]> git.ipfire.org Git - people/ms/linux.git/blob - net/netfilter/nf_conntrack_netlink.c
projects / people / ms / linux.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
netfilter: make function op structures const
[people/ms/linux.git] / net / netfilter / nf_conntrack_netlink.c
1 /* Connection tracking via netlink socket. Allows for user space
2 * protocol helpers and general trouble making from userspace.
3 *
4 * (C) 2001 by Jay Schulist <jschlst@samba.org>
5 * (C) 2002-2006 by Harald Welte <laforge@gnumonks.org>
6 * (C) 2003 by Patrick Mchardy <kaber@trash.net>
7 * (C) 2005-2012 by Pablo Neira Ayuso <pablo@netfilter.org>
8 *
9 * Initial connection tracking via netlink development funded and
10 * generally made possible by Network Robots, Inc. (www.networkrobots.com)
11 *
12 * Further development of this code funded by Astaro AG (http://www.astaro.com)
13 *
14 * This software may be used and distributed according to the terms
15 * of the GNU General Public License, incorporated herein by reference.
16 */
17
18 #include <linux/init.h>
19 #include <linux/module.h>
20 #include <linux/kernel.h>
21 #include <linux/rculist.h>
22 #include <linux/rculist_nulls.h>
23 #include <linux/types.h>
24 #include <linux/timer.h>
25 #include <linux/security.h>
26 #include <linux/skbuff.h>
27 #include <linux/errno.h>
28 #include <linux/netlink.h>
29 #include <linux/spinlock.h>
30 #include <linux/interrupt.h>
31 #include <linux/slab.h>
32 #include <linux/siphash.h>
33
34 #include <linux/netfilter.h>
35 #include <net/netlink.h>
36 #include <net/sock.h>
37 #include <net/netfilter/nf_conntrack.h>
38 #include <net/netfilter/nf_conntrack_core.h>
39 #include <net/netfilter/nf_conntrack_expect.h>
40 #include <net/netfilter/nf_conntrack_helper.h>
41 #include <net/netfilter/nf_conntrack_seqadj.h>
42 #include <net/netfilter/nf_conntrack_l4proto.h>
43 #include <net/netfilter/nf_conntrack_tuple.h>
44 #include <net/netfilter/nf_conntrack_acct.h>
45 #include <net/netfilter/nf_conntrack_zones.h>
46 #include <net/netfilter/nf_conntrack_timestamp.h>
47 #include <net/netfilter/nf_conntrack_labels.h>
48 #include <net/netfilter/nf_conntrack_synproxy.h>
49 #if IS_ENABLED(CONFIG_NF_NAT)
50 #include <net/netfilter/nf_nat.h>
51 #include <net/netfilter/nf_nat_helper.h>
52 #endif
53
54 #include <linux/netfilter/nfnetlink.h>
55 #include <linux/netfilter/nfnetlink_conntrack.h>
56
57 #include "nf_internals.h"
58
59 MODULE_LICENSE("GPL");
60
61 static int ctnetlink_dump_tuples_proto(struct sk_buff *skb,
62 const struct nf_conntrack_tuple *tuple,
63 const struct nf_conntrack_l4proto *l4proto)
64 {
65 int ret = 0;
66 struct nlattr *nest_parms;
67
68 nest_parms = nla_nest_start(skb, CTA_TUPLE_PROTO);
69 if (!nest_parms)
70 goto nla_put_failure;
71 if (nla_put_u8(skb, CTA_PROTO_NUM, tuple->dst.protonum))
72 goto nla_put_failure;
73
74 if (likely(l4proto->tuple_to_nlattr))
75 ret = l4proto->tuple_to_nlattr(skb, tuple);
76
77 nla_nest_end(skb, nest_parms);
78
79 return ret;
80
81 nla_put_failure:
82 return -1;
83 }
84
85 static int ipv4_tuple_to_nlattr(struct sk_buff *skb,
86 const struct nf_conntrack_tuple *tuple)
87 {
88 if (nla_put_in_addr(skb, CTA_IP_V4_SRC, tuple->src.u3.ip) ||
89 nla_put_in_addr(skb, CTA_IP_V4_DST, tuple->dst.u3.ip))
90 return -EMSGSIZE;
91 return 0;
92 }
93
94 static int ipv6_tuple_to_nlattr(struct sk_buff *skb,
95 const struct nf_conntrack_tuple *tuple)
96 {
97 if (nla_put_in6_addr(skb, CTA_IP_V6_SRC, &tuple->src.u3.in6) ||
98 nla_put_in6_addr(skb, CTA_IP_V6_DST, &tuple->dst.u3.in6))
99 return -EMSGSIZE;
100 return 0;
101 }
102
103 static int ctnetlink_dump_tuples_ip(struct sk_buff *skb,
104 const struct nf_conntrack_tuple *tuple)
105 {
106 int ret = 0;
107 struct nlattr *nest_parms;
108
109 nest_parms = nla_nest_start(skb, CTA_TUPLE_IP);
110 if (!nest_parms)
111 goto nla_put_failure;
112
113 switch (tuple->src.l3num) {
114 case NFPROTO_IPV4:
115 ret = ipv4_tuple_to_nlattr(skb, tuple);
116 break;
117 case NFPROTO_IPV6:
118 ret = ipv6_tuple_to_nlattr(skb, tuple);
119 break;
120 }
121
122 nla_nest_end(skb, nest_parms);
123
124 return ret;
125
126 nla_put_failure:
127 return -1;
128 }
129
130 static int ctnetlink_dump_tuples(struct sk_buff *skb,
131 const struct nf_conntrack_tuple *tuple)
132 {
133 const struct nf_conntrack_l4proto *l4proto;
134 int ret;
135
136 rcu_read_lock();
137 ret = ctnetlink_dump_tuples_ip(skb, tuple);
138
139 if (ret >= 0) {
140 l4proto = nf_ct_l4proto_find(tuple->dst.protonum);
141 ret = ctnetlink_dump_tuples_proto(skb, tuple, l4proto);
142 }
143 rcu_read_unlock();
144 return ret;
145 }
146
147 static int ctnetlink_dump_zone_id(struct sk_buff *skb, int attrtype,
148 const struct nf_conntrack_zone *zone, int dir)
149 {
150 if (zone->id == NF_CT_DEFAULT_ZONE_ID || zone->dir != dir)
151 return 0;
152 if (nla_put_be16(skb, attrtype, htons(zone->id)))
153 goto nla_put_failure;
154 return 0;
155
156 nla_put_failure:
157 return -1;
158 }
159
160 static int ctnetlink_dump_status(struct sk_buff *skb, const struct nf_conn *ct)
161 {
162 if (nla_put_be32(skb, CTA_STATUS, htonl(ct->status)))
163 goto nla_put_failure;
164 return 0;
165
166 nla_put_failure:
167 return -1;
168 }
169
170 static int ctnetlink_dump_timeout(struct sk_buff *skb, const struct nf_conn *ct,
171 bool skip_zero)
172 {
173 long timeout = nf_ct_expires(ct) / HZ;
174
175 if (skip_zero && timeout == 0)
176 return 0;
177
178 if (nla_put_be32(skb, CTA_TIMEOUT, htonl(timeout)))
179 goto nla_put_failure;
180 return 0;
181
182 nla_put_failure:
183 return -1;
184 }
185
186 static int ctnetlink_dump_protoinfo(struct sk_buff *skb, struct nf_conn *ct,
187 bool destroy)
188 {
189 const struct nf_conntrack_l4proto *l4proto;
190 struct nlattr *nest_proto;
191 int ret;
192
193 l4proto = nf_ct_l4proto_find(nf_ct_protonum(ct));
194 if (!l4proto->to_nlattr)
195 return 0;
196
197 nest_proto = nla_nest_start(skb, CTA_PROTOINFO);
198 if (!nest_proto)
199 goto nla_put_failure;
200
201 ret = l4proto->to_nlattr(skb, nest_proto, ct, destroy);
202
203 nla_nest_end(skb, nest_proto);
204
205 return ret;
206
207 nla_put_failure:
208 return -1;
209 }
210
211 static int ctnetlink_dump_helpinfo(struct sk_buff *skb,
212 const struct nf_conn *ct)
213 {
214 struct nlattr *nest_helper;
215 const struct nf_conn_help *help = nfct_help(ct);
216 struct nf_conntrack_helper *helper;
217
218 if (!help)
219 return 0;
220
221 rcu_read_lock();
222 helper = rcu_dereference(help->helper);
223 if (!helper)
224 goto out;
225
226 nest_helper = nla_nest_start(skb, CTA_HELP);
227 if (!nest_helper)
228 goto nla_put_failure;
229 if (nla_put_string(skb, CTA_HELP_NAME, helper->name))
230 goto nla_put_failure;
231
232 if (helper->to_nlattr)
233 helper->to_nlattr(skb, ct);
234
235 nla_nest_end(skb, nest_helper);
236 out:
237 rcu_read_unlock();
238 return 0;
239
240 nla_put_failure:
241 rcu_read_unlock();
242 return -1;
243 }
244
245 static int
246 dump_counters(struct sk_buff *skb, struct nf_conn_acct *acct,
247 enum ip_conntrack_dir dir, int type)
248 {
249 enum ctattr_type attr = dir ? CTA_COUNTERS_REPLY: CTA_COUNTERS_ORIG;
250 struct nf_conn_counter *counter = acct->counter;
251 struct nlattr *nest_count;
252 u64 pkts, bytes;
253
254 if (type == IPCTNL_MSG_CT_GET_CTRZERO) {
255 pkts = atomic64_xchg(&counter[dir].packets, 0);
256 bytes = atomic64_xchg(&counter[dir].bytes, 0);
257 } else {
258 pkts = atomic64_read(&counter[dir].packets);
259 bytes = atomic64_read(&counter[dir].bytes);
260 }
261
262 nest_count = nla_nest_start(skb, attr);
263 if (!nest_count)
264 goto nla_put_failure;
265
266 if (nla_put_be64(skb, CTA_COUNTERS_PACKETS, cpu_to_be64(pkts),
267 CTA_COUNTERS_PAD) ||
268 nla_put_be64(skb, CTA_COUNTERS_BYTES, cpu_to_be64(bytes),
269 CTA_COUNTERS_PAD))
270 goto nla_put_failure;
271
272 nla_nest_end(skb, nest_count);
273
274 return 0;
275
276 nla_put_failure:
277 return -1;
278 }
279
280 static int
281 ctnetlink_dump_acct(struct sk_buff *skb, const struct nf_conn *ct, int type)
282 {
283 struct nf_conn_acct *acct = nf_conn_acct_find(ct);
284
285 if (!acct)
286 return 0;
287
288 if (dump_counters(skb, acct, IP_CT_DIR_ORIGINAL, type) < 0)
289 return -1;
290 if (dump_counters(skb, acct, IP_CT_DIR_REPLY, type) < 0)
291 return -1;
292
293 return 0;
294 }
295
296 static int
297 ctnetlink_dump_timestamp(struct sk_buff *skb, const struct nf_conn *ct)
298 {
299 struct nlattr *nest_count;
300 const struct nf_conn_tstamp *tstamp;
301
302 tstamp = nf_conn_tstamp_find(ct);
303 if (!tstamp)
304 return 0;
305
306 nest_count = nla_nest_start(skb, CTA_TIMESTAMP);
307 if (!nest_count)
308 goto nla_put_failure;
309
310 if (nla_put_be64(skb, CTA_TIMESTAMP_START, cpu_to_be64(tstamp->start),
311 CTA_TIMESTAMP_PAD) ||
312 (tstamp->stop != 0 && nla_put_be64(skb, CTA_TIMESTAMP_STOP,
313 cpu_to_be64(tstamp->stop),
314 CTA_TIMESTAMP_PAD)))
315 goto nla_put_failure;
316 nla_nest_end(skb, nest_count);
317
318 return 0;
319
320 nla_put_failure:
321 return -1;
322 }
323
324 #ifdef CONFIG_NF_CONNTRACK_MARK
325 static int ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct)
326 {
327 if (nla_put_be32(skb, CTA_MARK, htonl(ct->mark)))
328 goto nla_put_failure;
329 return 0;
330
331 nla_put_failure:
332 return -1;
333 }
334 #else
335 #define ctnetlink_dump_mark(a, b) (0)
336 #endif
337
338 #ifdef CONFIG_NF_CONNTRACK_SECMARK
339 static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
340 {
341 struct nlattr *nest_secctx;
342 int len, ret;
343 char *secctx;
344
345 ret = security_secid_to_secctx(ct->secmark, &secctx, &len);
346 if (ret)
347 return 0;
348
349 ret = -1;
350 nest_secctx = nla_nest_start(skb, CTA_SECCTX);
351 if (!nest_secctx)
352 goto nla_put_failure;
353
354 if (nla_put_string(skb, CTA_SECCTX_NAME, secctx))
355 goto nla_put_failure;
356 nla_nest_end(skb, nest_secctx);
357
358 ret = 0;
359 nla_put_failure:
360 security_release_secctx(secctx, len);
361 return ret;
362 }
363 #else
364 #define ctnetlink_dump_secctx(a, b) (0)
365 #endif
366
367 #ifdef CONFIG_NF_CONNTRACK_LABELS
368 static inline int ctnetlink_label_size(const struct nf_conn *ct)
369 {
370 struct nf_conn_labels *labels = nf_ct_labels_find(ct);
371
372 if (!labels)
373 return 0;
374 return nla_total_size(sizeof(labels->bits));
375 }
376
377 static int
378 ctnetlink_dump_labels(struct sk_buff *skb, const struct nf_conn *ct)
379 {
380 struct nf_conn_labels *labels = nf_ct_labels_find(ct);
381 unsigned int i;
382
383 if (!labels)
384 return 0;
385
386 i = 0;
387 do {
388 if (labels->bits[i] != 0)
389 return nla_put(skb, CTA_LABELS, sizeof(labels->bits),
390 labels->bits);
391 i++;
392 } while (i < ARRAY_SIZE(labels->bits));
393
394 return 0;
395 }
396 #else
397 #define ctnetlink_dump_labels(a, b) (0)
398 #define ctnetlink_label_size(a) (0)
399 #endif
400
401 #define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple)
402
403 static int ctnetlink_dump_master(struct sk_buff *skb, const struct nf_conn *ct)
404 {
405 struct nlattr *nest_parms;
406
407 if (!(ct->status & IPS_EXPECTED))
408 return 0;
409
410 nest_parms = nla_nest_start(skb, CTA_TUPLE_MASTER);
411 if (!nest_parms)
412 goto nla_put_failure;
413 if (ctnetlink_dump_tuples(skb, master_tuple(ct)) < 0)
414 goto nla_put_failure;
415 nla_nest_end(skb, nest_parms);
416
417 return 0;
418
419 nla_put_failure:
420 return -1;
421 }
422
423 static int
424 dump_ct_seq_adj(struct sk_buff *skb, const struct nf_ct_seqadj *seq, int type)
425 {
426 struct nlattr *nest_parms;
427
428 nest_parms = nla_nest_start(skb, type);
429 if (!nest_parms)
430 goto nla_put_failure;
431
432 if (nla_put_be32(skb, CTA_SEQADJ_CORRECTION_POS,
433 htonl(seq->correction_pos)) ||
434 nla_put_be32(skb, CTA_SEQADJ_OFFSET_BEFORE,
435 htonl(seq->offset_before)) ||
436 nla_put_be32(skb, CTA_SEQADJ_OFFSET_AFTER,
437 htonl(seq->offset_after)))
438 goto nla_put_failure;
439
440 nla_nest_end(skb, nest_parms);
441
442 return 0;
443
444 nla_put_failure:
445 return -1;
446 }
447
448 static int ctnetlink_dump_ct_seq_adj(struct sk_buff *skb, struct nf_conn *ct)
449 {
450 struct nf_conn_seqadj *seqadj = nfct_seqadj(ct);
451 struct nf_ct_seqadj *seq;
452
453 if (!(ct->status & IPS_SEQ_ADJUST) || !seqadj)
454 return 0;
455
456 spin_lock_bh(&ct->lock);
457 seq = &seqadj->seq[IP_CT_DIR_ORIGINAL];
458 if (dump_ct_seq_adj(skb, seq, CTA_SEQ_ADJ_ORIG) == -1)
459 goto err;
460
461 seq = &seqadj->seq[IP_CT_DIR_REPLY];
462 if (dump_ct_seq_adj(skb, seq, CTA_SEQ_ADJ_REPLY) == -1)
463 goto err;
464
465 spin_unlock_bh(&ct->lock);
466 return 0;
467 err:
468 spin_unlock_bh(&ct->lock);
469 return -1;
470 }
471
472 static int ctnetlink_dump_ct_synproxy(struct sk_buff *skb, struct nf_conn *ct)
473 {
474 struct nf_conn_synproxy *synproxy = nfct_synproxy(ct);
475 struct nlattr *nest_parms;
476
477 if (!synproxy)
478 return 0;
479
480 nest_parms = nla_nest_start(skb, CTA_SYNPROXY);
481 if (!nest_parms)
482 goto nla_put_failure;
483
484 if (nla_put_be32(skb, CTA_SYNPROXY_ISN, htonl(synproxy->isn)) ||
485 nla_put_be32(skb, CTA_SYNPROXY_ITS, htonl(synproxy->its)) ||
486 nla_put_be32(skb, CTA_SYNPROXY_TSOFF, htonl(synproxy->tsoff)))
487 goto nla_put_failure;
488
489 nla_nest_end(skb, nest_parms);
490
491 return 0;
492
493 nla_put_failure:
494 return -1;
495 }
496
497 static int ctnetlink_dump_id(struct sk_buff *skb, const struct nf_conn *ct)
498 {
499 __be32 id = (__force __be32)nf_ct_get_id(ct);
500
501 if (nla_put_be32(skb, CTA_ID, id))
502 goto nla_put_failure;
503 return 0;
504
505 nla_put_failure:
506 return -1;
507 }
508
509 static int ctnetlink_dump_use(struct sk_buff *skb, const struct nf_conn *ct)
510 {
511 if (nla_put_be32(skb, CTA_USE, htonl(refcount_read(&ct->ct_general.use))))
512 goto nla_put_failure;
513 return 0;
514
515 nla_put_failure:
516 return -1;
517 }
518
519 /* all these functions access ct->ext. Caller must either hold a reference
520 * on ct or prevent its deletion by holding either the bucket spinlock or
521 * pcpu dying list lock.
522 */
523 static int ctnetlink_dump_extinfo(struct sk_buff *skb,
524 struct nf_conn *ct, u32 type)
525 {
526 if (ctnetlink_dump_acct(skb, ct, type) < 0 ||
527 ctnetlink_dump_timestamp(skb, ct) < 0 ||
528 ctnetlink_dump_helpinfo(skb, ct) < 0 ||
529 ctnetlink_dump_labels(skb, ct) < 0 ||
530 ctnetlink_dump_ct_seq_adj(skb, ct) < 0 ||
531 ctnetlink_dump_ct_synproxy(skb, ct) < 0)
532 return -1;
533
534 return 0;
535 }
536
537 static int ctnetlink_dump_info(struct sk_buff *skb, struct nf_conn *ct)
538 {
539 if (ctnetlink_dump_status(skb, ct) < 0 ||
540 ctnetlink_dump_mark(skb, ct) < 0 ||
541 ctnetlink_dump_secctx(skb, ct) < 0 ||
542 ctnetlink_dump_id(skb, ct) < 0 ||
543 ctnetlink_dump_use(skb, ct) < 0 ||
544 ctnetlink_dump_master(skb, ct) < 0)
545 return -1;
546
547 if (!test_bit(IPS_OFFLOAD_BIT, &ct->status) &&
548 (ctnetlink_dump_timeout(skb, ct, false) < 0 ||
549 ctnetlink_dump_protoinfo(skb, ct, false) < 0))
550 return -1;
551
552 return 0;
553 }
554
555 static int
556 ctnetlink_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
557 struct nf_conn *ct, bool extinfo, unsigned int flags)
558 {
559 const struct nf_conntrack_zone *zone;
560 struct nlmsghdr *nlh;
561 struct nlattr *nest_parms;
562 unsigned int event;
563
564 if (portid)
565 flags |= NLM_F_MULTI;
566 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, IPCTNL_MSG_CT_NEW);
567 nlh = nfnl_msg_put(skb, portid, seq, event, flags, nf_ct_l3num(ct),
568 NFNETLINK_V0, 0);
569 if (!nlh)
570 goto nlmsg_failure;
571
572 zone = nf_ct_zone(ct);
573
574 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG);
575 if (!nest_parms)
576 goto nla_put_failure;
577 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
578 goto nla_put_failure;
579 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
580 NF_CT_ZONE_DIR_ORIG) < 0)
581 goto nla_put_failure;
582 nla_nest_end(skb, nest_parms);
583
584 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY);
585 if (!nest_parms)
586 goto nla_put_failure;
587 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
588 goto nla_put_failure;
589 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
590 NF_CT_ZONE_DIR_REPL) < 0)
591 goto nla_put_failure;
592 nla_nest_end(skb, nest_parms);
593
594 if (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone,
595 NF_CT_DEFAULT_ZONE_DIR) < 0)
596 goto nla_put_failure;
597
598 if (ctnetlink_dump_info(skb, ct) < 0)
599 goto nla_put_failure;
600 if (extinfo && ctnetlink_dump_extinfo(skb, ct, type) < 0)
601 goto nla_put_failure;
602
603 nlmsg_end(skb, nlh);
604 return skb->len;
605
606 nlmsg_failure:
607 nla_put_failure:
608 nlmsg_cancel(skb, nlh);
609 return -1;
610 }
611
612 static const struct nla_policy cta_ip_nla_policy[CTA_IP_MAX + 1] = {
613 [CTA_IP_V4_SRC] = { .type = NLA_U32 },
614 [CTA_IP_V4_DST] = { .type = NLA_U32 },
615 [CTA_IP_V6_SRC] = { .len = sizeof(__be32) * 4 },
616 [CTA_IP_V6_DST] = { .len = sizeof(__be32) * 4 },
617 };
618
619 #if defined(CONFIG_NETFILTER_NETLINK_GLUE_CT) || defined(CONFIG_NF_CONNTRACK_EVENTS)
620 static size_t ctnetlink_proto_size(const struct nf_conn *ct)
621 {
622 const struct nf_conntrack_l4proto *l4proto;
623 size_t len, len4 = 0;
624
625 len = nla_policy_len(cta_ip_nla_policy, CTA_IP_MAX + 1);
626 len *= 3u; /* ORIG, REPLY, MASTER */
627
628 l4proto = nf_ct_l4proto_find(nf_ct_protonum(ct));
629 len += l4proto->nlattr_size;
630 if (l4proto->nlattr_tuple_size) {
631 len4 = l4proto->nlattr_tuple_size();
632 len4 *= 3u; /* ORIG, REPLY, MASTER */
633 }
634
635 return len + len4;
636 }
637 #endif
638
639 static inline size_t ctnetlink_acct_size(const struct nf_conn *ct)
640 {
641 if (!nf_ct_ext_exist(ct, NF_CT_EXT_ACCT))
642 return 0;
643 return 2 * nla_total_size(0) /* CTA_COUNTERS_ORIG|REPL */
644 + 2 * nla_total_size_64bit(sizeof(uint64_t)) /* CTA_COUNTERS_PACKETS */
645 + 2 * nla_total_size_64bit(sizeof(uint64_t)) /* CTA_COUNTERS_BYTES */
646 ;
647 }
648
649 static inline int ctnetlink_secctx_size(const struct nf_conn *ct)
650 {
651 #ifdef CONFIG_NF_CONNTRACK_SECMARK
652 int len, ret;
653
654 ret = security_secid_to_secctx(ct->secmark, NULL, &len);
655 if (ret)
656 return 0;
657
658 return nla_total_size(0) /* CTA_SECCTX */
659 + nla_total_size(sizeof(char) * len); /* CTA_SECCTX_NAME */
660 #else
661 return 0;
662 #endif
663 }
664
665 static inline size_t ctnetlink_timestamp_size(const struct nf_conn *ct)
666 {
667 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP
668 if (!nf_ct_ext_exist(ct, NF_CT_EXT_TSTAMP))
669 return 0;
670 return nla_total_size(0) + 2 * nla_total_size_64bit(sizeof(uint64_t));
671 #else
672 return 0;
673 #endif
674 }
675
676 #ifdef CONFIG_NF_CONNTRACK_EVENTS
677 static size_t ctnetlink_nlmsg_size(const struct nf_conn *ct)
678 {
679 return NLMSG_ALIGN(sizeof(struct nfgenmsg))
680 + 3 * nla_total_size(0) /* CTA_TUPLE_ORIG|REPL|MASTER */
681 + 3 * nla_total_size(0) /* CTA_TUPLE_IP */
682 + 3 * nla_total_size(0) /* CTA_TUPLE_PROTO */
683 + 3 * nla_total_size(sizeof(u_int8_t)) /* CTA_PROTO_NUM */
684 + nla_total_size(sizeof(u_int32_t)) /* CTA_ID */
685 + nla_total_size(sizeof(u_int32_t)) /* CTA_STATUS */
686 + ctnetlink_acct_size(ct)
687 + ctnetlink_timestamp_size(ct)
688 + nla_total_size(sizeof(u_int32_t)) /* CTA_TIMEOUT */
689 + nla_total_size(0) /* CTA_PROTOINFO */
690 + nla_total_size(0) /* CTA_HELP */
691 + nla_total_size(NF_CT_HELPER_NAME_LEN) /* CTA_HELP_NAME */
692 + ctnetlink_secctx_size(ct)
693 #if IS_ENABLED(CONFIG_NF_NAT)
694 + 2 * nla_total_size(0) /* CTA_NAT_SEQ_ADJ_ORIG|REPL */
695 + 6 * nla_total_size(sizeof(u_int32_t)) /* CTA_NAT_SEQ_OFFSET */
696 #endif
697 #ifdef CONFIG_NF_CONNTRACK_MARK
698 + nla_total_size(sizeof(u_int32_t)) /* CTA_MARK */
699 #endif
700 #ifdef CONFIG_NF_CONNTRACK_ZONES
701 + nla_total_size(sizeof(u_int16_t)) /* CTA_ZONE|CTA_TUPLE_ZONE */
702 #endif
703 + ctnetlink_proto_size(ct)
704 + ctnetlink_label_size(ct)
705 ;
706 }
707
708 static int
709 ctnetlink_conntrack_event(unsigned int events, const struct nf_ct_event *item)
710 {
711 const struct nf_conntrack_zone *zone;
712 struct net *net;
713 struct nlmsghdr *nlh;
714 struct nlattr *nest_parms;
715 struct nf_conn *ct = item->ct;
716 struct sk_buff *skb;
717 unsigned int type;
718 unsigned int flags = 0, group;
719 int err;
720
721 if (events & (1 << IPCT_DESTROY)) {
722 type = IPCTNL_MSG_CT_DELETE;
723 group = NFNLGRP_CONNTRACK_DESTROY;
724 } else if (events & ((1 << IPCT_NEW) | (1 << IPCT_RELATED))) {
725 type = IPCTNL_MSG_CT_NEW;
726 flags = NLM_F_CREATE|NLM_F_EXCL;
727 group = NFNLGRP_CONNTRACK_NEW;
728 } else if (events) {
729 type = IPCTNL_MSG_CT_NEW;
730 group = NFNLGRP_CONNTRACK_UPDATE;
731 } else
732 return 0;
733
734 net = nf_ct_net(ct);
735 if (!item->report && !nfnetlink_has_listeners(net, group))
736 return 0;
737
738 skb = nlmsg_new(ctnetlink_nlmsg_size(ct), GFP_ATOMIC);
739 if (skb == NULL)
740 goto errout;
741
742 type = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, type);
743 nlh = nfnl_msg_put(skb, item->portid, 0, type, flags, nf_ct_l3num(ct),
744 NFNETLINK_V0, 0);
745 if (!nlh)
746 goto nlmsg_failure;
747
748 zone = nf_ct_zone(ct);
749
750 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG);
751 if (!nest_parms)
752 goto nla_put_failure;
753 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
754 goto nla_put_failure;
755 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
756 NF_CT_ZONE_DIR_ORIG) < 0)
757 goto nla_put_failure;
758 nla_nest_end(skb, nest_parms);
759
760 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY);
761 if (!nest_parms)
762 goto nla_put_failure;
763 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
764 goto nla_put_failure;
765 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
766 NF_CT_ZONE_DIR_REPL) < 0)
767 goto nla_put_failure;
768 nla_nest_end(skb, nest_parms);
769
770 if (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone,
771 NF_CT_DEFAULT_ZONE_DIR) < 0)
772 goto nla_put_failure;
773
774 if (ctnetlink_dump_id(skb, ct) < 0)
775 goto nla_put_failure;
776
777 if (ctnetlink_dump_status(skb, ct) < 0)
778 goto nla_put_failure;
779
780 if (events & (1 << IPCT_DESTROY)) {
781 if (ctnetlink_dump_timeout(skb, ct, true) < 0)
782 goto nla_put_failure;
783
784 if (ctnetlink_dump_acct(skb, ct, type) < 0 ||
785 ctnetlink_dump_timestamp(skb, ct) < 0 ||
786 ctnetlink_dump_protoinfo(skb, ct, true) < 0)
787 goto nla_put_failure;
788 } else {
789 if (ctnetlink_dump_timeout(skb, ct, false) < 0)
790 goto nla_put_failure;
791
792 if (events & (1 << IPCT_PROTOINFO) &&
793 ctnetlink_dump_protoinfo(skb, ct, false) < 0)
794 goto nla_put_failure;
795
796 if ((events & (1 << IPCT_HELPER) || nfct_help(ct))
797 && ctnetlink_dump_helpinfo(skb, ct) < 0)
798 goto nla_put_failure;
799
800 #ifdef CONFIG_NF_CONNTRACK_SECMARK
801 if ((events & (1 << IPCT_SECMARK) || ct->secmark)
802 && ctnetlink_dump_secctx(skb, ct) < 0)
803 goto nla_put_failure;
804 #endif
805 if (events & (1 << IPCT_LABEL) &&
806 ctnetlink_dump_labels(skb, ct) < 0)
807 goto nla_put_failure;
808
809 if (events & (1 << IPCT_RELATED) &&
810 ctnetlink_dump_master(skb, ct) < 0)
811 goto nla_put_failure;
812
813 if (events & (1 << IPCT_SEQADJ) &&
814 ctnetlink_dump_ct_seq_adj(skb, ct) < 0)
815 goto nla_put_failure;
816
817 if (events & (1 << IPCT_SYNPROXY) &&
818 ctnetlink_dump_ct_synproxy(skb, ct) < 0)
819 goto nla_put_failure;
820 }
821
822 #ifdef CONFIG_NF_CONNTRACK_MARK
823 if ((events & (1 << IPCT_MARK) || ct->mark)
824 && ctnetlink_dump_mark(skb, ct) < 0)
825 goto nla_put_failure;
826 #endif
827 nlmsg_end(skb, nlh);
828 err = nfnetlink_send(skb, net, item->portid, group, item->report,
829 GFP_ATOMIC);
830 if (err == -ENOBUFS || err == -EAGAIN)
831 return -ENOBUFS;
832
833 return 0;
834
835 nla_put_failure:
836 nlmsg_cancel(skb, nlh);
837 nlmsg_failure:
838 kfree_skb(skb);
839 errout:
840 if (nfnetlink_set_err(net, 0, group, -ENOBUFS) > 0)
841 return -ENOBUFS;
842
843 return 0;
844 }
845 #endif /* CONFIG_NF_CONNTRACK_EVENTS */
846
847 static int ctnetlink_done(struct netlink_callback *cb)
848 {
849 if (cb->args[1])
850 nf_ct_put((struct nf_conn *)cb->args[1]);
851 kfree(cb->data);
852 return 0;
853 }
854
855 struct ctnetlink_filter_u32 {
856 u32 val;
857 u32 mask;
858 };
859
860 struct ctnetlink_filter {
861 u8 family;
862
863 u_int32_t orig_flags;
864 u_int32_t reply_flags;
865
866 struct nf_conntrack_tuple orig;
867 struct nf_conntrack_tuple reply;
868 struct nf_conntrack_zone zone;
869
870 struct ctnetlink_filter_u32 mark;
871 struct ctnetlink_filter_u32 status;
872 };
873
874 static const struct nla_policy cta_filter_nla_policy[CTA_FILTER_MAX + 1] = {
875 [CTA_FILTER_ORIG_FLAGS] = { .type = NLA_U32 },
876 [CTA_FILTER_REPLY_FLAGS] = { .type = NLA_U32 },
877 };
878
879 static int ctnetlink_parse_filter(const struct nlattr *attr,
880 struct ctnetlink_filter *filter)
881 {
882 struct nlattr *tb[CTA_FILTER_MAX + 1];
883 int ret = 0;
884
885 ret = nla_parse_nested(tb, CTA_FILTER_MAX, attr, cta_filter_nla_policy,
886 NULL);
887 if (ret)
888 return ret;
889
890 if (tb[CTA_FILTER_ORIG_FLAGS]) {
891 filter->orig_flags = nla_get_u32(tb[CTA_FILTER_ORIG_FLAGS]);
892 if (filter->orig_flags & ~CTA_FILTER_F_ALL)
893 return -EOPNOTSUPP;
894 }
895
896 if (tb[CTA_FILTER_REPLY_FLAGS]) {
897 filter->reply_flags = nla_get_u32(tb[CTA_FILTER_REPLY_FLAGS]);
898 if (filter->reply_flags & ~CTA_FILTER_F_ALL)
899 return -EOPNOTSUPP;
900 }
901
902 return 0;
903 }
904
905 static int ctnetlink_parse_zone(const struct nlattr *attr,
906 struct nf_conntrack_zone *zone);
907 static int ctnetlink_parse_tuple_filter(const struct nlattr * const cda[],
908 struct nf_conntrack_tuple *tuple,
909 u32 type, u_int8_t l3num,
910 struct nf_conntrack_zone *zone,
911 u_int32_t flags);
912
913 static int ctnetlink_filter_parse_mark(struct ctnetlink_filter_u32 *mark,
914 const struct nlattr * const cda[])
915 {
916 #ifdef CONFIG_NF_CONNTRACK_MARK
917 if (cda[CTA_MARK]) {
918 mark->val = ntohl(nla_get_be32(cda[CTA_MARK]));
919
920 if (cda[CTA_MARK_MASK])
921 mark->mask = ntohl(nla_get_be32(cda[CTA_MARK_MASK]));
922 else
923 mark->mask = 0xffffffff;
924 } else if (cda[CTA_MARK_MASK]) {
925 return -EINVAL;
926 }
927 #endif
928 return 0;
929 }
930
931 static int ctnetlink_filter_parse_status(struct ctnetlink_filter_u32 *status,
932 const struct nlattr * const cda[])
933 {
934 if (cda[CTA_STATUS]) {
935 status->val = ntohl(nla_get_be32(cda[CTA_STATUS]));
936 if (cda[CTA_STATUS_MASK])
937 status->mask = ntohl(nla_get_be32(cda[CTA_STATUS_MASK]));
938 else
939 status->mask = status->val;
940
941 /* status->val == 0? always true, else always false. */
942 if (status->mask == 0)
943 return -EINVAL;
944 } else if (cda[CTA_STATUS_MASK]) {
945 return -EINVAL;
946 }
947
948 /* CTA_STATUS is NLA_U32, if this fires UAPI needs to be extended */
949 BUILD_BUG_ON(__IPS_MAX_BIT >= 32);
950 return 0;
951 }
952
953 static struct ctnetlink_filter *
954 ctnetlink_alloc_filter(const struct nlattr * const cda[], u8 family)
955 {
956 struct ctnetlink_filter *filter;
957 int err;
958
959 #ifndef CONFIG_NF_CONNTRACK_MARK
960 if (cda[CTA_MARK] || cda[CTA_MARK_MASK])
961 return ERR_PTR(-EOPNOTSUPP);
962 #endif
963
964 filter = kzalloc(sizeof(*filter), GFP_KERNEL);
965 if (filter == NULL)
966 return ERR_PTR(-ENOMEM);
967
968 filter->family = family;
969
970 err = ctnetlink_filter_parse_mark(&filter->mark, cda);
971 if (err)
972 goto err_filter;
973
974 err = ctnetlink_filter_parse_status(&filter->status, cda);
975 if (err)
976 goto err_filter;
977
978 if (!cda[CTA_FILTER])
979 return filter;
980
981 err = ctnetlink_parse_zone(cda[CTA_ZONE], &filter->zone);
982 if (err < 0)
983 goto err_filter;
984
985 err = ctnetlink_parse_filter(cda[CTA_FILTER], filter);
986 if (err < 0)
987 goto err_filter;
988
989 if (filter->orig_flags) {
990 if (!cda[CTA_TUPLE_ORIG]) {
991 err = -EINVAL;
992 goto err_filter;
993 }
994
995 err = ctnetlink_parse_tuple_filter(cda, &filter->orig,
996 CTA_TUPLE_ORIG,
997 filter->family,
998 &filter->zone,
999 filter->orig_flags);
1000 if (err < 0)
1001 goto err_filter;
1002 }
1003
1004 if (filter->reply_flags) {
1005 if (!cda[CTA_TUPLE_REPLY]) {
1006 err = -EINVAL;
1007 goto err_filter;
1008 }
1009
1010 err = ctnetlink_parse_tuple_filter(cda, &filter->reply,
1011 CTA_TUPLE_REPLY,
1012 filter->family,
1013 &filter->zone,
1014 filter->reply_flags);
1015 if (err < 0)
1016 goto err_filter;
1017 }
1018
1019 return filter;
1020
1021 err_filter:
1022 kfree(filter);
1023
1024 return ERR_PTR(err);
1025 }
1026
1027 static bool ctnetlink_needs_filter(u8 family, const struct nlattr * const *cda)
1028 {
1029 return family || cda[CTA_MARK] || cda[CTA_FILTER] || cda[CTA_STATUS];
1030 }
1031
1032 static int ctnetlink_start(struct netlink_callback *cb)
1033 {
1034 const struct nlattr * const *cda = cb->data;
1035 struct ctnetlink_filter *filter = NULL;
1036 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1037 u8 family = nfmsg->nfgen_family;
1038
1039 if (ctnetlink_needs_filter(family, cda)) {
1040 filter = ctnetlink_alloc_filter(cda, family);
1041 if (IS_ERR(filter))
1042 return PTR_ERR(filter);
1043 }
1044
1045 cb->data = filter;
1046 return 0;
1047 }
1048
1049 static int ctnetlink_filter_match_tuple(struct nf_conntrack_tuple *filter_tuple,
1050 struct nf_conntrack_tuple *ct_tuple,
1051 u_int32_t flags, int family)
1052 {
1053 switch (family) {
1054 case NFPROTO_IPV4:
1055 if ((flags & CTA_FILTER_FLAG(CTA_IP_SRC)) &&
1056 filter_tuple->src.u3.ip != ct_tuple->src.u3.ip)
1057 return 0;
1058
1059 if ((flags & CTA_FILTER_FLAG(CTA_IP_DST)) &&
1060 filter_tuple->dst.u3.ip != ct_tuple->dst.u3.ip)
1061 return 0;
1062 break;
1063 case NFPROTO_IPV6:
1064 if ((flags & CTA_FILTER_FLAG(CTA_IP_SRC)) &&
1065 !ipv6_addr_cmp(&filter_tuple->src.u3.in6,
1066 &ct_tuple->src.u3.in6))
1067 return 0;
1068
1069 if ((flags & CTA_FILTER_FLAG(CTA_IP_DST)) &&
1070 !ipv6_addr_cmp(&filter_tuple->dst.u3.in6,
1071 &ct_tuple->dst.u3.in6))
1072 return 0;
1073 break;
1074 }
1075
1076 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_NUM)) &&
1077 filter_tuple->dst.protonum != ct_tuple->dst.protonum)
1078 return 0;
1079
1080 switch (ct_tuple->dst.protonum) {
1081 case IPPROTO_TCP:
1082 case IPPROTO_UDP:
1083 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_SRC_PORT)) &&
1084 filter_tuple->src.u.tcp.port != ct_tuple->src.u.tcp.port)
1085 return 0;
1086
1087 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_DST_PORT)) &&
1088 filter_tuple->dst.u.tcp.port != ct_tuple->dst.u.tcp.port)
1089 return 0;
1090 break;
1091 case IPPROTO_ICMP:
1092 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMP_TYPE)) &&
1093 filter_tuple->dst.u.icmp.type != ct_tuple->dst.u.icmp.type)
1094 return 0;
1095 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMP_CODE)) &&
1096 filter_tuple->dst.u.icmp.code != ct_tuple->dst.u.icmp.code)
1097 return 0;
1098 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMP_ID)) &&
1099 filter_tuple->src.u.icmp.id != ct_tuple->src.u.icmp.id)
1100 return 0;
1101 break;
1102 case IPPROTO_ICMPV6:
1103 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMPV6_TYPE)) &&
1104 filter_tuple->dst.u.icmp.type != ct_tuple->dst.u.icmp.type)
1105 return 0;
1106 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMPV6_CODE)) &&
1107 filter_tuple->dst.u.icmp.code != ct_tuple->dst.u.icmp.code)
1108 return 0;
1109 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMPV6_ID)) &&
1110 filter_tuple->src.u.icmp.id != ct_tuple->src.u.icmp.id)
1111 return 0;
1112 break;
1113 }
1114
1115 return 1;
1116 }
1117
1118 static int ctnetlink_filter_match(struct nf_conn *ct, void *data)
1119 {
1120 struct ctnetlink_filter *filter = data;
1121 struct nf_conntrack_tuple *tuple;
1122 u32 status;
1123
1124 if (filter == NULL)
1125 goto out;
1126
1127 /* Match entries of a given L3 protocol number.
1128 * If it is not specified, ie. l3proto == 0,
1129 * then match everything.
1130 */
1131 if (filter->family && nf_ct_l3num(ct) != filter->family)
1132 goto ignore_entry;
1133
1134 if (filter->orig_flags) {
1135 tuple = nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL);
1136 if (!ctnetlink_filter_match_tuple(&filter->orig, tuple,
1137 filter->orig_flags,
1138 filter->family))
1139 goto ignore_entry;
1140 }
1141
1142 if (filter->reply_flags) {
1143 tuple = nf_ct_tuple(ct, IP_CT_DIR_REPLY);
1144 if (!ctnetlink_filter_match_tuple(&filter->reply, tuple,
1145 filter->reply_flags,
1146 filter->family))
1147 goto ignore_entry;
1148 }
1149
1150 #ifdef CONFIG_NF_CONNTRACK_MARK
1151 if ((ct->mark & filter->mark.mask) != filter->mark.val)
1152 goto ignore_entry;
1153 #endif
1154 status = (u32)READ_ONCE(ct->status);
1155 if ((status & filter->status.mask) != filter->status.val)
1156 goto ignore_entry;
1157
1158 out:
1159 return 1;
1160
1161 ignore_entry:
1162 return 0;
1163 }
1164
1165 static int
1166 ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
1167 {
1168 unsigned int flags = cb->data ? NLM_F_DUMP_FILTERED : 0;
1169 struct net *net = sock_net(skb->sk);
1170 struct nf_conn *ct, *last;
1171 struct nf_conntrack_tuple_hash *h;
1172 struct hlist_nulls_node *n;
1173 struct nf_conn *nf_ct_evict[8];
1174 int res, i;
1175 spinlock_t *lockp;
1176
1177 last = (struct nf_conn *)cb->args[1];
1178 i = 0;
1179
1180 local_bh_disable();
1181 for (; cb->args[0] < nf_conntrack_htable_size; cb->args[0]++) {
1182 restart:
1183 while (i) {
1184 i--;
1185 if (nf_ct_should_gc(nf_ct_evict[i]))
1186 nf_ct_kill(nf_ct_evict[i]);
1187 nf_ct_put(nf_ct_evict[i]);
1188 }
1189
1190 lockp = &nf_conntrack_locks[cb->args[0] % CONNTRACK_LOCKS];
1191 nf_conntrack_lock(lockp);
1192 if (cb->args[0] >= nf_conntrack_htable_size) {
1193 spin_unlock(lockp);
1194 goto out;
1195 }
1196 hlist_nulls_for_each_entry(h, n, &nf_conntrack_hash[cb->args[0]],
1197 hnnode) {
1198 if (NF_CT_DIRECTION(h) != IP_CT_DIR_ORIGINAL)
1199 continue;
1200 ct = nf_ct_tuplehash_to_ctrack(h);
1201 if (nf_ct_is_expired(ct)) {
1202 if (i < ARRAY_SIZE(nf_ct_evict) &&
1203 refcount_inc_not_zero(&ct->ct_general.use))
1204 nf_ct_evict[i++] = ct;
1205 continue;
1206 }
1207
1208 if (!net_eq(net, nf_ct_net(ct)))
1209 continue;
1210
1211 if (cb->args[1]) {
1212 if (ct != last)
1213 continue;
1214 cb->args[1] = 0;
1215 }
1216 if (!ctnetlink_filter_match(ct, cb->data))
1217 continue;
1218
1219 res =
1220 ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).portid,
1221 cb->nlh->nlmsg_seq,
1222 NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
1223 ct, true, flags);
1224 if (res < 0) {
1225 nf_conntrack_get(&ct->ct_general);
1226 cb->args[1] = (unsigned long)ct;
1227 spin_unlock(lockp);
1228 goto out;
1229 }
1230 }
1231 spin_unlock(lockp);
1232 if (cb->args[1]) {
1233 cb->args[1] = 0;
1234 goto restart;
1235 }
1236 }
1237 out:
1238 local_bh_enable();
1239 if (last) {
1240 /* nf ct hash resize happened, now clear the leftover. */
1241 if ((struct nf_conn *)cb->args[1] == last)
1242 cb->args[1] = 0;
1243
1244 nf_ct_put(last);
1245 }
1246
1247 while (i) {
1248 i--;
1249 if (nf_ct_should_gc(nf_ct_evict[i]))
1250 nf_ct_kill(nf_ct_evict[i]);
1251 nf_ct_put(nf_ct_evict[i]);
1252 }
1253
1254 return skb->len;
1255 }
1256
1257 static int ipv4_nlattr_to_tuple(struct nlattr *tb[],
1258 struct nf_conntrack_tuple *t,
1259 u_int32_t flags)
1260 {
1261 if (flags & CTA_FILTER_FLAG(CTA_IP_SRC)) {
1262 if (!tb[CTA_IP_V4_SRC])
1263 return -EINVAL;
1264
1265 t->src.u3.ip = nla_get_in_addr(tb[CTA_IP_V4_SRC]);
1266 }
1267
1268 if (flags & CTA_FILTER_FLAG(CTA_IP_DST)) {
1269 if (!tb[CTA_IP_V4_DST])
1270 return -EINVAL;
1271
1272 t->dst.u3.ip = nla_get_in_addr(tb[CTA_IP_V4_DST]);
1273 }
1274
1275 return 0;
1276 }
1277
1278 static int ipv6_nlattr_to_tuple(struct nlattr *tb[],
1279 struct nf_conntrack_tuple *t,
1280 u_int32_t flags)
1281 {
1282 if (flags & CTA_FILTER_FLAG(CTA_IP_SRC)) {
1283 if (!tb[CTA_IP_V6_SRC])
1284 return -EINVAL;
1285
1286 t->src.u3.in6 = nla_get_in6_addr(tb[CTA_IP_V6_SRC]);
1287 }
1288
1289 if (flags & CTA_FILTER_FLAG(CTA_IP_DST)) {
1290 if (!tb[CTA_IP_V6_DST])
1291 return -EINVAL;
1292
1293 t->dst.u3.in6 = nla_get_in6_addr(tb[CTA_IP_V6_DST]);
1294 }
1295
1296 return 0;
1297 }
1298
1299 static int ctnetlink_parse_tuple_ip(struct nlattr *attr,
1300 struct nf_conntrack_tuple *tuple,
1301 u_int32_t flags)
1302 {
1303 struct nlattr *tb[CTA_IP_MAX+1];
1304 int ret = 0;
1305
1306 ret = nla_parse_nested_deprecated(tb, CTA_IP_MAX, attr, NULL, NULL);
1307 if (ret < 0)
1308 return ret;
1309
1310 ret = nla_validate_nested_deprecated(attr, CTA_IP_MAX,
1311 cta_ip_nla_policy, NULL);
1312 if (ret)
1313 return ret;
1314
1315 switch (tuple->src.l3num) {
1316 case NFPROTO_IPV4:
1317 ret = ipv4_nlattr_to_tuple(tb, tuple, flags);
1318 break;
1319 case NFPROTO_IPV6:
1320 ret = ipv6_nlattr_to_tuple(tb, tuple, flags);
1321 break;
1322 }
1323
1324 return ret;
1325 }
1326
1327 static const struct nla_policy proto_nla_policy[CTA_PROTO_MAX+1] = {
1328 [CTA_PROTO_NUM] = { .type = NLA_U8 },
1329 };
1330
1331 static int ctnetlink_parse_tuple_proto(struct nlattr *attr,
1332 struct nf_conntrack_tuple *tuple,
1333 u_int32_t flags)
1334 {
1335 const struct nf_conntrack_l4proto *l4proto;
1336 struct nlattr *tb[CTA_PROTO_MAX+1];
1337 int ret = 0;
1338
1339 ret = nla_parse_nested_deprecated(tb, CTA_PROTO_MAX, attr,
1340 proto_nla_policy, NULL);
1341 if (ret < 0)
1342 return ret;
1343
1344 if (!(flags & CTA_FILTER_FLAG(CTA_PROTO_NUM)))
1345 return 0;
1346
1347 if (!tb[CTA_PROTO_NUM])
1348 return -EINVAL;
1349
1350 tuple->dst.protonum = nla_get_u8(tb[CTA_PROTO_NUM]);
1351
1352 rcu_read_lock();
1353 l4proto = nf_ct_l4proto_find(tuple->dst.protonum);
1354
1355 if (likely(l4proto->nlattr_to_tuple)) {
1356 ret = nla_validate_nested_deprecated(attr, CTA_PROTO_MAX,
1357 l4proto->nla_policy,
1358 NULL);
1359 if (ret == 0)
1360 ret = l4proto->nlattr_to_tuple(tb, tuple, flags);
1361 }
1362
1363 rcu_read_unlock();
1364
1365 return ret;
1366 }
1367
1368 static int
1369 ctnetlink_parse_zone(const struct nlattr *attr,
1370 struct nf_conntrack_zone *zone)
1371 {
1372 nf_ct_zone_init(zone, NF_CT_DEFAULT_ZONE_ID,
1373 NF_CT_DEFAULT_ZONE_DIR, 0);
1374 #ifdef CONFIG_NF_CONNTRACK_ZONES
1375 if (attr)
1376 zone->id = ntohs(nla_get_be16(attr));
1377 #else
1378 if (attr)
1379 return -EOPNOTSUPP;
1380 #endif
1381 return 0;
1382 }
1383
1384 static int
1385 ctnetlink_parse_tuple_zone(struct nlattr *attr, enum ctattr_type type,
1386 struct nf_conntrack_zone *zone)
1387 {
1388 int ret;
1389
1390 if (zone->id != NF_CT_DEFAULT_ZONE_ID)
1391 return -EINVAL;
1392
1393 ret = ctnetlink_parse_zone(attr, zone);
1394 if (ret < 0)
1395 return ret;
1396
1397 if (type == CTA_TUPLE_REPLY)
1398 zone->dir = NF_CT_ZONE_DIR_REPL;
1399 else
1400 zone->dir = NF_CT_ZONE_DIR_ORIG;
1401
1402 return 0;
1403 }
1404
1405 static const struct nla_policy tuple_nla_policy[CTA_TUPLE_MAX+1] = {
1406 [CTA_TUPLE_IP] = { .type = NLA_NESTED },
1407 [CTA_TUPLE_PROTO] = { .type = NLA_NESTED },
1408 [CTA_TUPLE_ZONE] = { .type = NLA_U16 },
1409 };
1410
1411 #define CTA_FILTER_F_ALL_CTA_PROTO \
1412 (CTA_FILTER_F_CTA_PROTO_SRC_PORT | \
1413 CTA_FILTER_F_CTA_PROTO_DST_PORT | \
1414 CTA_FILTER_F_CTA_PROTO_ICMP_TYPE | \
1415 CTA_FILTER_F_CTA_PROTO_ICMP_CODE | \
1416 CTA_FILTER_F_CTA_PROTO_ICMP_ID | \
1417 CTA_FILTER_F_CTA_PROTO_ICMPV6_TYPE | \
1418 CTA_FILTER_F_CTA_PROTO_ICMPV6_CODE | \
1419 CTA_FILTER_F_CTA_PROTO_ICMPV6_ID)
1420
1421 static int
1422 ctnetlink_parse_tuple_filter(const struct nlattr * const cda[],
1423 struct nf_conntrack_tuple *tuple, u32 type,
1424 u_int8_t l3num, struct nf_conntrack_zone *zone,
1425 u_int32_t flags)
1426 {
1427 struct nlattr *tb[CTA_TUPLE_MAX+1];
1428 int err;
1429
1430 memset(tuple, 0, sizeof(*tuple));
1431
1432 err = nla_parse_nested_deprecated(tb, CTA_TUPLE_MAX, cda[type],
1433 tuple_nla_policy, NULL);
1434 if (err < 0)
1435 return err;
1436
1437 if (l3num != NFPROTO_IPV4 && l3num != NFPROTO_IPV6)
1438 return -EOPNOTSUPP;
1439 tuple->src.l3num = l3num;
1440
1441 if (flags & CTA_FILTER_FLAG(CTA_IP_DST) ||
1442 flags & CTA_FILTER_FLAG(CTA_IP_SRC)) {
1443 if (!tb[CTA_TUPLE_IP])
1444 return -EINVAL;
1445
1446 err = ctnetlink_parse_tuple_ip(tb[CTA_TUPLE_IP], tuple, flags);
1447 if (err < 0)
1448 return err;
1449 }
1450
1451 if (flags & CTA_FILTER_FLAG(CTA_PROTO_NUM)) {
1452 if (!tb[CTA_TUPLE_PROTO])
1453 return -EINVAL;
1454
1455 err = ctnetlink_parse_tuple_proto(tb[CTA_TUPLE_PROTO], tuple, flags);
1456 if (err < 0)
1457 return err;
1458 } else if (flags & CTA_FILTER_FLAG(ALL_CTA_PROTO)) {
1459 /* Can't manage proto flags without a protonum */
1460 return -EINVAL;
1461 }
1462
1463 if ((flags & CTA_FILTER_FLAG(CTA_TUPLE_ZONE)) && tb[CTA_TUPLE_ZONE]) {
1464 if (!zone)
1465 return -EINVAL;
1466
1467 err = ctnetlink_parse_tuple_zone(tb[CTA_TUPLE_ZONE],
1468 type, zone);
1469 if (err < 0)
1470 return err;
1471 }
1472
1473 /* orig and expect tuples get DIR_ORIGINAL */
1474 if (type == CTA_TUPLE_REPLY)
1475 tuple->dst.dir = IP_CT_DIR_REPLY;
1476 else
1477 tuple->dst.dir = IP_CT_DIR_ORIGINAL;
1478
1479 return 0;
1480 }
1481
1482 static int
1483 ctnetlink_parse_tuple(const struct nlattr * const cda[],
1484 struct nf_conntrack_tuple *tuple, u32 type,
1485 u_int8_t l3num, struct nf_conntrack_zone *zone)
1486 {
1487 return ctnetlink_parse_tuple_filter(cda, tuple, type, l3num, zone,
1488 CTA_FILTER_FLAG(ALL));
1489 }
1490
1491 static const struct nla_policy help_nla_policy[CTA_HELP_MAX+1] = {
1492 [CTA_HELP_NAME] = { .type = NLA_NUL_STRING,
1493 .len = NF_CT_HELPER_NAME_LEN - 1 },
1494 };
1495
1496 static int ctnetlink_parse_help(const struct nlattr *attr, char **helper_name,
1497 struct nlattr **helpinfo)
1498 {
1499 int err;
1500 struct nlattr *tb[CTA_HELP_MAX+1];
1501
1502 err = nla_parse_nested_deprecated(tb, CTA_HELP_MAX, attr,
1503 help_nla_policy, NULL);
1504 if (err < 0)
1505 return err;
1506
1507 if (!tb[CTA_HELP_NAME])
1508 return -EINVAL;
1509
1510 *helper_name = nla_data(tb[CTA_HELP_NAME]);
1511
1512 if (tb[CTA_HELP_INFO])
1513 *helpinfo = tb[CTA_HELP_INFO];
1514
1515 return 0;
1516 }
1517
1518 static const struct nla_policy ct_nla_policy[CTA_MAX+1] = {
1519 [CTA_TUPLE_ORIG] = { .type = NLA_NESTED },
1520 [CTA_TUPLE_REPLY] = { .type = NLA_NESTED },
1521 [CTA_STATUS] = { .type = NLA_U32 },
1522 [CTA_PROTOINFO] = { .type = NLA_NESTED },
1523 [CTA_HELP] = { .type = NLA_NESTED },
1524 [CTA_NAT_SRC] = { .type = NLA_NESTED },
1525 [CTA_TIMEOUT] = { .type = NLA_U32 },
1526 [CTA_MARK] = { .type = NLA_U32 },
1527 [CTA_ID] = { .type = NLA_U32 },
1528 [CTA_NAT_DST] = { .type = NLA_NESTED },
1529 [CTA_TUPLE_MASTER] = { .type = NLA_NESTED },
1530 [CTA_NAT_SEQ_ADJ_ORIG] = { .type = NLA_NESTED },
1531 [CTA_NAT_SEQ_ADJ_REPLY] = { .type = NLA_NESTED },
1532 [CTA_ZONE] = { .type = NLA_U16 },
1533 [CTA_MARK_MASK] = { .type = NLA_U32 },
1534 [CTA_LABELS] = { .type = NLA_BINARY,
1535 .len = NF_CT_LABELS_MAX_SIZE },
1536 [CTA_LABELS_MASK] = { .type = NLA_BINARY,
1537 .len = NF_CT_LABELS_MAX_SIZE },
1538 [CTA_FILTER] = { .type = NLA_NESTED },
1539 [CTA_STATUS_MASK] = { .type = NLA_U32 },
1540 };
1541
1542 static int ctnetlink_flush_iterate(struct nf_conn *ct, void *data)
1543 {
1544 if (test_bit(IPS_OFFLOAD_BIT, &ct->status))
1545 return 0;
1546
1547 return ctnetlink_filter_match(ct, data);
1548 }
1549
1550 static int ctnetlink_flush_conntrack(struct net *net,
1551 const struct nlattr * const cda[],
1552 u32 portid, int report, u8 family)
1553 {
1554 struct ctnetlink_filter *filter = NULL;
1555
1556 if (ctnetlink_needs_filter(family, cda)) {
1557 if (cda[CTA_FILTER])
1558 return -EOPNOTSUPP;
1559
1560 filter = ctnetlink_alloc_filter(cda, family);
1561 if (IS_ERR(filter))
1562 return PTR_ERR(filter);
1563 }
1564
1565 nf_ct_iterate_cleanup_net(net, ctnetlink_flush_iterate, filter,
1566 portid, report);
1567 kfree(filter);
1568
1569 return 0;
1570 }
1571
1572 static int ctnetlink_del_conntrack(struct sk_buff *skb,
1573 const struct nfnl_info *info,
1574 const struct nlattr * const cda[])
1575 {
1576 u8 family = info->nfmsg->nfgen_family;
1577 struct nf_conntrack_tuple_hash *h;
1578 struct nf_conntrack_tuple tuple;
1579 struct nf_conntrack_zone zone;
1580 struct nf_conn *ct;
1581 int err;
1582
1583 err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone);
1584 if (err < 0)
1585 return err;
1586
1587 if (cda[CTA_TUPLE_ORIG])
1588 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG,
1589 family, &zone);
1590 else if (cda[CTA_TUPLE_REPLY])
1591 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY,
1592 family, &zone);
1593 else {
1594 u_int8_t u3 = info->nfmsg->version ? family : AF_UNSPEC;
1595
1596 return ctnetlink_flush_conntrack(info->net, cda,
1597 NETLINK_CB(skb).portid,
1598 nlmsg_report(info->nlh), u3);
1599 }
1600
1601 if (err < 0)
1602 return err;
1603
1604 h = nf_conntrack_find_get(info->net, &zone, &tuple);
1605 if (!h)
1606 return -ENOENT;
1607
1608 ct = nf_ct_tuplehash_to_ctrack(h);
1609
1610 if (test_bit(IPS_OFFLOAD_BIT, &ct->status)) {
1611 nf_ct_put(ct);
1612 return -EBUSY;
1613 }
1614
1615 if (cda[CTA_ID]) {
1616 __be32 id = nla_get_be32(cda[CTA_ID]);
1617
1618 if (id != (__force __be32)nf_ct_get_id(ct)) {
1619 nf_ct_put(ct);
1620 return -ENOENT;
1621 }
1622 }
1623
1624 nf_ct_delete(ct, NETLINK_CB(skb).portid, nlmsg_report(info->nlh));
1625 nf_ct_put(ct);
1626
1627 return 0;
1628 }
1629
1630 static int ctnetlink_get_conntrack(struct sk_buff *skb,
1631 const struct nfnl_info *info,
1632 const struct nlattr * const cda[])
1633 {
1634 u_int8_t u3 = info->nfmsg->nfgen_family;
1635 struct nf_conntrack_tuple_hash *h;
1636 struct nf_conntrack_tuple tuple;
1637 struct nf_conntrack_zone zone;
1638 struct sk_buff *skb2;
1639 struct nf_conn *ct;
1640 int err;
1641
1642 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
1643 struct netlink_dump_control c = {
1644 .start = ctnetlink_start,
1645 .dump = ctnetlink_dump_table,
1646 .done = ctnetlink_done,
1647 .data = (void *)cda,
1648 };
1649
1650 return netlink_dump_start(info->sk, skb, info->nlh, &c);
1651 }
1652
1653 err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone);
1654 if (err < 0)
1655 return err;
1656
1657 if (cda[CTA_TUPLE_ORIG])
1658 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG,
1659 u3, &zone);
1660 else if (cda[CTA_TUPLE_REPLY])
1661 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY,
1662 u3, &zone);
1663 else
1664 return -EINVAL;
1665
1666 if (err < 0)
1667 return err;
1668
1669 h = nf_conntrack_find_get(info->net, &zone, &tuple);
1670 if (!h)
1671 return -ENOENT;
1672
1673 ct = nf_ct_tuplehash_to_ctrack(h);
1674
1675 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1676 if (!skb2) {
1677 nf_ct_put(ct);
1678 return -ENOMEM;
1679 }
1680
1681 err = ctnetlink_fill_info(skb2, NETLINK_CB(skb).portid,
1682 info->nlh->nlmsg_seq,
1683 NFNL_MSG_TYPE(info->nlh->nlmsg_type), ct,
1684 true, 0);
1685 nf_ct_put(ct);
1686 if (err <= 0) {
1687 kfree_skb(skb2);
1688 return -ENOMEM;
1689 }
1690
1691 return nfnetlink_unicast(skb2, info->net, NETLINK_CB(skb).portid);
1692 }
1693
1694 static int ctnetlink_done_list(struct netlink_callback *cb)
1695 {
1696 if (cb->args[1])
1697 nf_ct_put((struct nf_conn *)cb->args[1]);
1698 return 0;
1699 }
1700
1701 static int
1702 ctnetlink_dump_list(struct sk_buff *skb, struct netlink_callback *cb, bool dying)
1703 {
1704 struct nf_conn *ct, *last;
1705 struct nf_conntrack_tuple_hash *h;
1706 struct hlist_nulls_node *n;
1707 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1708 u_int8_t l3proto = nfmsg->nfgen_family;
1709 int res;
1710 int cpu;
1711 struct hlist_nulls_head *list;
1712 struct net *net = sock_net(skb->sk);
1713
1714 if (cb->args[2])
1715 return 0;
1716
1717 last = (struct nf_conn *)cb->args[1];
1718
1719 for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) {
1720 struct ct_pcpu *pcpu;
1721
1722 if (!cpu_possible(cpu))
1723 continue;
1724
1725 pcpu = per_cpu_ptr(net->ct.pcpu_lists, cpu);
1726 spin_lock_bh(&pcpu->lock);
1727 list = dying ? &pcpu->dying : &pcpu->unconfirmed;
1728 restart:
1729 hlist_nulls_for_each_entry(h, n, list, hnnode) {
1730 ct = nf_ct_tuplehash_to_ctrack(h);
1731 if (l3proto && nf_ct_l3num(ct) != l3proto)
1732 continue;
1733 if (cb->args[1]) {
1734 if (ct != last)
1735 continue;
1736 cb->args[1] = 0;
1737 }
1738
1739 /* We can't dump extension info for the unconfirmed
1740 * list because unconfirmed conntracks can have
1741 * ct->ext reallocated (and thus freed).
1742 *
1743 * In the dying list case ct->ext can't be free'd
1744 * until after we drop pcpu->lock.
1745 */
1746 res = ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).portid,
1747 cb->nlh->nlmsg_seq,
1748 NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
1749 ct, dying, 0);
1750 if (res < 0) {
1751 if (!refcount_inc_not_zero(&ct->ct_general.use))
1752 continue;
1753 cb->args[0] = cpu;
1754 cb->args[1] = (unsigned long)ct;
1755 spin_unlock_bh(&pcpu->lock);
1756 goto out;
1757 }
1758 }
1759 if (cb->args[1]) {
1760 cb->args[1] = 0;
1761 goto restart;
1762 }
1763 spin_unlock_bh(&pcpu->lock);
1764 }
1765 cb->args[2] = 1;
1766 out:
1767 if (last)
1768 nf_ct_put(last);
1769
1770 return skb->len;
1771 }
1772
1773 static int
1774 ctnetlink_dump_dying(struct sk_buff *skb, struct netlink_callback *cb)
1775 {
1776 return ctnetlink_dump_list(skb, cb, true);
1777 }
1778
1779 static int ctnetlink_get_ct_dying(struct sk_buff *skb,
1780 const struct nfnl_info *info,
1781 const struct nlattr * const cda[])
1782 {
1783 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
1784 struct netlink_dump_control c = {
1785 .dump = ctnetlink_dump_dying,
1786 .done = ctnetlink_done_list,
1787 };
1788 return netlink_dump_start(info->sk, skb, info->nlh, &c);
1789 }
1790
1791 return -EOPNOTSUPP;
1792 }
1793
1794 static int
1795 ctnetlink_dump_unconfirmed(struct sk_buff *skb, struct netlink_callback *cb)
1796 {
1797 return ctnetlink_dump_list(skb, cb, false);
1798 }
1799
1800 static int ctnetlink_get_ct_unconfirmed(struct sk_buff *skb,
1801 const struct nfnl_info *info,
1802 const struct nlattr * const cda[])
1803 {
1804 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
1805 struct netlink_dump_control c = {
1806 .dump = ctnetlink_dump_unconfirmed,
1807 .done = ctnetlink_done_list,
1808 };
1809 return netlink_dump_start(info->sk, skb, info->nlh, &c);
1810 }
1811
1812 return -EOPNOTSUPP;
1813 }
1814
1815 #if IS_ENABLED(CONFIG_NF_NAT)
1816 static int
1817 ctnetlink_parse_nat_setup(struct nf_conn *ct,
1818 enum nf_nat_manip_type manip,
1819 const struct nlattr *attr)
1820 __must_hold(RCU)
1821 {
1822 const struct nf_nat_hook *nat_hook;
1823 int err;
1824
1825 nat_hook = rcu_dereference(nf_nat_hook);
1826 if (!nat_hook) {
1827 #ifdef CONFIG_MODULES
1828 rcu_read_unlock();
1829 nfnl_unlock(NFNL_SUBSYS_CTNETLINK);
1830 if (request_module("nf-nat") < 0) {
1831 nfnl_lock(NFNL_SUBSYS_CTNETLINK);
1832 rcu_read_lock();
1833 return -EOPNOTSUPP;
1834 }
1835 nfnl_lock(NFNL_SUBSYS_CTNETLINK);
1836 rcu_read_lock();
1837 nat_hook = rcu_dereference(nf_nat_hook);
1838 if (nat_hook)
1839 return -EAGAIN;
1840 #endif
1841 return -EOPNOTSUPP;
1842 }
1843
1844 err = nat_hook->parse_nat_setup(ct, manip, attr);
1845 if (err == -EAGAIN) {
1846 #ifdef CONFIG_MODULES
1847 rcu_read_unlock();
1848 nfnl_unlock(NFNL_SUBSYS_CTNETLINK);
1849 if (request_module("nf-nat-%u", nf_ct_l3num(ct)) < 0) {
1850 nfnl_lock(NFNL_SUBSYS_CTNETLINK);
1851 rcu_read_lock();
1852 return -EOPNOTSUPP;
1853 }
1854 nfnl_lock(NFNL_SUBSYS_CTNETLINK);
1855 rcu_read_lock();
1856 #else
1857 err = -EOPNOTSUPP;
1858 #endif
1859 }
1860 return err;
1861 }
1862 #endif
1863
1864 static void
1865 __ctnetlink_change_status(struct nf_conn *ct, unsigned long on,
1866 unsigned long off)
1867 {
1868 unsigned int bit;
1869
1870 /* Ignore these unchangable bits */
1871 on &= ~IPS_UNCHANGEABLE_MASK;
1872 off &= ~IPS_UNCHANGEABLE_MASK;
1873
1874 for (bit = 0; bit < __IPS_MAX_BIT; bit++) {
1875 if (on & (1 << bit))
1876 set_bit(bit, &ct->status);
1877 else if (off & (1 << bit))
1878 clear_bit(bit, &ct->status);
1879 }
1880 }
1881
1882 static int
1883 ctnetlink_change_status(struct nf_conn *ct, const struct nlattr * const cda[])
1884 {
1885 unsigned long d;
1886 unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS]));
1887 d = ct->status ^ status;
1888
1889 if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING))
1890 /* unchangeable */
1891 return -EBUSY;
1892
1893 if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY))
1894 /* SEEN_REPLY bit can only be set */
1895 return -EBUSY;
1896
1897 if (d & IPS_ASSURED && !(status & IPS_ASSURED))
1898 /* ASSURED bit can only be set */
1899 return -EBUSY;
1900
1901 __ctnetlink_change_status(ct, status, 0);
1902 return 0;
1903 }
1904
1905 static int
1906 ctnetlink_setup_nat(struct nf_conn *ct, const struct nlattr * const cda[])
1907 {
1908 #if IS_ENABLED(CONFIG_NF_NAT)
1909 int ret;
1910
1911 if (!cda[CTA_NAT_DST] && !cda[CTA_NAT_SRC])
1912 return 0;
1913
1914 ret = ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_DST,
1915 cda[CTA_NAT_DST]);
1916 if (ret < 0)
1917 return ret;
1918
1919 return ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_SRC,
1920 cda[CTA_NAT_SRC]);
1921 #else
1922 if (!cda[CTA_NAT_DST] && !cda[CTA_NAT_SRC])
1923 return 0;
1924 return -EOPNOTSUPP;
1925 #endif
1926 }
1927
1928 static int ctnetlink_change_helper(struct nf_conn *ct,
1929 const struct nlattr * const cda[])
1930 {
1931 struct nf_conntrack_helper *helper;
1932 struct nf_conn_help *help = nfct_help(ct);
1933 char *helpname = NULL;
1934 struct nlattr *helpinfo = NULL;
1935 int err;
1936
1937 err = ctnetlink_parse_help(cda[CTA_HELP], &helpname, &helpinfo);
1938 if (err < 0)
1939 return err;
1940
1941 /* don't change helper of sibling connections */
1942 if (ct->master) {
1943 /* If we try to change the helper to the same thing twice,
1944 * treat the second attempt as a no-op instead of returning
1945 * an error.
1946 */
1947 err = -EBUSY;
1948 if (help) {
1949 rcu_read_lock();
1950 helper = rcu_dereference(help->helper);
1951 if (helper && !strcmp(helper->name, helpname))
1952 err = 0;
1953 rcu_read_unlock();
1954 }
1955
1956 return err;
1957 }
1958
1959 if (!strcmp(helpname, "")) {
1960 if (help && help->helper) {
1961 /* we had a helper before ... */
1962 nf_ct_remove_expectations(ct);
1963 RCU_INIT_POINTER(help->helper, NULL);
1964 }
1965
1966 return 0;
1967 }
1968
1969 rcu_read_lock();
1970 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
1971 nf_ct_protonum(ct));
1972 if (helper == NULL) {
1973 rcu_read_unlock();
1974 return -EOPNOTSUPP;
1975 }
1976
1977 if (help) {
1978 if (help->helper == helper) {
1979 /* update private helper data if allowed. */
1980 if (helper->from_nlattr)
1981 helper->from_nlattr(helpinfo, ct);
1982 err = 0;
1983 } else
1984 err = -EBUSY;
1985 } else {
1986 /* we cannot set a helper for an existing conntrack */
1987 err = -EOPNOTSUPP;
1988 }
1989
1990 rcu_read_unlock();
1991 return err;
1992 }
1993
1994 static int ctnetlink_change_timeout(struct nf_conn *ct,
1995 const struct nlattr * const cda[])
1996 {
1997 u64 timeout = (u64)ntohl(nla_get_be32(cda[CTA_TIMEOUT])) * HZ;
1998
1999 if (timeout > INT_MAX)
2000 timeout = INT_MAX;
2001 WRITE_ONCE(ct->timeout, nfct_time_stamp + (u32)timeout);
2002
2003 if (test_bit(IPS_DYING_BIT, &ct->status))
2004 return -ETIME;
2005
2006 return 0;
2007 }
2008
2009 #if defined(CONFIG_NF_CONNTRACK_MARK)
2010 static void ctnetlink_change_mark(struct nf_conn *ct,
2011 const struct nlattr * const cda[])
2012 {
2013 u32 mark, newmark, mask = 0;
2014
2015 if (cda[CTA_MARK_MASK])
2016 mask = ~ntohl(nla_get_be32(cda[CTA_MARK_MASK]));
2017
2018 mark = ntohl(nla_get_be32(cda[CTA_MARK]));
2019 newmark = (ct->mark & mask) ^ mark;
2020 if (newmark != ct->mark)
2021 ct->mark = newmark;
2022 }
2023 #endif
2024
2025 static const struct nla_policy protoinfo_policy[CTA_PROTOINFO_MAX+1] = {
2026 [CTA_PROTOINFO_TCP] = { .type = NLA_NESTED },
2027 [CTA_PROTOINFO_DCCP] = { .type = NLA_NESTED },
2028 [CTA_PROTOINFO_SCTP] = { .type = NLA_NESTED },
2029 };
2030
2031 static int ctnetlink_change_protoinfo(struct nf_conn *ct,
2032 const struct nlattr * const cda[])
2033 {
2034 const struct nlattr *attr = cda[CTA_PROTOINFO];
2035 const struct nf_conntrack_l4proto *l4proto;
2036 struct nlattr *tb[CTA_PROTOINFO_MAX+1];
2037 int err = 0;
2038
2039 err = nla_parse_nested_deprecated(tb, CTA_PROTOINFO_MAX, attr,
2040 protoinfo_policy, NULL);
2041 if (err < 0)
2042 return err;
2043
2044 l4proto = nf_ct_l4proto_find(nf_ct_protonum(ct));
2045 if (l4proto->from_nlattr)
2046 err = l4proto->from_nlattr(tb, ct);
2047
2048 return err;
2049 }
2050
2051 static const struct nla_policy seqadj_policy[CTA_SEQADJ_MAX+1] = {
2052 [CTA_SEQADJ_CORRECTION_POS] = { .type = NLA_U32 },
2053 [CTA_SEQADJ_OFFSET_BEFORE] = { .type = NLA_U32 },
2054 [CTA_SEQADJ_OFFSET_AFTER] = { .type = NLA_U32 },
2055 };
2056
2057 static int change_seq_adj(struct nf_ct_seqadj *seq,
2058 const struct nlattr * const attr)
2059 {
2060 int err;
2061 struct nlattr *cda[CTA_SEQADJ_MAX+1];
2062
2063 err = nla_parse_nested_deprecated(cda, CTA_SEQADJ_MAX, attr,
2064 seqadj_policy, NULL);
2065 if (err < 0)
2066 return err;
2067
2068 if (!cda[CTA_SEQADJ_CORRECTION_POS])
2069 return -EINVAL;
2070
2071 seq->correction_pos =
2072 ntohl(nla_get_be32(cda[CTA_SEQADJ_CORRECTION_POS]));
2073
2074 if (!cda[CTA_SEQADJ_OFFSET_BEFORE])
2075 return -EINVAL;
2076
2077 seq->offset_before =
2078 ntohl(nla_get_be32(cda[CTA_SEQADJ_OFFSET_BEFORE]));
2079
2080 if (!cda[CTA_SEQADJ_OFFSET_AFTER])
2081 return -EINVAL;
2082
2083 seq->offset_after =
2084 ntohl(nla_get_be32(cda[CTA_SEQADJ_OFFSET_AFTER]));
2085
2086 return 0;
2087 }
2088
2089 static int
2090 ctnetlink_change_seq_adj(struct nf_conn *ct,
2091 const struct nlattr * const cda[])
2092 {
2093 struct nf_conn_seqadj *seqadj = nfct_seqadj(ct);
2094 int ret = 0;
2095
2096 if (!seqadj)
2097 return 0;
2098
2099 spin_lock_bh(&ct->lock);
2100 if (cda[CTA_SEQ_ADJ_ORIG]) {
2101 ret = change_seq_adj(&seqadj->seq[IP_CT_DIR_ORIGINAL],
2102 cda[CTA_SEQ_ADJ_ORIG]);
2103 if (ret < 0)
2104 goto err;
2105
2106 set_bit(IPS_SEQ_ADJUST_BIT, &ct->status);
2107 }
2108
2109 if (cda[CTA_SEQ_ADJ_REPLY]) {
2110 ret = change_seq_adj(&seqadj->seq[IP_CT_DIR_REPLY],
2111 cda[CTA_SEQ_ADJ_REPLY]);
2112 if (ret < 0)
2113 goto err;
2114
2115 set_bit(IPS_SEQ_ADJUST_BIT, &ct->status);
2116 }
2117
2118 spin_unlock_bh(&ct->lock);
2119 return 0;
2120 err:
2121 spin_unlock_bh(&ct->lock);
2122 return ret;
2123 }
2124
2125 static const struct nla_policy synproxy_policy[CTA_SYNPROXY_MAX + 1] = {
2126 [CTA_SYNPROXY_ISN] = { .type = NLA_U32 },
2127 [CTA_SYNPROXY_ITS] = { .type = NLA_U32 },
2128 [CTA_SYNPROXY_TSOFF] = { .type = NLA_U32 },
2129 };
2130
2131 static int ctnetlink_change_synproxy(struct nf_conn *ct,
2132 const struct nlattr * const cda[])
2133 {
2134 struct nf_conn_synproxy *synproxy = nfct_synproxy(ct);
2135 struct nlattr *tb[CTA_SYNPROXY_MAX + 1];
2136 int err;
2137
2138 if (!synproxy)
2139 return 0;
2140
2141 err = nla_parse_nested_deprecated(tb, CTA_SYNPROXY_MAX,
2142 cda[CTA_SYNPROXY], synproxy_policy,
2143 NULL);
2144 if (err < 0)
2145 return err;
2146
2147 if (!tb[CTA_SYNPROXY_ISN] ||
2148 !tb[CTA_SYNPROXY_ITS] ||
2149 !tb[CTA_SYNPROXY_TSOFF])
2150 return -EINVAL;
2151
2152 synproxy->isn = ntohl(nla_get_be32(tb[CTA_SYNPROXY_ISN]));
2153 synproxy->its = ntohl(nla_get_be32(tb[CTA_SYNPROXY_ITS]));
2154 synproxy->tsoff = ntohl(nla_get_be32(tb[CTA_SYNPROXY_TSOFF]));
2155
2156 return 0;
2157 }
2158
2159 static int
2160 ctnetlink_attach_labels(struct nf_conn *ct, const struct nlattr * const cda[])
2161 {
2162 #ifdef CONFIG_NF_CONNTRACK_LABELS
2163 size_t len = nla_len(cda[CTA_LABELS]);
2164 const void *mask = cda[CTA_LABELS_MASK];
2165
2166 if (len & (sizeof(u32)-1)) /* must be multiple of u32 */
2167 return -EINVAL;
2168
2169 if (mask) {
2170 if (nla_len(cda[CTA_LABELS_MASK]) == 0 ||
2171 nla_len(cda[CTA_LABELS_MASK]) != len)
2172 return -EINVAL;
2173 mask = nla_data(cda[CTA_LABELS_MASK]);
2174 }
2175
2176 len /= sizeof(u32);
2177
2178 return nf_connlabels_replace(ct, nla_data(cda[CTA_LABELS]), mask, len);
2179 #else
2180 return -EOPNOTSUPP;
2181 #endif
2182 }
2183
2184 static int
2185 ctnetlink_change_conntrack(struct nf_conn *ct,
2186 const struct nlattr * const cda[])
2187 {
2188 int err;
2189
2190 /* only allow NAT changes and master assignation for new conntracks */
2191 if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST] || cda[CTA_TUPLE_MASTER])
2192 return -EOPNOTSUPP;
2193
2194 if (cda[CTA_HELP]) {
2195 err = ctnetlink_change_helper(ct, cda);
2196 if (err < 0)
2197 return err;
2198 }
2199
2200 if (cda[CTA_TIMEOUT]) {
2201 err = ctnetlink_change_timeout(ct, cda);
2202 if (err < 0)
2203 return err;
2204 }
2205
2206 if (cda[CTA_STATUS]) {
2207 err = ctnetlink_change_status(ct, cda);
2208 if (err < 0)
2209 return err;
2210 }
2211
2212 if (cda[CTA_PROTOINFO]) {
2213 err = ctnetlink_change_protoinfo(ct, cda);
2214 if (err < 0)
2215 return err;
2216 }
2217
2218 #if defined(CONFIG_NF_CONNTRACK_MARK)
2219 if (cda[CTA_MARK])
2220 ctnetlink_change_mark(ct, cda);
2221 #endif
2222
2223 if (cda[CTA_SEQ_ADJ_ORIG] || cda[CTA_SEQ_ADJ_REPLY]) {
2224 err = ctnetlink_change_seq_adj(ct, cda);
2225 if (err < 0)
2226 return err;
2227 }
2228
2229 if (cda[CTA_SYNPROXY]) {
2230 err = ctnetlink_change_synproxy(ct, cda);
2231 if (err < 0)
2232 return err;
2233 }
2234
2235 if (cda[CTA_LABELS]) {
2236 err = ctnetlink_attach_labels(ct, cda);
2237 if (err < 0)
2238 return err;
2239 }
2240
2241 return 0;
2242 }
2243
2244 static struct nf_conn *
2245 ctnetlink_create_conntrack(struct net *net,
2246 const struct nf_conntrack_zone *zone,
2247 const struct nlattr * const cda[],
2248 struct nf_conntrack_tuple *otuple,
2249 struct nf_conntrack_tuple *rtuple,
2250 u8 u3)
2251 {
2252 struct nf_conn *ct;
2253 int err = -EINVAL;
2254 struct nf_conntrack_helper *helper;
2255 struct nf_conn_tstamp *tstamp;
2256 u64 timeout;
2257
2258 ct = nf_conntrack_alloc(net, zone, otuple, rtuple, GFP_ATOMIC);
2259 if (IS_ERR(ct))
2260 return ERR_PTR(-ENOMEM);
2261
2262 if (!cda[CTA_TIMEOUT])
2263 goto err1;
2264
2265 timeout = (u64)ntohl(nla_get_be32(cda[CTA_TIMEOUT])) * HZ;
2266 if (timeout > INT_MAX)
2267 timeout = INT_MAX;
2268 ct->timeout = (u32)timeout + nfct_time_stamp;
2269
2270 rcu_read_lock();
2271 if (cda[CTA_HELP]) {
2272 char *helpname = NULL;
2273 struct nlattr *helpinfo = NULL;
2274
2275 err = ctnetlink_parse_help(cda[CTA_HELP], &helpname, &helpinfo);
2276 if (err < 0)
2277 goto err2;
2278
2279 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
2280 nf_ct_protonum(ct));
2281 if (helper == NULL) {
2282 rcu_read_unlock();
2283 #ifdef CONFIG_MODULES
2284 if (request_module("nfct-helper-%s", helpname) < 0) {
2285 err = -EOPNOTSUPP;
2286 goto err1;
2287 }
2288
2289 rcu_read_lock();
2290 helper = __nf_conntrack_helper_find(helpname,
2291 nf_ct_l3num(ct),
2292 nf_ct_protonum(ct));
2293 if (helper) {
2294 err = -EAGAIN;
2295 goto err2;
2296 }
2297 rcu_read_unlock();
2298 #endif
2299 err = -EOPNOTSUPP;
2300 goto err1;
2301 } else {
2302 struct nf_conn_help *help;
2303
2304 help = nf_ct_helper_ext_add(ct, GFP_ATOMIC);
2305 if (help == NULL) {
2306 err = -ENOMEM;
2307 goto err2;
2308 }
2309 /* set private helper data if allowed. */
2310 if (helper->from_nlattr)
2311 helper->from_nlattr(helpinfo, ct);
2312
2313 /* not in hash table yet so not strictly necessary */
2314 RCU_INIT_POINTER(help->helper, helper);
2315 }
2316 } else {
2317 /* try an implicit helper assignation */
2318 err = __nf_ct_try_assign_helper(ct, NULL, GFP_ATOMIC);
2319 if (err < 0)
2320 goto err2;
2321 }
2322
2323 err = ctnetlink_setup_nat(ct, cda);
2324 if (err < 0)
2325 goto err2;
2326
2327 nf_ct_acct_ext_add(ct, GFP_ATOMIC);
2328 nf_ct_tstamp_ext_add(ct, GFP_ATOMIC);
2329 nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC);
2330 nf_ct_labels_ext_add(ct);
2331 nfct_seqadj_ext_add(ct);
2332 nfct_synproxy_ext_add(ct);
2333
2334 /* we must add conntrack extensions before confirmation. */
2335 ct->status |= IPS_CONFIRMED;
2336
2337 if (cda[CTA_STATUS]) {
2338 err = ctnetlink_change_status(ct, cda);
2339 if (err < 0)
2340 goto err2;
2341 }
2342
2343 if (cda[CTA_SEQ_ADJ_ORIG] || cda[CTA_SEQ_ADJ_REPLY]) {
2344 err = ctnetlink_change_seq_adj(ct, cda);
2345 if (err < 0)
2346 goto err2;
2347 }
2348
2349 memset(&ct->proto, 0, sizeof(ct->proto));
2350 if (cda[CTA_PROTOINFO]) {
2351 err = ctnetlink_change_protoinfo(ct, cda);
2352 if (err < 0)
2353 goto err2;
2354 }
2355
2356 if (cda[CTA_SYNPROXY]) {
2357 err = ctnetlink_change_synproxy(ct, cda);
2358 if (err < 0)
2359 goto err2;
2360 }
2361
2362 #if defined(CONFIG_NF_CONNTRACK_MARK)
2363 if (cda[CTA_MARK])
2364 ctnetlink_change_mark(ct, cda);
2365 #endif
2366
2367 /* setup master conntrack: this is a confirmed expectation */
2368 if (cda[CTA_TUPLE_MASTER]) {
2369 struct nf_conntrack_tuple master;
2370 struct nf_conntrack_tuple_hash *master_h;
2371 struct nf_conn *master_ct;
2372
2373 err = ctnetlink_parse_tuple(cda, &master, CTA_TUPLE_MASTER,
2374 u3, NULL);
2375 if (err < 0)
2376 goto err2;
2377
2378 master_h = nf_conntrack_find_get(net, zone, &master);
2379 if (master_h == NULL) {
2380 err = -ENOENT;
2381 goto err2;
2382 }
2383 master_ct = nf_ct_tuplehash_to_ctrack(master_h);
2384 __set_bit(IPS_EXPECTED_BIT, &ct->status);
2385 ct->master = master_ct;
2386 }
2387 tstamp = nf_conn_tstamp_find(ct);
2388 if (tstamp)
2389 tstamp->start = ktime_get_real_ns();
2390
2391 err = nf_conntrack_hash_check_insert(ct);
2392 if (err < 0)
2393 goto err2;
2394
2395 rcu_read_unlock();
2396
2397 return ct;
2398
2399 err2:
2400 rcu_read_unlock();
2401 err1:
2402 nf_conntrack_free(ct);
2403 return ERR_PTR(err);
2404 }
2405
2406 static int ctnetlink_new_conntrack(struct sk_buff *skb,
2407 const struct nfnl_info *info,
2408 const struct nlattr * const cda[])
2409 {
2410 struct nf_conntrack_tuple otuple, rtuple;
2411 struct nf_conntrack_tuple_hash *h = NULL;
2412 u_int8_t u3 = info->nfmsg->nfgen_family;
2413 struct nf_conntrack_zone zone;
2414 struct nf_conn *ct;
2415 int err;
2416
2417 err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone);
2418 if (err < 0)
2419 return err;
2420
2421 if (cda[CTA_TUPLE_ORIG]) {
2422 err = ctnetlink_parse_tuple(cda, &otuple, CTA_TUPLE_ORIG,
2423 u3, &zone);
2424 if (err < 0)
2425 return err;
2426 }
2427
2428 if (cda[CTA_TUPLE_REPLY]) {
2429 err = ctnetlink_parse_tuple(cda, &rtuple, CTA_TUPLE_REPLY,
2430 u3, &zone);
2431 if (err < 0)
2432 return err;
2433 }
2434
2435 if (cda[CTA_TUPLE_ORIG])
2436 h = nf_conntrack_find_get(info->net, &zone, &otuple);
2437 else if (cda[CTA_TUPLE_REPLY])
2438 h = nf_conntrack_find_get(info->net, &zone, &rtuple);
2439
2440 if (h == NULL) {
2441 err = -ENOENT;
2442 if (info->nlh->nlmsg_flags & NLM_F_CREATE) {
2443 enum ip_conntrack_events events;
2444
2445 if (!cda[CTA_TUPLE_ORIG] || !cda[CTA_TUPLE_REPLY])
2446 return -EINVAL;
2447 if (otuple.dst.protonum != rtuple.dst.protonum)
2448 return -EINVAL;
2449
2450 ct = ctnetlink_create_conntrack(info->net, &zone, cda,
2451 &otuple, &rtuple, u3);
2452 if (IS_ERR(ct))
2453 return PTR_ERR(ct);
2454
2455 err = 0;
2456 if (test_bit(IPS_EXPECTED_BIT, &ct->status))
2457 events = 1 << IPCT_RELATED;
2458 else
2459 events = 1 << IPCT_NEW;
2460
2461 if (cda[CTA_LABELS] &&
2462 ctnetlink_attach_labels(ct, cda) == 0)
2463 events |= (1 << IPCT_LABEL);
2464
2465 nf_conntrack_eventmask_report((1 << IPCT_REPLY) |
2466 (1 << IPCT_ASSURED) |
2467 (1 << IPCT_HELPER) |
2468 (1 << IPCT_PROTOINFO) |
2469 (1 << IPCT_SEQADJ) |
2470 (1 << IPCT_MARK) |
2471 (1 << IPCT_SYNPROXY) |
2472 events,
2473 ct, NETLINK_CB(skb).portid,
2474 nlmsg_report(info->nlh));
2475 nf_ct_put(ct);
2476 }
2477
2478 return err;
2479 }
2480 /* implicit 'else' */
2481
2482 err = -EEXIST;
2483 ct = nf_ct_tuplehash_to_ctrack(h);
2484 if (!(info->nlh->nlmsg_flags & NLM_F_EXCL)) {
2485 err = ctnetlink_change_conntrack(ct, cda);
2486 if (err == 0) {
2487 nf_conntrack_eventmask_report((1 << IPCT_REPLY) |
2488 (1 << IPCT_ASSURED) |
2489 (1 << IPCT_HELPER) |
2490 (1 << IPCT_LABEL) |
2491 (1 << IPCT_PROTOINFO) |
2492 (1 << IPCT_SEQADJ) |
2493 (1 << IPCT_MARK) |
2494 (1 << IPCT_SYNPROXY),
2495 ct, NETLINK_CB(skb).portid,
2496 nlmsg_report(info->nlh));
2497 }
2498 }
2499
2500 nf_ct_put(ct);
2501 return err;
2502 }
2503
2504 static int
2505 ctnetlink_ct_stat_cpu_fill_info(struct sk_buff *skb, u32 portid, u32 seq,
2506 __u16 cpu, const struct ip_conntrack_stat *st)
2507 {
2508 struct nlmsghdr *nlh;
2509 unsigned int flags = portid ? NLM_F_MULTI : 0, event;
2510
2511 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK,
2512 IPCTNL_MSG_CT_GET_STATS_CPU);
2513 nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC,
2514 NFNETLINK_V0, htons(cpu));
2515 if (!nlh)
2516 goto nlmsg_failure;
2517
2518 if (nla_put_be32(skb, CTA_STATS_FOUND, htonl(st->found)) ||
2519 nla_put_be32(skb, CTA_STATS_INVALID, htonl(st->invalid)) ||
2520 nla_put_be32(skb, CTA_STATS_INSERT, htonl(st->insert)) ||
2521 nla_put_be32(skb, CTA_STATS_INSERT_FAILED,
2522 htonl(st->insert_failed)) ||
2523 nla_put_be32(skb, CTA_STATS_DROP, htonl(st->drop)) ||
2524 nla_put_be32(skb, CTA_STATS_EARLY_DROP, htonl(st->early_drop)) ||
2525 nla_put_be32(skb, CTA_STATS_ERROR, htonl(st->error)) ||
2526 nla_put_be32(skb, CTA_STATS_SEARCH_RESTART,
2527 htonl(st->search_restart)) ||
2528 nla_put_be32(skb, CTA_STATS_CLASH_RESOLVE,
2529 htonl(st->clash_resolve)) ||
2530 nla_put_be32(skb, CTA_STATS_CHAIN_TOOLONG,
2531 htonl(st->chaintoolong)))
2532 goto nla_put_failure;
2533
2534 nlmsg_end(skb, nlh);
2535 return skb->len;
2536
2537 nla_put_failure:
2538 nlmsg_failure:
2539 nlmsg_cancel(skb, nlh);
2540 return -1;
2541 }
2542
2543 static int
2544 ctnetlink_ct_stat_cpu_dump(struct sk_buff *skb, struct netlink_callback *cb)
2545 {
2546 int cpu;
2547 struct net *net = sock_net(skb->sk);
2548
2549 if (cb->args[0] == nr_cpu_ids)
2550 return 0;
2551
2552 for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) {
2553 const struct ip_conntrack_stat *st;
2554
2555 if (!cpu_possible(cpu))
2556 continue;
2557
2558 st = per_cpu_ptr(net->ct.stat, cpu);
2559 if (ctnetlink_ct_stat_cpu_fill_info(skb,
2560 NETLINK_CB(cb->skb).portid,
2561 cb->nlh->nlmsg_seq,
2562 cpu, st) < 0)
2563 break;
2564 }
2565 cb->args[0] = cpu;
2566
2567 return skb->len;
2568 }
2569
2570 static int ctnetlink_stat_ct_cpu(struct sk_buff *skb,
2571 const struct nfnl_info *info,
2572 const struct nlattr * const cda[])
2573 {
2574 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
2575 struct netlink_dump_control c = {
2576 .dump = ctnetlink_ct_stat_cpu_dump,
2577 };
2578 return netlink_dump_start(info->sk, skb, info->nlh, &c);
2579 }
2580
2581 return 0;
2582 }
2583
2584 static int
2585 ctnetlink_stat_ct_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
2586 struct net *net)
2587 {
2588 unsigned int flags = portid ? NLM_F_MULTI : 0, event;
2589 unsigned int nr_conntracks;
2590 struct nlmsghdr *nlh;
2591
2592 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, IPCTNL_MSG_CT_GET_STATS);
2593 nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC,
2594 NFNETLINK_V0, 0);
2595 if (!nlh)
2596 goto nlmsg_failure;
2597
2598 nr_conntracks = nf_conntrack_count(net);
2599 if (nla_put_be32(skb, CTA_STATS_GLOBAL_ENTRIES, htonl(nr_conntracks)))
2600 goto nla_put_failure;
2601
2602 if (nla_put_be32(skb, CTA_STATS_GLOBAL_MAX_ENTRIES, htonl(nf_conntrack_max)))
2603 goto nla_put_failure;
2604
2605 nlmsg_end(skb, nlh);
2606 return skb->len;
2607
2608 nla_put_failure:
2609 nlmsg_failure:
2610 nlmsg_cancel(skb, nlh);
2611 return -1;
2612 }
2613
2614 static int ctnetlink_stat_ct(struct sk_buff *skb, const struct nfnl_info *info,
2615 const struct nlattr * const cda[])
2616 {
2617 struct sk_buff *skb2;
2618 int err;
2619
2620 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2621 if (skb2 == NULL)
2622 return -ENOMEM;
2623
2624 err = ctnetlink_stat_ct_fill_info(skb2, NETLINK_CB(skb).portid,
2625 info->nlh->nlmsg_seq,
2626 NFNL_MSG_TYPE(info->nlh->nlmsg_type),
2627 sock_net(skb->sk));
2628 if (err <= 0) {
2629 kfree_skb(skb2);
2630 return -ENOMEM;
2631 }
2632
2633 return nfnetlink_unicast(skb2, info->net, NETLINK_CB(skb).portid);
2634 }
2635
2636 static const struct nla_policy exp_nla_policy[CTA_EXPECT_MAX+1] = {
2637 [CTA_EXPECT_MASTER] = { .type = NLA_NESTED },
2638 [CTA_EXPECT_TUPLE] = { .type = NLA_NESTED },
2639 [CTA_EXPECT_MASK] = { .type = NLA_NESTED },
2640 [CTA_EXPECT_TIMEOUT] = { .type = NLA_U32 },
2641 [CTA_EXPECT_ID] = { .type = NLA_U32 },
2642 [CTA_EXPECT_HELP_NAME] = { .type = NLA_NUL_STRING,
2643 .len = NF_CT_HELPER_NAME_LEN - 1 },
2644 [CTA_EXPECT_ZONE] = { .type = NLA_U16 },
2645 [CTA_EXPECT_FLAGS] = { .type = NLA_U32 },
2646 [CTA_EXPECT_CLASS] = { .type = NLA_U32 },
2647 [CTA_EXPECT_NAT] = { .type = NLA_NESTED },
2648 [CTA_EXPECT_FN] = { .type = NLA_NUL_STRING },
2649 };
2650
2651 static struct nf_conntrack_expect *
2652 ctnetlink_alloc_expect(const struct nlattr *const cda[], struct nf_conn *ct,
2653 struct nf_conntrack_helper *helper,
2654 struct nf_conntrack_tuple *tuple,
2655 struct nf_conntrack_tuple *mask);
2656
2657 #ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT
2658 static size_t
2659 ctnetlink_glue_build_size(const struct nf_conn *ct)
2660 {
2661 return 3 * nla_total_size(0) /* CTA_TUPLE_ORIG|REPL|MASTER */
2662 + 3 * nla_total_size(0) /* CTA_TUPLE_IP */
2663 + 3 * nla_total_size(0) /* CTA_TUPLE_PROTO */
2664 + 3 * nla_total_size(sizeof(u_int8_t)) /* CTA_PROTO_NUM */
2665 + nla_total_size(sizeof(u_int32_t)) /* CTA_ID */
2666 + nla_total_size(sizeof(u_int32_t)) /* CTA_STATUS */
2667 + nla_total_size(sizeof(u_int32_t)) /* CTA_TIMEOUT */
2668 + nla_total_size(0) /* CTA_PROTOINFO */
2669 + nla_total_size(0) /* CTA_HELP */
2670 + nla_total_size(NF_CT_HELPER_NAME_LEN) /* CTA_HELP_NAME */
2671 + ctnetlink_secctx_size(ct)
2672 + ctnetlink_acct_size(ct)
2673 + ctnetlink_timestamp_size(ct)
2674 #if IS_ENABLED(CONFIG_NF_NAT)
2675 + 2 * nla_total_size(0) /* CTA_NAT_SEQ_ADJ_ORIG|REPL */
2676 + 6 * nla_total_size(sizeof(u_int32_t)) /* CTA_NAT_SEQ_OFFSET */
2677 #endif
2678 #ifdef CONFIG_NF_CONNTRACK_MARK
2679 + nla_total_size(sizeof(u_int32_t)) /* CTA_MARK */
2680 #endif
2681 #ifdef CONFIG_NF_CONNTRACK_ZONES
2682 + nla_total_size(sizeof(u_int16_t)) /* CTA_ZONE|CTA_TUPLE_ZONE */
2683 #endif
2684 + ctnetlink_proto_size(ct)
2685 ;
2686 }
2687
2688 static int __ctnetlink_glue_build(struct sk_buff *skb, struct nf_conn *ct)
2689 {
2690 const struct nf_conntrack_zone *zone;
2691 struct nlattr *nest_parms;
2692
2693 zone = nf_ct_zone(ct);
2694
2695 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG);
2696 if (!nest_parms)
2697 goto nla_put_failure;
2698 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
2699 goto nla_put_failure;
2700 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
2701 NF_CT_ZONE_DIR_ORIG) < 0)
2702 goto nla_put_failure;
2703 nla_nest_end(skb, nest_parms);
2704
2705 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY);
2706 if (!nest_parms)
2707 goto nla_put_failure;
2708 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
2709 goto nla_put_failure;
2710 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
2711 NF_CT_ZONE_DIR_REPL) < 0)
2712 goto nla_put_failure;
2713 nla_nest_end(skb, nest_parms);
2714
2715 if (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone,
2716 NF_CT_DEFAULT_ZONE_DIR) < 0)
2717 goto nla_put_failure;
2718
2719 if (ctnetlink_dump_id(skb, ct) < 0)
2720 goto nla_put_failure;
2721
2722 if (ctnetlink_dump_status(skb, ct) < 0)
2723 goto nla_put_failure;
2724
2725 if (ctnetlink_dump_timeout(skb, ct, false) < 0)
2726 goto nla_put_failure;
2727
2728 if (ctnetlink_dump_protoinfo(skb, ct, false) < 0)
2729 goto nla_put_failure;
2730
2731 if (ctnetlink_dump_acct(skb, ct, IPCTNL_MSG_CT_GET) < 0 ||
2732 ctnetlink_dump_timestamp(skb, ct) < 0)
2733 goto nla_put_failure;
2734
2735 if (ctnetlink_dump_helpinfo(skb, ct) < 0)
2736 goto nla_put_failure;
2737
2738 #ifdef CONFIG_NF_CONNTRACK_SECMARK
2739 if (ct->secmark && ctnetlink_dump_secctx(skb, ct) < 0)
2740 goto nla_put_failure;
2741 #endif
2742 if (ct->master && ctnetlink_dump_master(skb, ct) < 0)
2743 goto nla_put_failure;
2744
2745 if ((ct->status & IPS_SEQ_ADJUST) &&
2746 ctnetlink_dump_ct_seq_adj(skb, ct) < 0)
2747 goto nla_put_failure;
2748
2749 if (ctnetlink_dump_ct_synproxy(skb, ct) < 0)
2750 goto nla_put_failure;
2751
2752 #ifdef CONFIG_NF_CONNTRACK_MARK
2753 if (ct->mark && ctnetlink_dump_mark(skb, ct) < 0)
2754 goto nla_put_failure;
2755 #endif
2756 if (ctnetlink_dump_labels(skb, ct) < 0)
2757 goto nla_put_failure;
2758 return 0;
2759
2760 nla_put_failure:
2761 return -ENOSPC;
2762 }
2763
2764 static int
2765 ctnetlink_glue_build(struct sk_buff *skb, struct nf_conn *ct,
2766 enum ip_conntrack_info ctinfo,
2767 u_int16_t ct_attr, u_int16_t ct_info_attr)
2768 {
2769 struct nlattr *nest_parms;
2770
2771 nest_parms = nla_nest_start(skb, ct_attr);
2772 if (!nest_parms)
2773 goto nla_put_failure;
2774
2775 if (__ctnetlink_glue_build(skb, ct) < 0)
2776 goto nla_put_failure;
2777
2778 nla_nest_end(skb, nest_parms);
2779
2780 if (nla_put_be32(skb, ct_info_attr, htonl(ctinfo)))
2781 goto nla_put_failure;
2782
2783 return 0;
2784
2785 nla_put_failure:
2786 return -ENOSPC;
2787 }
2788
2789 static int
2790 ctnetlink_update_status(struct nf_conn *ct, const struct nlattr * const cda[])
2791 {
2792 unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS]));
2793 unsigned long d = ct->status ^ status;
2794
2795 if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY))
2796 /* SEEN_REPLY bit can only be set */
2797 return -EBUSY;
2798
2799 if (d & IPS_ASSURED && !(status & IPS_ASSURED))
2800 /* ASSURED bit can only be set */
2801 return -EBUSY;
2802
2803 /* This check is less strict than ctnetlink_change_status()
2804 * because callers often flip IPS_EXPECTED bits when sending
2805 * an NFQA_CT attribute to the kernel. So ignore the
2806 * unchangeable bits but do not error out. Also user programs
2807 * are allowed to clear the bits that they are allowed to change.
2808 */
2809 __ctnetlink_change_status(ct, status, ~status);
2810 return 0;
2811 }
2812
2813 static int
2814 ctnetlink_glue_parse_ct(const struct nlattr *cda[], struct nf_conn *ct)
2815 {
2816 int err;
2817
2818 if (cda[CTA_TIMEOUT]) {
2819 err = ctnetlink_change_timeout(ct, cda);
2820 if (err < 0)
2821 return err;
2822 }
2823 if (cda[CTA_STATUS]) {
2824 err = ctnetlink_update_status(ct, cda);
2825 if (err < 0)
2826 return err;
2827 }
2828 if (cda[CTA_HELP]) {
2829 err = ctnetlink_change_helper(ct, cda);
2830 if (err < 0)
2831 return err;
2832 }
2833 if (cda[CTA_LABELS]) {
2834 err = ctnetlink_attach_labels(ct, cda);
2835 if (err < 0)
2836 return err;
2837 }
2838 #if defined(CONFIG_NF_CONNTRACK_MARK)
2839 if (cda[CTA_MARK]) {
2840 ctnetlink_change_mark(ct, cda);
2841 }
2842 #endif
2843 return 0;
2844 }
2845
2846 static int
2847 ctnetlink_glue_parse(const struct nlattr *attr, struct nf_conn *ct)
2848 {
2849 struct nlattr *cda[CTA_MAX+1];
2850 int ret;
2851
2852 ret = nla_parse_nested_deprecated(cda, CTA_MAX, attr, ct_nla_policy,
2853 NULL);
2854 if (ret < 0)
2855 return ret;
2856
2857 return ctnetlink_glue_parse_ct((const struct nlattr **)cda, ct);
2858 }
2859
2860 static int ctnetlink_glue_exp_parse(const struct nlattr * const *cda,
2861 const struct nf_conn *ct,
2862 struct nf_conntrack_tuple *tuple,
2863 struct nf_conntrack_tuple *mask)
2864 {
2865 int err;
2866
2867 err = ctnetlink_parse_tuple(cda, tuple, CTA_EXPECT_TUPLE,
2868 nf_ct_l3num(ct), NULL);
2869 if (err < 0)
2870 return err;
2871
2872 return ctnetlink_parse_tuple(cda, mask, CTA_EXPECT_MASK,
2873 nf_ct_l3num(ct), NULL);
2874 }
2875
2876 static int
2877 ctnetlink_glue_attach_expect(const struct nlattr *attr, struct nf_conn *ct,
2878 u32 portid, u32 report)
2879 {
2880 struct nlattr *cda[CTA_EXPECT_MAX+1];
2881 struct nf_conntrack_tuple tuple, mask;
2882 struct nf_conntrack_helper *helper = NULL;
2883 struct nf_conntrack_expect *exp;
2884 int err;
2885
2886 err = nla_parse_nested_deprecated(cda, CTA_EXPECT_MAX, attr,
2887 exp_nla_policy, NULL);
2888 if (err < 0)
2889 return err;
2890
2891 err = ctnetlink_glue_exp_parse((const struct nlattr * const *)cda,
2892 ct, &tuple, &mask);
2893 if (err < 0)
2894 return err;
2895
2896 if (cda[CTA_EXPECT_HELP_NAME]) {
2897 const char *helpname = nla_data(cda[CTA_EXPECT_HELP_NAME]);
2898
2899 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
2900 nf_ct_protonum(ct));
2901 if (helper == NULL)
2902 return -EOPNOTSUPP;
2903 }
2904
2905 exp = ctnetlink_alloc_expect((const struct nlattr * const *)cda, ct,
2906 helper, &tuple, &mask);
2907 if (IS_ERR(exp))
2908 return PTR_ERR(exp);
2909
2910 err = nf_ct_expect_related_report(exp, portid, report, 0);
2911 nf_ct_expect_put(exp);
2912 return err;
2913 }
2914
2915 static void ctnetlink_glue_seqadj(struct sk_buff *skb, struct nf_conn *ct,
2916 enum ip_conntrack_info ctinfo, int diff)
2917 {
2918 if (!(ct->status & IPS_NAT_MASK))
2919 return;
2920
2921 nf_ct_tcp_seqadj_set(skb, ct, ctinfo, diff);
2922 }
2923
2924 static const struct nfnl_ct_hook ctnetlink_glue_hook = {
2925 .build_size = ctnetlink_glue_build_size,
2926 .build = ctnetlink_glue_build,
2927 .parse = ctnetlink_glue_parse,
2928 .attach_expect = ctnetlink_glue_attach_expect,
2929 .seq_adjust = ctnetlink_glue_seqadj,
2930 };
2931 #endif /* CONFIG_NETFILTER_NETLINK_GLUE_CT */
2932
2933 /***********************************************************************
2934 * EXPECT
2935 ***********************************************************************/
2936
2937 static int ctnetlink_exp_dump_tuple(struct sk_buff *skb,
2938 const struct nf_conntrack_tuple *tuple,
2939 u32 type)
2940 {
2941 struct nlattr *nest_parms;
2942
2943 nest_parms = nla_nest_start(skb, type);
2944 if (!nest_parms)
2945 goto nla_put_failure;
2946 if (ctnetlink_dump_tuples(skb, tuple) < 0)
2947 goto nla_put_failure;
2948 nla_nest_end(skb, nest_parms);
2949
2950 return 0;
2951
2952 nla_put_failure:
2953 return -1;
2954 }
2955
2956 static int ctnetlink_exp_dump_mask(struct sk_buff *skb,
2957 const struct nf_conntrack_tuple *tuple,
2958 const struct nf_conntrack_tuple_mask *mask)
2959 {
2960 const struct nf_conntrack_l4proto *l4proto;
2961 struct nf_conntrack_tuple m;
2962 struct nlattr *nest_parms;
2963 int ret;
2964
2965 memset(&m, 0xFF, sizeof(m));
2966 memcpy(&m.src.u3, &mask->src.u3, sizeof(m.src.u3));
2967 m.src.u.all = mask->src.u.all;
2968 m.src.l3num = tuple->src.l3num;
2969 m.dst.protonum = tuple->dst.protonum;
2970
2971 nest_parms = nla_nest_start(skb, CTA_EXPECT_MASK);
2972 if (!nest_parms)
2973 goto nla_put_failure;
2974
2975 rcu_read_lock();
2976 ret = ctnetlink_dump_tuples_ip(skb, &m);
2977 if (ret >= 0) {
2978 l4proto = nf_ct_l4proto_find(tuple->dst.protonum);
2979 ret = ctnetlink_dump_tuples_proto(skb, &m, l4proto);
2980 }
2981 rcu_read_unlock();
2982
2983 if (unlikely(ret < 0))
2984 goto nla_put_failure;
2985
2986 nla_nest_end(skb, nest_parms);
2987
2988 return 0;
2989
2990 nla_put_failure:
2991 return -1;
2992 }
2993
2994 static const union nf_inet_addr any_addr;
2995
2996 static __be32 nf_expect_get_id(const struct nf_conntrack_expect *exp)
2997 {
2998 static siphash_aligned_key_t exp_id_seed;
2999 unsigned long a, b, c, d;
3000
3001 net_get_random_once(&exp_id_seed, sizeof(exp_id_seed));
3002
3003 a = (unsigned long)exp;
3004 b = (unsigned long)exp->helper;
3005 c = (unsigned long)exp->master;
3006 d = (unsigned long)siphash(&exp->tuple, sizeof(exp->tuple), &exp_id_seed);
3007
3008 #ifdef CONFIG_64BIT
3009 return (__force __be32)siphash_4u64((u64)a, (u64)b, (u64)c, (u64)d, &exp_id_seed);
3010 #else
3011 return (__force __be32)siphash_4u32((u32)a, (u32)b, (u32)c, (u32)d, &exp_id_seed);
3012 #endif
3013 }
3014
3015 static int
3016 ctnetlink_exp_dump_expect(struct sk_buff *skb,
3017 const struct nf_conntrack_expect *exp)
3018 {
3019 struct nf_conn *master = exp->master;
3020 long timeout = ((long)exp->timeout.expires - (long)jiffies) / HZ;
3021 struct nf_conn_help *help;
3022 #if IS_ENABLED(CONFIG_NF_NAT)
3023 struct nlattr *nest_parms;
3024 struct nf_conntrack_tuple nat_tuple = {};
3025 #endif
3026 struct nf_ct_helper_expectfn *expfn;
3027
3028 if (timeout < 0)
3029 timeout = 0;
3030
3031 if (ctnetlink_exp_dump_tuple(skb, &exp->tuple, CTA_EXPECT_TUPLE) < 0)
3032 goto nla_put_failure;
3033 if (ctnetlink_exp_dump_mask(skb, &exp->tuple, &exp->mask) < 0)
3034 goto nla_put_failure;
3035 if (ctnetlink_exp_dump_tuple(skb,
3036 &master->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
3037 CTA_EXPECT_MASTER) < 0)
3038 goto nla_put_failure;
3039
3040 #if IS_ENABLED(CONFIG_NF_NAT)
3041 if (!nf_inet_addr_cmp(&exp->saved_addr, &any_addr) ||
3042 exp->saved_proto.all) {
3043 nest_parms = nla_nest_start(skb, CTA_EXPECT_NAT);
3044 if (!nest_parms)
3045 goto nla_put_failure;
3046
3047 if (nla_put_be32(skb, CTA_EXPECT_NAT_DIR, htonl(exp->dir)))
3048 goto nla_put_failure;
3049
3050 nat_tuple.src.l3num = nf_ct_l3num(master);
3051 nat_tuple.src.u3 = exp->saved_addr;
3052 nat_tuple.dst.protonum = nf_ct_protonum(master);
3053 nat_tuple.src.u = exp->saved_proto;
3054
3055 if (ctnetlink_exp_dump_tuple(skb, &nat_tuple,
3056 CTA_EXPECT_NAT_TUPLE) < 0)
3057 goto nla_put_failure;
3058 nla_nest_end(skb, nest_parms);
3059 }
3060 #endif
3061 if (nla_put_be32(skb, CTA_EXPECT_TIMEOUT, htonl(timeout)) ||
3062 nla_put_be32(skb, CTA_EXPECT_ID, nf_expect_get_id(exp)) ||
3063 nla_put_be32(skb, CTA_EXPECT_FLAGS, htonl(exp->flags)) ||
3064 nla_put_be32(skb, CTA_EXPECT_CLASS, htonl(exp->class)))
3065 goto nla_put_failure;
3066 help = nfct_help(master);
3067 if (help) {
3068 struct nf_conntrack_helper *helper;
3069
3070 helper = rcu_dereference(help->helper);
3071 if (helper &&
3072 nla_put_string(skb, CTA_EXPECT_HELP_NAME, helper->name))
3073 goto nla_put_failure;
3074 }
3075 expfn = nf_ct_helper_expectfn_find_by_symbol(exp->expectfn);
3076 if (expfn != NULL &&
3077 nla_put_string(skb, CTA_EXPECT_FN, expfn->name))
3078 goto nla_put_failure;
3079
3080 return 0;
3081
3082 nla_put_failure:
3083 return -1;
3084 }
3085
3086 static int
3087 ctnetlink_exp_fill_info(struct sk_buff *skb, u32 portid, u32 seq,
3088 int event, const struct nf_conntrack_expect *exp)
3089 {
3090 struct nlmsghdr *nlh;
3091 unsigned int flags = portid ? NLM_F_MULTI : 0;
3092
3093 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_EXP, event);
3094 nlh = nfnl_msg_put(skb, portid, seq, event, flags,
3095 exp->tuple.src.l3num, NFNETLINK_V0, 0);
3096 if (!nlh)
3097 goto nlmsg_failure;
3098
3099 if (ctnetlink_exp_dump_expect(skb, exp) < 0)
3100 goto nla_put_failure;
3101
3102 nlmsg_end(skb, nlh);
3103 return skb->len;
3104
3105 nlmsg_failure:
3106 nla_put_failure:
3107 nlmsg_cancel(skb, nlh);
3108 return -1;
3109 }
3110
3111 #ifdef CONFIG_NF_CONNTRACK_EVENTS
3112 static int
3113 ctnetlink_expect_event(unsigned int events, const struct nf_exp_event *item)
3114 {
3115 struct nf_conntrack_expect *exp = item->exp;
3116 struct net *net = nf_ct_exp_net(exp);
3117 struct nlmsghdr *nlh;
3118 struct sk_buff *skb;
3119 unsigned int type, group;
3120 int flags = 0;
3121
3122 if (events & (1 << IPEXP_DESTROY)) {
3123 type = IPCTNL_MSG_EXP_DELETE;
3124 group = NFNLGRP_CONNTRACK_EXP_DESTROY;
3125 } else if (events & (1 << IPEXP_NEW)) {
3126 type = IPCTNL_MSG_EXP_NEW;
3127 flags = NLM_F_CREATE|NLM_F_EXCL;
3128 group = NFNLGRP_CONNTRACK_EXP_NEW;
3129 } else
3130 return 0;
3131
3132 if (!item->report && !nfnetlink_has_listeners(net, group))
3133 return 0;
3134
3135 skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
3136 if (skb == NULL)
3137 goto errout;
3138
3139 type = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_EXP, type);
3140 nlh = nfnl_msg_put(skb, item->portid, 0, type, flags,
3141 exp->tuple.src.l3num, NFNETLINK_V0, 0);
3142 if (!nlh)
3143 goto nlmsg_failure;
3144
3145 if (ctnetlink_exp_dump_expect(skb, exp) < 0)
3146 goto nla_put_failure;
3147
3148 nlmsg_end(skb, nlh);
3149 nfnetlink_send(skb, net, item->portid, group, item->report, GFP_ATOMIC);
3150 return 0;
3151
3152 nla_put_failure:
3153 nlmsg_cancel(skb, nlh);
3154 nlmsg_failure:
3155 kfree_skb(skb);
3156 errout:
3157 nfnetlink_set_err(net, 0, 0, -ENOBUFS);
3158 return 0;
3159 }
3160 #endif
3161 static int ctnetlink_exp_done(struct netlink_callback *cb)
3162 {
3163 if (cb->args[1])
3164 nf_ct_expect_put((struct nf_conntrack_expect *)cb->args[1]);
3165 return 0;
3166 }
3167
3168 static int
3169 ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
3170 {
3171 struct net *net = sock_net(skb->sk);
3172 struct nf_conntrack_expect *exp, *last;
3173 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
3174 u_int8_t l3proto = nfmsg->nfgen_family;
3175
3176 rcu_read_lock();
3177 last = (struct nf_conntrack_expect *)cb->args[1];
3178 for (; cb->args[0] < nf_ct_expect_hsize; cb->args[0]++) {
3179 restart:
3180 hlist_for_each_entry_rcu(exp, &nf_ct_expect_hash[cb->args[0]],
3181 hnode) {
3182 if (l3proto && exp->tuple.src.l3num != l3proto)
3183 continue;
3184
3185 if (!net_eq(nf_ct_net(exp->master), net))
3186 continue;
3187
3188 if (cb->args[1]) {
3189 if (exp != last)
3190 continue;
3191 cb->args[1] = 0;
3192 }
3193 if (ctnetlink_exp_fill_info(skb,
3194 NETLINK_CB(cb->skb).portid,
3195 cb->nlh->nlmsg_seq,
3196 IPCTNL_MSG_EXP_NEW,
3197 exp) < 0) {
3198 if (!refcount_inc_not_zero(&exp->use))
3199 continue;
3200 cb->args[1] = (unsigned long)exp;
3201 goto out;
3202 }
3203 }
3204 if (cb->args[1]) {
3205 cb->args[1] = 0;
3206 goto restart;
3207 }
3208 }
3209 out:
3210 rcu_read_unlock();
3211 if (last)
3212 nf_ct_expect_put(last);
3213
3214 return skb->len;
3215 }
3216
3217 static int
3218 ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
3219 {
3220 struct nf_conntrack_expect *exp, *last;
3221 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
3222 struct nf_conn *ct = cb->data;
3223 struct nf_conn_help *help = nfct_help(ct);
3224 u_int8_t l3proto = nfmsg->nfgen_family;
3225
3226 if (cb->args[0])
3227 return 0;
3228
3229 rcu_read_lock();
3230 last = (struct nf_conntrack_expect *)cb->args[1];
3231 restart:
3232 hlist_for_each_entry_rcu(exp, &help->expectations, lnode) {
3233 if (l3proto && exp->tuple.src.l3num != l3proto)
3234 continue;
3235 if (cb->args[1]) {
3236 if (exp != last)
3237 continue;
3238 cb->args[1] = 0;
3239 }
3240 if (ctnetlink_exp_fill_info(skb, NETLINK_CB(cb->skb).portid,
3241 cb->nlh->nlmsg_seq,
3242 IPCTNL_MSG_EXP_NEW,
3243 exp) < 0) {
3244 if (!refcount_inc_not_zero(&exp->use))
3245 continue;
3246 cb->args[1] = (unsigned long)exp;
3247 goto out;
3248 }
3249 }
3250 if (cb->args[1]) {
3251 cb->args[1] = 0;
3252 goto restart;
3253 }
3254 cb->args[0] = 1;
3255 out:
3256 rcu_read_unlock();
3257 if (last)
3258 nf_ct_expect_put(last);
3259
3260 return skb->len;
3261 }
3262
3263 static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl,
3264 struct sk_buff *skb,
3265 const struct nlmsghdr *nlh,
3266 const struct nlattr * const cda[],
3267 struct netlink_ext_ack *extack)
3268 {
3269 int err;
3270 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3271 u_int8_t u3 = nfmsg->nfgen_family;
3272 struct nf_conntrack_tuple tuple;
3273 struct nf_conntrack_tuple_hash *h;
3274 struct nf_conn *ct;
3275 struct nf_conntrack_zone zone;
3276 struct netlink_dump_control c = {
3277 .dump = ctnetlink_exp_ct_dump_table,
3278 .done = ctnetlink_exp_done,
3279 };
3280
3281 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER,
3282 u3, NULL);
3283 if (err < 0)
3284 return err;
3285
3286 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
3287 if (err < 0)
3288 return err;
3289
3290 h = nf_conntrack_find_get(net, &zone, &tuple);
3291 if (!h)
3292 return -ENOENT;
3293
3294 ct = nf_ct_tuplehash_to_ctrack(h);
3295 /* No expectation linked to this connection tracking. */
3296 if (!nfct_help(ct)) {
3297 nf_ct_put(ct);
3298 return 0;
3299 }
3300
3301 c.data = ct;
3302
3303 err = netlink_dump_start(ctnl, skb, nlh, &c);
3304 nf_ct_put(ct);
3305
3306 return err;
3307 }
3308
3309 static int ctnetlink_get_expect(struct sk_buff *skb,
3310 const struct nfnl_info *info,
3311 const struct nlattr * const cda[])
3312 {
3313 u_int8_t u3 = info->nfmsg->nfgen_family;
3314 struct nf_conntrack_tuple tuple;
3315 struct nf_conntrack_expect *exp;
3316 struct nf_conntrack_zone zone;
3317 struct sk_buff *skb2;
3318 int err;
3319
3320 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
3321 if (cda[CTA_EXPECT_MASTER])
3322 return ctnetlink_dump_exp_ct(info->net, info->sk, skb,
3323 info->nlh, cda,
3324 info->extack);
3325 else {
3326 struct netlink_dump_control c = {
3327 .dump = ctnetlink_exp_dump_table,
3328 .done = ctnetlink_exp_done,
3329 };
3330 return netlink_dump_start(info->sk, skb, info->nlh, &c);
3331 }
3332 }
3333
3334 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
3335 if (err < 0)
3336 return err;
3337
3338 if (cda[CTA_EXPECT_TUPLE])
3339 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE,
3340 u3, NULL);
3341 else if (cda[CTA_EXPECT_MASTER])
3342 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER,
3343 u3, NULL);
3344 else
3345 return -EINVAL;
3346
3347 if (err < 0)
3348 return err;
3349
3350 exp = nf_ct_expect_find_get(info->net, &zone, &tuple);
3351 if (!exp)
3352 return -ENOENT;
3353
3354 if (cda[CTA_EXPECT_ID]) {
3355 __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);
3356
3357 if (id != nf_expect_get_id(exp)) {
3358 nf_ct_expect_put(exp);
3359 return -ENOENT;
3360 }
3361 }
3362
3363 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3364 if (!skb2) {
3365 nf_ct_expect_put(exp);
3366 return -ENOMEM;
3367 }
3368
3369 rcu_read_lock();
3370 err = ctnetlink_exp_fill_info(skb2, NETLINK_CB(skb).portid,
3371 info->nlh->nlmsg_seq, IPCTNL_MSG_EXP_NEW,
3372 exp);
3373 rcu_read_unlock();
3374 nf_ct_expect_put(exp);
3375 if (err <= 0) {
3376 kfree_skb(skb2);
3377 return -ENOMEM;
3378 }
3379
3380 return nfnetlink_unicast(skb2, info->net, NETLINK_CB(skb).portid);
3381 }
3382
3383 static bool expect_iter_name(struct nf_conntrack_expect *exp, void *data)
3384 {
3385 const struct nf_conn_help *m_help;
3386 const char *name = data;
3387
3388 m_help = nfct_help(exp->master);
3389
3390 return strcmp(m_help->helper->name, name) == 0;
3391 }
3392
3393 static bool expect_iter_all(struct nf_conntrack_expect *exp, void *data)
3394 {
3395 return true;
3396 }
3397
3398 static int ctnetlink_del_expect(struct sk_buff *skb,
3399 const struct nfnl_info *info,
3400 const struct nlattr * const cda[])
3401 {
3402 u_int8_t u3 = info->nfmsg->nfgen_family;
3403 struct nf_conntrack_expect *exp;
3404 struct nf_conntrack_tuple tuple;
3405 struct nf_conntrack_zone zone;
3406 int err;
3407
3408 if (cda[CTA_EXPECT_TUPLE]) {
3409 /* delete a single expect by tuple */
3410 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
3411 if (err < 0)
3412 return err;
3413
3414 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE,
3415 u3, NULL);
3416 if (err < 0)
3417 return err;
3418
3419 /* bump usage count to 2 */
3420 exp = nf_ct_expect_find_get(info->net, &zone, &tuple);
3421 if (!exp)
3422 return -ENOENT;
3423
3424 if (cda[CTA_EXPECT_ID]) {
3425 __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);
3426 if (ntohl(id) != (u32)(unsigned long)exp) {
3427 nf_ct_expect_put(exp);
3428 return -ENOENT;
3429 }
3430 }
3431
3432 /* after list removal, usage count == 1 */
3433 spin_lock_bh(&nf_conntrack_expect_lock);
3434 if (del_timer(&exp->timeout)) {
3435 nf_ct_unlink_expect_report(exp, NETLINK_CB(skb).portid,
3436 nlmsg_report(info->nlh));
3437 nf_ct_expect_put(exp);
3438 }
3439 spin_unlock_bh(&nf_conntrack_expect_lock);
3440 /* have to put what we 'get' above.
3441 * after this line usage count == 0 */
3442 nf_ct_expect_put(exp);
3443 } else if (cda[CTA_EXPECT_HELP_NAME]) {
3444 char *name = nla_data(cda[CTA_EXPECT_HELP_NAME]);
3445
3446 nf_ct_expect_iterate_net(info->net, expect_iter_name, name,
3447 NETLINK_CB(skb).portid,
3448 nlmsg_report(info->nlh));
3449 } else {
3450 /* This basically means we have to flush everything*/
3451 nf_ct_expect_iterate_net(info->net, expect_iter_all, NULL,
3452 NETLINK_CB(skb).portid,
3453 nlmsg_report(info->nlh));
3454 }
3455
3456 return 0;
3457 }
3458 static int
3459 ctnetlink_change_expect(struct nf_conntrack_expect *x,
3460 const struct nlattr * const cda[])
3461 {
3462 if (cda[CTA_EXPECT_TIMEOUT]) {
3463 if (!del_timer(&x->timeout))
3464 return -ETIME;
3465
3466 x->timeout.expires = jiffies +
3467 ntohl(nla_get_be32(cda[CTA_EXPECT_TIMEOUT])) * HZ;
3468 add_timer(&x->timeout);
3469 }
3470 return 0;
3471 }
3472
3473 static const struct nla_policy exp_nat_nla_policy[CTA_EXPECT_NAT_MAX+1] = {
3474 [CTA_EXPECT_NAT_DIR] = { .type = NLA_U32 },
3475 [CTA_EXPECT_NAT_TUPLE] = { .type = NLA_NESTED },
3476 };
3477
3478 static int
3479 ctnetlink_parse_expect_nat(const struct nlattr *attr,
3480 struct nf_conntrack_expect *exp,
3481 u_int8_t u3)
3482 {
3483 #if IS_ENABLED(CONFIG_NF_NAT)
3484 struct nlattr *tb[CTA_EXPECT_NAT_MAX+1];
3485 struct nf_conntrack_tuple nat_tuple = {};
3486 int err;
3487
3488 err = nla_parse_nested_deprecated(tb, CTA_EXPECT_NAT_MAX, attr,
3489 exp_nat_nla_policy, NULL);
3490 if (err < 0)
3491 return err;
3492
3493 if (!tb[CTA_EXPECT_NAT_DIR] || !tb[CTA_EXPECT_NAT_TUPLE])
3494 return -EINVAL;
3495
3496 err = ctnetlink_parse_tuple((const struct nlattr * const *)tb,
3497 &nat_tuple, CTA_EXPECT_NAT_TUPLE,
3498 u3, NULL);
3499 if (err < 0)
3500 return err;
3501
3502 exp->saved_addr = nat_tuple.src.u3;
3503 exp->saved_proto = nat_tuple.src.u;
3504 exp->dir = ntohl(nla_get_be32(tb[CTA_EXPECT_NAT_DIR]));
3505
3506 return 0;
3507 #else
3508 return -EOPNOTSUPP;
3509 #endif
3510 }
3511
3512 static struct nf_conntrack_expect *
3513 ctnetlink_alloc_expect(const struct nlattr * const cda[], struct nf_conn *ct,
3514 struct nf_conntrack_helper *helper,
3515 struct nf_conntrack_tuple *tuple,
3516 struct nf_conntrack_tuple *mask)
3517 {
3518 u_int32_t class = 0;
3519 struct nf_conntrack_expect *exp;
3520 struct nf_conn_help *help;
3521 int err;
3522
3523 help = nfct_help(ct);
3524 if (!help)
3525 return ERR_PTR(-EOPNOTSUPP);
3526
3527 if (cda[CTA_EXPECT_CLASS] && helper) {
3528 class = ntohl(nla_get_be32(cda[CTA_EXPECT_CLASS]));
3529 if (class > helper->expect_class_max)
3530 return ERR_PTR(-EINVAL);
3531 }
3532 exp = nf_ct_expect_alloc(ct);
3533 if (!exp)
3534 return ERR_PTR(-ENOMEM);
3535
3536 if (cda[CTA_EXPECT_FLAGS]) {
3537 exp->flags = ntohl(nla_get_be32(cda[CTA_EXPECT_FLAGS]));
3538 exp->flags &= ~NF_CT_EXPECT_USERSPACE;
3539 } else {
3540 exp->flags = 0;
3541 }
3542 if (cda[CTA_EXPECT_FN]) {
3543 const char *name = nla_data(cda[CTA_EXPECT_FN]);
3544 struct nf_ct_helper_expectfn *expfn;
3545
3546 expfn = nf_ct_helper_expectfn_find_by_name(name);
3547 if (expfn == NULL) {
3548 err = -EINVAL;
3549 goto err_out;
3550 }
3551 exp->expectfn = expfn->expectfn;
3552 } else
3553 exp->expectfn = NULL;
3554
3555 exp->class = class;
3556 exp->master = ct;
3557 exp->helper = helper;
3558 exp->tuple = *tuple;
3559 exp->mask.src.u3 = mask->src.u3;
3560 exp->mask.src.u.all = mask->src.u.all;
3561
3562 if (cda[CTA_EXPECT_NAT]) {
3563 err = ctnetlink_parse_expect_nat(cda[CTA_EXPECT_NAT],
3564 exp, nf_ct_l3num(ct));
3565 if (err < 0)
3566 goto err_out;
3567 }
3568 return exp;
3569 err_out:
3570 nf_ct_expect_put(exp);
3571 return ERR_PTR(err);
3572 }
3573
3574 static int
3575 ctnetlink_create_expect(struct net *net,
3576 const struct nf_conntrack_zone *zone,
3577 const struct nlattr * const cda[],
3578 u_int8_t u3, u32 portid, int report)
3579 {
3580 struct nf_conntrack_tuple tuple, mask, master_tuple;
3581 struct nf_conntrack_tuple_hash *h = NULL;
3582 struct nf_conntrack_helper *helper = NULL;
3583 struct nf_conntrack_expect *exp;
3584 struct nf_conn *ct;
3585 int err;
3586
3587 /* caller guarantees that those three CTA_EXPECT_* exist */
3588 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE,
3589 u3, NULL);
3590 if (err < 0)
3591 return err;
3592 err = ctnetlink_parse_tuple(cda, &mask, CTA_EXPECT_MASK,
3593 u3, NULL);
3594 if (err < 0)
3595 return err;
3596 err = ctnetlink_parse_tuple(cda, &master_tuple, CTA_EXPECT_MASTER,
3597 u3, NULL);
3598 if (err < 0)
3599 return err;
3600
3601 /* Look for master conntrack of this expectation */
3602 h = nf_conntrack_find_get(net, zone, &master_tuple);
3603 if (!h)
3604 return -ENOENT;
3605 ct = nf_ct_tuplehash_to_ctrack(h);
3606
3607 rcu_read_lock();
3608 if (cda[CTA_EXPECT_HELP_NAME]) {
3609 const char *helpname = nla_data(cda[CTA_EXPECT_HELP_NAME]);
3610
3611 helper = __nf_conntrack_helper_find(helpname, u3,
3612 nf_ct_protonum(ct));
3613 if (helper == NULL) {
3614 rcu_read_unlock();
3615 #ifdef CONFIG_MODULES
3616 if (request_module("nfct-helper-%s", helpname) < 0) {
3617 err = -EOPNOTSUPP;
3618 goto err_ct;
3619 }
3620 rcu_read_lock();
3621 helper = __nf_conntrack_helper_find(helpname, u3,
3622 nf_ct_protonum(ct));
3623 if (helper) {
3624 err = -EAGAIN;
3625 goto err_rcu;
3626 }
3627 rcu_read_unlock();
3628 #endif
3629 err = -EOPNOTSUPP;
3630 goto err_ct;
3631 }
3632 }
3633
3634 exp = ctnetlink_alloc_expect(cda, ct, helper, &tuple, &mask);
3635 if (IS_ERR(exp)) {
3636 err = PTR_ERR(exp);
3637 goto err_rcu;
3638 }
3639
3640 err = nf_ct_expect_related_report(exp, portid, report, 0);
3641 nf_ct_expect_put(exp);
3642 err_rcu:
3643 rcu_read_unlock();
3644 err_ct:
3645 nf_ct_put(ct);
3646 return err;
3647 }
3648
3649 static int ctnetlink_new_expect(struct sk_buff *skb,
3650 const struct nfnl_info *info,
3651 const struct nlattr * const cda[])
3652 {
3653 u_int8_t u3 = info->nfmsg->nfgen_family;
3654 struct nf_conntrack_tuple tuple;
3655 struct nf_conntrack_expect *exp;
3656 struct nf_conntrack_zone zone;
3657 int err;
3658
3659 if (!cda[CTA_EXPECT_TUPLE]
3660 || !cda[CTA_EXPECT_MASK]
3661 || !cda[CTA_EXPECT_MASTER])
3662 return -EINVAL;
3663
3664 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
3665 if (err < 0)
3666 return err;
3667
3668 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE,
3669 u3, NULL);
3670 if (err < 0)
3671 return err;
3672
3673 spin_lock_bh(&nf_conntrack_expect_lock);
3674 exp = __nf_ct_expect_find(info->net, &zone, &tuple);
3675 if (!exp) {
3676 spin_unlock_bh(&nf_conntrack_expect_lock);
3677 err = -ENOENT;
3678 if (info->nlh->nlmsg_flags & NLM_F_CREATE) {
3679 err = ctnetlink_create_expect(info->net, &zone, cda, u3,
3680 NETLINK_CB(skb).portid,
3681 nlmsg_report(info->nlh));
3682 }
3683 return err;
3684 }
3685
3686 err = -EEXIST;
3687 if (!(info->nlh->nlmsg_flags & NLM_F_EXCL))
3688 err = ctnetlink_change_expect(exp, cda);
3689 spin_unlock_bh(&nf_conntrack_expect_lock);
3690
3691 return err;
3692 }
3693
3694 static int
3695 ctnetlink_exp_stat_fill_info(struct sk_buff *skb, u32 portid, u32 seq, int cpu,
3696 const struct ip_conntrack_stat *st)
3697 {
3698 struct nlmsghdr *nlh;
3699 unsigned int flags = portid ? NLM_F_MULTI : 0, event;
3700
3701 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK,
3702 IPCTNL_MSG_EXP_GET_STATS_CPU);
3703 nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC,
3704 NFNETLINK_V0, htons(cpu));
3705 if (!nlh)
3706 goto nlmsg_failure;
3707
3708 if (nla_put_be32(skb, CTA_STATS_EXP_NEW, htonl(st->expect_new)) ||
3709 nla_put_be32(skb, CTA_STATS_EXP_CREATE, htonl(st->expect_create)) ||
3710 nla_put_be32(skb, CTA_STATS_EXP_DELETE, htonl(st->expect_delete)))
3711 goto nla_put_failure;
3712
3713 nlmsg_end(skb, nlh);
3714 return skb->len;
3715
3716 nla_put_failure:
3717 nlmsg_failure:
3718 nlmsg_cancel(skb, nlh);
3719 return -1;
3720 }
3721
3722 static int
3723 ctnetlink_exp_stat_cpu_dump(struct sk_buff *skb, struct netlink_callback *cb)
3724 {
3725 int cpu;
3726 struct net *net = sock_net(skb->sk);
3727
3728 if (cb->args[0] == nr_cpu_ids)
3729 return 0;
3730
3731 for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) {
3732 const struct ip_conntrack_stat *st;
3733
3734 if (!cpu_possible(cpu))
3735 continue;
3736
3737 st = per_cpu_ptr(net->ct.stat, cpu);
3738 if (ctnetlink_exp_stat_fill_info(skb, NETLINK_CB(cb->skb).portid,
3739 cb->nlh->nlmsg_seq,
3740 cpu, st) < 0)
3741 break;
3742 }
3743 cb->args[0] = cpu;
3744
3745 return skb->len;
3746 }
3747
3748 static int ctnetlink_stat_exp_cpu(struct sk_buff *skb,
3749 const struct nfnl_info *info,
3750 const struct nlattr * const cda[])
3751 {
3752 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
3753 struct netlink_dump_control c = {
3754 .dump = ctnetlink_exp_stat_cpu_dump,
3755 };
3756 return netlink_dump_start(info->sk, skb, info->nlh, &c);
3757 }
3758
3759 return 0;
3760 }
3761
3762 #ifdef CONFIG_NF_CONNTRACK_EVENTS
3763 static struct nf_ct_event_notifier ctnl_notifier = {
3764 .ct_event = ctnetlink_conntrack_event,
3765 .exp_event = ctnetlink_expect_event,
3766 };
3767 #endif
3768
3769 static const struct nfnl_callback ctnl_cb[IPCTNL_MSG_MAX] = {
3770 [IPCTNL_MSG_CT_NEW] = {
3771 .call = ctnetlink_new_conntrack,
3772 .type = NFNL_CB_MUTEX,
3773 .attr_count = CTA_MAX,
3774 .policy = ct_nla_policy
3775 },
3776 [IPCTNL_MSG_CT_GET] = {
3777 .call = ctnetlink_get_conntrack,
3778 .type = NFNL_CB_MUTEX,
3779 .attr_count = CTA_MAX,
3780 .policy = ct_nla_policy
3781 },
3782 [IPCTNL_MSG_CT_DELETE] = {
3783 .call = ctnetlink_del_conntrack,
3784 .type = NFNL_CB_MUTEX,
3785 .attr_count = CTA_MAX,
3786 .policy = ct_nla_policy
3787 },
3788 [IPCTNL_MSG_CT_GET_CTRZERO] = {
3789 .call = ctnetlink_get_conntrack,
3790 .type = NFNL_CB_MUTEX,
3791 .attr_count = CTA_MAX,
3792 .policy = ct_nla_policy
3793 },
3794 [IPCTNL_MSG_CT_GET_STATS_CPU] = {
3795 .call = ctnetlink_stat_ct_cpu,
3796 .type = NFNL_CB_MUTEX,
3797 },
3798 [IPCTNL_MSG_CT_GET_STATS] = {
3799 .call = ctnetlink_stat_ct,
3800 .type = NFNL_CB_MUTEX,
3801 },
3802 [IPCTNL_MSG_CT_GET_DYING] = {
3803 .call = ctnetlink_get_ct_dying,
3804 .type = NFNL_CB_MUTEX,
3805 },
3806 [IPCTNL_MSG_CT_GET_UNCONFIRMED] = {
3807 .call = ctnetlink_get_ct_unconfirmed,
3808 .type = NFNL_CB_MUTEX,
3809 },
3810 };
3811
3812 static const struct nfnl_callback ctnl_exp_cb[IPCTNL_MSG_EXP_MAX] = {
3813 [IPCTNL_MSG_EXP_GET] = {
3814 .call = ctnetlink_get_expect,
3815 .type = NFNL_CB_MUTEX,
3816 .attr_count = CTA_EXPECT_MAX,
3817 .policy = exp_nla_policy
3818 },
3819 [IPCTNL_MSG_EXP_NEW] = {
3820 .call = ctnetlink_new_expect,
3821 .type = NFNL_CB_MUTEX,
3822 .attr_count = CTA_EXPECT_MAX,
3823 .policy = exp_nla_policy
3824 },
3825 [IPCTNL_MSG_EXP_DELETE] = {
3826 .call = ctnetlink_del_expect,
3827 .type = NFNL_CB_MUTEX,
3828 .attr_count = CTA_EXPECT_MAX,
3829 .policy = exp_nla_policy
3830 },
3831 [IPCTNL_MSG_EXP_GET_STATS_CPU] = {
3832 .call = ctnetlink_stat_exp_cpu,
3833 .type = NFNL_CB_MUTEX,
3834 },
3835 };
3836
3837 static const struct nfnetlink_subsystem ctnl_subsys = {
3838 .name = "conntrack",
3839 .subsys_id = NFNL_SUBSYS_CTNETLINK,
3840 .cb_count = IPCTNL_MSG_MAX,
3841 .cb = ctnl_cb,
3842 };
3843
3844 static const struct nfnetlink_subsystem ctnl_exp_subsys = {
3845 .name = "conntrack_expect",
3846 .subsys_id = NFNL_SUBSYS_CTNETLINK_EXP,
3847 .cb_count = IPCTNL_MSG_EXP_MAX,
3848 .cb = ctnl_exp_cb,
3849 };
3850
3851 MODULE_ALIAS("ip_conntrack_netlink");
3852 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK);
3853 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK_EXP);
3854
3855 static int __net_init ctnetlink_net_init(struct net *net)
3856 {
3857 #ifdef CONFIG_NF_CONNTRACK_EVENTS
3858 nf_conntrack_register_notifier(net, &ctnl_notifier);
3859 #endif
3860 return 0;
3861 }
3862
3863 static void ctnetlink_net_pre_exit(struct net *net)
3864 {
3865 #ifdef CONFIG_NF_CONNTRACK_EVENTS
3866 nf_conntrack_unregister_notifier(net);
3867 #endif
3868 }
3869
3870 static struct pernet_operations ctnetlink_net_ops = {
3871 .init = ctnetlink_net_init,
3872 .pre_exit = ctnetlink_net_pre_exit,
3873 };
3874
3875 static int __init ctnetlink_init(void)
3876 {
3877 int ret;
3878
3879 ret = nfnetlink_subsys_register(&ctnl_subsys);
3880 if (ret < 0) {
3881 pr_err("ctnetlink_init: cannot register with nfnetlink.\n");
3882 goto err_out;
3883 }
3884
3885 ret = nfnetlink_subsys_register(&ctnl_exp_subsys);
3886 if (ret < 0) {
3887 pr_err("ctnetlink_init: cannot register exp with nfnetlink.\n");
3888 goto err_unreg_subsys;
3889 }
3890
3891 ret = register_pernet_subsys(&ctnetlink_net_ops);
3892 if (ret < 0) {
3893 pr_err("ctnetlink_init: cannot register pernet operations\n");
3894 goto err_unreg_exp_subsys;
3895 }
3896 #ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT
3897 /* setup interaction between nf_queue and nf_conntrack_netlink. */
3898 RCU_INIT_POINTER(nfnl_ct_hook, &ctnetlink_glue_hook);
3899 #endif
3900 return 0;
3901
3902 err_unreg_exp_subsys:
3903 nfnetlink_subsys_unregister(&ctnl_exp_subsys);
3904 err_unreg_subsys:
3905 nfnetlink_subsys_unregister(&ctnl_subsys);
3906 err_out:
3907 return ret;
3908 }
3909
3910 static void __exit ctnetlink_exit(void)
3911 {
3912 unregister_pernet_subsys(&ctnetlink_net_ops);
3913 nfnetlink_subsys_unregister(&ctnl_exp_subsys);
3914 nfnetlink_subsys_unregister(&ctnl_subsys);
3915 #ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT
3916 RCU_INIT_POINTER(nfnl_ct_hook, NULL);
3917 #endif
3918 synchronize_rcu();
3919 }
3920
3921 module_init(ctnetlink_init);
3922 module_exit(ctnetlink_exit);
Michael's Linux tree.