1 /* Connection tracking via netlink socket. Allows for user space
2 * protocol helpers and general trouble making from userspace.
4 * (C) 2001 by Jay Schulist <jschlst@samba.org>
5 * (C) 2002-2006 by Harald Welte <laforge@gnumonks.org>
6 * (C) 2003 by Patrick Mchardy <kaber@trash.net>
7 * (C) 2005-2012 by Pablo Neira Ayuso <pablo@netfilter.org>
9 * Initial connection tracking via netlink development funded and
10 * generally made possible by Network Robots, Inc. (www.networkrobots.com)
12 * Further development of this code funded by Astaro AG (http://www.astaro.com)
14 * This software may be used and distributed according to the terms
15 * of the GNU General Public License, incorporated herein by reference.
18 #include <linux/init.h>
19 #include <linux/module.h>
20 #include <linux/kernel.h>
21 #include <linux/rculist.h>
22 #include <linux/rculist_nulls.h>
23 #include <linux/types.h>
24 #include <linux/timer.h>
25 #include <linux/security.h>
26 #include <linux/skbuff.h>
27 #include <linux/errno.h>
28 #include <linux/netlink.h>
29 #include <linux/spinlock.h>
30 #include <linux/interrupt.h>
31 #include <linux/slab.h>
33 #include <linux/netfilter.h>
34 #include <net/netlink.h>
36 #include <net/netfilter/nf_conntrack.h>
37 #include <net/netfilter/nf_conntrack_core.h>
38 #include <net/netfilter/nf_conntrack_expect.h>
39 #include <net/netfilter/nf_conntrack_helper.h>
40 #include <net/netfilter/nf_conntrack_seqadj.h>
41 #include <net/netfilter/nf_conntrack_l3proto.h>
42 #include <net/netfilter/nf_conntrack_l4proto.h>
43 #include <net/netfilter/nf_conntrack_tuple.h>
44 #include <net/netfilter/nf_conntrack_acct.h>
45 #include <net/netfilter/nf_conntrack_zones.h>
46 #include <net/netfilter/nf_conntrack_timestamp.h>
47 #include <net/netfilter/nf_conntrack_labels.h>
48 #ifdef CONFIG_NF_NAT_NEEDED
49 #include <net/netfilter/nf_nat_core.h>
50 #include <net/netfilter/nf_nat_l4proto.h>
51 #include <net/netfilter/nf_nat_helper.h>
54 #include <linux/netfilter/nfnetlink.h>
55 #include <linux/netfilter/nfnetlink_conntrack.h>
57 MODULE_LICENSE("GPL");
59 static char __initdata version
[] = "0.93";
62 ctnetlink_dump_tuples_proto(struct sk_buff
*skb
,
63 const struct nf_conntrack_tuple
*tuple
,
64 struct nf_conntrack_l4proto
*l4proto
)
67 struct nlattr
*nest_parms
;
69 nest_parms
= nla_nest_start(skb
, CTA_TUPLE_PROTO
| NLA_F_NESTED
);
72 if (nla_put_u8(skb
, CTA_PROTO_NUM
, tuple
->dst
.protonum
))
75 if (likely(l4proto
->tuple_to_nlattr
))
76 ret
= l4proto
->tuple_to_nlattr(skb
, tuple
);
78 nla_nest_end(skb
, nest_parms
);
87 ctnetlink_dump_tuples_ip(struct sk_buff
*skb
,
88 const struct nf_conntrack_tuple
*tuple
,
89 struct nf_conntrack_l3proto
*l3proto
)
92 struct nlattr
*nest_parms
;
94 nest_parms
= nla_nest_start(skb
, CTA_TUPLE_IP
| NLA_F_NESTED
);
98 if (likely(l3proto
->tuple_to_nlattr
))
99 ret
= l3proto
->tuple_to_nlattr(skb
, tuple
);
101 nla_nest_end(skb
, nest_parms
);
110 ctnetlink_dump_tuples(struct sk_buff
*skb
,
111 const struct nf_conntrack_tuple
*tuple
)
114 struct nf_conntrack_l3proto
*l3proto
;
115 struct nf_conntrack_l4proto
*l4proto
;
118 l3proto
= __nf_ct_l3proto_find(tuple
->src
.l3num
);
119 ret
= ctnetlink_dump_tuples_ip(skb
, tuple
, l3proto
);
122 l4proto
= __nf_ct_l4proto_find(tuple
->src
.l3num
,
123 tuple
->dst
.protonum
);
124 ret
= ctnetlink_dump_tuples_proto(skb
, tuple
, l4proto
);
131 ctnetlink_dump_status(struct sk_buff
*skb
, const struct nf_conn
*ct
)
133 if (nla_put_be32(skb
, CTA_STATUS
, htonl(ct
->status
)))
134 goto nla_put_failure
;
142 ctnetlink_dump_timeout(struct sk_buff
*skb
, const struct nf_conn
*ct
)
144 long timeout
= ((long)ct
->timeout
.expires
- (long)jiffies
) / HZ
;
149 if (nla_put_be32(skb
, CTA_TIMEOUT
, htonl(timeout
)))
150 goto nla_put_failure
;
158 ctnetlink_dump_protoinfo(struct sk_buff
*skb
, struct nf_conn
*ct
)
160 struct nf_conntrack_l4proto
*l4proto
;
161 struct nlattr
*nest_proto
;
164 l4proto
= __nf_ct_l4proto_find(nf_ct_l3num(ct
), nf_ct_protonum(ct
));
165 if (!l4proto
->to_nlattr
)
168 nest_proto
= nla_nest_start(skb
, CTA_PROTOINFO
| NLA_F_NESTED
);
170 goto nla_put_failure
;
172 ret
= l4proto
->to_nlattr(skb
, nest_proto
, ct
);
174 nla_nest_end(skb
, nest_proto
);
183 ctnetlink_dump_helpinfo(struct sk_buff
*skb
, const struct nf_conn
*ct
)
185 struct nlattr
*nest_helper
;
186 const struct nf_conn_help
*help
= nfct_help(ct
);
187 struct nf_conntrack_helper
*helper
;
192 helper
= rcu_dereference(help
->helper
);
196 nest_helper
= nla_nest_start(skb
, CTA_HELP
| NLA_F_NESTED
);
198 goto nla_put_failure
;
199 if (nla_put_string(skb
, CTA_HELP_NAME
, helper
->name
))
200 goto nla_put_failure
;
202 if (helper
->to_nlattr
)
203 helper
->to_nlattr(skb
, ct
);
205 nla_nest_end(skb
, nest_helper
);
214 dump_counters(struct sk_buff
*skb
, struct nf_conn_acct
*acct
,
215 enum ip_conntrack_dir dir
, int type
)
217 enum ctattr_type attr
= dir
? CTA_COUNTERS_REPLY
: CTA_COUNTERS_ORIG
;
218 struct nf_conn_counter
*counter
= acct
->counter
;
219 struct nlattr
*nest_count
;
222 if (type
== IPCTNL_MSG_CT_GET_CTRZERO
) {
223 pkts
= atomic64_xchg(&counter
[dir
].packets
, 0);
224 bytes
= atomic64_xchg(&counter
[dir
].bytes
, 0);
226 pkts
= atomic64_read(&counter
[dir
].packets
);
227 bytes
= atomic64_read(&counter
[dir
].bytes
);
230 nest_count
= nla_nest_start(skb
, attr
| NLA_F_NESTED
);
232 goto nla_put_failure
;
234 if (nla_put_be64(skb
, CTA_COUNTERS_PACKETS
, cpu_to_be64(pkts
)) ||
235 nla_put_be64(skb
, CTA_COUNTERS_BYTES
, cpu_to_be64(bytes
)))
236 goto nla_put_failure
;
238 nla_nest_end(skb
, nest_count
);
247 ctnetlink_dump_acct(struct sk_buff
*skb
, const struct nf_conn
*ct
, int type
)
249 struct nf_conn_acct
*acct
= nf_conn_acct_find(ct
);
254 if (dump_counters(skb
, acct
, IP_CT_DIR_ORIGINAL
, type
) < 0)
256 if (dump_counters(skb
, acct
, IP_CT_DIR_REPLY
, type
) < 0)
263 ctnetlink_dump_timestamp(struct sk_buff
*skb
, const struct nf_conn
*ct
)
265 struct nlattr
*nest_count
;
266 const struct nf_conn_tstamp
*tstamp
;
268 tstamp
= nf_conn_tstamp_find(ct
);
272 nest_count
= nla_nest_start(skb
, CTA_TIMESTAMP
| NLA_F_NESTED
);
274 goto nla_put_failure
;
276 if (nla_put_be64(skb
, CTA_TIMESTAMP_START
, cpu_to_be64(tstamp
->start
)) ||
277 (tstamp
->stop
!= 0 && nla_put_be64(skb
, CTA_TIMESTAMP_STOP
,
278 cpu_to_be64(tstamp
->stop
))))
279 goto nla_put_failure
;
280 nla_nest_end(skb
, nest_count
);
288 #ifdef CONFIG_NF_CONNTRACK_MARK
290 ctnetlink_dump_mark(struct sk_buff
*skb
, const struct nf_conn
*ct
)
292 if (nla_put_be32(skb
, CTA_MARK
, htonl(ct
->mark
)))
293 goto nla_put_failure
;
300 #define ctnetlink_dump_mark(a, b) (0)
303 #ifdef CONFIG_NF_CONNTRACK_SECMARK
305 ctnetlink_dump_secctx(struct sk_buff
*skb
, const struct nf_conn
*ct
)
307 struct nlattr
*nest_secctx
;
311 ret
= security_secid_to_secctx(ct
->secmark
, &secctx
, &len
);
316 nest_secctx
= nla_nest_start(skb
, CTA_SECCTX
| NLA_F_NESTED
);
318 goto nla_put_failure
;
320 if (nla_put_string(skb
, CTA_SECCTX_NAME
, secctx
))
321 goto nla_put_failure
;
322 nla_nest_end(skb
, nest_secctx
);
326 security_release_secctx(secctx
, len
);
330 #define ctnetlink_dump_secctx(a, b) (0)
333 #ifdef CONFIG_NF_CONNTRACK_LABELS
334 static int ctnetlink_label_size(const struct nf_conn
*ct
)
336 struct nf_conn_labels
*labels
= nf_ct_labels_find(ct
);
340 return nla_total_size(labels
->words
* sizeof(long));
344 ctnetlink_dump_labels(struct sk_buff
*skb
, const struct nf_conn
*ct
)
346 struct nf_conn_labels
*labels
= nf_ct_labels_find(ct
);
352 len
= labels
->words
* sizeof(long);
355 if (labels
->bits
[i
] != 0)
356 return nla_put(skb
, CTA_LABELS
, len
, labels
->bits
);
358 } while (i
< labels
->words
);
363 #define ctnetlink_dump_labels(a, b) (0)
364 #define ctnetlink_label_size(a) (0)
367 #define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple)
370 ctnetlink_dump_master(struct sk_buff
*skb
, const struct nf_conn
*ct
)
372 struct nlattr
*nest_parms
;
374 if (!(ct
->status
& IPS_EXPECTED
))
377 nest_parms
= nla_nest_start(skb
, CTA_TUPLE_MASTER
| NLA_F_NESTED
);
379 goto nla_put_failure
;
380 if (ctnetlink_dump_tuples(skb
, master_tuple(ct
)) < 0)
381 goto nla_put_failure
;
382 nla_nest_end(skb
, nest_parms
);
391 dump_ct_seq_adj(struct sk_buff
*skb
, const struct nf_ct_seqadj
*seq
, int type
)
393 struct nlattr
*nest_parms
;
395 nest_parms
= nla_nest_start(skb
, type
| NLA_F_NESTED
);
397 goto nla_put_failure
;
399 if (nla_put_be32(skb
, CTA_SEQADJ_CORRECTION_POS
,
400 htonl(seq
->correction_pos
)) ||
401 nla_put_be32(skb
, CTA_SEQADJ_OFFSET_BEFORE
,
402 htonl(seq
->offset_before
)) ||
403 nla_put_be32(skb
, CTA_SEQADJ_OFFSET_AFTER
,
404 htonl(seq
->offset_after
)))
405 goto nla_put_failure
;
407 nla_nest_end(skb
, nest_parms
);
416 ctnetlink_dump_ct_seq_adj(struct sk_buff
*skb
, const struct nf_conn
*ct
)
418 struct nf_conn_seqadj
*seqadj
= nfct_seqadj(ct
);
419 struct nf_ct_seqadj
*seq
;
421 if (!(ct
->status
& IPS_SEQ_ADJUST
) || !seqadj
)
424 seq
= &seqadj
->seq
[IP_CT_DIR_ORIGINAL
];
425 if (dump_ct_seq_adj(skb
, seq
, CTA_SEQ_ADJ_ORIG
) == -1)
428 seq
= &seqadj
->seq
[IP_CT_DIR_REPLY
];
429 if (dump_ct_seq_adj(skb
, seq
, CTA_SEQ_ADJ_REPLY
) == -1)
436 ctnetlink_dump_id(struct sk_buff
*skb
, const struct nf_conn
*ct
)
438 if (nla_put_be32(skb
, CTA_ID
, htonl((unsigned long)ct
)))
439 goto nla_put_failure
;
447 ctnetlink_dump_use(struct sk_buff
*skb
, const struct nf_conn
*ct
)
449 if (nla_put_be32(skb
, CTA_USE
, htonl(atomic_read(&ct
->ct_general
.use
))))
450 goto nla_put_failure
;
458 ctnetlink_fill_info(struct sk_buff
*skb
, u32 portid
, u32 seq
, u32 type
,
461 struct nlmsghdr
*nlh
;
462 struct nfgenmsg
*nfmsg
;
463 struct nlattr
*nest_parms
;
464 unsigned int flags
= portid
? NLM_F_MULTI
: 0, event
;
466 event
= (NFNL_SUBSYS_CTNETLINK
<< 8 | IPCTNL_MSG_CT_NEW
);
467 nlh
= nlmsg_put(skb
, portid
, seq
, event
, sizeof(*nfmsg
), flags
);
471 nfmsg
= nlmsg_data(nlh
);
472 nfmsg
->nfgen_family
= nf_ct_l3num(ct
);
473 nfmsg
->version
= NFNETLINK_V0
;
476 nest_parms
= nla_nest_start(skb
, CTA_TUPLE_ORIG
| NLA_F_NESTED
);
478 goto nla_put_failure
;
479 if (ctnetlink_dump_tuples(skb
, nf_ct_tuple(ct
, IP_CT_DIR_ORIGINAL
)) < 0)
480 goto nla_put_failure
;
481 nla_nest_end(skb
, nest_parms
);
483 nest_parms
= nla_nest_start(skb
, CTA_TUPLE_REPLY
| NLA_F_NESTED
);
485 goto nla_put_failure
;
486 if (ctnetlink_dump_tuples(skb
, nf_ct_tuple(ct
, IP_CT_DIR_REPLY
)) < 0)
487 goto nla_put_failure
;
488 nla_nest_end(skb
, nest_parms
);
490 if (nf_ct_zone(ct
) &&
491 nla_put_be16(skb
, CTA_ZONE
, htons(nf_ct_zone(ct
))))
492 goto nla_put_failure
;
494 if (ctnetlink_dump_status(skb
, ct
) < 0 ||
495 ctnetlink_dump_timeout(skb
, ct
) < 0 ||
496 ctnetlink_dump_acct(skb
, ct
, type
) < 0 ||
497 ctnetlink_dump_timestamp(skb
, ct
) < 0 ||
498 ctnetlink_dump_protoinfo(skb
, ct
) < 0 ||
499 ctnetlink_dump_helpinfo(skb
, ct
) < 0 ||
500 ctnetlink_dump_mark(skb
, ct
) < 0 ||
501 ctnetlink_dump_secctx(skb
, ct
) < 0 ||
502 ctnetlink_dump_labels(skb
, ct
) < 0 ||
503 ctnetlink_dump_id(skb
, ct
) < 0 ||
504 ctnetlink_dump_use(skb
, ct
) < 0 ||
505 ctnetlink_dump_master(skb
, ct
) < 0 ||
506 ctnetlink_dump_ct_seq_adj(skb
, ct
) < 0)
507 goto nla_put_failure
;
514 nlmsg_cancel(skb
, nlh
);
519 ctnetlink_proto_size(const struct nf_conn
*ct
)
521 struct nf_conntrack_l3proto
*l3proto
;
522 struct nf_conntrack_l4proto
*l4proto
;
526 l3proto
= __nf_ct_l3proto_find(nf_ct_l3num(ct
));
527 len
+= l3proto
->nla_size
;
529 l4proto
= __nf_ct_l4proto_find(nf_ct_l3num(ct
), nf_ct_protonum(ct
));
530 len
+= l4proto
->nla_size
;
537 ctnetlink_acct_size(const struct nf_conn
*ct
)
539 if (!nf_ct_ext_exist(ct
, NF_CT_EXT_ACCT
))
541 return 2 * nla_total_size(0) /* CTA_COUNTERS_ORIG|REPL */
542 + 2 * nla_total_size(sizeof(uint64_t)) /* CTA_COUNTERS_PACKETS */
543 + 2 * nla_total_size(sizeof(uint64_t)) /* CTA_COUNTERS_BYTES */
548 ctnetlink_secctx_size(const struct nf_conn
*ct
)
550 #ifdef CONFIG_NF_CONNTRACK_SECMARK
553 ret
= security_secid_to_secctx(ct
->secmark
, NULL
, &len
);
557 return nla_total_size(0) /* CTA_SECCTX */
558 + nla_total_size(sizeof(char) * len
); /* CTA_SECCTX_NAME */
565 ctnetlink_timestamp_size(const struct nf_conn
*ct
)
567 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP
568 if (!nf_ct_ext_exist(ct
, NF_CT_EXT_TSTAMP
))
570 return nla_total_size(0) + 2 * nla_total_size(sizeof(uint64_t));
577 ctnetlink_nlmsg_size(const struct nf_conn
*ct
)
579 return NLMSG_ALIGN(sizeof(struct nfgenmsg
))
580 + 3 * nla_total_size(0) /* CTA_TUPLE_ORIG|REPL|MASTER */
581 + 3 * nla_total_size(0) /* CTA_TUPLE_IP */
582 + 3 * nla_total_size(0) /* CTA_TUPLE_PROTO */
583 + 3 * nla_total_size(sizeof(u_int8_t
)) /* CTA_PROTO_NUM */
584 + nla_total_size(sizeof(u_int32_t
)) /* CTA_ID */
585 + nla_total_size(sizeof(u_int32_t
)) /* CTA_STATUS */
586 + ctnetlink_acct_size(ct
)
587 + ctnetlink_timestamp_size(ct
)
588 + nla_total_size(sizeof(u_int32_t
)) /* CTA_TIMEOUT */
589 + nla_total_size(0) /* CTA_PROTOINFO */
590 + nla_total_size(0) /* CTA_HELP */
591 + nla_total_size(NF_CT_HELPER_NAME_LEN
) /* CTA_HELP_NAME */
592 + ctnetlink_secctx_size(ct
)
593 #ifdef CONFIG_NF_NAT_NEEDED
594 + 2 * nla_total_size(0) /* CTA_NAT_SEQ_ADJ_ORIG|REPL */
595 + 6 * nla_total_size(sizeof(u_int32_t
)) /* CTA_NAT_SEQ_OFFSET */
597 #ifdef CONFIG_NF_CONNTRACK_MARK
598 + nla_total_size(sizeof(u_int32_t
)) /* CTA_MARK */
600 + ctnetlink_proto_size(ct
)
601 + ctnetlink_label_size(ct
)
605 #ifdef CONFIG_NF_CONNTRACK_EVENTS
607 ctnetlink_conntrack_event(unsigned int events
, struct nf_ct_event
*item
)
610 struct nlmsghdr
*nlh
;
611 struct nfgenmsg
*nfmsg
;
612 struct nlattr
*nest_parms
;
613 struct nf_conn
*ct
= item
->ct
;
616 unsigned int flags
= 0, group
;
619 /* ignore our fake conntrack entry */
620 if (nf_ct_is_untracked(ct
))
623 if (events
& (1 << IPCT_DESTROY
)) {
624 type
= IPCTNL_MSG_CT_DELETE
;
625 group
= NFNLGRP_CONNTRACK_DESTROY
;
626 } else if (events
& ((1 << IPCT_NEW
) | (1 << IPCT_RELATED
))) {
627 type
= IPCTNL_MSG_CT_NEW
;
628 flags
= NLM_F_CREATE
|NLM_F_EXCL
;
629 group
= NFNLGRP_CONNTRACK_NEW
;
631 type
= IPCTNL_MSG_CT_NEW
;
632 group
= NFNLGRP_CONNTRACK_UPDATE
;
637 if (!item
->report
&& !nfnetlink_has_listeners(net
, group
))
640 skb
= nlmsg_new(ctnetlink_nlmsg_size(ct
), GFP_ATOMIC
);
644 type
|= NFNL_SUBSYS_CTNETLINK
<< 8;
645 nlh
= nlmsg_put(skb
, item
->portid
, 0, type
, sizeof(*nfmsg
), flags
);
649 nfmsg
= nlmsg_data(nlh
);
650 nfmsg
->nfgen_family
= nf_ct_l3num(ct
);
651 nfmsg
->version
= NFNETLINK_V0
;
655 nest_parms
= nla_nest_start(skb
, CTA_TUPLE_ORIG
| NLA_F_NESTED
);
657 goto nla_put_failure
;
658 if (ctnetlink_dump_tuples(skb
, nf_ct_tuple(ct
, IP_CT_DIR_ORIGINAL
)) < 0)
659 goto nla_put_failure
;
660 nla_nest_end(skb
, nest_parms
);
662 nest_parms
= nla_nest_start(skb
, CTA_TUPLE_REPLY
| NLA_F_NESTED
);
664 goto nla_put_failure
;
665 if (ctnetlink_dump_tuples(skb
, nf_ct_tuple(ct
, IP_CT_DIR_REPLY
)) < 0)
666 goto nla_put_failure
;
667 nla_nest_end(skb
, nest_parms
);
669 if (nf_ct_zone(ct
) &&
670 nla_put_be16(skb
, CTA_ZONE
, htons(nf_ct_zone(ct
))))
671 goto nla_put_failure
;
673 if (ctnetlink_dump_id(skb
, ct
) < 0)
674 goto nla_put_failure
;
676 if (ctnetlink_dump_status(skb
, ct
) < 0)
677 goto nla_put_failure
;
679 if (events
& (1 << IPCT_DESTROY
)) {
680 if (ctnetlink_dump_acct(skb
, ct
, type
) < 0 ||
681 ctnetlink_dump_timestamp(skb
, ct
) < 0)
682 goto nla_put_failure
;
684 if (ctnetlink_dump_timeout(skb
, ct
) < 0)
685 goto nla_put_failure
;
687 if (events
& (1 << IPCT_PROTOINFO
)
688 && ctnetlink_dump_protoinfo(skb
, ct
) < 0)
689 goto nla_put_failure
;
691 if ((events
& (1 << IPCT_HELPER
) || nfct_help(ct
))
692 && ctnetlink_dump_helpinfo(skb
, ct
) < 0)
693 goto nla_put_failure
;
695 #ifdef CONFIG_NF_CONNTRACK_SECMARK
696 if ((events
& (1 << IPCT_SECMARK
) || ct
->secmark
)
697 && ctnetlink_dump_secctx(skb
, ct
) < 0)
698 goto nla_put_failure
;
700 if (events
& (1 << IPCT_LABEL
) &&
701 ctnetlink_dump_labels(skb
, ct
) < 0)
702 goto nla_put_failure
;
704 if (events
& (1 << IPCT_RELATED
) &&
705 ctnetlink_dump_master(skb
, ct
) < 0)
706 goto nla_put_failure
;
708 if (events
& (1 << IPCT_SEQADJ
) &&
709 ctnetlink_dump_ct_seq_adj(skb
, ct
) < 0)
710 goto nla_put_failure
;
713 #ifdef CONFIG_NF_CONNTRACK_MARK
714 if ((events
& (1 << IPCT_MARK
) || ct
->mark
)
715 && ctnetlink_dump_mark(skb
, ct
) < 0)
716 goto nla_put_failure
;
721 err
= nfnetlink_send(skb
, net
, item
->portid
, group
, item
->report
,
723 if (err
== -ENOBUFS
|| err
== -EAGAIN
)
730 nlmsg_cancel(skb
, nlh
);
734 if (nfnetlink_set_err(net
, 0, group
, -ENOBUFS
) > 0)
739 #endif /* CONFIG_NF_CONNTRACK_EVENTS */
741 static int ctnetlink_done(struct netlink_callback
*cb
)
744 nf_ct_put((struct nf_conn
*)cb
->args
[1]);
750 struct ctnetlink_dump_filter
{
758 ctnetlink_dump_table(struct sk_buff
*skb
, struct netlink_callback
*cb
)
760 struct net
*net
= sock_net(skb
->sk
);
761 struct nf_conn
*ct
, *last
;
762 struct nf_conntrack_tuple_hash
*h
;
763 struct hlist_nulls_node
*n
;
764 struct nfgenmsg
*nfmsg
= nlmsg_data(cb
->nlh
);
765 u_int8_t l3proto
= nfmsg
->nfgen_family
;
767 #ifdef CONFIG_NF_CONNTRACK_MARK
768 const struct ctnetlink_dump_filter
*filter
= cb
->data
;
771 spin_lock_bh(&nf_conntrack_lock
);
772 last
= (struct nf_conn
*)cb
->args
[1];
773 for (; cb
->args
[0] < net
->ct
.htable_size
; cb
->args
[0]++) {
775 hlist_nulls_for_each_entry(h
, n
, &net
->ct
.hash
[cb
->args
[0]],
777 if (NF_CT_DIRECTION(h
) != IP_CT_DIR_ORIGINAL
)
779 ct
= nf_ct_tuplehash_to_ctrack(h
);
780 /* Dump entries of a given L3 protocol number.
781 * If it is not specified, ie. l3proto == 0,
782 * then dump everything. */
783 if (l3proto
&& nf_ct_l3num(ct
) != l3proto
)
790 #ifdef CONFIG_NF_CONNTRACK_MARK
791 if (filter
&& !((ct
->mark
& filter
->mark
.mask
) ==
798 ctnetlink_fill_info(skb
, NETLINK_CB(cb
->skb
).portid
,
800 NFNL_MSG_TYPE(cb
->nlh
->nlmsg_type
),
804 nf_conntrack_get(&ct
->ct_general
);
805 cb
->args
[1] = (unsigned long)ct
;
815 spin_unlock_bh(&nf_conntrack_lock
);
823 ctnetlink_parse_tuple_ip(struct nlattr
*attr
, struct nf_conntrack_tuple
*tuple
)
825 struct nlattr
*tb
[CTA_IP_MAX
+1];
826 struct nf_conntrack_l3proto
*l3proto
;
829 ret
= nla_parse_nested(tb
, CTA_IP_MAX
, attr
, NULL
);
834 l3proto
= __nf_ct_l3proto_find(tuple
->src
.l3num
);
836 if (likely(l3proto
->nlattr_to_tuple
)) {
837 ret
= nla_validate_nested(attr
, CTA_IP_MAX
,
838 l3proto
->nla_policy
);
840 ret
= l3proto
->nlattr_to_tuple(tb
, tuple
);
848 static const struct nla_policy proto_nla_policy
[CTA_PROTO_MAX
+1] = {
849 [CTA_PROTO_NUM
] = { .type
= NLA_U8
},
853 ctnetlink_parse_tuple_proto(struct nlattr
*attr
,
854 struct nf_conntrack_tuple
*tuple
)
856 struct nlattr
*tb
[CTA_PROTO_MAX
+1];
857 struct nf_conntrack_l4proto
*l4proto
;
860 ret
= nla_parse_nested(tb
, CTA_PROTO_MAX
, attr
, proto_nla_policy
);
864 if (!tb
[CTA_PROTO_NUM
])
866 tuple
->dst
.protonum
= nla_get_u8(tb
[CTA_PROTO_NUM
]);
869 l4proto
= __nf_ct_l4proto_find(tuple
->src
.l3num
, tuple
->dst
.protonum
);
871 if (likely(l4proto
->nlattr_to_tuple
)) {
872 ret
= nla_validate_nested(attr
, CTA_PROTO_MAX
,
873 l4proto
->nla_policy
);
875 ret
= l4proto
->nlattr_to_tuple(tb
, tuple
);
883 static const struct nla_policy tuple_nla_policy
[CTA_TUPLE_MAX
+1] = {
884 [CTA_TUPLE_IP
] = { .type
= NLA_NESTED
},
885 [CTA_TUPLE_PROTO
] = { .type
= NLA_NESTED
},
889 ctnetlink_parse_tuple(const struct nlattr
* const cda
[],
890 struct nf_conntrack_tuple
*tuple
,
891 enum ctattr_type type
, u_int8_t l3num
)
893 struct nlattr
*tb
[CTA_TUPLE_MAX
+1];
896 memset(tuple
, 0, sizeof(*tuple
));
898 err
= nla_parse_nested(tb
, CTA_TUPLE_MAX
, cda
[type
], tuple_nla_policy
);
902 if (!tb
[CTA_TUPLE_IP
])
905 tuple
->src
.l3num
= l3num
;
907 err
= ctnetlink_parse_tuple_ip(tb
[CTA_TUPLE_IP
], tuple
);
911 if (!tb
[CTA_TUPLE_PROTO
])
914 err
= ctnetlink_parse_tuple_proto(tb
[CTA_TUPLE_PROTO
], tuple
);
918 /* orig and expect tuples get DIR_ORIGINAL */
919 if (type
== CTA_TUPLE_REPLY
)
920 tuple
->dst
.dir
= IP_CT_DIR_REPLY
;
922 tuple
->dst
.dir
= IP_CT_DIR_ORIGINAL
;
928 ctnetlink_parse_zone(const struct nlattr
*attr
, u16
*zone
)
931 #ifdef CONFIG_NF_CONNTRACK_ZONES
932 *zone
= ntohs(nla_get_be16(attr
));
942 static const struct nla_policy help_nla_policy
[CTA_HELP_MAX
+1] = {
943 [CTA_HELP_NAME
] = { .type
= NLA_NUL_STRING
,
944 .len
= NF_CT_HELPER_NAME_LEN
- 1 },
948 ctnetlink_parse_help(const struct nlattr
*attr
, char **helper_name
,
949 struct nlattr
**helpinfo
)
952 struct nlattr
*tb
[CTA_HELP_MAX
+1];
954 err
= nla_parse_nested(tb
, CTA_HELP_MAX
, attr
, help_nla_policy
);
958 if (!tb
[CTA_HELP_NAME
])
961 *helper_name
= nla_data(tb
[CTA_HELP_NAME
]);
963 if (tb
[CTA_HELP_INFO
])
964 *helpinfo
= tb
[CTA_HELP_INFO
];
969 #define __CTA_LABELS_MAX_LENGTH ((XT_CONNLABEL_MAXBIT + 1) / BITS_PER_BYTE)
970 static const struct nla_policy ct_nla_policy
[CTA_MAX
+1] = {
971 [CTA_TUPLE_ORIG
] = { .type
= NLA_NESTED
},
972 [CTA_TUPLE_REPLY
] = { .type
= NLA_NESTED
},
973 [CTA_STATUS
] = { .type
= NLA_U32
},
974 [CTA_PROTOINFO
] = { .type
= NLA_NESTED
},
975 [CTA_HELP
] = { .type
= NLA_NESTED
},
976 [CTA_NAT_SRC
] = { .type
= NLA_NESTED
},
977 [CTA_TIMEOUT
] = { .type
= NLA_U32
},
978 [CTA_MARK
] = { .type
= NLA_U32
},
979 [CTA_ID
] = { .type
= NLA_U32
},
980 [CTA_NAT_DST
] = { .type
= NLA_NESTED
},
981 [CTA_TUPLE_MASTER
] = { .type
= NLA_NESTED
},
982 [CTA_NAT_SEQ_ADJ_ORIG
] = { .type
= NLA_NESTED
},
983 [CTA_NAT_SEQ_ADJ_REPLY
] = { .type
= NLA_NESTED
},
984 [CTA_ZONE
] = { .type
= NLA_U16
},
985 [CTA_MARK_MASK
] = { .type
= NLA_U32
},
986 [CTA_LABELS
] = { .type
= NLA_BINARY
,
987 .len
= __CTA_LABELS_MAX_LENGTH
},
988 [CTA_LABELS_MASK
] = { .type
= NLA_BINARY
,
989 .len
= __CTA_LABELS_MAX_LENGTH
},
993 ctnetlink_del_conntrack(struct sock
*ctnl
, struct sk_buff
*skb
,
994 const struct nlmsghdr
*nlh
,
995 const struct nlattr
* const cda
[])
997 struct net
*net
= sock_net(ctnl
);
998 struct nf_conntrack_tuple_hash
*h
;
999 struct nf_conntrack_tuple tuple
;
1001 struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
1002 u_int8_t u3
= nfmsg
->nfgen_family
;
1006 err
= ctnetlink_parse_zone(cda
[CTA_ZONE
], &zone
);
1010 if (cda
[CTA_TUPLE_ORIG
])
1011 err
= ctnetlink_parse_tuple(cda
, &tuple
, CTA_TUPLE_ORIG
, u3
);
1012 else if (cda
[CTA_TUPLE_REPLY
])
1013 err
= ctnetlink_parse_tuple(cda
, &tuple
, CTA_TUPLE_REPLY
, u3
);
1015 /* Flush the whole table */
1016 nf_conntrack_flush_report(net
,
1017 NETLINK_CB(skb
).portid
,
1025 h
= nf_conntrack_find_get(net
, zone
, &tuple
);
1029 ct
= nf_ct_tuplehash_to_ctrack(h
);
1032 u_int32_t id
= ntohl(nla_get_be32(cda
[CTA_ID
]));
1033 if (id
!= (u32
)(unsigned long)ct
) {
1039 if (del_timer(&ct
->timeout
))
1040 nf_ct_delete(ct
, NETLINK_CB(skb
).portid
, nlmsg_report(nlh
));
1048 ctnetlink_get_conntrack(struct sock
*ctnl
, struct sk_buff
*skb
,
1049 const struct nlmsghdr
*nlh
,
1050 const struct nlattr
* const cda
[])
1052 struct net
*net
= sock_net(ctnl
);
1053 struct nf_conntrack_tuple_hash
*h
;
1054 struct nf_conntrack_tuple tuple
;
1056 struct sk_buff
*skb2
= NULL
;
1057 struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
1058 u_int8_t u3
= nfmsg
->nfgen_family
;
1062 if (nlh
->nlmsg_flags
& NLM_F_DUMP
) {
1063 struct netlink_dump_control c
= {
1064 .dump
= ctnetlink_dump_table
,
1065 .done
= ctnetlink_done
,
1067 #ifdef CONFIG_NF_CONNTRACK_MARK
1068 if (cda
[CTA_MARK
] && cda
[CTA_MARK_MASK
]) {
1069 struct ctnetlink_dump_filter
*filter
;
1071 filter
= kzalloc(sizeof(struct ctnetlink_dump_filter
),
1076 filter
->mark
.val
= ntohl(nla_get_be32(cda
[CTA_MARK
]));
1078 ntohl(nla_get_be32(cda
[CTA_MARK_MASK
]));
1082 return netlink_dump_start(ctnl
, skb
, nlh
, &c
);
1085 err
= ctnetlink_parse_zone(cda
[CTA_ZONE
], &zone
);
1089 if (cda
[CTA_TUPLE_ORIG
])
1090 err
= ctnetlink_parse_tuple(cda
, &tuple
, CTA_TUPLE_ORIG
, u3
);
1091 else if (cda
[CTA_TUPLE_REPLY
])
1092 err
= ctnetlink_parse_tuple(cda
, &tuple
, CTA_TUPLE_REPLY
, u3
);
1099 h
= nf_conntrack_find_get(net
, zone
, &tuple
);
1103 ct
= nf_ct_tuplehash_to_ctrack(h
);
1106 skb2
= nlmsg_new(NLMSG_DEFAULT_SIZE
, GFP_KERNEL
);
1113 err
= ctnetlink_fill_info(skb2
, NETLINK_CB(skb
).portid
, nlh
->nlmsg_seq
,
1114 NFNL_MSG_TYPE(nlh
->nlmsg_type
), ct
);
1120 err
= netlink_unicast(ctnl
, skb2
, NETLINK_CB(skb
).portid
, MSG_DONTWAIT
);
1129 /* this avoids a loop in nfnetlink. */
1130 return err
== -EAGAIN
? -ENOBUFS
: err
;
1133 static int ctnetlink_done_list(struct netlink_callback
*cb
)
1136 nf_ct_put((struct nf_conn
*)cb
->args
[1]);
1141 ctnetlink_dump_list(struct sk_buff
*skb
, struct netlink_callback
*cb
,
1142 struct hlist_nulls_head
*list
)
1144 struct nf_conn
*ct
, *last
;
1145 struct nf_conntrack_tuple_hash
*h
;
1146 struct hlist_nulls_node
*n
;
1147 struct nfgenmsg
*nfmsg
= nlmsg_data(cb
->nlh
);
1148 u_int8_t l3proto
= nfmsg
->nfgen_family
;
1154 spin_lock_bh(&nf_conntrack_lock
);
1155 last
= (struct nf_conn
*)cb
->args
[1];
1157 hlist_nulls_for_each_entry(h
, n
, list
, hnnode
) {
1158 ct
= nf_ct_tuplehash_to_ctrack(h
);
1159 if (l3proto
&& nf_ct_l3num(ct
) != l3proto
)
1167 res
= ctnetlink_fill_info(skb
, NETLINK_CB(cb
->skb
).portid
,
1169 NFNL_MSG_TYPE(cb
->nlh
->nlmsg_type
),
1173 nf_conntrack_get(&ct
->ct_general
);
1174 cb
->args
[1] = (unsigned long)ct
;
1184 spin_unlock_bh(&nf_conntrack_lock
);
1192 ctnetlink_dump_dying(struct sk_buff
*skb
, struct netlink_callback
*cb
)
1194 struct net
*net
= sock_net(skb
->sk
);
1196 return ctnetlink_dump_list(skb
, cb
, &net
->ct
.dying
);
1200 ctnetlink_get_ct_dying(struct sock
*ctnl
, struct sk_buff
*skb
,
1201 const struct nlmsghdr
*nlh
,
1202 const struct nlattr
* const cda
[])
1204 if (nlh
->nlmsg_flags
& NLM_F_DUMP
) {
1205 struct netlink_dump_control c
= {
1206 .dump
= ctnetlink_dump_dying
,
1207 .done
= ctnetlink_done_list
,
1209 return netlink_dump_start(ctnl
, skb
, nlh
, &c
);
1216 ctnetlink_dump_unconfirmed(struct sk_buff
*skb
, struct netlink_callback
*cb
)
1218 struct net
*net
= sock_net(skb
->sk
);
1220 return ctnetlink_dump_list(skb
, cb
, &net
->ct
.unconfirmed
);
1224 ctnetlink_get_ct_unconfirmed(struct sock
*ctnl
, struct sk_buff
*skb
,
1225 const struct nlmsghdr
*nlh
,
1226 const struct nlattr
* const cda
[])
1228 if (nlh
->nlmsg_flags
& NLM_F_DUMP
) {
1229 struct netlink_dump_control c
= {
1230 .dump
= ctnetlink_dump_unconfirmed
,
1231 .done
= ctnetlink_done_list
,
1233 return netlink_dump_start(ctnl
, skb
, nlh
, &c
);
1239 #ifdef CONFIG_NF_NAT_NEEDED
1241 ctnetlink_parse_nat_setup(struct nf_conn
*ct
,
1242 enum nf_nat_manip_type manip
,
1243 const struct nlattr
*attr
)
1245 typeof(nfnetlink_parse_nat_setup_hook
) parse_nat_setup
;
1248 parse_nat_setup
= rcu_dereference(nfnetlink_parse_nat_setup_hook
);
1249 if (!parse_nat_setup
) {
1250 #ifdef CONFIG_MODULES
1252 nfnl_unlock(NFNL_SUBSYS_CTNETLINK
);
1253 if (request_module("nf-nat") < 0) {
1254 nfnl_lock(NFNL_SUBSYS_CTNETLINK
);
1258 nfnl_lock(NFNL_SUBSYS_CTNETLINK
);
1260 if (nfnetlink_parse_nat_setup_hook
)
1266 err
= parse_nat_setup(ct
, manip
, attr
);
1267 if (err
== -EAGAIN
) {
1268 #ifdef CONFIG_MODULES
1270 nfnl_unlock(NFNL_SUBSYS_CTNETLINK
);
1271 if (request_module("nf-nat-%u", nf_ct_l3num(ct
)) < 0) {
1272 nfnl_lock(NFNL_SUBSYS_CTNETLINK
);
1276 nfnl_lock(NFNL_SUBSYS_CTNETLINK
);
1287 ctnetlink_change_status(struct nf_conn
*ct
, const struct nlattr
* const cda
[])
1290 unsigned int status
= ntohl(nla_get_be32(cda
[CTA_STATUS
]));
1291 d
= ct
->status
^ status
;
1293 if (d
& (IPS_EXPECTED
|IPS_CONFIRMED
|IPS_DYING
))
1297 if (d
& IPS_SEEN_REPLY
&& !(status
& IPS_SEEN_REPLY
))
1298 /* SEEN_REPLY bit can only be set */
1301 if (d
& IPS_ASSURED
&& !(status
& IPS_ASSURED
))
1302 /* ASSURED bit can only be set */
1305 /* Be careful here, modifying NAT bits can screw up things,
1306 * so don't let users modify them directly if they don't pass
1308 ct
->status
|= status
& ~(IPS_NAT_DONE_MASK
| IPS_NAT_MASK
);
1313 ctnetlink_change_nat(struct nf_conn
*ct
, const struct nlattr
* const cda
[])
1315 #ifdef CONFIG_NF_NAT_NEEDED
1318 if (cda
[CTA_NAT_DST
]) {
1319 ret
= ctnetlink_parse_nat_setup(ct
,
1325 if (cda
[CTA_NAT_SRC
]) {
1326 ret
= ctnetlink_parse_nat_setup(ct
,
1339 ctnetlink_change_helper(struct nf_conn
*ct
, const struct nlattr
* const cda
[])
1341 struct nf_conntrack_helper
*helper
;
1342 struct nf_conn_help
*help
= nfct_help(ct
);
1343 char *helpname
= NULL
;
1344 struct nlattr
*helpinfo
= NULL
;
1347 /* don't change helper of sibling connections */
1351 err
= ctnetlink_parse_help(cda
[CTA_HELP
], &helpname
, &helpinfo
);
1355 if (!strcmp(helpname
, "")) {
1356 if (help
&& help
->helper
) {
1357 /* we had a helper before ... */
1358 nf_ct_remove_expectations(ct
);
1359 RCU_INIT_POINTER(help
->helper
, NULL
);
1365 helper
= __nf_conntrack_helper_find(helpname
, nf_ct_l3num(ct
),
1366 nf_ct_protonum(ct
));
1367 if (helper
== NULL
) {
1368 #ifdef CONFIG_MODULES
1369 spin_unlock_bh(&nf_conntrack_lock
);
1371 if (request_module("nfct-helper-%s", helpname
) < 0) {
1372 spin_lock_bh(&nf_conntrack_lock
);
1376 spin_lock_bh(&nf_conntrack_lock
);
1377 helper
= __nf_conntrack_helper_find(helpname
, nf_ct_l3num(ct
),
1378 nf_ct_protonum(ct
));
1386 if (help
->helper
== helper
) {
1387 /* update private helper data if allowed. */
1388 if (helper
->from_nlattr
)
1389 helper
->from_nlattr(helpinfo
, ct
);
1395 /* we cannot set a helper for an existing conntrack */
1400 ctnetlink_change_timeout(struct nf_conn
*ct
, const struct nlattr
* const cda
[])
1402 u_int32_t timeout
= ntohl(nla_get_be32(cda
[CTA_TIMEOUT
]));
1404 if (!del_timer(&ct
->timeout
))
1407 ct
->timeout
.expires
= jiffies
+ timeout
* HZ
;
1408 add_timer(&ct
->timeout
);
1413 static const struct nla_policy protoinfo_policy
[CTA_PROTOINFO_MAX
+1] = {
1414 [CTA_PROTOINFO_TCP
] = { .type
= NLA_NESTED
},
1415 [CTA_PROTOINFO_DCCP
] = { .type
= NLA_NESTED
},
1416 [CTA_PROTOINFO_SCTP
] = { .type
= NLA_NESTED
},
1420 ctnetlink_change_protoinfo(struct nf_conn
*ct
, const struct nlattr
* const cda
[])
1422 const struct nlattr
*attr
= cda
[CTA_PROTOINFO
];
1423 struct nlattr
*tb
[CTA_PROTOINFO_MAX
+1];
1424 struct nf_conntrack_l4proto
*l4proto
;
1427 err
= nla_parse_nested(tb
, CTA_PROTOINFO_MAX
, attr
, protoinfo_policy
);
1432 l4proto
= __nf_ct_l4proto_find(nf_ct_l3num(ct
), nf_ct_protonum(ct
));
1433 if (l4proto
->from_nlattr
)
1434 err
= l4proto
->from_nlattr(tb
, ct
);
1440 static const struct nla_policy seqadj_policy
[CTA_SEQADJ_MAX
+1] = {
1441 [CTA_SEQADJ_CORRECTION_POS
] = { .type
= NLA_U32
},
1442 [CTA_SEQADJ_OFFSET_BEFORE
] = { .type
= NLA_U32
},
1443 [CTA_SEQADJ_OFFSET_AFTER
] = { .type
= NLA_U32
},
1447 change_seq_adj(struct nf_ct_seqadj
*seq
, const struct nlattr
* const attr
)
1450 struct nlattr
*cda
[CTA_SEQADJ_MAX
+1];
1452 err
= nla_parse_nested(cda
, CTA_SEQADJ_MAX
, attr
, seqadj_policy
);
1456 if (!cda
[CTA_SEQADJ_CORRECTION_POS
])
1459 seq
->correction_pos
=
1460 ntohl(nla_get_be32(cda
[CTA_SEQADJ_CORRECTION_POS
]));
1462 if (!cda
[CTA_SEQADJ_OFFSET_BEFORE
])
1465 seq
->offset_before
=
1466 ntohl(nla_get_be32(cda
[CTA_SEQADJ_OFFSET_BEFORE
]));
1468 if (!cda
[CTA_SEQADJ_OFFSET_AFTER
])
1472 ntohl(nla_get_be32(cda
[CTA_SEQADJ_OFFSET_AFTER
]));
1478 ctnetlink_change_seq_adj(struct nf_conn
*ct
,
1479 const struct nlattr
* const cda
[])
1481 struct nf_conn_seqadj
*seqadj
= nfct_seqadj(ct
);
1487 if (cda
[CTA_SEQ_ADJ_ORIG
]) {
1488 ret
= change_seq_adj(&seqadj
->seq
[IP_CT_DIR_ORIGINAL
],
1489 cda
[CTA_SEQ_ADJ_ORIG
]);
1493 ct
->status
|= IPS_SEQ_ADJUST
;
1496 if (cda
[CTA_SEQ_ADJ_REPLY
]) {
1497 ret
= change_seq_adj(&seqadj
->seq
[IP_CT_DIR_REPLY
],
1498 cda
[CTA_SEQ_ADJ_REPLY
]);
1502 ct
->status
|= IPS_SEQ_ADJUST
;
1509 ctnetlink_attach_labels(struct nf_conn
*ct
, const struct nlattr
* const cda
[])
1511 #ifdef CONFIG_NF_CONNTRACK_LABELS
1512 size_t len
= nla_len(cda
[CTA_LABELS
]);
1513 const void *mask
= cda
[CTA_LABELS_MASK
];
1515 if (len
& (sizeof(u32
)-1)) /* must be multiple of u32 */
1519 if (nla_len(cda
[CTA_LABELS_MASK
]) == 0 ||
1520 nla_len(cda
[CTA_LABELS_MASK
]) != len
)
1522 mask
= nla_data(cda
[CTA_LABELS_MASK
]);
1527 return nf_connlabels_replace(ct
, nla_data(cda
[CTA_LABELS
]), mask
, len
);
1534 ctnetlink_change_conntrack(struct nf_conn
*ct
,
1535 const struct nlattr
* const cda
[])
1539 /* only allow NAT changes and master assignation for new conntracks */
1540 if (cda
[CTA_NAT_SRC
] || cda
[CTA_NAT_DST
] || cda
[CTA_TUPLE_MASTER
])
1543 if (cda
[CTA_HELP
]) {
1544 err
= ctnetlink_change_helper(ct
, cda
);
1549 if (cda
[CTA_TIMEOUT
]) {
1550 err
= ctnetlink_change_timeout(ct
, cda
);
1555 if (cda
[CTA_STATUS
]) {
1556 err
= ctnetlink_change_status(ct
, cda
);
1561 if (cda
[CTA_PROTOINFO
]) {
1562 err
= ctnetlink_change_protoinfo(ct
, cda
);
1567 #if defined(CONFIG_NF_CONNTRACK_MARK)
1569 ct
->mark
= ntohl(nla_get_be32(cda
[CTA_MARK
]));
1572 if (cda
[CTA_SEQ_ADJ_ORIG
] || cda
[CTA_SEQ_ADJ_REPLY
]) {
1573 err
= ctnetlink_change_seq_adj(ct
, cda
);
1578 if (cda
[CTA_LABELS
]) {
1579 err
= ctnetlink_attach_labels(ct
, cda
);
1587 static struct nf_conn
*
1588 ctnetlink_create_conntrack(struct net
*net
, u16 zone
,
1589 const struct nlattr
* const cda
[],
1590 struct nf_conntrack_tuple
*otuple
,
1591 struct nf_conntrack_tuple
*rtuple
,
1596 struct nf_conntrack_helper
*helper
;
1597 struct nf_conn_tstamp
*tstamp
;
1599 ct
= nf_conntrack_alloc(net
, zone
, otuple
, rtuple
, GFP_ATOMIC
);
1601 return ERR_PTR(-ENOMEM
);
1603 if (!cda
[CTA_TIMEOUT
])
1605 ct
->timeout
.expires
= ntohl(nla_get_be32(cda
[CTA_TIMEOUT
]));
1607 ct
->timeout
.expires
= jiffies
+ ct
->timeout
.expires
* HZ
;
1610 if (cda
[CTA_HELP
]) {
1611 char *helpname
= NULL
;
1612 struct nlattr
*helpinfo
= NULL
;
1614 err
= ctnetlink_parse_help(cda
[CTA_HELP
], &helpname
, &helpinfo
);
1618 helper
= __nf_conntrack_helper_find(helpname
, nf_ct_l3num(ct
),
1619 nf_ct_protonum(ct
));
1620 if (helper
== NULL
) {
1622 #ifdef CONFIG_MODULES
1623 if (request_module("nfct-helper-%s", helpname
) < 0) {
1629 helper
= __nf_conntrack_helper_find(helpname
,
1631 nf_ct_protonum(ct
));
1641 struct nf_conn_help
*help
;
1643 help
= nf_ct_helper_ext_add(ct
, helper
, GFP_ATOMIC
);
1648 /* set private helper data if allowed. */
1649 if (helper
->from_nlattr
)
1650 helper
->from_nlattr(helpinfo
, ct
);
1652 /* not in hash table yet so not strictly necessary */
1653 RCU_INIT_POINTER(help
->helper
, helper
);
1656 /* try an implicit helper assignation */
1657 err
= __nf_ct_try_assign_helper(ct
, NULL
, GFP_ATOMIC
);
1662 if (cda
[CTA_NAT_SRC
] || cda
[CTA_NAT_DST
]) {
1663 err
= ctnetlink_change_nat(ct
, cda
);
1668 nf_ct_acct_ext_add(ct
, GFP_ATOMIC
);
1669 nf_ct_tstamp_ext_add(ct
, GFP_ATOMIC
);
1670 nf_ct_ecache_ext_add(ct
, 0, 0, GFP_ATOMIC
);
1671 nf_ct_labels_ext_add(ct
);
1673 /* we must add conntrack extensions before confirmation. */
1674 ct
->status
|= IPS_CONFIRMED
;
1676 if (cda
[CTA_STATUS
]) {
1677 err
= ctnetlink_change_status(ct
, cda
);
1682 if (cda
[CTA_SEQ_ADJ_ORIG
] || cda
[CTA_SEQ_ADJ_REPLY
]) {
1683 err
= ctnetlink_change_seq_adj(ct
, cda
);
1688 memset(&ct
->proto
, 0, sizeof(ct
->proto
));
1689 if (cda
[CTA_PROTOINFO
]) {
1690 err
= ctnetlink_change_protoinfo(ct
, cda
);
1695 #if defined(CONFIG_NF_CONNTRACK_MARK)
1697 ct
->mark
= ntohl(nla_get_be32(cda
[CTA_MARK
]));
1700 /* setup master conntrack: this is a confirmed expectation */
1701 if (cda
[CTA_TUPLE_MASTER
]) {
1702 struct nf_conntrack_tuple master
;
1703 struct nf_conntrack_tuple_hash
*master_h
;
1704 struct nf_conn
*master_ct
;
1706 err
= ctnetlink_parse_tuple(cda
, &master
, CTA_TUPLE_MASTER
, u3
);
1710 master_h
= nf_conntrack_find_get(net
, zone
, &master
);
1711 if (master_h
== NULL
) {
1715 master_ct
= nf_ct_tuplehash_to_ctrack(master_h
);
1716 __set_bit(IPS_EXPECTED_BIT
, &ct
->status
);
1717 ct
->master
= master_ct
;
1719 tstamp
= nf_conn_tstamp_find(ct
);
1721 tstamp
->start
= ktime_to_ns(ktime_get_real());
1723 err
= nf_conntrack_hash_check_insert(ct
);
1734 nf_conntrack_free(ct
);
1735 return ERR_PTR(err
);
1739 ctnetlink_new_conntrack(struct sock
*ctnl
, struct sk_buff
*skb
,
1740 const struct nlmsghdr
*nlh
,
1741 const struct nlattr
* const cda
[])
1743 struct net
*net
= sock_net(ctnl
);
1744 struct nf_conntrack_tuple otuple
, rtuple
;
1745 struct nf_conntrack_tuple_hash
*h
= NULL
;
1746 struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
1748 u_int8_t u3
= nfmsg
->nfgen_family
;
1752 err
= ctnetlink_parse_zone(cda
[CTA_ZONE
], &zone
);
1756 if (cda
[CTA_TUPLE_ORIG
]) {
1757 err
= ctnetlink_parse_tuple(cda
, &otuple
, CTA_TUPLE_ORIG
, u3
);
1762 if (cda
[CTA_TUPLE_REPLY
]) {
1763 err
= ctnetlink_parse_tuple(cda
, &rtuple
, CTA_TUPLE_REPLY
, u3
);
1768 if (cda
[CTA_TUPLE_ORIG
])
1769 h
= nf_conntrack_find_get(net
, zone
, &otuple
);
1770 else if (cda
[CTA_TUPLE_REPLY
])
1771 h
= nf_conntrack_find_get(net
, zone
, &rtuple
);
1775 if (nlh
->nlmsg_flags
& NLM_F_CREATE
) {
1776 enum ip_conntrack_events events
;
1778 if (!cda
[CTA_TUPLE_ORIG
] || !cda
[CTA_TUPLE_REPLY
])
1781 ct
= ctnetlink_create_conntrack(net
, zone
, cda
, &otuple
,
1787 if (test_bit(IPS_EXPECTED_BIT
, &ct
->status
))
1788 events
= IPCT_RELATED
;
1792 if (cda
[CTA_LABELS
] &&
1793 ctnetlink_attach_labels(ct
, cda
) == 0)
1794 events
|= (1 << IPCT_LABEL
);
1796 nf_conntrack_eventmask_report((1 << IPCT_REPLY
) |
1797 (1 << IPCT_ASSURED
) |
1798 (1 << IPCT_HELPER
) |
1799 (1 << IPCT_PROTOINFO
) |
1800 (1 << IPCT_SEQADJ
) |
1801 (1 << IPCT_MARK
) | events
,
1802 ct
, NETLINK_CB(skb
).portid
,
1809 /* implicit 'else' */
1812 ct
= nf_ct_tuplehash_to_ctrack(h
);
1813 if (!(nlh
->nlmsg_flags
& NLM_F_EXCL
)) {
1814 spin_lock_bh(&nf_conntrack_lock
);
1815 err
= ctnetlink_change_conntrack(ct
, cda
);
1816 spin_unlock_bh(&nf_conntrack_lock
);
1818 nf_conntrack_eventmask_report((1 << IPCT_REPLY
) |
1819 (1 << IPCT_ASSURED
) |
1820 (1 << IPCT_HELPER
) |
1822 (1 << IPCT_PROTOINFO
) |
1823 (1 << IPCT_SEQADJ
) |
1825 ct
, NETLINK_CB(skb
).portid
,
1835 ctnetlink_ct_stat_cpu_fill_info(struct sk_buff
*skb
, u32 portid
, u32 seq
,
1836 __u16 cpu
, const struct ip_conntrack_stat
*st
)
1838 struct nlmsghdr
*nlh
;
1839 struct nfgenmsg
*nfmsg
;
1840 unsigned int flags
= portid
? NLM_F_MULTI
: 0, event
;
1842 event
= (NFNL_SUBSYS_CTNETLINK
<< 8 | IPCTNL_MSG_CT_GET_STATS_CPU
);
1843 nlh
= nlmsg_put(skb
, portid
, seq
, event
, sizeof(*nfmsg
), flags
);
1847 nfmsg
= nlmsg_data(nlh
);
1848 nfmsg
->nfgen_family
= AF_UNSPEC
;
1849 nfmsg
->version
= NFNETLINK_V0
;
1850 nfmsg
->res_id
= htons(cpu
);
1852 if (nla_put_be32(skb
, CTA_STATS_SEARCHED
, htonl(st
->searched
)) ||
1853 nla_put_be32(skb
, CTA_STATS_FOUND
, htonl(st
->found
)) ||
1854 nla_put_be32(skb
, CTA_STATS_NEW
, htonl(st
->new)) ||
1855 nla_put_be32(skb
, CTA_STATS_INVALID
, htonl(st
->invalid
)) ||
1856 nla_put_be32(skb
, CTA_STATS_IGNORE
, htonl(st
->ignore
)) ||
1857 nla_put_be32(skb
, CTA_STATS_DELETE
, htonl(st
->delete)) ||
1858 nla_put_be32(skb
, CTA_STATS_DELETE_LIST
, htonl(st
->delete_list
)) ||
1859 nla_put_be32(skb
, CTA_STATS_INSERT
, htonl(st
->insert
)) ||
1860 nla_put_be32(skb
, CTA_STATS_INSERT_FAILED
,
1861 htonl(st
->insert_failed
)) ||
1862 nla_put_be32(skb
, CTA_STATS_DROP
, htonl(st
->drop
)) ||
1863 nla_put_be32(skb
, CTA_STATS_EARLY_DROP
, htonl(st
->early_drop
)) ||
1864 nla_put_be32(skb
, CTA_STATS_ERROR
, htonl(st
->error
)) ||
1865 nla_put_be32(skb
, CTA_STATS_SEARCH_RESTART
,
1866 htonl(st
->search_restart
)))
1867 goto nla_put_failure
;
1869 nlmsg_end(skb
, nlh
);
1874 nlmsg_cancel(skb
, nlh
);
1879 ctnetlink_ct_stat_cpu_dump(struct sk_buff
*skb
, struct netlink_callback
*cb
)
1882 struct net
*net
= sock_net(skb
->sk
);
1884 if (cb
->args
[0] == nr_cpu_ids
)
1887 for (cpu
= cb
->args
[0]; cpu
< nr_cpu_ids
; cpu
++) {
1888 const struct ip_conntrack_stat
*st
;
1890 if (!cpu_possible(cpu
))
1893 st
= per_cpu_ptr(net
->ct
.stat
, cpu
);
1894 if (ctnetlink_ct_stat_cpu_fill_info(skb
,
1895 NETLINK_CB(cb
->skb
).portid
,
1906 ctnetlink_stat_ct_cpu(struct sock
*ctnl
, struct sk_buff
*skb
,
1907 const struct nlmsghdr
*nlh
,
1908 const struct nlattr
* const cda
[])
1910 if (nlh
->nlmsg_flags
& NLM_F_DUMP
) {
1911 struct netlink_dump_control c
= {
1912 .dump
= ctnetlink_ct_stat_cpu_dump
,
1914 return netlink_dump_start(ctnl
, skb
, nlh
, &c
);
1921 ctnetlink_stat_ct_fill_info(struct sk_buff
*skb
, u32 portid
, u32 seq
, u32 type
,
1924 struct nlmsghdr
*nlh
;
1925 struct nfgenmsg
*nfmsg
;
1926 unsigned int flags
= portid
? NLM_F_MULTI
: 0, event
;
1927 unsigned int nr_conntracks
= atomic_read(&net
->ct
.count
);
1929 event
= (NFNL_SUBSYS_CTNETLINK
<< 8 | IPCTNL_MSG_CT_GET_STATS
);
1930 nlh
= nlmsg_put(skb
, portid
, seq
, event
, sizeof(*nfmsg
), flags
);
1934 nfmsg
= nlmsg_data(nlh
);
1935 nfmsg
->nfgen_family
= AF_UNSPEC
;
1936 nfmsg
->version
= NFNETLINK_V0
;
1939 if (nla_put_be32(skb
, CTA_STATS_GLOBAL_ENTRIES
, htonl(nr_conntracks
)))
1940 goto nla_put_failure
;
1942 nlmsg_end(skb
, nlh
);
1947 nlmsg_cancel(skb
, nlh
);
1952 ctnetlink_stat_ct(struct sock
*ctnl
, struct sk_buff
*skb
,
1953 const struct nlmsghdr
*nlh
,
1954 const struct nlattr
* const cda
[])
1956 struct sk_buff
*skb2
;
1959 skb2
= nlmsg_new(NLMSG_DEFAULT_SIZE
, GFP_KERNEL
);
1963 err
= ctnetlink_stat_ct_fill_info(skb2
, NETLINK_CB(skb
).portid
,
1965 NFNL_MSG_TYPE(nlh
->nlmsg_type
),
1970 err
= netlink_unicast(ctnl
, skb2
, NETLINK_CB(skb
).portid
, MSG_DONTWAIT
);
1979 /* this avoids a loop in nfnetlink. */
1980 return err
== -EAGAIN
? -ENOBUFS
: err
;
1983 static const struct nla_policy exp_nla_policy
[CTA_EXPECT_MAX
+1] = {
1984 [CTA_EXPECT_MASTER
] = { .type
= NLA_NESTED
},
1985 [CTA_EXPECT_TUPLE
] = { .type
= NLA_NESTED
},
1986 [CTA_EXPECT_MASK
] = { .type
= NLA_NESTED
},
1987 [CTA_EXPECT_TIMEOUT
] = { .type
= NLA_U32
},
1988 [CTA_EXPECT_ID
] = { .type
= NLA_U32
},
1989 [CTA_EXPECT_HELP_NAME
] = { .type
= NLA_NUL_STRING
,
1990 .len
= NF_CT_HELPER_NAME_LEN
- 1 },
1991 [CTA_EXPECT_ZONE
] = { .type
= NLA_U16
},
1992 [CTA_EXPECT_FLAGS
] = { .type
= NLA_U32
},
1993 [CTA_EXPECT_CLASS
] = { .type
= NLA_U32
},
1994 [CTA_EXPECT_NAT
] = { .type
= NLA_NESTED
},
1995 [CTA_EXPECT_FN
] = { .type
= NLA_NUL_STRING
},
1998 static struct nf_conntrack_expect
*
1999 ctnetlink_alloc_expect(const struct nlattr
*const cda
[], struct nf_conn
*ct
,
2000 struct nf_conntrack_helper
*helper
,
2001 struct nf_conntrack_tuple
*tuple
,
2002 struct nf_conntrack_tuple
*mask
);
2004 #ifdef CONFIG_NETFILTER_NETLINK_QUEUE_CT
2006 ctnetlink_nfqueue_build_size(const struct nf_conn
*ct
)
2008 return 3 * nla_total_size(0) /* CTA_TUPLE_ORIG|REPL|MASTER */
2009 + 3 * nla_total_size(0) /* CTA_TUPLE_IP */
2010 + 3 * nla_total_size(0) /* CTA_TUPLE_PROTO */
2011 + 3 * nla_total_size(sizeof(u_int8_t
)) /* CTA_PROTO_NUM */
2012 + nla_total_size(sizeof(u_int32_t
)) /* CTA_ID */
2013 + nla_total_size(sizeof(u_int32_t
)) /* CTA_STATUS */
2014 + nla_total_size(sizeof(u_int32_t
)) /* CTA_TIMEOUT */
2015 + nla_total_size(0) /* CTA_PROTOINFO */
2016 + nla_total_size(0) /* CTA_HELP */
2017 + nla_total_size(NF_CT_HELPER_NAME_LEN
) /* CTA_HELP_NAME */
2018 + ctnetlink_secctx_size(ct
)
2019 #ifdef CONFIG_NF_NAT_NEEDED
2020 + 2 * nla_total_size(0) /* CTA_NAT_SEQ_ADJ_ORIG|REPL */
2021 + 6 * nla_total_size(sizeof(u_int32_t
)) /* CTA_NAT_SEQ_OFFSET */
2023 #ifdef CONFIG_NF_CONNTRACK_MARK
2024 + nla_total_size(sizeof(u_int32_t
)) /* CTA_MARK */
2026 + ctnetlink_proto_size(ct
)
2031 ctnetlink_nfqueue_build(struct sk_buff
*skb
, struct nf_conn
*ct
)
2033 struct nlattr
*nest_parms
;
2036 nest_parms
= nla_nest_start(skb
, CTA_TUPLE_ORIG
| NLA_F_NESTED
);
2038 goto nla_put_failure
;
2039 if (ctnetlink_dump_tuples(skb
, nf_ct_tuple(ct
, IP_CT_DIR_ORIGINAL
)) < 0)
2040 goto nla_put_failure
;
2041 nla_nest_end(skb
, nest_parms
);
2043 nest_parms
= nla_nest_start(skb
, CTA_TUPLE_REPLY
| NLA_F_NESTED
);
2045 goto nla_put_failure
;
2046 if (ctnetlink_dump_tuples(skb
, nf_ct_tuple(ct
, IP_CT_DIR_REPLY
)) < 0)
2047 goto nla_put_failure
;
2048 nla_nest_end(skb
, nest_parms
);
2050 if (nf_ct_zone(ct
)) {
2051 if (nla_put_be16(skb
, CTA_ZONE
, htons(nf_ct_zone(ct
))))
2052 goto nla_put_failure
;
2055 if (ctnetlink_dump_id(skb
, ct
) < 0)
2056 goto nla_put_failure
;
2058 if (ctnetlink_dump_status(skb
, ct
) < 0)
2059 goto nla_put_failure
;
2061 if (ctnetlink_dump_timeout(skb
, ct
) < 0)
2062 goto nla_put_failure
;
2064 if (ctnetlink_dump_protoinfo(skb
, ct
) < 0)
2065 goto nla_put_failure
;
2067 if (ctnetlink_dump_helpinfo(skb
, ct
) < 0)
2068 goto nla_put_failure
;
2070 #ifdef CONFIG_NF_CONNTRACK_SECMARK
2071 if (ct
->secmark
&& ctnetlink_dump_secctx(skb
, ct
) < 0)
2072 goto nla_put_failure
;
2074 if (ct
->master
&& ctnetlink_dump_master(skb
, ct
) < 0)
2075 goto nla_put_failure
;
2077 if ((ct
->status
& IPS_SEQ_ADJUST
) &&
2078 ctnetlink_dump_ct_seq_adj(skb
, ct
) < 0)
2079 goto nla_put_failure
;
2081 #ifdef CONFIG_NF_CONNTRACK_MARK
2082 if (ct
->mark
&& ctnetlink_dump_mark(skb
, ct
) < 0)
2083 goto nla_put_failure
;
2085 if (ctnetlink_dump_labels(skb
, ct
) < 0)
2086 goto nla_put_failure
;
2096 ctnetlink_nfqueue_parse_ct(const struct nlattr
*cda
[], struct nf_conn
*ct
)
2100 if (cda
[CTA_TIMEOUT
]) {
2101 err
= ctnetlink_change_timeout(ct
, cda
);
2105 if (cda
[CTA_STATUS
]) {
2106 err
= ctnetlink_change_status(ct
, cda
);
2110 if (cda
[CTA_HELP
]) {
2111 err
= ctnetlink_change_helper(ct
, cda
);
2115 if (cda
[CTA_LABELS
]) {
2116 err
= ctnetlink_attach_labels(ct
, cda
);
2120 #if defined(CONFIG_NF_CONNTRACK_MARK)
2122 ct
->mark
= ntohl(nla_get_be32(cda
[CTA_MARK
]));
2128 ctnetlink_nfqueue_parse(const struct nlattr
*attr
, struct nf_conn
*ct
)
2130 struct nlattr
*cda
[CTA_MAX
+1];
2133 ret
= nla_parse_nested(cda
, CTA_MAX
, attr
, ct_nla_policy
);
2137 spin_lock_bh(&nf_conntrack_lock
);
2138 ret
= ctnetlink_nfqueue_parse_ct((const struct nlattr
**)cda
, ct
);
2139 spin_unlock_bh(&nf_conntrack_lock
);
2144 static int ctnetlink_nfqueue_exp_parse(const struct nlattr
* const *cda
,
2145 const struct nf_conn
*ct
,
2146 struct nf_conntrack_tuple
*tuple
,
2147 struct nf_conntrack_tuple
*mask
)
2151 err
= ctnetlink_parse_tuple(cda
, tuple
, CTA_EXPECT_TUPLE
,
2156 return ctnetlink_parse_tuple(cda
, mask
, CTA_EXPECT_MASK
,
2161 ctnetlink_nfqueue_attach_expect(const struct nlattr
*attr
, struct nf_conn
*ct
,
2162 u32 portid
, u32 report
)
2164 struct nlattr
*cda
[CTA_EXPECT_MAX
+1];
2165 struct nf_conntrack_tuple tuple
, mask
;
2166 struct nf_conntrack_helper
*helper
= NULL
;
2167 struct nf_conntrack_expect
*exp
;
2170 err
= nla_parse_nested(cda
, CTA_EXPECT_MAX
, attr
, exp_nla_policy
);
2174 err
= ctnetlink_nfqueue_exp_parse((const struct nlattr
* const *)cda
,
2179 if (cda
[CTA_EXPECT_HELP_NAME
]) {
2180 const char *helpname
= nla_data(cda
[CTA_EXPECT_HELP_NAME
]);
2182 helper
= __nf_conntrack_helper_find(helpname
, nf_ct_l3num(ct
),
2183 nf_ct_protonum(ct
));
2188 exp
= ctnetlink_alloc_expect((const struct nlattr
* const *)cda
, ct
,
2189 helper
, &tuple
, &mask
);
2191 return PTR_ERR(exp
);
2193 err
= nf_ct_expect_related_report(exp
, portid
, report
);
2195 nf_ct_expect_put(exp
);
2202 static struct nfq_ct_hook ctnetlink_nfqueue_hook
= {
2203 .build_size
= ctnetlink_nfqueue_build_size
,
2204 .build
= ctnetlink_nfqueue_build
,
2205 .parse
= ctnetlink_nfqueue_parse
,
2206 .attach_expect
= ctnetlink_nfqueue_attach_expect
,
2207 .seq_adjust
= nf_ct_tcp_seqadj_set
,
2209 #endif /* CONFIG_NETFILTER_NETLINK_QUEUE_CT */
2211 /***********************************************************************
2213 ***********************************************************************/
2216 ctnetlink_exp_dump_tuple(struct sk_buff
*skb
,
2217 const struct nf_conntrack_tuple
*tuple
,
2218 enum ctattr_expect type
)
2220 struct nlattr
*nest_parms
;
2222 nest_parms
= nla_nest_start(skb
, type
| NLA_F_NESTED
);
2224 goto nla_put_failure
;
2225 if (ctnetlink_dump_tuples(skb
, tuple
) < 0)
2226 goto nla_put_failure
;
2227 nla_nest_end(skb
, nest_parms
);
2236 ctnetlink_exp_dump_mask(struct sk_buff
*skb
,
2237 const struct nf_conntrack_tuple
*tuple
,
2238 const struct nf_conntrack_tuple_mask
*mask
)
2241 struct nf_conntrack_l3proto
*l3proto
;
2242 struct nf_conntrack_l4proto
*l4proto
;
2243 struct nf_conntrack_tuple m
;
2244 struct nlattr
*nest_parms
;
2246 memset(&m
, 0xFF, sizeof(m
));
2247 memcpy(&m
.src
.u3
, &mask
->src
.u3
, sizeof(m
.src
.u3
));
2248 m
.src
.u
.all
= mask
->src
.u
.all
;
2249 m
.dst
.protonum
= tuple
->dst
.protonum
;
2251 nest_parms
= nla_nest_start(skb
, CTA_EXPECT_MASK
| NLA_F_NESTED
);
2253 goto nla_put_failure
;
2256 l3proto
= __nf_ct_l3proto_find(tuple
->src
.l3num
);
2257 ret
= ctnetlink_dump_tuples_ip(skb
, &m
, l3proto
);
2259 l4proto
= __nf_ct_l4proto_find(tuple
->src
.l3num
,
2260 tuple
->dst
.protonum
);
2261 ret
= ctnetlink_dump_tuples_proto(skb
, &m
, l4proto
);
2265 if (unlikely(ret
< 0))
2266 goto nla_put_failure
;
2268 nla_nest_end(skb
, nest_parms
);
2276 static const union nf_inet_addr any_addr
;
2279 ctnetlink_exp_dump_expect(struct sk_buff
*skb
,
2280 const struct nf_conntrack_expect
*exp
)
2282 struct nf_conn
*master
= exp
->master
;
2283 long timeout
= ((long)exp
->timeout
.expires
- (long)jiffies
) / HZ
;
2284 struct nf_conn_help
*help
;
2285 #ifdef CONFIG_NF_NAT_NEEDED
2286 struct nlattr
*nest_parms
;
2287 struct nf_conntrack_tuple nat_tuple
= {};
2289 struct nf_ct_helper_expectfn
*expfn
;
2294 if (ctnetlink_exp_dump_tuple(skb
, &exp
->tuple
, CTA_EXPECT_TUPLE
) < 0)
2295 goto nla_put_failure
;
2296 if (ctnetlink_exp_dump_mask(skb
, &exp
->tuple
, &exp
->mask
) < 0)
2297 goto nla_put_failure
;
2298 if (ctnetlink_exp_dump_tuple(skb
,
2299 &master
->tuplehash
[IP_CT_DIR_ORIGINAL
].tuple
,
2300 CTA_EXPECT_MASTER
) < 0)
2301 goto nla_put_failure
;
2303 #ifdef CONFIG_NF_NAT_NEEDED
2304 if (!nf_inet_addr_cmp(&exp
->saved_addr
, &any_addr
) ||
2305 exp
->saved_proto
.all
) {
2306 nest_parms
= nla_nest_start(skb
, CTA_EXPECT_NAT
| NLA_F_NESTED
);
2308 goto nla_put_failure
;
2310 if (nla_put_be32(skb
, CTA_EXPECT_NAT_DIR
, htonl(exp
->dir
)))
2311 goto nla_put_failure
;
2313 nat_tuple
.src
.l3num
= nf_ct_l3num(master
);
2314 nat_tuple
.src
.u3
= exp
->saved_addr
;
2315 nat_tuple
.dst
.protonum
= nf_ct_protonum(master
);
2316 nat_tuple
.src
.u
= exp
->saved_proto
;
2318 if (ctnetlink_exp_dump_tuple(skb
, &nat_tuple
,
2319 CTA_EXPECT_NAT_TUPLE
) < 0)
2320 goto nla_put_failure
;
2321 nla_nest_end(skb
, nest_parms
);
2324 if (nla_put_be32(skb
, CTA_EXPECT_TIMEOUT
, htonl(timeout
)) ||
2325 nla_put_be32(skb
, CTA_EXPECT_ID
, htonl((unsigned long)exp
)) ||
2326 nla_put_be32(skb
, CTA_EXPECT_FLAGS
, htonl(exp
->flags
)) ||
2327 nla_put_be32(skb
, CTA_EXPECT_CLASS
, htonl(exp
->class)))
2328 goto nla_put_failure
;
2329 help
= nfct_help(master
);
2331 struct nf_conntrack_helper
*helper
;
2333 helper
= rcu_dereference(help
->helper
);
2335 nla_put_string(skb
, CTA_EXPECT_HELP_NAME
, helper
->name
))
2336 goto nla_put_failure
;
2338 expfn
= nf_ct_helper_expectfn_find_by_symbol(exp
->expectfn
);
2339 if (expfn
!= NULL
&&
2340 nla_put_string(skb
, CTA_EXPECT_FN
, expfn
->name
))
2341 goto nla_put_failure
;
2350 ctnetlink_exp_fill_info(struct sk_buff
*skb
, u32 portid
, u32 seq
,
2351 int event
, const struct nf_conntrack_expect
*exp
)
2353 struct nlmsghdr
*nlh
;
2354 struct nfgenmsg
*nfmsg
;
2355 unsigned int flags
= portid
? NLM_F_MULTI
: 0;
2357 event
|= NFNL_SUBSYS_CTNETLINK_EXP
<< 8;
2358 nlh
= nlmsg_put(skb
, portid
, seq
, event
, sizeof(*nfmsg
), flags
);
2362 nfmsg
= nlmsg_data(nlh
);
2363 nfmsg
->nfgen_family
= exp
->tuple
.src
.l3num
;
2364 nfmsg
->version
= NFNETLINK_V0
;
2367 if (ctnetlink_exp_dump_expect(skb
, exp
) < 0)
2368 goto nla_put_failure
;
2370 nlmsg_end(skb
, nlh
);
2375 nlmsg_cancel(skb
, nlh
);
2379 #ifdef CONFIG_NF_CONNTRACK_EVENTS
2381 ctnetlink_expect_event(unsigned int events
, struct nf_exp_event
*item
)
2383 struct nf_conntrack_expect
*exp
= item
->exp
;
2384 struct net
*net
= nf_ct_exp_net(exp
);
2385 struct nlmsghdr
*nlh
;
2386 struct nfgenmsg
*nfmsg
;
2387 struct sk_buff
*skb
;
2388 unsigned int type
, group
;
2391 if (events
& (1 << IPEXP_DESTROY
)) {
2392 type
= IPCTNL_MSG_EXP_DELETE
;
2393 group
= NFNLGRP_CONNTRACK_EXP_DESTROY
;
2394 } else if (events
& (1 << IPEXP_NEW
)) {
2395 type
= IPCTNL_MSG_EXP_NEW
;
2396 flags
= NLM_F_CREATE
|NLM_F_EXCL
;
2397 group
= NFNLGRP_CONNTRACK_EXP_NEW
;
2401 if (!item
->report
&& !nfnetlink_has_listeners(net
, group
))
2404 skb
= nlmsg_new(NLMSG_DEFAULT_SIZE
, GFP_ATOMIC
);
2408 type
|= NFNL_SUBSYS_CTNETLINK_EXP
<< 8;
2409 nlh
= nlmsg_put(skb
, item
->portid
, 0, type
, sizeof(*nfmsg
), flags
);
2413 nfmsg
= nlmsg_data(nlh
);
2414 nfmsg
->nfgen_family
= exp
->tuple
.src
.l3num
;
2415 nfmsg
->version
= NFNETLINK_V0
;
2419 if (ctnetlink_exp_dump_expect(skb
, exp
) < 0)
2420 goto nla_put_failure
;
2423 nlmsg_end(skb
, nlh
);
2424 nfnetlink_send(skb
, net
, item
->portid
, group
, item
->report
, GFP_ATOMIC
);
2429 nlmsg_cancel(skb
, nlh
);
2433 nfnetlink_set_err(net
, 0, 0, -ENOBUFS
);
2437 static int ctnetlink_exp_done(struct netlink_callback
*cb
)
2440 nf_ct_expect_put((struct nf_conntrack_expect
*)cb
->args
[1]);
2445 ctnetlink_exp_dump_table(struct sk_buff
*skb
, struct netlink_callback
*cb
)
2447 struct net
*net
= sock_net(skb
->sk
);
2448 struct nf_conntrack_expect
*exp
, *last
;
2449 struct nfgenmsg
*nfmsg
= nlmsg_data(cb
->nlh
);
2450 u_int8_t l3proto
= nfmsg
->nfgen_family
;
2453 last
= (struct nf_conntrack_expect
*)cb
->args
[1];
2454 for (; cb
->args
[0] < nf_ct_expect_hsize
; cb
->args
[0]++) {
2456 hlist_for_each_entry(exp
, &net
->ct
.expect_hash
[cb
->args
[0]],
2458 if (l3proto
&& exp
->tuple
.src
.l3num
!= l3proto
)
2465 if (ctnetlink_exp_fill_info(skb
,
2466 NETLINK_CB(cb
->skb
).portid
,
2470 if (!atomic_inc_not_zero(&exp
->use
))
2472 cb
->args
[1] = (unsigned long)exp
;
2484 nf_ct_expect_put(last
);
2490 ctnetlink_exp_ct_dump_table(struct sk_buff
*skb
, struct netlink_callback
*cb
)
2492 struct nf_conntrack_expect
*exp
, *last
;
2493 struct nfgenmsg
*nfmsg
= nlmsg_data(cb
->nlh
);
2494 struct nf_conn
*ct
= cb
->data
;
2495 struct nf_conn_help
*help
= nfct_help(ct
);
2496 u_int8_t l3proto
= nfmsg
->nfgen_family
;
2502 last
= (struct nf_conntrack_expect
*)cb
->args
[1];
2504 hlist_for_each_entry(exp
, &help
->expectations
, lnode
) {
2505 if (l3proto
&& exp
->tuple
.src
.l3num
!= l3proto
)
2512 if (ctnetlink_exp_fill_info(skb
, NETLINK_CB(cb
->skb
).portid
,
2516 if (!atomic_inc_not_zero(&exp
->use
))
2518 cb
->args
[1] = (unsigned long)exp
;
2530 nf_ct_expect_put(last
);
2535 static int ctnetlink_dump_exp_ct(struct sock
*ctnl
, struct sk_buff
*skb
,
2536 const struct nlmsghdr
*nlh
,
2537 const struct nlattr
* const cda
[])
2540 struct net
*net
= sock_net(ctnl
);
2541 struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
2542 u_int8_t u3
= nfmsg
->nfgen_family
;
2543 struct nf_conntrack_tuple tuple
;
2544 struct nf_conntrack_tuple_hash
*h
;
2547 struct netlink_dump_control c
= {
2548 .dump
= ctnetlink_exp_ct_dump_table
,
2549 .done
= ctnetlink_exp_done
,
2552 err
= ctnetlink_parse_tuple(cda
, &tuple
, CTA_EXPECT_MASTER
, u3
);
2556 if (cda
[CTA_EXPECT_ZONE
]) {
2557 err
= ctnetlink_parse_zone(cda
[CTA_EXPECT_ZONE
], &zone
);
2562 h
= nf_conntrack_find_get(net
, zone
, &tuple
);
2566 ct
= nf_ct_tuplehash_to_ctrack(h
);
2569 err
= netlink_dump_start(ctnl
, skb
, nlh
, &c
);
2576 ctnetlink_get_expect(struct sock
*ctnl
, struct sk_buff
*skb
,
2577 const struct nlmsghdr
*nlh
,
2578 const struct nlattr
* const cda
[])
2580 struct net
*net
= sock_net(ctnl
);
2581 struct nf_conntrack_tuple tuple
;
2582 struct nf_conntrack_expect
*exp
;
2583 struct sk_buff
*skb2
;
2584 struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
2585 u_int8_t u3
= nfmsg
->nfgen_family
;
2589 if (nlh
->nlmsg_flags
& NLM_F_DUMP
) {
2590 if (cda
[CTA_EXPECT_MASTER
])
2591 return ctnetlink_dump_exp_ct(ctnl
, skb
, nlh
, cda
);
2593 struct netlink_dump_control c
= {
2594 .dump
= ctnetlink_exp_dump_table
,
2595 .done
= ctnetlink_exp_done
,
2597 return netlink_dump_start(ctnl
, skb
, nlh
, &c
);
2601 err
= ctnetlink_parse_zone(cda
[CTA_EXPECT_ZONE
], &zone
);
2605 if (cda
[CTA_EXPECT_TUPLE
])
2606 err
= ctnetlink_parse_tuple(cda
, &tuple
, CTA_EXPECT_TUPLE
, u3
);
2607 else if (cda
[CTA_EXPECT_MASTER
])
2608 err
= ctnetlink_parse_tuple(cda
, &tuple
, CTA_EXPECT_MASTER
, u3
);
2615 exp
= nf_ct_expect_find_get(net
, zone
, &tuple
);
2619 if (cda
[CTA_EXPECT_ID
]) {
2620 __be32 id
= nla_get_be32(cda
[CTA_EXPECT_ID
]);
2621 if (ntohl(id
) != (u32
)(unsigned long)exp
) {
2622 nf_ct_expect_put(exp
);
2628 skb2
= nlmsg_new(NLMSG_DEFAULT_SIZE
, GFP_KERNEL
);
2630 nf_ct_expect_put(exp
);
2635 err
= ctnetlink_exp_fill_info(skb2
, NETLINK_CB(skb
).portid
,
2636 nlh
->nlmsg_seq
, IPCTNL_MSG_EXP_NEW
, exp
);
2638 nf_ct_expect_put(exp
);
2642 err
= netlink_unicast(ctnl
, skb2
, NETLINK_CB(skb
).portid
, MSG_DONTWAIT
);
2651 /* this avoids a loop in nfnetlink. */
2652 return err
== -EAGAIN
? -ENOBUFS
: err
;
2656 ctnetlink_del_expect(struct sock
*ctnl
, struct sk_buff
*skb
,
2657 const struct nlmsghdr
*nlh
,
2658 const struct nlattr
* const cda
[])
2660 struct net
*net
= sock_net(ctnl
);
2661 struct nf_conntrack_expect
*exp
;
2662 struct nf_conntrack_tuple tuple
;
2663 struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
2664 struct hlist_node
*next
;
2665 u_int8_t u3
= nfmsg
->nfgen_family
;
2670 if (cda
[CTA_EXPECT_TUPLE
]) {
2671 /* delete a single expect by tuple */
2672 err
= ctnetlink_parse_zone(cda
[CTA_EXPECT_ZONE
], &zone
);
2676 err
= ctnetlink_parse_tuple(cda
, &tuple
, CTA_EXPECT_TUPLE
, u3
);
2680 /* bump usage count to 2 */
2681 exp
= nf_ct_expect_find_get(net
, zone
, &tuple
);
2685 if (cda
[CTA_EXPECT_ID
]) {
2686 __be32 id
= nla_get_be32(cda
[CTA_EXPECT_ID
]);
2687 if (ntohl(id
) != (u32
)(unsigned long)exp
) {
2688 nf_ct_expect_put(exp
);
2693 /* after list removal, usage count == 1 */
2694 spin_lock_bh(&nf_conntrack_lock
);
2695 if (del_timer(&exp
->timeout
)) {
2696 nf_ct_unlink_expect_report(exp
, NETLINK_CB(skb
).portid
,
2698 nf_ct_expect_put(exp
);
2700 spin_unlock_bh(&nf_conntrack_lock
);
2701 /* have to put what we 'get' above.
2702 * after this line usage count == 0 */
2703 nf_ct_expect_put(exp
);
2704 } else if (cda
[CTA_EXPECT_HELP_NAME
]) {
2705 char *name
= nla_data(cda
[CTA_EXPECT_HELP_NAME
]);
2706 struct nf_conn_help
*m_help
;
2708 /* delete all expectations for this helper */
2709 spin_lock_bh(&nf_conntrack_lock
);
2710 for (i
= 0; i
< nf_ct_expect_hsize
; i
++) {
2711 hlist_for_each_entry_safe(exp
, next
,
2712 &net
->ct
.expect_hash
[i
],
2714 m_help
= nfct_help(exp
->master
);
2715 if (!strcmp(m_help
->helper
->name
, name
) &&
2716 del_timer(&exp
->timeout
)) {
2717 nf_ct_unlink_expect_report(exp
,
2718 NETLINK_CB(skb
).portid
,
2720 nf_ct_expect_put(exp
);
2724 spin_unlock_bh(&nf_conntrack_lock
);
2726 /* This basically means we have to flush everything*/
2727 spin_lock_bh(&nf_conntrack_lock
);
2728 for (i
= 0; i
< nf_ct_expect_hsize
; i
++) {
2729 hlist_for_each_entry_safe(exp
, next
,
2730 &net
->ct
.expect_hash
[i
],
2732 if (del_timer(&exp
->timeout
)) {
2733 nf_ct_unlink_expect_report(exp
,
2734 NETLINK_CB(skb
).portid
,
2736 nf_ct_expect_put(exp
);
2740 spin_unlock_bh(&nf_conntrack_lock
);
2746 ctnetlink_change_expect(struct nf_conntrack_expect
*x
,
2747 const struct nlattr
* const cda
[])
2749 if (cda
[CTA_EXPECT_TIMEOUT
]) {
2750 if (!del_timer(&x
->timeout
))
2753 x
->timeout
.expires
= jiffies
+
2754 ntohl(nla_get_be32(cda
[CTA_EXPECT_TIMEOUT
])) * HZ
;
2755 add_timer(&x
->timeout
);
2760 static const struct nla_policy exp_nat_nla_policy
[CTA_EXPECT_NAT_MAX
+1] = {
2761 [CTA_EXPECT_NAT_DIR
] = { .type
= NLA_U32
},
2762 [CTA_EXPECT_NAT_TUPLE
] = { .type
= NLA_NESTED
},
2766 ctnetlink_parse_expect_nat(const struct nlattr
*attr
,
2767 struct nf_conntrack_expect
*exp
,
2770 #ifdef CONFIG_NF_NAT_NEEDED
2771 struct nlattr
*tb
[CTA_EXPECT_NAT_MAX
+1];
2772 struct nf_conntrack_tuple nat_tuple
= {};
2775 err
= nla_parse_nested(tb
, CTA_EXPECT_NAT_MAX
, attr
, exp_nat_nla_policy
);
2779 if (!tb
[CTA_EXPECT_NAT_DIR
] || !tb
[CTA_EXPECT_NAT_TUPLE
])
2782 err
= ctnetlink_parse_tuple((const struct nlattr
* const *)tb
,
2783 &nat_tuple
, CTA_EXPECT_NAT_TUPLE
, u3
);
2787 exp
->saved_addr
= nat_tuple
.src
.u3
;
2788 exp
->saved_proto
= nat_tuple
.src
.u
;
2789 exp
->dir
= ntohl(nla_get_be32(tb
[CTA_EXPECT_NAT_DIR
]));
2797 static struct nf_conntrack_expect
*
2798 ctnetlink_alloc_expect(const struct nlattr
* const cda
[], struct nf_conn
*ct
,
2799 struct nf_conntrack_helper
*helper
,
2800 struct nf_conntrack_tuple
*tuple
,
2801 struct nf_conntrack_tuple
*mask
)
2803 u_int32_t
class = 0;
2804 struct nf_conntrack_expect
*exp
;
2805 struct nf_conn_help
*help
;
2808 if (cda
[CTA_EXPECT_CLASS
] && helper
) {
2809 class = ntohl(nla_get_be32(cda
[CTA_EXPECT_CLASS
]));
2810 if (class > helper
->expect_class_max
)
2811 return ERR_PTR(-EINVAL
);
2813 exp
= nf_ct_expect_alloc(ct
);
2815 return ERR_PTR(-ENOMEM
);
2817 help
= nfct_help(ct
);
2819 if (!cda
[CTA_EXPECT_TIMEOUT
]) {
2823 exp
->timeout
.expires
=
2824 jiffies
+ ntohl(nla_get_be32(cda
[CTA_EXPECT_TIMEOUT
])) * HZ
;
2826 exp
->flags
= NF_CT_EXPECT_USERSPACE
;
2827 if (cda
[CTA_EXPECT_FLAGS
]) {
2829 ntohl(nla_get_be32(cda
[CTA_EXPECT_FLAGS
]));
2832 if (cda
[CTA_EXPECT_FLAGS
]) {
2833 exp
->flags
= ntohl(nla_get_be32(cda
[CTA_EXPECT_FLAGS
]));
2834 exp
->flags
&= ~NF_CT_EXPECT_USERSPACE
;
2838 if (cda
[CTA_EXPECT_FN
]) {
2839 const char *name
= nla_data(cda
[CTA_EXPECT_FN
]);
2840 struct nf_ct_helper_expectfn
*expfn
;
2842 expfn
= nf_ct_helper_expectfn_find_by_name(name
);
2843 if (expfn
== NULL
) {
2847 exp
->expectfn
= expfn
->expectfn
;
2849 exp
->expectfn
= NULL
;
2853 exp
->helper
= helper
;
2854 exp
->tuple
= *tuple
;
2855 exp
->mask
.src
.u3
= mask
->src
.u3
;
2856 exp
->mask
.src
.u
.all
= mask
->src
.u
.all
;
2858 if (cda
[CTA_EXPECT_NAT
]) {
2859 err
= ctnetlink_parse_expect_nat(cda
[CTA_EXPECT_NAT
],
2860 exp
, nf_ct_l3num(ct
));
2866 nf_ct_expect_put(exp
);
2867 return ERR_PTR(err
);
2871 ctnetlink_create_expect(struct net
*net
, u16 zone
,
2872 const struct nlattr
* const cda
[],
2873 u_int8_t u3
, u32 portid
, int report
)
2875 struct nf_conntrack_tuple tuple
, mask
, master_tuple
;
2876 struct nf_conntrack_tuple_hash
*h
= NULL
;
2877 struct nf_conntrack_helper
*helper
= NULL
;
2878 struct nf_conntrack_expect
*exp
;
2882 /* caller guarantees that those three CTA_EXPECT_* exist */
2883 err
= ctnetlink_parse_tuple(cda
, &tuple
, CTA_EXPECT_TUPLE
, u3
);
2886 err
= ctnetlink_parse_tuple(cda
, &mask
, CTA_EXPECT_MASK
, u3
);
2889 err
= ctnetlink_parse_tuple(cda
, &master_tuple
, CTA_EXPECT_MASTER
, u3
);
2893 /* Look for master conntrack of this expectation */
2894 h
= nf_conntrack_find_get(net
, zone
, &master_tuple
);
2897 ct
= nf_ct_tuplehash_to_ctrack(h
);
2899 if (cda
[CTA_EXPECT_HELP_NAME
]) {
2900 const char *helpname
= nla_data(cda
[CTA_EXPECT_HELP_NAME
]);
2902 helper
= __nf_conntrack_helper_find(helpname
, u3
,
2903 nf_ct_protonum(ct
));
2904 if (helper
== NULL
) {
2905 #ifdef CONFIG_MODULES
2906 if (request_module("nfct-helper-%s", helpname
) < 0) {
2910 helper
= __nf_conntrack_helper_find(helpname
, u3
,
2911 nf_ct_protonum(ct
));
2922 exp
= ctnetlink_alloc_expect(cda
, ct
, helper
, &tuple
, &mask
);
2928 err
= nf_ct_expect_related_report(exp
, portid
, report
);
2934 nf_ct_expect_put(exp
);
2941 ctnetlink_new_expect(struct sock
*ctnl
, struct sk_buff
*skb
,
2942 const struct nlmsghdr
*nlh
,
2943 const struct nlattr
* const cda
[])
2945 struct net
*net
= sock_net(ctnl
);
2946 struct nf_conntrack_tuple tuple
;
2947 struct nf_conntrack_expect
*exp
;
2948 struct nfgenmsg
*nfmsg
= nlmsg_data(nlh
);
2949 u_int8_t u3
= nfmsg
->nfgen_family
;
2953 if (!cda
[CTA_EXPECT_TUPLE
]
2954 || !cda
[CTA_EXPECT_MASK
]
2955 || !cda
[CTA_EXPECT_MASTER
])
2958 err
= ctnetlink_parse_zone(cda
[CTA_EXPECT_ZONE
], &zone
);
2962 err
= ctnetlink_parse_tuple(cda
, &tuple
, CTA_EXPECT_TUPLE
, u3
);
2966 spin_lock_bh(&nf_conntrack_lock
);
2967 exp
= __nf_ct_expect_find(net
, zone
, &tuple
);
2970 spin_unlock_bh(&nf_conntrack_lock
);
2972 if (nlh
->nlmsg_flags
& NLM_F_CREATE
) {
2973 err
= ctnetlink_create_expect(net
, zone
, cda
,
2975 NETLINK_CB(skb
).portid
,
2982 if (!(nlh
->nlmsg_flags
& NLM_F_EXCL
))
2983 err
= ctnetlink_change_expect(exp
, cda
);
2984 spin_unlock_bh(&nf_conntrack_lock
);
2990 ctnetlink_exp_stat_fill_info(struct sk_buff
*skb
, u32 portid
, u32 seq
, int cpu
,
2991 const struct ip_conntrack_stat
*st
)
2993 struct nlmsghdr
*nlh
;
2994 struct nfgenmsg
*nfmsg
;
2995 unsigned int flags
= portid
? NLM_F_MULTI
: 0, event
;
2997 event
= (NFNL_SUBSYS_CTNETLINK
<< 8 | IPCTNL_MSG_EXP_GET_STATS_CPU
);
2998 nlh
= nlmsg_put(skb
, portid
, seq
, event
, sizeof(*nfmsg
), flags
);
3002 nfmsg
= nlmsg_data(nlh
);
3003 nfmsg
->nfgen_family
= AF_UNSPEC
;
3004 nfmsg
->version
= NFNETLINK_V0
;
3005 nfmsg
->res_id
= htons(cpu
);
3007 if (nla_put_be32(skb
, CTA_STATS_EXP_NEW
, htonl(st
->expect_new
)) ||
3008 nla_put_be32(skb
, CTA_STATS_EXP_CREATE
, htonl(st
->expect_create
)) ||
3009 nla_put_be32(skb
, CTA_STATS_EXP_DELETE
, htonl(st
->expect_delete
)))
3010 goto nla_put_failure
;
3012 nlmsg_end(skb
, nlh
);
3017 nlmsg_cancel(skb
, nlh
);
3022 ctnetlink_exp_stat_cpu_dump(struct sk_buff
*skb
, struct netlink_callback
*cb
)
3025 struct net
*net
= sock_net(skb
->sk
);
3027 if (cb
->args
[0] == nr_cpu_ids
)
3030 for (cpu
= cb
->args
[0]; cpu
< nr_cpu_ids
; cpu
++) {
3031 const struct ip_conntrack_stat
*st
;
3033 if (!cpu_possible(cpu
))
3036 st
= per_cpu_ptr(net
->ct
.stat
, cpu
);
3037 if (ctnetlink_exp_stat_fill_info(skb
, NETLINK_CB(cb
->skb
).portid
,
3048 ctnetlink_stat_exp_cpu(struct sock
*ctnl
, struct sk_buff
*skb
,
3049 const struct nlmsghdr
*nlh
,
3050 const struct nlattr
* const cda
[])
3052 if (nlh
->nlmsg_flags
& NLM_F_DUMP
) {
3053 struct netlink_dump_control c
= {
3054 .dump
= ctnetlink_exp_stat_cpu_dump
,
3056 return netlink_dump_start(ctnl
, skb
, nlh
, &c
);
3062 #ifdef CONFIG_NF_CONNTRACK_EVENTS
3063 static struct nf_ct_event_notifier ctnl_notifier
= {
3064 .fcn
= ctnetlink_conntrack_event
,
3067 static struct nf_exp_event_notifier ctnl_notifier_exp
= {
3068 .fcn
= ctnetlink_expect_event
,
3072 static const struct nfnl_callback ctnl_cb
[IPCTNL_MSG_MAX
] = {
3073 [IPCTNL_MSG_CT_NEW
] = { .call
= ctnetlink_new_conntrack
,
3074 .attr_count
= CTA_MAX
,
3075 .policy
= ct_nla_policy
},
3076 [IPCTNL_MSG_CT_GET
] = { .call
= ctnetlink_get_conntrack
,
3077 .attr_count
= CTA_MAX
,
3078 .policy
= ct_nla_policy
},
3079 [IPCTNL_MSG_CT_DELETE
] = { .call
= ctnetlink_del_conntrack
,
3080 .attr_count
= CTA_MAX
,
3081 .policy
= ct_nla_policy
},
3082 [IPCTNL_MSG_CT_GET_CTRZERO
] = { .call
= ctnetlink_get_conntrack
,
3083 .attr_count
= CTA_MAX
,
3084 .policy
= ct_nla_policy
},
3085 [IPCTNL_MSG_CT_GET_STATS_CPU
] = { .call
= ctnetlink_stat_ct_cpu
},
3086 [IPCTNL_MSG_CT_GET_STATS
] = { .call
= ctnetlink_stat_ct
},
3087 [IPCTNL_MSG_CT_GET_DYING
] = { .call
= ctnetlink_get_ct_dying
},
3088 [IPCTNL_MSG_CT_GET_UNCONFIRMED
] = { .call
= ctnetlink_get_ct_unconfirmed
},
3091 static const struct nfnl_callback ctnl_exp_cb
[IPCTNL_MSG_EXP_MAX
] = {
3092 [IPCTNL_MSG_EXP_GET
] = { .call
= ctnetlink_get_expect
,
3093 .attr_count
= CTA_EXPECT_MAX
,
3094 .policy
= exp_nla_policy
},
3095 [IPCTNL_MSG_EXP_NEW
] = { .call
= ctnetlink_new_expect
,
3096 .attr_count
= CTA_EXPECT_MAX
,
3097 .policy
= exp_nla_policy
},
3098 [IPCTNL_MSG_EXP_DELETE
] = { .call
= ctnetlink_del_expect
,
3099 .attr_count
= CTA_EXPECT_MAX
,
3100 .policy
= exp_nla_policy
},
3101 [IPCTNL_MSG_EXP_GET_STATS_CPU
] = { .call
= ctnetlink_stat_exp_cpu
},
3104 static const struct nfnetlink_subsystem ctnl_subsys
= {
3105 .name
= "conntrack",
3106 .subsys_id
= NFNL_SUBSYS_CTNETLINK
,
3107 .cb_count
= IPCTNL_MSG_MAX
,
3111 static const struct nfnetlink_subsystem ctnl_exp_subsys
= {
3112 .name
= "conntrack_expect",
3113 .subsys_id
= NFNL_SUBSYS_CTNETLINK_EXP
,
3114 .cb_count
= IPCTNL_MSG_EXP_MAX
,
3118 MODULE_ALIAS("ip_conntrack_netlink");
3119 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK
);
3120 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK_EXP
);
3122 static int __net_init
ctnetlink_net_init(struct net
*net
)
3124 #ifdef CONFIG_NF_CONNTRACK_EVENTS
3127 ret
= nf_conntrack_register_notifier(net
, &ctnl_notifier
);
3129 pr_err("ctnetlink_init: cannot register notifier.\n");
3133 ret
= nf_ct_expect_register_notifier(net
, &ctnl_notifier_exp
);
3135 pr_err("ctnetlink_init: cannot expect register notifier.\n");
3136 goto err_unreg_notifier
;
3141 #ifdef CONFIG_NF_CONNTRACK_EVENTS
3143 nf_conntrack_unregister_notifier(net
, &ctnl_notifier
);
3149 static void ctnetlink_net_exit(struct net
*net
)
3151 #ifdef CONFIG_NF_CONNTRACK_EVENTS
3152 nf_ct_expect_unregister_notifier(net
, &ctnl_notifier_exp
);
3153 nf_conntrack_unregister_notifier(net
, &ctnl_notifier
);
3157 static void __net_exit
ctnetlink_net_exit_batch(struct list_head
*net_exit_list
)
3161 list_for_each_entry(net
, net_exit_list
, exit_list
)
3162 ctnetlink_net_exit(net
);
3165 static struct pernet_operations ctnetlink_net_ops
= {
3166 .init
= ctnetlink_net_init
,
3167 .exit_batch
= ctnetlink_net_exit_batch
,
3170 static int __init
ctnetlink_init(void)
3174 pr_info("ctnetlink v%s: registering with nfnetlink.\n", version
);
3175 ret
= nfnetlink_subsys_register(&ctnl_subsys
);
3177 pr_err("ctnetlink_init: cannot register with nfnetlink.\n");
3181 ret
= nfnetlink_subsys_register(&ctnl_exp_subsys
);
3183 pr_err("ctnetlink_init: cannot register exp with nfnetlink.\n");
3184 goto err_unreg_subsys
;
3187 ret
= register_pernet_subsys(&ctnetlink_net_ops
);
3189 pr_err("ctnetlink_init: cannot register pernet operations\n");
3190 goto err_unreg_exp_subsys
;
3192 #ifdef CONFIG_NETFILTER_NETLINK_QUEUE_CT
3193 /* setup interaction between nf_queue and nf_conntrack_netlink. */
3194 RCU_INIT_POINTER(nfq_ct_hook
, &ctnetlink_nfqueue_hook
);
3198 err_unreg_exp_subsys
:
3199 nfnetlink_subsys_unregister(&ctnl_exp_subsys
);
3201 nfnetlink_subsys_unregister(&ctnl_subsys
);
3206 static void __exit
ctnetlink_exit(void)
3208 pr_info("ctnetlink: unregistering from nfnetlink.\n");
3210 unregister_pernet_subsys(&ctnetlink_net_ops
);
3211 nfnetlink_subsys_unregister(&ctnl_exp_subsys
);
3212 nfnetlink_subsys_unregister(&ctnl_subsys
);
3213 #ifdef CONFIG_NETFILTER_NETLINK_QUEUE_CT
3214 RCU_INIT_POINTER(nfq_ct_hook
, NULL
);
3218 module_init(ctnetlink_init
);
3219 module_exit(ctnetlink_exit
);