@ static const struct nfnetlink_subsystem nfqnl_subsys = { ...@@ -1000,19 +1022,24 @@ static const struct nfnetlink_subsystem nfqnl_subsys = {
#ifdef CONFIG_PROC_FS #ifdef CONFIG_PROC_FS
struct iter_state { struct iter_state {
struct seq_net_private p;
unsigned int bucket; unsigned int bucket;
}; };
static struct hlist_node *get_first(struct seq_file *seq) static struct hlist_node *get_first(struct seq_file *seq)
{ {
struct iter_state *st = seq->private; struct iter_state *st = seq->private;
struct net *net;
struct nfnl_queue_net *q;
if (!st) if (!st)
return NULL; return NULL;
net = seq_file_net(seq);
q = nfnl_queue_pernet(net);
for (st->bucket = 0; st->bucket < INSTANCE_BUCKETS; st->bucket++) { for (st->bucket = 0; st->bucket < INSTANCE_BUCKETS; st->bucket++) {
if (!hlist_empty(&instance_table[st->bucket])) if (!hlist_empty(&q->instance_table[st->bucket]))
return instance_table[st->bucket].first; return q->instance_table[st->bucket].first;
} }
return NULL; return NULL;
} }
...@@ -1020,13 +1047,17 @@ static struct hlist_node *get_first(struct seq_file *seq) ...@@ -1020,13 +1047,17 @@ static struct hlist_node *get_first(struct seq_file *seq)
static struct hlist_node *get_next(struct seq_file *seq, struct hlist_node *h) static struct hlist_node *get_next(struct seq_file *seq, struct hlist_node *h)
{ {
struct iter_state *st = seq->private; struct iter_state *st = seq->private;
struct net *net = seq_file_net(seq);
h = h->next; h = h->next;
while (!h) { while (!h) {
struct nfnl_queue_net *q;
if (++st->bucket >= INSTANCE_BUCKETS) if (++st->bucket >= INSTANCE_BUCKETS)
return NULL; return NULL;
h = instance_table[st->bucket].first; q = nfnl_queue_pernet(net);
h = q->instance_table[st->bucket].first;
} }
return h; return h;
} }
...@@ -1042,11 +1073,11 @@ static struct hlist_node *get_idx(struct seq_file *seq, loff_t pos) ...@@ -1042,11 +1073,11 @@ static struct hlist_node *get_idx(struct seq_file *seq, loff_t pos)
return pos ? NULL : head; return pos ? NULL : head;
} }
static void *seq_start(struct seq_file *seq, loff_t *pos) static void *seq_start(struct seq_file *s, loff_t *pos)
__acquires(instances_lock) __acquires(nfnl_queue_pernet(seq_file_net(s))->instances_lock)
{ {
spin_lock(&instances_lock); spin_lock(&nfnl_queue_pernet(seq_file_net(s))->instances_lock);
return get_idx(seq, *pos); return get_idx(s, *pos);
} }
static void *seq_next(struct seq_file *s, void *v, loff_t *pos) static void *seq_next(struct seq_file *s, void *v, loff_t *pos)
...@@ -1056,9 +1087,9 @@ static void *seq_next(struct seq_file *s, void *v, loff_t *pos) ...@@ -1056,9 +1087,9 @@ static void *seq_next(struct seq_file *s, void *v, loff_t *pos)
} }
static void seq_stop(struct seq_file *s, void *v) static void seq_stop(struct seq_file *s, void *v)
__releases(instances_lock) __releases(nfnl_queue_pernet(seq_file_net(s))->instances_lock)
{ {
spin_unlock(&instances_lock); spin_unlock(&nfnl_queue_pernet(seq_file_net(s))->instances_lock);
} }
static int seq_show(struct seq_file *s, void *v) static int seq_show(struct seq_file *s, void *v)
...@@ -1082,7 +1113,7 @@ static const struct seq_operations nfqnl_seq_ops = { ...@@ -1082,7 +1113,7 @@ static const struct seq_operations nfqnl_seq_ops = {
static int nfqnl_open(struct inode *inode, struct file *file) static int nfqnl_open(struct inode *inode, struct file *file)
{ {
return seq_open_private(file, &nfqnl_seq_ops, return seq_open_net(inode, file, &nfqnl_seq_ops,
sizeof(struct iter_state)); sizeof(struct iter_state));
} }
...@@ -1091,39 +1122,63 @@ static const struct file_operations nfqnl_file_ops = { ...@@ -1091,39 +1122,63 @@ static const struct file_operations nfqnl_file_ops = {
.open = nfqnl_open, .open = nfqnl_open,
.read = seq_read, .read = seq_read,
.llseek = seq_lseek, .llseek = seq_lseek,
.release = seq_release_private, .release = seq_release_net,
}; };
#endif /* PROC_FS */ #endif /* PROC_FS */
static int __init nfnetlink_queue_init(void) static int __net_init nfnl_queue_net_init(struct net *net)
{ {
int i, status = -ENOMEM; unsigned int i;
struct nfnl_queue_net *q = nfnl_queue_pernet(net);
for (i = 0; i < INSTANCE_BUCKETS; i++) for (i = 0; i < INSTANCE_BUCKETS; i++)
INIT_HLIST_HEAD(&instance_table[i]); INIT_HLIST_HEAD(&q->instance_table[i]);
spin_lock_init(&q->instances_lock);
#ifdef CONFIG_PROC_FS
if (!proc_create("nfnetlink_queue", 0440,
net->nf.proc_netfilter, &nfqnl_file_ops))
return -ENOMEM;
#endif
return 0;
}
static void __net_exit nfnl_queue_net_exit(struct net *net)
{
remove_proc_entry("nfnetlink_queue", net->nf.proc_netfilter);
}
static struct pernet_operations nfnl_queue_net_ops = {
.init = nfnl_queue_net_init,
.exit = nfnl_queue_net_exit,
.id = &nfnl_queue_net_id,
.size = sizeof(struct nfnl_queue_net),
};
static int __init nfnetlink_queue_init(void)
{
int status = -ENOMEM;
netlink_register_notifier(&nfqnl_rtnl_notifier); netlink_register_notifier(&nfqnl_rtnl_notifier);
status = nfnetlink_subsys_register(&nfqnl_subsys); status = nfnetlink_subsys_register(&nfqnl_subsys);
if (status < 0) { if (status < 0) {
printk(KERN_ERR "nf_queue: failed to create netlink socket\n"); pr_err("nf_queue: failed to create netlink socket\n");
goto cleanup_netlink_notifier; goto cleanup_netlink_notifier;
} }
#ifdef CONFIG_PROC_FS status = register_pernet_subsys(&nfnl_queue_net_ops);
if (!proc_create("nfnetlink_queue", 0440, if (status < 0) {
proc_net_netfilter, &nfqnl_file_ops)) pr_err("nf_queue: failed to register pernet ops\n");
goto cleanup_subsys; goto cleanup_subsys;
#endif }
register_netdevice_notifier(&nfqnl_dev_notifier); register_netdevice_notifier(&nfqnl_dev_notifier);
nf_register_queue_handler(&nfqh); nf_register_queue_handler(&nfqh);
return status; return status;
#ifdef CONFIG_PROC_FS
cleanup_subsys: cleanup_subsys:
nfnetlink_subsys_unregister(&nfqnl_subsys); nfnetlink_subsys_unregister(&nfqnl_subsys);
#endif
cleanup_netlink_notifier: cleanup_netlink_notifier:
netlink_unregister_notifier(&nfqnl_rtnl_notifier); netlink_unregister_notifier(&nfqnl_rtnl_notifier);
return status; return status;
...@@ -1133,9 +1188,7 @@ static void __exit nfnetlink_queue_fini(void) ...@@ -1133,9 +1188,7 @@ static void __exit nfnetlink_queue_fini(void)
{ {
nf_unregister_queue_handler(); nf_unregister_queue_handler();
unregister_netdevice_notifier(&nfqnl_dev_notifier); unregister_netdevice_notifier(&nfqnl_dev_notifier);
#ifdef CONFIG_PROC_FS unregister_pernet_subsys(&nfnl_queue_net_ops);
remove_proc_entry("nfnetlink_queue", proc_net_netfilter);
#endif
nfnetlink_subsys_unregister(&nfqnl_subsys); nfnetlink_subsys_unregister(&nfqnl_subsys);
netlink_unregister_notifier(&nfqnl_rtnl_notifier); netlink_unregister_notifier(&nfqnl_rtnl_notifier);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment