1 // SPDX-License-Identifier: GPL-2.0-only 2 /* 3 * Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net> 4 * Copyright (c) 2016 Pablo Neira Ayuso <pablo@netfilter.org> 5 * 6 * Development of this code funded by Astaro AG (http://www.astaro.com/) 7 */ 8 9 #include <linux/kernel.h> 10 #include <linux/init.h> 11 #include <linux/module.h> 12 #include <linux/netlink.h> 13 #include <linux/netfilter.h> 14 #include <linux/netfilter/nf_tables.h> 15 #include <net/netfilter/nf_tables_core.h> 16 #include <net/netfilter/nf_conntrack.h> 17 #include <net/netfilter/nf_conntrack_acct.h> 18 #include <net/netfilter/nf_conntrack_tuple.h> 19 #include <net/netfilter/nf_conntrack_helper.h> 20 #include <net/netfilter/nf_conntrack_ecache.h> 21 #include <net/netfilter/nf_conntrack_labels.h> 22 #include <net/netfilter/nf_conntrack_timeout.h> 23 #include <net/netfilter/nf_conntrack_l4proto.h> 24 #include <net/netfilter/nf_conntrack_expect.h> 25 26 struct nft_ct_helper_obj { 27 struct nf_conntrack_helper *helper4; 28 struct nf_conntrack_helper *helper6; 29 u8 l4proto; 30 }; 31 32 #ifdef CONFIG_NF_CONNTRACK_ZONES 33 static DEFINE_PER_CPU(struct nf_conn *, nft_ct_pcpu_template); 34 static unsigned int nft_ct_pcpu_template_refcnt __read_mostly; 35 static DEFINE_MUTEX(nft_ct_pcpu_mutex); 36 #endif 37 38 static u64 nft_ct_get_eval_counter(const struct nf_conn_counter *c, 39 enum nft_ct_keys k, 40 enum ip_conntrack_dir d) 41 { 42 if (d < IP_CT_DIR_MAX) 43 return k == NFT_CT_BYTES ? atomic64_read(&c[d].bytes) : 44 atomic64_read(&c[d].packets); 45 46 return nft_ct_get_eval_counter(c, k, IP_CT_DIR_ORIGINAL) + 47 nft_ct_get_eval_counter(c, k, IP_CT_DIR_REPLY); 48 } 49 50 static void nft_ct_get_eval(const struct nft_expr *expr, 51 struct nft_regs *regs, 52 const struct nft_pktinfo *pkt) 53 { 54 const struct nft_ct *priv = nft_expr_priv(expr); 55 u32 *dest = ®s->data[priv->dreg]; 56 enum ip_conntrack_info ctinfo; 57 const struct nf_conn *ct; 58 const struct nf_conn_help *help; 59 const struct nf_conntrack_tuple *tuple; 60 const struct nf_conntrack_helper *helper; 61 unsigned int state; 62 63 ct = nf_ct_get(pkt->skb, &ctinfo); 64 65 switch (priv->key) { 66 case NFT_CT_STATE: 67 if (ct) 68 state = NF_CT_STATE_BIT(ctinfo); 69 else if (ctinfo == IP_CT_UNTRACKED) 70 state = NF_CT_STATE_UNTRACKED_BIT; 71 else 72 state = NF_CT_STATE_INVALID_BIT; 73 *dest = state; 74 return; 75 default: 76 break; 77 } 78 79 if (ct == NULL) 80 goto err; 81 82 switch (priv->key) { 83 case NFT_CT_DIRECTION: 84 nft_reg_store8(dest, CTINFO2DIR(ctinfo)); 85 return; 86 case NFT_CT_STATUS: 87 *dest = ct->status; 88 return; 89 #ifdef CONFIG_NF_CONNTRACK_MARK 90 case NFT_CT_MARK: 91 *dest = READ_ONCE(ct->mark); 92 return; 93 #endif 94 #ifdef CONFIG_NF_CONNTRACK_SECMARK 95 case NFT_CT_SECMARK: 96 *dest = ct->secmark; 97 return; 98 #endif 99 case NFT_CT_EXPIRATION: 100 *dest = jiffies_to_msecs(nf_ct_expires(ct)); 101 return; 102 case NFT_CT_HELPER: 103 if (ct->master == NULL) 104 goto err; 105 help = nfct_help(ct->master); 106 if (help == NULL) 107 goto err; 108 helper = rcu_dereference(help->helper); 109 if (helper == NULL) 110 goto err; 111 strncpy((char *)dest, helper->name, NF_CT_HELPER_NAME_LEN); 112 return; 113 #ifdef CONFIG_NF_CONNTRACK_LABELS 114 case NFT_CT_LABELS: { 115 struct nf_conn_labels *labels = nf_ct_labels_find(ct); 116 117 if (labels) 118 memcpy(dest, labels->bits, NF_CT_LABELS_MAX_SIZE); 119 else 120 memset(dest, 0, NF_CT_LABELS_MAX_SIZE); 121 return; 122 } 123 #endif 124 case NFT_CT_BYTES: 125 case NFT_CT_PKTS: { 126 const struct nf_conn_acct *acct = nf_conn_acct_find(ct); 127 u64 count = 0; 128 129 if (acct) 130 count = nft_ct_get_eval_counter(acct->counter, 131 priv->key, priv->dir); 132 memcpy(dest, &count, sizeof(count)); 133 return; 134 } 135 case NFT_CT_AVGPKT: { 136 const struct nf_conn_acct *acct = nf_conn_acct_find(ct); 137 u64 avgcnt = 0, bcnt = 0, pcnt = 0; 138 139 if (acct) { 140 pcnt = nft_ct_get_eval_counter(acct->counter, 141 NFT_CT_PKTS, priv->dir); 142 bcnt = nft_ct_get_eval_counter(acct->counter, 143 NFT_CT_BYTES, priv->dir); 144 if (pcnt != 0) 145 avgcnt = div64_u64(bcnt, pcnt); 146 } 147 148 memcpy(dest, &avgcnt, sizeof(avgcnt)); 149 return; 150 } 151 case NFT_CT_L3PROTOCOL: 152 nft_reg_store8(dest, nf_ct_l3num(ct)); 153 return; 154 case NFT_CT_PROTOCOL: 155 nft_reg_store8(dest, nf_ct_protonum(ct)); 156 return; 157 #ifdef CONFIG_NF_CONNTRACK_ZONES 158 case NFT_CT_ZONE: { 159 const struct nf_conntrack_zone *zone = nf_ct_zone(ct); 160 u16 zoneid; 161 162 if (priv->dir < IP_CT_DIR_MAX) 163 zoneid = nf_ct_zone_id(zone, priv->dir); 164 else 165 zoneid = zone->id; 166 167 nft_reg_store16(dest, zoneid); 168 return; 169 } 170 #endif 171 case NFT_CT_ID: 172 *dest = nf_ct_get_id(ct); 173 return; 174 default: 175 break; 176 } 177 178 tuple = &ct->tuplehash[priv->dir].tuple; 179 switch (priv->key) { 180 case NFT_CT_SRC: 181 memcpy(dest, tuple->src.u3.all, 182 nf_ct_l3num(ct) == NFPROTO_IPV4 ? 4 : 16); 183 return; 184 case NFT_CT_DST: 185 memcpy(dest, tuple->dst.u3.all, 186 nf_ct_l3num(ct) == NFPROTO_IPV4 ? 4 : 16); 187 return; 188 case NFT_CT_PROTO_SRC: 189 nft_reg_store16(dest, (__force u16)tuple->src.u.all); 190 return; 191 case NFT_CT_PROTO_DST: 192 nft_reg_store16(dest, (__force u16)tuple->dst.u.all); 193 return; 194 case NFT_CT_SRC_IP: 195 if (nf_ct_l3num(ct) != NFPROTO_IPV4) 196 goto err; 197 *dest = (__force __u32)tuple->src.u3.ip; 198 return; 199 case NFT_CT_DST_IP: 200 if (nf_ct_l3num(ct) != NFPROTO_IPV4) 201 goto err; 202 *dest = (__force __u32)tuple->dst.u3.ip; 203 return; 204 case NFT_CT_SRC_IP6: 205 if (nf_ct_l3num(ct) != NFPROTO_IPV6) 206 goto err; 207 memcpy(dest, tuple->src.u3.ip6, sizeof(struct in6_addr)); 208 return; 209 case NFT_CT_DST_IP6: 210 if (nf_ct_l3num(ct) != NFPROTO_IPV6) 211 goto err; 212 memcpy(dest, tuple->dst.u3.ip6, sizeof(struct in6_addr)); 213 return; 214 default: 215 break; 216 } 217 return; 218 err: 219 regs->verdict.code = NFT_BREAK; 220 } 221 222 #ifdef CONFIG_NF_CONNTRACK_ZONES 223 static void nft_ct_set_zone_eval(const struct nft_expr *expr, 224 struct nft_regs *regs, 225 const struct nft_pktinfo *pkt) 226 { 227 struct nf_conntrack_zone zone = { .dir = NF_CT_DEFAULT_ZONE_DIR }; 228 const struct nft_ct *priv = nft_expr_priv(expr); 229 struct sk_buff *skb = pkt->skb; 230 enum ip_conntrack_info ctinfo; 231 u16 value = nft_reg_load16(®s->data[priv->sreg]); 232 struct nf_conn *ct; 233 234 ct = nf_ct_get(skb, &ctinfo); 235 if (ct) /* already tracked */ 236 return; 237 238 zone.id = value; 239 240 switch (priv->dir) { 241 case IP_CT_DIR_ORIGINAL: 242 zone.dir = NF_CT_ZONE_DIR_ORIG; 243 break; 244 case IP_CT_DIR_REPLY: 245 zone.dir = NF_CT_ZONE_DIR_REPL; 246 break; 247 default: 248 break; 249 } 250 251 ct = this_cpu_read(nft_ct_pcpu_template); 252 253 if (likely(refcount_read(&ct->ct_general.use) == 1)) { 254 refcount_inc(&ct->ct_general.use); 255 nf_ct_zone_add(ct, &zone); 256 } else { 257 /* previous skb got queued to userspace, allocate temporary 258 * one until percpu template can be reused. 259 */ 260 ct = nf_ct_tmpl_alloc(nft_net(pkt), &zone, GFP_ATOMIC); 261 if (!ct) { 262 regs->verdict.code = NF_DROP; 263 return; 264 } 265 } 266 267 nf_ct_set(skb, ct, IP_CT_NEW); 268 } 269 #endif 270 271 static void nft_ct_set_eval(const struct nft_expr *expr, 272 struct nft_regs *regs, 273 const struct nft_pktinfo *pkt) 274 { 275 const struct nft_ct *priv = nft_expr_priv(expr); 276 struct sk_buff *skb = pkt->skb; 277 #if defined(CONFIG_NF_CONNTRACK_MARK) || defined(CONFIG_NF_CONNTRACK_SECMARK) 278 u32 value = regs->data[priv->sreg]; 279 #endif 280 enum ip_conntrack_info ctinfo; 281 struct nf_conn *ct; 282 283 ct = nf_ct_get(skb, &ctinfo); 284 if (ct == NULL || nf_ct_is_template(ct)) 285 return; 286 287 switch (priv->key) { 288 #ifdef CONFIG_NF_CONNTRACK_MARK 289 case NFT_CT_MARK: 290 if (READ_ONCE(ct->mark) != value) { 291 WRITE_ONCE(ct->mark, value); 292 nf_conntrack_event_cache(IPCT_MARK, ct); 293 } 294 break; 295 #endif 296 #ifdef CONFIG_NF_CONNTRACK_SECMARK 297 case NFT_CT_SECMARK: 298 if (ct->secmark != value) { 299 ct->secmark = value; 300 nf_conntrack_event_cache(IPCT_SECMARK, ct); 301 } 302 break; 303 #endif 304 #ifdef CONFIG_NF_CONNTRACK_LABELS 305 case NFT_CT_LABELS: 306 nf_connlabels_replace(ct, 307 ®s->data[priv->sreg], 308 ®s->data[priv->sreg], 309 NF_CT_LABELS_MAX_SIZE / sizeof(u32)); 310 break; 311 #endif 312 #ifdef CONFIG_NF_CONNTRACK_EVENTS 313 case NFT_CT_EVENTMASK: { 314 struct nf_conntrack_ecache *e = nf_ct_ecache_find(ct); 315 u32 ctmask = regs->data[priv->sreg]; 316 317 if (e) { 318 if (e->ctmask != ctmask) 319 e->ctmask = ctmask; 320 break; 321 } 322 323 if (ctmask && !nf_ct_is_confirmed(ct)) 324 nf_ct_ecache_ext_add(ct, ctmask, 0, GFP_ATOMIC); 325 break; 326 } 327 #endif 328 default: 329 break; 330 } 331 } 332 333 static const struct nla_policy nft_ct_policy[NFTA_CT_MAX + 1] = { 334 [NFTA_CT_DREG] = { .type = NLA_U32 }, 335 [NFTA_CT_KEY] = { .type = NLA_U32 }, 336 [NFTA_CT_DIRECTION] = { .type = NLA_U8 }, 337 [NFTA_CT_SREG] = { .type = NLA_U32 }, 338 }; 339 340 #ifdef CONFIG_NF_CONNTRACK_ZONES 341 static void nft_ct_tmpl_put_pcpu(void) 342 { 343 struct nf_conn *ct; 344 int cpu; 345 346 for_each_possible_cpu(cpu) { 347 ct = per_cpu(nft_ct_pcpu_template, cpu); 348 if (!ct) 349 break; 350 nf_ct_put(ct); 351 per_cpu(nft_ct_pcpu_template, cpu) = NULL; 352 } 353 } 354 355 static bool nft_ct_tmpl_alloc_pcpu(void) 356 { 357 struct nf_conntrack_zone zone = { .id = 0 }; 358 struct nf_conn *tmp; 359 int cpu; 360 361 if (nft_ct_pcpu_template_refcnt) 362 return true; 363 364 for_each_possible_cpu(cpu) { 365 tmp = nf_ct_tmpl_alloc(&init_net, &zone, GFP_KERNEL); 366 if (!tmp) { 367 nft_ct_tmpl_put_pcpu(); 368 return false; 369 } 370 371 per_cpu(nft_ct_pcpu_template, cpu) = tmp; 372 } 373 374 return true; 375 } 376 #endif 377 378 static int nft_ct_get_init(const struct nft_ctx *ctx, 379 const struct nft_expr *expr, 380 const struct nlattr * const tb[]) 381 { 382 struct nft_ct *priv = nft_expr_priv(expr); 383 unsigned int len; 384 int err; 385 386 priv->key = ntohl(nla_get_be32(tb[NFTA_CT_KEY])); 387 priv->dir = IP_CT_DIR_MAX; 388 switch (priv->key) { 389 case NFT_CT_DIRECTION: 390 if (tb[NFTA_CT_DIRECTION] != NULL) 391 return -EINVAL; 392 len = sizeof(u8); 393 break; 394 case NFT_CT_STATE: 395 case NFT_CT_STATUS: 396 #ifdef CONFIG_NF_CONNTRACK_MARK 397 case NFT_CT_MARK: 398 #endif 399 #ifdef CONFIG_NF_CONNTRACK_SECMARK 400 case NFT_CT_SECMARK: 401 #endif 402 case NFT_CT_EXPIRATION: 403 if (tb[NFTA_CT_DIRECTION] != NULL) 404 return -EINVAL; 405 len = sizeof(u32); 406 break; 407 #ifdef CONFIG_NF_CONNTRACK_LABELS 408 case NFT_CT_LABELS: 409 if (tb[NFTA_CT_DIRECTION] != NULL) 410 return -EINVAL; 411 len = NF_CT_LABELS_MAX_SIZE; 412 break; 413 #endif 414 case NFT_CT_HELPER: 415 if (tb[NFTA_CT_DIRECTION] != NULL) 416 return -EINVAL; 417 len = NF_CT_HELPER_NAME_LEN; 418 break; 419 420 case NFT_CT_L3PROTOCOL: 421 case NFT_CT_PROTOCOL: 422 /* For compatibility, do not report error if NFTA_CT_DIRECTION 423 * attribute is specified. 424 */ 425 len = sizeof(u8); 426 break; 427 case NFT_CT_SRC: 428 case NFT_CT_DST: 429 if (tb[NFTA_CT_DIRECTION] == NULL) 430 return -EINVAL; 431 432 switch (ctx->family) { 433 case NFPROTO_IPV4: 434 len = sizeof_field(struct nf_conntrack_tuple, 435 src.u3.ip); 436 break; 437 case NFPROTO_IPV6: 438 case NFPROTO_INET: 439 len = sizeof_field(struct nf_conntrack_tuple, 440 src.u3.ip6); 441 break; 442 default: 443 return -EAFNOSUPPORT; 444 } 445 break; 446 case NFT_CT_SRC_IP: 447 case NFT_CT_DST_IP: 448 if (tb[NFTA_CT_DIRECTION] == NULL) 449 return -EINVAL; 450 451 len = sizeof_field(struct nf_conntrack_tuple, src.u3.ip); 452 break; 453 case NFT_CT_SRC_IP6: 454 case NFT_CT_DST_IP6: 455 if (tb[NFTA_CT_DIRECTION] == NULL) 456 return -EINVAL; 457 458 len = sizeof_field(struct nf_conntrack_tuple, src.u3.ip6); 459 break; 460 case NFT_CT_PROTO_SRC: 461 case NFT_CT_PROTO_DST: 462 if (tb[NFTA_CT_DIRECTION] == NULL) 463 return -EINVAL; 464 len = sizeof_field(struct nf_conntrack_tuple, src.u.all); 465 break; 466 case NFT_CT_BYTES: 467 case NFT_CT_PKTS: 468 case NFT_CT_AVGPKT: 469 len = sizeof(u64); 470 break; 471 #ifdef CONFIG_NF_CONNTRACK_ZONES 472 case NFT_CT_ZONE: 473 len = sizeof(u16); 474 break; 475 #endif 476 case NFT_CT_ID: 477 len = sizeof(u32); 478 break; 479 default: 480 return -EOPNOTSUPP; 481 } 482 483 if (tb[NFTA_CT_DIRECTION] != NULL) { 484 priv->dir = nla_get_u8(tb[NFTA_CT_DIRECTION]); 485 switch (priv->dir) { 486 case IP_CT_DIR_ORIGINAL: 487 case IP_CT_DIR_REPLY: 488 break; 489 default: 490 return -EINVAL; 491 } 492 } 493 494 priv->len = len; 495 err = nft_parse_register_store(ctx, tb[NFTA_CT_DREG], &priv->dreg, NULL, 496 NFT_DATA_VALUE, len); 497 if (err < 0) 498 return err; 499 500 err = nf_ct_netns_get(ctx->net, ctx->family); 501 if (err < 0) 502 return err; 503 504 if (priv->key == NFT_CT_BYTES || 505 priv->key == NFT_CT_PKTS || 506 priv->key == NFT_CT_AVGPKT) 507 nf_ct_set_acct(ctx->net, true); 508 509 return 0; 510 } 511 512 static void __nft_ct_set_destroy(const struct nft_ctx *ctx, struct nft_ct *priv) 513 { 514 switch (priv->key) { 515 #ifdef CONFIG_NF_CONNTRACK_LABELS 516 case NFT_CT_LABELS: 517 nf_connlabels_put(ctx->net); 518 break; 519 #endif 520 #ifdef CONFIG_NF_CONNTRACK_ZONES 521 case NFT_CT_ZONE: 522 mutex_lock(&nft_ct_pcpu_mutex); 523 if (--nft_ct_pcpu_template_refcnt == 0) 524 nft_ct_tmpl_put_pcpu(); 525 mutex_unlock(&nft_ct_pcpu_mutex); 526 break; 527 #endif 528 default: 529 break; 530 } 531 } 532 533 static int nft_ct_set_init(const struct nft_ctx *ctx, 534 const struct nft_expr *expr, 535 const struct nlattr * const tb[]) 536 { 537 struct nft_ct *priv = nft_expr_priv(expr); 538 unsigned int len; 539 int err; 540 541 priv->dir = IP_CT_DIR_MAX; 542 priv->key = ntohl(nla_get_be32(tb[NFTA_CT_KEY])); 543 switch (priv->key) { 544 #ifdef CONFIG_NF_CONNTRACK_MARK 545 case NFT_CT_MARK: 546 if (tb[NFTA_CT_DIRECTION]) 547 return -EINVAL; 548 len = sizeof_field(struct nf_conn, mark); 549 break; 550 #endif 551 #ifdef CONFIG_NF_CONNTRACK_LABELS 552 case NFT_CT_LABELS: 553 if (tb[NFTA_CT_DIRECTION]) 554 return -EINVAL; 555 len = NF_CT_LABELS_MAX_SIZE; 556 err = nf_connlabels_get(ctx->net, (len * BITS_PER_BYTE) - 1); 557 if (err) 558 return err; 559 break; 560 #endif 561 #ifdef CONFIG_NF_CONNTRACK_ZONES 562 case NFT_CT_ZONE: 563 mutex_lock(&nft_ct_pcpu_mutex); 564 if (!nft_ct_tmpl_alloc_pcpu()) { 565 mutex_unlock(&nft_ct_pcpu_mutex); 566 return -ENOMEM; 567 } 568 nft_ct_pcpu_template_refcnt++; 569 mutex_unlock(&nft_ct_pcpu_mutex); 570 len = sizeof(u16); 571 break; 572 #endif 573 #ifdef CONFIG_NF_CONNTRACK_EVENTS 574 case NFT_CT_EVENTMASK: 575 if (tb[NFTA_CT_DIRECTION]) 576 return -EINVAL; 577 len = sizeof(u32); 578 break; 579 #endif 580 #ifdef CONFIG_NF_CONNTRACK_SECMARK 581 case NFT_CT_SECMARK: 582 if (tb[NFTA_CT_DIRECTION]) 583 return -EINVAL; 584 len = sizeof(u32); 585 break; 586 #endif 587 default: 588 return -EOPNOTSUPP; 589 } 590 591 if (tb[NFTA_CT_DIRECTION]) { 592 priv->dir = nla_get_u8(tb[NFTA_CT_DIRECTION]); 593 switch (priv->dir) { 594 case IP_CT_DIR_ORIGINAL: 595 case IP_CT_DIR_REPLY: 596 break; 597 default: 598 err = -EINVAL; 599 goto err1; 600 } 601 } 602 603 priv->len = len; 604 err = nft_parse_register_load(tb[NFTA_CT_SREG], &priv->sreg, len); 605 if (err < 0) 606 goto err1; 607 608 err = nf_ct_netns_get(ctx->net, ctx->family); 609 if (err < 0) 610 goto err1; 611 612 return 0; 613 614 err1: 615 __nft_ct_set_destroy(ctx, priv); 616 return err; 617 } 618 619 static void nft_ct_get_destroy(const struct nft_ctx *ctx, 620 const struct nft_expr *expr) 621 { 622 nf_ct_netns_put(ctx->net, ctx->family); 623 } 624 625 static void nft_ct_set_destroy(const struct nft_ctx *ctx, 626 const struct nft_expr *expr) 627 { 628 struct nft_ct *priv = nft_expr_priv(expr); 629 630 __nft_ct_set_destroy(ctx, priv); 631 nf_ct_netns_put(ctx->net, ctx->family); 632 } 633 634 static int nft_ct_get_dump(struct sk_buff *skb, 635 const struct nft_expr *expr, bool reset) 636 { 637 const struct nft_ct *priv = nft_expr_priv(expr); 638 639 if (nft_dump_register(skb, NFTA_CT_DREG, priv->dreg)) 640 goto nla_put_failure; 641 if (nla_put_be32(skb, NFTA_CT_KEY, htonl(priv->key))) 642 goto nla_put_failure; 643 644 switch (priv->key) { 645 case NFT_CT_SRC: 646 case NFT_CT_DST: 647 case NFT_CT_SRC_IP: 648 case NFT_CT_DST_IP: 649 case NFT_CT_SRC_IP6: 650 case NFT_CT_DST_IP6: 651 case NFT_CT_PROTO_SRC: 652 case NFT_CT_PROTO_DST: 653 if (nla_put_u8(skb, NFTA_CT_DIRECTION, priv->dir)) 654 goto nla_put_failure; 655 break; 656 case NFT_CT_BYTES: 657 case NFT_CT_PKTS: 658 case NFT_CT_AVGPKT: 659 case NFT_CT_ZONE: 660 if (priv->dir < IP_CT_DIR_MAX && 661 nla_put_u8(skb, NFTA_CT_DIRECTION, priv->dir)) 662 goto nla_put_failure; 663 break; 664 default: 665 break; 666 } 667 668 return 0; 669 670 nla_put_failure: 671 return -1; 672 } 673 674 static bool nft_ct_get_reduce(struct nft_regs_track *track, 675 const struct nft_expr *expr) 676 { 677 const struct nft_ct *priv = nft_expr_priv(expr); 678 const struct nft_ct *ct; 679 680 if (!nft_reg_track_cmp(track, expr, priv->dreg)) { 681 nft_reg_track_update(track, expr, priv->dreg, priv->len); 682 return false; 683 } 684 685 ct = nft_expr_priv(track->regs[priv->dreg].selector); 686 if (priv->key != ct->key) { 687 nft_reg_track_update(track, expr, priv->dreg, priv->len); 688 return false; 689 } 690 691 if (!track->regs[priv->dreg].bitwise) 692 return true; 693 694 return nft_expr_reduce_bitwise(track, expr); 695 } 696 697 static int nft_ct_set_dump(struct sk_buff *skb, 698 const struct nft_expr *expr, bool reset) 699 { 700 const struct nft_ct *priv = nft_expr_priv(expr); 701 702 if (nft_dump_register(skb, NFTA_CT_SREG, priv->sreg)) 703 goto nla_put_failure; 704 if (nla_put_be32(skb, NFTA_CT_KEY, htonl(priv->key))) 705 goto nla_put_failure; 706 707 switch (priv->key) { 708 case NFT_CT_ZONE: 709 if (priv->dir < IP_CT_DIR_MAX && 710 nla_put_u8(skb, NFTA_CT_DIRECTION, priv->dir)) 711 goto nla_put_failure; 712 break; 713 default: 714 break; 715 } 716 717 return 0; 718 719 nla_put_failure: 720 return -1; 721 } 722 723 static struct nft_expr_type nft_ct_type; 724 static const struct nft_expr_ops nft_ct_get_ops = { 725 .type = &nft_ct_type, 726 .size = NFT_EXPR_SIZE(sizeof(struct nft_ct)), 727 .eval = nft_ct_get_eval, 728 .init = nft_ct_get_init, 729 .destroy = nft_ct_get_destroy, 730 .dump = nft_ct_get_dump, 731 .reduce = nft_ct_get_reduce, 732 }; 733 734 static bool nft_ct_set_reduce(struct nft_regs_track *track, 735 const struct nft_expr *expr) 736 { 737 int i; 738 739 for (i = 0; i < NFT_REG32_NUM; i++) { 740 if (!track->regs[i].selector) 741 continue; 742 743 if (track->regs[i].selector->ops != &nft_ct_get_ops) 744 continue; 745 746 __nft_reg_track_cancel(track, i); 747 } 748 749 return false; 750 } 751 752 #ifdef CONFIG_RETPOLINE 753 static const struct nft_expr_ops nft_ct_get_fast_ops = { 754 .type = &nft_ct_type, 755 .size = NFT_EXPR_SIZE(sizeof(struct nft_ct)), 756 .eval = nft_ct_get_fast_eval, 757 .init = nft_ct_get_init, 758 .destroy = nft_ct_get_destroy, 759 .dump = nft_ct_get_dump, 760 .reduce = nft_ct_set_reduce, 761 }; 762 #endif 763 764 static const struct nft_expr_ops nft_ct_set_ops = { 765 .type = &nft_ct_type, 766 .size = NFT_EXPR_SIZE(sizeof(struct nft_ct)), 767 .eval = nft_ct_set_eval, 768 .init = nft_ct_set_init, 769 .destroy = nft_ct_set_destroy, 770 .dump = nft_ct_set_dump, 771 .reduce = nft_ct_set_reduce, 772 }; 773 774 #ifdef CONFIG_NF_CONNTRACK_ZONES 775 static const struct nft_expr_ops nft_ct_set_zone_ops = { 776 .type = &nft_ct_type, 777 .size = NFT_EXPR_SIZE(sizeof(struct nft_ct)), 778 .eval = nft_ct_set_zone_eval, 779 .init = nft_ct_set_init, 780 .destroy = nft_ct_set_destroy, 781 .dump = nft_ct_set_dump, 782 .reduce = nft_ct_set_reduce, 783 }; 784 #endif 785 786 static const struct nft_expr_ops * 787 nft_ct_select_ops(const struct nft_ctx *ctx, 788 const struct nlattr * const tb[]) 789 { 790 if (tb[NFTA_CT_KEY] == NULL) 791 return ERR_PTR(-EINVAL); 792 793 if (tb[NFTA_CT_DREG] && tb[NFTA_CT_SREG]) 794 return ERR_PTR(-EINVAL); 795 796 if (tb[NFTA_CT_DREG]) { 797 #ifdef CONFIG_RETPOLINE 798 u32 k = ntohl(nla_get_be32(tb[NFTA_CT_KEY])); 799 800 switch (k) { 801 case NFT_CT_STATE: 802 case NFT_CT_DIRECTION: 803 case NFT_CT_STATUS: 804 case NFT_CT_MARK: 805 case NFT_CT_SECMARK: 806 return &nft_ct_get_fast_ops; 807 } 808 #endif 809 return &nft_ct_get_ops; 810 } 811 812 if (tb[NFTA_CT_SREG]) { 813 #ifdef CONFIG_NF_CONNTRACK_ZONES 814 if (nla_get_be32(tb[NFTA_CT_KEY]) == htonl(NFT_CT_ZONE)) 815 return &nft_ct_set_zone_ops; 816 #endif 817 return &nft_ct_set_ops; 818 } 819 820 return ERR_PTR(-EINVAL); 821 } 822 823 static struct nft_expr_type nft_ct_type __read_mostly = { 824 .name = "ct", 825 .select_ops = nft_ct_select_ops, 826 .policy = nft_ct_policy, 827 .maxattr = NFTA_CT_MAX, 828 .owner = THIS_MODULE, 829 }; 830 831 static void nft_notrack_eval(const struct nft_expr *expr, 832 struct nft_regs *regs, 833 const struct nft_pktinfo *pkt) 834 { 835 struct sk_buff *skb = pkt->skb; 836 enum ip_conntrack_info ctinfo; 837 struct nf_conn *ct; 838 839 ct = nf_ct_get(pkt->skb, &ctinfo); 840 /* Previously seen (loopback or untracked)? Ignore. */ 841 if (ct || ctinfo == IP_CT_UNTRACKED) 842 return; 843 844 nf_ct_set(skb, ct, IP_CT_UNTRACKED); 845 } 846 847 static struct nft_expr_type nft_notrack_type; 848 static const struct nft_expr_ops nft_notrack_ops = { 849 .type = &nft_notrack_type, 850 .size = NFT_EXPR_SIZE(0), 851 .eval = nft_notrack_eval, 852 .reduce = NFT_REDUCE_READONLY, 853 }; 854 855 static struct nft_expr_type nft_notrack_type __read_mostly = { 856 .name = "notrack", 857 .ops = &nft_notrack_ops, 858 .owner = THIS_MODULE, 859 }; 860 861 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT 862 static int 863 nft_ct_timeout_parse_policy(void *timeouts, 864 const struct nf_conntrack_l4proto *l4proto, 865 struct net *net, const struct nlattr *attr) 866 { 867 struct nlattr **tb; 868 int ret = 0; 869 870 tb = kcalloc(l4proto->ctnl_timeout.nlattr_max + 1, sizeof(*tb), 871 GFP_KERNEL); 872 873 if (!tb) 874 return -ENOMEM; 875 876 ret = nla_parse_nested_deprecated(tb, 877 l4proto->ctnl_timeout.nlattr_max, 878 attr, 879 l4proto->ctnl_timeout.nla_policy, 880 NULL); 881 if (ret < 0) 882 goto err; 883 884 ret = l4proto->ctnl_timeout.nlattr_to_obj(tb, net, timeouts); 885 886 err: 887 kfree(tb); 888 return ret; 889 } 890 891 struct nft_ct_timeout_obj { 892 struct nf_ct_timeout *timeout; 893 u8 l4proto; 894 }; 895 896 static void nft_ct_timeout_obj_eval(struct nft_object *obj, 897 struct nft_regs *regs, 898 const struct nft_pktinfo *pkt) 899 { 900 const struct nft_ct_timeout_obj *priv = nft_obj_data(obj); 901 struct nf_conn *ct = (struct nf_conn *)skb_nfct(pkt->skb); 902 struct nf_conn_timeout *timeout; 903 const unsigned int *values; 904 905 if (priv->l4proto != pkt->tprot) 906 return; 907 908 if (!ct || nf_ct_is_template(ct) || nf_ct_is_confirmed(ct)) 909 return; 910 911 timeout = nf_ct_timeout_find(ct); 912 if (!timeout) { 913 timeout = nf_ct_timeout_ext_add(ct, priv->timeout, GFP_ATOMIC); 914 if (!timeout) { 915 regs->verdict.code = NF_DROP; 916 return; 917 } 918 } 919 920 rcu_assign_pointer(timeout->timeout, priv->timeout); 921 922 /* adjust the timeout as per 'new' state. ct is unconfirmed, 923 * so the current timestamp must not be added. 924 */ 925 values = nf_ct_timeout_data(timeout); 926 if (values) 927 nf_ct_refresh(ct, pkt->skb, values[0]); 928 } 929 930 static int nft_ct_timeout_obj_init(const struct nft_ctx *ctx, 931 const struct nlattr * const tb[], 932 struct nft_object *obj) 933 { 934 struct nft_ct_timeout_obj *priv = nft_obj_data(obj); 935 const struct nf_conntrack_l4proto *l4proto; 936 struct nf_ct_timeout *timeout; 937 int l3num = ctx->family; 938 __u8 l4num; 939 int ret; 940 941 if (!tb[NFTA_CT_TIMEOUT_L4PROTO] || 942 !tb[NFTA_CT_TIMEOUT_DATA]) 943 return -EINVAL; 944 945 if (tb[NFTA_CT_TIMEOUT_L3PROTO]) 946 l3num = ntohs(nla_get_be16(tb[NFTA_CT_TIMEOUT_L3PROTO])); 947 948 l4num = nla_get_u8(tb[NFTA_CT_TIMEOUT_L4PROTO]); 949 priv->l4proto = l4num; 950 951 l4proto = nf_ct_l4proto_find(l4num); 952 953 if (l4proto->l4proto != l4num) { 954 ret = -EOPNOTSUPP; 955 goto err_proto_put; 956 } 957 958 timeout = kzalloc(sizeof(struct nf_ct_timeout) + 959 l4proto->ctnl_timeout.obj_size, GFP_KERNEL); 960 if (timeout == NULL) { 961 ret = -ENOMEM; 962 goto err_proto_put; 963 } 964 965 ret = nft_ct_timeout_parse_policy(&timeout->data, l4proto, ctx->net, 966 tb[NFTA_CT_TIMEOUT_DATA]); 967 if (ret < 0) 968 goto err_free_timeout; 969 970 timeout->l3num = l3num; 971 timeout->l4proto = l4proto; 972 973 ret = nf_ct_netns_get(ctx->net, ctx->family); 974 if (ret < 0) 975 goto err_free_timeout; 976 977 priv->timeout = timeout; 978 return 0; 979 980 err_free_timeout: 981 kfree(timeout); 982 err_proto_put: 983 return ret; 984 } 985 986 static void nft_ct_timeout_obj_destroy(const struct nft_ctx *ctx, 987 struct nft_object *obj) 988 { 989 struct nft_ct_timeout_obj *priv = nft_obj_data(obj); 990 struct nf_ct_timeout *timeout = priv->timeout; 991 992 nf_ct_untimeout(ctx->net, timeout); 993 nf_ct_netns_put(ctx->net, ctx->family); 994 kfree(priv->timeout); 995 } 996 997 static int nft_ct_timeout_obj_dump(struct sk_buff *skb, 998 struct nft_object *obj, bool reset) 999 { 1000 const struct nft_ct_timeout_obj *priv = nft_obj_data(obj); 1001 const struct nf_ct_timeout *timeout = priv->timeout; 1002 struct nlattr *nest_params; 1003 int ret; 1004 1005 if (nla_put_u8(skb, NFTA_CT_TIMEOUT_L4PROTO, timeout->l4proto->l4proto) || 1006 nla_put_be16(skb, NFTA_CT_TIMEOUT_L3PROTO, htons(timeout->l3num))) 1007 return -1; 1008 1009 nest_params = nla_nest_start(skb, NFTA_CT_TIMEOUT_DATA); 1010 if (!nest_params) 1011 return -1; 1012 1013 ret = timeout->l4proto->ctnl_timeout.obj_to_nlattr(skb, &timeout->data); 1014 if (ret < 0) 1015 return -1; 1016 nla_nest_end(skb, nest_params); 1017 return 0; 1018 } 1019 1020 static const struct nla_policy nft_ct_timeout_policy[NFTA_CT_TIMEOUT_MAX + 1] = { 1021 [NFTA_CT_TIMEOUT_L3PROTO] = {.type = NLA_U16 }, 1022 [NFTA_CT_TIMEOUT_L4PROTO] = {.type = NLA_U8 }, 1023 [NFTA_CT_TIMEOUT_DATA] = {.type = NLA_NESTED }, 1024 }; 1025 1026 static struct nft_object_type nft_ct_timeout_obj_type; 1027 1028 static const struct nft_object_ops nft_ct_timeout_obj_ops = { 1029 .type = &nft_ct_timeout_obj_type, 1030 .size = sizeof(struct nft_ct_timeout_obj), 1031 .eval = nft_ct_timeout_obj_eval, 1032 .init = nft_ct_timeout_obj_init, 1033 .destroy = nft_ct_timeout_obj_destroy, 1034 .dump = nft_ct_timeout_obj_dump, 1035 }; 1036 1037 static struct nft_object_type nft_ct_timeout_obj_type __read_mostly = { 1038 .type = NFT_OBJECT_CT_TIMEOUT, 1039 .ops = &nft_ct_timeout_obj_ops, 1040 .maxattr = NFTA_CT_TIMEOUT_MAX, 1041 .policy = nft_ct_timeout_policy, 1042 .owner = THIS_MODULE, 1043 }; 1044 #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ 1045 1046 static int nft_ct_helper_obj_init(const struct nft_ctx *ctx, 1047 const struct nlattr * const tb[], 1048 struct nft_object *obj) 1049 { 1050 struct nft_ct_helper_obj *priv = nft_obj_data(obj); 1051 struct nf_conntrack_helper *help4, *help6; 1052 char name[NF_CT_HELPER_NAME_LEN]; 1053 int family = ctx->family; 1054 int err; 1055 1056 if (!tb[NFTA_CT_HELPER_NAME] || !tb[NFTA_CT_HELPER_L4PROTO]) 1057 return -EINVAL; 1058 1059 priv->l4proto = nla_get_u8(tb[NFTA_CT_HELPER_L4PROTO]); 1060 if (!priv->l4proto) 1061 return -ENOENT; 1062 1063 nla_strscpy(name, tb[NFTA_CT_HELPER_NAME], sizeof(name)); 1064 1065 if (tb[NFTA_CT_HELPER_L3PROTO]) 1066 family = ntohs(nla_get_be16(tb[NFTA_CT_HELPER_L3PROTO])); 1067 1068 help4 = NULL; 1069 help6 = NULL; 1070 1071 switch (family) { 1072 case NFPROTO_IPV4: 1073 if (ctx->family == NFPROTO_IPV6) 1074 return -EINVAL; 1075 1076 help4 = nf_conntrack_helper_try_module_get(name, family, 1077 priv->l4proto); 1078 break; 1079 case NFPROTO_IPV6: 1080 if (ctx->family == NFPROTO_IPV4) 1081 return -EINVAL; 1082 1083 help6 = nf_conntrack_helper_try_module_get(name, family, 1084 priv->l4proto); 1085 break; 1086 case NFPROTO_NETDEV: 1087 case NFPROTO_BRIDGE: 1088 case NFPROTO_INET: 1089 help4 = nf_conntrack_helper_try_module_get(name, NFPROTO_IPV4, 1090 priv->l4proto); 1091 help6 = nf_conntrack_helper_try_module_get(name, NFPROTO_IPV6, 1092 priv->l4proto); 1093 break; 1094 default: 1095 return -EAFNOSUPPORT; 1096 } 1097 1098 /* && is intentional; only error if INET found neither ipv4 or ipv6 */ 1099 if (!help4 && !help6) 1100 return -ENOENT; 1101 1102 priv->helper4 = help4; 1103 priv->helper6 = help6; 1104 1105 err = nf_ct_netns_get(ctx->net, ctx->family); 1106 if (err < 0) 1107 goto err_put_helper; 1108 1109 return 0; 1110 1111 err_put_helper: 1112 if (priv->helper4) 1113 nf_conntrack_helper_put(priv->helper4); 1114 if (priv->helper6) 1115 nf_conntrack_helper_put(priv->helper6); 1116 return err; 1117 } 1118 1119 static void nft_ct_helper_obj_destroy(const struct nft_ctx *ctx, 1120 struct nft_object *obj) 1121 { 1122 struct nft_ct_helper_obj *priv = nft_obj_data(obj); 1123 1124 if (priv->helper4) 1125 nf_conntrack_helper_put(priv->helper4); 1126 if (priv->helper6) 1127 nf_conntrack_helper_put(priv->helper6); 1128 1129 nf_ct_netns_put(ctx->net, ctx->family); 1130 } 1131 1132 static void nft_ct_helper_obj_eval(struct nft_object *obj, 1133 struct nft_regs *regs, 1134 const struct nft_pktinfo *pkt) 1135 { 1136 const struct nft_ct_helper_obj *priv = nft_obj_data(obj); 1137 struct nf_conn *ct = (struct nf_conn *)skb_nfct(pkt->skb); 1138 struct nf_conntrack_helper *to_assign = NULL; 1139 struct nf_conn_help *help; 1140 1141 if (!ct || 1142 nf_ct_is_confirmed(ct) || 1143 nf_ct_is_template(ct) || 1144 priv->l4proto != nf_ct_protonum(ct)) 1145 return; 1146 1147 switch (nf_ct_l3num(ct)) { 1148 case NFPROTO_IPV4: 1149 to_assign = priv->helper4; 1150 break; 1151 case NFPROTO_IPV6: 1152 to_assign = priv->helper6; 1153 break; 1154 default: 1155 WARN_ON_ONCE(1); 1156 return; 1157 } 1158 1159 if (!to_assign) 1160 return; 1161 1162 if (test_bit(IPS_HELPER_BIT, &ct->status)) 1163 return; 1164 1165 help = nf_ct_helper_ext_add(ct, GFP_ATOMIC); 1166 if (help) { 1167 rcu_assign_pointer(help->helper, to_assign); 1168 set_bit(IPS_HELPER_BIT, &ct->status); 1169 } 1170 } 1171 1172 static int nft_ct_helper_obj_dump(struct sk_buff *skb, 1173 struct nft_object *obj, bool reset) 1174 { 1175 const struct nft_ct_helper_obj *priv = nft_obj_data(obj); 1176 const struct nf_conntrack_helper *helper; 1177 u16 family; 1178 1179 if (priv->helper4 && priv->helper6) { 1180 family = NFPROTO_INET; 1181 helper = priv->helper4; 1182 } else if (priv->helper6) { 1183 family = NFPROTO_IPV6; 1184 helper = priv->helper6; 1185 } else { 1186 family = NFPROTO_IPV4; 1187 helper = priv->helper4; 1188 } 1189 1190 if (nla_put_string(skb, NFTA_CT_HELPER_NAME, helper->name)) 1191 return -1; 1192 1193 if (nla_put_u8(skb, NFTA_CT_HELPER_L4PROTO, priv->l4proto)) 1194 return -1; 1195 1196 if (nla_put_be16(skb, NFTA_CT_HELPER_L3PROTO, htons(family))) 1197 return -1; 1198 1199 return 0; 1200 } 1201 1202 static const struct nla_policy nft_ct_helper_policy[NFTA_CT_HELPER_MAX + 1] = { 1203 [NFTA_CT_HELPER_NAME] = { .type = NLA_STRING, 1204 .len = NF_CT_HELPER_NAME_LEN - 1 }, 1205 [NFTA_CT_HELPER_L3PROTO] = { .type = NLA_U16 }, 1206 [NFTA_CT_HELPER_L4PROTO] = { .type = NLA_U8 }, 1207 }; 1208 1209 static struct nft_object_type nft_ct_helper_obj_type; 1210 static const struct nft_object_ops nft_ct_helper_obj_ops = { 1211 .type = &nft_ct_helper_obj_type, 1212 .size = sizeof(struct nft_ct_helper_obj), 1213 .eval = nft_ct_helper_obj_eval, 1214 .init = nft_ct_helper_obj_init, 1215 .destroy = nft_ct_helper_obj_destroy, 1216 .dump = nft_ct_helper_obj_dump, 1217 }; 1218 1219 static struct nft_object_type nft_ct_helper_obj_type __read_mostly = { 1220 .type = NFT_OBJECT_CT_HELPER, 1221 .ops = &nft_ct_helper_obj_ops, 1222 .maxattr = NFTA_CT_HELPER_MAX, 1223 .policy = nft_ct_helper_policy, 1224 .owner = THIS_MODULE, 1225 }; 1226 1227 struct nft_ct_expect_obj { 1228 u16 l3num; 1229 __be16 dport; 1230 u8 l4proto; 1231 u8 size; 1232 u32 timeout; 1233 }; 1234 1235 static int nft_ct_expect_obj_init(const struct nft_ctx *ctx, 1236 const struct nlattr * const tb[], 1237 struct nft_object *obj) 1238 { 1239 struct nft_ct_expect_obj *priv = nft_obj_data(obj); 1240 1241 if (!tb[NFTA_CT_EXPECT_L4PROTO] || 1242 !tb[NFTA_CT_EXPECT_DPORT] || 1243 !tb[NFTA_CT_EXPECT_TIMEOUT] || 1244 !tb[NFTA_CT_EXPECT_SIZE]) 1245 return -EINVAL; 1246 1247 priv->l3num = ctx->family; 1248 if (tb[NFTA_CT_EXPECT_L3PROTO]) 1249 priv->l3num = ntohs(nla_get_be16(tb[NFTA_CT_EXPECT_L3PROTO])); 1250 1251 priv->l4proto = nla_get_u8(tb[NFTA_CT_EXPECT_L4PROTO]); 1252 priv->dport = nla_get_be16(tb[NFTA_CT_EXPECT_DPORT]); 1253 priv->timeout = nla_get_u32(tb[NFTA_CT_EXPECT_TIMEOUT]); 1254 priv->size = nla_get_u8(tb[NFTA_CT_EXPECT_SIZE]); 1255 1256 return nf_ct_netns_get(ctx->net, ctx->family); 1257 } 1258 1259 static void nft_ct_expect_obj_destroy(const struct nft_ctx *ctx, 1260 struct nft_object *obj) 1261 { 1262 nf_ct_netns_put(ctx->net, ctx->family); 1263 } 1264 1265 static int nft_ct_expect_obj_dump(struct sk_buff *skb, 1266 struct nft_object *obj, bool reset) 1267 { 1268 const struct nft_ct_expect_obj *priv = nft_obj_data(obj); 1269 1270 if (nla_put_be16(skb, NFTA_CT_EXPECT_L3PROTO, htons(priv->l3num)) || 1271 nla_put_u8(skb, NFTA_CT_EXPECT_L4PROTO, priv->l4proto) || 1272 nla_put_be16(skb, NFTA_CT_EXPECT_DPORT, priv->dport) || 1273 nla_put_u32(skb, NFTA_CT_EXPECT_TIMEOUT, priv->timeout) || 1274 nla_put_u8(skb, NFTA_CT_EXPECT_SIZE, priv->size)) 1275 return -1; 1276 1277 return 0; 1278 } 1279 1280 static void nft_ct_expect_obj_eval(struct nft_object *obj, 1281 struct nft_regs *regs, 1282 const struct nft_pktinfo *pkt) 1283 { 1284 const struct nft_ct_expect_obj *priv = nft_obj_data(obj); 1285 struct nf_conntrack_expect *exp; 1286 enum ip_conntrack_info ctinfo; 1287 struct nf_conn_help *help; 1288 enum ip_conntrack_dir dir; 1289 u16 l3num = priv->l3num; 1290 struct nf_conn *ct; 1291 1292 ct = nf_ct_get(pkt->skb, &ctinfo); 1293 if (!ct || nf_ct_is_confirmed(ct) || nf_ct_is_template(ct)) { 1294 regs->verdict.code = NFT_BREAK; 1295 return; 1296 } 1297 dir = CTINFO2DIR(ctinfo); 1298 1299 help = nfct_help(ct); 1300 if (!help) 1301 help = nf_ct_helper_ext_add(ct, GFP_ATOMIC); 1302 if (!help) { 1303 regs->verdict.code = NF_DROP; 1304 return; 1305 } 1306 1307 if (help->expecting[NF_CT_EXPECT_CLASS_DEFAULT] >= priv->size) { 1308 regs->verdict.code = NFT_BREAK; 1309 return; 1310 } 1311 if (l3num == NFPROTO_INET) 1312 l3num = nf_ct_l3num(ct); 1313 1314 exp = nf_ct_expect_alloc(ct); 1315 if (exp == NULL) { 1316 regs->verdict.code = NF_DROP; 1317 return; 1318 } 1319 nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT, l3num, 1320 &ct->tuplehash[!dir].tuple.src.u3, 1321 &ct->tuplehash[!dir].tuple.dst.u3, 1322 priv->l4proto, NULL, &priv->dport); 1323 exp->timeout.expires = jiffies + priv->timeout * HZ; 1324 1325 if (nf_ct_expect_related(exp, 0) != 0) 1326 regs->verdict.code = NF_DROP; 1327 } 1328 1329 static const struct nla_policy nft_ct_expect_policy[NFTA_CT_EXPECT_MAX + 1] = { 1330 [NFTA_CT_EXPECT_L3PROTO] = { .type = NLA_U16 }, 1331 [NFTA_CT_EXPECT_L4PROTO] = { .type = NLA_U8 }, 1332 [NFTA_CT_EXPECT_DPORT] = { .type = NLA_U16 }, 1333 [NFTA_CT_EXPECT_TIMEOUT] = { .type = NLA_U32 }, 1334 [NFTA_CT_EXPECT_SIZE] = { .type = NLA_U8 }, 1335 }; 1336 1337 static struct nft_object_type nft_ct_expect_obj_type; 1338 1339 static const struct nft_object_ops nft_ct_expect_obj_ops = { 1340 .type = &nft_ct_expect_obj_type, 1341 .size = sizeof(struct nft_ct_expect_obj), 1342 .eval = nft_ct_expect_obj_eval, 1343 .init = nft_ct_expect_obj_init, 1344 .destroy = nft_ct_expect_obj_destroy, 1345 .dump = nft_ct_expect_obj_dump, 1346 }; 1347 1348 static struct nft_object_type nft_ct_expect_obj_type __read_mostly = { 1349 .type = NFT_OBJECT_CT_EXPECT, 1350 .ops = &nft_ct_expect_obj_ops, 1351 .maxattr = NFTA_CT_EXPECT_MAX, 1352 .policy = nft_ct_expect_policy, 1353 .owner = THIS_MODULE, 1354 }; 1355 1356 static int __init nft_ct_module_init(void) 1357 { 1358 int err; 1359 1360 BUILD_BUG_ON(NF_CT_LABELS_MAX_SIZE > NFT_REG_SIZE); 1361 1362 err = nft_register_expr(&nft_ct_type); 1363 if (err < 0) 1364 return err; 1365 1366 err = nft_register_expr(&nft_notrack_type); 1367 if (err < 0) 1368 goto err1; 1369 1370 err = nft_register_obj(&nft_ct_helper_obj_type); 1371 if (err < 0) 1372 goto err2; 1373 1374 err = nft_register_obj(&nft_ct_expect_obj_type); 1375 if (err < 0) 1376 goto err3; 1377 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT 1378 err = nft_register_obj(&nft_ct_timeout_obj_type); 1379 if (err < 0) 1380 goto err4; 1381 #endif 1382 return 0; 1383 1384 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT 1385 err4: 1386 nft_unregister_obj(&nft_ct_expect_obj_type); 1387 #endif 1388 err3: 1389 nft_unregister_obj(&nft_ct_helper_obj_type); 1390 err2: 1391 nft_unregister_expr(&nft_notrack_type); 1392 err1: 1393 nft_unregister_expr(&nft_ct_type); 1394 return err; 1395 } 1396 1397 static void __exit nft_ct_module_exit(void) 1398 { 1399 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT 1400 nft_unregister_obj(&nft_ct_timeout_obj_type); 1401 #endif 1402 nft_unregister_obj(&nft_ct_expect_obj_type); 1403 nft_unregister_obj(&nft_ct_helper_obj_type); 1404 nft_unregister_expr(&nft_notrack_type); 1405 nft_unregister_expr(&nft_ct_type); 1406 } 1407 1408 module_init(nft_ct_module_init); 1409 module_exit(nft_ct_module_exit); 1410 1411 MODULE_LICENSE("GPL"); 1412 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); 1413 MODULE_ALIAS_NFT_EXPR("ct"); 1414 MODULE_ALIAS_NFT_EXPR("notrack"); 1415 MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_CT_HELPER); 1416 MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_CT_TIMEOUT); 1417 MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_CT_EXPECT); 1418 MODULE_DESCRIPTION("Netfilter nf_tables conntrack module"); 1419