1 // SPDX-License-Identifier: GPL-2.0-or-later 2 /* 3 * (C) 2011 Pablo Neira Ayuso <pablo@netfilter.org> 4 * (C) 2011 Intra2net AG <http://www.intra2net.com> 5 */ 6 #include <linux/init.h> 7 #include <linux/module.h> 8 #include <linux/kernel.h> 9 #include <linux/skbuff.h> 10 #include <linux/atomic.h> 11 #include <linux/refcount.h> 12 #include <linux/netlink.h> 13 #include <linux/rculist.h> 14 #include <linux/slab.h> 15 #include <linux/types.h> 16 #include <linux/errno.h> 17 #include <net/netlink.h> 18 #include <net/sock.h> 19 20 #include <linux/netfilter.h> 21 #include <linux/netfilter/nfnetlink.h> 22 #include <linux/netfilter/nfnetlink_acct.h> 23 24 MODULE_LICENSE("GPL"); 25 MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>"); 26 MODULE_DESCRIPTION("nfacct: Extended Netfilter accounting infrastructure"); 27 28 struct nf_acct { 29 atomic64_t pkts; 30 atomic64_t bytes; 31 unsigned long flags; 32 struct list_head head; 33 refcount_t refcnt; 34 char name[NFACCT_NAME_MAX]; 35 struct rcu_head rcu_head; 36 char data[0]; 37 }; 38 39 struct nfacct_filter { 40 u32 value; 41 u32 mask; 42 }; 43 44 #define NFACCT_F_QUOTA (NFACCT_F_QUOTA_PKTS | NFACCT_F_QUOTA_BYTES) 45 #define NFACCT_OVERQUOTA_BIT 2 /* NFACCT_F_OVERQUOTA */ 46 47 static int nfnl_acct_new(struct net *net, struct sock *nfnl, 48 struct sk_buff *skb, const struct nlmsghdr *nlh, 49 const struct nlattr * const tb[], 50 struct netlink_ext_ack *extack) 51 { 52 struct nf_acct *nfacct, *matching = NULL; 53 char *acct_name; 54 unsigned int size = 0; 55 u32 flags = 0; 56 57 if (!tb[NFACCT_NAME]) 58 return -EINVAL; 59 60 acct_name = nla_data(tb[NFACCT_NAME]); 61 if (strlen(acct_name) == 0) 62 return -EINVAL; 63 64 list_for_each_entry(nfacct, &net->nfnl_acct_list, head) { 65 if (strncmp(nfacct->name, acct_name, NFACCT_NAME_MAX) != 0) 66 continue; 67 68 if (nlh->nlmsg_flags & NLM_F_EXCL) 69 return -EEXIST; 70 71 matching = nfacct; 72 break; 73 } 74 75 if (matching) { 76 if (nlh->nlmsg_flags & NLM_F_REPLACE) { 77 /* reset counters if you request a replacement. */ 78 atomic64_set(&matching->pkts, 0); 79 atomic64_set(&matching->bytes, 0); 80 smp_mb__before_atomic(); 81 /* reset overquota flag if quota is enabled. */ 82 if ((matching->flags & NFACCT_F_QUOTA)) 83 clear_bit(NFACCT_OVERQUOTA_BIT, 84 &matching->flags); 85 return 0; 86 } 87 return -EBUSY; 88 } 89 90 if (tb[NFACCT_FLAGS]) { 91 flags = ntohl(nla_get_be32(tb[NFACCT_FLAGS])); 92 if (flags & ~NFACCT_F_QUOTA) 93 return -EOPNOTSUPP; 94 if ((flags & NFACCT_F_QUOTA) == NFACCT_F_QUOTA) 95 return -EINVAL; 96 if (flags & NFACCT_F_OVERQUOTA) 97 return -EINVAL; 98 if ((flags & NFACCT_F_QUOTA) && !tb[NFACCT_QUOTA]) 99 return -EINVAL; 100 101 size += sizeof(u64); 102 } 103 104 nfacct = kzalloc(sizeof(struct nf_acct) + size, GFP_KERNEL); 105 if (nfacct == NULL) 106 return -ENOMEM; 107 108 if (flags & NFACCT_F_QUOTA) { 109 u64 *quota = (u64 *)nfacct->data; 110 111 *quota = be64_to_cpu(nla_get_be64(tb[NFACCT_QUOTA])); 112 nfacct->flags = flags; 113 } 114 115 nla_strlcpy(nfacct->name, tb[NFACCT_NAME], NFACCT_NAME_MAX); 116 117 if (tb[NFACCT_BYTES]) { 118 atomic64_set(&nfacct->bytes, 119 be64_to_cpu(nla_get_be64(tb[NFACCT_BYTES]))); 120 } 121 if (tb[NFACCT_PKTS]) { 122 atomic64_set(&nfacct->pkts, 123 be64_to_cpu(nla_get_be64(tb[NFACCT_PKTS]))); 124 } 125 refcount_set(&nfacct->refcnt, 1); 126 list_add_tail_rcu(&nfacct->head, &net->nfnl_acct_list); 127 return 0; 128 } 129 130 static int 131 nfnl_acct_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type, 132 int event, struct nf_acct *acct) 133 { 134 struct nlmsghdr *nlh; 135 struct nfgenmsg *nfmsg; 136 unsigned int flags = portid ? NLM_F_MULTI : 0; 137 u64 pkts, bytes; 138 u32 old_flags; 139 140 event = nfnl_msg_type(NFNL_SUBSYS_ACCT, event); 141 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); 142 if (nlh == NULL) 143 goto nlmsg_failure; 144 145 nfmsg = nlmsg_data(nlh); 146 nfmsg->nfgen_family = AF_UNSPEC; 147 nfmsg->version = NFNETLINK_V0; 148 nfmsg->res_id = 0; 149 150 if (nla_put_string(skb, NFACCT_NAME, acct->name)) 151 goto nla_put_failure; 152 153 old_flags = acct->flags; 154 if (type == NFNL_MSG_ACCT_GET_CTRZERO) { 155 pkts = atomic64_xchg(&acct->pkts, 0); 156 bytes = atomic64_xchg(&acct->bytes, 0); 157 smp_mb__before_atomic(); 158 if (acct->flags & NFACCT_F_QUOTA) 159 clear_bit(NFACCT_OVERQUOTA_BIT, &acct->flags); 160 } else { 161 pkts = atomic64_read(&acct->pkts); 162 bytes = atomic64_read(&acct->bytes); 163 } 164 if (nla_put_be64(skb, NFACCT_PKTS, cpu_to_be64(pkts), 165 NFACCT_PAD) || 166 nla_put_be64(skb, NFACCT_BYTES, cpu_to_be64(bytes), 167 NFACCT_PAD) || 168 nla_put_be32(skb, NFACCT_USE, htonl(refcount_read(&acct->refcnt)))) 169 goto nla_put_failure; 170 if (acct->flags & NFACCT_F_QUOTA) { 171 u64 *quota = (u64 *)acct->data; 172 173 if (nla_put_be32(skb, NFACCT_FLAGS, htonl(old_flags)) || 174 nla_put_be64(skb, NFACCT_QUOTA, cpu_to_be64(*quota), 175 NFACCT_PAD)) 176 goto nla_put_failure; 177 } 178 nlmsg_end(skb, nlh); 179 return skb->len; 180 181 nlmsg_failure: 182 nla_put_failure: 183 nlmsg_cancel(skb, nlh); 184 return -1; 185 } 186 187 static int 188 nfnl_acct_dump(struct sk_buff *skb, struct netlink_callback *cb) 189 { 190 struct net *net = sock_net(skb->sk); 191 struct nf_acct *cur, *last; 192 const struct nfacct_filter *filter = cb->data; 193 194 if (cb->args[2]) 195 return 0; 196 197 last = (struct nf_acct *)cb->args[1]; 198 if (cb->args[1]) 199 cb->args[1] = 0; 200 201 rcu_read_lock(); 202 list_for_each_entry_rcu(cur, &net->nfnl_acct_list, head) { 203 if (last) { 204 if (cur != last) 205 continue; 206 207 last = NULL; 208 } 209 210 if (filter && (cur->flags & filter->mask) != filter->value) 211 continue; 212 213 if (nfnl_acct_fill_info(skb, NETLINK_CB(cb->skb).portid, 214 cb->nlh->nlmsg_seq, 215 NFNL_MSG_TYPE(cb->nlh->nlmsg_type), 216 NFNL_MSG_ACCT_NEW, cur) < 0) { 217 cb->args[1] = (unsigned long)cur; 218 break; 219 } 220 } 221 if (!cb->args[1]) 222 cb->args[2] = 1; 223 rcu_read_unlock(); 224 return skb->len; 225 } 226 227 static int nfnl_acct_done(struct netlink_callback *cb) 228 { 229 kfree(cb->data); 230 return 0; 231 } 232 233 static const struct nla_policy filter_policy[NFACCT_FILTER_MAX + 1] = { 234 [NFACCT_FILTER_MASK] = { .type = NLA_U32 }, 235 [NFACCT_FILTER_VALUE] = { .type = NLA_U32 }, 236 }; 237 238 static int nfnl_acct_start(struct netlink_callback *cb) 239 { 240 const struct nlattr *const attr = cb->data; 241 struct nlattr *tb[NFACCT_FILTER_MAX + 1]; 242 struct nfacct_filter *filter; 243 int err; 244 245 if (!attr) 246 return 0; 247 248 err = nla_parse_nested_deprecated(tb, NFACCT_FILTER_MAX, attr, 249 filter_policy, NULL); 250 if (err < 0) 251 return err; 252 253 if (!tb[NFACCT_FILTER_MASK] || !tb[NFACCT_FILTER_VALUE]) 254 return -EINVAL; 255 256 filter = kzalloc(sizeof(struct nfacct_filter), GFP_KERNEL); 257 if (!filter) 258 return -ENOMEM; 259 260 filter->mask = ntohl(nla_get_be32(tb[NFACCT_FILTER_MASK])); 261 filter->value = ntohl(nla_get_be32(tb[NFACCT_FILTER_VALUE])); 262 cb->data = filter; 263 264 return 0; 265 } 266 267 static int nfnl_acct_get(struct net *net, struct sock *nfnl, 268 struct sk_buff *skb, const struct nlmsghdr *nlh, 269 const struct nlattr * const tb[], 270 struct netlink_ext_ack *extack) 271 { 272 int ret = -ENOENT; 273 struct nf_acct *cur; 274 char *acct_name; 275 276 if (nlh->nlmsg_flags & NLM_F_DUMP) { 277 struct netlink_dump_control c = { 278 .dump = nfnl_acct_dump, 279 .start = nfnl_acct_start, 280 .done = nfnl_acct_done, 281 .data = (void *)tb[NFACCT_FILTER], 282 }; 283 284 return netlink_dump_start(nfnl, skb, nlh, &c); 285 } 286 287 if (!tb[NFACCT_NAME]) 288 return -EINVAL; 289 acct_name = nla_data(tb[NFACCT_NAME]); 290 291 list_for_each_entry(cur, &net->nfnl_acct_list, head) { 292 struct sk_buff *skb2; 293 294 if (strncmp(cur->name, acct_name, NFACCT_NAME_MAX)!= 0) 295 continue; 296 297 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); 298 if (skb2 == NULL) { 299 ret = -ENOMEM; 300 break; 301 } 302 303 ret = nfnl_acct_fill_info(skb2, NETLINK_CB(skb).portid, 304 nlh->nlmsg_seq, 305 NFNL_MSG_TYPE(nlh->nlmsg_type), 306 NFNL_MSG_ACCT_NEW, cur); 307 if (ret <= 0) { 308 kfree_skb(skb2); 309 break; 310 } 311 ret = netlink_unicast(nfnl, skb2, NETLINK_CB(skb).portid, 312 MSG_DONTWAIT); 313 if (ret > 0) 314 ret = 0; 315 316 /* this avoids a loop in nfnetlink. */ 317 return ret == -EAGAIN ? -ENOBUFS : ret; 318 } 319 return ret; 320 } 321 322 /* try to delete object, fail if it is still in use. */ 323 static int nfnl_acct_try_del(struct nf_acct *cur) 324 { 325 int ret = 0; 326 327 /* We want to avoid races with nfnl_acct_put. So only when the current 328 * refcnt is 1, we decrease it to 0. 329 */ 330 if (refcount_dec_if_one(&cur->refcnt)) { 331 /* We are protected by nfnl mutex. */ 332 list_del_rcu(&cur->head); 333 kfree_rcu(cur, rcu_head); 334 } else { 335 ret = -EBUSY; 336 } 337 return ret; 338 } 339 340 static int nfnl_acct_del(struct net *net, struct sock *nfnl, 341 struct sk_buff *skb, const struct nlmsghdr *nlh, 342 const struct nlattr * const tb[], 343 struct netlink_ext_ack *extack) 344 { 345 struct nf_acct *cur, *tmp; 346 int ret = -ENOENT; 347 char *acct_name; 348 349 if (!tb[NFACCT_NAME]) { 350 list_for_each_entry_safe(cur, tmp, &net->nfnl_acct_list, head) 351 nfnl_acct_try_del(cur); 352 353 return 0; 354 } 355 acct_name = nla_data(tb[NFACCT_NAME]); 356 357 list_for_each_entry(cur, &net->nfnl_acct_list, head) { 358 if (strncmp(cur->name, acct_name, NFACCT_NAME_MAX) != 0) 359 continue; 360 361 ret = nfnl_acct_try_del(cur); 362 if (ret < 0) 363 return ret; 364 365 break; 366 } 367 return ret; 368 } 369 370 static const struct nla_policy nfnl_acct_policy[NFACCT_MAX+1] = { 371 [NFACCT_NAME] = { .type = NLA_NUL_STRING, .len = NFACCT_NAME_MAX-1 }, 372 [NFACCT_BYTES] = { .type = NLA_U64 }, 373 [NFACCT_PKTS] = { .type = NLA_U64 }, 374 [NFACCT_FLAGS] = { .type = NLA_U32 }, 375 [NFACCT_QUOTA] = { .type = NLA_U64 }, 376 [NFACCT_FILTER] = {.type = NLA_NESTED }, 377 }; 378 379 static const struct nfnl_callback nfnl_acct_cb[NFNL_MSG_ACCT_MAX] = { 380 [NFNL_MSG_ACCT_NEW] = { .call = nfnl_acct_new, 381 .attr_count = NFACCT_MAX, 382 .policy = nfnl_acct_policy }, 383 [NFNL_MSG_ACCT_GET] = { .call = nfnl_acct_get, 384 .attr_count = NFACCT_MAX, 385 .policy = nfnl_acct_policy }, 386 [NFNL_MSG_ACCT_GET_CTRZERO] = { .call = nfnl_acct_get, 387 .attr_count = NFACCT_MAX, 388 .policy = nfnl_acct_policy }, 389 [NFNL_MSG_ACCT_DEL] = { .call = nfnl_acct_del, 390 .attr_count = NFACCT_MAX, 391 .policy = nfnl_acct_policy }, 392 }; 393 394 static const struct nfnetlink_subsystem nfnl_acct_subsys = { 395 .name = "acct", 396 .subsys_id = NFNL_SUBSYS_ACCT, 397 .cb_count = NFNL_MSG_ACCT_MAX, 398 .cb = nfnl_acct_cb, 399 }; 400 401 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_ACCT); 402 403 struct nf_acct *nfnl_acct_find_get(struct net *net, const char *acct_name) 404 { 405 struct nf_acct *cur, *acct = NULL; 406 407 rcu_read_lock(); 408 list_for_each_entry_rcu(cur, &net->nfnl_acct_list, head) { 409 if (strncmp(cur->name, acct_name, NFACCT_NAME_MAX)!= 0) 410 continue; 411 412 if (!try_module_get(THIS_MODULE)) 413 goto err; 414 415 if (!refcount_inc_not_zero(&cur->refcnt)) { 416 module_put(THIS_MODULE); 417 goto err; 418 } 419 420 acct = cur; 421 break; 422 } 423 err: 424 rcu_read_unlock(); 425 return acct; 426 } 427 EXPORT_SYMBOL_GPL(nfnl_acct_find_get); 428 429 void nfnl_acct_put(struct nf_acct *acct) 430 { 431 if (refcount_dec_and_test(&acct->refcnt)) 432 kfree_rcu(acct, rcu_head); 433 434 module_put(THIS_MODULE); 435 } 436 EXPORT_SYMBOL_GPL(nfnl_acct_put); 437 438 void nfnl_acct_update(const struct sk_buff *skb, struct nf_acct *nfacct) 439 { 440 atomic64_inc(&nfacct->pkts); 441 atomic64_add(skb->len, &nfacct->bytes); 442 } 443 EXPORT_SYMBOL_GPL(nfnl_acct_update); 444 445 static void nfnl_overquota_report(struct net *net, struct nf_acct *nfacct) 446 { 447 int ret; 448 struct sk_buff *skb; 449 450 skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC); 451 if (skb == NULL) 452 return; 453 454 ret = nfnl_acct_fill_info(skb, 0, 0, NFNL_MSG_ACCT_OVERQUOTA, 0, 455 nfacct); 456 if (ret <= 0) { 457 kfree_skb(skb); 458 return; 459 } 460 netlink_broadcast(net->nfnl, skb, 0, NFNLGRP_ACCT_QUOTA, 461 GFP_ATOMIC); 462 } 463 464 int nfnl_acct_overquota(struct net *net, struct nf_acct *nfacct) 465 { 466 u64 now; 467 u64 *quota; 468 int ret = NFACCT_UNDERQUOTA; 469 470 /* no place here if we don't have a quota */ 471 if (!(nfacct->flags & NFACCT_F_QUOTA)) 472 return NFACCT_NO_QUOTA; 473 474 quota = (u64 *)nfacct->data; 475 now = (nfacct->flags & NFACCT_F_QUOTA_PKTS) ? 476 atomic64_read(&nfacct->pkts) : atomic64_read(&nfacct->bytes); 477 478 ret = now > *quota; 479 480 if (now >= *quota && 481 !test_and_set_bit(NFACCT_OVERQUOTA_BIT, &nfacct->flags)) { 482 nfnl_overquota_report(net, nfacct); 483 } 484 485 return ret; 486 } 487 EXPORT_SYMBOL_GPL(nfnl_acct_overquota); 488 489 static int __net_init nfnl_acct_net_init(struct net *net) 490 { 491 INIT_LIST_HEAD(&net->nfnl_acct_list); 492 493 return 0; 494 } 495 496 static void __net_exit nfnl_acct_net_exit(struct net *net) 497 { 498 struct nf_acct *cur, *tmp; 499 500 list_for_each_entry_safe(cur, tmp, &net->nfnl_acct_list, head) { 501 list_del_rcu(&cur->head); 502 503 if (refcount_dec_and_test(&cur->refcnt)) 504 kfree_rcu(cur, rcu_head); 505 } 506 } 507 508 static struct pernet_operations nfnl_acct_ops = { 509 .init = nfnl_acct_net_init, 510 .exit = nfnl_acct_net_exit, 511 }; 512 513 static int __init nfnl_acct_init(void) 514 { 515 int ret; 516 517 ret = register_pernet_subsys(&nfnl_acct_ops); 518 if (ret < 0) { 519 pr_err("nfnl_acct_init: failed to register pernet ops\n"); 520 goto err_out; 521 } 522 523 ret = nfnetlink_subsys_register(&nfnl_acct_subsys); 524 if (ret < 0) { 525 pr_err("nfnl_acct_init: cannot register with nfnetlink.\n"); 526 goto cleanup_pernet; 527 } 528 return 0; 529 530 cleanup_pernet: 531 unregister_pernet_subsys(&nfnl_acct_ops); 532 err_out: 533 return ret; 534 } 535 536 static void __exit nfnl_acct_exit(void) 537 { 538 nfnetlink_subsys_unregister(&nfnl_acct_subsys); 539 unregister_pernet_subsys(&nfnl_acct_ops); 540 } 541 542 module_init(nfnl_acct_init); 543 module_exit(nfnl_acct_exit); 544