Blame - net/ipv4/netfilter/iptable_filter.c - kernel/msm-4.9

blob: 7667f223d7f8c12321537919dbc5260c0813e474 [file] [log] [blame]

Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	1	/*
				2	* This is the 1999 rewrite of IP Firewalling, aiming for kernel 2.3.x.
				3	*
				4	* Copyright (C) 1999 Paul `Rusty' Russell & Michael J. Neuling
				5	* Copyright (C) 2000-2004 Netfilter Core Team <coreteam@netfilter.org>
				6	*
				7	* This program is free software; you can redistribute it and/or modify
				8	* it under the terms of the GNU General Public License version 2 as
				9	* published by the Free Software Foundation.
				10	*
				11	*/
				12
				13	#include <linux/module.h>
				14	#include <linux/moduleparam.h>
				15	#include <linux/netfilter_ipv4/ip_tables.h>
Tejun Heo	5a0e3ad	2010-03-24 17:04:11 +0900	[diff] [blame]	16	#include <linux/slab.h>
Arnaldo Carvalho de Melo	c9bdd4b	2007-03-12 20:09:15 -0300	[diff] [blame]	17	#include <net/ip.h>
Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	18
				19	MODULE_LICENSE("GPL");
				20	MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");
				21	MODULE_DESCRIPTION("iptables filter table");
				22
Patrick McHardy	6e23ae2	2007-11-19 18:53:30 -0800	[diff] [blame]	23	#define FILTER_VALID_HOOKS ((1 << NF_INET_LOCAL_IN) \| \
				24	(1 << NF_INET_FORWARD) \| \
				25	(1 << NF_INET_LOCAL_OUT))
Florian Westphal	b9e69e1	2016-02-25 10:08:36 +0100	[diff] [blame]	26	static int __net_init iptable_filter_table_init(struct net *net);
Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	27
Jan Engelhardt	35aad0f	2009-08-24 14:56:30 +0200	[diff] [blame]	28	static const struct xt_table packet_filter = {
Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	29	.name = "filter",
				30	.valid_hooks = FILTER_VALID_HOOKS,
Harald Welte	2e4e6a1	2006-01-12 13:30:04 -0800	[diff] [blame]	31	.me = THIS_MODULE,
Jan Engelhardt	f88e6a8	2009-06-13 06:25:44 +0200	[diff] [blame]	32	.af = NFPROTO_IPV4,
Jan Engelhardt	2b95efe	2009-06-17 13:57:48 +0200	[diff] [blame]	33	.priority = NF_IP_PRI_FILTER,
Florian Westphal	b9e69e1	2016-02-25 10:08:36 +0100	[diff] [blame]	34	.table_init = iptable_filter_table_init,
Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	35	};
				36
Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	37	static unsigned int
Eric W. Biederman	06198b3	2015-09-18 14:33:06 -0500	[diff] [blame]	38	iptable_filter_hook(void priv, struct sk_buff skb,
David S. Miller	238e54c	2015-04-03 20:32:56 -0400	[diff] [blame]	39	const struct nf_hook_state *state)
Alexey Dobriyan	666953df	2008-04-14 09:56:02 +0200	[diff] [blame]	40	{
Eric W. Biederman	6cb8ff3f1	2015-09-18 14:32:55 -0500	[diff] [blame]	41	if (state->hook == NF_INET_LOCAL_OUT &&
Jan Engelhardt	2b21e05	2009-06-13 06:57:10 +0200	[diff] [blame]	42	(skb->len < sizeof(struct iphdr) \|\|
				43	ip_hdrlen(skb) < sizeof(struct iphdr)))
				44	/* root is playing with raw sockets. */
				45	return NF_ACCEPT;
Jan Engelhardt	737535c	2009-06-13 06:46:36 +0200	[diff] [blame]	46
Eric W. Biederman	6cb8ff3f1	2015-09-18 14:32:55 -0500	[diff] [blame]	47	return ipt_do_table(skb, state, state->net->ipv4.iptable_filter);
Alexey Dobriyan	666953df	2008-04-14 09:56:02 +0200	[diff] [blame]	48	}
				49
Jan Engelhardt	2b95efe	2009-06-17 13:57:48 +0200	[diff] [blame]	50	static struct nf_hook_ops *filter_ops __read_mostly;
Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	51
				52	/* Default to forward because I got too much mail already. */
Florian Westphal	b9e69e1	2016-02-25 10:08:36 +0100	[diff] [blame]	53	static bool forward __read_mostly = true;
Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	54	module_param(forward, bool, 0000);
				55
Florian Westphal	b9e69e1	2016-02-25 10:08:36 +0100	[diff] [blame]	56	static int __net_init iptable_filter_table_init(struct net *net)
Alexey Dobriyan	9335f04	2008-01-31 04:03:23 -0800	[diff] [blame]	57	{
Jan Engelhardt	e3eaa99	2009-06-17 22:14:54 +0200	[diff] [blame]	58	struct ipt_replace *repl;
Florian Westphal	a67dd26	2016-02-25 10:08:35 +0100	[diff] [blame]	59	int err;
Jan Engelhardt	e3eaa99	2009-06-17 22:14:54 +0200	[diff] [blame]	60
Florian Westphal	b9e69e1	2016-02-25 10:08:36 +0100	[diff] [blame]	61	if (net->ipv4.iptable_filter)
				62	return 0;
				63
Jan Engelhardt	e3eaa99	2009-06-17 22:14:54 +0200	[diff] [blame]	64	repl = ipt_alloc_initial_table(&packet_filter);
				65	if (repl == NULL)
				66	return -ENOMEM;
				67	/* Entry 1 is the FORWARD hook */
				68	((struct ipt_standard *)repl->entries)[1].target.verdict =
Rusty Russell	523f610	2012-03-22 12:27:06 +0000	[diff] [blame]	69	forward ? -NF_ACCEPT - 1 : -NF_DROP - 1;
Jan Engelhardt	e3eaa99	2009-06-17 22:14:54 +0200	[diff] [blame]	70
Florian Westphal	a67dd26	2016-02-25 10:08:35 +0100	[diff] [blame]	71	err = ipt_register_table(net, &packet_filter, repl, filter_ops,
				72	&net->ipv4.iptable_filter);
Jan Engelhardt	e3eaa99	2009-06-17 22:14:54 +0200	[diff] [blame]	73	kfree(repl);
Florian Westphal	a67dd26	2016-02-25 10:08:35 +0100	[diff] [blame]	74	return err;
Alexey Dobriyan	9335f04	2008-01-31 04:03:23 -0800	[diff] [blame]	75	}
				76
Florian Westphal	b9e69e1	2016-02-25 10:08:36 +0100	[diff] [blame]	77	static int __net_init iptable_filter_net_init(struct net *net)
				78	{
				79	if (net == &init_net \|\| !forward)
				80	return iptable_filter_table_init(net);
				81
				82	return 0;
				83	}
				84
Alexey Dobriyan	9335f04	2008-01-31 04:03:23 -0800	[diff] [blame]	85	static void __net_exit iptable_filter_net_exit(struct net *net)
				86	{
Florian Westphal	b9e69e1	2016-02-25 10:08:36 +0100	[diff] [blame]	87	if (!net->ipv4.iptable_filter)
				88	return;
Florian Westphal	a67dd26	2016-02-25 10:08:35 +0100	[diff] [blame]	89	ipt_unregister_table(net, net->ipv4.iptable_filter, filter_ops);
Florian Westphal	b9e69e1	2016-02-25 10:08:36 +0100	[diff] [blame]	90	net->ipv4.iptable_filter = NULL;
Alexey Dobriyan	9335f04	2008-01-31 04:03:23 -0800	[diff] [blame]	91	}
				92
				93	static struct pernet_operations iptable_filter_net_ops = {
				94	.init = iptable_filter_net_init,
				95	.exit = iptable_filter_net_exit,
				96	};
				97
Andrew Morton	65b4b4e	2006-03-28 16:37:06 -0800	[diff] [blame]	98	static int __init iptable_filter_init(void)
Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	99	{
				100	int ret;
				101
Florian Westphal	b9e69e1	2016-02-25 10:08:36 +0100	[diff] [blame]	102	filter_ops = xt_hook_ops_alloc(&packet_filter, iptable_filter_hook);
				103	if (IS_ERR(filter_ops))
				104	return PTR_ERR(filter_ops);
				105
Alexey Dobriyan	9335f04	2008-01-31 04:03:23 -0800	[diff] [blame]	106	ret = register_pernet_subsys(&iptable_filter_net_ops);
				107	if (ret < 0)
Florian Westphal	b9e69e1	2016-02-25 10:08:36 +0100	[diff] [blame]	108	kfree(filter_ops);
Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	109
Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	110	return ret;
Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	111	}
				112
Andrew Morton	65b4b4e	2006-03-28 16:37:06 -0800	[diff] [blame]	113	static void __exit iptable_filter_fini(void)
Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	114	{
Alexey Dobriyan	9335f04	2008-01-31 04:03:23 -0800	[diff] [blame]	115	unregister_pernet_subsys(&iptable_filter_net_ops);
Florian Westphal	b9e69e1	2016-02-25 10:08:36 +0100	[diff] [blame]	116	kfree(filter_ops);
Linus Torvalds	1da177e	2005-04-16 15:20:36 -0700	[diff] [blame]	117	}
				118
Andrew Morton	65b4b4e	2006-03-28 16:37:06 -0800	[diff] [blame]	119	module_init(iptable_filter_init);
				120	module_exit(iptable_filter_fini);