1 /* Connection tracking via netlink socket. Allows for user space 2 * protocol helpers and general trouble making from userspace. 3 * 4 * (C) 2001 by Jay Schulist <jschlst@samba.org> 5 * (C) 2002-2006 by Harald Welte <laforge@gnumonks.org> 6 * (C) 2003 by Patrick Mchardy <kaber@trash.net> 7 * (C) 2005-2012 by Pablo Neira Ayuso <pablo@netfilter.org> 8 * 9 * Initial connection tracking via netlink development funded and 10 * generally made possible by Network Robots, Inc. (www.networkrobots.com) 11 * 12 * Further development of this code funded by Astaro AG (http://www.astaro.com) 13 * 14 * This software may be used and distributed according to the terms 15 * of the GNU General Public License, incorporated herein by reference. 16 */ 17 18 #include <linux/init.h> 19 #include <linux/module.h> 20 #include <linux/kernel.h> 21 #include <linux/rculist.h> 22 #include <linux/rculist_nulls.h> 23 #include <linux/types.h> 24 #include <linux/timer.h> 25 #include <linux/security.h> 26 #include <linux/skbuff.h> 27 #include <linux/errno.h> 28 #include <linux/netlink.h> 29 #include <linux/spinlock.h> 30 #include <linux/interrupt.h> 31 #include <linux/slab.h> 32 #include <linux/siphash.h> 33 34 #include <linux/netfilter.h> 35 #include <net/netlink.h> 36 #include <net/sock.h> 37 #include <net/netfilter/nf_conntrack.h> 38 #include <net/netfilter/nf_conntrack_core.h> 39 #include <net/netfilter/nf_conntrack_expect.h> 40 #include <net/netfilter/nf_conntrack_helper.h> 41 #include <net/netfilter/nf_conntrack_seqadj.h> 42 #include <net/netfilter/nf_conntrack_l4proto.h> 43 #include <net/netfilter/nf_conntrack_tuple.h> 44 #include <net/netfilter/nf_conntrack_acct.h> 45 #include <net/netfilter/nf_conntrack_zones.h> 46 #include <net/netfilter/nf_conntrack_timestamp.h> 47 #include <net/netfilter/nf_conntrack_labels.h> 48 #include <net/netfilter/nf_conntrack_synproxy.h> 49 #if IS_ENABLED(CONFIG_NF_NAT) 50 #include <net/netfilter/nf_nat.h> 51 #include <net/netfilter/nf_nat_helper.h> 52 #endif 53 54 #include <linux/netfilter/nfnetlink.h> 55 #include <linux/netfilter/nfnetlink_conntrack.h> 56 57 #include "nf_internals.h" 58 59 MODULE_LICENSE("GPL"); 60 61 static int ctnetlink_dump_tuples_proto(struct sk_buff *skb, 62 const struct nf_conntrack_tuple *tuple, 63 const struct nf_conntrack_l4proto *l4proto) 64 { 65 int ret = 0; 66 struct nlattr *nest_parms; 67 68 nest_parms = nla_nest_start(skb, CTA_TUPLE_PROTO); 69 if (!nest_parms) 70 goto nla_put_failure; 71 if (nla_put_u8(skb, CTA_PROTO_NUM, tuple->dst.protonum)) 72 goto nla_put_failure; 73 74 if (likely(l4proto->tuple_to_nlattr)) 75 ret = l4proto->tuple_to_nlattr(skb, tuple); 76 77 nla_nest_end(skb, nest_parms); 78 79 return ret; 80 81 nla_put_failure: 82 return -1; 83 } 84 85 static int ipv4_tuple_to_nlattr(struct sk_buff *skb, 86 const struct nf_conntrack_tuple *tuple) 87 { 88 if (nla_put_in_addr(skb, CTA_IP_V4_SRC, tuple->src.u3.ip) || 89 nla_put_in_addr(skb, CTA_IP_V4_DST, tuple->dst.u3.ip)) 90 return -EMSGSIZE; 91 return 0; 92 } 93 94 static int ipv6_tuple_to_nlattr(struct sk_buff *skb, 95 const struct nf_conntrack_tuple *tuple) 96 { 97 if (nla_put_in6_addr(skb, CTA_IP_V6_SRC, &tuple->src.u3.in6) || 98 nla_put_in6_addr(skb, CTA_IP_V6_DST, &tuple->dst.u3.in6)) 99 return -EMSGSIZE; 100 return 0; 101 } 102 103 static int ctnetlink_dump_tuples_ip(struct sk_buff *skb, 104 const struct nf_conntrack_tuple *tuple) 105 { 106 int ret = 0; 107 struct nlattr *nest_parms; 108 109 nest_parms = nla_nest_start(skb, CTA_TUPLE_IP); 110 if (!nest_parms) 111 goto nla_put_failure; 112 113 switch (tuple->src.l3num) { 114 case NFPROTO_IPV4: 115 ret = ipv4_tuple_to_nlattr(skb, tuple); 116 break; 117 case NFPROTO_IPV6: 118 ret = ipv6_tuple_to_nlattr(skb, tuple); 119 break; 120 } 121 122 nla_nest_end(skb, nest_parms); 123 124 return ret; 125 126 nla_put_failure: 127 return -1; 128 } 129 130 static int ctnetlink_dump_tuples(struct sk_buff *skb, 131 const struct nf_conntrack_tuple *tuple) 132 { 133 const struct nf_conntrack_l4proto *l4proto; 134 int ret; 135 136 rcu_read_lock(); 137 ret = ctnetlink_dump_tuples_ip(skb, tuple); 138 139 if (ret >= 0) { 140 l4proto = nf_ct_l4proto_find(tuple->dst.protonum); 141 ret = ctnetlink_dump_tuples_proto(skb, tuple, l4proto); 142 } 143 rcu_read_unlock(); 144 return ret; 145 } 146 147 static int ctnetlink_dump_zone_id(struct sk_buff *skb, int attrtype, 148 const struct nf_conntrack_zone *zone, int dir) 149 { 150 if (zone->id == NF_CT_DEFAULT_ZONE_ID || zone->dir != dir) 151 return 0; 152 if (nla_put_be16(skb, attrtype, htons(zone->id))) 153 goto nla_put_failure; 154 return 0; 155 156 nla_put_failure: 157 return -1; 158 } 159 160 static int ctnetlink_dump_status(struct sk_buff *skb, const struct nf_conn *ct) 161 { 162 if (nla_put_be32(skb, CTA_STATUS, htonl(ct->status))) 163 goto nla_put_failure; 164 return 0; 165 166 nla_put_failure: 167 return -1; 168 } 169 170 static int ctnetlink_dump_timeout(struct sk_buff *skb, const struct nf_conn *ct, 171 bool skip_zero) 172 { 173 long timeout = nf_ct_expires(ct) / HZ; 174 175 if (skip_zero && timeout == 0) 176 return 0; 177 178 if (nla_put_be32(skb, CTA_TIMEOUT, htonl(timeout))) 179 goto nla_put_failure; 180 return 0; 181 182 nla_put_failure: 183 return -1; 184 } 185 186 static int ctnetlink_dump_protoinfo(struct sk_buff *skb, struct nf_conn *ct, 187 bool destroy) 188 { 189 const struct nf_conntrack_l4proto *l4proto; 190 struct nlattr *nest_proto; 191 int ret; 192 193 l4proto = nf_ct_l4proto_find(nf_ct_protonum(ct)); 194 if (!l4proto->to_nlattr) 195 return 0; 196 197 nest_proto = nla_nest_start(skb, CTA_PROTOINFO); 198 if (!nest_proto) 199 goto nla_put_failure; 200 201 ret = l4proto->to_nlattr(skb, nest_proto, ct, destroy); 202 203 nla_nest_end(skb, nest_proto); 204 205 return ret; 206 207 nla_put_failure: 208 return -1; 209 } 210 211 static int ctnetlink_dump_helpinfo(struct sk_buff *skb, 212 const struct nf_conn *ct) 213 { 214 struct nlattr *nest_helper; 215 const struct nf_conn_help *help = nfct_help(ct); 216 struct nf_conntrack_helper *helper; 217 218 if (!help) 219 return 0; 220 221 rcu_read_lock(); 222 helper = rcu_dereference(help->helper); 223 if (!helper) 224 goto out; 225 226 nest_helper = nla_nest_start(skb, CTA_HELP); 227 if (!nest_helper) 228 goto nla_put_failure; 229 if (nla_put_string(skb, CTA_HELP_NAME, helper->name)) 230 goto nla_put_failure; 231 232 if (helper->to_nlattr) 233 helper->to_nlattr(skb, ct); 234 235 nla_nest_end(skb, nest_helper); 236 out: 237 rcu_read_unlock(); 238 return 0; 239 240 nla_put_failure: 241 rcu_read_unlock(); 242 return -1; 243 } 244 245 static int 246 dump_counters(struct sk_buff *skb, struct nf_conn_acct *acct, 247 enum ip_conntrack_dir dir, int type) 248 { 249 enum ctattr_type attr = dir ? CTA_COUNTERS_REPLY: CTA_COUNTERS_ORIG; 250 struct nf_conn_counter *counter = acct->counter; 251 struct nlattr *nest_count; 252 u64 pkts, bytes; 253 254 if (type == IPCTNL_MSG_CT_GET_CTRZERO) { 255 pkts = atomic64_xchg(&counter[dir].packets, 0); 256 bytes = atomic64_xchg(&counter[dir].bytes, 0); 257 } else { 258 pkts = atomic64_read(&counter[dir].packets); 259 bytes = atomic64_read(&counter[dir].bytes); 260 } 261 262 nest_count = nla_nest_start(skb, attr); 263 if (!nest_count) 264 goto nla_put_failure; 265 266 if (nla_put_be64(skb, CTA_COUNTERS_PACKETS, cpu_to_be64(pkts), 267 CTA_COUNTERS_PAD) || 268 nla_put_be64(skb, CTA_COUNTERS_BYTES, cpu_to_be64(bytes), 269 CTA_COUNTERS_PAD)) 270 goto nla_put_failure; 271 272 nla_nest_end(skb, nest_count); 273 274 return 0; 275 276 nla_put_failure: 277 return -1; 278 } 279 280 static int 281 ctnetlink_dump_acct(struct sk_buff *skb, const struct nf_conn *ct, int type) 282 { 283 struct nf_conn_acct *acct = nf_conn_acct_find(ct); 284 285 if (!acct) 286 return 0; 287 288 if (dump_counters(skb, acct, IP_CT_DIR_ORIGINAL, type) < 0) 289 return -1; 290 if (dump_counters(skb, acct, IP_CT_DIR_REPLY, type) < 0) 291 return -1; 292 293 return 0; 294 } 295 296 static int 297 ctnetlink_dump_timestamp(struct sk_buff *skb, const struct nf_conn *ct) 298 { 299 struct nlattr *nest_count; 300 const struct nf_conn_tstamp *tstamp; 301 302 tstamp = nf_conn_tstamp_find(ct); 303 if (!tstamp) 304 return 0; 305 306 nest_count = nla_nest_start(skb, CTA_TIMESTAMP); 307 if (!nest_count) 308 goto nla_put_failure; 309 310 if (nla_put_be64(skb, CTA_TIMESTAMP_START, cpu_to_be64(tstamp->start), 311 CTA_TIMESTAMP_PAD) || 312 (tstamp->stop != 0 && nla_put_be64(skb, CTA_TIMESTAMP_STOP, 313 cpu_to_be64(tstamp->stop), 314 CTA_TIMESTAMP_PAD))) 315 goto nla_put_failure; 316 nla_nest_end(skb, nest_count); 317 318 return 0; 319 320 nla_put_failure: 321 return -1; 322 } 323 324 #ifdef CONFIG_NF_CONNTRACK_MARK 325 static int ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct) 326 { 327 if (nla_put_be32(skb, CTA_MARK, htonl(ct->mark))) 328 goto nla_put_failure; 329 return 0; 330 331 nla_put_failure: 332 return -1; 333 } 334 #else 335 #define ctnetlink_dump_mark(a, b) (0) 336 #endif 337 338 #ifdef CONFIG_NF_CONNTRACK_SECMARK 339 static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct) 340 { 341 struct nlattr *nest_secctx; 342 int len, ret; 343 char *secctx; 344 345 ret = security_secid_to_secctx(ct->secmark, &secctx, &len); 346 if (ret) 347 return 0; 348 349 ret = -1; 350 nest_secctx = nla_nest_start(skb, CTA_SECCTX); 351 if (!nest_secctx) 352 goto nla_put_failure; 353 354 if (nla_put_string(skb, CTA_SECCTX_NAME, secctx)) 355 goto nla_put_failure; 356 nla_nest_end(skb, nest_secctx); 357 358 ret = 0; 359 nla_put_failure: 360 security_release_secctx(secctx, len); 361 return ret; 362 } 363 #else 364 #define ctnetlink_dump_secctx(a, b) (0) 365 #endif 366 367 #ifdef CONFIG_NF_CONNTRACK_LABELS 368 static inline int ctnetlink_label_size(const struct nf_conn *ct) 369 { 370 struct nf_conn_labels *labels = nf_ct_labels_find(ct); 371 372 if (!labels) 373 return 0; 374 return nla_total_size(sizeof(labels->bits)); 375 } 376 377 static int 378 ctnetlink_dump_labels(struct sk_buff *skb, const struct nf_conn *ct) 379 { 380 struct nf_conn_labels *labels = nf_ct_labels_find(ct); 381 unsigned int i; 382 383 if (!labels) 384 return 0; 385 386 i = 0; 387 do { 388 if (labels->bits[i] != 0) 389 return nla_put(skb, CTA_LABELS, sizeof(labels->bits), 390 labels->bits); 391 i++; 392 } while (i < ARRAY_SIZE(labels->bits)); 393 394 return 0; 395 } 396 #else 397 #define ctnetlink_dump_labels(a, b) (0) 398 #define ctnetlink_label_size(a) (0) 399 #endif 400 401 #define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple) 402 403 static int ctnetlink_dump_master(struct sk_buff *skb, const struct nf_conn *ct) 404 { 405 struct nlattr *nest_parms; 406 407 if (!(ct->status & IPS_EXPECTED)) 408 return 0; 409 410 nest_parms = nla_nest_start(skb, CTA_TUPLE_MASTER); 411 if (!nest_parms) 412 goto nla_put_failure; 413 if (ctnetlink_dump_tuples(skb, master_tuple(ct)) < 0) 414 goto nla_put_failure; 415 nla_nest_end(skb, nest_parms); 416 417 return 0; 418 419 nla_put_failure: 420 return -1; 421 } 422 423 static int 424 dump_ct_seq_adj(struct sk_buff *skb, const struct nf_ct_seqadj *seq, int type) 425 { 426 struct nlattr *nest_parms; 427 428 nest_parms = nla_nest_start(skb, type); 429 if (!nest_parms) 430 goto nla_put_failure; 431 432 if (nla_put_be32(skb, CTA_SEQADJ_CORRECTION_POS, 433 htonl(seq->correction_pos)) || 434 nla_put_be32(skb, CTA_SEQADJ_OFFSET_BEFORE, 435 htonl(seq->offset_before)) || 436 nla_put_be32(skb, CTA_SEQADJ_OFFSET_AFTER, 437 htonl(seq->offset_after))) 438 goto nla_put_failure; 439 440 nla_nest_end(skb, nest_parms); 441 442 return 0; 443 444 nla_put_failure: 445 return -1; 446 } 447 448 static int ctnetlink_dump_ct_seq_adj(struct sk_buff *skb, struct nf_conn *ct) 449 { 450 struct nf_conn_seqadj *seqadj = nfct_seqadj(ct); 451 struct nf_ct_seqadj *seq; 452 453 if (!(ct->status & IPS_SEQ_ADJUST) || !seqadj) 454 return 0; 455 456 spin_lock_bh(&ct->lock); 457 seq = &seqadj->seq[IP_CT_DIR_ORIGINAL]; 458 if (dump_ct_seq_adj(skb, seq, CTA_SEQ_ADJ_ORIG) == -1) 459 goto err; 460 461 seq = &seqadj->seq[IP_CT_DIR_REPLY]; 462 if (dump_ct_seq_adj(skb, seq, CTA_SEQ_ADJ_REPLY) == -1) 463 goto err; 464 465 spin_unlock_bh(&ct->lock); 466 return 0; 467 err: 468 spin_unlock_bh(&ct->lock); 469 return -1; 470 } 471 472 static int ctnetlink_dump_ct_synproxy(struct sk_buff *skb, struct nf_conn *ct) 473 { 474 struct nf_conn_synproxy *synproxy = nfct_synproxy(ct); 475 struct nlattr *nest_parms; 476 477 if (!synproxy) 478 return 0; 479 480 nest_parms = nla_nest_start(skb, CTA_SYNPROXY); 481 if (!nest_parms) 482 goto nla_put_failure; 483 484 if (nla_put_be32(skb, CTA_SYNPROXY_ISN, htonl(synproxy->isn)) || 485 nla_put_be32(skb, CTA_SYNPROXY_ITS, htonl(synproxy->its)) || 486 nla_put_be32(skb, CTA_SYNPROXY_TSOFF, htonl(synproxy->tsoff))) 487 goto nla_put_failure; 488 489 nla_nest_end(skb, nest_parms); 490 491 return 0; 492 493 nla_put_failure: 494 return -1; 495 } 496 497 static int ctnetlink_dump_id(struct sk_buff *skb, const struct nf_conn *ct) 498 { 499 __be32 id = (__force __be32)nf_ct_get_id(ct); 500 501 if (nla_put_be32(skb, CTA_ID, id)) 502 goto nla_put_failure; 503 return 0; 504 505 nla_put_failure: 506 return -1; 507 } 508 509 static int ctnetlink_dump_use(struct sk_buff *skb, const struct nf_conn *ct) 510 { 511 if (nla_put_be32(skb, CTA_USE, htonl(atomic_read(&ct->ct_general.use)))) 512 goto nla_put_failure; 513 return 0; 514 515 nla_put_failure: 516 return -1; 517 } 518 519 /* all these functions access ct->ext. Caller must either hold a reference 520 * on ct or prevent its deletion by holding either the bucket spinlock or 521 * pcpu dying list lock. 522 */ 523 static int ctnetlink_dump_extinfo(struct sk_buff *skb, 524 struct nf_conn *ct, u32 type) 525 { 526 if (ctnetlink_dump_acct(skb, ct, type) < 0 || 527 ctnetlink_dump_timestamp(skb, ct) < 0 || 528 ctnetlink_dump_helpinfo(skb, ct) < 0 || 529 ctnetlink_dump_labels(skb, ct) < 0 || 530 ctnetlink_dump_ct_seq_adj(skb, ct) < 0 || 531 ctnetlink_dump_ct_synproxy(skb, ct) < 0) 532 return -1; 533 534 return 0; 535 } 536 537 static int ctnetlink_dump_info(struct sk_buff *skb, struct nf_conn *ct) 538 { 539 if (ctnetlink_dump_status(skb, ct) < 0 || 540 ctnetlink_dump_mark(skb, ct) < 0 || 541 ctnetlink_dump_secctx(skb, ct) < 0 || 542 ctnetlink_dump_id(skb, ct) < 0 || 543 ctnetlink_dump_use(skb, ct) < 0 || 544 ctnetlink_dump_master(skb, ct) < 0) 545 return -1; 546 547 if (!test_bit(IPS_OFFLOAD_BIT, &ct->status) && 548 (ctnetlink_dump_timeout(skb, ct, false) < 0 || 549 ctnetlink_dump_protoinfo(skb, ct, false) < 0)) 550 return -1; 551 552 return 0; 553 } 554 555 static int 556 ctnetlink_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type, 557 struct nf_conn *ct, bool extinfo, unsigned int flags) 558 { 559 const struct nf_conntrack_zone *zone; 560 struct nlmsghdr *nlh; 561 struct nlattr *nest_parms; 562 unsigned int event; 563 564 if (portid) 565 flags |= NLM_F_MULTI; 566 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, IPCTNL_MSG_CT_NEW); 567 nlh = nfnl_msg_put(skb, portid, seq, event, flags, nf_ct_l3num(ct), 568 NFNETLINK_V0, 0); 569 if (!nlh) 570 goto nlmsg_failure; 571 572 zone = nf_ct_zone(ct); 573 574 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG); 575 if (!nest_parms) 576 goto nla_put_failure; 577 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0) 578 goto nla_put_failure; 579 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone, 580 NF_CT_ZONE_DIR_ORIG) < 0) 581 goto nla_put_failure; 582 nla_nest_end(skb, nest_parms); 583 584 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY); 585 if (!nest_parms) 586 goto nla_put_failure; 587 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0) 588 goto nla_put_failure; 589 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone, 590 NF_CT_ZONE_DIR_REPL) < 0) 591 goto nla_put_failure; 592 nla_nest_end(skb, nest_parms); 593 594 if (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone, 595 NF_CT_DEFAULT_ZONE_DIR) < 0) 596 goto nla_put_failure; 597 598 if (ctnetlink_dump_info(skb, ct) < 0) 599 goto nla_put_failure; 600 if (extinfo && ctnetlink_dump_extinfo(skb, ct, type) < 0) 601 goto nla_put_failure; 602 603 nlmsg_end(skb, nlh); 604 return skb->len; 605 606 nlmsg_failure: 607 nla_put_failure: 608 nlmsg_cancel(skb, nlh); 609 return -1; 610 } 611 612 static const struct nla_policy cta_ip_nla_policy[CTA_IP_MAX + 1] = { 613 [CTA_IP_V4_SRC] = { .type = NLA_U32 }, 614 [CTA_IP_V4_DST] = { .type = NLA_U32 }, 615 [CTA_IP_V6_SRC] = { .len = sizeof(__be32) * 4 }, 616 [CTA_IP_V6_DST] = { .len = sizeof(__be32) * 4 }, 617 }; 618 619 #if defined(CONFIG_NETFILTER_NETLINK_GLUE_CT) || defined(CONFIG_NF_CONNTRACK_EVENTS) 620 static size_t ctnetlink_proto_size(const struct nf_conn *ct) 621 { 622 const struct nf_conntrack_l4proto *l4proto; 623 size_t len, len4 = 0; 624 625 len = nla_policy_len(cta_ip_nla_policy, CTA_IP_MAX + 1); 626 len *= 3u; /* ORIG, REPLY, MASTER */ 627 628 l4proto = nf_ct_l4proto_find(nf_ct_protonum(ct)); 629 len += l4proto->nlattr_size; 630 if (l4proto->nlattr_tuple_size) { 631 len4 = l4proto->nlattr_tuple_size(); 632 len4 *= 3u; /* ORIG, REPLY, MASTER */ 633 } 634 635 return len + len4; 636 } 637 #endif 638 639 static inline size_t ctnetlink_acct_size(const struct nf_conn *ct) 640 { 641 if (!nf_ct_ext_exist(ct, NF_CT_EXT_ACCT)) 642 return 0; 643 return 2 * nla_total_size(0) /* CTA_COUNTERS_ORIG|REPL */ 644 + 2 * nla_total_size_64bit(sizeof(uint64_t)) /* CTA_COUNTERS_PACKETS */ 645 + 2 * nla_total_size_64bit(sizeof(uint64_t)) /* CTA_COUNTERS_BYTES */ 646 ; 647 } 648 649 static inline int ctnetlink_secctx_size(const struct nf_conn *ct) 650 { 651 #ifdef CONFIG_NF_CONNTRACK_SECMARK 652 int len, ret; 653 654 ret = security_secid_to_secctx(ct->secmark, NULL, &len); 655 if (ret) 656 return 0; 657 658 return nla_total_size(0) /* CTA_SECCTX */ 659 + nla_total_size(sizeof(char) * len); /* CTA_SECCTX_NAME */ 660 #else 661 return 0; 662 #endif 663 } 664 665 static inline size_t ctnetlink_timestamp_size(const struct nf_conn *ct) 666 { 667 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP 668 if (!nf_ct_ext_exist(ct, NF_CT_EXT_TSTAMP)) 669 return 0; 670 return nla_total_size(0) + 2 * nla_total_size_64bit(sizeof(uint64_t)); 671 #else 672 return 0; 673 #endif 674 } 675 676 #ifdef CONFIG_NF_CONNTRACK_EVENTS 677 static size_t ctnetlink_nlmsg_size(const struct nf_conn *ct) 678 { 679 return NLMSG_ALIGN(sizeof(struct nfgenmsg)) 680 + 3 * nla_total_size(0) /* CTA_TUPLE_ORIG|REPL|MASTER */ 681 + 3 * nla_total_size(0) /* CTA_TUPLE_IP */ 682 + 3 * nla_total_size(0) /* CTA_TUPLE_PROTO */ 683 + 3 * nla_total_size(sizeof(u_int8_t)) /* CTA_PROTO_NUM */ 684 + nla_total_size(sizeof(u_int32_t)) /* CTA_ID */ 685 + nla_total_size(sizeof(u_int32_t)) /* CTA_STATUS */ 686 + ctnetlink_acct_size(ct) 687 + ctnetlink_timestamp_size(ct) 688 + nla_total_size(sizeof(u_int32_t)) /* CTA_TIMEOUT */ 689 + nla_total_size(0) /* CTA_PROTOINFO */ 690 + nla_total_size(0) /* CTA_HELP */ 691 + nla_total_size(NF_CT_HELPER_NAME_LEN) /* CTA_HELP_NAME */ 692 + ctnetlink_secctx_size(ct) 693 #if IS_ENABLED(CONFIG_NF_NAT) 694 + 2 * nla_total_size(0) /* CTA_NAT_SEQ_ADJ_ORIG|REPL */ 695 + 6 * nla_total_size(sizeof(u_int32_t)) /* CTA_NAT_SEQ_OFFSET */ 696 #endif 697 #ifdef CONFIG_NF_CONNTRACK_MARK 698 + nla_total_size(sizeof(u_int32_t)) /* CTA_MARK */ 699 #endif 700 #ifdef CONFIG_NF_CONNTRACK_ZONES 701 + nla_total_size(sizeof(u_int16_t)) /* CTA_ZONE|CTA_TUPLE_ZONE */ 702 #endif 703 + ctnetlink_proto_size(ct) 704 + ctnetlink_label_size(ct) 705 ; 706 } 707 708 static int 709 ctnetlink_conntrack_event(unsigned int events, const struct nf_ct_event *item) 710 { 711 const struct nf_conntrack_zone *zone; 712 struct net *net; 713 struct nlmsghdr *nlh; 714 struct nlattr *nest_parms; 715 struct nf_conn *ct = item->ct; 716 struct sk_buff *skb; 717 unsigned int type; 718 unsigned int flags = 0, group; 719 int err; 720 721 if (events & (1 << IPCT_DESTROY)) { 722 type = IPCTNL_MSG_CT_DELETE; 723 group = NFNLGRP_CONNTRACK_DESTROY; 724 } else if (events & ((1 << IPCT_NEW) | (1 << IPCT_RELATED))) { 725 type = IPCTNL_MSG_CT_NEW; 726 flags = NLM_F_CREATE|NLM_F_EXCL; 727 group = NFNLGRP_CONNTRACK_NEW; 728 } else if (events) { 729 type = IPCTNL_MSG_CT_NEW; 730 group = NFNLGRP_CONNTRACK_UPDATE; 731 } else 732 return 0; 733 734 net = nf_ct_net(ct); 735 if (!item->report && !nfnetlink_has_listeners(net, group)) 736 return 0; 737 738 skb = nlmsg_new(ctnetlink_nlmsg_size(ct), GFP_ATOMIC); 739 if (skb == NULL) 740 goto errout; 741 742 type = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, type); 743 nlh = nfnl_msg_put(skb, item->portid, 0, type, flags, nf_ct_l3num(ct), 744 NFNETLINK_V0, 0); 745 if (!nlh) 746 goto nlmsg_failure; 747 748 zone = nf_ct_zone(ct); 749 750 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG); 751 if (!nest_parms) 752 goto nla_put_failure; 753 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0) 754 goto nla_put_failure; 755 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone, 756 NF_CT_ZONE_DIR_ORIG) < 0) 757 goto nla_put_failure; 758 nla_nest_end(skb, nest_parms); 759 760 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY); 761 if (!nest_parms) 762 goto nla_put_failure; 763 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0) 764 goto nla_put_failure; 765 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone, 766 NF_CT_ZONE_DIR_REPL) < 0) 767 goto nla_put_failure; 768 nla_nest_end(skb, nest_parms); 769 770 if (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone, 771 NF_CT_DEFAULT_ZONE_DIR) < 0) 772 goto nla_put_failure; 773 774 if (ctnetlink_dump_id(skb, ct) < 0) 775 goto nla_put_failure; 776 777 if (ctnetlink_dump_status(skb, ct) < 0) 778 goto nla_put_failure; 779 780 if (events & (1 << IPCT_DESTROY)) { 781 if (ctnetlink_dump_timeout(skb, ct, true) < 0) 782 goto nla_put_failure; 783 784 if (ctnetlink_dump_acct(skb, ct, type) < 0 || 785 ctnetlink_dump_timestamp(skb, ct) < 0 || 786 ctnetlink_dump_protoinfo(skb, ct, true) < 0) 787 goto nla_put_failure; 788 } else { 789 if (ctnetlink_dump_timeout(skb, ct, false) < 0) 790 goto nla_put_failure; 791 792 if (events & (1 << IPCT_PROTOINFO) && 793 ctnetlink_dump_protoinfo(skb, ct, false) < 0) 794 goto nla_put_failure; 795 796 if ((events & (1 << IPCT_HELPER) || nfct_help(ct)) 797 && ctnetlink_dump_helpinfo(skb, ct) < 0) 798 goto nla_put_failure; 799 800 #ifdef CONFIG_NF_CONNTRACK_SECMARK 801 if ((events & (1 << IPCT_SECMARK) || ct->secmark) 802 && ctnetlink_dump_secctx(skb, ct) < 0) 803 goto nla_put_failure; 804 #endif 805 if (events & (1 << IPCT_LABEL) && 806 ctnetlink_dump_labels(skb, ct) < 0) 807 goto nla_put_failure; 808 809 if (events & (1 << IPCT_RELATED) && 810 ctnetlink_dump_master(skb, ct) < 0) 811 goto nla_put_failure; 812 813 if (events & (1 << IPCT_SEQADJ) && 814 ctnetlink_dump_ct_seq_adj(skb, ct) < 0) 815 goto nla_put_failure; 816 817 if (events & (1 << IPCT_SYNPROXY) && 818 ctnetlink_dump_ct_synproxy(skb, ct) < 0) 819 goto nla_put_failure; 820 } 821 822 #ifdef CONFIG_NF_CONNTRACK_MARK 823 if ((events & (1 << IPCT_MARK) || ct->mark) 824 && ctnetlink_dump_mark(skb, ct) < 0) 825 goto nla_put_failure; 826 #endif 827 nlmsg_end(skb, nlh); 828 err = nfnetlink_send(skb, net, item->portid, group, item->report, 829 GFP_ATOMIC); 830 if (err == -ENOBUFS || err == -EAGAIN) 831 return -ENOBUFS; 832 833 return 0; 834 835 nla_put_failure: 836 nlmsg_cancel(skb, nlh); 837 nlmsg_failure: 838 kfree_skb(skb); 839 errout: 840 if (nfnetlink_set_err(net, 0, group, -ENOBUFS) > 0) 841 return -ENOBUFS; 842 843 return 0; 844 } 845 #endif /* CONFIG_NF_CONNTRACK_EVENTS */ 846 847 static int ctnetlink_done(struct netlink_callback *cb) 848 { 849 if (cb->args[1]) 850 nf_ct_put((struct nf_conn *)cb->args[1]); 851 kfree(cb->data); 852 return 0; 853 } 854 855 struct ctnetlink_filter_u32 { 856 u32 val; 857 u32 mask; 858 }; 859 860 struct ctnetlink_filter { 861 u8 family; 862 863 u_int32_t orig_flags; 864 u_int32_t reply_flags; 865 866 struct nf_conntrack_tuple orig; 867 struct nf_conntrack_tuple reply; 868 struct nf_conntrack_zone zone; 869 870 struct ctnetlink_filter_u32 mark; 871 struct ctnetlink_filter_u32 status; 872 }; 873 874 static const struct nla_policy cta_filter_nla_policy[CTA_FILTER_MAX + 1] = { 875 [CTA_FILTER_ORIG_FLAGS] = { .type = NLA_U32 }, 876 [CTA_FILTER_REPLY_FLAGS] = { .type = NLA_U32 }, 877 }; 878 879 static int ctnetlink_parse_filter(const struct nlattr *attr, 880 struct ctnetlink_filter *filter) 881 { 882 struct nlattr *tb[CTA_FILTER_MAX + 1]; 883 int ret = 0; 884 885 ret = nla_parse_nested(tb, CTA_FILTER_MAX, attr, cta_filter_nla_policy, 886 NULL); 887 if (ret) 888 return ret; 889 890 if (tb[CTA_FILTER_ORIG_FLAGS]) { 891 filter->orig_flags = nla_get_u32(tb[CTA_FILTER_ORIG_FLAGS]); 892 if (filter->orig_flags & ~CTA_FILTER_F_ALL) 893 return -EOPNOTSUPP; 894 } 895 896 if (tb[CTA_FILTER_REPLY_FLAGS]) { 897 filter->reply_flags = nla_get_u32(tb[CTA_FILTER_REPLY_FLAGS]); 898 if (filter->reply_flags & ~CTA_FILTER_F_ALL) 899 return -EOPNOTSUPP; 900 } 901 902 return 0; 903 } 904 905 static int ctnetlink_parse_zone(const struct nlattr *attr, 906 struct nf_conntrack_zone *zone); 907 static int ctnetlink_parse_tuple_filter(const struct nlattr * const cda[], 908 struct nf_conntrack_tuple *tuple, 909 u32 type, u_int8_t l3num, 910 struct nf_conntrack_zone *zone, 911 u_int32_t flags); 912 913 static int ctnetlink_filter_parse_mark(struct ctnetlink_filter_u32 *mark, 914 const struct nlattr * const cda[]) 915 { 916 #ifdef CONFIG_NF_CONNTRACK_MARK 917 if (cda[CTA_MARK]) { 918 mark->val = ntohl(nla_get_be32(cda[CTA_MARK])); 919 920 if (cda[CTA_MARK_MASK]) 921 mark->mask = ntohl(nla_get_be32(cda[CTA_MARK_MASK])); 922 else 923 mark->mask = 0xffffffff; 924 } else if (cda[CTA_MARK_MASK]) { 925 return -EINVAL; 926 } 927 #endif 928 return 0; 929 } 930 931 static int ctnetlink_filter_parse_status(struct ctnetlink_filter_u32 *status, 932 const struct nlattr * const cda[]) 933 { 934 if (cda[CTA_STATUS]) { 935 status->val = ntohl(nla_get_be32(cda[CTA_STATUS])); 936 if (cda[CTA_STATUS_MASK]) 937 status->mask = ntohl(nla_get_be32(cda[CTA_STATUS_MASK])); 938 else 939 status->mask = status->val; 940 941 /* status->val == 0? always true, else always false. */ 942 if (status->mask == 0) 943 return -EINVAL; 944 } else if (cda[CTA_STATUS_MASK]) { 945 return -EINVAL; 946 } 947 948 /* CTA_STATUS is NLA_U32, if this fires UAPI needs to be extended */ 949 BUILD_BUG_ON(__IPS_MAX_BIT >= 32); 950 return 0; 951 } 952 953 static struct ctnetlink_filter * 954 ctnetlink_alloc_filter(const struct nlattr * const cda[], u8 family) 955 { 956 struct ctnetlink_filter *filter; 957 int err; 958 959 #ifndef CONFIG_NF_CONNTRACK_MARK 960 if (cda[CTA_MARK] || cda[CTA_MARK_MASK]) 961 return ERR_PTR(-EOPNOTSUPP); 962 #endif 963 964 filter = kzalloc(sizeof(*filter), GFP_KERNEL); 965 if (filter == NULL) 966 return ERR_PTR(-ENOMEM); 967 968 filter->family = family; 969 970 err = ctnetlink_filter_parse_mark(&filter->mark, cda); 971 if (err) 972 goto err_filter; 973 974 err = ctnetlink_filter_parse_status(&filter->status, cda); 975 if (err) 976 goto err_filter; 977 978 if (!cda[CTA_FILTER]) 979 return filter; 980 981 err = ctnetlink_parse_zone(cda[CTA_ZONE], &filter->zone); 982 if (err < 0) 983 goto err_filter; 984 985 err = ctnetlink_parse_filter(cda[CTA_FILTER], filter); 986 if (err < 0) 987 goto err_filter; 988 989 if (filter->orig_flags) { 990 if (!cda[CTA_TUPLE_ORIG]) { 991 err = -EINVAL; 992 goto err_filter; 993 } 994 995 err = ctnetlink_parse_tuple_filter(cda, &filter->orig, 996 CTA_TUPLE_ORIG, 997 filter->family, 998 &filter->zone, 999 filter->orig_flags); 1000 if (err < 0) 1001 goto err_filter; 1002 } 1003 1004 if (filter->reply_flags) { 1005 if (!cda[CTA_TUPLE_REPLY]) { 1006 err = -EINVAL; 1007 goto err_filter; 1008 } 1009 1010 err = ctnetlink_parse_tuple_filter(cda, &filter->reply, 1011 CTA_TUPLE_REPLY, 1012 filter->family, 1013 &filter->zone, 1014 filter->orig_flags); 1015 if (err < 0) { 1016 err = -EINVAL; 1017 goto err_filter; 1018 } 1019 } 1020 1021 return filter; 1022 1023 err_filter: 1024 kfree(filter); 1025 1026 return ERR_PTR(err); 1027 } 1028 1029 static bool ctnetlink_needs_filter(u8 family, const struct nlattr * const *cda) 1030 { 1031 return family || cda[CTA_MARK] || cda[CTA_FILTER] || cda[CTA_STATUS]; 1032 } 1033 1034 static int ctnetlink_start(struct netlink_callback *cb) 1035 { 1036 const struct nlattr * const *cda = cb->data; 1037 struct ctnetlink_filter *filter = NULL; 1038 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 1039 u8 family = nfmsg->nfgen_family; 1040 1041 if (ctnetlink_needs_filter(family, cda)) { 1042 filter = ctnetlink_alloc_filter(cda, family); 1043 if (IS_ERR(filter)) 1044 return PTR_ERR(filter); 1045 } 1046 1047 cb->data = filter; 1048 return 0; 1049 } 1050 1051 static int ctnetlink_filter_match_tuple(struct nf_conntrack_tuple *filter_tuple, 1052 struct nf_conntrack_tuple *ct_tuple, 1053 u_int32_t flags, int family) 1054 { 1055 switch (family) { 1056 case NFPROTO_IPV4: 1057 if ((flags & CTA_FILTER_FLAG(CTA_IP_SRC)) && 1058 filter_tuple->src.u3.ip != ct_tuple->src.u3.ip) 1059 return 0; 1060 1061 if ((flags & CTA_FILTER_FLAG(CTA_IP_DST)) && 1062 filter_tuple->dst.u3.ip != ct_tuple->dst.u3.ip) 1063 return 0; 1064 break; 1065 case NFPROTO_IPV6: 1066 if ((flags & CTA_FILTER_FLAG(CTA_IP_SRC)) && 1067 !ipv6_addr_cmp(&filter_tuple->src.u3.in6, 1068 &ct_tuple->src.u3.in6)) 1069 return 0; 1070 1071 if ((flags & CTA_FILTER_FLAG(CTA_IP_DST)) && 1072 !ipv6_addr_cmp(&filter_tuple->dst.u3.in6, 1073 &ct_tuple->dst.u3.in6)) 1074 return 0; 1075 break; 1076 } 1077 1078 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_NUM)) && 1079 filter_tuple->dst.protonum != ct_tuple->dst.protonum) 1080 return 0; 1081 1082 switch (ct_tuple->dst.protonum) { 1083 case IPPROTO_TCP: 1084 case IPPROTO_UDP: 1085 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_SRC_PORT)) && 1086 filter_tuple->src.u.tcp.port != ct_tuple->src.u.tcp.port) 1087 return 0; 1088 1089 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_DST_PORT)) && 1090 filter_tuple->dst.u.tcp.port != ct_tuple->dst.u.tcp.port) 1091 return 0; 1092 break; 1093 case IPPROTO_ICMP: 1094 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMP_TYPE)) && 1095 filter_tuple->dst.u.icmp.type != ct_tuple->dst.u.icmp.type) 1096 return 0; 1097 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMP_CODE)) && 1098 filter_tuple->dst.u.icmp.code != ct_tuple->dst.u.icmp.code) 1099 return 0; 1100 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMP_ID)) && 1101 filter_tuple->src.u.icmp.id != ct_tuple->src.u.icmp.id) 1102 return 0; 1103 break; 1104 case IPPROTO_ICMPV6: 1105 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMPV6_TYPE)) && 1106 filter_tuple->dst.u.icmp.type != ct_tuple->dst.u.icmp.type) 1107 return 0; 1108 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMPV6_CODE)) && 1109 filter_tuple->dst.u.icmp.code != ct_tuple->dst.u.icmp.code) 1110 return 0; 1111 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMPV6_ID)) && 1112 filter_tuple->src.u.icmp.id != ct_tuple->src.u.icmp.id) 1113 return 0; 1114 break; 1115 } 1116 1117 return 1; 1118 } 1119 1120 static int ctnetlink_filter_match(struct nf_conn *ct, void *data) 1121 { 1122 struct ctnetlink_filter *filter = data; 1123 struct nf_conntrack_tuple *tuple; 1124 u32 status; 1125 1126 if (filter == NULL) 1127 goto out; 1128 1129 /* Match entries of a given L3 protocol number. 1130 * If it is not specified, ie. l3proto == 0, 1131 * then match everything. 1132 */ 1133 if (filter->family && nf_ct_l3num(ct) != filter->family) 1134 goto ignore_entry; 1135 1136 if (filter->orig_flags) { 1137 tuple = nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL); 1138 if (!ctnetlink_filter_match_tuple(&filter->orig, tuple, 1139 filter->orig_flags, 1140 filter->family)) 1141 goto ignore_entry; 1142 } 1143 1144 if (filter->reply_flags) { 1145 tuple = nf_ct_tuple(ct, IP_CT_DIR_REPLY); 1146 if (!ctnetlink_filter_match_tuple(&filter->reply, tuple, 1147 filter->reply_flags, 1148 filter->family)) 1149 goto ignore_entry; 1150 } 1151 1152 #ifdef CONFIG_NF_CONNTRACK_MARK 1153 if ((ct->mark & filter->mark.mask) != filter->mark.val) 1154 goto ignore_entry; 1155 #endif 1156 status = (u32)READ_ONCE(ct->status); 1157 if ((status & filter->status.mask) != filter->status.val) 1158 goto ignore_entry; 1159 1160 out: 1161 return 1; 1162 1163 ignore_entry: 1164 return 0; 1165 } 1166 1167 static int 1168 ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb) 1169 { 1170 unsigned int flags = cb->data ? NLM_F_DUMP_FILTERED : 0; 1171 struct net *net = sock_net(skb->sk); 1172 struct nf_conn *ct, *last; 1173 struct nf_conntrack_tuple_hash *h; 1174 struct hlist_nulls_node *n; 1175 struct nf_conn *nf_ct_evict[8]; 1176 int res, i; 1177 spinlock_t *lockp; 1178 1179 last = (struct nf_conn *)cb->args[1]; 1180 i = 0; 1181 1182 local_bh_disable(); 1183 for (; cb->args[0] < nf_conntrack_htable_size; cb->args[0]++) { 1184 restart: 1185 while (i) { 1186 i--; 1187 if (nf_ct_should_gc(nf_ct_evict[i])) 1188 nf_ct_kill(nf_ct_evict[i]); 1189 nf_ct_put(nf_ct_evict[i]); 1190 } 1191 1192 lockp = &nf_conntrack_locks[cb->args[0] % CONNTRACK_LOCKS]; 1193 nf_conntrack_lock(lockp); 1194 if (cb->args[0] >= nf_conntrack_htable_size) { 1195 spin_unlock(lockp); 1196 goto out; 1197 } 1198 hlist_nulls_for_each_entry(h, n, &nf_conntrack_hash[cb->args[0]], 1199 hnnode) { 1200 if (NF_CT_DIRECTION(h) != IP_CT_DIR_ORIGINAL) 1201 continue; 1202 ct = nf_ct_tuplehash_to_ctrack(h); 1203 if (nf_ct_is_expired(ct)) { 1204 if (i < ARRAY_SIZE(nf_ct_evict) && 1205 atomic_inc_not_zero(&ct->ct_general.use)) 1206 nf_ct_evict[i++] = ct; 1207 continue; 1208 } 1209 1210 if (!net_eq(net, nf_ct_net(ct))) 1211 continue; 1212 1213 if (cb->args[1]) { 1214 if (ct != last) 1215 continue; 1216 cb->args[1] = 0; 1217 } 1218 if (!ctnetlink_filter_match(ct, cb->data)) 1219 continue; 1220 1221 res = 1222 ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).portid, 1223 cb->nlh->nlmsg_seq, 1224 NFNL_MSG_TYPE(cb->nlh->nlmsg_type), 1225 ct, true, flags); 1226 if (res < 0) { 1227 nf_conntrack_get(&ct->ct_general); 1228 cb->args[1] = (unsigned long)ct; 1229 spin_unlock(lockp); 1230 goto out; 1231 } 1232 } 1233 spin_unlock(lockp); 1234 if (cb->args[1]) { 1235 cb->args[1] = 0; 1236 goto restart; 1237 } 1238 } 1239 out: 1240 local_bh_enable(); 1241 if (last) { 1242 /* nf ct hash resize happened, now clear the leftover. */ 1243 if ((struct nf_conn *)cb->args[1] == last) 1244 cb->args[1] = 0; 1245 1246 nf_ct_put(last); 1247 } 1248 1249 while (i) { 1250 i--; 1251 if (nf_ct_should_gc(nf_ct_evict[i])) 1252 nf_ct_kill(nf_ct_evict[i]); 1253 nf_ct_put(nf_ct_evict[i]); 1254 } 1255 1256 return skb->len; 1257 } 1258 1259 static int ipv4_nlattr_to_tuple(struct nlattr *tb[], 1260 struct nf_conntrack_tuple *t, 1261 u_int32_t flags) 1262 { 1263 if (flags & CTA_FILTER_FLAG(CTA_IP_SRC)) { 1264 if (!tb[CTA_IP_V4_SRC]) 1265 return -EINVAL; 1266 1267 t->src.u3.ip = nla_get_in_addr(tb[CTA_IP_V4_SRC]); 1268 } 1269 1270 if (flags & CTA_FILTER_FLAG(CTA_IP_DST)) { 1271 if (!tb[CTA_IP_V4_DST]) 1272 return -EINVAL; 1273 1274 t->dst.u3.ip = nla_get_in_addr(tb[CTA_IP_V4_DST]); 1275 } 1276 1277 return 0; 1278 } 1279 1280 static int ipv6_nlattr_to_tuple(struct nlattr *tb[], 1281 struct nf_conntrack_tuple *t, 1282 u_int32_t flags) 1283 { 1284 if (flags & CTA_FILTER_FLAG(CTA_IP_SRC)) { 1285 if (!tb[CTA_IP_V6_SRC]) 1286 return -EINVAL; 1287 1288 t->src.u3.in6 = nla_get_in6_addr(tb[CTA_IP_V6_SRC]); 1289 } 1290 1291 if (flags & CTA_FILTER_FLAG(CTA_IP_DST)) { 1292 if (!tb[CTA_IP_V6_DST]) 1293 return -EINVAL; 1294 1295 t->dst.u3.in6 = nla_get_in6_addr(tb[CTA_IP_V6_DST]); 1296 } 1297 1298 return 0; 1299 } 1300 1301 static int ctnetlink_parse_tuple_ip(struct nlattr *attr, 1302 struct nf_conntrack_tuple *tuple, 1303 u_int32_t flags) 1304 { 1305 struct nlattr *tb[CTA_IP_MAX+1]; 1306 int ret = 0; 1307 1308 ret = nla_parse_nested_deprecated(tb, CTA_IP_MAX, attr, NULL, NULL); 1309 if (ret < 0) 1310 return ret; 1311 1312 ret = nla_validate_nested_deprecated(attr, CTA_IP_MAX, 1313 cta_ip_nla_policy, NULL); 1314 if (ret) 1315 return ret; 1316 1317 switch (tuple->src.l3num) { 1318 case NFPROTO_IPV4: 1319 ret = ipv4_nlattr_to_tuple(tb, tuple, flags); 1320 break; 1321 case NFPROTO_IPV6: 1322 ret = ipv6_nlattr_to_tuple(tb, tuple, flags); 1323 break; 1324 } 1325 1326 return ret; 1327 } 1328 1329 static const struct nla_policy proto_nla_policy[CTA_PROTO_MAX+1] = { 1330 [CTA_PROTO_NUM] = { .type = NLA_U8 }, 1331 }; 1332 1333 static int ctnetlink_parse_tuple_proto(struct nlattr *attr, 1334 struct nf_conntrack_tuple *tuple, 1335 u_int32_t flags) 1336 { 1337 const struct nf_conntrack_l4proto *l4proto; 1338 struct nlattr *tb[CTA_PROTO_MAX+1]; 1339 int ret = 0; 1340 1341 ret = nla_parse_nested_deprecated(tb, CTA_PROTO_MAX, attr, 1342 proto_nla_policy, NULL); 1343 if (ret < 0) 1344 return ret; 1345 1346 if (!(flags & CTA_FILTER_FLAG(CTA_PROTO_NUM))) 1347 return 0; 1348 1349 if (!tb[CTA_PROTO_NUM]) 1350 return -EINVAL; 1351 1352 tuple->dst.protonum = nla_get_u8(tb[CTA_PROTO_NUM]); 1353 1354 rcu_read_lock(); 1355 l4proto = nf_ct_l4proto_find(tuple->dst.protonum); 1356 1357 if (likely(l4proto->nlattr_to_tuple)) { 1358 ret = nla_validate_nested_deprecated(attr, CTA_PROTO_MAX, 1359 l4proto->nla_policy, 1360 NULL); 1361 if (ret == 0) 1362 ret = l4proto->nlattr_to_tuple(tb, tuple, flags); 1363 } 1364 1365 rcu_read_unlock(); 1366 1367 return ret; 1368 } 1369 1370 static int 1371 ctnetlink_parse_zone(const struct nlattr *attr, 1372 struct nf_conntrack_zone *zone) 1373 { 1374 nf_ct_zone_init(zone, NF_CT_DEFAULT_ZONE_ID, 1375 NF_CT_DEFAULT_ZONE_DIR, 0); 1376 #ifdef CONFIG_NF_CONNTRACK_ZONES 1377 if (attr) 1378 zone->id = ntohs(nla_get_be16(attr)); 1379 #else 1380 if (attr) 1381 return -EOPNOTSUPP; 1382 #endif 1383 return 0; 1384 } 1385 1386 static int 1387 ctnetlink_parse_tuple_zone(struct nlattr *attr, enum ctattr_type type, 1388 struct nf_conntrack_zone *zone) 1389 { 1390 int ret; 1391 1392 if (zone->id != NF_CT_DEFAULT_ZONE_ID) 1393 return -EINVAL; 1394 1395 ret = ctnetlink_parse_zone(attr, zone); 1396 if (ret < 0) 1397 return ret; 1398 1399 if (type == CTA_TUPLE_REPLY) 1400 zone->dir = NF_CT_ZONE_DIR_REPL; 1401 else 1402 zone->dir = NF_CT_ZONE_DIR_ORIG; 1403 1404 return 0; 1405 } 1406 1407 static const struct nla_policy tuple_nla_policy[CTA_TUPLE_MAX+1] = { 1408 [CTA_TUPLE_IP] = { .type = NLA_NESTED }, 1409 [CTA_TUPLE_PROTO] = { .type = NLA_NESTED }, 1410 [CTA_TUPLE_ZONE] = { .type = NLA_U16 }, 1411 }; 1412 1413 #define CTA_FILTER_F_ALL_CTA_PROTO \ 1414 (CTA_FILTER_F_CTA_PROTO_SRC_PORT | \ 1415 CTA_FILTER_F_CTA_PROTO_DST_PORT | \ 1416 CTA_FILTER_F_CTA_PROTO_ICMP_TYPE | \ 1417 CTA_FILTER_F_CTA_PROTO_ICMP_CODE | \ 1418 CTA_FILTER_F_CTA_PROTO_ICMP_ID | \ 1419 CTA_FILTER_F_CTA_PROTO_ICMPV6_TYPE | \ 1420 CTA_FILTER_F_CTA_PROTO_ICMPV6_CODE | \ 1421 CTA_FILTER_F_CTA_PROTO_ICMPV6_ID) 1422 1423 static int 1424 ctnetlink_parse_tuple_filter(const struct nlattr * const cda[], 1425 struct nf_conntrack_tuple *tuple, u32 type, 1426 u_int8_t l3num, struct nf_conntrack_zone *zone, 1427 u_int32_t flags) 1428 { 1429 struct nlattr *tb[CTA_TUPLE_MAX+1]; 1430 int err; 1431 1432 memset(tuple, 0, sizeof(*tuple)); 1433 1434 err = nla_parse_nested_deprecated(tb, CTA_TUPLE_MAX, cda[type], 1435 tuple_nla_policy, NULL); 1436 if (err < 0) 1437 return err; 1438 1439 if (l3num != NFPROTO_IPV4 && l3num != NFPROTO_IPV6) 1440 return -EOPNOTSUPP; 1441 tuple->src.l3num = l3num; 1442 1443 if (flags & CTA_FILTER_FLAG(CTA_IP_DST) || 1444 flags & CTA_FILTER_FLAG(CTA_IP_SRC)) { 1445 if (!tb[CTA_TUPLE_IP]) 1446 return -EINVAL; 1447 1448 err = ctnetlink_parse_tuple_ip(tb[CTA_TUPLE_IP], tuple, flags); 1449 if (err < 0) 1450 return err; 1451 } 1452 1453 if (flags & CTA_FILTER_FLAG(CTA_PROTO_NUM)) { 1454 if (!tb[CTA_TUPLE_PROTO]) 1455 return -EINVAL; 1456 1457 err = ctnetlink_parse_tuple_proto(tb[CTA_TUPLE_PROTO], tuple, flags); 1458 if (err < 0) 1459 return err; 1460 } else if (flags & CTA_FILTER_FLAG(ALL_CTA_PROTO)) { 1461 /* Can't manage proto flags without a protonum */ 1462 return -EINVAL; 1463 } 1464 1465 if ((flags & CTA_FILTER_FLAG(CTA_TUPLE_ZONE)) && tb[CTA_TUPLE_ZONE]) { 1466 if (!zone) 1467 return -EINVAL; 1468 1469 err = ctnetlink_parse_tuple_zone(tb[CTA_TUPLE_ZONE], 1470 type, zone); 1471 if (err < 0) 1472 return err; 1473 } 1474 1475 /* orig and expect tuples get DIR_ORIGINAL */ 1476 if (type == CTA_TUPLE_REPLY) 1477 tuple->dst.dir = IP_CT_DIR_REPLY; 1478 else 1479 tuple->dst.dir = IP_CT_DIR_ORIGINAL; 1480 1481 return 0; 1482 } 1483 1484 static int 1485 ctnetlink_parse_tuple(const struct nlattr * const cda[], 1486 struct nf_conntrack_tuple *tuple, u32 type, 1487 u_int8_t l3num, struct nf_conntrack_zone *zone) 1488 { 1489 return ctnetlink_parse_tuple_filter(cda, tuple, type, l3num, zone, 1490 CTA_FILTER_FLAG(ALL)); 1491 } 1492 1493 static const struct nla_policy help_nla_policy[CTA_HELP_MAX+1] = { 1494 [CTA_HELP_NAME] = { .type = NLA_NUL_STRING, 1495 .len = NF_CT_HELPER_NAME_LEN - 1 }, 1496 }; 1497 1498 static int ctnetlink_parse_help(const struct nlattr *attr, char **helper_name, 1499 struct nlattr **helpinfo) 1500 { 1501 int err; 1502 struct nlattr *tb[CTA_HELP_MAX+1]; 1503 1504 err = nla_parse_nested_deprecated(tb, CTA_HELP_MAX, attr, 1505 help_nla_policy, NULL); 1506 if (err < 0) 1507 return err; 1508 1509 if (!tb[CTA_HELP_NAME]) 1510 return -EINVAL; 1511 1512 *helper_name = nla_data(tb[CTA_HELP_NAME]); 1513 1514 if (tb[CTA_HELP_INFO]) 1515 *helpinfo = tb[CTA_HELP_INFO]; 1516 1517 return 0; 1518 } 1519 1520 static const struct nla_policy ct_nla_policy[CTA_MAX+1] = { 1521 [CTA_TUPLE_ORIG] = { .type = NLA_NESTED }, 1522 [CTA_TUPLE_REPLY] = { .type = NLA_NESTED }, 1523 [CTA_STATUS] = { .type = NLA_U32 }, 1524 [CTA_PROTOINFO] = { .type = NLA_NESTED }, 1525 [CTA_HELP] = { .type = NLA_NESTED }, 1526 [CTA_NAT_SRC] = { .type = NLA_NESTED }, 1527 [CTA_TIMEOUT] = { .type = NLA_U32 }, 1528 [CTA_MARK] = { .type = NLA_U32 }, 1529 [CTA_ID] = { .type = NLA_U32 }, 1530 [CTA_NAT_DST] = { .type = NLA_NESTED }, 1531 [CTA_TUPLE_MASTER] = { .type = NLA_NESTED }, 1532 [CTA_NAT_SEQ_ADJ_ORIG] = { .type = NLA_NESTED }, 1533 [CTA_NAT_SEQ_ADJ_REPLY] = { .type = NLA_NESTED }, 1534 [CTA_ZONE] = { .type = NLA_U16 }, 1535 [CTA_MARK_MASK] = { .type = NLA_U32 }, 1536 [CTA_LABELS] = { .type = NLA_BINARY, 1537 .len = NF_CT_LABELS_MAX_SIZE }, 1538 [CTA_LABELS_MASK] = { .type = NLA_BINARY, 1539 .len = NF_CT_LABELS_MAX_SIZE }, 1540 [CTA_FILTER] = { .type = NLA_NESTED }, 1541 [CTA_STATUS_MASK] = { .type = NLA_U32 }, 1542 }; 1543 1544 static int ctnetlink_flush_iterate(struct nf_conn *ct, void *data) 1545 { 1546 if (test_bit(IPS_OFFLOAD_BIT, &ct->status)) 1547 return 0; 1548 1549 return ctnetlink_filter_match(ct, data); 1550 } 1551 1552 static int ctnetlink_flush_conntrack(struct net *net, 1553 const struct nlattr * const cda[], 1554 u32 portid, int report, u8 family) 1555 { 1556 struct ctnetlink_filter *filter = NULL; 1557 1558 if (ctnetlink_needs_filter(family, cda)) { 1559 if (cda[CTA_FILTER]) 1560 return -EOPNOTSUPP; 1561 1562 filter = ctnetlink_alloc_filter(cda, family); 1563 if (IS_ERR(filter)) 1564 return PTR_ERR(filter); 1565 } 1566 1567 nf_ct_iterate_cleanup_net(net, ctnetlink_flush_iterate, filter, 1568 portid, report); 1569 kfree(filter); 1570 1571 return 0; 1572 } 1573 1574 static int ctnetlink_del_conntrack(struct sk_buff *skb, 1575 const struct nfnl_info *info, 1576 const struct nlattr * const cda[]) 1577 { 1578 u8 family = info->nfmsg->nfgen_family; 1579 struct nf_conntrack_tuple_hash *h; 1580 struct nf_conntrack_tuple tuple; 1581 struct nf_conntrack_zone zone; 1582 struct nf_conn *ct; 1583 int err; 1584 1585 err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone); 1586 if (err < 0) 1587 return err; 1588 1589 if (cda[CTA_TUPLE_ORIG]) 1590 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, 1591 family, &zone); 1592 else if (cda[CTA_TUPLE_REPLY]) 1593 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY, 1594 family, &zone); 1595 else { 1596 u_int8_t u3 = info->nfmsg->version ? family : AF_UNSPEC; 1597 1598 return ctnetlink_flush_conntrack(info->net, cda, 1599 NETLINK_CB(skb).portid, 1600 nlmsg_report(info->nlh), u3); 1601 } 1602 1603 if (err < 0) 1604 return err; 1605 1606 h = nf_conntrack_find_get(info->net, &zone, &tuple); 1607 if (!h) 1608 return -ENOENT; 1609 1610 ct = nf_ct_tuplehash_to_ctrack(h); 1611 1612 if (test_bit(IPS_OFFLOAD_BIT, &ct->status)) { 1613 nf_ct_put(ct); 1614 return -EBUSY; 1615 } 1616 1617 if (cda[CTA_ID]) { 1618 __be32 id = nla_get_be32(cda[CTA_ID]); 1619 1620 if (id != (__force __be32)nf_ct_get_id(ct)) { 1621 nf_ct_put(ct); 1622 return -ENOENT; 1623 } 1624 } 1625 1626 nf_ct_delete(ct, NETLINK_CB(skb).portid, nlmsg_report(info->nlh)); 1627 nf_ct_put(ct); 1628 1629 return 0; 1630 } 1631 1632 static int ctnetlink_get_conntrack(struct sk_buff *skb, 1633 const struct nfnl_info *info, 1634 const struct nlattr * const cda[]) 1635 { 1636 u_int8_t u3 = info->nfmsg->nfgen_family; 1637 struct nf_conntrack_tuple_hash *h; 1638 struct nf_conntrack_tuple tuple; 1639 struct nf_conntrack_zone zone; 1640 struct sk_buff *skb2; 1641 struct nf_conn *ct; 1642 int err; 1643 1644 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 1645 struct netlink_dump_control c = { 1646 .start = ctnetlink_start, 1647 .dump = ctnetlink_dump_table, 1648 .done = ctnetlink_done, 1649 .data = (void *)cda, 1650 }; 1651 1652 return netlink_dump_start(info->sk, skb, info->nlh, &c); 1653 } 1654 1655 err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone); 1656 if (err < 0) 1657 return err; 1658 1659 if (cda[CTA_TUPLE_ORIG]) 1660 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, 1661 u3, &zone); 1662 else if (cda[CTA_TUPLE_REPLY]) 1663 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY, 1664 u3, &zone); 1665 else 1666 return -EINVAL; 1667 1668 if (err < 0) 1669 return err; 1670 1671 h = nf_conntrack_find_get(info->net, &zone, &tuple); 1672 if (!h) 1673 return -ENOENT; 1674 1675 ct = nf_ct_tuplehash_to_ctrack(h); 1676 1677 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); 1678 if (!skb2) { 1679 nf_ct_put(ct); 1680 return -ENOMEM; 1681 } 1682 1683 err = ctnetlink_fill_info(skb2, NETLINK_CB(skb).portid, 1684 info->nlh->nlmsg_seq, 1685 NFNL_MSG_TYPE(info->nlh->nlmsg_type), ct, 1686 true, 0); 1687 nf_ct_put(ct); 1688 if (err <= 0) { 1689 kfree_skb(skb2); 1690 return -ENOMEM; 1691 } 1692 1693 return nfnetlink_unicast(skb2, info->net, NETLINK_CB(skb).portid); 1694 } 1695 1696 static int ctnetlink_done_list(struct netlink_callback *cb) 1697 { 1698 if (cb->args[1]) 1699 nf_ct_put((struct nf_conn *)cb->args[1]); 1700 return 0; 1701 } 1702 1703 static int 1704 ctnetlink_dump_list(struct sk_buff *skb, struct netlink_callback *cb, bool dying) 1705 { 1706 struct nf_conn *ct, *last; 1707 struct nf_conntrack_tuple_hash *h; 1708 struct hlist_nulls_node *n; 1709 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 1710 u_int8_t l3proto = nfmsg->nfgen_family; 1711 int res; 1712 int cpu; 1713 struct hlist_nulls_head *list; 1714 struct net *net = sock_net(skb->sk); 1715 1716 if (cb->args[2]) 1717 return 0; 1718 1719 last = (struct nf_conn *)cb->args[1]; 1720 1721 for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) { 1722 struct ct_pcpu *pcpu; 1723 1724 if (!cpu_possible(cpu)) 1725 continue; 1726 1727 pcpu = per_cpu_ptr(net->ct.pcpu_lists, cpu); 1728 spin_lock_bh(&pcpu->lock); 1729 list = dying ? &pcpu->dying : &pcpu->unconfirmed; 1730 restart: 1731 hlist_nulls_for_each_entry(h, n, list, hnnode) { 1732 ct = nf_ct_tuplehash_to_ctrack(h); 1733 if (l3proto && nf_ct_l3num(ct) != l3proto) 1734 continue; 1735 if (cb->args[1]) { 1736 if (ct != last) 1737 continue; 1738 cb->args[1] = 0; 1739 } 1740 1741 /* We can't dump extension info for the unconfirmed 1742 * list because unconfirmed conntracks can have 1743 * ct->ext reallocated (and thus freed). 1744 * 1745 * In the dying list case ct->ext can't be free'd 1746 * until after we drop pcpu->lock. 1747 */ 1748 res = ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).portid, 1749 cb->nlh->nlmsg_seq, 1750 NFNL_MSG_TYPE(cb->nlh->nlmsg_type), 1751 ct, dying ? true : false, 0); 1752 if (res < 0) { 1753 if (!atomic_inc_not_zero(&ct->ct_general.use)) 1754 continue; 1755 cb->args[0] = cpu; 1756 cb->args[1] = (unsigned long)ct; 1757 spin_unlock_bh(&pcpu->lock); 1758 goto out; 1759 } 1760 } 1761 if (cb->args[1]) { 1762 cb->args[1] = 0; 1763 goto restart; 1764 } 1765 spin_unlock_bh(&pcpu->lock); 1766 } 1767 cb->args[2] = 1; 1768 out: 1769 if (last) 1770 nf_ct_put(last); 1771 1772 return skb->len; 1773 } 1774 1775 static int 1776 ctnetlink_dump_dying(struct sk_buff *skb, struct netlink_callback *cb) 1777 { 1778 return ctnetlink_dump_list(skb, cb, true); 1779 } 1780 1781 static int ctnetlink_get_ct_dying(struct sk_buff *skb, 1782 const struct nfnl_info *info, 1783 const struct nlattr * const cda[]) 1784 { 1785 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 1786 struct netlink_dump_control c = { 1787 .dump = ctnetlink_dump_dying, 1788 .done = ctnetlink_done_list, 1789 }; 1790 return netlink_dump_start(info->sk, skb, info->nlh, &c); 1791 } 1792 1793 return -EOPNOTSUPP; 1794 } 1795 1796 static int 1797 ctnetlink_dump_unconfirmed(struct sk_buff *skb, struct netlink_callback *cb) 1798 { 1799 return ctnetlink_dump_list(skb, cb, false); 1800 } 1801 1802 static int ctnetlink_get_ct_unconfirmed(struct sk_buff *skb, 1803 const struct nfnl_info *info, 1804 const struct nlattr * const cda[]) 1805 { 1806 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 1807 struct netlink_dump_control c = { 1808 .dump = ctnetlink_dump_unconfirmed, 1809 .done = ctnetlink_done_list, 1810 }; 1811 return netlink_dump_start(info->sk, skb, info->nlh, &c); 1812 } 1813 1814 return -EOPNOTSUPP; 1815 } 1816 1817 #if IS_ENABLED(CONFIG_NF_NAT) 1818 static int 1819 ctnetlink_parse_nat_setup(struct nf_conn *ct, 1820 enum nf_nat_manip_type manip, 1821 const struct nlattr *attr) 1822 __must_hold(RCU) 1823 { 1824 struct nf_nat_hook *nat_hook; 1825 int err; 1826 1827 nat_hook = rcu_dereference(nf_nat_hook); 1828 if (!nat_hook) { 1829 #ifdef CONFIG_MODULES 1830 rcu_read_unlock(); 1831 nfnl_unlock(NFNL_SUBSYS_CTNETLINK); 1832 if (request_module("nf-nat") < 0) { 1833 nfnl_lock(NFNL_SUBSYS_CTNETLINK); 1834 rcu_read_lock(); 1835 return -EOPNOTSUPP; 1836 } 1837 nfnl_lock(NFNL_SUBSYS_CTNETLINK); 1838 rcu_read_lock(); 1839 nat_hook = rcu_dereference(nf_nat_hook); 1840 if (nat_hook) 1841 return -EAGAIN; 1842 #endif 1843 return -EOPNOTSUPP; 1844 } 1845 1846 err = nat_hook->parse_nat_setup(ct, manip, attr); 1847 if (err == -EAGAIN) { 1848 #ifdef CONFIG_MODULES 1849 rcu_read_unlock(); 1850 nfnl_unlock(NFNL_SUBSYS_CTNETLINK); 1851 if (request_module("nf-nat-%u", nf_ct_l3num(ct)) < 0) { 1852 nfnl_lock(NFNL_SUBSYS_CTNETLINK); 1853 rcu_read_lock(); 1854 return -EOPNOTSUPP; 1855 } 1856 nfnl_lock(NFNL_SUBSYS_CTNETLINK); 1857 rcu_read_lock(); 1858 #else 1859 err = -EOPNOTSUPP; 1860 #endif 1861 } 1862 return err; 1863 } 1864 #endif 1865 1866 static void 1867 __ctnetlink_change_status(struct nf_conn *ct, unsigned long on, 1868 unsigned long off) 1869 { 1870 unsigned int bit; 1871 1872 /* Ignore these unchangable bits */ 1873 on &= ~IPS_UNCHANGEABLE_MASK; 1874 off &= ~IPS_UNCHANGEABLE_MASK; 1875 1876 for (bit = 0; bit < __IPS_MAX_BIT; bit++) { 1877 if (on & (1 << bit)) 1878 set_bit(bit, &ct->status); 1879 else if (off & (1 << bit)) 1880 clear_bit(bit, &ct->status); 1881 } 1882 } 1883 1884 static int 1885 ctnetlink_change_status(struct nf_conn *ct, const struct nlattr * const cda[]) 1886 { 1887 unsigned long d; 1888 unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS])); 1889 d = ct->status ^ status; 1890 1891 if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING)) 1892 /* unchangeable */ 1893 return -EBUSY; 1894 1895 if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY)) 1896 /* SEEN_REPLY bit can only be set */ 1897 return -EBUSY; 1898 1899 if (d & IPS_ASSURED && !(status & IPS_ASSURED)) 1900 /* ASSURED bit can only be set */ 1901 return -EBUSY; 1902 1903 __ctnetlink_change_status(ct, status, 0); 1904 return 0; 1905 } 1906 1907 static int 1908 ctnetlink_setup_nat(struct nf_conn *ct, const struct nlattr * const cda[]) 1909 { 1910 #if IS_ENABLED(CONFIG_NF_NAT) 1911 int ret; 1912 1913 if (!cda[CTA_NAT_DST] && !cda[CTA_NAT_SRC]) 1914 return 0; 1915 1916 ret = ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_DST, 1917 cda[CTA_NAT_DST]); 1918 if (ret < 0) 1919 return ret; 1920 1921 return ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_SRC, 1922 cda[CTA_NAT_SRC]); 1923 #else 1924 if (!cda[CTA_NAT_DST] && !cda[CTA_NAT_SRC]) 1925 return 0; 1926 return -EOPNOTSUPP; 1927 #endif 1928 } 1929 1930 static int ctnetlink_change_helper(struct nf_conn *ct, 1931 const struct nlattr * const cda[]) 1932 { 1933 struct nf_conntrack_helper *helper; 1934 struct nf_conn_help *help = nfct_help(ct); 1935 char *helpname = NULL; 1936 struct nlattr *helpinfo = NULL; 1937 int err; 1938 1939 err = ctnetlink_parse_help(cda[CTA_HELP], &helpname, &helpinfo); 1940 if (err < 0) 1941 return err; 1942 1943 /* don't change helper of sibling connections */ 1944 if (ct->master) { 1945 /* If we try to change the helper to the same thing twice, 1946 * treat the second attempt as a no-op instead of returning 1947 * an error. 1948 */ 1949 err = -EBUSY; 1950 if (help) { 1951 rcu_read_lock(); 1952 helper = rcu_dereference(help->helper); 1953 if (helper && !strcmp(helper->name, helpname)) 1954 err = 0; 1955 rcu_read_unlock(); 1956 } 1957 1958 return err; 1959 } 1960 1961 if (!strcmp(helpname, "")) { 1962 if (help && help->helper) { 1963 /* we had a helper before ... */ 1964 nf_ct_remove_expectations(ct); 1965 RCU_INIT_POINTER(help->helper, NULL); 1966 } 1967 1968 return 0; 1969 } 1970 1971 rcu_read_lock(); 1972 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct), 1973 nf_ct_protonum(ct)); 1974 if (helper == NULL) { 1975 rcu_read_unlock(); 1976 return -EOPNOTSUPP; 1977 } 1978 1979 if (help) { 1980 if (help->helper == helper) { 1981 /* update private helper data if allowed. */ 1982 if (helper->from_nlattr) 1983 helper->from_nlattr(helpinfo, ct); 1984 err = 0; 1985 } else 1986 err = -EBUSY; 1987 } else { 1988 /* we cannot set a helper for an existing conntrack */ 1989 err = -EOPNOTSUPP; 1990 } 1991 1992 rcu_read_unlock(); 1993 return err; 1994 } 1995 1996 static int ctnetlink_change_timeout(struct nf_conn *ct, 1997 const struct nlattr * const cda[]) 1998 { 1999 u64 timeout = (u64)ntohl(nla_get_be32(cda[CTA_TIMEOUT])) * HZ; 2000 2001 if (timeout > INT_MAX) 2002 timeout = INT_MAX; 2003 ct->timeout = nfct_time_stamp + (u32)timeout; 2004 2005 if (test_bit(IPS_DYING_BIT, &ct->status)) 2006 return -ETIME; 2007 2008 return 0; 2009 } 2010 2011 #if defined(CONFIG_NF_CONNTRACK_MARK) 2012 static void ctnetlink_change_mark(struct nf_conn *ct, 2013 const struct nlattr * const cda[]) 2014 { 2015 u32 mark, newmark, mask = 0; 2016 2017 if (cda[CTA_MARK_MASK]) 2018 mask = ~ntohl(nla_get_be32(cda[CTA_MARK_MASK])); 2019 2020 mark = ntohl(nla_get_be32(cda[CTA_MARK])); 2021 newmark = (ct->mark & mask) ^ mark; 2022 if (newmark != ct->mark) 2023 ct->mark = newmark; 2024 } 2025 #endif 2026 2027 static const struct nla_policy protoinfo_policy[CTA_PROTOINFO_MAX+1] = { 2028 [CTA_PROTOINFO_TCP] = { .type = NLA_NESTED }, 2029 [CTA_PROTOINFO_DCCP] = { .type = NLA_NESTED }, 2030 [CTA_PROTOINFO_SCTP] = { .type = NLA_NESTED }, 2031 }; 2032 2033 static int ctnetlink_change_protoinfo(struct nf_conn *ct, 2034 const struct nlattr * const cda[]) 2035 { 2036 const struct nlattr *attr = cda[CTA_PROTOINFO]; 2037 const struct nf_conntrack_l4proto *l4proto; 2038 struct nlattr *tb[CTA_PROTOINFO_MAX+1]; 2039 int err = 0; 2040 2041 err = nla_parse_nested_deprecated(tb, CTA_PROTOINFO_MAX, attr, 2042 protoinfo_policy, NULL); 2043 if (err < 0) 2044 return err; 2045 2046 l4proto = nf_ct_l4proto_find(nf_ct_protonum(ct)); 2047 if (l4proto->from_nlattr) 2048 err = l4proto->from_nlattr(tb, ct); 2049 2050 return err; 2051 } 2052 2053 static const struct nla_policy seqadj_policy[CTA_SEQADJ_MAX+1] = { 2054 [CTA_SEQADJ_CORRECTION_POS] = { .type = NLA_U32 }, 2055 [CTA_SEQADJ_OFFSET_BEFORE] = { .type = NLA_U32 }, 2056 [CTA_SEQADJ_OFFSET_AFTER] = { .type = NLA_U32 }, 2057 }; 2058 2059 static int change_seq_adj(struct nf_ct_seqadj *seq, 2060 const struct nlattr * const attr) 2061 { 2062 int err; 2063 struct nlattr *cda[CTA_SEQADJ_MAX+1]; 2064 2065 err = nla_parse_nested_deprecated(cda, CTA_SEQADJ_MAX, attr, 2066 seqadj_policy, NULL); 2067 if (err < 0) 2068 return err; 2069 2070 if (!cda[CTA_SEQADJ_CORRECTION_POS]) 2071 return -EINVAL; 2072 2073 seq->correction_pos = 2074 ntohl(nla_get_be32(cda[CTA_SEQADJ_CORRECTION_POS])); 2075 2076 if (!cda[CTA_SEQADJ_OFFSET_BEFORE]) 2077 return -EINVAL; 2078 2079 seq->offset_before = 2080 ntohl(nla_get_be32(cda[CTA_SEQADJ_OFFSET_BEFORE])); 2081 2082 if (!cda[CTA_SEQADJ_OFFSET_AFTER]) 2083 return -EINVAL; 2084 2085 seq->offset_after = 2086 ntohl(nla_get_be32(cda[CTA_SEQADJ_OFFSET_AFTER])); 2087 2088 return 0; 2089 } 2090 2091 static int 2092 ctnetlink_change_seq_adj(struct nf_conn *ct, 2093 const struct nlattr * const cda[]) 2094 { 2095 struct nf_conn_seqadj *seqadj = nfct_seqadj(ct); 2096 int ret = 0; 2097 2098 if (!seqadj) 2099 return 0; 2100 2101 spin_lock_bh(&ct->lock); 2102 if (cda[CTA_SEQ_ADJ_ORIG]) { 2103 ret = change_seq_adj(&seqadj->seq[IP_CT_DIR_ORIGINAL], 2104 cda[CTA_SEQ_ADJ_ORIG]); 2105 if (ret < 0) 2106 goto err; 2107 2108 set_bit(IPS_SEQ_ADJUST_BIT, &ct->status); 2109 } 2110 2111 if (cda[CTA_SEQ_ADJ_REPLY]) { 2112 ret = change_seq_adj(&seqadj->seq[IP_CT_DIR_REPLY], 2113 cda[CTA_SEQ_ADJ_REPLY]); 2114 if (ret < 0) 2115 goto err; 2116 2117 set_bit(IPS_SEQ_ADJUST_BIT, &ct->status); 2118 } 2119 2120 spin_unlock_bh(&ct->lock); 2121 return 0; 2122 err: 2123 spin_unlock_bh(&ct->lock); 2124 return ret; 2125 } 2126 2127 static const struct nla_policy synproxy_policy[CTA_SYNPROXY_MAX + 1] = { 2128 [CTA_SYNPROXY_ISN] = { .type = NLA_U32 }, 2129 [CTA_SYNPROXY_ITS] = { .type = NLA_U32 }, 2130 [CTA_SYNPROXY_TSOFF] = { .type = NLA_U32 }, 2131 }; 2132 2133 static int ctnetlink_change_synproxy(struct nf_conn *ct, 2134 const struct nlattr * const cda[]) 2135 { 2136 struct nf_conn_synproxy *synproxy = nfct_synproxy(ct); 2137 struct nlattr *tb[CTA_SYNPROXY_MAX + 1]; 2138 int err; 2139 2140 if (!synproxy) 2141 return 0; 2142 2143 err = nla_parse_nested_deprecated(tb, CTA_SYNPROXY_MAX, 2144 cda[CTA_SYNPROXY], synproxy_policy, 2145 NULL); 2146 if (err < 0) 2147 return err; 2148 2149 if (!tb[CTA_SYNPROXY_ISN] || 2150 !tb[CTA_SYNPROXY_ITS] || 2151 !tb[CTA_SYNPROXY_TSOFF]) 2152 return -EINVAL; 2153 2154 synproxy->isn = ntohl(nla_get_be32(tb[CTA_SYNPROXY_ISN])); 2155 synproxy->its = ntohl(nla_get_be32(tb[CTA_SYNPROXY_ITS])); 2156 synproxy->tsoff = ntohl(nla_get_be32(tb[CTA_SYNPROXY_TSOFF])); 2157 2158 return 0; 2159 } 2160 2161 static int 2162 ctnetlink_attach_labels(struct nf_conn *ct, const struct nlattr * const cda[]) 2163 { 2164 #ifdef CONFIG_NF_CONNTRACK_LABELS 2165 size_t len = nla_len(cda[CTA_LABELS]); 2166 const void *mask = cda[CTA_LABELS_MASK]; 2167 2168 if (len & (sizeof(u32)-1)) /* must be multiple of u32 */ 2169 return -EINVAL; 2170 2171 if (mask) { 2172 if (nla_len(cda[CTA_LABELS_MASK]) == 0 || 2173 nla_len(cda[CTA_LABELS_MASK]) != len) 2174 return -EINVAL; 2175 mask = nla_data(cda[CTA_LABELS_MASK]); 2176 } 2177 2178 len /= sizeof(u32); 2179 2180 return nf_connlabels_replace(ct, nla_data(cda[CTA_LABELS]), mask, len); 2181 #else 2182 return -EOPNOTSUPP; 2183 #endif 2184 } 2185 2186 static int 2187 ctnetlink_change_conntrack(struct nf_conn *ct, 2188 const struct nlattr * const cda[]) 2189 { 2190 int err; 2191 2192 /* only allow NAT changes and master assignation for new conntracks */ 2193 if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST] || cda[CTA_TUPLE_MASTER]) 2194 return -EOPNOTSUPP; 2195 2196 if (cda[CTA_HELP]) { 2197 err = ctnetlink_change_helper(ct, cda); 2198 if (err < 0) 2199 return err; 2200 } 2201 2202 if (cda[CTA_TIMEOUT]) { 2203 err = ctnetlink_change_timeout(ct, cda); 2204 if (err < 0) 2205 return err; 2206 } 2207 2208 if (cda[CTA_STATUS]) { 2209 err = ctnetlink_change_status(ct, cda); 2210 if (err < 0) 2211 return err; 2212 } 2213 2214 if (cda[CTA_PROTOINFO]) { 2215 err = ctnetlink_change_protoinfo(ct, cda); 2216 if (err < 0) 2217 return err; 2218 } 2219 2220 #if defined(CONFIG_NF_CONNTRACK_MARK) 2221 if (cda[CTA_MARK]) 2222 ctnetlink_change_mark(ct, cda); 2223 #endif 2224 2225 if (cda[CTA_SEQ_ADJ_ORIG] || cda[CTA_SEQ_ADJ_REPLY]) { 2226 err = ctnetlink_change_seq_adj(ct, cda); 2227 if (err < 0) 2228 return err; 2229 } 2230 2231 if (cda[CTA_SYNPROXY]) { 2232 err = ctnetlink_change_synproxy(ct, cda); 2233 if (err < 0) 2234 return err; 2235 } 2236 2237 if (cda[CTA_LABELS]) { 2238 err = ctnetlink_attach_labels(ct, cda); 2239 if (err < 0) 2240 return err; 2241 } 2242 2243 return 0; 2244 } 2245 2246 static struct nf_conn * 2247 ctnetlink_create_conntrack(struct net *net, 2248 const struct nf_conntrack_zone *zone, 2249 const struct nlattr * const cda[], 2250 struct nf_conntrack_tuple *otuple, 2251 struct nf_conntrack_tuple *rtuple, 2252 u8 u3) 2253 { 2254 struct nf_conn *ct; 2255 int err = -EINVAL; 2256 struct nf_conntrack_helper *helper; 2257 struct nf_conn_tstamp *tstamp; 2258 u64 timeout; 2259 2260 ct = nf_conntrack_alloc(net, zone, otuple, rtuple, GFP_ATOMIC); 2261 if (IS_ERR(ct)) 2262 return ERR_PTR(-ENOMEM); 2263 2264 if (!cda[CTA_TIMEOUT]) 2265 goto err1; 2266 2267 timeout = (u64)ntohl(nla_get_be32(cda[CTA_TIMEOUT])) * HZ; 2268 if (timeout > INT_MAX) 2269 timeout = INT_MAX; 2270 ct->timeout = (u32)timeout + nfct_time_stamp; 2271 2272 rcu_read_lock(); 2273 if (cda[CTA_HELP]) { 2274 char *helpname = NULL; 2275 struct nlattr *helpinfo = NULL; 2276 2277 err = ctnetlink_parse_help(cda[CTA_HELP], &helpname, &helpinfo); 2278 if (err < 0) 2279 goto err2; 2280 2281 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct), 2282 nf_ct_protonum(ct)); 2283 if (helper == NULL) { 2284 rcu_read_unlock(); 2285 #ifdef CONFIG_MODULES 2286 if (request_module("nfct-helper-%s", helpname) < 0) { 2287 err = -EOPNOTSUPP; 2288 goto err1; 2289 } 2290 2291 rcu_read_lock(); 2292 helper = __nf_conntrack_helper_find(helpname, 2293 nf_ct_l3num(ct), 2294 nf_ct_protonum(ct)); 2295 if (helper) { 2296 err = -EAGAIN; 2297 goto err2; 2298 } 2299 rcu_read_unlock(); 2300 #endif 2301 err = -EOPNOTSUPP; 2302 goto err1; 2303 } else { 2304 struct nf_conn_help *help; 2305 2306 help = nf_ct_helper_ext_add(ct, GFP_ATOMIC); 2307 if (help == NULL) { 2308 err = -ENOMEM; 2309 goto err2; 2310 } 2311 /* set private helper data if allowed. */ 2312 if (helper->from_nlattr) 2313 helper->from_nlattr(helpinfo, ct); 2314 2315 /* not in hash table yet so not strictly necessary */ 2316 RCU_INIT_POINTER(help->helper, helper); 2317 } 2318 } else { 2319 /* try an implicit helper assignation */ 2320 err = __nf_ct_try_assign_helper(ct, NULL, GFP_ATOMIC); 2321 if (err < 0) 2322 goto err2; 2323 } 2324 2325 err = ctnetlink_setup_nat(ct, cda); 2326 if (err < 0) 2327 goto err2; 2328 2329 nf_ct_acct_ext_add(ct, GFP_ATOMIC); 2330 nf_ct_tstamp_ext_add(ct, GFP_ATOMIC); 2331 nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC); 2332 nf_ct_labels_ext_add(ct); 2333 nfct_seqadj_ext_add(ct); 2334 nfct_synproxy_ext_add(ct); 2335 2336 /* we must add conntrack extensions before confirmation. */ 2337 ct->status |= IPS_CONFIRMED; 2338 2339 if (cda[CTA_STATUS]) { 2340 err = ctnetlink_change_status(ct, cda); 2341 if (err < 0) 2342 goto err2; 2343 } 2344 2345 if (cda[CTA_SEQ_ADJ_ORIG] || cda[CTA_SEQ_ADJ_REPLY]) { 2346 err = ctnetlink_change_seq_adj(ct, cda); 2347 if (err < 0) 2348 goto err2; 2349 } 2350 2351 memset(&ct->proto, 0, sizeof(ct->proto)); 2352 if (cda[CTA_PROTOINFO]) { 2353 err = ctnetlink_change_protoinfo(ct, cda); 2354 if (err < 0) 2355 goto err2; 2356 } 2357 2358 if (cda[CTA_SYNPROXY]) { 2359 err = ctnetlink_change_synproxy(ct, cda); 2360 if (err < 0) 2361 goto err2; 2362 } 2363 2364 #if defined(CONFIG_NF_CONNTRACK_MARK) 2365 if (cda[CTA_MARK]) 2366 ctnetlink_change_mark(ct, cda); 2367 #endif 2368 2369 /* setup master conntrack: this is a confirmed expectation */ 2370 if (cda[CTA_TUPLE_MASTER]) { 2371 struct nf_conntrack_tuple master; 2372 struct nf_conntrack_tuple_hash *master_h; 2373 struct nf_conn *master_ct; 2374 2375 err = ctnetlink_parse_tuple(cda, &master, CTA_TUPLE_MASTER, 2376 u3, NULL); 2377 if (err < 0) 2378 goto err2; 2379 2380 master_h = nf_conntrack_find_get(net, zone, &master); 2381 if (master_h == NULL) { 2382 err = -ENOENT; 2383 goto err2; 2384 } 2385 master_ct = nf_ct_tuplehash_to_ctrack(master_h); 2386 __set_bit(IPS_EXPECTED_BIT, &ct->status); 2387 ct->master = master_ct; 2388 } 2389 tstamp = nf_conn_tstamp_find(ct); 2390 if (tstamp) 2391 tstamp->start = ktime_get_real_ns(); 2392 2393 err = nf_conntrack_hash_check_insert(ct); 2394 if (err < 0) 2395 goto err2; 2396 2397 rcu_read_unlock(); 2398 2399 return ct; 2400 2401 err2: 2402 rcu_read_unlock(); 2403 err1: 2404 nf_conntrack_free(ct); 2405 return ERR_PTR(err); 2406 } 2407 2408 static int ctnetlink_new_conntrack(struct sk_buff *skb, 2409 const struct nfnl_info *info, 2410 const struct nlattr * const cda[]) 2411 { 2412 struct nf_conntrack_tuple otuple, rtuple; 2413 struct nf_conntrack_tuple_hash *h = NULL; 2414 u_int8_t u3 = info->nfmsg->nfgen_family; 2415 struct nf_conntrack_zone zone; 2416 struct nf_conn *ct; 2417 int err; 2418 2419 err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone); 2420 if (err < 0) 2421 return err; 2422 2423 if (cda[CTA_TUPLE_ORIG]) { 2424 err = ctnetlink_parse_tuple(cda, &otuple, CTA_TUPLE_ORIG, 2425 u3, &zone); 2426 if (err < 0) 2427 return err; 2428 } 2429 2430 if (cda[CTA_TUPLE_REPLY]) { 2431 err = ctnetlink_parse_tuple(cda, &rtuple, CTA_TUPLE_REPLY, 2432 u3, &zone); 2433 if (err < 0) 2434 return err; 2435 } 2436 2437 if (cda[CTA_TUPLE_ORIG]) 2438 h = nf_conntrack_find_get(info->net, &zone, &otuple); 2439 else if (cda[CTA_TUPLE_REPLY]) 2440 h = nf_conntrack_find_get(info->net, &zone, &rtuple); 2441 2442 if (h == NULL) { 2443 err = -ENOENT; 2444 if (info->nlh->nlmsg_flags & NLM_F_CREATE) { 2445 enum ip_conntrack_events events; 2446 2447 if (!cda[CTA_TUPLE_ORIG] || !cda[CTA_TUPLE_REPLY]) 2448 return -EINVAL; 2449 if (otuple.dst.protonum != rtuple.dst.protonum) 2450 return -EINVAL; 2451 2452 ct = ctnetlink_create_conntrack(info->net, &zone, cda, 2453 &otuple, &rtuple, u3); 2454 if (IS_ERR(ct)) 2455 return PTR_ERR(ct); 2456 2457 err = 0; 2458 if (test_bit(IPS_EXPECTED_BIT, &ct->status)) 2459 events = 1 << IPCT_RELATED; 2460 else 2461 events = 1 << IPCT_NEW; 2462 2463 if (cda[CTA_LABELS] && 2464 ctnetlink_attach_labels(ct, cda) == 0) 2465 events |= (1 << IPCT_LABEL); 2466 2467 nf_conntrack_eventmask_report((1 << IPCT_REPLY) | 2468 (1 << IPCT_ASSURED) | 2469 (1 << IPCT_HELPER) | 2470 (1 << IPCT_PROTOINFO) | 2471 (1 << IPCT_SEQADJ) | 2472 (1 << IPCT_MARK) | 2473 (1 << IPCT_SYNPROXY) | 2474 events, 2475 ct, NETLINK_CB(skb).portid, 2476 nlmsg_report(info->nlh)); 2477 nf_ct_put(ct); 2478 } 2479 2480 return err; 2481 } 2482 /* implicit 'else' */ 2483 2484 err = -EEXIST; 2485 ct = nf_ct_tuplehash_to_ctrack(h); 2486 if (!(info->nlh->nlmsg_flags & NLM_F_EXCL)) { 2487 err = ctnetlink_change_conntrack(ct, cda); 2488 if (err == 0) { 2489 nf_conntrack_eventmask_report((1 << IPCT_REPLY) | 2490 (1 << IPCT_ASSURED) | 2491 (1 << IPCT_HELPER) | 2492 (1 << IPCT_LABEL) | 2493 (1 << IPCT_PROTOINFO) | 2494 (1 << IPCT_SEQADJ) | 2495 (1 << IPCT_MARK) | 2496 (1 << IPCT_SYNPROXY), 2497 ct, NETLINK_CB(skb).portid, 2498 nlmsg_report(info->nlh)); 2499 } 2500 } 2501 2502 nf_ct_put(ct); 2503 return err; 2504 } 2505 2506 static int 2507 ctnetlink_ct_stat_cpu_fill_info(struct sk_buff *skb, u32 portid, u32 seq, 2508 __u16 cpu, const struct ip_conntrack_stat *st) 2509 { 2510 struct nlmsghdr *nlh; 2511 unsigned int flags = portid ? NLM_F_MULTI : 0, event; 2512 2513 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, 2514 IPCTNL_MSG_CT_GET_STATS_CPU); 2515 nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC, 2516 NFNETLINK_V0, htons(cpu)); 2517 if (!nlh) 2518 goto nlmsg_failure; 2519 2520 if (nla_put_be32(skb, CTA_STATS_FOUND, htonl(st->found)) || 2521 nla_put_be32(skb, CTA_STATS_INVALID, htonl(st->invalid)) || 2522 nla_put_be32(skb, CTA_STATS_INSERT, htonl(st->insert)) || 2523 nla_put_be32(skb, CTA_STATS_INSERT_FAILED, 2524 htonl(st->insert_failed)) || 2525 nla_put_be32(skb, CTA_STATS_DROP, htonl(st->drop)) || 2526 nla_put_be32(skb, CTA_STATS_EARLY_DROP, htonl(st->early_drop)) || 2527 nla_put_be32(skb, CTA_STATS_ERROR, htonl(st->error)) || 2528 nla_put_be32(skb, CTA_STATS_SEARCH_RESTART, 2529 htonl(st->search_restart)) || 2530 nla_put_be32(skb, CTA_STATS_CLASH_RESOLVE, 2531 htonl(st->clash_resolve)) || 2532 nla_put_be32(skb, CTA_STATS_CHAIN_TOOLONG, 2533 htonl(st->chaintoolong))) 2534 goto nla_put_failure; 2535 2536 nlmsg_end(skb, nlh); 2537 return skb->len; 2538 2539 nla_put_failure: 2540 nlmsg_failure: 2541 nlmsg_cancel(skb, nlh); 2542 return -1; 2543 } 2544 2545 static int 2546 ctnetlink_ct_stat_cpu_dump(struct sk_buff *skb, struct netlink_callback *cb) 2547 { 2548 int cpu; 2549 struct net *net = sock_net(skb->sk); 2550 2551 if (cb->args[0] == nr_cpu_ids) 2552 return 0; 2553 2554 for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) { 2555 const struct ip_conntrack_stat *st; 2556 2557 if (!cpu_possible(cpu)) 2558 continue; 2559 2560 st = per_cpu_ptr(net->ct.stat, cpu); 2561 if (ctnetlink_ct_stat_cpu_fill_info(skb, 2562 NETLINK_CB(cb->skb).portid, 2563 cb->nlh->nlmsg_seq, 2564 cpu, st) < 0) 2565 break; 2566 } 2567 cb->args[0] = cpu; 2568 2569 return skb->len; 2570 } 2571 2572 static int ctnetlink_stat_ct_cpu(struct sk_buff *skb, 2573 const struct nfnl_info *info, 2574 const struct nlattr * const cda[]) 2575 { 2576 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 2577 struct netlink_dump_control c = { 2578 .dump = ctnetlink_ct_stat_cpu_dump, 2579 }; 2580 return netlink_dump_start(info->sk, skb, info->nlh, &c); 2581 } 2582 2583 return 0; 2584 } 2585 2586 static int 2587 ctnetlink_stat_ct_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type, 2588 struct net *net) 2589 { 2590 unsigned int flags = portid ? NLM_F_MULTI : 0, event; 2591 unsigned int nr_conntracks; 2592 struct nlmsghdr *nlh; 2593 2594 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, IPCTNL_MSG_CT_GET_STATS); 2595 nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC, 2596 NFNETLINK_V0, 0); 2597 if (!nlh) 2598 goto nlmsg_failure; 2599 2600 nr_conntracks = nf_conntrack_count(net); 2601 if (nla_put_be32(skb, CTA_STATS_GLOBAL_ENTRIES, htonl(nr_conntracks))) 2602 goto nla_put_failure; 2603 2604 if (nla_put_be32(skb, CTA_STATS_GLOBAL_MAX_ENTRIES, htonl(nf_conntrack_max))) 2605 goto nla_put_failure; 2606 2607 nlmsg_end(skb, nlh); 2608 return skb->len; 2609 2610 nla_put_failure: 2611 nlmsg_failure: 2612 nlmsg_cancel(skb, nlh); 2613 return -1; 2614 } 2615 2616 static int ctnetlink_stat_ct(struct sk_buff *skb, const struct nfnl_info *info, 2617 const struct nlattr * const cda[]) 2618 { 2619 struct sk_buff *skb2; 2620 int err; 2621 2622 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); 2623 if (skb2 == NULL) 2624 return -ENOMEM; 2625 2626 err = ctnetlink_stat_ct_fill_info(skb2, NETLINK_CB(skb).portid, 2627 info->nlh->nlmsg_seq, 2628 NFNL_MSG_TYPE(info->nlh->nlmsg_type), 2629 sock_net(skb->sk)); 2630 if (err <= 0) { 2631 kfree_skb(skb2); 2632 return -ENOMEM; 2633 } 2634 2635 return nfnetlink_unicast(skb2, info->net, NETLINK_CB(skb).portid); 2636 } 2637 2638 static const struct nla_policy exp_nla_policy[CTA_EXPECT_MAX+1] = { 2639 [CTA_EXPECT_MASTER] = { .type = NLA_NESTED }, 2640 [CTA_EXPECT_TUPLE] = { .type = NLA_NESTED }, 2641 [CTA_EXPECT_MASK] = { .type = NLA_NESTED }, 2642 [CTA_EXPECT_TIMEOUT] = { .type = NLA_U32 }, 2643 [CTA_EXPECT_ID] = { .type = NLA_U32 }, 2644 [CTA_EXPECT_HELP_NAME] = { .type = NLA_NUL_STRING, 2645 .len = NF_CT_HELPER_NAME_LEN - 1 }, 2646 [CTA_EXPECT_ZONE] = { .type = NLA_U16 }, 2647 [CTA_EXPECT_FLAGS] = { .type = NLA_U32 }, 2648 [CTA_EXPECT_CLASS] = { .type = NLA_U32 }, 2649 [CTA_EXPECT_NAT] = { .type = NLA_NESTED }, 2650 [CTA_EXPECT_FN] = { .type = NLA_NUL_STRING }, 2651 }; 2652 2653 static struct nf_conntrack_expect * 2654 ctnetlink_alloc_expect(const struct nlattr *const cda[], struct nf_conn *ct, 2655 struct nf_conntrack_helper *helper, 2656 struct nf_conntrack_tuple *tuple, 2657 struct nf_conntrack_tuple *mask); 2658 2659 #ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT 2660 static size_t 2661 ctnetlink_glue_build_size(const struct nf_conn *ct) 2662 { 2663 return 3 * nla_total_size(0) /* CTA_TUPLE_ORIG|REPL|MASTER */ 2664 + 3 * nla_total_size(0) /* CTA_TUPLE_IP */ 2665 + 3 * nla_total_size(0) /* CTA_TUPLE_PROTO */ 2666 + 3 * nla_total_size(sizeof(u_int8_t)) /* CTA_PROTO_NUM */ 2667 + nla_total_size(sizeof(u_int32_t)) /* CTA_ID */ 2668 + nla_total_size(sizeof(u_int32_t)) /* CTA_STATUS */ 2669 + nla_total_size(sizeof(u_int32_t)) /* CTA_TIMEOUT */ 2670 + nla_total_size(0) /* CTA_PROTOINFO */ 2671 + nla_total_size(0) /* CTA_HELP */ 2672 + nla_total_size(NF_CT_HELPER_NAME_LEN) /* CTA_HELP_NAME */ 2673 + ctnetlink_secctx_size(ct) 2674 + ctnetlink_acct_size(ct) 2675 + ctnetlink_timestamp_size(ct) 2676 #if IS_ENABLED(CONFIG_NF_NAT) 2677 + 2 * nla_total_size(0) /* CTA_NAT_SEQ_ADJ_ORIG|REPL */ 2678 + 6 * nla_total_size(sizeof(u_int32_t)) /* CTA_NAT_SEQ_OFFSET */ 2679 #endif 2680 #ifdef CONFIG_NF_CONNTRACK_MARK 2681 + nla_total_size(sizeof(u_int32_t)) /* CTA_MARK */ 2682 #endif 2683 #ifdef CONFIG_NF_CONNTRACK_ZONES 2684 + nla_total_size(sizeof(u_int16_t)) /* CTA_ZONE|CTA_TUPLE_ZONE */ 2685 #endif 2686 + ctnetlink_proto_size(ct) 2687 ; 2688 } 2689 2690 static int __ctnetlink_glue_build(struct sk_buff *skb, struct nf_conn *ct) 2691 { 2692 const struct nf_conntrack_zone *zone; 2693 struct nlattr *nest_parms; 2694 2695 zone = nf_ct_zone(ct); 2696 2697 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG); 2698 if (!nest_parms) 2699 goto nla_put_failure; 2700 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0) 2701 goto nla_put_failure; 2702 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone, 2703 NF_CT_ZONE_DIR_ORIG) < 0) 2704 goto nla_put_failure; 2705 nla_nest_end(skb, nest_parms); 2706 2707 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY); 2708 if (!nest_parms) 2709 goto nla_put_failure; 2710 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0) 2711 goto nla_put_failure; 2712 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone, 2713 NF_CT_ZONE_DIR_REPL) < 0) 2714 goto nla_put_failure; 2715 nla_nest_end(skb, nest_parms); 2716 2717 if (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone, 2718 NF_CT_DEFAULT_ZONE_DIR) < 0) 2719 goto nla_put_failure; 2720 2721 if (ctnetlink_dump_id(skb, ct) < 0) 2722 goto nla_put_failure; 2723 2724 if (ctnetlink_dump_status(skb, ct) < 0) 2725 goto nla_put_failure; 2726 2727 if (ctnetlink_dump_timeout(skb, ct, false) < 0) 2728 goto nla_put_failure; 2729 2730 if (ctnetlink_dump_protoinfo(skb, ct, false) < 0) 2731 goto nla_put_failure; 2732 2733 if (ctnetlink_dump_acct(skb, ct, IPCTNL_MSG_CT_GET) < 0 || 2734 ctnetlink_dump_timestamp(skb, ct) < 0) 2735 goto nla_put_failure; 2736 2737 if (ctnetlink_dump_helpinfo(skb, ct) < 0) 2738 goto nla_put_failure; 2739 2740 #ifdef CONFIG_NF_CONNTRACK_SECMARK 2741 if (ct->secmark && ctnetlink_dump_secctx(skb, ct) < 0) 2742 goto nla_put_failure; 2743 #endif 2744 if (ct->master && ctnetlink_dump_master(skb, ct) < 0) 2745 goto nla_put_failure; 2746 2747 if ((ct->status & IPS_SEQ_ADJUST) && 2748 ctnetlink_dump_ct_seq_adj(skb, ct) < 0) 2749 goto nla_put_failure; 2750 2751 if (ctnetlink_dump_ct_synproxy(skb, ct) < 0) 2752 goto nla_put_failure; 2753 2754 #ifdef CONFIG_NF_CONNTRACK_MARK 2755 if (ct->mark && ctnetlink_dump_mark(skb, ct) < 0) 2756 goto nla_put_failure; 2757 #endif 2758 if (ctnetlink_dump_labels(skb, ct) < 0) 2759 goto nla_put_failure; 2760 return 0; 2761 2762 nla_put_failure: 2763 return -ENOSPC; 2764 } 2765 2766 static int 2767 ctnetlink_glue_build(struct sk_buff *skb, struct nf_conn *ct, 2768 enum ip_conntrack_info ctinfo, 2769 u_int16_t ct_attr, u_int16_t ct_info_attr) 2770 { 2771 struct nlattr *nest_parms; 2772 2773 nest_parms = nla_nest_start(skb, ct_attr); 2774 if (!nest_parms) 2775 goto nla_put_failure; 2776 2777 if (__ctnetlink_glue_build(skb, ct) < 0) 2778 goto nla_put_failure; 2779 2780 nla_nest_end(skb, nest_parms); 2781 2782 if (nla_put_be32(skb, ct_info_attr, htonl(ctinfo))) 2783 goto nla_put_failure; 2784 2785 return 0; 2786 2787 nla_put_failure: 2788 return -ENOSPC; 2789 } 2790 2791 static int 2792 ctnetlink_update_status(struct nf_conn *ct, const struct nlattr * const cda[]) 2793 { 2794 unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS])); 2795 unsigned long d = ct->status ^ status; 2796 2797 if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY)) 2798 /* SEEN_REPLY bit can only be set */ 2799 return -EBUSY; 2800 2801 if (d & IPS_ASSURED && !(status & IPS_ASSURED)) 2802 /* ASSURED bit can only be set */ 2803 return -EBUSY; 2804 2805 /* This check is less strict than ctnetlink_change_status() 2806 * because callers often flip IPS_EXPECTED bits when sending 2807 * an NFQA_CT attribute to the kernel. So ignore the 2808 * unchangeable bits but do not error out. Also user programs 2809 * are allowed to clear the bits that they are allowed to change. 2810 */ 2811 __ctnetlink_change_status(ct, status, ~status); 2812 return 0; 2813 } 2814 2815 static int 2816 ctnetlink_glue_parse_ct(const struct nlattr *cda[], struct nf_conn *ct) 2817 { 2818 int err; 2819 2820 if (cda[CTA_TIMEOUT]) { 2821 err = ctnetlink_change_timeout(ct, cda); 2822 if (err < 0) 2823 return err; 2824 } 2825 if (cda[CTA_STATUS]) { 2826 err = ctnetlink_update_status(ct, cda); 2827 if (err < 0) 2828 return err; 2829 } 2830 if (cda[CTA_HELP]) { 2831 err = ctnetlink_change_helper(ct, cda); 2832 if (err < 0) 2833 return err; 2834 } 2835 if (cda[CTA_LABELS]) { 2836 err = ctnetlink_attach_labels(ct, cda); 2837 if (err < 0) 2838 return err; 2839 } 2840 #if defined(CONFIG_NF_CONNTRACK_MARK) 2841 if (cda[CTA_MARK]) { 2842 ctnetlink_change_mark(ct, cda); 2843 } 2844 #endif 2845 return 0; 2846 } 2847 2848 static int 2849 ctnetlink_glue_parse(const struct nlattr *attr, struct nf_conn *ct) 2850 { 2851 struct nlattr *cda[CTA_MAX+1]; 2852 int ret; 2853 2854 ret = nla_parse_nested_deprecated(cda, CTA_MAX, attr, ct_nla_policy, 2855 NULL); 2856 if (ret < 0) 2857 return ret; 2858 2859 return ctnetlink_glue_parse_ct((const struct nlattr **)cda, ct); 2860 } 2861 2862 static int ctnetlink_glue_exp_parse(const struct nlattr * const *cda, 2863 const struct nf_conn *ct, 2864 struct nf_conntrack_tuple *tuple, 2865 struct nf_conntrack_tuple *mask) 2866 { 2867 int err; 2868 2869 err = ctnetlink_parse_tuple(cda, tuple, CTA_EXPECT_TUPLE, 2870 nf_ct_l3num(ct), NULL); 2871 if (err < 0) 2872 return err; 2873 2874 return ctnetlink_parse_tuple(cda, mask, CTA_EXPECT_MASK, 2875 nf_ct_l3num(ct), NULL); 2876 } 2877 2878 static int 2879 ctnetlink_glue_attach_expect(const struct nlattr *attr, struct nf_conn *ct, 2880 u32 portid, u32 report) 2881 { 2882 struct nlattr *cda[CTA_EXPECT_MAX+1]; 2883 struct nf_conntrack_tuple tuple, mask; 2884 struct nf_conntrack_helper *helper = NULL; 2885 struct nf_conntrack_expect *exp; 2886 int err; 2887 2888 err = nla_parse_nested_deprecated(cda, CTA_EXPECT_MAX, attr, 2889 exp_nla_policy, NULL); 2890 if (err < 0) 2891 return err; 2892 2893 err = ctnetlink_glue_exp_parse((const struct nlattr * const *)cda, 2894 ct, &tuple, &mask); 2895 if (err < 0) 2896 return err; 2897 2898 if (cda[CTA_EXPECT_HELP_NAME]) { 2899 const char *helpname = nla_data(cda[CTA_EXPECT_HELP_NAME]); 2900 2901 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct), 2902 nf_ct_protonum(ct)); 2903 if (helper == NULL) 2904 return -EOPNOTSUPP; 2905 } 2906 2907 exp = ctnetlink_alloc_expect((const struct nlattr * const *)cda, ct, 2908 helper, &tuple, &mask); 2909 if (IS_ERR(exp)) 2910 return PTR_ERR(exp); 2911 2912 err = nf_ct_expect_related_report(exp, portid, report, 0); 2913 nf_ct_expect_put(exp); 2914 return err; 2915 } 2916 2917 static void ctnetlink_glue_seqadj(struct sk_buff *skb, struct nf_conn *ct, 2918 enum ip_conntrack_info ctinfo, int diff) 2919 { 2920 if (!(ct->status & IPS_NAT_MASK)) 2921 return; 2922 2923 nf_ct_tcp_seqadj_set(skb, ct, ctinfo, diff); 2924 } 2925 2926 static struct nfnl_ct_hook ctnetlink_glue_hook = { 2927 .build_size = ctnetlink_glue_build_size, 2928 .build = ctnetlink_glue_build, 2929 .parse = ctnetlink_glue_parse, 2930 .attach_expect = ctnetlink_glue_attach_expect, 2931 .seq_adjust = ctnetlink_glue_seqadj, 2932 }; 2933 #endif /* CONFIG_NETFILTER_NETLINK_GLUE_CT */ 2934 2935 /*********************************************************************** 2936 * EXPECT 2937 ***********************************************************************/ 2938 2939 static int ctnetlink_exp_dump_tuple(struct sk_buff *skb, 2940 const struct nf_conntrack_tuple *tuple, 2941 u32 type) 2942 { 2943 struct nlattr *nest_parms; 2944 2945 nest_parms = nla_nest_start(skb, type); 2946 if (!nest_parms) 2947 goto nla_put_failure; 2948 if (ctnetlink_dump_tuples(skb, tuple) < 0) 2949 goto nla_put_failure; 2950 nla_nest_end(skb, nest_parms); 2951 2952 return 0; 2953 2954 nla_put_failure: 2955 return -1; 2956 } 2957 2958 static int ctnetlink_exp_dump_mask(struct sk_buff *skb, 2959 const struct nf_conntrack_tuple *tuple, 2960 const struct nf_conntrack_tuple_mask *mask) 2961 { 2962 const struct nf_conntrack_l4proto *l4proto; 2963 struct nf_conntrack_tuple m; 2964 struct nlattr *nest_parms; 2965 int ret; 2966 2967 memset(&m, 0xFF, sizeof(m)); 2968 memcpy(&m.src.u3, &mask->src.u3, sizeof(m.src.u3)); 2969 m.src.u.all = mask->src.u.all; 2970 m.src.l3num = tuple->src.l3num; 2971 m.dst.protonum = tuple->dst.protonum; 2972 2973 nest_parms = nla_nest_start(skb, CTA_EXPECT_MASK); 2974 if (!nest_parms) 2975 goto nla_put_failure; 2976 2977 rcu_read_lock(); 2978 ret = ctnetlink_dump_tuples_ip(skb, &m); 2979 if (ret >= 0) { 2980 l4proto = nf_ct_l4proto_find(tuple->dst.protonum); 2981 ret = ctnetlink_dump_tuples_proto(skb, &m, l4proto); 2982 } 2983 rcu_read_unlock(); 2984 2985 if (unlikely(ret < 0)) 2986 goto nla_put_failure; 2987 2988 nla_nest_end(skb, nest_parms); 2989 2990 return 0; 2991 2992 nla_put_failure: 2993 return -1; 2994 } 2995 2996 static const union nf_inet_addr any_addr; 2997 2998 static __be32 nf_expect_get_id(const struct nf_conntrack_expect *exp) 2999 { 3000 static __read_mostly siphash_key_t exp_id_seed; 3001 unsigned long a, b, c, d; 3002 3003 net_get_random_once(&exp_id_seed, sizeof(exp_id_seed)); 3004 3005 a = (unsigned long)exp; 3006 b = (unsigned long)exp->helper; 3007 c = (unsigned long)exp->master; 3008 d = (unsigned long)siphash(&exp->tuple, sizeof(exp->tuple), &exp_id_seed); 3009 3010 #ifdef CONFIG_64BIT 3011 return (__force __be32)siphash_4u64((u64)a, (u64)b, (u64)c, (u64)d, &exp_id_seed); 3012 #else 3013 return (__force __be32)siphash_4u32((u32)a, (u32)b, (u32)c, (u32)d, &exp_id_seed); 3014 #endif 3015 } 3016 3017 static int 3018 ctnetlink_exp_dump_expect(struct sk_buff *skb, 3019 const struct nf_conntrack_expect *exp) 3020 { 3021 struct nf_conn *master = exp->master; 3022 long timeout = ((long)exp->timeout.expires - (long)jiffies) / HZ; 3023 struct nf_conn_help *help; 3024 #if IS_ENABLED(CONFIG_NF_NAT) 3025 struct nlattr *nest_parms; 3026 struct nf_conntrack_tuple nat_tuple = {}; 3027 #endif 3028 struct nf_ct_helper_expectfn *expfn; 3029 3030 if (timeout < 0) 3031 timeout = 0; 3032 3033 if (ctnetlink_exp_dump_tuple(skb, &exp->tuple, CTA_EXPECT_TUPLE) < 0) 3034 goto nla_put_failure; 3035 if (ctnetlink_exp_dump_mask(skb, &exp->tuple, &exp->mask) < 0) 3036 goto nla_put_failure; 3037 if (ctnetlink_exp_dump_tuple(skb, 3038 &master->tuplehash[IP_CT_DIR_ORIGINAL].tuple, 3039 CTA_EXPECT_MASTER) < 0) 3040 goto nla_put_failure; 3041 3042 #if IS_ENABLED(CONFIG_NF_NAT) 3043 if (!nf_inet_addr_cmp(&exp->saved_addr, &any_addr) || 3044 exp->saved_proto.all) { 3045 nest_parms = nla_nest_start(skb, CTA_EXPECT_NAT); 3046 if (!nest_parms) 3047 goto nla_put_failure; 3048 3049 if (nla_put_be32(skb, CTA_EXPECT_NAT_DIR, htonl(exp->dir))) 3050 goto nla_put_failure; 3051 3052 nat_tuple.src.l3num = nf_ct_l3num(master); 3053 nat_tuple.src.u3 = exp->saved_addr; 3054 nat_tuple.dst.protonum = nf_ct_protonum(master); 3055 nat_tuple.src.u = exp->saved_proto; 3056 3057 if (ctnetlink_exp_dump_tuple(skb, &nat_tuple, 3058 CTA_EXPECT_NAT_TUPLE) < 0) 3059 goto nla_put_failure; 3060 nla_nest_end(skb, nest_parms); 3061 } 3062 #endif 3063 if (nla_put_be32(skb, CTA_EXPECT_TIMEOUT, htonl(timeout)) || 3064 nla_put_be32(skb, CTA_EXPECT_ID, nf_expect_get_id(exp)) || 3065 nla_put_be32(skb, CTA_EXPECT_FLAGS, htonl(exp->flags)) || 3066 nla_put_be32(skb, CTA_EXPECT_CLASS, htonl(exp->class))) 3067 goto nla_put_failure; 3068 help = nfct_help(master); 3069 if (help) { 3070 struct nf_conntrack_helper *helper; 3071 3072 helper = rcu_dereference(help->helper); 3073 if (helper && 3074 nla_put_string(skb, CTA_EXPECT_HELP_NAME, helper->name)) 3075 goto nla_put_failure; 3076 } 3077 expfn = nf_ct_helper_expectfn_find_by_symbol(exp->expectfn); 3078 if (expfn != NULL && 3079 nla_put_string(skb, CTA_EXPECT_FN, expfn->name)) 3080 goto nla_put_failure; 3081 3082 return 0; 3083 3084 nla_put_failure: 3085 return -1; 3086 } 3087 3088 static int 3089 ctnetlink_exp_fill_info(struct sk_buff *skb, u32 portid, u32 seq, 3090 int event, const struct nf_conntrack_expect *exp) 3091 { 3092 struct nlmsghdr *nlh; 3093 unsigned int flags = portid ? NLM_F_MULTI : 0; 3094 3095 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_EXP, event); 3096 nlh = nfnl_msg_put(skb, portid, seq, event, flags, 3097 exp->tuple.src.l3num, NFNETLINK_V0, 0); 3098 if (!nlh) 3099 goto nlmsg_failure; 3100 3101 if (ctnetlink_exp_dump_expect(skb, exp) < 0) 3102 goto nla_put_failure; 3103 3104 nlmsg_end(skb, nlh); 3105 return skb->len; 3106 3107 nlmsg_failure: 3108 nla_put_failure: 3109 nlmsg_cancel(skb, nlh); 3110 return -1; 3111 } 3112 3113 #ifdef CONFIG_NF_CONNTRACK_EVENTS 3114 static int 3115 ctnetlink_expect_event(unsigned int events, const struct nf_exp_event *item) 3116 { 3117 struct nf_conntrack_expect *exp = item->exp; 3118 struct net *net = nf_ct_exp_net(exp); 3119 struct nlmsghdr *nlh; 3120 struct sk_buff *skb; 3121 unsigned int type, group; 3122 int flags = 0; 3123 3124 if (events & (1 << IPEXP_DESTROY)) { 3125 type = IPCTNL_MSG_EXP_DELETE; 3126 group = NFNLGRP_CONNTRACK_EXP_DESTROY; 3127 } else if (events & (1 << IPEXP_NEW)) { 3128 type = IPCTNL_MSG_EXP_NEW; 3129 flags = NLM_F_CREATE|NLM_F_EXCL; 3130 group = NFNLGRP_CONNTRACK_EXP_NEW; 3131 } else 3132 return 0; 3133 3134 if (!item->report && !nfnetlink_has_listeners(net, group)) 3135 return 0; 3136 3137 skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC); 3138 if (skb == NULL) 3139 goto errout; 3140 3141 type = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_EXP, type); 3142 nlh = nfnl_msg_put(skb, item->portid, 0, type, flags, 3143 exp->tuple.src.l3num, NFNETLINK_V0, 0); 3144 if (!nlh) 3145 goto nlmsg_failure; 3146 3147 if (ctnetlink_exp_dump_expect(skb, exp) < 0) 3148 goto nla_put_failure; 3149 3150 nlmsg_end(skb, nlh); 3151 nfnetlink_send(skb, net, item->portid, group, item->report, GFP_ATOMIC); 3152 return 0; 3153 3154 nla_put_failure: 3155 nlmsg_cancel(skb, nlh); 3156 nlmsg_failure: 3157 kfree_skb(skb); 3158 errout: 3159 nfnetlink_set_err(net, 0, 0, -ENOBUFS); 3160 return 0; 3161 } 3162 #endif 3163 static int ctnetlink_exp_done(struct netlink_callback *cb) 3164 { 3165 if (cb->args[1]) 3166 nf_ct_expect_put((struct nf_conntrack_expect *)cb->args[1]); 3167 return 0; 3168 } 3169 3170 static int 3171 ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) 3172 { 3173 struct net *net = sock_net(skb->sk); 3174 struct nf_conntrack_expect *exp, *last; 3175 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 3176 u_int8_t l3proto = nfmsg->nfgen_family; 3177 3178 rcu_read_lock(); 3179 last = (struct nf_conntrack_expect *)cb->args[1]; 3180 for (; cb->args[0] < nf_ct_expect_hsize; cb->args[0]++) { 3181 restart: 3182 hlist_for_each_entry_rcu(exp, &nf_ct_expect_hash[cb->args[0]], 3183 hnode) { 3184 if (l3proto && exp->tuple.src.l3num != l3proto) 3185 continue; 3186 3187 if (!net_eq(nf_ct_net(exp->master), net)) 3188 continue; 3189 3190 if (cb->args[1]) { 3191 if (exp != last) 3192 continue; 3193 cb->args[1] = 0; 3194 } 3195 if (ctnetlink_exp_fill_info(skb, 3196 NETLINK_CB(cb->skb).portid, 3197 cb->nlh->nlmsg_seq, 3198 IPCTNL_MSG_EXP_NEW, 3199 exp) < 0) { 3200 if (!refcount_inc_not_zero(&exp->use)) 3201 continue; 3202 cb->args[1] = (unsigned long)exp; 3203 goto out; 3204 } 3205 } 3206 if (cb->args[1]) { 3207 cb->args[1] = 0; 3208 goto restart; 3209 } 3210 } 3211 out: 3212 rcu_read_unlock(); 3213 if (last) 3214 nf_ct_expect_put(last); 3215 3216 return skb->len; 3217 } 3218 3219 static int 3220 ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb) 3221 { 3222 struct nf_conntrack_expect *exp, *last; 3223 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 3224 struct nf_conn *ct = cb->data; 3225 struct nf_conn_help *help = nfct_help(ct); 3226 u_int8_t l3proto = nfmsg->nfgen_family; 3227 3228 if (cb->args[0]) 3229 return 0; 3230 3231 rcu_read_lock(); 3232 last = (struct nf_conntrack_expect *)cb->args[1]; 3233 restart: 3234 hlist_for_each_entry_rcu(exp, &help->expectations, lnode) { 3235 if (l3proto && exp->tuple.src.l3num != l3proto) 3236 continue; 3237 if (cb->args[1]) { 3238 if (exp != last) 3239 continue; 3240 cb->args[1] = 0; 3241 } 3242 if (ctnetlink_exp_fill_info(skb, NETLINK_CB(cb->skb).portid, 3243 cb->nlh->nlmsg_seq, 3244 IPCTNL_MSG_EXP_NEW, 3245 exp) < 0) { 3246 if (!refcount_inc_not_zero(&exp->use)) 3247 continue; 3248 cb->args[1] = (unsigned long)exp; 3249 goto out; 3250 } 3251 } 3252 if (cb->args[1]) { 3253 cb->args[1] = 0; 3254 goto restart; 3255 } 3256 cb->args[0] = 1; 3257 out: 3258 rcu_read_unlock(); 3259 if (last) 3260 nf_ct_expect_put(last); 3261 3262 return skb->len; 3263 } 3264 3265 static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl, 3266 struct sk_buff *skb, 3267 const struct nlmsghdr *nlh, 3268 const struct nlattr * const cda[], 3269 struct netlink_ext_ack *extack) 3270 { 3271 int err; 3272 struct nfgenmsg *nfmsg = nlmsg_data(nlh); 3273 u_int8_t u3 = nfmsg->nfgen_family; 3274 struct nf_conntrack_tuple tuple; 3275 struct nf_conntrack_tuple_hash *h; 3276 struct nf_conn *ct; 3277 struct nf_conntrack_zone zone; 3278 struct netlink_dump_control c = { 3279 .dump = ctnetlink_exp_ct_dump_table, 3280 .done = ctnetlink_exp_done, 3281 }; 3282 3283 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER, 3284 u3, NULL); 3285 if (err < 0) 3286 return err; 3287 3288 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone); 3289 if (err < 0) 3290 return err; 3291 3292 h = nf_conntrack_find_get(net, &zone, &tuple); 3293 if (!h) 3294 return -ENOENT; 3295 3296 ct = nf_ct_tuplehash_to_ctrack(h); 3297 /* No expectation linked to this connection tracking. */ 3298 if (!nfct_help(ct)) { 3299 nf_ct_put(ct); 3300 return 0; 3301 } 3302 3303 c.data = ct; 3304 3305 err = netlink_dump_start(ctnl, skb, nlh, &c); 3306 nf_ct_put(ct); 3307 3308 return err; 3309 } 3310 3311 static int ctnetlink_get_expect(struct sk_buff *skb, 3312 const struct nfnl_info *info, 3313 const struct nlattr * const cda[]) 3314 { 3315 u_int8_t u3 = info->nfmsg->nfgen_family; 3316 struct nf_conntrack_tuple tuple; 3317 struct nf_conntrack_expect *exp; 3318 struct nf_conntrack_zone zone; 3319 struct sk_buff *skb2; 3320 int err; 3321 3322 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 3323 if (cda[CTA_EXPECT_MASTER]) 3324 return ctnetlink_dump_exp_ct(info->net, info->sk, skb, 3325 info->nlh, cda, 3326 info->extack); 3327 else { 3328 struct netlink_dump_control c = { 3329 .dump = ctnetlink_exp_dump_table, 3330 .done = ctnetlink_exp_done, 3331 }; 3332 return netlink_dump_start(info->sk, skb, info->nlh, &c); 3333 } 3334 } 3335 3336 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone); 3337 if (err < 0) 3338 return err; 3339 3340 if (cda[CTA_EXPECT_TUPLE]) 3341 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, 3342 u3, NULL); 3343 else if (cda[CTA_EXPECT_MASTER]) 3344 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER, 3345 u3, NULL); 3346 else 3347 return -EINVAL; 3348 3349 if (err < 0) 3350 return err; 3351 3352 exp = nf_ct_expect_find_get(info->net, &zone, &tuple); 3353 if (!exp) 3354 return -ENOENT; 3355 3356 if (cda[CTA_EXPECT_ID]) { 3357 __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]); 3358 3359 if (id != nf_expect_get_id(exp)) { 3360 nf_ct_expect_put(exp); 3361 return -ENOENT; 3362 } 3363 } 3364 3365 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); 3366 if (!skb2) { 3367 nf_ct_expect_put(exp); 3368 return -ENOMEM; 3369 } 3370 3371 rcu_read_lock(); 3372 err = ctnetlink_exp_fill_info(skb2, NETLINK_CB(skb).portid, 3373 info->nlh->nlmsg_seq, IPCTNL_MSG_EXP_NEW, 3374 exp); 3375 rcu_read_unlock(); 3376 nf_ct_expect_put(exp); 3377 if (err <= 0) { 3378 kfree_skb(skb2); 3379 return -ENOMEM; 3380 } 3381 3382 return nfnetlink_unicast(skb2, info->net, NETLINK_CB(skb).portid); 3383 } 3384 3385 static bool expect_iter_name(struct nf_conntrack_expect *exp, void *data) 3386 { 3387 const struct nf_conn_help *m_help; 3388 const char *name = data; 3389 3390 m_help = nfct_help(exp->master); 3391 3392 return strcmp(m_help->helper->name, name) == 0; 3393 } 3394 3395 static bool expect_iter_all(struct nf_conntrack_expect *exp, void *data) 3396 { 3397 return true; 3398 } 3399 3400 static int ctnetlink_del_expect(struct sk_buff *skb, 3401 const struct nfnl_info *info, 3402 const struct nlattr * const cda[]) 3403 { 3404 u_int8_t u3 = info->nfmsg->nfgen_family; 3405 struct nf_conntrack_expect *exp; 3406 struct nf_conntrack_tuple tuple; 3407 struct nf_conntrack_zone zone; 3408 int err; 3409 3410 if (cda[CTA_EXPECT_TUPLE]) { 3411 /* delete a single expect by tuple */ 3412 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone); 3413 if (err < 0) 3414 return err; 3415 3416 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, 3417 u3, NULL); 3418 if (err < 0) 3419 return err; 3420 3421 /* bump usage count to 2 */ 3422 exp = nf_ct_expect_find_get(info->net, &zone, &tuple); 3423 if (!exp) 3424 return -ENOENT; 3425 3426 if (cda[CTA_EXPECT_ID]) { 3427 __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]); 3428 if (ntohl(id) != (u32)(unsigned long)exp) { 3429 nf_ct_expect_put(exp); 3430 return -ENOENT; 3431 } 3432 } 3433 3434 /* after list removal, usage count == 1 */ 3435 spin_lock_bh(&nf_conntrack_expect_lock); 3436 if (del_timer(&exp->timeout)) { 3437 nf_ct_unlink_expect_report(exp, NETLINK_CB(skb).portid, 3438 nlmsg_report(info->nlh)); 3439 nf_ct_expect_put(exp); 3440 } 3441 spin_unlock_bh(&nf_conntrack_expect_lock); 3442 /* have to put what we 'get' above. 3443 * after this line usage count == 0 */ 3444 nf_ct_expect_put(exp); 3445 } else if (cda[CTA_EXPECT_HELP_NAME]) { 3446 char *name = nla_data(cda[CTA_EXPECT_HELP_NAME]); 3447 3448 nf_ct_expect_iterate_net(info->net, expect_iter_name, name, 3449 NETLINK_CB(skb).portid, 3450 nlmsg_report(info->nlh)); 3451 } else { 3452 /* This basically means we have to flush everything*/ 3453 nf_ct_expect_iterate_net(info->net, expect_iter_all, NULL, 3454 NETLINK_CB(skb).portid, 3455 nlmsg_report(info->nlh)); 3456 } 3457 3458 return 0; 3459 } 3460 static int 3461 ctnetlink_change_expect(struct nf_conntrack_expect *x, 3462 const struct nlattr * const cda[]) 3463 { 3464 if (cda[CTA_EXPECT_TIMEOUT]) { 3465 if (!del_timer(&x->timeout)) 3466 return -ETIME; 3467 3468 x->timeout.expires = jiffies + 3469 ntohl(nla_get_be32(cda[CTA_EXPECT_TIMEOUT])) * HZ; 3470 add_timer(&x->timeout); 3471 } 3472 return 0; 3473 } 3474 3475 static const struct nla_policy exp_nat_nla_policy[CTA_EXPECT_NAT_MAX+1] = { 3476 [CTA_EXPECT_NAT_DIR] = { .type = NLA_U32 }, 3477 [CTA_EXPECT_NAT_TUPLE] = { .type = NLA_NESTED }, 3478 }; 3479 3480 static int 3481 ctnetlink_parse_expect_nat(const struct nlattr *attr, 3482 struct nf_conntrack_expect *exp, 3483 u_int8_t u3) 3484 { 3485 #if IS_ENABLED(CONFIG_NF_NAT) 3486 struct nlattr *tb[CTA_EXPECT_NAT_MAX+1]; 3487 struct nf_conntrack_tuple nat_tuple = {}; 3488 int err; 3489 3490 err = nla_parse_nested_deprecated(tb, CTA_EXPECT_NAT_MAX, attr, 3491 exp_nat_nla_policy, NULL); 3492 if (err < 0) 3493 return err; 3494 3495 if (!tb[CTA_EXPECT_NAT_DIR] || !tb[CTA_EXPECT_NAT_TUPLE]) 3496 return -EINVAL; 3497 3498 err = ctnetlink_parse_tuple((const struct nlattr * const *)tb, 3499 &nat_tuple, CTA_EXPECT_NAT_TUPLE, 3500 u3, NULL); 3501 if (err < 0) 3502 return err; 3503 3504 exp->saved_addr = nat_tuple.src.u3; 3505 exp->saved_proto = nat_tuple.src.u; 3506 exp->dir = ntohl(nla_get_be32(tb[CTA_EXPECT_NAT_DIR])); 3507 3508 return 0; 3509 #else 3510 return -EOPNOTSUPP; 3511 #endif 3512 } 3513 3514 static struct nf_conntrack_expect * 3515 ctnetlink_alloc_expect(const struct nlattr * const cda[], struct nf_conn *ct, 3516 struct nf_conntrack_helper *helper, 3517 struct nf_conntrack_tuple *tuple, 3518 struct nf_conntrack_tuple *mask) 3519 { 3520 u_int32_t class = 0; 3521 struct nf_conntrack_expect *exp; 3522 struct nf_conn_help *help; 3523 int err; 3524 3525 help = nfct_help(ct); 3526 if (!help) 3527 return ERR_PTR(-EOPNOTSUPP); 3528 3529 if (cda[CTA_EXPECT_CLASS] && helper) { 3530 class = ntohl(nla_get_be32(cda[CTA_EXPECT_CLASS])); 3531 if (class > helper->expect_class_max) 3532 return ERR_PTR(-EINVAL); 3533 } 3534 exp = nf_ct_expect_alloc(ct); 3535 if (!exp) 3536 return ERR_PTR(-ENOMEM); 3537 3538 if (cda[CTA_EXPECT_FLAGS]) { 3539 exp->flags = ntohl(nla_get_be32(cda[CTA_EXPECT_FLAGS])); 3540 exp->flags &= ~NF_CT_EXPECT_USERSPACE; 3541 } else { 3542 exp->flags = 0; 3543 } 3544 if (cda[CTA_EXPECT_FN]) { 3545 const char *name = nla_data(cda[CTA_EXPECT_FN]); 3546 struct nf_ct_helper_expectfn *expfn; 3547 3548 expfn = nf_ct_helper_expectfn_find_by_name(name); 3549 if (expfn == NULL) { 3550 err = -EINVAL; 3551 goto err_out; 3552 } 3553 exp->expectfn = expfn->expectfn; 3554 } else 3555 exp->expectfn = NULL; 3556 3557 exp->class = class; 3558 exp->master = ct; 3559 exp->helper = helper; 3560 exp->tuple = *tuple; 3561 exp->mask.src.u3 = mask->src.u3; 3562 exp->mask.src.u.all = mask->src.u.all; 3563 3564 if (cda[CTA_EXPECT_NAT]) { 3565 err = ctnetlink_parse_expect_nat(cda[CTA_EXPECT_NAT], 3566 exp, nf_ct_l3num(ct)); 3567 if (err < 0) 3568 goto err_out; 3569 } 3570 return exp; 3571 err_out: 3572 nf_ct_expect_put(exp); 3573 return ERR_PTR(err); 3574 } 3575 3576 static int 3577 ctnetlink_create_expect(struct net *net, 3578 const struct nf_conntrack_zone *zone, 3579 const struct nlattr * const cda[], 3580 u_int8_t u3, u32 portid, int report) 3581 { 3582 struct nf_conntrack_tuple tuple, mask, master_tuple; 3583 struct nf_conntrack_tuple_hash *h = NULL; 3584 struct nf_conntrack_helper *helper = NULL; 3585 struct nf_conntrack_expect *exp; 3586 struct nf_conn *ct; 3587 int err; 3588 3589 /* caller guarantees that those three CTA_EXPECT_* exist */ 3590 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, 3591 u3, NULL); 3592 if (err < 0) 3593 return err; 3594 err = ctnetlink_parse_tuple(cda, &mask, CTA_EXPECT_MASK, 3595 u3, NULL); 3596 if (err < 0) 3597 return err; 3598 err = ctnetlink_parse_tuple(cda, &master_tuple, CTA_EXPECT_MASTER, 3599 u3, NULL); 3600 if (err < 0) 3601 return err; 3602 3603 /* Look for master conntrack of this expectation */ 3604 h = nf_conntrack_find_get(net, zone, &master_tuple); 3605 if (!h) 3606 return -ENOENT; 3607 ct = nf_ct_tuplehash_to_ctrack(h); 3608 3609 rcu_read_lock(); 3610 if (cda[CTA_EXPECT_HELP_NAME]) { 3611 const char *helpname = nla_data(cda[CTA_EXPECT_HELP_NAME]); 3612 3613 helper = __nf_conntrack_helper_find(helpname, u3, 3614 nf_ct_protonum(ct)); 3615 if (helper == NULL) { 3616 rcu_read_unlock(); 3617 #ifdef CONFIG_MODULES 3618 if (request_module("nfct-helper-%s", helpname) < 0) { 3619 err = -EOPNOTSUPP; 3620 goto err_ct; 3621 } 3622 rcu_read_lock(); 3623 helper = __nf_conntrack_helper_find(helpname, u3, 3624 nf_ct_protonum(ct)); 3625 if (helper) { 3626 err = -EAGAIN; 3627 goto err_rcu; 3628 } 3629 rcu_read_unlock(); 3630 #endif 3631 err = -EOPNOTSUPP; 3632 goto err_ct; 3633 } 3634 } 3635 3636 exp = ctnetlink_alloc_expect(cda, ct, helper, &tuple, &mask); 3637 if (IS_ERR(exp)) { 3638 err = PTR_ERR(exp); 3639 goto err_rcu; 3640 } 3641 3642 err = nf_ct_expect_related_report(exp, portid, report, 0); 3643 nf_ct_expect_put(exp); 3644 err_rcu: 3645 rcu_read_unlock(); 3646 err_ct: 3647 nf_ct_put(ct); 3648 return err; 3649 } 3650 3651 static int ctnetlink_new_expect(struct sk_buff *skb, 3652 const struct nfnl_info *info, 3653 const struct nlattr * const cda[]) 3654 { 3655 u_int8_t u3 = info->nfmsg->nfgen_family; 3656 struct nf_conntrack_tuple tuple; 3657 struct nf_conntrack_expect *exp; 3658 struct nf_conntrack_zone zone; 3659 int err; 3660 3661 if (!cda[CTA_EXPECT_TUPLE] 3662 || !cda[CTA_EXPECT_MASK] 3663 || !cda[CTA_EXPECT_MASTER]) 3664 return -EINVAL; 3665 3666 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone); 3667 if (err < 0) 3668 return err; 3669 3670 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, 3671 u3, NULL); 3672 if (err < 0) 3673 return err; 3674 3675 spin_lock_bh(&nf_conntrack_expect_lock); 3676 exp = __nf_ct_expect_find(info->net, &zone, &tuple); 3677 if (!exp) { 3678 spin_unlock_bh(&nf_conntrack_expect_lock); 3679 err = -ENOENT; 3680 if (info->nlh->nlmsg_flags & NLM_F_CREATE) { 3681 err = ctnetlink_create_expect(info->net, &zone, cda, u3, 3682 NETLINK_CB(skb).portid, 3683 nlmsg_report(info->nlh)); 3684 } 3685 return err; 3686 } 3687 3688 err = -EEXIST; 3689 if (!(info->nlh->nlmsg_flags & NLM_F_EXCL)) 3690 err = ctnetlink_change_expect(exp, cda); 3691 spin_unlock_bh(&nf_conntrack_expect_lock); 3692 3693 return err; 3694 } 3695 3696 static int 3697 ctnetlink_exp_stat_fill_info(struct sk_buff *skb, u32 portid, u32 seq, int cpu, 3698 const struct ip_conntrack_stat *st) 3699 { 3700 struct nlmsghdr *nlh; 3701 unsigned int flags = portid ? NLM_F_MULTI : 0, event; 3702 3703 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, 3704 IPCTNL_MSG_EXP_GET_STATS_CPU); 3705 nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC, 3706 NFNETLINK_V0, htons(cpu)); 3707 if (!nlh) 3708 goto nlmsg_failure; 3709 3710 if (nla_put_be32(skb, CTA_STATS_EXP_NEW, htonl(st->expect_new)) || 3711 nla_put_be32(skb, CTA_STATS_EXP_CREATE, htonl(st->expect_create)) || 3712 nla_put_be32(skb, CTA_STATS_EXP_DELETE, htonl(st->expect_delete))) 3713 goto nla_put_failure; 3714 3715 nlmsg_end(skb, nlh); 3716 return skb->len; 3717 3718 nla_put_failure: 3719 nlmsg_failure: 3720 nlmsg_cancel(skb, nlh); 3721 return -1; 3722 } 3723 3724 static int 3725 ctnetlink_exp_stat_cpu_dump(struct sk_buff *skb, struct netlink_callback *cb) 3726 { 3727 int cpu; 3728 struct net *net = sock_net(skb->sk); 3729 3730 if (cb->args[0] == nr_cpu_ids) 3731 return 0; 3732 3733 for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) { 3734 const struct ip_conntrack_stat *st; 3735 3736 if (!cpu_possible(cpu)) 3737 continue; 3738 3739 st = per_cpu_ptr(net->ct.stat, cpu); 3740 if (ctnetlink_exp_stat_fill_info(skb, NETLINK_CB(cb->skb).portid, 3741 cb->nlh->nlmsg_seq, 3742 cpu, st) < 0) 3743 break; 3744 } 3745 cb->args[0] = cpu; 3746 3747 return skb->len; 3748 } 3749 3750 static int ctnetlink_stat_exp_cpu(struct sk_buff *skb, 3751 const struct nfnl_info *info, 3752 const struct nlattr * const cda[]) 3753 { 3754 if (info->nlh->nlmsg_flags & NLM_F_DUMP) { 3755 struct netlink_dump_control c = { 3756 .dump = ctnetlink_exp_stat_cpu_dump, 3757 }; 3758 return netlink_dump_start(info->sk, skb, info->nlh, &c); 3759 } 3760 3761 return 0; 3762 } 3763 3764 #ifdef CONFIG_NF_CONNTRACK_EVENTS 3765 static struct nf_ct_event_notifier ctnl_notifier = { 3766 .ct_event = ctnetlink_conntrack_event, 3767 .exp_event = ctnetlink_expect_event, 3768 }; 3769 #endif 3770 3771 static const struct nfnl_callback ctnl_cb[IPCTNL_MSG_MAX] = { 3772 [IPCTNL_MSG_CT_NEW] = { 3773 .call = ctnetlink_new_conntrack, 3774 .type = NFNL_CB_MUTEX, 3775 .attr_count = CTA_MAX, 3776 .policy = ct_nla_policy 3777 }, 3778 [IPCTNL_MSG_CT_GET] = { 3779 .call = ctnetlink_get_conntrack, 3780 .type = NFNL_CB_MUTEX, 3781 .attr_count = CTA_MAX, 3782 .policy = ct_nla_policy 3783 }, 3784 [IPCTNL_MSG_CT_DELETE] = { 3785 .call = ctnetlink_del_conntrack, 3786 .type = NFNL_CB_MUTEX, 3787 .attr_count = CTA_MAX, 3788 .policy = ct_nla_policy 3789 }, 3790 [IPCTNL_MSG_CT_GET_CTRZERO] = { 3791 .call = ctnetlink_get_conntrack, 3792 .type = NFNL_CB_MUTEX, 3793 .attr_count = CTA_MAX, 3794 .policy = ct_nla_policy 3795 }, 3796 [IPCTNL_MSG_CT_GET_STATS_CPU] = { 3797 .call = ctnetlink_stat_ct_cpu, 3798 .type = NFNL_CB_MUTEX, 3799 }, 3800 [IPCTNL_MSG_CT_GET_STATS] = { 3801 .call = ctnetlink_stat_ct, 3802 .type = NFNL_CB_MUTEX, 3803 }, 3804 [IPCTNL_MSG_CT_GET_DYING] = { 3805 .call = ctnetlink_get_ct_dying, 3806 .type = NFNL_CB_MUTEX, 3807 }, 3808 [IPCTNL_MSG_CT_GET_UNCONFIRMED] = { 3809 .call = ctnetlink_get_ct_unconfirmed, 3810 .type = NFNL_CB_MUTEX, 3811 }, 3812 }; 3813 3814 static const struct nfnl_callback ctnl_exp_cb[IPCTNL_MSG_EXP_MAX] = { 3815 [IPCTNL_MSG_EXP_GET] = { 3816 .call = ctnetlink_get_expect, 3817 .type = NFNL_CB_MUTEX, 3818 .attr_count = CTA_EXPECT_MAX, 3819 .policy = exp_nla_policy 3820 }, 3821 [IPCTNL_MSG_EXP_NEW] = { 3822 .call = ctnetlink_new_expect, 3823 .type = NFNL_CB_MUTEX, 3824 .attr_count = CTA_EXPECT_MAX, 3825 .policy = exp_nla_policy 3826 }, 3827 [IPCTNL_MSG_EXP_DELETE] = { 3828 .call = ctnetlink_del_expect, 3829 .type = NFNL_CB_MUTEX, 3830 .attr_count = CTA_EXPECT_MAX, 3831 .policy = exp_nla_policy 3832 }, 3833 [IPCTNL_MSG_EXP_GET_STATS_CPU] = { 3834 .call = ctnetlink_stat_exp_cpu, 3835 .type = NFNL_CB_MUTEX, 3836 }, 3837 }; 3838 3839 static const struct nfnetlink_subsystem ctnl_subsys = { 3840 .name = "conntrack", 3841 .subsys_id = NFNL_SUBSYS_CTNETLINK, 3842 .cb_count = IPCTNL_MSG_MAX, 3843 .cb = ctnl_cb, 3844 }; 3845 3846 static const struct nfnetlink_subsystem ctnl_exp_subsys = { 3847 .name = "conntrack_expect", 3848 .subsys_id = NFNL_SUBSYS_CTNETLINK_EXP, 3849 .cb_count = IPCTNL_MSG_EXP_MAX, 3850 .cb = ctnl_exp_cb, 3851 }; 3852 3853 MODULE_ALIAS("ip_conntrack_netlink"); 3854 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK); 3855 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK_EXP); 3856 3857 static int __net_init ctnetlink_net_init(struct net *net) 3858 { 3859 #ifdef CONFIG_NF_CONNTRACK_EVENTS 3860 nf_conntrack_register_notifier(net, &ctnl_notifier); 3861 #endif 3862 return 0; 3863 } 3864 3865 static void ctnetlink_net_pre_exit(struct net *net) 3866 { 3867 #ifdef CONFIG_NF_CONNTRACK_EVENTS 3868 nf_conntrack_unregister_notifier(net); 3869 #endif 3870 } 3871 3872 static struct pernet_operations ctnetlink_net_ops = { 3873 .init = ctnetlink_net_init, 3874 .pre_exit = ctnetlink_net_pre_exit, 3875 }; 3876 3877 static int __init ctnetlink_init(void) 3878 { 3879 int ret; 3880 3881 ret = nfnetlink_subsys_register(&ctnl_subsys); 3882 if (ret < 0) { 3883 pr_err("ctnetlink_init: cannot register with nfnetlink.\n"); 3884 goto err_out; 3885 } 3886 3887 ret = nfnetlink_subsys_register(&ctnl_exp_subsys); 3888 if (ret < 0) { 3889 pr_err("ctnetlink_init: cannot register exp with nfnetlink.\n"); 3890 goto err_unreg_subsys; 3891 } 3892 3893 ret = register_pernet_subsys(&ctnetlink_net_ops); 3894 if (ret < 0) { 3895 pr_err("ctnetlink_init: cannot register pernet operations\n"); 3896 goto err_unreg_exp_subsys; 3897 } 3898 #ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT 3899 /* setup interaction between nf_queue and nf_conntrack_netlink. */ 3900 RCU_INIT_POINTER(nfnl_ct_hook, &ctnetlink_glue_hook); 3901 #endif 3902 return 0; 3903 3904 err_unreg_exp_subsys: 3905 nfnetlink_subsys_unregister(&ctnl_exp_subsys); 3906 err_unreg_subsys: 3907 nfnetlink_subsys_unregister(&ctnl_subsys); 3908 err_out: 3909 return ret; 3910 } 3911 3912 static void __exit ctnetlink_exit(void) 3913 { 3914 unregister_pernet_subsys(&ctnetlink_net_ops); 3915 nfnetlink_subsys_unregister(&ctnl_exp_subsys); 3916 nfnetlink_subsys_unregister(&ctnl_subsys); 3917 #ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT 3918 RCU_INIT_POINTER(nfnl_ct_hook, NULL); 3919 #endif 3920 synchronize_rcu(); 3921 } 3922 3923 module_init(ctnetlink_init); 3924 module_exit(ctnetlink_exit); 3925