1 /* Connection tracking via netlink socket. Allows for user space
2 * protocol helpers and general trouble making from userspace.
4 * (C) 2001 by Jay Schulist <jschlst@samba.org>
5 * (C) 2002-2006 by Harald Welte <laforge@gnumonks.org>
6 * (C) 2003 by Patrick Mchardy <kaber@trash.net>
7 * (C) 2005-2006 by Pablo Neira Ayuso <pablo@eurodev.net>
9 * I've reworked this stuff to use attributes instead of conntrack
10 * structures. 5.44 am. I need more tea. --pablo 05/07/11.
12 * Initial connection tracking via netlink development funded and
13 * generally made possible by Network Robots, Inc. (www.networkrobots.com)
15 * Further development of this code funded by Astaro AG (http://www.astaro.com)
17 * This software may be used and distributed according to the terms
18 * of the GNU General Public License, incorporated herein by reference.
20 * Derived from ip_conntrack_netlink.c: Port by Pablo Neira Ayuso (05/11/14)
23 #include <linux/init.h>
24 #include <linux/module.h>
25 #include <linux/kernel.h>
26 #include <linux/types.h>
27 #include <linux/timer.h>
28 #include <linux/skbuff.h>
29 #include <linux/errno.h>
30 #include <linux/netlink.h>
31 #include <linux/spinlock.h>
32 #include <linux/interrupt.h>
33 #include <linux/notifier.h>
35 #include <linux/netfilter.h>
36 #include <net/netfilter/nf_conntrack.h>
37 #include <net/netfilter/nf_conntrack_core.h>
38 #include <net/netfilter/nf_conntrack_helper.h>
39 #include <net/netfilter/nf_conntrack_l3proto.h>
40 #include <net/netfilter/nf_conntrack_protocol.h>
41 #include <linux/netfilter_ipv4/ip_nat_protocol.h>
43 #include <linux/netfilter/nfnetlink.h>
44 #include <linux/netfilter/nfnetlink_conntrack.h>
46 MODULE_LICENSE("GPL");
48 static char __initdata version[] = "0.93";
51 ctnetlink_dump_tuples_proto(struct sk_buff *skb,
52 const struct nf_conntrack_tuple *tuple,
53 struct nf_conntrack_protocol *proto)
56 struct nfattr *nest_parms = NFA_NEST(skb, CTA_TUPLE_PROTO);
58 NFA_PUT(skb, CTA_PROTO_NUM, sizeof(u_int8_t), &tuple->dst.protonum);
60 if (likely(proto->tuple_to_nfattr))
61 ret = proto->tuple_to_nfattr(skb, tuple);
63 NFA_NEST_END(skb, nest_parms);
72 ctnetlink_dump_tuples_ip(struct sk_buff *skb,
73 const struct nf_conntrack_tuple *tuple,
74 struct nf_conntrack_l3proto *l3proto)
77 struct nfattr *nest_parms = NFA_NEST(skb, CTA_TUPLE_IP);
79 if (likely(l3proto->tuple_to_nfattr))
80 ret = l3proto->tuple_to_nfattr(skb, tuple);
82 NFA_NEST_END(skb, nest_parms);
91 ctnetlink_dump_tuples(struct sk_buff *skb,
92 const struct nf_conntrack_tuple *tuple)
95 struct nf_conntrack_l3proto *l3proto;
96 struct nf_conntrack_protocol *proto;
98 l3proto = nf_ct_l3proto_find_get(tuple->src.l3num);
99 ret = ctnetlink_dump_tuples_ip(skb, tuple, l3proto);
100 nf_ct_l3proto_put(l3proto);
102 if (unlikely(ret < 0))
105 proto = nf_ct_proto_find_get(tuple->src.l3num, tuple->dst.protonum);
106 ret = ctnetlink_dump_tuples_proto(skb, tuple, proto);
107 nf_ct_proto_put(proto);
113 ctnetlink_dump_status(struct sk_buff *skb, const struct nf_conn *ct)
115 u_int32_t status = htonl((u_int32_t) ct->status);
116 NFA_PUT(skb, CTA_STATUS, sizeof(status), &status);
124 ctnetlink_dump_timeout(struct sk_buff *skb, const struct nf_conn *ct)
126 long timeout_l = ct->timeout.expires - jiffies;
132 timeout = htonl(timeout_l / HZ);
134 NFA_PUT(skb, CTA_TIMEOUT, sizeof(timeout), &timeout);
142 ctnetlink_dump_protoinfo(struct sk_buff *skb, const struct nf_conn *ct)
144 struct nf_conntrack_protocol *proto = nf_ct_proto_find_get(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num, ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum);
145 struct nfattr *nest_proto;
148 if (!proto->to_nfattr) {
149 nf_ct_proto_put(proto);
153 nest_proto = NFA_NEST(skb, CTA_PROTOINFO);
155 ret = proto->to_nfattr(skb, nest_proto, ct);
157 nf_ct_proto_put(proto);
159 NFA_NEST_END(skb, nest_proto);
168 ctnetlink_dump_helpinfo(struct sk_buff *skb, const struct nf_conn *ct)
170 struct nfattr *nest_helper;
171 const struct nf_conn_help *help = nfct_help(ct);
173 if (!help || !help->helper)
176 nest_helper = NFA_NEST(skb, CTA_HELP);
177 NFA_PUT(skb, CTA_HELP_NAME, strlen(help->helper->name), help->helper->name);
179 if (help->helper->to_nfattr)
180 help->helper->to_nfattr(skb, ct);
182 NFA_NEST_END(skb, nest_helper);
190 #ifdef CONFIG_NF_CT_ACCT
192 ctnetlink_dump_counters(struct sk_buff *skb, const struct nf_conn *ct,
193 enum ip_conntrack_dir dir)
195 enum ctattr_type type = dir ? CTA_COUNTERS_REPLY: CTA_COUNTERS_ORIG;
196 struct nfattr *nest_count = NFA_NEST(skb, type);
199 tmp = htonl(ct->counters[dir].packets);
200 NFA_PUT(skb, CTA_COUNTERS32_PACKETS, sizeof(u_int32_t), &tmp);
202 tmp = htonl(ct->counters[dir].bytes);
203 NFA_PUT(skb, CTA_COUNTERS32_BYTES, sizeof(u_int32_t), &tmp);
205 NFA_NEST_END(skb, nest_count);
213 #define ctnetlink_dump_counters(a, b, c) (0)
216 #ifdef CONFIG_NF_CONNTRACK_MARK
218 ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct)
220 u_int32_t mark = htonl(ct->mark);
222 NFA_PUT(skb, CTA_MARK, sizeof(u_int32_t), &mark);
229 #define ctnetlink_dump_mark(a, b) (0)
233 ctnetlink_dump_id(struct sk_buff *skb, const struct nf_conn *ct)
235 u_int32_t id = htonl(ct->id);
236 NFA_PUT(skb, CTA_ID, sizeof(u_int32_t), &id);
244 ctnetlink_dump_use(struct sk_buff *skb, const struct nf_conn *ct)
246 u_int32_t use = htonl(atomic_read(&ct->ct_general.use));
248 NFA_PUT(skb, CTA_USE, sizeof(u_int32_t), &use);
255 #define tuple(ct, dir) (&(ct)->tuplehash[dir].tuple)
258 ctnetlink_fill_info(struct sk_buff *skb, u32 pid, u32 seq,
259 int event, int nowait,
260 const struct nf_conn *ct)
262 struct nlmsghdr *nlh;
263 struct nfgenmsg *nfmsg;
264 struct nfattr *nest_parms;
269 event |= NFNL_SUBSYS_CTNETLINK << 8;
270 nlh = NLMSG_PUT(skb, pid, seq, event, sizeof(struct nfgenmsg));
271 nfmsg = NLMSG_DATA(nlh);
273 nlh->nlmsg_flags = (nowait && pid) ? NLM_F_MULTI : 0;
274 nfmsg->nfgen_family =
275 ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
276 nfmsg->version = NFNETLINK_V0;
279 nest_parms = NFA_NEST(skb, CTA_TUPLE_ORIG);
280 if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
282 NFA_NEST_END(skb, nest_parms);
284 nest_parms = NFA_NEST(skb, CTA_TUPLE_REPLY);
285 if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_REPLY)) < 0)
287 NFA_NEST_END(skb, nest_parms);
289 if (ctnetlink_dump_status(skb, ct) < 0 ||
290 ctnetlink_dump_timeout(skb, ct) < 0 ||
291 ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 ||
292 ctnetlink_dump_counters(skb, ct, IP_CT_DIR_REPLY) < 0 ||
293 ctnetlink_dump_protoinfo(skb, ct) < 0 ||
294 ctnetlink_dump_helpinfo(skb, ct) < 0 ||
295 ctnetlink_dump_mark(skb, ct) < 0 ||
296 ctnetlink_dump_id(skb, ct) < 0 ||
297 ctnetlink_dump_use(skb, ct) < 0)
300 nlh->nlmsg_len = skb->tail - b;
305 skb_trim(skb, b - skb->data);
309 #ifdef CONFIG_NF_CONNTRACK_EVENTS
310 static int ctnetlink_conntrack_event(struct notifier_block *this,
311 unsigned long events, void *ptr)
313 struct nlmsghdr *nlh;
314 struct nfgenmsg *nfmsg;
315 struct nfattr *nest_parms;
316 struct nf_conn *ct = (struct nf_conn *)ptr;
320 unsigned int flags = 0, group;
322 /* ignore our fake conntrack entry */
323 if (ct == &nf_conntrack_untracked)
326 if (events & IPCT_DESTROY) {
327 type = IPCTNL_MSG_CT_DELETE;
328 group = NFNLGRP_CONNTRACK_DESTROY;
329 } else if (events & (IPCT_NEW | IPCT_RELATED)) {
330 type = IPCTNL_MSG_CT_NEW;
331 flags = NLM_F_CREATE|NLM_F_EXCL;
332 /* dump everything */
334 group = NFNLGRP_CONNTRACK_NEW;
335 } else if (events & (IPCT_STATUS | IPCT_PROTOINFO)) {
336 type = IPCTNL_MSG_CT_NEW;
337 group = NFNLGRP_CONNTRACK_UPDATE;
341 if (!nfnetlink_has_listeners(group))
344 skb = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
350 type |= NFNL_SUBSYS_CTNETLINK << 8;
351 nlh = NLMSG_PUT(skb, 0, 0, type, sizeof(struct nfgenmsg));
352 nfmsg = NLMSG_DATA(nlh);
354 nlh->nlmsg_flags = flags;
355 nfmsg->nfgen_family = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
356 nfmsg->version = NFNETLINK_V0;
359 nest_parms = NFA_NEST(skb, CTA_TUPLE_ORIG);
360 if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
362 NFA_NEST_END(skb, nest_parms);
364 nest_parms = NFA_NEST(skb, CTA_TUPLE_REPLY);
365 if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_REPLY)) < 0)
367 NFA_NEST_END(skb, nest_parms);
369 /* NAT stuff is now a status flag */
370 if ((events & IPCT_STATUS || events & IPCT_NATINFO)
371 && ctnetlink_dump_status(skb, ct) < 0)
373 if (events & IPCT_REFRESH
374 && ctnetlink_dump_timeout(skb, ct) < 0)
376 if (events & IPCT_PROTOINFO
377 && ctnetlink_dump_protoinfo(skb, ct) < 0)
379 if (events & IPCT_HELPINFO
380 && ctnetlink_dump_helpinfo(skb, ct) < 0)
383 if (ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 ||
384 ctnetlink_dump_counters(skb, ct, IP_CT_DIR_REPLY) < 0)
387 if (events & IPCT_MARK
388 && ctnetlink_dump_mark(skb, ct) < 0)
391 nlh->nlmsg_len = skb->tail - b;
392 nfnetlink_send(skb, 0, group, 0);
400 #endif /* CONFIG_NF_CONNTRACK_EVENTS */
402 static int ctnetlink_done(struct netlink_callback *cb)
405 nf_ct_put((struct nf_conn *)cb->args[1]);
409 #define L3PROTO(ct) ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num
412 ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
414 struct nf_conn *ct, *last;
415 struct nf_conntrack_tuple_hash *h;
417 struct nfgenmsg *nfmsg = NLMSG_DATA(cb->nlh);
418 u_int8_t l3proto = nfmsg->nfgen_family;
420 read_lock_bh(&nf_conntrack_lock);
421 last = (struct nf_conn *)cb->args[1];
422 for (; cb->args[0] < nf_conntrack_htable_size; cb->args[0]++) {
424 list_for_each_prev(i, &nf_conntrack_hash[cb->args[0]]) {
425 h = (struct nf_conntrack_tuple_hash *) i;
426 if (DIRECTION(h) != IP_CT_DIR_ORIGINAL)
428 ct = nf_ct_tuplehash_to_ctrack(h);
429 /* Dump entries of a given L3 protocol number.
430 * If it is not specified, ie. l3proto == 0,
431 * then dump everything. */
432 if (l3proto && L3PROTO(ct) != l3proto)
439 if (ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).pid,
443 nf_conntrack_get(&ct->ct_general);
444 cb->args[1] = (unsigned long)ct;
447 #ifdef CONFIG_NF_CT_ACCT
448 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) ==
449 IPCTNL_MSG_CT_GET_CTRZERO)
450 memset(&ct->counters, 0, sizeof(ct->counters));
459 read_unlock_bh(&nf_conntrack_lock);
467 ctnetlink_parse_tuple_ip(struct nfattr *attr, struct nf_conntrack_tuple *tuple)
469 struct nfattr *tb[CTA_IP_MAX];
470 struct nf_conntrack_l3proto *l3proto;
473 nfattr_parse_nested(tb, CTA_IP_MAX, attr);
475 l3proto = nf_ct_l3proto_find_get(tuple->src.l3num);
477 if (likely(l3proto->nfattr_to_tuple))
478 ret = l3proto->nfattr_to_tuple(tb, tuple);
480 nf_ct_l3proto_put(l3proto);
485 static const size_t cta_min_proto[CTA_PROTO_MAX] = {
486 [CTA_PROTO_NUM-1] = sizeof(u_int8_t),
490 ctnetlink_parse_tuple_proto(struct nfattr *attr,
491 struct nf_conntrack_tuple *tuple)
493 struct nfattr *tb[CTA_PROTO_MAX];
494 struct nf_conntrack_protocol *proto;
497 nfattr_parse_nested(tb, CTA_PROTO_MAX, attr);
499 if (nfattr_bad_size(tb, CTA_PROTO_MAX, cta_min_proto))
502 if (!tb[CTA_PROTO_NUM-1])
504 tuple->dst.protonum = *(u_int8_t *)NFA_DATA(tb[CTA_PROTO_NUM-1]);
506 proto = nf_ct_proto_find_get(tuple->src.l3num, tuple->dst.protonum);
508 if (likely(proto->nfattr_to_tuple))
509 ret = proto->nfattr_to_tuple(tb, tuple);
511 nf_ct_proto_put(proto);
517 ctnetlink_parse_tuple(struct nfattr *cda[], struct nf_conntrack_tuple *tuple,
518 enum ctattr_tuple type, u_int8_t l3num)
520 struct nfattr *tb[CTA_TUPLE_MAX];
523 memset(tuple, 0, sizeof(*tuple));
525 nfattr_parse_nested(tb, CTA_TUPLE_MAX, cda[type-1]);
527 if (!tb[CTA_TUPLE_IP-1])
530 tuple->src.l3num = l3num;
532 err = ctnetlink_parse_tuple_ip(tb[CTA_TUPLE_IP-1], tuple);
536 if (!tb[CTA_TUPLE_PROTO-1])
539 err = ctnetlink_parse_tuple_proto(tb[CTA_TUPLE_PROTO-1], tuple);
543 /* orig and expect tuples get DIR_ORIGINAL */
544 if (type == CTA_TUPLE_REPLY)
545 tuple->dst.dir = IP_CT_DIR_REPLY;
547 tuple->dst.dir = IP_CT_DIR_ORIGINAL;
552 #ifdef CONFIG_IP_NF_NAT_NEEDED
553 static const size_t cta_min_protonat[CTA_PROTONAT_MAX] = {
554 [CTA_PROTONAT_PORT_MIN-1] = sizeof(u_int16_t),
555 [CTA_PROTONAT_PORT_MAX-1] = sizeof(u_int16_t),
558 static int ctnetlink_parse_nat_proto(struct nfattr *attr,
559 const struct nf_conn *ct,
560 struct ip_nat_range *range)
562 struct nfattr *tb[CTA_PROTONAT_MAX];
563 struct ip_nat_protocol *npt;
565 nfattr_parse_nested(tb, CTA_PROTONAT_MAX, attr);
567 if (nfattr_bad_size(tb, CTA_PROTONAT_MAX, cta_min_protonat))
570 npt = ip_nat_proto_find_get(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum);
572 if (!npt->nfattr_to_range) {
573 ip_nat_proto_put(npt);
577 /* nfattr_to_range returns 1 if it parsed, 0 if not, neg. on error */
578 if (npt->nfattr_to_range(tb, range) > 0)
579 range->flags |= IP_NAT_RANGE_PROTO_SPECIFIED;
581 ip_nat_proto_put(npt);
586 static const size_t cta_min_nat[CTA_NAT_MAX] = {
587 [CTA_NAT_MINIP-1] = sizeof(u_int32_t),
588 [CTA_NAT_MAXIP-1] = sizeof(u_int32_t),
592 ctnetlink_parse_nat(struct nfattr *nat,
593 const struct nf_conn *ct, struct ip_nat_range *range)
595 struct nfattr *tb[CTA_NAT_MAX];
598 memset(range, 0, sizeof(*range));
600 nfattr_parse_nested(tb, CTA_NAT_MAX, nat);
602 if (nfattr_bad_size(tb, CTA_NAT_MAX, cta_min_nat))
605 if (tb[CTA_NAT_MINIP-1])
606 range->min_ip = *(u_int32_t *)NFA_DATA(tb[CTA_NAT_MINIP-1]);
608 if (!tb[CTA_NAT_MAXIP-1])
609 range->max_ip = range->min_ip;
611 range->max_ip = *(u_int32_t *)NFA_DATA(tb[CTA_NAT_MAXIP-1]);
614 range->flags |= IP_NAT_RANGE_MAP_IPS;
616 if (!tb[CTA_NAT_PROTO-1])
619 err = ctnetlink_parse_nat_proto(tb[CTA_NAT_PROTO-1], ct, range);
628 ctnetlink_parse_help(struct nfattr *attr, char **helper_name)
630 struct nfattr *tb[CTA_HELP_MAX];
632 nfattr_parse_nested(tb, CTA_HELP_MAX, attr);
634 if (!tb[CTA_HELP_NAME-1])
637 *helper_name = NFA_DATA(tb[CTA_HELP_NAME-1]);
642 static const size_t cta_min[CTA_MAX] = {
643 [CTA_STATUS-1] = sizeof(u_int32_t),
644 [CTA_TIMEOUT-1] = sizeof(u_int32_t),
645 [CTA_MARK-1] = sizeof(u_int32_t),
646 [CTA_USE-1] = sizeof(u_int32_t),
647 [CTA_ID-1] = sizeof(u_int32_t)
651 ctnetlink_del_conntrack(struct sock *ctnl, struct sk_buff *skb,
652 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
654 struct nf_conntrack_tuple_hash *h;
655 struct nf_conntrack_tuple tuple;
657 struct nfgenmsg *nfmsg = NLMSG_DATA(nlh);
658 u_int8_t u3 = nfmsg->nfgen_family;
661 if (nfattr_bad_size(cda, CTA_MAX, cta_min))
664 if (cda[CTA_TUPLE_ORIG-1])
665 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, u3);
666 else if (cda[CTA_TUPLE_REPLY-1])
667 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY, u3);
669 /* Flush the whole table */
670 nf_conntrack_flush();
677 h = nf_conntrack_find_get(&tuple, NULL);
681 ct = nf_ct_tuplehash_to_ctrack(h);
684 u_int32_t id = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_ID-1]));
690 if (del_timer(&ct->timeout))
691 ct->timeout.function((unsigned long)ct);
699 ctnetlink_get_conntrack(struct sock *ctnl, struct sk_buff *skb,
700 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
702 struct nf_conntrack_tuple_hash *h;
703 struct nf_conntrack_tuple tuple;
705 struct sk_buff *skb2 = NULL;
706 struct nfgenmsg *nfmsg = NLMSG_DATA(nlh);
707 u_int8_t u3 = nfmsg->nfgen_family;
710 if (nlh->nlmsg_flags & NLM_F_DUMP) {
713 #ifndef CONFIG_NF_CT_ACCT
714 if (NFNL_MSG_TYPE(nlh->nlmsg_type) == IPCTNL_MSG_CT_GET_CTRZERO)
717 if ((*errp = netlink_dump_start(ctnl, skb, nlh,
718 ctnetlink_dump_table,
719 ctnetlink_done)) != 0)
722 rlen = NLMSG_ALIGN(nlh->nlmsg_len);
729 if (nfattr_bad_size(cda, CTA_MAX, cta_min))
732 if (cda[CTA_TUPLE_ORIG-1])
733 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, u3);
734 else if (cda[CTA_TUPLE_REPLY-1])
735 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY, u3);
742 h = nf_conntrack_find_get(&tuple, NULL);
746 ct = nf_ct_tuplehash_to_ctrack(h);
749 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
754 NETLINK_CB(skb2).dst_pid = NETLINK_CB(skb).pid;
756 err = ctnetlink_fill_info(skb2, NETLINK_CB(skb).pid, nlh->nlmsg_seq,
757 IPCTNL_MSG_CT_NEW, 1, ct);
762 err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT);
775 ctnetlink_change_status(struct nf_conn *ct, struct nfattr *cda[])
778 unsigned status = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_STATUS-1]));
779 d = ct->status ^ status;
781 if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING))
785 if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY))
786 /* SEEN_REPLY bit can only be set */
790 if (d & IPS_ASSURED && !(status & IPS_ASSURED))
791 /* ASSURED bit can only be set */
794 if (cda[CTA_NAT_SRC-1] || cda[CTA_NAT_DST-1]) {
795 #ifndef CONFIG_IP_NF_NAT_NEEDED
798 struct ip_nat_range range;
800 if (cda[CTA_NAT_DST-1]) {
801 if (ctnetlink_parse_nat(cda[CTA_NAT_DST-1], ct,
804 if (ip_nat_initialized(ct,
805 HOOK2MANIP(NF_IP_PRE_ROUTING)))
807 ip_nat_setup_info(ct, &range, hooknum);
809 if (cda[CTA_NAT_SRC-1]) {
810 if (ctnetlink_parse_nat(cda[CTA_NAT_SRC-1], ct,
813 if (ip_nat_initialized(ct,
814 HOOK2MANIP(NF_IP_POST_ROUTING)))
816 ip_nat_setup_info(ct, &range, hooknum);
821 /* Be careful here, modifying NAT bits can screw up things,
822 * so don't let users modify them directly if they don't pass
824 ct->status |= status & ~(IPS_NAT_DONE_MASK | IPS_NAT_MASK);
830 ctnetlink_change_helper(struct nf_conn *ct, struct nfattr *cda[])
832 struct nf_conntrack_helper *helper;
833 struct nf_conn_help *help = nfct_help(ct);
838 /* FIXME: we need to reallocate and rehash */
842 /* don't change helper of sibling connections */
846 err = ctnetlink_parse_help(cda[CTA_HELP-1], &helpname);
850 helper = __nf_conntrack_helper_find_byname(helpname);
852 if (!strcmp(helpname, ""))
860 /* we had a helper before ... */
861 nf_ct_remove_expectations(ct);
864 /* need to zero data of old helper */
865 memset(&help->help, 0, sizeof(help->help));
869 help->helper = helper;
875 ctnetlink_change_timeout(struct nf_conn *ct, struct nfattr *cda[])
877 u_int32_t timeout = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_TIMEOUT-1]));
879 if (!del_timer(&ct->timeout))
882 ct->timeout.expires = jiffies + timeout * HZ;
883 add_timer(&ct->timeout);
889 ctnetlink_change_protoinfo(struct nf_conn *ct, struct nfattr *cda[])
891 struct nfattr *tb[CTA_PROTOINFO_MAX], *attr = cda[CTA_PROTOINFO-1];
892 struct nf_conntrack_protocol *proto;
893 u_int16_t npt = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum;
894 u_int16_t l3num = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
897 nfattr_parse_nested(tb, CTA_PROTOINFO_MAX, attr);
899 proto = nf_ct_proto_find_get(l3num, npt);
901 if (proto->from_nfattr)
902 err = proto->from_nfattr(tb, ct);
903 nf_ct_proto_put(proto);
909 ctnetlink_change_conntrack(struct nf_conn *ct, struct nfattr *cda[])
913 if (cda[CTA_HELP-1]) {
914 err = ctnetlink_change_helper(ct, cda);
919 if (cda[CTA_TIMEOUT-1]) {
920 err = ctnetlink_change_timeout(ct, cda);
925 if (cda[CTA_STATUS-1]) {
926 err = ctnetlink_change_status(ct, cda);
931 if (cda[CTA_PROTOINFO-1]) {
932 err = ctnetlink_change_protoinfo(ct, cda);
937 #if defined(CONFIG_NF_CONNTRACK_MARK)
939 ct->mark = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_MARK-1]));
946 ctnetlink_create_conntrack(struct nfattr *cda[],
947 struct nf_conntrack_tuple *otuple,
948 struct nf_conntrack_tuple *rtuple)
953 ct = nf_conntrack_alloc(otuple, rtuple);
954 if (ct == NULL || IS_ERR(ct))
957 if (!cda[CTA_TIMEOUT-1])
959 ct->timeout.expires = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_TIMEOUT-1]));
961 ct->timeout.expires = jiffies + ct->timeout.expires * HZ;
962 ct->status |= IPS_CONFIRMED;
964 err = ctnetlink_change_status(ct, cda);
968 if (cda[CTA_PROTOINFO-1]) {
969 err = ctnetlink_change_protoinfo(ct, cda);
974 #if defined(CONFIG_NF_CONNTRACK_MARK)
976 ct->mark = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_MARK-1]));
979 add_timer(&ct->timeout);
980 nf_conntrack_hash_insert(ct);
985 nf_conntrack_free(ct);
990 ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
991 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
993 struct nf_conntrack_tuple otuple, rtuple;
994 struct nf_conntrack_tuple_hash *h = NULL;
995 struct nfgenmsg *nfmsg = NLMSG_DATA(nlh);
996 u_int8_t u3 = nfmsg->nfgen_family;
999 if (nfattr_bad_size(cda, CTA_MAX, cta_min))
1002 if (cda[CTA_TUPLE_ORIG-1]) {
1003 err = ctnetlink_parse_tuple(cda, &otuple, CTA_TUPLE_ORIG, u3);
1008 if (cda[CTA_TUPLE_REPLY-1]) {
1009 err = ctnetlink_parse_tuple(cda, &rtuple, CTA_TUPLE_REPLY, u3);
1014 write_lock_bh(&nf_conntrack_lock);
1015 if (cda[CTA_TUPLE_ORIG-1])
1016 h = __nf_conntrack_find(&otuple, NULL);
1017 else if (cda[CTA_TUPLE_REPLY-1])
1018 h = __nf_conntrack_find(&rtuple, NULL);
1021 write_unlock_bh(&nf_conntrack_lock);
1023 if (nlh->nlmsg_flags & NLM_F_CREATE)
1024 err = ctnetlink_create_conntrack(cda, &otuple, &rtuple);
1027 /* implicit 'else' */
1029 /* we only allow nat config for new conntracks */
1030 if (cda[CTA_NAT_SRC-1] || cda[CTA_NAT_DST-1]) {
1035 /* We manipulate the conntrack inside the global conntrack table lock,
1036 * so there's no need to increase the refcount */
1038 if (!(nlh->nlmsg_flags & NLM_F_EXCL))
1039 err = ctnetlink_change_conntrack(nf_ct_tuplehash_to_ctrack(h), cda);
1042 write_unlock_bh(&nf_conntrack_lock);
1046 /***********************************************************************
1048 ***********************************************************************/
1051 ctnetlink_exp_dump_tuple(struct sk_buff *skb,
1052 const struct nf_conntrack_tuple *tuple,
1053 enum ctattr_expect type)
1055 struct nfattr *nest_parms = NFA_NEST(skb, type);
1057 if (ctnetlink_dump_tuples(skb, tuple) < 0)
1058 goto nfattr_failure;
1060 NFA_NEST_END(skb, nest_parms);
1069 ctnetlink_exp_dump_mask(struct sk_buff *skb,
1070 const struct nf_conntrack_tuple *tuple,
1071 const struct nf_conntrack_tuple *mask)
1074 struct nf_conntrack_l3proto *l3proto;
1075 struct nf_conntrack_protocol *proto;
1076 struct nfattr *nest_parms = NFA_NEST(skb, CTA_EXPECT_MASK);
1078 l3proto = nf_ct_l3proto_find_get(tuple->src.l3num);
1079 ret = ctnetlink_dump_tuples_ip(skb, mask, l3proto);
1080 nf_ct_l3proto_put(l3proto);
1082 if (unlikely(ret < 0))
1083 goto nfattr_failure;
1085 proto = nf_ct_proto_find_get(tuple->src.l3num, tuple->dst.protonum);
1086 ret = ctnetlink_dump_tuples_proto(skb, mask, proto);
1087 nf_ct_proto_put(proto);
1088 if (unlikely(ret < 0))
1089 goto nfattr_failure;
1091 NFA_NEST_END(skb, nest_parms);
1100 ctnetlink_exp_dump_expect(struct sk_buff *skb,
1101 const struct nf_conntrack_expect *exp)
1103 struct nf_conn *master = exp->master;
1104 u_int32_t timeout = htonl((exp->timeout.expires - jiffies) / HZ);
1105 u_int32_t id = htonl(exp->id);
1107 if (ctnetlink_exp_dump_tuple(skb, &exp->tuple, CTA_EXPECT_TUPLE) < 0)
1108 goto nfattr_failure;
1109 if (ctnetlink_exp_dump_mask(skb, &exp->tuple, &exp->mask) < 0)
1110 goto nfattr_failure;
1111 if (ctnetlink_exp_dump_tuple(skb,
1112 &master->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
1113 CTA_EXPECT_MASTER) < 0)
1114 goto nfattr_failure;
1116 NFA_PUT(skb, CTA_EXPECT_TIMEOUT, sizeof(timeout), &timeout);
1117 NFA_PUT(skb, CTA_EXPECT_ID, sizeof(u_int32_t), &id);
1126 ctnetlink_exp_fill_info(struct sk_buff *skb, u32 pid, u32 seq,
1129 const struct nf_conntrack_expect *exp)
1131 struct nlmsghdr *nlh;
1132 struct nfgenmsg *nfmsg;
1137 event |= NFNL_SUBSYS_CTNETLINK_EXP << 8;
1138 nlh = NLMSG_PUT(skb, pid, seq, event, sizeof(struct nfgenmsg));
1139 nfmsg = NLMSG_DATA(nlh);
1141 nlh->nlmsg_flags = (nowait && pid) ? NLM_F_MULTI : 0;
1142 nfmsg->nfgen_family = exp->tuple.src.l3num;
1143 nfmsg->version = NFNETLINK_V0;
1146 if (ctnetlink_exp_dump_expect(skb, exp) < 0)
1147 goto nfattr_failure;
1149 nlh->nlmsg_len = skb->tail - b;
1154 skb_trim(skb, b - skb->data);
1158 #ifdef CONFIG_NF_CONNTRACK_EVENTS
1159 static int ctnetlink_expect_event(struct notifier_block *this,
1160 unsigned long events, void *ptr)
1162 struct nlmsghdr *nlh;
1163 struct nfgenmsg *nfmsg;
1164 struct nf_conntrack_expect *exp = (struct nf_conntrack_expect *)ptr;
1165 struct sk_buff *skb;
1170 if (events & IPEXP_NEW) {
1171 type = IPCTNL_MSG_EXP_NEW;
1172 flags = NLM_F_CREATE|NLM_F_EXCL;
1176 if (!nfnetlink_has_listeners(NFNLGRP_CONNTRACK_EXP_NEW))
1179 skb = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1185 type |= NFNL_SUBSYS_CTNETLINK_EXP << 8;
1186 nlh = NLMSG_PUT(skb, 0, 0, type, sizeof(struct nfgenmsg));
1187 nfmsg = NLMSG_DATA(nlh);
1189 nlh->nlmsg_flags = flags;
1190 nfmsg->nfgen_family = exp->tuple.src.l3num;
1191 nfmsg->version = NFNETLINK_V0;
1194 if (ctnetlink_exp_dump_expect(skb, exp) < 0)
1195 goto nfattr_failure;
1197 nlh->nlmsg_len = skb->tail - b;
1198 nfnetlink_send(skb, 0, NFNLGRP_CONNTRACK_EXP_NEW, 0);
1209 ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
1211 struct nf_conntrack_expect *exp = NULL;
1212 struct list_head *i;
1213 u_int32_t *id = (u_int32_t *) &cb->args[0];
1214 struct nfgenmsg *nfmsg = NLMSG_DATA(cb->nlh);
1215 u_int8_t l3proto = nfmsg->nfgen_family;
1217 read_lock_bh(&nf_conntrack_lock);
1218 list_for_each_prev(i, &nf_conntrack_expect_list) {
1219 exp = (struct nf_conntrack_expect *) i;
1220 if (l3proto && exp->tuple.src.l3num != l3proto)
1224 if (ctnetlink_exp_fill_info(skb, NETLINK_CB(cb->skb).pid,
1232 read_unlock_bh(&nf_conntrack_lock);
1237 static const size_t cta_min_exp[CTA_EXPECT_MAX] = {
1238 [CTA_EXPECT_TIMEOUT-1] = sizeof(u_int32_t),
1239 [CTA_EXPECT_ID-1] = sizeof(u_int32_t)
1243 ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb,
1244 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
1246 struct nf_conntrack_tuple tuple;
1247 struct nf_conntrack_expect *exp;
1248 struct sk_buff *skb2;
1249 struct nfgenmsg *nfmsg = NLMSG_DATA(nlh);
1250 u_int8_t u3 = nfmsg->nfgen_family;
1253 if (nfattr_bad_size(cda, CTA_EXPECT_MAX, cta_min_exp))
1256 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1259 if ((*errp = netlink_dump_start(ctnl, skb, nlh,
1260 ctnetlink_exp_dump_table,
1261 ctnetlink_done)) != 0)
1263 rlen = NLMSG_ALIGN(nlh->nlmsg_len);
1264 if (rlen > skb->len)
1266 skb_pull(skb, rlen);
1270 if (cda[CTA_EXPECT_MASTER-1])
1271 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER, u3);
1278 exp = nf_conntrack_expect_find(&tuple);
1282 if (cda[CTA_EXPECT_ID-1]) {
1283 u_int32_t id = *(u_int32_t *)NFA_DATA(cda[CTA_EXPECT_ID-1]);
1284 if (exp->id != ntohl(id)) {
1285 nf_conntrack_expect_put(exp);
1291 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1294 NETLINK_CB(skb2).dst_pid = NETLINK_CB(skb).pid;
1296 err = ctnetlink_exp_fill_info(skb2, NETLINK_CB(skb).pid,
1297 nlh->nlmsg_seq, IPCTNL_MSG_EXP_NEW,
1302 nf_conntrack_expect_put(exp);
1304 return netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT);
1309 nf_conntrack_expect_put(exp);
1314 ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb,
1315 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
1317 struct nf_conntrack_expect *exp, *tmp;
1318 struct nf_conntrack_tuple tuple;
1319 struct nf_conntrack_helper *h;
1320 struct nfgenmsg *nfmsg = NLMSG_DATA(nlh);
1321 u_int8_t u3 = nfmsg->nfgen_family;
1324 if (nfattr_bad_size(cda, CTA_EXPECT_MAX, cta_min_exp))
1327 if (cda[CTA_EXPECT_TUPLE-1]) {
1328 /* delete a single expect by tuple */
1329 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, u3);
1333 /* bump usage count to 2 */
1334 exp = nf_conntrack_expect_find(&tuple);
1338 if (cda[CTA_EXPECT_ID-1]) {
1340 *(u_int32_t *)NFA_DATA(cda[CTA_EXPECT_ID-1]);
1341 if (exp->id != ntohl(id)) {
1342 nf_conntrack_expect_put(exp);
1347 /* after list removal, usage count == 1 */
1348 nf_conntrack_unexpect_related(exp);
1349 /* have to put what we 'get' above.
1350 * after this line usage count == 0 */
1351 nf_conntrack_expect_put(exp);
1352 } else if (cda[CTA_EXPECT_HELP_NAME-1]) {
1353 char *name = NFA_DATA(cda[CTA_EXPECT_HELP_NAME-1]);
1355 /* delete all expectations for this helper */
1356 write_lock_bh(&nf_conntrack_lock);
1357 h = __nf_conntrack_helper_find_byname(name);
1359 write_unlock_bh(&nf_conntrack_lock);
1362 list_for_each_entry_safe(exp, tmp, &nf_conntrack_expect_list,
1364 struct nf_conn_help *m_help = nfct_help(exp->master);
1365 if (m_help->helper == h
1366 && del_timer(&exp->timeout)) {
1367 nf_ct_unlink_expect(exp);
1368 nf_conntrack_expect_put(exp);
1371 write_unlock_bh(&nf_conntrack_lock);
1373 /* This basically means we have to flush everything*/
1374 write_lock_bh(&nf_conntrack_lock);
1375 list_for_each_entry_safe(exp, tmp, &nf_conntrack_expect_list,
1377 if (del_timer(&exp->timeout)) {
1378 nf_ct_unlink_expect(exp);
1379 nf_conntrack_expect_put(exp);
1382 write_unlock_bh(&nf_conntrack_lock);
1388 ctnetlink_change_expect(struct nf_conntrack_expect *x, struct nfattr *cda[])
1394 ctnetlink_create_expect(struct nfattr *cda[], u_int8_t u3)
1396 struct nf_conntrack_tuple tuple, mask, master_tuple;
1397 struct nf_conntrack_tuple_hash *h = NULL;
1398 struct nf_conntrack_expect *exp;
1400 struct nf_conn_help *help;
1403 /* caller guarantees that those three CTA_EXPECT_* exist */
1404 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, u3);
1407 err = ctnetlink_parse_tuple(cda, &mask, CTA_EXPECT_MASK, u3);
1410 err = ctnetlink_parse_tuple(cda, &master_tuple, CTA_EXPECT_MASTER, u3);
1414 /* Look for master conntrack of this expectation */
1415 h = nf_conntrack_find_get(&master_tuple, NULL);
1418 ct = nf_ct_tuplehash_to_ctrack(h);
1419 help = nfct_help(ct);
1421 if (!help || !help->helper) {
1422 /* such conntrack hasn't got any helper, abort */
1427 exp = nf_conntrack_expect_alloc(ct);
1433 exp->expectfn = NULL;
1436 memcpy(&exp->tuple, &tuple, sizeof(struct nf_conntrack_tuple));
1437 memcpy(&exp->mask, &mask, sizeof(struct nf_conntrack_tuple));
1439 err = nf_conntrack_expect_related(exp);
1440 nf_conntrack_expect_put(exp);
1443 nf_ct_put(nf_ct_tuplehash_to_ctrack(h));
1448 ctnetlink_new_expect(struct sock *ctnl, struct sk_buff *skb,
1449 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
1451 struct nf_conntrack_tuple tuple;
1452 struct nf_conntrack_expect *exp;
1453 struct nfgenmsg *nfmsg = NLMSG_DATA(nlh);
1454 u_int8_t u3 = nfmsg->nfgen_family;
1457 if (nfattr_bad_size(cda, CTA_EXPECT_MAX, cta_min_exp))
1460 if (!cda[CTA_EXPECT_TUPLE-1]
1461 || !cda[CTA_EXPECT_MASK-1]
1462 || !cda[CTA_EXPECT_MASTER-1])
1465 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, u3);
1469 write_lock_bh(&nf_conntrack_lock);
1470 exp = __nf_conntrack_expect_find(&tuple);
1473 write_unlock_bh(&nf_conntrack_lock);
1475 if (nlh->nlmsg_flags & NLM_F_CREATE)
1476 err = ctnetlink_create_expect(cda, u3);
1481 if (!(nlh->nlmsg_flags & NLM_F_EXCL))
1482 err = ctnetlink_change_expect(exp, cda);
1483 write_unlock_bh(&nf_conntrack_lock);
1488 #ifdef CONFIG_NF_CONNTRACK_EVENTS
1489 static struct notifier_block ctnl_notifier = {
1490 .notifier_call = ctnetlink_conntrack_event,
1493 static struct notifier_block ctnl_notifier_exp = {
1494 .notifier_call = ctnetlink_expect_event,
1498 static struct nfnl_callback ctnl_cb[IPCTNL_MSG_MAX] = {
1499 [IPCTNL_MSG_CT_NEW] = { .call = ctnetlink_new_conntrack,
1500 .attr_count = CTA_MAX, },
1501 [IPCTNL_MSG_CT_GET] = { .call = ctnetlink_get_conntrack,
1502 .attr_count = CTA_MAX, },
1503 [IPCTNL_MSG_CT_DELETE] = { .call = ctnetlink_del_conntrack,
1504 .attr_count = CTA_MAX, },
1505 [IPCTNL_MSG_CT_GET_CTRZERO] = { .call = ctnetlink_get_conntrack,
1506 .attr_count = CTA_MAX, },
1509 static struct nfnl_callback ctnl_exp_cb[IPCTNL_MSG_EXP_MAX] = {
1510 [IPCTNL_MSG_EXP_GET] = { .call = ctnetlink_get_expect,
1511 .attr_count = CTA_EXPECT_MAX, },
1512 [IPCTNL_MSG_EXP_NEW] = { .call = ctnetlink_new_expect,
1513 .attr_count = CTA_EXPECT_MAX, },
1514 [IPCTNL_MSG_EXP_DELETE] = { .call = ctnetlink_del_expect,
1515 .attr_count = CTA_EXPECT_MAX, },
1518 static struct nfnetlink_subsystem ctnl_subsys = {
1519 .name = "conntrack",
1520 .subsys_id = NFNL_SUBSYS_CTNETLINK,
1521 .cb_count = IPCTNL_MSG_MAX,
1525 static struct nfnetlink_subsystem ctnl_exp_subsys = {
1526 .name = "conntrack_expect",
1527 .subsys_id = NFNL_SUBSYS_CTNETLINK_EXP,
1528 .cb_count = IPCTNL_MSG_EXP_MAX,
1532 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK);
1533 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK_EXP);
1535 static int __init ctnetlink_init(void)
1539 printk("ctnetlink v%s: registering with nfnetlink.\n", version);
1540 ret = nfnetlink_subsys_register(&ctnl_subsys);
1542 printk("ctnetlink_init: cannot register with nfnetlink.\n");
1546 ret = nfnetlink_subsys_register(&ctnl_exp_subsys);
1548 printk("ctnetlink_init: cannot register exp with nfnetlink.\n");
1549 goto err_unreg_subsys;
1552 #ifdef CONFIG_NF_CONNTRACK_EVENTS
1553 ret = nf_conntrack_register_notifier(&ctnl_notifier);
1555 printk("ctnetlink_init: cannot register notifier.\n");
1556 goto err_unreg_exp_subsys;
1559 ret = nf_conntrack_expect_register_notifier(&ctnl_notifier_exp);
1561 printk("ctnetlink_init: cannot expect register notifier.\n");
1562 goto err_unreg_notifier;
1568 #ifdef CONFIG_NF_CONNTRACK_EVENTS
1570 nf_conntrack_unregister_notifier(&ctnl_notifier);
1571 err_unreg_exp_subsys:
1572 nfnetlink_subsys_unregister(&ctnl_exp_subsys);
1575 nfnetlink_subsys_unregister(&ctnl_subsys);
1580 static void __exit ctnetlink_exit(void)
1582 printk("ctnetlink: unregistering from nfnetlink.\n");
1584 #ifdef CONFIG_NF_CONNTRACK_EVENTS
1585 nf_conntrack_expect_unregister_notifier(&ctnl_notifier_exp);
1586 nf_conntrack_unregister_notifier(&ctnl_notifier);
1589 nfnetlink_subsys_unregister(&ctnl_exp_subsys);
1590 nfnetlink_subsys_unregister(&ctnl_subsys);
1594 module_init(ctnetlink_init);
1595 module_exit(ctnetlink_exit);
git.openpandora.org / pandora-kernel.git / blob