1 /* Connection tracking via netlink socket. Allows for user space 2 * protocol helpers and general trouble making from userspace. 3 * 4 * (C) 2001 by Jay Schulist <jschlst@samba.org> 5 * (C) 2002-2006 by Harald Welte <laforge@gnumonks.org> 6 * (C) 2003 by Patrick Mchardy <kaber@trash.net> 7 * (C) 2005-2012 by Pablo Neira Ayuso <pablo@netfilter.org> 8 * 9 * Initial connection tracking via netlink development funded and 10 * generally made possible by Network Robots, Inc. (www.networkrobots.com) 11 * 12 * Further development of this code funded by Astaro AG (http://www.astaro.com) 13 * 14 * This software may be used and distributed according to the terms 15 * of the GNU General Public License, incorporated herein by reference. 16 */ 17 18 #include <linux/init.h> 19 #include <linux/module.h> 20 #include <linux/kernel.h> 21 #include <linux/rculist.h> 22 #include <linux/rculist_nulls.h> 23 #include <linux/types.h> 24 #include <linux/timer.h> 25 #include <linux/security.h> 26 #include <linux/skbuff.h> 27 #include <linux/errno.h> 28 #include <linux/netlink.h> 29 #include <linux/spinlock.h> 30 #include <linux/interrupt.h> 31 #include <linux/slab.h> 32 33 #include <linux/netfilter.h> 34 #include <net/netlink.h> 35 #include <net/sock.h> 36 #include <net/netfilter/nf_conntrack.h> 37 #include <net/netfilter/nf_conntrack_core.h> 38 #include <net/netfilter/nf_conntrack_expect.h> 39 #include <net/netfilter/nf_conntrack_helper.h> 40 #include <net/netfilter/nf_conntrack_seqadj.h> 41 #include <net/netfilter/nf_conntrack_l4proto.h> 42 #include <net/netfilter/nf_conntrack_tuple.h> 43 #include <net/netfilter/nf_conntrack_acct.h> 44 #include <net/netfilter/nf_conntrack_zones.h> 45 #include <net/netfilter/nf_conntrack_timestamp.h> 46 #include <net/netfilter/nf_conntrack_labels.h> 47 #include <net/netfilter/nf_conntrack_synproxy.h> 48 #ifdef CONFIG_NF_NAT_NEEDED 49 #include <net/netfilter/nf_nat_core.h> 50 #include <net/netfilter/nf_nat_l4proto.h> 51 #include <net/netfilter/nf_nat_helper.h> 52 #endif 53 54 #include <linux/netfilter/nfnetlink.h> 55 #include <linux/netfilter/nfnetlink_conntrack.h> 56 57 MODULE_LICENSE("GPL"); 58 59 static int ctnetlink_dump_tuples_proto(struct sk_buff *skb, 60 const struct nf_conntrack_tuple *tuple, 61 const struct nf_conntrack_l4proto *l4proto) 62 { 63 int ret = 0; 64 struct nlattr *nest_parms; 65 66 nest_parms = nla_nest_start(skb, CTA_TUPLE_PROTO | NLA_F_NESTED); 67 if (!nest_parms) 68 goto nla_put_failure; 69 if (nla_put_u8(skb, CTA_PROTO_NUM, tuple->dst.protonum)) 70 goto nla_put_failure; 71 72 if (likely(l4proto->tuple_to_nlattr)) 73 ret = l4proto->tuple_to_nlattr(skb, tuple); 74 75 nla_nest_end(skb, nest_parms); 76 77 return ret; 78 79 nla_put_failure: 80 return -1; 81 } 82 83 static int ipv4_tuple_to_nlattr(struct sk_buff *skb, 84 const struct nf_conntrack_tuple *tuple) 85 { 86 if (nla_put_in_addr(skb, CTA_IP_V4_SRC, tuple->src.u3.ip) || 87 nla_put_in_addr(skb, CTA_IP_V4_DST, tuple->dst.u3.ip)) 88 return -EMSGSIZE; 89 return 0; 90 } 91 92 static int ipv6_tuple_to_nlattr(struct sk_buff *skb, 93 const struct nf_conntrack_tuple *tuple) 94 { 95 if (nla_put_in6_addr(skb, CTA_IP_V6_SRC, &tuple->src.u3.in6) || 96 nla_put_in6_addr(skb, CTA_IP_V6_DST, &tuple->dst.u3.in6)) 97 return -EMSGSIZE; 98 return 0; 99 } 100 101 static int ctnetlink_dump_tuples_ip(struct sk_buff *skb, 102 const struct nf_conntrack_tuple *tuple) 103 { 104 int ret = 0; 105 struct nlattr *nest_parms; 106 107 nest_parms = nla_nest_start(skb, CTA_TUPLE_IP | NLA_F_NESTED); 108 if (!nest_parms) 109 goto nla_put_failure; 110 111 switch (tuple->src.l3num) { 112 case NFPROTO_IPV4: 113 ret = ipv4_tuple_to_nlattr(skb, tuple); 114 break; 115 case NFPROTO_IPV6: 116 ret = ipv6_tuple_to_nlattr(skb, tuple); 117 break; 118 } 119 120 nla_nest_end(skb, nest_parms); 121 122 return ret; 123 124 nla_put_failure: 125 return -1; 126 } 127 128 static int ctnetlink_dump_tuples(struct sk_buff *skb, 129 const struct nf_conntrack_tuple *tuple) 130 { 131 const struct nf_conntrack_l4proto *l4proto; 132 int ret; 133 134 rcu_read_lock(); 135 ret = ctnetlink_dump_tuples_ip(skb, tuple); 136 137 if (ret >= 0) { 138 l4proto = __nf_ct_l4proto_find(tuple->src.l3num, 139 tuple->dst.protonum); 140 ret = ctnetlink_dump_tuples_proto(skb, tuple, l4proto); 141 } 142 rcu_read_unlock(); 143 return ret; 144 } 145 146 static int ctnetlink_dump_zone_id(struct sk_buff *skb, int attrtype, 147 const struct nf_conntrack_zone *zone, int dir) 148 { 149 if (zone->id == NF_CT_DEFAULT_ZONE_ID || zone->dir != dir) 150 return 0; 151 if (nla_put_be16(skb, attrtype, htons(zone->id))) 152 goto nla_put_failure; 153 return 0; 154 155 nla_put_failure: 156 return -1; 157 } 158 159 static int ctnetlink_dump_status(struct sk_buff *skb, const struct nf_conn *ct) 160 { 161 if (nla_put_be32(skb, CTA_STATUS, htonl(ct->status))) 162 goto nla_put_failure; 163 return 0; 164 165 nla_put_failure: 166 return -1; 167 } 168 169 static int ctnetlink_dump_timeout(struct sk_buff *skb, const struct nf_conn *ct) 170 { 171 long timeout = nf_ct_expires(ct) / HZ; 172 173 if (nla_put_be32(skb, CTA_TIMEOUT, htonl(timeout))) 174 goto nla_put_failure; 175 return 0; 176 177 nla_put_failure: 178 return -1; 179 } 180 181 static int ctnetlink_dump_protoinfo(struct sk_buff *skb, struct nf_conn *ct) 182 { 183 const struct nf_conntrack_l4proto *l4proto; 184 struct nlattr *nest_proto; 185 int ret; 186 187 l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct)); 188 if (!l4proto->to_nlattr) 189 return 0; 190 191 nest_proto = nla_nest_start(skb, CTA_PROTOINFO | NLA_F_NESTED); 192 if (!nest_proto) 193 goto nla_put_failure; 194 195 ret = l4proto->to_nlattr(skb, nest_proto, ct); 196 197 nla_nest_end(skb, nest_proto); 198 199 return ret; 200 201 nla_put_failure: 202 return -1; 203 } 204 205 static int ctnetlink_dump_helpinfo(struct sk_buff *skb, 206 const struct nf_conn *ct) 207 { 208 struct nlattr *nest_helper; 209 const struct nf_conn_help *help = nfct_help(ct); 210 struct nf_conntrack_helper *helper; 211 212 if (!help) 213 return 0; 214 215 helper = rcu_dereference(help->helper); 216 if (!helper) 217 goto out; 218 219 nest_helper = nla_nest_start(skb, CTA_HELP | NLA_F_NESTED); 220 if (!nest_helper) 221 goto nla_put_failure; 222 if (nla_put_string(skb, CTA_HELP_NAME, helper->name)) 223 goto nla_put_failure; 224 225 if (helper->to_nlattr) 226 helper->to_nlattr(skb, ct); 227 228 nla_nest_end(skb, nest_helper); 229 out: 230 return 0; 231 232 nla_put_failure: 233 return -1; 234 } 235 236 static int 237 dump_counters(struct sk_buff *skb, struct nf_conn_acct *acct, 238 enum ip_conntrack_dir dir, int type) 239 { 240 enum ctattr_type attr = dir ? CTA_COUNTERS_REPLY: CTA_COUNTERS_ORIG; 241 struct nf_conn_counter *counter = acct->counter; 242 struct nlattr *nest_count; 243 u64 pkts, bytes; 244 245 if (type == IPCTNL_MSG_CT_GET_CTRZERO) { 246 pkts = atomic64_xchg(&counter[dir].packets, 0); 247 bytes = atomic64_xchg(&counter[dir].bytes, 0); 248 } else { 249 pkts = atomic64_read(&counter[dir].packets); 250 bytes = atomic64_read(&counter[dir].bytes); 251 } 252 253 nest_count = nla_nest_start(skb, attr | NLA_F_NESTED); 254 if (!nest_count) 255 goto nla_put_failure; 256 257 if (nla_put_be64(skb, CTA_COUNTERS_PACKETS, cpu_to_be64(pkts), 258 CTA_COUNTERS_PAD) || 259 nla_put_be64(skb, CTA_COUNTERS_BYTES, cpu_to_be64(bytes), 260 CTA_COUNTERS_PAD)) 261 goto nla_put_failure; 262 263 nla_nest_end(skb, nest_count); 264 265 return 0; 266 267 nla_put_failure: 268 return -1; 269 } 270 271 static int 272 ctnetlink_dump_acct(struct sk_buff *skb, const struct nf_conn *ct, int type) 273 { 274 struct nf_conn_acct *acct = nf_conn_acct_find(ct); 275 276 if (!acct) 277 return 0; 278 279 if (dump_counters(skb, acct, IP_CT_DIR_ORIGINAL, type) < 0) 280 return -1; 281 if (dump_counters(skb, acct, IP_CT_DIR_REPLY, type) < 0) 282 return -1; 283 284 return 0; 285 } 286 287 static int 288 ctnetlink_dump_timestamp(struct sk_buff *skb, const struct nf_conn *ct) 289 { 290 struct nlattr *nest_count; 291 const struct nf_conn_tstamp *tstamp; 292 293 tstamp = nf_conn_tstamp_find(ct); 294 if (!tstamp) 295 return 0; 296 297 nest_count = nla_nest_start(skb, CTA_TIMESTAMP | NLA_F_NESTED); 298 if (!nest_count) 299 goto nla_put_failure; 300 301 if (nla_put_be64(skb, CTA_TIMESTAMP_START, cpu_to_be64(tstamp->start), 302 CTA_TIMESTAMP_PAD) || 303 (tstamp->stop != 0 && nla_put_be64(skb, CTA_TIMESTAMP_STOP, 304 cpu_to_be64(tstamp->stop), 305 CTA_TIMESTAMP_PAD))) 306 goto nla_put_failure; 307 nla_nest_end(skb, nest_count); 308 309 return 0; 310 311 nla_put_failure: 312 return -1; 313 } 314 315 #ifdef CONFIG_NF_CONNTRACK_MARK 316 static int ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct) 317 { 318 if (nla_put_be32(skb, CTA_MARK, htonl(ct->mark))) 319 goto nla_put_failure; 320 return 0; 321 322 nla_put_failure: 323 return -1; 324 } 325 #else 326 #define ctnetlink_dump_mark(a, b) (0) 327 #endif 328 329 #ifdef CONFIG_NF_CONNTRACK_SECMARK 330 static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) 331 { 332 struct nlattr *nest_secctx; 333 int len, ret; 334 char *secctx; 335 336 ret = security_secid_to_secctx(ct->secmark, &secctx, &len); 337 if (ret) 338 return 0; 339 340 ret = -1; 341 nest_secctx = nla_nest_start(skb, CTA_SECCTX | NLA_F_NESTED); 342 if (!nest_secctx) 343 goto nla_put_failure; 344 345 if (nla_put_string(skb, CTA_SECCTX_NAME, secctx)) 346 goto nla_put_failure; 347 nla_nest_end(skb, nest_secctx); 348 349 ret = 0; 350 nla_put_failure: 351 security_release_secctx(secctx, len); 352 return ret; 353 } 354 #else 355 #define ctnetlink_dump_secctx(a, b) (0) 356 #endif 357 358 #ifdef CONFIG_NF_CONNTRACK_LABELS 359 static inline int ctnetlink_label_size(const struct nf_conn *ct) 360 { 361 struct nf_conn_labels *labels = nf_ct_labels_find(ct); 362 363 if (!labels) 364 return 0; 365 return nla_total_size(sizeof(labels->bits)); 366 } 367 368 static int 369 ctnetlink_dump_labels(struct sk_buff *skb, const struct nf_conn *ct) 370 { 371 struct nf_conn_labels *labels = nf_ct_labels_find(ct); 372 unsigned int i; 373 374 if (!labels) 375 return 0; 376 377 i = 0; 378 do { 379 if (labels->bits[i] != 0) 380 return nla_put(skb, CTA_LABELS, sizeof(labels->bits), 381 labels->bits); 382 i++; 383 } while (i < ARRAY_SIZE(labels->bits)); 384 385 return 0; 386 } 387 #else 388 #define ctnetlink_dump_labels(a, b) (0) 389 #define ctnetlink_label_size(a) (0) 390 #endif 391 392 #define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple) 393 394 static int ctnetlink_dump_master(struct sk_buff *skb, const struct nf_conn *ct) 395 { 396 struct nlattr *nest_parms; 397 398 if (!(ct->status & IPS_EXPECTED)) 399 return 0; 400 401 nest_parms = nla_nest_start(skb, CTA_TUPLE_MASTER | NLA_F_NESTED); 402 if (!nest_parms) 403 goto nla_put_failure; 404 if (ctnetlink_dump_tuples(skb, master_tuple(ct)) < 0) 405 goto nla_put_failure; 406 nla_nest_end(skb, nest_parms); 407 408 return 0; 409 410 nla_put_failure: 411 return -1; 412 } 413 414 static int 415 dump_ct_seq_adj(struct sk_buff *skb, const struct nf_ct_seqadj *seq, int type) 416 { 417 struct nlattr *nest_parms; 418 419 nest_parms = nla_nest_start(skb, type | NLA_F_NESTED); 420 if (!nest_parms) 421 goto nla_put_failure; 422 423 if (nla_put_be32(skb, CTA_SEQADJ_CORRECTION_POS, 424 htonl(seq->correction_pos)) || 425 nla_put_be32(skb, CTA_SEQADJ_OFFSET_BEFORE, 426 htonl(seq->offset_before)) || 427 nla_put_be32(skb, CTA_SEQADJ_OFFSET_AFTER, 428 htonl(seq->offset_after))) 429 goto nla_put_failure; 430 431 nla_nest_end(skb, nest_parms); 432 433 return 0; 434 435 nla_put_failure: 436 return -1; 437 } 438 439 static int ctnetlink_dump_ct_seq_adj(struct sk_buff *skb, struct nf_conn *ct) 440 { 441 struct nf_conn_seqadj *seqadj = nfct_seqadj(ct); 442 struct nf_ct_seqadj *seq; 443 444 if (!(ct->status & IPS_SEQ_ADJUST) || !seqadj) 445 return 0; 446 447 spin_lock_bh(&ct->lock); 448 seq = &seqadj->seq[IP_CT_DIR_ORIGINAL]; 449 if (dump_ct_seq_adj(skb, seq, CTA_SEQ_ADJ_ORIG) == -1) 450 goto err; 451 452 seq = &seqadj->seq[IP_CT_DIR_REPLY]; 453 if (dump_ct_seq_adj(skb, seq, CTA_SEQ_ADJ_REPLY) == -1) 454 goto err; 455 456 spin_unlock_bh(&ct->lock); 457 return 0; 458 err: 459 spin_unlock_bh(&ct->lock); 460 return -1; 461 } 462 463 static int ctnetlink_dump_ct_synproxy(struct sk_buff *skb, struct nf_conn *ct) 464 { 465 struct nf_conn_synproxy *synproxy = nfct_synproxy(ct); 466 struct nlattr *nest_parms; 467 468 if (!synproxy) 469 return 0; 470 471 nest_parms = nla_nest_start(skb, CTA_SYNPROXY | NLA_F_NESTED); 472 if (!nest_parms) 473 goto nla_put_failure; 474 475 if (nla_put_be32(skb, CTA_SYNPROXY_ISN, htonl(synproxy->isn)) || 476 nla_put_be32(skb, CTA_SYNPROXY_ITS, htonl(synproxy->its)) || 477 nla_put_be32(skb, CTA_SYNPROXY_TSOFF, htonl(synproxy->tsoff))) 478 goto nla_put_failure; 479 480 nla_nest_end(skb, nest_parms); 481 482 return 0; 483 484 nla_put_failure: 485 return -1; 486 } 487 488 static int ctnetlink_dump_id(struct sk_buff *skb, const struct nf_conn *ct) 489 { 490 if (nla_put_be32(skb, CTA_ID, htonl((unsigned long)ct))) 491 goto nla_put_failure; 492 return 0; 493 494 nla_put_failure: 495 return -1; 496 } 497 498 static int ctnetlink_dump_use(struct sk_buff *skb, const struct nf_conn *ct) 499 { 500 if (nla_put_be32(skb, CTA_USE, htonl(atomic_read(&ct->ct_general.use)))) 501 goto nla_put_failure; 502 return 0; 503 504 nla_put_failure: 505 return -1; 506 } 507 508 static int 509 ctnetlink_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type, 510 struct nf_conn *ct) 511 { 512 const struct nf_conntrack_zone *zone; 513 struct nlmsghdr *nlh; 514 struct nfgenmsg *nfmsg; 515 struct nlattr *nest_parms; 516 unsigned int flags = portid ? NLM_F_MULTI : 0, event; 517 518 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, IPCTNL_MSG_CT_NEW); 519 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); 520 if (nlh == NULL) 521 goto nlmsg_failure; 522 523 nfmsg = nlmsg_data(nlh); 524 nfmsg->nfgen_family = nf_ct_l3num(ct); 525 nfmsg->version = NFNETLINK_V0; 526 nfmsg->res_id = 0; 527 528 zone = nf_ct_zone(ct); 529 530 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED); 531 if (!nest_parms) 532 goto nla_put_failure; 533 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0) 534 goto nla_put_failure; 535 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone, 536 NF_CT_ZONE_DIR_ORIG) < 0) 537 goto nla_put_failure; 538 nla_nest_end(skb, nest_parms); 539 540 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY | NLA_F_NESTED); 541 if (!nest_parms) 542 goto nla_put_failure; 543 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0) 544 goto nla_put_failure; 545 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone, 546 NF_CT_ZONE_DIR_REPL) < 0) 547 goto nla_put_failure; 548 nla_nest_end(skb, nest_parms); 549 550 if (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone, 551 NF_CT_DEFAULT_ZONE_DIR) < 0) 552 goto nla_put_failure; 553 554 if (ctnetlink_dump_status(skb, ct) < 0 || 555 ctnetlink_dump_timeout(skb, ct) < 0 || 556 ctnetlink_dump_acct(skb, ct, type) < 0 || 557 ctnetlink_dump_timestamp(skb, ct) < 0 || 558 ctnetlink_dump_protoinfo(skb, ct) < 0 || 559 ctnetlink_dump_helpinfo(skb, ct) < 0 || 560 ctnetlink_dump_mark(skb, ct) < 0 || 561 ctnetlink_dump_secctx(skb, ct) < 0 || 562 ctnetlink_dump_labels(skb, ct) < 0 || 563 ctnetlink_dump_id(skb, ct) < 0 || 564 ctnetlink_dump_use(skb, ct) < 0 || 565 ctnetlink_dump_master(skb, ct) < 0 || 566 ctnetlink_dump_ct_seq_adj(skb, ct) < 0 || 567 ctnetlink_dump_ct_synproxy(skb, ct) < 0) 568 goto nla_put_failure; 569 570 nlmsg_end(skb, nlh); 571 return skb->len; 572 573 nlmsg_failure: 574 nla_put_failure: 575 nlmsg_cancel(skb, nlh); 576 return -1; 577 } 578 579 static const struct nla_policy cta_ip_nla_policy[CTA_IP_MAX + 1] = { 580 [CTA_IP_V4_SRC] = { .type = NLA_U32 }, 581 [CTA_IP_V4_DST] = { .type = NLA_U32 }, 582 [CTA_IP_V6_SRC] = { .len = sizeof(__be32) * 4 }, 583 [CTA_IP_V6_DST] = { .len = sizeof(__be32) * 4 }, 584 }; 585 586 #if defined(CONFIG_NETFILTER_NETLINK_GLUE_CT) || defined(CONFIG_NF_CONNTRACK_EVENTS) 587 static size_t ctnetlink_proto_size(const struct nf_conn *ct) 588 { 589 const struct nf_conntrack_l4proto *l4proto; 590 size_t len, len4 = 0; 591 592 len = nla_policy_len(cta_ip_nla_policy, CTA_IP_MAX + 1); 593 len *= 3u; /* ORIG, REPLY, MASTER */ 594 595 l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct)); 596 len += l4proto->nlattr_size; 597 if (l4proto->nlattr_tuple_size) { 598 len4 = l4proto->nlattr_tuple_size(); 599 len4 *= 3u; /* ORIG, REPLY, MASTER */ 600 } 601 602 return len + len4; 603 } 604 #endif 605 606 static inline size_t ctnetlink_acct_size(const struct nf_conn *ct) 607 { 608 if (!nf_ct_ext_exist(ct, NF_CT_EXT_ACCT)) 609 return 0; 610 return 2 * nla_total_size(0) /* CTA_COUNTERS_ORIG|REPL */ 611 + 2 * nla_total_size_64bit(sizeof(uint64_t)) /* CTA_COUNTERS_PACKETS */ 612 + 2 * nla_total_size_64bit(sizeof(uint64_t)) /* CTA_COUNTERS_BYTES */ 613 ; 614 } 615 616 static inline int ctnetlink_secctx_size(const struct nf_conn *ct) 617 { 618 #ifdef CONFIG_NF_CONNTRACK_SECMARK 619 int len, ret; 620 621 ret = security_secid_to_secctx(ct->secmark, NULL, &len); 622 if (ret) 623 return 0; 624 625 return nla_total_size(0) /* CTA_SECCTX */ 626 + nla_total_size(sizeof(char) * len); /* CTA_SECCTX_NAME */ 627 #else 628 return 0; 629 #endif 630 } 631 632 static inline size_t ctnetlink_timestamp_size(const struct nf_conn *ct) 633 { 634 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP 635 if (!nf_ct_ext_exist(ct, NF_CT_EXT_TSTAMP)) 636 return 0; 637 return nla_total_size(0) + 2 * nla_total_size_64bit(sizeof(uint64_t)); 638 #else 639 return 0; 640 #endif 641 } 642 643 #ifdef CONFIG_NF_CONNTRACK_EVENTS 644 static size_t ctnetlink_nlmsg_size(const struct nf_conn *ct) 645 { 646 return NLMSG_ALIGN(sizeof(struct nfgenmsg)) 647 + 3 * nla_total_size(0) /* CTA_TUPLE_ORIG|REPL|MASTER */ 648 + 3 * nla_total_size(0) /* CTA_TUPLE_IP */ 649 + 3 * nla_total_size(0) /* CTA_TUPLE_PROTO */ 650 + 3 * nla_total_size(sizeof(u_int8_t)) /* CTA_PROTO_NUM */ 651 + nla_total_size(sizeof(u_int32_t)) /* CTA_ID */ 652 + nla_total_size(sizeof(u_int32_t)) /* CTA_STATUS */ 653 + ctnetlink_acct_size(ct) 654 + ctnetlink_timestamp_size(ct) 655 + nla_total_size(sizeof(u_int32_t)) /* CTA_TIMEOUT */ 656 + nla_total_size(0) /* CTA_PROTOINFO */ 657 + nla_total_size(0) /* CTA_HELP */ 658 + nla_total_size(NF_CT_HELPER_NAME_LEN) /* CTA_HELP_NAME */ 659 + ctnetlink_secctx_size(ct) 660 #ifdef CONFIG_NF_NAT_NEEDED 661 + 2 * nla_total_size(0) /* CTA_NAT_SEQ_ADJ_ORIG|REPL */ 662 + 6 * nla_total_size(sizeof(u_int32_t)) /* CTA_NAT_SEQ_OFFSET */ 663 #endif 664 #ifdef CONFIG_NF_CONNTRACK_MARK 665 + nla_total_size(sizeof(u_int32_t)) /* CTA_MARK */ 666 #endif 667 #ifdef CONFIG_NF_CONNTRACK_ZONES 668 + nla_total_size(sizeof(u_int16_t)) /* CTA_ZONE|CTA_TUPLE_ZONE */ 669 #endif 670 + ctnetlink_proto_size(ct) 671 + ctnetlink_label_size(ct) 672 ; 673 } 674 675 static int 676 ctnetlink_conntrack_event(unsigned int events, struct nf_ct_event *item) 677 { 678 const struct nf_conntrack_zone *zone; 679 struct net *net; 680 struct nlmsghdr *nlh; 681 struct nfgenmsg *nfmsg; 682 struct nlattr *nest_parms; 683 struct nf_conn *ct = item->ct; 684 struct sk_buff *skb; 685 unsigned int type; 686 unsigned int flags = 0, group; 687 int err; 688 689 if (events & (1 << IPCT_DESTROY)) { 690 type = IPCTNL_MSG_CT_DELETE; 691 group = NFNLGRP_CONNTRACK_DESTROY; 692 } else if (events & ((1 << IPCT_NEW) | (1 << IPCT_RELATED))) { 693 type = IPCTNL_MSG_CT_NEW; 694 flags = NLM_F_CREATE|NLM_F_EXCL; 695 group = NFNLGRP_CONNTRACK_NEW; 696 } else if (events) { 697 type = IPCTNL_MSG_CT_NEW; 698 group = NFNLGRP_CONNTRACK_UPDATE; 699 } else 700 return 0; 701 702 net = nf_ct_net(ct); 703 if (!item->report && !nfnetlink_has_listeners(net, group)) 704 return 0; 705 706 skb = nlmsg_new(ctnetlink_nlmsg_size(ct), GFP_ATOMIC); 707 if (skb == NULL) 708 goto errout; 709 710 type = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, type); 711 nlh = nlmsg_put(skb, item->portid, 0, type, sizeof(*nfmsg), flags); 712 if (nlh == NULL) 713 goto nlmsg_failure; 714 715 nfmsg = nlmsg_data(nlh); 716 nfmsg->nfgen_family = nf_ct_l3num(ct); 717 nfmsg->version = NFNETLINK_V0; 718 nfmsg->res_id = 0; 719 720 zone = nf_ct_zone(ct); 721 722 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED); 723 if (!nest_parms) 724 goto nla_put_failure; 725 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0) 726 goto nla_put_failure; 727 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone, 728 NF_CT_ZONE_DIR_ORIG) < 0) 729 goto nla_put_failure; 730 nla_nest_end(skb, nest_parms); 731 732 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY | NLA_F_NESTED); 733 if (!nest_parms) 734 goto nla_put_failure; 735 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0) 736 goto nla_put_failure; 737 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone, 738 NF_CT_ZONE_DIR_REPL) < 0) 739 goto nla_put_failure; 740 nla_nest_end(skb, nest_parms); 741 742 if (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone, 743 NF_CT_DEFAULT_ZONE_DIR) < 0) 744 goto nla_put_failure; 745 746 if (ctnetlink_dump_id(skb, ct) < 0) 747 goto nla_put_failure; 748 749 if (ctnetlink_dump_status(skb, ct) < 0) 750 goto nla_put_failure; 751 752 if (events & (1 << IPCT_DESTROY)) { 753 if (ctnetlink_dump_acct(skb, ct, type) < 0 || 754 ctnetlink_dump_timestamp(skb, ct) < 0) 755 goto nla_put_failure; 756 } else { 757 if (ctnetlink_dump_timeout(skb, ct) < 0) 758 goto nla_put_failure; 759 760 if (events & (1 << IPCT_PROTOINFO) 761 && ctnetlink_dump_protoinfo(skb, ct) < 0) 762 goto nla_put_failure; 763 764 if ((events & (1 << IPCT_HELPER) || nfct_help(ct)) 765 && ctnetlink_dump_helpinfo(skb, ct) < 0) 766 goto nla_put_failure; 767 768 #ifdef CONFIG_NF_CONNTRACK_SECMARK 769 if ((events & (1 << IPCT_SECMARK) || ct->secmark) 770 && ctnetlink_dump_secctx(skb, ct) < 0) 771 goto nla_put_failure; 772 #endif 773 if (events & (1 << IPCT_LABEL) && 774 ctnetlink_dump_labels(skb, ct) < 0) 775 goto nla_put_failure; 776 777 if (events & (1 << IPCT_RELATED) && 778 ctnetlink_dump_master(skb, ct) < 0) 779 goto nla_put_failure; 780 781 if (events & (1 << IPCT_SEQADJ) && 782 ctnetlink_dump_ct_seq_adj(skb, ct) < 0) 783 goto nla_put_failure; 784 785 if (events & (1 << IPCT_SYNPROXY) && 786 ctnetlink_dump_ct_synproxy(skb, ct) < 0) 787 goto nla_put_failure; 788 } 789 790 #ifdef CONFIG_NF_CONNTRACK_MARK 791 if ((events & (1 << IPCT_MARK) || ct->mark) 792 && ctnetlink_dump_mark(skb, ct) < 0) 793 goto nla_put_failure; 794 #endif 795 nlmsg_end(skb, nlh); 796 err = nfnetlink_send(skb, net, item->portid, group, item->report, 797 GFP_ATOMIC); 798 if (err == -ENOBUFS || err == -EAGAIN) 799 return -ENOBUFS; 800 801 return 0; 802 803 nla_put_failure: 804 nlmsg_cancel(skb, nlh); 805 nlmsg_failure: 806 kfree_skb(skb); 807 errout: 808 if (nfnetlink_set_err(net, 0, group, -ENOBUFS) > 0) 809 return -ENOBUFS; 810 811 return 0; 812 } 813 #endif /* CONFIG_NF_CONNTRACK_EVENTS */ 814 815 static int ctnetlink_done(struct netlink_callback *cb) 816 { 817 if (cb->args[1]) 818 nf_ct_put((struct nf_conn *)cb->args[1]); 819 kfree(cb->data); 820 return 0; 821 } 822 823 struct ctnetlink_filter { 824 struct { 825 u_int32_t val; 826 u_int32_t mask; 827 } mark; 828 }; 829 830 static struct ctnetlink_filter * 831 ctnetlink_alloc_filter(const struct nlattr * const cda[]) 832 { 833 #ifdef CONFIG_NF_CONNTRACK_MARK 834 struct ctnetlink_filter *filter; 835 836 filter = kzalloc(sizeof(*filter), GFP_KERNEL); 837 if (filter == NULL) 838 return ERR_PTR(-ENOMEM); 839 840 filter->mark.val = ntohl(nla_get_be32(cda[CTA_MARK])); 841 filter->mark.mask = ntohl(nla_get_be32(cda[CTA_MARK_MASK])); 842 843 return filter; 844 #else 845 return ERR_PTR(-EOPNOTSUPP); 846 #endif 847 } 848 849 static int ctnetlink_start(struct netlink_callback *cb) 850 { 851 const struct nlattr * const *cda = cb->data; 852 struct ctnetlink_filter *filter = NULL; 853 854 if (cda[CTA_MARK] && cda[CTA_MARK_MASK]) { 855 filter = ctnetlink_alloc_filter(cda); 856 if (IS_ERR(filter)) 857 return PTR_ERR(filter); 858 } 859 860 cb->data = filter; 861 return 0; 862 } 863 864 static int ctnetlink_filter_match(struct nf_conn *ct, void *data) 865 { 866 struct ctnetlink_filter *filter = data; 867 868 if (filter == NULL) 869 return 1; 870 871 #ifdef CONFIG_NF_CONNTRACK_MARK 872 if ((ct->mark & filter->mark.mask) == filter->mark.val) 873 return 1; 874 #endif 875 876 return 0; 877 } 878 879 static int 880 ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb) 881 { 882 struct net *net = sock_net(skb->sk); 883 struct nf_conn *ct, *last; 884 struct nf_conntrack_tuple_hash *h; 885 struct hlist_nulls_node *n; 886 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 887 u_int8_t l3proto = nfmsg->nfgen_family; 888 struct nf_conn *nf_ct_evict[8]; 889 int res, i; 890 spinlock_t *lockp; 891 892 last = (struct nf_conn *)cb->args[1]; 893 i = 0; 894 895 local_bh_disable(); 896 for (; cb->args[0] < nf_conntrack_htable_size; cb->args[0]++) { 897 restart: 898 while (i) { 899 i--; 900 if (nf_ct_should_gc(nf_ct_evict[i])) 901 nf_ct_kill(nf_ct_evict[i]); 902 nf_ct_put(nf_ct_evict[i]); 903 } 904 905 lockp = &nf_conntrack_locks[cb->args[0] % CONNTRACK_LOCKS]; 906 nf_conntrack_lock(lockp); 907 if (cb->args[0] >= nf_conntrack_htable_size) { 908 spin_unlock(lockp); 909 goto out; 910 } 911 hlist_nulls_for_each_entry(h, n, &nf_conntrack_hash[cb->args[0]], 912 hnnode) { 913 if (NF_CT_DIRECTION(h) != IP_CT_DIR_ORIGINAL) 914 continue; 915 ct = nf_ct_tuplehash_to_ctrack(h); 916 if (nf_ct_is_expired(ct)) { 917 if (i < ARRAY_SIZE(nf_ct_evict) && 918 atomic_inc_not_zero(&ct->ct_general.use)) 919 nf_ct_evict[i++] = ct; 920 continue; 921 } 922 923 if (!net_eq(net, nf_ct_net(ct))) 924 continue; 925 926 /* Dump entries of a given L3 protocol number. 927 * If it is not specified, ie. l3proto == 0, 928 * then dump everything. */ 929 if (l3proto && nf_ct_l3num(ct) != l3proto) 930 continue; 931 if (cb->args[1]) { 932 if (ct != last) 933 continue; 934 cb->args[1] = 0; 935 } 936 if (!ctnetlink_filter_match(ct, cb->data)) 937 continue; 938 939 rcu_read_lock(); 940 res = 941 ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).portid, 942 cb->nlh->nlmsg_seq, 943 NFNL_MSG_TYPE(cb->nlh->nlmsg_type), 944 ct); 945 rcu_read_unlock(); 946 if (res < 0) { 947 nf_conntrack_get(&ct->ct_general); 948 cb->args[1] = (unsigned long)ct; 949 spin_unlock(lockp); 950 goto out; 951 } 952 } 953 spin_unlock(lockp); 954 if (cb->args[1]) { 955 cb->args[1] = 0; 956 goto restart; 957 } 958 } 959 out: 960 local_bh_enable(); 961 if (last) { 962 /* nf ct hash resize happened, now clear the leftover. */ 963 if ((struct nf_conn *)cb->args[1] == last) 964 cb->args[1] = 0; 965 966 nf_ct_put(last); 967 } 968 969 while (i) { 970 i--; 971 if (nf_ct_should_gc(nf_ct_evict[i])) 972 nf_ct_kill(nf_ct_evict[i]); 973 nf_ct_put(nf_ct_evict[i]); 974 } 975 976 return skb->len; 977 } 978 979 static int ipv4_nlattr_to_tuple(struct nlattr *tb[], 980 struct nf_conntrack_tuple *t) 981 { 982 if (!tb[CTA_IP_V4_SRC] || !tb[CTA_IP_V4_DST]) 983 return -EINVAL; 984 985 t->src.u3.ip = nla_get_in_addr(tb[CTA_IP_V4_SRC]); 986 t->dst.u3.ip = nla_get_in_addr(tb[CTA_IP_V4_DST]); 987 988 return 0; 989 } 990 991 static int ipv6_nlattr_to_tuple(struct nlattr *tb[], 992 struct nf_conntrack_tuple *t) 993 { 994 if (!tb[CTA_IP_V6_SRC] || !tb[CTA_IP_V6_DST]) 995 return -EINVAL; 996 997 t->src.u3.in6 = nla_get_in6_addr(tb[CTA_IP_V6_SRC]); 998 t->dst.u3.in6 = nla_get_in6_addr(tb[CTA_IP_V6_DST]); 999 1000 return 0; 1001 } 1002 1003 static int ctnetlink_parse_tuple_ip(struct nlattr *attr, 1004 struct nf_conntrack_tuple *tuple) 1005 { 1006 struct nlattr *tb[CTA_IP_MAX+1]; 1007 int ret = 0; 1008 1009 ret = nla_parse_nested(tb, CTA_IP_MAX, attr, NULL, NULL); 1010 if (ret < 0) 1011 return ret; 1012 1013 ret = nla_validate_nested(attr, CTA_IP_MAX, 1014 cta_ip_nla_policy, NULL); 1015 if (ret) 1016 return ret; 1017 1018 switch (tuple->src.l3num) { 1019 case NFPROTO_IPV4: 1020 ret = ipv4_nlattr_to_tuple(tb, tuple); 1021 break; 1022 case NFPROTO_IPV6: 1023 ret = ipv6_nlattr_to_tuple(tb, tuple); 1024 break; 1025 } 1026 1027 return ret; 1028 } 1029 1030 static const struct nla_policy proto_nla_policy[CTA_PROTO_MAX+1] = { 1031 [CTA_PROTO_NUM] = { .type = NLA_U8 }, 1032 }; 1033 1034 static int ctnetlink_parse_tuple_proto(struct nlattr *attr, 1035 struct nf_conntrack_tuple *tuple) 1036 { 1037 const struct nf_conntrack_l4proto *l4proto; 1038 struct nlattr *tb[CTA_PROTO_MAX+1]; 1039 int ret = 0; 1040 1041 ret = nla_parse_nested(tb, CTA_PROTO_MAX, attr, proto_nla_policy, 1042 NULL); 1043 if (ret < 0) 1044 return ret; 1045 1046 if (!tb[CTA_PROTO_NUM]) 1047 return -EINVAL; 1048 tuple->dst.protonum = nla_get_u8(tb[CTA_PROTO_NUM]); 1049 1050 rcu_read_lock(); 1051 l4proto = __nf_ct_l4proto_find(tuple->src.l3num, tuple->dst.protonum); 1052 1053 if (likely(l4proto->nlattr_to_tuple)) { 1054 ret = nla_validate_nested(attr, CTA_PROTO_MAX, 1055 l4proto->nla_policy, NULL); 1056 if (ret == 0) 1057 ret = l4proto->nlattr_to_tuple(tb, tuple); 1058 } 1059 1060 rcu_read_unlock(); 1061 1062 return ret; 1063 } 1064 1065 static int 1066 ctnetlink_parse_zone(const struct nlattr *attr, 1067 struct nf_conntrack_zone *zone) 1068 { 1069 nf_ct_zone_init(zone, NF_CT_DEFAULT_ZONE_ID, 1070 NF_CT_DEFAULT_ZONE_DIR, 0); 1071 #ifdef CONFIG_NF_CONNTRACK_ZONES 1072 if (attr) 1073 zone->id = ntohs(nla_get_be16(attr)); 1074 #else 1075 if (attr) 1076 return -EOPNOTSUPP; 1077 #endif 1078 return 0; 1079 } 1080 1081 static int 1082 ctnetlink_parse_tuple_zone(struct nlattr *attr, enum ctattr_type type, 1083 struct nf_conntrack_zone *zone) 1084 { 1085 int ret; 1086 1087 if (zone->id != NF_CT_DEFAULT_ZONE_ID) 1088 return -EINVAL; 1089 1090 ret = ctnetlink_parse_zone(attr, zone); 1091 if (ret < 0) 1092 return ret; 1093 1094 if (type == CTA_TUPLE_REPLY) 1095 zone->dir = NF_CT_ZONE_DIR_REPL; 1096 else 1097 zone->dir = NF_CT_ZONE_DIR_ORIG; 1098 1099 return 0; 1100 } 1101 1102 static const struct nla_policy tuple_nla_policy[CTA_TUPLE_MAX+1] = { 1103 [CTA_TUPLE_IP] = { .type = NLA_NESTED }, 1104 [CTA_TUPLE_PROTO] = { .type = NLA_NESTED }, 1105 [CTA_TUPLE_ZONE] = { .type = NLA_U16 }, 1106 }; 1107 1108 static int 1109 ctnetlink_parse_tuple(const struct nlattr * const cda[], 1110 struct nf_conntrack_tuple *tuple, u32 type, 1111 u_int8_t l3num, struct nf_conntrack_zone *zone) 1112 { 1113 struct nlattr *tb[CTA_TUPLE_MAX+1]; 1114 int err; 1115 1116 memset(tuple, 0, sizeof(*tuple)); 1117 1118 err = nla_parse_nested(tb, CTA_TUPLE_MAX, cda[type], tuple_nla_policy, 1119 NULL); 1120 if (err < 0) 1121 return err; 1122 1123 if (!tb[CTA_TUPLE_IP]) 1124 return -EINVAL; 1125 1126 tuple->src.l3num = l3num; 1127 1128 err = ctnetlink_parse_tuple_ip(tb[CTA_TUPLE_IP], tuple); 1129 if (err < 0) 1130 return err; 1131 1132 if (!tb[CTA_TUPLE_PROTO]) 1133 return -EINVAL; 1134 1135 err = ctnetlink_parse_tuple_proto(tb[CTA_TUPLE_PROTO], tuple); 1136 if (err < 0) 1137 return err; 1138 1139 if (tb[CTA_TUPLE_ZONE]) { 1140 if (!zone) 1141 return -EINVAL; 1142 1143 err = ctnetlink_parse_tuple_zone(tb[CTA_TUPLE_ZONE], 1144 type, zone); 1145 if (err < 0) 1146 return err; 1147 } 1148 1149 /* orig and expect tuples get DIR_ORIGINAL */ 1150 if (type == CTA_TUPLE_REPLY) 1151 tuple->dst.dir = IP_CT_DIR_REPLY; 1152 else 1153 tuple->dst.dir = IP_CT_DIR_ORIGINAL; 1154 1155 return 0; 1156 } 1157 1158 static const struct nla_policy help_nla_policy[CTA_HELP_MAX+1] = { 1159 [CTA_HELP_NAME] = { .type = NLA_NUL_STRING, 1160 .len = NF_CT_HELPER_NAME_LEN - 1 }, 1161 }; 1162 1163 static int ctnetlink_parse_help(const struct nlattr *attr, char **helper_name, 1164 struct nlattr **helpinfo) 1165 { 1166 int err; 1167 struct nlattr *tb[CTA_HELP_MAX+1]; 1168 1169 err = nla_parse_nested(tb, CTA_HELP_MAX, attr, help_nla_policy, NULL); 1170 if (err < 0) 1171 return err; 1172 1173 if (!tb[CTA_HELP_NAME]) 1174 return -EINVAL; 1175 1176 *helper_name = nla_data(tb[CTA_HELP_NAME]); 1177 1178 if (tb[CTA_HELP_INFO]) 1179 *helpinfo = tb[CTA_HELP_INFO]; 1180 1181 return 0; 1182 } 1183 1184 static const struct nla_policy ct_nla_policy[CTA_MAX+1] = { 1185 [CTA_TUPLE_ORIG] = { .type = NLA_NESTED }, 1186 [CTA_TUPLE_REPLY] = { .type = NLA_NESTED }, 1187 [CTA_STATUS] = { .type = NLA_U32 }, 1188 [CTA_PROTOINFO] = { .type = NLA_NESTED }, 1189 [CTA_HELP] = { .type = NLA_NESTED }, 1190 [CTA_NAT_SRC] = { .type = NLA_NESTED }, 1191 [CTA_TIMEOUT] = { .type = NLA_U32 }, 1192 [CTA_MARK] = { .type = NLA_U32 }, 1193 [CTA_ID] = { .type = NLA_U32 }, 1194 [CTA_NAT_DST] = { .type = NLA_NESTED }, 1195 [CTA_TUPLE_MASTER] = { .type = NLA_NESTED }, 1196 [CTA_NAT_SEQ_ADJ_ORIG] = { .type = NLA_NESTED }, 1197 [CTA_NAT_SEQ_ADJ_REPLY] = { .type = NLA_NESTED }, 1198 [CTA_ZONE] = { .type = NLA_U16 }, 1199 [CTA_MARK_MASK] = { .type = NLA_U32 }, 1200 [CTA_LABELS] = { .type = NLA_BINARY, 1201 .len = NF_CT_LABELS_MAX_SIZE }, 1202 [CTA_LABELS_MASK] = { .type = NLA_BINARY, 1203 .len = NF_CT_LABELS_MAX_SIZE }, 1204 }; 1205 1206 static int ctnetlink_flush_iterate(struct nf_conn *ct, void *data) 1207 { 1208 if (test_bit(IPS_OFFLOAD_BIT, &ct->status)) 1209 return 0; 1210 1211 return ctnetlink_filter_match(ct, data); 1212 } 1213 1214 static int ctnetlink_flush_conntrack(struct net *net, 1215 const struct nlattr * const cda[], 1216 u32 portid, int report) 1217 { 1218 struct ctnetlink_filter *filter = NULL; 1219 1220 if (cda[CTA_MARK] && cda[CTA_MARK_MASK]) { 1221 filter = ctnetlink_alloc_filter(cda); 1222 if (IS_ERR(filter)) 1223 return PTR_ERR(filter); 1224 } 1225 1226 nf_ct_iterate_cleanup_net(net, ctnetlink_flush_iterate, filter, 1227 portid, report); 1228 kfree(filter); 1229 1230 return 0; 1231 } 1232 1233 static int ctnetlink_del_conntrack(struct net *net, struct sock *ctnl, 1234 struct sk_buff *skb, 1235 const struct nlmsghdr *nlh, 1236 const struct nlattr * const cda[], 1237 struct netlink_ext_ack *extack) 1238 { 1239 struct nf_conntrack_tuple_hash *h; 1240 struct nf_conntrack_tuple tuple; 1241 struct nf_conn *ct; 1242 struct nfgenmsg *nfmsg = nlmsg_data(nlh); 1243 u_int8_t u3 = nfmsg->nfgen_family; 1244 struct nf_conntrack_zone zone; 1245 int err; 1246 1247 err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone); 1248 if (err < 0) 1249 return err; 1250 1251 if (cda[CTA_TUPLE_ORIG]) 1252 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, 1253 u3, &zone); 1254 else if (cda[CTA_TUPLE_REPLY]) 1255 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY, 1256 u3, &zone); 1257 else { 1258 return ctnetlink_flush_conntrack(net, cda, 1259 NETLINK_CB(skb).portid, 1260 nlmsg_report(nlh)); 1261 } 1262 1263 if (err < 0) 1264 return err; 1265 1266 h = nf_conntrack_find_get(net, &zone, &tuple); 1267 if (!h) 1268 return -ENOENT; 1269 1270 ct = nf_ct_tuplehash_to_ctrack(h); 1271 1272 if (test_bit(IPS_OFFLOAD_BIT, &ct->status)) { 1273 nf_ct_put(ct); 1274 return -EBUSY; 1275 } 1276 1277 if (cda[CTA_ID]) { 1278 u_int32_t id = ntohl(nla_get_be32(cda[CTA_ID])); 1279 if (id != (u32)(unsigned long)ct) { 1280 nf_ct_put(ct); 1281 return -ENOENT; 1282 } 1283 } 1284 1285 nf_ct_delete(ct, NETLINK_CB(skb).portid, nlmsg_report(nlh)); 1286 nf_ct_put(ct); 1287 1288 return 0; 1289 } 1290 1291 static int ctnetlink_get_conntrack(struct net *net, struct sock *ctnl, 1292 struct sk_buff *skb, 1293 const struct nlmsghdr *nlh, 1294 const struct nlattr * const cda[], 1295 struct netlink_ext_ack *extack) 1296 { 1297 struct nf_conntrack_tuple_hash *h; 1298 struct nf_conntrack_tuple tuple; 1299 struct nf_conn *ct; 1300 struct sk_buff *skb2 = NULL; 1301 struct nfgenmsg *nfmsg = nlmsg_data(nlh); 1302 u_int8_t u3 = nfmsg->nfgen_family; 1303 struct nf_conntrack_zone zone; 1304 int err; 1305 1306 if (nlh->nlmsg_flags & NLM_F_DUMP) { 1307 struct netlink_dump_control c = { 1308 .start = ctnetlink_start, 1309 .dump = ctnetlink_dump_table, 1310 .done = ctnetlink_done, 1311 .data = (void *)cda, 1312 }; 1313 1314 return netlink_dump_start(ctnl, skb, nlh, &c); 1315 } 1316 1317 err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone); 1318 if (err < 0) 1319 return err; 1320 1321 if (cda[CTA_TUPLE_ORIG]) 1322 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, 1323 u3, &zone); 1324 else if (cda[CTA_TUPLE_REPLY]) 1325 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY, 1326 u3, &zone); 1327 else 1328 return -EINVAL; 1329 1330 if (err < 0) 1331 return err; 1332 1333 h = nf_conntrack_find_get(net, &zone, &tuple); 1334 if (!h) 1335 return -ENOENT; 1336 1337 ct = nf_ct_tuplehash_to_ctrack(h); 1338 1339 err = -ENOMEM; 1340 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); 1341 if (skb2 == NULL) { 1342 nf_ct_put(ct); 1343 return -ENOMEM; 1344 } 1345 1346 rcu_read_lock(); 1347 err = ctnetlink_fill_info(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq, 1348 NFNL_MSG_TYPE(nlh->nlmsg_type), ct); 1349 rcu_read_unlock(); 1350 nf_ct_put(ct); 1351 if (err <= 0) 1352 goto free; 1353 1354 err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT); 1355 if (err < 0) 1356 goto out; 1357 1358 return 0; 1359 1360 free: 1361 kfree_skb(skb2); 1362 out: 1363 /* this avoids a loop in nfnetlink. */ 1364 return err == -EAGAIN ? -ENOBUFS : err; 1365 } 1366 1367 static int ctnetlink_done_list(struct netlink_callback *cb) 1368 { 1369 if (cb->args[1]) 1370 nf_ct_put((struct nf_conn *)cb->args[1]); 1371 return 0; 1372 } 1373 1374 static int 1375 ctnetlink_dump_list(struct sk_buff *skb, struct netlink_callback *cb, bool dying) 1376 { 1377 struct nf_conn *ct, *last; 1378 struct nf_conntrack_tuple_hash *h; 1379 struct hlist_nulls_node *n; 1380 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 1381 u_int8_t l3proto = nfmsg->nfgen_family; 1382 int res; 1383 int cpu; 1384 struct hlist_nulls_head *list; 1385 struct net *net = sock_net(skb->sk); 1386 1387 if (cb->args[2]) 1388 return 0; 1389 1390 last = (struct nf_conn *)cb->args[1]; 1391 1392 for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) { 1393 struct ct_pcpu *pcpu; 1394 1395 if (!cpu_possible(cpu)) 1396 continue; 1397 1398 pcpu = per_cpu_ptr(net->ct.pcpu_lists, cpu); 1399 spin_lock_bh(&pcpu->lock); 1400 list = dying ? &pcpu->dying : &pcpu->unconfirmed; 1401 restart: 1402 hlist_nulls_for_each_entry(h, n, list, hnnode) { 1403 ct = nf_ct_tuplehash_to_ctrack(h); 1404 if (l3proto && nf_ct_l3num(ct) != l3proto) 1405 continue; 1406 if (cb->args[1]) { 1407 if (ct != last) 1408 continue; 1409 cb->args[1] = 0; 1410 } 1411 rcu_read_lock(); 1412 res = ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).portid, 1413 cb->nlh->nlmsg_seq, 1414 NFNL_MSG_TYPE(cb->nlh->nlmsg_type), 1415 ct); 1416 rcu_read_unlock(); 1417 if (res < 0) { 1418 if (!atomic_inc_not_zero(&ct->ct_general.use)) 1419 continue; 1420 cb->args[0] = cpu; 1421 cb->args[1] = (unsigned long)ct; 1422 spin_unlock_bh(&pcpu->lock); 1423 goto out; 1424 } 1425 } 1426 if (cb->args[1]) { 1427 cb->args[1] = 0; 1428 goto restart; 1429 } 1430 spin_unlock_bh(&pcpu->lock); 1431 } 1432 cb->args[2] = 1; 1433 out: 1434 if (last) 1435 nf_ct_put(last); 1436 1437 return skb->len; 1438 } 1439 1440 static int 1441 ctnetlink_dump_dying(struct sk_buff *skb, struct netlink_callback *cb) 1442 { 1443 return ctnetlink_dump_list(skb, cb, true); 1444 } 1445 1446 static int ctnetlink_get_ct_dying(struct net *net, struct sock *ctnl, 1447 struct sk_buff *skb, 1448 const struct nlmsghdr *nlh, 1449 const struct nlattr * const cda[], 1450 struct netlink_ext_ack *extack) 1451 { 1452 if (nlh->nlmsg_flags & NLM_F_DUMP) { 1453 struct netlink_dump_control c = { 1454 .dump = ctnetlink_dump_dying, 1455 .done = ctnetlink_done_list, 1456 }; 1457 return netlink_dump_start(ctnl, skb, nlh, &c); 1458 } 1459 1460 return -EOPNOTSUPP; 1461 } 1462 1463 static int 1464 ctnetlink_dump_unconfirmed(struct sk_buff *skb, struct netlink_callback *cb) 1465 { 1466 return ctnetlink_dump_list(skb, cb, false); 1467 } 1468 1469 static int ctnetlink_get_ct_unconfirmed(struct net *net, struct sock *ctnl, 1470 struct sk_buff *skb, 1471 const struct nlmsghdr *nlh, 1472 const struct nlattr * const cda[], 1473 struct netlink_ext_ack *extack) 1474 { 1475 if (nlh->nlmsg_flags & NLM_F_DUMP) { 1476 struct netlink_dump_control c = { 1477 .dump = ctnetlink_dump_unconfirmed, 1478 .done = ctnetlink_done_list, 1479 }; 1480 return netlink_dump_start(ctnl, skb, nlh, &c); 1481 } 1482 1483 return -EOPNOTSUPP; 1484 } 1485 1486 #ifdef CONFIG_NF_NAT_NEEDED 1487 static int 1488 ctnetlink_parse_nat_setup(struct nf_conn *ct, 1489 enum nf_nat_manip_type manip, 1490 const struct nlattr *attr) 1491 { 1492 struct nf_nat_hook *nat_hook; 1493 int err; 1494 1495 nat_hook = rcu_dereference(nf_nat_hook); 1496 if (!nat_hook) { 1497 #ifdef CONFIG_MODULES 1498 rcu_read_unlock(); 1499 nfnl_unlock(NFNL_SUBSYS_CTNETLINK); 1500 if (request_module("nf-nat") < 0) { 1501 nfnl_lock(NFNL_SUBSYS_CTNETLINK); 1502 rcu_read_lock(); 1503 return -EOPNOTSUPP; 1504 } 1505 nfnl_lock(NFNL_SUBSYS_CTNETLINK); 1506 rcu_read_lock(); 1507 nat_hook = rcu_dereference(nf_nat_hook); 1508 if (nat_hook) 1509 return -EAGAIN; 1510 #endif 1511 return -EOPNOTSUPP; 1512 } 1513 1514 err = nat_hook->parse_nat_setup(ct, manip, attr); 1515 if (err == -EAGAIN) { 1516 #ifdef CONFIG_MODULES 1517 rcu_read_unlock(); 1518 nfnl_unlock(NFNL_SUBSYS_CTNETLINK); 1519 if (request_module("nf-nat-%u", nf_ct_l3num(ct)) < 0) { 1520 nfnl_lock(NFNL_SUBSYS_CTNETLINK); 1521 rcu_read_lock(); 1522 return -EOPNOTSUPP; 1523 } 1524 nfnl_lock(NFNL_SUBSYS_CTNETLINK); 1525 rcu_read_lock(); 1526 #else 1527 err = -EOPNOTSUPP; 1528 #endif 1529 } 1530 return err; 1531 } 1532 #endif 1533 1534 static void 1535 __ctnetlink_change_status(struct nf_conn *ct, unsigned long on, 1536 unsigned long off) 1537 { 1538 unsigned int bit; 1539 1540 /* Ignore these unchangable bits */ 1541 on &= ~IPS_UNCHANGEABLE_MASK; 1542 off &= ~IPS_UNCHANGEABLE_MASK; 1543 1544 for (bit = 0; bit < __IPS_MAX_BIT; bit++) { 1545 if (on & (1 << bit)) 1546 set_bit(bit, &ct->status); 1547 else if (off & (1 << bit)) 1548 clear_bit(bit, &ct->status); 1549 } 1550 } 1551 1552 static int 1553 ctnetlink_change_status(struct nf_conn *ct, const struct nlattr * const cda[]) 1554 { 1555 unsigned long d; 1556 unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS])); 1557 d = ct->status ^ status; 1558 1559 if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING)) 1560 /* unchangeable */ 1561 return -EBUSY; 1562 1563 if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY)) 1564 /* SEEN_REPLY bit can only be set */ 1565 return -EBUSY; 1566 1567 if (d & IPS_ASSURED && !(status & IPS_ASSURED)) 1568 /* ASSURED bit can only be set */ 1569 return -EBUSY; 1570 1571 __ctnetlink_change_status(ct, status, 0); 1572 return 0; 1573 } 1574 1575 static int 1576 ctnetlink_setup_nat(struct nf_conn *ct, const struct nlattr * const cda[]) 1577 { 1578 #ifdef CONFIG_NF_NAT_NEEDED 1579 int ret; 1580 1581 if (!cda[CTA_NAT_DST] && !cda[CTA_NAT_SRC]) 1582 return 0; 1583 1584 ret = ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_DST, 1585 cda[CTA_NAT_DST]); 1586 if (ret < 0) 1587 return ret; 1588 1589 return ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_SRC, 1590 cda[CTA_NAT_SRC]); 1591 #else 1592 if (!cda[CTA_NAT_DST] && !cda[CTA_NAT_SRC]) 1593 return 0; 1594 return -EOPNOTSUPP; 1595 #endif 1596 } 1597 1598 static int ctnetlink_change_helper(struct nf_conn *ct, 1599 const struct nlattr * const cda[]) 1600 { 1601 struct nf_conntrack_helper *helper; 1602 struct nf_conn_help *help = nfct_help(ct); 1603 char *helpname = NULL; 1604 struct nlattr *helpinfo = NULL; 1605 int err; 1606 1607 err = ctnetlink_parse_help(cda[CTA_HELP], &helpname, &helpinfo); 1608 if (err < 0) 1609 return err; 1610 1611 /* don't change helper of sibling connections */ 1612 if (ct->master) { 1613 /* If we try to change the helper to the same thing twice, 1614 * treat the second attempt as a no-op instead of returning 1615 * an error. 1616 */ 1617 err = -EBUSY; 1618 if (help) { 1619 rcu_read_lock(); 1620 helper = rcu_dereference(help->helper); 1621 if (helper && !strcmp(helper->name, helpname)) 1622 err = 0; 1623 rcu_read_unlock(); 1624 } 1625 1626 return err; 1627 } 1628 1629 if (!strcmp(helpname, "")) { 1630 if (help && help->helper) { 1631 /* we had a helper before ... */ 1632 nf_ct_remove_expectations(ct); 1633 RCU_INIT_POINTER(help->helper, NULL); 1634 } 1635 1636 return 0; 1637 } 1638 1639 rcu_read_lock(); 1640 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct), 1641 nf_ct_protonum(ct)); 1642 if (helper == NULL) { 1643 rcu_read_unlock(); 1644 return -EOPNOTSUPP; 1645 } 1646 1647 if (help) { 1648 if (help->helper == helper) { 1649 /* update private helper data if allowed. */ 1650 if (helper->from_nlattr) 1651 helper->from_nlattr(helpinfo, ct); 1652 err = 0; 1653 } else 1654 err = -EBUSY; 1655 } else { 1656 /* we cannot set a helper for an existing conntrack */ 1657 err = -EOPNOTSUPP; 1658 } 1659 1660 rcu_read_unlock(); 1661 return err; 1662 } 1663 1664 static int ctnetlink_change_timeout(struct nf_conn *ct, 1665 const struct nlattr * const cda[]) 1666 { 1667 u64 timeout = (u64)ntohl(nla_get_be32(cda[CTA_TIMEOUT])) * HZ; 1668 1669 if (timeout > INT_MAX) 1670 timeout = INT_MAX; 1671 ct->timeout = nfct_time_stamp + (u32)timeout; 1672 1673 if (test_bit(IPS_DYING_BIT, &ct->status)) 1674 return -ETIME; 1675 1676 return 0; 1677 } 1678 1679 static const struct nla_policy protoinfo_policy[CTA_PROTOINFO_MAX+1] = { 1680 [CTA_PROTOINFO_TCP] = { .type = NLA_NESTED }, 1681 [CTA_PROTOINFO_DCCP] = { .type = NLA_NESTED }, 1682 [CTA_PROTOINFO_SCTP] = { .type = NLA_NESTED }, 1683 }; 1684 1685 static int ctnetlink_change_protoinfo(struct nf_conn *ct, 1686 const struct nlattr * const cda[]) 1687 { 1688 const struct nlattr *attr = cda[CTA_PROTOINFO]; 1689 const struct nf_conntrack_l4proto *l4proto; 1690 struct nlattr *tb[CTA_PROTOINFO_MAX+1]; 1691 int err = 0; 1692 1693 err = nla_parse_nested(tb, CTA_PROTOINFO_MAX, attr, protoinfo_policy, 1694 NULL); 1695 if (err < 0) 1696 return err; 1697 1698 rcu_read_lock(); 1699 l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct)); 1700 if (l4proto->from_nlattr) 1701 err = l4proto->from_nlattr(tb, ct); 1702 rcu_read_unlock(); 1703 1704 return err; 1705 } 1706 1707 static const struct nla_policy seqadj_policy[CTA_SEQADJ_MAX+1] = { 1708 [CTA_SEQADJ_CORRECTION_POS] = { .type = NLA_U32 }, 1709 [CTA_SEQADJ_OFFSET_BEFORE] = { .type = NLA_U32 }, 1710 [CTA_SEQADJ_OFFSET_AFTER] = { .type = NLA_U32 }, 1711 }; 1712 1713 static int change_seq_adj(struct nf_ct_seqadj *seq, 1714 const struct nlattr * const attr) 1715 { 1716 int err; 1717 struct nlattr *cda[CTA_SEQADJ_MAX+1]; 1718 1719 err = nla_parse_nested(cda, CTA_SEQADJ_MAX, attr, seqadj_policy, NULL); 1720 if (err < 0) 1721 return err; 1722 1723 if (!cda[CTA_SEQADJ_CORRECTION_POS]) 1724 return -EINVAL; 1725 1726 seq->correction_pos = 1727 ntohl(nla_get_be32(cda[CTA_SEQADJ_CORRECTION_POS])); 1728 1729 if (!cda[CTA_SEQADJ_OFFSET_BEFORE]) 1730 return -EINVAL; 1731 1732 seq->offset_before = 1733 ntohl(nla_get_be32(cda[CTA_SEQADJ_OFFSET_BEFORE])); 1734 1735 if (!cda[CTA_SEQADJ_OFFSET_AFTER]) 1736 return -EINVAL; 1737 1738 seq->offset_after = 1739 ntohl(nla_get_be32(cda[CTA_SEQADJ_OFFSET_AFTER])); 1740 1741 return 0; 1742 } 1743 1744 static int 1745 ctnetlink_change_seq_adj(struct nf_conn *ct, 1746 const struct nlattr * const cda[]) 1747 { 1748 struct nf_conn_seqadj *seqadj = nfct_seqadj(ct); 1749 int ret = 0; 1750 1751 if (!seqadj) 1752 return 0; 1753 1754 spin_lock_bh(&ct->lock); 1755 if (cda[CTA_SEQ_ADJ_ORIG]) { 1756 ret = change_seq_adj(&seqadj->seq[IP_CT_DIR_ORIGINAL], 1757 cda[CTA_SEQ_ADJ_ORIG]); 1758 if (ret < 0) 1759 goto err; 1760 1761 set_bit(IPS_SEQ_ADJUST_BIT, &ct->status); 1762 } 1763 1764 if (cda[CTA_SEQ_ADJ_REPLY]) { 1765 ret = change_seq_adj(&seqadj->seq[IP_CT_DIR_REPLY], 1766 cda[CTA_SEQ_ADJ_REPLY]); 1767 if (ret < 0) 1768 goto err; 1769 1770 set_bit(IPS_SEQ_ADJUST_BIT, &ct->status); 1771 } 1772 1773 spin_unlock_bh(&ct->lock); 1774 return 0; 1775 err: 1776 spin_unlock_bh(&ct->lock); 1777 return ret; 1778 } 1779 1780 static const struct nla_policy synproxy_policy[CTA_SYNPROXY_MAX + 1] = { 1781 [CTA_SYNPROXY_ISN] = { .type = NLA_U32 }, 1782 [CTA_SYNPROXY_ITS] = { .type = NLA_U32 }, 1783 [CTA_SYNPROXY_TSOFF] = { .type = NLA_U32 }, 1784 }; 1785 1786 static int ctnetlink_change_synproxy(struct nf_conn *ct, 1787 const struct nlattr * const cda[]) 1788 { 1789 struct nf_conn_synproxy *synproxy = nfct_synproxy(ct); 1790 struct nlattr *tb[CTA_SYNPROXY_MAX + 1]; 1791 int err; 1792 1793 if (!synproxy) 1794 return 0; 1795 1796 err = nla_parse_nested(tb, CTA_SYNPROXY_MAX, cda[CTA_SYNPROXY], 1797 synproxy_policy, NULL); 1798 if (err < 0) 1799 return err; 1800 1801 if (!tb[CTA_SYNPROXY_ISN] || 1802 !tb[CTA_SYNPROXY_ITS] || 1803 !tb[CTA_SYNPROXY_TSOFF]) 1804 return -EINVAL; 1805 1806 synproxy->isn = ntohl(nla_get_be32(tb[CTA_SYNPROXY_ISN])); 1807 synproxy->its = ntohl(nla_get_be32(tb[CTA_SYNPROXY_ITS])); 1808 synproxy->tsoff = ntohl(nla_get_be32(tb[CTA_SYNPROXY_TSOFF])); 1809 1810 return 0; 1811 } 1812 1813 static int 1814 ctnetlink_attach_labels(struct nf_conn *ct, const struct nlattr * const cda[]) 1815 { 1816 #ifdef CONFIG_NF_CONNTRACK_LABELS 1817 size_t len = nla_len(cda[CTA_LABELS]); 1818 const void *mask = cda[CTA_LABELS_MASK]; 1819 1820 if (len & (sizeof(u32)-1)) /* must be multiple of u32 */ 1821 return -EINVAL; 1822 1823 if (mask) { 1824 if (nla_len(cda[CTA_LABELS_MASK]) == 0 || 1825 nla_len(cda[CTA_LABELS_MASK]) != len) 1826 return -EINVAL; 1827 mask = nla_data(cda[CTA_LABELS_MASK]); 1828 } 1829 1830 len /= sizeof(u32); 1831 1832 return nf_connlabels_replace(ct, nla_data(cda[CTA_LABELS]), mask, len); 1833 #else 1834 return -EOPNOTSUPP; 1835 #endif 1836 } 1837 1838 static int 1839 ctnetlink_change_conntrack(struct nf_conn *ct, 1840 const struct nlattr * const cda[]) 1841 { 1842 int err; 1843 1844 /* only allow NAT changes and master assignation for new conntracks */ 1845 if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST] || cda[CTA_TUPLE_MASTER]) 1846 return -EOPNOTSUPP; 1847 1848 if (cda[CTA_HELP]) { 1849 err = ctnetlink_change_helper(ct, cda); 1850 if (err < 0) 1851 return err; 1852 } 1853 1854 if (cda[CTA_TIMEOUT]) { 1855 err = ctnetlink_change_timeout(ct, cda); 1856 if (err < 0) 1857 return err; 1858 } 1859 1860 if (cda[CTA_STATUS]) { 1861 err = ctnetlink_change_status(ct, cda); 1862 if (err < 0) 1863 return err; 1864 } 1865 1866 if (cda[CTA_PROTOINFO]) { 1867 err = ctnetlink_change_protoinfo(ct, cda); 1868 if (err < 0) 1869 return err; 1870 } 1871 1872 #if defined(CONFIG_NF_CONNTRACK_MARK) 1873 if (cda[CTA_MARK]) 1874 ct->mark = ntohl(nla_get_be32(cda[CTA_MARK])); 1875 #endif 1876 1877 if (cda[CTA_SEQ_ADJ_ORIG] || cda[CTA_SEQ_ADJ_REPLY]) { 1878 err = ctnetlink_change_seq_adj(ct, cda); 1879 if (err < 0) 1880 return err; 1881 } 1882 1883 if (cda[CTA_SYNPROXY]) { 1884 err = ctnetlink_change_synproxy(ct, cda); 1885 if (err < 0) 1886 return err; 1887 } 1888 1889 if (cda[CTA_LABELS]) { 1890 err = ctnetlink_attach_labels(ct, cda); 1891 if (err < 0) 1892 return err; 1893 } 1894 1895 return 0; 1896 } 1897 1898 static struct nf_conn * 1899 ctnetlink_create_conntrack(struct net *net, 1900 const struct nf_conntrack_zone *zone, 1901 const struct nlattr * const cda[], 1902 struct nf_conntrack_tuple *otuple, 1903 struct nf_conntrack_tuple *rtuple, 1904 u8 u3) 1905 { 1906 struct nf_conn *ct; 1907 int err = -EINVAL; 1908 struct nf_conntrack_helper *helper; 1909 struct nf_conn_tstamp *tstamp; 1910 u64 timeout; 1911 1912 ct = nf_conntrack_alloc(net, zone, otuple, rtuple, GFP_ATOMIC); 1913 if (IS_ERR(ct)) 1914 return ERR_PTR(-ENOMEM); 1915 1916 if (!cda[CTA_TIMEOUT]) 1917 goto err1; 1918 1919 timeout = (u64)ntohl(nla_get_be32(cda[CTA_TIMEOUT])) * HZ; 1920 if (timeout > INT_MAX) 1921 timeout = INT_MAX; 1922 ct->timeout = (u32)timeout + nfct_time_stamp; 1923 1924 rcu_read_lock(); 1925 if (cda[CTA_HELP]) { 1926 char *helpname = NULL; 1927 struct nlattr *helpinfo = NULL; 1928 1929 err = ctnetlink_parse_help(cda[CTA_HELP], &helpname, &helpinfo); 1930 if (err < 0) 1931 goto err2; 1932 1933 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct), 1934 nf_ct_protonum(ct)); 1935 if (helper == NULL) { 1936 rcu_read_unlock(); 1937 #ifdef CONFIG_MODULES 1938 if (request_module("nfct-helper-%s", helpname) < 0) { 1939 err = -EOPNOTSUPP; 1940 goto err1; 1941 } 1942 1943 rcu_read_lock(); 1944 helper = __nf_conntrack_helper_find(helpname, 1945 nf_ct_l3num(ct), 1946 nf_ct_protonum(ct)); 1947 if (helper) { 1948 err = -EAGAIN; 1949 goto err2; 1950 } 1951 rcu_read_unlock(); 1952 #endif 1953 err = -EOPNOTSUPP; 1954 goto err1; 1955 } else { 1956 struct nf_conn_help *help; 1957 1958 help = nf_ct_helper_ext_add(ct, GFP_ATOMIC); 1959 if (help == NULL) { 1960 err = -ENOMEM; 1961 goto err2; 1962 } 1963 /* set private helper data if allowed. */ 1964 if (helper->from_nlattr) 1965 helper->from_nlattr(helpinfo, ct); 1966 1967 /* not in hash table yet so not strictly necessary */ 1968 RCU_INIT_POINTER(help->helper, helper); 1969 } 1970 } else { 1971 /* try an implicit helper assignation */ 1972 err = __nf_ct_try_assign_helper(ct, NULL, GFP_ATOMIC); 1973 if (err < 0) 1974 goto err2; 1975 } 1976 1977 err = ctnetlink_setup_nat(ct, cda); 1978 if (err < 0) 1979 goto err2; 1980 1981 nf_ct_acct_ext_add(ct, GFP_ATOMIC); 1982 nf_ct_tstamp_ext_add(ct, GFP_ATOMIC); 1983 nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC); 1984 nf_ct_labels_ext_add(ct); 1985 nfct_seqadj_ext_add(ct); 1986 nfct_synproxy_ext_add(ct); 1987 1988 /* we must add conntrack extensions before confirmation. */ 1989 ct->status |= IPS_CONFIRMED; 1990 1991 if (cda[CTA_STATUS]) { 1992 err = ctnetlink_change_status(ct, cda); 1993 if (err < 0) 1994 goto err2; 1995 } 1996 1997 if (cda[CTA_SEQ_ADJ_ORIG] || cda[CTA_SEQ_ADJ_REPLY]) { 1998 err = ctnetlink_change_seq_adj(ct, cda); 1999 if (err < 0) 2000 goto err2; 2001 } 2002 2003 memset(&ct->proto, 0, sizeof(ct->proto)); 2004 if (cda[CTA_PROTOINFO]) { 2005 err = ctnetlink_change_protoinfo(ct, cda); 2006 if (err < 0) 2007 goto err2; 2008 } 2009 2010 if (cda[CTA_SYNPROXY]) { 2011 err = ctnetlink_change_synproxy(ct, cda); 2012 if (err < 0) 2013 goto err2; 2014 } 2015 2016 #if defined(CONFIG_NF_CONNTRACK_MARK) 2017 if (cda[CTA_MARK]) 2018 ct->mark = ntohl(nla_get_be32(cda[CTA_MARK])); 2019 #endif 2020 2021 /* setup master conntrack: this is a confirmed expectation */ 2022 if (cda[CTA_TUPLE_MASTER]) { 2023 struct nf_conntrack_tuple master; 2024 struct nf_conntrack_tuple_hash *master_h; 2025 struct nf_conn *master_ct; 2026 2027 err = ctnetlink_parse_tuple(cda, &master, CTA_TUPLE_MASTER, 2028 u3, NULL); 2029 if (err < 0) 2030 goto err2; 2031 2032 master_h = nf_conntrack_find_get(net, zone, &master); 2033 if (master_h == NULL) { 2034 err = -ENOENT; 2035 goto err2; 2036 } 2037 master_ct = nf_ct_tuplehash_to_ctrack(master_h); 2038 __set_bit(IPS_EXPECTED_BIT, &ct->status); 2039 ct->master = master_ct; 2040 } 2041 tstamp = nf_conn_tstamp_find(ct); 2042 if (tstamp) 2043 tstamp->start = ktime_get_real_ns(); 2044 2045 err = nf_conntrack_hash_check_insert(ct); 2046 if (err < 0) 2047 goto err2; 2048 2049 rcu_read_unlock(); 2050 2051 return ct; 2052 2053 err2: 2054 rcu_read_unlock(); 2055 err1: 2056 nf_conntrack_free(ct); 2057 return ERR_PTR(err); 2058 } 2059 2060 static int ctnetlink_new_conntrack(struct net *net, struct sock *ctnl, 2061 struct sk_buff *skb, 2062 const struct nlmsghdr *nlh, 2063 const struct nlattr * const cda[], 2064 struct netlink_ext_ack *extack) 2065 { 2066 struct nf_conntrack_tuple otuple, rtuple; 2067 struct nf_conntrack_tuple_hash *h = NULL; 2068 struct nfgenmsg *nfmsg = nlmsg_data(nlh); 2069 struct nf_conn *ct; 2070 u_int8_t u3 = nfmsg->nfgen_family; 2071 struct nf_conntrack_zone zone; 2072 int err; 2073 2074 err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone); 2075 if (err < 0) 2076 return err; 2077 2078 if (cda[CTA_TUPLE_ORIG]) { 2079 err = ctnetlink_parse_tuple(cda, &otuple, CTA_TUPLE_ORIG, 2080 u3, &zone); 2081 if (err < 0) 2082 return err; 2083 } 2084 2085 if (cda[CTA_TUPLE_REPLY]) { 2086 err = ctnetlink_parse_tuple(cda, &rtuple, CTA_TUPLE_REPLY, 2087 u3, &zone); 2088 if (err < 0) 2089 return err; 2090 } 2091 2092 if (cda[CTA_TUPLE_ORIG]) 2093 h = nf_conntrack_find_get(net, &zone, &otuple); 2094 else if (cda[CTA_TUPLE_REPLY]) 2095 h = nf_conntrack_find_get(net, &zone, &rtuple); 2096 2097 if (h == NULL) { 2098 err = -ENOENT; 2099 if (nlh->nlmsg_flags & NLM_F_CREATE) { 2100 enum ip_conntrack_events events; 2101 2102 if (!cda[CTA_TUPLE_ORIG] || !cda[CTA_TUPLE_REPLY]) 2103 return -EINVAL; 2104 if (otuple.dst.protonum != rtuple.dst.protonum) 2105 return -EINVAL; 2106 2107 ct = ctnetlink_create_conntrack(net, &zone, cda, &otuple, 2108 &rtuple, u3); 2109 if (IS_ERR(ct)) 2110 return PTR_ERR(ct); 2111 2112 err = 0; 2113 if (test_bit(IPS_EXPECTED_BIT, &ct->status)) 2114 events = 1 << IPCT_RELATED; 2115 else 2116 events = 1 << IPCT_NEW; 2117 2118 if (cda[CTA_LABELS] && 2119 ctnetlink_attach_labels(ct, cda) == 0) 2120 events |= (1 << IPCT_LABEL); 2121 2122 nf_conntrack_eventmask_report((1 << IPCT_REPLY) | 2123 (1 << IPCT_ASSURED) | 2124 (1 << IPCT_HELPER) | 2125 (1 << IPCT_PROTOINFO) | 2126 (1 << IPCT_SEQADJ) | 2127 (1 << IPCT_MARK) | 2128 (1 << IPCT_SYNPROXY) | 2129 events, 2130 ct, NETLINK_CB(skb).portid, 2131 nlmsg_report(nlh)); 2132 nf_ct_put(ct); 2133 } 2134 2135 return err; 2136 } 2137 /* implicit 'else' */ 2138 2139 err = -EEXIST; 2140 ct = nf_ct_tuplehash_to_ctrack(h); 2141 if (!(nlh->nlmsg_flags & NLM_F_EXCL)) { 2142 err = ctnetlink_change_conntrack(ct, cda); 2143 if (err == 0) { 2144 nf_conntrack_eventmask_report((1 << IPCT_REPLY) | 2145 (1 << IPCT_ASSURED) | 2146 (1 << IPCT_HELPER) | 2147 (1 << IPCT_LABEL) | 2148 (1 << IPCT_PROTOINFO) | 2149 (1 << IPCT_SEQADJ) | 2150 (1 << IPCT_MARK) | 2151 (1 << IPCT_SYNPROXY), 2152 ct, NETLINK_CB(skb).portid, 2153 nlmsg_report(nlh)); 2154 } 2155 } 2156 2157 nf_ct_put(ct); 2158 return err; 2159 } 2160 2161 static int 2162 ctnetlink_ct_stat_cpu_fill_info(struct sk_buff *skb, u32 portid, u32 seq, 2163 __u16 cpu, const struct ip_conntrack_stat *st) 2164 { 2165 struct nlmsghdr *nlh; 2166 struct nfgenmsg *nfmsg; 2167 unsigned int flags = portid ? NLM_F_MULTI : 0, event; 2168 2169 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, 2170 IPCTNL_MSG_CT_GET_STATS_CPU); 2171 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); 2172 if (nlh == NULL) 2173 goto nlmsg_failure; 2174 2175 nfmsg = nlmsg_data(nlh); 2176 nfmsg->nfgen_family = AF_UNSPEC; 2177 nfmsg->version = NFNETLINK_V0; 2178 nfmsg->res_id = htons(cpu); 2179 2180 if (nla_put_be32(skb, CTA_STATS_FOUND, htonl(st->found)) || 2181 nla_put_be32(skb, CTA_STATS_INVALID, htonl(st->invalid)) || 2182 nla_put_be32(skb, CTA_STATS_IGNORE, htonl(st->ignore)) || 2183 nla_put_be32(skb, CTA_STATS_INSERT, htonl(st->insert)) || 2184 nla_put_be32(skb, CTA_STATS_INSERT_FAILED, 2185 htonl(st->insert_failed)) || 2186 nla_put_be32(skb, CTA_STATS_DROP, htonl(st->drop)) || 2187 nla_put_be32(skb, CTA_STATS_EARLY_DROP, htonl(st->early_drop)) || 2188 nla_put_be32(skb, CTA_STATS_ERROR, htonl(st->error)) || 2189 nla_put_be32(skb, CTA_STATS_SEARCH_RESTART, 2190 htonl(st->search_restart))) 2191 goto nla_put_failure; 2192 2193 nlmsg_end(skb, nlh); 2194 return skb->len; 2195 2196 nla_put_failure: 2197 nlmsg_failure: 2198 nlmsg_cancel(skb, nlh); 2199 return -1; 2200 } 2201 2202 static int 2203 ctnetlink_ct_stat_cpu_dump(struct sk_buff *skb, struct netlink_callback *cb) 2204 { 2205 int cpu; 2206 struct net *net = sock_net(skb->sk); 2207 2208 if (cb->args[0] == nr_cpu_ids) 2209 return 0; 2210 2211 for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) { 2212 const struct ip_conntrack_stat *st; 2213 2214 if (!cpu_possible(cpu)) 2215 continue; 2216 2217 st = per_cpu_ptr(net->ct.stat, cpu); 2218 if (ctnetlink_ct_stat_cpu_fill_info(skb, 2219 NETLINK_CB(cb->skb).portid, 2220 cb->nlh->nlmsg_seq, 2221 cpu, st) < 0) 2222 break; 2223 } 2224 cb->args[0] = cpu; 2225 2226 return skb->len; 2227 } 2228 2229 static int ctnetlink_stat_ct_cpu(struct net *net, struct sock *ctnl, 2230 struct sk_buff *skb, 2231 const struct nlmsghdr *nlh, 2232 const struct nlattr * const cda[], 2233 struct netlink_ext_ack *extack) 2234 { 2235 if (nlh->nlmsg_flags & NLM_F_DUMP) { 2236 struct netlink_dump_control c = { 2237 .dump = ctnetlink_ct_stat_cpu_dump, 2238 }; 2239 return netlink_dump_start(ctnl, skb, nlh, &c); 2240 } 2241 2242 return 0; 2243 } 2244 2245 static int 2246 ctnetlink_stat_ct_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type, 2247 struct net *net) 2248 { 2249 struct nlmsghdr *nlh; 2250 struct nfgenmsg *nfmsg; 2251 unsigned int flags = portid ? NLM_F_MULTI : 0, event; 2252 unsigned int nr_conntracks = atomic_read(&net->ct.count); 2253 2254 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, IPCTNL_MSG_CT_GET_STATS); 2255 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); 2256 if (nlh == NULL) 2257 goto nlmsg_failure; 2258 2259 nfmsg = nlmsg_data(nlh); 2260 nfmsg->nfgen_family = AF_UNSPEC; 2261 nfmsg->version = NFNETLINK_V0; 2262 nfmsg->res_id = 0; 2263 2264 if (nla_put_be32(skb, CTA_STATS_GLOBAL_ENTRIES, htonl(nr_conntracks))) 2265 goto nla_put_failure; 2266 2267 if (nla_put_be32(skb, CTA_STATS_GLOBAL_MAX_ENTRIES, htonl(nf_conntrack_max))) 2268 goto nla_put_failure; 2269 2270 nlmsg_end(skb, nlh); 2271 return skb->len; 2272 2273 nla_put_failure: 2274 nlmsg_failure: 2275 nlmsg_cancel(skb, nlh); 2276 return -1; 2277 } 2278 2279 static int ctnetlink_stat_ct(struct net *net, struct sock *ctnl, 2280 struct sk_buff *skb, const struct nlmsghdr *nlh, 2281 const struct nlattr * const cda[], 2282 struct netlink_ext_ack *extack) 2283 { 2284 struct sk_buff *skb2; 2285 int err; 2286 2287 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); 2288 if (skb2 == NULL) 2289 return -ENOMEM; 2290 2291 err = ctnetlink_stat_ct_fill_info(skb2, NETLINK_CB(skb).portid, 2292 nlh->nlmsg_seq, 2293 NFNL_MSG_TYPE(nlh->nlmsg_type), 2294 sock_net(skb->sk)); 2295 if (err <= 0) 2296 goto free; 2297 2298 err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT); 2299 if (err < 0) 2300 goto out; 2301 2302 return 0; 2303 2304 free: 2305 kfree_skb(skb2); 2306 out: 2307 /* this avoids a loop in nfnetlink. */ 2308 return err == -EAGAIN ? -ENOBUFS : err; 2309 } 2310 2311 static const struct nla_policy exp_nla_policy[CTA_EXPECT_MAX+1] = { 2312 [CTA_EXPECT_MASTER] = { .type = NLA_NESTED }, 2313 [CTA_EXPECT_TUPLE] = { .type = NLA_NESTED }, 2314 [CTA_EXPECT_MASK] = { .type = NLA_NESTED }, 2315 [CTA_EXPECT_TIMEOUT] = { .type = NLA_U32 }, 2316 [CTA_EXPECT_ID] = { .type = NLA_U32 }, 2317 [CTA_EXPECT_HELP_NAME] = { .type = NLA_NUL_STRING, 2318 .len = NF_CT_HELPER_NAME_LEN - 1 }, 2319 [CTA_EXPECT_ZONE] = { .type = NLA_U16 }, 2320 [CTA_EXPECT_FLAGS] = { .type = NLA_U32 }, 2321 [CTA_EXPECT_CLASS] = { .type = NLA_U32 }, 2322 [CTA_EXPECT_NAT] = { .type = NLA_NESTED }, 2323 [CTA_EXPECT_FN] = { .type = NLA_NUL_STRING }, 2324 }; 2325 2326 static struct nf_conntrack_expect * 2327 ctnetlink_alloc_expect(const struct nlattr *const cda[], struct nf_conn *ct, 2328 struct nf_conntrack_helper *helper, 2329 struct nf_conntrack_tuple *tuple, 2330 struct nf_conntrack_tuple *mask); 2331 2332 #ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT 2333 static size_t 2334 ctnetlink_glue_build_size(const struct nf_conn *ct) 2335 { 2336 return 3 * nla_total_size(0) /* CTA_TUPLE_ORIG|REPL|MASTER */ 2337 + 3 * nla_total_size(0) /* CTA_TUPLE_IP */ 2338 + 3 * nla_total_size(0) /* CTA_TUPLE_PROTO */ 2339 + 3 * nla_total_size(sizeof(u_int8_t)) /* CTA_PROTO_NUM */ 2340 + nla_total_size(sizeof(u_int32_t)) /* CTA_ID */ 2341 + nla_total_size(sizeof(u_int32_t)) /* CTA_STATUS */ 2342 + nla_total_size(sizeof(u_int32_t)) /* CTA_TIMEOUT */ 2343 + nla_total_size(0) /* CTA_PROTOINFO */ 2344 + nla_total_size(0) /* CTA_HELP */ 2345 + nla_total_size(NF_CT_HELPER_NAME_LEN) /* CTA_HELP_NAME */ 2346 + ctnetlink_secctx_size(ct) 2347 #ifdef CONFIG_NF_NAT_NEEDED 2348 + 2 * nla_total_size(0) /* CTA_NAT_SEQ_ADJ_ORIG|REPL */ 2349 + 6 * nla_total_size(sizeof(u_int32_t)) /* CTA_NAT_SEQ_OFFSET */ 2350 #endif 2351 #ifdef CONFIG_NF_CONNTRACK_MARK 2352 + nla_total_size(sizeof(u_int32_t)) /* CTA_MARK */ 2353 #endif 2354 #ifdef CONFIG_NF_CONNTRACK_ZONES 2355 + nla_total_size(sizeof(u_int16_t)) /* CTA_ZONE|CTA_TUPLE_ZONE */ 2356 #endif 2357 + ctnetlink_proto_size(ct) 2358 ; 2359 } 2360 2361 static struct nf_conn *ctnetlink_glue_get_ct(const struct sk_buff *skb, 2362 enum ip_conntrack_info *ctinfo) 2363 { 2364 return nf_ct_get(skb, ctinfo); 2365 } 2366 2367 static int __ctnetlink_glue_build(struct sk_buff *skb, struct nf_conn *ct) 2368 { 2369 const struct nf_conntrack_zone *zone; 2370 struct nlattr *nest_parms; 2371 2372 zone = nf_ct_zone(ct); 2373 2374 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED); 2375 if (!nest_parms) 2376 goto nla_put_failure; 2377 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0) 2378 goto nla_put_failure; 2379 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone, 2380 NF_CT_ZONE_DIR_ORIG) < 0) 2381 goto nla_put_failure; 2382 nla_nest_end(skb, nest_parms); 2383 2384 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY | NLA_F_NESTED); 2385 if (!nest_parms) 2386 goto nla_put_failure; 2387 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0) 2388 goto nla_put_failure; 2389 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone, 2390 NF_CT_ZONE_DIR_REPL) < 0) 2391 goto nla_put_failure; 2392 nla_nest_end(skb, nest_parms); 2393 2394 if (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone, 2395 NF_CT_DEFAULT_ZONE_DIR) < 0) 2396 goto nla_put_failure; 2397 2398 if (ctnetlink_dump_id(skb, ct) < 0) 2399 goto nla_put_failure; 2400 2401 if (ctnetlink_dump_status(skb, ct) < 0) 2402 goto nla_put_failure; 2403 2404 if (ctnetlink_dump_timeout(skb, ct) < 0) 2405 goto nla_put_failure; 2406 2407 if (ctnetlink_dump_protoinfo(skb, ct) < 0) 2408 goto nla_put_failure; 2409 2410 if (ctnetlink_dump_helpinfo(skb, ct) < 0) 2411 goto nla_put_failure; 2412 2413 #ifdef CONFIG_NF_CONNTRACK_SECMARK 2414 if (ct->secmark && ctnetlink_dump_secctx(skb, ct) < 0) 2415 goto nla_put_failure; 2416 #endif 2417 if (ct->master && ctnetlink_dump_master(skb, ct) < 0) 2418 goto nla_put_failure; 2419 2420 if ((ct->status & IPS_SEQ_ADJUST) && 2421 ctnetlink_dump_ct_seq_adj(skb, ct) < 0) 2422 goto nla_put_failure; 2423 2424 if (ctnetlink_dump_ct_synproxy(skb, ct) < 0) 2425 goto nla_put_failure; 2426 2427 #ifdef CONFIG_NF_CONNTRACK_MARK 2428 if (ct->mark && ctnetlink_dump_mark(skb, ct) < 0) 2429 goto nla_put_failure; 2430 #endif 2431 if (ctnetlink_dump_labels(skb, ct) < 0) 2432 goto nla_put_failure; 2433 return 0; 2434 2435 nla_put_failure: 2436 return -ENOSPC; 2437 } 2438 2439 static int 2440 ctnetlink_glue_build(struct sk_buff *skb, struct nf_conn *ct, 2441 enum ip_conntrack_info ctinfo, 2442 u_int16_t ct_attr, u_int16_t ct_info_attr) 2443 { 2444 struct nlattr *nest_parms; 2445 2446 nest_parms = nla_nest_start(skb, ct_attr | NLA_F_NESTED); 2447 if (!nest_parms) 2448 goto nla_put_failure; 2449 2450 if (__ctnetlink_glue_build(skb, ct) < 0) 2451 goto nla_put_failure; 2452 2453 nla_nest_end(skb, nest_parms); 2454 2455 if (nla_put_be32(skb, ct_info_attr, htonl(ctinfo))) 2456 goto nla_put_failure; 2457 2458 return 0; 2459 2460 nla_put_failure: 2461 return -ENOSPC; 2462 } 2463 2464 static int 2465 ctnetlink_update_status(struct nf_conn *ct, const struct nlattr * const cda[]) 2466 { 2467 unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS])); 2468 unsigned long d = ct->status ^ status; 2469 2470 if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY)) 2471 /* SEEN_REPLY bit can only be set */ 2472 return -EBUSY; 2473 2474 if (d & IPS_ASSURED && !(status & IPS_ASSURED)) 2475 /* ASSURED bit can only be set */ 2476 return -EBUSY; 2477 2478 /* This check is less strict than ctnetlink_change_status() 2479 * because callers often flip IPS_EXPECTED bits when sending 2480 * an NFQA_CT attribute to the kernel. So ignore the 2481 * unchangeable bits but do not error out. Also user programs 2482 * are allowed to clear the bits that they are allowed to change. 2483 */ 2484 __ctnetlink_change_status(ct, status, ~status); 2485 return 0; 2486 } 2487 2488 static int 2489 ctnetlink_glue_parse_ct(const struct nlattr *cda[], struct nf_conn *ct) 2490 { 2491 int err; 2492 2493 if (cda[CTA_TIMEOUT]) { 2494 err = ctnetlink_change_timeout(ct, cda); 2495 if (err < 0) 2496 return err; 2497 } 2498 if (cda[CTA_STATUS]) { 2499 err = ctnetlink_update_status(ct, cda); 2500 if (err < 0) 2501 return err; 2502 } 2503 if (cda[CTA_HELP]) { 2504 err = ctnetlink_change_helper(ct, cda); 2505 if (err < 0) 2506 return err; 2507 } 2508 if (cda[CTA_LABELS]) { 2509 err = ctnetlink_attach_labels(ct, cda); 2510 if (err < 0) 2511 return err; 2512 } 2513 #if defined(CONFIG_NF_CONNTRACK_MARK) 2514 if (cda[CTA_MARK]) { 2515 u32 mask = 0, mark, newmark; 2516 if (cda[CTA_MARK_MASK]) 2517 mask = ~ntohl(nla_get_be32(cda[CTA_MARK_MASK])); 2518 2519 mark = ntohl(nla_get_be32(cda[CTA_MARK])); 2520 newmark = (ct->mark & mask) ^ mark; 2521 if (newmark != ct->mark) 2522 ct->mark = newmark; 2523 } 2524 #endif 2525 return 0; 2526 } 2527 2528 static int 2529 ctnetlink_glue_parse(const struct nlattr *attr, struct nf_conn *ct) 2530 { 2531 struct nlattr *cda[CTA_MAX+1]; 2532 int ret; 2533 2534 ret = nla_parse_nested(cda, CTA_MAX, attr, ct_nla_policy, NULL); 2535 if (ret < 0) 2536 return ret; 2537 2538 return ctnetlink_glue_parse_ct((const struct nlattr **)cda, ct); 2539 } 2540 2541 static int ctnetlink_glue_exp_parse(const struct nlattr * const *cda, 2542 const struct nf_conn *ct, 2543 struct nf_conntrack_tuple *tuple, 2544 struct nf_conntrack_tuple *mask) 2545 { 2546 int err; 2547 2548 err = ctnetlink_parse_tuple(cda, tuple, CTA_EXPECT_TUPLE, 2549 nf_ct_l3num(ct), NULL); 2550 if (err < 0) 2551 return err; 2552 2553 return ctnetlink_parse_tuple(cda, mask, CTA_EXPECT_MASK, 2554 nf_ct_l3num(ct), NULL); 2555 } 2556 2557 static int 2558 ctnetlink_glue_attach_expect(const struct nlattr *attr, struct nf_conn *ct, 2559 u32 portid, u32 report) 2560 { 2561 struct nlattr *cda[CTA_EXPECT_MAX+1]; 2562 struct nf_conntrack_tuple tuple, mask; 2563 struct nf_conntrack_helper *helper = NULL; 2564 struct nf_conntrack_expect *exp; 2565 int err; 2566 2567 err = nla_parse_nested(cda, CTA_EXPECT_MAX, attr, exp_nla_policy, 2568 NULL); 2569 if (err < 0) 2570 return err; 2571 2572 err = ctnetlink_glue_exp_parse((const struct nlattr * const *)cda, 2573 ct, &tuple, &mask); 2574 if (err < 0) 2575 return err; 2576 2577 if (cda[CTA_EXPECT_HELP_NAME]) { 2578 const char *helpname = nla_data(cda[CTA_EXPECT_HELP_NAME]); 2579 2580 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct), 2581 nf_ct_protonum(ct)); 2582 if (helper == NULL) 2583 return -EOPNOTSUPP; 2584 } 2585 2586 exp = ctnetlink_alloc_expect((const struct nlattr * const *)cda, ct, 2587 helper, &tuple, &mask); 2588 if (IS_ERR(exp)) 2589 return PTR_ERR(exp); 2590 2591 err = nf_ct_expect_related_report(exp, portid, report); 2592 nf_ct_expect_put(exp); 2593 return err; 2594 } 2595 2596 static void ctnetlink_glue_seqadj(struct sk_buff *skb, struct nf_conn *ct, 2597 enum ip_conntrack_info ctinfo, int diff) 2598 { 2599 if (!(ct->status & IPS_NAT_MASK)) 2600 return; 2601 2602 nf_ct_tcp_seqadj_set(skb, ct, ctinfo, diff); 2603 } 2604 2605 static struct nfnl_ct_hook ctnetlink_glue_hook = { 2606 .get_ct = ctnetlink_glue_get_ct, 2607 .build_size = ctnetlink_glue_build_size, 2608 .build = ctnetlink_glue_build, 2609 .parse = ctnetlink_glue_parse, 2610 .attach_expect = ctnetlink_glue_attach_expect, 2611 .seq_adjust = ctnetlink_glue_seqadj, 2612 }; 2613 #endif /* CONFIG_NETFILTER_NETLINK_GLUE_CT */ 2614 2615 /*********************************************************************** 2616 * EXPECT 2617 ***********************************************************************/ 2618 2619 static int ctnetlink_exp_dump_tuple(struct sk_buff *skb, 2620 const struct nf_conntrack_tuple *tuple, 2621 u32 type) 2622 { 2623 struct nlattr *nest_parms; 2624 2625 nest_parms = nla_nest_start(skb, type | NLA_F_NESTED); 2626 if (!nest_parms) 2627 goto nla_put_failure; 2628 if (ctnetlink_dump_tuples(skb, tuple) < 0) 2629 goto nla_put_failure; 2630 nla_nest_end(skb, nest_parms); 2631 2632 return 0; 2633 2634 nla_put_failure: 2635 return -1; 2636 } 2637 2638 static int ctnetlink_exp_dump_mask(struct sk_buff *skb, 2639 const struct nf_conntrack_tuple *tuple, 2640 const struct nf_conntrack_tuple_mask *mask) 2641 { 2642 const struct nf_conntrack_l4proto *l4proto; 2643 struct nf_conntrack_tuple m; 2644 struct nlattr *nest_parms; 2645 int ret; 2646 2647 memset(&m, 0xFF, sizeof(m)); 2648 memcpy(&m.src.u3, &mask->src.u3, sizeof(m.src.u3)); 2649 m.src.u.all = mask->src.u.all; 2650 m.dst.protonum = tuple->dst.protonum; 2651 2652 nest_parms = nla_nest_start(skb, CTA_EXPECT_MASK | NLA_F_NESTED); 2653 if (!nest_parms) 2654 goto nla_put_failure; 2655 2656 rcu_read_lock(); 2657 ret = ctnetlink_dump_tuples_ip(skb, &m); 2658 if (ret >= 0) { 2659 l4proto = __nf_ct_l4proto_find(tuple->src.l3num, 2660 tuple->dst.protonum); 2661 ret = ctnetlink_dump_tuples_proto(skb, &m, l4proto); 2662 } 2663 rcu_read_unlock(); 2664 2665 if (unlikely(ret < 0)) 2666 goto nla_put_failure; 2667 2668 nla_nest_end(skb, nest_parms); 2669 2670 return 0; 2671 2672 nla_put_failure: 2673 return -1; 2674 } 2675 2676 static const union nf_inet_addr any_addr; 2677 2678 static int 2679 ctnetlink_exp_dump_expect(struct sk_buff *skb, 2680 const struct nf_conntrack_expect *exp) 2681 { 2682 struct nf_conn *master = exp->master; 2683 long timeout = ((long)exp->timeout.expires - (long)jiffies) / HZ; 2684 struct nf_conn_help *help; 2685 #ifdef CONFIG_NF_NAT_NEEDED 2686 struct nlattr *nest_parms; 2687 struct nf_conntrack_tuple nat_tuple = {}; 2688 #endif 2689 struct nf_ct_helper_expectfn *expfn; 2690 2691 if (timeout < 0) 2692 timeout = 0; 2693 2694 if (ctnetlink_exp_dump_tuple(skb, &exp->tuple, CTA_EXPECT_TUPLE) < 0) 2695 goto nla_put_failure; 2696 if (ctnetlink_exp_dump_mask(skb, &exp->tuple, &exp->mask) < 0) 2697 goto nla_put_failure; 2698 if (ctnetlink_exp_dump_tuple(skb, 2699 &master->tuplehash[IP_CT_DIR_ORIGINAL].tuple, 2700 CTA_EXPECT_MASTER) < 0) 2701 goto nla_put_failure; 2702 2703 #ifdef CONFIG_NF_NAT_NEEDED 2704 if (!nf_inet_addr_cmp(&exp->saved_addr, &any_addr) || 2705 exp->saved_proto.all) { 2706 nest_parms = nla_nest_start(skb, CTA_EXPECT_NAT | NLA_F_NESTED); 2707 if (!nest_parms) 2708 goto nla_put_failure; 2709 2710 if (nla_put_be32(skb, CTA_EXPECT_NAT_DIR, htonl(exp->dir))) 2711 goto nla_put_failure; 2712 2713 nat_tuple.src.l3num = nf_ct_l3num(master); 2714 nat_tuple.src.u3 = exp->saved_addr; 2715 nat_tuple.dst.protonum = nf_ct_protonum(master); 2716 nat_tuple.src.u = exp->saved_proto; 2717 2718 if (ctnetlink_exp_dump_tuple(skb, &nat_tuple, 2719 CTA_EXPECT_NAT_TUPLE) < 0) 2720 goto nla_put_failure; 2721 nla_nest_end(skb, nest_parms); 2722 } 2723 #endif 2724 if (nla_put_be32(skb, CTA_EXPECT_TIMEOUT, htonl(timeout)) || 2725 nla_put_be32(skb, CTA_EXPECT_ID, htonl((unsigned long)exp)) || 2726 nla_put_be32(skb, CTA_EXPECT_FLAGS, htonl(exp->flags)) || 2727 nla_put_be32(skb, CTA_EXPECT_CLASS, htonl(exp->class))) 2728 goto nla_put_failure; 2729 help = nfct_help(master); 2730 if (help) { 2731 struct nf_conntrack_helper *helper; 2732 2733 helper = rcu_dereference(help->helper); 2734 if (helper && 2735 nla_put_string(skb, CTA_EXPECT_HELP_NAME, helper->name)) 2736 goto nla_put_failure; 2737 } 2738 expfn = nf_ct_helper_expectfn_find_by_symbol(exp->expectfn); 2739 if (expfn != NULL && 2740 nla_put_string(skb, CTA_EXPECT_FN, expfn->name)) 2741 goto nla_put_failure; 2742 2743 return 0; 2744 2745 nla_put_failure: 2746 return -1; 2747 } 2748 2749 static int 2750 ctnetlink_exp_fill_info(struct sk_buff *skb, u32 portid, u32 seq, 2751 int event, const struct nf_conntrack_expect *exp) 2752 { 2753 struct nlmsghdr *nlh; 2754 struct nfgenmsg *nfmsg; 2755 unsigned int flags = portid ? NLM_F_MULTI : 0; 2756 2757 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_EXP, event); 2758 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); 2759 if (nlh == NULL) 2760 goto nlmsg_failure; 2761 2762 nfmsg = nlmsg_data(nlh); 2763 nfmsg->nfgen_family = exp->tuple.src.l3num; 2764 nfmsg->version = NFNETLINK_V0; 2765 nfmsg->res_id = 0; 2766 2767 if (ctnetlink_exp_dump_expect(skb, exp) < 0) 2768 goto nla_put_failure; 2769 2770 nlmsg_end(skb, nlh); 2771 return skb->len; 2772 2773 nlmsg_failure: 2774 nla_put_failure: 2775 nlmsg_cancel(skb, nlh); 2776 return -1; 2777 } 2778 2779 #ifdef CONFIG_NF_CONNTRACK_EVENTS 2780 static int 2781 ctnetlink_expect_event(unsigned int events, struct nf_exp_event *item) 2782 { 2783 struct nf_conntrack_expect *exp = item->exp; 2784 struct net *net = nf_ct_exp_net(exp); 2785 struct nlmsghdr *nlh; 2786 struct nfgenmsg *nfmsg; 2787 struct sk_buff *skb; 2788 unsigned int type, group; 2789 int flags = 0; 2790 2791 if (events & (1 << IPEXP_DESTROY)) { 2792 type = IPCTNL_MSG_EXP_DELETE; 2793 group = NFNLGRP_CONNTRACK_EXP_DESTROY; 2794 } else if (events & (1 << IPEXP_NEW)) { 2795 type = IPCTNL_MSG_EXP_NEW; 2796 flags = NLM_F_CREATE|NLM_F_EXCL; 2797 group = NFNLGRP_CONNTRACK_EXP_NEW; 2798 } else 2799 return 0; 2800 2801 if (!item->report && !nfnetlink_has_listeners(net, group)) 2802 return 0; 2803 2804 skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC); 2805 if (skb == NULL) 2806 goto errout; 2807 2808 type = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_EXP, type); 2809 nlh = nlmsg_put(skb, item->portid, 0, type, sizeof(*nfmsg), flags); 2810 if (nlh == NULL) 2811 goto nlmsg_failure; 2812 2813 nfmsg = nlmsg_data(nlh); 2814 nfmsg->nfgen_family = exp->tuple.src.l3num; 2815 nfmsg->version = NFNETLINK_V0; 2816 nfmsg->res_id = 0; 2817 2818 if (ctnetlink_exp_dump_expect(skb, exp) < 0) 2819 goto nla_put_failure; 2820 2821 nlmsg_end(skb, nlh); 2822 nfnetlink_send(skb, net, item->portid, group, item->report, GFP_ATOMIC); 2823 return 0; 2824 2825 nla_put_failure: 2826 nlmsg_cancel(skb, nlh); 2827 nlmsg_failure: 2828 kfree_skb(skb); 2829 errout: 2830 nfnetlink_set_err(net, 0, 0, -ENOBUFS); 2831 return 0; 2832 } 2833 #endif 2834 static int ctnetlink_exp_done(struct netlink_callback *cb) 2835 { 2836 if (cb->args[1]) 2837 nf_ct_expect_put((struct nf_conntrack_expect *)cb->args[1]); 2838 return 0; 2839 } 2840 2841 static int 2842 ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) 2843 { 2844 struct net *net = sock_net(skb->sk); 2845 struct nf_conntrack_expect *exp, *last; 2846 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 2847 u_int8_t l3proto = nfmsg->nfgen_family; 2848 2849 rcu_read_lock(); 2850 last = (struct nf_conntrack_expect *)cb->args[1]; 2851 for (; cb->args[0] < nf_ct_expect_hsize; cb->args[0]++) { 2852 restart: 2853 hlist_for_each_entry_rcu(exp, &nf_ct_expect_hash[cb->args[0]], 2854 hnode) { 2855 if (l3proto && exp->tuple.src.l3num != l3proto) 2856 continue; 2857 2858 if (!net_eq(nf_ct_net(exp->master), net)) 2859 continue; 2860 2861 if (cb->args[1]) { 2862 if (exp != last) 2863 continue; 2864 cb->args[1] = 0; 2865 } 2866 if (ctnetlink_exp_fill_info(skb, 2867 NETLINK_CB(cb->skb).portid, 2868 cb->nlh->nlmsg_seq, 2869 IPCTNL_MSG_EXP_NEW, 2870 exp) < 0) { 2871 if (!refcount_inc_not_zero(&exp->use)) 2872 continue; 2873 cb->args[1] = (unsigned long)exp; 2874 goto out; 2875 } 2876 } 2877 if (cb->args[1]) { 2878 cb->args[1] = 0; 2879 goto restart; 2880 } 2881 } 2882 out: 2883 rcu_read_unlock(); 2884 if (last) 2885 nf_ct_expect_put(last); 2886 2887 return skb->len; 2888 } 2889 2890 static int 2891 ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) 2892 { 2893 struct nf_conntrack_expect *exp, *last; 2894 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 2895 struct nf_conn *ct = cb->data; 2896 struct nf_conn_help *help = nfct_help(ct); 2897 u_int8_t l3proto = nfmsg->nfgen_family; 2898 2899 if (cb->args[0]) 2900 return 0; 2901 2902 rcu_read_lock(); 2903 last = (struct nf_conntrack_expect *)cb->args[1]; 2904 restart: 2905 hlist_for_each_entry_rcu(exp, &help->expectations, lnode) { 2906 if (l3proto && exp->tuple.src.l3num != l3proto) 2907 continue; 2908 if (cb->args[1]) { 2909 if (exp != last) 2910 continue; 2911 cb->args[1] = 0; 2912 } 2913 if (ctnetlink_exp_fill_info(skb, NETLINK_CB(cb->skb).portid, 2914 cb->nlh->nlmsg_seq, 2915 IPCTNL_MSG_EXP_NEW, 2916 exp) < 0) { 2917 if (!refcount_inc_not_zero(&exp->use)) 2918 continue; 2919 cb->args[1] = (unsigned long)exp; 2920 goto out; 2921 } 2922 } 2923 if (cb->args[1]) { 2924 cb->args[1] = 0; 2925 goto restart; 2926 } 2927 cb->args[0] = 1; 2928 out: 2929 rcu_read_unlock(); 2930 if (last) 2931 nf_ct_expect_put(last); 2932 2933 return skb->len; 2934 } 2935 2936 static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl, 2937 struct sk_buff *skb, 2938 const struct nlmsghdr *nlh, 2939 const struct nlattr * const cda[], 2940 struct netlink_ext_ack *extack) 2941 { 2942 int err; 2943 struct nfgenmsg *nfmsg = nlmsg_data(nlh); 2944 u_int8_t u3 = nfmsg->nfgen_family; 2945 struct nf_conntrack_tuple tuple; 2946 struct nf_conntrack_tuple_hash *h; 2947 struct nf_conn *ct; 2948 struct nf_conntrack_zone zone; 2949 struct netlink_dump_control c = { 2950 .dump = ctnetlink_exp_ct_dump_table, 2951 .done = ctnetlink_exp_done, 2952 }; 2953 2954 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER, 2955 u3, NULL); 2956 if (err < 0) 2957 return err; 2958 2959 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone); 2960 if (err < 0) 2961 return err; 2962 2963 h = nf_conntrack_find_get(net, &zone, &tuple); 2964 if (!h) 2965 return -ENOENT; 2966 2967 ct = nf_ct_tuplehash_to_ctrack(h); 2968 /* No expectation linked to this connection tracking. */ 2969 if (!nfct_help(ct)) { 2970 nf_ct_put(ct); 2971 return 0; 2972 } 2973 2974 c.data = ct; 2975 2976 err = netlink_dump_start(ctnl, skb, nlh, &c); 2977 nf_ct_put(ct); 2978 2979 return err; 2980 } 2981 2982 static int ctnetlink_get_expect(struct net *net, struct sock *ctnl, 2983 struct sk_buff *skb, const struct nlmsghdr *nlh, 2984 const struct nlattr * const cda[], 2985 struct netlink_ext_ack *extack) 2986 { 2987 struct nf_conntrack_tuple tuple; 2988 struct nf_conntrack_expect *exp; 2989 struct sk_buff *skb2; 2990 struct nfgenmsg *nfmsg = nlmsg_data(nlh); 2991 u_int8_t u3 = nfmsg->nfgen_family; 2992 struct nf_conntrack_zone zone; 2993 int err; 2994 2995 if (nlh->nlmsg_flags & NLM_F_DUMP) { 2996 if (cda[CTA_EXPECT_MASTER]) 2997 return ctnetlink_dump_exp_ct(net, ctnl, skb, nlh, cda, 2998 extack); 2999 else { 3000 struct netlink_dump_control c = { 3001 .dump = ctnetlink_exp_dump_table, 3002 .done = ctnetlink_exp_done, 3003 }; 3004 return netlink_dump_start(ctnl, skb, nlh, &c); 3005 } 3006 } 3007 3008 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone); 3009 if (err < 0) 3010 return err; 3011 3012 if (cda[CTA_EXPECT_TUPLE]) 3013 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, 3014 u3, NULL); 3015 else if (cda[CTA_EXPECT_MASTER]) 3016 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER, 3017 u3, NULL); 3018 else 3019 return -EINVAL; 3020 3021 if (err < 0) 3022 return err; 3023 3024 exp = nf_ct_expect_find_get(net, &zone, &tuple); 3025 if (!exp) 3026 return -ENOENT; 3027 3028 if (cda[CTA_EXPECT_ID]) { 3029 __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]); 3030 if (ntohl(id) != (u32)(unsigned long)exp) { 3031 nf_ct_expect_put(exp); 3032 return -ENOENT; 3033 } 3034 } 3035 3036 err = -ENOMEM; 3037 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); 3038 if (skb2 == NULL) { 3039 nf_ct_expect_put(exp); 3040 goto out; 3041 } 3042 3043 rcu_read_lock(); 3044 err = ctnetlink_exp_fill_info(skb2, NETLINK_CB(skb).portid, 3045 nlh->nlmsg_seq, IPCTNL_MSG_EXP_NEW, exp); 3046 rcu_read_unlock(); 3047 nf_ct_expect_put(exp); 3048 if (err <= 0) 3049 goto free; 3050 3051 err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT); 3052 if (err < 0) 3053 goto out; 3054 3055 return 0; 3056 3057 free: 3058 kfree_skb(skb2); 3059 out: 3060 /* this avoids a loop in nfnetlink. */ 3061 return err == -EAGAIN ? -ENOBUFS : err; 3062 } 3063 3064 static bool expect_iter_name(struct nf_conntrack_expect *exp, void *data) 3065 { 3066 const struct nf_conn_help *m_help; 3067 const char *name = data; 3068 3069 m_help = nfct_help(exp->master); 3070 3071 return strcmp(m_help->helper->name, name) == 0; 3072 } 3073 3074 static bool expect_iter_all(struct nf_conntrack_expect *exp, void *data) 3075 { 3076 return true; 3077 } 3078 3079 static int ctnetlink_del_expect(struct net *net, struct sock *ctnl, 3080 struct sk_buff *skb, const struct nlmsghdr *nlh, 3081 const struct nlattr * const cda[], 3082 struct netlink_ext_ack *extack) 3083 { 3084 struct nf_conntrack_expect *exp; 3085 struct nf_conntrack_tuple tuple; 3086 struct nfgenmsg *nfmsg = nlmsg_data(nlh); 3087 u_int8_t u3 = nfmsg->nfgen_family; 3088 struct nf_conntrack_zone zone; 3089 int err; 3090 3091 if (cda[CTA_EXPECT_TUPLE]) { 3092 /* delete a single expect by tuple */ 3093 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone); 3094 if (err < 0) 3095 return err; 3096 3097 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, 3098 u3, NULL); 3099 if (err < 0) 3100 return err; 3101 3102 /* bump usage count to 2 */ 3103 exp = nf_ct_expect_find_get(net, &zone, &tuple); 3104 if (!exp) 3105 return -ENOENT; 3106 3107 if (cda[CTA_EXPECT_ID]) { 3108 __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]); 3109 if (ntohl(id) != (u32)(unsigned long)exp) { 3110 nf_ct_expect_put(exp); 3111 return -ENOENT; 3112 } 3113 } 3114 3115 /* after list removal, usage count == 1 */ 3116 spin_lock_bh(&nf_conntrack_expect_lock); 3117 if (del_timer(&exp->timeout)) { 3118 nf_ct_unlink_expect_report(exp, NETLINK_CB(skb).portid, 3119 nlmsg_report(nlh)); 3120 nf_ct_expect_put(exp); 3121 } 3122 spin_unlock_bh(&nf_conntrack_expect_lock); 3123 /* have to put what we 'get' above. 3124 * after this line usage count == 0 */ 3125 nf_ct_expect_put(exp); 3126 } else if (cda[CTA_EXPECT_HELP_NAME]) { 3127 char *name = nla_data(cda[CTA_EXPECT_HELP_NAME]); 3128 3129 nf_ct_expect_iterate_net(net, expect_iter_name, name, 3130 NETLINK_CB(skb).portid, 3131 nlmsg_report(nlh)); 3132 } else { 3133 /* This basically means we have to flush everything*/ 3134 nf_ct_expect_iterate_net(net, expect_iter_all, NULL, 3135 NETLINK_CB(skb).portid, 3136 nlmsg_report(nlh)); 3137 } 3138 3139 return 0; 3140 } 3141 static int 3142 ctnetlink_change_expect(struct nf_conntrack_expect *x, 3143 const struct nlattr * const cda[]) 3144 { 3145 if (cda[CTA_EXPECT_TIMEOUT]) { 3146 if (!del_timer(&x->timeout)) 3147 return -ETIME; 3148 3149 x->timeout.expires = jiffies + 3150 ntohl(nla_get_be32(cda[CTA_EXPECT_TIMEOUT])) * HZ; 3151 add_timer(&x->timeout); 3152 } 3153 return 0; 3154 } 3155 3156 static const struct nla_policy exp_nat_nla_policy[CTA_EXPECT_NAT_MAX+1] = { 3157 [CTA_EXPECT_NAT_DIR] = { .type = NLA_U32 }, 3158 [CTA_EXPECT_NAT_TUPLE] = { .type = NLA_NESTED }, 3159 }; 3160 3161 static int 3162 ctnetlink_parse_expect_nat(const struct nlattr *attr, 3163 struct nf_conntrack_expect *exp, 3164 u_int8_t u3) 3165 { 3166 #ifdef CONFIG_NF_NAT_NEEDED 3167 struct nlattr *tb[CTA_EXPECT_NAT_MAX+1]; 3168 struct nf_conntrack_tuple nat_tuple = {}; 3169 int err; 3170 3171 err = nla_parse_nested(tb, CTA_EXPECT_NAT_MAX, attr, 3172 exp_nat_nla_policy, NULL); 3173 if (err < 0) 3174 return err; 3175 3176 if (!tb[CTA_EXPECT_NAT_DIR] || !tb[CTA_EXPECT_NAT_TUPLE]) 3177 return -EINVAL; 3178 3179 err = ctnetlink_parse_tuple((const struct nlattr * const *)tb, 3180 &nat_tuple, CTA_EXPECT_NAT_TUPLE, 3181 u3, NULL); 3182 if (err < 0) 3183 return err; 3184 3185 exp->saved_addr = nat_tuple.src.u3; 3186 exp->saved_proto = nat_tuple.src.u; 3187 exp->dir = ntohl(nla_get_be32(tb[CTA_EXPECT_NAT_DIR])); 3188 3189 return 0; 3190 #else 3191 return -EOPNOTSUPP; 3192 #endif 3193 } 3194 3195 static struct nf_conntrack_expect * 3196 ctnetlink_alloc_expect(const struct nlattr * const cda[], struct nf_conn *ct, 3197 struct nf_conntrack_helper *helper, 3198 struct nf_conntrack_tuple *tuple, 3199 struct nf_conntrack_tuple *mask) 3200 { 3201 u_int32_t class = 0; 3202 struct nf_conntrack_expect *exp; 3203 struct nf_conn_help *help; 3204 int err; 3205 3206 help = nfct_help(ct); 3207 if (!help) 3208 return ERR_PTR(-EOPNOTSUPP); 3209 3210 if (cda[CTA_EXPECT_CLASS] && helper) { 3211 class = ntohl(nla_get_be32(cda[CTA_EXPECT_CLASS])); 3212 if (class > helper->expect_class_max) 3213 return ERR_PTR(-EINVAL); 3214 } 3215 exp = nf_ct_expect_alloc(ct); 3216 if (!exp) 3217 return ERR_PTR(-ENOMEM); 3218 3219 if (cda[CTA_EXPECT_FLAGS]) { 3220 exp->flags = ntohl(nla_get_be32(cda[CTA_EXPECT_FLAGS])); 3221 exp->flags &= ~NF_CT_EXPECT_USERSPACE; 3222 } else { 3223 exp->flags = 0; 3224 } 3225 if (cda[CTA_EXPECT_FN]) { 3226 const char *name = nla_data(cda[CTA_EXPECT_FN]); 3227 struct nf_ct_helper_expectfn *expfn; 3228 3229 expfn = nf_ct_helper_expectfn_find_by_name(name); 3230 if (expfn == NULL) { 3231 err = -EINVAL; 3232 goto err_out; 3233 } 3234 exp->expectfn = expfn->expectfn; 3235 } else 3236 exp->expectfn = NULL; 3237 3238 exp->class = class; 3239 exp->master = ct; 3240 exp->helper = helper; 3241 exp->tuple = *tuple; 3242 exp->mask.src.u3 = mask->src.u3; 3243 exp->mask.src.u.all = mask->src.u.all; 3244 3245 if (cda[CTA_EXPECT_NAT]) { 3246 err = ctnetlink_parse_expect_nat(cda[CTA_EXPECT_NAT], 3247 exp, nf_ct_l3num(ct)); 3248 if (err < 0) 3249 goto err_out; 3250 } 3251 return exp; 3252 err_out: 3253 nf_ct_expect_put(exp); 3254 return ERR_PTR(err); 3255 } 3256 3257 static int 3258 ctnetlink_create_expect(struct net *net, 3259 const struct nf_conntrack_zone *zone, 3260 const struct nlattr * const cda[], 3261 u_int8_t u3, u32 portid, int report) 3262 { 3263 struct nf_conntrack_tuple tuple, mask, master_tuple; 3264 struct nf_conntrack_tuple_hash *h = NULL; 3265 struct nf_conntrack_helper *helper = NULL; 3266 struct nf_conntrack_expect *exp; 3267 struct nf_conn *ct; 3268 int err; 3269 3270 /* caller guarantees that those three CTA_EXPECT_* exist */ 3271 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, 3272 u3, NULL); 3273 if (err < 0) 3274 return err; 3275 err = ctnetlink_parse_tuple(cda, &mask, CTA_EXPECT_MASK, 3276 u3, NULL); 3277 if (err < 0) 3278 return err; 3279 err = ctnetlink_parse_tuple(cda, &master_tuple, CTA_EXPECT_MASTER, 3280 u3, NULL); 3281 if (err < 0) 3282 return err; 3283 3284 /* Look for master conntrack of this expectation */ 3285 h = nf_conntrack_find_get(net, zone, &master_tuple); 3286 if (!h) 3287 return -ENOENT; 3288 ct = nf_ct_tuplehash_to_ctrack(h); 3289 3290 rcu_read_lock(); 3291 if (cda[CTA_EXPECT_HELP_NAME]) { 3292 const char *helpname = nla_data(cda[CTA_EXPECT_HELP_NAME]); 3293 3294 helper = __nf_conntrack_helper_find(helpname, u3, 3295 nf_ct_protonum(ct)); 3296 if (helper == NULL) { 3297 rcu_read_unlock(); 3298 #ifdef CONFIG_MODULES 3299 if (request_module("nfct-helper-%s", helpname) < 0) { 3300 err = -EOPNOTSUPP; 3301 goto err_ct; 3302 } 3303 rcu_read_lock(); 3304 helper = __nf_conntrack_helper_find(helpname, u3, 3305 nf_ct_protonum(ct)); 3306 if (helper) { 3307 err = -EAGAIN; 3308 goto err_rcu; 3309 } 3310 rcu_read_unlock(); 3311 #endif 3312 err = -EOPNOTSUPP; 3313 goto err_ct; 3314 } 3315 } 3316 3317 exp = ctnetlink_alloc_expect(cda, ct, helper, &tuple, &mask); 3318 if (IS_ERR(exp)) { 3319 err = PTR_ERR(exp); 3320 goto err_rcu; 3321 } 3322 3323 err = nf_ct_expect_related_report(exp, portid, report); 3324 nf_ct_expect_put(exp); 3325 err_rcu: 3326 rcu_read_unlock(); 3327 err_ct: 3328 nf_ct_put(ct); 3329 return err; 3330 } 3331 3332 static int ctnetlink_new_expect(struct net *net, struct sock *ctnl, 3333 struct sk_buff *skb, const struct nlmsghdr *nlh, 3334 const struct nlattr * const cda[], 3335 struct netlink_ext_ack *extack) 3336 { 3337 struct nf_conntrack_tuple tuple; 3338 struct nf_conntrack_expect *exp; 3339 struct nfgenmsg *nfmsg = nlmsg_data(nlh); 3340 u_int8_t u3 = nfmsg->nfgen_family; 3341 struct nf_conntrack_zone zone; 3342 int err; 3343 3344 if (!cda[CTA_EXPECT_TUPLE] 3345 || !cda[CTA_EXPECT_MASK] 3346 || !cda[CTA_EXPECT_MASTER]) 3347 return -EINVAL; 3348 3349 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone); 3350 if (err < 0) 3351 return err; 3352 3353 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, 3354 u3, NULL); 3355 if (err < 0) 3356 return err; 3357 3358 spin_lock_bh(&nf_conntrack_expect_lock); 3359 exp = __nf_ct_expect_find(net, &zone, &tuple); 3360 if (!exp) { 3361 spin_unlock_bh(&nf_conntrack_expect_lock); 3362 err = -ENOENT; 3363 if (nlh->nlmsg_flags & NLM_F_CREATE) { 3364 err = ctnetlink_create_expect(net, &zone, cda, u3, 3365 NETLINK_CB(skb).portid, 3366 nlmsg_report(nlh)); 3367 } 3368 return err; 3369 } 3370 3371 err = -EEXIST; 3372 if (!(nlh->nlmsg_flags & NLM_F_EXCL)) 3373 err = ctnetlink_change_expect(exp, cda); 3374 spin_unlock_bh(&nf_conntrack_expect_lock); 3375 3376 return err; 3377 } 3378 3379 static int 3380 ctnetlink_exp_stat_fill_info(struct sk_buff *skb, u32 portid, u32 seq, int cpu, 3381 const struct ip_conntrack_stat *st) 3382 { 3383 struct nlmsghdr *nlh; 3384 struct nfgenmsg *nfmsg; 3385 unsigned int flags = portid ? NLM_F_MULTI : 0, event; 3386 3387 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, 3388 IPCTNL_MSG_EXP_GET_STATS_CPU); 3389 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); 3390 if (nlh == NULL) 3391 goto nlmsg_failure; 3392 3393 nfmsg = nlmsg_data(nlh); 3394 nfmsg->nfgen_family = AF_UNSPEC; 3395 nfmsg->version = NFNETLINK_V0; 3396 nfmsg->res_id = htons(cpu); 3397 3398 if (nla_put_be32(skb, CTA_STATS_EXP_NEW, htonl(st->expect_new)) || 3399 nla_put_be32(skb, CTA_STATS_EXP_CREATE, htonl(st->expect_create)) || 3400 nla_put_be32(skb, CTA_STATS_EXP_DELETE, htonl(st->expect_delete))) 3401 goto nla_put_failure; 3402 3403 nlmsg_end(skb, nlh); 3404 return skb->len; 3405 3406 nla_put_failure: 3407 nlmsg_failure: 3408 nlmsg_cancel(skb, nlh); 3409 return -1; 3410 } 3411 3412 static int 3413 ctnetlink_exp_stat_cpu_dump(struct sk_buff *skb, struct netlink_callback *cb) 3414 { 3415 int cpu; 3416 struct net *net = sock_net(skb->sk); 3417 3418 if (cb->args[0] == nr_cpu_ids) 3419 return 0; 3420 3421 for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) { 3422 const struct ip_conntrack_stat *st; 3423 3424 if (!cpu_possible(cpu)) 3425 continue; 3426 3427 st = per_cpu_ptr(net->ct.stat, cpu); 3428 if (ctnetlink_exp_stat_fill_info(skb, NETLINK_CB(cb->skb).portid, 3429 cb->nlh->nlmsg_seq, 3430 cpu, st) < 0) 3431 break; 3432 } 3433 cb->args[0] = cpu; 3434 3435 return skb->len; 3436 } 3437 3438 static int ctnetlink_stat_exp_cpu(struct net *net, struct sock *ctnl, 3439 struct sk_buff *skb, 3440 const struct nlmsghdr *nlh, 3441 const struct nlattr * const cda[], 3442 struct netlink_ext_ack *extack) 3443 { 3444 if (nlh->nlmsg_flags & NLM_F_DUMP) { 3445 struct netlink_dump_control c = { 3446 .dump = ctnetlink_exp_stat_cpu_dump, 3447 }; 3448 return netlink_dump_start(ctnl, skb, nlh, &c); 3449 } 3450 3451 return 0; 3452 } 3453 3454 #ifdef CONFIG_NF_CONNTRACK_EVENTS 3455 static struct nf_ct_event_notifier ctnl_notifier = { 3456 .fcn = ctnetlink_conntrack_event, 3457 }; 3458 3459 static struct nf_exp_event_notifier ctnl_notifier_exp = { 3460 .fcn = ctnetlink_expect_event, 3461 }; 3462 #endif 3463 3464 static const struct nfnl_callback ctnl_cb[IPCTNL_MSG_MAX] = { 3465 [IPCTNL_MSG_CT_NEW] = { .call = ctnetlink_new_conntrack, 3466 .attr_count = CTA_MAX, 3467 .policy = ct_nla_policy }, 3468 [IPCTNL_MSG_CT_GET] = { .call = ctnetlink_get_conntrack, 3469 .attr_count = CTA_MAX, 3470 .policy = ct_nla_policy }, 3471 [IPCTNL_MSG_CT_DELETE] = { .call = ctnetlink_del_conntrack, 3472 .attr_count = CTA_MAX, 3473 .policy = ct_nla_policy }, 3474 [IPCTNL_MSG_CT_GET_CTRZERO] = { .call = ctnetlink_get_conntrack, 3475 .attr_count = CTA_MAX, 3476 .policy = ct_nla_policy }, 3477 [IPCTNL_MSG_CT_GET_STATS_CPU] = { .call = ctnetlink_stat_ct_cpu }, 3478 [IPCTNL_MSG_CT_GET_STATS] = { .call = ctnetlink_stat_ct }, 3479 [IPCTNL_MSG_CT_GET_DYING] = { .call = ctnetlink_get_ct_dying }, 3480 [IPCTNL_MSG_CT_GET_UNCONFIRMED] = { .call = ctnetlink_get_ct_unconfirmed }, 3481 }; 3482 3483 static const struct nfnl_callback ctnl_exp_cb[IPCTNL_MSG_EXP_MAX] = { 3484 [IPCTNL_MSG_EXP_GET] = { .call = ctnetlink_get_expect, 3485 .attr_count = CTA_EXPECT_MAX, 3486 .policy = exp_nla_policy }, 3487 [IPCTNL_MSG_EXP_NEW] = { .call = ctnetlink_new_expect, 3488 .attr_count = CTA_EXPECT_MAX, 3489 .policy = exp_nla_policy }, 3490 [IPCTNL_MSG_EXP_DELETE] = { .call = ctnetlink_del_expect, 3491 .attr_count = CTA_EXPECT_MAX, 3492 .policy = exp_nla_policy }, 3493 [IPCTNL_MSG_EXP_GET_STATS_CPU] = { .call = ctnetlink_stat_exp_cpu }, 3494 }; 3495 3496 static const struct nfnetlink_subsystem ctnl_subsys = { 3497 .name = "conntrack", 3498 .subsys_id = NFNL_SUBSYS_CTNETLINK, 3499 .cb_count = IPCTNL_MSG_MAX, 3500 .cb = ctnl_cb, 3501 }; 3502 3503 static const struct nfnetlink_subsystem ctnl_exp_subsys = { 3504 .name = "conntrack_expect", 3505 .subsys_id = NFNL_SUBSYS_CTNETLINK_EXP, 3506 .cb_count = IPCTNL_MSG_EXP_MAX, 3507 .cb = ctnl_exp_cb, 3508 }; 3509 3510 MODULE_ALIAS("ip_conntrack_netlink"); 3511 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK); 3512 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK_EXP); 3513 3514 static int __net_init ctnetlink_net_init(struct net *net) 3515 { 3516 #ifdef CONFIG_NF_CONNTRACK_EVENTS 3517 int ret; 3518 3519 ret = nf_conntrack_register_notifier(net, &ctnl_notifier); 3520 if (ret < 0) { 3521 pr_err("ctnetlink_init: cannot register notifier.\n"); 3522 goto err_out; 3523 } 3524 3525 ret = nf_ct_expect_register_notifier(net, &ctnl_notifier_exp); 3526 if (ret < 0) { 3527 pr_err("ctnetlink_init: cannot expect register notifier.\n"); 3528 goto err_unreg_notifier; 3529 } 3530 #endif 3531 return 0; 3532 3533 #ifdef CONFIG_NF_CONNTRACK_EVENTS 3534 err_unreg_notifier: 3535 nf_conntrack_unregister_notifier(net, &ctnl_notifier); 3536 err_out: 3537 return ret; 3538 #endif 3539 } 3540 3541 static void ctnetlink_net_exit(struct net *net) 3542 { 3543 #ifdef CONFIG_NF_CONNTRACK_EVENTS 3544 nf_ct_expect_unregister_notifier(net, &ctnl_notifier_exp); 3545 nf_conntrack_unregister_notifier(net, &ctnl_notifier); 3546 #endif 3547 } 3548 3549 static void __net_exit ctnetlink_net_exit_batch(struct list_head *net_exit_list) 3550 { 3551 struct net *net; 3552 3553 list_for_each_entry(net, net_exit_list, exit_list) 3554 ctnetlink_net_exit(net); 3555 } 3556 3557 static struct pernet_operations ctnetlink_net_ops = { 3558 .init = ctnetlink_net_init, 3559 .exit_batch = ctnetlink_net_exit_batch, 3560 }; 3561 3562 static int __init ctnetlink_init(void) 3563 { 3564 int ret; 3565 3566 ret = nfnetlink_subsys_register(&ctnl_subsys); 3567 if (ret < 0) { 3568 pr_err("ctnetlink_init: cannot register with nfnetlink.\n"); 3569 goto err_out; 3570 } 3571 3572 ret = nfnetlink_subsys_register(&ctnl_exp_subsys); 3573 if (ret < 0) { 3574 pr_err("ctnetlink_init: cannot register exp with nfnetlink.\n"); 3575 goto err_unreg_subsys; 3576 } 3577 3578 ret = register_pernet_subsys(&ctnetlink_net_ops); 3579 if (ret < 0) { 3580 pr_err("ctnetlink_init: cannot register pernet operations\n"); 3581 goto err_unreg_exp_subsys; 3582 } 3583 #ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT 3584 /* setup interaction between nf_queue and nf_conntrack_netlink. */ 3585 RCU_INIT_POINTER(nfnl_ct_hook, &ctnetlink_glue_hook); 3586 #endif 3587 return 0; 3588 3589 err_unreg_exp_subsys: 3590 nfnetlink_subsys_unregister(&ctnl_exp_subsys); 3591 err_unreg_subsys: 3592 nfnetlink_subsys_unregister(&ctnl_subsys); 3593 err_out: 3594 return ret; 3595 } 3596 3597 static void __exit ctnetlink_exit(void) 3598 { 3599 unregister_pernet_subsys(&ctnetlink_net_ops); 3600 nfnetlink_subsys_unregister(&ctnl_exp_subsys); 3601 nfnetlink_subsys_unregister(&ctnl_subsys); 3602 #ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT 3603 RCU_INIT_POINTER(nfnl_ct_hook, NULL); 3604 #endif 3605 synchronize_rcu(); 3606 } 3607 3608 module_init(ctnetlink_init); 3609 module_exit(ctnetlink_exit); 3610