projects / deliverable / linux.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge branch 'upstream-linus' of master.kernel.org:/pub/scm/linux/kernel/git/jgarzik...
[deliverable/linux.git] / net / netfilter / nf_conntrack_netlink.c
1 /* Connection tracking via netlink socket. Allows for user space
2 * protocol helpers and general trouble making from userspace.
3 *
4 * (C) 2001 by Jay Schulist <jschlst@samba.org>
5 * (C) 2002-2006 by Harald Welte <laforge@gnumonks.org>
6 * (C) 2003 by Patrick Mchardy <kaber@trash.net>
7 * (C) 2005-2006 by Pablo Neira Ayuso <pablo@eurodev.net>
8 *
9 * I've reworked this stuff to use attributes instead of conntrack
10 * structures. 5.44 am. I need more tea. --pablo 05/07/11.
11 *
12 * Initial connection tracking via netlink development funded and
13 * generally made possible by Network Robots, Inc. (www.networkrobots.com)
14 *
15 * Further development of this code funded by Astaro AG (http://www.astaro.com)
16 *
17 * This software may be used and distributed according to the terms
18 * of the GNU General Public License, incorporated herein by reference.
19 *
20 * Derived from ip_conntrack_netlink.c: Port by Pablo Neira Ayuso (05/11/14)
21 */
22
23 #include <linux/init.h>
24 #include <linux/module.h>
25 #include <linux/kernel.h>
26 #include <linux/types.h>
27 #include <linux/timer.h>
28 #include <linux/skbuff.h>
29 #include <linux/errno.h>
30 #include <linux/netlink.h>
31 #include <linux/spinlock.h>
32 #include <linux/interrupt.h>
33 #include <linux/notifier.h>
34
35 #include <linux/netfilter.h>
36 #include <net/netfilter/nf_conntrack.h>
37 #include <net/netfilter/nf_conntrack_core.h>
38 #include <net/netfilter/nf_conntrack_helper.h>
39 #include <net/netfilter/nf_conntrack_l3proto.h>
40 #include <net/netfilter/nf_conntrack_protocol.h>
41 #include <linux/netfilter_ipv4/ip_nat_protocol.h>
42
43 #include <linux/netfilter/nfnetlink.h>
44 #include <linux/netfilter/nfnetlink_conntrack.h>
45
46 MODULE_LICENSE("GPL");
47
48 static char __initdata version[] = "0.93";
49
50 #if 0
51 #define DEBUGP printk
52 #else
53 #define DEBUGP(format, args...)
54 #endif
55
56
57 static inline int
58 ctnetlink_dump_tuples_proto(struct sk_buff *skb,
59 const struct nf_conntrack_tuple *tuple,
60 struct nf_conntrack_protocol *proto)
61 {
62 int ret = 0;
63 struct nfattr *nest_parms = NFA_NEST(skb, CTA_TUPLE_PROTO);
64
65 NFA_PUT(skb, CTA_PROTO_NUM, sizeof(u_int8_t), &tuple->dst.protonum);
66
67 if (likely(proto->tuple_to_nfattr))
68 ret = proto->tuple_to_nfattr(skb, tuple);
69
70 NFA_NEST_END(skb, nest_parms);
71
72 return ret;
73
74 nfattr_failure:
75 return -1;
76 }
77
78 static inline int
79 ctnetlink_dump_tuples_ip(struct sk_buff *skb,
80 const struct nf_conntrack_tuple *tuple,
81 struct nf_conntrack_l3proto *l3proto)
82 {
83 int ret = 0;
84 struct nfattr *nest_parms = NFA_NEST(skb, CTA_TUPLE_IP);
85
86 if (likely(l3proto->tuple_to_nfattr))
87 ret = l3proto->tuple_to_nfattr(skb, tuple);
88
89 NFA_NEST_END(skb, nest_parms);
90
91 return ret;
92
93 nfattr_failure:
94 return -1;
95 }
96
97 static inline int
98 ctnetlink_dump_tuples(struct sk_buff *skb,
99 const struct nf_conntrack_tuple *tuple)
100 {
101 int ret;
102 struct nf_conntrack_l3proto *l3proto;
103 struct nf_conntrack_protocol *proto;
104
105 l3proto = nf_ct_l3proto_find_get(tuple->src.l3num);
106 ret = ctnetlink_dump_tuples_ip(skb, tuple, l3proto);
107 nf_ct_l3proto_put(l3proto);
108
109 if (unlikely(ret < 0))
110 return ret;
111
112 proto = nf_ct_proto_find_get(tuple->src.l3num, tuple->dst.protonum);
113 ret = ctnetlink_dump_tuples_proto(skb, tuple, proto);
114 nf_ct_proto_put(proto);
115
116 return ret;
117 }
118
119 static inline int
120 ctnetlink_dump_status(struct sk_buff *skb, const struct nf_conn *ct)
121 {
122 u_int32_t status = htonl((u_int32_t) ct->status);
123 NFA_PUT(skb, CTA_STATUS, sizeof(status), &status);
124 return 0;
125
126 nfattr_failure:
127 return -1;
128 }
129
130 static inline int
131 ctnetlink_dump_timeout(struct sk_buff *skb, const struct nf_conn *ct)
132 {
133 long timeout_l = ct->timeout.expires - jiffies;
134 u_int32_t timeout;
135
136 if (timeout_l < 0)
137 timeout = 0;
138 else
139 timeout = htonl(timeout_l / HZ);
140
141 NFA_PUT(skb, CTA_TIMEOUT, sizeof(timeout), &timeout);
142 return 0;
143
144 nfattr_failure:
145 return -1;
146 }
147
148 static inline int
149 ctnetlink_dump_protoinfo(struct sk_buff *skb, const struct nf_conn *ct)
150 {
151 struct nf_conntrack_protocol *proto = nf_ct_proto_find_get(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num, ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum);
152 struct nfattr *nest_proto;
153 int ret;
154
155 if (!proto->to_nfattr) {
156 nf_ct_proto_put(proto);
157 return 0;
158 }
159
160 nest_proto = NFA_NEST(skb, CTA_PROTOINFO);
161
162 ret = proto->to_nfattr(skb, nest_proto, ct);
163
164 nf_ct_proto_put(proto);
165
166 NFA_NEST_END(skb, nest_proto);
167
168 return ret;
169
170 nfattr_failure:
171 return -1;
172 }
173
174 static inline int
175 ctnetlink_dump_helpinfo(struct sk_buff *skb, const struct nf_conn *ct)
176 {
177 struct nfattr *nest_helper;
178 const struct nf_conn_help *help = nfct_help(ct);
179
180 if (!help || !help->helper)
181 return 0;
182
183 nest_helper = NFA_NEST(skb, CTA_HELP);
184 NFA_PUT(skb, CTA_HELP_NAME, strlen(help->helper->name), help->helper->name);
185
186 if (help->helper->to_nfattr)
187 help->helper->to_nfattr(skb, ct);
188
189 NFA_NEST_END(skb, nest_helper);
190
191 return 0;
192
193 nfattr_failure:
194 return -1;
195 }
196
197 #ifdef CONFIG_NF_CT_ACCT
198 static inline int
199 ctnetlink_dump_counters(struct sk_buff *skb, const struct nf_conn *ct,
200 enum ip_conntrack_dir dir)
201 {
202 enum ctattr_type type = dir ? CTA_COUNTERS_REPLY: CTA_COUNTERS_ORIG;
203 struct nfattr *nest_count = NFA_NEST(skb, type);
204 u_int32_t tmp;
205
206 tmp = htonl(ct->counters[dir].packets);
207 NFA_PUT(skb, CTA_COUNTERS32_PACKETS, sizeof(u_int32_t), &tmp);
208
209 tmp = htonl(ct->counters[dir].bytes);
210 NFA_PUT(skb, CTA_COUNTERS32_BYTES, sizeof(u_int32_t), &tmp);
211
212 NFA_NEST_END(skb, nest_count);
213
214 return 0;
215
216 nfattr_failure:
217 return -1;
218 }
219 #else
220 #define ctnetlink_dump_counters(a, b, c) (0)
221 #endif
222
223 #ifdef CONFIG_NF_CONNTRACK_MARK
224 static inline int
225 ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct)
226 {
227 u_int32_t mark = htonl(ct->mark);
228
229 NFA_PUT(skb, CTA_MARK, sizeof(u_int32_t), &mark);
230 return 0;
231
232 nfattr_failure:
233 return -1;
234 }
235 #else
236 #define ctnetlink_dump_mark(a, b) (0)
237 #endif
238
239 static inline int
240 ctnetlink_dump_id(struct sk_buff *skb, const struct nf_conn *ct)
241 {
242 u_int32_t id = htonl(ct->id);
243 NFA_PUT(skb, CTA_ID, sizeof(u_int32_t), &id);
244 return 0;
245
246 nfattr_failure:
247 return -1;
248 }
249
250 static inline int
251 ctnetlink_dump_use(struct sk_buff *skb, const struct nf_conn *ct)
252 {
253 u_int32_t use = htonl(atomic_read(&ct->ct_general.use));
254
255 NFA_PUT(skb, CTA_USE, sizeof(u_int32_t), &use);
256 return 0;
257
258 nfattr_failure:
259 return -1;
260 }
261
262 #define tuple(ct, dir) (&(ct)->tuplehash[dir].tuple)
263
264 static int
265 ctnetlink_fill_info(struct sk_buff *skb, u32 pid, u32 seq,
266 int event, int nowait,
267 const struct nf_conn *ct)
268 {
269 struct nlmsghdr *nlh;
270 struct nfgenmsg *nfmsg;
271 struct nfattr *nest_parms;
272 unsigned char *b;
273
274 b = skb->tail;
275
276 event |= NFNL_SUBSYS_CTNETLINK << 8;
277 nlh = NLMSG_PUT(skb, pid, seq, event, sizeof(struct nfgenmsg));
278 nfmsg = NLMSG_DATA(nlh);
279
280 nlh->nlmsg_flags = (nowait && pid) ? NLM_F_MULTI : 0;
281 nfmsg->nfgen_family =
282 ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
283 nfmsg->version = NFNETLINK_V0;
284 nfmsg->res_id = 0;
285
286 nest_parms = NFA_NEST(skb, CTA_TUPLE_ORIG);
287 if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
288 goto nfattr_failure;
289 NFA_NEST_END(skb, nest_parms);
290
291 nest_parms = NFA_NEST(skb, CTA_TUPLE_REPLY);
292 if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_REPLY)) < 0)
293 goto nfattr_failure;
294 NFA_NEST_END(skb, nest_parms);
295
296 if (ctnetlink_dump_status(skb, ct) < 0 ||
297 ctnetlink_dump_timeout(skb, ct) < 0 ||
298 ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 ||
299 ctnetlink_dump_counters(skb, ct, IP_CT_DIR_REPLY) < 0 ||
300 ctnetlink_dump_protoinfo(skb, ct) < 0 ||
301 ctnetlink_dump_helpinfo(skb, ct) < 0 ||
302 ctnetlink_dump_mark(skb, ct) < 0 ||
303 ctnetlink_dump_id(skb, ct) < 0 ||
304 ctnetlink_dump_use(skb, ct) < 0)
305 goto nfattr_failure;
306
307 nlh->nlmsg_len = skb->tail - b;
308 return skb->len;
309
310 nlmsg_failure:
311 nfattr_failure:
312 skb_trim(skb, b - skb->data);
313 return -1;
314 }
315
316 #ifdef CONFIG_NF_CONNTRACK_EVENTS
317 static int ctnetlink_conntrack_event(struct notifier_block *this,
318 unsigned long events, void *ptr)
319 {
320 struct nlmsghdr *nlh;
321 struct nfgenmsg *nfmsg;
322 struct nfattr *nest_parms;
323 struct nf_conn *ct = (struct nf_conn *)ptr;
324 struct sk_buff *skb;
325 unsigned int type;
326 unsigned char *b;
327 unsigned int flags = 0, group;
328
329 /* ignore our fake conntrack entry */
330 if (ct == &nf_conntrack_untracked)
331 return NOTIFY_DONE;
332
333 if (events & IPCT_DESTROY) {
334 type = IPCTNL_MSG_CT_DELETE;
335 group = NFNLGRP_CONNTRACK_DESTROY;
336 } else if (events & (IPCT_NEW | IPCT_RELATED)) {
337 type = IPCTNL_MSG_CT_NEW;
338 flags = NLM_F_CREATE|NLM_F_EXCL;
339 /* dump everything */
340 events = ~0UL;
341 group = NFNLGRP_CONNTRACK_NEW;
342 } else if (events & (IPCT_STATUS | IPCT_PROTOINFO)) {
343 type = IPCTNL_MSG_CT_NEW;
344 group = NFNLGRP_CONNTRACK_UPDATE;
345 } else
346 return NOTIFY_DONE;
347
348 if (!nfnetlink_has_listeners(group))
349 return NOTIFY_DONE;
350
351 skb = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
352 if (!skb)
353 return NOTIFY_DONE;
354
355 b = skb->tail;
356
357 type |= NFNL_SUBSYS_CTNETLINK << 8;
358 nlh = NLMSG_PUT(skb, 0, 0, type, sizeof(struct nfgenmsg));
359 nfmsg = NLMSG_DATA(nlh);
360
361 nlh->nlmsg_flags = flags;
362 nfmsg->nfgen_family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
363 nfmsg->version = NFNETLINK_V0;
364 nfmsg->res_id = 0;
365
366 nest_parms = NFA_NEST(skb, CTA_TUPLE_ORIG);
367 if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
368 goto nfattr_failure;
369 NFA_NEST_END(skb, nest_parms);
370
371 nest_parms = NFA_NEST(skb, CTA_TUPLE_REPLY);
372 if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_REPLY)) < 0)
373 goto nfattr_failure;
374 NFA_NEST_END(skb, nest_parms);
375
376 /* NAT stuff is now a status flag */
377 if ((events & IPCT_STATUS || events & IPCT_NATINFO)
378 && ctnetlink_dump_status(skb, ct) < 0)
379 goto nfattr_failure;
380 if (events & IPCT_REFRESH
381 && ctnetlink_dump_timeout(skb, ct) < 0)
382 goto nfattr_failure;
383 if (events & IPCT_PROTOINFO
384 && ctnetlink_dump_protoinfo(skb, ct) < 0)
385 goto nfattr_failure;
386 if (events & IPCT_HELPINFO
387 && ctnetlink_dump_helpinfo(skb, ct) < 0)
388 goto nfattr_failure;
389
390 if (ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 ||
391 ctnetlink_dump_counters(skb, ct, IP_CT_DIR_REPLY) < 0)
392 goto nfattr_failure;
393
394 if (events & IPCT_MARK
395 && ctnetlink_dump_mark(skb, ct) < 0)
396 goto nfattr_failure;
397
398 nlh->nlmsg_len = skb->tail - b;
399 nfnetlink_send(skb, 0, group, 0);
400 return NOTIFY_DONE;
401
402 nlmsg_failure:
403 nfattr_failure:
404 kfree_skb(skb);
405 return NOTIFY_DONE;
406 }
407 #endif /* CONFIG_NF_CONNTRACK_EVENTS */
408
409 static int ctnetlink_done(struct netlink_callback *cb)
410 {
411 if (cb->args[1])
412 nf_ct_put((struct nf_conn *)cb->args[1]);
413 DEBUGP("entered %s\n", __FUNCTION__);
414 return 0;
415 }
416
417 #define L3PROTO(ct) ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num
418
419 static int
420 ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
421 {
422 struct nf_conn *ct, *last;
423 struct nf_conntrack_tuple_hash *h;
424 struct list_head *i;
425 struct nfgenmsg *nfmsg = NLMSG_DATA(cb->nlh);
426 u_int8_t l3proto = nfmsg->nfgen_family;
427
428 DEBUGP("entered %s, last bucket=%lu id=%u\n", __FUNCTION__,
429 cb->args[0], *id);
430
431 read_lock_bh(&nf_conntrack_lock);
432 last = (struct nf_conn *)cb->args[1];
433 for (; cb->args[0] < nf_conntrack_htable_size; cb->args[0]++) {
434 restart:
435 list_for_each_prev(i, &nf_conntrack_hash[cb->args[0]]) {
436 h = (struct nf_conntrack_tuple_hash *) i;
437 if (DIRECTION(h) != IP_CT_DIR_ORIGINAL)
438 continue;
439 ct = nf_ct_tuplehash_to_ctrack(h);
440 /* Dump entries of a given L3 protocol number.
441 * If it is not specified, ie. l3proto == 0,
442 * then dump everything. */
443 if (l3proto && L3PROTO(ct) != l3proto)
444 continue;
445 if (cb->args[1]) {
446 if (ct != last)
447 continue;
448 cb->args[1] = 0;
449 }
450 if (ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).pid,
451 cb->nlh->nlmsg_seq,
452 IPCTNL_MSG_CT_NEW,
453 1, ct) < 0) {
454 nf_conntrack_get(&ct->ct_general);
455 cb->args[1] = (unsigned long)ct;
456 goto out;
457 }
458 #ifdef CONFIG_NF_CT_ACCT
459 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) ==
460 IPCTNL_MSG_CT_GET_CTRZERO)
461 memset(&ct->counters, 0, sizeof(ct->counters));
462 #endif
463 }
464 if (cb->args[1]) {
465 cb->args[1] = 0;
466 goto restart;
467 }
468 }
469 out:
470 read_unlock_bh(&nf_conntrack_lock);
471 if (last)
472 nf_ct_put(last);
473
474 DEBUGP("leaving, last bucket=%lu id=%u\n", cb->args[0], *id);
475 return skb->len;
476 }
477
478 static inline int
479 ctnetlink_parse_tuple_ip(struct nfattr *attr, struct nf_conntrack_tuple *tuple)
480 {
481 struct nfattr *tb[CTA_IP_MAX];
482 struct nf_conntrack_l3proto *l3proto;
483 int ret = 0;
484
485 DEBUGP("entered %s\n", __FUNCTION__);
486
487 nfattr_parse_nested(tb, CTA_IP_MAX, attr);
488
489 l3proto = nf_ct_l3proto_find_get(tuple->src.l3num);
490
491 if (likely(l3proto->nfattr_to_tuple))
492 ret = l3proto->nfattr_to_tuple(tb, tuple);
493
494 nf_ct_l3proto_put(l3proto);
495
496 DEBUGP("leaving\n");
497
498 return ret;
499 }
500
501 static const size_t cta_min_proto[CTA_PROTO_MAX] = {
502 [CTA_PROTO_NUM-1] = sizeof(u_int8_t),
503 };
504
505 static inline int
506 ctnetlink_parse_tuple_proto(struct nfattr *attr,
507 struct nf_conntrack_tuple *tuple)
508 {
509 struct nfattr *tb[CTA_PROTO_MAX];
510 struct nf_conntrack_protocol *proto;
511 int ret = 0;
512
513 DEBUGP("entered %s\n", __FUNCTION__);
514
515 nfattr_parse_nested(tb, CTA_PROTO_MAX, attr);
516
517 if (nfattr_bad_size(tb, CTA_PROTO_MAX, cta_min_proto))
518 return -EINVAL;
519
520 if (!tb[CTA_PROTO_NUM-1])
521 return -EINVAL;
522 tuple->dst.protonum = *(u_int8_t *)NFA_DATA(tb[CTA_PROTO_NUM-1]);
523
524 proto = nf_ct_proto_find_get(tuple->src.l3num, tuple->dst.protonum);
525
526 if (likely(proto->nfattr_to_tuple))
527 ret = proto->nfattr_to_tuple(tb, tuple);
528
529 nf_ct_proto_put(proto);
530
531 return ret;
532 }
533
534 static inline int
535 ctnetlink_parse_tuple(struct nfattr *cda[], struct nf_conntrack_tuple *tuple,
536 enum ctattr_tuple type, u_int8_t l3num)
537 {
538 struct nfattr *tb[CTA_TUPLE_MAX];
539 int err;
540
541 DEBUGP("entered %s\n", __FUNCTION__);
542
543 memset(tuple, 0, sizeof(*tuple));
544
545 nfattr_parse_nested(tb, CTA_TUPLE_MAX, cda[type-1]);
546
547 if (!tb[CTA_TUPLE_IP-1])
548 return -EINVAL;
549
550 tuple->src.l3num = l3num;
551
552 err = ctnetlink_parse_tuple_ip(tb[CTA_TUPLE_IP-1], tuple);
553 if (err < 0)
554 return err;
555
556 if (!tb[CTA_TUPLE_PROTO-1])
557 return -EINVAL;
558
559 err = ctnetlink_parse_tuple_proto(tb[CTA_TUPLE_PROTO-1], tuple);
560 if (err < 0)
561 return err;
562
563 /* orig and expect tuples get DIR_ORIGINAL */
564 if (type == CTA_TUPLE_REPLY)
565 tuple->dst.dir = IP_CT_DIR_REPLY;
566 else
567 tuple->dst.dir = IP_CT_DIR_ORIGINAL;
568
569 NF_CT_DUMP_TUPLE(tuple);
570
571 DEBUGP("leaving\n");
572
573 return 0;
574 }
575
576 #ifdef CONFIG_IP_NF_NAT_NEEDED
577 static const size_t cta_min_protonat[CTA_PROTONAT_MAX] = {
578 [CTA_PROTONAT_PORT_MIN-1] = sizeof(u_int16_t),
579 [CTA_PROTONAT_PORT_MAX-1] = sizeof(u_int16_t),
580 };
581
582 static int ctnetlink_parse_nat_proto(struct nfattr *attr,
583 const struct nf_conn *ct,
584 struct ip_nat_range *range)
585 {
586 struct nfattr *tb[CTA_PROTONAT_MAX];
587 struct ip_nat_protocol *npt;
588
589 DEBUGP("entered %s\n", __FUNCTION__);
590
591 nfattr_parse_nested(tb, CTA_PROTONAT_MAX, attr);
592
593 if (nfattr_bad_size(tb, CTA_PROTONAT_MAX, cta_min_protonat))
594 return -EINVAL;
595
596 npt = ip_nat_proto_find_get(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum);
597
598 if (!npt->nfattr_to_range) {
599 ip_nat_proto_put(npt);
600 return 0;
601 }
602
603 /* nfattr_to_range returns 1 if it parsed, 0 if not, neg. on error */
604 if (npt->nfattr_to_range(tb, range) > 0)
605 range->flags |= IP_NAT_RANGE_PROTO_SPECIFIED;
606
607 ip_nat_proto_put(npt);
608
609 DEBUGP("leaving\n");
610 return 0;
611 }
612
613 static const size_t cta_min_nat[CTA_NAT_MAX] = {
614 [CTA_NAT_MINIP-1] = sizeof(u_int32_t),
615 [CTA_NAT_MAXIP-1] = sizeof(u_int32_t),
616 };
617
618 static inline int
619 ctnetlink_parse_nat(struct nfattr *nat,
620 const struct nf_conn *ct, struct ip_nat_range *range)
621 {
622 struct nfattr *tb[CTA_NAT_MAX];
623 int err;
624
625 DEBUGP("entered %s\n", __FUNCTION__);
626
627 memset(range, 0, sizeof(*range));
628
629 nfattr_parse_nested(tb, CTA_NAT_MAX, nat);
630
631 if (nfattr_bad_size(tb, CTA_NAT_MAX, cta_min_nat))
632 return -EINVAL;
633
634 if (tb[CTA_NAT_MINIP-1])
635 range->min_ip = *(u_int32_t *)NFA_DATA(tb[CTA_NAT_MINIP-1]);
636
637 if (!tb[CTA_NAT_MAXIP-1])
638 range->max_ip = range->min_ip;
639 else
640 range->max_ip = *(u_int32_t *)NFA_DATA(tb[CTA_NAT_MAXIP-1]);
641
642 if (range->min_ip)
643 range->flags |= IP_NAT_RANGE_MAP_IPS;
644
645 if (!tb[CTA_NAT_PROTO-1])
646 return 0;
647
648 err = ctnetlink_parse_nat_proto(tb[CTA_NAT_PROTO-1], ct, range);
649 if (err < 0)
650 return err;
651
652 DEBUGP("leaving\n");
653 return 0;
654 }
655 #endif
656
657 static inline int
658 ctnetlink_parse_help(struct nfattr *attr, char **helper_name)
659 {
660 struct nfattr *tb[CTA_HELP_MAX];
661
662 DEBUGP("entered %s\n", __FUNCTION__);
663
664 nfattr_parse_nested(tb, CTA_HELP_MAX, attr);
665
666 if (!tb[CTA_HELP_NAME-1])
667 return -EINVAL;
668
669 *helper_name = NFA_DATA(tb[CTA_HELP_NAME-1]);
670
671 return 0;
672 }
673
674 static const size_t cta_min[CTA_MAX] = {
675 [CTA_STATUS-1] = sizeof(u_int32_t),
676 [CTA_TIMEOUT-1] = sizeof(u_int32_t),
677 [CTA_MARK-1] = sizeof(u_int32_t),
678 [CTA_USE-1] = sizeof(u_int32_t),
679 [CTA_ID-1] = sizeof(u_int32_t)
680 };
681
682 static int
683 ctnetlink_del_conntrack(struct sock *ctnl, struct sk_buff *skb,
684 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
685 {
686 struct nf_conntrack_tuple_hash *h;
687 struct nf_conntrack_tuple tuple;
688 struct nf_conn *ct;
689 struct nfgenmsg *nfmsg = NLMSG_DATA(nlh);
690 u_int8_t u3 = nfmsg->nfgen_family;
691 int err = 0;
692
693 DEBUGP("entered %s\n", __FUNCTION__);
694
695 if (nfattr_bad_size(cda, CTA_MAX, cta_min))
696 return -EINVAL;
697
698 if (cda[CTA_TUPLE_ORIG-1])
699 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, u3);
700 else if (cda[CTA_TUPLE_REPLY-1])
701 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY, u3);
702 else {
703 /* Flush the whole table */
704 nf_conntrack_flush();
705 return 0;
706 }
707
708 if (err < 0)
709 return err;
710
711 h = nf_conntrack_find_get(&tuple, NULL);
712 if (!h) {
713 DEBUGP("tuple not found in conntrack hash\n");
714 return -ENOENT;
715 }
716
717 ct = nf_ct_tuplehash_to_ctrack(h);
718
719 if (cda[CTA_ID-1]) {
720 u_int32_t id = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_ID-1]));
721 if (ct->id != id) {
722 nf_ct_put(ct);
723 return -ENOENT;
724 }
725 }
726 if (del_timer(&ct->timeout))
727 ct->timeout.function((unsigned long)ct);
728
729 nf_ct_put(ct);
730 DEBUGP("leaving\n");
731
732 return 0;
733 }
734
735 static int
736 ctnetlink_get_conntrack(struct sock *ctnl, struct sk_buff *skb,
737 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
738 {
739 struct nf_conntrack_tuple_hash *h;
740 struct nf_conntrack_tuple tuple;
741 struct nf_conn *ct;
742 struct sk_buff *skb2 = NULL;
743 struct nfgenmsg *nfmsg = NLMSG_DATA(nlh);
744 u_int8_t u3 = nfmsg->nfgen_family;
745 int err = 0;
746
747 DEBUGP("entered %s\n", __FUNCTION__);
748
749 if (nlh->nlmsg_flags & NLM_F_DUMP) {
750 u32 rlen;
751
752 #ifndef CONFIG_NF_CT_ACCT
753 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == IPCTNL_MSG_CT_GET_CTRZERO)
754 return -ENOTSUPP;
755 #endif
756 if ((*errp = netlink_dump_start(ctnl, skb, nlh,
757 ctnetlink_dump_table,
758 ctnetlink_done)) != 0)
759 return -EINVAL;
760
761 rlen = NLMSG_ALIGN(nlh->nlmsg_len);
762 if (rlen > skb->len)
763 rlen = skb->len;
764 skb_pull(skb, rlen);
765 return 0;
766 }
767
768 if (nfattr_bad_size(cda, CTA_MAX, cta_min))
769 return -EINVAL;
770
771 if (cda[CTA_TUPLE_ORIG-1])
772 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, u3);
773 else if (cda[CTA_TUPLE_REPLY-1])
774 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY, u3);
775 else
776 return -EINVAL;
777
778 if (err < 0)
779 return err;
780
781 h = nf_conntrack_find_get(&tuple, NULL);
782 if (!h) {
783 DEBUGP("tuple not found in conntrack hash");
784 return -ENOENT;
785 }
786 DEBUGP("tuple found\n");
787 ct = nf_ct_tuplehash_to_ctrack(h);
788
789 err = -ENOMEM;
790 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
791 if (!skb2) {
792 nf_ct_put(ct);
793 return -ENOMEM;
794 }
795 NETLINK_CB(skb2).dst_pid = NETLINK_CB(skb).pid;
796
797 err = ctnetlink_fill_info(skb2, NETLINK_CB(skb).pid, nlh->nlmsg_seq,
798 IPCTNL_MSG_CT_NEW, 1, ct);
799 nf_ct_put(ct);
800 if (err <= 0)
801 goto free;
802
803 err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT);
804 if (err < 0)
805 goto out;
806
807 DEBUGP("leaving\n");
808 return 0;
809
810 free:
811 kfree_skb(skb2);
812 out:
813 return err;
814 }
815
816 static inline int
817 ctnetlink_change_status(struct nf_conn *ct, struct nfattr *cda[])
818 {
819 unsigned long d;
820 unsigned status = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_STATUS-1]));
821 d = ct->status ^ status;
822
823 if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING))
824 /* unchangeable */
825 return -EINVAL;
826
827 if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY))
828 /* SEEN_REPLY bit can only be set */
829 return -EINVAL;
830
831
832 if (d & IPS_ASSURED && !(status & IPS_ASSURED))
833 /* ASSURED bit can only be set */
834 return -EINVAL;
835
836 if (cda[CTA_NAT_SRC-1] || cda[CTA_NAT_DST-1]) {
837 #ifndef CONFIG_IP_NF_NAT_NEEDED
838 return -EINVAL;
839 #else
840 struct ip_nat_range range;
841
842 if (cda[CTA_NAT_DST-1]) {
843 if (ctnetlink_parse_nat(cda[CTA_NAT_DST-1], ct,
844 &range) < 0)
845 return -EINVAL;
846 if (ip_nat_initialized(ct,
847 HOOK2MANIP(NF_IP_PRE_ROUTING)))
848 return -EEXIST;
849 ip_nat_setup_info(ct, &range, hooknum);
850 }
851 if (cda[CTA_NAT_SRC-1]) {
852 if (ctnetlink_parse_nat(cda[CTA_NAT_SRC-1], ct,
853 &range) < 0)
854 return -EINVAL;
855 if (ip_nat_initialized(ct,
856 HOOK2MANIP(NF_IP_POST_ROUTING)))
857 return -EEXIST;
858 ip_nat_setup_info(ct, &range, hooknum);
859 }
860 #endif
861 }
862
863 /* Be careful here, modifying NAT bits can screw up things,
864 * so don't let users modify them directly if they don't pass
865 * ip_nat_range. */
866 ct->status |= status & ~(IPS_NAT_DONE_MASK | IPS_NAT_MASK);
867 return 0;
868 }
869
870
871 static inline int
872 ctnetlink_change_helper(struct nf_conn *ct, struct nfattr *cda[])
873 {
874 struct nf_conntrack_helper *helper;
875 struct nf_conn_help *help = nfct_help(ct);
876 char *helpname;
877 int err;
878
879 DEBUGP("entered %s\n", __FUNCTION__);
880
881 if (!help) {
882 /* FIXME: we need to reallocate and rehash */
883 return -EBUSY;
884 }
885
886 /* don't change helper of sibling connections */
887 if (ct->master)
888 return -EINVAL;
889
890 err = ctnetlink_parse_help(cda[CTA_HELP-1], &helpname);
891 if (err < 0)
892 return err;
893
894 helper = __nf_conntrack_helper_find_byname(helpname);
895 if (!helper) {
896 if (!strcmp(helpname, ""))
897 helper = NULL;
898 else
899 return -EINVAL;
900 }
901
902 if (help->helper) {
903 if (!helper) {
904 /* we had a helper before ... */
905 nf_ct_remove_expectations(ct);
906 help->helper = NULL;
907 } else {
908 /* need to zero data of old helper */
909 memset(&help->help, 0, sizeof(help->help));
910 }
911 }
912
913 help->helper = helper;
914
915 return 0;
916 }
917
918 static inline int
919 ctnetlink_change_timeout(struct nf_conn *ct, struct nfattr *cda[])
920 {
921 u_int32_t timeout = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_TIMEOUT-1]));
922
923 if (!del_timer(&ct->timeout))
924 return -ETIME;
925
926 ct->timeout.expires = jiffies + timeout * HZ;
927 add_timer(&ct->timeout);
928
929 return 0;
930 }
931
932 static inline int
933 ctnetlink_change_protoinfo(struct nf_conn *ct, struct nfattr *cda[])
934 {
935 struct nfattr *tb[CTA_PROTOINFO_MAX], *attr = cda[CTA_PROTOINFO-1];
936 struct nf_conntrack_protocol *proto;
937 u_int16_t npt = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum;
938 u_int16_t l3num = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
939 int err = 0;
940
941 nfattr_parse_nested(tb, CTA_PROTOINFO_MAX, attr);
942
943 proto = nf_ct_proto_find_get(l3num, npt);
944
945 if (proto->from_nfattr)
946 err = proto->from_nfattr(tb, ct);
947 nf_ct_proto_put(proto);
948
949 return err;
950 }
951
952 static int
953 ctnetlink_change_conntrack(struct nf_conn *ct, struct nfattr *cda[])
954 {
955 int err;
956
957 DEBUGP("entered %s\n", __FUNCTION__);
958
959 if (cda[CTA_HELP-1]) {
960 err = ctnetlink_change_helper(ct, cda);
961 if (err < 0)
962 return err;
963 }
964
965 if (cda[CTA_TIMEOUT-1]) {
966 err = ctnetlink_change_timeout(ct, cda);
967 if (err < 0)
968 return err;
969 }
970
971 if (cda[CTA_STATUS-1]) {
972 err = ctnetlink_change_status(ct, cda);
973 if (err < 0)
974 return err;
975 }
976
977 if (cda[CTA_PROTOINFO-1]) {
978 err = ctnetlink_change_protoinfo(ct, cda);
979 if (err < 0)
980 return err;
981 }
982
983 #if defined(CONFIG_NF_CONNTRACK_MARK)
984 if (cda[CTA_MARK-1])
985 ct->mark = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_MARK-1]));
986 #endif
987
988 DEBUGP("all done\n");
989 return 0;
990 }
991
992 static int
993 ctnetlink_create_conntrack(struct nfattr *cda[],
994 struct nf_conntrack_tuple *otuple,
995 struct nf_conntrack_tuple *rtuple)
996 {
997 struct nf_conn *ct;
998 int err = -EINVAL;
999
1000 DEBUGP("entered %s\n", __FUNCTION__);
1001
1002 ct = nf_conntrack_alloc(otuple, rtuple);
1003 if (ct == NULL || IS_ERR(ct))
1004 return -ENOMEM;
1005
1006 if (!cda[CTA_TIMEOUT-1])
1007 goto err;
1008 ct->timeout.expires = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_TIMEOUT-1]));
1009
1010 ct->timeout.expires = jiffies + ct->timeout.expires * HZ;
1011 ct->status |= IPS_CONFIRMED;
1012
1013 err = ctnetlink_change_status(ct, cda);
1014 if (err < 0)
1015 goto err;
1016
1017 if (cda[CTA_PROTOINFO-1]) {
1018 err = ctnetlink_change_protoinfo(ct, cda);
1019 if (err < 0)
1020 return err;
1021 }
1022
1023 #if defined(CONFIG_NF_CONNTRACK_MARK)
1024 if (cda[CTA_MARK-1])
1025 ct->mark = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_MARK-1]));
1026 #endif
1027
1028 add_timer(&ct->timeout);
1029 nf_conntrack_hash_insert(ct);
1030
1031 DEBUGP("conntrack with id %u inserted\n", ct->id);
1032 return 0;
1033
1034 err:
1035 nf_conntrack_free(ct);
1036 return err;
1037 }
1038
1039 static int
1040 ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
1041 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
1042 {
1043 struct nf_conntrack_tuple otuple, rtuple;
1044 struct nf_conntrack_tuple_hash *h = NULL;
1045 struct nfgenmsg *nfmsg = NLMSG_DATA(nlh);
1046 u_int8_t u3 = nfmsg->nfgen_family;
1047 int err = 0;
1048
1049 DEBUGP("entered %s\n", __FUNCTION__);
1050
1051 if (nfattr_bad_size(cda, CTA_MAX, cta_min))
1052 return -EINVAL;
1053
1054 if (cda[CTA_TUPLE_ORIG-1]) {
1055 err = ctnetlink_parse_tuple(cda, &otuple, CTA_TUPLE_ORIG, u3);
1056 if (err < 0)
1057 return err;
1058 }
1059
1060 if (cda[CTA_TUPLE_REPLY-1]) {
1061 err = ctnetlink_parse_tuple(cda, &rtuple, CTA_TUPLE_REPLY, u3);
1062 if (err < 0)
1063 return err;
1064 }
1065
1066 write_lock_bh(&nf_conntrack_lock);
1067 if (cda[CTA_TUPLE_ORIG-1])
1068 h = __nf_conntrack_find(&otuple, NULL);
1069 else if (cda[CTA_TUPLE_REPLY-1])
1070 h = __nf_conntrack_find(&rtuple, NULL);
1071
1072 if (h == NULL) {
1073 write_unlock_bh(&nf_conntrack_lock);
1074 DEBUGP("no such conntrack, create new\n");
1075 err = -ENOENT;
1076 if (nlh->nlmsg_flags & NLM_F_CREATE)
1077 err = ctnetlink_create_conntrack(cda, &otuple, &rtuple);
1078 return err;
1079 }
1080 /* implicit 'else' */
1081
1082 /* we only allow nat config for new conntracks */
1083 if (cda[CTA_NAT_SRC-1] || cda[CTA_NAT_DST-1]) {
1084 err = -EINVAL;
1085 goto out_unlock;
1086 }
1087
1088 /* We manipulate the conntrack inside the global conntrack table lock,
1089 * so there's no need to increase the refcount */
1090 DEBUGP("conntrack found\n");
1091 err = -EEXIST;
1092 if (!(nlh->nlmsg_flags & NLM_F_EXCL))
1093 err = ctnetlink_change_conntrack(nf_ct_tuplehash_to_ctrack(h), cda);
1094
1095 out_unlock:
1096 write_unlock_bh(&nf_conntrack_lock);
1097 return err;
1098 }
1099
1100 /***********************************************************************
1101 * EXPECT
1102 ***********************************************************************/
1103
1104 static inline int
1105 ctnetlink_exp_dump_tuple(struct sk_buff *skb,
1106 const struct nf_conntrack_tuple *tuple,
1107 enum ctattr_expect type)
1108 {
1109 struct nfattr *nest_parms = NFA_NEST(skb, type);
1110
1111 if (ctnetlink_dump_tuples(skb, tuple) < 0)
1112 goto nfattr_failure;
1113
1114 NFA_NEST_END(skb, nest_parms);
1115
1116 return 0;
1117
1118 nfattr_failure:
1119 return -1;
1120 }
1121
1122 static inline int
1123 ctnetlink_exp_dump_mask(struct sk_buff *skb,
1124 const struct nf_conntrack_tuple *tuple,
1125 const struct nf_conntrack_tuple *mask)
1126 {
1127 int ret;
1128 struct nf_conntrack_l3proto *l3proto;
1129 struct nf_conntrack_protocol *proto;
1130 struct nfattr *nest_parms = NFA_NEST(skb, CTA_EXPECT_MASK);
1131
1132 l3proto = nf_ct_l3proto_find_get(tuple->src.l3num);
1133 ret = ctnetlink_dump_tuples_ip(skb, mask, l3proto);
1134 nf_ct_l3proto_put(l3proto);
1135
1136 if (unlikely(ret < 0))
1137 goto nfattr_failure;
1138
1139 proto = nf_ct_proto_find_get(tuple->src.l3num, tuple->dst.protonum);
1140 ret = ctnetlink_dump_tuples_proto(skb, mask, proto);
1141 nf_ct_proto_put(proto);
1142 if (unlikely(ret < 0))
1143 goto nfattr_failure;
1144
1145 NFA_NEST_END(skb, nest_parms);
1146
1147 return 0;
1148
1149 nfattr_failure:
1150 return -1;
1151 }
1152
1153 static inline int
1154 ctnetlink_exp_dump_expect(struct sk_buff *skb,
1155 const struct nf_conntrack_expect *exp)
1156 {
1157 struct nf_conn *master = exp->master;
1158 u_int32_t timeout = htonl((exp->timeout.expires - jiffies) / HZ);
1159 u_int32_t id = htonl(exp->id);
1160
1161 if (ctnetlink_exp_dump_tuple(skb, &exp->tuple, CTA_EXPECT_TUPLE) < 0)
1162 goto nfattr_failure;
1163 if (ctnetlink_exp_dump_mask(skb, &exp->tuple, &exp->mask) < 0)
1164 goto nfattr_failure;
1165 if (ctnetlink_exp_dump_tuple(skb,
1166 &master->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
1167 CTA_EXPECT_MASTER) < 0)
1168 goto nfattr_failure;
1169
1170 NFA_PUT(skb, CTA_EXPECT_TIMEOUT, sizeof(timeout), &timeout);
1171 NFA_PUT(skb, CTA_EXPECT_ID, sizeof(u_int32_t), &id);
1172
1173 return 0;
1174
1175 nfattr_failure:
1176 return -1;
1177 }
1178
1179 static int
1180 ctnetlink_exp_fill_info(struct sk_buff *skb, u32 pid, u32 seq,
1181 int event,
1182 int nowait,
1183 const struct nf_conntrack_expect *exp)
1184 {
1185 struct nlmsghdr *nlh;
1186 struct nfgenmsg *nfmsg;
1187 unsigned char *b;
1188
1189 b = skb->tail;
1190
1191 event |= NFNL_SUBSYS_CTNETLINK_EXP << 8;
1192 nlh = NLMSG_PUT(skb, pid, seq, event, sizeof(struct nfgenmsg));
1193 nfmsg = NLMSG_DATA(nlh);
1194
1195 nlh->nlmsg_flags = (nowait && pid) ? NLM_F_MULTI : 0;
1196 nfmsg->nfgen_family = exp->tuple.src.l3num;
1197 nfmsg->version = NFNETLINK_V0;
1198 nfmsg->res_id = 0;
1199
1200 if (ctnetlink_exp_dump_expect(skb, exp) < 0)
1201 goto nfattr_failure;
1202
1203 nlh->nlmsg_len = skb->tail - b;
1204 return skb->len;
1205
1206 nlmsg_failure:
1207 nfattr_failure:
1208 skb_trim(skb, b - skb->data);
1209 return -1;
1210 }
1211
1212 #ifdef CONFIG_NF_CONNTRACK_EVENTS
1213 static int ctnetlink_expect_event(struct notifier_block *this,
1214 unsigned long events, void *ptr)
1215 {
1216 struct nlmsghdr *nlh;
1217 struct nfgenmsg *nfmsg;
1218 struct nf_conntrack_expect *exp = (struct nf_conntrack_expect *)ptr;
1219 struct sk_buff *skb;
1220 unsigned int type;
1221 unsigned char *b;
1222 int flags = 0;
1223
1224 if (events & IPEXP_NEW) {
1225 type = IPCTNL_MSG_EXP_NEW;
1226 flags = NLM_F_CREATE|NLM_F_EXCL;
1227 } else
1228 return NOTIFY_DONE;
1229
1230 if (!nfnetlink_has_listeners(NFNLGRP_CONNTRACK_EXP_NEW))
1231 return NOTIFY_DONE;
1232
1233 skb = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1234 if (!skb)
1235 return NOTIFY_DONE;
1236
1237 b = skb->tail;
1238
1239 type |= NFNL_SUBSYS_CTNETLINK_EXP << 8;
1240 nlh = NLMSG_PUT(skb, 0, 0, type, sizeof(struct nfgenmsg));
1241 nfmsg = NLMSG_DATA(nlh);
1242
1243 nlh->nlmsg_flags = flags;
1244 nfmsg->nfgen_family = exp->tuple.src.l3num;
1245 nfmsg->version = NFNETLINK_V0;
1246 nfmsg->res_id = 0;
1247
1248 if (ctnetlink_exp_dump_expect(skb, exp) < 0)
1249 goto nfattr_failure;
1250
1251 nlh->nlmsg_len = skb->tail - b;
1252 nfnetlink_send(skb, 0, NFNLGRP_CONNTRACK_EXP_NEW, 0);
1253 return NOTIFY_DONE;
1254
1255 nlmsg_failure:
1256 nfattr_failure:
1257 kfree_skb(skb);
1258 return NOTIFY_DONE;
1259 }
1260 #endif
1261
1262 static int
1263 ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
1264 {
1265 struct nf_conntrack_expect *exp = NULL;
1266 struct list_head *i;
1267 u_int32_t *id = (u_int32_t *) &cb->args[0];
1268 struct nfgenmsg *nfmsg = NLMSG_DATA(cb->nlh);
1269 u_int8_t l3proto = nfmsg->nfgen_family;
1270
1271 DEBUGP("entered %s, last id=%llu\n", __FUNCTION__, *id);
1272
1273 read_lock_bh(&nf_conntrack_lock);
1274 list_for_each_prev(i, &nf_conntrack_expect_list) {
1275 exp = (struct nf_conntrack_expect *) i;
1276 if (l3proto && exp->tuple.src.l3num != l3proto)
1277 continue;
1278 if (exp->id <= *id)
1279 continue;
1280 if (ctnetlink_exp_fill_info(skb, NETLINK_CB(cb->skb).pid,
1281 cb->nlh->nlmsg_seq,
1282 IPCTNL_MSG_EXP_NEW,
1283 1, exp) < 0)
1284 goto out;
1285 *id = exp->id;
1286 }
1287 out:
1288 read_unlock_bh(&nf_conntrack_lock);
1289
1290 DEBUGP("leaving, last id=%llu\n", *id);
1291
1292 return skb->len;
1293 }
1294
1295 static const size_t cta_min_exp[CTA_EXPECT_MAX] = {
1296 [CTA_EXPECT_TIMEOUT-1] = sizeof(u_int32_t),
1297 [CTA_EXPECT_ID-1] = sizeof(u_int32_t)
1298 };
1299
1300 static int
1301 ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb,
1302 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
1303 {
1304 struct nf_conntrack_tuple tuple;
1305 struct nf_conntrack_expect *exp;
1306 struct sk_buff *skb2;
1307 struct nfgenmsg *nfmsg = NLMSG_DATA(nlh);
1308 u_int8_t u3 = nfmsg->nfgen_family;
1309 int err = 0;
1310
1311 DEBUGP("entered %s\n", __FUNCTION__);
1312
1313 if (nfattr_bad_size(cda, CTA_EXPECT_MAX, cta_min_exp))
1314 return -EINVAL;
1315
1316 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1317 u32 rlen;
1318
1319 if ((*errp = netlink_dump_start(ctnl, skb, nlh,
1320 ctnetlink_exp_dump_table,
1321 ctnetlink_done)) != 0)
1322 return -EINVAL;
1323 rlen = NLMSG_ALIGN(nlh->nlmsg_len);
1324 if (rlen > skb->len)
1325 rlen = skb->len;
1326 skb_pull(skb, rlen);
1327 return 0;
1328 }
1329
1330 if (cda[CTA_EXPECT_MASTER-1])
1331 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER, u3);
1332 else
1333 return -EINVAL;
1334
1335 if (err < 0)
1336 return err;
1337
1338 exp = nf_conntrack_expect_find(&tuple);
1339 if (!exp)
1340 return -ENOENT;
1341
1342 if (cda[CTA_EXPECT_ID-1]) {
1343 u_int32_t id = *(u_int32_t *)NFA_DATA(cda[CTA_EXPECT_ID-1]);
1344 if (exp->id != ntohl(id)) {
1345 nf_conntrack_expect_put(exp);
1346 return -ENOENT;
1347 }
1348 }
1349
1350 err = -ENOMEM;
1351 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1352 if (!skb2)
1353 goto out;
1354 NETLINK_CB(skb2).dst_pid = NETLINK_CB(skb).pid;
1355
1356 err = ctnetlink_exp_fill_info(skb2, NETLINK_CB(skb).pid,
1357 nlh->nlmsg_seq, IPCTNL_MSG_EXP_NEW,
1358 1, exp);
1359 if (err <= 0)
1360 goto free;
1361
1362 nf_conntrack_expect_put(exp);
1363
1364 return netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT);
1365
1366 free:
1367 kfree_skb(skb2);
1368 out:
1369 nf_conntrack_expect_put(exp);
1370 return err;
1371 }
1372
1373 static int
1374 ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb,
1375 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
1376 {
1377 struct nf_conntrack_expect *exp, *tmp;
1378 struct nf_conntrack_tuple tuple;
1379 struct nf_conntrack_helper *h;
1380 struct nfgenmsg *nfmsg = NLMSG_DATA(nlh);
1381 u_int8_t u3 = nfmsg->nfgen_family;
1382 int err;
1383
1384 if (nfattr_bad_size(cda, CTA_EXPECT_MAX, cta_min_exp))
1385 return -EINVAL;
1386
1387 if (cda[CTA_EXPECT_TUPLE-1]) {
1388 /* delete a single expect by tuple */
1389 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, u3);
1390 if (err < 0)
1391 return err;
1392
1393 /* bump usage count to 2 */
1394 exp = nf_conntrack_expect_find(&tuple);
1395 if (!exp)
1396 return -ENOENT;
1397
1398 if (cda[CTA_EXPECT_ID-1]) {
1399 u_int32_t id =
1400 *(u_int32_t *)NFA_DATA(cda[CTA_EXPECT_ID-1]);
1401 if (exp->id != ntohl(id)) {
1402 nf_conntrack_expect_put(exp);
1403 return -ENOENT;
1404 }
1405 }
1406
1407 /* after list removal, usage count == 1 */
1408 nf_conntrack_unexpect_related(exp);
1409 /* have to put what we 'get' above.
1410 * after this line usage count == 0 */
1411 nf_conntrack_expect_put(exp);
1412 } else if (cda[CTA_EXPECT_HELP_NAME-1]) {
1413 char *name = NFA_DATA(cda[CTA_EXPECT_HELP_NAME-1]);
1414
1415 /* delete all expectations for this helper */
1416 write_lock_bh(&nf_conntrack_lock);
1417 h = __nf_conntrack_helper_find_byname(name);
1418 if (!h) {
1419 write_unlock_bh(&nf_conntrack_lock);
1420 return -EINVAL;
1421 }
1422 list_for_each_entry_safe(exp, tmp, &nf_conntrack_expect_list,
1423 list) {
1424 struct nf_conn_help *m_help = nfct_help(exp->master);
1425 if (m_help->helper == h
1426 && del_timer(&exp->timeout)) {
1427 nf_ct_unlink_expect(exp);
1428 nf_conntrack_expect_put(exp);
1429 }
1430 }
1431 write_unlock_bh(&nf_conntrack_lock);
1432 } else {
1433 /* This basically means we have to flush everything*/
1434 write_lock_bh(&nf_conntrack_lock);
1435 list_for_each_entry_safe(exp, tmp, &nf_conntrack_expect_list,
1436 list) {
1437 if (del_timer(&exp->timeout)) {
1438 nf_ct_unlink_expect(exp);
1439 nf_conntrack_expect_put(exp);
1440 }
1441 }
1442 write_unlock_bh(&nf_conntrack_lock);
1443 }
1444
1445 return 0;
1446 }
1447 static int
1448 ctnetlink_change_expect(struct nf_conntrack_expect *x, struct nfattr *cda[])
1449 {
1450 return -EOPNOTSUPP;
1451 }
1452
1453 static int
1454 ctnetlink_create_expect(struct nfattr *cda[], u_int8_t u3)
1455 {
1456 struct nf_conntrack_tuple tuple, mask, master_tuple;
1457 struct nf_conntrack_tuple_hash *h = NULL;
1458 struct nf_conntrack_expect *exp;
1459 struct nf_conn *ct;
1460 struct nf_conn_help *help;
1461 int err = 0;
1462
1463 DEBUGP("entered %s\n", __FUNCTION__);
1464
1465 /* caller guarantees that those three CTA_EXPECT_* exist */
1466 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, u3);
1467 if (err < 0)
1468 return err;
1469 err = ctnetlink_parse_tuple(cda, &mask, CTA_EXPECT_MASK, u3);
1470 if (err < 0)
1471 return err;
1472 err = ctnetlink_parse_tuple(cda, &master_tuple, CTA_EXPECT_MASTER, u3);
1473 if (err < 0)
1474 return err;
1475
1476 /* Look for master conntrack of this expectation */
1477 h = nf_conntrack_find_get(&master_tuple, NULL);
1478 if (!h)
1479 return -ENOENT;
1480 ct = nf_ct_tuplehash_to_ctrack(h);
1481 help = nfct_help(ct);
1482
1483 if (!help || !help->helper) {
1484 /* such conntrack hasn't got any helper, abort */
1485 err = -EINVAL;
1486 goto out;
1487 }
1488
1489 exp = nf_conntrack_expect_alloc(ct);
1490 if (!exp) {
1491 err = -ENOMEM;
1492 goto out;
1493 }
1494
1495 exp->expectfn = NULL;
1496 exp->flags = 0;
1497 exp->master = ct;
1498 memcpy(&exp->tuple, &tuple, sizeof(struct nf_conntrack_tuple));
1499 memcpy(&exp->mask, &mask, sizeof(struct nf_conntrack_tuple));
1500
1501 err = nf_conntrack_expect_related(exp);
1502 nf_conntrack_expect_put(exp);
1503
1504 out:
1505 nf_ct_put(nf_ct_tuplehash_to_ctrack(h));
1506 return err;
1507 }
1508
1509 static int
1510 ctnetlink_new_expect(struct sock *ctnl, struct sk_buff *skb,
1511 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
1512 {
1513 struct nf_conntrack_tuple tuple;
1514 struct nf_conntrack_expect *exp;
1515 struct nfgenmsg *nfmsg = NLMSG_DATA(nlh);
1516 u_int8_t u3 = nfmsg->nfgen_family;
1517 int err = 0;
1518
1519 DEBUGP("entered %s\n", __FUNCTION__);
1520
1521 if (nfattr_bad_size(cda, CTA_EXPECT_MAX, cta_min_exp))
1522 return -EINVAL;
1523
1524 if (!cda[CTA_EXPECT_TUPLE-1]
1525 || !cda[CTA_EXPECT_MASK-1]
1526 || !cda[CTA_EXPECT_MASTER-1])
1527 return -EINVAL;
1528
1529 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, u3);
1530 if (err < 0)
1531 return err;
1532
1533 write_lock_bh(&nf_conntrack_lock);
1534 exp = __nf_conntrack_expect_find(&tuple);
1535
1536 if (!exp) {
1537 write_unlock_bh(&nf_conntrack_lock);
1538 err = -ENOENT;
1539 if (nlh->nlmsg_flags & NLM_F_CREATE)
1540 err = ctnetlink_create_expect(cda, u3);
1541 return err;
1542 }
1543
1544 err = -EEXIST;
1545 if (!(nlh->nlmsg_flags & NLM_F_EXCL))
1546 err = ctnetlink_change_expect(exp, cda);
1547 write_unlock_bh(&nf_conntrack_lock);
1548
1549 DEBUGP("leaving\n");
1550
1551 return err;
1552 }
1553
1554 #ifdef CONFIG_NF_CONNTRACK_EVENTS
1555 static struct notifier_block ctnl_notifier = {
1556 .notifier_call = ctnetlink_conntrack_event,
1557 };
1558
1559 static struct notifier_block ctnl_notifier_exp = {
1560 .notifier_call = ctnetlink_expect_event,
1561 };
1562 #endif
1563
1564 static struct nfnl_callback ctnl_cb[IPCTNL_MSG_MAX] = {
1565 [IPCTNL_MSG_CT_NEW] = { .call = ctnetlink_new_conntrack,
1566 .attr_count = CTA_MAX, },
1567 [IPCTNL_MSG_CT_GET] = { .call = ctnetlink_get_conntrack,
1568 .attr_count = CTA_MAX, },
1569 [IPCTNL_MSG_CT_DELETE] = { .call = ctnetlink_del_conntrack,
1570 .attr_count = CTA_MAX, },
1571 [IPCTNL_MSG_CT_GET_CTRZERO] = { .call = ctnetlink_get_conntrack,
1572 .attr_count = CTA_MAX, },
1573 };
1574
1575 static struct nfnl_callback ctnl_exp_cb[IPCTNL_MSG_EXP_MAX] = {
1576 [IPCTNL_MSG_EXP_GET] = { .call = ctnetlink_get_expect,
1577 .attr_count = CTA_EXPECT_MAX, },
1578 [IPCTNL_MSG_EXP_NEW] = { .call = ctnetlink_new_expect,
1579 .attr_count = CTA_EXPECT_MAX, },
1580 [IPCTNL_MSG_EXP_DELETE] = { .call = ctnetlink_del_expect,
1581 .attr_count = CTA_EXPECT_MAX, },
1582 };
1583
1584 static struct nfnetlink_subsystem ctnl_subsys = {
1585 .name = "conntrack",
1586 .subsys_id = NFNL_SUBSYS_CTNETLINK,
1587 .cb_count = IPCTNL_MSG_MAX,
1588 .cb = ctnl_cb,
1589 };
1590
1591 static struct nfnetlink_subsystem ctnl_exp_subsys = {
1592 .name = "conntrack_expect",
1593 .subsys_id = NFNL_SUBSYS_CTNETLINK_EXP,
1594 .cb_count = IPCTNL_MSG_EXP_MAX,
1595 .cb = ctnl_exp_cb,
1596 };
1597
1598 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK);
1599 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK_EXP);
1600
1601 static int __init ctnetlink_init(void)
1602 {
1603 int ret;
1604
1605 printk("ctnetlink v%s: registering with nfnetlink.\n", version);
1606 ret = nfnetlink_subsys_register(&ctnl_subsys);
1607 if (ret < 0) {
1608 printk("ctnetlink_init: cannot register with nfnetlink.\n");
1609 goto err_out;
1610 }
1611
1612 ret = nfnetlink_subsys_register(&ctnl_exp_subsys);
1613 if (ret < 0) {
1614 printk("ctnetlink_init: cannot register exp with nfnetlink.\n");
1615 goto err_unreg_subsys;
1616 }
1617
1618 #ifdef CONFIG_NF_CONNTRACK_EVENTS
1619 ret = nf_conntrack_register_notifier(&ctnl_notifier);
1620 if (ret < 0) {
1621 printk("ctnetlink_init: cannot register notifier.\n");
1622 goto err_unreg_exp_subsys;
1623 }
1624
1625 ret = nf_conntrack_expect_register_notifier(&ctnl_notifier_exp);
1626 if (ret < 0) {
1627 printk("ctnetlink_init: cannot expect register notifier.\n");
1628 goto err_unreg_notifier;
1629 }
1630 #endif
1631
1632 return 0;
1633
1634 #ifdef CONFIG_NF_CONNTRACK_EVENTS
1635 err_unreg_notifier:
1636 nf_conntrack_unregister_notifier(&ctnl_notifier);
1637 err_unreg_exp_subsys:
1638 nfnetlink_subsys_unregister(&ctnl_exp_subsys);
1639 #endif
1640 err_unreg_subsys:
1641 nfnetlink_subsys_unregister(&ctnl_subsys);
1642 err_out:
1643 return ret;
1644 }
1645
1646 static void __exit ctnetlink_exit(void)
1647 {
1648 printk("ctnetlink: unregistering from nfnetlink.\n");
1649
1650 #ifdef CONFIG_NF_CONNTRACK_EVENTS
1651 nf_conntrack_expect_unregister_notifier(&ctnl_notifier_exp);
1652 nf_conntrack_unregister_notifier(&ctnl_notifier);
1653 #endif
1654
1655 nfnetlink_subsys_unregister(&ctnl_exp_subsys);
1656 nfnetlink_subsys_unregister(&ctnl_subsys);
1657 return;
1658 }
1659
1660 module_init(ctnetlink_init);
1661 module_exit(ctnetlink_exit);
Linux kernel - Deliverables
This page took 0.120424 seconds and 6 git commands to generate.