0001
0002
0003
0004
0005
0006
0007
0008
0009
0010
0011
0012
0013
0014
0015
0016
0017
0018 #include <linux/init.h>
0019 #include <linux/module.h>
0020 #include <linux/kernel.h>
0021 #include <linux/rculist.h>
0022 #include <linux/rculist_nulls.h>
0023 #include <linux/types.h>
0024 #include <linux/timer.h>
0025 #include <linux/security.h>
0026 #include <linux/skbuff.h>
0027 #include <linux/errno.h>
0028 #include <linux/netlink.h>
0029 #include <linux/spinlock.h>
0030 #include <linux/interrupt.h>
0031 #include <linux/slab.h>
0032 #include <linux/siphash.h>
0033
0034 #include <linux/netfilter.h>
0035 #include <net/netlink.h>
0036 #include <net/sock.h>
0037 #include <net/netfilter/nf_conntrack.h>
0038 #include <net/netfilter/nf_conntrack_core.h>
0039 #include <net/netfilter/nf_conntrack_expect.h>
0040 #include <net/netfilter/nf_conntrack_helper.h>
0041 #include <net/netfilter/nf_conntrack_seqadj.h>
0042 #include <net/netfilter/nf_conntrack_l4proto.h>
0043 #include <net/netfilter/nf_conntrack_tuple.h>
0044 #include <net/netfilter/nf_conntrack_acct.h>
0045 #include <net/netfilter/nf_conntrack_zones.h>
0046 #include <net/netfilter/nf_conntrack_timestamp.h>
0047 #include <net/netfilter/nf_conntrack_labels.h>
0048 #include <net/netfilter/nf_conntrack_synproxy.h>
0049 #if IS_ENABLED(CONFIG_NF_NAT)
0050 #include <net/netfilter/nf_nat.h>
0051 #include <net/netfilter/nf_nat_helper.h>
0052 #endif
0053
0054 #include <linux/netfilter/nfnetlink.h>
0055 #include <linux/netfilter/nfnetlink_conntrack.h>
0056
0057 #include "nf_internals.h"
0058
0059 MODULE_LICENSE("GPL");
0060
0061 struct ctnetlink_list_dump_ctx {
0062 struct nf_conn *last;
0063 unsigned int cpu;
0064 bool done;
0065 };
0066
0067 static int ctnetlink_dump_tuples_proto(struct sk_buff *skb,
0068 const struct nf_conntrack_tuple *tuple,
0069 const struct nf_conntrack_l4proto *l4proto)
0070 {
0071 int ret = 0;
0072 struct nlattr *nest_parms;
0073
0074 nest_parms = nla_nest_start(skb, CTA_TUPLE_PROTO);
0075 if (!nest_parms)
0076 goto nla_put_failure;
0077 if (nla_put_u8(skb, CTA_PROTO_NUM, tuple->dst.protonum))
0078 goto nla_put_failure;
0079
0080 if (likely(l4proto->tuple_to_nlattr))
0081 ret = l4proto->tuple_to_nlattr(skb, tuple);
0082
0083 nla_nest_end(skb, nest_parms);
0084
0085 return ret;
0086
0087 nla_put_failure:
0088 return -1;
0089 }
0090
0091 static int ipv4_tuple_to_nlattr(struct sk_buff *skb,
0092 const struct nf_conntrack_tuple *tuple)
0093 {
0094 if (nla_put_in_addr(skb, CTA_IP_V4_SRC, tuple->src.u3.ip) ||
0095 nla_put_in_addr(skb, CTA_IP_V4_DST, tuple->dst.u3.ip))
0096 return -EMSGSIZE;
0097 return 0;
0098 }
0099
0100 static int ipv6_tuple_to_nlattr(struct sk_buff *skb,
0101 const struct nf_conntrack_tuple *tuple)
0102 {
0103 if (nla_put_in6_addr(skb, CTA_IP_V6_SRC, &tuple->src.u3.in6) ||
0104 nla_put_in6_addr(skb, CTA_IP_V6_DST, &tuple->dst.u3.in6))
0105 return -EMSGSIZE;
0106 return 0;
0107 }
0108
0109 static int ctnetlink_dump_tuples_ip(struct sk_buff *skb,
0110 const struct nf_conntrack_tuple *tuple)
0111 {
0112 int ret = 0;
0113 struct nlattr *nest_parms;
0114
0115 nest_parms = nla_nest_start(skb, CTA_TUPLE_IP);
0116 if (!nest_parms)
0117 goto nla_put_failure;
0118
0119 switch (tuple->src.l3num) {
0120 case NFPROTO_IPV4:
0121 ret = ipv4_tuple_to_nlattr(skb, tuple);
0122 break;
0123 case NFPROTO_IPV6:
0124 ret = ipv6_tuple_to_nlattr(skb, tuple);
0125 break;
0126 }
0127
0128 nla_nest_end(skb, nest_parms);
0129
0130 return ret;
0131
0132 nla_put_failure:
0133 return -1;
0134 }
0135
0136 static int ctnetlink_dump_tuples(struct sk_buff *skb,
0137 const struct nf_conntrack_tuple *tuple)
0138 {
0139 const struct nf_conntrack_l4proto *l4proto;
0140 int ret;
0141
0142 rcu_read_lock();
0143 ret = ctnetlink_dump_tuples_ip(skb, tuple);
0144
0145 if (ret >= 0) {
0146 l4proto = nf_ct_l4proto_find(tuple->dst.protonum);
0147 ret = ctnetlink_dump_tuples_proto(skb, tuple, l4proto);
0148 }
0149 rcu_read_unlock();
0150 return ret;
0151 }
0152
0153 static int ctnetlink_dump_zone_id(struct sk_buff *skb, int attrtype,
0154 const struct nf_conntrack_zone *zone, int dir)
0155 {
0156 if (zone->id == NF_CT_DEFAULT_ZONE_ID || zone->dir != dir)
0157 return 0;
0158 if (nla_put_be16(skb, attrtype, htons(zone->id)))
0159 goto nla_put_failure;
0160 return 0;
0161
0162 nla_put_failure:
0163 return -1;
0164 }
0165
0166 static int ctnetlink_dump_status(struct sk_buff *skb, const struct nf_conn *ct)
0167 {
0168 if (nla_put_be32(skb, CTA_STATUS, htonl(ct->status)))
0169 goto nla_put_failure;
0170 return 0;
0171
0172 nla_put_failure:
0173 return -1;
0174 }
0175
0176 static int ctnetlink_dump_timeout(struct sk_buff *skb, const struct nf_conn *ct,
0177 bool skip_zero)
0178 {
0179 long timeout = nf_ct_expires(ct) / HZ;
0180
0181 if (skip_zero && timeout == 0)
0182 return 0;
0183
0184 if (nla_put_be32(skb, CTA_TIMEOUT, htonl(timeout)))
0185 goto nla_put_failure;
0186 return 0;
0187
0188 nla_put_failure:
0189 return -1;
0190 }
0191
0192 static int ctnetlink_dump_protoinfo(struct sk_buff *skb, struct nf_conn *ct,
0193 bool destroy)
0194 {
0195 const struct nf_conntrack_l4proto *l4proto;
0196 struct nlattr *nest_proto;
0197 int ret;
0198
0199 l4proto = nf_ct_l4proto_find(nf_ct_protonum(ct));
0200 if (!l4proto->to_nlattr)
0201 return 0;
0202
0203 nest_proto = nla_nest_start(skb, CTA_PROTOINFO);
0204 if (!nest_proto)
0205 goto nla_put_failure;
0206
0207 ret = l4proto->to_nlattr(skb, nest_proto, ct, destroy);
0208
0209 nla_nest_end(skb, nest_proto);
0210
0211 return ret;
0212
0213 nla_put_failure:
0214 return -1;
0215 }
0216
0217 static int ctnetlink_dump_helpinfo(struct sk_buff *skb,
0218 const struct nf_conn *ct)
0219 {
0220 struct nlattr *nest_helper;
0221 const struct nf_conn_help *help = nfct_help(ct);
0222 struct nf_conntrack_helper *helper;
0223
0224 if (!help)
0225 return 0;
0226
0227 rcu_read_lock();
0228 helper = rcu_dereference(help->helper);
0229 if (!helper)
0230 goto out;
0231
0232 nest_helper = nla_nest_start(skb, CTA_HELP);
0233 if (!nest_helper)
0234 goto nla_put_failure;
0235 if (nla_put_string(skb, CTA_HELP_NAME, helper->name))
0236 goto nla_put_failure;
0237
0238 if (helper->to_nlattr)
0239 helper->to_nlattr(skb, ct);
0240
0241 nla_nest_end(skb, nest_helper);
0242 out:
0243 rcu_read_unlock();
0244 return 0;
0245
0246 nla_put_failure:
0247 rcu_read_unlock();
0248 return -1;
0249 }
0250
0251 static int
0252 dump_counters(struct sk_buff *skb, struct nf_conn_acct *acct,
0253 enum ip_conntrack_dir dir, int type)
0254 {
0255 enum ctattr_type attr = dir ? CTA_COUNTERS_REPLY: CTA_COUNTERS_ORIG;
0256 struct nf_conn_counter *counter = acct->counter;
0257 struct nlattr *nest_count;
0258 u64 pkts, bytes;
0259
0260 if (type == IPCTNL_MSG_CT_GET_CTRZERO) {
0261 pkts = atomic64_xchg(&counter[dir].packets, 0);
0262 bytes = atomic64_xchg(&counter[dir].bytes, 0);
0263 } else {
0264 pkts = atomic64_read(&counter[dir].packets);
0265 bytes = atomic64_read(&counter[dir].bytes);
0266 }
0267
0268 nest_count = nla_nest_start(skb, attr);
0269 if (!nest_count)
0270 goto nla_put_failure;
0271
0272 if (nla_put_be64(skb, CTA_COUNTERS_PACKETS, cpu_to_be64(pkts),
0273 CTA_COUNTERS_PAD) ||
0274 nla_put_be64(skb, CTA_COUNTERS_BYTES, cpu_to_be64(bytes),
0275 CTA_COUNTERS_PAD))
0276 goto nla_put_failure;
0277
0278 nla_nest_end(skb, nest_count);
0279
0280 return 0;
0281
0282 nla_put_failure:
0283 return -1;
0284 }
0285
0286 static int
0287 ctnetlink_dump_acct(struct sk_buff *skb, const struct nf_conn *ct, int type)
0288 {
0289 struct nf_conn_acct *acct = nf_conn_acct_find(ct);
0290
0291 if (!acct)
0292 return 0;
0293
0294 if (dump_counters(skb, acct, IP_CT_DIR_ORIGINAL, type) < 0)
0295 return -1;
0296 if (dump_counters(skb, acct, IP_CT_DIR_REPLY, type) < 0)
0297 return -1;
0298
0299 return 0;
0300 }
0301
0302 static int
0303 ctnetlink_dump_timestamp(struct sk_buff *skb, const struct nf_conn *ct)
0304 {
0305 struct nlattr *nest_count;
0306 const struct nf_conn_tstamp *tstamp;
0307
0308 tstamp = nf_conn_tstamp_find(ct);
0309 if (!tstamp)
0310 return 0;
0311
0312 nest_count = nla_nest_start(skb, CTA_TIMESTAMP);
0313 if (!nest_count)
0314 goto nla_put_failure;
0315
0316 if (nla_put_be64(skb, CTA_TIMESTAMP_START, cpu_to_be64(tstamp->start),
0317 CTA_TIMESTAMP_PAD) ||
0318 (tstamp->stop != 0 && nla_put_be64(skb, CTA_TIMESTAMP_STOP,
0319 cpu_to_be64(tstamp->stop),
0320 CTA_TIMESTAMP_PAD)))
0321 goto nla_put_failure;
0322 nla_nest_end(skb, nest_count);
0323
0324 return 0;
0325
0326 nla_put_failure:
0327 return -1;
0328 }
0329
0330 #ifdef CONFIG_NF_CONNTRACK_MARK
0331 static int ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct)
0332 {
0333 if (nla_put_be32(skb, CTA_MARK, htonl(ct->mark)))
0334 goto nla_put_failure;
0335 return 0;
0336
0337 nla_put_failure:
0338 return -1;
0339 }
0340 #else
0341 #define ctnetlink_dump_mark(a, b) (0)
0342 #endif
0343
0344 #ifdef CONFIG_NF_CONNTRACK_SECMARK
0345 static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
0346 {
0347 struct nlattr *nest_secctx;
0348 int len, ret;
0349 char *secctx;
0350
0351 ret = security_secid_to_secctx(ct->secmark, &secctx, &len);
0352 if (ret)
0353 return 0;
0354
0355 ret = -1;
0356 nest_secctx = nla_nest_start(skb, CTA_SECCTX);
0357 if (!nest_secctx)
0358 goto nla_put_failure;
0359
0360 if (nla_put_string(skb, CTA_SECCTX_NAME, secctx))
0361 goto nla_put_failure;
0362 nla_nest_end(skb, nest_secctx);
0363
0364 ret = 0;
0365 nla_put_failure:
0366 security_release_secctx(secctx, len);
0367 return ret;
0368 }
0369 #else
0370 #define ctnetlink_dump_secctx(a, b) (0)
0371 #endif
0372
0373 #ifdef CONFIG_NF_CONNTRACK_LABELS
0374 static inline int ctnetlink_label_size(const struct nf_conn *ct)
0375 {
0376 struct nf_conn_labels *labels = nf_ct_labels_find(ct);
0377
0378 if (!labels)
0379 return 0;
0380 return nla_total_size(sizeof(labels->bits));
0381 }
0382
0383 static int
0384 ctnetlink_dump_labels(struct sk_buff *skb, const struct nf_conn *ct)
0385 {
0386 struct nf_conn_labels *labels = nf_ct_labels_find(ct);
0387 unsigned int i;
0388
0389 if (!labels)
0390 return 0;
0391
0392 i = 0;
0393 do {
0394 if (labels->bits[i] != 0)
0395 return nla_put(skb, CTA_LABELS, sizeof(labels->bits),
0396 labels->bits);
0397 i++;
0398 } while (i < ARRAY_SIZE(labels->bits));
0399
0400 return 0;
0401 }
0402 #else
0403 #define ctnetlink_dump_labels(a, b) (0)
0404 #define ctnetlink_label_size(a) (0)
0405 #endif
0406
0407 #define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple)
0408
0409 static int ctnetlink_dump_master(struct sk_buff *skb, const struct nf_conn *ct)
0410 {
0411 struct nlattr *nest_parms;
0412
0413 if (!(ct->status & IPS_EXPECTED))
0414 return 0;
0415
0416 nest_parms = nla_nest_start(skb, CTA_TUPLE_MASTER);
0417 if (!nest_parms)
0418 goto nla_put_failure;
0419 if (ctnetlink_dump_tuples(skb, master_tuple(ct)) < 0)
0420 goto nla_put_failure;
0421 nla_nest_end(skb, nest_parms);
0422
0423 return 0;
0424
0425 nla_put_failure:
0426 return -1;
0427 }
0428
0429 static int
0430 dump_ct_seq_adj(struct sk_buff *skb, const struct nf_ct_seqadj *seq, int type)
0431 {
0432 struct nlattr *nest_parms;
0433
0434 nest_parms = nla_nest_start(skb, type);
0435 if (!nest_parms)
0436 goto nla_put_failure;
0437
0438 if (nla_put_be32(skb, CTA_SEQADJ_CORRECTION_POS,
0439 htonl(seq->correction_pos)) ||
0440 nla_put_be32(skb, CTA_SEQADJ_OFFSET_BEFORE,
0441 htonl(seq->offset_before)) ||
0442 nla_put_be32(skb, CTA_SEQADJ_OFFSET_AFTER,
0443 htonl(seq->offset_after)))
0444 goto nla_put_failure;
0445
0446 nla_nest_end(skb, nest_parms);
0447
0448 return 0;
0449
0450 nla_put_failure:
0451 return -1;
0452 }
0453
0454 static int ctnetlink_dump_ct_seq_adj(struct sk_buff *skb, struct nf_conn *ct)
0455 {
0456 struct nf_conn_seqadj *seqadj = nfct_seqadj(ct);
0457 struct nf_ct_seqadj *seq;
0458
0459 if (!(ct->status & IPS_SEQ_ADJUST) || !seqadj)
0460 return 0;
0461
0462 spin_lock_bh(&ct->lock);
0463 seq = &seqadj->seq[IP_CT_DIR_ORIGINAL];
0464 if (dump_ct_seq_adj(skb, seq, CTA_SEQ_ADJ_ORIG) == -1)
0465 goto err;
0466
0467 seq = &seqadj->seq[IP_CT_DIR_REPLY];
0468 if (dump_ct_seq_adj(skb, seq, CTA_SEQ_ADJ_REPLY) == -1)
0469 goto err;
0470
0471 spin_unlock_bh(&ct->lock);
0472 return 0;
0473 err:
0474 spin_unlock_bh(&ct->lock);
0475 return -1;
0476 }
0477
0478 static int ctnetlink_dump_ct_synproxy(struct sk_buff *skb, struct nf_conn *ct)
0479 {
0480 struct nf_conn_synproxy *synproxy = nfct_synproxy(ct);
0481 struct nlattr *nest_parms;
0482
0483 if (!synproxy)
0484 return 0;
0485
0486 nest_parms = nla_nest_start(skb, CTA_SYNPROXY);
0487 if (!nest_parms)
0488 goto nla_put_failure;
0489
0490 if (nla_put_be32(skb, CTA_SYNPROXY_ISN, htonl(synproxy->isn)) ||
0491 nla_put_be32(skb, CTA_SYNPROXY_ITS, htonl(synproxy->its)) ||
0492 nla_put_be32(skb, CTA_SYNPROXY_TSOFF, htonl(synproxy->tsoff)))
0493 goto nla_put_failure;
0494
0495 nla_nest_end(skb, nest_parms);
0496
0497 return 0;
0498
0499 nla_put_failure:
0500 return -1;
0501 }
0502
0503 static int ctnetlink_dump_id(struct sk_buff *skb, const struct nf_conn *ct)
0504 {
0505 __be32 id = (__force __be32)nf_ct_get_id(ct);
0506
0507 if (nla_put_be32(skb, CTA_ID, id))
0508 goto nla_put_failure;
0509 return 0;
0510
0511 nla_put_failure:
0512 return -1;
0513 }
0514
0515 static int ctnetlink_dump_use(struct sk_buff *skb, const struct nf_conn *ct)
0516 {
0517 if (nla_put_be32(skb, CTA_USE, htonl(refcount_read(&ct->ct_general.use))))
0518 goto nla_put_failure;
0519 return 0;
0520
0521 nla_put_failure:
0522 return -1;
0523 }
0524
0525
0526
0527
0528
0529 static int ctnetlink_dump_extinfo(struct sk_buff *skb,
0530 struct nf_conn *ct, u32 type)
0531 {
0532 if (ctnetlink_dump_acct(skb, ct, type) < 0 ||
0533 ctnetlink_dump_timestamp(skb, ct) < 0 ||
0534 ctnetlink_dump_helpinfo(skb, ct) < 0 ||
0535 ctnetlink_dump_labels(skb, ct) < 0 ||
0536 ctnetlink_dump_ct_seq_adj(skb, ct) < 0 ||
0537 ctnetlink_dump_ct_synproxy(skb, ct) < 0)
0538 return -1;
0539
0540 return 0;
0541 }
0542
0543 static int ctnetlink_dump_info(struct sk_buff *skb, struct nf_conn *ct)
0544 {
0545 if (ctnetlink_dump_status(skb, ct) < 0 ||
0546 ctnetlink_dump_mark(skb, ct) < 0 ||
0547 ctnetlink_dump_secctx(skb, ct) < 0 ||
0548 ctnetlink_dump_id(skb, ct) < 0 ||
0549 ctnetlink_dump_use(skb, ct) < 0 ||
0550 ctnetlink_dump_master(skb, ct) < 0)
0551 return -1;
0552
0553 if (!test_bit(IPS_OFFLOAD_BIT, &ct->status) &&
0554 (ctnetlink_dump_timeout(skb, ct, false) < 0 ||
0555 ctnetlink_dump_protoinfo(skb, ct, false) < 0))
0556 return -1;
0557
0558 return 0;
0559 }
0560
0561 static int
0562 ctnetlink_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
0563 struct nf_conn *ct, bool extinfo, unsigned int flags)
0564 {
0565 const struct nf_conntrack_zone *zone;
0566 struct nlmsghdr *nlh;
0567 struct nlattr *nest_parms;
0568 unsigned int event;
0569
0570 if (portid)
0571 flags |= NLM_F_MULTI;
0572 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, IPCTNL_MSG_CT_NEW);
0573 nlh = nfnl_msg_put(skb, portid, seq, event, flags, nf_ct_l3num(ct),
0574 NFNETLINK_V0, 0);
0575 if (!nlh)
0576 goto nlmsg_failure;
0577
0578 zone = nf_ct_zone(ct);
0579
0580 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG);
0581 if (!nest_parms)
0582 goto nla_put_failure;
0583 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
0584 goto nla_put_failure;
0585 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
0586 NF_CT_ZONE_DIR_ORIG) < 0)
0587 goto nla_put_failure;
0588 nla_nest_end(skb, nest_parms);
0589
0590 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY);
0591 if (!nest_parms)
0592 goto nla_put_failure;
0593 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
0594 goto nla_put_failure;
0595 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
0596 NF_CT_ZONE_DIR_REPL) < 0)
0597 goto nla_put_failure;
0598 nla_nest_end(skb, nest_parms);
0599
0600 if (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone,
0601 NF_CT_DEFAULT_ZONE_DIR) < 0)
0602 goto nla_put_failure;
0603
0604 if (ctnetlink_dump_info(skb, ct) < 0)
0605 goto nla_put_failure;
0606 if (extinfo && ctnetlink_dump_extinfo(skb, ct, type) < 0)
0607 goto nla_put_failure;
0608
0609 nlmsg_end(skb, nlh);
0610 return skb->len;
0611
0612 nlmsg_failure:
0613 nla_put_failure:
0614 nlmsg_cancel(skb, nlh);
0615 return -1;
0616 }
0617
0618 static const struct nla_policy cta_ip_nla_policy[CTA_IP_MAX + 1] = {
0619 [CTA_IP_V4_SRC] = { .type = NLA_U32 },
0620 [CTA_IP_V4_DST] = { .type = NLA_U32 },
0621 [CTA_IP_V6_SRC] = { .len = sizeof(__be32) * 4 },
0622 [CTA_IP_V6_DST] = { .len = sizeof(__be32) * 4 },
0623 };
0624
0625 #if defined(CONFIG_NETFILTER_NETLINK_GLUE_CT) || defined(CONFIG_NF_CONNTRACK_EVENTS)
0626 static size_t ctnetlink_proto_size(const struct nf_conn *ct)
0627 {
0628 const struct nf_conntrack_l4proto *l4proto;
0629 size_t len, len4 = 0;
0630
0631 len = nla_policy_len(cta_ip_nla_policy, CTA_IP_MAX + 1);
0632 len *= 3u;
0633
0634 l4proto = nf_ct_l4proto_find(nf_ct_protonum(ct));
0635 len += l4proto->nlattr_size;
0636 if (l4proto->nlattr_tuple_size) {
0637 len4 = l4proto->nlattr_tuple_size();
0638 len4 *= 3u;
0639 }
0640
0641 return len + len4;
0642 }
0643 #endif
0644
0645 static inline size_t ctnetlink_acct_size(const struct nf_conn *ct)
0646 {
0647 if (!nf_ct_ext_exist(ct, NF_CT_EXT_ACCT))
0648 return 0;
0649 return 2 * nla_total_size(0)
0650 + 2 * nla_total_size_64bit(sizeof(uint64_t))
0651 + 2 * nla_total_size_64bit(sizeof(uint64_t))
0652 ;
0653 }
0654
0655 static inline int ctnetlink_secctx_size(const struct nf_conn *ct)
0656 {
0657 #ifdef CONFIG_NF_CONNTRACK_SECMARK
0658 int len, ret;
0659
0660 ret = security_secid_to_secctx(ct->secmark, NULL, &len);
0661 if (ret)
0662 return 0;
0663
0664 return nla_total_size(0)
0665 + nla_total_size(sizeof(char) * len);
0666 #else
0667 return 0;
0668 #endif
0669 }
0670
0671 static inline size_t ctnetlink_timestamp_size(const struct nf_conn *ct)
0672 {
0673 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP
0674 if (!nf_ct_ext_exist(ct, NF_CT_EXT_TSTAMP))
0675 return 0;
0676 return nla_total_size(0) + 2 * nla_total_size_64bit(sizeof(uint64_t));
0677 #else
0678 return 0;
0679 #endif
0680 }
0681
0682 #ifdef CONFIG_NF_CONNTRACK_EVENTS
0683 static size_t ctnetlink_nlmsg_size(const struct nf_conn *ct)
0684 {
0685 return NLMSG_ALIGN(sizeof(struct nfgenmsg))
0686 + 3 * nla_total_size(0)
0687 + 3 * nla_total_size(0)
0688 + 3 * nla_total_size(0)
0689 + 3 * nla_total_size(sizeof(u_int8_t))
0690 + nla_total_size(sizeof(u_int32_t))
0691 + nla_total_size(sizeof(u_int32_t))
0692 + ctnetlink_acct_size(ct)
0693 + ctnetlink_timestamp_size(ct)
0694 + nla_total_size(sizeof(u_int32_t))
0695 + nla_total_size(0)
0696 + nla_total_size(0)
0697 + nla_total_size(NF_CT_HELPER_NAME_LEN)
0698 + ctnetlink_secctx_size(ct)
0699 #if IS_ENABLED(CONFIG_NF_NAT)
0700 + 2 * nla_total_size(0)
0701 + 6 * nla_total_size(sizeof(u_int32_t))
0702 #endif
0703 #ifdef CONFIG_NF_CONNTRACK_MARK
0704 + nla_total_size(sizeof(u_int32_t))
0705 #endif
0706 #ifdef CONFIG_NF_CONNTRACK_ZONES
0707 + nla_total_size(sizeof(u_int16_t))
0708 #endif
0709 + ctnetlink_proto_size(ct)
0710 + ctnetlink_label_size(ct)
0711 ;
0712 }
0713
0714 static int
0715 ctnetlink_conntrack_event(unsigned int events, const struct nf_ct_event *item)
0716 {
0717 const struct nf_conntrack_zone *zone;
0718 struct net *net;
0719 struct nlmsghdr *nlh;
0720 struct nlattr *nest_parms;
0721 struct nf_conn *ct = item->ct;
0722 struct sk_buff *skb;
0723 unsigned int type;
0724 unsigned int flags = 0, group;
0725 int err;
0726
0727 if (events & (1 << IPCT_DESTROY)) {
0728 type = IPCTNL_MSG_CT_DELETE;
0729 group = NFNLGRP_CONNTRACK_DESTROY;
0730 } else if (events & ((1 << IPCT_NEW) | (1 << IPCT_RELATED))) {
0731 type = IPCTNL_MSG_CT_NEW;
0732 flags = NLM_F_CREATE|NLM_F_EXCL;
0733 group = NFNLGRP_CONNTRACK_NEW;
0734 } else if (events) {
0735 type = IPCTNL_MSG_CT_NEW;
0736 group = NFNLGRP_CONNTRACK_UPDATE;
0737 } else
0738 return 0;
0739
0740 net = nf_ct_net(ct);
0741 if (!item->report && !nfnetlink_has_listeners(net, group))
0742 return 0;
0743
0744 skb = nlmsg_new(ctnetlink_nlmsg_size(ct), GFP_ATOMIC);
0745 if (skb == NULL)
0746 goto errout;
0747
0748 type = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, type);
0749 nlh = nfnl_msg_put(skb, item->portid, 0, type, flags, nf_ct_l3num(ct),
0750 NFNETLINK_V0, 0);
0751 if (!nlh)
0752 goto nlmsg_failure;
0753
0754 zone = nf_ct_zone(ct);
0755
0756 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG);
0757 if (!nest_parms)
0758 goto nla_put_failure;
0759 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
0760 goto nla_put_failure;
0761 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
0762 NF_CT_ZONE_DIR_ORIG) < 0)
0763 goto nla_put_failure;
0764 nla_nest_end(skb, nest_parms);
0765
0766 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY);
0767 if (!nest_parms)
0768 goto nla_put_failure;
0769 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
0770 goto nla_put_failure;
0771 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
0772 NF_CT_ZONE_DIR_REPL) < 0)
0773 goto nla_put_failure;
0774 nla_nest_end(skb, nest_parms);
0775
0776 if (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone,
0777 NF_CT_DEFAULT_ZONE_DIR) < 0)
0778 goto nla_put_failure;
0779
0780 if (ctnetlink_dump_id(skb, ct) < 0)
0781 goto nla_put_failure;
0782
0783 if (ctnetlink_dump_status(skb, ct) < 0)
0784 goto nla_put_failure;
0785
0786 if (events & (1 << IPCT_DESTROY)) {
0787 if (ctnetlink_dump_timeout(skb, ct, true) < 0)
0788 goto nla_put_failure;
0789
0790 if (ctnetlink_dump_acct(skb, ct, type) < 0 ||
0791 ctnetlink_dump_timestamp(skb, ct) < 0 ||
0792 ctnetlink_dump_protoinfo(skb, ct, true) < 0)
0793 goto nla_put_failure;
0794 } else {
0795 if (ctnetlink_dump_timeout(skb, ct, false) < 0)
0796 goto nla_put_failure;
0797
0798 if (events & (1 << IPCT_PROTOINFO) &&
0799 ctnetlink_dump_protoinfo(skb, ct, false) < 0)
0800 goto nla_put_failure;
0801
0802 if ((events & (1 << IPCT_HELPER) || nfct_help(ct))
0803 && ctnetlink_dump_helpinfo(skb, ct) < 0)
0804 goto nla_put_failure;
0805
0806 #ifdef CONFIG_NF_CONNTRACK_SECMARK
0807 if ((events & (1 << IPCT_SECMARK) || ct->secmark)
0808 && ctnetlink_dump_secctx(skb, ct) < 0)
0809 goto nla_put_failure;
0810 #endif
0811 if (events & (1 << IPCT_LABEL) &&
0812 ctnetlink_dump_labels(skb, ct) < 0)
0813 goto nla_put_failure;
0814
0815 if (events & (1 << IPCT_RELATED) &&
0816 ctnetlink_dump_master(skb, ct) < 0)
0817 goto nla_put_failure;
0818
0819 if (events & (1 << IPCT_SEQADJ) &&
0820 ctnetlink_dump_ct_seq_adj(skb, ct) < 0)
0821 goto nla_put_failure;
0822
0823 if (events & (1 << IPCT_SYNPROXY) &&
0824 ctnetlink_dump_ct_synproxy(skb, ct) < 0)
0825 goto nla_put_failure;
0826 }
0827
0828 #ifdef CONFIG_NF_CONNTRACK_MARK
0829 if ((events & (1 << IPCT_MARK) || ct->mark)
0830 && ctnetlink_dump_mark(skb, ct) < 0)
0831 goto nla_put_failure;
0832 #endif
0833 nlmsg_end(skb, nlh);
0834 err = nfnetlink_send(skb, net, item->portid, group, item->report,
0835 GFP_ATOMIC);
0836 if (err == -ENOBUFS || err == -EAGAIN)
0837 return -ENOBUFS;
0838
0839 return 0;
0840
0841 nla_put_failure:
0842 nlmsg_cancel(skb, nlh);
0843 nlmsg_failure:
0844 kfree_skb(skb);
0845 errout:
0846 if (nfnetlink_set_err(net, 0, group, -ENOBUFS) > 0)
0847 return -ENOBUFS;
0848
0849 return 0;
0850 }
0851 #endif
0852
0853 static int ctnetlink_done(struct netlink_callback *cb)
0854 {
0855 if (cb->args[1])
0856 nf_ct_put((struct nf_conn *)cb->args[1]);
0857 kfree(cb->data);
0858 return 0;
0859 }
0860
0861 struct ctnetlink_filter_u32 {
0862 u32 val;
0863 u32 mask;
0864 };
0865
0866 struct ctnetlink_filter {
0867 u8 family;
0868
0869 u_int32_t orig_flags;
0870 u_int32_t reply_flags;
0871
0872 struct nf_conntrack_tuple orig;
0873 struct nf_conntrack_tuple reply;
0874 struct nf_conntrack_zone zone;
0875
0876 struct ctnetlink_filter_u32 mark;
0877 struct ctnetlink_filter_u32 status;
0878 };
0879
0880 static const struct nla_policy cta_filter_nla_policy[CTA_FILTER_MAX + 1] = {
0881 [CTA_FILTER_ORIG_FLAGS] = { .type = NLA_U32 },
0882 [CTA_FILTER_REPLY_FLAGS] = { .type = NLA_U32 },
0883 };
0884
0885 static int ctnetlink_parse_filter(const struct nlattr *attr,
0886 struct ctnetlink_filter *filter)
0887 {
0888 struct nlattr *tb[CTA_FILTER_MAX + 1];
0889 int ret = 0;
0890
0891 ret = nla_parse_nested(tb, CTA_FILTER_MAX, attr, cta_filter_nla_policy,
0892 NULL);
0893 if (ret)
0894 return ret;
0895
0896 if (tb[CTA_FILTER_ORIG_FLAGS]) {
0897 filter->orig_flags = nla_get_u32(tb[CTA_FILTER_ORIG_FLAGS]);
0898 if (filter->orig_flags & ~CTA_FILTER_F_ALL)
0899 return -EOPNOTSUPP;
0900 }
0901
0902 if (tb[CTA_FILTER_REPLY_FLAGS]) {
0903 filter->reply_flags = nla_get_u32(tb[CTA_FILTER_REPLY_FLAGS]);
0904 if (filter->reply_flags & ~CTA_FILTER_F_ALL)
0905 return -EOPNOTSUPP;
0906 }
0907
0908 return 0;
0909 }
0910
0911 static int ctnetlink_parse_zone(const struct nlattr *attr,
0912 struct nf_conntrack_zone *zone);
0913 static int ctnetlink_parse_tuple_filter(const struct nlattr * const cda[],
0914 struct nf_conntrack_tuple *tuple,
0915 u32 type, u_int8_t l3num,
0916 struct nf_conntrack_zone *zone,
0917 u_int32_t flags);
0918
0919 static int ctnetlink_filter_parse_mark(struct ctnetlink_filter_u32 *mark,
0920 const struct nlattr * const cda[])
0921 {
0922 #ifdef CONFIG_NF_CONNTRACK_MARK
0923 if (cda[CTA_MARK]) {
0924 mark->val = ntohl(nla_get_be32(cda[CTA_MARK]));
0925
0926 if (cda[CTA_MARK_MASK])
0927 mark->mask = ntohl(nla_get_be32(cda[CTA_MARK_MASK]));
0928 else
0929 mark->mask = 0xffffffff;
0930 } else if (cda[CTA_MARK_MASK]) {
0931 return -EINVAL;
0932 }
0933 #endif
0934 return 0;
0935 }
0936
0937 static int ctnetlink_filter_parse_status(struct ctnetlink_filter_u32 *status,
0938 const struct nlattr * const cda[])
0939 {
0940 if (cda[CTA_STATUS]) {
0941 status->val = ntohl(nla_get_be32(cda[CTA_STATUS]));
0942 if (cda[CTA_STATUS_MASK])
0943 status->mask = ntohl(nla_get_be32(cda[CTA_STATUS_MASK]));
0944 else
0945 status->mask = status->val;
0946
0947
0948 if (status->mask == 0)
0949 return -EINVAL;
0950 } else if (cda[CTA_STATUS_MASK]) {
0951 return -EINVAL;
0952 }
0953
0954
0955 BUILD_BUG_ON(__IPS_MAX_BIT >= 32);
0956 return 0;
0957 }
0958
0959 static struct ctnetlink_filter *
0960 ctnetlink_alloc_filter(const struct nlattr * const cda[], u8 family)
0961 {
0962 struct ctnetlink_filter *filter;
0963 int err;
0964
0965 #ifndef CONFIG_NF_CONNTRACK_MARK
0966 if (cda[CTA_MARK] || cda[CTA_MARK_MASK])
0967 return ERR_PTR(-EOPNOTSUPP);
0968 #endif
0969
0970 filter = kzalloc(sizeof(*filter), GFP_KERNEL);
0971 if (filter == NULL)
0972 return ERR_PTR(-ENOMEM);
0973
0974 filter->family = family;
0975
0976 err = ctnetlink_filter_parse_mark(&filter->mark, cda);
0977 if (err)
0978 goto err_filter;
0979
0980 err = ctnetlink_filter_parse_status(&filter->status, cda);
0981 if (err)
0982 goto err_filter;
0983
0984 if (!cda[CTA_FILTER])
0985 return filter;
0986
0987 err = ctnetlink_parse_zone(cda[CTA_ZONE], &filter->zone);
0988 if (err < 0)
0989 goto err_filter;
0990
0991 err = ctnetlink_parse_filter(cda[CTA_FILTER], filter);
0992 if (err < 0)
0993 goto err_filter;
0994
0995 if (filter->orig_flags) {
0996 if (!cda[CTA_TUPLE_ORIG]) {
0997 err = -EINVAL;
0998 goto err_filter;
0999 }
1000
1001 err = ctnetlink_parse_tuple_filter(cda, &filter->orig,
1002 CTA_TUPLE_ORIG,
1003 filter->family,
1004 &filter->zone,
1005 filter->orig_flags);
1006 if (err < 0)
1007 goto err_filter;
1008 }
1009
1010 if (filter->reply_flags) {
1011 if (!cda[CTA_TUPLE_REPLY]) {
1012 err = -EINVAL;
1013 goto err_filter;
1014 }
1015
1016 err = ctnetlink_parse_tuple_filter(cda, &filter->reply,
1017 CTA_TUPLE_REPLY,
1018 filter->family,
1019 &filter->zone,
1020 filter->reply_flags);
1021 if (err < 0)
1022 goto err_filter;
1023 }
1024
1025 return filter;
1026
1027 err_filter:
1028 kfree(filter);
1029
1030 return ERR_PTR(err);
1031 }
1032
1033 static bool ctnetlink_needs_filter(u8 family, const struct nlattr * const *cda)
1034 {
1035 return family || cda[CTA_MARK] || cda[CTA_FILTER] || cda[CTA_STATUS];
1036 }
1037
1038 static int ctnetlink_start(struct netlink_callback *cb)
1039 {
1040 const struct nlattr * const *cda = cb->data;
1041 struct ctnetlink_filter *filter = NULL;
1042 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1043 u8 family = nfmsg->nfgen_family;
1044
1045 if (ctnetlink_needs_filter(family, cda)) {
1046 filter = ctnetlink_alloc_filter(cda, family);
1047 if (IS_ERR(filter))
1048 return PTR_ERR(filter);
1049 }
1050
1051 cb->data = filter;
1052 return 0;
1053 }
1054
1055 static int ctnetlink_filter_match_tuple(struct nf_conntrack_tuple *filter_tuple,
1056 struct nf_conntrack_tuple *ct_tuple,
1057 u_int32_t flags, int family)
1058 {
1059 switch (family) {
1060 case NFPROTO_IPV4:
1061 if ((flags & CTA_FILTER_FLAG(CTA_IP_SRC)) &&
1062 filter_tuple->src.u3.ip != ct_tuple->src.u3.ip)
1063 return 0;
1064
1065 if ((flags & CTA_FILTER_FLAG(CTA_IP_DST)) &&
1066 filter_tuple->dst.u3.ip != ct_tuple->dst.u3.ip)
1067 return 0;
1068 break;
1069 case NFPROTO_IPV6:
1070 if ((flags & CTA_FILTER_FLAG(CTA_IP_SRC)) &&
1071 !ipv6_addr_cmp(&filter_tuple->src.u3.in6,
1072 &ct_tuple->src.u3.in6))
1073 return 0;
1074
1075 if ((flags & CTA_FILTER_FLAG(CTA_IP_DST)) &&
1076 !ipv6_addr_cmp(&filter_tuple->dst.u3.in6,
1077 &ct_tuple->dst.u3.in6))
1078 return 0;
1079 break;
1080 }
1081
1082 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_NUM)) &&
1083 filter_tuple->dst.protonum != ct_tuple->dst.protonum)
1084 return 0;
1085
1086 switch (ct_tuple->dst.protonum) {
1087 case IPPROTO_TCP:
1088 case IPPROTO_UDP:
1089 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_SRC_PORT)) &&
1090 filter_tuple->src.u.tcp.port != ct_tuple->src.u.tcp.port)
1091 return 0;
1092
1093 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_DST_PORT)) &&
1094 filter_tuple->dst.u.tcp.port != ct_tuple->dst.u.tcp.port)
1095 return 0;
1096 break;
1097 case IPPROTO_ICMP:
1098 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMP_TYPE)) &&
1099 filter_tuple->dst.u.icmp.type != ct_tuple->dst.u.icmp.type)
1100 return 0;
1101 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMP_CODE)) &&
1102 filter_tuple->dst.u.icmp.code != ct_tuple->dst.u.icmp.code)
1103 return 0;
1104 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMP_ID)) &&
1105 filter_tuple->src.u.icmp.id != ct_tuple->src.u.icmp.id)
1106 return 0;
1107 break;
1108 case IPPROTO_ICMPV6:
1109 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMPV6_TYPE)) &&
1110 filter_tuple->dst.u.icmp.type != ct_tuple->dst.u.icmp.type)
1111 return 0;
1112 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMPV6_CODE)) &&
1113 filter_tuple->dst.u.icmp.code != ct_tuple->dst.u.icmp.code)
1114 return 0;
1115 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMPV6_ID)) &&
1116 filter_tuple->src.u.icmp.id != ct_tuple->src.u.icmp.id)
1117 return 0;
1118 break;
1119 }
1120
1121 return 1;
1122 }
1123
1124 static int ctnetlink_filter_match(struct nf_conn *ct, void *data)
1125 {
1126 struct ctnetlink_filter *filter = data;
1127 struct nf_conntrack_tuple *tuple;
1128 u32 status;
1129
1130 if (filter == NULL)
1131 goto out;
1132
1133
1134
1135
1136
1137 if (filter->family && nf_ct_l3num(ct) != filter->family)
1138 goto ignore_entry;
1139
1140 if (filter->orig_flags) {
1141 tuple = nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL);
1142 if (!ctnetlink_filter_match_tuple(&filter->orig, tuple,
1143 filter->orig_flags,
1144 filter->family))
1145 goto ignore_entry;
1146 }
1147
1148 if (filter->reply_flags) {
1149 tuple = nf_ct_tuple(ct, IP_CT_DIR_REPLY);
1150 if (!ctnetlink_filter_match_tuple(&filter->reply, tuple,
1151 filter->reply_flags,
1152 filter->family))
1153 goto ignore_entry;
1154 }
1155
1156 #ifdef CONFIG_NF_CONNTRACK_MARK
1157 if ((ct->mark & filter->mark.mask) != filter->mark.val)
1158 goto ignore_entry;
1159 #endif
1160 status = (u32)READ_ONCE(ct->status);
1161 if ((status & filter->status.mask) != filter->status.val)
1162 goto ignore_entry;
1163
1164 out:
1165 return 1;
1166
1167 ignore_entry:
1168 return 0;
1169 }
1170
1171 static int
1172 ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
1173 {
1174 unsigned int flags = cb->data ? NLM_F_DUMP_FILTERED : 0;
1175 struct net *net = sock_net(skb->sk);
1176 struct nf_conn *ct, *last;
1177 struct nf_conntrack_tuple_hash *h;
1178 struct hlist_nulls_node *n;
1179 struct nf_conn *nf_ct_evict[8];
1180 int res, i;
1181 spinlock_t *lockp;
1182
1183 last = (struct nf_conn *)cb->args[1];
1184 i = 0;
1185
1186 local_bh_disable();
1187 for (; cb->args[0] < nf_conntrack_htable_size; cb->args[0]++) {
1188 restart:
1189 while (i) {
1190 i--;
1191 if (nf_ct_should_gc(nf_ct_evict[i]))
1192 nf_ct_kill(nf_ct_evict[i]);
1193 nf_ct_put(nf_ct_evict[i]);
1194 }
1195
1196 lockp = &nf_conntrack_locks[cb->args[0] % CONNTRACK_LOCKS];
1197 nf_conntrack_lock(lockp);
1198 if (cb->args[0] >= nf_conntrack_htable_size) {
1199 spin_unlock(lockp);
1200 goto out;
1201 }
1202 hlist_nulls_for_each_entry(h, n, &nf_conntrack_hash[cb->args[0]],
1203 hnnode) {
1204 ct = nf_ct_tuplehash_to_ctrack(h);
1205 if (nf_ct_is_expired(ct)) {
1206
1207 if (i < ARRAY_SIZE(nf_ct_evict) &&
1208 refcount_inc_not_zero(&ct->ct_general.use))
1209 nf_ct_evict[i++] = ct;
1210 continue;
1211 }
1212
1213 if (!net_eq(net, nf_ct_net(ct)))
1214 continue;
1215
1216 if (NF_CT_DIRECTION(h) != IP_CT_DIR_ORIGINAL)
1217 continue;
1218
1219 if (cb->args[1]) {
1220 if (ct != last)
1221 continue;
1222 cb->args[1] = 0;
1223 }
1224 if (!ctnetlink_filter_match(ct, cb->data))
1225 continue;
1226
1227 res =
1228 ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).portid,
1229 cb->nlh->nlmsg_seq,
1230 NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
1231 ct, true, flags);
1232 if (res < 0) {
1233 nf_conntrack_get(&ct->ct_general);
1234 cb->args[1] = (unsigned long)ct;
1235 spin_unlock(lockp);
1236 goto out;
1237 }
1238 }
1239 spin_unlock(lockp);
1240 if (cb->args[1]) {
1241 cb->args[1] = 0;
1242 goto restart;
1243 }
1244 }
1245 out:
1246 local_bh_enable();
1247 if (last) {
1248
1249 if ((struct nf_conn *)cb->args[1] == last)
1250 cb->args[1] = 0;
1251
1252 nf_ct_put(last);
1253 }
1254
1255 while (i) {
1256 i--;
1257 if (nf_ct_should_gc(nf_ct_evict[i]))
1258 nf_ct_kill(nf_ct_evict[i]);
1259 nf_ct_put(nf_ct_evict[i]);
1260 }
1261
1262 return skb->len;
1263 }
1264
1265 static int ipv4_nlattr_to_tuple(struct nlattr *tb[],
1266 struct nf_conntrack_tuple *t,
1267 u_int32_t flags)
1268 {
1269 if (flags & CTA_FILTER_FLAG(CTA_IP_SRC)) {
1270 if (!tb[CTA_IP_V4_SRC])
1271 return -EINVAL;
1272
1273 t->src.u3.ip = nla_get_in_addr(tb[CTA_IP_V4_SRC]);
1274 }
1275
1276 if (flags & CTA_FILTER_FLAG(CTA_IP_DST)) {
1277 if (!tb[CTA_IP_V4_DST])
1278 return -EINVAL;
1279
1280 t->dst.u3.ip = nla_get_in_addr(tb[CTA_IP_V4_DST]);
1281 }
1282
1283 return 0;
1284 }
1285
1286 static int ipv6_nlattr_to_tuple(struct nlattr *tb[],
1287 struct nf_conntrack_tuple *t,
1288 u_int32_t flags)
1289 {
1290 if (flags & CTA_FILTER_FLAG(CTA_IP_SRC)) {
1291 if (!tb[CTA_IP_V6_SRC])
1292 return -EINVAL;
1293
1294 t->src.u3.in6 = nla_get_in6_addr(tb[CTA_IP_V6_SRC]);
1295 }
1296
1297 if (flags & CTA_FILTER_FLAG(CTA_IP_DST)) {
1298 if (!tb[CTA_IP_V6_DST])
1299 return -EINVAL;
1300
1301 t->dst.u3.in6 = nla_get_in6_addr(tb[CTA_IP_V6_DST]);
1302 }
1303
1304 return 0;
1305 }
1306
1307 static int ctnetlink_parse_tuple_ip(struct nlattr *attr,
1308 struct nf_conntrack_tuple *tuple,
1309 u_int32_t flags)
1310 {
1311 struct nlattr *tb[CTA_IP_MAX+1];
1312 int ret = 0;
1313
1314 ret = nla_parse_nested_deprecated(tb, CTA_IP_MAX, attr, NULL, NULL);
1315 if (ret < 0)
1316 return ret;
1317
1318 ret = nla_validate_nested_deprecated(attr, CTA_IP_MAX,
1319 cta_ip_nla_policy, NULL);
1320 if (ret)
1321 return ret;
1322
1323 switch (tuple->src.l3num) {
1324 case NFPROTO_IPV4:
1325 ret = ipv4_nlattr_to_tuple(tb, tuple, flags);
1326 break;
1327 case NFPROTO_IPV6:
1328 ret = ipv6_nlattr_to_tuple(tb, tuple, flags);
1329 break;
1330 }
1331
1332 return ret;
1333 }
1334
1335 static const struct nla_policy proto_nla_policy[CTA_PROTO_MAX+1] = {
1336 [CTA_PROTO_NUM] = { .type = NLA_U8 },
1337 };
1338
1339 static int ctnetlink_parse_tuple_proto(struct nlattr *attr,
1340 struct nf_conntrack_tuple *tuple,
1341 u_int32_t flags)
1342 {
1343 const struct nf_conntrack_l4proto *l4proto;
1344 struct nlattr *tb[CTA_PROTO_MAX+1];
1345 int ret = 0;
1346
1347 ret = nla_parse_nested_deprecated(tb, CTA_PROTO_MAX, attr,
1348 proto_nla_policy, NULL);
1349 if (ret < 0)
1350 return ret;
1351
1352 if (!(flags & CTA_FILTER_FLAG(CTA_PROTO_NUM)))
1353 return 0;
1354
1355 if (!tb[CTA_PROTO_NUM])
1356 return -EINVAL;
1357
1358 tuple->dst.protonum = nla_get_u8(tb[CTA_PROTO_NUM]);
1359
1360 rcu_read_lock();
1361 l4proto = nf_ct_l4proto_find(tuple->dst.protonum);
1362
1363 if (likely(l4proto->nlattr_to_tuple)) {
1364 ret = nla_validate_nested_deprecated(attr, CTA_PROTO_MAX,
1365 l4proto->nla_policy,
1366 NULL);
1367 if (ret == 0)
1368 ret = l4proto->nlattr_to_tuple(tb, tuple, flags);
1369 }
1370
1371 rcu_read_unlock();
1372
1373 return ret;
1374 }
1375
1376 static int
1377 ctnetlink_parse_zone(const struct nlattr *attr,
1378 struct nf_conntrack_zone *zone)
1379 {
1380 nf_ct_zone_init(zone, NF_CT_DEFAULT_ZONE_ID,
1381 NF_CT_DEFAULT_ZONE_DIR, 0);
1382 #ifdef CONFIG_NF_CONNTRACK_ZONES
1383 if (attr)
1384 zone->id = ntohs(nla_get_be16(attr));
1385 #else
1386 if (attr)
1387 return -EOPNOTSUPP;
1388 #endif
1389 return 0;
1390 }
1391
1392 static int
1393 ctnetlink_parse_tuple_zone(struct nlattr *attr, enum ctattr_type type,
1394 struct nf_conntrack_zone *zone)
1395 {
1396 int ret;
1397
1398 if (zone->id != NF_CT_DEFAULT_ZONE_ID)
1399 return -EINVAL;
1400
1401 ret = ctnetlink_parse_zone(attr, zone);
1402 if (ret < 0)
1403 return ret;
1404
1405 if (type == CTA_TUPLE_REPLY)
1406 zone->dir = NF_CT_ZONE_DIR_REPL;
1407 else
1408 zone->dir = NF_CT_ZONE_DIR_ORIG;
1409
1410 return 0;
1411 }
1412
1413 static const struct nla_policy tuple_nla_policy[CTA_TUPLE_MAX+1] = {
1414 [CTA_TUPLE_IP] = { .type = NLA_NESTED },
1415 [CTA_TUPLE_PROTO] = { .type = NLA_NESTED },
1416 [CTA_TUPLE_ZONE] = { .type = NLA_U16 },
1417 };
1418
1419 #define CTA_FILTER_F_ALL_CTA_PROTO \
1420 (CTA_FILTER_F_CTA_PROTO_SRC_PORT | \
1421 CTA_FILTER_F_CTA_PROTO_DST_PORT | \
1422 CTA_FILTER_F_CTA_PROTO_ICMP_TYPE | \
1423 CTA_FILTER_F_CTA_PROTO_ICMP_CODE | \
1424 CTA_FILTER_F_CTA_PROTO_ICMP_ID | \
1425 CTA_FILTER_F_CTA_PROTO_ICMPV6_TYPE | \
1426 CTA_FILTER_F_CTA_PROTO_ICMPV6_CODE | \
1427 CTA_FILTER_F_CTA_PROTO_ICMPV6_ID)
1428
1429 static int
1430 ctnetlink_parse_tuple_filter(const struct nlattr * const cda[],
1431 struct nf_conntrack_tuple *tuple, u32 type,
1432 u_int8_t l3num, struct nf_conntrack_zone *zone,
1433 u_int32_t flags)
1434 {
1435 struct nlattr *tb[CTA_TUPLE_MAX+1];
1436 int err;
1437
1438 memset(tuple, 0, sizeof(*tuple));
1439
1440 err = nla_parse_nested_deprecated(tb, CTA_TUPLE_MAX, cda[type],
1441 tuple_nla_policy, NULL);
1442 if (err < 0)
1443 return err;
1444
1445 if (l3num != NFPROTO_IPV4 && l3num != NFPROTO_IPV6)
1446 return -EOPNOTSUPP;
1447 tuple->src.l3num = l3num;
1448
1449 if (flags & CTA_FILTER_FLAG(CTA_IP_DST) ||
1450 flags & CTA_FILTER_FLAG(CTA_IP_SRC)) {
1451 if (!tb[CTA_TUPLE_IP])
1452 return -EINVAL;
1453
1454 err = ctnetlink_parse_tuple_ip(tb[CTA_TUPLE_IP], tuple, flags);
1455 if (err < 0)
1456 return err;
1457 }
1458
1459 if (flags & CTA_FILTER_FLAG(CTA_PROTO_NUM)) {
1460 if (!tb[CTA_TUPLE_PROTO])
1461 return -EINVAL;
1462
1463 err = ctnetlink_parse_tuple_proto(tb[CTA_TUPLE_PROTO], tuple, flags);
1464 if (err < 0)
1465 return err;
1466 } else if (flags & CTA_FILTER_FLAG(ALL_CTA_PROTO)) {
1467
1468 return -EINVAL;
1469 }
1470
1471 if ((flags & CTA_FILTER_FLAG(CTA_TUPLE_ZONE)) && tb[CTA_TUPLE_ZONE]) {
1472 if (!zone)
1473 return -EINVAL;
1474
1475 err = ctnetlink_parse_tuple_zone(tb[CTA_TUPLE_ZONE],
1476 type, zone);
1477 if (err < 0)
1478 return err;
1479 }
1480
1481
1482 if (type == CTA_TUPLE_REPLY)
1483 tuple->dst.dir = IP_CT_DIR_REPLY;
1484 else
1485 tuple->dst.dir = IP_CT_DIR_ORIGINAL;
1486
1487 return 0;
1488 }
1489
1490 static int
1491 ctnetlink_parse_tuple(const struct nlattr * const cda[],
1492 struct nf_conntrack_tuple *tuple, u32 type,
1493 u_int8_t l3num, struct nf_conntrack_zone *zone)
1494 {
1495 return ctnetlink_parse_tuple_filter(cda, tuple, type, l3num, zone,
1496 CTA_FILTER_FLAG(ALL));
1497 }
1498
1499 static const struct nla_policy help_nla_policy[CTA_HELP_MAX+1] = {
1500 [CTA_HELP_NAME] = { .type = NLA_NUL_STRING,
1501 .len = NF_CT_HELPER_NAME_LEN - 1 },
1502 };
1503
1504 static int ctnetlink_parse_help(const struct nlattr *attr, char **helper_name,
1505 struct nlattr **helpinfo)
1506 {
1507 int err;
1508 struct nlattr *tb[CTA_HELP_MAX+1];
1509
1510 err = nla_parse_nested_deprecated(tb, CTA_HELP_MAX, attr,
1511 help_nla_policy, NULL);
1512 if (err < 0)
1513 return err;
1514
1515 if (!tb[CTA_HELP_NAME])
1516 return -EINVAL;
1517
1518 *helper_name = nla_data(tb[CTA_HELP_NAME]);
1519
1520 if (tb[CTA_HELP_INFO])
1521 *helpinfo = tb[CTA_HELP_INFO];
1522
1523 return 0;
1524 }
1525
1526 static const struct nla_policy ct_nla_policy[CTA_MAX+1] = {
1527 [CTA_TUPLE_ORIG] = { .type = NLA_NESTED },
1528 [CTA_TUPLE_REPLY] = { .type = NLA_NESTED },
1529 [CTA_STATUS] = { .type = NLA_U32 },
1530 [CTA_PROTOINFO] = { .type = NLA_NESTED },
1531 [CTA_HELP] = { .type = NLA_NESTED },
1532 [CTA_NAT_SRC] = { .type = NLA_NESTED },
1533 [CTA_TIMEOUT] = { .type = NLA_U32 },
1534 [CTA_MARK] = { .type = NLA_U32 },
1535 [CTA_ID] = { .type = NLA_U32 },
1536 [CTA_NAT_DST] = { .type = NLA_NESTED },
1537 [CTA_TUPLE_MASTER] = { .type = NLA_NESTED },
1538 [CTA_NAT_SEQ_ADJ_ORIG] = { .type = NLA_NESTED },
1539 [CTA_NAT_SEQ_ADJ_REPLY] = { .type = NLA_NESTED },
1540 [CTA_ZONE] = { .type = NLA_U16 },
1541 [CTA_MARK_MASK] = { .type = NLA_U32 },
1542 [CTA_LABELS] = { .type = NLA_BINARY,
1543 .len = NF_CT_LABELS_MAX_SIZE },
1544 [CTA_LABELS_MASK] = { .type = NLA_BINARY,
1545 .len = NF_CT_LABELS_MAX_SIZE },
1546 [CTA_FILTER] = { .type = NLA_NESTED },
1547 [CTA_STATUS_MASK] = { .type = NLA_U32 },
1548 };
1549
1550 static int ctnetlink_flush_iterate(struct nf_conn *ct, void *data)
1551 {
1552 if (test_bit(IPS_OFFLOAD_BIT, &ct->status))
1553 return 0;
1554
1555 return ctnetlink_filter_match(ct, data);
1556 }
1557
1558 static int ctnetlink_flush_conntrack(struct net *net,
1559 const struct nlattr * const cda[],
1560 u32 portid, int report, u8 family)
1561 {
1562 struct ctnetlink_filter *filter = NULL;
1563 struct nf_ct_iter_data iter = {
1564 .net = net,
1565 .portid = portid,
1566 .report = report,
1567 };
1568
1569 if (ctnetlink_needs_filter(family, cda)) {
1570 if (cda[CTA_FILTER])
1571 return -EOPNOTSUPP;
1572
1573 filter = ctnetlink_alloc_filter(cda, family);
1574 if (IS_ERR(filter))
1575 return PTR_ERR(filter);
1576
1577 iter.data = filter;
1578 }
1579
1580 nf_ct_iterate_cleanup_net(ctnetlink_flush_iterate, &iter);
1581 kfree(filter);
1582
1583 return 0;
1584 }
1585
1586 static int ctnetlink_del_conntrack(struct sk_buff *skb,
1587 const struct nfnl_info *info,
1588 const struct nlattr * const cda[])
1589 {
1590 u8 family = info->nfmsg->nfgen_family;
1591 struct nf_conntrack_tuple_hash *h;
1592 struct nf_conntrack_tuple tuple;
1593 struct nf_conntrack_zone zone;
1594 struct nf_conn *ct;
1595 int err;
1596
1597 err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone);
1598 if (err < 0)
1599 return err;
1600
1601 if (cda[CTA_TUPLE_ORIG])
1602 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG,
1603 family, &zone);
1604 else if (cda[CTA_TUPLE_REPLY])
1605 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY,
1606 family, &zone);
1607 else {
1608 u_int8_t u3 = info->nfmsg->version ? family : AF_UNSPEC;
1609
1610 return ctnetlink_flush_conntrack(info->net, cda,
1611 NETLINK_CB(skb).portid,
1612 nlmsg_report(info->nlh), u3);
1613 }
1614
1615 if (err < 0)
1616 return err;
1617
1618 h = nf_conntrack_find_get(info->net, &zone, &tuple);
1619 if (!h)
1620 return -ENOENT;
1621
1622 ct = nf_ct_tuplehash_to_ctrack(h);
1623
1624 if (test_bit(IPS_OFFLOAD_BIT, &ct->status)) {
1625 nf_ct_put(ct);
1626 return -EBUSY;
1627 }
1628
1629 if (cda[CTA_ID]) {
1630 __be32 id = nla_get_be32(cda[CTA_ID]);
1631
1632 if (id != (__force __be32)nf_ct_get_id(ct)) {
1633 nf_ct_put(ct);
1634 return -ENOENT;
1635 }
1636 }
1637
1638 nf_ct_delete(ct, NETLINK_CB(skb).portid, nlmsg_report(info->nlh));
1639 nf_ct_put(ct);
1640
1641 return 0;
1642 }
1643
1644 static int ctnetlink_get_conntrack(struct sk_buff *skb,
1645 const struct nfnl_info *info,
1646 const struct nlattr * const cda[])
1647 {
1648 u_int8_t u3 = info->nfmsg->nfgen_family;
1649 struct nf_conntrack_tuple_hash *h;
1650 struct nf_conntrack_tuple tuple;
1651 struct nf_conntrack_zone zone;
1652 struct sk_buff *skb2;
1653 struct nf_conn *ct;
1654 int err;
1655
1656 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
1657 struct netlink_dump_control c = {
1658 .start = ctnetlink_start,
1659 .dump = ctnetlink_dump_table,
1660 .done = ctnetlink_done,
1661 .data = (void *)cda,
1662 };
1663
1664 return netlink_dump_start(info->sk, skb, info->nlh, &c);
1665 }
1666
1667 err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone);
1668 if (err < 0)
1669 return err;
1670
1671 if (cda[CTA_TUPLE_ORIG])
1672 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG,
1673 u3, &zone);
1674 else if (cda[CTA_TUPLE_REPLY])
1675 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY,
1676 u3, &zone);
1677 else
1678 return -EINVAL;
1679
1680 if (err < 0)
1681 return err;
1682
1683 h = nf_conntrack_find_get(info->net, &zone, &tuple);
1684 if (!h)
1685 return -ENOENT;
1686
1687 ct = nf_ct_tuplehash_to_ctrack(h);
1688
1689 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1690 if (!skb2) {
1691 nf_ct_put(ct);
1692 return -ENOMEM;
1693 }
1694
1695 err = ctnetlink_fill_info(skb2, NETLINK_CB(skb).portid,
1696 info->nlh->nlmsg_seq,
1697 NFNL_MSG_TYPE(info->nlh->nlmsg_type), ct,
1698 true, 0);
1699 nf_ct_put(ct);
1700 if (err <= 0) {
1701 kfree_skb(skb2);
1702 return -ENOMEM;
1703 }
1704
1705 return nfnetlink_unicast(skb2, info->net, NETLINK_CB(skb).portid);
1706 }
1707
1708 static int ctnetlink_done_list(struct netlink_callback *cb)
1709 {
1710 struct ctnetlink_list_dump_ctx *ctx = (void *)cb->ctx;
1711
1712 if (ctx->last)
1713 nf_ct_put(ctx->last);
1714
1715 return 0;
1716 }
1717
1718 #ifdef CONFIG_NF_CONNTRACK_EVENTS
1719 static int ctnetlink_dump_one_entry(struct sk_buff *skb,
1720 struct netlink_callback *cb,
1721 struct nf_conn *ct,
1722 bool dying)
1723 {
1724 struct ctnetlink_list_dump_ctx *ctx = (void *)cb->ctx;
1725 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1726 u8 l3proto = nfmsg->nfgen_family;
1727 int res;
1728
1729 if (l3proto && nf_ct_l3num(ct) != l3proto)
1730 return 0;
1731
1732 if (ctx->last) {
1733 if (ct != ctx->last)
1734 return 0;
1735
1736 ctx->last = NULL;
1737 }
1738
1739
1740
1741
1742
1743
1744
1745
1746 res = ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).portid,
1747 cb->nlh->nlmsg_seq,
1748 NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
1749 ct, dying, 0);
1750 if (res < 0) {
1751 if (!refcount_inc_not_zero(&ct->ct_general.use))
1752 return 0;
1753
1754 ctx->last = ct;
1755 }
1756
1757 return res;
1758 }
1759 #endif
1760
1761 static int
1762 ctnetlink_dump_unconfirmed(struct sk_buff *skb, struct netlink_callback *cb)
1763 {
1764 return 0;
1765 }
1766
1767 static int
1768 ctnetlink_dump_dying(struct sk_buff *skb, struct netlink_callback *cb)
1769 {
1770 struct ctnetlink_list_dump_ctx *ctx = (void *)cb->ctx;
1771 struct nf_conn *last = ctx->last;
1772 #ifdef CONFIG_NF_CONNTRACK_EVENTS
1773 const struct net *net = sock_net(skb->sk);
1774 struct nf_conntrack_net_ecache *ecache_net;
1775 struct nf_conntrack_tuple_hash *h;
1776 struct hlist_nulls_node *n;
1777 #endif
1778
1779 if (ctx->done)
1780 return 0;
1781
1782 ctx->last = NULL;
1783
1784 #ifdef CONFIG_NF_CONNTRACK_EVENTS
1785 ecache_net = nf_conn_pernet_ecache(net);
1786 spin_lock_bh(&ecache_net->dying_lock);
1787
1788 hlist_nulls_for_each_entry(h, n, &ecache_net->dying_list, hnnode) {
1789 struct nf_conn *ct;
1790 int res;
1791
1792 ct = nf_ct_tuplehash_to_ctrack(h);
1793 if (last && last != ct)
1794 continue;
1795
1796 res = ctnetlink_dump_one_entry(skb, cb, ct, true);
1797 if (res < 0) {
1798 spin_unlock_bh(&ecache_net->dying_lock);
1799 nf_ct_put(last);
1800 return skb->len;
1801 }
1802
1803 nf_ct_put(last);
1804 last = NULL;
1805 }
1806
1807 spin_unlock_bh(&ecache_net->dying_lock);
1808 #endif
1809 ctx->done = true;
1810 nf_ct_put(last);
1811
1812 return skb->len;
1813 }
1814
1815 static int ctnetlink_get_ct_dying(struct sk_buff *skb,
1816 const struct nfnl_info *info,
1817 const struct nlattr * const cda[])
1818 {
1819 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
1820 struct netlink_dump_control c = {
1821 .dump = ctnetlink_dump_dying,
1822 .done = ctnetlink_done_list,
1823 };
1824 return netlink_dump_start(info->sk, skb, info->nlh, &c);
1825 }
1826
1827 return -EOPNOTSUPP;
1828 }
1829
1830 static int ctnetlink_get_ct_unconfirmed(struct sk_buff *skb,
1831 const struct nfnl_info *info,
1832 const struct nlattr * const cda[])
1833 {
1834 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
1835 struct netlink_dump_control c = {
1836 .dump = ctnetlink_dump_unconfirmed,
1837 .done = ctnetlink_done_list,
1838 };
1839 return netlink_dump_start(info->sk, skb, info->nlh, &c);
1840 }
1841
1842 return -EOPNOTSUPP;
1843 }
1844
1845 #if IS_ENABLED(CONFIG_NF_NAT)
1846 static int
1847 ctnetlink_parse_nat_setup(struct nf_conn *ct,
1848 enum nf_nat_manip_type manip,
1849 const struct nlattr *attr)
1850 __must_hold(RCU)
1851 {
1852 const struct nf_nat_hook *nat_hook;
1853 int err;
1854
1855 nat_hook = rcu_dereference(nf_nat_hook);
1856 if (!nat_hook) {
1857 #ifdef CONFIG_MODULES
1858 rcu_read_unlock();
1859 nfnl_unlock(NFNL_SUBSYS_CTNETLINK);
1860 if (request_module("nf-nat") < 0) {
1861 nfnl_lock(NFNL_SUBSYS_CTNETLINK);
1862 rcu_read_lock();
1863 return -EOPNOTSUPP;
1864 }
1865 nfnl_lock(NFNL_SUBSYS_CTNETLINK);
1866 rcu_read_lock();
1867 nat_hook = rcu_dereference(nf_nat_hook);
1868 if (nat_hook)
1869 return -EAGAIN;
1870 #endif
1871 return -EOPNOTSUPP;
1872 }
1873
1874 err = nat_hook->parse_nat_setup(ct, manip, attr);
1875 if (err == -EAGAIN) {
1876 #ifdef CONFIG_MODULES
1877 rcu_read_unlock();
1878 nfnl_unlock(NFNL_SUBSYS_CTNETLINK);
1879 if (request_module("nf-nat-%u", nf_ct_l3num(ct)) < 0) {
1880 nfnl_lock(NFNL_SUBSYS_CTNETLINK);
1881 rcu_read_lock();
1882 return -EOPNOTSUPP;
1883 }
1884 nfnl_lock(NFNL_SUBSYS_CTNETLINK);
1885 rcu_read_lock();
1886 #else
1887 err = -EOPNOTSUPP;
1888 #endif
1889 }
1890 return err;
1891 }
1892 #endif
1893
1894 static int
1895 ctnetlink_change_status(struct nf_conn *ct, const struct nlattr * const cda[])
1896 {
1897 return nf_ct_change_status_common(ct, ntohl(nla_get_be32(cda[CTA_STATUS])));
1898 }
1899
1900 static int
1901 ctnetlink_setup_nat(struct nf_conn *ct, const struct nlattr * const cda[])
1902 {
1903 #if IS_ENABLED(CONFIG_NF_NAT)
1904 int ret;
1905
1906 if (!cda[CTA_NAT_DST] && !cda[CTA_NAT_SRC])
1907 return 0;
1908
1909 ret = ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_DST,
1910 cda[CTA_NAT_DST]);
1911 if (ret < 0)
1912 return ret;
1913
1914 return ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_SRC,
1915 cda[CTA_NAT_SRC]);
1916 #else
1917 if (!cda[CTA_NAT_DST] && !cda[CTA_NAT_SRC])
1918 return 0;
1919 return -EOPNOTSUPP;
1920 #endif
1921 }
1922
1923 static int ctnetlink_change_helper(struct nf_conn *ct,
1924 const struct nlattr * const cda[])
1925 {
1926 struct nf_conntrack_helper *helper;
1927 struct nf_conn_help *help = nfct_help(ct);
1928 char *helpname = NULL;
1929 struct nlattr *helpinfo = NULL;
1930 int err;
1931
1932 err = ctnetlink_parse_help(cda[CTA_HELP], &helpname, &helpinfo);
1933 if (err < 0)
1934 return err;
1935
1936
1937 if (ct->master) {
1938
1939
1940
1941
1942 err = -EBUSY;
1943 if (help) {
1944 rcu_read_lock();
1945 helper = rcu_dereference(help->helper);
1946 if (helper && !strcmp(helper->name, helpname))
1947 err = 0;
1948 rcu_read_unlock();
1949 }
1950
1951 return err;
1952 }
1953
1954 if (!strcmp(helpname, "")) {
1955 if (help && help->helper) {
1956
1957 nf_ct_remove_expectations(ct);
1958 RCU_INIT_POINTER(help->helper, NULL);
1959 }
1960
1961 return 0;
1962 }
1963
1964 rcu_read_lock();
1965 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
1966 nf_ct_protonum(ct));
1967 if (helper == NULL) {
1968 rcu_read_unlock();
1969 return -EOPNOTSUPP;
1970 }
1971
1972 if (help) {
1973 if (rcu_access_pointer(help->helper) == helper) {
1974
1975 if (helper->from_nlattr)
1976 helper->from_nlattr(helpinfo, ct);
1977 err = 0;
1978 } else
1979 err = -EBUSY;
1980 } else {
1981
1982 err = -EOPNOTSUPP;
1983 }
1984
1985 rcu_read_unlock();
1986 return err;
1987 }
1988
1989 static int ctnetlink_change_timeout(struct nf_conn *ct,
1990 const struct nlattr * const cda[])
1991 {
1992 return __nf_ct_change_timeout(ct, (u64)ntohl(nla_get_be32(cda[CTA_TIMEOUT])) * HZ);
1993 }
1994
1995 #if defined(CONFIG_NF_CONNTRACK_MARK)
1996 static void ctnetlink_change_mark(struct nf_conn *ct,
1997 const struct nlattr * const cda[])
1998 {
1999 u32 mark, newmark, mask = 0;
2000
2001 if (cda[CTA_MARK_MASK])
2002 mask = ~ntohl(nla_get_be32(cda[CTA_MARK_MASK]));
2003
2004 mark = ntohl(nla_get_be32(cda[CTA_MARK]));
2005 newmark = (ct->mark & mask) ^ mark;
2006 if (newmark != ct->mark)
2007 ct->mark = newmark;
2008 }
2009 #endif
2010
2011 static const struct nla_policy protoinfo_policy[CTA_PROTOINFO_MAX+1] = {
2012 [CTA_PROTOINFO_TCP] = { .type = NLA_NESTED },
2013 [CTA_PROTOINFO_DCCP] = { .type = NLA_NESTED },
2014 [CTA_PROTOINFO_SCTP] = { .type = NLA_NESTED },
2015 };
2016
2017 static int ctnetlink_change_protoinfo(struct nf_conn *ct,
2018 const struct nlattr * const cda[])
2019 {
2020 const struct nlattr *attr = cda[CTA_PROTOINFO];
2021 const struct nf_conntrack_l4proto *l4proto;
2022 struct nlattr *tb[CTA_PROTOINFO_MAX+1];
2023 int err = 0;
2024
2025 err = nla_parse_nested_deprecated(tb, CTA_PROTOINFO_MAX, attr,
2026 protoinfo_policy, NULL);
2027 if (err < 0)
2028 return err;
2029
2030 l4proto = nf_ct_l4proto_find(nf_ct_protonum(ct));
2031 if (l4proto->from_nlattr)
2032 err = l4proto->from_nlattr(tb, ct);
2033
2034 return err;
2035 }
2036
2037 static const struct nla_policy seqadj_policy[CTA_SEQADJ_MAX+1] = {
2038 [CTA_SEQADJ_CORRECTION_POS] = { .type = NLA_U32 },
2039 [CTA_SEQADJ_OFFSET_BEFORE] = { .type = NLA_U32 },
2040 [CTA_SEQADJ_OFFSET_AFTER] = { .type = NLA_U32 },
2041 };
2042
2043 static int change_seq_adj(struct nf_ct_seqadj *seq,
2044 const struct nlattr * const attr)
2045 {
2046 int err;
2047 struct nlattr *cda[CTA_SEQADJ_MAX+1];
2048
2049 err = nla_parse_nested_deprecated(cda, CTA_SEQADJ_MAX, attr,
2050 seqadj_policy, NULL);
2051 if (err < 0)
2052 return err;
2053
2054 if (!cda[CTA_SEQADJ_CORRECTION_POS])
2055 return -EINVAL;
2056
2057 seq->correction_pos =
2058 ntohl(nla_get_be32(cda[CTA_SEQADJ_CORRECTION_POS]));
2059
2060 if (!cda[CTA_SEQADJ_OFFSET_BEFORE])
2061 return -EINVAL;
2062
2063 seq->offset_before =
2064 ntohl(nla_get_be32(cda[CTA_SEQADJ_OFFSET_BEFORE]));
2065
2066 if (!cda[CTA_SEQADJ_OFFSET_AFTER])
2067 return -EINVAL;
2068
2069 seq->offset_after =
2070 ntohl(nla_get_be32(cda[CTA_SEQADJ_OFFSET_AFTER]));
2071
2072 return 0;
2073 }
2074
2075 static int
2076 ctnetlink_change_seq_adj(struct nf_conn *ct,
2077 const struct nlattr * const cda[])
2078 {
2079 struct nf_conn_seqadj *seqadj = nfct_seqadj(ct);
2080 int ret = 0;
2081
2082 if (!seqadj)
2083 return 0;
2084
2085 spin_lock_bh(&ct->lock);
2086 if (cda[CTA_SEQ_ADJ_ORIG]) {
2087 ret = change_seq_adj(&seqadj->seq[IP_CT_DIR_ORIGINAL],
2088 cda[CTA_SEQ_ADJ_ORIG]);
2089 if (ret < 0)
2090 goto err;
2091
2092 set_bit(IPS_SEQ_ADJUST_BIT, &ct->status);
2093 }
2094
2095 if (cda[CTA_SEQ_ADJ_REPLY]) {
2096 ret = change_seq_adj(&seqadj->seq[IP_CT_DIR_REPLY],
2097 cda[CTA_SEQ_ADJ_REPLY]);
2098 if (ret < 0)
2099 goto err;
2100
2101 set_bit(IPS_SEQ_ADJUST_BIT, &ct->status);
2102 }
2103
2104 spin_unlock_bh(&ct->lock);
2105 return 0;
2106 err:
2107 spin_unlock_bh(&ct->lock);
2108 return ret;
2109 }
2110
2111 static const struct nla_policy synproxy_policy[CTA_SYNPROXY_MAX + 1] = {
2112 [CTA_SYNPROXY_ISN] = { .type = NLA_U32 },
2113 [CTA_SYNPROXY_ITS] = { .type = NLA_U32 },
2114 [CTA_SYNPROXY_TSOFF] = { .type = NLA_U32 },
2115 };
2116
2117 static int ctnetlink_change_synproxy(struct nf_conn *ct,
2118 const struct nlattr * const cda[])
2119 {
2120 struct nf_conn_synproxy *synproxy = nfct_synproxy(ct);
2121 struct nlattr *tb[CTA_SYNPROXY_MAX + 1];
2122 int err;
2123
2124 if (!synproxy)
2125 return 0;
2126
2127 err = nla_parse_nested_deprecated(tb, CTA_SYNPROXY_MAX,
2128 cda[CTA_SYNPROXY], synproxy_policy,
2129 NULL);
2130 if (err < 0)
2131 return err;
2132
2133 if (!tb[CTA_SYNPROXY_ISN] ||
2134 !tb[CTA_SYNPROXY_ITS] ||
2135 !tb[CTA_SYNPROXY_TSOFF])
2136 return -EINVAL;
2137
2138 synproxy->isn = ntohl(nla_get_be32(tb[CTA_SYNPROXY_ISN]));
2139 synproxy->its = ntohl(nla_get_be32(tb[CTA_SYNPROXY_ITS]));
2140 synproxy->tsoff = ntohl(nla_get_be32(tb[CTA_SYNPROXY_TSOFF]));
2141
2142 return 0;
2143 }
2144
2145 static int
2146 ctnetlink_attach_labels(struct nf_conn *ct, const struct nlattr * const cda[])
2147 {
2148 #ifdef CONFIG_NF_CONNTRACK_LABELS
2149 size_t len = nla_len(cda[CTA_LABELS]);
2150 const void *mask = cda[CTA_LABELS_MASK];
2151
2152 if (len & (sizeof(u32)-1))
2153 return -EINVAL;
2154
2155 if (mask) {
2156 if (nla_len(cda[CTA_LABELS_MASK]) == 0 ||
2157 nla_len(cda[CTA_LABELS_MASK]) != len)
2158 return -EINVAL;
2159 mask = nla_data(cda[CTA_LABELS_MASK]);
2160 }
2161
2162 len /= sizeof(u32);
2163
2164 return nf_connlabels_replace(ct, nla_data(cda[CTA_LABELS]), mask, len);
2165 #else
2166 return -EOPNOTSUPP;
2167 #endif
2168 }
2169
2170 static int
2171 ctnetlink_change_conntrack(struct nf_conn *ct,
2172 const struct nlattr * const cda[])
2173 {
2174 int err;
2175
2176
2177 if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST] || cda[CTA_TUPLE_MASTER])
2178 return -EOPNOTSUPP;
2179
2180 if (cda[CTA_HELP]) {
2181 err = ctnetlink_change_helper(ct, cda);
2182 if (err < 0)
2183 return err;
2184 }
2185
2186 if (cda[CTA_TIMEOUT]) {
2187 err = ctnetlink_change_timeout(ct, cda);
2188 if (err < 0)
2189 return err;
2190 }
2191
2192 if (cda[CTA_STATUS]) {
2193 err = ctnetlink_change_status(ct, cda);
2194 if (err < 0)
2195 return err;
2196 }
2197
2198 if (cda[CTA_PROTOINFO]) {
2199 err = ctnetlink_change_protoinfo(ct, cda);
2200 if (err < 0)
2201 return err;
2202 }
2203
2204 #if defined(CONFIG_NF_CONNTRACK_MARK)
2205 if (cda[CTA_MARK])
2206 ctnetlink_change_mark(ct, cda);
2207 #endif
2208
2209 if (cda[CTA_SEQ_ADJ_ORIG] || cda[CTA_SEQ_ADJ_REPLY]) {
2210 err = ctnetlink_change_seq_adj(ct, cda);
2211 if (err < 0)
2212 return err;
2213 }
2214
2215 if (cda[CTA_SYNPROXY]) {
2216 err = ctnetlink_change_synproxy(ct, cda);
2217 if (err < 0)
2218 return err;
2219 }
2220
2221 if (cda[CTA_LABELS]) {
2222 err = ctnetlink_attach_labels(ct, cda);
2223 if (err < 0)
2224 return err;
2225 }
2226
2227 return 0;
2228 }
2229
2230 static struct nf_conn *
2231 ctnetlink_create_conntrack(struct net *net,
2232 const struct nf_conntrack_zone *zone,
2233 const struct nlattr * const cda[],
2234 struct nf_conntrack_tuple *otuple,
2235 struct nf_conntrack_tuple *rtuple,
2236 u8 u3)
2237 {
2238 struct nf_conn *ct;
2239 int err = -EINVAL;
2240 struct nf_conntrack_helper *helper;
2241 struct nf_conn_tstamp *tstamp;
2242 u64 timeout;
2243
2244 ct = nf_conntrack_alloc(net, zone, otuple, rtuple, GFP_ATOMIC);
2245 if (IS_ERR(ct))
2246 return ERR_PTR(-ENOMEM);
2247
2248 if (!cda[CTA_TIMEOUT])
2249 goto err1;
2250
2251 timeout = (u64)ntohl(nla_get_be32(cda[CTA_TIMEOUT])) * HZ;
2252 __nf_ct_set_timeout(ct, timeout);
2253
2254 rcu_read_lock();
2255 if (cda[CTA_HELP]) {
2256 char *helpname = NULL;
2257 struct nlattr *helpinfo = NULL;
2258
2259 err = ctnetlink_parse_help(cda[CTA_HELP], &helpname, &helpinfo);
2260 if (err < 0)
2261 goto err2;
2262
2263 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
2264 nf_ct_protonum(ct));
2265 if (helper == NULL) {
2266 rcu_read_unlock();
2267 #ifdef CONFIG_MODULES
2268 if (request_module("nfct-helper-%s", helpname) < 0) {
2269 err = -EOPNOTSUPP;
2270 goto err1;
2271 }
2272
2273 rcu_read_lock();
2274 helper = __nf_conntrack_helper_find(helpname,
2275 nf_ct_l3num(ct),
2276 nf_ct_protonum(ct));
2277 if (helper) {
2278 err = -EAGAIN;
2279 goto err2;
2280 }
2281 rcu_read_unlock();
2282 #endif
2283 err = -EOPNOTSUPP;
2284 goto err1;
2285 } else {
2286 struct nf_conn_help *help;
2287
2288 help = nf_ct_helper_ext_add(ct, GFP_ATOMIC);
2289 if (help == NULL) {
2290 err = -ENOMEM;
2291 goto err2;
2292 }
2293
2294 if (helper->from_nlattr)
2295 helper->from_nlattr(helpinfo, ct);
2296
2297
2298 ct->status |= IPS_HELPER;
2299 RCU_INIT_POINTER(help->helper, helper);
2300 }
2301 }
2302
2303 err = ctnetlink_setup_nat(ct, cda);
2304 if (err < 0)
2305 goto err2;
2306
2307 nf_ct_acct_ext_add(ct, GFP_ATOMIC);
2308 nf_ct_tstamp_ext_add(ct, GFP_ATOMIC);
2309 nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC);
2310 nf_ct_labels_ext_add(ct);
2311 nfct_seqadj_ext_add(ct);
2312 nfct_synproxy_ext_add(ct);
2313
2314
2315 ct->status |= IPS_CONFIRMED;
2316
2317 if (cda[CTA_STATUS]) {
2318 err = ctnetlink_change_status(ct, cda);
2319 if (err < 0)
2320 goto err2;
2321 }
2322
2323 if (cda[CTA_SEQ_ADJ_ORIG] || cda[CTA_SEQ_ADJ_REPLY]) {
2324 err = ctnetlink_change_seq_adj(ct, cda);
2325 if (err < 0)
2326 goto err2;
2327 }
2328
2329 memset(&ct->proto, 0, sizeof(ct->proto));
2330 if (cda[CTA_PROTOINFO]) {
2331 err = ctnetlink_change_protoinfo(ct, cda);
2332 if (err < 0)
2333 goto err2;
2334 }
2335
2336 if (cda[CTA_SYNPROXY]) {
2337 err = ctnetlink_change_synproxy(ct, cda);
2338 if (err < 0)
2339 goto err2;
2340 }
2341
2342 #if defined(CONFIG_NF_CONNTRACK_MARK)
2343 if (cda[CTA_MARK])
2344 ctnetlink_change_mark(ct, cda);
2345 #endif
2346
2347
2348 if (cda[CTA_TUPLE_MASTER]) {
2349 struct nf_conntrack_tuple master;
2350 struct nf_conntrack_tuple_hash *master_h;
2351 struct nf_conn *master_ct;
2352
2353 err = ctnetlink_parse_tuple(cda, &master, CTA_TUPLE_MASTER,
2354 u3, NULL);
2355 if (err < 0)
2356 goto err2;
2357
2358 master_h = nf_conntrack_find_get(net, zone, &master);
2359 if (master_h == NULL) {
2360 err = -ENOENT;
2361 goto err2;
2362 }
2363 master_ct = nf_ct_tuplehash_to_ctrack(master_h);
2364 __set_bit(IPS_EXPECTED_BIT, &ct->status);
2365 ct->master = master_ct;
2366 }
2367 tstamp = nf_conn_tstamp_find(ct);
2368 if (tstamp)
2369 tstamp->start = ktime_get_real_ns();
2370
2371 err = nf_conntrack_hash_check_insert(ct);
2372 if (err < 0)
2373 goto err2;
2374
2375 rcu_read_unlock();
2376
2377 return ct;
2378
2379 err2:
2380 rcu_read_unlock();
2381 err1:
2382 nf_conntrack_free(ct);
2383 return ERR_PTR(err);
2384 }
2385
2386 static int ctnetlink_new_conntrack(struct sk_buff *skb,
2387 const struct nfnl_info *info,
2388 const struct nlattr * const cda[])
2389 {
2390 struct nf_conntrack_tuple otuple, rtuple;
2391 struct nf_conntrack_tuple_hash *h = NULL;
2392 u_int8_t u3 = info->nfmsg->nfgen_family;
2393 struct nf_conntrack_zone zone;
2394 struct nf_conn *ct;
2395 int err;
2396
2397 err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone);
2398 if (err < 0)
2399 return err;
2400
2401 if (cda[CTA_TUPLE_ORIG]) {
2402 err = ctnetlink_parse_tuple(cda, &otuple, CTA_TUPLE_ORIG,
2403 u3, &zone);
2404 if (err < 0)
2405 return err;
2406 }
2407
2408 if (cda[CTA_TUPLE_REPLY]) {
2409 err = ctnetlink_parse_tuple(cda, &rtuple, CTA_TUPLE_REPLY,
2410 u3, &zone);
2411 if (err < 0)
2412 return err;
2413 }
2414
2415 if (cda[CTA_TUPLE_ORIG])
2416 h = nf_conntrack_find_get(info->net, &zone, &otuple);
2417 else if (cda[CTA_TUPLE_REPLY])
2418 h = nf_conntrack_find_get(info->net, &zone, &rtuple);
2419
2420 if (h == NULL) {
2421 err = -ENOENT;
2422 if (info->nlh->nlmsg_flags & NLM_F_CREATE) {
2423 enum ip_conntrack_events events;
2424
2425 if (!cda[CTA_TUPLE_ORIG] || !cda[CTA_TUPLE_REPLY])
2426 return -EINVAL;
2427 if (otuple.dst.protonum != rtuple.dst.protonum)
2428 return -EINVAL;
2429
2430 ct = ctnetlink_create_conntrack(info->net, &zone, cda,
2431 &otuple, &rtuple, u3);
2432 if (IS_ERR(ct))
2433 return PTR_ERR(ct);
2434
2435 err = 0;
2436 if (test_bit(IPS_EXPECTED_BIT, &ct->status))
2437 events = 1 << IPCT_RELATED;
2438 else
2439 events = 1 << IPCT_NEW;
2440
2441 if (cda[CTA_LABELS] &&
2442 ctnetlink_attach_labels(ct, cda) == 0)
2443 events |= (1 << IPCT_LABEL);
2444
2445 nf_conntrack_eventmask_report((1 << IPCT_REPLY) |
2446 (1 << IPCT_ASSURED) |
2447 (1 << IPCT_HELPER) |
2448 (1 << IPCT_PROTOINFO) |
2449 (1 << IPCT_SEQADJ) |
2450 (1 << IPCT_MARK) |
2451 (1 << IPCT_SYNPROXY) |
2452 events,
2453 ct, NETLINK_CB(skb).portid,
2454 nlmsg_report(info->nlh));
2455 nf_ct_put(ct);
2456 }
2457
2458 return err;
2459 }
2460
2461
2462 err = -EEXIST;
2463 ct = nf_ct_tuplehash_to_ctrack(h);
2464 if (!(info->nlh->nlmsg_flags & NLM_F_EXCL)) {
2465 err = ctnetlink_change_conntrack(ct, cda);
2466 if (err == 0) {
2467 nf_conntrack_eventmask_report((1 << IPCT_REPLY) |
2468 (1 << IPCT_ASSURED) |
2469 (1 << IPCT_HELPER) |
2470 (1 << IPCT_LABEL) |
2471 (1 << IPCT_PROTOINFO) |
2472 (1 << IPCT_SEQADJ) |
2473 (1 << IPCT_MARK) |
2474 (1 << IPCT_SYNPROXY),
2475 ct, NETLINK_CB(skb).portid,
2476 nlmsg_report(info->nlh));
2477 }
2478 }
2479
2480 nf_ct_put(ct);
2481 return err;
2482 }
2483
2484 static int
2485 ctnetlink_ct_stat_cpu_fill_info(struct sk_buff *skb, u32 portid, u32 seq,
2486 __u16 cpu, const struct ip_conntrack_stat *st)
2487 {
2488 struct nlmsghdr *nlh;
2489 unsigned int flags = portid ? NLM_F_MULTI : 0, event;
2490
2491 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK,
2492 IPCTNL_MSG_CT_GET_STATS_CPU);
2493 nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC,
2494 NFNETLINK_V0, htons(cpu));
2495 if (!nlh)
2496 goto nlmsg_failure;
2497
2498 if (nla_put_be32(skb, CTA_STATS_FOUND, htonl(st->found)) ||
2499 nla_put_be32(skb, CTA_STATS_INVALID, htonl(st->invalid)) ||
2500 nla_put_be32(skb, CTA_STATS_INSERT, htonl(st->insert)) ||
2501 nla_put_be32(skb, CTA_STATS_INSERT_FAILED,
2502 htonl(st->insert_failed)) ||
2503 nla_put_be32(skb, CTA_STATS_DROP, htonl(st->drop)) ||
2504 nla_put_be32(skb, CTA_STATS_EARLY_DROP, htonl(st->early_drop)) ||
2505 nla_put_be32(skb, CTA_STATS_ERROR, htonl(st->error)) ||
2506 nla_put_be32(skb, CTA_STATS_SEARCH_RESTART,
2507 htonl(st->search_restart)) ||
2508 nla_put_be32(skb, CTA_STATS_CLASH_RESOLVE,
2509 htonl(st->clash_resolve)) ||
2510 nla_put_be32(skb, CTA_STATS_CHAIN_TOOLONG,
2511 htonl(st->chaintoolong)))
2512 goto nla_put_failure;
2513
2514 nlmsg_end(skb, nlh);
2515 return skb->len;
2516
2517 nla_put_failure:
2518 nlmsg_failure:
2519 nlmsg_cancel(skb, nlh);
2520 return -1;
2521 }
2522
2523 static int
2524 ctnetlink_ct_stat_cpu_dump(struct sk_buff *skb, struct netlink_callback *cb)
2525 {
2526 int cpu;
2527 struct net *net = sock_net(skb->sk);
2528
2529 if (cb->args[0] == nr_cpu_ids)
2530 return 0;
2531
2532 for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) {
2533 const struct ip_conntrack_stat *st;
2534
2535 if (!cpu_possible(cpu))
2536 continue;
2537
2538 st = per_cpu_ptr(net->ct.stat, cpu);
2539 if (ctnetlink_ct_stat_cpu_fill_info(skb,
2540 NETLINK_CB(cb->skb).portid,
2541 cb->nlh->nlmsg_seq,
2542 cpu, st) < 0)
2543 break;
2544 }
2545 cb->args[0] = cpu;
2546
2547 return skb->len;
2548 }
2549
2550 static int ctnetlink_stat_ct_cpu(struct sk_buff *skb,
2551 const struct nfnl_info *info,
2552 const struct nlattr * const cda[])
2553 {
2554 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
2555 struct netlink_dump_control c = {
2556 .dump = ctnetlink_ct_stat_cpu_dump,
2557 };
2558 return netlink_dump_start(info->sk, skb, info->nlh, &c);
2559 }
2560
2561 return 0;
2562 }
2563
2564 static int
2565 ctnetlink_stat_ct_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
2566 struct net *net)
2567 {
2568 unsigned int flags = portid ? NLM_F_MULTI : 0, event;
2569 unsigned int nr_conntracks;
2570 struct nlmsghdr *nlh;
2571
2572 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, IPCTNL_MSG_CT_GET_STATS);
2573 nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC,
2574 NFNETLINK_V0, 0);
2575 if (!nlh)
2576 goto nlmsg_failure;
2577
2578 nr_conntracks = nf_conntrack_count(net);
2579 if (nla_put_be32(skb, CTA_STATS_GLOBAL_ENTRIES, htonl(nr_conntracks)))
2580 goto nla_put_failure;
2581
2582 if (nla_put_be32(skb, CTA_STATS_GLOBAL_MAX_ENTRIES, htonl(nf_conntrack_max)))
2583 goto nla_put_failure;
2584
2585 nlmsg_end(skb, nlh);
2586 return skb->len;
2587
2588 nla_put_failure:
2589 nlmsg_failure:
2590 nlmsg_cancel(skb, nlh);
2591 return -1;
2592 }
2593
2594 static int ctnetlink_stat_ct(struct sk_buff *skb, const struct nfnl_info *info,
2595 const struct nlattr * const cda[])
2596 {
2597 struct sk_buff *skb2;
2598 int err;
2599
2600 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2601 if (skb2 == NULL)
2602 return -ENOMEM;
2603
2604 err = ctnetlink_stat_ct_fill_info(skb2, NETLINK_CB(skb).portid,
2605 info->nlh->nlmsg_seq,
2606 NFNL_MSG_TYPE(info->nlh->nlmsg_type),
2607 sock_net(skb->sk));
2608 if (err <= 0) {
2609 kfree_skb(skb2);
2610 return -ENOMEM;
2611 }
2612
2613 return nfnetlink_unicast(skb2, info->net, NETLINK_CB(skb).portid);
2614 }
2615
2616 static const struct nla_policy exp_nla_policy[CTA_EXPECT_MAX+1] = {
2617 [CTA_EXPECT_MASTER] = { .type = NLA_NESTED },
2618 [CTA_EXPECT_TUPLE] = { .type = NLA_NESTED },
2619 [CTA_EXPECT_MASK] = { .type = NLA_NESTED },
2620 [CTA_EXPECT_TIMEOUT] = { .type = NLA_U32 },
2621 [CTA_EXPECT_ID] = { .type = NLA_U32 },
2622 [CTA_EXPECT_HELP_NAME] = { .type = NLA_NUL_STRING,
2623 .len = NF_CT_HELPER_NAME_LEN - 1 },
2624 [CTA_EXPECT_ZONE] = { .type = NLA_U16 },
2625 [CTA_EXPECT_FLAGS] = { .type = NLA_U32 },
2626 [CTA_EXPECT_CLASS] = { .type = NLA_U32 },
2627 [CTA_EXPECT_NAT] = { .type = NLA_NESTED },
2628 [CTA_EXPECT_FN] = { .type = NLA_NUL_STRING },
2629 };
2630
2631 static struct nf_conntrack_expect *
2632 ctnetlink_alloc_expect(const struct nlattr *const cda[], struct nf_conn *ct,
2633 struct nf_conntrack_helper *helper,
2634 struct nf_conntrack_tuple *tuple,
2635 struct nf_conntrack_tuple *mask);
2636
2637 #ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT
2638 static size_t
2639 ctnetlink_glue_build_size(const struct nf_conn *ct)
2640 {
2641 return 3 * nla_total_size(0)
2642 + 3 * nla_total_size(0)
2643 + 3 * nla_total_size(0)
2644 + 3 * nla_total_size(sizeof(u_int8_t))
2645 + nla_total_size(sizeof(u_int32_t))
2646 + nla_total_size(sizeof(u_int32_t))
2647 + nla_total_size(sizeof(u_int32_t))
2648 + nla_total_size(0)
2649 + nla_total_size(0)
2650 + nla_total_size(NF_CT_HELPER_NAME_LEN)
2651 + ctnetlink_secctx_size(ct)
2652 + ctnetlink_acct_size(ct)
2653 + ctnetlink_timestamp_size(ct)
2654 #if IS_ENABLED(CONFIG_NF_NAT)
2655 + 2 * nla_total_size(0)
2656 + 6 * nla_total_size(sizeof(u_int32_t))
2657 #endif
2658 #ifdef CONFIG_NF_CONNTRACK_MARK
2659 + nla_total_size(sizeof(u_int32_t))
2660 #endif
2661 #ifdef CONFIG_NF_CONNTRACK_ZONES
2662 + nla_total_size(sizeof(u_int16_t))
2663 #endif
2664 + ctnetlink_proto_size(ct)
2665 ;
2666 }
2667
2668 static int __ctnetlink_glue_build(struct sk_buff *skb, struct nf_conn *ct)
2669 {
2670 const struct nf_conntrack_zone *zone;
2671 struct nlattr *nest_parms;
2672
2673 zone = nf_ct_zone(ct);
2674
2675 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG);
2676 if (!nest_parms)
2677 goto nla_put_failure;
2678 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
2679 goto nla_put_failure;
2680 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
2681 NF_CT_ZONE_DIR_ORIG) < 0)
2682 goto nla_put_failure;
2683 nla_nest_end(skb, nest_parms);
2684
2685 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY);
2686 if (!nest_parms)
2687 goto nla_put_failure;
2688 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
2689 goto nla_put_failure;
2690 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
2691 NF_CT_ZONE_DIR_REPL) < 0)
2692 goto nla_put_failure;
2693 nla_nest_end(skb, nest_parms);
2694
2695 if (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone,
2696 NF_CT_DEFAULT_ZONE_DIR) < 0)
2697 goto nla_put_failure;
2698
2699 if (ctnetlink_dump_id(skb, ct) < 0)
2700 goto nla_put_failure;
2701
2702 if (ctnetlink_dump_status(skb, ct) < 0)
2703 goto nla_put_failure;
2704
2705 if (ctnetlink_dump_timeout(skb, ct, false) < 0)
2706 goto nla_put_failure;
2707
2708 if (ctnetlink_dump_protoinfo(skb, ct, false) < 0)
2709 goto nla_put_failure;
2710
2711 if (ctnetlink_dump_acct(skb, ct, IPCTNL_MSG_CT_GET) < 0 ||
2712 ctnetlink_dump_timestamp(skb, ct) < 0)
2713 goto nla_put_failure;
2714
2715 if (ctnetlink_dump_helpinfo(skb, ct) < 0)
2716 goto nla_put_failure;
2717
2718 #ifdef CONFIG_NF_CONNTRACK_SECMARK
2719 if (ct->secmark && ctnetlink_dump_secctx(skb, ct) < 0)
2720 goto nla_put_failure;
2721 #endif
2722 if (ct->master && ctnetlink_dump_master(skb, ct) < 0)
2723 goto nla_put_failure;
2724
2725 if ((ct->status & IPS_SEQ_ADJUST) &&
2726 ctnetlink_dump_ct_seq_adj(skb, ct) < 0)
2727 goto nla_put_failure;
2728
2729 if (ctnetlink_dump_ct_synproxy(skb, ct) < 0)
2730 goto nla_put_failure;
2731
2732 #ifdef CONFIG_NF_CONNTRACK_MARK
2733 if (ct->mark && ctnetlink_dump_mark(skb, ct) < 0)
2734 goto nla_put_failure;
2735 #endif
2736 if (ctnetlink_dump_labels(skb, ct) < 0)
2737 goto nla_put_failure;
2738 return 0;
2739
2740 nla_put_failure:
2741 return -ENOSPC;
2742 }
2743
2744 static int
2745 ctnetlink_glue_build(struct sk_buff *skb, struct nf_conn *ct,
2746 enum ip_conntrack_info ctinfo,
2747 u_int16_t ct_attr, u_int16_t ct_info_attr)
2748 {
2749 struct nlattr *nest_parms;
2750
2751 nest_parms = nla_nest_start(skb, ct_attr);
2752 if (!nest_parms)
2753 goto nla_put_failure;
2754
2755 if (__ctnetlink_glue_build(skb, ct) < 0)
2756 goto nla_put_failure;
2757
2758 nla_nest_end(skb, nest_parms);
2759
2760 if (nla_put_be32(skb, ct_info_attr, htonl(ctinfo)))
2761 goto nla_put_failure;
2762
2763 return 0;
2764
2765 nla_put_failure:
2766 return -ENOSPC;
2767 }
2768
2769 static int
2770 ctnetlink_update_status(struct nf_conn *ct, const struct nlattr * const cda[])
2771 {
2772 unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS]));
2773 unsigned long d = ct->status ^ status;
2774
2775 if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY))
2776
2777 return -EBUSY;
2778
2779 if (d & IPS_ASSURED && !(status & IPS_ASSURED))
2780
2781 return -EBUSY;
2782
2783
2784
2785
2786
2787
2788
2789 __nf_ct_change_status(ct, status, ~status);
2790 return 0;
2791 }
2792
2793 static int
2794 ctnetlink_glue_parse_ct(const struct nlattr *cda[], struct nf_conn *ct)
2795 {
2796 int err;
2797
2798 if (cda[CTA_TIMEOUT]) {
2799 err = ctnetlink_change_timeout(ct, cda);
2800 if (err < 0)
2801 return err;
2802 }
2803 if (cda[CTA_STATUS]) {
2804 err = ctnetlink_update_status(ct, cda);
2805 if (err < 0)
2806 return err;
2807 }
2808 if (cda[CTA_HELP]) {
2809 err = ctnetlink_change_helper(ct, cda);
2810 if (err < 0)
2811 return err;
2812 }
2813 if (cda[CTA_LABELS]) {
2814 err = ctnetlink_attach_labels(ct, cda);
2815 if (err < 0)
2816 return err;
2817 }
2818 #if defined(CONFIG_NF_CONNTRACK_MARK)
2819 if (cda[CTA_MARK]) {
2820 ctnetlink_change_mark(ct, cda);
2821 }
2822 #endif
2823 return 0;
2824 }
2825
2826 static int
2827 ctnetlink_glue_parse(const struct nlattr *attr, struct nf_conn *ct)
2828 {
2829 struct nlattr *cda[CTA_MAX+1];
2830 int ret;
2831
2832 ret = nla_parse_nested_deprecated(cda, CTA_MAX, attr, ct_nla_policy,
2833 NULL);
2834 if (ret < 0)
2835 return ret;
2836
2837 return ctnetlink_glue_parse_ct((const struct nlattr **)cda, ct);
2838 }
2839
2840 static int ctnetlink_glue_exp_parse(const struct nlattr * const *cda,
2841 const struct nf_conn *ct,
2842 struct nf_conntrack_tuple *tuple,
2843 struct nf_conntrack_tuple *mask)
2844 {
2845 int err;
2846
2847 err = ctnetlink_parse_tuple(cda, tuple, CTA_EXPECT_TUPLE,
2848 nf_ct_l3num(ct), NULL);
2849 if (err < 0)
2850 return err;
2851
2852 return ctnetlink_parse_tuple(cda, mask, CTA_EXPECT_MASK,
2853 nf_ct_l3num(ct), NULL);
2854 }
2855
2856 static int
2857 ctnetlink_glue_attach_expect(const struct nlattr *attr, struct nf_conn *ct,
2858 u32 portid, u32 report)
2859 {
2860 struct nlattr *cda[CTA_EXPECT_MAX+1];
2861 struct nf_conntrack_tuple tuple, mask;
2862 struct nf_conntrack_helper *helper = NULL;
2863 struct nf_conntrack_expect *exp;
2864 int err;
2865
2866 err = nla_parse_nested_deprecated(cda, CTA_EXPECT_MAX, attr,
2867 exp_nla_policy, NULL);
2868 if (err < 0)
2869 return err;
2870
2871 err = ctnetlink_glue_exp_parse((const struct nlattr * const *)cda,
2872 ct, &tuple, &mask);
2873 if (err < 0)
2874 return err;
2875
2876 if (cda[CTA_EXPECT_HELP_NAME]) {
2877 const char *helpname = nla_data(cda[CTA_EXPECT_HELP_NAME]);
2878
2879 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
2880 nf_ct_protonum(ct));
2881 if (helper == NULL)
2882 return -EOPNOTSUPP;
2883 }
2884
2885 exp = ctnetlink_alloc_expect((const struct nlattr * const *)cda, ct,
2886 helper, &tuple, &mask);
2887 if (IS_ERR(exp))
2888 return PTR_ERR(exp);
2889
2890 err = nf_ct_expect_related_report(exp, portid, report, 0);
2891 nf_ct_expect_put(exp);
2892 return err;
2893 }
2894
2895 static void ctnetlink_glue_seqadj(struct sk_buff *skb, struct nf_conn *ct,
2896 enum ip_conntrack_info ctinfo, int diff)
2897 {
2898 if (!(ct->status & IPS_NAT_MASK))
2899 return;
2900
2901 nf_ct_tcp_seqadj_set(skb, ct, ctinfo, diff);
2902 }
2903
2904 static const struct nfnl_ct_hook ctnetlink_glue_hook = {
2905 .build_size = ctnetlink_glue_build_size,
2906 .build = ctnetlink_glue_build,
2907 .parse = ctnetlink_glue_parse,
2908 .attach_expect = ctnetlink_glue_attach_expect,
2909 .seq_adjust = ctnetlink_glue_seqadj,
2910 };
2911 #endif
2912
2913
2914
2915
2916
2917 static int ctnetlink_exp_dump_tuple(struct sk_buff *skb,
2918 const struct nf_conntrack_tuple *tuple,
2919 u32 type)
2920 {
2921 struct nlattr *nest_parms;
2922
2923 nest_parms = nla_nest_start(skb, type);
2924 if (!nest_parms)
2925 goto nla_put_failure;
2926 if (ctnetlink_dump_tuples(skb, tuple) < 0)
2927 goto nla_put_failure;
2928 nla_nest_end(skb, nest_parms);
2929
2930 return 0;
2931
2932 nla_put_failure:
2933 return -1;
2934 }
2935
2936 static int ctnetlink_exp_dump_mask(struct sk_buff *skb,
2937 const struct nf_conntrack_tuple *tuple,
2938 const struct nf_conntrack_tuple_mask *mask)
2939 {
2940 const struct nf_conntrack_l4proto *l4proto;
2941 struct nf_conntrack_tuple m;
2942 struct nlattr *nest_parms;
2943 int ret;
2944
2945 memset(&m, 0xFF, sizeof(m));
2946 memcpy(&m.src.u3, &mask->src.u3, sizeof(m.src.u3));
2947 m.src.u.all = mask->src.u.all;
2948 m.src.l3num = tuple->src.l3num;
2949 m.dst.protonum = tuple->dst.protonum;
2950
2951 nest_parms = nla_nest_start(skb, CTA_EXPECT_MASK);
2952 if (!nest_parms)
2953 goto nla_put_failure;
2954
2955 rcu_read_lock();
2956 ret = ctnetlink_dump_tuples_ip(skb, &m);
2957 if (ret >= 0) {
2958 l4proto = nf_ct_l4proto_find(tuple->dst.protonum);
2959 ret = ctnetlink_dump_tuples_proto(skb, &m, l4proto);
2960 }
2961 rcu_read_unlock();
2962
2963 if (unlikely(ret < 0))
2964 goto nla_put_failure;
2965
2966 nla_nest_end(skb, nest_parms);
2967
2968 return 0;
2969
2970 nla_put_failure:
2971 return -1;
2972 }
2973
2974 static const union nf_inet_addr any_addr;
2975
2976 static __be32 nf_expect_get_id(const struct nf_conntrack_expect *exp)
2977 {
2978 static siphash_aligned_key_t exp_id_seed;
2979 unsigned long a, b, c, d;
2980
2981 net_get_random_once(&exp_id_seed, sizeof(exp_id_seed));
2982
2983 a = (unsigned long)exp;
2984 b = (unsigned long)exp->helper;
2985 c = (unsigned long)exp->master;
2986 d = (unsigned long)siphash(&exp->tuple, sizeof(exp->tuple), &exp_id_seed);
2987
2988 #ifdef CONFIG_64BIT
2989 return (__force __be32)siphash_4u64((u64)a, (u64)b, (u64)c, (u64)d, &exp_id_seed);
2990 #else
2991 return (__force __be32)siphash_4u32((u32)a, (u32)b, (u32)c, (u32)d, &exp_id_seed);
2992 #endif
2993 }
2994
2995 static int
2996 ctnetlink_exp_dump_expect(struct sk_buff *skb,
2997 const struct nf_conntrack_expect *exp)
2998 {
2999 struct nf_conn *master = exp->master;
3000 long timeout = ((long)exp->timeout.expires - (long)jiffies) / HZ;
3001 struct nf_conn_help *help;
3002 #if IS_ENABLED(CONFIG_NF_NAT)
3003 struct nlattr *nest_parms;
3004 struct nf_conntrack_tuple nat_tuple = {};
3005 #endif
3006 struct nf_ct_helper_expectfn *expfn;
3007
3008 if (timeout < 0)
3009 timeout = 0;
3010
3011 if (ctnetlink_exp_dump_tuple(skb, &exp->tuple, CTA_EXPECT_TUPLE) < 0)
3012 goto nla_put_failure;
3013 if (ctnetlink_exp_dump_mask(skb, &exp->tuple, &exp->mask) < 0)
3014 goto nla_put_failure;
3015 if (ctnetlink_exp_dump_tuple(skb,
3016 &master->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
3017 CTA_EXPECT_MASTER) < 0)
3018 goto nla_put_failure;
3019
3020 #if IS_ENABLED(CONFIG_NF_NAT)
3021 if (!nf_inet_addr_cmp(&exp->saved_addr, &any_addr) ||
3022 exp->saved_proto.all) {
3023 nest_parms = nla_nest_start(skb, CTA_EXPECT_NAT);
3024 if (!nest_parms)
3025 goto nla_put_failure;
3026
3027 if (nla_put_be32(skb, CTA_EXPECT_NAT_DIR, htonl(exp->dir)))
3028 goto nla_put_failure;
3029
3030 nat_tuple.src.l3num = nf_ct_l3num(master);
3031 nat_tuple.src.u3 = exp->saved_addr;
3032 nat_tuple.dst.protonum = nf_ct_protonum(master);
3033 nat_tuple.src.u = exp->saved_proto;
3034
3035 if (ctnetlink_exp_dump_tuple(skb, &nat_tuple,
3036 CTA_EXPECT_NAT_TUPLE) < 0)
3037 goto nla_put_failure;
3038 nla_nest_end(skb, nest_parms);
3039 }
3040 #endif
3041 if (nla_put_be32(skb, CTA_EXPECT_TIMEOUT, htonl(timeout)) ||
3042 nla_put_be32(skb, CTA_EXPECT_ID, nf_expect_get_id(exp)) ||
3043 nla_put_be32(skb, CTA_EXPECT_FLAGS, htonl(exp->flags)) ||
3044 nla_put_be32(skb, CTA_EXPECT_CLASS, htonl(exp->class)))
3045 goto nla_put_failure;
3046 help = nfct_help(master);
3047 if (help) {
3048 struct nf_conntrack_helper *helper;
3049
3050 helper = rcu_dereference(help->helper);
3051 if (helper &&
3052 nla_put_string(skb, CTA_EXPECT_HELP_NAME, helper->name))
3053 goto nla_put_failure;
3054 }
3055 expfn = nf_ct_helper_expectfn_find_by_symbol(exp->expectfn);
3056 if (expfn != NULL &&
3057 nla_put_string(skb, CTA_EXPECT_FN, expfn->name))
3058 goto nla_put_failure;
3059
3060 return 0;
3061
3062 nla_put_failure:
3063 return -1;
3064 }
3065
3066 static int
3067 ctnetlink_exp_fill_info(struct sk_buff *skb, u32 portid, u32 seq,
3068 int event, const struct nf_conntrack_expect *exp)
3069 {
3070 struct nlmsghdr *nlh;
3071 unsigned int flags = portid ? NLM_F_MULTI : 0;
3072
3073 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_EXP, event);
3074 nlh = nfnl_msg_put(skb, portid, seq, event, flags,
3075 exp->tuple.src.l3num, NFNETLINK_V0, 0);
3076 if (!nlh)
3077 goto nlmsg_failure;
3078
3079 if (ctnetlink_exp_dump_expect(skb, exp) < 0)
3080 goto nla_put_failure;
3081
3082 nlmsg_end(skb, nlh);
3083 return skb->len;
3084
3085 nlmsg_failure:
3086 nla_put_failure:
3087 nlmsg_cancel(skb, nlh);
3088 return -1;
3089 }
3090
3091 #ifdef CONFIG_NF_CONNTRACK_EVENTS
3092 static int
3093 ctnetlink_expect_event(unsigned int events, const struct nf_exp_event *item)
3094 {
3095 struct nf_conntrack_expect *exp = item->exp;
3096 struct net *net = nf_ct_exp_net(exp);
3097 struct nlmsghdr *nlh;
3098 struct sk_buff *skb;
3099 unsigned int type, group;
3100 int flags = 0;
3101
3102 if (events & (1 << IPEXP_DESTROY)) {
3103 type = IPCTNL_MSG_EXP_DELETE;
3104 group = NFNLGRP_CONNTRACK_EXP_DESTROY;
3105 } else if (events & (1 << IPEXP_NEW)) {
3106 type = IPCTNL_MSG_EXP_NEW;
3107 flags = NLM_F_CREATE|NLM_F_EXCL;
3108 group = NFNLGRP_CONNTRACK_EXP_NEW;
3109 } else
3110 return 0;
3111
3112 if (!item->report && !nfnetlink_has_listeners(net, group))
3113 return 0;
3114
3115 skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
3116 if (skb == NULL)
3117 goto errout;
3118
3119 type = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_EXP, type);
3120 nlh = nfnl_msg_put(skb, item->portid, 0, type, flags,
3121 exp->tuple.src.l3num, NFNETLINK_V0, 0);
3122 if (!nlh)
3123 goto nlmsg_failure;
3124
3125 if (ctnetlink_exp_dump_expect(skb, exp) < 0)
3126 goto nla_put_failure;
3127
3128 nlmsg_end(skb, nlh);
3129 nfnetlink_send(skb, net, item->portid, group, item->report, GFP_ATOMIC);
3130 return 0;
3131
3132 nla_put_failure:
3133 nlmsg_cancel(skb, nlh);
3134 nlmsg_failure:
3135 kfree_skb(skb);
3136 errout:
3137 nfnetlink_set_err(net, 0, 0, -ENOBUFS);
3138 return 0;
3139 }
3140 #endif
3141 static int ctnetlink_exp_done(struct netlink_callback *cb)
3142 {
3143 if (cb->args[1])
3144 nf_ct_expect_put((struct nf_conntrack_expect *)cb->args[1]);
3145 return 0;
3146 }
3147
3148 static int
3149 ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
3150 {
3151 struct net *net = sock_net(skb->sk);
3152 struct nf_conntrack_expect *exp, *last;
3153 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
3154 u_int8_t l3proto = nfmsg->nfgen_family;
3155
3156 rcu_read_lock();
3157 last = (struct nf_conntrack_expect *)cb->args[1];
3158 for (; cb->args[0] < nf_ct_expect_hsize; cb->args[0]++) {
3159 restart:
3160 hlist_for_each_entry_rcu(exp, &nf_ct_expect_hash[cb->args[0]],
3161 hnode) {
3162 if (l3proto && exp->tuple.src.l3num != l3proto)
3163 continue;
3164
3165 if (!net_eq(nf_ct_net(exp->master), net))
3166 continue;
3167
3168 if (cb->args[1]) {
3169 if (exp != last)
3170 continue;
3171 cb->args[1] = 0;
3172 }
3173 if (ctnetlink_exp_fill_info(skb,
3174 NETLINK_CB(cb->skb).portid,
3175 cb->nlh->nlmsg_seq,
3176 IPCTNL_MSG_EXP_NEW,
3177 exp) < 0) {
3178 if (!refcount_inc_not_zero(&exp->use))
3179 continue;
3180 cb->args[1] = (unsigned long)exp;
3181 goto out;
3182 }
3183 }
3184 if (cb->args[1]) {
3185 cb->args[1] = 0;
3186 goto restart;
3187 }
3188 }
3189 out:
3190 rcu_read_unlock();
3191 if (last)
3192 nf_ct_expect_put(last);
3193
3194 return skb->len;
3195 }
3196
3197 static int
3198 ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
3199 {
3200 struct nf_conntrack_expect *exp, *last;
3201 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
3202 struct nf_conn *ct = cb->data;
3203 struct nf_conn_help *help = nfct_help(ct);
3204 u_int8_t l3proto = nfmsg->nfgen_family;
3205
3206 if (cb->args[0])
3207 return 0;
3208
3209 rcu_read_lock();
3210 last = (struct nf_conntrack_expect *)cb->args[1];
3211 restart:
3212 hlist_for_each_entry_rcu(exp, &help->expectations, lnode) {
3213 if (l3proto && exp->tuple.src.l3num != l3proto)
3214 continue;
3215 if (cb->args[1]) {
3216 if (exp != last)
3217 continue;
3218 cb->args[1] = 0;
3219 }
3220 if (ctnetlink_exp_fill_info(skb, NETLINK_CB(cb->skb).portid,
3221 cb->nlh->nlmsg_seq,
3222 IPCTNL_MSG_EXP_NEW,
3223 exp) < 0) {
3224 if (!refcount_inc_not_zero(&exp->use))
3225 continue;
3226 cb->args[1] = (unsigned long)exp;
3227 goto out;
3228 }
3229 }
3230 if (cb->args[1]) {
3231 cb->args[1] = 0;
3232 goto restart;
3233 }
3234 cb->args[0] = 1;
3235 out:
3236 rcu_read_unlock();
3237 if (last)
3238 nf_ct_expect_put(last);
3239
3240 return skb->len;
3241 }
3242
3243 static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl,
3244 struct sk_buff *skb,
3245 const struct nlmsghdr *nlh,
3246 const struct nlattr * const cda[],
3247 struct netlink_ext_ack *extack)
3248 {
3249 int err;
3250 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3251 u_int8_t u3 = nfmsg->nfgen_family;
3252 struct nf_conntrack_tuple tuple;
3253 struct nf_conntrack_tuple_hash *h;
3254 struct nf_conn *ct;
3255 struct nf_conntrack_zone zone;
3256 struct netlink_dump_control c = {
3257 .dump = ctnetlink_exp_ct_dump_table,
3258 .done = ctnetlink_exp_done,
3259 };
3260
3261 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER,
3262 u3, NULL);
3263 if (err < 0)
3264 return err;
3265
3266 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
3267 if (err < 0)
3268 return err;
3269
3270 h = nf_conntrack_find_get(net, &zone, &tuple);
3271 if (!h)
3272 return -ENOENT;
3273
3274 ct = nf_ct_tuplehash_to_ctrack(h);
3275
3276 if (!nfct_help(ct)) {
3277 nf_ct_put(ct);
3278 return 0;
3279 }
3280
3281 c.data = ct;
3282
3283 err = netlink_dump_start(ctnl, skb, nlh, &c);
3284 nf_ct_put(ct);
3285
3286 return err;
3287 }
3288
3289 static int ctnetlink_get_expect(struct sk_buff *skb,
3290 const struct nfnl_info *info,
3291 const struct nlattr * const cda[])
3292 {
3293 u_int8_t u3 = info->nfmsg->nfgen_family;
3294 struct nf_conntrack_tuple tuple;
3295 struct nf_conntrack_expect *exp;
3296 struct nf_conntrack_zone zone;
3297 struct sk_buff *skb2;
3298 int err;
3299
3300 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
3301 if (cda[CTA_EXPECT_MASTER])
3302 return ctnetlink_dump_exp_ct(info->net, info->sk, skb,
3303 info->nlh, cda,
3304 info->extack);
3305 else {
3306 struct netlink_dump_control c = {
3307 .dump = ctnetlink_exp_dump_table,
3308 .done = ctnetlink_exp_done,
3309 };
3310 return netlink_dump_start(info->sk, skb, info->nlh, &c);
3311 }
3312 }
3313
3314 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
3315 if (err < 0)
3316 return err;
3317
3318 if (cda[CTA_EXPECT_TUPLE])
3319 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE,
3320 u3, NULL);
3321 else if (cda[CTA_EXPECT_MASTER])
3322 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER,
3323 u3, NULL);
3324 else
3325 return -EINVAL;
3326
3327 if (err < 0)
3328 return err;
3329
3330 exp = nf_ct_expect_find_get(info->net, &zone, &tuple);
3331 if (!exp)
3332 return -ENOENT;
3333
3334 if (cda[CTA_EXPECT_ID]) {
3335 __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);
3336
3337 if (id != nf_expect_get_id(exp)) {
3338 nf_ct_expect_put(exp);
3339 return -ENOENT;
3340 }
3341 }
3342
3343 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3344 if (!skb2) {
3345 nf_ct_expect_put(exp);
3346 return -ENOMEM;
3347 }
3348
3349 rcu_read_lock();
3350 err = ctnetlink_exp_fill_info(skb2, NETLINK_CB(skb).portid,
3351 info->nlh->nlmsg_seq, IPCTNL_MSG_EXP_NEW,
3352 exp);
3353 rcu_read_unlock();
3354 nf_ct_expect_put(exp);
3355 if (err <= 0) {
3356 kfree_skb(skb2);
3357 return -ENOMEM;
3358 }
3359
3360 return nfnetlink_unicast(skb2, info->net, NETLINK_CB(skb).portid);
3361 }
3362
3363 static bool expect_iter_name(struct nf_conntrack_expect *exp, void *data)
3364 {
3365 struct nf_conntrack_helper *helper;
3366 const struct nf_conn_help *m_help;
3367 const char *name = data;
3368
3369 m_help = nfct_help(exp->master);
3370
3371 helper = rcu_dereference(m_help->helper);
3372 if (!helper)
3373 return false;
3374
3375 return strcmp(helper->name, name) == 0;
3376 }
3377
3378 static bool expect_iter_all(struct nf_conntrack_expect *exp, void *data)
3379 {
3380 return true;
3381 }
3382
3383 static int ctnetlink_del_expect(struct sk_buff *skb,
3384 const struct nfnl_info *info,
3385 const struct nlattr * const cda[])
3386 {
3387 u_int8_t u3 = info->nfmsg->nfgen_family;
3388 struct nf_conntrack_expect *exp;
3389 struct nf_conntrack_tuple tuple;
3390 struct nf_conntrack_zone zone;
3391 int err;
3392
3393 if (cda[CTA_EXPECT_TUPLE]) {
3394
3395 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
3396 if (err < 0)
3397 return err;
3398
3399 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE,
3400 u3, NULL);
3401 if (err < 0)
3402 return err;
3403
3404
3405 exp = nf_ct_expect_find_get(info->net, &zone, &tuple);
3406 if (!exp)
3407 return -ENOENT;
3408
3409 if (cda[CTA_EXPECT_ID]) {
3410 __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);
3411 if (ntohl(id) != (u32)(unsigned long)exp) {
3412 nf_ct_expect_put(exp);
3413 return -ENOENT;
3414 }
3415 }
3416
3417
3418 spin_lock_bh(&nf_conntrack_expect_lock);
3419 if (del_timer(&exp->timeout)) {
3420 nf_ct_unlink_expect_report(exp, NETLINK_CB(skb).portid,
3421 nlmsg_report(info->nlh));
3422 nf_ct_expect_put(exp);
3423 }
3424 spin_unlock_bh(&nf_conntrack_expect_lock);
3425
3426
3427 nf_ct_expect_put(exp);
3428 } else if (cda[CTA_EXPECT_HELP_NAME]) {
3429 char *name = nla_data(cda[CTA_EXPECT_HELP_NAME]);
3430
3431 nf_ct_expect_iterate_net(info->net, expect_iter_name, name,
3432 NETLINK_CB(skb).portid,
3433 nlmsg_report(info->nlh));
3434 } else {
3435
3436 nf_ct_expect_iterate_net(info->net, expect_iter_all, NULL,
3437 NETLINK_CB(skb).portid,
3438 nlmsg_report(info->nlh));
3439 }
3440
3441 return 0;
3442 }
3443 static int
3444 ctnetlink_change_expect(struct nf_conntrack_expect *x,
3445 const struct nlattr * const cda[])
3446 {
3447 if (cda[CTA_EXPECT_TIMEOUT]) {
3448 if (!del_timer(&x->timeout))
3449 return -ETIME;
3450
3451 x->timeout.expires = jiffies +
3452 ntohl(nla_get_be32(cda[CTA_EXPECT_TIMEOUT])) * HZ;
3453 add_timer(&x->timeout);
3454 }
3455 return 0;
3456 }
3457
3458 static const struct nla_policy exp_nat_nla_policy[CTA_EXPECT_NAT_MAX+1] = {
3459 [CTA_EXPECT_NAT_DIR] = { .type = NLA_U32 },
3460 [CTA_EXPECT_NAT_TUPLE] = { .type = NLA_NESTED },
3461 };
3462
3463 static int
3464 ctnetlink_parse_expect_nat(const struct nlattr *attr,
3465 struct nf_conntrack_expect *exp,
3466 u_int8_t u3)
3467 {
3468 #if IS_ENABLED(CONFIG_NF_NAT)
3469 struct nlattr *tb[CTA_EXPECT_NAT_MAX+1];
3470 struct nf_conntrack_tuple nat_tuple = {};
3471 int err;
3472
3473 err = nla_parse_nested_deprecated(tb, CTA_EXPECT_NAT_MAX, attr,
3474 exp_nat_nla_policy, NULL);
3475 if (err < 0)
3476 return err;
3477
3478 if (!tb[CTA_EXPECT_NAT_DIR] || !tb[CTA_EXPECT_NAT_TUPLE])
3479 return -EINVAL;
3480
3481 err = ctnetlink_parse_tuple((const struct nlattr * const *)tb,
3482 &nat_tuple, CTA_EXPECT_NAT_TUPLE,
3483 u3, NULL);
3484 if (err < 0)
3485 return err;
3486
3487 exp->saved_addr = nat_tuple.src.u3;
3488 exp->saved_proto = nat_tuple.src.u;
3489 exp->dir = ntohl(nla_get_be32(tb[CTA_EXPECT_NAT_DIR]));
3490
3491 return 0;
3492 #else
3493 return -EOPNOTSUPP;
3494 #endif
3495 }
3496
3497 static struct nf_conntrack_expect *
3498 ctnetlink_alloc_expect(const struct nlattr * const cda[], struct nf_conn *ct,
3499 struct nf_conntrack_helper *helper,
3500 struct nf_conntrack_tuple *tuple,
3501 struct nf_conntrack_tuple *mask)
3502 {
3503 u_int32_t class = 0;
3504 struct nf_conntrack_expect *exp;
3505 struct nf_conn_help *help;
3506 int err;
3507
3508 help = nfct_help(ct);
3509 if (!help)
3510 return ERR_PTR(-EOPNOTSUPP);
3511
3512 if (cda[CTA_EXPECT_CLASS] && helper) {
3513 class = ntohl(nla_get_be32(cda[CTA_EXPECT_CLASS]));
3514 if (class > helper->expect_class_max)
3515 return ERR_PTR(-EINVAL);
3516 }
3517 exp = nf_ct_expect_alloc(ct);
3518 if (!exp)
3519 return ERR_PTR(-ENOMEM);
3520
3521 if (cda[CTA_EXPECT_FLAGS]) {
3522 exp->flags = ntohl(nla_get_be32(cda[CTA_EXPECT_FLAGS]));
3523 exp->flags &= ~NF_CT_EXPECT_USERSPACE;
3524 } else {
3525 exp->flags = 0;
3526 }
3527 if (cda[CTA_EXPECT_FN]) {
3528 const char *name = nla_data(cda[CTA_EXPECT_FN]);
3529 struct nf_ct_helper_expectfn *expfn;
3530
3531 expfn = nf_ct_helper_expectfn_find_by_name(name);
3532 if (expfn == NULL) {
3533 err = -EINVAL;
3534 goto err_out;
3535 }
3536 exp->expectfn = expfn->expectfn;
3537 } else
3538 exp->expectfn = NULL;
3539
3540 exp->class = class;
3541 exp->master = ct;
3542 exp->helper = helper;
3543 exp->tuple = *tuple;
3544 exp->mask.src.u3 = mask->src.u3;
3545 exp->mask.src.u.all = mask->src.u.all;
3546
3547 if (cda[CTA_EXPECT_NAT]) {
3548 err = ctnetlink_parse_expect_nat(cda[CTA_EXPECT_NAT],
3549 exp, nf_ct_l3num(ct));
3550 if (err < 0)
3551 goto err_out;
3552 }
3553 return exp;
3554 err_out:
3555 nf_ct_expect_put(exp);
3556 return ERR_PTR(err);
3557 }
3558
3559 static int
3560 ctnetlink_create_expect(struct net *net,
3561 const struct nf_conntrack_zone *zone,
3562 const struct nlattr * const cda[],
3563 u_int8_t u3, u32 portid, int report)
3564 {
3565 struct nf_conntrack_tuple tuple, mask, master_tuple;
3566 struct nf_conntrack_tuple_hash *h = NULL;
3567 struct nf_conntrack_helper *helper = NULL;
3568 struct nf_conntrack_expect *exp;
3569 struct nf_conn *ct;
3570 int err;
3571
3572
3573 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE,
3574 u3, NULL);
3575 if (err < 0)
3576 return err;
3577 err = ctnetlink_parse_tuple(cda, &mask, CTA_EXPECT_MASK,
3578 u3, NULL);
3579 if (err < 0)
3580 return err;
3581 err = ctnetlink_parse_tuple(cda, &master_tuple, CTA_EXPECT_MASTER,
3582 u3, NULL);
3583 if (err < 0)
3584 return err;
3585
3586
3587 h = nf_conntrack_find_get(net, zone, &master_tuple);
3588 if (!h)
3589 return -ENOENT;
3590 ct = nf_ct_tuplehash_to_ctrack(h);
3591
3592 rcu_read_lock();
3593 if (cda[CTA_EXPECT_HELP_NAME]) {
3594 const char *helpname = nla_data(cda[CTA_EXPECT_HELP_NAME]);
3595
3596 helper = __nf_conntrack_helper_find(helpname, u3,
3597 nf_ct_protonum(ct));
3598 if (helper == NULL) {
3599 rcu_read_unlock();
3600 #ifdef CONFIG_MODULES
3601 if (request_module("nfct-helper-%s", helpname) < 0) {
3602 err = -EOPNOTSUPP;
3603 goto err_ct;
3604 }
3605 rcu_read_lock();
3606 helper = __nf_conntrack_helper_find(helpname, u3,
3607 nf_ct_protonum(ct));
3608 if (helper) {
3609 err = -EAGAIN;
3610 goto err_rcu;
3611 }
3612 rcu_read_unlock();
3613 #endif
3614 err = -EOPNOTSUPP;
3615 goto err_ct;
3616 }
3617 }
3618
3619 exp = ctnetlink_alloc_expect(cda, ct, helper, &tuple, &mask);
3620 if (IS_ERR(exp)) {
3621 err = PTR_ERR(exp);
3622 goto err_rcu;
3623 }
3624
3625 err = nf_ct_expect_related_report(exp, portid, report, 0);
3626 nf_ct_expect_put(exp);
3627 err_rcu:
3628 rcu_read_unlock();
3629 err_ct:
3630 nf_ct_put(ct);
3631 return err;
3632 }
3633
3634 static int ctnetlink_new_expect(struct sk_buff *skb,
3635 const struct nfnl_info *info,
3636 const struct nlattr * const cda[])
3637 {
3638 u_int8_t u3 = info->nfmsg->nfgen_family;
3639 struct nf_conntrack_tuple tuple;
3640 struct nf_conntrack_expect *exp;
3641 struct nf_conntrack_zone zone;
3642 int err;
3643
3644 if (!cda[CTA_EXPECT_TUPLE]
3645 || !cda[CTA_EXPECT_MASK]
3646 || !cda[CTA_EXPECT_MASTER])
3647 return -EINVAL;
3648
3649 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
3650 if (err < 0)
3651 return err;
3652
3653 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE,
3654 u3, NULL);
3655 if (err < 0)
3656 return err;
3657
3658 spin_lock_bh(&nf_conntrack_expect_lock);
3659 exp = __nf_ct_expect_find(info->net, &zone, &tuple);
3660 if (!exp) {
3661 spin_unlock_bh(&nf_conntrack_expect_lock);
3662 err = -ENOENT;
3663 if (info->nlh->nlmsg_flags & NLM_F_CREATE) {
3664 err = ctnetlink_create_expect(info->net, &zone, cda, u3,
3665 NETLINK_CB(skb).portid,
3666 nlmsg_report(info->nlh));
3667 }
3668 return err;
3669 }
3670
3671 err = -EEXIST;
3672 if (!(info->nlh->nlmsg_flags & NLM_F_EXCL))
3673 err = ctnetlink_change_expect(exp, cda);
3674 spin_unlock_bh(&nf_conntrack_expect_lock);
3675
3676 return err;
3677 }
3678
3679 static int
3680 ctnetlink_exp_stat_fill_info(struct sk_buff *skb, u32 portid, u32 seq, int cpu,
3681 const struct ip_conntrack_stat *st)
3682 {
3683 struct nlmsghdr *nlh;
3684 unsigned int flags = portid ? NLM_F_MULTI : 0, event;
3685
3686 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK,
3687 IPCTNL_MSG_EXP_GET_STATS_CPU);
3688 nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC,
3689 NFNETLINK_V0, htons(cpu));
3690 if (!nlh)
3691 goto nlmsg_failure;
3692
3693 if (nla_put_be32(skb, CTA_STATS_EXP_NEW, htonl(st->expect_new)) ||
3694 nla_put_be32(skb, CTA_STATS_EXP_CREATE, htonl(st->expect_create)) ||
3695 nla_put_be32(skb, CTA_STATS_EXP_DELETE, htonl(st->expect_delete)))
3696 goto nla_put_failure;
3697
3698 nlmsg_end(skb, nlh);
3699 return skb->len;
3700
3701 nla_put_failure:
3702 nlmsg_failure:
3703 nlmsg_cancel(skb, nlh);
3704 return -1;
3705 }
3706
3707 static int
3708 ctnetlink_exp_stat_cpu_dump(struct sk_buff *skb, struct netlink_callback *cb)
3709 {
3710 int cpu;
3711 struct net *net = sock_net(skb->sk);
3712
3713 if (cb->args[0] == nr_cpu_ids)
3714 return 0;
3715
3716 for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) {
3717 const struct ip_conntrack_stat *st;
3718
3719 if (!cpu_possible(cpu))
3720 continue;
3721
3722 st = per_cpu_ptr(net->ct.stat, cpu);
3723 if (ctnetlink_exp_stat_fill_info(skb, NETLINK_CB(cb->skb).portid,
3724 cb->nlh->nlmsg_seq,
3725 cpu, st) < 0)
3726 break;
3727 }
3728 cb->args[0] = cpu;
3729
3730 return skb->len;
3731 }
3732
3733 static int ctnetlink_stat_exp_cpu(struct sk_buff *skb,
3734 const struct nfnl_info *info,
3735 const struct nlattr * const cda[])
3736 {
3737 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
3738 struct netlink_dump_control c = {
3739 .dump = ctnetlink_exp_stat_cpu_dump,
3740 };
3741 return netlink_dump_start(info->sk, skb, info->nlh, &c);
3742 }
3743
3744 return 0;
3745 }
3746
3747 #ifdef CONFIG_NF_CONNTRACK_EVENTS
3748 static struct nf_ct_event_notifier ctnl_notifier = {
3749 .ct_event = ctnetlink_conntrack_event,
3750 .exp_event = ctnetlink_expect_event,
3751 };
3752 #endif
3753
3754 static const struct nfnl_callback ctnl_cb[IPCTNL_MSG_MAX] = {
3755 [IPCTNL_MSG_CT_NEW] = {
3756 .call = ctnetlink_new_conntrack,
3757 .type = NFNL_CB_MUTEX,
3758 .attr_count = CTA_MAX,
3759 .policy = ct_nla_policy
3760 },
3761 [IPCTNL_MSG_CT_GET] = {
3762 .call = ctnetlink_get_conntrack,
3763 .type = NFNL_CB_MUTEX,
3764 .attr_count = CTA_MAX,
3765 .policy = ct_nla_policy
3766 },
3767 [IPCTNL_MSG_CT_DELETE] = {
3768 .call = ctnetlink_del_conntrack,
3769 .type = NFNL_CB_MUTEX,
3770 .attr_count = CTA_MAX,
3771 .policy = ct_nla_policy
3772 },
3773 [IPCTNL_MSG_CT_GET_CTRZERO] = {
3774 .call = ctnetlink_get_conntrack,
3775 .type = NFNL_CB_MUTEX,
3776 .attr_count = CTA_MAX,
3777 .policy = ct_nla_policy
3778 },
3779 [IPCTNL_MSG_CT_GET_STATS_CPU] = {
3780 .call = ctnetlink_stat_ct_cpu,
3781 .type = NFNL_CB_MUTEX,
3782 },
3783 [IPCTNL_MSG_CT_GET_STATS] = {
3784 .call = ctnetlink_stat_ct,
3785 .type = NFNL_CB_MUTEX,
3786 },
3787 [IPCTNL_MSG_CT_GET_DYING] = {
3788 .call = ctnetlink_get_ct_dying,
3789 .type = NFNL_CB_MUTEX,
3790 },
3791 [IPCTNL_MSG_CT_GET_UNCONFIRMED] = {
3792 .call = ctnetlink_get_ct_unconfirmed,
3793 .type = NFNL_CB_MUTEX,
3794 },
3795 };
3796
3797 static const struct nfnl_callback ctnl_exp_cb[IPCTNL_MSG_EXP_MAX] = {
3798 [IPCTNL_MSG_EXP_GET] = {
3799 .call = ctnetlink_get_expect,
3800 .type = NFNL_CB_MUTEX,
3801 .attr_count = CTA_EXPECT_MAX,
3802 .policy = exp_nla_policy
3803 },
3804 [IPCTNL_MSG_EXP_NEW] = {
3805 .call = ctnetlink_new_expect,
3806 .type = NFNL_CB_MUTEX,
3807 .attr_count = CTA_EXPECT_MAX,
3808 .policy = exp_nla_policy
3809 },
3810 [IPCTNL_MSG_EXP_DELETE] = {
3811 .call = ctnetlink_del_expect,
3812 .type = NFNL_CB_MUTEX,
3813 .attr_count = CTA_EXPECT_MAX,
3814 .policy = exp_nla_policy
3815 },
3816 [IPCTNL_MSG_EXP_GET_STATS_CPU] = {
3817 .call = ctnetlink_stat_exp_cpu,
3818 .type = NFNL_CB_MUTEX,
3819 },
3820 };
3821
3822 static const struct nfnetlink_subsystem ctnl_subsys = {
3823 .name = "conntrack",
3824 .subsys_id = NFNL_SUBSYS_CTNETLINK,
3825 .cb_count = IPCTNL_MSG_MAX,
3826 .cb = ctnl_cb,
3827 };
3828
3829 static const struct nfnetlink_subsystem ctnl_exp_subsys = {
3830 .name = "conntrack_expect",
3831 .subsys_id = NFNL_SUBSYS_CTNETLINK_EXP,
3832 .cb_count = IPCTNL_MSG_EXP_MAX,
3833 .cb = ctnl_exp_cb,
3834 };
3835
3836 MODULE_ALIAS("ip_conntrack_netlink");
3837 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK);
3838 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK_EXP);
3839
3840 static int __net_init ctnetlink_net_init(struct net *net)
3841 {
3842 #ifdef CONFIG_NF_CONNTRACK_EVENTS
3843 nf_conntrack_register_notifier(net, &ctnl_notifier);
3844 #endif
3845 return 0;
3846 }
3847
3848 static void ctnetlink_net_pre_exit(struct net *net)
3849 {
3850 #ifdef CONFIG_NF_CONNTRACK_EVENTS
3851 nf_conntrack_unregister_notifier(net);
3852 #endif
3853 }
3854
3855 static struct pernet_operations ctnetlink_net_ops = {
3856 .init = ctnetlink_net_init,
3857 .pre_exit = ctnetlink_net_pre_exit,
3858 };
3859
3860 static int __init ctnetlink_init(void)
3861 {
3862 int ret;
3863
3864 BUILD_BUG_ON(sizeof(struct ctnetlink_list_dump_ctx) > sizeof_field(struct netlink_callback, ctx));
3865
3866 ret = nfnetlink_subsys_register(&ctnl_subsys);
3867 if (ret < 0) {
3868 pr_err("ctnetlink_init: cannot register with nfnetlink.\n");
3869 goto err_out;
3870 }
3871
3872 ret = nfnetlink_subsys_register(&ctnl_exp_subsys);
3873 if (ret < 0) {
3874 pr_err("ctnetlink_init: cannot register exp with nfnetlink.\n");
3875 goto err_unreg_subsys;
3876 }
3877
3878 ret = register_pernet_subsys(&ctnetlink_net_ops);
3879 if (ret < 0) {
3880 pr_err("ctnetlink_init: cannot register pernet operations\n");
3881 goto err_unreg_exp_subsys;
3882 }
3883 #ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT
3884
3885 RCU_INIT_POINTER(nfnl_ct_hook, &ctnetlink_glue_hook);
3886 #endif
3887 return 0;
3888
3889 err_unreg_exp_subsys:
3890 nfnetlink_subsys_unregister(&ctnl_exp_subsys);
3891 err_unreg_subsys:
3892 nfnetlink_subsys_unregister(&ctnl_subsys);
3893 err_out:
3894 return ret;
3895 }
3896
3897 static void __exit ctnetlink_exit(void)
3898 {
3899 unregister_pernet_subsys(&ctnetlink_net_ops);
3900 nfnetlink_subsys_unregister(&ctnl_exp_subsys);
3901 nfnetlink_subsys_unregister(&ctnl_subsys);
3902 #ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT
3903 RCU_INIT_POINTER(nfnl_ct_hook, NULL);
3904 #endif
3905 synchronize_rcu();
3906 }
3907
3908 module_init(ctnetlink_init);
3909 module_exit(ctnetlink_exit);
