1 /* Connection tracking via netlink socket. Allows for user space 2 * protocol helpers and general trouble making from userspace. 3 * 4 * (C) 2001 by Jay Schulist <jschlst@samba.org> 5 * (C) 2002-2006 by Harald Welte <laforge@gnumonks.org> 6 * (C) 2003 by Patrick Mchardy <kaber@trash.net> 7 * (C) 2005-2012 by Pablo Neira Ayuso <pablo@netfilter.org> 8 * 9 * Initial connection tracking via netlink development funded and 10 * generally made possible by Network Robots, Inc. (www.networkrobots.com) 11 * 12 * Further development of this code funded by Astaro AG (http://www.astaro.com) 13 * 14 * This software may be used and distributed according to the terms 15 * of the GNU General Public License, incorporated herein by reference. 16 */ 17 18 #include <linux/init.h> 19 #include <linux/module.h> 20 #include <linux/kernel.h> 21 #include <linux/rculist.h> 22 #include <linux/rculist_nulls.h> 23 #include <linux/types.h> 24 #include <linux/timer.h> 25 #include <linux/security.h> 26 #include <linux/skbuff.h> 27 #include <linux/errno.h> 28 #include <linux/netlink.h> 29 #include <linux/spinlock.h> 30 #include <linux/interrupt.h> 31 #include <linux/slab.h> 32 #include <linux/siphash.h> 33 34 #include <linux/netfilter.h> 35 #include <net/netlink.h> 36 #include <net/sock.h> 37 #include <net/netfilter/nf_conntrack.h> 38 #include <net/netfilter/nf_conntrack_core.h> 39 #include <net/netfilter/nf_conntrack_expect.h> 40 #include <net/netfilter/nf_conntrack_helper.h> 41 #include <net/netfilter/nf_conntrack_seqadj.h> 42 #include <net/netfilter/nf_conntrack_l4proto.h> 43 #include <net/netfilter/nf_conntrack_tuple.h> 44 #include <net/netfilter/nf_conntrack_acct.h> 45 #include <net/netfilter/nf_conntrack_zones.h> 46 #include <net/netfilter/nf_conntrack_timestamp.h> 47 #include <net/netfilter/nf_conntrack_labels.h> 48 #include <net/netfilter/nf_conntrack_synproxy.h> 49 #if IS_ENABLED(CONFIG_NF_NAT) 50 #include <net/netfilter/nf_nat.h> 51 #include <net/netfilter/nf_nat_helper.h> 52 #endif 53 54 #include <linux/netfilter/nfnetlink.h> 55 #include <linux/netfilter/nfnetlink_conntrack.h> 56 57 #include "nf_internals.h" 58 59 MODULE_LICENSE("GPL"); 60 61 static int ctnetlink_dump_tuples_proto(struct sk_buff *skb, 62 const struct nf_conntrack_tuple *tuple, 63 const struct nf_conntrack_l4proto *l4proto) 64 { 65 int ret = 0; 66 struct nlattr *nest_parms; 67 68 nest_parms = nla_nest_start(skb, CTA_TUPLE_PROTO); 69 if (!nest_parms) 70 goto nla_put_failure; 71 if (nla_put_u8(skb, CTA_PROTO_NUM, tuple->dst.protonum)) 72 goto nla_put_failure; 73 74 if (likely(l4proto->tuple_to_nlattr)) 75 ret = l4proto->tuple_to_nlattr(skb, tuple); 76 77 nla_nest_end(skb, nest_parms); 78 79 return ret; 80 81 nla_put_failure: 82 return -1; 83 } 84 85 static int ipv4_tuple_to_nlattr(struct sk_buff *skb, 86 const struct nf_conntrack_tuple *tuple) 87 { 88 if (nla_put_in_addr(skb, CTA_IP_V4_SRC, tuple->src.u3.ip) || 89 nla_put_in_addr(skb, CTA_IP_V4_DST, tuple->dst.u3.ip)) 90 return -EMSGSIZE; 91 return 0; 92 } 93 94 static int ipv6_tuple_to_nlattr(struct sk_buff *skb, 95 const struct nf_conntrack_tuple *tuple) 96 { 97 if (nla_put_in6_addr(skb, CTA_IP_V6_SRC, &tuple->src.u3.in6) || 98 nla_put_in6_addr(skb, CTA_IP_V6_DST, &tuple->dst.u3.in6)) 99 return -EMSGSIZE; 100 return 0; 101 } 102 103 static int ctnetlink_dump_tuples_ip(struct sk_buff *skb, 104 const struct nf_conntrack_tuple *tuple) 105 { 106 int ret = 0; 107 struct nlattr *nest_parms; 108 109 nest_parms = nla_nest_start(skb, CTA_TUPLE_IP); 110 if (!nest_parms) 111 goto nla_put_failure; 112 113 switch (tuple->src.l3num) { 114 case NFPROTO_IPV4: 115 ret = ipv4_tuple_to_nlattr(skb, tuple); 116 break; 117 case NFPROTO_IPV6: 118 ret = ipv6_tuple_to_nlattr(skb, tuple); 119 break; 120 } 121 122 nla_nest_end(skb, nest_parms); 123 124 return ret; 125 126 nla_put_failure: 127 return -1; 128 } 129 130 static int ctnetlink_dump_tuples(struct sk_buff *skb, 131 const struct nf_conntrack_tuple *tuple) 132 { 133 const struct nf_conntrack_l4proto *l4proto; 134 int ret; 135 136 rcu_read_lock(); 137 ret = ctnetlink_dump_tuples_ip(skb, tuple); 138 139 if (ret >= 0) { 140 l4proto = nf_ct_l4proto_find(tuple->dst.protonum); 141 ret = ctnetlink_dump_tuples_proto(skb, tuple, l4proto); 142 } 143 rcu_read_unlock(); 144 return ret; 145 } 146 147 static int ctnetlink_dump_zone_id(struct sk_buff *skb, int attrtype, 148 const struct nf_conntrack_zone *zone, int dir) 149 { 150 if (zone->id == NF_CT_DEFAULT_ZONE_ID || zone->dir != dir) 151 return 0; 152 if (nla_put_be16(skb, attrtype, htons(zone->id))) 153 goto nla_put_failure; 154 return 0; 155 156 nla_put_failure: 157 return -1; 158 } 159 160 static int ctnetlink_dump_status(struct sk_buff *skb, const struct nf_conn *ct) 161 { 162 if (nla_put_be32(skb, CTA_STATUS, htonl(ct->status))) 163 goto nla_put_failure; 164 return 0; 165 166 nla_put_failure: 167 return -1; 168 } 169 170 static int ctnetlink_dump_timeout(struct sk_buff *skb, const struct nf_conn *ct, 171 bool skip_zero) 172 { 173 long timeout = nf_ct_expires(ct) / HZ; 174 175 if (skip_zero && timeout == 0) 176 return 0; 177 178 if (nla_put_be32(skb, CTA_TIMEOUT, htonl(timeout))) 179 goto nla_put_failure; 180 return 0; 181 182 nla_put_failure: 183 return -1; 184 } 185 186 static int ctnetlink_dump_protoinfo(struct sk_buff *skb, struct nf_conn *ct, 187 bool destroy) 188 { 189 const struct nf_conntrack_l4proto *l4proto; 190 struct nlattr *nest_proto; 191 int ret; 192 193 l4proto = nf_ct_l4proto_find(nf_ct_protonum(ct)); 194 if (!l4proto->to_nlattr) 195 return 0; 196 197 nest_proto = nla_nest_start(skb, CTA_PROTOINFO); 198 if (!nest_proto) 199 goto nla_put_failure; 200 201 ret = l4proto->to_nlattr(skb, nest_proto, ct, destroy); 202 203 nla_nest_end(skb, nest_proto); 204 205 return ret; 206 207 nla_put_failure: 208 return -1; 209 } 210 211 static int ctnetlink_dump_helpinfo(struct sk_buff *skb, 212 const struct nf_conn *ct) 213 { 214 struct nlattr *nest_helper; 215 const struct nf_conn_help *help = nfct_help(ct); 216 struct nf_conntrack_helper *helper; 217 218 if (!help) 219 return 0; 220 221 helper = rcu_dereference(help->helper); 222 if (!helper) 223 goto out; 224 225 nest_helper = nla_nest_start(skb, CTA_HELP); 226 if (!nest_helper) 227 goto nla_put_failure; 228 if (nla_put_string(skb, CTA_HELP_NAME, helper->name)) 229 goto nla_put_failure; 230 231 if (helper->to_nlattr) 232 helper->to_nlattr(skb, ct); 233 234 nla_nest_end(skb, nest_helper); 235 out: 236 return 0; 237 238 nla_put_failure: 239 return -1; 240 } 241 242 static int 243 dump_counters(struct sk_buff *skb, struct nf_conn_acct *acct, 244 enum ip_conntrack_dir dir, int type) 245 { 246 enum ctattr_type attr = dir ? CTA_COUNTERS_REPLY: CTA_COUNTERS_ORIG; 247 struct nf_conn_counter *counter = acct->counter; 248 struct nlattr *nest_count; 249 u64 pkts, bytes; 250 251 if (type == IPCTNL_MSG_CT_GET_CTRZERO) { 252 pkts = atomic64_xchg(&counter[dir].packets, 0); 253 bytes = atomic64_xchg(&counter[dir].bytes, 0); 254 } else { 255 pkts = atomic64_read(&counter[dir].packets); 256 bytes = atomic64_read(&counter[dir].bytes); 257 } 258 259 nest_count = nla_nest_start(skb, attr); 260 if (!nest_count) 261 goto nla_put_failure; 262 263 if (nla_put_be64(skb, CTA_COUNTERS_PACKETS, cpu_to_be64(pkts), 264 CTA_COUNTERS_PAD) || 265 nla_put_be64(skb, CTA_COUNTERS_BYTES, cpu_to_be64(bytes), 266 CTA_COUNTERS_PAD)) 267 goto nla_put_failure; 268 269 nla_nest_end(skb, nest_count); 270 271 return 0; 272 273 nla_put_failure: 274 return -1; 275 } 276 277 static int 278 ctnetlink_dump_acct(struct sk_buff *skb, const struct nf_conn *ct, int type) 279 { 280 struct nf_conn_acct *acct = nf_conn_acct_find(ct); 281 282 if (!acct) 283 return 0; 284 285 if (dump_counters(skb, acct, IP_CT_DIR_ORIGINAL, type) < 0) 286 return -1; 287 if (dump_counters(skb, acct, IP_CT_DIR_REPLY, type) < 0) 288 return -1; 289 290 return 0; 291 } 292 293 static int 294 ctnetlink_dump_timestamp(struct sk_buff *skb, const struct nf_conn *ct) 295 { 296 struct nlattr *nest_count; 297 const struct nf_conn_tstamp *tstamp; 298 299 tstamp = nf_conn_tstamp_find(ct); 300 if (!tstamp) 301 return 0; 302 303 nest_count = nla_nest_start(skb, CTA_TIMESTAMP); 304 if (!nest_count) 305 goto nla_put_failure; 306 307 if (nla_put_be64(skb, CTA_TIMESTAMP_START, cpu_to_be64(tstamp->start), 308 CTA_TIMESTAMP_PAD) || 309 (tstamp->stop != 0 && nla_put_be64(skb, CTA_TIMESTAMP_STOP, 310 cpu_to_be64(tstamp->stop), 311 CTA_TIMESTAMP_PAD))) 312 goto nla_put_failure; 313 nla_nest_end(skb, nest_count); 314 315 return 0; 316 317 nla_put_failure: 318 return -1; 319 } 320 321 #ifdef CONFIG_NF_CONNTRACK_MARK 322 static int ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct) 323 { 324 if (nla_put_be32(skb, CTA_MARK, htonl(ct->mark))) 325 goto nla_put_failure; 326 return 0; 327 328 nla_put_failure: 329 return -1; 330 } 331 #else 332 #define ctnetlink_dump_mark(a, b) (0) 333 #endif 334 335 #ifdef CONFIG_NF_CONNTRACK_SECMARK 336 static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) 337 { 338 struct nlattr *nest_secctx; 339 int len, ret; 340 char *secctx; 341 342 ret = security_secid_to_secctx(ct->secmark, &secctx, &len); 343 if (ret) 344 return 0; 345 346 ret = -1; 347 nest_secctx = nla_nest_start(skb, CTA_SECCTX); 348 if (!nest_secctx) 349 goto nla_put_failure; 350 351 if (nla_put_string(skb, CTA_SECCTX_NAME, secctx)) 352 goto nla_put_failure; 353 nla_nest_end(skb, nest_secctx); 354 355 ret = 0; 356 nla_put_failure: 357 security_release_secctx(secctx, len); 358 return ret; 359 } 360 #else 361 #define ctnetlink_dump_secctx(a, b) (0) 362 #endif 363 364 #ifdef CONFIG_NF_CONNTRACK_LABELS 365 static inline int ctnetlink_label_size(const struct nf_conn *ct) 366 { 367 struct nf_conn_labels *labels = nf_ct_labels_find(ct); 368 369 if (!labels) 370 return 0; 371 return nla_total_size(sizeof(labels->bits)); 372 } 373 374 static int 375 ctnetlink_dump_labels(struct sk_buff *skb, const struct nf_conn *ct) 376 { 377 struct nf_conn_labels *labels = nf_ct_labels_find(ct); 378 unsigned int i; 379 380 if (!labels) 381 return 0; 382 383 i = 0; 384 do { 385 if (labels->bits[i] != 0) 386 return nla_put(skb, CTA_LABELS, sizeof(labels->bits), 387 labels->bits); 388 i++; 389 } while (i < ARRAY_SIZE(labels->bits)); 390 391 return 0; 392 } 393 #else 394 #define ctnetlink_dump_labels(a, b) (0) 395 #define ctnetlink_label_size(a) (0) 396 #endif 397 398 #define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple) 399 400 static int ctnetlink_dump_master(struct sk_buff *skb, const struct nf_conn *ct) 401 { 402 struct nlattr *nest_parms; 403 404 if (!(ct->status & IPS_EXPECTED)) 405 return 0; 406 407 nest_parms = nla_nest_start(skb, CTA_TUPLE_MASTER); 408 if (!nest_parms) 409 goto nla_put_failure; 410 if (ctnetlink_dump_tuples(skb, master_tuple(ct)) < 0) 411 goto nla_put_failure; 412 nla_nest_end(skb, nest_parms); 413 414 return 0; 415 416 nla_put_failure: 417 return -1; 418 } 419 420 static int 421 dump_ct_seq_adj(struct sk_buff *skb, const struct nf_ct_seqadj *seq, int type) 422 { 423 struct nlattr *nest_parms; 424 425 nest_parms = nla_nest_start(skb, type); 426 if (!nest_parms) 427 goto nla_put_failure; 428 429 if (nla_put_be32(skb, CTA_SEQADJ_CORRECTION_POS, 430 htonl(seq->correction_pos)) || 431 nla_put_be32(skb, CTA_SEQADJ_OFFSET_BEFORE, 432 htonl(seq->offset_before)) || 433 nla_put_be32(skb, CTA_SEQADJ_OFFSET_AFTER, 434 htonl(seq->offset_after))) 435 goto nla_put_failure; 436 437 nla_nest_end(skb, nest_parms); 438 439 return 0; 440 441 nla_put_failure: 442 return -1; 443 } 444 445 static int ctnetlink_dump_ct_seq_adj(struct sk_buff *skb, struct nf_conn *ct) 446 { 447 struct nf_conn_seqadj *seqadj = nfct_seqadj(ct); 448 struct nf_ct_seqadj *seq; 449 450 if (!(ct->status & IPS_SEQ_ADJUST) || !seqadj) 451 return 0; 452 453 spin_lock_bh(&ct->lock); 454 seq = &seqadj->seq[IP_CT_DIR_ORIGINAL]; 455 if (dump_ct_seq_adj(skb, seq, CTA_SEQ_ADJ_ORIG) == -1) 456 goto err; 457 458 seq = &seqadj->seq[IP_CT_DIR_REPLY]; 459 if (dump_ct_seq_adj(skb, seq, CTA_SEQ_ADJ_REPLY) == -1) 460 goto err; 461 462 spin_unlock_bh(&ct->lock); 463 return 0; 464 err: 465 spin_unlock_bh(&ct->lock); 466 return -1; 467 } 468 469 static int ctnetlink_dump_ct_synproxy(struct sk_buff *skb, struct nf_conn *ct) 470 { 471 struct nf_conn_synproxy *synproxy = nfct_synproxy(ct); 472 struct nlattr *nest_parms; 473 474 if (!synproxy) 475 return 0; 476 477 nest_parms = nla_nest_start(skb, CTA_SYNPROXY); 478 if (!nest_parms) 479 goto nla_put_failure; 480 481 if (nla_put_be32(skb, CTA_SYNPROXY_ISN, htonl(synproxy->isn)) || 482 nla_put_be32(skb, CTA_SYNPROXY_ITS, htonl(synproxy->its)) || 483 nla_put_be32(skb, CTA_SYNPROXY_TSOFF, htonl(synproxy->tsoff))) 484 goto nla_put_failure; 485 486 nla_nest_end(skb, nest_parms); 487 488 return 0; 489 490 nla_put_failure: 491 return -1; 492 } 493 494 static int ctnetlink_dump_id(struct sk_buff *skb, const struct nf_conn *ct) 495 { 496 __be32 id = (__force __be32)nf_ct_get_id(ct); 497 498 if (nla_put_be32(skb, CTA_ID, id)) 499 goto nla_put_failure; 500 return 0; 501 502 nla_put_failure: 503 return -1; 504 } 505 506 static int ctnetlink_dump_use(struct sk_buff *skb, const struct nf_conn *ct) 507 { 508 if (nla_put_be32(skb, CTA_USE, htonl(atomic_read(&ct->ct_general.use)))) 509 goto nla_put_failure; 510 return 0; 511 512 nla_put_failure: 513 return -1; 514 } 515 516 /* all these functions access ct->ext. Caller must either hold a reference 517 * on ct or prevent its deletion by holding either the bucket spinlock or 518 * pcpu dying list lock. 519 */ 520 static int ctnetlink_dump_extinfo(struct sk_buff *skb, 521 struct nf_conn *ct, u32 type) 522 { 523 if (ctnetlink_dump_acct(skb, ct, type) < 0 || 524 ctnetlink_dump_timestamp(skb, ct) < 0 || 525 ctnetlink_dump_helpinfo(skb, ct) < 0 || 526 ctnetlink_dump_labels(skb, ct) < 0 || 527 ctnetlink_dump_ct_seq_adj(skb, ct) < 0 || 528 ctnetlink_dump_ct_synproxy(skb, ct) < 0) 529 return -1; 530 531 return 0; 532 } 533 534 static int ctnetlink_dump_info(struct sk_buff *skb, struct nf_conn *ct) 535 { 536 if (ctnetlink_dump_status(skb, ct) < 0 || 537 ctnetlink_dump_mark(skb, ct) < 0 || 538 ctnetlink_dump_secctx(skb, ct) < 0 || 539 ctnetlink_dump_id(skb, ct) < 0 || 540 ctnetlink_dump_use(skb, ct) < 0 || 541 ctnetlink_dump_master(skb, ct) < 0) 542 return -1; 543 544 if (!test_bit(IPS_OFFLOAD_BIT, &ct->status) && 545 (ctnetlink_dump_timeout(skb, ct, false) < 0 || 546 ctnetlink_dump_protoinfo(skb, ct, false) < 0)) 547 return -1; 548 549 return 0; 550 } 551 552 static int 553 ctnetlink_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type, 554 struct nf_conn *ct, bool extinfo, unsigned int flags) 555 { 556 const struct nf_conntrack_zone *zone; 557 struct nlmsghdr *nlh; 558 struct nlattr *nest_parms; 559 unsigned int event; 560 561 if (portid) 562 flags |= NLM_F_MULTI; 563 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, IPCTNL_MSG_CT_NEW); 564 nlh = nfnl_msg_put(skb, portid, seq, event, flags, nf_ct_l3num(ct), 565 NFNETLINK_V0, 0); 566 if (!nlh) 567 goto nlmsg_failure; 568 569 zone = nf_ct_zone(ct); 570 571 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG); 572 if (!nest_parms) 573 goto nla_put_failure; 574 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0) 575 goto nla_put_failure; 576 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone, 577 NF_CT_ZONE_DIR_ORIG) < 0) 578 goto nla_put_failure; 579 nla_nest_end(skb, nest_parms); 580 581 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY); 582 if (!nest_parms) 583 goto nla_put_failure; 584 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0) 585 goto nla_put_failure; 586 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone, 587 NF_CT_ZONE_DIR_REPL) < 0) 588 goto nla_put_failure; 589 nla_nest_end(skb, nest_parms); 590 591 if (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone, 592 NF_CT_DEFAULT_ZONE_DIR) < 0) 593 goto nla_put_failure; 594 595 if (ctnetlink_dump_info(skb, ct) < 0) 596 goto nla_put_failure; 597 if (extinfo && ctnetlink_dump_extinfo(skb, ct, type) < 0) 598 goto nla_put_failure; 599 600 nlmsg_end(skb, nlh); 601 return skb->len; 602 603 nlmsg_failure: 604 nla_put_failure: 605 nlmsg_cancel(skb, nlh); 606 return -1; 607 } 608 609 static const struct nla_policy cta_ip_nla_policy[CTA_IP_MAX + 1] = { 610 [CTA_IP_V4_SRC] = { .type = NLA_U32 }, 611 [CTA_IP_V4_DST] = { .type = NLA_U32 }, 612 [CTA_IP_V6_SRC] = { .len = sizeof(__be32) * 4 }, 613 [CTA_IP_V6_DST] = { .len = sizeof(__be32) * 4 }, 614 }; 615 616 #if defined(CONFIG_NETFILTER_NETLINK_GLUE_CT) || defined(CONFIG_NF_CONNTRACK_EVENTS) 617 static size_t ctnetlink_proto_size(const struct nf_conn *ct) 618 { 619 const struct nf_conntrack_l4proto *l4proto; 620 size_t len, len4 = 0; 621 622 len = nla_policy_len(cta_ip_nla_policy, CTA_IP_MAX + 1); 623 len *= 3u; /* ORIG, REPLY, MASTER */ 624 625 l4proto = nf_ct_l4proto_find(nf_ct_protonum(ct)); 626 len += l4proto->nlattr_size; 627 if (l4proto->nlattr_tuple_size) { 628 len4 = l4proto->nlattr_tuple_size(); 629 len4 *= 3u; /* ORIG, REPLY, MASTER */ 630 } 631 632 return len + len4; 633 } 634 #endif 635 636 static inline size_t ctnetlink_acct_size(const struct nf_conn *ct) 637 { 638 if (!nf_ct_ext_exist(ct, NF_CT_EXT_ACCT)) 639 return 0; 640 return 2 * nla_total_size(0) /* CTA_COUNTERS_ORIG|REPL */ 641 + 2 * nla_total_size_64bit(sizeof(uint64_t)) /* CTA_COUNTERS_PACKETS */ 642 + 2 * nla_total_size_64bit(sizeof(uint64_t)) /* CTA_COUNTERS_BYTES */ 643 ; 644 } 645 646 static inline int ctnetlink_secctx_size(const struct nf_conn *ct) 647 { 648 #ifdef CONFIG_NF_CONNTRACK_SECMARK 649 int len, ret; 650 651 ret = security_secid_to_secctx(ct->secmark, NULL, &len); 652 if (ret) 653 return 0; 654 655 return nla_total_size(0) /* CTA_SECCTX */ 656 + nla_total_size(sizeof(char) * len); /* CTA_SECCTX_NAME */ 657 #else 658 return 0; 659 #endif 660 } 661 662 static inline size_t ctnetlink_timestamp_size(const struct nf_conn *ct) 663 { 664 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP 665 if (!nf_ct_ext_exist(ct, NF_CT_EXT_TSTAMP)) 666 return 0; 667 return nla_total_size(0) + 2 * nla_total_size_64bit(sizeof(uint64_t)); 668 #else 669 return 0; 670 #endif 671 } 672 673 #ifdef CONFIG_NF_CONNTRACK_EVENTS 674 static size_t ctnetlink_nlmsg_size(const struct nf_conn *ct) 675 { 676 return NLMSG_ALIGN(sizeof(struct nfgenmsg)) 677 + 3 * nla_total_size(0) /* CTA_TUPLE_ORIG|REPL|MASTER */ 678 + 3 * nla_total_size(0) /* CTA_TUPLE_IP */ 679 + 3 * nla_total_size(0) /* CTA_TUPLE_PROTO */ 680 + 3 * nla_total_size(sizeof(u_int8_t)) /* CTA_PROTO_NUM */ 681 + nla_total_size(sizeof(u_int32_t)) /* CTA_ID */ 682 + nla_total_size(sizeof(u_int32_t)) /* CTA_STATUS */ 683 + ctnetlink_acct_size(ct) 684 + ctnetlink_timestamp_size(ct) 685 + nla_total_size(sizeof(u_int32_t)) /* CTA_TIMEOUT */ 686 + nla_total_size(0) /* CTA_PROTOINFO */ 687 + nla_total_size(0) /* CTA_HELP */ 688 + nla_total_size(NF_CT_HELPER_NAME_LEN) /* CTA_HELP_NAME */ 689 + ctnetlink_secctx_size(ct) 690 #if IS_ENABLED(CONFIG_NF_NAT) 691 + 2 * nla_total_size(0) /* CTA_NAT_SEQ_ADJ_ORIG|REPL */ 692 + 6 * nla_total_size(sizeof(u_int32_t)) /* CTA_NAT_SEQ_OFFSET */ 693 #endif 694 #ifdef CONFIG_NF_CONNTRACK_MARK 695 + nla_total_size(sizeof(u_int32_t)) /* CTA_MARK */ 696 #endif 697 #ifdef CONFIG_NF_CONNTRACK_ZONES 698 + nla_total_size(sizeof(u_int16_t)) /* CTA_ZONE|CTA_TUPLE_ZONE */ 699 #endif 700 + ctnetlink_proto_size(ct) 701 + ctnetlink_label_size(ct) 702 ; 703 } 704 705 static int 706 ctnetlink_conntrack_event(unsigned int events, struct nf_ct_event *item) 707 { 708 const struct nf_conntrack_zone *zone; 709 struct net *net; 710 struct nlmsghdr *nlh; 711 struct nlattr *nest_parms; 712 struct nf_conn *ct = item->ct; 713 struct sk_buff *skb; 714 unsigned int type; 715 unsigned int flags = 0, group; 716 int err; 717 718 if (events & (1 << IPCT_DESTROY)) { 719 type = IPCTNL_MSG_CT_DELETE; 720 group = NFNLGRP_CONNTRACK_DESTROY; 721 } else if (events & ((1 << IPCT_NEW) | (1 << IPCT_RELATED))) { 722 type = IPCTNL_MSG_CT_NEW; 723 flags = NLM_F_CREATE|NLM_F_EXCL; 724 group = NFNLGRP_CONNTRACK_NEW; 725 } else if (events) { 726 type = IPCTNL_MSG_CT_NEW; 727 group = NFNLGRP_CONNTRACK_UPDATE; 728 } else 729 return 0; 730 731 net = nf_ct_net(ct); 732 if (!item->report && !nfnetlink_has_listeners(net, group)) 733 return 0; 734 735 skb = nlmsg_new(ctnetlink_nlmsg_size(ct), GFP_ATOMIC); 736 if (skb == NULL) 737 goto errout; 738 739 type = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, type); 740 nlh = nfnl_msg_put(skb, item->portid, 0, type, flags, nf_ct_l3num(ct), 741 NFNETLINK_V0, 0); 742 if (!nlh) 743 goto nlmsg_failure; 744 745 zone = nf_ct_zone(ct); 746 747 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG); 748 if (!nest_parms) 749 goto nla_put_failure; 750 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0) 751 goto nla_put_failure; 752 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone, 753 NF_CT_ZONE_DIR_ORIG) < 0) 754 goto nla_put_failure; 755 nla_nest_end(skb, nest_parms); 756 757 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY); 758 if (!nest_parms) 759 goto nla_put_failure; 760 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0) 761 goto nla_put_failure; 762 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone, 763 NF_CT_ZONE_DIR_REPL) < 0) 764 goto nla_put_failure; 765 nla_nest_end(skb, nest_parms); 766 767 if (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone, 768 NF_CT_DEFAULT_ZONE_DIR) < 0) 769 goto nla_put_failure; 770 771 if (ctnetlink_dump_id(skb, ct) < 0) 772 goto nla_put_failure; 773 774 if (ctnetlink_dump_status(skb, ct) < 0) 775 goto nla_put_failure; 776 777 if (events & (1 << IPCT_DESTROY)) { 778 if (ctnetlink_dump_timeout(skb, ct, true) < 0) 779 goto nla_put_failure; 780 781 if (ctnetlink_dump_acct(skb, ct, type) < 0 || 782 ctnetlink_dump_timestamp(skb, ct) < 0 || 783 ctnetlink_dump_protoinfo(skb, ct, true) < 0) 784 goto nla_put_failure; 785 } else { 786 if (ctnetlink_dump_timeout(skb, ct, false) < 0) 787 goto nla_put_failure; 788 789 if (events & (1 << IPCT_PROTOINFO) && 790 ctnetlink_dump_protoinfo(skb, ct, false) < 0) 791 goto nla_put_failure; 792 793 if ((events & (1 << IPCT_HELPER) || nfct_help(ct)) 794 && ctnetlink_dump_helpinfo(skb, ct) < 0) 795 goto nla_put_failure; 796 797 #ifdef CONFIG_NF_CONNTRACK_SECMARK 798 if ((events & (1 << IPCT_SECMARK) || ct->secmark) 799 && ctnetlink_dump_secctx(skb, ct) < 0) 800 goto nla_put_failure; 801 #endif 802 if (events & (1 << IPCT_LABEL) && 803 ctnetlink_dump_labels(skb, ct) < 0) 804 goto nla_put_failure; 805 806 if (events & (1 << IPCT_RELATED) && 807 ctnetlink_dump_master(skb, ct) < 0) 808 goto nla_put_failure; 809 810 if (events & (1 << IPCT_SEQADJ) && 811 ctnetlink_dump_ct_seq_adj(skb, ct) < 0) 812 goto nla_put_failure; 813 814 if (events & (1 << IPCT_SYNPROXY) && 815 ctnetlink_dump_ct_synproxy(skb, ct) < 0) 816 goto nla_put_failure; 817 } 818 819 #ifdef CONFIG_NF_CONNTRACK_MARK 820 if ((events & (1 << IPCT_MARK) || ct->mark) 821 && ctnetlink_dump_mark(skb, ct) < 0) 822 goto nla_put_failure; 823 #endif 824 nlmsg_end(skb, nlh); 825 err = nfnetlink_send(skb, net, item->portid, group, item->report, 826 GFP_ATOMIC); 827 if (err == -ENOBUFS || err == -EAGAIN) 828 return -ENOBUFS; 829 830 return 0; 831 832 nla_put_failure: 833 nlmsg_cancel(skb, nlh); 834 nlmsg_failure: 835 kfree_skb(skb); 836 errout: 837 if (nfnetlink_set_err(net, 0, group, -ENOBUFS) > 0) 838 return -ENOBUFS; 839 840 return 0; 841 } 842 #endif /* CONFIG_NF_CONNTRACK_EVENTS */ 843 844 static int ctnetlink_done(struct netlink_callback *cb) 845 { 846 if (cb->args[1]) 847 nf_ct_put((struct nf_conn *)cb->args[1]); 848 kfree(cb->data); 849 return 0; 850 } 851 852 struct ctnetlink_filter { 853 u8 family; 854 855 u_int32_t orig_flags; 856 u_int32_t reply_flags; 857 858 struct nf_conntrack_tuple orig; 859 struct nf_conntrack_tuple reply; 860 struct nf_conntrack_zone zone; 861 862 struct { 863 u_int32_t val; 864 u_int32_t mask; 865 } mark; 866 }; 867 868 static const struct nla_policy cta_filter_nla_policy[CTA_FILTER_MAX + 1] = { 869 [CTA_FILTER_ORIG_FLAGS] = { .type = NLA_U32 }, 870 [CTA_FILTER_REPLY_FLAGS] = { .type = NLA_U32 }, 871 }; 872 873 static int ctnetlink_parse_filter(const struct nlattr *attr, 874 struct ctnetlink_filter *filter) 875 { 876 struct nlattr *tb[CTA_FILTER_MAX + 1]; 877 int ret = 0; 878 879 ret = nla_parse_nested(tb, CTA_FILTER_MAX, attr, cta_filter_nla_policy, 880 NULL); 881 if (ret) 882 return ret; 883 884 if (tb[CTA_FILTER_ORIG_FLAGS]) { 885 filter->orig_flags = nla_get_u32(tb[CTA_FILTER_ORIG_FLAGS]); 886 if (filter->orig_flags & ~CTA_FILTER_F_ALL) 887 return -EOPNOTSUPP; 888 } 889 890 if (tb[CTA_FILTER_REPLY_FLAGS]) { 891 filter->reply_flags = nla_get_u32(tb[CTA_FILTER_REPLY_FLAGS]); 892 if (filter->reply_flags & ~CTA_FILTER_F_ALL) 893 return -EOPNOTSUPP; 894 } 895 896 return 0; 897 } 898 899 static int ctnetlink_parse_zone(const struct nlattr *attr, 900 struct nf_conntrack_zone *zone); 901 static int ctnetlink_parse_tuple_filter(const struct nlattr * const cda[], 902 struct nf_conntrack_tuple *tuple, 903 u32 type, u_int8_t l3num, 904 struct nf_conntrack_zone *zone, 905 u_int32_t flags); 906 907 static struct ctnetlink_filter * 908 ctnetlink_alloc_filter(const struct nlattr * const cda[], u8 family) 909 { 910 struct ctnetlink_filter *filter; 911 int err; 912 913 #ifndef CONFIG_NF_CONNTRACK_MARK 914 if (cda[CTA_MARK] || cda[CTA_MARK_MASK]) 915 return ERR_PTR(-EOPNOTSUPP); 916 #endif 917 918 filter = kzalloc(sizeof(*filter), GFP_KERNEL); 919 if (filter == NULL) 920 return ERR_PTR(-ENOMEM); 921 922 filter->family = family; 923 924 #ifdef CONFIG_NF_CONNTRACK_MARK 925 if (cda[CTA_MARK]) { 926 filter->mark.val = ntohl(nla_get_be32(cda[CTA_MARK])); 927 if (cda[CTA_MARK_MASK]) 928 filter->mark.mask = ntohl(nla_get_be32(cda[CTA_MARK_MASK])); 929 else 930 filter->mark.mask = 0xffffffff; 931 } else if (cda[CTA_MARK_MASK]) { 932 err = -EINVAL; 933 goto err_filter; 934 } 935 #endif 936 if (!cda[CTA_FILTER]) 937 return filter; 938 939 err = ctnetlink_parse_zone(cda[CTA_ZONE], &filter->zone); 940 if (err < 0) 941 goto err_filter; 942 943 err = ctnetlink_parse_filter(cda[CTA_FILTER], filter); 944 if (err < 0) 945 goto err_filter; 946 947 if (filter->orig_flags) { 948 if (!cda[CTA_TUPLE_ORIG]) { 949 err = -EINVAL; 950 goto err_filter; 951 } 952 953 err = ctnetlink_parse_tuple_filter(cda, &filter->orig, 954 CTA_TUPLE_ORIG, 955 filter->family, 956 &filter->zone, 957 filter->orig_flags); 958 if (err < 0) 959 goto err_filter; 960 } 961 962 if (filter->reply_flags) { 963 if (!cda[CTA_TUPLE_REPLY]) { 964 err = -EINVAL; 965 goto err_filter; 966 } 967 968 err = ctnetlink_parse_tuple_filter(cda, &filter->reply, 969 CTA_TUPLE_REPLY, 970 filter->family, 971 &filter->zone, 972 filter->orig_flags); 973 if (err < 0) { 974 err = -EINVAL; 975 goto err_filter; 976 } 977 } 978 979 return filter; 980 981 err_filter: 982 kfree(filter); 983 984 return ERR_PTR(err); 985 } 986 987 static bool ctnetlink_needs_filter(u8 family, const struct nlattr * const *cda) 988 { 989 return family || cda[CTA_MARK] || cda[CTA_FILTER]; 990 } 991 992 static int ctnetlink_start(struct netlink_callback *cb) 993 { 994 const struct nlattr * const *cda = cb->data; 995 struct ctnetlink_filter *filter = NULL; 996 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 997 u8 family = nfmsg->nfgen_family; 998 999 if (ctnetlink_needs_filter(family, cda)) { 1000 filter = ctnetlink_alloc_filter(cda, family); 1001 if (IS_ERR(filter)) 1002 return PTR_ERR(filter); 1003 } 1004 1005 cb->data = filter; 1006 return 0; 1007 } 1008 1009 static int ctnetlink_filter_match_tuple(struct nf_conntrack_tuple *filter_tuple, 1010 struct nf_conntrack_tuple *ct_tuple, 1011 u_int32_t flags, int family) 1012 { 1013 switch (family) { 1014 case NFPROTO_IPV4: 1015 if ((flags & CTA_FILTER_FLAG(CTA_IP_SRC)) && 1016 filter_tuple->src.u3.ip != ct_tuple->src.u3.ip) 1017 return 0; 1018 1019 if ((flags & CTA_FILTER_FLAG(CTA_IP_DST)) && 1020 filter_tuple->dst.u3.ip != ct_tuple->dst.u3.ip) 1021 return 0; 1022 break; 1023 case NFPROTO_IPV6: 1024 if ((flags & CTA_FILTER_FLAG(CTA_IP_SRC)) && 1025 !ipv6_addr_cmp(&filter_tuple->src.u3.in6, 1026 &ct_tuple->src.u3.in6)) 1027 return 0; 1028 1029 if ((flags & CTA_FILTER_FLAG(CTA_IP_DST)) && 1030 !ipv6_addr_cmp(&filter_tuple->dst.u3.in6, 1031 &ct_tuple->dst.u3.in6)) 1032 return 0; 1033 break; 1034 } 1035 1036 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_NUM)) && 1037 filter_tuple->dst.protonum != ct_tuple->dst.protonum) 1038 return 0; 1039 1040 switch (ct_tuple->dst.protonum) { 1041 case IPPROTO_TCP: 1042 case IPPROTO_UDP: 1043 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_SRC_PORT)) && 1044 filter_tuple->src.u.tcp.port != ct_tuple->src.u.tcp.port) 1045 return 0; 1046 1047 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_DST_PORT)) && 1048 filter_tuple->dst.u.tcp.port != ct_tuple->dst.u.tcp.port) 1049 return 0; 1050 break; 1051 case IPPROTO_ICMP: 1052 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMP_TYPE)) && 1053 filter_tuple->dst.u.icmp.type != ct_tuple->dst.u.icmp.type) 1054 return 0; 1055 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMP_CODE)) && 1056 filter_tuple->dst.u.icmp.code != ct_tuple->dst.u.icmp.code) 1057 return 0; 1058 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMP_ID)) && 1059 filter_tuple->src.u.icmp.id != ct_tuple->src.u.icmp.id) 1060 return 0; 1061 break; 1062 case IPPROTO_ICMPV6: 1063 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMPV6_TYPE)) && 1064 filter_tuple->dst.u.icmp.type != ct_tuple->dst.u.icmp.type) 1065 return 0; 1066 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMPV6_CODE)) && 1067 filter_tuple->dst.u.icmp.code != ct_tuple->dst.u.icmp.code) 1068 return 0; 1069 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMPV6_ID)) && 1070 filter_tuple->src.u.icmp.id != ct_tuple->src.u.icmp.id) 1071 return 0; 1072 break; 1073 } 1074 1075 return 1; 1076 } 1077 1078 static int ctnetlink_filter_match(struct nf_conn *ct, void *data) 1079 { 1080 struct ctnetlink_filter *filter = data; 1081 struct nf_conntrack_tuple *tuple; 1082 1083 if (filter == NULL) 1084 goto out; 1085 1086 /* Match entries of a given L3 protocol number. 1087 * If it is not specified, ie. l3proto == 0, 1088 * then match everything. 1089 */ 1090 if (filter->family && nf_ct_l3num(ct) != filter->family) 1091 goto ignore_entry; 1092 1093 if (filter->orig_flags) { 1094 tuple = nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL); 1095 if (!ctnetlink_filter_match_tuple(&filter->orig, tuple, 1096 filter->orig_flags, 1097 filter->family)) 1098 goto ignore_entry; 1099 } 1100 1101 if (filter->reply_flags) { 1102 tuple = nf_ct_tuple(ct, IP_CT_DIR_REPLY); 1103 if (!ctnetlink_filter_match_tuple(&filter->reply, tuple, 1104 filter->reply_flags, 1105 filter->family)) 1106 goto ignore_entry; 1107 } 1108 1109 #ifdef CONFIG_NF_CONNTRACK_MARK 1110 if ((ct->mark & filter->mark.mask) != filter->mark.val) 1111 goto ignore_entry; 1112 #endif 1113 1114 out: 1115 return 1; 1116 1117 ignore_entry: 1118 return 0; 1119 } 1120 1121 static int 1122 ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb) 1123 { 1124 unsigned int flags = cb->data ? NLM_F_DUMP_FILTERED : 0; 1125 struct net *net = sock_net(skb->sk); 1126 struct nf_conn *ct, *last; 1127 struct nf_conntrack_tuple_hash *h; 1128 struct hlist_nulls_node *n; 1129 struct nf_conn *nf_ct_evict[8]; 1130 int res, i; 1131 spinlock_t *lockp; 1132 1133 last = (struct nf_conn *)cb->args[1]; 1134 i = 0; 1135 1136 local_bh_disable(); 1137 for (; cb->args[0] < nf_conntrack_htable_size; cb->args[0]++) { 1138 restart: 1139 while (i) { 1140 i--; 1141 if (nf_ct_should_gc(nf_ct_evict[i])) 1142 nf_ct_kill(nf_ct_evict[i]); 1143 nf_ct_put(nf_ct_evict[i]); 1144 } 1145 1146 lockp = &nf_conntrack_locks[cb->args[0] % CONNTRACK_LOCKS]; 1147 nf_conntrack_lock(lockp); 1148 if (cb->args[0] >= nf_conntrack_htable_size) { 1149 spin_unlock(lockp); 1150 goto out; 1151 } 1152 hlist_nulls_for_each_entry(h, n, &nf_conntrack_hash[cb->args[0]], 1153 hnnode) { 1154 if (NF_CT_DIRECTION(h) != IP_CT_DIR_ORIGINAL) 1155 continue; 1156 ct = nf_ct_tuplehash_to_ctrack(h); 1157 if (nf_ct_is_expired(ct)) { 1158 if (i < ARRAY_SIZE(nf_ct_evict) && 1159 atomic_inc_not_zero(&ct->ct_general.use)) 1160 nf_ct_evict[i++] = ct; 1161 continue; 1162 } 1163 1164 if (!net_eq(net, nf_ct_net(ct))) 1165 continue; 1166 1167 if (cb->args[1]) { 1168 if (ct != last) 1169 continue; 1170 cb->args[1] = 0; 1171 } 1172 if (!ctnetlink_filter_match(ct, cb->data)) 1173 continue; 1174 1175 res = 1176 ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).portid, 1177 cb->nlh->nlmsg_seq, 1178 NFNL_MSG_TYPE(cb->nlh->nlmsg_type), 1179 ct, true, flags); 1180 if (res < 0) { 1181 nf_conntrack_get(&ct->ct_general); 1182 cb->args[1] = (unsigned long)ct; 1183 spin_unlock(lockp); 1184 goto out; 1185 } 1186 } 1187 spin_unlock(lockp); 1188 if (cb->args[1]) { 1189 cb->args[1] = 0; 1190 goto restart; 1191 } 1192 } 1193 out: 1194 local_bh_enable(); 1195 if (last) { 1196 /* nf ct hash resize happened, now clear the leftover. */ 1197 if ((struct nf_conn *)cb->args[1] == last) 1198 cb->args[1] = 0; 1199 1200 nf_ct_put(last); 1201 } 1202 1203 while (i) { 1204 i--; 1205 if (nf_ct_should_gc(nf_ct_evict[i])) 1206 nf_ct_kill(nf_ct_evict[i]); 1207 nf_ct_put(nf_ct_evict[i]); 1208 } 1209 1210 return skb->len; 1211 } 1212 1213 static int ipv4_nlattr_to_tuple(struct nlattr *tb[], 1214 struct nf_conntrack_tuple *t, 1215 u_int32_t flags) 1216 { 1217 if (flags & CTA_FILTER_FLAG(CTA_IP_SRC)) { 1218 if (!tb[CTA_IP_V4_SRC]) 1219 return -EINVAL; 1220 1221 t->src.u3.ip = nla_get_in_addr(tb[CTA_IP_V4_SRC]); 1222 } 1223 1224 if (flags & CTA_FILTER_FLAG(CTA_IP_DST)) { 1225 if (!tb[CTA_IP_V4_DST]) 1226 return -EINVAL; 1227 1228 t->dst.u3.ip = nla_get_in_addr(tb[CTA_IP_V4_DST]); 1229 } 1230 1231 return 0; 1232 } 1233 1234 static int ipv6_nlattr_to_tuple(struct nlattr *tb[], 1235 struct nf_conntrack_tuple *t, 1236 u_int32_t flags) 1237 { 1238 if (flags & CTA_FILTER_FLAG(CTA_IP_SRC)) { 1239 if (!tb[CTA_IP_V6_SRC]) 1240 return -EINVAL; 1241 1242 t->src.u3.in6 = nla_get_in6_addr(tb[CTA_IP_V6_SRC]); 1243 } 1244 1245 if (flags & CTA_FILTER_FLAG(CTA_IP_DST)) { 1246 if (!tb[CTA_IP_V6_DST]) 1247 return -EINVAL; 1248 1249 t->dst.u3.in6 = nla_get_in6_addr(tb[CTA_IP_V6_DST]); 1250 } 1251 1252 return 0; 1253 } 1254 1255 static int ctnetlink_parse_tuple_ip(struct nlattr *attr, 1256 struct nf_conntrack_tuple *tuple, 1257 u_int32_t flags) 1258 { 1259 struct nlattr *tb[CTA_IP_MAX+1]; 1260 int ret = 0; 1261 1262 ret = nla_parse_nested_deprecated(tb, CTA_IP_MAX, attr, NULL, NULL); 1263 if (ret < 0) 1264 return ret; 1265 1266 ret = nla_validate_nested_deprecated(attr, CTA_IP_MAX, 1267 cta_ip_nla_policy, NULL); 1268 if (ret) 1269 return ret; 1270 1271 switch (tuple->src.l3num) { 1272 case NFPROTO_IPV4: 1273 ret = ipv4_nlattr_to_tuple(tb, tuple, flags); 1274 break; 1275 case NFPROTO_IPV6: 1276 ret = ipv6_nlattr_to_tuple(tb, tuple, flags); 1277 break; 1278 } 1279 1280 return ret; 1281 } 1282 1283 static const struct nla_policy proto_nla_policy[CTA_PROTO_MAX+1] = { 1284 [CTA_PROTO_NUM] = { .type = NLA_U8 }, 1285 }; 1286 1287 static int ctnetlink_parse_tuple_proto(struct nlattr *attr, 1288 struct nf_conntrack_tuple *tuple, 1289 u_int32_t flags) 1290 { 1291 const struct nf_conntrack_l4proto *l4proto; 1292 struct nlattr *tb[CTA_PROTO_MAX+1]; 1293 int ret = 0; 1294 1295 ret = nla_parse_nested_deprecated(tb, CTA_PROTO_MAX, attr, 1296 proto_nla_policy, NULL); 1297 if (ret < 0) 1298 return ret; 1299 1300 if (!(flags & CTA_FILTER_FLAG(CTA_PROTO_NUM))) 1301 return 0; 1302 1303 if (!tb[CTA_PROTO_NUM]) 1304 return -EINVAL; 1305 1306 tuple->dst.protonum = nla_get_u8(tb[CTA_PROTO_NUM]); 1307 1308 rcu_read_lock(); 1309 l4proto = nf_ct_l4proto_find(tuple->dst.protonum); 1310 1311 if (likely(l4proto->nlattr_to_tuple)) { 1312 ret = nla_validate_nested_deprecated(attr, CTA_PROTO_MAX, 1313 l4proto->nla_policy, 1314 NULL); 1315 if (ret == 0) 1316 ret = l4proto->nlattr_to_tuple(tb, tuple, flags); 1317 } 1318 1319 rcu_read_unlock(); 1320 1321 return ret; 1322 } 1323 1324 static int 1325 ctnetlink_parse_zone(const struct nlattr *attr, 1326 struct nf_conntrack_zone *zone) 1327 { 1328 nf_ct_zone_init(zone, NF_CT_DEFAULT_ZONE_ID, 1329 NF_CT_DEFAULT_ZONE_DIR, 0); 1330 #ifdef CONFIG_NF_CONNTRACK_ZONES 1331 if (attr) 1332 zone->id = ntohs(nla_get_be16(attr)); 1333 #else 1334 if (attr) 1335 return -EOPNOTSUPP; 1336 #endif 1337 return 0; 1338 } 1339 1340 static int 1341 ctnetlink_parse_tuple_zone(struct nlattr *attr, enum ctattr_type type, 1342 struct nf_conntrack_zone *zone) 1343 { 1344 int ret; 1345 1346 if (zone->id != NF_CT_DEFAULT_ZONE_ID) 1347 return -EINVAL; 1348 1349 ret = ctnetlink_parse_zone(attr, zone); 1350 if (ret < 0) 1351 return ret; 1352 1353 if (type == CTA_TUPLE_REPLY) 1354 zone->dir = NF_CT_ZONE_DIR_REPL; 1355 else 1356 zone->dir = NF_CT_ZONE_DIR_ORIG; 1357 1358 return 0; 1359 } 1360 1361 static const struct nla_policy tuple_nla_policy[CTA_TUPLE_MAX+1] = { 1362 [CTA_TUPLE_IP] = { .type = NLA_NESTED }, 1363 [CTA_TUPLE_PROTO] = { .type = NLA_NESTED }, 1364 [CTA_TUPLE_ZONE] = { .type = NLA_U16 }, 1365 }; 1366 1367 #define CTA_FILTER_F_ALL_CTA_PROTO \ 1368 (CTA_FILTER_F_CTA_PROTO_SRC_PORT | \ 1369 CTA_FILTER_F_CTA_PROTO_DST_PORT | \ 1370 CTA_FILTER_F_CTA_PROTO_ICMP_TYPE | \ 1371 CTA_FILTER_F_CTA_PROTO_ICMP_CODE | \ 1372 CTA_FILTER_F_CTA_PROTO_ICMP_ID | \ 1373 CTA_FILTER_F_CTA_PROTO_ICMPV6_TYPE | \ 1374 CTA_FILTER_F_CTA_PROTO_ICMPV6_CODE | \ 1375 CTA_FILTER_F_CTA_PROTO_ICMPV6_ID) 1376 1377 static int 1378 ctnetlink_parse_tuple_filter(const struct nlattr * const cda[], 1379 struct nf_conntrack_tuple *tuple, u32 type, 1380 u_int8_t l3num, struct nf_conntrack_zone *zone, 1381 u_int32_t flags) 1382 { 1383 struct nlattr *tb[CTA_TUPLE_MAX+1]; 1384 int err; 1385 1386 memset(tuple, 0, sizeof(*tuple)); 1387 1388 err = nla_parse_nested_deprecated(tb, CTA_TUPLE_MAX, cda[type], 1389 tuple_nla_policy, NULL); 1390 if (err < 0) 1391 return err; 1392 1393 if (l3num != NFPROTO_IPV4 && l3num != NFPROTO_IPV6) 1394 return -EOPNOTSUPP; 1395 tuple->src.l3num = l3num; 1396 1397 if (flags & CTA_FILTER_FLAG(CTA_IP_DST) || 1398 flags & CTA_FILTER_FLAG(CTA_IP_SRC)) { 1399 if (!tb[CTA_TUPLE_IP]) 1400 return -EINVAL; 1401 1402 err = ctnetlink_parse_tuple_ip(tb[CTA_TUPLE_IP], tuple, flags); 1403 if (err < 0) 1404 return err; 1405 } 1406 1407 if (flags & CTA_FILTER_FLAG(CTA_PROTO_NUM)) { 1408 if (!tb[CTA_TUPLE_PROTO]) 1409 return -EINVAL; 1410 1411 err = ctnetlink_parse_tuple_proto(tb[CTA_TUPLE_PROTO], tuple, flags); 1412 if (err < 0) 1413 return err; 1414 } else if (flags & CTA_FILTER_FLAG(ALL_CTA_PROTO)) { 1415 /* Can't manage proto flags without a protonum */ 1416 return -EINVAL; 1417 } 1418 1419 if ((flags & CTA_FILTER_FLAG(CTA_TUPLE_ZONE)) && tb[CTA_TUPLE_ZONE]) { 1420 if (!zone) 1421 return -EINVAL; 1422 1423 err = ctnetlink_parse_tuple_zone(tb[CTA_TUPLE_ZONE], 1424 type, zone); 1425 if (err < 0) 1426 return err; 1427 } 1428 1429 /* orig and expect tuples get DIR_ORIGINAL */ 1430 if (type == CTA_TUPLE_REPLY) 1431 tuple->dst.dir = IP_CT_DIR_REPLY; 1432 else 1433 tuple->dst.dir = IP_CT_DIR_ORIGINAL; 1434 1435 return 0; 1436 } 1437 1438 static int 1439 ctnetlink_parse_tuple(const struct nlattr * const cda[], 1440 struct nf_conntrack_tuple *tuple, u32 type, 1441 u_int8_t l3num, struct nf_conntrack_zone *zone) 1442 { 1443 return ctnetlink_parse_tuple_filter(cda, tuple, type, l3num, zone, 1444 CTA_FILTER_FLAG(ALL)); 1445 } 1446 1447 static const struct nla_policy help_nla_policy[CTA_HELP_MAX+1] = { 1448 [CTA_HELP_NAME] = { .type = NLA_NUL_STRING, 1449 .len = NF_CT_HELPER_NAME_LEN - 1 }, 1450 }; 1451 1452 static int ctnetlink_parse_help(const struct nlattr *attr, char **helper_name, 1453 struct nlattr **helpinfo) 1454 { 1455 int err; 1456 struct nlattr *tb[CTA_HELP_MAX+1]; 1457 1458 err = nla_parse_nested_deprecated(tb, CTA_HELP_MAX, attr, 1459 help_nla_policy, NULL); 1460 if (err < 0) 1461 return err; 1462 1463 if (!tb[CTA_HELP_NAME]) 1464 return -EINVAL; 1465 1466 *helper_name = nla_data(tb[CTA_HELP_NAME]); 1467 1468 if (tb[CTA_HELP_INFO]) 1469 *helpinfo = tb[CTA_HELP_INFO]; 1470 1471 return 0; 1472 } 1473 1474 static const struct nla_policy ct_nla_policy[CTA_MAX+1] = { 1475 [CTA_TUPLE_ORIG] = { .type = NLA_NESTED }, 1476 [CTA_TUPLE_REPLY] = { .type = NLA_NESTED }, 1477 [CTA_STATUS] = { .type = NLA_U32 }, 1478 [CTA_PROTOINFO] = { .type = NLA_NESTED }, 1479 [CTA_HELP] = { .type = NLA_NESTED }, 1480 [CTA_NAT_SRC] = { .type = NLA_NESTED }, 1481 [CTA_TIMEOUT] = { .type = NLA_U32 }, 1482 [CTA_MARK] = { .type = NLA_U32 }, 1483 [CTA_ID] = { .type = NLA_U32 }, 1484 [CTA_NAT_DST] = { .type = NLA_NESTED }, 1485 [CTA_TUPLE_MASTER] = { .type = NLA_NESTED }, 1486 [CTA_NAT_SEQ_ADJ_ORIG] = { .type = NLA_NESTED }, 1487 [CTA_NAT_SEQ_ADJ_REPLY] = { .type = NLA_NESTED }, 1488 [CTA_ZONE] = { .type = NLA_U16 }, 1489 [CTA_MARK_MASK] = { .type = NLA_U32 }, 1490 [CTA_LABELS] = { .type = NLA_BINARY, 1491 .len = NF_CT_LABELS_MAX_SIZE }, 1492 [CTA_LABELS_MASK] = { .type = NLA_BINARY, 1493 .len = NF_CT_LABELS_MAX_SIZE }, 1494 [CTA_FILTER] = { .type = NLA_NESTED }, 1495 }; 1496 1497 static int ctnetlink_flush_iterate(struct nf_conn *ct, void *data) 1498 { 1499 if (test_bit(IPS_OFFLOAD_BIT, &ct->status)) 1500 return 0; 1501 1502 return ctnetlink_filter_match(ct, data); 1503 } 1504 1505 static int ctnetlink_flush_conntrack(struct net *net, 1506 const struct nlattr * const cda[], 1507 u32 portid, int report, u8 family) 1508 { 1509 struct ctnetlink_filter *filter = NULL; 1510 1511 if (ctnetlink_needs_filter(family, cda)) { 1512 if (cda[CTA_FILTER]) 1513 return -EOPNOTSUPP; 1514 1515 filter = ctnetlink_alloc_filter(cda, family); 1516 if (IS_ERR(filter)) 1517 return PTR_ERR(filter); 1518 } 1519 1520 nf_ct_iterate_cleanup_net(net, ctnetlink_flush_iterate, filter, 1521 portid, report); 1522 kfree(filter); 1523 1524 return 0; 1525 } 1526 1527 static int ctnetlink_del_conntrack(struct sk_buff *skb, 1528 const struct nfnl_info *info, 1529 const struct nlattr * const cda[]) 1530 { 1531 u8 family = info->nfmsg->nfgen_family; 1532 struct nf_conntrack_tuple_hash *h; 1533 struct nf_conntrack_tuple tuple; 1534 struct nf_conntrack_zone zone; 1535 struct nf_conn *ct; 1536 int err; 1537 1538 err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone); 1539 if (err < 0) 1540 return err; 1541 1542 if (cda[CTA_TUPLE_ORIG]) 1543 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, 1544 family, &zone); 1545 else if (cda[CTA_TUPLE_REPLY]) 1546 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY, 1547 family, &zone); 1548 else { 1549 u_int8_t u3 = info->nfmsg->version ? family : AF_UNSPEC; 1550 1551 return ctnetlink_flush_conntrack(info->net, cda, 1552 NETLINK_CB(skb).portid, 1553 nlmsg_report(info->nlh), u3); 1554 } 1555 1556 if (err < 0) 1557 return err; 1558 1559 h = nf_conntrack_find_get(info->net, &zone, &tuple); 1560 if (!h) 1561 return -ENOENT; 1562 1563 ct = nf_ct_tuplehash_to_ctrack(h); 1564 1565 if (test_bit(IPS_OFFLOAD_BIT, &ct->status)) { 1566 nf_ct_put(ct); 1567 return -EBUSY; 1568 } 1569 1570 if (cda[CTA_ID]) { 1571 __be32 id = nla_get_be32(cda[CTA_ID]); 1572 1573 if (id != (__force __be32)nf_ct_get_id(ct)) { 1574 nf_ct_put(ct); 1575 return -ENOENT; 1576 } 1577 } 1578 1579 nf_ct_delete(ct, NETLINK_CB(skb).portid, nlmsg_report(info->nlh)); 1580 nf_ct_put(ct); 1581 1582 return 0; 1583 } 1584 1585 static int ctnetlink_get_conntrack(struct sk_buff *skb, 1586 const struct nfnl_info *info, 1587 const struct nlattr * const cda[]) 1588 { 1589 u_int8_t u3 = info->nfmsg->nfgen_family; 1590 struct nf_conntrack_tuple_hash *h; 1591 struct nf_conntrack_tuple tuple; 1592 struct nf_conntrack_zone zone; 1593 struct sk_buff *skb2; 1594 struct nf_conn *ct; 1595 int err; 1596 1597 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 1598 struct netlink_dump_control c = { 1599 .start = ctnetlink_start, 1600 .dump = ctnetlink_dump_table, 1601 .done = ctnetlink_done, 1602 .data = (void *)cda, 1603 }; 1604 1605 return netlink_dump_start(info->sk, skb, info->nlh, &c); 1606 } 1607 1608 err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone); 1609 if (err < 0) 1610 return err; 1611 1612 if (cda[CTA_TUPLE_ORIG]) 1613 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, 1614 u3, &zone); 1615 else if (cda[CTA_TUPLE_REPLY]) 1616 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY, 1617 u3, &zone); 1618 else 1619 return -EINVAL; 1620 1621 if (err < 0) 1622 return err; 1623 1624 h = nf_conntrack_find_get(info->net, &zone, &tuple); 1625 if (!h) 1626 return -ENOENT; 1627 1628 ct = nf_ct_tuplehash_to_ctrack(h); 1629 1630 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); 1631 if (!skb2) { 1632 nf_ct_put(ct); 1633 return -ENOMEM; 1634 } 1635 1636 err = ctnetlink_fill_info(skb2, NETLINK_CB(skb).portid, 1637 info->nlh->nlmsg_seq, 1638 NFNL_MSG_TYPE(info->nlh->nlmsg_type), ct, 1639 true, 0); 1640 nf_ct_put(ct); 1641 if (err <= 0) { 1642 kfree_skb(skb2); 1643 return -ENOMEM; 1644 } 1645 1646 return nfnetlink_unicast(skb2, info->net, NETLINK_CB(skb).portid); 1647 } 1648 1649 static int ctnetlink_done_list(struct netlink_callback *cb) 1650 { 1651 if (cb->args[1]) 1652 nf_ct_put((struct nf_conn *)cb->args[1]); 1653 return 0; 1654 } 1655 1656 static int 1657 ctnetlink_dump_list(struct sk_buff *skb, struct netlink_callback *cb, bool dying) 1658 { 1659 struct nf_conn *ct, *last; 1660 struct nf_conntrack_tuple_hash *h; 1661 struct hlist_nulls_node *n; 1662 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 1663 u_int8_t l3proto = nfmsg->nfgen_family; 1664 int res; 1665 int cpu; 1666 struct hlist_nulls_head *list; 1667 struct net *net = sock_net(skb->sk); 1668 1669 if (cb->args[2]) 1670 return 0; 1671 1672 last = (struct nf_conn *)cb->args[1]; 1673 1674 for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) { 1675 struct ct_pcpu *pcpu; 1676 1677 if (!cpu_possible(cpu)) 1678 continue; 1679 1680 pcpu = per_cpu_ptr(net->ct.pcpu_lists, cpu); 1681 spin_lock_bh(&pcpu->lock); 1682 list = dying ? &pcpu->dying : &pcpu->unconfirmed; 1683 restart: 1684 hlist_nulls_for_each_entry(h, n, list, hnnode) { 1685 ct = nf_ct_tuplehash_to_ctrack(h); 1686 if (l3proto && nf_ct_l3num(ct) != l3proto) 1687 continue; 1688 if (cb->args[1]) { 1689 if (ct != last) 1690 continue; 1691 cb->args[1] = 0; 1692 } 1693 1694 /* We can't dump extension info for the unconfirmed 1695 * list because unconfirmed conntracks can have 1696 * ct->ext reallocated (and thus freed). 1697 * 1698 * In the dying list case ct->ext can't be free'd 1699 * until after we drop pcpu->lock. 1700 */ 1701 res = ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).portid, 1702 cb->nlh->nlmsg_seq, 1703 NFNL_MSG_TYPE(cb->nlh->nlmsg_type), 1704 ct, dying ? true : false, 0); 1705 if (res < 0) { 1706 if (!atomic_inc_not_zero(&ct->ct_general.use)) 1707 continue; 1708 cb->args[0] = cpu; 1709 cb->args[1] = (unsigned long)ct; 1710 spin_unlock_bh(&pcpu->lock); 1711 goto out; 1712 } 1713 } 1714 if (cb->args[1]) { 1715 cb->args[1] = 0; 1716 goto restart; 1717 } 1718 spin_unlock_bh(&pcpu->lock); 1719 } 1720 cb->args[2] = 1; 1721 out: 1722 if (last) 1723 nf_ct_put(last); 1724 1725 return skb->len; 1726 } 1727 1728 static int 1729 ctnetlink_dump_dying(struct sk_buff *skb, struct netlink_callback *cb) 1730 { 1731 return ctnetlink_dump_list(skb, cb, true); 1732 } 1733 1734 static int ctnetlink_get_ct_dying(struct sk_buff *skb, 1735 const struct nfnl_info *info, 1736 const struct nlattr * const cda[]) 1737 { 1738 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 1739 struct netlink_dump_control c = { 1740 .dump = ctnetlink_dump_dying, 1741 .done = ctnetlink_done_list, 1742 }; 1743 return netlink_dump_start(info->sk, skb, info->nlh, &c); 1744 } 1745 1746 return -EOPNOTSUPP; 1747 } 1748 1749 static int 1750 ctnetlink_dump_unconfirmed(struct sk_buff *skb, struct netlink_callback *cb) 1751 { 1752 return ctnetlink_dump_list(skb, cb, false); 1753 } 1754 1755 static int ctnetlink_get_ct_unconfirmed(struct sk_buff *skb, 1756 const struct nfnl_info *info, 1757 const struct nlattr * const cda[]) 1758 { 1759 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 1760 struct netlink_dump_control c = { 1761 .dump = ctnetlink_dump_unconfirmed, 1762 .done = ctnetlink_done_list, 1763 }; 1764 return netlink_dump_start(info->sk, skb, info->nlh, &c); 1765 } 1766 1767 return -EOPNOTSUPP; 1768 } 1769 1770 #if IS_ENABLED(CONFIG_NF_NAT) 1771 static int 1772 ctnetlink_parse_nat_setup(struct nf_conn *ct, 1773 enum nf_nat_manip_type manip, 1774 const struct nlattr *attr) 1775 __must_hold(RCU) 1776 { 1777 struct nf_nat_hook *nat_hook; 1778 int err; 1779 1780 nat_hook = rcu_dereference(nf_nat_hook); 1781 if (!nat_hook) { 1782 #ifdef CONFIG_MODULES 1783 rcu_read_unlock(); 1784 nfnl_unlock(NFNL_SUBSYS_CTNETLINK); 1785 if (request_module("nf-nat") < 0) { 1786 nfnl_lock(NFNL_SUBSYS_CTNETLINK); 1787 rcu_read_lock(); 1788 return -EOPNOTSUPP; 1789 } 1790 nfnl_lock(NFNL_SUBSYS_CTNETLINK); 1791 rcu_read_lock(); 1792 nat_hook = rcu_dereference(nf_nat_hook); 1793 if (nat_hook) 1794 return -EAGAIN; 1795 #endif 1796 return -EOPNOTSUPP; 1797 } 1798 1799 err = nat_hook->parse_nat_setup(ct, manip, attr); 1800 if (err == -EAGAIN) { 1801 #ifdef CONFIG_MODULES 1802 rcu_read_unlock(); 1803 nfnl_unlock(NFNL_SUBSYS_CTNETLINK); 1804 if (request_module("nf-nat-%u", nf_ct_l3num(ct)) < 0) { 1805 nfnl_lock(NFNL_SUBSYS_CTNETLINK); 1806 rcu_read_lock(); 1807 return -EOPNOTSUPP; 1808 } 1809 nfnl_lock(NFNL_SUBSYS_CTNETLINK); 1810 rcu_read_lock(); 1811 #else 1812 err = -EOPNOTSUPP; 1813 #endif 1814 } 1815 return err; 1816 } 1817 #endif 1818 1819 static void 1820 __ctnetlink_change_status(struct nf_conn *ct, unsigned long on, 1821 unsigned long off) 1822 { 1823 unsigned int bit; 1824 1825 /* Ignore these unchangable bits */ 1826 on &= ~IPS_UNCHANGEABLE_MASK; 1827 off &= ~IPS_UNCHANGEABLE_MASK; 1828 1829 for (bit = 0; bit < __IPS_MAX_BIT; bit++) { 1830 if (on & (1 << bit)) 1831 set_bit(bit, &ct->status); 1832 else if (off & (1 << bit)) 1833 clear_bit(bit, &ct->status); 1834 } 1835 } 1836 1837 static int 1838 ctnetlink_change_status(struct nf_conn *ct, const struct nlattr * const cda[]) 1839 { 1840 unsigned long d; 1841 unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS])); 1842 d = ct->status ^ status; 1843 1844 if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING)) 1845 /* unchangeable */ 1846 return -EBUSY; 1847 1848 if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY)) 1849 /* SEEN_REPLY bit can only be set */ 1850 return -EBUSY; 1851 1852 if (d & IPS_ASSURED && !(status & IPS_ASSURED)) 1853 /* ASSURED bit can only be set */ 1854 return -EBUSY; 1855 1856 __ctnetlink_change_status(ct, status, 0); 1857 return 0; 1858 } 1859 1860 static int 1861 ctnetlink_setup_nat(struct nf_conn *ct, const struct nlattr * const cda[]) 1862 { 1863 #if IS_ENABLED(CONFIG_NF_NAT) 1864 int ret; 1865 1866 if (!cda[CTA_NAT_DST] && !cda[CTA_NAT_SRC]) 1867 return 0; 1868 1869 ret = ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_DST, 1870 cda[CTA_NAT_DST]); 1871 if (ret < 0) 1872 return ret; 1873 1874 return ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_SRC, 1875 cda[CTA_NAT_SRC]); 1876 #else 1877 if (!cda[CTA_NAT_DST] && !cda[CTA_NAT_SRC]) 1878 return 0; 1879 return -EOPNOTSUPP; 1880 #endif 1881 } 1882 1883 static int ctnetlink_change_helper(struct nf_conn *ct, 1884 const struct nlattr * const cda[]) 1885 { 1886 struct nf_conntrack_helper *helper; 1887 struct nf_conn_help *help = nfct_help(ct); 1888 char *helpname = NULL; 1889 struct nlattr *helpinfo = NULL; 1890 int err; 1891 1892 err = ctnetlink_parse_help(cda[CTA_HELP], &helpname, &helpinfo); 1893 if (err < 0) 1894 return err; 1895 1896 /* don't change helper of sibling connections */ 1897 if (ct->master) { 1898 /* If we try to change the helper to the same thing twice, 1899 * treat the second attempt as a no-op instead of returning 1900 * an error. 1901 */ 1902 err = -EBUSY; 1903 if (help) { 1904 rcu_read_lock(); 1905 helper = rcu_dereference(help->helper); 1906 if (helper && !strcmp(helper->name, helpname)) 1907 err = 0; 1908 rcu_read_unlock(); 1909 } 1910 1911 return err; 1912 } 1913 1914 if (!strcmp(helpname, "")) { 1915 if (help && help->helper) { 1916 /* we had a helper before ... */ 1917 nf_ct_remove_expectations(ct); 1918 RCU_INIT_POINTER(help->helper, NULL); 1919 } 1920 1921 return 0; 1922 } 1923 1924 rcu_read_lock(); 1925 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct), 1926 nf_ct_protonum(ct)); 1927 if (helper == NULL) { 1928 rcu_read_unlock(); 1929 return -EOPNOTSUPP; 1930 } 1931 1932 if (help) { 1933 if (help->helper == helper) { 1934 /* update private helper data if allowed. */ 1935 if (helper->from_nlattr) 1936 helper->from_nlattr(helpinfo, ct); 1937 err = 0; 1938 } else 1939 err = -EBUSY; 1940 } else { 1941 /* we cannot set a helper for an existing conntrack */ 1942 err = -EOPNOTSUPP; 1943 } 1944 1945 rcu_read_unlock(); 1946 return err; 1947 } 1948 1949 static int ctnetlink_change_timeout(struct nf_conn *ct, 1950 const struct nlattr * const cda[]) 1951 { 1952 u64 timeout = (u64)ntohl(nla_get_be32(cda[CTA_TIMEOUT])) * HZ; 1953 1954 if (timeout > INT_MAX) 1955 timeout = INT_MAX; 1956 ct->timeout = nfct_time_stamp + (u32)timeout; 1957 1958 if (test_bit(IPS_DYING_BIT, &ct->status)) 1959 return -ETIME; 1960 1961 return 0; 1962 } 1963 1964 #if defined(CONFIG_NF_CONNTRACK_MARK) 1965 static void ctnetlink_change_mark(struct nf_conn *ct, 1966 const struct nlattr * const cda[]) 1967 { 1968 u32 mark, newmark, mask = 0; 1969 1970 if (cda[CTA_MARK_MASK]) 1971 mask = ~ntohl(nla_get_be32(cda[CTA_MARK_MASK])); 1972 1973 mark = ntohl(nla_get_be32(cda[CTA_MARK])); 1974 newmark = (ct->mark & mask) ^ mark; 1975 if (newmark != ct->mark) 1976 ct->mark = newmark; 1977 } 1978 #endif 1979 1980 static const struct nla_policy protoinfo_policy[CTA_PROTOINFO_MAX+1] = { 1981 [CTA_PROTOINFO_TCP] = { .type = NLA_NESTED }, 1982 [CTA_PROTOINFO_DCCP] = { .type = NLA_NESTED }, 1983 [CTA_PROTOINFO_SCTP] = { .type = NLA_NESTED }, 1984 }; 1985 1986 static int ctnetlink_change_protoinfo(struct nf_conn *ct, 1987 const struct nlattr * const cda[]) 1988 { 1989 const struct nlattr *attr = cda[CTA_PROTOINFO]; 1990 const struct nf_conntrack_l4proto *l4proto; 1991 struct nlattr *tb[CTA_PROTOINFO_MAX+1]; 1992 int err = 0; 1993 1994 err = nla_parse_nested_deprecated(tb, CTA_PROTOINFO_MAX, attr, 1995 protoinfo_policy, NULL); 1996 if (err < 0) 1997 return err; 1998 1999 l4proto = nf_ct_l4proto_find(nf_ct_protonum(ct)); 2000 if (l4proto->from_nlattr) 2001 err = l4proto->from_nlattr(tb, ct); 2002 2003 return err; 2004 } 2005 2006 static const struct nla_policy seqadj_policy[CTA_SEQADJ_MAX+1] = { 2007 [CTA_SEQADJ_CORRECTION_POS] = { .type = NLA_U32 }, 2008 [CTA_SEQADJ_OFFSET_BEFORE] = { .type = NLA_U32 }, 2009 [CTA_SEQADJ_OFFSET_AFTER] = { .type = NLA_U32 }, 2010 }; 2011 2012 static int change_seq_adj(struct nf_ct_seqadj *seq, 2013 const struct nlattr * const attr) 2014 { 2015 int err; 2016 struct nlattr *cda[CTA_SEQADJ_MAX+1]; 2017 2018 err = nla_parse_nested_deprecated(cda, CTA_SEQADJ_MAX, attr, 2019 seqadj_policy, NULL); 2020 if (err < 0) 2021 return err; 2022 2023 if (!cda[CTA_SEQADJ_CORRECTION_POS]) 2024 return -EINVAL; 2025 2026 seq->correction_pos = 2027 ntohl(nla_get_be32(cda[CTA_SEQADJ_CORRECTION_POS])); 2028 2029 if (!cda[CTA_SEQADJ_OFFSET_BEFORE]) 2030 return -EINVAL; 2031 2032 seq->offset_before = 2033 ntohl(nla_get_be32(cda[CTA_SEQADJ_OFFSET_BEFORE])); 2034 2035 if (!cda[CTA_SEQADJ_OFFSET_AFTER]) 2036 return -EINVAL; 2037 2038 seq->offset_after = 2039 ntohl(nla_get_be32(cda[CTA_SEQADJ_OFFSET_AFTER])); 2040 2041 return 0; 2042 } 2043 2044 static int 2045 ctnetlink_change_seq_adj(struct nf_conn *ct, 2046 const struct nlattr * const cda[]) 2047 { 2048 struct nf_conn_seqadj *seqadj = nfct_seqadj(ct); 2049 int ret = 0; 2050 2051 if (!seqadj) 2052 return 0; 2053 2054 spin_lock_bh(&ct->lock); 2055 if (cda[CTA_SEQ_ADJ_ORIG]) { 2056 ret = change_seq_adj(&seqadj->seq[IP_CT_DIR_ORIGINAL], 2057 cda[CTA_SEQ_ADJ_ORIG]); 2058 if (ret < 0) 2059 goto err; 2060 2061 set_bit(IPS_SEQ_ADJUST_BIT, &ct->status); 2062 } 2063 2064 if (cda[CTA_SEQ_ADJ_REPLY]) { 2065 ret = change_seq_adj(&seqadj->seq[IP_CT_DIR_REPLY], 2066 cda[CTA_SEQ_ADJ_REPLY]); 2067 if (ret < 0) 2068 goto err; 2069 2070 set_bit(IPS_SEQ_ADJUST_BIT, &ct->status); 2071 } 2072 2073 spin_unlock_bh(&ct->lock); 2074 return 0; 2075 err: 2076 spin_unlock_bh(&ct->lock); 2077 return ret; 2078 } 2079 2080 static const struct nla_policy synproxy_policy[CTA_SYNPROXY_MAX + 1] = { 2081 [CTA_SYNPROXY_ISN] = { .type = NLA_U32 }, 2082 [CTA_SYNPROXY_ITS] = { .type = NLA_U32 }, 2083 [CTA_SYNPROXY_TSOFF] = { .type = NLA_U32 }, 2084 }; 2085 2086 static int ctnetlink_change_synproxy(struct nf_conn *ct, 2087 const struct nlattr * const cda[]) 2088 { 2089 struct nf_conn_synproxy *synproxy = nfct_synproxy(ct); 2090 struct nlattr *tb[CTA_SYNPROXY_MAX + 1]; 2091 int err; 2092 2093 if (!synproxy) 2094 return 0; 2095 2096 err = nla_parse_nested_deprecated(tb, CTA_SYNPROXY_MAX, 2097 cda[CTA_SYNPROXY], synproxy_policy, 2098 NULL); 2099 if (err < 0) 2100 return err; 2101 2102 if (!tb[CTA_SYNPROXY_ISN] || 2103 !tb[CTA_SYNPROXY_ITS] || 2104 !tb[CTA_SYNPROXY_TSOFF]) 2105 return -EINVAL; 2106 2107 synproxy->isn = ntohl(nla_get_be32(tb[CTA_SYNPROXY_ISN])); 2108 synproxy->its = ntohl(nla_get_be32(tb[CTA_SYNPROXY_ITS])); 2109 synproxy->tsoff = ntohl(nla_get_be32(tb[CTA_SYNPROXY_TSOFF])); 2110 2111 return 0; 2112 } 2113 2114 static int 2115 ctnetlink_attach_labels(struct nf_conn *ct, const struct nlattr * const cda[]) 2116 { 2117 #ifdef CONFIG_NF_CONNTRACK_LABELS 2118 size_t len = nla_len(cda[CTA_LABELS]); 2119 const void *mask = cda[CTA_LABELS_MASK]; 2120 2121 if (len & (sizeof(u32)-1)) /* must be multiple of u32 */ 2122 return -EINVAL; 2123 2124 if (mask) { 2125 if (nla_len(cda[CTA_LABELS_MASK]) == 0 || 2126 nla_len(cda[CTA_LABELS_MASK]) != len) 2127 return -EINVAL; 2128 mask = nla_data(cda[CTA_LABELS_MASK]); 2129 } 2130 2131 len /= sizeof(u32); 2132 2133 return nf_connlabels_replace(ct, nla_data(cda[CTA_LABELS]), mask, len); 2134 #else 2135 return -EOPNOTSUPP; 2136 #endif 2137 } 2138 2139 static int 2140 ctnetlink_change_conntrack(struct nf_conn *ct, 2141 const struct nlattr * const cda[]) 2142 { 2143 int err; 2144 2145 /* only allow NAT changes and master assignation for new conntracks */ 2146 if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST] || cda[CTA_TUPLE_MASTER]) 2147 return -EOPNOTSUPP; 2148 2149 if (cda[CTA_HELP]) { 2150 err = ctnetlink_change_helper(ct, cda); 2151 if (err < 0) 2152 return err; 2153 } 2154 2155 if (cda[CTA_TIMEOUT]) { 2156 err = ctnetlink_change_timeout(ct, cda); 2157 if (err < 0) 2158 return err; 2159 } 2160 2161 if (cda[CTA_STATUS]) { 2162 err = ctnetlink_change_status(ct, cda); 2163 if (err < 0) 2164 return err; 2165 } 2166 2167 if (cda[CTA_PROTOINFO]) { 2168 err = ctnetlink_change_protoinfo(ct, cda); 2169 if (err < 0) 2170 return err; 2171 } 2172 2173 #if defined(CONFIG_NF_CONNTRACK_MARK) 2174 if (cda[CTA_MARK]) 2175 ctnetlink_change_mark(ct, cda); 2176 #endif 2177 2178 if (cda[CTA_SEQ_ADJ_ORIG] || cda[CTA_SEQ_ADJ_REPLY]) { 2179 err = ctnetlink_change_seq_adj(ct, cda); 2180 if (err < 0) 2181 return err; 2182 } 2183 2184 if (cda[CTA_SYNPROXY]) { 2185 err = ctnetlink_change_synproxy(ct, cda); 2186 if (err < 0) 2187 return err; 2188 } 2189 2190 if (cda[CTA_LABELS]) { 2191 err = ctnetlink_attach_labels(ct, cda); 2192 if (err < 0) 2193 return err; 2194 } 2195 2196 return 0; 2197 } 2198 2199 static struct nf_conn * 2200 ctnetlink_create_conntrack(struct net *net, 2201 const struct nf_conntrack_zone *zone, 2202 const struct nlattr * const cda[], 2203 struct nf_conntrack_tuple *otuple, 2204 struct nf_conntrack_tuple *rtuple, 2205 u8 u3) 2206 { 2207 struct nf_conn *ct; 2208 int err = -EINVAL; 2209 struct nf_conntrack_helper *helper; 2210 struct nf_conn_tstamp *tstamp; 2211 u64 timeout; 2212 2213 ct = nf_conntrack_alloc(net, zone, otuple, rtuple, GFP_ATOMIC); 2214 if (IS_ERR(ct)) 2215 return ERR_PTR(-ENOMEM); 2216 2217 if (!cda[CTA_TIMEOUT]) 2218 goto err1; 2219 2220 timeout = (u64)ntohl(nla_get_be32(cda[CTA_TIMEOUT])) * HZ; 2221 if (timeout > INT_MAX) 2222 timeout = INT_MAX; 2223 ct->timeout = (u32)timeout + nfct_time_stamp; 2224 2225 rcu_read_lock(); 2226 if (cda[CTA_HELP]) { 2227 char *helpname = NULL; 2228 struct nlattr *helpinfo = NULL; 2229 2230 err = ctnetlink_parse_help(cda[CTA_HELP], &helpname, &helpinfo); 2231 if (err < 0) 2232 goto err2; 2233 2234 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct), 2235 nf_ct_protonum(ct)); 2236 if (helper == NULL) { 2237 rcu_read_unlock(); 2238 #ifdef CONFIG_MODULES 2239 if (request_module("nfct-helper-%s", helpname) < 0) { 2240 err = -EOPNOTSUPP; 2241 goto err1; 2242 } 2243 2244 rcu_read_lock(); 2245 helper = __nf_conntrack_helper_find(helpname, 2246 nf_ct_l3num(ct), 2247 nf_ct_protonum(ct)); 2248 if (helper) { 2249 err = -EAGAIN; 2250 goto err2; 2251 } 2252 rcu_read_unlock(); 2253 #endif 2254 err = -EOPNOTSUPP; 2255 goto err1; 2256 } else { 2257 struct nf_conn_help *help; 2258 2259 help = nf_ct_helper_ext_add(ct, GFP_ATOMIC); 2260 if (help == NULL) { 2261 err = -ENOMEM; 2262 goto err2; 2263 } 2264 /* set private helper data if allowed. */ 2265 if (helper->from_nlattr) 2266 helper->from_nlattr(helpinfo, ct); 2267 2268 /* not in hash table yet so not strictly necessary */ 2269 RCU_INIT_POINTER(help->helper, helper); 2270 } 2271 } else { 2272 /* try an implicit helper assignation */ 2273 err = __nf_ct_try_assign_helper(ct, NULL, GFP_ATOMIC); 2274 if (err < 0) 2275 goto err2; 2276 } 2277 2278 err = ctnetlink_setup_nat(ct, cda); 2279 if (err < 0) 2280 goto err2; 2281 2282 nf_ct_acct_ext_add(ct, GFP_ATOMIC); 2283 nf_ct_tstamp_ext_add(ct, GFP_ATOMIC); 2284 nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC); 2285 nf_ct_labels_ext_add(ct); 2286 nfct_seqadj_ext_add(ct); 2287 nfct_synproxy_ext_add(ct); 2288 2289 /* we must add conntrack extensions before confirmation. */ 2290 ct->status |= IPS_CONFIRMED; 2291 2292 if (cda[CTA_STATUS]) { 2293 err = ctnetlink_change_status(ct, cda); 2294 if (err < 0) 2295 goto err2; 2296 } 2297 2298 if (cda[CTA_SEQ_ADJ_ORIG] || cda[CTA_SEQ_ADJ_REPLY]) { 2299 err = ctnetlink_change_seq_adj(ct, cda); 2300 if (err < 0) 2301 goto err2; 2302 } 2303 2304 memset(&ct->proto, 0, sizeof(ct->proto)); 2305 if (cda[CTA_PROTOINFO]) { 2306 err = ctnetlink_change_protoinfo(ct, cda); 2307 if (err < 0) 2308 goto err2; 2309 } 2310 2311 if (cda[CTA_SYNPROXY]) { 2312 err = ctnetlink_change_synproxy(ct, cda); 2313 if (err < 0) 2314 goto err2; 2315 } 2316 2317 #if defined(CONFIG_NF_CONNTRACK_MARK) 2318 if (cda[CTA_MARK]) 2319 ctnetlink_change_mark(ct, cda); 2320 #endif 2321 2322 /* setup master conntrack: this is a confirmed expectation */ 2323 if (cda[CTA_TUPLE_MASTER]) { 2324 struct nf_conntrack_tuple master; 2325 struct nf_conntrack_tuple_hash *master_h; 2326 struct nf_conn *master_ct; 2327 2328 err = ctnetlink_parse_tuple(cda, &master, CTA_TUPLE_MASTER, 2329 u3, NULL); 2330 if (err < 0) 2331 goto err2; 2332 2333 master_h = nf_conntrack_find_get(net, zone, &master); 2334 if (master_h == NULL) { 2335 err = -ENOENT; 2336 goto err2; 2337 } 2338 master_ct = nf_ct_tuplehash_to_ctrack(master_h); 2339 __set_bit(IPS_EXPECTED_BIT, &ct->status); 2340 ct->master = master_ct; 2341 } 2342 tstamp = nf_conn_tstamp_find(ct); 2343 if (tstamp) 2344 tstamp->start = ktime_get_real_ns(); 2345 2346 err = nf_conntrack_hash_check_insert(ct); 2347 if (err < 0) 2348 goto err2; 2349 2350 rcu_read_unlock(); 2351 2352 return ct; 2353 2354 err2: 2355 rcu_read_unlock(); 2356 err1: 2357 nf_conntrack_free(ct); 2358 return ERR_PTR(err); 2359 } 2360 2361 static int ctnetlink_new_conntrack(struct sk_buff *skb, 2362 const struct nfnl_info *info, 2363 const struct nlattr * const cda[]) 2364 { 2365 struct nf_conntrack_tuple otuple, rtuple; 2366 struct nf_conntrack_tuple_hash *h = NULL; 2367 u_int8_t u3 = info->nfmsg->nfgen_family; 2368 struct nf_conntrack_zone zone; 2369 struct nf_conn *ct; 2370 int err; 2371 2372 err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone); 2373 if (err < 0) 2374 return err; 2375 2376 if (cda[CTA_TUPLE_ORIG]) { 2377 err = ctnetlink_parse_tuple(cda, &otuple, CTA_TUPLE_ORIG, 2378 u3, &zone); 2379 if (err < 0) 2380 return err; 2381 } 2382 2383 if (cda[CTA_TUPLE_REPLY]) { 2384 err = ctnetlink_parse_tuple(cda, &rtuple, CTA_TUPLE_REPLY, 2385 u3, &zone); 2386 if (err < 0) 2387 return err; 2388 } 2389 2390 if (cda[CTA_TUPLE_ORIG]) 2391 h = nf_conntrack_find_get(info->net, &zone, &otuple); 2392 else if (cda[CTA_TUPLE_REPLY]) 2393 h = nf_conntrack_find_get(info->net, &zone, &rtuple); 2394 2395 if (h == NULL) { 2396 err = -ENOENT; 2397 if (info->nlh->nlmsg_flags & NLM_F_CREATE) { 2398 enum ip_conntrack_events events; 2399 2400 if (!cda[CTA_TUPLE_ORIG] || !cda[CTA_TUPLE_REPLY]) 2401 return -EINVAL; 2402 if (otuple.dst.protonum != rtuple.dst.protonum) 2403 return -EINVAL; 2404 2405 ct = ctnetlink_create_conntrack(info->net, &zone, cda, 2406 &otuple, &rtuple, u3); 2407 if (IS_ERR(ct)) 2408 return PTR_ERR(ct); 2409 2410 err = 0; 2411 if (test_bit(IPS_EXPECTED_BIT, &ct->status)) 2412 events = 1 << IPCT_RELATED; 2413 else 2414 events = 1 << IPCT_NEW; 2415 2416 if (cda[CTA_LABELS] && 2417 ctnetlink_attach_labels(ct, cda) == 0) 2418 events |= (1 << IPCT_LABEL); 2419 2420 nf_conntrack_eventmask_report((1 << IPCT_REPLY) | 2421 (1 << IPCT_ASSURED) | 2422 (1 << IPCT_HELPER) | 2423 (1 << IPCT_PROTOINFO) | 2424 (1 << IPCT_SEQADJ) | 2425 (1 << IPCT_MARK) | 2426 (1 << IPCT_SYNPROXY) | 2427 events, 2428 ct, NETLINK_CB(skb).portid, 2429 nlmsg_report(info->nlh)); 2430 nf_ct_put(ct); 2431 } 2432 2433 return err; 2434 } 2435 /* implicit 'else' */ 2436 2437 err = -EEXIST; 2438 ct = nf_ct_tuplehash_to_ctrack(h); 2439 if (!(info->nlh->nlmsg_flags & NLM_F_EXCL)) { 2440 err = ctnetlink_change_conntrack(ct, cda); 2441 if (err == 0) { 2442 nf_conntrack_eventmask_report((1 << IPCT_REPLY) | 2443 (1 << IPCT_ASSURED) | 2444 (1 << IPCT_HELPER) | 2445 (1 << IPCT_LABEL) | 2446 (1 << IPCT_PROTOINFO) | 2447 (1 << IPCT_SEQADJ) | 2448 (1 << IPCT_MARK) | 2449 (1 << IPCT_SYNPROXY), 2450 ct, NETLINK_CB(skb).portid, 2451 nlmsg_report(info->nlh)); 2452 } 2453 } 2454 2455 nf_ct_put(ct); 2456 return err; 2457 } 2458 2459 static int 2460 ctnetlink_ct_stat_cpu_fill_info(struct sk_buff *skb, u32 portid, u32 seq, 2461 __u16 cpu, const struct ip_conntrack_stat *st) 2462 { 2463 struct nlmsghdr *nlh; 2464 unsigned int flags = portid ? NLM_F_MULTI : 0, event; 2465 2466 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, 2467 IPCTNL_MSG_CT_GET_STATS_CPU); 2468 nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC, 2469 NFNETLINK_V0, htons(cpu)); 2470 if (!nlh) 2471 goto nlmsg_failure; 2472 2473 if (nla_put_be32(skb, CTA_STATS_FOUND, htonl(st->found)) || 2474 nla_put_be32(skb, CTA_STATS_INVALID, htonl(st->invalid)) || 2475 nla_put_be32(skb, CTA_STATS_INSERT, htonl(st->insert)) || 2476 nla_put_be32(skb, CTA_STATS_INSERT_FAILED, 2477 htonl(st->insert_failed)) || 2478 nla_put_be32(skb, CTA_STATS_DROP, htonl(st->drop)) || 2479 nla_put_be32(skb, CTA_STATS_EARLY_DROP, htonl(st->early_drop)) || 2480 nla_put_be32(skb, CTA_STATS_ERROR, htonl(st->error)) || 2481 nla_put_be32(skb, CTA_STATS_SEARCH_RESTART, 2482 htonl(st->search_restart)) || 2483 nla_put_be32(skb, CTA_STATS_CLASH_RESOLVE, 2484 htonl(st->clash_resolve))) 2485 goto nla_put_failure; 2486 2487 nlmsg_end(skb, nlh); 2488 return skb->len; 2489 2490 nla_put_failure: 2491 nlmsg_failure: 2492 nlmsg_cancel(skb, nlh); 2493 return -1; 2494 } 2495 2496 static int 2497 ctnetlink_ct_stat_cpu_dump(struct sk_buff *skb, struct netlink_callback *cb) 2498 { 2499 int cpu; 2500 struct net *net = sock_net(skb->sk); 2501 2502 if (cb->args[0] == nr_cpu_ids) 2503 return 0; 2504 2505 for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) { 2506 const struct ip_conntrack_stat *st; 2507 2508 if (!cpu_possible(cpu)) 2509 continue; 2510 2511 st = per_cpu_ptr(net->ct.stat, cpu); 2512 if (ctnetlink_ct_stat_cpu_fill_info(skb, 2513 NETLINK_CB(cb->skb).portid, 2514 cb->nlh->nlmsg_seq, 2515 cpu, st) < 0) 2516 break; 2517 } 2518 cb->args[0] = cpu; 2519 2520 return skb->len; 2521 } 2522 2523 static int ctnetlink_stat_ct_cpu(struct sk_buff *skb, 2524 const struct nfnl_info *info, 2525 const struct nlattr * const cda[]) 2526 { 2527 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 2528 struct netlink_dump_control c = { 2529 .dump = ctnetlink_ct_stat_cpu_dump, 2530 }; 2531 return netlink_dump_start(info->sk, skb, info->nlh, &c); 2532 } 2533 2534 return 0; 2535 } 2536 2537 static int 2538 ctnetlink_stat_ct_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type, 2539 struct net *net) 2540 { 2541 unsigned int flags = portid ? NLM_F_MULTI : 0, event; 2542 unsigned int nr_conntracks; 2543 struct nlmsghdr *nlh; 2544 2545 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, IPCTNL_MSG_CT_GET_STATS); 2546 nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC, 2547 NFNETLINK_V0, 0); 2548 if (!nlh) 2549 goto nlmsg_failure; 2550 2551 nr_conntracks = nf_conntrack_count(net); 2552 if (nla_put_be32(skb, CTA_STATS_GLOBAL_ENTRIES, htonl(nr_conntracks))) 2553 goto nla_put_failure; 2554 2555 if (nla_put_be32(skb, CTA_STATS_GLOBAL_MAX_ENTRIES, htonl(nf_conntrack_max))) 2556 goto nla_put_failure; 2557 2558 nlmsg_end(skb, nlh); 2559 return skb->len; 2560 2561 nla_put_failure: 2562 nlmsg_failure: 2563 nlmsg_cancel(skb, nlh); 2564 return -1; 2565 } 2566 2567 static int ctnetlink_stat_ct(struct sk_buff *skb, const struct nfnl_info *info, 2568 const struct nlattr * const cda[]) 2569 { 2570 struct sk_buff *skb2; 2571 int err; 2572 2573 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); 2574 if (skb2 == NULL) 2575 return -ENOMEM; 2576 2577 err = ctnetlink_stat_ct_fill_info(skb2, NETLINK_CB(skb).portid, 2578 info->nlh->nlmsg_seq, 2579 NFNL_MSG_TYPE(info->nlh->nlmsg_type), 2580 sock_net(skb->sk)); 2581 if (err <= 0) { 2582 kfree_skb(skb2); 2583 return -ENOMEM; 2584 } 2585 2586 return nfnetlink_unicast(skb2, info->net, NETLINK_CB(skb).portid); 2587 } 2588 2589 static const struct nla_policy exp_nla_policy[CTA_EXPECT_MAX+1] = { 2590 [CTA_EXPECT_MASTER] = { .type = NLA_NESTED }, 2591 [CTA_EXPECT_TUPLE] = { .type = NLA_NESTED }, 2592 [CTA_EXPECT_MASK] = { .type = NLA_NESTED }, 2593 [CTA_EXPECT_TIMEOUT] = { .type = NLA_U32 }, 2594 [CTA_EXPECT_ID] = { .type = NLA_U32 }, 2595 [CTA_EXPECT_HELP_NAME] = { .type = NLA_NUL_STRING, 2596 .len = NF_CT_HELPER_NAME_LEN - 1 }, 2597 [CTA_EXPECT_ZONE] = { .type = NLA_U16 }, 2598 [CTA_EXPECT_FLAGS] = { .type = NLA_U32 }, 2599 [CTA_EXPECT_CLASS] = { .type = NLA_U32 }, 2600 [CTA_EXPECT_NAT] = { .type = NLA_NESTED }, 2601 [CTA_EXPECT_FN] = { .type = NLA_NUL_STRING }, 2602 }; 2603 2604 static struct nf_conntrack_expect * 2605 ctnetlink_alloc_expect(const struct nlattr *const cda[], struct nf_conn *ct, 2606 struct nf_conntrack_helper *helper, 2607 struct nf_conntrack_tuple *tuple, 2608 struct nf_conntrack_tuple *mask); 2609 2610 #ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT 2611 static size_t 2612 ctnetlink_glue_build_size(const struct nf_conn *ct) 2613 { 2614 return 3 * nla_total_size(0) /* CTA_TUPLE_ORIG|REPL|MASTER */ 2615 + 3 * nla_total_size(0) /* CTA_TUPLE_IP */ 2616 + 3 * nla_total_size(0) /* CTA_TUPLE_PROTO */ 2617 + 3 * nla_total_size(sizeof(u_int8_t)) /* CTA_PROTO_NUM */ 2618 + nla_total_size(sizeof(u_int32_t)) /* CTA_ID */ 2619 + nla_total_size(sizeof(u_int32_t)) /* CTA_STATUS */ 2620 + nla_total_size(sizeof(u_int32_t)) /* CTA_TIMEOUT */ 2621 + nla_total_size(0) /* CTA_PROTOINFO */ 2622 + nla_total_size(0) /* CTA_HELP */ 2623 + nla_total_size(NF_CT_HELPER_NAME_LEN) /* CTA_HELP_NAME */ 2624 + ctnetlink_secctx_size(ct) 2625 #if IS_ENABLED(CONFIG_NF_NAT) 2626 + 2 * nla_total_size(0) /* CTA_NAT_SEQ_ADJ_ORIG|REPL */ 2627 + 6 * nla_total_size(sizeof(u_int32_t)) /* CTA_NAT_SEQ_OFFSET */ 2628 #endif 2629 #ifdef CONFIG_NF_CONNTRACK_MARK 2630 + nla_total_size(sizeof(u_int32_t)) /* CTA_MARK */ 2631 #endif 2632 #ifdef CONFIG_NF_CONNTRACK_ZONES 2633 + nla_total_size(sizeof(u_int16_t)) /* CTA_ZONE|CTA_TUPLE_ZONE */ 2634 #endif 2635 + ctnetlink_proto_size(ct) 2636 ; 2637 } 2638 2639 static int __ctnetlink_glue_build(struct sk_buff *skb, struct nf_conn *ct) 2640 { 2641 const struct nf_conntrack_zone *zone; 2642 struct nlattr *nest_parms; 2643 2644 zone = nf_ct_zone(ct); 2645 2646 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG); 2647 if (!nest_parms) 2648 goto nla_put_failure; 2649 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0) 2650 goto nla_put_failure; 2651 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone, 2652 NF_CT_ZONE_DIR_ORIG) < 0) 2653 goto nla_put_failure; 2654 nla_nest_end(skb, nest_parms); 2655 2656 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY); 2657 if (!nest_parms) 2658 goto nla_put_failure; 2659 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0) 2660 goto nla_put_failure; 2661 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone, 2662 NF_CT_ZONE_DIR_REPL) < 0) 2663 goto nla_put_failure; 2664 nla_nest_end(skb, nest_parms); 2665 2666 if (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone, 2667 NF_CT_DEFAULT_ZONE_DIR) < 0) 2668 goto nla_put_failure; 2669 2670 if (ctnetlink_dump_id(skb, ct) < 0) 2671 goto nla_put_failure; 2672 2673 if (ctnetlink_dump_status(skb, ct) < 0) 2674 goto nla_put_failure; 2675 2676 if (ctnetlink_dump_timeout(skb, ct, false) < 0) 2677 goto nla_put_failure; 2678 2679 if (ctnetlink_dump_protoinfo(skb, ct, false) < 0) 2680 goto nla_put_failure; 2681 2682 if (ctnetlink_dump_helpinfo(skb, ct) < 0) 2683 goto nla_put_failure; 2684 2685 #ifdef CONFIG_NF_CONNTRACK_SECMARK 2686 if (ct->secmark && ctnetlink_dump_secctx(skb, ct) < 0) 2687 goto nla_put_failure; 2688 #endif 2689 if (ct->master && ctnetlink_dump_master(skb, ct) < 0) 2690 goto nla_put_failure; 2691 2692 if ((ct->status & IPS_SEQ_ADJUST) && 2693 ctnetlink_dump_ct_seq_adj(skb, ct) < 0) 2694 goto nla_put_failure; 2695 2696 if (ctnetlink_dump_ct_synproxy(skb, ct) < 0) 2697 goto nla_put_failure; 2698 2699 #ifdef CONFIG_NF_CONNTRACK_MARK 2700 if (ct->mark && ctnetlink_dump_mark(skb, ct) < 0) 2701 goto nla_put_failure; 2702 #endif 2703 if (ctnetlink_dump_labels(skb, ct) < 0) 2704 goto nla_put_failure; 2705 return 0; 2706 2707 nla_put_failure: 2708 return -ENOSPC; 2709 } 2710 2711 static int 2712 ctnetlink_glue_build(struct sk_buff *skb, struct nf_conn *ct, 2713 enum ip_conntrack_info ctinfo, 2714 u_int16_t ct_attr, u_int16_t ct_info_attr) 2715 { 2716 struct nlattr *nest_parms; 2717 2718 nest_parms = nla_nest_start(skb, ct_attr); 2719 if (!nest_parms) 2720 goto nla_put_failure; 2721 2722 if (__ctnetlink_glue_build(skb, ct) < 0) 2723 goto nla_put_failure; 2724 2725 nla_nest_end(skb, nest_parms); 2726 2727 if (nla_put_be32(skb, ct_info_attr, htonl(ctinfo))) 2728 goto nla_put_failure; 2729 2730 return 0; 2731 2732 nla_put_failure: 2733 return -ENOSPC; 2734 } 2735 2736 static int 2737 ctnetlink_update_status(struct nf_conn *ct, const struct nlattr * const cda[]) 2738 { 2739 unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS])); 2740 unsigned long d = ct->status ^ status; 2741 2742 if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY)) 2743 /* SEEN_REPLY bit can only be set */ 2744 return -EBUSY; 2745 2746 if (d & IPS_ASSURED && !(status & IPS_ASSURED)) 2747 /* ASSURED bit can only be set */ 2748 return -EBUSY; 2749 2750 /* This check is less strict than ctnetlink_change_status() 2751 * because callers often flip IPS_EXPECTED bits when sending 2752 * an NFQA_CT attribute to the kernel. So ignore the 2753 * unchangeable bits but do not error out. Also user programs 2754 * are allowed to clear the bits that they are allowed to change. 2755 */ 2756 __ctnetlink_change_status(ct, status, ~status); 2757 return 0; 2758 } 2759 2760 static int 2761 ctnetlink_glue_parse_ct(const struct nlattr *cda[], struct nf_conn *ct) 2762 { 2763 int err; 2764 2765 if (cda[CTA_TIMEOUT]) { 2766 err = ctnetlink_change_timeout(ct, cda); 2767 if (err < 0) 2768 return err; 2769 } 2770 if (cda[CTA_STATUS]) { 2771 err = ctnetlink_update_status(ct, cda); 2772 if (err < 0) 2773 return err; 2774 } 2775 if (cda[CTA_HELP]) { 2776 err = ctnetlink_change_helper(ct, cda); 2777 if (err < 0) 2778 return err; 2779 } 2780 if (cda[CTA_LABELS]) { 2781 err = ctnetlink_attach_labels(ct, cda); 2782 if (err < 0) 2783 return err; 2784 } 2785 #if defined(CONFIG_NF_CONNTRACK_MARK) 2786 if (cda[CTA_MARK]) { 2787 ctnetlink_change_mark(ct, cda); 2788 } 2789 #endif 2790 return 0; 2791 } 2792 2793 static int 2794 ctnetlink_glue_parse(const struct nlattr *attr, struct nf_conn *ct) 2795 { 2796 struct nlattr *cda[CTA_MAX+1]; 2797 int ret; 2798 2799 ret = nla_parse_nested_deprecated(cda, CTA_MAX, attr, ct_nla_policy, 2800 NULL); 2801 if (ret < 0) 2802 return ret; 2803 2804 return ctnetlink_glue_parse_ct((const struct nlattr **)cda, ct); 2805 } 2806 2807 static int ctnetlink_glue_exp_parse(const struct nlattr * const *cda, 2808 const struct nf_conn *ct, 2809 struct nf_conntrack_tuple *tuple, 2810 struct nf_conntrack_tuple *mask) 2811 { 2812 int err; 2813 2814 err = ctnetlink_parse_tuple(cda, tuple, CTA_EXPECT_TUPLE, 2815 nf_ct_l3num(ct), NULL); 2816 if (err < 0) 2817 return err; 2818 2819 return ctnetlink_parse_tuple(cda, mask, CTA_EXPECT_MASK, 2820 nf_ct_l3num(ct), NULL); 2821 } 2822 2823 static int 2824 ctnetlink_glue_attach_expect(const struct nlattr *attr, struct nf_conn *ct, 2825 u32 portid, u32 report) 2826 { 2827 struct nlattr *cda[CTA_EXPECT_MAX+1]; 2828 struct nf_conntrack_tuple tuple, mask; 2829 struct nf_conntrack_helper *helper = NULL; 2830 struct nf_conntrack_expect *exp; 2831 int err; 2832 2833 err = nla_parse_nested_deprecated(cda, CTA_EXPECT_MAX, attr, 2834 exp_nla_policy, NULL); 2835 if (err < 0) 2836 return err; 2837 2838 err = ctnetlink_glue_exp_parse((const struct nlattr * const *)cda, 2839 ct, &tuple, &mask); 2840 if (err < 0) 2841 return err; 2842 2843 if (cda[CTA_EXPECT_HELP_NAME]) { 2844 const char *helpname = nla_data(cda[CTA_EXPECT_HELP_NAME]); 2845 2846 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct), 2847 nf_ct_protonum(ct)); 2848 if (helper == NULL) 2849 return -EOPNOTSUPP; 2850 } 2851 2852 exp = ctnetlink_alloc_expect((const struct nlattr * const *)cda, ct, 2853 helper, &tuple, &mask); 2854 if (IS_ERR(exp)) 2855 return PTR_ERR(exp); 2856 2857 err = nf_ct_expect_related_report(exp, portid, report, 0); 2858 nf_ct_expect_put(exp); 2859 return err; 2860 } 2861 2862 static void ctnetlink_glue_seqadj(struct sk_buff *skb, struct nf_conn *ct, 2863 enum ip_conntrack_info ctinfo, int diff) 2864 { 2865 if (!(ct->status & IPS_NAT_MASK)) 2866 return; 2867 2868 nf_ct_tcp_seqadj_set(skb, ct, ctinfo, diff); 2869 } 2870 2871 static struct nfnl_ct_hook ctnetlink_glue_hook = { 2872 .build_size = ctnetlink_glue_build_size, 2873 .build = ctnetlink_glue_build, 2874 .parse = ctnetlink_glue_parse, 2875 .attach_expect = ctnetlink_glue_attach_expect, 2876 .seq_adjust = ctnetlink_glue_seqadj, 2877 }; 2878 #endif /* CONFIG_NETFILTER_NETLINK_GLUE_CT */ 2879 2880 /*********************************************************************** 2881 * EXPECT 2882 ***********************************************************************/ 2883 2884 static int ctnetlink_exp_dump_tuple(struct sk_buff *skb, 2885 const struct nf_conntrack_tuple *tuple, 2886 u32 type) 2887 { 2888 struct nlattr *nest_parms; 2889 2890 nest_parms = nla_nest_start(skb, type); 2891 if (!nest_parms) 2892 goto nla_put_failure; 2893 if (ctnetlink_dump_tuples(skb, tuple) < 0) 2894 goto nla_put_failure; 2895 nla_nest_end(skb, nest_parms); 2896 2897 return 0; 2898 2899 nla_put_failure: 2900 return -1; 2901 } 2902 2903 static int ctnetlink_exp_dump_mask(struct sk_buff *skb, 2904 const struct nf_conntrack_tuple *tuple, 2905 const struct nf_conntrack_tuple_mask *mask) 2906 { 2907 const struct nf_conntrack_l4proto *l4proto; 2908 struct nf_conntrack_tuple m; 2909 struct nlattr *nest_parms; 2910 int ret; 2911 2912 memset(&m, 0xFF, sizeof(m)); 2913 memcpy(&m.src.u3, &mask->src.u3, sizeof(m.src.u3)); 2914 m.src.u.all = mask->src.u.all; 2915 m.src.l3num = tuple->src.l3num; 2916 m.dst.protonum = tuple->dst.protonum; 2917 2918 nest_parms = nla_nest_start(skb, CTA_EXPECT_MASK); 2919 if (!nest_parms) 2920 goto nla_put_failure; 2921 2922 rcu_read_lock(); 2923 ret = ctnetlink_dump_tuples_ip(skb, &m); 2924 if (ret >= 0) { 2925 l4proto = nf_ct_l4proto_find(tuple->dst.protonum); 2926 ret = ctnetlink_dump_tuples_proto(skb, &m, l4proto); 2927 } 2928 rcu_read_unlock(); 2929 2930 if (unlikely(ret < 0)) 2931 goto nla_put_failure; 2932 2933 nla_nest_end(skb, nest_parms); 2934 2935 return 0; 2936 2937 nla_put_failure: 2938 return -1; 2939 } 2940 2941 static const union nf_inet_addr any_addr; 2942 2943 static __be32 nf_expect_get_id(const struct nf_conntrack_expect *exp) 2944 { 2945 static __read_mostly siphash_key_t exp_id_seed; 2946 unsigned long a, b, c, d; 2947 2948 net_get_random_once(&exp_id_seed, sizeof(exp_id_seed)); 2949 2950 a = (unsigned long)exp; 2951 b = (unsigned long)exp->helper; 2952 c = (unsigned long)exp->master; 2953 d = (unsigned long)siphash(&exp->tuple, sizeof(exp->tuple), &exp_id_seed); 2954 2955 #ifdef CONFIG_64BIT 2956 return (__force __be32)siphash_4u64((u64)a, (u64)b, (u64)c, (u64)d, &exp_id_seed); 2957 #else 2958 return (__force __be32)siphash_4u32((u32)a, (u32)b, (u32)c, (u32)d, &exp_id_seed); 2959 #endif 2960 } 2961 2962 static int 2963 ctnetlink_exp_dump_expect(struct sk_buff *skb, 2964 const struct nf_conntrack_expect *exp) 2965 { 2966 struct nf_conn *master = exp->master; 2967 long timeout = ((long)exp->timeout.expires - (long)jiffies) / HZ; 2968 struct nf_conn_help *help; 2969 #if IS_ENABLED(CONFIG_NF_NAT) 2970 struct nlattr *nest_parms; 2971 struct nf_conntrack_tuple nat_tuple = {}; 2972 #endif 2973 struct nf_ct_helper_expectfn *expfn; 2974 2975 if (timeout < 0) 2976 timeout = 0; 2977 2978 if (ctnetlink_exp_dump_tuple(skb, &exp->tuple, CTA_EXPECT_TUPLE) < 0) 2979 goto nla_put_failure; 2980 if (ctnetlink_exp_dump_mask(skb, &exp->tuple, &exp->mask) < 0) 2981 goto nla_put_failure; 2982 if (ctnetlink_exp_dump_tuple(skb, 2983 &master->tuplehash[IP_CT_DIR_ORIGINAL].tuple, 2984 CTA_EXPECT_MASTER) < 0) 2985 goto nla_put_failure; 2986 2987 #if IS_ENABLED(CONFIG_NF_NAT) 2988 if (!nf_inet_addr_cmp(&exp->saved_addr, &any_addr) || 2989 exp->saved_proto.all) { 2990 nest_parms = nla_nest_start(skb, CTA_EXPECT_NAT); 2991 if (!nest_parms) 2992 goto nla_put_failure; 2993 2994 if (nla_put_be32(skb, CTA_EXPECT_NAT_DIR, htonl(exp->dir))) 2995 goto nla_put_failure; 2996 2997 nat_tuple.src.l3num = nf_ct_l3num(master); 2998 nat_tuple.src.u3 = exp->saved_addr; 2999 nat_tuple.dst.protonum = nf_ct_protonum(master); 3000 nat_tuple.src.u = exp->saved_proto; 3001 3002 if (ctnetlink_exp_dump_tuple(skb, &nat_tuple, 3003 CTA_EXPECT_NAT_TUPLE) < 0) 3004 goto nla_put_failure; 3005 nla_nest_end(skb, nest_parms); 3006 } 3007 #endif 3008 if (nla_put_be32(skb, CTA_EXPECT_TIMEOUT, htonl(timeout)) || 3009 nla_put_be32(skb, CTA_EXPECT_ID, nf_expect_get_id(exp)) || 3010 nla_put_be32(skb, CTA_EXPECT_FLAGS, htonl(exp->flags)) || 3011 nla_put_be32(skb, CTA_EXPECT_CLASS, htonl(exp->class))) 3012 goto nla_put_failure; 3013 help = nfct_help(master); 3014 if (help) { 3015 struct nf_conntrack_helper *helper; 3016 3017 helper = rcu_dereference(help->helper); 3018 if (helper && 3019 nla_put_string(skb, CTA_EXPECT_HELP_NAME, helper->name)) 3020 goto nla_put_failure; 3021 } 3022 expfn = nf_ct_helper_expectfn_find_by_symbol(exp->expectfn); 3023 if (expfn != NULL && 3024 nla_put_string(skb, CTA_EXPECT_FN, expfn->name)) 3025 goto nla_put_failure; 3026 3027 return 0; 3028 3029 nla_put_failure: 3030 return -1; 3031 } 3032 3033 static int 3034 ctnetlink_exp_fill_info(struct sk_buff *skb, u32 portid, u32 seq, 3035 int event, const struct nf_conntrack_expect *exp) 3036 { 3037 struct nlmsghdr *nlh; 3038 unsigned int flags = portid ? NLM_F_MULTI : 0; 3039 3040 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_EXP, event); 3041 nlh = nfnl_msg_put(skb, portid, seq, event, flags, 3042 exp->tuple.src.l3num, NFNETLINK_V0, 0); 3043 if (!nlh) 3044 goto nlmsg_failure; 3045 3046 if (ctnetlink_exp_dump_expect(skb, exp) < 0) 3047 goto nla_put_failure; 3048 3049 nlmsg_end(skb, nlh); 3050 return skb->len; 3051 3052 nlmsg_failure: 3053 nla_put_failure: 3054 nlmsg_cancel(skb, nlh); 3055 return -1; 3056 } 3057 3058 #ifdef CONFIG_NF_CONNTRACK_EVENTS 3059 static int 3060 ctnetlink_expect_event(unsigned int events, struct nf_exp_event *item) 3061 { 3062 struct nf_conntrack_expect *exp = item->exp; 3063 struct net *net = nf_ct_exp_net(exp); 3064 struct nlmsghdr *nlh; 3065 struct sk_buff *skb; 3066 unsigned int type, group; 3067 int flags = 0; 3068 3069 if (events & (1 << IPEXP_DESTROY)) { 3070 type = IPCTNL_MSG_EXP_DELETE; 3071 group = NFNLGRP_CONNTRACK_EXP_DESTROY; 3072 } else if (events & (1 << IPEXP_NEW)) { 3073 type = IPCTNL_MSG_EXP_NEW; 3074 flags = NLM_F_CREATE|NLM_F_EXCL; 3075 group = NFNLGRP_CONNTRACK_EXP_NEW; 3076 } else 3077 return 0; 3078 3079 if (!item->report && !nfnetlink_has_listeners(net, group)) 3080 return 0; 3081 3082 skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC); 3083 if (skb == NULL) 3084 goto errout; 3085 3086 type = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_EXP, type); 3087 nlh = nfnl_msg_put(skb, item->portid, 0, type, flags, 3088 exp->tuple.src.l3num, NFNETLINK_V0, 0); 3089 if (!nlh) 3090 goto nlmsg_failure; 3091 3092 if (ctnetlink_exp_dump_expect(skb, exp) < 0) 3093 goto nla_put_failure; 3094 3095 nlmsg_end(skb, nlh); 3096 nfnetlink_send(skb, net, item->portid, group, item->report, GFP_ATOMIC); 3097 return 0; 3098 3099 nla_put_failure: 3100 nlmsg_cancel(skb, nlh); 3101 nlmsg_failure: 3102 kfree_skb(skb); 3103 errout: 3104 nfnetlink_set_err(net, 0, 0, -ENOBUFS); 3105 return 0; 3106 } 3107 #endif 3108 static int ctnetlink_exp_done(struct netlink_callback *cb) 3109 { 3110 if (cb->args[1]) 3111 nf_ct_expect_put((struct nf_conntrack_expect *)cb->args[1]); 3112 return 0; 3113 } 3114 3115 static int 3116 ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) 3117 { 3118 struct net *net = sock_net(skb->sk); 3119 struct nf_conntrack_expect *exp, *last; 3120 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 3121 u_int8_t l3proto = nfmsg->nfgen_family; 3122 3123 rcu_read_lock(); 3124 last = (struct nf_conntrack_expect *)cb->args[1]; 3125 for (; cb->args[0] < nf_ct_expect_hsize; cb->args[0]++) { 3126 restart: 3127 hlist_for_each_entry_rcu(exp, &nf_ct_expect_hash[cb->args[0]], 3128 hnode) { 3129 if (l3proto && exp->tuple.src.l3num != l3proto) 3130 continue; 3131 3132 if (!net_eq(nf_ct_net(exp->master), net)) 3133 continue; 3134 3135 if (cb->args[1]) { 3136 if (exp != last) 3137 continue; 3138 cb->args[1] = 0; 3139 } 3140 if (ctnetlink_exp_fill_info(skb, 3141 NETLINK_CB(cb->skb).portid, 3142 cb->nlh->nlmsg_seq, 3143 IPCTNL_MSG_EXP_NEW, 3144 exp) < 0) { 3145 if (!refcount_inc_not_zero(&exp->use)) 3146 continue; 3147 cb->args[1] = (unsigned long)exp; 3148 goto out; 3149 } 3150 } 3151 if (cb->args[1]) { 3152 cb->args[1] = 0; 3153 goto restart; 3154 } 3155 } 3156 out: 3157 rcu_read_unlock(); 3158 if (last) 3159 nf_ct_expect_put(last); 3160 3161 return skb->len; 3162 } 3163 3164 static int 3165 ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) 3166 { 3167 struct nf_conntrack_expect *exp, *last; 3168 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 3169 struct nf_conn *ct = cb->data; 3170 struct nf_conn_help *help = nfct_help(ct); 3171 u_int8_t l3proto = nfmsg->nfgen_family; 3172 3173 if (cb->args[0]) 3174 return 0; 3175 3176 rcu_read_lock(); 3177 last = (struct nf_conntrack_expect *)cb->args[1]; 3178 restart: 3179 hlist_for_each_entry_rcu(exp, &help->expectations, lnode) { 3180 if (l3proto && exp->tuple.src.l3num != l3proto) 3181 continue; 3182 if (cb->args[1]) { 3183 if (exp != last) 3184 continue; 3185 cb->args[1] = 0; 3186 } 3187 if (ctnetlink_exp_fill_info(skb, NETLINK_CB(cb->skb).portid, 3188 cb->nlh->nlmsg_seq, 3189 IPCTNL_MSG_EXP_NEW, 3190 exp) < 0) { 3191 if (!refcount_inc_not_zero(&exp->use)) 3192 continue; 3193 cb->args[1] = (unsigned long)exp; 3194 goto out; 3195 } 3196 } 3197 if (cb->args[1]) { 3198 cb->args[1] = 0; 3199 goto restart; 3200 } 3201 cb->args[0] = 1; 3202 out: 3203 rcu_read_unlock(); 3204 if (last) 3205 nf_ct_expect_put(last); 3206 3207 return skb->len; 3208 } 3209 3210 static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl, 3211 struct sk_buff *skb, 3212 const struct nlmsghdr *nlh, 3213 const struct nlattr * const cda[], 3214 struct netlink_ext_ack *extack) 3215 { 3216 int err; 3217 struct nfgenmsg *nfmsg = nlmsg_data(nlh); 3218 u_int8_t u3 = nfmsg->nfgen_family; 3219 struct nf_conntrack_tuple tuple; 3220 struct nf_conntrack_tuple_hash *h; 3221 struct nf_conn *ct; 3222 struct nf_conntrack_zone zone; 3223 struct netlink_dump_control c = { 3224 .dump = ctnetlink_exp_ct_dump_table, 3225 .done = ctnetlink_exp_done, 3226 }; 3227 3228 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER, 3229 u3, NULL); 3230 if (err < 0) 3231 return err; 3232 3233 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone); 3234 if (err < 0) 3235 return err; 3236 3237 h = nf_conntrack_find_get(net, &zone, &tuple); 3238 if (!h) 3239 return -ENOENT; 3240 3241 ct = nf_ct_tuplehash_to_ctrack(h); 3242 /* No expectation linked to this connection tracking. */ 3243 if (!nfct_help(ct)) { 3244 nf_ct_put(ct); 3245 return 0; 3246 } 3247 3248 c.data = ct; 3249 3250 err = netlink_dump_start(ctnl, skb, nlh, &c); 3251 nf_ct_put(ct); 3252 3253 return err; 3254 } 3255 3256 static int ctnetlink_get_expect(struct sk_buff *skb, 3257 const struct nfnl_info *info, 3258 const struct nlattr * const cda[]) 3259 { 3260 u_int8_t u3 = info->nfmsg->nfgen_family; 3261 struct nf_conntrack_tuple tuple; 3262 struct nf_conntrack_expect *exp; 3263 struct nf_conntrack_zone zone; 3264 struct sk_buff *skb2; 3265 int err; 3266 3267 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 3268 if (cda[CTA_EXPECT_MASTER]) 3269 return ctnetlink_dump_exp_ct(info->net, info->sk, skb, 3270 info->nlh, cda, 3271 info->extack); 3272 else { 3273 struct netlink_dump_control c = { 3274 .dump = ctnetlink_exp_dump_table, 3275 .done = ctnetlink_exp_done, 3276 }; 3277 return netlink_dump_start(info->sk, skb, info->nlh, &c); 3278 } 3279 } 3280 3281 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone); 3282 if (err < 0) 3283 return err; 3284 3285 if (cda[CTA_EXPECT_TUPLE]) 3286 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, 3287 u3, NULL); 3288 else if (cda[CTA_EXPECT_MASTER]) 3289 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER, 3290 u3, NULL); 3291 else 3292 return -EINVAL; 3293 3294 if (err < 0) 3295 return err; 3296 3297 exp = nf_ct_expect_find_get(info->net, &zone, &tuple); 3298 if (!exp) 3299 return -ENOENT; 3300 3301 if (cda[CTA_EXPECT_ID]) { 3302 __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]); 3303 3304 if (id != nf_expect_get_id(exp)) { 3305 nf_ct_expect_put(exp); 3306 return -ENOENT; 3307 } 3308 } 3309 3310 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); 3311 if (!skb2) { 3312 nf_ct_expect_put(exp); 3313 return -ENOMEM; 3314 } 3315 3316 rcu_read_lock(); 3317 err = ctnetlink_exp_fill_info(skb2, NETLINK_CB(skb).portid, 3318 info->nlh->nlmsg_seq, IPCTNL_MSG_EXP_NEW, 3319 exp); 3320 rcu_read_unlock(); 3321 nf_ct_expect_put(exp); 3322 if (err <= 0) { 3323 kfree_skb(skb2); 3324 return -ENOMEM; 3325 } 3326 3327 return nfnetlink_unicast(skb2, info->net, NETLINK_CB(skb).portid); 3328 } 3329 3330 static bool expect_iter_name(struct nf_conntrack_expect *exp, void *data) 3331 { 3332 const struct nf_conn_help *m_help; 3333 const char *name = data; 3334 3335 m_help = nfct_help(exp->master); 3336 3337 return strcmp(m_help->helper->name, name) == 0; 3338 } 3339 3340 static bool expect_iter_all(struct nf_conntrack_expect *exp, void *data) 3341 { 3342 return true; 3343 } 3344 3345 static int ctnetlink_del_expect(struct sk_buff *skb, 3346 const struct nfnl_info *info, 3347 const struct nlattr * const cda[]) 3348 { 3349 u_int8_t u3 = info->nfmsg->nfgen_family; 3350 struct nf_conntrack_expect *exp; 3351 struct nf_conntrack_tuple tuple; 3352 struct nf_conntrack_zone zone; 3353 int err; 3354 3355 if (cda[CTA_EXPECT_TUPLE]) { 3356 /* delete a single expect by tuple */ 3357 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone); 3358 if (err < 0) 3359 return err; 3360 3361 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, 3362 u3, NULL); 3363 if (err < 0) 3364 return err; 3365 3366 /* bump usage count to 2 */ 3367 exp = nf_ct_expect_find_get(info->net, &zone, &tuple); 3368 if (!exp) 3369 return -ENOENT; 3370 3371 if (cda[CTA_EXPECT_ID]) { 3372 __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]); 3373 if (ntohl(id) != (u32)(unsigned long)exp) { 3374 nf_ct_expect_put(exp); 3375 return -ENOENT; 3376 } 3377 } 3378 3379 /* after list removal, usage count == 1 */ 3380 spin_lock_bh(&nf_conntrack_expect_lock); 3381 if (del_timer(&exp->timeout)) { 3382 nf_ct_unlink_expect_report(exp, NETLINK_CB(skb).portid, 3383 nlmsg_report(info->nlh)); 3384 nf_ct_expect_put(exp); 3385 } 3386 spin_unlock_bh(&nf_conntrack_expect_lock); 3387 /* have to put what we 'get' above. 3388 * after this line usage count == 0 */ 3389 nf_ct_expect_put(exp); 3390 } else if (cda[CTA_EXPECT_HELP_NAME]) { 3391 char *name = nla_data(cda[CTA_EXPECT_HELP_NAME]); 3392 3393 nf_ct_expect_iterate_net(info->net, expect_iter_name, name, 3394 NETLINK_CB(skb).portid, 3395 nlmsg_report(info->nlh)); 3396 } else { 3397 /* This basically means we have to flush everything*/ 3398 nf_ct_expect_iterate_net(info->net, expect_iter_all, NULL, 3399 NETLINK_CB(skb).portid, 3400 nlmsg_report(info->nlh)); 3401 } 3402 3403 return 0; 3404 } 3405 static int 3406 ctnetlink_change_expect(struct nf_conntrack_expect *x, 3407 const struct nlattr * const cda[]) 3408 { 3409 if (cda[CTA_EXPECT_TIMEOUT]) { 3410 if (!del_timer(&x->timeout)) 3411 return -ETIME; 3412 3413 x->timeout.expires = jiffies + 3414 ntohl(nla_get_be32(cda[CTA_EXPECT_TIMEOUT])) * HZ; 3415 add_timer(&x->timeout); 3416 } 3417 return 0; 3418 } 3419 3420 static const struct nla_policy exp_nat_nla_policy[CTA_EXPECT_NAT_MAX+1] = { 3421 [CTA_EXPECT_NAT_DIR] = { .type = NLA_U32 }, 3422 [CTA_EXPECT_NAT_TUPLE] = { .type = NLA_NESTED }, 3423 }; 3424 3425 static int 3426 ctnetlink_parse_expect_nat(const struct nlattr *attr, 3427 struct nf_conntrack_expect *exp, 3428 u_int8_t u3) 3429 { 3430 #if IS_ENABLED(CONFIG_NF_NAT) 3431 struct nlattr *tb[CTA_EXPECT_NAT_MAX+1]; 3432 struct nf_conntrack_tuple nat_tuple = {}; 3433 int err; 3434 3435 err = nla_parse_nested_deprecated(tb, CTA_EXPECT_NAT_MAX, attr, 3436 exp_nat_nla_policy, NULL); 3437 if (err < 0) 3438 return err; 3439 3440 if (!tb[CTA_EXPECT_NAT_DIR] || !tb[CTA_EXPECT_NAT_TUPLE]) 3441 return -EINVAL; 3442 3443 err = ctnetlink_parse_tuple((const struct nlattr * const *)tb, 3444 &nat_tuple, CTA_EXPECT_NAT_TUPLE, 3445 u3, NULL); 3446 if (err < 0) 3447 return err; 3448 3449 exp->saved_addr = nat_tuple.src.u3; 3450 exp->saved_proto = nat_tuple.src.u; 3451 exp->dir = ntohl(nla_get_be32(tb[CTA_EXPECT_NAT_DIR])); 3452 3453 return 0; 3454 #else 3455 return -EOPNOTSUPP; 3456 #endif 3457 } 3458 3459 static struct nf_conntrack_expect * 3460 ctnetlink_alloc_expect(const struct nlattr * const cda[], struct nf_conn *ct, 3461 struct nf_conntrack_helper *helper, 3462 struct nf_conntrack_tuple *tuple, 3463 struct nf_conntrack_tuple *mask) 3464 { 3465 u_int32_t class = 0; 3466 struct nf_conntrack_expect *exp; 3467 struct nf_conn_help *help; 3468 int err; 3469 3470 help = nfct_help(ct); 3471 if (!help) 3472 return ERR_PTR(-EOPNOTSUPP); 3473 3474 if (cda[CTA_EXPECT_CLASS] && helper) { 3475 class = ntohl(nla_get_be32(cda[CTA_EXPECT_CLASS])); 3476 if (class > helper->expect_class_max) 3477 return ERR_PTR(-EINVAL); 3478 } 3479 exp = nf_ct_expect_alloc(ct); 3480 if (!exp) 3481 return ERR_PTR(-ENOMEM); 3482 3483 if (cda[CTA_EXPECT_FLAGS]) { 3484 exp->flags = ntohl(nla_get_be32(cda[CTA_EXPECT_FLAGS])); 3485 exp->flags &= ~NF_CT_EXPECT_USERSPACE; 3486 } else { 3487 exp->flags = 0; 3488 } 3489 if (cda[CTA_EXPECT_FN]) { 3490 const char *name = nla_data(cda[CTA_EXPECT_FN]); 3491 struct nf_ct_helper_expectfn *expfn; 3492 3493 expfn = nf_ct_helper_expectfn_find_by_name(name); 3494 if (expfn == NULL) { 3495 err = -EINVAL; 3496 goto err_out; 3497 } 3498 exp->expectfn = expfn->expectfn; 3499 } else 3500 exp->expectfn = NULL; 3501 3502 exp->class = class; 3503 exp->master = ct; 3504 exp->helper = helper; 3505 exp->tuple = *tuple; 3506 exp->mask.src.u3 = mask->src.u3; 3507 exp->mask.src.u.all = mask->src.u.all; 3508 3509 if (cda[CTA_EXPECT_NAT]) { 3510 err = ctnetlink_parse_expect_nat(cda[CTA_EXPECT_NAT], 3511 exp, nf_ct_l3num(ct)); 3512 if (err < 0) 3513 goto err_out; 3514 } 3515 return exp; 3516 err_out: 3517 nf_ct_expect_put(exp); 3518 return ERR_PTR(err); 3519 } 3520 3521 static int 3522 ctnetlink_create_expect(struct net *net, 3523 const struct nf_conntrack_zone *zone, 3524 const struct nlattr * const cda[], 3525 u_int8_t u3, u32 portid, int report) 3526 { 3527 struct nf_conntrack_tuple tuple, mask, master_tuple; 3528 struct nf_conntrack_tuple_hash *h = NULL; 3529 struct nf_conntrack_helper *helper = NULL; 3530 struct nf_conntrack_expect *exp; 3531 struct nf_conn *ct; 3532 int err; 3533 3534 /* caller guarantees that those three CTA_EXPECT_* exist */ 3535 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, 3536 u3, NULL); 3537 if (err < 0) 3538 return err; 3539 err = ctnetlink_parse_tuple(cda, &mask, CTA_EXPECT_MASK, 3540 u3, NULL); 3541 if (err < 0) 3542 return err; 3543 err = ctnetlink_parse_tuple(cda, &master_tuple, CTA_EXPECT_MASTER, 3544 u3, NULL); 3545 if (err < 0) 3546 return err; 3547 3548 /* Look for master conntrack of this expectation */ 3549 h = nf_conntrack_find_get(net, zone, &master_tuple); 3550 if (!h) 3551 return -ENOENT; 3552 ct = nf_ct_tuplehash_to_ctrack(h); 3553 3554 rcu_read_lock(); 3555 if (cda[CTA_EXPECT_HELP_NAME]) { 3556 const char *helpname = nla_data(cda[CTA_EXPECT_HELP_NAME]); 3557 3558 helper = __nf_conntrack_helper_find(helpname, u3, 3559 nf_ct_protonum(ct)); 3560 if (helper == NULL) { 3561 rcu_read_unlock(); 3562 #ifdef CONFIG_MODULES 3563 if (request_module("nfct-helper-%s", helpname) < 0) { 3564 err = -EOPNOTSUPP; 3565 goto err_ct; 3566 } 3567 rcu_read_lock(); 3568 helper = __nf_conntrack_helper_find(helpname, u3, 3569 nf_ct_protonum(ct)); 3570 if (helper) { 3571 err = -EAGAIN; 3572 goto err_rcu; 3573 } 3574 rcu_read_unlock(); 3575 #endif 3576 err = -EOPNOTSUPP; 3577 goto err_ct; 3578 } 3579 } 3580 3581 exp = ctnetlink_alloc_expect(cda, ct, helper, &tuple, &mask); 3582 if (IS_ERR(exp)) { 3583 err = PTR_ERR(exp); 3584 goto err_rcu; 3585 } 3586 3587 err = nf_ct_expect_related_report(exp, portid, report, 0); 3588 nf_ct_expect_put(exp); 3589 err_rcu: 3590 rcu_read_unlock(); 3591 err_ct: 3592 nf_ct_put(ct); 3593 return err; 3594 } 3595 3596 static int ctnetlink_new_expect(struct sk_buff *skb, 3597 const struct nfnl_info *info, 3598 const struct nlattr * const cda[]) 3599 { 3600 u_int8_t u3 = info->nfmsg->nfgen_family; 3601 struct nf_conntrack_tuple tuple; 3602 struct nf_conntrack_expect *exp; 3603 struct nf_conntrack_zone zone; 3604 int err; 3605 3606 if (!cda[CTA_EXPECT_TUPLE] 3607 || !cda[CTA_EXPECT_MASK] 3608 || !cda[CTA_EXPECT_MASTER]) 3609 return -EINVAL; 3610 3611 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone); 3612 if (err < 0) 3613 return err; 3614 3615 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, 3616 u3, NULL); 3617 if (err < 0) 3618 return err; 3619 3620 spin_lock_bh(&nf_conntrack_expect_lock); 3621 exp = __nf_ct_expect_find(info->net, &zone, &tuple); 3622 if (!exp) { 3623 spin_unlock_bh(&nf_conntrack_expect_lock); 3624 err = -ENOENT; 3625 if (info->nlh->nlmsg_flags & NLM_F_CREATE) { 3626 err = ctnetlink_create_expect(info->net, &zone, cda, u3, 3627 NETLINK_CB(skb).portid, 3628 nlmsg_report(info->nlh)); 3629 } 3630 return err; 3631 } 3632 3633 err = -EEXIST; 3634 if (!(info->nlh->nlmsg_flags & NLM_F_EXCL)) 3635 err = ctnetlink_change_expect(exp, cda); 3636 spin_unlock_bh(&nf_conntrack_expect_lock); 3637 3638 return err; 3639 } 3640 3641 static int 3642 ctnetlink_exp_stat_fill_info(struct sk_buff *skb, u32 portid, u32 seq, int cpu, 3643 const struct ip_conntrack_stat *st) 3644 { 3645 struct nlmsghdr *nlh; 3646 unsigned int flags = portid ? NLM_F_MULTI : 0, event; 3647 3648 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, 3649 IPCTNL_MSG_EXP_GET_STATS_CPU); 3650 nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC, 3651 NFNETLINK_V0, htons(cpu)); 3652 if (!nlh) 3653 goto nlmsg_failure; 3654 3655 if (nla_put_be32(skb, CTA_STATS_EXP_NEW, htonl(st->expect_new)) || 3656 nla_put_be32(skb, CTA_STATS_EXP_CREATE, htonl(st->expect_create)) || 3657 nla_put_be32(skb, CTA_STATS_EXP_DELETE, htonl(st->expect_delete))) 3658 goto nla_put_failure; 3659 3660 nlmsg_end(skb, nlh); 3661 return skb->len; 3662 3663 nla_put_failure: 3664 nlmsg_failure: 3665 nlmsg_cancel(skb, nlh); 3666 return -1; 3667 } 3668 3669 static int 3670 ctnetlink_exp_stat_cpu_dump(struct sk_buff *skb, struct netlink_callback *cb) 3671 { 3672 int cpu; 3673 struct net *net = sock_net(skb->sk); 3674 3675 if (cb->args[0] == nr_cpu_ids) 3676 return 0; 3677 3678 for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) { 3679 const struct ip_conntrack_stat *st; 3680 3681 if (!cpu_possible(cpu)) 3682 continue; 3683 3684 st = per_cpu_ptr(net->ct.stat, cpu); 3685 if (ctnetlink_exp_stat_fill_info(skb, NETLINK_CB(cb->skb).portid, 3686 cb->nlh->nlmsg_seq, 3687 cpu, st) < 0) 3688 break; 3689 } 3690 cb->args[0] = cpu; 3691 3692 return skb->len; 3693 } 3694 3695 static int ctnetlink_stat_exp_cpu(struct sk_buff *skb, 3696 const struct nfnl_info *info, 3697 const struct nlattr * const cda[]) 3698 { 3699 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 3700 struct netlink_dump_control c = { 3701 .dump = ctnetlink_exp_stat_cpu_dump, 3702 }; 3703 return netlink_dump_start(info->sk, skb, info->nlh, &c); 3704 } 3705 3706 return 0; 3707 } 3708 3709 #ifdef CONFIG_NF_CONNTRACK_EVENTS 3710 static struct nf_ct_event_notifier ctnl_notifier = { 3711 .fcn = ctnetlink_conntrack_event, 3712 }; 3713 3714 static struct nf_exp_event_notifier ctnl_notifier_exp = { 3715 .fcn = ctnetlink_expect_event, 3716 }; 3717 #endif 3718 3719 static const struct nfnl_callback ctnl_cb[IPCTNL_MSG_MAX] = { 3720 [IPCTNL_MSG_CT_NEW] = { 3721 .call = ctnetlink_new_conntrack, 3722 .type = NFNL_CB_MUTEX, 3723 .attr_count = CTA_MAX, 3724 .policy = ct_nla_policy 3725 }, 3726 [IPCTNL_MSG_CT_GET] = { 3727 .call = ctnetlink_get_conntrack, 3728 .type = NFNL_CB_MUTEX, 3729 .attr_count = CTA_MAX, 3730 .policy = ct_nla_policy 3731 }, 3732 [IPCTNL_MSG_CT_DELETE] = { 3733 .call = ctnetlink_del_conntrack, 3734 .type = NFNL_CB_MUTEX, 3735 .attr_count = CTA_MAX, 3736 .policy = ct_nla_policy 3737 }, 3738 [IPCTNL_MSG_CT_GET_CTRZERO] = { 3739 .call = ctnetlink_get_conntrack, 3740 .type = NFNL_CB_MUTEX, 3741 .attr_count = CTA_MAX, 3742 .policy = ct_nla_policy 3743 }, 3744 [IPCTNL_MSG_CT_GET_STATS_CPU] = { 3745 .call = ctnetlink_stat_ct_cpu, 3746 .type = NFNL_CB_MUTEX, 3747 }, 3748 [IPCTNL_MSG_CT_GET_STATS] = { 3749 .call = ctnetlink_stat_ct, 3750 .type = NFNL_CB_MUTEX, 3751 }, 3752 [IPCTNL_MSG_CT_GET_DYING] = { 3753 .call = ctnetlink_get_ct_dying, 3754 .type = NFNL_CB_MUTEX, 3755 }, 3756 [IPCTNL_MSG_CT_GET_UNCONFIRMED] = { 3757 .call = ctnetlink_get_ct_unconfirmed, 3758 .type = NFNL_CB_MUTEX, 3759 }, 3760 }; 3761 3762 static const struct nfnl_callback ctnl_exp_cb[IPCTNL_MSG_EXP_MAX] = { 3763 [IPCTNL_MSG_EXP_GET] = { 3764 .call = ctnetlink_get_expect, 3765 .type = NFNL_CB_MUTEX, 3766 .attr_count = CTA_EXPECT_MAX, 3767 .policy = exp_nla_policy 3768 }, 3769 [IPCTNL_MSG_EXP_NEW] = { 3770 .call = ctnetlink_new_expect, 3771 .type = NFNL_CB_MUTEX, 3772 .attr_count = CTA_EXPECT_MAX, 3773 .policy = exp_nla_policy 3774 }, 3775 [IPCTNL_MSG_EXP_DELETE] = { 3776 .call = ctnetlink_del_expect, 3777 .type = NFNL_CB_MUTEX, 3778 .attr_count = CTA_EXPECT_MAX, 3779 .policy = exp_nla_policy 3780 }, 3781 [IPCTNL_MSG_EXP_GET_STATS_CPU] = { 3782 .call = ctnetlink_stat_exp_cpu, 3783 .type = NFNL_CB_MUTEX, 3784 }, 3785 }; 3786 3787 static const struct nfnetlink_subsystem ctnl_subsys = { 3788 .name = "conntrack", 3789 .subsys_id = NFNL_SUBSYS_CTNETLINK, 3790 .cb_count = IPCTNL_MSG_MAX, 3791 .cb = ctnl_cb, 3792 }; 3793 3794 static const struct nfnetlink_subsystem ctnl_exp_subsys = { 3795 .name = "conntrack_expect", 3796 .subsys_id = NFNL_SUBSYS_CTNETLINK_EXP, 3797 .cb_count = IPCTNL_MSG_EXP_MAX, 3798 .cb = ctnl_exp_cb, 3799 }; 3800 3801 MODULE_ALIAS("ip_conntrack_netlink"); 3802 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK); 3803 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK_EXP); 3804 3805 static int __net_init ctnetlink_net_init(struct net *net) 3806 { 3807 #ifdef CONFIG_NF_CONNTRACK_EVENTS 3808 int ret; 3809 3810 ret = nf_conntrack_register_notifier(net, &ctnl_notifier); 3811 if (ret < 0) { 3812 pr_err("ctnetlink_init: cannot register notifier.\n"); 3813 goto err_out; 3814 } 3815 3816 ret = nf_ct_expect_register_notifier(net, &ctnl_notifier_exp); 3817 if (ret < 0) { 3818 pr_err("ctnetlink_init: cannot expect register notifier.\n"); 3819 goto err_unreg_notifier; 3820 } 3821 #endif 3822 return 0; 3823 3824 #ifdef CONFIG_NF_CONNTRACK_EVENTS 3825 err_unreg_notifier: 3826 nf_conntrack_unregister_notifier(net, &ctnl_notifier); 3827 err_out: 3828 return ret; 3829 #endif 3830 } 3831 3832 static void ctnetlink_net_exit(struct net *net) 3833 { 3834 #ifdef CONFIG_NF_CONNTRACK_EVENTS 3835 nf_ct_expect_unregister_notifier(net, &ctnl_notifier_exp); 3836 nf_conntrack_unregister_notifier(net, &ctnl_notifier); 3837 #endif 3838 } 3839 3840 static void __net_exit ctnetlink_net_exit_batch(struct list_head *net_exit_list) 3841 { 3842 struct net *net; 3843 3844 list_for_each_entry(net, net_exit_list, exit_list) 3845 ctnetlink_net_exit(net); 3846 3847 /* wait for other cpus until they are done with ctnl_notifiers */ 3848 synchronize_rcu(); 3849 } 3850 3851 static struct pernet_operations ctnetlink_net_ops = { 3852 .init = ctnetlink_net_init, 3853 .exit_batch = ctnetlink_net_exit_batch, 3854 }; 3855 3856 static int __init ctnetlink_init(void) 3857 { 3858 int ret; 3859 3860 ret = nfnetlink_subsys_register(&ctnl_subsys); 3861 if (ret < 0) { 3862 pr_err("ctnetlink_init: cannot register with nfnetlink.\n"); 3863 goto err_out; 3864 } 3865 3866 ret = nfnetlink_subsys_register(&ctnl_exp_subsys); 3867 if (ret < 0) { 3868 pr_err("ctnetlink_init: cannot register exp with nfnetlink.\n"); 3869 goto err_unreg_subsys; 3870 } 3871 3872 ret = register_pernet_subsys(&ctnetlink_net_ops); 3873 if (ret < 0) { 3874 pr_err("ctnetlink_init: cannot register pernet operations\n"); 3875 goto err_unreg_exp_subsys; 3876 } 3877 #ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT 3878 /* setup interaction between nf_queue and nf_conntrack_netlink. */ 3879 RCU_INIT_POINTER(nfnl_ct_hook, &ctnetlink_glue_hook); 3880 #endif 3881 return 0; 3882 3883 err_unreg_exp_subsys: 3884 nfnetlink_subsys_unregister(&ctnl_exp_subsys); 3885 err_unreg_subsys: 3886 nfnetlink_subsys_unregister(&ctnl_subsys); 3887 err_out: 3888 return ret; 3889 } 3890 3891 static void __exit ctnetlink_exit(void) 3892 { 3893 unregister_pernet_subsys(&ctnetlink_net_ops); 3894 nfnetlink_subsys_unregister(&ctnl_exp_subsys); 3895 nfnetlink_subsys_unregister(&ctnl_subsys); 3896 #ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT 3897 RCU_INIT_POINTER(nfnl_ct_hook, NULL); 3898 #endif 3899 synchronize_rcu(); 3900 } 3901 3902 module_init(ctnetlink_init); 3903 module_exit(ctnetlink_exit); 3904