1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18#include <linux/init.h>
19#include <linux/module.h>
20#include <linux/kernel.h>
21#include <linux/rculist.h>
22#include <linux/rculist_nulls.h>
23#include <linux/types.h>
24#include <linux/timer.h>
25#include <linux/security.h>
26#include <linux/skbuff.h>
27#include <linux/errno.h>
28#include <linux/netlink.h>
29#include <linux/spinlock.h>
30#include <linux/interrupt.h>
31#include <linux/slab.h>
32#include <linux/siphash.h>
33
34#include <linux/netfilter.h>
35#include <net/netlink.h>
36#include <net/sock.h>
37#include <net/netfilter/nf_conntrack.h>
38#include <net/netfilter/nf_conntrack_core.h>
39#include <net/netfilter/nf_conntrack_expect.h>
40#include <net/netfilter/nf_conntrack_helper.h>
41#include <net/netfilter/nf_conntrack_seqadj.h>
42#include <net/netfilter/nf_conntrack_l4proto.h>
43#include <net/netfilter/nf_conntrack_tuple.h>
44#include <net/netfilter/nf_conntrack_acct.h>
45#include <net/netfilter/nf_conntrack_zones.h>
46#include <net/netfilter/nf_conntrack_timestamp.h>
47#include <net/netfilter/nf_conntrack_labels.h>
48#include <net/netfilter/nf_conntrack_synproxy.h>
49#ifdef CONFIG_NF_NAT_NEEDED
50#include <net/netfilter/nf_nat.h>
51#include <net/netfilter/nf_nat_helper.h>
52#endif
53
54#include <linux/netfilter/nfnetlink.h>
55#include <linux/netfilter/nfnetlink_conntrack.h>
56
57#include "nf_internals.h"
58
59MODULE_LICENSE("GPL");
60
61static int ctnetlink_dump_tuples_proto(struct sk_buff *skb,
62 const struct nf_conntrack_tuple *tuple,
63 const struct nf_conntrack_l4proto *l4proto)
64{
65 int ret = 0;
66 struct nlattr *nest_parms;
67
68 nest_parms = nla_nest_start(skb, CTA_TUPLE_PROTO);
69 if (!nest_parms)
70 goto nla_put_failure;
71 if (nla_put_u8(skb, CTA_PROTO_NUM, tuple->dst.protonum))
72 goto nla_put_failure;
73
74 if (likely(l4proto->tuple_to_nlattr))
75 ret = l4proto->tuple_to_nlattr(skb, tuple);
76
77 nla_nest_end(skb, nest_parms);
78
79 return ret;
80
81nla_put_failure:
82 return -1;
83}
84
85static int ipv4_tuple_to_nlattr(struct sk_buff *skb,
86 const struct nf_conntrack_tuple *tuple)
87{
88 if (nla_put_in_addr(skb, CTA_IP_V4_SRC, tuple->src.u3.ip) ||
89 nla_put_in_addr(skb, CTA_IP_V4_DST, tuple->dst.u3.ip))
90 return -EMSGSIZE;
91 return 0;
92}
93
94static int ipv6_tuple_to_nlattr(struct sk_buff *skb,
95 const struct nf_conntrack_tuple *tuple)
96{
97 if (nla_put_in6_addr(skb, CTA_IP_V6_SRC, &tuple->src.u3.in6) ||
98 nla_put_in6_addr(skb, CTA_IP_V6_DST, &tuple->dst.u3.in6))
99 return -EMSGSIZE;
100 return 0;
101}
102
103static int ctnetlink_dump_tuples_ip(struct sk_buff *skb,
104 const struct nf_conntrack_tuple *tuple)
105{
106 int ret = 0;
107 struct nlattr *nest_parms;
108
109 nest_parms = nla_nest_start(skb, CTA_TUPLE_IP);
110 if (!nest_parms)
111 goto nla_put_failure;
112
113 switch (tuple->src.l3num) {
114 case NFPROTO_IPV4:
115 ret = ipv4_tuple_to_nlattr(skb, tuple);
116 break;
117 case NFPROTO_IPV6:
118 ret = ipv6_tuple_to_nlattr(skb, tuple);
119 break;
120 }
121
122 nla_nest_end(skb, nest_parms);
123
124 return ret;
125
126nla_put_failure:
127 return -1;
128}
129
130static int ctnetlink_dump_tuples(struct sk_buff *skb,
131 const struct nf_conntrack_tuple *tuple)
132{
133 const struct nf_conntrack_l4proto *l4proto;
134 int ret;
135
136 rcu_read_lock();
137 ret = ctnetlink_dump_tuples_ip(skb, tuple);
138
139 if (ret >= 0) {
140 l4proto = __nf_ct_l4proto_find(tuple->dst.protonum);
141 ret = ctnetlink_dump_tuples_proto(skb, tuple, l4proto);
142 }
143 rcu_read_unlock();
144 return ret;
145}
146
147static int ctnetlink_dump_zone_id(struct sk_buff *skb, int attrtype,
148 const struct nf_conntrack_zone *zone, int dir)
149{
150 if (zone->id == NF_CT_DEFAULT_ZONE_ID || zone->dir != dir)
151 return 0;
152 if (nla_put_be16(skb, attrtype, htons(zone->id)))
153 goto nla_put_failure;
154 return 0;
155
156nla_put_failure:
157 return -1;
158}
159
160static int ctnetlink_dump_status(struct sk_buff *skb, const struct nf_conn *ct)
161{
162 if (nla_put_be32(skb, CTA_STATUS, htonl(ct->status)))
163 goto nla_put_failure;
164 return 0;
165
166nla_put_failure:
167 return -1;
168}
169
170static int ctnetlink_dump_timeout(struct sk_buff *skb, const struct nf_conn *ct,
171 bool skip_zero)
172{
173 long timeout = nf_ct_expires(ct) / HZ;
174
175 if (skip_zero && timeout == 0)
176 return 0;
177
178 if (nla_put_be32(skb, CTA_TIMEOUT, htonl(timeout)))
179 goto nla_put_failure;
180 return 0;
181
182nla_put_failure:
183 return -1;
184}
185
186static int ctnetlink_dump_protoinfo(struct sk_buff *skb, struct nf_conn *ct,
187 bool destroy)
188{
189 const struct nf_conntrack_l4proto *l4proto;
190 struct nlattr *nest_proto;
191 int ret;
192
193 l4proto = __nf_ct_l4proto_find(nf_ct_protonum(ct));
194 if (!l4proto->to_nlattr)
195 return 0;
196
197 nest_proto = nla_nest_start(skb, CTA_PROTOINFO);
198 if (!nest_proto)
199 goto nla_put_failure;
200
201 ret = l4proto->to_nlattr(skb, nest_proto, ct, destroy);
202
203 nla_nest_end(skb, nest_proto);
204
205 return ret;
206
207nla_put_failure:
208 return -1;
209}
210
211static int ctnetlink_dump_helpinfo(struct sk_buff *skb,
212 const struct nf_conn *ct)
213{
214 struct nlattr *nest_helper;
215 const struct nf_conn_help *help = nfct_help(ct);
216 struct nf_conntrack_helper *helper;
217
218 if (!help)
219 return 0;
220
221 rcu_read_lock();
222 helper = rcu_dereference(help->helper);
223 if (!helper)
224 goto out;
225
226 nest_helper = nla_nest_start(skb, CTA_HELP);
227 if (!nest_helper)
228 goto nla_put_failure;
229 if (nla_put_string(skb, CTA_HELP_NAME, helper->name))
230 goto nla_put_failure;
231
232 if (helper->to_nlattr)
233 helper->to_nlattr(skb, ct);
234
235 nla_nest_end(skb, nest_helper);
236out:
237 rcu_read_unlock();
238 return 0;
239
240nla_put_failure:
241 rcu_read_unlock();
242 return -1;
243}
244
245static int
246dump_counters(struct sk_buff *skb, struct nf_conn_acct *acct,
247 enum ip_conntrack_dir dir, int type)
248{
249 enum ctattr_type attr = dir ? CTA_COUNTERS_REPLY: CTA_COUNTERS_ORIG;
250 struct nf_conn_counter *counter = acct->counter;
251 struct nlattr *nest_count;
252 u64 pkts, bytes;
253
254 if (type == IPCTNL_MSG_CT_GET_CTRZERO) {
255 pkts = atomic64_xchg(&counter[dir].packets, 0);
256 bytes = atomic64_xchg(&counter[dir].bytes, 0);
257 } else {
258 pkts = atomic64_read(&counter[dir].packets);
259 bytes = atomic64_read(&counter[dir].bytes);
260 }
261
262 nest_count = nla_nest_start(skb, attr);
263 if (!nest_count)
264 goto nla_put_failure;
265
266 if (nla_put_be64(skb, CTA_COUNTERS_PACKETS, cpu_to_be64(pkts),
267 CTA_COUNTERS_PAD) ||
268 nla_put_be64(skb, CTA_COUNTERS_BYTES, cpu_to_be64(bytes),
269 CTA_COUNTERS_PAD))
270 goto nla_put_failure;
271
272 nla_nest_end(skb, nest_count);
273
274 return 0;
275
276nla_put_failure:
277 return -1;
278}
279
280static int
281ctnetlink_dump_acct(struct sk_buff *skb, const struct nf_conn *ct, int type)
282{
283 struct nf_conn_acct *acct = nf_conn_acct_find(ct);
284
285 if (!acct)
286 return 0;
287
288 if (dump_counters(skb, acct, IP_CT_DIR_ORIGINAL, type) < 0)
289 return -1;
290 if (dump_counters(skb, acct, IP_CT_DIR_REPLY, type) < 0)
291 return -1;
292
293 return 0;
294}
295
296static int
297ctnetlink_dump_timestamp(struct sk_buff *skb, const struct nf_conn *ct)
298{
299 struct nlattr *nest_count;
300 const struct nf_conn_tstamp *tstamp;
301
302 tstamp = nf_conn_tstamp_find(ct);
303 if (!tstamp)
304 return 0;
305
306 nest_count = nla_nest_start(skb, CTA_TIMESTAMP);
307 if (!nest_count)
308 goto nla_put_failure;
309
310 if (nla_put_be64(skb, CTA_TIMESTAMP_START, cpu_to_be64(tstamp->start),
311 CTA_TIMESTAMP_PAD) ||
312 (tstamp->stop != 0 && nla_put_be64(skb, CTA_TIMESTAMP_STOP,
313 cpu_to_be64(tstamp->stop),
314 CTA_TIMESTAMP_PAD)))
315 goto nla_put_failure;
316 nla_nest_end(skb, nest_count);
317
318 return 0;
319
320nla_put_failure:
321 return -1;
322}
323
324#ifdef CONFIG_NF_CONNTRACK_MARK
325static int ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct)
326{
327 if (nla_put_be32(skb, CTA_MARK, htonl(ct->mark)))
328 goto nla_put_failure;
329 return 0;
330
331nla_put_failure:
332 return -1;
333}
334#else
335#define ctnetlink_dump_mark(a, b) (0)
336#endif
337
338#ifdef CONFIG_NF_CONNTRACK_SECMARK
339static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
340{
341 struct nlattr *nest_secctx;
342 int len, ret;
343 char *secctx;
344
345 ret = security_secid_to_secctx(ct->secmark, &secctx, &len);
346 if (ret)
347 return 0;
348
349 ret = -1;
350 nest_secctx = nla_nest_start(skb, CTA_SECCTX);
351 if (!nest_secctx)
352 goto nla_put_failure;
353
354 if (nla_put_string(skb, CTA_SECCTX_NAME, secctx))
355 goto nla_put_failure;
356 nla_nest_end(skb, nest_secctx);
357
358 ret = 0;
359nla_put_failure:
360 security_release_secctx(secctx, len);
361 return ret;
362}
363#else
364#define ctnetlink_dump_secctx(a, b) (0)
365#endif
366
367#ifdef CONFIG_NF_CONNTRACK_LABELS
368static inline int ctnetlink_label_size(const struct nf_conn *ct)
369{
370 struct nf_conn_labels *labels = nf_ct_labels_find(ct);
371
372 if (!labels)
373 return 0;
374 return nla_total_size(sizeof(labels->bits));
375}
376
377static int
378ctnetlink_dump_labels(struct sk_buff *skb, const struct nf_conn *ct)
379{
380 struct nf_conn_labels *labels = nf_ct_labels_find(ct);
381 unsigned int i;
382
383 if (!labels)
384 return 0;
385
386 i = 0;
387 do {
388 if (labels->bits[i] != 0)
389 return nla_put(skb, CTA_LABELS, sizeof(labels->bits),
390 labels->bits);
391 i++;
392 } while (i < ARRAY_SIZE(labels->bits));
393
394 return 0;
395}
396#else
397#define ctnetlink_dump_labels(a, b) (0)
398#define ctnetlink_label_size(a) (0)
399#endif
400
401#define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple)
402
403static int ctnetlink_dump_master(struct sk_buff *skb, const struct nf_conn *ct)
404{
405 struct nlattr *nest_parms;
406
407 if (!(ct->status & IPS_EXPECTED))
408 return 0;
409
410 nest_parms = nla_nest_start(skb, CTA_TUPLE_MASTER);
411 if (!nest_parms)
412 goto nla_put_failure;
413 if (ctnetlink_dump_tuples(skb, master_tuple(ct)) < 0)
414 goto nla_put_failure;
415 nla_nest_end(skb, nest_parms);
416
417 return 0;
418
419nla_put_failure:
420 return -1;
421}
422
423static int
424dump_ct_seq_adj(struct sk_buff *skb, const struct nf_ct_seqadj *seq, int type)
425{
426 struct nlattr *nest_parms;
427
428 nest_parms = nla_nest_start(skb, type);
429 if (!nest_parms)
430 goto nla_put_failure;
431
432 if (nla_put_be32(skb, CTA_SEQADJ_CORRECTION_POS,
433 htonl(seq->correction_pos)) ||
434 nla_put_be32(skb, CTA_SEQADJ_OFFSET_BEFORE,
435 htonl(seq->offset_before)) ||
436 nla_put_be32(skb, CTA_SEQADJ_OFFSET_AFTER,
437 htonl(seq->offset_after)))
438 goto nla_put_failure;
439
440 nla_nest_end(skb, nest_parms);
441
442 return 0;
443
444nla_put_failure:
445 return -1;
446}
447
448static int ctnetlink_dump_ct_seq_adj(struct sk_buff *skb, struct nf_conn *ct)
449{
450 struct nf_conn_seqadj *seqadj = nfct_seqadj(ct);
451 struct nf_ct_seqadj *seq;
452
453 if (!(ct->status & IPS_SEQ_ADJUST) || !seqadj)
454 return 0;
455
456 spin_lock_bh(&ct->lock);
457 seq = &seqadj->seq[IP_CT_DIR_ORIGINAL];
458 if (dump_ct_seq_adj(skb, seq, CTA_SEQ_ADJ_ORIG) == -1)
459 goto err;
460
461 seq = &seqadj->seq[IP_CT_DIR_REPLY];
462 if (dump_ct_seq_adj(skb, seq, CTA_SEQ_ADJ_REPLY) == -1)
463 goto err;
464
465 spin_unlock_bh(&ct->lock);
466 return 0;
467err:
468 spin_unlock_bh(&ct->lock);
469 return -1;
470}
471
472static int ctnetlink_dump_ct_synproxy(struct sk_buff *skb, struct nf_conn *ct)
473{
474 struct nf_conn_synproxy *synproxy = nfct_synproxy(ct);
475 struct nlattr *nest_parms;
476
477 if (!synproxy)
478 return 0;
479
480 nest_parms = nla_nest_start(skb, CTA_SYNPROXY);
481 if (!nest_parms)
482 goto nla_put_failure;
483
484 if (nla_put_be32(skb, CTA_SYNPROXY_ISN, htonl(synproxy->isn)) ||
485 nla_put_be32(skb, CTA_SYNPROXY_ITS, htonl(synproxy->its)) ||
486 nla_put_be32(skb, CTA_SYNPROXY_TSOFF, htonl(synproxy->tsoff)))
487 goto nla_put_failure;
488
489 nla_nest_end(skb, nest_parms);
490
491 return 0;
492
493nla_put_failure:
494 return -1;
495}
496
497static int ctnetlink_dump_id(struct sk_buff *skb, const struct nf_conn *ct)
498{
499 __be32 id = (__force __be32)nf_ct_get_id(ct);
500
501 if (nla_put_be32(skb, CTA_ID, id))
502 goto nla_put_failure;
503 return 0;
504
505nla_put_failure:
506 return -1;
507}
508
509static int ctnetlink_dump_use(struct sk_buff *skb, const struct nf_conn *ct)
510{
511 if (nla_put_be32(skb, CTA_USE, htonl(atomic_read(&ct->ct_general.use))))
512 goto nla_put_failure;
513 return 0;
514
515nla_put_failure:
516 return -1;
517}
518
519
520
521
522
523static int ctnetlink_dump_extinfo(struct sk_buff *skb,
524 struct nf_conn *ct, u32 type)
525{
526 if (ctnetlink_dump_acct(skb, ct, type) < 0 ||
527 ctnetlink_dump_timestamp(skb, ct) < 0 ||
528 ctnetlink_dump_helpinfo(skb, ct) < 0 ||
529 ctnetlink_dump_labels(skb, ct) < 0 ||
530 ctnetlink_dump_ct_seq_adj(skb, ct) < 0 ||
531 ctnetlink_dump_ct_synproxy(skb, ct) < 0)
532 return -1;
533
534 return 0;
535}
536
537static int ctnetlink_dump_info(struct sk_buff *skb, struct nf_conn *ct)
538{
539 if (ctnetlink_dump_status(skb, ct) < 0 ||
540 ctnetlink_dump_mark(skb, ct) < 0 ||
541 ctnetlink_dump_secctx(skb, ct) < 0 ||
542 ctnetlink_dump_id(skb, ct) < 0 ||
543 ctnetlink_dump_use(skb, ct) < 0 ||
544 ctnetlink_dump_master(skb, ct) < 0)
545 return -1;
546
547 if (!test_bit(IPS_OFFLOAD_BIT, &ct->status) &&
548 (ctnetlink_dump_timeout(skb, ct, false) < 0 ||
549 ctnetlink_dump_protoinfo(skb, ct, false) < 0))
550 return -1;
551
552 return 0;
553}
554
555static int
556ctnetlink_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
557 struct nf_conn *ct, bool extinfo, unsigned int flags)
558{
559 const struct nf_conntrack_zone *zone;
560 struct nlmsghdr *nlh;
561 struct nfgenmsg *nfmsg;
562 struct nlattr *nest_parms;
563 unsigned int event;
564
565 if (portid)
566 flags |= NLM_F_MULTI;
567 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, IPCTNL_MSG_CT_NEW);
568 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
569 if (nlh == NULL)
570 goto nlmsg_failure;
571
572 nfmsg = nlmsg_data(nlh);
573 nfmsg->nfgen_family = nf_ct_l3num(ct);
574 nfmsg->version = NFNETLINK_V0;
575 nfmsg->res_id = 0;
576
577 zone = nf_ct_zone(ct);
578
579 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG);
580 if (!nest_parms)
581 goto nla_put_failure;
582 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
583 goto nla_put_failure;
584 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
585 NF_CT_ZONE_DIR_ORIG) < 0)
586 goto nla_put_failure;
587 nla_nest_end(skb, nest_parms);
588
589 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY);
590 if (!nest_parms)
591 goto nla_put_failure;
592 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
593 goto nla_put_failure;
594 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
595 NF_CT_ZONE_DIR_REPL) < 0)
596 goto nla_put_failure;
597 nla_nest_end(skb, nest_parms);
598
599 if (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone,
600 NF_CT_DEFAULT_ZONE_DIR) < 0)
601 goto nla_put_failure;
602
603 if (ctnetlink_dump_info(skb, ct) < 0)
604 goto nla_put_failure;
605 if (extinfo && ctnetlink_dump_extinfo(skb, ct, type) < 0)
606 goto nla_put_failure;
607
608 nlmsg_end(skb, nlh);
609 return skb->len;
610
611nlmsg_failure:
612nla_put_failure:
613 nlmsg_cancel(skb, nlh);
614 return -1;
615}
616
617static const struct nla_policy cta_ip_nla_policy[CTA_IP_MAX + 1] = {
618 [CTA_IP_V4_SRC] = { .type = NLA_U32 },
619 [CTA_IP_V4_DST] = { .type = NLA_U32 },
620 [CTA_IP_V6_SRC] = { .len = sizeof(__be32) * 4 },
621 [CTA_IP_V6_DST] = { .len = sizeof(__be32) * 4 },
622};
623
624#if defined(CONFIG_NETFILTER_NETLINK_GLUE_CT) || defined(CONFIG_NF_CONNTRACK_EVENTS)
625static size_t ctnetlink_proto_size(const struct nf_conn *ct)
626{
627 const struct nf_conntrack_l4proto *l4proto;
628 size_t len, len4 = 0;
629
630 len = nla_policy_len(cta_ip_nla_policy, CTA_IP_MAX + 1);
631 len *= 3u;
632
633 l4proto = __nf_ct_l4proto_find(nf_ct_protonum(ct));
634 len += l4proto->nlattr_size;
635 if (l4proto->nlattr_tuple_size) {
636 len4 = l4proto->nlattr_tuple_size();
637 len4 *= 3u;
638 }
639
640 return len + len4;
641}
642#endif
643
644static inline size_t ctnetlink_acct_size(const struct nf_conn *ct)
645{
646 if (!nf_ct_ext_exist(ct, NF_CT_EXT_ACCT))
647 return 0;
648 return 2 * nla_total_size(0)
649 + 2 * nla_total_size_64bit(sizeof(uint64_t))
650 + 2 * nla_total_size_64bit(sizeof(uint64_t))
651 ;
652}
653
654static inline int ctnetlink_secctx_size(const struct nf_conn *ct)
655{
656#ifdef CONFIG_NF_CONNTRACK_SECMARK
657 int len, ret;
658
659 ret = security_secid_to_secctx(ct->secmark, NULL, &len);
660 if (ret)
661 return 0;
662
663 return nla_total_size(0)
664 + nla_total_size(sizeof(char) * len);
665#else
666 return 0;
667#endif
668}
669
670static inline size_t ctnetlink_timestamp_size(const struct nf_conn *ct)
671{
672#ifdef CONFIG_NF_CONNTRACK_TIMESTAMP
673 if (!nf_ct_ext_exist(ct, NF_CT_EXT_TSTAMP))
674 return 0;
675 return nla_total_size(0) + 2 * nla_total_size_64bit(sizeof(uint64_t));
676#else
677 return 0;
678#endif
679}
680
681#ifdef CONFIG_NF_CONNTRACK_EVENTS
682static size_t ctnetlink_nlmsg_size(const struct nf_conn *ct)
683{
684 return NLMSG_ALIGN(sizeof(struct nfgenmsg))
685 + 3 * nla_total_size(0)
686 + 3 * nla_total_size(0)
687 + 3 * nla_total_size(0)
688 + 3 * nla_total_size(sizeof(u_int8_t))
689 + nla_total_size(sizeof(u_int32_t))
690 + nla_total_size(sizeof(u_int32_t))
691 + ctnetlink_acct_size(ct)
692 + ctnetlink_timestamp_size(ct)
693 + nla_total_size(sizeof(u_int32_t))
694 + nla_total_size(0)
695 + nla_total_size(0)
696 + nla_total_size(NF_CT_HELPER_NAME_LEN)
697 + ctnetlink_secctx_size(ct)
698#ifdef CONFIG_NF_NAT_NEEDED
699 + 2 * nla_total_size(0)
700 + 6 * nla_total_size(sizeof(u_int32_t))
701#endif
702#ifdef CONFIG_NF_CONNTRACK_MARK
703 + nla_total_size(sizeof(u_int32_t))
704#endif
705#ifdef CONFIG_NF_CONNTRACK_ZONES
706 + nla_total_size(sizeof(u_int16_t))
707#endif
708 + ctnetlink_proto_size(ct)
709 + ctnetlink_label_size(ct)
710 ;
711}
712
713static int
714ctnetlink_conntrack_event(unsigned int events, struct nf_ct_event *item)
715{
716 const struct nf_conntrack_zone *zone;
717 struct net *net;
718 struct nlmsghdr *nlh;
719 struct nfgenmsg *nfmsg;
720 struct nlattr *nest_parms;
721 struct nf_conn *ct = item->ct;
722 struct sk_buff *skb;
723 unsigned int type;
724 unsigned int flags = 0, group;
725 int err;
726
727 if (events & (1 << IPCT_DESTROY)) {
728 type = IPCTNL_MSG_CT_DELETE;
729 group = NFNLGRP_CONNTRACK_DESTROY;
730 } else if (events & ((1 << IPCT_NEW) | (1 << IPCT_RELATED))) {
731 type = IPCTNL_MSG_CT_NEW;
732 flags = NLM_F_CREATE|NLM_F_EXCL;
733 group = NFNLGRP_CONNTRACK_NEW;
734 } else if (events) {
735 type = IPCTNL_MSG_CT_NEW;
736 group = NFNLGRP_CONNTRACK_UPDATE;
737 } else
738 return 0;
739
740 net = nf_ct_net(ct);
741 if (!item->report && !nfnetlink_has_listeners(net, group))
742 return 0;
743
744 skb = nlmsg_new(ctnetlink_nlmsg_size(ct), GFP_ATOMIC);
745 if (skb == NULL)
746 goto errout;
747
748 type = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, type);
749 nlh = nlmsg_put(skb, item->portid, 0, type, sizeof(*nfmsg), flags);
750 if (nlh == NULL)
751 goto nlmsg_failure;
752
753 nfmsg = nlmsg_data(nlh);
754 nfmsg->nfgen_family = nf_ct_l3num(ct);
755 nfmsg->version = NFNETLINK_V0;
756 nfmsg->res_id = 0;
757
758 zone = nf_ct_zone(ct);
759
760 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG);
761 if (!nest_parms)
762 goto nla_put_failure;
763 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
764 goto nla_put_failure;
765 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
766 NF_CT_ZONE_DIR_ORIG) < 0)
767 goto nla_put_failure;
768 nla_nest_end(skb, nest_parms);
769
770 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY);
771 if (!nest_parms)
772 goto nla_put_failure;
773 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
774 goto nla_put_failure;
775 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
776 NF_CT_ZONE_DIR_REPL) < 0)
777 goto nla_put_failure;
778 nla_nest_end(skb, nest_parms);
779
780 if (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone,
781 NF_CT_DEFAULT_ZONE_DIR) < 0)
782 goto nla_put_failure;
783
784 if (ctnetlink_dump_id(skb, ct) < 0)
785 goto nla_put_failure;
786
787 if (ctnetlink_dump_status(skb, ct) < 0)
788 goto nla_put_failure;
789
790 if (events & (1 << IPCT_DESTROY)) {
791 if (ctnetlink_dump_timeout(skb, ct, true) < 0)
792 goto nla_put_failure;
793
794 if (ctnetlink_dump_acct(skb, ct, type) < 0 ||
795 ctnetlink_dump_timestamp(skb, ct) < 0 ||
796 ctnetlink_dump_protoinfo(skb, ct, true) < 0)
797 goto nla_put_failure;
798 } else {
799 if (ctnetlink_dump_timeout(skb, ct, false) < 0)
800 goto nla_put_failure;
801
802 if (events & (1 << IPCT_PROTOINFO) &&
803 ctnetlink_dump_protoinfo(skb, ct, false) < 0)
804 goto nla_put_failure;
805
806 if ((events & (1 << IPCT_HELPER) || nfct_help(ct))
807 && ctnetlink_dump_helpinfo(skb, ct) < 0)
808 goto nla_put_failure;
809
810#ifdef CONFIG_NF_CONNTRACK_SECMARK
811 if ((events & (1 << IPCT_SECMARK) || ct->secmark)
812 && ctnetlink_dump_secctx(skb, ct) < 0)
813 goto nla_put_failure;
814#endif
815 if (events & (1 << IPCT_LABEL) &&
816 ctnetlink_dump_labels(skb, ct) < 0)
817 goto nla_put_failure;
818
819 if (events & (1 << IPCT_RELATED) &&
820 ctnetlink_dump_master(skb, ct) < 0)
821 goto nla_put_failure;
822
823 if (events & (1 << IPCT_SEQADJ) &&
824 ctnetlink_dump_ct_seq_adj(skb, ct) < 0)
825 goto nla_put_failure;
826
827 if (events & (1 << IPCT_SYNPROXY) &&
828 ctnetlink_dump_ct_synproxy(skb, ct) < 0)
829 goto nla_put_failure;
830 }
831
832#ifdef CONFIG_NF_CONNTRACK_MARK
833 if ((events & (1 << IPCT_MARK) || ct->mark)
834 && ctnetlink_dump_mark(skb, ct) < 0)
835 goto nla_put_failure;
836#endif
837 nlmsg_end(skb, nlh);
838 err = nfnetlink_send(skb, net, item->portid, group, item->report,
839 GFP_ATOMIC);
840 if (err == -ENOBUFS || err == -EAGAIN)
841 return -ENOBUFS;
842
843 return 0;
844
845nla_put_failure:
846 nlmsg_cancel(skb, nlh);
847nlmsg_failure:
848 kfree_skb(skb);
849errout:
850 if (nfnetlink_set_err(net, 0, group, -ENOBUFS) > 0)
851 return -ENOBUFS;
852
853 return 0;
854}
855#endif
856
857static int ctnetlink_done(struct netlink_callback *cb)
858{
859 if (cb->args[1])
860 nf_ct_put((struct nf_conn *)cb->args[1]);
861 kfree(cb->data);
862 return 0;
863}
864
865struct ctnetlink_filter_u32 {
866 u32 val;
867 u32 mask;
868};
869
870struct ctnetlink_filter {
871 u8 family;
872
873 u_int32_t orig_flags;
874 u_int32_t reply_flags;
875
876 struct nf_conntrack_tuple orig;
877 struct nf_conntrack_tuple reply;
878 struct nf_conntrack_zone zone;
879
880 struct ctnetlink_filter_u32 mark;
881 struct ctnetlink_filter_u32 status;
882};
883
884static const struct nla_policy cta_filter_nla_policy[CTA_FILTER_MAX + 1] = {
885 [CTA_FILTER_ORIG_FLAGS] = { .type = NLA_U32 },
886 [CTA_FILTER_REPLY_FLAGS] = { .type = NLA_U32 },
887};
888
889static int ctnetlink_parse_filter(const struct nlattr *attr,
890 struct ctnetlink_filter *filter)
891{
892 struct nlattr *tb[CTA_FILTER_MAX + 1];
893 int ret = 0;
894
895 ret = nla_parse_nested(tb, CTA_FILTER_MAX, attr, cta_filter_nla_policy,
896 NULL);
897 if (ret)
898 return ret;
899
900 if (tb[CTA_FILTER_ORIG_FLAGS]) {
901 filter->orig_flags = nla_get_u32(tb[CTA_FILTER_ORIG_FLAGS]);
902 if (filter->orig_flags & ~CTA_FILTER_F_ALL)
903 return -EOPNOTSUPP;
904 }
905
906 if (tb[CTA_FILTER_REPLY_FLAGS]) {
907 filter->reply_flags = nla_get_u32(tb[CTA_FILTER_REPLY_FLAGS]);
908 if (filter->reply_flags & ~CTA_FILTER_F_ALL)
909 return -EOPNOTSUPP;
910 }
911
912 return 0;
913}
914
915static int ctnetlink_parse_zone(const struct nlattr *attr,
916 struct nf_conntrack_zone *zone);
917static int ctnetlink_parse_tuple_filter(const struct nlattr * const cda[],
918 struct nf_conntrack_tuple *tuple,
919 u32 type, u_int8_t l3num,
920 struct nf_conntrack_zone *zone,
921 u_int32_t flags);
922
923static int ctnetlink_filter_parse_mark(struct ctnetlink_filter_u32 *mark,
924 const struct nlattr * const cda[])
925{
926#ifdef CONFIG_NF_CONNTRACK_MARK
927 if (cda[CTA_MARK]) {
928 mark->val = ntohl(nla_get_be32(cda[CTA_MARK]));
929
930 if (cda[CTA_MARK_MASK])
931 mark->mask = ntohl(nla_get_be32(cda[CTA_MARK_MASK]));
932 else
933 mark->mask = 0xffffffff;
934 } else if (cda[CTA_MARK_MASK]) {
935 return -EINVAL;
936 }
937#endif
938 return 0;
939}
940
941static int ctnetlink_filter_parse_status(struct ctnetlink_filter_u32 *status,
942 const struct nlattr * const cda[])
943{
944 if (cda[CTA_STATUS]) {
945 status->val = ntohl(nla_get_be32(cda[CTA_STATUS]));
946 if (cda[CTA_STATUS_MASK])
947 status->mask = ntohl(nla_get_be32(cda[CTA_STATUS_MASK]));
948 else
949 status->mask = status->val;
950
951
952 if (status->mask == 0)
953 return -EINVAL;
954 } else if (cda[CTA_STATUS_MASK]) {
955 return -EINVAL;
956 }
957
958
959 BUILD_BUG_ON(__IPS_MAX_BIT >= 32);
960 return 0;
961}
962
963static struct ctnetlink_filter *
964ctnetlink_alloc_filter(const struct nlattr * const cda[], u8 family)
965{
966 struct ctnetlink_filter *filter;
967 int err;
968
969#ifndef CONFIG_NF_CONNTRACK_MARK
970 if (cda[CTA_MARK] || cda[CTA_MARK_MASK])
971 return ERR_PTR(-EOPNOTSUPP);
972#endif
973
974 filter = kzalloc(sizeof(*filter), GFP_KERNEL);
975 if (filter == NULL)
976 return ERR_PTR(-ENOMEM);
977
978 filter->family = family;
979
980 err = ctnetlink_filter_parse_mark(&filter->mark, cda);
981 if (err)
982 goto err_filter;
983
984 err = ctnetlink_filter_parse_status(&filter->status, cda);
985 if (err)
986 goto err_filter;
987
988 if (!cda[CTA_FILTER])
989 return filter;
990
991 err = ctnetlink_parse_zone(cda[CTA_ZONE], &filter->zone);
992 if (err < 0)
993 goto err_filter;
994
995 err = ctnetlink_parse_filter(cda[CTA_FILTER], filter);
996 if (err < 0)
997 goto err_filter;
998
999 if (filter->orig_flags) {
1000 if (!cda[CTA_TUPLE_ORIG]) {
1001 err = -EINVAL;
1002 goto err_filter;
1003 }
1004
1005 err = ctnetlink_parse_tuple_filter(cda, &filter->orig,
1006 CTA_TUPLE_ORIG,
1007 filter->family,
1008 &filter->zone,
1009 filter->orig_flags);
1010 if (err < 0)
1011 goto err_filter;
1012 }
1013
1014 if (filter->reply_flags) {
1015 if (!cda[CTA_TUPLE_REPLY]) {
1016 err = -EINVAL;
1017 goto err_filter;
1018 }
1019
1020 err = ctnetlink_parse_tuple_filter(cda, &filter->reply,
1021 CTA_TUPLE_REPLY,
1022 filter->family,
1023 &filter->zone,
1024 filter->reply_flags);
1025 if (err < 0)
1026 goto err_filter;
1027 }
1028
1029 return filter;
1030
1031err_filter:
1032 kfree(filter);
1033
1034 return ERR_PTR(err);
1035}
1036
1037static bool ctnetlink_needs_filter(u8 family, const struct nlattr * const *cda)
1038{
1039 return family || cda[CTA_MARK] || cda[CTA_FILTER] || cda[CTA_STATUS];
1040}
1041
1042static int ctnetlink_start(struct netlink_callback *cb)
1043{
1044 const struct nlattr * const *cda = cb->data;
1045 struct ctnetlink_filter *filter = NULL;
1046 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1047 u8 family = nfmsg->nfgen_family;
1048
1049 if (ctnetlink_needs_filter(family, cda)) {
1050 filter = ctnetlink_alloc_filter(cda, family);
1051 if (IS_ERR(filter))
1052 return PTR_ERR(filter);
1053 }
1054
1055 cb->data = filter;
1056 return 0;
1057}
1058
1059static int ctnetlink_filter_match_tuple(struct nf_conntrack_tuple *filter_tuple,
1060 struct nf_conntrack_tuple *ct_tuple,
1061 u_int32_t flags, int family)
1062{
1063 switch (family) {
1064 case NFPROTO_IPV4:
1065 if ((flags & CTA_FILTER_FLAG(CTA_IP_SRC)) &&
1066 filter_tuple->src.u3.ip != ct_tuple->src.u3.ip)
1067 return 0;
1068
1069 if ((flags & CTA_FILTER_FLAG(CTA_IP_DST)) &&
1070 filter_tuple->dst.u3.ip != ct_tuple->dst.u3.ip)
1071 return 0;
1072 break;
1073 case NFPROTO_IPV6:
1074 if ((flags & CTA_FILTER_FLAG(CTA_IP_SRC)) &&
1075 !ipv6_addr_cmp(&filter_tuple->src.u3.in6,
1076 &ct_tuple->src.u3.in6))
1077 return 0;
1078
1079 if ((flags & CTA_FILTER_FLAG(CTA_IP_DST)) &&
1080 !ipv6_addr_cmp(&filter_tuple->dst.u3.in6,
1081 &ct_tuple->dst.u3.in6))
1082 return 0;
1083 break;
1084 }
1085
1086 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_NUM)) &&
1087 filter_tuple->dst.protonum != ct_tuple->dst.protonum)
1088 return 0;
1089
1090 switch (ct_tuple->dst.protonum) {
1091 case IPPROTO_TCP:
1092 case IPPROTO_UDP:
1093 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_SRC_PORT)) &&
1094 filter_tuple->src.u.tcp.port != ct_tuple->src.u.tcp.port)
1095 return 0;
1096
1097 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_DST_PORT)) &&
1098 filter_tuple->dst.u.tcp.port != ct_tuple->dst.u.tcp.port)
1099 return 0;
1100 break;
1101 case IPPROTO_ICMP:
1102 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMP_TYPE)) &&
1103 filter_tuple->dst.u.icmp.type != ct_tuple->dst.u.icmp.type)
1104 return 0;
1105 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMP_CODE)) &&
1106 filter_tuple->dst.u.icmp.code != ct_tuple->dst.u.icmp.code)
1107 return 0;
1108 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMP_ID)) &&
1109 filter_tuple->src.u.icmp.id != ct_tuple->src.u.icmp.id)
1110 return 0;
1111 break;
1112 case IPPROTO_ICMPV6:
1113 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMPV6_TYPE)) &&
1114 filter_tuple->dst.u.icmp.type != ct_tuple->dst.u.icmp.type)
1115 return 0;
1116 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMPV6_CODE)) &&
1117 filter_tuple->dst.u.icmp.code != ct_tuple->dst.u.icmp.code)
1118 return 0;
1119 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMPV6_ID)) &&
1120 filter_tuple->src.u.icmp.id != ct_tuple->src.u.icmp.id)
1121 return 0;
1122 break;
1123 }
1124
1125 return 1;
1126}
1127
1128static int ctnetlink_filter_match(struct nf_conn *ct, void *data)
1129{
1130 struct ctnetlink_filter *filter = data;
1131 struct nf_conntrack_tuple *tuple;
1132 u32 status;
1133
1134 if (filter == NULL)
1135 goto out;
1136
1137
1138
1139
1140
1141 if (filter->family && nf_ct_l3num(ct) != filter->family)
1142 goto ignore_entry;
1143
1144 if (filter->orig_flags) {
1145 tuple = nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL);
1146 if (!ctnetlink_filter_match_tuple(&filter->orig, tuple,
1147 filter->orig_flags,
1148 filter->family))
1149 goto ignore_entry;
1150 }
1151
1152 if (filter->reply_flags) {
1153 tuple = nf_ct_tuple(ct, IP_CT_DIR_REPLY);
1154 if (!ctnetlink_filter_match_tuple(&filter->reply, tuple,
1155 filter->reply_flags,
1156 filter->family))
1157 goto ignore_entry;
1158 }
1159
1160#ifdef CONFIG_NF_CONNTRACK_MARK
1161 if ((ct->mark & filter->mark.mask) != filter->mark.val)
1162 goto ignore_entry;
1163#endif
1164 status = (u32)READ_ONCE(ct->status);
1165 if ((status & filter->status.mask) != filter->status.val)
1166 goto ignore_entry;
1167
1168out:
1169 return 1;
1170
1171ignore_entry:
1172 return 0;
1173}
1174
1175static int
1176ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
1177{
1178 unsigned int flags = cb->data ? NLM_F_DUMP_FILTERED : 0;
1179 struct net *net = sock_net(skb->sk);
1180 struct nf_conn *ct, *last;
1181 struct nf_conntrack_tuple_hash *h;
1182 struct hlist_nulls_node *n;
1183 struct nf_conn *nf_ct_evict[8];
1184 int res, i;
1185 spinlock_t *lockp;
1186
1187 last = (struct nf_conn *)cb->args[1];
1188 i = 0;
1189
1190 local_bh_disable();
1191 for (; cb->args[0] < nf_conntrack_htable_size; cb->args[0]++) {
1192restart:
1193 while (i) {
1194 i--;
1195 if (nf_ct_should_gc(nf_ct_evict[i]))
1196 nf_ct_kill(nf_ct_evict[i]);
1197 nf_ct_put(nf_ct_evict[i]);
1198 }
1199
1200 lockp = &nf_conntrack_locks[cb->args[0] % CONNTRACK_LOCKS];
1201 nf_conntrack_lock(lockp);
1202 if (cb->args[0] >= nf_conntrack_htable_size) {
1203 spin_unlock(lockp);
1204 goto out;
1205 }
1206 hlist_nulls_for_each_entry(h, n, &nf_conntrack_hash[cb->args[0]],
1207 hnnode) {
1208 if (NF_CT_DIRECTION(h) != IP_CT_DIR_ORIGINAL)
1209 continue;
1210 ct = nf_ct_tuplehash_to_ctrack(h);
1211 if (nf_ct_is_expired(ct)) {
1212 if (i < ARRAY_SIZE(nf_ct_evict) &&
1213 atomic_inc_not_zero(&ct->ct_general.use))
1214 nf_ct_evict[i++] = ct;
1215 continue;
1216 }
1217
1218 if (!net_eq(net, nf_ct_net(ct)))
1219 continue;
1220
1221 if (cb->args[1]) {
1222 if (ct != last)
1223 continue;
1224 cb->args[1] = 0;
1225 }
1226 if (!ctnetlink_filter_match(ct, cb->data))
1227 continue;
1228
1229 res =
1230 ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).portid,
1231 cb->nlh->nlmsg_seq,
1232 NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
1233 ct, true, flags);
1234 if (res < 0) {
1235 nf_conntrack_get(&ct->ct_general);
1236 cb->args[1] = (unsigned long)ct;
1237 spin_unlock(lockp);
1238 goto out;
1239 }
1240 }
1241 spin_unlock(lockp);
1242 if (cb->args[1]) {
1243 cb->args[1] = 0;
1244 goto restart;
1245 }
1246 }
1247out:
1248 local_bh_enable();
1249 if (last) {
1250
1251 if ((struct nf_conn *)cb->args[1] == last)
1252 cb->args[1] = 0;
1253
1254 nf_ct_put(last);
1255 }
1256
1257 while (i) {
1258 i--;
1259 if (nf_ct_should_gc(nf_ct_evict[i]))
1260 nf_ct_kill(nf_ct_evict[i]);
1261 nf_ct_put(nf_ct_evict[i]);
1262 }
1263
1264 return skb->len;
1265}
1266
1267static int ipv4_nlattr_to_tuple(struct nlattr *tb[],
1268 struct nf_conntrack_tuple *t,
1269 u_int32_t flags)
1270{
1271 if (flags & CTA_FILTER_FLAG(CTA_IP_SRC)) {
1272 if (!tb[CTA_IP_V4_SRC])
1273 return -EINVAL;
1274
1275 t->src.u3.ip = nla_get_in_addr(tb[CTA_IP_V4_SRC]);
1276 }
1277
1278 if (flags & CTA_FILTER_FLAG(CTA_IP_DST)) {
1279 if (!tb[CTA_IP_V4_DST])
1280 return -EINVAL;
1281
1282 t->dst.u3.ip = nla_get_in_addr(tb[CTA_IP_V4_DST]);
1283 }
1284
1285 return 0;
1286}
1287
1288static int ipv6_nlattr_to_tuple(struct nlattr *tb[],
1289 struct nf_conntrack_tuple *t,
1290 u_int32_t flags)
1291{
1292 if (flags & CTA_FILTER_FLAG(CTA_IP_SRC)) {
1293 if (!tb[CTA_IP_V6_SRC])
1294 return -EINVAL;
1295
1296 t->src.u3.in6 = nla_get_in6_addr(tb[CTA_IP_V6_SRC]);
1297 }
1298
1299 if (flags & CTA_FILTER_FLAG(CTA_IP_DST)) {
1300 if (!tb[CTA_IP_V6_DST])
1301 return -EINVAL;
1302
1303 t->dst.u3.in6 = nla_get_in6_addr(tb[CTA_IP_V6_DST]);
1304 }
1305
1306 return 0;
1307}
1308
1309static int ctnetlink_parse_tuple_ip(struct nlattr *attr,
1310 struct nf_conntrack_tuple *tuple,
1311 u_int32_t flags)
1312{
1313 struct nlattr *tb[CTA_IP_MAX+1];
1314 int ret = 0;
1315
1316 ret = nla_parse_nested_deprecated(tb, CTA_IP_MAX, attr, NULL, NULL);
1317 if (ret < 0)
1318 return ret;
1319
1320 ret = nla_validate_nested_deprecated(attr, CTA_IP_MAX,
1321 cta_ip_nla_policy, NULL);
1322 if (ret)
1323 return ret;
1324
1325 switch (tuple->src.l3num) {
1326 case NFPROTO_IPV4:
1327 ret = ipv4_nlattr_to_tuple(tb, tuple, flags);
1328 break;
1329 case NFPROTO_IPV6:
1330 ret = ipv6_nlattr_to_tuple(tb, tuple, flags);
1331 break;
1332 }
1333
1334 return ret;
1335}
1336
1337static const struct nla_policy proto_nla_policy[CTA_PROTO_MAX+1] = {
1338 [CTA_PROTO_NUM] = { .type = NLA_U8 },
1339};
1340
1341static int ctnetlink_parse_tuple_proto(struct nlattr *attr,
1342 struct nf_conntrack_tuple *tuple,
1343 u_int32_t flags)
1344{
1345 const struct nf_conntrack_l4proto *l4proto;
1346 struct nlattr *tb[CTA_PROTO_MAX+1];
1347 int ret = 0;
1348
1349 ret = nla_parse_nested_deprecated(tb, CTA_PROTO_MAX, attr,
1350 proto_nla_policy, NULL);
1351 if (ret < 0)
1352 return ret;
1353
1354 if (!(flags & CTA_FILTER_FLAG(CTA_PROTO_NUM)))
1355 return 0;
1356
1357 if (!tb[CTA_PROTO_NUM])
1358 return -EINVAL;
1359
1360 tuple->dst.protonum = nla_get_u8(tb[CTA_PROTO_NUM]);
1361
1362 rcu_read_lock();
1363 l4proto = __nf_ct_l4proto_find(tuple->dst.protonum);
1364
1365 if (likely(l4proto->nlattr_to_tuple)) {
1366 ret = nla_validate_nested_deprecated(attr, CTA_PROTO_MAX,
1367 l4proto->nla_policy,
1368 NULL);
1369 if (ret == 0)
1370 ret = l4proto->nlattr_to_tuple(tb, tuple, flags);
1371 }
1372
1373 rcu_read_unlock();
1374
1375 return ret;
1376}
1377
1378static int
1379ctnetlink_parse_zone(const struct nlattr *attr,
1380 struct nf_conntrack_zone *zone)
1381{
1382 nf_ct_zone_init(zone, NF_CT_DEFAULT_ZONE_ID,
1383 NF_CT_DEFAULT_ZONE_DIR, 0);
1384#ifdef CONFIG_NF_CONNTRACK_ZONES
1385 if (attr)
1386 zone->id = ntohs(nla_get_be16(attr));
1387#else
1388 if (attr)
1389 return -EOPNOTSUPP;
1390#endif
1391 return 0;
1392}
1393
1394static int
1395ctnetlink_parse_tuple_zone(struct nlattr *attr, enum ctattr_type type,
1396 struct nf_conntrack_zone *zone)
1397{
1398 int ret;
1399
1400 if (zone->id != NF_CT_DEFAULT_ZONE_ID)
1401 return -EINVAL;
1402
1403 ret = ctnetlink_parse_zone(attr, zone);
1404 if (ret < 0)
1405 return ret;
1406
1407 if (type == CTA_TUPLE_REPLY)
1408 zone->dir = NF_CT_ZONE_DIR_REPL;
1409 else
1410 zone->dir = NF_CT_ZONE_DIR_ORIG;
1411
1412 return 0;
1413}
1414
1415static const struct nla_policy tuple_nla_policy[CTA_TUPLE_MAX+1] = {
1416 [CTA_TUPLE_IP] = { .type = NLA_NESTED },
1417 [CTA_TUPLE_PROTO] = { .type = NLA_NESTED },
1418 [CTA_TUPLE_ZONE] = { .type = NLA_U16 },
1419};
1420
1421#define CTA_FILTER_F_ALL_CTA_PROTO \
1422 (CTA_FILTER_F_CTA_PROTO_SRC_PORT | \
1423 CTA_FILTER_F_CTA_PROTO_DST_PORT | \
1424 CTA_FILTER_F_CTA_PROTO_ICMP_TYPE | \
1425 CTA_FILTER_F_CTA_PROTO_ICMP_CODE | \
1426 CTA_FILTER_F_CTA_PROTO_ICMP_ID | \
1427 CTA_FILTER_F_CTA_PROTO_ICMPV6_TYPE | \
1428 CTA_FILTER_F_CTA_PROTO_ICMPV6_CODE | \
1429 CTA_FILTER_F_CTA_PROTO_ICMPV6_ID)
1430
1431static int
1432ctnetlink_parse_tuple_filter(const struct nlattr * const cda[],
1433 struct nf_conntrack_tuple *tuple, u32 type,
1434 u_int8_t l3num, struct nf_conntrack_zone *zone,
1435 u_int32_t flags)
1436{
1437 struct nlattr *tb[CTA_TUPLE_MAX+1];
1438 int err;
1439
1440 memset(tuple, 0, sizeof(*tuple));
1441
1442 err = nla_parse_nested_deprecated(tb, CTA_TUPLE_MAX, cda[type],
1443 tuple_nla_policy, NULL);
1444 if (err < 0)
1445 return err;
1446
1447 if (l3num != NFPROTO_IPV4 && l3num != NFPROTO_IPV6)
1448 return -EOPNOTSUPP;
1449 tuple->src.l3num = l3num;
1450
1451 if (flags & CTA_FILTER_FLAG(CTA_IP_DST) ||
1452 flags & CTA_FILTER_FLAG(CTA_IP_SRC)) {
1453 if (!tb[CTA_TUPLE_IP])
1454 return -EINVAL;
1455
1456 err = ctnetlink_parse_tuple_ip(tb[CTA_TUPLE_IP], tuple, flags);
1457 if (err < 0)
1458 return err;
1459 }
1460
1461 if (flags & CTA_FILTER_FLAG(CTA_PROTO_NUM)) {
1462 if (!tb[CTA_TUPLE_PROTO])
1463 return -EINVAL;
1464
1465 err = ctnetlink_parse_tuple_proto(tb[CTA_TUPLE_PROTO], tuple, flags);
1466 if (err < 0)
1467 return err;
1468 } else if (flags & CTA_FILTER_FLAG(ALL_CTA_PROTO)) {
1469
1470 return -EINVAL;
1471 }
1472
1473 if ((flags & CTA_FILTER_FLAG(CTA_TUPLE_ZONE)) && tb[CTA_TUPLE_ZONE]) {
1474 if (!zone)
1475 return -EINVAL;
1476
1477 err = ctnetlink_parse_tuple_zone(tb[CTA_TUPLE_ZONE],
1478 type, zone);
1479 if (err < 0)
1480 return err;
1481 }
1482
1483
1484 if (type == CTA_TUPLE_REPLY)
1485 tuple->dst.dir = IP_CT_DIR_REPLY;
1486 else
1487 tuple->dst.dir = IP_CT_DIR_ORIGINAL;
1488
1489 return 0;
1490}
1491
1492static int
1493ctnetlink_parse_tuple(const struct nlattr * const cda[],
1494 struct nf_conntrack_tuple *tuple, u32 type,
1495 u_int8_t l3num, struct nf_conntrack_zone *zone)
1496{
1497 return ctnetlink_parse_tuple_filter(cda, tuple, type, l3num, zone,
1498 CTA_FILTER_FLAG(ALL));
1499}
1500
1501static const struct nla_policy help_nla_policy[CTA_HELP_MAX+1] = {
1502 [CTA_HELP_NAME] = { .type = NLA_NUL_STRING,
1503 .len = NF_CT_HELPER_NAME_LEN - 1 },
1504};
1505
1506static int ctnetlink_parse_help(const struct nlattr *attr, char **helper_name,
1507 struct nlattr **helpinfo)
1508{
1509 int err;
1510 struct nlattr *tb[CTA_HELP_MAX+1];
1511
1512 err = nla_parse_nested_deprecated(tb, CTA_HELP_MAX, attr,
1513 help_nla_policy, NULL);
1514 if (err < 0)
1515 return err;
1516
1517 if (!tb[CTA_HELP_NAME])
1518 return -EINVAL;
1519
1520 *helper_name = nla_data(tb[CTA_HELP_NAME]);
1521
1522 if (tb[CTA_HELP_INFO])
1523 *helpinfo = tb[CTA_HELP_INFO];
1524
1525 return 0;
1526}
1527
1528static const struct nla_policy ct_nla_policy[CTA_MAX+1] = {
1529 [CTA_TUPLE_ORIG] = { .type = NLA_NESTED },
1530 [CTA_TUPLE_REPLY] = { .type = NLA_NESTED },
1531 [CTA_STATUS] = { .type = NLA_U32 },
1532 [CTA_PROTOINFO] = { .type = NLA_NESTED },
1533 [CTA_HELP] = { .type = NLA_NESTED },
1534 [CTA_NAT_SRC] = { .type = NLA_NESTED },
1535 [CTA_TIMEOUT] = { .type = NLA_U32 },
1536 [CTA_MARK] = { .type = NLA_U32 },
1537 [CTA_ID] = { .type = NLA_U32 },
1538 [CTA_NAT_DST] = { .type = NLA_NESTED },
1539 [CTA_TUPLE_MASTER] = { .type = NLA_NESTED },
1540 [CTA_NAT_SEQ_ADJ_ORIG] = { .type = NLA_NESTED },
1541 [CTA_NAT_SEQ_ADJ_REPLY] = { .type = NLA_NESTED },
1542 [CTA_ZONE] = { .type = NLA_U16 },
1543 [CTA_MARK_MASK] = { .type = NLA_U32 },
1544 [CTA_LABELS] = { .type = NLA_BINARY,
1545 .len = NF_CT_LABELS_MAX_SIZE },
1546 [CTA_LABELS_MASK] = { .type = NLA_BINARY,
1547 .len = NF_CT_LABELS_MAX_SIZE },
1548 [CTA_FILTER] = { .type = NLA_NESTED },
1549 [CTA_STATUS_MASK] = { .type = NLA_U32 },
1550};
1551
1552static int ctnetlink_flush_iterate(struct nf_conn *ct, void *data)
1553{
1554 if (test_bit(IPS_OFFLOAD_BIT, &ct->status))
1555 return 0;
1556
1557 return ctnetlink_filter_match(ct, data);
1558}
1559
1560static int ctnetlink_flush_conntrack(struct net *net,
1561 const struct nlattr * const cda[],
1562 u32 portid, int report, u8 family)
1563{
1564 struct ctnetlink_filter *filter = NULL;
1565
1566 if (ctnetlink_needs_filter(family, cda)) {
1567 if (cda[CTA_FILTER])
1568 return -EOPNOTSUPP;
1569
1570 filter = ctnetlink_alloc_filter(cda, family);
1571 if (IS_ERR(filter))
1572 return PTR_ERR(filter);
1573 }
1574
1575 nf_ct_iterate_cleanup_net(net, ctnetlink_flush_iterate, filter,
1576 portid, report);
1577 kfree(filter);
1578
1579 return 0;
1580}
1581
1582static int ctnetlink_del_conntrack(struct net *net, struct sock *ctnl,
1583 struct sk_buff *skb,
1584 const struct nlmsghdr *nlh,
1585 const struct nlattr * const cda[],
1586 struct netlink_ext_ack *extack)
1587{
1588 struct nf_conntrack_tuple_hash *h;
1589 struct nf_conntrack_tuple tuple;
1590 struct nf_conn *ct;
1591 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1592 struct nf_conntrack_zone zone;
1593 int err;
1594
1595 err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone);
1596 if (err < 0)
1597 return err;
1598
1599 if (cda[CTA_TUPLE_ORIG])
1600 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG,
1601 nfmsg->nfgen_family, &zone);
1602 else if (cda[CTA_TUPLE_REPLY])
1603 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY,
1604 nfmsg->nfgen_family, &zone);
1605 else {
1606 u_int8_t u3 = nfmsg->version ? nfmsg->nfgen_family : AF_UNSPEC;
1607
1608 return ctnetlink_flush_conntrack(net, cda,
1609 NETLINK_CB(skb).portid,
1610 nlmsg_report(nlh), u3);
1611 }
1612
1613 if (err < 0)
1614 return err;
1615
1616 h = nf_conntrack_find_get(net, &zone, &tuple);
1617 if (!h)
1618 return -ENOENT;
1619
1620 ct = nf_ct_tuplehash_to_ctrack(h);
1621
1622 if (test_bit(IPS_OFFLOAD_BIT, &ct->status)) {
1623 nf_ct_put(ct);
1624 return -EBUSY;
1625 }
1626
1627 if (cda[CTA_ID]) {
1628 __be32 id = nla_get_be32(cda[CTA_ID]);
1629
1630 if (id != (__force __be32)nf_ct_get_id(ct)) {
1631 nf_ct_put(ct);
1632 return -ENOENT;
1633 }
1634 }
1635
1636 nf_ct_delete(ct, NETLINK_CB(skb).portid, nlmsg_report(nlh));
1637 nf_ct_put(ct);
1638
1639 return 0;
1640}
1641
1642static int ctnetlink_get_conntrack(struct net *net, struct sock *ctnl,
1643 struct sk_buff *skb,
1644 const struct nlmsghdr *nlh,
1645 const struct nlattr * const cda[],
1646 struct netlink_ext_ack *extack)
1647{
1648 struct nf_conntrack_tuple_hash *h;
1649 struct nf_conntrack_tuple tuple;
1650 struct nf_conn *ct;
1651 struct sk_buff *skb2 = NULL;
1652 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1653 u_int8_t u3 = nfmsg->nfgen_family;
1654 struct nf_conntrack_zone zone;
1655 int err;
1656
1657 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1658 struct netlink_dump_control c = {
1659 .start = ctnetlink_start,
1660 .dump = ctnetlink_dump_table,
1661 .done = ctnetlink_done,
1662 .data = (void *)cda,
1663 };
1664
1665 return netlink_dump_start(ctnl, skb, nlh, &c);
1666 }
1667
1668 err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone);
1669 if (err < 0)
1670 return err;
1671
1672 if (cda[CTA_TUPLE_ORIG])
1673 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG,
1674 u3, &zone);
1675 else if (cda[CTA_TUPLE_REPLY])
1676 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY,
1677 u3, &zone);
1678 else
1679 return -EINVAL;
1680
1681 if (err < 0)
1682 return err;
1683
1684 h = nf_conntrack_find_get(net, &zone, &tuple);
1685 if (!h)
1686 return -ENOENT;
1687
1688 ct = nf_ct_tuplehash_to_ctrack(h);
1689
1690 err = -ENOMEM;
1691 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1692 if (skb2 == NULL) {
1693 nf_ct_put(ct);
1694 return -ENOMEM;
1695 }
1696
1697 err = ctnetlink_fill_info(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq,
1698 NFNL_MSG_TYPE(nlh->nlmsg_type), ct, true, 0);
1699 nf_ct_put(ct);
1700 if (err <= 0)
1701 goto free;
1702
1703 err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
1704 if (err < 0)
1705 goto out;
1706
1707 return 0;
1708
1709free:
1710 kfree_skb(skb2);
1711out:
1712
1713 return err == -EAGAIN ? -ENOBUFS : err;
1714}
1715
1716static int ctnetlink_done_list(struct netlink_callback *cb)
1717{
1718 if (cb->args[1])
1719 nf_ct_put((struct nf_conn *)cb->args[1]);
1720 return 0;
1721}
1722
1723static int
1724ctnetlink_dump_list(struct sk_buff *skb, struct netlink_callback *cb, bool dying)
1725{
1726 struct nf_conn *ct, *last;
1727 struct nf_conntrack_tuple_hash *h;
1728 struct hlist_nulls_node *n;
1729 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1730 u_int8_t l3proto = nfmsg->nfgen_family;
1731 int res;
1732 int cpu;
1733 struct hlist_nulls_head *list;
1734 struct net *net = sock_net(skb->sk);
1735
1736 if (cb->args[2])
1737 return 0;
1738
1739 last = (struct nf_conn *)cb->args[1];
1740
1741 for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) {
1742 struct ct_pcpu *pcpu;
1743
1744 if (!cpu_possible(cpu))
1745 continue;
1746
1747 pcpu = per_cpu_ptr(net->ct.pcpu_lists, cpu);
1748 spin_lock_bh(&pcpu->lock);
1749 list = dying ? &pcpu->dying : &pcpu->unconfirmed;
1750restart:
1751 hlist_nulls_for_each_entry(h, n, list, hnnode) {
1752 ct = nf_ct_tuplehash_to_ctrack(h);
1753 if (l3proto && nf_ct_l3num(ct) != l3proto)
1754 continue;
1755 if (cb->args[1]) {
1756 if (ct != last)
1757 continue;
1758 cb->args[1] = 0;
1759 }
1760
1761
1762
1763
1764
1765
1766
1767
1768 res = ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).portid,
1769 cb->nlh->nlmsg_seq,
1770 NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
1771 ct, dying ? true : false, 0);
1772 if (res < 0) {
1773 if (!atomic_inc_not_zero(&ct->ct_general.use))
1774 continue;
1775 cb->args[0] = cpu;
1776 cb->args[1] = (unsigned long)ct;
1777 spin_unlock_bh(&pcpu->lock);
1778 goto out;
1779 }
1780 }
1781 if (cb->args[1]) {
1782 cb->args[1] = 0;
1783 goto restart;
1784 }
1785 spin_unlock_bh(&pcpu->lock);
1786 }
1787 cb->args[2] = 1;
1788out:
1789 if (last)
1790 nf_ct_put(last);
1791
1792 return skb->len;
1793}
1794
1795static int
1796ctnetlink_dump_dying(struct sk_buff *skb, struct netlink_callback *cb)
1797{
1798 return ctnetlink_dump_list(skb, cb, true);
1799}
1800
1801static int ctnetlink_get_ct_dying(struct net *net, struct sock *ctnl,
1802 struct sk_buff *skb,
1803 const struct nlmsghdr *nlh,
1804 const struct nlattr * const cda[],
1805 struct netlink_ext_ack *extack)
1806{
1807 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1808 struct netlink_dump_control c = {
1809 .dump = ctnetlink_dump_dying,
1810 .done = ctnetlink_done_list,
1811 };
1812 return netlink_dump_start(ctnl, skb, nlh, &c);
1813 }
1814
1815 return -EOPNOTSUPP;
1816}
1817
1818static int
1819ctnetlink_dump_unconfirmed(struct sk_buff *skb, struct netlink_callback *cb)
1820{
1821 return ctnetlink_dump_list(skb, cb, false);
1822}
1823
1824static int ctnetlink_get_ct_unconfirmed(struct net *net, struct sock *ctnl,
1825 struct sk_buff *skb,
1826 const struct nlmsghdr *nlh,
1827 const struct nlattr * const cda[],
1828 struct netlink_ext_ack *extack)
1829{
1830 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1831 struct netlink_dump_control c = {
1832 .dump = ctnetlink_dump_unconfirmed,
1833 .done = ctnetlink_done_list,
1834 };
1835 return netlink_dump_start(ctnl, skb, nlh, &c);
1836 }
1837
1838 return -EOPNOTSUPP;
1839}
1840
1841#ifdef CONFIG_NF_NAT_NEEDED
1842static int
1843ctnetlink_parse_nat_setup(struct nf_conn *ct,
1844 enum nf_nat_manip_type manip,
1845 const struct nlattr *attr)
1846{
1847 struct nf_nat_hook *nat_hook;
1848 int err;
1849
1850 nat_hook = rcu_dereference(nf_nat_hook);
1851 if (!nat_hook) {
1852#ifdef CONFIG_MODULES
1853 rcu_read_unlock();
1854 nfnl_unlock(NFNL_SUBSYS_CTNETLINK);
1855 if (request_module("nf-nat") < 0) {
1856 nfnl_lock(NFNL_SUBSYS_CTNETLINK);
1857 rcu_read_lock();
1858 return -EOPNOTSUPP;
1859 }
1860 nfnl_lock(NFNL_SUBSYS_CTNETLINK);
1861 rcu_read_lock();
1862 nat_hook = rcu_dereference(nf_nat_hook);
1863 if (nat_hook)
1864 return -EAGAIN;
1865#endif
1866 return -EOPNOTSUPP;
1867 }
1868
1869 err = nat_hook->parse_nat_setup(ct, manip, attr);
1870 if (err == -EAGAIN) {
1871#ifdef CONFIG_MODULES
1872 rcu_read_unlock();
1873 nfnl_unlock(NFNL_SUBSYS_CTNETLINK);
1874 if (request_module("nf-nat-%u", nf_ct_l3num(ct)) < 0) {
1875 nfnl_lock(NFNL_SUBSYS_CTNETLINK);
1876 rcu_read_lock();
1877 return -EOPNOTSUPP;
1878 }
1879 nfnl_lock(NFNL_SUBSYS_CTNETLINK);
1880 rcu_read_lock();
1881#else
1882 err = -EOPNOTSUPP;
1883#endif
1884 }
1885 return err;
1886}
1887#endif
1888
1889static void
1890__ctnetlink_change_status(struct nf_conn *ct, unsigned long on,
1891 unsigned long off)
1892{
1893 unsigned int bit;
1894
1895
1896 on &= ~IPS_UNCHANGEABLE_MASK;
1897 off &= ~IPS_UNCHANGEABLE_MASK;
1898
1899 for (bit = 0; bit < __IPS_MAX_BIT; bit++) {
1900 if (on & (1 << bit))
1901 set_bit(bit, &ct->status);
1902 else if (off & (1 << bit))
1903 clear_bit(bit, &ct->status);
1904 }
1905}
1906
1907static int
1908ctnetlink_change_status(struct nf_conn *ct, const struct nlattr * const cda[])
1909{
1910 unsigned long d;
1911 unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS]));
1912 d = ct->status ^ status;
1913
1914 if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING))
1915
1916 return -EBUSY;
1917
1918 if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY))
1919
1920 return -EBUSY;
1921
1922 if (d & IPS_ASSURED && !(status & IPS_ASSURED))
1923
1924 return -EBUSY;
1925
1926 __ctnetlink_change_status(ct, status, 0);
1927 return 0;
1928}
1929
1930static int
1931ctnetlink_setup_nat(struct nf_conn *ct, const struct nlattr * const cda[])
1932{
1933#ifdef CONFIG_NF_NAT_NEEDED
1934 int ret;
1935
1936 if (!cda[CTA_NAT_DST] && !cda[CTA_NAT_SRC])
1937 return 0;
1938
1939 ret = ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_DST,
1940 cda[CTA_NAT_DST]);
1941 if (ret < 0)
1942 return ret;
1943
1944 return ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_SRC,
1945 cda[CTA_NAT_SRC]);
1946#else
1947 if (!cda[CTA_NAT_DST] && !cda[CTA_NAT_SRC])
1948 return 0;
1949 return -EOPNOTSUPP;
1950#endif
1951}
1952
1953static int ctnetlink_change_helper(struct nf_conn *ct,
1954 const struct nlattr * const cda[])
1955{
1956 struct nf_conntrack_helper *helper;
1957 struct nf_conn_help *help = nfct_help(ct);
1958 char *helpname = NULL;
1959 struct nlattr *helpinfo = NULL;
1960 int err;
1961
1962 err = ctnetlink_parse_help(cda[CTA_HELP], &helpname, &helpinfo);
1963 if (err < 0)
1964 return err;
1965
1966
1967 if (ct->master) {
1968
1969
1970
1971
1972 err = -EBUSY;
1973 if (help) {
1974 rcu_read_lock();
1975 helper = rcu_dereference(help->helper);
1976 if (helper && !strcmp(helper->name, helpname))
1977 err = 0;
1978 rcu_read_unlock();
1979 }
1980
1981 return err;
1982 }
1983
1984 if (!strcmp(helpname, "")) {
1985 if (help && help->helper) {
1986
1987 nf_ct_remove_expectations(ct);
1988 RCU_INIT_POINTER(help->helper, NULL);
1989 }
1990
1991 return 0;
1992 }
1993
1994 rcu_read_lock();
1995 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
1996 nf_ct_protonum(ct));
1997 if (helper == NULL) {
1998 rcu_read_unlock();
1999 return -EOPNOTSUPP;
2000 }
2001
2002 if (help) {
2003 if (help->helper == helper) {
2004
2005 if (helper->from_nlattr)
2006 helper->from_nlattr(helpinfo, ct);
2007 err = 0;
2008 } else
2009 err = -EBUSY;
2010 } else {
2011
2012 err = -EOPNOTSUPP;
2013 }
2014
2015 rcu_read_unlock();
2016 return err;
2017}
2018
2019static int ctnetlink_change_timeout(struct nf_conn *ct,
2020 const struct nlattr * const cda[])
2021{
2022 u64 timeout = (u64)ntohl(nla_get_be32(cda[CTA_TIMEOUT])) * HZ;
2023
2024 if (timeout > INT_MAX)
2025 timeout = INT_MAX;
2026 ct->timeout = nfct_time_stamp + (u32)timeout;
2027
2028 if (test_bit(IPS_DYING_BIT, &ct->status))
2029 return -ETIME;
2030
2031 return 0;
2032}
2033
2034#if defined(CONFIG_NF_CONNTRACK_MARK)
2035static void ctnetlink_change_mark(struct nf_conn *ct,
2036 const struct nlattr * const cda[])
2037{
2038 u32 mark, newmark, mask = 0;
2039
2040 if (cda[CTA_MARK_MASK])
2041 mask = ~ntohl(nla_get_be32(cda[CTA_MARK_MASK]));
2042
2043 mark = ntohl(nla_get_be32(cda[CTA_MARK]));
2044 newmark = (ct->mark & mask) ^ mark;
2045 if (newmark != ct->mark)
2046 ct->mark = newmark;
2047}
2048#endif
2049
2050static const struct nla_policy protoinfo_policy[CTA_PROTOINFO_MAX+1] = {
2051 [CTA_PROTOINFO_TCP] = { .type = NLA_NESTED },
2052 [CTA_PROTOINFO_DCCP] = { .type = NLA_NESTED },
2053 [CTA_PROTOINFO_SCTP] = { .type = NLA_NESTED },
2054};
2055
2056static int ctnetlink_change_protoinfo(struct nf_conn *ct,
2057 const struct nlattr * const cda[])
2058{
2059 const struct nlattr *attr = cda[CTA_PROTOINFO];
2060 const struct nf_conntrack_l4proto *l4proto;
2061 struct nlattr *tb[CTA_PROTOINFO_MAX+1];
2062 int err = 0;
2063
2064 err = nla_parse_nested_deprecated(tb, CTA_PROTOINFO_MAX, attr,
2065 protoinfo_policy, NULL);
2066 if (err < 0)
2067 return err;
2068
2069 rcu_read_lock();
2070 l4proto = __nf_ct_l4proto_find(nf_ct_protonum(ct));
2071 if (l4proto->from_nlattr)
2072 err = l4proto->from_nlattr(tb, ct);
2073 rcu_read_unlock();
2074
2075 return err;
2076}
2077
2078static const struct nla_policy seqadj_policy[CTA_SEQADJ_MAX+1] = {
2079 [CTA_SEQADJ_CORRECTION_POS] = { .type = NLA_U32 },
2080 [CTA_SEQADJ_OFFSET_BEFORE] = { .type = NLA_U32 },
2081 [CTA_SEQADJ_OFFSET_AFTER] = { .type = NLA_U32 },
2082};
2083
2084static int change_seq_adj(struct nf_ct_seqadj *seq,
2085 const struct nlattr * const attr)
2086{
2087 int err;
2088 struct nlattr *cda[CTA_SEQADJ_MAX+1];
2089
2090 err = nla_parse_nested_deprecated(cda, CTA_SEQADJ_MAX, attr,
2091 seqadj_policy, NULL);
2092 if (err < 0)
2093 return err;
2094
2095 if (!cda[CTA_SEQADJ_CORRECTION_POS])
2096 return -EINVAL;
2097
2098 seq->correction_pos =
2099 ntohl(nla_get_be32(cda[CTA_SEQADJ_CORRECTION_POS]));
2100
2101 if (!cda[CTA_SEQADJ_OFFSET_BEFORE])
2102 return -EINVAL;
2103
2104 seq->offset_before =
2105 ntohl(nla_get_be32(cda[CTA_SEQADJ_OFFSET_BEFORE]));
2106
2107 if (!cda[CTA_SEQADJ_OFFSET_AFTER])
2108 return -EINVAL;
2109
2110 seq->offset_after =
2111 ntohl(nla_get_be32(cda[CTA_SEQADJ_OFFSET_AFTER]));
2112
2113 return 0;
2114}
2115
2116static int
2117ctnetlink_change_seq_adj(struct nf_conn *ct,
2118 const struct nlattr * const cda[])
2119{
2120 struct nf_conn_seqadj *seqadj = nfct_seqadj(ct);
2121 int ret = 0;
2122
2123 if (!seqadj)
2124 return 0;
2125
2126 spin_lock_bh(&ct->lock);
2127 if (cda[CTA_SEQ_ADJ_ORIG]) {
2128 ret = change_seq_adj(&seqadj->seq[IP_CT_DIR_ORIGINAL],
2129 cda[CTA_SEQ_ADJ_ORIG]);
2130 if (ret < 0)
2131 goto err;
2132
2133 set_bit(IPS_SEQ_ADJUST_BIT, &ct->status);
2134 }
2135
2136 if (cda[CTA_SEQ_ADJ_REPLY]) {
2137 ret = change_seq_adj(&seqadj->seq[IP_CT_DIR_REPLY],
2138 cda[CTA_SEQ_ADJ_REPLY]);
2139 if (ret < 0)
2140 goto err;
2141
2142 set_bit(IPS_SEQ_ADJUST_BIT, &ct->status);
2143 }
2144
2145 spin_unlock_bh(&ct->lock);
2146 return 0;
2147err:
2148 spin_unlock_bh(&ct->lock);
2149 return ret;
2150}
2151
2152static const struct nla_policy synproxy_policy[CTA_SYNPROXY_MAX + 1] = {
2153 [CTA_SYNPROXY_ISN] = { .type = NLA_U32 },
2154 [CTA_SYNPROXY_ITS] = { .type = NLA_U32 },
2155 [CTA_SYNPROXY_TSOFF] = { .type = NLA_U32 },
2156};
2157
2158static int ctnetlink_change_synproxy(struct nf_conn *ct,
2159 const struct nlattr * const cda[])
2160{
2161 struct nf_conn_synproxy *synproxy = nfct_synproxy(ct);
2162 struct nlattr *tb[CTA_SYNPROXY_MAX + 1];
2163 int err;
2164
2165 if (!synproxy)
2166 return 0;
2167
2168 err = nla_parse_nested_deprecated(tb, CTA_SYNPROXY_MAX,
2169 cda[CTA_SYNPROXY], synproxy_policy,
2170 NULL);
2171 if (err < 0)
2172 return err;
2173
2174 if (!tb[CTA_SYNPROXY_ISN] ||
2175 !tb[CTA_SYNPROXY_ITS] ||
2176 !tb[CTA_SYNPROXY_TSOFF])
2177 return -EINVAL;
2178
2179 synproxy->isn = ntohl(nla_get_be32(tb[CTA_SYNPROXY_ISN]));
2180 synproxy->its = ntohl(nla_get_be32(tb[CTA_SYNPROXY_ITS]));
2181 synproxy->tsoff = ntohl(nla_get_be32(tb[CTA_SYNPROXY_TSOFF]));
2182
2183 return 0;
2184}
2185
2186static int
2187ctnetlink_attach_labels(struct nf_conn *ct, const struct nlattr * const cda[])
2188{
2189#ifdef CONFIG_NF_CONNTRACK_LABELS
2190 size_t len = nla_len(cda[CTA_LABELS]);
2191 const void *mask = cda[CTA_LABELS_MASK];
2192
2193 if (len & (sizeof(u32)-1))
2194 return -EINVAL;
2195
2196 if (mask) {
2197 if (nla_len(cda[CTA_LABELS_MASK]) == 0 ||
2198 nla_len(cda[CTA_LABELS_MASK]) != len)
2199 return -EINVAL;
2200 mask = nla_data(cda[CTA_LABELS_MASK]);
2201 }
2202
2203 len /= sizeof(u32);
2204
2205 return nf_connlabels_replace(ct, nla_data(cda[CTA_LABELS]), mask, len);
2206#else
2207 return -EOPNOTSUPP;
2208#endif
2209}
2210
2211static int
2212ctnetlink_change_conntrack(struct nf_conn *ct,
2213 const struct nlattr * const cda[])
2214{
2215 int err;
2216
2217
2218 if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST] || cda[CTA_TUPLE_MASTER])
2219 return -EOPNOTSUPP;
2220
2221 if (cda[CTA_HELP]) {
2222 err = ctnetlink_change_helper(ct, cda);
2223 if (err < 0)
2224 return err;
2225 }
2226
2227 if (cda[CTA_TIMEOUT]) {
2228 err = ctnetlink_change_timeout(ct, cda);
2229 if (err < 0)
2230 return err;
2231 }
2232
2233 if (cda[CTA_STATUS]) {
2234 err = ctnetlink_change_status(ct, cda);
2235 if (err < 0)
2236 return err;
2237 }
2238
2239 if (cda[CTA_PROTOINFO]) {
2240 err = ctnetlink_change_protoinfo(ct, cda);
2241 if (err < 0)
2242 return err;
2243 }
2244
2245#if defined(CONFIG_NF_CONNTRACK_MARK)
2246 if (cda[CTA_MARK])
2247 ctnetlink_change_mark(ct, cda);
2248#endif
2249
2250 if (cda[CTA_SEQ_ADJ_ORIG] || cda[CTA_SEQ_ADJ_REPLY]) {
2251 err = ctnetlink_change_seq_adj(ct, cda);
2252 if (err < 0)
2253 return err;
2254 }
2255
2256 if (cda[CTA_SYNPROXY]) {
2257 err = ctnetlink_change_synproxy(ct, cda);
2258 if (err < 0)
2259 return err;
2260 }
2261
2262 if (cda[CTA_LABELS]) {
2263 err = ctnetlink_attach_labels(ct, cda);
2264 if (err < 0)
2265 return err;
2266 }
2267
2268 return 0;
2269}
2270
2271static struct nf_conn *
2272ctnetlink_create_conntrack(struct net *net,
2273 const struct nf_conntrack_zone *zone,
2274 const struct nlattr * const cda[],
2275 struct nf_conntrack_tuple *otuple,
2276 struct nf_conntrack_tuple *rtuple,
2277 u8 u3)
2278{
2279 struct nf_conn *ct;
2280 int err = -EINVAL;
2281 struct nf_conntrack_helper *helper;
2282 struct nf_conn_tstamp *tstamp;
2283 u64 timeout;
2284
2285 ct = nf_conntrack_alloc(net, zone, otuple, rtuple, GFP_ATOMIC);
2286 if (IS_ERR(ct))
2287 return ERR_PTR(-ENOMEM);
2288
2289 if (!cda[CTA_TIMEOUT])
2290 goto err1;
2291
2292 timeout = (u64)ntohl(nla_get_be32(cda[CTA_TIMEOUT])) * HZ;
2293 if (timeout > INT_MAX)
2294 timeout = INT_MAX;
2295 ct->timeout = (u32)timeout + nfct_time_stamp;
2296
2297 rcu_read_lock();
2298 if (cda[CTA_HELP]) {
2299 char *helpname = NULL;
2300 struct nlattr *helpinfo = NULL;
2301
2302 err = ctnetlink_parse_help(cda[CTA_HELP], &helpname, &helpinfo);
2303 if (err < 0)
2304 goto err2;
2305
2306 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
2307 nf_ct_protonum(ct));
2308 if (helper == NULL) {
2309 rcu_read_unlock();
2310#ifdef CONFIG_MODULES
2311 if (request_module("nfct-helper-%s", helpname) < 0) {
2312 err = -EOPNOTSUPP;
2313 goto err1;
2314 }
2315
2316 rcu_read_lock();
2317 helper = __nf_conntrack_helper_find(helpname,
2318 nf_ct_l3num(ct),
2319 nf_ct_protonum(ct));
2320 if (helper) {
2321 err = -EAGAIN;
2322 goto err2;
2323 }
2324 rcu_read_unlock();
2325#endif
2326 err = -EOPNOTSUPP;
2327 goto err1;
2328 } else {
2329 struct nf_conn_help *help;
2330
2331 help = nf_ct_helper_ext_add(ct, helper, GFP_ATOMIC);
2332 if (help == NULL) {
2333 err = -ENOMEM;
2334 goto err2;
2335 }
2336
2337 if (helper->from_nlattr)
2338 helper->from_nlattr(helpinfo, ct);
2339
2340
2341 RCU_INIT_POINTER(help->helper, helper);
2342 }
2343 } else {
2344
2345 err = __nf_ct_try_assign_helper(ct, NULL, GFP_ATOMIC);
2346 if (err < 0)
2347 goto err2;
2348 }
2349
2350 err = ctnetlink_setup_nat(ct, cda);
2351 if (err < 0)
2352 goto err2;
2353
2354 nf_ct_acct_ext_add(ct, GFP_ATOMIC);
2355 nf_ct_tstamp_ext_add(ct, GFP_ATOMIC);
2356 nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC);
2357 nf_ct_labels_ext_add(ct);
2358 nfct_seqadj_ext_add(ct);
2359 nfct_synproxy_ext_add(ct);
2360
2361
2362 ct->status |= IPS_CONFIRMED;
2363
2364 if (cda[CTA_STATUS]) {
2365 err = ctnetlink_change_status(ct, cda);
2366 if (err < 0)
2367 goto err2;
2368 }
2369
2370 if (cda[CTA_SEQ_ADJ_ORIG] || cda[CTA_SEQ_ADJ_REPLY]) {
2371 err = ctnetlink_change_seq_adj(ct, cda);
2372 if (err < 0)
2373 goto err2;
2374 }
2375
2376 memset(&ct->proto, 0, sizeof(ct->proto));
2377 if (cda[CTA_PROTOINFO]) {
2378 err = ctnetlink_change_protoinfo(ct, cda);
2379 if (err < 0)
2380 goto err2;
2381 }
2382
2383 if (cda[CTA_SYNPROXY]) {
2384 err = ctnetlink_change_synproxy(ct, cda);
2385 if (err < 0)
2386 goto err2;
2387 }
2388
2389#if defined(CONFIG_NF_CONNTRACK_MARK)
2390 if (cda[CTA_MARK])
2391 ctnetlink_change_mark(ct, cda);
2392#endif
2393
2394
2395 if (cda[CTA_TUPLE_MASTER]) {
2396 struct nf_conntrack_tuple master;
2397 struct nf_conntrack_tuple_hash *master_h;
2398 struct nf_conn *master_ct;
2399
2400 err = ctnetlink_parse_tuple(cda, &master, CTA_TUPLE_MASTER,
2401 u3, NULL);
2402 if (err < 0)
2403 goto err2;
2404
2405 master_h = nf_conntrack_find_get(net, zone, &master);
2406 if (master_h == NULL) {
2407 err = -ENOENT;
2408 goto err2;
2409 }
2410 master_ct = nf_ct_tuplehash_to_ctrack(master_h);
2411 __set_bit(IPS_EXPECTED_BIT, &ct->status);
2412 ct->master = master_ct;
2413 }
2414 tstamp = nf_conn_tstamp_find(ct);
2415 if (tstamp)
2416 tstamp->start = ktime_get_real_ns();
2417
2418 err = nf_conntrack_hash_check_insert(ct);
2419 if (err < 0)
2420 goto err2;
2421
2422 rcu_read_unlock();
2423
2424 return ct;
2425
2426err2:
2427 rcu_read_unlock();
2428err1:
2429 nf_conntrack_free(ct);
2430 return ERR_PTR(err);
2431}
2432
2433static int ctnetlink_new_conntrack(struct net *net, struct sock *ctnl,
2434 struct sk_buff *skb,
2435 const struct nlmsghdr *nlh,
2436 const struct nlattr * const cda[],
2437 struct netlink_ext_ack *extack)
2438{
2439 struct nf_conntrack_tuple otuple, rtuple;
2440 struct nf_conntrack_tuple_hash *h = NULL;
2441 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2442 struct nf_conn *ct;
2443 u_int8_t u3 = nfmsg->nfgen_family;
2444 struct nf_conntrack_zone zone;
2445 int err;
2446
2447 err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone);
2448 if (err < 0)
2449 return err;
2450
2451 if (cda[CTA_TUPLE_ORIG]) {
2452 err = ctnetlink_parse_tuple(cda, &otuple, CTA_TUPLE_ORIG,
2453 u3, &zone);
2454 if (err < 0)
2455 return err;
2456 }
2457
2458 if (cda[CTA_TUPLE_REPLY]) {
2459 err = ctnetlink_parse_tuple(cda, &rtuple, CTA_TUPLE_REPLY,
2460 u3, &zone);
2461 if (err < 0)
2462 return err;
2463 }
2464
2465 if (cda[CTA_TUPLE_ORIG])
2466 h = nf_conntrack_find_get(net, &zone, &otuple);
2467 else if (cda[CTA_TUPLE_REPLY])
2468 h = nf_conntrack_find_get(net, &zone, &rtuple);
2469
2470 if (h == NULL) {
2471 err = -ENOENT;
2472 if (nlh->nlmsg_flags & NLM_F_CREATE) {
2473 enum ip_conntrack_events events;
2474
2475 if (!cda[CTA_TUPLE_ORIG] || !cda[CTA_TUPLE_REPLY])
2476 return -EINVAL;
2477 if (otuple.dst.protonum != rtuple.dst.protonum)
2478 return -EINVAL;
2479
2480 ct = ctnetlink_create_conntrack(net, &zone, cda, &otuple,
2481 &rtuple, u3);
2482 if (IS_ERR(ct))
2483 return PTR_ERR(ct);
2484
2485 err = 0;
2486 if (test_bit(IPS_EXPECTED_BIT, &ct->status))
2487 events = 1 << IPCT_RELATED;
2488 else
2489 events = 1 << IPCT_NEW;
2490
2491 if (cda[CTA_LABELS] &&
2492 ctnetlink_attach_labels(ct, cda) == 0)
2493 events |= (1 << IPCT_LABEL);
2494
2495 nf_conntrack_eventmask_report((1 << IPCT_REPLY) |
2496 (1 << IPCT_ASSURED) |
2497 (1 << IPCT_HELPER) |
2498 (1 << IPCT_PROTOINFO) |
2499 (1 << IPCT_SEQADJ) |
2500 (1 << IPCT_MARK) |
2501 (1 << IPCT_SYNPROXY) |
2502 events,
2503 ct, NETLINK_CB(skb).portid,
2504 nlmsg_report(nlh));
2505 nf_ct_put(ct);
2506 }
2507
2508 return err;
2509 }
2510
2511
2512 err = -EEXIST;
2513 ct = nf_ct_tuplehash_to_ctrack(h);
2514 if (!(nlh->nlmsg_flags & NLM_F_EXCL)) {
2515 err = ctnetlink_change_conntrack(ct, cda);
2516 if (err == 0) {
2517 nf_conntrack_eventmask_report((1 << IPCT_REPLY) |
2518 (1 << IPCT_ASSURED) |
2519 (1 << IPCT_HELPER) |
2520 (1 << IPCT_LABEL) |
2521 (1 << IPCT_PROTOINFO) |
2522 (1 << IPCT_SEQADJ) |
2523 (1 << IPCT_MARK) |
2524 (1 << IPCT_SYNPROXY),
2525 ct, NETLINK_CB(skb).portid,
2526 nlmsg_report(nlh));
2527 }
2528 }
2529
2530 nf_ct_put(ct);
2531 return err;
2532}
2533
2534static int
2535ctnetlink_ct_stat_cpu_fill_info(struct sk_buff *skb, u32 portid, u32 seq,
2536 __u16 cpu, const struct ip_conntrack_stat *st)
2537{
2538 struct nlmsghdr *nlh;
2539 struct nfgenmsg *nfmsg;
2540 unsigned int flags = portid ? NLM_F_MULTI : 0, event;
2541
2542 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK,
2543 IPCTNL_MSG_CT_GET_STATS_CPU);
2544 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
2545 if (nlh == NULL)
2546 goto nlmsg_failure;
2547
2548 nfmsg = nlmsg_data(nlh);
2549 nfmsg->nfgen_family = AF_UNSPEC;
2550 nfmsg->version = NFNETLINK_V0;
2551 nfmsg->res_id = htons(cpu);
2552
2553 if (nla_put_be32(skb, CTA_STATS_FOUND, htonl(st->found)) ||
2554 nla_put_be32(skb, CTA_STATS_INVALID, htonl(st->invalid)) ||
2555 nla_put_be32(skb, CTA_STATS_IGNORE, 0) ||
2556 nla_put_be32(skb, CTA_STATS_INSERT, htonl(st->insert)) ||
2557 nla_put_be32(skb, CTA_STATS_INSERT_FAILED,
2558 htonl(st->insert_failed)) ||
2559 nla_put_be32(skb, CTA_STATS_DROP, htonl(st->drop)) ||
2560 nla_put_be32(skb, CTA_STATS_EARLY_DROP, htonl(st->early_drop)) ||
2561 nla_put_be32(skb, CTA_STATS_ERROR, htonl(st->error)) ||
2562 nla_put_be32(skb, CTA_STATS_SEARCH_RESTART,
2563 htonl(st->search_restart)) ||
2564 nla_put_be32(skb, CTA_STATS_CLASH_RESOLVE,
2565 htonl(st->clash_resolve)))
2566 goto nla_put_failure;
2567
2568 nlmsg_end(skb, nlh);
2569 return skb->len;
2570
2571nla_put_failure:
2572nlmsg_failure:
2573 nlmsg_cancel(skb, nlh);
2574 return -1;
2575}
2576
2577static int
2578ctnetlink_ct_stat_cpu_dump(struct sk_buff *skb, struct netlink_callback *cb)
2579{
2580 int cpu;
2581 struct net *net = sock_net(skb->sk);
2582
2583 if (cb->args[0] == nr_cpu_ids)
2584 return 0;
2585
2586 for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) {
2587 const struct ip_conntrack_stat *st;
2588
2589 if (!cpu_possible(cpu))
2590 continue;
2591
2592 st = per_cpu_ptr(net->ct.stat, cpu);
2593 if (ctnetlink_ct_stat_cpu_fill_info(skb,
2594 NETLINK_CB(cb->skb).portid,
2595 cb->nlh->nlmsg_seq,
2596 cpu, st) < 0)
2597 break;
2598 }
2599 cb->args[0] = cpu;
2600
2601 return skb->len;
2602}
2603
2604static int ctnetlink_stat_ct_cpu(struct net *net, struct sock *ctnl,
2605 struct sk_buff *skb,
2606 const struct nlmsghdr *nlh,
2607 const struct nlattr * const cda[],
2608 struct netlink_ext_ack *extack)
2609{
2610 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2611 struct netlink_dump_control c = {
2612 .dump = ctnetlink_ct_stat_cpu_dump,
2613 };
2614 return netlink_dump_start(ctnl, skb, nlh, &c);
2615 }
2616
2617 return 0;
2618}
2619
2620static int
2621ctnetlink_stat_ct_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
2622 struct net *net)
2623{
2624 struct nlmsghdr *nlh;
2625 struct nfgenmsg *nfmsg;
2626 unsigned int flags = portid ? NLM_F_MULTI : 0, event;
2627 unsigned int nr_conntracks = atomic_read(&net->ct.count);
2628
2629 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, IPCTNL_MSG_CT_GET_STATS);
2630 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
2631 if (nlh == NULL)
2632 goto nlmsg_failure;
2633
2634 nfmsg = nlmsg_data(nlh);
2635 nfmsg->nfgen_family = AF_UNSPEC;
2636 nfmsg->version = NFNETLINK_V0;
2637 nfmsg->res_id = 0;
2638
2639 if (nla_put_be32(skb, CTA_STATS_GLOBAL_ENTRIES, htonl(nr_conntracks)))
2640 goto nla_put_failure;
2641
2642 if (nla_put_be32(skb, CTA_STATS_GLOBAL_MAX_ENTRIES, htonl(nf_conntrack_max)))
2643 goto nla_put_failure;
2644
2645 nlmsg_end(skb, nlh);
2646 return skb->len;
2647
2648nla_put_failure:
2649nlmsg_failure:
2650 nlmsg_cancel(skb, nlh);
2651 return -1;
2652}
2653
2654static int ctnetlink_stat_ct(struct net *net, struct sock *ctnl,
2655 struct sk_buff *skb, const struct nlmsghdr *nlh,
2656 const struct nlattr * const cda[],
2657 struct netlink_ext_ack *extack)
2658{
2659 struct sk_buff *skb2;
2660 int err;
2661
2662 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2663 if (skb2 == NULL)
2664 return -ENOMEM;
2665
2666 err = ctnetlink_stat_ct_fill_info(skb2, NETLINK_CB(skb).portid,
2667 nlh->nlmsg_seq,
2668 NFNL_MSG_TYPE(nlh->nlmsg_type),
2669 sock_net(skb->sk));
2670 if (err <= 0)
2671 goto free;
2672
2673 err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
2674 if (err < 0)
2675 goto out;
2676
2677 return 0;
2678
2679free:
2680 kfree_skb(skb2);
2681out:
2682
2683 return err == -EAGAIN ? -ENOBUFS : err;
2684}
2685
2686static const struct nla_policy exp_nla_policy[CTA_EXPECT_MAX+1] = {
2687 [CTA_EXPECT_MASTER] = { .type = NLA_NESTED },
2688 [CTA_EXPECT_TUPLE] = { .type = NLA_NESTED },
2689 [CTA_EXPECT_MASK] = { .type = NLA_NESTED },
2690 [CTA_EXPECT_TIMEOUT] = { .type = NLA_U32 },
2691 [CTA_EXPECT_ID] = { .type = NLA_U32 },
2692 [CTA_EXPECT_HELP_NAME] = { .type = NLA_NUL_STRING,
2693 .len = NF_CT_HELPER_NAME_LEN - 1 },
2694 [CTA_EXPECT_ZONE] = { .type = NLA_U16 },
2695 [CTA_EXPECT_FLAGS] = { .type = NLA_U32 },
2696 [CTA_EXPECT_CLASS] = { .type = NLA_U32 },
2697 [CTA_EXPECT_NAT] = { .type = NLA_NESTED },
2698 [CTA_EXPECT_FN] = { .type = NLA_NUL_STRING },
2699};
2700
2701static struct nf_conntrack_expect *
2702ctnetlink_alloc_expect(const struct nlattr *const cda[], struct nf_conn *ct,
2703 struct nf_conntrack_helper *helper,
2704 struct nf_conntrack_tuple *tuple,
2705 struct nf_conntrack_tuple *mask);
2706
2707#ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT
2708static size_t
2709ctnetlink_glue_build_size(const struct nf_conn *ct)
2710{
2711 return 3 * nla_total_size(0)
2712 + 3 * nla_total_size(0)
2713 + 3 * nla_total_size(0)
2714 + 3 * nla_total_size(sizeof(u_int8_t))
2715 + nla_total_size(sizeof(u_int32_t))
2716 + nla_total_size(sizeof(u_int32_t))
2717 + nla_total_size(sizeof(u_int32_t))
2718 + nla_total_size(0)
2719 + nla_total_size(0)
2720 + nla_total_size(NF_CT_HELPER_NAME_LEN)
2721 + ctnetlink_secctx_size(ct)
2722#ifdef CONFIG_NF_NAT_NEEDED
2723 + 2 * nla_total_size(0)
2724 + 6 * nla_total_size(sizeof(u_int32_t))
2725#endif
2726#ifdef CONFIG_NF_CONNTRACK_MARK
2727 + nla_total_size(sizeof(u_int32_t))
2728#endif
2729#ifdef CONFIG_NF_CONNTRACK_ZONES
2730 + nla_total_size(sizeof(u_int16_t))
2731#endif
2732 + ctnetlink_proto_size(ct)
2733 ;
2734}
2735
2736static struct nf_conn *ctnetlink_glue_get_ct(const struct sk_buff *skb,
2737 enum ip_conntrack_info *ctinfo)
2738{
2739 return nf_ct_get(skb, ctinfo);
2740}
2741
2742static int __ctnetlink_glue_build(struct sk_buff *skb, struct nf_conn *ct)
2743{
2744 const struct nf_conntrack_zone *zone;
2745 struct nlattr *nest_parms;
2746
2747 zone = nf_ct_zone(ct);
2748
2749 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG);
2750 if (!nest_parms)
2751 goto nla_put_failure;
2752 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
2753 goto nla_put_failure;
2754 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
2755 NF_CT_ZONE_DIR_ORIG) < 0)
2756 goto nla_put_failure;
2757 nla_nest_end(skb, nest_parms);
2758
2759 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY);
2760 if (!nest_parms)
2761 goto nla_put_failure;
2762 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
2763 goto nla_put_failure;
2764 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
2765 NF_CT_ZONE_DIR_REPL) < 0)
2766 goto nla_put_failure;
2767 nla_nest_end(skb, nest_parms);
2768
2769 if (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone,
2770 NF_CT_DEFAULT_ZONE_DIR) < 0)
2771 goto nla_put_failure;
2772
2773 if (ctnetlink_dump_id(skb, ct) < 0)
2774 goto nla_put_failure;
2775
2776 if (ctnetlink_dump_status(skb, ct) < 0)
2777 goto nla_put_failure;
2778
2779 if (ctnetlink_dump_timeout(skb, ct, false) < 0)
2780 goto nla_put_failure;
2781
2782 if (ctnetlink_dump_protoinfo(skb, ct, false) < 0)
2783 goto nla_put_failure;
2784
2785 if (ctnetlink_dump_helpinfo(skb, ct) < 0)
2786 goto nla_put_failure;
2787
2788#ifdef CONFIG_NF_CONNTRACK_SECMARK
2789 if (ct->secmark && ctnetlink_dump_secctx(skb, ct) < 0)
2790 goto nla_put_failure;
2791#endif
2792 if (ct->master && ctnetlink_dump_master(skb, ct) < 0)
2793 goto nla_put_failure;
2794
2795 if ((ct->status & IPS_SEQ_ADJUST) &&
2796 ctnetlink_dump_ct_seq_adj(skb, ct) < 0)
2797 goto nla_put_failure;
2798
2799 if (ctnetlink_dump_ct_synproxy(skb, ct) < 0)
2800 goto nla_put_failure;
2801
2802#ifdef CONFIG_NF_CONNTRACK_MARK
2803 if (ct->mark && ctnetlink_dump_mark(skb, ct) < 0)
2804 goto nla_put_failure;
2805#endif
2806 if (ctnetlink_dump_labels(skb, ct) < 0)
2807 goto nla_put_failure;
2808 return 0;
2809
2810nla_put_failure:
2811 return -ENOSPC;
2812}
2813
2814static int
2815ctnetlink_glue_build(struct sk_buff *skb, struct nf_conn *ct,
2816 enum ip_conntrack_info ctinfo,
2817 u_int16_t ct_attr, u_int16_t ct_info_attr)
2818{
2819 struct nlattr *nest_parms;
2820
2821 nest_parms = nla_nest_start(skb, ct_attr);
2822 if (!nest_parms)
2823 goto nla_put_failure;
2824
2825 if (__ctnetlink_glue_build(skb, ct) < 0)
2826 goto nla_put_failure;
2827
2828 nla_nest_end(skb, nest_parms);
2829
2830 if (nla_put_be32(skb, ct_info_attr, htonl(ctinfo)))
2831 goto nla_put_failure;
2832
2833 return 0;
2834
2835nla_put_failure:
2836 return -ENOSPC;
2837}
2838
2839static int
2840ctnetlink_update_status(struct nf_conn *ct, const struct nlattr * const cda[])
2841{
2842 unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS]));
2843 unsigned long d = ct->status ^ status;
2844
2845 if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY))
2846
2847 return -EBUSY;
2848
2849 if (d & IPS_ASSURED && !(status & IPS_ASSURED))
2850
2851 return -EBUSY;
2852
2853
2854
2855
2856
2857
2858
2859 __ctnetlink_change_status(ct, status, ~status);
2860 return 0;
2861}
2862
2863static int
2864ctnetlink_glue_parse_ct(const struct nlattr *cda[], struct nf_conn *ct)
2865{
2866 int err;
2867
2868 if (cda[CTA_TIMEOUT]) {
2869 err = ctnetlink_change_timeout(ct, cda);
2870 if (err < 0)
2871 return err;
2872 }
2873 if (cda[CTA_STATUS]) {
2874 err = ctnetlink_update_status(ct, cda);
2875 if (err < 0)
2876 return err;
2877 }
2878 if (cda[CTA_HELP]) {
2879 err = ctnetlink_change_helper(ct, cda);
2880 if (err < 0)
2881 return err;
2882 }
2883 if (cda[CTA_LABELS]) {
2884 err = ctnetlink_attach_labels(ct, cda);
2885 if (err < 0)
2886 return err;
2887 }
2888#if defined(CONFIG_NF_CONNTRACK_MARK)
2889 if (cda[CTA_MARK]) {
2890 ctnetlink_change_mark(ct, cda);
2891 }
2892#endif
2893 return 0;
2894}
2895
2896static int
2897ctnetlink_glue_parse(const struct nlattr *attr, struct nf_conn *ct)
2898{
2899 struct nlattr *cda[CTA_MAX+1];
2900 int ret;
2901
2902 ret = nla_parse_nested_deprecated(cda, CTA_MAX, attr, ct_nla_policy,
2903 NULL);
2904 if (ret < 0)
2905 return ret;
2906
2907 return ctnetlink_glue_parse_ct((const struct nlattr **)cda, ct);
2908}
2909
2910static int ctnetlink_glue_exp_parse(const struct nlattr * const *cda,
2911 const struct nf_conn *ct,
2912 struct nf_conntrack_tuple *tuple,
2913 struct nf_conntrack_tuple *mask)
2914{
2915 int err;
2916
2917 err = ctnetlink_parse_tuple(cda, tuple, CTA_EXPECT_TUPLE,
2918 nf_ct_l3num(ct), NULL);
2919 if (err < 0)
2920 return err;
2921
2922 return ctnetlink_parse_tuple(cda, mask, CTA_EXPECT_MASK,
2923 nf_ct_l3num(ct), NULL);
2924}
2925
2926static int
2927ctnetlink_glue_attach_expect(const struct nlattr *attr, struct nf_conn *ct,
2928 u32 portid, u32 report)
2929{
2930 struct nlattr *cda[CTA_EXPECT_MAX+1];
2931 struct nf_conntrack_tuple tuple, mask;
2932 struct nf_conntrack_helper *helper = NULL;
2933 struct nf_conntrack_expect *exp;
2934 int err;
2935
2936 err = nla_parse_nested_deprecated(cda, CTA_EXPECT_MAX, attr,
2937 exp_nla_policy, NULL);
2938 if (err < 0)
2939 return err;
2940
2941 err = ctnetlink_glue_exp_parse((const struct nlattr * const *)cda,
2942 ct, &tuple, &mask);
2943 if (err < 0)
2944 return err;
2945
2946 if (cda[CTA_EXPECT_HELP_NAME]) {
2947 const char *helpname = nla_data(cda[CTA_EXPECT_HELP_NAME]);
2948
2949 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
2950 nf_ct_protonum(ct));
2951 if (helper == NULL)
2952 return -EOPNOTSUPP;
2953 }
2954
2955 exp = ctnetlink_alloc_expect((const struct nlattr * const *)cda, ct,
2956 helper, &tuple, &mask);
2957 if (IS_ERR(exp))
2958 return PTR_ERR(exp);
2959
2960 err = nf_ct_expect_related_report(exp, portid, report);
2961 nf_ct_expect_put(exp);
2962 return err;
2963}
2964
2965static void ctnetlink_glue_seqadj(struct sk_buff *skb, struct nf_conn *ct,
2966 enum ip_conntrack_info ctinfo, int diff)
2967{
2968 if (!(ct->status & IPS_NAT_MASK))
2969 return;
2970
2971 nf_ct_tcp_seqadj_set(skb, ct, ctinfo, diff);
2972}
2973
2974static struct nfnl_ct_hook ctnetlink_glue_hook = {
2975 .get_ct = ctnetlink_glue_get_ct,
2976 .build_size = ctnetlink_glue_build_size,
2977 .build = ctnetlink_glue_build,
2978 .parse = ctnetlink_glue_parse,
2979 .attach_expect = ctnetlink_glue_attach_expect,
2980 .seq_adjust = ctnetlink_glue_seqadj,
2981};
2982#endif
2983
2984
2985
2986
2987
2988static int ctnetlink_exp_dump_tuple(struct sk_buff *skb,
2989 const struct nf_conntrack_tuple *tuple,
2990 u32 type)
2991{
2992 struct nlattr *nest_parms;
2993
2994 nest_parms = nla_nest_start(skb, type);
2995 if (!nest_parms)
2996 goto nla_put_failure;
2997 if (ctnetlink_dump_tuples(skb, tuple) < 0)
2998 goto nla_put_failure;
2999 nla_nest_end(skb, nest_parms);
3000
3001 return 0;
3002
3003nla_put_failure:
3004 return -1;
3005}
3006
3007static int ctnetlink_exp_dump_mask(struct sk_buff *skb,
3008 const struct nf_conntrack_tuple *tuple,
3009 const struct nf_conntrack_tuple_mask *mask)
3010{
3011 const struct nf_conntrack_l4proto *l4proto;
3012 struct nf_conntrack_tuple m;
3013 struct nlattr *nest_parms;
3014 int ret;
3015
3016 memset(&m, 0xFF, sizeof(m));
3017 memcpy(&m.src.u3, &mask->src.u3, sizeof(m.src.u3));
3018 m.src.u.all = mask->src.u.all;
3019 m.src.l3num = tuple->src.l3num;
3020 m.dst.protonum = tuple->dst.protonum;
3021
3022 nest_parms = nla_nest_start(skb, CTA_EXPECT_MASK);
3023 if (!nest_parms)
3024 goto nla_put_failure;
3025
3026 rcu_read_lock();
3027 ret = ctnetlink_dump_tuples_ip(skb, &m);
3028 if (ret >= 0) {
3029 l4proto = __nf_ct_l4proto_find(tuple->dst.protonum);
3030 ret = ctnetlink_dump_tuples_proto(skb, &m, l4proto);
3031 }
3032 rcu_read_unlock();
3033
3034 if (unlikely(ret < 0))
3035 goto nla_put_failure;
3036
3037 nla_nest_end(skb, nest_parms);
3038
3039 return 0;
3040
3041nla_put_failure:
3042 return -1;
3043}
3044
3045static const union nf_inet_addr any_addr;
3046
3047static __be32 nf_expect_get_id(const struct nf_conntrack_expect *exp)
3048{
3049 static __read_mostly siphash_key_t exp_id_seed;
3050 unsigned long a, b, c, d;
3051
3052 net_get_random_once(&exp_id_seed, sizeof(exp_id_seed));
3053
3054 a = (unsigned long)exp;
3055 b = (unsigned long)exp->helper;
3056 c = (unsigned long)exp->master;
3057 d = (unsigned long)siphash(&exp->tuple, sizeof(exp->tuple), &exp_id_seed);
3058
3059#ifdef CONFIG_64BIT
3060 return (__force __be32)siphash_4u64((u64)a, (u64)b, (u64)c, (u64)d, &exp_id_seed);
3061#else
3062 return (__force __be32)siphash_4u32((u32)a, (u32)b, (u32)c, (u32)d, &exp_id_seed);
3063#endif
3064}
3065
3066static int
3067ctnetlink_exp_dump_expect(struct sk_buff *skb,
3068 const struct nf_conntrack_expect *exp)
3069{
3070 struct nf_conn *master = exp->master;
3071 long timeout = ((long)exp->timeout.expires - (long)jiffies) / HZ;
3072 struct nf_conn_help *help;
3073#ifdef CONFIG_NF_NAT_NEEDED
3074 struct nlattr *nest_parms;
3075 struct nf_conntrack_tuple nat_tuple = {};
3076#endif
3077 struct nf_ct_helper_expectfn *expfn;
3078
3079 if (timeout < 0)
3080 timeout = 0;
3081
3082 if (ctnetlink_exp_dump_tuple(skb, &exp->tuple, CTA_EXPECT_TUPLE) < 0)
3083 goto nla_put_failure;
3084 if (ctnetlink_exp_dump_mask(skb, &exp->tuple, &exp->mask) < 0)
3085 goto nla_put_failure;
3086 if (ctnetlink_exp_dump_tuple(skb,
3087 &master->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
3088 CTA_EXPECT_MASTER) < 0)
3089 goto nla_put_failure;
3090
3091#ifdef CONFIG_NF_NAT_NEEDED
3092 if (!nf_inet_addr_cmp(&exp->saved_addr, &any_addr) ||
3093 exp->saved_proto.all) {
3094 nest_parms = nla_nest_start(skb, CTA_EXPECT_NAT);
3095 if (!nest_parms)
3096 goto nla_put_failure;
3097
3098 if (nla_put_be32(skb, CTA_EXPECT_NAT_DIR, htonl(exp->dir)))
3099 goto nla_put_failure;
3100
3101 nat_tuple.src.l3num = nf_ct_l3num(master);
3102 nat_tuple.src.u3 = exp->saved_addr;
3103 nat_tuple.dst.protonum = nf_ct_protonum(master);
3104 nat_tuple.src.u = exp->saved_proto;
3105
3106 if (ctnetlink_exp_dump_tuple(skb, &nat_tuple,
3107 CTA_EXPECT_NAT_TUPLE) < 0)
3108 goto nla_put_failure;
3109 nla_nest_end(skb, nest_parms);
3110 }
3111#endif
3112 if (nla_put_be32(skb, CTA_EXPECT_TIMEOUT, htonl(timeout)) ||
3113 nla_put_be32(skb, CTA_EXPECT_ID, nf_expect_get_id(exp)) ||
3114 nla_put_be32(skb, CTA_EXPECT_FLAGS, htonl(exp->flags)) ||
3115 nla_put_be32(skb, CTA_EXPECT_CLASS, htonl(exp->class)))
3116 goto nla_put_failure;
3117 help = nfct_help(master);
3118 if (help) {
3119 struct nf_conntrack_helper *helper;
3120
3121 helper = rcu_dereference(help->helper);
3122 if (helper &&
3123 nla_put_string(skb, CTA_EXPECT_HELP_NAME, helper->name))
3124 goto nla_put_failure;
3125 }
3126 expfn = nf_ct_helper_expectfn_find_by_symbol(exp->expectfn);
3127 if (expfn != NULL &&
3128 nla_put_string(skb, CTA_EXPECT_FN, expfn->name))
3129 goto nla_put_failure;
3130
3131 return 0;
3132
3133nla_put_failure:
3134 return -1;
3135}
3136
3137static int
3138ctnetlink_exp_fill_info(struct sk_buff *skb, u32 portid, u32 seq,
3139 int event, const struct nf_conntrack_expect *exp)
3140{
3141 struct nlmsghdr *nlh;
3142 struct nfgenmsg *nfmsg;
3143 unsigned int flags = portid ? NLM_F_MULTI : 0;
3144
3145 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_EXP, event);
3146 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
3147 if (nlh == NULL)
3148 goto nlmsg_failure;
3149
3150 nfmsg = nlmsg_data(nlh);
3151 nfmsg->nfgen_family = exp->tuple.src.l3num;
3152 nfmsg->version = NFNETLINK_V0;
3153 nfmsg->res_id = 0;
3154
3155 if (ctnetlink_exp_dump_expect(skb, exp) < 0)
3156 goto nla_put_failure;
3157
3158 nlmsg_end(skb, nlh);
3159 return skb->len;
3160
3161nlmsg_failure:
3162nla_put_failure:
3163 nlmsg_cancel(skb, nlh);
3164 return -1;
3165}
3166
3167#ifdef CONFIG_NF_CONNTRACK_EVENTS
3168static int
3169ctnetlink_expect_event(unsigned int events, struct nf_exp_event *item)
3170{
3171 struct nf_conntrack_expect *exp = item->exp;
3172 struct net *net = nf_ct_exp_net(exp);
3173 struct nlmsghdr *nlh;
3174 struct nfgenmsg *nfmsg;
3175 struct sk_buff *skb;
3176 unsigned int type, group;
3177 int flags = 0;
3178
3179 if (events & (1 << IPEXP_DESTROY)) {
3180 type = IPCTNL_MSG_EXP_DELETE;
3181 group = NFNLGRP_CONNTRACK_EXP_DESTROY;
3182 } else if (events & (1 << IPEXP_NEW)) {
3183 type = IPCTNL_MSG_EXP_NEW;
3184 flags = NLM_F_CREATE|NLM_F_EXCL;
3185 group = NFNLGRP_CONNTRACK_EXP_NEW;
3186 } else
3187 return 0;
3188
3189 if (!item->report && !nfnetlink_has_listeners(net, group))
3190 return 0;
3191
3192 skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
3193 if (skb == NULL)
3194 goto errout;
3195
3196 type = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_EXP, type);
3197 nlh = nlmsg_put(skb, item->portid, 0, type, sizeof(*nfmsg), flags);
3198 if (nlh == NULL)
3199 goto nlmsg_failure;
3200
3201 nfmsg = nlmsg_data(nlh);
3202 nfmsg->nfgen_family = exp->tuple.src.l3num;
3203 nfmsg->version = NFNETLINK_V0;
3204 nfmsg->res_id = 0;
3205
3206 if (ctnetlink_exp_dump_expect(skb, exp) < 0)
3207 goto nla_put_failure;
3208
3209 nlmsg_end(skb, nlh);
3210 nfnetlink_send(skb, net, item->portid, group, item->report, GFP_ATOMIC);
3211 return 0;
3212
3213nla_put_failure:
3214 nlmsg_cancel(skb, nlh);
3215nlmsg_failure:
3216 kfree_skb(skb);
3217errout:
3218 nfnetlink_set_err(net, 0, 0, -ENOBUFS);
3219 return 0;
3220}
3221#endif
3222static int ctnetlink_exp_done(struct netlink_callback *cb)
3223{
3224 if (cb->args[1])
3225 nf_ct_expect_put((struct nf_conntrack_expect *)cb->args[1]);
3226 return 0;
3227}
3228
3229static int
3230ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
3231{
3232 struct net *net = sock_net(skb->sk);
3233 struct nf_conntrack_expect *exp, *last;
3234 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
3235 u_int8_t l3proto = nfmsg->nfgen_family;
3236
3237 rcu_read_lock();
3238 last = (struct nf_conntrack_expect *)cb->args[1];
3239 for (; cb->args[0] < nf_ct_expect_hsize; cb->args[0]++) {
3240restart:
3241 hlist_for_each_entry_rcu(exp, &nf_ct_expect_hash[cb->args[0]],
3242 hnode) {
3243 if (l3proto && exp->tuple.src.l3num != l3proto)
3244 continue;
3245
3246 if (!net_eq(nf_ct_net(exp->master), net))
3247 continue;
3248
3249 if (cb->args[1]) {
3250 if (exp != last)
3251 continue;
3252 cb->args[1] = 0;
3253 }
3254 if (ctnetlink_exp_fill_info(skb,
3255 NETLINK_CB(cb->skb).portid,
3256 cb->nlh->nlmsg_seq,
3257 IPCTNL_MSG_EXP_NEW,
3258 exp) < 0) {
3259 if (!refcount_inc_not_zero(&exp->use))
3260 continue;
3261 cb->args[1] = (unsigned long)exp;
3262 goto out;
3263 }
3264 }
3265 if (cb->args[1]) {
3266 cb->args[1] = 0;
3267 goto restart;
3268 }
3269 }
3270out:
3271 rcu_read_unlock();
3272 if (last)
3273 nf_ct_expect_put(last);
3274
3275 return skb->len;
3276}
3277
3278static int
3279ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
3280{
3281 struct nf_conntrack_expect *exp, *last;
3282 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
3283 struct nf_conn *ct = cb->data;
3284 struct nf_conn_help *help = nfct_help(ct);
3285 u_int8_t l3proto = nfmsg->nfgen_family;
3286
3287 if (cb->args[0])
3288 return 0;
3289
3290 rcu_read_lock();
3291 last = (struct nf_conntrack_expect *)cb->args[1];
3292restart:
3293 hlist_for_each_entry_rcu(exp, &help->expectations, lnode) {
3294 if (l3proto && exp->tuple.src.l3num != l3proto)
3295 continue;
3296 if (cb->args[1]) {
3297 if (exp != last)
3298 continue;
3299 cb->args[1] = 0;
3300 }
3301 if (ctnetlink_exp_fill_info(skb, NETLINK_CB(cb->skb).portid,
3302 cb->nlh->nlmsg_seq,
3303 IPCTNL_MSG_EXP_NEW,
3304 exp) < 0) {
3305 if (!refcount_inc_not_zero(&exp->use))
3306 continue;
3307 cb->args[1] = (unsigned long)exp;
3308 goto out;
3309 }
3310 }
3311 if (cb->args[1]) {
3312 cb->args[1] = 0;
3313 goto restart;
3314 }
3315 cb->args[0] = 1;
3316out:
3317 rcu_read_unlock();
3318 if (last)
3319 nf_ct_expect_put(last);
3320
3321 return skb->len;
3322}
3323
3324static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl,
3325 struct sk_buff *skb,
3326 const struct nlmsghdr *nlh,
3327 const struct nlattr * const cda[],
3328 struct netlink_ext_ack *extack)
3329{
3330 int err;
3331 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3332 u_int8_t u3 = nfmsg->nfgen_family;
3333 struct nf_conntrack_tuple tuple;
3334 struct nf_conntrack_tuple_hash *h;
3335 struct nf_conn *ct;
3336 struct nf_conntrack_zone zone;
3337 struct netlink_dump_control c = {
3338 .dump = ctnetlink_exp_ct_dump_table,
3339 .done = ctnetlink_exp_done,
3340 };
3341
3342 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER,
3343 u3, NULL);
3344 if (err < 0)
3345 return err;
3346
3347 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
3348 if (err < 0)
3349 return err;
3350
3351 h = nf_conntrack_find_get(net, &zone, &tuple);
3352 if (!h)
3353 return -ENOENT;
3354
3355 ct = nf_ct_tuplehash_to_ctrack(h);
3356
3357 if (!nfct_help(ct)) {
3358 nf_ct_put(ct);
3359 return 0;
3360 }
3361
3362 c.data = ct;
3363
3364 err = netlink_dump_start(ctnl, skb, nlh, &c);
3365 nf_ct_put(ct);
3366
3367 return err;
3368}
3369
3370static int ctnetlink_get_expect(struct net *net, struct sock *ctnl,
3371 struct sk_buff *skb, const struct nlmsghdr *nlh,
3372 const struct nlattr * const cda[],
3373 struct netlink_ext_ack *extack)
3374{
3375 struct nf_conntrack_tuple tuple;
3376 struct nf_conntrack_expect *exp;
3377 struct sk_buff *skb2;
3378 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3379 u_int8_t u3 = nfmsg->nfgen_family;
3380 struct nf_conntrack_zone zone;
3381 int err;
3382
3383 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3384 if (cda[CTA_EXPECT_MASTER])
3385 return ctnetlink_dump_exp_ct(net, ctnl, skb, nlh, cda,
3386 extack);
3387 else {
3388 struct netlink_dump_control c = {
3389 .dump = ctnetlink_exp_dump_table,
3390 .done = ctnetlink_exp_done,
3391 };
3392 return netlink_dump_start(ctnl, skb, nlh, &c);
3393 }
3394 }
3395
3396 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
3397 if (err < 0)
3398 return err;
3399
3400 if (cda[CTA_EXPECT_TUPLE])
3401 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE,
3402 u3, NULL);
3403 else if (cda[CTA_EXPECT_MASTER])
3404 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER,
3405 u3, NULL);
3406 else
3407 return -EINVAL;
3408
3409 if (err < 0)
3410 return err;
3411
3412 exp = nf_ct_expect_find_get(net, &zone, &tuple);
3413 if (!exp)
3414 return -ENOENT;
3415
3416 if (cda[CTA_EXPECT_ID]) {
3417 __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);
3418
3419 if (id != nf_expect_get_id(exp)) {
3420 nf_ct_expect_put(exp);
3421 return -ENOENT;
3422 }
3423 }
3424
3425 err = -ENOMEM;
3426 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3427 if (skb2 == NULL) {
3428 nf_ct_expect_put(exp);
3429 goto out;
3430 }
3431
3432 rcu_read_lock();
3433 err = ctnetlink_exp_fill_info(skb2, NETLINK_CB(skb).portid,
3434 nlh->nlmsg_seq, IPCTNL_MSG_EXP_NEW, exp);
3435 rcu_read_unlock();
3436 nf_ct_expect_put(exp);
3437 if (err <= 0)
3438 goto free;
3439
3440 err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
3441 if (err < 0)
3442 goto out;
3443
3444 return 0;
3445
3446free:
3447 kfree_skb(skb2);
3448out:
3449
3450 return err == -EAGAIN ? -ENOBUFS : err;
3451}
3452
3453static bool expect_iter_name(struct nf_conntrack_expect *exp, void *data)
3454{
3455 const struct nf_conn_help *m_help;
3456 const char *name = data;
3457
3458 m_help = nfct_help(exp->master);
3459
3460 return strcmp(m_help->helper->name, name) == 0;
3461}
3462
3463static bool expect_iter_all(struct nf_conntrack_expect *exp, void *data)
3464{
3465 return true;
3466}
3467
3468static int ctnetlink_del_expect(struct net *net, struct sock *ctnl,
3469 struct sk_buff *skb, const struct nlmsghdr *nlh,
3470 const struct nlattr * const cda[],
3471 struct netlink_ext_ack *extack)
3472{
3473 struct nf_conntrack_expect *exp;
3474 struct nf_conntrack_tuple tuple;
3475 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3476 u_int8_t u3 = nfmsg->nfgen_family;
3477 struct nf_conntrack_zone zone;
3478 int err;
3479
3480 if (cda[CTA_EXPECT_TUPLE]) {
3481
3482 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
3483 if (err < 0)
3484 return err;
3485
3486 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE,
3487 u3, NULL);
3488 if (err < 0)
3489 return err;
3490
3491
3492 exp = nf_ct_expect_find_get(net, &zone, &tuple);
3493 if (!exp)
3494 return -ENOENT;
3495
3496 if (cda[CTA_EXPECT_ID]) {
3497 __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);
3498 if (ntohl(id) != (u32)(unsigned long)exp) {
3499 nf_ct_expect_put(exp);
3500 return -ENOENT;
3501 }
3502 }
3503
3504
3505 spin_lock_bh(&nf_conntrack_expect_lock);
3506 if (del_timer(&exp->timeout)) {
3507 nf_ct_unlink_expect_report(exp, NETLINK_CB(skb).portid,
3508 nlmsg_report(nlh));
3509 nf_ct_expect_put(exp);
3510 }
3511 spin_unlock_bh(&nf_conntrack_expect_lock);
3512
3513
3514 nf_ct_expect_put(exp);
3515 } else if (cda[CTA_EXPECT_HELP_NAME]) {
3516 char *name = nla_data(cda[CTA_EXPECT_HELP_NAME]);
3517
3518 nf_ct_expect_iterate_net(net, expect_iter_name, name,
3519 NETLINK_CB(skb).portid,
3520 nlmsg_report(nlh));
3521 } else {
3522
3523 nf_ct_expect_iterate_net(net, expect_iter_all, NULL,
3524 NETLINK_CB(skb).portid,
3525 nlmsg_report(nlh));
3526 }
3527
3528 return 0;
3529}
3530static int
3531ctnetlink_change_expect(struct nf_conntrack_expect *x,
3532 const struct nlattr * const cda[])
3533{
3534 if (cda[CTA_EXPECT_TIMEOUT]) {
3535 if (!del_timer(&x->timeout))
3536 return -ETIME;
3537
3538 x->timeout.expires = jiffies +
3539 ntohl(nla_get_be32(cda[CTA_EXPECT_TIMEOUT])) * HZ;
3540 add_timer(&x->timeout);
3541 }
3542 return 0;
3543}
3544
3545static const struct nla_policy exp_nat_nla_policy[CTA_EXPECT_NAT_MAX+1] = {
3546 [CTA_EXPECT_NAT_DIR] = { .type = NLA_U32 },
3547 [CTA_EXPECT_NAT_TUPLE] = { .type = NLA_NESTED },
3548};
3549
3550static int
3551ctnetlink_parse_expect_nat(const struct nlattr *attr,
3552 struct nf_conntrack_expect *exp,
3553 u_int8_t u3)
3554{
3555#ifdef CONFIG_NF_NAT_NEEDED
3556 struct nlattr *tb[CTA_EXPECT_NAT_MAX+1];
3557 struct nf_conntrack_tuple nat_tuple = {};
3558 int err;
3559
3560 err = nla_parse_nested_deprecated(tb, CTA_EXPECT_NAT_MAX, attr,
3561 exp_nat_nla_policy, NULL);
3562 if (err < 0)
3563 return err;
3564
3565 if (!tb[CTA_EXPECT_NAT_DIR] || !tb[CTA_EXPECT_NAT_TUPLE])
3566 return -EINVAL;
3567
3568 err = ctnetlink_parse_tuple((const struct nlattr * const *)tb,
3569 &nat_tuple, CTA_EXPECT_NAT_TUPLE,
3570 u3, NULL);
3571 if (err < 0)
3572 return err;
3573
3574 exp->saved_addr = nat_tuple.src.u3;
3575 exp->saved_proto = nat_tuple.src.u;
3576 exp->dir = ntohl(nla_get_be32(tb[CTA_EXPECT_NAT_DIR]));
3577
3578 return 0;
3579#else
3580 return -EOPNOTSUPP;
3581#endif
3582}
3583
3584static struct nf_conntrack_expect *
3585ctnetlink_alloc_expect(const struct nlattr * const cda[], struct nf_conn *ct,
3586 struct nf_conntrack_helper *helper,
3587 struct nf_conntrack_tuple *tuple,
3588 struct nf_conntrack_tuple *mask)
3589{
3590 u_int32_t class = 0;
3591 struct nf_conntrack_expect *exp;
3592 struct nf_conn_help *help;
3593 int err;
3594
3595 help = nfct_help(ct);
3596 if (!help)
3597 return ERR_PTR(-EOPNOTSUPP);
3598
3599 if (cda[CTA_EXPECT_CLASS] && helper) {
3600 class = ntohl(nla_get_be32(cda[CTA_EXPECT_CLASS]));
3601 if (class > helper->expect_class_max)
3602 return ERR_PTR(-EINVAL);
3603 }
3604 exp = nf_ct_expect_alloc(ct);
3605 if (!exp)
3606 return ERR_PTR(-ENOMEM);
3607
3608 if (cda[CTA_EXPECT_FLAGS]) {
3609 exp->flags = ntohl(nla_get_be32(cda[CTA_EXPECT_FLAGS]));
3610 exp->flags &= ~NF_CT_EXPECT_USERSPACE;
3611 } else {
3612 exp->flags = 0;
3613 }
3614 if (cda[CTA_EXPECT_FN]) {
3615 const char *name = nla_data(cda[CTA_EXPECT_FN]);
3616 struct nf_ct_helper_expectfn *expfn;
3617
3618 expfn = nf_ct_helper_expectfn_find_by_name(name);
3619 if (expfn == NULL) {
3620 err = -EINVAL;
3621 goto err_out;
3622 }
3623 exp->expectfn = expfn->expectfn;
3624 } else
3625 exp->expectfn = NULL;
3626
3627 exp->class = class;
3628 exp->master = ct;
3629 exp->helper = helper;
3630 exp->tuple = *tuple;
3631 exp->mask.src.u3 = mask->src.u3;
3632 exp->mask.src.u.all = mask->src.u.all;
3633
3634 if (cda[CTA_EXPECT_NAT]) {
3635 err = ctnetlink_parse_expect_nat(cda[CTA_EXPECT_NAT],
3636 exp, nf_ct_l3num(ct));
3637 if (err < 0)
3638 goto err_out;
3639 }
3640 return exp;
3641err_out:
3642 nf_ct_expect_put(exp);
3643 return ERR_PTR(err);
3644}
3645
3646static int
3647ctnetlink_create_expect(struct net *net,
3648 const struct nf_conntrack_zone *zone,
3649 const struct nlattr * const cda[],
3650 u_int8_t u3, u32 portid, int report)
3651{
3652 struct nf_conntrack_tuple tuple, mask, master_tuple;
3653 struct nf_conntrack_tuple_hash *h = NULL;
3654 struct nf_conntrack_helper *helper = NULL;
3655 struct nf_conntrack_expect *exp;
3656 struct nf_conn *ct;
3657 int err;
3658
3659
3660 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE,
3661 u3, NULL);
3662 if (err < 0)
3663 return err;
3664 err = ctnetlink_parse_tuple(cda, &mask, CTA_EXPECT_MASK,
3665 u3, NULL);
3666 if (err < 0)
3667 return err;
3668 err = ctnetlink_parse_tuple(cda, &master_tuple, CTA_EXPECT_MASTER,
3669 u3, NULL);
3670 if (err < 0)
3671 return err;
3672
3673
3674 h = nf_conntrack_find_get(net, zone, &master_tuple);
3675 if (!h)
3676 return -ENOENT;
3677 ct = nf_ct_tuplehash_to_ctrack(h);
3678
3679 rcu_read_lock();
3680 if (cda[CTA_EXPECT_HELP_NAME]) {
3681 const char *helpname = nla_data(cda[CTA_EXPECT_HELP_NAME]);
3682
3683 helper = __nf_conntrack_helper_find(helpname, u3,
3684 nf_ct_protonum(ct));
3685 if (helper == NULL) {
3686 rcu_read_unlock();
3687#ifdef CONFIG_MODULES
3688 if (request_module("nfct-helper-%s", helpname) < 0) {
3689 err = -EOPNOTSUPP;
3690 goto err_ct;
3691 }
3692 rcu_read_lock();
3693 helper = __nf_conntrack_helper_find(helpname, u3,
3694 nf_ct_protonum(ct));
3695 if (helper) {
3696 err = -EAGAIN;
3697 goto err_rcu;
3698 }
3699 rcu_read_unlock();
3700#endif
3701 err = -EOPNOTSUPP;
3702 goto err_ct;
3703 }
3704 }
3705
3706 exp = ctnetlink_alloc_expect(cda, ct, helper, &tuple, &mask);
3707 if (IS_ERR(exp)) {
3708 err = PTR_ERR(exp);
3709 goto err_rcu;
3710 }
3711
3712 err = nf_ct_expect_related_report(exp, portid, report);
3713 nf_ct_expect_put(exp);
3714err_rcu:
3715 rcu_read_unlock();
3716err_ct:
3717 nf_ct_put(ct);
3718 return err;
3719}
3720
3721static int ctnetlink_new_expect(struct net *net, struct sock *ctnl,
3722 struct sk_buff *skb, const struct nlmsghdr *nlh,
3723 const struct nlattr * const cda[],
3724 struct netlink_ext_ack *extack)
3725{
3726 struct nf_conntrack_tuple tuple;
3727 struct nf_conntrack_expect *exp;
3728 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3729 u_int8_t u3 = nfmsg->nfgen_family;
3730 struct nf_conntrack_zone zone;
3731 int err;
3732
3733 if (!cda[CTA_EXPECT_TUPLE]
3734 || !cda[CTA_EXPECT_MASK]
3735 || !cda[CTA_EXPECT_MASTER])
3736 return -EINVAL;
3737
3738 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
3739 if (err < 0)
3740 return err;
3741
3742 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE,
3743 u3, NULL);
3744 if (err < 0)
3745 return err;
3746
3747 spin_lock_bh(&nf_conntrack_expect_lock);
3748 exp = __nf_ct_expect_find(net, &zone, &tuple);
3749 if (!exp) {
3750 spin_unlock_bh(&nf_conntrack_expect_lock);
3751 err = -ENOENT;
3752 if (nlh->nlmsg_flags & NLM_F_CREATE) {
3753 err = ctnetlink_create_expect(net, &zone, cda, u3,
3754 NETLINK_CB(skb).portid,
3755 nlmsg_report(nlh));
3756 }
3757 return err;
3758 }
3759
3760 err = -EEXIST;
3761 if (!(nlh->nlmsg_flags & NLM_F_EXCL))
3762 err = ctnetlink_change_expect(exp, cda);
3763 spin_unlock_bh(&nf_conntrack_expect_lock);
3764
3765 return err;
3766}
3767
3768static int
3769ctnetlink_exp_stat_fill_info(struct sk_buff *skb, u32 portid, u32 seq, int cpu,
3770 const struct ip_conntrack_stat *st)
3771{
3772 struct nlmsghdr *nlh;
3773 struct nfgenmsg *nfmsg;
3774 unsigned int flags = portid ? NLM_F_MULTI : 0, event;
3775
3776 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK,
3777 IPCTNL_MSG_EXP_GET_STATS_CPU);
3778 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
3779 if (nlh == NULL)
3780 goto nlmsg_failure;
3781
3782 nfmsg = nlmsg_data(nlh);
3783 nfmsg->nfgen_family = AF_UNSPEC;
3784 nfmsg->version = NFNETLINK_V0;
3785 nfmsg->res_id = htons(cpu);
3786
3787 if (nla_put_be32(skb, CTA_STATS_EXP_NEW, htonl(st->expect_new)) ||
3788 nla_put_be32(skb, CTA_STATS_EXP_CREATE, htonl(st->expect_create)) ||
3789 nla_put_be32(skb, CTA_STATS_EXP_DELETE, htonl(st->expect_delete)))
3790 goto nla_put_failure;
3791
3792 nlmsg_end(skb, nlh);
3793 return skb->len;
3794
3795nla_put_failure:
3796nlmsg_failure:
3797 nlmsg_cancel(skb, nlh);
3798 return -1;
3799}
3800
3801static int
3802ctnetlink_exp_stat_cpu_dump(struct sk_buff *skb, struct netlink_callback *cb)
3803{
3804 int cpu;
3805 struct net *net = sock_net(skb->sk);
3806
3807 if (cb->args[0] == nr_cpu_ids)
3808 return 0;
3809
3810 for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) {
3811 const struct ip_conntrack_stat *st;
3812
3813 if (!cpu_possible(cpu))
3814 continue;
3815
3816 st = per_cpu_ptr(net->ct.stat, cpu);
3817 if (ctnetlink_exp_stat_fill_info(skb, NETLINK_CB(cb->skb).portid,
3818 cb->nlh->nlmsg_seq,
3819 cpu, st) < 0)
3820 break;
3821 }
3822 cb->args[0] = cpu;
3823
3824 return skb->len;
3825}
3826
3827static int ctnetlink_stat_exp_cpu(struct net *net, struct sock *ctnl,
3828 struct sk_buff *skb,
3829 const struct nlmsghdr *nlh,
3830 const struct nlattr * const cda[],
3831 struct netlink_ext_ack *extack)
3832{
3833 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3834 struct netlink_dump_control c = {
3835 .dump = ctnetlink_exp_stat_cpu_dump,
3836 };
3837 return netlink_dump_start(ctnl, skb, nlh, &c);
3838 }
3839
3840 return 0;
3841}
3842
3843#ifdef CONFIG_NF_CONNTRACK_EVENTS
3844static struct nf_ct_event_notifier ctnl_notifier = {
3845 .fcn = ctnetlink_conntrack_event,
3846};
3847
3848static struct nf_exp_event_notifier ctnl_notifier_exp = {
3849 .fcn = ctnetlink_expect_event,
3850};
3851#endif
3852
3853static const struct nfnl_callback ctnl_cb[IPCTNL_MSG_MAX] = {
3854 [IPCTNL_MSG_CT_NEW] = { .call = ctnetlink_new_conntrack,
3855 .attr_count = CTA_MAX,
3856 .policy = ct_nla_policy },
3857 [IPCTNL_MSG_CT_GET] = { .call = ctnetlink_get_conntrack,
3858 .attr_count = CTA_MAX,
3859 .policy = ct_nla_policy },
3860 [IPCTNL_MSG_CT_DELETE] = { .call = ctnetlink_del_conntrack,
3861 .attr_count = CTA_MAX,
3862 .policy = ct_nla_policy },
3863 [IPCTNL_MSG_CT_GET_CTRZERO] = { .call = ctnetlink_get_conntrack,
3864 .attr_count = CTA_MAX,
3865 .policy = ct_nla_policy },
3866 [IPCTNL_MSG_CT_GET_STATS_CPU] = { .call = ctnetlink_stat_ct_cpu },
3867 [IPCTNL_MSG_CT_GET_STATS] = { .call = ctnetlink_stat_ct },
3868 [IPCTNL_MSG_CT_GET_DYING] = { .call = ctnetlink_get_ct_dying },
3869 [IPCTNL_MSG_CT_GET_UNCONFIRMED] = { .call = ctnetlink_get_ct_unconfirmed },
3870};
3871
3872static const struct nfnl_callback ctnl_exp_cb[IPCTNL_MSG_EXP_MAX] = {
3873 [IPCTNL_MSG_EXP_GET] = { .call = ctnetlink_get_expect,
3874 .attr_count = CTA_EXPECT_MAX,
3875 .policy = exp_nla_policy },
3876 [IPCTNL_MSG_EXP_NEW] = { .call = ctnetlink_new_expect,
3877 .attr_count = CTA_EXPECT_MAX,
3878 .policy = exp_nla_policy },
3879 [IPCTNL_MSG_EXP_DELETE] = { .call = ctnetlink_del_expect,
3880 .attr_count = CTA_EXPECT_MAX,
3881 .policy = exp_nla_policy },
3882 [IPCTNL_MSG_EXP_GET_STATS_CPU] = { .call = ctnetlink_stat_exp_cpu },
3883};
3884
3885static const struct nfnetlink_subsystem ctnl_subsys = {
3886 .name = "conntrack",
3887 .subsys_id = NFNL_SUBSYS_CTNETLINK,
3888 .cb_count = IPCTNL_MSG_MAX,
3889 .cb = ctnl_cb,
3890};
3891
3892static const struct nfnetlink_subsystem ctnl_exp_subsys = {
3893 .name = "conntrack_expect",
3894 .subsys_id = NFNL_SUBSYS_CTNETLINK_EXP,
3895 .cb_count = IPCTNL_MSG_EXP_MAX,
3896 .cb = ctnl_exp_cb,
3897};
3898
3899MODULE_ALIAS("ip_conntrack_netlink");
3900MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK);
3901MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK_EXP);
3902
3903static int __net_init ctnetlink_net_init(struct net *net)
3904{
3905#ifdef CONFIG_NF_CONNTRACK_EVENTS
3906 int ret;
3907
3908 ret = nf_conntrack_register_notifier(net, &ctnl_notifier);
3909 if (ret < 0) {
3910 pr_err("ctnetlink_init: cannot register notifier.\n");
3911 goto err_out;
3912 }
3913
3914 ret = nf_ct_expect_register_notifier(net, &ctnl_notifier_exp);
3915 if (ret < 0) {
3916 pr_err("ctnetlink_init: cannot expect register notifier.\n");
3917 goto err_unreg_notifier;
3918 }
3919#endif
3920 return 0;
3921
3922#ifdef CONFIG_NF_CONNTRACK_EVENTS
3923err_unreg_notifier:
3924 nf_conntrack_unregister_notifier(net, &ctnl_notifier);
3925err_out:
3926 return ret;
3927#endif
3928}
3929
3930static void ctnetlink_net_exit(struct net *net)
3931{
3932#ifdef CONFIG_NF_CONNTRACK_EVENTS
3933 nf_ct_expect_unregister_notifier(net, &ctnl_notifier_exp);
3934 nf_conntrack_unregister_notifier(net, &ctnl_notifier);
3935#endif
3936}
3937
3938static void __net_exit ctnetlink_net_exit_batch(struct list_head *net_exit_list)
3939{
3940 struct net *net;
3941
3942 list_for_each_entry(net, net_exit_list, exit_list)
3943 ctnetlink_net_exit(net);
3944
3945
3946 synchronize_rcu();
3947}
3948
3949static struct pernet_operations ctnetlink_net_ops = {
3950 .init = ctnetlink_net_init,
3951 .exit_batch = ctnetlink_net_exit_batch,
3952};
3953
3954static int __init ctnetlink_init(void)
3955{
3956 int ret;
3957
3958 ret = nfnetlink_subsys_register(&ctnl_subsys);
3959 if (ret < 0) {
3960 pr_err("ctnetlink_init: cannot register with nfnetlink.\n");
3961 goto err_out;
3962 }
3963
3964 ret = nfnetlink_subsys_register(&ctnl_exp_subsys);
3965 if (ret < 0) {
3966 pr_err("ctnetlink_init: cannot register exp with nfnetlink.\n");
3967 goto err_unreg_subsys;
3968 }
3969
3970 ret = register_pernet_subsys(&ctnetlink_net_ops);
3971 if (ret < 0) {
3972 pr_err("ctnetlink_init: cannot register pernet operations\n");
3973 goto err_unreg_exp_subsys;
3974 }
3975#ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT
3976
3977 RCU_INIT_POINTER(nfnl_ct_hook, &ctnetlink_glue_hook);
3978#endif
3979 return 0;
3980
3981err_unreg_exp_subsys:
3982 nfnetlink_subsys_unregister(&ctnl_exp_subsys);
3983err_unreg_subsys:
3984 nfnetlink_subsys_unregister(&ctnl_subsys);
3985err_out:
3986 return ret;
3987}
3988
3989static void __exit ctnetlink_exit(void)
3990{
3991 unregister_pernet_subsys(&ctnetlink_net_ops);
3992 nfnetlink_subsys_unregister(&ctnl_exp_subsys);
3993 nfnetlink_subsys_unregister(&ctnl_subsys);
3994#ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT
3995 RCU_INIT_POINTER(nfnl_ct_hook, NULL);
3996#endif
3997 synchronize_rcu();
3998}
3999
4000module_init(ctnetlink_init);
4001module_exit(ctnetlink_exit);
4002
