[linux-2.6-block.git] / net / netfilter / core.c

/* netfilter.c: look after the filters for various protocols.
 * Heavily influenced by the old firewall.c by David Bonn and Alan Cox.
 *
 * Thanks to Rob `CmdrTaco' Malda for not influencing this code in any
 * way.
 *
 * Rusty Russell (C)2000 -- This code is GPL.
 * Patrick McHardy (c) 2006-2012
 */
#include <linux/kernel.h>
#include <linux/netfilter.h>
#include <net/protocol.h>
#include <linux/init.h>
#include <linux/skbuff.h>
#include <linux/wait.h>
#include <linux/module.h>
#include <linux/interrupt.h>
#include <linux/if.h>
#include <linux/netdevice.h>
#include <linux/netfilter_ipv6.h>
#include <linux/inetdevice.h>
#include <linux/proc_fs.h>
#include <linux/mutex.h>
#include <linux/slab.h>
#include <net/net_namespace.h>
#include <net/sock.h>

#include "nf_internals.h"

static DEFINE_MUTEX(afinfo_mutex);

const struct nf_afinfo __rcu *nf_afinfo[NFPROTO_NUMPROTO] __read_mostly;
EXPORT_SYMBOL(nf_afinfo);
const struct nf_ipv6_ops __rcu *nf_ipv6_ops __read_mostly;
EXPORT_SYMBOL_GPL(nf_ipv6_ops);

int nf_register_afinfo(const struct nf_afinfo *afinfo)
{
	mutex_lock(&afinfo_mutex);
	RCU_INIT_POINTER(nf_afinfo[afinfo->family], afinfo);
	mutex_unlock(&afinfo_mutex);
	return 0;
}
EXPORT_SYMBOL_GPL(nf_register_afinfo);

void nf_unregister_afinfo(const struct nf_afinfo *afinfo)
{
	mutex_lock(&afinfo_mutex);
	RCU_INIT_POINTER(nf_afinfo[afinfo->family], NULL);
	mutex_unlock(&afinfo_mutex);
	synchronize_rcu();
}
EXPORT_SYMBOL_GPL(nf_unregister_afinfo);

struct list_head nf_hooks[NFPROTO_NUMPROTO][NF_MAX_HOOKS] __read_mostly;
EXPORT_SYMBOL(nf_hooks);

#ifdef HAVE_JUMP_LABEL
struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
EXPORT_SYMBOL(nf_hooks_needed);
#endif

static DEFINE_MUTEX(nf_hook_mutex);

int nf_register_hook(struct nf_hook_ops *reg)
{
	struct list_head *nf_hook_list;
	struct nf_hook_ops *elem;

	mutex_lock(&nf_hook_mutex);
	switch (reg->pf) {
	case NFPROTO_NETDEV:
#ifdef CONFIG_NETFILTER_INGRESS
		if (reg->hooknum == NF_NETDEV_INGRESS) {
			BUG_ON(reg->dev == NULL);
			nf_hook_list = &reg->dev->nf_hooks_ingress;
			net_inc_ingress_queue();
			break;
		}
#endif
		/* Fall through. */
	default:
		nf_hook_list = &nf_hooks[reg->pf][reg->hooknum];
		break;
	}

	list_for_each_entry(elem, nf_hook_list, list) {
		if (reg->priority < elem->priority)
			break;
	}
	list_add_rcu(&reg->list, elem->list.prev);
	mutex_unlock(&nf_hook_mutex);
#ifdef HAVE_JUMP_LABEL
	static_key_slow_inc(&nf_hooks_needed[reg->pf][reg->hooknum]);
#endif
	return 0;
}
EXPORT_SYMBOL(nf_register_hook);

void nf_unregister_hook(struct nf_hook_ops *reg)
{
	mutex_lock(&nf_hook_mutex);
	list_del_rcu(&reg->list);
	mutex_unlock(&nf_hook_mutex);
	switch (reg->pf) {
	case NFPROTO_NETDEV:
#ifdef CONFIG_NETFILTER_INGRESS
		if (reg->hooknum == NF_NETDEV_INGRESS) {
			net_dec_ingress_queue();
			break;
		}
		break;
#endif
	default:
		break;
	}
#ifdef HAVE_JUMP_LABEL
	static_key_slow_dec(&nf_hooks_needed[reg->pf][reg->hooknum]);
#endif
	synchronize_net();
	nf_queue_nf_hook_drop(reg);
}
EXPORT_SYMBOL(nf_unregister_hook);

int nf_register_hooks(struct nf_hook_ops *reg, unsigned int n)
{
	unsigned int i;
	int err = 0;

	for (i = 0; i < n; i++) {
		err = nf_register_hook(&reg[i]);
		if (err)
			goto err;
	}
	return err;

err:
	if (i > 0)
		nf_unregister_hooks(reg, i);
	return err;
}
EXPORT_SYMBOL(nf_register_hooks);

void nf_unregister_hooks(struct nf_hook_ops *reg, unsigned int n)
{
	while (n-- > 0)
		nf_unregister_hook(&reg[n]);
}
EXPORT_SYMBOL(nf_unregister_hooks);

unsigned int nf_iterate(struct list_head *head,
			struct sk_buff *skb,
			struct nf_hook_state *state,
			struct nf_hook_ops **elemp)
{
	unsigned int verdict;

	/*
	 * The caller must not block between calls to this
	 * function because of risk of continuing from deleted element.
	 */
	list_for_each_entry_continue_rcu((*elemp), head, list) {
		if (state->thresh > (*elemp)->priority)
			continue;

		/* Optimization: we don't need to hold module
		   reference here, since function can't sleep. --RR */
repeat:
		verdict = (*elemp)->hook(*elemp, skb, state);
		if (verdict != NF_ACCEPT) {
#ifdef CONFIG_NETFILTER_DEBUG
			if (unlikely((verdict & NF_VERDICT_MASK)
							> NF_MAX_VERDICT)) {
				NFDEBUG("Evil return from %p(%u).\n",
					(*elemp)->hook, state->hook);
				continue;
			}
#endif
			if (verdict != NF_REPEAT)
				return verdict;
			goto repeat;
		}
	}
	return NF_ACCEPT;
}


/* Returns 1 if okfn() needs to be executed by the caller,
 * -EPERM for NF_DROP, 0 otherwise. */
int nf_hook_slow(struct sk_buff *skb, struct nf_hook_state *state)
{
	struct nf_hook_ops *elem;
	unsigned int verdict;
	int ret = 0;

	/* We may already have this, but read-locks nest anyway */
	rcu_read_lock();

	elem = list_entry_rcu(state->hook_list, struct nf_hook_ops, list);
next_hook:
	verdict = nf_iterate(state->hook_list, skb, state, &elem);
	if (verdict == NF_ACCEPT || verdict == NF_STOP) {
		ret = 1;
	} else if ((verdict & NF_VERDICT_MASK) == NF_DROP) {
		kfree_skb(skb);
		ret = NF_DROP_GETERR(verdict);
		if (ret == 0)
			ret = -EPERM;
	} else if ((verdict & NF_VERDICT_MASK) == NF_QUEUE) {
		int err = nf_queue(skb, elem, state,
				   verdict >> NF_VERDICT_QBITS);
		if (err < 0) {
			if (err == -ECANCELED)
				goto next_hook;
			if (err == -ESRCH &&
			   (verdict & NF_VERDICT_FLAG_QUEUE_BYPASS))
				goto next_hook;
			kfree_skb(skb);
		}
	}
	rcu_read_unlock();
	return ret;
}
EXPORT_SYMBOL(nf_hook_slow);


int skb_make_writable(struct sk_buff *skb, unsigned int writable_len)
{
	if (writable_len > skb->len)
		return 0;

	/* Not exclusive use of packet?  Must copy. */
	if (!skb_cloned(skb)) {
		if (writable_len <= skb_headlen(skb))
			return 1;
	} else if (skb_clone_writable(skb, writable_len))
		return 1;

	if (writable_len <= skb_headlen(skb))
		writable_len = 0;
	else
		writable_len -= skb_headlen(skb);

	return !!__pskb_pull_tail(skb, writable_len);
}
EXPORT_SYMBOL(skb_make_writable);

#if IS_ENABLED(CONFIG_NF_CONNTRACK)
/* This does not belong here, but locally generated errors need it if connection
   tracking in use: without this, connection may not be in hash table, and hence
   manufactured ICMP or RST packets will not be associated with it. */
void (*ip_ct_attach)(struct sk_buff *, const struct sk_buff *)
		__rcu __read_mostly;
EXPORT_SYMBOL(ip_ct_attach);

void nf_ct_attach(struct sk_buff *new, const struct sk_buff *skb)
{
	void (*attach)(struct sk_buff *, const struct sk_buff *);

	if (skb->nfct) {
		rcu_read_lock();
		attach = rcu_dereference(ip_ct_attach);
		if (attach)
			attach(new, skb);
		rcu_read_unlock();
	}
}
EXPORT_SYMBOL(nf_ct_attach);

void (*nf_ct_destroy)(struct nf_conntrack *) __rcu __read_mostly;
EXPORT_SYMBOL(nf_ct_destroy);

void nf_conntrack_destroy(struct nf_conntrack *nfct)
{
	void (*destroy)(struct nf_conntrack *);

	rcu_read_lock();
	destroy = rcu_dereference(nf_ct_destroy);
	BUG_ON(destroy == NULL);
	destroy(nfct);
	rcu_read_unlock();
}
EXPORT_SYMBOL(nf_conntrack_destroy);

struct nfq_ct_hook __rcu *nfq_ct_hook __read_mostly;
EXPORT_SYMBOL_GPL(nfq_ct_hook);

struct nfq_ct_nat_hook __rcu *nfq_ct_nat_hook __read_mostly;
EXPORT_SYMBOL_GPL(nfq_ct_nat_hook);

#endif /* CONFIG_NF_CONNTRACK */

#ifdef CONFIG_NF_NAT_NEEDED
void (*nf_nat_decode_session_hook)(struct sk_buff *, struct flowi *);
EXPORT_SYMBOL(nf_nat_decode_session_hook);
#endif

static int __net_init netfilter_net_init(struct net *net)
{
#ifdef CONFIG_PROC_FS
	net->nf.proc_netfilter = proc_net_mkdir(net, "netfilter",
						net->proc_net);
	if (!net->nf.proc_netfilter) {
		if (!net_eq(net, &init_net))
			pr_err("cannot create netfilter proc entry");

		return -ENOMEM;
	}
#endif
	return 0;
}

static void __net_exit netfilter_net_exit(struct net *net)
{
	remove_proc_entry("netfilter", net->proc_net);
}

static struct pernet_operations netfilter_net_ops = {
	.init = netfilter_net_init,
	.exit = netfilter_net_exit,
};

int __init netfilter_init(void)
{
	int i, h, ret;

	for (i = 0; i < ARRAY_SIZE(nf_hooks); i++) {
		for (h = 0; h < NF_MAX_HOOKS; h++)
			INIT_LIST_HEAD(&nf_hooks[i][h]);
	}

	ret = register_pernet_subsys(&netfilter_net_ops);
	if (ret < 0)
		goto err;

	ret = netfilter_log_init();
	if (ret < 0)
		goto err_pernet;

	return 0;
err_pernet:
	unregister_pernet_subsys(&netfilter_net_ops);
err:
	return ret;
}
Commit	Line	Data
601e68e1	1	/* netfilter.c: look after the filters for various protocols.
f6ebe77f HW	2	* Heavily influenced by the old firewall.c by David Bonn and Alan Cox.
	3	*
	4	* Thanks to Rob `CmdrTaco' Malda for not influencing this code in any
	5	* way.
	6	*
	7	* Rusty Russell (C)2000 -- This code is GPL.
f229f6ce	8	* Patrick McHardy (c) 2006-2012
f6ebe77f	9	*/
f6ebe77f HW	10	#include <linux/kernel.h>
	11	#include <linux/netfilter.h>
	12	#include <net/protocol.h>
	13	#include <linux/init.h>
	14	#include <linux/skbuff.h>
	15	#include <linux/wait.h>
	16	#include <linux/module.h>
	17	#include <linux/interrupt.h>
	18	#include <linux/if.h>
	19	#include <linux/netdevice.h>
56768644	20	#include <linux/netfilter_ipv6.h>
f6ebe77f HW	21	#include <linux/inetdevice.h>
f6ebe77f HW	22	#include <linux/proc_fs.h>
d486dd1f	23	#include <linux/mutex.h>
5a0e3ad6	24	#include <linux/slab.h>
457c4cbc	25	#include <net/net_namespace.h>
f6ebe77f HW	26	#include <net/sock.h>
	27
	28	#include "nf_internals.h"
	29
d486dd1f	30	static DEFINE_MUTEX(afinfo_mutex);
bce8032e	31
0906a372	32	const struct nf_afinfo __rcu *nf_afinfo[NFPROTO_NUMPROTO] __read_mostly;
bce8032e	33	EXPORT_SYMBOL(nf_afinfo);
2a7851bf FW	34	const struct nf_ipv6_ops __rcu *nf_ipv6_ops __read_mostly;
2a7851bf FW	35	EXPORT_SYMBOL_GPL(nf_ipv6_ops);
bce8032e	36
1e796fda	37	int nf_register_afinfo(const struct nf_afinfo *afinfo)
bce8032e	38	{
7926dbfa	39	mutex_lock(&afinfo_mutex);
a9b3cd7f	40	RCU_INIT_POINTER(nf_afinfo[afinfo->family], afinfo);
d486dd1f	41	mutex_unlock(&afinfo_mutex);
bce8032e PM	42	return 0;
	43	}
	44	EXPORT_SYMBOL_GPL(nf_register_afinfo);
	45
1e796fda	46	void nf_unregister_afinfo(const struct nf_afinfo *afinfo)
bce8032e	47	{
d486dd1f	48	mutex_lock(&afinfo_mutex);
a9b3cd7f	49	RCU_INIT_POINTER(nf_afinfo[afinfo->family], NULL);
d486dd1f	50	mutex_unlock(&afinfo_mutex);
bce8032e PM	51	synchronize_rcu();
	52	}
	53	EXPORT_SYMBOL_GPL(nf_unregister_afinfo);
	54
7e9c6eeb	55	struct list_head nf_hooks[NFPROTO_NUMPROTO][NF_MAX_HOOKS] __read_mostly;
f6ebe77f	56	EXPORT_SYMBOL(nf_hooks);
a2d7ec58	57
d1c85c2e	58	#ifdef HAVE_JUMP_LABEL
c5905afb	59	struct static_key nf_hooks_needed[NFPROTO_NUMPROTO][NF_MAX_HOOKS];
a2d7ec58 ED	60	EXPORT_SYMBOL(nf_hooks_needed);
	61	#endif
	62
fd706d69	63	static DEFINE_MUTEX(nf_hook_mutex);
f6ebe77f HW	64
	65	int nf_register_hook(struct nf_hook_ops *reg)
	66	{
e687ad60	67	struct list_head *nf_hook_list;
4c610979	68	struct nf_hook_ops *elem;
f6ebe77f	69
7926dbfa	70	mutex_lock(&nf_hook_mutex);
e687ad60 PN	71	switch (reg->pf) {
	72	case NFPROTO_NETDEV:
	73	#ifdef CONFIG_NETFILTER_INGRESS
	74	if (reg->hooknum == NF_NETDEV_INGRESS) {
	75	BUG_ON(reg->dev == NULL);
	76	nf_hook_list = &reg->dev->nf_hooks_ingress;
	77	net_inc_ingress_queue();
	78	break;
	79	}
	80	#endif
	81	/* Fall through. */
	82	default:
	83	nf_hook_list = &nf_hooks[reg->pf][reg->hooknum];
	84	break;
	85	}
	86
	87	list_for_each_entry(elem, nf_hook_list, list) {
4c610979	88	if (reg->priority < elem->priority)
f6ebe77f HW	89	break;
f6ebe77f HW	90	}
4c610979	91	list_add_rcu(&reg->list, elem->list.prev);
fd706d69	92	mutex_unlock(&nf_hook_mutex);
d1c85c2e	93	#ifdef HAVE_JUMP_LABEL
c5905afb	94	static_key_slow_inc(&nf_hooks_needed[reg->pf][reg->hooknum]);
a2d7ec58	95	#endif
f6ebe77f HW	96	return 0;
	97	}
	98	EXPORT_SYMBOL(nf_register_hook);
	99
	100	void nf_unregister_hook(struct nf_hook_ops *reg)
	101	{
fd706d69	102	mutex_lock(&nf_hook_mutex);
f6ebe77f	103	list_del_rcu(&reg->list);
fd706d69	104	mutex_unlock(&nf_hook_mutex);
e687ad60 PN	105	switch (reg->pf) {
	106	case NFPROTO_NETDEV:
	107	#ifdef CONFIG_NETFILTER_INGRESS
	108	if (reg->hooknum == NF_NETDEV_INGRESS) {
	109	net_dec_ingress_queue();
	110	break;
	111	}
	112	break;
	113	#endif
	114	default:
	115	break;
	116	}
d1c85c2e	117	#ifdef HAVE_JUMP_LABEL
c5905afb	118	static_key_slow_dec(&nf_hooks_needed[reg->pf][reg->hooknum]);
a2d7ec58	119	#endif
f6ebe77f	120	synchronize_net();
8405a8ff	121	nf_queue_nf_hook_drop(reg);
f6ebe77f HW	122	}
	123	EXPORT_SYMBOL(nf_unregister_hook);
	124
972d1cb1 PM	125	int nf_register_hooks(struct nf_hook_ops *reg, unsigned int n)
	126	{
	127	unsigned int i;
	128	int err = 0;
	129
	130	for (i = 0; i < n; i++) {
	131	err = nf_register_hook(&reg[i]);
	132	if (err)
	133	goto err;
	134	}
	135	return err;
	136
	137	err:
	138	if (i > 0)
	139	nf_unregister_hooks(reg, i);
	140	return err;
	141	}
	142	EXPORT_SYMBOL(nf_register_hooks);
	143
	144	void nf_unregister_hooks(struct nf_hook_ops *reg, unsigned int n)
	145	{
f68c5301 CG	146	while (n-- > 0)
f68c5301 CG	147	nf_unregister_hook(&reg[n]);
972d1cb1 PM	148	}
	149	EXPORT_SYMBOL(nf_unregister_hooks);
	150
f6ebe77f	151	unsigned int nf_iterate(struct list_head *head,
3db05fea	152	struct sk_buff *skb,
cfdfab31 DM	153	struct nf_hook_state *state,
cfdfab31 DM	154	struct nf_hook_ops **elemp)
f6ebe77f HW	155	{
	156	unsigned int verdict;
	157
	158	/*
	159	* The caller must not block between calls to this
	160	* function because of risk of continuing from deleted element.
	161	*/
2a6decfd	162	list_for_each_entry_continue_rcu((*elemp), head, list) {
cfdfab31	163	if (state->thresh > (*elemp)->priority)
f6ebe77f HW	164	continue;
	165
	166	/* Optimization: we don't need to hold module
601e68e1	167	reference here, since function can't sleep. --RR */
de9963f0	168	repeat:
238e54c9	169	verdict = (elemp)->hook(elemp, skb, state);
f6ebe77f HW	170	if (verdict != NF_ACCEPT) {
	171	#ifdef CONFIG_NETFILTER_DEBUG
	172	if (unlikely((verdict & NF_VERDICT_MASK)
	173	> NF_MAX_VERDICT)) {
	174	NFDEBUG("Evil return from %p(%u).\n",
cfdfab31	175	(*elemp)->hook, state->hook);
f6ebe77f HW	176	continue;
	177	}
	178	#endif
2a6decfd	179	if (verdict != NF_REPEAT)
f6ebe77f	180	return verdict;
de9963f0	181	goto repeat;
f6ebe77f HW	182	}
	183	}
	184	return NF_ACCEPT;
	185	}
	186
	187
	188	/* Returns 1 if okfn() needs to be executed by the caller,
	189	* -EPERM for NF_DROP, 0 otherwise. */
cfdfab31	190	int nf_hook_slow(struct sk_buff skb, struct nf_hook_state state)
f6ebe77f	191	{
2a6decfd	192	struct nf_hook_ops *elem;
f6ebe77f HW	193	unsigned int verdict;
	194	int ret = 0;
	195
	196	/* We may already have this, but read-locks nest anyway */
	197	rcu_read_lock();
	198
f7191483	199	elem = list_entry_rcu(state->hook_list, struct nf_hook_ops, list);
f6ebe77f	200	next_hook:
f7191483	201	verdict = nf_iterate(state->hook_list, skb, state, &elem);
f6ebe77f HW	202	if (verdict == NF_ACCEPT \|\| verdict == NF_STOP) {
f6ebe77f HW	203	ret = 1;
da683650	204	} else if ((verdict & NF_VERDICT_MASK) == NF_DROP) {
3db05fea	205	kfree_skb(skb);
f615df76	206	ret = NF_DROP_GETERR(verdict);
da683650 EP	207	if (ret == 0)
da683650 EP	208	ret = -EPERM;
f9c63990	209	} else if ((verdict & NF_VERDICT_MASK) == NF_QUEUE) {
cfdfab31 DM	210	int err = nf_queue(skb, elem, state,
cfdfab31 DM	211	verdict >> NF_VERDICT_QBITS);
563e1232 FW	212	if (err < 0) {
563e1232 FW	213	if (err == -ECANCELED)
06cdb634	214	goto next_hook;
563e1232	215	if (err == -ESRCH &&
94b27cc3 FW	216	(verdict & NF_VERDICT_FLAG_QUEUE_BYPASS))
94b27cc3 FW	217	goto next_hook;
06cdb634 FW	218	kfree_skb(skb);
06cdb634 FW	219	}
f6ebe77f	220	}
f6ebe77f HW	221	rcu_read_unlock();
	222	return ret;
	223	}
	224	EXPORT_SYMBOL(nf_hook_slow);
	225
	226
37d41879	227	int skb_make_writable(struct sk_buff *skb, unsigned int writable_len)
f6ebe77f	228	{
37d41879	229	if (writable_len > skb->len)
f6ebe77f HW	230	return 0;
	231
	232	/* Not exclusive use of packet? Must copy. */
37d41879 HX	233	if (!skb_cloned(skb)) {
	234	if (writable_len <= skb_headlen(skb))
	235	return 1;
	236	} else if (skb_clone_writable(skb, writable_len))
	237	return 1;
	238
	239	if (writable_len <= skb_headlen(skb))
	240	writable_len = 0;
	241	else
	242	writable_len -= skb_headlen(skb);
	243
	244	return !!__pskb_pull_tail(skb, writable_len);
f6ebe77f HW	245	}
	246	EXPORT_SYMBOL(skb_make_writable);
	247
c0cd1156	248	#if IS_ENABLED(CONFIG_NF_CONNTRACK)
f6ebe77f HW	249	/* This does not belong here, but locally generated errors need it if connection
	250	tracking in use: without this, connection may not be in hash table, and hence
	251	manufactured ICMP or RST packets will not be associated with it. */
312a0c16 PM	252	void (ip_ct_attach)(struct sk_buff , const struct sk_buff *)
312a0c16 PM	253	__rcu __read_mostly;
f6ebe77f HW	254	EXPORT_SYMBOL(ip_ct_attach);
f6ebe77f HW	255
312a0c16	256	void nf_ct_attach(struct sk_buff new, const struct sk_buff skb)
f6ebe77f	257	{
312a0c16	258	void (attach)(struct sk_buff , const struct sk_buff *);
f6ebe77f	259
c3a47ab3 PM	260	if (skb->nfct) {
	261	rcu_read_lock();
	262	attach = rcu_dereference(ip_ct_attach);
	263	if (attach)
	264	attach(new, skb);
	265	rcu_read_unlock();
f6ebe77f HW	266	}
	267	}
	268	EXPORT_SYMBOL(nf_ct_attach);
de6e05c4	269
0e60ebe0	270	void (nf_ct_destroy)(struct nf_conntrack ) __rcu __read_mostly;
de6e05c4 YK	271	EXPORT_SYMBOL(nf_ct_destroy);
	272
	273	void nf_conntrack_destroy(struct nf_conntrack *nfct)
	274	{
	275	void (destroy)(struct nf_conntrack );
	276
	277	rcu_read_lock();
	278	destroy = rcu_dereference(nf_ct_destroy);
	279	BUG_ON(destroy == NULL);
	280	destroy(nfct);
	281	rcu_read_unlock();
	282	}
	283	EXPORT_SYMBOL(nf_conntrack_destroy);
9cb01766	284
5a05fae5	285	struct nfq_ct_hook __rcu *nfq_ct_hook __read_mostly;
9cb01766 PNA	286	EXPORT_SYMBOL_GPL(nfq_ct_hook);
9cb01766 PNA	287
d584a61a PNA	288	struct nfq_ct_nat_hook __rcu *nfq_ct_nat_hook __read_mostly;
	289	EXPORT_SYMBOL_GPL(nfq_ct_nat_hook);
	290
de6e05c4	291	#endif /* CONFIG_NF_CONNTRACK */
f6ebe77f	292
c7232c99 PM	293	#ifdef CONFIG_NF_NAT_NEEDED
	294	void (nf_nat_decode_session_hook)(struct sk_buff , struct flowi *);
	295	EXPORT_SYMBOL(nf_nat_decode_session_hook);
	296	#endif
	297
f3c1a44a G	298	static int __net_init netfilter_net_init(struct net *net)
	299	{
	300	#ifdef CONFIG_PROC_FS
	301	net->nf.proc_netfilter = proc_net_mkdir(net, "netfilter",
	302	net->proc_net);
12202fa7 PNA	303	if (!net->nf.proc_netfilter) {
	304	if (!net_eq(net, &init_net))
	305	pr_err("cannot create netfilter proc entry");
	306
f3c1a44a G	307	return -ENOMEM;
	308	}
	309	#endif
	310	return 0;
	311	}
	312
	313	static void __net_exit netfilter_net_exit(struct net *net)
	314	{
	315	remove_proc_entry("netfilter", net->proc_net);
	316	}
	317
	318	static struct pernet_operations netfilter_net_ops = {
	319	.init = netfilter_net_init,
	320	.exit = netfilter_net_exit,
	321	};
	322
6d11cfdb	323	int __init netfilter_init(void)
f6ebe77f	324	{
6d11cfdb PNA	325	int i, h, ret;
6d11cfdb PNA	326
7e9c6eeb	327	for (i = 0; i < ARRAY_SIZE(nf_hooks); i++) {
f6ebe77f HW	328	for (h = 0; h < NF_MAX_HOOKS; h++)
	329	INIT_LIST_HEAD(&nf_hooks[i][h]);
	330	}
	331
6d11cfdb PNA	332	ret = register_pernet_subsys(&netfilter_net_ops);
	333	if (ret < 0)
	334	goto err;
	335
	336	ret = netfilter_log_init();
	337	if (ret < 0)
	338	goto err_pernet;
f6ebe77f	339
6d11cfdb PNA	340	return 0;
	341	err_pernet:
	342	unregister_pernet_subsys(&netfilter_net_ops);
	343	err:
	344	return ret;
f6ebe77f	345	}