1 /* Connection tracking via netlink socket. Allows for user space
2 * protocol helpers and general trouble making from userspace.
4 * (C) 2001 by Jay Schulist <jschlst@samba.org>
5 * (C) 2002-2006 by Harald Welte <laforge@gnumonks.org>
6 * (C) 2003 by Patrick Mchardy <kaber@trash.net>
7 * (C) 2005-2012 by Pablo Neira Ayuso <pablo@netfilter.org>
9 * Initial connection tracking via netlink development funded and
10 * generally made possible by Network Robots, Inc. (www.networkrobots.com)
12 * Further development of this code funded by Astaro AG (http://www.astaro.com)
14 * This software may be used and distributed according to the terms
15 * of the GNU General Public License, incorporated herein by reference.
18 #include <linux/init.h>
19 #include <linux/module.h>
20 #include <linux/kernel.h>
21 #include <linux/rculist.h>
22 #include <linux/rculist_nulls.h>
23 #include <linux/types.h>
24 #include <linux/timer.h>
25 #include <linux/security.h>
26 #include <linux/skbuff.h>
27 #include <linux/errno.h>
28 #include <linux/netlink.h>
29 #include <linux/spinlock.h>
30 #include <linux/interrupt.h>
31 #include <linux/slab.h>
33 #include <linux/netfilter.h>
34 #include <net/netlink.h>
36 #include <net/netfilter/nf_conntrack.h>
37 #include <net/netfilter/nf_conntrack_core.h>
38 #include <net/netfilter/nf_conntrack_expect.h>
39 #include <net/netfilter/nf_conntrack_helper.h>
40 #include <net/netfilter/nf_conntrack_seqadj.h>
41 #include <net/netfilter/nf_conntrack_l3proto.h>
42 #include <net/netfilter/nf_conntrack_l4proto.h>
43 #include <net/netfilter/nf_conntrack_tuple.h>
44 #include <net/netfilter/nf_conntrack_acct.h>
45 #include <net/netfilter/nf_conntrack_zones.h>
46 #include <net/netfilter/nf_conntrack_timestamp.h>
47 #include <net/netfilter/nf_conntrack_labels.h>
48 #ifdef CONFIG_NF_NAT_NEEDED
49 #include <net/netfilter/nf_nat_core.h>
50 #include <net/netfilter/nf_nat_l4proto.h>
51 #include <net/netfilter/nf_nat_helper.h>
54 #include <linux/netfilter/nfnetlink.h>
55 #include <linux/netfilter/nfnetlink_conntrack.h>
57 MODULE_LICENSE("GPL");
59 static char __initdata version[] = "0.93";
62 ctnetlink_dump_tuples_proto(struct sk_buff *skb,
63 const struct nf_conntrack_tuple *tuple,
64 struct nf_conntrack_l4proto *l4proto)
67 struct nlattr *nest_parms;
69 nest_parms = nla_nest_start(skb, CTA_TUPLE_PROTO | NLA_F_NESTED);
72 if (nla_put_u8(skb, CTA_PROTO_NUM, tuple->dst.protonum))
75 if (likely(l4proto->tuple_to_nlattr))
76 ret = l4proto->tuple_to_nlattr(skb, tuple);
78 nla_nest_end(skb, nest_parms);
87 ctnetlink_dump_tuples_ip(struct sk_buff *skb,
88 const struct nf_conntrack_tuple *tuple,
89 struct nf_conntrack_l3proto *l3proto)
92 struct nlattr *nest_parms;
94 nest_parms = nla_nest_start(skb, CTA_TUPLE_IP | NLA_F_NESTED);
98 if (likely(l3proto->tuple_to_nlattr))
99 ret = l3proto->tuple_to_nlattr(skb, tuple);
101 nla_nest_end(skb, nest_parms);
110 ctnetlink_dump_tuples(struct sk_buff *skb,
111 const struct nf_conntrack_tuple *tuple)
114 struct nf_conntrack_l3proto *l3proto;
115 struct nf_conntrack_l4proto *l4proto;
118 l3proto = __nf_ct_l3proto_find(tuple->src.l3num);
119 ret = ctnetlink_dump_tuples_ip(skb, tuple, l3proto);
122 l4proto = __nf_ct_l4proto_find(tuple->src.l3num,
123 tuple->dst.protonum);
124 ret = ctnetlink_dump_tuples_proto(skb, tuple, l4proto);
131 ctnetlink_dump_status(struct sk_buff *skb, const struct nf_conn *ct)
133 if (nla_put_be32(skb, CTA_STATUS, htonl(ct->status)))
134 goto nla_put_failure;
142 ctnetlink_dump_timeout(struct sk_buff *skb, const struct nf_conn *ct)
144 long timeout = ((long)ct->timeout.expires - (long)jiffies) / HZ;
149 if (nla_put_be32(skb, CTA_TIMEOUT, htonl(timeout)))
150 goto nla_put_failure;
158 ctnetlink_dump_protoinfo(struct sk_buff *skb, struct nf_conn *ct)
160 struct nf_conntrack_l4proto *l4proto;
161 struct nlattr *nest_proto;
164 l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
165 if (!l4proto->to_nlattr)
168 nest_proto = nla_nest_start(skb, CTA_PROTOINFO | NLA_F_NESTED);
170 goto nla_put_failure;
172 ret = l4proto->to_nlattr(skb, nest_proto, ct);
174 nla_nest_end(skb, nest_proto);
183 ctnetlink_dump_helpinfo(struct sk_buff *skb, const struct nf_conn *ct)
185 struct nlattr *nest_helper;
186 const struct nf_conn_help *help = nfct_help(ct);
187 struct nf_conntrack_helper *helper;
192 helper = rcu_dereference(help->helper);
196 nest_helper = nla_nest_start(skb, CTA_HELP | NLA_F_NESTED);
198 goto nla_put_failure;
199 if (nla_put_string(skb, CTA_HELP_NAME, helper->name))
200 goto nla_put_failure;
202 if (helper->to_nlattr)
203 helper->to_nlattr(skb, ct);
205 nla_nest_end(skb, nest_helper);
214 dump_counters(struct sk_buff *skb, u64 pkts, u64 bytes,
215 enum ip_conntrack_dir dir)
217 enum ctattr_type type = dir ? CTA_COUNTERS_REPLY: CTA_COUNTERS_ORIG;
218 struct nlattr *nest_count;
220 nest_count = nla_nest_start(skb, type | NLA_F_NESTED);
222 goto nla_put_failure;
224 if (nla_put_be64(skb, CTA_COUNTERS_PACKETS, cpu_to_be64(pkts)) ||
225 nla_put_be64(skb, CTA_COUNTERS_BYTES, cpu_to_be64(bytes)))
226 goto nla_put_failure;
228 nla_nest_end(skb, nest_count);
237 ctnetlink_dump_counters(struct sk_buff *skb, const struct nf_conn *ct,
238 enum ip_conntrack_dir dir, int type)
240 struct nf_conn_counter *acct;
243 acct = nf_conn_acct_find(ct);
247 if (type == IPCTNL_MSG_CT_GET_CTRZERO) {
248 pkts = atomic64_xchg(&acct[dir].packets, 0);
249 bytes = atomic64_xchg(&acct[dir].bytes, 0);
251 pkts = atomic64_read(&acct[dir].packets);
252 bytes = atomic64_read(&acct[dir].bytes);
254 return dump_counters(skb, pkts, bytes, dir);
258 ctnetlink_dump_timestamp(struct sk_buff *skb, const struct nf_conn *ct)
260 struct nlattr *nest_count;
261 const struct nf_conn_tstamp *tstamp;
263 tstamp = nf_conn_tstamp_find(ct);
267 nest_count = nla_nest_start(skb, CTA_TIMESTAMP | NLA_F_NESTED);
269 goto nla_put_failure;
271 if (nla_put_be64(skb, CTA_TIMESTAMP_START, cpu_to_be64(tstamp->start)) ||
272 (tstamp->stop != 0 && nla_put_be64(skb, CTA_TIMESTAMP_STOP,
273 cpu_to_be64(tstamp->stop))))
274 goto nla_put_failure;
275 nla_nest_end(skb, nest_count);
283 #ifdef CONFIG_NF_CONNTRACK_MARK
285 ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct)
287 if (nla_put_be32(skb, CTA_MARK, htonl(ct->mark)))
288 goto nla_put_failure;
295 #define ctnetlink_dump_mark(a, b) (0)
298 #ifdef CONFIG_NF_CONNTRACK_SECMARK
300 ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
302 struct nlattr *nest_secctx;
306 ret = security_secid_to_secctx(ct->secmark, &secctx, &len);
311 nest_secctx = nla_nest_start(skb, CTA_SECCTX | NLA_F_NESTED);
313 goto nla_put_failure;
315 if (nla_put_string(skb, CTA_SECCTX_NAME, secctx))
316 goto nla_put_failure;
317 nla_nest_end(skb, nest_secctx);
321 security_release_secctx(secctx, len);
325 #define ctnetlink_dump_secctx(a, b) (0)
328 #ifdef CONFIG_NF_CONNTRACK_LABELS
329 static int ctnetlink_label_size(const struct nf_conn *ct)
331 struct nf_conn_labels *labels = nf_ct_labels_find(ct);
335 return nla_total_size(labels->words * sizeof(long));
339 ctnetlink_dump_labels(struct sk_buff *skb, const struct nf_conn *ct)
341 struct nf_conn_labels *labels = nf_ct_labels_find(ct);
347 len = labels->words * sizeof(long);
350 if (labels->bits[i] != 0)
351 return nla_put(skb, CTA_LABELS, len, labels->bits);
353 } while (i < labels->words);
358 #define ctnetlink_dump_labels(a, b) (0)
359 #define ctnetlink_label_size(a) (0)
362 #define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple)
365 ctnetlink_dump_master(struct sk_buff *skb, const struct nf_conn *ct)
367 struct nlattr *nest_parms;
369 if (!(ct->status & IPS_EXPECTED))
372 nest_parms = nla_nest_start(skb, CTA_TUPLE_MASTER | NLA_F_NESTED);
374 goto nla_put_failure;
375 if (ctnetlink_dump_tuples(skb, master_tuple(ct)) < 0)
376 goto nla_put_failure;
377 nla_nest_end(skb, nest_parms);
386 dump_ct_seq_adj(struct sk_buff *skb, const struct nf_ct_seqadj *seq, int type)
388 struct nlattr *nest_parms;
390 nest_parms = nla_nest_start(skb, type | NLA_F_NESTED);
392 goto nla_put_failure;
394 if (nla_put_be32(skb, CTA_SEQADJ_CORRECTION_POS,
395 htonl(seq->correction_pos)) ||
396 nla_put_be32(skb, CTA_SEQADJ_OFFSET_BEFORE,
397 htonl(seq->offset_before)) ||
398 nla_put_be32(skb, CTA_SEQADJ_OFFSET_AFTER,
399 htonl(seq->offset_after)))
400 goto nla_put_failure;
402 nla_nest_end(skb, nest_parms);
411 ctnetlink_dump_ct_seq_adj(struct sk_buff *skb, const struct nf_conn *ct)
413 struct nf_conn_seqadj *seqadj = nfct_seqadj(ct);
414 struct nf_ct_seqadj *seq;
416 if (!(ct->status & IPS_SEQ_ADJUST) || !seqadj)
419 seq = &seqadj->seq[IP_CT_DIR_ORIGINAL];
420 if (dump_ct_seq_adj(skb, seq, CTA_SEQ_ADJ_ORIG) == -1)
423 seq = &seqadj->seq[IP_CT_DIR_REPLY];
424 if (dump_ct_seq_adj(skb, seq, CTA_SEQ_ADJ_REPLY) == -1)
431 ctnetlink_dump_id(struct sk_buff *skb, const struct nf_conn *ct)
433 if (nla_put_be32(skb, CTA_ID, htonl((unsigned long)ct)))
434 goto nla_put_failure;
442 ctnetlink_dump_use(struct sk_buff *skb, const struct nf_conn *ct)
444 if (nla_put_be32(skb, CTA_USE, htonl(atomic_read(&ct->ct_general.use))))
445 goto nla_put_failure;
453 ctnetlink_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
456 struct nlmsghdr *nlh;
457 struct nfgenmsg *nfmsg;
458 struct nlattr *nest_parms;
459 unsigned int flags = portid ? NLM_F_MULTI : 0, event;
461 event = (NFNL_SUBSYS_CTNETLINK << 8 | IPCTNL_MSG_CT_NEW);
462 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
466 nfmsg = nlmsg_data(nlh);
467 nfmsg->nfgen_family = nf_ct_l3num(ct);
468 nfmsg->version = NFNETLINK_V0;
471 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED);
473 goto nla_put_failure;
474 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
475 goto nla_put_failure;
476 nla_nest_end(skb, nest_parms);
478 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY | NLA_F_NESTED);
480 goto nla_put_failure;
481 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
482 goto nla_put_failure;
483 nla_nest_end(skb, nest_parms);
485 if (nf_ct_zone(ct) &&
486 nla_put_be16(skb, CTA_ZONE, htons(nf_ct_zone(ct))))
487 goto nla_put_failure;
489 if (ctnetlink_dump_status(skb, ct) < 0 ||
490 ctnetlink_dump_timeout(skb, ct) < 0 ||
491 ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL, type) < 0 ||
492 ctnetlink_dump_counters(skb, ct, IP_CT_DIR_REPLY, type) < 0 ||
493 ctnetlink_dump_timestamp(skb, ct) < 0 ||
494 ctnetlink_dump_protoinfo(skb, ct) < 0 ||
495 ctnetlink_dump_helpinfo(skb, ct) < 0 ||
496 ctnetlink_dump_mark(skb, ct) < 0 ||
497 ctnetlink_dump_secctx(skb, ct) < 0 ||
498 ctnetlink_dump_labels(skb, ct) < 0 ||
499 ctnetlink_dump_id(skb, ct) < 0 ||
500 ctnetlink_dump_use(skb, ct) < 0 ||
501 ctnetlink_dump_master(skb, ct) < 0 ||
502 ctnetlink_dump_ct_seq_adj(skb, ct) < 0)
503 goto nla_put_failure;
510 nlmsg_cancel(skb, nlh);
515 ctnetlink_proto_size(const struct nf_conn *ct)
517 struct nf_conntrack_l3proto *l3proto;
518 struct nf_conntrack_l4proto *l4proto;
522 l3proto = __nf_ct_l3proto_find(nf_ct_l3num(ct));
523 len += l3proto->nla_size;
525 l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
526 len += l4proto->nla_size;
533 ctnetlink_counters_size(const struct nf_conn *ct)
535 if (!nf_ct_ext_exist(ct, NF_CT_EXT_ACCT))
537 return 2 * nla_total_size(0) /* CTA_COUNTERS_ORIG|REPL */
538 + 2 * nla_total_size(sizeof(uint64_t)) /* CTA_COUNTERS_PACKETS */
539 + 2 * nla_total_size(sizeof(uint64_t)) /* CTA_COUNTERS_BYTES */
544 ctnetlink_secctx_size(const struct nf_conn *ct)
546 #ifdef CONFIG_NF_CONNTRACK_SECMARK
549 ret = security_secid_to_secctx(ct->secmark, NULL, &len);
553 return nla_total_size(0) /* CTA_SECCTX */
554 + nla_total_size(sizeof(char) * len); /* CTA_SECCTX_NAME */
561 ctnetlink_timestamp_size(const struct nf_conn *ct)
563 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP
564 if (!nf_ct_ext_exist(ct, NF_CT_EXT_TSTAMP))
566 return nla_total_size(0) + 2 * nla_total_size(sizeof(uint64_t));
573 ctnetlink_nlmsg_size(const struct nf_conn *ct)
575 return NLMSG_ALIGN(sizeof(struct nfgenmsg))
576 + 3 * nla_total_size(0) /* CTA_TUPLE_ORIG|REPL|MASTER */
577 + 3 * nla_total_size(0) /* CTA_TUPLE_IP */
578 + 3 * nla_total_size(0) /* CTA_TUPLE_PROTO */
579 + 3 * nla_total_size(sizeof(u_int8_t)) /* CTA_PROTO_NUM */
580 + nla_total_size(sizeof(u_int32_t)) /* CTA_ID */
581 + nla_total_size(sizeof(u_int32_t)) /* CTA_STATUS */
582 + ctnetlink_counters_size(ct)
583 + ctnetlink_timestamp_size(ct)
584 + nla_total_size(sizeof(u_int32_t)) /* CTA_TIMEOUT */
585 + nla_total_size(0) /* CTA_PROTOINFO */
586 + nla_total_size(0) /* CTA_HELP */
587 + nla_total_size(NF_CT_HELPER_NAME_LEN) /* CTA_HELP_NAME */
588 + ctnetlink_secctx_size(ct)
589 #ifdef CONFIG_NF_NAT_NEEDED
590 + 2 * nla_total_size(0) /* CTA_NAT_SEQ_ADJ_ORIG|REPL */
591 + 6 * nla_total_size(sizeof(u_int32_t)) /* CTA_NAT_SEQ_OFFSET */
593 #ifdef CONFIG_NF_CONNTRACK_MARK
594 + nla_total_size(sizeof(u_int32_t)) /* CTA_MARK */
596 + ctnetlink_proto_size(ct)
597 + ctnetlink_label_size(ct)
601 #ifdef CONFIG_NF_CONNTRACK_EVENTS
603 ctnetlink_conntrack_event(unsigned int events, struct nf_ct_event *item)
606 struct nlmsghdr *nlh;
607 struct nfgenmsg *nfmsg;
608 struct nlattr *nest_parms;
609 struct nf_conn *ct = item->ct;
612 unsigned int flags = 0, group;
615 /* ignore our fake conntrack entry */
616 if (nf_ct_is_untracked(ct))
619 if (events & (1 << IPCT_DESTROY)) {
620 type = IPCTNL_MSG_CT_DELETE;
621 group = NFNLGRP_CONNTRACK_DESTROY;
622 } else if (events & ((1 << IPCT_NEW) | (1 << IPCT_RELATED))) {
623 type = IPCTNL_MSG_CT_NEW;
624 flags = NLM_F_CREATE|NLM_F_EXCL;
625 group = NFNLGRP_CONNTRACK_NEW;
627 type = IPCTNL_MSG_CT_NEW;
628 group = NFNLGRP_CONNTRACK_UPDATE;
633 if (!item->report && !nfnetlink_has_listeners(net, group))
636 skb = nlmsg_new(ctnetlink_nlmsg_size(ct), GFP_ATOMIC);
640 type |= NFNL_SUBSYS_CTNETLINK << 8;
641 nlh = nlmsg_put(skb, item->portid, 0, type, sizeof(*nfmsg), flags);
645 nfmsg = nlmsg_data(nlh);
646 nfmsg->nfgen_family = nf_ct_l3num(ct);
647 nfmsg->version = NFNETLINK_V0;
651 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED);
653 goto nla_put_failure;
654 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
655 goto nla_put_failure;
656 nla_nest_end(skb, nest_parms);
658 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY | NLA_F_NESTED);
660 goto nla_put_failure;
661 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
662 goto nla_put_failure;
663 nla_nest_end(skb, nest_parms);
665 if (nf_ct_zone(ct) &&
666 nla_put_be16(skb, CTA_ZONE, htons(nf_ct_zone(ct))))
667 goto nla_put_failure;
669 if (ctnetlink_dump_id(skb, ct) < 0)
670 goto nla_put_failure;
672 if (ctnetlink_dump_status(skb, ct) < 0)
673 goto nla_put_failure;
675 if (events & (1 << IPCT_DESTROY)) {
676 if (ctnetlink_dump_counters(skb, ct,
677 IP_CT_DIR_ORIGINAL, type) < 0 ||
678 ctnetlink_dump_counters(skb, ct,
679 IP_CT_DIR_REPLY, type) < 0 ||
680 ctnetlink_dump_timestamp(skb, ct) < 0)
681 goto nla_put_failure;
683 if (ctnetlink_dump_timeout(skb, ct) < 0)
684 goto nla_put_failure;
686 if (events & (1 << IPCT_PROTOINFO)
687 && ctnetlink_dump_protoinfo(skb, ct) < 0)
688 goto nla_put_failure;
690 if ((events & (1 << IPCT_HELPER) || nfct_help(ct))
691 && ctnetlink_dump_helpinfo(skb, ct) < 0)
692 goto nla_put_failure;
694 #ifdef CONFIG_NF_CONNTRACK_SECMARK
695 if ((events & (1 << IPCT_SECMARK) || ct->secmark)
696 && ctnetlink_dump_secctx(skb, ct) < 0)
697 goto nla_put_failure;
699 if (events & (1 << IPCT_LABEL) &&
700 ctnetlink_dump_labels(skb, ct) < 0)
701 goto nla_put_failure;
703 if (events & (1 << IPCT_RELATED) &&
704 ctnetlink_dump_master(skb, ct) < 0)
705 goto nla_put_failure;
707 if (events & (1 << IPCT_SEQADJ) &&
708 ctnetlink_dump_ct_seq_adj(skb, ct) < 0)
709 goto nla_put_failure;
712 #ifdef CONFIG_NF_CONNTRACK_MARK
713 if ((events & (1 << IPCT_MARK) || ct->mark)
714 && ctnetlink_dump_mark(skb, ct) < 0)
715 goto nla_put_failure;
720 err = nfnetlink_send(skb, net, item->portid, group, item->report,
722 if (err == -ENOBUFS || err == -EAGAIN)
729 nlmsg_cancel(skb, nlh);
733 if (nfnetlink_set_err(net, 0, group, -ENOBUFS) > 0)
738 #endif /* CONFIG_NF_CONNTRACK_EVENTS */
740 static int ctnetlink_done(struct netlink_callback *cb)
743 nf_ct_put((struct nf_conn *)cb->args[1]);
749 struct ctnetlink_dump_filter {
757 ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
759 struct net *net = sock_net(skb->sk);
760 struct nf_conn *ct, *last;
761 struct nf_conntrack_tuple_hash *h;
762 struct hlist_nulls_node *n;
763 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
764 u_int8_t l3proto = nfmsg->nfgen_family;
766 #ifdef CONFIG_NF_CONNTRACK_MARK
767 const struct ctnetlink_dump_filter *filter = cb->data;
770 spin_lock_bh(&nf_conntrack_lock);
771 last = (struct nf_conn *)cb->args[1];
772 for (; cb->args[0] < net->ct.htable_size; cb->args[0]++) {
774 hlist_nulls_for_each_entry(h, n, &net->ct.hash[cb->args[0]],
776 if (NF_CT_DIRECTION(h) != IP_CT_DIR_ORIGINAL)
778 ct = nf_ct_tuplehash_to_ctrack(h);
779 /* Dump entries of a given L3 protocol number.
780 * If it is not specified, ie. l3proto == 0,
781 * then dump everything. */
782 if (l3proto && nf_ct_l3num(ct) != l3proto)
789 #ifdef CONFIG_NF_CONNTRACK_MARK
790 if (filter && !((ct->mark & filter->mark.mask) ==
797 ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).portid,
799 NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
803 nf_conntrack_get(&ct->ct_general);
804 cb->args[1] = (unsigned long)ct;
814 spin_unlock_bh(&nf_conntrack_lock);
822 ctnetlink_parse_tuple_ip(struct nlattr *attr, struct nf_conntrack_tuple *tuple)
824 struct nlattr *tb[CTA_IP_MAX+1];
825 struct nf_conntrack_l3proto *l3proto;
828 ret = nla_parse_nested(tb, CTA_IP_MAX, attr, NULL);
833 l3proto = __nf_ct_l3proto_find(tuple->src.l3num);
835 if (likely(l3proto->nlattr_to_tuple)) {
836 ret = nla_validate_nested(attr, CTA_IP_MAX,
837 l3proto->nla_policy);
839 ret = l3proto->nlattr_to_tuple(tb, tuple);
847 static const struct nla_policy proto_nla_policy[CTA_PROTO_MAX+1] = {
848 [CTA_PROTO_NUM] = { .type = NLA_U8 },
852 ctnetlink_parse_tuple_proto(struct nlattr *attr,
853 struct nf_conntrack_tuple *tuple)
855 struct nlattr *tb[CTA_PROTO_MAX+1];
856 struct nf_conntrack_l4proto *l4proto;
859 ret = nla_parse_nested(tb, CTA_PROTO_MAX, attr, proto_nla_policy);
863 if (!tb[CTA_PROTO_NUM])
865 tuple->dst.protonum = nla_get_u8(tb[CTA_PROTO_NUM]);
868 l4proto = __nf_ct_l4proto_find(tuple->src.l3num, tuple->dst.protonum);
870 if (likely(l4proto->nlattr_to_tuple)) {
871 ret = nla_validate_nested(attr, CTA_PROTO_MAX,
872 l4proto->nla_policy);
874 ret = l4proto->nlattr_to_tuple(tb, tuple);
882 static const struct nla_policy tuple_nla_policy[CTA_TUPLE_MAX+1] = {
883 [CTA_TUPLE_IP] = { .type = NLA_NESTED },
884 [CTA_TUPLE_PROTO] = { .type = NLA_NESTED },
888 ctnetlink_parse_tuple(const struct nlattr * const cda[],
889 struct nf_conntrack_tuple *tuple,
890 enum ctattr_type type, u_int8_t l3num)
892 struct nlattr *tb[CTA_TUPLE_MAX+1];
895 memset(tuple, 0, sizeof(*tuple));
897 err = nla_parse_nested(tb, CTA_TUPLE_MAX, cda[type], tuple_nla_policy);
901 if (!tb[CTA_TUPLE_IP])
904 tuple->src.l3num = l3num;
906 err = ctnetlink_parse_tuple_ip(tb[CTA_TUPLE_IP], tuple);
910 if (!tb[CTA_TUPLE_PROTO])
913 err = ctnetlink_parse_tuple_proto(tb[CTA_TUPLE_PROTO], tuple);
917 /* orig and expect tuples get DIR_ORIGINAL */
918 if (type == CTA_TUPLE_REPLY)
919 tuple->dst.dir = IP_CT_DIR_REPLY;
921 tuple->dst.dir = IP_CT_DIR_ORIGINAL;
927 ctnetlink_parse_zone(const struct nlattr *attr, u16 *zone)
930 #ifdef CONFIG_NF_CONNTRACK_ZONES
931 *zone = ntohs(nla_get_be16(attr));
941 static const struct nla_policy help_nla_policy[CTA_HELP_MAX+1] = {
942 [CTA_HELP_NAME] = { .type = NLA_NUL_STRING,
943 .len = NF_CT_HELPER_NAME_LEN - 1 },
947 ctnetlink_parse_help(const struct nlattr *attr, char **helper_name,
948 struct nlattr **helpinfo)
951 struct nlattr *tb[CTA_HELP_MAX+1];
953 err = nla_parse_nested(tb, CTA_HELP_MAX, attr, help_nla_policy);
957 if (!tb[CTA_HELP_NAME])
960 *helper_name = nla_data(tb[CTA_HELP_NAME]);
962 if (tb[CTA_HELP_INFO])
963 *helpinfo = tb[CTA_HELP_INFO];
968 #define __CTA_LABELS_MAX_LENGTH ((XT_CONNLABEL_MAXBIT + 1) / BITS_PER_BYTE)
969 static const struct nla_policy ct_nla_policy[CTA_MAX+1] = {
970 [CTA_TUPLE_ORIG] = { .type = NLA_NESTED },
971 [CTA_TUPLE_REPLY] = { .type = NLA_NESTED },
972 [CTA_STATUS] = { .type = NLA_U32 },
973 [CTA_PROTOINFO] = { .type = NLA_NESTED },
974 [CTA_HELP] = { .type = NLA_NESTED },
975 [CTA_NAT_SRC] = { .type = NLA_NESTED },
976 [CTA_TIMEOUT] = { .type = NLA_U32 },
977 [CTA_MARK] = { .type = NLA_U32 },
978 [CTA_ID] = { .type = NLA_U32 },
979 [CTA_NAT_DST] = { .type = NLA_NESTED },
980 [CTA_TUPLE_MASTER] = { .type = NLA_NESTED },
981 [CTA_NAT_SEQ_ADJ_ORIG] = { .type = NLA_NESTED },
982 [CTA_NAT_SEQ_ADJ_REPLY] = { .type = NLA_NESTED },
983 [CTA_ZONE] = { .type = NLA_U16 },
984 [CTA_MARK_MASK] = { .type = NLA_U32 },
985 [CTA_LABELS] = { .type = NLA_BINARY,
986 .len = __CTA_LABELS_MAX_LENGTH },
987 [CTA_LABELS_MASK] = { .type = NLA_BINARY,
988 .len = __CTA_LABELS_MAX_LENGTH },
992 ctnetlink_del_conntrack(struct sock *ctnl, struct sk_buff *skb,
993 const struct nlmsghdr *nlh,
994 const struct nlattr * const cda[])
996 struct net *net = sock_net(ctnl);
997 struct nf_conntrack_tuple_hash *h;
998 struct nf_conntrack_tuple tuple;
1000 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1001 u_int8_t u3 = nfmsg->nfgen_family;
1005 err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone);
1009 if (cda[CTA_TUPLE_ORIG])
1010 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, u3);
1011 else if (cda[CTA_TUPLE_REPLY])
1012 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY, u3);
1014 /* Flush the whole table */
1015 nf_conntrack_flush_report(net,
1016 NETLINK_CB(skb).portid,
1024 h = nf_conntrack_find_get(net, zone, &tuple);
1028 ct = nf_ct_tuplehash_to_ctrack(h);
1031 u_int32_t id = ntohl(nla_get_be32(cda[CTA_ID]));
1032 if (id != (u32)(unsigned long)ct) {
1038 if (del_timer(&ct->timeout))
1039 nf_ct_delete(ct, NETLINK_CB(skb).portid, nlmsg_report(nlh));
1047 ctnetlink_get_conntrack(struct sock *ctnl, struct sk_buff *skb,
1048 const struct nlmsghdr *nlh,
1049 const struct nlattr * const cda[])
1051 struct net *net = sock_net(ctnl);
1052 struct nf_conntrack_tuple_hash *h;
1053 struct nf_conntrack_tuple tuple;
1055 struct sk_buff *skb2 = NULL;
1056 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1057 u_int8_t u3 = nfmsg->nfgen_family;
1061 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1062 struct netlink_dump_control c = {
1063 .dump = ctnetlink_dump_table,
1064 .done = ctnetlink_done,
1066 #ifdef CONFIG_NF_CONNTRACK_MARK
1067 if (cda[CTA_MARK] && cda[CTA_MARK_MASK]) {
1068 struct ctnetlink_dump_filter *filter;
1070 filter = kzalloc(sizeof(struct ctnetlink_dump_filter),
1075 filter->mark.val = ntohl(nla_get_be32(cda[CTA_MARK]));
1077 ntohl(nla_get_be32(cda[CTA_MARK_MASK]));
1081 return netlink_dump_start(ctnl, skb, nlh, &c);
1084 err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone);
1088 if (cda[CTA_TUPLE_ORIG])
1089 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, u3);
1090 else if (cda[CTA_TUPLE_REPLY])
1091 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY, u3);
1098 h = nf_conntrack_find_get(net, zone, &tuple);
1102 ct = nf_ct_tuplehash_to_ctrack(h);
1105 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1112 err = ctnetlink_fill_info(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq,
1113 NFNL_MSG_TYPE(nlh->nlmsg_type), ct);
1119 err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
1128 /* this avoids a loop in nfnetlink. */
1129 return err == -EAGAIN ? -ENOBUFS : err;
1132 static int ctnetlink_done_list(struct netlink_callback *cb)
1135 nf_ct_put((struct nf_conn *)cb->args[1]);
1140 ctnetlink_dump_list(struct sk_buff *skb, struct netlink_callback *cb,
1141 struct hlist_nulls_head *list)
1143 struct nf_conn *ct, *last;
1144 struct nf_conntrack_tuple_hash *h;
1145 struct hlist_nulls_node *n;
1146 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1147 u_int8_t l3proto = nfmsg->nfgen_family;
1153 spin_lock_bh(&nf_conntrack_lock);
1154 last = (struct nf_conn *)cb->args[1];
1156 hlist_nulls_for_each_entry(h, n, list, hnnode) {
1157 ct = nf_ct_tuplehash_to_ctrack(h);
1158 if (l3proto && nf_ct_l3num(ct) != l3proto)
1166 res = ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).portid,
1168 NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
1172 nf_conntrack_get(&ct->ct_general);
1173 cb->args[1] = (unsigned long)ct;
1183 spin_unlock_bh(&nf_conntrack_lock);
1191 ctnetlink_dump_dying(struct sk_buff *skb, struct netlink_callback *cb)
1193 struct net *net = sock_net(skb->sk);
1195 return ctnetlink_dump_list(skb, cb, &net->ct.dying);
1199 ctnetlink_get_ct_dying(struct sock *ctnl, struct sk_buff *skb,
1200 const struct nlmsghdr *nlh,
1201 const struct nlattr * const cda[])
1203 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1204 struct netlink_dump_control c = {
1205 .dump = ctnetlink_dump_dying,
1206 .done = ctnetlink_done_list,
1208 return netlink_dump_start(ctnl, skb, nlh, &c);
1215 ctnetlink_dump_unconfirmed(struct sk_buff *skb, struct netlink_callback *cb)
1217 struct net *net = sock_net(skb->sk);
1219 return ctnetlink_dump_list(skb, cb, &net->ct.unconfirmed);
1223 ctnetlink_get_ct_unconfirmed(struct sock *ctnl, struct sk_buff *skb,
1224 const struct nlmsghdr *nlh,
1225 const struct nlattr * const cda[])
1227 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1228 struct netlink_dump_control c = {
1229 .dump = ctnetlink_dump_unconfirmed,
1230 .done = ctnetlink_done_list,
1232 return netlink_dump_start(ctnl, skb, nlh, &c);
1238 #ifdef CONFIG_NF_NAT_NEEDED
1240 ctnetlink_parse_nat_setup(struct nf_conn *ct,
1241 enum nf_nat_manip_type manip,
1242 const struct nlattr *attr)
1244 typeof(nfnetlink_parse_nat_setup_hook) parse_nat_setup;
1247 parse_nat_setup = rcu_dereference(nfnetlink_parse_nat_setup_hook);
1248 if (!parse_nat_setup) {
1249 #ifdef CONFIG_MODULES
1251 nfnl_unlock(NFNL_SUBSYS_CTNETLINK);
1252 if (request_module("nf-nat") < 0) {
1253 nfnl_lock(NFNL_SUBSYS_CTNETLINK);
1257 nfnl_lock(NFNL_SUBSYS_CTNETLINK);
1259 if (nfnetlink_parse_nat_setup_hook)
1265 err = parse_nat_setup(ct, manip, attr);
1266 if (err == -EAGAIN) {
1267 #ifdef CONFIG_MODULES
1269 nfnl_unlock(NFNL_SUBSYS_CTNETLINK);
1270 if (request_module("nf-nat-%u", nf_ct_l3num(ct)) < 0) {
1271 nfnl_lock(NFNL_SUBSYS_CTNETLINK);
1275 nfnl_lock(NFNL_SUBSYS_CTNETLINK);
1286 ctnetlink_change_status(struct nf_conn *ct, const struct nlattr * const cda[])
1289 unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS]));
1290 d = ct->status ^ status;
1292 if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING))
1296 if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY))
1297 /* SEEN_REPLY bit can only be set */
1300 if (d & IPS_ASSURED && !(status & IPS_ASSURED))
1301 /* ASSURED bit can only be set */
1304 /* Be careful here, modifying NAT bits can screw up things,
1305 * so don't let users modify them directly if they don't pass
1307 ct->status |= status & ~(IPS_NAT_DONE_MASK | IPS_NAT_MASK);
1312 ctnetlink_change_nat(struct nf_conn *ct, const struct nlattr * const cda[])
1314 #ifdef CONFIG_NF_NAT_NEEDED
1317 if (cda[CTA_NAT_DST]) {
1318 ret = ctnetlink_parse_nat_setup(ct,
1324 if (cda[CTA_NAT_SRC]) {
1325 ret = ctnetlink_parse_nat_setup(ct,
1338 ctnetlink_change_helper(struct nf_conn *ct, const struct nlattr * const cda[])
1340 struct nf_conntrack_helper *helper;
1341 struct nf_conn_help *help = nfct_help(ct);
1342 char *helpname = NULL;
1343 struct nlattr *helpinfo = NULL;
1346 /* don't change helper of sibling connections */
1350 err = ctnetlink_parse_help(cda[CTA_HELP], &helpname, &helpinfo);
1354 if (!strcmp(helpname, "")) {
1355 if (help && help->helper) {
1356 /* we had a helper before ... */
1357 nf_ct_remove_expectations(ct);
1358 RCU_INIT_POINTER(help->helper, NULL);
1364 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
1365 nf_ct_protonum(ct));
1366 if (helper == NULL) {
1367 #ifdef CONFIG_MODULES
1368 spin_unlock_bh(&nf_conntrack_lock);
1370 if (request_module("nfct-helper-%s", helpname) < 0) {
1371 spin_lock_bh(&nf_conntrack_lock);
1375 spin_lock_bh(&nf_conntrack_lock);
1376 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
1377 nf_ct_protonum(ct));
1385 if (help->helper == helper) {
1386 /* update private helper data if allowed. */
1387 if (helper->from_nlattr)
1388 helper->from_nlattr(helpinfo, ct);
1394 /* we cannot set a helper for an existing conntrack */
1399 ctnetlink_change_timeout(struct nf_conn *ct, const struct nlattr * const cda[])
1401 u_int32_t timeout = ntohl(nla_get_be32(cda[CTA_TIMEOUT]));
1403 if (!del_timer(&ct->timeout))
1406 ct->timeout.expires = jiffies + timeout * HZ;
1407 add_timer(&ct->timeout);
1412 static const struct nla_policy protoinfo_policy[CTA_PROTOINFO_MAX+1] = {
1413 [CTA_PROTOINFO_TCP] = { .type = NLA_NESTED },
1414 [CTA_PROTOINFO_DCCP] = { .type = NLA_NESTED },
1415 [CTA_PROTOINFO_SCTP] = { .type = NLA_NESTED },
1419 ctnetlink_change_protoinfo(struct nf_conn *ct, const struct nlattr * const cda[])
1421 const struct nlattr *attr = cda[CTA_PROTOINFO];
1422 struct nlattr *tb[CTA_PROTOINFO_MAX+1];
1423 struct nf_conntrack_l4proto *l4proto;
1426 err = nla_parse_nested(tb, CTA_PROTOINFO_MAX, attr, protoinfo_policy);
1431 l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
1432 if (l4proto->from_nlattr)
1433 err = l4proto->from_nlattr(tb, ct);
1439 static const struct nla_policy seqadj_policy[CTA_SEQADJ_MAX+1] = {
1440 [CTA_SEQADJ_CORRECTION_POS] = { .type = NLA_U32 },
1441 [CTA_SEQADJ_OFFSET_BEFORE] = { .type = NLA_U32 },
1442 [CTA_SEQADJ_OFFSET_AFTER] = { .type = NLA_U32 },
1446 change_seq_adj(struct nf_ct_seqadj *seq, const struct nlattr * const attr)
1449 struct nlattr *cda[CTA_SEQADJ_MAX+1];
1451 err = nla_parse_nested(cda, CTA_SEQADJ_MAX, attr, seqadj_policy);
1455 if (!cda[CTA_SEQADJ_CORRECTION_POS])
1458 seq->correction_pos =
1459 ntohl(nla_get_be32(cda[CTA_SEQADJ_CORRECTION_POS]));
1461 if (!cda[CTA_SEQADJ_OFFSET_BEFORE])
1464 seq->offset_before =
1465 ntohl(nla_get_be32(cda[CTA_SEQADJ_OFFSET_BEFORE]));
1467 if (!cda[CTA_SEQADJ_OFFSET_AFTER])
1471 ntohl(nla_get_be32(cda[CTA_SEQADJ_OFFSET_AFTER]));
1477 ctnetlink_change_seq_adj(struct nf_conn *ct,
1478 const struct nlattr * const cda[])
1480 struct nf_conn_seqadj *seqadj = nfct_seqadj(ct);
1486 if (cda[CTA_SEQ_ADJ_ORIG]) {
1487 ret = change_seq_adj(&seqadj->seq[IP_CT_DIR_ORIGINAL],
1488 cda[CTA_SEQ_ADJ_ORIG]);
1492 ct->status |= IPS_SEQ_ADJUST;
1495 if (cda[CTA_SEQ_ADJ_REPLY]) {
1496 ret = change_seq_adj(&seqadj->seq[IP_CT_DIR_REPLY],
1497 cda[CTA_SEQ_ADJ_REPLY]);
1501 ct->status |= IPS_SEQ_ADJUST;
1508 ctnetlink_attach_labels(struct nf_conn *ct, const struct nlattr * const cda[])
1510 #ifdef CONFIG_NF_CONNTRACK_LABELS
1511 size_t len = nla_len(cda[CTA_LABELS]);
1512 const void *mask = cda[CTA_LABELS_MASK];
1514 if (len & (sizeof(u32)-1)) /* must be multiple of u32 */
1518 if (nla_len(cda[CTA_LABELS_MASK]) == 0 ||
1519 nla_len(cda[CTA_LABELS_MASK]) != len)
1521 mask = nla_data(cda[CTA_LABELS_MASK]);
1526 return nf_connlabels_replace(ct, nla_data(cda[CTA_LABELS]), mask, len);
1533 ctnetlink_change_conntrack(struct nf_conn *ct,
1534 const struct nlattr * const cda[])
1538 /* only allow NAT changes and master assignation for new conntracks */
1539 if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST] || cda[CTA_TUPLE_MASTER])
1542 if (cda[CTA_HELP]) {
1543 err = ctnetlink_change_helper(ct, cda);
1548 if (cda[CTA_TIMEOUT]) {
1549 err = ctnetlink_change_timeout(ct, cda);
1554 if (cda[CTA_STATUS]) {
1555 err = ctnetlink_change_status(ct, cda);
1560 if (cda[CTA_PROTOINFO]) {
1561 err = ctnetlink_change_protoinfo(ct, cda);
1566 #if defined(CONFIG_NF_CONNTRACK_MARK)
1568 ct->mark = ntohl(nla_get_be32(cda[CTA_MARK]));
1571 if (cda[CTA_SEQ_ADJ_ORIG] || cda[CTA_SEQ_ADJ_REPLY]) {
1572 err = ctnetlink_change_seq_adj(ct, cda);
1577 if (cda[CTA_LABELS]) {
1578 err = ctnetlink_attach_labels(ct, cda);
1586 static struct nf_conn *
1587 ctnetlink_create_conntrack(struct net *net, u16 zone,
1588 const struct nlattr * const cda[],
1589 struct nf_conntrack_tuple *otuple,
1590 struct nf_conntrack_tuple *rtuple,
1595 struct nf_conntrack_helper *helper;
1596 struct nf_conn_tstamp *tstamp;
1598 ct = nf_conntrack_alloc(net, zone, otuple, rtuple, GFP_ATOMIC);
1600 return ERR_PTR(-ENOMEM);
1602 if (!cda[CTA_TIMEOUT])
1604 ct->timeout.expires = ntohl(nla_get_be32(cda[CTA_TIMEOUT]));
1606 ct->timeout.expires = jiffies + ct->timeout.expires * HZ;
1609 if (cda[CTA_HELP]) {
1610 char *helpname = NULL;
1611 struct nlattr *helpinfo = NULL;
1613 err = ctnetlink_parse_help(cda[CTA_HELP], &helpname, &helpinfo);
1617 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
1618 nf_ct_protonum(ct));
1619 if (helper == NULL) {
1621 #ifdef CONFIG_MODULES
1622 if (request_module("nfct-helper-%s", helpname) < 0) {
1628 helper = __nf_conntrack_helper_find(helpname,
1630 nf_ct_protonum(ct));
1640 struct nf_conn_help *help;
1642 help = nf_ct_helper_ext_add(ct, helper, GFP_ATOMIC);
1647 /* set private helper data if allowed. */
1648 if (helper->from_nlattr)
1649 helper->from_nlattr(helpinfo, ct);
1651 /* not in hash table yet so not strictly necessary */
1652 RCU_INIT_POINTER(help->helper, helper);
1655 /* try an implicit helper assignation */
1656 err = __nf_ct_try_assign_helper(ct, NULL, GFP_ATOMIC);
1661 if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST]) {
1662 err = ctnetlink_change_nat(ct, cda);
1667 nf_ct_acct_ext_add(ct, GFP_ATOMIC);
1668 nf_ct_tstamp_ext_add(ct, GFP_ATOMIC);
1669 nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC);
1670 nf_ct_labels_ext_add(ct);
1672 /* we must add conntrack extensions before confirmation. */
1673 ct->status |= IPS_CONFIRMED;
1675 if (cda[CTA_STATUS]) {
1676 err = ctnetlink_change_status(ct, cda);
1681 if (cda[CTA_SEQ_ADJ_ORIG] || cda[CTA_SEQ_ADJ_REPLY]) {
1682 err = ctnetlink_change_seq_adj(ct, cda);
1687 memset(&ct->proto, 0, sizeof(ct->proto));
1688 if (cda[CTA_PROTOINFO]) {
1689 err = ctnetlink_change_protoinfo(ct, cda);
1694 #if defined(CONFIG_NF_CONNTRACK_MARK)
1696 ct->mark = ntohl(nla_get_be32(cda[CTA_MARK]));
1699 /* setup master conntrack: this is a confirmed expectation */
1700 if (cda[CTA_TUPLE_MASTER]) {
1701 struct nf_conntrack_tuple master;
1702 struct nf_conntrack_tuple_hash *master_h;
1703 struct nf_conn *master_ct;
1705 err = ctnetlink_parse_tuple(cda, &master, CTA_TUPLE_MASTER, u3);
1709 master_h = nf_conntrack_find_get(net, zone, &master);
1710 if (master_h == NULL) {
1714 master_ct = nf_ct_tuplehash_to_ctrack(master_h);
1715 __set_bit(IPS_EXPECTED_BIT, &ct->status);
1716 ct->master = master_ct;
1718 tstamp = nf_conn_tstamp_find(ct);
1720 tstamp->start = ktime_to_ns(ktime_get_real());
1722 err = nf_conntrack_hash_check_insert(ct);
1733 nf_conntrack_free(ct);
1734 return ERR_PTR(err);
1738 ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
1739 const struct nlmsghdr *nlh,
1740 const struct nlattr * const cda[])
1742 struct net *net = sock_net(ctnl);
1743 struct nf_conntrack_tuple otuple, rtuple;
1744 struct nf_conntrack_tuple_hash *h = NULL;
1745 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1747 u_int8_t u3 = nfmsg->nfgen_family;
1751 err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone);
1755 if (cda[CTA_TUPLE_ORIG]) {
1756 err = ctnetlink_parse_tuple(cda, &otuple, CTA_TUPLE_ORIG, u3);
1761 if (cda[CTA_TUPLE_REPLY]) {
1762 err = ctnetlink_parse_tuple(cda, &rtuple, CTA_TUPLE_REPLY, u3);
1767 if (cda[CTA_TUPLE_ORIG])
1768 h = nf_conntrack_find_get(net, zone, &otuple);
1769 else if (cda[CTA_TUPLE_REPLY])
1770 h = nf_conntrack_find_get(net, zone, &rtuple);
1774 if (nlh->nlmsg_flags & NLM_F_CREATE) {
1775 enum ip_conntrack_events events;
1777 if (!cda[CTA_TUPLE_ORIG] || !cda[CTA_TUPLE_REPLY])
1780 ct = ctnetlink_create_conntrack(net, zone, cda, &otuple,
1786 if (test_bit(IPS_EXPECTED_BIT, &ct->status))
1787 events = IPCT_RELATED;
1791 if (cda[CTA_LABELS] &&
1792 ctnetlink_attach_labels(ct, cda) == 0)
1793 events |= (1 << IPCT_LABEL);
1795 nf_conntrack_eventmask_report((1 << IPCT_REPLY) |
1796 (1 << IPCT_ASSURED) |
1797 (1 << IPCT_HELPER) |
1798 (1 << IPCT_PROTOINFO) |
1799 (1 << IPCT_SEQADJ) |
1800 (1 << IPCT_MARK) | events,
1801 ct, NETLINK_CB(skb).portid,
1808 /* implicit 'else' */
1811 ct = nf_ct_tuplehash_to_ctrack(h);
1812 if (!(nlh->nlmsg_flags & NLM_F_EXCL)) {
1813 spin_lock_bh(&nf_conntrack_lock);
1814 err = ctnetlink_change_conntrack(ct, cda);
1815 spin_unlock_bh(&nf_conntrack_lock);
1817 nf_conntrack_eventmask_report((1 << IPCT_REPLY) |
1818 (1 << IPCT_ASSURED) |
1819 (1 << IPCT_HELPER) |
1821 (1 << IPCT_PROTOINFO) |
1822 (1 << IPCT_SEQADJ) |
1824 ct, NETLINK_CB(skb).portid,
1834 ctnetlink_ct_stat_cpu_fill_info(struct sk_buff *skb, u32 portid, u32 seq,
1835 __u16 cpu, const struct ip_conntrack_stat *st)
1837 struct nlmsghdr *nlh;
1838 struct nfgenmsg *nfmsg;
1839 unsigned int flags = portid ? NLM_F_MULTI : 0, event;
1841 event = (NFNL_SUBSYS_CTNETLINK << 8 | IPCTNL_MSG_CT_GET_STATS_CPU);
1842 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
1846 nfmsg = nlmsg_data(nlh);
1847 nfmsg->nfgen_family = AF_UNSPEC;
1848 nfmsg->version = NFNETLINK_V0;
1849 nfmsg->res_id = htons(cpu);
1851 if (nla_put_be32(skb, CTA_STATS_SEARCHED, htonl(st->searched)) ||
1852 nla_put_be32(skb, CTA_STATS_FOUND, htonl(st->found)) ||
1853 nla_put_be32(skb, CTA_STATS_NEW, htonl(st->new)) ||
1854 nla_put_be32(skb, CTA_STATS_INVALID, htonl(st->invalid)) ||
1855 nla_put_be32(skb, CTA_STATS_IGNORE, htonl(st->ignore)) ||
1856 nla_put_be32(skb, CTA_STATS_DELETE, htonl(st->delete)) ||
1857 nla_put_be32(skb, CTA_STATS_DELETE_LIST, htonl(st->delete_list)) ||
1858 nla_put_be32(skb, CTA_STATS_INSERT, htonl(st->insert)) ||
1859 nla_put_be32(skb, CTA_STATS_INSERT_FAILED,
1860 htonl(st->insert_failed)) ||
1861 nla_put_be32(skb, CTA_STATS_DROP, htonl(st->drop)) ||
1862 nla_put_be32(skb, CTA_STATS_EARLY_DROP, htonl(st->early_drop)) ||
1863 nla_put_be32(skb, CTA_STATS_ERROR, htonl(st->error)) ||
1864 nla_put_be32(skb, CTA_STATS_SEARCH_RESTART,
1865 htonl(st->search_restart)))
1866 goto nla_put_failure;
1868 nlmsg_end(skb, nlh);
1873 nlmsg_cancel(skb, nlh);
1878 ctnetlink_ct_stat_cpu_dump(struct sk_buff *skb, struct netlink_callback *cb)
1881 struct net *net = sock_net(skb->sk);
1883 if (cb->args[0] == nr_cpu_ids)
1886 for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) {
1887 const struct ip_conntrack_stat *st;
1889 if (!cpu_possible(cpu))
1892 st = per_cpu_ptr(net->ct.stat, cpu);
1893 if (ctnetlink_ct_stat_cpu_fill_info(skb,
1894 NETLINK_CB(cb->skb).portid,
1905 ctnetlink_stat_ct_cpu(struct sock *ctnl, struct sk_buff *skb,
1906 const struct nlmsghdr *nlh,
1907 const struct nlattr * const cda[])
1909 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1910 struct netlink_dump_control c = {
1911 .dump = ctnetlink_ct_stat_cpu_dump,
1913 return netlink_dump_start(ctnl, skb, nlh, &c);
1920 ctnetlink_stat_ct_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
1923 struct nlmsghdr *nlh;
1924 struct nfgenmsg *nfmsg;
1925 unsigned int flags = portid ? NLM_F_MULTI : 0, event;
1926 unsigned int nr_conntracks = atomic_read(&net->ct.count);
1928 event = (NFNL_SUBSYS_CTNETLINK << 8 | IPCTNL_MSG_CT_GET_STATS);
1929 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
1933 nfmsg = nlmsg_data(nlh);
1934 nfmsg->nfgen_family = AF_UNSPEC;
1935 nfmsg->version = NFNETLINK_V0;
1938 if (nla_put_be32(skb, CTA_STATS_GLOBAL_ENTRIES, htonl(nr_conntracks)))
1939 goto nla_put_failure;
1941 nlmsg_end(skb, nlh);
1946 nlmsg_cancel(skb, nlh);
1951 ctnetlink_stat_ct(struct sock *ctnl, struct sk_buff *skb,
1952 const struct nlmsghdr *nlh,
1953 const struct nlattr * const cda[])
1955 struct sk_buff *skb2;
1958 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1962 err = ctnetlink_stat_ct_fill_info(skb2, NETLINK_CB(skb).portid,
1964 NFNL_MSG_TYPE(nlh->nlmsg_type),
1969 err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
1978 /* this avoids a loop in nfnetlink. */
1979 return err == -EAGAIN ? -ENOBUFS : err;
1982 static const struct nla_policy exp_nla_policy[CTA_EXPECT_MAX+1] = {
1983 [CTA_EXPECT_MASTER] = { .type = NLA_NESTED },
1984 [CTA_EXPECT_TUPLE] = { .type = NLA_NESTED },
1985 [CTA_EXPECT_MASK] = { .type = NLA_NESTED },
1986 [CTA_EXPECT_TIMEOUT] = { .type = NLA_U32 },
1987 [CTA_EXPECT_ID] = { .type = NLA_U32 },
1988 [CTA_EXPECT_HELP_NAME] = { .type = NLA_NUL_STRING,
1989 .len = NF_CT_HELPER_NAME_LEN - 1 },
1990 [CTA_EXPECT_ZONE] = { .type = NLA_U16 },
1991 [CTA_EXPECT_FLAGS] = { .type = NLA_U32 },
1992 [CTA_EXPECT_CLASS] = { .type = NLA_U32 },
1993 [CTA_EXPECT_NAT] = { .type = NLA_NESTED },
1994 [CTA_EXPECT_FN] = { .type = NLA_NUL_STRING },
1997 static struct nf_conntrack_expect *
1998 ctnetlink_alloc_expect(const struct nlattr *const cda[], struct nf_conn *ct,
1999 struct nf_conntrack_helper *helper,
2000 struct nf_conntrack_tuple *tuple,
2001 struct nf_conntrack_tuple *mask);
2003 #ifdef CONFIG_NETFILTER_NETLINK_QUEUE_CT
2005 ctnetlink_nfqueue_build_size(const struct nf_conn *ct)
2007 return 3 * nla_total_size(0) /* CTA_TUPLE_ORIG|REPL|MASTER */
2008 + 3 * nla_total_size(0) /* CTA_TUPLE_IP */
2009 + 3 * nla_total_size(0) /* CTA_TUPLE_PROTO */
2010 + 3 * nla_total_size(sizeof(u_int8_t)) /* CTA_PROTO_NUM */
2011 + nla_total_size(sizeof(u_int32_t)) /* CTA_ID */
2012 + nla_total_size(sizeof(u_int32_t)) /* CTA_STATUS */
2013 + nla_total_size(sizeof(u_int32_t)) /* CTA_TIMEOUT */
2014 + nla_total_size(0) /* CTA_PROTOINFO */
2015 + nla_total_size(0) /* CTA_HELP */
2016 + nla_total_size(NF_CT_HELPER_NAME_LEN) /* CTA_HELP_NAME */
2017 + ctnetlink_secctx_size(ct)
2018 #ifdef CONFIG_NF_NAT_NEEDED
2019 + 2 * nla_total_size(0) /* CTA_NAT_SEQ_ADJ_ORIG|REPL */
2020 + 6 * nla_total_size(sizeof(u_int32_t)) /* CTA_NAT_SEQ_OFFSET */
2022 #ifdef CONFIG_NF_CONNTRACK_MARK
2023 + nla_total_size(sizeof(u_int32_t)) /* CTA_MARK */
2025 + ctnetlink_proto_size(ct)
2030 ctnetlink_nfqueue_build(struct sk_buff *skb, struct nf_conn *ct)
2032 struct nlattr *nest_parms;
2035 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED);
2037 goto nla_put_failure;
2038 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
2039 goto nla_put_failure;
2040 nla_nest_end(skb, nest_parms);
2042 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY | NLA_F_NESTED);
2044 goto nla_put_failure;
2045 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
2046 goto nla_put_failure;
2047 nla_nest_end(skb, nest_parms);
2049 if (nf_ct_zone(ct)) {
2050 if (nla_put_be16(skb, CTA_ZONE, htons(nf_ct_zone(ct))))
2051 goto nla_put_failure;
2054 if (ctnetlink_dump_id(skb, ct) < 0)
2055 goto nla_put_failure;
2057 if (ctnetlink_dump_status(skb, ct) < 0)
2058 goto nla_put_failure;
2060 if (ctnetlink_dump_timeout(skb, ct) < 0)
2061 goto nla_put_failure;
2063 if (ctnetlink_dump_protoinfo(skb, ct) < 0)
2064 goto nla_put_failure;
2066 if (ctnetlink_dump_helpinfo(skb, ct) < 0)
2067 goto nla_put_failure;
2069 #ifdef CONFIG_NF_CONNTRACK_SECMARK
2070 if (ct->secmark && ctnetlink_dump_secctx(skb, ct) < 0)
2071 goto nla_put_failure;
2073 if (ct->master && ctnetlink_dump_master(skb, ct) < 0)
2074 goto nla_put_failure;
2076 if ((ct->status & IPS_SEQ_ADJUST) &&
2077 ctnetlink_dump_ct_seq_adj(skb, ct) < 0)
2078 goto nla_put_failure;
2080 #ifdef CONFIG_NF_CONNTRACK_MARK
2081 if (ct->mark && ctnetlink_dump_mark(skb, ct) < 0)
2082 goto nla_put_failure;
2084 if (ctnetlink_dump_labels(skb, ct) < 0)
2085 goto nla_put_failure;
2095 ctnetlink_nfqueue_parse_ct(const struct nlattr *cda[], struct nf_conn *ct)
2099 if (cda[CTA_TIMEOUT]) {
2100 err = ctnetlink_change_timeout(ct, cda);
2104 if (cda[CTA_STATUS]) {
2105 err = ctnetlink_change_status(ct, cda);
2109 if (cda[CTA_HELP]) {
2110 err = ctnetlink_change_helper(ct, cda);
2114 if (cda[CTA_LABELS]) {
2115 err = ctnetlink_attach_labels(ct, cda);
2119 #if defined(CONFIG_NF_CONNTRACK_MARK)
2121 ct->mark = ntohl(nla_get_be32(cda[CTA_MARK]));
2127 ctnetlink_nfqueue_parse(const struct nlattr *attr, struct nf_conn *ct)
2129 struct nlattr *cda[CTA_MAX+1];
2132 ret = nla_parse_nested(cda, CTA_MAX, attr, ct_nla_policy);
2136 spin_lock_bh(&nf_conntrack_lock);
2137 ret = ctnetlink_nfqueue_parse_ct((const struct nlattr **)cda, ct);
2138 spin_unlock_bh(&nf_conntrack_lock);
2143 static int ctnetlink_nfqueue_exp_parse(const struct nlattr * const *cda,
2144 const struct nf_conn *ct,
2145 struct nf_conntrack_tuple *tuple,
2146 struct nf_conntrack_tuple *mask)
2150 err = ctnetlink_parse_tuple(cda, tuple, CTA_EXPECT_TUPLE,
2155 return ctnetlink_parse_tuple(cda, mask, CTA_EXPECT_MASK,
2160 ctnetlink_nfqueue_attach_expect(const struct nlattr *attr, struct nf_conn *ct,
2161 u32 portid, u32 report)
2163 struct nlattr *cda[CTA_EXPECT_MAX+1];
2164 struct nf_conntrack_tuple tuple, mask;
2165 struct nf_conntrack_helper *helper = NULL;
2166 struct nf_conntrack_expect *exp;
2169 err = nla_parse_nested(cda, CTA_EXPECT_MAX, attr, exp_nla_policy);
2173 err = ctnetlink_nfqueue_exp_parse((const struct nlattr * const *)cda,
2178 if (cda[CTA_EXPECT_HELP_NAME]) {
2179 const char *helpname = nla_data(cda[CTA_EXPECT_HELP_NAME]);
2181 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
2182 nf_ct_protonum(ct));
2187 exp = ctnetlink_alloc_expect((const struct nlattr * const *)cda, ct,
2188 helper, &tuple, &mask);
2190 return PTR_ERR(exp);
2192 err = nf_ct_expect_related_report(exp, portid, report);
2194 nf_ct_expect_put(exp);
2201 static struct nfq_ct_hook ctnetlink_nfqueue_hook = {
2202 .build_size = ctnetlink_nfqueue_build_size,
2203 .build = ctnetlink_nfqueue_build,
2204 .parse = ctnetlink_nfqueue_parse,
2205 .attach_expect = ctnetlink_nfqueue_attach_expect,
2206 .seq_adjust = nf_ct_tcp_seqadj_set,
2208 #endif /* CONFIG_NETFILTER_NETLINK_QUEUE_CT */
2210 /***********************************************************************
2212 ***********************************************************************/
2215 ctnetlink_exp_dump_tuple(struct sk_buff *skb,
2216 const struct nf_conntrack_tuple *tuple,
2217 enum ctattr_expect type)
2219 struct nlattr *nest_parms;
2221 nest_parms = nla_nest_start(skb, type | NLA_F_NESTED);
2223 goto nla_put_failure;
2224 if (ctnetlink_dump_tuples(skb, tuple) < 0)
2225 goto nla_put_failure;
2226 nla_nest_end(skb, nest_parms);
2235 ctnetlink_exp_dump_mask(struct sk_buff *skb,
2236 const struct nf_conntrack_tuple *tuple,
2237 const struct nf_conntrack_tuple_mask *mask)
2240 struct nf_conntrack_l3proto *l3proto;
2241 struct nf_conntrack_l4proto *l4proto;
2242 struct nf_conntrack_tuple m;
2243 struct nlattr *nest_parms;
2245 memset(&m, 0xFF, sizeof(m));
2246 memcpy(&m.src.u3, &mask->src.u3, sizeof(m.src.u3));
2247 m.src.u.all = mask->src.u.all;
2248 m.dst.protonum = tuple->dst.protonum;
2250 nest_parms = nla_nest_start(skb, CTA_EXPECT_MASK | NLA_F_NESTED);
2252 goto nla_put_failure;
2255 l3proto = __nf_ct_l3proto_find(tuple->src.l3num);
2256 ret = ctnetlink_dump_tuples_ip(skb, &m, l3proto);
2258 l4proto = __nf_ct_l4proto_find(tuple->src.l3num,
2259 tuple->dst.protonum);
2260 ret = ctnetlink_dump_tuples_proto(skb, &m, l4proto);
2264 if (unlikely(ret < 0))
2265 goto nla_put_failure;
2267 nla_nest_end(skb, nest_parms);
2275 static const union nf_inet_addr any_addr;
2278 ctnetlink_exp_dump_expect(struct sk_buff *skb,
2279 const struct nf_conntrack_expect *exp)
2281 struct nf_conn *master = exp->master;
2282 long timeout = ((long)exp->timeout.expires - (long)jiffies) / HZ;
2283 struct nf_conn_help *help;
2284 #ifdef CONFIG_NF_NAT_NEEDED
2285 struct nlattr *nest_parms;
2286 struct nf_conntrack_tuple nat_tuple = {};
2288 struct nf_ct_helper_expectfn *expfn;
2293 if (ctnetlink_exp_dump_tuple(skb, &exp->tuple, CTA_EXPECT_TUPLE) < 0)
2294 goto nla_put_failure;
2295 if (ctnetlink_exp_dump_mask(skb, &exp->tuple, &exp->mask) < 0)
2296 goto nla_put_failure;
2297 if (ctnetlink_exp_dump_tuple(skb,
2298 &master->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
2299 CTA_EXPECT_MASTER) < 0)
2300 goto nla_put_failure;
2302 #ifdef CONFIG_NF_NAT_NEEDED
2303 if (!nf_inet_addr_cmp(&exp->saved_addr, &any_addr) ||
2304 exp->saved_proto.all) {
2305 nest_parms = nla_nest_start(skb, CTA_EXPECT_NAT | NLA_F_NESTED);
2307 goto nla_put_failure;
2309 if (nla_put_be32(skb, CTA_EXPECT_NAT_DIR, htonl(exp->dir)))
2310 goto nla_put_failure;
2312 nat_tuple.src.l3num = nf_ct_l3num(master);
2313 nat_tuple.src.u3 = exp->saved_addr;
2314 nat_tuple.dst.protonum = nf_ct_protonum(master);
2315 nat_tuple.src.u = exp->saved_proto;
2317 if (ctnetlink_exp_dump_tuple(skb, &nat_tuple,
2318 CTA_EXPECT_NAT_TUPLE) < 0)
2319 goto nla_put_failure;
2320 nla_nest_end(skb, nest_parms);
2323 if (nla_put_be32(skb, CTA_EXPECT_TIMEOUT, htonl(timeout)) ||
2324 nla_put_be32(skb, CTA_EXPECT_ID, htonl((unsigned long)exp)) ||
2325 nla_put_be32(skb, CTA_EXPECT_FLAGS, htonl(exp->flags)) ||
2326 nla_put_be32(skb, CTA_EXPECT_CLASS, htonl(exp->class)))
2327 goto nla_put_failure;
2328 help = nfct_help(master);
2330 struct nf_conntrack_helper *helper;
2332 helper = rcu_dereference(help->helper);
2334 nla_put_string(skb, CTA_EXPECT_HELP_NAME, helper->name))
2335 goto nla_put_failure;
2337 expfn = nf_ct_helper_expectfn_find_by_symbol(exp->expectfn);
2338 if (expfn != NULL &&
2339 nla_put_string(skb, CTA_EXPECT_FN, expfn->name))
2340 goto nla_put_failure;
2349 ctnetlink_exp_fill_info(struct sk_buff *skb, u32 portid, u32 seq,
2350 int event, const struct nf_conntrack_expect *exp)
2352 struct nlmsghdr *nlh;
2353 struct nfgenmsg *nfmsg;
2354 unsigned int flags = portid ? NLM_F_MULTI : 0;
2356 event |= NFNL_SUBSYS_CTNETLINK_EXP << 8;
2357 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
2361 nfmsg = nlmsg_data(nlh);
2362 nfmsg->nfgen_family = exp->tuple.src.l3num;
2363 nfmsg->version = NFNETLINK_V0;
2366 if (ctnetlink_exp_dump_expect(skb, exp) < 0)
2367 goto nla_put_failure;
2369 nlmsg_end(skb, nlh);
2374 nlmsg_cancel(skb, nlh);
2378 #ifdef CONFIG_NF_CONNTRACK_EVENTS
2380 ctnetlink_expect_event(unsigned int events, struct nf_exp_event *item)
2382 struct nf_conntrack_expect *exp = item->exp;
2383 struct net *net = nf_ct_exp_net(exp);
2384 struct nlmsghdr *nlh;
2385 struct nfgenmsg *nfmsg;
2386 struct sk_buff *skb;
2387 unsigned int type, group;
2390 if (events & (1 << IPEXP_DESTROY)) {
2391 type = IPCTNL_MSG_EXP_DELETE;
2392 group = NFNLGRP_CONNTRACK_EXP_DESTROY;
2393 } else if (events & (1 << IPEXP_NEW)) {
2394 type = IPCTNL_MSG_EXP_NEW;
2395 flags = NLM_F_CREATE|NLM_F_EXCL;
2396 group = NFNLGRP_CONNTRACK_EXP_NEW;
2400 if (!item->report && !nfnetlink_has_listeners(net, group))
2403 skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
2407 type |= NFNL_SUBSYS_CTNETLINK_EXP << 8;
2408 nlh = nlmsg_put(skb, item->portid, 0, type, sizeof(*nfmsg), flags);
2412 nfmsg = nlmsg_data(nlh);
2413 nfmsg->nfgen_family = exp->tuple.src.l3num;
2414 nfmsg->version = NFNETLINK_V0;
2418 if (ctnetlink_exp_dump_expect(skb, exp) < 0)
2419 goto nla_put_failure;
2422 nlmsg_end(skb, nlh);
2423 nfnetlink_send(skb, net, item->portid, group, item->report, GFP_ATOMIC);
2428 nlmsg_cancel(skb, nlh);
2432 nfnetlink_set_err(net, 0, 0, -ENOBUFS);
2436 static int ctnetlink_exp_done(struct netlink_callback *cb)
2439 nf_ct_expect_put((struct nf_conntrack_expect *)cb->args[1]);
2444 ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
2446 struct net *net = sock_net(skb->sk);
2447 struct nf_conntrack_expect *exp, *last;
2448 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2449 u_int8_t l3proto = nfmsg->nfgen_family;
2452 last = (struct nf_conntrack_expect *)cb->args[1];
2453 for (; cb->args[0] < nf_ct_expect_hsize; cb->args[0]++) {
2455 hlist_for_each_entry(exp, &net->ct.expect_hash[cb->args[0]],
2457 if (l3proto && exp->tuple.src.l3num != l3proto)
2464 if (ctnetlink_exp_fill_info(skb,
2465 NETLINK_CB(cb->skb).portid,
2469 if (!atomic_inc_not_zero(&exp->use))
2471 cb->args[1] = (unsigned long)exp;
2483 nf_ct_expect_put(last);
2489 ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
2491 struct nf_conntrack_expect *exp, *last;
2492 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2493 struct nf_conn *ct = cb->data;
2494 struct nf_conn_help *help = nfct_help(ct);
2495 u_int8_t l3proto = nfmsg->nfgen_family;
2501 last = (struct nf_conntrack_expect *)cb->args[1];
2503 hlist_for_each_entry(exp, &help->expectations, lnode) {
2504 if (l3proto && exp->tuple.src.l3num != l3proto)
2511 if (ctnetlink_exp_fill_info(skb, NETLINK_CB(cb->skb).portid,
2515 if (!atomic_inc_not_zero(&exp->use))
2517 cb->args[1] = (unsigned long)exp;
2529 nf_ct_expect_put(last);
2534 static int ctnetlink_dump_exp_ct(struct sock *ctnl, struct sk_buff *skb,
2535 const struct nlmsghdr *nlh,
2536 const struct nlattr * const cda[])
2539 struct net *net = sock_net(ctnl);
2540 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2541 u_int8_t u3 = nfmsg->nfgen_family;
2542 struct nf_conntrack_tuple tuple;
2543 struct nf_conntrack_tuple_hash *h;
2546 struct netlink_dump_control c = {
2547 .dump = ctnetlink_exp_ct_dump_table,
2548 .done = ctnetlink_exp_done,
2551 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER, u3);
2555 if (cda[CTA_EXPECT_ZONE]) {
2556 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
2561 h = nf_conntrack_find_get(net, zone, &tuple);
2565 ct = nf_ct_tuplehash_to_ctrack(h);
2568 err = netlink_dump_start(ctnl, skb, nlh, &c);
2575 ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb,
2576 const struct nlmsghdr *nlh,
2577 const struct nlattr * const cda[])
2579 struct net *net = sock_net(ctnl);
2580 struct nf_conntrack_tuple tuple;
2581 struct nf_conntrack_expect *exp;
2582 struct sk_buff *skb2;
2583 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2584 u_int8_t u3 = nfmsg->nfgen_family;
2588 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2589 if (cda[CTA_EXPECT_MASTER])
2590 return ctnetlink_dump_exp_ct(ctnl, skb, nlh, cda);
2592 struct netlink_dump_control c = {
2593 .dump = ctnetlink_exp_dump_table,
2594 .done = ctnetlink_exp_done,
2596 return netlink_dump_start(ctnl, skb, nlh, &c);
2600 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
2604 if (cda[CTA_EXPECT_TUPLE])
2605 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, u3);
2606 else if (cda[CTA_EXPECT_MASTER])
2607 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER, u3);
2614 exp = nf_ct_expect_find_get(net, zone, &tuple);
2618 if (cda[CTA_EXPECT_ID]) {
2619 __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);
2620 if (ntohl(id) != (u32)(unsigned long)exp) {
2621 nf_ct_expect_put(exp);
2627 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2629 nf_ct_expect_put(exp);
2634 err = ctnetlink_exp_fill_info(skb2, NETLINK_CB(skb).portid,
2635 nlh->nlmsg_seq, IPCTNL_MSG_EXP_NEW, exp);
2637 nf_ct_expect_put(exp);
2641 err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
2650 /* this avoids a loop in nfnetlink. */
2651 return err == -EAGAIN ? -ENOBUFS : err;
2655 ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb,
2656 const struct nlmsghdr *nlh,
2657 const struct nlattr * const cda[])
2659 struct net *net = sock_net(ctnl);
2660 struct nf_conntrack_expect *exp;
2661 struct nf_conntrack_tuple tuple;
2662 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2663 struct hlist_node *next;
2664 u_int8_t u3 = nfmsg->nfgen_family;
2669 if (cda[CTA_EXPECT_TUPLE]) {
2670 /* delete a single expect by tuple */
2671 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
2675 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, u3);
2679 /* bump usage count to 2 */
2680 exp = nf_ct_expect_find_get(net, zone, &tuple);
2684 if (cda[CTA_EXPECT_ID]) {
2685 __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);
2686 if (ntohl(id) != (u32)(unsigned long)exp) {
2687 nf_ct_expect_put(exp);
2692 /* after list removal, usage count == 1 */
2693 spin_lock_bh(&nf_conntrack_lock);
2694 if (del_timer(&exp->timeout)) {
2695 nf_ct_unlink_expect_report(exp, NETLINK_CB(skb).portid,
2697 nf_ct_expect_put(exp);
2699 spin_unlock_bh(&nf_conntrack_lock);
2700 /* have to put what we 'get' above.
2701 * after this line usage count == 0 */
2702 nf_ct_expect_put(exp);
2703 } else if (cda[CTA_EXPECT_HELP_NAME]) {
2704 char *name = nla_data(cda[CTA_EXPECT_HELP_NAME]);
2705 struct nf_conn_help *m_help;
2707 /* delete all expectations for this helper */
2708 spin_lock_bh(&nf_conntrack_lock);
2709 for (i = 0; i < nf_ct_expect_hsize; i++) {
2710 hlist_for_each_entry_safe(exp, next,
2711 &net->ct.expect_hash[i],
2713 m_help = nfct_help(exp->master);
2714 if (!strcmp(m_help->helper->name, name) &&
2715 del_timer(&exp->timeout)) {
2716 nf_ct_unlink_expect_report(exp,
2717 NETLINK_CB(skb).portid,
2719 nf_ct_expect_put(exp);
2723 spin_unlock_bh(&nf_conntrack_lock);
2725 /* This basically means we have to flush everything*/
2726 spin_lock_bh(&nf_conntrack_lock);
2727 for (i = 0; i < nf_ct_expect_hsize; i++) {
2728 hlist_for_each_entry_safe(exp, next,
2729 &net->ct.expect_hash[i],
2731 if (del_timer(&exp->timeout)) {
2732 nf_ct_unlink_expect_report(exp,
2733 NETLINK_CB(skb).portid,
2735 nf_ct_expect_put(exp);
2739 spin_unlock_bh(&nf_conntrack_lock);
2745 ctnetlink_change_expect(struct nf_conntrack_expect *x,
2746 const struct nlattr * const cda[])
2748 if (cda[CTA_EXPECT_TIMEOUT]) {
2749 if (!del_timer(&x->timeout))
2752 x->timeout.expires = jiffies +
2753 ntohl(nla_get_be32(cda[CTA_EXPECT_TIMEOUT])) * HZ;
2754 add_timer(&x->timeout);
2759 static const struct nla_policy exp_nat_nla_policy[CTA_EXPECT_NAT_MAX+1] = {
2760 [CTA_EXPECT_NAT_DIR] = { .type = NLA_U32 },
2761 [CTA_EXPECT_NAT_TUPLE] = { .type = NLA_NESTED },
2765 ctnetlink_parse_expect_nat(const struct nlattr *attr,
2766 struct nf_conntrack_expect *exp,
2769 #ifdef CONFIG_NF_NAT_NEEDED
2770 struct nlattr *tb[CTA_EXPECT_NAT_MAX+1];
2771 struct nf_conntrack_tuple nat_tuple = {};
2774 err = nla_parse_nested(tb, CTA_EXPECT_NAT_MAX, attr, exp_nat_nla_policy);
2778 if (!tb[CTA_EXPECT_NAT_DIR] || !tb[CTA_EXPECT_NAT_TUPLE])
2781 err = ctnetlink_parse_tuple((const struct nlattr * const *)tb,
2782 &nat_tuple, CTA_EXPECT_NAT_TUPLE, u3);
2786 exp->saved_addr = nat_tuple.src.u3;
2787 exp->saved_proto = nat_tuple.src.u;
2788 exp->dir = ntohl(nla_get_be32(tb[CTA_EXPECT_NAT_DIR]));
2796 static struct nf_conntrack_expect *
2797 ctnetlink_alloc_expect(const struct nlattr * const cda[], struct nf_conn *ct,
2798 struct nf_conntrack_helper *helper,
2799 struct nf_conntrack_tuple *tuple,
2800 struct nf_conntrack_tuple *mask)
2802 u_int32_t class = 0;
2803 struct nf_conntrack_expect *exp;
2804 struct nf_conn_help *help;
2807 if (cda[CTA_EXPECT_CLASS] && helper) {
2808 class = ntohl(nla_get_be32(cda[CTA_EXPECT_CLASS]));
2809 if (class > helper->expect_class_max)
2810 return ERR_PTR(-EINVAL);
2812 exp = nf_ct_expect_alloc(ct);
2814 return ERR_PTR(-ENOMEM);
2816 help = nfct_help(ct);
2818 if (!cda[CTA_EXPECT_TIMEOUT]) {
2822 exp->timeout.expires =
2823 jiffies + ntohl(nla_get_be32(cda[CTA_EXPECT_TIMEOUT])) * HZ;
2825 exp->flags = NF_CT_EXPECT_USERSPACE;
2826 if (cda[CTA_EXPECT_FLAGS]) {
2828 ntohl(nla_get_be32(cda[CTA_EXPECT_FLAGS]));
2831 if (cda[CTA_EXPECT_FLAGS]) {
2832 exp->flags = ntohl(nla_get_be32(cda[CTA_EXPECT_FLAGS]));
2833 exp->flags &= ~NF_CT_EXPECT_USERSPACE;
2837 if (cda[CTA_EXPECT_FN]) {
2838 const char *name = nla_data(cda[CTA_EXPECT_FN]);
2839 struct nf_ct_helper_expectfn *expfn;
2841 expfn = nf_ct_helper_expectfn_find_by_name(name);
2842 if (expfn == NULL) {
2846 exp->expectfn = expfn->expectfn;
2848 exp->expectfn = NULL;
2852 exp->helper = helper;
2853 exp->tuple = *tuple;
2854 exp->mask.src.u3 = mask->src.u3;
2855 exp->mask.src.u.all = mask->src.u.all;
2857 if (cda[CTA_EXPECT_NAT]) {
2858 err = ctnetlink_parse_expect_nat(cda[CTA_EXPECT_NAT],
2859 exp, nf_ct_l3num(ct));
2865 nf_ct_expect_put(exp);
2866 return ERR_PTR(err);
2870 ctnetlink_create_expect(struct net *net, u16 zone,
2871 const struct nlattr * const cda[],
2872 u_int8_t u3, u32 portid, int report)
2874 struct nf_conntrack_tuple tuple, mask, master_tuple;
2875 struct nf_conntrack_tuple_hash *h = NULL;
2876 struct nf_conntrack_helper *helper = NULL;
2877 struct nf_conntrack_expect *exp;
2881 /* caller guarantees that those three CTA_EXPECT_* exist */
2882 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, u3);
2885 err = ctnetlink_parse_tuple(cda, &mask, CTA_EXPECT_MASK, u3);
2888 err = ctnetlink_parse_tuple(cda, &master_tuple, CTA_EXPECT_MASTER, u3);
2892 /* Look for master conntrack of this expectation */
2893 h = nf_conntrack_find_get(net, zone, &master_tuple);
2896 ct = nf_ct_tuplehash_to_ctrack(h);
2898 if (cda[CTA_EXPECT_HELP_NAME]) {
2899 const char *helpname = nla_data(cda[CTA_EXPECT_HELP_NAME]);
2901 helper = __nf_conntrack_helper_find(helpname, u3,
2902 nf_ct_protonum(ct));
2903 if (helper == NULL) {
2904 #ifdef CONFIG_MODULES
2905 if (request_module("nfct-helper-%s", helpname) < 0) {
2909 helper = __nf_conntrack_helper_find(helpname, u3,
2910 nf_ct_protonum(ct));
2921 exp = ctnetlink_alloc_expect(cda, ct, helper, &tuple, &mask);
2927 err = nf_ct_expect_related_report(exp, portid, report);
2933 nf_ct_expect_put(exp);
2940 ctnetlink_new_expect(struct sock *ctnl, struct sk_buff *skb,
2941 const struct nlmsghdr *nlh,
2942 const struct nlattr * const cda[])
2944 struct net *net = sock_net(ctnl);
2945 struct nf_conntrack_tuple tuple;
2946 struct nf_conntrack_expect *exp;
2947 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2948 u_int8_t u3 = nfmsg->nfgen_family;
2952 if (!cda[CTA_EXPECT_TUPLE]
2953 || !cda[CTA_EXPECT_MASK]
2954 || !cda[CTA_EXPECT_MASTER])
2957 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
2961 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, u3);
2965 spin_lock_bh(&nf_conntrack_lock);
2966 exp = __nf_ct_expect_find(net, zone, &tuple);
2969 spin_unlock_bh(&nf_conntrack_lock);
2971 if (nlh->nlmsg_flags & NLM_F_CREATE) {
2972 err = ctnetlink_create_expect(net, zone, cda,
2974 NETLINK_CB(skb).portid,
2981 if (!(nlh->nlmsg_flags & NLM_F_EXCL))
2982 err = ctnetlink_change_expect(exp, cda);
2983 spin_unlock_bh(&nf_conntrack_lock);
2989 ctnetlink_exp_stat_fill_info(struct sk_buff *skb, u32 portid, u32 seq, int cpu,
2990 const struct ip_conntrack_stat *st)
2992 struct nlmsghdr *nlh;
2993 struct nfgenmsg *nfmsg;
2994 unsigned int flags = portid ? NLM_F_MULTI : 0, event;
2996 event = (NFNL_SUBSYS_CTNETLINK << 8 | IPCTNL_MSG_EXP_GET_STATS_CPU);
2997 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
3001 nfmsg = nlmsg_data(nlh);
3002 nfmsg->nfgen_family = AF_UNSPEC;
3003 nfmsg->version = NFNETLINK_V0;
3004 nfmsg->res_id = htons(cpu);
3006 if (nla_put_be32(skb, CTA_STATS_EXP_NEW, htonl(st->expect_new)) ||
3007 nla_put_be32(skb, CTA_STATS_EXP_CREATE, htonl(st->expect_create)) ||
3008 nla_put_be32(skb, CTA_STATS_EXP_DELETE, htonl(st->expect_delete)))
3009 goto nla_put_failure;
3011 nlmsg_end(skb, nlh);
3016 nlmsg_cancel(skb, nlh);
3021 ctnetlink_exp_stat_cpu_dump(struct sk_buff *skb, struct netlink_callback *cb)
3024 struct net *net = sock_net(skb->sk);
3026 if (cb->args[0] == nr_cpu_ids)
3029 for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) {
3030 const struct ip_conntrack_stat *st;
3032 if (!cpu_possible(cpu))
3035 st = per_cpu_ptr(net->ct.stat, cpu);
3036 if (ctnetlink_exp_stat_fill_info(skb, NETLINK_CB(cb->skb).portid,
3047 ctnetlink_stat_exp_cpu(struct sock *ctnl, struct sk_buff *skb,
3048 const struct nlmsghdr *nlh,
3049 const struct nlattr * const cda[])
3051 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3052 struct netlink_dump_control c = {
3053 .dump = ctnetlink_exp_stat_cpu_dump,
3055 return netlink_dump_start(ctnl, skb, nlh, &c);
3061 #ifdef CONFIG_NF_CONNTRACK_EVENTS
3062 static struct nf_ct_event_notifier ctnl_notifier = {
3063 .fcn = ctnetlink_conntrack_event,
3066 static struct nf_exp_event_notifier ctnl_notifier_exp = {
3067 .fcn = ctnetlink_expect_event,
3071 static const struct nfnl_callback ctnl_cb[IPCTNL_MSG_MAX] = {
3072 [IPCTNL_MSG_CT_NEW] = { .call = ctnetlink_new_conntrack,
3073 .attr_count = CTA_MAX,
3074 .policy = ct_nla_policy },
3075 [IPCTNL_MSG_CT_GET] = { .call = ctnetlink_get_conntrack,
3076 .attr_count = CTA_MAX,
3077 .policy = ct_nla_policy },
3078 [IPCTNL_MSG_CT_DELETE] = { .call = ctnetlink_del_conntrack,
3079 .attr_count = CTA_MAX,
3080 .policy = ct_nla_policy },
3081 [IPCTNL_MSG_CT_GET_CTRZERO] = { .call = ctnetlink_get_conntrack,
3082 .attr_count = CTA_MAX,
3083 .policy = ct_nla_policy },
3084 [IPCTNL_MSG_CT_GET_STATS_CPU] = { .call = ctnetlink_stat_ct_cpu },
3085 [IPCTNL_MSG_CT_GET_STATS] = { .call = ctnetlink_stat_ct },
3086 [IPCTNL_MSG_CT_GET_DYING] = { .call = ctnetlink_get_ct_dying },
3087 [IPCTNL_MSG_CT_GET_UNCONFIRMED] = { .call = ctnetlink_get_ct_unconfirmed },
3090 static const struct nfnl_callback ctnl_exp_cb[IPCTNL_MSG_EXP_MAX] = {
3091 [IPCTNL_MSG_EXP_GET] = { .call = ctnetlink_get_expect,
3092 .attr_count = CTA_EXPECT_MAX,
3093 .policy = exp_nla_policy },
3094 [IPCTNL_MSG_EXP_NEW] = { .call = ctnetlink_new_expect,
3095 .attr_count = CTA_EXPECT_MAX,
3096 .policy = exp_nla_policy },
3097 [IPCTNL_MSG_EXP_DELETE] = { .call = ctnetlink_del_expect,
3098 .attr_count = CTA_EXPECT_MAX,
3099 .policy = exp_nla_policy },
3100 [IPCTNL_MSG_EXP_GET_STATS_CPU] = { .call = ctnetlink_stat_exp_cpu },
3103 static const struct nfnetlink_subsystem ctnl_subsys = {
3104 .name = "conntrack",
3105 .subsys_id = NFNL_SUBSYS_CTNETLINK,
3106 .cb_count = IPCTNL_MSG_MAX,
3110 static const struct nfnetlink_subsystem ctnl_exp_subsys = {
3111 .name = "conntrack_expect",
3112 .subsys_id = NFNL_SUBSYS_CTNETLINK_EXP,
3113 .cb_count = IPCTNL_MSG_EXP_MAX,
3117 MODULE_ALIAS("ip_conntrack_netlink");
3118 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK);
3119 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK_EXP);
3121 static int __net_init ctnetlink_net_init(struct net *net)
3123 #ifdef CONFIG_NF_CONNTRACK_EVENTS
3126 ret = nf_conntrack_register_notifier(net, &ctnl_notifier);
3128 pr_err("ctnetlink_init: cannot register notifier.\n");
3132 ret = nf_ct_expect_register_notifier(net, &ctnl_notifier_exp);
3134 pr_err("ctnetlink_init: cannot expect register notifier.\n");
3135 goto err_unreg_notifier;
3140 #ifdef CONFIG_NF_CONNTRACK_EVENTS
3142 nf_conntrack_unregister_notifier(net, &ctnl_notifier);
3148 static void ctnetlink_net_exit(struct net *net)
3150 #ifdef CONFIG_NF_CONNTRACK_EVENTS
3151 nf_ct_expect_unregister_notifier(net, &ctnl_notifier_exp);
3152 nf_conntrack_unregister_notifier(net, &ctnl_notifier);
3156 static void __net_exit ctnetlink_net_exit_batch(struct list_head *net_exit_list)
3160 list_for_each_entry(net, net_exit_list, exit_list)
3161 ctnetlink_net_exit(net);
3164 static struct pernet_operations ctnetlink_net_ops = {
3165 .init = ctnetlink_net_init,
3166 .exit_batch = ctnetlink_net_exit_batch,
3169 static int __init ctnetlink_init(void)
3173 pr_info("ctnetlink v%s: registering with nfnetlink.\n", version);
3174 ret = nfnetlink_subsys_register(&ctnl_subsys);
3176 pr_err("ctnetlink_init: cannot register with nfnetlink.\n");
3180 ret = nfnetlink_subsys_register(&ctnl_exp_subsys);
3182 pr_err("ctnetlink_init: cannot register exp with nfnetlink.\n");
3183 goto err_unreg_subsys;
3186 ret = register_pernet_subsys(&ctnetlink_net_ops);
3188 pr_err("ctnetlink_init: cannot register pernet operations\n");
3189 goto err_unreg_exp_subsys;
3191 #ifdef CONFIG_NETFILTER_NETLINK_QUEUE_CT
3192 /* setup interaction between nf_queue and nf_conntrack_netlink. */
3193 RCU_INIT_POINTER(nfq_ct_hook, &ctnetlink_nfqueue_hook);
3197 err_unreg_exp_subsys:
3198 nfnetlink_subsys_unregister(&ctnl_exp_subsys);
3200 nfnetlink_subsys_unregister(&ctnl_subsys);
3205 static void __exit ctnetlink_exit(void)
3207 pr_info("ctnetlink: unregistering from nfnetlink.\n");
3209 unregister_pernet_subsys(&ctnetlink_net_ops);
3210 nfnetlink_subsys_unregister(&ctnl_exp_subsys);
3211 nfnetlink_subsys_unregister(&ctnl_subsys);
3212 #ifdef CONFIG_NETFILTER_NETLINK_QUEUE_CT
3213 RCU_INIT_POINTER(nfq_ct_hook, NULL);
3217 module_init(ctnetlink_init);
3218 module_exit(ctnetlink_exit);
projects / karo-tx-linux.git / blob