1 /* Connection tracking via netlink socket. Allows for user space 2 * protocol helpers and general trouble making from userspace. 3 * 4 * (C) 2001 by Jay Schulist <jschlst@samba.org> 5 * (C) 2002-2006 by Harald Welte <laforge@gnumonks.org> 6 * (C) 2003 by Patrick Mchardy <kaber@trash.net> 7 * (C) 2005-2012 by Pablo Neira Ayuso <pablo@netfilter.org> 8 * 9 * Initial connection tracking via netlink development funded and 10 * generally made possible by Network Robots, Inc. (www.networkrobots.com) 11 * 12 * Further development of this code funded by Astaro AG (http://www.astaro.com) 13 * 14 * This software may be used and distributed according to the terms 15 * of the GNU General Public License, incorporated herein by reference. 16 */ 17 18 #include <linux/init.h> 19 #include <linux/module.h> 20 #include <linux/kernel.h> 21 #include <linux/rculist.h> 22 #include <linux/rculist_nulls.h> 23 #include <linux/types.h> 24 #include <linux/timer.h> 25 #include <linux/security.h> 26 #include <linux/skbuff.h> 27 #include <linux/errno.h> 28 #include <linux/netlink.h> 29 #include <linux/spinlock.h> 30 #include <linux/interrupt.h> 31 #include <linux/slab.h> 32 33 #include <linux/netfilter.h> 34 #include <net/netlink.h> 35 #include <net/sock.h> 36 #include <net/netfilter/nf_conntrack.h> 37 #include <net/netfilter/nf_conntrack_core.h> 38 #include <net/netfilter/nf_conntrack_expect.h> 39 #include <net/netfilter/nf_conntrack_helper.h> 40 #include <net/netfilter/nf_conntrack_seqadj.h> 41 #include <net/netfilter/nf_conntrack_l3proto.h> 42 #include <net/netfilter/nf_conntrack_l4proto.h> 43 #include <net/netfilter/nf_conntrack_tuple.h> 44 #include <net/netfilter/nf_conntrack_acct.h> 45 #include <net/netfilter/nf_conntrack_zones.h> 46 #include <net/netfilter/nf_conntrack_timestamp.h> 47 #include <net/netfilter/nf_conntrack_labels.h> 48 #ifdef CONFIG_NF_NAT_NEEDED 49 #include <net/netfilter/nf_nat_core.h> 50 #include <net/netfilter/nf_nat_l4proto.h> 51 #include 
<net/netfilter/nf_nat_helper.h> 52 #endif 53 54 #include <linux/netfilter/nfnetlink.h> 55 #include <linux/netfilter/nfnetlink_conntrack.h> 56 57 MODULE_LICENSE("GPL"); 58 59 static char __initdata version[] = "0.93"; 60 61 static inline int 62 ctnetlink_dump_tuples_proto(struct sk_buff *skb, 63 const struct nf_conntrack_tuple *tuple, 64 struct nf_conntrack_l4proto *l4proto) 65 { 66 int ret = 0; 67 struct nlattr *nest_parms; 68 69 nest_parms = nla_nest_start(skb, CTA_TUPLE_PROTO | NLA_F_NESTED); 70 if (!nest_parms) 71 goto nla_put_failure; 72 if (nla_put_u8(skb, CTA_PROTO_NUM, tuple->dst.protonum)) 73 goto nla_put_failure; 74 75 if (likely(l4proto->tuple_to_nlattr)) 76 ret = l4proto->tuple_to_nlattr(skb, tuple); 77 78 nla_nest_end(skb, nest_parms); 79 80 return ret; 81 82 nla_put_failure: 83 return -1; 84 } 85 86 static inline int 87 ctnetlink_dump_tuples_ip(struct sk_buff *skb, 88 const struct nf_conntrack_tuple *tuple, 89 struct nf_conntrack_l3proto *l3proto) 90 { 91 int ret = 0; 92 struct nlattr *nest_parms; 93 94 nest_parms = nla_nest_start(skb, CTA_TUPLE_IP | NLA_F_NESTED); 95 if (!nest_parms) 96 goto nla_put_failure; 97 98 if (likely(l3proto->tuple_to_nlattr)) 99 ret = l3proto->tuple_to_nlattr(skb, tuple); 100 101 nla_nest_end(skb, nest_parms); 102 103 return ret; 104 105 nla_put_failure: 106 return -1; 107 } 108 109 static int 110 ctnetlink_dump_tuples(struct sk_buff *skb, 111 const struct nf_conntrack_tuple *tuple) 112 { 113 int ret; 114 struct nf_conntrack_l3proto *l3proto; 115 struct nf_conntrack_l4proto *l4proto; 116 117 rcu_read_lock(); 118 l3proto = __nf_ct_l3proto_find(tuple->src.l3num); 119 ret = ctnetlink_dump_tuples_ip(skb, tuple, l3proto); 120 121 if (ret >= 0) { 122 l4proto = __nf_ct_l4proto_find(tuple->src.l3num, 123 tuple->dst.protonum); 124 ret = ctnetlink_dump_tuples_proto(skb, tuple, l4proto); 125 } 126 rcu_read_unlock(); 127 return ret; 128 } 129 130 static inline int 131 ctnetlink_dump_zone_id(struct sk_buff *skb, int attrtype, 132 const 
struct nf_conntrack_zone *zone, int dir) 133 { 134 if (zone->id == NF_CT_DEFAULT_ZONE_ID || zone->dir != dir) 135 return 0; 136 if (nla_put_be16(skb, attrtype, htons(zone->id))) 137 goto nla_put_failure; 138 return 0; 139 140 nla_put_failure: 141 return -1; 142 } 143 144 static inline int 145 ctnetlink_dump_status(struct sk_buff *skb, const struct nf_conn *ct) 146 { 147 if (nla_put_be32(skb, CTA_STATUS, htonl(ct->status))) 148 goto nla_put_failure; 149 return 0; 150 151 nla_put_failure: 152 return -1; 153 } 154 155 static inline int 156 ctnetlink_dump_timeout(struct sk_buff *skb, const struct nf_conn *ct) 157 { 158 long timeout = ((long)ct->timeout.expires - (long)jiffies) / HZ; 159 160 if (timeout < 0) 161 timeout = 0; 162 163 if (nla_put_be32(skb, CTA_TIMEOUT, htonl(timeout))) 164 goto nla_put_failure; 165 return 0; 166 167 nla_put_failure: 168 return -1; 169 } 170 171 static inline int 172 ctnetlink_dump_protoinfo(struct sk_buff *skb, struct nf_conn *ct) 173 { 174 struct nf_conntrack_l4proto *l4proto; 175 struct nlattr *nest_proto; 176 int ret; 177 178 l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct)); 179 if (!l4proto->to_nlattr) 180 return 0; 181 182 nest_proto = nla_nest_start(skb, CTA_PROTOINFO | NLA_F_NESTED); 183 if (!nest_proto) 184 goto nla_put_failure; 185 186 ret = l4proto->to_nlattr(skb, nest_proto, ct); 187 188 nla_nest_end(skb, nest_proto); 189 190 return ret; 191 192 nla_put_failure: 193 return -1; 194 } 195 196 static inline int 197 ctnetlink_dump_helpinfo(struct sk_buff *skb, const struct nf_conn *ct) 198 { 199 struct nlattr *nest_helper; 200 const struct nf_conn_help *help = nfct_help(ct); 201 struct nf_conntrack_helper *helper; 202 203 if (!help) 204 return 0; 205 206 helper = rcu_dereference(help->helper); 207 if (!helper) 208 goto out; 209 210 nest_helper = nla_nest_start(skb, CTA_HELP | NLA_F_NESTED); 211 if (!nest_helper) 212 goto nla_put_failure; 213 if (nla_put_string(skb, CTA_HELP_NAME, helper->name)) 214 goto 
nla_put_failure; 215 216 if (helper->to_nlattr) 217 helper->to_nlattr(skb, ct); 218 219 nla_nest_end(skb, nest_helper); 220 out: 221 return 0; 222 223 nla_put_failure: 224 return -1; 225 } 226 227 static int 228 dump_counters(struct sk_buff *skb, struct nf_conn_acct *acct, 229 enum ip_conntrack_dir dir, int type) 230 { 231 enum ctattr_type attr = dir ? CTA_COUNTERS_REPLY: CTA_COUNTERS_ORIG; 232 struct nf_conn_counter *counter = acct->counter; 233 struct nlattr *nest_count; 234 u64 pkts, bytes; 235 236 if (type == IPCTNL_MSG_CT_GET_CTRZERO) { 237 pkts = atomic64_xchg(&counter[dir].packets, 0); 238 bytes = atomic64_xchg(&counter[dir].bytes, 0); 239 } else { 240 pkts = atomic64_read(&counter[dir].packets); 241 bytes = atomic64_read(&counter[dir].bytes); 242 } 243 244 nest_count = nla_nest_start(skb, attr | NLA_F_NESTED); 245 if (!nest_count) 246 goto nla_put_failure; 247 248 if (nla_put_be64(skb, CTA_COUNTERS_PACKETS, cpu_to_be64(pkts)) || 249 nla_put_be64(skb, CTA_COUNTERS_BYTES, cpu_to_be64(bytes))) 250 goto nla_put_failure; 251 252 nla_nest_end(skb, nest_count); 253 254 return 0; 255 256 nla_put_failure: 257 return -1; 258 } 259 260 static int 261 ctnetlink_dump_acct(struct sk_buff *skb, const struct nf_conn *ct, int type) 262 { 263 struct nf_conn_acct *acct = nf_conn_acct_find(ct); 264 265 if (!acct) 266 return 0; 267 268 if (dump_counters(skb, acct, IP_CT_DIR_ORIGINAL, type) < 0) 269 return -1; 270 if (dump_counters(skb, acct, IP_CT_DIR_REPLY, type) < 0) 271 return -1; 272 273 return 0; 274 } 275 276 static int 277 ctnetlink_dump_timestamp(struct sk_buff *skb, const struct nf_conn *ct) 278 { 279 struct nlattr *nest_count; 280 const struct nf_conn_tstamp *tstamp; 281 282 tstamp = nf_conn_tstamp_find(ct); 283 if (!tstamp) 284 return 0; 285 286 nest_count = nla_nest_start(skb, CTA_TIMESTAMP | NLA_F_NESTED); 287 if (!nest_count) 288 goto nla_put_failure; 289 290 if (nla_put_be64(skb, CTA_TIMESTAMP_START, cpu_to_be64(tstamp->start)) || 291 (tstamp->stop != 0 && 
nla_put_be64(skb, CTA_TIMESTAMP_STOP, 292 cpu_to_be64(tstamp->stop)))) 293 goto nla_put_failure; 294 nla_nest_end(skb, nest_count); 295 296 return 0; 297 298 nla_put_failure: 299 return -1; 300 } 301 302 #ifdef CONFIG_NF_CONNTRACK_MARK 303 static inline int 304 ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct) 305 { 306 if (nla_put_be32(skb, CTA_MARK, htonl(ct->mark))) 307 goto nla_put_failure; 308 return 0; 309 310 nla_put_failure: 311 return -1; 312 } 313 #else 314 #define ctnetlink_dump_mark(a, b) (0) 315 #endif 316 317 #ifdef CONFIG_NF_CONNTRACK_SECMARK 318 static inline int 319 ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) 320 { 321 struct nlattr *nest_secctx; 322 int len, ret; 323 char *secctx; 324 325 ret = security_secid_to_secctx(ct->secmark, &secctx, &len); 326 if (ret) 327 return 0; 328 329 ret = -1; 330 nest_secctx = nla_nest_start(skb, CTA_SECCTX | NLA_F_NESTED); 331 if (!nest_secctx) 332 goto nla_put_failure; 333 334 if (nla_put_string(skb, CTA_SECCTX_NAME, secctx)) 335 goto nla_put_failure; 336 nla_nest_end(skb, nest_secctx); 337 338 ret = 0; 339 nla_put_failure: 340 security_release_secctx(secctx, len); 341 return ret; 342 } 343 #else 344 #define ctnetlink_dump_secctx(a, b) (0) 345 #endif 346 347 #ifdef CONFIG_NF_CONNTRACK_LABELS 348 static int ctnetlink_label_size(const struct nf_conn *ct) 349 { 350 struct nf_conn_labels *labels = nf_ct_labels_find(ct); 351 352 if (!labels) 353 return 0; 354 return nla_total_size(labels->words * sizeof(long)); 355 } 356 357 static int 358 ctnetlink_dump_labels(struct sk_buff *skb, const struct nf_conn *ct) 359 { 360 struct nf_conn_labels *labels = nf_ct_labels_find(ct); 361 unsigned int len, i; 362 363 if (!labels) 364 return 0; 365 366 len = labels->words * sizeof(long); 367 i = 0; 368 do { 369 if (labels->bits[i] != 0) 370 return nla_put(skb, CTA_LABELS, len, labels->bits); 371 i++; 372 } while (i < labels->words); 373 374 return 0; 375 } 376 #else 377 #define 
ctnetlink_dump_labels(a, b) (0) 378 #define ctnetlink_label_size(a) (0) 379 #endif 380 381 #define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple) 382 383 static inline int 384 ctnetlink_dump_master(struct sk_buff *skb, const struct nf_conn *ct) 385 { 386 struct nlattr *nest_parms; 387 388 if (!(ct->status & IPS_EXPECTED)) 389 return 0; 390 391 nest_parms = nla_nest_start(skb, CTA_TUPLE_MASTER | NLA_F_NESTED); 392 if (!nest_parms) 393 goto nla_put_failure; 394 if (ctnetlink_dump_tuples(skb, master_tuple(ct)) < 0) 395 goto nla_put_failure; 396 nla_nest_end(skb, nest_parms); 397 398 return 0; 399 400 nla_put_failure: 401 return -1; 402 } 403 404 static int 405 dump_ct_seq_adj(struct sk_buff *skb, const struct nf_ct_seqadj *seq, int type) 406 { 407 struct nlattr *nest_parms; 408 409 nest_parms = nla_nest_start(skb, type | NLA_F_NESTED); 410 if (!nest_parms) 411 goto nla_put_failure; 412 413 if (nla_put_be32(skb, CTA_SEQADJ_CORRECTION_POS, 414 htonl(seq->correction_pos)) || 415 nla_put_be32(skb, CTA_SEQADJ_OFFSET_BEFORE, 416 htonl(seq->offset_before)) || 417 nla_put_be32(skb, CTA_SEQADJ_OFFSET_AFTER, 418 htonl(seq->offset_after))) 419 goto nla_put_failure; 420 421 nla_nest_end(skb, nest_parms); 422 423 return 0; 424 425 nla_put_failure: 426 return -1; 427 } 428 429 static inline int 430 ctnetlink_dump_ct_seq_adj(struct sk_buff *skb, const struct nf_conn *ct) 431 { 432 struct nf_conn_seqadj *seqadj = nfct_seqadj(ct); 433 struct nf_ct_seqadj *seq; 434 435 if (!(ct->status & IPS_SEQ_ADJUST) || !seqadj) 436 return 0; 437 438 seq = &seqadj->seq[IP_CT_DIR_ORIGINAL]; 439 if (dump_ct_seq_adj(skb, seq, CTA_SEQ_ADJ_ORIG) == -1) 440 return -1; 441 442 seq = &seqadj->seq[IP_CT_DIR_REPLY]; 443 if (dump_ct_seq_adj(skb, seq, CTA_SEQ_ADJ_REPLY) == -1) 444 return -1; 445 446 return 0; 447 } 448 449 static inline int 450 ctnetlink_dump_id(struct sk_buff *skb, const struct nf_conn *ct) 451 { 452 if (nla_put_be32(skb, CTA_ID, htonl((unsigned long)ct))) 453 goto 
nla_put_failure; 454 return 0; 455 456 nla_put_failure: 457 return -1; 458 } 459 460 static inline int 461 ctnetlink_dump_use(struct sk_buff *skb, const struct nf_conn *ct) 462 { 463 if (nla_put_be32(skb, CTA_USE, htonl(atomic_read(&ct->ct_general.use)))) 464 goto nla_put_failure; 465 return 0; 466 467 nla_put_failure: 468 return -1; 469 } 470 471 static int 472 ctnetlink_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type, 473 struct nf_conn *ct) 474 { 475 const struct nf_conntrack_zone *zone; 476 struct nlmsghdr *nlh; 477 struct nfgenmsg *nfmsg; 478 struct nlattr *nest_parms; 479 unsigned int flags = portid ? NLM_F_MULTI : 0, event; 480 481 event = (NFNL_SUBSYS_CTNETLINK << 8 | IPCTNL_MSG_CT_NEW); 482 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); 483 if (nlh == NULL) 484 goto nlmsg_failure; 485 486 nfmsg = nlmsg_data(nlh); 487 nfmsg->nfgen_family = nf_ct_l3num(ct); 488 nfmsg->version = NFNETLINK_V0; 489 nfmsg->res_id = 0; 490 491 zone = nf_ct_zone(ct); 492 493 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED); 494 if (!nest_parms) 495 goto nla_put_failure; 496 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0) 497 goto nla_put_failure; 498 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone, 499 NF_CT_ZONE_DIR_ORIG) < 0) 500 goto nla_put_failure; 501 nla_nest_end(skb, nest_parms); 502 503 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY | NLA_F_NESTED); 504 if (!nest_parms) 505 goto nla_put_failure; 506 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0) 507 goto nla_put_failure; 508 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone, 509 NF_CT_ZONE_DIR_REPL) < 0) 510 goto nla_put_failure; 511 nla_nest_end(skb, nest_parms); 512 513 if (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone, 514 NF_CT_DEFAULT_ZONE_DIR) < 0) 515 goto nla_put_failure; 516 517 if (ctnetlink_dump_status(skb, ct) < 0 || 518 ctnetlink_dump_timeout(skb, ct) < 0 || 519 ctnetlink_dump_acct(skb, ct, type) < 0 || 520 
ctnetlink_dump_timestamp(skb, ct) < 0 || 521 ctnetlink_dump_protoinfo(skb, ct) < 0 || 522 ctnetlink_dump_helpinfo(skb, ct) < 0 || 523 ctnetlink_dump_mark(skb, ct) < 0 || 524 ctnetlink_dump_secctx(skb, ct) < 0 || 525 ctnetlink_dump_labels(skb, ct) < 0 || 526 ctnetlink_dump_id(skb, ct) < 0 || 527 ctnetlink_dump_use(skb, ct) < 0 || 528 ctnetlink_dump_master(skb, ct) < 0 || 529 ctnetlink_dump_ct_seq_adj(skb, ct) < 0) 530 goto nla_put_failure; 531 532 nlmsg_end(skb, nlh); 533 return skb->len; 534 535 nlmsg_failure: 536 nla_put_failure: 537 nlmsg_cancel(skb, nlh); 538 return -1; 539 } 540 541 static inline size_t 542 ctnetlink_proto_size(const struct nf_conn *ct) 543 { 544 struct nf_conntrack_l3proto *l3proto; 545 struct nf_conntrack_l4proto *l4proto; 546 size_t len = 0; 547 548 rcu_read_lock(); 549 l3proto = __nf_ct_l3proto_find(nf_ct_l3num(ct)); 550 len += l3proto->nla_size; 551 552 l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct)); 553 len += l4proto->nla_size; 554 rcu_read_unlock(); 555 556 return len; 557 } 558 559 static inline size_t 560 ctnetlink_acct_size(const struct nf_conn *ct) 561 { 562 if (!nf_ct_ext_exist(ct, NF_CT_EXT_ACCT)) 563 return 0; 564 return 2 * nla_total_size(0) /* CTA_COUNTERS_ORIG|REPL */ 565 + 2 * nla_total_size(sizeof(uint64_t)) /* CTA_COUNTERS_PACKETS */ 566 + 2 * nla_total_size(sizeof(uint64_t)) /* CTA_COUNTERS_BYTES */ 567 ; 568 } 569 570 static inline int 571 ctnetlink_secctx_size(const struct nf_conn *ct) 572 { 573 #ifdef CONFIG_NF_CONNTRACK_SECMARK 574 int len, ret; 575 576 ret = security_secid_to_secctx(ct->secmark, NULL, &len); 577 if (ret) 578 return 0; 579 580 return nla_total_size(0) /* CTA_SECCTX */ 581 + nla_total_size(sizeof(char) * len); /* CTA_SECCTX_NAME */ 582 #else 583 return 0; 584 #endif 585 } 586 587 static inline size_t 588 ctnetlink_timestamp_size(const struct nf_conn *ct) 589 { 590 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP 591 if (!nf_ct_ext_exist(ct, NF_CT_EXT_TSTAMP)) 592 return 0; 593 return 
nla_total_size(0) + 2 * nla_total_size(sizeof(uint64_t)); 594 #else 595 return 0; 596 #endif 597 } 598 599 static inline size_t 600 ctnetlink_nlmsg_size(const struct nf_conn *ct) 601 { 602 return NLMSG_ALIGN(sizeof(struct nfgenmsg)) 603 + 3 * nla_total_size(0) /* CTA_TUPLE_ORIG|REPL|MASTER */ 604 + 3 * nla_total_size(0) /* CTA_TUPLE_IP */ 605 + 3 * nla_total_size(0) /* CTA_TUPLE_PROTO */ 606 + 3 * nla_total_size(sizeof(u_int8_t)) /* CTA_PROTO_NUM */ 607 + nla_total_size(sizeof(u_int32_t)) /* CTA_ID */ 608 + nla_total_size(sizeof(u_int32_t)) /* CTA_STATUS */ 609 + ctnetlink_acct_size(ct) 610 + ctnetlink_timestamp_size(ct) 611 + nla_total_size(sizeof(u_int32_t)) /* CTA_TIMEOUT */ 612 + nla_total_size(0) /* CTA_PROTOINFO */ 613 + nla_total_size(0) /* CTA_HELP */ 614 + nla_total_size(NF_CT_HELPER_NAME_LEN) /* CTA_HELP_NAME */ 615 + ctnetlink_secctx_size(ct) 616 #ifdef CONFIG_NF_NAT_NEEDED 617 + 2 * nla_total_size(0) /* CTA_NAT_SEQ_ADJ_ORIG|REPL */ 618 + 6 * nla_total_size(sizeof(u_int32_t)) /* CTA_NAT_SEQ_OFFSET */ 619 #endif 620 #ifdef CONFIG_NF_CONNTRACK_MARK 621 + nla_total_size(sizeof(u_int32_t)) /* CTA_MARK */ 622 #endif 623 #ifdef CONFIG_NF_CONNTRACK_ZONES 624 + nla_total_size(sizeof(u_int16_t)) /* CTA_ZONE|CTA_TUPLE_ZONE */ 625 #endif 626 + ctnetlink_proto_size(ct) 627 + ctnetlink_label_size(ct) 628 ; 629 } 630 631 #ifdef CONFIG_NF_CONNTRACK_EVENTS 632 static int 633 ctnetlink_conntrack_event(unsigned int events, struct nf_ct_event *item) 634 { 635 const struct nf_conntrack_zone *zone; 636 struct net *net; 637 struct nlmsghdr *nlh; 638 struct nfgenmsg *nfmsg; 639 struct nlattr *nest_parms; 640 struct nf_conn *ct = item->ct; 641 struct sk_buff *skb; 642 unsigned int type; 643 unsigned int flags = 0, group; 644 int err; 645 646 /* ignore our fake conntrack entry */ 647 if (nf_ct_is_untracked(ct)) 648 return 0; 649 650 if (events & (1 << IPCT_DESTROY)) { 651 type = IPCTNL_MSG_CT_DELETE; 652 group = NFNLGRP_CONNTRACK_DESTROY; 653 } else if (events & ((1 << IPCT_NEW) 
| (1 << IPCT_RELATED))) { 654 type = IPCTNL_MSG_CT_NEW; 655 flags = NLM_F_CREATE|NLM_F_EXCL; 656 group = NFNLGRP_CONNTRACK_NEW; 657 } else if (events) { 658 type = IPCTNL_MSG_CT_NEW; 659 group = NFNLGRP_CONNTRACK_UPDATE; 660 } else 661 return 0; 662 663 net = nf_ct_net(ct); 664 if (!item->report && !nfnetlink_has_listeners(net, group)) 665 return 0; 666 667 skb = nlmsg_new(ctnetlink_nlmsg_size(ct), GFP_ATOMIC); 668 if (skb == NULL) 669 goto errout; 670 671 type |= NFNL_SUBSYS_CTNETLINK << 8; 672 nlh = nlmsg_put(skb, item->portid, 0, type, sizeof(*nfmsg), flags); 673 if (nlh == NULL) 674 goto nlmsg_failure; 675 676 nfmsg = nlmsg_data(nlh); 677 nfmsg->nfgen_family = nf_ct_l3num(ct); 678 nfmsg->version = NFNETLINK_V0; 679 nfmsg->res_id = 0; 680 681 rcu_read_lock(); 682 zone = nf_ct_zone(ct); 683 684 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED); 685 if (!nest_parms) 686 goto nla_put_failure; 687 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0) 688 goto nla_put_failure; 689 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone, 690 NF_CT_ZONE_DIR_ORIG) < 0) 691 goto nla_put_failure; 692 nla_nest_end(skb, nest_parms); 693 694 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY | NLA_F_NESTED); 695 if (!nest_parms) 696 goto nla_put_failure; 697 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0) 698 goto nla_put_failure; 699 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone, 700 NF_CT_ZONE_DIR_REPL) < 0) 701 goto nla_put_failure; 702 nla_nest_end(skb, nest_parms); 703 704 if (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone, 705 NF_CT_DEFAULT_ZONE_DIR) < 0) 706 goto nla_put_failure; 707 708 if (ctnetlink_dump_id(skb, ct) < 0) 709 goto nla_put_failure; 710 711 if (ctnetlink_dump_status(skb, ct) < 0) 712 goto nla_put_failure; 713 714 if (events & (1 << IPCT_DESTROY)) { 715 if (ctnetlink_dump_acct(skb, ct, type) < 0 || 716 ctnetlink_dump_timestamp(skb, ct) < 0) 717 goto nla_put_failure; 718 } else { 719 if 
(ctnetlink_dump_timeout(skb, ct) < 0) 720 goto nla_put_failure; 721 722 if (events & (1 << IPCT_PROTOINFO) 723 && ctnetlink_dump_protoinfo(skb, ct) < 0) 724 goto nla_put_failure; 725 726 if ((events & (1 << IPCT_HELPER) || nfct_help(ct)) 727 && ctnetlink_dump_helpinfo(skb, ct) < 0) 728 goto nla_put_failure; 729 730 #ifdef CONFIG_NF_CONNTRACK_SECMARK 731 if ((events & (1 << IPCT_SECMARK) || ct->secmark) 732 && ctnetlink_dump_secctx(skb, ct) < 0) 733 goto nla_put_failure; 734 #endif 735 if (events & (1 << IPCT_LABEL) && 736 ctnetlink_dump_labels(skb, ct) < 0) 737 goto nla_put_failure; 738 739 if (events & (1 << IPCT_RELATED) && 740 ctnetlink_dump_master(skb, ct) < 0) 741 goto nla_put_failure; 742 743 if (events & (1 << IPCT_SEQADJ) && 744 ctnetlink_dump_ct_seq_adj(skb, ct) < 0) 745 goto nla_put_failure; 746 } 747 748 #ifdef CONFIG_NF_CONNTRACK_MARK 749 if ((events & (1 << IPCT_MARK) || ct->mark) 750 && ctnetlink_dump_mark(skb, ct) < 0) 751 goto nla_put_failure; 752 #endif 753 rcu_read_unlock(); 754 755 nlmsg_end(skb, nlh); 756 err = nfnetlink_send(skb, net, item->portid, group, item->report, 757 GFP_ATOMIC); 758 if (err == -ENOBUFS || err == -EAGAIN) 759 return -ENOBUFS; 760 761 return 0; 762 763 nla_put_failure: 764 rcu_read_unlock(); 765 nlmsg_cancel(skb, nlh); 766 nlmsg_failure: 767 kfree_skb(skb); 768 errout: 769 if (nfnetlink_set_err(net, 0, group, -ENOBUFS) > 0) 770 return -ENOBUFS; 771 772 return 0; 773 } 774 #endif /* CONFIG_NF_CONNTRACK_EVENTS */ 775 776 static int ctnetlink_done(struct netlink_callback *cb) 777 { 778 if (cb->args[1]) 779 nf_ct_put((struct nf_conn *)cb->args[1]); 780 kfree(cb->data); 781 return 0; 782 } 783 784 struct ctnetlink_filter { 785 struct { 786 u_int32_t val; 787 u_int32_t mask; 788 } mark; 789 }; 790 791 static struct ctnetlink_filter * 792 ctnetlink_alloc_filter(const struct nlattr * const cda[]) 793 { 794 #ifdef CONFIG_NF_CONNTRACK_MARK 795 struct ctnetlink_filter *filter; 796 797 filter = kzalloc(sizeof(*filter), GFP_KERNEL); 
798 if (filter == NULL) 799 return ERR_PTR(-ENOMEM); 800 801 filter->mark.val = ntohl(nla_get_be32(cda[CTA_MARK])); 802 filter->mark.mask = ntohl(nla_get_be32(cda[CTA_MARK_MASK])); 803 804 return filter; 805 #else 806 return ERR_PTR(-EOPNOTSUPP); 807 #endif 808 } 809 810 static int ctnetlink_filter_match(struct nf_conn *ct, void *data) 811 { 812 struct ctnetlink_filter *filter = data; 813 814 if (filter == NULL) 815 return 1; 816 817 #ifdef CONFIG_NF_CONNTRACK_MARK 818 if ((ct->mark & filter->mark.mask) == filter->mark.val) 819 return 1; 820 #endif 821 822 return 0; 823 } 824 825 static int 826 ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb) 827 { 828 struct net *net = sock_net(skb->sk); 829 struct nf_conn *ct, *last; 830 struct nf_conntrack_tuple_hash *h; 831 struct hlist_nulls_node *n; 832 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 833 u_int8_t l3proto = nfmsg->nfgen_family; 834 int res; 835 spinlock_t *lockp; 836 837 last = (struct nf_conn *)cb->args[1]; 838 839 local_bh_disable(); 840 for (; cb->args[0] < net->ct.htable_size; cb->args[0]++) { 841 restart: 842 lockp = &nf_conntrack_locks[cb->args[0] % CONNTRACK_LOCKS]; 843 spin_lock(lockp); 844 if (cb->args[0] >= net->ct.htable_size) { 845 spin_unlock(lockp); 846 goto out; 847 } 848 hlist_nulls_for_each_entry(h, n, &net->ct.hash[cb->args[0]], 849 hnnode) { 850 if (NF_CT_DIRECTION(h) != IP_CT_DIR_ORIGINAL) 851 continue; 852 ct = nf_ct_tuplehash_to_ctrack(h); 853 /* Dump entries of a given L3 protocol number. 854 * If it is not specified, ie. l3proto == 0, 855 * then dump everything. 
*/ 856 if (l3proto && nf_ct_l3num(ct) != l3proto) 857 continue; 858 if (cb->args[1]) { 859 if (ct != last) 860 continue; 861 cb->args[1] = 0; 862 } 863 if (!ctnetlink_filter_match(ct, cb->data)) 864 continue; 865 866 rcu_read_lock(); 867 res = 868 ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).portid, 869 cb->nlh->nlmsg_seq, 870 NFNL_MSG_TYPE(cb->nlh->nlmsg_type), 871 ct); 872 rcu_read_unlock(); 873 if (res < 0) { 874 nf_conntrack_get(&ct->ct_general); 875 cb->args[1] = (unsigned long)ct; 876 spin_unlock(lockp); 877 goto out; 878 } 879 } 880 spin_unlock(lockp); 881 if (cb->args[1]) { 882 cb->args[1] = 0; 883 goto restart; 884 } 885 } 886 out: 887 local_bh_enable(); 888 if (last) 889 nf_ct_put(last); 890 891 return skb->len; 892 } 893 894 static inline int 895 ctnetlink_parse_tuple_ip(struct nlattr *attr, struct nf_conntrack_tuple *tuple) 896 { 897 struct nlattr *tb[CTA_IP_MAX+1]; 898 struct nf_conntrack_l3proto *l3proto; 899 int ret = 0; 900 901 ret = nla_parse_nested(tb, CTA_IP_MAX, attr, NULL); 902 if (ret < 0) 903 return ret; 904 905 rcu_read_lock(); 906 l3proto = __nf_ct_l3proto_find(tuple->src.l3num); 907 908 if (likely(l3proto->nlattr_to_tuple)) { 909 ret = nla_validate_nested(attr, CTA_IP_MAX, 910 l3proto->nla_policy); 911 if (ret == 0) 912 ret = l3proto->nlattr_to_tuple(tb, tuple); 913 } 914 915 rcu_read_unlock(); 916 917 return ret; 918 } 919 920 static const struct nla_policy proto_nla_policy[CTA_PROTO_MAX+1] = { 921 [CTA_PROTO_NUM] = { .type = NLA_U8 }, 922 }; 923 924 static inline int 925 ctnetlink_parse_tuple_proto(struct nlattr *attr, 926 struct nf_conntrack_tuple *tuple) 927 { 928 struct nlattr *tb[CTA_PROTO_MAX+1]; 929 struct nf_conntrack_l4proto *l4proto; 930 int ret = 0; 931 932 ret = nla_parse_nested(tb, CTA_PROTO_MAX, attr, proto_nla_policy); 933 if (ret < 0) 934 return ret; 935 936 if (!tb[CTA_PROTO_NUM]) 937 return -EINVAL; 938 tuple->dst.protonum = nla_get_u8(tb[CTA_PROTO_NUM]); 939 940 rcu_read_lock(); 941 l4proto = 
__nf_ct_l4proto_find(tuple->src.l3num, tuple->dst.protonum); 942 943 if (likely(l4proto->nlattr_to_tuple)) { 944 ret = nla_validate_nested(attr, CTA_PROTO_MAX, 945 l4proto->nla_policy); 946 if (ret == 0) 947 ret = l4proto->nlattr_to_tuple(tb, tuple); 948 } 949 950 rcu_read_unlock(); 951 952 return ret; 953 } 954 955 static int 956 ctnetlink_parse_zone(const struct nlattr *attr, 957 struct nf_conntrack_zone *zone) 958 { 959 nf_ct_zone_init(zone, NF_CT_DEFAULT_ZONE_ID, 960 NF_CT_DEFAULT_ZONE_DIR, 0); 961 #ifdef CONFIG_NF_CONNTRACK_ZONES 962 if (attr) 963 zone->id = ntohs(nla_get_be16(attr)); 964 #else 965 if (attr) 966 return -EOPNOTSUPP; 967 #endif 968 return 0; 969 } 970 971 static int 972 ctnetlink_parse_tuple_zone(struct nlattr *attr, enum ctattr_type type, 973 struct nf_conntrack_zone *zone) 974 { 975 int ret; 976 977 if (zone->id != NF_CT_DEFAULT_ZONE_ID) 978 return -EINVAL; 979 980 ret = ctnetlink_parse_zone(attr, zone); 981 if (ret < 0) 982 return ret; 983 984 if (type == CTA_TUPLE_REPLY) 985 zone->dir = NF_CT_ZONE_DIR_REPL; 986 else 987 zone->dir = NF_CT_ZONE_DIR_ORIG; 988 989 return 0; 990 } 991 992 static const struct nla_policy tuple_nla_policy[CTA_TUPLE_MAX+1] = { 993 [CTA_TUPLE_IP] = { .type = NLA_NESTED }, 994 [CTA_TUPLE_PROTO] = { .type = NLA_NESTED }, 995 [CTA_TUPLE_ZONE] = { .type = NLA_U16 }, 996 }; 997 998 static int 999 ctnetlink_parse_tuple(const struct nlattr * const cda[], 1000 struct nf_conntrack_tuple *tuple, 1001 enum ctattr_type type, u_int8_t l3num, 1002 struct nf_conntrack_zone *zone) 1003 { 1004 struct nlattr *tb[CTA_TUPLE_MAX+1]; 1005 int err; 1006 1007 memset(tuple, 0, sizeof(*tuple)); 1008 1009 err = nla_parse_nested(tb, CTA_TUPLE_MAX, cda[type], tuple_nla_policy); 1010 if (err < 0) 1011 return err; 1012 1013 if (!tb[CTA_TUPLE_IP]) 1014 return -EINVAL; 1015 1016 tuple->src.l3num = l3num; 1017 1018 err = ctnetlink_parse_tuple_ip(tb[CTA_TUPLE_IP], tuple); 1019 if (err < 0) 1020 return err; 1021 1022 if (!tb[CTA_TUPLE_PROTO]) 1023 
return -EINVAL; 1024 1025 err = ctnetlink_parse_tuple_proto(tb[CTA_TUPLE_PROTO], tuple); 1026 if (err < 0) 1027 return err; 1028 1029 if (tb[CTA_TUPLE_ZONE]) { 1030 if (!zone) 1031 return -EINVAL; 1032 1033 err = ctnetlink_parse_tuple_zone(tb[CTA_TUPLE_ZONE], 1034 type, zone); 1035 if (err < 0) 1036 return err; 1037 } 1038 1039 /* orig and expect tuples get DIR_ORIGINAL */ 1040 if (type == CTA_TUPLE_REPLY) 1041 tuple->dst.dir = IP_CT_DIR_REPLY; 1042 else 1043 tuple->dst.dir = IP_CT_DIR_ORIGINAL; 1044 1045 return 0; 1046 } 1047 1048 static const struct nla_policy help_nla_policy[CTA_HELP_MAX+1] = { 1049 [CTA_HELP_NAME] = { .type = NLA_NUL_STRING, 1050 .len = NF_CT_HELPER_NAME_LEN - 1 }, 1051 }; 1052 1053 static inline int 1054 ctnetlink_parse_help(const struct nlattr *attr, char **helper_name, 1055 struct nlattr **helpinfo) 1056 { 1057 int err; 1058 struct nlattr *tb[CTA_HELP_MAX+1]; 1059 1060 err = nla_parse_nested(tb, CTA_HELP_MAX, attr, help_nla_policy); 1061 if (err < 0) 1062 return err; 1063 1064 if (!tb[CTA_HELP_NAME]) 1065 return -EINVAL; 1066 1067 *helper_name = nla_data(tb[CTA_HELP_NAME]); 1068 1069 if (tb[CTA_HELP_INFO]) 1070 *helpinfo = tb[CTA_HELP_INFO]; 1071 1072 return 0; 1073 } 1074 1075 static const struct nla_policy ct_nla_policy[CTA_MAX+1] = { 1076 [CTA_TUPLE_ORIG] = { .type = NLA_NESTED }, 1077 [CTA_TUPLE_REPLY] = { .type = NLA_NESTED }, 1078 [CTA_STATUS] = { .type = NLA_U32 }, 1079 [CTA_PROTOINFO] = { .type = NLA_NESTED }, 1080 [CTA_HELP] = { .type = NLA_NESTED }, 1081 [CTA_NAT_SRC] = { .type = NLA_NESTED }, 1082 [CTA_TIMEOUT] = { .type = NLA_U32 }, 1083 [CTA_MARK] = { .type = NLA_U32 }, 1084 [CTA_ID] = { .type = NLA_U32 }, 1085 [CTA_NAT_DST] = { .type = NLA_NESTED }, 1086 [CTA_TUPLE_MASTER] = { .type = NLA_NESTED }, 1087 [CTA_NAT_SEQ_ADJ_ORIG] = { .type = NLA_NESTED }, 1088 [CTA_NAT_SEQ_ADJ_REPLY] = { .type = NLA_NESTED }, 1089 [CTA_ZONE] = { .type = NLA_U16 }, 1090 [CTA_MARK_MASK] = { .type = NLA_U32 }, 1091 [CTA_LABELS] = { .type = NLA_BINARY, 
1092 .len = NF_CT_LABELS_MAX_SIZE }, 1093 [CTA_LABELS_MASK] = { .type = NLA_BINARY, 1094 .len = NF_CT_LABELS_MAX_SIZE }, 1095 }; 1096 1097 static int ctnetlink_flush_conntrack(struct net *net, 1098 const struct nlattr * const cda[], 1099 u32 portid, int report) 1100 { 1101 struct ctnetlink_filter *filter = NULL; 1102 1103 if (cda[CTA_MARK] && cda[CTA_MARK_MASK]) { 1104 filter = ctnetlink_alloc_filter(cda); 1105 if (IS_ERR(filter)) 1106 return PTR_ERR(filter); 1107 } 1108 1109 nf_ct_iterate_cleanup(net, ctnetlink_filter_match, filter, 1110 portid, report); 1111 kfree(filter); 1112 1113 return 0; 1114 } 1115 1116 static int 1117 ctnetlink_del_conntrack(struct sock *ctnl, struct sk_buff *skb, 1118 const struct nlmsghdr *nlh, 1119 const struct nlattr * const cda[]) 1120 { 1121 struct net *net = sock_net(ctnl); 1122 struct nf_conntrack_tuple_hash *h; 1123 struct nf_conntrack_tuple tuple; 1124 struct nf_conn *ct; 1125 struct nfgenmsg *nfmsg = nlmsg_data(nlh); 1126 u_int8_t u3 = nfmsg->nfgen_family; 1127 struct nf_conntrack_zone zone; 1128 int err; 1129 1130 err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone); 1131 if (err < 0) 1132 return err; 1133 1134 if (cda[CTA_TUPLE_ORIG]) 1135 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, 1136 u3, &zone); 1137 else if (cda[CTA_TUPLE_REPLY]) 1138 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY, 1139 u3, &zone); 1140 else { 1141 return ctnetlink_flush_conntrack(net, cda, 1142 NETLINK_CB(skb).portid, 1143 nlmsg_report(nlh)); 1144 } 1145 1146 if (err < 0) 1147 return err; 1148 1149 h = nf_conntrack_find_get(net, &zone, &tuple); 1150 if (!h) 1151 return -ENOENT; 1152 1153 ct = nf_ct_tuplehash_to_ctrack(h); 1154 1155 if (cda[CTA_ID]) { 1156 u_int32_t id = ntohl(nla_get_be32(cda[CTA_ID])); 1157 if (id != (u32)(unsigned long)ct) { 1158 nf_ct_put(ct); 1159 return -ENOENT; 1160 } 1161 } 1162 1163 if (del_timer(&ct->timeout)) 1164 nf_ct_delete(ct, NETLINK_CB(skb).portid, nlmsg_report(nlh)); 1165 1166 nf_ct_put(ct); 1167 1168 
	return 0;
}

/* IPCTNL_MSG_CT_GET handler: fetch a single conntrack entry, or start a
 * table dump when NLM_F_DUMP is set.  The entry is looked up by its
 * original or reply tuple (plus optional zone) and the serialized entry
 * is unicast back to the requesting socket.
 */
static int
ctnetlink_get_conntrack(struct sock *ctnl, struct sk_buff *skb,
			const struct nlmsghdr *nlh,
			const struct nlattr * const cda[])
{
	struct net *net = sock_net(ctnl);
	struct nf_conntrack_tuple_hash *h;
	struct nf_conntrack_tuple tuple;
	struct nf_conn *ct;
	struct sk_buff *skb2 = NULL;
	struct nfgenmsg *nfmsg = nlmsg_data(nlh);
	u_int8_t u3 = nfmsg->nfgen_family;
	struct nf_conntrack_zone zone;
	int err;

	if (nlh->nlmsg_flags & NLM_F_DUMP) {
		struct netlink_dump_control c = {
			.dump = ctnetlink_dump_table,
			.done = ctnetlink_done,
		};

		/* optional mark/mask filter; freed by the ->done callback
		 * (presumably — allocation ownership not visible here)
		 */
		if (cda[CTA_MARK] && cda[CTA_MARK_MASK]) {
			struct ctnetlink_filter *filter;

			filter = ctnetlink_alloc_filter(cda);
			if (IS_ERR(filter))
				return PTR_ERR(filter);

			c.data = filter;
		}
		return netlink_dump_start(ctnl, skb, nlh, &c);
	}

	err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone);
	if (err < 0)
		return err;

	/* exactly one of ORIG/REPLY tuple is required for a lookup */
	if (cda[CTA_TUPLE_ORIG])
		err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG,
					    u3, &zone);
	else if (cda[CTA_TUPLE_REPLY])
		err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY,
					    u3, &zone);
	else
		return -EINVAL;

	if (err < 0)
		return err;

	/* takes a reference on the entry; dropped below via nf_ct_put() */
	h = nf_conntrack_find_get(net, &zone, &tuple);
	if (!h)
		return -ENOENT;

	ct = nf_ct_tuplehash_to_ctrack(h);

	err = -ENOMEM;
	skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
	if (skb2 == NULL) {
		nf_ct_put(ct);
		return -ENOMEM;
	}

	rcu_read_lock();
	err = ctnetlink_fill_info(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq,
				  NFNL_MSG_TYPE(nlh->nlmsg_type), ct);
	rcu_read_unlock();
	nf_ct_put(ct);
	if (err <= 0)
		goto free;

	/* netlink_unicast consumes skb2 on both success and failure */
	err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
	if (err < 0)
		goto out;

	return 0;

free:
	kfree_skb(skb2);
out:
	/* this avoids a loop in nfnetlink. */
	return err == -EAGAIN ? -ENOBUFS : err;
}

/* Dump ->done callback for the dying/unconfirmed list dumps: drop the
 * reference held on the last partially-dumped entry, if any.
 */
static int ctnetlink_done_list(struct netlink_callback *cb)
{
	if (cb->args[1])
		nf_ct_put((struct nf_conn *)cb->args[1]);
	return 0;
}

/* Walk the per-cpu dying or unconfirmed lists and emit one message per
 * entry.  cb->args[0] = cpu to resume at, cb->args[1] = last entry that
 * did not fit (with a reference held), cb->args[2] = dump finished flag.
 */
static int
ctnetlink_dump_list(struct sk_buff *skb, struct netlink_callback *cb, bool dying)
{
	struct nf_conn *ct, *last;
	struct nf_conntrack_tuple_hash *h;
	struct hlist_nulls_node *n;
	struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
	u_int8_t l3proto = nfmsg->nfgen_family;
	int res;
	int cpu;
	struct hlist_nulls_head *list;
	struct net *net = sock_net(skb->sk);

	if (cb->args[2])
		return 0;

	last = (struct nf_conn *)cb->args[1];

	for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) {
		struct ct_pcpu *pcpu;

		if (!cpu_possible(cpu))
			continue;

		pcpu = per_cpu_ptr(net->ct.pcpu_lists, cpu);
		spin_lock_bh(&pcpu->lock);
		list = dying ?
		       &pcpu->dying : &pcpu->unconfirmed;
restart:
		hlist_nulls_for_each_entry(h, n, list, hnnode) {
			ct = nf_ct_tuplehash_to_ctrack(h);
			if (l3proto && nf_ct_l3num(ct) != l3proto)
				continue;
			/* resuming: skip forward to the entry we stopped at */
			if (cb->args[1]) {
				if (ct != last)
					continue;
				cb->args[1] = 0;
			}
			rcu_read_lock();
			res = ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).portid,
						  cb->nlh->nlmsg_seq,
						  NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
						  ct);
			rcu_read_unlock();
			if (res < 0) {
				/* skb full: remember this entry and take a
				 * reference so we can resume here; entries
				 * already being freed (refcount 0) are skipped.
				 */
				if (!atomic_inc_not_zero(&ct->ct_general.use))
					continue;
				cb->args[0] = cpu;
				cb->args[1] = (unsigned long)ct;
				spin_unlock_bh(&pcpu->lock);
				goto out;
			}
		}
		/* resume marker never matched (entry vanished): rescan list */
		if (cb->args[1]) {
			cb->args[1] = 0;
			goto restart;
		}
		spin_unlock_bh(&pcpu->lock);
	}
	cb->args[2] = 1;
out:
	if (last)
		nf_ct_put(last);

	return skb->len;
}

static int
ctnetlink_dump_dying(struct sk_buff *skb, struct netlink_callback *cb)
{
	return ctnetlink_dump_list(skb, cb, true);
}

/* IPCTNL_MSG_CT_GET_DYING handler: dump-only interface. */
static int
ctnetlink_get_ct_dying(struct sock *ctnl, struct sk_buff *skb,
		       const struct nlmsghdr *nlh,
		       const struct nlattr * const cda[])
{
	if (nlh->nlmsg_flags & NLM_F_DUMP) {
		struct netlink_dump_control c = {
			.dump = ctnetlink_dump_dying,
			.done = ctnetlink_done_list,
		};
		return netlink_dump_start(ctnl, skb, nlh, &c);
	}

	return -EOPNOTSUPP;
}

static int
ctnetlink_dump_unconfirmed(struct sk_buff *skb, struct netlink_callback *cb)
{
	return ctnetlink_dump_list(skb, cb, false);
}

/* IPCTNL_MSG_CT_GET_UNCONFIRMED handler: dump-only interface. */
static int
ctnetlink_get_ct_unconfirmed(struct sock *ctnl, struct sk_buff *skb,
			     const struct nlmsghdr *nlh,
			     const struct nlattr * const cda[])
{
	if (nlh->nlmsg_flags & NLM_F_DUMP) {
		struct netlink_dump_control c = {
			.dump = ctnetlink_dump_unconfirmed,
			.done = ctnetlink_done_list,
		};
		return netlink_dump_start(ctnl, skb, nlh, &c);
	}

	return -EOPNOTSUPP;
}

#ifdef CONFIG_NF_NAT_NEEDED
/* Hand a CTA_NAT_SRC/DST attribute to the NAT module via the registered
 * hook, autoloading "nf-nat" / "nf-nat-<l3num>" if needed.  Caller holds
 * rcu_read_lock and the ctnetlink nfnl mutex; both are dropped and
 * re-taken around request_module(), hence the -EAGAIN retry protocol
 * (the whole message is replayed after a module load).
 */
static int
ctnetlink_parse_nat_setup(struct nf_conn *ct,
			  enum nf_nat_manip_type manip,
			  const struct nlattr *attr)
{
	typeof(nfnetlink_parse_nat_setup_hook) parse_nat_setup;
	int err;

	parse_nat_setup = rcu_dereference(nfnetlink_parse_nat_setup_hook);
	if (!parse_nat_setup) {
#ifdef CONFIG_MODULES
		rcu_read_unlock();
		nfnl_unlock(NFNL_SUBSYS_CTNETLINK);
		if (request_module("nf-nat") < 0) {
			nfnl_lock(NFNL_SUBSYS_CTNETLINK);
			rcu_read_lock();
			return -EOPNOTSUPP;
		}
		nfnl_lock(NFNL_SUBSYS_CTNETLINK);
		rcu_read_lock();
		/* hook registered now: ask the caller to retry the request */
		if (nfnetlink_parse_nat_setup_hook)
			return -EAGAIN;
#endif
		return -EOPNOTSUPP;
	}

	err = parse_nat_setup(ct, manip, attr);
	if (err == -EAGAIN) {
		/* NAT core wants the per-family module; load it and retry */
#ifdef CONFIG_MODULES
		rcu_read_unlock();
		nfnl_unlock(NFNL_SUBSYS_CTNETLINK);
		if (request_module("nf-nat-%u", nf_ct_l3num(ct)) < 0) {
			nfnl_lock(NFNL_SUBSYS_CTNETLINK);
			rcu_read_lock();
			return -EOPNOTSUPP;
		}
		nfnl_lock(NFNL_SUBSYS_CTNETLINK);
		rcu_read_lock();
#else
		err = -EOPNOTSUPP;
#endif
	}
	return err;
}
#endif

/* Apply a CTA_STATUS attribute to an existing conntrack.  Only a subset
 * of bits may be changed from user space; state-machine bits may only be
 * set, never cleared.
 */
static int
ctnetlink_change_status(struct nf_conn *ct, const struct nlattr * const cda[])
{
	unsigned long d;
	unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS]));
	d = ct->status ^ status;

	if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING))
		/* unchangeable */
		return -EBUSY;

	if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY))
		/* SEEN_REPLY bit can only be set */
		return -EBUSY;

	if (d & IPS_ASSURED && !(status & IPS_ASSURED))
		/* ASSURED bit can only be set */
		return -EBUSY;

	/* Be careful here, modifying NAT bits can screw up things,
	 * so don't let users modify
 them directly if they don't pass
	 * nf_nat_range. */
	ct->status |= status & ~(IPS_NAT_DONE_MASK | IPS_NAT_MASK);
	return 0;
}

/* Apply CTA_NAT_SRC/CTA_NAT_DST to a freshly created conntrack.  Returns
 * 0 when no NAT attributes are present; -EOPNOTSUPP when NAT support is
 * compiled out but NAT attributes were supplied.
 */
static int
ctnetlink_setup_nat(struct nf_conn *ct, const struct nlattr * const cda[])
{
#ifdef CONFIG_NF_NAT_NEEDED
	int ret;

	if (!cda[CTA_NAT_DST] && !cda[CTA_NAT_SRC])
		return 0;

	ret = ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_DST,
					cda[CTA_NAT_DST]);
	if (ret < 0)
		return ret;

	ret = ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_SRC,
					cda[CTA_NAT_SRC]);
	return ret;
#else
	if (!cda[CTA_NAT_DST] && !cda[CTA_NAT_SRC])
		return 0;
	return -EOPNOTSUPP;
#endif
}

/* Change/clear the helper of an existing conntrack via CTA_HELP.
 * Called with nf_conntrack_expect_lock held (it is dropped and
 * re-taken around request_module below).  An empty helper name detaches
 * the current helper; attaching a new helper to an existing entry is not
 * supported, only updating the private data of the already-bound helper.
 */
static inline int
ctnetlink_change_helper(struct nf_conn *ct, const struct nlattr * const cda[])
{
	struct nf_conntrack_helper *helper;
	struct nf_conn_help *help = nfct_help(ct);
	char *helpname = NULL;
	struct nlattr *helpinfo = NULL;
	int err;

	/* don't change helper of sibling connections */
	if (ct->master)
		return -EBUSY;

	err = ctnetlink_parse_help(cda[CTA_HELP], &helpname, &helpinfo);
	if (err < 0)
		return err;

	if (!strcmp(helpname, "")) {
		if (help && help->helper) {
			/* we had a helper before ... */
			nf_ct_remove_expectations(ct);
			RCU_INIT_POINTER(help->helper, NULL);
		}

		return 0;
	}

	helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
					    nf_ct_protonum(ct));
	if (helper == NULL) {
#ifdef CONFIG_MODULES
		spin_unlock_bh(&nf_conntrack_expect_lock);

		if (request_module("nfct-helper-%s", helpname) < 0) {
			spin_lock_bh(&nf_conntrack_expect_lock);
			return -EOPNOTSUPP;
		}

		spin_lock_bh(&nf_conntrack_expect_lock);
		helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
						    nf_ct_protonum(ct));
		/* module loaded: have the caller replay the request */
		if (helper)
			return -EAGAIN;
#endif
		return -EOPNOTSUPP;
	}

	if (help) {
		if (help->helper == helper) {
			/* update private helper data if allowed. */
			if (helper->from_nlattr)
				helper->from_nlattr(helpinfo, ct);
			return 0;
		} else
			return -EBUSY;
	}

	/* we cannot set a helper for an existing conntrack */
	return -EOPNOTSUPP;
}

/* Re-arm the conntrack timer from CTA_TIMEOUT (seconds).  -ETIME means
 * the timer had already fired, i.e. the entry is on its way out.
 */
static inline int
ctnetlink_change_timeout(struct nf_conn *ct, const struct nlattr * const cda[])
{
	u_int32_t timeout = ntohl(nla_get_be32(cda[CTA_TIMEOUT]));

	if (!del_timer(&ct->timeout))
		return -ETIME;

	ct->timeout.expires = jiffies + timeout * HZ;
	add_timer(&ct->timeout);

	return 0;
}

static const struct nla_policy protoinfo_policy[CTA_PROTOINFO_MAX+1] = {
	[CTA_PROTOINFO_TCP]	= { .type = NLA_NESTED },
	[CTA_PROTOINFO_DCCP]	= { .type = NLA_NESTED },
	[CTA_PROTOINFO_SCTP]	= { .type = NLA_NESTED },
};

/* Hand the nested CTA_PROTOINFO attribute to the l4 protocol tracker. */
static inline int
ctnetlink_change_protoinfo(struct nf_conn *ct, const struct nlattr * const cda[])
{
	const struct nlattr *attr = cda[CTA_PROTOINFO];
	struct nlattr *tb[CTA_PROTOINFO_MAX+1];
	struct nf_conntrack_l4proto *l4proto;
	int err = 0;

	err = nla_parse_nested(tb, CTA_PROTOINFO_MAX, attr, protoinfo_policy);
	if (err < 0)
		return err;

	rcu_read_lock();
	l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
	if (l4proto->from_nlattr)
		err = l4proto->from_nlattr(tb, ct);
	rcu_read_unlock();

	return err;
}

static const struct nla_policy seqadj_policy[CTA_SEQADJ_MAX+1] = {
	[CTA_SEQADJ_CORRECTION_POS]	= { .type = NLA_U32 },
	[CTA_SEQADJ_OFFSET_BEFORE]	= { .type = NLA_U32 },
	[CTA_SEQADJ_OFFSET_AFTER]	= { .type = NLA_U32 },
};

/* Parse one nested CTA_SEQ_ADJ_* attribute into a nf_ct_seqadj; all
 * three fields are mandatory.
 */
static inline int
change_seq_adj(struct nf_ct_seqadj *seq, const struct nlattr * const attr)
{
	int err;
	struct nlattr *cda[CTA_SEQADJ_MAX+1];

	err = nla_parse_nested(cda, CTA_SEQADJ_MAX, attr, seqadj_policy);
	if (err < 0)
		return err;

	if (!cda[CTA_SEQADJ_CORRECTION_POS])
		return -EINVAL;

	seq->correction_pos =
		ntohl(nla_get_be32(cda[CTA_SEQADJ_CORRECTION_POS]));

	if (!cda[CTA_SEQADJ_OFFSET_BEFORE])
		return -EINVAL;

	seq->offset_before =
		ntohl(nla_get_be32(cda[CTA_SEQADJ_OFFSET_BEFORE]));

	if (!cda[CTA_SEQADJ_OFFSET_AFTER])
		return -EINVAL;

	seq->offset_after =
		ntohl(nla_get_be32(cda[CTA_SEQADJ_OFFSET_AFTER]));

	return 0;
}

/* Apply CTA_SEQ_ADJ_ORIG/REPLY; a no-op when the entry carries no seqadj
 * extension.  Sets IPS_SEQ_ADJUST whenever an adjustment was installed.
 */
static int
ctnetlink_change_seq_adj(struct nf_conn *ct,
			 const struct nlattr * const cda[])
{
	struct nf_conn_seqadj *seqadj = nfct_seqadj(ct);
	int ret = 0;

	if (!seqadj)
		return 0;

	if (cda[CTA_SEQ_ADJ_ORIG]) {
		ret = change_seq_adj(&seqadj->seq[IP_CT_DIR_ORIGINAL],
				     cda[CTA_SEQ_ADJ_ORIG]);
		if (ret < 0)
			return ret;

		ct->status |= IPS_SEQ_ADJUST;
	}

	if (cda[CTA_SEQ_ADJ_REPLY]) {
		ret = change_seq_adj(&seqadj->seq[IP_CT_DIR_REPLY],
				     cda[CTA_SEQ_ADJ_REPLY]);
		if (ret < 0)
			return ret;

		ct->status |= IPS_SEQ_ADJUST;
	}

	return 0;
}

/* Replace the connlabels bitmap from CTA_LABELS (optionally masked by
 * CTA_LABELS_MASK).  Label data must be a whole number of u32 words and
 * the mask, if given, must have the same length.
 */
static int
ctnetlink_attach_labels(struct nf_conn *ct, const struct nlattr * const cda[])
{
#ifdef CONFIG_NF_CONNTRACK_LABELS
	size_t len = nla_len(cda[CTA_LABELS]);
	const void *mask = cda[CTA_LABELS_MASK];

	if (len & (sizeof(u32)-1)) /* must be multiple of u32 */
		return -EINVAL;

	if (mask) {
		if (nla_len(cda[CTA_LABELS_MASK]) == 0 ||
		    nla_len(cda[CTA_LABELS_MASK]) != len)
			return -EINVAL;
		mask = nla_data(cda[CTA_LABELS_MASK]);
	}

	len /= sizeof(u32);

	return nf_connlabels_replace(ct, nla_data(cda[CTA_LABELS]), mask, len);
#else
	return -EOPNOTSUPP;
#endif
}

/* Update an existing conntrack from the attributes of a CT_NEW request.
 * NAT and master assignment are create-time-only and rejected here.
 * Caller holds nf_conntrack_expect_lock (required by change_helper).
 */
static int
ctnetlink_change_conntrack(struct nf_conn *ct,
			   const struct nlattr * const cda[])
{
	int err;

	/* only allow NAT changes and master assignation for new conntracks */
	if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST] || cda[CTA_TUPLE_MASTER])
		return -EOPNOTSUPP;

	if (cda[CTA_HELP]) {
		err = ctnetlink_change_helper(ct, cda);
		if (err < 0)
			return err;
	}

	if (cda[CTA_TIMEOUT]) {
		err = ctnetlink_change_timeout(ct, cda);
		if (err < 0)
			return err;
	}

	if (cda[CTA_STATUS]) {
		err = ctnetlink_change_status(ct, cda);
		if (err < 0)
			return err;
	}

	if (cda[CTA_PROTOINFO]) {
		err = ctnetlink_change_protoinfo(ct, cda);
		if (err < 0)
			return err;
	}

#if defined(CONFIG_NF_CONNTRACK_MARK)
	if (cda[CTA_MARK])
		ct->mark = ntohl(nla_get_be32(cda[CTA_MARK]));
#endif

	if (cda[CTA_SEQ_ADJ_ORIG] || cda[CTA_SEQ_ADJ_REPLY]) {
		err = ctnetlink_change_seq_adj(ct, cda);
		if (err < 0)
			return err;
	}

	if (cda[CTA_LABELS]) {
		err = ctnetlink_attach_labels(ct, cda);
		if (err < 0)
			return err;
	}

	return 0;
}

/* Allocate and insert a new conntrack entry from netlink attributes. */
static struct nf_conn *
ctnetlink_create_conntrack(struct net *net,
			   const struct nf_conntrack_zone *zone,
			   const
struct nlattr * const cda[], 1721 struct nf_conntrack_tuple *otuple, 1722 struct nf_conntrack_tuple *rtuple, 1723 u8 u3) 1724 { 1725 struct nf_conn *ct; 1726 int err = -EINVAL; 1727 struct nf_conntrack_helper *helper; 1728 struct nf_conn_tstamp *tstamp; 1729 1730 ct = nf_conntrack_alloc(net, zone, otuple, rtuple, GFP_ATOMIC); 1731 if (IS_ERR(ct)) 1732 return ERR_PTR(-ENOMEM); 1733 1734 if (!cda[CTA_TIMEOUT]) 1735 goto err1; 1736 ct->timeout.expires = ntohl(nla_get_be32(cda[CTA_TIMEOUT])); 1737 1738 ct->timeout.expires = jiffies + ct->timeout.expires * HZ; 1739 1740 rcu_read_lock(); 1741 if (cda[CTA_HELP]) { 1742 char *helpname = NULL; 1743 struct nlattr *helpinfo = NULL; 1744 1745 err = ctnetlink_parse_help(cda[CTA_HELP], &helpname, &helpinfo); 1746 if (err < 0) 1747 goto err2; 1748 1749 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct), 1750 nf_ct_protonum(ct)); 1751 if (helper == NULL) { 1752 rcu_read_unlock(); 1753 #ifdef CONFIG_MODULES 1754 if (request_module("nfct-helper-%s", helpname) < 0) { 1755 err = -EOPNOTSUPP; 1756 goto err1; 1757 } 1758 1759 rcu_read_lock(); 1760 helper = __nf_conntrack_helper_find(helpname, 1761 nf_ct_l3num(ct), 1762 nf_ct_protonum(ct)); 1763 if (helper) { 1764 err = -EAGAIN; 1765 goto err2; 1766 } 1767 rcu_read_unlock(); 1768 #endif 1769 err = -EOPNOTSUPP; 1770 goto err1; 1771 } else { 1772 struct nf_conn_help *help; 1773 1774 help = nf_ct_helper_ext_add(ct, helper, GFP_ATOMIC); 1775 if (help == NULL) { 1776 err = -ENOMEM; 1777 goto err2; 1778 } 1779 /* set private helper data if allowed. 
*/ 1780 if (helper->from_nlattr) 1781 helper->from_nlattr(helpinfo, ct); 1782 1783 /* not in hash table yet so not strictly necessary */ 1784 RCU_INIT_POINTER(help->helper, helper); 1785 } 1786 } else { 1787 /* try an implicit helper assignation */ 1788 err = __nf_ct_try_assign_helper(ct, NULL, GFP_ATOMIC); 1789 if (err < 0) 1790 goto err2; 1791 } 1792 1793 err = ctnetlink_setup_nat(ct, cda); 1794 if (err < 0) 1795 goto err2; 1796 1797 nf_ct_acct_ext_add(ct, GFP_ATOMIC); 1798 nf_ct_tstamp_ext_add(ct, GFP_ATOMIC); 1799 nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC); 1800 nf_ct_labels_ext_add(ct); 1801 1802 /* we must add conntrack extensions before confirmation. */ 1803 ct->status |= IPS_CONFIRMED; 1804 1805 if (cda[CTA_STATUS]) { 1806 err = ctnetlink_change_status(ct, cda); 1807 if (err < 0) 1808 goto err2; 1809 } 1810 1811 if (cda[CTA_SEQ_ADJ_ORIG] || cda[CTA_SEQ_ADJ_REPLY]) { 1812 err = ctnetlink_change_seq_adj(ct, cda); 1813 if (err < 0) 1814 goto err2; 1815 } 1816 1817 memset(&ct->proto, 0, sizeof(ct->proto)); 1818 if (cda[CTA_PROTOINFO]) { 1819 err = ctnetlink_change_protoinfo(ct, cda); 1820 if (err < 0) 1821 goto err2; 1822 } 1823 1824 #if defined(CONFIG_NF_CONNTRACK_MARK) 1825 if (cda[CTA_MARK]) 1826 ct->mark = ntohl(nla_get_be32(cda[CTA_MARK])); 1827 #endif 1828 1829 /* setup master conntrack: this is a confirmed expectation */ 1830 if (cda[CTA_TUPLE_MASTER]) { 1831 struct nf_conntrack_tuple master; 1832 struct nf_conntrack_tuple_hash *master_h; 1833 struct nf_conn *master_ct; 1834 1835 err = ctnetlink_parse_tuple(cda, &master, CTA_TUPLE_MASTER, 1836 u3, NULL); 1837 if (err < 0) 1838 goto err2; 1839 1840 master_h = nf_conntrack_find_get(net, zone, &master); 1841 if (master_h == NULL) { 1842 err = -ENOENT; 1843 goto err2; 1844 } 1845 master_ct = nf_ct_tuplehash_to_ctrack(master_h); 1846 __set_bit(IPS_EXPECTED_BIT, &ct->status); 1847 ct->master = master_ct; 1848 } 1849 tstamp = nf_conn_tstamp_find(ct); 1850 if (tstamp) 1851 tstamp->start = ktime_get_real_ns(); 
1852 1853 err = nf_conntrack_hash_check_insert(ct); 1854 if (err < 0) 1855 goto err2; 1856 1857 rcu_read_unlock(); 1858 1859 return ct; 1860 1861 err2: 1862 rcu_read_unlock(); 1863 err1: 1864 nf_conntrack_free(ct); 1865 return ERR_PTR(err); 1866 } 1867 1868 static int 1869 ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb, 1870 const struct nlmsghdr *nlh, 1871 const struct nlattr * const cda[]) 1872 { 1873 struct net *net = sock_net(ctnl); 1874 struct nf_conntrack_tuple otuple, rtuple; 1875 struct nf_conntrack_tuple_hash *h = NULL; 1876 struct nfgenmsg *nfmsg = nlmsg_data(nlh); 1877 struct nf_conn *ct; 1878 u_int8_t u3 = nfmsg->nfgen_family; 1879 struct nf_conntrack_zone zone; 1880 int err; 1881 1882 err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone); 1883 if (err < 0) 1884 return err; 1885 1886 if (cda[CTA_TUPLE_ORIG]) { 1887 err = ctnetlink_parse_tuple(cda, &otuple, CTA_TUPLE_ORIG, 1888 u3, &zone); 1889 if (err < 0) 1890 return err; 1891 } 1892 1893 if (cda[CTA_TUPLE_REPLY]) { 1894 err = ctnetlink_parse_tuple(cda, &rtuple, CTA_TUPLE_REPLY, 1895 u3, &zone); 1896 if (err < 0) 1897 return err; 1898 } 1899 1900 if (cda[CTA_TUPLE_ORIG]) 1901 h = nf_conntrack_find_get(net, &zone, &otuple); 1902 else if (cda[CTA_TUPLE_REPLY]) 1903 h = nf_conntrack_find_get(net, &zone, &rtuple); 1904 1905 if (h == NULL) { 1906 err = -ENOENT; 1907 if (nlh->nlmsg_flags & NLM_F_CREATE) { 1908 enum ip_conntrack_events events; 1909 1910 if (!cda[CTA_TUPLE_ORIG] || !cda[CTA_TUPLE_REPLY]) 1911 return -EINVAL; 1912 1913 ct = ctnetlink_create_conntrack(net, &zone, cda, &otuple, 1914 &rtuple, u3); 1915 if (IS_ERR(ct)) 1916 return PTR_ERR(ct); 1917 1918 err = 0; 1919 if (test_bit(IPS_EXPECTED_BIT, &ct->status)) 1920 events = IPCT_RELATED; 1921 else 1922 events = IPCT_NEW; 1923 1924 if (cda[CTA_LABELS] && 1925 ctnetlink_attach_labels(ct, cda) == 0) 1926 events |= (1 << IPCT_LABEL); 1927 1928 nf_conntrack_eventmask_report((1 << IPCT_REPLY) | 1929 (1 << IPCT_ASSURED) | 1930 (1 << 
IPCT_HELPER) | 1931 (1 << IPCT_PROTOINFO) | 1932 (1 << IPCT_SEQADJ) | 1933 (1 << IPCT_MARK) | events, 1934 ct, NETLINK_CB(skb).portid, 1935 nlmsg_report(nlh)); 1936 nf_ct_put(ct); 1937 } 1938 1939 return err; 1940 } 1941 /* implicit 'else' */ 1942 1943 err = -EEXIST; 1944 ct = nf_ct_tuplehash_to_ctrack(h); 1945 if (!(nlh->nlmsg_flags & NLM_F_EXCL)) { 1946 spin_lock_bh(&nf_conntrack_expect_lock); 1947 err = ctnetlink_change_conntrack(ct, cda); 1948 spin_unlock_bh(&nf_conntrack_expect_lock); 1949 if (err == 0) { 1950 nf_conntrack_eventmask_report((1 << IPCT_REPLY) | 1951 (1 << IPCT_ASSURED) | 1952 (1 << IPCT_HELPER) | 1953 (1 << IPCT_LABEL) | 1954 (1 << IPCT_PROTOINFO) | 1955 (1 << IPCT_SEQADJ) | 1956 (1 << IPCT_MARK), 1957 ct, NETLINK_CB(skb).portid, 1958 nlmsg_report(nlh)); 1959 } 1960 } 1961 1962 nf_ct_put(ct); 1963 return err; 1964 } 1965 1966 static int 1967 ctnetlink_ct_stat_cpu_fill_info(struct sk_buff *skb, u32 portid, u32 seq, 1968 __u16 cpu, const struct ip_conntrack_stat *st) 1969 { 1970 struct nlmsghdr *nlh; 1971 struct nfgenmsg *nfmsg; 1972 unsigned int flags = portid ? 
			     NLM_F_MULTI : 0, event;

	event = (NFNL_SUBSYS_CTNETLINK << 8 | IPCTNL_MSG_CT_GET_STATS_CPU);
	nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
	if (nlh == NULL)
		goto nlmsg_failure;

	nfmsg = nlmsg_data(nlh);
	nfmsg->nfgen_family = AF_UNSPEC;
	nfmsg->version      = NFNETLINK_V0;
	/* res_id carries the cpu number this record belongs to */
	nfmsg->res_id	    = htons(cpu);

	if (nla_put_be32(skb, CTA_STATS_SEARCHED, htonl(st->searched)) ||
	    nla_put_be32(skb, CTA_STATS_FOUND, htonl(st->found)) ||
	    nla_put_be32(skb, CTA_STATS_NEW, htonl(st->new)) ||
	    nla_put_be32(skb, CTA_STATS_INVALID, htonl(st->invalid)) ||
	    nla_put_be32(skb, CTA_STATS_IGNORE, htonl(st->ignore)) ||
	    nla_put_be32(skb, CTA_STATS_DELETE, htonl(st->delete)) ||
	    nla_put_be32(skb, CTA_STATS_DELETE_LIST, htonl(st->delete_list)) ||
	    nla_put_be32(skb, CTA_STATS_INSERT, htonl(st->insert)) ||
	    nla_put_be32(skb, CTA_STATS_INSERT_FAILED,
			 htonl(st->insert_failed)) ||
	    nla_put_be32(skb, CTA_STATS_DROP, htonl(st->drop)) ||
	    nla_put_be32(skb, CTA_STATS_EARLY_DROP, htonl(st->early_drop)) ||
	    nla_put_be32(skb, CTA_STATS_ERROR, htonl(st->error)) ||
	    nla_put_be32(skb, CTA_STATS_SEARCH_RESTART,
			 htonl(st->search_restart)))
		goto nla_put_failure;

	nlmsg_end(skb, nlh);
	return skb->len;

nla_put_failure:
nlmsg_failure:
	nlmsg_cancel(skb, nlh);
	return -1;
}

/* Dump per-cpu conntrack statistics; cb->args[0] is the cpu to resume at. */
static int
ctnetlink_ct_stat_cpu_dump(struct sk_buff *skb, struct netlink_callback *cb)
{
	int cpu;
	struct net *net = sock_net(skb->sk);

	if (cb->args[0] == nr_cpu_ids)
		return 0;

	for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) {
		const struct ip_conntrack_stat *st;

		if (!cpu_possible(cpu))
			continue;

		st = per_cpu_ptr(net->ct.stat, cpu);
		if (ctnetlink_ct_stat_cpu_fill_info(skb,
						    NETLINK_CB(cb->skb).portid,
						    cb->nlh->nlmsg_seq,
						    cpu, st) < 0)
			break;
	}
	cb->args[0] = cpu;

	return skb->len;
}

/* IPCTNL_MSG_CT_GET_STATS_CPU handler: dump-only interface. */
static int
ctnetlink_stat_ct_cpu(struct sock *ctnl, struct sk_buff *skb,
		      const struct nlmsghdr *nlh,
		      const struct nlattr * const cda[])
{
	if (nlh->nlmsg_flags & NLM_F_DUMP) {
		struct netlink_dump_control c = {
			.dump = ctnetlink_ct_stat_cpu_dump,
		};
		return netlink_dump_start(ctnl, skb, nlh, &c);
	}

	return 0;
}

/* Serialize the global conntrack entry count into a netlink message. */
static int
ctnetlink_stat_ct_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
			    struct net *net)
{
	struct nlmsghdr *nlh;
	struct nfgenmsg *nfmsg;
	unsigned int flags = portid ? NLM_F_MULTI : 0, event;
	unsigned int nr_conntracks = atomic_read(&net->ct.count);

	event = (NFNL_SUBSYS_CTNETLINK << 8 | IPCTNL_MSG_CT_GET_STATS);
	nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
	if (nlh == NULL)
		goto nlmsg_failure;

	nfmsg = nlmsg_data(nlh);
	nfmsg->nfgen_family = AF_UNSPEC;
	nfmsg->version      = NFNETLINK_V0;
	nfmsg->res_id	    = 0;

	if (nla_put_be32(skb, CTA_STATS_GLOBAL_ENTRIES, htonl(nr_conntracks)))
		goto nla_put_failure;

	nlmsg_end(skb, nlh);
	return skb->len;

nla_put_failure:
nlmsg_failure:
	nlmsg_cancel(skb, nlh);
	return -1;
}

/* IPCTNL_MSG_CT_GET_STATS handler: unicast the global stats back. */
static int
ctnetlink_stat_ct(struct sock *ctnl, struct sk_buff *skb,
		  const struct nlmsghdr *nlh,
		  const struct nlattr * const cda[])
{
	struct sk_buff *skb2;
	int err;

	skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
	if (skb2 == NULL)
		return -ENOMEM;

	err = ctnetlink_stat_ct_fill_info(skb2, NETLINK_CB(skb).portid,
					  nlh->nlmsg_seq,
					  NFNL_MSG_TYPE(nlh->nlmsg_type),
					  sock_net(skb->sk));
	if (err <= 0)
		goto free;

	/* netlink_unicast consumes skb2 on both success and failure */
	err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
	if (err < 0)
		goto out;

	return 0;

free:
	kfree_skb(skb2);
out:
	/* this avoids a loop in nfnetlink. */
	return err == -EAGAIN ? -ENOBUFS : err;
}

static const struct nla_policy exp_nla_policy[CTA_EXPECT_MAX+1] = {
	[CTA_EXPECT_MASTER]	= { .type = NLA_NESTED },
	[CTA_EXPECT_TUPLE]	= { .type = NLA_NESTED },
	[CTA_EXPECT_MASK]	= { .type = NLA_NESTED },
	[CTA_EXPECT_TIMEOUT]	= { .type = NLA_U32 },
	[CTA_EXPECT_ID]		= { .type = NLA_U32 },
	[CTA_EXPECT_HELP_NAME]	= { .type = NLA_NUL_STRING,
				    .len = NF_CT_HELPER_NAME_LEN - 1 },
	[CTA_EXPECT_ZONE]	= { .type = NLA_U16 },
	[CTA_EXPECT_FLAGS]	= { .type = NLA_U32 },
	[CTA_EXPECT_CLASS]	= { .type = NLA_U32 },
	[CTA_EXPECT_NAT]	= { .type = NLA_NESTED },
	[CTA_EXPECT_FN]		= { .type = NLA_NUL_STRING },
};

/* forward declaration; defined in the expectation section below */
static struct nf_conntrack_expect *
ctnetlink_alloc_expect(const struct nlattr *const cda[], struct nf_conn *ct,
		       struct nf_conntrack_helper *helper,
		       struct nf_conntrack_tuple *tuple,
		       struct nf_conntrack_tuple *mask);

#ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT
/* Worst-case attribute space needed by __ctnetlink_glue_build(). */
static size_t
ctnetlink_glue_build_size(const struct nf_conn *ct)
{
	return 3 * nla_total_size(0)       /* CTA_TUPLE_ORIG|REPL|MASTER */
	       + 3 * nla_total_size(0)       /* CTA_TUPLE_IP */
	       + 3 * nla_total_size(0)       /* CTA_TUPLE_PROTO */
	       + 3 * nla_total_size(sizeof(u_int8_t)) /* CTA_PROTO_NUM */
	       + nla_total_size(sizeof(u_int32_t)) /* CTA_ID */
	       + nla_total_size(sizeof(u_int32_t)) /* CTA_STATUS */
	       + nla_total_size(sizeof(u_int32_t)) /* CTA_TIMEOUT */
	       + nla_total_size(0) /* CTA_PROTOINFO */
	       + nla_total_size(0) /* CTA_HELP */
	       + nla_total_size(NF_CT_HELPER_NAME_LEN) /* CTA_HELP_NAME */
	       + ctnetlink_secctx_size(ct)
#ifdef CONFIG_NF_NAT_NEEDED
	       + 2 * nla_total_size(0) /* CTA_NAT_SEQ_ADJ_ORIG|REPL */
	       + 6 * nla_total_size(sizeof(u_int32_t)) /* CTA_NAT_SEQ_OFFSET */
#endif
#ifdef CONFIG_NF_CONNTRACK_MARK
	       + nla_total_size(sizeof(u_int32_t)) /* CTA_MARK */
#endif
#ifdef CONFIG_NF_CONNTRACK_ZONES
	       + nla_total_size(sizeof(u_int16_t)) /* CTA_ZONE|CTA_TUPLE_ZONE */
#endif
	       + ctnetlink_proto_size(ct)
	       ;
}

/* Resolve the conntrack attached to an skb; the untracked dummy entry is
 * reported as "no conntrack".
 */
static struct nf_conn *ctnetlink_glue_get_ct(const struct sk_buff *skb,
					     enum ip_conntrack_info *ctinfo)
{
	struct nf_conn *ct;

	ct = nf_ct_get(skb, ctinfo);
	if (ct && nf_ct_is_untracked(ct))
		ct = NULL;

	return ct;
}

/* Serialize a conntrack entry for the nfnetlink glue (nfqueue/nflog):
 * tuples, zone, id, status, timeout, protoinfo, helper, secctx, master,
 * seqadj, mark and labels.
 */
static int __ctnetlink_glue_build(struct sk_buff *skb, struct nf_conn *ct)
{
	const struct nf_conntrack_zone *zone;
	struct nlattr *nest_parms;

	rcu_read_lock();
	zone = nf_ct_zone(ct);

	nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED);
	if (!nest_parms)
		goto nla_put_failure;
	if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
		goto nla_put_failure;
	if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
				   NF_CT_ZONE_DIR_ORIG) < 0)
		goto nla_put_failure;
	nla_nest_end(skb, nest_parms);

	nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY | NLA_F_NESTED);
	if (!nest_parms)
		goto nla_put_failure;
	if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
		goto nla_put_failure;
	if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
				   NF_CT_ZONE_DIR_REPL) < 0)
		goto nla_put_failure;
	nla_nest_end(skb, nest_parms);

	if (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone,
				   NF_CT_DEFAULT_ZONE_DIR) < 0)
		goto nla_put_failure;

	if (ctnetlink_dump_id(skb, ct) < 0)
		goto nla_put_failure;

	if (ctnetlink_dump_status(skb, ct) < 0)
		goto nla_put_failure;

	if (ctnetlink_dump_timeout(skb, ct) < 0)
		goto nla_put_failure;

	if (ctnetlink_dump_protoinfo(skb, ct) < 0)
		goto nla_put_failure;

	if (ctnetlink_dump_helpinfo(skb, ct) < 0)
		goto nla_put_failure;

#ifdef CONFIG_NF_CONNTRACK_SECMARK
	if (ct->secmark && ctnetlink_dump_secctx(skb, ct) < 0)
		goto nla_put_failure;
#endif
	if (ct->master && ctnetlink_dump_master(skb, ct) < 0)
		goto nla_put_failure;

	if ((ct->status & IPS_SEQ_ADJUST) &&
	    ctnetlink_dump_ct_seq_adj(skb, ct) < 0)
		goto nla_put_failure;

#ifdef CONFIG_NF_CONNTRACK_MARK
	if (ct->mark && ctnetlink_dump_mark(skb, ct) < 0)
		goto nla_put_failure;
#endif
	if (ctnetlink_dump_labels(skb, ct) < 0)
		goto nla_put_failure;
	rcu_read_unlock();
	return 0;

nla_put_failure:
	rcu_read_unlock();
	return -ENOSPC;
}

/* Glue entry point: wrap __ctnetlink_glue_build() in the caller-chosen
 * nested attribute and append the ctinfo attribute.
 */
static int
ctnetlink_glue_build(struct sk_buff *skb, struct nf_conn *ct,
		     enum ip_conntrack_info ctinfo,
		     u_int16_t ct_attr, u_int16_t ct_info_attr)
{
	struct nlattr *nest_parms;

	nest_parms = nla_nest_start(skb, ct_attr | NLA_F_NESTED);
	if (!nest_parms)
		goto nla_put_failure;

	if (__ctnetlink_glue_build(skb, ct) < 0)
		goto nla_put_failure;

	nla_nest_end(skb, nest_parms);

	if (nla_put_be32(skb, ct_info_attr, htonl(ctinfo)))
		goto nla_put_failure;

	return 0;

nla_put_failure:
	return -ENOSPC;
}

/* Apply the mutable subset of CT attributes to an existing conntrack on
 * behalf of the glue.  Caller holds nf_conntrack_expect_lock.
 */
static int
ctnetlink_glue_parse_ct(const struct nlattr *cda[], struct nf_conn *ct)
{
	int err;

	if (cda[CTA_TIMEOUT]) {
		err = ctnetlink_change_timeout(ct, cda);
		if (err < 0)
			return err;
	}
	if (cda[CTA_STATUS]) {
		err = ctnetlink_change_status(ct, cda);
		if (err < 0)
			return err;
	}
	if (cda[CTA_HELP]) {
		err = ctnetlink_change_helper(ct, cda);
		if (err < 0)
			return err;
	}
	if (cda[CTA_LABELS]) {
		err = ctnetlink_attach_labels(ct, cda);
		if (err < 0)
			return err;
	}
#if defined(CONFIG_NF_CONNTRACK_MARK)
	if (cda[CTA_MARK]) {
		u32 mask = 0, mark, newmark;
		if (cda[CTA_MARK_MASK])
			mask = ~ntohl(nla_get_be32(cda[CTA_MARK_MASK]));

		mark = ntohl(nla_get_be32(cda[CTA_MARK]));
		/* keep the bits covered by ~mask, overlay the new mark */
		newmark = (ct->mark & mask) ^ mark;
		if (newmark != ct->mark)
			ct->mark = newmark;
	}
#endif
	return 0;
}

/* Glue parse entry point: validate the nested CT attribute and apply it
 * under nf_conntrack_expect_lock.
 */
static int
ctnetlink_glue_parse(const struct nlattr *attr, struct nf_conn *ct)
{
	struct nlattr *cda[CTA_MAX+1];
	int ret;

	ret = nla_parse_nested(cda, CTA_MAX, attr, ct_nla_policy);
	if (ret < 0)
		return ret;

	spin_lock_bh(&nf_conntrack_expect_lock);
	ret = ctnetlink_glue_parse_ct((const struct nlattr **)cda, ct);
	spin_unlock_bh(&nf_conntrack_expect_lock);

	return ret;
}

/* Parse the expectation tuple and mask for glue-attached expectations. */
static int ctnetlink_glue_exp_parse(const struct nlattr * const *cda,
				    const struct nf_conn *ct,
				    struct nf_conntrack_tuple *tuple,
				    struct nf_conntrack_tuple *mask)
{
	int err;

	err = ctnetlink_parse_tuple(cda, tuple, CTA_EXPECT_TUPLE,
				    nf_ct_l3num(ct), NULL);
	if (err < 0)
		return err;

	return ctnetlink_parse_tuple(cda, mask, CTA_EXPECT_MASK,
				     nf_ct_l3num(ct), NULL);
}

/* Attach a new expectation to ct from a nested CTA_EXPECT attribute. */
static int
ctnetlink_glue_attach_expect(const struct nlattr *attr, struct nf_conn *ct,
			     u32 portid, u32 report)
{
	struct nlattr *cda[CTA_EXPECT_MAX+1];
	struct nf_conntrack_tuple tuple, mask;
	struct nf_conntrack_helper *helper = NULL;
	struct nf_conntrack_expect *exp;
	int err;

	err = nla_parse_nested(cda, CTA_EXPECT_MAX, attr, exp_nla_policy);
	if (err < 0)
		return err;

	err = ctnetlink_glue_exp_parse((const struct nlattr * const *)cda,
				       ct, &tuple, &mask);
	if (err < 0)
		return err;

	if (cda[CTA_EXPECT_HELP_NAME]) {
		const char *helpname = nla_data(cda[CTA_EXPECT_HELP_NAME]);

		helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
						    nf_ct_protonum(ct));
		if (helper == NULL)
			return -EOPNOTSUPP;
	}

	exp =
ctnetlink_alloc_expect((const struct nlattr * const *)cda, ct, 2376 helper, &tuple, &mask); 2377 if (IS_ERR(exp)) 2378 return PTR_ERR(exp); 2379 2380 err = nf_ct_expect_related_report(exp, portid, report); 2381 if (err < 0) { 2382 nf_ct_expect_put(exp); 2383 return err; 2384 } 2385 2386 return 0; 2387 } 2388 2389 static void ctnetlink_glue_seqadj(struct sk_buff *skb, struct nf_conn *ct, 2390 enum ip_conntrack_info ctinfo, int diff) 2391 { 2392 if (!(ct->status & IPS_NAT_MASK)) 2393 return; 2394 2395 nf_ct_tcp_seqadj_set(skb, ct, ctinfo, diff); 2396 } 2397 2398 static struct nfnl_ct_hook ctnetlink_glue_hook = { 2399 .get_ct = ctnetlink_glue_get_ct, 2400 .build_size = ctnetlink_glue_build_size, 2401 .build = ctnetlink_glue_build, 2402 .parse = ctnetlink_glue_parse, 2403 .attach_expect = ctnetlink_glue_attach_expect, 2404 .seq_adjust = ctnetlink_glue_seqadj, 2405 }; 2406 #endif /* CONFIG_NETFILTER_NETLINK_GLUE_CT */ 2407 2408 /*********************************************************************** 2409 * EXPECT 2410 ***********************************************************************/ 2411 2412 static inline int 2413 ctnetlink_exp_dump_tuple(struct sk_buff *skb, 2414 const struct nf_conntrack_tuple *tuple, 2415 enum ctattr_expect type) 2416 { 2417 struct nlattr *nest_parms; 2418 2419 nest_parms = nla_nest_start(skb, type | NLA_F_NESTED); 2420 if (!nest_parms) 2421 goto nla_put_failure; 2422 if (ctnetlink_dump_tuples(skb, tuple) < 0) 2423 goto nla_put_failure; 2424 nla_nest_end(skb, nest_parms); 2425 2426 return 0; 2427 2428 nla_put_failure: 2429 return -1; 2430 } 2431 2432 static inline int 2433 ctnetlink_exp_dump_mask(struct sk_buff *skb, 2434 const struct nf_conntrack_tuple *tuple, 2435 const struct nf_conntrack_tuple_mask *mask) 2436 { 2437 int ret; 2438 struct nf_conntrack_l3proto *l3proto; 2439 struct nf_conntrack_l4proto *l4proto; 2440 struct nf_conntrack_tuple m; 2441 struct nlattr *nest_parms; 2442 2443 memset(&m, 0xFF, sizeof(m)); 2444 memcpy(&m.src.u3, 
&mask->src.u3, sizeof(m.src.u3));
	m.src.u.all = mask->src.u.all;
	m.dst.protonum = tuple->dst.protonum;

	nest_parms = nla_nest_start(skb, CTA_EXPECT_MASK | NLA_F_NESTED);
	if (!nest_parms)
		goto nla_put_failure;

	/* RCU protects the l3/l4 protocol trackers looked up here. */
	rcu_read_lock();
	l3proto = __nf_ct_l3proto_find(tuple->src.l3num);
	ret = ctnetlink_dump_tuples_ip(skb, &m, l3proto);
	if (ret >= 0) {
		l4proto = __nf_ct_l4proto_find(tuple->src.l3num,
					       tuple->dst.protonum);
		ret = ctnetlink_dump_tuples_proto(skb, &m, l4proto);
	}
	rcu_read_unlock();

	if (unlikely(ret < 0))
		goto nla_put_failure;

	nla_nest_end(skb, nest_parms);

	return 0;

nla_put_failure:
	return -1;
}

/* All-zero address, used below to detect whether exp->saved_addr
 * carries meaningful NAT information.
 */
static const union nf_inet_addr any_addr;

/* Dump one expectation: tuple, mask, master tuple, optional NAT info,
 * timeout/id/flags/class, and helper/expectfn names when present.
 * Returns 0 on success, -1 if the skb ran out of room.
 */
static int
ctnetlink_exp_dump_expect(struct sk_buff *skb,
			  const struct nf_conntrack_expect *exp)
{
	struct nf_conn *master = exp->master;
	/* Remaining lifetime in seconds, clamped to 0 if already expired. */
	long timeout = ((long)exp->timeout.expires - (long)jiffies) / HZ;
	struct nf_conn_help *help;
#ifdef CONFIG_NF_NAT_NEEDED
	struct nlattr *nest_parms;
	struct nf_conntrack_tuple nat_tuple = {};
#endif
	struct nf_ct_helper_expectfn *expfn;

	if (timeout < 0)
		timeout = 0;

	if (ctnetlink_exp_dump_tuple(skb, &exp->tuple, CTA_EXPECT_TUPLE) < 0)
		goto nla_put_failure;
	if (ctnetlink_exp_dump_mask(skb, &exp->tuple, &exp->mask) < 0)
		goto nla_put_failure;
	if (ctnetlink_exp_dump_tuple(skb,
				     &master->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
				     CTA_EXPECT_MASTER) < 0)
		goto nla_put_failure;

#ifdef CONFIG_NF_NAT_NEEDED
	/* Only emit the NAT nest when there is actual saved NAT state. */
	if (!nf_inet_addr_cmp(&exp->saved_addr, &any_addr) ||
	    exp->saved_proto.all) {
		nest_parms = nla_nest_start(skb, CTA_EXPECT_NAT | NLA_F_NESTED);
		if (!nest_parms)
			goto nla_put_failure;

		if (nla_put_be32(skb, CTA_EXPECT_NAT_DIR, htonl(exp->dir)))
			goto nla_put_failure;

		nat_tuple.src.l3num = nf_ct_l3num(master);
		nat_tuple.src.u3 = exp->saved_addr;
		nat_tuple.dst.protonum = nf_ct_protonum(master);
		nat_tuple.src.u = exp->saved_proto;

		if (ctnetlink_exp_dump_tuple(skb, &nat_tuple,
					     CTA_EXPECT_NAT_TUPLE) < 0)
			goto nla_put_failure;
		nla_nest_end(skb, nest_parms);
	}
#endif
	/* The expectation id is derived from the object address; userspace
	 * echoes it back in CTA_EXPECT_ID for exact-match get/delete.
	 */
	if (nla_put_be32(skb, CTA_EXPECT_TIMEOUT, htonl(timeout)) ||
	    nla_put_be32(skb, CTA_EXPECT_ID, htonl((unsigned long)exp)) ||
	    nla_put_be32(skb, CTA_EXPECT_FLAGS, htonl(exp->flags)) ||
	    nla_put_be32(skb, CTA_EXPECT_CLASS, htonl(exp->class)))
		goto nla_put_failure;
	help = nfct_help(master);
	if (help) {
		struct nf_conntrack_helper *helper;

		helper = rcu_dereference(help->helper);
		if (helper &&
		    nla_put_string(skb, CTA_EXPECT_HELP_NAME, helper->name))
			goto nla_put_failure;
	}
	expfn = nf_ct_helper_expectfn_find_by_symbol(exp->expectfn);
	if (expfn != NULL &&
	    nla_put_string(skb, CTA_EXPECT_FN, expfn->name))
		goto nla_put_failure;

	return 0;

nla_put_failure:
	return -1;
}

/* Build a complete expectation netlink message into @skb.
 * Returns skb->len on success, -1 on failure (message cancelled).
 */
static int
ctnetlink_exp_fill_info(struct sk_buff *skb, u32 portid, u32 seq,
			int event, const struct nf_conntrack_expect *exp)
{
	struct nlmsghdr *nlh;
	struct nfgenmsg *nfmsg;
	unsigned int flags = portid ?
NLM_F_MULTI : 0;

	event |= NFNL_SUBSYS_CTNETLINK_EXP << 8;
	nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
	if (nlh == NULL)
		goto nlmsg_failure;

	nfmsg = nlmsg_data(nlh);
	nfmsg->nfgen_family = exp->tuple.src.l3num;
	nfmsg->version = NFNETLINK_V0;
	nfmsg->res_id = 0;

	if (ctnetlink_exp_dump_expect(skb, exp) < 0)
		goto nla_put_failure;

	nlmsg_end(skb, nlh);
	return skb->len;

nlmsg_failure:
nla_put_failure:
	nlmsg_cancel(skb, nlh);
	return -1;
}

#ifdef CONFIG_NF_CONNTRACK_EVENTS
/* Expectation event notifier: multicast a NEW or DESTROY message to the
 * corresponding NFNLGRP_CONNTRACK_EXP_* group.  Always returns 0; a
 * delivery failure is reported via nfnetlink_set_err() instead.
 */
static int
ctnetlink_expect_event(unsigned int events, struct nf_exp_event *item)
{
	struct nf_conntrack_expect *exp = item->exp;
	struct net *net = nf_ct_exp_net(exp);
	struct nlmsghdr *nlh;
	struct nfgenmsg *nfmsg;
	struct sk_buff *skb;
	unsigned int type, group;
	int flags = 0;

	if (events & (1 << IPEXP_DESTROY)) {
		type = IPCTNL_MSG_EXP_DELETE;
		group = NFNLGRP_CONNTRACK_EXP_DESTROY;
	} else if (events & (1 << IPEXP_NEW)) {
		type = IPCTNL_MSG_EXP_NEW;
		flags = NLM_F_CREATE|NLM_F_EXCL;
		group = NFNLGRP_CONNTRACK_EXP_NEW;
	} else
		return 0;

	/* Skip the allocation/dump work when nobody is listening. */
	if (!item->report && !nfnetlink_has_listeners(net, group))
		return 0;

	skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
	if (skb == NULL)
		goto errout;

	type |= NFNL_SUBSYS_CTNETLINK_EXP << 8;
	nlh = nlmsg_put(skb, item->portid, 0, type, sizeof(*nfmsg), flags);
	if (nlh == NULL)
		goto nlmsg_failure;

	nfmsg = nlmsg_data(nlh);
	nfmsg->nfgen_family = exp->tuple.src.l3num;
	nfmsg->version = NFNETLINK_V0;
	nfmsg->res_id = 0;

	rcu_read_lock();
	if (ctnetlink_exp_dump_expect(skb, exp) < 0)
		goto nla_put_failure;
	rcu_read_unlock();

	nlmsg_end(skb, nlh);
	nfnetlink_send(skb, net, item->portid, group, item->report, GFP_ATOMIC);
	return 0;

nla_put_failure:
	/* Jumped here with the RCU read lock still held: drop it first. */
	rcu_read_unlock();
	nlmsg_cancel(skb, nlh);
nlmsg_failure:
	kfree_skb(skb);
errout:
	nfnetlink_set_err(net, 0, 0, -ENOBUFS);
	return 0;
}
#endif
/* Dump completion: release the expectation pinned by a partial dump. */
static int ctnetlink_exp_done(struct netlink_callback *cb)
{
	if (cb->args[1])
		nf_ct_expect_put((struct nf_conntrack_expect *)cb->args[1]);
	return 0;
}

/* Dump all expectations (optionally filtered by l3 family).
 * cb->args[0] is the current hash bucket; cb->args[1] pins the last
 * expectation dumped so the walk can resume after a full skb.
 */
static int
ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
{
	struct net *net = sock_net(skb->sk);
	struct nf_conntrack_expect *exp, *last;
	struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
	u_int8_t l3proto = nfmsg->nfgen_family;

	rcu_read_lock();
	last = (struct nf_conntrack_expect *)cb->args[1];
	for (; cb->args[0] < nf_ct_expect_hsize; cb->args[0]++) {
restart:
		hlist_for_each_entry(exp, &net->ct.expect_hash[cb->args[0]],
				     hnode) {
			if (l3proto && exp->tuple.src.l3num != l3proto)
				continue;
			if (cb->args[1]) {
				/* Skip forward to the resume point. */
				if (exp != last)
					continue;
				cb->args[1] = 0;
			}
			if (ctnetlink_exp_fill_info(skb,
						    NETLINK_CB(cb->skb).portid,
						    cb->nlh->nlmsg_seq,
						    IPCTNL_MSG_EXP_NEW,
						    exp) < 0) {
				/* skb full: pin this entry for the next
				 * round, unless it is already dying.
				 */
				if (!atomic_inc_not_zero(&exp->use))
					continue;
				cb->args[1] = (unsigned long)exp;
				goto out;
			}
		}
		if (cb->args[1]) {
			/* Resume point vanished: rescan this bucket. */
			cb->args[1] = 0;
			goto restart;
		}
	}
out:
	rcu_read_unlock();
	if (last)
		nf_ct_expect_put(last);

	return skb->len;
}

/* Dump all expectations attached to one master conntrack (cb->data),
 * walking the master's help->expectations list.  Same resume scheme
 * as ctnetlink_exp_dump_table(); cb->args[0] flags completion.
 */
static int
ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
{
	struct nf_conntrack_expect *exp, *last;
	struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
	struct nf_conn *ct = cb->data;
	struct nf_conn_help *help = nfct_help(ct);
	u_int8_t l3proto = nfmsg->nfgen_family;

	if (cb->args[0])
		return 0;

	rcu_read_lock();
	last = (struct nf_conntrack_expect *)cb->args[1];
restart:
	hlist_for_each_entry(exp, &help->expectations, lnode) {
		if (l3proto && exp->tuple.src.l3num != l3proto)
			continue;
		if (cb->args[1]) {
			/* Skip forward to the resume point. */
			if (exp != last)
				continue;
			cb->args[1] = 0;
		}
		if (ctnetlink_exp_fill_info(skb, NETLINK_CB(cb->skb).portid,
					    cb->nlh->nlmsg_seq,
					    IPCTNL_MSG_EXP_NEW,
					    exp) < 0) {
			/* skb full: pin this entry so the next dump round
			 * can resume here, unless it is already dying.
			 */
			if (!atomic_inc_not_zero(&exp->use))
				continue;
			cb->args[1] = (unsigned long)exp;
			goto out;
		}
	}
	if (cb->args[1]) {
		/* Resume point vanished: rescan from the list head. */
		cb->args[1] = 0;
		goto restart;
	}
	/* Walk finished: mark the dump complete. */
	cb->args[0] = 1;
out:
	rcu_read_unlock();
	if (last)
		nf_ct_expect_put(last);

	return skb->len;
}

/* Start a per-master expectation dump: look up the master conntrack by
 * CTA_EXPECT_MASTER tuple and zone, then hand it to netlink_dump_start()
 * through c.data.
 */
static int ctnetlink_dump_exp_ct(struct sock *ctnl, struct sk_buff *skb,
				 const struct nlmsghdr *nlh,
				 const struct nlattr * const cda[])
{
	int err;
	struct net *net = sock_net(ctnl);
	struct nfgenmsg *nfmsg = nlmsg_data(nlh);
	u_int8_t u3 = nfmsg->nfgen_family;
	struct nf_conntrack_tuple tuple;
	struct nf_conntrack_tuple_hash *h;
	struct nf_conn *ct;
	struct nf_conntrack_zone zone;
	struct netlink_dump_control c = {
		.dump = ctnetlink_exp_ct_dump_table,
		.done = ctnetlink_exp_done,
	};

	err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER,
				    u3, NULL);
	if (err < 0)
		return err;

	err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
	if (err < 0)
		return err;

	h = nf_conntrack_find_get(net, &zone, &tuple);
	if (!h)
		return -ENOENT;

	ct = nf_ct_tuplehash_to_ctrack(h);
	c.data = ct;

	err = netlink_dump_start(ctnl, skb, nlh, &c);
	/* Drop the lookup reference; the dump callback holds its own
	 * access to ct via c.data for the duration of the dump.
	 */
	nf_ct_put(ct);

	return err;
}

/* IPCTNL_MSG_EXP_GET handler: either start a dump (NLM_F_DUMP, with an
 * optional CTA_EXPECT_MASTER filter) or look up and unicast a single
 * expectation by tuple/master tuple, optionally verified by
 * CTA_EXPECT_ID.
 */
static int
ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb,
		     const struct nlmsghdr *nlh,
		     const struct nlattr * const cda[])
{
	struct net *net = sock_net(ctnl);
	struct nf_conntrack_tuple tuple;
	struct nf_conntrack_expect *exp;
	struct sk_buff *skb2;
	struct nfgenmsg *nfmsg = nlmsg_data(nlh);
	u_int8_t u3 = nfmsg->nfgen_family;
	struct nf_conntrack_zone zone;
	int err;

	if (nlh->nlmsg_flags & NLM_F_DUMP) {
		if (cda[CTA_EXPECT_MASTER])
			return ctnetlink_dump_exp_ct(ctnl, skb, nlh, cda);
		else {
			struct netlink_dump_control c = {
				.dump = ctnetlink_exp_dump_table,
				.done = ctnetlink_exp_done,
			};
			return netlink_dump_start(ctnl, skb, nlh, &c);
		}
	}

	err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
	if (err < 0)
		return err;

	if (cda[CTA_EXPECT_TUPLE])
		err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE,
					    u3, NULL);
	else if (cda[CTA_EXPECT_MASTER])
		err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER,
					    u3, NULL);
	else
		return -EINVAL;

	if (err < 0)
		return err;

	exp = nf_ct_expect_find_get(net, &zone, &tuple);
	if (!exp)
		return -ENOENT;

	if (cda[CTA_EXPECT_ID]) {
		__be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);
		/* The id is the object address (see the dump side). */
		if (ntohl(id) != (u32)(unsigned long)exp) {
			nf_ct_expect_put(exp);
			return -ENOENT;
		}
	}

	err = -ENOMEM;
	skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
	if (skb2 == NULL) {
		nf_ct_expect_put(exp);
		goto out;
	}

	rcu_read_lock();
	err = ctnetlink_exp_fill_info(skb2, NETLINK_CB(skb).portid,
				      nlh->nlmsg_seq, IPCTNL_MSG_EXP_NEW, exp);
	rcu_read_unlock();
	nf_ct_expect_put(exp);
	if (err <= 0)
		goto free;

	err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
	if (err < 0)
		goto out;

	return 0;

free:
	kfree_skb(skb2);
out:
	/* this avoids a loop in nfnetlink. */
	return err == -EAGAIN ?
-ENOBUFS : err;
}

/* IPCTNL_MSG_EXP_DELETE handler.  Three modes, selected by attribute:
 * CTA_EXPECT_TUPLE deletes one expectation, CTA_EXPECT_HELP_NAME flushes
 * all expectations of a helper, and neither flushes everything.
 * In every case a successful del_timer() means we own the timer's
 * reference, so unlinking plus nf_ct_expect_put() is safe.
 */
static int
ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb,
		     const struct nlmsghdr *nlh,
		     const struct nlattr * const cda[])
{
	struct net *net = sock_net(ctnl);
	struct nf_conntrack_expect *exp;
	struct nf_conntrack_tuple tuple;
	struct nfgenmsg *nfmsg = nlmsg_data(nlh);
	struct hlist_node *next;
	u_int8_t u3 = nfmsg->nfgen_family;
	struct nf_conntrack_zone zone;
	unsigned int i;
	int err;

	if (cda[CTA_EXPECT_TUPLE]) {
		/* delete a single expect by tuple */
		err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
		if (err < 0)
			return err;

		err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE,
					    u3, NULL);
		if (err < 0)
			return err;

		/* bump usage count to 2 */
		exp = nf_ct_expect_find_get(net, &zone, &tuple);
		if (!exp)
			return -ENOENT;

		if (cda[CTA_EXPECT_ID]) {
			__be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);
			if (ntohl(id) != (u32)(unsigned long)exp) {
				nf_ct_expect_put(exp);
				return -ENOENT;
			}
		}

		/* after list removal, usage count == 1 */
		spin_lock_bh(&nf_conntrack_expect_lock);
		if (del_timer(&exp->timeout)) {
			nf_ct_unlink_expect_report(exp, NETLINK_CB(skb).portid,
						   nlmsg_report(nlh));
			nf_ct_expect_put(exp);
		}
		spin_unlock_bh(&nf_conntrack_expect_lock);
		/* have to put what we 'get' above.
		 * after this line usage count == 0 */
		nf_ct_expect_put(exp);
	} else if (cda[CTA_EXPECT_HELP_NAME]) {
		char *name = nla_data(cda[CTA_EXPECT_HELP_NAME]);
		struct nf_conn_help *m_help;

		/* delete all expectations for this helper */
		spin_lock_bh(&nf_conntrack_expect_lock);
		for (i = 0; i < nf_ct_expect_hsize; i++) {
			hlist_for_each_entry_safe(exp, next,
						  &net->ct.expect_hash[i],
						  hnode) {
				m_help = nfct_help(exp->master);
				if (!strcmp(m_help->helper->name, name) &&
				    del_timer(&exp->timeout)) {
					nf_ct_unlink_expect_report(exp,
							NETLINK_CB(skb).portid,
							nlmsg_report(nlh));
					nf_ct_expect_put(exp);
				}
			}
		}
		spin_unlock_bh(&nf_conntrack_expect_lock);
	} else {
		/* This basically means we have to flush everything*/
		spin_lock_bh(&nf_conntrack_expect_lock);
		for (i = 0; i < nf_ct_expect_hsize; i++) {
			hlist_for_each_entry_safe(exp, next,
						  &net->ct.expect_hash[i],
						  hnode) {
				if (del_timer(&exp->timeout)) {
					nf_ct_unlink_expect_report(exp,
							NETLINK_CB(skb).portid,
							nlmsg_report(nlh));
					nf_ct_expect_put(exp);
				}
			}
		}
		spin_unlock_bh(&nf_conntrack_expect_lock);
	}

	return 0;
}
/* Update an existing expectation.  Only the timeout is changeable;
 * -ETIME if the timer already fired (expectation is going away).
 */
static int
ctnetlink_change_expect(struct nf_conntrack_expect *x,
			const struct nlattr * const cda[])
{
	if (cda[CTA_EXPECT_TIMEOUT]) {
		if (!del_timer(&x->timeout))
			return -ETIME;

		x->timeout.expires = jiffies +
			ntohl(nla_get_be32(cda[CTA_EXPECT_TIMEOUT])) * HZ;
		add_timer(&x->timeout);
	}
	return 0;
}

static const struct nla_policy exp_nat_nla_policy[CTA_EXPECT_NAT_MAX+1] = {
	[CTA_EXPECT_NAT_DIR]	= { .type = NLA_U32 },
	[CTA_EXPECT_NAT_TUPLE]	= { .type = NLA_NESTED },
};

/* Parse the nested CTA_EXPECT_NAT attribute into the expectation's
 * saved NAT state (address, proto, direction).  -EOPNOTSUPP without
 * NAT support.
 */
static int
ctnetlink_parse_expect_nat(const struct nlattr *attr,
			   struct nf_conntrack_expect *exp,
			   u_int8_t u3)
{
#ifdef CONFIG_NF_NAT_NEEDED
	struct nlattr *tb[CTA_EXPECT_NAT_MAX+1];
	struct nf_conntrack_tuple nat_tuple = {};
	int err;

	err = nla_parse_nested(tb, CTA_EXPECT_NAT_MAX, attr, exp_nat_nla_policy);
	if (err < 0)
		return err;

	if (!tb[CTA_EXPECT_NAT_DIR] || !tb[CTA_EXPECT_NAT_TUPLE])
		return -EINVAL;

	err = ctnetlink_parse_tuple((const struct nlattr * const *)tb,
				    &nat_tuple, CTA_EXPECT_NAT_TUPLE,
				    u3, NULL);
	if (err < 0)
		return err;

	exp->saved_addr = nat_tuple.src.u3;
	exp->saved_proto = nat_tuple.src.u;
	exp->dir = ntohl(nla_get_be32(tb[CTA_EXPECT_NAT_DIR]));

	return 0;
#else
	return -EOPNOTSUPP;
#endif
}

/* Allocate and fill an expectation from netlink attributes.  The caller
 * owns the returned reference (or gets an ERR_PTR).  Expectations whose
 * master has no helper are userspace-managed: they must carry an
 * explicit timeout and are flagged NF_CT_EXPECT_USERSPACE.
 */
static struct nf_conntrack_expect *
ctnetlink_alloc_expect(const struct nlattr * const cda[], struct nf_conn *ct,
		       struct nf_conntrack_helper *helper,
		       struct nf_conntrack_tuple *tuple,
		       struct nf_conntrack_tuple *mask)
{
	u_int32_t class = 0;
	struct nf_conntrack_expect *exp;
	struct nf_conn_help *help;
	int err;

	if (cda[CTA_EXPECT_CLASS] && helper) {
		class = ntohl(nla_get_be32(cda[CTA_EXPECT_CLASS]));
		/* The class must be one the helper actually declares. */
		if (class > helper->expect_class_max)
			return ERR_PTR(-EINVAL);
	}
	exp = nf_ct_expect_alloc(ct);
	if (!exp)
		return ERR_PTR(-ENOMEM);

	help = nfct_help(ct);
	if (!help) {
		if (!cda[CTA_EXPECT_TIMEOUT]) {
			err = -EINVAL;
			goto err_out;
		}
		exp->timeout.expires =
		  jiffies + ntohl(nla_get_be32(cda[CTA_EXPECT_TIMEOUT])) * HZ;

		exp->flags = NF_CT_EXPECT_USERSPACE;
		if (cda[CTA_EXPECT_FLAGS]) {
			exp->flags |=
				ntohl(nla_get_be32(cda[CTA_EXPECT_FLAGS]));
		}
	} else {
		if (cda[CTA_EXPECT_FLAGS]) {
			exp->flags = ntohl(nla_get_be32(cda[CTA_EXPECT_FLAGS]));
			/* Kernel-helper expectations are never userspace. */
			exp->flags &= ~NF_CT_EXPECT_USERSPACE;
		} else
			exp->flags = 0;
	}
	if (cda[CTA_EXPECT_FN]) {
		const char *name = nla_data(cda[CTA_EXPECT_FN]);
		struct nf_ct_helper_expectfn *expfn;

		expfn = nf_ct_helper_expectfn_find_by_name(name);
		if (expfn == NULL) {
			err = -EINVAL;
			goto err_out;
		}
		exp->expectfn = expfn->expectfn;
	} else
		exp->expectfn = NULL;

	exp->class = class;
	exp->master = ct;
	exp->helper = helper;
	exp->tuple = *tuple;
	exp->mask.src.u3 = mask->src.u3;
	exp->mask.src.u.all = mask->src.u.all;

	if (cda[CTA_EXPECT_NAT]) {
		err = ctnetlink_parse_expect_nat(cda[CTA_EXPECT_NAT],
						 exp, nf_ct_l3num(ct));
		if (err < 0)
			goto err_out;
	}
	return exp;
err_out:
	nf_ct_expect_put(exp);
	return ERR_PTR(err);
}

/* Create and register a new expectation for the NLM_F_CREATE path of
 * ctnetlink_new_expect().  Called without nf_conntrack_expect_lock.
 */
static int
ctnetlink_create_expect(struct net *net,
			const struct nf_conntrack_zone *zone,
			const struct nlattr * const cda[],
			u_int8_t u3, u32 portid, int report)
{
	struct nf_conntrack_tuple tuple, mask, master_tuple;
	struct nf_conntrack_tuple_hash *h = NULL;
	struct nf_conntrack_helper *helper = NULL;
	struct nf_conntrack_expect *exp;
	struct nf_conn *ct;
	int err;

	/* caller guarantees that those three CTA_EXPECT_* exist */
	err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE,
				    u3, NULL);
	if (err < 0)
		return err;
	err = ctnetlink_parse_tuple(cda, &mask, CTA_EXPECT_MASK,
				    u3, NULL);
	if (err < 0)
		return err;
	err = ctnetlink_parse_tuple(cda, &master_tuple, CTA_EXPECT_MASTER,
				    u3, NULL);
	if (err < 0)
		return err;

	/* Look for master conntrack of this expectation */
	h = nf_conntrack_find_get(net, zone, &master_tuple);
	if (!h)
		return -ENOENT;
	ct = nf_ct_tuplehash_to_ctrack(h);

	if (cda[CTA_EXPECT_HELP_NAME]) {
		const char *helpname = nla_data(cda[CTA_EXPECT_HELP_NAME]);

		helper = __nf_conntrack_helper_find(helpname, u3,
						    nf_ct_protonum(ct));
		if (helper == NULL) {
#ifdef CONFIG_MODULES
			if (request_module("nfct-helper-%s", helpname) < 0) {
				err = -EOPNOTSUPP;
				goto err_ct;
			}
			helper = __nf_conntrack_helper_find(helpname, u3,
							    nf_ct_protonum(ct));
			if (helper) {
				/* Helper module was just loaded: return
				 * -EAGAIN so nfnetlink replays the request.
				 */
				err = -EAGAIN;
				goto err_ct;
			}
#endif
			err = -EOPNOTSUPP;
			goto err_ct;
		}
	}

	exp = ctnetlink_alloc_expect(cda, ct, helper, &tuple, &mask);
	if (IS_ERR(exp)) {
		err = PTR_ERR(exp);
		goto err_ct;
	}

	err = nf_ct_expect_related_report(exp, portid, report);
	nf_ct_expect_put(exp);
err_ct:
	nf_ct_put(ct);
	return err;
}

/* IPCTNL_MSG_EXP_NEW handler: create (NLM_F_CREATE) or update an
 * expectation.  The lookup runs under nf_conntrack_expect_lock; the
 * create path drops the lock first since it sleeps (GFP_KERNEL,
 * possibly request_module).
 */
static int
ctnetlink_new_expect(struct sock *ctnl, struct sk_buff *skb,
		     const struct nlmsghdr *nlh,
		     const struct nlattr * const cda[])
{
	struct net *net = sock_net(ctnl);
	struct nf_conntrack_tuple tuple;
	struct nf_conntrack_expect *exp;
	struct nfgenmsg *nfmsg = nlmsg_data(nlh);
	u_int8_t u3 = nfmsg->nfgen_family;
	struct nf_conntrack_zone zone;
	int err;

	if (!cda[CTA_EXPECT_TUPLE]
	    || !cda[CTA_EXPECT_MASK]
	    || !cda[CTA_EXPECT_MASTER])
		return -EINVAL;

	err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
	if (err < 0)
		return err;

	err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE,
				    u3, NULL);
	if (err < 0)
		return err;

	spin_lock_bh(&nf_conntrack_expect_lock);
	exp = __nf_ct_expect_find(net, &zone, &tuple);
	if (!exp) {
		spin_unlock_bh(&nf_conntrack_expect_lock);
		err = -ENOENT;
		if (nlh->nlmsg_flags & NLM_F_CREATE) {
			err = ctnetlink_create_expect(net, &zone, cda, u3,
						      NETLINK_CB(skb).portid,
						      nlmsg_report(nlh));
		}
		return err;
	}

	/* Expectation exists: update it unless the caller demanded
	 * exclusive creation.
	 */
	err = -EEXIST;
	if (!(nlh->nlmsg_flags & NLM_F_EXCL))
		err = ctnetlink_change_expect(exp, cda);
	spin_unlock_bh(&nf_conntrack_expect_lock);

	return err;
}

/* Fill one per-CPU expectation statistics message (res_id = cpu).
 * NOTE(review): the event type uses NFNL_SUBSYS_CTNETLINK (not _EXP),
 * matching the subsystem the stats request arrives on.
 */
static int
ctnetlink_exp_stat_fill_info(struct sk_buff *skb, u32 portid, u32 seq, int cpu,
			     const struct ip_conntrack_stat *st)
{
	struct nlmsghdr *nlh;
	struct nfgenmsg *nfmsg;
	unsigned int flags = portid ? NLM_F_MULTI : 0, event;

	event = (NFNL_SUBSYS_CTNETLINK << 8 | IPCTNL_MSG_EXP_GET_STATS_CPU);
	nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
	if (nlh == NULL)
		goto nlmsg_failure;

	nfmsg = nlmsg_data(nlh);
	nfmsg->nfgen_family = AF_UNSPEC;
	nfmsg->version = NFNETLINK_V0;
	nfmsg->res_id = htons(cpu);

	if (nla_put_be32(skb, CTA_STATS_EXP_NEW, htonl(st->expect_new)) ||
	    nla_put_be32(skb, CTA_STATS_EXP_CREATE, htonl(st->expect_create)) ||
	    nla_put_be32(skb, CTA_STATS_EXP_DELETE, htonl(st->expect_delete)))
		goto nla_put_failure;

	nlmsg_end(skb, nlh);
	return skb->len;

nla_put_failure:
nlmsg_failure:
	nlmsg_cancel(skb, nlh);
	return -1;
}

/* Dump expectation stats for every possible CPU.  cb->args[0] stores
 * the next CPU to visit so the dump can resume when the skb fills up.
 */
static int
ctnetlink_exp_stat_cpu_dump(struct sk_buff *skb, struct netlink_callback *cb)
{
	int cpu;
	struct net *net = sock_net(skb->sk);

	if (cb->args[0] == nr_cpu_ids)
		return 0;

	for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) {
		const struct ip_conntrack_stat *st;

		if (!cpu_possible(cpu))
			continue;

		st = per_cpu_ptr(net->ct.stat, cpu);
		if (ctnetlink_exp_stat_fill_info(skb, NETLINK_CB(cb->skb).portid,
						 cb->nlh->nlmsg_seq,
						 cpu, st) < 0)
			break;
	}
	cb->args[0] = cpu;

	return skb->len;
}

/* IPCTNL_MSG_EXP_GET_STATS_CPU handler: only the dump form is supported;
 * a non-dump request is silently accepted (returns 0).
 */
static int
ctnetlink_stat_exp_cpu(struct sock *ctnl, struct sk_buff *skb,
		       const struct nlmsghdr *nlh,
		       const struct nlattr * const cda[])
{
	if (nlh->nlmsg_flags & NLM_F_DUMP) {
		struct netlink_dump_control c = {
			.dump = ctnetlink_exp_stat_cpu_dump,
		};
		return netlink_dump_start(ctnl, skb, nlh, &c);
	}

	return 0;
}

#ifdef CONFIG_NF_CONNTRACK_EVENTS
/* Event notifiers registered per-netns in ctnetlink_net_init(). */
static struct nf_ct_event_notifier ctnl_notifier = {
	.fcn = ctnetlink_conntrack_event,
};

static struct nf_exp_event_notifier ctnl_notifier_exp = {
	.fcn = ctnetlink_expect_event,
};
#endif

/* Message dispatch table for the conntrack subsystem. */
static const struct nfnl_callback ctnl_cb[IPCTNL_MSG_MAX] = {
	[IPCTNL_MSG_CT_NEW]		= { .call = ctnetlink_new_conntrack,
					    .attr_count = CTA_MAX,
					    .policy = ct_nla_policy },
	[IPCTNL_MSG_CT_GET] 		= { .call = ctnetlink_get_conntrack,
					    .attr_count = CTA_MAX,
					    .policy = ct_nla_policy },
	[IPCTNL_MSG_CT_DELETE]  	= { .call = ctnetlink_del_conntrack,
					    .attr_count = CTA_MAX,
					    .policy = ct_nla_policy },
	[IPCTNL_MSG_CT_GET_CTRZERO] 	= { .call = ctnetlink_get_conntrack,
					    .attr_count = CTA_MAX,
					    .policy = ct_nla_policy },
	[IPCTNL_MSG_CT_GET_STATS_CPU]	= { .call = ctnetlink_stat_ct_cpu },
	[IPCTNL_MSG_CT_GET_STATS]	= { .call = ctnetlink_stat_ct },
	[IPCTNL_MSG_CT_GET_DYING]	= { .call = ctnetlink_get_ct_dying },
	[IPCTNL_MSG_CT_GET_UNCONFIRMED]	= { .call = ctnetlink_get_ct_unconfirmed },
};

/* Message dispatch table for the expectation subsystem. */
static const struct nfnl_callback ctnl_exp_cb[IPCTNL_MSG_EXP_MAX] = {
	[IPCTNL_MSG_EXP_GET]		= { .call = ctnetlink_get_expect,
					    .attr_count = CTA_EXPECT_MAX,
					    .policy = exp_nla_policy },
	[IPCTNL_MSG_EXP_NEW]		= { .call = ctnetlink_new_expect,
					    .attr_count = CTA_EXPECT_MAX,
					    .policy = exp_nla_policy },
	[IPCTNL_MSG_EXP_DELETE]		= { .call = ctnetlink_del_expect,
					    .attr_count = CTA_EXPECT_MAX,
					    .policy = exp_nla_policy },
	[IPCTNL_MSG_EXP_GET_STATS_CPU]	= { .call = ctnetlink_stat_exp_cpu },
};

static const struct nfnetlink_subsystem ctnl_subsys = {
	.name				= "conntrack",
	.subsys_id			= NFNL_SUBSYS_CTNETLINK,
	.cb_count			= IPCTNL_MSG_MAX,
	.cb				= ctnl_cb,
};

static const struct nfnetlink_subsystem ctnl_exp_subsys = {
	.name				= "conntrack_expect",
	.subsys_id			= NFNL_SUBSYS_CTNETLINK_EXP,
	.cb_count			= IPCTNL_MSG_EXP_MAX,
	.cb				= ctnl_exp_cb,
};

MODULE_ALIAS("ip_conntrack_netlink");
MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK);
MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK_EXP);

/* Per-netns setup: register the conntrack and expectation event
 * notifiers (no-op when events are compiled out).
 */
static int __net_init ctnetlink_net_init(struct net *net)
{
#ifdef CONFIG_NF_CONNTRACK_EVENTS
	int ret;

	ret = nf_conntrack_register_notifier(net, &ctnl_notifier);
	if (ret < 0) {
		pr_err("ctnetlink_init: cannot register notifier.\n");
		goto err_out;
	}

	ret = nf_ct_expect_register_notifier(net, &ctnl_notifier_exp);
	if (ret < 0) {
		pr_err("ctnetlink_init: cannot expect register notifier.\n");
		goto err_unreg_notifier;
	}
#endif
	return 0;

#ifdef CONFIG_NF_CONNTRACK_EVENTS
err_unreg_notifier:
	nf_conntrack_unregister_notifier(net, &ctnl_notifier);
err_out:
	return ret;
#endif
}

/* Per-netns teardown helper; called from the batch handler below. */
static void ctnetlink_net_exit(struct net *net)
{
#ifdef CONFIG_NF_CONNTRACK_EVENTS
	nf_ct_expect_unregister_notifier(net, &ctnl_notifier_exp);
	nf_conntrack_unregister_notifier(net, &ctnl_notifier);
#endif
}

static void __net_exit ctnetlink_net_exit_batch(struct list_head *net_exit_list)
{
	struct net *net;

	list_for_each_entry(net, net_exit_list, exit_list)
		ctnetlink_net_exit(net);
}

static struct pernet_operations ctnetlink_net_ops = {
	.init		= ctnetlink_net_init,
	.exit_batch	= ctnetlink_net_exit_batch,
};

/* Module init: register both nfnetlink subsystems and the pernet ops,
 * then publish the glue hook for nf_queue.  Unwinds in reverse order
 * on failure.
 */
static int __init ctnetlink_init(void)
{
	int ret;

	pr_info("ctnetlink v%s: registering with nfnetlink.\n", version);
	ret = nfnetlink_subsys_register(&ctnl_subsys);
	if (ret < 0) {
		pr_err("ctnetlink_init: cannot register with nfnetlink.\n");
		goto err_out;
	}

	ret = nfnetlink_subsys_register(&ctnl_exp_subsys);
	if (ret < 0) {
		pr_err("ctnetlink_init: cannot register exp with nfnetlink.\n");
		goto err_unreg_subsys;
	}

	ret = register_pernet_subsys(&ctnetlink_net_ops);
	if (ret < 0) {
		pr_err("ctnetlink_init: cannot register pernet operations\n");
		goto err_unreg_exp_subsys;
	}
#ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT
	/* setup interaction between nf_queue and nf_conntrack_netlink. */
	RCU_INIT_POINTER(nfnl_ct_hook, &ctnetlink_glue_hook);
#endif
	return 0;

err_unreg_exp_subsys:
	nfnetlink_subsys_unregister(&ctnl_exp_subsys);
err_unreg_subsys:
	nfnetlink_subsys_unregister(&ctnl_subsys);
err_out:
	return ret;
}

static void __exit ctnetlink_exit(void)
{
	pr_info("ctnetlink: unregistering from nfnetlink.\n");

	unregister_pernet_subsys(&ctnetlink_net_ops);
	nfnetlink_subsys_unregister(&ctnl_exp_subsys);
	nfnetlink_subsys_unregister(&ctnl_subsys);
#ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT
	RCU_INIT_POINTER(nfnl_ct_hook, NULL);
#endif
}

module_init(ctnetlink_init);
module_exit(ctnetlink_exit);