1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18#include <linux/init.h>
19#include <linux/module.h>
20#include <linux/kernel.h>
21#include <linux/rculist.h>
22#include <linux/rculist_nulls.h>
23#include <linux/types.h>
24#include <linux/timer.h>
25#include <linux/security.h>
26#include <linux/skbuff.h>
27#include <linux/errno.h>
28#include <linux/netlink.h>
29#include <linux/spinlock.h>
30#include <linux/interrupt.h>
31#include <linux/slab.h>
32
33#include <linux/netfilter.h>
34#include <net/netlink.h>
35#include <net/sock.h>
36#include <net/netfilter/nf_conntrack.h>
37#include <net/netfilter/nf_conntrack_core.h>
38#include <net/netfilter/nf_conntrack_expect.h>
39#include <net/netfilter/nf_conntrack_helper.h>
40#include <net/netfilter/nf_conntrack_seqadj.h>
41#include <net/netfilter/nf_conntrack_l3proto.h>
42#include <net/netfilter/nf_conntrack_l4proto.h>
43#include <net/netfilter/nf_conntrack_tuple.h>
44#include <net/netfilter/nf_conntrack_acct.h>
45#include <net/netfilter/nf_conntrack_zones.h>
46#include <net/netfilter/nf_conntrack_timestamp.h>
47#include <net/netfilter/nf_conntrack_labels.h>
48#ifdef CONFIG_NF_NAT_NEEDED
49#include <net/netfilter/nf_nat_core.h>
50#include <net/netfilter/nf_nat_l4proto.h>
51#include <net/netfilter/nf_nat_helper.h>
52#endif
53
54#include <linux/netfilter/nfnetlink.h>
55#include <linux/netfilter/nfnetlink_conntrack.h>
56
57MODULE_LICENSE("GPL");
58
59static char __initdata version[] = "0.93";
60
61static inline int
62ctnetlink_dump_tuples_proto(struct sk_buff *skb,
63 const struct nf_conntrack_tuple *tuple,
64 struct nf_conntrack_l4proto *l4proto)
65{
66 int ret = 0;
67 struct nlattr *nest_parms;
68
69 nest_parms = nla_nest_start(skb, CTA_TUPLE_PROTO | NLA_F_NESTED);
70 if (!nest_parms)
71 goto nla_put_failure;
72 if (nla_put_u8(skb, CTA_PROTO_NUM, tuple->dst.protonum))
73 goto nla_put_failure;
74
75 if (likely(l4proto->tuple_to_nlattr))
76 ret = l4proto->tuple_to_nlattr(skb, tuple);
77
78 nla_nest_end(skb, nest_parms);
79
80 return ret;
81
82nla_put_failure:
83 return -1;
84}
85
86static inline int
87ctnetlink_dump_tuples_ip(struct sk_buff *skb,
88 const struct nf_conntrack_tuple *tuple,
89 struct nf_conntrack_l3proto *l3proto)
90{
91 int ret = 0;
92 struct nlattr *nest_parms;
93
94 nest_parms = nla_nest_start(skb, CTA_TUPLE_IP | NLA_F_NESTED);
95 if (!nest_parms)
96 goto nla_put_failure;
97
98 if (likely(l3proto->tuple_to_nlattr))
99 ret = l3proto->tuple_to_nlattr(skb, tuple);
100
101 nla_nest_end(skb, nest_parms);
102
103 return ret;
104
105nla_put_failure:
106 return -1;
107}
108
109static int
110ctnetlink_dump_tuples(struct sk_buff *skb,
111 const struct nf_conntrack_tuple *tuple)
112{
113 int ret;
114 struct nf_conntrack_l3proto *l3proto;
115 struct nf_conntrack_l4proto *l4proto;
116
117 rcu_read_lock();
118 l3proto = __nf_ct_l3proto_find(tuple->src.l3num);
119 ret = ctnetlink_dump_tuples_ip(skb, tuple, l3proto);
120
121 if (ret >= 0) {
122 l4proto = __nf_ct_l4proto_find(tuple->src.l3num,
123 tuple->dst.protonum);
124 ret = ctnetlink_dump_tuples_proto(skb, tuple, l4proto);
125 }
126 rcu_read_unlock();
127 return ret;
128}
129
130static inline int
131ctnetlink_dump_zone_id(struct sk_buff *skb, int attrtype,
132 const struct nf_conntrack_zone *zone, int dir)
133{
134 if (zone->id == NF_CT_DEFAULT_ZONE_ID || zone->dir != dir)
135 return 0;
136 if (nla_put_be16(skb, attrtype, htons(zone->id)))
137 goto nla_put_failure;
138 return 0;
139
140nla_put_failure:
141 return -1;
142}
143
144static inline int
145ctnetlink_dump_status(struct sk_buff *skb, const struct nf_conn *ct)
146{
147 if (nla_put_be32(skb, CTA_STATUS, htonl(ct->status)))
148 goto nla_put_failure;
149 return 0;
150
151nla_put_failure:
152 return -1;
153}
154
155static inline int
156ctnetlink_dump_timeout(struct sk_buff *skb, const struct nf_conn *ct)
157{
158 long timeout = ((long)ct->timeout.expires - (long)jiffies) / HZ;
159
160 if (timeout < 0)
161 timeout = 0;
162
163 if (nla_put_be32(skb, CTA_TIMEOUT, htonl(timeout)))
164 goto nla_put_failure;
165 return 0;
166
167nla_put_failure:
168 return -1;
169}
170
171static inline int
172ctnetlink_dump_protoinfo(struct sk_buff *skb, struct nf_conn *ct)
173{
174 struct nf_conntrack_l4proto *l4proto;
175 struct nlattr *nest_proto;
176 int ret;
177
178 l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
179 if (!l4proto->to_nlattr)
180 return 0;
181
182 nest_proto = nla_nest_start(skb, CTA_PROTOINFO | NLA_F_NESTED);
183 if (!nest_proto)
184 goto nla_put_failure;
185
186 ret = l4proto->to_nlattr(skb, nest_proto, ct);
187
188 nla_nest_end(skb, nest_proto);
189
190 return ret;
191
192nla_put_failure:
193 return -1;
194}
195
196static inline int
197ctnetlink_dump_helpinfo(struct sk_buff *skb, const struct nf_conn *ct)
198{
199 struct nlattr *nest_helper;
200 const struct nf_conn_help *help = nfct_help(ct);
201 struct nf_conntrack_helper *helper;
202
203 if (!help)
204 return 0;
205
206 helper = rcu_dereference(help->helper);
207 if (!helper)
208 goto out;
209
210 nest_helper = nla_nest_start(skb, CTA_HELP | NLA_F_NESTED);
211 if (!nest_helper)
212 goto nla_put_failure;
213 if (nla_put_string(skb, CTA_HELP_NAME, helper->name))
214 goto nla_put_failure;
215
216 if (helper->to_nlattr)
217 helper->to_nlattr(skb, ct);
218
219 nla_nest_end(skb, nest_helper);
220out:
221 return 0;
222
223nla_put_failure:
224 return -1;
225}
226
227static int
228dump_counters(struct sk_buff *skb, struct nf_conn_acct *acct,
229 enum ip_conntrack_dir dir, int type)
230{
231 enum ctattr_type attr = dir ? CTA_COUNTERS_REPLY: CTA_COUNTERS_ORIG;
232 struct nf_conn_counter *counter = acct->counter;
233 struct nlattr *nest_count;
234 u64 pkts, bytes;
235
236 if (type == IPCTNL_MSG_CT_GET_CTRZERO) {
237 pkts = atomic64_xchg(&counter[dir].packets, 0);
238 bytes = atomic64_xchg(&counter[dir].bytes, 0);
239 } else {
240 pkts = atomic64_read(&counter[dir].packets);
241 bytes = atomic64_read(&counter[dir].bytes);
242 }
243
244 nest_count = nla_nest_start(skb, attr | NLA_F_NESTED);
245 if (!nest_count)
246 goto nla_put_failure;
247
248 if (nla_put_be64(skb, CTA_COUNTERS_PACKETS, cpu_to_be64(pkts)) ||
249 nla_put_be64(skb, CTA_COUNTERS_BYTES, cpu_to_be64(bytes)))
250 goto nla_put_failure;
251
252 nla_nest_end(skb, nest_count);
253
254 return 0;
255
256nla_put_failure:
257 return -1;
258}
259
260static int
261ctnetlink_dump_acct(struct sk_buff *skb, const struct nf_conn *ct, int type)
262{
263 struct nf_conn_acct *acct = nf_conn_acct_find(ct);
264
265 if (!acct)
266 return 0;
267
268 if (dump_counters(skb, acct, IP_CT_DIR_ORIGINAL, type) < 0)
269 return -1;
270 if (dump_counters(skb, acct, IP_CT_DIR_REPLY, type) < 0)
271 return -1;
272
273 return 0;
274}
275
276static int
277ctnetlink_dump_timestamp(struct sk_buff *skb, const struct nf_conn *ct)
278{
279 struct nlattr *nest_count;
280 const struct nf_conn_tstamp *tstamp;
281
282 tstamp = nf_conn_tstamp_find(ct);
283 if (!tstamp)
284 return 0;
285
286 nest_count = nla_nest_start(skb, CTA_TIMESTAMP | NLA_F_NESTED);
287 if (!nest_count)
288 goto nla_put_failure;
289
290 if (nla_put_be64(skb, CTA_TIMESTAMP_START, cpu_to_be64(tstamp->start)) ||
291 (tstamp->stop != 0 && nla_put_be64(skb, CTA_TIMESTAMP_STOP,
292 cpu_to_be64(tstamp->stop))))
293 goto nla_put_failure;
294 nla_nest_end(skb, nest_count);
295
296 return 0;
297
298nla_put_failure:
299 return -1;
300}
301
302#ifdef CONFIG_NF_CONNTRACK_MARK
303static inline int
304ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct)
305{
306 if (nla_put_be32(skb, CTA_MARK, htonl(ct->mark)))
307 goto nla_put_failure;
308 return 0;
309
310nla_put_failure:
311 return -1;
312}
313#else
314#define ctnetlink_dump_mark(a, b) (0)
315#endif
316
317#ifdef CONFIG_NF_CONNTRACK_SECMARK
318static inline int
319ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
320{
321 struct nlattr *nest_secctx;
322 int len, ret;
323 char *secctx;
324
325 ret = security_secid_to_secctx(ct->secmark, &secctx, &len);
326 if (ret)
327 return 0;
328
329 ret = -1;
330 nest_secctx = nla_nest_start(skb, CTA_SECCTX | NLA_F_NESTED);
331 if (!nest_secctx)
332 goto nla_put_failure;
333
334 if (nla_put_string(skb, CTA_SECCTX_NAME, secctx))
335 goto nla_put_failure;
336 nla_nest_end(skb, nest_secctx);
337
338 ret = 0;
339nla_put_failure:
340 security_release_secctx(secctx, len);
341 return ret;
342}
343#else
344#define ctnetlink_dump_secctx(a, b) (0)
345#endif
346
347#ifdef CONFIG_NF_CONNTRACK_LABELS
348static int ctnetlink_label_size(const struct nf_conn *ct)
349{
350 struct nf_conn_labels *labels = nf_ct_labels_find(ct);
351
352 if (!labels)
353 return 0;
354 return nla_total_size(labels->words * sizeof(long));
355}
356
357static int
358ctnetlink_dump_labels(struct sk_buff *skb, const struct nf_conn *ct)
359{
360 struct nf_conn_labels *labels = nf_ct_labels_find(ct);
361 unsigned int len, i;
362
363 if (!labels)
364 return 0;
365
366 len = labels->words * sizeof(long);
367 i = 0;
368 do {
369 if (labels->bits[i] != 0)
370 return nla_put(skb, CTA_LABELS, len, labels->bits);
371 i++;
372 } while (i < labels->words);
373
374 return 0;
375}
376#else
377#define ctnetlink_dump_labels(a, b) (0)
378#define ctnetlink_label_size(a) (0)
379#endif
380
381#define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple)
382
383static inline int
384ctnetlink_dump_master(struct sk_buff *skb, const struct nf_conn *ct)
385{
386 struct nlattr *nest_parms;
387
388 if (!(ct->status & IPS_EXPECTED))
389 return 0;
390
391 nest_parms = nla_nest_start(skb, CTA_TUPLE_MASTER | NLA_F_NESTED);
392 if (!nest_parms)
393 goto nla_put_failure;
394 if (ctnetlink_dump_tuples(skb, master_tuple(ct)) < 0)
395 goto nla_put_failure;
396 nla_nest_end(skb, nest_parms);
397
398 return 0;
399
400nla_put_failure:
401 return -1;
402}
403
404static int
405dump_ct_seq_adj(struct sk_buff *skb, const struct nf_ct_seqadj *seq, int type)
406{
407 struct nlattr *nest_parms;
408
409 nest_parms = nla_nest_start(skb, type | NLA_F_NESTED);
410 if (!nest_parms)
411 goto nla_put_failure;
412
413 if (nla_put_be32(skb, CTA_SEQADJ_CORRECTION_POS,
414 htonl(seq->correction_pos)) ||
415 nla_put_be32(skb, CTA_SEQADJ_OFFSET_BEFORE,
416 htonl(seq->offset_before)) ||
417 nla_put_be32(skb, CTA_SEQADJ_OFFSET_AFTER,
418 htonl(seq->offset_after)))
419 goto nla_put_failure;
420
421 nla_nest_end(skb, nest_parms);
422
423 return 0;
424
425nla_put_failure:
426 return -1;
427}
428
429static inline int
430ctnetlink_dump_ct_seq_adj(struct sk_buff *skb, const struct nf_conn *ct)
431{
432 struct nf_conn_seqadj *seqadj = nfct_seqadj(ct);
433 struct nf_ct_seqadj *seq;
434
435 if (!(ct->status & IPS_SEQ_ADJUST) || !seqadj)
436 return 0;
437
438 seq = &seqadj->seq[IP_CT_DIR_ORIGINAL];
439 if (dump_ct_seq_adj(skb, seq, CTA_SEQ_ADJ_ORIG) == -1)
440 return -1;
441
442 seq = &seqadj->seq[IP_CT_DIR_REPLY];
443 if (dump_ct_seq_adj(skb, seq, CTA_SEQ_ADJ_REPLY) == -1)
444 return -1;
445
446 return 0;
447}
448
449static inline int
450ctnetlink_dump_id(struct sk_buff *skb, const struct nf_conn *ct)
451{
452 if (nla_put_be32(skb, CTA_ID, htonl((unsigned long)ct)))
453 goto nla_put_failure;
454 return 0;
455
456nla_put_failure:
457 return -1;
458}
459
460static inline int
461ctnetlink_dump_use(struct sk_buff *skb, const struct nf_conn *ct)
462{
463 if (nla_put_be32(skb, CTA_USE, htonl(atomic_read(&ct->ct_general.use))))
464 goto nla_put_failure;
465 return 0;
466
467nla_put_failure:
468 return -1;
469}
470
471static int
472ctnetlink_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
473 struct nf_conn *ct)
474{
475 const struct nf_conntrack_zone *zone;
476 struct nlmsghdr *nlh;
477 struct nfgenmsg *nfmsg;
478 struct nlattr *nest_parms;
479 unsigned int flags = portid ? NLM_F_MULTI : 0, event;
480
481 event = (NFNL_SUBSYS_CTNETLINK << 8 | IPCTNL_MSG_CT_NEW);
482 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
483 if (nlh == NULL)
484 goto nlmsg_failure;
485
486 nfmsg = nlmsg_data(nlh);
487 nfmsg->nfgen_family = nf_ct_l3num(ct);
488 nfmsg->version = NFNETLINK_V0;
489 nfmsg->res_id = 0;
490
491 zone = nf_ct_zone(ct);
492
493 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED);
494 if (!nest_parms)
495 goto nla_put_failure;
496 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
497 goto nla_put_failure;
498 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
499 NF_CT_ZONE_DIR_ORIG) < 0)
500 goto nla_put_failure;
501 nla_nest_end(skb, nest_parms);
502
503 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY | NLA_F_NESTED);
504 if (!nest_parms)
505 goto nla_put_failure;
506 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
507 goto nla_put_failure;
508 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
509 NF_CT_ZONE_DIR_REPL) < 0)
510 goto nla_put_failure;
511 nla_nest_end(skb, nest_parms);
512
513 if (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone,
514 NF_CT_DEFAULT_ZONE_DIR) < 0)
515 goto nla_put_failure;
516
517 if (ctnetlink_dump_status(skb, ct) < 0 ||
518 ctnetlink_dump_timeout(skb, ct) < 0 ||
519 ctnetlink_dump_acct(skb, ct, type) < 0 ||
520 ctnetlink_dump_timestamp(skb, ct) < 0 ||
521 ctnetlink_dump_protoinfo(skb, ct) < 0 ||
522 ctnetlink_dump_helpinfo(skb, ct) < 0 ||
523 ctnetlink_dump_mark(skb, ct) < 0 ||
524 ctnetlink_dump_secctx(skb, ct) < 0 ||
525 ctnetlink_dump_labels(skb, ct) < 0 ||
526 ctnetlink_dump_id(skb, ct) < 0 ||
527 ctnetlink_dump_use(skb, ct) < 0 ||
528 ctnetlink_dump_master(skb, ct) < 0 ||
529 ctnetlink_dump_ct_seq_adj(skb, ct) < 0)
530 goto nla_put_failure;
531
532 nlmsg_end(skb, nlh);
533 return skb->len;
534
535nlmsg_failure:
536nla_put_failure:
537 nlmsg_cancel(skb, nlh);
538 return -1;
539}
540
541static inline size_t
542ctnetlink_proto_size(const struct nf_conn *ct)
543{
544 struct nf_conntrack_l3proto *l3proto;
545 struct nf_conntrack_l4proto *l4proto;
546 size_t len = 0;
547
548 rcu_read_lock();
549 l3proto = __nf_ct_l3proto_find(nf_ct_l3num(ct));
550 len += l3proto->nla_size;
551
552 l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
553 len += l4proto->nla_size;
554 rcu_read_unlock();
555
556 return len;
557}
558
559static inline size_t
560ctnetlink_acct_size(const struct nf_conn *ct)
561{
562 if (!nf_ct_ext_exist(ct, NF_CT_EXT_ACCT))
563 return 0;
564 return 2 * nla_total_size(0)
565 + 2 * nla_total_size(sizeof(uint64_t))
566 + 2 * nla_total_size(sizeof(uint64_t))
567 ;
568}
569
570static inline int
571ctnetlink_secctx_size(const struct nf_conn *ct)
572{
573#ifdef CONFIG_NF_CONNTRACK_SECMARK
574 int len, ret;
575
576 ret = security_secid_to_secctx(ct->secmark, NULL, &len);
577 if (ret)
578 return 0;
579
580 return nla_total_size(0)
581 + nla_total_size(sizeof(char) * len);
582#else
583 return 0;
584#endif
585}
586
587static inline size_t
588ctnetlink_timestamp_size(const struct nf_conn *ct)
589{
590#ifdef CONFIG_NF_CONNTRACK_TIMESTAMP
591 if (!nf_ct_ext_exist(ct, NF_CT_EXT_TSTAMP))
592 return 0;
593 return nla_total_size(0) + 2 * nla_total_size(sizeof(uint64_t));
594#else
595 return 0;
596#endif
597}
598
599static inline size_t
600ctnetlink_nlmsg_size(const struct nf_conn *ct)
601{
602 return NLMSG_ALIGN(sizeof(struct nfgenmsg))
603 + 3 * nla_total_size(0)
604 + 3 * nla_total_size(0)
605 + 3 * nla_total_size(0)
606 + 3 * nla_total_size(sizeof(u_int8_t))
607 + nla_total_size(sizeof(u_int32_t))
608 + nla_total_size(sizeof(u_int32_t))
609 + ctnetlink_acct_size(ct)
610 + ctnetlink_timestamp_size(ct)
611 + nla_total_size(sizeof(u_int32_t))
612 + nla_total_size(0)
613 + nla_total_size(0)
614 + nla_total_size(NF_CT_HELPER_NAME_LEN)
615 + ctnetlink_secctx_size(ct)
616#ifdef CONFIG_NF_NAT_NEEDED
617 + 2 * nla_total_size(0)
618 + 6 * nla_total_size(sizeof(u_int32_t))
619#endif
620#ifdef CONFIG_NF_CONNTRACK_MARK
621 + nla_total_size(sizeof(u_int32_t))
622#endif
623#ifdef CONFIG_NF_CONNTRACK_ZONES
624 + nla_total_size(sizeof(u_int16_t))
625#endif
626 + ctnetlink_proto_size(ct)
627 + ctnetlink_label_size(ct)
628 ;
629}
630
631#ifdef CONFIG_NF_CONNTRACK_EVENTS
632static int
633ctnetlink_conntrack_event(unsigned int events, struct nf_ct_event *item)
634{
635 const struct nf_conntrack_zone *zone;
636 struct net *net;
637 struct nlmsghdr *nlh;
638 struct nfgenmsg *nfmsg;
639 struct nlattr *nest_parms;
640 struct nf_conn *ct = item->ct;
641 struct sk_buff *skb;
642 unsigned int type;
643 unsigned int flags = 0, group;
644 int err;
645
646
647 if (nf_ct_is_untracked(ct))
648 return 0;
649
650 if (events & (1 << IPCT_DESTROY)) {
651 type = IPCTNL_MSG_CT_DELETE;
652 group = NFNLGRP_CONNTRACK_DESTROY;
653 } else if (events & ((1 << IPCT_NEW) | (1 << IPCT_RELATED))) {
654 type = IPCTNL_MSG_CT_NEW;
655 flags = NLM_F_CREATE|NLM_F_EXCL;
656 group = NFNLGRP_CONNTRACK_NEW;
657 } else if (events) {
658 type = IPCTNL_MSG_CT_NEW;
659 group = NFNLGRP_CONNTRACK_UPDATE;
660 } else
661 return 0;
662
663 net = nf_ct_net(ct);
664 if (!item->report && !nfnetlink_has_listeners(net, group))
665 return 0;
666
667 skb = nlmsg_new(ctnetlink_nlmsg_size(ct), GFP_ATOMIC);
668 if (skb == NULL)
669 goto errout;
670
671 type |= NFNL_SUBSYS_CTNETLINK << 8;
672 nlh = nlmsg_put(skb, item->portid, 0, type, sizeof(*nfmsg), flags);
673 if (nlh == NULL)
674 goto nlmsg_failure;
675
676 nfmsg = nlmsg_data(nlh);
677 nfmsg->nfgen_family = nf_ct_l3num(ct);
678 nfmsg->version = NFNETLINK_V0;
679 nfmsg->res_id = 0;
680
681 rcu_read_lock();
682 zone = nf_ct_zone(ct);
683
684 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED);
685 if (!nest_parms)
686 goto nla_put_failure;
687 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
688 goto nla_put_failure;
689 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
690 NF_CT_ZONE_DIR_ORIG) < 0)
691 goto nla_put_failure;
692 nla_nest_end(skb, nest_parms);
693
694 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY | NLA_F_NESTED);
695 if (!nest_parms)
696 goto nla_put_failure;
697 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
698 goto nla_put_failure;
699 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
700 NF_CT_ZONE_DIR_REPL) < 0)
701 goto nla_put_failure;
702 nla_nest_end(skb, nest_parms);
703
704 if (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone,
705 NF_CT_DEFAULT_ZONE_DIR) < 0)
706 goto nla_put_failure;
707
708 if (ctnetlink_dump_id(skb, ct) < 0)
709 goto nla_put_failure;
710
711 if (ctnetlink_dump_status(skb, ct) < 0)
712 goto nla_put_failure;
713
714 if (events & (1 << IPCT_DESTROY)) {
715 if (ctnetlink_dump_acct(skb, ct, type) < 0 ||
716 ctnetlink_dump_timestamp(skb, ct) < 0)
717 goto nla_put_failure;
718 } else {
719 if (ctnetlink_dump_timeout(skb, ct) < 0)
720 goto nla_put_failure;
721
722 if (events & (1 << IPCT_PROTOINFO)
723 && ctnetlink_dump_protoinfo(skb, ct) < 0)
724 goto nla_put_failure;
725
726 if ((events & (1 << IPCT_HELPER) || nfct_help(ct))
727 && ctnetlink_dump_helpinfo(skb, ct) < 0)
728 goto nla_put_failure;
729
730#ifdef CONFIG_NF_CONNTRACK_SECMARK
731 if ((events & (1 << IPCT_SECMARK) || ct->secmark)
732 && ctnetlink_dump_secctx(skb, ct) < 0)
733 goto nla_put_failure;
734#endif
735 if (events & (1 << IPCT_LABEL) &&
736 ctnetlink_dump_labels(skb, ct) < 0)
737 goto nla_put_failure;
738
739 if (events & (1 << IPCT_RELATED) &&
740 ctnetlink_dump_master(skb, ct) < 0)
741 goto nla_put_failure;
742
743 if (events & (1 << IPCT_SEQADJ) &&
744 ctnetlink_dump_ct_seq_adj(skb, ct) < 0)
745 goto nla_put_failure;
746 }
747
748#ifdef CONFIG_NF_CONNTRACK_MARK
749 if ((events & (1 << IPCT_MARK) || ct->mark)
750 && ctnetlink_dump_mark(skb, ct) < 0)
751 goto nla_put_failure;
752#endif
753 rcu_read_unlock();
754
755 nlmsg_end(skb, nlh);
756 err = nfnetlink_send(skb, net, item->portid, group, item->report,
757 GFP_ATOMIC);
758 if (err == -ENOBUFS || err == -EAGAIN)
759 return -ENOBUFS;
760
761 return 0;
762
763nla_put_failure:
764 rcu_read_unlock();
765 nlmsg_cancel(skb, nlh);
766nlmsg_failure:
767 kfree_skb(skb);
768errout:
769 if (nfnetlink_set_err(net, 0, group, -ENOBUFS) > 0)
770 return -ENOBUFS;
771
772 return 0;
773}
774#endif
775
776static int ctnetlink_done(struct netlink_callback *cb)
777{
778 if (cb->args[1])
779 nf_ct_put((struct nf_conn *)cb->args[1]);
780 kfree(cb->data);
781 return 0;
782}
783
784struct ctnetlink_filter {
785 struct {
786 u_int32_t val;
787 u_int32_t mask;
788 } mark;
789};
790
791static struct ctnetlink_filter *
792ctnetlink_alloc_filter(const struct nlattr * const cda[])
793{
794#ifdef CONFIG_NF_CONNTRACK_MARK
795 struct ctnetlink_filter *filter;
796
797 filter = kzalloc(sizeof(*filter), GFP_KERNEL);
798 if (filter == NULL)
799 return ERR_PTR(-ENOMEM);
800
801 filter->mark.val = ntohl(nla_get_be32(cda[CTA_MARK]));
802 filter->mark.mask = ntohl(nla_get_be32(cda[CTA_MARK_MASK]));
803
804 return filter;
805#else
806 return ERR_PTR(-EOPNOTSUPP);
807#endif
808}
809
810static int ctnetlink_filter_match(struct nf_conn *ct, void *data)
811{
812 struct ctnetlink_filter *filter = data;
813
814 if (filter == NULL)
815 return 1;
816
817#ifdef CONFIG_NF_CONNTRACK_MARK
818 if ((ct->mark & filter->mark.mask) == filter->mark.val)
819 return 1;
820#endif
821
822 return 0;
823}
824
825static int
826ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
827{
828 struct net *net = sock_net(skb->sk);
829 struct nf_conn *ct, *last;
830 struct nf_conntrack_tuple_hash *h;
831 struct hlist_nulls_node *n;
832 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
833 u_int8_t l3proto = nfmsg->nfgen_family;
834 int res;
835 spinlock_t *lockp;
836
837 last = (struct nf_conn *)cb->args[1];
838
839 local_bh_disable();
840 for (; cb->args[0] < net->ct.htable_size; cb->args[0]++) {
841restart:
842 lockp = &nf_conntrack_locks[cb->args[0] % CONNTRACK_LOCKS];
843 nf_conntrack_lock(lockp);
844 if (cb->args[0] >= net->ct.htable_size) {
845 spin_unlock(lockp);
846 goto out;
847 }
848 hlist_nulls_for_each_entry(h, n, &net->ct.hash[cb->args[0]],
849 hnnode) {
850 if (NF_CT_DIRECTION(h) != IP_CT_DIR_ORIGINAL)
851 continue;
852 ct = nf_ct_tuplehash_to_ctrack(h);
853
854
855
856 if (l3proto && nf_ct_l3num(ct) != l3proto)
857 continue;
858 if (cb->args[1]) {
859 if (ct != last)
860 continue;
861 cb->args[1] = 0;
862 }
863 if (!ctnetlink_filter_match(ct, cb->data))
864 continue;
865
866 rcu_read_lock();
867 res =
868 ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).portid,
869 cb->nlh->nlmsg_seq,
870 NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
871 ct);
872 rcu_read_unlock();
873 if (res < 0) {
874 nf_conntrack_get(&ct->ct_general);
875 cb->args[1] = (unsigned long)ct;
876 spin_unlock(lockp);
877 goto out;
878 }
879 }
880 spin_unlock(lockp);
881 if (cb->args[1]) {
882 cb->args[1] = 0;
883 goto restart;
884 }
885 }
886out:
887 local_bh_enable();
888 if (last)
889 nf_ct_put(last);
890
891 return skb->len;
892}
893
894static inline int
895ctnetlink_parse_tuple_ip(struct nlattr *attr, struct nf_conntrack_tuple *tuple)
896{
897 struct nlattr *tb[CTA_IP_MAX+1];
898 struct nf_conntrack_l3proto *l3proto;
899 int ret = 0;
900
901 ret = nla_parse_nested(tb, CTA_IP_MAX, attr, NULL);
902 if (ret < 0)
903 return ret;
904
905 rcu_read_lock();
906 l3proto = __nf_ct_l3proto_find(tuple->src.l3num);
907
908 if (likely(l3proto->nlattr_to_tuple)) {
909 ret = nla_validate_nested(attr, CTA_IP_MAX,
910 l3proto->nla_policy);
911 if (ret == 0)
912 ret = l3proto->nlattr_to_tuple(tb, tuple);
913 }
914
915 rcu_read_unlock();
916
917 return ret;
918}
919
920static const struct nla_policy proto_nla_policy[CTA_PROTO_MAX+1] = {
921 [CTA_PROTO_NUM] = { .type = NLA_U8 },
922};
923
924static inline int
925ctnetlink_parse_tuple_proto(struct nlattr *attr,
926 struct nf_conntrack_tuple *tuple)
927{
928 struct nlattr *tb[CTA_PROTO_MAX+1];
929 struct nf_conntrack_l4proto *l4proto;
930 int ret = 0;
931
932 ret = nla_parse_nested(tb, CTA_PROTO_MAX, attr, proto_nla_policy);
933 if (ret < 0)
934 return ret;
935
936 if (!tb[CTA_PROTO_NUM])
937 return -EINVAL;
938 tuple->dst.protonum = nla_get_u8(tb[CTA_PROTO_NUM]);
939
940 rcu_read_lock();
941 l4proto = __nf_ct_l4proto_find(tuple->src.l3num, tuple->dst.protonum);
942
943 if (likely(l4proto->nlattr_to_tuple)) {
944 ret = nla_validate_nested(attr, CTA_PROTO_MAX,
945 l4proto->nla_policy);
946 if (ret == 0)
947 ret = l4proto->nlattr_to_tuple(tb, tuple);
948 }
949
950 rcu_read_unlock();
951
952 return ret;
953}
954
955static int
956ctnetlink_parse_zone(const struct nlattr *attr,
957 struct nf_conntrack_zone *zone)
958{
959 nf_ct_zone_init(zone, NF_CT_DEFAULT_ZONE_ID,
960 NF_CT_DEFAULT_ZONE_DIR, 0);
961#ifdef CONFIG_NF_CONNTRACK_ZONES
962 if (attr)
963 zone->id = ntohs(nla_get_be16(attr));
964#else
965 if (attr)
966 return -EOPNOTSUPP;
967#endif
968 return 0;
969}
970
971static int
972ctnetlink_parse_tuple_zone(struct nlattr *attr, enum ctattr_type type,
973 struct nf_conntrack_zone *zone)
974{
975 int ret;
976
977 if (zone->id != NF_CT_DEFAULT_ZONE_ID)
978 return -EINVAL;
979
980 ret = ctnetlink_parse_zone(attr, zone);
981 if (ret < 0)
982 return ret;
983
984 if (type == CTA_TUPLE_REPLY)
985 zone->dir = NF_CT_ZONE_DIR_REPL;
986 else
987 zone->dir = NF_CT_ZONE_DIR_ORIG;
988
989 return 0;
990}
991
992static const struct nla_policy tuple_nla_policy[CTA_TUPLE_MAX+1] = {
993 [CTA_TUPLE_IP] = { .type = NLA_NESTED },
994 [CTA_TUPLE_PROTO] = { .type = NLA_NESTED },
995 [CTA_TUPLE_ZONE] = { .type = NLA_U16 },
996};
997
998static int
999ctnetlink_parse_tuple(const struct nlattr * const cda[],
1000 struct nf_conntrack_tuple *tuple,
1001 enum ctattr_type type, u_int8_t l3num,
1002 struct nf_conntrack_zone *zone)
1003{
1004 struct nlattr *tb[CTA_TUPLE_MAX+1];
1005 int err;
1006
1007 memset(tuple, 0, sizeof(*tuple));
1008
1009 err = nla_parse_nested(tb, CTA_TUPLE_MAX, cda[type], tuple_nla_policy);
1010 if (err < 0)
1011 return err;
1012
1013 if (!tb[CTA_TUPLE_IP])
1014 return -EINVAL;
1015
1016 tuple->src.l3num = l3num;
1017
1018 err = ctnetlink_parse_tuple_ip(tb[CTA_TUPLE_IP], tuple);
1019 if (err < 0)
1020 return err;
1021
1022 if (!tb[CTA_TUPLE_PROTO])
1023 return -EINVAL;
1024
1025 err = ctnetlink_parse_tuple_proto(tb[CTA_TUPLE_PROTO], tuple);
1026 if (err < 0)
1027 return err;
1028
1029 if (tb[CTA_TUPLE_ZONE]) {
1030 if (!zone)
1031 return -EINVAL;
1032
1033 err = ctnetlink_parse_tuple_zone(tb[CTA_TUPLE_ZONE],
1034 type, zone);
1035 if (err < 0)
1036 return err;
1037 }
1038
1039
1040 if (type == CTA_TUPLE_REPLY)
1041 tuple->dst.dir = IP_CT_DIR_REPLY;
1042 else
1043 tuple->dst.dir = IP_CT_DIR_ORIGINAL;
1044
1045 return 0;
1046}
1047
1048static const struct nla_policy help_nla_policy[CTA_HELP_MAX+1] = {
1049 [CTA_HELP_NAME] = { .type = NLA_NUL_STRING,
1050 .len = NF_CT_HELPER_NAME_LEN - 1 },
1051};
1052
1053static inline int
1054ctnetlink_parse_help(const struct nlattr *attr, char **helper_name,
1055 struct nlattr **helpinfo)
1056{
1057 int err;
1058 struct nlattr *tb[CTA_HELP_MAX+1];
1059
1060 err = nla_parse_nested(tb, CTA_HELP_MAX, attr, help_nla_policy);
1061 if (err < 0)
1062 return err;
1063
1064 if (!tb[CTA_HELP_NAME])
1065 return -EINVAL;
1066
1067 *helper_name = nla_data(tb[CTA_HELP_NAME]);
1068
1069 if (tb[CTA_HELP_INFO])
1070 *helpinfo = tb[CTA_HELP_INFO];
1071
1072 return 0;
1073}
1074
1075static const struct nla_policy ct_nla_policy[CTA_MAX+1] = {
1076 [CTA_TUPLE_ORIG] = { .type = NLA_NESTED },
1077 [CTA_TUPLE_REPLY] = { .type = NLA_NESTED },
1078 [CTA_STATUS] = { .type = NLA_U32 },
1079 [CTA_PROTOINFO] = { .type = NLA_NESTED },
1080 [CTA_HELP] = { .type = NLA_NESTED },
1081 [CTA_NAT_SRC] = { .type = NLA_NESTED },
1082 [CTA_TIMEOUT] = { .type = NLA_U32 },
1083 [CTA_MARK] = { .type = NLA_U32 },
1084 [CTA_ID] = { .type = NLA_U32 },
1085 [CTA_NAT_DST] = { .type = NLA_NESTED },
1086 [CTA_TUPLE_MASTER] = { .type = NLA_NESTED },
1087 [CTA_NAT_SEQ_ADJ_ORIG] = { .type = NLA_NESTED },
1088 [CTA_NAT_SEQ_ADJ_REPLY] = { .type = NLA_NESTED },
1089 [CTA_ZONE] = { .type = NLA_U16 },
1090 [CTA_MARK_MASK] = { .type = NLA_U32 },
1091 [CTA_LABELS] = { .type = NLA_BINARY,
1092 .len = NF_CT_LABELS_MAX_SIZE },
1093 [CTA_LABELS_MASK] = { .type = NLA_BINARY,
1094 .len = NF_CT_LABELS_MAX_SIZE },
1095};
1096
1097static int ctnetlink_flush_conntrack(struct net *net,
1098 const struct nlattr * const cda[],
1099 u32 portid, int report)
1100{
1101 struct ctnetlink_filter *filter = NULL;
1102
1103 if (cda[CTA_MARK] && cda[CTA_MARK_MASK]) {
1104 filter = ctnetlink_alloc_filter(cda);
1105 if (IS_ERR(filter))
1106 return PTR_ERR(filter);
1107 }
1108
1109 nf_ct_iterate_cleanup(net, ctnetlink_filter_match, filter,
1110 portid, report);
1111 kfree(filter);
1112
1113 return 0;
1114}
1115
1116static int ctnetlink_del_conntrack(struct net *net, struct sock *ctnl,
1117 struct sk_buff *skb,
1118 const struct nlmsghdr *nlh,
1119 const struct nlattr * const cda[])
1120{
1121 struct nf_conntrack_tuple_hash *h;
1122 struct nf_conntrack_tuple tuple;
1123 struct nf_conn *ct;
1124 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1125 u_int8_t u3 = nfmsg->nfgen_family;
1126 struct nf_conntrack_zone zone;
1127 int err;
1128
1129 err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone);
1130 if (err < 0)
1131 return err;
1132
1133 if (cda[CTA_TUPLE_ORIG])
1134 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG,
1135 u3, &zone);
1136 else if (cda[CTA_TUPLE_REPLY])
1137 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY,
1138 u3, &zone);
1139 else {
1140 return ctnetlink_flush_conntrack(net, cda,
1141 NETLINK_CB(skb).portid,
1142 nlmsg_report(nlh));
1143 }
1144
1145 if (err < 0)
1146 return err;
1147
1148 h = nf_conntrack_find_get(net, &zone, &tuple);
1149 if (!h)
1150 return -ENOENT;
1151
1152 ct = nf_ct_tuplehash_to_ctrack(h);
1153
1154 if (cda[CTA_ID]) {
1155 u_int32_t id = ntohl(nla_get_be32(cda[CTA_ID]));
1156 if (id != (u32)(unsigned long)ct) {
1157 nf_ct_put(ct);
1158 return -ENOENT;
1159 }
1160 }
1161
1162 if (del_timer(&ct->timeout))
1163 nf_ct_delete(ct, NETLINK_CB(skb).portid, nlmsg_report(nlh));
1164
1165 nf_ct_put(ct);
1166
1167 return 0;
1168}
1169
1170static int ctnetlink_get_conntrack(struct net *net, struct sock *ctnl,
1171 struct sk_buff *skb,
1172 const struct nlmsghdr *nlh,
1173 const struct nlattr * const cda[])
1174{
1175 struct nf_conntrack_tuple_hash *h;
1176 struct nf_conntrack_tuple tuple;
1177 struct nf_conn *ct;
1178 struct sk_buff *skb2 = NULL;
1179 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1180 u_int8_t u3 = nfmsg->nfgen_family;
1181 struct nf_conntrack_zone zone;
1182 int err;
1183
1184 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1185 struct netlink_dump_control c = {
1186 .dump = ctnetlink_dump_table,
1187 .done = ctnetlink_done,
1188 };
1189
1190 if (cda[CTA_MARK] && cda[CTA_MARK_MASK]) {
1191 struct ctnetlink_filter *filter;
1192
1193 filter = ctnetlink_alloc_filter(cda);
1194 if (IS_ERR(filter))
1195 return PTR_ERR(filter);
1196
1197 c.data = filter;
1198 }
1199 return netlink_dump_start(ctnl, skb, nlh, &c);
1200 }
1201
1202 err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone);
1203 if (err < 0)
1204 return err;
1205
1206 if (cda[CTA_TUPLE_ORIG])
1207 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG,
1208 u3, &zone);
1209 else if (cda[CTA_TUPLE_REPLY])
1210 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY,
1211 u3, &zone);
1212 else
1213 return -EINVAL;
1214
1215 if (err < 0)
1216 return err;
1217
1218 h = nf_conntrack_find_get(net, &zone, &tuple);
1219 if (!h)
1220 return -ENOENT;
1221
1222 ct = nf_ct_tuplehash_to_ctrack(h);
1223
1224 err = -ENOMEM;
1225 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1226 if (skb2 == NULL) {
1227 nf_ct_put(ct);
1228 return -ENOMEM;
1229 }
1230
1231 rcu_read_lock();
1232 err = ctnetlink_fill_info(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq,
1233 NFNL_MSG_TYPE(nlh->nlmsg_type), ct);
1234 rcu_read_unlock();
1235 nf_ct_put(ct);
1236 if (err <= 0)
1237 goto free;
1238
1239 err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
1240 if (err < 0)
1241 goto out;
1242
1243 return 0;
1244
1245free:
1246 kfree_skb(skb2);
1247out:
1248
1249 return err == -EAGAIN ? -ENOBUFS : err;
1250}
1251
1252static int ctnetlink_done_list(struct netlink_callback *cb)
1253{
1254 if (cb->args[1])
1255 nf_ct_put((struct nf_conn *)cb->args[1]);
1256 return 0;
1257}
1258
1259static int
1260ctnetlink_dump_list(struct sk_buff *skb, struct netlink_callback *cb, bool dying)
1261{
1262 struct nf_conn *ct, *last;
1263 struct nf_conntrack_tuple_hash *h;
1264 struct hlist_nulls_node *n;
1265 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1266 u_int8_t l3proto = nfmsg->nfgen_family;
1267 int res;
1268 int cpu;
1269 struct hlist_nulls_head *list;
1270 struct net *net = sock_net(skb->sk);
1271
1272 if (cb->args[2])
1273 return 0;
1274
1275 last = (struct nf_conn *)cb->args[1];
1276
1277 for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) {
1278 struct ct_pcpu *pcpu;
1279
1280 if (!cpu_possible(cpu))
1281 continue;
1282
1283 pcpu = per_cpu_ptr(net->ct.pcpu_lists, cpu);
1284 spin_lock_bh(&pcpu->lock);
1285 list = dying ? &pcpu->dying : &pcpu->unconfirmed;
1286restart:
1287 hlist_nulls_for_each_entry(h, n, list, hnnode) {
1288 ct = nf_ct_tuplehash_to_ctrack(h);
1289 if (l3proto && nf_ct_l3num(ct) != l3proto)
1290 continue;
1291 if (cb->args[1]) {
1292 if (ct != last)
1293 continue;
1294 cb->args[1] = 0;
1295 }
1296 rcu_read_lock();
1297 res = ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).portid,
1298 cb->nlh->nlmsg_seq,
1299 NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
1300 ct);
1301 rcu_read_unlock();
1302 if (res < 0) {
1303 if (!atomic_inc_not_zero(&ct->ct_general.use))
1304 continue;
1305 cb->args[0] = cpu;
1306 cb->args[1] = (unsigned long)ct;
1307 spin_unlock_bh(&pcpu->lock);
1308 goto out;
1309 }
1310 }
1311 if (cb->args[1]) {
1312 cb->args[1] = 0;
1313 goto restart;
1314 }
1315 spin_unlock_bh(&pcpu->lock);
1316 }
1317 cb->args[2] = 1;
1318out:
1319 if (last)
1320 nf_ct_put(last);
1321
1322 return skb->len;
1323}
1324
1325static int
1326ctnetlink_dump_dying(struct sk_buff *skb, struct netlink_callback *cb)
1327{
1328 return ctnetlink_dump_list(skb, cb, true);
1329}
1330
1331static int ctnetlink_get_ct_dying(struct net *net, struct sock *ctnl,
1332 struct sk_buff *skb,
1333 const struct nlmsghdr *nlh,
1334 const struct nlattr * const cda[])
1335{
1336 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1337 struct netlink_dump_control c = {
1338 .dump = ctnetlink_dump_dying,
1339 .done = ctnetlink_done_list,
1340 };
1341 return netlink_dump_start(ctnl, skb, nlh, &c);
1342 }
1343
1344 return -EOPNOTSUPP;
1345}
1346
1347static int
1348ctnetlink_dump_unconfirmed(struct sk_buff *skb, struct netlink_callback *cb)
1349{
1350 return ctnetlink_dump_list(skb, cb, false);
1351}
1352
1353static int ctnetlink_get_ct_unconfirmed(struct net *net, struct sock *ctnl,
1354 struct sk_buff *skb,
1355 const struct nlmsghdr *nlh,
1356 const struct nlattr * const cda[])
1357{
1358 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1359 struct netlink_dump_control c = {
1360 .dump = ctnetlink_dump_unconfirmed,
1361 .done = ctnetlink_done_list,
1362 };
1363 return netlink_dump_start(ctnl, skb, nlh, &c);
1364 }
1365
1366 return -EOPNOTSUPP;
1367}
1368
1369#ifdef CONFIG_NF_NAT_NEEDED
1370static int
1371ctnetlink_parse_nat_setup(struct nf_conn *ct,
1372 enum nf_nat_manip_type manip,
1373 const struct nlattr *attr)
1374{
1375 typeof(nfnetlink_parse_nat_setup_hook) parse_nat_setup;
1376 int err;
1377
1378 parse_nat_setup = rcu_dereference(nfnetlink_parse_nat_setup_hook);
1379 if (!parse_nat_setup) {
1380#ifdef CONFIG_MODULES
1381 rcu_read_unlock();
1382 nfnl_unlock(NFNL_SUBSYS_CTNETLINK);
1383 if (request_module("nf-nat") < 0) {
1384 nfnl_lock(NFNL_SUBSYS_CTNETLINK);
1385 rcu_read_lock();
1386 return -EOPNOTSUPP;
1387 }
1388 nfnl_lock(NFNL_SUBSYS_CTNETLINK);
1389 rcu_read_lock();
1390 if (nfnetlink_parse_nat_setup_hook)
1391 return -EAGAIN;
1392#endif
1393 return -EOPNOTSUPP;
1394 }
1395
1396 err = parse_nat_setup(ct, manip, attr);
1397 if (err == -EAGAIN) {
1398#ifdef CONFIG_MODULES
1399 rcu_read_unlock();
1400 nfnl_unlock(NFNL_SUBSYS_CTNETLINK);
1401 if (request_module("nf-nat-%u", nf_ct_l3num(ct)) < 0) {
1402 nfnl_lock(NFNL_SUBSYS_CTNETLINK);
1403 rcu_read_lock();
1404 return -EOPNOTSUPP;
1405 }
1406 nfnl_lock(NFNL_SUBSYS_CTNETLINK);
1407 rcu_read_lock();
1408#else
1409 err = -EOPNOTSUPP;
1410#endif
1411 }
1412 return err;
1413}
1414#endif
1415
1416static int
1417ctnetlink_change_status(struct nf_conn *ct, const struct nlattr * const cda[])
1418{
1419 unsigned long d;
1420 unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS]));
1421 d = ct->status ^ status;
1422
1423 if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING))
1424
1425 return -EBUSY;
1426
1427 if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY))
1428
1429 return -EBUSY;
1430
1431 if (d & IPS_ASSURED && !(status & IPS_ASSURED))
1432
1433 return -EBUSY;
1434
1435
1436
1437
1438 ct->status |= status & ~(IPS_NAT_DONE_MASK | IPS_NAT_MASK);
1439 return 0;
1440}
1441
1442static int
1443ctnetlink_setup_nat(struct nf_conn *ct, const struct nlattr * const cda[])
1444{
1445#ifdef CONFIG_NF_NAT_NEEDED
1446 int ret;
1447
1448 if (!cda[CTA_NAT_DST] && !cda[CTA_NAT_SRC])
1449 return 0;
1450
1451 ret = ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_DST,
1452 cda[CTA_NAT_DST]);
1453 if (ret < 0)
1454 return ret;
1455
1456 ret = ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_SRC,
1457 cda[CTA_NAT_SRC]);
1458 return ret;
1459#else
1460 if (!cda[CTA_NAT_DST] && !cda[CTA_NAT_SRC])
1461 return 0;
1462 return -EOPNOTSUPP;
1463#endif
1464}
1465
1466static inline int
1467ctnetlink_change_helper(struct nf_conn *ct, const struct nlattr * const cda[])
1468{
1469 struct nf_conntrack_helper *helper;
1470 struct nf_conn_help *help = nfct_help(ct);
1471 char *helpname = NULL;
1472 struct nlattr *helpinfo = NULL;
1473 int err;
1474
1475
1476 if (ct->master)
1477 return -EBUSY;
1478
1479 err = ctnetlink_parse_help(cda[CTA_HELP], &helpname, &helpinfo);
1480 if (err < 0)
1481 return err;
1482
1483 if (!strcmp(helpname, "")) {
1484 if (help && help->helper) {
1485
1486 nf_ct_remove_expectations(ct);
1487 RCU_INIT_POINTER(help->helper, NULL);
1488 }
1489
1490 return 0;
1491 }
1492
1493 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
1494 nf_ct_protonum(ct));
1495 if (helper == NULL) {
1496#ifdef CONFIG_MODULES
1497 spin_unlock_bh(&nf_conntrack_expect_lock);
1498
1499 if (request_module("nfct-helper-%s", helpname) < 0) {
1500 spin_lock_bh(&nf_conntrack_expect_lock);
1501 return -EOPNOTSUPP;
1502 }
1503
1504 spin_lock_bh(&nf_conntrack_expect_lock);
1505 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
1506 nf_ct_protonum(ct));
1507 if (helper)
1508 return -EAGAIN;
1509#endif
1510 return -EOPNOTSUPP;
1511 }
1512
1513 if (help) {
1514 if (help->helper == helper) {
1515
1516 if (helper->from_nlattr)
1517 helper->from_nlattr(helpinfo, ct);
1518 return 0;
1519 } else
1520 return -EBUSY;
1521 }
1522
1523
1524 return -EOPNOTSUPP;
1525}
1526
1527static inline int
1528ctnetlink_change_timeout(struct nf_conn *ct, const struct nlattr * const cda[])
1529{
1530 u_int32_t timeout = ntohl(nla_get_be32(cda[CTA_TIMEOUT]));
1531
1532 if (!del_timer(&ct->timeout))
1533 return -ETIME;
1534
1535 ct->timeout.expires = jiffies + timeout * HZ;
1536 add_timer(&ct->timeout);
1537
1538 return 0;
1539}
1540
1541static const struct nla_policy protoinfo_policy[CTA_PROTOINFO_MAX+1] = {
1542 [CTA_PROTOINFO_TCP] = { .type = NLA_NESTED },
1543 [CTA_PROTOINFO_DCCP] = { .type = NLA_NESTED },
1544 [CTA_PROTOINFO_SCTP] = { .type = NLA_NESTED },
1545};
1546
1547static inline int
1548ctnetlink_change_protoinfo(struct nf_conn *ct, const struct nlattr * const cda[])
1549{
1550 const struct nlattr *attr = cda[CTA_PROTOINFO];
1551 struct nlattr *tb[CTA_PROTOINFO_MAX+1];
1552 struct nf_conntrack_l4proto *l4proto;
1553 int err = 0;
1554
1555 err = nla_parse_nested(tb, CTA_PROTOINFO_MAX, attr, protoinfo_policy);
1556 if (err < 0)
1557 return err;
1558
1559 rcu_read_lock();
1560 l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
1561 if (l4proto->from_nlattr)
1562 err = l4proto->from_nlattr(tb, ct);
1563 rcu_read_unlock();
1564
1565 return err;
1566}
1567
1568static const struct nla_policy seqadj_policy[CTA_SEQADJ_MAX+1] = {
1569 [CTA_SEQADJ_CORRECTION_POS] = { .type = NLA_U32 },
1570 [CTA_SEQADJ_OFFSET_BEFORE] = { .type = NLA_U32 },
1571 [CTA_SEQADJ_OFFSET_AFTER] = { .type = NLA_U32 },
1572};
1573
1574static inline int
1575change_seq_adj(struct nf_ct_seqadj *seq, const struct nlattr * const attr)
1576{
1577 int err;
1578 struct nlattr *cda[CTA_SEQADJ_MAX+1];
1579
1580 err = nla_parse_nested(cda, CTA_SEQADJ_MAX, attr, seqadj_policy);
1581 if (err < 0)
1582 return err;
1583
1584 if (!cda[CTA_SEQADJ_CORRECTION_POS])
1585 return -EINVAL;
1586
1587 seq->correction_pos =
1588 ntohl(nla_get_be32(cda[CTA_SEQADJ_CORRECTION_POS]));
1589
1590 if (!cda[CTA_SEQADJ_OFFSET_BEFORE])
1591 return -EINVAL;
1592
1593 seq->offset_before =
1594 ntohl(nla_get_be32(cda[CTA_SEQADJ_OFFSET_BEFORE]));
1595
1596 if (!cda[CTA_SEQADJ_OFFSET_AFTER])
1597 return -EINVAL;
1598
1599 seq->offset_after =
1600 ntohl(nla_get_be32(cda[CTA_SEQADJ_OFFSET_AFTER]));
1601
1602 return 0;
1603}
1604
1605static int
1606ctnetlink_change_seq_adj(struct nf_conn *ct,
1607 const struct nlattr * const cda[])
1608{
1609 struct nf_conn_seqadj *seqadj = nfct_seqadj(ct);
1610 int ret = 0;
1611
1612 if (!seqadj)
1613 return 0;
1614
1615 if (cda[CTA_SEQ_ADJ_ORIG]) {
1616 ret = change_seq_adj(&seqadj->seq[IP_CT_DIR_ORIGINAL],
1617 cda[CTA_SEQ_ADJ_ORIG]);
1618 if (ret < 0)
1619 return ret;
1620
1621 ct->status |= IPS_SEQ_ADJUST;
1622 }
1623
1624 if (cda[CTA_SEQ_ADJ_REPLY]) {
1625 ret = change_seq_adj(&seqadj->seq[IP_CT_DIR_REPLY],
1626 cda[CTA_SEQ_ADJ_REPLY]);
1627 if (ret < 0)
1628 return ret;
1629
1630 ct->status |= IPS_SEQ_ADJUST;
1631 }
1632
1633 return 0;
1634}
1635
1636static int
1637ctnetlink_attach_labels(struct nf_conn *ct, const struct nlattr * const cda[])
1638{
1639#ifdef CONFIG_NF_CONNTRACK_LABELS
1640 size_t len = nla_len(cda[CTA_LABELS]);
1641 const void *mask = cda[CTA_LABELS_MASK];
1642
1643 if (len & (sizeof(u32)-1))
1644 return -EINVAL;
1645
1646 if (mask) {
1647 if (nla_len(cda[CTA_LABELS_MASK]) == 0 ||
1648 nla_len(cda[CTA_LABELS_MASK]) != len)
1649 return -EINVAL;
1650 mask = nla_data(cda[CTA_LABELS_MASK]);
1651 }
1652
1653 len /= sizeof(u32);
1654
1655 return nf_connlabels_replace(ct, nla_data(cda[CTA_LABELS]), mask, len);
1656#else
1657 return -EOPNOTSUPP;
1658#endif
1659}
1660
1661static int
1662ctnetlink_change_conntrack(struct nf_conn *ct,
1663 const struct nlattr * const cda[])
1664{
1665 int err;
1666
1667
1668 if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST] || cda[CTA_TUPLE_MASTER])
1669 return -EOPNOTSUPP;
1670
1671 if (cda[CTA_HELP]) {
1672 err = ctnetlink_change_helper(ct, cda);
1673 if (err < 0)
1674 return err;
1675 }
1676
1677 if (cda[CTA_TIMEOUT]) {
1678 err = ctnetlink_change_timeout(ct, cda);
1679 if (err < 0)
1680 return err;
1681 }
1682
1683 if (cda[CTA_STATUS]) {
1684 err = ctnetlink_change_status(ct, cda);
1685 if (err < 0)
1686 return err;
1687 }
1688
1689 if (cda[CTA_PROTOINFO]) {
1690 err = ctnetlink_change_protoinfo(ct, cda);
1691 if (err < 0)
1692 return err;
1693 }
1694
1695#if defined(CONFIG_NF_CONNTRACK_MARK)
1696 if (cda[CTA_MARK])
1697 ct->mark = ntohl(nla_get_be32(cda[CTA_MARK]));
1698#endif
1699
1700 if (cda[CTA_SEQ_ADJ_ORIG] || cda[CTA_SEQ_ADJ_REPLY]) {
1701 err = ctnetlink_change_seq_adj(ct, cda);
1702 if (err < 0)
1703 return err;
1704 }
1705
1706 if (cda[CTA_LABELS]) {
1707 err = ctnetlink_attach_labels(ct, cda);
1708 if (err < 0)
1709 return err;
1710 }
1711
1712 return 0;
1713}
1714
1715static struct nf_conn *
1716ctnetlink_create_conntrack(struct net *net,
1717 const struct nf_conntrack_zone *zone,
1718 const struct nlattr * const cda[],
1719 struct nf_conntrack_tuple *otuple,
1720 struct nf_conntrack_tuple *rtuple,
1721 u8 u3)
1722{
1723 struct nf_conn *ct;
1724 int err = -EINVAL;
1725 struct nf_conntrack_helper *helper;
1726 struct nf_conn_tstamp *tstamp;
1727
1728 ct = nf_conntrack_alloc(net, zone, otuple, rtuple, GFP_ATOMIC);
1729 if (IS_ERR(ct))
1730 return ERR_PTR(-ENOMEM);
1731
1732 if (!cda[CTA_TIMEOUT])
1733 goto err1;
1734 ct->timeout.expires = ntohl(nla_get_be32(cda[CTA_TIMEOUT]));
1735
1736 ct->timeout.expires = jiffies + ct->timeout.expires * HZ;
1737
1738 rcu_read_lock();
1739 if (cda[CTA_HELP]) {
1740 char *helpname = NULL;
1741 struct nlattr *helpinfo = NULL;
1742
1743 err = ctnetlink_parse_help(cda[CTA_HELP], &helpname, &helpinfo);
1744 if (err < 0)
1745 goto err2;
1746
1747 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
1748 nf_ct_protonum(ct));
1749 if (helper == NULL) {
1750 rcu_read_unlock();
1751#ifdef CONFIG_MODULES
1752 if (request_module("nfct-helper-%s", helpname) < 0) {
1753 err = -EOPNOTSUPP;
1754 goto err1;
1755 }
1756
1757 rcu_read_lock();
1758 helper = __nf_conntrack_helper_find(helpname,
1759 nf_ct_l3num(ct),
1760 nf_ct_protonum(ct));
1761 if (helper) {
1762 err = -EAGAIN;
1763 goto err2;
1764 }
1765 rcu_read_unlock();
1766#endif
1767 err = -EOPNOTSUPP;
1768 goto err1;
1769 } else {
1770 struct nf_conn_help *help;
1771
1772 help = nf_ct_helper_ext_add(ct, helper, GFP_ATOMIC);
1773 if (help == NULL) {
1774 err = -ENOMEM;
1775 goto err2;
1776 }
1777
1778 if (helper->from_nlattr)
1779 helper->from_nlattr(helpinfo, ct);
1780
1781
1782 RCU_INIT_POINTER(help->helper, helper);
1783 }
1784 } else {
1785
1786 err = __nf_ct_try_assign_helper(ct, NULL, GFP_ATOMIC);
1787 if (err < 0)
1788 goto err2;
1789 }
1790
1791 err = ctnetlink_setup_nat(ct, cda);
1792 if (err < 0)
1793 goto err2;
1794
1795 nf_ct_acct_ext_add(ct, GFP_ATOMIC);
1796 nf_ct_tstamp_ext_add(ct, GFP_ATOMIC);
1797 nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC);
1798 nf_ct_labels_ext_add(ct);
1799
1800
1801 ct->status |= IPS_CONFIRMED;
1802
1803 if (cda[CTA_STATUS]) {
1804 err = ctnetlink_change_status(ct, cda);
1805 if (err < 0)
1806 goto err2;
1807 }
1808
1809 if (cda[CTA_SEQ_ADJ_ORIG] || cda[CTA_SEQ_ADJ_REPLY]) {
1810 err = ctnetlink_change_seq_adj(ct, cda);
1811 if (err < 0)
1812 goto err2;
1813 }
1814
1815 memset(&ct->proto, 0, sizeof(ct->proto));
1816 if (cda[CTA_PROTOINFO]) {
1817 err = ctnetlink_change_protoinfo(ct, cda);
1818 if (err < 0)
1819 goto err2;
1820 }
1821
1822#if defined(CONFIG_NF_CONNTRACK_MARK)
1823 if (cda[CTA_MARK])
1824 ct->mark = ntohl(nla_get_be32(cda[CTA_MARK]));
1825#endif
1826
1827
1828 if (cda[CTA_TUPLE_MASTER]) {
1829 struct nf_conntrack_tuple master;
1830 struct nf_conntrack_tuple_hash *master_h;
1831 struct nf_conn *master_ct;
1832
1833 err = ctnetlink_parse_tuple(cda, &master, CTA_TUPLE_MASTER,
1834 u3, NULL);
1835 if (err < 0)
1836 goto err2;
1837
1838 master_h = nf_conntrack_find_get(net, zone, &master);
1839 if (master_h == NULL) {
1840 err = -ENOENT;
1841 goto err2;
1842 }
1843 master_ct = nf_ct_tuplehash_to_ctrack(master_h);
1844 __set_bit(IPS_EXPECTED_BIT, &ct->status);
1845 ct->master = master_ct;
1846 }
1847 tstamp = nf_conn_tstamp_find(ct);
1848 if (tstamp)
1849 tstamp->start = ktime_get_real_ns();
1850
1851 err = nf_conntrack_hash_check_insert(ct);
1852 if (err < 0)
1853 goto err2;
1854
1855 rcu_read_unlock();
1856
1857 return ct;
1858
1859err2:
1860 rcu_read_unlock();
1861err1:
1862 nf_conntrack_free(ct);
1863 return ERR_PTR(err);
1864}
1865
1866static int ctnetlink_new_conntrack(struct net *net, struct sock *ctnl,
1867 struct sk_buff *skb,
1868 const struct nlmsghdr *nlh,
1869 const struct nlattr * const cda[])
1870{
1871 struct nf_conntrack_tuple otuple, rtuple;
1872 struct nf_conntrack_tuple_hash *h = NULL;
1873 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1874 struct nf_conn *ct;
1875 u_int8_t u3 = nfmsg->nfgen_family;
1876 struct nf_conntrack_zone zone;
1877 int err;
1878
1879 err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone);
1880 if (err < 0)
1881 return err;
1882
1883 if (cda[CTA_TUPLE_ORIG]) {
1884 err = ctnetlink_parse_tuple(cda, &otuple, CTA_TUPLE_ORIG,
1885 u3, &zone);
1886 if (err < 0)
1887 return err;
1888 }
1889
1890 if (cda[CTA_TUPLE_REPLY]) {
1891 err = ctnetlink_parse_tuple(cda, &rtuple, CTA_TUPLE_REPLY,
1892 u3, &zone);
1893 if (err < 0)
1894 return err;
1895 }
1896
1897 if (cda[CTA_TUPLE_ORIG])
1898 h = nf_conntrack_find_get(net, &zone, &otuple);
1899 else if (cda[CTA_TUPLE_REPLY])
1900 h = nf_conntrack_find_get(net, &zone, &rtuple);
1901
1902 if (h == NULL) {
1903 err = -ENOENT;
1904 if (nlh->nlmsg_flags & NLM_F_CREATE) {
1905 enum ip_conntrack_events events;
1906
1907 if (!cda[CTA_TUPLE_ORIG] || !cda[CTA_TUPLE_REPLY])
1908 return -EINVAL;
1909
1910 ct = ctnetlink_create_conntrack(net, &zone, cda, &otuple,
1911 &rtuple, u3);
1912 if (IS_ERR(ct))
1913 return PTR_ERR(ct);
1914
1915 err = 0;
1916 if (test_bit(IPS_EXPECTED_BIT, &ct->status))
1917 events = IPCT_RELATED;
1918 else
1919 events = IPCT_NEW;
1920
1921 if (cda[CTA_LABELS] &&
1922 ctnetlink_attach_labels(ct, cda) == 0)
1923 events |= (1 << IPCT_LABEL);
1924
1925 nf_conntrack_eventmask_report((1 << IPCT_REPLY) |
1926 (1 << IPCT_ASSURED) |
1927 (1 << IPCT_HELPER) |
1928 (1 << IPCT_PROTOINFO) |
1929 (1 << IPCT_SEQADJ) |
1930 (1 << IPCT_MARK) | events,
1931 ct, NETLINK_CB(skb).portid,
1932 nlmsg_report(nlh));
1933 nf_ct_put(ct);
1934 }
1935
1936 return err;
1937 }
1938
1939
1940 err = -EEXIST;
1941 ct = nf_ct_tuplehash_to_ctrack(h);
1942 if (!(nlh->nlmsg_flags & NLM_F_EXCL)) {
1943 spin_lock_bh(&nf_conntrack_expect_lock);
1944 err = ctnetlink_change_conntrack(ct, cda);
1945 spin_unlock_bh(&nf_conntrack_expect_lock);
1946 if (err == 0) {
1947 nf_conntrack_eventmask_report((1 << IPCT_REPLY) |
1948 (1 << IPCT_ASSURED) |
1949 (1 << IPCT_HELPER) |
1950 (1 << IPCT_LABEL) |
1951 (1 << IPCT_PROTOINFO) |
1952 (1 << IPCT_SEQADJ) |
1953 (1 << IPCT_MARK),
1954 ct, NETLINK_CB(skb).portid,
1955 nlmsg_report(nlh));
1956 }
1957 }
1958
1959 nf_ct_put(ct);
1960 return err;
1961}
1962
1963static int
1964ctnetlink_ct_stat_cpu_fill_info(struct sk_buff *skb, u32 portid, u32 seq,
1965 __u16 cpu, const struct ip_conntrack_stat *st)
1966{
1967 struct nlmsghdr *nlh;
1968 struct nfgenmsg *nfmsg;
1969 unsigned int flags = portid ? NLM_F_MULTI : 0, event;
1970
1971 event = (NFNL_SUBSYS_CTNETLINK << 8 | IPCTNL_MSG_CT_GET_STATS_CPU);
1972 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
1973 if (nlh == NULL)
1974 goto nlmsg_failure;
1975
1976 nfmsg = nlmsg_data(nlh);
1977 nfmsg->nfgen_family = AF_UNSPEC;
1978 nfmsg->version = NFNETLINK_V0;
1979 nfmsg->res_id = htons(cpu);
1980
1981 if (nla_put_be32(skb, CTA_STATS_SEARCHED, htonl(st->searched)) ||
1982 nla_put_be32(skb, CTA_STATS_FOUND, htonl(st->found)) ||
1983 nla_put_be32(skb, CTA_STATS_NEW, htonl(st->new)) ||
1984 nla_put_be32(skb, CTA_STATS_INVALID, htonl(st->invalid)) ||
1985 nla_put_be32(skb, CTA_STATS_IGNORE, htonl(st->ignore)) ||
1986 nla_put_be32(skb, CTA_STATS_DELETE, htonl(st->delete)) ||
1987 nla_put_be32(skb, CTA_STATS_DELETE_LIST, htonl(st->delete_list)) ||
1988 nla_put_be32(skb, CTA_STATS_INSERT, htonl(st->insert)) ||
1989 nla_put_be32(skb, CTA_STATS_INSERT_FAILED,
1990 htonl(st->insert_failed)) ||
1991 nla_put_be32(skb, CTA_STATS_DROP, htonl(st->drop)) ||
1992 nla_put_be32(skb, CTA_STATS_EARLY_DROP, htonl(st->early_drop)) ||
1993 nla_put_be32(skb, CTA_STATS_ERROR, htonl(st->error)) ||
1994 nla_put_be32(skb, CTA_STATS_SEARCH_RESTART,
1995 htonl(st->search_restart)))
1996 goto nla_put_failure;
1997
1998 nlmsg_end(skb, nlh);
1999 return skb->len;
2000
2001nla_put_failure:
2002nlmsg_failure:
2003 nlmsg_cancel(skb, nlh);
2004 return -1;
2005}
2006
2007static int
2008ctnetlink_ct_stat_cpu_dump(struct sk_buff *skb, struct netlink_callback *cb)
2009{
2010 int cpu;
2011 struct net *net = sock_net(skb->sk);
2012
2013 if (cb->args[0] == nr_cpu_ids)
2014 return 0;
2015
2016 for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) {
2017 const struct ip_conntrack_stat *st;
2018
2019 if (!cpu_possible(cpu))
2020 continue;
2021
2022 st = per_cpu_ptr(net->ct.stat, cpu);
2023 if (ctnetlink_ct_stat_cpu_fill_info(skb,
2024 NETLINK_CB(cb->skb).portid,
2025 cb->nlh->nlmsg_seq,
2026 cpu, st) < 0)
2027 break;
2028 }
2029 cb->args[0] = cpu;
2030
2031 return skb->len;
2032}
2033
2034static int ctnetlink_stat_ct_cpu(struct net *net, struct sock *ctnl,
2035 struct sk_buff *skb,
2036 const struct nlmsghdr *nlh,
2037 const struct nlattr * const cda[])
2038{
2039 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2040 struct netlink_dump_control c = {
2041 .dump = ctnetlink_ct_stat_cpu_dump,
2042 };
2043 return netlink_dump_start(ctnl, skb, nlh, &c);
2044 }
2045
2046 return 0;
2047}
2048
2049static int
2050ctnetlink_stat_ct_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
2051 struct net *net)
2052{
2053 struct nlmsghdr *nlh;
2054 struct nfgenmsg *nfmsg;
2055 unsigned int flags = portid ? NLM_F_MULTI : 0, event;
2056 unsigned int nr_conntracks = atomic_read(&net->ct.count);
2057
2058 event = (NFNL_SUBSYS_CTNETLINK << 8 | IPCTNL_MSG_CT_GET_STATS);
2059 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
2060 if (nlh == NULL)
2061 goto nlmsg_failure;
2062
2063 nfmsg = nlmsg_data(nlh);
2064 nfmsg->nfgen_family = AF_UNSPEC;
2065 nfmsg->version = NFNETLINK_V0;
2066 nfmsg->res_id = 0;
2067
2068 if (nla_put_be32(skb, CTA_STATS_GLOBAL_ENTRIES, htonl(nr_conntracks)))
2069 goto nla_put_failure;
2070
2071 nlmsg_end(skb, nlh);
2072 return skb->len;
2073
2074nla_put_failure:
2075nlmsg_failure:
2076 nlmsg_cancel(skb, nlh);
2077 return -1;
2078}
2079
2080static int ctnetlink_stat_ct(struct net *net, struct sock *ctnl,
2081 struct sk_buff *skb, const struct nlmsghdr *nlh,
2082 const struct nlattr * const cda[])
2083{
2084 struct sk_buff *skb2;
2085 int err;
2086
2087 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2088 if (skb2 == NULL)
2089 return -ENOMEM;
2090
2091 err = ctnetlink_stat_ct_fill_info(skb2, NETLINK_CB(skb).portid,
2092 nlh->nlmsg_seq,
2093 NFNL_MSG_TYPE(nlh->nlmsg_type),
2094 sock_net(skb->sk));
2095 if (err <= 0)
2096 goto free;
2097
2098 err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
2099 if (err < 0)
2100 goto out;
2101
2102 return 0;
2103
2104free:
2105 kfree_skb(skb2);
2106out:
2107
2108 return err == -EAGAIN ? -ENOBUFS : err;
2109}
2110
2111static const struct nla_policy exp_nla_policy[CTA_EXPECT_MAX+1] = {
2112 [CTA_EXPECT_MASTER] = { .type = NLA_NESTED },
2113 [CTA_EXPECT_TUPLE] = { .type = NLA_NESTED },
2114 [CTA_EXPECT_MASK] = { .type = NLA_NESTED },
2115 [CTA_EXPECT_TIMEOUT] = { .type = NLA_U32 },
2116 [CTA_EXPECT_ID] = { .type = NLA_U32 },
2117 [CTA_EXPECT_HELP_NAME] = { .type = NLA_NUL_STRING,
2118 .len = NF_CT_HELPER_NAME_LEN - 1 },
2119 [CTA_EXPECT_ZONE] = { .type = NLA_U16 },
2120 [CTA_EXPECT_FLAGS] = { .type = NLA_U32 },
2121 [CTA_EXPECT_CLASS] = { .type = NLA_U32 },
2122 [CTA_EXPECT_NAT] = { .type = NLA_NESTED },
2123 [CTA_EXPECT_FN] = { .type = NLA_NUL_STRING },
2124};
2125
2126static struct nf_conntrack_expect *
2127ctnetlink_alloc_expect(const struct nlattr *const cda[], struct nf_conn *ct,
2128 struct nf_conntrack_helper *helper,
2129 struct nf_conntrack_tuple *tuple,
2130 struct nf_conntrack_tuple *mask);
2131
2132#ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT
2133static size_t
2134ctnetlink_glue_build_size(const struct nf_conn *ct)
2135{
2136 return 3 * nla_total_size(0)
2137 + 3 * nla_total_size(0)
2138 + 3 * nla_total_size(0)
2139 + 3 * nla_total_size(sizeof(u_int8_t))
2140 + nla_total_size(sizeof(u_int32_t))
2141 + nla_total_size(sizeof(u_int32_t))
2142 + nla_total_size(sizeof(u_int32_t))
2143 + nla_total_size(0)
2144 + nla_total_size(0)
2145 + nla_total_size(NF_CT_HELPER_NAME_LEN)
2146 + ctnetlink_secctx_size(ct)
2147#ifdef CONFIG_NF_NAT_NEEDED
2148 + 2 * nla_total_size(0)
2149 + 6 * nla_total_size(sizeof(u_int32_t))
2150#endif
2151#ifdef CONFIG_NF_CONNTRACK_MARK
2152 + nla_total_size(sizeof(u_int32_t))
2153#endif
2154#ifdef CONFIG_NF_CONNTRACK_ZONES
2155 + nla_total_size(sizeof(u_int16_t))
2156#endif
2157 + ctnetlink_proto_size(ct)
2158 ;
2159}
2160
2161static struct nf_conn *ctnetlink_glue_get_ct(const struct sk_buff *skb,
2162 enum ip_conntrack_info *ctinfo)
2163{
2164 struct nf_conn *ct;
2165
2166 ct = nf_ct_get(skb, ctinfo);
2167 if (ct && nf_ct_is_untracked(ct))
2168 ct = NULL;
2169
2170 return ct;
2171}
2172
2173static int __ctnetlink_glue_build(struct sk_buff *skb, struct nf_conn *ct)
2174{
2175 const struct nf_conntrack_zone *zone;
2176 struct nlattr *nest_parms;
2177
2178 rcu_read_lock();
2179 zone = nf_ct_zone(ct);
2180
2181 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED);
2182 if (!nest_parms)
2183 goto nla_put_failure;
2184 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
2185 goto nla_put_failure;
2186 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
2187 NF_CT_ZONE_DIR_ORIG) < 0)
2188 goto nla_put_failure;
2189 nla_nest_end(skb, nest_parms);
2190
2191 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY | NLA_F_NESTED);
2192 if (!nest_parms)
2193 goto nla_put_failure;
2194 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
2195 goto nla_put_failure;
2196 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
2197 NF_CT_ZONE_DIR_REPL) < 0)
2198 goto nla_put_failure;
2199 nla_nest_end(skb, nest_parms);
2200
2201 if (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone,
2202 NF_CT_DEFAULT_ZONE_DIR) < 0)
2203 goto nla_put_failure;
2204
2205 if (ctnetlink_dump_id(skb, ct) < 0)
2206 goto nla_put_failure;
2207
2208 if (ctnetlink_dump_status(skb, ct) < 0)
2209 goto nla_put_failure;
2210
2211 if (ctnetlink_dump_timeout(skb, ct) < 0)
2212 goto nla_put_failure;
2213
2214 if (ctnetlink_dump_protoinfo(skb, ct) < 0)
2215 goto nla_put_failure;
2216
2217 if (ctnetlink_dump_helpinfo(skb, ct) < 0)
2218 goto nla_put_failure;
2219
2220#ifdef CONFIG_NF_CONNTRACK_SECMARK
2221 if (ct->secmark && ctnetlink_dump_secctx(skb, ct) < 0)
2222 goto nla_put_failure;
2223#endif
2224 if (ct->master && ctnetlink_dump_master(skb, ct) < 0)
2225 goto nla_put_failure;
2226
2227 if ((ct->status & IPS_SEQ_ADJUST) &&
2228 ctnetlink_dump_ct_seq_adj(skb, ct) < 0)
2229 goto nla_put_failure;
2230
2231#ifdef CONFIG_NF_CONNTRACK_MARK
2232 if (ct->mark && ctnetlink_dump_mark(skb, ct) < 0)
2233 goto nla_put_failure;
2234#endif
2235 if (ctnetlink_dump_labels(skb, ct) < 0)
2236 goto nla_put_failure;
2237 rcu_read_unlock();
2238 return 0;
2239
2240nla_put_failure:
2241 rcu_read_unlock();
2242 return -ENOSPC;
2243}
2244
2245static int
2246ctnetlink_glue_build(struct sk_buff *skb, struct nf_conn *ct,
2247 enum ip_conntrack_info ctinfo,
2248 u_int16_t ct_attr, u_int16_t ct_info_attr)
2249{
2250 struct nlattr *nest_parms;
2251
2252 nest_parms = nla_nest_start(skb, ct_attr | NLA_F_NESTED);
2253 if (!nest_parms)
2254 goto nla_put_failure;
2255
2256 if (__ctnetlink_glue_build(skb, ct) < 0)
2257 goto nla_put_failure;
2258
2259 nla_nest_end(skb, nest_parms);
2260
2261 if (nla_put_be32(skb, ct_info_attr, htonl(ctinfo)))
2262 goto nla_put_failure;
2263
2264 return 0;
2265
2266nla_put_failure:
2267 return -ENOSPC;
2268}
2269
2270static int
2271ctnetlink_glue_parse_ct(const struct nlattr *cda[], struct nf_conn *ct)
2272{
2273 int err;
2274
2275 if (cda[CTA_TIMEOUT]) {
2276 err = ctnetlink_change_timeout(ct, cda);
2277 if (err < 0)
2278 return err;
2279 }
2280 if (cda[CTA_STATUS]) {
2281 err = ctnetlink_change_status(ct, cda);
2282 if (err < 0)
2283 return err;
2284 }
2285 if (cda[CTA_HELP]) {
2286 err = ctnetlink_change_helper(ct, cda);
2287 if (err < 0)
2288 return err;
2289 }
2290 if (cda[CTA_LABELS]) {
2291 err = ctnetlink_attach_labels(ct, cda);
2292 if (err < 0)
2293 return err;
2294 }
2295#if defined(CONFIG_NF_CONNTRACK_MARK)
2296 if (cda[CTA_MARK]) {
2297 u32 mask = 0, mark, newmark;
2298 if (cda[CTA_MARK_MASK])
2299 mask = ~ntohl(nla_get_be32(cda[CTA_MARK_MASK]));
2300
2301 mark = ntohl(nla_get_be32(cda[CTA_MARK]));
2302 newmark = (ct->mark & mask) ^ mark;
2303 if (newmark != ct->mark)
2304 ct->mark = newmark;
2305 }
2306#endif
2307 return 0;
2308}
2309
2310static int
2311ctnetlink_glue_parse(const struct nlattr *attr, struct nf_conn *ct)
2312{
2313 struct nlattr *cda[CTA_MAX+1];
2314 int ret;
2315
2316 ret = nla_parse_nested(cda, CTA_MAX, attr, ct_nla_policy);
2317 if (ret < 0)
2318 return ret;
2319
2320 spin_lock_bh(&nf_conntrack_expect_lock);
2321 ret = ctnetlink_glue_parse_ct((const struct nlattr **)cda, ct);
2322 spin_unlock_bh(&nf_conntrack_expect_lock);
2323
2324 return ret;
2325}
2326
2327static int ctnetlink_glue_exp_parse(const struct nlattr * const *cda,
2328 const struct nf_conn *ct,
2329 struct nf_conntrack_tuple *tuple,
2330 struct nf_conntrack_tuple *mask)
2331{
2332 int err;
2333
2334 err = ctnetlink_parse_tuple(cda, tuple, CTA_EXPECT_TUPLE,
2335 nf_ct_l3num(ct), NULL);
2336 if (err < 0)
2337 return err;
2338
2339 return ctnetlink_parse_tuple(cda, mask, CTA_EXPECT_MASK,
2340 nf_ct_l3num(ct), NULL);
2341}
2342
2343static int
2344ctnetlink_glue_attach_expect(const struct nlattr *attr, struct nf_conn *ct,
2345 u32 portid, u32 report)
2346{
2347 struct nlattr *cda[CTA_EXPECT_MAX+1];
2348 struct nf_conntrack_tuple tuple, mask;
2349 struct nf_conntrack_helper *helper = NULL;
2350 struct nf_conntrack_expect *exp;
2351 int err;
2352
2353 err = nla_parse_nested(cda, CTA_EXPECT_MAX, attr, exp_nla_policy);
2354 if (err < 0)
2355 return err;
2356
2357 err = ctnetlink_glue_exp_parse((const struct nlattr * const *)cda,
2358 ct, &tuple, &mask);
2359 if (err < 0)
2360 return err;
2361
2362 if (cda[CTA_EXPECT_HELP_NAME]) {
2363 const char *helpname = nla_data(cda[CTA_EXPECT_HELP_NAME]);
2364
2365 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
2366 nf_ct_protonum(ct));
2367 if (helper == NULL)
2368 return -EOPNOTSUPP;
2369 }
2370
2371 exp = ctnetlink_alloc_expect((const struct nlattr * const *)cda, ct,
2372 helper, &tuple, &mask);
2373 if (IS_ERR(exp))
2374 return PTR_ERR(exp);
2375
2376 err = nf_ct_expect_related_report(exp, portid, report);
2377 if (err < 0) {
2378 nf_ct_expect_put(exp);
2379 return err;
2380 }
2381
2382 return 0;
2383}
2384
2385static void ctnetlink_glue_seqadj(struct sk_buff *skb, struct nf_conn *ct,
2386 enum ip_conntrack_info ctinfo, int diff)
2387{
2388 if (!(ct->status & IPS_NAT_MASK))
2389 return;
2390
2391 nf_ct_tcp_seqadj_set(skb, ct, ctinfo, diff);
2392}
2393
2394static struct nfnl_ct_hook ctnetlink_glue_hook = {
2395 .get_ct = ctnetlink_glue_get_ct,
2396 .build_size = ctnetlink_glue_build_size,
2397 .build = ctnetlink_glue_build,
2398 .parse = ctnetlink_glue_parse,
2399 .attach_expect = ctnetlink_glue_attach_expect,
2400 .seq_adjust = ctnetlink_glue_seqadj,
2401};
2402#endif
2403
2404
2405
2406
2407
2408static inline int
2409ctnetlink_exp_dump_tuple(struct sk_buff *skb,
2410 const struct nf_conntrack_tuple *tuple,
2411 enum ctattr_expect type)
2412{
2413 struct nlattr *nest_parms;
2414
2415 nest_parms = nla_nest_start(skb, type | NLA_F_NESTED);
2416 if (!nest_parms)
2417 goto nla_put_failure;
2418 if (ctnetlink_dump_tuples(skb, tuple) < 0)
2419 goto nla_put_failure;
2420 nla_nest_end(skb, nest_parms);
2421
2422 return 0;
2423
2424nla_put_failure:
2425 return -1;
2426}
2427
2428static inline int
2429ctnetlink_exp_dump_mask(struct sk_buff *skb,
2430 const struct nf_conntrack_tuple *tuple,
2431 const struct nf_conntrack_tuple_mask *mask)
2432{
2433 int ret;
2434 struct nf_conntrack_l3proto *l3proto;
2435 struct nf_conntrack_l4proto *l4proto;
2436 struct nf_conntrack_tuple m;
2437 struct nlattr *nest_parms;
2438
2439 memset(&m, 0xFF, sizeof(m));
2440 memcpy(&m.src.u3, &mask->src.u3, sizeof(m.src.u3));
2441 m.src.u.all = mask->src.u.all;
2442 m.dst.protonum = tuple->dst.protonum;
2443
2444 nest_parms = nla_nest_start(skb, CTA_EXPECT_MASK | NLA_F_NESTED);
2445 if (!nest_parms)
2446 goto nla_put_failure;
2447
2448 rcu_read_lock();
2449 l3proto = __nf_ct_l3proto_find(tuple->src.l3num);
2450 ret = ctnetlink_dump_tuples_ip(skb, &m, l3proto);
2451 if (ret >= 0) {
2452 l4proto = __nf_ct_l4proto_find(tuple->src.l3num,
2453 tuple->dst.protonum);
2454 ret = ctnetlink_dump_tuples_proto(skb, &m, l4proto);
2455 }
2456 rcu_read_unlock();
2457
2458 if (unlikely(ret < 0))
2459 goto nla_put_failure;
2460
2461 nla_nest_end(skb, nest_parms);
2462
2463 return 0;
2464
2465nla_put_failure:
2466 return -1;
2467}
2468
2469static const union nf_inet_addr any_addr;
2470
2471static int
2472ctnetlink_exp_dump_expect(struct sk_buff *skb,
2473 const struct nf_conntrack_expect *exp)
2474{
2475 struct nf_conn *master = exp->master;
2476 long timeout = ((long)exp->timeout.expires - (long)jiffies) / HZ;
2477 struct nf_conn_help *help;
2478#ifdef CONFIG_NF_NAT_NEEDED
2479 struct nlattr *nest_parms;
2480 struct nf_conntrack_tuple nat_tuple = {};
2481#endif
2482 struct nf_ct_helper_expectfn *expfn;
2483
2484 if (timeout < 0)
2485 timeout = 0;
2486
2487 if (ctnetlink_exp_dump_tuple(skb, &exp->tuple, CTA_EXPECT_TUPLE) < 0)
2488 goto nla_put_failure;
2489 if (ctnetlink_exp_dump_mask(skb, &exp->tuple, &exp->mask) < 0)
2490 goto nla_put_failure;
2491 if (ctnetlink_exp_dump_tuple(skb,
2492 &master->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
2493 CTA_EXPECT_MASTER) < 0)
2494 goto nla_put_failure;
2495
2496#ifdef CONFIG_NF_NAT_NEEDED
2497 if (!nf_inet_addr_cmp(&exp->saved_addr, &any_addr) ||
2498 exp->saved_proto.all) {
2499 nest_parms = nla_nest_start(skb, CTA_EXPECT_NAT | NLA_F_NESTED);
2500 if (!nest_parms)
2501 goto nla_put_failure;
2502
2503 if (nla_put_be32(skb, CTA_EXPECT_NAT_DIR, htonl(exp->dir)))
2504 goto nla_put_failure;
2505
2506 nat_tuple.src.l3num = nf_ct_l3num(master);
2507 nat_tuple.src.u3 = exp->saved_addr;
2508 nat_tuple.dst.protonum = nf_ct_protonum(master);
2509 nat_tuple.src.u = exp->saved_proto;
2510
2511 if (ctnetlink_exp_dump_tuple(skb, &nat_tuple,
2512 CTA_EXPECT_NAT_TUPLE) < 0)
2513 goto nla_put_failure;
2514 nla_nest_end(skb, nest_parms);
2515 }
2516#endif
2517 if (nla_put_be32(skb, CTA_EXPECT_TIMEOUT, htonl(timeout)) ||
2518 nla_put_be32(skb, CTA_EXPECT_ID, htonl((unsigned long)exp)) ||
2519 nla_put_be32(skb, CTA_EXPECT_FLAGS, htonl(exp->flags)) ||
2520 nla_put_be32(skb, CTA_EXPECT_CLASS, htonl(exp->class)))
2521 goto nla_put_failure;
2522 help = nfct_help(master);
2523 if (help) {
2524 struct nf_conntrack_helper *helper;
2525
2526 helper = rcu_dereference(help->helper);
2527 if (helper &&
2528 nla_put_string(skb, CTA_EXPECT_HELP_NAME, helper->name))
2529 goto nla_put_failure;
2530 }
2531 expfn = nf_ct_helper_expectfn_find_by_symbol(exp->expectfn);
2532 if (expfn != NULL &&
2533 nla_put_string(skb, CTA_EXPECT_FN, expfn->name))
2534 goto nla_put_failure;
2535
2536 return 0;
2537
2538nla_put_failure:
2539 return -1;
2540}
2541
2542static int
2543ctnetlink_exp_fill_info(struct sk_buff *skb, u32 portid, u32 seq,
2544 int event, const struct nf_conntrack_expect *exp)
2545{
2546 struct nlmsghdr *nlh;
2547 struct nfgenmsg *nfmsg;
2548 unsigned int flags = portid ? NLM_F_MULTI : 0;
2549
2550 event |= NFNL_SUBSYS_CTNETLINK_EXP << 8;
2551 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
2552 if (nlh == NULL)
2553 goto nlmsg_failure;
2554
2555 nfmsg = nlmsg_data(nlh);
2556 nfmsg->nfgen_family = exp->tuple.src.l3num;
2557 nfmsg->version = NFNETLINK_V0;
2558 nfmsg->res_id = 0;
2559
2560 if (ctnetlink_exp_dump_expect(skb, exp) < 0)
2561 goto nla_put_failure;
2562
2563 nlmsg_end(skb, nlh);
2564 return skb->len;
2565
2566nlmsg_failure:
2567nla_put_failure:
2568 nlmsg_cancel(skb, nlh);
2569 return -1;
2570}
2571
2572#ifdef CONFIG_NF_CONNTRACK_EVENTS
2573static int
2574ctnetlink_expect_event(unsigned int events, struct nf_exp_event *item)
2575{
2576 struct nf_conntrack_expect *exp = item->exp;
2577 struct net *net = nf_ct_exp_net(exp);
2578 struct nlmsghdr *nlh;
2579 struct nfgenmsg *nfmsg;
2580 struct sk_buff *skb;
2581 unsigned int type, group;
2582 int flags = 0;
2583
2584 if (events & (1 << IPEXP_DESTROY)) {
2585 type = IPCTNL_MSG_EXP_DELETE;
2586 group = NFNLGRP_CONNTRACK_EXP_DESTROY;
2587 } else if (events & (1 << IPEXP_NEW)) {
2588 type = IPCTNL_MSG_EXP_NEW;
2589 flags = NLM_F_CREATE|NLM_F_EXCL;
2590 group = NFNLGRP_CONNTRACK_EXP_NEW;
2591 } else
2592 return 0;
2593
2594 if (!item->report && !nfnetlink_has_listeners(net, group))
2595 return 0;
2596
2597 skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
2598 if (skb == NULL)
2599 goto errout;
2600
2601 type |= NFNL_SUBSYS_CTNETLINK_EXP << 8;
2602 nlh = nlmsg_put(skb, item->portid, 0, type, sizeof(*nfmsg), flags);
2603 if (nlh == NULL)
2604 goto nlmsg_failure;
2605
2606 nfmsg = nlmsg_data(nlh);
2607 nfmsg->nfgen_family = exp->tuple.src.l3num;
2608 nfmsg->version = NFNETLINK_V0;
2609 nfmsg->res_id = 0;
2610
2611 rcu_read_lock();
2612 if (ctnetlink_exp_dump_expect(skb, exp) < 0)
2613 goto nla_put_failure;
2614 rcu_read_unlock();
2615
2616 nlmsg_end(skb, nlh);
2617 nfnetlink_send(skb, net, item->portid, group, item->report, GFP_ATOMIC);
2618 return 0;
2619
2620nla_put_failure:
2621 rcu_read_unlock();
2622 nlmsg_cancel(skb, nlh);
2623nlmsg_failure:
2624 kfree_skb(skb);
2625errout:
2626 nfnetlink_set_err(net, 0, 0, -ENOBUFS);
2627 return 0;
2628}
2629#endif
2630static int ctnetlink_exp_done(struct netlink_callback *cb)
2631{
2632 if (cb->args[1])
2633 nf_ct_expect_put((struct nf_conntrack_expect *)cb->args[1]);
2634 return 0;
2635}
2636
2637static int
2638ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
2639{
2640 struct net *net = sock_net(skb->sk);
2641 struct nf_conntrack_expect *exp, *last;
2642 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2643 u_int8_t l3proto = nfmsg->nfgen_family;
2644
2645 rcu_read_lock();
2646 last = (struct nf_conntrack_expect *)cb->args[1];
2647 for (; cb->args[0] < nf_ct_expect_hsize; cb->args[0]++) {
2648restart:
2649 hlist_for_each_entry(exp, &net->ct.expect_hash[cb->args[0]],
2650 hnode) {
2651 if (l3proto && exp->tuple.src.l3num != l3proto)
2652 continue;
2653 if (cb->args[1]) {
2654 if (exp != last)
2655 continue;
2656 cb->args[1] = 0;
2657 }
2658 if (ctnetlink_exp_fill_info(skb,
2659 NETLINK_CB(cb->skb).portid,
2660 cb->nlh->nlmsg_seq,
2661 IPCTNL_MSG_EXP_NEW,
2662 exp) < 0) {
2663 if (!atomic_inc_not_zero(&exp->use))
2664 continue;
2665 cb->args[1] = (unsigned long)exp;
2666 goto out;
2667 }
2668 }
2669 if (cb->args[1]) {
2670 cb->args[1] = 0;
2671 goto restart;
2672 }
2673 }
2674out:
2675 rcu_read_unlock();
2676 if (last)
2677 nf_ct_expect_put(last);
2678
2679 return skb->len;
2680}
2681
2682static int
2683ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
2684{
2685 struct nf_conntrack_expect *exp, *last;
2686 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2687 struct nf_conn *ct = cb->data;
2688 struct nf_conn_help *help = nfct_help(ct);
2689 u_int8_t l3proto = nfmsg->nfgen_family;
2690
2691 if (cb->args[0])
2692 return 0;
2693
2694 rcu_read_lock();
2695 last = (struct nf_conntrack_expect *)cb->args[1];
2696restart:
2697 hlist_for_each_entry(exp, &help->expectations, lnode) {
2698 if (l3proto && exp->tuple.src.l3num != l3proto)
2699 continue;
2700 if (cb->args[1]) {
2701 if (exp != last)
2702 continue;
2703 cb->args[1] = 0;
2704 }
2705 if (ctnetlink_exp_fill_info(skb, NETLINK_CB(cb->skb).portid,
2706 cb->nlh->nlmsg_seq,
2707 IPCTNL_MSG_EXP_NEW,
2708 exp) < 0) {
2709 if (!atomic_inc_not_zero(&exp->use))
2710 continue;
2711 cb->args[1] = (unsigned long)exp;
2712 goto out;
2713 }
2714 }
2715 if (cb->args[1]) {
2716 cb->args[1] = 0;
2717 goto restart;
2718 }
2719 cb->args[0] = 1;
2720out:
2721 rcu_read_unlock();
2722 if (last)
2723 nf_ct_expect_put(last);
2724
2725 return skb->len;
2726}
2727
2728static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl,
2729 struct sk_buff *skb,
2730 const struct nlmsghdr *nlh,
2731 const struct nlattr * const cda[])
2732{
2733 int err;
2734 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2735 u_int8_t u3 = nfmsg->nfgen_family;
2736 struct nf_conntrack_tuple tuple;
2737 struct nf_conntrack_tuple_hash *h;
2738 struct nf_conn *ct;
2739 struct nf_conntrack_zone zone;
2740 struct netlink_dump_control c = {
2741 .dump = ctnetlink_exp_ct_dump_table,
2742 .done = ctnetlink_exp_done,
2743 };
2744
2745 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER,
2746 u3, NULL);
2747 if (err < 0)
2748 return err;
2749
2750 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
2751 if (err < 0)
2752 return err;
2753
2754 h = nf_conntrack_find_get(net, &zone, &tuple);
2755 if (!h)
2756 return -ENOENT;
2757
2758 ct = nf_ct_tuplehash_to_ctrack(h);
2759 c.data = ct;
2760
2761 err = netlink_dump_start(ctnl, skb, nlh, &c);
2762 nf_ct_put(ct);
2763
2764 return err;
2765}
2766
2767static int ctnetlink_get_expect(struct net *net, struct sock *ctnl,
2768 struct sk_buff *skb, const struct nlmsghdr *nlh,
2769 const struct nlattr * const cda[])
2770{
2771 struct nf_conntrack_tuple tuple;
2772 struct nf_conntrack_expect *exp;
2773 struct sk_buff *skb2;
2774 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2775 u_int8_t u3 = nfmsg->nfgen_family;
2776 struct nf_conntrack_zone zone;
2777 int err;
2778
2779 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2780 if (cda[CTA_EXPECT_MASTER])
2781 return ctnetlink_dump_exp_ct(net, ctnl, skb, nlh, cda);
2782 else {
2783 struct netlink_dump_control c = {
2784 .dump = ctnetlink_exp_dump_table,
2785 .done = ctnetlink_exp_done,
2786 };
2787 return netlink_dump_start(ctnl, skb, nlh, &c);
2788 }
2789 }
2790
2791 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
2792 if (err < 0)
2793 return err;
2794
2795 if (cda[CTA_EXPECT_TUPLE])
2796 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE,
2797 u3, NULL);
2798 else if (cda[CTA_EXPECT_MASTER])
2799 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER,
2800 u3, NULL);
2801 else
2802 return -EINVAL;
2803
2804 if (err < 0)
2805 return err;
2806
2807 exp = nf_ct_expect_find_get(net, &zone, &tuple);
2808 if (!exp)
2809 return -ENOENT;
2810
2811 if (cda[CTA_EXPECT_ID]) {
2812 __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);
2813 if (ntohl(id) != (u32)(unsigned long)exp) {
2814 nf_ct_expect_put(exp);
2815 return -ENOENT;
2816 }
2817 }
2818
2819 err = -ENOMEM;
2820 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2821 if (skb2 == NULL) {
2822 nf_ct_expect_put(exp);
2823 goto out;
2824 }
2825
2826 rcu_read_lock();
2827 err = ctnetlink_exp_fill_info(skb2, NETLINK_CB(skb).portid,
2828 nlh->nlmsg_seq, IPCTNL_MSG_EXP_NEW, exp);
2829 rcu_read_unlock();
2830 nf_ct_expect_put(exp);
2831 if (err <= 0)
2832 goto free;
2833
2834 err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
2835 if (err < 0)
2836 goto out;
2837
2838 return 0;
2839
2840free:
2841 kfree_skb(skb2);
2842out:
2843
2844 return err == -EAGAIN ? -ENOBUFS : err;
2845}
2846
2847static int ctnetlink_del_expect(struct net *net, struct sock *ctnl,
2848 struct sk_buff *skb, const struct nlmsghdr *nlh,
2849 const struct nlattr * const cda[])
2850{
2851 struct nf_conntrack_expect *exp;
2852 struct nf_conntrack_tuple tuple;
2853 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2854 struct hlist_node *next;
2855 u_int8_t u3 = nfmsg->nfgen_family;
2856 struct nf_conntrack_zone zone;
2857 unsigned int i;
2858 int err;
2859
2860 if (cda[CTA_EXPECT_TUPLE]) {
2861
2862 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
2863 if (err < 0)
2864 return err;
2865
2866 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE,
2867 u3, NULL);
2868 if (err < 0)
2869 return err;
2870
2871
2872 exp = nf_ct_expect_find_get(net, &zone, &tuple);
2873 if (!exp)
2874 return -ENOENT;
2875
2876 if (cda[CTA_EXPECT_ID]) {
2877 __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);
2878 if (ntohl(id) != (u32)(unsigned long)exp) {
2879 nf_ct_expect_put(exp);
2880 return -ENOENT;
2881 }
2882 }
2883
2884
2885 spin_lock_bh(&nf_conntrack_expect_lock);
2886 if (del_timer(&exp->timeout)) {
2887 nf_ct_unlink_expect_report(exp, NETLINK_CB(skb).portid,
2888 nlmsg_report(nlh));
2889 nf_ct_expect_put(exp);
2890 }
2891 spin_unlock_bh(&nf_conntrack_expect_lock);
2892
2893
2894 nf_ct_expect_put(exp);
2895 } else if (cda[CTA_EXPECT_HELP_NAME]) {
2896 char *name = nla_data(cda[CTA_EXPECT_HELP_NAME]);
2897 struct nf_conn_help *m_help;
2898
2899
2900 spin_lock_bh(&nf_conntrack_expect_lock);
2901 for (i = 0; i < nf_ct_expect_hsize; i++) {
2902 hlist_for_each_entry_safe(exp, next,
2903 &net->ct.expect_hash[i],
2904 hnode) {
2905 m_help = nfct_help(exp->master);
2906 if (!strcmp(m_help->helper->name, name) &&
2907 del_timer(&exp->timeout)) {
2908 nf_ct_unlink_expect_report(exp,
2909 NETLINK_CB(skb).portid,
2910 nlmsg_report(nlh));
2911 nf_ct_expect_put(exp);
2912 }
2913 }
2914 }
2915 spin_unlock_bh(&nf_conntrack_expect_lock);
2916 } else {
2917
2918 spin_lock_bh(&nf_conntrack_expect_lock);
2919 for (i = 0; i < nf_ct_expect_hsize; i++) {
2920 hlist_for_each_entry_safe(exp, next,
2921 &net->ct.expect_hash[i],
2922 hnode) {
2923 if (del_timer(&exp->timeout)) {
2924 nf_ct_unlink_expect_report(exp,
2925 NETLINK_CB(skb).portid,
2926 nlmsg_report(nlh));
2927 nf_ct_expect_put(exp);
2928 }
2929 }
2930 }
2931 spin_unlock_bh(&nf_conntrack_expect_lock);
2932 }
2933
2934 return 0;
2935}
2936static int
2937ctnetlink_change_expect(struct nf_conntrack_expect *x,
2938 const struct nlattr * const cda[])
2939{
2940 if (cda[CTA_EXPECT_TIMEOUT]) {
2941 if (!del_timer(&x->timeout))
2942 return -ETIME;
2943
2944 x->timeout.expires = jiffies +
2945 ntohl(nla_get_be32(cda[CTA_EXPECT_TIMEOUT])) * HZ;
2946 add_timer(&x->timeout);
2947 }
2948 return 0;
2949}
2950
2951static const struct nla_policy exp_nat_nla_policy[CTA_EXPECT_NAT_MAX+1] = {
2952 [CTA_EXPECT_NAT_DIR] = { .type = NLA_U32 },
2953 [CTA_EXPECT_NAT_TUPLE] = { .type = NLA_NESTED },
2954};
2955
2956static int
2957ctnetlink_parse_expect_nat(const struct nlattr *attr,
2958 struct nf_conntrack_expect *exp,
2959 u_int8_t u3)
2960{
2961#ifdef CONFIG_NF_NAT_NEEDED
2962 struct nlattr *tb[CTA_EXPECT_NAT_MAX+1];
2963 struct nf_conntrack_tuple nat_tuple = {};
2964 int err;
2965
2966 err = nla_parse_nested(tb, CTA_EXPECT_NAT_MAX, attr, exp_nat_nla_policy);
2967 if (err < 0)
2968 return err;
2969
2970 if (!tb[CTA_EXPECT_NAT_DIR] || !tb[CTA_EXPECT_NAT_TUPLE])
2971 return -EINVAL;
2972
2973 err = ctnetlink_parse_tuple((const struct nlattr * const *)tb,
2974 &nat_tuple, CTA_EXPECT_NAT_TUPLE,
2975 u3, NULL);
2976 if (err < 0)
2977 return err;
2978
2979 exp->saved_addr = nat_tuple.src.u3;
2980 exp->saved_proto = nat_tuple.src.u;
2981 exp->dir = ntohl(nla_get_be32(tb[CTA_EXPECT_NAT_DIR]));
2982
2983 return 0;
2984#else
2985 return -EOPNOTSUPP;
2986#endif
2987}
2988
2989static struct nf_conntrack_expect *
2990ctnetlink_alloc_expect(const struct nlattr * const cda[], struct nf_conn *ct,
2991 struct nf_conntrack_helper *helper,
2992 struct nf_conntrack_tuple *tuple,
2993 struct nf_conntrack_tuple *mask)
2994{
2995 u_int32_t class = 0;
2996 struct nf_conntrack_expect *exp;
2997 struct nf_conn_help *help;
2998 int err;
2999
3000 if (cda[CTA_EXPECT_CLASS] && helper) {
3001 class = ntohl(nla_get_be32(cda[CTA_EXPECT_CLASS]));
3002 if (class > helper->expect_class_max)
3003 return ERR_PTR(-EINVAL);
3004 }
3005 exp = nf_ct_expect_alloc(ct);
3006 if (!exp)
3007 return ERR_PTR(-ENOMEM);
3008
3009 help = nfct_help(ct);
3010 if (!help) {
3011 if (!cda[CTA_EXPECT_TIMEOUT]) {
3012 err = -EINVAL;
3013 goto err_out;
3014 }
3015 exp->timeout.expires =
3016 jiffies + ntohl(nla_get_be32(cda[CTA_EXPECT_TIMEOUT])) * HZ;
3017
3018 exp->flags = NF_CT_EXPECT_USERSPACE;
3019 if (cda[CTA_EXPECT_FLAGS]) {
3020 exp->flags |=
3021 ntohl(nla_get_be32(cda[CTA_EXPECT_FLAGS]));
3022 }
3023 } else {
3024 if (cda[CTA_EXPECT_FLAGS]) {
3025 exp->flags = ntohl(nla_get_be32(cda[CTA_EXPECT_FLAGS]));
3026 exp->flags &= ~NF_CT_EXPECT_USERSPACE;
3027 } else
3028 exp->flags = 0;
3029 }
3030 if (cda[CTA_EXPECT_FN]) {
3031 const char *name = nla_data(cda[CTA_EXPECT_FN]);
3032 struct nf_ct_helper_expectfn *expfn;
3033
3034 expfn = nf_ct_helper_expectfn_find_by_name(name);
3035 if (expfn == NULL) {
3036 err = -EINVAL;
3037 goto err_out;
3038 }
3039 exp->expectfn = expfn->expectfn;
3040 } else
3041 exp->expectfn = NULL;
3042
3043 exp->class = class;
3044 exp->master = ct;
3045 exp->helper = helper;
3046 exp->tuple = *tuple;
3047 exp->mask.src.u3 = mask->src.u3;
3048 exp->mask.src.u.all = mask->src.u.all;
3049
3050 if (cda[CTA_EXPECT_NAT]) {
3051 err = ctnetlink_parse_expect_nat(cda[CTA_EXPECT_NAT],
3052 exp, nf_ct_l3num(ct));
3053 if (err < 0)
3054 goto err_out;
3055 }
3056 return exp;
3057err_out:
3058 nf_ct_expect_put(exp);
3059 return ERR_PTR(err);
3060}
3061
3062static int
3063ctnetlink_create_expect(struct net *net,
3064 const struct nf_conntrack_zone *zone,
3065 const struct nlattr * const cda[],
3066 u_int8_t u3, u32 portid, int report)
3067{
3068 struct nf_conntrack_tuple tuple, mask, master_tuple;
3069 struct nf_conntrack_tuple_hash *h = NULL;
3070 struct nf_conntrack_helper *helper = NULL;
3071 struct nf_conntrack_expect *exp;
3072 struct nf_conn *ct;
3073 int err;
3074
3075
3076 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE,
3077 u3, NULL);
3078 if (err < 0)
3079 return err;
3080 err = ctnetlink_parse_tuple(cda, &mask, CTA_EXPECT_MASK,
3081 u3, NULL);
3082 if (err < 0)
3083 return err;
3084 err = ctnetlink_parse_tuple(cda, &master_tuple, CTA_EXPECT_MASTER,
3085 u3, NULL);
3086 if (err < 0)
3087 return err;
3088
3089
3090 h = nf_conntrack_find_get(net, zone, &master_tuple);
3091 if (!h)
3092 return -ENOENT;
3093 ct = nf_ct_tuplehash_to_ctrack(h);
3094
3095 if (cda[CTA_EXPECT_HELP_NAME]) {
3096 const char *helpname = nla_data(cda[CTA_EXPECT_HELP_NAME]);
3097
3098 helper = __nf_conntrack_helper_find(helpname, u3,
3099 nf_ct_protonum(ct));
3100 if (helper == NULL) {
3101#ifdef CONFIG_MODULES
3102 if (request_module("nfct-helper-%s", helpname) < 0) {
3103 err = -EOPNOTSUPP;
3104 goto err_ct;
3105 }
3106 helper = __nf_conntrack_helper_find(helpname, u3,
3107 nf_ct_protonum(ct));
3108 if (helper) {
3109 err = -EAGAIN;
3110 goto err_ct;
3111 }
3112#endif
3113 err = -EOPNOTSUPP;
3114 goto err_ct;
3115 }
3116 }
3117
3118 exp = ctnetlink_alloc_expect(cda, ct, helper, &tuple, &mask);
3119 if (IS_ERR(exp)) {
3120 err = PTR_ERR(exp);
3121 goto err_ct;
3122 }
3123
3124 err = nf_ct_expect_related_report(exp, portid, report);
3125 nf_ct_expect_put(exp);
3126err_ct:
3127 nf_ct_put(ct);
3128 return err;
3129}
3130
3131static int ctnetlink_new_expect(struct net *net, struct sock *ctnl,
3132 struct sk_buff *skb, const struct nlmsghdr *nlh,
3133 const struct nlattr * const cda[])
3134{
3135 struct nf_conntrack_tuple tuple;
3136 struct nf_conntrack_expect *exp;
3137 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3138 u_int8_t u3 = nfmsg->nfgen_family;
3139 struct nf_conntrack_zone zone;
3140 int err;
3141
3142 if (!cda[CTA_EXPECT_TUPLE]
3143 || !cda[CTA_EXPECT_MASK]
3144 || !cda[CTA_EXPECT_MASTER])
3145 return -EINVAL;
3146
3147 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
3148 if (err < 0)
3149 return err;
3150
3151 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE,
3152 u3, NULL);
3153 if (err < 0)
3154 return err;
3155
3156 spin_lock_bh(&nf_conntrack_expect_lock);
3157 exp = __nf_ct_expect_find(net, &zone, &tuple);
3158 if (!exp) {
3159 spin_unlock_bh(&nf_conntrack_expect_lock);
3160 err = -ENOENT;
3161 if (nlh->nlmsg_flags & NLM_F_CREATE) {
3162 err = ctnetlink_create_expect(net, &zone, cda, u3,
3163 NETLINK_CB(skb).portid,
3164 nlmsg_report(nlh));
3165 }
3166 return err;
3167 }
3168
3169 err = -EEXIST;
3170 if (!(nlh->nlmsg_flags & NLM_F_EXCL))
3171 err = ctnetlink_change_expect(exp, cda);
3172 spin_unlock_bh(&nf_conntrack_expect_lock);
3173
3174 return err;
3175}
3176
3177static int
3178ctnetlink_exp_stat_fill_info(struct sk_buff *skb, u32 portid, u32 seq, int cpu,
3179 const struct ip_conntrack_stat *st)
3180{
3181 struct nlmsghdr *nlh;
3182 struct nfgenmsg *nfmsg;
3183 unsigned int flags = portid ? NLM_F_MULTI : 0, event;
3184
3185 event = (NFNL_SUBSYS_CTNETLINK << 8 | IPCTNL_MSG_EXP_GET_STATS_CPU);
3186 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
3187 if (nlh == NULL)
3188 goto nlmsg_failure;
3189
3190 nfmsg = nlmsg_data(nlh);
3191 nfmsg->nfgen_family = AF_UNSPEC;
3192 nfmsg->version = NFNETLINK_V0;
3193 nfmsg->res_id = htons(cpu);
3194
3195 if (nla_put_be32(skb, CTA_STATS_EXP_NEW, htonl(st->expect_new)) ||
3196 nla_put_be32(skb, CTA_STATS_EXP_CREATE, htonl(st->expect_create)) ||
3197 nla_put_be32(skb, CTA_STATS_EXP_DELETE, htonl(st->expect_delete)))
3198 goto nla_put_failure;
3199
3200 nlmsg_end(skb, nlh);
3201 return skb->len;
3202
3203nla_put_failure:
3204nlmsg_failure:
3205 nlmsg_cancel(skb, nlh);
3206 return -1;
3207}
3208
3209static int
3210ctnetlink_exp_stat_cpu_dump(struct sk_buff *skb, struct netlink_callback *cb)
3211{
3212 int cpu;
3213 struct net *net = sock_net(skb->sk);
3214
3215 if (cb->args[0] == nr_cpu_ids)
3216 return 0;
3217
3218 for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) {
3219 const struct ip_conntrack_stat *st;
3220
3221 if (!cpu_possible(cpu))
3222 continue;
3223
3224 st = per_cpu_ptr(net->ct.stat, cpu);
3225 if (ctnetlink_exp_stat_fill_info(skb, NETLINK_CB(cb->skb).portid,
3226 cb->nlh->nlmsg_seq,
3227 cpu, st) < 0)
3228 break;
3229 }
3230 cb->args[0] = cpu;
3231
3232 return skb->len;
3233}
3234
3235static int ctnetlink_stat_exp_cpu(struct net *net, struct sock *ctnl,
3236 struct sk_buff *skb,
3237 const struct nlmsghdr *nlh,
3238 const struct nlattr * const cda[])
3239{
3240 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3241 struct netlink_dump_control c = {
3242 .dump = ctnetlink_exp_stat_cpu_dump,
3243 };
3244 return netlink_dump_start(ctnl, skb, nlh, &c);
3245 }
3246
3247 return 0;
3248}
3249
3250#ifdef CONFIG_NF_CONNTRACK_EVENTS
3251static struct nf_ct_event_notifier ctnl_notifier = {
3252 .fcn = ctnetlink_conntrack_event,
3253};
3254
3255static struct nf_exp_event_notifier ctnl_notifier_exp = {
3256 .fcn = ctnetlink_expect_event,
3257};
3258#endif
3259
3260static const struct nfnl_callback ctnl_cb[IPCTNL_MSG_MAX] = {
3261 [IPCTNL_MSG_CT_NEW] = { .call = ctnetlink_new_conntrack,
3262 .attr_count = CTA_MAX,
3263 .policy = ct_nla_policy },
3264 [IPCTNL_MSG_CT_GET] = { .call = ctnetlink_get_conntrack,
3265 .attr_count = CTA_MAX,
3266 .policy = ct_nla_policy },
3267 [IPCTNL_MSG_CT_DELETE] = { .call = ctnetlink_del_conntrack,
3268 .attr_count = CTA_MAX,
3269 .policy = ct_nla_policy },
3270 [IPCTNL_MSG_CT_GET_CTRZERO] = { .call = ctnetlink_get_conntrack,
3271 .attr_count = CTA_MAX,
3272 .policy = ct_nla_policy },
3273 [IPCTNL_MSG_CT_GET_STATS_CPU] = { .call = ctnetlink_stat_ct_cpu },
3274 [IPCTNL_MSG_CT_GET_STATS] = { .call = ctnetlink_stat_ct },
3275 [IPCTNL_MSG_CT_GET_DYING] = { .call = ctnetlink_get_ct_dying },
3276 [IPCTNL_MSG_CT_GET_UNCONFIRMED] = { .call = ctnetlink_get_ct_unconfirmed },
3277};
3278
3279static const struct nfnl_callback ctnl_exp_cb[IPCTNL_MSG_EXP_MAX] = {
3280 [IPCTNL_MSG_EXP_GET] = { .call = ctnetlink_get_expect,
3281 .attr_count = CTA_EXPECT_MAX,
3282 .policy = exp_nla_policy },
3283 [IPCTNL_MSG_EXP_NEW] = { .call = ctnetlink_new_expect,
3284 .attr_count = CTA_EXPECT_MAX,
3285 .policy = exp_nla_policy },
3286 [IPCTNL_MSG_EXP_DELETE] = { .call = ctnetlink_del_expect,
3287 .attr_count = CTA_EXPECT_MAX,
3288 .policy = exp_nla_policy },
3289 [IPCTNL_MSG_EXP_GET_STATS_CPU] = { .call = ctnetlink_stat_exp_cpu },
3290};
3291
3292static const struct nfnetlink_subsystem ctnl_subsys = {
3293 .name = "conntrack",
3294 .subsys_id = NFNL_SUBSYS_CTNETLINK,
3295 .cb_count = IPCTNL_MSG_MAX,
3296 .cb = ctnl_cb,
3297};
3298
3299static const struct nfnetlink_subsystem ctnl_exp_subsys = {
3300 .name = "conntrack_expect",
3301 .subsys_id = NFNL_SUBSYS_CTNETLINK_EXP,
3302 .cb_count = IPCTNL_MSG_EXP_MAX,
3303 .cb = ctnl_exp_cb,
3304};
3305
3306MODULE_ALIAS("ip_conntrack_netlink");
3307MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK);
3308MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK_EXP);
3309
3310static int __net_init ctnetlink_net_init(struct net *net)
3311{
3312#ifdef CONFIG_NF_CONNTRACK_EVENTS
3313 int ret;
3314
3315 ret = nf_conntrack_register_notifier(net, &ctnl_notifier);
3316 if (ret < 0) {
3317 pr_err("ctnetlink_init: cannot register notifier.\n");
3318 goto err_out;
3319 }
3320
3321 ret = nf_ct_expect_register_notifier(net, &ctnl_notifier_exp);
3322 if (ret < 0) {
3323 pr_err("ctnetlink_init: cannot expect register notifier.\n");
3324 goto err_unreg_notifier;
3325 }
3326#endif
3327 return 0;
3328
3329#ifdef CONFIG_NF_CONNTRACK_EVENTS
3330err_unreg_notifier:
3331 nf_conntrack_unregister_notifier(net, &ctnl_notifier);
3332err_out:
3333 return ret;
3334#endif
3335}
3336
3337static void ctnetlink_net_exit(struct net *net)
3338{
3339#ifdef CONFIG_NF_CONNTRACK_EVENTS
3340 nf_ct_expect_unregister_notifier(net, &ctnl_notifier_exp);
3341 nf_conntrack_unregister_notifier(net, &ctnl_notifier);
3342#endif
3343}
3344
3345static void __net_exit ctnetlink_net_exit_batch(struct list_head *net_exit_list)
3346{
3347 struct net *net;
3348
3349 list_for_each_entry(net, net_exit_list, exit_list)
3350 ctnetlink_net_exit(net);
3351}
3352
3353static struct pernet_operations ctnetlink_net_ops = {
3354 .init = ctnetlink_net_init,
3355 .exit_batch = ctnetlink_net_exit_batch,
3356};
3357
3358static int __init ctnetlink_init(void)
3359{
3360 int ret;
3361
3362 pr_info("ctnetlink v%s: registering with nfnetlink.\n", version);
3363 ret = nfnetlink_subsys_register(&ctnl_subsys);
3364 if (ret < 0) {
3365 pr_err("ctnetlink_init: cannot register with nfnetlink.\n");
3366 goto err_out;
3367 }
3368
3369 ret = nfnetlink_subsys_register(&ctnl_exp_subsys);
3370 if (ret < 0) {
3371 pr_err("ctnetlink_init: cannot register exp with nfnetlink.\n");
3372 goto err_unreg_subsys;
3373 }
3374
3375 ret = register_pernet_subsys(&ctnetlink_net_ops);
3376 if (ret < 0) {
3377 pr_err("ctnetlink_init: cannot register pernet operations\n");
3378 goto err_unreg_exp_subsys;
3379 }
3380#ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT
3381
3382 RCU_INIT_POINTER(nfnl_ct_hook, &ctnetlink_glue_hook);
3383#endif
3384 return 0;
3385
3386err_unreg_exp_subsys:
3387 nfnetlink_subsys_unregister(&ctnl_exp_subsys);
3388err_unreg_subsys:
3389 nfnetlink_subsys_unregister(&ctnl_subsys);
3390err_out:
3391 return ret;
3392}
3393
3394static void __exit ctnetlink_exit(void)
3395{
3396 pr_info("ctnetlink: unregistering from nfnetlink.\n");
3397
3398 unregister_pernet_subsys(&ctnetlink_net_ops);
3399 nfnetlink_subsys_unregister(&ctnl_exp_subsys);
3400 nfnetlink_subsys_unregister(&ctnl_subsys);
3401#ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT
3402 RCU_INIT_POINTER(nfnl_ct_hook, NULL);
3403#endif
3404}
3405
3406module_init(ctnetlink_init);
3407module_exit(ctnetlink_exit);
3408
