1
2
3
4
5
6
7
8
9
10
11
12
13#include <linux/types.h>
14#include <linux/netfilter.h>
15#include <linux/skbuff.h>
16#include <linux/proc_fs.h>
17#include <linux/seq_file.h>
18#include <linux/stddef.h>
19#include <linux/slab.h>
20#include <linux/err.h>
21#include <linux/percpu.h>
22#include <linux/kernel.h>
23#include <linux/jhash.h>
24#include <linux/moduleparam.h>
25#include <linux/export.h>
26#include <net/net_namespace.h>
27
28#include <net/netfilter/nf_conntrack.h>
29#include <net/netfilter/nf_conntrack_core.h>
30#include <net/netfilter/nf_conntrack_expect.h>
31#include <net/netfilter/nf_conntrack_helper.h>
32#include <net/netfilter/nf_conntrack_tuple.h>
33#include <net/netfilter/nf_conntrack_zones.h>
34
35unsigned int nf_ct_expect_hsize __read_mostly;
36EXPORT_SYMBOL_GPL(nf_ct_expect_hsize);
37
38unsigned int nf_ct_expect_max __read_mostly;
39
40static struct kmem_cache *nf_ct_expect_cachep __read_mostly;
41
42
43void nf_ct_unlink_expect_report(struct nf_conntrack_expect *exp,
44 u32 portid, int report)
45{
46 struct nf_conn_help *master_help = nfct_help(exp->master);
47 struct net *net = nf_ct_exp_net(exp);
48
49 NF_CT_ASSERT(master_help);
50 NF_CT_ASSERT(!timer_pending(&exp->timeout));
51
52 hlist_del_rcu(&exp->hnode);
53 net->ct.expect_count--;
54
55 hlist_del(&exp->lnode);
56 master_help->expecting[exp->class]--;
57
58 nf_ct_expect_event_report(IPEXP_DESTROY, exp, portid, report);
59 nf_ct_expect_put(exp);
60
61 NF_CT_STAT_INC(net, expect_delete);
62}
63EXPORT_SYMBOL_GPL(nf_ct_unlink_expect_report);
64
65static void nf_ct_expectation_timed_out(unsigned long ul_expect)
66{
67 struct nf_conntrack_expect *exp = (void *)ul_expect;
68
69 spin_lock_bh(&nf_conntrack_lock);
70 nf_ct_unlink_expect(exp);
71 spin_unlock_bh(&nf_conntrack_lock);
72 nf_ct_expect_put(exp);
73}
74
75static unsigned int nf_ct_expect_dst_hash(const struct nf_conntrack_tuple *tuple)
76{
77 unsigned int hash;
78
79 if (unlikely(!nf_conntrack_hash_rnd)) {
80 init_nf_conntrack_hash_rnd();
81 }
82
83 hash = jhash2(tuple->dst.u3.all, ARRAY_SIZE(tuple->dst.u3.all),
84 (((tuple->dst.protonum ^ tuple->src.l3num) << 16) |
85 (__force __u16)tuple->dst.u.all) ^ nf_conntrack_hash_rnd);
86 return ((u64)hash * nf_ct_expect_hsize) >> 32;
87}
88
89struct nf_conntrack_expect *
90__nf_ct_expect_find(struct net *net, u16 zone,
91 const struct nf_conntrack_tuple *tuple)
92{
93 struct nf_conntrack_expect *i;
94 unsigned int h;
95
96 if (!net->ct.expect_count)
97 return NULL;
98
99 h = nf_ct_expect_dst_hash(tuple);
100 hlist_for_each_entry_rcu(i, &net->ct.expect_hash[h], hnode) {
101 if (nf_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask) &&
102 nf_ct_zone(i->master) == zone)
103 return i;
104 }
105 return NULL;
106}
107EXPORT_SYMBOL_GPL(__nf_ct_expect_find);
108
109
110struct nf_conntrack_expect *
111nf_ct_expect_find_get(struct net *net, u16 zone,
112 const struct nf_conntrack_tuple *tuple)
113{
114 struct nf_conntrack_expect *i;
115
116 rcu_read_lock();
117 i = __nf_ct_expect_find(net, zone, tuple);
118 if (i && !atomic_inc_not_zero(&i->use))
119 i = NULL;
120 rcu_read_unlock();
121
122 return i;
123}
124EXPORT_SYMBOL_GPL(nf_ct_expect_find_get);
125
126
127
128struct nf_conntrack_expect *
129nf_ct_find_expectation(struct net *net, u16 zone,
130 const struct nf_conntrack_tuple *tuple)
131{
132 struct nf_conntrack_expect *i, *exp = NULL;
133 unsigned int h;
134
135 if (!net->ct.expect_count)
136 return NULL;
137
138 h = nf_ct_expect_dst_hash(tuple);
139 hlist_for_each_entry(i, &net->ct.expect_hash[h], hnode) {
140 if (!(i->flags & NF_CT_EXPECT_INACTIVE) &&
141 nf_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask) &&
142 nf_ct_zone(i->master) == zone) {
143 exp = i;
144 break;
145 }
146 }
147 if (!exp)
148 return NULL;
149
150
151
152
153
154
155 if (!nf_ct_is_confirmed(exp->master))
156 return NULL;
157
158 if (exp->flags & NF_CT_EXPECT_PERMANENT) {
159 atomic_inc(&exp->use);
160 return exp;
161 } else if (del_timer(&exp->timeout)) {
162 nf_ct_unlink_expect(exp);
163 return exp;
164 }
165
166 return NULL;
167}
168
169
170void nf_ct_remove_expectations(struct nf_conn *ct)
171{
172 struct nf_conn_help *help = nfct_help(ct);
173 struct nf_conntrack_expect *exp;
174 struct hlist_node *next;
175
176
177 if (!help)
178 return;
179
180 hlist_for_each_entry_safe(exp, next, &help->expectations, lnode) {
181 if (del_timer(&exp->timeout)) {
182 nf_ct_unlink_expect(exp);
183 nf_ct_expect_put(exp);
184 }
185 }
186}
187EXPORT_SYMBOL_GPL(nf_ct_remove_expectations);
188
189
190static inline int expect_clash(const struct nf_conntrack_expect *a,
191 const struct nf_conntrack_expect *b)
192{
193
194
195 struct nf_conntrack_tuple_mask intersect_mask;
196 int count;
197
198 intersect_mask.src.u.all = a->mask.src.u.all & b->mask.src.u.all;
199
200 for (count = 0; count < NF_CT_TUPLE_L3SIZE; count++){
201 intersect_mask.src.u3.all[count] =
202 a->mask.src.u3.all[count] & b->mask.src.u3.all[count];
203 }
204
205 return nf_ct_tuple_mask_cmp(&a->tuple, &b->tuple, &intersect_mask);
206}
207
208static inline int expect_matches(const struct nf_conntrack_expect *a,
209 const struct nf_conntrack_expect *b)
210{
211 return a->master == b->master && a->class == b->class &&
212 nf_ct_tuple_equal(&a->tuple, &b->tuple) &&
213 nf_ct_tuple_mask_equal(&a->mask, &b->mask) &&
214 nf_ct_zone(a->master) == nf_ct_zone(b->master);
215}
216
217
218void nf_ct_unexpect_related(struct nf_conntrack_expect *exp)
219{
220 spin_lock_bh(&nf_conntrack_lock);
221 if (del_timer(&exp->timeout)) {
222 nf_ct_unlink_expect(exp);
223 nf_ct_expect_put(exp);
224 }
225 spin_unlock_bh(&nf_conntrack_lock);
226}
227EXPORT_SYMBOL_GPL(nf_ct_unexpect_related);
228
229
230
231
232struct nf_conntrack_expect *nf_ct_expect_alloc(struct nf_conn *me)
233{
234 struct nf_conntrack_expect *new;
235
236 new = kmem_cache_alloc(nf_ct_expect_cachep, GFP_ATOMIC);
237 if (!new)
238 return NULL;
239
240 new->master = me;
241 atomic_set(&new->use, 1);
242 return new;
243}
244EXPORT_SYMBOL_GPL(nf_ct_expect_alloc);
245
246void nf_ct_expect_init(struct nf_conntrack_expect *exp, unsigned int class,
247 u_int8_t family,
248 const union nf_inet_addr *saddr,
249 const union nf_inet_addr *daddr,
250 u_int8_t proto, const __be16 *src, const __be16 *dst)
251{
252 int len;
253
254 if (family == AF_INET)
255 len = 4;
256 else
257 len = 16;
258
259 exp->flags = 0;
260 exp->class = class;
261 exp->expectfn = NULL;
262 exp->helper = NULL;
263 exp->tuple.src.l3num = family;
264 exp->tuple.dst.protonum = proto;
265
266 if (saddr) {
267 memcpy(&exp->tuple.src.u3, saddr, len);
268 if (sizeof(exp->tuple.src.u3) > len)
269
270 memset((void *)&exp->tuple.src.u3 + len, 0x00,
271 sizeof(exp->tuple.src.u3) - len);
272 memset(&exp->mask.src.u3, 0xFF, len);
273 if (sizeof(exp->mask.src.u3) > len)
274 memset((void *)&exp->mask.src.u3 + len, 0x00,
275 sizeof(exp->mask.src.u3) - len);
276 } else {
277 memset(&exp->tuple.src.u3, 0x00, sizeof(exp->tuple.src.u3));
278 memset(&exp->mask.src.u3, 0x00, sizeof(exp->mask.src.u3));
279 }
280
281 if (src) {
282 exp->tuple.src.u.all = *src;
283 exp->mask.src.u.all = htons(0xFFFF);
284 } else {
285 exp->tuple.src.u.all = 0;
286 exp->mask.src.u.all = 0;
287 }
288
289 memcpy(&exp->tuple.dst.u3, daddr, len);
290 if (sizeof(exp->tuple.dst.u3) > len)
291
292 memset((void *)&exp->tuple.dst.u3 + len, 0x00,
293 sizeof(exp->tuple.dst.u3) - len);
294
295 exp->tuple.dst.u.all = *dst;
296}
297EXPORT_SYMBOL_GPL(nf_ct_expect_init);
298
299static void nf_ct_expect_free_rcu(struct rcu_head *head)
300{
301 struct nf_conntrack_expect *exp;
302
303 exp = container_of(head, struct nf_conntrack_expect, rcu);
304 kmem_cache_free(nf_ct_expect_cachep, exp);
305}
306
307void nf_ct_expect_put(struct nf_conntrack_expect *exp)
308{
309 if (atomic_dec_and_test(&exp->use))
310 call_rcu(&exp->rcu, nf_ct_expect_free_rcu);
311}
312EXPORT_SYMBOL_GPL(nf_ct_expect_put);
313
314static int nf_ct_expect_insert(struct nf_conntrack_expect *exp)
315{
316 struct nf_conn_help *master_help = nfct_help(exp->master);
317 struct nf_conntrack_helper *helper;
318 struct net *net = nf_ct_exp_net(exp);
319 unsigned int h = nf_ct_expect_dst_hash(&exp->tuple);
320
321
322 atomic_add(2, &exp->use);
323
324 hlist_add_head(&exp->lnode, &master_help->expectations);
325 master_help->expecting[exp->class]++;
326
327 hlist_add_head_rcu(&exp->hnode, &net->ct.expect_hash[h]);
328 net->ct.expect_count++;
329
330 setup_timer(&exp->timeout, nf_ct_expectation_timed_out,
331 (unsigned long)exp);
332 helper = rcu_dereference_protected(master_help->helper,
333 lockdep_is_held(&nf_conntrack_lock));
334 if (helper) {
335 exp->timeout.expires = jiffies +
336 helper->expect_policy[exp->class].timeout * HZ;
337 }
338 add_timer(&exp->timeout);
339
340 NF_CT_STAT_INC(net, expect_create);
341 return 0;
342}
343
344
345static void evict_oldest_expect(struct nf_conn *master,
346 struct nf_conntrack_expect *new)
347{
348 struct nf_conn_help *master_help = nfct_help(master);
349 struct nf_conntrack_expect *exp, *last = NULL;
350
351 hlist_for_each_entry(exp, &master_help->expectations, lnode) {
352 if (exp->class == new->class)
353 last = exp;
354 }
355
356 if (last && del_timer(&last->timeout)) {
357 nf_ct_unlink_expect(last);
358 nf_ct_expect_put(last);
359 }
360}
361
362static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect)
363{
364 const struct nf_conntrack_expect_policy *p;
365 struct nf_conntrack_expect *i;
366 struct nf_conn *master = expect->master;
367 struct nf_conn_help *master_help = nfct_help(master);
368 struct nf_conntrack_helper *helper;
369 struct net *net = nf_ct_exp_net(expect);
370 struct hlist_node *next;
371 unsigned int h;
372 int ret = 1;
373
374 if (!master_help) {
375 ret = -ESHUTDOWN;
376 goto out;
377 }
378 h = nf_ct_expect_dst_hash(&expect->tuple);
379 hlist_for_each_entry_safe(i, next, &net->ct.expect_hash[h], hnode) {
380 if (expect_matches(i, expect)) {
381 if (del_timer(&i->timeout)) {
382 nf_ct_unlink_expect(i);
383 nf_ct_expect_put(i);
384 break;
385 }
386 } else if (expect_clash(i, expect)) {
387 ret = -EBUSY;
388 goto out;
389 }
390 }
391
392 helper = rcu_dereference_protected(master_help->helper,
393 lockdep_is_held(&nf_conntrack_lock));
394 if (helper) {
395 p = &helper->expect_policy[expect->class];
396 if (p->max_expected &&
397 master_help->expecting[expect->class] >= p->max_expected) {
398 evict_oldest_expect(master, expect);
399 if (master_help->expecting[expect->class]
400 >= p->max_expected) {
401 ret = -EMFILE;
402 goto out;
403 }
404 }
405 }
406
407 if (net->ct.expect_count >= nf_ct_expect_max) {
408 net_warn_ratelimited("nf_conntrack: expectation table full\n");
409 ret = -EMFILE;
410 }
411out:
412 return ret;
413}
414
415int nf_ct_expect_related_report(struct nf_conntrack_expect *expect,
416 u32 portid, int report)
417{
418 int ret;
419
420 spin_lock_bh(&nf_conntrack_lock);
421 ret = __nf_ct_expect_check(expect);
422 if (ret <= 0)
423 goto out;
424
425 ret = nf_ct_expect_insert(expect);
426 if (ret < 0)
427 goto out;
428 spin_unlock_bh(&nf_conntrack_lock);
429 nf_ct_expect_event_report(IPEXP_NEW, expect, portid, report);
430 return ret;
431out:
432 spin_unlock_bh(&nf_conntrack_lock);
433 return ret;
434}
435EXPORT_SYMBOL_GPL(nf_ct_expect_related_report);
436
437#ifdef CONFIG_NF_CONNTRACK_PROCFS
438struct ct_expect_iter_state {
439 struct seq_net_private p;
440 unsigned int bucket;
441};
442
443static struct hlist_node *ct_expect_get_first(struct seq_file *seq)
444{
445 struct net *net = seq_file_net(seq);
446 struct ct_expect_iter_state *st = seq->private;
447 struct hlist_node *n;
448
449 for (st->bucket = 0; st->bucket < nf_ct_expect_hsize; st->bucket++) {
450 n = rcu_dereference(hlist_first_rcu(&net->ct.expect_hash[st->bucket]));
451 if (n)
452 return n;
453 }
454 return NULL;
455}
456
457static struct hlist_node *ct_expect_get_next(struct seq_file *seq,
458 struct hlist_node *head)
459{
460 struct net *net = seq_file_net(seq);
461 struct ct_expect_iter_state *st = seq->private;
462
463 head = rcu_dereference(hlist_next_rcu(head));
464 while (head == NULL) {
465 if (++st->bucket >= nf_ct_expect_hsize)
466 return NULL;
467 head = rcu_dereference(hlist_first_rcu(&net->ct.expect_hash[st->bucket]));
468 }
469 return head;
470}
471
472static struct hlist_node *ct_expect_get_idx(struct seq_file *seq, loff_t pos)
473{
474 struct hlist_node *head = ct_expect_get_first(seq);
475
476 if (head)
477 while (pos && (head = ct_expect_get_next(seq, head)))
478 pos--;
479 return pos ? NULL : head;
480}
481
482static void *exp_seq_start(struct seq_file *seq, loff_t *pos)
483 __acquires(RCU)
484{
485 rcu_read_lock();
486 return ct_expect_get_idx(seq, *pos);
487}
488
489static void *exp_seq_next(struct seq_file *seq, void *v, loff_t *pos)
490{
491 (*pos)++;
492 return ct_expect_get_next(seq, v);
493}
494
495static void exp_seq_stop(struct seq_file *seq, void *v)
496 __releases(RCU)
497{
498 rcu_read_unlock();
499}
500
501static int exp_seq_show(struct seq_file *s, void *v)
502{
503 struct nf_conntrack_expect *expect;
504 struct nf_conntrack_helper *helper;
505 struct hlist_node *n = v;
506 char *delim = "";
507
508 expect = hlist_entry(n, struct nf_conntrack_expect, hnode);
509
510 if (expect->timeout.function)
511 seq_printf(s, "%ld ", timer_pending(&expect->timeout)
512 ? (long)(expect->timeout.expires - jiffies)/HZ : 0);
513 else
514 seq_printf(s, "- ");
515 seq_printf(s, "l3proto = %u proto=%u ",
516 expect->tuple.src.l3num,
517 expect->tuple.dst.protonum);
518 print_tuple(s, &expect->tuple,
519 __nf_ct_l3proto_find(expect->tuple.src.l3num),
520 __nf_ct_l4proto_find(expect->tuple.src.l3num,
521 expect->tuple.dst.protonum));
522
523 if (expect->flags & NF_CT_EXPECT_PERMANENT) {
524 seq_printf(s, "PERMANENT");
525 delim = ",";
526 }
527 if (expect->flags & NF_CT_EXPECT_INACTIVE) {
528 seq_printf(s, "%sINACTIVE", delim);
529 delim = ",";
530 }
531 if (expect->flags & NF_CT_EXPECT_USERSPACE)
532 seq_printf(s, "%sUSERSPACE", delim);
533
534 helper = rcu_dereference(nfct_help(expect->master)->helper);
535 if (helper) {
536 seq_printf(s, "%s%s", expect->flags ? " " : "", helper->name);
537 if (helper->expect_policy[expect->class].name)
538 seq_printf(s, "/%s",
539 helper->expect_policy[expect->class].name);
540 }
541
542 return seq_putc(s, '\n');
543}
544
545static const struct seq_operations exp_seq_ops = {
546 .start = exp_seq_start,
547 .next = exp_seq_next,
548 .stop = exp_seq_stop,
549 .show = exp_seq_show
550};
551
552static int exp_open(struct inode *inode, struct file *file)
553{
554 return seq_open_net(inode, file, &exp_seq_ops,
555 sizeof(struct ct_expect_iter_state));
556}
557
558static const struct file_operations exp_file_ops = {
559 .owner = THIS_MODULE,
560 .open = exp_open,
561 .read = seq_read,
562 .llseek = seq_lseek,
563 .release = seq_release_net,
564};
565#endif
566
567static int exp_proc_init(struct net *net)
568{
569#ifdef CONFIG_NF_CONNTRACK_PROCFS
570 struct proc_dir_entry *proc;
571
572 proc = proc_create("nf_conntrack_expect", 0440, net->proc_net,
573 &exp_file_ops);
574 if (!proc)
575 return -ENOMEM;
576#endif
577 return 0;
578}
579
580static void exp_proc_remove(struct net *net)
581{
582#ifdef CONFIG_NF_CONNTRACK_PROCFS
583 remove_proc_entry("nf_conntrack_expect", net->proc_net);
584#endif
585}
586
587module_param_named(expect_hashsize, nf_ct_expect_hsize, uint, 0400);
588
589int nf_conntrack_expect_pernet_init(struct net *net)
590{
591 int err = -ENOMEM;
592
593 net->ct.expect_count = 0;
594 net->ct.expect_hash = nf_ct_alloc_hashtable(&nf_ct_expect_hsize, 0);
595 if (net->ct.expect_hash == NULL)
596 goto err1;
597
598 err = exp_proc_init(net);
599 if (err < 0)
600 goto err2;
601
602 return 0;
603err2:
604 nf_ct_free_hashtable(net->ct.expect_hash, nf_ct_expect_hsize);
605err1:
606 return err;
607}
608
609void nf_conntrack_expect_pernet_fini(struct net *net)
610{
611 exp_proc_remove(net);
612 nf_ct_free_hashtable(net->ct.expect_hash, nf_ct_expect_hsize);
613}
614
615int nf_conntrack_expect_init(void)
616{
617 if (!nf_ct_expect_hsize) {
618 nf_ct_expect_hsize = nf_conntrack_htable_size / 256;
619 if (!nf_ct_expect_hsize)
620 nf_ct_expect_hsize = 1;
621 }
622 nf_ct_expect_max = nf_ct_expect_hsize * 4;
623 nf_ct_expect_cachep = kmem_cache_create("nf_conntrack_expect",
624 sizeof(struct nf_conntrack_expect),
625 0, 0, NULL);
626 if (!nf_ct_expect_cachep)
627 return -ENOMEM;
628 return 0;
629}
630
631void nf_conntrack_expect_fini(void)
632{
633 rcu_barrier();
634 kmem_cache_destroy(nf_ct_expect_cachep);
635}
636
