1 /* Connection tracking via netlink socket. Allows for user space 2 * protocol helpers and general trouble making from userspace. 3 * 4 * (C) 2001 by Jay Schulist <jschlst@samba.org> 5 * (C) 2002-2006 by Harald Welte <laforge@gnumonks.org> 6 * (C) 2003 by Patrick Mchardy <kaber@trash.net> 7 * (C) 2005-2012 by Pablo Neira Ayuso <pablo@netfilter.org> 8 * 9 * Initial connection tracking via netlink development funded and 10 * generally made possible by Network Robots, Inc. (www.networkrobots.com) 11 * 12 * Further development of this code funded by Astaro AG (http://www.astaro.com) 13 * 14 * This software may be used and distributed according to the terms 15 * of the GNU General Public License, incorporated herein by reference. 16 */ 17 18 #include <linux/init.h> 19 #include <linux/module.h> 20 #include <linux/kernel.h> 21 #include <linux/rculist.h> 22 #include <linux/rculist_nulls.h> 23 #include <linux/types.h> 24 #include <linux/timer.h> 25 #include <linux/security.h> 26 #include <linux/skbuff.h> 27 #include <linux/errno.h> 28 #include <linux/netlink.h> 29 #include <linux/spinlock.h> 30 #include <linux/interrupt.h> 31 #include <linux/slab.h> 32 #include <linux/siphash.h> 33 34 #include <linux/netfilter.h> 35 #include <net/netlink.h> 36 #include <net/sock.h> 37 #include <net/netfilter/nf_conntrack.h> 38 #include <net/netfilter/nf_conntrack_core.h> 39 #include <net/netfilter/nf_conntrack_expect.h> 40 #include <net/netfilter/nf_conntrack_helper.h> 41 #include <net/netfilter/nf_conntrack_seqadj.h> 42 #include <net/netfilter/nf_conntrack_l4proto.h> 43 #include <net/netfilter/nf_conntrack_tuple.h> 44 #include <net/netfilter/nf_conntrack_acct.h> 45 #include <net/netfilter/nf_conntrack_zones.h> 46 #include <net/netfilter/nf_conntrack_timestamp.h> 47 #include <net/netfilter/nf_conntrack_labels.h> 48 #include <net/netfilter/nf_conntrack_synproxy.h> 49 #if IS_ENABLED(CONFIG_NF_NAT) 50 #include <net/netfilter/nf_nat.h> 51 #include <net/netfilter/nf_nat_helper.h> 52 #endif 53 
#include <linux/netfilter/nfnetlink.h>
#include <linux/netfilter/nfnetlink_conntrack.h>

#include "nf_internals.h"

MODULE_LICENSE("GPL");

/* Iteration state carried across netlink dump callbacks when walking
 * conntrack lists; 'last' is the entry to resume from on the next call.
 */
struct ctnetlink_list_dump_ctx {
	struct nf_conn *last;
	unsigned int cpu;
	bool done;
};

/* Emit the CTA_TUPLE_PROTO nest (protocol number plus any per-l4proto
 * attributes) for @tuple.  Returns 0 on success, -1 on nlmsg overrun.
 */
static int ctnetlink_dump_tuples_proto(struct sk_buff *skb,
				       const struct nf_conntrack_tuple *tuple,
				       const struct nf_conntrack_l4proto *l4proto)
{
	int ret = 0;
	struct nlattr *nest_parms;

	nest_parms = nla_nest_start(skb, CTA_TUPLE_PROTO);
	if (!nest_parms)
		goto nla_put_failure;
	if (nla_put_u8(skb, CTA_PROTO_NUM, tuple->dst.protonum))
		goto nla_put_failure;

	/* l4proto hook is optional; generic trackers have none */
	if (likely(l4proto->tuple_to_nlattr))
		ret = l4proto->tuple_to_nlattr(skb, tuple);

	nla_nest_end(skb, nest_parms);

	return ret;

nla_put_failure:
	return -1;
}

/* Put IPv4 source/destination addresses of @tuple into @skb. */
static int ipv4_tuple_to_nlattr(struct sk_buff *skb,
				const struct nf_conntrack_tuple *tuple)
{
	if (nla_put_in_addr(skb, CTA_IP_V4_SRC, tuple->src.u3.ip) ||
	    nla_put_in_addr(skb, CTA_IP_V4_DST, tuple->dst.u3.ip))
		return -EMSGSIZE;
	return 0;
}

/* Put IPv6 source/destination addresses of @tuple into @skb. */
static int ipv6_tuple_to_nlattr(struct sk_buff *skb,
				const struct nf_conntrack_tuple *tuple)
{
	if (nla_put_in6_addr(skb, CTA_IP_V6_SRC, &tuple->src.u3.in6) ||
	    nla_put_in6_addr(skb, CTA_IP_V6_DST, &tuple->dst.u3.in6))
		return -EMSGSIZE;
	return 0;
}

/* Emit the CTA_TUPLE_IP nest for @tuple.  Only IPv4/IPv6 are encoded;
 * other l3 protocols produce an empty nest.
 */
static int ctnetlink_dump_tuples_ip(struct sk_buff *skb,
				    const struct nf_conntrack_tuple *tuple)
{
	int ret = 0;
	struct nlattr *nest_parms;

	nest_parms = nla_nest_start(skb, CTA_TUPLE_IP);
	if (!nest_parms)
		goto nla_put_failure;

	switch (tuple->src.l3num) {
	case NFPROTO_IPV4:
		ret = ipv4_tuple_to_nlattr(skb, tuple);
		break;
	case NFPROTO_IPV6:
		ret = ipv6_tuple_to_nlattr(skb, tuple);
		break;
	}

	nla_nest_end(skb, nest_parms);

	return ret;

nla_put_failure:
	return -1;
}

/* Dump a complete conntrack tuple: IP part then protocol part.
 * RCU read lock protects the l4proto table lookup.
 */
static int
ctnetlink_dump_tuples(struct sk_buff *skb,
		      const struct nf_conntrack_tuple *tuple)
{
	const struct nf_conntrack_l4proto *l4proto;
	int ret;

	rcu_read_lock();
	ret = ctnetlink_dump_tuples_ip(skb, tuple);

	if (ret >= 0) {
		l4proto = nf_ct_l4proto_find(tuple->dst.protonum);
		ret = ctnetlink_dump_tuples_proto(skb, tuple, l4proto);
	}
	rcu_read_unlock();
	return ret;
}

/* Emit @zone's id as attribute @attrtype, but only when the zone is
 * non-default and applies to direction @dir.
 */
static int ctnetlink_dump_zone_id(struct sk_buff *skb, int attrtype,
				  const struct nf_conntrack_zone *zone, int dir)
{
	if (zone->id == NF_CT_DEFAULT_ZONE_ID || zone->dir != dir)
		return 0;
	if (nla_put_be16(skb, attrtype, htons(zone->id)))
		goto nla_put_failure;
	return 0;

nla_put_failure:
	return -1;
}

/* Emit the IPS_* status bits of @ct as CTA_STATUS. */
static int ctnetlink_dump_status(struct sk_buff *skb, const struct nf_conn *ct)
{
	if (nla_put_be32(skb, CTA_STATUS, htonl(ct->status)))
		goto nla_put_failure;
	return 0;

nla_put_failure:
	return -1;
}

/* Emit the remaining lifetime of @ct (in seconds) as CTA_TIMEOUT.
 * With @skip_zero, an expired entry emits nothing.
 */
static int ctnetlink_dump_timeout(struct sk_buff *skb, const struct nf_conn *ct,
				  bool skip_zero)
{
	long timeout = nf_ct_expires(ct) / HZ;

	if (skip_zero && timeout == 0)
		return 0;

	if (nla_put_be32(skb, CTA_TIMEOUT, htonl(timeout)))
		goto nla_put_failure;
	return 0;

nla_put_failure:
	return -1;
}

/* Emit the CTA_PROTOINFO nest via the l4proto's to_nlattr hook, if any.
 * @destroy is forwarded to the hook (destroy-event dumps).
 */
static int ctnetlink_dump_protoinfo(struct sk_buff *skb, struct nf_conn *ct,
				    bool destroy)
{
	const struct nf_conntrack_l4proto *l4proto;
	struct nlattr *nest_proto;
	int ret;

	l4proto = nf_ct_l4proto_find(nf_ct_protonum(ct));
	if (!l4proto->to_nlattr)
		return 0;

	nest_proto = nla_nest_start(skb, CTA_PROTOINFO);
	if (!nest_proto)
		goto nla_put_failure;

	ret = l4proto->to_nlattr(skb, nest_proto, ct, destroy);

	nla_nest_end(skb, nest_proto);

	return ret;

nla_put_failure:
	return -1;
}

/* Emit the CTA_HELP nest (helper name plus helper-private data). */
static int ctnetlink_dump_helpinfo(struct sk_buff
*skb,
				   const struct nf_conn *ct)
{
	struct nlattr *nest_helper;
	const struct nf_conn_help *help = nfct_help(ct);
	struct nf_conntrack_helper *helper;

	if (!help)
		return 0;

	/* helper can be unassigned concurrently; pin it under RCU */
	rcu_read_lock();
	helper = rcu_dereference(help->helper);
	if (!helper)
		goto out;

	nest_helper = nla_nest_start(skb, CTA_HELP);
	if (!nest_helper)
		goto nla_put_failure;
	if (nla_put_string(skb, CTA_HELP_NAME, helper->name))
		goto nla_put_failure;

	if (helper->to_nlattr)
		helper->to_nlattr(skb, ct);

	nla_nest_end(skb, nest_helper);
out:
	rcu_read_unlock();
	return 0;

nla_put_failure:
	rcu_read_unlock();
	return -1;
}

/* Emit one direction's packet/byte counters as a CTA_COUNTERS_* nest.
 * For CTRZERO requests the counters are atomically read-and-reset.
 */
static int
dump_counters(struct sk_buff *skb, struct nf_conn_acct *acct,
	      enum ip_conntrack_dir dir, int type)
{
	enum ctattr_type attr = dir ? CTA_COUNTERS_REPLY: CTA_COUNTERS_ORIG;
	struct nf_conn_counter *counter = acct->counter;
	struct nlattr *nest_count;
	u64 pkts, bytes;

	if (type == IPCTNL_MSG_CT_GET_CTRZERO) {
		pkts = atomic64_xchg(&counter[dir].packets, 0);
		bytes = atomic64_xchg(&counter[dir].bytes, 0);
	} else {
		pkts = atomic64_read(&counter[dir].packets);
		bytes = atomic64_read(&counter[dir].bytes);
	}

	nest_count = nla_nest_start(skb, attr);
	if (!nest_count)
		goto nla_put_failure;

	if (nla_put_be64(skb, CTA_COUNTERS_PACKETS, cpu_to_be64(pkts),
			 CTA_COUNTERS_PAD) ||
	    nla_put_be64(skb, CTA_COUNTERS_BYTES, cpu_to_be64(bytes),
			 CTA_COUNTERS_PAD))
		goto nla_put_failure;

	nla_nest_end(skb, nest_count);

	return 0;

nla_put_failure:
	return -1;
}

/* Emit accounting counters for both directions, if the acct extension
 * is present on @ct.
 */
static int
ctnetlink_dump_acct(struct sk_buff *skb, const struct nf_conn *ct, int type)
{
	struct nf_conn_acct *acct = nf_conn_acct_find(ct);

	if (!acct)
		return 0;

	if (dump_counters(skb, acct, IP_CT_DIR_ORIGINAL, type) < 0)
		return -1;
	if (dump_counters(skb, acct, IP_CT_DIR_REPLY, type) < 0)
		return -1;

	return 0;
}

/* Emit the CTA_TIMESTAMP nest (start, and stop once set) if the
 * timestamp extension is present on @ct.
 */
static int
ctnetlink_dump_timestamp(struct sk_buff *skb, const struct nf_conn *ct)
{
	struct nlattr *nest_count;
	const struct nf_conn_tstamp *tstamp;

	tstamp = nf_conn_tstamp_find(ct);
	if (!tstamp)
		return 0;

	nest_count = nla_nest_start(skb, CTA_TIMESTAMP);
	if (!nest_count)
		goto nla_put_failure;

	if (nla_put_be64(skb, CTA_TIMESTAMP_START, cpu_to_be64(tstamp->start),
			 CTA_TIMESTAMP_PAD) ||
	    (tstamp->stop != 0 && nla_put_be64(skb, CTA_TIMESTAMP_STOP,
					       cpu_to_be64(tstamp->stop),
					       CTA_TIMESTAMP_PAD)))
		goto nla_put_failure;
	nla_nest_end(skb, nest_count);

	return 0;

nla_put_failure:
	return -1;
}

#ifdef CONFIG_NF_CONNTRACK_MARK
/* Emit CTA_MARK.  With @dump false, a zero mark is omitted. */
static int ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct,
			       bool dump)
{
	u32 mark = READ_ONCE(ct->mark);

	if (!mark && !dump)
		return 0;

	if (nla_put_be32(skb, CTA_MARK, htonl(mark)))
		goto nla_put_failure;
	return 0;

nla_put_failure:
	return -1;
}
#else
#define ctnetlink_dump_mark(a, b, c) (0)
#endif

#ifdef CONFIG_NF_CONNTRACK_SECMARK
/* Emit the CTA_SECCTX nest with the LSM security context string for
 * ct->secmark.  A secmark without a mapped context is silently skipped.
 */
static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
{
	struct nlattr *nest_secctx;
	int len, ret;
	char *secctx;

	ret = security_secid_to_secctx(ct->secmark, &secctx, &len);
	if (ret)
		return 0;

	ret = -1;
	nest_secctx = nla_nest_start(skb, CTA_SECCTX);
	if (!nest_secctx)
		goto nla_put_failure;

	if (nla_put_string(skb, CTA_SECCTX_NAME, secctx))
		goto nla_put_failure;
	nla_nest_end(skb, nest_secctx);

	ret = 0;
nla_put_failure:
	/* secctx was allocated by the LSM; always release it */
	security_release_secctx(secctx, len);
	return ret;
}
#else
#define ctnetlink_dump_secctx(a, b) (0)
#endif

#ifdef CONFIG_NF_CONNTRACK_LABELS
/* Size needed for CTA_LABELS, or 0 without the labels extension. */
static inline int ctnetlink_label_size(const struct nf_conn
*ct)
{
	struct nf_conn_labels *labels = nf_ct_labels_find(ct);

	if (!labels)
		return 0;
	return nla_total_size(sizeof(labels->bits));
}

/* Emit CTA_LABELS, but only when at least one label bit is set. */
static int
ctnetlink_dump_labels(struct sk_buff *skb, const struct nf_conn *ct)
{
	struct nf_conn_labels *labels = nf_ct_labels_find(ct);
	unsigned int i;

	if (!labels)
		return 0;

	i = 0;
	do {
		if (labels->bits[i] != 0)
			return nla_put(skb, CTA_LABELS, sizeof(labels->bits),
				       labels->bits);
		i++;
	} while (i < ARRAY_SIZE(labels->bits));

	return 0;
}
#else
#define ctnetlink_dump_labels(a, b) (0)
#define ctnetlink_label_size(a) (0)
#endif

/* The expectation master's original-direction tuple. */
#define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple)

/* Emit the CTA_TUPLE_MASTER nest for expected (related) connections. */
static int ctnetlink_dump_master(struct sk_buff *skb, const struct nf_conn *ct)
{
	struct nlattr *nest_parms;

	if (!(ct->status & IPS_EXPECTED))
		return 0;

	nest_parms = nla_nest_start(skb, CTA_TUPLE_MASTER);
	if (!nest_parms)
		goto nla_put_failure;
	if (ctnetlink_dump_tuples(skb, master_tuple(ct)) < 0)
		goto nla_put_failure;
	nla_nest_end(skb, nest_parms);

	return 0;

nla_put_failure:
	return -1;
}

/* Emit one direction's sequence adjustment data as nest @type. */
static int
dump_ct_seq_adj(struct sk_buff *skb, const struct nf_ct_seqadj *seq, int type)
{
	struct nlattr *nest_parms;

	nest_parms = nla_nest_start(skb, type);
	if (!nest_parms)
		goto nla_put_failure;

	if (nla_put_be32(skb, CTA_SEQADJ_CORRECTION_POS,
			 htonl(seq->correction_pos)) ||
	    nla_put_be32(skb, CTA_SEQADJ_OFFSET_BEFORE,
			 htonl(seq->offset_before)) ||
	    nla_put_be32(skb, CTA_SEQADJ_OFFSET_AFTER,
			 htonl(seq->offset_after)))
		goto nla_put_failure;

	nla_nest_end(skb, nest_parms);

	return 0;

nla_put_failure:
	return -1;
}

/* Emit both directions' seqadj nests; ct->lock keeps the two
 * directions consistent with each other while dumping.
 */
static int ctnetlink_dump_ct_seq_adj(struct sk_buff *skb, struct nf_conn *ct)
{
	struct nf_conn_seqadj *seqadj = nfct_seqadj(ct);
	struct nf_ct_seqadj *seq;

	if (!(ct->status & IPS_SEQ_ADJUST) || !seqadj)
		return 0;

	spin_lock_bh(&ct->lock);
	seq = &seqadj->seq[IP_CT_DIR_ORIGINAL];
	if (dump_ct_seq_adj(skb, seq, CTA_SEQ_ADJ_ORIG) == -1)
		goto err;

	seq = &seqadj->seq[IP_CT_DIR_REPLY];
	if (dump_ct_seq_adj(skb, seq, CTA_SEQ_ADJ_REPLY) == -1)
		goto err;

	spin_unlock_bh(&ct->lock);
	return 0;
err:
	spin_unlock_bh(&ct->lock);
	return -1;
}

/* Emit the CTA_SYNPROXY nest (isn/its/tsoff) if the synproxy
 * extension is present on @ct.
 */
static int ctnetlink_dump_ct_synproxy(struct sk_buff *skb, struct nf_conn *ct)
{
	struct nf_conn_synproxy *synproxy = nfct_synproxy(ct);
	struct nlattr *nest_parms;

	if (!synproxy)
		return 0;

	nest_parms = nla_nest_start(skb, CTA_SYNPROXY);
	if (!nest_parms)
		goto nla_put_failure;

	if (nla_put_be32(skb, CTA_SYNPROXY_ISN, htonl(synproxy->isn)) ||
	    nla_put_be32(skb, CTA_SYNPROXY_ITS, htonl(synproxy->its)) ||
	    nla_put_be32(skb, CTA_SYNPROXY_TSOFF, htonl(synproxy->tsoff)))
		goto nla_put_failure;

	nla_nest_end(skb, nest_parms);

	return 0;

nla_put_failure:
	return -1;
}

/* Emit the opaque per-entry id (CTA_ID). */
static int ctnetlink_dump_id(struct sk_buff *skb, const struct nf_conn *ct)
{
	__be32 id = (__force __be32)nf_ct_get_id(ct);

	if (nla_put_be32(skb, CTA_ID, id))
		goto nla_put_failure;
	return 0;

nla_put_failure:
	return -1;
}

/* Emit the current reference count (CTA_USE). */
static int ctnetlink_dump_use(struct sk_buff *skb, const struct nf_conn *ct)
{
	if (nla_put_be32(skb, CTA_USE, htonl(refcount_read(&ct->ct_general.use))))
		goto nla_put_failure;
	return 0;

nla_put_failure:
	return -1;
}

/* all these functions access ct->ext. Caller must either hold a reference
 * on ct or prevent its deletion by holding either the bucket spinlock or
 * pcpu dying list lock.
*/
/* Dump extension data (acct, tstamp, helper, labels, seqadj, synproxy). */
static int ctnetlink_dump_extinfo(struct sk_buff *skb,
				  struct nf_conn *ct, u32 type)
{
	if (ctnetlink_dump_acct(skb, ct, type) < 0 ||
	    ctnetlink_dump_timestamp(skb, ct) < 0 ||
	    ctnetlink_dump_helpinfo(skb, ct) < 0 ||
	    ctnetlink_dump_labels(skb, ct) < 0 ||
	    ctnetlink_dump_ct_seq_adj(skb, ct) < 0 ||
	    ctnetlink_dump_ct_synproxy(skb, ct) < 0)
		return -1;

	return 0;
}

/* Dump core per-entry attributes shared by all CT_NEW replies. */
static int ctnetlink_dump_info(struct sk_buff *skb, struct nf_conn *ct)
{
	if (ctnetlink_dump_status(skb, ct) < 0 ||
	    ctnetlink_dump_mark(skb, ct, true) < 0 ||
	    ctnetlink_dump_secctx(skb, ct) < 0 ||
	    ctnetlink_dump_id(skb, ct) < 0 ||
	    ctnetlink_dump_use(skb, ct) < 0 ||
	    ctnetlink_dump_master(skb, ct) < 0)
		return -1;

	/* offloaded entries have no meaningful timeout/protoinfo */
	if (!test_bit(IPS_OFFLOAD_BIT, &ct->status) &&
	    (ctnetlink_dump_timeout(skb, ct, false) < 0 ||
	     ctnetlink_dump_protoinfo(skb, ct, false) < 0))
		return -1;

	return 0;
}

/* Build a complete IPCTNL_MSG_CT_NEW message for @ct into @skb.
 * Returns skb->len on success, -1 on overrun (message is cancelled).
 */
static int
ctnetlink_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
		    struct nf_conn *ct, bool extinfo, unsigned int flags)
{
	const struct nf_conntrack_zone *zone;
	struct nlmsghdr *nlh;
	struct nlattr *nest_parms;
	unsigned int event;

	if (portid)
		flags |= NLM_F_MULTI;
	event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, IPCTNL_MSG_CT_NEW);
	nlh = nfnl_msg_put(skb, portid, seq, event, flags, nf_ct_l3num(ct),
			   NFNETLINK_V0, 0);
	if (!nlh)
		goto nlmsg_failure;

	zone = nf_ct_zone(ct);

	nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG);
	if (!nest_parms)
		goto nla_put_failure;
	if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
		goto nla_put_failure;
	if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
				   NF_CT_ZONE_DIR_ORIG) < 0)
		goto nla_put_failure;
	nla_nest_end(skb, nest_parms);

	nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY);
	if (!nest_parms)
		goto nla_put_failure;
	if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
		goto nla_put_failure;
	if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
				   NF_CT_ZONE_DIR_REPL) < 0)
		goto nla_put_failure;
	nla_nest_end(skb, nest_parms);

	if (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone,
				   NF_CT_DEFAULT_ZONE_DIR) < 0)
		goto nla_put_failure;

	if (ctnetlink_dump_info(skb, ct) < 0)
		goto nla_put_failure;
	if (extinfo && ctnetlink_dump_extinfo(skb, ct, type) < 0)
		goto nla_put_failure;

	nlmsg_end(skb, nlh);
	return skb->len;

nlmsg_failure:
nla_put_failure:
	nlmsg_cancel(skb, nlh);
	return -1;
}

static const struct nla_policy cta_ip_nla_policy[CTA_IP_MAX + 1] = {
	[CTA_IP_V4_SRC]	= { .type = NLA_U32 },
	[CTA_IP_V4_DST]	= { .type = NLA_U32 },
	[CTA_IP_V6_SRC]	= { .len = sizeof(__be32) * 4 },
	[CTA_IP_V6_DST]	= { .len = sizeof(__be32) * 4 },
};

#if defined(CONFIG_NETFILTER_NETLINK_GLUE_CT) || defined(CONFIG_NF_CONNTRACK_EVENTS)
/* Worst-case attribute space needed for the IP and l4proto parts of
 * the three tuples (ORIG, REPLY, MASTER) of @ct.
 */
static size_t ctnetlink_proto_size(const struct nf_conn *ct)
{
	const struct nf_conntrack_l4proto *l4proto;
	size_t len, len4 = 0;

	len = nla_policy_len(cta_ip_nla_policy, CTA_IP_MAX + 1);
	len *= 3u; /* ORIG, REPLY, MASTER */

	l4proto = nf_ct_l4proto_find(nf_ct_protonum(ct));
	len += l4proto->nlattr_size;
	if (l4proto->nlattr_tuple_size) {
		len4 = l4proto->nlattr_tuple_size();
		len4 *= 3u; /* ORIG, REPLY, MASTER */
	}

	return len + len4;
}
#endif

/* Attribute space needed for accounting counters, if present. */
static inline size_t ctnetlink_acct_size(const struct nf_conn *ct)
{
	if (!nf_ct_ext_exist(ct, NF_CT_EXT_ACCT))
		return 0;
	return 2 * nla_total_size(0) /* CTA_COUNTERS_ORIG|REPL */
	       + 2 * nla_total_size_64bit(sizeof(uint64_t)) /* CTA_COUNTERS_PACKETS */
	       + 2 * nla_total_size_64bit(sizeof(uint64_t)) /* CTA_COUNTERS_BYTES */
	       ;
}

/* Attribute space needed for the security context, if mapped. */
static inline int ctnetlink_secctx_size(const struct nf_conn *ct)
{
#ifdef
CONFIG_NF_CONNTRACK_SECMARK
	int len, ret;

	/* NULL secdata: query the length only */
	ret = security_secid_to_secctx(ct->secmark, NULL, &len);
	if (ret)
		return 0;

	return nla_total_size(0) /* CTA_SECCTX */
	       + nla_total_size(sizeof(char) * len); /* CTA_SECCTX_NAME */
#else
	return 0;
#endif
}

/* Attribute space needed for timestamps, if present. */
static inline size_t ctnetlink_timestamp_size(const struct nf_conn *ct)
{
#ifdef CONFIG_NF_CONNTRACK_TIMESTAMP
	if (!nf_ct_ext_exist(ct, NF_CT_EXT_TSTAMP))
		return 0;
	return nla_total_size(0) + 2 * nla_total_size_64bit(sizeof(uint64_t));
#else
	return 0;
#endif
}

#ifdef CONFIG_NF_CONNTRACK_EVENTS
/* Upper bound of the netlink message size for an event about @ct;
 * used to size the event skb allocation.
 */
static size_t ctnetlink_nlmsg_size(const struct nf_conn *ct)
{
	return NLMSG_ALIGN(sizeof(struct nfgenmsg))
	       + 3 * nla_total_size(0) /* CTA_TUPLE_ORIG|REPL|MASTER */
	       + 3 * nla_total_size(0) /* CTA_TUPLE_IP */
	       + 3 * nla_total_size(0) /* CTA_TUPLE_PROTO */
	       + 3 * nla_total_size(sizeof(u_int8_t)) /* CTA_PROTO_NUM */
	       + nla_total_size(sizeof(u_int32_t)) /* CTA_ID */
	       + nla_total_size(sizeof(u_int32_t)) /* CTA_STATUS */
	       + ctnetlink_acct_size(ct)
	       + ctnetlink_timestamp_size(ct)
	       + nla_total_size(sizeof(u_int32_t)) /* CTA_TIMEOUT */
	       + nla_total_size(0) /* CTA_PROTOINFO */
	       + nla_total_size(0) /* CTA_HELP */
	       + nla_total_size(NF_CT_HELPER_NAME_LEN) /* CTA_HELP_NAME */
	       + ctnetlink_secctx_size(ct)
#if IS_ENABLED(CONFIG_NF_NAT)
	       + 2 * nla_total_size(0) /* CTA_NAT_SEQ_ADJ_ORIG|REPL */
	       + 6 * nla_total_size(sizeof(u_int32_t)) /* CTA_NAT_SEQ_OFFSET */
#endif
#ifdef CONFIG_NF_CONNTRACK_MARK
	       + nla_total_size(sizeof(u_int32_t)) /* CTA_MARK */
#endif
#ifdef CONFIG_NF_CONNTRACK_ZONES
	       + nla_total_size(sizeof(u_int16_t)) /* CTA_ZONE|CTA_TUPLE_ZONE */
#endif
	       + ctnetlink_proto_size(ct)
	       + ctnetlink_label_size(ct)
	       ;
}

/* Conntrack event notifier: build and multicast a netlink message for
 * the event bits in @events.  Returns -ENOBUFS so the core can flag an
 * overrun to listeners; 0 otherwise.
 */
static int
ctnetlink_conntrack_event(unsigned int events, const struct nf_ct_event *item)
{
	const struct nf_conntrack_zone *zone;
	struct net *net;
	struct nlmsghdr *nlh;
	struct nlattr *nest_parms;
	struct nf_conn *ct = item->ct;
	struct sk_buff *skb;
	unsigned int type;
	unsigned int flags = 0, group;
	int err;

	/* map event bits to message type and multicast group */
	if (events & (1 << IPCT_DESTROY)) {
		type = IPCTNL_MSG_CT_DELETE;
		group = NFNLGRP_CONNTRACK_DESTROY;
	} else if (events & ((1 << IPCT_NEW) | (1 << IPCT_RELATED))) {
		type = IPCTNL_MSG_CT_NEW;
		flags = NLM_F_CREATE|NLM_F_EXCL;
		group = NFNLGRP_CONNTRACK_NEW;
	} else if (events) {
		type = IPCTNL_MSG_CT_NEW;
		group = NFNLGRP_CONNTRACK_UPDATE;
	} else
		return 0;

	net = nf_ct_net(ct);
	if (!item->report && !nfnetlink_has_listeners(net, group))
		return 0;

	skb = nlmsg_new(ctnetlink_nlmsg_size(ct), GFP_ATOMIC);
	if (skb == NULL)
		goto errout;

	type = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, type);
	nlh = nfnl_msg_put(skb, item->portid, 0, type, flags, nf_ct_l3num(ct),
			   NFNETLINK_V0, 0);
	if (!nlh)
		goto nlmsg_failure;

	zone = nf_ct_zone(ct);

	nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG);
	if (!nest_parms)
		goto nla_put_failure;
	if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
		goto nla_put_failure;
	if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
				   NF_CT_ZONE_DIR_ORIG) < 0)
		goto nla_put_failure;
	nla_nest_end(skb, nest_parms);

	nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY);
	if (!nest_parms)
		goto nla_put_failure;
	if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
		goto nla_put_failure;
	if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
				   NF_CT_ZONE_DIR_REPL) < 0)
		goto nla_put_failure;
	nla_nest_end(skb, nest_parms);

	if (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone,
				   NF_CT_DEFAULT_ZONE_DIR) < 0)
		goto nla_put_failure;

	if (ctnetlink_dump_id(skb, ct) < 0)
		goto nla_put_failure;

	if (ctnetlink_dump_status(skb, ct) < 0)
		goto nla_put_failure;

	if (events & (1 << IPCT_DESTROY)) {
		/* destroy events report final counters and timings */
		if (ctnetlink_dump_timeout(skb, ct, true) < 0)
			goto nla_put_failure;

		if (ctnetlink_dump_acct(skb, ct, type) < 0 ||
		    ctnetlink_dump_timestamp(skb, ct) < 0 ||
		    ctnetlink_dump_protoinfo(skb, ct, true) < 0)
			goto nla_put_failure;
	} else {
		if (ctnetlink_dump_timeout(skb, ct, false) < 0)
			goto nla_put_failure;

		if (events & (1 << IPCT_PROTOINFO) &&
		    ctnetlink_dump_protoinfo(skb, ct, false) < 0)
			goto nla_put_failure;

		if ((events & (1 << IPCT_HELPER) || nfct_help(ct))
		    && ctnetlink_dump_helpinfo(skb, ct) < 0)
			goto nla_put_failure;

#ifdef CONFIG_NF_CONNTRACK_SECMARK
		if ((events & (1 << IPCT_SECMARK) || ct->secmark)
		    && ctnetlink_dump_secctx(skb, ct) < 0)
			goto nla_put_failure;
#endif
		if (events & (1 << IPCT_LABEL) &&
		    ctnetlink_dump_labels(skb, ct) < 0)
			goto nla_put_failure;

		if (events & (1 << IPCT_RELATED) &&
		    ctnetlink_dump_master(skb, ct) < 0)
			goto nla_put_failure;

		if (events & (1 << IPCT_SEQADJ) &&
		    ctnetlink_dump_ct_seq_adj(skb, ct) < 0)
			goto nla_put_failure;

		if (events & (1 << IPCT_SYNPROXY) &&
		    ctnetlink_dump_ct_synproxy(skb, ct) < 0)
			goto nla_put_failure;
	}

#ifdef CONFIG_NF_CONNTRACK_MARK
	if (ctnetlink_dump_mark(skb, ct, events & (1 << IPCT_MARK)))
		goto nla_put_failure;
#endif
	nlmsg_end(skb, nlh);
	err = nfnetlink_send(skb, net, item->portid, group, item->report,
			     GFP_ATOMIC);
	if (err == -ENOBUFS || err == -EAGAIN)
		return -ENOBUFS;

	return 0;

nla_put_failure:
	nlmsg_cancel(skb, nlh);
nlmsg_failure:
	kfree_skb(skb);
errout:
	if (nfnetlink_set_err(net, 0, group, -ENOBUFS) > 0)
		return -ENOBUFS;

	return 0;
}
#endif /* CONFIG_NF_CONNTRACK_EVENTS */

/* Dump-end callback: drop the resume reference and free the filter. */
static int ctnetlink_done(struct netlink_callback *cb)
{
	if
(cb->args[1])
		nf_ct_put((struct nf_conn *)cb->args[1]);
	kfree(cb->data);
	return 0;
}

/* Value/mask pair used for mark and status filtering. */
struct ctnetlink_filter_u32 {
	u32 val;
	u32 mask;
};

/* Kernel-side dump filter parsed from CTA_* attributes. */
struct ctnetlink_filter {
	u8 family;

	u_int32_t orig_flags;
	u_int32_t reply_flags;

	struct nf_conntrack_tuple orig;
	struct nf_conntrack_tuple reply;
	struct nf_conntrack_zone zone;

	struct ctnetlink_filter_u32 mark;
	struct ctnetlink_filter_u32 status;
};

static const struct nla_policy cta_filter_nla_policy[CTA_FILTER_MAX + 1] = {
	[CTA_FILTER_ORIG_FLAGS]		= { .type = NLA_U32 },
	[CTA_FILTER_REPLY_FLAGS]	= { .type = NLA_U32 },
};

/* Parse the CTA_FILTER nest; rejects unknown flag bits. */
static int ctnetlink_parse_filter(const struct nlattr *attr,
				  struct ctnetlink_filter *filter)
{
	struct nlattr *tb[CTA_FILTER_MAX + 1];
	int ret = 0;

	ret = nla_parse_nested(tb, CTA_FILTER_MAX, attr, cta_filter_nla_policy,
			       NULL);
	if (ret)
		return ret;

	if (tb[CTA_FILTER_ORIG_FLAGS]) {
		filter->orig_flags = nla_get_u32(tb[CTA_FILTER_ORIG_FLAGS]);
		if (filter->orig_flags & ~CTA_FILTER_F_ALL)
			return -EOPNOTSUPP;
	}

	if (tb[CTA_FILTER_REPLY_FLAGS]) {
		filter->reply_flags = nla_get_u32(tb[CTA_FILTER_REPLY_FLAGS]);
		if (filter->reply_flags & ~CTA_FILTER_F_ALL)
			return -EOPNOTSUPP;
	}

	return 0;
}

static int ctnetlink_parse_zone(const struct nlattr *attr,
				struct nf_conntrack_zone *zone);
static int ctnetlink_parse_tuple_filter(const struct nlattr * const cda[],
					struct nf_conntrack_tuple *tuple,
					u32 type, u_int8_t l3num,
					struct nf_conntrack_zone *zone,
					u_int32_t flags);

/* Parse CTA_MARK/CTA_MARK_MASK into @mark.  A mask without a value is
 * rejected; a value without a mask means "match all bits".
 */
static int ctnetlink_filter_parse_mark(struct ctnetlink_filter_u32 *mark,
				       const struct nlattr * const cda[])
{
#ifdef CONFIG_NF_CONNTRACK_MARK
	if (cda[CTA_MARK]) {
		mark->val = ntohl(nla_get_be32(cda[CTA_MARK]));

		if (cda[CTA_MARK_MASK])
			mark->mask = ntohl(nla_get_be32(cda[CTA_MARK_MASK]));
		else
			mark->mask = 0xffffffff;
	} else if (cda[CTA_MARK_MASK]) {
		return -EINVAL;
	}
#endif
	return 0;
}

/* Parse CTA_STATUS/CTA_STATUS_MASK into @status, analogous to mark
 * parsing.  A zero mask would match everything or nothing: reject it.
 */
static int ctnetlink_filter_parse_status(struct ctnetlink_filter_u32 *status,
					 const struct nlattr * const cda[])
{
	if (cda[CTA_STATUS]) {
		status->val = ntohl(nla_get_be32(cda[CTA_STATUS]));
		if (cda[CTA_STATUS_MASK])
			status->mask = ntohl(nla_get_be32(cda[CTA_STATUS_MASK]));
		else
			status->mask = status->val;

		/* status->val == 0? always true, else always false. */
		if (status->mask == 0)
			return -EINVAL;
	} else if (cda[CTA_STATUS_MASK]) {
		return -EINVAL;
	}

	/* CTA_STATUS is NLA_U32, if this fires UAPI needs to be extended */
	BUILD_BUG_ON(__IPS_MAX_BIT >= 32);
	return 0;
}

/* Build a ctnetlink_filter from the request attributes.  Returns the
 * filter, or ERR_PTR on invalid/unsupported attributes.
 */
static struct ctnetlink_filter *
ctnetlink_alloc_filter(const struct nlattr * const cda[], u8 family)
{
	struct ctnetlink_filter *filter;
	int err;

#ifndef CONFIG_NF_CONNTRACK_MARK
	if (cda[CTA_MARK] || cda[CTA_MARK_MASK])
		return ERR_PTR(-EOPNOTSUPP);
#endif

	filter = kzalloc(sizeof(*filter), GFP_KERNEL);
	if (filter == NULL)
		return ERR_PTR(-ENOMEM);

	filter->family = family;

	err = ctnetlink_filter_parse_mark(&filter->mark, cda);
	if (err)
		goto err_filter;

	err = ctnetlink_filter_parse_status(&filter->status, cda);
	if (err)
		goto err_filter;

	if (!cda[CTA_FILTER])
		return filter;

	err = ctnetlink_parse_zone(cda[CTA_ZONE], &filter->zone);
	if (err < 0)
		goto err_filter;

	err = ctnetlink_parse_filter(cda[CTA_FILTER], filter);
	if (err < 0)
		goto err_filter;

	if (filter->orig_flags) {
		if (!cda[CTA_TUPLE_ORIG]) {
			err = -EINVAL;
			goto err_filter;
		}

		err = ctnetlink_parse_tuple_filter(cda, &filter->orig,
						   CTA_TUPLE_ORIG,
						   filter->family,
						   &filter->zone,
						   filter->orig_flags);
if (err < 0) 1012 goto err_filter; 1013 } 1014 1015 if (filter->reply_flags) { 1016 if (!cda[CTA_TUPLE_REPLY]) { 1017 err = -EINVAL; 1018 goto err_filter; 1019 } 1020 1021 err = ctnetlink_parse_tuple_filter(cda, &filter->reply, 1022 CTA_TUPLE_REPLY, 1023 filter->family, 1024 &filter->zone, 1025 filter->reply_flags); 1026 if (err < 0) 1027 goto err_filter; 1028 } 1029 1030 return filter; 1031 1032 err_filter: 1033 kfree(filter); 1034 1035 return ERR_PTR(err); 1036 } 1037 1038 static bool ctnetlink_needs_filter(u8 family, const struct nlattr * const *cda) 1039 { 1040 return family || cda[CTA_MARK] || cda[CTA_FILTER] || cda[CTA_STATUS]; 1041 } 1042 1043 static int ctnetlink_start(struct netlink_callback *cb) 1044 { 1045 const struct nlattr * const *cda = cb->data; 1046 struct ctnetlink_filter *filter = NULL; 1047 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 1048 u8 family = nfmsg->nfgen_family; 1049 1050 if (ctnetlink_needs_filter(family, cda)) { 1051 filter = ctnetlink_alloc_filter(cda, family); 1052 if (IS_ERR(filter)) 1053 return PTR_ERR(filter); 1054 } 1055 1056 cb->data = filter; 1057 return 0; 1058 } 1059 1060 static int ctnetlink_filter_match_tuple(struct nf_conntrack_tuple *filter_tuple, 1061 struct nf_conntrack_tuple *ct_tuple, 1062 u_int32_t flags, int family) 1063 { 1064 switch (family) { 1065 case NFPROTO_IPV4: 1066 if ((flags & CTA_FILTER_FLAG(CTA_IP_SRC)) && 1067 filter_tuple->src.u3.ip != ct_tuple->src.u3.ip) 1068 return 0; 1069 1070 if ((flags & CTA_FILTER_FLAG(CTA_IP_DST)) && 1071 filter_tuple->dst.u3.ip != ct_tuple->dst.u3.ip) 1072 return 0; 1073 break; 1074 case NFPROTO_IPV6: 1075 if ((flags & CTA_FILTER_FLAG(CTA_IP_SRC)) && 1076 !ipv6_addr_cmp(&filter_tuple->src.u3.in6, 1077 &ct_tuple->src.u3.in6)) 1078 return 0; 1079 1080 if ((flags & CTA_FILTER_FLAG(CTA_IP_DST)) && 1081 !ipv6_addr_cmp(&filter_tuple->dst.u3.in6, 1082 &ct_tuple->dst.u3.in6)) 1083 return 0; 1084 break; 1085 } 1086 1087 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_NUM)) && 1088 
filter_tuple->dst.protonum != ct_tuple->dst.protonum) 1089 return 0; 1090 1091 switch (ct_tuple->dst.protonum) { 1092 case IPPROTO_TCP: 1093 case IPPROTO_UDP: 1094 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_SRC_PORT)) && 1095 filter_tuple->src.u.tcp.port != ct_tuple->src.u.tcp.port) 1096 return 0; 1097 1098 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_DST_PORT)) && 1099 filter_tuple->dst.u.tcp.port != ct_tuple->dst.u.tcp.port) 1100 return 0; 1101 break; 1102 case IPPROTO_ICMP: 1103 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMP_TYPE)) && 1104 filter_tuple->dst.u.icmp.type != ct_tuple->dst.u.icmp.type) 1105 return 0; 1106 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMP_CODE)) && 1107 filter_tuple->dst.u.icmp.code != ct_tuple->dst.u.icmp.code) 1108 return 0; 1109 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMP_ID)) && 1110 filter_tuple->src.u.icmp.id != ct_tuple->src.u.icmp.id) 1111 return 0; 1112 break; 1113 case IPPROTO_ICMPV6: 1114 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMPV6_TYPE)) && 1115 filter_tuple->dst.u.icmp.type != ct_tuple->dst.u.icmp.type) 1116 return 0; 1117 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMPV6_CODE)) && 1118 filter_tuple->dst.u.icmp.code != ct_tuple->dst.u.icmp.code) 1119 return 0; 1120 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMPV6_ID)) && 1121 filter_tuple->src.u.icmp.id != ct_tuple->src.u.icmp.id) 1122 return 0; 1123 break; 1124 } 1125 1126 return 1; 1127 } 1128 1129 static int ctnetlink_filter_match(struct nf_conn *ct, void *data) 1130 { 1131 struct ctnetlink_filter *filter = data; 1132 struct nf_conntrack_tuple *tuple; 1133 u32 status; 1134 1135 if (filter == NULL) 1136 goto out; 1137 1138 /* Match entries of a given L3 protocol number. 1139 * If it is not specified, ie. l3proto == 0, 1140 * then match everything. 
*/
	if (filter->family && nf_ct_l3num(ct) != filter->family)
		goto ignore_entry;

	if (filter->orig_flags) {
		tuple = nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL);
		if (!ctnetlink_filter_match_tuple(&filter->orig, tuple,
						  filter->orig_flags,
						  filter->family))
			goto ignore_entry;
	}

	if (filter->reply_flags) {
		tuple = nf_ct_tuple(ct, IP_CT_DIR_REPLY);
		if (!ctnetlink_filter_match_tuple(&filter->reply, tuple,
						  filter->reply_flags,
						  filter->family))
			goto ignore_entry;
	}

#ifdef CONFIG_NF_CONNTRACK_MARK
	if ((READ_ONCE(ct->mark) & filter->mark.mask) != filter->mark.val)
		goto ignore_entry;
#endif
	status = (u32)READ_ONCE(ct->status);
	if ((status & filter->status.mask) != filter->status.val)
		goto ignore_entry;

out:
	return 1;

ignore_entry:
	return 0;
}

/* Walk the conntrack hash table and emit one CT_NEW message per entry
 * that passes the filter.  cb->args[0] is the bucket index, cb->args[1]
 * a referenced entry to resume from after a partial dump.  Expired
 * entries seen while holding the bucket lock are collected and killed
 * after the lock is dropped.
 */
static int
ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
{
	unsigned int flags = cb->data ? NLM_F_DUMP_FILTERED : 0;
	struct net *net = sock_net(skb->sk);
	struct nf_conn *ct, *last;
	struct nf_conntrack_tuple_hash *h;
	struct hlist_nulls_node *n;
	struct nf_conn *nf_ct_evict[8];
	int res, i;
	spinlock_t *lockp;

	last = (struct nf_conn *)cb->args[1];
	i = 0;

	local_bh_disable();
	for (; cb->args[0] < nf_conntrack_htable_size; cb->args[0]++) {
restart:
		/* kill expired entries collected on the previous bucket */
		while (i) {
			i--;
			if (nf_ct_should_gc(nf_ct_evict[i]))
				nf_ct_kill(nf_ct_evict[i]);
			nf_ct_put(nf_ct_evict[i]);
		}

		lockp = &nf_conntrack_locks[cb->args[0] % CONNTRACK_LOCKS];
		nf_conntrack_lock(lockp);
		/* re-check: a resize may have shrunk the table meanwhile */
		if (cb->args[0] >= nf_conntrack_htable_size) {
			spin_unlock(lockp);
			goto out;
		}
		hlist_nulls_for_each_entry(h, n, &nf_conntrack_hash[cb->args[0]],
					   hnnode) {
			ct = nf_ct_tuplehash_to_ctrack(h);
			if (nf_ct_is_expired(ct)) {
				/* need to defer nf_ct_kill() until lock is released */
				if (i < ARRAY_SIZE(nf_ct_evict) &&
				    refcount_inc_not_zero(&ct->ct_general.use))
					nf_ct_evict[i++] = ct;
				continue;
			}

			if (!net_eq(net, nf_ct_net(ct)))
				continue;

			/* each entry is hashed twice; dump it once */
			if (NF_CT_DIRECTION(h) != IP_CT_DIR_ORIGINAL)
				continue;

			if (cb->args[1]) {
				/* skip forward to the resume point */
				if (ct != last)
					continue;
				cb->args[1] = 0;
			}
			if (!ctnetlink_filter_match(ct, cb->data))
				continue;

			res =
			ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).portid,
					    cb->nlh->nlmsg_seq,
					    NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
					    ct, true, flags);
			if (res < 0) {
				/* skb full: remember where to resume */
				nf_conntrack_get(&ct->ct_general);
				cb->args[1] = (unsigned long)ct;
				spin_unlock(lockp);
				goto out;
			}
		}
		spin_unlock(lockp);
		if (cb->args[1]) {
			/* resume point vanished from this bucket; rescan it */
			cb->args[1] = 0;
			goto restart;
		}
	}
out:
	local_bh_enable();
	if (last) {
		/* nf ct hash resize happened, now clear the leftover. */
		if ((struct nf_conn *)cb->args[1] == last)
			cb->args[1] = 0;

		nf_ct_put(last);
	}

	while (i) {
		i--;
		if (nf_ct_should_gc(nf_ct_evict[i]))
			nf_ct_kill(nf_ct_evict[i]);
		nf_ct_put(nf_ct_evict[i]);
	}

	return skb->len;
}

/* Fill the IPv4 addresses selected by @flags from @tb into @t. */
static int ipv4_nlattr_to_tuple(struct nlattr *tb[],
				struct nf_conntrack_tuple *t,
				u_int32_t flags)
{
	if (flags & CTA_FILTER_FLAG(CTA_IP_SRC)) {
		if (!tb[CTA_IP_V4_SRC])
			return -EINVAL;

		t->src.u3.ip = nla_get_in_addr(tb[CTA_IP_V4_SRC]);
	}

	if (flags & CTA_FILTER_FLAG(CTA_IP_DST)) {
		if (!tb[CTA_IP_V4_DST])
			return -EINVAL;

		t->dst.u3.ip = nla_get_in_addr(tb[CTA_IP_V4_DST]);
	}

	return 0;
}

/* Fill the IPv6 addresses selected by @flags from @tb into @t. */
static int ipv6_nlattr_to_tuple(struct nlattr *tb[],
				struct nf_conntrack_tuple *t,
				u_int32_t flags)
{
	if (flags & CTA_FILTER_FLAG(CTA_IP_SRC)) {
		if (!tb[CTA_IP_V6_SRC])
			return -EINVAL;

		t->src.u3.in6 = nla_get_in6_addr(tb[CTA_IP_V6_SRC]);
	}

	if (flags & CTA_FILTER_FLAG(CTA_IP_DST)) {
		if (!tb[CTA_IP_V6_DST])
			return -EINVAL;

		t->dst.u3.in6 = nla_get_in6_addr(tb[CTA_IP_V6_DST]);
	}

	return 0;
}

/* Parse a CTA_TUPLE_IP nest into @tuple according to tuple->src.l3num.
 * Validation is done in a second pass so unknown attributes in the
 * nest are tolerated by the first (policy-less) parse.
 */
static int ctnetlink_parse_tuple_ip(struct nlattr *attr,
				    struct nf_conntrack_tuple *tuple,
				    u_int32_t flags)
{
	struct nlattr *tb[CTA_IP_MAX+1];
	int ret = 0;

	ret = nla_parse_nested_deprecated(tb, CTA_IP_MAX, attr, NULL, NULL);
	if (ret < 0)
		return ret;

	ret = nla_validate_nested_deprecated(attr, CTA_IP_MAX,
					     cta_ip_nla_policy, NULL);
	if (ret)
		return ret;

	switch (tuple->src.l3num) {
	case NFPROTO_IPV4:
		ret = ipv4_nlattr_to_tuple(tb, tuple, flags);
		break;
	case NFPROTO_IPV6:
		ret = ipv6_nlattr_to_tuple(tb, tuple, flags);
		break;
	}

	return ret;
}

static const struct nla_policy
proto_nla_policy[CTA_PROTO_MAX+1] = {
	[CTA_PROTO_NUM]	= { .type = NLA_U8 },
};

/* Parse a CTA_TUPLE_PROTO nest into @tuple.  Only the fields selected in
 * @flags are mandatory; the per-protocol fields (ports, icmp type/code/id)
 * are filled in by the l4proto's nlattr_to_tuple callback under RCU.
 */
static int ctnetlink_parse_tuple_proto(struct nlattr *attr,
				       struct nf_conntrack_tuple *tuple,
				       u_int32_t flags)
{
	const struct nf_conntrack_l4proto *l4proto;
	struct nlattr *tb[CTA_PROTO_MAX+1];
	int ret = 0;

	ret = nla_parse_nested_deprecated(tb, CTA_PROTO_MAX, attr,
					  proto_nla_policy, NULL);
	if (ret < 0)
		return ret;

	if (!(flags & CTA_FILTER_FLAG(CTA_PROTO_NUM)))
		return 0;

	if (!tb[CTA_PROTO_NUM])
		return -EINVAL;

	tuple->dst.protonum = nla_get_u8(tb[CTA_PROTO_NUM]);

	rcu_read_lock();
	l4proto = nf_ct_l4proto_find(tuple->dst.protonum);

	if (likely(l4proto->nlattr_to_tuple)) {
		/* re-validate the proto attrs with the l4proto's own policy */
		ret = nla_validate_nested_deprecated(attr, CTA_PROTO_MAX,
						     l4proto->nla_policy,
						     NULL);
		if (ret == 0)
			ret = l4proto->nlattr_to_tuple(tb, tuple, flags);
	}

	rcu_read_unlock();

	return ret;
}

/* Initialize @zone to the default zone, then override its id from @attr
 * if zones are compiled in.  Returns -EOPNOTSUPP if a zone attribute is
 * given but CONFIG_NF_CONNTRACK_ZONES is disabled.
 */
static int
ctnetlink_parse_zone(const struct nlattr *attr,
		     struct nf_conntrack_zone *zone)
{
	nf_ct_zone_init(zone, NF_CT_DEFAULT_ZONE_ID,
			NF_CT_DEFAULT_ZONE_DIR, 0);
#ifdef CONFIG_NF_CONNTRACK_ZONES
	if (attr)
		zone->id = ntohs(nla_get_be16(attr));
#else
	if (attr)
		return -EOPNOTSUPP;
#endif
	return 0;
}

/* Parse a per-tuple CTA_TUPLE_ZONE attribute and set the zone direction
 * from the tuple @type.  Rejects a second zone if one was already set.
 */
static int
ctnetlink_parse_tuple_zone(struct nlattr *attr, enum ctattr_type type,
			   struct nf_conntrack_zone *zone)
{
	int ret;

	if (zone->id != NF_CT_DEFAULT_ZONE_ID)
		return -EINVAL;

	ret = ctnetlink_parse_zone(attr, zone);
	if (ret < 0)
		return ret;

	if (type == CTA_TUPLE_REPLY)
		zone->dir = NF_CT_ZONE_DIR_REPL;
	else
		zone->dir = NF_CT_ZONE_DIR_ORIG;

	return 0;
}

static const struct nla_policy tuple_nla_policy[CTA_TUPLE_MAX+1] = {
	[CTA_TUPLE_IP]		= { .type = NLA_NESTED },
	[CTA_TUPLE_PROTO]	= { .type = NLA_NESTED },
	[CTA_TUPLE_ZONE]	= { .type = NLA_U16 },
};

/* All l4 filter flags that are meaningless without CTA_PROTO_NUM. */
#define CTA_FILTER_F_ALL_CTA_PROTO \
	(CTA_FILTER_F_CTA_PROTO_SRC_PORT | \
	 CTA_FILTER_F_CTA_PROTO_DST_PORT | \
	 CTA_FILTER_F_CTA_PROTO_ICMP_TYPE | \
	 CTA_FILTER_F_CTA_PROTO_ICMP_CODE | \
	 CTA_FILTER_F_CTA_PROTO_ICMP_ID | \
	 CTA_FILTER_F_CTA_PROTO_ICMPV6_TYPE | \
	 CTA_FILTER_F_CTA_PROTO_ICMPV6_CODE | \
	 CTA_FILTER_F_CTA_PROTO_ICMPV6_ID)

/* Parse the tuple nest cda[@type] into @tuple, honoring the filter
 * @flags (which decide which sub-attributes are mandatory).  @zone may
 * be NULL if a per-tuple zone is not acceptable for this caller.
 */
static int
ctnetlink_parse_tuple_filter(const struct nlattr * const cda[],
			     struct nf_conntrack_tuple *tuple, u32 type,
			     u_int8_t l3num, struct nf_conntrack_zone *zone,
			     u_int32_t flags)
{
	struct nlattr *tb[CTA_TUPLE_MAX+1];
	int err;

	memset(tuple, 0, sizeof(*tuple));

	err = nla_parse_nested_deprecated(tb, CTA_TUPLE_MAX, cda[type],
					  tuple_nla_policy, NULL);
	if (err < 0)
		return err;

	if (l3num != NFPROTO_IPV4 && l3num != NFPROTO_IPV6)
		return -EOPNOTSUPP;
	tuple->src.l3num = l3num;

	if (flags & CTA_FILTER_FLAG(CTA_IP_DST) ||
	    flags & CTA_FILTER_FLAG(CTA_IP_SRC)) {
		if (!tb[CTA_TUPLE_IP])
			return -EINVAL;

		err = ctnetlink_parse_tuple_ip(tb[CTA_TUPLE_IP], tuple, flags);
		if (err < 0)
			return err;
	}

	if (flags & CTA_FILTER_FLAG(CTA_PROTO_NUM)) {
		if (!tb[CTA_TUPLE_PROTO])
			return -EINVAL;

		err = ctnetlink_parse_tuple_proto(tb[CTA_TUPLE_PROTO], tuple, flags);
		if (err < 0)
			return err;
	} else if (flags & CTA_FILTER_FLAG(ALL_CTA_PROTO)) {
		/* Can't manage proto flags without a protonum */
		return -EINVAL;
	}

	if ((flags & CTA_FILTER_FLAG(CTA_TUPLE_ZONE)) && tb[CTA_TUPLE_ZONE]) {
		if (!zone)
			return -EINVAL;

		err = ctnetlink_parse_tuple_zone(tb[CTA_TUPLE_ZONE],
						 type, zone);
		if (err < 0)
			return err;
	}

	/* orig and expect tuples get DIR_ORIGINAL */
	if (type == CTA_TUPLE_REPLY)
		tuple->dst.dir = IP_CT_DIR_REPLY;
	else
		tuple->dst.dir = IP_CT_DIR_ORIGINAL;

	return 0;
}

/* Non-filter variant: every attribute of the tuple is mandatory. */
static int
ctnetlink_parse_tuple(const struct nlattr * const cda[],
		      struct nf_conntrack_tuple *tuple, u32 type,
		      u_int8_t l3num, struct nf_conntrack_zone *zone)
{
	return ctnetlink_parse_tuple_filter(cda, tuple, type, l3num, zone,
					    CTA_FILTER_FLAG(ALL));
}

static const struct nla_policy help_nla_policy[CTA_HELP_MAX+1] = {
	[CTA_HELP_NAME]		= { .type = NLA_NUL_STRING,
				    .len = NF_CT_HELPER_NAME_LEN - 1 },
};

/* Extract the helper name (mandatory) and optional helper-private info
 * from a CTA_HELP nest.  *helper_name points into the attribute payload.
 */
static int ctnetlink_parse_help(const struct nlattr *attr, char **helper_name,
				struct nlattr **helpinfo)
{
	int err;
	struct nlattr *tb[CTA_HELP_MAX+1];

	err = nla_parse_nested_deprecated(tb, CTA_HELP_MAX, attr,
					  help_nla_policy, NULL);
	if (err < 0)
		return err;

	if (!tb[CTA_HELP_NAME])
		return -EINVAL;

	*helper_name = nla_data(tb[CTA_HELP_NAME]);

	if (tb[CTA_HELP_INFO])
		*helpinfo = tb[CTA_HELP_INFO];

	return 0;
}

static const struct nla_policy ct_nla_policy[CTA_MAX+1] = {
	[CTA_TUPLE_ORIG]	= { .type = NLA_NESTED },
	[CTA_TUPLE_REPLY]	= { .type = NLA_NESTED },
	[CTA_STATUS]		= { .type = NLA_U32 },
	[CTA_PROTOINFO]		= { .type = NLA_NESTED },
	[CTA_HELP]		= { .type = NLA_NESTED },
	[CTA_NAT_SRC]		= { .type = NLA_NESTED },
	[CTA_TIMEOUT]		= { .type = NLA_U32 },
	[CTA_MARK]		= { .type = NLA_U32 },
	[CTA_ID]		= { .type = NLA_U32 },
	[CTA_NAT_DST]		= { .type = NLA_NESTED },
	[CTA_TUPLE_MASTER]	= { .type = NLA_NESTED },
	[CTA_NAT_SEQ_ADJ_ORIG]	= { .type = NLA_NESTED },
	[CTA_NAT_SEQ_ADJ_REPLY]	= { .type = NLA_NESTED },
	[CTA_ZONE]		= { .type = NLA_U16 },
	[CTA_MARK_MASK]		= { .type = NLA_U32 },
	[CTA_LABELS]		= { .type = NLA_BINARY,
				    .len = NF_CT_LABELS_MAX_SIZE },
	[CTA_LABELS_MASK]	= { .type =
				    NLA_BINARY,
				    .len = NF_CT_LABELS_MAX_SIZE },
	[CTA_FILTER]		= { .type = NLA_NESTED },
	[CTA_STATUS_MASK]	= { .type = NLA_U32 },
};

/* Iterator callback for flush: never touch hardware-offloaded entries. */
static int ctnetlink_flush_iterate(struct nf_conn *ct, void *data)
{
	if (test_bit(IPS_OFFLOAD_BIT, &ct->status))
		return 0;

	return ctnetlink_filter_match(ct, data);
}

/* Delete all (optionally filtered) conntrack entries in @net.
 * CTA_FILTER is rejected here: tuple filters are not supported for flush.
 */
static int ctnetlink_flush_conntrack(struct net *net,
				     const struct nlattr * const cda[],
				     u32 portid, int report, u8 family)
{
	struct ctnetlink_filter *filter = NULL;
	struct nf_ct_iter_data iter = {
		.net	= net,
		.portid	= portid,
		.report	= report,
	};

	if (ctnetlink_needs_filter(family, cda)) {
		if (cda[CTA_FILTER])
			return -EOPNOTSUPP;

		filter = ctnetlink_alloc_filter(cda, family);
		if (IS_ERR(filter))
			return PTR_ERR(filter);

		iter.data = filter;
	}

	nf_ct_iterate_cleanup_net(ctnetlink_flush_iterate, &iter);
	kfree(filter);

	return 0;
}

/* IPCTNL_MSG_CT_DELETE handler: delete one entry identified by its
 * orig or reply tuple (optionally checked against CTA_ID), or flush
 * the whole table when no tuple is given.
 */
static int ctnetlink_del_conntrack(struct sk_buff *skb,
				   const struct nfnl_info *info,
				   const struct nlattr * const cda[])
{
	u8 family = info->nfmsg->nfgen_family;
	struct nf_conntrack_tuple_hash *h;
	struct nf_conntrack_tuple tuple;
	struct nf_conntrack_zone zone;
	struct nf_conn *ct;
	int err;

	err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone);
	if (err < 0)
		return err;

	if (cda[CTA_TUPLE_ORIG])
		err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG,
					    family, &zone);
	else if (cda[CTA_TUPLE_REPLY])
		err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY,
					    family, &zone);
	else {
		/* no tuple given: flush.  Old (v0) userspace flushed all
		 * families; honor the family only for newer versions.
		 */
		u_int8_t u3 = info->nfmsg->version ? family : AF_UNSPEC;

		return ctnetlink_flush_conntrack(info->net, cda,
						 NETLINK_CB(skb).portid,
						 nlmsg_report(info->nlh), u3);
	}

	if (err < 0)
		return err;

	h = nf_conntrack_find_get(info->net, &zone, &tuple);
	if (!h)
		return -ENOENT;

	ct = nf_ct_tuplehash_to_ctrack(h);

	if (test_bit(IPS_OFFLOAD_BIT, &ct->status)) {
		nf_ct_put(ct);
		return -EBUSY;
	}

	if (cda[CTA_ID]) {
		__be32 id = nla_get_be32(cda[CTA_ID]);

		if (id != (__force __be32)nf_ct_get_id(ct)) {
			nf_ct_put(ct);
			return -ENOENT;
		}
	}

	nf_ct_delete(ct, NETLINK_CB(skb).portid, nlmsg_report(info->nlh));
	nf_ct_put(ct);

	return 0;
}

/* IPCTNL_MSG_CT_GET handler: either start a table dump (NLM_F_DUMP) or
 * look up a single entry by tuple and unicast it back.
 */
static int ctnetlink_get_conntrack(struct sk_buff *skb,
				   const struct nfnl_info *info,
				   const struct nlattr * const cda[])
{
	u_int8_t u3 = info->nfmsg->nfgen_family;
	struct nf_conntrack_tuple_hash *h;
	struct nf_conntrack_tuple tuple;
	struct nf_conntrack_zone zone;
	struct sk_buff *skb2;
	struct nf_conn *ct;
	int err;

	if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
		struct netlink_dump_control c = {
			.start = ctnetlink_start,
			.dump = ctnetlink_dump_table,
			.done = ctnetlink_done,
			.data = (void *)cda,
		};

		return netlink_dump_start(info->sk, skb, info->nlh, &c);
	}

	err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone);
	if (err < 0)
		return err;

	if (cda[CTA_TUPLE_ORIG])
		err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG,
					    u3, &zone);
	else if (cda[CTA_TUPLE_REPLY])
		err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY,
					    u3, &zone);
	else
		return -EINVAL;

	if (err < 0)
		return err;

	h = nf_conntrack_find_get(info->net, &zone, &tuple);
	if (!h)
		return -ENOENT;

	ct = nf_ct_tuplehash_to_ctrack(h);

	skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
	if (!skb2) {
		nf_ct_put(ct);
		return -ENOMEM;
	}

	err = ctnetlink_fill_info(skb2, NETLINK_CB(skb).portid,
				  info->nlh->nlmsg_seq,
				  NFNL_MSG_TYPE(info->nlh->nlmsg_type), ct,
				  true, 0);
	nf_ct_put(ct);
	if (err <= 0) {
		kfree_skb(skb2);
		return -ENOMEM;
	}

	return nfnetlink_unicast(skb2, info->net, NETLINK_CB(skb).portid);
}

/* Dump-done callback: release the reference kept for dump resumption. */
static int ctnetlink_done_list(struct netlink_callback *cb)
{
	struct ctnetlink_list_dump_ctx *ctx = (void *)cb->ctx;

	if (ctx->last)
		nf_ct_put(ctx->last);

	return 0;
}

#ifdef CONFIG_NF_CONNTRACK_EVENTS
/* Fill one list entry into the dump skb; on overflow grab a reference
 * and remember the entry in ctx->last so the next round resumes there.
 */
static int ctnetlink_dump_one_entry(struct sk_buff *skb,
				    struct netlink_callback *cb,
				    struct nf_conn *ct,
				    bool dying)
{
	struct ctnetlink_list_dump_ctx *ctx = (void *)cb->ctx;
	struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
	u8 l3proto = nfmsg->nfgen_family;
	int res;

	if (l3proto && nf_ct_l3num(ct) != l3proto)
		return 0;

	if (ctx->last) {
		if (ct != ctx->last)
			return 0;

		ctx->last = NULL;
	}

	/* We can't dump extension info for the unconfirmed
	 * list because unconfirmed conntracks can have
	 * ct->ext reallocated (and thus freed).
	 *
	 * In the dying list case ct->ext can't be free'd
	 * until after we drop pcpu->lock.
	 */
	res = ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).portid,
				  cb->nlh->nlmsg_seq,
				  NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
				  ct, dying, 0);
	if (res < 0) {
		if (!refcount_inc_not_zero(&ct->ct_general.use))
			return 0;

		ctx->last = ct;
	}

	return res;
}
#endif

/* The unconfirmed list is no longer dumpable; always report nothing. */
static int
ctnetlink_dump_unconfirmed(struct sk_buff *skb, struct netlink_callback *cb)
{
	return 0;
}

/* Dump the per-netns dying list (entries awaiting destroy events).
 * ctx->last carries the resumption point between dump rounds.
 */
static int
ctnetlink_dump_dying(struct sk_buff *skb, struct netlink_callback *cb)
{
	struct ctnetlink_list_dump_ctx *ctx = (void *)cb->ctx;
	struct nf_conn *last = ctx->last;
#ifdef CONFIG_NF_CONNTRACK_EVENTS
	const struct net *net = sock_net(skb->sk);
	struct nf_conntrack_net_ecache *ecache_net;
	struct nf_conntrack_tuple_hash *h;
	struct hlist_nulls_node *n;
#endif

	if (ctx->done)
		return 0;

	ctx->last = NULL;

#ifdef CONFIG_NF_CONNTRACK_EVENTS
	ecache_net = nf_conn_pernet_ecache(net);
	spin_lock_bh(&ecache_net->dying_lock);

	hlist_nulls_for_each_entry(h, n, &ecache_net->dying_list, hnnode) {
		struct nf_conn *ct;
		int res;

		ct = nf_ct_tuplehash_to_ctrack(h);
		if (last && last != ct)
			continue;

		res = ctnetlink_dump_one_entry(skb, cb, ct, true);
		if (res < 0) {
			spin_unlock_bh(&ecache_net->dying_lock);
			nf_ct_put(last);
			return skb->len;
		}

		nf_ct_put(last);
		last = NULL;
	}

	spin_unlock_bh(&ecache_net->dying_lock);
#endif
	ctx->done = true;
	nf_ct_put(last);

	return skb->len;
}

/* IPCTNL_MSG_CT_GET_DYING handler: dump-only operation. */
static int ctnetlink_get_ct_dying(struct sk_buff *skb,
				  const struct nfnl_info *info,
				  const struct nlattr * const cda[])
{
	if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
		struct netlink_dump_control c = {
			.dump = ctnetlink_dump_dying,
			.done = ctnetlink_done_list,
		};
		return
		       netlink_dump_start(info->sk, skb, info->nlh, &c);
	}

	return -EOPNOTSUPP;
}

/* IPCTNL_MSG_CT_GET_UNCONFIRMED handler: dump-only operation. */
static int ctnetlink_get_ct_unconfirmed(struct sk_buff *skb,
					const struct nfnl_info *info,
					const struct nlattr * const cda[])
{
	if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
		struct netlink_dump_control c = {
			.dump = ctnetlink_dump_unconfirmed,
			.done = ctnetlink_done_list,
		};
		return netlink_dump_start(info->sk, skb, info->nlh, &c);
	}

	return -EOPNOTSUPP;
}

#if IS_ENABLED(CONFIG_NF_NAT)
/* Hand a CTA_NAT_SRC/DST attribute to the NAT module.  If the module is
 * not loaded, drop RCU and the nfnl mutex, try request_module(), and
 * return -EAGAIN so the caller replays the whole request under the
 * re-acquired locks.
 */
static int
ctnetlink_parse_nat_setup(struct nf_conn *ct,
			  enum nf_nat_manip_type manip,
			  const struct nlattr *attr)
	__must_hold(RCU)
{
	const struct nf_nat_hook *nat_hook;
	int err;

	nat_hook = rcu_dereference(nf_nat_hook);
	if (!nat_hook) {
#ifdef CONFIG_MODULES
		rcu_read_unlock();
		nfnl_unlock(NFNL_SUBSYS_CTNETLINK);
		if (request_module("nf-nat") < 0) {
			nfnl_lock(NFNL_SUBSYS_CTNETLINK);
			rcu_read_lock();
			return -EOPNOTSUPP;
		}
		nfnl_lock(NFNL_SUBSYS_CTNETLINK);
		rcu_read_lock();
		nat_hook = rcu_dereference(nf_nat_hook);
		if (nat_hook)
			return -EAGAIN;
#endif
		return -EOPNOTSUPP;
	}

	err = nat_hook->parse_nat_setup(ct, manip, attr);
	if (err == -EAGAIN) {
#ifdef CONFIG_MODULES
		rcu_read_unlock();
		nfnl_unlock(NFNL_SUBSYS_CTNETLINK);
		if (request_module("nf-nat-%u", nf_ct_l3num(ct)) < 0) {
			nfnl_lock(NFNL_SUBSYS_CTNETLINK);
			rcu_read_lock();
			return -EOPNOTSUPP;
		}
		nfnl_lock(NFNL_SUBSYS_CTNETLINK);
		rcu_read_lock();
#else
		err = -EOPNOTSUPP;
#endif
	}
	return err;
}
#endif

/* Apply a CTA_STATUS attribute; the common helper validates the bits. */
static int
ctnetlink_change_status(struct nf_conn *ct, const struct nlattr * const cda[])
{
	return nf_ct_change_status_common(ct, ntohl(nla_get_be32(cda[CTA_STATUS])));
}

/* Set up src and/or dst NAT from CTA_NAT_SRC/CTA_NAT_DST, if present. */
static int
ctnetlink_setup_nat(struct nf_conn *ct, const struct nlattr * const cda[])
{
#if IS_ENABLED(CONFIG_NF_NAT)
	int ret;

	if (!cda[CTA_NAT_DST] && !cda[CTA_NAT_SRC])
		return 0;

	/* DST manip must be installed before SRC manip */
	ret = ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_DST,
					cda[CTA_NAT_DST]);
	if (ret < 0)
		return ret;

	return ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_SRC,
					 cda[CTA_NAT_SRC]);
#else
	if (!cda[CTA_NAT_DST] && !cda[CTA_NAT_SRC])
		return 0;
	return -EOPNOTSUPP;
#endif
}

/* Change (or clear) the helper of an existing conntrack entry.
 * An empty helper name detaches the current helper; attaching a new
 * helper to an existing entry is not supported.
 */
static int ctnetlink_change_helper(struct nf_conn *ct,
				   const struct nlattr * const cda[])
{
	struct nf_conntrack_helper *helper;
	struct nf_conn_help *help = nfct_help(ct);
	char *helpname = NULL;
	struct nlattr *helpinfo = NULL;
	int err;

	err = ctnetlink_parse_help(cda[CTA_HELP], &helpname, &helpinfo);
	if (err < 0)
		return err;

	/* don't change helper of sibling connections */
	if (ct->master) {
		/* If we try to change the helper to the same thing twice,
		 * treat the second attempt as a no-op instead of returning
		 * an error.
		 */
		err = -EBUSY;
		if (help) {
			rcu_read_lock();
			helper = rcu_dereference(help->helper);
			if (helper && !strcmp(helper->name, helpname))
				err = 0;
			rcu_read_unlock();
		}

		return err;
	}

	if (!strcmp(helpname, "")) {
		if (help && help->helper) {
			/* we had a helper before ... */
			nf_ct_remove_expectations(ct);
			RCU_INIT_POINTER(help->helper, NULL);
		}

		return 0;
	}

	rcu_read_lock();
	helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
					    nf_ct_protonum(ct));
	if (helper == NULL) {
		rcu_read_unlock();
		return -EOPNOTSUPP;
	}

	if (help) {
		if (rcu_access_pointer(help->helper) == helper) {
			/* update private helper data if allowed. */
			if (helper->from_nlattr)
				helper->from_nlattr(helpinfo, ct);
			err = 0;
		} else
			err = -EBUSY;
	} else {
		/* we cannot set a helper for an existing conntrack */
		err = -EOPNOTSUPP;
	}

	rcu_read_unlock();
	return err;
}

/* Apply CTA_TIMEOUT (seconds, network order) to the entry. */
static int ctnetlink_change_timeout(struct nf_conn *ct,
				    const struct nlattr * const cda[])
{
	return __nf_ct_change_timeout(ct, (u64)ntohl(nla_get_be32(cda[CTA_TIMEOUT])) * HZ);
}

#if defined(CONFIG_NF_CONNTRACK_MARK)
/* Update ct->mark from CTA_MARK, keeping the bits masked out by
 * CTA_MARK_MASK (mask is inverted so masked bits are preserved).
 */
static void ctnetlink_change_mark(struct nf_conn *ct,
				  const struct nlattr * const cda[])
{
	u32 mark, newmark, mask = 0;

	if (cda[CTA_MARK_MASK])
		mask = ~ntohl(nla_get_be32(cda[CTA_MARK_MASK]));

	mark = ntohl(nla_get_be32(cda[CTA_MARK]));
	newmark = (READ_ONCE(ct->mark) & mask) ^ mark;
	if (newmark != READ_ONCE(ct->mark))
		WRITE_ONCE(ct->mark, newmark);
}
#endif

static const struct nla_policy protoinfo_policy[CTA_PROTOINFO_MAX+1] = {
	[CTA_PROTOINFO_TCP]	= { .type = NLA_NESTED },
	[CTA_PROTOINFO_DCCP]	= { .type = NLA_NESTED },
	[CTA_PROTOINFO_SCTP]	= { .type = NLA_NESTED },
};

/* Apply protocol-private state (TCP/DCCP/SCTP) via the l4proto hook. */
static int ctnetlink_change_protoinfo(struct nf_conn *ct,
				      const struct nlattr * const cda[])
{
	const struct nlattr *attr = cda[CTA_PROTOINFO];
	const struct nf_conntrack_l4proto *l4proto;
	struct nlattr *tb[CTA_PROTOINFO_MAX+1];
	int err = 0;

	err = nla_parse_nested_deprecated(tb, CTA_PROTOINFO_MAX, attr,
					  protoinfo_policy, NULL);
	if (err < 0)
		return err;

	l4proto = nf_ct_l4proto_find(nf_ct_protonum(ct));
	if (l4proto->from_nlattr)
		err = l4proto->from_nlattr(tb, ct);

	return err;
}

static const struct nla_policy seqadj_policy[CTA_SEQADJ_MAX+1] = {
	[CTA_SEQADJ_CORRECTION_POS]	= { .type = NLA_U32 },
	[CTA_SEQADJ_OFFSET_BEFORE]	= { .type = NLA_U32 },
	[CTA_SEQADJ_OFFSET_AFTER]	= { .type = NLA_U32 },
};

/* Parse one direction's seqadj nest; all three fields are mandatory. */
static int change_seq_adj(struct nf_ct_seqadj *seq,
			  const struct nlattr * const attr)
{
	int err;
	struct nlattr *cda[CTA_SEQADJ_MAX+1];

	err = nla_parse_nested_deprecated(cda, CTA_SEQADJ_MAX, attr,
					  seqadj_policy, NULL);
	if (err < 0)
		return err;

	if (!cda[CTA_SEQADJ_CORRECTION_POS])
		return -EINVAL;

	seq->correction_pos =
		ntohl(nla_get_be32(cda[CTA_SEQADJ_CORRECTION_POS]));

	if (!cda[CTA_SEQADJ_OFFSET_BEFORE])
		return -EINVAL;

	seq->offset_before =
		ntohl(nla_get_be32(cda[CTA_SEQADJ_OFFSET_BEFORE]));

	if (!cda[CTA_SEQADJ_OFFSET_AFTER])
		return -EINVAL;

	seq->offset_after =
		ntohl(nla_get_be32(cda[CTA_SEQADJ_OFFSET_AFTER]));

	return 0;
}

/* Apply seq adjustments for both directions under ct->lock and set
 * IPS_SEQ_ADJUST for each direction that was supplied.
 */
static int
ctnetlink_change_seq_adj(struct nf_conn *ct,
			 const struct nlattr * const cda[])
{
	struct nf_conn_seqadj *seqadj = nfct_seqadj(ct);
	int ret = 0;

	if (!seqadj)
		return 0;

	spin_lock_bh(&ct->lock);
	if (cda[CTA_SEQ_ADJ_ORIG]) {
		ret = change_seq_adj(&seqadj->seq[IP_CT_DIR_ORIGINAL],
				     cda[CTA_SEQ_ADJ_ORIG]);
		if (ret < 0)
			goto err;

		set_bit(IPS_SEQ_ADJUST_BIT, &ct->status);
	}

	if (cda[CTA_SEQ_ADJ_REPLY]) {
		ret = change_seq_adj(&seqadj->seq[IP_CT_DIR_REPLY],
				     cda[CTA_SEQ_ADJ_REPLY]);
		if (ret < 0)
			goto err;

		set_bit(IPS_SEQ_ADJUST_BIT, &ct->status);
	}

	spin_unlock_bh(&ct->lock);
	return 0;
err:
	spin_unlock_bh(&ct->lock);
	return ret;
}

static const struct nla_policy synproxy_policy[CTA_SYNPROXY_MAX + 1] = {
	[CTA_SYNPROXY_ISN]	= { .type = NLA_U32 },
	[CTA_SYNPROXY_ITS]	= { .type = NLA_U32 },
	[CTA_SYNPROXY_TSOFF]	= { .type = NLA_U32 },
};

/* Apply SYN-proxy state from CTA_SYNPROXY; all three fields required. */
static int ctnetlink_change_synproxy(struct nf_conn *ct,
				     const struct nlattr * const cda[])
{
	struct nf_conn_synproxy *synproxy = nfct_synproxy(ct);
	struct nlattr *tb[CTA_SYNPROXY_MAX + 1];
	int err;

	if (!synproxy)
		return 0;

	err = nla_parse_nested_deprecated(tb, CTA_SYNPROXY_MAX,
					  cda[CTA_SYNPROXY], synproxy_policy,
					  NULL);
	if (err < 0)
		return err;

	if (!tb[CTA_SYNPROXY_ISN] ||
	    !tb[CTA_SYNPROXY_ITS] ||
	    !tb[CTA_SYNPROXY_TSOFF])
		return -EINVAL;

	synproxy->isn = ntohl(nla_get_be32(tb[CTA_SYNPROXY_ISN]));
	synproxy->its = ntohl(nla_get_be32(tb[CTA_SYNPROXY_ITS]));
	synproxy->tsoff = ntohl(nla_get_be32(tb[CTA_SYNPROXY_TSOFF]));

	return 0;
}

/* Replace connlabels from CTA_LABELS/CTA_LABELS_MASK; the length must
 * be a multiple of 32 bits and the mask (if given) the same length.
 */
static int
ctnetlink_attach_labels(struct nf_conn *ct, const struct nlattr * const cda[])
{
#ifdef CONFIG_NF_CONNTRACK_LABELS
	size_t len = nla_len(cda[CTA_LABELS]);
	const void *mask = cda[CTA_LABELS_MASK];

	if (len & (sizeof(u32)-1)) /* must be multiple of u32 */
		return -EINVAL;

	if (mask) {
		if (nla_len(cda[CTA_LABELS_MASK]) == 0 ||
		    nla_len(cda[CTA_LABELS_MASK]) != len)
			return -EINVAL;
		mask = nla_data(cda[CTA_LABELS_MASK]);
	}

	len /= sizeof(u32);

	return nf_connlabels_replace(ct, nla_data(cda[CTA_LABELS]), mask, len);
#else
	return -EOPNOTSUPP;
#endif
}

/* Apply all permitted attribute changes to an existing conntrack.
 * NAT and master assignment are only valid at creation time.
 */
static int
ctnetlink_change_conntrack(struct nf_conn *ct,
			   const struct nlattr * const cda[])
{
	int err;

	/* only allow NAT changes and master assignation for new conntracks */
	if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST] || cda[CTA_TUPLE_MASTER])
		return -EOPNOTSUPP;

	if (cda[CTA_HELP]) {
		err = ctnetlink_change_helper(ct, cda);
		if (err < 0)
			return err;
	}

	if (cda[CTA_TIMEOUT]) {
		err = ctnetlink_change_timeout(ct, cda);
		if (err < 0)
			return err;
	}

	if (cda[CTA_STATUS]) {
		err = ctnetlink_change_status(ct, cda);
		if (err
		    < 0)
			return err;
	}

	if (cda[CTA_PROTOINFO]) {
		err = ctnetlink_change_protoinfo(ct, cda);
		if (err < 0)
			return err;
	}

#if defined(CONFIG_NF_CONNTRACK_MARK)
	if (cda[CTA_MARK])
		ctnetlink_change_mark(ct, cda);
#endif

	if (cda[CTA_SEQ_ADJ_ORIG] || cda[CTA_SEQ_ADJ_REPLY]) {
		err = ctnetlink_change_seq_adj(ct, cda);
		if (err < 0)
			return err;
	}

	if (cda[CTA_SYNPROXY]) {
		err = ctnetlink_change_synproxy(ct, cda);
		if (err < 0)
			return err;
	}

	if (cda[CTA_LABELS]) {
		err = ctnetlink_attach_labels(ct, cda);
		if (err < 0)
			return err;
	}

	return 0;
}

/* Allocate and fully initialize a new conntrack entry from netlink
 * attributes, then insert it into the hash table.  Returns the new
 * entry (with a reference held) or an ERR_PTR; -EAGAIN asks the caller
 * to replay the request after a helper module load.
 */
static struct nf_conn *
ctnetlink_create_conntrack(struct net *net,
			   const struct nf_conntrack_zone *zone,
			   const struct nlattr * const cda[],
			   struct nf_conntrack_tuple *otuple,
			   struct nf_conntrack_tuple *rtuple,
			   u8 u3)
{
	struct nf_conn *ct;
	int err = -EINVAL;
	struct nf_conntrack_helper *helper;
	struct nf_conn_tstamp *tstamp;
	u64 timeout;

	ct = nf_conntrack_alloc(net, zone, otuple, rtuple, GFP_ATOMIC);
	if (IS_ERR(ct))
		return ERR_PTR(-ENOMEM);

	/* a creation request must carry an explicit timeout */
	if (!cda[CTA_TIMEOUT])
		goto err1;

	timeout = (u64)ntohl(nla_get_be32(cda[CTA_TIMEOUT])) * HZ;
	__nf_ct_set_timeout(ct, timeout);

	rcu_read_lock();
	if (cda[CTA_HELP]) {
		char *helpname = NULL;
		struct nlattr *helpinfo = NULL;

		err = ctnetlink_parse_help(cda[CTA_HELP], &helpname, &helpinfo);
		if (err < 0)
			goto err2;

		helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
						    nf_ct_protonum(ct));
		if (helper == NULL) {
			rcu_read_unlock();
#ifdef CONFIG_MODULES
			if (request_module("nfct-helper-%s", helpname) < 0) {
				err = -EOPNOTSUPP;
				goto err1;
			}

			rcu_read_lock();
			helper = __nf_conntrack_helper_find(helpname,
							    nf_ct_l3num(ct),
							    nf_ct_protonum(ct));
			if (helper) {
				/* helper now available: replay the request */
				err = -EAGAIN;
				goto err2;
			}
			rcu_read_unlock();
#endif
			err = -EOPNOTSUPP;
			goto err1;
		} else {
			struct nf_conn_help *help;

			help = nf_ct_helper_ext_add(ct, GFP_ATOMIC);
			if (help == NULL) {
				err = -ENOMEM;
				goto err2;
			}
			/* set private helper data if allowed. */
			if (helper->from_nlattr)
				helper->from_nlattr(helpinfo, ct);

			/* disable helper auto-assignment for this entry */
			ct->status |= IPS_HELPER;
			RCU_INIT_POINTER(help->helper, helper);
		}
	}

	err = ctnetlink_setup_nat(ct, cda);
	if (err < 0)
		goto err2;

	nf_ct_acct_ext_add(ct, GFP_ATOMIC);
	nf_ct_tstamp_ext_add(ct, GFP_ATOMIC);
	nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC);
	nf_ct_labels_ext_add(ct);
	nfct_seqadj_ext_add(ct);
	nfct_synproxy_ext_add(ct);

	if (cda[CTA_STATUS]) {
		err = ctnetlink_change_status(ct, cda);
		if (err < 0)
			goto err2;
	}

	if (cda[CTA_SEQ_ADJ_ORIG] || cda[CTA_SEQ_ADJ_REPLY]) {
		err = ctnetlink_change_seq_adj(ct, cda);
		if (err < 0)
			goto err2;
	}

	memset(&ct->proto, 0, sizeof(ct->proto));
	if (cda[CTA_PROTOINFO]) {
		err = ctnetlink_change_protoinfo(ct, cda);
		if (err < 0)
			goto err2;
	}

	if (cda[CTA_SYNPROXY]) {
		err = ctnetlink_change_synproxy(ct, cda);
		if (err < 0)
			goto err2;
	}

#if defined(CONFIG_NF_CONNTRACK_MARK)
	if (cda[CTA_MARK])
		ctnetlink_change_mark(ct, cda);
#endif

	/* setup master conntrack: this is a confirmed expectation */
	if (cda[CTA_TUPLE_MASTER]) {
		struct nf_conntrack_tuple master;
		struct nf_conntrack_tuple_hash *master_h;
		struct nf_conn *master_ct;

		err = ctnetlink_parse_tuple(cda, &master, CTA_TUPLE_MASTER,
					    u3, NULL);
		if (err < 0)
			goto err2;

		master_h = nf_conntrack_find_get(net, zone, &master);
		if (master_h == NULL) {
			err = -ENOENT;
			goto err2;
		}
		master_ct = nf_ct_tuplehash_to_ctrack(master_h);
		__set_bit(IPS_EXPECTED_BIT, &ct->status);
		ct->master = master_ct;
	}
	tstamp = nf_conn_tstamp_find(ct);
	if (tstamp)
		tstamp->start = ktime_get_real_ns();

	err = nf_conntrack_hash_check_insert(ct);
	if (err < 0)
		goto err3;

	rcu_read_unlock();

	return ct;

err3:
	/* insert failed: drop the master reference taken above */
	if (ct->master)
		nf_ct_put(ct->master);
err2:
	rcu_read_unlock();
err1:
	nf_conntrack_free(ct);
	return ERR_PTR(err);
}

/* IPCTNL_MSG_CT_NEW handler: create a new entry (NLM_F_CREATE) or
 * update an existing one, emitting the appropriate conntrack events.
 */
static int ctnetlink_new_conntrack(struct sk_buff *skb,
				   const struct nfnl_info *info,
				   const struct nlattr * const cda[])
{
	struct nf_conntrack_tuple otuple, rtuple;
	struct nf_conntrack_tuple_hash *h = NULL;
	u_int8_t u3 = info->nfmsg->nfgen_family;
	struct nf_conntrack_zone zone;
	struct nf_conn *ct;
	int err;

	err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone);
	if (err < 0)
		return err;

	if (cda[CTA_TUPLE_ORIG]) {
		err = ctnetlink_parse_tuple(cda, &otuple, CTA_TUPLE_ORIG,
					    u3, &zone);
		if (err < 0)
			return err;
	}

	if (cda[CTA_TUPLE_REPLY]) {
		err = ctnetlink_parse_tuple(cda, &rtuple, CTA_TUPLE_REPLY,
					    u3, &zone);
		if (err < 0)
			return err;
	}

	if (cda[CTA_TUPLE_ORIG])
		h = nf_conntrack_find_get(info->net, &zone, &otuple);
	else if (cda[CTA_TUPLE_REPLY])
		h = nf_conntrack_find_get(info->net, &zone, &rtuple);

	if (h == NULL) {
		err = -ENOENT;
		if (info->nlh->nlmsg_flags & NLM_F_CREATE) {
			enum ip_conntrack_events events;

			if (!cda[CTA_TUPLE_ORIG] || !cda[CTA_TUPLE_REPLY])
				return -EINVAL;
			if (otuple.dst.protonum != rtuple.dst.protonum)
				return -EINVAL;

			ct = ctnetlink_create_conntrack(info->net, &zone, cda,
							&otuple, &rtuple, u3);
			if (IS_ERR(ct))
				return PTR_ERR(ct);

			err = 0;
			if (test_bit(IPS_EXPECTED_BIT, &ct->status))
				events = 1 << IPCT_RELATED;
			else
				events = 1 << IPCT_NEW;

			if (cda[CTA_LABELS] &&
			    ctnetlink_attach_labels(ct, cda) == 0)
				events |= (1 << IPCT_LABEL);

			nf_conntrack_eventmask_report((1 << IPCT_REPLY) |
						      (1 << IPCT_ASSURED) |
						      (1 << IPCT_HELPER) |
						      (1 << IPCT_PROTOINFO) |
						      (1 << IPCT_SEQADJ) |
						      (1 << IPCT_MARK) |
						      (1 << IPCT_SYNPROXY) |
						      events,
						      ct, NETLINK_CB(skb).portid,
						      nlmsg_report(info->nlh));
			nf_ct_put(ct);
		}

		return err;
	}
	/* implicit 'else' */

	err = -EEXIST;
	ct = nf_ct_tuplehash_to_ctrack(h);
	if (!(info->nlh->nlmsg_flags & NLM_F_EXCL)) {
		err = ctnetlink_change_conntrack(ct, cda);
		if (err == 0) {
			nf_conntrack_eventmask_report((1 << IPCT_REPLY) |
						      (1 << IPCT_ASSURED) |
						      (1 << IPCT_HELPER) |
						      (1 << IPCT_LABEL) |
						      (1 << IPCT_PROTOINFO) |
						      (1 << IPCT_SEQADJ) |
						      (1 << IPCT_MARK) |
						      (1 << IPCT_SYNPROXY),
						      ct, NETLINK_CB(skb).portid,
						      nlmsg_report(info->nlh));
		}
	}

	nf_ct_put(ct);
	return err;
}

/* Build one per-CPU statistics message into @skb. */
static int
ctnetlink_ct_stat_cpu_fill_info(struct sk_buff *skb, u32 portid, u32 seq,
				__u16 cpu, const struct ip_conntrack_stat *st)
{
	struct nlmsghdr *nlh;
	unsigned int flags = portid ?
					   NLM_F_MULTI : 0, event;

	event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK,
			      IPCTNL_MSG_CT_GET_STATS_CPU);
	/* cpu index travels in the nfgenmsg res_id field (network order) */
	nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC,
			   NFNETLINK_V0, htons(cpu));
	if (!nlh)
		goto nlmsg_failure;

	if (nla_put_be32(skb, CTA_STATS_FOUND, htonl(st->found)) ||
	    nla_put_be32(skb, CTA_STATS_INVALID, htonl(st->invalid)) ||
	    nla_put_be32(skb, CTA_STATS_INSERT, htonl(st->insert)) ||
	    nla_put_be32(skb, CTA_STATS_INSERT_FAILED,
			 htonl(st->insert_failed)) ||
	    nla_put_be32(skb, CTA_STATS_DROP, htonl(st->drop)) ||
	    nla_put_be32(skb, CTA_STATS_EARLY_DROP, htonl(st->early_drop)) ||
	    nla_put_be32(skb, CTA_STATS_ERROR, htonl(st->error)) ||
	    nla_put_be32(skb, CTA_STATS_SEARCH_RESTART,
			 htonl(st->search_restart)) ||
	    nla_put_be32(skb, CTA_STATS_CLASH_RESOLVE,
			 htonl(st->clash_resolve)) ||
	    nla_put_be32(skb, CTA_STATS_CHAIN_TOOLONG,
			 htonl(st->chaintoolong)))
		goto nla_put_failure;

	nlmsg_end(skb, nlh);
	return skb->len;

nla_put_failure:
nlmsg_failure:
	/* roll back the partially-built message */
	nlmsg_cancel(skb, nlh);
	return -1;
}

/* Dump one IPCTNL_MSG_CT_GET_STATS_CPU message per possible cpu.
 * cb->args[0] remembers the next cpu to visit across dump resumptions.
 */
static int
ctnetlink_ct_stat_cpu_dump(struct sk_buff *skb, struct netlink_callback *cb)
{
	int cpu;
	struct net *net = sock_net(skb->sk);

	if (cb->args[0] == nr_cpu_ids)
		return 0;

	for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) {
		const struct ip_conntrack_stat *st;

		if (!cpu_possible(cpu))
			continue;

		st = per_cpu_ptr(net->ct.stat, cpu);
		if (ctnetlink_ct_stat_cpu_fill_info(skb,
						    NETLINK_CB(cb->skb).portid,
						    cb->nlh->nlmsg_seq,
						    cpu, st) < 0)
			break;	/* skb full: resume from this cpu next call */
	}
	cb->args[0] = cpu;

	return skb->len;
}

/* IPCTNL_MSG_CT_GET_STATS_CPU handler: only the DUMP form is supported;
 * a non-dump request is silently accepted and returns nothing.
 */
static int ctnetlink_stat_ct_cpu(struct sk_buff *skb,
				 const struct nfnl_info *info,
				 const struct nlattr * const cda[])
{
	if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
		struct netlink_dump_control c = {
			.dump = ctnetlink_ct_stat_cpu_dump,
		};
		return netlink_dump_start(info->sk, skb, info->nlh, &c);
	}

	return 0;
}

/* Build the global (non per-cpu) conntrack statistics message:
 * current entry count and the table limit.
 */
static int
ctnetlink_stat_ct_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
			    struct net *net)
{
	unsigned int flags = portid ? NLM_F_MULTI : 0, event;
	unsigned int nr_conntracks;
	struct nlmsghdr *nlh;

	event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, IPCTNL_MSG_CT_GET_STATS);
	nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC,
			   NFNETLINK_V0, 0);
	if (!nlh)
		goto nlmsg_failure;

	nr_conntracks = nf_conntrack_count(net);
	if (nla_put_be32(skb, CTA_STATS_GLOBAL_ENTRIES, htonl(nr_conntracks)))
		goto nla_put_failure;

	if (nla_put_be32(skb, CTA_STATS_GLOBAL_MAX_ENTRIES, htonl(nf_conntrack_max)))
		goto nla_put_failure;

	nlmsg_end(skb, nlh);
	return skb->len;

nla_put_failure:
nlmsg_failure:
	nlmsg_cancel(skb, nlh);
	return -1;
}

/* IPCTNL_MSG_CT_GET_STATS handler: unicast a single stats message back
 * to the requester.
 */
static int ctnetlink_stat_ct(struct sk_buff *skb, const struct nfnl_info *info,
			     const struct nlattr * const cda[])
{
	struct sk_buff *skb2;
	int err;

	skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
	if (skb2 == NULL)
		return -ENOMEM;

	err = ctnetlink_stat_ct_fill_info(skb2, NETLINK_CB(skb).portid,
					  info->nlh->nlmsg_seq,
					  NFNL_MSG_TYPE(info->nlh->nlmsg_type),
					  sock_net(skb->sk));
	if (err <= 0) {
		/* fill failure is treated as out-of-room */
		kfree_skb(skb2);
		return -ENOMEM;
	}

	return nfnetlink_unicast(skb2, info->net, NETLINK_CB(skb).portid);
}

/* netlink attribute policy for CTA_EXPECT_* attributes */
static const struct nla_policy exp_nla_policy[CTA_EXPECT_MAX+1] = {
	[CTA_EXPECT_MASTER]	= { .type = NLA_NESTED },
	[CTA_EXPECT_TUPLE]	= { .type = NLA_NESTED },
	[CTA_EXPECT_MASK]	= { .type = NLA_NESTED },
	[CTA_EXPECT_TIMEOUT]	= { .type = NLA_U32 },
	[CTA_EXPECT_ID]		= { .type = NLA_U32 },
	[CTA_EXPECT_HELP_NAME]	= { .type =
NLA_NUL_STRING, 2628 .len = NF_CT_HELPER_NAME_LEN - 1 }, 2629 [CTA_EXPECT_ZONE] = { .type = NLA_U16 }, 2630 [CTA_EXPECT_FLAGS] = { .type = NLA_U32 }, 2631 [CTA_EXPECT_CLASS] = { .type = NLA_U32 }, 2632 [CTA_EXPECT_NAT] = { .type = NLA_NESTED }, 2633 [CTA_EXPECT_FN] = { .type = NLA_NUL_STRING }, 2634 }; 2635 2636 static struct nf_conntrack_expect * 2637 ctnetlink_alloc_expect(const struct nlattr *const cda[], struct nf_conn *ct, 2638 struct nf_conntrack_helper *helper, 2639 struct nf_conntrack_tuple *tuple, 2640 struct nf_conntrack_tuple *mask); 2641 2642 #ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT 2643 static size_t 2644 ctnetlink_glue_build_size(const struct nf_conn *ct) 2645 { 2646 return 3 * nla_total_size(0) /* CTA_TUPLE_ORIG|REPL|MASTER */ 2647 + 3 * nla_total_size(0) /* CTA_TUPLE_IP */ 2648 + 3 * nla_total_size(0) /* CTA_TUPLE_PROTO */ 2649 + 3 * nla_total_size(sizeof(u_int8_t)) /* CTA_PROTO_NUM */ 2650 + nla_total_size(sizeof(u_int32_t)) /* CTA_ID */ 2651 + nla_total_size(sizeof(u_int32_t)) /* CTA_STATUS */ 2652 + nla_total_size(sizeof(u_int32_t)) /* CTA_TIMEOUT */ 2653 + nla_total_size(0) /* CTA_PROTOINFO */ 2654 + nla_total_size(0) /* CTA_HELP */ 2655 + nla_total_size(NF_CT_HELPER_NAME_LEN) /* CTA_HELP_NAME */ 2656 + ctnetlink_secctx_size(ct) 2657 + ctnetlink_acct_size(ct) 2658 + ctnetlink_timestamp_size(ct) 2659 #if IS_ENABLED(CONFIG_NF_NAT) 2660 + 2 * nla_total_size(0) /* CTA_NAT_SEQ_ADJ_ORIG|REPL */ 2661 + 6 * nla_total_size(sizeof(u_int32_t)) /* CTA_NAT_SEQ_OFFSET */ 2662 #endif 2663 #ifdef CONFIG_NF_CONNTRACK_MARK 2664 + nla_total_size(sizeof(u_int32_t)) /* CTA_MARK */ 2665 #endif 2666 #ifdef CONFIG_NF_CONNTRACK_ZONES 2667 + nla_total_size(sizeof(u_int16_t)) /* CTA_ZONE|CTA_TUPLE_ZONE */ 2668 #endif 2669 + ctnetlink_proto_size(ct) 2670 ; 2671 } 2672 2673 static int __ctnetlink_glue_build(struct sk_buff *skb, struct nf_conn *ct) 2674 { 2675 const struct nf_conntrack_zone *zone; 2676 struct nlattr *nest_parms; 2677 2678 zone = nf_ct_zone(ct); 2679 2680 
nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG); 2681 if (!nest_parms) 2682 goto nla_put_failure; 2683 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0) 2684 goto nla_put_failure; 2685 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone, 2686 NF_CT_ZONE_DIR_ORIG) < 0) 2687 goto nla_put_failure; 2688 nla_nest_end(skb, nest_parms); 2689 2690 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY); 2691 if (!nest_parms) 2692 goto nla_put_failure; 2693 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0) 2694 goto nla_put_failure; 2695 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone, 2696 NF_CT_ZONE_DIR_REPL) < 0) 2697 goto nla_put_failure; 2698 nla_nest_end(skb, nest_parms); 2699 2700 if (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone, 2701 NF_CT_DEFAULT_ZONE_DIR) < 0) 2702 goto nla_put_failure; 2703 2704 if (ctnetlink_dump_id(skb, ct) < 0) 2705 goto nla_put_failure; 2706 2707 if (ctnetlink_dump_status(skb, ct) < 0) 2708 goto nla_put_failure; 2709 2710 if (ctnetlink_dump_timeout(skb, ct, false) < 0) 2711 goto nla_put_failure; 2712 2713 if (ctnetlink_dump_protoinfo(skb, ct, false) < 0) 2714 goto nla_put_failure; 2715 2716 if (ctnetlink_dump_acct(skb, ct, IPCTNL_MSG_CT_GET) < 0 || 2717 ctnetlink_dump_timestamp(skb, ct) < 0) 2718 goto nla_put_failure; 2719 2720 if (ctnetlink_dump_helpinfo(skb, ct) < 0) 2721 goto nla_put_failure; 2722 2723 #ifdef CONFIG_NF_CONNTRACK_SECMARK 2724 if (ct->secmark && ctnetlink_dump_secctx(skb, ct) < 0) 2725 goto nla_put_failure; 2726 #endif 2727 if (ct->master && ctnetlink_dump_master(skb, ct) < 0) 2728 goto nla_put_failure; 2729 2730 if ((ct->status & IPS_SEQ_ADJUST) && 2731 ctnetlink_dump_ct_seq_adj(skb, ct) < 0) 2732 goto nla_put_failure; 2733 2734 if (ctnetlink_dump_ct_synproxy(skb, ct) < 0) 2735 goto nla_put_failure; 2736 2737 #ifdef CONFIG_NF_CONNTRACK_MARK 2738 if (ctnetlink_dump_mark(skb, ct, true) < 0) 2739 goto nla_put_failure; 2740 #endif 2741 if (ctnetlink_dump_labels(skb, ct) < 0) 2742 goto 
nla_put_failure; 2743 return 0; 2744 2745 nla_put_failure: 2746 return -ENOSPC; 2747 } 2748 2749 static int 2750 ctnetlink_glue_build(struct sk_buff *skb, struct nf_conn *ct, 2751 enum ip_conntrack_info ctinfo, 2752 u_int16_t ct_attr, u_int16_t ct_info_attr) 2753 { 2754 struct nlattr *nest_parms; 2755 2756 nest_parms = nla_nest_start(skb, ct_attr); 2757 if (!nest_parms) 2758 goto nla_put_failure; 2759 2760 if (__ctnetlink_glue_build(skb, ct) < 0) 2761 goto nla_put_failure; 2762 2763 nla_nest_end(skb, nest_parms); 2764 2765 if (nla_put_be32(skb, ct_info_attr, htonl(ctinfo))) 2766 goto nla_put_failure; 2767 2768 return 0; 2769 2770 nla_put_failure: 2771 return -ENOSPC; 2772 } 2773 2774 static int 2775 ctnetlink_update_status(struct nf_conn *ct, const struct nlattr * const cda[]) 2776 { 2777 unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS])); 2778 unsigned long d = ct->status ^ status; 2779 2780 if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY)) 2781 /* SEEN_REPLY bit can only be set */ 2782 return -EBUSY; 2783 2784 if (d & IPS_ASSURED && !(status & IPS_ASSURED)) 2785 /* ASSURED bit can only be set */ 2786 return -EBUSY; 2787 2788 /* This check is less strict than ctnetlink_change_status() 2789 * because callers often flip IPS_EXPECTED bits when sending 2790 * an NFQA_CT attribute to the kernel. So ignore the 2791 * unchangeable bits but do not error out. Also user programs 2792 * are allowed to clear the bits that they are allowed to change. 
2793 */ 2794 __nf_ct_change_status(ct, status, ~status); 2795 return 0; 2796 } 2797 2798 static int 2799 ctnetlink_glue_parse_ct(const struct nlattr *cda[], struct nf_conn *ct) 2800 { 2801 int err; 2802 2803 if (cda[CTA_TIMEOUT]) { 2804 err = ctnetlink_change_timeout(ct, cda); 2805 if (err < 0) 2806 return err; 2807 } 2808 if (cda[CTA_STATUS]) { 2809 err = ctnetlink_update_status(ct, cda); 2810 if (err < 0) 2811 return err; 2812 } 2813 if (cda[CTA_HELP]) { 2814 err = ctnetlink_change_helper(ct, cda); 2815 if (err < 0) 2816 return err; 2817 } 2818 if (cda[CTA_LABELS]) { 2819 err = ctnetlink_attach_labels(ct, cda); 2820 if (err < 0) 2821 return err; 2822 } 2823 #if defined(CONFIG_NF_CONNTRACK_MARK) 2824 if (cda[CTA_MARK]) { 2825 ctnetlink_change_mark(ct, cda); 2826 } 2827 #endif 2828 return 0; 2829 } 2830 2831 static int 2832 ctnetlink_glue_parse(const struct nlattr *attr, struct nf_conn *ct) 2833 { 2834 struct nlattr *cda[CTA_MAX+1]; 2835 int ret; 2836 2837 ret = nla_parse_nested_deprecated(cda, CTA_MAX, attr, ct_nla_policy, 2838 NULL); 2839 if (ret < 0) 2840 return ret; 2841 2842 return ctnetlink_glue_parse_ct((const struct nlattr **)cda, ct); 2843 } 2844 2845 static int ctnetlink_glue_exp_parse(const struct nlattr * const *cda, 2846 const struct nf_conn *ct, 2847 struct nf_conntrack_tuple *tuple, 2848 struct nf_conntrack_tuple *mask) 2849 { 2850 int err; 2851 2852 err = ctnetlink_parse_tuple(cda, tuple, CTA_EXPECT_TUPLE, 2853 nf_ct_l3num(ct), NULL); 2854 if (err < 0) 2855 return err; 2856 2857 return ctnetlink_parse_tuple(cda, mask, CTA_EXPECT_MASK, 2858 nf_ct_l3num(ct), NULL); 2859 } 2860 2861 static int 2862 ctnetlink_glue_attach_expect(const struct nlattr *attr, struct nf_conn *ct, 2863 u32 portid, u32 report) 2864 { 2865 struct nlattr *cda[CTA_EXPECT_MAX+1]; 2866 struct nf_conntrack_tuple tuple, mask; 2867 struct nf_conntrack_helper *helper = NULL; 2868 struct nf_conntrack_expect *exp; 2869 int err; 2870 2871 err = nla_parse_nested_deprecated(cda, 
CTA_EXPECT_MAX, attr, 2872 exp_nla_policy, NULL); 2873 if (err < 0) 2874 return err; 2875 2876 err = ctnetlink_glue_exp_parse((const struct nlattr * const *)cda, 2877 ct, &tuple, &mask); 2878 if (err < 0) 2879 return err; 2880 2881 if (cda[CTA_EXPECT_HELP_NAME]) { 2882 const char *helpname = nla_data(cda[CTA_EXPECT_HELP_NAME]); 2883 2884 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct), 2885 nf_ct_protonum(ct)); 2886 if (helper == NULL) 2887 return -EOPNOTSUPP; 2888 } 2889 2890 exp = ctnetlink_alloc_expect((const struct nlattr * const *)cda, ct, 2891 helper, &tuple, &mask); 2892 if (IS_ERR(exp)) 2893 return PTR_ERR(exp); 2894 2895 err = nf_ct_expect_related_report(exp, portid, report, 0); 2896 nf_ct_expect_put(exp); 2897 return err; 2898 } 2899 2900 static void ctnetlink_glue_seqadj(struct sk_buff *skb, struct nf_conn *ct, 2901 enum ip_conntrack_info ctinfo, int diff) 2902 { 2903 if (!(ct->status & IPS_NAT_MASK)) 2904 return; 2905 2906 nf_ct_tcp_seqadj_set(skb, ct, ctinfo, diff); 2907 } 2908 2909 static const struct nfnl_ct_hook ctnetlink_glue_hook = { 2910 .build_size = ctnetlink_glue_build_size, 2911 .build = ctnetlink_glue_build, 2912 .parse = ctnetlink_glue_parse, 2913 .attach_expect = ctnetlink_glue_attach_expect, 2914 .seq_adjust = ctnetlink_glue_seqadj, 2915 }; 2916 #endif /* CONFIG_NETFILTER_NETLINK_GLUE_CT */ 2917 2918 /*********************************************************************** 2919 * EXPECT 2920 ***********************************************************************/ 2921 2922 static int ctnetlink_exp_dump_tuple(struct sk_buff *skb, 2923 const struct nf_conntrack_tuple *tuple, 2924 u32 type) 2925 { 2926 struct nlattr *nest_parms; 2927 2928 nest_parms = nla_nest_start(skb, type); 2929 if (!nest_parms) 2930 goto nla_put_failure; 2931 if (ctnetlink_dump_tuples(skb, tuple) < 0) 2932 goto nla_put_failure; 2933 nla_nest_end(skb, nest_parms); 2934 2935 return 0; 2936 2937 nla_put_failure: 2938 return -1; 2939 } 2940 2941 static int 
ctnetlink_exp_dump_mask(struct sk_buff *skb, 2942 const struct nf_conntrack_tuple *tuple, 2943 const struct nf_conntrack_tuple_mask *mask) 2944 { 2945 const struct nf_conntrack_l4proto *l4proto; 2946 struct nf_conntrack_tuple m; 2947 struct nlattr *nest_parms; 2948 int ret; 2949 2950 memset(&m, 0xFF, sizeof(m)); 2951 memcpy(&m.src.u3, &mask->src.u3, sizeof(m.src.u3)); 2952 m.src.u.all = mask->src.u.all; 2953 m.src.l3num = tuple->src.l3num; 2954 m.dst.protonum = tuple->dst.protonum; 2955 2956 nest_parms = nla_nest_start(skb, CTA_EXPECT_MASK); 2957 if (!nest_parms) 2958 goto nla_put_failure; 2959 2960 rcu_read_lock(); 2961 ret = ctnetlink_dump_tuples_ip(skb, &m); 2962 if (ret >= 0) { 2963 l4proto = nf_ct_l4proto_find(tuple->dst.protonum); 2964 ret = ctnetlink_dump_tuples_proto(skb, &m, l4proto); 2965 } 2966 rcu_read_unlock(); 2967 2968 if (unlikely(ret < 0)) 2969 goto nla_put_failure; 2970 2971 nla_nest_end(skb, nest_parms); 2972 2973 return 0; 2974 2975 nla_put_failure: 2976 return -1; 2977 } 2978 2979 static const union nf_inet_addr any_addr; 2980 2981 static __be32 nf_expect_get_id(const struct nf_conntrack_expect *exp) 2982 { 2983 static siphash_aligned_key_t exp_id_seed; 2984 unsigned long a, b, c, d; 2985 2986 net_get_random_once(&exp_id_seed, sizeof(exp_id_seed)); 2987 2988 a = (unsigned long)exp; 2989 b = (unsigned long)exp->helper; 2990 c = (unsigned long)exp->master; 2991 d = (unsigned long)siphash(&exp->tuple, sizeof(exp->tuple), &exp_id_seed); 2992 2993 #ifdef CONFIG_64BIT 2994 return (__force __be32)siphash_4u64((u64)a, (u64)b, (u64)c, (u64)d, &exp_id_seed); 2995 #else 2996 return (__force __be32)siphash_4u32((u32)a, (u32)b, (u32)c, (u32)d, &exp_id_seed); 2997 #endif 2998 } 2999 3000 static int 3001 ctnetlink_exp_dump_expect(struct sk_buff *skb, 3002 const struct nf_conntrack_expect *exp) 3003 { 3004 struct nf_conn *master = exp->master; 3005 long timeout = ((long)exp->timeout.expires - (long)jiffies) / HZ; 3006 struct nf_conn_help *help; 3007 #if 
IS_ENABLED(CONFIG_NF_NAT) 3008 struct nlattr *nest_parms; 3009 struct nf_conntrack_tuple nat_tuple = {}; 3010 #endif 3011 struct nf_ct_helper_expectfn *expfn; 3012 3013 if (timeout < 0) 3014 timeout = 0; 3015 3016 if (ctnetlink_exp_dump_tuple(skb, &exp->tuple, CTA_EXPECT_TUPLE) < 0) 3017 goto nla_put_failure; 3018 if (ctnetlink_exp_dump_mask(skb, &exp->tuple, &exp->mask) < 0) 3019 goto nla_put_failure; 3020 if (ctnetlink_exp_dump_tuple(skb, 3021 &master->tuplehash[IP_CT_DIR_ORIGINAL].tuple, 3022 CTA_EXPECT_MASTER) < 0) 3023 goto nla_put_failure; 3024 3025 #if IS_ENABLED(CONFIG_NF_NAT) 3026 if (!nf_inet_addr_cmp(&exp->saved_addr, &any_addr) || 3027 exp->saved_proto.all) { 3028 nest_parms = nla_nest_start(skb, CTA_EXPECT_NAT); 3029 if (!nest_parms) 3030 goto nla_put_failure; 3031 3032 if (nla_put_be32(skb, CTA_EXPECT_NAT_DIR, htonl(exp->dir))) 3033 goto nla_put_failure; 3034 3035 nat_tuple.src.l3num = nf_ct_l3num(master); 3036 nat_tuple.src.u3 = exp->saved_addr; 3037 nat_tuple.dst.protonum = nf_ct_protonum(master); 3038 nat_tuple.src.u = exp->saved_proto; 3039 3040 if (ctnetlink_exp_dump_tuple(skb, &nat_tuple, 3041 CTA_EXPECT_NAT_TUPLE) < 0) 3042 goto nla_put_failure; 3043 nla_nest_end(skb, nest_parms); 3044 } 3045 #endif 3046 if (nla_put_be32(skb, CTA_EXPECT_TIMEOUT, htonl(timeout)) || 3047 nla_put_be32(skb, CTA_EXPECT_ID, nf_expect_get_id(exp)) || 3048 nla_put_be32(skb, CTA_EXPECT_FLAGS, htonl(exp->flags)) || 3049 nla_put_be32(skb, CTA_EXPECT_CLASS, htonl(exp->class))) 3050 goto nla_put_failure; 3051 help = nfct_help(master); 3052 if (help) { 3053 struct nf_conntrack_helper *helper; 3054 3055 helper = rcu_dereference(help->helper); 3056 if (helper && 3057 nla_put_string(skb, CTA_EXPECT_HELP_NAME, helper->name)) 3058 goto nla_put_failure; 3059 } 3060 expfn = nf_ct_helper_expectfn_find_by_symbol(exp->expectfn); 3061 if (expfn != NULL && 3062 nla_put_string(skb, CTA_EXPECT_FN, expfn->name)) 3063 goto nla_put_failure; 3064 3065 return 0; 3066 3067 nla_put_failure: 3068 
return -1; 3069 } 3070 3071 static int 3072 ctnetlink_exp_fill_info(struct sk_buff *skb, u32 portid, u32 seq, 3073 int event, const struct nf_conntrack_expect *exp) 3074 { 3075 struct nlmsghdr *nlh; 3076 unsigned int flags = portid ? NLM_F_MULTI : 0; 3077 3078 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_EXP, event); 3079 nlh = nfnl_msg_put(skb, portid, seq, event, flags, 3080 exp->tuple.src.l3num, NFNETLINK_V0, 0); 3081 if (!nlh) 3082 goto nlmsg_failure; 3083 3084 if (ctnetlink_exp_dump_expect(skb, exp) < 0) 3085 goto nla_put_failure; 3086 3087 nlmsg_end(skb, nlh); 3088 return skb->len; 3089 3090 nlmsg_failure: 3091 nla_put_failure: 3092 nlmsg_cancel(skb, nlh); 3093 return -1; 3094 } 3095 3096 #ifdef CONFIG_NF_CONNTRACK_EVENTS 3097 static int 3098 ctnetlink_expect_event(unsigned int events, const struct nf_exp_event *item) 3099 { 3100 struct nf_conntrack_expect *exp = item->exp; 3101 struct net *net = nf_ct_exp_net(exp); 3102 struct nlmsghdr *nlh; 3103 struct sk_buff *skb; 3104 unsigned int type, group; 3105 int flags = 0; 3106 3107 if (events & (1 << IPEXP_DESTROY)) { 3108 type = IPCTNL_MSG_EXP_DELETE; 3109 group = NFNLGRP_CONNTRACK_EXP_DESTROY; 3110 } else if (events & (1 << IPEXP_NEW)) { 3111 type = IPCTNL_MSG_EXP_NEW; 3112 flags = NLM_F_CREATE|NLM_F_EXCL; 3113 group = NFNLGRP_CONNTRACK_EXP_NEW; 3114 } else 3115 return 0; 3116 3117 if (!item->report && !nfnetlink_has_listeners(net, group)) 3118 return 0; 3119 3120 skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC); 3121 if (skb == NULL) 3122 goto errout; 3123 3124 type = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_EXP, type); 3125 nlh = nfnl_msg_put(skb, item->portid, 0, type, flags, 3126 exp->tuple.src.l3num, NFNETLINK_V0, 0); 3127 if (!nlh) 3128 goto nlmsg_failure; 3129 3130 if (ctnetlink_exp_dump_expect(skb, exp) < 0) 3131 goto nla_put_failure; 3132 3133 nlmsg_end(skb, nlh); 3134 nfnetlink_send(skb, net, item->portid, group, item->report, GFP_ATOMIC); 3135 return 0; 3136 3137 nla_put_failure: 3138 nlmsg_cancel(skb, 
			  nlh);
nlmsg_failure:
	kfree_skb(skb);
errout:
	/* tell listeners an event was lost */
	nfnetlink_set_err(net, 0, 0, -ENOBUFS);
	return 0;
}
#endif
/* Dump-done callback: drop the reference kept in cb->args[1] when a dump
 * was interrupted mid-expectation.
 */
static int ctnetlink_exp_done(struct netlink_callback *cb)
{
	if (cb->args[1])
		nf_ct_expect_put((struct nf_conntrack_expect *)cb->args[1]);
	return 0;
}

/* Walk the global expectation hash table under RCU.
 * Resume protocol: cb->args[0] is the current bucket; cb->args[1] holds a
 * referenced pointer to the last expectation that did not fit in the skb,
 * so the next invocation can skip forward to it.
 */
static int
ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
{
	struct net *net = sock_net(skb->sk);
	struct nf_conntrack_expect *exp, *last;
	struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
	u_int8_t l3proto = nfmsg->nfgen_family;

	rcu_read_lock();
	last = (struct nf_conntrack_expect *)cb->args[1];
	for (; cb->args[0] < nf_ct_expect_hsize; cb->args[0]++) {
restart:
		hlist_for_each_entry_rcu(exp, &nf_ct_expect_hash[cb->args[0]],
					 hnode) {
			if (l3proto && exp->tuple.src.l3num != l3proto)
				continue;

			if (!net_eq(nf_ct_net(exp->master), net))
				continue;

			/* fast-forward to the resume point, then clear it */
			if (cb->args[1]) {
				if (exp != last)
					continue;
				cb->args[1] = 0;
			}
			if (ctnetlink_exp_fill_info(skb,
						    NETLINK_CB(cb->skb).portid,
						    cb->nlh->nlmsg_seq,
						    IPCTNL_MSG_EXP_NEW,
						    exp) < 0) {
				/* skb full: pin this entry for the resume;
				 * skip it if it is already dying.
				 */
				if (!refcount_inc_not_zero(&exp->use))
					continue;
				cb->args[1] = (unsigned long)exp;
				goto out;
			}
		}
		/* resume point vanished from this bucket: rescan it */
		if (cb->args[1]) {
			cb->args[1] = 0;
			goto restart;
		}
	}
out:
	rcu_read_unlock();
	if (last)
		nf_ct_expect_put(last);

	return skb->len;
}

/* Dump only the expectations hanging off one master conntrack (cb->data).
 * Same resume protocol as ctnetlink_exp_dump_table; cb->args[0] flags
 * that the single list has been fully dumped.
 */
static int
ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
{
	struct nf_conntrack_expect *exp, *last;
	struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
	struct nf_conn *ct = cb->data;
	struct nf_conn_help *help = nfct_help(ct);
	u_int8_t l3proto = nfmsg->nfgen_family;

	if (cb->args[0])
		return 0;

	rcu_read_lock();
	last = (struct nf_conntrack_expect *)cb->args[1];
restart:
	hlist_for_each_entry_rcu(exp, &help->expectations, lnode) {
		if (l3proto && exp->tuple.src.l3num != l3proto)
			continue;
		if (cb->args[1]) {
			if (exp != last)
				continue;
			cb->args[1] = 0;
		}
		if (ctnetlink_exp_fill_info(skb, NETLINK_CB(cb->skb).portid,
					    cb->nlh->nlmsg_seq,
					    IPCTNL_MSG_EXP_NEW,
					    exp) < 0) {
			if (!refcount_inc_not_zero(&exp->use))
				continue;
			cb->args[1] = (unsigned long)exp;
			goto out;
		}
	}
	if (cb->args[1]) {
		cb->args[1] = 0;
		goto restart;
	}
	cb->args[0] = 1;
out:
	rcu_read_unlock();
	if (last)
		nf_ct_expect_put(last);

	return skb->len;
}

/* Start a per-conntrack expectation dump: resolve the master conntrack
 * from CTA_EXPECT_MASTER, hand it to the dump callback via c.data.
 */
static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl,
				 struct sk_buff *skb,
				 const struct nlmsghdr *nlh,
				 const struct nlattr * const cda[],
				 struct netlink_ext_ack *extack)
{
	int err;
	struct nfgenmsg *nfmsg = nlmsg_data(nlh);
	u_int8_t u3 = nfmsg->nfgen_family;
	struct nf_conntrack_tuple tuple;
	struct nf_conntrack_tuple_hash *h;
	struct nf_conn *ct;
	struct nf_conntrack_zone zone;
	struct netlink_dump_control c = {
		.dump = ctnetlink_exp_ct_dump_table,
		.done = ctnetlink_exp_done,
	};

	err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER,
				    u3, NULL);
	if (err < 0)
		return err;

	err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
	if (err < 0)
		return err;

	h = nf_conntrack_find_get(net, &zone, &tuple);
	if (!h)
		return -ENOENT;

	ct = nf_ct_tuplehash_to_ctrack(h);
	/* No expectation linked to this connection tracking.
*/ 3281 if (!nfct_help(ct)) { 3282 nf_ct_put(ct); 3283 return 0; 3284 } 3285 3286 c.data = ct; 3287 3288 err = netlink_dump_start(ctnl, skb, nlh, &c); 3289 nf_ct_put(ct); 3290 3291 return err; 3292 } 3293 3294 static int ctnetlink_get_expect(struct sk_buff *skb, 3295 const struct nfnl_info *info, 3296 const struct nlattr * const cda[]) 3297 { 3298 u_int8_t u3 = info->nfmsg->nfgen_family; 3299 struct nf_conntrack_tuple tuple; 3300 struct nf_conntrack_expect *exp; 3301 struct nf_conntrack_zone zone; 3302 struct sk_buff *skb2; 3303 int err; 3304 3305 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 3306 if (cda[CTA_EXPECT_MASTER]) 3307 return ctnetlink_dump_exp_ct(info->net, info->sk, skb, 3308 info->nlh, cda, 3309 info->extack); 3310 else { 3311 struct netlink_dump_control c = { 3312 .dump = ctnetlink_exp_dump_table, 3313 .done = ctnetlink_exp_done, 3314 }; 3315 return netlink_dump_start(info->sk, skb, info->nlh, &c); 3316 } 3317 } 3318 3319 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone); 3320 if (err < 0) 3321 return err; 3322 3323 if (cda[CTA_EXPECT_TUPLE]) 3324 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, 3325 u3, NULL); 3326 else if (cda[CTA_EXPECT_MASTER]) 3327 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER, 3328 u3, NULL); 3329 else 3330 return -EINVAL; 3331 3332 if (err < 0) 3333 return err; 3334 3335 exp = nf_ct_expect_find_get(info->net, &zone, &tuple); 3336 if (!exp) 3337 return -ENOENT; 3338 3339 if (cda[CTA_EXPECT_ID]) { 3340 __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]); 3341 3342 if (id != nf_expect_get_id(exp)) { 3343 nf_ct_expect_put(exp); 3344 return -ENOENT; 3345 } 3346 } 3347 3348 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); 3349 if (!skb2) { 3350 nf_ct_expect_put(exp); 3351 return -ENOMEM; 3352 } 3353 3354 rcu_read_lock(); 3355 err = ctnetlink_exp_fill_info(skb2, NETLINK_CB(skb).portid, 3356 info->nlh->nlmsg_seq, IPCTNL_MSG_EXP_NEW, 3357 exp); 3358 rcu_read_unlock(); 3359 nf_ct_expect_put(exp); 3360 if (err <= 0) { 
3361 kfree_skb(skb2); 3362 return -ENOMEM; 3363 } 3364 3365 return nfnetlink_unicast(skb2, info->net, NETLINK_CB(skb).portid); 3366 } 3367 3368 static bool expect_iter_name(struct nf_conntrack_expect *exp, void *data) 3369 { 3370 struct nf_conntrack_helper *helper; 3371 const struct nf_conn_help *m_help; 3372 const char *name = data; 3373 3374 m_help = nfct_help(exp->master); 3375 3376 helper = rcu_dereference(m_help->helper); 3377 if (!helper) 3378 return false; 3379 3380 return strcmp(helper->name, name) == 0; 3381 } 3382 3383 static bool expect_iter_all(struct nf_conntrack_expect *exp, void *data) 3384 { 3385 return true; 3386 } 3387 3388 static int ctnetlink_del_expect(struct sk_buff *skb, 3389 const struct nfnl_info *info, 3390 const struct nlattr * const cda[]) 3391 { 3392 u_int8_t u3 = info->nfmsg->nfgen_family; 3393 struct nf_conntrack_expect *exp; 3394 struct nf_conntrack_tuple tuple; 3395 struct nf_conntrack_zone zone; 3396 int err; 3397 3398 if (cda[CTA_EXPECT_TUPLE]) { 3399 /* delete a single expect by tuple */ 3400 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone); 3401 if (err < 0) 3402 return err; 3403 3404 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, 3405 u3, NULL); 3406 if (err < 0) 3407 return err; 3408 3409 /* bump usage count to 2 */ 3410 exp = nf_ct_expect_find_get(info->net, &zone, &tuple); 3411 if (!exp) 3412 return -ENOENT; 3413 3414 if (cda[CTA_EXPECT_ID]) { 3415 __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]); 3416 if (ntohl(id) != (u32)(unsigned long)exp) { 3417 nf_ct_expect_put(exp); 3418 return -ENOENT; 3419 } 3420 } 3421 3422 /* after list removal, usage count == 1 */ 3423 spin_lock_bh(&nf_conntrack_expect_lock); 3424 if (del_timer(&exp->timeout)) { 3425 nf_ct_unlink_expect_report(exp, NETLINK_CB(skb).portid, 3426 nlmsg_report(info->nlh)); 3427 nf_ct_expect_put(exp); 3428 } 3429 spin_unlock_bh(&nf_conntrack_expect_lock); 3430 /* have to put what we 'get' above. 
3431 * after this line usage count == 0 */ 3432 nf_ct_expect_put(exp); 3433 } else if (cda[CTA_EXPECT_HELP_NAME]) { 3434 char *name = nla_data(cda[CTA_EXPECT_HELP_NAME]); 3435 3436 nf_ct_expect_iterate_net(info->net, expect_iter_name, name, 3437 NETLINK_CB(skb).portid, 3438 nlmsg_report(info->nlh)); 3439 } else { 3440 /* This basically means we have to flush everything*/ 3441 nf_ct_expect_iterate_net(info->net, expect_iter_all, NULL, 3442 NETLINK_CB(skb).portid, 3443 nlmsg_report(info->nlh)); 3444 } 3445 3446 return 0; 3447 } 3448 static int 3449 ctnetlink_change_expect(struct nf_conntrack_expect *x, 3450 const struct nlattr * const cda[]) 3451 { 3452 if (cda[CTA_EXPECT_TIMEOUT]) { 3453 if (!del_timer(&x->timeout)) 3454 return -ETIME; 3455 3456 x->timeout.expires = jiffies + 3457 ntohl(nla_get_be32(cda[CTA_EXPECT_TIMEOUT])) * HZ; 3458 add_timer(&x->timeout); 3459 } 3460 return 0; 3461 } 3462 3463 static const struct nla_policy exp_nat_nla_policy[CTA_EXPECT_NAT_MAX+1] = { 3464 [CTA_EXPECT_NAT_DIR] = { .type = NLA_U32 }, 3465 [CTA_EXPECT_NAT_TUPLE] = { .type = NLA_NESTED }, 3466 }; 3467 3468 static int 3469 ctnetlink_parse_expect_nat(const struct nlattr *attr, 3470 struct nf_conntrack_expect *exp, 3471 u_int8_t u3) 3472 { 3473 #if IS_ENABLED(CONFIG_NF_NAT) 3474 struct nlattr *tb[CTA_EXPECT_NAT_MAX+1]; 3475 struct nf_conntrack_tuple nat_tuple = {}; 3476 int err; 3477 3478 err = nla_parse_nested_deprecated(tb, CTA_EXPECT_NAT_MAX, attr, 3479 exp_nat_nla_policy, NULL); 3480 if (err < 0) 3481 return err; 3482 3483 if (!tb[CTA_EXPECT_NAT_DIR] || !tb[CTA_EXPECT_NAT_TUPLE]) 3484 return -EINVAL; 3485 3486 err = ctnetlink_parse_tuple((const struct nlattr * const *)tb, 3487 &nat_tuple, CTA_EXPECT_NAT_TUPLE, 3488 u3, NULL); 3489 if (err < 0) 3490 return err; 3491 3492 exp->saved_addr = nat_tuple.src.u3; 3493 exp->saved_proto = nat_tuple.src.u; 3494 exp->dir = ntohl(nla_get_be32(tb[CTA_EXPECT_NAT_DIR])); 3495 3496 return 0; 3497 #else 3498 return -EOPNOTSUPP; 3499 #endif 3500 } 

/* Allocate and fill a new expectation from CTA_EXPECT_* attributes.
 * Takes no extra reference on @ct or @helper; the caller keeps them alive.
 * Returns the expectation (refcount held) or an ERR_PTR.
 */
static struct nf_conntrack_expect *
ctnetlink_alloc_expect(const struct nlattr * const cda[], struct nf_conn *ct,
		       struct nf_conntrack_helper *helper,
		       struct nf_conntrack_tuple *tuple,
		       struct nf_conntrack_tuple *mask)
{
	u_int32_t class = 0;
	struct nf_conntrack_expect *exp;
	struct nf_conn_help *help;
	int err;

	/* only conntracks with a helper extension can own expectations */
	help = nfct_help(ct);
	if (!help)
		return ERR_PTR(-EOPNOTSUPP);

	if (cda[CTA_EXPECT_CLASS] && helper) {
		class = ntohl(nla_get_be32(cda[CTA_EXPECT_CLASS]));
		if (class > helper->expect_class_max)
			return ERR_PTR(-EINVAL);
	}
	exp = nf_ct_expect_alloc(ct);
	if (!exp)
		return ERR_PTR(-ENOMEM);

	if (cda[CTA_EXPECT_FLAGS]) {
		exp->flags = ntohl(nla_get_be32(cda[CTA_EXPECT_FLAGS]));
		/* USERSPACE is kernel-managed, never taken from userspace */
		exp->flags &= ~NF_CT_EXPECT_USERSPACE;
	} else {
		exp->flags = 0;
	}
	if (cda[CTA_EXPECT_FN]) {
		const char *name = nla_data(cda[CTA_EXPECT_FN]);
		struct nf_ct_helper_expectfn *expfn;

		expfn = nf_ct_helper_expectfn_find_by_name(name);
		if (expfn == NULL) {
			err = -EINVAL;
			goto err_out;
		}
		exp->expectfn = expfn->expectfn;
	} else
		exp->expectfn = NULL;

	exp->class = class;
	exp->master = ct;
	exp->helper = helper;
	exp->tuple = *tuple;
	/* only the source part of the mask is configurable */
	exp->mask.src.u3 = mask->src.u3;
	exp->mask.src.u.all = mask->src.u.all;

	if (cda[CTA_EXPECT_NAT]) {
		err = ctnetlink_parse_expect_nat(cda[CTA_EXPECT_NAT],
						 exp, nf_ct_l3num(ct));
		if (err < 0)
			goto err_out;
	}
	return exp;
err_out:
	nf_ct_expect_put(exp);
	return ERR_PTR(err);
}

/* Create and register a new expectation (NLM_F_CREATE path).
 * Resolves the master conntrack from CTA_EXPECT_MASTER and, if named,
 * the helper — requesting the helper module and returning -EAGAIN so
 * the caller retries after a successful module load.
 */
static int
ctnetlink_create_expect(struct net *net,
			const struct nf_conntrack_zone *zone,
			const struct nlattr * const cda[],
			u_int8_t u3, u32 portid, int report)
{
	struct nf_conntrack_tuple tuple, mask, master_tuple;
	struct nf_conntrack_tuple_hash *h = NULL;
	struct nf_conntrack_helper *helper = NULL;
	struct nf_conntrack_expect *exp;
	struct nf_conn *ct;
	int err;

	/* caller guarantees that those three CTA_EXPECT_* exist */
	err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE,
				    u3, NULL);
	if (err < 0)
		return err;
	err = ctnetlink_parse_tuple(cda, &mask, CTA_EXPECT_MASK,
				    u3, NULL);
	if (err < 0)
		return err;
	err = ctnetlink_parse_tuple(cda, &master_tuple, CTA_EXPECT_MASTER,
				    u3, NULL);
	if (err < 0)
		return err;

	/* Look for master conntrack of this expectation */
	h = nf_conntrack_find_get(net, zone, &master_tuple);
	if (!h)
		return -ENOENT;
	ct = nf_ct_tuplehash_to_ctrack(h);

	rcu_read_lock();
	if (cda[CTA_EXPECT_HELP_NAME]) {
		const char *helpname = nla_data(cda[CTA_EXPECT_HELP_NAME]);

		helper = __nf_conntrack_helper_find(helpname, u3,
						    nf_ct_protonum(ct));
		if (helper == NULL) {
			/* must drop RCU before sleeping in request_module */
			rcu_read_unlock();
#ifdef CONFIG_MODULES
			if (request_module("nfct-helper-%s", helpname) < 0) {
				err = -EOPNOTSUPP;
				goto err_ct;
			}
			rcu_read_lock();
			helper = __nf_conntrack_helper_find(helpname, u3,
							    nf_ct_protonum(ct));
			if (helper) {
				/* module loaded: ask userspace to retry */
				err = -EAGAIN;
				goto err_rcu;
			}
			rcu_read_unlock();
#endif
			err = -EOPNOTSUPP;
			goto err_ct;
		}
	}

	exp = ctnetlink_alloc_expect(cda, ct, helper, &tuple, &mask);
	if (IS_ERR(exp)) {
		err = PTR_ERR(exp);
		goto err_rcu;
	}

	err = nf_ct_expect_related_report(exp, portid, report, 0);
	nf_ct_expect_put(exp);
err_rcu:
	rcu_read_unlock();
err_ct:
	nf_ct_put(ct);
	return err;
}

/* IPCTNL_MSG_EXP_NEW handler: create (NLM_F_CREATE) or update an
 * expectation, honouring NLM_F_EXCL for existing entries.
 */
static int ctnetlink_new_expect(struct sk_buff *skb,
				const struct nfnl_info *info,
				const struct nlattr * const cda[])
{
	u_int8_t u3 = info->nfmsg->nfgen_family;
	struct nf_conntrack_tuple tuple;
	struct nf_conntrack_expect *exp;
	struct nf_conntrack_zone zone;
	int err;

	/* the create path below relies on these three being present */
	if (!cda[CTA_EXPECT_TUPLE]
	    || !cda[CTA_EXPECT_MASK]
	    || !cda[CTA_EXPECT_MASTER])
		return -EINVAL;

	err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
	if (err < 0)
		return err;

	err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE,
				    u3, NULL);
	if (err < 0)
		return err;

	/* serialize lookup vs. concurrent expectation changes */
	spin_lock_bh(&nf_conntrack_expect_lock);
	exp = __nf_ct_expect_find(info->net, &zone, &tuple);
	if (!exp) {
		spin_unlock_bh(&nf_conntrack_expect_lock);
		err = -ENOENT;
		/* no such expectation: create one if the request asks for it */
		if (info->nlh->nlmsg_flags & NLM_F_CREATE) {
			err = ctnetlink_create_expect(info->net, &zone, cda, u3,
						      NETLINK_CB(skb).portid,
						      nlmsg_report(info->nlh));
		}
		return err;
	}

	/* expectation exists: NLM_F_EXCL forbids updating it */
	err = -EEXIST;
	if (!(info->nlh->nlmsg_flags & NLM_F_EXCL))
		err = ctnetlink_change_expect(exp, cda);
	spin_unlock_bh(&nf_conntrack_expect_lock);

	return err;
}

/* Emit one IPCTNL_MSG_EXP_GET_STATS_CPU message carrying a single CPU's
 * expectation counters (new/create/delete).  The CPU number travels in
 * the nfgenmsg res_id field in network byte order.
 *
 * Returns skb->len on success, -1 when the skb ran out of room (the
 * partially built message is cancelled).
 */
static int
ctnetlink_exp_stat_fill_info(struct sk_buff *skb, u32 portid, u32 seq, int cpu,
			     const struct ip_conntrack_stat *st)
{
	struct nlmsghdr *nlh;
	unsigned int flags = portid ? NLM_F_MULTI : 0, event;

	event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK,
			      IPCTNL_MSG_EXP_GET_STATS_CPU);
	nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC,
			   NFNETLINK_V0, htons(cpu));
	if (!nlh)
		goto nlmsg_failure;

	if (nla_put_be32(skb, CTA_STATS_EXP_NEW, htonl(st->expect_new)) ||
	    nla_put_be32(skb, CTA_STATS_EXP_CREATE, htonl(st->expect_create)) ||
	    nla_put_be32(skb, CTA_STATS_EXP_DELETE, htonl(st->expect_delete)))
		goto nla_put_failure;

	nlmsg_end(skb, nlh);
	return skb->len;

nla_put_failure:
nlmsg_failure:
	nlmsg_cancel(skb, nlh);
	return -1;
}

/* Netlink dump callback: one stats message per possible CPU.
 * cb->args[0] records the next CPU to visit so the dump can resume
 * across multiple skbs; reaching nr_cpu_ids terminates the dump.
 */
static int
ctnetlink_exp_stat_cpu_dump(struct sk_buff *skb, struct netlink_callback *cb)
{
	int cpu;
	struct net *net = sock_net(skb->sk);

	if (cb->args[0] == nr_cpu_ids)
		return 0;

	for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) {
		const struct ip_conntrack_stat *st;

		if (!cpu_possible(cpu))
			continue;

		st = per_cpu_ptr(net->ct.stat, cpu);
		if (ctnetlink_exp_stat_fill_info(skb, NETLINK_CB(cb->skb).portid,
						 cb->nlh->nlmsg_seq,
						 cpu, st) < 0)
			break;
	}
	cb->args[0] = cpu;

	return skb->len;
}

/* IPCTNL_MSG_EXP_GET_STATS_CPU handler: kick off the per-CPU stats dump.
 * Requests without NLM_F_DUMP are accepted but produce no output.
 */
static int ctnetlink_stat_exp_cpu(struct sk_buff *skb,
				  const struct nfnl_info *info,
				  const struct nlattr * const cda[])
{
	if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
		struct netlink_dump_control c = {
			.dump = ctnetlink_exp_stat_cpu_dump,
		};
		return netlink_dump_start(info->sk, skb, info->nlh, &c);
	}

	return 0;
}

#ifdef CONFIG_NF_CONNTRACK_EVENTS
/* event notifier: forwards conntrack/expectation events to ctnetlink */
static struct nf_ct_event_notifier ctnl_notifier = {
	.ct_event = ctnetlink_conntrack_event,
	.exp_event = ctnetlink_expect_event,
};
#endif

/* message-type -> handler dispatch table for the conntrack subsystem */
static const struct nfnl_callback ctnl_cb[IPCTNL_MSG_MAX] = {
	[IPCTNL_MSG_CT_NEW] = {
		.call		= ctnetlink_new_conntrack,
		.type		= NFNL_CB_MUTEX,
		.attr_count	= CTA_MAX,
		.policy		= ct_nla_policy
	},
	[IPCTNL_MSG_CT_GET] = {
		.call		= ctnetlink_get_conntrack,
		.type		= NFNL_CB_MUTEX,
		.attr_count	= CTA_MAX,
		.policy		= ct_nla_policy
	},
	[IPCTNL_MSG_CT_DELETE] = {
		.call		= ctnetlink_del_conntrack,
		.type		= NFNL_CB_MUTEX,
		.attr_count	= CTA_MAX,
		.policy		= ct_nla_policy
	},
	/* GET_CTRZERO shares the GET handler; the reset-counters behaviour
	 * is keyed off the message type inside the handler.
	 */
	[IPCTNL_MSG_CT_GET_CTRZERO] = {
		.call		= ctnetlink_get_conntrack,
		.type		= NFNL_CB_MUTEX,
		.attr_count	= CTA_MAX,
		.policy		= ct_nla_policy
	},
	[IPCTNL_MSG_CT_GET_STATS_CPU] = {
		.call		= ctnetlink_stat_ct_cpu,
		.type		= NFNL_CB_MUTEX,
	},
	[IPCTNL_MSG_CT_GET_STATS] = {
		.call		= ctnetlink_stat_ct,
		.type		= NFNL_CB_MUTEX,
	},
	[IPCTNL_MSG_CT_GET_DYING] = {
		.call		= ctnetlink_get_ct_dying,
		.type		= NFNL_CB_MUTEX,
	},
	[IPCTNL_MSG_CT_GET_UNCONFIRMED] = {
		.call		= ctnetlink_get_ct_unconfirmed,
		.type		= NFNL_CB_MUTEX,
	},
};

/* message-type -> handler dispatch table for the expectation subsystem */
static const struct nfnl_callback ctnl_exp_cb[IPCTNL_MSG_EXP_MAX] = {
	[IPCTNL_MSG_EXP_GET] = {
		.call		= ctnetlink_get_expect,
		.type		= NFNL_CB_MUTEX,
		.attr_count	= CTA_EXPECT_MAX,
		.policy		= exp_nla_policy
	},
	[IPCTNL_MSG_EXP_NEW] = {
		.call		= ctnetlink_new_expect,
		.type		= NFNL_CB_MUTEX,
		.attr_count	= CTA_EXPECT_MAX,
		.policy		= exp_nla_policy
	},
	[IPCTNL_MSG_EXP_DELETE] = {
		.call		= ctnetlink_del_expect,
		.type		= NFNL_CB_MUTEX,
		.attr_count	= CTA_EXPECT_MAX,
		.policy		= exp_nla_policy
	},
	[IPCTNL_MSG_EXP_GET_STATS_CPU] = {
		.call		= ctnetlink_stat_exp_cpu,
		.type		= NFNL_CB_MUTEX,
	},
};

/* nfnetlink subsystem descriptor for conntrack messages */
static const struct nfnetlink_subsystem ctnl_subsys = {
	.name				= "conntrack",
	.subsys_id			= NFNL_SUBSYS_CTNETLINK,
	.cb_count			= IPCTNL_MSG_MAX,
	.cb				= ctnl_cb,
};

/* nfnetlink subsystem descriptor for expectation messages */
static const struct nfnetlink_subsystem ctnl_exp_subsys = {
	.name				= "conntrack_expect",
	.subsys_id			= NFNL_SUBSYS_CTNETLINK_EXP,
	.cb_count			= IPCTNL_MSG_EXP_MAX,
	.cb				= ctnl_exp_cb,
};

MODULE_ALIAS("ip_conntrack_netlink");
MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK);
MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK_EXP);

/* per-netns init: hook up the conntrack event notifier for this netns */
static int __net_init ctnetlink_net_init(struct net *net)
{
#ifdef CONFIG_NF_CONNTRACK_EVENTS
	nf_conntrack_register_notifier(net, &ctnl_notifier);
#endif
	return 0;
}

/* per-netns pre-exit: detach the event notifier before the netns dies */
static void ctnetlink_net_pre_exit(struct net *net)
{
#ifdef CONFIG_NF_CONNTRACK_EVENTS
	nf_conntrack_unregister_notifier(net);
#endif
}

static struct pernet_operations ctnetlink_net_ops = {
	.init		= ctnetlink_net_init,
	.pre_exit	= ctnetlink_net_pre_exit,
};

/* Module init: register both nfnetlink subsystems, then the pernet ops.
 * Failures unwind in reverse registration order via the goto ladder.
 */
static int __init ctnetlink_init(void)
{
	int ret;

	/* compile-time check that the dump context fits netlink cb->ctx */
	NL_ASSERT_DUMP_CTX_FITS(struct ctnetlink_list_dump_ctx);

	ret = nfnetlink_subsys_register(&ctnl_subsys);
	if (ret < 0) {
		pr_err("ctnetlink_init: cannot register with nfnetlink.\n");
		goto err_out;
	}

	ret = nfnetlink_subsys_register(&ctnl_exp_subsys);
	if (ret < 0) {
		pr_err("ctnetlink_init: cannot register exp with nfnetlink.\n");
		goto err_unreg_subsys;
	}

	ret = register_pernet_subsys(&ctnetlink_net_ops);
	if (ret < 0) {
		pr_err("ctnetlink_init: cannot register pernet operations\n");
		goto err_unreg_exp_subsys;
	}
#ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT
	/* setup interaction between nf_queue and nf_conntrack_netlink. */
	RCU_INIT_POINTER(nfnl_ct_hook, &ctnetlink_glue_hook);
#endif
	return 0;

err_unreg_exp_subsys:
	nfnetlink_subsys_unregister(&ctnl_exp_subsys);
err_unreg_subsys:
	nfnetlink_subsys_unregister(&ctnl_subsys);
err_out:
	return ret;
}

/* Module exit: tear down in reverse of init; the final synchronize_rcu()
 * waits out readers that may still hold the just-cleared nfnl_ct_hook.
 */
static void __exit ctnetlink_exit(void)
{
	unregister_pernet_subsys(&ctnetlink_net_ops);
	nfnetlink_subsys_unregister(&ctnl_exp_subsys);
	nfnetlink_subsys_unregister(&ctnl_subsys);
#ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT
	RCU_INIT_POINTER(nfnl_ct_hook, NULL);
#endif
	synchronize_rcu();
}

module_init(ctnetlink_init);
module_exit(ctnetlink_exit);