linux/net/netfilter/nf_conntrack_netlink.c
<<
>>
Prefs
   1/* Connection tracking via netlink socket. Allows for user space
   2 * protocol helpers and general trouble making from userspace.
   3 *
   4 * (C) 2001 by Jay Schulist <jschlst@samba.org>
   5 * (C) 2002-2006 by Harald Welte <laforge@gnumonks.org>
   6 * (C) 2003 by Patrick Mchardy <kaber@trash.net>
   7 * (C) 2005-2012 by Pablo Neira Ayuso <pablo@netfilter.org>
   8 *
   9 * Initial connection tracking via netlink development funded and
  10 * generally made possible by Network Robots, Inc. (www.networkrobots.com)
  11 *
  12 * Further development of this code funded by Astaro AG (http://www.astaro.com)
  13 *
  14 * This software may be used and distributed according to the terms
  15 * of the GNU General Public License, incorporated herein by reference.
  16 */
  17
  18#include <linux/init.h>
  19#include <linux/module.h>
  20#include <linux/kernel.h>
  21#include <linux/rculist.h>
  22#include <linux/rculist_nulls.h>
  23#include <linux/types.h>
  24#include <linux/timer.h>
  25#include <linux/security.h>
  26#include <linux/skbuff.h>
  27#include <linux/errno.h>
  28#include <linux/netlink.h>
  29#include <linux/spinlock.h>
  30#include <linux/interrupt.h>
  31#include <linux/slab.h>
  32
  33#include <linux/netfilter.h>
  34#include <net/netlink.h>
  35#include <net/sock.h>
  36#include <net/netfilter/nf_conntrack.h>
  37#include <net/netfilter/nf_conntrack_core.h>
  38#include <net/netfilter/nf_conntrack_expect.h>
  39#include <net/netfilter/nf_conntrack_helper.h>
  40#include <net/netfilter/nf_conntrack_l3proto.h>
  41#include <net/netfilter/nf_conntrack_l4proto.h>
  42#include <net/netfilter/nf_conntrack_tuple.h>
  43#include <net/netfilter/nf_conntrack_acct.h>
  44#include <net/netfilter/nf_conntrack_zones.h>
  45#include <net/netfilter/nf_conntrack_timestamp.h>
  46#ifdef CONFIG_NF_NAT_NEEDED
  47#include <net/netfilter/nf_nat_core.h>
  48#include <net/netfilter/nf_nat_l4proto.h>
  49#include <net/netfilter/nf_nat_helper.h>
  50#endif
  51
  52#include <linux/netfilter/nfnetlink.h>
  53#include <linux/netfilter/nfnetlink_conntrack.h>
  54
  55MODULE_LICENSE("GPL");
  56
  57static char __initdata version[] = "0.93";
  58
  59static inline int
  60ctnetlink_dump_tuples_proto(struct sk_buff *skb,
  61                            const struct nf_conntrack_tuple *tuple,
  62                            struct nf_conntrack_l4proto *l4proto)
  63{
  64        int ret = 0;
  65        struct nlattr *nest_parms;
  66
  67        nest_parms = nla_nest_start(skb, CTA_TUPLE_PROTO | NLA_F_NESTED);
  68        if (!nest_parms)
  69                goto nla_put_failure;
  70        if (nla_put_u8(skb, CTA_PROTO_NUM, tuple->dst.protonum))
  71                goto nla_put_failure;
  72
  73        if (likely(l4proto->tuple_to_nlattr))
  74                ret = l4proto->tuple_to_nlattr(skb, tuple);
  75
  76        nla_nest_end(skb, nest_parms);
  77
  78        return ret;
  79
  80nla_put_failure:
  81        return -1;
  82}
  83
  84static inline int
  85ctnetlink_dump_tuples_ip(struct sk_buff *skb,
  86                         const struct nf_conntrack_tuple *tuple,
  87                         struct nf_conntrack_l3proto *l3proto)
  88{
  89        int ret = 0;
  90        struct nlattr *nest_parms;
  91
  92        nest_parms = nla_nest_start(skb, CTA_TUPLE_IP | NLA_F_NESTED);
  93        if (!nest_parms)
  94                goto nla_put_failure;
  95
  96        if (likely(l3proto->tuple_to_nlattr))
  97                ret = l3proto->tuple_to_nlattr(skb, tuple);
  98
  99        nla_nest_end(skb, nest_parms);
 100
 101        return ret;
 102
 103nla_put_failure:
 104        return -1;
 105}
 106
 107static int
 108ctnetlink_dump_tuples(struct sk_buff *skb,
 109                      const struct nf_conntrack_tuple *tuple)
 110{
 111        int ret;
 112        struct nf_conntrack_l3proto *l3proto;
 113        struct nf_conntrack_l4proto *l4proto;
 114
 115        rcu_read_lock();
 116        l3proto = __nf_ct_l3proto_find(tuple->src.l3num);
 117        ret = ctnetlink_dump_tuples_ip(skb, tuple, l3proto);
 118
 119        if (ret >= 0) {
 120                l4proto = __nf_ct_l4proto_find(tuple->src.l3num,
 121                                               tuple->dst.protonum);
 122                ret = ctnetlink_dump_tuples_proto(skb, tuple, l4proto);
 123        }
 124        rcu_read_unlock();
 125        return ret;
 126}
 127
 128static inline int
 129ctnetlink_dump_status(struct sk_buff *skb, const struct nf_conn *ct)
 130{
 131        if (nla_put_be32(skb, CTA_STATUS, htonl(ct->status)))
 132                goto nla_put_failure;
 133        return 0;
 134
 135nla_put_failure:
 136        return -1;
 137}
 138
 139static inline int
 140ctnetlink_dump_timeout(struct sk_buff *skb, const struct nf_conn *ct)
 141{
 142        long timeout = ((long)ct->timeout.expires - (long)jiffies) / HZ;
 143
 144        if (timeout < 0)
 145                timeout = 0;
 146
 147        if (nla_put_be32(skb, CTA_TIMEOUT, htonl(timeout)))
 148                goto nla_put_failure;
 149        return 0;
 150
 151nla_put_failure:
 152        return -1;
 153}
 154
 155static inline int
 156ctnetlink_dump_protoinfo(struct sk_buff *skb, struct nf_conn *ct)
 157{
 158        struct nf_conntrack_l4proto *l4proto;
 159        struct nlattr *nest_proto;
 160        int ret;
 161
 162        l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
 163        if (!l4proto->to_nlattr)
 164                return 0;
 165
 166        nest_proto = nla_nest_start(skb, CTA_PROTOINFO | NLA_F_NESTED);
 167        if (!nest_proto)
 168                goto nla_put_failure;
 169
 170        ret = l4proto->to_nlattr(skb, nest_proto, ct);
 171
 172        nla_nest_end(skb, nest_proto);
 173
 174        return ret;
 175
 176nla_put_failure:
 177        return -1;
 178}
 179
 180static inline int
 181ctnetlink_dump_helpinfo(struct sk_buff *skb, const struct nf_conn *ct)
 182{
 183        struct nlattr *nest_helper;
 184        const struct nf_conn_help *help = nfct_help(ct);
 185        struct nf_conntrack_helper *helper;
 186
 187        if (!help)
 188                return 0;
 189
 190        helper = rcu_dereference(help->helper);
 191        if (!helper)
 192                goto out;
 193
 194        nest_helper = nla_nest_start(skb, CTA_HELP | NLA_F_NESTED);
 195        if (!nest_helper)
 196                goto nla_put_failure;
 197        if (nla_put_string(skb, CTA_HELP_NAME, helper->name))
 198                goto nla_put_failure;
 199
 200        if (helper->to_nlattr)
 201                helper->to_nlattr(skb, ct);
 202
 203        nla_nest_end(skb, nest_helper);
 204out:
 205        return 0;
 206
 207nla_put_failure:
 208        return -1;
 209}
 210
 211static int
 212dump_counters(struct sk_buff *skb, u64 pkts, u64 bytes,
 213              enum ip_conntrack_dir dir)
 214{
 215        enum ctattr_type type = dir ? CTA_COUNTERS_REPLY: CTA_COUNTERS_ORIG;
 216        struct nlattr *nest_count;
 217
 218        nest_count = nla_nest_start(skb, type | NLA_F_NESTED);
 219        if (!nest_count)
 220                goto nla_put_failure;
 221
 222        if (nla_put_be64(skb, CTA_COUNTERS_PACKETS, cpu_to_be64(pkts)) ||
 223            nla_put_be64(skb, CTA_COUNTERS_BYTES, cpu_to_be64(bytes)))
 224                goto nla_put_failure;
 225
 226        nla_nest_end(skb, nest_count);
 227
 228        return 0;
 229
 230nla_put_failure:
 231        return -1;
 232}
 233
 234static int
 235ctnetlink_dump_counters(struct sk_buff *skb, const struct nf_conn *ct,
 236                        enum ip_conntrack_dir dir, int type)
 237{
 238        struct nf_conn_counter *acct;
 239        u64 pkts, bytes;
 240
 241        acct = nf_conn_acct_find(ct);
 242        if (!acct)
 243                return 0;
 244
 245        if (type == IPCTNL_MSG_CT_GET_CTRZERO) {
 246                pkts = atomic64_xchg(&acct[dir].packets, 0);
 247                bytes = atomic64_xchg(&acct[dir].bytes, 0);
 248        } else {
 249                pkts = atomic64_read(&acct[dir].packets);
 250                bytes = atomic64_read(&acct[dir].bytes);
 251        }
 252        return dump_counters(skb, pkts, bytes, dir);
 253}
 254
 255static int
 256ctnetlink_dump_timestamp(struct sk_buff *skb, const struct nf_conn *ct)
 257{
 258        struct nlattr *nest_count;
 259        const struct nf_conn_tstamp *tstamp;
 260
 261        tstamp = nf_conn_tstamp_find(ct);
 262        if (!tstamp)
 263                return 0;
 264
 265        nest_count = nla_nest_start(skb, CTA_TIMESTAMP | NLA_F_NESTED);
 266        if (!nest_count)
 267                goto nla_put_failure;
 268
 269        if (nla_put_be64(skb, CTA_TIMESTAMP_START, cpu_to_be64(tstamp->start)) ||
 270            (tstamp->stop != 0 && nla_put_be64(skb, CTA_TIMESTAMP_STOP,
 271                                               cpu_to_be64(tstamp->stop))))
 272                goto nla_put_failure;
 273        nla_nest_end(skb, nest_count);
 274
 275        return 0;
 276
 277nla_put_failure:
 278        return -1;
 279}
 280
 281#ifdef CONFIG_NF_CONNTRACK_MARK
 282static inline int
 283ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct)
 284{
 285        if (nla_put_be32(skb, CTA_MARK, htonl(ct->mark)))
 286                goto nla_put_failure;
 287        return 0;
 288
 289nla_put_failure:
 290        return -1;
 291}
 292#else
 293#define ctnetlink_dump_mark(a, b) (0)
 294#endif
 295
 296#ifdef CONFIG_NF_CONNTRACK_SECMARK
 297static inline int
 298ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
 299{
 300        struct nlattr *nest_secctx;
 301        int len, ret;
 302        char *secctx;
 303
 304        ret = security_secid_to_secctx(ct->secmark, &secctx, &len);
 305        if (ret)
 306                return 0;
 307
 308        ret = -1;
 309        nest_secctx = nla_nest_start(skb, CTA_SECCTX | NLA_F_NESTED);
 310        if (!nest_secctx)
 311                goto nla_put_failure;
 312
 313        if (nla_put_string(skb, CTA_SECCTX_NAME, secctx))
 314                goto nla_put_failure;
 315        nla_nest_end(skb, nest_secctx);
 316
 317        ret = 0;
 318nla_put_failure:
 319        security_release_secctx(secctx, len);
 320        return ret;
 321}
 322#else
 323#define ctnetlink_dump_secctx(a, b) (0)
 324#endif
 325
 326#define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple)
 327
 328static inline int
 329ctnetlink_dump_master(struct sk_buff *skb, const struct nf_conn *ct)
 330{
 331        struct nlattr *nest_parms;
 332
 333        if (!(ct->status & IPS_EXPECTED))
 334                return 0;
 335
 336        nest_parms = nla_nest_start(skb, CTA_TUPLE_MASTER | NLA_F_NESTED);
 337        if (!nest_parms)
 338                goto nla_put_failure;
 339        if (ctnetlink_dump_tuples(skb, master_tuple(ct)) < 0)
 340                goto nla_put_failure;
 341        nla_nest_end(skb, nest_parms);
 342
 343        return 0;
 344
 345nla_put_failure:
 346        return -1;
 347}
 348
 349#ifdef CONFIG_NF_NAT_NEEDED
 350static int
 351dump_nat_seq_adj(struct sk_buff *skb, const struct nf_nat_seq *natseq, int type)
 352{
 353        struct nlattr *nest_parms;
 354
 355        nest_parms = nla_nest_start(skb, type | NLA_F_NESTED);
 356        if (!nest_parms)
 357                goto nla_put_failure;
 358
 359        if (nla_put_be32(skb, CTA_NAT_SEQ_CORRECTION_POS,
 360                         htonl(natseq->correction_pos)) ||
 361            nla_put_be32(skb, CTA_NAT_SEQ_OFFSET_BEFORE,
 362                         htonl(natseq->offset_before)) ||
 363            nla_put_be32(skb, CTA_NAT_SEQ_OFFSET_AFTER,
 364                         htonl(natseq->offset_after)))
 365                goto nla_put_failure;
 366
 367        nla_nest_end(skb, nest_parms);
 368
 369        return 0;
 370
 371nla_put_failure:
 372        return -1;
 373}
 374
 375static inline int
 376ctnetlink_dump_nat_seq_adj(struct sk_buff *skb, const struct nf_conn *ct)
 377{
 378        struct nf_nat_seq *natseq;
 379        struct nf_conn_nat *nat = nfct_nat(ct);
 380
 381        if (!(ct->status & IPS_SEQ_ADJUST) || !nat)
 382                return 0;
 383
 384        natseq = &nat->seq[IP_CT_DIR_ORIGINAL];
 385        if (dump_nat_seq_adj(skb, natseq, CTA_NAT_SEQ_ADJ_ORIG) == -1)
 386                return -1;
 387
 388        natseq = &nat->seq[IP_CT_DIR_REPLY];
 389        if (dump_nat_seq_adj(skb, natseq, CTA_NAT_SEQ_ADJ_REPLY) == -1)
 390                return -1;
 391
 392        return 0;
 393}
 394#else
 395#define ctnetlink_dump_nat_seq_adj(a, b) (0)
 396#endif
 397
 398static inline int
 399ctnetlink_dump_id(struct sk_buff *skb, const struct nf_conn *ct)
 400{
 401        if (nla_put_be32(skb, CTA_ID, htonl((unsigned long)ct)))
 402                goto nla_put_failure;
 403        return 0;
 404
 405nla_put_failure:
 406        return -1;
 407}
 408
 409static inline int
 410ctnetlink_dump_use(struct sk_buff *skb, const struct nf_conn *ct)
 411{
 412        if (nla_put_be32(skb, CTA_USE, htonl(atomic_read(&ct->ct_general.use))))
 413                goto nla_put_failure;
 414        return 0;
 415
 416nla_put_failure:
 417        return -1;
 418}
 419
 420static int
 421ctnetlink_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
 422                    struct nf_conn *ct)
 423{
 424        struct nlmsghdr *nlh;
 425        struct nfgenmsg *nfmsg;
 426        struct nlattr *nest_parms;
 427        unsigned int flags = portid ? NLM_F_MULTI : 0, event;
 428
 429        event = (NFNL_SUBSYS_CTNETLINK << 8 | IPCTNL_MSG_CT_NEW);
 430        nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
 431        if (nlh == NULL)
 432                goto nlmsg_failure;
 433
 434        nfmsg = nlmsg_data(nlh);
 435        nfmsg->nfgen_family = nf_ct_l3num(ct);
 436        nfmsg->version      = NFNETLINK_V0;
 437        nfmsg->res_id       = 0;
 438
 439        nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED);
 440        if (!nest_parms)
 441                goto nla_put_failure;
 442        if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
 443                goto nla_put_failure;
 444        nla_nest_end(skb, nest_parms);
 445
 446        nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY | NLA_F_NESTED);
 447        if (!nest_parms)
 448                goto nla_put_failure;
 449        if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
 450                goto nla_put_failure;
 451        nla_nest_end(skb, nest_parms);
 452
 453        if (nf_ct_zone(ct) &&
 454            nla_put_be16(skb, CTA_ZONE, htons(nf_ct_zone(ct))))
 455                goto nla_put_failure;
 456
 457        if (ctnetlink_dump_status(skb, ct) < 0 ||
 458            ctnetlink_dump_timeout(skb, ct) < 0 ||
 459            ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL, type) < 0 ||
 460            ctnetlink_dump_counters(skb, ct, IP_CT_DIR_REPLY, type) < 0 ||
 461            ctnetlink_dump_timestamp(skb, ct) < 0 ||
 462            ctnetlink_dump_protoinfo(skb, ct) < 0 ||
 463            ctnetlink_dump_helpinfo(skb, ct) < 0 ||
 464            ctnetlink_dump_mark(skb, ct) < 0 ||
 465            ctnetlink_dump_secctx(skb, ct) < 0 ||
 466            ctnetlink_dump_id(skb, ct) < 0 ||
 467            ctnetlink_dump_use(skb, ct) < 0 ||
 468            ctnetlink_dump_master(skb, ct) < 0 ||
 469            ctnetlink_dump_nat_seq_adj(skb, ct) < 0)
 470                goto nla_put_failure;
 471
 472        nlmsg_end(skb, nlh);
 473        return skb->len;
 474
 475nlmsg_failure:
 476nla_put_failure:
 477        nlmsg_cancel(skb, nlh);
 478        return -1;
 479}
 480
 481static inline size_t
 482ctnetlink_proto_size(const struct nf_conn *ct)
 483{
 484        struct nf_conntrack_l3proto *l3proto;
 485        struct nf_conntrack_l4proto *l4proto;
 486        size_t len = 0;
 487
 488        rcu_read_lock();
 489        l3proto = __nf_ct_l3proto_find(nf_ct_l3num(ct));
 490        len += l3proto->nla_size;
 491
 492        l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
 493        len += l4proto->nla_size;
 494        rcu_read_unlock();
 495
 496        return len;
 497}
 498
 499static inline size_t
 500ctnetlink_counters_size(const struct nf_conn *ct)
 501{
 502        if (!nf_ct_ext_exist(ct, NF_CT_EXT_ACCT))
 503                return 0;
 504        return 2 * nla_total_size(0) /* CTA_COUNTERS_ORIG|REPL */
 505               + 2 * nla_total_size(sizeof(uint64_t)) /* CTA_COUNTERS_PACKETS */
 506               + 2 * nla_total_size(sizeof(uint64_t)) /* CTA_COUNTERS_BYTES */
 507               ;
 508}
 509
 510static inline int
 511ctnetlink_secctx_size(const struct nf_conn *ct)
 512{
 513#ifdef CONFIG_NF_CONNTRACK_SECMARK
 514        int len, ret;
 515
 516        ret = security_secid_to_secctx(ct->secmark, NULL, &len);
 517        if (ret)
 518                return 0;
 519
 520        return nla_total_size(0) /* CTA_SECCTX */
 521               + nla_total_size(sizeof(char) * len); /* CTA_SECCTX_NAME */
 522#else
 523        return 0;
 524#endif
 525}
 526
 527static inline size_t
 528ctnetlink_timestamp_size(const struct nf_conn *ct)
 529{
 530#ifdef CONFIG_NF_CONNTRACK_TIMESTAMP
 531        if (!nf_ct_ext_exist(ct, NF_CT_EXT_TSTAMP))
 532                return 0;
 533        return nla_total_size(0) + 2 * nla_total_size(sizeof(uint64_t));
 534#else
 535        return 0;
 536#endif
 537}
 538
 539static inline size_t
 540ctnetlink_nlmsg_size(const struct nf_conn *ct)
 541{
 542        return NLMSG_ALIGN(sizeof(struct nfgenmsg))
 543               + 3 * nla_total_size(0) /* CTA_TUPLE_ORIG|REPL|MASTER */
 544               + 3 * nla_total_size(0) /* CTA_TUPLE_IP */
 545               + 3 * nla_total_size(0) /* CTA_TUPLE_PROTO */
 546               + 3 * nla_total_size(sizeof(u_int8_t)) /* CTA_PROTO_NUM */
 547               + nla_total_size(sizeof(u_int32_t)) /* CTA_ID */
 548               + nla_total_size(sizeof(u_int32_t)) /* CTA_STATUS */
 549               + ctnetlink_counters_size(ct)
 550               + ctnetlink_timestamp_size(ct)
 551               + nla_total_size(sizeof(u_int32_t)) /* CTA_TIMEOUT */
 552               + nla_total_size(0) /* CTA_PROTOINFO */
 553               + nla_total_size(0) /* CTA_HELP */
 554               + nla_total_size(NF_CT_HELPER_NAME_LEN) /* CTA_HELP_NAME */
 555               + ctnetlink_secctx_size(ct)
 556#ifdef CONFIG_NF_NAT_NEEDED
 557               + 2 * nla_total_size(0) /* CTA_NAT_SEQ_ADJ_ORIG|REPL */
 558               + 6 * nla_total_size(sizeof(u_int32_t)) /* CTA_NAT_SEQ_OFFSET */
 559#endif
 560#ifdef CONFIG_NF_CONNTRACK_MARK
 561               + nla_total_size(sizeof(u_int32_t)) /* CTA_MARK */
 562#endif
 563               + ctnetlink_proto_size(ct)
 564               ;
 565}
 566
 567#ifdef CONFIG_NF_CONNTRACK_EVENTS
 568static int
 569ctnetlink_conntrack_event(unsigned int events, struct nf_ct_event *item)
 570{
 571        struct net *net;
 572        struct nlmsghdr *nlh;
 573        struct nfgenmsg *nfmsg;
 574        struct nlattr *nest_parms;
 575        struct nf_conn *ct = item->ct;
 576        struct sk_buff *skb;
 577        unsigned int type;
 578        unsigned int flags = 0, group;
 579        int err;
 580
 581        /* ignore our fake conntrack entry */
 582        if (nf_ct_is_untracked(ct))
 583                return 0;
 584
 585        if (events & (1 << IPCT_DESTROY)) {
 586                type = IPCTNL_MSG_CT_DELETE;
 587                group = NFNLGRP_CONNTRACK_DESTROY;
 588        } else  if (events & ((1 << IPCT_NEW) | (1 << IPCT_RELATED))) {
 589                type = IPCTNL_MSG_CT_NEW;
 590                flags = NLM_F_CREATE|NLM_F_EXCL;
 591                group = NFNLGRP_CONNTRACK_NEW;
 592        } else  if (events) {
 593                type = IPCTNL_MSG_CT_NEW;
 594                group = NFNLGRP_CONNTRACK_UPDATE;
 595        } else
 596                return 0;
 597
 598        net = nf_ct_net(ct);
 599        if (!item->report && !nfnetlink_has_listeners(net, group))
 600                return 0;
 601
 602        skb = nlmsg_new(ctnetlink_nlmsg_size(ct), GFP_ATOMIC);
 603        if (skb == NULL)
 604                goto errout;
 605
 606        type |= NFNL_SUBSYS_CTNETLINK << 8;
 607        nlh = nlmsg_put(skb, item->portid, 0, type, sizeof(*nfmsg), flags);
 608        if (nlh == NULL)
 609                goto nlmsg_failure;
 610
 611        nfmsg = nlmsg_data(nlh);
 612        nfmsg->nfgen_family = nf_ct_l3num(ct);
 613        nfmsg->version  = NFNETLINK_V0;
 614        nfmsg->res_id   = 0;
 615
 616        rcu_read_lock();
 617        nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED);
 618        if (!nest_parms)
 619                goto nla_put_failure;
 620        if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
 621                goto nla_put_failure;
 622        nla_nest_end(skb, nest_parms);
 623
 624        nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY | NLA_F_NESTED);
 625        if (!nest_parms)
 626                goto nla_put_failure;
 627        if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
 628                goto nla_put_failure;
 629        nla_nest_end(skb, nest_parms);
 630
 631        if (nf_ct_zone(ct) &&
 632            nla_put_be16(skb, CTA_ZONE, htons(nf_ct_zone(ct))))
 633                goto nla_put_failure;
 634
 635        if (ctnetlink_dump_id(skb, ct) < 0)
 636                goto nla_put_failure;
 637
 638        if (ctnetlink_dump_status(skb, ct) < 0)
 639                goto nla_put_failure;
 640
 641        if (events & (1 << IPCT_DESTROY)) {
 642                if (ctnetlink_dump_counters(skb, ct,
 643                                            IP_CT_DIR_ORIGINAL, type) < 0 ||
 644                    ctnetlink_dump_counters(skb, ct,
 645                                            IP_CT_DIR_REPLY, type) < 0 ||
 646                    ctnetlink_dump_timestamp(skb, ct) < 0)
 647                        goto nla_put_failure;
 648        } else {
 649                if (ctnetlink_dump_timeout(skb, ct) < 0)
 650                        goto nla_put_failure;
 651
 652                if (events & (1 << IPCT_PROTOINFO)
 653                    && ctnetlink_dump_protoinfo(skb, ct) < 0)
 654                        goto nla_put_failure;
 655
 656                if ((events & (1 << IPCT_HELPER) || nfct_help(ct))
 657                    && ctnetlink_dump_helpinfo(skb, ct) < 0)
 658                        goto nla_put_failure;
 659
 660#ifdef CONFIG_NF_CONNTRACK_SECMARK
 661                if ((events & (1 << IPCT_SECMARK) || ct->secmark)
 662                    && ctnetlink_dump_secctx(skb, ct) < 0)
 663                        goto nla_put_failure;
 664#endif
 665
 666                if (events & (1 << IPCT_RELATED) &&
 667                    ctnetlink_dump_master(skb, ct) < 0)
 668                        goto nla_put_failure;
 669
 670                if (events & (1 << IPCT_NATSEQADJ) &&
 671                    ctnetlink_dump_nat_seq_adj(skb, ct) < 0)
 672                        goto nla_put_failure;
 673        }
 674
 675#ifdef CONFIG_NF_CONNTRACK_MARK
 676        if ((events & (1 << IPCT_MARK) || ct->mark)
 677            && ctnetlink_dump_mark(skb, ct) < 0)
 678                goto nla_put_failure;
 679#endif
 680        rcu_read_unlock();
 681
 682        nlmsg_end(skb, nlh);
 683        err = nfnetlink_send(skb, net, item->portid, group, item->report,
 684                             GFP_ATOMIC);
 685        if (err == -ENOBUFS || err == -EAGAIN)
 686                return -ENOBUFS;
 687
 688        return 0;
 689
 690nla_put_failure:
 691        rcu_read_unlock();
 692        nlmsg_cancel(skb, nlh);
 693nlmsg_failure:
 694        kfree_skb(skb);
 695errout:
 696        if (nfnetlink_set_err(net, 0, group, -ENOBUFS) > 0)
 697                return -ENOBUFS;
 698
 699        return 0;
 700}
 701#endif /* CONFIG_NF_CONNTRACK_EVENTS */
 702
 703static int ctnetlink_done(struct netlink_callback *cb)
 704{
 705        if (cb->args[1])
 706                nf_ct_put((struct nf_conn *)cb->args[1]);
 707        if (cb->data)
 708                kfree(cb->data);
 709        return 0;
 710}
 711
 712struct ctnetlink_dump_filter {
 713        struct {
 714                u_int32_t val;
 715                u_int32_t mask;
 716        } mark;
 717};
 718
 719static int
 720ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
 721{
 722        struct net *net = sock_net(skb->sk);
 723        struct nf_conn *ct, *last;
 724        struct nf_conntrack_tuple_hash *h;
 725        struct hlist_nulls_node *n;
 726        struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
 727        u_int8_t l3proto = nfmsg->nfgen_family;
 728        int res;
 729#ifdef CONFIG_NF_CONNTRACK_MARK
 730        const struct ctnetlink_dump_filter *filter = cb->data;
 731#endif
 732
 733        spin_lock_bh(&nf_conntrack_lock);
 734        last = (struct nf_conn *)cb->args[1];
 735        for (; cb->args[0] < net->ct.htable_size; cb->args[0]++) {
 736restart:
 737                hlist_nulls_for_each_entry(h, n, &net->ct.hash[cb->args[0]],
 738                                         hnnode) {
 739                        if (NF_CT_DIRECTION(h) != IP_CT_DIR_ORIGINAL)
 740                                continue;
 741                        ct = nf_ct_tuplehash_to_ctrack(h);
 742                        /* Dump entries of a given L3 protocol number.
 743                         * If it is not specified, ie. l3proto == 0,
 744                         * then dump everything. */
 745                        if (l3proto && nf_ct_l3num(ct) != l3proto)
 746                                continue;
 747                        if (cb->args[1]) {
 748                                if (ct != last)
 749                                        continue;
 750                                cb->args[1] = 0;
 751                        }
 752#ifdef CONFIG_NF_CONNTRACK_MARK
 753                        if (filter && !((ct->mark & filter->mark.mask) ==
 754                                        filter->mark.val)) {
 755                                continue;
 756                        }
 757#endif
 758                        rcu_read_lock();
 759                        res =
 760                        ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).portid,
 761                                            cb->nlh->nlmsg_seq,
 762                                            NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
 763                                            ct);
 764                        rcu_read_unlock();
 765                        if (res < 0) {
 766                                nf_conntrack_get(&ct->ct_general);
 767                                cb->args[1] = (unsigned long)ct;
 768                                goto out;
 769                        }
 770                }
 771                if (cb->args[1]) {
 772                        cb->args[1] = 0;
 773                        goto restart;
 774                }
 775        }
 776out:
 777        spin_unlock_bh(&nf_conntrack_lock);
 778        if (last)
 779                nf_ct_put(last);
 780
 781        return skb->len;
 782}
 783
 784static inline int
 785ctnetlink_parse_tuple_ip(struct nlattr *attr, struct nf_conntrack_tuple *tuple)
 786{
 787        struct nlattr *tb[CTA_IP_MAX+1];
 788        struct nf_conntrack_l3proto *l3proto;
 789        int ret = 0;
 790
 791        nla_parse_nested(tb, CTA_IP_MAX, attr, NULL);
 792
 793        rcu_read_lock();
 794        l3proto = __nf_ct_l3proto_find(tuple->src.l3num);
 795
 796        if (likely(l3proto->nlattr_to_tuple)) {
 797                ret = nla_validate_nested(attr, CTA_IP_MAX,
 798                                          l3proto->nla_policy);
 799                if (ret == 0)
 800                        ret = l3proto->nlattr_to_tuple(tb, tuple);
 801        }
 802
 803        rcu_read_unlock();
 804
 805        return ret;
 806}
 807
 808static const struct nla_policy proto_nla_policy[CTA_PROTO_MAX+1] = {
 809        [CTA_PROTO_NUM] = { .type = NLA_U8 },
 810};
 811
 812static inline int
 813ctnetlink_parse_tuple_proto(struct nlattr *attr,
 814                            struct nf_conntrack_tuple *tuple)
 815{
 816        struct nlattr *tb[CTA_PROTO_MAX+1];
 817        struct nf_conntrack_l4proto *l4proto;
 818        int ret = 0;
 819
 820        ret = nla_parse_nested(tb, CTA_PROTO_MAX, attr, proto_nla_policy);
 821        if (ret < 0)
 822                return ret;
 823
 824        if (!tb[CTA_PROTO_NUM])
 825                return -EINVAL;
 826        tuple->dst.protonum = nla_get_u8(tb[CTA_PROTO_NUM]);
 827
 828        rcu_read_lock();
 829        l4proto = __nf_ct_l4proto_find(tuple->src.l3num, tuple->dst.protonum);
 830
 831        if (likely(l4proto->nlattr_to_tuple)) {
 832                ret = nla_validate_nested(attr, CTA_PROTO_MAX,
 833                                          l4proto->nla_policy);
 834                if (ret == 0)
 835                        ret = l4proto->nlattr_to_tuple(tb, tuple);
 836        }
 837
 838        rcu_read_unlock();
 839
 840        return ret;
 841}
 842
 843static const struct nla_policy tuple_nla_policy[CTA_TUPLE_MAX+1] = {
 844        [CTA_TUPLE_IP]          = { .type = NLA_NESTED },
 845        [CTA_TUPLE_PROTO]       = { .type = NLA_NESTED },
 846};
 847
 848static int
 849ctnetlink_parse_tuple(const struct nlattr * const cda[],
 850                      struct nf_conntrack_tuple *tuple,
 851                      enum ctattr_type type, u_int8_t l3num)
 852{
 853        struct nlattr *tb[CTA_TUPLE_MAX+1];
 854        int err;
 855
 856        memset(tuple, 0, sizeof(*tuple));
 857
 858        nla_parse_nested(tb, CTA_TUPLE_MAX, cda[type], tuple_nla_policy);
 859
 860        if (!tb[CTA_TUPLE_IP])
 861                return -EINVAL;
 862
 863        tuple->src.l3num = l3num;
 864
 865        err = ctnetlink_parse_tuple_ip(tb[CTA_TUPLE_IP], tuple);
 866        if (err < 0)
 867                return err;
 868
 869        if (!tb[CTA_TUPLE_PROTO])
 870                return -EINVAL;
 871
 872        err = ctnetlink_parse_tuple_proto(tb[CTA_TUPLE_PROTO], tuple);
 873        if (err < 0)
 874                return err;
 875
 876        /* orig and expect tuples get DIR_ORIGINAL */
 877        if (type == CTA_TUPLE_REPLY)
 878                tuple->dst.dir = IP_CT_DIR_REPLY;
 879        else
 880                tuple->dst.dir = IP_CT_DIR_ORIGINAL;
 881
 882        return 0;
 883}
 884
 885static int
 886ctnetlink_parse_zone(const struct nlattr *attr, u16 *zone)
 887{
 888        if (attr)
 889#ifdef CONFIG_NF_CONNTRACK_ZONES
 890                *zone = ntohs(nla_get_be16(attr));
 891#else
 892                return -EOPNOTSUPP;
 893#endif
 894        else
 895                *zone = 0;
 896
 897        return 0;
 898}
 899
 900static const struct nla_policy help_nla_policy[CTA_HELP_MAX+1] = {
 901        [CTA_HELP_NAME]         = { .type = NLA_NUL_STRING },
 902};
 903
 904static inline int
 905ctnetlink_parse_help(const struct nlattr *attr, char **helper_name,
 906                     struct nlattr **helpinfo)
 907{
 908        struct nlattr *tb[CTA_HELP_MAX+1];
 909
 910        nla_parse_nested(tb, CTA_HELP_MAX, attr, help_nla_policy);
 911
 912        if (!tb[CTA_HELP_NAME])
 913                return -EINVAL;
 914
 915        *helper_name = nla_data(tb[CTA_HELP_NAME]);
 916
 917        if (tb[CTA_HELP_INFO])
 918                *helpinfo = tb[CTA_HELP_INFO];
 919
 920        return 0;
 921}
 922
 923static const struct nla_policy ct_nla_policy[CTA_MAX+1] = {
 924        [CTA_TUPLE_ORIG]        = { .type = NLA_NESTED },
 925        [CTA_TUPLE_REPLY]       = { .type = NLA_NESTED },
 926        [CTA_STATUS]            = { .type = NLA_U32 },
 927        [CTA_PROTOINFO]         = { .type = NLA_NESTED },
 928        [CTA_HELP]              = { .type = NLA_NESTED },
 929        [CTA_NAT_SRC]           = { .type = NLA_NESTED },
 930        [CTA_TIMEOUT]           = { .type = NLA_U32 },
 931        [CTA_MARK]              = { .type = NLA_U32 },
 932        [CTA_ID]                = { .type = NLA_U32 },
 933        [CTA_NAT_DST]           = { .type = NLA_NESTED },
 934        [CTA_TUPLE_MASTER]      = { .type = NLA_NESTED },
 935        [CTA_ZONE]              = { .type = NLA_U16 },
 936        [CTA_MARK_MASK]         = { .type = NLA_U32 },
 937};
 938
 939static int
 940ctnetlink_del_conntrack(struct sock *ctnl, struct sk_buff *skb,
 941                        const struct nlmsghdr *nlh,
 942                        const struct nlattr * const cda[])
 943{
 944        struct net *net = sock_net(ctnl);
 945        struct nf_conntrack_tuple_hash *h;
 946        struct nf_conntrack_tuple tuple;
 947        struct nf_conn *ct;
 948        struct nfgenmsg *nfmsg = nlmsg_data(nlh);
 949        u_int8_t u3 = nfmsg->nfgen_family;
 950        u16 zone;
 951        int err;
 952
 953        err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone);
 954        if (err < 0)
 955                return err;
 956
 957        if (cda[CTA_TUPLE_ORIG])
 958                err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, u3);
 959        else if (cda[CTA_TUPLE_REPLY])
 960                err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY, u3);
 961        else {
 962                /* Flush the whole table */
 963                nf_conntrack_flush_report(net,
 964                                         NETLINK_CB(skb).portid,
 965                                         nlmsg_report(nlh));
 966                return 0;
 967        }
 968
 969        if (err < 0)
 970                return err;
 971
 972        h = nf_conntrack_find_get(net, zone, &tuple);
 973        if (!h)
 974                return -ENOENT;
 975
 976        ct = nf_ct_tuplehash_to_ctrack(h);
 977
 978        if (cda[CTA_ID]) {
 979                u_int32_t id = ntohl(nla_get_be32(cda[CTA_ID]));
 980                if (id != (u32)(unsigned long)ct) {
 981                        nf_ct_put(ct);
 982                        return -ENOENT;
 983                }
 984        }
 985
 986        if (del_timer(&ct->timeout)) {
 987                if (nf_conntrack_event_report(IPCT_DESTROY, ct,
 988                                              NETLINK_CB(skb).portid,
 989                                              nlmsg_report(nlh)) < 0) {
 990                        nf_ct_delete_from_lists(ct);
 991                        /* we failed to report the event, try later */
 992                        nf_ct_insert_dying_list(ct);
 993                        nf_ct_put(ct);
 994                        return 0;
 995                }
 996                /* death_by_timeout would report the event again */
 997                set_bit(IPS_DYING_BIT, &ct->status);
 998                nf_ct_delete_from_lists(ct);
 999                nf_ct_put(ct);
1000        }
1001        nf_ct_put(ct);
1002
1003        return 0;
1004}
1005
1006static int
1007ctnetlink_get_conntrack(struct sock *ctnl, struct sk_buff *skb,
1008                        const struct nlmsghdr *nlh,
1009                        const struct nlattr * const cda[])
1010{
1011        struct net *net = sock_net(ctnl);
1012        struct nf_conntrack_tuple_hash *h;
1013        struct nf_conntrack_tuple tuple;
1014        struct nf_conn *ct;
1015        struct sk_buff *skb2 = NULL;
1016        struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1017        u_int8_t u3 = nfmsg->nfgen_family;
1018        u16 zone;
1019        int err;
1020
1021        if (nlh->nlmsg_flags & NLM_F_DUMP) {
1022                struct netlink_dump_control c = {
1023                        .dump = ctnetlink_dump_table,
1024                        .done = ctnetlink_done,
1025                };
1026#ifdef CONFIG_NF_CONNTRACK_MARK
1027                if (cda[CTA_MARK] && cda[CTA_MARK_MASK]) {
1028                        struct ctnetlink_dump_filter *filter;
1029
1030                        filter = kzalloc(sizeof(struct ctnetlink_dump_filter),
1031                                         GFP_ATOMIC);
1032                        if (filter == NULL)
1033                                return -ENOMEM;
1034
1035                        filter->mark.val = ntohl(nla_get_be32(cda[CTA_MARK]));
1036                        filter->mark.mask =
1037                                ntohl(nla_get_be32(cda[CTA_MARK_MASK]));
1038                        c.data = filter;
1039                }
1040#endif
1041                return netlink_dump_start(ctnl, skb, nlh, &c);
1042        }
1043
1044        err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone);
1045        if (err < 0)
1046                return err;
1047
1048        if (cda[CTA_TUPLE_ORIG])
1049                err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, u3);
1050        else if (cda[CTA_TUPLE_REPLY])
1051                err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY, u3);
1052        else
1053                return -EINVAL;
1054
1055        if (err < 0)
1056                return err;
1057
1058        h = nf_conntrack_find_get(net, zone, &tuple);
1059        if (!h)
1060                return -ENOENT;
1061
1062        ct = nf_ct_tuplehash_to_ctrack(h);
1063
1064        err = -ENOMEM;
1065        skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1066        if (skb2 == NULL) {
1067                nf_ct_put(ct);
1068                return -ENOMEM;
1069        }
1070
1071        rcu_read_lock();
1072        err = ctnetlink_fill_info(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq,
1073                                  NFNL_MSG_TYPE(nlh->nlmsg_type), ct);
1074        rcu_read_unlock();
1075        nf_ct_put(ct);
1076        if (err <= 0)
1077                goto free;
1078
1079        err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
1080        if (err < 0)
1081                goto out;
1082
1083        return 0;
1084
1085free:
1086        kfree_skb(skb2);
1087out:
1088        /* this avoids a loop in nfnetlink. */
1089        return err == -EAGAIN ? -ENOBUFS : err;
1090}
1091
1092#ifdef CONFIG_NF_NAT_NEEDED
1093static int
1094ctnetlink_parse_nat_setup(struct nf_conn *ct,
1095                          enum nf_nat_manip_type manip,
1096                          const struct nlattr *attr)
1097{
1098        typeof(nfnetlink_parse_nat_setup_hook) parse_nat_setup;
1099        int err;
1100
1101        parse_nat_setup = rcu_dereference(nfnetlink_parse_nat_setup_hook);
1102        if (!parse_nat_setup) {
1103#ifdef CONFIG_MODULES
1104                rcu_read_unlock();
1105                nfnl_unlock();
1106                if (request_module("nf-nat") < 0) {
1107                        nfnl_lock();
1108                        rcu_read_lock();
1109                        return -EOPNOTSUPP;
1110                }
1111                nfnl_lock();
1112                rcu_read_lock();
1113                if (nfnetlink_parse_nat_setup_hook)
1114                        return -EAGAIN;
1115#endif
1116                return -EOPNOTSUPP;
1117        }
1118
1119        err = parse_nat_setup(ct, manip, attr);
1120        if (err == -EAGAIN) {
1121#ifdef CONFIG_MODULES
1122                rcu_read_unlock();
1123                nfnl_unlock();
1124                if (request_module("nf-nat-%u", nf_ct_l3num(ct)) < 0) {
1125                        nfnl_lock();
1126                        rcu_read_lock();
1127                        return -EOPNOTSUPP;
1128                }
1129                nfnl_lock();
1130                rcu_read_lock();
1131#else
1132                err = -EOPNOTSUPP;
1133#endif
1134        }
1135        return err;
1136}
1137#endif
1138
1139static int
1140ctnetlink_change_status(struct nf_conn *ct, const struct nlattr * const cda[])
1141{
1142        unsigned long d;
1143        unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS]));
1144        d = ct->status ^ status;
1145
1146        if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING))
1147                /* unchangeable */
1148                return -EBUSY;
1149
1150        if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY))
1151                /* SEEN_REPLY bit can only be set */
1152                return -EBUSY;
1153
1154        if (d & IPS_ASSURED && !(status & IPS_ASSURED))
1155                /* ASSURED bit can only be set */
1156                return -EBUSY;
1157
1158        /* Be careful here, modifying NAT bits can screw up things,
1159         * so don't let users modify them directly if they don't pass
1160         * nf_nat_range. */
1161        ct->status |= status & ~(IPS_NAT_DONE_MASK | IPS_NAT_MASK);
1162        return 0;
1163}
1164
1165static int
1166ctnetlink_change_nat(struct nf_conn *ct, const struct nlattr * const cda[])
1167{
1168#ifdef CONFIG_NF_NAT_NEEDED
1169        int ret;
1170
1171        if (cda[CTA_NAT_DST]) {
1172                ret = ctnetlink_parse_nat_setup(ct,
1173                                                NF_NAT_MANIP_DST,
1174                                                cda[CTA_NAT_DST]);
1175                if (ret < 0)
1176                        return ret;
1177        }
1178        if (cda[CTA_NAT_SRC]) {
1179                ret = ctnetlink_parse_nat_setup(ct,
1180                                                NF_NAT_MANIP_SRC,
1181                                                cda[CTA_NAT_SRC]);
1182                if (ret < 0)
1183                        return ret;
1184        }
1185        return 0;
1186#else
1187        return -EOPNOTSUPP;
1188#endif
1189}
1190
1191static inline int
1192ctnetlink_change_helper(struct nf_conn *ct, const struct nlattr * const cda[])
1193{
1194        struct nf_conntrack_helper *helper;
1195        struct nf_conn_help *help = nfct_help(ct);
1196        char *helpname = NULL;
1197        struct nlattr *helpinfo = NULL;
1198        int err;
1199
1200        /* don't change helper of sibling connections */
1201        if (ct->master)
1202                return -EBUSY;
1203
1204        err = ctnetlink_parse_help(cda[CTA_HELP], &helpname, &helpinfo);
1205        if (err < 0)
1206                return err;
1207
1208        if (!strcmp(helpname, "")) {
1209                if (help && help->helper) {
1210                        /* we had a helper before ... */
1211                        nf_ct_remove_expectations(ct);
1212                        RCU_INIT_POINTER(help->helper, NULL);
1213                }
1214
1215                return 0;
1216        }
1217
1218        helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
1219                                            nf_ct_protonum(ct));
1220        if (helper == NULL) {
1221#ifdef CONFIG_MODULES
1222                spin_unlock_bh(&nf_conntrack_lock);
1223
1224                if (request_module("nfct-helper-%s", helpname) < 0) {
1225                        spin_lock_bh(&nf_conntrack_lock);
1226                        return -EOPNOTSUPP;
1227                }
1228
1229                spin_lock_bh(&nf_conntrack_lock);
1230                helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
1231                                                    nf_ct_protonum(ct));
1232                if (helper)
1233                        return -EAGAIN;
1234#endif
1235                return -EOPNOTSUPP;
1236        }
1237
1238        if (help) {
1239                if (help->helper == helper) {
1240                        /* update private helper data if allowed. */
1241                        if (helper->from_nlattr)
1242                                helper->from_nlattr(helpinfo, ct);
1243                        return 0;
1244                } else
1245                        return -EBUSY;
1246        }
1247
1248        /* we cannot set a helper for an existing conntrack */
1249        return -EOPNOTSUPP;
1250}
1251
1252static inline int
1253ctnetlink_change_timeout(struct nf_conn *ct, const struct nlattr * const cda[])
1254{
1255        u_int32_t timeout = ntohl(nla_get_be32(cda[CTA_TIMEOUT]));
1256
1257        if (!del_timer(&ct->timeout))
1258                return -ETIME;
1259
1260        ct->timeout.expires = jiffies + timeout * HZ;
1261        add_timer(&ct->timeout);
1262
1263        return 0;
1264}
1265
1266static const struct nla_policy protoinfo_policy[CTA_PROTOINFO_MAX+1] = {
1267        [CTA_PROTOINFO_TCP]     = { .type = NLA_NESTED },
1268        [CTA_PROTOINFO_DCCP]    = { .type = NLA_NESTED },
1269        [CTA_PROTOINFO_SCTP]    = { .type = NLA_NESTED },
1270};
1271
1272static inline int
1273ctnetlink_change_protoinfo(struct nf_conn *ct, const struct nlattr * const cda[])
1274{
1275        const struct nlattr *attr = cda[CTA_PROTOINFO];
1276        struct nlattr *tb[CTA_PROTOINFO_MAX+1];
1277        struct nf_conntrack_l4proto *l4proto;
1278        int err = 0;
1279
1280        nla_parse_nested(tb, CTA_PROTOINFO_MAX, attr, protoinfo_policy);
1281
1282        rcu_read_lock();
1283        l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
1284        if (l4proto->from_nlattr)
1285                err = l4proto->from_nlattr(tb, ct);
1286        rcu_read_unlock();
1287
1288        return err;
1289}
1290
1291#ifdef CONFIG_NF_NAT_NEEDED
1292static const struct nla_policy nat_seq_policy[CTA_NAT_SEQ_MAX+1] = {
1293        [CTA_NAT_SEQ_CORRECTION_POS]    = { .type = NLA_U32 },
1294        [CTA_NAT_SEQ_OFFSET_BEFORE]     = { .type = NLA_U32 },
1295        [CTA_NAT_SEQ_OFFSET_AFTER]      = { .type = NLA_U32 },
1296};
1297
1298static inline int
1299change_nat_seq_adj(struct nf_nat_seq *natseq, const struct nlattr * const attr)
1300{
1301        struct nlattr *cda[CTA_NAT_SEQ_MAX+1];
1302
1303        nla_parse_nested(cda, CTA_NAT_SEQ_MAX, attr, nat_seq_policy);
1304
1305        if (!cda[CTA_NAT_SEQ_CORRECTION_POS])
1306                return -EINVAL;
1307
1308        natseq->correction_pos =
1309                ntohl(nla_get_be32(cda[CTA_NAT_SEQ_CORRECTION_POS]));
1310
1311        if (!cda[CTA_NAT_SEQ_OFFSET_BEFORE])
1312                return -EINVAL;
1313
1314        natseq->offset_before =
1315                ntohl(nla_get_be32(cda[CTA_NAT_SEQ_OFFSET_BEFORE]));
1316
1317        if (!cda[CTA_NAT_SEQ_OFFSET_AFTER])
1318                return -EINVAL;
1319
1320        natseq->offset_after =
1321                ntohl(nla_get_be32(cda[CTA_NAT_SEQ_OFFSET_AFTER]));
1322
1323        return 0;
1324}
1325
1326static int
1327ctnetlink_change_nat_seq_adj(struct nf_conn *ct,
1328                             const struct nlattr * const cda[])
1329{
1330        int ret = 0;
1331        struct nf_conn_nat *nat = nfct_nat(ct);
1332
1333        if (!nat)
1334                return 0;
1335
1336        if (cda[CTA_NAT_SEQ_ADJ_ORIG]) {
1337                ret = change_nat_seq_adj(&nat->seq[IP_CT_DIR_ORIGINAL],
1338                                         cda[CTA_NAT_SEQ_ADJ_ORIG]);
1339                if (ret < 0)
1340                        return ret;
1341
1342                ct->status |= IPS_SEQ_ADJUST;
1343        }
1344
1345        if (cda[CTA_NAT_SEQ_ADJ_REPLY]) {
1346                ret = change_nat_seq_adj(&nat->seq[IP_CT_DIR_REPLY],
1347                                         cda[CTA_NAT_SEQ_ADJ_REPLY]);
1348                if (ret < 0)
1349                        return ret;
1350
1351                ct->status |= IPS_SEQ_ADJUST;
1352        }
1353
1354        return 0;
1355}
1356#endif
1357
1358static int
1359ctnetlink_change_conntrack(struct nf_conn *ct,
1360                           const struct nlattr * const cda[])
1361{
1362        int err;
1363
1364        /* only allow NAT changes and master assignation for new conntracks */
1365        if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST] || cda[CTA_TUPLE_MASTER])
1366                return -EOPNOTSUPP;
1367
1368        if (cda[CTA_HELP]) {
1369                err = ctnetlink_change_helper(ct, cda);
1370                if (err < 0)
1371                        return err;
1372        }
1373
1374        if (cda[CTA_TIMEOUT]) {
1375                err = ctnetlink_change_timeout(ct, cda);
1376                if (err < 0)
1377                        return err;
1378        }
1379
1380        if (cda[CTA_STATUS]) {
1381                err = ctnetlink_change_status(ct, cda);
1382                if (err < 0)
1383                        return err;
1384        }
1385
1386        if (cda[CTA_PROTOINFO]) {
1387                err = ctnetlink_change_protoinfo(ct, cda);
1388                if (err < 0)
1389                        return err;
1390        }
1391
1392#if defined(CONFIG_NF_CONNTRACK_MARK)
1393        if (cda[CTA_MARK])
1394                ct->mark = ntohl(nla_get_be32(cda[CTA_MARK]));
1395#endif
1396
1397#ifdef CONFIG_NF_NAT_NEEDED
1398        if (cda[CTA_NAT_SEQ_ADJ_ORIG] || cda[CTA_NAT_SEQ_ADJ_REPLY]) {
1399                err = ctnetlink_change_nat_seq_adj(ct, cda);
1400                if (err < 0)
1401                        return err;
1402        }
1403#endif
1404
1405        return 0;
1406}
1407
1408static struct nf_conn *
1409ctnetlink_create_conntrack(struct net *net, u16 zone,
1410                           const struct nlattr * const cda[],
1411                           struct nf_conntrack_tuple *otuple,
1412                           struct nf_conntrack_tuple *rtuple,
1413                           u8 u3)
1414{
1415        struct nf_conn *ct;
1416        int err = -EINVAL;
1417        struct nf_conntrack_helper *helper;
1418        struct nf_conn_tstamp *tstamp;
1419
1420        ct = nf_conntrack_alloc(net, zone, otuple, rtuple, GFP_ATOMIC);
1421        if (IS_ERR(ct))
1422                return ERR_PTR(-ENOMEM);
1423
1424        if (!cda[CTA_TIMEOUT])
1425                goto err1;
1426        ct->timeout.expires = ntohl(nla_get_be32(cda[CTA_TIMEOUT]));
1427
1428        ct->timeout.expires = jiffies + ct->timeout.expires * HZ;
1429
1430        rcu_read_lock();
1431        if (cda[CTA_HELP]) {
1432                char *helpname = NULL;
1433                struct nlattr *helpinfo = NULL;
1434
1435                err = ctnetlink_parse_help(cda[CTA_HELP], &helpname, &helpinfo);
1436                if (err < 0)
1437                        goto err2;
1438
1439                helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
1440                                                    nf_ct_protonum(ct));
1441                if (helper == NULL) {
1442                        rcu_read_unlock();
1443#ifdef CONFIG_MODULES
1444                        if (request_module("nfct-helper-%s", helpname) < 0) {
1445                                err = -EOPNOTSUPP;
1446                                goto err1;
1447                        }
1448
1449                        rcu_read_lock();
1450                        helper = __nf_conntrack_helper_find(helpname,
1451                                                            nf_ct_l3num(ct),
1452                                                            nf_ct_protonum(ct));
1453                        if (helper) {
1454                                err = -EAGAIN;
1455                                goto err2;
1456                        }
1457                        rcu_read_unlock();
1458#endif
1459                        err = -EOPNOTSUPP;
1460                        goto err1;
1461                } else {
1462                        struct nf_conn_help *help;
1463
1464                        help = nf_ct_helper_ext_add(ct, helper, GFP_ATOMIC);
1465                        if (help == NULL) {
1466                                err = -ENOMEM;
1467                                goto err2;
1468                        }
1469                        /* set private helper data if allowed. */
1470                        if (helper->from_nlattr)
1471                                helper->from_nlattr(helpinfo, ct);
1472
1473                        /* not in hash table yet so not strictly necessary */
1474                        RCU_INIT_POINTER(help->helper, helper);
1475                }
1476        } else {
1477                /* try an implicit helper assignation */
1478                err = __nf_ct_try_assign_helper(ct, NULL, GFP_ATOMIC);
1479                if (err < 0)
1480                        goto err2;
1481        }
1482
1483        if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST]) {
1484                err = ctnetlink_change_nat(ct, cda);
1485                if (err < 0)
1486                        goto err2;
1487        }
1488
1489        nf_ct_acct_ext_add(ct, GFP_ATOMIC);
1490        nf_ct_tstamp_ext_add(ct, GFP_ATOMIC);
1491        nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC);
1492        /* we must add conntrack extensions before confirmation. */
1493        ct->status |= IPS_CONFIRMED;
1494
1495        if (cda[CTA_STATUS]) {
1496                err = ctnetlink_change_status(ct, cda);
1497                if (err < 0)
1498                        goto err2;
1499        }
1500
1501#ifdef CONFIG_NF_NAT_NEEDED
1502        if (cda[CTA_NAT_SEQ_ADJ_ORIG] || cda[CTA_NAT_SEQ_ADJ_REPLY]) {
1503                err = ctnetlink_change_nat_seq_adj(ct, cda);
1504                if (err < 0)
1505                        goto err2;
1506        }
1507#endif
1508
1509        memset(&ct->proto, 0, sizeof(ct->proto));
1510        if (cda[CTA_PROTOINFO]) {
1511                err = ctnetlink_change_protoinfo(ct, cda);
1512                if (err < 0)
1513                        goto err2;
1514        }
1515
1516#if defined(CONFIG_NF_CONNTRACK_MARK)
1517        if (cda[CTA_MARK])
1518                ct->mark = ntohl(nla_get_be32(cda[CTA_MARK]));
1519#endif
1520
1521        /* setup master conntrack: this is a confirmed expectation */
1522        if (cda[CTA_TUPLE_MASTER]) {
1523                struct nf_conntrack_tuple master;
1524                struct nf_conntrack_tuple_hash *master_h;
1525                struct nf_conn *master_ct;
1526
1527                err = ctnetlink_parse_tuple(cda, &master, CTA_TUPLE_MASTER, u3);
1528                if (err < 0)
1529                        goto err2;
1530
1531                master_h = nf_conntrack_find_get(net, zone, &master);
1532                if (master_h == NULL) {
1533                        err = -ENOENT;
1534                        goto err2;
1535                }
1536                master_ct = nf_ct_tuplehash_to_ctrack(master_h);
1537                __set_bit(IPS_EXPECTED_BIT, &ct->status);
1538                ct->master = master_ct;
1539        }
1540        tstamp = nf_conn_tstamp_find(ct);
1541        if (tstamp)
1542                tstamp->start = ktime_to_ns(ktime_get_real());
1543
1544        err = nf_conntrack_hash_check_insert(ct);
1545        if (err < 0)
1546                goto err2;
1547
1548        rcu_read_unlock();
1549
1550        return ct;
1551
1552err2:
1553        rcu_read_unlock();
1554err1:
1555        nf_conntrack_free(ct);
1556        return ERR_PTR(err);
1557}
1558
1559static int
1560ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
1561                        const struct nlmsghdr *nlh,
1562                        const struct nlattr * const cda[])
1563{
1564        struct net *net = sock_net(ctnl);
1565        struct nf_conntrack_tuple otuple, rtuple;
1566        struct nf_conntrack_tuple_hash *h = NULL;
1567        struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1568        struct nf_conn *ct;
1569        u_int8_t u3 = nfmsg->nfgen_family;
1570        u16 zone;
1571        int err;
1572
1573        err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone);
1574        if (err < 0)
1575                return err;
1576
1577        if (cda[CTA_TUPLE_ORIG]) {
1578                err = ctnetlink_parse_tuple(cda, &otuple, CTA_TUPLE_ORIG, u3);
1579                if (err < 0)
1580                        return err;
1581        }
1582
1583        if (cda[CTA_TUPLE_REPLY]) {
1584                err = ctnetlink_parse_tuple(cda, &rtuple, CTA_TUPLE_REPLY, u3);
1585                if (err < 0)
1586                        return err;
1587        }
1588
1589        if (cda[CTA_TUPLE_ORIG])
1590                h = nf_conntrack_find_get(net, zone, &otuple);
1591        else if (cda[CTA_TUPLE_REPLY])
1592                h = nf_conntrack_find_get(net, zone, &rtuple);
1593
1594        if (h == NULL) {
1595                err = -ENOENT;
1596                if (nlh->nlmsg_flags & NLM_F_CREATE) {
1597                        enum ip_conntrack_events events;
1598
1599                        ct = ctnetlink_create_conntrack(net, zone, cda, &otuple,
1600                                                        &rtuple, u3);
1601                        if (IS_ERR(ct))
1602                                return PTR_ERR(ct);
1603
1604                        err = 0;
1605                        if (test_bit(IPS_EXPECTED_BIT, &ct->status))
1606                                events = IPCT_RELATED;
1607                        else
1608                                events = IPCT_NEW;
1609
1610                        nf_conntrack_eventmask_report((1 << IPCT_REPLY) |
1611                                                      (1 << IPCT_ASSURED) |
1612                                                      (1 << IPCT_HELPER) |
1613                                                      (1 << IPCT_PROTOINFO) |
1614                                                      (1 << IPCT_NATSEQADJ) |
1615                                                      (1 << IPCT_MARK) | events,
1616                                                      ct, NETLINK_CB(skb).portid,
1617                                                      nlmsg_report(nlh));
1618                        nf_ct_put(ct);
1619                }
1620
1621                return err;
1622        }
1623        /* implicit 'else' */
1624
1625        err = -EEXIST;
1626        ct = nf_ct_tuplehash_to_ctrack(h);
1627        if (!(nlh->nlmsg_flags & NLM_F_EXCL)) {
1628                spin_lock_bh(&nf_conntrack_lock);
1629                err = ctnetlink_change_conntrack(ct, cda);
1630                spin_unlock_bh(&nf_conntrack_lock);
1631                if (err == 0) {
1632                        nf_conntrack_eventmask_report((1 << IPCT_REPLY) |
1633                                                      (1 << IPCT_ASSURED) |
1634                                                      (1 << IPCT_HELPER) |
1635                                                      (1 << IPCT_PROTOINFO) |
1636                                                      (1 << IPCT_NATSEQADJ) |
1637                                                      (1 << IPCT_MARK),
1638                                                      ct, NETLINK_CB(skb).portid,
1639                                                      nlmsg_report(nlh));
1640                }
1641        }
1642
1643        nf_ct_put(ct);
1644        return err;
1645}
1646
1647static int
1648ctnetlink_ct_stat_cpu_fill_info(struct sk_buff *skb, u32 portid, u32 seq,
1649                                __u16 cpu, const struct ip_conntrack_stat *st)
1650{
1651        struct nlmsghdr *nlh;
1652        struct nfgenmsg *nfmsg;
1653        unsigned int flags = portid ? NLM_F_MULTI : 0, event;
1654
1655        event = (NFNL_SUBSYS_CTNETLINK << 8 | IPCTNL_MSG_CT_GET_STATS_CPU);
1656        nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
1657        if (nlh == NULL)
1658                goto nlmsg_failure;
1659
1660        nfmsg = nlmsg_data(nlh);
1661        nfmsg->nfgen_family = AF_UNSPEC;
1662        nfmsg->version      = NFNETLINK_V0;
1663        nfmsg->res_id       = htons(cpu);
1664
1665        if (nla_put_be32(skb, CTA_STATS_SEARCHED, htonl(st->searched)) ||
1666            nla_put_be32(skb, CTA_STATS_FOUND, htonl(st->found)) ||
1667            nla_put_be32(skb, CTA_STATS_NEW, htonl(st->new)) ||
1668            nla_put_be32(skb, CTA_STATS_INVALID, htonl(st->invalid)) ||
1669            nla_put_be32(skb, CTA_STATS_IGNORE, htonl(st->ignore)) ||
1670            nla_put_be32(skb, CTA_STATS_DELETE, htonl(st->delete)) ||
1671            nla_put_be32(skb, CTA_STATS_DELETE_LIST, htonl(st->delete_list)) ||
1672            nla_put_be32(skb, CTA_STATS_INSERT, htonl(st->insert)) ||
1673            nla_put_be32(skb, CTA_STATS_INSERT_FAILED,
1674                                htonl(st->insert_failed)) ||
1675            nla_put_be32(skb, CTA_STATS_DROP, htonl(st->drop)) ||
1676            nla_put_be32(skb, CTA_STATS_EARLY_DROP, htonl(st->early_drop)) ||
1677            nla_put_be32(skb, CTA_STATS_ERROR, htonl(st->error)) ||
1678            nla_put_be32(skb, CTA_STATS_SEARCH_RESTART,
1679                                htonl(st->search_restart)))
1680                goto nla_put_failure;
1681
1682        nlmsg_end(skb, nlh);
1683        return skb->len;
1684
1685nla_put_failure:
1686nlmsg_failure:
1687        nlmsg_cancel(skb, nlh);
1688        return -1;
1689}
1690
1691static int
1692ctnetlink_ct_stat_cpu_dump(struct sk_buff *skb, struct netlink_callback *cb)
1693{
1694        int cpu;
1695        struct net *net = sock_net(skb->sk);
1696
1697        if (cb->args[0] == nr_cpu_ids)
1698                return 0;
1699
1700        for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) {
1701                const struct ip_conntrack_stat *st;
1702
1703                if (!cpu_possible(cpu))
1704                        continue;
1705
1706                st = per_cpu_ptr(net->ct.stat, cpu);
1707                if (ctnetlink_ct_stat_cpu_fill_info(skb,
1708                                                    NETLINK_CB(cb->skb).portid,
1709                                                    cb->nlh->nlmsg_seq,
1710                                                    cpu, st) < 0)
1711                                break;
1712        }
1713        cb->args[0] = cpu;
1714
1715        return skb->len;
1716}
1717
1718static int
1719ctnetlink_stat_ct_cpu(struct sock *ctnl, struct sk_buff *skb,
1720                      const struct nlmsghdr *nlh,
1721                      const struct nlattr * const cda[])
1722{
1723        if (nlh->nlmsg_flags & NLM_F_DUMP) {
1724                struct netlink_dump_control c = {
1725                        .dump = ctnetlink_ct_stat_cpu_dump,
1726                };
1727                return netlink_dump_start(ctnl, skb, nlh, &c);
1728        }
1729
1730        return 0;
1731}
1732
1733static int
1734ctnetlink_stat_ct_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
1735                            struct net *net)
1736{
1737        struct nlmsghdr *nlh;
1738        struct nfgenmsg *nfmsg;
1739        unsigned int flags = portid ? NLM_F_MULTI : 0, event;
1740        unsigned int nr_conntracks = atomic_read(&net->ct.count);
1741
1742        event = (NFNL_SUBSYS_CTNETLINK << 8 | IPCTNL_MSG_CT_GET_STATS);
1743        nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
1744        if (nlh == NULL)
1745                goto nlmsg_failure;
1746
1747        nfmsg = nlmsg_data(nlh);
1748        nfmsg->nfgen_family = AF_UNSPEC;
1749        nfmsg->version      = NFNETLINK_V0;
1750        nfmsg->res_id       = 0;
1751
1752        if (nla_put_be32(skb, CTA_STATS_GLOBAL_ENTRIES, htonl(nr_conntracks)))
1753                goto nla_put_failure;
1754
1755        nlmsg_end(skb, nlh);
1756        return skb->len;
1757
1758nla_put_failure:
1759nlmsg_failure:
1760        nlmsg_cancel(skb, nlh);
1761        return -1;
1762}
1763
1764static int
1765ctnetlink_stat_ct(struct sock *ctnl, struct sk_buff *skb,
1766                  const struct nlmsghdr *nlh,
1767                  const struct nlattr * const cda[])
1768{
1769        struct sk_buff *skb2;
1770        int err;
1771
1772        skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1773        if (skb2 == NULL)
1774                return -ENOMEM;
1775
1776        err = ctnetlink_stat_ct_fill_info(skb2, NETLINK_CB(skb).portid,
1777                                          nlh->nlmsg_seq,
1778                                          NFNL_MSG_TYPE(nlh->nlmsg_type),
1779                                          sock_net(skb->sk));
1780        if (err <= 0)
1781                goto free;
1782
1783        err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
1784        if (err < 0)
1785                goto out;
1786
1787        return 0;
1788
1789free:
1790        kfree_skb(skb2);
1791out:
1792        /* this avoids a loop in nfnetlink. */
1793        return err == -EAGAIN ? -ENOBUFS : err;
1794}
1795
1796#ifdef CONFIG_NETFILTER_NETLINK_QUEUE_CT
1797static size_t
1798ctnetlink_nfqueue_build_size(const struct nf_conn *ct)
1799{
1800        return 3 * nla_total_size(0) /* CTA_TUPLE_ORIG|REPL|MASTER */
1801               + 3 * nla_total_size(0) /* CTA_TUPLE_IP */
1802               + 3 * nla_total_size(0) /* CTA_TUPLE_PROTO */
1803               + 3 * nla_total_size(sizeof(u_int8_t)) /* CTA_PROTO_NUM */
1804               + nla_total_size(sizeof(u_int32_t)) /* CTA_ID */
1805               + nla_total_size(sizeof(u_int32_t)) /* CTA_STATUS */
1806               + nla_total_size(sizeof(u_int32_t)) /* CTA_TIMEOUT */
1807               + nla_total_size(0) /* CTA_PROTOINFO */
1808               + nla_total_size(0) /* CTA_HELP */
1809               + nla_total_size(NF_CT_HELPER_NAME_LEN) /* CTA_HELP_NAME */
1810               + ctnetlink_secctx_size(ct)
1811#ifdef CONFIG_NF_NAT_NEEDED
1812               + 2 * nla_total_size(0) /* CTA_NAT_SEQ_ADJ_ORIG|REPL */
1813               + 6 * nla_total_size(sizeof(u_int32_t)) /* CTA_NAT_SEQ_OFFSET */
1814#endif
1815#ifdef CONFIG_NF_CONNTRACK_MARK
1816               + nla_total_size(sizeof(u_int32_t)) /* CTA_MARK */
1817#endif
1818               + ctnetlink_proto_size(ct)
1819               ;
1820}
1821
1822static int
1823ctnetlink_nfqueue_build(struct sk_buff *skb, struct nf_conn *ct)
1824{
1825        struct nlattr *nest_parms;
1826
1827        rcu_read_lock();
1828        nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED);
1829        if (!nest_parms)
1830                goto nla_put_failure;
1831        if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
1832                goto nla_put_failure;
1833        nla_nest_end(skb, nest_parms);
1834
1835        nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY | NLA_F_NESTED);
1836        if (!nest_parms)
1837                goto nla_put_failure;
1838        if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
1839                goto nla_put_failure;
1840        nla_nest_end(skb, nest_parms);
1841
1842        if (nf_ct_zone(ct)) {
1843                if (nla_put_be16(skb, CTA_ZONE, htons(nf_ct_zone(ct))))
1844                        goto nla_put_failure;
1845        }
1846
1847        if (ctnetlink_dump_id(skb, ct) < 0)
1848                goto nla_put_failure;
1849
1850        if (ctnetlink_dump_status(skb, ct) < 0)
1851                goto nla_put_failure;
1852
1853        if (ctnetlink_dump_timeout(skb, ct) < 0)
1854                goto nla_put_failure;
1855
1856        if (ctnetlink_dump_protoinfo(skb, ct) < 0)
1857                goto nla_put_failure;
1858
1859        if (ctnetlink_dump_helpinfo(skb, ct) < 0)
1860                goto nla_put_failure;
1861
1862#ifdef CONFIG_NF_CONNTRACK_SECMARK
1863        if (ct->secmark && ctnetlink_dump_secctx(skb, ct) < 0)
1864                goto nla_put_failure;
1865#endif
1866        if (ct->master && ctnetlink_dump_master(skb, ct) < 0)
1867                goto nla_put_failure;
1868
1869        if ((ct->status & IPS_SEQ_ADJUST) &&
1870            ctnetlink_dump_nat_seq_adj(skb, ct) < 0)
1871                goto nla_put_failure;
1872
1873#ifdef CONFIG_NF_CONNTRACK_MARK
1874        if (ct->mark && ctnetlink_dump_mark(skb, ct) < 0)
1875                goto nla_put_failure;
1876#endif
1877        rcu_read_unlock();
1878        return 0;
1879
1880nla_put_failure:
1881        rcu_read_unlock();
1882        return -ENOSPC;
1883}
1884
1885static int
1886ctnetlink_nfqueue_parse_ct(const struct nlattr *cda[], struct nf_conn *ct)
1887{
1888        int err;
1889
1890        if (cda[CTA_TIMEOUT]) {
1891                err = ctnetlink_change_timeout(ct, cda);
1892                if (err < 0)
1893                        return err;
1894        }
1895        if (cda[CTA_STATUS]) {
1896                err = ctnetlink_change_status(ct, cda);
1897                if (err < 0)
1898                        return err;
1899        }
1900        if (cda[CTA_HELP]) {
1901                err = ctnetlink_change_helper(ct, cda);
1902                if (err < 0)
1903                        return err;
1904        }
1905#if defined(CONFIG_NF_CONNTRACK_MARK)
1906        if (cda[CTA_MARK])
1907                ct->mark = ntohl(nla_get_be32(cda[CTA_MARK]));
1908#endif
1909        return 0;
1910}
1911
1912static int
1913ctnetlink_nfqueue_parse(const struct nlattr *attr, struct nf_conn *ct)
1914{
1915        struct nlattr *cda[CTA_MAX+1];
1916        int ret;
1917
1918        nla_parse_nested(cda, CTA_MAX, attr, ct_nla_policy);
1919
1920        spin_lock_bh(&nf_conntrack_lock);
1921        ret = ctnetlink_nfqueue_parse_ct((const struct nlattr **)cda, ct);
1922        spin_unlock_bh(&nf_conntrack_lock);
1923
1924        return ret;
1925}
1926
1927static struct nfq_ct_hook ctnetlink_nfqueue_hook = {
1928        .build_size     = ctnetlink_nfqueue_build_size,
1929        .build          = ctnetlink_nfqueue_build,
1930        .parse          = ctnetlink_nfqueue_parse,
1931};
1932#endif /* CONFIG_NETFILTER_NETLINK_QUEUE_CT */
1933
1934/***********************************************************************
1935 * EXPECT
1936 ***********************************************************************/
1937
1938static inline int
1939ctnetlink_exp_dump_tuple(struct sk_buff *skb,
1940                         const struct nf_conntrack_tuple *tuple,
1941                         enum ctattr_expect type)
1942{
1943        struct nlattr *nest_parms;
1944
1945        nest_parms = nla_nest_start(skb, type | NLA_F_NESTED);
1946        if (!nest_parms)
1947                goto nla_put_failure;
1948        if (ctnetlink_dump_tuples(skb, tuple) < 0)
1949                goto nla_put_failure;
1950        nla_nest_end(skb, nest_parms);
1951
1952        return 0;
1953
1954nla_put_failure:
1955        return -1;
1956}
1957
1958static inline int
1959ctnetlink_exp_dump_mask(struct sk_buff *skb,
1960                        const struct nf_conntrack_tuple *tuple,
1961                        const struct nf_conntrack_tuple_mask *mask)
1962{
1963        int ret;
1964        struct nf_conntrack_l3proto *l3proto;
1965        struct nf_conntrack_l4proto *l4proto;
1966        struct nf_conntrack_tuple m;
1967        struct nlattr *nest_parms;
1968
1969        memset(&m, 0xFF, sizeof(m));
1970        memcpy(&m.src.u3, &mask->src.u3, sizeof(m.src.u3));
1971        m.src.u.all = mask->src.u.all;
1972        m.dst.protonum = tuple->dst.protonum;
1973
1974        nest_parms = nla_nest_start(skb, CTA_EXPECT_MASK | NLA_F_NESTED);
1975        if (!nest_parms)
1976                goto nla_put_failure;
1977
1978        rcu_read_lock();
1979        l3proto = __nf_ct_l3proto_find(tuple->src.l3num);
1980        ret = ctnetlink_dump_tuples_ip(skb, &m, l3proto);
1981        if (ret >= 0) {
1982                l4proto = __nf_ct_l4proto_find(tuple->src.l3num,
1983                                               tuple->dst.protonum);
1984        ret = ctnetlink_dump_tuples_proto(skb, &m, l4proto);
1985        }
1986        rcu_read_unlock();
1987
1988        if (unlikely(ret < 0))
1989                goto nla_put_failure;
1990
1991        nla_nest_end(skb, nest_parms);
1992
1993        return 0;
1994
1995nla_put_failure:
1996        return -1;
1997}
1998
1999static const union nf_inet_addr any_addr;
2000
2001static int
2002ctnetlink_exp_dump_expect(struct sk_buff *skb,
2003                          const struct nf_conntrack_expect *exp)
2004{
2005        struct nf_conn *master = exp->master;
2006        long timeout = ((long)exp->timeout.expires - (long)jiffies) / HZ;
2007        struct nf_conn_help *help;
2008#ifdef CONFIG_NF_NAT_NEEDED
2009        struct nlattr *nest_parms;
2010        struct nf_conntrack_tuple nat_tuple = {};
2011#endif
2012        struct nf_ct_helper_expectfn *expfn;
2013
2014        if (timeout < 0)
2015                timeout = 0;
2016
2017        if (ctnetlink_exp_dump_tuple(skb, &exp->tuple, CTA_EXPECT_TUPLE) < 0)
2018                goto nla_put_failure;
2019        if (ctnetlink_exp_dump_mask(skb, &exp->tuple, &exp->mask) < 0)
2020                goto nla_put_failure;
2021        if (ctnetlink_exp_dump_tuple(skb,
2022                                 &master->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
2023                                 CTA_EXPECT_MASTER) < 0)
2024                goto nla_put_failure;
2025
2026#ifdef CONFIG_NF_NAT_NEEDED
2027        if (!nf_inet_addr_cmp(&exp->saved_addr, &any_addr) ||
2028            exp->saved_proto.all) {
2029                nest_parms = nla_nest_start(skb, CTA_EXPECT_NAT | NLA_F_NESTED);
2030                if (!nest_parms)
2031                        goto nla_put_failure;
2032
2033                if (nla_put_be32(skb, CTA_EXPECT_NAT_DIR, htonl(exp->dir)))
2034                        goto nla_put_failure;
2035
2036                nat_tuple.src.l3num = nf_ct_l3num(master);
2037                nat_tuple.src.u3 = exp->saved_addr;
2038                nat_tuple.dst.protonum = nf_ct_protonum(master);
2039                nat_tuple.src.u = exp->saved_proto;
2040
2041                if (ctnetlink_exp_dump_tuple(skb, &nat_tuple,
2042                                                CTA_EXPECT_NAT_TUPLE) < 0)
2043                        goto nla_put_failure;
2044                nla_nest_end(skb, nest_parms);
2045        }
2046#endif
2047        if (nla_put_be32(skb, CTA_EXPECT_TIMEOUT, htonl(timeout)) ||
2048            nla_put_be32(skb, CTA_EXPECT_ID, htonl((unsigned long)exp)) ||
2049            nla_put_be32(skb, CTA_EXPECT_FLAGS, htonl(exp->flags)) ||
2050            nla_put_be32(skb, CTA_EXPECT_CLASS, htonl(exp->class)))
2051                goto nla_put_failure;
2052        help = nfct_help(master);
2053        if (help) {
2054                struct nf_conntrack_helper *helper;
2055
2056                helper = rcu_dereference(help->helper);
2057                if (helper &&
2058                    nla_put_string(skb, CTA_EXPECT_HELP_NAME, helper->name))
2059                        goto nla_put_failure;
2060        }
2061        expfn = nf_ct_helper_expectfn_find_by_symbol(exp->expectfn);
2062        if (expfn != NULL &&
2063            nla_put_string(skb, CTA_EXPECT_FN, expfn->name))
2064                goto nla_put_failure;
2065
2066        return 0;
2067
2068nla_put_failure:
2069        return -1;
2070}
2071
2072static int
2073ctnetlink_exp_fill_info(struct sk_buff *skb, u32 portid, u32 seq,
2074                        int event, const struct nf_conntrack_expect *exp)
2075{
2076        struct nlmsghdr *nlh;
2077        struct nfgenmsg *nfmsg;
2078        unsigned int flags = portid ? NLM_F_MULTI : 0;
2079
2080        event |= NFNL_SUBSYS_CTNETLINK_EXP << 8;
2081        nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
2082        if (nlh == NULL)
2083                goto nlmsg_failure;
2084
2085        nfmsg = nlmsg_data(nlh);
2086        nfmsg->nfgen_family = exp->tuple.src.l3num;
2087        nfmsg->version      = NFNETLINK_V0;
2088        nfmsg->res_id       = 0;
2089
2090        if (ctnetlink_exp_dump_expect(skb, exp) < 0)
2091                goto nla_put_failure;
2092
2093        nlmsg_end(skb, nlh);
2094        return skb->len;
2095
2096nlmsg_failure:
2097nla_put_failure:
2098        nlmsg_cancel(skb, nlh);
2099        return -1;
2100}
2101
2102#ifdef CONFIG_NF_CONNTRACK_EVENTS
2103static int
2104ctnetlink_expect_event(unsigned int events, struct nf_exp_event *item)
2105{
2106        struct nf_conntrack_expect *exp = item->exp;
2107        struct net *net = nf_ct_exp_net(exp);
2108        struct nlmsghdr *nlh;
2109        struct nfgenmsg *nfmsg;
2110        struct sk_buff *skb;
2111        unsigned int type, group;
2112        int flags = 0;
2113
2114        if (events & (1 << IPEXP_DESTROY)) {
2115                type = IPCTNL_MSG_EXP_DELETE;
2116                group = NFNLGRP_CONNTRACK_EXP_DESTROY;
2117        } else if (events & (1 << IPEXP_NEW)) {
2118                type = IPCTNL_MSG_EXP_NEW;
2119                flags = NLM_F_CREATE|NLM_F_EXCL;
2120                group = NFNLGRP_CONNTRACK_EXP_NEW;
2121        } else
2122                return 0;
2123
2124        if (!item->report && !nfnetlink_has_listeners(net, group))
2125                return 0;
2126
2127        skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
2128        if (skb == NULL)
2129                goto errout;
2130
2131        type |= NFNL_SUBSYS_CTNETLINK_EXP << 8;
2132        nlh = nlmsg_put(skb, item->portid, 0, type, sizeof(*nfmsg), flags);
2133        if (nlh == NULL)
2134                goto nlmsg_failure;
2135
2136        nfmsg = nlmsg_data(nlh);
2137        nfmsg->nfgen_family = exp->tuple.src.l3num;
2138        nfmsg->version      = NFNETLINK_V0;
2139        nfmsg->res_id       = 0;
2140
2141        rcu_read_lock();
2142        if (ctnetlink_exp_dump_expect(skb, exp) < 0)
2143                goto nla_put_failure;
2144        rcu_read_unlock();
2145
2146        nlmsg_end(skb, nlh);
2147        nfnetlink_send(skb, net, item->portid, group, item->report, GFP_ATOMIC);
2148        return 0;
2149
2150nla_put_failure:
2151        rcu_read_unlock();
2152        nlmsg_cancel(skb, nlh);
2153nlmsg_failure:
2154        kfree_skb(skb);
2155errout:
2156        nfnetlink_set_err(net, 0, 0, -ENOBUFS);
2157        return 0;
2158}
2159#endif
2160static int ctnetlink_exp_done(struct netlink_callback *cb)
2161{
2162        if (cb->args[1])
2163                nf_ct_expect_put((struct nf_conntrack_expect *)cb->args[1]);
2164        return 0;
2165}
2166
2167static int
2168ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
2169{
2170        struct net *net = sock_net(skb->sk);
2171        struct nf_conntrack_expect *exp, *last;
2172        struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2173        struct hlist_node *n;
2174        u_int8_t l3proto = nfmsg->nfgen_family;
2175
2176        rcu_read_lock();
2177        last = (struct nf_conntrack_expect *)cb->args[1];
2178        for (; cb->args[0] < nf_ct_expect_hsize; cb->args[0]++) {
2179restart:
2180                hlist_for_each_entry(exp, n, &net->ct.expect_hash[cb->args[0]],
2181                                     hnode) {
2182                        if (l3proto && exp->tuple.src.l3num != l3proto)
2183                                continue;
2184                        if (cb->args[1]) {
2185                                if (exp != last)
2186                                        continue;
2187                                cb->args[1] = 0;
2188                        }
2189                        if (ctnetlink_exp_fill_info(skb,
2190                                                    NETLINK_CB(cb->skb).portid,
2191                                                    cb->nlh->nlmsg_seq,
2192                                                    IPCTNL_MSG_EXP_NEW,
2193                                                    exp) < 0) {
2194                                if (!atomic_inc_not_zero(&exp->use))
2195                                        continue;
2196                                cb->args[1] = (unsigned long)exp;
2197                                goto out;
2198                        }
2199                }
2200                if (cb->args[1]) {
2201                        cb->args[1] = 0;
2202                        goto restart;
2203                }
2204        }
2205out:
2206        rcu_read_unlock();
2207        if (last)
2208                nf_ct_expect_put(last);
2209
2210        return skb->len;
2211}
2212
2213static const struct nla_policy exp_nla_policy[CTA_EXPECT_MAX+1] = {
2214        [CTA_EXPECT_MASTER]     = { .type = NLA_NESTED },
2215        [CTA_EXPECT_TUPLE]      = { .type = NLA_NESTED },
2216        [CTA_EXPECT_MASK]       = { .type = NLA_NESTED },
2217        [CTA_EXPECT_TIMEOUT]    = { .type = NLA_U32 },
2218        [CTA_EXPECT_ID]         = { .type = NLA_U32 },
2219        [CTA_EXPECT_HELP_NAME]  = { .type = NLA_NUL_STRING },
2220        [CTA_EXPECT_ZONE]       = { .type = NLA_U16 },
2221        [CTA_EXPECT_FLAGS]      = { .type = NLA_U32 },
2222        [CTA_EXPECT_CLASS]      = { .type = NLA_U32 },
2223        [CTA_EXPECT_NAT]        = { .type = NLA_NESTED },
2224        [CTA_EXPECT_FN]         = { .type = NLA_NUL_STRING },
2225};
2226
2227static int
2228ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb,
2229                     const struct nlmsghdr *nlh,
2230                     const struct nlattr * const cda[])
2231{
2232        struct net *net = sock_net(ctnl);
2233        struct nf_conntrack_tuple tuple;
2234        struct nf_conntrack_expect *exp;
2235        struct sk_buff *skb2;
2236        struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2237        u_int8_t u3 = nfmsg->nfgen_family;
2238        u16 zone;
2239        int err;
2240
2241        if (nlh->nlmsg_flags & NLM_F_DUMP) {
2242                struct netlink_dump_control c = {
2243                        .dump = ctnetlink_exp_dump_table,
2244                        .done = ctnetlink_exp_done,
2245                };
2246                return netlink_dump_start(ctnl, skb, nlh, &c);
2247        }
2248
2249        err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
2250        if (err < 0)
2251                return err;
2252
2253        if (cda[CTA_EXPECT_TUPLE])
2254                err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, u3);
2255        else if (cda[CTA_EXPECT_MASTER])
2256                err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER, u3);
2257        else
2258                return -EINVAL;
2259
2260        if (err < 0)
2261                return err;
2262
2263        exp = nf_ct_expect_find_get(net, zone, &tuple);
2264        if (!exp)
2265                return -ENOENT;
2266
2267        if (cda[CTA_EXPECT_ID]) {
2268                __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);
2269                if (ntohl(id) != (u32)(unsigned long)exp) {
2270                        nf_ct_expect_put(exp);
2271                        return -ENOENT;
2272                }
2273        }
2274
2275        err = -ENOMEM;
2276        skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2277        if (skb2 == NULL) {
2278                nf_ct_expect_put(exp);
2279                goto out;
2280        }
2281
2282        rcu_read_lock();
2283        err = ctnetlink_exp_fill_info(skb2, NETLINK_CB(skb).portid,
2284                                      nlh->nlmsg_seq, IPCTNL_MSG_EXP_NEW, exp);
2285        rcu_read_unlock();
2286        nf_ct_expect_put(exp);
2287        if (err <= 0)
2288                goto free;
2289
2290        err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
2291        if (err < 0)
2292                goto out;
2293
2294        return 0;
2295
2296free:
2297        kfree_skb(skb2);
2298out:
2299        /* this avoids a loop in nfnetlink. */
2300        return err == -EAGAIN ? -ENOBUFS : err;
2301}
2302
2303static int
2304ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb,
2305                     const struct nlmsghdr *nlh,
2306                     const struct nlattr * const cda[])
2307{
2308        struct net *net = sock_net(ctnl);
2309        struct nf_conntrack_expect *exp;
2310        struct nf_conntrack_tuple tuple;
2311        struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2312        struct hlist_node *n, *next;
2313        u_int8_t u3 = nfmsg->nfgen_family;
2314        unsigned int i;
2315        u16 zone;
2316        int err;
2317
2318        if (cda[CTA_EXPECT_TUPLE]) {
2319                /* delete a single expect by tuple */
2320                err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
2321                if (err < 0)
2322                        return err;
2323
2324                err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, u3);
2325                if (err < 0)
2326                        return err;
2327
2328                /* bump usage count to 2 */
2329                exp = nf_ct_expect_find_get(net, zone, &tuple);
2330                if (!exp)
2331                        return -ENOENT;
2332
2333                if (cda[CTA_EXPECT_ID]) {
2334                        __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);
2335                        if (ntohl(id) != (u32)(unsigned long)exp) {
2336                                nf_ct_expect_put(exp);
2337                                return -ENOENT;
2338                        }
2339                }
2340
2341                /* after list removal, usage count == 1 */
2342                spin_lock_bh(&nf_conntrack_lock);
2343                if (del_timer(&exp->timeout)) {
2344                        nf_ct_unlink_expect_report(exp, NETLINK_CB(skb).portid,
2345                                                   nlmsg_report(nlh));
2346                        nf_ct_expect_put(exp);
2347                }
2348                spin_unlock_bh(&nf_conntrack_lock);
2349                /* have to put what we 'get' above.
2350                 * after this line usage count == 0 */
2351                nf_ct_expect_put(exp);
2352        } else if (cda[CTA_EXPECT_HELP_NAME]) {
2353                char *name = nla_data(cda[CTA_EXPECT_HELP_NAME]);
2354                struct nf_conn_help *m_help;
2355
2356                /* delete all expectations for this helper */
2357                spin_lock_bh(&nf_conntrack_lock);
2358                for (i = 0; i < nf_ct_expect_hsize; i++) {
2359                        hlist_for_each_entry_safe(exp, n, next,
2360                                                  &net->ct.expect_hash[i],
2361                                                  hnode) {
2362                                m_help = nfct_help(exp->master);
2363                                if (!strcmp(m_help->helper->name, name) &&
2364                                    del_timer(&exp->timeout)) {
2365                                        nf_ct_unlink_expect_report(exp,
2366                                                        NETLINK_CB(skb).portid,
2367                                                        nlmsg_report(nlh));
2368                                        nf_ct_expect_put(exp);
2369                                }
2370                        }
2371                }
2372                spin_unlock_bh(&nf_conntrack_lock);
2373        } else {
2374                /* This basically means we have to flush everything*/
2375                spin_lock_bh(&nf_conntrack_lock);
2376                for (i = 0; i < nf_ct_expect_hsize; i++) {
2377                        hlist_for_each_entry_safe(exp, n, next,
2378                                                  &net->ct.expect_hash[i],
2379                                                  hnode) {
2380                                if (del_timer(&exp->timeout)) {
2381                                        nf_ct_unlink_expect_report(exp,
2382                                                        NETLINK_CB(skb).portid,
2383                                                        nlmsg_report(nlh));
2384                                        nf_ct_expect_put(exp);
2385                                }
2386                        }
2387                }
2388                spin_unlock_bh(&nf_conntrack_lock);
2389        }
2390
2391        return 0;
2392}
2393static int
2394ctnetlink_change_expect(struct nf_conntrack_expect *x,
2395                        const struct nlattr * const cda[])
2396{
2397        if (cda[CTA_EXPECT_TIMEOUT]) {
2398                if (!del_timer(&x->timeout))
2399                        return -ETIME;
2400
2401                x->timeout.expires = jiffies +
2402                        ntohl(nla_get_be32(cda[CTA_EXPECT_TIMEOUT])) * HZ;
2403                add_timer(&x->timeout);
2404        }
2405        return 0;
2406}
2407
2408static const struct nla_policy exp_nat_nla_policy[CTA_EXPECT_NAT_MAX+1] = {
2409        [CTA_EXPECT_NAT_DIR]    = { .type = NLA_U32 },
2410        [CTA_EXPECT_NAT_TUPLE]  = { .type = NLA_NESTED },
2411};
2412
2413static int
2414ctnetlink_parse_expect_nat(const struct nlattr *attr,
2415                           struct nf_conntrack_expect *exp,
2416                           u_int8_t u3)
2417{
2418#ifdef CONFIG_NF_NAT_NEEDED
2419        struct nlattr *tb[CTA_EXPECT_NAT_MAX+1];
2420        struct nf_conntrack_tuple nat_tuple = {};
2421        int err;
2422
2423        nla_parse_nested(tb, CTA_EXPECT_NAT_MAX, attr, exp_nat_nla_policy);
2424
2425        if (!tb[CTA_EXPECT_NAT_DIR] || !tb[CTA_EXPECT_NAT_TUPLE])
2426                return -EINVAL;
2427
2428        err = ctnetlink_parse_tuple((const struct nlattr * const *)tb,
2429                                        &nat_tuple, CTA_EXPECT_NAT_TUPLE, u3);
2430        if (err < 0)
2431                return err;
2432
2433        exp->saved_addr = nat_tuple.src.u3;
2434        exp->saved_proto = nat_tuple.src.u;
2435        exp->dir = ntohl(nla_get_be32(tb[CTA_EXPECT_NAT_DIR]));
2436
2437        return 0;
2438#else
2439        return -EOPNOTSUPP;
2440#endif
2441}
2442
2443static int
2444ctnetlink_create_expect(struct net *net, u16 zone,
2445                        const struct nlattr * const cda[],
2446                        u_int8_t u3,
2447                        u32 portid, int report)
2448{
2449        struct nf_conntrack_tuple tuple, mask, master_tuple;
2450        struct nf_conntrack_tuple_hash *h = NULL;
2451        struct nf_conntrack_expect *exp;
2452        struct nf_conn *ct;
2453        struct nf_conn_help *help;
2454        struct nf_conntrack_helper *helper = NULL;
2455        u_int32_t class = 0;
2456        int err = 0;
2457
2458        /* caller guarantees that those three CTA_EXPECT_* exist */
2459        err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, u3);
2460        if (err < 0)
2461                return err;
2462        err = ctnetlink_parse_tuple(cda, &mask, CTA_EXPECT_MASK, u3);
2463        if (err < 0)
2464                return err;
2465        err = ctnetlink_parse_tuple(cda, &master_tuple, CTA_EXPECT_MASTER, u3);
2466        if (err < 0)
2467                return err;
2468
2469        /* Look for master conntrack of this expectation */
2470        h = nf_conntrack_find_get(net, zone, &master_tuple);
2471        if (!h)
2472                return -ENOENT;
2473        ct = nf_ct_tuplehash_to_ctrack(h);
2474
2475        /* Look for helper of this expectation */
2476        if (cda[CTA_EXPECT_HELP_NAME]) {
2477                const char *helpname = nla_data(cda[CTA_EXPECT_HELP_NAME]);
2478
2479                helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
2480                                                    nf_ct_protonum(ct));
2481                if (helper == NULL) {
2482#ifdef CONFIG_MODULES
2483                        if (request_module("nfct-helper-%s", helpname) < 0) {
2484                                err = -EOPNOTSUPP;
2485                                goto out;
2486                        }
2487
2488                        helper = __nf_conntrack_helper_find(helpname,
2489                                                            nf_ct_l3num(ct),
2490                                                            nf_ct_protonum(ct));
2491                        if (helper) {
2492                                err = -EAGAIN;
2493                                goto out;
2494                        }
2495#endif
2496                        err = -EOPNOTSUPP;
2497                        goto out;
2498                }
2499        }
2500
2501        if (cda[CTA_EXPECT_CLASS] && helper) {
2502                class = ntohl(nla_get_be32(cda[CTA_EXPECT_CLASS]));
2503                if (class > helper->expect_class_max) {
2504                        err = -EINVAL;
2505                        goto out;
2506                }
2507        }
2508        exp = nf_ct_expect_alloc(ct);
2509        if (!exp) {
2510                err = -ENOMEM;
2511                goto out;
2512        }
2513        help = nfct_help(ct);
2514        if (!help) {
2515                if (!cda[CTA_EXPECT_TIMEOUT]) {
2516                        err = -EINVAL;
2517                        goto out;
2518                }
2519                exp->timeout.expires =
2520                  jiffies + ntohl(nla_get_be32(cda[CTA_EXPECT_TIMEOUT])) * HZ;
2521
2522                exp->flags = NF_CT_EXPECT_USERSPACE;
2523                if (cda[CTA_EXPECT_FLAGS]) {
2524                        exp->flags |=
2525                                ntohl(nla_get_be32(cda[CTA_EXPECT_FLAGS]));
2526                }
2527        } else {
2528                if (cda[CTA_EXPECT_FLAGS]) {
2529                        exp->flags = ntohl(nla_get_be32(cda[CTA_EXPECT_FLAGS]));
2530                        exp->flags &= ~NF_CT_EXPECT_USERSPACE;
2531                } else
2532                        exp->flags = 0;
2533        }
2534        if (cda[CTA_EXPECT_FN]) {
2535                const char *name = nla_data(cda[CTA_EXPECT_FN]);
2536                struct nf_ct_helper_expectfn *expfn;
2537
2538                expfn = nf_ct_helper_expectfn_find_by_name(name);
2539                if (expfn == NULL) {
2540                        err = -EINVAL;
2541                        goto err_out;
2542                }
2543                exp->expectfn = expfn->expectfn;
2544        } else
2545                exp->expectfn = NULL;
2546
2547        exp->class = class;
2548        exp->master = ct;
2549        exp->helper = helper;
2550        memcpy(&exp->tuple, &tuple, sizeof(struct nf_conntrack_tuple));
2551        memcpy(&exp->mask.src.u3, &mask.src.u3, sizeof(exp->mask.src.u3));
2552        exp->mask.src.u.all = mask.src.u.all;
2553
2554        if (cda[CTA_EXPECT_NAT]) {
2555                err = ctnetlink_parse_expect_nat(cda[CTA_EXPECT_NAT],
2556                                                 exp, u3);
2557                if (err < 0)
2558                        goto err_out;
2559        }
2560        err = nf_ct_expect_related_report(exp, portid, report);
2561err_out:
2562        nf_ct_expect_put(exp);
2563out:
2564        nf_ct_put(nf_ct_tuplehash_to_ctrack(h));
2565        return err;
2566}
2567
2568static int
2569ctnetlink_new_expect(struct sock *ctnl, struct sk_buff *skb,
2570                     const struct nlmsghdr *nlh,
2571                     const struct nlattr * const cda[])
2572{
2573        struct net *net = sock_net(ctnl);
2574        struct nf_conntrack_tuple tuple;
2575        struct nf_conntrack_expect *exp;
2576        struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2577        u_int8_t u3 = nfmsg->nfgen_family;
2578        u16 zone;
2579        int err;
2580
2581        if (!cda[CTA_EXPECT_TUPLE]
2582            || !cda[CTA_EXPECT_MASK]
2583            || !cda[CTA_EXPECT_MASTER])
2584                return -EINVAL;
2585
2586        err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
2587        if (err < 0)
2588                return err;
2589
2590        err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, u3);
2591        if (err < 0)
2592                return err;
2593
2594        spin_lock_bh(&nf_conntrack_lock);
2595        exp = __nf_ct_expect_find(net, zone, &tuple);
2596
2597        if (!exp) {
2598                spin_unlock_bh(&nf_conntrack_lock);
2599                err = -ENOENT;
2600                if (nlh->nlmsg_flags & NLM_F_CREATE) {
2601                        err = ctnetlink_create_expect(net, zone, cda,
2602                                                      u3,
2603                                                      NETLINK_CB(skb).portid,
2604                                                      nlmsg_report(nlh));
2605                }
2606                return err;
2607        }
2608
2609        err = -EEXIST;
2610        if (!(nlh->nlmsg_flags & NLM_F_EXCL))
2611                err = ctnetlink_change_expect(exp, cda);
2612        spin_unlock_bh(&nf_conntrack_lock);
2613
2614        return err;
2615}
2616
2617static int
2618ctnetlink_exp_stat_fill_info(struct sk_buff *skb, u32 portid, u32 seq, int cpu,
2619                             const struct ip_conntrack_stat *st)
2620{
2621        struct nlmsghdr *nlh;
2622        struct nfgenmsg *nfmsg;
2623        unsigned int flags = portid ? NLM_F_MULTI : 0, event;
2624
2625        event = (NFNL_SUBSYS_CTNETLINK << 8 | IPCTNL_MSG_EXP_GET_STATS_CPU);
2626        nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
2627        if (nlh == NULL)
2628                goto nlmsg_failure;
2629
2630        nfmsg = nlmsg_data(nlh);
2631        nfmsg->nfgen_family = AF_UNSPEC;
2632        nfmsg->version      = NFNETLINK_V0;
2633        nfmsg->res_id       = htons(cpu);
2634
2635        if (nla_put_be32(skb, CTA_STATS_EXP_NEW, htonl(st->expect_new)) ||
2636            nla_put_be32(skb, CTA_STATS_EXP_CREATE, htonl(st->expect_create)) ||
2637            nla_put_be32(skb, CTA_STATS_EXP_DELETE, htonl(st->expect_delete)))
2638                goto nla_put_failure;
2639
2640        nlmsg_end(skb, nlh);
2641        return skb->len;
2642
2643nla_put_failure:
2644nlmsg_failure:
2645        nlmsg_cancel(skb, nlh);
2646        return -1;
2647}
2648
2649static int
2650ctnetlink_exp_stat_cpu_dump(struct sk_buff *skb, struct netlink_callback *cb)
2651{
2652        int cpu;
2653        struct net *net = sock_net(skb->sk);
2654
2655        if (cb->args[0] == nr_cpu_ids)
2656                return 0;
2657
2658        for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) {
2659                const struct ip_conntrack_stat *st;
2660
2661                if (!cpu_possible(cpu))
2662                        continue;
2663
2664                st = per_cpu_ptr(net->ct.stat, cpu);
2665                if (ctnetlink_exp_stat_fill_info(skb, NETLINK_CB(cb->skb).portid,
2666                                                 cb->nlh->nlmsg_seq,
2667                                                 cpu, st) < 0)
2668                        break;
2669        }
2670        cb->args[0] = cpu;
2671
2672        return skb->len;
2673}
2674
2675static int
2676ctnetlink_stat_exp_cpu(struct sock *ctnl, struct sk_buff *skb,
2677                       const struct nlmsghdr *nlh,
2678                       const struct nlattr * const cda[])
2679{
2680        if (nlh->nlmsg_flags & NLM_F_DUMP) {
2681                struct netlink_dump_control c = {
2682                        .dump = ctnetlink_exp_stat_cpu_dump,
2683                };
2684                return netlink_dump_start(ctnl, skb, nlh, &c);
2685        }
2686
2687        return 0;
2688}
2689
2690#ifdef CONFIG_NF_CONNTRACK_EVENTS
2691static struct nf_ct_event_notifier ctnl_notifier = {
2692        .fcn = ctnetlink_conntrack_event,
2693};
2694
2695static struct nf_exp_event_notifier ctnl_notifier_exp = {
2696        .fcn = ctnetlink_expect_event,
2697};
2698#endif
2699
2700static const struct nfnl_callback ctnl_cb[IPCTNL_MSG_MAX] = {
2701        [IPCTNL_MSG_CT_NEW]             = { .call = ctnetlink_new_conntrack,
2702                                            .attr_count = CTA_MAX,
2703                                            .policy = ct_nla_policy },
2704        [IPCTNL_MSG_CT_GET]             = { .call = ctnetlink_get_conntrack,
2705                                            .attr_count = CTA_MAX,
2706                                            .policy = ct_nla_policy },
2707        [IPCTNL_MSG_CT_DELETE]          = { .call = ctnetlink_del_conntrack,
2708                                            .attr_count = CTA_MAX,
2709                                            .policy = ct_nla_policy },
2710        [IPCTNL_MSG_CT_GET_CTRZERO]     = { .call = ctnetlink_get_conntrack,
2711                                            .attr_count = CTA_MAX,
2712                                            .policy = ct_nla_policy },
2713        [IPCTNL_MSG_CT_GET_STATS_CPU]   = { .call = ctnetlink_stat_ct_cpu },
2714        [IPCTNL_MSG_CT_GET_STATS]       = { .call = ctnetlink_stat_ct },
2715};
2716
2717static const struct nfnl_callback ctnl_exp_cb[IPCTNL_MSG_EXP_MAX] = {
2718        [IPCTNL_MSG_EXP_GET]            = { .call = ctnetlink_get_expect,
2719                                            .attr_count = CTA_EXPECT_MAX,
2720                                            .policy = exp_nla_policy },
2721        [IPCTNL_MSG_EXP_NEW]            = { .call = ctnetlink_new_expect,
2722                                            .attr_count = CTA_EXPECT_MAX,
2723                                            .policy = exp_nla_policy },
2724        [IPCTNL_MSG_EXP_DELETE]         = { .call = ctnetlink_del_expect,
2725                                            .attr_count = CTA_EXPECT_MAX,
2726                                            .policy = exp_nla_policy },
2727        [IPCTNL_MSG_EXP_GET_STATS_CPU]  = { .call = ctnetlink_stat_exp_cpu },
2728};
2729
2730static const struct nfnetlink_subsystem ctnl_subsys = {
2731        .name                           = "conntrack",
2732        .subsys_id                      = NFNL_SUBSYS_CTNETLINK,
2733        .cb_count                       = IPCTNL_MSG_MAX,
2734        .cb                             = ctnl_cb,
2735};
2736
2737static const struct nfnetlink_subsystem ctnl_exp_subsys = {
2738        .name                           = "conntrack_expect",
2739        .subsys_id                      = NFNL_SUBSYS_CTNETLINK_EXP,
2740        .cb_count                       = IPCTNL_MSG_EXP_MAX,
2741        .cb                             = ctnl_exp_cb,
2742};
2743
2744MODULE_ALIAS("ip_conntrack_netlink");
2745MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK);
2746MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK_EXP);
2747
2748static int __net_init ctnetlink_net_init(struct net *net)
2749{
2750#ifdef CONFIG_NF_CONNTRACK_EVENTS
2751        int ret;
2752
2753        ret = nf_conntrack_register_notifier(net, &ctnl_notifier);
2754        if (ret < 0) {
2755                pr_err("ctnetlink_init: cannot register notifier.\n");
2756                goto err_out;
2757        }
2758
2759        ret = nf_ct_expect_register_notifier(net, &ctnl_notifier_exp);
2760        if (ret < 0) {
2761                pr_err("ctnetlink_init: cannot expect register notifier.\n");
2762                goto err_unreg_notifier;
2763        }
2764#endif
2765        return 0;
2766
2767#ifdef CONFIG_NF_CONNTRACK_EVENTS
2768err_unreg_notifier:
2769        nf_conntrack_unregister_notifier(net, &ctnl_notifier);
2770err_out:
2771        return ret;
2772#endif
2773}
2774
2775static void ctnetlink_net_exit(struct net *net)
2776{
2777#ifdef CONFIG_NF_CONNTRACK_EVENTS
2778        nf_ct_expect_unregister_notifier(net, &ctnl_notifier_exp);
2779        nf_conntrack_unregister_notifier(net, &ctnl_notifier);
2780#endif
2781}
2782
2783static void __net_exit ctnetlink_net_exit_batch(struct list_head *net_exit_list)
2784{
2785        struct net *net;
2786
2787        list_for_each_entry(net, net_exit_list, exit_list)
2788                ctnetlink_net_exit(net);
2789}
2790
2791static struct pernet_operations ctnetlink_net_ops = {
2792        .init           = ctnetlink_net_init,
2793        .exit_batch     = ctnetlink_net_exit_batch,
2794};
2795
2796static int __init ctnetlink_init(void)
2797{
2798        int ret;
2799
2800        pr_info("ctnetlink v%s: registering with nfnetlink.\n", version);
2801        ret = nfnetlink_subsys_register(&ctnl_subsys);
2802        if (ret < 0) {
2803                pr_err("ctnetlink_init: cannot register with nfnetlink.\n");
2804                goto err_out;
2805        }
2806
2807        ret = nfnetlink_subsys_register(&ctnl_exp_subsys);
2808        if (ret < 0) {
2809                pr_err("ctnetlink_init: cannot register exp with nfnetlink.\n");
2810                goto err_unreg_subsys;
2811        }
2812
2813        ret = register_pernet_subsys(&ctnetlink_net_ops);
2814        if (ret < 0) {
2815                pr_err("ctnetlink_init: cannot register pernet operations\n");
2816                goto err_unreg_exp_subsys;
2817        }
2818#ifdef CONFIG_NETFILTER_NETLINK_QUEUE_CT
2819        /* setup interaction between nf_queue and nf_conntrack_netlink. */
2820        RCU_INIT_POINTER(nfq_ct_hook, &ctnetlink_nfqueue_hook);
2821#endif
2822        return 0;
2823
2824err_unreg_exp_subsys:
2825        nfnetlink_subsys_unregister(&ctnl_exp_subsys);
2826err_unreg_subsys:
2827        nfnetlink_subsys_unregister(&ctnl_subsys);
2828err_out:
2829        return ret;
2830}
2831
2832static void __exit ctnetlink_exit(void)
2833{
2834        pr_info("ctnetlink: unregistering from nfnetlink.\n");
2835
2836        unregister_pernet_subsys(&ctnetlink_net_ops);
2837        nfnetlink_subsys_unregister(&ctnl_exp_subsys);
2838        nfnetlink_subsys_unregister(&ctnl_subsys);
2839#ifdef CONFIG_NETFILTER_NETLINK_QUEUE_CT
2840        RCU_INIT_POINTER(nfq_ct_hook, NULL);
2841#endif
2842}
2843
2844module_init(ctnetlink_init);
2845module_exit(ctnetlink_exit);
2846
lxr.linux.no kindly hosted by Redpill Linpro AS, provider of Linux consulting and operations services since 1995.