1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18#include <linux/init.h>
19#include <linux/module.h>
20#include <linux/kernel.h>
21#include <linux/rculist.h>
22#include <linux/rculist_nulls.h>
23#include <linux/types.h>
24#include <linux/timer.h>
25#include <linux/security.h>
26#include <linux/skbuff.h>
27#include <linux/errno.h>
28#include <linux/netlink.h>
29#include <linux/spinlock.h>
30#include <linux/interrupt.h>
31#include <linux/slab.h>
32#include <linux/siphash.h>
33
34#include <linux/netfilter.h>
35#include <net/netlink.h>
36#include <net/sock.h>
37#include <net/netfilter/nf_conntrack.h>
38#include <net/netfilter/nf_conntrack_core.h>
39#include <net/netfilter/nf_conntrack_expect.h>
40#include <net/netfilter/nf_conntrack_helper.h>
41#include <net/netfilter/nf_conntrack_seqadj.h>
42#include <net/netfilter/nf_conntrack_l4proto.h>
43#include <net/netfilter/nf_conntrack_tuple.h>
44#include <net/netfilter/nf_conntrack_acct.h>
45#include <net/netfilter/nf_conntrack_zones.h>
46#include <net/netfilter/nf_conntrack_timestamp.h>
47#include <net/netfilter/nf_conntrack_labels.h>
48#include <net/netfilter/nf_conntrack_synproxy.h>
49#ifdef CONFIG_NF_NAT_NEEDED
50#include <net/netfilter/nf_nat.h>
51#include <net/netfilter/nf_nat_helper.h>
52#endif
53
54#include <linux/netfilter/nfnetlink.h>
55#include <linux/netfilter/nfnetlink_conntrack.h>
56
57MODULE_LICENSE("GPL");
58
59static int ctnetlink_dump_tuples_proto(struct sk_buff *skb,
60 const struct nf_conntrack_tuple *tuple,
61 const struct nf_conntrack_l4proto *l4proto)
62{
63 int ret = 0;
64 struct nlattr *nest_parms;
65
66 nest_parms = nla_nest_start(skb, CTA_TUPLE_PROTO);
67 if (!nest_parms)
68 goto nla_put_failure;
69 if (nla_put_u8(skb, CTA_PROTO_NUM, tuple->dst.protonum))
70 goto nla_put_failure;
71
72 if (likely(l4proto->tuple_to_nlattr))
73 ret = l4proto->tuple_to_nlattr(skb, tuple);
74
75 nla_nest_end(skb, nest_parms);
76
77 return ret;
78
79nla_put_failure:
80 return -1;
81}
82
83static int ipv4_tuple_to_nlattr(struct sk_buff *skb,
84 const struct nf_conntrack_tuple *tuple)
85{
86 if (nla_put_in_addr(skb, CTA_IP_V4_SRC, tuple->src.u3.ip) ||
87 nla_put_in_addr(skb, CTA_IP_V4_DST, tuple->dst.u3.ip))
88 return -EMSGSIZE;
89 return 0;
90}
91
92static int ipv6_tuple_to_nlattr(struct sk_buff *skb,
93 const struct nf_conntrack_tuple *tuple)
94{
95 if (nla_put_in6_addr(skb, CTA_IP_V6_SRC, &tuple->src.u3.in6) ||
96 nla_put_in6_addr(skb, CTA_IP_V6_DST, &tuple->dst.u3.in6))
97 return -EMSGSIZE;
98 return 0;
99}
100
101static int ctnetlink_dump_tuples_ip(struct sk_buff *skb,
102 const struct nf_conntrack_tuple *tuple)
103{
104 int ret = 0;
105 struct nlattr *nest_parms;
106
107 nest_parms = nla_nest_start(skb, CTA_TUPLE_IP);
108 if (!nest_parms)
109 goto nla_put_failure;
110
111 switch (tuple->src.l3num) {
112 case NFPROTO_IPV4:
113 ret = ipv4_tuple_to_nlattr(skb, tuple);
114 break;
115 case NFPROTO_IPV6:
116 ret = ipv6_tuple_to_nlattr(skb, tuple);
117 break;
118 }
119
120 nla_nest_end(skb, nest_parms);
121
122 return ret;
123
124nla_put_failure:
125 return -1;
126}
127
128static int ctnetlink_dump_tuples(struct sk_buff *skb,
129 const struct nf_conntrack_tuple *tuple)
130{
131 const struct nf_conntrack_l4proto *l4proto;
132 int ret;
133
134 rcu_read_lock();
135 ret = ctnetlink_dump_tuples_ip(skb, tuple);
136
137 if (ret >= 0) {
138 l4proto = __nf_ct_l4proto_find(tuple->dst.protonum);
139 ret = ctnetlink_dump_tuples_proto(skb, tuple, l4proto);
140 }
141 rcu_read_unlock();
142 return ret;
143}
144
145static int ctnetlink_dump_zone_id(struct sk_buff *skb, int attrtype,
146 const struct nf_conntrack_zone *zone, int dir)
147{
148 if (zone->id == NF_CT_DEFAULT_ZONE_ID || zone->dir != dir)
149 return 0;
150 if (nla_put_be16(skb, attrtype, htons(zone->id)))
151 goto nla_put_failure;
152 return 0;
153
154nla_put_failure:
155 return -1;
156}
157
158static int ctnetlink_dump_status(struct sk_buff *skb, const struct nf_conn *ct)
159{
160 if (nla_put_be32(skb, CTA_STATUS, htonl(ct->status)))
161 goto nla_put_failure;
162 return 0;
163
164nla_put_failure:
165 return -1;
166}
167
168static int ctnetlink_dump_timeout(struct sk_buff *skb, const struct nf_conn *ct)
169{
170 long timeout = nf_ct_expires(ct) / HZ;
171
172 if (nla_put_be32(skb, CTA_TIMEOUT, htonl(timeout)))
173 goto nla_put_failure;
174 return 0;
175
176nla_put_failure:
177 return -1;
178}
179
180static int ctnetlink_dump_protoinfo(struct sk_buff *skb, struct nf_conn *ct)
181{
182 const struct nf_conntrack_l4proto *l4proto;
183 struct nlattr *nest_proto;
184 int ret;
185
186 l4proto = __nf_ct_l4proto_find(nf_ct_protonum(ct));
187 if (!l4proto->to_nlattr)
188 return 0;
189
190 nest_proto = nla_nest_start(skb, CTA_PROTOINFO);
191 if (!nest_proto)
192 goto nla_put_failure;
193
194 ret = l4proto->to_nlattr(skb, nest_proto, ct);
195
196 nla_nest_end(skb, nest_proto);
197
198 return ret;
199
200nla_put_failure:
201 return -1;
202}
203
204static int ctnetlink_dump_helpinfo(struct sk_buff *skb,
205 const struct nf_conn *ct)
206{
207 struct nlattr *nest_helper;
208 const struct nf_conn_help *help = nfct_help(ct);
209 struct nf_conntrack_helper *helper;
210
211 if (!help)
212 return 0;
213
214 helper = rcu_dereference(help->helper);
215 if (!helper)
216 goto out;
217
218 nest_helper = nla_nest_start(skb, CTA_HELP);
219 if (!nest_helper)
220 goto nla_put_failure;
221 if (nla_put_string(skb, CTA_HELP_NAME, helper->name))
222 goto nla_put_failure;
223
224 if (helper->to_nlattr)
225 helper->to_nlattr(skb, ct);
226
227 nla_nest_end(skb, nest_helper);
228out:
229 return 0;
230
231nla_put_failure:
232 return -1;
233}
234
235static int
236dump_counters(struct sk_buff *skb, struct nf_conn_acct *acct,
237 enum ip_conntrack_dir dir, int type)
238{
239 enum ctattr_type attr = dir ? CTA_COUNTERS_REPLY: CTA_COUNTERS_ORIG;
240 struct nf_conn_counter *counter = acct->counter;
241 struct nlattr *nest_count;
242 u64 pkts, bytes;
243
244 if (type == IPCTNL_MSG_CT_GET_CTRZERO) {
245 pkts = atomic64_xchg(&counter[dir].packets, 0);
246 bytes = atomic64_xchg(&counter[dir].bytes, 0);
247 } else {
248 pkts = atomic64_read(&counter[dir].packets);
249 bytes = atomic64_read(&counter[dir].bytes);
250 }
251
252 nest_count = nla_nest_start(skb, attr);
253 if (!nest_count)
254 goto nla_put_failure;
255
256 if (nla_put_be64(skb, CTA_COUNTERS_PACKETS, cpu_to_be64(pkts),
257 CTA_COUNTERS_PAD) ||
258 nla_put_be64(skb, CTA_COUNTERS_BYTES, cpu_to_be64(bytes),
259 CTA_COUNTERS_PAD))
260 goto nla_put_failure;
261
262 nla_nest_end(skb, nest_count);
263
264 return 0;
265
266nla_put_failure:
267 return -1;
268}
269
270static int
271ctnetlink_dump_acct(struct sk_buff *skb, const struct nf_conn *ct, int type)
272{
273 struct nf_conn_acct *acct = nf_conn_acct_find(ct);
274
275 if (!acct)
276 return 0;
277
278 if (dump_counters(skb, acct, IP_CT_DIR_ORIGINAL, type) < 0)
279 return -1;
280 if (dump_counters(skb, acct, IP_CT_DIR_REPLY, type) < 0)
281 return -1;
282
283 return 0;
284}
285
286static int
287ctnetlink_dump_timestamp(struct sk_buff *skb, const struct nf_conn *ct)
288{
289 struct nlattr *nest_count;
290 const struct nf_conn_tstamp *tstamp;
291
292 tstamp = nf_conn_tstamp_find(ct);
293 if (!tstamp)
294 return 0;
295
296 nest_count = nla_nest_start(skb, CTA_TIMESTAMP);
297 if (!nest_count)
298 goto nla_put_failure;
299
300 if (nla_put_be64(skb, CTA_TIMESTAMP_START, cpu_to_be64(tstamp->start),
301 CTA_TIMESTAMP_PAD) ||
302 (tstamp->stop != 0 && nla_put_be64(skb, CTA_TIMESTAMP_STOP,
303 cpu_to_be64(tstamp->stop),
304 CTA_TIMESTAMP_PAD)))
305 goto nla_put_failure;
306 nla_nest_end(skb, nest_count);
307
308 return 0;
309
310nla_put_failure:
311 return -1;
312}
313
314#ifdef CONFIG_NF_CONNTRACK_MARK
315static int ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct)
316{
317 if (nla_put_be32(skb, CTA_MARK, htonl(ct->mark)))
318 goto nla_put_failure;
319 return 0;
320
321nla_put_failure:
322 return -1;
323}
324#else
325#define ctnetlink_dump_mark(a, b) (0)
326#endif
327
328#ifdef CONFIG_NF_CONNTRACK_SECMARK
329static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
330{
331 struct nlattr *nest_secctx;
332 int len, ret;
333 char *secctx;
334
335 ret = security_secid_to_secctx(ct->secmark, &secctx, &len);
336 if (ret)
337 return 0;
338
339 ret = -1;
340 nest_secctx = nla_nest_start(skb, CTA_SECCTX);
341 if (!nest_secctx)
342 goto nla_put_failure;
343
344 if (nla_put_string(skb, CTA_SECCTX_NAME, secctx))
345 goto nla_put_failure;
346 nla_nest_end(skb, nest_secctx);
347
348 ret = 0;
349nla_put_failure:
350 security_release_secctx(secctx, len);
351 return ret;
352}
353#else
354#define ctnetlink_dump_secctx(a, b) (0)
355#endif
356
357#ifdef CONFIG_NF_CONNTRACK_LABELS
358static inline int ctnetlink_label_size(const struct nf_conn *ct)
359{
360 struct nf_conn_labels *labels = nf_ct_labels_find(ct);
361
362 if (!labels)
363 return 0;
364 return nla_total_size(sizeof(labels->bits));
365}
366
367static int
368ctnetlink_dump_labels(struct sk_buff *skb, const struct nf_conn *ct)
369{
370 struct nf_conn_labels *labels = nf_ct_labels_find(ct);
371 unsigned int i;
372
373 if (!labels)
374 return 0;
375
376 i = 0;
377 do {
378 if (labels->bits[i] != 0)
379 return nla_put(skb, CTA_LABELS, sizeof(labels->bits),
380 labels->bits);
381 i++;
382 } while (i < ARRAY_SIZE(labels->bits));
383
384 return 0;
385}
386#else
387#define ctnetlink_dump_labels(a, b) (0)
388#define ctnetlink_label_size(a) (0)
389#endif
390
391#define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple)
392
393static int ctnetlink_dump_master(struct sk_buff *skb, const struct nf_conn *ct)
394{
395 struct nlattr *nest_parms;
396
397 if (!(ct->status & IPS_EXPECTED))
398 return 0;
399
400 nest_parms = nla_nest_start(skb, CTA_TUPLE_MASTER);
401 if (!nest_parms)
402 goto nla_put_failure;
403 if (ctnetlink_dump_tuples(skb, master_tuple(ct)) < 0)
404 goto nla_put_failure;
405 nla_nest_end(skb, nest_parms);
406
407 return 0;
408
409nla_put_failure:
410 return -1;
411}
412
413static int
414dump_ct_seq_adj(struct sk_buff *skb, const struct nf_ct_seqadj *seq, int type)
415{
416 struct nlattr *nest_parms;
417
418 nest_parms = nla_nest_start(skb, type);
419 if (!nest_parms)
420 goto nla_put_failure;
421
422 if (nla_put_be32(skb, CTA_SEQADJ_CORRECTION_POS,
423 htonl(seq->correction_pos)) ||
424 nla_put_be32(skb, CTA_SEQADJ_OFFSET_BEFORE,
425 htonl(seq->offset_before)) ||
426 nla_put_be32(skb, CTA_SEQADJ_OFFSET_AFTER,
427 htonl(seq->offset_after)))
428 goto nla_put_failure;
429
430 nla_nest_end(skb, nest_parms);
431
432 return 0;
433
434nla_put_failure:
435 return -1;
436}
437
438static int ctnetlink_dump_ct_seq_adj(struct sk_buff *skb, struct nf_conn *ct)
439{
440 struct nf_conn_seqadj *seqadj = nfct_seqadj(ct);
441 struct nf_ct_seqadj *seq;
442
443 if (!(ct->status & IPS_SEQ_ADJUST) || !seqadj)
444 return 0;
445
446 spin_lock_bh(&ct->lock);
447 seq = &seqadj->seq[IP_CT_DIR_ORIGINAL];
448 if (dump_ct_seq_adj(skb, seq, CTA_SEQ_ADJ_ORIG) == -1)
449 goto err;
450
451 seq = &seqadj->seq[IP_CT_DIR_REPLY];
452 if (dump_ct_seq_adj(skb, seq, CTA_SEQ_ADJ_REPLY) == -1)
453 goto err;
454
455 spin_unlock_bh(&ct->lock);
456 return 0;
457err:
458 spin_unlock_bh(&ct->lock);
459 return -1;
460}
461
462static int ctnetlink_dump_ct_synproxy(struct sk_buff *skb, struct nf_conn *ct)
463{
464 struct nf_conn_synproxy *synproxy = nfct_synproxy(ct);
465 struct nlattr *nest_parms;
466
467 if (!synproxy)
468 return 0;
469
470 nest_parms = nla_nest_start(skb, CTA_SYNPROXY);
471 if (!nest_parms)
472 goto nla_put_failure;
473
474 if (nla_put_be32(skb, CTA_SYNPROXY_ISN, htonl(synproxy->isn)) ||
475 nla_put_be32(skb, CTA_SYNPROXY_ITS, htonl(synproxy->its)) ||
476 nla_put_be32(skb, CTA_SYNPROXY_TSOFF, htonl(synproxy->tsoff)))
477 goto nla_put_failure;
478
479 nla_nest_end(skb, nest_parms);
480
481 return 0;
482
483nla_put_failure:
484 return -1;
485}
486
487static int ctnetlink_dump_id(struct sk_buff *skb, const struct nf_conn *ct)
488{
489 __be32 id = (__force __be32)nf_ct_get_id(ct);
490
491 if (nla_put_be32(skb, CTA_ID, id))
492 goto nla_put_failure;
493 return 0;
494
495nla_put_failure:
496 return -1;
497}
498
499static int ctnetlink_dump_use(struct sk_buff *skb, const struct nf_conn *ct)
500{
501 if (nla_put_be32(skb, CTA_USE, htonl(atomic_read(&ct->ct_general.use))))
502 goto nla_put_failure;
503 return 0;
504
505nla_put_failure:
506 return -1;
507}
508
509static int
510ctnetlink_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
511 struct nf_conn *ct)
512{
513 const struct nf_conntrack_zone *zone;
514 struct nlmsghdr *nlh;
515 struct nfgenmsg *nfmsg;
516 struct nlattr *nest_parms;
517 unsigned int flags = portid ? NLM_F_MULTI : 0, event;
518
519 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, IPCTNL_MSG_CT_NEW);
520 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
521 if (nlh == NULL)
522 goto nlmsg_failure;
523
524 nfmsg = nlmsg_data(nlh);
525 nfmsg->nfgen_family = nf_ct_l3num(ct);
526 nfmsg->version = NFNETLINK_V0;
527 nfmsg->res_id = 0;
528
529 zone = nf_ct_zone(ct);
530
531 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG);
532 if (!nest_parms)
533 goto nla_put_failure;
534 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
535 goto nla_put_failure;
536 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
537 NF_CT_ZONE_DIR_ORIG) < 0)
538 goto nla_put_failure;
539 nla_nest_end(skb, nest_parms);
540
541 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY);
542 if (!nest_parms)
543 goto nla_put_failure;
544 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
545 goto nla_put_failure;
546 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
547 NF_CT_ZONE_DIR_REPL) < 0)
548 goto nla_put_failure;
549 nla_nest_end(skb, nest_parms);
550
551 if (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone,
552 NF_CT_DEFAULT_ZONE_DIR) < 0)
553 goto nla_put_failure;
554
555 if (ctnetlink_dump_status(skb, ct) < 0 ||
556 ctnetlink_dump_acct(skb, ct, type) < 0 ||
557 ctnetlink_dump_timestamp(skb, ct) < 0 ||
558 ctnetlink_dump_helpinfo(skb, ct) < 0 ||
559 ctnetlink_dump_mark(skb, ct) < 0 ||
560 ctnetlink_dump_secctx(skb, ct) < 0 ||
561 ctnetlink_dump_labels(skb, ct) < 0 ||
562 ctnetlink_dump_id(skb, ct) < 0 ||
563 ctnetlink_dump_use(skb, ct) < 0 ||
564 ctnetlink_dump_master(skb, ct) < 0 ||
565 ctnetlink_dump_ct_seq_adj(skb, ct) < 0 ||
566 ctnetlink_dump_ct_synproxy(skb, ct) < 0)
567 goto nla_put_failure;
568
569 if (!test_bit(IPS_OFFLOAD_BIT, &ct->status) &&
570 (ctnetlink_dump_timeout(skb, ct) < 0 ||
571 ctnetlink_dump_protoinfo(skb, ct) < 0))
572 goto nla_put_failure;
573
574 nlmsg_end(skb, nlh);
575 return skb->len;
576
577nlmsg_failure:
578nla_put_failure:
579 nlmsg_cancel(skb, nlh);
580 return -1;
581}
582
583static const struct nla_policy cta_ip_nla_policy[CTA_IP_MAX + 1] = {
584 [CTA_IP_V4_SRC] = { .type = NLA_U32 },
585 [CTA_IP_V4_DST] = { .type = NLA_U32 },
586 [CTA_IP_V6_SRC] = { .len = sizeof(__be32) * 4 },
587 [CTA_IP_V6_DST] = { .len = sizeof(__be32) * 4 },
588};
589
590#if defined(CONFIG_NETFILTER_NETLINK_GLUE_CT) || defined(CONFIG_NF_CONNTRACK_EVENTS)
591static size_t ctnetlink_proto_size(const struct nf_conn *ct)
592{
593 const struct nf_conntrack_l4proto *l4proto;
594 size_t len, len4 = 0;
595
596 len = nla_policy_len(cta_ip_nla_policy, CTA_IP_MAX + 1);
597 len *= 3u;
598
599 l4proto = __nf_ct_l4proto_find(nf_ct_protonum(ct));
600 len += l4proto->nlattr_size;
601 if (l4proto->nlattr_tuple_size) {
602 len4 = l4proto->nlattr_tuple_size();
603 len4 *= 3u;
604 }
605
606 return len + len4;
607}
608#endif
609
610static inline size_t ctnetlink_acct_size(const struct nf_conn *ct)
611{
612 if (!nf_ct_ext_exist(ct, NF_CT_EXT_ACCT))
613 return 0;
614 return 2 * nla_total_size(0)
615 + 2 * nla_total_size_64bit(sizeof(uint64_t))
616 + 2 * nla_total_size_64bit(sizeof(uint64_t))
617 ;
618}
619
620static inline int ctnetlink_secctx_size(const struct nf_conn *ct)
621{
622#ifdef CONFIG_NF_CONNTRACK_SECMARK
623 int len, ret;
624
625 ret = security_secid_to_secctx(ct->secmark, NULL, &len);
626 if (ret)
627 return 0;
628
629 return nla_total_size(0)
630 + nla_total_size(sizeof(char) * len);
631#else
632 return 0;
633#endif
634}
635
636static inline size_t ctnetlink_timestamp_size(const struct nf_conn *ct)
637{
638#ifdef CONFIG_NF_CONNTRACK_TIMESTAMP
639 if (!nf_ct_ext_exist(ct, NF_CT_EXT_TSTAMP))
640 return 0;
641 return nla_total_size(0) + 2 * nla_total_size_64bit(sizeof(uint64_t));
642#else
643 return 0;
644#endif
645}
646
647#ifdef CONFIG_NF_CONNTRACK_EVENTS
648static size_t ctnetlink_nlmsg_size(const struct nf_conn *ct)
649{
650 return NLMSG_ALIGN(sizeof(struct nfgenmsg))
651 + 3 * nla_total_size(0)
652 + 3 * nla_total_size(0)
653 + 3 * nla_total_size(0)
654 + 3 * nla_total_size(sizeof(u_int8_t))
655 + nla_total_size(sizeof(u_int32_t))
656 + nla_total_size(sizeof(u_int32_t))
657 + ctnetlink_acct_size(ct)
658 + ctnetlink_timestamp_size(ct)
659 + nla_total_size(sizeof(u_int32_t))
660 + nla_total_size(0)
661 + nla_total_size(0)
662 + nla_total_size(NF_CT_HELPER_NAME_LEN)
663 + ctnetlink_secctx_size(ct)
664#ifdef CONFIG_NF_NAT_NEEDED
665 + 2 * nla_total_size(0)
666 + 6 * nla_total_size(sizeof(u_int32_t))
667#endif
668#ifdef CONFIG_NF_CONNTRACK_MARK
669 + nla_total_size(sizeof(u_int32_t))
670#endif
671#ifdef CONFIG_NF_CONNTRACK_ZONES
672 + nla_total_size(sizeof(u_int16_t))
673#endif
674 + ctnetlink_proto_size(ct)
675 + ctnetlink_label_size(ct)
676 ;
677}
678
679static int
680ctnetlink_conntrack_event(unsigned int events, struct nf_ct_event *item)
681{
682 const struct nf_conntrack_zone *zone;
683 struct net *net;
684 struct nlmsghdr *nlh;
685 struct nfgenmsg *nfmsg;
686 struct nlattr *nest_parms;
687 struct nf_conn *ct = item->ct;
688 struct sk_buff *skb;
689 unsigned int type;
690 unsigned int flags = 0, group;
691 int err;
692
693 if (events & (1 << IPCT_DESTROY)) {
694 type = IPCTNL_MSG_CT_DELETE;
695 group = NFNLGRP_CONNTRACK_DESTROY;
696 } else if (events & ((1 << IPCT_NEW) | (1 << IPCT_RELATED))) {
697 type = IPCTNL_MSG_CT_NEW;
698 flags = NLM_F_CREATE|NLM_F_EXCL;
699 group = NFNLGRP_CONNTRACK_NEW;
700 } else if (events) {
701 type = IPCTNL_MSG_CT_NEW;
702 group = NFNLGRP_CONNTRACK_UPDATE;
703 } else
704 return 0;
705
706 net = nf_ct_net(ct);
707 if (!item->report && !nfnetlink_has_listeners(net, group))
708 return 0;
709
710 skb = nlmsg_new(ctnetlink_nlmsg_size(ct), GFP_ATOMIC);
711 if (skb == NULL)
712 goto errout;
713
714 type = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, type);
715 nlh = nlmsg_put(skb, item->portid, 0, type, sizeof(*nfmsg), flags);
716 if (nlh == NULL)
717 goto nlmsg_failure;
718
719 nfmsg = nlmsg_data(nlh);
720 nfmsg->nfgen_family = nf_ct_l3num(ct);
721 nfmsg->version = NFNETLINK_V0;
722 nfmsg->res_id = 0;
723
724 zone = nf_ct_zone(ct);
725
726 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG);
727 if (!nest_parms)
728 goto nla_put_failure;
729 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
730 goto nla_put_failure;
731 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
732 NF_CT_ZONE_DIR_ORIG) < 0)
733 goto nla_put_failure;
734 nla_nest_end(skb, nest_parms);
735
736 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY);
737 if (!nest_parms)
738 goto nla_put_failure;
739 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
740 goto nla_put_failure;
741 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
742 NF_CT_ZONE_DIR_REPL) < 0)
743 goto nla_put_failure;
744 nla_nest_end(skb, nest_parms);
745
746 if (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone,
747 NF_CT_DEFAULT_ZONE_DIR) < 0)
748 goto nla_put_failure;
749
750 if (ctnetlink_dump_id(skb, ct) < 0)
751 goto nla_put_failure;
752
753 if (ctnetlink_dump_status(skb, ct) < 0)
754 goto nla_put_failure;
755
756 if (events & (1 << IPCT_DESTROY)) {
757 if (ctnetlink_dump_acct(skb, ct, type) < 0 ||
758 ctnetlink_dump_timestamp(skb, ct) < 0)
759 goto nla_put_failure;
760 } else {
761 if (ctnetlink_dump_timeout(skb, ct) < 0)
762 goto nla_put_failure;
763
764 if (events & (1 << IPCT_PROTOINFO)
765 && ctnetlink_dump_protoinfo(skb, ct) < 0)
766 goto nla_put_failure;
767
768 if ((events & (1 << IPCT_HELPER) || nfct_help(ct))
769 && ctnetlink_dump_helpinfo(skb, ct) < 0)
770 goto nla_put_failure;
771
772#ifdef CONFIG_NF_CONNTRACK_SECMARK
773 if ((events & (1 << IPCT_SECMARK) || ct->secmark)
774 && ctnetlink_dump_secctx(skb, ct) < 0)
775 goto nla_put_failure;
776#endif
777 if (events & (1 << IPCT_LABEL) &&
778 ctnetlink_dump_labels(skb, ct) < 0)
779 goto nla_put_failure;
780
781 if (events & (1 << IPCT_RELATED) &&
782 ctnetlink_dump_master(skb, ct) < 0)
783 goto nla_put_failure;
784
785 if (events & (1 << IPCT_SEQADJ) &&
786 ctnetlink_dump_ct_seq_adj(skb, ct) < 0)
787 goto nla_put_failure;
788
789 if (events & (1 << IPCT_SYNPROXY) &&
790 ctnetlink_dump_ct_synproxy(skb, ct) < 0)
791 goto nla_put_failure;
792 }
793
794#ifdef CONFIG_NF_CONNTRACK_MARK
795 if ((events & (1 << IPCT_MARK) || ct->mark)
796 && ctnetlink_dump_mark(skb, ct) < 0)
797 goto nla_put_failure;
798#endif
799 nlmsg_end(skb, nlh);
800 err = nfnetlink_send(skb, net, item->portid, group, item->report,
801 GFP_ATOMIC);
802 if (err == -ENOBUFS || err == -EAGAIN)
803 return -ENOBUFS;
804
805 return 0;
806
807nla_put_failure:
808 nlmsg_cancel(skb, nlh);
809nlmsg_failure:
810 kfree_skb(skb);
811errout:
812 if (nfnetlink_set_err(net, 0, group, -ENOBUFS) > 0)
813 return -ENOBUFS;
814
815 return 0;
816}
817#endif
818
819static int ctnetlink_done(struct netlink_callback *cb)
820{
821 if (cb->args[1])
822 nf_ct_put((struct nf_conn *)cb->args[1]);
823 kfree(cb->data);
824 return 0;
825}
826
827struct ctnetlink_filter {
828 struct {
829 u_int32_t val;
830 u_int32_t mask;
831 } mark;
832};
833
834static struct ctnetlink_filter *
835ctnetlink_alloc_filter(const struct nlattr * const cda[])
836{
837#ifdef CONFIG_NF_CONNTRACK_MARK
838 struct ctnetlink_filter *filter;
839
840 filter = kzalloc(sizeof(*filter), GFP_KERNEL);
841 if (filter == NULL)
842 return ERR_PTR(-ENOMEM);
843
844 filter->mark.val = ntohl(nla_get_be32(cda[CTA_MARK]));
845 filter->mark.mask = ntohl(nla_get_be32(cda[CTA_MARK_MASK]));
846
847 return filter;
848#else
849 return ERR_PTR(-EOPNOTSUPP);
850#endif
851}
852
853static int ctnetlink_start(struct netlink_callback *cb)
854{
855 const struct nlattr * const *cda = cb->data;
856 struct ctnetlink_filter *filter = NULL;
857
858 if (cda[CTA_MARK] && cda[CTA_MARK_MASK]) {
859 filter = ctnetlink_alloc_filter(cda);
860 if (IS_ERR(filter))
861 return PTR_ERR(filter);
862 }
863
864 cb->data = filter;
865 return 0;
866}
867
868static int ctnetlink_filter_match(struct nf_conn *ct, void *data)
869{
870 struct ctnetlink_filter *filter = data;
871
872 if (filter == NULL)
873 return 1;
874
875#ifdef CONFIG_NF_CONNTRACK_MARK
876 if ((ct->mark & filter->mark.mask) == filter->mark.val)
877 return 1;
878#endif
879
880 return 0;
881}
882
883static int
884ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
885{
886 struct net *net = sock_net(skb->sk);
887 struct nf_conn *ct, *last;
888 struct nf_conntrack_tuple_hash *h;
889 struct hlist_nulls_node *n;
890 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
891 u_int8_t l3proto = nfmsg->nfgen_family;
892 struct nf_conn *nf_ct_evict[8];
893 int res, i;
894 spinlock_t *lockp;
895
896 last = (struct nf_conn *)cb->args[1];
897 i = 0;
898
899 local_bh_disable();
900 for (; cb->args[0] < nf_conntrack_htable_size; cb->args[0]++) {
901restart:
902 while (i) {
903 i--;
904 if (nf_ct_should_gc(nf_ct_evict[i]))
905 nf_ct_kill(nf_ct_evict[i]);
906 nf_ct_put(nf_ct_evict[i]);
907 }
908
909 lockp = &nf_conntrack_locks[cb->args[0] % CONNTRACK_LOCKS];
910 nf_conntrack_lock(lockp);
911 if (cb->args[0] >= nf_conntrack_htable_size) {
912 spin_unlock(lockp);
913 goto out;
914 }
915 hlist_nulls_for_each_entry(h, n, &nf_conntrack_hash[cb->args[0]],
916 hnnode) {
917 if (NF_CT_DIRECTION(h) != IP_CT_DIR_ORIGINAL)
918 continue;
919 ct = nf_ct_tuplehash_to_ctrack(h);
920 if (nf_ct_is_expired(ct)) {
921 if (i < ARRAY_SIZE(nf_ct_evict) &&
922 atomic_inc_not_zero(&ct->ct_general.use))
923 nf_ct_evict[i++] = ct;
924 continue;
925 }
926
927 if (!net_eq(net, nf_ct_net(ct)))
928 continue;
929
930
931
932
933 if (l3proto && nf_ct_l3num(ct) != l3proto)
934 continue;
935 if (cb->args[1]) {
936 if (ct != last)
937 continue;
938 cb->args[1] = 0;
939 }
940 if (!ctnetlink_filter_match(ct, cb->data))
941 continue;
942
943 rcu_read_lock();
944 res =
945 ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).portid,
946 cb->nlh->nlmsg_seq,
947 NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
948 ct);
949 rcu_read_unlock();
950 if (res < 0) {
951 nf_conntrack_get(&ct->ct_general);
952 cb->args[1] = (unsigned long)ct;
953 spin_unlock(lockp);
954 goto out;
955 }
956 }
957 spin_unlock(lockp);
958 if (cb->args[1]) {
959 cb->args[1] = 0;
960 goto restart;
961 }
962 }
963out:
964 local_bh_enable();
965 if (last) {
966
967 if ((struct nf_conn *)cb->args[1] == last)
968 cb->args[1] = 0;
969
970 nf_ct_put(last);
971 }
972
973 while (i) {
974 i--;
975 if (nf_ct_should_gc(nf_ct_evict[i]))
976 nf_ct_kill(nf_ct_evict[i]);
977 nf_ct_put(nf_ct_evict[i]);
978 }
979
980 return skb->len;
981}
982
983static int ipv4_nlattr_to_tuple(struct nlattr *tb[],
984 struct nf_conntrack_tuple *t)
985{
986 if (!tb[CTA_IP_V4_SRC] || !tb[CTA_IP_V4_DST])
987 return -EINVAL;
988
989 t->src.u3.ip = nla_get_in_addr(tb[CTA_IP_V4_SRC]);
990 t->dst.u3.ip = nla_get_in_addr(tb[CTA_IP_V4_DST]);
991
992 return 0;
993}
994
995static int ipv6_nlattr_to_tuple(struct nlattr *tb[],
996 struct nf_conntrack_tuple *t)
997{
998 if (!tb[CTA_IP_V6_SRC] || !tb[CTA_IP_V6_DST])
999 return -EINVAL;
1000
1001 t->src.u3.in6 = nla_get_in6_addr(tb[CTA_IP_V6_SRC]);
1002 t->dst.u3.in6 = nla_get_in6_addr(tb[CTA_IP_V6_DST]);
1003
1004 return 0;
1005}
1006
1007static int ctnetlink_parse_tuple_ip(struct nlattr *attr,
1008 struct nf_conntrack_tuple *tuple)
1009{
1010 struct nlattr *tb[CTA_IP_MAX+1];
1011 int ret = 0;
1012
1013 ret = nla_parse_nested_deprecated(tb, CTA_IP_MAX, attr, NULL, NULL);
1014 if (ret < 0)
1015 return ret;
1016
1017 ret = nla_validate_nested_deprecated(attr, CTA_IP_MAX,
1018 cta_ip_nla_policy, NULL);
1019 if (ret)
1020 return ret;
1021
1022 switch (tuple->src.l3num) {
1023 case NFPROTO_IPV4:
1024 ret = ipv4_nlattr_to_tuple(tb, tuple);
1025 break;
1026 case NFPROTO_IPV6:
1027 ret = ipv6_nlattr_to_tuple(tb, tuple);
1028 break;
1029 }
1030
1031 return ret;
1032}
1033
1034static const struct nla_policy proto_nla_policy[CTA_PROTO_MAX+1] = {
1035 [CTA_PROTO_NUM] = { .type = NLA_U8 },
1036};
1037
1038static int ctnetlink_parse_tuple_proto(struct nlattr *attr,
1039 struct nf_conntrack_tuple *tuple)
1040{
1041 const struct nf_conntrack_l4proto *l4proto;
1042 struct nlattr *tb[CTA_PROTO_MAX+1];
1043 int ret = 0;
1044
1045 ret = nla_parse_nested_deprecated(tb, CTA_PROTO_MAX, attr,
1046 proto_nla_policy, NULL);
1047 if (ret < 0)
1048 return ret;
1049
1050 if (!tb[CTA_PROTO_NUM])
1051 return -EINVAL;
1052 tuple->dst.protonum = nla_get_u8(tb[CTA_PROTO_NUM]);
1053
1054 rcu_read_lock();
1055 l4proto = __nf_ct_l4proto_find(tuple->dst.protonum);
1056
1057 if (likely(l4proto->nlattr_to_tuple)) {
1058 ret = nla_validate_nested_deprecated(attr, CTA_PROTO_MAX,
1059 l4proto->nla_policy,
1060 NULL);
1061 if (ret == 0)
1062 ret = l4proto->nlattr_to_tuple(tb, tuple);
1063 }
1064
1065 rcu_read_unlock();
1066
1067 return ret;
1068}
1069
1070static int
1071ctnetlink_parse_zone(const struct nlattr *attr,
1072 struct nf_conntrack_zone *zone)
1073{
1074 nf_ct_zone_init(zone, NF_CT_DEFAULT_ZONE_ID,
1075 NF_CT_DEFAULT_ZONE_DIR, 0);
1076#ifdef CONFIG_NF_CONNTRACK_ZONES
1077 if (attr)
1078 zone->id = ntohs(nla_get_be16(attr));
1079#else
1080 if (attr)
1081 return -EOPNOTSUPP;
1082#endif
1083 return 0;
1084}
1085
1086static int
1087ctnetlink_parse_tuple_zone(struct nlattr *attr, enum ctattr_type type,
1088 struct nf_conntrack_zone *zone)
1089{
1090 int ret;
1091
1092 if (zone->id != NF_CT_DEFAULT_ZONE_ID)
1093 return -EINVAL;
1094
1095 ret = ctnetlink_parse_zone(attr, zone);
1096 if (ret < 0)
1097 return ret;
1098
1099 if (type == CTA_TUPLE_REPLY)
1100 zone->dir = NF_CT_ZONE_DIR_REPL;
1101 else
1102 zone->dir = NF_CT_ZONE_DIR_ORIG;
1103
1104 return 0;
1105}
1106
1107static const struct nla_policy tuple_nla_policy[CTA_TUPLE_MAX+1] = {
1108 [CTA_TUPLE_IP] = { .type = NLA_NESTED },
1109 [CTA_TUPLE_PROTO] = { .type = NLA_NESTED },
1110 [CTA_TUPLE_ZONE] = { .type = NLA_U16 },
1111};
1112
1113static int
1114ctnetlink_parse_tuple(const struct nlattr * const cda[],
1115 struct nf_conntrack_tuple *tuple, u32 type,
1116 u_int8_t l3num, struct nf_conntrack_zone *zone)
1117{
1118 struct nlattr *tb[CTA_TUPLE_MAX+1];
1119 int err;
1120
1121 memset(tuple, 0, sizeof(*tuple));
1122
1123 err = nla_parse_nested_deprecated(tb, CTA_TUPLE_MAX, cda[type],
1124 tuple_nla_policy, NULL);
1125 if (err < 0)
1126 return err;
1127
1128 if (l3num != NFPROTO_IPV4 && l3num != NFPROTO_IPV6)
1129 return -EOPNOTSUPP;
1130
1131 if (!tb[CTA_TUPLE_IP])
1132 return -EINVAL;
1133
1134 tuple->src.l3num = l3num;
1135
1136 err = ctnetlink_parse_tuple_ip(tb[CTA_TUPLE_IP], tuple);
1137 if (err < 0)
1138 return err;
1139
1140 if (!tb[CTA_TUPLE_PROTO])
1141 return -EINVAL;
1142
1143 err = ctnetlink_parse_tuple_proto(tb[CTA_TUPLE_PROTO], tuple);
1144 if (err < 0)
1145 return err;
1146
1147 if (tb[CTA_TUPLE_ZONE]) {
1148 if (!zone)
1149 return -EINVAL;
1150
1151 err = ctnetlink_parse_tuple_zone(tb[CTA_TUPLE_ZONE],
1152 type, zone);
1153 if (err < 0)
1154 return err;
1155 }
1156
1157
1158 if (type == CTA_TUPLE_REPLY)
1159 tuple->dst.dir = IP_CT_DIR_REPLY;
1160 else
1161 tuple->dst.dir = IP_CT_DIR_ORIGINAL;
1162
1163 return 0;
1164}
1165
1166static const struct nla_policy help_nla_policy[CTA_HELP_MAX+1] = {
1167 [CTA_HELP_NAME] = { .type = NLA_NUL_STRING,
1168 .len = NF_CT_HELPER_NAME_LEN - 1 },
1169};
1170
1171static int ctnetlink_parse_help(const struct nlattr *attr, char **helper_name,
1172 struct nlattr **helpinfo)
1173{
1174 int err;
1175 struct nlattr *tb[CTA_HELP_MAX+1];
1176
1177 err = nla_parse_nested_deprecated(tb, CTA_HELP_MAX, attr,
1178 help_nla_policy, NULL);
1179 if (err < 0)
1180 return err;
1181
1182 if (!tb[CTA_HELP_NAME])
1183 return -EINVAL;
1184
1185 *helper_name = nla_data(tb[CTA_HELP_NAME]);
1186
1187 if (tb[CTA_HELP_INFO])
1188 *helpinfo = tb[CTA_HELP_INFO];
1189
1190 return 0;
1191}
1192
1193static const struct nla_policy ct_nla_policy[CTA_MAX+1] = {
1194 [CTA_TUPLE_ORIG] = { .type = NLA_NESTED },
1195 [CTA_TUPLE_REPLY] = { .type = NLA_NESTED },
1196 [CTA_STATUS] = { .type = NLA_U32 },
1197 [CTA_PROTOINFO] = { .type = NLA_NESTED },
1198 [CTA_HELP] = { .type = NLA_NESTED },
1199 [CTA_NAT_SRC] = { .type = NLA_NESTED },
1200 [CTA_TIMEOUT] = { .type = NLA_U32 },
1201 [CTA_MARK] = { .type = NLA_U32 },
1202 [CTA_ID] = { .type = NLA_U32 },
1203 [CTA_NAT_DST] = { .type = NLA_NESTED },
1204 [CTA_TUPLE_MASTER] = { .type = NLA_NESTED },
1205 [CTA_NAT_SEQ_ADJ_ORIG] = { .type = NLA_NESTED },
1206 [CTA_NAT_SEQ_ADJ_REPLY] = { .type = NLA_NESTED },
1207 [CTA_ZONE] = { .type = NLA_U16 },
1208 [CTA_MARK_MASK] = { .type = NLA_U32 },
1209 [CTA_LABELS] = { .type = NLA_BINARY,
1210 .len = NF_CT_LABELS_MAX_SIZE },
1211 [CTA_LABELS_MASK] = { .type = NLA_BINARY,
1212 .len = NF_CT_LABELS_MAX_SIZE },
1213};
1214
1215static int ctnetlink_flush_iterate(struct nf_conn *ct, void *data)
1216{
1217 if (test_bit(IPS_OFFLOAD_BIT, &ct->status))
1218 return 0;
1219
1220 return ctnetlink_filter_match(ct, data);
1221}
1222
1223static int ctnetlink_flush_conntrack(struct net *net,
1224 const struct nlattr * const cda[],
1225 u32 portid, int report)
1226{
1227 struct ctnetlink_filter *filter = NULL;
1228
1229 if (cda[CTA_MARK] && cda[CTA_MARK_MASK]) {
1230 filter = ctnetlink_alloc_filter(cda);
1231 if (IS_ERR(filter))
1232 return PTR_ERR(filter);
1233 }
1234
1235 nf_ct_iterate_cleanup_net(net, ctnetlink_flush_iterate, filter,
1236 portid, report);
1237 kfree(filter);
1238
1239 return 0;
1240}
1241
1242static int ctnetlink_del_conntrack(struct net *net, struct sock *ctnl,
1243 struct sk_buff *skb,
1244 const struct nlmsghdr *nlh,
1245 const struct nlattr * const cda[],
1246 struct netlink_ext_ack *extack)
1247{
1248 struct nf_conntrack_tuple_hash *h;
1249 struct nf_conntrack_tuple tuple;
1250 struct nf_conn *ct;
1251 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1252 u_int8_t u3 = nfmsg->nfgen_family;
1253 struct nf_conntrack_zone zone;
1254 int err;
1255
1256 err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone);
1257 if (err < 0)
1258 return err;
1259
1260 if (cda[CTA_TUPLE_ORIG])
1261 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG,
1262 u3, &zone);
1263 else if (cda[CTA_TUPLE_REPLY])
1264 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY,
1265 u3, &zone);
1266 else {
1267 return ctnetlink_flush_conntrack(net, cda,
1268 NETLINK_CB(skb).portid,
1269 nlmsg_report(nlh));
1270 }
1271
1272 if (err < 0)
1273 return err;
1274
1275 h = nf_conntrack_find_get(net, &zone, &tuple);
1276 if (!h)
1277 return -ENOENT;
1278
1279 ct = nf_ct_tuplehash_to_ctrack(h);
1280
1281 if (test_bit(IPS_OFFLOAD_BIT, &ct->status)) {
1282 nf_ct_put(ct);
1283 return -EBUSY;
1284 }
1285
1286 if (cda[CTA_ID]) {
1287 __be32 id = nla_get_be32(cda[CTA_ID]);
1288
1289 if (id != (__force __be32)nf_ct_get_id(ct)) {
1290 nf_ct_put(ct);
1291 return -ENOENT;
1292 }
1293 }
1294
1295 nf_ct_delete(ct, NETLINK_CB(skb).portid, nlmsg_report(nlh));
1296 nf_ct_put(ct);
1297
1298 return 0;
1299}
1300
1301static int ctnetlink_get_conntrack(struct net *net, struct sock *ctnl,
1302 struct sk_buff *skb,
1303 const struct nlmsghdr *nlh,
1304 const struct nlattr * const cda[],
1305 struct netlink_ext_ack *extack)
1306{
1307 struct nf_conntrack_tuple_hash *h;
1308 struct nf_conntrack_tuple tuple;
1309 struct nf_conn *ct;
1310 struct sk_buff *skb2 = NULL;
1311 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1312 u_int8_t u3 = nfmsg->nfgen_family;
1313 struct nf_conntrack_zone zone;
1314 int err;
1315
1316 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1317 struct netlink_dump_control c = {
1318 .start = ctnetlink_start,
1319 .dump = ctnetlink_dump_table,
1320 .done = ctnetlink_done,
1321 .data = (void *)cda,
1322 };
1323
1324 return netlink_dump_start(ctnl, skb, nlh, &c);
1325 }
1326
1327 err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone);
1328 if (err < 0)
1329 return err;
1330
1331 if (cda[CTA_TUPLE_ORIG])
1332 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG,
1333 u3, &zone);
1334 else if (cda[CTA_TUPLE_REPLY])
1335 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY,
1336 u3, &zone);
1337 else
1338 return -EINVAL;
1339
1340 if (err < 0)
1341 return err;
1342
1343 h = nf_conntrack_find_get(net, &zone, &tuple);
1344 if (!h)
1345 return -ENOENT;
1346
1347 ct = nf_ct_tuplehash_to_ctrack(h);
1348
1349 err = -ENOMEM;
1350 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1351 if (skb2 == NULL) {
1352 nf_ct_put(ct);
1353 return -ENOMEM;
1354 }
1355
1356 rcu_read_lock();
1357 err = ctnetlink_fill_info(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq,
1358 NFNL_MSG_TYPE(nlh->nlmsg_type), ct);
1359 rcu_read_unlock();
1360 nf_ct_put(ct);
1361 if (err <= 0)
1362 goto free;
1363
1364 err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
1365 if (err < 0)
1366 goto out;
1367
1368 return 0;
1369
1370free:
1371 kfree_skb(skb2);
1372out:
1373
1374 return err == -EAGAIN ? -ENOBUFS : err;
1375}
1376
1377static int ctnetlink_done_list(struct netlink_callback *cb)
1378{
1379 if (cb->args[1])
1380 nf_ct_put((struct nf_conn *)cb->args[1]);
1381 return 0;
1382}
1383
1384static int
1385ctnetlink_dump_list(struct sk_buff *skb, struct netlink_callback *cb, bool dying)
1386{
1387 struct nf_conn *ct, *last;
1388 struct nf_conntrack_tuple_hash *h;
1389 struct hlist_nulls_node *n;
1390 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1391 u_int8_t l3proto = nfmsg->nfgen_family;
1392 int res;
1393 int cpu;
1394 struct hlist_nulls_head *list;
1395 struct net *net = sock_net(skb->sk);
1396
1397 if (cb->args[2])
1398 return 0;
1399
1400 last = (struct nf_conn *)cb->args[1];
1401
1402 for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) {
1403 struct ct_pcpu *pcpu;
1404
1405 if (!cpu_possible(cpu))
1406 continue;
1407
1408 pcpu = per_cpu_ptr(net->ct.pcpu_lists, cpu);
1409 spin_lock_bh(&pcpu->lock);
1410 list = dying ? &pcpu->dying : &pcpu->unconfirmed;
1411restart:
1412 hlist_nulls_for_each_entry(h, n, list, hnnode) {
1413 ct = nf_ct_tuplehash_to_ctrack(h);
1414 if (l3proto && nf_ct_l3num(ct) != l3proto)
1415 continue;
1416 if (cb->args[1]) {
1417 if (ct != last)
1418 continue;
1419 cb->args[1] = 0;
1420 }
1421 rcu_read_lock();
1422 res = ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).portid,
1423 cb->nlh->nlmsg_seq,
1424 NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
1425 ct);
1426 rcu_read_unlock();
1427 if (res < 0) {
1428 if (!atomic_inc_not_zero(&ct->ct_general.use))
1429 continue;
1430 cb->args[0] = cpu;
1431 cb->args[1] = (unsigned long)ct;
1432 spin_unlock_bh(&pcpu->lock);
1433 goto out;
1434 }
1435 }
1436 if (cb->args[1]) {
1437 cb->args[1] = 0;
1438 goto restart;
1439 }
1440 spin_unlock_bh(&pcpu->lock);
1441 }
1442 cb->args[2] = 1;
1443out:
1444 if (last)
1445 nf_ct_put(last);
1446
1447 return skb->len;
1448}
1449
1450static int
1451ctnetlink_dump_dying(struct sk_buff *skb, struct netlink_callback *cb)
1452{
1453 return ctnetlink_dump_list(skb, cb, true);
1454}
1455
1456static int ctnetlink_get_ct_dying(struct net *net, struct sock *ctnl,
1457 struct sk_buff *skb,
1458 const struct nlmsghdr *nlh,
1459 const struct nlattr * const cda[],
1460 struct netlink_ext_ack *extack)
1461{
1462 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1463 struct netlink_dump_control c = {
1464 .dump = ctnetlink_dump_dying,
1465 .done = ctnetlink_done_list,
1466 };
1467 return netlink_dump_start(ctnl, skb, nlh, &c);
1468 }
1469
1470 return -EOPNOTSUPP;
1471}
1472
1473static int
1474ctnetlink_dump_unconfirmed(struct sk_buff *skb, struct netlink_callback *cb)
1475{
1476 return ctnetlink_dump_list(skb, cb, false);
1477}
1478
1479static int ctnetlink_get_ct_unconfirmed(struct net *net, struct sock *ctnl,
1480 struct sk_buff *skb,
1481 const struct nlmsghdr *nlh,
1482 const struct nlattr * const cda[],
1483 struct netlink_ext_ack *extack)
1484{
1485 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1486 struct netlink_dump_control c = {
1487 .dump = ctnetlink_dump_unconfirmed,
1488 .done = ctnetlink_done_list,
1489 };
1490 return netlink_dump_start(ctnl, skb, nlh, &c);
1491 }
1492
1493 return -EOPNOTSUPP;
1494}
1495
1496#ifdef CONFIG_NF_NAT_NEEDED
1497static int
1498ctnetlink_parse_nat_setup(struct nf_conn *ct,
1499 enum nf_nat_manip_type manip,
1500 const struct nlattr *attr)
1501{
1502 struct nf_nat_hook *nat_hook;
1503 int err;
1504
1505 nat_hook = rcu_dereference(nf_nat_hook);
1506 if (!nat_hook) {
1507#ifdef CONFIG_MODULES
1508 rcu_read_unlock();
1509 nfnl_unlock(NFNL_SUBSYS_CTNETLINK);
1510 if (request_module("nf-nat") < 0) {
1511 nfnl_lock(NFNL_SUBSYS_CTNETLINK);
1512 rcu_read_lock();
1513 return -EOPNOTSUPP;
1514 }
1515 nfnl_lock(NFNL_SUBSYS_CTNETLINK);
1516 rcu_read_lock();
1517 nat_hook = rcu_dereference(nf_nat_hook);
1518 if (nat_hook)
1519 return -EAGAIN;
1520#endif
1521 return -EOPNOTSUPP;
1522 }
1523
1524 err = nat_hook->parse_nat_setup(ct, manip, attr);
1525 if (err == -EAGAIN) {
1526#ifdef CONFIG_MODULES
1527 rcu_read_unlock();
1528 nfnl_unlock(NFNL_SUBSYS_CTNETLINK);
1529 if (request_module("nf-nat-%u", nf_ct_l3num(ct)) < 0) {
1530 nfnl_lock(NFNL_SUBSYS_CTNETLINK);
1531 rcu_read_lock();
1532 return -EOPNOTSUPP;
1533 }
1534 nfnl_lock(NFNL_SUBSYS_CTNETLINK);
1535 rcu_read_lock();
1536#else
1537 err = -EOPNOTSUPP;
1538#endif
1539 }
1540 return err;
1541}
1542#endif
1543
1544static void
1545__ctnetlink_change_status(struct nf_conn *ct, unsigned long on,
1546 unsigned long off)
1547{
1548 unsigned int bit;
1549
1550
1551 on &= ~IPS_UNCHANGEABLE_MASK;
1552 off &= ~IPS_UNCHANGEABLE_MASK;
1553
1554 for (bit = 0; bit < __IPS_MAX_BIT; bit++) {
1555 if (on & (1 << bit))
1556 set_bit(bit, &ct->status);
1557 else if (off & (1 << bit))
1558 clear_bit(bit, &ct->status);
1559 }
1560}
1561
1562static int
1563ctnetlink_change_status(struct nf_conn *ct, const struct nlattr * const cda[])
1564{
1565 unsigned long d;
1566 unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS]));
1567 d = ct->status ^ status;
1568
1569 if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING))
1570
1571 return -EBUSY;
1572
1573 if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY))
1574
1575 return -EBUSY;
1576
1577 if (d & IPS_ASSURED && !(status & IPS_ASSURED))
1578
1579 return -EBUSY;
1580
1581 __ctnetlink_change_status(ct, status, 0);
1582 return 0;
1583}
1584
1585static int
1586ctnetlink_setup_nat(struct nf_conn *ct, const struct nlattr * const cda[])
1587{
1588#ifdef CONFIG_NF_NAT_NEEDED
1589 int ret;
1590
1591 if (!cda[CTA_NAT_DST] && !cda[CTA_NAT_SRC])
1592 return 0;
1593
1594 ret = ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_DST,
1595 cda[CTA_NAT_DST]);
1596 if (ret < 0)
1597 return ret;
1598
1599 return ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_SRC,
1600 cda[CTA_NAT_SRC]);
1601#else
1602 if (!cda[CTA_NAT_DST] && !cda[CTA_NAT_SRC])
1603 return 0;
1604 return -EOPNOTSUPP;
1605#endif
1606}
1607
1608static int ctnetlink_change_helper(struct nf_conn *ct,
1609 const struct nlattr * const cda[])
1610{
1611 struct nf_conntrack_helper *helper;
1612 struct nf_conn_help *help = nfct_help(ct);
1613 char *helpname = NULL;
1614 struct nlattr *helpinfo = NULL;
1615 int err;
1616
1617 err = ctnetlink_parse_help(cda[CTA_HELP], &helpname, &helpinfo);
1618 if (err < 0)
1619 return err;
1620
1621
1622 if (ct->master) {
1623
1624
1625
1626
1627 err = -EBUSY;
1628 if (help) {
1629 rcu_read_lock();
1630 helper = rcu_dereference(help->helper);
1631 if (helper && !strcmp(helper->name, helpname))
1632 err = 0;
1633 rcu_read_unlock();
1634 }
1635
1636 return err;
1637 }
1638
1639 if (!strcmp(helpname, "")) {
1640 if (help && help->helper) {
1641
1642 nf_ct_remove_expectations(ct);
1643 RCU_INIT_POINTER(help->helper, NULL);
1644 }
1645
1646 return 0;
1647 }
1648
1649 rcu_read_lock();
1650 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
1651 nf_ct_protonum(ct));
1652 if (helper == NULL) {
1653 rcu_read_unlock();
1654 return -EOPNOTSUPP;
1655 }
1656
1657 if (help) {
1658 if (help->helper == helper) {
1659
1660 if (helper->from_nlattr)
1661 helper->from_nlattr(helpinfo, ct);
1662 err = 0;
1663 } else
1664 err = -EBUSY;
1665 } else {
1666
1667 err = -EOPNOTSUPP;
1668 }
1669
1670 rcu_read_unlock();
1671 return err;
1672}
1673
1674static int ctnetlink_change_timeout(struct nf_conn *ct,
1675 const struct nlattr * const cda[])
1676{
1677 u64 timeout = (u64)ntohl(nla_get_be32(cda[CTA_TIMEOUT])) * HZ;
1678
1679 if (timeout > INT_MAX)
1680 timeout = INT_MAX;
1681 ct->timeout = nfct_time_stamp + (u32)timeout;
1682
1683 if (test_bit(IPS_DYING_BIT, &ct->status))
1684 return -ETIME;
1685
1686 return 0;
1687}
1688
1689static const struct nla_policy protoinfo_policy[CTA_PROTOINFO_MAX+1] = {
1690 [CTA_PROTOINFO_TCP] = { .type = NLA_NESTED },
1691 [CTA_PROTOINFO_DCCP] = { .type = NLA_NESTED },
1692 [CTA_PROTOINFO_SCTP] = { .type = NLA_NESTED },
1693};
1694
1695static int ctnetlink_change_protoinfo(struct nf_conn *ct,
1696 const struct nlattr * const cda[])
1697{
1698 const struct nlattr *attr = cda[CTA_PROTOINFO];
1699 const struct nf_conntrack_l4proto *l4proto;
1700 struct nlattr *tb[CTA_PROTOINFO_MAX+1];
1701 int err = 0;
1702
1703 err = nla_parse_nested_deprecated(tb, CTA_PROTOINFO_MAX, attr,
1704 protoinfo_policy, NULL);
1705 if (err < 0)
1706 return err;
1707
1708 rcu_read_lock();
1709 l4proto = __nf_ct_l4proto_find(nf_ct_protonum(ct));
1710 if (l4proto->from_nlattr)
1711 err = l4proto->from_nlattr(tb, ct);
1712 rcu_read_unlock();
1713
1714 return err;
1715}
1716
1717static const struct nla_policy seqadj_policy[CTA_SEQADJ_MAX+1] = {
1718 [CTA_SEQADJ_CORRECTION_POS] = { .type = NLA_U32 },
1719 [CTA_SEQADJ_OFFSET_BEFORE] = { .type = NLA_U32 },
1720 [CTA_SEQADJ_OFFSET_AFTER] = { .type = NLA_U32 },
1721};
1722
1723static int change_seq_adj(struct nf_ct_seqadj *seq,
1724 const struct nlattr * const attr)
1725{
1726 int err;
1727 struct nlattr *cda[CTA_SEQADJ_MAX+1];
1728
1729 err = nla_parse_nested_deprecated(cda, CTA_SEQADJ_MAX, attr,
1730 seqadj_policy, NULL);
1731 if (err < 0)
1732 return err;
1733
1734 if (!cda[CTA_SEQADJ_CORRECTION_POS])
1735 return -EINVAL;
1736
1737 seq->correction_pos =
1738 ntohl(nla_get_be32(cda[CTA_SEQADJ_CORRECTION_POS]));
1739
1740 if (!cda[CTA_SEQADJ_OFFSET_BEFORE])
1741 return -EINVAL;
1742
1743 seq->offset_before =
1744 ntohl(nla_get_be32(cda[CTA_SEQADJ_OFFSET_BEFORE]));
1745
1746 if (!cda[CTA_SEQADJ_OFFSET_AFTER])
1747 return -EINVAL;
1748
1749 seq->offset_after =
1750 ntohl(nla_get_be32(cda[CTA_SEQADJ_OFFSET_AFTER]));
1751
1752 return 0;
1753}
1754
1755static int
1756ctnetlink_change_seq_adj(struct nf_conn *ct,
1757 const struct nlattr * const cda[])
1758{
1759 struct nf_conn_seqadj *seqadj = nfct_seqadj(ct);
1760 int ret = 0;
1761
1762 if (!seqadj)
1763 return 0;
1764
1765 spin_lock_bh(&ct->lock);
1766 if (cda[CTA_SEQ_ADJ_ORIG]) {
1767 ret = change_seq_adj(&seqadj->seq[IP_CT_DIR_ORIGINAL],
1768 cda[CTA_SEQ_ADJ_ORIG]);
1769 if (ret < 0)
1770 goto err;
1771
1772 set_bit(IPS_SEQ_ADJUST_BIT, &ct->status);
1773 }
1774
1775 if (cda[CTA_SEQ_ADJ_REPLY]) {
1776 ret = change_seq_adj(&seqadj->seq[IP_CT_DIR_REPLY],
1777 cda[CTA_SEQ_ADJ_REPLY]);
1778 if (ret < 0)
1779 goto err;
1780
1781 set_bit(IPS_SEQ_ADJUST_BIT, &ct->status);
1782 }
1783
1784 spin_unlock_bh(&ct->lock);
1785 return 0;
1786err:
1787 spin_unlock_bh(&ct->lock);
1788 return ret;
1789}
1790
1791static const struct nla_policy synproxy_policy[CTA_SYNPROXY_MAX + 1] = {
1792 [CTA_SYNPROXY_ISN] = { .type = NLA_U32 },
1793 [CTA_SYNPROXY_ITS] = { .type = NLA_U32 },
1794 [CTA_SYNPROXY_TSOFF] = { .type = NLA_U32 },
1795};
1796
1797static int ctnetlink_change_synproxy(struct nf_conn *ct,
1798 const struct nlattr * const cda[])
1799{
1800 struct nf_conn_synproxy *synproxy = nfct_synproxy(ct);
1801 struct nlattr *tb[CTA_SYNPROXY_MAX + 1];
1802 int err;
1803
1804 if (!synproxy)
1805 return 0;
1806
1807 err = nla_parse_nested_deprecated(tb, CTA_SYNPROXY_MAX,
1808 cda[CTA_SYNPROXY], synproxy_policy,
1809 NULL);
1810 if (err < 0)
1811 return err;
1812
1813 if (!tb[CTA_SYNPROXY_ISN] ||
1814 !tb[CTA_SYNPROXY_ITS] ||
1815 !tb[CTA_SYNPROXY_TSOFF])
1816 return -EINVAL;
1817
1818 synproxy->isn = ntohl(nla_get_be32(tb[CTA_SYNPROXY_ISN]));
1819 synproxy->its = ntohl(nla_get_be32(tb[CTA_SYNPROXY_ITS]));
1820 synproxy->tsoff = ntohl(nla_get_be32(tb[CTA_SYNPROXY_TSOFF]));
1821
1822 return 0;
1823}
1824
1825static int
1826ctnetlink_attach_labels(struct nf_conn *ct, const struct nlattr * const cda[])
1827{
1828#ifdef CONFIG_NF_CONNTRACK_LABELS
1829 size_t len = nla_len(cda[CTA_LABELS]);
1830 const void *mask = cda[CTA_LABELS_MASK];
1831
1832 if (len & (sizeof(u32)-1))
1833 return -EINVAL;
1834
1835 if (mask) {
1836 if (nla_len(cda[CTA_LABELS_MASK]) == 0 ||
1837 nla_len(cda[CTA_LABELS_MASK]) != len)
1838 return -EINVAL;
1839 mask = nla_data(cda[CTA_LABELS_MASK]);
1840 }
1841
1842 len /= sizeof(u32);
1843
1844 return nf_connlabels_replace(ct, nla_data(cda[CTA_LABELS]), mask, len);
1845#else
1846 return -EOPNOTSUPP;
1847#endif
1848}
1849
1850static int
1851ctnetlink_change_conntrack(struct nf_conn *ct,
1852 const struct nlattr * const cda[])
1853{
1854 int err;
1855
1856
1857 if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST] || cda[CTA_TUPLE_MASTER])
1858 return -EOPNOTSUPP;
1859
1860 if (cda[CTA_HELP]) {
1861 err = ctnetlink_change_helper(ct, cda);
1862 if (err < 0)
1863 return err;
1864 }
1865
1866 if (cda[CTA_TIMEOUT]) {
1867 err = ctnetlink_change_timeout(ct, cda);
1868 if (err < 0)
1869 return err;
1870 }
1871
1872 if (cda[CTA_STATUS]) {
1873 err = ctnetlink_change_status(ct, cda);
1874 if (err < 0)
1875 return err;
1876 }
1877
1878 if (cda[CTA_PROTOINFO]) {
1879 err = ctnetlink_change_protoinfo(ct, cda);
1880 if (err < 0)
1881 return err;
1882 }
1883
1884#if defined(CONFIG_NF_CONNTRACK_MARK)
1885 if (cda[CTA_MARK])
1886 ct->mark = ntohl(nla_get_be32(cda[CTA_MARK]));
1887#endif
1888
1889 if (cda[CTA_SEQ_ADJ_ORIG] || cda[CTA_SEQ_ADJ_REPLY]) {
1890 err = ctnetlink_change_seq_adj(ct, cda);
1891 if (err < 0)
1892 return err;
1893 }
1894
1895 if (cda[CTA_SYNPROXY]) {
1896 err = ctnetlink_change_synproxy(ct, cda);
1897 if (err < 0)
1898 return err;
1899 }
1900
1901 if (cda[CTA_LABELS]) {
1902 err = ctnetlink_attach_labels(ct, cda);
1903 if (err < 0)
1904 return err;
1905 }
1906
1907 return 0;
1908}
1909
1910static struct nf_conn *
1911ctnetlink_create_conntrack(struct net *net,
1912 const struct nf_conntrack_zone *zone,
1913 const struct nlattr * const cda[],
1914 struct nf_conntrack_tuple *otuple,
1915 struct nf_conntrack_tuple *rtuple,
1916 u8 u3)
1917{
1918 struct nf_conn *ct;
1919 int err = -EINVAL;
1920 struct nf_conntrack_helper *helper;
1921 struct nf_conn_tstamp *tstamp;
1922 u64 timeout;
1923
1924 ct = nf_conntrack_alloc(net, zone, otuple, rtuple, GFP_ATOMIC);
1925 if (IS_ERR(ct))
1926 return ERR_PTR(-ENOMEM);
1927
1928 if (!cda[CTA_TIMEOUT])
1929 goto err1;
1930
1931 timeout = (u64)ntohl(nla_get_be32(cda[CTA_TIMEOUT])) * HZ;
1932 if (timeout > INT_MAX)
1933 timeout = INT_MAX;
1934 ct->timeout = (u32)timeout + nfct_time_stamp;
1935
1936 rcu_read_lock();
1937 if (cda[CTA_HELP]) {
1938 char *helpname = NULL;
1939 struct nlattr *helpinfo = NULL;
1940
1941 err = ctnetlink_parse_help(cda[CTA_HELP], &helpname, &helpinfo);
1942 if (err < 0)
1943 goto err2;
1944
1945 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
1946 nf_ct_protonum(ct));
1947 if (helper == NULL) {
1948 rcu_read_unlock();
1949#ifdef CONFIG_MODULES
1950 if (request_module("nfct-helper-%s", helpname) < 0) {
1951 err = -EOPNOTSUPP;
1952 goto err1;
1953 }
1954
1955 rcu_read_lock();
1956 helper = __nf_conntrack_helper_find(helpname,
1957 nf_ct_l3num(ct),
1958 nf_ct_protonum(ct));
1959 if (helper) {
1960 err = -EAGAIN;
1961 goto err2;
1962 }
1963 rcu_read_unlock();
1964#endif
1965 err = -EOPNOTSUPP;
1966 goto err1;
1967 } else {
1968 struct nf_conn_help *help;
1969
1970 help = nf_ct_helper_ext_add(ct, helper, GFP_ATOMIC);
1971 if (help == NULL) {
1972 err = -ENOMEM;
1973 goto err2;
1974 }
1975
1976 if (helper->from_nlattr)
1977 helper->from_nlattr(helpinfo, ct);
1978
1979
1980 RCU_INIT_POINTER(help->helper, helper);
1981 }
1982 } else {
1983
1984 err = __nf_ct_try_assign_helper(ct, NULL, GFP_ATOMIC);
1985 if (err < 0)
1986 goto err2;
1987 }
1988
1989 err = ctnetlink_setup_nat(ct, cda);
1990 if (err < 0)
1991 goto err2;
1992
1993 nf_ct_acct_ext_add(ct, GFP_ATOMIC);
1994 nf_ct_tstamp_ext_add(ct, GFP_ATOMIC);
1995 nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC);
1996 nf_ct_labels_ext_add(ct);
1997 nfct_seqadj_ext_add(ct);
1998 nfct_synproxy_ext_add(ct);
1999
2000
2001 ct->status |= IPS_CONFIRMED;
2002
2003 if (cda[CTA_STATUS]) {
2004 err = ctnetlink_change_status(ct, cda);
2005 if (err < 0)
2006 goto err2;
2007 }
2008
2009 if (cda[CTA_SEQ_ADJ_ORIG] || cda[CTA_SEQ_ADJ_REPLY]) {
2010 err = ctnetlink_change_seq_adj(ct, cda);
2011 if (err < 0)
2012 goto err2;
2013 }
2014
2015 memset(&ct->proto, 0, sizeof(ct->proto));
2016 if (cda[CTA_PROTOINFO]) {
2017 err = ctnetlink_change_protoinfo(ct, cda);
2018 if (err < 0)
2019 goto err2;
2020 }
2021
2022 if (cda[CTA_SYNPROXY]) {
2023 err = ctnetlink_change_synproxy(ct, cda);
2024 if (err < 0)
2025 goto err2;
2026 }
2027
2028#if defined(CONFIG_NF_CONNTRACK_MARK)
2029 if (cda[CTA_MARK])
2030 ct->mark = ntohl(nla_get_be32(cda[CTA_MARK]));
2031#endif
2032
2033
2034 if (cda[CTA_TUPLE_MASTER]) {
2035 struct nf_conntrack_tuple master;
2036 struct nf_conntrack_tuple_hash *master_h;
2037 struct nf_conn *master_ct;
2038
2039 err = ctnetlink_parse_tuple(cda, &master, CTA_TUPLE_MASTER,
2040 u3, NULL);
2041 if (err < 0)
2042 goto err2;
2043
2044 master_h = nf_conntrack_find_get(net, zone, &master);
2045 if (master_h == NULL) {
2046 err = -ENOENT;
2047 goto err2;
2048 }
2049 master_ct = nf_ct_tuplehash_to_ctrack(master_h);
2050 __set_bit(IPS_EXPECTED_BIT, &ct->status);
2051 ct->master = master_ct;
2052 }
2053 tstamp = nf_conn_tstamp_find(ct);
2054 if (tstamp)
2055 tstamp->start = ktime_get_real_ns();
2056
2057 err = nf_conntrack_hash_check_insert(ct);
2058 if (err < 0)
2059 goto err2;
2060
2061 rcu_read_unlock();
2062
2063 return ct;
2064
2065err2:
2066 rcu_read_unlock();
2067err1:
2068 nf_conntrack_free(ct);
2069 return ERR_PTR(err);
2070}
2071
2072static int ctnetlink_new_conntrack(struct net *net, struct sock *ctnl,
2073 struct sk_buff *skb,
2074 const struct nlmsghdr *nlh,
2075 const struct nlattr * const cda[],
2076 struct netlink_ext_ack *extack)
2077{
2078 struct nf_conntrack_tuple otuple, rtuple;
2079 struct nf_conntrack_tuple_hash *h = NULL;
2080 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2081 struct nf_conn *ct;
2082 u_int8_t u3 = nfmsg->nfgen_family;
2083 struct nf_conntrack_zone zone;
2084 int err;
2085
2086 err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone);
2087 if (err < 0)
2088 return err;
2089
2090 if (cda[CTA_TUPLE_ORIG]) {
2091 err = ctnetlink_parse_tuple(cda, &otuple, CTA_TUPLE_ORIG,
2092 u3, &zone);
2093 if (err < 0)
2094 return err;
2095 }
2096
2097 if (cda[CTA_TUPLE_REPLY]) {
2098 err = ctnetlink_parse_tuple(cda, &rtuple, CTA_TUPLE_REPLY,
2099 u3, &zone);
2100 if (err < 0)
2101 return err;
2102 }
2103
2104 if (cda[CTA_TUPLE_ORIG])
2105 h = nf_conntrack_find_get(net, &zone, &otuple);
2106 else if (cda[CTA_TUPLE_REPLY])
2107 h = nf_conntrack_find_get(net, &zone, &rtuple);
2108
2109 if (h == NULL) {
2110 err = -ENOENT;
2111 if (nlh->nlmsg_flags & NLM_F_CREATE) {
2112 enum ip_conntrack_events events;
2113
2114 if (!cda[CTA_TUPLE_ORIG] || !cda[CTA_TUPLE_REPLY])
2115 return -EINVAL;
2116 if (otuple.dst.protonum != rtuple.dst.protonum)
2117 return -EINVAL;
2118
2119 ct = ctnetlink_create_conntrack(net, &zone, cda, &otuple,
2120 &rtuple, u3);
2121 if (IS_ERR(ct))
2122 return PTR_ERR(ct);
2123
2124 err = 0;
2125 if (test_bit(IPS_EXPECTED_BIT, &ct->status))
2126 events = 1 << IPCT_RELATED;
2127 else
2128 events = 1 << IPCT_NEW;
2129
2130 if (cda[CTA_LABELS] &&
2131 ctnetlink_attach_labels(ct, cda) == 0)
2132 events |= (1 << IPCT_LABEL);
2133
2134 nf_conntrack_eventmask_report((1 << IPCT_REPLY) |
2135 (1 << IPCT_ASSURED) |
2136 (1 << IPCT_HELPER) |
2137 (1 << IPCT_PROTOINFO) |
2138 (1 << IPCT_SEQADJ) |
2139 (1 << IPCT_MARK) |
2140 (1 << IPCT_SYNPROXY) |
2141 events,
2142 ct, NETLINK_CB(skb).portid,
2143 nlmsg_report(nlh));
2144 nf_ct_put(ct);
2145 }
2146
2147 return err;
2148 }
2149
2150
2151 err = -EEXIST;
2152 ct = nf_ct_tuplehash_to_ctrack(h);
2153 if (!(nlh->nlmsg_flags & NLM_F_EXCL)) {
2154 err = ctnetlink_change_conntrack(ct, cda);
2155 if (err == 0) {
2156 nf_conntrack_eventmask_report((1 << IPCT_REPLY) |
2157 (1 << IPCT_ASSURED) |
2158 (1 << IPCT_HELPER) |
2159 (1 << IPCT_LABEL) |
2160 (1 << IPCT_PROTOINFO) |
2161 (1 << IPCT_SEQADJ) |
2162 (1 << IPCT_MARK) |
2163 (1 << IPCT_SYNPROXY),
2164 ct, NETLINK_CB(skb).portid,
2165 nlmsg_report(nlh));
2166 }
2167 }
2168
2169 nf_ct_put(ct);
2170 return err;
2171}
2172
2173static int
2174ctnetlink_ct_stat_cpu_fill_info(struct sk_buff *skb, u32 portid, u32 seq,
2175 __u16 cpu, const struct ip_conntrack_stat *st)
2176{
2177 struct nlmsghdr *nlh;
2178 struct nfgenmsg *nfmsg;
2179 unsigned int flags = portid ? NLM_F_MULTI : 0, event;
2180
2181 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK,
2182 IPCTNL_MSG_CT_GET_STATS_CPU);
2183 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
2184 if (nlh == NULL)
2185 goto nlmsg_failure;
2186
2187 nfmsg = nlmsg_data(nlh);
2188 nfmsg->nfgen_family = AF_UNSPEC;
2189 nfmsg->version = NFNETLINK_V0;
2190 nfmsg->res_id = htons(cpu);
2191
2192 if (nla_put_be32(skb, CTA_STATS_FOUND, htonl(st->found)) ||
2193 nla_put_be32(skb, CTA_STATS_INVALID, htonl(st->invalid)) ||
2194 nla_put_be32(skb, CTA_STATS_IGNORE, 0) ||
2195 nla_put_be32(skb, CTA_STATS_INSERT, htonl(st->insert)) ||
2196 nla_put_be32(skb, CTA_STATS_INSERT_FAILED,
2197 htonl(st->insert_failed)) ||
2198 nla_put_be32(skb, CTA_STATS_DROP, htonl(st->drop)) ||
2199 nla_put_be32(skb, CTA_STATS_EARLY_DROP, htonl(st->early_drop)) ||
2200 nla_put_be32(skb, CTA_STATS_ERROR, htonl(st->error)) ||
2201 nla_put_be32(skb, CTA_STATS_SEARCH_RESTART,
2202 htonl(st->search_restart)) ||
2203 nla_put_be32(skb, CTA_STATS_CLASH_RESOLVE,
2204 htonl(st->clash_resolve)))
2205 goto nla_put_failure;
2206
2207 nlmsg_end(skb, nlh);
2208 return skb->len;
2209
2210nla_put_failure:
2211nlmsg_failure:
2212 nlmsg_cancel(skb, nlh);
2213 return -1;
2214}
2215
2216static int
2217ctnetlink_ct_stat_cpu_dump(struct sk_buff *skb, struct netlink_callback *cb)
2218{
2219 int cpu;
2220 struct net *net = sock_net(skb->sk);
2221
2222 if (cb->args[0] == nr_cpu_ids)
2223 return 0;
2224
2225 for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) {
2226 const struct ip_conntrack_stat *st;
2227
2228 if (!cpu_possible(cpu))
2229 continue;
2230
2231 st = per_cpu_ptr(net->ct.stat, cpu);
2232 if (ctnetlink_ct_stat_cpu_fill_info(skb,
2233 NETLINK_CB(cb->skb).portid,
2234 cb->nlh->nlmsg_seq,
2235 cpu, st) < 0)
2236 break;
2237 }
2238 cb->args[0] = cpu;
2239
2240 return skb->len;
2241}
2242
2243static int ctnetlink_stat_ct_cpu(struct net *net, struct sock *ctnl,
2244 struct sk_buff *skb,
2245 const struct nlmsghdr *nlh,
2246 const struct nlattr * const cda[],
2247 struct netlink_ext_ack *extack)
2248{
2249 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2250 struct netlink_dump_control c = {
2251 .dump = ctnetlink_ct_stat_cpu_dump,
2252 };
2253 return netlink_dump_start(ctnl, skb, nlh, &c);
2254 }
2255
2256 return 0;
2257}
2258
2259static int
2260ctnetlink_stat_ct_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
2261 struct net *net)
2262{
2263 struct nlmsghdr *nlh;
2264 struct nfgenmsg *nfmsg;
2265 unsigned int flags = portid ? NLM_F_MULTI : 0, event;
2266 unsigned int nr_conntracks = atomic_read(&net->ct.count);
2267
2268 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, IPCTNL_MSG_CT_GET_STATS);
2269 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
2270 if (nlh == NULL)
2271 goto nlmsg_failure;
2272
2273 nfmsg = nlmsg_data(nlh);
2274 nfmsg->nfgen_family = AF_UNSPEC;
2275 nfmsg->version = NFNETLINK_V0;
2276 nfmsg->res_id = 0;
2277
2278 if (nla_put_be32(skb, CTA_STATS_GLOBAL_ENTRIES, htonl(nr_conntracks)))
2279 goto nla_put_failure;
2280
2281 if (nla_put_be32(skb, CTA_STATS_GLOBAL_MAX_ENTRIES, htonl(nf_conntrack_max)))
2282 goto nla_put_failure;
2283
2284 nlmsg_end(skb, nlh);
2285 return skb->len;
2286
2287nla_put_failure:
2288nlmsg_failure:
2289 nlmsg_cancel(skb, nlh);
2290 return -1;
2291}
2292
2293static int ctnetlink_stat_ct(struct net *net, struct sock *ctnl,
2294 struct sk_buff *skb, const struct nlmsghdr *nlh,
2295 const struct nlattr * const cda[],
2296 struct netlink_ext_ack *extack)
2297{
2298 struct sk_buff *skb2;
2299 int err;
2300
2301 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2302 if (skb2 == NULL)
2303 return -ENOMEM;
2304
2305 err = ctnetlink_stat_ct_fill_info(skb2, NETLINK_CB(skb).portid,
2306 nlh->nlmsg_seq,
2307 NFNL_MSG_TYPE(nlh->nlmsg_type),
2308 sock_net(skb->sk));
2309 if (err <= 0)
2310 goto free;
2311
2312 err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
2313 if (err < 0)
2314 goto out;
2315
2316 return 0;
2317
2318free:
2319 kfree_skb(skb2);
2320out:
2321
2322 return err == -EAGAIN ? -ENOBUFS : err;
2323}
2324
2325static const struct nla_policy exp_nla_policy[CTA_EXPECT_MAX+1] = {
2326 [CTA_EXPECT_MASTER] = { .type = NLA_NESTED },
2327 [CTA_EXPECT_TUPLE] = { .type = NLA_NESTED },
2328 [CTA_EXPECT_MASK] = { .type = NLA_NESTED },
2329 [CTA_EXPECT_TIMEOUT] = { .type = NLA_U32 },
2330 [CTA_EXPECT_ID] = { .type = NLA_U32 },
2331 [CTA_EXPECT_HELP_NAME] = { .type = NLA_NUL_STRING,
2332 .len = NF_CT_HELPER_NAME_LEN - 1 },
2333 [CTA_EXPECT_ZONE] = { .type = NLA_U16 },
2334 [CTA_EXPECT_FLAGS] = { .type = NLA_U32 },
2335 [CTA_EXPECT_CLASS] = { .type = NLA_U32 },
2336 [CTA_EXPECT_NAT] = { .type = NLA_NESTED },
2337 [CTA_EXPECT_FN] = { .type = NLA_NUL_STRING },
2338};
2339
2340static struct nf_conntrack_expect *
2341ctnetlink_alloc_expect(const struct nlattr *const cda[], struct nf_conn *ct,
2342 struct nf_conntrack_helper *helper,
2343 struct nf_conntrack_tuple *tuple,
2344 struct nf_conntrack_tuple *mask);
2345
2346#ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT
2347static size_t
2348ctnetlink_glue_build_size(const struct nf_conn *ct)
2349{
2350 return 3 * nla_total_size(0)
2351 + 3 * nla_total_size(0)
2352 + 3 * nla_total_size(0)
2353 + 3 * nla_total_size(sizeof(u_int8_t))
2354 + nla_total_size(sizeof(u_int32_t))
2355 + nla_total_size(sizeof(u_int32_t))
2356 + nla_total_size(sizeof(u_int32_t))
2357 + nla_total_size(0)
2358 + nla_total_size(0)
2359 + nla_total_size(NF_CT_HELPER_NAME_LEN)
2360 + ctnetlink_secctx_size(ct)
2361#ifdef CONFIG_NF_NAT_NEEDED
2362 + 2 * nla_total_size(0)
2363 + 6 * nla_total_size(sizeof(u_int32_t))
2364#endif
2365#ifdef CONFIG_NF_CONNTRACK_MARK
2366 + nla_total_size(sizeof(u_int32_t))
2367#endif
2368#ifdef CONFIG_NF_CONNTRACK_ZONES
2369 + nla_total_size(sizeof(u_int16_t))
2370#endif
2371 + ctnetlink_proto_size(ct)
2372 ;
2373}
2374
2375static struct nf_conn *ctnetlink_glue_get_ct(const struct sk_buff *skb,
2376 enum ip_conntrack_info *ctinfo)
2377{
2378 return nf_ct_get(skb, ctinfo);
2379}
2380
2381static int __ctnetlink_glue_build(struct sk_buff *skb, struct nf_conn *ct)
2382{
2383 const struct nf_conntrack_zone *zone;
2384 struct nlattr *nest_parms;
2385
2386 zone = nf_ct_zone(ct);
2387
2388 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG);
2389 if (!nest_parms)
2390 goto nla_put_failure;
2391 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
2392 goto nla_put_failure;
2393 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
2394 NF_CT_ZONE_DIR_ORIG) < 0)
2395 goto nla_put_failure;
2396 nla_nest_end(skb, nest_parms);
2397
2398 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY);
2399 if (!nest_parms)
2400 goto nla_put_failure;
2401 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
2402 goto nla_put_failure;
2403 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
2404 NF_CT_ZONE_DIR_REPL) < 0)
2405 goto nla_put_failure;
2406 nla_nest_end(skb, nest_parms);
2407
2408 if (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone,
2409 NF_CT_DEFAULT_ZONE_DIR) < 0)
2410 goto nla_put_failure;
2411
2412 if (ctnetlink_dump_id(skb, ct) < 0)
2413 goto nla_put_failure;
2414
2415 if (ctnetlink_dump_status(skb, ct) < 0)
2416 goto nla_put_failure;
2417
2418 if (ctnetlink_dump_timeout(skb, ct) < 0)
2419 goto nla_put_failure;
2420
2421 if (ctnetlink_dump_protoinfo(skb, ct) < 0)
2422 goto nla_put_failure;
2423
2424 if (ctnetlink_dump_helpinfo(skb, ct) < 0)
2425 goto nla_put_failure;
2426
2427#ifdef CONFIG_NF_CONNTRACK_SECMARK
2428 if (ct->secmark && ctnetlink_dump_secctx(skb, ct) < 0)
2429 goto nla_put_failure;
2430#endif
2431 if (ct->master && ctnetlink_dump_master(skb, ct) < 0)
2432 goto nla_put_failure;
2433
2434 if ((ct->status & IPS_SEQ_ADJUST) &&
2435 ctnetlink_dump_ct_seq_adj(skb, ct) < 0)
2436 goto nla_put_failure;
2437
2438 if (ctnetlink_dump_ct_synproxy(skb, ct) < 0)
2439 goto nla_put_failure;
2440
2441#ifdef CONFIG_NF_CONNTRACK_MARK
2442 if (ct->mark && ctnetlink_dump_mark(skb, ct) < 0)
2443 goto nla_put_failure;
2444#endif
2445 if (ctnetlink_dump_labels(skb, ct) < 0)
2446 goto nla_put_failure;
2447 return 0;
2448
2449nla_put_failure:
2450 return -ENOSPC;
2451}
2452
2453static int
2454ctnetlink_glue_build(struct sk_buff *skb, struct nf_conn *ct,
2455 enum ip_conntrack_info ctinfo,
2456 u_int16_t ct_attr, u_int16_t ct_info_attr)
2457{
2458 struct nlattr *nest_parms;
2459
2460 nest_parms = nla_nest_start(skb, ct_attr);
2461 if (!nest_parms)
2462 goto nla_put_failure;
2463
2464 if (__ctnetlink_glue_build(skb, ct) < 0)
2465 goto nla_put_failure;
2466
2467 nla_nest_end(skb, nest_parms);
2468
2469 if (nla_put_be32(skb, ct_info_attr, htonl(ctinfo)))
2470 goto nla_put_failure;
2471
2472 return 0;
2473
2474nla_put_failure:
2475 return -ENOSPC;
2476}
2477
2478static int
2479ctnetlink_update_status(struct nf_conn *ct, const struct nlattr * const cda[])
2480{
2481 unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS]));
2482 unsigned long d = ct->status ^ status;
2483
2484 if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY))
2485
2486 return -EBUSY;
2487
2488 if (d & IPS_ASSURED && !(status & IPS_ASSURED))
2489
2490 return -EBUSY;
2491
2492
2493
2494
2495
2496
2497
2498 __ctnetlink_change_status(ct, status, ~status);
2499 return 0;
2500}
2501
2502static int
2503ctnetlink_glue_parse_ct(const struct nlattr *cda[], struct nf_conn *ct)
2504{
2505 int err;
2506
2507 if (cda[CTA_TIMEOUT]) {
2508 err = ctnetlink_change_timeout(ct, cda);
2509 if (err < 0)
2510 return err;
2511 }
2512 if (cda[CTA_STATUS]) {
2513 err = ctnetlink_update_status(ct, cda);
2514 if (err < 0)
2515 return err;
2516 }
2517 if (cda[CTA_HELP]) {
2518 err = ctnetlink_change_helper(ct, cda);
2519 if (err < 0)
2520 return err;
2521 }
2522 if (cda[CTA_LABELS]) {
2523 err = ctnetlink_attach_labels(ct, cda);
2524 if (err < 0)
2525 return err;
2526 }
2527#if defined(CONFIG_NF_CONNTRACK_MARK)
2528 if (cda[CTA_MARK]) {
2529 u32 mask = 0, mark, newmark;
2530 if (cda[CTA_MARK_MASK])
2531 mask = ~ntohl(nla_get_be32(cda[CTA_MARK_MASK]));
2532
2533 mark = ntohl(nla_get_be32(cda[CTA_MARK]));
2534 newmark = (ct->mark & mask) ^ mark;
2535 if (newmark != ct->mark)
2536 ct->mark = newmark;
2537 }
2538#endif
2539 return 0;
2540}
2541
2542static int
2543ctnetlink_glue_parse(const struct nlattr *attr, struct nf_conn *ct)
2544{
2545 struct nlattr *cda[CTA_MAX+1];
2546 int ret;
2547
2548 ret = nla_parse_nested_deprecated(cda, CTA_MAX, attr, ct_nla_policy,
2549 NULL);
2550 if (ret < 0)
2551 return ret;
2552
2553 return ctnetlink_glue_parse_ct((const struct nlattr **)cda, ct);
2554}
2555
2556static int ctnetlink_glue_exp_parse(const struct nlattr * const *cda,
2557 const struct nf_conn *ct,
2558 struct nf_conntrack_tuple *tuple,
2559 struct nf_conntrack_tuple *mask)
2560{
2561 int err;
2562
2563 err = ctnetlink_parse_tuple(cda, tuple, CTA_EXPECT_TUPLE,
2564 nf_ct_l3num(ct), NULL);
2565 if (err < 0)
2566 return err;
2567
2568 return ctnetlink_parse_tuple(cda, mask, CTA_EXPECT_MASK,
2569 nf_ct_l3num(ct), NULL);
2570}
2571
2572static int
2573ctnetlink_glue_attach_expect(const struct nlattr *attr, struct nf_conn *ct,
2574 u32 portid, u32 report)
2575{
2576 struct nlattr *cda[CTA_EXPECT_MAX+1];
2577 struct nf_conntrack_tuple tuple, mask;
2578 struct nf_conntrack_helper *helper = NULL;
2579 struct nf_conntrack_expect *exp;
2580 int err;
2581
2582 err = nla_parse_nested_deprecated(cda, CTA_EXPECT_MAX, attr,
2583 exp_nla_policy, NULL);
2584 if (err < 0)
2585 return err;
2586
2587 err = ctnetlink_glue_exp_parse((const struct nlattr * const *)cda,
2588 ct, &tuple, &mask);
2589 if (err < 0)
2590 return err;
2591
2592 if (cda[CTA_EXPECT_HELP_NAME]) {
2593 const char *helpname = nla_data(cda[CTA_EXPECT_HELP_NAME]);
2594
2595 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
2596 nf_ct_protonum(ct));
2597 if (helper == NULL)
2598 return -EOPNOTSUPP;
2599 }
2600
2601 exp = ctnetlink_alloc_expect((const struct nlattr * const *)cda, ct,
2602 helper, &tuple, &mask);
2603 if (IS_ERR(exp))
2604 return PTR_ERR(exp);
2605
2606 err = nf_ct_expect_related_report(exp, portid, report);
2607 nf_ct_expect_put(exp);
2608 return err;
2609}
2610
2611static void ctnetlink_glue_seqadj(struct sk_buff *skb, struct nf_conn *ct,
2612 enum ip_conntrack_info ctinfo, int diff)
2613{
2614 if (!(ct->status & IPS_NAT_MASK))
2615 return;
2616
2617 nf_ct_tcp_seqadj_set(skb, ct, ctinfo, diff);
2618}
2619
2620static struct nfnl_ct_hook ctnetlink_glue_hook = {
2621 .get_ct = ctnetlink_glue_get_ct,
2622 .build_size = ctnetlink_glue_build_size,
2623 .build = ctnetlink_glue_build,
2624 .parse = ctnetlink_glue_parse,
2625 .attach_expect = ctnetlink_glue_attach_expect,
2626 .seq_adjust = ctnetlink_glue_seqadj,
2627};
2628#endif
2629
2630
2631
2632
2633
2634static int ctnetlink_exp_dump_tuple(struct sk_buff *skb,
2635 const struct nf_conntrack_tuple *tuple,
2636 u32 type)
2637{
2638 struct nlattr *nest_parms;
2639
2640 nest_parms = nla_nest_start(skb, type);
2641 if (!nest_parms)
2642 goto nla_put_failure;
2643 if (ctnetlink_dump_tuples(skb, tuple) < 0)
2644 goto nla_put_failure;
2645 nla_nest_end(skb, nest_parms);
2646
2647 return 0;
2648
2649nla_put_failure:
2650 return -1;
2651}
2652
2653static int ctnetlink_exp_dump_mask(struct sk_buff *skb,
2654 const struct nf_conntrack_tuple *tuple,
2655 const struct nf_conntrack_tuple_mask *mask)
2656{
2657 const struct nf_conntrack_l4proto *l4proto;
2658 struct nf_conntrack_tuple m;
2659 struct nlattr *nest_parms;
2660 int ret;
2661
2662 memset(&m, 0xFF, sizeof(m));
2663 memcpy(&m.src.u3, &mask->src.u3, sizeof(m.src.u3));
2664 m.src.u.all = mask->src.u.all;
2665 m.src.l3num = tuple->src.l3num;
2666 m.dst.protonum = tuple->dst.protonum;
2667
2668 nest_parms = nla_nest_start(skb, CTA_EXPECT_MASK);
2669 if (!nest_parms)
2670 goto nla_put_failure;
2671
2672 rcu_read_lock();
2673 ret = ctnetlink_dump_tuples_ip(skb, &m);
2674 if (ret >= 0) {
2675 l4proto = __nf_ct_l4proto_find(tuple->dst.protonum);
2676 ret = ctnetlink_dump_tuples_proto(skb, &m, l4proto);
2677 }
2678 rcu_read_unlock();
2679
2680 if (unlikely(ret < 0))
2681 goto nla_put_failure;
2682
2683 nla_nest_end(skb, nest_parms);
2684
2685 return 0;
2686
2687nla_put_failure:
2688 return -1;
2689}
2690
2691static const union nf_inet_addr any_addr;
2692
2693static __be32 nf_expect_get_id(const struct nf_conntrack_expect *exp)
2694{
2695 static __read_mostly siphash_key_t exp_id_seed;
2696 unsigned long a, b, c, d;
2697
2698 net_get_random_once(&exp_id_seed, sizeof(exp_id_seed));
2699
2700 a = (unsigned long)exp;
2701 b = (unsigned long)exp->helper;
2702 c = (unsigned long)exp->master;
2703 d = (unsigned long)siphash(&exp->tuple, sizeof(exp->tuple), &exp_id_seed);
2704
2705#ifdef CONFIG_64BIT
2706 return (__force __be32)siphash_4u64((u64)a, (u64)b, (u64)c, (u64)d, &exp_id_seed);
2707#else
2708 return (__force __be32)siphash_4u32((u32)a, (u32)b, (u32)c, (u32)d, &exp_id_seed);
2709#endif
2710}
2711
2712static int
2713ctnetlink_exp_dump_expect(struct sk_buff *skb,
2714 const struct nf_conntrack_expect *exp)
2715{
2716 struct nf_conn *master = exp->master;
2717 long timeout = ((long)exp->timeout.expires - (long)jiffies) / HZ;
2718 struct nf_conn_help *help;
2719#ifdef CONFIG_NF_NAT_NEEDED
2720 struct nlattr *nest_parms;
2721 struct nf_conntrack_tuple nat_tuple = {};
2722#endif
2723 struct nf_ct_helper_expectfn *expfn;
2724
2725 if (timeout < 0)
2726 timeout = 0;
2727
2728 if (ctnetlink_exp_dump_tuple(skb, &exp->tuple, CTA_EXPECT_TUPLE) < 0)
2729 goto nla_put_failure;
2730 if (ctnetlink_exp_dump_mask(skb, &exp->tuple, &exp->mask) < 0)
2731 goto nla_put_failure;
2732 if (ctnetlink_exp_dump_tuple(skb,
2733 &master->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
2734 CTA_EXPECT_MASTER) < 0)
2735 goto nla_put_failure;
2736
2737#ifdef CONFIG_NF_NAT_NEEDED
2738 if (!nf_inet_addr_cmp(&exp->saved_addr, &any_addr) ||
2739 exp->saved_proto.all) {
2740 nest_parms = nla_nest_start(skb, CTA_EXPECT_NAT);
2741 if (!nest_parms)
2742 goto nla_put_failure;
2743
2744 if (nla_put_be32(skb, CTA_EXPECT_NAT_DIR, htonl(exp->dir)))
2745 goto nla_put_failure;
2746
2747 nat_tuple.src.l3num = nf_ct_l3num(master);
2748 nat_tuple.src.u3 = exp->saved_addr;
2749 nat_tuple.dst.protonum = nf_ct_protonum(master);
2750 nat_tuple.src.u = exp->saved_proto;
2751
2752 if (ctnetlink_exp_dump_tuple(skb, &nat_tuple,
2753 CTA_EXPECT_NAT_TUPLE) < 0)
2754 goto nla_put_failure;
2755 nla_nest_end(skb, nest_parms);
2756 }
2757#endif
2758 if (nla_put_be32(skb, CTA_EXPECT_TIMEOUT, htonl(timeout)) ||
2759 nla_put_be32(skb, CTA_EXPECT_ID, nf_expect_get_id(exp)) ||
2760 nla_put_be32(skb, CTA_EXPECT_FLAGS, htonl(exp->flags)) ||
2761 nla_put_be32(skb, CTA_EXPECT_CLASS, htonl(exp->class)))
2762 goto nla_put_failure;
2763 help = nfct_help(master);
2764 if (help) {
2765 struct nf_conntrack_helper *helper;
2766
2767 helper = rcu_dereference(help->helper);
2768 if (helper &&
2769 nla_put_string(skb, CTA_EXPECT_HELP_NAME, helper->name))
2770 goto nla_put_failure;
2771 }
2772 expfn = nf_ct_helper_expectfn_find_by_symbol(exp->expectfn);
2773 if (expfn != NULL &&
2774 nla_put_string(skb, CTA_EXPECT_FN, expfn->name))
2775 goto nla_put_failure;
2776
2777 return 0;
2778
2779nla_put_failure:
2780 return -1;
2781}
2782
2783static int
2784ctnetlink_exp_fill_info(struct sk_buff *skb, u32 portid, u32 seq,
2785 int event, const struct nf_conntrack_expect *exp)
2786{
2787 struct nlmsghdr *nlh;
2788 struct nfgenmsg *nfmsg;
2789 unsigned int flags = portid ? NLM_F_MULTI : 0;
2790
2791 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_EXP, event);
2792 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
2793 if (nlh == NULL)
2794 goto nlmsg_failure;
2795
2796 nfmsg = nlmsg_data(nlh);
2797 nfmsg->nfgen_family = exp->tuple.src.l3num;
2798 nfmsg->version = NFNETLINK_V0;
2799 nfmsg->res_id = 0;
2800
2801 if (ctnetlink_exp_dump_expect(skb, exp) < 0)
2802 goto nla_put_failure;
2803
2804 nlmsg_end(skb, nlh);
2805 return skb->len;
2806
2807nlmsg_failure:
2808nla_put_failure:
2809 nlmsg_cancel(skb, nlh);
2810 return -1;
2811}
2812
2813#ifdef CONFIG_NF_CONNTRACK_EVENTS
2814static int
2815ctnetlink_expect_event(unsigned int events, struct nf_exp_event *item)
2816{
2817 struct nf_conntrack_expect *exp = item->exp;
2818 struct net *net = nf_ct_exp_net(exp);
2819 struct nlmsghdr *nlh;
2820 struct nfgenmsg *nfmsg;
2821 struct sk_buff *skb;
2822 unsigned int type, group;
2823 int flags = 0;
2824
2825 if (events & (1 << IPEXP_DESTROY)) {
2826 type = IPCTNL_MSG_EXP_DELETE;
2827 group = NFNLGRP_CONNTRACK_EXP_DESTROY;
2828 } else if (events & (1 << IPEXP_NEW)) {
2829 type = IPCTNL_MSG_EXP_NEW;
2830 flags = NLM_F_CREATE|NLM_F_EXCL;
2831 group = NFNLGRP_CONNTRACK_EXP_NEW;
2832 } else
2833 return 0;
2834
2835 if (!item->report && !nfnetlink_has_listeners(net, group))
2836 return 0;
2837
2838 skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
2839 if (skb == NULL)
2840 goto errout;
2841
2842 type = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_EXP, type);
2843 nlh = nlmsg_put(skb, item->portid, 0, type, sizeof(*nfmsg), flags);
2844 if (nlh == NULL)
2845 goto nlmsg_failure;
2846
2847 nfmsg = nlmsg_data(nlh);
2848 nfmsg->nfgen_family = exp->tuple.src.l3num;
2849 nfmsg->version = NFNETLINK_V0;
2850 nfmsg->res_id = 0;
2851
2852 if (ctnetlink_exp_dump_expect(skb, exp) < 0)
2853 goto nla_put_failure;
2854
2855 nlmsg_end(skb, nlh);
2856 nfnetlink_send(skb, net, item->portid, group, item->report, GFP_ATOMIC);
2857 return 0;
2858
2859nla_put_failure:
2860 nlmsg_cancel(skb, nlh);
2861nlmsg_failure:
2862 kfree_skb(skb);
2863errout:
2864 nfnetlink_set_err(net, 0, 0, -ENOBUFS);
2865 return 0;
2866}
2867#endif
2868static int ctnetlink_exp_done(struct netlink_callback *cb)
2869{
2870 if (cb->args[1])
2871 nf_ct_expect_put((struct nf_conntrack_expect *)cb->args[1]);
2872 return 0;
2873}
2874
2875static int
2876ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
2877{
2878 struct net *net = sock_net(skb->sk);
2879 struct nf_conntrack_expect *exp, *last;
2880 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2881 u_int8_t l3proto = nfmsg->nfgen_family;
2882
2883 rcu_read_lock();
2884 last = (struct nf_conntrack_expect *)cb->args[1];
2885 for (; cb->args[0] < nf_ct_expect_hsize; cb->args[0]++) {
2886restart:
2887 hlist_for_each_entry_rcu(exp, &nf_ct_expect_hash[cb->args[0]],
2888 hnode) {
2889 if (l3proto && exp->tuple.src.l3num != l3proto)
2890 continue;
2891
2892 if (!net_eq(nf_ct_net(exp->master), net))
2893 continue;
2894
2895 if (cb->args[1]) {
2896 if (exp != last)
2897 continue;
2898 cb->args[1] = 0;
2899 }
2900 if (ctnetlink_exp_fill_info(skb,
2901 NETLINK_CB(cb->skb).portid,
2902 cb->nlh->nlmsg_seq,
2903 IPCTNL_MSG_EXP_NEW,
2904 exp) < 0) {
2905 if (!refcount_inc_not_zero(&exp->use))
2906 continue;
2907 cb->args[1] = (unsigned long)exp;
2908 goto out;
2909 }
2910 }
2911 if (cb->args[1]) {
2912 cb->args[1] = 0;
2913 goto restart;
2914 }
2915 }
2916out:
2917 rcu_read_unlock();
2918 if (last)
2919 nf_ct_expect_put(last);
2920
2921 return skb->len;
2922}
2923
2924static int
2925ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
2926{
2927 struct nf_conntrack_expect *exp, *last;
2928 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2929 struct nf_conn *ct = cb->data;
2930 struct nf_conn_help *help = nfct_help(ct);
2931 u_int8_t l3proto = nfmsg->nfgen_family;
2932
2933 if (cb->args[0])
2934 return 0;
2935
2936 rcu_read_lock();
2937 last = (struct nf_conntrack_expect *)cb->args[1];
2938restart:
2939 hlist_for_each_entry_rcu(exp, &help->expectations, lnode) {
2940 if (l3proto && exp->tuple.src.l3num != l3proto)
2941 continue;
2942 if (cb->args[1]) {
2943 if (exp != last)
2944 continue;
2945 cb->args[1] = 0;
2946 }
2947 if (ctnetlink_exp_fill_info(skb, NETLINK_CB(cb->skb).portid,
2948 cb->nlh->nlmsg_seq,
2949 IPCTNL_MSG_EXP_NEW,
2950 exp) < 0) {
2951 if (!refcount_inc_not_zero(&exp->use))
2952 continue;
2953 cb->args[1] = (unsigned long)exp;
2954 goto out;
2955 }
2956 }
2957 if (cb->args[1]) {
2958 cb->args[1] = 0;
2959 goto restart;
2960 }
2961 cb->args[0] = 1;
2962out:
2963 rcu_read_unlock();
2964 if (last)
2965 nf_ct_expect_put(last);
2966
2967 return skb->len;
2968}
2969
2970static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl,
2971 struct sk_buff *skb,
2972 const struct nlmsghdr *nlh,
2973 const struct nlattr * const cda[],
2974 struct netlink_ext_ack *extack)
2975{
2976 int err;
2977 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2978 u_int8_t u3 = nfmsg->nfgen_family;
2979 struct nf_conntrack_tuple tuple;
2980 struct nf_conntrack_tuple_hash *h;
2981 struct nf_conn *ct;
2982 struct nf_conntrack_zone zone;
2983 struct netlink_dump_control c = {
2984 .dump = ctnetlink_exp_ct_dump_table,
2985 .done = ctnetlink_exp_done,
2986 };
2987
2988 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER,
2989 u3, NULL);
2990 if (err < 0)
2991 return err;
2992
2993 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
2994 if (err < 0)
2995 return err;
2996
2997 h = nf_conntrack_find_get(net, &zone, &tuple);
2998 if (!h)
2999 return -ENOENT;
3000
3001 ct = nf_ct_tuplehash_to_ctrack(h);
3002
3003 if (!nfct_help(ct)) {
3004 nf_ct_put(ct);
3005 return 0;
3006 }
3007
3008 c.data = ct;
3009
3010 err = netlink_dump_start(ctnl, skb, nlh, &c);
3011 nf_ct_put(ct);
3012
3013 return err;
3014}
3015
3016static int ctnetlink_get_expect(struct net *net, struct sock *ctnl,
3017 struct sk_buff *skb, const struct nlmsghdr *nlh,
3018 const struct nlattr * const cda[],
3019 struct netlink_ext_ack *extack)
3020{
3021 struct nf_conntrack_tuple tuple;
3022 struct nf_conntrack_expect *exp;
3023 struct sk_buff *skb2;
3024 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3025 u_int8_t u3 = nfmsg->nfgen_family;
3026 struct nf_conntrack_zone zone;
3027 int err;
3028
3029 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3030 if (cda[CTA_EXPECT_MASTER])
3031 return ctnetlink_dump_exp_ct(net, ctnl, skb, nlh, cda,
3032 extack);
3033 else {
3034 struct netlink_dump_control c = {
3035 .dump = ctnetlink_exp_dump_table,
3036 .done = ctnetlink_exp_done,
3037 };
3038 return netlink_dump_start(ctnl, skb, nlh, &c);
3039 }
3040 }
3041
3042 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
3043 if (err < 0)
3044 return err;
3045
3046 if (cda[CTA_EXPECT_TUPLE])
3047 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE,
3048 u3, NULL);
3049 else if (cda[CTA_EXPECT_MASTER])
3050 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER,
3051 u3, NULL);
3052 else
3053 return -EINVAL;
3054
3055 if (err < 0)
3056 return err;
3057
3058 exp = nf_ct_expect_find_get(net, &zone, &tuple);
3059 if (!exp)
3060 return -ENOENT;
3061
3062 if (cda[CTA_EXPECT_ID]) {
3063 __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);
3064
3065 if (id != nf_expect_get_id(exp)) {
3066 nf_ct_expect_put(exp);
3067 return -ENOENT;
3068 }
3069 }
3070
3071 err = -ENOMEM;
3072 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3073 if (skb2 == NULL) {
3074 nf_ct_expect_put(exp);
3075 goto out;
3076 }
3077
3078 rcu_read_lock();
3079 err = ctnetlink_exp_fill_info(skb2, NETLINK_CB(skb).portid,
3080 nlh->nlmsg_seq, IPCTNL_MSG_EXP_NEW, exp);
3081 rcu_read_unlock();
3082 nf_ct_expect_put(exp);
3083 if (err <= 0)
3084 goto free;
3085
3086 err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
3087 if (err < 0)
3088 goto out;
3089
3090 return 0;
3091
3092free:
3093 kfree_skb(skb2);
3094out:
3095
3096 return err == -EAGAIN ? -ENOBUFS : err;
3097}
3098
3099static bool expect_iter_name(struct nf_conntrack_expect *exp, void *data)
3100{
3101 const struct nf_conn_help *m_help;
3102 const char *name = data;
3103
3104 m_help = nfct_help(exp->master);
3105
3106 return strcmp(m_help->helper->name, name) == 0;
3107}
3108
3109static bool expect_iter_all(struct nf_conntrack_expect *exp, void *data)
3110{
3111 return true;
3112}
3113
3114static int ctnetlink_del_expect(struct net *net, struct sock *ctnl,
3115 struct sk_buff *skb, const struct nlmsghdr *nlh,
3116 const struct nlattr * const cda[],
3117 struct netlink_ext_ack *extack)
3118{
3119 struct nf_conntrack_expect *exp;
3120 struct nf_conntrack_tuple tuple;
3121 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3122 u_int8_t u3 = nfmsg->nfgen_family;
3123 struct nf_conntrack_zone zone;
3124 int err;
3125
3126 if (cda[CTA_EXPECT_TUPLE]) {
3127
3128 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
3129 if (err < 0)
3130 return err;
3131
3132 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE,
3133 u3, NULL);
3134 if (err < 0)
3135 return err;
3136
3137
3138 exp = nf_ct_expect_find_get(net, &zone, &tuple);
3139 if (!exp)
3140 return -ENOENT;
3141
3142 if (cda[CTA_EXPECT_ID]) {
3143 __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);
3144 if (ntohl(id) != (u32)(unsigned long)exp) {
3145 nf_ct_expect_put(exp);
3146 return -ENOENT;
3147 }
3148 }
3149
3150
3151 spin_lock_bh(&nf_conntrack_expect_lock);
3152 if (del_timer(&exp->timeout)) {
3153 nf_ct_unlink_expect_report(exp, NETLINK_CB(skb).portid,
3154 nlmsg_report(nlh));
3155 nf_ct_expect_put(exp);
3156 }
3157 spin_unlock_bh(&nf_conntrack_expect_lock);
3158
3159
3160 nf_ct_expect_put(exp);
3161 } else if (cda[CTA_EXPECT_HELP_NAME]) {
3162 char *name = nla_data(cda[CTA_EXPECT_HELP_NAME]);
3163
3164 nf_ct_expect_iterate_net(net, expect_iter_name, name,
3165 NETLINK_CB(skb).portid,
3166 nlmsg_report(nlh));
3167 } else {
3168
3169 nf_ct_expect_iterate_net(net, expect_iter_all, NULL,
3170 NETLINK_CB(skb).portid,
3171 nlmsg_report(nlh));
3172 }
3173
3174 return 0;
3175}
3176static int
3177ctnetlink_change_expect(struct nf_conntrack_expect *x,
3178 const struct nlattr * const cda[])
3179{
3180 if (cda[CTA_EXPECT_TIMEOUT]) {
3181 if (!del_timer(&x->timeout))
3182 return -ETIME;
3183
3184 x->timeout.expires = jiffies +
3185 ntohl(nla_get_be32(cda[CTA_EXPECT_TIMEOUT])) * HZ;
3186 add_timer(&x->timeout);
3187 }
3188 return 0;
3189}
3190
3191static const struct nla_policy exp_nat_nla_policy[CTA_EXPECT_NAT_MAX+1] = {
3192 [CTA_EXPECT_NAT_DIR] = { .type = NLA_U32 },
3193 [CTA_EXPECT_NAT_TUPLE] = { .type = NLA_NESTED },
3194};
3195
3196static int
3197ctnetlink_parse_expect_nat(const struct nlattr *attr,
3198 struct nf_conntrack_expect *exp,
3199 u_int8_t u3)
3200{
3201#ifdef CONFIG_NF_NAT_NEEDED
3202 struct nlattr *tb[CTA_EXPECT_NAT_MAX+1];
3203 struct nf_conntrack_tuple nat_tuple = {};
3204 int err;
3205
3206 err = nla_parse_nested_deprecated(tb, CTA_EXPECT_NAT_MAX, attr,
3207 exp_nat_nla_policy, NULL);
3208 if (err < 0)
3209 return err;
3210
3211 if (!tb[CTA_EXPECT_NAT_DIR] || !tb[CTA_EXPECT_NAT_TUPLE])
3212 return -EINVAL;
3213
3214 err = ctnetlink_parse_tuple((const struct nlattr * const *)tb,
3215 &nat_tuple, CTA_EXPECT_NAT_TUPLE,
3216 u3, NULL);
3217 if (err < 0)
3218 return err;
3219
3220 exp->saved_addr = nat_tuple.src.u3;
3221 exp->saved_proto = nat_tuple.src.u;
3222 exp->dir = ntohl(nla_get_be32(tb[CTA_EXPECT_NAT_DIR]));
3223
3224 return 0;
3225#else
3226 return -EOPNOTSUPP;
3227#endif
3228}
3229
3230static struct nf_conntrack_expect *
3231ctnetlink_alloc_expect(const struct nlattr * const cda[], struct nf_conn *ct,
3232 struct nf_conntrack_helper *helper,
3233 struct nf_conntrack_tuple *tuple,
3234 struct nf_conntrack_tuple *mask)
3235{
3236 u_int32_t class = 0;
3237 struct nf_conntrack_expect *exp;
3238 struct nf_conn_help *help;
3239 int err;
3240
3241 help = nfct_help(ct);
3242 if (!help)
3243 return ERR_PTR(-EOPNOTSUPP);
3244
3245 if (cda[CTA_EXPECT_CLASS] && helper) {
3246 class = ntohl(nla_get_be32(cda[CTA_EXPECT_CLASS]));
3247 if (class > helper->expect_class_max)
3248 return ERR_PTR(-EINVAL);
3249 }
3250 exp = nf_ct_expect_alloc(ct);
3251 if (!exp)
3252 return ERR_PTR(-ENOMEM);
3253
3254 if (cda[CTA_EXPECT_FLAGS]) {
3255 exp->flags = ntohl(nla_get_be32(cda[CTA_EXPECT_FLAGS]));
3256 exp->flags &= ~NF_CT_EXPECT_USERSPACE;
3257 } else {
3258 exp->flags = 0;
3259 }
3260 if (cda[CTA_EXPECT_FN]) {
3261 const char *name = nla_data(cda[CTA_EXPECT_FN]);
3262 struct nf_ct_helper_expectfn *expfn;
3263
3264 expfn = nf_ct_helper_expectfn_find_by_name(name);
3265 if (expfn == NULL) {
3266 err = -EINVAL;
3267 goto err_out;
3268 }
3269 exp->expectfn = expfn->expectfn;
3270 } else
3271 exp->expectfn = NULL;
3272
3273 exp->class = class;
3274 exp->master = ct;
3275 exp->helper = helper;
3276 exp->tuple = *tuple;
3277 exp->mask.src.u3 = mask->src.u3;
3278 exp->mask.src.u.all = mask->src.u.all;
3279
3280 if (cda[CTA_EXPECT_NAT]) {
3281 err = ctnetlink_parse_expect_nat(cda[CTA_EXPECT_NAT],
3282 exp, nf_ct_l3num(ct));
3283 if (err < 0)
3284 goto err_out;
3285 }
3286 return exp;
3287err_out:
3288 nf_ct_expect_put(exp);
3289 return ERR_PTR(err);
3290}
3291
3292static int
3293ctnetlink_create_expect(struct net *net,
3294 const struct nf_conntrack_zone *zone,
3295 const struct nlattr * const cda[],
3296 u_int8_t u3, u32 portid, int report)
3297{
3298 struct nf_conntrack_tuple tuple, mask, master_tuple;
3299 struct nf_conntrack_tuple_hash *h = NULL;
3300 struct nf_conntrack_helper *helper = NULL;
3301 struct nf_conntrack_expect *exp;
3302 struct nf_conn *ct;
3303 int err;
3304
3305
3306 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE,
3307 u3, NULL);
3308 if (err < 0)
3309 return err;
3310 err = ctnetlink_parse_tuple(cda, &mask, CTA_EXPECT_MASK,
3311 u3, NULL);
3312 if (err < 0)
3313 return err;
3314 err = ctnetlink_parse_tuple(cda, &master_tuple, CTA_EXPECT_MASTER,
3315 u3, NULL);
3316 if (err < 0)
3317 return err;
3318
3319
3320 h = nf_conntrack_find_get(net, zone, &master_tuple);
3321 if (!h)
3322 return -ENOENT;
3323 ct = nf_ct_tuplehash_to_ctrack(h);
3324
3325 rcu_read_lock();
3326 if (cda[CTA_EXPECT_HELP_NAME]) {
3327 const char *helpname = nla_data(cda[CTA_EXPECT_HELP_NAME]);
3328
3329 helper = __nf_conntrack_helper_find(helpname, u3,
3330 nf_ct_protonum(ct));
3331 if (helper == NULL) {
3332 rcu_read_unlock();
3333#ifdef CONFIG_MODULES
3334 if (request_module("nfct-helper-%s", helpname) < 0) {
3335 err = -EOPNOTSUPP;
3336 goto err_ct;
3337 }
3338 rcu_read_lock();
3339 helper = __nf_conntrack_helper_find(helpname, u3,
3340 nf_ct_protonum(ct));
3341 if (helper) {
3342 err = -EAGAIN;
3343 goto err_rcu;
3344 }
3345 rcu_read_unlock();
3346#endif
3347 err = -EOPNOTSUPP;
3348 goto err_ct;
3349 }
3350 }
3351
3352 exp = ctnetlink_alloc_expect(cda, ct, helper, &tuple, &mask);
3353 if (IS_ERR(exp)) {
3354 err = PTR_ERR(exp);
3355 goto err_rcu;
3356 }
3357
3358 err = nf_ct_expect_related_report(exp, portid, report);
3359 nf_ct_expect_put(exp);
3360err_rcu:
3361 rcu_read_unlock();
3362err_ct:
3363 nf_ct_put(ct);
3364 return err;
3365}
3366
3367static int ctnetlink_new_expect(struct net *net, struct sock *ctnl,
3368 struct sk_buff *skb, const struct nlmsghdr *nlh,
3369 const struct nlattr * const cda[],
3370 struct netlink_ext_ack *extack)
3371{
3372 struct nf_conntrack_tuple tuple;
3373 struct nf_conntrack_expect *exp;
3374 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3375 u_int8_t u3 = nfmsg->nfgen_family;
3376 struct nf_conntrack_zone zone;
3377 int err;
3378
3379 if (!cda[CTA_EXPECT_TUPLE]
3380 || !cda[CTA_EXPECT_MASK]
3381 || !cda[CTA_EXPECT_MASTER])
3382 return -EINVAL;
3383
3384 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
3385 if (err < 0)
3386 return err;
3387
3388 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE,
3389 u3, NULL);
3390 if (err < 0)
3391 return err;
3392
3393 spin_lock_bh(&nf_conntrack_expect_lock);
3394 exp = __nf_ct_expect_find(net, &zone, &tuple);
3395 if (!exp) {
3396 spin_unlock_bh(&nf_conntrack_expect_lock);
3397 err = -ENOENT;
3398 if (nlh->nlmsg_flags & NLM_F_CREATE) {
3399 err = ctnetlink_create_expect(net, &zone, cda, u3,
3400 NETLINK_CB(skb).portid,
3401 nlmsg_report(nlh));
3402 }
3403 return err;
3404 }
3405
3406 err = -EEXIST;
3407 if (!(nlh->nlmsg_flags & NLM_F_EXCL))
3408 err = ctnetlink_change_expect(exp, cda);
3409 spin_unlock_bh(&nf_conntrack_expect_lock);
3410
3411 return err;
3412}
3413
3414static int
3415ctnetlink_exp_stat_fill_info(struct sk_buff *skb, u32 portid, u32 seq, int cpu,
3416 const struct ip_conntrack_stat *st)
3417{
3418 struct nlmsghdr *nlh;
3419 struct nfgenmsg *nfmsg;
3420 unsigned int flags = portid ? NLM_F_MULTI : 0, event;
3421
3422 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK,
3423 IPCTNL_MSG_EXP_GET_STATS_CPU);
3424 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
3425 if (nlh == NULL)
3426 goto nlmsg_failure;
3427
3428 nfmsg = nlmsg_data(nlh);
3429 nfmsg->nfgen_family = AF_UNSPEC;
3430 nfmsg->version = NFNETLINK_V0;
3431 nfmsg->res_id = htons(cpu);
3432
3433 if (nla_put_be32(skb, CTA_STATS_EXP_NEW, htonl(st->expect_new)) ||
3434 nla_put_be32(skb, CTA_STATS_EXP_CREATE, htonl(st->expect_create)) ||
3435 nla_put_be32(skb, CTA_STATS_EXP_DELETE, htonl(st->expect_delete)))
3436 goto nla_put_failure;
3437
3438 nlmsg_end(skb, nlh);
3439 return skb->len;
3440
3441nla_put_failure:
3442nlmsg_failure:
3443 nlmsg_cancel(skb, nlh);
3444 return -1;
3445}
3446
3447static int
3448ctnetlink_exp_stat_cpu_dump(struct sk_buff *skb, struct netlink_callback *cb)
3449{
3450 int cpu;
3451 struct net *net = sock_net(skb->sk);
3452
3453 if (cb->args[0] == nr_cpu_ids)
3454 return 0;
3455
3456 for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) {
3457 const struct ip_conntrack_stat *st;
3458
3459 if (!cpu_possible(cpu))
3460 continue;
3461
3462 st = per_cpu_ptr(net->ct.stat, cpu);
3463 if (ctnetlink_exp_stat_fill_info(skb, NETLINK_CB(cb->skb).portid,
3464 cb->nlh->nlmsg_seq,
3465 cpu, st) < 0)
3466 break;
3467 }
3468 cb->args[0] = cpu;
3469
3470 return skb->len;
3471}
3472
3473static int ctnetlink_stat_exp_cpu(struct net *net, struct sock *ctnl,
3474 struct sk_buff *skb,
3475 const struct nlmsghdr *nlh,
3476 const struct nlattr * const cda[],
3477 struct netlink_ext_ack *extack)
3478{
3479 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3480 struct netlink_dump_control c = {
3481 .dump = ctnetlink_exp_stat_cpu_dump,
3482 };
3483 return netlink_dump_start(ctnl, skb, nlh, &c);
3484 }
3485
3486 return 0;
3487}
3488
3489#ifdef CONFIG_NF_CONNTRACK_EVENTS
3490static struct nf_ct_event_notifier ctnl_notifier = {
3491 .fcn = ctnetlink_conntrack_event,
3492};
3493
3494static struct nf_exp_event_notifier ctnl_notifier_exp = {
3495 .fcn = ctnetlink_expect_event,
3496};
3497#endif
3498
3499static const struct nfnl_callback ctnl_cb[IPCTNL_MSG_MAX] = {
3500 [IPCTNL_MSG_CT_NEW] = { .call = ctnetlink_new_conntrack,
3501 .attr_count = CTA_MAX,
3502 .policy = ct_nla_policy },
3503 [IPCTNL_MSG_CT_GET] = { .call = ctnetlink_get_conntrack,
3504 .attr_count = CTA_MAX,
3505 .policy = ct_nla_policy },
3506 [IPCTNL_MSG_CT_DELETE] = { .call = ctnetlink_del_conntrack,
3507 .attr_count = CTA_MAX,
3508 .policy = ct_nla_policy },
3509 [IPCTNL_MSG_CT_GET_CTRZERO] = { .call = ctnetlink_get_conntrack,
3510 .attr_count = CTA_MAX,
3511 .policy = ct_nla_policy },
3512 [IPCTNL_MSG_CT_GET_STATS_CPU] = { .call = ctnetlink_stat_ct_cpu },
3513 [IPCTNL_MSG_CT_GET_STATS] = { .call = ctnetlink_stat_ct },
3514 [IPCTNL_MSG_CT_GET_DYING] = { .call = ctnetlink_get_ct_dying },
3515 [IPCTNL_MSG_CT_GET_UNCONFIRMED] = { .call = ctnetlink_get_ct_unconfirmed },
3516};
3517
3518static const struct nfnl_callback ctnl_exp_cb[IPCTNL_MSG_EXP_MAX] = {
3519 [IPCTNL_MSG_EXP_GET] = { .call = ctnetlink_get_expect,
3520 .attr_count = CTA_EXPECT_MAX,
3521 .policy = exp_nla_policy },
3522 [IPCTNL_MSG_EXP_NEW] = { .call = ctnetlink_new_expect,
3523 .attr_count = CTA_EXPECT_MAX,
3524 .policy = exp_nla_policy },
3525 [IPCTNL_MSG_EXP_DELETE] = { .call = ctnetlink_del_expect,
3526 .attr_count = CTA_EXPECT_MAX,
3527 .policy = exp_nla_policy },
3528 [IPCTNL_MSG_EXP_GET_STATS_CPU] = { .call = ctnetlink_stat_exp_cpu },
3529};
3530
3531static const struct nfnetlink_subsystem ctnl_subsys = {
3532 .name = "conntrack",
3533 .subsys_id = NFNL_SUBSYS_CTNETLINK,
3534 .cb_count = IPCTNL_MSG_MAX,
3535 .cb = ctnl_cb,
3536};
3537
3538static const struct nfnetlink_subsystem ctnl_exp_subsys = {
3539 .name = "conntrack_expect",
3540 .subsys_id = NFNL_SUBSYS_CTNETLINK_EXP,
3541 .cb_count = IPCTNL_MSG_EXP_MAX,
3542 .cb = ctnl_exp_cb,
3543};
3544
3545MODULE_ALIAS("ip_conntrack_netlink");
3546MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK);
3547MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK_EXP);
3548
3549static int __net_init ctnetlink_net_init(struct net *net)
3550{
3551#ifdef CONFIG_NF_CONNTRACK_EVENTS
3552 int ret;
3553
3554 ret = nf_conntrack_register_notifier(net, &ctnl_notifier);
3555 if (ret < 0) {
3556 pr_err("ctnetlink_init: cannot register notifier.\n");
3557 goto err_out;
3558 }
3559
3560 ret = nf_ct_expect_register_notifier(net, &ctnl_notifier_exp);
3561 if (ret < 0) {
3562 pr_err("ctnetlink_init: cannot expect register notifier.\n");
3563 goto err_unreg_notifier;
3564 }
3565#endif
3566 return 0;
3567
3568#ifdef CONFIG_NF_CONNTRACK_EVENTS
3569err_unreg_notifier:
3570 nf_conntrack_unregister_notifier(net, &ctnl_notifier);
3571err_out:
3572 return ret;
3573#endif
3574}
3575
3576static void ctnetlink_net_exit(struct net *net)
3577{
3578#ifdef CONFIG_NF_CONNTRACK_EVENTS
3579 nf_ct_expect_unregister_notifier(net, &ctnl_notifier_exp);
3580 nf_conntrack_unregister_notifier(net, &ctnl_notifier);
3581#endif
3582}
3583
3584static void __net_exit ctnetlink_net_exit_batch(struct list_head *net_exit_list)
3585{
3586 struct net *net;
3587
3588 list_for_each_entry(net, net_exit_list, exit_list)
3589 ctnetlink_net_exit(net);
3590
3591
3592 synchronize_rcu();
3593}
3594
3595static struct pernet_operations ctnetlink_net_ops = {
3596 .init = ctnetlink_net_init,
3597 .exit_batch = ctnetlink_net_exit_batch,
3598};
3599
3600static int __init ctnetlink_init(void)
3601{
3602 int ret;
3603
3604 ret = nfnetlink_subsys_register(&ctnl_subsys);
3605 if (ret < 0) {
3606 pr_err("ctnetlink_init: cannot register with nfnetlink.\n");
3607 goto err_out;
3608 }
3609
3610 ret = nfnetlink_subsys_register(&ctnl_exp_subsys);
3611 if (ret < 0) {
3612 pr_err("ctnetlink_init: cannot register exp with nfnetlink.\n");
3613 goto err_unreg_subsys;
3614 }
3615
3616 ret = register_pernet_subsys(&ctnetlink_net_ops);
3617 if (ret < 0) {
3618 pr_err("ctnetlink_init: cannot register pernet operations\n");
3619 goto err_unreg_exp_subsys;
3620 }
3621#ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT
3622
3623 RCU_INIT_POINTER(nfnl_ct_hook, &ctnetlink_glue_hook);
3624#endif
3625 return 0;
3626
3627err_unreg_exp_subsys:
3628 nfnetlink_subsys_unregister(&ctnl_exp_subsys);
3629err_unreg_subsys:
3630 nfnetlink_subsys_unregister(&ctnl_subsys);
3631err_out:
3632 return ret;
3633}
3634
3635static void __exit ctnetlink_exit(void)
3636{
3637 unregister_pernet_subsys(&ctnetlink_net_ops);
3638 nfnetlink_subsys_unregister(&ctnl_exp_subsys);
3639 nfnetlink_subsys_unregister(&ctnl_subsys);
3640#ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT
3641 RCU_INIT_POINTER(nfnl_ct_hook, NULL);
3642#endif
3643 synchronize_rcu();
3644}
3645
3646module_init(ctnetlink_init);
3647module_exit(ctnetlink_exit);
3648
