1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18#include <linux/init.h>
19#include <linux/module.h>
20#include <linux/kernel.h>
21#include <linux/rculist.h>
22#include <linux/rculist_nulls.h>
23#include <linux/types.h>
24#include <linux/timer.h>
25#include <linux/security.h>
26#include <linux/skbuff.h>
27#include <linux/errno.h>
28#include <linux/netlink.h>
29#include <linux/spinlock.h>
30#include <linux/interrupt.h>
31#include <linux/slab.h>
32
33#include <linux/netfilter.h>
34#include <net/netlink.h>
35#include <net/sock.h>
36#include <net/netfilter/nf_conntrack.h>
37#include <net/netfilter/nf_conntrack_core.h>
38#include <net/netfilter/nf_conntrack_expect.h>
39#include <net/netfilter/nf_conntrack_helper.h>
40#include <net/netfilter/nf_conntrack_seqadj.h>
41#include <net/netfilter/nf_conntrack_l3proto.h>
42#include <net/netfilter/nf_conntrack_l4proto.h>
43#include <net/netfilter/nf_conntrack_tuple.h>
44#include <net/netfilter/nf_conntrack_acct.h>
45#include <net/netfilter/nf_conntrack_zones.h>
46#include <net/netfilter/nf_conntrack_timestamp.h>
47#include <net/netfilter/nf_conntrack_labels.h>
48#include <net/netfilter/nf_conntrack_synproxy.h>
49#ifdef CONFIG_NF_NAT_NEEDED
50#include <net/netfilter/nf_nat_core.h>
51#include <net/netfilter/nf_nat_l4proto.h>
52#include <net/netfilter/nf_nat_helper.h>
53#endif
54
55#include <linux/netfilter/nfnetlink.h>
56#include <linux/netfilter/nfnetlink_conntrack.h>
57
58MODULE_LICENSE("GPL");
59
60static int ctnetlink_dump_tuples_proto(struct sk_buff *skb,
61 const struct nf_conntrack_tuple *tuple,
62 const struct nf_conntrack_l4proto *l4proto)
63{
64 int ret = 0;
65 struct nlattr *nest_parms;
66
67 nest_parms = nla_nest_start(skb, CTA_TUPLE_PROTO | NLA_F_NESTED);
68 if (!nest_parms)
69 goto nla_put_failure;
70 if (nla_put_u8(skb, CTA_PROTO_NUM, tuple->dst.protonum))
71 goto nla_put_failure;
72
73 if (likely(l4proto->tuple_to_nlattr))
74 ret = l4proto->tuple_to_nlattr(skb, tuple);
75
76 nla_nest_end(skb, nest_parms);
77
78 return ret;
79
80nla_put_failure:
81 return -1;
82}
83
84static int ctnetlink_dump_tuples_ip(struct sk_buff *skb,
85 const struct nf_conntrack_tuple *tuple,
86 const struct nf_conntrack_l3proto *l3proto)
87{
88 int ret = 0;
89 struct nlattr *nest_parms;
90
91 nest_parms = nla_nest_start(skb, CTA_TUPLE_IP | NLA_F_NESTED);
92 if (!nest_parms)
93 goto nla_put_failure;
94
95 if (likely(l3proto->tuple_to_nlattr))
96 ret = l3proto->tuple_to_nlattr(skb, tuple);
97
98 nla_nest_end(skb, nest_parms);
99
100 return ret;
101
102nla_put_failure:
103 return -1;
104}
105
106static int ctnetlink_dump_tuples(struct sk_buff *skb,
107 const struct nf_conntrack_tuple *tuple)
108{
109 const struct nf_conntrack_l3proto *l3proto;
110 const struct nf_conntrack_l4proto *l4proto;
111 int ret;
112
113 rcu_read_lock();
114 l3proto = __nf_ct_l3proto_find(tuple->src.l3num);
115 ret = ctnetlink_dump_tuples_ip(skb, tuple, l3proto);
116
117 if (ret >= 0) {
118 l4proto = __nf_ct_l4proto_find(tuple->src.l3num,
119 tuple->dst.protonum);
120 ret = ctnetlink_dump_tuples_proto(skb, tuple, l4proto);
121 }
122 rcu_read_unlock();
123 return ret;
124}
125
126static int ctnetlink_dump_zone_id(struct sk_buff *skb, int attrtype,
127 const struct nf_conntrack_zone *zone, int dir)
128{
129 if (zone->id == NF_CT_DEFAULT_ZONE_ID || zone->dir != dir)
130 return 0;
131 if (nla_put_be16(skb, attrtype, htons(zone->id)))
132 goto nla_put_failure;
133 return 0;
134
135nla_put_failure:
136 return -1;
137}
138
139static int ctnetlink_dump_status(struct sk_buff *skb, const struct nf_conn *ct)
140{
141 if (nla_put_be32(skb, CTA_STATUS, htonl(ct->status)))
142 goto nla_put_failure;
143 return 0;
144
145nla_put_failure:
146 return -1;
147}
148
149static int ctnetlink_dump_timeout(struct sk_buff *skb, const struct nf_conn *ct)
150{
151 long timeout = nf_ct_expires(ct) / HZ;
152
153 if (nla_put_be32(skb, CTA_TIMEOUT, htonl(timeout)))
154 goto nla_put_failure;
155 return 0;
156
157nla_put_failure:
158 return -1;
159}
160
161static int ctnetlink_dump_protoinfo(struct sk_buff *skb, struct nf_conn *ct)
162{
163 const struct nf_conntrack_l4proto *l4proto;
164 struct nlattr *nest_proto;
165 int ret;
166
167 l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
168 if (!l4proto->to_nlattr)
169 return 0;
170
171 nest_proto = nla_nest_start(skb, CTA_PROTOINFO | NLA_F_NESTED);
172 if (!nest_proto)
173 goto nla_put_failure;
174
175 ret = l4proto->to_nlattr(skb, nest_proto, ct);
176
177 nla_nest_end(skb, nest_proto);
178
179 return ret;
180
181nla_put_failure:
182 return -1;
183}
184
185static int ctnetlink_dump_helpinfo(struct sk_buff *skb,
186 const struct nf_conn *ct)
187{
188 struct nlattr *nest_helper;
189 const struct nf_conn_help *help = nfct_help(ct);
190 struct nf_conntrack_helper *helper;
191
192 if (!help)
193 return 0;
194
195 helper = rcu_dereference(help->helper);
196 if (!helper)
197 goto out;
198
199 nest_helper = nla_nest_start(skb, CTA_HELP | NLA_F_NESTED);
200 if (!nest_helper)
201 goto nla_put_failure;
202 if (nla_put_string(skb, CTA_HELP_NAME, helper->name))
203 goto nla_put_failure;
204
205 if (helper->to_nlattr)
206 helper->to_nlattr(skb, ct);
207
208 nla_nest_end(skb, nest_helper);
209out:
210 return 0;
211
212nla_put_failure:
213 return -1;
214}
215
216static int
217dump_counters(struct sk_buff *skb, struct nf_conn_acct *acct,
218 enum ip_conntrack_dir dir, int type)
219{
220 enum ctattr_type attr = dir ? CTA_COUNTERS_REPLY: CTA_COUNTERS_ORIG;
221 struct nf_conn_counter *counter = acct->counter;
222 struct nlattr *nest_count;
223 u64 pkts, bytes;
224
225 if (type == IPCTNL_MSG_CT_GET_CTRZERO) {
226 pkts = atomic64_xchg(&counter[dir].packets, 0);
227 bytes = atomic64_xchg(&counter[dir].bytes, 0);
228 } else {
229 pkts = atomic64_read(&counter[dir].packets);
230 bytes = atomic64_read(&counter[dir].bytes);
231 }
232
233 nest_count = nla_nest_start(skb, attr | NLA_F_NESTED);
234 if (!nest_count)
235 goto nla_put_failure;
236
237 if (nla_put_be64(skb, CTA_COUNTERS_PACKETS, cpu_to_be64(pkts),
238 CTA_COUNTERS_PAD) ||
239 nla_put_be64(skb, CTA_COUNTERS_BYTES, cpu_to_be64(bytes),
240 CTA_COUNTERS_PAD))
241 goto nla_put_failure;
242
243 nla_nest_end(skb, nest_count);
244
245 return 0;
246
247nla_put_failure:
248 return -1;
249}
250
251static int
252ctnetlink_dump_acct(struct sk_buff *skb, const struct nf_conn *ct, int type)
253{
254 struct nf_conn_acct *acct = nf_conn_acct_find(ct);
255
256 if (!acct)
257 return 0;
258
259 if (dump_counters(skb, acct, IP_CT_DIR_ORIGINAL, type) < 0)
260 return -1;
261 if (dump_counters(skb, acct, IP_CT_DIR_REPLY, type) < 0)
262 return -1;
263
264 return 0;
265}
266
267static int
268ctnetlink_dump_timestamp(struct sk_buff *skb, const struct nf_conn *ct)
269{
270 struct nlattr *nest_count;
271 const struct nf_conn_tstamp *tstamp;
272
273 tstamp = nf_conn_tstamp_find(ct);
274 if (!tstamp)
275 return 0;
276
277 nest_count = nla_nest_start(skb, CTA_TIMESTAMP | NLA_F_NESTED);
278 if (!nest_count)
279 goto nla_put_failure;
280
281 if (nla_put_be64(skb, CTA_TIMESTAMP_START, cpu_to_be64(tstamp->start),
282 CTA_TIMESTAMP_PAD) ||
283 (tstamp->stop != 0 && nla_put_be64(skb, CTA_TIMESTAMP_STOP,
284 cpu_to_be64(tstamp->stop),
285 CTA_TIMESTAMP_PAD)))
286 goto nla_put_failure;
287 nla_nest_end(skb, nest_count);
288
289 return 0;
290
291nla_put_failure:
292 return -1;
293}
294
295#ifdef CONFIG_NF_CONNTRACK_MARK
296static int ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct)
297{
298 if (nla_put_be32(skb, CTA_MARK, htonl(ct->mark)))
299 goto nla_put_failure;
300 return 0;
301
302nla_put_failure:
303 return -1;
304}
305#else
306#define ctnetlink_dump_mark(a, b) (0)
307#endif
308
309#ifdef CONFIG_NF_CONNTRACK_SECMARK
310static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
311{
312 struct nlattr *nest_secctx;
313 int len, ret;
314 char *secctx;
315
316 ret = security_secid_to_secctx(ct->secmark, &secctx, &len);
317 if (ret)
318 return 0;
319
320 ret = -1;
321 nest_secctx = nla_nest_start(skb, CTA_SECCTX | NLA_F_NESTED);
322 if (!nest_secctx)
323 goto nla_put_failure;
324
325 if (nla_put_string(skb, CTA_SECCTX_NAME, secctx))
326 goto nla_put_failure;
327 nla_nest_end(skb, nest_secctx);
328
329 ret = 0;
330nla_put_failure:
331 security_release_secctx(secctx, len);
332 return ret;
333}
334#else
335#define ctnetlink_dump_secctx(a, b) (0)
336#endif
337
338#ifdef CONFIG_NF_CONNTRACK_LABELS
339static inline int ctnetlink_label_size(const struct nf_conn *ct)
340{
341 struct nf_conn_labels *labels = nf_ct_labels_find(ct);
342
343 if (!labels)
344 return 0;
345 return nla_total_size(sizeof(labels->bits));
346}
347
348static int
349ctnetlink_dump_labels(struct sk_buff *skb, const struct nf_conn *ct)
350{
351 struct nf_conn_labels *labels = nf_ct_labels_find(ct);
352 unsigned int i;
353
354 if (!labels)
355 return 0;
356
357 i = 0;
358 do {
359 if (labels->bits[i] != 0)
360 return nla_put(skb, CTA_LABELS, sizeof(labels->bits),
361 labels->bits);
362 i++;
363 } while (i < ARRAY_SIZE(labels->bits));
364
365 return 0;
366}
367#else
368#define ctnetlink_dump_labels(a, b) (0)
369#define ctnetlink_label_size(a) (0)
370#endif
371
372#define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple)
373
374static int ctnetlink_dump_master(struct sk_buff *skb, const struct nf_conn *ct)
375{
376 struct nlattr *nest_parms;
377
378 if (!(ct->status & IPS_EXPECTED))
379 return 0;
380
381 nest_parms = nla_nest_start(skb, CTA_TUPLE_MASTER | NLA_F_NESTED);
382 if (!nest_parms)
383 goto nla_put_failure;
384 if (ctnetlink_dump_tuples(skb, master_tuple(ct)) < 0)
385 goto nla_put_failure;
386 nla_nest_end(skb, nest_parms);
387
388 return 0;
389
390nla_put_failure:
391 return -1;
392}
393
394static int
395dump_ct_seq_adj(struct sk_buff *skb, const struct nf_ct_seqadj *seq, int type)
396{
397 struct nlattr *nest_parms;
398
399 nest_parms = nla_nest_start(skb, type | NLA_F_NESTED);
400 if (!nest_parms)
401 goto nla_put_failure;
402
403 if (nla_put_be32(skb, CTA_SEQADJ_CORRECTION_POS,
404 htonl(seq->correction_pos)) ||
405 nla_put_be32(skb, CTA_SEQADJ_OFFSET_BEFORE,
406 htonl(seq->offset_before)) ||
407 nla_put_be32(skb, CTA_SEQADJ_OFFSET_AFTER,
408 htonl(seq->offset_after)))
409 goto nla_put_failure;
410
411 nla_nest_end(skb, nest_parms);
412
413 return 0;
414
415nla_put_failure:
416 return -1;
417}
418
419static int ctnetlink_dump_ct_seq_adj(struct sk_buff *skb, struct nf_conn *ct)
420{
421 struct nf_conn_seqadj *seqadj = nfct_seqadj(ct);
422 struct nf_ct_seqadj *seq;
423
424 if (!(ct->status & IPS_SEQ_ADJUST) || !seqadj)
425 return 0;
426
427 spin_lock_bh(&ct->lock);
428 seq = &seqadj->seq[IP_CT_DIR_ORIGINAL];
429 if (dump_ct_seq_adj(skb, seq, CTA_SEQ_ADJ_ORIG) == -1)
430 goto err;
431
432 seq = &seqadj->seq[IP_CT_DIR_REPLY];
433 if (dump_ct_seq_adj(skb, seq, CTA_SEQ_ADJ_REPLY) == -1)
434 goto err;
435
436 spin_unlock_bh(&ct->lock);
437 return 0;
438err:
439 spin_unlock_bh(&ct->lock);
440 return -1;
441}
442
443static int ctnetlink_dump_ct_synproxy(struct sk_buff *skb, struct nf_conn *ct)
444{
445 struct nf_conn_synproxy *synproxy = nfct_synproxy(ct);
446 struct nlattr *nest_parms;
447
448 if (!synproxy)
449 return 0;
450
451 nest_parms = nla_nest_start(skb, CTA_SYNPROXY | NLA_F_NESTED);
452 if (!nest_parms)
453 goto nla_put_failure;
454
455 if (nla_put_be32(skb, CTA_SYNPROXY_ISN, htonl(synproxy->isn)) ||
456 nla_put_be32(skb, CTA_SYNPROXY_ITS, htonl(synproxy->its)) ||
457 nla_put_be32(skb, CTA_SYNPROXY_TSOFF, htonl(synproxy->tsoff)))
458 goto nla_put_failure;
459
460 nla_nest_end(skb, nest_parms);
461
462 return 0;
463
464nla_put_failure:
465 return -1;
466}
467
468static int ctnetlink_dump_id(struct sk_buff *skb, const struct nf_conn *ct)
469{
470 if (nla_put_be32(skb, CTA_ID, htonl((unsigned long)ct)))
471 goto nla_put_failure;
472 return 0;
473
474nla_put_failure:
475 return -1;
476}
477
478static int ctnetlink_dump_use(struct sk_buff *skb, const struct nf_conn *ct)
479{
480 if (nla_put_be32(skb, CTA_USE, htonl(atomic_read(&ct->ct_general.use))))
481 goto nla_put_failure;
482 return 0;
483
484nla_put_failure:
485 return -1;
486}
487
488static int
489ctnetlink_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
490 struct nf_conn *ct)
491{
492 const struct nf_conntrack_zone *zone;
493 struct nlmsghdr *nlh;
494 struct nfgenmsg *nfmsg;
495 struct nlattr *nest_parms;
496 unsigned int flags = portid ? NLM_F_MULTI : 0, event;
497
498 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, IPCTNL_MSG_CT_NEW);
499 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
500 if (nlh == NULL)
501 goto nlmsg_failure;
502
503 nfmsg = nlmsg_data(nlh);
504 nfmsg->nfgen_family = nf_ct_l3num(ct);
505 nfmsg->version = NFNETLINK_V0;
506 nfmsg->res_id = 0;
507
508 zone = nf_ct_zone(ct);
509
510 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED);
511 if (!nest_parms)
512 goto nla_put_failure;
513 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
514 goto nla_put_failure;
515 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
516 NF_CT_ZONE_DIR_ORIG) < 0)
517 goto nla_put_failure;
518 nla_nest_end(skb, nest_parms);
519
520 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY | NLA_F_NESTED);
521 if (!nest_parms)
522 goto nla_put_failure;
523 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
524 goto nla_put_failure;
525 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
526 NF_CT_ZONE_DIR_REPL) < 0)
527 goto nla_put_failure;
528 nla_nest_end(skb, nest_parms);
529
530 if (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone,
531 NF_CT_DEFAULT_ZONE_DIR) < 0)
532 goto nla_put_failure;
533
534 if (ctnetlink_dump_status(skb, ct) < 0 ||
535 ctnetlink_dump_timeout(skb, ct) < 0 ||
536 ctnetlink_dump_acct(skb, ct, type) < 0 ||
537 ctnetlink_dump_timestamp(skb, ct) < 0 ||
538 ctnetlink_dump_protoinfo(skb, ct) < 0 ||
539 ctnetlink_dump_helpinfo(skb, ct) < 0 ||
540 ctnetlink_dump_mark(skb, ct) < 0 ||
541 ctnetlink_dump_secctx(skb, ct) < 0 ||
542 ctnetlink_dump_labels(skb, ct) < 0 ||
543 ctnetlink_dump_id(skb, ct) < 0 ||
544 ctnetlink_dump_use(skb, ct) < 0 ||
545 ctnetlink_dump_master(skb, ct) < 0 ||
546 ctnetlink_dump_ct_seq_adj(skb, ct) < 0 ||
547 ctnetlink_dump_ct_synproxy(skb, ct) < 0)
548 goto nla_put_failure;
549
550 nlmsg_end(skb, nlh);
551 return skb->len;
552
553nlmsg_failure:
554nla_put_failure:
555 nlmsg_cancel(skb, nlh);
556 return -1;
557}
558
559#if defined(CONFIG_NETFILTER_NETLINK_GLUE_CT) || defined(CONFIG_NF_CONNTRACK_EVENTS)
560static size_t ctnetlink_proto_size(const struct nf_conn *ct)
561{
562 const struct nf_conntrack_l3proto *l3proto;
563 const struct nf_conntrack_l4proto *l4proto;
564 size_t len, len4 = 0;
565
566 l3proto = __nf_ct_l3proto_find(nf_ct_l3num(ct));
567 len = l3proto->nla_size;
568 len *= 3u;
569
570 l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
571 len += l4proto->nlattr_size;
572 if (l4proto->nlattr_tuple_size) {
573 len4 = l4proto->nlattr_tuple_size();
574 len4 *= 3u;
575 }
576
577 return len + len4;
578}
579#endif
580
581static inline size_t ctnetlink_acct_size(const struct nf_conn *ct)
582{
583 if (!nf_ct_ext_exist(ct, NF_CT_EXT_ACCT))
584 return 0;
585 return 2 * nla_total_size(0)
586 + 2 * nla_total_size_64bit(sizeof(uint64_t))
587 + 2 * nla_total_size_64bit(sizeof(uint64_t))
588 ;
589}
590
591static inline int ctnetlink_secctx_size(const struct nf_conn *ct)
592{
593#ifdef CONFIG_NF_CONNTRACK_SECMARK
594 int len, ret;
595
596 ret = security_secid_to_secctx(ct->secmark, NULL, &len);
597 if (ret)
598 return 0;
599
600 return nla_total_size(0)
601 + nla_total_size(sizeof(char) * len);
602#else
603 return 0;
604#endif
605}
606
607static inline size_t ctnetlink_timestamp_size(const struct nf_conn *ct)
608{
609#ifdef CONFIG_NF_CONNTRACK_TIMESTAMP
610 if (!nf_ct_ext_exist(ct, NF_CT_EXT_TSTAMP))
611 return 0;
612 return nla_total_size(0) + 2 * nla_total_size_64bit(sizeof(uint64_t));
613#else
614 return 0;
615#endif
616}
617
618#ifdef CONFIG_NF_CONNTRACK_EVENTS
619static size_t ctnetlink_nlmsg_size(const struct nf_conn *ct)
620{
621 return NLMSG_ALIGN(sizeof(struct nfgenmsg))
622 + 3 * nla_total_size(0)
623 + 3 * nla_total_size(0)
624 + 3 * nla_total_size(0)
625 + 3 * nla_total_size(sizeof(u_int8_t))
626 + nla_total_size(sizeof(u_int32_t))
627 + nla_total_size(sizeof(u_int32_t))
628 + ctnetlink_acct_size(ct)
629 + ctnetlink_timestamp_size(ct)
630 + nla_total_size(sizeof(u_int32_t))
631 + nla_total_size(0)
632 + nla_total_size(0)
633 + nla_total_size(NF_CT_HELPER_NAME_LEN)
634 + ctnetlink_secctx_size(ct)
635#ifdef CONFIG_NF_NAT_NEEDED
636 + 2 * nla_total_size(0)
637 + 6 * nla_total_size(sizeof(u_int32_t))
638#endif
639#ifdef CONFIG_NF_CONNTRACK_MARK
640 + nla_total_size(sizeof(u_int32_t))
641#endif
642#ifdef CONFIG_NF_CONNTRACK_ZONES
643 + nla_total_size(sizeof(u_int16_t))
644#endif
645 + ctnetlink_proto_size(ct)
646 + ctnetlink_label_size(ct)
647 ;
648}
649
650static int
651ctnetlink_conntrack_event(unsigned int events, struct nf_ct_event *item)
652{
653 const struct nf_conntrack_zone *zone;
654 struct net *net;
655 struct nlmsghdr *nlh;
656 struct nfgenmsg *nfmsg;
657 struct nlattr *nest_parms;
658 struct nf_conn *ct = item->ct;
659 struct sk_buff *skb;
660 unsigned int type;
661 unsigned int flags = 0, group;
662 int err;
663
664 if (events & (1 << IPCT_DESTROY)) {
665 type = IPCTNL_MSG_CT_DELETE;
666 group = NFNLGRP_CONNTRACK_DESTROY;
667 } else if (events & ((1 << IPCT_NEW) | (1 << IPCT_RELATED))) {
668 type = IPCTNL_MSG_CT_NEW;
669 flags = NLM_F_CREATE|NLM_F_EXCL;
670 group = NFNLGRP_CONNTRACK_NEW;
671 } else if (events) {
672 type = IPCTNL_MSG_CT_NEW;
673 group = NFNLGRP_CONNTRACK_UPDATE;
674 } else
675 return 0;
676
677 net = nf_ct_net(ct);
678 if (!item->report && !nfnetlink_has_listeners(net, group))
679 return 0;
680
681 skb = nlmsg_new(ctnetlink_nlmsg_size(ct), GFP_ATOMIC);
682 if (skb == NULL)
683 goto errout;
684
685 type = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, type);
686 nlh = nlmsg_put(skb, item->portid, 0, type, sizeof(*nfmsg), flags);
687 if (nlh == NULL)
688 goto nlmsg_failure;
689
690 nfmsg = nlmsg_data(nlh);
691 nfmsg->nfgen_family = nf_ct_l3num(ct);
692 nfmsg->version = NFNETLINK_V0;
693 nfmsg->res_id = 0;
694
695 zone = nf_ct_zone(ct);
696
697 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED);
698 if (!nest_parms)
699 goto nla_put_failure;
700 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
701 goto nla_put_failure;
702 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
703 NF_CT_ZONE_DIR_ORIG) < 0)
704 goto nla_put_failure;
705 nla_nest_end(skb, nest_parms);
706
707 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY | NLA_F_NESTED);
708 if (!nest_parms)
709 goto nla_put_failure;
710 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
711 goto nla_put_failure;
712 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
713 NF_CT_ZONE_DIR_REPL) < 0)
714 goto nla_put_failure;
715 nla_nest_end(skb, nest_parms);
716
717 if (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone,
718 NF_CT_DEFAULT_ZONE_DIR) < 0)
719 goto nla_put_failure;
720
721 if (ctnetlink_dump_id(skb, ct) < 0)
722 goto nla_put_failure;
723
724 if (ctnetlink_dump_status(skb, ct) < 0)
725 goto nla_put_failure;
726
727 if (events & (1 << IPCT_DESTROY)) {
728 if (ctnetlink_dump_acct(skb, ct, type) < 0 ||
729 ctnetlink_dump_timestamp(skb, ct) < 0)
730 goto nla_put_failure;
731 } else {
732 if (ctnetlink_dump_timeout(skb, ct) < 0)
733 goto nla_put_failure;
734
735 if (events & (1 << IPCT_PROTOINFO)
736 && ctnetlink_dump_protoinfo(skb, ct) < 0)
737 goto nla_put_failure;
738
739 if ((events & (1 << IPCT_HELPER) || nfct_help(ct))
740 && ctnetlink_dump_helpinfo(skb, ct) < 0)
741 goto nla_put_failure;
742
743#ifdef CONFIG_NF_CONNTRACK_SECMARK
744 if ((events & (1 << IPCT_SECMARK) || ct->secmark)
745 && ctnetlink_dump_secctx(skb, ct) < 0)
746 goto nla_put_failure;
747#endif
748 if (events & (1 << IPCT_LABEL) &&
749 ctnetlink_dump_labels(skb, ct) < 0)
750 goto nla_put_failure;
751
752 if (events & (1 << IPCT_RELATED) &&
753 ctnetlink_dump_master(skb, ct) < 0)
754 goto nla_put_failure;
755
756 if (events & (1 << IPCT_SEQADJ) &&
757 ctnetlink_dump_ct_seq_adj(skb, ct) < 0)
758 goto nla_put_failure;
759
760 if (events & (1 << IPCT_SYNPROXY) &&
761 ctnetlink_dump_ct_synproxy(skb, ct) < 0)
762 goto nla_put_failure;
763 }
764
765#ifdef CONFIG_NF_CONNTRACK_MARK
766 if ((events & (1 << IPCT_MARK) || ct->mark)
767 && ctnetlink_dump_mark(skb, ct) < 0)
768 goto nla_put_failure;
769#endif
770 nlmsg_end(skb, nlh);
771 err = nfnetlink_send(skb, net, item->portid, group, item->report,
772 GFP_ATOMIC);
773 if (err == -ENOBUFS || err == -EAGAIN)
774 return -ENOBUFS;
775
776 return 0;
777
778nla_put_failure:
779 nlmsg_cancel(skb, nlh);
780nlmsg_failure:
781 kfree_skb(skb);
782errout:
783 if (nfnetlink_set_err(net, 0, group, -ENOBUFS) > 0)
784 return -ENOBUFS;
785
786 return 0;
787}
788#endif
789
790static int ctnetlink_done(struct netlink_callback *cb)
791{
792 if (cb->args[1])
793 nf_ct_put((struct nf_conn *)cb->args[1]);
794 kfree(cb->data);
795 return 0;
796}
797
798struct ctnetlink_filter {
799 struct {
800 u_int32_t val;
801 u_int32_t mask;
802 } mark;
803};
804
805static struct ctnetlink_filter *
806ctnetlink_alloc_filter(const struct nlattr * const cda[])
807{
808#ifdef CONFIG_NF_CONNTRACK_MARK
809 struct ctnetlink_filter *filter;
810
811 filter = kzalloc(sizeof(*filter), GFP_KERNEL);
812 if (filter == NULL)
813 return ERR_PTR(-ENOMEM);
814
815 filter->mark.val = ntohl(nla_get_be32(cda[CTA_MARK]));
816 filter->mark.mask = ntohl(nla_get_be32(cda[CTA_MARK_MASK]));
817
818 return filter;
819#else
820 return ERR_PTR(-EOPNOTSUPP);
821#endif
822}
823
824static int ctnetlink_filter_match(struct nf_conn *ct, void *data)
825{
826 struct ctnetlink_filter *filter = data;
827
828 if (filter == NULL)
829 return 1;
830
831#ifdef CONFIG_NF_CONNTRACK_MARK
832 if ((ct->mark & filter->mark.mask) == filter->mark.val)
833 return 1;
834#endif
835
836 return 0;
837}
838
839static int
840ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
841{
842 struct net *net = sock_net(skb->sk);
843 struct nf_conn *ct, *last;
844 struct nf_conntrack_tuple_hash *h;
845 struct hlist_nulls_node *n;
846 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
847 u_int8_t l3proto = nfmsg->nfgen_family;
848 struct nf_conn *nf_ct_evict[8];
849 int res, i;
850 spinlock_t *lockp;
851
852 last = (struct nf_conn *)cb->args[1];
853 i = 0;
854
855 local_bh_disable();
856 for (; cb->args[0] < nf_conntrack_htable_size; cb->args[0]++) {
857restart:
858 while (i) {
859 i--;
860 if (nf_ct_should_gc(nf_ct_evict[i]))
861 nf_ct_kill(nf_ct_evict[i]);
862 nf_ct_put(nf_ct_evict[i]);
863 }
864
865 lockp = &nf_conntrack_locks[cb->args[0] % CONNTRACK_LOCKS];
866 nf_conntrack_lock(lockp);
867 if (cb->args[0] >= nf_conntrack_htable_size) {
868 spin_unlock(lockp);
869 goto out;
870 }
871 hlist_nulls_for_each_entry(h, n, &nf_conntrack_hash[cb->args[0]],
872 hnnode) {
873 if (NF_CT_DIRECTION(h) != IP_CT_DIR_ORIGINAL)
874 continue;
875 ct = nf_ct_tuplehash_to_ctrack(h);
876 if (nf_ct_is_expired(ct)) {
877 if (i < ARRAY_SIZE(nf_ct_evict) &&
878 atomic_inc_not_zero(&ct->ct_general.use))
879 nf_ct_evict[i++] = ct;
880 continue;
881 }
882
883 if (!net_eq(net, nf_ct_net(ct)))
884 continue;
885
886
887
888
889 if (l3proto && nf_ct_l3num(ct) != l3proto)
890 continue;
891 if (cb->args[1]) {
892 if (ct != last)
893 continue;
894 cb->args[1] = 0;
895 }
896 if (!ctnetlink_filter_match(ct, cb->data))
897 continue;
898
899 rcu_read_lock();
900 res =
901 ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).portid,
902 cb->nlh->nlmsg_seq,
903 NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
904 ct);
905 rcu_read_unlock();
906 if (res < 0) {
907 nf_conntrack_get(&ct->ct_general);
908 cb->args[1] = (unsigned long)ct;
909 spin_unlock(lockp);
910 goto out;
911 }
912 }
913 spin_unlock(lockp);
914 if (cb->args[1]) {
915 cb->args[1] = 0;
916 goto restart;
917 }
918 }
919out:
920 local_bh_enable();
921 if (last) {
922
923 if ((struct nf_conn *)cb->args[1] == last)
924 cb->args[1] = 0;
925
926 nf_ct_put(last);
927 }
928
929 while (i) {
930 i--;
931 if (nf_ct_should_gc(nf_ct_evict[i]))
932 nf_ct_kill(nf_ct_evict[i]);
933 nf_ct_put(nf_ct_evict[i]);
934 }
935
936 return skb->len;
937}
938
939static int ctnetlink_parse_tuple_ip(struct nlattr *attr,
940 struct nf_conntrack_tuple *tuple)
941{
942 struct nlattr *tb[CTA_IP_MAX+1];
943 struct nf_conntrack_l3proto *l3proto;
944 int ret = 0;
945
946 ret = nla_parse_nested(tb, CTA_IP_MAX, attr, NULL, NULL);
947 if (ret < 0)
948 return ret;
949
950 rcu_read_lock();
951 l3proto = __nf_ct_l3proto_find(tuple->src.l3num);
952
953 if (likely(l3proto->nlattr_to_tuple)) {
954 ret = nla_validate_nested(attr, CTA_IP_MAX,
955 l3proto->nla_policy, NULL);
956 if (ret == 0)
957 ret = l3proto->nlattr_to_tuple(tb, tuple);
958 }
959
960 rcu_read_unlock();
961
962 return ret;
963}
964
965static const struct nla_policy proto_nla_policy[CTA_PROTO_MAX+1] = {
966 [CTA_PROTO_NUM] = { .type = NLA_U8 },
967};
968
969static int ctnetlink_parse_tuple_proto(struct nlattr *attr,
970 struct nf_conntrack_tuple *tuple)
971{
972 const struct nf_conntrack_l4proto *l4proto;
973 struct nlattr *tb[CTA_PROTO_MAX+1];
974 int ret = 0;
975
976 ret = nla_parse_nested(tb, CTA_PROTO_MAX, attr, proto_nla_policy,
977 NULL);
978 if (ret < 0)
979 return ret;
980
981 if (!tb[CTA_PROTO_NUM])
982 return -EINVAL;
983 tuple->dst.protonum = nla_get_u8(tb[CTA_PROTO_NUM]);
984
985 rcu_read_lock();
986 l4proto = __nf_ct_l4proto_find(tuple->src.l3num, tuple->dst.protonum);
987
988 if (likely(l4proto->nlattr_to_tuple)) {
989 ret = nla_validate_nested(attr, CTA_PROTO_MAX,
990 l4proto->nla_policy, NULL);
991 if (ret == 0)
992 ret = l4proto->nlattr_to_tuple(tb, tuple);
993 }
994
995 rcu_read_unlock();
996
997 return ret;
998}
999
1000static int
1001ctnetlink_parse_zone(const struct nlattr *attr,
1002 struct nf_conntrack_zone *zone)
1003{
1004 nf_ct_zone_init(zone, NF_CT_DEFAULT_ZONE_ID,
1005 NF_CT_DEFAULT_ZONE_DIR, 0);
1006#ifdef CONFIG_NF_CONNTRACK_ZONES
1007 if (attr)
1008 zone->id = ntohs(nla_get_be16(attr));
1009#else
1010 if (attr)
1011 return -EOPNOTSUPP;
1012#endif
1013 return 0;
1014}
1015
1016static int
1017ctnetlink_parse_tuple_zone(struct nlattr *attr, enum ctattr_type type,
1018 struct nf_conntrack_zone *zone)
1019{
1020 int ret;
1021
1022 if (zone->id != NF_CT_DEFAULT_ZONE_ID)
1023 return -EINVAL;
1024
1025 ret = ctnetlink_parse_zone(attr, zone);
1026 if (ret < 0)
1027 return ret;
1028
1029 if (type == CTA_TUPLE_REPLY)
1030 zone->dir = NF_CT_ZONE_DIR_REPL;
1031 else
1032 zone->dir = NF_CT_ZONE_DIR_ORIG;
1033
1034 return 0;
1035}
1036
1037static const struct nla_policy tuple_nla_policy[CTA_TUPLE_MAX+1] = {
1038 [CTA_TUPLE_IP] = { .type = NLA_NESTED },
1039 [CTA_TUPLE_PROTO] = { .type = NLA_NESTED },
1040 [CTA_TUPLE_ZONE] = { .type = NLA_U16 },
1041};
1042
1043static int
1044ctnetlink_parse_tuple(const struct nlattr * const cda[],
1045 struct nf_conntrack_tuple *tuple, u32 type,
1046 u_int8_t l3num, struct nf_conntrack_zone *zone)
1047{
1048 struct nlattr *tb[CTA_TUPLE_MAX+1];
1049 int err;
1050
1051 memset(tuple, 0, sizeof(*tuple));
1052
1053 err = nla_parse_nested(tb, CTA_TUPLE_MAX, cda[type], tuple_nla_policy,
1054 NULL);
1055 if (err < 0)
1056 return err;
1057
1058 if (!tb[CTA_TUPLE_IP])
1059 return -EINVAL;
1060
1061 tuple->src.l3num = l3num;
1062
1063 err = ctnetlink_parse_tuple_ip(tb[CTA_TUPLE_IP], tuple);
1064 if (err < 0)
1065 return err;
1066
1067 if (!tb[CTA_TUPLE_PROTO])
1068 return -EINVAL;
1069
1070 err = ctnetlink_parse_tuple_proto(tb[CTA_TUPLE_PROTO], tuple);
1071 if (err < 0)
1072 return err;
1073
1074 if (tb[CTA_TUPLE_ZONE]) {
1075 if (!zone)
1076 return -EINVAL;
1077
1078 err = ctnetlink_parse_tuple_zone(tb[CTA_TUPLE_ZONE],
1079 type, zone);
1080 if (err < 0)
1081 return err;
1082 }
1083
1084
1085 if (type == CTA_TUPLE_REPLY)
1086 tuple->dst.dir = IP_CT_DIR_REPLY;
1087 else
1088 tuple->dst.dir = IP_CT_DIR_ORIGINAL;
1089
1090 return 0;
1091}
1092
1093static const struct nla_policy help_nla_policy[CTA_HELP_MAX+1] = {
1094 [CTA_HELP_NAME] = { .type = NLA_NUL_STRING,
1095 .len = NF_CT_HELPER_NAME_LEN - 1 },
1096};
1097
1098static int ctnetlink_parse_help(const struct nlattr *attr, char **helper_name,
1099 struct nlattr **helpinfo)
1100{
1101 int err;
1102 struct nlattr *tb[CTA_HELP_MAX+1];
1103
1104 err = nla_parse_nested(tb, CTA_HELP_MAX, attr, help_nla_policy, NULL);
1105 if (err < 0)
1106 return err;
1107
1108 if (!tb[CTA_HELP_NAME])
1109 return -EINVAL;
1110
1111 *helper_name = nla_data(tb[CTA_HELP_NAME]);
1112
1113 if (tb[CTA_HELP_INFO])
1114 *helpinfo = tb[CTA_HELP_INFO];
1115
1116 return 0;
1117}
1118
1119static const struct nla_policy ct_nla_policy[CTA_MAX+1] = {
1120 [CTA_TUPLE_ORIG] = { .type = NLA_NESTED },
1121 [CTA_TUPLE_REPLY] = { .type = NLA_NESTED },
1122 [CTA_STATUS] = { .type = NLA_U32 },
1123 [CTA_PROTOINFO] = { .type = NLA_NESTED },
1124 [CTA_HELP] = { .type = NLA_NESTED },
1125 [CTA_NAT_SRC] = { .type = NLA_NESTED },
1126 [CTA_TIMEOUT] = { .type = NLA_U32 },
1127 [CTA_MARK] = { .type = NLA_U32 },
1128 [CTA_ID] = { .type = NLA_U32 },
1129 [CTA_NAT_DST] = { .type = NLA_NESTED },
1130 [CTA_TUPLE_MASTER] = { .type = NLA_NESTED },
1131 [CTA_NAT_SEQ_ADJ_ORIG] = { .type = NLA_NESTED },
1132 [CTA_NAT_SEQ_ADJ_REPLY] = { .type = NLA_NESTED },
1133 [CTA_ZONE] = { .type = NLA_U16 },
1134 [CTA_MARK_MASK] = { .type = NLA_U32 },
1135 [CTA_LABELS] = { .type = NLA_BINARY,
1136 .len = NF_CT_LABELS_MAX_SIZE },
1137 [CTA_LABELS_MASK] = { .type = NLA_BINARY,
1138 .len = NF_CT_LABELS_MAX_SIZE },
1139};
1140
1141static int ctnetlink_flush_iterate(struct nf_conn *ct, void *data)
1142{
1143 if (test_bit(IPS_OFFLOAD_BIT, &ct->status))
1144 return 0;
1145
1146 return ctnetlink_filter_match(ct, data);
1147}
1148
1149static int ctnetlink_flush_conntrack(struct net *net,
1150 const struct nlattr * const cda[],
1151 u32 portid, int report)
1152{
1153 struct ctnetlink_filter *filter = NULL;
1154
1155 if (cda[CTA_MARK] && cda[CTA_MARK_MASK]) {
1156 filter = ctnetlink_alloc_filter(cda);
1157 if (IS_ERR(filter))
1158 return PTR_ERR(filter);
1159 }
1160
1161 nf_ct_iterate_cleanup_net(net, ctnetlink_flush_iterate, filter,
1162 portid, report);
1163 kfree(filter);
1164
1165 return 0;
1166}
1167
1168static int ctnetlink_del_conntrack(struct net *net, struct sock *ctnl,
1169 struct sk_buff *skb,
1170 const struct nlmsghdr *nlh,
1171 const struct nlattr * const cda[],
1172 struct netlink_ext_ack *extack)
1173{
1174 struct nf_conntrack_tuple_hash *h;
1175 struct nf_conntrack_tuple tuple;
1176 struct nf_conn *ct;
1177 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1178 u_int8_t u3 = nfmsg->nfgen_family;
1179 struct nf_conntrack_zone zone;
1180 int err;
1181
1182 err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone);
1183 if (err < 0)
1184 return err;
1185
1186 if (cda[CTA_TUPLE_ORIG])
1187 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG,
1188 u3, &zone);
1189 else if (cda[CTA_TUPLE_REPLY])
1190 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY,
1191 u3, &zone);
1192 else {
1193 return ctnetlink_flush_conntrack(net, cda,
1194 NETLINK_CB(skb).portid,
1195 nlmsg_report(nlh));
1196 }
1197
1198 if (err < 0)
1199 return err;
1200
1201 h = nf_conntrack_find_get(net, &zone, &tuple);
1202 if (!h)
1203 return -ENOENT;
1204
1205 ct = nf_ct_tuplehash_to_ctrack(h);
1206
1207 if (test_bit(IPS_OFFLOAD_BIT, &ct->status)) {
1208 nf_ct_put(ct);
1209 return -EBUSY;
1210 }
1211
1212 if (cda[CTA_ID]) {
1213 u_int32_t id = ntohl(nla_get_be32(cda[CTA_ID]));
1214 if (id != (u32)(unsigned long)ct) {
1215 nf_ct_put(ct);
1216 return -ENOENT;
1217 }
1218 }
1219
1220 nf_ct_delete(ct, NETLINK_CB(skb).portid, nlmsg_report(nlh));
1221 nf_ct_put(ct);
1222
1223 return 0;
1224}
1225
1226static int ctnetlink_get_conntrack(struct net *net, struct sock *ctnl,
1227 struct sk_buff *skb,
1228 const struct nlmsghdr *nlh,
1229 const struct nlattr * const cda[],
1230 struct netlink_ext_ack *extack)
1231{
1232 struct nf_conntrack_tuple_hash *h;
1233 struct nf_conntrack_tuple tuple;
1234 struct nf_conn *ct;
1235 struct sk_buff *skb2 = NULL;
1236 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1237 u_int8_t u3 = nfmsg->nfgen_family;
1238 struct nf_conntrack_zone zone;
1239 int err;
1240
1241 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1242 struct netlink_dump_control c = {
1243 .dump = ctnetlink_dump_table,
1244 .done = ctnetlink_done,
1245 };
1246
1247 if (cda[CTA_MARK] && cda[CTA_MARK_MASK]) {
1248 struct ctnetlink_filter *filter;
1249
1250 filter = ctnetlink_alloc_filter(cda);
1251 if (IS_ERR(filter))
1252 return PTR_ERR(filter);
1253
1254 c.data = filter;
1255 }
1256 return netlink_dump_start(ctnl, skb, nlh, &c);
1257 }
1258
1259 err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone);
1260 if (err < 0)
1261 return err;
1262
1263 if (cda[CTA_TUPLE_ORIG])
1264 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG,
1265 u3, &zone);
1266 else if (cda[CTA_TUPLE_REPLY])
1267 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY,
1268 u3, &zone);
1269 else
1270 return -EINVAL;
1271
1272 if (err < 0)
1273 return err;
1274
1275 h = nf_conntrack_find_get(net, &zone, &tuple);
1276 if (!h)
1277 return -ENOENT;
1278
1279 ct = nf_ct_tuplehash_to_ctrack(h);
1280
1281 err = -ENOMEM;
1282 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1283 if (skb2 == NULL) {
1284 nf_ct_put(ct);
1285 return -ENOMEM;
1286 }
1287
1288 rcu_read_lock();
1289 err = ctnetlink_fill_info(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq,
1290 NFNL_MSG_TYPE(nlh->nlmsg_type), ct);
1291 rcu_read_unlock();
1292 nf_ct_put(ct);
1293 if (err <= 0)
1294 goto free;
1295
1296 err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
1297 if (err < 0)
1298 goto out;
1299
1300 return 0;
1301
1302free:
1303 kfree_skb(skb2);
1304out:
1305
1306 return err == -EAGAIN ? -ENOBUFS : err;
1307}
1308
1309static int ctnetlink_done_list(struct netlink_callback *cb)
1310{
1311 if (cb->args[1])
1312 nf_ct_put((struct nf_conn *)cb->args[1]);
1313 return 0;
1314}
1315
1316static int
1317ctnetlink_dump_list(struct sk_buff *skb, struct netlink_callback *cb, bool dying)
1318{
1319 struct nf_conn *ct, *last;
1320 struct nf_conntrack_tuple_hash *h;
1321 struct hlist_nulls_node *n;
1322 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1323 u_int8_t l3proto = nfmsg->nfgen_family;
1324 int res;
1325 int cpu;
1326 struct hlist_nulls_head *list;
1327 struct net *net = sock_net(skb->sk);
1328
1329 if (cb->args[2])
1330 return 0;
1331
1332 last = (struct nf_conn *)cb->args[1];
1333
1334 for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) {
1335 struct ct_pcpu *pcpu;
1336
1337 if (!cpu_possible(cpu))
1338 continue;
1339
1340 pcpu = per_cpu_ptr(net->ct.pcpu_lists, cpu);
1341 spin_lock_bh(&pcpu->lock);
1342 list = dying ? &pcpu->dying : &pcpu->unconfirmed;
1343restart:
1344 hlist_nulls_for_each_entry(h, n, list, hnnode) {
1345 ct = nf_ct_tuplehash_to_ctrack(h);
1346 if (l3proto && nf_ct_l3num(ct) != l3proto)
1347 continue;
1348 if (cb->args[1]) {
1349 if (ct != last)
1350 continue;
1351 cb->args[1] = 0;
1352 }
1353 rcu_read_lock();
1354 res = ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).portid,
1355 cb->nlh->nlmsg_seq,
1356 NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
1357 ct);
1358 rcu_read_unlock();
1359 if (res < 0) {
1360 if (!atomic_inc_not_zero(&ct->ct_general.use))
1361 continue;
1362 cb->args[0] = cpu;
1363 cb->args[1] = (unsigned long)ct;
1364 spin_unlock_bh(&pcpu->lock);
1365 goto out;
1366 }
1367 }
1368 if (cb->args[1]) {
1369 cb->args[1] = 0;
1370 goto restart;
1371 }
1372 spin_unlock_bh(&pcpu->lock);
1373 }
1374 cb->args[2] = 1;
1375out:
1376 if (last)
1377 nf_ct_put(last);
1378
1379 return skb->len;
1380}
1381
1382static int
1383ctnetlink_dump_dying(struct sk_buff *skb, struct netlink_callback *cb)
1384{
1385 return ctnetlink_dump_list(skb, cb, true);
1386}
1387
1388static int ctnetlink_get_ct_dying(struct net *net, struct sock *ctnl,
1389 struct sk_buff *skb,
1390 const struct nlmsghdr *nlh,
1391 const struct nlattr * const cda[],
1392 struct netlink_ext_ack *extack)
1393{
1394 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1395 struct netlink_dump_control c = {
1396 .dump = ctnetlink_dump_dying,
1397 .done = ctnetlink_done_list,
1398 };
1399 return netlink_dump_start(ctnl, skb, nlh, &c);
1400 }
1401
1402 return -EOPNOTSUPP;
1403}
1404
1405static int
1406ctnetlink_dump_unconfirmed(struct sk_buff *skb, struct netlink_callback *cb)
1407{
1408 return ctnetlink_dump_list(skb, cb, false);
1409}
1410
1411static int ctnetlink_get_ct_unconfirmed(struct net *net, struct sock *ctnl,
1412 struct sk_buff *skb,
1413 const struct nlmsghdr *nlh,
1414 const struct nlattr * const cda[],
1415 struct netlink_ext_ack *extack)
1416{
1417 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1418 struct netlink_dump_control c = {
1419 .dump = ctnetlink_dump_unconfirmed,
1420 .done = ctnetlink_done_list,
1421 };
1422 return netlink_dump_start(ctnl, skb, nlh, &c);
1423 }
1424
1425 return -EOPNOTSUPP;
1426}
1427
1428#ifdef CONFIG_NF_NAT_NEEDED
1429static int
1430ctnetlink_parse_nat_setup(struct nf_conn *ct,
1431 enum nf_nat_manip_type manip,
1432 const struct nlattr *attr)
1433{
1434 typeof(nfnetlink_parse_nat_setup_hook) parse_nat_setup;
1435 int err;
1436
1437 parse_nat_setup = rcu_dereference(nfnetlink_parse_nat_setup_hook);
1438 if (!parse_nat_setup) {
1439#ifdef CONFIG_MODULES
1440 rcu_read_unlock();
1441 nfnl_unlock(NFNL_SUBSYS_CTNETLINK);
1442 if (request_module("nf-nat") < 0) {
1443 nfnl_lock(NFNL_SUBSYS_CTNETLINK);
1444 rcu_read_lock();
1445 return -EOPNOTSUPP;
1446 }
1447 nfnl_lock(NFNL_SUBSYS_CTNETLINK);
1448 rcu_read_lock();
1449 if (nfnetlink_parse_nat_setup_hook)
1450 return -EAGAIN;
1451#endif
1452 return -EOPNOTSUPP;
1453 }
1454
1455 err = parse_nat_setup(ct, manip, attr);
1456 if (err == -EAGAIN) {
1457#ifdef CONFIG_MODULES
1458 rcu_read_unlock();
1459 nfnl_unlock(NFNL_SUBSYS_CTNETLINK);
1460 if (request_module("nf-nat-%u", nf_ct_l3num(ct)) < 0) {
1461 nfnl_lock(NFNL_SUBSYS_CTNETLINK);
1462 rcu_read_lock();
1463 return -EOPNOTSUPP;
1464 }
1465 nfnl_lock(NFNL_SUBSYS_CTNETLINK);
1466 rcu_read_lock();
1467#else
1468 err = -EOPNOTSUPP;
1469#endif
1470 }
1471 return err;
1472}
1473#endif
1474
1475static void
1476__ctnetlink_change_status(struct nf_conn *ct, unsigned long on,
1477 unsigned long off)
1478{
1479 unsigned int bit;
1480
1481
1482 on &= ~IPS_UNCHANGEABLE_MASK;
1483 off &= ~IPS_UNCHANGEABLE_MASK;
1484
1485 for (bit = 0; bit < __IPS_MAX_BIT; bit++) {
1486 if (on & (1 << bit))
1487 set_bit(bit, &ct->status);
1488 else if (off & (1 << bit))
1489 clear_bit(bit, &ct->status);
1490 }
1491}
1492
1493static int
1494ctnetlink_change_status(struct nf_conn *ct, const struct nlattr * const cda[])
1495{
1496 unsigned long d;
1497 unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS]));
1498 d = ct->status ^ status;
1499
1500 if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING))
1501
1502 return -EBUSY;
1503
1504 if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY))
1505
1506 return -EBUSY;
1507
1508 if (d & IPS_ASSURED && !(status & IPS_ASSURED))
1509
1510 return -EBUSY;
1511
1512 __ctnetlink_change_status(ct, status, 0);
1513 return 0;
1514}
1515
1516static int
1517ctnetlink_setup_nat(struct nf_conn *ct, const struct nlattr * const cda[])
1518{
1519#ifdef CONFIG_NF_NAT_NEEDED
1520 int ret;
1521
1522 if (!cda[CTA_NAT_DST] && !cda[CTA_NAT_SRC])
1523 return 0;
1524
1525 ret = ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_DST,
1526 cda[CTA_NAT_DST]);
1527 if (ret < 0)
1528 return ret;
1529
1530 return ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_SRC,
1531 cda[CTA_NAT_SRC]);
1532#else
1533 if (!cda[CTA_NAT_DST] && !cda[CTA_NAT_SRC])
1534 return 0;
1535 return -EOPNOTSUPP;
1536#endif
1537}
1538
1539static int ctnetlink_change_helper(struct nf_conn *ct,
1540 const struct nlattr * const cda[])
1541{
1542 struct nf_conntrack_helper *helper;
1543 struct nf_conn_help *help = nfct_help(ct);
1544 char *helpname = NULL;
1545 struct nlattr *helpinfo = NULL;
1546 int err;
1547
1548 err = ctnetlink_parse_help(cda[CTA_HELP], &helpname, &helpinfo);
1549 if (err < 0)
1550 return err;
1551
1552
1553 if (ct->master) {
1554
1555
1556
1557
1558 err = -EBUSY;
1559 if (help) {
1560 rcu_read_lock();
1561 helper = rcu_dereference(help->helper);
1562 if (helper && !strcmp(helper->name, helpname))
1563 err = 0;
1564 rcu_read_unlock();
1565 }
1566
1567 return err;
1568 }
1569
1570 if (!strcmp(helpname, "")) {
1571 if (help && help->helper) {
1572
1573 nf_ct_remove_expectations(ct);
1574 RCU_INIT_POINTER(help->helper, NULL);
1575 }
1576
1577 return 0;
1578 }
1579
1580 rcu_read_lock();
1581 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
1582 nf_ct_protonum(ct));
1583 if (helper == NULL) {
1584 rcu_read_unlock();
1585 return -EOPNOTSUPP;
1586 }
1587
1588 if (help) {
1589 if (help->helper == helper) {
1590
1591 if (helper->from_nlattr)
1592 helper->from_nlattr(helpinfo, ct);
1593 err = 0;
1594 } else
1595 err = -EBUSY;
1596 } else {
1597
1598 err = -EOPNOTSUPP;
1599 }
1600
1601 rcu_read_unlock();
1602 return err;
1603}
1604
1605static int ctnetlink_change_timeout(struct nf_conn *ct,
1606 const struct nlattr * const cda[])
1607{
1608 u64 timeout = (u64)ntohl(nla_get_be32(cda[CTA_TIMEOUT])) * HZ;
1609
1610 if (timeout > INT_MAX)
1611 timeout = INT_MAX;
1612 ct->timeout = nfct_time_stamp + (u32)timeout;
1613
1614 if (test_bit(IPS_DYING_BIT, &ct->status))
1615 return -ETIME;
1616
1617 return 0;
1618}
1619
1620static const struct nla_policy protoinfo_policy[CTA_PROTOINFO_MAX+1] = {
1621 [CTA_PROTOINFO_TCP] = { .type = NLA_NESTED },
1622 [CTA_PROTOINFO_DCCP] = { .type = NLA_NESTED },
1623 [CTA_PROTOINFO_SCTP] = { .type = NLA_NESTED },
1624};
1625
1626static int ctnetlink_change_protoinfo(struct nf_conn *ct,
1627 const struct nlattr * const cda[])
1628{
1629 const struct nlattr *attr = cda[CTA_PROTOINFO];
1630 const struct nf_conntrack_l4proto *l4proto;
1631 struct nlattr *tb[CTA_PROTOINFO_MAX+1];
1632 int err = 0;
1633
1634 err = nla_parse_nested(tb, CTA_PROTOINFO_MAX, attr, protoinfo_policy,
1635 NULL);
1636 if (err < 0)
1637 return err;
1638
1639 rcu_read_lock();
1640 l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
1641 if (l4proto->from_nlattr)
1642 err = l4proto->from_nlattr(tb, ct);
1643 rcu_read_unlock();
1644
1645 return err;
1646}
1647
1648static const struct nla_policy seqadj_policy[CTA_SEQADJ_MAX+1] = {
1649 [CTA_SEQADJ_CORRECTION_POS] = { .type = NLA_U32 },
1650 [CTA_SEQADJ_OFFSET_BEFORE] = { .type = NLA_U32 },
1651 [CTA_SEQADJ_OFFSET_AFTER] = { .type = NLA_U32 },
1652};
1653
1654static int change_seq_adj(struct nf_ct_seqadj *seq,
1655 const struct nlattr * const attr)
1656{
1657 int err;
1658 struct nlattr *cda[CTA_SEQADJ_MAX+1];
1659
1660 err = nla_parse_nested(cda, CTA_SEQADJ_MAX, attr, seqadj_policy, NULL);
1661 if (err < 0)
1662 return err;
1663
1664 if (!cda[CTA_SEQADJ_CORRECTION_POS])
1665 return -EINVAL;
1666
1667 seq->correction_pos =
1668 ntohl(nla_get_be32(cda[CTA_SEQADJ_CORRECTION_POS]));
1669
1670 if (!cda[CTA_SEQADJ_OFFSET_BEFORE])
1671 return -EINVAL;
1672
1673 seq->offset_before =
1674 ntohl(nla_get_be32(cda[CTA_SEQADJ_OFFSET_BEFORE]));
1675
1676 if (!cda[CTA_SEQADJ_OFFSET_AFTER])
1677 return -EINVAL;
1678
1679 seq->offset_after =
1680 ntohl(nla_get_be32(cda[CTA_SEQADJ_OFFSET_AFTER]));
1681
1682 return 0;
1683}
1684
1685static int
1686ctnetlink_change_seq_adj(struct nf_conn *ct,
1687 const struct nlattr * const cda[])
1688{
1689 struct nf_conn_seqadj *seqadj = nfct_seqadj(ct);
1690 int ret = 0;
1691
1692 if (!seqadj)
1693 return 0;
1694
1695 spin_lock_bh(&ct->lock);
1696 if (cda[CTA_SEQ_ADJ_ORIG]) {
1697 ret = change_seq_adj(&seqadj->seq[IP_CT_DIR_ORIGINAL],
1698 cda[CTA_SEQ_ADJ_ORIG]);
1699 if (ret < 0)
1700 goto err;
1701
1702 set_bit(IPS_SEQ_ADJUST_BIT, &ct->status);
1703 }
1704
1705 if (cda[CTA_SEQ_ADJ_REPLY]) {
1706 ret = change_seq_adj(&seqadj->seq[IP_CT_DIR_REPLY],
1707 cda[CTA_SEQ_ADJ_REPLY]);
1708 if (ret < 0)
1709 goto err;
1710
1711 set_bit(IPS_SEQ_ADJUST_BIT, &ct->status);
1712 }
1713
1714 spin_unlock_bh(&ct->lock);
1715 return 0;
1716err:
1717 spin_unlock_bh(&ct->lock);
1718 return ret;
1719}
1720
1721static const struct nla_policy synproxy_policy[CTA_SYNPROXY_MAX + 1] = {
1722 [CTA_SYNPROXY_ISN] = { .type = NLA_U32 },
1723 [CTA_SYNPROXY_ITS] = { .type = NLA_U32 },
1724 [CTA_SYNPROXY_TSOFF] = { .type = NLA_U32 },
1725};
1726
1727static int ctnetlink_change_synproxy(struct nf_conn *ct,
1728 const struct nlattr * const cda[])
1729{
1730 struct nf_conn_synproxy *synproxy = nfct_synproxy(ct);
1731 struct nlattr *tb[CTA_SYNPROXY_MAX + 1];
1732 int err;
1733
1734 if (!synproxy)
1735 return 0;
1736
1737 err = nla_parse_nested(tb, CTA_SYNPROXY_MAX, cda[CTA_SYNPROXY],
1738 synproxy_policy, NULL);
1739 if (err < 0)
1740 return err;
1741
1742 if (!tb[CTA_SYNPROXY_ISN] ||
1743 !tb[CTA_SYNPROXY_ITS] ||
1744 !tb[CTA_SYNPROXY_TSOFF])
1745 return -EINVAL;
1746
1747 synproxy->isn = ntohl(nla_get_be32(tb[CTA_SYNPROXY_ISN]));
1748 synproxy->its = ntohl(nla_get_be32(tb[CTA_SYNPROXY_ITS]));
1749 synproxy->tsoff = ntohl(nla_get_be32(tb[CTA_SYNPROXY_TSOFF]));
1750
1751 return 0;
1752}
1753
1754static int
1755ctnetlink_attach_labels(struct nf_conn *ct, const struct nlattr * const cda[])
1756{
1757#ifdef CONFIG_NF_CONNTRACK_LABELS
1758 size_t len = nla_len(cda[CTA_LABELS]);
1759 const void *mask = cda[CTA_LABELS_MASK];
1760
1761 if (len & (sizeof(u32)-1))
1762 return -EINVAL;
1763
1764 if (mask) {
1765 if (nla_len(cda[CTA_LABELS_MASK]) == 0 ||
1766 nla_len(cda[CTA_LABELS_MASK]) != len)
1767 return -EINVAL;
1768 mask = nla_data(cda[CTA_LABELS_MASK]);
1769 }
1770
1771 len /= sizeof(u32);
1772
1773 return nf_connlabels_replace(ct, nla_data(cda[CTA_LABELS]), mask, len);
1774#else
1775 return -EOPNOTSUPP;
1776#endif
1777}
1778
1779static int
1780ctnetlink_change_conntrack(struct nf_conn *ct,
1781 const struct nlattr * const cda[])
1782{
1783 int err;
1784
1785
1786 if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST] || cda[CTA_TUPLE_MASTER])
1787 return -EOPNOTSUPP;
1788
1789 if (cda[CTA_HELP]) {
1790 err = ctnetlink_change_helper(ct, cda);
1791 if (err < 0)
1792 return err;
1793 }
1794
1795 if (cda[CTA_TIMEOUT]) {
1796 err = ctnetlink_change_timeout(ct, cda);
1797 if (err < 0)
1798 return err;
1799 }
1800
1801 if (cda[CTA_STATUS]) {
1802 err = ctnetlink_change_status(ct, cda);
1803 if (err < 0)
1804 return err;
1805 }
1806
1807 if (cda[CTA_PROTOINFO]) {
1808 err = ctnetlink_change_protoinfo(ct, cda);
1809 if (err < 0)
1810 return err;
1811 }
1812
1813#if defined(CONFIG_NF_CONNTRACK_MARK)
1814 if (cda[CTA_MARK])
1815 ct->mark = ntohl(nla_get_be32(cda[CTA_MARK]));
1816#endif
1817
1818 if (cda[CTA_SEQ_ADJ_ORIG] || cda[CTA_SEQ_ADJ_REPLY]) {
1819 err = ctnetlink_change_seq_adj(ct, cda);
1820 if (err < 0)
1821 return err;
1822 }
1823
1824 if (cda[CTA_SYNPROXY]) {
1825 err = ctnetlink_change_synproxy(ct, cda);
1826 if (err < 0)
1827 return err;
1828 }
1829
1830 if (cda[CTA_LABELS]) {
1831 err = ctnetlink_attach_labels(ct, cda);
1832 if (err < 0)
1833 return err;
1834 }
1835
1836 return 0;
1837}
1838
1839static struct nf_conn *
1840ctnetlink_create_conntrack(struct net *net,
1841 const struct nf_conntrack_zone *zone,
1842 const struct nlattr * const cda[],
1843 struct nf_conntrack_tuple *otuple,
1844 struct nf_conntrack_tuple *rtuple,
1845 u8 u3)
1846{
1847 struct nf_conn *ct;
1848 int err = -EINVAL;
1849 struct nf_conntrack_helper *helper;
1850 struct nf_conn_tstamp *tstamp;
1851 u64 timeout;
1852
1853 ct = nf_conntrack_alloc(net, zone, otuple, rtuple, GFP_ATOMIC);
1854 if (IS_ERR(ct))
1855 return ERR_PTR(-ENOMEM);
1856
1857 if (!cda[CTA_TIMEOUT])
1858 goto err1;
1859
1860 timeout = (u64)ntohl(nla_get_be32(cda[CTA_TIMEOUT])) * HZ;
1861 if (timeout > INT_MAX)
1862 timeout = INT_MAX;
1863 ct->timeout = (u32)timeout + nfct_time_stamp;
1864
1865 rcu_read_lock();
1866 if (cda[CTA_HELP]) {
1867 char *helpname = NULL;
1868 struct nlattr *helpinfo = NULL;
1869
1870 err = ctnetlink_parse_help(cda[CTA_HELP], &helpname, &helpinfo);
1871 if (err < 0)
1872 goto err2;
1873
1874 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
1875 nf_ct_protonum(ct));
1876 if (helper == NULL) {
1877 rcu_read_unlock();
1878#ifdef CONFIG_MODULES
1879 if (request_module("nfct-helper-%s", helpname) < 0) {
1880 err = -EOPNOTSUPP;
1881 goto err1;
1882 }
1883
1884 rcu_read_lock();
1885 helper = __nf_conntrack_helper_find(helpname,
1886 nf_ct_l3num(ct),
1887 nf_ct_protonum(ct));
1888 if (helper) {
1889 err = -EAGAIN;
1890 goto err2;
1891 }
1892 rcu_read_unlock();
1893#endif
1894 err = -EOPNOTSUPP;
1895 goto err1;
1896 } else {
1897 struct nf_conn_help *help;
1898
1899 help = nf_ct_helper_ext_add(ct, helper, GFP_ATOMIC);
1900 if (help == NULL) {
1901 err = -ENOMEM;
1902 goto err2;
1903 }
1904
1905 if (helper->from_nlattr)
1906 helper->from_nlattr(helpinfo, ct);
1907
1908
1909 RCU_INIT_POINTER(help->helper, helper);
1910 }
1911 } else {
1912
1913 err = __nf_ct_try_assign_helper(ct, NULL, GFP_ATOMIC);
1914 if (err < 0)
1915 goto err2;
1916 }
1917
1918 err = ctnetlink_setup_nat(ct, cda);
1919 if (err < 0)
1920 goto err2;
1921
1922 nf_ct_acct_ext_add(ct, GFP_ATOMIC);
1923 nf_ct_tstamp_ext_add(ct, GFP_ATOMIC);
1924 nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC);
1925 nf_ct_labels_ext_add(ct);
1926 nfct_seqadj_ext_add(ct);
1927 nfct_synproxy_ext_add(ct);
1928
1929
1930 ct->status |= IPS_CONFIRMED;
1931
1932 if (cda[CTA_STATUS]) {
1933 err = ctnetlink_change_status(ct, cda);
1934 if (err < 0)
1935 goto err2;
1936 }
1937
1938 if (cda[CTA_SEQ_ADJ_ORIG] || cda[CTA_SEQ_ADJ_REPLY]) {
1939 err = ctnetlink_change_seq_adj(ct, cda);
1940 if (err < 0)
1941 goto err2;
1942 }
1943
1944 memset(&ct->proto, 0, sizeof(ct->proto));
1945 if (cda[CTA_PROTOINFO]) {
1946 err = ctnetlink_change_protoinfo(ct, cda);
1947 if (err < 0)
1948 goto err2;
1949 }
1950
1951 if (cda[CTA_SYNPROXY]) {
1952 err = ctnetlink_change_synproxy(ct, cda);
1953 if (err < 0)
1954 goto err2;
1955 }
1956
1957#if defined(CONFIG_NF_CONNTRACK_MARK)
1958 if (cda[CTA_MARK])
1959 ct->mark = ntohl(nla_get_be32(cda[CTA_MARK]));
1960#endif
1961
1962
1963 if (cda[CTA_TUPLE_MASTER]) {
1964 struct nf_conntrack_tuple master;
1965 struct nf_conntrack_tuple_hash *master_h;
1966 struct nf_conn *master_ct;
1967
1968 err = ctnetlink_parse_tuple(cda, &master, CTA_TUPLE_MASTER,
1969 u3, NULL);
1970 if (err < 0)
1971 goto err2;
1972
1973 master_h = nf_conntrack_find_get(net, zone, &master);
1974 if (master_h == NULL) {
1975 err = -ENOENT;
1976 goto err2;
1977 }
1978 master_ct = nf_ct_tuplehash_to_ctrack(master_h);
1979 __set_bit(IPS_EXPECTED_BIT, &ct->status);
1980 ct->master = master_ct;
1981 }
1982 tstamp = nf_conn_tstamp_find(ct);
1983 if (tstamp)
1984 tstamp->start = ktime_get_real_ns();
1985
1986 err = nf_conntrack_hash_check_insert(ct);
1987 if (err < 0)
1988 goto err2;
1989
1990 rcu_read_unlock();
1991
1992 return ct;
1993
1994err2:
1995 rcu_read_unlock();
1996err1:
1997 nf_conntrack_free(ct);
1998 return ERR_PTR(err);
1999}
2000
2001static int ctnetlink_new_conntrack(struct net *net, struct sock *ctnl,
2002 struct sk_buff *skb,
2003 const struct nlmsghdr *nlh,
2004 const struct nlattr * const cda[],
2005 struct netlink_ext_ack *extack)
2006{
2007 struct nf_conntrack_tuple otuple, rtuple;
2008 struct nf_conntrack_tuple_hash *h = NULL;
2009 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2010 struct nf_conn *ct;
2011 u_int8_t u3 = nfmsg->nfgen_family;
2012 struct nf_conntrack_zone zone;
2013 int err;
2014
2015 err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone);
2016 if (err < 0)
2017 return err;
2018
2019 if (cda[CTA_TUPLE_ORIG]) {
2020 err = ctnetlink_parse_tuple(cda, &otuple, CTA_TUPLE_ORIG,
2021 u3, &zone);
2022 if (err < 0)
2023 return err;
2024 }
2025
2026 if (cda[CTA_TUPLE_REPLY]) {
2027 err = ctnetlink_parse_tuple(cda, &rtuple, CTA_TUPLE_REPLY,
2028 u3, &zone);
2029 if (err < 0)
2030 return err;
2031 }
2032
2033 if (cda[CTA_TUPLE_ORIG])
2034 h = nf_conntrack_find_get(net, &zone, &otuple);
2035 else if (cda[CTA_TUPLE_REPLY])
2036 h = nf_conntrack_find_get(net, &zone, &rtuple);
2037
2038 if (h == NULL) {
2039 err = -ENOENT;
2040 if (nlh->nlmsg_flags & NLM_F_CREATE) {
2041 enum ip_conntrack_events events;
2042
2043 if (!cda[CTA_TUPLE_ORIG] || !cda[CTA_TUPLE_REPLY])
2044 return -EINVAL;
2045 if (otuple.dst.protonum != rtuple.dst.protonum)
2046 return -EINVAL;
2047
2048 ct = ctnetlink_create_conntrack(net, &zone, cda, &otuple,
2049 &rtuple, u3);
2050 if (IS_ERR(ct))
2051 return PTR_ERR(ct);
2052
2053 err = 0;
2054 if (test_bit(IPS_EXPECTED_BIT, &ct->status))
2055 events = 1 << IPCT_RELATED;
2056 else
2057 events = 1 << IPCT_NEW;
2058
2059 if (cda[CTA_LABELS] &&
2060 ctnetlink_attach_labels(ct, cda) == 0)
2061 events |= (1 << IPCT_LABEL);
2062
2063 nf_conntrack_eventmask_report((1 << IPCT_REPLY) |
2064 (1 << IPCT_ASSURED) |
2065 (1 << IPCT_HELPER) |
2066 (1 << IPCT_PROTOINFO) |
2067 (1 << IPCT_SEQADJ) |
2068 (1 << IPCT_MARK) |
2069 (1 << IPCT_SYNPROXY) |
2070 events,
2071 ct, NETLINK_CB(skb).portid,
2072 nlmsg_report(nlh));
2073 nf_ct_put(ct);
2074 }
2075
2076 return err;
2077 }
2078
2079
2080 err = -EEXIST;
2081 ct = nf_ct_tuplehash_to_ctrack(h);
2082 if (!(nlh->nlmsg_flags & NLM_F_EXCL)) {
2083 err = ctnetlink_change_conntrack(ct, cda);
2084 if (err == 0) {
2085 nf_conntrack_eventmask_report((1 << IPCT_REPLY) |
2086 (1 << IPCT_ASSURED) |
2087 (1 << IPCT_HELPER) |
2088 (1 << IPCT_LABEL) |
2089 (1 << IPCT_PROTOINFO) |
2090 (1 << IPCT_SEQADJ) |
2091 (1 << IPCT_MARK) |
2092 (1 << IPCT_SYNPROXY),
2093 ct, NETLINK_CB(skb).portid,
2094 nlmsg_report(nlh));
2095 }
2096 }
2097
2098 nf_ct_put(ct);
2099 return err;
2100}
2101
2102static int
2103ctnetlink_ct_stat_cpu_fill_info(struct sk_buff *skb, u32 portid, u32 seq,
2104 __u16 cpu, const struct ip_conntrack_stat *st)
2105{
2106 struct nlmsghdr *nlh;
2107 struct nfgenmsg *nfmsg;
2108 unsigned int flags = portid ? NLM_F_MULTI : 0, event;
2109
2110 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK,
2111 IPCTNL_MSG_CT_GET_STATS_CPU);
2112 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
2113 if (nlh == NULL)
2114 goto nlmsg_failure;
2115
2116 nfmsg = nlmsg_data(nlh);
2117 nfmsg->nfgen_family = AF_UNSPEC;
2118 nfmsg->version = NFNETLINK_V0;
2119 nfmsg->res_id = htons(cpu);
2120
2121 if (nla_put_be32(skb, CTA_STATS_FOUND, htonl(st->found)) ||
2122 nla_put_be32(skb, CTA_STATS_INVALID, htonl(st->invalid)) ||
2123 nla_put_be32(skb, CTA_STATS_IGNORE, htonl(st->ignore)) ||
2124 nla_put_be32(skb, CTA_STATS_INSERT, htonl(st->insert)) ||
2125 nla_put_be32(skb, CTA_STATS_INSERT_FAILED,
2126 htonl(st->insert_failed)) ||
2127 nla_put_be32(skb, CTA_STATS_DROP, htonl(st->drop)) ||
2128 nla_put_be32(skb, CTA_STATS_EARLY_DROP, htonl(st->early_drop)) ||
2129 nla_put_be32(skb, CTA_STATS_ERROR, htonl(st->error)) ||
2130 nla_put_be32(skb, CTA_STATS_SEARCH_RESTART,
2131 htonl(st->search_restart)))
2132 goto nla_put_failure;
2133
2134 nlmsg_end(skb, nlh);
2135 return skb->len;
2136
2137nla_put_failure:
2138nlmsg_failure:
2139 nlmsg_cancel(skb, nlh);
2140 return -1;
2141}
2142
2143static int
2144ctnetlink_ct_stat_cpu_dump(struct sk_buff *skb, struct netlink_callback *cb)
2145{
2146 int cpu;
2147 struct net *net = sock_net(skb->sk);
2148
2149 if (cb->args[0] == nr_cpu_ids)
2150 return 0;
2151
2152 for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) {
2153 const struct ip_conntrack_stat *st;
2154
2155 if (!cpu_possible(cpu))
2156 continue;
2157
2158 st = per_cpu_ptr(net->ct.stat, cpu);
2159 if (ctnetlink_ct_stat_cpu_fill_info(skb,
2160 NETLINK_CB(cb->skb).portid,
2161 cb->nlh->nlmsg_seq,
2162 cpu, st) < 0)
2163 break;
2164 }
2165 cb->args[0] = cpu;
2166
2167 return skb->len;
2168}
2169
2170static int ctnetlink_stat_ct_cpu(struct net *net, struct sock *ctnl,
2171 struct sk_buff *skb,
2172 const struct nlmsghdr *nlh,
2173 const struct nlattr * const cda[],
2174 struct netlink_ext_ack *extack)
2175{
2176 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2177 struct netlink_dump_control c = {
2178 .dump = ctnetlink_ct_stat_cpu_dump,
2179 };
2180 return netlink_dump_start(ctnl, skb, nlh, &c);
2181 }
2182
2183 return 0;
2184}
2185
2186static int
2187ctnetlink_stat_ct_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
2188 struct net *net)
2189{
2190 struct nlmsghdr *nlh;
2191 struct nfgenmsg *nfmsg;
2192 unsigned int flags = portid ? NLM_F_MULTI : 0, event;
2193 unsigned int nr_conntracks = atomic_read(&net->ct.count);
2194
2195 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, IPCTNL_MSG_CT_GET_STATS);
2196 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
2197 if (nlh == NULL)
2198 goto nlmsg_failure;
2199
2200 nfmsg = nlmsg_data(nlh);
2201 nfmsg->nfgen_family = AF_UNSPEC;
2202 nfmsg->version = NFNETLINK_V0;
2203 nfmsg->res_id = 0;
2204
2205 if (nla_put_be32(skb, CTA_STATS_GLOBAL_ENTRIES, htonl(nr_conntracks)))
2206 goto nla_put_failure;
2207
2208 nlmsg_end(skb, nlh);
2209 return skb->len;
2210
2211nla_put_failure:
2212nlmsg_failure:
2213 nlmsg_cancel(skb, nlh);
2214 return -1;
2215}
2216
2217static int ctnetlink_stat_ct(struct net *net, struct sock *ctnl,
2218 struct sk_buff *skb, const struct nlmsghdr *nlh,
2219 const struct nlattr * const cda[],
2220 struct netlink_ext_ack *extack)
2221{
2222 struct sk_buff *skb2;
2223 int err;
2224
2225 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2226 if (skb2 == NULL)
2227 return -ENOMEM;
2228
2229 err = ctnetlink_stat_ct_fill_info(skb2, NETLINK_CB(skb).portid,
2230 nlh->nlmsg_seq,
2231 NFNL_MSG_TYPE(nlh->nlmsg_type),
2232 sock_net(skb->sk));
2233 if (err <= 0)
2234 goto free;
2235
2236 err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
2237 if (err < 0)
2238 goto out;
2239
2240 return 0;
2241
2242free:
2243 kfree_skb(skb2);
2244out:
2245
2246 return err == -EAGAIN ? -ENOBUFS : err;
2247}
2248
2249static const struct nla_policy exp_nla_policy[CTA_EXPECT_MAX+1] = {
2250 [CTA_EXPECT_MASTER] = { .type = NLA_NESTED },
2251 [CTA_EXPECT_TUPLE] = { .type = NLA_NESTED },
2252 [CTA_EXPECT_MASK] = { .type = NLA_NESTED },
2253 [CTA_EXPECT_TIMEOUT] = { .type = NLA_U32 },
2254 [CTA_EXPECT_ID] = { .type = NLA_U32 },
2255 [CTA_EXPECT_HELP_NAME] = { .type = NLA_NUL_STRING,
2256 .len = NF_CT_HELPER_NAME_LEN - 1 },
2257 [CTA_EXPECT_ZONE] = { .type = NLA_U16 },
2258 [CTA_EXPECT_FLAGS] = { .type = NLA_U32 },
2259 [CTA_EXPECT_CLASS] = { .type = NLA_U32 },
2260 [CTA_EXPECT_NAT] = { .type = NLA_NESTED },
2261 [CTA_EXPECT_FN] = { .type = NLA_NUL_STRING },
2262};
2263
2264static struct nf_conntrack_expect *
2265ctnetlink_alloc_expect(const struct nlattr *const cda[], struct nf_conn *ct,
2266 struct nf_conntrack_helper *helper,
2267 struct nf_conntrack_tuple *tuple,
2268 struct nf_conntrack_tuple *mask);
2269
2270#ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT
2271static size_t
2272ctnetlink_glue_build_size(const struct nf_conn *ct)
2273{
2274 return 3 * nla_total_size(0)
2275 + 3 * nla_total_size(0)
2276 + 3 * nla_total_size(0)
2277 + 3 * nla_total_size(sizeof(u_int8_t))
2278 + nla_total_size(sizeof(u_int32_t))
2279 + nla_total_size(sizeof(u_int32_t))
2280 + nla_total_size(sizeof(u_int32_t))
2281 + nla_total_size(0)
2282 + nla_total_size(0)
2283 + nla_total_size(NF_CT_HELPER_NAME_LEN)
2284 + ctnetlink_secctx_size(ct)
2285#ifdef CONFIG_NF_NAT_NEEDED
2286 + 2 * nla_total_size(0)
2287 + 6 * nla_total_size(sizeof(u_int32_t))
2288#endif
2289#ifdef CONFIG_NF_CONNTRACK_MARK
2290 + nla_total_size(sizeof(u_int32_t))
2291#endif
2292#ifdef CONFIG_NF_CONNTRACK_ZONES
2293 + nla_total_size(sizeof(u_int16_t))
2294#endif
2295 + ctnetlink_proto_size(ct)
2296 ;
2297}
2298
2299static struct nf_conn *ctnetlink_glue_get_ct(const struct sk_buff *skb,
2300 enum ip_conntrack_info *ctinfo)
2301{
2302 return nf_ct_get(skb, ctinfo);
2303}
2304
2305static int __ctnetlink_glue_build(struct sk_buff *skb, struct nf_conn *ct)
2306{
2307 const struct nf_conntrack_zone *zone;
2308 struct nlattr *nest_parms;
2309
2310 zone = nf_ct_zone(ct);
2311
2312 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED);
2313 if (!nest_parms)
2314 goto nla_put_failure;
2315 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
2316 goto nla_put_failure;
2317 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
2318 NF_CT_ZONE_DIR_ORIG) < 0)
2319 goto nla_put_failure;
2320 nla_nest_end(skb, nest_parms);
2321
2322 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY | NLA_F_NESTED);
2323 if (!nest_parms)
2324 goto nla_put_failure;
2325 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
2326 goto nla_put_failure;
2327 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
2328 NF_CT_ZONE_DIR_REPL) < 0)
2329 goto nla_put_failure;
2330 nla_nest_end(skb, nest_parms);
2331
2332 if (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone,
2333 NF_CT_DEFAULT_ZONE_DIR) < 0)
2334 goto nla_put_failure;
2335
2336 if (ctnetlink_dump_id(skb, ct) < 0)
2337 goto nla_put_failure;
2338
2339 if (ctnetlink_dump_status(skb, ct) < 0)
2340 goto nla_put_failure;
2341
2342 if (ctnetlink_dump_timeout(skb, ct) < 0)
2343 goto nla_put_failure;
2344
2345 if (ctnetlink_dump_protoinfo(skb, ct) < 0)
2346 goto nla_put_failure;
2347
2348 if (ctnetlink_dump_helpinfo(skb, ct) < 0)
2349 goto nla_put_failure;
2350
2351#ifdef CONFIG_NF_CONNTRACK_SECMARK
2352 if (ct->secmark && ctnetlink_dump_secctx(skb, ct) < 0)
2353 goto nla_put_failure;
2354#endif
2355 if (ct->master && ctnetlink_dump_master(skb, ct) < 0)
2356 goto nla_put_failure;
2357
2358 if ((ct->status & IPS_SEQ_ADJUST) &&
2359 ctnetlink_dump_ct_seq_adj(skb, ct) < 0)
2360 goto nla_put_failure;
2361
2362 if (ctnetlink_dump_ct_synproxy(skb, ct) < 0)
2363 goto nla_put_failure;
2364
2365#ifdef CONFIG_NF_CONNTRACK_MARK
2366 if (ct->mark && ctnetlink_dump_mark(skb, ct) < 0)
2367 goto nla_put_failure;
2368#endif
2369 if (ctnetlink_dump_labels(skb, ct) < 0)
2370 goto nla_put_failure;
2371 return 0;
2372
2373nla_put_failure:
2374 return -ENOSPC;
2375}
2376
2377static int
2378ctnetlink_glue_build(struct sk_buff *skb, struct nf_conn *ct,
2379 enum ip_conntrack_info ctinfo,
2380 u_int16_t ct_attr, u_int16_t ct_info_attr)
2381{
2382 struct nlattr *nest_parms;
2383
2384 nest_parms = nla_nest_start(skb, ct_attr | NLA_F_NESTED);
2385 if (!nest_parms)
2386 goto nla_put_failure;
2387
2388 if (__ctnetlink_glue_build(skb, ct) < 0)
2389 goto nla_put_failure;
2390
2391 nla_nest_end(skb, nest_parms);
2392
2393 if (nla_put_be32(skb, ct_info_attr, htonl(ctinfo)))
2394 goto nla_put_failure;
2395
2396 return 0;
2397
2398nla_put_failure:
2399 return -ENOSPC;
2400}
2401
2402static int
2403ctnetlink_update_status(struct nf_conn *ct, const struct nlattr * const cda[])
2404{
2405 unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS]));
2406 unsigned long d = ct->status ^ status;
2407
2408 if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY))
2409
2410 return -EBUSY;
2411
2412 if (d & IPS_ASSURED && !(status & IPS_ASSURED))
2413
2414 return -EBUSY;
2415
2416
2417
2418
2419
2420
2421
2422 __ctnetlink_change_status(ct, status, ~status);
2423 return 0;
2424}
2425
2426static int
2427ctnetlink_glue_parse_ct(const struct nlattr *cda[], struct nf_conn *ct)
2428{
2429 int err;
2430
2431 if (cda[CTA_TIMEOUT]) {
2432 err = ctnetlink_change_timeout(ct, cda);
2433 if (err < 0)
2434 return err;
2435 }
2436 if (cda[CTA_STATUS]) {
2437 err = ctnetlink_update_status(ct, cda);
2438 if (err < 0)
2439 return err;
2440 }
2441 if (cda[CTA_HELP]) {
2442 err = ctnetlink_change_helper(ct, cda);
2443 if (err < 0)
2444 return err;
2445 }
2446 if (cda[CTA_LABELS]) {
2447 err = ctnetlink_attach_labels(ct, cda);
2448 if (err < 0)
2449 return err;
2450 }
2451#if defined(CONFIG_NF_CONNTRACK_MARK)
2452 if (cda[CTA_MARK]) {
2453 u32 mask = 0, mark, newmark;
2454 if (cda[CTA_MARK_MASK])
2455 mask = ~ntohl(nla_get_be32(cda[CTA_MARK_MASK]));
2456
2457 mark = ntohl(nla_get_be32(cda[CTA_MARK]));
2458 newmark = (ct->mark & mask) ^ mark;
2459 if (newmark != ct->mark)
2460 ct->mark = newmark;
2461 }
2462#endif
2463 return 0;
2464}
2465
2466static int
2467ctnetlink_glue_parse(const struct nlattr *attr, struct nf_conn *ct)
2468{
2469 struct nlattr *cda[CTA_MAX+1];
2470 int ret;
2471
2472 ret = nla_parse_nested(cda, CTA_MAX, attr, ct_nla_policy, NULL);
2473 if (ret < 0)
2474 return ret;
2475
2476 return ctnetlink_glue_parse_ct((const struct nlattr **)cda, ct);
2477}
2478
2479static int ctnetlink_glue_exp_parse(const struct nlattr * const *cda,
2480 const struct nf_conn *ct,
2481 struct nf_conntrack_tuple *tuple,
2482 struct nf_conntrack_tuple *mask)
2483{
2484 int err;
2485
2486 err = ctnetlink_parse_tuple(cda, tuple, CTA_EXPECT_TUPLE,
2487 nf_ct_l3num(ct), NULL);
2488 if (err < 0)
2489 return err;
2490
2491 return ctnetlink_parse_tuple(cda, mask, CTA_EXPECT_MASK,
2492 nf_ct_l3num(ct), NULL);
2493}
2494
2495static int
2496ctnetlink_glue_attach_expect(const struct nlattr *attr, struct nf_conn *ct,
2497 u32 portid, u32 report)
2498{
2499 struct nlattr *cda[CTA_EXPECT_MAX+1];
2500 struct nf_conntrack_tuple tuple, mask;
2501 struct nf_conntrack_helper *helper = NULL;
2502 struct nf_conntrack_expect *exp;
2503 int err;
2504
2505 err = nla_parse_nested(cda, CTA_EXPECT_MAX, attr, exp_nla_policy,
2506 NULL);
2507 if (err < 0)
2508 return err;
2509
2510 err = ctnetlink_glue_exp_parse((const struct nlattr * const *)cda,
2511 ct, &tuple, &mask);
2512 if (err < 0)
2513 return err;
2514
2515 if (cda[CTA_EXPECT_HELP_NAME]) {
2516 const char *helpname = nla_data(cda[CTA_EXPECT_HELP_NAME]);
2517
2518 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
2519 nf_ct_protonum(ct));
2520 if (helper == NULL)
2521 return -EOPNOTSUPP;
2522 }
2523
2524 exp = ctnetlink_alloc_expect((const struct nlattr * const *)cda, ct,
2525 helper, &tuple, &mask);
2526 if (IS_ERR(exp))
2527 return PTR_ERR(exp);
2528
2529 err = nf_ct_expect_related_report(exp, portid, report);
2530 nf_ct_expect_put(exp);
2531 return err;
2532}
2533
2534static void ctnetlink_glue_seqadj(struct sk_buff *skb, struct nf_conn *ct,
2535 enum ip_conntrack_info ctinfo, int diff)
2536{
2537 if (!(ct->status & IPS_NAT_MASK))
2538 return;
2539
2540 nf_ct_tcp_seqadj_set(skb, ct, ctinfo, diff);
2541}
2542
2543static struct nfnl_ct_hook ctnetlink_glue_hook = {
2544 .get_ct = ctnetlink_glue_get_ct,
2545 .build_size = ctnetlink_glue_build_size,
2546 .build = ctnetlink_glue_build,
2547 .parse = ctnetlink_glue_parse,
2548 .attach_expect = ctnetlink_glue_attach_expect,
2549 .seq_adjust = ctnetlink_glue_seqadj,
2550};
2551#endif
2552
2553
2554
2555
2556
2557static int ctnetlink_exp_dump_tuple(struct sk_buff *skb,
2558 const struct nf_conntrack_tuple *tuple,
2559 u32 type)
2560{
2561 struct nlattr *nest_parms;
2562
2563 nest_parms = nla_nest_start(skb, type | NLA_F_NESTED);
2564 if (!nest_parms)
2565 goto nla_put_failure;
2566 if (ctnetlink_dump_tuples(skb, tuple) < 0)
2567 goto nla_put_failure;
2568 nla_nest_end(skb, nest_parms);
2569
2570 return 0;
2571
2572nla_put_failure:
2573 return -1;
2574}
2575
2576static int ctnetlink_exp_dump_mask(struct sk_buff *skb,
2577 const struct nf_conntrack_tuple *tuple,
2578 const struct nf_conntrack_tuple_mask *mask)
2579{
2580 const struct nf_conntrack_l3proto *l3proto;
2581 const struct nf_conntrack_l4proto *l4proto;
2582 struct nf_conntrack_tuple m;
2583 struct nlattr *nest_parms;
2584 int ret;
2585
2586 memset(&m, 0xFF, sizeof(m));
2587 memcpy(&m.src.u3, &mask->src.u3, sizeof(m.src.u3));
2588 m.src.u.all = mask->src.u.all;
2589 m.dst.protonum = tuple->dst.protonum;
2590
2591 nest_parms = nla_nest_start(skb, CTA_EXPECT_MASK | NLA_F_NESTED);
2592 if (!nest_parms)
2593 goto nla_put_failure;
2594
2595 rcu_read_lock();
2596 l3proto = __nf_ct_l3proto_find(tuple->src.l3num);
2597 ret = ctnetlink_dump_tuples_ip(skb, &m, l3proto);
2598 if (ret >= 0) {
2599 l4proto = __nf_ct_l4proto_find(tuple->src.l3num,
2600 tuple->dst.protonum);
2601 ret = ctnetlink_dump_tuples_proto(skb, &m, l4proto);
2602 }
2603 rcu_read_unlock();
2604
2605 if (unlikely(ret < 0))
2606 goto nla_put_failure;
2607
2608 nla_nest_end(skb, nest_parms);
2609
2610 return 0;
2611
2612nla_put_failure:
2613 return -1;
2614}
2615
2616static const union nf_inet_addr any_addr;
2617
2618static int
2619ctnetlink_exp_dump_expect(struct sk_buff *skb,
2620 const struct nf_conntrack_expect *exp)
2621{
2622 struct nf_conn *master = exp->master;
2623 long timeout = ((long)exp->timeout.expires - (long)jiffies) / HZ;
2624 struct nf_conn_help *help;
2625#ifdef CONFIG_NF_NAT_NEEDED
2626 struct nlattr *nest_parms;
2627 struct nf_conntrack_tuple nat_tuple = {};
2628#endif
2629 struct nf_ct_helper_expectfn *expfn;
2630
2631 if (timeout < 0)
2632 timeout = 0;
2633
2634 if (ctnetlink_exp_dump_tuple(skb, &exp->tuple, CTA_EXPECT_TUPLE) < 0)
2635 goto nla_put_failure;
2636 if (ctnetlink_exp_dump_mask(skb, &exp->tuple, &exp->mask) < 0)
2637 goto nla_put_failure;
2638 if (ctnetlink_exp_dump_tuple(skb,
2639 &master->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
2640 CTA_EXPECT_MASTER) < 0)
2641 goto nla_put_failure;
2642
2643#ifdef CONFIG_NF_NAT_NEEDED
2644 if (!nf_inet_addr_cmp(&exp->saved_addr, &any_addr) ||
2645 exp->saved_proto.all) {
2646 nest_parms = nla_nest_start(skb, CTA_EXPECT_NAT | NLA_F_NESTED);
2647 if (!nest_parms)
2648 goto nla_put_failure;
2649
2650 if (nla_put_be32(skb, CTA_EXPECT_NAT_DIR, htonl(exp->dir)))
2651 goto nla_put_failure;
2652
2653 nat_tuple.src.l3num = nf_ct_l3num(master);
2654 nat_tuple.src.u3 = exp->saved_addr;
2655 nat_tuple.dst.protonum = nf_ct_protonum(master);
2656 nat_tuple.src.u = exp->saved_proto;
2657
2658 if (ctnetlink_exp_dump_tuple(skb, &nat_tuple,
2659 CTA_EXPECT_NAT_TUPLE) < 0)
2660 goto nla_put_failure;
2661 nla_nest_end(skb, nest_parms);
2662 }
2663#endif
2664 if (nla_put_be32(skb, CTA_EXPECT_TIMEOUT, htonl(timeout)) ||
2665 nla_put_be32(skb, CTA_EXPECT_ID, htonl((unsigned long)exp)) ||
2666 nla_put_be32(skb, CTA_EXPECT_FLAGS, htonl(exp->flags)) ||
2667 nla_put_be32(skb, CTA_EXPECT_CLASS, htonl(exp->class)))
2668 goto nla_put_failure;
2669 help = nfct_help(master);
2670 if (help) {
2671 struct nf_conntrack_helper *helper;
2672
2673 helper = rcu_dereference(help->helper);
2674 if (helper &&
2675 nla_put_string(skb, CTA_EXPECT_HELP_NAME, helper->name))
2676 goto nla_put_failure;
2677 }
2678 expfn = nf_ct_helper_expectfn_find_by_symbol(exp->expectfn);
2679 if (expfn != NULL &&
2680 nla_put_string(skb, CTA_EXPECT_FN, expfn->name))
2681 goto nla_put_failure;
2682
2683 return 0;
2684
2685nla_put_failure:
2686 return -1;
2687}
2688
2689static int
2690ctnetlink_exp_fill_info(struct sk_buff *skb, u32 portid, u32 seq,
2691 int event, const struct nf_conntrack_expect *exp)
2692{
2693 struct nlmsghdr *nlh;
2694 struct nfgenmsg *nfmsg;
2695 unsigned int flags = portid ? NLM_F_MULTI : 0;
2696
2697 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_EXP, event);
2698 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
2699 if (nlh == NULL)
2700 goto nlmsg_failure;
2701
2702 nfmsg = nlmsg_data(nlh);
2703 nfmsg->nfgen_family = exp->tuple.src.l3num;
2704 nfmsg->version = NFNETLINK_V0;
2705 nfmsg->res_id = 0;
2706
2707 if (ctnetlink_exp_dump_expect(skb, exp) < 0)
2708 goto nla_put_failure;
2709
2710 nlmsg_end(skb, nlh);
2711 return skb->len;
2712
2713nlmsg_failure:
2714nla_put_failure:
2715 nlmsg_cancel(skb, nlh);
2716 return -1;
2717}
2718
2719#ifdef CONFIG_NF_CONNTRACK_EVENTS
2720static int
2721ctnetlink_expect_event(unsigned int events, struct nf_exp_event *item)
2722{
2723 struct nf_conntrack_expect *exp = item->exp;
2724 struct net *net = nf_ct_exp_net(exp);
2725 struct nlmsghdr *nlh;
2726 struct nfgenmsg *nfmsg;
2727 struct sk_buff *skb;
2728 unsigned int type, group;
2729 int flags = 0;
2730
2731 if (events & (1 << IPEXP_DESTROY)) {
2732 type = IPCTNL_MSG_EXP_DELETE;
2733 group = NFNLGRP_CONNTRACK_EXP_DESTROY;
2734 } else if (events & (1 << IPEXP_NEW)) {
2735 type = IPCTNL_MSG_EXP_NEW;
2736 flags = NLM_F_CREATE|NLM_F_EXCL;
2737 group = NFNLGRP_CONNTRACK_EXP_NEW;
2738 } else
2739 return 0;
2740
2741 if (!item->report && !nfnetlink_has_listeners(net, group))
2742 return 0;
2743
2744 skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
2745 if (skb == NULL)
2746 goto errout;
2747
2748 type = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_EXP, type);
2749 nlh = nlmsg_put(skb, item->portid, 0, type, sizeof(*nfmsg), flags);
2750 if (nlh == NULL)
2751 goto nlmsg_failure;
2752
2753 nfmsg = nlmsg_data(nlh);
2754 nfmsg->nfgen_family = exp->tuple.src.l3num;
2755 nfmsg->version = NFNETLINK_V0;
2756 nfmsg->res_id = 0;
2757
2758 if (ctnetlink_exp_dump_expect(skb, exp) < 0)
2759 goto nla_put_failure;
2760
2761 nlmsg_end(skb, nlh);
2762 nfnetlink_send(skb, net, item->portid, group, item->report, GFP_ATOMIC);
2763 return 0;
2764
2765nla_put_failure:
2766 nlmsg_cancel(skb, nlh);
2767nlmsg_failure:
2768 kfree_skb(skb);
2769errout:
2770 nfnetlink_set_err(net, 0, 0, -ENOBUFS);
2771 return 0;
2772}
2773#endif
2774static int ctnetlink_exp_done(struct netlink_callback *cb)
2775{
2776 if (cb->args[1])
2777 nf_ct_expect_put((struct nf_conntrack_expect *)cb->args[1]);
2778 return 0;
2779}
2780
2781static int
2782ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
2783{
2784 struct net *net = sock_net(skb->sk);
2785 struct nf_conntrack_expect *exp, *last;
2786 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2787 u_int8_t l3proto = nfmsg->nfgen_family;
2788
2789 rcu_read_lock();
2790 last = (struct nf_conntrack_expect *)cb->args[1];
2791 for (; cb->args[0] < nf_ct_expect_hsize; cb->args[0]++) {
2792restart:
2793 hlist_for_each_entry_rcu(exp, &nf_ct_expect_hash[cb->args[0]],
2794 hnode) {
2795 if (l3proto && exp->tuple.src.l3num != l3proto)
2796 continue;
2797
2798 if (!net_eq(nf_ct_net(exp->master), net))
2799 continue;
2800
2801 if (cb->args[1]) {
2802 if (exp != last)
2803 continue;
2804 cb->args[1] = 0;
2805 }
2806 if (ctnetlink_exp_fill_info(skb,
2807 NETLINK_CB(cb->skb).portid,
2808 cb->nlh->nlmsg_seq,
2809 IPCTNL_MSG_EXP_NEW,
2810 exp) < 0) {
2811 if (!refcount_inc_not_zero(&exp->use))
2812 continue;
2813 cb->args[1] = (unsigned long)exp;
2814 goto out;
2815 }
2816 }
2817 if (cb->args[1]) {
2818 cb->args[1] = 0;
2819 goto restart;
2820 }
2821 }
2822out:
2823 rcu_read_unlock();
2824 if (last)
2825 nf_ct_expect_put(last);
2826
2827 return skb->len;
2828}
2829
2830static int
2831ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
2832{
2833 struct nf_conntrack_expect *exp, *last;
2834 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2835 struct nf_conn *ct = cb->data;
2836 struct nf_conn_help *help = nfct_help(ct);
2837 u_int8_t l3proto = nfmsg->nfgen_family;
2838
2839 if (cb->args[0])
2840 return 0;
2841
2842 rcu_read_lock();
2843 last = (struct nf_conntrack_expect *)cb->args[1];
2844restart:
2845 hlist_for_each_entry_rcu(exp, &help->expectations, lnode) {
2846 if (l3proto && exp->tuple.src.l3num != l3proto)
2847 continue;
2848 if (cb->args[1]) {
2849 if (exp != last)
2850 continue;
2851 cb->args[1] = 0;
2852 }
2853 if (ctnetlink_exp_fill_info(skb, NETLINK_CB(cb->skb).portid,
2854 cb->nlh->nlmsg_seq,
2855 IPCTNL_MSG_EXP_NEW,
2856 exp) < 0) {
2857 if (!refcount_inc_not_zero(&exp->use))
2858 continue;
2859 cb->args[1] = (unsigned long)exp;
2860 goto out;
2861 }
2862 }
2863 if (cb->args[1]) {
2864 cb->args[1] = 0;
2865 goto restart;
2866 }
2867 cb->args[0] = 1;
2868out:
2869 rcu_read_unlock();
2870 if (last)
2871 nf_ct_expect_put(last);
2872
2873 return skb->len;
2874}
2875
2876static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl,
2877 struct sk_buff *skb,
2878 const struct nlmsghdr *nlh,
2879 const struct nlattr * const cda[],
2880 struct netlink_ext_ack *extack)
2881{
2882 int err;
2883 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2884 u_int8_t u3 = nfmsg->nfgen_family;
2885 struct nf_conntrack_tuple tuple;
2886 struct nf_conntrack_tuple_hash *h;
2887 struct nf_conn *ct;
2888 struct nf_conntrack_zone zone;
2889 struct netlink_dump_control c = {
2890 .dump = ctnetlink_exp_ct_dump_table,
2891 .done = ctnetlink_exp_done,
2892 };
2893
2894 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER,
2895 u3, NULL);
2896 if (err < 0)
2897 return err;
2898
2899 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
2900 if (err < 0)
2901 return err;
2902
2903 h = nf_conntrack_find_get(net, &zone, &tuple);
2904 if (!h)
2905 return -ENOENT;
2906
2907 ct = nf_ct_tuplehash_to_ctrack(h);
2908
2909 if (!nfct_help(ct)) {
2910 nf_ct_put(ct);
2911 return 0;
2912 }
2913
2914 c.data = ct;
2915
2916 err = netlink_dump_start(ctnl, skb, nlh, &c);
2917 nf_ct_put(ct);
2918
2919 return err;
2920}
2921
2922static int ctnetlink_get_expect(struct net *net, struct sock *ctnl,
2923 struct sk_buff *skb, const struct nlmsghdr *nlh,
2924 const struct nlattr * const cda[],
2925 struct netlink_ext_ack *extack)
2926{
2927 struct nf_conntrack_tuple tuple;
2928 struct nf_conntrack_expect *exp;
2929 struct sk_buff *skb2;
2930 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2931 u_int8_t u3 = nfmsg->nfgen_family;
2932 struct nf_conntrack_zone zone;
2933 int err;
2934
2935 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2936 if (cda[CTA_EXPECT_MASTER])
2937 return ctnetlink_dump_exp_ct(net, ctnl, skb, nlh, cda,
2938 extack);
2939 else {
2940 struct netlink_dump_control c = {
2941 .dump = ctnetlink_exp_dump_table,
2942 .done = ctnetlink_exp_done,
2943 };
2944 return netlink_dump_start(ctnl, skb, nlh, &c);
2945 }
2946 }
2947
2948 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
2949 if (err < 0)
2950 return err;
2951
2952 if (cda[CTA_EXPECT_TUPLE])
2953 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE,
2954 u3, NULL);
2955 else if (cda[CTA_EXPECT_MASTER])
2956 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER,
2957 u3, NULL);
2958 else
2959 return -EINVAL;
2960
2961 if (err < 0)
2962 return err;
2963
2964 exp = nf_ct_expect_find_get(net, &zone, &tuple);
2965 if (!exp)
2966 return -ENOENT;
2967
2968 if (cda[CTA_EXPECT_ID]) {
2969 __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);
2970 if (ntohl(id) != (u32)(unsigned long)exp) {
2971 nf_ct_expect_put(exp);
2972 return -ENOENT;
2973 }
2974 }
2975
2976 err = -ENOMEM;
2977 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2978 if (skb2 == NULL) {
2979 nf_ct_expect_put(exp);
2980 goto out;
2981 }
2982
2983 rcu_read_lock();
2984 err = ctnetlink_exp_fill_info(skb2, NETLINK_CB(skb).portid,
2985 nlh->nlmsg_seq, IPCTNL_MSG_EXP_NEW, exp);
2986 rcu_read_unlock();
2987 nf_ct_expect_put(exp);
2988 if (err <= 0)
2989 goto free;
2990
2991 err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
2992 if (err < 0)
2993 goto out;
2994
2995 return 0;
2996
2997free:
2998 kfree_skb(skb2);
2999out:
3000
3001 return err == -EAGAIN ? -ENOBUFS : err;
3002}
3003
3004static bool expect_iter_name(struct nf_conntrack_expect *exp, void *data)
3005{
3006 const struct nf_conn_help *m_help;
3007 const char *name = data;
3008
3009 m_help = nfct_help(exp->master);
3010
3011 return strcmp(m_help->helper->name, name) == 0;
3012}
3013
3014static bool expect_iter_all(struct nf_conntrack_expect *exp, void *data)
3015{
3016 return true;
3017}
3018
3019static int ctnetlink_del_expect(struct net *net, struct sock *ctnl,
3020 struct sk_buff *skb, const struct nlmsghdr *nlh,
3021 const struct nlattr * const cda[],
3022 struct netlink_ext_ack *extack)
3023{
3024 struct nf_conntrack_expect *exp;
3025 struct nf_conntrack_tuple tuple;
3026 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3027 u_int8_t u3 = nfmsg->nfgen_family;
3028 struct nf_conntrack_zone zone;
3029 int err;
3030
3031 if (cda[CTA_EXPECT_TUPLE]) {
3032
3033 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
3034 if (err < 0)
3035 return err;
3036
3037 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE,
3038 u3, NULL);
3039 if (err < 0)
3040 return err;
3041
3042
3043 exp = nf_ct_expect_find_get(net, &zone, &tuple);
3044 if (!exp)
3045 return -ENOENT;
3046
3047 if (cda[CTA_EXPECT_ID]) {
3048 __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);
3049 if (ntohl(id) != (u32)(unsigned long)exp) {
3050 nf_ct_expect_put(exp);
3051 return -ENOENT;
3052 }
3053 }
3054
3055
3056 spin_lock_bh(&nf_conntrack_expect_lock);
3057 if (del_timer(&exp->timeout)) {
3058 nf_ct_unlink_expect_report(exp, NETLINK_CB(skb).portid,
3059 nlmsg_report(nlh));
3060 nf_ct_expect_put(exp);
3061 }
3062 spin_unlock_bh(&nf_conntrack_expect_lock);
3063
3064
3065 nf_ct_expect_put(exp);
3066 } else if (cda[CTA_EXPECT_HELP_NAME]) {
3067 char *name = nla_data(cda[CTA_EXPECT_HELP_NAME]);
3068
3069 nf_ct_expect_iterate_net(net, expect_iter_name, name,
3070 NETLINK_CB(skb).portid,
3071 nlmsg_report(nlh));
3072 } else {
3073
3074 nf_ct_expect_iterate_net(net, expect_iter_all, NULL,
3075 NETLINK_CB(skb).portid,
3076 nlmsg_report(nlh));
3077 }
3078
3079 return 0;
3080}
3081static int
3082ctnetlink_change_expect(struct nf_conntrack_expect *x,
3083 const struct nlattr * const cda[])
3084{
3085 if (cda[CTA_EXPECT_TIMEOUT]) {
3086 if (!del_timer(&x->timeout))
3087 return -ETIME;
3088
3089 x->timeout.expires = jiffies +
3090 ntohl(nla_get_be32(cda[CTA_EXPECT_TIMEOUT])) * HZ;
3091 add_timer(&x->timeout);
3092 }
3093 return 0;
3094}
3095
3096static const struct nla_policy exp_nat_nla_policy[CTA_EXPECT_NAT_MAX+1] = {
3097 [CTA_EXPECT_NAT_DIR] = { .type = NLA_U32 },
3098 [CTA_EXPECT_NAT_TUPLE] = { .type = NLA_NESTED },
3099};
3100
3101static int
3102ctnetlink_parse_expect_nat(const struct nlattr *attr,
3103 struct nf_conntrack_expect *exp,
3104 u_int8_t u3)
3105{
3106#ifdef CONFIG_NF_NAT_NEEDED
3107 struct nlattr *tb[CTA_EXPECT_NAT_MAX+1];
3108 struct nf_conntrack_tuple nat_tuple = {};
3109 int err;
3110
3111 err = nla_parse_nested(tb, CTA_EXPECT_NAT_MAX, attr,
3112 exp_nat_nla_policy, NULL);
3113 if (err < 0)
3114 return err;
3115
3116 if (!tb[CTA_EXPECT_NAT_DIR] || !tb[CTA_EXPECT_NAT_TUPLE])
3117 return -EINVAL;
3118
3119 err = ctnetlink_parse_tuple((const struct nlattr * const *)tb,
3120 &nat_tuple, CTA_EXPECT_NAT_TUPLE,
3121 u3, NULL);
3122 if (err < 0)
3123 return err;
3124
3125 exp->saved_addr = nat_tuple.src.u3;
3126 exp->saved_proto = nat_tuple.src.u;
3127 exp->dir = ntohl(nla_get_be32(tb[CTA_EXPECT_NAT_DIR]));
3128
3129 return 0;
3130#else
3131 return -EOPNOTSUPP;
3132#endif
3133}
3134
3135static struct nf_conntrack_expect *
3136ctnetlink_alloc_expect(const struct nlattr * const cda[], struct nf_conn *ct,
3137 struct nf_conntrack_helper *helper,
3138 struct nf_conntrack_tuple *tuple,
3139 struct nf_conntrack_tuple *mask)
3140{
3141 u_int32_t class = 0;
3142 struct nf_conntrack_expect *exp;
3143 struct nf_conn_help *help;
3144 int err;
3145
3146 help = nfct_help(ct);
3147 if (!help)
3148 return ERR_PTR(-EOPNOTSUPP);
3149
3150 if (cda[CTA_EXPECT_CLASS] && helper) {
3151 class = ntohl(nla_get_be32(cda[CTA_EXPECT_CLASS]));
3152 if (class > helper->expect_class_max)
3153 return ERR_PTR(-EINVAL);
3154 }
3155 exp = nf_ct_expect_alloc(ct);
3156 if (!exp)
3157 return ERR_PTR(-ENOMEM);
3158
3159 if (cda[CTA_EXPECT_FLAGS]) {
3160 exp->flags = ntohl(nla_get_be32(cda[CTA_EXPECT_FLAGS]));
3161 exp->flags &= ~NF_CT_EXPECT_USERSPACE;
3162 } else {
3163 exp->flags = 0;
3164 }
3165 if (cda[CTA_EXPECT_FN]) {
3166 const char *name = nla_data(cda[CTA_EXPECT_FN]);
3167 struct nf_ct_helper_expectfn *expfn;
3168
3169 expfn = nf_ct_helper_expectfn_find_by_name(name);
3170 if (expfn == NULL) {
3171 err = -EINVAL;
3172 goto err_out;
3173 }
3174 exp->expectfn = expfn->expectfn;
3175 } else
3176 exp->expectfn = NULL;
3177
3178 exp->class = class;
3179 exp->master = ct;
3180 exp->helper = helper;
3181 exp->tuple = *tuple;
3182 exp->mask.src.u3 = mask->src.u3;
3183 exp->mask.src.u.all = mask->src.u.all;
3184
3185 if (cda[CTA_EXPECT_NAT]) {
3186 err = ctnetlink_parse_expect_nat(cda[CTA_EXPECT_NAT],
3187 exp, nf_ct_l3num(ct));
3188 if (err < 0)
3189 goto err_out;
3190 }
3191 return exp;
3192err_out:
3193 nf_ct_expect_put(exp);
3194 return ERR_PTR(err);
3195}
3196
3197static int
3198ctnetlink_create_expect(struct net *net,
3199 const struct nf_conntrack_zone *zone,
3200 const struct nlattr * const cda[],
3201 u_int8_t u3, u32 portid, int report)
3202{
3203 struct nf_conntrack_tuple tuple, mask, master_tuple;
3204 struct nf_conntrack_tuple_hash *h = NULL;
3205 struct nf_conntrack_helper *helper = NULL;
3206 struct nf_conntrack_expect *exp;
3207 struct nf_conn *ct;
3208 int err;
3209
3210
3211 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE,
3212 u3, NULL);
3213 if (err < 0)
3214 return err;
3215 err = ctnetlink_parse_tuple(cda, &mask, CTA_EXPECT_MASK,
3216 u3, NULL);
3217 if (err < 0)
3218 return err;
3219 err = ctnetlink_parse_tuple(cda, &master_tuple, CTA_EXPECT_MASTER,
3220 u3, NULL);
3221 if (err < 0)
3222 return err;
3223
3224
3225 h = nf_conntrack_find_get(net, zone, &master_tuple);
3226 if (!h)
3227 return -ENOENT;
3228 ct = nf_ct_tuplehash_to_ctrack(h);
3229
3230 rcu_read_lock();
3231 if (cda[CTA_EXPECT_HELP_NAME]) {
3232 const char *helpname = nla_data(cda[CTA_EXPECT_HELP_NAME]);
3233
3234 helper = __nf_conntrack_helper_find(helpname, u3,
3235 nf_ct_protonum(ct));
3236 if (helper == NULL) {
3237 rcu_read_unlock();
3238#ifdef CONFIG_MODULES
3239 if (request_module("nfct-helper-%s", helpname) < 0) {
3240 err = -EOPNOTSUPP;
3241 goto err_ct;
3242 }
3243 rcu_read_lock();
3244 helper = __nf_conntrack_helper_find(helpname, u3,
3245 nf_ct_protonum(ct));
3246 if (helper) {
3247 err = -EAGAIN;
3248 goto err_rcu;
3249 }
3250 rcu_read_unlock();
3251#endif
3252 err = -EOPNOTSUPP;
3253 goto err_ct;
3254 }
3255 }
3256
3257 exp = ctnetlink_alloc_expect(cda, ct, helper, &tuple, &mask);
3258 if (IS_ERR(exp)) {
3259 err = PTR_ERR(exp);
3260 goto err_rcu;
3261 }
3262
3263 err = nf_ct_expect_related_report(exp, portid, report);
3264 nf_ct_expect_put(exp);
3265err_rcu:
3266 rcu_read_unlock();
3267err_ct:
3268 nf_ct_put(ct);
3269 return err;
3270}
3271
3272static int ctnetlink_new_expect(struct net *net, struct sock *ctnl,
3273 struct sk_buff *skb, const struct nlmsghdr *nlh,
3274 const struct nlattr * const cda[],
3275 struct netlink_ext_ack *extack)
3276{
3277 struct nf_conntrack_tuple tuple;
3278 struct nf_conntrack_expect *exp;
3279 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3280 u_int8_t u3 = nfmsg->nfgen_family;
3281 struct nf_conntrack_zone zone;
3282 int err;
3283
3284 if (!cda[CTA_EXPECT_TUPLE]
3285 || !cda[CTA_EXPECT_MASK]
3286 || !cda[CTA_EXPECT_MASTER])
3287 return -EINVAL;
3288
3289 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
3290 if (err < 0)
3291 return err;
3292
3293 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE,
3294 u3, NULL);
3295 if (err < 0)
3296 return err;
3297
3298 spin_lock_bh(&nf_conntrack_expect_lock);
3299 exp = __nf_ct_expect_find(net, &zone, &tuple);
3300 if (!exp) {
3301 spin_unlock_bh(&nf_conntrack_expect_lock);
3302 err = -ENOENT;
3303 if (nlh->nlmsg_flags & NLM_F_CREATE) {
3304 err = ctnetlink_create_expect(net, &zone, cda, u3,
3305 NETLINK_CB(skb).portid,
3306 nlmsg_report(nlh));
3307 }
3308 return err;
3309 }
3310
3311 err = -EEXIST;
3312 if (!(nlh->nlmsg_flags & NLM_F_EXCL))
3313 err = ctnetlink_change_expect(exp, cda);
3314 spin_unlock_bh(&nf_conntrack_expect_lock);
3315
3316 return err;
3317}
3318
3319static int
3320ctnetlink_exp_stat_fill_info(struct sk_buff *skb, u32 portid, u32 seq, int cpu,
3321 const struct ip_conntrack_stat *st)
3322{
3323 struct nlmsghdr *nlh;
3324 struct nfgenmsg *nfmsg;
3325 unsigned int flags = portid ? NLM_F_MULTI : 0, event;
3326
3327 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK,
3328 IPCTNL_MSG_EXP_GET_STATS_CPU);
3329 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
3330 if (nlh == NULL)
3331 goto nlmsg_failure;
3332
3333 nfmsg = nlmsg_data(nlh);
3334 nfmsg->nfgen_family = AF_UNSPEC;
3335 nfmsg->version = NFNETLINK_V0;
3336 nfmsg->res_id = htons(cpu);
3337
3338 if (nla_put_be32(skb, CTA_STATS_EXP_NEW, htonl(st->expect_new)) ||
3339 nla_put_be32(skb, CTA_STATS_EXP_CREATE, htonl(st->expect_create)) ||
3340 nla_put_be32(skb, CTA_STATS_EXP_DELETE, htonl(st->expect_delete)))
3341 goto nla_put_failure;
3342
3343 nlmsg_end(skb, nlh);
3344 return skb->len;
3345
3346nla_put_failure:
3347nlmsg_failure:
3348 nlmsg_cancel(skb, nlh);
3349 return -1;
3350}
3351
3352static int
3353ctnetlink_exp_stat_cpu_dump(struct sk_buff *skb, struct netlink_callback *cb)
3354{
3355 int cpu;
3356 struct net *net = sock_net(skb->sk);
3357
3358 if (cb->args[0] == nr_cpu_ids)
3359 return 0;
3360
3361 for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) {
3362 const struct ip_conntrack_stat *st;
3363
3364 if (!cpu_possible(cpu))
3365 continue;
3366
3367 st = per_cpu_ptr(net->ct.stat, cpu);
3368 if (ctnetlink_exp_stat_fill_info(skb, NETLINK_CB(cb->skb).portid,
3369 cb->nlh->nlmsg_seq,
3370 cpu, st) < 0)
3371 break;
3372 }
3373 cb->args[0] = cpu;
3374
3375 return skb->len;
3376}
3377
3378static int ctnetlink_stat_exp_cpu(struct net *net, struct sock *ctnl,
3379 struct sk_buff *skb,
3380 const struct nlmsghdr *nlh,
3381 const struct nlattr * const cda[],
3382 struct netlink_ext_ack *extack)
3383{
3384 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3385 struct netlink_dump_control c = {
3386 .dump = ctnetlink_exp_stat_cpu_dump,
3387 };
3388 return netlink_dump_start(ctnl, skb, nlh, &c);
3389 }
3390
3391 return 0;
3392}
3393
3394#ifdef CONFIG_NF_CONNTRACK_EVENTS
3395static struct nf_ct_event_notifier ctnl_notifier = {
3396 .fcn = ctnetlink_conntrack_event,
3397};
3398
3399static struct nf_exp_event_notifier ctnl_notifier_exp = {
3400 .fcn = ctnetlink_expect_event,
3401};
3402#endif
3403
3404static const struct nfnl_callback ctnl_cb[IPCTNL_MSG_MAX] = {
3405 [IPCTNL_MSG_CT_NEW] = { .call = ctnetlink_new_conntrack,
3406 .attr_count = CTA_MAX,
3407 .policy = ct_nla_policy },
3408 [IPCTNL_MSG_CT_GET] = { .call = ctnetlink_get_conntrack,
3409 .attr_count = CTA_MAX,
3410 .policy = ct_nla_policy },
3411 [IPCTNL_MSG_CT_DELETE] = { .call = ctnetlink_del_conntrack,
3412 .attr_count = CTA_MAX,
3413 .policy = ct_nla_policy },
3414 [IPCTNL_MSG_CT_GET_CTRZERO] = { .call = ctnetlink_get_conntrack,
3415 .attr_count = CTA_MAX,
3416 .policy = ct_nla_policy },
3417 [IPCTNL_MSG_CT_GET_STATS_CPU] = { .call = ctnetlink_stat_ct_cpu },
3418 [IPCTNL_MSG_CT_GET_STATS] = { .call = ctnetlink_stat_ct },
3419 [IPCTNL_MSG_CT_GET_DYING] = { .call = ctnetlink_get_ct_dying },
3420 [IPCTNL_MSG_CT_GET_UNCONFIRMED] = { .call = ctnetlink_get_ct_unconfirmed },
3421};
3422
3423static const struct nfnl_callback ctnl_exp_cb[IPCTNL_MSG_EXP_MAX] = {
3424 [IPCTNL_MSG_EXP_GET] = { .call = ctnetlink_get_expect,
3425 .attr_count = CTA_EXPECT_MAX,
3426 .policy = exp_nla_policy },
3427 [IPCTNL_MSG_EXP_NEW] = { .call = ctnetlink_new_expect,
3428 .attr_count = CTA_EXPECT_MAX,
3429 .policy = exp_nla_policy },
3430 [IPCTNL_MSG_EXP_DELETE] = { .call = ctnetlink_del_expect,
3431 .attr_count = CTA_EXPECT_MAX,
3432 .policy = exp_nla_policy },
3433 [IPCTNL_MSG_EXP_GET_STATS_CPU] = { .call = ctnetlink_stat_exp_cpu },
3434};
3435
3436static const struct nfnetlink_subsystem ctnl_subsys = {
3437 .name = "conntrack",
3438 .subsys_id = NFNL_SUBSYS_CTNETLINK,
3439 .cb_count = IPCTNL_MSG_MAX,
3440 .cb = ctnl_cb,
3441};
3442
3443static const struct nfnetlink_subsystem ctnl_exp_subsys = {
3444 .name = "conntrack_expect",
3445 .subsys_id = NFNL_SUBSYS_CTNETLINK_EXP,
3446 .cb_count = IPCTNL_MSG_EXP_MAX,
3447 .cb = ctnl_exp_cb,
3448};
3449
3450MODULE_ALIAS("ip_conntrack_netlink");
3451MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK);
3452MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK_EXP);
3453
3454static int __net_init ctnetlink_net_init(struct net *net)
3455{
3456#ifdef CONFIG_NF_CONNTRACK_EVENTS
3457 int ret;
3458
3459 ret = nf_conntrack_register_notifier(net, &ctnl_notifier);
3460 if (ret < 0) {
3461 pr_err("ctnetlink_init: cannot register notifier.\n");
3462 goto err_out;
3463 }
3464
3465 ret = nf_ct_expect_register_notifier(net, &ctnl_notifier_exp);
3466 if (ret < 0) {
3467 pr_err("ctnetlink_init: cannot expect register notifier.\n");
3468 goto err_unreg_notifier;
3469 }
3470#endif
3471 return 0;
3472
3473#ifdef CONFIG_NF_CONNTRACK_EVENTS
3474err_unreg_notifier:
3475 nf_conntrack_unregister_notifier(net, &ctnl_notifier);
3476err_out:
3477 return ret;
3478#endif
3479}
3480
3481static void ctnetlink_net_exit(struct net *net)
3482{
3483#ifdef CONFIG_NF_CONNTRACK_EVENTS
3484 nf_ct_expect_unregister_notifier(net, &ctnl_notifier_exp);
3485 nf_conntrack_unregister_notifier(net, &ctnl_notifier);
3486#endif
3487}
3488
3489static void __net_exit ctnetlink_net_exit_batch(struct list_head *net_exit_list)
3490{
3491 struct net *net;
3492
3493 list_for_each_entry(net, net_exit_list, exit_list)
3494 ctnetlink_net_exit(net);
3495}
3496
3497static struct pernet_operations ctnetlink_net_ops = {
3498 .init = ctnetlink_net_init,
3499 .exit_batch = ctnetlink_net_exit_batch,
3500};
3501
3502static int __init ctnetlink_init(void)
3503{
3504 int ret;
3505
3506 ret = nfnetlink_subsys_register(&ctnl_subsys);
3507 if (ret < 0) {
3508 pr_err("ctnetlink_init: cannot register with nfnetlink.\n");
3509 goto err_out;
3510 }
3511
3512 ret = nfnetlink_subsys_register(&ctnl_exp_subsys);
3513 if (ret < 0) {
3514 pr_err("ctnetlink_init: cannot register exp with nfnetlink.\n");
3515 goto err_unreg_subsys;
3516 }
3517
3518 ret = register_pernet_subsys(&ctnetlink_net_ops);
3519 if (ret < 0) {
3520 pr_err("ctnetlink_init: cannot register pernet operations\n");
3521 goto err_unreg_exp_subsys;
3522 }
3523#ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT
3524
3525 RCU_INIT_POINTER(nfnl_ct_hook, &ctnetlink_glue_hook);
3526#endif
3527 return 0;
3528
3529err_unreg_exp_subsys:
3530 nfnetlink_subsys_unregister(&ctnl_exp_subsys);
3531err_unreg_subsys:
3532 nfnetlink_subsys_unregister(&ctnl_subsys);
3533err_out:
3534 return ret;
3535}
3536
3537static void __exit ctnetlink_exit(void)
3538{
3539 unregister_pernet_subsys(&ctnetlink_net_ops);
3540 nfnetlink_subsys_unregister(&ctnl_exp_subsys);
3541 nfnetlink_subsys_unregister(&ctnl_subsys);
3542#ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT
3543 RCU_INIT_POINTER(nfnl_ct_hook, NULL);
3544#endif
3545 synchronize_rcu();
3546}
3547
3548module_init(ctnetlink_init);
3549module_exit(ctnetlink_exit);
3550
