1 /* Connection tracking via netlink socket. Allows for user space
2 * protocol helpers and general trouble making from userspace.
3 *
4 * (C) 2001 by Jay Schulist <jschlst@samba.org>
5 * (C) 2002-2006 by Harald Welte <laforge@gnumonks.org>
6 * (C) 2003 by Patrick Mchardy <kaber@trash.net>
7 * (C) 2005-2012 by Pablo Neira Ayuso <pablo@netfilter.org>
8 *
9 * Initial connection tracking via netlink development funded and
10 * generally made possible by Network Robots, Inc. (www.networkrobots.com)
11 *
12 * Further development of this code funded by Astaro AG (http://www.astaro.com)
13 *
14 * This software may be used and distributed according to the terms
15 * of the GNU General Public License, incorporated herein by reference.
16 */
17
18 #include <linux/init.h>
19 #include <linux/module.h>
20 #include <linux/kernel.h>
21 #include <linux/rculist.h>
22 #include <linux/rculist_nulls.h>
23 #include <linux/types.h>
24 #include <linux/timer.h>
25 #include <linux/security.h>
26 #include <linux/skbuff.h>
27 #include <linux/errno.h>
28 #include <linux/netlink.h>
29 #include <linux/spinlock.h>
30 #include <linux/interrupt.h>
31 #include <linux/slab.h>
32
33 #include <linux/netfilter.h>
34 #include <net/netlink.h>
35 #include <net/sock.h>
36 #include <net/netfilter/nf_conntrack.h>
37 #include <net/netfilter/nf_conntrack_core.h>
38 #include <net/netfilter/nf_conntrack_expect.h>
39 #include <net/netfilter/nf_conntrack_helper.h>
40 #include <net/netfilter/nf_conntrack_seqadj.h>
41 #include <net/netfilter/nf_conntrack_l4proto.h>
42 #include <net/netfilter/nf_conntrack_tuple.h>
43 #include <net/netfilter/nf_conntrack_acct.h>
44 #include <net/netfilter/nf_conntrack_zones.h>
45 #include <net/netfilter/nf_conntrack_timestamp.h>
46 #include <net/netfilter/nf_conntrack_labels.h>
47 #include <net/netfilter/nf_conntrack_synproxy.h>
48 #ifdef CONFIG_NF_NAT_NEEDED
49 #include <net/netfilter/nf_nat_core.h>
50 #include <net/netfilter/nf_nat_l4proto.h>
51 #include <net/netfilter/nf_nat_helper.h>
52 #endif
53
54 #include <linux/netfilter/nfnetlink.h>
55 #include <linux/netfilter/nfnetlink_conntrack.h>
56
57 MODULE_LICENSE("GPL");
58
ctnetlink_dump_tuples_proto(struct sk_buff * skb,const struct nf_conntrack_tuple * tuple,const struct nf_conntrack_l4proto * l4proto)59 static int ctnetlink_dump_tuples_proto(struct sk_buff *skb,
60 const struct nf_conntrack_tuple *tuple,
61 const struct nf_conntrack_l4proto *l4proto)
62 {
63 int ret = 0;
64 struct nlattr *nest_parms;
65
66 nest_parms = nla_nest_start(skb, CTA_TUPLE_PROTO | NLA_F_NESTED);
67 if (!nest_parms)
68 goto nla_put_failure;
69 if (nla_put_u8(skb, CTA_PROTO_NUM, tuple->dst.protonum))
70 goto nla_put_failure;
71
72 if (likely(l4proto->tuple_to_nlattr))
73 ret = l4proto->tuple_to_nlattr(skb, tuple);
74
75 nla_nest_end(skb, nest_parms);
76
77 return ret;
78
79 nla_put_failure:
80 return -1;
81 }
82
ipv4_tuple_to_nlattr(struct sk_buff * skb,const struct nf_conntrack_tuple * tuple)83 static int ipv4_tuple_to_nlattr(struct sk_buff *skb,
84 const struct nf_conntrack_tuple *tuple)
85 {
86 if (nla_put_in_addr(skb, CTA_IP_V4_SRC, tuple->src.u3.ip) ||
87 nla_put_in_addr(skb, CTA_IP_V4_DST, tuple->dst.u3.ip))
88 return -EMSGSIZE;
89 return 0;
90 }
91
ipv6_tuple_to_nlattr(struct sk_buff * skb,const struct nf_conntrack_tuple * tuple)92 static int ipv6_tuple_to_nlattr(struct sk_buff *skb,
93 const struct nf_conntrack_tuple *tuple)
94 {
95 if (nla_put_in6_addr(skb, CTA_IP_V6_SRC, &tuple->src.u3.in6) ||
96 nla_put_in6_addr(skb, CTA_IP_V6_DST, &tuple->dst.u3.in6))
97 return -EMSGSIZE;
98 return 0;
99 }
100
ctnetlink_dump_tuples_ip(struct sk_buff * skb,const struct nf_conntrack_tuple * tuple)101 static int ctnetlink_dump_tuples_ip(struct sk_buff *skb,
102 const struct nf_conntrack_tuple *tuple)
103 {
104 int ret = 0;
105 struct nlattr *nest_parms;
106
107 nest_parms = nla_nest_start(skb, CTA_TUPLE_IP | NLA_F_NESTED);
108 if (!nest_parms)
109 goto nla_put_failure;
110
111 switch (tuple->src.l3num) {
112 case NFPROTO_IPV4:
113 ret = ipv4_tuple_to_nlattr(skb, tuple);
114 break;
115 case NFPROTO_IPV6:
116 ret = ipv6_tuple_to_nlattr(skb, tuple);
117 break;
118 }
119
120 nla_nest_end(skb, nest_parms);
121
122 return ret;
123
124 nla_put_failure:
125 return -1;
126 }
127
ctnetlink_dump_tuples(struct sk_buff * skb,const struct nf_conntrack_tuple * tuple)128 static int ctnetlink_dump_tuples(struct sk_buff *skb,
129 const struct nf_conntrack_tuple *tuple)
130 {
131 const struct nf_conntrack_l4proto *l4proto;
132 int ret;
133
134 rcu_read_lock();
135 ret = ctnetlink_dump_tuples_ip(skb, tuple);
136
137 if (ret >= 0) {
138 l4proto = __nf_ct_l4proto_find(tuple->src.l3num,
139 tuple->dst.protonum);
140 ret = ctnetlink_dump_tuples_proto(skb, tuple, l4proto);
141 }
142 rcu_read_unlock();
143 return ret;
144 }
145
ctnetlink_dump_zone_id(struct sk_buff * skb,int attrtype,const struct nf_conntrack_zone * zone,int dir)146 static int ctnetlink_dump_zone_id(struct sk_buff *skb, int attrtype,
147 const struct nf_conntrack_zone *zone, int dir)
148 {
149 if (zone->id == NF_CT_DEFAULT_ZONE_ID || zone->dir != dir)
150 return 0;
151 if (nla_put_be16(skb, attrtype, htons(zone->id)))
152 goto nla_put_failure;
153 return 0;
154
155 nla_put_failure:
156 return -1;
157 }
158
ctnetlink_dump_status(struct sk_buff * skb,const struct nf_conn * ct)159 static int ctnetlink_dump_status(struct sk_buff *skb, const struct nf_conn *ct)
160 {
161 if (nla_put_be32(skb, CTA_STATUS, htonl(ct->status)))
162 goto nla_put_failure;
163 return 0;
164
165 nla_put_failure:
166 return -1;
167 }
168
ctnetlink_dump_timeout(struct sk_buff * skb,const struct nf_conn * ct)169 static int ctnetlink_dump_timeout(struct sk_buff *skb, const struct nf_conn *ct)
170 {
171 long timeout = nf_ct_expires(ct) / HZ;
172
173 if (nla_put_be32(skb, CTA_TIMEOUT, htonl(timeout)))
174 goto nla_put_failure;
175 return 0;
176
177 nla_put_failure:
178 return -1;
179 }
180
ctnetlink_dump_protoinfo(struct sk_buff * skb,struct nf_conn * ct)181 static int ctnetlink_dump_protoinfo(struct sk_buff *skb, struct nf_conn *ct)
182 {
183 const struct nf_conntrack_l4proto *l4proto;
184 struct nlattr *nest_proto;
185 int ret;
186
187 l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
188 if (!l4proto->to_nlattr)
189 return 0;
190
191 nest_proto = nla_nest_start(skb, CTA_PROTOINFO | NLA_F_NESTED);
192 if (!nest_proto)
193 goto nla_put_failure;
194
195 ret = l4proto->to_nlattr(skb, nest_proto, ct);
196
197 nla_nest_end(skb, nest_proto);
198
199 return ret;
200
201 nla_put_failure:
202 return -1;
203 }
204
ctnetlink_dump_helpinfo(struct sk_buff * skb,const struct nf_conn * ct)205 static int ctnetlink_dump_helpinfo(struct sk_buff *skb,
206 const struct nf_conn *ct)
207 {
208 struct nlattr *nest_helper;
209 const struct nf_conn_help *help = nfct_help(ct);
210 struct nf_conntrack_helper *helper;
211
212 if (!help)
213 return 0;
214
215 helper = rcu_dereference(help->helper);
216 if (!helper)
217 goto out;
218
219 nest_helper = nla_nest_start(skb, CTA_HELP | NLA_F_NESTED);
220 if (!nest_helper)
221 goto nla_put_failure;
222 if (nla_put_string(skb, CTA_HELP_NAME, helper->name))
223 goto nla_put_failure;
224
225 if (helper->to_nlattr)
226 helper->to_nlattr(skb, ct);
227
228 nla_nest_end(skb, nest_helper);
229 out:
230 return 0;
231
232 nla_put_failure:
233 return -1;
234 }
235
236 static int
dump_counters(struct sk_buff * skb,struct nf_conn_acct * acct,enum ip_conntrack_dir dir,int type)237 dump_counters(struct sk_buff *skb, struct nf_conn_acct *acct,
238 enum ip_conntrack_dir dir, int type)
239 {
240 enum ctattr_type attr = dir ? CTA_COUNTERS_REPLY: CTA_COUNTERS_ORIG;
241 struct nf_conn_counter *counter = acct->counter;
242 struct nlattr *nest_count;
243 u64 pkts, bytes;
244
245 if (type == IPCTNL_MSG_CT_GET_CTRZERO) {
246 pkts = atomic64_xchg(&counter[dir].packets, 0);
247 bytes = atomic64_xchg(&counter[dir].bytes, 0);
248 } else {
249 pkts = atomic64_read(&counter[dir].packets);
250 bytes = atomic64_read(&counter[dir].bytes);
251 }
252
253 nest_count = nla_nest_start(skb, attr | NLA_F_NESTED);
254 if (!nest_count)
255 goto nla_put_failure;
256
257 if (nla_put_be64(skb, CTA_COUNTERS_PACKETS, cpu_to_be64(pkts),
258 CTA_COUNTERS_PAD) ||
259 nla_put_be64(skb, CTA_COUNTERS_BYTES, cpu_to_be64(bytes),
260 CTA_COUNTERS_PAD))
261 goto nla_put_failure;
262
263 nla_nest_end(skb, nest_count);
264
265 return 0;
266
267 nla_put_failure:
268 return -1;
269 }
270
271 static int
ctnetlink_dump_acct(struct sk_buff * skb,const struct nf_conn * ct,int type)272 ctnetlink_dump_acct(struct sk_buff *skb, const struct nf_conn *ct, int type)
273 {
274 struct nf_conn_acct *acct = nf_conn_acct_find(ct);
275
276 if (!acct)
277 return 0;
278
279 if (dump_counters(skb, acct, IP_CT_DIR_ORIGINAL, type) < 0)
280 return -1;
281 if (dump_counters(skb, acct, IP_CT_DIR_REPLY, type) < 0)
282 return -1;
283
284 return 0;
285 }
286
287 static int
ctnetlink_dump_timestamp(struct sk_buff * skb,const struct nf_conn * ct)288 ctnetlink_dump_timestamp(struct sk_buff *skb, const struct nf_conn *ct)
289 {
290 struct nlattr *nest_count;
291 const struct nf_conn_tstamp *tstamp;
292
293 tstamp = nf_conn_tstamp_find(ct);
294 if (!tstamp)
295 return 0;
296
297 nest_count = nla_nest_start(skb, CTA_TIMESTAMP | NLA_F_NESTED);
298 if (!nest_count)
299 goto nla_put_failure;
300
301 if (nla_put_be64(skb, CTA_TIMESTAMP_START, cpu_to_be64(tstamp->start),
302 CTA_TIMESTAMP_PAD) ||
303 (tstamp->stop != 0 && nla_put_be64(skb, CTA_TIMESTAMP_STOP,
304 cpu_to_be64(tstamp->stop),
305 CTA_TIMESTAMP_PAD)))
306 goto nla_put_failure;
307 nla_nest_end(skb, nest_count);
308
309 return 0;
310
311 nla_put_failure:
312 return -1;
313 }
314
315 #ifdef CONFIG_NF_CONNTRACK_MARK
ctnetlink_dump_mark(struct sk_buff * skb,const struct nf_conn * ct)316 static int ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct)
317 {
318 if (nla_put_be32(skb, CTA_MARK, htonl(ct->mark)))
319 goto nla_put_failure;
320 return 0;
321
322 nla_put_failure:
323 return -1;
324 }
325 #else
326 #define ctnetlink_dump_mark(a, b) (0)
327 #endif
328
329 #ifdef CONFIG_NF_CONNTRACK_SECMARK
ctnetlink_dump_secctx(struct sk_buff * skb,const struct nf_conn * ct)330 static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
331 {
332 struct nlattr *nest_secctx;
333 int len, ret;
334 char *secctx;
335
336 ret = security_secid_to_secctx(ct->secmark, &secctx, &len);
337 if (ret)
338 return 0;
339
340 ret = -1;
341 nest_secctx = nla_nest_start(skb, CTA_SECCTX | NLA_F_NESTED);
342 if (!nest_secctx)
343 goto nla_put_failure;
344
345 if (nla_put_string(skb, CTA_SECCTX_NAME, secctx))
346 goto nla_put_failure;
347 nla_nest_end(skb, nest_secctx);
348
349 ret = 0;
350 nla_put_failure:
351 security_release_secctx(secctx, len);
352 return ret;
353 }
354 #else
355 #define ctnetlink_dump_secctx(a, b) (0)
356 #endif
357
358 #ifdef CONFIG_NF_CONNTRACK_LABELS
ctnetlink_label_size(const struct nf_conn * ct)359 static inline int ctnetlink_label_size(const struct nf_conn *ct)
360 {
361 struct nf_conn_labels *labels = nf_ct_labels_find(ct);
362
363 if (!labels)
364 return 0;
365 return nla_total_size(sizeof(labels->bits));
366 }
367
368 static int
ctnetlink_dump_labels(struct sk_buff * skb,const struct nf_conn * ct)369 ctnetlink_dump_labels(struct sk_buff *skb, const struct nf_conn *ct)
370 {
371 struct nf_conn_labels *labels = nf_ct_labels_find(ct);
372 unsigned int i;
373
374 if (!labels)
375 return 0;
376
377 i = 0;
378 do {
379 if (labels->bits[i] != 0)
380 return nla_put(skb, CTA_LABELS, sizeof(labels->bits),
381 labels->bits);
382 i++;
383 } while (i < ARRAY_SIZE(labels->bits));
384
385 return 0;
386 }
387 #else
388 #define ctnetlink_dump_labels(a, b) (0)
389 #define ctnetlink_label_size(a) (0)
390 #endif
391
392 #define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple)
393
ctnetlink_dump_master(struct sk_buff * skb,const struct nf_conn * ct)394 static int ctnetlink_dump_master(struct sk_buff *skb, const struct nf_conn *ct)
395 {
396 struct nlattr *nest_parms;
397
398 if (!(ct->status & IPS_EXPECTED))
399 return 0;
400
401 nest_parms = nla_nest_start(skb, CTA_TUPLE_MASTER | NLA_F_NESTED);
402 if (!nest_parms)
403 goto nla_put_failure;
404 if (ctnetlink_dump_tuples(skb, master_tuple(ct)) < 0)
405 goto nla_put_failure;
406 nla_nest_end(skb, nest_parms);
407
408 return 0;
409
410 nla_put_failure:
411 return -1;
412 }
413
414 static int
dump_ct_seq_adj(struct sk_buff * skb,const struct nf_ct_seqadj * seq,int type)415 dump_ct_seq_adj(struct sk_buff *skb, const struct nf_ct_seqadj *seq, int type)
416 {
417 struct nlattr *nest_parms;
418
419 nest_parms = nla_nest_start(skb, type | NLA_F_NESTED);
420 if (!nest_parms)
421 goto nla_put_failure;
422
423 if (nla_put_be32(skb, CTA_SEQADJ_CORRECTION_POS,
424 htonl(seq->correction_pos)) ||
425 nla_put_be32(skb, CTA_SEQADJ_OFFSET_BEFORE,
426 htonl(seq->offset_before)) ||
427 nla_put_be32(skb, CTA_SEQADJ_OFFSET_AFTER,
428 htonl(seq->offset_after)))
429 goto nla_put_failure;
430
431 nla_nest_end(skb, nest_parms);
432
433 return 0;
434
435 nla_put_failure:
436 return -1;
437 }
438
ctnetlink_dump_ct_seq_adj(struct sk_buff * skb,struct nf_conn * ct)439 static int ctnetlink_dump_ct_seq_adj(struct sk_buff *skb, struct nf_conn *ct)
440 {
441 struct nf_conn_seqadj *seqadj = nfct_seqadj(ct);
442 struct nf_ct_seqadj *seq;
443
444 if (!(ct->status & IPS_SEQ_ADJUST) || !seqadj)
445 return 0;
446
447 spin_lock_bh(&ct->lock);
448 seq = &seqadj->seq[IP_CT_DIR_ORIGINAL];
449 if (dump_ct_seq_adj(skb, seq, CTA_SEQ_ADJ_ORIG) == -1)
450 goto err;
451
452 seq = &seqadj->seq[IP_CT_DIR_REPLY];
453 if (dump_ct_seq_adj(skb, seq, CTA_SEQ_ADJ_REPLY) == -1)
454 goto err;
455
456 spin_unlock_bh(&ct->lock);
457 return 0;
458 err:
459 spin_unlock_bh(&ct->lock);
460 return -1;
461 }
462
ctnetlink_dump_ct_synproxy(struct sk_buff * skb,struct nf_conn * ct)463 static int ctnetlink_dump_ct_synproxy(struct sk_buff *skb, struct nf_conn *ct)
464 {
465 struct nf_conn_synproxy *synproxy = nfct_synproxy(ct);
466 struct nlattr *nest_parms;
467
468 if (!synproxy)
469 return 0;
470
471 nest_parms = nla_nest_start(skb, CTA_SYNPROXY | NLA_F_NESTED);
472 if (!nest_parms)
473 goto nla_put_failure;
474
475 if (nla_put_be32(skb, CTA_SYNPROXY_ISN, htonl(synproxy->isn)) ||
476 nla_put_be32(skb, CTA_SYNPROXY_ITS, htonl(synproxy->its)) ||
477 nla_put_be32(skb, CTA_SYNPROXY_TSOFF, htonl(synproxy->tsoff)))
478 goto nla_put_failure;
479
480 nla_nest_end(skb, nest_parms);
481
482 return 0;
483
484 nla_put_failure:
485 return -1;
486 }
487
ctnetlink_dump_id(struct sk_buff * skb,const struct nf_conn * ct)488 static int ctnetlink_dump_id(struct sk_buff *skb, const struct nf_conn *ct)
489 {
490 if (nla_put_be32(skb, CTA_ID, htonl((unsigned long)ct)))
491 goto nla_put_failure;
492 return 0;
493
494 nla_put_failure:
495 return -1;
496 }
497
ctnetlink_dump_use(struct sk_buff * skb,const struct nf_conn * ct)498 static int ctnetlink_dump_use(struct sk_buff *skb, const struct nf_conn *ct)
499 {
500 if (nla_put_be32(skb, CTA_USE, htonl(atomic_read(&ct->ct_general.use))))
501 goto nla_put_failure;
502 return 0;
503
504 nla_put_failure:
505 return -1;
506 }
507
508 static int
ctnetlink_fill_info(struct sk_buff * skb,u32 portid,u32 seq,u32 type,struct nf_conn * ct)509 ctnetlink_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
510 struct nf_conn *ct)
511 {
512 const struct nf_conntrack_zone *zone;
513 struct nlmsghdr *nlh;
514 struct nfgenmsg *nfmsg;
515 struct nlattr *nest_parms;
516 unsigned int flags = portid ? NLM_F_MULTI : 0, event;
517
518 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, IPCTNL_MSG_CT_NEW);
519 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
520 if (nlh == NULL)
521 goto nlmsg_failure;
522
523 nfmsg = nlmsg_data(nlh);
524 nfmsg->nfgen_family = nf_ct_l3num(ct);
525 nfmsg->version = NFNETLINK_V0;
526 nfmsg->res_id = 0;
527
528 zone = nf_ct_zone(ct);
529
530 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED);
531 if (!nest_parms)
532 goto nla_put_failure;
533 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
534 goto nla_put_failure;
535 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
536 NF_CT_ZONE_DIR_ORIG) < 0)
537 goto nla_put_failure;
538 nla_nest_end(skb, nest_parms);
539
540 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY | NLA_F_NESTED);
541 if (!nest_parms)
542 goto nla_put_failure;
543 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
544 goto nla_put_failure;
545 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
546 NF_CT_ZONE_DIR_REPL) < 0)
547 goto nla_put_failure;
548 nla_nest_end(skb, nest_parms);
549
550 if (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone,
551 NF_CT_DEFAULT_ZONE_DIR) < 0)
552 goto nla_put_failure;
553
554 if (ctnetlink_dump_status(skb, ct) < 0 ||
555 ctnetlink_dump_timeout(skb, ct) < 0 ||
556 ctnetlink_dump_acct(skb, ct, type) < 0 ||
557 ctnetlink_dump_timestamp(skb, ct) < 0 ||
558 ctnetlink_dump_protoinfo(skb, ct) < 0 ||
559 ctnetlink_dump_helpinfo(skb, ct) < 0 ||
560 ctnetlink_dump_mark(skb, ct) < 0 ||
561 ctnetlink_dump_secctx(skb, ct) < 0 ||
562 ctnetlink_dump_labels(skb, ct) < 0 ||
563 ctnetlink_dump_id(skb, ct) < 0 ||
564 ctnetlink_dump_use(skb, ct) < 0 ||
565 ctnetlink_dump_master(skb, ct) < 0 ||
566 ctnetlink_dump_ct_seq_adj(skb, ct) < 0 ||
567 ctnetlink_dump_ct_synproxy(skb, ct) < 0)
568 goto nla_put_failure;
569
570 nlmsg_end(skb, nlh);
571 return skb->len;
572
573 nlmsg_failure:
574 nla_put_failure:
575 nlmsg_cancel(skb, nlh);
576 return -1;
577 }
578
579 static const struct nla_policy cta_ip_nla_policy[CTA_IP_MAX + 1] = {
580 [CTA_IP_V4_SRC] = { .type = NLA_U32 },
581 [CTA_IP_V4_DST] = { .type = NLA_U32 },
582 [CTA_IP_V6_SRC] = { .len = sizeof(__be32) * 4 },
583 [CTA_IP_V6_DST] = { .len = sizeof(__be32) * 4 },
584 };
585
586 #if defined(CONFIG_NETFILTER_NETLINK_GLUE_CT) || defined(CONFIG_NF_CONNTRACK_EVENTS)
ctnetlink_proto_size(const struct nf_conn * ct)587 static size_t ctnetlink_proto_size(const struct nf_conn *ct)
588 {
589 const struct nf_conntrack_l4proto *l4proto;
590 size_t len, len4 = 0;
591
592 len = nla_policy_len(cta_ip_nla_policy, CTA_IP_MAX + 1);
593 len *= 3u; /* ORIG, REPLY, MASTER */
594
595 l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
596 len += l4proto->nlattr_size;
597 if (l4proto->nlattr_tuple_size) {
598 len4 = l4proto->nlattr_tuple_size();
599 len4 *= 3u; /* ORIG, REPLY, MASTER */
600 }
601
602 return len + len4;
603 }
604 #endif
605
ctnetlink_acct_size(const struct nf_conn * ct)606 static inline size_t ctnetlink_acct_size(const struct nf_conn *ct)
607 {
608 if (!nf_ct_ext_exist(ct, NF_CT_EXT_ACCT))
609 return 0;
610 return 2 * nla_total_size(0) /* CTA_COUNTERS_ORIG|REPL */
611 + 2 * nla_total_size_64bit(sizeof(uint64_t)) /* CTA_COUNTERS_PACKETS */
612 + 2 * nla_total_size_64bit(sizeof(uint64_t)) /* CTA_COUNTERS_BYTES */
613 ;
614 }
615
ctnetlink_secctx_size(const struct nf_conn * ct)616 static inline int ctnetlink_secctx_size(const struct nf_conn *ct)
617 {
618 #ifdef CONFIG_NF_CONNTRACK_SECMARK
619 int len, ret;
620
621 ret = security_secid_to_secctx(ct->secmark, NULL, &len);
622 if (ret)
623 return 0;
624
625 return nla_total_size(0) /* CTA_SECCTX */
626 + nla_total_size(sizeof(char) * len); /* CTA_SECCTX_NAME */
627 #else
628 return 0;
629 #endif
630 }
631
ctnetlink_timestamp_size(const struct nf_conn * ct)632 static inline size_t ctnetlink_timestamp_size(const struct nf_conn *ct)
633 {
634 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP
635 if (!nf_ct_ext_exist(ct, NF_CT_EXT_TSTAMP))
636 return 0;
637 return nla_total_size(0) + 2 * nla_total_size_64bit(sizeof(uint64_t));
638 #else
639 return 0;
640 #endif
641 }
642
643 #ifdef CONFIG_NF_CONNTRACK_EVENTS
ctnetlink_nlmsg_size(const struct nf_conn * ct)644 static size_t ctnetlink_nlmsg_size(const struct nf_conn *ct)
645 {
646 return NLMSG_ALIGN(sizeof(struct nfgenmsg))
647 + 3 * nla_total_size(0) /* CTA_TUPLE_ORIG|REPL|MASTER */
648 + 3 * nla_total_size(0) /* CTA_TUPLE_IP */
649 + 3 * nla_total_size(0) /* CTA_TUPLE_PROTO */
650 + 3 * nla_total_size(sizeof(u_int8_t)) /* CTA_PROTO_NUM */
651 + nla_total_size(sizeof(u_int32_t)) /* CTA_ID */
652 + nla_total_size(sizeof(u_int32_t)) /* CTA_STATUS */
653 + ctnetlink_acct_size(ct)
654 + ctnetlink_timestamp_size(ct)
655 + nla_total_size(sizeof(u_int32_t)) /* CTA_TIMEOUT */
656 + nla_total_size(0) /* CTA_PROTOINFO */
657 + nla_total_size(0) /* CTA_HELP */
658 + nla_total_size(NF_CT_HELPER_NAME_LEN) /* CTA_HELP_NAME */
659 + ctnetlink_secctx_size(ct)
660 #ifdef CONFIG_NF_NAT_NEEDED
661 + 2 * nla_total_size(0) /* CTA_NAT_SEQ_ADJ_ORIG|REPL */
662 + 6 * nla_total_size(sizeof(u_int32_t)) /* CTA_NAT_SEQ_OFFSET */
663 #endif
664 #ifdef CONFIG_NF_CONNTRACK_MARK
665 + nla_total_size(sizeof(u_int32_t)) /* CTA_MARK */
666 #endif
667 #ifdef CONFIG_NF_CONNTRACK_ZONES
668 + nla_total_size(sizeof(u_int16_t)) /* CTA_ZONE|CTA_TUPLE_ZONE */
669 #endif
670 + ctnetlink_proto_size(ct)
671 + ctnetlink_label_size(ct)
672 ;
673 }
674
675 static int
ctnetlink_conntrack_event(unsigned int events,struct nf_ct_event * item)676 ctnetlink_conntrack_event(unsigned int events, struct nf_ct_event *item)
677 {
678 const struct nf_conntrack_zone *zone;
679 struct net *net;
680 struct nlmsghdr *nlh;
681 struct nfgenmsg *nfmsg;
682 struct nlattr *nest_parms;
683 struct nf_conn *ct = item->ct;
684 struct sk_buff *skb;
685 unsigned int type;
686 unsigned int flags = 0, group;
687 int err;
688
689 if (events & (1 << IPCT_DESTROY)) {
690 type = IPCTNL_MSG_CT_DELETE;
691 group = NFNLGRP_CONNTRACK_DESTROY;
692 } else if (events & ((1 << IPCT_NEW) | (1 << IPCT_RELATED))) {
693 type = IPCTNL_MSG_CT_NEW;
694 flags = NLM_F_CREATE|NLM_F_EXCL;
695 group = NFNLGRP_CONNTRACK_NEW;
696 } else if (events) {
697 type = IPCTNL_MSG_CT_NEW;
698 group = NFNLGRP_CONNTRACK_UPDATE;
699 } else
700 return 0;
701
702 net = nf_ct_net(ct);
703 if (!item->report && !nfnetlink_has_listeners(net, group))
704 return 0;
705
706 skb = nlmsg_new(ctnetlink_nlmsg_size(ct), GFP_ATOMIC);
707 if (skb == NULL)
708 goto errout;
709
710 type = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, type);
711 nlh = nlmsg_put(skb, item->portid, 0, type, sizeof(*nfmsg), flags);
712 if (nlh == NULL)
713 goto nlmsg_failure;
714
715 nfmsg = nlmsg_data(nlh);
716 nfmsg->nfgen_family = nf_ct_l3num(ct);
717 nfmsg->version = NFNETLINK_V0;
718 nfmsg->res_id = 0;
719
720 zone = nf_ct_zone(ct);
721
722 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED);
723 if (!nest_parms)
724 goto nla_put_failure;
725 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
726 goto nla_put_failure;
727 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
728 NF_CT_ZONE_DIR_ORIG) < 0)
729 goto nla_put_failure;
730 nla_nest_end(skb, nest_parms);
731
732 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY | NLA_F_NESTED);
733 if (!nest_parms)
734 goto nla_put_failure;
735 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
736 goto nla_put_failure;
737 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
738 NF_CT_ZONE_DIR_REPL) < 0)
739 goto nla_put_failure;
740 nla_nest_end(skb, nest_parms);
741
742 if (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone,
743 NF_CT_DEFAULT_ZONE_DIR) < 0)
744 goto nla_put_failure;
745
746 if (ctnetlink_dump_id(skb, ct) < 0)
747 goto nla_put_failure;
748
749 if (ctnetlink_dump_status(skb, ct) < 0)
750 goto nla_put_failure;
751
752 if (events & (1 << IPCT_DESTROY)) {
753 if (ctnetlink_dump_acct(skb, ct, type) < 0 ||
754 ctnetlink_dump_timestamp(skb, ct) < 0)
755 goto nla_put_failure;
756 } else {
757 if (ctnetlink_dump_timeout(skb, ct) < 0)
758 goto nla_put_failure;
759
760 if (events & (1 << IPCT_PROTOINFO)
761 && ctnetlink_dump_protoinfo(skb, ct) < 0)
762 goto nla_put_failure;
763
764 if ((events & (1 << IPCT_HELPER) || nfct_help(ct))
765 && ctnetlink_dump_helpinfo(skb, ct) < 0)
766 goto nla_put_failure;
767
768 #ifdef CONFIG_NF_CONNTRACK_SECMARK
769 if ((events & (1 << IPCT_SECMARK) || ct->secmark)
770 && ctnetlink_dump_secctx(skb, ct) < 0)
771 goto nla_put_failure;
772 #endif
773 if (events & (1 << IPCT_LABEL) &&
774 ctnetlink_dump_labels(skb, ct) < 0)
775 goto nla_put_failure;
776
777 if (events & (1 << IPCT_RELATED) &&
778 ctnetlink_dump_master(skb, ct) < 0)
779 goto nla_put_failure;
780
781 if (events & (1 << IPCT_SEQADJ) &&
782 ctnetlink_dump_ct_seq_adj(skb, ct) < 0)
783 goto nla_put_failure;
784
785 if (events & (1 << IPCT_SYNPROXY) &&
786 ctnetlink_dump_ct_synproxy(skb, ct) < 0)
787 goto nla_put_failure;
788 }
789
790 #ifdef CONFIG_NF_CONNTRACK_MARK
791 if ((events & (1 << IPCT_MARK) || ct->mark)
792 && ctnetlink_dump_mark(skb, ct) < 0)
793 goto nla_put_failure;
794 #endif
795 nlmsg_end(skb, nlh);
796 err = nfnetlink_send(skb, net, item->portid, group, item->report,
797 GFP_ATOMIC);
798 if (err == -ENOBUFS || err == -EAGAIN)
799 return -ENOBUFS;
800
801 return 0;
802
803 nla_put_failure:
804 nlmsg_cancel(skb, nlh);
805 nlmsg_failure:
806 kfree_skb(skb);
807 errout:
808 if (nfnetlink_set_err(net, 0, group, -ENOBUFS) > 0)
809 return -ENOBUFS;
810
811 return 0;
812 }
813 #endif /* CONFIG_NF_CONNTRACK_EVENTS */
814
ctnetlink_done(struct netlink_callback * cb)815 static int ctnetlink_done(struct netlink_callback *cb)
816 {
817 if (cb->args[1])
818 nf_ct_put((struct nf_conn *)cb->args[1]);
819 kfree(cb->data);
820 return 0;
821 }
822
823 struct ctnetlink_filter {
824 struct {
825 u_int32_t val;
826 u_int32_t mask;
827 } mark;
828 };
829
830 static struct ctnetlink_filter *
ctnetlink_alloc_filter(const struct nlattr * const cda[])831 ctnetlink_alloc_filter(const struct nlattr * const cda[])
832 {
833 #ifdef CONFIG_NF_CONNTRACK_MARK
834 struct ctnetlink_filter *filter;
835
836 filter = kzalloc(sizeof(*filter), GFP_KERNEL);
837 if (filter == NULL)
838 return ERR_PTR(-ENOMEM);
839
840 filter->mark.val = ntohl(nla_get_be32(cda[CTA_MARK]));
841 filter->mark.mask = ntohl(nla_get_be32(cda[CTA_MARK_MASK]));
842
843 return filter;
844 #else
845 return ERR_PTR(-EOPNOTSUPP);
846 #endif
847 }
848
ctnetlink_start(struct netlink_callback * cb)849 static int ctnetlink_start(struct netlink_callback *cb)
850 {
851 const struct nlattr * const *cda = cb->data;
852 struct ctnetlink_filter *filter = NULL;
853
854 if (cda[CTA_MARK] && cda[CTA_MARK_MASK]) {
855 filter = ctnetlink_alloc_filter(cda);
856 if (IS_ERR(filter))
857 return PTR_ERR(filter);
858 }
859
860 cb->data = filter;
861 return 0;
862 }
863
ctnetlink_filter_match(struct nf_conn * ct,void * data)864 static int ctnetlink_filter_match(struct nf_conn *ct, void *data)
865 {
866 struct ctnetlink_filter *filter = data;
867
868 if (filter == NULL)
869 return 1;
870
871 #ifdef CONFIG_NF_CONNTRACK_MARK
872 if ((ct->mark & filter->mark.mask) == filter->mark.val)
873 return 1;
874 #endif
875
876 return 0;
877 }
878
879 static int
ctnetlink_dump_table(struct sk_buff * skb,struct netlink_callback * cb)880 ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
881 {
882 struct net *net = sock_net(skb->sk);
883 struct nf_conn *ct, *last;
884 struct nf_conntrack_tuple_hash *h;
885 struct hlist_nulls_node *n;
886 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
887 u_int8_t l3proto = nfmsg->nfgen_family;
888 struct nf_conn *nf_ct_evict[8];
889 int res, i;
890 spinlock_t *lockp;
891
892 last = (struct nf_conn *)cb->args[1];
893 i = 0;
894
895 local_bh_disable();
896 for (; cb->args[0] < nf_conntrack_htable_size; cb->args[0]++) {
897 restart:
898 while (i) {
899 i--;
900 if (nf_ct_should_gc(nf_ct_evict[i]))
901 nf_ct_kill(nf_ct_evict[i]);
902 nf_ct_put(nf_ct_evict[i]);
903 }
904
905 lockp = &nf_conntrack_locks[cb->args[0] % CONNTRACK_LOCKS];
906 nf_conntrack_lock(lockp);
907 if (cb->args[0] >= nf_conntrack_htable_size) {
908 spin_unlock(lockp);
909 goto out;
910 }
911 hlist_nulls_for_each_entry(h, n, &nf_conntrack_hash[cb->args[0]],
912 hnnode) {
913 if (NF_CT_DIRECTION(h) != IP_CT_DIR_ORIGINAL)
914 continue;
915 ct = nf_ct_tuplehash_to_ctrack(h);
916 if (nf_ct_is_expired(ct)) {
917 if (i < ARRAY_SIZE(nf_ct_evict) &&
918 atomic_inc_not_zero(&ct->ct_general.use))
919 nf_ct_evict[i++] = ct;
920 continue;
921 }
922
923 if (!net_eq(net, nf_ct_net(ct)))
924 continue;
925
926 /* Dump entries of a given L3 protocol number.
927 * If it is not specified, ie. l3proto == 0,
928 * then dump everything. */
929 if (l3proto && nf_ct_l3num(ct) != l3proto)
930 continue;
931 if (cb->args[1]) {
932 if (ct != last)
933 continue;
934 cb->args[1] = 0;
935 }
936 if (!ctnetlink_filter_match(ct, cb->data))
937 continue;
938
939 rcu_read_lock();
940 res =
941 ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).portid,
942 cb->nlh->nlmsg_seq,
943 NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
944 ct);
945 rcu_read_unlock();
946 if (res < 0) {
947 nf_conntrack_get(&ct->ct_general);
948 cb->args[1] = (unsigned long)ct;
949 spin_unlock(lockp);
950 goto out;
951 }
952 }
953 spin_unlock(lockp);
954 if (cb->args[1]) {
955 cb->args[1] = 0;
956 goto restart;
957 }
958 }
959 out:
960 local_bh_enable();
961 if (last) {
962 /* nf ct hash resize happened, now clear the leftover. */
963 if ((struct nf_conn *)cb->args[1] == last)
964 cb->args[1] = 0;
965
966 nf_ct_put(last);
967 }
968
969 while (i) {
970 i--;
971 if (nf_ct_should_gc(nf_ct_evict[i]))
972 nf_ct_kill(nf_ct_evict[i]);
973 nf_ct_put(nf_ct_evict[i]);
974 }
975
976 return skb->len;
977 }
978
ipv4_nlattr_to_tuple(struct nlattr * tb[],struct nf_conntrack_tuple * t)979 static int ipv4_nlattr_to_tuple(struct nlattr *tb[],
980 struct nf_conntrack_tuple *t)
981 {
982 if (!tb[CTA_IP_V4_SRC] || !tb[CTA_IP_V4_DST])
983 return -EINVAL;
984
985 t->src.u3.ip = nla_get_in_addr(tb[CTA_IP_V4_SRC]);
986 t->dst.u3.ip = nla_get_in_addr(tb[CTA_IP_V4_DST]);
987
988 return 0;
989 }
990
ipv6_nlattr_to_tuple(struct nlattr * tb[],struct nf_conntrack_tuple * t)991 static int ipv6_nlattr_to_tuple(struct nlattr *tb[],
992 struct nf_conntrack_tuple *t)
993 {
994 if (!tb[CTA_IP_V6_SRC] || !tb[CTA_IP_V6_DST])
995 return -EINVAL;
996
997 t->src.u3.in6 = nla_get_in6_addr(tb[CTA_IP_V6_SRC]);
998 t->dst.u3.in6 = nla_get_in6_addr(tb[CTA_IP_V6_DST]);
999
1000 return 0;
1001 }
1002
ctnetlink_parse_tuple_ip(struct nlattr * attr,struct nf_conntrack_tuple * tuple)1003 static int ctnetlink_parse_tuple_ip(struct nlattr *attr,
1004 struct nf_conntrack_tuple *tuple)
1005 {
1006 struct nlattr *tb[CTA_IP_MAX+1];
1007 int ret = 0;
1008
1009 ret = nla_parse_nested(tb, CTA_IP_MAX, attr, NULL, NULL);
1010 if (ret < 0)
1011 return ret;
1012
1013 ret = nla_validate_nested(attr, CTA_IP_MAX,
1014 cta_ip_nla_policy, NULL);
1015 if (ret)
1016 return ret;
1017
1018 switch (tuple->src.l3num) {
1019 case NFPROTO_IPV4:
1020 ret = ipv4_nlattr_to_tuple(tb, tuple);
1021 break;
1022 case NFPROTO_IPV6:
1023 ret = ipv6_nlattr_to_tuple(tb, tuple);
1024 break;
1025 }
1026
1027 return ret;
1028 }
1029
1030 static const struct nla_policy proto_nla_policy[CTA_PROTO_MAX+1] = {
1031 [CTA_PROTO_NUM] = { .type = NLA_U8 },
1032 };
1033
ctnetlink_parse_tuple_proto(struct nlattr * attr,struct nf_conntrack_tuple * tuple)1034 static int ctnetlink_parse_tuple_proto(struct nlattr *attr,
1035 struct nf_conntrack_tuple *tuple)
1036 {
1037 const struct nf_conntrack_l4proto *l4proto;
1038 struct nlattr *tb[CTA_PROTO_MAX+1];
1039 int ret = 0;
1040
1041 ret = nla_parse_nested(tb, CTA_PROTO_MAX, attr, proto_nla_policy,
1042 NULL);
1043 if (ret < 0)
1044 return ret;
1045
1046 if (!tb[CTA_PROTO_NUM])
1047 return -EINVAL;
1048 tuple->dst.protonum = nla_get_u8(tb[CTA_PROTO_NUM]);
1049
1050 rcu_read_lock();
1051 l4proto = __nf_ct_l4proto_find(tuple->src.l3num, tuple->dst.protonum);
1052
1053 if (likely(l4proto->nlattr_to_tuple)) {
1054 ret = nla_validate_nested(attr, CTA_PROTO_MAX,
1055 l4proto->nla_policy, NULL);
1056 if (ret == 0)
1057 ret = l4proto->nlattr_to_tuple(tb, tuple);
1058 }
1059
1060 rcu_read_unlock();
1061
1062 return ret;
1063 }
1064
1065 static int
ctnetlink_parse_zone(const struct nlattr * attr,struct nf_conntrack_zone * zone)1066 ctnetlink_parse_zone(const struct nlattr *attr,
1067 struct nf_conntrack_zone *zone)
1068 {
1069 nf_ct_zone_init(zone, NF_CT_DEFAULT_ZONE_ID,
1070 NF_CT_DEFAULT_ZONE_DIR, 0);
1071 #ifdef CONFIG_NF_CONNTRACK_ZONES
1072 if (attr)
1073 zone->id = ntohs(nla_get_be16(attr));
1074 #else
1075 if (attr)
1076 return -EOPNOTSUPP;
1077 #endif
1078 return 0;
1079 }
1080
1081 static int
ctnetlink_parse_tuple_zone(struct nlattr * attr,enum ctattr_type type,struct nf_conntrack_zone * zone)1082 ctnetlink_parse_tuple_zone(struct nlattr *attr, enum ctattr_type type,
1083 struct nf_conntrack_zone *zone)
1084 {
1085 int ret;
1086
1087 if (zone->id != NF_CT_DEFAULT_ZONE_ID)
1088 return -EINVAL;
1089
1090 ret = ctnetlink_parse_zone(attr, zone);
1091 if (ret < 0)
1092 return ret;
1093
1094 if (type == CTA_TUPLE_REPLY)
1095 zone->dir = NF_CT_ZONE_DIR_REPL;
1096 else
1097 zone->dir = NF_CT_ZONE_DIR_ORIG;
1098
1099 return 0;
1100 }
1101
1102 static const struct nla_policy tuple_nla_policy[CTA_TUPLE_MAX+1] = {
1103 [CTA_TUPLE_IP] = { .type = NLA_NESTED },
1104 [CTA_TUPLE_PROTO] = { .type = NLA_NESTED },
1105 [CTA_TUPLE_ZONE] = { .type = NLA_U16 },
1106 };
1107
1108 static int
ctnetlink_parse_tuple(const struct nlattr * const cda[],struct nf_conntrack_tuple * tuple,u32 type,u_int8_t l3num,struct nf_conntrack_zone * zone)1109 ctnetlink_parse_tuple(const struct nlattr * const cda[],
1110 struct nf_conntrack_tuple *tuple, u32 type,
1111 u_int8_t l3num, struct nf_conntrack_zone *zone)
1112 {
1113 struct nlattr *tb[CTA_TUPLE_MAX+1];
1114 int err;
1115
1116 memset(tuple, 0, sizeof(*tuple));
1117
1118 err = nla_parse_nested(tb, CTA_TUPLE_MAX, cda[type], tuple_nla_policy,
1119 NULL);
1120 if (err < 0)
1121 return err;
1122
1123 if (!tb[CTA_TUPLE_IP])
1124 return -EINVAL;
1125
1126 tuple->src.l3num = l3num;
1127
1128 err = ctnetlink_parse_tuple_ip(tb[CTA_TUPLE_IP], tuple);
1129 if (err < 0)
1130 return err;
1131
1132 if (!tb[CTA_TUPLE_PROTO])
1133 return -EINVAL;
1134
1135 err = ctnetlink_parse_tuple_proto(tb[CTA_TUPLE_PROTO], tuple);
1136 if (err < 0)
1137 return err;
1138
1139 if (tb[CTA_TUPLE_ZONE]) {
1140 if (!zone)
1141 return -EINVAL;
1142
1143 err = ctnetlink_parse_tuple_zone(tb[CTA_TUPLE_ZONE],
1144 type, zone);
1145 if (err < 0)
1146 return err;
1147 }
1148
1149 /* orig and expect tuples get DIR_ORIGINAL */
1150 if (type == CTA_TUPLE_REPLY)
1151 tuple->dst.dir = IP_CT_DIR_REPLY;
1152 else
1153 tuple->dst.dir = IP_CT_DIR_ORIGINAL;
1154
1155 return 0;
1156 }
1157
1158 static const struct nla_policy help_nla_policy[CTA_HELP_MAX+1] = {
1159 [CTA_HELP_NAME] = { .type = NLA_NUL_STRING,
1160 .len = NF_CT_HELPER_NAME_LEN - 1 },
1161 };
1162
ctnetlink_parse_help(const struct nlattr * attr,char ** helper_name,struct nlattr ** helpinfo)1163 static int ctnetlink_parse_help(const struct nlattr *attr, char **helper_name,
1164 struct nlattr **helpinfo)
1165 {
1166 int err;
1167 struct nlattr *tb[CTA_HELP_MAX+1];
1168
1169 err = nla_parse_nested(tb, CTA_HELP_MAX, attr, help_nla_policy, NULL);
1170 if (err < 0)
1171 return err;
1172
1173 if (!tb[CTA_HELP_NAME])
1174 return -EINVAL;
1175
1176 *helper_name = nla_data(tb[CTA_HELP_NAME]);
1177
1178 if (tb[CTA_HELP_INFO])
1179 *helpinfo = tb[CTA_HELP_INFO];
1180
1181 return 0;
1182 }
1183
1184 static const struct nla_policy ct_nla_policy[CTA_MAX+1] = {
1185 [CTA_TUPLE_ORIG] = { .type = NLA_NESTED },
1186 [CTA_TUPLE_REPLY] = { .type = NLA_NESTED },
1187 [CTA_STATUS] = { .type = NLA_U32 },
1188 [CTA_PROTOINFO] = { .type = NLA_NESTED },
1189 [CTA_HELP] = { .type = NLA_NESTED },
1190 [CTA_NAT_SRC] = { .type = NLA_NESTED },
1191 [CTA_TIMEOUT] = { .type = NLA_U32 },
1192 [CTA_MARK] = { .type = NLA_U32 },
1193 [CTA_ID] = { .type = NLA_U32 },
1194 [CTA_NAT_DST] = { .type = NLA_NESTED },
1195 [CTA_TUPLE_MASTER] = { .type = NLA_NESTED },
1196 [CTA_NAT_SEQ_ADJ_ORIG] = { .type = NLA_NESTED },
1197 [CTA_NAT_SEQ_ADJ_REPLY] = { .type = NLA_NESTED },
1198 [CTA_ZONE] = { .type = NLA_U16 },
1199 [CTA_MARK_MASK] = { .type = NLA_U32 },
1200 [CTA_LABELS] = { .type = NLA_BINARY,
1201 .len = NF_CT_LABELS_MAX_SIZE },
1202 [CTA_LABELS_MASK] = { .type = NLA_BINARY,
1203 .len = NF_CT_LABELS_MAX_SIZE },
1204 };
1205
ctnetlink_flush_iterate(struct nf_conn * ct,void * data)1206 static int ctnetlink_flush_iterate(struct nf_conn *ct, void *data)
1207 {
1208 if (test_bit(IPS_OFFLOAD_BIT, &ct->status))
1209 return 0;
1210
1211 return ctnetlink_filter_match(ct, data);
1212 }
1213
ctnetlink_flush_conntrack(struct net * net,const struct nlattr * const cda[],u32 portid,int report)1214 static int ctnetlink_flush_conntrack(struct net *net,
1215 const struct nlattr * const cda[],
1216 u32 portid, int report)
1217 {
1218 struct ctnetlink_filter *filter = NULL;
1219
1220 if (cda[CTA_MARK] && cda[CTA_MARK_MASK]) {
1221 filter = ctnetlink_alloc_filter(cda);
1222 if (IS_ERR(filter))
1223 return PTR_ERR(filter);
1224 }
1225
1226 nf_ct_iterate_cleanup_net(net, ctnetlink_flush_iterate, filter,
1227 portid, report);
1228 kfree(filter);
1229
1230 return 0;
1231 }
1232
ctnetlink_del_conntrack(struct net * net,struct sock * ctnl,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const cda[],struct netlink_ext_ack * extack)1233 static int ctnetlink_del_conntrack(struct net *net, struct sock *ctnl,
1234 struct sk_buff *skb,
1235 const struct nlmsghdr *nlh,
1236 const struct nlattr * const cda[],
1237 struct netlink_ext_ack *extack)
1238 {
1239 struct nf_conntrack_tuple_hash *h;
1240 struct nf_conntrack_tuple tuple;
1241 struct nf_conn *ct;
1242 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1243 u_int8_t u3 = nfmsg->nfgen_family;
1244 struct nf_conntrack_zone zone;
1245 int err;
1246
1247 err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone);
1248 if (err < 0)
1249 return err;
1250
1251 if (cda[CTA_TUPLE_ORIG])
1252 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG,
1253 u3, &zone);
1254 else if (cda[CTA_TUPLE_REPLY])
1255 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY,
1256 u3, &zone);
1257 else {
1258 return ctnetlink_flush_conntrack(net, cda,
1259 NETLINK_CB(skb).portid,
1260 nlmsg_report(nlh));
1261 }
1262
1263 if (err < 0)
1264 return err;
1265
1266 h = nf_conntrack_find_get(net, &zone, &tuple);
1267 if (!h)
1268 return -ENOENT;
1269
1270 ct = nf_ct_tuplehash_to_ctrack(h);
1271
1272 if (test_bit(IPS_OFFLOAD_BIT, &ct->status)) {
1273 nf_ct_put(ct);
1274 return -EBUSY;
1275 }
1276
1277 if (cda[CTA_ID]) {
1278 u_int32_t id = ntohl(nla_get_be32(cda[CTA_ID]));
1279 if (id != (u32)(unsigned long)ct) {
1280 nf_ct_put(ct);
1281 return -ENOENT;
1282 }
1283 }
1284
1285 nf_ct_delete(ct, NETLINK_CB(skb).portid, nlmsg_report(nlh));
1286 nf_ct_put(ct);
1287
1288 return 0;
1289 }
1290
ctnetlink_get_conntrack(struct net * net,struct sock * ctnl,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const cda[],struct netlink_ext_ack * extack)1291 static int ctnetlink_get_conntrack(struct net *net, struct sock *ctnl,
1292 struct sk_buff *skb,
1293 const struct nlmsghdr *nlh,
1294 const struct nlattr * const cda[],
1295 struct netlink_ext_ack *extack)
1296 {
1297 struct nf_conntrack_tuple_hash *h;
1298 struct nf_conntrack_tuple tuple;
1299 struct nf_conn *ct;
1300 struct sk_buff *skb2 = NULL;
1301 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1302 u_int8_t u3 = nfmsg->nfgen_family;
1303 struct nf_conntrack_zone zone;
1304 int err;
1305
1306 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1307 struct netlink_dump_control c = {
1308 .start = ctnetlink_start,
1309 .dump = ctnetlink_dump_table,
1310 .done = ctnetlink_done,
1311 .data = (void *)cda,
1312 };
1313
1314 return netlink_dump_start(ctnl, skb, nlh, &c);
1315 }
1316
1317 err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone);
1318 if (err < 0)
1319 return err;
1320
1321 if (cda[CTA_TUPLE_ORIG])
1322 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG,
1323 u3, &zone);
1324 else if (cda[CTA_TUPLE_REPLY])
1325 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY,
1326 u3, &zone);
1327 else
1328 return -EINVAL;
1329
1330 if (err < 0)
1331 return err;
1332
1333 h = nf_conntrack_find_get(net, &zone, &tuple);
1334 if (!h)
1335 return -ENOENT;
1336
1337 ct = nf_ct_tuplehash_to_ctrack(h);
1338
1339 err = -ENOMEM;
1340 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1341 if (skb2 == NULL) {
1342 nf_ct_put(ct);
1343 return -ENOMEM;
1344 }
1345
1346 rcu_read_lock();
1347 err = ctnetlink_fill_info(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq,
1348 NFNL_MSG_TYPE(nlh->nlmsg_type), ct);
1349 rcu_read_unlock();
1350 nf_ct_put(ct);
1351 if (err <= 0)
1352 goto free;
1353
1354 err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
1355 if (err < 0)
1356 goto out;
1357
1358 return 0;
1359
1360 free:
1361 kfree_skb(skb2);
1362 out:
1363 /* this avoids a loop in nfnetlink. */
1364 return err == -EAGAIN ? -ENOBUFS : err;
1365 }
1366
ctnetlink_done_list(struct netlink_callback * cb)1367 static int ctnetlink_done_list(struct netlink_callback *cb)
1368 {
1369 if (cb->args[1])
1370 nf_ct_put((struct nf_conn *)cb->args[1]);
1371 return 0;
1372 }
1373
1374 static int
ctnetlink_dump_list(struct sk_buff * skb,struct netlink_callback * cb,bool dying)1375 ctnetlink_dump_list(struct sk_buff *skb, struct netlink_callback *cb, bool dying)
1376 {
1377 struct nf_conn *ct, *last;
1378 struct nf_conntrack_tuple_hash *h;
1379 struct hlist_nulls_node *n;
1380 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1381 u_int8_t l3proto = nfmsg->nfgen_family;
1382 int res;
1383 int cpu;
1384 struct hlist_nulls_head *list;
1385 struct net *net = sock_net(skb->sk);
1386
1387 if (cb->args[2])
1388 return 0;
1389
1390 last = (struct nf_conn *)cb->args[1];
1391
1392 for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) {
1393 struct ct_pcpu *pcpu;
1394
1395 if (!cpu_possible(cpu))
1396 continue;
1397
1398 pcpu = per_cpu_ptr(net->ct.pcpu_lists, cpu);
1399 spin_lock_bh(&pcpu->lock);
1400 list = dying ? &pcpu->dying : &pcpu->unconfirmed;
1401 restart:
1402 hlist_nulls_for_each_entry(h, n, list, hnnode) {
1403 ct = nf_ct_tuplehash_to_ctrack(h);
1404 if (l3proto && nf_ct_l3num(ct) != l3proto)
1405 continue;
1406 if (cb->args[1]) {
1407 if (ct != last)
1408 continue;
1409 cb->args[1] = 0;
1410 }
1411 rcu_read_lock();
1412 res = ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).portid,
1413 cb->nlh->nlmsg_seq,
1414 NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
1415 ct);
1416 rcu_read_unlock();
1417 if (res < 0) {
1418 if (!atomic_inc_not_zero(&ct->ct_general.use))
1419 continue;
1420 cb->args[0] = cpu;
1421 cb->args[1] = (unsigned long)ct;
1422 spin_unlock_bh(&pcpu->lock);
1423 goto out;
1424 }
1425 }
1426 if (cb->args[1]) {
1427 cb->args[1] = 0;
1428 goto restart;
1429 }
1430 spin_unlock_bh(&pcpu->lock);
1431 }
1432 cb->args[2] = 1;
1433 out:
1434 if (last)
1435 nf_ct_put(last);
1436
1437 return skb->len;
1438 }
1439
1440 static int
ctnetlink_dump_dying(struct sk_buff * skb,struct netlink_callback * cb)1441 ctnetlink_dump_dying(struct sk_buff *skb, struct netlink_callback *cb)
1442 {
1443 return ctnetlink_dump_list(skb, cb, true);
1444 }
1445
ctnetlink_get_ct_dying(struct net * net,struct sock * ctnl,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const cda[],struct netlink_ext_ack * extack)1446 static int ctnetlink_get_ct_dying(struct net *net, struct sock *ctnl,
1447 struct sk_buff *skb,
1448 const struct nlmsghdr *nlh,
1449 const struct nlattr * const cda[],
1450 struct netlink_ext_ack *extack)
1451 {
1452 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1453 struct netlink_dump_control c = {
1454 .dump = ctnetlink_dump_dying,
1455 .done = ctnetlink_done_list,
1456 };
1457 return netlink_dump_start(ctnl, skb, nlh, &c);
1458 }
1459
1460 return -EOPNOTSUPP;
1461 }
1462
1463 static int
ctnetlink_dump_unconfirmed(struct sk_buff * skb,struct netlink_callback * cb)1464 ctnetlink_dump_unconfirmed(struct sk_buff *skb, struct netlink_callback *cb)
1465 {
1466 return ctnetlink_dump_list(skb, cb, false);
1467 }
1468
ctnetlink_get_ct_unconfirmed(struct net * net,struct sock * ctnl,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const cda[],struct netlink_ext_ack * extack)1469 static int ctnetlink_get_ct_unconfirmed(struct net *net, struct sock *ctnl,
1470 struct sk_buff *skb,
1471 const struct nlmsghdr *nlh,
1472 const struct nlattr * const cda[],
1473 struct netlink_ext_ack *extack)
1474 {
1475 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1476 struct netlink_dump_control c = {
1477 .dump = ctnetlink_dump_unconfirmed,
1478 .done = ctnetlink_done_list,
1479 };
1480 return netlink_dump_start(ctnl, skb, nlh, &c);
1481 }
1482
1483 return -EOPNOTSUPP;
1484 }
1485
1486 #ifdef CONFIG_NF_NAT_NEEDED
1487 static int
ctnetlink_parse_nat_setup(struct nf_conn * ct,enum nf_nat_manip_type manip,const struct nlattr * attr)1488 ctnetlink_parse_nat_setup(struct nf_conn *ct,
1489 enum nf_nat_manip_type manip,
1490 const struct nlattr *attr)
1491 {
1492 struct nf_nat_hook *nat_hook;
1493 int err;
1494
1495 nat_hook = rcu_dereference(nf_nat_hook);
1496 if (!nat_hook) {
1497 #ifdef CONFIG_MODULES
1498 rcu_read_unlock();
1499 nfnl_unlock(NFNL_SUBSYS_CTNETLINK);
1500 if (request_module("nf-nat") < 0) {
1501 nfnl_lock(NFNL_SUBSYS_CTNETLINK);
1502 rcu_read_lock();
1503 return -EOPNOTSUPP;
1504 }
1505 nfnl_lock(NFNL_SUBSYS_CTNETLINK);
1506 rcu_read_lock();
1507 nat_hook = rcu_dereference(nf_nat_hook);
1508 if (nat_hook)
1509 return -EAGAIN;
1510 #endif
1511 return -EOPNOTSUPP;
1512 }
1513
1514 err = nat_hook->parse_nat_setup(ct, manip, attr);
1515 if (err == -EAGAIN) {
1516 #ifdef CONFIG_MODULES
1517 rcu_read_unlock();
1518 nfnl_unlock(NFNL_SUBSYS_CTNETLINK);
1519 if (request_module("nf-nat-%u", nf_ct_l3num(ct)) < 0) {
1520 nfnl_lock(NFNL_SUBSYS_CTNETLINK);
1521 rcu_read_lock();
1522 return -EOPNOTSUPP;
1523 }
1524 nfnl_lock(NFNL_SUBSYS_CTNETLINK);
1525 rcu_read_lock();
1526 #else
1527 err = -EOPNOTSUPP;
1528 #endif
1529 }
1530 return err;
1531 }
1532 #endif
1533
1534 static void
__ctnetlink_change_status(struct nf_conn * ct,unsigned long on,unsigned long off)1535 __ctnetlink_change_status(struct nf_conn *ct, unsigned long on,
1536 unsigned long off)
1537 {
1538 unsigned int bit;
1539
1540 /* Ignore these unchangable bits */
1541 on &= ~IPS_UNCHANGEABLE_MASK;
1542 off &= ~IPS_UNCHANGEABLE_MASK;
1543
1544 for (bit = 0; bit < __IPS_MAX_BIT; bit++) {
1545 if (on & (1 << bit))
1546 set_bit(bit, &ct->status);
1547 else if (off & (1 << bit))
1548 clear_bit(bit, &ct->status);
1549 }
1550 }
1551
1552 static int
ctnetlink_change_status(struct nf_conn * ct,const struct nlattr * const cda[])1553 ctnetlink_change_status(struct nf_conn *ct, const struct nlattr * const cda[])
1554 {
1555 unsigned long d;
1556 unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS]));
1557 d = ct->status ^ status;
1558
1559 if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING))
1560 /* unchangeable */
1561 return -EBUSY;
1562
1563 if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY))
1564 /* SEEN_REPLY bit can only be set */
1565 return -EBUSY;
1566
1567 if (d & IPS_ASSURED && !(status & IPS_ASSURED))
1568 /* ASSURED bit can only be set */
1569 return -EBUSY;
1570
1571 __ctnetlink_change_status(ct, status, 0);
1572 return 0;
1573 }
1574
1575 static int
ctnetlink_setup_nat(struct nf_conn * ct,const struct nlattr * const cda[])1576 ctnetlink_setup_nat(struct nf_conn *ct, const struct nlattr * const cda[])
1577 {
1578 #ifdef CONFIG_NF_NAT_NEEDED
1579 int ret;
1580
1581 if (!cda[CTA_NAT_DST] && !cda[CTA_NAT_SRC])
1582 return 0;
1583
1584 ret = ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_DST,
1585 cda[CTA_NAT_DST]);
1586 if (ret < 0)
1587 return ret;
1588
1589 return ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_SRC,
1590 cda[CTA_NAT_SRC]);
1591 #else
1592 if (!cda[CTA_NAT_DST] && !cda[CTA_NAT_SRC])
1593 return 0;
1594 return -EOPNOTSUPP;
1595 #endif
1596 }
1597
ctnetlink_change_helper(struct nf_conn * ct,const struct nlattr * const cda[])1598 static int ctnetlink_change_helper(struct nf_conn *ct,
1599 const struct nlattr * const cda[])
1600 {
1601 struct nf_conntrack_helper *helper;
1602 struct nf_conn_help *help = nfct_help(ct);
1603 char *helpname = NULL;
1604 struct nlattr *helpinfo = NULL;
1605 int err;
1606
1607 err = ctnetlink_parse_help(cda[CTA_HELP], &helpname, &helpinfo);
1608 if (err < 0)
1609 return err;
1610
1611 /* don't change helper of sibling connections */
1612 if (ct->master) {
1613 /* If we try to change the helper to the same thing twice,
1614 * treat the second attempt as a no-op instead of returning
1615 * an error.
1616 */
1617 err = -EBUSY;
1618 if (help) {
1619 rcu_read_lock();
1620 helper = rcu_dereference(help->helper);
1621 if (helper && !strcmp(helper->name, helpname))
1622 err = 0;
1623 rcu_read_unlock();
1624 }
1625
1626 return err;
1627 }
1628
1629 if (!strcmp(helpname, "")) {
1630 if (help && help->helper) {
1631 /* we had a helper before ... */
1632 nf_ct_remove_expectations(ct);
1633 RCU_INIT_POINTER(help->helper, NULL);
1634 }
1635
1636 return 0;
1637 }
1638
1639 rcu_read_lock();
1640 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
1641 nf_ct_protonum(ct));
1642 if (helper == NULL) {
1643 rcu_read_unlock();
1644 return -EOPNOTSUPP;
1645 }
1646
1647 if (help) {
1648 if (help->helper == helper) {
1649 /* update private helper data if allowed. */
1650 if (helper->from_nlattr)
1651 helper->from_nlattr(helpinfo, ct);
1652 err = 0;
1653 } else
1654 err = -EBUSY;
1655 } else {
1656 /* we cannot set a helper for an existing conntrack */
1657 err = -EOPNOTSUPP;
1658 }
1659
1660 rcu_read_unlock();
1661 return err;
1662 }
1663
ctnetlink_change_timeout(struct nf_conn * ct,const struct nlattr * const cda[])1664 static int ctnetlink_change_timeout(struct nf_conn *ct,
1665 const struct nlattr * const cda[])
1666 {
1667 u64 timeout = (u64)ntohl(nla_get_be32(cda[CTA_TIMEOUT])) * HZ;
1668
1669 if (timeout > INT_MAX)
1670 timeout = INT_MAX;
1671 ct->timeout = nfct_time_stamp + (u32)timeout;
1672
1673 if (test_bit(IPS_DYING_BIT, &ct->status))
1674 return -ETIME;
1675
1676 return 0;
1677 }
1678
1679 static const struct nla_policy protoinfo_policy[CTA_PROTOINFO_MAX+1] = {
1680 [CTA_PROTOINFO_TCP] = { .type = NLA_NESTED },
1681 [CTA_PROTOINFO_DCCP] = { .type = NLA_NESTED },
1682 [CTA_PROTOINFO_SCTP] = { .type = NLA_NESTED },
1683 };
1684
ctnetlink_change_protoinfo(struct nf_conn * ct,const struct nlattr * const cda[])1685 static int ctnetlink_change_protoinfo(struct nf_conn *ct,
1686 const struct nlattr * const cda[])
1687 {
1688 const struct nlattr *attr = cda[CTA_PROTOINFO];
1689 const struct nf_conntrack_l4proto *l4proto;
1690 struct nlattr *tb[CTA_PROTOINFO_MAX+1];
1691 int err = 0;
1692
1693 err = nla_parse_nested(tb, CTA_PROTOINFO_MAX, attr, protoinfo_policy,
1694 NULL);
1695 if (err < 0)
1696 return err;
1697
1698 rcu_read_lock();
1699 l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
1700 if (l4proto->from_nlattr)
1701 err = l4proto->from_nlattr(tb, ct);
1702 rcu_read_unlock();
1703
1704 return err;
1705 }
1706
1707 static const struct nla_policy seqadj_policy[CTA_SEQADJ_MAX+1] = {
1708 [CTA_SEQADJ_CORRECTION_POS] = { .type = NLA_U32 },
1709 [CTA_SEQADJ_OFFSET_BEFORE] = { .type = NLA_U32 },
1710 [CTA_SEQADJ_OFFSET_AFTER] = { .type = NLA_U32 },
1711 };
1712
change_seq_adj(struct nf_ct_seqadj * seq,const struct nlattr * const attr)1713 static int change_seq_adj(struct nf_ct_seqadj *seq,
1714 const struct nlattr * const attr)
1715 {
1716 int err;
1717 struct nlattr *cda[CTA_SEQADJ_MAX+1];
1718
1719 err = nla_parse_nested(cda, CTA_SEQADJ_MAX, attr, seqadj_policy, NULL);
1720 if (err < 0)
1721 return err;
1722
1723 if (!cda[CTA_SEQADJ_CORRECTION_POS])
1724 return -EINVAL;
1725
1726 seq->correction_pos =
1727 ntohl(nla_get_be32(cda[CTA_SEQADJ_CORRECTION_POS]));
1728
1729 if (!cda[CTA_SEQADJ_OFFSET_BEFORE])
1730 return -EINVAL;
1731
1732 seq->offset_before =
1733 ntohl(nla_get_be32(cda[CTA_SEQADJ_OFFSET_BEFORE]));
1734
1735 if (!cda[CTA_SEQADJ_OFFSET_AFTER])
1736 return -EINVAL;
1737
1738 seq->offset_after =
1739 ntohl(nla_get_be32(cda[CTA_SEQADJ_OFFSET_AFTER]));
1740
1741 return 0;
1742 }
1743
1744 static int
ctnetlink_change_seq_adj(struct nf_conn * ct,const struct nlattr * const cda[])1745 ctnetlink_change_seq_adj(struct nf_conn *ct,
1746 const struct nlattr * const cda[])
1747 {
1748 struct nf_conn_seqadj *seqadj = nfct_seqadj(ct);
1749 int ret = 0;
1750
1751 if (!seqadj)
1752 return 0;
1753
1754 spin_lock_bh(&ct->lock);
1755 if (cda[CTA_SEQ_ADJ_ORIG]) {
1756 ret = change_seq_adj(&seqadj->seq[IP_CT_DIR_ORIGINAL],
1757 cda[CTA_SEQ_ADJ_ORIG]);
1758 if (ret < 0)
1759 goto err;
1760
1761 set_bit(IPS_SEQ_ADJUST_BIT, &ct->status);
1762 }
1763
1764 if (cda[CTA_SEQ_ADJ_REPLY]) {
1765 ret = change_seq_adj(&seqadj->seq[IP_CT_DIR_REPLY],
1766 cda[CTA_SEQ_ADJ_REPLY]);
1767 if (ret < 0)
1768 goto err;
1769
1770 set_bit(IPS_SEQ_ADJUST_BIT, &ct->status);
1771 }
1772
1773 spin_unlock_bh(&ct->lock);
1774 return 0;
1775 err:
1776 spin_unlock_bh(&ct->lock);
1777 return ret;
1778 }
1779
1780 static const struct nla_policy synproxy_policy[CTA_SYNPROXY_MAX + 1] = {
1781 [CTA_SYNPROXY_ISN] = { .type = NLA_U32 },
1782 [CTA_SYNPROXY_ITS] = { .type = NLA_U32 },
1783 [CTA_SYNPROXY_TSOFF] = { .type = NLA_U32 },
1784 };
1785
ctnetlink_change_synproxy(struct nf_conn * ct,const struct nlattr * const cda[])1786 static int ctnetlink_change_synproxy(struct nf_conn *ct,
1787 const struct nlattr * const cda[])
1788 {
1789 struct nf_conn_synproxy *synproxy = nfct_synproxy(ct);
1790 struct nlattr *tb[CTA_SYNPROXY_MAX + 1];
1791 int err;
1792
1793 if (!synproxy)
1794 return 0;
1795
1796 err = nla_parse_nested(tb, CTA_SYNPROXY_MAX, cda[CTA_SYNPROXY],
1797 synproxy_policy, NULL);
1798 if (err < 0)
1799 return err;
1800
1801 if (!tb[CTA_SYNPROXY_ISN] ||
1802 !tb[CTA_SYNPROXY_ITS] ||
1803 !tb[CTA_SYNPROXY_TSOFF])
1804 return -EINVAL;
1805
1806 synproxy->isn = ntohl(nla_get_be32(tb[CTA_SYNPROXY_ISN]));
1807 synproxy->its = ntohl(nla_get_be32(tb[CTA_SYNPROXY_ITS]));
1808 synproxy->tsoff = ntohl(nla_get_be32(tb[CTA_SYNPROXY_TSOFF]));
1809
1810 return 0;
1811 }
1812
1813 static int
ctnetlink_attach_labels(struct nf_conn * ct,const struct nlattr * const cda[])1814 ctnetlink_attach_labels(struct nf_conn *ct, const struct nlattr * const cda[])
1815 {
1816 #ifdef CONFIG_NF_CONNTRACK_LABELS
1817 size_t len = nla_len(cda[CTA_LABELS]);
1818 const void *mask = cda[CTA_LABELS_MASK];
1819
1820 if (len & (sizeof(u32)-1)) /* must be multiple of u32 */
1821 return -EINVAL;
1822
1823 if (mask) {
1824 if (nla_len(cda[CTA_LABELS_MASK]) == 0 ||
1825 nla_len(cda[CTA_LABELS_MASK]) != len)
1826 return -EINVAL;
1827 mask = nla_data(cda[CTA_LABELS_MASK]);
1828 }
1829
1830 len /= sizeof(u32);
1831
1832 return nf_connlabels_replace(ct, nla_data(cda[CTA_LABELS]), mask, len);
1833 #else
1834 return -EOPNOTSUPP;
1835 #endif
1836 }
1837
1838 static int
ctnetlink_change_conntrack(struct nf_conn * ct,const struct nlattr * const cda[])1839 ctnetlink_change_conntrack(struct nf_conn *ct,
1840 const struct nlattr * const cda[])
1841 {
1842 int err;
1843
1844 /* only allow NAT changes and master assignation for new conntracks */
1845 if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST] || cda[CTA_TUPLE_MASTER])
1846 return -EOPNOTSUPP;
1847
1848 if (cda[CTA_HELP]) {
1849 err = ctnetlink_change_helper(ct, cda);
1850 if (err < 0)
1851 return err;
1852 }
1853
1854 if (cda[CTA_TIMEOUT]) {
1855 err = ctnetlink_change_timeout(ct, cda);
1856 if (err < 0)
1857 return err;
1858 }
1859
1860 if (cda[CTA_STATUS]) {
1861 err = ctnetlink_change_status(ct, cda);
1862 if (err < 0)
1863 return err;
1864 }
1865
1866 if (cda[CTA_PROTOINFO]) {
1867 err = ctnetlink_change_protoinfo(ct, cda);
1868 if (err < 0)
1869 return err;
1870 }
1871
1872 #if defined(CONFIG_NF_CONNTRACK_MARK)
1873 if (cda[CTA_MARK])
1874 ct->mark = ntohl(nla_get_be32(cda[CTA_MARK]));
1875 #endif
1876
1877 if (cda[CTA_SEQ_ADJ_ORIG] || cda[CTA_SEQ_ADJ_REPLY]) {
1878 err = ctnetlink_change_seq_adj(ct, cda);
1879 if (err < 0)
1880 return err;
1881 }
1882
1883 if (cda[CTA_SYNPROXY]) {
1884 err = ctnetlink_change_synproxy(ct, cda);
1885 if (err < 0)
1886 return err;
1887 }
1888
1889 if (cda[CTA_LABELS]) {
1890 err = ctnetlink_attach_labels(ct, cda);
1891 if (err < 0)
1892 return err;
1893 }
1894
1895 return 0;
1896 }
1897
1898 static struct nf_conn *
ctnetlink_create_conntrack(struct net * net,const struct nf_conntrack_zone * zone,const struct nlattr * const cda[],struct nf_conntrack_tuple * otuple,struct nf_conntrack_tuple * rtuple,u8 u3)1899 ctnetlink_create_conntrack(struct net *net,
1900 const struct nf_conntrack_zone *zone,
1901 const struct nlattr * const cda[],
1902 struct nf_conntrack_tuple *otuple,
1903 struct nf_conntrack_tuple *rtuple,
1904 u8 u3)
1905 {
1906 struct nf_conn *ct;
1907 int err = -EINVAL;
1908 struct nf_conntrack_helper *helper;
1909 struct nf_conn_tstamp *tstamp;
1910 u64 timeout;
1911
1912 ct = nf_conntrack_alloc(net, zone, otuple, rtuple, GFP_ATOMIC);
1913 if (IS_ERR(ct))
1914 return ERR_PTR(-ENOMEM);
1915
1916 if (!cda[CTA_TIMEOUT])
1917 goto err1;
1918
1919 timeout = (u64)ntohl(nla_get_be32(cda[CTA_TIMEOUT])) * HZ;
1920 if (timeout > INT_MAX)
1921 timeout = INT_MAX;
1922 ct->timeout = (u32)timeout + nfct_time_stamp;
1923
1924 rcu_read_lock();
1925 if (cda[CTA_HELP]) {
1926 char *helpname = NULL;
1927 struct nlattr *helpinfo = NULL;
1928
1929 err = ctnetlink_parse_help(cda[CTA_HELP], &helpname, &helpinfo);
1930 if (err < 0)
1931 goto err2;
1932
1933 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
1934 nf_ct_protonum(ct));
1935 if (helper == NULL) {
1936 rcu_read_unlock();
1937 #ifdef CONFIG_MODULES
1938 if (request_module("nfct-helper-%s", helpname) < 0) {
1939 err = -EOPNOTSUPP;
1940 goto err1;
1941 }
1942
1943 rcu_read_lock();
1944 helper = __nf_conntrack_helper_find(helpname,
1945 nf_ct_l3num(ct),
1946 nf_ct_protonum(ct));
1947 if (helper) {
1948 err = -EAGAIN;
1949 goto err2;
1950 }
1951 rcu_read_unlock();
1952 #endif
1953 err = -EOPNOTSUPP;
1954 goto err1;
1955 } else {
1956 struct nf_conn_help *help;
1957
1958 help = nf_ct_helper_ext_add(ct, GFP_ATOMIC);
1959 if (help == NULL) {
1960 err = -ENOMEM;
1961 goto err2;
1962 }
1963 /* set private helper data if allowed. */
1964 if (helper->from_nlattr)
1965 helper->from_nlattr(helpinfo, ct);
1966
1967 /* not in hash table yet so not strictly necessary */
1968 RCU_INIT_POINTER(help->helper, helper);
1969 }
1970 } else {
1971 /* try an implicit helper assignation */
1972 err = __nf_ct_try_assign_helper(ct, NULL, GFP_ATOMIC);
1973 if (err < 0)
1974 goto err2;
1975 }
1976
1977 err = ctnetlink_setup_nat(ct, cda);
1978 if (err < 0)
1979 goto err2;
1980
1981 nf_ct_acct_ext_add(ct, GFP_ATOMIC);
1982 nf_ct_tstamp_ext_add(ct, GFP_ATOMIC);
1983 nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC);
1984 nf_ct_labels_ext_add(ct);
1985 nfct_seqadj_ext_add(ct);
1986 nfct_synproxy_ext_add(ct);
1987
1988 /* we must add conntrack extensions before confirmation. */
1989 ct->status |= IPS_CONFIRMED;
1990
1991 if (cda[CTA_STATUS]) {
1992 err = ctnetlink_change_status(ct, cda);
1993 if (err < 0)
1994 goto err2;
1995 }
1996
1997 if (cda[CTA_SEQ_ADJ_ORIG] || cda[CTA_SEQ_ADJ_REPLY]) {
1998 err = ctnetlink_change_seq_adj(ct, cda);
1999 if (err < 0)
2000 goto err2;
2001 }
2002
2003 memset(&ct->proto, 0, sizeof(ct->proto));
2004 if (cda[CTA_PROTOINFO]) {
2005 err = ctnetlink_change_protoinfo(ct, cda);
2006 if (err < 0)
2007 goto err2;
2008 }
2009
2010 if (cda[CTA_SYNPROXY]) {
2011 err = ctnetlink_change_synproxy(ct, cda);
2012 if (err < 0)
2013 goto err2;
2014 }
2015
2016 #if defined(CONFIG_NF_CONNTRACK_MARK)
2017 if (cda[CTA_MARK])
2018 ct->mark = ntohl(nla_get_be32(cda[CTA_MARK]));
2019 #endif
2020
2021 /* setup master conntrack: this is a confirmed expectation */
2022 if (cda[CTA_TUPLE_MASTER]) {
2023 struct nf_conntrack_tuple master;
2024 struct nf_conntrack_tuple_hash *master_h;
2025 struct nf_conn *master_ct;
2026
2027 err = ctnetlink_parse_tuple(cda, &master, CTA_TUPLE_MASTER,
2028 u3, NULL);
2029 if (err < 0)
2030 goto err2;
2031
2032 master_h = nf_conntrack_find_get(net, zone, &master);
2033 if (master_h == NULL) {
2034 err = -ENOENT;
2035 goto err2;
2036 }
2037 master_ct = nf_ct_tuplehash_to_ctrack(master_h);
2038 __set_bit(IPS_EXPECTED_BIT, &ct->status);
2039 ct->master = master_ct;
2040 }
2041 tstamp = nf_conn_tstamp_find(ct);
2042 if (tstamp)
2043 tstamp->start = ktime_get_real_ns();
2044
2045 err = nf_conntrack_hash_check_insert(ct);
2046 if (err < 0)
2047 goto err2;
2048
2049 rcu_read_unlock();
2050
2051 return ct;
2052
2053 err2:
2054 rcu_read_unlock();
2055 err1:
2056 nf_conntrack_free(ct);
2057 return ERR_PTR(err);
2058 }
2059
ctnetlink_new_conntrack(struct net * net,struct sock * ctnl,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const cda[],struct netlink_ext_ack * extack)2060 static int ctnetlink_new_conntrack(struct net *net, struct sock *ctnl,
2061 struct sk_buff *skb,
2062 const struct nlmsghdr *nlh,
2063 const struct nlattr * const cda[],
2064 struct netlink_ext_ack *extack)
2065 {
2066 struct nf_conntrack_tuple otuple, rtuple;
2067 struct nf_conntrack_tuple_hash *h = NULL;
2068 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2069 struct nf_conn *ct;
2070 u_int8_t u3 = nfmsg->nfgen_family;
2071 struct nf_conntrack_zone zone;
2072 int err;
2073
2074 err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone);
2075 if (err < 0)
2076 return err;
2077
2078 if (cda[CTA_TUPLE_ORIG]) {
2079 err = ctnetlink_parse_tuple(cda, &otuple, CTA_TUPLE_ORIG,
2080 u3, &zone);
2081 if (err < 0)
2082 return err;
2083 }
2084
2085 if (cda[CTA_TUPLE_REPLY]) {
2086 err = ctnetlink_parse_tuple(cda, &rtuple, CTA_TUPLE_REPLY,
2087 u3, &zone);
2088 if (err < 0)
2089 return err;
2090 }
2091
2092 if (cda[CTA_TUPLE_ORIG])
2093 h = nf_conntrack_find_get(net, &zone, &otuple);
2094 else if (cda[CTA_TUPLE_REPLY])
2095 h = nf_conntrack_find_get(net, &zone, &rtuple);
2096
2097 if (h == NULL) {
2098 err = -ENOENT;
2099 if (nlh->nlmsg_flags & NLM_F_CREATE) {
2100 enum ip_conntrack_events events;
2101
2102 if (!cda[CTA_TUPLE_ORIG] || !cda[CTA_TUPLE_REPLY])
2103 return -EINVAL;
2104 if (otuple.dst.protonum != rtuple.dst.protonum)
2105 return -EINVAL;
2106
2107 ct = ctnetlink_create_conntrack(net, &zone, cda, &otuple,
2108 &rtuple, u3);
2109 if (IS_ERR(ct))
2110 return PTR_ERR(ct);
2111
2112 err = 0;
2113 if (test_bit(IPS_EXPECTED_BIT, &ct->status))
2114 events = 1 << IPCT_RELATED;
2115 else
2116 events = 1 << IPCT_NEW;
2117
2118 if (cda[CTA_LABELS] &&
2119 ctnetlink_attach_labels(ct, cda) == 0)
2120 events |= (1 << IPCT_LABEL);
2121
2122 nf_conntrack_eventmask_report((1 << IPCT_REPLY) |
2123 (1 << IPCT_ASSURED) |
2124 (1 << IPCT_HELPER) |
2125 (1 << IPCT_PROTOINFO) |
2126 (1 << IPCT_SEQADJ) |
2127 (1 << IPCT_MARK) |
2128 (1 << IPCT_SYNPROXY) |
2129 events,
2130 ct, NETLINK_CB(skb).portid,
2131 nlmsg_report(nlh));
2132 nf_ct_put(ct);
2133 }
2134
2135 return err;
2136 }
2137 /* implicit 'else' */
2138
2139 err = -EEXIST;
2140 ct = nf_ct_tuplehash_to_ctrack(h);
2141 if (!(nlh->nlmsg_flags & NLM_F_EXCL)) {
2142 err = ctnetlink_change_conntrack(ct, cda);
2143 if (err == 0) {
2144 nf_conntrack_eventmask_report((1 << IPCT_REPLY) |
2145 (1 << IPCT_ASSURED) |
2146 (1 << IPCT_HELPER) |
2147 (1 << IPCT_LABEL) |
2148 (1 << IPCT_PROTOINFO) |
2149 (1 << IPCT_SEQADJ) |
2150 (1 << IPCT_MARK) |
2151 (1 << IPCT_SYNPROXY),
2152 ct, NETLINK_CB(skb).portid,
2153 nlmsg_report(nlh));
2154 }
2155 }
2156
2157 nf_ct_put(ct);
2158 return err;
2159 }
2160
2161 static int
ctnetlink_ct_stat_cpu_fill_info(struct sk_buff * skb,u32 portid,u32 seq,__u16 cpu,const struct ip_conntrack_stat * st)2162 ctnetlink_ct_stat_cpu_fill_info(struct sk_buff *skb, u32 portid, u32 seq,
2163 __u16 cpu, const struct ip_conntrack_stat *st)
2164 {
2165 struct nlmsghdr *nlh;
2166 struct nfgenmsg *nfmsg;
2167 unsigned int flags = portid ? NLM_F_MULTI : 0, event;
2168
2169 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK,
2170 IPCTNL_MSG_CT_GET_STATS_CPU);
2171 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
2172 if (nlh == NULL)
2173 goto nlmsg_failure;
2174
2175 nfmsg = nlmsg_data(nlh);
2176 nfmsg->nfgen_family = AF_UNSPEC;
2177 nfmsg->version = NFNETLINK_V0;
2178 nfmsg->res_id = htons(cpu);
2179
2180 if (nla_put_be32(skb, CTA_STATS_FOUND, htonl(st->found)) ||
2181 nla_put_be32(skb, CTA_STATS_INVALID, htonl(st->invalid)) ||
2182 nla_put_be32(skb, CTA_STATS_IGNORE, htonl(st->ignore)) ||
2183 nla_put_be32(skb, CTA_STATS_INSERT, htonl(st->insert)) ||
2184 nla_put_be32(skb, CTA_STATS_INSERT_FAILED,
2185 htonl(st->insert_failed)) ||
2186 nla_put_be32(skb, CTA_STATS_DROP, htonl(st->drop)) ||
2187 nla_put_be32(skb, CTA_STATS_EARLY_DROP, htonl(st->early_drop)) ||
2188 nla_put_be32(skb, CTA_STATS_ERROR, htonl(st->error)) ||
2189 nla_put_be32(skb, CTA_STATS_SEARCH_RESTART,
2190 htonl(st->search_restart)))
2191 goto nla_put_failure;
2192
2193 nlmsg_end(skb, nlh);
2194 return skb->len;
2195
2196 nla_put_failure:
2197 nlmsg_failure:
2198 nlmsg_cancel(skb, nlh);
2199 return -1;
2200 }
2201
2202 static int
ctnetlink_ct_stat_cpu_dump(struct sk_buff * skb,struct netlink_callback * cb)2203 ctnetlink_ct_stat_cpu_dump(struct sk_buff *skb, struct netlink_callback *cb)
2204 {
2205 int cpu;
2206 struct net *net = sock_net(skb->sk);
2207
2208 if (cb->args[0] == nr_cpu_ids)
2209 return 0;
2210
2211 for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) {
2212 const struct ip_conntrack_stat *st;
2213
2214 if (!cpu_possible(cpu))
2215 continue;
2216
2217 st = per_cpu_ptr(net->ct.stat, cpu);
2218 if (ctnetlink_ct_stat_cpu_fill_info(skb,
2219 NETLINK_CB(cb->skb).portid,
2220 cb->nlh->nlmsg_seq,
2221 cpu, st) < 0)
2222 break;
2223 }
2224 cb->args[0] = cpu;
2225
2226 return skb->len;
2227 }
2228
ctnetlink_stat_ct_cpu(struct net * net,struct sock * ctnl,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const cda[],struct netlink_ext_ack * extack)2229 static int ctnetlink_stat_ct_cpu(struct net *net, struct sock *ctnl,
2230 struct sk_buff *skb,
2231 const struct nlmsghdr *nlh,
2232 const struct nlattr * const cda[],
2233 struct netlink_ext_ack *extack)
2234 {
2235 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2236 struct netlink_dump_control c = {
2237 .dump = ctnetlink_ct_stat_cpu_dump,
2238 };
2239 return netlink_dump_start(ctnl, skb, nlh, &c);
2240 }
2241
2242 return 0;
2243 }
2244
2245 static int
ctnetlink_stat_ct_fill_info(struct sk_buff * skb,u32 portid,u32 seq,u32 type,struct net * net)2246 ctnetlink_stat_ct_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
2247 struct net *net)
2248 {
2249 struct nlmsghdr *nlh;
2250 struct nfgenmsg *nfmsg;
2251 unsigned int flags = portid ? NLM_F_MULTI : 0, event;
2252 unsigned int nr_conntracks = atomic_read(&net->ct.count);
2253
2254 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, IPCTNL_MSG_CT_GET_STATS);
2255 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
2256 if (nlh == NULL)
2257 goto nlmsg_failure;
2258
2259 nfmsg = nlmsg_data(nlh);
2260 nfmsg->nfgen_family = AF_UNSPEC;
2261 nfmsg->version = NFNETLINK_V0;
2262 nfmsg->res_id = 0;
2263
2264 if (nla_put_be32(skb, CTA_STATS_GLOBAL_ENTRIES, htonl(nr_conntracks)))
2265 goto nla_put_failure;
2266
2267 if (nla_put_be32(skb, CTA_STATS_GLOBAL_MAX_ENTRIES, htonl(nf_conntrack_max)))
2268 goto nla_put_failure;
2269
2270 nlmsg_end(skb, nlh);
2271 return skb->len;
2272
2273 nla_put_failure:
2274 nlmsg_failure:
2275 nlmsg_cancel(skb, nlh);
2276 return -1;
2277 }
2278
ctnetlink_stat_ct(struct net * net,struct sock * ctnl,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const cda[],struct netlink_ext_ack * extack)2279 static int ctnetlink_stat_ct(struct net *net, struct sock *ctnl,
2280 struct sk_buff *skb, const struct nlmsghdr *nlh,
2281 const struct nlattr * const cda[],
2282 struct netlink_ext_ack *extack)
2283 {
2284 struct sk_buff *skb2;
2285 int err;
2286
2287 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2288 if (skb2 == NULL)
2289 return -ENOMEM;
2290
2291 err = ctnetlink_stat_ct_fill_info(skb2, NETLINK_CB(skb).portid,
2292 nlh->nlmsg_seq,
2293 NFNL_MSG_TYPE(nlh->nlmsg_type),
2294 sock_net(skb->sk));
2295 if (err <= 0)
2296 goto free;
2297
2298 err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
2299 if (err < 0)
2300 goto out;
2301
2302 return 0;
2303
2304 free:
2305 kfree_skb(skb2);
2306 out:
2307 /* this avoids a loop in nfnetlink. */
2308 return err == -EAGAIN ? -ENOBUFS : err;
2309 }
2310
2311 static const struct nla_policy exp_nla_policy[CTA_EXPECT_MAX+1] = {
2312 [CTA_EXPECT_MASTER] = { .type = NLA_NESTED },
2313 [CTA_EXPECT_TUPLE] = { .type = NLA_NESTED },
2314 [CTA_EXPECT_MASK] = { .type = NLA_NESTED },
2315 [CTA_EXPECT_TIMEOUT] = { .type = NLA_U32 },
2316 [CTA_EXPECT_ID] = { .type = NLA_U32 },
2317 [CTA_EXPECT_HELP_NAME] = { .type = NLA_NUL_STRING,
2318 .len = NF_CT_HELPER_NAME_LEN - 1 },
2319 [CTA_EXPECT_ZONE] = { .type = NLA_U16 },
2320 [CTA_EXPECT_FLAGS] = { .type = NLA_U32 },
2321 [CTA_EXPECT_CLASS] = { .type = NLA_U32 },
2322 [CTA_EXPECT_NAT] = { .type = NLA_NESTED },
2323 [CTA_EXPECT_FN] = { .type = NLA_NUL_STRING },
2324 };
2325
2326 static struct nf_conntrack_expect *
2327 ctnetlink_alloc_expect(const struct nlattr *const cda[], struct nf_conn *ct,
2328 struct nf_conntrack_helper *helper,
2329 struct nf_conntrack_tuple *tuple,
2330 struct nf_conntrack_tuple *mask);
2331
2332 #ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT
2333 static size_t
ctnetlink_glue_build_size(const struct nf_conn * ct)2334 ctnetlink_glue_build_size(const struct nf_conn *ct)
2335 {
2336 return 3 * nla_total_size(0) /* CTA_TUPLE_ORIG|REPL|MASTER */
2337 + 3 * nla_total_size(0) /* CTA_TUPLE_IP */
2338 + 3 * nla_total_size(0) /* CTA_TUPLE_PROTO */
2339 + 3 * nla_total_size(sizeof(u_int8_t)) /* CTA_PROTO_NUM */
2340 + nla_total_size(sizeof(u_int32_t)) /* CTA_ID */
2341 + nla_total_size(sizeof(u_int32_t)) /* CTA_STATUS */
2342 + nla_total_size(sizeof(u_int32_t)) /* CTA_TIMEOUT */
2343 + nla_total_size(0) /* CTA_PROTOINFO */
2344 + nla_total_size(0) /* CTA_HELP */
2345 + nla_total_size(NF_CT_HELPER_NAME_LEN) /* CTA_HELP_NAME */
2346 + ctnetlink_secctx_size(ct)
2347 #ifdef CONFIG_NF_NAT_NEEDED
2348 + 2 * nla_total_size(0) /* CTA_NAT_SEQ_ADJ_ORIG|REPL */
2349 + 6 * nla_total_size(sizeof(u_int32_t)) /* CTA_NAT_SEQ_OFFSET */
2350 #endif
2351 #ifdef CONFIG_NF_CONNTRACK_MARK
2352 + nla_total_size(sizeof(u_int32_t)) /* CTA_MARK */
2353 #endif
2354 #ifdef CONFIG_NF_CONNTRACK_ZONES
2355 + nla_total_size(sizeof(u_int16_t)) /* CTA_ZONE|CTA_TUPLE_ZONE */
2356 #endif
2357 + ctnetlink_proto_size(ct)
2358 ;
2359 }
2360
ctnetlink_glue_get_ct(const struct sk_buff * skb,enum ip_conntrack_info * ctinfo)2361 static struct nf_conn *ctnetlink_glue_get_ct(const struct sk_buff *skb,
2362 enum ip_conntrack_info *ctinfo)
2363 {
2364 return nf_ct_get(skb, ctinfo);
2365 }
2366
__ctnetlink_glue_build(struct sk_buff * skb,struct nf_conn * ct)2367 static int __ctnetlink_glue_build(struct sk_buff *skb, struct nf_conn *ct)
2368 {
2369 const struct nf_conntrack_zone *zone;
2370 struct nlattr *nest_parms;
2371
2372 zone = nf_ct_zone(ct);
2373
2374 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED);
2375 if (!nest_parms)
2376 goto nla_put_failure;
2377 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
2378 goto nla_put_failure;
2379 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
2380 NF_CT_ZONE_DIR_ORIG) < 0)
2381 goto nla_put_failure;
2382 nla_nest_end(skb, nest_parms);
2383
2384 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY | NLA_F_NESTED);
2385 if (!nest_parms)
2386 goto nla_put_failure;
2387 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
2388 goto nla_put_failure;
2389 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
2390 NF_CT_ZONE_DIR_REPL) < 0)
2391 goto nla_put_failure;
2392 nla_nest_end(skb, nest_parms);
2393
2394 if (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone,
2395 NF_CT_DEFAULT_ZONE_DIR) < 0)
2396 goto nla_put_failure;
2397
2398 if (ctnetlink_dump_id(skb, ct) < 0)
2399 goto nla_put_failure;
2400
2401 if (ctnetlink_dump_status(skb, ct) < 0)
2402 goto nla_put_failure;
2403
2404 if (ctnetlink_dump_timeout(skb, ct) < 0)
2405 goto nla_put_failure;
2406
2407 if (ctnetlink_dump_protoinfo(skb, ct) < 0)
2408 goto nla_put_failure;
2409
2410 if (ctnetlink_dump_helpinfo(skb, ct) < 0)
2411 goto nla_put_failure;
2412
2413 #ifdef CONFIG_NF_CONNTRACK_SECMARK
2414 if (ct->secmark && ctnetlink_dump_secctx(skb, ct) < 0)
2415 goto nla_put_failure;
2416 #endif
2417 if (ct->master && ctnetlink_dump_master(skb, ct) < 0)
2418 goto nla_put_failure;
2419
2420 if ((ct->status & IPS_SEQ_ADJUST) &&
2421 ctnetlink_dump_ct_seq_adj(skb, ct) < 0)
2422 goto nla_put_failure;
2423
2424 if (ctnetlink_dump_ct_synproxy(skb, ct) < 0)
2425 goto nla_put_failure;
2426
2427 #ifdef CONFIG_NF_CONNTRACK_MARK
2428 if (ct->mark && ctnetlink_dump_mark(skb, ct) < 0)
2429 goto nla_put_failure;
2430 #endif
2431 if (ctnetlink_dump_labels(skb, ct) < 0)
2432 goto nla_put_failure;
2433 return 0;
2434
2435 nla_put_failure:
2436 return -ENOSPC;
2437 }
2438
2439 static int
ctnetlink_glue_build(struct sk_buff * skb,struct nf_conn * ct,enum ip_conntrack_info ctinfo,u_int16_t ct_attr,u_int16_t ct_info_attr)2440 ctnetlink_glue_build(struct sk_buff *skb, struct nf_conn *ct,
2441 enum ip_conntrack_info ctinfo,
2442 u_int16_t ct_attr, u_int16_t ct_info_attr)
2443 {
2444 struct nlattr *nest_parms;
2445
2446 nest_parms = nla_nest_start(skb, ct_attr | NLA_F_NESTED);
2447 if (!nest_parms)
2448 goto nla_put_failure;
2449
2450 if (__ctnetlink_glue_build(skb, ct) < 0)
2451 goto nla_put_failure;
2452
2453 nla_nest_end(skb, nest_parms);
2454
2455 if (nla_put_be32(skb, ct_info_attr, htonl(ctinfo)))
2456 goto nla_put_failure;
2457
2458 return 0;
2459
2460 nla_put_failure:
2461 return -ENOSPC;
2462 }
2463
2464 static int
ctnetlink_update_status(struct nf_conn * ct,const struct nlattr * const cda[])2465 ctnetlink_update_status(struct nf_conn *ct, const struct nlattr * const cda[])
2466 {
2467 unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS]));
2468 unsigned long d = ct->status ^ status;
2469
2470 if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY))
2471 /* SEEN_REPLY bit can only be set */
2472 return -EBUSY;
2473
2474 if (d & IPS_ASSURED && !(status & IPS_ASSURED))
2475 /* ASSURED bit can only be set */
2476 return -EBUSY;
2477
2478 /* This check is less strict than ctnetlink_change_status()
2479 * because callers often flip IPS_EXPECTED bits when sending
2480 * an NFQA_CT attribute to the kernel. So ignore the
2481 * unchangeable bits but do not error out. Also user programs
2482 * are allowed to clear the bits that they are allowed to change.
2483 */
2484 __ctnetlink_change_status(ct, status, ~status);
2485 return 0;
2486 }
2487
2488 static int
ctnetlink_glue_parse_ct(const struct nlattr * cda[],struct nf_conn * ct)2489 ctnetlink_glue_parse_ct(const struct nlattr *cda[], struct nf_conn *ct)
2490 {
2491 int err;
2492
2493 if (cda[CTA_TIMEOUT]) {
2494 err = ctnetlink_change_timeout(ct, cda);
2495 if (err < 0)
2496 return err;
2497 }
2498 if (cda[CTA_STATUS]) {
2499 err = ctnetlink_update_status(ct, cda);
2500 if (err < 0)
2501 return err;
2502 }
2503 if (cda[CTA_HELP]) {
2504 err = ctnetlink_change_helper(ct, cda);
2505 if (err < 0)
2506 return err;
2507 }
2508 if (cda[CTA_LABELS]) {
2509 err = ctnetlink_attach_labels(ct, cda);
2510 if (err < 0)
2511 return err;
2512 }
2513 #if defined(CONFIG_NF_CONNTRACK_MARK)
2514 if (cda[CTA_MARK]) {
2515 u32 mask = 0, mark, newmark;
2516 if (cda[CTA_MARK_MASK])
2517 mask = ~ntohl(nla_get_be32(cda[CTA_MARK_MASK]));
2518
2519 mark = ntohl(nla_get_be32(cda[CTA_MARK]));
2520 newmark = (ct->mark & mask) ^ mark;
2521 if (newmark != ct->mark)
2522 ct->mark = newmark;
2523 }
2524 #endif
2525 return 0;
2526 }
2527
2528 static int
ctnetlink_glue_parse(const struct nlattr * attr,struct nf_conn * ct)2529 ctnetlink_glue_parse(const struct nlattr *attr, struct nf_conn *ct)
2530 {
2531 struct nlattr *cda[CTA_MAX+1];
2532 int ret;
2533
2534 ret = nla_parse_nested(cda, CTA_MAX, attr, ct_nla_policy, NULL);
2535 if (ret < 0)
2536 return ret;
2537
2538 return ctnetlink_glue_parse_ct((const struct nlattr **)cda, ct);
2539 }
2540
ctnetlink_glue_exp_parse(const struct nlattr * const * cda,const struct nf_conn * ct,struct nf_conntrack_tuple * tuple,struct nf_conntrack_tuple * mask)2541 static int ctnetlink_glue_exp_parse(const struct nlattr * const *cda,
2542 const struct nf_conn *ct,
2543 struct nf_conntrack_tuple *tuple,
2544 struct nf_conntrack_tuple *mask)
2545 {
2546 int err;
2547
2548 err = ctnetlink_parse_tuple(cda, tuple, CTA_EXPECT_TUPLE,
2549 nf_ct_l3num(ct), NULL);
2550 if (err < 0)
2551 return err;
2552
2553 return ctnetlink_parse_tuple(cda, mask, CTA_EXPECT_MASK,
2554 nf_ct_l3num(ct), NULL);
2555 }
2556
2557 static int
ctnetlink_glue_attach_expect(const struct nlattr * attr,struct nf_conn * ct,u32 portid,u32 report)2558 ctnetlink_glue_attach_expect(const struct nlattr *attr, struct nf_conn *ct,
2559 u32 portid, u32 report)
2560 {
2561 struct nlattr *cda[CTA_EXPECT_MAX+1];
2562 struct nf_conntrack_tuple tuple, mask;
2563 struct nf_conntrack_helper *helper = NULL;
2564 struct nf_conntrack_expect *exp;
2565 int err;
2566
2567 err = nla_parse_nested(cda, CTA_EXPECT_MAX, attr, exp_nla_policy,
2568 NULL);
2569 if (err < 0)
2570 return err;
2571
2572 err = ctnetlink_glue_exp_parse((const struct nlattr * const *)cda,
2573 ct, &tuple, &mask);
2574 if (err < 0)
2575 return err;
2576
2577 if (cda[CTA_EXPECT_HELP_NAME]) {
2578 const char *helpname = nla_data(cda[CTA_EXPECT_HELP_NAME]);
2579
2580 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
2581 nf_ct_protonum(ct));
2582 if (helper == NULL)
2583 return -EOPNOTSUPP;
2584 }
2585
2586 exp = ctnetlink_alloc_expect((const struct nlattr * const *)cda, ct,
2587 helper, &tuple, &mask);
2588 if (IS_ERR(exp))
2589 return PTR_ERR(exp);
2590
2591 err = nf_ct_expect_related_report(exp, portid, report);
2592 nf_ct_expect_put(exp);
2593 return err;
2594 }
2595
ctnetlink_glue_seqadj(struct sk_buff * skb,struct nf_conn * ct,enum ip_conntrack_info ctinfo,int diff)2596 static void ctnetlink_glue_seqadj(struct sk_buff *skb, struct nf_conn *ct,
2597 enum ip_conntrack_info ctinfo, int diff)
2598 {
2599 if (!(ct->status & IPS_NAT_MASK))
2600 return;
2601
2602 nf_ct_tcp_seqadj_set(skb, ct, ctinfo, diff);
2603 }
2604
2605 static struct nfnl_ct_hook ctnetlink_glue_hook = {
2606 .get_ct = ctnetlink_glue_get_ct,
2607 .build_size = ctnetlink_glue_build_size,
2608 .build = ctnetlink_glue_build,
2609 .parse = ctnetlink_glue_parse,
2610 .attach_expect = ctnetlink_glue_attach_expect,
2611 .seq_adjust = ctnetlink_glue_seqadj,
2612 };
2613 #endif /* CONFIG_NETFILTER_NETLINK_GLUE_CT */
2614
2615 /***********************************************************************
2616 * EXPECT
2617 ***********************************************************************/
2618
ctnetlink_exp_dump_tuple(struct sk_buff * skb,const struct nf_conntrack_tuple * tuple,u32 type)2619 static int ctnetlink_exp_dump_tuple(struct sk_buff *skb,
2620 const struct nf_conntrack_tuple *tuple,
2621 u32 type)
2622 {
2623 struct nlattr *nest_parms;
2624
2625 nest_parms = nla_nest_start(skb, type | NLA_F_NESTED);
2626 if (!nest_parms)
2627 goto nla_put_failure;
2628 if (ctnetlink_dump_tuples(skb, tuple) < 0)
2629 goto nla_put_failure;
2630 nla_nest_end(skb, nest_parms);
2631
2632 return 0;
2633
2634 nla_put_failure:
2635 return -1;
2636 }
2637
ctnetlink_exp_dump_mask(struct sk_buff * skb,const struct nf_conntrack_tuple * tuple,const struct nf_conntrack_tuple_mask * mask)2638 static int ctnetlink_exp_dump_mask(struct sk_buff *skb,
2639 const struct nf_conntrack_tuple *tuple,
2640 const struct nf_conntrack_tuple_mask *mask)
2641 {
2642 const struct nf_conntrack_l4proto *l4proto;
2643 struct nf_conntrack_tuple m;
2644 struct nlattr *nest_parms;
2645 int ret;
2646
2647 memset(&m, 0xFF, sizeof(m));
2648 memcpy(&m.src.u3, &mask->src.u3, sizeof(m.src.u3));
2649 m.src.u.all = mask->src.u.all;
2650 m.dst.protonum = tuple->dst.protonum;
2651
2652 nest_parms = nla_nest_start(skb, CTA_EXPECT_MASK | NLA_F_NESTED);
2653 if (!nest_parms)
2654 goto nla_put_failure;
2655
2656 rcu_read_lock();
2657 ret = ctnetlink_dump_tuples_ip(skb, &m);
2658 if (ret >= 0) {
2659 l4proto = __nf_ct_l4proto_find(tuple->src.l3num,
2660 tuple->dst.protonum);
2661 ret = ctnetlink_dump_tuples_proto(skb, &m, l4proto);
2662 }
2663 rcu_read_unlock();
2664
2665 if (unlikely(ret < 0))
2666 goto nla_put_failure;
2667
2668 nla_nest_end(skb, nest_parms);
2669
2670 return 0;
2671
2672 nla_put_failure:
2673 return -1;
2674 }
2675
2676 static const union nf_inet_addr any_addr;
2677
2678 static int
ctnetlink_exp_dump_expect(struct sk_buff * skb,const struct nf_conntrack_expect * exp)2679 ctnetlink_exp_dump_expect(struct sk_buff *skb,
2680 const struct nf_conntrack_expect *exp)
2681 {
2682 struct nf_conn *master = exp->master;
2683 long timeout = ((long)exp->timeout.expires - (long)jiffies) / HZ;
2684 struct nf_conn_help *help;
2685 #ifdef CONFIG_NF_NAT_NEEDED
2686 struct nlattr *nest_parms;
2687 struct nf_conntrack_tuple nat_tuple = {};
2688 #endif
2689 struct nf_ct_helper_expectfn *expfn;
2690
2691 if (timeout < 0)
2692 timeout = 0;
2693
2694 if (ctnetlink_exp_dump_tuple(skb, &exp->tuple, CTA_EXPECT_TUPLE) < 0)
2695 goto nla_put_failure;
2696 if (ctnetlink_exp_dump_mask(skb, &exp->tuple, &exp->mask) < 0)
2697 goto nla_put_failure;
2698 if (ctnetlink_exp_dump_tuple(skb,
2699 &master->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
2700 CTA_EXPECT_MASTER) < 0)
2701 goto nla_put_failure;
2702
2703 #ifdef CONFIG_NF_NAT_NEEDED
2704 if (!nf_inet_addr_cmp(&exp->saved_addr, &any_addr) ||
2705 exp->saved_proto.all) {
2706 nest_parms = nla_nest_start(skb, CTA_EXPECT_NAT | NLA_F_NESTED);
2707 if (!nest_parms)
2708 goto nla_put_failure;
2709
2710 if (nla_put_be32(skb, CTA_EXPECT_NAT_DIR, htonl(exp->dir)))
2711 goto nla_put_failure;
2712
2713 nat_tuple.src.l3num = nf_ct_l3num(master);
2714 nat_tuple.src.u3 = exp->saved_addr;
2715 nat_tuple.dst.protonum = nf_ct_protonum(master);
2716 nat_tuple.src.u = exp->saved_proto;
2717
2718 if (ctnetlink_exp_dump_tuple(skb, &nat_tuple,
2719 CTA_EXPECT_NAT_TUPLE) < 0)
2720 goto nla_put_failure;
2721 nla_nest_end(skb, nest_parms);
2722 }
2723 #endif
2724 if (nla_put_be32(skb, CTA_EXPECT_TIMEOUT, htonl(timeout)) ||
2725 nla_put_be32(skb, CTA_EXPECT_ID, htonl((unsigned long)exp)) ||
2726 nla_put_be32(skb, CTA_EXPECT_FLAGS, htonl(exp->flags)) ||
2727 nla_put_be32(skb, CTA_EXPECT_CLASS, htonl(exp->class)))
2728 goto nla_put_failure;
2729 help = nfct_help(master);
2730 if (help) {
2731 struct nf_conntrack_helper *helper;
2732
2733 helper = rcu_dereference(help->helper);
2734 if (helper &&
2735 nla_put_string(skb, CTA_EXPECT_HELP_NAME, helper->name))
2736 goto nla_put_failure;
2737 }
2738 expfn = nf_ct_helper_expectfn_find_by_symbol(exp->expectfn);
2739 if (expfn != NULL &&
2740 nla_put_string(skb, CTA_EXPECT_FN, expfn->name))
2741 goto nla_put_failure;
2742
2743 return 0;
2744
2745 nla_put_failure:
2746 return -1;
2747 }
2748
2749 static int
ctnetlink_exp_fill_info(struct sk_buff * skb,u32 portid,u32 seq,int event,const struct nf_conntrack_expect * exp)2750 ctnetlink_exp_fill_info(struct sk_buff *skb, u32 portid, u32 seq,
2751 int event, const struct nf_conntrack_expect *exp)
2752 {
2753 struct nlmsghdr *nlh;
2754 struct nfgenmsg *nfmsg;
2755 unsigned int flags = portid ? NLM_F_MULTI : 0;
2756
2757 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_EXP, event);
2758 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
2759 if (nlh == NULL)
2760 goto nlmsg_failure;
2761
2762 nfmsg = nlmsg_data(nlh);
2763 nfmsg->nfgen_family = exp->tuple.src.l3num;
2764 nfmsg->version = NFNETLINK_V0;
2765 nfmsg->res_id = 0;
2766
2767 if (ctnetlink_exp_dump_expect(skb, exp) < 0)
2768 goto nla_put_failure;
2769
2770 nlmsg_end(skb, nlh);
2771 return skb->len;
2772
2773 nlmsg_failure:
2774 nla_put_failure:
2775 nlmsg_cancel(skb, nlh);
2776 return -1;
2777 }
2778
2779 #ifdef CONFIG_NF_CONNTRACK_EVENTS
2780 static int
ctnetlink_expect_event(unsigned int events,struct nf_exp_event * item)2781 ctnetlink_expect_event(unsigned int events, struct nf_exp_event *item)
2782 {
2783 struct nf_conntrack_expect *exp = item->exp;
2784 struct net *net = nf_ct_exp_net(exp);
2785 struct nlmsghdr *nlh;
2786 struct nfgenmsg *nfmsg;
2787 struct sk_buff *skb;
2788 unsigned int type, group;
2789 int flags = 0;
2790
2791 if (events & (1 << IPEXP_DESTROY)) {
2792 type = IPCTNL_MSG_EXP_DELETE;
2793 group = NFNLGRP_CONNTRACK_EXP_DESTROY;
2794 } else if (events & (1 << IPEXP_NEW)) {
2795 type = IPCTNL_MSG_EXP_NEW;
2796 flags = NLM_F_CREATE|NLM_F_EXCL;
2797 group = NFNLGRP_CONNTRACK_EXP_NEW;
2798 } else
2799 return 0;
2800
2801 if (!item->report && !nfnetlink_has_listeners(net, group))
2802 return 0;
2803
2804 skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
2805 if (skb == NULL)
2806 goto errout;
2807
2808 type = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_EXP, type);
2809 nlh = nlmsg_put(skb, item->portid, 0, type, sizeof(*nfmsg), flags);
2810 if (nlh == NULL)
2811 goto nlmsg_failure;
2812
2813 nfmsg = nlmsg_data(nlh);
2814 nfmsg->nfgen_family = exp->tuple.src.l3num;
2815 nfmsg->version = NFNETLINK_V0;
2816 nfmsg->res_id = 0;
2817
2818 if (ctnetlink_exp_dump_expect(skb, exp) < 0)
2819 goto nla_put_failure;
2820
2821 nlmsg_end(skb, nlh);
2822 nfnetlink_send(skb, net, item->portid, group, item->report, GFP_ATOMIC);
2823 return 0;
2824
2825 nla_put_failure:
2826 nlmsg_cancel(skb, nlh);
2827 nlmsg_failure:
2828 kfree_skb(skb);
2829 errout:
2830 nfnetlink_set_err(net, 0, 0, -ENOBUFS);
2831 return 0;
2832 }
2833 #endif
ctnetlink_exp_done(struct netlink_callback * cb)2834 static int ctnetlink_exp_done(struct netlink_callback *cb)
2835 {
2836 if (cb->args[1])
2837 nf_ct_expect_put((struct nf_conntrack_expect *)cb->args[1]);
2838 return 0;
2839 }
2840
2841 static int
ctnetlink_exp_dump_table(struct sk_buff * skb,struct netlink_callback * cb)2842 ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
2843 {
2844 struct net *net = sock_net(skb->sk);
2845 struct nf_conntrack_expect *exp, *last;
2846 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2847 u_int8_t l3proto = nfmsg->nfgen_family;
2848
2849 rcu_read_lock();
2850 last = (struct nf_conntrack_expect *)cb->args[1];
2851 for (; cb->args[0] < nf_ct_expect_hsize; cb->args[0]++) {
2852 restart:
2853 hlist_for_each_entry_rcu(exp, &nf_ct_expect_hash[cb->args[0]],
2854 hnode) {
2855 if (l3proto && exp->tuple.src.l3num != l3proto)
2856 continue;
2857
2858 if (!net_eq(nf_ct_net(exp->master), net))
2859 continue;
2860
2861 if (cb->args[1]) {
2862 if (exp != last)
2863 continue;
2864 cb->args[1] = 0;
2865 }
2866 if (ctnetlink_exp_fill_info(skb,
2867 NETLINK_CB(cb->skb).portid,
2868 cb->nlh->nlmsg_seq,
2869 IPCTNL_MSG_EXP_NEW,
2870 exp) < 0) {
2871 if (!refcount_inc_not_zero(&exp->use))
2872 continue;
2873 cb->args[1] = (unsigned long)exp;
2874 goto out;
2875 }
2876 }
2877 if (cb->args[1]) {
2878 cb->args[1] = 0;
2879 goto restart;
2880 }
2881 }
2882 out:
2883 rcu_read_unlock();
2884 if (last)
2885 nf_ct_expect_put(last);
2886
2887 return skb->len;
2888 }
2889
2890 static int
ctnetlink_exp_ct_dump_table(struct sk_buff * skb,struct netlink_callback * cb)2891 ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
2892 {
2893 struct nf_conntrack_expect *exp, *last;
2894 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2895 struct nf_conn *ct = cb->data;
2896 struct nf_conn_help *help = nfct_help(ct);
2897 u_int8_t l3proto = nfmsg->nfgen_family;
2898
2899 if (cb->args[0])
2900 return 0;
2901
2902 rcu_read_lock();
2903 last = (struct nf_conntrack_expect *)cb->args[1];
2904 restart:
2905 hlist_for_each_entry_rcu(exp, &help->expectations, lnode) {
2906 if (l3proto && exp->tuple.src.l3num != l3proto)
2907 continue;
2908 if (cb->args[1]) {
2909 if (exp != last)
2910 continue;
2911 cb->args[1] = 0;
2912 }
2913 if (ctnetlink_exp_fill_info(skb, NETLINK_CB(cb->skb).portid,
2914 cb->nlh->nlmsg_seq,
2915 IPCTNL_MSG_EXP_NEW,
2916 exp) < 0) {
2917 if (!refcount_inc_not_zero(&exp->use))
2918 continue;
2919 cb->args[1] = (unsigned long)exp;
2920 goto out;
2921 }
2922 }
2923 if (cb->args[1]) {
2924 cb->args[1] = 0;
2925 goto restart;
2926 }
2927 cb->args[0] = 1;
2928 out:
2929 rcu_read_unlock();
2930 if (last)
2931 nf_ct_expect_put(last);
2932
2933 return skb->len;
2934 }
2935
ctnetlink_dump_exp_ct(struct net * net,struct sock * ctnl,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const cda[],struct netlink_ext_ack * extack)2936 static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl,
2937 struct sk_buff *skb,
2938 const struct nlmsghdr *nlh,
2939 const struct nlattr * const cda[],
2940 struct netlink_ext_ack *extack)
2941 {
2942 int err;
2943 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2944 u_int8_t u3 = nfmsg->nfgen_family;
2945 struct nf_conntrack_tuple tuple;
2946 struct nf_conntrack_tuple_hash *h;
2947 struct nf_conn *ct;
2948 struct nf_conntrack_zone zone;
2949 struct netlink_dump_control c = {
2950 .dump = ctnetlink_exp_ct_dump_table,
2951 .done = ctnetlink_exp_done,
2952 };
2953
2954 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER,
2955 u3, NULL);
2956 if (err < 0)
2957 return err;
2958
2959 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
2960 if (err < 0)
2961 return err;
2962
2963 h = nf_conntrack_find_get(net, &zone, &tuple);
2964 if (!h)
2965 return -ENOENT;
2966
2967 ct = nf_ct_tuplehash_to_ctrack(h);
2968 /* No expectation linked to this connection tracking. */
2969 if (!nfct_help(ct)) {
2970 nf_ct_put(ct);
2971 return 0;
2972 }
2973
2974 c.data = ct;
2975
2976 err = netlink_dump_start(ctnl, skb, nlh, &c);
2977 nf_ct_put(ct);
2978
2979 return err;
2980 }
2981
ctnetlink_get_expect(struct net * net,struct sock * ctnl,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const cda[],struct netlink_ext_ack * extack)2982 static int ctnetlink_get_expect(struct net *net, struct sock *ctnl,
2983 struct sk_buff *skb, const struct nlmsghdr *nlh,
2984 const struct nlattr * const cda[],
2985 struct netlink_ext_ack *extack)
2986 {
2987 struct nf_conntrack_tuple tuple;
2988 struct nf_conntrack_expect *exp;
2989 struct sk_buff *skb2;
2990 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2991 u_int8_t u3 = nfmsg->nfgen_family;
2992 struct nf_conntrack_zone zone;
2993 int err;
2994
2995 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2996 if (cda[CTA_EXPECT_MASTER])
2997 return ctnetlink_dump_exp_ct(net, ctnl, skb, nlh, cda,
2998 extack);
2999 else {
3000 struct netlink_dump_control c = {
3001 .dump = ctnetlink_exp_dump_table,
3002 .done = ctnetlink_exp_done,
3003 };
3004 return netlink_dump_start(ctnl, skb, nlh, &c);
3005 }
3006 }
3007
3008 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
3009 if (err < 0)
3010 return err;
3011
3012 if (cda[CTA_EXPECT_TUPLE])
3013 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE,
3014 u3, NULL);
3015 else if (cda[CTA_EXPECT_MASTER])
3016 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER,
3017 u3, NULL);
3018 else
3019 return -EINVAL;
3020
3021 if (err < 0)
3022 return err;
3023
3024 exp = nf_ct_expect_find_get(net, &zone, &tuple);
3025 if (!exp)
3026 return -ENOENT;
3027
3028 if (cda[CTA_EXPECT_ID]) {
3029 __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);
3030 if (ntohl(id) != (u32)(unsigned long)exp) {
3031 nf_ct_expect_put(exp);
3032 return -ENOENT;
3033 }
3034 }
3035
3036 err = -ENOMEM;
3037 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3038 if (skb2 == NULL) {
3039 nf_ct_expect_put(exp);
3040 goto out;
3041 }
3042
3043 rcu_read_lock();
3044 err = ctnetlink_exp_fill_info(skb2, NETLINK_CB(skb).portid,
3045 nlh->nlmsg_seq, IPCTNL_MSG_EXP_NEW, exp);
3046 rcu_read_unlock();
3047 nf_ct_expect_put(exp);
3048 if (err <= 0)
3049 goto free;
3050
3051 err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
3052 if (err < 0)
3053 goto out;
3054
3055 return 0;
3056
3057 free:
3058 kfree_skb(skb2);
3059 out:
3060 /* this avoids a loop in nfnetlink. */
3061 return err == -EAGAIN ? -ENOBUFS : err;
3062 }
3063
expect_iter_name(struct nf_conntrack_expect * exp,void * data)3064 static bool expect_iter_name(struct nf_conntrack_expect *exp, void *data)
3065 {
3066 const struct nf_conn_help *m_help;
3067 const char *name = data;
3068
3069 m_help = nfct_help(exp->master);
3070
3071 return strcmp(m_help->helper->name, name) == 0;
3072 }
3073
expect_iter_all(struct nf_conntrack_expect * exp,void * data)3074 static bool expect_iter_all(struct nf_conntrack_expect *exp, void *data)
3075 {
3076 return true;
3077 }
3078
ctnetlink_del_expect(struct net * net,struct sock * ctnl,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const cda[],struct netlink_ext_ack * extack)3079 static int ctnetlink_del_expect(struct net *net, struct sock *ctnl,
3080 struct sk_buff *skb, const struct nlmsghdr *nlh,
3081 const struct nlattr * const cda[],
3082 struct netlink_ext_ack *extack)
3083 {
3084 struct nf_conntrack_expect *exp;
3085 struct nf_conntrack_tuple tuple;
3086 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3087 u_int8_t u3 = nfmsg->nfgen_family;
3088 struct nf_conntrack_zone zone;
3089 int err;
3090
3091 if (cda[CTA_EXPECT_TUPLE]) {
3092 /* delete a single expect by tuple */
3093 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
3094 if (err < 0)
3095 return err;
3096
3097 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE,
3098 u3, NULL);
3099 if (err < 0)
3100 return err;
3101
3102 /* bump usage count to 2 */
3103 exp = nf_ct_expect_find_get(net, &zone, &tuple);
3104 if (!exp)
3105 return -ENOENT;
3106
3107 if (cda[CTA_EXPECT_ID]) {
3108 __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);
3109 if (ntohl(id) != (u32)(unsigned long)exp) {
3110 nf_ct_expect_put(exp);
3111 return -ENOENT;
3112 }
3113 }
3114
3115 /* after list removal, usage count == 1 */
3116 spin_lock_bh(&nf_conntrack_expect_lock);
3117 if (del_timer(&exp->timeout)) {
3118 nf_ct_unlink_expect_report(exp, NETLINK_CB(skb).portid,
3119 nlmsg_report(nlh));
3120 nf_ct_expect_put(exp);
3121 }
3122 spin_unlock_bh(&nf_conntrack_expect_lock);
3123 /* have to put what we 'get' above.
3124 * after this line usage count == 0 */
3125 nf_ct_expect_put(exp);
3126 } else if (cda[CTA_EXPECT_HELP_NAME]) {
3127 char *name = nla_data(cda[CTA_EXPECT_HELP_NAME]);
3128
3129 nf_ct_expect_iterate_net(net, expect_iter_name, name,
3130 NETLINK_CB(skb).portid,
3131 nlmsg_report(nlh));
3132 } else {
3133 /* This basically means we have to flush everything*/
3134 nf_ct_expect_iterate_net(net, expect_iter_all, NULL,
3135 NETLINK_CB(skb).portid,
3136 nlmsg_report(nlh));
3137 }
3138
3139 return 0;
3140 }
3141 static int
ctnetlink_change_expect(struct nf_conntrack_expect * x,const struct nlattr * const cda[])3142 ctnetlink_change_expect(struct nf_conntrack_expect *x,
3143 const struct nlattr * const cda[])
3144 {
3145 if (cda[CTA_EXPECT_TIMEOUT]) {
3146 if (!del_timer(&x->timeout))
3147 return -ETIME;
3148
3149 x->timeout.expires = jiffies +
3150 ntohl(nla_get_be32(cda[CTA_EXPECT_TIMEOUT])) * HZ;
3151 add_timer(&x->timeout);
3152 }
3153 return 0;
3154 }
3155
3156 static const struct nla_policy exp_nat_nla_policy[CTA_EXPECT_NAT_MAX+1] = {
3157 [CTA_EXPECT_NAT_DIR] = { .type = NLA_U32 },
3158 [CTA_EXPECT_NAT_TUPLE] = { .type = NLA_NESTED },
3159 };
3160
3161 static int
ctnetlink_parse_expect_nat(const struct nlattr * attr,struct nf_conntrack_expect * exp,u_int8_t u3)3162 ctnetlink_parse_expect_nat(const struct nlattr *attr,
3163 struct nf_conntrack_expect *exp,
3164 u_int8_t u3)
3165 {
3166 #ifdef CONFIG_NF_NAT_NEEDED
3167 struct nlattr *tb[CTA_EXPECT_NAT_MAX+1];
3168 struct nf_conntrack_tuple nat_tuple = {};
3169 int err;
3170
3171 err = nla_parse_nested(tb, CTA_EXPECT_NAT_MAX, attr,
3172 exp_nat_nla_policy, NULL);
3173 if (err < 0)
3174 return err;
3175
3176 if (!tb[CTA_EXPECT_NAT_DIR] || !tb[CTA_EXPECT_NAT_TUPLE])
3177 return -EINVAL;
3178
3179 err = ctnetlink_parse_tuple((const struct nlattr * const *)tb,
3180 &nat_tuple, CTA_EXPECT_NAT_TUPLE,
3181 u3, NULL);
3182 if (err < 0)
3183 return err;
3184
3185 exp->saved_addr = nat_tuple.src.u3;
3186 exp->saved_proto = nat_tuple.src.u;
3187 exp->dir = ntohl(nla_get_be32(tb[CTA_EXPECT_NAT_DIR]));
3188
3189 return 0;
3190 #else
3191 return -EOPNOTSUPP;
3192 #endif
3193 }
3194
3195 static struct nf_conntrack_expect *
ctnetlink_alloc_expect(const struct nlattr * const cda[],struct nf_conn * ct,struct nf_conntrack_helper * helper,struct nf_conntrack_tuple * tuple,struct nf_conntrack_tuple * mask)3196 ctnetlink_alloc_expect(const struct nlattr * const cda[], struct nf_conn *ct,
3197 struct nf_conntrack_helper *helper,
3198 struct nf_conntrack_tuple *tuple,
3199 struct nf_conntrack_tuple *mask)
3200 {
3201 u_int32_t class = 0;
3202 struct nf_conntrack_expect *exp;
3203 struct nf_conn_help *help;
3204 int err;
3205
3206 help = nfct_help(ct);
3207 if (!help)
3208 return ERR_PTR(-EOPNOTSUPP);
3209
3210 if (cda[CTA_EXPECT_CLASS] && helper) {
3211 class = ntohl(nla_get_be32(cda[CTA_EXPECT_CLASS]));
3212 if (class > helper->expect_class_max)
3213 return ERR_PTR(-EINVAL);
3214 }
3215 exp = nf_ct_expect_alloc(ct);
3216 if (!exp)
3217 return ERR_PTR(-ENOMEM);
3218
3219 if (cda[CTA_EXPECT_FLAGS]) {
3220 exp->flags = ntohl(nla_get_be32(cda[CTA_EXPECT_FLAGS]));
3221 exp->flags &= ~NF_CT_EXPECT_USERSPACE;
3222 } else {
3223 exp->flags = 0;
3224 }
3225 if (cda[CTA_EXPECT_FN]) {
3226 const char *name = nla_data(cda[CTA_EXPECT_FN]);
3227 struct nf_ct_helper_expectfn *expfn;
3228
3229 expfn = nf_ct_helper_expectfn_find_by_name(name);
3230 if (expfn == NULL) {
3231 err = -EINVAL;
3232 goto err_out;
3233 }
3234 exp->expectfn = expfn->expectfn;
3235 } else
3236 exp->expectfn = NULL;
3237
3238 exp->class = class;
3239 exp->master = ct;
3240 exp->helper = helper;
3241 exp->tuple = *tuple;
3242 exp->mask.src.u3 = mask->src.u3;
3243 exp->mask.src.u.all = mask->src.u.all;
3244
3245 if (cda[CTA_EXPECT_NAT]) {
3246 err = ctnetlink_parse_expect_nat(cda[CTA_EXPECT_NAT],
3247 exp, nf_ct_l3num(ct));
3248 if (err < 0)
3249 goto err_out;
3250 }
3251 return exp;
3252 err_out:
3253 nf_ct_expect_put(exp);
3254 return ERR_PTR(err);
3255 }
3256
3257 static int
ctnetlink_create_expect(struct net * net,const struct nf_conntrack_zone * zone,const struct nlattr * const cda[],u_int8_t u3,u32 portid,int report)3258 ctnetlink_create_expect(struct net *net,
3259 const struct nf_conntrack_zone *zone,
3260 const struct nlattr * const cda[],
3261 u_int8_t u3, u32 portid, int report)
3262 {
3263 struct nf_conntrack_tuple tuple, mask, master_tuple;
3264 struct nf_conntrack_tuple_hash *h = NULL;
3265 struct nf_conntrack_helper *helper = NULL;
3266 struct nf_conntrack_expect *exp;
3267 struct nf_conn *ct;
3268 int err;
3269
3270 /* caller guarantees that those three CTA_EXPECT_* exist */
3271 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE,
3272 u3, NULL);
3273 if (err < 0)
3274 return err;
3275 err = ctnetlink_parse_tuple(cda, &mask, CTA_EXPECT_MASK,
3276 u3, NULL);
3277 if (err < 0)
3278 return err;
3279 err = ctnetlink_parse_tuple(cda, &master_tuple, CTA_EXPECT_MASTER,
3280 u3, NULL);
3281 if (err < 0)
3282 return err;
3283
3284 /* Look for master conntrack of this expectation */
3285 h = nf_conntrack_find_get(net, zone, &master_tuple);
3286 if (!h)
3287 return -ENOENT;
3288 ct = nf_ct_tuplehash_to_ctrack(h);
3289
3290 rcu_read_lock();
3291 if (cda[CTA_EXPECT_HELP_NAME]) {
3292 const char *helpname = nla_data(cda[CTA_EXPECT_HELP_NAME]);
3293
3294 helper = __nf_conntrack_helper_find(helpname, u3,
3295 nf_ct_protonum(ct));
3296 if (helper == NULL) {
3297 rcu_read_unlock();
3298 #ifdef CONFIG_MODULES
3299 if (request_module("nfct-helper-%s", helpname) < 0) {
3300 err = -EOPNOTSUPP;
3301 goto err_ct;
3302 }
3303 rcu_read_lock();
3304 helper = __nf_conntrack_helper_find(helpname, u3,
3305 nf_ct_protonum(ct));
3306 if (helper) {
3307 err = -EAGAIN;
3308 goto err_rcu;
3309 }
3310 rcu_read_unlock();
3311 #endif
3312 err = -EOPNOTSUPP;
3313 goto err_ct;
3314 }
3315 }
3316
3317 exp = ctnetlink_alloc_expect(cda, ct, helper, &tuple, &mask);
3318 if (IS_ERR(exp)) {
3319 err = PTR_ERR(exp);
3320 goto err_rcu;
3321 }
3322
3323 err = nf_ct_expect_related_report(exp, portid, report);
3324 nf_ct_expect_put(exp);
3325 err_rcu:
3326 rcu_read_unlock();
3327 err_ct:
3328 nf_ct_put(ct);
3329 return err;
3330 }
3331
ctnetlink_new_expect(struct net * net,struct sock * ctnl,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const cda[],struct netlink_ext_ack * extack)3332 static int ctnetlink_new_expect(struct net *net, struct sock *ctnl,
3333 struct sk_buff *skb, const struct nlmsghdr *nlh,
3334 const struct nlattr * const cda[],
3335 struct netlink_ext_ack *extack)
3336 {
3337 struct nf_conntrack_tuple tuple;
3338 struct nf_conntrack_expect *exp;
3339 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3340 u_int8_t u3 = nfmsg->nfgen_family;
3341 struct nf_conntrack_zone zone;
3342 int err;
3343
3344 if (!cda[CTA_EXPECT_TUPLE]
3345 || !cda[CTA_EXPECT_MASK]
3346 || !cda[CTA_EXPECT_MASTER])
3347 return -EINVAL;
3348
3349 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
3350 if (err < 0)
3351 return err;
3352
3353 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE,
3354 u3, NULL);
3355 if (err < 0)
3356 return err;
3357
3358 spin_lock_bh(&nf_conntrack_expect_lock);
3359 exp = __nf_ct_expect_find(net, &zone, &tuple);
3360 if (!exp) {
3361 spin_unlock_bh(&nf_conntrack_expect_lock);
3362 err = -ENOENT;
3363 if (nlh->nlmsg_flags & NLM_F_CREATE) {
3364 err = ctnetlink_create_expect(net, &zone, cda, u3,
3365 NETLINK_CB(skb).portid,
3366 nlmsg_report(nlh));
3367 }
3368 return err;
3369 }
3370
3371 err = -EEXIST;
3372 if (!(nlh->nlmsg_flags & NLM_F_EXCL))
3373 err = ctnetlink_change_expect(exp, cda);
3374 spin_unlock_bh(&nf_conntrack_expect_lock);
3375
3376 return err;
3377 }
3378
3379 static int
ctnetlink_exp_stat_fill_info(struct sk_buff * skb,u32 portid,u32 seq,int cpu,const struct ip_conntrack_stat * st)3380 ctnetlink_exp_stat_fill_info(struct sk_buff *skb, u32 portid, u32 seq, int cpu,
3381 const struct ip_conntrack_stat *st)
3382 {
3383 struct nlmsghdr *nlh;
3384 struct nfgenmsg *nfmsg;
3385 unsigned int flags = portid ? NLM_F_MULTI : 0, event;
3386
3387 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK,
3388 IPCTNL_MSG_EXP_GET_STATS_CPU);
3389 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
3390 if (nlh == NULL)
3391 goto nlmsg_failure;
3392
3393 nfmsg = nlmsg_data(nlh);
3394 nfmsg->nfgen_family = AF_UNSPEC;
3395 nfmsg->version = NFNETLINK_V0;
3396 nfmsg->res_id = htons(cpu);
3397
3398 if (nla_put_be32(skb, CTA_STATS_EXP_NEW, htonl(st->expect_new)) ||
3399 nla_put_be32(skb, CTA_STATS_EXP_CREATE, htonl(st->expect_create)) ||
3400 nla_put_be32(skb, CTA_STATS_EXP_DELETE, htonl(st->expect_delete)))
3401 goto nla_put_failure;
3402
3403 nlmsg_end(skb, nlh);
3404 return skb->len;
3405
3406 nla_put_failure:
3407 nlmsg_failure:
3408 nlmsg_cancel(skb, nlh);
3409 return -1;
3410 }
3411
3412 static int
ctnetlink_exp_stat_cpu_dump(struct sk_buff * skb,struct netlink_callback * cb)3413 ctnetlink_exp_stat_cpu_dump(struct sk_buff *skb, struct netlink_callback *cb)
3414 {
3415 int cpu;
3416 struct net *net = sock_net(skb->sk);
3417
3418 if (cb->args[0] == nr_cpu_ids)
3419 return 0;
3420
3421 for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) {
3422 const struct ip_conntrack_stat *st;
3423
3424 if (!cpu_possible(cpu))
3425 continue;
3426
3427 st = per_cpu_ptr(net->ct.stat, cpu);
3428 if (ctnetlink_exp_stat_fill_info(skb, NETLINK_CB(cb->skb).portid,
3429 cb->nlh->nlmsg_seq,
3430 cpu, st) < 0)
3431 break;
3432 }
3433 cb->args[0] = cpu;
3434
3435 return skb->len;
3436 }
3437
ctnetlink_stat_exp_cpu(struct net * net,struct sock * ctnl,struct sk_buff * skb,const struct nlmsghdr * nlh,const struct nlattr * const cda[],struct netlink_ext_ack * extack)3438 static int ctnetlink_stat_exp_cpu(struct net *net, struct sock *ctnl,
3439 struct sk_buff *skb,
3440 const struct nlmsghdr *nlh,
3441 const struct nlattr * const cda[],
3442 struct netlink_ext_ack *extack)
3443 {
3444 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3445 struct netlink_dump_control c = {
3446 .dump = ctnetlink_exp_stat_cpu_dump,
3447 };
3448 return netlink_dump_start(ctnl, skb, nlh, &c);
3449 }
3450
3451 return 0;
3452 }
3453
3454 #ifdef CONFIG_NF_CONNTRACK_EVENTS
3455 static struct nf_ct_event_notifier ctnl_notifier = {
3456 .fcn = ctnetlink_conntrack_event,
3457 };
3458
3459 static struct nf_exp_event_notifier ctnl_notifier_exp = {
3460 .fcn = ctnetlink_expect_event,
3461 };
3462 #endif
3463
3464 static const struct nfnl_callback ctnl_cb[IPCTNL_MSG_MAX] = {
3465 [IPCTNL_MSG_CT_NEW] = { .call = ctnetlink_new_conntrack,
3466 .attr_count = CTA_MAX,
3467 .policy = ct_nla_policy },
3468 [IPCTNL_MSG_CT_GET] = { .call = ctnetlink_get_conntrack,
3469 .attr_count = CTA_MAX,
3470 .policy = ct_nla_policy },
3471 [IPCTNL_MSG_CT_DELETE] = { .call = ctnetlink_del_conntrack,
3472 .attr_count = CTA_MAX,
3473 .policy = ct_nla_policy },
3474 [IPCTNL_MSG_CT_GET_CTRZERO] = { .call = ctnetlink_get_conntrack,
3475 .attr_count = CTA_MAX,
3476 .policy = ct_nla_policy },
3477 [IPCTNL_MSG_CT_GET_STATS_CPU] = { .call = ctnetlink_stat_ct_cpu },
3478 [IPCTNL_MSG_CT_GET_STATS] = { .call = ctnetlink_stat_ct },
3479 [IPCTNL_MSG_CT_GET_DYING] = { .call = ctnetlink_get_ct_dying },
3480 [IPCTNL_MSG_CT_GET_UNCONFIRMED] = { .call = ctnetlink_get_ct_unconfirmed },
3481 };
3482
3483 static const struct nfnl_callback ctnl_exp_cb[IPCTNL_MSG_EXP_MAX] = {
3484 [IPCTNL_MSG_EXP_GET] = { .call = ctnetlink_get_expect,
3485 .attr_count = CTA_EXPECT_MAX,
3486 .policy = exp_nla_policy },
3487 [IPCTNL_MSG_EXP_NEW] = { .call = ctnetlink_new_expect,
3488 .attr_count = CTA_EXPECT_MAX,
3489 .policy = exp_nla_policy },
3490 [IPCTNL_MSG_EXP_DELETE] = { .call = ctnetlink_del_expect,
3491 .attr_count = CTA_EXPECT_MAX,
3492 .policy = exp_nla_policy },
3493 [IPCTNL_MSG_EXP_GET_STATS_CPU] = { .call = ctnetlink_stat_exp_cpu },
3494 };
3495
3496 static const struct nfnetlink_subsystem ctnl_subsys = {
3497 .name = "conntrack",
3498 .subsys_id = NFNL_SUBSYS_CTNETLINK,
3499 .cb_count = IPCTNL_MSG_MAX,
3500 .cb = ctnl_cb,
3501 };
3502
3503 static const struct nfnetlink_subsystem ctnl_exp_subsys = {
3504 .name = "conntrack_expect",
3505 .subsys_id = NFNL_SUBSYS_CTNETLINK_EXP,
3506 .cb_count = IPCTNL_MSG_EXP_MAX,
3507 .cb = ctnl_exp_cb,
3508 };
3509
3510 MODULE_ALIAS("ip_conntrack_netlink");
3511 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK);
3512 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK_EXP);
3513
ctnetlink_net_init(struct net * net)3514 static int __net_init ctnetlink_net_init(struct net *net)
3515 {
3516 #ifdef CONFIG_NF_CONNTRACK_EVENTS
3517 int ret;
3518
3519 ret = nf_conntrack_register_notifier(net, &ctnl_notifier);
3520 if (ret < 0) {
3521 pr_err("ctnetlink_init: cannot register notifier.\n");
3522 goto err_out;
3523 }
3524
3525 ret = nf_ct_expect_register_notifier(net, &ctnl_notifier_exp);
3526 if (ret < 0) {
3527 pr_err("ctnetlink_init: cannot expect register notifier.\n");
3528 goto err_unreg_notifier;
3529 }
3530 #endif
3531 return 0;
3532
3533 #ifdef CONFIG_NF_CONNTRACK_EVENTS
3534 err_unreg_notifier:
3535 nf_conntrack_unregister_notifier(net, &ctnl_notifier);
3536 err_out:
3537 return ret;
3538 #endif
3539 }
3540
ctnetlink_net_exit(struct net * net)3541 static void ctnetlink_net_exit(struct net *net)
3542 {
3543 #ifdef CONFIG_NF_CONNTRACK_EVENTS
3544 nf_ct_expect_unregister_notifier(net, &ctnl_notifier_exp);
3545 nf_conntrack_unregister_notifier(net, &ctnl_notifier);
3546 #endif
3547 }
3548
ctnetlink_net_exit_batch(struct list_head * net_exit_list)3549 static void __net_exit ctnetlink_net_exit_batch(struct list_head *net_exit_list)
3550 {
3551 struct net *net;
3552
3553 list_for_each_entry(net, net_exit_list, exit_list)
3554 ctnetlink_net_exit(net);
3555 }
3556
3557 static struct pernet_operations ctnetlink_net_ops = {
3558 .init = ctnetlink_net_init,
3559 .exit_batch = ctnetlink_net_exit_batch,
3560 };
3561
ctnetlink_init(void)3562 static int __init ctnetlink_init(void)
3563 {
3564 int ret;
3565
3566 ret = nfnetlink_subsys_register(&ctnl_subsys);
3567 if (ret < 0) {
3568 pr_err("ctnetlink_init: cannot register with nfnetlink.\n");
3569 goto err_out;
3570 }
3571
3572 ret = nfnetlink_subsys_register(&ctnl_exp_subsys);
3573 if (ret < 0) {
3574 pr_err("ctnetlink_init: cannot register exp with nfnetlink.\n");
3575 goto err_unreg_subsys;
3576 }
3577
3578 ret = register_pernet_subsys(&ctnetlink_net_ops);
3579 if (ret < 0) {
3580 pr_err("ctnetlink_init: cannot register pernet operations\n");
3581 goto err_unreg_exp_subsys;
3582 }
3583 #ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT
3584 /* setup interaction between nf_queue and nf_conntrack_netlink. */
3585 RCU_INIT_POINTER(nfnl_ct_hook, &ctnetlink_glue_hook);
3586 #endif
3587 return 0;
3588
3589 err_unreg_exp_subsys:
3590 nfnetlink_subsys_unregister(&ctnl_exp_subsys);
3591 err_unreg_subsys:
3592 nfnetlink_subsys_unregister(&ctnl_subsys);
3593 err_out:
3594 return ret;
3595 }
3596
ctnetlink_exit(void)3597 static void __exit ctnetlink_exit(void)
3598 {
3599 unregister_pernet_subsys(&ctnetlink_net_ops);
3600 nfnetlink_subsys_unregister(&ctnl_exp_subsys);
3601 nfnetlink_subsys_unregister(&ctnl_subsys);
3602 #ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT
3603 RCU_INIT_POINTER(nfnl_ct_hook, NULL);
3604 #endif
3605 synchronize_rcu();
3606 }
3607
3608 module_init(ctnetlink_init);
3609 module_exit(ctnetlink_exit);
3610
