1 /* Connection tracking via netlink socket. Allows for user space
2 * protocol helpers and general trouble making from userspace.
4 * (C) 2001 by Jay Schulist <jschlst@samba.org>
5 * (C) 2002-2006 by Harald Welte <laforge@gnumonks.org>
6 * (C) 2003 by Patrick Mchardy <kaber@trash.net>
7 * (C) 2005-2006 by Pablo Neira Ayuso <pablo@eurodev.net>
9 * I've reworked this stuff to use attributes instead of conntrack
10 * structures. 5.44 am. I need more tea. --pablo 05/07/11.
12 * Initial connection tracking via netlink development funded and
13 * generally made possible by Network Robots, Inc. (www.networkrobots.com)
15 * Further development of this code funded by Astaro AG (http://www.astaro.com)
17 * This software may be used and distributed according to the terms
18 * of the GNU General Public License, incorporated herein by reference.
20 * Derived from ip_conntrack_netlink.c: Port by Pablo Neira Ayuso (05/11/14)
23 #include <linux/init.h>
24 #include <linux/module.h>
25 #include <linux/kernel.h>
26 #include <linux/types.h>
27 #include <linux/timer.h>
28 #include <linux/skbuff.h>
29 #include <linux/errno.h>
30 #include <linux/netlink.h>
31 #include <linux/spinlock.h>
32 #include <linux/interrupt.h>
33 #include <linux/notifier.h>
35 #include <linux/netfilter.h>
36 #include <net/netfilter/nf_conntrack.h>
37 #include <net/netfilter/nf_conntrack_core.h>
38 #include <net/netfilter/nf_conntrack_helper.h>
39 #include <net/netfilter/nf_conntrack_l3proto.h>
40 #include <net/netfilter/nf_conntrack_protocol.h>
41 #include <linux/netfilter_ipv4/ip_nat_protocol.h>
43 #include <linux/netfilter/nfnetlink.h>
44 #include <linux/netfilter/nfnetlink_conntrack.h>
46 MODULE_LICENSE("GPL");
48 static char __initdata version[] = "0.93";
51 ctnetlink_dump_tuples_proto(struct sk_buff *skb,
52 const struct nf_conntrack_tuple *tuple,
53 struct nf_conntrack_protocol *proto)
56 struct nfattr *nest_parms = NFA_NEST(skb, CTA_TUPLE_PROTO);
58 NFA_PUT(skb, CTA_PROTO_NUM, sizeof(u_int8_t), &tuple->dst.protonum);
60 if (likely(proto->tuple_to_nfattr))
61 ret = proto->tuple_to_nfattr(skb, tuple);
63 NFA_NEST_END(skb, nest_parms);
72 ctnetlink_dump_tuples_ip(struct sk_buff *skb,
73 const struct nf_conntrack_tuple *tuple,
74 struct nf_conntrack_l3proto *l3proto)
77 struct nfattr *nest_parms = NFA_NEST(skb, CTA_TUPLE_IP);
79 if (likely(l3proto->tuple_to_nfattr))
80 ret = l3proto->tuple_to_nfattr(skb, tuple);
82 NFA_NEST_END(skb, nest_parms);
91 ctnetlink_dump_tuples(struct sk_buff *skb,
92 const struct nf_conntrack_tuple *tuple)
95 struct nf_conntrack_l3proto *l3proto;
96 struct nf_conntrack_protocol *proto;
98 l3proto = nf_ct_l3proto_find_get(tuple->src.l3num);
99 ret = ctnetlink_dump_tuples_ip(skb, tuple, l3proto);
100 nf_ct_l3proto_put(l3proto);
102 if (unlikely(ret < 0))
105 proto = nf_ct_proto_find_get(tuple->src.l3num, tuple->dst.protonum);
106 ret = ctnetlink_dump_tuples_proto(skb, tuple, proto);
107 nf_ct_proto_put(proto);
113 ctnetlink_dump_status(struct sk_buff *skb, const struct nf_conn *ct)
115 u_int32_t status = htonl((u_int32_t) ct->status);
116 NFA_PUT(skb, CTA_STATUS, sizeof(status), &status);
124 ctnetlink_dump_timeout(struct sk_buff *skb, const struct nf_conn *ct)
126 long timeout_l = ct->timeout.expires - jiffies;
132 timeout = htonl(timeout_l / HZ);
134 NFA_PUT(skb, CTA_TIMEOUT, sizeof(timeout), &timeout);
142 ctnetlink_dump_protoinfo(struct sk_buff *skb, const struct nf_conn *ct)
144 struct nf_conntrack_protocol *proto = nf_ct_proto_find_get(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num, ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum);
145 struct nfattr *nest_proto;
148 if (!proto->to_nfattr) {
149 nf_ct_proto_put(proto);
153 nest_proto = NFA_NEST(skb, CTA_PROTOINFO);
155 ret = proto->to_nfattr(skb, nest_proto, ct);
157 nf_ct_proto_put(proto);
159 NFA_NEST_END(skb, nest_proto);
168 ctnetlink_dump_helpinfo(struct sk_buff *skb, const struct nf_conn *ct)
170 struct nfattr *nest_helper;
171 const struct nf_conn_help *help = nfct_help(ct);
173 if (!help || !help->helper)
176 nest_helper = NFA_NEST(skb, CTA_HELP);
177 NFA_PUT(skb, CTA_HELP_NAME, strlen(help->helper->name), help->helper->name);
179 if (help->helper->to_nfattr)
180 help->helper->to_nfattr(skb, ct);
182 NFA_NEST_END(skb, nest_helper);
190 #ifdef CONFIG_NF_CT_ACCT
192 ctnetlink_dump_counters(struct sk_buff *skb, const struct nf_conn *ct,
193 enum ip_conntrack_dir dir)
195 enum ctattr_type type = dir ? CTA_COUNTERS_REPLY: CTA_COUNTERS_ORIG;
196 struct nfattr *nest_count = NFA_NEST(skb, type);
199 tmp = htonl(ct->counters[dir].packets);
200 NFA_PUT(skb, CTA_COUNTERS32_PACKETS, sizeof(u_int32_t), &tmp);
202 tmp = htonl(ct->counters[dir].bytes);
203 NFA_PUT(skb, CTA_COUNTERS32_BYTES, sizeof(u_int32_t), &tmp);
205 NFA_NEST_END(skb, nest_count);
213 #define ctnetlink_dump_counters(a, b, c) (0)
216 #ifdef CONFIG_NF_CONNTRACK_MARK
218 ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct)
220 u_int32_t mark = htonl(ct->mark);
222 NFA_PUT(skb, CTA_MARK, sizeof(u_int32_t), &mark);
229 #define ctnetlink_dump_mark(a, b) (0)
233 ctnetlink_dump_id(struct sk_buff *skb, const struct nf_conn *ct)
235 u_int32_t id = htonl(ct->id);
236 NFA_PUT(skb, CTA_ID, sizeof(u_int32_t), &id);
244 ctnetlink_dump_use(struct sk_buff *skb, const struct nf_conn *ct)
246 u_int32_t use = htonl(atomic_read(&ct->ct_general.use));
248 NFA_PUT(skb, CTA_USE, sizeof(u_int32_t), &use);
255 #define tuple(ct, dir) (&(ct)->tuplehash[dir].tuple)
258 ctnetlink_fill_info(struct sk_buff *skb, u32 pid, u32 seq,
259 int event, int nowait,
260 const struct nf_conn *ct)
262 struct nlmsghdr *nlh;
263 struct nfgenmsg *nfmsg;
264 struct nfattr *nest_parms;
269 event |= NFNL_SUBSYS_CTNETLINK << 8;
270 nlh = NLMSG_PUT(skb, pid, seq, event, sizeof(struct nfgenmsg));
271 nfmsg = NLMSG_DATA(nlh);
273 nlh->nlmsg_flags = (nowait && pid) ? NLM_F_MULTI : 0;
274 nfmsg->nfgen_family =
275 ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
276 nfmsg->version = NFNETLINK_V0;
279 nest_parms = NFA_NEST(skb, CTA_TUPLE_ORIG);
280 if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
282 NFA_NEST_END(skb, nest_parms);
284 nest_parms = NFA_NEST(skb, CTA_TUPLE_REPLY);
285 if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_REPLY)) < 0)
287 NFA_NEST_END(skb, nest_parms);
289 if (ctnetlink_dump_status(skb, ct) < 0 ||
290 ctnetlink_dump_timeout(skb, ct) < 0 ||
291 ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 ||
292 ctnetlink_dump_counters(skb, ct, IP_CT_DIR_REPLY) < 0 ||
293 ctnetlink_dump_protoinfo(skb, ct) < 0 ||
294 ctnetlink_dump_helpinfo(skb, ct) < 0 ||
295 ctnetlink_dump_mark(skb, ct) < 0 ||
296 ctnetlink_dump_id(skb, ct) < 0 ||
297 ctnetlink_dump_use(skb, ct) < 0)
300 nlh->nlmsg_len = skb->tail - b;
305 skb_trim(skb, b - skb->data);
309 #ifdef CONFIG_NF_CONNTRACK_EVENTS
310 static int ctnetlink_conntrack_event(struct notifier_block *this,
311 unsigned long events, void *ptr)
313 struct nlmsghdr *nlh;
314 struct nfgenmsg *nfmsg;
315 struct nfattr *nest_parms;
316 struct nf_conn *ct = (struct nf_conn *)ptr;
320 unsigned int flags = 0, group;
322 /* ignore our fake conntrack entry */
323 if (ct == &nf_conntrack_untracked)
326 if (events & IPCT_DESTROY) {
327 type = IPCTNL_MSG_CT_DELETE;
328 group = NFNLGRP_CONNTRACK_DESTROY;
329 } else if (events & (IPCT_NEW | IPCT_RELATED)) {
330 type = IPCTNL_MSG_CT_NEW;
331 flags = NLM_F_CREATE|NLM_F_EXCL;
332 /* dump everything */
334 group = NFNLGRP_CONNTRACK_NEW;
335 } else if (events & (IPCT_STATUS | IPCT_PROTOINFO)) {
336 type = IPCTNL_MSG_CT_NEW;
337 group = NFNLGRP_CONNTRACK_UPDATE;
341 if (!nfnetlink_has_listeners(group))
344 skb = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
350 type |= NFNL_SUBSYS_CTNETLINK << 8;
351 nlh = NLMSG_PUT(skb, 0, 0, type, sizeof(struct nfgenmsg));
352 nfmsg = NLMSG_DATA(nlh);
354 nlh->nlmsg_flags = flags;
355 nfmsg->nfgen_family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
356 nfmsg->version = NFNETLINK_V0;
359 nest_parms = NFA_NEST(skb, CTA_TUPLE_ORIG);
360 if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
362 NFA_NEST_END(skb, nest_parms);
364 nest_parms = NFA_NEST(skb, CTA_TUPLE_REPLY);
365 if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_REPLY)) < 0)
367 NFA_NEST_END(skb, nest_parms);
369 /* NAT stuff is now a status flag */
370 if ((events & IPCT_STATUS || events & IPCT_NATINFO)
371 && ctnetlink_dump_status(skb, ct) < 0)
373 if (events & IPCT_REFRESH
374 && ctnetlink_dump_timeout(skb, ct) < 0)
376 if (events & IPCT_PROTOINFO
377 && ctnetlink_dump_protoinfo(skb, ct) < 0)
379 if (events & IPCT_HELPINFO
380 && ctnetlink_dump_helpinfo(skb, ct) < 0)
383 if (ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 ||
384 ctnetlink_dump_counters(skb, ct, IP_CT_DIR_REPLY) < 0)
387 if (events & IPCT_MARK
388 && ctnetlink_dump_mark(skb, ct) < 0)
391 nlh->nlmsg_len = skb->tail - b;
392 nfnetlink_send(skb, 0, group, 0);
400 #endif /* CONFIG_NF_CONNTRACK_EVENTS */
402 static int ctnetlink_done(struct netlink_callback *cb)
405 nf_ct_put((struct nf_conn *)cb->args[1]);
409 #define L3PROTO(ct) ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num
412 ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
414 struct nf_conn *ct, *last;
415 struct nf_conntrack_tuple_hash *h;
417 struct nfgenmsg *nfmsg = NLMSG_DATA(cb->nlh);
418 u_int8_t l3proto = nfmsg->nfgen_family;
420 read_lock_bh(&nf_conntrack_lock);
421 last = (struct nf_conn *)cb->args[1];
422 for (; cb->args[0] < nf_conntrack_htable_size; cb->args[0]++) {
424 list_for_each_prev(i, &nf_conntrack_hash[cb->args[0]]) {
425 h = (struct nf_conntrack_tuple_hash *) i;
426 if (DIRECTION(h) != IP_CT_DIR_ORIGINAL)
428 ct = nf_ct_tuplehash_to_ctrack(h);
429 /* Dump entries of a given L3 protocol number.
430 * If it is not specified, ie. l3proto == 0,
431 * then dump everything. */
432 if (l3proto && L3PROTO(ct) != l3proto)
439 if (ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).pid,
443 nf_conntrack_get(&ct->ct_general);
444 cb->args[1] = (unsigned long)ct;
447 #ifdef CONFIG_NF_CT_ACCT
448 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) ==
449 IPCTNL_MSG_CT_GET_CTRZERO)
450 memset(&ct->counters, 0, sizeof(ct->counters));
459 read_unlock_bh(&nf_conntrack_lock);
467 ctnetlink_parse_tuple_ip(struct nfattr *attr, struct nf_conntrack_tuple *tuple)
469 struct nfattr *tb[CTA_IP_MAX];
470 struct nf_conntrack_l3proto *l3proto;
473 nfattr_parse_nested(tb, CTA_IP_MAX, attr);
475 l3proto = nf_ct_l3proto_find_get(tuple->src.l3num);
477 if (likely(l3proto->nfattr_to_tuple))
478 ret = l3proto->nfattr_to_tuple(tb, tuple);
480 nf_ct_l3proto_put(l3proto);
485 static const size_t cta_min_proto[CTA_PROTO_MAX] = {
486 [CTA_PROTO_NUM-1] = sizeof(u_int8_t),
490 ctnetlink_parse_tuple_proto(struct nfattr *attr,
491 struct nf_conntrack_tuple *tuple)
493 struct nfattr *tb[CTA_PROTO_MAX];
494 struct nf_conntrack_protocol *proto;
497 nfattr_parse_nested(tb, CTA_PROTO_MAX, attr);
499 if (nfattr_bad_size(tb, CTA_PROTO_MAX, cta_min_proto))
502 if (!tb[CTA_PROTO_NUM-1])
504 tuple->dst.protonum = *(u_int8_t *)NFA_DATA(tb[CTA_PROTO_NUM-1]);
506 proto = nf_ct_proto_find_get(tuple->src.l3num, tuple->dst.protonum);
508 if (likely(proto->nfattr_to_tuple))
509 ret = proto->nfattr_to_tuple(tb, tuple);
511 nf_ct_proto_put(proto);
517 ctnetlink_parse_tuple(struct nfattr *cda[], struct nf_conntrack_tuple *tuple,
518 enum ctattr_tuple type, u_int8_t l3num)
520 struct nfattr *tb[CTA_TUPLE_MAX];
523 memset(tuple, 0, sizeof(*tuple));
525 nfattr_parse_nested(tb, CTA_TUPLE_MAX, cda[type-1]);
527 if (!tb[CTA_TUPLE_IP-1])
530 tuple->src.l3num = l3num;
532 err = ctnetlink_parse_tuple_ip(tb[CTA_TUPLE_IP-1], tuple);
536 if (!tb[CTA_TUPLE_PROTO-1])
539 err = ctnetlink_parse_tuple_proto(tb[CTA_TUPLE_PROTO-1], tuple);
543 /* orig and expect tuples get DIR_ORIGINAL */
544 if (type == CTA_TUPLE_REPLY)
545 tuple->dst.dir = IP_CT_DIR_REPLY;
547 tuple->dst.dir = IP_CT_DIR_ORIGINAL;
552 #ifdef CONFIG_IP_NF_NAT_NEEDED
553 static const size_t cta_min_protonat[CTA_PROTONAT_MAX] = {
554 [CTA_PROTONAT_PORT_MIN-1] = sizeof(u_int16_t),
555 [CTA_PROTONAT_PORT_MAX-1] = sizeof(u_int16_t),
558 static int ctnetlink_parse_nat_proto(struct nfattr *attr,
559 const struct nf_conn *ct,
560 struct ip_nat_range *range)
562 struct nfattr *tb[CTA_PROTONAT_MAX];
563 struct ip_nat_protocol *npt;
565 nfattr_parse_nested(tb, CTA_PROTONAT_MAX, attr);
567 if (nfattr_bad_size(tb, CTA_PROTONAT_MAX, cta_min_protonat))
570 npt = ip_nat_proto_find_get(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum);
572 if (!npt->nfattr_to_range) {
573 ip_nat_proto_put(npt);
577 /* nfattr_to_range returns 1 if it parsed, 0 if not, neg. on error */
578 if (npt->nfattr_to_range(tb, range) > 0)
579 range->flags |= IP_NAT_RANGE_PROTO_SPECIFIED;
581 ip_nat_proto_put(npt);
586 static const size_t cta_min_nat[CTA_NAT_MAX] = {
587 [CTA_NAT_MINIP-1] = sizeof(u_int32_t),
588 [CTA_NAT_MAXIP-1] = sizeof(u_int32_t),
592 ctnetlink_parse_nat(struct nfattr *nat,
593 const struct nf_conn *ct, struct ip_nat_range *range)
595 struct nfattr *tb[CTA_NAT_MAX];
598 memset(range, 0, sizeof(*range));
600 nfattr_parse_nested(tb, CTA_NAT_MAX, nat);
602 if (nfattr_bad_size(tb, CTA_NAT_MAX, cta_min_nat))
605 if (tb[CTA_NAT_MINIP-1])
606 range->min_ip = *(u_int32_t *)NFA_DATA(tb[CTA_NAT_MINIP-1]);
608 if (!tb[CTA_NAT_MAXIP-1])
609 range->max_ip = range->min_ip;
611 range->max_ip = *(u_int32_t *)NFA_DATA(tb[CTA_NAT_MAXIP-1]);
614 range->flags |= IP_NAT_RANGE_MAP_IPS;
616 if (!tb[CTA_NAT_PROTO-1])
619 err = ctnetlink_parse_nat_proto(tb[CTA_NAT_PROTO-1], ct, range);
628 ctnetlink_parse_help(struct nfattr *attr, char **helper_name)
630 struct nfattr *tb[CTA_HELP_MAX];
632 nfattr_parse_nested(tb, CTA_HELP_MAX, attr);
634 if (!tb[CTA_HELP_NAME-1])
637 *helper_name = NFA_DATA(tb[CTA_HELP_NAME-1]);
642 static const size_t cta_min[CTA_MAX] = {
643 [CTA_STATUS-1] = sizeof(u_int32_t),
644 [CTA_TIMEOUT-1] = sizeof(u_int32_t),
645 [CTA_MARK-1] = sizeof(u_int32_t),
646 [CTA_USE-1] = sizeof(u_int32_t),
647 [CTA_ID-1] = sizeof(u_int32_t)
651 ctnetlink_del_conntrack(struct sock *ctnl, struct sk_buff *skb,
652 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
654 struct nf_conntrack_tuple_hash *h;
655 struct nf_conntrack_tuple tuple;
657 struct nfgenmsg *nfmsg = NLMSG_DATA(nlh);
658 u_int8_t u3 = nfmsg->nfgen_family;
661 if (nfattr_bad_size(cda, CTA_MAX, cta_min))
664 if (cda[CTA_TUPLE_ORIG-1])
665 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, u3);
666 else if (cda[CTA_TUPLE_REPLY-1])
667 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY, u3);
669 /* Flush the whole table */
670 nf_conntrack_flush();
677 h = nf_conntrack_find_get(&tuple, NULL);
681 ct = nf_ct_tuplehash_to_ctrack(h);
684 u_int32_t id = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_ID-1]));
690 if (del_timer(&ct->timeout))
691 ct->timeout.function((unsigned long)ct);
699 ctnetlink_get_conntrack(struct sock *ctnl, struct sk_buff *skb,
700 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
702 struct nf_conntrack_tuple_hash *h;
703 struct nf_conntrack_tuple tuple;
705 struct sk_buff *skb2 = NULL;
706 struct nfgenmsg *nfmsg = NLMSG_DATA(nlh);
707 u_int8_t u3 = nfmsg->nfgen_family;
710 if (nlh->nlmsg_flags & NLM_F_DUMP) {
713 #ifndef CONFIG_NF_CT_ACCT
714 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == IPCTNL_MSG_CT_GET_CTRZERO)
717 if ((*errp = netlink_dump_start(ctnl, skb, nlh,
718 ctnetlink_dump_table,
719 ctnetlink_done)) != 0)
722 rlen = NLMSG_ALIGN(nlh->nlmsg_len);
729 if (nfattr_bad_size(cda, CTA_MAX, cta_min))
732 if (cda[CTA_TUPLE_ORIG-1])
733 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, u3);
734 else if (cda[CTA_TUPLE_REPLY-1])
735 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY, u3);
742 h = nf_conntrack_find_get(&tuple, NULL);
746 ct = nf_ct_tuplehash_to_ctrack(h);
749 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
754 NETLINK_CB(skb2).dst_pid = NETLINK_CB(skb).pid;
756 err = ctnetlink_fill_info(skb2, NETLINK_CB(skb).pid, nlh->nlmsg_seq,
757 IPCTNL_MSG_CT_NEW, 1, ct);
762 err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT);
775 ctnetlink_change_status(struct nf_conn *ct, struct nfattr *cda[])
778 unsigned status = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_STATUS-1]));
779 d = ct->status ^ status;
781 if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING))
785 if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY))
786 /* SEEN_REPLY bit can only be set */
790 if (d & IPS_ASSURED && !(status & IPS_ASSURED))
791 /* ASSURED bit can only be set */
794 if (cda[CTA_NAT_SRC-1] || cda[CTA_NAT_DST-1]) {
795 #ifndef CONFIG_IP_NF_NAT_NEEDED
798 struct ip_nat_range range;
800 if (cda[CTA_NAT_DST-1]) {
801 if (ctnetlink_parse_nat(cda[CTA_NAT_DST-1], ct,
804 if (ip_nat_initialized(ct,
805 HOOK2MANIP(NF_IP_PRE_ROUTING)))
807 ip_nat_setup_info(ct, &range, hooknum);
809 if (cda[CTA_NAT_SRC-1]) {
810 if (ctnetlink_parse_nat(cda[CTA_NAT_SRC-1], ct,
813 if (ip_nat_initialized(ct,
814 HOOK2MANIP(NF_IP_POST_ROUTING)))
816 ip_nat_setup_info(ct, &range, hooknum);
821 /* Be careful here, modifying NAT bits can screw up things,
822 * so don't let users modify them directly if they don't pass
824 ct->status |= status & ~(IPS_NAT_DONE_MASK | IPS_NAT_MASK);
830 ctnetlink_change_helper(struct nf_conn *ct, struct nfattr *cda[])
832 struct nf_conntrack_helper *helper;
833 struct nf_conn_help *help = nfct_help(ct);
838 /* FIXME: we need to reallocate and rehash */
842 /* don't change helper of sibling connections */
846 err = ctnetlink_parse_help(cda[CTA_HELP-1], &helpname);
850 helper = __nf_conntrack_helper_find_byname(helpname);
852 if (!strcmp(helpname, ""))
860 /* we had a helper before ... */
861 nf_ct_remove_expectations(ct);
864 /* need to zero data of old helper */
865 memset(&help->help, 0, sizeof(help->help));
869 help->helper = helper;
875 ctnetlink_change_timeout(struct nf_conn *ct, struct nfattr *cda[])
877 u_int32_t timeout = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_TIMEOUT-1]));
879 if (!del_timer(&ct->timeout))
882 ct->timeout.expires = jiffies + timeout * HZ;
883 add_timer(&ct->timeout);
889 ctnetlink_change_protoinfo(struct nf_conn *ct, struct nfattr *cda[])
891 struct nfattr *tb[CTA_PROTOINFO_MAX], *attr = cda[CTA_PROTOINFO-1];
892 struct nf_conntrack_protocol *proto;
893 u_int16_t npt = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum;
894 u_int16_t l3num = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
897 nfattr_parse_nested(tb, CTA_PROTOINFO_MAX, attr);
899 proto = nf_ct_proto_find_get(l3num, npt);
901 if (proto->from_nfattr)
902 err = proto->from_nfattr(tb, ct);
903 nf_ct_proto_put(proto);
909 ctnetlink_change_conntrack(struct nf_conn *ct, struct nfattr *cda[])
913 if (cda[CTA_HELP-1]) {
914 err = ctnetlink_change_helper(ct, cda);
919 if (cda[CTA_TIMEOUT-1]) {
920 err = ctnetlink_change_timeout(ct, cda);
925 if (cda[CTA_STATUS-1]) {
926 err = ctnetlink_change_status(ct, cda);
931 if (cda[CTA_PROTOINFO-1]) {
932 err = ctnetlink_change_protoinfo(ct, cda);
937 #if defined(CONFIG_NF_CONNTRACK_MARK)
939 ct->mark = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_MARK-1]));
946 ctnetlink_create_conntrack(struct nfattr *cda[],
947 struct nf_conntrack_tuple *otuple,
948 struct nf_conntrack_tuple *rtuple)
952 struct nf_conn_help *help;
954 ct = nf_conntrack_alloc(otuple, rtuple);
955 if (ct == NULL || IS_ERR(ct))
958 if (!cda[CTA_TIMEOUT-1])
960 ct->timeout.expires = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_TIMEOUT-1]));
962 ct->timeout.expires = jiffies + ct->timeout.expires * HZ;
963 ct->status |= IPS_CONFIRMED;
965 err = ctnetlink_change_status(ct, cda);
969 if (cda[CTA_PROTOINFO-1]) {
970 err = ctnetlink_change_protoinfo(ct, cda);
975 #if defined(CONFIG_NF_CONNTRACK_MARK)
977 ct->mark = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_MARK-1]));
980 help = nfct_help(ct);
982 help->helper = nf_ct_helper_find_get(rtuple);
984 add_timer(&ct->timeout);
985 nf_conntrack_hash_insert(ct);
987 if (help && help->helper)
988 nf_ct_helper_put(help->helper);
993 nf_conntrack_free(ct);
998 ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
999 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
1001 struct nf_conntrack_tuple otuple, rtuple;
1002 struct nf_conntrack_tuple_hash *h = NULL;
1003 struct nfgenmsg *nfmsg = NLMSG_DATA(nlh);
1004 u_int8_t u3 = nfmsg->nfgen_family;
1007 if (nfattr_bad_size(cda, CTA_MAX, cta_min))
1010 if (cda[CTA_TUPLE_ORIG-1]) {
1011 err = ctnetlink_parse_tuple(cda, &otuple, CTA_TUPLE_ORIG, u3);
1016 if (cda[CTA_TUPLE_REPLY-1]) {
1017 err = ctnetlink_parse_tuple(cda, &rtuple, CTA_TUPLE_REPLY, u3);
1022 write_lock_bh(&nf_conntrack_lock);
1023 if (cda[CTA_TUPLE_ORIG-1])
1024 h = __nf_conntrack_find(&otuple, NULL);
1025 else if (cda[CTA_TUPLE_REPLY-1])
1026 h = __nf_conntrack_find(&rtuple, NULL);
1029 write_unlock_bh(&nf_conntrack_lock);
1031 if (nlh->nlmsg_flags & NLM_F_CREATE)
1032 err = ctnetlink_create_conntrack(cda, &otuple, &rtuple);
1035 /* implicit 'else' */
1037 /* we only allow nat config for new conntracks */
1038 if (cda[CTA_NAT_SRC-1] || cda[CTA_NAT_DST-1]) {
1043 /* We manipulate the conntrack inside the global conntrack table lock,
1044 * so there's no need to increase the refcount */
1046 if (!(nlh->nlmsg_flags & NLM_F_EXCL))
1047 err = ctnetlink_change_conntrack(nf_ct_tuplehash_to_ctrack(h), cda);
1050 write_unlock_bh(&nf_conntrack_lock);
1054 /***********************************************************************
1056 ***********************************************************************/
1059 ctnetlink_exp_dump_tuple(struct sk_buff *skb,
1060 const struct nf_conntrack_tuple *tuple,
1061 enum ctattr_expect type)
1063 struct nfattr *nest_parms = NFA_NEST(skb, type);
1065 if (ctnetlink_dump_tuples(skb, tuple) < 0)
1066 goto nfattr_failure;
1068 NFA_NEST_END(skb, nest_parms);
1077 ctnetlink_exp_dump_mask(struct sk_buff *skb,
1078 const struct nf_conntrack_tuple *tuple,
1079 const struct nf_conntrack_tuple *mask)
1082 struct nf_conntrack_l3proto *l3proto;
1083 struct nf_conntrack_protocol *proto;
1084 struct nfattr *nest_parms = NFA_NEST(skb, CTA_EXPECT_MASK);
1086 l3proto = nf_ct_l3proto_find_get(tuple->src.l3num);
1087 ret = ctnetlink_dump_tuples_ip(skb, mask, l3proto);
1088 nf_ct_l3proto_put(l3proto);
1090 if (unlikely(ret < 0))
1091 goto nfattr_failure;
1093 proto = nf_ct_proto_find_get(tuple->src.l3num, tuple->dst.protonum);
1094 ret = ctnetlink_dump_tuples_proto(skb, mask, proto);
1095 nf_ct_proto_put(proto);
1096 if (unlikely(ret < 0))
1097 goto nfattr_failure;
1099 NFA_NEST_END(skb, nest_parms);
1108 ctnetlink_exp_dump_expect(struct sk_buff *skb,
1109 const struct nf_conntrack_expect *exp)
1111 struct nf_conn *master = exp->master;
1112 u_int32_t timeout = htonl((exp->timeout.expires - jiffies) / HZ);
1113 u_int32_t id = htonl(exp->id);
1115 if (ctnetlink_exp_dump_tuple(skb, &exp->tuple, CTA_EXPECT_TUPLE) < 0)
1116 goto nfattr_failure;
1117 if (ctnetlink_exp_dump_mask(skb, &exp->tuple, &exp->mask) < 0)
1118 goto nfattr_failure;
1119 if (ctnetlink_exp_dump_tuple(skb,
1120 &master->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
1121 CTA_EXPECT_MASTER) < 0)
1122 goto nfattr_failure;
1124 NFA_PUT(skb, CTA_EXPECT_TIMEOUT, sizeof(timeout), &timeout);
1125 NFA_PUT(skb, CTA_EXPECT_ID, sizeof(u_int32_t), &id);
1134 ctnetlink_exp_fill_info(struct sk_buff *skb, u32 pid, u32 seq,
1137 const struct nf_conntrack_expect *exp)
1139 struct nlmsghdr *nlh;
1140 struct nfgenmsg *nfmsg;
1145 event |= NFNL_SUBSYS_CTNETLINK_EXP << 8;
1146 nlh = NLMSG_PUT(skb, pid, seq, event, sizeof(struct nfgenmsg));
1147 nfmsg = NLMSG_DATA(nlh);
1149 nlh->nlmsg_flags = (nowait && pid) ? NLM_F_MULTI : 0;
1150 nfmsg->nfgen_family = exp->tuple.src.l3num;
1151 nfmsg->version = NFNETLINK_V0;
1154 if (ctnetlink_exp_dump_expect(skb, exp) < 0)
1155 goto nfattr_failure;
1157 nlh->nlmsg_len = skb->tail - b;
1162 skb_trim(skb, b - skb->data);
1166 #ifdef CONFIG_NF_CONNTRACK_EVENTS
1167 static int ctnetlink_expect_event(struct notifier_block *this,
1168 unsigned long events, void *ptr)
1170 struct nlmsghdr *nlh;
1171 struct nfgenmsg *nfmsg;
1172 struct nf_conntrack_expect *exp = (struct nf_conntrack_expect *)ptr;
1173 struct sk_buff *skb;
1178 if (events & IPEXP_NEW) {
1179 type = IPCTNL_MSG_EXP_NEW;
1180 flags = NLM_F_CREATE|NLM_F_EXCL;
1184 if (!nfnetlink_has_listeners(NFNLGRP_CONNTRACK_EXP_NEW))
1187 skb = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1193 type |= NFNL_SUBSYS_CTNETLINK_EXP << 8;
1194 nlh = NLMSG_PUT(skb, 0, 0, type, sizeof(struct nfgenmsg));
1195 nfmsg = NLMSG_DATA(nlh);
1197 nlh->nlmsg_flags = flags;
1198 nfmsg->nfgen_family = exp->tuple.src.l3num;
1199 nfmsg->version = NFNETLINK_V0;
1202 if (ctnetlink_exp_dump_expect(skb, exp) < 0)
1203 goto nfattr_failure;
1205 nlh->nlmsg_len = skb->tail - b;
1206 nfnetlink_send(skb, 0, NFNLGRP_CONNTRACK_EXP_NEW, 0);
1217 ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
1219 struct nf_conntrack_expect *exp = NULL;
1220 struct list_head *i;
1221 u_int32_t *id = (u_int32_t *) &cb->args[0];
1222 struct nfgenmsg *nfmsg = NLMSG_DATA(cb->nlh);
1223 u_int8_t l3proto = nfmsg->nfgen_family;
1225 read_lock_bh(&nf_conntrack_lock);
1226 list_for_each_prev(i, &nf_conntrack_expect_list) {
1227 exp = (struct nf_conntrack_expect *) i;
1228 if (l3proto && exp->tuple.src.l3num != l3proto)
1232 if (ctnetlink_exp_fill_info(skb, NETLINK_CB(cb->skb).pid,
1240 read_unlock_bh(&nf_conntrack_lock);
1245 static const size_t cta_min_exp[CTA_EXPECT_MAX] = {
1246 [CTA_EXPECT_TIMEOUT-1] = sizeof(u_int32_t),
1247 [CTA_EXPECT_ID-1] = sizeof(u_int32_t)
1251 ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb,
1252 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
1254 struct nf_conntrack_tuple tuple;
1255 struct nf_conntrack_expect *exp;
1256 struct sk_buff *skb2;
1257 struct nfgenmsg *nfmsg = NLMSG_DATA(nlh);
1258 u_int8_t u3 = nfmsg->nfgen_family;
1261 if (nfattr_bad_size(cda, CTA_EXPECT_MAX, cta_min_exp))
1264 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1267 if ((*errp = netlink_dump_start(ctnl, skb, nlh,
1268 ctnetlink_exp_dump_table,
1269 ctnetlink_done)) != 0)
1271 rlen = NLMSG_ALIGN(nlh->nlmsg_len);
1272 if (rlen > skb->len)
1274 skb_pull(skb, rlen);
1278 if (cda[CTA_EXPECT_MASTER-1])
1279 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER, u3);
1286 exp = nf_conntrack_expect_find(&tuple);
1290 if (cda[CTA_EXPECT_ID-1]) {
1291 u_int32_t id = *(u_int32_t *)NFA_DATA(cda[CTA_EXPECT_ID-1]);
1292 if (exp->id != ntohl(id)) {
1293 nf_conntrack_expect_put(exp);
1299 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1302 NETLINK_CB(skb2).dst_pid = NETLINK_CB(skb).pid;
1304 err = ctnetlink_exp_fill_info(skb2, NETLINK_CB(skb).pid,
1305 nlh->nlmsg_seq, IPCTNL_MSG_EXP_NEW,
1310 nf_conntrack_expect_put(exp);
1312 return netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT);
1317 nf_conntrack_expect_put(exp);
1322 ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb,
1323 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
1325 struct nf_conntrack_expect *exp, *tmp;
1326 struct nf_conntrack_tuple tuple;
1327 struct nf_conntrack_helper *h;
1328 struct nfgenmsg *nfmsg = NLMSG_DATA(nlh);
1329 u_int8_t u3 = nfmsg->nfgen_family;
1332 if (nfattr_bad_size(cda, CTA_EXPECT_MAX, cta_min_exp))
1335 if (cda[CTA_EXPECT_TUPLE-1]) {
1336 /* delete a single expect by tuple */
1337 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, u3);
1341 /* bump usage count to 2 */
1342 exp = nf_conntrack_expect_find(&tuple);
1346 if (cda[CTA_EXPECT_ID-1]) {
1348 *(u_int32_t *)NFA_DATA(cda[CTA_EXPECT_ID-1]);
1349 if (exp->id != ntohl(id)) {
1350 nf_conntrack_expect_put(exp);
1355 /* after list removal, usage count == 1 */
1356 nf_conntrack_unexpect_related(exp);
1357 /* have to put what we 'get' above.
1358 * after this line usage count == 0 */
1359 nf_conntrack_expect_put(exp);
1360 } else if (cda[CTA_EXPECT_HELP_NAME-1]) {
1361 char *name = NFA_DATA(cda[CTA_EXPECT_HELP_NAME-1]);
1363 /* delete all expectations for this helper */
1364 write_lock_bh(&nf_conntrack_lock);
1365 h = __nf_conntrack_helper_find_byname(name);
1367 write_unlock_bh(&nf_conntrack_lock);
1370 list_for_each_entry_safe(exp, tmp, &nf_conntrack_expect_list,
1372 struct nf_conn_help *m_help = nfct_help(exp->master);
1373 if (m_help->helper == h
1374 && del_timer(&exp->timeout)) {
1375 nf_ct_unlink_expect(exp);
1376 nf_conntrack_expect_put(exp);
1379 write_unlock_bh(&nf_conntrack_lock);
1381 /* This basically means we have to flush everything*/
1382 write_lock_bh(&nf_conntrack_lock);
1383 list_for_each_entry_safe(exp, tmp, &nf_conntrack_expect_list,
1385 if (del_timer(&exp->timeout)) {
1386 nf_ct_unlink_expect(exp);
1387 nf_conntrack_expect_put(exp);
1390 write_unlock_bh(&nf_conntrack_lock);
1396 ctnetlink_change_expect(struct nf_conntrack_expect *x, struct nfattr *cda[])
1402 ctnetlink_create_expect(struct nfattr *cda[], u_int8_t u3)
1404 struct nf_conntrack_tuple tuple, mask, master_tuple;
1405 struct nf_conntrack_tuple_hash *h = NULL;
1406 struct nf_conntrack_expect *exp;
1408 struct nf_conn_help *help;
1411 /* caller guarantees that those three CTA_EXPECT_* exist */
1412 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, u3);
1415 err = ctnetlink_parse_tuple(cda, &mask, CTA_EXPECT_MASK, u3);
1418 err = ctnetlink_parse_tuple(cda, &master_tuple, CTA_EXPECT_MASTER, u3);
1422 /* Look for master conntrack of this expectation */
1423 h = nf_conntrack_find_get(&master_tuple, NULL);
1426 ct = nf_ct_tuplehash_to_ctrack(h);
1427 help = nfct_help(ct);
1429 if (!help || !help->helper) {
1430 /* such conntrack hasn't got any helper, abort */
1435 exp = nf_conntrack_expect_alloc(ct);
1441 exp->expectfn = NULL;
1444 memcpy(&exp->tuple, &tuple, sizeof(struct nf_conntrack_tuple));
1445 memcpy(&exp->mask, &mask, sizeof(struct nf_conntrack_tuple));
1447 err = nf_conntrack_expect_related(exp);
1448 nf_conntrack_expect_put(exp);
1451 nf_ct_put(nf_ct_tuplehash_to_ctrack(h));
1456 ctnetlink_new_expect(struct sock *ctnl, struct sk_buff *skb,
1457 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
1459 struct nf_conntrack_tuple tuple;
1460 struct nf_conntrack_expect *exp;
1461 struct nfgenmsg *nfmsg = NLMSG_DATA(nlh);
1462 u_int8_t u3 = nfmsg->nfgen_family;
1465 if (nfattr_bad_size(cda, CTA_EXPECT_MAX, cta_min_exp))
1468 if (!cda[CTA_EXPECT_TUPLE-1]
1469 || !cda[CTA_EXPECT_MASK-1]
1470 || !cda[CTA_EXPECT_MASTER-1])
1473 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, u3);
1477 write_lock_bh(&nf_conntrack_lock);
1478 exp = __nf_conntrack_expect_find(&tuple);
1481 write_unlock_bh(&nf_conntrack_lock);
1483 if (nlh->nlmsg_flags & NLM_F_CREATE)
1484 err = ctnetlink_create_expect(cda, u3);
1489 if (!(nlh->nlmsg_flags & NLM_F_EXCL))
1490 err = ctnetlink_change_expect(exp, cda);
1491 write_unlock_bh(&nf_conntrack_lock);
1496 #ifdef CONFIG_NF_CONNTRACK_EVENTS
1497 static struct notifier_block ctnl_notifier = {
1498 .notifier_call = ctnetlink_conntrack_event,
1501 static struct notifier_block ctnl_notifier_exp = {
1502 .notifier_call = ctnetlink_expect_event,
1506 static struct nfnl_callback ctnl_cb[IPCTNL_MSG_MAX] = {
1507 [IPCTNL_MSG_CT_NEW] = { .call = ctnetlink_new_conntrack,
1508 .attr_count = CTA_MAX, },
1509 [IPCTNL_MSG_CT_GET] = { .call = ctnetlink_get_conntrack,
1510 .attr_count = CTA_MAX, },
1511 [IPCTNL_MSG_CT_DELETE] = { .call = ctnetlink_del_conntrack,
1512 .attr_count = CTA_MAX, },
1513 [IPCTNL_MSG_CT_GET_CTRZERO] = { .call = ctnetlink_get_conntrack,
1514 .attr_count = CTA_MAX, },
1517 static struct nfnl_callback ctnl_exp_cb[IPCTNL_MSG_EXP_MAX] = {
1518 [IPCTNL_MSG_EXP_GET] = { .call = ctnetlink_get_expect,
1519 .attr_count = CTA_EXPECT_MAX, },
1520 [IPCTNL_MSG_EXP_NEW] = { .call = ctnetlink_new_expect,
1521 .attr_count = CTA_EXPECT_MAX, },
1522 [IPCTNL_MSG_EXP_DELETE] = { .call = ctnetlink_del_expect,
1523 .attr_count = CTA_EXPECT_MAX, },
1526 static struct nfnetlink_subsystem ctnl_subsys = {
1527 .name = "conntrack",
1528 .subsys_id = NFNL_SUBSYS_CTNETLINK,
1529 .cb_count = IPCTNL_MSG_MAX,
1533 static struct nfnetlink_subsystem ctnl_exp_subsys = {
1534 .name = "conntrack_expect",
1535 .subsys_id = NFNL_SUBSYS_CTNETLINK_EXP,
1536 .cb_count = IPCTNL_MSG_EXP_MAX,
1540 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK);
1541 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK_EXP);
1543 static int __init ctnetlink_init(void)
1547 printk("ctnetlink v%s: registering with nfnetlink.\n", version);
1548 ret = nfnetlink_subsys_register(&ctnl_subsys);
1550 printk("ctnetlink_init: cannot register with nfnetlink.\n");
1554 ret = nfnetlink_subsys_register(&ctnl_exp_subsys);
1556 printk("ctnetlink_init: cannot register exp with nfnetlink.\n");
1557 goto err_unreg_subsys;
1560 #ifdef CONFIG_NF_CONNTRACK_EVENTS
1561 ret = nf_conntrack_register_notifier(&ctnl_notifier);
1563 printk("ctnetlink_init: cannot register notifier.\n");
1564 goto err_unreg_exp_subsys;
1567 ret = nf_conntrack_expect_register_notifier(&ctnl_notifier_exp);
1569 printk("ctnetlink_init: cannot expect register notifier.\n");
1570 goto err_unreg_notifier;
1576 #ifdef CONFIG_NF_CONNTRACK_EVENTS
1578 nf_conntrack_unregister_notifier(&ctnl_notifier);
1579 err_unreg_exp_subsys:
1580 nfnetlink_subsys_unregister(&ctnl_exp_subsys);
1583 nfnetlink_subsys_unregister(&ctnl_subsys);
1588 static void __exit ctnetlink_exit(void)
1590 printk("ctnetlink: unregistering from nfnetlink.\n");
1592 #ifdef CONFIG_NF_CONNTRACK_EVENTS
1593 nf_conntrack_expect_unregister_notifier(&ctnl_notifier_exp);
1594 nf_conntrack_unregister_notifier(&ctnl_notifier);
1597 nfnetlink_subsys_unregister(&ctnl_exp_subsys);
1598 nfnetlink_subsys_unregister(&ctnl_subsys);
1602 module_init(ctnetlink_init);
1603 module_exit(ctnetlink_exit);
projects / mv-sheeva.git / blob