/* Connection tracking via netlink socket. Allows for user space
 * protocol helpers and general trouble making from userspace.
 *
 * (C) 2001 by Jay Schulist <jschlst@samba.org>
 * (C) 2002-2006 by Harald Welte <laforge@gnumonks.org>
 * (C) 2003 by Patrick Mchardy <kaber@trash.net>
 * (C) 2005-2012 by Pablo Neira Ayuso <pablo@netfilter.org>
 *
 * Initial connection tracking via netlink development funded and
 * generally made possible by Network Robots, Inc. (www.networkrobots.com)
 *
 * Further development of this code funded by Astaro AG (http://www.astaro.com)
 *
 * This software may be used and distributed according to the terms
 * of the GNU General Public License, incorporated herein by reference.
 */

#include <linux/init.h>
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/rculist.h>
#include <linux/rculist_nulls.h>
#include <linux/types.h>
#include <linux/timer.h>
#include <linux/security.h>
#include <linux/skbuff.h>
#include <linux/errno.h>
#include <linux/netlink.h>
#include <linux/spinlock.h>
#include <linux/interrupt.h>
#include <linux/slab.h>

#include <linux/netfilter.h>
#include <net/netlink.h>
#include <net/sock.h>
#include <net/netfilter/nf_conntrack.h>
#include <net/netfilter/nf_conntrack_core.h>
#include <net/netfilter/nf_conntrack_expect.h>
#include <net/netfilter/nf_conntrack_helper.h>
#include <net/netfilter/nf_conntrack_seqadj.h>
#include <net/netfilter/nf_conntrack_l3proto.h>
#include <net/netfilter/nf_conntrack_l4proto.h>
#include <net/netfilter/nf_conntrack_tuple.h>
#include <net/netfilter/nf_conntrack_acct.h>
#include <net/netfilter/nf_conntrack_zones.h>
#include <net/netfilter/nf_conntrack_timestamp.h>
#include <net/netfilter/nf_conntrack_labels.h>
#include <net/netfilter/nf_conntrack_synproxy.h>
#ifdef CONFIG_NF_NAT_NEEDED
#include <net/netfilter/nf_nat_core.h>
#include <net/netfilter/nf_nat_l4proto.h>
#include <net/netfilter/nf_nat_helper.h>
#endif

#include <linux/netfilter/nfnetlink.h>
#include <linux/netfilter/nfnetlink_conntrack.h>

MODULE_LICENSE("GPL");

/* Emit the nested CTA_TUPLE_PROTO attribute: the L4 protocol number plus
 * whatever per-protocol attributes the l4proto helper wants to add.
 * Returns 0/positive on success, -1 if the skb ran out of tailroom.
 */
static int ctnetlink_dump_tuples_proto(struct sk_buff *skb,
				       const struct nf_conntrack_tuple *tuple,
				       const struct nf_conntrack_l4proto *l4proto)
{
	int ret = 0;
	struct nlattr *nest_parms;

	nest_parms = nla_nest_start(skb, CTA_TUPLE_PROTO | NLA_F_NESTED);
	if (!nest_parms)
		goto nla_put_failure;
	if (nla_put_u8(skb, CTA_PROTO_NUM, tuple->dst.protonum))
		goto nla_put_failure;

	/* optional per-protocol attributes (e.g. port numbers) */
	if (likely(l4proto->tuple_to_nlattr))
		ret = l4proto->tuple_to_nlattr(skb, tuple);

	nla_nest_end(skb, nest_parms);

	return ret;

nla_put_failure:
	/* caller is expected to cancel the enclosing message */
	return -1;
}

/* Emit the nested CTA_TUPLE_IP attribute via the L3 protocol helper
 * (source/destination addresses). Returns -1 on skb tailroom exhaustion.
 */
static int ctnetlink_dump_tuples_ip(struct sk_buff *skb,
				    const struct nf_conntrack_tuple *tuple,
				    const struct nf_conntrack_l3proto *l3proto)
{
	int ret = 0;
	struct nlattr *nest_parms;

	nest_parms = nla_nest_start(skb, CTA_TUPLE_IP | NLA_F_NESTED);
	if (!nest_parms)
		goto nla_put_failure;

	if (likely(l3proto->tuple_to_nlattr))
		ret = l3proto->tuple_to_nlattr(skb, tuple);

	nla_nest_end(skb, nest_parms);

	return ret;

nla_put_failure:
	return -1;
}

/* Dump a complete conntrack tuple (IP part then proto part) into skb.
 * The l3/l4 proto helpers are looked up under rcu_read_lock because
 * they can be unregistered concurrently.
 */
static int ctnetlink_dump_tuples(struct sk_buff *skb,
				 const struct nf_conntrack_tuple *tuple)
{
	const struct nf_conntrack_l3proto *l3proto;
	const struct nf_conntrack_l4proto *l4proto;
	int ret;

	rcu_read_lock();
	l3proto = __nf_ct_l3proto_find(tuple->src.l3num);
	ret = ctnetlink_dump_tuples_ip(skb, tuple, l3proto);

	if (ret >= 0) {
		l4proto = __nf_ct_l4proto_find(tuple->src.l3num,
					       tuple->dst.protonum);
		ret = ctnetlink_dump_tuples_proto(skb, tuple, l4proto);
	}
	rcu_read_unlock();
	return ret;
}

/* Emit the zone id attribute (attrtype) if this conntrack sits in a
 * non-default zone whose direction matches 'dir'; no-op otherwise.
 */
static int ctnetlink_dump_zone_id(struct sk_buff *skb, int attrtype,
				  const struct
nf_conntrack_zone *zone, int dir)
{
	if (zone->id == NF_CT_DEFAULT_ZONE_ID || zone->dir != dir)
		return 0;
	if (nla_put_be16(skb, attrtype, htons(zone->id)))
		goto nla_put_failure;
	return 0;

nla_put_failure:
	return -1;
}

/* CTA_STATUS: the IPS_* status bit field of the conntrack entry. */
static int ctnetlink_dump_status(struct sk_buff *skb, const struct nf_conn *ct)
{
	if (nla_put_be32(skb, CTA_STATUS, htonl(ct->status)))
		goto nla_put_failure;
	return 0;

nla_put_failure:
	return -1;
}

/* CTA_TIMEOUT: remaining lifetime of the entry, converted to seconds. */
static int ctnetlink_dump_timeout(struct sk_buff *skb, const struct nf_conn *ct)
{
	long timeout = nf_ct_expires(ct) / HZ;

	if (nla_put_be32(skb, CTA_TIMEOUT, htonl(timeout)))
		goto nla_put_failure;
	return 0;

nla_put_failure:
	return -1;
}

/* CTA_PROTOINFO: nested per-L4-protocol state (e.g. TCP window tracking).
 * Nothing is emitted if the l4proto has no to_nlattr callback.
 */
static int ctnetlink_dump_protoinfo(struct sk_buff *skb, struct nf_conn *ct)
{
	const struct nf_conntrack_l4proto *l4proto;
	struct nlattr *nest_proto;
	int ret;

	l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
	if (!l4proto->to_nlattr)
		return 0;

	nest_proto = nla_nest_start(skb, CTA_PROTOINFO | NLA_F_NESTED);
	if (!nest_proto)
		goto nla_put_failure;

	ret = l4proto->to_nlattr(skb, nest_proto, ct);

	nla_nest_end(skb, nest_proto);

	return ret;

nla_put_failure:
	return -1;
}

/* CTA_HELP: name of the helper currently attached to this conntrack,
 * plus optional helper-private attributes. Quietly emits nothing when
 * no helper extension or no helper is attached.
 */
static int ctnetlink_dump_helpinfo(struct sk_buff *skb,
				   const struct nf_conn *ct)
{
	struct nlattr *nest_helper;
	const struct nf_conn_help *help = nfct_help(ct);
	struct nf_conntrack_helper *helper;

	if (!help)
		return 0;

	/* helper can be detached concurrently; read under RCU semantics */
	helper = rcu_dereference(help->helper);
	if (!helper)
		goto out;

	nest_helper = nla_nest_start(skb, CTA_HELP | NLA_F_NESTED);
	if (!nest_helper)
		goto nla_put_failure;
	if (nla_put_string(skb, CTA_HELP_NAME, helper->name))
		goto nla_put_failure;

	if (helper->to_nlattr)
		helper->to_nlattr(skb, ct);

	nla_nest_end(skb, nest_helper);
out:
	return 0;

nla_put_failure:
	return -1;
}

/* Emit one direction's accounting counters as a nested attribute.
 * NOTE(review): for IPCTNL_MSG_CT_GET_CTRZERO the counters are reset
 * with atomic64_xchg *before* the nest is built, so a later put failure
 * still leaves them zeroed — appears intentional (best-effort reset).
 */
static int
dump_counters(struct sk_buff *skb, struct nf_conn_acct *acct,
	      enum ip_conntrack_dir dir, int type)
{
	enum ctattr_type attr = dir ? CTA_COUNTERS_REPLY: CTA_COUNTERS_ORIG;
	struct nf_conn_counter *counter = acct->counter;
	struct nlattr *nest_count;
	u64 pkts, bytes;

	if (type == IPCTNL_MSG_CT_GET_CTRZERO) {
		pkts = atomic64_xchg(&counter[dir].packets, 0);
		bytes = atomic64_xchg(&counter[dir].bytes, 0);
	} else {
		pkts = atomic64_read(&counter[dir].packets);
		bytes = atomic64_read(&counter[dir].bytes);
	}

	nest_count = nla_nest_start(skb, attr | NLA_F_NESTED);
	if (!nest_count)
		goto nla_put_failure;

	if (nla_put_be64(skb, CTA_COUNTERS_PACKETS, cpu_to_be64(pkts),
			 CTA_COUNTERS_PAD) ||
	    nla_put_be64(skb, CTA_COUNTERS_BYTES, cpu_to_be64(bytes),
			 CTA_COUNTERS_PAD))
		goto nla_put_failure;

	nla_nest_end(skb, nest_count);

	return 0;

nla_put_failure:
	return -1;
}

/* Dump both directions' counters; no-op when accounting is disabled. */
static int
ctnetlink_dump_acct(struct sk_buff *skb, const struct nf_conn *ct, int type)
{
	struct nf_conn_acct *acct = nf_conn_acct_find(ct);

	if (!acct)
		return 0;

	if (dump_counters(skb, acct, IP_CT_DIR_ORIGINAL, type) < 0)
		return -1;
	if (dump_counters(skb, acct, IP_CT_DIR_REPLY, type) < 0)
		return -1;

	return 0;
}

/* CTA_TIMESTAMP: flow start (and stop, once set) timestamps. */
static int
ctnetlink_dump_timestamp(struct sk_buff *skb, const struct nf_conn *ct)
{
	struct nlattr *nest_count;
	const struct nf_conn_tstamp *tstamp;

	tstamp = nf_conn_tstamp_find(ct);
	if (!tstamp)
		return 0;

	nest_count = nla_nest_start(skb, CTA_TIMESTAMP | NLA_F_NESTED);
	if (!nest_count)
		goto nla_put_failure;

	if (nla_put_be64(skb, CTA_TIMESTAMP_START, cpu_to_be64(tstamp->start),
			 CTA_TIMESTAMP_PAD) ||
	    (tstamp->stop != 0 && nla_put_be64(skb, CTA_TIMESTAMP_STOP,
					       cpu_to_be64(tstamp->stop),
					       CTA_TIMESTAMP_PAD)))
		goto nla_put_failure;
	nla_nest_end(skb, nest_count);

	return 0;

nla_put_failure:
	return -1;
}

#ifdef CONFIG_NF_CONNTRACK_MARK
/* CTA_MARK: the conntrack mark value. */
static int ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct)
{
	if (nla_put_be32(skb, CTA_MARK, htonl(ct->mark)))
		goto nla_put_failure;
	return 0;

nla_put_failure:
	return -1;
}
#else
#define ctnetlink_dump_mark(a, b) (0)
#endif

#ifdef CONFIG_NF_CONNTRACK_SECMARK
/* CTA_SECCTX: the LSM security context string for ct->secmark.
 * Returns 0 (nothing emitted) when the secid cannot be translated.
 */
static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
{
	struct nlattr *nest_secctx;
	int len, ret;
	char *secctx;

	ret = security_secid_to_secctx(ct->secmark, &secctx, &len);
	if (ret)
		return 0;

	ret = -1;
	nest_secctx = nla_nest_start(skb, CTA_SECCTX | NLA_F_NESTED);
	if (!nest_secctx)
		goto nla_put_failure;

	if (nla_put_string(skb, CTA_SECCTX_NAME, secctx))
		goto nla_put_failure;
	nla_nest_end(skb, nest_secctx);

	ret = 0;
nla_put_failure:
	/* both success and failure paths must release the LSM context */
	security_release_secctx(secctx, len);
	return ret;
}
#else
#define ctnetlink_dump_secctx(a, b) (0)
#endif

#ifdef CONFIG_NF_CONNTRACK_LABELS
/* Message-size contribution of CTA_LABELS, if the extension exists. */
static inline int ctnetlink_label_size(const struct nf_conn *ct)
{
	struct nf_conn_labels *labels = nf_ct_labels_find(ct);

	if (!labels)
		return 0;
	return nla_total_size(sizeof(labels->bits));
}

/* CTA_LABELS: emitted only when at least one label bit is set. */
static int
ctnetlink_dump_labels(struct sk_buff *skb, const struct nf_conn *ct)
{
	struct nf_conn_labels *labels = nf_ct_labels_find(ct);
	unsigned int i;

	if (!labels)
		return 0;

	i = 0;
	do {
		if (labels->bits[i] != 0)
			return nla_put(skb, CTA_LABELS, sizeof(labels->bits),
				       labels->bits);
		i++;
	} while (i < ARRAY_SIZE(labels->bits));

	return 0;
}
#else
#define ctnetlink_dump_labels(a, b) (0)
#define ctnetlink_label_size(a) (0)
#endif

/* Original-direction tuple of the master (expecting) connection. */
#define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple)

/* CTA_TUPLE_MASTER: for expected connections, the master's tuple. */
static int ctnetlink_dump_master(struct sk_buff *skb, const struct nf_conn *ct)
{
	struct nlattr *nest_parms;

	if (!(ct->status & IPS_EXPECTED))
		return 0;

	nest_parms = nla_nest_start(skb, CTA_TUPLE_MASTER | NLA_F_NESTED);
	if (!nest_parms)
		goto nla_put_failure;
	if (ctnetlink_dump_tuples(skb, master_tuple(ct)) < 0)
		goto nla_put_failure;
	nla_nest_end(skb, nest_parms);

	return 0;

nla_put_failure:
	return -1;
}

/* Emit one direction's TCP sequence adjustment data as a nested attr. */
static int
dump_ct_seq_adj(struct sk_buff *skb, const struct nf_ct_seqadj *seq, int type)
{
	struct nlattr *nest_parms;

	nest_parms = nla_nest_start(skb, type | NLA_F_NESTED);
	if (!nest_parms)
		goto nla_put_failure;

	if (nla_put_be32(skb, CTA_SEQADJ_CORRECTION_POS,
			 htonl(seq->correction_pos)) ||
	    nla_put_be32(skb, CTA_SEQADJ_OFFSET_BEFORE,
			 htonl(seq->offset_before)) ||
	    nla_put_be32(skb, CTA_SEQADJ_OFFSET_AFTER,
			 htonl(seq->offset_after)))
		goto nla_put_failure;

	nla_nest_end(skb, nest_parms);

	return 0;

nla_put_failure:
	return -1;
}

/* Dump seqadj state for both directions under ct->lock so the values
 * are read consistently against concurrent packet processing.
 */
static int ctnetlink_dump_ct_seq_adj(struct sk_buff *skb, struct nf_conn *ct)
{
	struct nf_conn_seqadj *seqadj = nfct_seqadj(ct);
	struct nf_ct_seqadj *seq;

	if (!(ct->status & IPS_SEQ_ADJUST) || !seqadj)
		return 0;

	spin_lock_bh(&ct->lock);
	seq = &seqadj->seq[IP_CT_DIR_ORIGINAL];
	if (dump_ct_seq_adj(skb, seq, CTA_SEQ_ADJ_ORIG) == -1)
		goto err;

	seq = &seqadj->seq[IP_CT_DIR_REPLY];
	if (dump_ct_seq_adj(skb, seq, CTA_SEQ_ADJ_REPLY) == -1)
		goto err;

	spin_unlock_bh(&ct->lock);
	return 0;
err:
	spin_unlock_bh(&ct->lock);
	return -1;
}

/* CTA_ID: an opaque handle for the entry (derived from its address). */
static int ctnetlink_dump_id(struct sk_buff *skb, const struct nf_conn *ct)
{
	if (nla_put_be32(skb, CTA_ID, htonl((unsigned long)ct)))
		goto
nla_put_failure;
	return 0;

nla_put_failure:
	return -1;
}

/* CTA_USE: current reference count of the entry. */
static int ctnetlink_dump_use(struct sk_buff *skb, const struct nf_conn *ct)
{
	if (nla_put_be32(skb, CTA_USE, htonl(atomic_read(&ct->ct_general.use))))
		goto nla_put_failure;
	return 0;

nla_put_failure:
	return -1;
}

/* Build one complete IPCTNL_MSG_CT_NEW message for 'ct' into skb:
 * both tuples (with per-tuple zone ids), zone, status, timeout,
 * accounting, timestamps, protoinfo, helper, mark, secctx, labels,
 * id, use count, master tuple and seqadj state.
 * Returns skb->len on success, -1 after cancelling the message.
 */
static int
ctnetlink_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
		    struct nf_conn *ct)
{
	const struct nf_conntrack_zone *zone;
	struct nlmsghdr *nlh;
	struct nfgenmsg *nfmsg;
	struct nlattr *nest_parms;
	/* NLM_F_MULTI marks messages that are part of a dump */
	unsigned int flags = portid ? NLM_F_MULTI : 0, event;

	event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, IPCTNL_MSG_CT_NEW);
	nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
	if (nlh == NULL)
		goto nlmsg_failure;

	nfmsg = nlmsg_data(nlh);
	nfmsg->nfgen_family = nf_ct_l3num(ct);
	nfmsg->version      = NFNETLINK_V0;
	nfmsg->res_id	    = 0;

	zone = nf_ct_zone(ct);

	nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED);
	if (!nest_parms)
		goto nla_put_failure;
	if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
		goto nla_put_failure;
	if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
				   NF_CT_ZONE_DIR_ORIG) < 0)
		goto nla_put_failure;
	nla_nest_end(skb, nest_parms);

	nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY | NLA_F_NESTED);
	if (!nest_parms)
		goto nla_put_failure;
	if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
		goto nla_put_failure;
	if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
				   NF_CT_ZONE_DIR_REPL) < 0)
		goto nla_put_failure;
	nla_nest_end(skb, nest_parms);

	if (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone,
				   NF_CT_DEFAULT_ZONE_DIR) < 0)
		goto nla_put_failure;

	if (ctnetlink_dump_status(skb, ct) < 0 ||
	    ctnetlink_dump_timeout(skb, ct) < 0 ||
	    ctnetlink_dump_acct(skb, ct, type) < 0 ||
	    ctnetlink_dump_timestamp(skb, ct) < 0 ||
	    ctnetlink_dump_protoinfo(skb, ct) < 0 ||
	    ctnetlink_dump_helpinfo(skb, ct) < 0 ||
	    ctnetlink_dump_mark(skb, ct) < 0 ||
	    ctnetlink_dump_secctx(skb, ct) < 0 ||
	    ctnetlink_dump_labels(skb, ct) < 0 ||
	    ctnetlink_dump_id(skb, ct) < 0 ||
	    ctnetlink_dump_use(skb, ct) < 0 ||
	    ctnetlink_dump_master(skb, ct) < 0 ||
	    ctnetlink_dump_ct_seq_adj(skb, ct) < 0)
		goto nla_put_failure;

	nlmsg_end(skb, nlh);
	return skb->len;

nlmsg_failure:
nla_put_failure:
	nlmsg_cancel(skb, nlh);
	return -1;
}

#if defined(CONFIG_NETFILTER_NETLINK_GLUE_CT) || defined(CONFIG_NF_CONNTRACK_EVENTS)
/* Size contribution of the l3/l4-protocol-specific attributes,
 * tripled for the ORIG, REPLY and MASTER tuples.
 */
static size_t ctnetlink_proto_size(const struct nf_conn *ct)
{
	const struct nf_conntrack_l3proto *l3proto;
	const struct nf_conntrack_l4proto *l4proto;
	size_t len, len4 = 0;

	l3proto = __nf_ct_l3proto_find(nf_ct_l3num(ct));
	len = l3proto->nla_size;
	len *= 3u; /* ORIG, REPLY, MASTER */

	l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
	len += l4proto->nlattr_size;
	if (l4proto->nlattr_tuple_size) {
		len4 = l4proto->nlattr_tuple_size();
		len4 *= 3u; /* ORIG, REPLY, MASTER */
	}

	return len + len4;
}
#endif

/* Size contribution of the accounting attributes (both directions). */
static inline size_t ctnetlink_acct_size(const struct nf_conn *ct)
{
	if (!nf_ct_ext_exist(ct, NF_CT_EXT_ACCT))
		return 0;
	return 2 * nla_total_size(0) /* CTA_COUNTERS_ORIG|REPL */
	       + 2 * nla_total_size_64bit(sizeof(uint64_t)) /* CTA_COUNTERS_PACKETS */
	       + 2 * nla_total_size_64bit(sizeof(uint64_t)) /* CTA_COUNTERS_BYTES */
	       ;
}

/* Size contribution of CTA_SECCTX; queries the LSM for the context
 * length without fetching the string (NULL secdata pointer).
 */
static inline int ctnetlink_secctx_size(const struct nf_conn *ct)
{
#ifdef CONFIG_NF_CONNTRACK_SECMARK
	int len, ret;

	ret = security_secid_to_secctx(ct->secmark, NULL, &len);
	if (ret)
		return 0;

	return nla_total_size(0) /* CTA_SECCTX */
	       + nla_total_size(sizeof(char) * len); /* CTA_SECCTX_NAME */
#else
	return 0;
#endif
}

/* Size contribution of CTA_TIMESTAMP (start + stop). */
static inline size_t ctnetlink_timestamp_size(const struct nf_conn *ct)
{
#ifdef CONFIG_NF_CONNTRACK_TIMESTAMP
	if (!nf_ct_ext_exist(ct, NF_CT_EXT_TSTAMP))
		return 0;
	return nla_total_size(0) + 2 * nla_total_size_64bit(sizeof(uint64_t));
#else
	return 0;
#endif
}

#ifdef CONFIG_NF_CONNTRACK_EVENTS
/* Upper-bound allocation size for one conntrack event message. */
static size_t ctnetlink_nlmsg_size(const struct nf_conn *ct)
{
	return NLMSG_ALIGN(sizeof(struct nfgenmsg))
	       + 3 * nla_total_size(0) /* CTA_TUPLE_ORIG|REPL|MASTER */
	       + 3 * nla_total_size(0) /* CTA_TUPLE_IP */
	       + 3 * nla_total_size(0) /* CTA_TUPLE_PROTO */
	       + 3 * nla_total_size(sizeof(u_int8_t)) /* CTA_PROTO_NUM */
	       + nla_total_size(sizeof(u_int32_t)) /* CTA_ID */
	       + nla_total_size(sizeof(u_int32_t)) /* CTA_STATUS */
	       + ctnetlink_acct_size(ct)
	       + ctnetlink_timestamp_size(ct)
	       + nla_total_size(sizeof(u_int32_t)) /* CTA_TIMEOUT */
	       + nla_total_size(0) /* CTA_PROTOINFO */
	       + nla_total_size(0) /* CTA_HELP */
	       + nla_total_size(NF_CT_HELPER_NAME_LEN) /* CTA_HELP_NAME */
	       + ctnetlink_secctx_size(ct)
#ifdef CONFIG_NF_NAT_NEEDED
	       + 2 * nla_total_size(0) /* CTA_NAT_SEQ_ADJ_ORIG|REPL */
	       + 6 * nla_total_size(sizeof(u_int32_t)) /* CTA_NAT_SEQ_OFFSET */
#endif
#ifdef CONFIG_NF_CONNTRACK_MARK
	       + nla_total_size(sizeof(u_int32_t)) /* CTA_MARK */
#endif
#ifdef CONFIG_NF_CONNTRACK_ZONES
	       + nla_total_size(sizeof(u_int16_t)) /* CTA_ZONE|CTA_TUPLE_ZONE */
#endif
	       + ctnetlink_proto_size(ct)
	       + ctnetlink_label_size(ct)
	       ;
}

/* Conntrack event notifier: translate an IPCT_* event bitmask into a
 * ctnetlink message and multicast it to the matching NFNLGRP_* group.
 * DESTROY events carry final counters/timestamps; other events carry
 * only the attributes relevant to the event bits that fired.
 * Returns -ENOBUFS so the core can mark an overrun, 0 otherwise.
 */
static int
ctnetlink_conntrack_event(unsigned int events, struct nf_ct_event *item)
{
	const struct nf_conntrack_zone *zone;
	struct net *net;
	struct nlmsghdr *nlh;
	struct nfgenmsg *nfmsg;
	struct nlattr *nest_parms;
	struct nf_conn *ct = item->ct;
	struct sk_buff *skb;
	unsigned int type;
	unsigned int flags = 0, group;
	int err;

	if (events & (1 << IPCT_DESTROY)) {
		type = IPCTNL_MSG_CT_DELETE;
		group = NFNLGRP_CONNTRACK_DESTROY;
	} else if (events & ((1 << IPCT_NEW) | (1 << IPCT_RELATED))) {
		type = IPCTNL_MSG_CT_NEW;
		flags = NLM_F_CREATE|NLM_F_EXCL;
		group = NFNLGRP_CONNTRACK_NEW;
	} else if (events) {
		type = IPCTNL_MSG_CT_NEW;
		group = NFNLGRP_CONNTRACK_UPDATE;
	} else
		return 0;

	net = nf_ct_net(ct);
	/* skip the allocation entirely when nobody is listening */
	if (!item->report && !nfnetlink_has_listeners(net, group))
		return 0;

	skb = nlmsg_new(ctnetlink_nlmsg_size(ct), GFP_ATOMIC);
	if (skb == NULL)
		goto errout;

	type = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, type);
	nlh = nlmsg_put(skb, item->portid, 0, type, sizeof(*nfmsg), flags);
	if (nlh == NULL)
		goto nlmsg_failure;

	nfmsg = nlmsg_data(nlh);
	nfmsg->nfgen_family = nf_ct_l3num(ct);
	nfmsg->version	= NFNETLINK_V0;
	nfmsg->res_id	= 0;

	zone = nf_ct_zone(ct);

	nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED);
	if (!nest_parms)
		goto nla_put_failure;
	if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
		goto nla_put_failure;
	if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
				   NF_CT_ZONE_DIR_ORIG) < 0)
		goto nla_put_failure;
	nla_nest_end(skb, nest_parms);

	nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY | NLA_F_NESTED);
	if (!nest_parms)
		goto nla_put_failure;
	if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
		goto nla_put_failure;
	if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
				   NF_CT_ZONE_DIR_REPL) < 0)
		goto nla_put_failure;
	nla_nest_end(skb, nest_parms);

	if (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone,
				   NF_CT_DEFAULT_ZONE_DIR) < 0)
		goto nla_put_failure;

	if (ctnetlink_dump_id(skb, ct) < 0)
		goto nla_put_failure;

	if (ctnetlink_dump_status(skb, ct) < 0)
		goto nla_put_failure;

	if (events & (1 << IPCT_DESTROY)) {
		if (ctnetlink_dump_acct(skb, ct, type) < 0 ||
		    ctnetlink_dump_timestamp(skb, ct) < 0)
			goto nla_put_failure;
	} else {
		if (ctnetlink_dump_timeout(skb, ct) < 0)
			goto nla_put_failure;

		if (events & (1 << IPCT_PROTOINFO)
		    && ctnetlink_dump_protoinfo(skb, ct) < 0)
			goto nla_put_failure;

		if ((events & (1 << IPCT_HELPER) || nfct_help(ct))
		    && ctnetlink_dump_helpinfo(skb, ct) < 0)
			goto nla_put_failure;

#ifdef CONFIG_NF_CONNTRACK_SECMARK
		if ((events & (1 << IPCT_SECMARK) || ct->secmark)
		    && ctnetlink_dump_secctx(skb, ct) < 0)
			goto nla_put_failure;
#endif
		if (events & (1 << IPCT_LABEL) &&
		    ctnetlink_dump_labels(skb, ct) < 0)
			goto nla_put_failure;

		if (events & (1 << IPCT_RELATED) &&
		    ctnetlink_dump_master(skb, ct) < 0)
			goto nla_put_failure;

		if (events & (1 << IPCT_SEQADJ) &&
		    ctnetlink_dump_ct_seq_adj(skb, ct) < 0)
			goto nla_put_failure;
	}

#ifdef CONFIG_NF_CONNTRACK_MARK
	if ((events & (1 << IPCT_MARK) || ct->mark)
	    && ctnetlink_dump_mark(skb, ct) < 0)
		goto nla_put_failure;
#endif
	nlmsg_end(skb, nlh);
	err = nfnetlink_send(skb, net, item->portid, group, item->report,
			     GFP_ATOMIC);
	if (err == -ENOBUFS || err == -EAGAIN)
		return -ENOBUFS;

	return 0;

nla_put_failure:
	nlmsg_cancel(skb, nlh);
nlmsg_failure:
	kfree_skb(skb);
errout:
	if (nfnetlink_set_err(net, 0, group, -ENOBUFS) > 0)
		return -ENOBUFS;

	return 0;
}
#endif /* CONFIG_NF_CONNTRACK_EVENTS */

/* Dump 'done' callback: drop the reference held on the last-dumped
 * entry (cb->args[1]) and free the optional mark filter (cb->data).
 */
static int ctnetlink_done(struct netlink_callback *cb)
{
	if (cb->args[1])
		nf_ct_put((struct nf_conn *)cb->args[1]);
	kfree(cb->data);
	return 0;
}

/* Mark-based dump/flush filter (value + mask). */
struct ctnetlink_filter {
	struct {
		u_int32_t val;
		u_int32_t mask;
	} mark;
};

/* Allocate a filter from CTA_MARK/CTA_MARK_MASK attributes; the caller
 * guarantees both attributes are present.
 */
static struct ctnetlink_filter *
ctnetlink_alloc_filter(const struct nlattr * const cda[])
{
#ifdef CONFIG_NF_CONNTRACK_MARK
	struct
ctnetlink_filter *filter;

	filter = kzalloc(sizeof(*filter), GFP_KERNEL);
	if (filter == NULL)
		return ERR_PTR(-ENOMEM);

	filter->mark.val = ntohl(nla_get_be32(cda[CTA_MARK]));
	filter->mark.mask = ntohl(nla_get_be32(cda[CTA_MARK_MASK]));

	return filter;
#else
	return ERR_PTR(-EOPNOTSUPP);
#endif
}

/* Return 1 if 'ct' passes the (optional) mark filter, 0 otherwise.
 * A NULL filter matches everything.
 */
static int ctnetlink_filter_match(struct nf_conn *ct, void *data)
{
	struct ctnetlink_filter *filter = data;

	if (filter == NULL)
		return 1;

#ifdef CONFIG_NF_CONNTRACK_MARK
	if ((ct->mark & filter->mark.mask) == filter->mark.val)
		return 1;
#endif

	return 0;
}

/* Netlink dump callback: walk the central conntrack hash table bucket
 * by bucket under the per-bucket spinlock (bh disabled), filling skb
 * with one message per ORIGINAL-direction entry. Dump position is kept
 * in cb->args[0] (bucket) and cb->args[1] (ref'd last entry for
 * resume). Expired entries found along the way are collected in
 * nf_ct_evict[] and garbage-collected outside the bucket lock.
 */
static int
ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
{
	struct net *net = sock_net(skb->sk);
	struct nf_conn *ct, *last;
	struct nf_conntrack_tuple_hash *h;
	struct hlist_nulls_node *n;
	struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
	u_int8_t l3proto = nfmsg->nfgen_family;
	struct nf_conn *nf_ct_evict[8];
	int res, i;
	spinlock_t *lockp;

	last = (struct nf_conn *)cb->args[1];
	i = 0;

	local_bh_disable();
	for (; cb->args[0] < nf_conntrack_htable_size; cb->args[0]++) {
restart:
		/* reap expired entries picked up on the previous bucket */
		while (i) {
			i--;
			if (nf_ct_should_gc(nf_ct_evict[i]))
				nf_ct_kill(nf_ct_evict[i]);
			nf_ct_put(nf_ct_evict[i]);
		}

		lockp = &nf_conntrack_locks[cb->args[0] % CONNTRACK_LOCKS];
		nf_conntrack_lock(lockp);
		/* table may have been resized while we slept */
		if (cb->args[0] >= nf_conntrack_htable_size) {
			spin_unlock(lockp);
			goto out;
		}
		hlist_nulls_for_each_entry(h, n, &nf_conntrack_hash[cb->args[0]],
					   hnnode) {
			if (NF_CT_DIRECTION(h) != IP_CT_DIR_ORIGINAL)
				continue;
			ct = nf_ct_tuplehash_to_ctrack(h);
			if (nf_ct_is_expired(ct)) {
				if (i < ARRAY_SIZE(nf_ct_evict) &&
				    atomic_inc_not_zero(&ct->ct_general.use))
					nf_ct_evict[i++] = ct;
				continue;
			}

			if (!net_eq(net, nf_ct_net(ct)))
				continue;

			/* Dump entries of a given L3 protocol number.
			 * If it is not specified, ie. l3proto == 0,
			 * then dump everything. */
			if (l3proto && nf_ct_l3num(ct) != l3proto)
				continue;
			if (cb->args[1]) {
				/* resuming: skip until the saved entry */
				if (ct != last)
					continue;
				cb->args[1] = 0;
			}
			if (!ctnetlink_filter_match(ct, cb->data))
				continue;

			rcu_read_lock();
			res =
			ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).portid,
					    cb->nlh->nlmsg_seq,
					    NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
					    ct);
			rcu_read_unlock();
			if (res < 0) {
				/* skb full: hold a ref and resume here */
				nf_conntrack_get(&ct->ct_general);
				cb->args[1] = (unsigned long)ct;
				spin_unlock(lockp);
				goto out;
			}
		}
		spin_unlock(lockp);
		if (cb->args[1]) {
			/* saved entry vanished from this bucket: rescan */
			cb->args[1] = 0;
			goto restart;
		}
	}
out:
	local_bh_enable();
	if (last) {
		/* nf ct hash resize happened, now clear the leftover. */
		if ((struct nf_conn *)cb->args[1] == last)
			cb->args[1] = 0;

		nf_ct_put(last);
	}

	while (i) {
		i--;
		if (nf_ct_should_gc(nf_ct_evict[i]))
			nf_ct_kill(nf_ct_evict[i]);
		nf_ct_put(nf_ct_evict[i]);
	}

	return skb->len;
}

/* Parse the nested CTA_TUPLE_IP attribute into tuple->src/dst addrs,
 * validating against the L3 protocol's policy under RCU.
 */
static int ctnetlink_parse_tuple_ip(struct nlattr *attr,
				    struct nf_conntrack_tuple *tuple)
{
	struct nlattr *tb[CTA_IP_MAX+1];
	struct nf_conntrack_l3proto *l3proto;
	int ret = 0;

	ret = nla_parse_nested(tb, CTA_IP_MAX, attr, NULL, NULL);
	if (ret < 0)
		return ret;

	rcu_read_lock();
	l3proto = __nf_ct_l3proto_find(tuple->src.l3num);

	if (likely(l3proto->nlattr_to_tuple)) {
		ret = nla_validate_nested(attr, CTA_IP_MAX,
					  l3proto->nla_policy, NULL);
		if (ret == 0)
			ret = l3proto->nlattr_to_tuple(tb, tuple);
	}

	rcu_read_unlock();

	return ret;
}

static const struct nla_policy proto_nla_policy[CTA_PROTO_MAX+1] = {
	[CTA_PROTO_NUM]	= { .type = NLA_U8 },
};

/* Parse the nested CTA_TUPLE_PROTO attribute: mandatory protocol
 * number plus per-protocol fields validated by the l4proto helper.
 */
static int ctnetlink_parse_tuple_proto(struct nlattr *attr,
				       struct nf_conntrack_tuple *tuple)
{
	const struct nf_conntrack_l4proto *l4proto;
	struct nlattr *tb[CTA_PROTO_MAX+1];
	int ret = 0;

	ret = nla_parse_nested(tb, CTA_PROTO_MAX, attr, proto_nla_policy,
			       NULL);
	if (ret < 0)
		return ret;

	if (!tb[CTA_PROTO_NUM])
		return -EINVAL;
	tuple->dst.protonum = nla_get_u8(tb[CTA_PROTO_NUM]);

	rcu_read_lock();
	l4proto = __nf_ct_l4proto_find(tuple->src.l3num, tuple->dst.protonum);

	if (likely(l4proto->nlattr_to_tuple)) {
		ret = nla_validate_nested(attr, CTA_PROTO_MAX,
					  l4proto->nla_policy, NULL);
		if (ret == 0)
			ret = l4proto->nlattr_to_tuple(tb, tuple);
	}

	rcu_read_unlock();

	return ret;
}

/* Initialize 'zone' to the default zone, then override its id from the
 * CTA_ZONE attribute if present. Rejects zones when the kernel was
 * built without zone support.
 */
static int
ctnetlink_parse_zone(const struct nlattr *attr,
		     struct nf_conntrack_zone *zone)
{
	nf_ct_zone_init(zone, NF_CT_DEFAULT_ZONE_ID,
			NF_CT_DEFAULT_ZONE_DIR, 0);
#ifdef CONFIG_NF_CONNTRACK_ZONES
	if (attr)
		zone->id = ntohs(nla_get_be16(attr));
#else
	if (attr)
		return -EOPNOTSUPP;
#endif
	return 0;
}

/* Parse a per-tuple CTA_TUPLE_ZONE attribute; only allowed when no
 * whole-connection zone was set (zone still at the default id). The
 * zone direction is derived from which tuple it decorates.
 */
static int
ctnetlink_parse_tuple_zone(struct nlattr *attr, enum ctattr_type type,
			   struct nf_conntrack_zone *zone)
{
	int ret;

	if (zone->id != NF_CT_DEFAULT_ZONE_ID)
		return -EINVAL;

	ret = ctnetlink_parse_zone(attr, zone);
	if (ret < 0)
		return ret;

	if (type == CTA_TUPLE_REPLY)
		zone->dir = NF_CT_ZONE_DIR_REPL;
	else
		zone->dir = NF_CT_ZONE_DIR_ORIG;

	return 0;
}

static const struct nla_policy tuple_nla_policy[CTA_TUPLE_MAX+1] = {
	[CTA_TUPLE_IP]		= { .type = NLA_NESTED },
	[CTA_TUPLE_PROTO]	= { .type = NLA_NESTED },
	[CTA_TUPLE_ZONE]	= { .type = NLA_U16 },
};

/* Parse a complete conntrack tuple from cda[type] (CTA_TUPLE_ORIG,
 * CTA_TUPLE_REPLY or CTA_TUPLE_MASTER): IP part, proto part and
 * optional per-tuple zone. 'zone' may be NULL when the caller does not
 * accept per-tuple zones.
 */
static int
ctnetlink_parse_tuple(const struct nlattr * const cda[],
		      struct nf_conntrack_tuple *tuple, u32 type,
		      u_int8_t l3num, struct nf_conntrack_zone *zone)
{
	struct nlattr *tb[CTA_TUPLE_MAX+1];
	int err;

	memset(tuple, 0, sizeof(*tuple));

	err = nla_parse_nested(tb, CTA_TUPLE_MAX, cda[type], tuple_nla_policy,
			       NULL);
	if (err < 0)
		return err;

	if (!tb[CTA_TUPLE_IP])
		return -EINVAL;

	tuple->src.l3num = l3num;

	err = ctnetlink_parse_tuple_ip(tb[CTA_TUPLE_IP], tuple);
	if (err < 0)
		return err;

	if (!tb[CTA_TUPLE_PROTO])
		return -EINVAL;

	err = ctnetlink_parse_tuple_proto(tb[CTA_TUPLE_PROTO], tuple);
	if (err < 0)
		return err;

	if (tb[CTA_TUPLE_ZONE]) {
		if (!zone)
			return -EINVAL;

		err = ctnetlink_parse_tuple_zone(tb[CTA_TUPLE_ZONE],
						 type, zone);
		if (err < 0)
			return err;
	}

	/* orig and expect tuples get DIR_ORIGINAL */
	if (type == CTA_TUPLE_REPLY)
		tuple->dst.dir = IP_CT_DIR_REPLY;
	else
		tuple->dst.dir = IP_CT_DIR_ORIGINAL;

	return 0;
}

static const struct nla_policy help_nla_policy[CTA_HELP_MAX+1] = {
	[CTA_HELP_NAME]		= { .type = NLA_NUL_STRING,
				    .len = NF_CT_HELPER_NAME_LEN - 1 },
};

/* Parse CTA_HELP: mandatory helper name (pointer into the attribute,
 * not a copy) and optional helper-private CTA_HELP_INFO attribute.
 */
static int ctnetlink_parse_help(const struct nlattr *attr, char **helper_name,
				struct nlattr **helpinfo)
{
	int err;
	struct nlattr *tb[CTA_HELP_MAX+1];

	err = nla_parse_nested(tb, CTA_HELP_MAX, attr, help_nla_policy, NULL);
	if (err < 0)
		return err;

	if (!tb[CTA_HELP_NAME])
		return -EINVAL;

	*helper_name = nla_data(tb[CTA_HELP_NAME]);

	if (tb[CTA_HELP_INFO])
		*helpinfo = tb[CTA_HELP_INFO];

	return 0;
}

/* Top-level attribute policy for conntrack requests. */
static const struct nla_policy ct_nla_policy[CTA_MAX+1] = {
	[CTA_TUPLE_ORIG]	= { .type = NLA_NESTED },
	[CTA_TUPLE_REPLY]	= { .type = NLA_NESTED },
	[CTA_STATUS] 		= { .type = NLA_U32 },
	[CTA_PROTOINFO]		= { .type = NLA_NESTED },
	[CTA_HELP]		= { .type = NLA_NESTED },
	[CTA_NAT_SRC]		= { .type = NLA_NESTED },
	[CTA_TIMEOUT] 		= { .type = NLA_U32 },
	[CTA_MARK]		= { .type =
NLA_U32 },
	[CTA_ID]		= { .type = NLA_U32 },
	[CTA_NAT_DST]		= { .type = NLA_NESTED },
	[CTA_TUPLE_MASTER]	= { .type = NLA_NESTED },
	[CTA_NAT_SEQ_ADJ_ORIG]  = { .type = NLA_NESTED },
	[CTA_NAT_SEQ_ADJ_REPLY] = { .type = NLA_NESTED },
	[CTA_ZONE]		= { .type = NLA_U16 },
	[CTA_MARK_MASK]		= { .type = NLA_U32 },
	[CTA_LABELS]		= { .type = NLA_BINARY,
				    .len = NF_CT_LABELS_MAX_SIZE },
	[CTA_LABELS_MASK]	= { .type = NLA_BINARY,
				    .len = NF_CT_LABELS_MAX_SIZE },
};

/* Flush iterator: never delete entries offloaded to hardware;
 * otherwise apply the optional mark filter.
 */
static int ctnetlink_flush_iterate(struct nf_conn *ct, void *data)
{
	if (test_bit(IPS_OFFLOAD_BIT, &ct->status))
		return 0;

	return ctnetlink_filter_match(ct, data);
}

/* Delete all (optionally mark-filtered) conntrack entries in 'net'. */
static int ctnetlink_flush_conntrack(struct net *net,
				     const struct nlattr * const cda[],
				     u32 portid, int report)
{
	struct ctnetlink_filter *filter = NULL;

	if (cda[CTA_MARK] && cda[CTA_MARK_MASK]) {
		filter = ctnetlink_alloc_filter(cda);
		if (IS_ERR(filter))
			return PTR_ERR(filter);
	}

	nf_ct_iterate_cleanup_net(net, ctnetlink_flush_iterate, filter,
				  portid, report);
	kfree(filter);

	return 0;
}

/* IPCTNL_MSG_CT_DELETE handler: delete the entry matching the given
 * ORIG or REPLY tuple (optionally cross-checked against CTA_ID), or
 * flush the whole table when no tuple is supplied. Offloaded entries
 * cannot be deleted (-EBUSY).
 */
static int ctnetlink_del_conntrack(struct net *net, struct sock *ctnl,
				   struct sk_buff *skb,
				   const struct nlmsghdr *nlh,
				   const struct nlattr * const cda[],
				   struct netlink_ext_ack *extack)
{
	struct nf_conntrack_tuple_hash *h;
	struct nf_conntrack_tuple tuple;
	struct nf_conn *ct;
	struct nfgenmsg *nfmsg = nlmsg_data(nlh);
	u_int8_t u3 = nfmsg->nfgen_family;
	struct nf_conntrack_zone zone;
	int err;

	err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone);
	if (err < 0)
		return err;

	if (cda[CTA_TUPLE_ORIG])
		err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG,
					    u3, &zone);
	else if (cda[CTA_TUPLE_REPLY])
		err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY,
					    u3, &zone);
	else {
		return ctnetlink_flush_conntrack(net, cda,
						 NETLINK_CB(skb).portid,
						 nlmsg_report(nlh));
	}

	if (err < 0)
		return err;

	h = nf_conntrack_find_get(net, &zone, &tuple);
	if (!h)
		return -ENOENT;

	ct = nf_ct_tuplehash_to_ctrack(h);

	if (test_bit(IPS_OFFLOAD_BIT, &ct->status)) {
		nf_ct_put(ct);
		return -EBUSY;
	}

	if (cda[CTA_ID]) {
		u_int32_t id = ntohl(nla_get_be32(cda[CTA_ID]));
		/* id is derived from the entry's address (see dump_id) */
		if (id != (u32)(unsigned long)ct) {
			nf_ct_put(ct);
			return -ENOENT;
		}
	}

	nf_ct_delete(ct, NETLINK_CB(skb).portid, nlmsg_report(nlh));
	nf_ct_put(ct);

	return 0;
}

/* IPCTNL_MSG_CT_GET handler: either start a (optionally mark-filtered)
 * table dump for NLM_F_DUMP requests, or look up a single entry by
 * tuple and unicast it back to the requester.
 */
static int ctnetlink_get_conntrack(struct net *net, struct sock *ctnl,
				   struct sk_buff *skb,
				   const struct nlmsghdr *nlh,
				   const struct nlattr * const cda[],
				   struct netlink_ext_ack *extack)
{
	struct nf_conntrack_tuple_hash *h;
	struct nf_conntrack_tuple tuple;
	struct nf_conn *ct;
	struct sk_buff *skb2 = NULL;
	struct nfgenmsg *nfmsg = nlmsg_data(nlh);
	u_int8_t u3 = nfmsg->nfgen_family;
	struct nf_conntrack_zone zone;
	int err;

	if (nlh->nlmsg_flags & NLM_F_DUMP) {
		struct netlink_dump_control c = {
			.dump = ctnetlink_dump_table,
			.done = ctnetlink_done,
		};

		if (cda[CTA_MARK] && cda[CTA_MARK_MASK]) {
			struct ctnetlink_filter *filter;

			filter = ctnetlink_alloc_filter(cda);
			if (IS_ERR(filter))
				return PTR_ERR(filter);

			/* freed in ctnetlink_done() */
			c.data = filter;
		}
		return netlink_dump_start(ctnl, skb, nlh, &c);
	}

	err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone);
	if (err < 0)
		return err;

	if (cda[CTA_TUPLE_ORIG])
		err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG,
					    u3, &zone);
	else if (cda[CTA_TUPLE_REPLY])
		err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY,
					    u3, &zone);
	else
		return -EINVAL;

	if
(err < 0) 1243 return err; 1244 1245 h = nf_conntrack_find_get(net, &zone, &tuple); 1246 if (!h) 1247 return -ENOENT; 1248 1249 ct = nf_ct_tuplehash_to_ctrack(h); 1250 1251 err = -ENOMEM; 1252 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); 1253 if (skb2 == NULL) { 1254 nf_ct_put(ct); 1255 return -ENOMEM; 1256 } 1257 1258 rcu_read_lock(); 1259 err = ctnetlink_fill_info(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq, 1260 NFNL_MSG_TYPE(nlh->nlmsg_type), ct); 1261 rcu_read_unlock(); 1262 nf_ct_put(ct); 1263 if (err <= 0) 1264 goto free; 1265 1266 err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT); 1267 if (err < 0) 1268 goto out; 1269 1270 return 0; 1271 1272 free: 1273 kfree_skb(skb2); 1274 out: 1275 /* this avoids a loop in nfnetlink. */ 1276 return err == -EAGAIN ? -ENOBUFS : err; 1277 } 1278 1279 static int ctnetlink_done_list(struct netlink_callback *cb) 1280 { 1281 if (cb->args[1]) 1282 nf_ct_put((struct nf_conn *)cb->args[1]); 1283 return 0; 1284 } 1285 1286 static int 1287 ctnetlink_dump_list(struct sk_buff *skb, struct netlink_callback *cb, bool dying) 1288 { 1289 struct nf_conn *ct, *last; 1290 struct nf_conntrack_tuple_hash *h; 1291 struct hlist_nulls_node *n; 1292 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 1293 u_int8_t l3proto = nfmsg->nfgen_family; 1294 int res; 1295 int cpu; 1296 struct hlist_nulls_head *list; 1297 struct net *net = sock_net(skb->sk); 1298 1299 if (cb->args[2]) 1300 return 0; 1301 1302 last = (struct nf_conn *)cb->args[1]; 1303 1304 for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) { 1305 struct ct_pcpu *pcpu; 1306 1307 if (!cpu_possible(cpu)) 1308 continue; 1309 1310 pcpu = per_cpu_ptr(net->ct.pcpu_lists, cpu); 1311 spin_lock_bh(&pcpu->lock); 1312 list = dying ? 
		       &pcpu->dying : &pcpu->unconfirmed;
restart:
		hlist_nulls_for_each_entry(h, n, list, hnnode) {
			ct = nf_ct_tuplehash_to_ctrack(h);
			if (l3proto && nf_ct_l3num(ct) != l3proto)
				continue;
			/* Skip forward to the entry we stopped at last time. */
			if (cb->args[1]) {
				if (ct != last)
					continue;
				cb->args[1] = 0;
			}
			rcu_read_lock();
			res = ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).portid,
						  cb->nlh->nlmsg_seq,
						  NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
						  ct);
			rcu_read_unlock();
			if (res < 0) {
				/* skb full: keep a reference to resume here,
				 * unless the entry is already being freed.
				 */
				if (!atomic_inc_not_zero(&ct->ct_general.use))
					continue;
				cb->args[0] = cpu;
				cb->args[1] = (unsigned long)ct;
				spin_unlock_bh(&pcpu->lock);
				goto out;
			}
		}
		/* Resume point vanished from the list: rescan this cpu. */
		if (cb->args[1]) {
			cb->args[1] = 0;
			goto restart;
		}
		spin_unlock_bh(&pcpu->lock);
	}
	cb->args[2] = 1;
out:
	if (last)
		nf_ct_put(last);

	return skb->len;
}

/* Dump callback for the per-cpu dying lists. */
static int
ctnetlink_dump_dying(struct sk_buff *skb, struct netlink_callback *cb)
{
	return ctnetlink_dump_list(skb, cb, true);
}

/* IPCTNL_MSG_CT_GET_DYING handler: dump-only request. */
static int ctnetlink_get_ct_dying(struct net *net, struct sock *ctnl,
				  struct sk_buff *skb,
				  const struct nlmsghdr *nlh,
				  const struct nlattr * const cda[],
				  struct netlink_ext_ack *extack)
{
	if (nlh->nlmsg_flags & NLM_F_DUMP) {
		struct netlink_dump_control c = {
			.dump = ctnetlink_dump_dying,
			.done = ctnetlink_done_list,
		};
		return netlink_dump_start(ctnl, skb, nlh, &c);
	}

	return -EOPNOTSUPP;
}

/* Dump callback for the per-cpu unconfirmed lists. */
static int
ctnetlink_dump_unconfirmed(struct sk_buff *skb, struct netlink_callback *cb)
{
	return ctnetlink_dump_list(skb, cb, false);
}

/* IPCTNL_MSG_CT_GET_UNCONFIRMED handler: dump-only request. */
static int ctnetlink_get_ct_unconfirmed(struct net *net, struct sock *ctnl,
					struct sk_buff *skb,
					const struct nlmsghdr *nlh,
					const struct nlattr * const cda[],
					struct netlink_ext_ack *extack)
{
	if (nlh->nlmsg_flags & NLM_F_DUMP) {
		struct netlink_dump_control c = {
			.dump = ctnetlink_dump_unconfirmed,
			.done = ctnetlink_done_list,
		};
		return netlink_dump_start(ctnl, skb, nlh, &c);
	}

	return -EOPNOTSUPP;
}

#ifdef CONFIG_NF_NAT_NEEDED
/* Hand a CTA_NAT_SRC/DST attribute to the NAT module via the
 * nfnetlink_parse_nat_setup_hook.  If the hook (or the per-family NAT
 * module) is not loaded yet, temporarily drop the RCU read lock and
 * the ctnetlink nfnl mutex to request_module(), then signal the caller
 * to retry with -EAGAIN.  Caller holds rcu_read_lock and the
 * NFNL_SUBSYS_CTNETLINK mutex; both are held again on return.
 */
static int
ctnetlink_parse_nat_setup(struct nf_conn *ct,
			  enum nf_nat_manip_type manip,
			  const struct nlattr *attr)
{
	typeof(nfnetlink_parse_nat_setup_hook) parse_nat_setup;
	int err;

	parse_nat_setup = rcu_dereference(nfnetlink_parse_nat_setup_hook);
	if (!parse_nat_setup) {
#ifdef CONFIG_MODULES
		rcu_read_unlock();
		nfnl_unlock(NFNL_SUBSYS_CTNETLINK);
		if (request_module("nf-nat") < 0) {
			nfnl_lock(NFNL_SUBSYS_CTNETLINK);
			rcu_read_lock();
			return -EOPNOTSUPP;
		}
		nfnl_lock(NFNL_SUBSYS_CTNETLINK);
		rcu_read_lock();
		if (nfnetlink_parse_nat_setup_hook)
			return -EAGAIN;
#endif
		return -EOPNOTSUPP;
	}

	err = parse_nat_setup(ct, manip, attr);
	if (err == -EAGAIN) {
#ifdef CONFIG_MODULES
		rcu_read_unlock();
		nfnl_unlock(NFNL_SUBSYS_CTNETLINK);
		if (request_module("nf-nat-%u", nf_ct_l3num(ct)) < 0) {
			nfnl_lock(NFNL_SUBSYS_CTNETLINK);
			rcu_read_lock();
			return -EOPNOTSUPP;
		}
		nfnl_lock(NFNL_SUBSYS_CTNETLINK);
		rcu_read_lock();
#else
		err = -EOPNOTSUPP;
#endif
	}
	return err;
}
#endif

/* Atomically set the bits in @on and clear the bits in @off on
 * ct->status, skipping the kernel-managed IPS_UNCHANGEABLE_MASK bits.
 */
static void
__ctnetlink_change_status(struct nf_conn *ct, unsigned long on,
			  unsigned long off)
{
	unsigned int bit;

	/* Ignore these unchangable bits */
	on &= ~IPS_UNCHANGEABLE_MASK;
	off &= ~IPS_UNCHANGEABLE_MASK;

	for (bit = 0; bit < __IPS_MAX_BIT; bit++) {
		if (on & (1 << bit))
			set_bit(bit, &ct->status);
		else if (off & (1 << bit))
			clear_bit(bit, &ct->status);
	}
}

/* Apply CTA_STATUS to an existing conntrack, rejecting any attempt to
 * change kernel-managed bits or to clear set-only bits.
 */
static int
ctnetlink_change_status(struct nf_conn *ct, const struct nlattr * const cda[])
{
	unsigned long d;
	unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS]));
	d = ct->status ^ status;

	if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING))
		/* unchangeable */
		return -EBUSY;

	if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY))
		/* SEEN_REPLY bit can only be set */
		return -EBUSY;

	if (d & IPS_ASSURED && !(status & IPS_ASSURED))
		/* ASSURED bit can only be set */
		return -EBUSY;

	__ctnetlink_change_status(ct, status, 0);
	return 0;
}

/* Apply CTA_NAT_SRC/CTA_NAT_DST on a freshly created conntrack.
 * Without CONFIG_NF_NAT_NEEDED any NAT attribute is rejected.
 */
static int
ctnetlink_setup_nat(struct nf_conn *ct, const struct nlattr * const cda[])
{
#ifdef CONFIG_NF_NAT_NEEDED
	int ret;

	if (!cda[CTA_NAT_DST] && !cda[CTA_NAT_SRC])
		return 0;

	ret = ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_DST,
					cda[CTA_NAT_DST]);
	if (ret < 0)
		return ret;

	ret = ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_SRC,
					cda[CTA_NAT_SRC]);
	return ret;
#else
	if (!cda[CTA_NAT_DST] && !cda[CTA_NAT_SRC])
		return 0;
	return -EOPNOTSUPP;
#endif
}

/* Process CTA_HELP on an existing conntrack.  Only unassigning a
 * helper (empty name) or refreshing the currently assigned helper's
 * private data is allowed; switching helpers returns -EBUSY and
 * assigning one to a helperless entry returns -EOPNOTSUPP.
 */
static int ctnetlink_change_helper(struct nf_conn *ct,
				   const struct nlattr * const cda[])
{
	struct nf_conntrack_helper *helper;
	struct nf_conn_help *help = nfct_help(ct);
	char *helpname = NULL;
	struct nlattr *helpinfo = NULL;
	int err;

	err = ctnetlink_parse_help(cda[CTA_HELP], &helpname, &helpinfo);
	if (err < 0)
		return err;

	/* don't change helper of sibling connections */
	if (ct->master) {
		/* If we try to change the helper to the same thing twice,
		 * treat the second attempt as a no-op instead of returning
		 * an error.
		 */
		err = -EBUSY;
		if (help) {
			rcu_read_lock();
			helper = rcu_dereference(help->helper);
			if (helper && !strcmp(helper->name, helpname))
				err = 0;
			rcu_read_unlock();
		}

		return err;
	}

	if (!strcmp(helpname, "")) {
		if (help && help->helper) {
			/* we had a helper before ... */
			nf_ct_remove_expectations(ct);
			RCU_INIT_POINTER(help->helper, NULL);
		}

		return 0;
	}

	rcu_read_lock();
	helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
					    nf_ct_protonum(ct));
	if (helper == NULL) {
		rcu_read_unlock();
		return -EOPNOTSUPP;
	}

	if (help) {
		if (help->helper == helper) {
			/* update private helper data if allowed. */
			if (helper->from_nlattr)
				helper->from_nlattr(helpinfo, ct);
			err = 0;
		} else
			err = -EBUSY;
	} else {
		/* we cannot set a helper for an existing conntrack */
		err = -EOPNOTSUPP;
	}

	rcu_read_unlock();
	return err;
}

/* Apply CTA_TIMEOUT (seconds, network order) to an existing entry,
 * clamped so the jiffies value fits in INT_MAX.  Refuse with -ETIME
 * if the entry is already dying.
 */
static int ctnetlink_change_timeout(struct nf_conn *ct,
				    const struct nlattr * const cda[])
{
	u64 timeout = (u64)ntohl(nla_get_be32(cda[CTA_TIMEOUT])) * HZ;

	if (timeout > INT_MAX)
		timeout = INT_MAX;
	ct->timeout = nfct_time_stamp + (u32)timeout;

	if (test_bit(IPS_DYING_BIT, &ct->status))
		return -ETIME;

	return 0;
}

static const struct nla_policy protoinfo_policy[CTA_PROTOINFO_MAX+1] = {
	[CTA_PROTOINFO_TCP]	= { .type = NLA_NESTED },
	[CTA_PROTOINFO_DCCP]	= { .type = NLA_NESTED },
	[CTA_PROTOINFO_SCTP]	= { .type = NLA_NESTED },
};

/* Hand the nested CTA_PROTOINFO attribute to the entry's l4proto
 * (TCP/DCCP/SCTP state updates).
 */
static int ctnetlink_change_protoinfo(struct nf_conn *ct,
				      const struct nlattr * const cda[])
{
	const struct nlattr *attr = cda[CTA_PROTOINFO];
	const struct nf_conntrack_l4proto *l4proto;
	struct nlattr *tb[CTA_PROTOINFO_MAX+1];
	int err = 0;

	err = nla_parse_nested(tb,
			       CTA_PROTOINFO_MAX, attr, protoinfo_policy,
			       NULL);
	if (err < 0)
		return err;

	rcu_read_lock();
	l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
	if (l4proto->from_nlattr)
		err = l4proto->from_nlattr(tb, ct);
	rcu_read_unlock();

	return err;
}

static const struct nla_policy seqadj_policy[CTA_SEQADJ_MAX+1] = {
	[CTA_SEQADJ_CORRECTION_POS]	= { .type = NLA_U32 },
	[CTA_SEQADJ_OFFSET_BEFORE]	= { .type = NLA_U32 },
	[CTA_SEQADJ_OFFSET_AFTER]	= { .type = NLA_U32 },
};

/* Parse one nested CTA_SEQ_ADJ_* attribute into @seq; all three
 * sub-attributes are mandatory.
 */
static int change_seq_adj(struct nf_ct_seqadj *seq,
			  const struct nlattr * const attr)
{
	int err;
	struct nlattr *cda[CTA_SEQADJ_MAX+1];

	err = nla_parse_nested(cda, CTA_SEQADJ_MAX, attr, seqadj_policy, NULL);
	if (err < 0)
		return err;

	if (!cda[CTA_SEQADJ_CORRECTION_POS])
		return -EINVAL;

	seq->correction_pos =
		ntohl(nla_get_be32(cda[CTA_SEQADJ_CORRECTION_POS]));

	if (!cda[CTA_SEQADJ_OFFSET_BEFORE])
		return -EINVAL;

	seq->offset_before =
		ntohl(nla_get_be32(cda[CTA_SEQADJ_OFFSET_BEFORE]));

	if (!cda[CTA_SEQADJ_OFFSET_AFTER])
		return -EINVAL;

	seq->offset_after =
		ntohl(nla_get_be32(cda[CTA_SEQADJ_OFFSET_AFTER]));

	return 0;
}

/* Apply CTA_SEQ_ADJ_ORIG/REPLY to the entry's seqadj extension under
 * ct->lock, setting IPS_SEQ_ADJUST for each direction updated.  A
 * missing seqadj extension is silently ignored.
 */
static int
ctnetlink_change_seq_adj(struct nf_conn *ct,
			 const struct nlattr * const cda[])
{
	struct nf_conn_seqadj *seqadj = nfct_seqadj(ct);
	int ret = 0;

	if (!seqadj)
		return 0;

	spin_lock_bh(&ct->lock);
	if (cda[CTA_SEQ_ADJ_ORIG]) {
		ret = change_seq_adj(&seqadj->seq[IP_CT_DIR_ORIGINAL],
				     cda[CTA_SEQ_ADJ_ORIG]);
		if (ret < 0)
			goto err;

		set_bit(IPS_SEQ_ADJUST_BIT, &ct->status);
	}

	if (cda[CTA_SEQ_ADJ_REPLY]) {
		ret = change_seq_adj(&seqadj->seq[IP_CT_DIR_REPLY],
				     cda[CTA_SEQ_ADJ_REPLY]);
		if (ret < 0)
			goto err;

		set_bit(IPS_SEQ_ADJUST_BIT, &ct->status);
	}

	spin_unlock_bh(&ct->lock);
	return 0;
err:
	spin_unlock_bh(&ct->lock);
	return ret;
}

/* Replace the entry's connlabels from CTA_LABELS, optionally masked by
 * CTA_LABELS_MASK (which must have the same length).  Label data must
 * be a whole number of u32 words.
 */
static int
ctnetlink_attach_labels(struct nf_conn *ct, const struct nlattr * const cda[])
{
#ifdef CONFIG_NF_CONNTRACK_LABELS
	size_t len = nla_len(cda[CTA_LABELS]);
	const void *mask = cda[CTA_LABELS_MASK];

	if (len & (sizeof(u32)-1)) /* must be multiple of u32 */
		return -EINVAL;

	if (mask) {
		if (nla_len(cda[CTA_LABELS_MASK]) == 0 ||
		    nla_len(cda[CTA_LABELS_MASK]) != len)
			return -EINVAL;
		mask = nla_data(cda[CTA_LABELS_MASK]);
	}

	len /= sizeof(u32);

	return nf_connlabels_replace(ct, nla_data(cda[CTA_LABELS]), mask, len);
#else
	return -EOPNOTSUPP;
#endif
}

/* Apply all mutable attributes of an IPCTNL_MSG_CT_NEW request to an
 * already existing conntrack entry.
 */
static int
ctnetlink_change_conntrack(struct nf_conn *ct,
			   const struct nlattr * const cda[])
{
	int err;

	/* only allow NAT changes and master assignation for new conntracks */
	if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST] || cda[CTA_TUPLE_MASTER])
		return -EOPNOTSUPP;

	if (cda[CTA_HELP]) {
		err = ctnetlink_change_helper(ct, cda);
		if (err < 0)
			return err;
	}

	if (cda[CTA_TIMEOUT]) {
		err = ctnetlink_change_timeout(ct, cda);
		if (err < 0)
			return err;
	}

	if (cda[CTA_STATUS]) {
		err = ctnetlink_change_status(ct, cda);
		if (err < 0)
			return err;
	}

	if (cda[CTA_PROTOINFO]) {
		err = ctnetlink_change_protoinfo(ct, cda);
		if (err < 0)
			return err;
	}

#if defined(CONFIG_NF_CONNTRACK_MARK)
	if (cda[CTA_MARK])
		ct->mark = ntohl(nla_get_be32(cda[CTA_MARK]));
#endif

	if (cda[CTA_SEQ_ADJ_ORIG] || cda[CTA_SEQ_ADJ_REPLY]) {
		err = ctnetlink_change_seq_adj(ct, cda);
		if (err < 0)
			return err;
	}

	if (cda[CTA_LABELS]) {
		err =
		      ctnetlink_attach_labels(ct, cda);
		if (err < 0)
			return err;
	}

	return 0;
}

/* Build a brand new conntrack entry from netlink attributes and insert
 * it into the hash table.  CTA_TIMEOUT is mandatory.  Returns the new
 * entry (referenced) or an ERR_PTR.
 */
static struct nf_conn *
ctnetlink_create_conntrack(struct net *net,
			   const struct nf_conntrack_zone *zone,
			   const struct nlattr * const cda[],
			   struct nf_conntrack_tuple *otuple,
			   struct nf_conntrack_tuple *rtuple,
			   u8 u3)
{
	struct nf_conn *ct;
	int err = -EINVAL;
	struct nf_conntrack_helper *helper;
	struct nf_conn_tstamp *tstamp;
	u64 timeout;

	ct = nf_conntrack_alloc(net, zone, otuple, rtuple, GFP_ATOMIC);
	if (IS_ERR(ct))
		return ERR_PTR(-ENOMEM);

	if (!cda[CTA_TIMEOUT])
		goto err1;

	/* Clamp so the jiffies-based expiry fits in INT_MAX. */
	timeout = (u64)ntohl(nla_get_be32(cda[CTA_TIMEOUT])) * HZ;
	if (timeout > INT_MAX)
		timeout = INT_MAX;
	ct->timeout = (u32)timeout + nfct_time_stamp;

	rcu_read_lock();
	if (cda[CTA_HELP]) {
		char *helpname = NULL;
		struct nlattr *helpinfo = NULL;

		err = ctnetlink_parse_help(cda[CTA_HELP], &helpname, &helpinfo);
		if (err < 0)
			goto err2;

		helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
						    nf_ct_protonum(ct));
		if (helper == NULL) {
			rcu_read_unlock();
#ifdef CONFIG_MODULES
			/* Try to autoload the helper module, then ask the
			 * caller to retry the whole request with -EAGAIN.
			 */
			if (request_module("nfct-helper-%s", helpname) < 0) {
				err = -EOPNOTSUPP;
				goto err1;
			}

			rcu_read_lock();
			helper = __nf_conntrack_helper_find(helpname,
							    nf_ct_l3num(ct),
							    nf_ct_protonum(ct));
			if (helper) {
				err = -EAGAIN;
				goto err2;
			}
			rcu_read_unlock();
#endif
			err = -EOPNOTSUPP;
			goto err1;
		} else {
			struct nf_conn_help *help;

			help = nf_ct_helper_ext_add(ct, helper, GFP_ATOMIC);
			if (help == NULL) {
				err = -ENOMEM;
				goto err2;
			}
			/* set private helper data if allowed. */
			if (helper->from_nlattr)
				helper->from_nlattr(helpinfo, ct);

			/* not in hash table yet so not strictly necessary */
			RCU_INIT_POINTER(help->helper, helper);
		}
	} else {
		/* try an implicit helper assignation */
		err = __nf_ct_try_assign_helper(ct, NULL, GFP_ATOMIC);
		if (err < 0)
			goto err2;
	}

	err = ctnetlink_setup_nat(ct, cda);
	if (err < 0)
		goto err2;

	nf_ct_acct_ext_add(ct, GFP_ATOMIC);
	nf_ct_tstamp_ext_add(ct, GFP_ATOMIC);
	nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC);
	nf_ct_labels_ext_add(ct);
	nfct_seqadj_ext_add(ct);
	nfct_synproxy_ext_add(ct);

	/* we must add conntrack extensions before confirmation. */
	ct->status |= IPS_CONFIRMED;

	if (cda[CTA_STATUS]) {
		err = ctnetlink_change_status(ct, cda);
		if (err < 0)
			goto err2;
	}

	if (cda[CTA_SEQ_ADJ_ORIG] || cda[CTA_SEQ_ADJ_REPLY]) {
		err = ctnetlink_change_seq_adj(ct, cda);
		if (err < 0)
			goto err2;
	}

	memset(&ct->proto, 0, sizeof(ct->proto));
	if (cda[CTA_PROTOINFO]) {
		err = ctnetlink_change_protoinfo(ct, cda);
		if (err < 0)
			goto err2;
	}

#if defined(CONFIG_NF_CONNTRACK_MARK)
	if (cda[CTA_MARK])
		ct->mark = ntohl(nla_get_be32(cda[CTA_MARK]));
#endif

	/* setup master conntrack: this is a confirmed expectation */
	if (cda[CTA_TUPLE_MASTER]) {
		struct nf_conntrack_tuple master;
		struct nf_conntrack_tuple_hash *master_h;
		struct nf_conn *master_ct;

		err = ctnetlink_parse_tuple(cda, &master, CTA_TUPLE_MASTER,
					    u3, NULL);
		if (err < 0)
			goto err2;

		master_h = nf_conntrack_find_get(net, zone, &master);
		if (master_h == NULL) {
			err = -ENOENT;
			goto err2;
		}
		master_ct = nf_ct_tuplehash_to_ctrack(master_h);
		__set_bit(IPS_EXPECTED_BIT, &ct->status);
		ct->master = master_ct;
	}
	tstamp = nf_conn_tstamp_find(ct);
	if (tstamp)
		tstamp->start = ktime_get_real_ns();

	err = nf_conntrack_hash_check_insert(ct);
	if (err < 0)
		goto err2;

	rcu_read_unlock();

	return ct;

err2:
	rcu_read_unlock();
err1:
	nf_conntrack_free(ct);
	return ERR_PTR(err);
}

/* IPCTNL_MSG_CT_NEW handler: create a new entry (NLM_F_CREATE) or
 * update an existing one (unless NLM_F_EXCL), reporting the resulting
 * change via the conntrack event mask.
 */
static int ctnetlink_new_conntrack(struct net *net, struct sock *ctnl,
				   struct sk_buff *skb,
				   const struct nlmsghdr *nlh,
				   const struct nlattr * const cda[],
				   struct netlink_ext_ack *extack)
{
	struct nf_conntrack_tuple otuple, rtuple;
	struct nf_conntrack_tuple_hash *h = NULL;
	struct nfgenmsg *nfmsg = nlmsg_data(nlh);
	struct nf_conn *ct;
	u_int8_t u3 = nfmsg->nfgen_family;
	struct nf_conntrack_zone zone;
	int err;

	err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone);
	if (err < 0)
		return err;

	if (cda[CTA_TUPLE_ORIG]) {
		err = ctnetlink_parse_tuple(cda, &otuple, CTA_TUPLE_ORIG,
					    u3, &zone);
		if (err < 0)
			return err;
	}

	if (cda[CTA_TUPLE_REPLY]) {
		err = ctnetlink_parse_tuple(cda, &rtuple, CTA_TUPLE_REPLY,
					    u3, &zone);
		if (err < 0)
			return err;
	}

	if (cda[CTA_TUPLE_ORIG])
		h = nf_conntrack_find_get(net, &zone, &otuple);
	else if (cda[CTA_TUPLE_REPLY])
		h = nf_conntrack_find_get(net, &zone, &rtuple);

	if (h == NULL) {
		err = -ENOENT;
		if (nlh->nlmsg_flags & NLM_F_CREATE) {
			enum ip_conntrack_events events;

			/* Creation needs both tuples, with matching l4. */
			if (!cda[CTA_TUPLE_ORIG] || !cda[CTA_TUPLE_REPLY])
				return -EINVAL;
			if (otuple.dst.protonum != rtuple.dst.protonum)
				return -EINVAL;

			ct = ctnetlink_create_conntrack(net, &zone, cda, &otuple,
							&rtuple, u3);
			if (IS_ERR(ct))
				return PTR_ERR(ct);

			err = 0;
			if (test_bit(IPS_EXPECTED_BIT, &ct->status))
				events = 1 << IPCT_RELATED;
			else
				events = 1 << IPCT_NEW;

			if (cda[CTA_LABELS] &&
			    ctnetlink_attach_labels(ct, cda) == 0)
				events |= (1 << IPCT_LABEL);

			nf_conntrack_eventmask_report((1 << IPCT_REPLY) |
						      (1 << IPCT_ASSURED) |
						      (1 << IPCT_HELPER) |
						      (1 << IPCT_PROTOINFO) |
						      (1 << IPCT_SEQADJ) |
						      (1 << IPCT_MARK) | events,
						      ct, NETLINK_CB(skb).portid,
						      nlmsg_report(nlh));
			nf_ct_put(ct);
		}

		return err;
	}
	/* implicit 'else' */

	err = -EEXIST;
	ct = nf_ct_tuplehash_to_ctrack(h);
	if (!(nlh->nlmsg_flags & NLM_F_EXCL)) {
		err = ctnetlink_change_conntrack(ct, cda);
		if (err == 0) {
			nf_conntrack_eventmask_report((1 << IPCT_REPLY) |
						      (1 << IPCT_ASSURED) |
						      (1 << IPCT_HELPER) |
						      (1 << IPCT_LABEL) |
						      (1 << IPCT_PROTOINFO) |
						      (1 << IPCT_SEQADJ) |
						      (1 << IPCT_MARK),
						      ct, NETLINK_CB(skb).portid,
						      nlmsg_report(nlh));
		}
	}

	nf_ct_put(ct);
	return err;
}

/* Emit one IPCTNL_MSG_CT_GET_STATS_CPU message carrying the conntrack
 * counters of a single cpu (cpu number goes in nfgenmsg res_id).
 */
static int
ctnetlink_ct_stat_cpu_fill_info(struct sk_buff *skb, u32 portid, u32 seq,
				__u16 cpu, const struct ip_conntrack_stat *st)
{
	struct nlmsghdr *nlh;
	struct nfgenmsg *nfmsg;
	unsigned int flags = portid ? NLM_F_MULTI : 0, event;

	event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK,
			      IPCTNL_MSG_CT_GET_STATS_CPU);
	nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
	if (nlh == NULL)
		goto nlmsg_failure;

	nfmsg = nlmsg_data(nlh);
	nfmsg->nfgen_family = AF_UNSPEC;
	nfmsg->version	    = NFNETLINK_V0;
	nfmsg->res_id	    = htons(cpu);

	if (nla_put_be32(skb, CTA_STATS_FOUND, htonl(st->found)) ||
	    nla_put_be32(skb, CTA_STATS_INVALID, htonl(st->invalid)) ||
	    nla_put_be32(skb, CTA_STATS_IGNORE, htonl(st->ignore)) ||
	    nla_put_be32(skb, CTA_STATS_INSERT, htonl(st->insert)) ||
	    nla_put_be32(skb, CTA_STATS_INSERT_FAILED,
			 htonl(st->insert_failed)) ||
	    nla_put_be32(skb, CTA_STATS_DROP, htonl(st->drop)) ||
	    nla_put_be32(skb, CTA_STATS_EARLY_DROP, htonl(st->early_drop)) ||
	    nla_put_be32(skb, CTA_STATS_ERROR, htonl(st->error)) ||
	    nla_put_be32(skb, CTA_STATS_SEARCH_RESTART,
			 htonl(st->search_restart)))
		goto nla_put_failure;

	nlmsg_end(skb, nlh);
	return skb->len;

nla_put_failure:
nlmsg_failure:
	nlmsg_cancel(skb, nlh);
	return -1;
}

/* Dump per-cpu conntrack statistics; cb->args[0] holds the cpu to
 * resume at between dump rounds.
 */
static int
ctnetlink_ct_stat_cpu_dump(struct sk_buff *skb, struct netlink_callback *cb)
{
	int cpu;
	struct net *net = sock_net(skb->sk);

	if (cb->args[0] == nr_cpu_ids)
		return 0;

	for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) {
		const struct ip_conntrack_stat *st;

		if (!cpu_possible(cpu))
			continue;

		st = per_cpu_ptr(net->ct.stat, cpu);
		if (ctnetlink_ct_stat_cpu_fill_info(skb,
						    NETLINK_CB(cb->skb).portid,
						    cb->nlh->nlmsg_seq,
						    cpu, st) < 0)
			break;
	}
	cb->args[0] = cpu;

	return skb->len;
}

/* IPCTNL_MSG_CT_GET_STATS_CPU handler: dump-only request. */
static int ctnetlink_stat_ct_cpu(struct net *net, struct sock *ctnl,
				 struct sk_buff *skb,
				 const struct nlmsghdr *nlh,
				 const struct nlattr * const cda[],
				 struct netlink_ext_ack
				 *extack)
{
	if (nlh->nlmsg_flags & NLM_F_DUMP) {
		struct netlink_dump_control c = {
			.dump = ctnetlink_ct_stat_cpu_dump,
		};
		return netlink_dump_start(ctnl, skb, nlh, &c);
	}

	return 0;
}

/* Emit one IPCTNL_MSG_CT_GET_STATS message carrying the global entry
 * count for @net.
 */
static int
ctnetlink_stat_ct_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
			    struct net *net)
{
	struct nlmsghdr *nlh;
	struct nfgenmsg *nfmsg;
	unsigned int flags = portid ? NLM_F_MULTI : 0, event;
	unsigned int nr_conntracks = atomic_read(&net->ct.count);

	event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, IPCTNL_MSG_CT_GET_STATS);
	nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
	if (nlh == NULL)
		goto nlmsg_failure;

	nfmsg = nlmsg_data(nlh);
	nfmsg->nfgen_family = AF_UNSPEC;
	nfmsg->version	    = NFNETLINK_V0;
	nfmsg->res_id	    = 0;

	if (nla_put_be32(skb, CTA_STATS_GLOBAL_ENTRIES, htonl(nr_conntracks)))
		goto nla_put_failure;

	nlmsg_end(skb, nlh);
	return skb->len;

nla_put_failure:
nlmsg_failure:
	nlmsg_cancel(skb, nlh);
	return -1;
}

/* IPCTNL_MSG_CT_GET_STATS handler: unicast a single stats message back
 * to the requester.
 */
static int ctnetlink_stat_ct(struct net *net, struct sock *ctnl,
			     struct sk_buff *skb, const struct nlmsghdr *nlh,
			     const struct nlattr * const cda[],
			     struct netlink_ext_ack *extack)
{
	struct sk_buff *skb2;
	int err;

	skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
	if (skb2 == NULL)
		return -ENOMEM;

	err = ctnetlink_stat_ct_fill_info(skb2, NETLINK_CB(skb).portid,
					  nlh->nlmsg_seq,
					  NFNL_MSG_TYPE(nlh->nlmsg_type),
					  sock_net(skb->sk));
	if (err <= 0)
		goto free;

	err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
	if (err < 0)
		goto out;

	return 0;

free:
	kfree_skb(skb2);
out:
	/* this avoids a loop in nfnetlink. */
	return err == -EAGAIN ? -ENOBUFS : err;
}

static const struct nla_policy exp_nla_policy[CTA_EXPECT_MAX+1] = {
	[CTA_EXPECT_MASTER]	= { .type = NLA_NESTED },
	[CTA_EXPECT_TUPLE]	= { .type = NLA_NESTED },
	[CTA_EXPECT_MASK]	= { .type = NLA_NESTED },
	[CTA_EXPECT_TIMEOUT]	= { .type = NLA_U32 },
	[CTA_EXPECT_ID]		= { .type = NLA_U32 },
	[CTA_EXPECT_HELP_NAME]	= { .type = NLA_NUL_STRING,
				    .len = NF_CT_HELPER_NAME_LEN - 1 },
	[CTA_EXPECT_ZONE]	= { .type = NLA_U16 },
	[CTA_EXPECT_FLAGS]	= { .type = NLA_U32 },
	[CTA_EXPECT_CLASS]	= { .type = NLA_U32 },
	[CTA_EXPECT_NAT]	= { .type = NLA_NESTED },
	[CTA_EXPECT_FN]		= { .type = NLA_NUL_STRING },
};

/* Forward declaration; defined in the expectation section below. */
static struct nf_conntrack_expect *
ctnetlink_alloc_expect(const struct nlattr *const cda[], struct nf_conn *ct,
		       struct nf_conntrack_helper *helper,
		       struct nf_conntrack_tuple *tuple,
		       struct nf_conntrack_tuple *mask);

#ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT
/* Upper bound on the netlink payload __ctnetlink_glue_build() emits
 * for one conntrack entry (used by nfqueue/nflog to size their skbs).
 */
static size_t
ctnetlink_glue_build_size(const struct nf_conn *ct)
{
	return 3 * nla_total_size(0)		/* CTA_TUPLE_ORIG|REPL|MASTER */
	       + 3 * nla_total_size(0)		/* CTA_TUPLE_IP */
	       + 3 * nla_total_size(0)		/* CTA_TUPLE_PROTO */
	       + 3 * nla_total_size(sizeof(u_int8_t)) /* CTA_PROTO_NUM */
	       + nla_total_size(sizeof(u_int32_t)) /* CTA_ID */
	       + nla_total_size(sizeof(u_int32_t)) /* CTA_STATUS */
	       + nla_total_size(sizeof(u_int32_t)) /* CTA_TIMEOUT */
	       + nla_total_size(0) /* CTA_PROTOINFO */
	       + nla_total_size(0) /* CTA_HELP */
	       + nla_total_size(NF_CT_HELPER_NAME_LEN) /* CTA_HELP_NAME */
	       + ctnetlink_secctx_size(ct)
#ifdef CONFIG_NF_NAT_NEEDED
	       + 2 * nla_total_size(0) /* CTA_NAT_SEQ_ADJ_ORIG|REPL */
	       + 6 * nla_total_size(sizeof(u_int32_t)) /* CTA_NAT_SEQ_OFFSET */
#endif
#ifdef CONFIG_NF_CONNTRACK_MARK
	       + nla_total_size(sizeof(u_int32_t)) /* CTA_MARK */
#endif
#ifdef CONFIG_NF_CONNTRACK_ZONES
	       +
	       nla_total_size(sizeof(u_int16_t)) /* CTA_ZONE|CTA_TUPLE_ZONE */
#endif
	       + ctnetlink_proto_size(ct)
	       ;
}

/* Glue accessor: fetch the conntrack entry attached to @skb. */
static struct nf_conn *ctnetlink_glue_get_ct(const struct sk_buff *skb,
					     enum ip_conntrack_info *ctinfo)
{
	return nf_ct_get(skb, ctinfo);
}

/* Serialize one conntrack entry (tuples, zones, id, status, timeout,
 * protoinfo, helper, secctx, master, seqadj, mark, labels) into @skb
 * for the nfqueue/nflog glue.
 */
static int __ctnetlink_glue_build(struct sk_buff *skb, struct nf_conn *ct)
{
	const struct nf_conntrack_zone *zone;
	struct nlattr *nest_parms;

	zone = nf_ct_zone(ct);

	nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED);
	if (!nest_parms)
		goto nla_put_failure;
	if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
		goto nla_put_failure;
	if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
				   NF_CT_ZONE_DIR_ORIG) < 0)
		goto nla_put_failure;
	nla_nest_end(skb, nest_parms);

	nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY | NLA_F_NESTED);
	if (!nest_parms)
		goto nla_put_failure;
	if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
		goto nla_put_failure;
	if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
				   NF_CT_ZONE_DIR_REPL) < 0)
		goto nla_put_failure;
	nla_nest_end(skb, nest_parms);

	if (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone,
				   NF_CT_DEFAULT_ZONE_DIR) < 0)
		goto nla_put_failure;

	if (ctnetlink_dump_id(skb, ct) < 0)
		goto nla_put_failure;

	if (ctnetlink_dump_status(skb, ct) < 0)
		goto nla_put_failure;

	if (ctnetlink_dump_timeout(skb, ct) < 0)
		goto nla_put_failure;

	if (ctnetlink_dump_protoinfo(skb, ct) < 0)
		goto nla_put_failure;

	if (ctnetlink_dump_helpinfo(skb, ct) < 0)
		goto nla_put_failure;

#ifdef CONFIG_NF_CONNTRACK_SECMARK
	if (ct->secmark && ctnetlink_dump_secctx(skb, ct) < 0)
		goto nla_put_failure;
#endif
	if (ct->master && ctnetlink_dump_master(skb, ct) < 0)
		goto nla_put_failure;

	if ((ct->status & IPS_SEQ_ADJUST) &&
	    ctnetlink_dump_ct_seq_adj(skb, ct) < 0)
		goto nla_put_failure;

#ifdef CONFIG_NF_CONNTRACK_MARK
	if (ct->mark && ctnetlink_dump_mark(skb, ct) < 0)
		goto nla_put_failure;
#endif
	if (ctnetlink_dump_labels(skb, ct) < 0)
		goto nla_put_failure;
	return 0;

nla_put_failure:
	return -ENOSPC;
}

/* Glue entry point: wrap __ctnetlink_glue_build()'s output in the
 * caller-chosen nested attribute @ct_attr and add @ct_info_attr with
 * the ctinfo value.
 */
static int
ctnetlink_glue_build(struct sk_buff *skb, struct nf_conn *ct,
		     enum ip_conntrack_info ctinfo,
		     u_int16_t ct_attr, u_int16_t ct_info_attr)
{
	struct nlattr *nest_parms;

	nest_parms = nla_nest_start(skb, ct_attr | NLA_F_NESTED);
	if (!nest_parms)
		goto nla_put_failure;

	if (__ctnetlink_glue_build(skb, ct) < 0)
		goto nla_put_failure;

	nla_nest_end(skb, nest_parms);

	if (nla_put_be32(skb, ct_info_attr, htonl(ctinfo)))
		goto nla_put_failure;

	return 0;

nla_put_failure:
	return -ENOSPC;
}

/* Lenient CTA_STATUS update used by the glue path (see comment below
 * for how it differs from ctnetlink_change_status()).
 */
static int
ctnetlink_update_status(struct nf_conn *ct, const struct nlattr * const cda[])
{
	unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS]));
	unsigned long d = ct->status ^ status;

	if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY))
		/* SEEN_REPLY bit can only be set */
		return -EBUSY;

	if (d & IPS_ASSURED && !(status & IPS_ASSURED))
		/* ASSURED bit can only be set */
		return -EBUSY;

	/* This check is less strict than ctnetlink_change_status()
	 * because callers often flip IPS_EXPECTED bits when sending
	 * an NFQA_CT attribute to the kernel. So ignore the
	 * unchangeable bits but do not error out. Also user programs
	 * are allowed to clear the bits that they are allowed to change.
	 */
	__ctnetlink_change_status(ct, status, ~status);
	return 0;
}

/* Apply the attributes of a parsed NFQA_CT payload (timeout, status,
 * helper, labels, masked mark) to @ct.
 */
static int
ctnetlink_glue_parse_ct(const struct nlattr *cda[], struct nf_conn *ct)
{
	int err;

	if (cda[CTA_TIMEOUT]) {
		err = ctnetlink_change_timeout(ct, cda);
		if (err < 0)
			return err;
	}
	if (cda[CTA_STATUS]) {
		err = ctnetlink_update_status(ct, cda);
		if (err < 0)
			return err;
	}
	if (cda[CTA_HELP]) {
		err = ctnetlink_change_helper(ct, cda);
		if (err < 0)
			return err;
	}
	if (cda[CTA_LABELS]) {
		err = ctnetlink_attach_labels(ct, cda);
		if (err < 0)
			return err;
	}
#if defined(CONFIG_NF_CONNTRACK_MARK)
	if (cda[CTA_MARK]) {
		u32 mask = 0, mark, newmark;
		if (cda[CTA_MARK_MASK])
			mask = ~ntohl(nla_get_be32(cda[CTA_MARK_MASK]));

		mark = ntohl(nla_get_be32(cda[CTA_MARK]));
		newmark = (ct->mark & mask) ^ mark;
		if (newmark != ct->mark)
			ct->mark = newmark;
	}
#endif
	return 0;
}

/* Glue entry point: parse a nested NFQA_CT attribute and apply it. */
static int
ctnetlink_glue_parse(const struct nlattr *attr, struct nf_conn *ct)
{
	struct nlattr *cda[CTA_MAX+1];
	int ret;

	ret = nla_parse_nested(cda, CTA_MAX, attr, ct_nla_policy, NULL);
	if (ret < 0)
		return ret;

	return ctnetlink_glue_parse_ct((const struct nlattr **)cda, ct);
}

/* Parse the expect tuple and mask of an NFQA_EXP payload using the
 * master conntrack's l3 family.
 */
static int ctnetlink_glue_exp_parse(const struct nlattr * const *cda,
				    const struct nf_conn *ct,
				    struct nf_conntrack_tuple *tuple,
				    struct nf_conntrack_tuple *mask)
{
	int err;

	err = ctnetlink_parse_tuple(cda, tuple, CTA_EXPECT_TUPLE,
				    nf_ct_l3num(ct), NULL);
	if (err < 0)
		return err;

	return ctnetlink_parse_tuple(cda, mask, CTA_EXPECT_MASK,
				     nf_ct_l3num(ct), NULL);
}

/* Glue entry point: build and register an expectation from a nested
 * NFQA_EXP attribute on behalf of @ct.
 */
static int
ctnetlink_glue_attach_expect(const struct nlattr *attr, struct nf_conn *ct,
			     u32 portid, u32 report)
{
	struct nlattr *cda[CTA_EXPECT_MAX+1];
	struct nf_conntrack_tuple tuple, mask;
	struct nf_conntrack_helper *helper = NULL;
	struct nf_conntrack_expect *exp;
	int err;

	err = nla_parse_nested(cda, CTA_EXPECT_MAX, attr, exp_nla_policy,
			       NULL);
	if (err < 0)
		return err;

	err = ctnetlink_glue_exp_parse((const struct nlattr * const *)cda,
				       ct, &tuple, &mask);
	if (err < 0)
		return err;

	if (cda[CTA_EXPECT_HELP_NAME]) {
		const char *helpname = nla_data(cda[CTA_EXPECT_HELP_NAME]);

		helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
						    nf_ct_protonum(ct));
		if (helper == NULL)
			return -EOPNOTSUPP;
	}

	exp = ctnetlink_alloc_expect((const struct nlattr * const *)cda, ct,
				     helper, &tuple, &mask);
	if (IS_ERR(exp))
		return PTR_ERR(exp);

	err = nf_ct_expect_related_report(exp, portid, report);
	nf_ct_expect_put(exp);
	return err;
}

/* Glue hook: apply TCP sequence adjustment, but only for NATed
 * connections.
 */
static void ctnetlink_glue_seqadj(struct sk_buff *skb, struct nf_conn *ct,
				  enum ip_conntrack_info ctinfo, int diff)
{
	if (!(ct->status & IPS_NAT_MASK))
		return;

	nf_ct_tcp_seqadj_set(skb, ct, ctinfo, diff);
}

/* Hook table registered with nfnetlink so nfqueue/nflog can serialize
 * and mutate conntrack state.
 */
static struct nfnl_ct_hook ctnetlink_glue_hook = {
	.get_ct		= ctnetlink_glue_get_ct,
	.build_size	= ctnetlink_glue_build_size,
	.build		= ctnetlink_glue_build,
	.parse		= ctnetlink_glue_parse,
	.attach_expect	= ctnetlink_glue_attach_expect,
	.seq_adjust	= ctnetlink_glue_seqadj,
};
#endif /* CONFIG_NETFILTER_NETLINK_GLUE_CT */

/***********************************************************************
 * EXPECT
 ***********************************************************************/

/* Serialize one expectation tuple into a nested attribute of @type. */
static int ctnetlink_exp_dump_tuple(struct sk_buff *skb,
				    const struct nf_conntrack_tuple *tuple,
				    u32 type)
{
	struct nlattr *nest_parms;

	nest_parms = nla_nest_start(skb, type | NLA_F_NESTED);
if (!nest_parms) 2485 goto nla_put_failure; 2486 if (ctnetlink_dump_tuples(skb, tuple) < 0) 2487 goto nla_put_failure; 2488 nla_nest_end(skb, nest_parms); 2489 2490 return 0; 2491 2492 nla_put_failure: 2493 return -1; 2494 } 2495 2496 static int ctnetlink_exp_dump_mask(struct sk_buff *skb, 2497 const struct nf_conntrack_tuple *tuple, 2498 const struct nf_conntrack_tuple_mask *mask) 2499 { 2500 const struct nf_conntrack_l3proto *l3proto; 2501 const struct nf_conntrack_l4proto *l4proto; 2502 struct nf_conntrack_tuple m; 2503 struct nlattr *nest_parms; 2504 int ret; 2505 2506 memset(&m, 0xFF, sizeof(m)); 2507 memcpy(&m.src.u3, &mask->src.u3, sizeof(m.src.u3)); 2508 m.src.u.all = mask->src.u.all; 2509 m.dst.protonum = tuple->dst.protonum; 2510 2511 nest_parms = nla_nest_start(skb, CTA_EXPECT_MASK | NLA_F_NESTED); 2512 if (!nest_parms) 2513 goto nla_put_failure; 2514 2515 rcu_read_lock(); 2516 l3proto = __nf_ct_l3proto_find(tuple->src.l3num); 2517 ret = ctnetlink_dump_tuples_ip(skb, &m, l3proto); 2518 if (ret >= 0) { 2519 l4proto = __nf_ct_l4proto_find(tuple->src.l3num, 2520 tuple->dst.protonum); 2521 ret = ctnetlink_dump_tuples_proto(skb, &m, l4proto); 2522 } 2523 rcu_read_unlock(); 2524 2525 if (unlikely(ret < 0)) 2526 goto nla_put_failure; 2527 2528 nla_nest_end(skb, nest_parms); 2529 2530 return 0; 2531 2532 nla_put_failure: 2533 return -1; 2534 } 2535 2536 static const union nf_inet_addr any_addr; 2537 2538 static int 2539 ctnetlink_exp_dump_expect(struct sk_buff *skb, 2540 const struct nf_conntrack_expect *exp) 2541 { 2542 struct nf_conn *master = exp->master; 2543 long timeout = ((long)exp->timeout.expires - (long)jiffies) / HZ; 2544 struct nf_conn_help *help; 2545 #ifdef CONFIG_NF_NAT_NEEDED 2546 struct nlattr *nest_parms; 2547 struct nf_conntrack_tuple nat_tuple = {}; 2548 #endif 2549 struct nf_ct_helper_expectfn *expfn; 2550 2551 if (timeout < 0) 2552 timeout = 0; 2553 2554 if (ctnetlink_exp_dump_tuple(skb, &exp->tuple, CTA_EXPECT_TUPLE) < 0) 2555 goto 
nla_put_failure; 2556 if (ctnetlink_exp_dump_mask(skb, &exp->tuple, &exp->mask) < 0) 2557 goto nla_put_failure; 2558 if (ctnetlink_exp_dump_tuple(skb, 2559 &master->tuplehash[IP_CT_DIR_ORIGINAL].tuple, 2560 CTA_EXPECT_MASTER) < 0) 2561 goto nla_put_failure; 2562 2563 #ifdef CONFIG_NF_NAT_NEEDED 2564 if (!nf_inet_addr_cmp(&exp->saved_addr, &any_addr) || 2565 exp->saved_proto.all) { 2566 nest_parms = nla_nest_start(skb, CTA_EXPECT_NAT | NLA_F_NESTED); 2567 if (!nest_parms) 2568 goto nla_put_failure; 2569 2570 if (nla_put_be32(skb, CTA_EXPECT_NAT_DIR, htonl(exp->dir))) 2571 goto nla_put_failure; 2572 2573 nat_tuple.src.l3num = nf_ct_l3num(master); 2574 nat_tuple.src.u3 = exp->saved_addr; 2575 nat_tuple.dst.protonum = nf_ct_protonum(master); 2576 nat_tuple.src.u = exp->saved_proto; 2577 2578 if (ctnetlink_exp_dump_tuple(skb, &nat_tuple, 2579 CTA_EXPECT_NAT_TUPLE) < 0) 2580 goto nla_put_failure; 2581 nla_nest_end(skb, nest_parms); 2582 } 2583 #endif 2584 if (nla_put_be32(skb, CTA_EXPECT_TIMEOUT, htonl(timeout)) || 2585 nla_put_be32(skb, CTA_EXPECT_ID, htonl((unsigned long)exp)) || 2586 nla_put_be32(skb, CTA_EXPECT_FLAGS, htonl(exp->flags)) || 2587 nla_put_be32(skb, CTA_EXPECT_CLASS, htonl(exp->class))) 2588 goto nla_put_failure; 2589 help = nfct_help(master); 2590 if (help) { 2591 struct nf_conntrack_helper *helper; 2592 2593 helper = rcu_dereference(help->helper); 2594 if (helper && 2595 nla_put_string(skb, CTA_EXPECT_HELP_NAME, helper->name)) 2596 goto nla_put_failure; 2597 } 2598 expfn = nf_ct_helper_expectfn_find_by_symbol(exp->expectfn); 2599 if (expfn != NULL && 2600 nla_put_string(skb, CTA_EXPECT_FN, expfn->name)) 2601 goto nla_put_failure; 2602 2603 return 0; 2604 2605 nla_put_failure: 2606 return -1; 2607 } 2608 2609 static int 2610 ctnetlink_exp_fill_info(struct sk_buff *skb, u32 portid, u32 seq, 2611 int event, const struct nf_conntrack_expect *exp) 2612 { 2613 struct nlmsghdr *nlh; 2614 struct nfgenmsg *nfmsg; 2615 unsigned int flags = portid ? 
NLM_F_MULTI : 0; 2616 2617 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_EXP, event); 2618 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); 2619 if (nlh == NULL) 2620 goto nlmsg_failure; 2621 2622 nfmsg = nlmsg_data(nlh); 2623 nfmsg->nfgen_family = exp->tuple.src.l3num; 2624 nfmsg->version = NFNETLINK_V0; 2625 nfmsg->res_id = 0; 2626 2627 if (ctnetlink_exp_dump_expect(skb, exp) < 0) 2628 goto nla_put_failure; 2629 2630 nlmsg_end(skb, nlh); 2631 return skb->len; 2632 2633 nlmsg_failure: 2634 nla_put_failure: 2635 nlmsg_cancel(skb, nlh); 2636 return -1; 2637 } 2638 2639 #ifdef CONFIG_NF_CONNTRACK_EVENTS 2640 static int 2641 ctnetlink_expect_event(unsigned int events, struct nf_exp_event *item) 2642 { 2643 struct nf_conntrack_expect *exp = item->exp; 2644 struct net *net = nf_ct_exp_net(exp); 2645 struct nlmsghdr *nlh; 2646 struct nfgenmsg *nfmsg; 2647 struct sk_buff *skb; 2648 unsigned int type, group; 2649 int flags = 0; 2650 2651 if (events & (1 << IPEXP_DESTROY)) { 2652 type = IPCTNL_MSG_EXP_DELETE; 2653 group = NFNLGRP_CONNTRACK_EXP_DESTROY; 2654 } else if (events & (1 << IPEXP_NEW)) { 2655 type = IPCTNL_MSG_EXP_NEW; 2656 flags = NLM_F_CREATE|NLM_F_EXCL; 2657 group = NFNLGRP_CONNTRACK_EXP_NEW; 2658 } else 2659 return 0; 2660 2661 if (!item->report && !nfnetlink_has_listeners(net, group)) 2662 return 0; 2663 2664 skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC); 2665 if (skb == NULL) 2666 goto errout; 2667 2668 type = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_EXP, type); 2669 nlh = nlmsg_put(skb, item->portid, 0, type, sizeof(*nfmsg), flags); 2670 if (nlh == NULL) 2671 goto nlmsg_failure; 2672 2673 nfmsg = nlmsg_data(nlh); 2674 nfmsg->nfgen_family = exp->tuple.src.l3num; 2675 nfmsg->version = NFNETLINK_V0; 2676 nfmsg->res_id = 0; 2677 2678 if (ctnetlink_exp_dump_expect(skb, exp) < 0) 2679 goto nla_put_failure; 2680 2681 nlmsg_end(skb, nlh); 2682 nfnetlink_send(skb, net, item->portid, group, item->report, GFP_ATOMIC); 2683 return 0; 2684 2685 
nla_put_failure: 2686 nlmsg_cancel(skb, nlh); 2687 nlmsg_failure: 2688 kfree_skb(skb); 2689 errout: 2690 nfnetlink_set_err(net, 0, 0, -ENOBUFS); 2691 return 0; 2692 } 2693 #endif 2694 static int ctnetlink_exp_done(struct netlink_callback *cb) 2695 { 2696 if (cb->args[1]) 2697 nf_ct_expect_put((struct nf_conntrack_expect *)cb->args[1]); 2698 return 0; 2699 } 2700 2701 static int 2702 ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) 2703 { 2704 struct net *net = sock_net(skb->sk); 2705 struct nf_conntrack_expect *exp, *last; 2706 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 2707 u_int8_t l3proto = nfmsg->nfgen_family; 2708 2709 rcu_read_lock(); 2710 last = (struct nf_conntrack_expect *)cb->args[1]; 2711 for (; cb->args[0] < nf_ct_expect_hsize; cb->args[0]++) { 2712 restart: 2713 hlist_for_each_entry_rcu(exp, &nf_ct_expect_hash[cb->args[0]], 2714 hnode) { 2715 if (l3proto && exp->tuple.src.l3num != l3proto) 2716 continue; 2717 2718 if (!net_eq(nf_ct_net(exp->master), net)) 2719 continue; 2720 2721 if (cb->args[1]) { 2722 if (exp != last) 2723 continue; 2724 cb->args[1] = 0; 2725 } 2726 if (ctnetlink_exp_fill_info(skb, 2727 NETLINK_CB(cb->skb).portid, 2728 cb->nlh->nlmsg_seq, 2729 IPCTNL_MSG_EXP_NEW, 2730 exp) < 0) { 2731 if (!refcount_inc_not_zero(&exp->use)) 2732 continue; 2733 cb->args[1] = (unsigned long)exp; 2734 goto out; 2735 } 2736 } 2737 if (cb->args[1]) { 2738 cb->args[1] = 0; 2739 goto restart; 2740 } 2741 } 2742 out: 2743 rcu_read_unlock(); 2744 if (last) 2745 nf_ct_expect_put(last); 2746 2747 return skb->len; 2748 } 2749 2750 static int 2751 ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) 2752 { 2753 struct nf_conntrack_expect *exp, *last; 2754 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 2755 struct nf_conn *ct = cb->data; 2756 struct nf_conn_help *help = nfct_help(ct); 2757 u_int8_t l3proto = nfmsg->nfgen_family; 2758 2759 if (cb->args[0]) 2760 return 0; 2761 2762 rcu_read_lock(); 2763 last = 
(struct nf_conntrack_expect *)cb->args[1]; 2764 restart: 2765 hlist_for_each_entry_rcu(exp, &help->expectations, lnode) { 2766 if (l3proto && exp->tuple.src.l3num != l3proto) 2767 continue; 2768 if (cb->args[1]) { 2769 if (exp != last) 2770 continue; 2771 cb->args[1] = 0; 2772 } 2773 if (ctnetlink_exp_fill_info(skb, NETLINK_CB(cb->skb).portid, 2774 cb->nlh->nlmsg_seq, 2775 IPCTNL_MSG_EXP_NEW, 2776 exp) < 0) { 2777 if (!refcount_inc_not_zero(&exp->use)) 2778 continue; 2779 cb->args[1] = (unsigned long)exp; 2780 goto out; 2781 } 2782 } 2783 if (cb->args[1]) { 2784 cb->args[1] = 0; 2785 goto restart; 2786 } 2787 cb->args[0] = 1; 2788 out: 2789 rcu_read_unlock(); 2790 if (last) 2791 nf_ct_expect_put(last); 2792 2793 return skb->len; 2794 } 2795 2796 static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl, 2797 struct sk_buff *skb, 2798 const struct nlmsghdr *nlh, 2799 const struct nlattr * const cda[], 2800 struct netlink_ext_ack *extack) 2801 { 2802 int err; 2803 struct nfgenmsg *nfmsg = nlmsg_data(nlh); 2804 u_int8_t u3 = nfmsg->nfgen_family; 2805 struct nf_conntrack_tuple tuple; 2806 struct nf_conntrack_tuple_hash *h; 2807 struct nf_conn *ct; 2808 struct nf_conntrack_zone zone; 2809 struct netlink_dump_control c = { 2810 .dump = ctnetlink_exp_ct_dump_table, 2811 .done = ctnetlink_exp_done, 2812 }; 2813 2814 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER, 2815 u3, NULL); 2816 if (err < 0) 2817 return err; 2818 2819 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone); 2820 if (err < 0) 2821 return err; 2822 2823 h = nf_conntrack_find_get(net, &zone, &tuple); 2824 if (!h) 2825 return -ENOENT; 2826 2827 ct = nf_ct_tuplehash_to_ctrack(h); 2828 /* No expectation linked to this connection tracking. 
*/ 2829 if (!nfct_help(ct)) { 2830 nf_ct_put(ct); 2831 return 0; 2832 } 2833 2834 c.data = ct; 2835 2836 err = netlink_dump_start(ctnl, skb, nlh, &c); 2837 nf_ct_put(ct); 2838 2839 return err; 2840 } 2841 2842 static int ctnetlink_get_expect(struct net *net, struct sock *ctnl, 2843 struct sk_buff *skb, const struct nlmsghdr *nlh, 2844 const struct nlattr * const cda[], 2845 struct netlink_ext_ack *extack) 2846 { 2847 struct nf_conntrack_tuple tuple; 2848 struct nf_conntrack_expect *exp; 2849 struct sk_buff *skb2; 2850 struct nfgenmsg *nfmsg = nlmsg_data(nlh); 2851 u_int8_t u3 = nfmsg->nfgen_family; 2852 struct nf_conntrack_zone zone; 2853 int err; 2854 2855 if (nlh->nlmsg_flags & NLM_F_DUMP) { 2856 if (cda[CTA_EXPECT_MASTER]) 2857 return ctnetlink_dump_exp_ct(net, ctnl, skb, nlh, cda, 2858 extack); 2859 else { 2860 struct netlink_dump_control c = { 2861 .dump = ctnetlink_exp_dump_table, 2862 .done = ctnetlink_exp_done, 2863 }; 2864 return netlink_dump_start(ctnl, skb, nlh, &c); 2865 } 2866 } 2867 2868 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone); 2869 if (err < 0) 2870 return err; 2871 2872 if (cda[CTA_EXPECT_TUPLE]) 2873 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, 2874 u3, NULL); 2875 else if (cda[CTA_EXPECT_MASTER]) 2876 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER, 2877 u3, NULL); 2878 else 2879 return -EINVAL; 2880 2881 if (err < 0) 2882 return err; 2883 2884 exp = nf_ct_expect_find_get(net, &zone, &tuple); 2885 if (!exp) 2886 return -ENOENT; 2887 2888 if (cda[CTA_EXPECT_ID]) { 2889 __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]); 2890 if (ntohl(id) != (u32)(unsigned long)exp) { 2891 nf_ct_expect_put(exp); 2892 return -ENOENT; 2893 } 2894 } 2895 2896 err = -ENOMEM; 2897 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); 2898 if (skb2 == NULL) { 2899 nf_ct_expect_put(exp); 2900 goto out; 2901 } 2902 2903 rcu_read_lock(); 2904 err = ctnetlink_exp_fill_info(skb2, NETLINK_CB(skb).portid, 2905 nlh->nlmsg_seq, IPCTNL_MSG_EXP_NEW, 
exp); 2906 rcu_read_unlock(); 2907 nf_ct_expect_put(exp); 2908 if (err <= 0) 2909 goto free; 2910 2911 err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT); 2912 if (err < 0) 2913 goto out; 2914 2915 return 0; 2916 2917 free: 2918 kfree_skb(skb2); 2919 out: 2920 /* this avoids a loop in nfnetlink. */ 2921 return err == -EAGAIN ? -ENOBUFS : err; 2922 } 2923 2924 static bool expect_iter_name(struct nf_conntrack_expect *exp, void *data) 2925 { 2926 const struct nf_conn_help *m_help; 2927 const char *name = data; 2928 2929 m_help = nfct_help(exp->master); 2930 2931 return strcmp(m_help->helper->name, name) == 0; 2932 } 2933 2934 static bool expect_iter_all(struct nf_conntrack_expect *exp, void *data) 2935 { 2936 return true; 2937 } 2938 2939 static int ctnetlink_del_expect(struct net *net, struct sock *ctnl, 2940 struct sk_buff *skb, const struct nlmsghdr *nlh, 2941 const struct nlattr * const cda[], 2942 struct netlink_ext_ack *extack) 2943 { 2944 struct nf_conntrack_expect *exp; 2945 struct nf_conntrack_tuple tuple; 2946 struct nfgenmsg *nfmsg = nlmsg_data(nlh); 2947 u_int8_t u3 = nfmsg->nfgen_family; 2948 struct nf_conntrack_zone zone; 2949 int err; 2950 2951 if (cda[CTA_EXPECT_TUPLE]) { 2952 /* delete a single expect by tuple */ 2953 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone); 2954 if (err < 0) 2955 return err; 2956 2957 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, 2958 u3, NULL); 2959 if (err < 0) 2960 return err; 2961 2962 /* bump usage count to 2 */ 2963 exp = nf_ct_expect_find_get(net, &zone, &tuple); 2964 if (!exp) 2965 return -ENOENT; 2966 2967 if (cda[CTA_EXPECT_ID]) { 2968 __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]); 2969 if (ntohl(id) != (u32)(unsigned long)exp) { 2970 nf_ct_expect_put(exp); 2971 return -ENOENT; 2972 } 2973 } 2974 2975 /* after list removal, usage count == 1 */ 2976 spin_lock_bh(&nf_conntrack_expect_lock); 2977 if (del_timer(&exp->timeout)) { 2978 nf_ct_unlink_expect_report(exp, 
NETLINK_CB(skb).portid, 2979 nlmsg_report(nlh)); 2980 nf_ct_expect_put(exp); 2981 } 2982 spin_unlock_bh(&nf_conntrack_expect_lock); 2983 /* have to put what we 'get' above. 2984 * after this line usage count == 0 */ 2985 nf_ct_expect_put(exp); 2986 } else if (cda[CTA_EXPECT_HELP_NAME]) { 2987 char *name = nla_data(cda[CTA_EXPECT_HELP_NAME]); 2988 2989 nf_ct_expect_iterate_net(net, expect_iter_name, name, 2990 NETLINK_CB(skb).portid, 2991 nlmsg_report(nlh)); 2992 } else { 2993 /* This basically means we have to flush everything*/ 2994 nf_ct_expect_iterate_net(net, expect_iter_all, NULL, 2995 NETLINK_CB(skb).portid, 2996 nlmsg_report(nlh)); 2997 } 2998 2999 return 0; 3000 } 3001 static int 3002 ctnetlink_change_expect(struct nf_conntrack_expect *x, 3003 const struct nlattr * const cda[]) 3004 { 3005 if (cda[CTA_EXPECT_TIMEOUT]) { 3006 if (!del_timer(&x->timeout)) 3007 return -ETIME; 3008 3009 x->timeout.expires = jiffies + 3010 ntohl(nla_get_be32(cda[CTA_EXPECT_TIMEOUT])) * HZ; 3011 add_timer(&x->timeout); 3012 } 3013 return 0; 3014 } 3015 3016 static const struct nla_policy exp_nat_nla_policy[CTA_EXPECT_NAT_MAX+1] = { 3017 [CTA_EXPECT_NAT_DIR] = { .type = NLA_U32 }, 3018 [CTA_EXPECT_NAT_TUPLE] = { .type = NLA_NESTED }, 3019 }; 3020 3021 static int 3022 ctnetlink_parse_expect_nat(const struct nlattr *attr, 3023 struct nf_conntrack_expect *exp, 3024 u_int8_t u3) 3025 { 3026 #ifdef CONFIG_NF_NAT_NEEDED 3027 struct nlattr *tb[CTA_EXPECT_NAT_MAX+1]; 3028 struct nf_conntrack_tuple nat_tuple = {}; 3029 int err; 3030 3031 err = nla_parse_nested(tb, CTA_EXPECT_NAT_MAX, attr, 3032 exp_nat_nla_policy, NULL); 3033 if (err < 0) 3034 return err; 3035 3036 if (!tb[CTA_EXPECT_NAT_DIR] || !tb[CTA_EXPECT_NAT_TUPLE]) 3037 return -EINVAL; 3038 3039 err = ctnetlink_parse_tuple((const struct nlattr * const *)tb, 3040 &nat_tuple, CTA_EXPECT_NAT_TUPLE, 3041 u3, NULL); 3042 if (err < 0) 3043 return err; 3044 3045 exp->saved_addr = nat_tuple.src.u3; 3046 exp->saved_proto = nat_tuple.src.u; 
3047 exp->dir = ntohl(nla_get_be32(tb[CTA_EXPECT_NAT_DIR])); 3048 3049 return 0; 3050 #else 3051 return -EOPNOTSUPP; 3052 #endif 3053 } 3054 3055 static struct nf_conntrack_expect * 3056 ctnetlink_alloc_expect(const struct nlattr * const cda[], struct nf_conn *ct, 3057 struct nf_conntrack_helper *helper, 3058 struct nf_conntrack_tuple *tuple, 3059 struct nf_conntrack_tuple *mask) 3060 { 3061 u_int32_t class = 0; 3062 struct nf_conntrack_expect *exp; 3063 struct nf_conn_help *help; 3064 int err; 3065 3066 help = nfct_help(ct); 3067 if (!help) 3068 return ERR_PTR(-EOPNOTSUPP); 3069 3070 if (cda[CTA_EXPECT_CLASS] && helper) { 3071 class = ntohl(nla_get_be32(cda[CTA_EXPECT_CLASS])); 3072 if (class > helper->expect_class_max) 3073 return ERR_PTR(-EINVAL); 3074 } 3075 exp = nf_ct_expect_alloc(ct); 3076 if (!exp) 3077 return ERR_PTR(-ENOMEM); 3078 3079 if (cda[CTA_EXPECT_FLAGS]) { 3080 exp->flags = ntohl(nla_get_be32(cda[CTA_EXPECT_FLAGS])); 3081 exp->flags &= ~NF_CT_EXPECT_USERSPACE; 3082 } else { 3083 exp->flags = 0; 3084 } 3085 if (cda[CTA_EXPECT_FN]) { 3086 const char *name = nla_data(cda[CTA_EXPECT_FN]); 3087 struct nf_ct_helper_expectfn *expfn; 3088 3089 expfn = nf_ct_helper_expectfn_find_by_name(name); 3090 if (expfn == NULL) { 3091 err = -EINVAL; 3092 goto err_out; 3093 } 3094 exp->expectfn = expfn->expectfn; 3095 } else 3096 exp->expectfn = NULL; 3097 3098 exp->class = class; 3099 exp->master = ct; 3100 exp->helper = helper; 3101 exp->tuple = *tuple; 3102 exp->mask.src.u3 = mask->src.u3; 3103 exp->mask.src.u.all = mask->src.u.all; 3104 3105 if (cda[CTA_EXPECT_NAT]) { 3106 err = ctnetlink_parse_expect_nat(cda[CTA_EXPECT_NAT], 3107 exp, nf_ct_l3num(ct)); 3108 if (err < 0) 3109 goto err_out; 3110 } 3111 return exp; 3112 err_out: 3113 nf_ct_expect_put(exp); 3114 return ERR_PTR(err); 3115 } 3116 3117 static int 3118 ctnetlink_create_expect(struct net *net, 3119 const struct nf_conntrack_zone *zone, 3120 const struct nlattr * const cda[], 3121 u_int8_t u3, u32 portid, 
int report) 3122 { 3123 struct nf_conntrack_tuple tuple, mask, master_tuple; 3124 struct nf_conntrack_tuple_hash *h = NULL; 3125 struct nf_conntrack_helper *helper = NULL; 3126 struct nf_conntrack_expect *exp; 3127 struct nf_conn *ct; 3128 int err; 3129 3130 /* caller guarantees that those three CTA_EXPECT_* exist */ 3131 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, 3132 u3, NULL); 3133 if (err < 0) 3134 return err; 3135 err = ctnetlink_parse_tuple(cda, &mask, CTA_EXPECT_MASK, 3136 u3, NULL); 3137 if (err < 0) 3138 return err; 3139 err = ctnetlink_parse_tuple(cda, &master_tuple, CTA_EXPECT_MASTER, 3140 u3, NULL); 3141 if (err < 0) 3142 return err; 3143 3144 /* Look for master conntrack of this expectation */ 3145 h = nf_conntrack_find_get(net, zone, &master_tuple); 3146 if (!h) 3147 return -ENOENT; 3148 ct = nf_ct_tuplehash_to_ctrack(h); 3149 3150 rcu_read_lock(); 3151 if (cda[CTA_EXPECT_HELP_NAME]) { 3152 const char *helpname = nla_data(cda[CTA_EXPECT_HELP_NAME]); 3153 3154 helper = __nf_conntrack_helper_find(helpname, u3, 3155 nf_ct_protonum(ct)); 3156 if (helper == NULL) { 3157 rcu_read_unlock(); 3158 #ifdef CONFIG_MODULES 3159 if (request_module("nfct-helper-%s", helpname) < 0) { 3160 err = -EOPNOTSUPP; 3161 goto err_ct; 3162 } 3163 rcu_read_lock(); 3164 helper = __nf_conntrack_helper_find(helpname, u3, 3165 nf_ct_protonum(ct)); 3166 if (helper) { 3167 err = -EAGAIN; 3168 goto err_rcu; 3169 } 3170 rcu_read_unlock(); 3171 #endif 3172 err = -EOPNOTSUPP; 3173 goto err_ct; 3174 } 3175 } 3176 3177 exp = ctnetlink_alloc_expect(cda, ct, helper, &tuple, &mask); 3178 if (IS_ERR(exp)) { 3179 err = PTR_ERR(exp); 3180 goto err_rcu; 3181 } 3182 3183 err = nf_ct_expect_related_report(exp, portid, report); 3184 nf_ct_expect_put(exp); 3185 err_rcu: 3186 rcu_read_unlock(); 3187 err_ct: 3188 nf_ct_put(ct); 3189 return err; 3190 } 3191 3192 static int ctnetlink_new_expect(struct net *net, struct sock *ctnl, 3193 struct sk_buff *skb, const struct nlmsghdr *nlh, 3194 
const struct nlattr * const cda[], 3195 struct netlink_ext_ack *extack) 3196 { 3197 struct nf_conntrack_tuple tuple; 3198 struct nf_conntrack_expect *exp; 3199 struct nfgenmsg *nfmsg = nlmsg_data(nlh); 3200 u_int8_t u3 = nfmsg->nfgen_family; 3201 struct nf_conntrack_zone zone; 3202 int err; 3203 3204 if (!cda[CTA_EXPECT_TUPLE] 3205 || !cda[CTA_EXPECT_MASK] 3206 || !cda[CTA_EXPECT_MASTER]) 3207 return -EINVAL; 3208 3209 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone); 3210 if (err < 0) 3211 return err; 3212 3213 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, 3214 u3, NULL); 3215 if (err < 0) 3216 return err; 3217 3218 spin_lock_bh(&nf_conntrack_expect_lock); 3219 exp = __nf_ct_expect_find(net, &zone, &tuple); 3220 if (!exp) { 3221 spin_unlock_bh(&nf_conntrack_expect_lock); 3222 err = -ENOENT; 3223 if (nlh->nlmsg_flags & NLM_F_CREATE) { 3224 err = ctnetlink_create_expect(net, &zone, cda, u3, 3225 NETLINK_CB(skb).portid, 3226 nlmsg_report(nlh)); 3227 } 3228 return err; 3229 } 3230 3231 err = -EEXIST; 3232 if (!(nlh->nlmsg_flags & NLM_F_EXCL)) 3233 err = ctnetlink_change_expect(exp, cda); 3234 spin_unlock_bh(&nf_conntrack_expect_lock); 3235 3236 return err; 3237 } 3238 3239 static int 3240 ctnetlink_exp_stat_fill_info(struct sk_buff *skb, u32 portid, u32 seq, int cpu, 3241 const struct ip_conntrack_stat *st) 3242 { 3243 struct nlmsghdr *nlh; 3244 struct nfgenmsg *nfmsg; 3245 unsigned int flags = portid ? 
NLM_F_MULTI : 0, event; 3246 3247 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, 3248 IPCTNL_MSG_EXP_GET_STATS_CPU); 3249 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); 3250 if (nlh == NULL) 3251 goto nlmsg_failure; 3252 3253 nfmsg = nlmsg_data(nlh); 3254 nfmsg->nfgen_family = AF_UNSPEC; 3255 nfmsg->version = NFNETLINK_V0; 3256 nfmsg->res_id = htons(cpu); 3257 3258 if (nla_put_be32(skb, CTA_STATS_EXP_NEW, htonl(st->expect_new)) || 3259 nla_put_be32(skb, CTA_STATS_EXP_CREATE, htonl(st->expect_create)) || 3260 nla_put_be32(skb, CTA_STATS_EXP_DELETE, htonl(st->expect_delete))) 3261 goto nla_put_failure; 3262 3263 nlmsg_end(skb, nlh); 3264 return skb->len; 3265 3266 nla_put_failure: 3267 nlmsg_failure: 3268 nlmsg_cancel(skb, nlh); 3269 return -1; 3270 } 3271 3272 static int 3273 ctnetlink_exp_stat_cpu_dump(struct sk_buff *skb, struct netlink_callback *cb) 3274 { 3275 int cpu; 3276 struct net *net = sock_net(skb->sk); 3277 3278 if (cb->args[0] == nr_cpu_ids) 3279 return 0; 3280 3281 for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) { 3282 const struct ip_conntrack_stat *st; 3283 3284 if (!cpu_possible(cpu)) 3285 continue; 3286 3287 st = per_cpu_ptr(net->ct.stat, cpu); 3288 if (ctnetlink_exp_stat_fill_info(skb, NETLINK_CB(cb->skb).portid, 3289 cb->nlh->nlmsg_seq, 3290 cpu, st) < 0) 3291 break; 3292 } 3293 cb->args[0] = cpu; 3294 3295 return skb->len; 3296 } 3297 3298 static int ctnetlink_stat_exp_cpu(struct net *net, struct sock *ctnl, 3299 struct sk_buff *skb, 3300 const struct nlmsghdr *nlh, 3301 const struct nlattr * const cda[], 3302 struct netlink_ext_ack *extack) 3303 { 3304 if (nlh->nlmsg_flags & NLM_F_DUMP) { 3305 struct netlink_dump_control c = { 3306 .dump = ctnetlink_exp_stat_cpu_dump, 3307 }; 3308 return netlink_dump_start(ctnl, skb, nlh, &c); 3309 } 3310 3311 return 0; 3312 } 3313 3314 #ifdef CONFIG_NF_CONNTRACK_EVENTS 3315 static struct nf_ct_event_notifier ctnl_notifier = { 3316 .fcn = ctnetlink_conntrack_event, 3317 }; 3318 3319 static 
struct nf_exp_event_notifier ctnl_notifier_exp = { 3320 .fcn = ctnetlink_expect_event, 3321 }; 3322 #endif 3323 3324 static const struct nfnl_callback ctnl_cb[IPCTNL_MSG_MAX] = { 3325 [IPCTNL_MSG_CT_NEW] = { .call = ctnetlink_new_conntrack, 3326 .attr_count = CTA_MAX, 3327 .policy = ct_nla_policy }, 3328 [IPCTNL_MSG_CT_GET] = { .call = ctnetlink_get_conntrack, 3329 .attr_count = CTA_MAX, 3330 .policy = ct_nla_policy }, 3331 [IPCTNL_MSG_CT_DELETE] = { .call = ctnetlink_del_conntrack, 3332 .attr_count = CTA_MAX, 3333 .policy = ct_nla_policy }, 3334 [IPCTNL_MSG_CT_GET_CTRZERO] = { .call = ctnetlink_get_conntrack, 3335 .attr_count = CTA_MAX, 3336 .policy = ct_nla_policy }, 3337 [IPCTNL_MSG_CT_GET_STATS_CPU] = { .call = ctnetlink_stat_ct_cpu }, 3338 [IPCTNL_MSG_CT_GET_STATS] = { .call = ctnetlink_stat_ct }, 3339 [IPCTNL_MSG_CT_GET_DYING] = { .call = ctnetlink_get_ct_dying }, 3340 [IPCTNL_MSG_CT_GET_UNCONFIRMED] = { .call = ctnetlink_get_ct_unconfirmed }, 3341 }; 3342 3343 static const struct nfnl_callback ctnl_exp_cb[IPCTNL_MSG_EXP_MAX] = { 3344 [IPCTNL_MSG_EXP_GET] = { .call = ctnetlink_get_expect, 3345 .attr_count = CTA_EXPECT_MAX, 3346 .policy = exp_nla_policy }, 3347 [IPCTNL_MSG_EXP_NEW] = { .call = ctnetlink_new_expect, 3348 .attr_count = CTA_EXPECT_MAX, 3349 .policy = exp_nla_policy }, 3350 [IPCTNL_MSG_EXP_DELETE] = { .call = ctnetlink_del_expect, 3351 .attr_count = CTA_EXPECT_MAX, 3352 .policy = exp_nla_policy }, 3353 [IPCTNL_MSG_EXP_GET_STATS_CPU] = { .call = ctnetlink_stat_exp_cpu }, 3354 }; 3355 3356 static const struct nfnetlink_subsystem ctnl_subsys = { 3357 .name = "conntrack", 3358 .subsys_id = NFNL_SUBSYS_CTNETLINK, 3359 .cb_count = IPCTNL_MSG_MAX, 3360 .cb = ctnl_cb, 3361 }; 3362 3363 static const struct nfnetlink_subsystem ctnl_exp_subsys = { 3364 .name = "conntrack_expect", 3365 .subsys_id = NFNL_SUBSYS_CTNETLINK_EXP, 3366 .cb_count = IPCTNL_MSG_EXP_MAX, 3367 .cb = ctnl_exp_cb, 3368 }; 3369 3370 MODULE_ALIAS("ip_conntrack_netlink"); 3371 
MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK); 3372 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK_EXP); 3373 3374 static int __net_init ctnetlink_net_init(struct net *net) 3375 { 3376 #ifdef CONFIG_NF_CONNTRACK_EVENTS 3377 int ret; 3378 3379 ret = nf_conntrack_register_notifier(net, &ctnl_notifier); 3380 if (ret < 0) { 3381 pr_err("ctnetlink_init: cannot register notifier.\n"); 3382 goto err_out; 3383 } 3384 3385 ret = nf_ct_expect_register_notifier(net, &ctnl_notifier_exp); 3386 if (ret < 0) { 3387 pr_err("ctnetlink_init: cannot expect register notifier.\n"); 3388 goto err_unreg_notifier; 3389 } 3390 #endif 3391 return 0; 3392 3393 #ifdef CONFIG_NF_CONNTRACK_EVENTS 3394 err_unreg_notifier: 3395 nf_conntrack_unregister_notifier(net, &ctnl_notifier); 3396 err_out: 3397 return ret; 3398 #endif 3399 } 3400 3401 static void ctnetlink_net_exit(struct net *net) 3402 { 3403 #ifdef CONFIG_NF_CONNTRACK_EVENTS 3404 nf_ct_expect_unregister_notifier(net, &ctnl_notifier_exp); 3405 nf_conntrack_unregister_notifier(net, &ctnl_notifier); 3406 #endif 3407 } 3408 3409 static void __net_exit ctnetlink_net_exit_batch(struct list_head *net_exit_list) 3410 { 3411 struct net *net; 3412 3413 list_for_each_entry(net, net_exit_list, exit_list) 3414 ctnetlink_net_exit(net); 3415 } 3416 3417 static struct pernet_operations ctnetlink_net_ops = { 3418 .init = ctnetlink_net_init, 3419 .exit_batch = ctnetlink_net_exit_batch, 3420 }; 3421 3422 static int __init ctnetlink_init(void) 3423 { 3424 int ret; 3425 3426 ret = nfnetlink_subsys_register(&ctnl_subsys); 3427 if (ret < 0) { 3428 pr_err("ctnetlink_init: cannot register with nfnetlink.\n"); 3429 goto err_out; 3430 } 3431 3432 ret = nfnetlink_subsys_register(&ctnl_exp_subsys); 3433 if (ret < 0) { 3434 pr_err("ctnetlink_init: cannot register exp with nfnetlink.\n"); 3435 goto err_unreg_subsys; 3436 } 3437 3438 ret = register_pernet_subsys(&ctnetlink_net_ops); 3439 if (ret < 0) { 3440 pr_err("ctnetlink_init: cannot register pernet 
operations\n"); 3441 goto err_unreg_exp_subsys; 3442 } 3443 #ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT 3444 /* setup interaction between nf_queue and nf_conntrack_netlink. */ 3445 RCU_INIT_POINTER(nfnl_ct_hook, &ctnetlink_glue_hook); 3446 #endif 3447 return 0; 3448 3449 err_unreg_exp_subsys: 3450 nfnetlink_subsys_unregister(&ctnl_exp_subsys); 3451 err_unreg_subsys: 3452 nfnetlink_subsys_unregister(&ctnl_subsys); 3453 err_out: 3454 return ret; 3455 } 3456 3457 static void __exit ctnetlink_exit(void) 3458 { 3459 unregister_pernet_subsys(&ctnetlink_net_ops); 3460 nfnetlink_subsys_unregister(&ctnl_exp_subsys); 3461 nfnetlink_subsys_unregister(&ctnl_subsys); 3462 #ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT 3463 RCU_INIT_POINTER(nfnl_ct_hook, NULL); 3464 #endif 3465 synchronize_rcu(); 3466 } 3467 3468 module_init(ctnetlink_init); 3469 module_exit(ctnetlink_exit); 3470