nf_conntrack_netlink.c revision cb1cb5c47457ff2b604dac2da44cab4d39d11459
1/* Connection tracking via netlink socket. Allows for user space 2 * protocol helpers and general trouble making from userspace. 3 * 4 * (C) 2001 by Jay Schulist <jschlst@samba.org> 5 * (C) 2002-2006 by Harald Welte <laforge@gnumonks.org> 6 * (C) 2003 by Patrick Mchardy <kaber@trash.net> 7 * (C) 2005-2008 by Pablo Neira Ayuso <pablo@netfilter.org> 8 * 9 * Initial connection tracking via netlink development funded and 10 * generally made possible by Network Robots, Inc. (www.networkrobots.com) 11 * 12 * Further development of this code funded by Astaro AG (http://www.astaro.com) 13 * 14 * This software may be used and distributed according to the terms 15 * of the GNU General Public License, incorporated herein by reference. 16 */ 17 18#include <linux/init.h> 19#include <linux/module.h> 20#include <linux/kernel.h> 21#include <linux/rculist.h> 22#include <linux/types.h> 23#include <linux/timer.h> 24#include <linux/skbuff.h> 25#include <linux/errno.h> 26#include <linux/netlink.h> 27#include <linux/spinlock.h> 28#include <linux/interrupt.h> 29#include <linux/notifier.h> 30 31#include <linux/netfilter.h> 32#include <net/netlink.h> 33#include <net/netfilter/nf_conntrack.h> 34#include <net/netfilter/nf_conntrack_core.h> 35#include <net/netfilter/nf_conntrack_expect.h> 36#include <net/netfilter/nf_conntrack_helper.h> 37#include <net/netfilter/nf_conntrack_l3proto.h> 38#include <net/netfilter/nf_conntrack_l4proto.h> 39#include <net/netfilter/nf_conntrack_tuple.h> 40#include <net/netfilter/nf_conntrack_acct.h> 41#ifdef CONFIG_NF_NAT_NEEDED 42#include <net/netfilter/nf_nat_core.h> 43#include <net/netfilter/nf_nat_protocol.h> 44#endif 45 46#include <linux/netfilter/nfnetlink.h> 47#include <linux/netfilter/nfnetlink_conntrack.h> 48 49MODULE_LICENSE("GPL"); 50 51static char __initdata version[] = "0.93"; 52 53static inline int 54ctnetlink_dump_tuples_proto(struct sk_buff *skb, 55 const struct nf_conntrack_tuple *tuple, 56 struct nf_conntrack_l4proto *l4proto) 57{ 58 int ret = 0; 59 struct nlattr *nest_parms; 60 61 nest_parms = nla_nest_start(skb, CTA_TUPLE_PROTO | NLA_F_NESTED); 62 if (!nest_parms) 63 goto nla_put_failure; 64 NLA_PUT_U8(skb, CTA_PROTO_NUM, tuple->dst.protonum); 65 66 if (likely(l4proto->tuple_to_nlattr)) 67 ret = l4proto->tuple_to_nlattr(skb, tuple); 68 69 nla_nest_end(skb, nest_parms); 70 71 return ret; 72 73nla_put_failure: 74 return -1; 75} 76 77static inline int 78ctnetlink_dump_tuples_ip(struct sk_buff *skb, 79 const struct nf_conntrack_tuple *tuple, 80 struct nf_conntrack_l3proto *l3proto) 81{ 82 int ret = 0; 83 struct nlattr *nest_parms; 84 85 nest_parms = nla_nest_start(skb, CTA_TUPLE_IP | NLA_F_NESTED); 86 if (!nest_parms) 87 goto nla_put_failure; 88 89 if (likely(l3proto->tuple_to_nlattr)) 90 ret = l3proto->tuple_to_nlattr(skb, tuple); 91 92 nla_nest_end(skb, nest_parms); 93 94 return ret; 95 96nla_put_failure: 97 return -1; 98} 99 100static int 101ctnetlink_dump_tuples(struct sk_buff *skb, 102 const struct nf_conntrack_tuple *tuple) 103{ 104 int ret; 105 struct nf_conntrack_l3proto *l3proto; 106 struct nf_conntrack_l4proto *l4proto; 107 108 l3proto = nf_ct_l3proto_find_get(tuple->src.l3num); 109 ret = ctnetlink_dump_tuples_ip(skb, tuple, l3proto); 110 nf_ct_l3proto_put(l3proto); 111 112 if (unlikely(ret < 0)) 113 return ret; 114 115 l4proto = nf_ct_l4proto_find_get(tuple->src.l3num, tuple->dst.protonum); 116 ret = ctnetlink_dump_tuples_proto(skb, tuple, l4proto); 117 nf_ct_l4proto_put(l4proto); 118 119 return ret; 120} 121 122static inline int 123ctnetlink_dump_status(struct sk_buff *skb, const struct nf_conn *ct) 124{ 125 NLA_PUT_BE32(skb, CTA_STATUS, htonl(ct->status)); 126 return 0; 127 128nla_put_failure: 129 return -1; 130} 131 132static inline int 133ctnetlink_dump_timeout(struct sk_buff *skb, const struct nf_conn *ct) 134{ 135 long timeout = (ct->timeout.expires - jiffies) / HZ; 136 137 if (timeout < 0) 138 timeout = 0; 139 140 NLA_PUT_BE32(skb, CTA_TIMEOUT, htonl(timeout)); 141 return 0; 142 143nla_put_failure: 144 return -1; 145} 146 147static inline int 148ctnetlink_dump_protoinfo(struct sk_buff *skb, const struct nf_conn *ct) 149{ 150 struct nf_conntrack_l4proto *l4proto; 151 struct nlattr *nest_proto; 152 int ret; 153 154 l4proto = nf_ct_l4proto_find_get(nf_ct_l3num(ct), nf_ct_protonum(ct)); 155 if (!l4proto->to_nlattr) { 156 nf_ct_l4proto_put(l4proto); 157 return 0; 158 } 159 160 nest_proto = nla_nest_start(skb, CTA_PROTOINFO | NLA_F_NESTED); 161 if (!nest_proto) 162 goto nla_put_failure; 163 164 ret = l4proto->to_nlattr(skb, nest_proto, ct); 165 166 nf_ct_l4proto_put(l4proto); 167 168 nla_nest_end(skb, nest_proto); 169 170 return ret; 171 172nla_put_failure: 173 nf_ct_l4proto_put(l4proto); 174 return -1; 175} 176 177static inline int 178ctnetlink_dump_helpinfo(struct sk_buff *skb, const struct nf_conn *ct) 179{ 180 struct nlattr *nest_helper; 181 const struct nf_conn_help *help = nfct_help(ct); 182 struct nf_conntrack_helper *helper; 183 184 if (!help) 185 return 0; 186 187 rcu_read_lock(); 188 helper = rcu_dereference(help->helper); 189 if (!helper) 190 goto out; 191 192 nest_helper = nla_nest_start(skb, CTA_HELP | NLA_F_NESTED); 193 if (!nest_helper) 194 goto nla_put_failure; 195 NLA_PUT_STRING(skb, CTA_HELP_NAME, helper->name); 196 197 if (helper->to_nlattr) 198 helper->to_nlattr(skb, ct); 199 200 nla_nest_end(skb, nest_helper); 201out: 202 rcu_read_unlock(); 203 return 0; 204 205nla_put_failure: 206 rcu_read_unlock(); 207 return -1; 208} 209 210static int 211ctnetlink_dump_counters(struct sk_buff *skb, const struct nf_conn *ct, 212 enum ip_conntrack_dir dir) 213{ 214 enum ctattr_type type = dir ? CTA_COUNTERS_REPLY: CTA_COUNTERS_ORIG; 215 struct nlattr *nest_count; 216 const struct nf_conn_counter *acct; 217 218 acct = nf_conn_acct_find(ct); 219 if (!acct) 220 return 0; 221 222 nest_count = nla_nest_start(skb, type | NLA_F_NESTED); 223 if (!nest_count) 224 goto nla_put_failure; 225 226 NLA_PUT_BE64(skb, CTA_COUNTERS_PACKETS, 227 cpu_to_be64(acct[dir].packets)); 228 NLA_PUT_BE64(skb, CTA_COUNTERS_BYTES, 229 cpu_to_be64(acct[dir].bytes)); 230 231 nla_nest_end(skb, nest_count); 232 233 return 0; 234 235nla_put_failure: 236 return -1; 237} 238 239#ifdef CONFIG_NF_CONNTRACK_MARK 240static inline int 241ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct) 242{ 243 NLA_PUT_BE32(skb, CTA_MARK, htonl(ct->mark)); 244 return 0; 245 246nla_put_failure: 247 return -1; 248} 249#else 250#define ctnetlink_dump_mark(a, b) (0) 251#endif 252 253#ifdef CONFIG_NF_CONNTRACK_SECMARK 254static inline int 255ctnetlink_dump_secmark(struct sk_buff *skb, const struct nf_conn *ct) 256{ 257 NLA_PUT_BE32(skb, CTA_SECMARK, htonl(ct->secmark)); 258 return 0; 259 260nla_put_failure: 261 return -1; 262} 263#else 264#define ctnetlink_dump_secmark(a, b) (0) 265#endif 266 267#define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple) 268 269static inline int 270ctnetlink_dump_master(struct sk_buff *skb, const struct nf_conn *ct) 271{ 272 struct nlattr *nest_parms; 273 274 if (!(ct->status & IPS_EXPECTED)) 275 return 0; 276 277 nest_parms = nla_nest_start(skb, CTA_TUPLE_MASTER | NLA_F_NESTED); 278 if (!nest_parms) 279 goto nla_put_failure; 280 if (ctnetlink_dump_tuples(skb, master_tuple(ct)) < 0) 281 goto nla_put_failure; 282 nla_nest_end(skb, nest_parms); 283 284 return 0; 285 286nla_put_failure: 287 return -1; 288} 289 290#ifdef CONFIG_NF_NAT_NEEDED 291static int 292dump_nat_seq_adj(struct sk_buff *skb, const struct nf_nat_seq *natseq, int type) 293{ 294 struct nlattr *nest_parms; 295 296 nest_parms = nla_nest_start(skb, type | NLA_F_NESTED); 297 if (!nest_parms) 298 goto nla_put_failure; 299 300 NLA_PUT_BE32(skb, CTA_NAT_SEQ_CORRECTION_POS, 301 htonl(natseq->correction_pos)); 302 NLA_PUT_BE32(skb, CTA_NAT_SEQ_OFFSET_BEFORE, 303 htonl(natseq->offset_before)); 304 NLA_PUT_BE32(skb, CTA_NAT_SEQ_OFFSET_AFTER, 305 htonl(natseq->offset_after)); 306 307 nla_nest_end(skb, nest_parms); 308 309 return 0; 310 311nla_put_failure: 312 return -1; 313} 314 315static inline int 316ctnetlink_dump_nat_seq_adj(struct sk_buff *skb, const struct nf_conn *ct) 317{ 318 struct nf_nat_seq *natseq; 319 struct nf_conn_nat *nat = nfct_nat(ct); 320 321 if (!(ct->status & IPS_SEQ_ADJUST) || !nat) 322 return 0; 323 324 natseq = &nat->seq[IP_CT_DIR_ORIGINAL]; 325 if (dump_nat_seq_adj(skb, natseq, CTA_NAT_SEQ_ADJ_ORIG) == -1) 326 return -1; 327 328 natseq = &nat->seq[IP_CT_DIR_REPLY]; 329 if (dump_nat_seq_adj(skb, natseq, CTA_NAT_SEQ_ADJ_REPLY) == -1) 330 return -1; 331 332 return 0; 333} 334#else 335#define ctnetlink_dump_nat_seq_adj(a, b) (0) 336#endif 337 338static inline int 339ctnetlink_dump_id(struct sk_buff *skb, const struct nf_conn *ct) 340{ 341 NLA_PUT_BE32(skb, CTA_ID, htonl((unsigned long)ct)); 342 return 0; 343 344nla_put_failure: 345 return -1; 346} 347 348static inline int 349ctnetlink_dump_use(struct sk_buff *skb, const struct nf_conn *ct) 350{ 351 NLA_PUT_BE32(skb, CTA_USE, htonl(atomic_read(&ct->ct_general.use))); 352 return 0; 353 354nla_put_failure: 355 return -1; 356} 357 358#define tuple(ct, dir) (&(ct)->tuplehash[dir].tuple) 359 360static int 361ctnetlink_fill_info(struct sk_buff *skb, u32 pid, u32 seq, 362 int event, int nowait, 363 const struct nf_conn *ct) 364{ 365 struct nlmsghdr *nlh; 366 struct nfgenmsg *nfmsg; 367 struct nlattr *nest_parms; 368 unsigned char *b = skb_tail_pointer(skb); 369 370 event |= NFNL_SUBSYS_CTNETLINK << 8; 371 nlh = NLMSG_PUT(skb, pid, seq, event, sizeof(struct nfgenmsg)); 372 nfmsg = NLMSG_DATA(nlh); 373 374 nlh->nlmsg_flags = (nowait && pid) ? NLM_F_MULTI : 0; 375 nfmsg->nfgen_family = nf_ct_l3num(ct); 376 nfmsg->version = NFNETLINK_V0; 377 nfmsg->res_id = 0; 378 379 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED); 380 if (!nest_parms) 381 goto nla_put_failure; 382 if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_ORIGINAL)) < 0) 383 goto nla_put_failure; 384 nla_nest_end(skb, nest_parms); 385 386 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY | NLA_F_NESTED); 387 if (!nest_parms) 388 goto nla_put_failure; 389 if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_REPLY)) < 0) 390 goto nla_put_failure; 391 nla_nest_end(skb, nest_parms); 392 393 if (ctnetlink_dump_status(skb, ct) < 0 || 394 ctnetlink_dump_timeout(skb, ct) < 0 || 395 ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 || 396 ctnetlink_dump_counters(skb, ct, IP_CT_DIR_REPLY) < 0 || 397 ctnetlink_dump_protoinfo(skb, ct) < 0 || 398 ctnetlink_dump_helpinfo(skb, ct) < 0 || 399 ctnetlink_dump_mark(skb, ct) < 0 || 400 ctnetlink_dump_secmark(skb, ct) < 0 || 401 ctnetlink_dump_id(skb, ct) < 0 || 402 ctnetlink_dump_use(skb, ct) < 0 || 403 ctnetlink_dump_master(skb, ct) < 0 || 404 ctnetlink_dump_nat_seq_adj(skb, ct) < 0) 405 goto nla_put_failure; 406 407 nlh->nlmsg_len = skb_tail_pointer(skb) - b; 408 return skb->len; 409 410nlmsg_failure: 411nla_put_failure: 412 nlmsg_trim(skb, b); 413 return -1; 414} 415 416#ifdef CONFIG_NF_CONNTRACK_EVENTS 417static int ctnetlink_conntrack_event(struct notifier_block *this, 418 unsigned long events, void *ptr) 419{ 420 struct nlmsghdr *nlh; 421 struct nfgenmsg *nfmsg; 422 struct nlattr *nest_parms; 423 struct nf_conn *ct = (struct nf_conn *)ptr; 424 struct sk_buff *skb; 425 unsigned int type; 426 sk_buff_data_t b; 427 unsigned int flags = 0, group; 428 429 /* ignore our fake conntrack entry */ 430 if (ct == &nf_conntrack_untracked) 431 return NOTIFY_DONE; 432 433 if (events & IPCT_DESTROY) { 434 type = IPCTNL_MSG_CT_DELETE; 435 group = NFNLGRP_CONNTRACK_DESTROY; 436 } else if (events & (IPCT_NEW | IPCT_RELATED)) { 437 type = IPCTNL_MSG_CT_NEW; 438 flags = NLM_F_CREATE|NLM_F_EXCL; 439 group = NFNLGRP_CONNTRACK_NEW; 440 } else if (events & (IPCT_STATUS | IPCT_PROTOINFO)) { 441 type = IPCTNL_MSG_CT_NEW; 442 group = NFNLGRP_CONNTRACK_UPDATE; 443 } else 444 return NOTIFY_DONE; 445 446 if (!nfnetlink_has_listeners(group)) 447 return NOTIFY_DONE; 448 449 skb = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 450 if (!skb) 451 return NOTIFY_DONE; 452 453 b = skb->tail; 454 455 type |= NFNL_SUBSYS_CTNETLINK << 8; 456 nlh = NLMSG_PUT(skb, 0, 0, type, sizeof(struct nfgenmsg)); 457 nfmsg = NLMSG_DATA(nlh); 458 459 nlh->nlmsg_flags = flags; 460 nfmsg->nfgen_family = nf_ct_l3num(ct); 461 nfmsg->version = NFNETLINK_V0; 462 nfmsg->res_id = 0; 463 464 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED); 465 if (!nest_parms) 466 goto nla_put_failure; 467 if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_ORIGINAL)) < 0) 468 goto nla_put_failure; 469 nla_nest_end(skb, nest_parms); 470 471 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY | NLA_F_NESTED); 472 if (!nest_parms) 473 goto nla_put_failure; 474 if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_REPLY)) < 0) 475 goto nla_put_failure; 476 nla_nest_end(skb, nest_parms); 477 478 if (ctnetlink_dump_id(skb, ct) < 0) 479 goto nla_put_failure; 480 481 if (ctnetlink_dump_status(skb, ct) < 0) 482 goto nla_put_failure; 483 484 if (events & IPCT_DESTROY) { 485 if (ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 || 486 ctnetlink_dump_counters(skb, ct, IP_CT_DIR_REPLY) < 0) 487 goto nla_put_failure; 488 } else { 489 if (ctnetlink_dump_timeout(skb, ct) < 0) 490 goto nla_put_failure; 491 492 if (events & IPCT_PROTOINFO 493 && ctnetlink_dump_protoinfo(skb, ct) < 0) 494 goto nla_put_failure; 495 496 if ((events & IPCT_HELPER || nfct_help(ct)) 497 && ctnetlink_dump_helpinfo(skb, ct) < 0) 498 goto nla_put_failure; 499 500#ifdef CONFIG_NF_CONNTRACK_SECMARK 501 if ((events & IPCT_SECMARK || ct->secmark) 502 && ctnetlink_dump_secmark(skb, ct) < 0) 503 goto nla_put_failure; 504#endif 505 506 if (events & IPCT_RELATED && 507 ctnetlink_dump_master(skb, ct) < 0) 508 goto nla_put_failure; 509 510 if (events & IPCT_NATSEQADJ && 511 ctnetlink_dump_nat_seq_adj(skb, ct) < 0) 512 goto nla_put_failure; 513 } 514 515#ifdef CONFIG_NF_CONNTRACK_MARK 516 if ((events & IPCT_MARK || ct->mark) 517 && ctnetlink_dump_mark(skb, ct) < 0) 518 goto nla_put_failure; 519#endif 520 521 nlh->nlmsg_len = skb->tail - b; 522 nfnetlink_send(skb, 0, group, 0); 523 return NOTIFY_DONE; 524 525nlmsg_failure: 526nla_put_failure: 527 kfree_skb(skb); 528 return NOTIFY_DONE; 529} 530#endif /* CONFIG_NF_CONNTRACK_EVENTS */ 531 532static int ctnetlink_done(struct netlink_callback *cb) 533{ 534 if (cb->args[1]) 535 nf_ct_put((struct nf_conn *)cb->args[1]); 536 return 0; 537} 538 539static int 540ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb) 541{ 542 struct nf_conn *ct, *last; 543 struct nf_conntrack_tuple_hash *h; 544 struct hlist_node *n; 545 struct nfgenmsg *nfmsg = NLMSG_DATA(cb->nlh); 546 u_int8_t l3proto = nfmsg->nfgen_family; 547 548 rcu_read_lock(); 549 last = (struct nf_conn *)cb->args[1]; 550 for (; cb->args[0] < nf_conntrack_htable_size; cb->args[0]++) { 551restart: 552 hlist_for_each_entry_rcu(h, n, &nf_conntrack_hash[cb->args[0]], 553 hnode) { 554 if (NF_CT_DIRECTION(h) != IP_CT_DIR_ORIGINAL) 555 continue; 556 ct = nf_ct_tuplehash_to_ctrack(h); 557 /* Dump entries of a given L3 protocol number. 558 * If it is not specified, ie. l3proto == 0, 559 * then dump everything. */ 560 if (l3proto && nf_ct_l3num(ct) != l3proto) 561 continue; 562 if (cb->args[1]) { 563 if (ct != last) 564 continue; 565 cb->args[1] = 0; 566 } 567 if (ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).pid, 568 cb->nlh->nlmsg_seq, 569 IPCTNL_MSG_CT_NEW, 570 1, ct) < 0) { 571 if (!atomic_inc_not_zero(&ct->ct_general.use)) 572 continue; 573 cb->args[1] = (unsigned long)ct; 574 goto out; 575 } 576 577 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == 578 IPCTNL_MSG_CT_GET_CTRZERO) { 579 struct nf_conn_counter *acct; 580 581 acct = nf_conn_acct_find(ct); 582 if (acct) 583 memset(acct, 0, sizeof(struct nf_conn_counter[IP_CT_DIR_MAX])); 584 } 585 } 586 if (cb->args[1]) { 587 cb->args[1] = 0; 588 goto restart; 589 } 590 } 591out: 592 rcu_read_unlock(); 593 if (last) 594 nf_ct_put(last); 595 596 return skb->len; 597} 598 599static inline int 600ctnetlink_parse_tuple_ip(struct nlattr *attr, struct nf_conntrack_tuple *tuple) 601{ 602 struct nlattr *tb[CTA_IP_MAX+1]; 603 struct nf_conntrack_l3proto *l3proto; 604 int ret = 0; 605 606 nla_parse_nested(tb, CTA_IP_MAX, attr, NULL); 607 608 l3proto = nf_ct_l3proto_find_get(tuple->src.l3num); 609 610 if (likely(l3proto->nlattr_to_tuple)) { 611 ret = nla_validate_nested(attr, CTA_IP_MAX, 612 l3proto->nla_policy); 613 if (ret == 0) 614 ret = l3proto->nlattr_to_tuple(tb, tuple); 615 } 616 617 nf_ct_l3proto_put(l3proto); 618 619 return ret; 620} 621 622static const struct nla_policy proto_nla_policy[CTA_PROTO_MAX+1] = { 623 [CTA_PROTO_NUM] = { .type = NLA_U8 }, 624}; 625 626static inline int 627ctnetlink_parse_tuple_proto(struct nlattr *attr, 628 struct nf_conntrack_tuple *tuple) 629{ 630 struct nlattr *tb[CTA_PROTO_MAX+1]; 631 struct nf_conntrack_l4proto *l4proto; 632 int ret = 0; 633 634 ret = nla_parse_nested(tb, CTA_PROTO_MAX, attr, proto_nla_policy); 635 if (ret < 0) 636 return ret; 637 638 if (!tb[CTA_PROTO_NUM]) 639 return -EINVAL; 640 tuple->dst.protonum = nla_get_u8(tb[CTA_PROTO_NUM]); 641 642 l4proto = nf_ct_l4proto_find_get(tuple->src.l3num, tuple->dst.protonum); 643 644 if (likely(l4proto->nlattr_to_tuple)) { 645 ret = nla_validate_nested(attr, CTA_PROTO_MAX, 646 l4proto->nla_policy); 647 if (ret == 0) 648 ret = l4proto->nlattr_to_tuple(tb, tuple); 649 } 650 651 nf_ct_l4proto_put(l4proto); 652 653 return ret; 654} 655 656static int 657ctnetlink_parse_tuple(struct nlattr *cda[], struct nf_conntrack_tuple *tuple, 658 enum ctattr_tuple type, u_int8_t l3num) 659{ 660 struct nlattr *tb[CTA_TUPLE_MAX+1]; 661 int err; 662 663 memset(tuple, 0, sizeof(*tuple)); 664 665 nla_parse_nested(tb, CTA_TUPLE_MAX, cda[type], NULL); 666 667 if (!tb[CTA_TUPLE_IP]) 668 return -EINVAL; 669 670 tuple->src.l3num = l3num; 671 672 err = ctnetlink_parse_tuple_ip(tb[CTA_TUPLE_IP], tuple); 673 if (err < 0) 674 return err; 675 676 if (!tb[CTA_TUPLE_PROTO]) 677 return -EINVAL; 678 679 err = ctnetlink_parse_tuple_proto(tb[CTA_TUPLE_PROTO], tuple); 680 if (err < 0) 681 return err; 682 683 /* orig and expect tuples get DIR_ORIGINAL */ 684 if (type == CTA_TUPLE_REPLY) 685 tuple->dst.dir = IP_CT_DIR_REPLY; 686 else 687 tuple->dst.dir = IP_CT_DIR_ORIGINAL; 688 689 return 0; 690} 691 692#ifdef CONFIG_NF_NAT_NEEDED 693static const struct nla_policy protonat_nla_policy[CTA_PROTONAT_MAX+1] = { 694 [CTA_PROTONAT_PORT_MIN] = { .type = NLA_U16 }, 695 [CTA_PROTONAT_PORT_MAX] = { .type = NLA_U16 }, 696}; 697 698static int nfnetlink_parse_nat_proto(struct nlattr *attr, 699 const struct nf_conn *ct, 700 struct nf_nat_range *range) 701{ 702 struct nlattr *tb[CTA_PROTONAT_MAX+1]; 703 const struct nf_nat_protocol *npt; 704 int err; 705 706 err = nla_parse_nested(tb, CTA_PROTONAT_MAX, attr, protonat_nla_policy); 707 if (err < 0) 708 return err; 709 710 npt = nf_nat_proto_find_get(nf_ct_protonum(ct)); 711 if (npt->nlattr_to_range) 712 err = npt->nlattr_to_range(tb, range); 713 nf_nat_proto_put(npt); 714 return err; 715} 716 717static const struct nla_policy nat_nla_policy[CTA_NAT_MAX+1] = { 718 [CTA_NAT_MINIP] = { .type = NLA_U32 }, 719 [CTA_NAT_MAXIP] = { .type = NLA_U32 }, 720}; 721 722static inline int 723nfnetlink_parse_nat(struct nlattr *nat, 724 const struct nf_conn *ct, struct nf_nat_range *range) 725{ 726 struct nlattr *tb[CTA_NAT_MAX+1]; 727 int err; 728 729 memset(range, 0, sizeof(*range)); 730 731 err = nla_parse_nested(tb, CTA_NAT_MAX, nat, nat_nla_policy); 732 if (err < 0) 733 return err; 734 735 if (tb[CTA_NAT_MINIP]) 736 range->min_ip = nla_get_be32(tb[CTA_NAT_MINIP]); 737 738 if (!tb[CTA_NAT_MAXIP]) 739 range->max_ip = range->min_ip; 740 else 741 range->max_ip = nla_get_be32(tb[CTA_NAT_MAXIP]); 742 743 if (range->min_ip) 744 range->flags |= IP_NAT_RANGE_MAP_IPS; 745 746 if (!tb[CTA_NAT_PROTO]) 747 return 0; 748 749 err = nfnetlink_parse_nat_proto(tb[CTA_NAT_PROTO], ct, range); 750 if (err < 0) 751 return err; 752 753 return 0; 754} 755#endif 756 757static inline int 758ctnetlink_parse_help(struct nlattr *attr, char **helper_name) 759{ 760 struct nlattr *tb[CTA_HELP_MAX+1]; 761 762 nla_parse_nested(tb, CTA_HELP_MAX, attr, NULL); 763 764 if (!tb[CTA_HELP_NAME]) 765 return -EINVAL; 766 767 *helper_name = nla_data(tb[CTA_HELP_NAME]); 768 769 return 0; 770} 771 772static const struct nla_policy ct_nla_policy[CTA_MAX+1] = { 773 [CTA_STATUS] = { .type = NLA_U32 }, 774 [CTA_TIMEOUT] = { .type = NLA_U32 }, 775 [CTA_MARK] = { .type = NLA_U32 }, 776 [CTA_USE] = { .type = NLA_U32 }, 777 [CTA_ID] = { .type = NLA_U32 }, 778}; 779 780static int 781ctnetlink_del_conntrack(struct sock *ctnl, struct sk_buff *skb, 782 struct nlmsghdr *nlh, struct nlattr *cda[]) 783{ 784 struct nf_conntrack_tuple_hash *h; 785 struct nf_conntrack_tuple tuple; 786 struct nf_conn *ct; 787 struct nfgenmsg *nfmsg = NLMSG_DATA(nlh); 788 u_int8_t u3 = nfmsg->nfgen_family; 789 int err = 0; 790 791 if (cda[CTA_TUPLE_ORIG]) 792 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, u3); 793 else if (cda[CTA_TUPLE_REPLY]) 794 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY, u3); 795 else { 796 /* Flush the whole table */ 797 nf_conntrack_flush(); 798 return 0; 799 } 800 801 if (err < 0) 802 return err; 803 804 h = nf_conntrack_find_get(&tuple); 805 if (!h) 806 return -ENOENT; 807 808 ct = nf_ct_tuplehash_to_ctrack(h); 809 810 if (cda[CTA_ID]) { 811 u_int32_t id = ntohl(nla_get_be32(cda[CTA_ID])); 812 if (id != (u32)(unsigned long)ct) { 813 nf_ct_put(ct); 814 return -ENOENT; 815 } 816 } 817 818 nf_ct_kill(ct); 819 nf_ct_put(ct); 820 821 return 0; 822} 823 824static int 825ctnetlink_get_conntrack(struct sock *ctnl, struct sk_buff *skb, 826 struct nlmsghdr *nlh, struct nlattr *cda[]) 827{ 828 struct nf_conntrack_tuple_hash *h; 829 struct nf_conntrack_tuple tuple; 830 struct nf_conn *ct; 831 struct sk_buff *skb2 = NULL; 832 struct nfgenmsg *nfmsg = NLMSG_DATA(nlh); 833 u_int8_t u3 = nfmsg->nfgen_family; 834 int err = 0; 835 836 if (nlh->nlmsg_flags & NLM_F_DUMP) 837 return netlink_dump_start(ctnl, skb, nlh, ctnetlink_dump_table, 838 ctnetlink_done); 839 840 if (cda[CTA_TUPLE_ORIG]) 841 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, u3); 842 else if (cda[CTA_TUPLE_REPLY]) 843 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY, u3); 844 else 845 return -EINVAL; 846 847 if (err < 0) 848 return err; 849 850 h = nf_conntrack_find_get(&tuple); 851 if (!h) 852 return -ENOENT; 853 854 ct = nf_ct_tuplehash_to_ctrack(h); 855 856 err = -ENOMEM; 857 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL); 858 if (!skb2) { 859 nf_ct_put(ct); 860 return -ENOMEM; 861 } 862 863 err = ctnetlink_fill_info(skb2, NETLINK_CB(skb).pid, nlh->nlmsg_seq, 864 IPCTNL_MSG_CT_NEW, 1, ct); 865 nf_ct_put(ct); 866 if (err <= 0) 867 goto free; 868 869 err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT); 870 if (err < 0) 871 goto out; 872 873 return 0; 874 875free: 876 kfree_skb(skb2); 877out: 878 return err; 879} 880 881static int 882ctnetlink_change_status(struct nf_conn *ct, struct nlattr *cda[]) 883{ 884 unsigned long d; 885 unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS])); 886 d = ct->status ^ status; 887 888 if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING)) 889 /* unchangeable */ 890 return -EBUSY; 891 892 if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY)) 893 /* SEEN_REPLY bit can only be set */ 894 return -EBUSY; 895 896 if (d & IPS_ASSURED && !(status & IPS_ASSURED)) 897 /* ASSURED bit can only be set */ 898 return -EBUSY; 899 900 if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST]) { 901#ifndef CONFIG_NF_NAT_NEEDED 902 return -EOPNOTSUPP; 903#else 904 struct nf_nat_range range; 905 906 if (cda[CTA_NAT_DST]) { 907 if (nfnetlink_parse_nat(cda[CTA_NAT_DST], ct, 908 &range) < 0) 909 return -EINVAL; 910 if (nf_nat_initialized(ct, IP_NAT_MANIP_DST)) 911 return -EEXIST; 912 nf_nat_setup_info(ct, &range, IP_NAT_MANIP_DST); 913 } 914 if (cda[CTA_NAT_SRC]) { 915 if (nfnetlink_parse_nat(cda[CTA_NAT_SRC], ct, 916 &range) < 0) 917 return -EINVAL; 918 if (nf_nat_initialized(ct, IP_NAT_MANIP_SRC)) 919 return -EEXIST; 920 nf_nat_setup_info(ct, &range, IP_NAT_MANIP_SRC); 921 } 922#endif 923 } 924 925 /* Be careful here, modifying NAT bits can screw up things, 926 * so don't let users modify them directly if they don't pass 927 * nf_nat_range. */ 928 ct->status |= status & ~(IPS_NAT_DONE_MASK | IPS_NAT_MASK); 929 return 0; 930} 931 932 933static inline int 934ctnetlink_change_helper(struct nf_conn *ct, struct nlattr *cda[]) 935{ 936 struct nf_conntrack_helper *helper; 937 struct nf_conn_help *help = nfct_help(ct); 938 char *helpname; 939 int err; 940 941 /* don't change helper of sibling connections */ 942 if (ct->master) 943 return -EBUSY; 944 945 err = ctnetlink_parse_help(cda[CTA_HELP], &helpname); 946 if (err < 0) 947 return err; 948 949 if (!strcmp(helpname, "")) { 950 if (help && help->helper) { 951 /* we had a helper before ... */ 952 nf_ct_remove_expectations(ct); 953 rcu_assign_pointer(help->helper, NULL); 954 } 955 956 return 0; 957 } 958 959 helper = __nf_conntrack_helper_find_byname(helpname); 960 if (helper == NULL) 961 return -EOPNOTSUPP; 962 963 if (help) { 964 if (help->helper == helper) 965 return 0; 966 if (help->helper) 967 return -EBUSY; 968 /* need to zero data of old helper */ 969 memset(&help->help, 0, sizeof(help->help)); 970 } else { 971 help = nf_ct_helper_ext_add(ct, GFP_KERNEL); 972 if (help == NULL) 973 return -ENOMEM; 974 } 975 976 rcu_assign_pointer(help->helper, helper); 977 978 return 0; 979} 980 981static inline int 982ctnetlink_change_timeout(struct nf_conn *ct, struct nlattr *cda[]) 983{ 984 u_int32_t timeout = ntohl(nla_get_be32(cda[CTA_TIMEOUT])); 985 986 if (!del_timer(&ct->timeout)) 987 return -ETIME; 988 989 ct->timeout.expires = jiffies + timeout * HZ; 990 add_timer(&ct->timeout); 991 992 return 0; 993} 994 995static inline int 996ctnetlink_change_protoinfo(struct nf_conn *ct, struct nlattr *cda[]) 997{ 998 struct nlattr *tb[CTA_PROTOINFO_MAX+1], *attr = cda[CTA_PROTOINFO]; 999 struct nf_conntrack_l4proto *l4proto; 1000 int err = 0; 1001 1002 nla_parse_nested(tb, CTA_PROTOINFO_MAX, attr, NULL); 1003 1004 l4proto = nf_ct_l4proto_find_get(nf_ct_l3num(ct), nf_ct_protonum(ct)); 1005 if (l4proto->from_nlattr) 1006 err = l4proto->from_nlattr(tb, ct); 1007 nf_ct_l4proto_put(l4proto); 1008 1009 return err; 1010} 1011 1012#ifdef CONFIG_NF_NAT_NEEDED 1013static inline int 1014change_nat_seq_adj(struct nf_nat_seq *natseq, struct nlattr *attr) 1015{ 1016 struct nlattr *cda[CTA_NAT_SEQ_MAX+1]; 1017 1018 nla_parse_nested(cda, CTA_NAT_SEQ_MAX, attr, NULL); 1019 1020 if (!cda[CTA_NAT_SEQ_CORRECTION_POS]) 1021 return -EINVAL; 1022 1023 natseq->correction_pos = 1024 ntohl(nla_get_be32(cda[CTA_NAT_SEQ_CORRECTION_POS])); 1025 1026 if (!cda[CTA_NAT_SEQ_OFFSET_BEFORE]) 1027 return -EINVAL; 1028 1029 natseq->offset_before = 1030 ntohl(nla_get_be32(cda[CTA_NAT_SEQ_OFFSET_BEFORE])); 1031 1032 if (!cda[CTA_NAT_SEQ_OFFSET_AFTER]) 1033 return -EINVAL; 1034 1035 natseq->offset_after = 1036 ntohl(nla_get_be32(cda[CTA_NAT_SEQ_OFFSET_AFTER])); 1037 1038 return 0; 1039} 1040 1041static int 1042ctnetlink_change_nat_seq_adj(struct nf_conn *ct, struct nlattr *cda[]) 1043{ 1044 int ret = 0; 1045 struct nf_conn_nat *nat = nfct_nat(ct); 1046 1047 if (!nat) 1048 return 0; 1049 1050 if (cda[CTA_NAT_SEQ_ADJ_ORIG]) { 1051 ret = change_nat_seq_adj(&nat->seq[IP_CT_DIR_ORIGINAL], 1052 cda[CTA_NAT_SEQ_ADJ_ORIG]); 1053 if (ret < 0) 1054 return ret; 1055 1056 ct->status |= IPS_SEQ_ADJUST; 1057 } 1058 1059 if (cda[CTA_NAT_SEQ_ADJ_REPLY]) { 1060 ret = change_nat_seq_adj(&nat->seq[IP_CT_DIR_REPLY], 1061 cda[CTA_NAT_SEQ_ADJ_REPLY]); 1062 if (ret < 0) 1063 return ret; 1064 1065 ct->status |= IPS_SEQ_ADJUST; 1066 } 1067 1068 return 0; 1069} 1070#endif 1071 1072static int 1073ctnetlink_change_conntrack(struct nf_conn *ct, struct nlattr *cda[]) 1074{ 1075 int err; 1076 1077 if (cda[CTA_HELP]) { 1078 err = ctnetlink_change_helper(ct, cda); 1079 if (err < 0) 1080 return err; 1081 } 1082 1083 if (cda[CTA_TIMEOUT]) { 1084 err = ctnetlink_change_timeout(ct, cda); 1085 if (err < 0) 1086 return err; 1087 } 1088 1089 if (cda[CTA_STATUS]) { 1090 err = ctnetlink_change_status(ct, cda); 1091 if (err < 0) 1092 return err; 1093 } 1094 1095 if (cda[CTA_PROTOINFO]) { 1096 err = ctnetlink_change_protoinfo(ct, cda); 1097 if (err < 0) 1098 return err; 1099 } 1100 1101#if defined(CONFIG_NF_CONNTRACK_MARK) 1102 if (cda[CTA_MARK]) 1103 ct->mark = ntohl(nla_get_be32(cda[CTA_MARK])); 1104#endif 1105 1106#ifdef CONFIG_NF_NAT_NEEDED 1107 if (cda[CTA_NAT_SEQ_ADJ_ORIG] || cda[CTA_NAT_SEQ_ADJ_REPLY]) { 1108 err = ctnetlink_change_nat_seq_adj(ct, cda); 1109 if (err < 0) 1110 return err; 1111 } 1112#endif 1113 1114 return 0; 1115} 1116 1117static int 1118ctnetlink_create_conntrack(struct nlattr *cda[], 1119 struct nf_conntrack_tuple *otuple, 1120 struct nf_conntrack_tuple *rtuple, 1121 struct nf_conn *master_ct) 1122{ 1123 struct nf_conn *ct; 1124 int err = -EINVAL; 1125 struct nf_conn_help *help; 1126 struct nf_conntrack_helper *helper; 1127 1128 ct = nf_conntrack_alloc(otuple, rtuple, GFP_KERNEL); 1129 if (ct == NULL || IS_ERR(ct)) 1130 return -ENOMEM; 1131 1132 if (!cda[CTA_TIMEOUT]) 1133 goto err; 1134 ct->timeout.expires = ntohl(nla_get_be32(cda[CTA_TIMEOUT])); 1135 1136 ct->timeout.expires = jiffies + ct->timeout.expires * HZ; 1137 ct->status |= IPS_CONFIRMED; 1138 1139 rcu_read_lock(); 1140 helper = __nf_ct_helper_find(rtuple); 1141 if (helper) { 1142 help = nf_ct_helper_ext_add(ct, GFP_ATOMIC); 1143 if (help == NULL) { 1144 rcu_read_unlock(); 1145 err = -ENOMEM; 1146 goto err; 1147 } 1148 /* not in hash table yet so not strictly necessary */ 1149 rcu_assign_pointer(help->helper, helper); 1150 } 1151 1152 if (cda[CTA_STATUS]) { 1153 err = ctnetlink_change_status(ct, cda); 1154 if (err < 0) { 1155 rcu_read_unlock(); 1156 goto err; 1157 } 1158 } 1159 1160 if (cda[CTA_PROTOINFO]) { 1161 err = ctnetlink_change_protoinfo(ct, cda); 1162 if (err < 0) { 1163 rcu_read_unlock(); 1164 goto err; 1165 } 1166 } 1167 1168 nf_ct_acct_ext_add(ct, GFP_KERNEL); 1169 1170#if defined(CONFIG_NF_CONNTRACK_MARK) 1171 if (cda[CTA_MARK]) 1172 ct->mark = ntohl(nla_get_be32(cda[CTA_MARK])); 1173#endif 1174 1175 /* setup master conntrack: this is a confirmed expectation */ 1176 if (master_ct) { 1177 __set_bit(IPS_EXPECTED_BIT, &ct->status); 1178 ct->master = master_ct; 1179 } 1180 1181 add_timer(&ct->timeout); 1182 nf_conntrack_hash_insert(ct); 1183 rcu_read_unlock(); 1184 1185 return 0; 1186 1187err: 1188 nf_conntrack_free(ct); 1189 return err; 1190} 1191 1192static int 1193ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb, 1194 struct nlmsghdr *nlh, struct nlattr *cda[]) 1195{ 1196 struct nf_conntrack_tuple otuple, rtuple; 1197 struct nf_conntrack_tuple_hash *h = NULL; 1198 struct nfgenmsg *nfmsg = NLMSG_DATA(nlh); 1199 u_int8_t u3 = nfmsg->nfgen_family; 1200 int err = 0; 1201 1202 if (cda[CTA_TUPLE_ORIG]) { 1203 err = ctnetlink_parse_tuple(cda, &otuple, CTA_TUPLE_ORIG, u3); 1204 if (err < 0) 1205 return err; 1206 } 1207 1208 if (cda[CTA_TUPLE_REPLY]) { 1209 err = ctnetlink_parse_tuple(cda, &rtuple, CTA_TUPLE_REPLY, u3); 1210 if (err < 0) 1211 return err; 1212 } 1213 1214 spin_lock_bh(&nf_conntrack_lock); 1215 if (cda[CTA_TUPLE_ORIG]) 1216 h = __nf_conntrack_find(&otuple); 1217 else if (cda[CTA_TUPLE_REPLY]) 1218 h = __nf_conntrack_find(&rtuple); 1219 1220 if (h == NULL) { 1221 struct nf_conntrack_tuple master; 1222 struct nf_conntrack_tuple_hash *master_h = NULL; 1223 struct nf_conn *master_ct = NULL; 1224 1225 if (cda[CTA_TUPLE_MASTER]) { 1226 err = ctnetlink_parse_tuple(cda, 1227 &master, 1228 CTA_TUPLE_MASTER, 1229 u3); 1230 if (err < 0) 1231 goto out_unlock; 1232 1233 master_h = __nf_conntrack_find(&master); 1234 if (master_h == NULL) { 1235 err = -ENOENT; 1236 goto out_unlock; 1237 } 1238 master_ct = nf_ct_tuplehash_to_ctrack(master_h); 1239 atomic_inc(&master_ct->ct_general.use); 1240 } 1241 1242 spin_unlock_bh(&nf_conntrack_lock); 1243 err = -ENOENT; 1244 if (nlh->nlmsg_flags & NLM_F_CREATE) 1245 err = ctnetlink_create_conntrack(cda, 1246 &otuple, 1247 &rtuple, 1248 master_ct); 1249 if (err < 0 && master_ct) 1250 nf_ct_put(master_ct); 1251 1252 return err; 1253 } 1254 /* implicit 'else' */ 1255 1256 /* We manipulate the conntrack inside the global conntrack table lock, 1257 * so there's no need to increase the refcount */ 1258 err = -EEXIST; 1259 if (!(nlh->nlmsg_flags & NLM_F_EXCL)) { 1260 /* we only allow nat config for new conntracks */ 1261 if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST]) { 1262 err = -EOPNOTSUPP; 1263 goto out_unlock; 1264 } 1265 /* can't link an existing conntrack to a master */ 1266 if (cda[CTA_TUPLE_MASTER]) { 1267 err = -EOPNOTSUPP; 1268 goto out_unlock; 1269 } 1270 err = ctnetlink_change_conntrack(nf_ct_tuplehash_to_ctrack(h), 1271 cda); 1272 } 1273 1274out_unlock: 1275 spin_unlock_bh(&nf_conntrack_lock); 1276 return err; 1277} 1278 1279/*********************************************************************** 1280 * EXPECT 1281 ***********************************************************************/ 1282 1283static inline int 1284ctnetlink_exp_dump_tuple(struct sk_buff *skb, 1285 const struct nf_conntrack_tuple *tuple, 1286 enum ctattr_expect type) 1287{ 1288 struct nlattr *nest_parms; 1289 1290 nest_parms = nla_nest_start(skb, type | NLA_F_NESTED); 1291 if (!nest_parms) 1292 goto nla_put_failure; 1293 if (ctnetlink_dump_tuples(skb, tuple) < 0) 1294 goto nla_put_failure; 1295 nla_nest_end(skb, nest_parms); 1296 1297 return 0; 1298 1299nla_put_failure: 1300 return -1; 1301} 1302 1303static inline int 1304ctnetlink_exp_dump_mask(struct sk_buff *skb, 1305 const struct nf_conntrack_tuple *tuple, 1306 const struct nf_conntrack_tuple_mask *mask) 1307{ 1308 int ret; 1309 struct nf_conntrack_l3proto *l3proto; 1310 struct nf_conntrack_l4proto *l4proto; 1311 struct nf_conntrack_tuple m; 1312 struct nlattr *nest_parms; 1313 1314 memset(&m, 0xFF, sizeof(m)); 1315 m.src.u.all = mask->src.u.all; 1316 memcpy(&m.src.u3, &mask->src.u3, sizeof(m.src.u3)); 1317 1318 nest_parms = nla_nest_start(skb, CTA_EXPECT_MASK | NLA_F_NESTED); 1319 if (!nest_parms) 1320 goto nla_put_failure; 1321 1322 l3proto = nf_ct_l3proto_find_get(tuple->src.l3num); 1323 ret = ctnetlink_dump_tuples_ip(skb, &m, l3proto); 1324 nf_ct_l3proto_put(l3proto); 1325 1326 if (unlikely(ret < 0)) 1327 goto nla_put_failure; 1328 1329 l4proto = nf_ct_l4proto_find_get(tuple->src.l3num, tuple->dst.protonum); 1330 ret = ctnetlink_dump_tuples_proto(skb, &m, l4proto); 1331 nf_ct_l4proto_put(l4proto); 1332 if (unlikely(ret < 0)) 1333 goto nla_put_failure; 1334 1335 nla_nest_end(skb, nest_parms); 1336 1337 return 0; 1338 1339nla_put_failure: 1340 return -1; 1341} 1342 1343static int 1344ctnetlink_exp_dump_expect(struct sk_buff *skb, 1345 const struct nf_conntrack_expect *exp) 1346{ 1347 struct nf_conn *master = exp->master; 1348 long timeout = (exp->timeout.expires - jiffies) / HZ; 1349 1350 if (timeout < 0) 1351 timeout = 0; 1352 1353 if (ctnetlink_exp_dump_tuple(skb, &exp->tuple, CTA_EXPECT_TUPLE) < 0) 1354 goto nla_put_failure; 1355 if (ctnetlink_exp_dump_mask(skb, &exp->tuple, &exp->mask) < 0) 1356 goto nla_put_failure; 1357 if (ctnetlink_exp_dump_tuple(skb, 1358 &master->tuplehash[IP_CT_DIR_ORIGINAL].tuple, 1359 CTA_EXPECT_MASTER) < 0) 1360 goto nla_put_failure; 1361 1362 NLA_PUT_BE32(skb, CTA_EXPECT_TIMEOUT, htonl(timeout)); 1363 NLA_PUT_BE32(skb, CTA_EXPECT_ID, htonl((unsigned long)exp)); 1364 1365 return 0; 1366 1367nla_put_failure: 1368 return -1; 1369} 1370 1371static int 1372ctnetlink_exp_fill_info(struct sk_buff *skb, u32 pid, u32 seq, 1373 int event, 1374 int nowait, 1375 const struct nf_conntrack_expect *exp) 1376{ 1377 struct nlmsghdr *nlh; 1378 struct nfgenmsg *nfmsg; 1379 unsigned char *b = skb_tail_pointer(skb); 1380 1381 event |= NFNL_SUBSYS_CTNETLINK_EXP << 8; 1382 nlh = NLMSG_PUT(skb, pid, seq, event, sizeof(struct nfgenmsg)); 1383 nfmsg = NLMSG_DATA(nlh); 1384 1385 nlh->nlmsg_flags = (nowait && pid) ? NLM_F_MULTI : 0; 1386 nfmsg->nfgen_family = exp->tuple.src.l3num; 1387 nfmsg->version = NFNETLINK_V0; 1388 nfmsg->res_id = 0; 1389 1390 if (ctnetlink_exp_dump_expect(skb, exp) < 0) 1391 goto nla_put_failure; 1392 1393 nlh->nlmsg_len = skb_tail_pointer(skb) - b; 1394 return skb->len; 1395 1396nlmsg_failure: 1397nla_put_failure: 1398 nlmsg_trim(skb, b); 1399 return -1; 1400} 1401 1402#ifdef CONFIG_NF_CONNTRACK_EVENTS 1403static int ctnetlink_expect_event(struct notifier_block *this, 1404 unsigned long events, void *ptr) 1405{ 1406 struct nlmsghdr *nlh; 1407 struct nfgenmsg *nfmsg; 1408 struct nf_conntrack_expect *exp = (struct nf_conntrack_expect *)ptr; 1409 struct sk_buff *skb; 1410 unsigned int type; 1411 sk_buff_data_t b; 1412 int flags = 0; 1413 1414 if (events & IPEXP_NEW) { 1415 type = IPCTNL_MSG_EXP_NEW; 1416 flags = NLM_F_CREATE|NLM_F_EXCL; 1417 } else 1418 return NOTIFY_DONE; 1419 1420 if (!nfnetlink_has_listeners(NFNLGRP_CONNTRACK_EXP_NEW)) 1421 return NOTIFY_DONE; 1422 1423 skb = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); 1424 if (!skb) 1425 return NOTIFY_DONE; 1426 1427 b = skb->tail; 1428 1429 type |= NFNL_SUBSYS_CTNETLINK_EXP << 8; 1430 nlh = NLMSG_PUT(skb, 0, 0, type, sizeof(struct nfgenmsg)); 1431 nfmsg = NLMSG_DATA(nlh); 1432 1433 nlh->nlmsg_flags = flags; 1434 nfmsg->nfgen_family = exp->tuple.src.l3num; 1435 nfmsg->version = NFNETLINK_V0; 1436 nfmsg->res_id = 0; 1437 1438 if (ctnetlink_exp_dump_expect(skb, exp) < 0) 1439 goto nla_put_failure; 1440 1441 nlh->nlmsg_len = skb->tail - b; 1442 nfnetlink_send(skb, 0, NFNLGRP_CONNTRACK_EXP_NEW, 0); 1443 return NOTIFY_DONE; 1444 1445nlmsg_failure: 1446nla_put_failure: 1447 kfree_skb(skb); 1448 return NOTIFY_DONE; 1449} 1450#endif 1451static int ctnetlink_exp_done(struct netlink_callback *cb) 1452{ 1453 if (cb->args[1]) 1454 nf_ct_expect_put((struct nf_conntrack_expect *)cb->args[1]); 1455 return 0; 1456} 1457 1458static int 1459ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) 1460{ 1461 struct nf_conntrack_expect *exp, *last; 1462 struct nfgenmsg *nfmsg = NLMSG_DATA(cb->nlh); 1463 struct hlist_node *n; 1464 u_int8_t l3proto = nfmsg->nfgen_family; 1465 1466 rcu_read_lock(); 1467 last = (struct nf_conntrack_expect *)cb->args[1]; 1468 for (; cb->args[0] < nf_ct_expect_hsize; cb->args[0]++) { 1469restart: 1470 hlist_for_each_entry(exp, n, &nf_ct_expect_hash[cb->args[0]], 1471 hnode) { 1472 if (l3proto && exp->tuple.src.l3num != l3proto) 1473 continue; 1474 if (cb->args[1]) { 1475 if (exp != last) 1476 continue; 1477 cb->args[1] = 0; 1478 } 1479 if (ctnetlink_exp_fill_info(skb, NETLINK_CB(cb->skb).pid, 1480 cb->nlh->nlmsg_seq, 1481 IPCTNL_MSG_EXP_NEW, 1482 1, exp) < 0) { 1483 if (!atomic_inc_not_zero(&exp->use)) 1484 continue; 1485 cb->args[1] = (unsigned long)exp; 1486 goto out; 1487 } 1488 } 1489 if (cb->args[1]) { 1490 cb->args[1] = 0; 1491 goto restart; 1492 } 1493 } 1494out: 1495 rcu_read_unlock(); 1496 if (last) 1497 nf_ct_expect_put(last); 1498 1499 return skb->len; 1500} 1501 1502static const struct nla_policy exp_nla_policy[CTA_EXPECT_MAX+1] = { 1503 [CTA_EXPECT_TIMEOUT] = { .type = NLA_U32 }, 1504 [CTA_EXPECT_ID] = { .type = NLA_U32 }, 1505}; 1506 1507static int 1508ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb, 1509 struct nlmsghdr *nlh, struct nlattr *cda[]) 1510{ 1511 struct nf_conntrack_tuple tuple; 1512 struct nf_conntrack_expect *exp; 1513 struct sk_buff *skb2; 1514 struct nfgenmsg *nfmsg = NLMSG_DATA(nlh); 1515 u_int8_t u3 = nfmsg->nfgen_family; 1516 int err = 0; 1517 1518 if (nlh->nlmsg_flags & NLM_F_DUMP) { 1519 return netlink_dump_start(ctnl, skb, nlh, 1520 ctnetlink_exp_dump_table, 1521 ctnetlink_exp_done); 1522 } 1523 1524 if (cda[CTA_EXPECT_MASTER]) 1525 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER, u3); 1526 else 1527 return -EINVAL; 1528 1529 if (err < 0) 1530 return err; 1531 1532 exp = nf_ct_expect_find_get(&tuple); 1533 if (!exp) 1534 return -ENOENT; 1535 1536 if (cda[CTA_EXPECT_ID]) { 1537 __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]); 1538 if (ntohl(id) != (u32)(unsigned long)exp) { 1539 nf_ct_expect_put(exp); 1540 return -ENOENT; 1541 } 1542 } 1543 1544 err = -ENOMEM; 1545 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL); 1546 if (!skb2) 1547 goto out; 1548 1549 err = ctnetlink_exp_fill_info(skb2, NETLINK_CB(skb).pid, 1550 nlh->nlmsg_seq, IPCTNL_MSG_EXP_NEW, 1551 1, exp); 1552 if (err <= 0) 1553 goto free; 1554 1555 nf_ct_expect_put(exp); 1556 1557 return netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT); 1558 1559free: 1560 kfree_skb(skb2); 1561out: 1562 nf_ct_expect_put(exp); 1563 return err; 1564} 1565 1566static int 1567ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb, 1568 struct nlmsghdr *nlh, struct nlattr *cda[]) 1569{ 1570 struct nf_conntrack_expect *exp; 1571 struct nf_conntrack_tuple tuple; 1572 struct nf_conntrack_helper *h; 1573 struct nfgenmsg *nfmsg = NLMSG_DATA(nlh); 1574 struct hlist_node *n, *next; 1575 u_int8_t u3 = nfmsg->nfgen_family; 1576 unsigned int i; 1577 int err; 1578 1579 if (cda[CTA_EXPECT_TUPLE]) { 1580 /* delete a single expect by tuple */ 1581 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, u3); 1582 if (err < 0) 1583 return err; 1584 1585 /* bump usage count to 2 */ 1586 exp = nf_ct_expect_find_get(&tuple); 1587 if (!exp) 1588 return -ENOENT; 1589 1590 if (cda[CTA_EXPECT_ID]) { 1591 __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]); 1592 if (ntohl(id) != (u32)(unsigned long)exp) { 1593 nf_ct_expect_put(exp); 1594 return -ENOENT; 1595 } 1596 } 1597 1598 /* after list removal, usage count == 1 */ 1599 nf_ct_unexpect_related(exp); 1600 /* have to put what we 'get' above. 1601 * after this line usage count == 0 */ 1602 nf_ct_expect_put(exp); 1603 } else if (cda[CTA_EXPECT_HELP_NAME]) { 1604 char *name = nla_data(cda[CTA_EXPECT_HELP_NAME]); 1605 struct nf_conn_help *m_help; 1606 1607 /* delete all expectations for this helper */ 1608 spin_lock_bh(&nf_conntrack_lock); 1609 h = __nf_conntrack_helper_find_byname(name); 1610 if (!h) { 1611 spin_unlock_bh(&nf_conntrack_lock); 1612 return -EOPNOTSUPP; 1613 } 1614 for (i = 0; i < nf_ct_expect_hsize; i++) { 1615 hlist_for_each_entry_safe(exp, n, next, 1616 &nf_ct_expect_hash[i], 1617 hnode) { 1618 m_help = nfct_help(exp->master); 1619 if (m_help->helper == h 1620 && del_timer(&exp->timeout)) { 1621 nf_ct_unlink_expect(exp); 1622 nf_ct_expect_put(exp); 1623 } 1624 } 1625 } 1626 spin_unlock_bh(&nf_conntrack_lock); 1627 } else { 1628 /* This basically means we have to flush everything*/ 1629 spin_lock_bh(&nf_conntrack_lock); 1630 for (i = 0; i < nf_ct_expect_hsize; i++) { 1631 hlist_for_each_entry_safe(exp, n, next, 1632 &nf_ct_expect_hash[i], 1633 hnode) { 1634 if (del_timer(&exp->timeout)) { 1635 nf_ct_unlink_expect(exp); 1636 nf_ct_expect_put(exp); 1637 } 1638 } 1639 } 1640 spin_unlock_bh(&nf_conntrack_lock); 1641 } 1642 1643 return 0; 1644} 1645static int 1646ctnetlink_change_expect(struct nf_conntrack_expect *x, struct nlattr *cda[]) 1647{ 1648 return -EOPNOTSUPP; 1649} 1650 1651static int 1652ctnetlink_create_expect(struct nlattr *cda[], u_int8_t u3) 1653{ 1654 struct nf_conntrack_tuple tuple, mask, master_tuple; 1655 struct nf_conntrack_tuple_hash *h = NULL; 1656 struct nf_conntrack_expect *exp; 1657 struct nf_conn *ct; 1658 struct nf_conn_help *help; 1659 int err = 0; 1660 1661 /* caller guarantees that those three CTA_EXPECT_* exist */ 1662 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, u3); 1663 if (err < 0) 1664 return err; 1665 err = ctnetlink_parse_tuple(cda, &mask, CTA_EXPECT_MASK, u3); 1666 if (err < 0) 1667 return err; 1668 err = ctnetlink_parse_tuple(cda, &master_tuple, CTA_EXPECT_MASTER, u3); 1669 if (err < 0) 1670 return err; 1671 1672 /* Look for master conntrack of this expectation */ 1673 h = nf_conntrack_find_get(&master_tuple); 1674 if (!h) 1675 return -ENOENT; 1676 ct = nf_ct_tuplehash_to_ctrack(h); 1677 help = nfct_help(ct); 1678 1679 if (!help || !help->helper) { 1680 /* such conntrack hasn't got any helper, abort */ 1681 err = -EINVAL; 1682 goto out; 1683 } 1684 1685 exp = nf_ct_expect_alloc(ct); 1686 if (!exp) { 1687 err = -ENOMEM; 1688 goto out; 1689 } 1690 1691 exp->expectfn = NULL; 1692 exp->flags = 0; 1693 exp->master = ct; 1694 exp->helper = NULL; 1695 memcpy(&exp->tuple, &tuple, sizeof(struct nf_conntrack_tuple)); 1696 memcpy(&exp->mask.src.u3, &mask.src.u3, sizeof(exp->mask.src.u3)); 1697 exp->mask.src.u.all = mask.src.u.all; 1698 1699 err = nf_ct_expect_related(exp); 1700 nf_ct_expect_put(exp); 1701 1702out: 1703 nf_ct_put(nf_ct_tuplehash_to_ctrack(h)); 1704 return err; 1705} 1706 1707static int 1708ctnetlink_new_expect(struct sock *ctnl, struct sk_buff *skb, 1709 struct nlmsghdr *nlh, struct nlattr *cda[]) 1710{ 1711 struct nf_conntrack_tuple tuple; 1712 struct nf_conntrack_expect *exp; 1713 struct nfgenmsg *nfmsg = NLMSG_DATA(nlh); 1714 u_int8_t u3 = nfmsg->nfgen_family; 1715 int err = 0; 1716 1717 if (!cda[CTA_EXPECT_TUPLE] 1718 || !cda[CTA_EXPECT_MASK] 1719 || !cda[CTA_EXPECT_MASTER]) 1720 return -EINVAL; 1721 1722 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, u3); 1723 if (err < 0) 1724 return err; 1725 1726 spin_lock_bh(&nf_conntrack_lock); 1727 exp = __nf_ct_expect_find(&tuple); 1728 1729 if (!exp) { 1730 spin_unlock_bh(&nf_conntrack_lock); 1731 err = -ENOENT; 1732 if (nlh->nlmsg_flags & NLM_F_CREATE) 1733 err = ctnetlink_create_expect(cda, u3); 1734 return err; 1735 } 1736 1737 err = -EEXIST; 1738 if (!(nlh->nlmsg_flags & NLM_F_EXCL)) 1739 err = ctnetlink_change_expect(exp, cda); 1740 spin_unlock_bh(&nf_conntrack_lock); 1741 1742 return err; 1743} 1744 1745#ifdef CONFIG_NF_CONNTRACK_EVENTS 1746static struct notifier_block ctnl_notifier = { 1747 .notifier_call = ctnetlink_conntrack_event, 1748}; 1749 1750static struct notifier_block ctnl_notifier_exp = { 1751 .notifier_call = ctnetlink_expect_event, 1752}; 1753#endif 1754 1755static const struct nfnl_callback ctnl_cb[IPCTNL_MSG_MAX] = { 1756 [IPCTNL_MSG_CT_NEW] = { .call = ctnetlink_new_conntrack, 1757 .attr_count = CTA_MAX, 1758 .policy = ct_nla_policy }, 1759 [IPCTNL_MSG_CT_GET] = { .call = ctnetlink_get_conntrack, 1760 .attr_count = CTA_MAX, 1761 .policy = ct_nla_policy }, 1762 [IPCTNL_MSG_CT_DELETE] = { .call = ctnetlink_del_conntrack, 1763 .attr_count = CTA_MAX, 1764 .policy = ct_nla_policy }, 1765 [IPCTNL_MSG_CT_GET_CTRZERO] = { .call = ctnetlink_get_conntrack, 1766 .attr_count = CTA_MAX, 1767 .policy = ct_nla_policy }, 1768}; 1769 1770static const struct nfnl_callback ctnl_exp_cb[IPCTNL_MSG_EXP_MAX] = { 1771 [IPCTNL_MSG_EXP_GET] = { .call = ctnetlink_get_expect, 1772 .attr_count = CTA_EXPECT_MAX, 1773 .policy = exp_nla_policy }, 1774 [IPCTNL_MSG_EXP_NEW] = { .call = ctnetlink_new_expect, 1775 .attr_count = CTA_EXPECT_MAX, 1776 .policy = exp_nla_policy }, 1777 [IPCTNL_MSG_EXP_DELETE] = { .call = ctnetlink_del_expect, 1778 .attr_count = CTA_EXPECT_MAX, 1779 .policy = exp_nla_policy }, 1780}; 1781 1782static const struct nfnetlink_subsystem ctnl_subsys = { 1783 .name = "conntrack", 1784 .subsys_id = NFNL_SUBSYS_CTNETLINK, 1785 .cb_count = IPCTNL_MSG_MAX, 1786 .cb = ctnl_cb, 1787}; 1788 1789static const struct nfnetlink_subsystem ctnl_exp_subsys = { 1790 .name = "conntrack_expect", 1791 .subsys_id = NFNL_SUBSYS_CTNETLINK_EXP, 1792 .cb_count = IPCTNL_MSG_EXP_MAX, 1793 .cb = ctnl_exp_cb, 1794}; 1795 1796MODULE_ALIAS("ip_conntrack_netlink"); 1797MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK); 1798MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK_EXP); 1799 1800static int __init ctnetlink_init(void) 1801{ 1802 int ret; 1803 1804 printk("ctnetlink v%s: registering with nfnetlink.\n", version); 1805 ret = nfnetlink_subsys_register(&ctnl_subsys); 1806 if (ret < 0) { 1807 printk("ctnetlink_init: cannot register with nfnetlink.\n"); 1808 goto err_out; 1809 } 1810 1811 ret = nfnetlink_subsys_register(&ctnl_exp_subsys); 1812 if (ret < 0) { 1813 printk("ctnetlink_init: cannot register exp with nfnetlink.\n"); 1814 goto err_unreg_subsys; 1815 } 1816 1817#ifdef CONFIG_NF_CONNTRACK_EVENTS 1818 ret = nf_conntrack_register_notifier(&ctnl_notifier); 1819 if (ret < 0) { 1820 printk("ctnetlink_init: cannot register notifier.\n"); 1821 goto err_unreg_exp_subsys; 1822 } 1823 1824 ret = nf_ct_expect_register_notifier(&ctnl_notifier_exp); 1825 if (ret < 0) { 1826 printk("ctnetlink_init: cannot expect register notifier.\n"); 1827 goto err_unreg_notifier; 1828 } 1829#endif 1830 1831 return 0; 1832 1833#ifdef CONFIG_NF_CONNTRACK_EVENTS 1834err_unreg_notifier: 1835 nf_conntrack_unregister_notifier(&ctnl_notifier); 1836err_unreg_exp_subsys: 1837 nfnetlink_subsys_unregister(&ctnl_exp_subsys); 1838#endif 1839err_unreg_subsys: 1840 nfnetlink_subsys_unregister(&ctnl_subsys); 1841err_out: 1842 return ret; 1843} 1844 1845static void __exit ctnetlink_exit(void) 1846{ 1847 printk("ctnetlink: unregistering from nfnetlink.\n"); 1848 1849#ifdef CONFIG_NF_CONNTRACK_EVENTS 1850 nf_ct_expect_unregister_notifier(&ctnl_notifier_exp); 1851 nf_conntrack_unregister_notifier(&ctnl_notifier); 1852#endif 1853 1854 nfnetlink_subsys_unregister(&ctnl_exp_subsys); 1855 nfnetlink_subsys_unregister(&ctnl_subsys); 1856 return; 1857} 1858 1859module_init(ctnetlink_init); 1860module_exit(ctnetlink_exit); 1861