1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18#include <linux/init.h>
19#include <linux/module.h>
20#include <linux/kernel.h>
21#include <linux/rculist.h>
22#include <linux/rculist_nulls.h>
23#include <linux/types.h>
24#include <linux/timer.h>
25#include <linux/security.h>
26#include <linux/skbuff.h>
27#include <linux/errno.h>
28#include <linux/netlink.h>
29#include <linux/spinlock.h>
30#include <linux/interrupt.h>
31#include <linux/slab.h>
32
33#include <linux/netfilter.h>
34#include <net/netlink.h>
35#include <net/sock.h>
36#include <net/netfilter/nf_conntrack.h>
37#include <net/netfilter/nf_conntrack_core.h>
38#include <net/netfilter/nf_conntrack_expect.h>
39#include <net/netfilter/nf_conntrack_helper.h>
40#include <net/netfilter/nf_conntrack_l3proto.h>
41#include <net/netfilter/nf_conntrack_l4proto.h>
42#include <net/netfilter/nf_conntrack_tuple.h>
43#include <net/netfilter/nf_conntrack_acct.h>
44#include <net/netfilter/nf_conntrack_zones.h>
45#include <net/netfilter/nf_conntrack_timestamp.h>
46#ifdef CONFIG_NF_NAT_NEEDED
47#include <net/netfilter/nf_nat_core.h>
48#include <net/netfilter/nf_nat_protocol.h>
49#endif
50
51#include <linux/netfilter/nfnetlink.h>
52#include <linux/netfilter/nfnetlink_conntrack.h>
53
54MODULE_LICENSE("GPL");
55
56static char __initdata version[] = "0.93";
57
58static inline int
59ctnetlink_dump_tuples_proto(struct sk_buff *skb,
60 const struct nf_conntrack_tuple *tuple,
61 struct nf_conntrack_l4proto *l4proto)
62{
63 int ret = 0;
64 struct nlattr *nest_parms;
65
66 nest_parms = nla_nest_start(skb, CTA_TUPLE_PROTO | NLA_F_NESTED);
67 if (!nest_parms)
68 goto nla_put_failure;
69 NLA_PUT_U8(skb, CTA_PROTO_NUM, tuple->dst.protonum);
70
71 if (likely(l4proto->tuple_to_nlattr))
72 ret = l4proto->tuple_to_nlattr(skb, tuple);
73
74 nla_nest_end(skb, nest_parms);
75
76 return ret;
77
78nla_put_failure:
79 return -1;
80}
81
82static inline int
83ctnetlink_dump_tuples_ip(struct sk_buff *skb,
84 const struct nf_conntrack_tuple *tuple,
85 struct nf_conntrack_l3proto *l3proto)
86{
87 int ret = 0;
88 struct nlattr *nest_parms;
89
90 nest_parms = nla_nest_start(skb, CTA_TUPLE_IP | NLA_F_NESTED);
91 if (!nest_parms)
92 goto nla_put_failure;
93
94 if (likely(l3proto->tuple_to_nlattr))
95 ret = l3proto->tuple_to_nlattr(skb, tuple);
96
97 nla_nest_end(skb, nest_parms);
98
99 return ret;
100
101nla_put_failure:
102 return -1;
103}
104
105static int
106ctnetlink_dump_tuples(struct sk_buff *skb,
107 const struct nf_conntrack_tuple *tuple)
108{
109 int ret;
110 struct nf_conntrack_l3proto *l3proto;
111 struct nf_conntrack_l4proto *l4proto;
112
113 l3proto = __nf_ct_l3proto_find(tuple->src.l3num);
114 ret = ctnetlink_dump_tuples_ip(skb, tuple, l3proto);
115
116 if (unlikely(ret < 0))
117 return ret;
118
119 l4proto = __nf_ct_l4proto_find(tuple->src.l3num, tuple->dst.protonum);
120 ret = ctnetlink_dump_tuples_proto(skb, tuple, l4proto);
121
122 return ret;
123}
124
125static inline int
126ctnetlink_dump_status(struct sk_buff *skb, const struct nf_conn *ct)
127{
128 NLA_PUT_BE32(skb, CTA_STATUS, htonl(ct->status));
129 return 0;
130
131nla_put_failure:
132 return -1;
133}
134
135static inline int
136ctnetlink_dump_timeout(struct sk_buff *skb, const struct nf_conn *ct)
137{
138 long timeout = ((long)ct->timeout.expires - (long)jiffies) / HZ;
139
140 if (timeout < 0)
141 timeout = 0;
142
143 NLA_PUT_BE32(skb, CTA_TIMEOUT, htonl(timeout));
144 return 0;
145
146nla_put_failure:
147 return -1;
148}
149
150static inline int
151ctnetlink_dump_protoinfo(struct sk_buff *skb, struct nf_conn *ct)
152{
153 struct nf_conntrack_l4proto *l4proto;
154 struct nlattr *nest_proto;
155 int ret;
156
157 l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
158 if (!l4proto->to_nlattr)
159 return 0;
160
161 nest_proto = nla_nest_start(skb, CTA_PROTOINFO | NLA_F_NESTED);
162 if (!nest_proto)
163 goto nla_put_failure;
164
165 ret = l4proto->to_nlattr(skb, nest_proto, ct);
166
167 nla_nest_end(skb, nest_proto);
168
169 return ret;
170
171nla_put_failure:
172 return -1;
173}
174
175static inline int
176ctnetlink_dump_helpinfo(struct sk_buff *skb, const struct nf_conn *ct)
177{
178 struct nlattr *nest_helper;
179 const struct nf_conn_help *help = nfct_help(ct);
180 struct nf_conntrack_helper *helper;
181
182 if (!help)
183 return 0;
184
185 helper = rcu_dereference(help->helper);
186 if (!helper)
187 goto out;
188
189 nest_helper = nla_nest_start(skb, CTA_HELP | NLA_F_NESTED);
190 if (!nest_helper)
191 goto nla_put_failure;
192 NLA_PUT_STRING(skb, CTA_HELP_NAME, helper->name);
193
194 if (helper->to_nlattr)
195 helper->to_nlattr(skb, ct);
196
197 nla_nest_end(skb, nest_helper);
198out:
199 return 0;
200
201nla_put_failure:
202 return -1;
203}
204
205static int
206dump_counters(struct sk_buff *skb, u64 pkts, u64 bytes,
207 enum ip_conntrack_dir dir)
208{
209 enum ctattr_type type = dir ? CTA_COUNTERS_REPLY: CTA_COUNTERS_ORIG;
210 struct nlattr *nest_count;
211
212 nest_count = nla_nest_start(skb, type | NLA_F_NESTED);
213 if (!nest_count)
214 goto nla_put_failure;
215
216 NLA_PUT_BE64(skb, CTA_COUNTERS_PACKETS, cpu_to_be64(pkts));
217 NLA_PUT_BE64(skb, CTA_COUNTERS_BYTES, cpu_to_be64(bytes));
218
219 nla_nest_end(skb, nest_count);
220
221 return 0;
222
223nla_put_failure:
224 return -1;
225}
226
227static int
228ctnetlink_dump_counters(struct sk_buff *skb, const struct nf_conn *ct,
229 enum ip_conntrack_dir dir, int type)
230{
231 struct nf_conn_counter *acct;
232 u64 pkts, bytes;
233
234 acct = nf_conn_acct_find(ct);
235 if (!acct)
236 return 0;
237
238 if (type == IPCTNL_MSG_CT_GET_CTRZERO) {
239 pkts = atomic64_xchg(&acct[dir].packets, 0);
240 bytes = atomic64_xchg(&acct[dir].bytes, 0);
241 } else {
242 pkts = atomic64_read(&acct[dir].packets);
243 bytes = atomic64_read(&acct[dir].bytes);
244 }
245 return dump_counters(skb, pkts, bytes, dir);
246}
247
248static int
249ctnetlink_dump_timestamp(struct sk_buff *skb, const struct nf_conn *ct)
250{
251 struct nlattr *nest_count;
252 const struct nf_conn_tstamp *tstamp;
253
254 tstamp = nf_conn_tstamp_find(ct);
255 if (!tstamp)
256 return 0;
257
258 nest_count = nla_nest_start(skb, CTA_TIMESTAMP | NLA_F_NESTED);
259 if (!nest_count)
260 goto nla_put_failure;
261
262 NLA_PUT_BE64(skb, CTA_TIMESTAMP_START, cpu_to_be64(tstamp->start));
263 if (tstamp->stop != 0) {
264 NLA_PUT_BE64(skb, CTA_TIMESTAMP_STOP,
265 cpu_to_be64(tstamp->stop));
266 }
267 nla_nest_end(skb, nest_count);
268
269 return 0;
270
271nla_put_failure:
272 return -1;
273}
274
275#ifdef CONFIG_NF_CONNTRACK_MARK
276static inline int
277ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct)
278{
279 NLA_PUT_BE32(skb, CTA_MARK, htonl(ct->mark));
280 return 0;
281
282nla_put_failure:
283 return -1;
284}
285#else
286#define ctnetlink_dump_mark(a, b) (0)
287#endif
288
289#ifdef CONFIG_NF_CONNTRACK_SECMARK
290static inline int
291ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
292{
293 struct nlattr *nest_secctx;
294 int len, ret;
295 char *secctx;
296
297 ret = security_secid_to_secctx(ct->secmark, &secctx, &len);
298 if (ret)
299 return 0;
300
301 ret = -1;
302 nest_secctx = nla_nest_start(skb, CTA_SECCTX | NLA_F_NESTED);
303 if (!nest_secctx)
304 goto nla_put_failure;
305
306 NLA_PUT_STRING(skb, CTA_SECCTX_NAME, secctx);
307 nla_nest_end(skb, nest_secctx);
308
309 ret = 0;
310nla_put_failure:
311 security_release_secctx(secctx, len);
312 return ret;
313}
314#else
315#define ctnetlink_dump_secctx(a, b) (0)
316#endif
317
318#define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple)
319
320static inline int
321ctnetlink_dump_master(struct sk_buff *skb, const struct nf_conn *ct)
322{
323 struct nlattr *nest_parms;
324
325 if (!(ct->status & IPS_EXPECTED))
326 return 0;
327
328 nest_parms = nla_nest_start(skb, CTA_TUPLE_MASTER | NLA_F_NESTED);
329 if (!nest_parms)
330 goto nla_put_failure;
331 if (ctnetlink_dump_tuples(skb, master_tuple(ct)) < 0)
332 goto nla_put_failure;
333 nla_nest_end(skb, nest_parms);
334
335 return 0;
336
337nla_put_failure:
338 return -1;
339}
340
341#ifdef CONFIG_NF_NAT_NEEDED
342static int
343dump_nat_seq_adj(struct sk_buff *skb, const struct nf_nat_seq *natseq, int type)
344{
345 struct nlattr *nest_parms;
346
347 nest_parms = nla_nest_start(skb, type | NLA_F_NESTED);
348 if (!nest_parms)
349 goto nla_put_failure;
350
351 NLA_PUT_BE32(skb, CTA_NAT_SEQ_CORRECTION_POS,
352 htonl(natseq->correction_pos));
353 NLA_PUT_BE32(skb, CTA_NAT_SEQ_OFFSET_BEFORE,
354 htonl(natseq->offset_before));
355 NLA_PUT_BE32(skb, CTA_NAT_SEQ_OFFSET_AFTER,
356 htonl(natseq->offset_after));
357
358 nla_nest_end(skb, nest_parms);
359
360 return 0;
361
362nla_put_failure:
363 return -1;
364}
365
366static inline int
367ctnetlink_dump_nat_seq_adj(struct sk_buff *skb, const struct nf_conn *ct)
368{
369 struct nf_nat_seq *natseq;
370 struct nf_conn_nat *nat = nfct_nat(ct);
371
372 if (!(ct->status & IPS_SEQ_ADJUST) || !nat)
373 return 0;
374
375 natseq = &nat->seq[IP_CT_DIR_ORIGINAL];
376 if (dump_nat_seq_adj(skb, natseq, CTA_NAT_SEQ_ADJ_ORIG) == -1)
377 return -1;
378
379 natseq = &nat->seq[IP_CT_DIR_REPLY];
380 if (dump_nat_seq_adj(skb, natseq, CTA_NAT_SEQ_ADJ_REPLY) == -1)
381 return -1;
382
383 return 0;
384}
385#else
386#define ctnetlink_dump_nat_seq_adj(a, b) (0)
387#endif
388
389static inline int
390ctnetlink_dump_id(struct sk_buff *skb, const struct nf_conn *ct)
391{
392 NLA_PUT_BE32(skb, CTA_ID, htonl((unsigned long)ct));
393 return 0;
394
395nla_put_failure:
396 return -1;
397}
398
399static inline int
400ctnetlink_dump_use(struct sk_buff *skb, const struct nf_conn *ct)
401{
402 NLA_PUT_BE32(skb, CTA_USE, htonl(atomic_read(&ct->ct_general.use)));
403 return 0;
404
405nla_put_failure:
406 return -1;
407}
408
409static int
410ctnetlink_fill_info(struct sk_buff *skb, u32 pid, u32 seq, u32 type,
411 struct nf_conn *ct)
412{
413 struct nlmsghdr *nlh;
414 struct nfgenmsg *nfmsg;
415 struct nlattr *nest_parms;
416 unsigned int flags = pid ? NLM_F_MULTI : 0, event;
417
418 event = (NFNL_SUBSYS_CTNETLINK << 8 | IPCTNL_MSG_CT_NEW);
419 nlh = nlmsg_put(skb, pid, seq, event, sizeof(*nfmsg), flags);
420 if (nlh == NULL)
421 goto nlmsg_failure;
422
423 nfmsg = nlmsg_data(nlh);
424 nfmsg->nfgen_family = nf_ct_l3num(ct);
425 nfmsg->version = NFNETLINK_V0;
426 nfmsg->res_id = 0;
427
428 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED);
429 if (!nest_parms)
430 goto nla_put_failure;
431 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
432 goto nla_put_failure;
433 nla_nest_end(skb, nest_parms);
434
435 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY | NLA_F_NESTED);
436 if (!nest_parms)
437 goto nla_put_failure;
438 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
439 goto nla_put_failure;
440 nla_nest_end(skb, nest_parms);
441
442 if (nf_ct_zone(ct))
443 NLA_PUT_BE16(skb, CTA_ZONE, htons(nf_ct_zone(ct)));
444
445 if (ctnetlink_dump_status(skb, ct) < 0 ||
446 ctnetlink_dump_timeout(skb, ct) < 0 ||
447 ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL, type) < 0 ||
448 ctnetlink_dump_counters(skb, ct, IP_CT_DIR_REPLY, type) < 0 ||
449 ctnetlink_dump_timestamp(skb, ct) < 0 ||
450 ctnetlink_dump_protoinfo(skb, ct) < 0 ||
451 ctnetlink_dump_helpinfo(skb, ct) < 0 ||
452 ctnetlink_dump_mark(skb, ct) < 0 ||
453 ctnetlink_dump_secctx(skb, ct) < 0 ||
454 ctnetlink_dump_id(skb, ct) < 0 ||
455 ctnetlink_dump_use(skb, ct) < 0 ||
456 ctnetlink_dump_master(skb, ct) < 0 ||
457 ctnetlink_dump_nat_seq_adj(skb, ct) < 0)
458 goto nla_put_failure;
459
460 nlmsg_end(skb, nlh);
461 return skb->len;
462
463nlmsg_failure:
464nla_put_failure:
465 nlmsg_cancel(skb, nlh);
466 return -1;
467}
468
469#ifdef CONFIG_NF_CONNTRACK_EVENTS
470static inline size_t
471ctnetlink_proto_size(const struct nf_conn *ct)
472{
473 struct nf_conntrack_l3proto *l3proto;
474 struct nf_conntrack_l4proto *l4proto;
475 size_t len = 0;
476
477 rcu_read_lock();
478 l3proto = __nf_ct_l3proto_find(nf_ct_l3num(ct));
479 len += l3proto->nla_size;
480
481 l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
482 len += l4proto->nla_size;
483 rcu_read_unlock();
484
485 return len;
486}
487
488static inline size_t
489ctnetlink_counters_size(const struct nf_conn *ct)
490{
491 if (!nf_ct_ext_exist(ct, NF_CT_EXT_ACCT))
492 return 0;
493 return 2 * nla_total_size(0)
494 + 2 * nla_total_size(sizeof(uint64_t))
495 + 2 * nla_total_size(sizeof(uint64_t))
496 ;
497}
498
499static inline int
500ctnetlink_secctx_size(const struct nf_conn *ct)
501{
502#ifdef CONFIG_NF_CONNTRACK_SECMARK
503 int len, ret;
504
505 ret = security_secid_to_secctx(ct->secmark, NULL, &len);
506 if (ret)
507 return 0;
508
509 return nla_total_size(0)
510 + nla_total_size(sizeof(char) * len);
511#else
512 return 0;
513#endif
514}
515
516static inline size_t
517ctnetlink_timestamp_size(const struct nf_conn *ct)
518{
519#ifdef CONFIG_NF_CONNTRACK_TIMESTAMP
520 if (!nf_ct_ext_exist(ct, NF_CT_EXT_TSTAMP))
521 return 0;
522 return nla_total_size(0) + 2 * nla_total_size(sizeof(uint64_t));
523#else
524 return 0;
525#endif
526}
527
528static inline size_t
529ctnetlink_nlmsg_size(const struct nf_conn *ct)
530{
531 return NLMSG_ALIGN(sizeof(struct nfgenmsg))
532 + 3 * nla_total_size(0)
533 + 3 * nla_total_size(0)
534 + 3 * nla_total_size(0)
535 + 3 * nla_total_size(sizeof(u_int8_t))
536 + nla_total_size(sizeof(u_int32_t))
537 + nla_total_size(sizeof(u_int32_t))
538 + ctnetlink_counters_size(ct)
539 + ctnetlink_timestamp_size(ct)
540 + nla_total_size(sizeof(u_int32_t))
541 + nla_total_size(0)
542 + nla_total_size(0)
543 + nla_total_size(NF_CT_HELPER_NAME_LEN)
544 + ctnetlink_secctx_size(ct)
545#ifdef CONFIG_NF_NAT_NEEDED
546 + 2 * nla_total_size(0)
547 + 6 * nla_total_size(sizeof(u_int32_t))
548#endif
549#ifdef CONFIG_NF_CONNTRACK_MARK
550 + nla_total_size(sizeof(u_int32_t))
551#endif
552 + ctnetlink_proto_size(ct)
553 ;
554}
555
556static int
557ctnetlink_conntrack_event(unsigned int events, struct nf_ct_event *item)
558{
559 struct net *net;
560 struct nlmsghdr *nlh;
561 struct nfgenmsg *nfmsg;
562 struct nlattr *nest_parms;
563 struct nf_conn *ct = item->ct;
564 struct sk_buff *skb;
565 unsigned int type;
566 unsigned int flags = 0, group;
567 int err;
568
569
570 if (nf_ct_is_untracked(ct))
571 return 0;
572
573 if (events & (1 << IPCT_DESTROY)) {
574 type = IPCTNL_MSG_CT_DELETE;
575 group = NFNLGRP_CONNTRACK_DESTROY;
576 } else if (events & ((1 << IPCT_NEW) | (1 << IPCT_RELATED))) {
577 type = IPCTNL_MSG_CT_NEW;
578 flags = NLM_F_CREATE|NLM_F_EXCL;
579 group = NFNLGRP_CONNTRACK_NEW;
580 } else if (events) {
581 type = IPCTNL_MSG_CT_NEW;
582 group = NFNLGRP_CONNTRACK_UPDATE;
583 } else
584 return 0;
585
586 net = nf_ct_net(ct);
587 if (!item->report && !nfnetlink_has_listeners(net, group))
588 return 0;
589
590 skb = nlmsg_new(ctnetlink_nlmsg_size(ct), GFP_ATOMIC);
591 if (skb == NULL)
592 goto errout;
593
594 type |= NFNL_SUBSYS_CTNETLINK << 8;
595 nlh = nlmsg_put(skb, item->pid, 0, type, sizeof(*nfmsg), flags);
596 if (nlh == NULL)
597 goto nlmsg_failure;
598
599 nfmsg = nlmsg_data(nlh);
600 nfmsg->nfgen_family = nf_ct_l3num(ct);
601 nfmsg->version = NFNETLINK_V0;
602 nfmsg->res_id = 0;
603
604 rcu_read_lock();
605 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED);
606 if (!nest_parms)
607 goto nla_put_failure;
608 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
609 goto nla_put_failure;
610 nla_nest_end(skb, nest_parms);
611
612 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY | NLA_F_NESTED);
613 if (!nest_parms)
614 goto nla_put_failure;
615 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
616 goto nla_put_failure;
617 nla_nest_end(skb, nest_parms);
618
619 if (nf_ct_zone(ct))
620 NLA_PUT_BE16(skb, CTA_ZONE, htons(nf_ct_zone(ct)));
621
622 if (ctnetlink_dump_id(skb, ct) < 0)
623 goto nla_put_failure;
624
625 if (ctnetlink_dump_status(skb, ct) < 0)
626 goto nla_put_failure;
627
628 if (events & (1 << IPCT_DESTROY)) {
629 if (ctnetlink_dump_counters(skb, ct,
630 IP_CT_DIR_ORIGINAL, type) < 0 ||
631 ctnetlink_dump_counters(skb, ct,
632 IP_CT_DIR_REPLY, type) < 0 ||
633 ctnetlink_dump_timestamp(skb, ct) < 0)
634 goto nla_put_failure;
635 } else {
636 if (ctnetlink_dump_timeout(skb, ct) < 0)
637 goto nla_put_failure;
638
639 if (events & (1 << IPCT_PROTOINFO)
640 && ctnetlink_dump_protoinfo(skb, ct) < 0)
641 goto nla_put_failure;
642
643 if ((events & (1 << IPCT_HELPER) || nfct_help(ct))
644 && ctnetlink_dump_helpinfo(skb, ct) < 0)
645 goto nla_put_failure;
646
647#ifdef CONFIG_NF_CONNTRACK_SECMARK
648 if ((events & (1 << IPCT_SECMARK) || ct->secmark)
649 && ctnetlink_dump_secctx(skb, ct) < 0)
650 goto nla_put_failure;
651#endif
652
653 if (events & (1 << IPCT_RELATED) &&
654 ctnetlink_dump_master(skb, ct) < 0)
655 goto nla_put_failure;
656
657 if (events & (1 << IPCT_NATSEQADJ) &&
658 ctnetlink_dump_nat_seq_adj(skb, ct) < 0)
659 goto nla_put_failure;
660 }
661
662#ifdef CONFIG_NF_CONNTRACK_MARK
663 if ((events & (1 << IPCT_MARK) || ct->mark)
664 && ctnetlink_dump_mark(skb, ct) < 0)
665 goto nla_put_failure;
666#endif
667 rcu_read_unlock();
668
669 nlmsg_end(skb, nlh);
670 err = nfnetlink_send(skb, net, item->pid, group, item->report,
671 GFP_ATOMIC);
672 if (err == -ENOBUFS || err == -EAGAIN)
673 return -ENOBUFS;
674
675 return 0;
676
677nla_put_failure:
678 rcu_read_unlock();
679 nlmsg_cancel(skb, nlh);
680nlmsg_failure:
681 kfree_skb(skb);
682errout:
683 if (nfnetlink_set_err(net, 0, group, -ENOBUFS) > 0)
684 return -ENOBUFS;
685
686 return 0;
687}
688#endif
689
690static int ctnetlink_done(struct netlink_callback *cb)
691{
692 if (cb->args[1])
693 nf_ct_put((struct nf_conn *)cb->args[1]);
694 return 0;
695}
696
697static int
698ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
699{
700 struct net *net = sock_net(skb->sk);
701 struct nf_conn *ct, *last;
702 struct nf_conntrack_tuple_hash *h;
703 struct hlist_nulls_node *n;
704 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
705 u_int8_t l3proto = nfmsg->nfgen_family;
706
707 spin_lock_bh(&nf_conntrack_lock);
708 last = (struct nf_conn *)cb->args[1];
709 for (; cb->args[0] < net->ct.htable_size; cb->args[0]++) {
710restart:
711 hlist_nulls_for_each_entry(h, n, &net->ct.hash[cb->args[0]],
712 hnnode) {
713 if (NF_CT_DIRECTION(h) != IP_CT_DIR_ORIGINAL)
714 continue;
715 ct = nf_ct_tuplehash_to_ctrack(h);
716
717
718
719 if (l3proto && nf_ct_l3num(ct) != l3proto)
720 continue;
721 if (cb->args[1]) {
722 if (ct != last)
723 continue;
724 cb->args[1] = 0;
725 }
726 if (ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).pid,
727 cb->nlh->nlmsg_seq,
728 NFNL_MSG_TYPE(
729 cb->nlh->nlmsg_type),
730 ct) < 0) {
731 nf_conntrack_get(&ct->ct_general);
732 cb->args[1] = (unsigned long)ct;
733 goto out;
734 }
735 }
736 if (cb->args[1]) {
737 cb->args[1] = 0;
738 goto restart;
739 }
740 }
741out:
742 spin_unlock_bh(&nf_conntrack_lock);
743 if (last)
744 nf_ct_put(last);
745
746 return skb->len;
747}
748
749static inline int
750ctnetlink_parse_tuple_ip(struct nlattr *attr, struct nf_conntrack_tuple *tuple)
751{
752 struct nlattr *tb[CTA_IP_MAX+1];
753 struct nf_conntrack_l3proto *l3proto;
754 int ret = 0;
755
756 nla_parse_nested(tb, CTA_IP_MAX, attr, NULL);
757
758 rcu_read_lock();
759 l3proto = __nf_ct_l3proto_find(tuple->src.l3num);
760
761 if (likely(l3proto->nlattr_to_tuple)) {
762 ret = nla_validate_nested(attr, CTA_IP_MAX,
763 l3proto->nla_policy);
764 if (ret == 0)
765 ret = l3proto->nlattr_to_tuple(tb, tuple);
766 }
767
768 rcu_read_unlock();
769
770 return ret;
771}
772
773static const struct nla_policy proto_nla_policy[CTA_PROTO_MAX+1] = {
774 [CTA_PROTO_NUM] = { .type = NLA_U8 },
775};
776
777static inline int
778ctnetlink_parse_tuple_proto(struct nlattr *attr,
779 struct nf_conntrack_tuple *tuple)
780{
781 struct nlattr *tb[CTA_PROTO_MAX+1];
782 struct nf_conntrack_l4proto *l4proto;
783 int ret = 0;
784
785 ret = nla_parse_nested(tb, CTA_PROTO_MAX, attr, proto_nla_policy);
786 if (ret < 0)
787 return ret;
788
789 if (!tb[CTA_PROTO_NUM])
790 return -EINVAL;
791 tuple->dst.protonum = nla_get_u8(tb[CTA_PROTO_NUM]);
792
793 rcu_read_lock();
794 l4proto = __nf_ct_l4proto_find(tuple->src.l3num, tuple->dst.protonum);
795
796 if (likely(l4proto->nlattr_to_tuple)) {
797 ret = nla_validate_nested(attr, CTA_PROTO_MAX,
798 l4proto->nla_policy);
799 if (ret == 0)
800 ret = l4proto->nlattr_to_tuple(tb, tuple);
801 }
802
803 rcu_read_unlock();
804
805 return ret;
806}
807
808static const struct nla_policy tuple_nla_policy[CTA_TUPLE_MAX+1] = {
809 [CTA_TUPLE_IP] = { .type = NLA_NESTED },
810 [CTA_TUPLE_PROTO] = { .type = NLA_NESTED },
811};
812
813static int
814ctnetlink_parse_tuple(const struct nlattr * const cda[],
815 struct nf_conntrack_tuple *tuple,
816 enum ctattr_type type, u_int8_t l3num)
817{
818 struct nlattr *tb[CTA_TUPLE_MAX+1];
819 int err;
820
821 memset(tuple, 0, sizeof(*tuple));
822
823 nla_parse_nested(tb, CTA_TUPLE_MAX, cda[type], tuple_nla_policy);
824
825 if (!tb[CTA_TUPLE_IP])
826 return -EINVAL;
827
828 tuple->src.l3num = l3num;
829
830 err = ctnetlink_parse_tuple_ip(tb[CTA_TUPLE_IP], tuple);
831 if (err < 0)
832 return err;
833
834 if (!tb[CTA_TUPLE_PROTO])
835 return -EINVAL;
836
837 err = ctnetlink_parse_tuple_proto(tb[CTA_TUPLE_PROTO], tuple);
838 if (err < 0)
839 return err;
840
841
842 if (type == CTA_TUPLE_REPLY)
843 tuple->dst.dir = IP_CT_DIR_REPLY;
844 else
845 tuple->dst.dir = IP_CT_DIR_ORIGINAL;
846
847 return 0;
848}
849
850static int
851ctnetlink_parse_zone(const struct nlattr *attr, u16 *zone)
852{
853 if (attr)
854#ifdef CONFIG_NF_CONNTRACK_ZONES
855 *zone = ntohs(nla_get_be16(attr));
856#else
857 return -EOPNOTSUPP;
858#endif
859 else
860 *zone = 0;
861
862 return 0;
863}
864
865static const struct nla_policy help_nla_policy[CTA_HELP_MAX+1] = {
866 [CTA_HELP_NAME] = { .type = NLA_NUL_STRING },
867};
868
869static inline int
870ctnetlink_parse_help(const struct nlattr *attr, char **helper_name)
871{
872 struct nlattr *tb[CTA_HELP_MAX+1];
873
874 nla_parse_nested(tb, CTA_HELP_MAX, attr, help_nla_policy);
875
876 if (!tb[CTA_HELP_NAME])
877 return -EINVAL;
878
879 *helper_name = nla_data(tb[CTA_HELP_NAME]);
880
881 return 0;
882}
883
884static const struct nla_policy ct_nla_policy[CTA_MAX+1] = {
885 [CTA_TUPLE_ORIG] = { .type = NLA_NESTED },
886 [CTA_TUPLE_REPLY] = { .type = NLA_NESTED },
887 [CTA_STATUS] = { .type = NLA_U32 },
888 [CTA_PROTOINFO] = { .type = NLA_NESTED },
889 [CTA_HELP] = { .type = NLA_NESTED },
890 [CTA_NAT_SRC] = { .type = NLA_NESTED },
891 [CTA_TIMEOUT] = { .type = NLA_U32 },
892 [CTA_MARK] = { .type = NLA_U32 },
893 [CTA_ID] = { .type = NLA_U32 },
894 [CTA_NAT_DST] = { .type = NLA_NESTED },
895 [CTA_TUPLE_MASTER] = { .type = NLA_NESTED },
896 [CTA_ZONE] = { .type = NLA_U16 },
897};
898
899static int
900ctnetlink_del_conntrack(struct sock *ctnl, struct sk_buff *skb,
901 const struct nlmsghdr *nlh,
902 const struct nlattr * const cda[])
903{
904 struct net *net = sock_net(ctnl);
905 struct nf_conntrack_tuple_hash *h;
906 struct nf_conntrack_tuple tuple;
907 struct nf_conn *ct;
908 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
909 u_int8_t u3 = nfmsg->nfgen_family;
910 u16 zone;
911 int err;
912
913 err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone);
914 if (err < 0)
915 return err;
916
917 if (cda[CTA_TUPLE_ORIG])
918 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, u3);
919 else if (cda[CTA_TUPLE_REPLY])
920 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY, u3);
921 else {
922
923 nf_conntrack_flush_report(net,
924 NETLINK_CB(skb).pid,
925 nlmsg_report(nlh));
926 return 0;
927 }
928
929 if (err < 0)
930 return err;
931
932 h = nf_conntrack_find_get(net, zone, &tuple);
933 if (!h)
934 return -ENOENT;
935
936 ct = nf_ct_tuplehash_to_ctrack(h);
937
938 if (cda[CTA_ID]) {
939 u_int32_t id = ntohl(nla_get_be32(cda[CTA_ID]));
940 if (id != (u32)(unsigned long)ct) {
941 nf_ct_put(ct);
942 return -ENOENT;
943 }
944 }
945
946 if (del_timer(&ct->timeout)) {
947 if (nf_conntrack_event_report(IPCT_DESTROY, ct,
948 NETLINK_CB(skb).pid,
949 nlmsg_report(nlh)) < 0) {
950 nf_ct_delete_from_lists(ct);
951
952 nf_ct_insert_dying_list(ct);
953 nf_ct_put(ct);
954 return 0;
955 }
956
957 set_bit(IPS_DYING_BIT, &ct->status);
958 nf_ct_delete_from_lists(ct);
959 nf_ct_put(ct);
960 }
961 nf_ct_put(ct);
962
963 return 0;
964}
965
966static int
967ctnetlink_get_conntrack(struct sock *ctnl, struct sk_buff *skb,
968 const struct nlmsghdr *nlh,
969 const struct nlattr * const cda[])
970{
971 struct net *net = sock_net(ctnl);
972 struct nf_conntrack_tuple_hash *h;
973 struct nf_conntrack_tuple tuple;
974 struct nf_conn *ct;
975 struct sk_buff *skb2 = NULL;
976 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
977 u_int8_t u3 = nfmsg->nfgen_family;
978 u16 zone;
979 int err;
980
981 if (nlh->nlmsg_flags & NLM_F_DUMP)
982 return netlink_dump_start(ctnl, skb, nlh, ctnetlink_dump_table,
983 ctnetlink_done, 0);
984
985 err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone);
986 if (err < 0)
987 return err;
988
989 if (cda[CTA_TUPLE_ORIG])
990 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, u3);
991 else if (cda[CTA_TUPLE_REPLY])
992 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY, u3);
993 else
994 return -EINVAL;
995
996 if (err < 0)
997 return err;
998
999 h = nf_conntrack_find_get(net, zone, &tuple);
1000 if (!h)
1001 return -ENOENT;
1002
1003 ct = nf_ct_tuplehash_to_ctrack(h);
1004
1005 err = -ENOMEM;
1006 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1007 if (skb2 == NULL) {
1008 nf_ct_put(ct);
1009 return -ENOMEM;
1010 }
1011
1012 rcu_read_lock();
1013 err = ctnetlink_fill_info(skb2, NETLINK_CB(skb).pid, nlh->nlmsg_seq,
1014 NFNL_MSG_TYPE(nlh->nlmsg_type), ct);
1015 rcu_read_unlock();
1016 nf_ct_put(ct);
1017 if (err <= 0)
1018 goto free;
1019
1020 err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT);
1021 if (err < 0)
1022 goto out;
1023
1024 return 0;
1025
1026free:
1027 kfree_skb(skb2);
1028out:
1029
1030 return err == -EAGAIN ? -ENOBUFS : err;
1031}
1032
1033#ifdef CONFIG_NF_NAT_NEEDED
1034static int
1035ctnetlink_parse_nat_setup(struct nf_conn *ct,
1036 enum nf_nat_manip_type manip,
1037 const struct nlattr *attr)
1038{
1039 typeof(nfnetlink_parse_nat_setup_hook) parse_nat_setup;
1040
1041 parse_nat_setup = rcu_dereference(nfnetlink_parse_nat_setup_hook);
1042 if (!parse_nat_setup) {
1043#ifdef CONFIG_MODULES
1044 rcu_read_unlock();
1045 nfnl_unlock();
1046 if (request_module("nf-nat-ipv4") < 0) {
1047 nfnl_lock();
1048 rcu_read_lock();
1049 return -EOPNOTSUPP;
1050 }
1051 nfnl_lock();
1052 rcu_read_lock();
1053 if (nfnetlink_parse_nat_setup_hook)
1054 return -EAGAIN;
1055#endif
1056 return -EOPNOTSUPP;
1057 }
1058
1059 return parse_nat_setup(ct, manip, attr);
1060}
1061#endif
1062
1063static int
1064ctnetlink_change_status(struct nf_conn *ct, const struct nlattr * const cda[])
1065{
1066 unsigned long d;
1067 unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS]));
1068 d = ct->status ^ status;
1069
1070 if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING))
1071
1072 return -EBUSY;
1073
1074 if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY))
1075
1076 return -EBUSY;
1077
1078 if (d & IPS_ASSURED && !(status & IPS_ASSURED))
1079
1080 return -EBUSY;
1081
1082
1083
1084
1085 ct->status |= status & ~(IPS_NAT_DONE_MASK | IPS_NAT_MASK);
1086 return 0;
1087}
1088
1089static int
1090ctnetlink_change_nat(struct nf_conn *ct, const struct nlattr * const cda[])
1091{
1092#ifdef CONFIG_NF_NAT_NEEDED
1093 int ret;
1094
1095 if (cda[CTA_NAT_DST]) {
1096 ret = ctnetlink_parse_nat_setup(ct,
1097 NF_NAT_MANIP_DST,
1098 cda[CTA_NAT_DST]);
1099 if (ret < 0)
1100 return ret;
1101 }
1102 if (cda[CTA_NAT_SRC]) {
1103 ret = ctnetlink_parse_nat_setup(ct,
1104 NF_NAT_MANIP_SRC,
1105 cda[CTA_NAT_SRC]);
1106 if (ret < 0)
1107 return ret;
1108 }
1109 return 0;
1110#else
1111 return -EOPNOTSUPP;
1112#endif
1113}
1114
1115static inline int
1116ctnetlink_change_helper(struct nf_conn *ct, const struct nlattr * const cda[])
1117{
1118 struct nf_conntrack_helper *helper;
1119 struct nf_conn_help *help = nfct_help(ct);
1120 char *helpname = NULL;
1121 int err;
1122
1123
1124 if (ct->master)
1125 return -EBUSY;
1126
1127 err = ctnetlink_parse_help(cda[CTA_HELP], &helpname);
1128 if (err < 0)
1129 return err;
1130
1131 if (!strcmp(helpname, "")) {
1132 if (help && help->helper) {
1133
1134 nf_ct_remove_expectations(ct);
1135 RCU_INIT_POINTER(help->helper, NULL);
1136 }
1137
1138 return 0;
1139 }
1140
1141 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
1142 nf_ct_protonum(ct));
1143 if (helper == NULL) {
1144#ifdef CONFIG_MODULES
1145 spin_unlock_bh(&nf_conntrack_lock);
1146
1147 if (request_module("nfct-helper-%s", helpname) < 0) {
1148 spin_lock_bh(&nf_conntrack_lock);
1149 return -EOPNOTSUPP;
1150 }
1151
1152 spin_lock_bh(&nf_conntrack_lock);
1153 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
1154 nf_ct_protonum(ct));
1155 if (helper)
1156 return -EAGAIN;
1157#endif
1158 return -EOPNOTSUPP;
1159 }
1160
1161 if (help) {
1162 if (help->helper == helper)
1163 return 0;
1164 if (help->helper)
1165 return -EBUSY;
1166
1167 memset(&help->help, 0, sizeof(help->help));
1168 } else {
1169
1170 return -EOPNOTSUPP;
1171 }
1172
1173 rcu_assign_pointer(help->helper, helper);
1174
1175 return 0;
1176}
1177
1178static inline int
1179ctnetlink_change_timeout(struct nf_conn *ct, const struct nlattr * const cda[])
1180{
1181 u_int32_t timeout = ntohl(nla_get_be32(cda[CTA_TIMEOUT]));
1182
1183 if (!del_timer(&ct->timeout))
1184 return -ETIME;
1185
1186 ct->timeout.expires = jiffies + timeout * HZ;
1187 add_timer(&ct->timeout);
1188
1189 return 0;
1190}
1191
1192static const struct nla_policy protoinfo_policy[CTA_PROTOINFO_MAX+1] = {
1193 [CTA_PROTOINFO_TCP] = { .type = NLA_NESTED },
1194 [CTA_PROTOINFO_DCCP] = { .type = NLA_NESTED },
1195 [CTA_PROTOINFO_SCTP] = { .type = NLA_NESTED },
1196};
1197
1198static inline int
1199ctnetlink_change_protoinfo(struct nf_conn *ct, const struct nlattr * const cda[])
1200{
1201 const struct nlattr *attr = cda[CTA_PROTOINFO];
1202 struct nlattr *tb[CTA_PROTOINFO_MAX+1];
1203 struct nf_conntrack_l4proto *l4proto;
1204 int err = 0;
1205
1206 nla_parse_nested(tb, CTA_PROTOINFO_MAX, attr, protoinfo_policy);
1207
1208 rcu_read_lock();
1209 l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
1210 if (l4proto->from_nlattr)
1211 err = l4proto->from_nlattr(tb, ct);
1212 rcu_read_unlock();
1213
1214 return err;
1215}
1216
1217#ifdef CONFIG_NF_NAT_NEEDED
1218static const struct nla_policy nat_seq_policy[CTA_NAT_SEQ_MAX+1] = {
1219 [CTA_NAT_SEQ_CORRECTION_POS] = { .type = NLA_U32 },
1220 [CTA_NAT_SEQ_OFFSET_BEFORE] = { .type = NLA_U32 },
1221 [CTA_NAT_SEQ_OFFSET_AFTER] = { .type = NLA_U32 },
1222};
1223
1224static inline int
1225change_nat_seq_adj(struct nf_nat_seq *natseq, const struct nlattr * const attr)
1226{
1227 struct nlattr *cda[CTA_NAT_SEQ_MAX+1];
1228
1229 nla_parse_nested(cda, CTA_NAT_SEQ_MAX, attr, nat_seq_policy);
1230
1231 if (!cda[CTA_NAT_SEQ_CORRECTION_POS])
1232 return -EINVAL;
1233
1234 natseq->correction_pos =
1235 ntohl(nla_get_be32(cda[CTA_NAT_SEQ_CORRECTION_POS]));
1236
1237 if (!cda[CTA_NAT_SEQ_OFFSET_BEFORE])
1238 return -EINVAL;
1239
1240 natseq->offset_before =
1241 ntohl(nla_get_be32(cda[CTA_NAT_SEQ_OFFSET_BEFORE]));
1242
1243 if (!cda[CTA_NAT_SEQ_OFFSET_AFTER])
1244 return -EINVAL;
1245
1246 natseq->offset_after =
1247 ntohl(nla_get_be32(cda[CTA_NAT_SEQ_OFFSET_AFTER]));
1248
1249 return 0;
1250}
1251
1252static int
1253ctnetlink_change_nat_seq_adj(struct nf_conn *ct,
1254 const struct nlattr * const cda[])
1255{
1256 int ret = 0;
1257 struct nf_conn_nat *nat = nfct_nat(ct);
1258
1259 if (!nat)
1260 return 0;
1261
1262 if (cda[CTA_NAT_SEQ_ADJ_ORIG]) {
1263 ret = change_nat_seq_adj(&nat->seq[IP_CT_DIR_ORIGINAL],
1264 cda[CTA_NAT_SEQ_ADJ_ORIG]);
1265 if (ret < 0)
1266 return ret;
1267
1268 ct->status |= IPS_SEQ_ADJUST;
1269 }
1270
1271 if (cda[CTA_NAT_SEQ_ADJ_REPLY]) {
1272 ret = change_nat_seq_adj(&nat->seq[IP_CT_DIR_REPLY],
1273 cda[CTA_NAT_SEQ_ADJ_REPLY]);
1274 if (ret < 0)
1275 return ret;
1276
1277 ct->status |= IPS_SEQ_ADJUST;
1278 }
1279
1280 return 0;
1281}
1282#endif
1283
1284static int
1285ctnetlink_change_conntrack(struct nf_conn *ct,
1286 const struct nlattr * const cda[])
1287{
1288 int err;
1289
1290
1291 if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST] || cda[CTA_TUPLE_MASTER])
1292 return -EOPNOTSUPP;
1293
1294 if (cda[CTA_HELP]) {
1295 err = ctnetlink_change_helper(ct, cda);
1296 if (err < 0)
1297 return err;
1298 }
1299
1300 if (cda[CTA_TIMEOUT]) {
1301 err = ctnetlink_change_timeout(ct, cda);
1302 if (err < 0)
1303 return err;
1304 }
1305
1306 if (cda[CTA_STATUS]) {
1307 err = ctnetlink_change_status(ct, cda);
1308 if (err < 0)
1309 return err;
1310 }
1311
1312 if (cda[CTA_PROTOINFO]) {
1313 err = ctnetlink_change_protoinfo(ct, cda);
1314 if (err < 0)
1315 return err;
1316 }
1317
1318#if defined(CONFIG_NF_CONNTRACK_MARK)
1319 if (cda[CTA_MARK])
1320 ct->mark = ntohl(nla_get_be32(cda[CTA_MARK]));
1321#endif
1322
1323#ifdef CONFIG_NF_NAT_NEEDED
1324 if (cda[CTA_NAT_SEQ_ADJ_ORIG] || cda[CTA_NAT_SEQ_ADJ_REPLY]) {
1325 err = ctnetlink_change_nat_seq_adj(ct, cda);
1326 if (err < 0)
1327 return err;
1328 }
1329#endif
1330
1331 return 0;
1332}
1333
1334static struct nf_conn *
1335ctnetlink_create_conntrack(struct net *net, u16 zone,
1336 const struct nlattr * const cda[],
1337 struct nf_conntrack_tuple *otuple,
1338 struct nf_conntrack_tuple *rtuple,
1339 u8 u3)
1340{
1341 struct nf_conn *ct;
1342 int err = -EINVAL;
1343 struct nf_conntrack_helper *helper;
1344 struct nf_conn_tstamp *tstamp;
1345
1346 ct = nf_conntrack_alloc(net, zone, otuple, rtuple, GFP_ATOMIC);
1347 if (IS_ERR(ct))
1348 return ERR_PTR(-ENOMEM);
1349
1350 if (!cda[CTA_TIMEOUT])
1351 goto err1;
1352 ct->timeout.expires = ntohl(nla_get_be32(cda[CTA_TIMEOUT]));
1353
1354 ct->timeout.expires = jiffies + ct->timeout.expires * HZ;
1355
1356 rcu_read_lock();
1357 if (cda[CTA_HELP]) {
1358 char *helpname = NULL;
1359
1360 err = ctnetlink_parse_help(cda[CTA_HELP], &helpname);
1361 if (err < 0)
1362 goto err2;
1363
1364 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
1365 nf_ct_protonum(ct));
1366 if (helper == NULL) {
1367 rcu_read_unlock();
1368#ifdef CONFIG_MODULES
1369 if (request_module("nfct-helper-%s", helpname) < 0) {
1370 err = -EOPNOTSUPP;
1371 goto err1;
1372 }
1373
1374 rcu_read_lock();
1375 helper = __nf_conntrack_helper_find(helpname,
1376 nf_ct_l3num(ct),
1377 nf_ct_protonum(ct));
1378 if (helper) {
1379 err = -EAGAIN;
1380 goto err2;
1381 }
1382 rcu_read_unlock();
1383#endif
1384 err = -EOPNOTSUPP;
1385 goto err1;
1386 } else {
1387 struct nf_conn_help *help;
1388
1389 help = nf_ct_helper_ext_add(ct, GFP_ATOMIC);
1390 if (help == NULL) {
1391 err = -ENOMEM;
1392 goto err2;
1393 }
1394
1395
1396 RCU_INIT_POINTER(help->helper, helper);
1397 }
1398 } else {
1399
1400 err = __nf_ct_try_assign_helper(ct, NULL, GFP_ATOMIC);
1401 if (err < 0)
1402 goto err2;
1403 }
1404
1405 if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST]) {
1406 err = ctnetlink_change_nat(ct, cda);
1407 if (err < 0)
1408 goto err2;
1409 }
1410
1411 nf_ct_acct_ext_add(ct, GFP_ATOMIC);
1412 nf_ct_tstamp_ext_add(ct, GFP_ATOMIC);
1413 nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC);
1414
1415 ct->status |= IPS_CONFIRMED;
1416
1417 if (cda[CTA_STATUS]) {
1418 err = ctnetlink_change_status(ct, cda);
1419 if (err < 0)
1420 goto err2;
1421 }
1422
1423#ifdef CONFIG_NF_NAT_NEEDED
1424 if (cda[CTA_NAT_SEQ_ADJ_ORIG] || cda[CTA_NAT_SEQ_ADJ_REPLY]) {
1425 err = ctnetlink_change_nat_seq_adj(ct, cda);
1426 if (err < 0)
1427 goto err2;
1428 }
1429#endif
1430
1431 memset(&ct->proto, 0, sizeof(ct->proto));
1432 if (cda[CTA_PROTOINFO]) {
1433 err = ctnetlink_change_protoinfo(ct, cda);
1434 if (err < 0)
1435 goto err2;
1436 }
1437
1438#if defined(CONFIG_NF_CONNTRACK_MARK)
1439 if (cda[CTA_MARK])
1440 ct->mark = ntohl(nla_get_be32(cda[CTA_MARK]));
1441#endif
1442
1443
1444 if (cda[CTA_TUPLE_MASTER]) {
1445 struct nf_conntrack_tuple master;
1446 struct nf_conntrack_tuple_hash *master_h;
1447 struct nf_conn *master_ct;
1448
1449 err = ctnetlink_parse_tuple(cda, &master, CTA_TUPLE_MASTER, u3);
1450 if (err < 0)
1451 goto err2;
1452
1453 master_h = nf_conntrack_find_get(net, zone, &master);
1454 if (master_h == NULL) {
1455 err = -ENOENT;
1456 goto err2;
1457 }
1458 master_ct = nf_ct_tuplehash_to_ctrack(master_h);
1459 __set_bit(IPS_EXPECTED_BIT, &ct->status);
1460 ct->master = master_ct;
1461 }
1462 tstamp = nf_conn_tstamp_find(ct);
1463 if (tstamp)
1464 tstamp->start = ktime_to_ns(ktime_get_real());
1465
1466 err = nf_conntrack_hash_check_insert(ct);
1467 if (err < 0)
1468 goto err2;
1469
1470 rcu_read_unlock();
1471
1472 return ct;
1473
1474err2:
1475 rcu_read_unlock();
1476err1:
1477 nf_conntrack_free(ct);
1478 return ERR_PTR(err);
1479}
1480
1481static int
1482ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
1483 const struct nlmsghdr *nlh,
1484 const struct nlattr * const cda[])
1485{
1486 struct net *net = sock_net(ctnl);
1487 struct nf_conntrack_tuple otuple, rtuple;
1488 struct nf_conntrack_tuple_hash *h = NULL;
1489 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1490 struct nf_conn *ct;
1491 u_int8_t u3 = nfmsg->nfgen_family;
1492 u16 zone;
1493 int err;
1494
1495 err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone);
1496 if (err < 0)
1497 return err;
1498
1499 if (cda[CTA_TUPLE_ORIG]) {
1500 err = ctnetlink_parse_tuple(cda, &otuple, CTA_TUPLE_ORIG, u3);
1501 if (err < 0)
1502 return err;
1503 }
1504
1505 if (cda[CTA_TUPLE_REPLY]) {
1506 err = ctnetlink_parse_tuple(cda, &rtuple, CTA_TUPLE_REPLY, u3);
1507 if (err < 0)
1508 return err;
1509 }
1510
1511 if (cda[CTA_TUPLE_ORIG])
1512 h = nf_conntrack_find_get(net, zone, &otuple);
1513 else if (cda[CTA_TUPLE_REPLY])
1514 h = nf_conntrack_find_get(net, zone, &rtuple);
1515
1516 if (h == NULL) {
1517 err = -ENOENT;
1518 if (nlh->nlmsg_flags & NLM_F_CREATE) {
1519 enum ip_conntrack_events events;
1520
1521 ct = ctnetlink_create_conntrack(net, zone, cda, &otuple,
1522 &rtuple, u3);
1523 if (IS_ERR(ct))
1524 return PTR_ERR(ct);
1525
1526 err = 0;
1527 if (test_bit(IPS_EXPECTED_BIT, &ct->status))
1528 events = IPCT_RELATED;
1529 else
1530 events = IPCT_NEW;
1531
1532 nf_conntrack_eventmask_report((1 << IPCT_REPLY) |
1533 (1 << IPCT_ASSURED) |
1534 (1 << IPCT_HELPER) |
1535 (1 << IPCT_PROTOINFO) |
1536 (1 << IPCT_NATSEQADJ) |
1537 (1 << IPCT_MARK) | events,
1538 ct, NETLINK_CB(skb).pid,
1539 nlmsg_report(nlh));
1540 nf_ct_put(ct);
1541 }
1542
1543 return err;
1544 }
1545
1546
1547 err = -EEXIST;
1548 ct = nf_ct_tuplehash_to_ctrack(h);
1549 if (!(nlh->nlmsg_flags & NLM_F_EXCL)) {
1550 spin_lock_bh(&nf_conntrack_lock);
1551 err = ctnetlink_change_conntrack(ct, cda);
1552 spin_unlock_bh(&nf_conntrack_lock);
1553 if (err == 0) {
1554 nf_conntrack_eventmask_report((1 << IPCT_REPLY) |
1555 (1 << IPCT_ASSURED) |
1556 (1 << IPCT_HELPER) |
1557 (1 << IPCT_PROTOINFO) |
1558 (1 << IPCT_NATSEQADJ) |
1559 (1 << IPCT_MARK),
1560 ct, NETLINK_CB(skb).pid,
1561 nlmsg_report(nlh));
1562 }
1563 }
1564
1565 nf_ct_put(ct);
1566 return err;
1567}
1568
1569
1570
1571
1572
1573static inline int
1574ctnetlink_exp_dump_tuple(struct sk_buff *skb,
1575 const struct nf_conntrack_tuple *tuple,
1576 enum ctattr_expect type)
1577{
1578 struct nlattr *nest_parms;
1579
1580 nest_parms = nla_nest_start(skb, type | NLA_F_NESTED);
1581 if (!nest_parms)
1582 goto nla_put_failure;
1583 if (ctnetlink_dump_tuples(skb, tuple) < 0)
1584 goto nla_put_failure;
1585 nla_nest_end(skb, nest_parms);
1586
1587 return 0;
1588
1589nla_put_failure:
1590 return -1;
1591}
1592
1593static inline int
1594ctnetlink_exp_dump_mask(struct sk_buff *skb,
1595 const struct nf_conntrack_tuple *tuple,
1596 const struct nf_conntrack_tuple_mask *mask)
1597{
1598 int ret;
1599 struct nf_conntrack_l3proto *l3proto;
1600 struct nf_conntrack_l4proto *l4proto;
1601 struct nf_conntrack_tuple m;
1602 struct nlattr *nest_parms;
1603
1604 memset(&m, 0xFF, sizeof(m));
1605 memcpy(&m.src.u3, &mask->src.u3, sizeof(m.src.u3));
1606 m.src.u.all = mask->src.u.all;
1607 m.dst.protonum = tuple->dst.protonum;
1608
1609 nest_parms = nla_nest_start(skb, CTA_EXPECT_MASK | NLA_F_NESTED);
1610 if (!nest_parms)
1611 goto nla_put_failure;
1612
1613 l3proto = __nf_ct_l3proto_find(tuple->src.l3num);
1614 ret = ctnetlink_dump_tuples_ip(skb, &m, l3proto);
1615
1616 if (unlikely(ret < 0))
1617 goto nla_put_failure;
1618
1619 l4proto = __nf_ct_l4proto_find(tuple->src.l3num, tuple->dst.protonum);
1620 ret = ctnetlink_dump_tuples_proto(skb, &m, l4proto);
1621 if (unlikely(ret < 0))
1622 goto nla_put_failure;
1623
1624 nla_nest_end(skb, nest_parms);
1625
1626 return 0;
1627
1628nla_put_failure:
1629 return -1;
1630}
1631
1632static int
1633ctnetlink_exp_dump_expect(struct sk_buff *skb,
1634 const struct nf_conntrack_expect *exp)
1635{
1636 struct nf_conn *master = exp->master;
1637 long timeout = ((long)exp->timeout.expires - (long)jiffies) / HZ;
1638 struct nf_conn_help *help;
1639
1640 if (timeout < 0)
1641 timeout = 0;
1642
1643 if (ctnetlink_exp_dump_tuple(skb, &exp->tuple, CTA_EXPECT_TUPLE) < 0)
1644 goto nla_put_failure;
1645 if (ctnetlink_exp_dump_mask(skb, &exp->tuple, &exp->mask) < 0)
1646 goto nla_put_failure;
1647 if (ctnetlink_exp_dump_tuple(skb,
1648 &master->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
1649 CTA_EXPECT_MASTER) < 0)
1650 goto nla_put_failure;
1651
1652 NLA_PUT_BE32(skb, CTA_EXPECT_TIMEOUT, htonl(timeout));
1653 NLA_PUT_BE32(skb, CTA_EXPECT_ID, htonl((unsigned long)exp));
1654 NLA_PUT_BE32(skb, CTA_EXPECT_FLAGS, htonl(exp->flags));
1655 help = nfct_help(master);
1656 if (help) {
1657 struct nf_conntrack_helper *helper;
1658
1659 helper = rcu_dereference(help->helper);
1660 if (helper)
1661 NLA_PUT_STRING(skb, CTA_EXPECT_HELP_NAME, helper->name);
1662 }
1663
1664 return 0;
1665
1666nla_put_failure:
1667 return -1;
1668}
1669
1670static int
1671ctnetlink_exp_fill_info(struct sk_buff *skb, u32 pid, u32 seq,
1672 int event, const struct nf_conntrack_expect *exp)
1673{
1674 struct nlmsghdr *nlh;
1675 struct nfgenmsg *nfmsg;
1676 unsigned int flags = pid ? NLM_F_MULTI : 0;
1677
1678 event |= NFNL_SUBSYS_CTNETLINK_EXP << 8;
1679 nlh = nlmsg_put(skb, pid, seq, event, sizeof(*nfmsg), flags);
1680 if (nlh == NULL)
1681 goto nlmsg_failure;
1682
1683 nfmsg = nlmsg_data(nlh);
1684 nfmsg->nfgen_family = exp->tuple.src.l3num;
1685 nfmsg->version = NFNETLINK_V0;
1686 nfmsg->res_id = 0;
1687
1688 if (ctnetlink_exp_dump_expect(skb, exp) < 0)
1689 goto nla_put_failure;
1690
1691 nlmsg_end(skb, nlh);
1692 return skb->len;
1693
1694nlmsg_failure:
1695nla_put_failure:
1696 nlmsg_cancel(skb, nlh);
1697 return -1;
1698}
1699
1700#ifdef CONFIG_NF_CONNTRACK_EVENTS
1701static int
1702ctnetlink_expect_event(unsigned int events, struct nf_exp_event *item)
1703{
1704 struct nf_conntrack_expect *exp = item->exp;
1705 struct net *net = nf_ct_exp_net(exp);
1706 struct nlmsghdr *nlh;
1707 struct nfgenmsg *nfmsg;
1708 struct sk_buff *skb;
1709 unsigned int type, group;
1710 int flags = 0;
1711
1712 if (events & (1 << IPEXP_DESTROY)) {
1713 type = IPCTNL_MSG_EXP_DELETE;
1714 group = NFNLGRP_CONNTRACK_EXP_DESTROY;
1715 } else if (events & (1 << IPEXP_NEW)) {
1716 type = IPCTNL_MSG_EXP_NEW;
1717 flags = NLM_F_CREATE|NLM_F_EXCL;
1718 group = NFNLGRP_CONNTRACK_EXP_NEW;
1719 } else
1720 return 0;
1721
1722 if (!item->report && !nfnetlink_has_listeners(net, group))
1723 return 0;
1724
1725 skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
1726 if (skb == NULL)
1727 goto errout;
1728
1729 type |= NFNL_SUBSYS_CTNETLINK_EXP << 8;
1730 nlh = nlmsg_put(skb, item->pid, 0, type, sizeof(*nfmsg), flags);
1731 if (nlh == NULL)
1732 goto nlmsg_failure;
1733
1734 nfmsg = nlmsg_data(nlh);
1735 nfmsg->nfgen_family = exp->tuple.src.l3num;
1736 nfmsg->version = NFNETLINK_V0;
1737 nfmsg->res_id = 0;
1738
1739 rcu_read_lock();
1740 if (ctnetlink_exp_dump_expect(skb, exp) < 0)
1741 goto nla_put_failure;
1742 rcu_read_unlock();
1743
1744 nlmsg_end(skb, nlh);
1745 nfnetlink_send(skb, net, item->pid, group, item->report, GFP_ATOMIC);
1746 return 0;
1747
1748nla_put_failure:
1749 rcu_read_unlock();
1750 nlmsg_cancel(skb, nlh);
1751nlmsg_failure:
1752 kfree_skb(skb);
1753errout:
1754 nfnetlink_set_err(net, 0, 0, -ENOBUFS);
1755 return 0;
1756}
1757#endif
1758static int ctnetlink_exp_done(struct netlink_callback *cb)
1759{
1760 if (cb->args[1])
1761 nf_ct_expect_put((struct nf_conntrack_expect *)cb->args[1]);
1762 return 0;
1763}
1764
1765static int
1766ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
1767{
1768 struct net *net = sock_net(skb->sk);
1769 struct nf_conntrack_expect *exp, *last;
1770 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1771 struct hlist_node *n;
1772 u_int8_t l3proto = nfmsg->nfgen_family;
1773
1774 rcu_read_lock();
1775 last = (struct nf_conntrack_expect *)cb->args[1];
1776 for (; cb->args[0] < nf_ct_expect_hsize; cb->args[0]++) {
1777restart:
1778 hlist_for_each_entry(exp, n, &net->ct.expect_hash[cb->args[0]],
1779 hnode) {
1780 if (l3proto && exp->tuple.src.l3num != l3proto)
1781 continue;
1782 if (cb->args[1]) {
1783 if (exp != last)
1784 continue;
1785 cb->args[1] = 0;
1786 }
1787 if (ctnetlink_exp_fill_info(skb,
1788 NETLINK_CB(cb->skb).pid,
1789 cb->nlh->nlmsg_seq,
1790 IPCTNL_MSG_EXP_NEW,
1791 exp) < 0) {
1792 if (!atomic_inc_not_zero(&exp->use))
1793 continue;
1794 cb->args[1] = (unsigned long)exp;
1795 goto out;
1796 }
1797 }
1798 if (cb->args[1]) {
1799 cb->args[1] = 0;
1800 goto restart;
1801 }
1802 }
1803out:
1804 rcu_read_unlock();
1805 if (last)
1806 nf_ct_expect_put(last);
1807
1808 return skb->len;
1809}
1810
1811static const struct nla_policy exp_nla_policy[CTA_EXPECT_MAX+1] = {
1812 [CTA_EXPECT_MASTER] = { .type = NLA_NESTED },
1813 [CTA_EXPECT_TUPLE] = { .type = NLA_NESTED },
1814 [CTA_EXPECT_MASK] = { .type = NLA_NESTED },
1815 [CTA_EXPECT_TIMEOUT] = { .type = NLA_U32 },
1816 [CTA_EXPECT_ID] = { .type = NLA_U32 },
1817 [CTA_EXPECT_HELP_NAME] = { .type = NLA_NUL_STRING },
1818 [CTA_EXPECT_ZONE] = { .type = NLA_U16 },
1819 [CTA_EXPECT_FLAGS] = { .type = NLA_U32 },
1820};
1821
1822static int
1823ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb,
1824 const struct nlmsghdr *nlh,
1825 const struct nlattr * const cda[])
1826{
1827 struct net *net = sock_net(ctnl);
1828 struct nf_conntrack_tuple tuple;
1829 struct nf_conntrack_expect *exp;
1830 struct sk_buff *skb2;
1831 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1832 u_int8_t u3 = nfmsg->nfgen_family;
1833 u16 zone;
1834 int err;
1835
1836 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1837 return netlink_dump_start(ctnl, skb, nlh,
1838 ctnetlink_exp_dump_table,
1839 ctnetlink_exp_done, 0);
1840 }
1841
1842 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
1843 if (err < 0)
1844 return err;
1845
1846 if (cda[CTA_EXPECT_TUPLE])
1847 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, u3);
1848 else if (cda[CTA_EXPECT_MASTER])
1849 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER, u3);
1850 else
1851 return -EINVAL;
1852
1853 if (err < 0)
1854 return err;
1855
1856 exp = nf_ct_expect_find_get(net, zone, &tuple);
1857 if (!exp)
1858 return -ENOENT;
1859
1860 if (cda[CTA_EXPECT_ID]) {
1861 __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);
1862 if (ntohl(id) != (u32)(unsigned long)exp) {
1863 nf_ct_expect_put(exp);
1864 return -ENOENT;
1865 }
1866 }
1867
1868 err = -ENOMEM;
1869 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1870 if (skb2 == NULL) {
1871 nf_ct_expect_put(exp);
1872 goto out;
1873 }
1874
1875 rcu_read_lock();
1876 err = ctnetlink_exp_fill_info(skb2, NETLINK_CB(skb).pid,
1877 nlh->nlmsg_seq, IPCTNL_MSG_EXP_NEW, exp);
1878 rcu_read_unlock();
1879 nf_ct_expect_put(exp);
1880 if (err <= 0)
1881 goto free;
1882
1883 err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT);
1884 if (err < 0)
1885 goto out;
1886
1887 return 0;
1888
1889free:
1890 kfree_skb(skb2);
1891out:
1892
1893 return err == -EAGAIN ? -ENOBUFS : err;
1894}
1895
1896static int
1897ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb,
1898 const struct nlmsghdr *nlh,
1899 const struct nlattr * const cda[])
1900{
1901 struct net *net = sock_net(ctnl);
1902 struct nf_conntrack_expect *exp;
1903 struct nf_conntrack_tuple tuple;
1904 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1905 struct hlist_node *n, *next;
1906 u_int8_t u3 = nfmsg->nfgen_family;
1907 unsigned int i;
1908 u16 zone;
1909 int err;
1910
1911 if (cda[CTA_EXPECT_TUPLE]) {
1912
1913 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
1914 if (err < 0)
1915 return err;
1916
1917 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, u3);
1918 if (err < 0)
1919 return err;
1920
1921
1922 exp = nf_ct_expect_find_get(net, zone, &tuple);
1923 if (!exp)
1924 return -ENOENT;
1925
1926 if (cda[CTA_EXPECT_ID]) {
1927 __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);
1928 if (ntohl(id) != (u32)(unsigned long)exp) {
1929 nf_ct_expect_put(exp);
1930 return -ENOENT;
1931 }
1932 }
1933
1934
1935 spin_lock_bh(&nf_conntrack_lock);
1936 if (del_timer(&exp->timeout)) {
1937 nf_ct_unlink_expect_report(exp, NETLINK_CB(skb).pid,
1938 nlmsg_report(nlh));
1939 nf_ct_expect_put(exp);
1940 }
1941 spin_unlock_bh(&nf_conntrack_lock);
1942
1943
1944 nf_ct_expect_put(exp);
1945 } else if (cda[CTA_EXPECT_HELP_NAME]) {
1946 char *name = nla_data(cda[CTA_EXPECT_HELP_NAME]);
1947 struct nf_conn_help *m_help;
1948
1949
1950 spin_lock_bh(&nf_conntrack_lock);
1951 for (i = 0; i < nf_ct_expect_hsize; i++) {
1952 hlist_for_each_entry_safe(exp, n, next,
1953 &net->ct.expect_hash[i],
1954 hnode) {
1955 m_help = nfct_help(exp->master);
1956 if (!strcmp(m_help->helper->name, name) &&
1957 del_timer(&exp->timeout)) {
1958 nf_ct_unlink_expect_report(exp,
1959 NETLINK_CB(skb).pid,
1960 nlmsg_report(nlh));
1961 nf_ct_expect_put(exp);
1962 }
1963 }
1964 }
1965 spin_unlock_bh(&nf_conntrack_lock);
1966 } else {
1967
1968 spin_lock_bh(&nf_conntrack_lock);
1969 for (i = 0; i < nf_ct_expect_hsize; i++) {
1970 hlist_for_each_entry_safe(exp, n, next,
1971 &net->ct.expect_hash[i],
1972 hnode) {
1973 if (del_timer(&exp->timeout)) {
1974 nf_ct_unlink_expect_report(exp,
1975 NETLINK_CB(skb).pid,
1976 nlmsg_report(nlh));
1977 nf_ct_expect_put(exp);
1978 }
1979 }
1980 }
1981 spin_unlock_bh(&nf_conntrack_lock);
1982 }
1983
1984 return 0;
1985}
1986static int
1987ctnetlink_change_expect(struct nf_conntrack_expect *x,
1988 const struct nlattr * const cda[])
1989{
1990 return -EOPNOTSUPP;
1991}
1992
1993static int
1994ctnetlink_create_expect(struct net *net, u16 zone,
1995 const struct nlattr * const cda[],
1996 u_int8_t u3,
1997 u32 pid, int report)
1998{
1999 struct nf_conntrack_tuple tuple, mask, master_tuple;
2000 struct nf_conntrack_tuple_hash *h = NULL;
2001 struct nf_conntrack_expect *exp;
2002 struct nf_conn *ct;
2003 struct nf_conn_help *help;
2004 int err = 0;
2005
2006
2007 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, u3);
2008 if (err < 0)
2009 return err;
2010 err = ctnetlink_parse_tuple(cda, &mask, CTA_EXPECT_MASK, u3);
2011 if (err < 0)
2012 return err;
2013 err = ctnetlink_parse_tuple(cda, &master_tuple, CTA_EXPECT_MASTER, u3);
2014 if (err < 0)
2015 return err;
2016
2017
2018 h = nf_conntrack_find_get(net, zone, &master_tuple);
2019 if (!h)
2020 return -ENOENT;
2021 ct = nf_ct_tuplehash_to_ctrack(h);
2022 exp = nf_ct_expect_alloc(ct);
2023 if (!exp) {
2024 err = -ENOMEM;
2025 goto out;
2026 }
2027 help = nfct_help(ct);
2028 if (!help) {
2029 if (!cda[CTA_EXPECT_TIMEOUT]) {
2030 err = -EINVAL;
2031 goto out;
2032 }
2033 exp->timeout.expires =
2034 jiffies + ntohl(nla_get_be32(cda[CTA_EXPECT_TIMEOUT])) * HZ;
2035
2036 exp->flags = NF_CT_EXPECT_USERSPACE;
2037 if (cda[CTA_EXPECT_FLAGS]) {
2038 exp->flags |=
2039 ntohl(nla_get_be32(cda[CTA_EXPECT_FLAGS]));
2040 }
2041 } else {
2042 if (cda[CTA_EXPECT_FLAGS]) {
2043 exp->flags = ntohl(nla_get_be32(cda[CTA_EXPECT_FLAGS]));
2044 exp->flags &= ~NF_CT_EXPECT_USERSPACE;
2045 } else
2046 exp->flags = 0;
2047 }
2048
2049 exp->class = 0;
2050 exp->expectfn = NULL;
2051 exp->master = ct;
2052 exp->helper = NULL;
2053 memcpy(&exp->tuple, &tuple, sizeof(struct nf_conntrack_tuple));
2054 memcpy(&exp->mask.src.u3, &mask.src.u3, sizeof(exp->mask.src.u3));
2055 exp->mask.src.u.all = mask.src.u.all;
2056
2057 err = nf_ct_expect_related_report(exp, pid, report);
2058 nf_ct_expect_put(exp);
2059
2060out:
2061 nf_ct_put(nf_ct_tuplehash_to_ctrack(h));
2062 return err;
2063}
2064
2065static int
2066ctnetlink_new_expect(struct sock *ctnl, struct sk_buff *skb,
2067 const struct nlmsghdr *nlh,
2068 const struct nlattr * const cda[])
2069{
2070 struct net *net = sock_net(ctnl);
2071 struct nf_conntrack_tuple tuple;
2072 struct nf_conntrack_expect *exp;
2073 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2074 u_int8_t u3 = nfmsg->nfgen_family;
2075 u16 zone;
2076 int err;
2077
2078 if (!cda[CTA_EXPECT_TUPLE]
2079 || !cda[CTA_EXPECT_MASK]
2080 || !cda[CTA_EXPECT_MASTER])
2081 return -EINVAL;
2082
2083 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
2084 if (err < 0)
2085 return err;
2086
2087 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, u3);
2088 if (err < 0)
2089 return err;
2090
2091 spin_lock_bh(&nf_conntrack_lock);
2092 exp = __nf_ct_expect_find(net, zone, &tuple);
2093
2094 if (!exp) {
2095 spin_unlock_bh(&nf_conntrack_lock);
2096 err = -ENOENT;
2097 if (nlh->nlmsg_flags & NLM_F_CREATE) {
2098 err = ctnetlink_create_expect(net, zone, cda,
2099 u3,
2100 NETLINK_CB(skb).pid,
2101 nlmsg_report(nlh));
2102 }
2103 return err;
2104 }
2105
2106 err = -EEXIST;
2107 if (!(nlh->nlmsg_flags & NLM_F_EXCL))
2108 err = ctnetlink_change_expect(exp, cda);
2109 spin_unlock_bh(&nf_conntrack_lock);
2110
2111 return err;
2112}
2113
2114#ifdef CONFIG_NF_CONNTRACK_EVENTS
2115static struct nf_ct_event_notifier ctnl_notifier = {
2116 .fcn = ctnetlink_conntrack_event,
2117};
2118
2119static struct nf_exp_event_notifier ctnl_notifier_exp = {
2120 .fcn = ctnetlink_expect_event,
2121};
2122#endif
2123
2124static const struct nfnl_callback ctnl_cb[IPCTNL_MSG_MAX] = {
2125 [IPCTNL_MSG_CT_NEW] = { .call = ctnetlink_new_conntrack,
2126 .attr_count = CTA_MAX,
2127 .policy = ct_nla_policy },
2128 [IPCTNL_MSG_CT_GET] = { .call = ctnetlink_get_conntrack,
2129 .attr_count = CTA_MAX,
2130 .policy = ct_nla_policy },
2131 [IPCTNL_MSG_CT_DELETE] = { .call = ctnetlink_del_conntrack,
2132 .attr_count = CTA_MAX,
2133 .policy = ct_nla_policy },
2134 [IPCTNL_MSG_CT_GET_CTRZERO] = { .call = ctnetlink_get_conntrack,
2135 .attr_count = CTA_MAX,
2136 .policy = ct_nla_policy },
2137};
2138
2139static const struct nfnl_callback ctnl_exp_cb[IPCTNL_MSG_EXP_MAX] = {
2140 [IPCTNL_MSG_EXP_GET] = { .call = ctnetlink_get_expect,
2141 .attr_count = CTA_EXPECT_MAX,
2142 .policy = exp_nla_policy },
2143 [IPCTNL_MSG_EXP_NEW] = { .call = ctnetlink_new_expect,
2144 .attr_count = CTA_EXPECT_MAX,
2145 .policy = exp_nla_policy },
2146 [IPCTNL_MSG_EXP_DELETE] = { .call = ctnetlink_del_expect,
2147 .attr_count = CTA_EXPECT_MAX,
2148 .policy = exp_nla_policy },
2149};
2150
2151static const struct nfnetlink_subsystem ctnl_subsys = {
2152 .name = "conntrack",
2153 .subsys_id = NFNL_SUBSYS_CTNETLINK,
2154 .cb_count = IPCTNL_MSG_MAX,
2155 .cb = ctnl_cb,
2156};
2157
2158static const struct nfnetlink_subsystem ctnl_exp_subsys = {
2159 .name = "conntrack_expect",
2160 .subsys_id = NFNL_SUBSYS_CTNETLINK_EXP,
2161 .cb_count = IPCTNL_MSG_EXP_MAX,
2162 .cb = ctnl_exp_cb,
2163};
2164
2165MODULE_ALIAS("ip_conntrack_netlink");
2166MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK);
2167MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK_EXP);
2168
2169static int __net_init ctnetlink_net_init(struct net *net)
2170{
2171#ifdef CONFIG_NF_CONNTRACK_EVENTS
2172 int ret;
2173
2174 ret = nf_conntrack_register_notifier(net, &ctnl_notifier);
2175 if (ret < 0) {
2176 pr_err("ctnetlink_init: cannot register notifier.\n");
2177 goto err_out;
2178 }
2179
2180 ret = nf_ct_expect_register_notifier(net, &ctnl_notifier_exp);
2181 if (ret < 0) {
2182 pr_err("ctnetlink_init: cannot expect register notifier.\n");
2183 goto err_unreg_notifier;
2184 }
2185#endif
2186 return 0;
2187
2188#ifdef CONFIG_NF_CONNTRACK_EVENTS
2189err_unreg_notifier:
2190 nf_conntrack_unregister_notifier(net, &ctnl_notifier);
2191err_out:
2192 return ret;
2193#endif
2194}
2195
2196static void ctnetlink_net_exit(struct net *net)
2197{
2198#ifdef CONFIG_NF_CONNTRACK_EVENTS
2199 nf_ct_expect_unregister_notifier(net, &ctnl_notifier_exp);
2200 nf_conntrack_unregister_notifier(net, &ctnl_notifier);
2201#endif
2202}
2203
2204static void __net_exit ctnetlink_net_exit_batch(struct list_head *net_exit_list)
2205{
2206 struct net *net;
2207
2208 list_for_each_entry(net, net_exit_list, exit_list)
2209 ctnetlink_net_exit(net);
2210}
2211
2212static struct pernet_operations ctnetlink_net_ops = {
2213 .init = ctnetlink_net_init,
2214 .exit_batch = ctnetlink_net_exit_batch,
2215};
2216
2217static int __init ctnetlink_init(void)
2218{
2219 int ret;
2220
2221 pr_info("ctnetlink v%s: registering with nfnetlink.\n", version);
2222 ret = nfnetlink_subsys_register(&ctnl_subsys);
2223 if (ret < 0) {
2224 pr_err("ctnetlink_init: cannot register with nfnetlink.\n");
2225 goto err_out;
2226 }
2227
2228 ret = nfnetlink_subsys_register(&ctnl_exp_subsys);
2229 if (ret < 0) {
2230 pr_err("ctnetlink_init: cannot register exp with nfnetlink.\n");
2231 goto err_unreg_subsys;
2232 }
2233
2234 if (register_pernet_subsys(&ctnetlink_net_ops)) {
2235 pr_err("ctnetlink_init: cannot register pernet operations\n");
2236 goto err_unreg_exp_subsys;
2237 }
2238
2239 return 0;
2240
2241err_unreg_exp_subsys:
2242 nfnetlink_subsys_unregister(&ctnl_exp_subsys);
2243err_unreg_subsys:
2244 nfnetlink_subsys_unregister(&ctnl_subsys);
2245err_out:
2246 return ret;
2247}
2248
2249static void __exit ctnetlink_exit(void)
2250{
2251 pr_info("ctnetlink: unregistering from nfnetlink.\n");
2252
2253 unregister_pernet_subsys(&ctnetlink_net_ops);
2254 nfnetlink_subsys_unregister(&ctnl_exp_subsys);
2255 nfnetlink_subsys_unregister(&ctnl_subsys);
2256}
2257
2258module_init(ctnetlink_init);
2259module_exit(ctnetlink_exit);
2260
