1 | /* SPDX-License-Identifier: GPL-2.0 */ |
2 | /* |
3 | * Operations on the network namespace |
4 | */ |
5 | #ifndef __NET_NET_NAMESPACE_H |
6 | #define __NET_NET_NAMESPACE_H |
7 | |
8 | #include <linux/atomic.h> |
9 | #include <linux/refcount.h> |
10 | #include <linux/workqueue.h> |
11 | #include <linux/list.h> |
12 | #include <linux/sysctl.h> |
13 | #include <linux/uidgid.h> |
14 | |
15 | #include <net/flow.h> |
16 | #include <net/netns/core.h> |
17 | #include <net/netns/mib.h> |
18 | #include <net/netns/unix.h> |
19 | #include <net/netns/packet.h> |
20 | #include <net/netns/ipv4.h> |
21 | #include <net/netns/ipv6.h> |
22 | #include <net/netns/nexthop.h> |
23 | #include <net/netns/ieee802154_6lowpan.h> |
24 | #include <net/netns/sctp.h> |
25 | #include <net/netns/netfilter.h> |
26 | #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE) |
27 | #include <net/netns/conntrack.h> |
28 | #endif |
29 | #if IS_ENABLED(CONFIG_NF_FLOW_TABLE) |
30 | #include <net/netns/flow_table.h> |
31 | #endif |
32 | #include <net/netns/nftables.h> |
33 | #include <net/netns/xfrm.h> |
34 | #include <net/netns/mpls.h> |
35 | #include <net/netns/can.h> |
36 | #include <net/netns/xdp.h> |
37 | #include <net/netns/smc.h> |
38 | #include <net/netns/bpf.h> |
39 | #include <net/netns/mctp.h> |
40 | #include <net/net_trackers.h> |
41 | #include <linux/ns_common.h> |
42 | #include <linux/idr.h> |
43 | #include <linux/skbuff.h> |
44 | #include <linux/notifier.h> |
45 | |
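/* Forward declarations: this header only ever handles these types
 * through pointers, so their full definitions are not needed here.
 * ctl_table_header is the type register_net_sysctl() returns below.
 */
struct user_namespace;
struct proc_dir_entry;
struct net_device;
struct sock;
struct ctl_table_header;
struct net_generic;
struct uevent_sock;
struct netns_ipvs;
struct bpf_prog;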
55 | |
56 | |
/* Bucket count of the per-netns device hash tables (dev_name_head /
 * dev_index_head in struct net, presumably — the tables themselves are
 * allocated outside this header).
 */
#define NETDEV_HASHBITS    8
#define NETDEV_HASHENTRIES (1 << NETDEV_HASHBITS)
59 | |
struct net {
	/* First cache line can be often dirtied.
	 * Do not place here read-mostly fields.
	 */
	refcount_t		passive;	/* To decide when the network
						 * namespace should be freed.
						 * Distinct from ns.count below,
						 * which get_net()/put_net()
						 * manage.
						 */
	spinlock_t		rules_mod_lock;	/* presumably guards rules_ops
						 * (fib_rules) — confirm */

	atomic_t		dev_unreg_count;

	unsigned int		dev_base_seq;	/* protected by rtnl_mutex */
	int			ifindex;	/* ifindex allocator state;
						 * presumably the last index
						 * handed out — confirm */

	spinlock_t		nsid_lock;	/* presumably serialises
						 * netns_ids — confirm */
	atomic_t		fnhe_genid;	/* read by fnhe_genid(), bumped
						 * by fnhe_genid_bump() below */

	struct list_head	list;		/* list of network namespaces */
	struct list_head	exit_list;	/* Linked to call pernet exit
						 * methods on dead net (
						 * pernet_ops_rwsem read locked),
						 * or to unregister pernet ops
						 * (pernet_ops_rwsem write locked).
						 */
	struct llist_node	cleanup_list;	/* namespaces on death row */

#ifdef CONFIG_KEYS
	struct key_tag		*key_domain;	/* Key domain of operation tag */
#endif
	struct user_namespace   *user_ns;	/* Owning user namespace; its
						 * ids are what
						 * net_ns_get_ownership() reports */
	struct ucounts		*ucounts;	/* presumably the ucounts entry
						 * this namespace is charged
						 * against — confirm */
	struct idr		netns_ids;	/* ids of peer namespaces as seen
						 * from this one; see
						 * peernet2id_alloc() and friends */

	struct ns_common	ns;		/* ns.count is the reference taken
						 * by get_net()/maybe_get_net(),
						 * dropped by put_net() and
						 * sampled by check_net() */
	struct ref_tracker_dir  refcnt_tracker;	/* used by netns_tracker_alloc()/
						 * netns_tracker_free() when
						 * CONFIG_NET_NS_REFCNT_TRACKER
						 * is enabled */

	struct list_head 	dev_base_head;
	struct proc_dir_entry 	*proc_net;
	struct proc_dir_entry 	*proc_net_stat;

#ifdef CONFIG_SYSCTL
	struct ctl_table_set	sysctls;
#endif

	struct sock 		*rtnl;			/* rtnetlink socket */
	struct sock		*genl_sock;

	struct uevent_sock	*uevent_sock;		/* uevent socket */

	struct hlist_head 	*dev_name_head;		/* presumably NETDEV_HASHENTRIES
							 * buckets each — confirm */
	struct hlist_head	*dev_index_head;
	struct raw_notifier_head	netdev_chain;

	/* Note that @hash_mix can be read millions times per second,
	 * it is critical that it is on a read_mostly cache line.
	 */
	u32			hash_mix;

	struct net_device       *loopback_dev;          /* The loopback */

	/* core fib_rules */
	struct list_head	rules_ops;

	struct netns_core	core;
	struct netns_mib	mib;
	struct netns_packet	packet;
#if IS_ENABLED(CONFIG_UNIX)
	struct netns_unix	unx;
#endif
	struct netns_nexthop	nexthop;
	struct netns_ipv4	ipv4;	/* ipv4.rt_genid: see rt_genid_ipv4() */
#if IS_ENABLED(CONFIG_IPV6)
	struct netns_ipv6	ipv6;	/* ipv6.fib6_sernum: see rt_genid_ipv6() */
#endif
#if IS_ENABLED(CONFIG_IEEE802154_6LOWPAN)
	struct netns_ieee802154_lowpan	ieee802154_lowpan;
#endif
#if defined(CONFIG_IP_SCTP) || defined(CONFIG_IP_SCTP_MODULE)
	struct netns_sctp	sctp;
#endif
#ifdef CONFIG_NETFILTER
	struct netns_nf		nf;
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
	struct netns_ct		ct;
#endif
#if defined(CONFIG_NF_TABLES) || defined(CONFIG_NF_TABLES_MODULE)
	struct netns_nftables	nft;
#endif
#if IS_ENABLED(CONFIG_NF_FLOW_TABLE)
	struct netns_ft ft;
#endif
#endif
#ifdef CONFIG_WEXT_CORE
	struct sk_buff_head	wext_nlevents;
#endif
	struct net_generic __rcu	*gen;	/* RCU-protected per-subsystem
						 * private data; presumably sized
						 * via pernet_operations::size
						 * and indexed by ::id — confirm */

	/* Used to store attached BPF programs */
	struct netns_bpf	bpf;

	/* Note : following structs are cache line aligned */
#ifdef CONFIG_XFRM
	struct netns_xfrm	xfrm;
#endif

	u64			net_cookie; /* written once */

#if IS_ENABLED(CONFIG_IP_VS)
	struct netns_ipvs	*ipvs;
#endif
#if IS_ENABLED(CONFIG_MPLS)
	struct netns_mpls	mpls;
#endif
#if IS_ENABLED(CONFIG_CAN)
	struct netns_can	can;
#endif
#ifdef CONFIG_XDP_SOCKETS
	struct netns_xdp	xdp;
#endif
#if IS_ENABLED(CONFIG_MCTP)
	struct netns_mctp	mctp;
#endif
#if IS_ENABLED(CONFIG_CRYPTO_USER)
	struct sock		*crypto_nlsk;
#endif
	struct sock		*diag_nlsk;
#if IS_ENABLED(CONFIG_SMC)
	struct netns_smc	smc;
#endif
} __randomize_layout;	/* field order may be randomized at build time;
			 * never rely on member offsets */
190 | |
191 | #include <linux/seq_file_net.h> |
192 | |
193 | /* Init's network namespace */ |
194 | extern struct net init_net; |
195 | |
196 | #ifdef CONFIG_NET_NS |
/* CONFIG_NET_NS implementations. The #else branch below provides inline
 * stubs with identical signatures for kernels without namespace support;
 * the stubs document the degenerate behaviour each call has there.
 */
struct net *copy_net_ns(unsigned long flags, struct user_namespace *user_ns,
			struct net *old_net);	/* presumably creates a new net
						 * when @flags has CLONE_NEWNET,
						 * else returns @old_net — compare
						 * the stub below */

/* Report the owning uid/gid of @net (the stub reports global root). */
void net_ns_get_ownership(const struct net *net, kuid_t *uid, kgid_t *gid);

/* Wait for pending namespace cleanup (presumably; a no-op in the stub). */
void net_ns_barrier(void);

struct ns_common *get_net_ns(struct ns_common *ns);
struct net *get_net_ns_by_fd(int fd);	/* presumably resolves a netns fd; the
					 * stub returns ERR_PTR(-EINVAL) */
206 | #else /* CONFIG_NET_NS */ |
207 | #include <linux/sched.h> |
208 | #include <linux/nsproxy.h> |
static inline struct net *copy_net_ns(unsigned long flags,
	struct user_namespace *user_ns, struct net *old_net)
{
	/* Without CONFIG_NET_NS no new namespace can exist, so a
	 * CLONE_NEWNET request is an error and anything else keeps
	 * @old_net. @user_ns is not consulted here.
	 */
	bool wants_new_ns = (flags & CLONE_NEWNET) != 0;

	return wants_new_ns ? ERR_PTR(-EINVAL) : old_net;
}
216 | |
static inline void net_ns_get_ownership(const struct net *net,
					kuid_t *uid, kgid_t *gid)
{
	/* Only init_net exists in this configuration and it belongs to
	 * the global root user and group; @net is deliberately ignored.
	 */
	*gid = GLOBAL_ROOT_GID;
	*uid = GLOBAL_ROOT_UID;
}
223 | |
static inline void net_ns_barrier(void)
{
	/* No-op without CONFIG_NET_NS; the real barrier is declared in
	 * the #ifdef branch above.
	 */
}
225 | |
static inline struct ns_common *get_net_ns(struct ns_common *ns)
{
	/* Namespace handles cannot be obtained without CONFIG_NET_NS;
	 * @ns is ignored and the caller gets an error pointer.
	 */
	(void)ns;
	return ERR_PTR(-EINVAL);
}
230 | |
static inline struct net *get_net_ns_by_fd(int fd)
{
	/* No namespace can be reached through a file descriptor without
	 * CONFIG_NET_NS; @fd is ignored.
	 */
	(void)fd;
	return ERR_PTR(-EINVAL);
}
235 | #endif /* CONFIG_NET_NS */ |
236 | |
237 | |
/* All live network namespaces, linked through net->list; walk with the
 * for_each_net*() macros below (protected by net_rwsem).
 */
extern struct list_head net_namespace_list;

/* Network namespace of the task with pid @pid (presumably returns a
 * reference the caller must put_net() — confirm against the caller).
 */
struct net *get_net_ns_by_pid(pid_t pid);
241 | |
/* IPX sysctl hooks; without CONFIG_SYSCTL the calls expand to nothing
 * so callers compile unchanged.
 */
#ifdef CONFIG_SYSCTL
void ipx_register_sysctl(void);
void ipx_unregister_sysctl(void);
#else
#define ipx_register_sysctl()
#define ipx_unregister_sysctl()
#endif
249 | |
250 | #ifdef CONFIG_NET_NS |
/* Slow path of put_net(): invoked once ns.count has dropped to zero. */
void __put_net(struct net *net);
252 | |
/* Try using get_net_track() instead */
static inline struct net *get_net(struct net *net)
{
	struct net *held = net;

	/* Unconditional increment of ns.count: only valid when the caller
	 * already guarantees @net is alive (see maybe_get_net() for the
	 * other case). Release with put_net().
	 */
	refcount_inc(&held->ns.count);
	return held;
}
259 | |
static inline struct net *maybe_get_net(struct net *net)
{
	/* Used when we know struct net exists but we aren't guaranteed a
	 * previous reference count exists. If the reference count is
	 * zero this function fails and returns NULL; on success the
	 * caller owns one ns.count reference and must put_net() it.
	 */
	bool got_ref = refcount_inc_not_zero(&net->ns.count);

	return got_ref ? net : NULL;
}
271 | |
/* Try using put_net_track() instead */
static inline void put_net(struct net *net)
{
	/* Drop one ns.count reference; the last one hands the namespace
	 * to __put_net(), after which @net must not be touched by the
	 * caller.
	 */
	bool was_last = refcount_dec_and_test(&net->ns.count);

	if (was_last)
		__put_net(net);
}
278 | |
static inline
int net_eq(const struct net *net1, const struct net *net2)
{
	/* Namespaces compare by identity only, never by contents. */
	return !(net1 != net2);
}
284 | |
static inline int check_net(const struct net *net)
{
	/* Non-zero while at least one ns.count reference is held. This is
	 * only a snapshot and does not pin @net; a caller that needs the
	 * namespace to stay alive must take a reference via maybe_get_net().
	 */
	unsigned int live_refs = refcount_read(&net->ns.count);

	return live_refs ? 1 : 0;
}
289 | |
/* Teardown callback; takes void * because it is passed as a function
 * pointer (the !CONFIG_NET_NS branch below defines it as NULL).
 */
void net_drop_ns(void *);
291 | |
292 | #else |
293 | |
static inline struct net *get_net(struct net *net)
{
	/* Single namespace, no reference counting: hand @net back. */
	struct net *same = net;

	return same;
}
298 | |
static inline void put_net(struct net *net)
{
	/* Nothing to release without CONFIG_NET_NS. */
	(void)net;
}
302 | |
static inline struct net *maybe_get_net(struct net *net)
{
	/* Without reference counting the namespace is always "alive",
	 * so this never fails.
	 */
	struct net *same = net;

	return same;
}
307 | |
static inline
int net_eq(const struct net *net1, const struct net *net2)
{
	/* Only init_net exists, so any two nets are treated as equal. */
	(void)net1;
	(void)net2;
	return 1;
}
313 | |
static inline int check_net(const struct net *net)
{
	/* The single namespace can never be torn down. */
	(void)net;
	return 1;
}
318 | |
319 | #define net_drop_ns NULL |
320 | #endif |
321 | |
322 | |
static inline void netns_tracker_alloc(struct net *net,
				       netns_tracker *tracker, gfp_t gfp)
{
	/* Presumably records who took a reference, for leak debugging;
	 * compiled out unless CONFIG_NET_NS_REFCNT_TRACKER is set.
	 */
#ifndef CONFIG_NET_NS_REFCNT_TRACKER
	(void)net;
	(void)tracker;
	(void)gfp;
#else
	ref_tracker_alloc(&net->refcnt_tracker, tracker, gfp);
#endif
}
330 | |
static inline void netns_tracker_free(struct net *net,
				      netns_tracker *tracker)
{
	/* Counterpart of netns_tracker_alloc(); compiled out unless
	 * CONFIG_NET_NS_REFCNT_TRACKER is set.
	 */
#ifndef CONFIG_NET_NS_REFCNT_TRACKER
	(void)net;
	(void)tracker;
#else
	ref_tracker_free(&net->refcnt_tracker, tracker);
#endif
}
338 | |
static inline struct net *get_net_track(struct net *net,
					netns_tracker *tracker, gfp_t gfp)
{
	struct net *held = get_net(net);

	/* Preferred over plain get_net(): the reference is also recorded
	 * in @tracker when CONFIG_NET_NS_REFCNT_TRACKER is on. Release
	 * with put_net_track().
	 */
	netns_tracker_alloc(held, tracker, gfp);
	return held;
}
346 | |
/* Counterpart of get_net_track(): release @tracker first, while @net is
 * still guaranteed alive, then drop the reference. Reversing the order
 * would touch @net after put_net() may have started tearing it down.
 */
static inline void put_net_track(struct net *net, netns_tracker *tracker)
{
	netns_tracker_free(net, tracker);
	put_net(net);
}
352 | |
/* Handle to a struct net that collapses to an empty type when
 * CONFIG_NET_NS is off; access it only via write_pnet()/read_pnet().
 */
typedef struct {
#ifdef CONFIG_NET_NS
	struct net *net;
#endif
} possible_net_t;
358 | |
static inline void write_pnet(possible_net_t *pnet, struct net *net)
{
	/* Store @net in the handle; a no-op when the handle is empty. */
#ifndef CONFIG_NET_NS
	(void)pnet;
	(void)net;
#else
	pnet->net = net;
#endif
}
365 | |
static inline struct net *read_pnet(const possible_net_t *pnet)
{
	/* Without CONFIG_NET_NS every handle resolves to init_net. */
#ifndef CONFIG_NET_NS
	(void)pnet;
	return &init_net;
#else
	return pnet->net;
#endif
}
374 | |
/* Protected by net_rwsem */
#define for_each_net(VAR)				\
	list_for_each_entry(VAR, &net_namespace_list, list)
/* Resume a reverse walk from VAR, which must already be on the list. */
#define for_each_net_continue_reverse(VAR)		\
	list_for_each_entry_continue_reverse(VAR, &net_namespace_list, list)
/* RCU walk; presumably valid under rcu_read_lock() rather than net_rwsem — confirm. */
#define for_each_net_rcu(VAR)				\
	list_for_each_entry_rcu(VAR, &net_namespace_list, list)
382 | |
/* Section annotations for pernet init/exit code. Without CONFIG_NET_NS
 * the pernet init path runs only once at boot, so it can live in the
 * discardable __init sections; with namespaces it must stay resident.
 */
#ifdef CONFIG_NET_NS
#define __net_init
#define __net_exit
#define __net_initdata
#define __net_initconst
#else
#define __net_init	__init
#define __net_exit	__ref
#define __net_initdata	__initdata
#define __net_initconst	__initconst
#endif
394 | |
/* Per-namespace ids for peer namespaces (kept in net->netns_ids). */
int peernet2id_alloc(struct net *net, struct net *peer, gfp_t gfp);	/* presumably allocates an id for
									 * @peer in @net if none exists */
int peernet2id(const struct net *net, struct net *peer);		/* lookup without allocating */
bool peernet_has_id(const struct net *net, struct net *peer);
struct net *get_net_ns_by_id(const struct net *net, int id);	/* reverse lookup; presumably returns
								 * a reference — confirm */
399 | |
struct pernet_operations {
	struct list_head list;	/* linkage in the list of registered ops */
	/*
	 * Below methods are called without any exclusive locks.
	 * More than one net may be constructed and destructed
	 * in parallel on several cpus. Every pernet_operations
	 * has to keep in mind all other pernet_operations and
	 * to introduce a locking, if they share common resources.
	 *
	 * The only time they are called with exclusive lock is
	 * from register_pernet_subsys(), unregister_pernet_subsys()
	 * register_pernet_device() and unregister_pernet_device().
	 *
	 * Exit methods using blocking RCU primitives, such as
	 * synchronize_rcu(), should be implemented via exit_batch.
	 * Then, destruction of a group of net requires single
	 * synchronize_rcu() related to these pernet_operations,
	 * instead of separate synchronize_rcu() for every net.
	 * Please, avoid synchronize_rcu() at all, where it's possible.
	 *
	 * Note that a combination of pre_exit() and exit() can
	 * be used, since a synchronize_rcu() is guaranteed between
	 * the calls.
	 */
	int (*init)(struct net *net);		/* per-net setup; presumably a
						 * non-zero return fails the new
						 * net — confirm in the caller */
	void (*pre_exit)(struct net *net);	/* runs before exit(); a
						 * synchronize_rcu() separates the two */
	void (*exit)(struct net *net);		/* per-net teardown */
	void (*exit_batch)(struct list_head *net_exit_list);	/* teardown for a batch of
								 * dying nets linked via
								 * net->exit_list */
	unsigned int *id;	/* presumably the slot in net->gen assigned at
				 * registration when size != 0 — confirm */
	size_t size;		/* presumably bytes of per-net private data to
				 * allocate for *id — confirm */
};
431 | |
432 | /* |
433 | * Use these carefully. If you implement a network device and it |
434 | * needs per network namespace operations use device pernet operations, |
435 | * otherwise use pernet subsys operations. |
436 | * |
437 | * Network interfaces need to be removed from a dying netns _before_ |
438 | * subsys notifiers can be called, as most of the network code cleanup |
439 | * (which is done from subsys notifiers) runs with the assumption that |
440 | * dev_remove_pack has been called so no new packets will arrive during |
441 | * and after the cleanup functions have been called. dev_remove_pack |
442 | * is not per namespace so instead the guarantee of no more packets |
443 | * arriving in a network namespace is provided by ensuring that all |
444 | * network devices and all sockets have left the network namespace |
445 | * before the cleanup methods are called. |
446 | * |
447 | * For the longest time the ipv4 icmp code was registered as a pernet |
448 | * device which caused kernel oops, and panics during network |
449 | * namespace cleanup. So please don't get this wrong. |
450 | */ |
451 | int register_pernet_subsys(struct pernet_operations *); |
452 | void unregister_pernet_subsys(struct pernet_operations *); |
453 | int register_pernet_device(struct pernet_operations *); |
454 | void unregister_pernet_device(struct pernet_operations *); |
455 | |
456 | struct ctl_table; |
457 | |
458 | #ifdef CONFIG_SYSCTL |
int net_sysctl_init(void);
/* Register @table under @path for @net; the returned header is what
 * unregister_net_sysctl_table() takes. Presumably NULL on failure (the
 * stub below always returns NULL) — confirm.
 */
struct ctl_table_header *register_net_sysctl(struct net *net, const char *path,
					     struct ctl_table *table);
void unregister_net_sysctl_table(struct ctl_table_header *header);
463 | #else |
static inline int net_sysctl_init(void)
{
	/* No sysctl support: report success so callers carry on. */
	return 0;
}
static inline struct ctl_table_header *register_net_sysctl(struct net *net,
	const char *path, struct ctl_table *table)
{
	/* Nothing is registered without CONFIG_SYSCTL; NULL tells the
	 * caller that no header exists to unregister later.
	 */
	(void)net;
	(void)path;
	(void)table;
	return NULL;
}
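/* Stub for !CONFIG_SYSCTL: register_net_sysctl() never hands out a
 * header here, so there is nothing to unregister. The parameter is
 * named to match the CONFIG_SYSCTL declaration above; an unnamed
 * parameter in a function definition is not valid C before C23.
 */
static inline void unregister_net_sysctl_table(struct ctl_table_header *header)
{
	(void)header;
}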
473 | #endif |
474 | |
static inline int rt_genid_ipv4(const struct net *net)
{
	/* Current IPv4 route generation; bumped by rt_genid_bump_ipv4(). */
	int genid = atomic_read(&net->ipv4.rt_genid);

	return genid;
}
479 | |
#if IS_ENABLED(CONFIG_IPV6)
static inline int rt_genid_ipv6(const struct net *net)
{
	/* IPv6 exposes the fib6 serial number as its route generation. */
	int genid = atomic_read(&net->ipv6.fib6_sernum);

	return genid;
}
#endif
486 | |
static inline void rt_genid_bump_ipv4(struct net *net)
{
	/* Invalidate cached IPv4 routes by advancing the generation
	 * that rt_genid_ipv4() reports.
	 */
	atomic_t *genid = &net->ipv4.rt_genid;

	atomic_inc(genid);
}
491 | |
/* Hook presumably installed by the IPv6 code so that IPv4-only paths can
 * flush IPv6 routes without a hard dependency; NULL until then — confirm.
 */
extern void (*__fib6_flush_trees)(struct net *net);
static inline void rt_genid_bump_ipv6(struct net *net)
{
	/* Nothing to flush when the IPv6 hook is not installed. */
	if (!__fib6_flush_trees)
		return;

	__fib6_flush_trees(net);
}
498 | |
#if IS_ENABLED(CONFIG_IEEE802154_6LOWPAN)
static inline struct netns_ieee802154_lowpan *
net_ieee802154_lowpan(struct net *net)
{
	/* Accessor for the 6LoWPAN state embedded in @net; never NULL. */
	struct netns_ieee802154_lowpan *lowpan = &net->ieee802154_lowpan;

	return lowpan;
}
#endif
506 | |
/* For callers who don't really care about whether it's IPv4 or IPv6 */
static inline void rt_genid_bump_all(struct net *net)
{
	/* IPv4 generation first, then the IPv6 flush hook (if installed). */
	rt_genid_bump_ipv4(net);
	rt_genid_bump_ipv6(net);
}
513 | |
static inline int fnhe_genid(const struct net *net)
{
	/* Current generation of net->fnhe_genid; see fnhe_genid_bump(). */
	int genid = atomic_read(&net->fnhe_genid);

	return genid;
}
518 | |
static inline void fnhe_genid_bump(struct net *net)
{
	/* Advance the generation that fnhe_genid() reports. */
	atomic_t *genid = &net->fnhe_genid;

	atomic_inc(genid);
}
523 | |
524 | #ifdef CONFIG_NET |
525 | void net_ns_init(void); |
526 | #else |
static inline void net_ns_init(void)
{
	/* No networking at all (CONFIG_NET off): nothing to initialise. */
}
528 | #endif |
529 | |
530 | #endif /* __NET_NET_NAMESPACE_H */ |
531 | |