1/* Connection tracking via netlink socket. Allows for user space 2 * protocol helpers and general trouble making from userspace. 3 * 4 * (C) 2001 by Jay Schulist <jschlst@samba.org> 5 * (C) 2002-2006 by Harald Welte <laforge@gnumonks.org> 6 * (C) 2003 by Patrick Mchardy <kaber@trash.net> 7 * (C) 2005-2012 by Pablo Neira Ayuso <pablo@netfilter.org> 8 * 9 * Initial connection tracking via netlink development funded and 10 * generally made possible by Network Robots, Inc. (www.networkrobots.com) 11 * 12 * Further development of this code funded by Astaro AG (http://www.astaro.com) 13 * 14 * This software may be used and distributed according to the terms 15 * of the GNU General Public License, incorporated herein by reference. 16 */ 17 18#include <linux/init.h> 19#include <linux/module.h> 20#include <linux/kernel.h> 21#include <linux/rculist.h> 22#include <linux/rculist_nulls.h> 23#include <linux/types.h> 24#include <linux/timer.h> 25#include <linux/security.h> 26#include <linux/skbuff.h> 27#include <linux/errno.h> 28#include <linux/netlink.h> 29#include <linux/spinlock.h> 30#include <linux/interrupt.h> 31#include <linux/slab.h> 32 33#include <linux/netfilter.h> 34#include <net/netlink.h> 35#include <net/sock.h> 36#include <net/netfilter/nf_conntrack.h> 37#include <net/netfilter/nf_conntrack_core.h> 38#include <net/netfilter/nf_conntrack_expect.h> 39#include <net/netfilter/nf_conntrack_helper.h> 40#include <net/netfilter/nf_conntrack_l3proto.h> 41#include <net/netfilter/nf_conntrack_l4proto.h> 42#include <net/netfilter/nf_conntrack_tuple.h> 43#include <net/netfilter/nf_conntrack_acct.h> 44#include <net/netfilter/nf_conntrack_zones.h> 45#include <net/netfilter/nf_conntrack_timestamp.h> 46#include <net/netfilter/nf_conntrack_labels.h> 47#ifdef CONFIG_NF_NAT_NEEDED 48#include <net/netfilter/nf_nat_core.h> 49#include <net/netfilter/nf_nat_l4proto.h> 50#include <net/netfilter/nf_nat_helper.h> 51#endif 52 53#include <linux/netfilter/nfnetlink.h> 54#include <linux/netfilter/nfnetlink_conntrack.h> 55 56MODULE_LICENSE("GPL"); 57 58static char __initdata version[] = "0.93"; 59 60static inline int 61ctnetlink_dump_tuples_proto(struct sk_buff *skb, 62 const struct nf_conntrack_tuple *tuple, 63 struct nf_conntrack_l4proto *l4proto) 64{ 65 int ret = 0; 66 struct nlattr *nest_parms; 67 68 nest_parms = nla_nest_start(skb, CTA_TUPLE_PROTO | NLA_F_NESTED); 69 if (!nest_parms) 70 goto nla_put_failure; 71 if (nla_put_u8(skb, CTA_PROTO_NUM, tuple->dst.protonum)) 72 goto nla_put_failure; 73 74 if (likely(l4proto->tuple_to_nlattr)) 75 ret = l4proto->tuple_to_nlattr(skb, tuple); 76 77 nla_nest_end(skb, nest_parms); 78 79 return ret; 80 81nla_put_failure: 82 return -1; 83} 84 85static inline int 86ctnetlink_dump_tuples_ip(struct sk_buff *skb, 87 const struct nf_conntrack_tuple *tuple, 88 struct nf_conntrack_l3proto *l3proto) 89{ 90 int ret = 0; 91 struct nlattr *nest_parms; 92 93 nest_parms = nla_nest_start(skb, CTA_TUPLE_IP | NLA_F_NESTED); 94 if (!nest_parms) 95 goto nla_put_failure; 96 97 if (likely(l3proto->tuple_to_nlattr)) 98 ret = l3proto->tuple_to_nlattr(skb, tuple); 99 100 nla_nest_end(skb, nest_parms); 101 102 return ret; 103 104nla_put_failure: 105 return -1; 106} 107 108static int 109ctnetlink_dump_tuples(struct sk_buff *skb, 110 const struct nf_conntrack_tuple *tuple) 111{ 112 int ret; 113 struct nf_conntrack_l3proto *l3proto; 114 struct nf_conntrack_l4proto *l4proto; 115 116 rcu_read_lock(); 117 l3proto = __nf_ct_l3proto_find(tuple->src.l3num); 118 ret = ctnetlink_dump_tuples_ip(skb, tuple, l3proto); 119 120 if (ret >= 0) { 121 l4proto = __nf_ct_l4proto_find(tuple->src.l3num, 122 tuple->dst.protonum); 123 ret = ctnetlink_dump_tuples_proto(skb, tuple, l4proto); 124 } 125 rcu_read_unlock(); 126 return ret; 127} 128 129static inline int 130ctnetlink_dump_status(struct sk_buff *skb, const struct nf_conn *ct) 131{ 132 if (nla_put_be32(skb, CTA_STATUS, htonl(ct->status))) 133 goto nla_put_failure; 134 return 0; 135 136nla_put_failure: 137 return -1; 138} 139 140static inline int 141ctnetlink_dump_timeout(struct sk_buff *skb, const struct nf_conn *ct) 142{ 143 long timeout = ((long)ct->timeout.expires - (long)jiffies) / HZ; 144 145 if (timeout < 0) 146 timeout = 0; 147 148 if (nla_put_be32(skb, CTA_TIMEOUT, htonl(timeout))) 149 goto nla_put_failure; 150 return 0; 151 152nla_put_failure: 153 return -1; 154} 155 156static inline int 157ctnetlink_dump_protoinfo(struct sk_buff *skb, struct nf_conn *ct) 158{ 159 struct nf_conntrack_l4proto *l4proto; 160 struct nlattr *nest_proto; 161 int ret; 162 163 l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct)); 164 if (!l4proto->to_nlattr) 165 return 0; 166 167 nest_proto = nla_nest_start(skb, CTA_PROTOINFO | NLA_F_NESTED); 168 if (!nest_proto) 169 goto nla_put_failure; 170 171 ret = l4proto->to_nlattr(skb, nest_proto, ct); 172 173 nla_nest_end(skb, nest_proto); 174 175 return ret; 176 177nla_put_failure: 178 return -1; 179} 180 181static inline int 182ctnetlink_dump_helpinfo(struct sk_buff *skb, const struct nf_conn *ct) 183{ 184 struct nlattr *nest_helper; 185 const struct nf_conn_help *help = nfct_help(ct); 186 struct nf_conntrack_helper *helper; 187 188 if (!help) 189 return 0; 190 191 helper = rcu_dereference(help->helper); 192 if (!helper) 193 goto out; 194 195 nest_helper = nla_nest_start(skb, CTA_HELP | NLA_F_NESTED); 196 if (!nest_helper) 197 goto nla_put_failure; 198 if (nla_put_string(skb, CTA_HELP_NAME, helper->name)) 199 goto nla_put_failure; 200 201 if (helper->to_nlattr) 202 helper->to_nlattr(skb, ct); 203 204 nla_nest_end(skb, nest_helper); 205out: 206 return 0; 207 208nla_put_failure: 209 return -1; 210} 211 212static int 213dump_counters(struct sk_buff *skb, u64 pkts, u64 bytes, 214 enum ip_conntrack_dir dir) 215{ 216 enum ctattr_type type = dir ? CTA_COUNTERS_REPLY: CTA_COUNTERS_ORIG; 217 struct nlattr *nest_count; 218 219 nest_count = nla_nest_start(skb, type | NLA_F_NESTED); 220 if (!nest_count) 221 goto nla_put_failure; 222 223 if (nla_put_be64(skb, CTA_COUNTERS_PACKETS, cpu_to_be64(pkts)) || 224 nla_put_be64(skb, CTA_COUNTERS_BYTES, cpu_to_be64(bytes))) 225 goto nla_put_failure; 226 227 nla_nest_end(skb, nest_count); 228 229 return 0; 230 231nla_put_failure: 232 return -1; 233} 234 235static int 236ctnetlink_dump_counters(struct sk_buff *skb, const struct nf_conn *ct, 237 enum ip_conntrack_dir dir, int type) 238{ 239 struct nf_conn_counter *acct; 240 u64 pkts, bytes; 241 242 acct = nf_conn_acct_find(ct); 243 if (!acct) 244 return 0; 245 246 if (type == IPCTNL_MSG_CT_GET_CTRZERO) { 247 pkts = atomic64_xchg(&acct[dir].packets, 0); 248 bytes = atomic64_xchg(&acct[dir].bytes, 0); 249 } else { 250 pkts = atomic64_read(&acct[dir].packets); 251 bytes = atomic64_read(&acct[dir].bytes); 252 } 253 return dump_counters(skb, pkts, bytes, dir); 254} 255 256static int 257ctnetlink_dump_timestamp(struct sk_buff *skb, const struct nf_conn *ct) 258{ 259 struct nlattr *nest_count; 260 const struct nf_conn_tstamp *tstamp; 261 262 tstamp = nf_conn_tstamp_find(ct); 263 if (!tstamp) 264 return 0; 265 266 nest_count = nla_nest_start(skb, CTA_TIMESTAMP | NLA_F_NESTED); 267 if (!nest_count) 268 goto nla_put_failure; 269 270 if (nla_put_be64(skb, CTA_TIMESTAMP_START, cpu_to_be64(tstamp->start)) || 271 (tstamp->stop != 0 && nla_put_be64(skb, CTA_TIMESTAMP_STOP, 272 cpu_to_be64(tstamp->stop)))) 273 goto nla_put_failure; 274 nla_nest_end(skb, nest_count); 275 276 return 0; 277 278nla_put_failure: 279 return -1; 280} 281 282#ifdef CONFIG_NF_CONNTRACK_MARK 283static inline int 284ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct) 285{ 286 if (nla_put_be32(skb, CTA_MARK, htonl(ct->mark))) 287 goto nla_put_failure; 288 return 0; 289 290nla_put_failure: 291 return -1; 292} 293#else 294#define ctnetlink_dump_mark(a, b) (0) 295#endif 296 297#ifdef CONFIG_NF_CONNTRACK_SECMARK 298static inline int 299ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) 300{ 301 struct nlattr *nest_secctx; 302 int len, ret; 303 char *secctx; 304 305 ret = security_secid_to_secctx(ct->secmark, &secctx, &len); 306 if (ret) 307 return 0; 308 309 ret = -1; 310 nest_secctx = nla_nest_start(skb, CTA_SECCTX | NLA_F_NESTED); 311 if (!nest_secctx) 312 goto nla_put_failure; 313 314 if (nla_put_string(skb, CTA_SECCTX_NAME, secctx)) 315 goto nla_put_failure; 316 nla_nest_end(skb, nest_secctx); 317 318 ret = 0; 319nla_put_failure: 320 security_release_secctx(secctx, len); 321 return ret; 322} 323#else 324#define ctnetlink_dump_secctx(a, b) (0) 325#endif 326 327#ifdef CONFIG_NF_CONNTRACK_LABELS 328static int ctnetlink_label_size(const struct nf_conn *ct) 329{ 330 struct nf_conn_labels *labels = nf_ct_labels_find(ct); 331 332 if (!labels) 333 return 0; 334 return nla_total_size(labels->words * sizeof(long)); 335} 336 337static int 338ctnetlink_dump_labels(struct sk_buff *skb, const struct nf_conn *ct) 339{ 340 struct nf_conn_labels *labels = nf_ct_labels_find(ct); 341 unsigned int len, i; 342 343 if (!labels) 344 return 0; 345 346 len = labels->words * sizeof(long); 347 i = 0; 348 do { 349 if (labels->bits[i] != 0) 350 return nla_put(skb, CTA_LABELS, len, labels->bits); 351 i++; 352 } while (i < labels->words); 353 354 return 0; 355} 356#else 357#define ctnetlink_dump_labels(a, b) (0) 358#define ctnetlink_label_size(a) (0) 359#endif 360 361#define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple) 362 363static inline int 364ctnetlink_dump_master(struct sk_buff *skb, const struct nf_conn *ct) 365{ 366 struct nlattr *nest_parms; 367 368 if (!(ct->status & IPS_EXPECTED)) 369 return 0; 370 371 nest_parms = nla_nest_start(skb, CTA_TUPLE_MASTER | NLA_F_NESTED); 372 if (!nest_parms) 373 goto nla_put_failure; 374 if (ctnetlink_dump_tuples(skb, master_tuple(ct)) < 0) 375 goto nla_put_failure; 376 nla_nest_end(skb, nest_parms); 377 378 return 0; 379 380nla_put_failure: 381 return -1; 382} 383 384#ifdef CONFIG_NF_NAT_NEEDED 385static int 386dump_nat_seq_adj(struct sk_buff *skb, const struct nf_nat_seq *natseq, int type) 387{ 388 struct nlattr *nest_parms; 389 390 nest_parms = nla_nest_start(skb, type | NLA_F_NESTED); 391 if (!nest_parms) 392 goto nla_put_failure; 393 394 if (nla_put_be32(skb, CTA_NAT_SEQ_CORRECTION_POS, 395 htonl(natseq->correction_pos)) || 396 nla_put_be32(skb, CTA_NAT_SEQ_OFFSET_BEFORE, 397 htonl(natseq->offset_before)) || 398 nla_put_be32(skb, CTA_NAT_SEQ_OFFSET_AFTER, 399 htonl(natseq->offset_after))) 400 goto nla_put_failure; 401 402 nla_nest_end(skb, nest_parms); 403 404 return 0; 405 406nla_put_failure: 407 return -1; 408} 409 410static inline int 411ctnetlink_dump_nat_seq_adj(struct sk_buff *skb, const struct nf_conn *ct) 412{ 413 struct nf_nat_seq *natseq; 414 struct nf_conn_nat *nat = nfct_nat(ct); 415 416 if (!(ct->status & IPS_SEQ_ADJUST) || !nat) 417 return 0; 418 419 natseq = &nat->seq[IP_CT_DIR_ORIGINAL]; 420 if (dump_nat_seq_adj(skb, natseq, CTA_NAT_SEQ_ADJ_ORIG) == -1) 421 return -1; 422 423 natseq = &nat->seq[IP_CT_DIR_REPLY]; 424 if (dump_nat_seq_adj(skb, natseq, CTA_NAT_SEQ_ADJ_REPLY) == -1) 425 return -1; 426 427 return 0; 428} 429#else 430#define ctnetlink_dump_nat_seq_adj(a, b) (0) 431#endif 432 433static inline int 434ctnetlink_dump_id(struct sk_buff *skb, const struct nf_conn *ct) 435{ 436 if (nla_put_be32(skb, CTA_ID, htonl((unsigned long)ct))) 437 goto nla_put_failure; 438 return 0; 439 440nla_put_failure: 441 return -1; 442} 443 444static inline int 445ctnetlink_dump_use(struct sk_buff *skb, const struct nf_conn *ct) 446{ 447 if (nla_put_be32(skb, CTA_USE, htonl(atomic_read(&ct->ct_general.use)))) 448 goto nla_put_failure; 449 return 0; 450 451nla_put_failure: 452 return -1; 453} 454 455static int 456ctnetlink_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type, 457 struct nf_conn *ct) 458{ 459 struct nlmsghdr *nlh; 460 struct nfgenmsg *nfmsg; 461 struct nlattr *nest_parms; 462 unsigned int flags = portid ? NLM_F_MULTI : 0, event; 463 464 event = (NFNL_SUBSYS_CTNETLINK << 8 | IPCTNL_MSG_CT_NEW); 465 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); 466 if (nlh == NULL) 467 goto nlmsg_failure; 468 469 nfmsg = nlmsg_data(nlh); 470 nfmsg->nfgen_family = nf_ct_l3num(ct); 471 nfmsg->version = NFNETLINK_V0; 472 nfmsg->res_id = 0; 473 474 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED); 475 if (!nest_parms) 476 goto nla_put_failure; 477 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0) 478 goto nla_put_failure; 479 nla_nest_end(skb, nest_parms); 480 481 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY | NLA_F_NESTED); 482 if (!nest_parms) 483 goto nla_put_failure; 484 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0) 485 goto nla_put_failure; 486 nla_nest_end(skb, nest_parms); 487 488 if (nf_ct_zone(ct) && 489 nla_put_be16(skb, CTA_ZONE, htons(nf_ct_zone(ct)))) 490 goto nla_put_failure; 491 492 if (ctnetlink_dump_status(skb, ct) < 0 || 493 ctnetlink_dump_timeout(skb, ct) < 0 || 494 ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL, type) < 0 || 495 ctnetlink_dump_counters(skb, ct, IP_CT_DIR_REPLY, type) < 0 || 496 ctnetlink_dump_timestamp(skb, ct) < 0 || 497 ctnetlink_dump_protoinfo(skb, ct) < 0 || 498 ctnetlink_dump_helpinfo(skb, ct) < 0 || 499 ctnetlink_dump_mark(skb, ct) < 0 || 500 ctnetlink_dump_secctx(skb, ct) < 0 || 501 ctnetlink_dump_labels(skb, ct) < 0 || 502 ctnetlink_dump_id(skb, ct) < 0 || 503 ctnetlink_dump_use(skb, ct) < 0 || 504 ctnetlink_dump_master(skb, ct) < 0 || 505 ctnetlink_dump_nat_seq_adj(skb, ct) < 0) 506 goto nla_put_failure; 507 508 nlmsg_end(skb, nlh); 509 return skb->len; 510 511nlmsg_failure: 512nla_put_failure: 513 nlmsg_cancel(skb, nlh); 514 return -1; 515} 516 517static inline size_t 518ctnetlink_proto_size(const struct nf_conn *ct) 519{ 520 struct nf_conntrack_l3proto *l3proto; 521 struct nf_conntrack_l4proto *l4proto; 522 size_t len = 0; 523 524 rcu_read_lock(); 525 l3proto = __nf_ct_l3proto_find(nf_ct_l3num(ct)); 526 len += l3proto->nla_size; 527 528 l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct)); 529 len += l4proto->nla_size; 530 rcu_read_unlock(); 531 532 return len; 533} 534 535static inline size_t 536ctnetlink_counters_size(const struct nf_conn *ct) 537{ 538 if (!nf_ct_ext_exist(ct, NF_CT_EXT_ACCT)) 539 return 0; 540 return 2 * nla_total_size(0) /* CTA_COUNTERS_ORIG|REPL */ 541 + 2 * nla_total_size(sizeof(uint64_t)) /* CTA_COUNTERS_PACKETS */ 542 + 2 * nla_total_size(sizeof(uint64_t)) /* CTA_COUNTERS_BYTES */ 543 ; 544} 545 546static inline int 547ctnetlink_secctx_size(const struct nf_conn *ct) 548{ 549#ifdef CONFIG_NF_CONNTRACK_SECMARK 550 int len, ret; 551 552 ret = security_secid_to_secctx(ct->secmark, NULL, &len); 553 if (ret) 554 return 0; 555 556 return nla_total_size(0) /* CTA_SECCTX */ 557 + nla_total_size(sizeof(char) * len); /* CTA_SECCTX_NAME */ 558#else 559 return 0; 560#endif 561} 562 563static inline size_t 564ctnetlink_timestamp_size(const struct nf_conn *ct) 565{ 566#ifdef CONFIG_NF_CONNTRACK_TIMESTAMP 567 if (!nf_ct_ext_exist(ct, NF_CT_EXT_TSTAMP)) 568 return 0; 569 return nla_total_size(0) + 2 * nla_total_size(sizeof(uint64_t)); 570#else 571 return 0; 572#endif 573} 574 575static inline size_t 576ctnetlink_nlmsg_size(const struct nf_conn *ct) 577{ 578 return NLMSG_ALIGN(sizeof(struct nfgenmsg)) 579 + 3 * nla_total_size(0) /* CTA_TUPLE_ORIG|REPL|MASTER */ 580 + 3 * nla_total_size(0) /* CTA_TUPLE_IP */ 581 + 3 * nla_total_size(0) /* CTA_TUPLE_PROTO */ 582 + 3 * nla_total_size(sizeof(u_int8_t)) /* CTA_PROTO_NUM */ 583 + nla_total_size(sizeof(u_int32_t)) /* CTA_ID */ 584 + nla_total_size(sizeof(u_int32_t)) /* CTA_STATUS */ 585 + ctnetlink_counters_size(ct) 586 + ctnetlink_timestamp_size(ct) 587 + nla_total_size(sizeof(u_int32_t)) /* CTA_TIMEOUT */ 588 + nla_total_size(0) /* CTA_PROTOINFO */ 589 + nla_total_size(0) /* CTA_HELP */ 590 + nla_total_size(NF_CT_HELPER_NAME_LEN) /* CTA_HELP_NAME */ 591 + ctnetlink_secctx_size(ct) 592#ifdef CONFIG_NF_NAT_NEEDED 593 + 2 * nla_total_size(0) /* CTA_NAT_SEQ_ADJ_ORIG|REPL */ 594 + 6 * nla_total_size(sizeof(u_int32_t)) /* CTA_NAT_SEQ_OFFSET */ 595#endif 596#ifdef CONFIG_NF_CONNTRACK_MARK 597 + nla_total_size(sizeof(u_int32_t)) /* CTA_MARK */ 598#endif 599 + ctnetlink_proto_size(ct) 600 + ctnetlink_label_size(ct) 601 ; 602} 603 604#ifdef CONFIG_NF_CONNTRACK_EVENTS 605static int 606ctnetlink_conntrack_event(unsigned int events, struct nf_ct_event *item) 607{ 608 struct net *net; 609 struct nlmsghdr *nlh; 610 struct nfgenmsg *nfmsg; 611 struct nlattr *nest_parms; 612 struct nf_conn *ct = item->ct; 613 struct sk_buff *skb; 614 unsigned int type; 615 unsigned int flags = 0, group; 616 int err; 617 618 /* ignore our fake conntrack entry */ 619 if (nf_ct_is_untracked(ct)) 620 return 0; 621 622 if (events & (1 << IPCT_DESTROY)) { 623 type = IPCTNL_MSG_CT_DELETE; 624 group = NFNLGRP_CONNTRACK_DESTROY; 625 } else if (events & ((1 << IPCT_NEW) | (1 << IPCT_RELATED))) { 626 type = IPCTNL_MSG_CT_NEW; 627 flags = NLM_F_CREATE|NLM_F_EXCL; 628 group = NFNLGRP_CONNTRACK_NEW; 629 } else if (events) { 630 type = IPCTNL_MSG_CT_NEW; 631 group = NFNLGRP_CONNTRACK_UPDATE; 632 } else 633 return 0; 634 635 net = nf_ct_net(ct); 636 if (!item->report && !nfnetlink_has_listeners(net, group)) 637 return 0; 638 639 skb = nlmsg_new(ctnetlink_nlmsg_size(ct), GFP_ATOMIC); 640 if (skb == NULL) 641 goto errout; 642 643 type |= NFNL_SUBSYS_CTNETLINK << 8; 644 nlh = nlmsg_put(skb, item->portid, 0, type, sizeof(*nfmsg), flags); 645 if (nlh == NULL) 646 goto nlmsg_failure; 647 648 nfmsg = nlmsg_data(nlh); 649 nfmsg->nfgen_family = nf_ct_l3num(ct); 650 nfmsg->version = NFNETLINK_V0; 651 nfmsg->res_id = 0; 652 653 rcu_read_lock(); 654 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED); 655 if (!nest_parms) 656 goto nla_put_failure; 657 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0) 658 goto nla_put_failure; 659 nla_nest_end(skb, nest_parms); 660 661 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY | NLA_F_NESTED); 662 if (!nest_parms) 663 goto nla_put_failure; 664 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0) 665 goto nla_put_failure; 666 nla_nest_end(skb, nest_parms); 667 668 if (nf_ct_zone(ct) && 669 nla_put_be16(skb, CTA_ZONE, htons(nf_ct_zone(ct)))) 670 goto nla_put_failure; 671 672 if (ctnetlink_dump_id(skb, ct) < 0) 673 goto nla_put_failure; 674 675 if (ctnetlink_dump_status(skb, ct) < 0) 676 goto nla_put_failure; 677 678 if (events & (1 << IPCT_DESTROY)) { 679 if (ctnetlink_dump_counters(skb, ct, 680 IP_CT_DIR_ORIGINAL, type) < 0 || 681 ctnetlink_dump_counters(skb, ct, 682 IP_CT_DIR_REPLY, type) < 0 || 683 ctnetlink_dump_timestamp(skb, ct) < 0) 684 goto nla_put_failure; 685 } else { 686 if (ctnetlink_dump_timeout(skb, ct) < 0) 687 goto nla_put_failure; 688 689 if (events & (1 << IPCT_PROTOINFO) 690 && ctnetlink_dump_protoinfo(skb, ct) < 0) 691 goto nla_put_failure; 692 693 if ((events & (1 << IPCT_HELPER) || nfct_help(ct)) 694 && ctnetlink_dump_helpinfo(skb, ct) < 0) 695 goto nla_put_failure; 696 697#ifdef CONFIG_NF_CONNTRACK_SECMARK 698 if ((events & (1 << IPCT_SECMARK) || ct->secmark) 699 && ctnetlink_dump_secctx(skb, ct) < 0) 700 goto nla_put_failure; 701#endif 702 if (events & (1 << IPCT_LABEL) && 703 ctnetlink_dump_labels(skb, ct) < 0) 704 goto nla_put_failure; 705 706 if (events & (1 << IPCT_RELATED) && 707 ctnetlink_dump_master(skb, ct) < 0) 708 goto nla_put_failure; 709 710 if (events & (1 << IPCT_NATSEQADJ) && 711 ctnetlink_dump_nat_seq_adj(skb, ct) < 0) 712 goto nla_put_failure; 713 } 714 715#ifdef CONFIG_NF_CONNTRACK_MARK 716 if ((events & (1 << IPCT_MARK) || ct->mark) 717 && ctnetlink_dump_mark(skb, ct) < 0) 718 goto nla_put_failure; 719#endif 720 rcu_read_unlock(); 721 722 nlmsg_end(skb, nlh); 723 err = nfnetlink_send(skb, net, item->portid, group, item->report, 724 GFP_ATOMIC); 725 if (err == -ENOBUFS || err == -EAGAIN) 726 return -ENOBUFS; 727 728 return 0; 729 730nla_put_failure: 731 rcu_read_unlock(); 732 nlmsg_cancel(skb, nlh); 733nlmsg_failure: 734 kfree_skb(skb); 735errout: 736 if (nfnetlink_set_err(net, 0, group, -ENOBUFS) > 0) 737 return -ENOBUFS; 738 739 return 0; 740} 741#endif /* CONFIG_NF_CONNTRACK_EVENTS */ 742 743static int ctnetlink_done(struct netlink_callback *cb) 744{ 745 if (cb->args[1]) 746 nf_ct_put((struct nf_conn *)cb->args[1]); 747 if (cb->data) 748 kfree(cb->data); 749 return 0; 750} 751 752struct ctnetlink_dump_filter { 753 struct { 754 u_int32_t val; 755 u_int32_t mask; 756 } mark; 757}; 758 759static int 760ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb) 761{ 762 struct net *net = sock_net(skb->sk); 763 struct nf_conn *ct, *last; 764 struct nf_conntrack_tuple_hash *h; 765 struct hlist_nulls_node *n; 766 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 767 u_int8_t l3proto = nfmsg->nfgen_family; 768 int res; 769#ifdef CONFIG_NF_CONNTRACK_MARK 770 const struct ctnetlink_dump_filter *filter = cb->data; 771#endif 772 773 spin_lock_bh(&nf_conntrack_lock); 774 last = (struct nf_conn *)cb->args[1]; 775 for (; cb->args[0] < net->ct.htable_size; cb->args[0]++) { 776restart: 777 hlist_nulls_for_each_entry(h, n, &net->ct.hash[cb->args[0]], 778 hnnode) { 779 if (NF_CT_DIRECTION(h) != IP_CT_DIR_ORIGINAL) 780 continue; 781 ct = nf_ct_tuplehash_to_ctrack(h); 782 /* Dump entries of a given L3 protocol number. 783 * If it is not specified, ie. l3proto == 0, 784 * then dump everything. */ 785 if (l3proto && nf_ct_l3num(ct) != l3proto) 786 continue; 787 if (cb->args[1]) { 788 if (ct != last) 789 continue; 790 cb->args[1] = 0; 791 } 792#ifdef CONFIG_NF_CONNTRACK_MARK 793 if (filter && !((ct->mark & filter->mark.mask) == 794 filter->mark.val)) { 795 continue; 796 } 797#endif 798 rcu_read_lock(); 799 res = 800 ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).portid, 801 cb->nlh->nlmsg_seq, 802 NFNL_MSG_TYPE(cb->nlh->nlmsg_type), 803 ct); 804 rcu_read_unlock(); 805 if (res < 0) { 806 nf_conntrack_get(&ct->ct_general); 807 cb->args[1] = (unsigned long)ct; 808 goto out; 809 } 810 } 811 if (cb->args[1]) { 812 cb->args[1] = 0; 813 goto restart; 814 } 815 } 816out: 817 spin_unlock_bh(&nf_conntrack_lock); 818 if (last) 819 nf_ct_put(last); 820 821 return skb->len; 822} 823 824static inline int 825ctnetlink_parse_tuple_ip(struct nlattr *attr, struct nf_conntrack_tuple *tuple) 826{ 827 struct nlattr *tb[CTA_IP_MAX+1]; 828 struct nf_conntrack_l3proto *l3proto; 829 int ret = 0; 830 831 nla_parse_nested(tb, CTA_IP_MAX, attr, NULL); 832 833 rcu_read_lock(); 834 l3proto = __nf_ct_l3proto_find(tuple->src.l3num); 835 836 if (likely(l3proto->nlattr_to_tuple)) { 837 ret = nla_validate_nested(attr, CTA_IP_MAX, 838 l3proto->nla_policy); 839 if (ret == 0) 840 ret = l3proto->nlattr_to_tuple(tb, tuple); 841 } 842 843 rcu_read_unlock(); 844 845 return ret; 846} 847 848static const struct nla_policy proto_nla_policy[CTA_PROTO_MAX+1] = { 849 [CTA_PROTO_NUM] = { .type = NLA_U8 }, 850}; 851 852static inline int 853ctnetlink_parse_tuple_proto(struct nlattr *attr, 854 struct nf_conntrack_tuple *tuple) 855{ 856 struct nlattr *tb[CTA_PROTO_MAX+1]; 857 struct nf_conntrack_l4proto *l4proto; 858 int ret = 0; 859 860 ret = nla_parse_nested(tb, CTA_PROTO_MAX, attr, proto_nla_policy); 861 if (ret < 0) 862 return ret; 863 864 if (!tb[CTA_PROTO_NUM]) 865 return -EINVAL; 866 tuple->dst.protonum = nla_get_u8(tb[CTA_PROTO_NUM]); 867 868 rcu_read_lock(); 869 l4proto = __nf_ct_l4proto_find(tuple->src.l3num, tuple->dst.protonum); 870 871 if (likely(l4proto->nlattr_to_tuple)) { 872 ret = nla_validate_nested(attr, CTA_PROTO_MAX, 873 l4proto->nla_policy); 874 if (ret == 0) 875 ret = l4proto->nlattr_to_tuple(tb, tuple); 876 } 877 878 rcu_read_unlock(); 879 880 return ret; 881} 882 883static const struct nla_policy tuple_nla_policy[CTA_TUPLE_MAX+1] = { 884 [CTA_TUPLE_IP] = { .type = NLA_NESTED }, 885 [CTA_TUPLE_PROTO] = { .type = NLA_NESTED }, 886}; 887 888static int 889ctnetlink_parse_tuple(const struct nlattr * const cda[], 890 struct nf_conntrack_tuple *tuple, 891 enum ctattr_type type, u_int8_t l3num) 892{ 893 struct nlattr *tb[CTA_TUPLE_MAX+1]; 894 int err; 895 896 memset(tuple, 0, sizeof(*tuple)); 897 898 nla_parse_nested(tb, CTA_TUPLE_MAX, cda[type], tuple_nla_policy); 899 900 if (!tb[CTA_TUPLE_IP]) 901 return -EINVAL; 902 903 tuple->src.l3num = l3num; 904 905 err = ctnetlink_parse_tuple_ip(tb[CTA_TUPLE_IP], tuple); 906 if (err < 0) 907 return err; 908 909 if (!tb[CTA_TUPLE_PROTO]) 910 return -EINVAL; 911 912 err = ctnetlink_parse_tuple_proto(tb[CTA_TUPLE_PROTO], tuple); 913 if (err < 0) 914 return err; 915 916 /* orig and expect tuples get DIR_ORIGINAL */ 917 if (type == CTA_TUPLE_REPLY) 918 tuple->dst.dir = IP_CT_DIR_REPLY; 919 else 920 tuple->dst.dir = IP_CT_DIR_ORIGINAL; 921 922 return 0; 923} 924 925static int 926ctnetlink_parse_zone(const struct nlattr *attr, u16 *zone) 927{ 928 if (attr) 929#ifdef CONFIG_NF_CONNTRACK_ZONES 930 *zone = ntohs(nla_get_be16(attr)); 931#else 932 return -EOPNOTSUPP; 933#endif 934 else 935 *zone = 0; 936 937 return 0; 938} 939 940static const struct nla_policy help_nla_policy[CTA_HELP_MAX+1] = { 941 [CTA_HELP_NAME] = { .type = NLA_NUL_STRING, 942 .len = NF_CT_HELPER_NAME_LEN - 1 }, 943}; 944 945static inline int 946ctnetlink_parse_help(const struct nlattr *attr, char **helper_name, 947 struct nlattr **helpinfo) 948{ 949 struct nlattr *tb[CTA_HELP_MAX+1]; 950 951 nla_parse_nested(tb, CTA_HELP_MAX, attr, help_nla_policy); 952 953 if (!tb[CTA_HELP_NAME]) 954 return -EINVAL; 955 956 *helper_name = nla_data(tb[CTA_HELP_NAME]); 957 958 if (tb[CTA_HELP_INFO]) 959 *helpinfo = tb[CTA_HELP_INFO]; 960 961 return 0; 962} 963 964#define __CTA_LABELS_MAX_LENGTH ((XT_CONNLABEL_MAXBIT + 1) / BITS_PER_BYTE) 965static const struct nla_policy ct_nla_policy[CTA_MAX+1] = { 966 [CTA_TUPLE_ORIG] = { .type = NLA_NESTED }, 967 [CTA_TUPLE_REPLY] = { .type = NLA_NESTED }, 968 [CTA_STATUS] = { .type = NLA_U32 }, 969 [CTA_PROTOINFO] = { .type = NLA_NESTED }, 970 [CTA_HELP] = { .type = NLA_NESTED }, 971 [CTA_NAT_SRC] = { .type = NLA_NESTED }, 972 [CTA_TIMEOUT] = { .type = NLA_U32 }, 973 [CTA_MARK] = { .type = NLA_U32 }, 974 [CTA_ID] = { .type = NLA_U32 }, 975 [CTA_NAT_DST] = { .type = NLA_NESTED }, 976 [CTA_TUPLE_MASTER] = { .type = NLA_NESTED }, 977 [CTA_NAT_SEQ_ADJ_ORIG] = { .type = NLA_NESTED }, 978 [CTA_NAT_SEQ_ADJ_REPLY] = { .type = NLA_NESTED }, 979 [CTA_ZONE] = { .type = NLA_U16 }, 980 [CTA_MARK_MASK] = { .type = NLA_U32 }, 981 [CTA_LABELS] = { .type = NLA_BINARY, 982 .len = __CTA_LABELS_MAX_LENGTH }, 983 [CTA_LABELS_MASK] = { .type = NLA_BINARY, 984 .len = __CTA_LABELS_MAX_LENGTH }, 985}; 986 987static int 988ctnetlink_del_conntrack(struct sock *ctnl, struct sk_buff *skb, 989 const struct nlmsghdr *nlh, 990 const struct nlattr * const cda[]) 991{ 992 struct net *net = sock_net(ctnl); 993 struct nf_conntrack_tuple_hash *h; 994 struct nf_conntrack_tuple tuple; 995 struct nf_conn *ct; 996 struct nfgenmsg *nfmsg = nlmsg_data(nlh); 997 u_int8_t u3 = nfmsg->nfgen_family; 998 u16 zone; 999 int err; 1000 1001 err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone); 1002 if (err < 0) 1003 return err; 1004 1005 if (cda[CTA_TUPLE_ORIG]) 1006 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, u3); 1007 else if (cda[CTA_TUPLE_REPLY]) 1008 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY, u3); 1009 else { 1010 /* Flush the whole table */ 1011 nf_conntrack_flush_report(net, 1012 NETLINK_CB(skb).portid, 1013 nlmsg_report(nlh)); 1014 return 0; 1015 } 1016 1017 if (err < 0) 1018 return err; 1019 1020 h = nf_conntrack_find_get(net, zone, &tuple); 1021 if (!h) 1022 return -ENOENT; 1023 1024 ct = nf_ct_tuplehash_to_ctrack(h); 1025 1026 if (cda[CTA_ID]) { 1027 u_int32_t id = ntohl(nla_get_be32(cda[CTA_ID])); 1028 if (id != (u32)(unsigned long)ct) { 1029 nf_ct_put(ct); 1030 return -ENOENT; 1031 } 1032 } 1033 1034 if (del_timer(&ct->timeout)) { 1035 if (nf_conntrack_event_report(IPCT_DESTROY, ct, 1036 NETLINK_CB(skb).portid, 1037 nlmsg_report(nlh)) < 0) { 1038 nf_ct_delete_from_lists(ct); 1039 /* we failed to report the event, try later */ 1040 nf_ct_dying_timeout(ct); 1041 nf_ct_put(ct); 1042 return 0; 1043 } 1044 /* death_by_timeout would report the event again */ 1045 set_bit(IPS_DYING_BIT, &ct->status); 1046 nf_ct_delete_from_lists(ct); 1047 nf_ct_put(ct); 1048 } 1049 nf_ct_put(ct); 1050 1051 return 0; 1052} 1053 1054static int 1055ctnetlink_get_conntrack(struct sock *ctnl, struct sk_buff *skb, 1056 const struct nlmsghdr *nlh, 1057 const struct nlattr * const cda[]) 1058{ 1059 struct net *net = sock_net(ctnl); 1060 struct nf_conntrack_tuple_hash *h; 1061 struct nf_conntrack_tuple tuple; 1062 struct nf_conn *ct; 1063 struct sk_buff *skb2 = NULL; 1064 struct nfgenmsg *nfmsg = nlmsg_data(nlh); 1065 u_int8_t u3 = nfmsg->nfgen_family; 1066 u16 zone; 1067 int err; 1068 1069 if (nlh->nlmsg_flags & NLM_F_DUMP) { 1070 struct netlink_dump_control c = { 1071 .dump = ctnetlink_dump_table, 1072 .done = ctnetlink_done, 1073 }; 1074#ifdef CONFIG_NF_CONNTRACK_MARK 1075 if (cda[CTA_MARK] && cda[CTA_MARK_MASK]) { 1076 struct ctnetlink_dump_filter *filter; 1077 1078 filter = kzalloc(sizeof(struct ctnetlink_dump_filter), 1079 GFP_ATOMIC); 1080 if (filter == NULL) 1081 return -ENOMEM; 1082 1083 filter->mark.val = ntohl(nla_get_be32(cda[CTA_MARK])); 1084 filter->mark.mask = 1085 ntohl(nla_get_be32(cda[CTA_MARK_MASK])); 1086 c.data = filter; 1087 } 1088#endif 1089 return netlink_dump_start(ctnl, skb, nlh, &c); 1090 } 1091 1092 err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone); 1093 if (err < 0) 1094 return err; 1095 1096 if (cda[CTA_TUPLE_ORIG]) 1097 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, u3); 1098 else if (cda[CTA_TUPLE_REPLY]) 1099 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY, u3); 1100 else 1101 return -EINVAL; 1102 1103 if (err < 0) 1104 return err; 1105 1106 h = nf_conntrack_find_get(net, zone, &tuple); 1107 if (!h) 1108 return -ENOENT; 1109 1110 ct = nf_ct_tuplehash_to_ctrack(h); 1111 1112 err = -ENOMEM; 1113 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); 1114 if (skb2 == NULL) { 1115 nf_ct_put(ct); 1116 return -ENOMEM; 1117 } 1118 1119 rcu_read_lock(); 1120 err = ctnetlink_fill_info(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq, 1121 NFNL_MSG_TYPE(nlh->nlmsg_type), ct); 1122 rcu_read_unlock(); 1123 nf_ct_put(ct); 1124 if (err <= 0) 1125 goto free; 1126 1127 err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT); 1128 if (err < 0) 1129 goto out; 1130 1131 return 0; 1132 1133free: 1134 kfree_skb(skb2); 1135out: 1136 /* this avoids a loop in nfnetlink. */ 1137 return err == -EAGAIN ? -ENOBUFS : err; 1138} 1139 1140static int ctnetlink_done_list(struct netlink_callback *cb) 1141{ 1142 if (cb->args[1]) 1143 nf_ct_put((struct nf_conn *)cb->args[1]); 1144 return 0; 1145} 1146 1147static int 1148ctnetlink_dump_list(struct sk_buff *skb, struct netlink_callback *cb, 1149 struct hlist_nulls_head *list) 1150{ 1151 struct nf_conn *ct, *last; 1152 struct nf_conntrack_tuple_hash *h; 1153 struct hlist_nulls_node *n; 1154 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 1155 u_int8_t l3proto = nfmsg->nfgen_family; 1156 int res; 1157 1158 if (cb->args[2]) 1159 return 0; 1160 1161 spin_lock_bh(&nf_conntrack_lock); 1162 last = (struct nf_conn *)cb->args[1]; 1163restart: 1164 hlist_nulls_for_each_entry(h, n, list, hnnode) { 1165 ct = nf_ct_tuplehash_to_ctrack(h); 1166 if (l3proto && nf_ct_l3num(ct) != l3proto) 1167 continue; 1168 if (cb->args[1]) { 1169 if (ct != last) 1170 continue; 1171 cb->args[1] = 0; 1172 } 1173 rcu_read_lock(); 1174 res = ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).portid, 1175 cb->nlh->nlmsg_seq, 1176 NFNL_MSG_TYPE(cb->nlh->nlmsg_type), 1177 ct); 1178 rcu_read_unlock(); 1179 if (res < 0) { 1180 nf_conntrack_get(&ct->ct_general); 1181 cb->args[1] = (unsigned long)ct; 1182 goto out; 1183 } 1184 } 1185 if (cb->args[1]) { 1186 cb->args[1] = 0; 1187 goto restart; 1188 } else 1189 cb->args[2] = 1; 1190out: 1191 spin_unlock_bh(&nf_conntrack_lock); 1192 if (last) 1193 nf_ct_put(last); 1194 1195 return skb->len; 1196} 1197 1198static int 1199ctnetlink_dump_dying(struct sk_buff *skb, struct netlink_callback *cb) 1200{ 1201 struct net *net = sock_net(skb->sk); 1202 1203 return ctnetlink_dump_list(skb, cb, &net->ct.dying); 1204} 1205 1206static int 1207ctnetlink_get_ct_dying(struct sock *ctnl, struct sk_buff *skb, 1208 const struct nlmsghdr *nlh, 1209 const struct nlattr * const cda[]) 1210{ 1211 if (nlh->nlmsg_flags & NLM_F_DUMP) { 1212 struct netlink_dump_control c = { 1213 .dump = ctnetlink_dump_dying, 1214 .done = ctnetlink_done_list, 1215 }; 1216 return netlink_dump_start(ctnl, skb, nlh, &c); 1217 } 1218 1219 return -EOPNOTSUPP; 1220} 1221 1222static int 1223ctnetlink_dump_unconfirmed(struct sk_buff *skb, struct netlink_callback *cb) 1224{ 1225 struct net *net = sock_net(skb->sk); 1226 1227 return ctnetlink_dump_list(skb, cb, &net->ct.unconfirmed); 1228} 1229 1230static int 1231ctnetlink_get_ct_unconfirmed(struct sock *ctnl, struct sk_buff *skb, 1232 const struct nlmsghdr *nlh, 1233 const struct nlattr * const cda[]) 1234{ 1235 if (nlh->nlmsg_flags & NLM_F_DUMP) { 1236 struct netlink_dump_control c = { 1237 .dump = ctnetlink_dump_unconfirmed, 1238 .done = ctnetlink_done_list, 1239 }; 1240 return netlink_dump_start(ctnl, skb, nlh, &c); 1241 } 1242 1243 return -EOPNOTSUPP; 1244} 1245 1246#ifdef CONFIG_NF_NAT_NEEDED 1247static int 1248ctnetlink_parse_nat_setup(struct nf_conn *ct, 1249 enum nf_nat_manip_type manip, 1250 const struct nlattr *attr) 1251{ 1252 typeof(nfnetlink_parse_nat_setup_hook) parse_nat_setup; 1253 int err; 1254 1255 parse_nat_setup = rcu_dereference(nfnetlink_parse_nat_setup_hook); 1256 if (!parse_nat_setup) { 1257#ifdef CONFIG_MODULES 1258 rcu_read_unlock(); 1259 nfnl_unlock(NFNL_SUBSYS_CTNETLINK); 1260 if (request_module("nf-nat") < 0) { 1261 nfnl_lock(NFNL_SUBSYS_CTNETLINK); 1262 rcu_read_lock(); 1263 return -EOPNOTSUPP; 1264 } 1265 nfnl_lock(NFNL_SUBSYS_CTNETLINK); 1266 rcu_read_lock(); 1267 if (nfnetlink_parse_nat_setup_hook) 1268 return -EAGAIN; 1269#endif 1270 return -EOPNOTSUPP; 1271 } 1272 1273 err = parse_nat_setup(ct, manip, attr); 1274 if (err == -EAGAIN) { 1275#ifdef CONFIG_MODULES 1276 rcu_read_unlock(); 1277 nfnl_unlock(NFNL_SUBSYS_CTNETLINK); 1278 if (request_module("nf-nat-%u", nf_ct_l3num(ct)) < 0) { 1279 nfnl_lock(NFNL_SUBSYS_CTNETLINK); 1280 rcu_read_lock(); 1281 return -EOPNOTSUPP; 1282 } 1283 nfnl_lock(NFNL_SUBSYS_CTNETLINK); 1284 rcu_read_lock(); 1285#else 1286 err = -EOPNOTSUPP; 1287#endif 1288 } 1289 return err; 1290} 1291#endif 1292 1293static int 1294ctnetlink_change_status(struct nf_conn *ct, const struct nlattr * const cda[]) 1295{ 1296 unsigned long d; 1297 unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS])); 1298 d = ct->status ^ status; 1299 1300 if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING)) 1301 /* unchangeable */ 1302 return -EBUSY; 1303 1304 if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY)) 1305 /* SEEN_REPLY bit can only be set */ 1306 return -EBUSY; 1307 1308 if (d & IPS_ASSURED && !(status & IPS_ASSURED)) 1309 /* ASSURED bit can only be set */ 1310 return -EBUSY; 1311 1312 /* Be careful here, modifying NAT bits can screw up things, 1313 * so don't let users modify them directly if they don't pass 1314 * nf_nat_range. */ 1315 ct->status |= status & ~(IPS_NAT_DONE_MASK | IPS_NAT_MASK); 1316 return 0; 1317} 1318 1319static int 1320ctnetlink_change_nat(struct nf_conn *ct, const struct nlattr * const cda[]) 1321{ 1322#ifdef CONFIG_NF_NAT_NEEDED 1323 int ret; 1324 1325 if (cda[CTA_NAT_DST]) { 1326 ret = ctnetlink_parse_nat_setup(ct, 1327 NF_NAT_MANIP_DST, 1328 cda[CTA_NAT_DST]); 1329 if (ret < 0) 1330 return ret; 1331 } 1332 if (cda[CTA_NAT_SRC]) { 1333 ret = ctnetlink_parse_nat_setup(ct, 1334 NF_NAT_MANIP_SRC, 1335 cda[CTA_NAT_SRC]); 1336 if (ret < 0) 1337 return ret; 1338 } 1339 return 0; 1340#else 1341 return -EOPNOTSUPP; 1342#endif 1343} 1344 1345static inline int 1346ctnetlink_change_helper(struct nf_conn *ct, const struct nlattr * const cda[]) 1347{ 1348 struct nf_conntrack_helper *helper; 1349 struct nf_conn_help *help = nfct_help(ct); 1350 char *helpname = NULL; 1351 struct nlattr *helpinfo = NULL; 1352 int err; 1353 1354 /* don't change helper of sibling connections */ 1355 if (ct->master) 1356 return -EBUSY; 1357 1358 err = ctnetlink_parse_help(cda[CTA_HELP], &helpname, &helpinfo); 1359 if (err < 0) 1360 return err; 1361 1362 if (!strcmp(helpname, "")) { 1363 if (help && help->helper) { 1364 /* we had a helper before ... */ 1365 nf_ct_remove_expectations(ct); 1366 RCU_INIT_POINTER(help->helper, NULL); 1367 } 1368 1369 return 0; 1370 } 1371 1372 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct), 1373 nf_ct_protonum(ct)); 1374 if (helper == NULL) { 1375#ifdef CONFIG_MODULES 1376 spin_unlock_bh(&nf_conntrack_lock); 1377 1378 if (request_module("nfct-helper-%s", helpname) < 0) { 1379 spin_lock_bh(&nf_conntrack_lock); 1380 return -EOPNOTSUPP; 1381 } 1382 1383 spin_lock_bh(&nf_conntrack_lock); 1384 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct), 1385 nf_ct_protonum(ct)); 1386 if (helper) 1387 return -EAGAIN; 1388#endif 1389 return -EOPNOTSUPP; 1390 } 1391 1392 if (help) { 1393 if (help->helper == helper) { 1394 /* update private helper data if allowed. */ 1395 if (helper->from_nlattr) 1396 helper->from_nlattr(helpinfo, ct); 1397 return 0; 1398 } else 1399 return -EBUSY; 1400 } 1401 1402 /* we cannot set a helper for an existing conntrack */ 1403 return -EOPNOTSUPP; 1404} 1405 1406static inline int 1407ctnetlink_change_timeout(struct nf_conn *ct, const struct nlattr * const cda[]) 1408{ 1409 u_int32_t timeout = ntohl(nla_get_be32(cda[CTA_TIMEOUT])); 1410 1411 if (!del_timer(&ct->timeout)) 1412 return -ETIME; 1413 1414 ct->timeout.expires = jiffies + timeout * HZ; 1415 add_timer(&ct->timeout); 1416 1417 return 0; 1418} 1419 1420static const struct nla_policy protoinfo_policy[CTA_PROTOINFO_MAX+1] = { 1421 [CTA_PROTOINFO_TCP] = { .type = NLA_NESTED }, 1422 [CTA_PROTOINFO_DCCP] = { .type = NLA_NESTED }, 1423 [CTA_PROTOINFO_SCTP] = { .type = NLA_NESTED }, 1424}; 1425 1426static inline int 1427ctnetlink_change_protoinfo(struct nf_conn *ct, const struct nlattr * const cda[]) 1428{ 1429 const struct nlattr *attr = cda[CTA_PROTOINFO]; 1430 struct nlattr *tb[CTA_PROTOINFO_MAX+1]; 1431 struct nf_conntrack_l4proto *l4proto; 1432 int err = 0; 1433 1434 nla_parse_nested(tb, CTA_PROTOINFO_MAX, attr, protoinfo_policy); 1435 1436 rcu_read_lock(); 1437 l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct)); 1438 if (l4proto->from_nlattr) 1439 err = l4proto->from_nlattr(tb, ct); 1440 rcu_read_unlock(); 1441 1442 return err; 1443} 1444 1445#ifdef CONFIG_NF_NAT_NEEDED 1446static const struct nla_policy nat_seq_policy[CTA_NAT_SEQ_MAX+1] = { 1447 [CTA_NAT_SEQ_CORRECTION_POS] = { .type = NLA_U32 }, 1448 [CTA_NAT_SEQ_OFFSET_BEFORE] = { .type = NLA_U32 }, 1449 [CTA_NAT_SEQ_OFFSET_AFTER] = { .type = NLA_U32 }, 1450}; 1451 1452static inline int 1453change_nat_seq_adj(struct nf_nat_seq *natseq, const struct nlattr * const attr) 1454{ 1455 struct nlattr *cda[CTA_NAT_SEQ_MAX+1]; 1456 1457 nla_parse_nested(cda, CTA_NAT_SEQ_MAX, attr, nat_seq_policy); 1458 1459 if (!cda[CTA_NAT_SEQ_CORRECTION_POS]) 1460 return -EINVAL; 1461 1462 natseq->correction_pos = 1463 ntohl(nla_get_be32(cda[CTA_NAT_SEQ_CORRECTION_POS])); 1464 1465 if (!cda[CTA_NAT_SEQ_OFFSET_BEFORE]) 1466 return -EINVAL; 1467 1468 natseq->offset_before = 1469 ntohl(nla_get_be32(cda[CTA_NAT_SEQ_OFFSET_BEFORE])); 1470 1471 if (!cda[CTA_NAT_SEQ_OFFSET_AFTER]) 1472 return -EINVAL; 1473 1474 natseq->offset_after = 1475 ntohl(nla_get_be32(cda[CTA_NAT_SEQ_OFFSET_AFTER])); 1476 1477 return 0; 1478} 1479 1480static int 1481ctnetlink_change_nat_seq_adj(struct nf_conn *ct, 1482 const struct nlattr * const cda[]) 1483{ 1484 int ret = 0; 1485 struct nf_conn_nat *nat = nfct_nat(ct); 1486 1487 if (!nat) 1488 return 0; 1489 1490 if (cda[CTA_NAT_SEQ_ADJ_ORIG]) { 1491 ret = change_nat_seq_adj(&nat->seq[IP_CT_DIR_ORIGINAL], 1492 cda[CTA_NAT_SEQ_ADJ_ORIG]); 1493 if (ret < 0) 1494 return ret; 1495 1496 ct->status |= IPS_SEQ_ADJUST; 1497 } 1498 1499 if (cda[CTA_NAT_SEQ_ADJ_REPLY]) { 1500 ret = change_nat_seq_adj(&nat->seq[IP_CT_DIR_REPLY], 1501 cda[CTA_NAT_SEQ_ADJ_REPLY]); 1502 if (ret < 0) 1503 return ret; 1504 1505 ct->status |= IPS_SEQ_ADJUST; 1506 } 1507 1508 return 0; 1509} 1510#endif 1511 1512static int 1513ctnetlink_attach_labels(struct nf_conn *ct, const struct nlattr * const cda[]) 1514{ 1515#ifdef CONFIG_NF_CONNTRACK_LABELS 1516 size_t len = nla_len(cda[CTA_LABELS]); 1517 const void *mask = cda[CTA_LABELS_MASK]; 1518 1519 if (len & (sizeof(u32)-1)) /* must be multiple of u32 */ 1520 return -EINVAL; 1521 1522 if (mask) { 1523 if (nla_len(cda[CTA_LABELS_MASK]) == 0 || 1524 nla_len(cda[CTA_LABELS_MASK]) != len) 1525 return -EINVAL; 1526 mask = nla_data(cda[CTA_LABELS_MASK]); 1527 } 1528 1529 len /= sizeof(u32); 1530 1531 return nf_connlabels_replace(ct, nla_data(cda[CTA_LABELS]), mask, len); 1532#else 1533 return -EOPNOTSUPP; 1534#endif 1535} 1536 1537static int 1538ctnetlink_change_conntrack(struct nf_conn *ct, 1539 const struct nlattr * const cda[]) 1540{ 1541 int err; 1542 1543 /* only allow NAT changes and master assignation for new conntracks */ 1544 if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST] || cda[CTA_TUPLE_MASTER]) 1545 return -EOPNOTSUPP; 1546 1547 if (cda[CTA_HELP]) { 1548 err = ctnetlink_change_helper(ct, cda); 1549 if (err < 0) 1550 return err; 1551 } 1552 1553 if (cda[CTA_TIMEOUT]) { 1554 err = ctnetlink_change_timeout(ct, cda); 1555 if (err < 0) 1556 return err; 1557 } 1558 1559 if (cda[CTA_STATUS]) { 1560 err = ctnetlink_change_status(ct, cda); 1561 if (err < 0) 1562 return err; 1563 } 1564 1565 if (cda[CTA_PROTOINFO]) { 1566 err = ctnetlink_change_protoinfo(ct, cda); 1567 if (err < 0) 1568 return err; 1569 } 1570 1571#if defined(CONFIG_NF_CONNTRACK_MARK) 1572 if (cda[CTA_MARK]) 1573 ct->mark = ntohl(nla_get_be32(cda[CTA_MARK])); 1574#endif 1575 1576#ifdef CONFIG_NF_NAT_NEEDED 1577 if (cda[CTA_NAT_SEQ_ADJ_ORIG] || cda[CTA_NAT_SEQ_ADJ_REPLY]) { 1578 err = ctnetlink_change_nat_seq_adj(ct, cda); 1579 if (err < 0) 1580 return err; 1581 } 1582#endif 1583 if (cda[CTA_LABELS]) { 1584 err = ctnetlink_attach_labels(ct, cda); 1585 if (err < 0) 1586 return err; 1587 } 1588 1589 return 0; 1590} 1591 1592static struct nf_conn * 1593ctnetlink_create_conntrack(struct net *net, u16 zone, 1594 const struct nlattr * const cda[], 1595 struct nf_conntrack_tuple *otuple, 1596 struct nf_conntrack_tuple *rtuple, 1597 u8 u3) 1598{ 1599 struct nf_conn *ct; 1600 int err = -EINVAL; 1601 struct nf_conntrack_helper *helper; 1602 struct nf_conn_tstamp *tstamp; 1603 1604 ct = nf_conntrack_alloc(net, zone, otuple, rtuple, GFP_ATOMIC); 1605 if (IS_ERR(ct)) 1606 return ERR_PTR(-ENOMEM); 1607 1608 if (!cda[CTA_TIMEOUT]) 1609 goto err1; 1610 ct->timeout.expires = ntohl(nla_get_be32(cda[CTA_TIMEOUT])); 1611 1612 ct->timeout.expires = jiffies + ct->timeout.expires * HZ; 1613 1614 rcu_read_lock(); 1615 if (cda[CTA_HELP]) { 1616 char *helpname = NULL; 1617 struct nlattr *helpinfo = NULL; 1618 1619 err = ctnetlink_parse_help(cda[CTA_HELP], &helpname, &helpinfo); 1620 if (err < 0) 1621 goto err2; 1622 1623 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct), 1624 nf_ct_protonum(ct)); 1625 if (helper == NULL) { 1626 rcu_read_unlock(); 1627#ifdef CONFIG_MODULES 1628 if (request_module("nfct-helper-%s", helpname) < 0) { 1629 err = -EOPNOTSUPP; 1630 goto err1; 1631 } 1632 1633 rcu_read_lock(); 1634 helper = __nf_conntrack_helper_find(helpname, 1635 nf_ct_l3num(ct), 1636 nf_ct_protonum(ct)); 1637 if (helper) { 1638 err = -EAGAIN; 1639 goto err2; 1640 } 1641 rcu_read_unlock(); 1642#endif 1643 err = -EOPNOTSUPP; 1644 goto err1; 1645 } else { 1646 struct nf_conn_help *help; 1647 1648 help = nf_ct_helper_ext_add(ct, helper, GFP_ATOMIC); 1649 if (help == NULL) { 1650 err = -ENOMEM; 1651 goto err2; 1652 } 1653 /* set private helper data if allowed. */ 1654 if (helper->from_nlattr) 1655 helper->from_nlattr(helpinfo, ct); 1656 1657 /* not in hash table yet so not strictly necessary */ 1658 RCU_INIT_POINTER(help->helper, helper); 1659 } 1660 } else { 1661 /* try an implicit helper assignation */ 1662 err = __nf_ct_try_assign_helper(ct, NULL, GFP_ATOMIC); 1663 if (err < 0) 1664 goto err2; 1665 } 1666 1667 if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST]) { 1668 err = ctnetlink_change_nat(ct, cda); 1669 if (err < 0) 1670 goto err2; 1671 } 1672 1673 nf_ct_acct_ext_add(ct, GFP_ATOMIC); 1674 nf_ct_tstamp_ext_add(ct, GFP_ATOMIC); 1675 nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC); 1676 nf_ct_labels_ext_add(ct); 1677 1678 /* we must add conntrack extensions before confirmation. */ 1679 ct->status |= IPS_CONFIRMED; 1680 1681 if (cda[CTA_STATUS]) { 1682 err = ctnetlink_change_status(ct, cda); 1683 if (err < 0) 1684 goto err2; 1685 } 1686 1687#ifdef CONFIG_NF_NAT_NEEDED 1688 if (cda[CTA_NAT_SEQ_ADJ_ORIG] || cda[CTA_NAT_SEQ_ADJ_REPLY]) { 1689 err = ctnetlink_change_nat_seq_adj(ct, cda); 1690 if (err < 0) 1691 goto err2; 1692 } 1693#endif 1694 1695 memset(&ct->proto, 0, sizeof(ct->proto)); 1696 if (cda[CTA_PROTOINFO]) { 1697 err = ctnetlink_change_protoinfo(ct, cda); 1698 if (err < 0) 1699 goto err2; 1700 } 1701 1702#if defined(CONFIG_NF_CONNTRACK_MARK) 1703 if (cda[CTA_MARK]) 1704 ct->mark = ntohl(nla_get_be32(cda[CTA_MARK])); 1705#endif 1706 1707 /* setup master conntrack: this is a confirmed expectation */ 1708 if (cda[CTA_TUPLE_MASTER]) { 1709 struct nf_conntrack_tuple master; 1710 struct nf_conntrack_tuple_hash *master_h; 1711 struct nf_conn *master_ct; 1712 1713 err = ctnetlink_parse_tuple(cda, &master, CTA_TUPLE_MASTER, u3); 1714 if (err < 0) 1715 goto err2; 1716 1717 master_h = nf_conntrack_find_get(net, zone, &master); 1718 if (master_h == NULL) { 1719 err = -ENOENT; 1720 goto err2; 1721 } 1722 master_ct = nf_ct_tuplehash_to_ctrack(master_h); 1723 __set_bit(IPS_EXPECTED_BIT, &ct->status); 1724 ct->master = master_ct; 1725 } 1726 tstamp = nf_conn_tstamp_find(ct); 1727 if (tstamp) 1728 tstamp->start = ktime_to_ns(ktime_get_real()); 1729 1730 err = nf_conntrack_hash_check_insert(ct); 1731 if (err < 0) 1732 goto err2; 1733 1734 rcu_read_unlock(); 1735 1736 return ct; 1737 1738err2: 1739 rcu_read_unlock(); 1740err1: 1741 nf_conntrack_free(ct); 1742 return ERR_PTR(err); 1743} 1744 1745static int 1746ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb, 1747 const struct nlmsghdr *nlh, 1748 const struct nlattr * const cda[]) 1749{ 1750 struct net *net = sock_net(ctnl); 1751 struct nf_conntrack_tuple otuple, rtuple; 1752 struct nf_conntrack_tuple_hash *h = NULL; 1753 struct nfgenmsg *nfmsg = nlmsg_data(nlh); 1754 struct nf_conn *ct; 1755 u_int8_t u3 = nfmsg->nfgen_family; 1756 u16 zone; 1757 int err; 1758 1759 err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone); 1760 if (err < 0) 1761 return err; 1762 1763 if (cda[CTA_TUPLE_ORIG]) { 1764 err = ctnetlink_parse_tuple(cda, &otuple, CTA_TUPLE_ORIG, u3); 1765 if (err < 0) 1766 return err; 1767 } 1768 1769 if (cda[CTA_TUPLE_REPLY]) { 1770 err = ctnetlink_parse_tuple(cda, &rtuple, CTA_TUPLE_REPLY, u3); 1771 if (err < 0) 1772 return err; 1773 } 1774 1775 if (cda[CTA_TUPLE_ORIG]) 1776 h = nf_conntrack_find_get(net, zone, &otuple); 1777 else if (cda[CTA_TUPLE_REPLY]) 1778 h = nf_conntrack_find_get(net, zone, &rtuple); 1779 1780 if (h == NULL) { 1781 err = -ENOENT; 1782 if (nlh->nlmsg_flags & NLM_F_CREATE) { 1783 enum ip_conntrack_events events; 1784 1785 if (!cda[CTA_TUPLE_ORIG] || !cda[CTA_TUPLE_REPLY]) 1786 return -EINVAL; 1787 1788 ct = ctnetlink_create_conntrack(net, zone, cda, &otuple, 1789 &rtuple, u3); 1790 if (IS_ERR(ct)) 1791 return PTR_ERR(ct); 1792 1793 err = 0; 1794 if (test_bit(IPS_EXPECTED_BIT, &ct->status)) 1795 events = IPCT_RELATED; 1796 else 1797 events = IPCT_NEW; 1798 1799 if (cda[CTA_LABELS] && 1800 ctnetlink_attach_labels(ct, cda) == 0) 1801 events |= (1 << IPCT_LABEL); 1802 1803 nf_conntrack_eventmask_report((1 << IPCT_REPLY) | 1804 (1 << IPCT_ASSURED) | 1805 (1 << IPCT_HELPER) | 1806 (1 << IPCT_PROTOINFO) | 1807 (1 << IPCT_NATSEQADJ) | 1808 (1 << IPCT_MARK) | events, 1809 ct, NETLINK_CB(skb).portid, 1810 nlmsg_report(nlh)); 1811 nf_ct_put(ct); 1812 } 1813 1814 return err; 1815 } 1816 /* implicit 'else' */ 1817 1818 err = -EEXIST; 1819 ct = nf_ct_tuplehash_to_ctrack(h); 1820 if (!(nlh->nlmsg_flags & NLM_F_EXCL)) { 1821 spin_lock_bh(&nf_conntrack_lock); 1822 err = ctnetlink_change_conntrack(ct, cda); 1823 spin_unlock_bh(&nf_conntrack_lock); 1824 if (err == 0) { 1825 nf_conntrack_eventmask_report((1 << IPCT_REPLY) | 1826 (1 << IPCT_ASSURED) | 1827 (1 << IPCT_HELPER) | 1828 (1 << IPCT_LABEL) | 1829 (1 << IPCT_PROTOINFO) | 1830 (1 << IPCT_NATSEQADJ) | 1831 (1 << IPCT_MARK), 1832 ct, NETLINK_CB(skb).portid, 1833 nlmsg_report(nlh)); 1834 } 1835 } 1836 1837 nf_ct_put(ct); 1838 return err; 1839} 1840 1841static int 1842ctnetlink_ct_stat_cpu_fill_info(struct sk_buff *skb, u32 portid, u32 seq, 1843 __u16 cpu, const struct ip_conntrack_stat *st) 1844{ 1845 struct nlmsghdr *nlh; 1846 struct nfgenmsg *nfmsg; 1847 unsigned int flags = portid ? NLM_F_MULTI : 0, event; 1848 1849 event = (NFNL_SUBSYS_CTNETLINK << 8 | IPCTNL_MSG_CT_GET_STATS_CPU); 1850 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); 1851 if (nlh == NULL) 1852 goto nlmsg_failure; 1853 1854 nfmsg = nlmsg_data(nlh); 1855 nfmsg->nfgen_family = AF_UNSPEC; 1856 nfmsg->version = NFNETLINK_V0; 1857 nfmsg->res_id = htons(cpu); 1858 1859 if (nla_put_be32(skb, CTA_STATS_SEARCHED, htonl(st->searched)) || 1860 nla_put_be32(skb, CTA_STATS_FOUND, htonl(st->found)) || 1861 nla_put_be32(skb, CTA_STATS_NEW, htonl(st->new)) || 1862 nla_put_be32(skb, CTA_STATS_INVALID, htonl(st->invalid)) || 1863 nla_put_be32(skb, CTA_STATS_IGNORE, htonl(st->ignore)) || 1864 nla_put_be32(skb, CTA_STATS_DELETE, htonl(st->delete)) || 1865 nla_put_be32(skb, CTA_STATS_DELETE_LIST, htonl(st->delete_list)) || 1866 nla_put_be32(skb, CTA_STATS_INSERT, htonl(st->insert)) || 1867 nla_put_be32(skb, CTA_STATS_INSERT_FAILED, 1868 htonl(st->insert_failed)) || 1869 nla_put_be32(skb, CTA_STATS_DROP, htonl(st->drop)) || 1870 nla_put_be32(skb, CTA_STATS_EARLY_DROP, htonl(st->early_drop)) || 1871 nla_put_be32(skb, CTA_STATS_ERROR, htonl(st->error)) || 1872 nla_put_be32(skb, CTA_STATS_SEARCH_RESTART, 1873 htonl(st->search_restart))) 1874 goto nla_put_failure; 1875 1876 nlmsg_end(skb, nlh); 1877 return skb->len; 1878 1879nla_put_failure: 1880nlmsg_failure: 1881 nlmsg_cancel(skb, nlh); 1882 return -1; 1883} 1884 1885static int 1886ctnetlink_ct_stat_cpu_dump(struct sk_buff *skb, struct netlink_callback *cb) 1887{ 1888 int cpu; 1889 struct net *net = sock_net(skb->sk); 1890 1891 if (cb->args[0] == nr_cpu_ids) 1892 return 0; 1893 1894 for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) { 1895 const struct ip_conntrack_stat *st; 1896 1897 if (!cpu_possible(cpu)) 1898 continue; 1899 1900 st = per_cpu_ptr(net->ct.stat, cpu); 1901 if (ctnetlink_ct_stat_cpu_fill_info(skb, 1902 NETLINK_CB(cb->skb).portid, 1903 cb->nlh->nlmsg_seq, 1904 cpu, st) < 0) 1905 break; 1906 } 1907 cb->args[0] = cpu; 1908 1909 return skb->len; 1910} 1911 1912static int 1913ctnetlink_stat_ct_cpu(struct sock *ctnl, struct sk_buff *skb, 1914 const struct nlmsghdr *nlh, 1915 const struct nlattr * const cda[]) 1916{ 1917 if (nlh->nlmsg_flags & NLM_F_DUMP) { 1918 struct netlink_dump_control c = { 1919 .dump = ctnetlink_ct_stat_cpu_dump, 1920 }; 1921 return netlink_dump_start(ctnl, skb, nlh, &c); 1922 } 1923 1924 return 0; 1925} 1926 1927static int 1928ctnetlink_stat_ct_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type, 1929 struct net *net) 1930{ 1931 struct nlmsghdr *nlh; 1932 struct nfgenmsg *nfmsg; 1933 unsigned int flags = portid ? NLM_F_MULTI : 0, event; 1934 unsigned int nr_conntracks = atomic_read(&net->ct.count); 1935 1936 event = (NFNL_SUBSYS_CTNETLINK << 8 | IPCTNL_MSG_CT_GET_STATS); 1937 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); 1938 if (nlh == NULL) 1939 goto nlmsg_failure; 1940 1941 nfmsg = nlmsg_data(nlh); 1942 nfmsg->nfgen_family = AF_UNSPEC; 1943 nfmsg->version = NFNETLINK_V0; 1944 nfmsg->res_id = 0; 1945 1946 if (nla_put_be32(skb, CTA_STATS_GLOBAL_ENTRIES, htonl(nr_conntracks))) 1947 goto nla_put_failure; 1948 1949 nlmsg_end(skb, nlh); 1950 return skb->len; 1951 1952nla_put_failure: 1953nlmsg_failure: 1954 nlmsg_cancel(skb, nlh); 1955 return -1; 1956} 1957 1958static int 1959ctnetlink_stat_ct(struct sock *ctnl, struct sk_buff *skb, 1960 const struct nlmsghdr *nlh, 1961 const struct nlattr * const cda[]) 1962{ 1963 struct sk_buff *skb2; 1964 int err; 1965 1966 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); 1967 if (skb2 == NULL) 1968 return -ENOMEM; 1969 1970 err = ctnetlink_stat_ct_fill_info(skb2, NETLINK_CB(skb).portid, 1971 nlh->nlmsg_seq, 1972 NFNL_MSG_TYPE(nlh->nlmsg_type), 1973 sock_net(skb->sk)); 1974 if (err <= 0) 1975 goto free; 1976 1977 err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT); 1978 if (err < 0) 1979 goto out; 1980 1981 return 0; 1982 1983free: 1984 kfree_skb(skb2); 1985out: 1986 /* this avoids a loop in nfnetlink. */ 1987 return err == -EAGAIN ? -ENOBUFS : err; 1988} 1989 1990#ifdef CONFIG_NETFILTER_NETLINK_QUEUE_CT 1991static size_t 1992ctnetlink_nfqueue_build_size(const struct nf_conn *ct) 1993{ 1994 return 3 * nla_total_size(0) /* CTA_TUPLE_ORIG|REPL|MASTER */ 1995 + 3 * nla_total_size(0) /* CTA_TUPLE_IP */ 1996 + 3 * nla_total_size(0) /* CTA_TUPLE_PROTO */ 1997 + 3 * nla_total_size(sizeof(u_int8_t)) /* CTA_PROTO_NUM */ 1998 + nla_total_size(sizeof(u_int32_t)) /* CTA_ID */ 1999 + nla_total_size(sizeof(u_int32_t)) /* CTA_STATUS */ 2000 + nla_total_size(sizeof(u_int32_t)) /* CTA_TIMEOUT */ 2001 + nla_total_size(0) /* CTA_PROTOINFO */ 2002 + nla_total_size(0) /* CTA_HELP */ 2003 + nla_total_size(NF_CT_HELPER_NAME_LEN) /* CTA_HELP_NAME */ 2004 + ctnetlink_secctx_size(ct) 2005#ifdef CONFIG_NF_NAT_NEEDED 2006 + 2 * nla_total_size(0) /* CTA_NAT_SEQ_ADJ_ORIG|REPL */ 2007 + 6 * nla_total_size(sizeof(u_int32_t)) /* CTA_NAT_SEQ_OFFSET */ 2008#endif 2009#ifdef CONFIG_NF_CONNTRACK_MARK 2010 + nla_total_size(sizeof(u_int32_t)) /* CTA_MARK */ 2011#endif 2012 + ctnetlink_proto_size(ct) 2013 ; 2014} 2015 2016static int 2017ctnetlink_nfqueue_build(struct sk_buff *skb, struct nf_conn *ct) 2018{ 2019 struct nlattr *nest_parms; 2020 2021 rcu_read_lock(); 2022 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED); 2023 if (!nest_parms) 2024 goto nla_put_failure; 2025 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0) 2026 goto nla_put_failure; 2027 nla_nest_end(skb, nest_parms); 2028 2029 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY | NLA_F_NESTED); 2030 if (!nest_parms) 2031 goto nla_put_failure; 2032 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0) 2033 goto nla_put_failure; 2034 nla_nest_end(skb, nest_parms); 2035 2036 if (nf_ct_zone(ct)) { 2037 if (nla_put_be16(skb, CTA_ZONE, htons(nf_ct_zone(ct)))) 2038 goto nla_put_failure; 2039 } 2040 2041 if (ctnetlink_dump_id(skb, ct) < 0) 2042 goto nla_put_failure; 2043 2044 if (ctnetlink_dump_status(skb, ct) < 0) 2045 goto nla_put_failure; 2046 2047 if (ctnetlink_dump_timeout(skb, ct) < 0) 2048 goto nla_put_failure; 2049 2050 if (ctnetlink_dump_protoinfo(skb, ct) < 0) 2051 goto nla_put_failure; 2052 2053 if (ctnetlink_dump_helpinfo(skb, ct) < 0) 2054 goto nla_put_failure; 2055 2056#ifdef CONFIG_NF_CONNTRACK_SECMARK 2057 if (ct->secmark && ctnetlink_dump_secctx(skb, ct) < 0) 2058 goto nla_put_failure; 2059#endif 2060 if (ct->master && ctnetlink_dump_master(skb, ct) < 0) 2061 goto nla_put_failure; 2062 2063 if ((ct->status & IPS_SEQ_ADJUST) && 2064 ctnetlink_dump_nat_seq_adj(skb, ct) < 0) 2065 goto nla_put_failure; 2066 2067#ifdef CONFIG_NF_CONNTRACK_MARK 2068 if (ct->mark && ctnetlink_dump_mark(skb, ct) < 0) 2069 goto nla_put_failure; 2070#endif 2071 if (ctnetlink_dump_labels(skb, ct) < 0) 2072 goto nla_put_failure; 2073 rcu_read_unlock(); 2074 return 0; 2075 2076nla_put_failure: 2077 rcu_read_unlock(); 2078 return -ENOSPC; 2079} 2080 2081static int 2082ctnetlink_nfqueue_parse_ct(const struct nlattr *cda[], struct nf_conn *ct) 2083{ 2084 int err; 2085 2086 if (cda[CTA_TIMEOUT]) { 2087 err = ctnetlink_change_timeout(ct, cda); 2088 if (err < 0) 2089 return err; 2090 } 2091 if (cda[CTA_STATUS]) { 2092 err = ctnetlink_change_status(ct, cda); 2093 if (err < 0) 2094 return err; 2095 } 2096 if (cda[CTA_HELP]) { 2097 err = ctnetlink_change_helper(ct, cda); 2098 if (err < 0) 2099 return err; 2100 } 2101 if (cda[CTA_LABELS]) { 2102 err = ctnetlink_attach_labels(ct, cda); 2103 if (err < 0) 2104 return err; 2105 } 2106#if defined(CONFIG_NF_CONNTRACK_MARK) 2107 if (cda[CTA_MARK]) 2108 ct->mark = ntohl(nla_get_be32(cda[CTA_MARK])); 2109#endif 2110 return 0; 2111} 2112 2113static int 2114ctnetlink_nfqueue_parse(const struct nlattr *attr, struct nf_conn *ct) 2115{ 2116 struct nlattr *cda[CTA_MAX+1]; 2117 int ret; 2118 2119 nla_parse_nested(cda, CTA_MAX, attr, ct_nla_policy); 2120 2121 spin_lock_bh(&nf_conntrack_lock); 2122 ret = ctnetlink_nfqueue_parse_ct((const struct nlattr **)cda, ct); 2123 spin_unlock_bh(&nf_conntrack_lock); 2124 2125 return ret; 2126} 2127 2128static struct nfq_ct_hook ctnetlink_nfqueue_hook = { 2129 .build_size = ctnetlink_nfqueue_build_size, 2130 .build = ctnetlink_nfqueue_build, 2131 .parse = ctnetlink_nfqueue_parse, 2132}; 2133#endif /* CONFIG_NETFILTER_NETLINK_QUEUE_CT */ 2134 2135/*********************************************************************** 2136 * EXPECT 2137 ***********************************************************************/ 2138 2139static inline int 2140ctnetlink_exp_dump_tuple(struct sk_buff *skb, 2141 const struct nf_conntrack_tuple *tuple, 2142 enum ctattr_expect type) 2143{ 2144 struct nlattr *nest_parms; 2145 2146 nest_parms = nla_nest_start(skb, type | NLA_F_NESTED); 2147 if (!nest_parms) 2148 goto nla_put_failure; 2149 if (ctnetlink_dump_tuples(skb, tuple) < 0) 2150 goto nla_put_failure; 2151 nla_nest_end(skb, nest_parms); 2152 2153 return 0; 2154 2155nla_put_failure: 2156 return -1; 2157} 2158 2159static inline int 2160ctnetlink_exp_dump_mask(struct sk_buff *skb, 2161 const struct nf_conntrack_tuple *tuple, 2162 const struct nf_conntrack_tuple_mask *mask) 2163{ 2164 int ret; 2165 struct nf_conntrack_l3proto *l3proto; 2166 struct nf_conntrack_l4proto *l4proto; 2167 struct nf_conntrack_tuple m; 2168 struct nlattr *nest_parms; 2169 2170 memset(&m, 0xFF, sizeof(m)); 2171 memcpy(&m.src.u3, &mask->src.u3, sizeof(m.src.u3)); 2172 m.src.u.all = mask->src.u.all; 2173 m.dst.protonum = tuple->dst.protonum; 2174 2175 nest_parms = nla_nest_start(skb, CTA_EXPECT_MASK | NLA_F_NESTED); 2176 if (!nest_parms) 2177 goto nla_put_failure; 2178 2179 rcu_read_lock(); 2180 l3proto = __nf_ct_l3proto_find(tuple->src.l3num); 2181 ret = ctnetlink_dump_tuples_ip(skb, &m, l3proto); 2182 if (ret >= 0) { 2183 l4proto = __nf_ct_l4proto_find(tuple->src.l3num, 2184 tuple->dst.protonum); 2185 ret = ctnetlink_dump_tuples_proto(skb, &m, l4proto); 2186 } 2187 rcu_read_unlock(); 2188 2189 if (unlikely(ret < 0)) 2190 goto nla_put_failure; 2191 2192 nla_nest_end(skb, nest_parms); 2193 2194 return 0; 2195 2196nla_put_failure: 2197 return -1; 2198} 2199 2200static const union nf_inet_addr any_addr; 2201 2202static int 2203ctnetlink_exp_dump_expect(struct sk_buff *skb, 2204 const struct nf_conntrack_expect *exp) 2205{ 2206 struct nf_conn *master = exp->master; 2207 long timeout = ((long)exp->timeout.expires - (long)jiffies) / HZ; 2208 struct nf_conn_help *help; 2209#ifdef CONFIG_NF_NAT_NEEDED 2210 struct nlattr *nest_parms; 2211 struct nf_conntrack_tuple nat_tuple = {}; 2212#endif 2213 struct nf_ct_helper_expectfn *expfn; 2214 2215 if (timeout < 0) 2216 timeout = 0; 2217 2218 if (ctnetlink_exp_dump_tuple(skb, &exp->tuple, CTA_EXPECT_TUPLE) < 0) 2219 goto nla_put_failure; 2220 if (ctnetlink_exp_dump_mask(skb, &exp->tuple, &exp->mask) < 0) 2221 goto nla_put_failure; 2222 if (ctnetlink_exp_dump_tuple(skb, 2223 &master->tuplehash[IP_CT_DIR_ORIGINAL].tuple, 2224 CTA_EXPECT_MASTER) < 0) 2225 goto nla_put_failure; 2226 2227#ifdef CONFIG_NF_NAT_NEEDED 2228 if (!nf_inet_addr_cmp(&exp->saved_addr, &any_addr) || 2229 exp->saved_proto.all) { 2230 nest_parms = nla_nest_start(skb, CTA_EXPECT_NAT | NLA_F_NESTED); 2231 if (!nest_parms) 2232 goto nla_put_failure; 2233 2234 if (nla_put_be32(skb, CTA_EXPECT_NAT_DIR, htonl(exp->dir))) 2235 goto nla_put_failure; 2236 2237 nat_tuple.src.l3num = nf_ct_l3num(master); 2238 nat_tuple.src.u3 = exp->saved_addr; 2239 nat_tuple.dst.protonum = nf_ct_protonum(master); 2240 nat_tuple.src.u = exp->saved_proto; 2241 2242 if (ctnetlink_exp_dump_tuple(skb, &nat_tuple, 2243 CTA_EXPECT_NAT_TUPLE) < 0) 2244 goto nla_put_failure; 2245 nla_nest_end(skb, nest_parms); 2246 } 2247#endif 2248 if (nla_put_be32(skb, CTA_EXPECT_TIMEOUT, htonl(timeout)) || 2249 nla_put_be32(skb, CTA_EXPECT_ID, htonl((unsigned long)exp)) || 2250 nla_put_be32(skb, CTA_EXPECT_FLAGS, htonl(exp->flags)) || 2251 nla_put_be32(skb, CTA_EXPECT_CLASS, htonl(exp->class))) 2252 goto nla_put_failure; 2253 help = nfct_help(master); 2254 if (help) { 2255 struct nf_conntrack_helper *helper; 2256 2257 helper = rcu_dereference(help->helper); 2258 if (helper && 2259 nla_put_string(skb, CTA_EXPECT_HELP_NAME, helper->name)) 2260 goto nla_put_failure; 2261 } 2262 expfn = nf_ct_helper_expectfn_find_by_symbol(exp->expectfn); 2263 if (expfn != NULL && 2264 nla_put_string(skb, CTA_EXPECT_FN, expfn->name)) 2265 goto nla_put_failure; 2266 2267 return 0; 2268 2269nla_put_failure: 2270 return -1; 2271} 2272 2273static int 2274ctnetlink_exp_fill_info(struct sk_buff *skb, u32 portid, u32 seq, 2275 int event, const struct nf_conntrack_expect *exp) 2276{ 2277 struct nlmsghdr *nlh; 2278 struct nfgenmsg *nfmsg; 2279 unsigned int flags = portid ? NLM_F_MULTI : 0; 2280 2281 event |= NFNL_SUBSYS_CTNETLINK_EXP << 8; 2282 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); 2283 if (nlh == NULL) 2284 goto nlmsg_failure; 2285 2286 nfmsg = nlmsg_data(nlh); 2287 nfmsg->nfgen_family = exp->tuple.src.l3num; 2288 nfmsg->version = NFNETLINK_V0; 2289 nfmsg->res_id = 0; 2290 2291 if (ctnetlink_exp_dump_expect(skb, exp) < 0) 2292 goto nla_put_failure; 2293 2294 nlmsg_end(skb, nlh); 2295 return skb->len; 2296 2297nlmsg_failure: 2298nla_put_failure: 2299 nlmsg_cancel(skb, nlh); 2300 return -1; 2301} 2302 2303#ifdef CONFIG_NF_CONNTRACK_EVENTS 2304static int 2305ctnetlink_expect_event(unsigned int events, struct nf_exp_event *item) 2306{ 2307 struct nf_conntrack_expect *exp = item->exp; 2308 struct net *net = nf_ct_exp_net(exp); 2309 struct nlmsghdr *nlh; 2310 struct nfgenmsg *nfmsg; 2311 struct sk_buff *skb; 2312 unsigned int type, group; 2313 int flags = 0; 2314 2315 if (events & (1 << IPEXP_DESTROY)) { 2316 type = IPCTNL_MSG_EXP_DELETE; 2317 group = NFNLGRP_CONNTRACK_EXP_DESTROY; 2318 } else if (events & (1 << IPEXP_NEW)) { 2319 type = IPCTNL_MSG_EXP_NEW; 2320 flags = NLM_F_CREATE|NLM_F_EXCL; 2321 group = NFNLGRP_CONNTRACK_EXP_NEW; 2322 } else 2323 return 0; 2324 2325 if (!item->report && !nfnetlink_has_listeners(net, group)) 2326 return 0; 2327 2328 skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC); 2329 if (skb == NULL) 2330 goto errout; 2331 2332 type |= NFNL_SUBSYS_CTNETLINK_EXP << 8; 2333 nlh = nlmsg_put(skb, item->portid, 0, type, sizeof(*nfmsg), flags); 2334 if (nlh == NULL) 2335 goto nlmsg_failure; 2336 2337 nfmsg = nlmsg_data(nlh); 2338 nfmsg->nfgen_family = exp->tuple.src.l3num; 2339 nfmsg->version = NFNETLINK_V0; 2340 nfmsg->res_id = 0; 2341 2342 rcu_read_lock(); 2343 if (ctnetlink_exp_dump_expect(skb, exp) < 0) 2344 goto nla_put_failure; 2345 rcu_read_unlock(); 2346 2347 nlmsg_end(skb, nlh); 2348 nfnetlink_send(skb, net, item->portid, group, item->report, GFP_ATOMIC); 2349 return 0; 2350 2351nla_put_failure: 2352 rcu_read_unlock(); 2353 nlmsg_cancel(skb, nlh); 2354nlmsg_failure: 2355 kfree_skb(skb); 2356errout: 2357 nfnetlink_set_err(net, 0, 0, -ENOBUFS); 2358 return 0; 2359} 2360#endif 2361static int ctnetlink_exp_done(struct netlink_callback *cb) 2362{ 2363 if (cb->args[1]) 2364 nf_ct_expect_put((struct nf_conntrack_expect *)cb->args[1]); 2365 return 0; 2366} 2367 2368static int 2369ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) 2370{ 2371 struct net *net = sock_net(skb->sk); 2372 struct nf_conntrack_expect *exp, *last; 2373 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 2374 u_int8_t l3proto = nfmsg->nfgen_family; 2375 2376 rcu_read_lock(); 2377 last = (struct nf_conntrack_expect *)cb->args[1]; 2378 for (; cb->args[0] < nf_ct_expect_hsize; cb->args[0]++) { 2379restart: 2380 hlist_for_each_entry(exp, &net->ct.expect_hash[cb->args[0]], 2381 hnode) { 2382 if (l3proto && exp->tuple.src.l3num != l3proto) 2383 continue; 2384 if (cb->args[1]) { 2385 if (exp != last) 2386 continue; 2387 cb->args[1] = 0; 2388 } 2389 if (ctnetlink_exp_fill_info(skb, 2390 NETLINK_CB(cb->skb).portid, 2391 cb->nlh->nlmsg_seq, 2392 IPCTNL_MSG_EXP_NEW, 2393 exp) < 0) { 2394 if (!atomic_inc_not_zero(&exp->use)) 2395 continue; 2396 cb->args[1] = (unsigned long)exp; 2397 goto out; 2398 } 2399 } 2400 if (cb->args[1]) { 2401 cb->args[1] = 0; 2402 goto restart; 2403 } 2404 } 2405out: 2406 rcu_read_unlock(); 2407 if (last) 2408 nf_ct_expect_put(last); 2409 2410 return skb->len; 2411} 2412 2413static int 2414ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) 2415{ 2416 struct nf_conntrack_expect *exp, *last; 2417 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 2418 struct nf_conn *ct = cb->data; 2419 struct nf_conn_help *help = nfct_help(ct); 2420 u_int8_t l3proto = nfmsg->nfgen_family; 2421 2422 if (cb->args[0]) 2423 return 0; 2424 2425 rcu_read_lock(); 2426 last = (struct nf_conntrack_expect *)cb->args[1]; 2427restart: 2428 hlist_for_each_entry(exp, &help->expectations, lnode) { 2429 if (l3proto && exp->tuple.src.l3num != l3proto) 2430 continue; 2431 if (cb->args[1]) { 2432 if (exp != last) 2433 continue; 2434 cb->args[1] = 0; 2435 } 2436 if (ctnetlink_exp_fill_info(skb, NETLINK_CB(cb->skb).portid, 2437 cb->nlh->nlmsg_seq, 2438 IPCTNL_MSG_EXP_NEW, 2439 exp) < 0) { 2440 if (!atomic_inc_not_zero(&exp->use)) 2441 continue; 2442 cb->args[1] = (unsigned long)exp; 2443 goto out; 2444 } 2445 } 2446 if (cb->args[1]) { 2447 cb->args[1] = 0; 2448 goto restart; 2449 } 2450 cb->args[0] = 1; 2451out: 2452 rcu_read_unlock(); 2453 if (last) 2454 nf_ct_expect_put(last); 2455 2456 return skb->len; 2457} 2458 2459static int ctnetlink_dump_exp_ct(struct sock *ctnl, struct sk_buff *skb, 2460 const struct nlmsghdr *nlh, 2461 const struct nlattr * const cda[]) 2462{ 2463 int err; 2464 struct net *net = sock_net(ctnl); 2465 struct nfgenmsg *nfmsg = nlmsg_data(nlh); 2466 u_int8_t u3 = nfmsg->nfgen_family; 2467 struct nf_conntrack_tuple tuple; 2468 struct nf_conntrack_tuple_hash *h; 2469 struct nf_conn *ct; 2470 u16 zone = 0; 2471 struct netlink_dump_control c = { 2472 .dump = ctnetlink_exp_ct_dump_table, 2473 .done = ctnetlink_exp_done, 2474 }; 2475 2476 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER, u3); 2477 if (err < 0) 2478 return err; 2479 2480 if (cda[CTA_EXPECT_ZONE]) { 2481 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone); 2482 if (err < 0) 2483 return err; 2484 } 2485 2486 h = nf_conntrack_find_get(net, zone, &tuple); 2487 if (!h) 2488 return -ENOENT; 2489 2490 ct = nf_ct_tuplehash_to_ctrack(h); 2491 c.data = ct; 2492 2493 err = netlink_dump_start(ctnl, skb, nlh, &c); 2494 nf_ct_put(ct); 2495 2496 return err; 2497} 2498 2499static const struct nla_policy exp_nla_policy[CTA_EXPECT_MAX+1] = { 2500 [CTA_EXPECT_MASTER] = { .type = NLA_NESTED }, 2501 [CTA_EXPECT_TUPLE] = { .type = NLA_NESTED }, 2502 [CTA_EXPECT_MASK] = { .type = NLA_NESTED }, 2503 [CTA_EXPECT_TIMEOUT] = { .type = NLA_U32 }, 2504 [CTA_EXPECT_ID] = { .type = NLA_U32 }, 2505 [CTA_EXPECT_HELP_NAME] = { .type = NLA_NUL_STRING, 2506 .len = NF_CT_HELPER_NAME_LEN - 1 }, 2507 [CTA_EXPECT_ZONE] = { .type = NLA_U16 }, 2508 [CTA_EXPECT_FLAGS] = { .type = NLA_U32 }, 2509 [CTA_EXPECT_CLASS] = { .type = NLA_U32 }, 2510 [CTA_EXPECT_NAT] = { .type = NLA_NESTED }, 2511 [CTA_EXPECT_FN] = { .type = NLA_NUL_STRING }, 2512}; 2513 2514static int 2515ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb, 2516 const struct nlmsghdr *nlh, 2517 const struct nlattr * const cda[]) 2518{ 2519 struct net *net = sock_net(ctnl); 2520 struct nf_conntrack_tuple tuple; 2521 struct nf_conntrack_expect *exp; 2522 struct sk_buff *skb2; 2523 struct nfgenmsg *nfmsg = nlmsg_data(nlh); 2524 u_int8_t u3 = nfmsg->nfgen_family; 2525 u16 zone; 2526 int err; 2527 2528 if (nlh->nlmsg_flags & NLM_F_DUMP) { 2529 if (cda[CTA_EXPECT_MASTER]) 2530 return ctnetlink_dump_exp_ct(ctnl, skb, nlh, cda); 2531 else { 2532 struct netlink_dump_control c = { 2533 .dump = ctnetlink_exp_dump_table, 2534 .done = ctnetlink_exp_done, 2535 }; 2536 return netlink_dump_start(ctnl, skb, nlh, &c); 2537 } 2538 } 2539 2540 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone); 2541 if (err < 0) 2542 return err; 2543 2544 if (cda[CTA_EXPECT_TUPLE]) 2545 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, u3); 2546 else if (cda[CTA_EXPECT_MASTER]) 2547 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER, u3); 2548 else 2549 return -EINVAL; 2550 2551 if (err < 0) 2552 return err; 2553 2554 exp = nf_ct_expect_find_get(net, zone, &tuple); 2555 if (!exp) 2556 return -ENOENT; 2557 2558 if (cda[CTA_EXPECT_ID]) { 2559 __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]); 2560 if (ntohl(id) != (u32)(unsigned long)exp) { 2561 nf_ct_expect_put(exp); 2562 return -ENOENT; 2563 } 2564 } 2565 2566 err = -ENOMEM; 2567 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); 2568 if (skb2 == NULL) { 2569 nf_ct_expect_put(exp); 2570 goto out; 2571 } 2572 2573 rcu_read_lock(); 2574 err = ctnetlink_exp_fill_info(skb2, NETLINK_CB(skb).portid, 2575 nlh->nlmsg_seq, IPCTNL_MSG_EXP_NEW, exp); 2576 rcu_read_unlock(); 2577 nf_ct_expect_put(exp); 2578 if (err <= 0) 2579 goto free; 2580 2581 err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT); 2582 if (err < 0) 2583 goto out; 2584 2585 return 0; 2586 2587free: 2588 kfree_skb(skb2); 2589out: 2590 /* this avoids a loop in nfnetlink. */ 2591 return err == -EAGAIN ? -ENOBUFS : err; 2592} 2593 2594static int 2595ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb, 2596 const struct nlmsghdr *nlh, 2597 const struct nlattr * const cda[]) 2598{ 2599 struct net *net = sock_net(ctnl); 2600 struct nf_conntrack_expect *exp; 2601 struct nf_conntrack_tuple tuple; 2602 struct nfgenmsg *nfmsg = nlmsg_data(nlh); 2603 struct hlist_node *next; 2604 u_int8_t u3 = nfmsg->nfgen_family; 2605 unsigned int i; 2606 u16 zone; 2607 int err; 2608 2609 if (cda[CTA_EXPECT_TUPLE]) { 2610 /* delete a single expect by tuple */ 2611 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone); 2612 if (err < 0) 2613 return err; 2614 2615 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, u3); 2616 if (err < 0) 2617 return err; 2618 2619 /* bump usage count to 2 */ 2620 exp = nf_ct_expect_find_get(net, zone, &tuple); 2621 if (!exp) 2622 return -ENOENT; 2623 2624 if (cda[CTA_EXPECT_ID]) { 2625 __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]); 2626 if (ntohl(id) != (u32)(unsigned long)exp) { 2627 nf_ct_expect_put(exp); 2628 return -ENOENT; 2629 } 2630 } 2631 2632 /* after list removal, usage count == 1 */ 2633 spin_lock_bh(&nf_conntrack_lock); 2634 if (del_timer(&exp->timeout)) { 2635 nf_ct_unlink_expect_report(exp, NETLINK_CB(skb).portid, 2636 nlmsg_report(nlh)); 2637 nf_ct_expect_put(exp); 2638 } 2639 spin_unlock_bh(&nf_conntrack_lock); 2640 /* have to put what we 'get' above. 2641 * after this line usage count == 0 */ 2642 nf_ct_expect_put(exp); 2643 } else if (cda[CTA_EXPECT_HELP_NAME]) { 2644 char *name = nla_data(cda[CTA_EXPECT_HELP_NAME]); 2645 struct nf_conn_help *m_help; 2646 2647 /* delete all expectations for this helper */ 2648 spin_lock_bh(&nf_conntrack_lock); 2649 for (i = 0; i < nf_ct_expect_hsize; i++) { 2650 hlist_for_each_entry_safe(exp, next, 2651 &net->ct.expect_hash[i], 2652 hnode) { 2653 m_help = nfct_help(exp->master); 2654 if (!strcmp(m_help->helper->name, name) && 2655 del_timer(&exp->timeout)) { 2656 nf_ct_unlink_expect_report(exp, 2657 NETLINK_CB(skb).portid, 2658 nlmsg_report(nlh)); 2659 nf_ct_expect_put(exp); 2660 } 2661 } 2662 } 2663 spin_unlock_bh(&nf_conntrack_lock); 2664 } else { 2665 /* This basically means we have to flush everything*/ 2666 spin_lock_bh(&nf_conntrack_lock); 2667 for (i = 0; i < nf_ct_expect_hsize; i++) { 2668 hlist_for_each_entry_safe(exp, next, 2669 &net->ct.expect_hash[i], 2670 hnode) { 2671 if (del_timer(&exp->timeout)) { 2672 nf_ct_unlink_expect_report(exp, 2673 NETLINK_CB(skb).portid, 2674 nlmsg_report(nlh)); 2675 nf_ct_expect_put(exp); 2676 } 2677 } 2678 } 2679 spin_unlock_bh(&nf_conntrack_lock); 2680 } 2681 2682 return 0; 2683} 2684static int 2685ctnetlink_change_expect(struct nf_conntrack_expect *x, 2686 const struct nlattr * const cda[]) 2687{ 2688 if (cda[CTA_EXPECT_TIMEOUT]) { 2689 if (!del_timer(&x->timeout)) 2690 return -ETIME; 2691 2692 x->timeout.expires = jiffies + 2693 ntohl(nla_get_be32(cda[CTA_EXPECT_TIMEOUT])) * HZ; 2694 add_timer(&x->timeout); 2695 } 2696 return 0; 2697} 2698 2699static const struct nla_policy exp_nat_nla_policy[CTA_EXPECT_NAT_MAX+1] = { 2700 [CTA_EXPECT_NAT_DIR] = { .type = NLA_U32 }, 2701 [CTA_EXPECT_NAT_TUPLE] = { .type = NLA_NESTED }, 2702}; 2703 2704static int 2705ctnetlink_parse_expect_nat(const struct nlattr *attr, 2706 struct nf_conntrack_expect *exp, 2707 u_int8_t u3) 2708{ 2709#ifdef CONFIG_NF_NAT_NEEDED 2710 struct nlattr *tb[CTA_EXPECT_NAT_MAX+1]; 2711 struct nf_conntrack_tuple nat_tuple = {}; 2712 int err; 2713 2714 nla_parse_nested(tb, CTA_EXPECT_NAT_MAX, attr, exp_nat_nla_policy); 2715 2716 if (!tb[CTA_EXPECT_NAT_DIR] || !tb[CTA_EXPECT_NAT_TUPLE]) 2717 return -EINVAL; 2718 2719 err = ctnetlink_parse_tuple((const struct nlattr * const *)tb, 2720 &nat_tuple, CTA_EXPECT_NAT_TUPLE, u3); 2721 if (err < 0) 2722 return err; 2723 2724 exp->saved_addr = nat_tuple.src.u3; 2725 exp->saved_proto = nat_tuple.src.u; 2726 exp->dir = ntohl(nla_get_be32(tb[CTA_EXPECT_NAT_DIR])); 2727 2728 return 0; 2729#else 2730 return -EOPNOTSUPP; 2731#endif 2732} 2733 2734static int 2735ctnetlink_create_expect(struct net *net, u16 zone, 2736 const struct nlattr * const cda[], 2737 u_int8_t u3, 2738 u32 portid, int report) 2739{ 2740 struct nf_conntrack_tuple tuple, mask, master_tuple; 2741 struct nf_conntrack_tuple_hash *h = NULL; 2742 struct nf_conntrack_expect *exp; 2743 struct nf_conn *ct; 2744 struct nf_conn_help *help; 2745 struct nf_conntrack_helper *helper = NULL; 2746 u_int32_t class = 0; 2747 int err = 0; 2748 2749 /* caller guarantees that those three CTA_EXPECT_* exist */ 2750 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, u3); 2751 if (err < 0) 2752 return err; 2753 err = ctnetlink_parse_tuple(cda, &mask, CTA_EXPECT_MASK, u3); 2754 if (err < 0) 2755 return err; 2756 err = ctnetlink_parse_tuple(cda, &master_tuple, CTA_EXPECT_MASTER, u3); 2757 if (err < 0) 2758 return err; 2759 2760 /* Look for master conntrack of this expectation */ 2761 h = nf_conntrack_find_get(net, zone, &master_tuple); 2762 if (!h) 2763 return -ENOENT; 2764 ct = nf_ct_tuplehash_to_ctrack(h); 2765 2766 /* Look for helper of this expectation */ 2767 if (cda[CTA_EXPECT_HELP_NAME]) { 2768 const char *helpname = nla_data(cda[CTA_EXPECT_HELP_NAME]); 2769 2770 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct), 2771 nf_ct_protonum(ct)); 2772 if (helper == NULL) { 2773#ifdef CONFIG_MODULES 2774 if (request_module("nfct-helper-%s", helpname) < 0) { 2775 err = -EOPNOTSUPP; 2776 goto out; 2777 } 2778 2779 helper = __nf_conntrack_helper_find(helpname, 2780 nf_ct_l3num(ct), 2781 nf_ct_protonum(ct)); 2782 if (helper) { 2783 err = -EAGAIN; 2784 goto out; 2785 } 2786#endif 2787 err = -EOPNOTSUPP; 2788 goto out; 2789 } 2790 } 2791 2792 if (cda[CTA_EXPECT_CLASS] && helper) { 2793 class = ntohl(nla_get_be32(cda[CTA_EXPECT_CLASS])); 2794 if (class > helper->expect_class_max) { 2795 err = -EINVAL; 2796 goto out; 2797 } 2798 } 2799 exp = nf_ct_expect_alloc(ct); 2800 if (!exp) { 2801 err = -ENOMEM; 2802 goto out; 2803 } 2804 help = nfct_help(ct); 2805 if (!help) { 2806 if (!cda[CTA_EXPECT_TIMEOUT]) { 2807 err = -EINVAL; 2808 goto err_out; 2809 } 2810 exp->timeout.expires = 2811 jiffies + ntohl(nla_get_be32(cda[CTA_EXPECT_TIMEOUT])) * HZ; 2812 2813 exp->flags = NF_CT_EXPECT_USERSPACE; 2814 if (cda[CTA_EXPECT_FLAGS]) { 2815 exp->flags |= 2816 ntohl(nla_get_be32(cda[CTA_EXPECT_FLAGS])); 2817 } 2818 } else { 2819 if (cda[CTA_EXPECT_FLAGS]) { 2820 exp->flags = ntohl(nla_get_be32(cda[CTA_EXPECT_FLAGS])); 2821 exp->flags &= ~NF_CT_EXPECT_USERSPACE; 2822 } else 2823 exp->flags = 0; 2824 } 2825 if (cda[CTA_EXPECT_FN]) { 2826 const char *name = nla_data(cda[CTA_EXPECT_FN]); 2827 struct nf_ct_helper_expectfn *expfn; 2828 2829 expfn = nf_ct_helper_expectfn_find_by_name(name); 2830 if (expfn == NULL) { 2831 err = -EINVAL; 2832 goto err_out; 2833 } 2834 exp->expectfn = expfn->expectfn; 2835 } else 2836 exp->expectfn = NULL; 2837 2838 exp->class = class; 2839 exp->master = ct; 2840 exp->helper = helper; 2841 memcpy(&exp->tuple, &tuple, sizeof(struct nf_conntrack_tuple)); 2842 memcpy(&exp->mask.src.u3, &mask.src.u3, sizeof(exp->mask.src.u3)); 2843 exp->mask.src.u.all = mask.src.u.all; 2844 2845 if (cda[CTA_EXPECT_NAT]) { 2846 err = ctnetlink_parse_expect_nat(cda[CTA_EXPECT_NAT], 2847 exp, u3); 2848 if (err < 0) 2849 goto err_out; 2850 } 2851 err = nf_ct_expect_related_report(exp, portid, report); 2852err_out: 2853 nf_ct_expect_put(exp); 2854out: 2855 nf_ct_put(nf_ct_tuplehash_to_ctrack(h)); 2856 return err; 2857} 2858 2859static int 2860ctnetlink_new_expect(struct sock *ctnl, struct sk_buff *skb, 2861 const struct nlmsghdr *nlh, 2862 const struct nlattr * const cda[]) 2863{ 2864 struct net *net = sock_net(ctnl); 2865 struct nf_conntrack_tuple tuple; 2866 struct nf_conntrack_expect *exp; 2867 struct nfgenmsg *nfmsg = nlmsg_data(nlh); 2868 u_int8_t u3 = nfmsg->nfgen_family; 2869 u16 zone; 2870 int err; 2871 2872 if (!cda[CTA_EXPECT_TUPLE] 2873 || !cda[CTA_EXPECT_MASK] 2874 || !cda[CTA_EXPECT_MASTER]) 2875 return -EINVAL; 2876 2877 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone); 2878 if (err < 0) 2879 return err; 2880 2881 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, u3); 2882 if (err < 0) 2883 return err; 2884 2885 spin_lock_bh(&nf_conntrack_lock); 2886 exp = __nf_ct_expect_find(net, zone, &tuple); 2887 2888 if (!exp) { 2889 spin_unlock_bh(&nf_conntrack_lock); 2890 err = -ENOENT; 2891 if (nlh->nlmsg_flags & NLM_F_CREATE) { 2892 err = ctnetlink_create_expect(net, zone, cda, 2893 u3, 2894 NETLINK_CB(skb).portid, 2895 nlmsg_report(nlh)); 2896 } 2897 return err; 2898 } 2899 2900 err = -EEXIST; 2901 if (!(nlh->nlmsg_flags & NLM_F_EXCL)) 2902 err = ctnetlink_change_expect(exp, cda); 2903 spin_unlock_bh(&nf_conntrack_lock); 2904 2905 return err; 2906} 2907 2908static int 2909ctnetlink_exp_stat_fill_info(struct sk_buff *skb, u32 portid, u32 seq, int cpu, 2910 const struct ip_conntrack_stat *st) 2911{ 2912 struct nlmsghdr *nlh; 2913 struct nfgenmsg *nfmsg; 2914 unsigned int flags = portid ? NLM_F_MULTI : 0, event; 2915 2916 event = (NFNL_SUBSYS_CTNETLINK << 8 | IPCTNL_MSG_EXP_GET_STATS_CPU); 2917 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); 2918 if (nlh == NULL) 2919 goto nlmsg_failure; 2920 2921 nfmsg = nlmsg_data(nlh); 2922 nfmsg->nfgen_family = AF_UNSPEC; 2923 nfmsg->version = NFNETLINK_V0; 2924 nfmsg->res_id = htons(cpu); 2925 2926 if (nla_put_be32(skb, CTA_STATS_EXP_NEW, htonl(st->expect_new)) || 2927 nla_put_be32(skb, CTA_STATS_EXP_CREATE, htonl(st->expect_create)) || 2928 nla_put_be32(skb, CTA_STATS_EXP_DELETE, htonl(st->expect_delete))) 2929 goto nla_put_failure; 2930 2931 nlmsg_end(skb, nlh); 2932 return skb->len; 2933 2934nla_put_failure: 2935nlmsg_failure: 2936 nlmsg_cancel(skb, nlh); 2937 return -1; 2938} 2939 2940static int 2941ctnetlink_exp_stat_cpu_dump(struct sk_buff *skb, struct netlink_callback *cb) 2942{ 2943 int cpu; 2944 struct net *net = sock_net(skb->sk); 2945 2946 if (cb->args[0] == nr_cpu_ids) 2947 return 0; 2948 2949 for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) { 2950 const struct ip_conntrack_stat *st; 2951 2952 if (!cpu_possible(cpu)) 2953 continue; 2954 2955 st = per_cpu_ptr(net->ct.stat, cpu); 2956 if (ctnetlink_exp_stat_fill_info(skb, NETLINK_CB(cb->skb).portid, 2957 cb->nlh->nlmsg_seq, 2958 cpu, st) < 0) 2959 break; 2960 } 2961 cb->args[0] = cpu; 2962 2963 return skb->len; 2964} 2965 2966static int 2967ctnetlink_stat_exp_cpu(struct sock *ctnl, struct sk_buff *skb, 2968 const struct nlmsghdr *nlh, 2969 const struct nlattr * const cda[]) 2970{ 2971 if (nlh->nlmsg_flags & NLM_F_DUMP) { 2972 struct netlink_dump_control c = { 2973 .dump = ctnetlink_exp_stat_cpu_dump, 2974 }; 2975 return netlink_dump_start(ctnl, skb, nlh, &c); 2976 } 2977 2978 return 0; 2979} 2980 2981#ifdef CONFIG_NF_CONNTRACK_EVENTS 2982static struct nf_ct_event_notifier ctnl_notifier = { 2983 .fcn = ctnetlink_conntrack_event, 2984}; 2985 2986static struct nf_exp_event_notifier ctnl_notifier_exp = { 2987 .fcn = ctnetlink_expect_event, 2988}; 2989#endif 2990 2991static const struct nfnl_callback ctnl_cb[IPCTNL_MSG_MAX] = { 2992 [IPCTNL_MSG_CT_NEW] = { .call = ctnetlink_new_conntrack, 2993 .attr_count = CTA_MAX, 2994 .policy = ct_nla_policy }, 2995 [IPCTNL_MSG_CT_GET] = { .call = ctnetlink_get_conntrack, 2996 .attr_count = CTA_MAX, 2997 .policy = ct_nla_policy }, 2998 [IPCTNL_MSG_CT_DELETE] = { .call = ctnetlink_del_conntrack, 2999 .attr_count = CTA_MAX, 3000 .policy = ct_nla_policy }, 3001 [IPCTNL_MSG_CT_GET_CTRZERO] = { .call = ctnetlink_get_conntrack, 3002 .attr_count = CTA_MAX, 3003 .policy = ct_nla_policy }, 3004 [IPCTNL_MSG_CT_GET_STATS_CPU] = { .call = ctnetlink_stat_ct_cpu }, 3005 [IPCTNL_MSG_CT_GET_STATS] = { .call = ctnetlink_stat_ct }, 3006 [IPCTNL_MSG_CT_GET_DYING] = { .call = ctnetlink_get_ct_dying }, 3007 [IPCTNL_MSG_CT_GET_UNCONFIRMED] = { .call = ctnetlink_get_ct_unconfirmed }, 3008}; 3009 3010static const struct nfnl_callback ctnl_exp_cb[IPCTNL_MSG_EXP_MAX] = { 3011 [IPCTNL_MSG_EXP_GET] = { .call = ctnetlink_get_expect, 3012 .attr_count = CTA_EXPECT_MAX, 3013 .policy = exp_nla_policy }, 3014 [IPCTNL_MSG_EXP_NEW] = { .call = ctnetlink_new_expect, 3015 .attr_count = CTA_EXPECT_MAX, 3016 .policy = exp_nla_policy }, 3017 [IPCTNL_MSG_EXP_DELETE] = { .call = ctnetlink_del_expect, 3018 .attr_count = CTA_EXPECT_MAX, 3019 .policy = exp_nla_policy }, 3020 [IPCTNL_MSG_EXP_GET_STATS_CPU] = { .call = ctnetlink_stat_exp_cpu }, 3021}; 3022 3023static const struct nfnetlink_subsystem ctnl_subsys = { 3024 .name = "conntrack", 3025 .subsys_id = NFNL_SUBSYS_CTNETLINK, 3026 .cb_count = IPCTNL_MSG_MAX, 3027 .cb = ctnl_cb, 3028}; 3029 3030static const struct nfnetlink_subsystem ctnl_exp_subsys = { 3031 .name = "conntrack_expect", 3032 .subsys_id = NFNL_SUBSYS_CTNETLINK_EXP, 3033 .cb_count = IPCTNL_MSG_EXP_MAX, 3034 .cb = ctnl_exp_cb, 3035}; 3036 3037MODULE_ALIAS("ip_conntrack_netlink"); 3038MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK); 3039MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK_EXP); 3040 3041static int __net_init ctnetlink_net_init(struct net *net) 3042{ 3043#ifdef CONFIG_NF_CONNTRACK_EVENTS 3044 int ret; 3045 3046 ret = nf_conntrack_register_notifier(net, &ctnl_notifier); 3047 if (ret < 0) { 3048 pr_err("ctnetlink_init: cannot register notifier.\n"); 3049 goto err_out; 3050 } 3051 3052 ret = nf_ct_expect_register_notifier(net, &ctnl_notifier_exp); 3053 if (ret < 0) { 3054 pr_err("ctnetlink_init: cannot expect register notifier.\n"); 3055 goto err_unreg_notifier; 3056 } 3057#endif 3058 return 0; 3059 3060#ifdef CONFIG_NF_CONNTRACK_EVENTS 3061err_unreg_notifier: 3062 nf_conntrack_unregister_notifier(net, &ctnl_notifier); 3063err_out: 3064 return ret; 3065#endif 3066} 3067 3068static void ctnetlink_net_exit(struct net *net) 3069{ 3070#ifdef CONFIG_NF_CONNTRACK_EVENTS 3071 nf_ct_expect_unregister_notifier(net, &ctnl_notifier_exp); 3072 nf_conntrack_unregister_notifier(net, &ctnl_notifier); 3073#endif 3074} 3075 3076static void __net_exit ctnetlink_net_exit_batch(struct list_head *net_exit_list) 3077{ 3078 struct net *net; 3079 3080 list_for_each_entry(net, net_exit_list, exit_list) 3081 ctnetlink_net_exit(net); 3082} 3083 3084static struct pernet_operations ctnetlink_net_ops = { 3085 .init = ctnetlink_net_init, 3086 .exit_batch = ctnetlink_net_exit_batch, 3087}; 3088 3089static int __init ctnetlink_init(void) 3090{ 3091 int ret; 3092 3093 pr_info("ctnetlink v%s: registering with nfnetlink.\n", version); 3094 ret = nfnetlink_subsys_register(&ctnl_subsys); 3095 if (ret < 0) { 3096 pr_err("ctnetlink_init: cannot register with nfnetlink.\n"); 3097 goto err_out; 3098 } 3099 3100 ret = nfnetlink_subsys_register(&ctnl_exp_subsys); 3101 if (ret < 0) { 3102 pr_err("ctnetlink_init: cannot register exp with nfnetlink.\n"); 3103 goto err_unreg_subsys; 3104 } 3105 3106 ret = register_pernet_subsys(&ctnetlink_net_ops); 3107 if (ret < 0) { 3108 pr_err("ctnetlink_init: cannot register pernet operations\n"); 3109 goto err_unreg_exp_subsys; 3110 } 3111#ifdef CONFIG_NETFILTER_NETLINK_QUEUE_CT 3112 /* setup interaction between nf_queue and nf_conntrack_netlink. */ 3113 RCU_INIT_POINTER(nfq_ct_hook, &ctnetlink_nfqueue_hook); 3114#endif 3115 return 0; 3116 3117err_unreg_exp_subsys: 3118 nfnetlink_subsys_unregister(&ctnl_exp_subsys); 3119err_unreg_subsys: 3120 nfnetlink_subsys_unregister(&ctnl_subsys); 3121err_out: 3122 return ret; 3123} 3124 3125static void __exit ctnetlink_exit(void) 3126{ 3127 pr_info("ctnetlink: unregistering from nfnetlink.\n"); 3128 3129 unregister_pernet_subsys(&ctnetlink_net_ops); 3130 nfnetlink_subsys_unregister(&ctnl_exp_subsys); 3131 nfnetlink_subsys_unregister(&ctnl_subsys); 3132#ifdef CONFIG_NETFILTER_NETLINK_QUEUE_CT 3133 RCU_INIT_POINTER(nfq_ct_hook, NULL); 3134#endif 3135} 3136 3137module_init(ctnetlink_init); 3138module_exit(ctnetlink_exit); 3139