1 /* Connection tracking via netlink socket. Allows for user space
2 * protocol helpers and general trouble making from userspace.
4 * (C) 2001 by Jay Schulist <jschlst@samba.org>
5 * (C) 2002-2006 by Harald Welte <laforge@gnumonks.org>
6 * (C) 2003 by Patrick Mchardy <kaber@trash.net>
7 * (C) 2005-2012 by Pablo Neira Ayuso <pablo@netfilter.org>
9 * Initial connection tracking via netlink development funded and
10 * generally made possible by Network Robots, Inc. (www.networkrobots.com)
12 * Further development of this code funded by Astaro AG (http://www.astaro.com)
14 * This software may be used and distributed according to the terms
15 * of the GNU General Public License, incorporated herein by reference.
18 #include <linux/init.h>
19 #include <linux/module.h>
20 #include <linux/kernel.h>
21 #include <linux/rculist.h>
22 #include <linux/rculist_nulls.h>
23 #include <linux/types.h>
24 #include <linux/timer.h>
25 #include <linux/security.h>
26 #include <linux/skbuff.h>
27 #include <linux/errno.h>
28 #include <linux/netlink.h>
29 #include <linux/spinlock.h>
30 #include <linux/interrupt.h>
31 #include <linux/slab.h>
32 #include <linux/siphash.h>
34 #include <linux/netfilter.h>
35 #include <net/netlink.h>
37 #include <net/netfilter/nf_conntrack.h>
38 #include <net/netfilter/nf_conntrack_core.h>
39 #include <net/netfilter/nf_conntrack_expect.h>
40 #include <net/netfilter/nf_conntrack_helper.h>
41 #include <net/netfilter/nf_conntrack_seqadj.h>
42 #include <net/netfilter/nf_conntrack_l4proto.h>
43 #include <net/netfilter/nf_conntrack_tuple.h>
44 #include <net/netfilter/nf_conntrack_acct.h>
45 #include <net/netfilter/nf_conntrack_zones.h>
46 #include <net/netfilter/nf_conntrack_timestamp.h>
47 #include <net/netfilter/nf_conntrack_labels.h>
48 #include <net/netfilter/nf_conntrack_synproxy.h>
49 #if IS_ENABLED(CONFIG_NF_NAT)
50 #include <net/netfilter/nf_nat.h>
51 #include <net/netfilter/nf_nat_helper.h>
54 #include <linux/netfilter/nfnetlink.h>
55 #include <linux/netfilter/nfnetlink_conntrack.h>
57 #include "nf_internals.h"
59 MODULE_LICENSE("GPL");
61 static int ctnetlink_dump_tuples_proto(struct sk_buff *skb,
62 const struct nf_conntrack_tuple *tuple,
63 const struct nf_conntrack_l4proto *l4proto)
66 struct nlattr *nest_parms;
68 nest_parms = nla_nest_start(skb, CTA_TUPLE_PROTO);
71 if (nla_put_u8(skb, CTA_PROTO_NUM, tuple->dst.protonum))
74 if (likely(l4proto->tuple_to_nlattr))
75 ret = l4proto->tuple_to_nlattr(skb, tuple);
77 nla_nest_end(skb, nest_parms);
85 static int ipv4_tuple_to_nlattr(struct sk_buff *skb,
86 const struct nf_conntrack_tuple *tuple)
88 if (nla_put_in_addr(skb, CTA_IP_V4_SRC, tuple->src.u3.ip) ||
89 nla_put_in_addr(skb, CTA_IP_V4_DST, tuple->dst.u3.ip))
94 static int ipv6_tuple_to_nlattr(struct sk_buff *skb,
95 const struct nf_conntrack_tuple *tuple)
97 if (nla_put_in6_addr(skb, CTA_IP_V6_SRC, &tuple->src.u3.in6) ||
98 nla_put_in6_addr(skb, CTA_IP_V6_DST, &tuple->dst.u3.in6))
103 static int ctnetlink_dump_tuples_ip(struct sk_buff *skb,
104 const struct nf_conntrack_tuple *tuple)
107 struct nlattr *nest_parms;
109 nest_parms = nla_nest_start(skb, CTA_TUPLE_IP);
111 goto nla_put_failure;
113 switch (tuple->src.l3num) {
115 ret = ipv4_tuple_to_nlattr(skb, tuple);
118 ret = ipv6_tuple_to_nlattr(skb, tuple);
122 nla_nest_end(skb, nest_parms);
130 static int ctnetlink_dump_tuples(struct sk_buff *skb,
131 const struct nf_conntrack_tuple *tuple)
133 const struct nf_conntrack_l4proto *l4proto;
137 ret = ctnetlink_dump_tuples_ip(skb, tuple);
140 l4proto = nf_ct_l4proto_find(tuple->dst.protonum);
141 ret = ctnetlink_dump_tuples_proto(skb, tuple, l4proto);
147 static int ctnetlink_dump_zone_id(struct sk_buff *skb, int attrtype,
148 const struct nf_conntrack_zone *zone, int dir)
150 if (zone->id == NF_CT_DEFAULT_ZONE_ID || zone->dir != dir)
152 if (nla_put_be16(skb, attrtype, htons(zone->id)))
153 goto nla_put_failure;
160 static int ctnetlink_dump_status(struct sk_buff *skb, const struct nf_conn *ct)
162 if (nla_put_be32(skb, CTA_STATUS, htonl(ct->status)))
163 goto nla_put_failure;
170 static int ctnetlink_dump_timeout(struct sk_buff *skb, const struct nf_conn *ct,
173 long timeout = nf_ct_expires(ct) / HZ;
175 if (skip_zero && timeout == 0)
178 if (nla_put_be32(skb, CTA_TIMEOUT, htonl(timeout)))
179 goto nla_put_failure;
186 static int ctnetlink_dump_protoinfo(struct sk_buff *skb, struct nf_conn *ct,
189 const struct nf_conntrack_l4proto *l4proto;
190 struct nlattr *nest_proto;
193 l4proto = nf_ct_l4proto_find(nf_ct_protonum(ct));
194 if (!l4proto->to_nlattr)
197 nest_proto = nla_nest_start(skb, CTA_PROTOINFO);
199 goto nla_put_failure;
201 ret = l4proto->to_nlattr(skb, nest_proto, ct, destroy);
203 nla_nest_end(skb, nest_proto);
211 static int ctnetlink_dump_helpinfo(struct sk_buff *skb,
212 const struct nf_conn *ct)
214 struct nlattr *nest_helper;
215 const struct nf_conn_help *help = nfct_help(ct);
216 struct nf_conntrack_helper *helper;
222 helper = rcu_dereference(help->helper);
226 nest_helper = nla_nest_start(skb, CTA_HELP);
228 goto nla_put_failure;
229 if (nla_put_string(skb, CTA_HELP_NAME, helper->name))
230 goto nla_put_failure;
232 if (helper->to_nlattr)
233 helper->to_nlattr(skb, ct);
235 nla_nest_end(skb, nest_helper);
246 dump_counters(struct sk_buff *skb, struct nf_conn_acct *acct,
247 enum ip_conntrack_dir dir, int type)
249 enum ctattr_type attr = dir ? CTA_COUNTERS_REPLY: CTA_COUNTERS_ORIG;
250 struct nf_conn_counter *counter = acct->counter;
251 struct nlattr *nest_count;
254 if (type == IPCTNL_MSG_CT_GET_CTRZERO) {
255 pkts = atomic64_xchg(&counter[dir].packets, 0);
256 bytes = atomic64_xchg(&counter[dir].bytes, 0);
258 pkts = atomic64_read(&counter[dir].packets);
259 bytes = atomic64_read(&counter[dir].bytes);
262 nest_count = nla_nest_start(skb, attr);
264 goto nla_put_failure;
266 if (nla_put_be64(skb, CTA_COUNTERS_PACKETS, cpu_to_be64(pkts),
268 nla_put_be64(skb, CTA_COUNTERS_BYTES, cpu_to_be64(bytes),
270 goto nla_put_failure;
272 nla_nest_end(skb, nest_count);
281 ctnetlink_dump_acct(struct sk_buff *skb, const struct nf_conn *ct, int type)
283 struct nf_conn_acct *acct = nf_conn_acct_find(ct);
288 if (dump_counters(skb, acct, IP_CT_DIR_ORIGINAL, type) < 0)
290 if (dump_counters(skb, acct, IP_CT_DIR_REPLY, type) < 0)
297 ctnetlink_dump_timestamp(struct sk_buff *skb, const struct nf_conn *ct)
299 struct nlattr *nest_count;
300 const struct nf_conn_tstamp *tstamp;
302 tstamp = nf_conn_tstamp_find(ct);
306 nest_count = nla_nest_start(skb, CTA_TIMESTAMP);
308 goto nla_put_failure;
310 if (nla_put_be64(skb, CTA_TIMESTAMP_START, cpu_to_be64(tstamp->start),
311 CTA_TIMESTAMP_PAD) ||
312 (tstamp->stop != 0 && nla_put_be64(skb, CTA_TIMESTAMP_STOP,
313 cpu_to_be64(tstamp->stop),
315 goto nla_put_failure;
316 nla_nest_end(skb, nest_count);
324 #ifdef CONFIG_NF_CONNTRACK_MARK
325 static int ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct)
327 u32 mark = READ_ONCE(ct->mark);
332 if (nla_put_be32(skb, CTA_MARK, htonl(mark)))
333 goto nla_put_failure;
340 #define ctnetlink_dump_mark(a, b) (0)
343 #ifdef CONFIG_NF_CONNTRACK_SECMARK
344 static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
346 struct nlattr *nest_secctx;
350 ret = security_secid_to_secctx(ct->secmark, &secctx, &len);
355 nest_secctx = nla_nest_start(skb, CTA_SECCTX);
357 goto nla_put_failure;
359 if (nla_put_string(skb, CTA_SECCTX_NAME, secctx))
360 goto nla_put_failure;
361 nla_nest_end(skb, nest_secctx);
365 security_release_secctx(secctx, len);
369 #define ctnetlink_dump_secctx(a, b) (0)
372 #ifdef CONFIG_NF_CONNTRACK_LABELS
373 static inline int ctnetlink_label_size(const struct nf_conn *ct)
375 struct nf_conn_labels *labels = nf_ct_labels_find(ct);
379 return nla_total_size(sizeof(labels->bits));
383 ctnetlink_dump_labels(struct sk_buff *skb, const struct nf_conn *ct)
385 struct nf_conn_labels *labels = nf_ct_labels_find(ct);
393 if (labels->bits[i] != 0)
394 return nla_put(skb, CTA_LABELS, sizeof(labels->bits),
397 } while (i < ARRAY_SIZE(labels->bits));
402 #define ctnetlink_dump_labels(a, b) (0)
403 #define ctnetlink_label_size(a) (0)
406 #define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple)
408 static int ctnetlink_dump_master(struct sk_buff *skb, const struct nf_conn *ct)
410 struct nlattr *nest_parms;
412 if (!(ct->status & IPS_EXPECTED))
415 nest_parms = nla_nest_start(skb, CTA_TUPLE_MASTER);
417 goto nla_put_failure;
418 if (ctnetlink_dump_tuples(skb, master_tuple(ct)) < 0)
419 goto nla_put_failure;
420 nla_nest_end(skb, nest_parms);
429 dump_ct_seq_adj(struct sk_buff *skb, const struct nf_ct_seqadj *seq, int type)
431 struct nlattr *nest_parms;
433 nest_parms = nla_nest_start(skb, type);
435 goto nla_put_failure;
437 if (nla_put_be32(skb, CTA_SEQADJ_CORRECTION_POS,
438 htonl(seq->correction_pos)) ||
439 nla_put_be32(skb, CTA_SEQADJ_OFFSET_BEFORE,
440 htonl(seq->offset_before)) ||
441 nla_put_be32(skb, CTA_SEQADJ_OFFSET_AFTER,
442 htonl(seq->offset_after)))
443 goto nla_put_failure;
445 nla_nest_end(skb, nest_parms);
453 static int ctnetlink_dump_ct_seq_adj(struct sk_buff *skb, struct nf_conn *ct)
455 struct nf_conn_seqadj *seqadj = nfct_seqadj(ct);
456 struct nf_ct_seqadj *seq;
458 if (!(ct->status & IPS_SEQ_ADJUST) || !seqadj)
461 spin_lock_bh(&ct->lock);
462 seq = &seqadj->seq[IP_CT_DIR_ORIGINAL];
463 if (dump_ct_seq_adj(skb, seq, CTA_SEQ_ADJ_ORIG) == -1)
466 seq = &seqadj->seq[IP_CT_DIR_REPLY];
467 if (dump_ct_seq_adj(skb, seq, CTA_SEQ_ADJ_REPLY) == -1)
470 spin_unlock_bh(&ct->lock);
473 spin_unlock_bh(&ct->lock);
477 static int ctnetlink_dump_ct_synproxy(struct sk_buff *skb, struct nf_conn *ct)
479 struct nf_conn_synproxy *synproxy = nfct_synproxy(ct);
480 struct nlattr *nest_parms;
485 nest_parms = nla_nest_start(skb, CTA_SYNPROXY);
487 goto nla_put_failure;
489 if (nla_put_be32(skb, CTA_SYNPROXY_ISN, htonl(synproxy->isn)) ||
490 nla_put_be32(skb, CTA_SYNPROXY_ITS, htonl(synproxy->its)) ||
491 nla_put_be32(skb, CTA_SYNPROXY_TSOFF, htonl(synproxy->tsoff)))
492 goto nla_put_failure;
494 nla_nest_end(skb, nest_parms);
502 static int ctnetlink_dump_id(struct sk_buff *skb, const struct nf_conn *ct)
504 __be32 id = (__force __be32)nf_ct_get_id(ct);
506 if (nla_put_be32(skb, CTA_ID, id))
507 goto nla_put_failure;
514 static int ctnetlink_dump_use(struct sk_buff *skb, const struct nf_conn *ct)
516 if (nla_put_be32(skb, CTA_USE, htonl(refcount_read(&ct->ct_general.use))))
517 goto nla_put_failure;
524 /* all these functions access ct->ext. Caller must either hold a reference
525 * on ct or prevent its deletion by holding either the bucket spinlock or
526 * pcpu dying list lock.
528 static int ctnetlink_dump_extinfo(struct sk_buff *skb,
529 struct nf_conn *ct, u32 type)
531 if (ctnetlink_dump_acct(skb, ct, type) < 0 ||
532 ctnetlink_dump_timestamp(skb, ct) < 0 ||
533 ctnetlink_dump_helpinfo(skb, ct) < 0 ||
534 ctnetlink_dump_labels(skb, ct) < 0 ||
535 ctnetlink_dump_ct_seq_adj(skb, ct) < 0 ||
536 ctnetlink_dump_ct_synproxy(skb, ct) < 0)
542 static int ctnetlink_dump_info(struct sk_buff *skb, struct nf_conn *ct)
544 if (ctnetlink_dump_status(skb, ct) < 0 ||
545 ctnetlink_dump_mark(skb, ct) < 0 ||
546 ctnetlink_dump_secctx(skb, ct) < 0 ||
547 ctnetlink_dump_id(skb, ct) < 0 ||
548 ctnetlink_dump_use(skb, ct) < 0 ||
549 ctnetlink_dump_master(skb, ct) < 0)
552 if (!test_bit(IPS_OFFLOAD_BIT, &ct->status) &&
553 (ctnetlink_dump_timeout(skb, ct, false) < 0 ||
554 ctnetlink_dump_protoinfo(skb, ct, false) < 0))
561 ctnetlink_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
562 struct nf_conn *ct, bool extinfo, unsigned int flags)
564 const struct nf_conntrack_zone *zone;
565 struct nlmsghdr *nlh;
566 struct nlattr *nest_parms;
570 flags |= NLM_F_MULTI;
571 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, IPCTNL_MSG_CT_NEW);
572 nlh = nfnl_msg_put(skb, portid, seq, event, flags, nf_ct_l3num(ct),
577 zone = nf_ct_zone(ct);
579 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG);
581 goto nla_put_failure;
582 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
583 goto nla_put_failure;
584 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
585 NF_CT_ZONE_DIR_ORIG) < 0)
586 goto nla_put_failure;
587 nla_nest_end(skb, nest_parms);
589 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY);
591 goto nla_put_failure;
592 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
593 goto nla_put_failure;
594 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
595 NF_CT_ZONE_DIR_REPL) < 0)
596 goto nla_put_failure;
597 nla_nest_end(skb, nest_parms);
599 if (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone,
600 NF_CT_DEFAULT_ZONE_DIR) < 0)
601 goto nla_put_failure;
603 if (ctnetlink_dump_info(skb, ct) < 0)
604 goto nla_put_failure;
605 if (extinfo && ctnetlink_dump_extinfo(skb, ct, type) < 0)
606 goto nla_put_failure;
613 nlmsg_cancel(skb, nlh);
617 static const struct nla_policy cta_ip_nla_policy[CTA_IP_MAX + 1] = {
618 [CTA_IP_V4_SRC] = { .type = NLA_U32 },
619 [CTA_IP_V4_DST] = { .type = NLA_U32 },
620 [CTA_IP_V6_SRC] = { .len = sizeof(__be32) * 4 },
621 [CTA_IP_V6_DST] = { .len = sizeof(__be32) * 4 },
624 #if defined(CONFIG_NETFILTER_NETLINK_GLUE_CT) || defined(CONFIG_NF_CONNTRACK_EVENTS)
625 static size_t ctnetlink_proto_size(const struct nf_conn *ct)
627 const struct nf_conntrack_l4proto *l4proto;
628 size_t len, len4 = 0;
630 len = nla_policy_len(cta_ip_nla_policy, CTA_IP_MAX + 1);
631 len *= 3u; /* ORIG, REPLY, MASTER */
633 l4proto = nf_ct_l4proto_find(nf_ct_protonum(ct));
634 len += l4proto->nlattr_size;
635 if (l4proto->nlattr_tuple_size) {
636 len4 = l4proto->nlattr_tuple_size();
637 len4 *= 3u; /* ORIG, REPLY, MASTER */
644 static inline size_t ctnetlink_acct_size(const struct nf_conn *ct)
646 if (!nf_ct_ext_exist(ct, NF_CT_EXT_ACCT))
648 return 2 * nla_total_size(0) /* CTA_COUNTERS_ORIG|REPL */
649 + 2 * nla_total_size_64bit(sizeof(uint64_t)) /* CTA_COUNTERS_PACKETS */
650 + 2 * nla_total_size_64bit(sizeof(uint64_t)) /* CTA_COUNTERS_BYTES */
654 static inline int ctnetlink_secctx_size(const struct nf_conn *ct)
656 #ifdef CONFIG_NF_CONNTRACK_SECMARK
659 ret = security_secid_to_secctx(ct->secmark, NULL, &len);
663 return nla_total_size(0) /* CTA_SECCTX */
664 + nla_total_size(sizeof(char) * len); /* CTA_SECCTX_NAME */
670 static inline size_t ctnetlink_timestamp_size(const struct nf_conn *ct)
672 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP
673 if (!nf_ct_ext_exist(ct, NF_CT_EXT_TSTAMP))
675 return nla_total_size(0) + 2 * nla_total_size_64bit(sizeof(uint64_t));
681 #ifdef CONFIG_NF_CONNTRACK_EVENTS
682 static size_t ctnetlink_nlmsg_size(const struct nf_conn *ct)
684 return NLMSG_ALIGN(sizeof(struct nfgenmsg))
685 + 3 * nla_total_size(0) /* CTA_TUPLE_ORIG|REPL|MASTER */
686 + 3 * nla_total_size(0) /* CTA_TUPLE_IP */
687 + 3 * nla_total_size(0) /* CTA_TUPLE_PROTO */
688 + 3 * nla_total_size(sizeof(u_int8_t)) /* CTA_PROTO_NUM */
689 + nla_total_size(sizeof(u_int32_t)) /* CTA_ID */
690 + nla_total_size(sizeof(u_int32_t)) /* CTA_STATUS */
691 + ctnetlink_acct_size(ct)
692 + ctnetlink_timestamp_size(ct)
693 + nla_total_size(sizeof(u_int32_t)) /* CTA_TIMEOUT */
694 + nla_total_size(0) /* CTA_PROTOINFO */
695 + nla_total_size(0) /* CTA_HELP */
696 + nla_total_size(NF_CT_HELPER_NAME_LEN) /* CTA_HELP_NAME */
697 + ctnetlink_secctx_size(ct)
698 #if IS_ENABLED(CONFIG_NF_NAT)
699 + 2 * nla_total_size(0) /* CTA_NAT_SEQ_ADJ_ORIG|REPL */
700 + 6 * nla_total_size(sizeof(u_int32_t)) /* CTA_NAT_SEQ_OFFSET */
702 #ifdef CONFIG_NF_CONNTRACK_MARK
703 + nla_total_size(sizeof(u_int32_t)) /* CTA_MARK */
705 #ifdef CONFIG_NF_CONNTRACK_ZONES
706 + nla_total_size(sizeof(u_int16_t)) /* CTA_ZONE|CTA_TUPLE_ZONE */
708 + ctnetlink_proto_size(ct)
709 + ctnetlink_label_size(ct)
714 ctnetlink_conntrack_event(unsigned int events, const struct nf_ct_event *item)
716 const struct nf_conntrack_zone *zone;
718 struct nlmsghdr *nlh;
719 struct nlattr *nest_parms;
720 struct nf_conn *ct = item->ct;
723 unsigned int flags = 0, group;
726 if (events & (1 << IPCT_DESTROY)) {
727 type = IPCTNL_MSG_CT_DELETE;
728 group = NFNLGRP_CONNTRACK_DESTROY;
729 } else if (events & ((1 << IPCT_NEW) | (1 << IPCT_RELATED))) {
730 type = IPCTNL_MSG_CT_NEW;
731 flags = NLM_F_CREATE|NLM_F_EXCL;
732 group = NFNLGRP_CONNTRACK_NEW;
734 type = IPCTNL_MSG_CT_NEW;
735 group = NFNLGRP_CONNTRACK_UPDATE;
740 if (!item->report && !nfnetlink_has_listeners(net, group))
743 skb = nlmsg_new(ctnetlink_nlmsg_size(ct), GFP_ATOMIC);
747 type = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, type);
748 nlh = nfnl_msg_put(skb, item->portid, 0, type, flags, nf_ct_l3num(ct),
753 zone = nf_ct_zone(ct);
755 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG);
757 goto nla_put_failure;
758 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
759 goto nla_put_failure;
760 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
761 NF_CT_ZONE_DIR_ORIG) < 0)
762 goto nla_put_failure;
763 nla_nest_end(skb, nest_parms);
765 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY);
767 goto nla_put_failure;
768 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
769 goto nla_put_failure;
770 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
771 NF_CT_ZONE_DIR_REPL) < 0)
772 goto nla_put_failure;
773 nla_nest_end(skb, nest_parms);
775 if (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone,
776 NF_CT_DEFAULT_ZONE_DIR) < 0)
777 goto nla_put_failure;
779 if (ctnetlink_dump_id(skb, ct) < 0)
780 goto nla_put_failure;
782 if (ctnetlink_dump_status(skb, ct) < 0)
783 goto nla_put_failure;
785 if (events & (1 << IPCT_DESTROY)) {
786 if (ctnetlink_dump_timeout(skb, ct, true) < 0)
787 goto nla_put_failure;
789 if (ctnetlink_dump_acct(skb, ct, type) < 0 ||
790 ctnetlink_dump_timestamp(skb, ct) < 0 ||
791 ctnetlink_dump_protoinfo(skb, ct, true) < 0)
792 goto nla_put_failure;
794 if (ctnetlink_dump_timeout(skb, ct, false) < 0)
795 goto nla_put_failure;
797 if (events & (1 << IPCT_PROTOINFO) &&
798 ctnetlink_dump_protoinfo(skb, ct, false) < 0)
799 goto nla_put_failure;
801 if ((events & (1 << IPCT_HELPER) || nfct_help(ct))
802 && ctnetlink_dump_helpinfo(skb, ct) < 0)
803 goto nla_put_failure;
805 #ifdef CONFIG_NF_CONNTRACK_SECMARK
806 if ((events & (1 << IPCT_SECMARK) || ct->secmark)
807 && ctnetlink_dump_secctx(skb, ct) < 0)
808 goto nla_put_failure;
810 if (events & (1 << IPCT_LABEL) &&
811 ctnetlink_dump_labels(skb, ct) < 0)
812 goto nla_put_failure;
814 if (events & (1 << IPCT_RELATED) &&
815 ctnetlink_dump_master(skb, ct) < 0)
816 goto nla_put_failure;
818 if (events & (1 << IPCT_SEQADJ) &&
819 ctnetlink_dump_ct_seq_adj(skb, ct) < 0)
820 goto nla_put_failure;
822 if (events & (1 << IPCT_SYNPROXY) &&
823 ctnetlink_dump_ct_synproxy(skb, ct) < 0)
824 goto nla_put_failure;
827 #ifdef CONFIG_NF_CONNTRACK_MARK
828 if (events & (1 << IPCT_MARK) &&
829 ctnetlink_dump_mark(skb, ct) < 0)
830 goto nla_put_failure;
833 err = nfnetlink_send(skb, net, item->portid, group, item->report,
835 if (err == -ENOBUFS || err == -EAGAIN)
841 nlmsg_cancel(skb, nlh);
845 if (nfnetlink_set_err(net, 0, group, -ENOBUFS) > 0)
850 #endif /* CONFIG_NF_CONNTRACK_EVENTS */
852 static int ctnetlink_done(struct netlink_callback *cb)
855 nf_ct_put((struct nf_conn *)cb->args[1]);
860 struct ctnetlink_filter_u32 {
865 struct ctnetlink_filter {
868 u_int32_t orig_flags;
869 u_int32_t reply_flags;
871 struct nf_conntrack_tuple orig;
872 struct nf_conntrack_tuple reply;
873 struct nf_conntrack_zone zone;
875 struct ctnetlink_filter_u32 mark;
876 struct ctnetlink_filter_u32 status;
879 static const struct nla_policy cta_filter_nla_policy[CTA_FILTER_MAX + 1] = {
880 [CTA_FILTER_ORIG_FLAGS] = { .type = NLA_U32 },
881 [CTA_FILTER_REPLY_FLAGS] = { .type = NLA_U32 },
884 static int ctnetlink_parse_filter(const struct nlattr *attr,
885 struct ctnetlink_filter *filter)
887 struct nlattr *tb[CTA_FILTER_MAX + 1];
890 ret = nla_parse_nested(tb, CTA_FILTER_MAX, attr, cta_filter_nla_policy,
895 if (tb[CTA_FILTER_ORIG_FLAGS]) {
896 filter->orig_flags = nla_get_u32(tb[CTA_FILTER_ORIG_FLAGS]);
897 if (filter->orig_flags & ~CTA_FILTER_F_ALL)
901 if (tb[CTA_FILTER_REPLY_FLAGS]) {
902 filter->reply_flags = nla_get_u32(tb[CTA_FILTER_REPLY_FLAGS]);
903 if (filter->reply_flags & ~CTA_FILTER_F_ALL)
910 static int ctnetlink_parse_zone(const struct nlattr *attr,
911 struct nf_conntrack_zone *zone);
912 static int ctnetlink_parse_tuple_filter(const struct nlattr * const cda[],
913 struct nf_conntrack_tuple *tuple,
914 u32 type, u_int8_t l3num,
915 struct nf_conntrack_zone *zone,
918 static int ctnetlink_filter_parse_mark(struct ctnetlink_filter_u32 *mark,
919 const struct nlattr * const cda[])
921 #ifdef CONFIG_NF_CONNTRACK_MARK
923 mark->val = ntohl(nla_get_be32(cda[CTA_MARK]));
925 if (cda[CTA_MARK_MASK])
926 mark->mask = ntohl(nla_get_be32(cda[CTA_MARK_MASK]));
928 mark->mask = 0xffffffff;
929 } else if (cda[CTA_MARK_MASK]) {
936 static int ctnetlink_filter_parse_status(struct ctnetlink_filter_u32 *status,
937 const struct nlattr * const cda[])
939 if (cda[CTA_STATUS]) {
940 status->val = ntohl(nla_get_be32(cda[CTA_STATUS]));
941 if (cda[CTA_STATUS_MASK])
942 status->mask = ntohl(nla_get_be32(cda[CTA_STATUS_MASK]));
944 status->mask = status->val;
946 /* status->val == 0? always true, else always false. */
947 if (status->mask == 0)
949 } else if (cda[CTA_STATUS_MASK]) {
953 /* CTA_STATUS is NLA_U32, if this fires UAPI needs to be extended */
954 BUILD_BUG_ON(__IPS_MAX_BIT >= 32);
958 static struct ctnetlink_filter *
959 ctnetlink_alloc_filter(const struct nlattr * const cda[], u8 family)
961 struct ctnetlink_filter *filter;
964 #ifndef CONFIG_NF_CONNTRACK_MARK
965 if (cda[CTA_MARK] || cda[CTA_MARK_MASK])
966 return ERR_PTR(-EOPNOTSUPP);
969 filter = kzalloc(sizeof(*filter), GFP_KERNEL);
971 return ERR_PTR(-ENOMEM);
973 filter->family = family;
975 err = ctnetlink_filter_parse_mark(&filter->mark, cda);
979 err = ctnetlink_filter_parse_status(&filter->status, cda);
983 if (!cda[CTA_FILTER])
986 err = ctnetlink_parse_zone(cda[CTA_ZONE], &filter->zone);
990 err = ctnetlink_parse_filter(cda[CTA_FILTER], filter);
994 if (filter->orig_flags) {
995 if (!cda[CTA_TUPLE_ORIG]) {
1000 err = ctnetlink_parse_tuple_filter(cda, &filter->orig,
1004 filter->orig_flags);
1009 if (filter->reply_flags) {
1010 if (!cda[CTA_TUPLE_REPLY]) {
1015 err = ctnetlink_parse_tuple_filter(cda, &filter->reply,
1019 filter->reply_flags);
1029 return ERR_PTR(err);
1032 static bool ctnetlink_needs_filter(u8 family, const struct nlattr * const *cda)
1034 return family || cda[CTA_MARK] || cda[CTA_FILTER] || cda[CTA_STATUS];
1037 static int ctnetlink_start(struct netlink_callback *cb)
1039 const struct nlattr * const *cda = cb->data;
1040 struct ctnetlink_filter *filter = NULL;
1041 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1042 u8 family = nfmsg->nfgen_family;
1044 if (ctnetlink_needs_filter(family, cda)) {
1045 filter = ctnetlink_alloc_filter(cda, family);
1047 return PTR_ERR(filter);
1054 static int ctnetlink_filter_match_tuple(struct nf_conntrack_tuple *filter_tuple,
1055 struct nf_conntrack_tuple *ct_tuple,
1056 u_int32_t flags, int family)
1060 if ((flags & CTA_FILTER_FLAG(CTA_IP_SRC)) &&
1061 filter_tuple->src.u3.ip != ct_tuple->src.u3.ip)
1064 if ((flags & CTA_FILTER_FLAG(CTA_IP_DST)) &&
1065 filter_tuple->dst.u3.ip != ct_tuple->dst.u3.ip)
1069 if ((flags & CTA_FILTER_FLAG(CTA_IP_SRC)) &&
1070 !ipv6_addr_cmp(&filter_tuple->src.u3.in6,
1071 &ct_tuple->src.u3.in6))
1074 if ((flags & CTA_FILTER_FLAG(CTA_IP_DST)) &&
1075 !ipv6_addr_cmp(&filter_tuple->dst.u3.in6,
1076 &ct_tuple->dst.u3.in6))
1081 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_NUM)) &&
1082 filter_tuple->dst.protonum != ct_tuple->dst.protonum)
1085 switch (ct_tuple->dst.protonum) {
1088 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_SRC_PORT)) &&
1089 filter_tuple->src.u.tcp.port != ct_tuple->src.u.tcp.port)
1092 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_DST_PORT)) &&
1093 filter_tuple->dst.u.tcp.port != ct_tuple->dst.u.tcp.port)
1097 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMP_TYPE)) &&
1098 filter_tuple->dst.u.icmp.type != ct_tuple->dst.u.icmp.type)
1100 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMP_CODE)) &&
1101 filter_tuple->dst.u.icmp.code != ct_tuple->dst.u.icmp.code)
1103 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMP_ID)) &&
1104 filter_tuple->src.u.icmp.id != ct_tuple->src.u.icmp.id)
1107 case IPPROTO_ICMPV6:
1108 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMPV6_TYPE)) &&
1109 filter_tuple->dst.u.icmp.type != ct_tuple->dst.u.icmp.type)
1111 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMPV6_CODE)) &&
1112 filter_tuple->dst.u.icmp.code != ct_tuple->dst.u.icmp.code)
1114 if ((flags & CTA_FILTER_FLAG(CTA_PROTO_ICMPV6_ID)) &&
1115 filter_tuple->src.u.icmp.id != ct_tuple->src.u.icmp.id)
1123 static int ctnetlink_filter_match(struct nf_conn *ct, void *data)
1125 struct ctnetlink_filter *filter = data;
1126 struct nf_conntrack_tuple *tuple;
1132 /* Match entries of a given L3 protocol number.
1133 * If it is not specified, ie. l3proto == 0,
1134 * then match everything.
1136 if (filter->family && nf_ct_l3num(ct) != filter->family)
1139 if (filter->orig_flags) {
1140 tuple = nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL);
1141 if (!ctnetlink_filter_match_tuple(&filter->orig, tuple,
1147 if (filter->reply_flags) {
1148 tuple = nf_ct_tuple(ct, IP_CT_DIR_REPLY);
1149 if (!ctnetlink_filter_match_tuple(&filter->reply, tuple,
1150 filter->reply_flags,
1155 #ifdef CONFIG_NF_CONNTRACK_MARK
1156 if ((READ_ONCE(ct->mark) & filter->mark.mask) != filter->mark.val)
1159 status = (u32)READ_ONCE(ct->status);
1160 if ((status & filter->status.mask) != filter->status.val)
1171 ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
1173 unsigned int flags = cb->data ? NLM_F_DUMP_FILTERED : 0;
1174 struct net *net = sock_net(skb->sk);
1175 struct nf_conn *ct, *last;
1176 struct nf_conntrack_tuple_hash *h;
1177 struct hlist_nulls_node *n;
1178 struct nf_conn *nf_ct_evict[8];
1182 last = (struct nf_conn *)cb->args[1];
1186 for (; cb->args[0] < nf_conntrack_htable_size; cb->args[0]++) {
1190 if (nf_ct_should_gc(nf_ct_evict[i]))
1191 nf_ct_kill(nf_ct_evict[i]);
1192 nf_ct_put(nf_ct_evict[i]);
1195 lockp = &nf_conntrack_locks[cb->args[0] % CONNTRACK_LOCKS];
1196 nf_conntrack_lock(lockp);
1197 if (cb->args[0] >= nf_conntrack_htable_size) {
1201 hlist_nulls_for_each_entry(h, n, &nf_conntrack_hash[cb->args[0]],
1203 if (NF_CT_DIRECTION(h) != IP_CT_DIR_ORIGINAL)
1205 ct = nf_ct_tuplehash_to_ctrack(h);
1206 if (nf_ct_is_expired(ct)) {
1207 if (i < ARRAY_SIZE(nf_ct_evict) &&
1208 refcount_inc_not_zero(&ct->ct_general.use))
1209 nf_ct_evict[i++] = ct;
1213 if (!net_eq(net, nf_ct_net(ct)))
1221 if (!ctnetlink_filter_match(ct, cb->data))
1225 ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).portid,
1227 NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
1230 nf_conntrack_get(&ct->ct_general);
1231 cb->args[1] = (unsigned long)ct;
1245 /* nf ct hash resize happened, now clear the leftover. */
1246 if ((struct nf_conn *)cb->args[1] == last)
1254 if (nf_ct_should_gc(nf_ct_evict[i]))
1255 nf_ct_kill(nf_ct_evict[i]);
1256 nf_ct_put(nf_ct_evict[i]);
1262 static int ipv4_nlattr_to_tuple(struct nlattr *tb[],
1263 struct nf_conntrack_tuple *t,
1266 if (flags & CTA_FILTER_FLAG(CTA_IP_SRC)) {
1267 if (!tb[CTA_IP_V4_SRC])
1270 t->src.u3.ip = nla_get_in_addr(tb[CTA_IP_V4_SRC]);
1273 if (flags & CTA_FILTER_FLAG(CTA_IP_DST)) {
1274 if (!tb[CTA_IP_V4_DST])
1277 t->dst.u3.ip = nla_get_in_addr(tb[CTA_IP_V4_DST]);
1283 static int ipv6_nlattr_to_tuple(struct nlattr *tb[],
1284 struct nf_conntrack_tuple *t,
1287 if (flags & CTA_FILTER_FLAG(CTA_IP_SRC)) {
1288 if (!tb[CTA_IP_V6_SRC])
1291 t->src.u3.in6 = nla_get_in6_addr(tb[CTA_IP_V6_SRC]);
1294 if (flags & CTA_FILTER_FLAG(CTA_IP_DST)) {
1295 if (!tb[CTA_IP_V6_DST])
1298 t->dst.u3.in6 = nla_get_in6_addr(tb[CTA_IP_V6_DST]);
1304 static int ctnetlink_parse_tuple_ip(struct nlattr *attr,
1305 struct nf_conntrack_tuple *tuple,
1308 struct nlattr *tb[CTA_IP_MAX+1];
1311 ret = nla_parse_nested_deprecated(tb, CTA_IP_MAX, attr, NULL, NULL);
1315 ret = nla_validate_nested_deprecated(attr, CTA_IP_MAX,
1316 cta_ip_nla_policy, NULL);
1320 switch (tuple->src.l3num) {
1322 ret = ipv4_nlattr_to_tuple(tb, tuple, flags);
1325 ret = ipv6_nlattr_to_tuple(tb, tuple, flags);
1332 static const struct nla_policy proto_nla_policy[CTA_PROTO_MAX+1] = {
1333 [CTA_PROTO_NUM] = { .type = NLA_U8 },
1336 static int ctnetlink_parse_tuple_proto(struct nlattr *attr,
1337 struct nf_conntrack_tuple *tuple,
1340 const struct nf_conntrack_l4proto *l4proto;
1341 struct nlattr *tb[CTA_PROTO_MAX+1];
1344 ret = nla_parse_nested_deprecated(tb, CTA_PROTO_MAX, attr,
1345 proto_nla_policy, NULL);
1349 if (!(flags & CTA_FILTER_FLAG(CTA_PROTO_NUM)))
1352 if (!tb[CTA_PROTO_NUM])
1355 tuple->dst.protonum = nla_get_u8(tb[CTA_PROTO_NUM]);
1358 l4proto = nf_ct_l4proto_find(tuple->dst.protonum);
1360 if (likely(l4proto->nlattr_to_tuple)) {
1361 ret = nla_validate_nested_deprecated(attr, CTA_PROTO_MAX,
1362 l4proto->nla_policy,
1365 ret = l4proto->nlattr_to_tuple(tb, tuple, flags);
1374 ctnetlink_parse_zone(const struct nlattr *attr,
1375 struct nf_conntrack_zone *zone)
1377 nf_ct_zone_init(zone, NF_CT_DEFAULT_ZONE_ID,
1378 NF_CT_DEFAULT_ZONE_DIR, 0);
1379 #ifdef CONFIG_NF_CONNTRACK_ZONES
1381 zone->id = ntohs(nla_get_be16(attr));
1390 ctnetlink_parse_tuple_zone(struct nlattr *attr, enum ctattr_type type,
1391 struct nf_conntrack_zone *zone)
1395 if (zone->id != NF_CT_DEFAULT_ZONE_ID)
1398 ret = ctnetlink_parse_zone(attr, zone);
1402 if (type == CTA_TUPLE_REPLY)
1403 zone->dir = NF_CT_ZONE_DIR_REPL;
1405 zone->dir = NF_CT_ZONE_DIR_ORIG;
1410 static const struct nla_policy tuple_nla_policy[CTA_TUPLE_MAX+1] = {
1411 [CTA_TUPLE_IP] = { .type = NLA_NESTED },
1412 [CTA_TUPLE_PROTO] = { .type = NLA_NESTED },
1413 [CTA_TUPLE_ZONE] = { .type = NLA_U16 },
1416 #define CTA_FILTER_F_ALL_CTA_PROTO \
1417 (CTA_FILTER_F_CTA_PROTO_SRC_PORT | \
1418 CTA_FILTER_F_CTA_PROTO_DST_PORT | \
1419 CTA_FILTER_F_CTA_PROTO_ICMP_TYPE | \
1420 CTA_FILTER_F_CTA_PROTO_ICMP_CODE | \
1421 CTA_FILTER_F_CTA_PROTO_ICMP_ID | \
1422 CTA_FILTER_F_CTA_PROTO_ICMPV6_TYPE | \
1423 CTA_FILTER_F_CTA_PROTO_ICMPV6_CODE | \
1424 CTA_FILTER_F_CTA_PROTO_ICMPV6_ID)
1427 ctnetlink_parse_tuple_filter(const struct nlattr * const cda[],
1428 struct nf_conntrack_tuple *tuple, u32 type,
1429 u_int8_t l3num, struct nf_conntrack_zone *zone,
1432 struct nlattr *tb[CTA_TUPLE_MAX+1];
1435 memset(tuple, 0, sizeof(*tuple));
1437 err = nla_parse_nested_deprecated(tb, CTA_TUPLE_MAX, cda[type],
1438 tuple_nla_policy, NULL);
1442 if (l3num != NFPROTO_IPV4 && l3num != NFPROTO_IPV6)
1444 tuple->src.l3num = l3num;
1446 if (flags & CTA_FILTER_FLAG(CTA_IP_DST) ||
1447 flags & CTA_FILTER_FLAG(CTA_IP_SRC)) {
1448 if (!tb[CTA_TUPLE_IP])
1451 err = ctnetlink_parse_tuple_ip(tb[CTA_TUPLE_IP], tuple, flags);
1456 if (flags & CTA_FILTER_FLAG(CTA_PROTO_NUM)) {
1457 if (!tb[CTA_TUPLE_PROTO])
1460 err = ctnetlink_parse_tuple_proto(tb[CTA_TUPLE_PROTO], tuple, flags);
1463 } else if (flags & CTA_FILTER_FLAG(ALL_CTA_PROTO)) {
1464 /* Can't manage proto flags without a protonum */
1468 if ((flags & CTA_FILTER_FLAG(CTA_TUPLE_ZONE)) && tb[CTA_TUPLE_ZONE]) {
1472 err = ctnetlink_parse_tuple_zone(tb[CTA_TUPLE_ZONE],
1478 /* orig and expect tuples get DIR_ORIGINAL */
1479 if (type == CTA_TUPLE_REPLY)
1480 tuple->dst.dir = IP_CT_DIR_REPLY;
1482 tuple->dst.dir = IP_CT_DIR_ORIGINAL;
1488 ctnetlink_parse_tuple(const struct nlattr * const cda[],
1489 struct nf_conntrack_tuple *tuple, u32 type,
1490 u_int8_t l3num, struct nf_conntrack_zone *zone)
1492 return ctnetlink_parse_tuple_filter(cda, tuple, type, l3num, zone,
1493 CTA_FILTER_FLAG(ALL));
1496 static const struct nla_policy help_nla_policy[CTA_HELP_MAX+1] = {
1497 [CTA_HELP_NAME] = { .type = NLA_NUL_STRING,
1498 .len = NF_CT_HELPER_NAME_LEN - 1 },
1501 static int ctnetlink_parse_help(const struct nlattr *attr, char **helper_name,
1502 struct nlattr **helpinfo)
1505 struct nlattr *tb[CTA_HELP_MAX+1];
1507 err = nla_parse_nested_deprecated(tb, CTA_HELP_MAX, attr,
1508 help_nla_policy, NULL);
1512 if (!tb[CTA_HELP_NAME])
1515 *helper_name = nla_data(tb[CTA_HELP_NAME]);
1517 if (tb[CTA_HELP_INFO])
1518 *helpinfo = tb[CTA_HELP_INFO];
1523 static const struct nla_policy ct_nla_policy[CTA_MAX+1] = {
1524 [CTA_TUPLE_ORIG] = { .type = NLA_NESTED },
1525 [CTA_TUPLE_REPLY] = { .type = NLA_NESTED },
1526 [CTA_STATUS] = { .type = NLA_U32 },
1527 [CTA_PROTOINFO] = { .type = NLA_NESTED },
1528 [CTA_HELP] = { .type = NLA_NESTED },
1529 [CTA_NAT_SRC] = { .type = NLA_NESTED },
1530 [CTA_TIMEOUT] = { .type = NLA_U32 },
1531 [CTA_MARK] = { .type = NLA_U32 },
1532 [CTA_ID] = { .type = NLA_U32 },
1533 [CTA_NAT_DST] = { .type = NLA_NESTED },
1534 [CTA_TUPLE_MASTER] = { .type = NLA_NESTED },
1535 [CTA_NAT_SEQ_ADJ_ORIG] = { .type = NLA_NESTED },
1536 [CTA_NAT_SEQ_ADJ_REPLY] = { .type = NLA_NESTED },
1537 [CTA_ZONE] = { .type = NLA_U16 },
1538 [CTA_MARK_MASK] = { .type = NLA_U32 },
1539 [CTA_LABELS] = { .type = NLA_BINARY,
1540 .len = NF_CT_LABELS_MAX_SIZE },
1541 [CTA_LABELS_MASK] = { .type = NLA_BINARY,
1542 .len = NF_CT_LABELS_MAX_SIZE },
1543 [CTA_FILTER] = { .type = NLA_NESTED },
1544 [CTA_STATUS_MASK] = { .type = NLA_U32 },
1547 static int ctnetlink_flush_iterate(struct nf_conn *ct, void *data)
1549 if (test_bit(IPS_OFFLOAD_BIT, &ct->status))
1552 return ctnetlink_filter_match(ct, data);
1555 static int ctnetlink_flush_conntrack(struct net *net,
1556 const struct nlattr * const cda[],
1557 u32 portid, int report, u8 family)
1559 struct ctnetlink_filter *filter = NULL;
1561 if (ctnetlink_needs_filter(family, cda)) {
1562 if (cda[CTA_FILTER])
1565 filter = ctnetlink_alloc_filter(cda, family);
1567 return PTR_ERR(filter);
1570 nf_ct_iterate_cleanup_net(net, ctnetlink_flush_iterate, filter,
1577 static int ctnetlink_del_conntrack(struct sk_buff *skb,
1578 const struct nfnl_info *info,
1579 const struct nlattr * const cda[])
1581 u8 family = info->nfmsg->nfgen_family;
1582 struct nf_conntrack_tuple_hash *h;
1583 struct nf_conntrack_tuple tuple;
1584 struct nf_conntrack_zone zone;
1588 err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone);
1592 if (cda[CTA_TUPLE_ORIG])
1593 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG,
1595 else if (cda[CTA_TUPLE_REPLY])
1596 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY,
1599 u_int8_t u3 = info->nfmsg->version ? family : AF_UNSPEC;
1601 return ctnetlink_flush_conntrack(info->net, cda,
1602 NETLINK_CB(skb).portid,
1603 nlmsg_report(info->nlh), u3);
1609 h = nf_conntrack_find_get(info->net, &zone, &tuple);
1613 ct = nf_ct_tuplehash_to_ctrack(h);
1615 if (test_bit(IPS_OFFLOAD_BIT, &ct->status)) {
1621 __be32 id = nla_get_be32(cda[CTA_ID]);
1623 if (id != (__force __be32)nf_ct_get_id(ct)) {
1629 nf_ct_delete(ct, NETLINK_CB(skb).portid, nlmsg_report(info->nlh));
1635 static int ctnetlink_get_conntrack(struct sk_buff *skb,
1636 const struct nfnl_info *info,
1637 const struct nlattr * const cda[])
1639 u_int8_t u3 = info->nfmsg->nfgen_family;
1640 struct nf_conntrack_tuple_hash *h;
1641 struct nf_conntrack_tuple tuple;
1642 struct nf_conntrack_zone zone;
1643 struct sk_buff *skb2;
1647 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
1648 struct netlink_dump_control c = {
1649 .start = ctnetlink_start,
1650 .dump = ctnetlink_dump_table,
1651 .done = ctnetlink_done,
1652 .data = (void *)cda,
1655 return netlink_dump_start(info->sk, skb, info->nlh, &c);
1658 err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone);
1662 if (cda[CTA_TUPLE_ORIG])
1663 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG,
1665 else if (cda[CTA_TUPLE_REPLY])
1666 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY,
1674 h = nf_conntrack_find_get(info->net, &zone, &tuple);
1678 ct = nf_ct_tuplehash_to_ctrack(h);
1680 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1686 err = ctnetlink_fill_info(skb2, NETLINK_CB(skb).portid,
1687 info->nlh->nlmsg_seq,
1688 NFNL_MSG_TYPE(info->nlh->nlmsg_type), ct,
1696 return nfnetlink_unicast(skb2, info->net, NETLINK_CB(skb).portid);
1699 static int ctnetlink_done_list(struct netlink_callback *cb)
1702 nf_ct_put((struct nf_conn *)cb->args[1]);
1707 ctnetlink_dump_list(struct sk_buff *skb, struct netlink_callback *cb, bool dying)
1709 struct nf_conn *ct, *last;
1710 struct nf_conntrack_tuple_hash *h;
1711 struct hlist_nulls_node *n;
1712 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1713 u_int8_t l3proto = nfmsg->nfgen_family;
1716 struct hlist_nulls_head *list;
1717 struct net *net = sock_net(skb->sk);
1722 last = (struct nf_conn *)cb->args[1];
1724 for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) {
1725 struct ct_pcpu *pcpu;
1727 if (!cpu_possible(cpu))
1730 pcpu = per_cpu_ptr(net->ct.pcpu_lists, cpu);
1731 spin_lock_bh(&pcpu->lock);
1732 list = dying ? &pcpu->dying : &pcpu->unconfirmed;
1734 hlist_nulls_for_each_entry(h, n, list, hnnode) {
1735 ct = nf_ct_tuplehash_to_ctrack(h);
1736 if (l3proto && nf_ct_l3num(ct) != l3proto)
1744 /* We can't dump extension info for the unconfirmed
1745 * list because unconfirmed conntracks can have
1746 * ct->ext reallocated (and thus freed).
1748 * In the dying list case ct->ext can't be free'd
1749 * until after we drop pcpu->lock.
1751 res = ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).portid,
1753 NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
1754 ct, dying ? true : false, 0);
1756 if (!refcount_inc_not_zero(&ct->ct_general.use))
1759 cb->args[1] = (unsigned long)ct;
1760 spin_unlock_bh(&pcpu->lock);
1768 spin_unlock_bh(&pcpu->lock);
1779 ctnetlink_dump_dying(struct sk_buff *skb, struct netlink_callback *cb)
1781 return ctnetlink_dump_list(skb, cb, true);
1784 static int ctnetlink_get_ct_dying(struct sk_buff *skb,
1785 const struct nfnl_info *info,
1786 const struct nlattr * const cda[])
1788 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
1789 struct netlink_dump_control c = {
1790 .dump = ctnetlink_dump_dying,
1791 .done = ctnetlink_done_list,
1793 return netlink_dump_start(info->sk, skb, info->nlh, &c);
1800 ctnetlink_dump_unconfirmed(struct sk_buff *skb, struct netlink_callback *cb)
1802 return ctnetlink_dump_list(skb, cb, false);
1805 static int ctnetlink_get_ct_unconfirmed(struct sk_buff *skb,
1806 const struct nfnl_info *info,
1807 const struct nlattr * const cda[])
1809 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
1810 struct netlink_dump_control c = {
1811 .dump = ctnetlink_dump_unconfirmed,
1812 .done = ctnetlink_done_list,
1814 return netlink_dump_start(info->sk, skb, info->nlh, &c);
1820 #if IS_ENABLED(CONFIG_NF_NAT)
1822 ctnetlink_parse_nat_setup(struct nf_conn *ct,
1823 enum nf_nat_manip_type manip,
1824 const struct nlattr *attr)
1827 struct nf_nat_hook *nat_hook;
1830 nat_hook = rcu_dereference(nf_nat_hook);
1832 #ifdef CONFIG_MODULES
1834 nfnl_unlock(NFNL_SUBSYS_CTNETLINK);
1835 if (request_module("nf-nat") < 0) {
1836 nfnl_lock(NFNL_SUBSYS_CTNETLINK);
1840 nfnl_lock(NFNL_SUBSYS_CTNETLINK);
1842 nat_hook = rcu_dereference(nf_nat_hook);
1849 err = nat_hook->parse_nat_setup(ct, manip, attr);
1850 if (err == -EAGAIN) {
1851 #ifdef CONFIG_MODULES
1853 nfnl_unlock(NFNL_SUBSYS_CTNETLINK);
1854 if (request_module("nf-nat-%u", nf_ct_l3num(ct)) < 0) {
1855 nfnl_lock(NFNL_SUBSYS_CTNETLINK);
1859 nfnl_lock(NFNL_SUBSYS_CTNETLINK);
1870 __ctnetlink_change_status(struct nf_conn *ct, unsigned long on,
1875 /* Ignore these unchangable bits */
1876 on &= ~IPS_UNCHANGEABLE_MASK;
1877 off &= ~IPS_UNCHANGEABLE_MASK;
1879 for (bit = 0; bit < __IPS_MAX_BIT; bit++) {
1880 if (on & (1 << bit))
1881 set_bit(bit, &ct->status);
1882 else if (off & (1 << bit))
1883 clear_bit(bit, &ct->status);
1888 ctnetlink_change_status(struct nf_conn *ct, const struct nlattr * const cda[])
1891 unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS]));
1892 d = ct->status ^ status;
1894 if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING))
1898 if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY))
1899 /* SEEN_REPLY bit can only be set */
1902 if (d & IPS_ASSURED && !(status & IPS_ASSURED))
1903 /* ASSURED bit can only be set */
1906 __ctnetlink_change_status(ct, status, 0);
1911 ctnetlink_setup_nat(struct nf_conn *ct, const struct nlattr * const cda[])
1913 #if IS_ENABLED(CONFIG_NF_NAT)
1916 if (!cda[CTA_NAT_DST] && !cda[CTA_NAT_SRC])
1919 ret = ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_DST,
1924 return ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_SRC,
1927 if (!cda[CTA_NAT_DST] && !cda[CTA_NAT_SRC])
1933 static int ctnetlink_change_helper(struct nf_conn *ct,
1934 const struct nlattr * const cda[])
1936 struct nf_conntrack_helper *helper;
1937 struct nf_conn_help *help = nfct_help(ct);
1938 char *helpname = NULL;
1939 struct nlattr *helpinfo = NULL;
1942 err = ctnetlink_parse_help(cda[CTA_HELP], &helpname, &helpinfo);
1946 /* don't change helper of sibling connections */
1948 /* If we try to change the helper to the same thing twice,
1949 * treat the second attempt as a no-op instead of returning
1955 helper = rcu_dereference(help->helper);
1956 if (helper && !strcmp(helper->name, helpname))
1964 if (!strcmp(helpname, "")) {
1965 if (help && help->helper) {
1966 /* we had a helper before ... */
1967 nf_ct_remove_expectations(ct);
1968 RCU_INIT_POINTER(help->helper, NULL);
1975 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
1976 nf_ct_protonum(ct));
1977 if (helper == NULL) {
1983 if (help->helper == helper) {
1984 /* update private helper data if allowed. */
1985 if (helper->from_nlattr)
1986 helper->from_nlattr(helpinfo, ct);
1991 /* we cannot set a helper for an existing conntrack */
1999 static int ctnetlink_change_timeout(struct nf_conn *ct,
2000 const struct nlattr * const cda[])
2002 u64 timeout = (u64)ntohl(nla_get_be32(cda[CTA_TIMEOUT])) * HZ;
2004 if (timeout > INT_MAX)
2006 WRITE_ONCE(ct->timeout, nfct_time_stamp + (u32)timeout);
2008 if (test_bit(IPS_DYING_BIT, &ct->status))
2014 #if defined(CONFIG_NF_CONNTRACK_MARK)
2015 static void ctnetlink_change_mark(struct nf_conn *ct,
2016 const struct nlattr * const cda[])
2018 u32 mark, newmark, mask = 0;
2020 if (cda[CTA_MARK_MASK])
2021 mask = ~ntohl(nla_get_be32(cda[CTA_MARK_MASK]));
2023 mark = ntohl(nla_get_be32(cda[CTA_MARK]));
2024 newmark = (READ_ONCE(ct->mark) & mask) ^ mark;
2025 if (newmark != READ_ONCE(ct->mark))
2026 WRITE_ONCE(ct->mark, newmark);
2030 static const struct nla_policy protoinfo_policy[CTA_PROTOINFO_MAX+1] = {
2031 [CTA_PROTOINFO_TCP] = { .type = NLA_NESTED },
2032 [CTA_PROTOINFO_DCCP] = { .type = NLA_NESTED },
2033 [CTA_PROTOINFO_SCTP] = { .type = NLA_NESTED },
2036 static int ctnetlink_change_protoinfo(struct nf_conn *ct,
2037 const struct nlattr * const cda[])
2039 const struct nlattr *attr = cda[CTA_PROTOINFO];
2040 const struct nf_conntrack_l4proto *l4proto;
2041 struct nlattr *tb[CTA_PROTOINFO_MAX+1];
2044 err = nla_parse_nested_deprecated(tb, CTA_PROTOINFO_MAX, attr,
2045 protoinfo_policy, NULL);
2049 l4proto = nf_ct_l4proto_find(nf_ct_protonum(ct));
2050 if (l4proto->from_nlattr)
2051 err = l4proto->from_nlattr(tb, ct);
2056 static const struct nla_policy seqadj_policy[CTA_SEQADJ_MAX+1] = {
2057 [CTA_SEQADJ_CORRECTION_POS] = { .type = NLA_U32 },
2058 [CTA_SEQADJ_OFFSET_BEFORE] = { .type = NLA_U32 },
2059 [CTA_SEQADJ_OFFSET_AFTER] = { .type = NLA_U32 },
2062 static int change_seq_adj(struct nf_ct_seqadj *seq,
2063 const struct nlattr * const attr)
2066 struct nlattr *cda[CTA_SEQADJ_MAX+1];
2068 err = nla_parse_nested_deprecated(cda, CTA_SEQADJ_MAX, attr,
2069 seqadj_policy, NULL);
2073 if (!cda[CTA_SEQADJ_CORRECTION_POS])
2076 seq->correction_pos =
2077 ntohl(nla_get_be32(cda[CTA_SEQADJ_CORRECTION_POS]));
2079 if (!cda[CTA_SEQADJ_OFFSET_BEFORE])
2082 seq->offset_before =
2083 ntohl(nla_get_be32(cda[CTA_SEQADJ_OFFSET_BEFORE]));
2085 if (!cda[CTA_SEQADJ_OFFSET_AFTER])
2089 ntohl(nla_get_be32(cda[CTA_SEQADJ_OFFSET_AFTER]));
2095 ctnetlink_change_seq_adj(struct nf_conn *ct,
2096 const struct nlattr * const cda[])
2098 struct nf_conn_seqadj *seqadj = nfct_seqadj(ct);
2104 spin_lock_bh(&ct->lock);
2105 if (cda[CTA_SEQ_ADJ_ORIG]) {
2106 ret = change_seq_adj(&seqadj->seq[IP_CT_DIR_ORIGINAL],
2107 cda[CTA_SEQ_ADJ_ORIG]);
2111 set_bit(IPS_SEQ_ADJUST_BIT, &ct->status);
2114 if (cda[CTA_SEQ_ADJ_REPLY]) {
2115 ret = change_seq_adj(&seqadj->seq[IP_CT_DIR_REPLY],
2116 cda[CTA_SEQ_ADJ_REPLY]);
2120 set_bit(IPS_SEQ_ADJUST_BIT, &ct->status);
2123 spin_unlock_bh(&ct->lock);
2126 spin_unlock_bh(&ct->lock);
2130 static const struct nla_policy synproxy_policy[CTA_SYNPROXY_MAX + 1] = {
2131 [CTA_SYNPROXY_ISN] = { .type = NLA_U32 },
2132 [CTA_SYNPROXY_ITS] = { .type = NLA_U32 },
2133 [CTA_SYNPROXY_TSOFF] = { .type = NLA_U32 },
2136 static int ctnetlink_change_synproxy(struct nf_conn *ct,
2137 const struct nlattr * const cda[])
2139 struct nf_conn_synproxy *synproxy = nfct_synproxy(ct);
2140 struct nlattr *tb[CTA_SYNPROXY_MAX + 1];
2146 err = nla_parse_nested_deprecated(tb, CTA_SYNPROXY_MAX,
2147 cda[CTA_SYNPROXY], synproxy_policy,
2152 if (!tb[CTA_SYNPROXY_ISN] ||
2153 !tb[CTA_SYNPROXY_ITS] ||
2154 !tb[CTA_SYNPROXY_TSOFF])
2157 synproxy->isn = ntohl(nla_get_be32(tb[CTA_SYNPROXY_ISN]));
2158 synproxy->its = ntohl(nla_get_be32(tb[CTA_SYNPROXY_ITS]));
2159 synproxy->tsoff = ntohl(nla_get_be32(tb[CTA_SYNPROXY_TSOFF]));
2165 ctnetlink_attach_labels(struct nf_conn *ct, const struct nlattr * const cda[])
2167 #ifdef CONFIG_NF_CONNTRACK_LABELS
2168 size_t len = nla_len(cda[CTA_LABELS]);
2169 const void *mask = cda[CTA_LABELS_MASK];
2171 if (len & (sizeof(u32)-1)) /* must be multiple of u32 */
2175 if (nla_len(cda[CTA_LABELS_MASK]) == 0 ||
2176 nla_len(cda[CTA_LABELS_MASK]) != len)
2178 mask = nla_data(cda[CTA_LABELS_MASK]);
2183 return nf_connlabels_replace(ct, nla_data(cda[CTA_LABELS]), mask, len);
2190 ctnetlink_change_conntrack(struct nf_conn *ct,
2191 const struct nlattr * const cda[])
2195 /* only allow NAT changes and master assignation for new conntracks */
2196 if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST] || cda[CTA_TUPLE_MASTER])
2199 if (cda[CTA_HELP]) {
2200 err = ctnetlink_change_helper(ct, cda);
2205 if (cda[CTA_TIMEOUT]) {
2206 err = ctnetlink_change_timeout(ct, cda);
2211 if (cda[CTA_STATUS]) {
2212 err = ctnetlink_change_status(ct, cda);
2217 if (cda[CTA_PROTOINFO]) {
2218 err = ctnetlink_change_protoinfo(ct, cda);
2223 #if defined(CONFIG_NF_CONNTRACK_MARK)
2225 ctnetlink_change_mark(ct, cda);
2228 if (cda[CTA_SEQ_ADJ_ORIG] || cda[CTA_SEQ_ADJ_REPLY]) {
2229 err = ctnetlink_change_seq_adj(ct, cda);
2234 if (cda[CTA_SYNPROXY]) {
2235 err = ctnetlink_change_synproxy(ct, cda);
2240 if (cda[CTA_LABELS]) {
2241 err = ctnetlink_attach_labels(ct, cda);
2249 static struct nf_conn *
2250 ctnetlink_create_conntrack(struct net *net,
2251 const struct nf_conntrack_zone *zone,
2252 const struct nlattr * const cda[],
2253 struct nf_conntrack_tuple *otuple,
2254 struct nf_conntrack_tuple *rtuple,
2259 struct nf_conntrack_helper *helper;
2260 struct nf_conn_tstamp *tstamp;
2263 ct = nf_conntrack_alloc(net, zone, otuple, rtuple, GFP_ATOMIC);
2265 return ERR_PTR(-ENOMEM);
2267 if (!cda[CTA_TIMEOUT])
2270 timeout = (u64)ntohl(nla_get_be32(cda[CTA_TIMEOUT])) * HZ;
2271 if (timeout > INT_MAX)
2273 ct->timeout = (u32)timeout + nfct_time_stamp;
2276 if (cda[CTA_HELP]) {
2277 char *helpname = NULL;
2278 struct nlattr *helpinfo = NULL;
2280 err = ctnetlink_parse_help(cda[CTA_HELP], &helpname, &helpinfo);
2284 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
2285 nf_ct_protonum(ct));
2286 if (helper == NULL) {
2288 #ifdef CONFIG_MODULES
2289 if (request_module("nfct-helper-%s", helpname) < 0) {
2295 helper = __nf_conntrack_helper_find(helpname,
2297 nf_ct_protonum(ct));
2307 struct nf_conn_help *help;
2309 help = nf_ct_helper_ext_add(ct, GFP_ATOMIC);
2314 /* set private helper data if allowed. */
2315 if (helper->from_nlattr)
2316 helper->from_nlattr(helpinfo, ct);
2318 /* disable helper auto-assignment for this entry */
2319 ct->status |= IPS_HELPER;
2320 RCU_INIT_POINTER(help->helper, helper);
2323 /* try an implicit helper assignation */
2324 err = __nf_ct_try_assign_helper(ct, NULL, GFP_ATOMIC);
2329 err = ctnetlink_setup_nat(ct, cda);
2333 nf_ct_acct_ext_add(ct, GFP_ATOMIC);
2334 nf_ct_tstamp_ext_add(ct, GFP_ATOMIC);
2335 nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC);
2336 nf_ct_labels_ext_add(ct);
2337 nfct_seqadj_ext_add(ct);
2338 nfct_synproxy_ext_add(ct);
2340 /* we must add conntrack extensions before confirmation. */
2341 ct->status |= IPS_CONFIRMED;
2343 if (cda[CTA_STATUS]) {
2344 err = ctnetlink_change_status(ct, cda);
2349 if (cda[CTA_SEQ_ADJ_ORIG] || cda[CTA_SEQ_ADJ_REPLY]) {
2350 err = ctnetlink_change_seq_adj(ct, cda);
2355 memset(&ct->proto, 0, sizeof(ct->proto));
2356 if (cda[CTA_PROTOINFO]) {
2357 err = ctnetlink_change_protoinfo(ct, cda);
2362 if (cda[CTA_SYNPROXY]) {
2363 err = ctnetlink_change_synproxy(ct, cda);
2368 #if defined(CONFIG_NF_CONNTRACK_MARK)
2370 ctnetlink_change_mark(ct, cda);
2373 /* setup master conntrack: this is a confirmed expectation */
2374 if (cda[CTA_TUPLE_MASTER]) {
2375 struct nf_conntrack_tuple master;
2376 struct nf_conntrack_tuple_hash *master_h;
2377 struct nf_conn *master_ct;
2379 err = ctnetlink_parse_tuple(cda, &master, CTA_TUPLE_MASTER,
2384 master_h = nf_conntrack_find_get(net, zone, &master);
2385 if (master_h == NULL) {
2389 master_ct = nf_ct_tuplehash_to_ctrack(master_h);
2390 __set_bit(IPS_EXPECTED_BIT, &ct->status);
2391 ct->master = master_ct;
2393 tstamp = nf_conn_tstamp_find(ct);
2395 tstamp->start = ktime_get_real_ns();
2397 err = nf_conntrack_hash_check_insert(ct);
2408 nf_conntrack_free(ct);
2409 return ERR_PTR(err);
2412 static int ctnetlink_new_conntrack(struct sk_buff *skb,
2413 const struct nfnl_info *info,
2414 const struct nlattr * const cda[])
2416 struct nf_conntrack_tuple otuple, rtuple;
2417 struct nf_conntrack_tuple_hash *h = NULL;
2418 u_int8_t u3 = info->nfmsg->nfgen_family;
2419 struct nf_conntrack_zone zone;
2423 err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone);
2427 if (cda[CTA_TUPLE_ORIG]) {
2428 err = ctnetlink_parse_tuple(cda, &otuple, CTA_TUPLE_ORIG,
2434 if (cda[CTA_TUPLE_REPLY]) {
2435 err = ctnetlink_parse_tuple(cda, &rtuple, CTA_TUPLE_REPLY,
2441 if (cda[CTA_TUPLE_ORIG])
2442 h = nf_conntrack_find_get(info->net, &zone, &otuple);
2443 else if (cda[CTA_TUPLE_REPLY])
2444 h = nf_conntrack_find_get(info->net, &zone, &rtuple);
2448 if (info->nlh->nlmsg_flags & NLM_F_CREATE) {
2449 enum ip_conntrack_events events;
2451 if (!cda[CTA_TUPLE_ORIG] || !cda[CTA_TUPLE_REPLY])
2453 if (otuple.dst.protonum != rtuple.dst.protonum)
2456 ct = ctnetlink_create_conntrack(info->net, &zone, cda,
2457 &otuple, &rtuple, u3);
2462 if (test_bit(IPS_EXPECTED_BIT, &ct->status))
2463 events = 1 << IPCT_RELATED;
2465 events = 1 << IPCT_NEW;
2467 if (cda[CTA_LABELS] &&
2468 ctnetlink_attach_labels(ct, cda) == 0)
2469 events |= (1 << IPCT_LABEL);
2471 nf_conntrack_eventmask_report((1 << IPCT_REPLY) |
2472 (1 << IPCT_ASSURED) |
2473 (1 << IPCT_HELPER) |
2474 (1 << IPCT_PROTOINFO) |
2475 (1 << IPCT_SEQADJ) |
2477 (1 << IPCT_SYNPROXY) |
2479 ct, NETLINK_CB(skb).portid,
2480 nlmsg_report(info->nlh));
2486 /* implicit 'else' */
2489 ct = nf_ct_tuplehash_to_ctrack(h);
2490 if (!(info->nlh->nlmsg_flags & NLM_F_EXCL)) {
2491 err = ctnetlink_change_conntrack(ct, cda);
2493 nf_conntrack_eventmask_report((1 << IPCT_REPLY) |
2494 (1 << IPCT_ASSURED) |
2495 (1 << IPCT_HELPER) |
2497 (1 << IPCT_PROTOINFO) |
2498 (1 << IPCT_SEQADJ) |
2500 (1 << IPCT_SYNPROXY),
2501 ct, NETLINK_CB(skb).portid,
2502 nlmsg_report(info->nlh));
2511 ctnetlink_ct_stat_cpu_fill_info(struct sk_buff *skb, u32 portid, u32 seq,
2512 __u16 cpu, const struct ip_conntrack_stat *st)
2514 struct nlmsghdr *nlh;
2515 unsigned int flags = portid ? NLM_F_MULTI : 0, event;
2517 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK,
2518 IPCTNL_MSG_CT_GET_STATS_CPU);
2519 nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC,
2520 NFNETLINK_V0, htons(cpu));
2524 if (nla_put_be32(skb, CTA_STATS_FOUND, htonl(st->found)) ||
2525 nla_put_be32(skb, CTA_STATS_INVALID, htonl(st->invalid)) ||
2526 nla_put_be32(skb, CTA_STATS_INSERT, htonl(st->insert)) ||
2527 nla_put_be32(skb, CTA_STATS_INSERT_FAILED,
2528 htonl(st->insert_failed)) ||
2529 nla_put_be32(skb, CTA_STATS_DROP, htonl(st->drop)) ||
2530 nla_put_be32(skb, CTA_STATS_EARLY_DROP, htonl(st->early_drop)) ||
2531 nla_put_be32(skb, CTA_STATS_ERROR, htonl(st->error)) ||
2532 nla_put_be32(skb, CTA_STATS_SEARCH_RESTART,
2533 htonl(st->search_restart)) ||
2534 nla_put_be32(skb, CTA_STATS_CLASH_RESOLVE,
2535 htonl(st->clash_resolve)) ||
2536 nla_put_be32(skb, CTA_STATS_CHAIN_TOOLONG,
2537 htonl(st->chaintoolong)))
2538 goto nla_put_failure;
2540 nlmsg_end(skb, nlh);
2545 nlmsg_cancel(skb, nlh);
2550 ctnetlink_ct_stat_cpu_dump(struct sk_buff *skb, struct netlink_callback *cb)
2553 struct net *net = sock_net(skb->sk);
2555 if (cb->args[0] == nr_cpu_ids)
2558 for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) {
2559 const struct ip_conntrack_stat *st;
2561 if (!cpu_possible(cpu))
2564 st = per_cpu_ptr(net->ct.stat, cpu);
2565 if (ctnetlink_ct_stat_cpu_fill_info(skb,
2566 NETLINK_CB(cb->skb).portid,
2576 static int ctnetlink_stat_ct_cpu(struct sk_buff *skb,
2577 const struct nfnl_info *info,
2578 const struct nlattr * const cda[])
2580 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
2581 struct netlink_dump_control c = {
2582 .dump = ctnetlink_ct_stat_cpu_dump,
2584 return netlink_dump_start(info->sk, skb, info->nlh, &c);
2591 ctnetlink_stat_ct_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
2594 unsigned int flags = portid ? NLM_F_MULTI : 0, event;
2595 unsigned int nr_conntracks;
2596 struct nlmsghdr *nlh;
2598 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, IPCTNL_MSG_CT_GET_STATS);
2599 nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC,
2604 nr_conntracks = nf_conntrack_count(net);
2605 if (nla_put_be32(skb, CTA_STATS_GLOBAL_ENTRIES, htonl(nr_conntracks)))
2606 goto nla_put_failure;
2608 if (nla_put_be32(skb, CTA_STATS_GLOBAL_MAX_ENTRIES, htonl(nf_conntrack_max)))
2609 goto nla_put_failure;
2611 nlmsg_end(skb, nlh);
2616 nlmsg_cancel(skb, nlh);
2620 static int ctnetlink_stat_ct(struct sk_buff *skb, const struct nfnl_info *info,
2621 const struct nlattr * const cda[])
2623 struct sk_buff *skb2;
2626 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2630 err = ctnetlink_stat_ct_fill_info(skb2, NETLINK_CB(skb).portid,
2631 info->nlh->nlmsg_seq,
2632 NFNL_MSG_TYPE(info->nlh->nlmsg_type),
2639 return nfnetlink_unicast(skb2, info->net, NETLINK_CB(skb).portid);
2642 static const struct nla_policy exp_nla_policy[CTA_EXPECT_MAX+1] = {
2643 [CTA_EXPECT_MASTER] = { .type = NLA_NESTED },
2644 [CTA_EXPECT_TUPLE] = { .type = NLA_NESTED },
2645 [CTA_EXPECT_MASK] = { .type = NLA_NESTED },
2646 [CTA_EXPECT_TIMEOUT] = { .type = NLA_U32 },
2647 [CTA_EXPECT_ID] = { .type = NLA_U32 },
2648 [CTA_EXPECT_HELP_NAME] = { .type = NLA_NUL_STRING,
2649 .len = NF_CT_HELPER_NAME_LEN - 1 },
2650 [CTA_EXPECT_ZONE] = { .type = NLA_U16 },
2651 [CTA_EXPECT_FLAGS] = { .type = NLA_U32 },
2652 [CTA_EXPECT_CLASS] = { .type = NLA_U32 },
2653 [CTA_EXPECT_NAT] = { .type = NLA_NESTED },
2654 [CTA_EXPECT_FN] = { .type = NLA_NUL_STRING },
2657 static struct nf_conntrack_expect *
2658 ctnetlink_alloc_expect(const struct nlattr *const cda[], struct nf_conn *ct,
2659 struct nf_conntrack_helper *helper,
2660 struct nf_conntrack_tuple *tuple,
2661 struct nf_conntrack_tuple *mask);
2663 #ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT
2665 ctnetlink_glue_build_size(const struct nf_conn *ct)
2667 return 3 * nla_total_size(0) /* CTA_TUPLE_ORIG|REPL|MASTER */
2668 + 3 * nla_total_size(0) /* CTA_TUPLE_IP */
2669 + 3 * nla_total_size(0) /* CTA_TUPLE_PROTO */
2670 + 3 * nla_total_size(sizeof(u_int8_t)) /* CTA_PROTO_NUM */
2671 + nla_total_size(sizeof(u_int32_t)) /* CTA_ID */
2672 + nla_total_size(sizeof(u_int32_t)) /* CTA_STATUS */
2673 + nla_total_size(sizeof(u_int32_t)) /* CTA_TIMEOUT */
2674 + nla_total_size(0) /* CTA_PROTOINFO */
2675 + nla_total_size(0) /* CTA_HELP */
2676 + nla_total_size(NF_CT_HELPER_NAME_LEN) /* CTA_HELP_NAME */
2677 + ctnetlink_secctx_size(ct)
2678 + ctnetlink_acct_size(ct)
2679 + ctnetlink_timestamp_size(ct)
2680 #if IS_ENABLED(CONFIG_NF_NAT)
2681 + 2 * nla_total_size(0) /* CTA_NAT_SEQ_ADJ_ORIG|REPL */
2682 + 6 * nla_total_size(sizeof(u_int32_t)) /* CTA_NAT_SEQ_OFFSET */
2684 #ifdef CONFIG_NF_CONNTRACK_MARK
2685 + nla_total_size(sizeof(u_int32_t)) /* CTA_MARK */
2687 #ifdef CONFIG_NF_CONNTRACK_ZONES
2688 + nla_total_size(sizeof(u_int16_t)) /* CTA_ZONE|CTA_TUPLE_ZONE */
2690 + ctnetlink_proto_size(ct)
2694 static int __ctnetlink_glue_build(struct sk_buff *skb, struct nf_conn *ct)
2696 const struct nf_conntrack_zone *zone;
2697 struct nlattr *nest_parms;
2699 zone = nf_ct_zone(ct);
2701 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG);
2703 goto nla_put_failure;
2704 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
2705 goto nla_put_failure;
2706 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
2707 NF_CT_ZONE_DIR_ORIG) < 0)
2708 goto nla_put_failure;
2709 nla_nest_end(skb, nest_parms);
2711 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY);
2713 goto nla_put_failure;
2714 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
2715 goto nla_put_failure;
2716 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
2717 NF_CT_ZONE_DIR_REPL) < 0)
2718 goto nla_put_failure;
2719 nla_nest_end(skb, nest_parms);
2721 if (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone,
2722 NF_CT_DEFAULT_ZONE_DIR) < 0)
2723 goto nla_put_failure;
2725 if (ctnetlink_dump_id(skb, ct) < 0)
2726 goto nla_put_failure;
2728 if (ctnetlink_dump_status(skb, ct) < 0)
2729 goto nla_put_failure;
2731 if (ctnetlink_dump_timeout(skb, ct, false) < 0)
2732 goto nla_put_failure;
2734 if (ctnetlink_dump_protoinfo(skb, ct, false) < 0)
2735 goto nla_put_failure;
2737 if (ctnetlink_dump_acct(skb, ct, IPCTNL_MSG_CT_GET) < 0 ||
2738 ctnetlink_dump_timestamp(skb, ct) < 0)
2739 goto nla_put_failure;
2741 if (ctnetlink_dump_helpinfo(skb, ct) < 0)
2742 goto nla_put_failure;
2744 #ifdef CONFIG_NF_CONNTRACK_SECMARK
2745 if (ct->secmark && ctnetlink_dump_secctx(skb, ct) < 0)
2746 goto nla_put_failure;
2748 if (ct->master && ctnetlink_dump_master(skb, ct) < 0)
2749 goto nla_put_failure;
2751 if ((ct->status & IPS_SEQ_ADJUST) &&
2752 ctnetlink_dump_ct_seq_adj(skb, ct) < 0)
2753 goto nla_put_failure;
2755 if (ctnetlink_dump_ct_synproxy(skb, ct) < 0)
2756 goto nla_put_failure;
2758 #ifdef CONFIG_NF_CONNTRACK_MARK
2759 if (ctnetlink_dump_mark(skb, ct) < 0)
2760 goto nla_put_failure;
2762 if (ctnetlink_dump_labels(skb, ct) < 0)
2763 goto nla_put_failure;
2771 ctnetlink_glue_build(struct sk_buff *skb, struct nf_conn *ct,
2772 enum ip_conntrack_info ctinfo,
2773 u_int16_t ct_attr, u_int16_t ct_info_attr)
2775 struct nlattr *nest_parms;
2777 nest_parms = nla_nest_start(skb, ct_attr);
2779 goto nla_put_failure;
2781 if (__ctnetlink_glue_build(skb, ct) < 0)
2782 goto nla_put_failure;
2784 nla_nest_end(skb, nest_parms);
2786 if (nla_put_be32(skb, ct_info_attr, htonl(ctinfo)))
2787 goto nla_put_failure;
2796 ctnetlink_update_status(struct nf_conn *ct, const struct nlattr * const cda[])
2798 unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS]));
2799 unsigned long d = ct->status ^ status;
2801 if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY))
2802 /* SEEN_REPLY bit can only be set */
2805 if (d & IPS_ASSURED && !(status & IPS_ASSURED))
2806 /* ASSURED bit can only be set */
2809 /* This check is less strict than ctnetlink_change_status()
2810 * because callers often flip IPS_EXPECTED bits when sending
2811 * an NFQA_CT attribute to the kernel. So ignore the
2812 * unchangeable bits but do not error out. Also user programs
2813 * are allowed to clear the bits that they are allowed to change.
2815 __ctnetlink_change_status(ct, status, ~status);
2820 ctnetlink_glue_parse_ct(const struct nlattr *cda[], struct nf_conn *ct)
2824 if (cda[CTA_TIMEOUT]) {
2825 err = ctnetlink_change_timeout(ct, cda);
2829 if (cda[CTA_STATUS]) {
2830 err = ctnetlink_update_status(ct, cda);
2834 if (cda[CTA_HELP]) {
2835 err = ctnetlink_change_helper(ct, cda);
2839 if (cda[CTA_LABELS]) {
2840 err = ctnetlink_attach_labels(ct, cda);
2844 #if defined(CONFIG_NF_CONNTRACK_MARK)
2845 if (cda[CTA_MARK]) {
2846 ctnetlink_change_mark(ct, cda);
2853 ctnetlink_glue_parse(const struct nlattr *attr, struct nf_conn *ct)
2855 struct nlattr *cda[CTA_MAX+1];
2858 ret = nla_parse_nested_deprecated(cda, CTA_MAX, attr, ct_nla_policy,
2863 return ctnetlink_glue_parse_ct((const struct nlattr **)cda, ct);
2866 static int ctnetlink_glue_exp_parse(const struct nlattr * const *cda,
2867 const struct nf_conn *ct,
2868 struct nf_conntrack_tuple *tuple,
2869 struct nf_conntrack_tuple *mask)
2873 err = ctnetlink_parse_tuple(cda, tuple, CTA_EXPECT_TUPLE,
2874 nf_ct_l3num(ct), NULL);
2878 return ctnetlink_parse_tuple(cda, mask, CTA_EXPECT_MASK,
2879 nf_ct_l3num(ct), NULL);
2883 ctnetlink_glue_attach_expect(const struct nlattr *attr, struct nf_conn *ct,
2884 u32 portid, u32 report)
2886 struct nlattr *cda[CTA_EXPECT_MAX+1];
2887 struct nf_conntrack_tuple tuple, mask;
2888 struct nf_conntrack_helper *helper = NULL;
2889 struct nf_conntrack_expect *exp;
2892 err = nla_parse_nested_deprecated(cda, CTA_EXPECT_MAX, attr,
2893 exp_nla_policy, NULL);
2897 err = ctnetlink_glue_exp_parse((const struct nlattr * const *)cda,
2902 if (cda[CTA_EXPECT_HELP_NAME]) {
2903 const char *helpname = nla_data(cda[CTA_EXPECT_HELP_NAME]);
2905 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
2906 nf_ct_protonum(ct));
2911 exp = ctnetlink_alloc_expect((const struct nlattr * const *)cda, ct,
2912 helper, &tuple, &mask);
2914 return PTR_ERR(exp);
2916 err = nf_ct_expect_related_report(exp, portid, report, 0);
2917 nf_ct_expect_put(exp);
2921 static void ctnetlink_glue_seqadj(struct sk_buff *skb, struct nf_conn *ct,
2922 enum ip_conntrack_info ctinfo, int diff)
2924 if (!(ct->status & IPS_NAT_MASK))
2927 nf_ct_tcp_seqadj_set(skb, ct, ctinfo, diff);
2930 static struct nfnl_ct_hook ctnetlink_glue_hook = {
2931 .build_size = ctnetlink_glue_build_size,
2932 .build = ctnetlink_glue_build,
2933 .parse = ctnetlink_glue_parse,
2934 .attach_expect = ctnetlink_glue_attach_expect,
2935 .seq_adjust = ctnetlink_glue_seqadj,
2937 #endif /* CONFIG_NETFILTER_NETLINK_GLUE_CT */
2939 /***********************************************************************
2941 ***********************************************************************/
2943 static int ctnetlink_exp_dump_tuple(struct sk_buff *skb,
2944 const struct nf_conntrack_tuple *tuple,
2947 struct nlattr *nest_parms;
2949 nest_parms = nla_nest_start(skb, type);
2951 goto nla_put_failure;
2952 if (ctnetlink_dump_tuples(skb, tuple) < 0)
2953 goto nla_put_failure;
2954 nla_nest_end(skb, nest_parms);
2962 static int ctnetlink_exp_dump_mask(struct sk_buff *skb,
2963 const struct nf_conntrack_tuple *tuple,
2964 const struct nf_conntrack_tuple_mask *mask)
2966 const struct nf_conntrack_l4proto *l4proto;
2967 struct nf_conntrack_tuple m;
2968 struct nlattr *nest_parms;
2971 memset(&m, 0xFF, sizeof(m));
2972 memcpy(&m.src.u3, &mask->src.u3, sizeof(m.src.u3));
2973 m.src.u.all = mask->src.u.all;
2974 m.src.l3num = tuple->src.l3num;
2975 m.dst.protonum = tuple->dst.protonum;
2977 nest_parms = nla_nest_start(skb, CTA_EXPECT_MASK);
2979 goto nla_put_failure;
2982 ret = ctnetlink_dump_tuples_ip(skb, &m);
2984 l4proto = nf_ct_l4proto_find(tuple->dst.protonum);
2985 ret = ctnetlink_dump_tuples_proto(skb, &m, l4proto);
2989 if (unlikely(ret < 0))
2990 goto nla_put_failure;
2992 nla_nest_end(skb, nest_parms);
3000 static const union nf_inet_addr any_addr;
3002 static __be32 nf_expect_get_id(const struct nf_conntrack_expect *exp)
3004 static __read_mostly siphash_key_t exp_id_seed;
3005 unsigned long a, b, c, d;
3007 net_get_random_once(&exp_id_seed, sizeof(exp_id_seed));
3009 a = (unsigned long)exp;
3010 b = (unsigned long)exp->helper;
3011 c = (unsigned long)exp->master;
3012 d = (unsigned long)siphash(&exp->tuple, sizeof(exp->tuple), &exp_id_seed);
3015 return (__force __be32)siphash_4u64((u64)a, (u64)b, (u64)c, (u64)d, &exp_id_seed);
3017 return (__force __be32)siphash_4u32((u32)a, (u32)b, (u32)c, (u32)d, &exp_id_seed);
3022 ctnetlink_exp_dump_expect(struct sk_buff *skb,
3023 const struct nf_conntrack_expect *exp)
3025 struct nf_conn *master = exp->master;
3026 long timeout = ((long)exp->timeout.expires - (long)jiffies) / HZ;
3027 struct nf_conn_help *help;
3028 #if IS_ENABLED(CONFIG_NF_NAT)
3029 struct nlattr *nest_parms;
3030 struct nf_conntrack_tuple nat_tuple = {};
3032 struct nf_ct_helper_expectfn *expfn;
3037 if (ctnetlink_exp_dump_tuple(skb, &exp->tuple, CTA_EXPECT_TUPLE) < 0)
3038 goto nla_put_failure;
3039 if (ctnetlink_exp_dump_mask(skb, &exp->tuple, &exp->mask) < 0)
3040 goto nla_put_failure;
3041 if (ctnetlink_exp_dump_tuple(skb,
3042 &master->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
3043 CTA_EXPECT_MASTER) < 0)
3044 goto nla_put_failure;
3046 #if IS_ENABLED(CONFIG_NF_NAT)
3047 if (!nf_inet_addr_cmp(&exp->saved_addr, &any_addr) ||
3048 exp->saved_proto.all) {
3049 nest_parms = nla_nest_start(skb, CTA_EXPECT_NAT);
3051 goto nla_put_failure;
3053 if (nla_put_be32(skb, CTA_EXPECT_NAT_DIR, htonl(exp->dir)))
3054 goto nla_put_failure;
3056 nat_tuple.src.l3num = nf_ct_l3num(master);
3057 nat_tuple.src.u3 = exp->saved_addr;
3058 nat_tuple.dst.protonum = nf_ct_protonum(master);
3059 nat_tuple.src.u = exp->saved_proto;
3061 if (ctnetlink_exp_dump_tuple(skb, &nat_tuple,
3062 CTA_EXPECT_NAT_TUPLE) < 0)
3063 goto nla_put_failure;
3064 nla_nest_end(skb, nest_parms);
3067 if (nla_put_be32(skb, CTA_EXPECT_TIMEOUT, htonl(timeout)) ||
3068 nla_put_be32(skb, CTA_EXPECT_ID, nf_expect_get_id(exp)) ||
3069 nla_put_be32(skb, CTA_EXPECT_FLAGS, htonl(exp->flags)) ||
3070 nla_put_be32(skb, CTA_EXPECT_CLASS, htonl(exp->class)))
3071 goto nla_put_failure;
3072 help = nfct_help(master);
3074 struct nf_conntrack_helper *helper;
3076 helper = rcu_dereference(help->helper);
3078 nla_put_string(skb, CTA_EXPECT_HELP_NAME, helper->name))
3079 goto nla_put_failure;
3081 expfn = nf_ct_helper_expectfn_find_by_symbol(exp->expectfn);
3082 if (expfn != NULL &&
3083 nla_put_string(skb, CTA_EXPECT_FN, expfn->name))
3084 goto nla_put_failure;
3093 ctnetlink_exp_fill_info(struct sk_buff *skb, u32 portid, u32 seq,
3094 int event, const struct nf_conntrack_expect *exp)
3096 struct nlmsghdr *nlh;
3097 unsigned int flags = portid ? NLM_F_MULTI : 0;
3099 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_EXP, event);
3100 nlh = nfnl_msg_put(skb, portid, seq, event, flags,
3101 exp->tuple.src.l3num, NFNETLINK_V0, 0);
3105 if (ctnetlink_exp_dump_expect(skb, exp) < 0)
3106 goto nla_put_failure;
3108 nlmsg_end(skb, nlh);
3113 nlmsg_cancel(skb, nlh);
3117 #ifdef CONFIG_NF_CONNTRACK_EVENTS
3119 ctnetlink_expect_event(unsigned int events, const struct nf_exp_event *item)
3121 struct nf_conntrack_expect *exp = item->exp;
3122 struct net *net = nf_ct_exp_net(exp);
3123 struct nlmsghdr *nlh;
3124 struct sk_buff *skb;
3125 unsigned int type, group;
3128 if (events & (1 << IPEXP_DESTROY)) {
3129 type = IPCTNL_MSG_EXP_DELETE;
3130 group = NFNLGRP_CONNTRACK_EXP_DESTROY;
3131 } else if (events & (1 << IPEXP_NEW)) {
3132 type = IPCTNL_MSG_EXP_NEW;
3133 flags = NLM_F_CREATE|NLM_F_EXCL;
3134 group = NFNLGRP_CONNTRACK_EXP_NEW;
3138 if (!item->report && !nfnetlink_has_listeners(net, group))
3141 skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
3145 type = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_EXP, type);
3146 nlh = nfnl_msg_put(skb, item->portid, 0, type, flags,
3147 exp->tuple.src.l3num, NFNETLINK_V0, 0);
3151 if (ctnetlink_exp_dump_expect(skb, exp) < 0)
3152 goto nla_put_failure;
3154 nlmsg_end(skb, nlh);
3155 nfnetlink_send(skb, net, item->portid, group, item->report, GFP_ATOMIC);
3159 nlmsg_cancel(skb, nlh);
3163 nfnetlink_set_err(net, 0, 0, -ENOBUFS);
3167 static int ctnetlink_exp_done(struct netlink_callback *cb)
3170 nf_ct_expect_put((struct nf_conntrack_expect *)cb->args[1]);
3175 ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
3177 struct net *net = sock_net(skb->sk);
3178 struct nf_conntrack_expect *exp, *last;
3179 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
3180 u_int8_t l3proto = nfmsg->nfgen_family;
3183 last = (struct nf_conntrack_expect *)cb->args[1];
3184 for (; cb->args[0] < nf_ct_expect_hsize; cb->args[0]++) {
3186 hlist_for_each_entry_rcu(exp, &nf_ct_expect_hash[cb->args[0]],
3188 if (l3proto && exp->tuple.src.l3num != l3proto)
3191 if (!net_eq(nf_ct_net(exp->master), net))
3199 if (ctnetlink_exp_fill_info(skb,
3200 NETLINK_CB(cb->skb).portid,
3204 if (!refcount_inc_not_zero(&exp->use))
3206 cb->args[1] = (unsigned long)exp;
3218 nf_ct_expect_put(last);
3224 ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
3226 struct nf_conntrack_expect *exp, *last;
3227 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
3228 struct nf_conn *ct = cb->data;
3229 struct nf_conn_help *help = nfct_help(ct);
3230 u_int8_t l3proto = nfmsg->nfgen_family;
3236 last = (struct nf_conntrack_expect *)cb->args[1];
3238 hlist_for_each_entry_rcu(exp, &help->expectations, lnode) {
3239 if (l3proto && exp->tuple.src.l3num != l3proto)
3246 if (ctnetlink_exp_fill_info(skb, NETLINK_CB(cb->skb).portid,
3250 if (!refcount_inc_not_zero(&exp->use))
3252 cb->args[1] = (unsigned long)exp;
3264 nf_ct_expect_put(last);
3269 static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl,
3270 struct sk_buff *skb,
3271 const struct nlmsghdr *nlh,
3272 const struct nlattr * const cda[],
3273 struct netlink_ext_ack *extack)
3276 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3277 u_int8_t u3 = nfmsg->nfgen_family;
3278 struct nf_conntrack_tuple tuple;
3279 struct nf_conntrack_tuple_hash *h;
3281 struct nf_conntrack_zone zone;
3282 struct netlink_dump_control c = {
3283 .dump = ctnetlink_exp_ct_dump_table,
3284 .done = ctnetlink_exp_done,
3287 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER,
3292 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
3296 h = nf_conntrack_find_get(net, &zone, &tuple);
3300 ct = nf_ct_tuplehash_to_ctrack(h);
3301 /* No expectation linked to this connection tracking. */
3302 if (!nfct_help(ct)) {
3309 err = netlink_dump_start(ctnl, skb, nlh, &c);
3315 static int ctnetlink_get_expect(struct sk_buff *skb,
3316 const struct nfnl_info *info,
3317 const struct nlattr * const cda[])
3319 u_int8_t u3 = info->nfmsg->nfgen_family;
3320 struct nf_conntrack_tuple tuple;
3321 struct nf_conntrack_expect *exp;
3322 struct nf_conntrack_zone zone;
3323 struct sk_buff *skb2;
3326 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
3327 if (cda[CTA_EXPECT_MASTER])
3328 return ctnetlink_dump_exp_ct(info->net, info->sk, skb,
3332 struct netlink_dump_control c = {
3333 .dump = ctnetlink_exp_dump_table,
3334 .done = ctnetlink_exp_done,
3336 return netlink_dump_start(info->sk, skb, info->nlh, &c);
3340 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
3344 if (cda[CTA_EXPECT_TUPLE])
3345 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE,
3347 else if (cda[CTA_EXPECT_MASTER])
3348 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER,
3356 exp = nf_ct_expect_find_get(info->net, &zone, &tuple);
3360 if (cda[CTA_EXPECT_ID]) {
3361 __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);
3363 if (id != nf_expect_get_id(exp)) {
3364 nf_ct_expect_put(exp);
3369 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3371 nf_ct_expect_put(exp);
3376 err = ctnetlink_exp_fill_info(skb2, NETLINK_CB(skb).portid,
3377 info->nlh->nlmsg_seq, IPCTNL_MSG_EXP_NEW,
3380 nf_ct_expect_put(exp);
3386 return nfnetlink_unicast(skb2, info->net, NETLINK_CB(skb).portid);
3389 static bool expect_iter_name(struct nf_conntrack_expect *exp, void *data)
3391 const struct nf_conn_help *m_help;
3392 const char *name = data;
3394 m_help = nfct_help(exp->master);
3396 return strcmp(m_help->helper->name, name) == 0;
3399 static bool expect_iter_all(struct nf_conntrack_expect *exp, void *data)
3404 static int ctnetlink_del_expect(struct sk_buff *skb,
3405 const struct nfnl_info *info,
3406 const struct nlattr * const cda[])
3408 u_int8_t u3 = info->nfmsg->nfgen_family;
3409 struct nf_conntrack_expect *exp;
3410 struct nf_conntrack_tuple tuple;
3411 struct nf_conntrack_zone zone;
3414 if (cda[CTA_EXPECT_TUPLE]) {
3415 /* delete a single expect by tuple */
3416 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
3420 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE,
3425 /* bump usage count to 2 */
3426 exp = nf_ct_expect_find_get(info->net, &zone, &tuple);
3430 if (cda[CTA_EXPECT_ID]) {
3431 __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);
3432 if (ntohl(id) != (u32)(unsigned long)exp) {
3433 nf_ct_expect_put(exp);
3438 /* after list removal, usage count == 1 */
3439 spin_lock_bh(&nf_conntrack_expect_lock);
3440 if (del_timer(&exp->timeout)) {
3441 nf_ct_unlink_expect_report(exp, NETLINK_CB(skb).portid,
3442 nlmsg_report(info->nlh));
3443 nf_ct_expect_put(exp);
3445 spin_unlock_bh(&nf_conntrack_expect_lock);
3446 /* have to put what we 'get' above.
3447 * after this line usage count == 0 */
3448 nf_ct_expect_put(exp);
3449 } else if (cda[CTA_EXPECT_HELP_NAME]) {
3450 char *name = nla_data(cda[CTA_EXPECT_HELP_NAME]);
3452 nf_ct_expect_iterate_net(info->net, expect_iter_name, name,
3453 NETLINK_CB(skb).portid,
3454 nlmsg_report(info->nlh));
3456 /* This basically means we have to flush everything*/
3457 nf_ct_expect_iterate_net(info->net, expect_iter_all, NULL,
3458 NETLINK_CB(skb).portid,
3459 nlmsg_report(info->nlh));
3465 ctnetlink_change_expect(struct nf_conntrack_expect *x,
3466 const struct nlattr * const cda[])
3468 if (cda[CTA_EXPECT_TIMEOUT]) {
3469 if (!del_timer(&x->timeout))
3472 x->timeout.expires = jiffies +
3473 ntohl(nla_get_be32(cda[CTA_EXPECT_TIMEOUT])) * HZ;
3474 add_timer(&x->timeout);
3479 static const struct nla_policy exp_nat_nla_policy[CTA_EXPECT_NAT_MAX+1] = {
3480 [CTA_EXPECT_NAT_DIR] = { .type = NLA_U32 },
3481 [CTA_EXPECT_NAT_TUPLE] = { .type = NLA_NESTED },
3485 ctnetlink_parse_expect_nat(const struct nlattr *attr,
3486 struct nf_conntrack_expect *exp,
3489 #if IS_ENABLED(CONFIG_NF_NAT)
3490 struct nlattr *tb[CTA_EXPECT_NAT_MAX+1];
3491 struct nf_conntrack_tuple nat_tuple = {};
3494 err = nla_parse_nested_deprecated(tb, CTA_EXPECT_NAT_MAX, attr,
3495 exp_nat_nla_policy, NULL);
3499 if (!tb[CTA_EXPECT_NAT_DIR] || !tb[CTA_EXPECT_NAT_TUPLE])
3502 err = ctnetlink_parse_tuple((const struct nlattr * const *)tb,
3503 &nat_tuple, CTA_EXPECT_NAT_TUPLE,
3508 exp->saved_addr = nat_tuple.src.u3;
3509 exp->saved_proto = nat_tuple.src.u;
3510 exp->dir = ntohl(nla_get_be32(tb[CTA_EXPECT_NAT_DIR]));
3518 static struct nf_conntrack_expect *
3519 ctnetlink_alloc_expect(const struct nlattr * const cda[], struct nf_conn *ct,
3520 struct nf_conntrack_helper *helper,
3521 struct nf_conntrack_tuple *tuple,
3522 struct nf_conntrack_tuple *mask)
3524 u_int32_t class = 0;
3525 struct nf_conntrack_expect *exp;
3526 struct nf_conn_help *help;
3529 help = nfct_help(ct);
3531 return ERR_PTR(-EOPNOTSUPP);
3533 if (cda[CTA_EXPECT_CLASS] && helper) {
3534 class = ntohl(nla_get_be32(cda[CTA_EXPECT_CLASS]));
3535 if (class > helper->expect_class_max)
3536 return ERR_PTR(-EINVAL);
3538 exp = nf_ct_expect_alloc(ct);
3540 return ERR_PTR(-ENOMEM);
3542 if (cda[CTA_EXPECT_FLAGS]) {
3543 exp->flags = ntohl(nla_get_be32(cda[CTA_EXPECT_FLAGS]));
3544 exp->flags &= ~NF_CT_EXPECT_USERSPACE;
3548 if (cda[CTA_EXPECT_FN]) {
3549 const char *name = nla_data(cda[CTA_EXPECT_FN]);
3550 struct nf_ct_helper_expectfn *expfn;
3552 expfn = nf_ct_helper_expectfn_find_by_name(name);
3553 if (expfn == NULL) {
3557 exp->expectfn = expfn->expectfn;
3559 exp->expectfn = NULL;
3563 exp->helper = helper;
3564 exp->tuple = *tuple;
3565 exp->mask.src.u3 = mask->src.u3;
3566 exp->mask.src.u.all = mask->src.u.all;
3568 if (cda[CTA_EXPECT_NAT]) {
3569 err = ctnetlink_parse_expect_nat(cda[CTA_EXPECT_NAT],
3570 exp, nf_ct_l3num(ct));
3576 nf_ct_expect_put(exp);
3577 return ERR_PTR(err);
3581 ctnetlink_create_expect(struct net *net,
3582 const struct nf_conntrack_zone *zone,
3583 const struct nlattr * const cda[],
3584 u_int8_t u3, u32 portid, int report)
3586 struct nf_conntrack_tuple tuple, mask, master_tuple;
3587 struct nf_conntrack_tuple_hash *h = NULL;
3588 struct nf_conntrack_helper *helper = NULL;
3589 struct nf_conntrack_expect *exp;
3593 /* caller guarantees that those three CTA_EXPECT_* exist */
3594 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE,
3598 err = ctnetlink_parse_tuple(cda, &mask, CTA_EXPECT_MASK,
3602 err = ctnetlink_parse_tuple(cda, &master_tuple, CTA_EXPECT_MASTER,
3607 /* Look for master conntrack of this expectation */
3608 h = nf_conntrack_find_get(net, zone, &master_tuple);
3611 ct = nf_ct_tuplehash_to_ctrack(h);
3614 if (cda[CTA_EXPECT_HELP_NAME]) {
3615 const char *helpname = nla_data(cda[CTA_EXPECT_HELP_NAME]);
3617 helper = __nf_conntrack_helper_find(helpname, u3,
3618 nf_ct_protonum(ct));
3619 if (helper == NULL) {
3621 #ifdef CONFIG_MODULES
3622 if (request_module("nfct-helper-%s", helpname) < 0) {
3627 helper = __nf_conntrack_helper_find(helpname, u3,
3628 nf_ct_protonum(ct));
3640 exp = ctnetlink_alloc_expect(cda, ct, helper, &tuple, &mask);
3646 err = nf_ct_expect_related_report(exp, portid, report, 0);
3647 nf_ct_expect_put(exp);
3655 static int ctnetlink_new_expect(struct sk_buff *skb,
3656 const struct nfnl_info *info,
3657 const struct nlattr * const cda[])
3659 u_int8_t u3 = info->nfmsg->nfgen_family;
3660 struct nf_conntrack_tuple tuple;
3661 struct nf_conntrack_expect *exp;
3662 struct nf_conntrack_zone zone;
3665 if (!cda[CTA_EXPECT_TUPLE]
3666 || !cda[CTA_EXPECT_MASK]
3667 || !cda[CTA_EXPECT_MASTER])
3670 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
3674 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE,
3679 spin_lock_bh(&nf_conntrack_expect_lock);
3680 exp = __nf_ct_expect_find(info->net, &zone, &tuple);
3682 spin_unlock_bh(&nf_conntrack_expect_lock);
3684 if (info->nlh->nlmsg_flags & NLM_F_CREATE) {
3685 err = ctnetlink_create_expect(info->net, &zone, cda, u3,
3686 NETLINK_CB(skb).portid,
3687 nlmsg_report(info->nlh));
3693 if (!(info->nlh->nlmsg_flags & NLM_F_EXCL))
3694 err = ctnetlink_change_expect(exp, cda);
3695 spin_unlock_bh(&nf_conntrack_expect_lock);
3701 ctnetlink_exp_stat_fill_info(struct sk_buff *skb, u32 portid, u32 seq, int cpu,
3702 const struct ip_conntrack_stat *st)
3704 struct nlmsghdr *nlh;
3705 unsigned int flags = portid ? NLM_F_MULTI : 0, event;
3707 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK,
3708 IPCTNL_MSG_EXP_GET_STATS_CPU);
3709 nlh = nfnl_msg_put(skb, portid, seq, event, flags, AF_UNSPEC,
3710 NFNETLINK_V0, htons(cpu));
3714 if (nla_put_be32(skb, CTA_STATS_EXP_NEW, htonl(st->expect_new)) ||
3715 nla_put_be32(skb, CTA_STATS_EXP_CREATE, htonl(st->expect_create)) ||
3716 nla_put_be32(skb, CTA_STATS_EXP_DELETE, htonl(st->expect_delete)))
3717 goto nla_put_failure;
3719 nlmsg_end(skb, nlh);
3724 nlmsg_cancel(skb, nlh);
3729 ctnetlink_exp_stat_cpu_dump(struct sk_buff *skb, struct netlink_callback *cb)
3732 struct net *net = sock_net(skb->sk);
3734 if (cb->args[0] == nr_cpu_ids)
3737 for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) {
3738 const struct ip_conntrack_stat *st;
3740 if (!cpu_possible(cpu))
3743 st = per_cpu_ptr(net->ct.stat, cpu);
3744 if (ctnetlink_exp_stat_fill_info(skb, NETLINK_CB(cb->skb).portid,
3754 static int ctnetlink_stat_exp_cpu(struct sk_buff *skb,
3755 const struct nfnl_info *info,
3756 const struct nlattr * const cda[])
3758 if (info->nlh->nlmsg_flags & NLM_F_DUMP) {
3759 struct netlink_dump_control c = {
3760 .dump = ctnetlink_exp_stat_cpu_dump,
3762 return netlink_dump_start(info->sk, skb, info->nlh, &c);
3768 #ifdef CONFIG_NF_CONNTRACK_EVENTS
3769 static struct nf_ct_event_notifier ctnl_notifier = {
3770 .ct_event = ctnetlink_conntrack_event,
3771 .exp_event = ctnetlink_expect_event,
3775 static const struct nfnl_callback ctnl_cb[IPCTNL_MSG_MAX] = {
3776 [IPCTNL_MSG_CT_NEW] = {
3777 .call = ctnetlink_new_conntrack,
3778 .type = NFNL_CB_MUTEX,
3779 .attr_count = CTA_MAX,
3780 .policy = ct_nla_policy
3782 [IPCTNL_MSG_CT_GET] = {
3783 .call = ctnetlink_get_conntrack,
3784 .type = NFNL_CB_MUTEX,
3785 .attr_count = CTA_MAX,
3786 .policy = ct_nla_policy
3788 [IPCTNL_MSG_CT_DELETE] = {
3789 .call = ctnetlink_del_conntrack,
3790 .type = NFNL_CB_MUTEX,
3791 .attr_count = CTA_MAX,
3792 .policy = ct_nla_policy
3794 [IPCTNL_MSG_CT_GET_CTRZERO] = {
3795 .call = ctnetlink_get_conntrack,
3796 .type = NFNL_CB_MUTEX,
3797 .attr_count = CTA_MAX,
3798 .policy = ct_nla_policy
3800 [IPCTNL_MSG_CT_GET_STATS_CPU] = {
3801 .call = ctnetlink_stat_ct_cpu,
3802 .type = NFNL_CB_MUTEX,
3804 [IPCTNL_MSG_CT_GET_STATS] = {
3805 .call = ctnetlink_stat_ct,
3806 .type = NFNL_CB_MUTEX,
3808 [IPCTNL_MSG_CT_GET_DYING] = {
3809 .call = ctnetlink_get_ct_dying,
3810 .type = NFNL_CB_MUTEX,
3812 [IPCTNL_MSG_CT_GET_UNCONFIRMED] = {
3813 .call = ctnetlink_get_ct_unconfirmed,
3814 .type = NFNL_CB_MUTEX,
3818 static const struct nfnl_callback ctnl_exp_cb[IPCTNL_MSG_EXP_MAX] = {
3819 [IPCTNL_MSG_EXP_GET] = {
3820 .call = ctnetlink_get_expect,
3821 .type = NFNL_CB_MUTEX,
3822 .attr_count = CTA_EXPECT_MAX,
3823 .policy = exp_nla_policy
3825 [IPCTNL_MSG_EXP_NEW] = {
3826 .call = ctnetlink_new_expect,
3827 .type = NFNL_CB_MUTEX,
3828 .attr_count = CTA_EXPECT_MAX,
3829 .policy = exp_nla_policy
3831 [IPCTNL_MSG_EXP_DELETE] = {
3832 .call = ctnetlink_del_expect,
3833 .type = NFNL_CB_MUTEX,
3834 .attr_count = CTA_EXPECT_MAX,
3835 .policy = exp_nla_policy
3837 [IPCTNL_MSG_EXP_GET_STATS_CPU] = {
3838 .call = ctnetlink_stat_exp_cpu,
3839 .type = NFNL_CB_MUTEX,
3843 static const struct nfnetlink_subsystem ctnl_subsys = {
3844 .name = "conntrack",
3845 .subsys_id = NFNL_SUBSYS_CTNETLINK,
3846 .cb_count = IPCTNL_MSG_MAX,
3850 static const struct nfnetlink_subsystem ctnl_exp_subsys = {
3851 .name = "conntrack_expect",
3852 .subsys_id = NFNL_SUBSYS_CTNETLINK_EXP,
3853 .cb_count = IPCTNL_MSG_EXP_MAX,
3857 MODULE_ALIAS("ip_conntrack_netlink");
3858 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK);
3859 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK_EXP);
3861 static int __net_init ctnetlink_net_init(struct net *net)
3863 #ifdef CONFIG_NF_CONNTRACK_EVENTS
3864 nf_conntrack_register_notifier(net, &ctnl_notifier);
3869 static void ctnetlink_net_pre_exit(struct net *net)
3871 #ifdef CONFIG_NF_CONNTRACK_EVENTS
3872 nf_conntrack_unregister_notifier(net);
3876 static struct pernet_operations ctnetlink_net_ops = {
3877 .init = ctnetlink_net_init,
3878 .pre_exit = ctnetlink_net_pre_exit,
3881 static int __init ctnetlink_init(void)
3885 ret = nfnetlink_subsys_register(&ctnl_subsys);
3887 pr_err("ctnetlink_init: cannot register with nfnetlink.\n");
3891 ret = nfnetlink_subsys_register(&ctnl_exp_subsys);
3893 pr_err("ctnetlink_init: cannot register exp with nfnetlink.\n");
3894 goto err_unreg_subsys;
3897 ret = register_pernet_subsys(&ctnetlink_net_ops);
3899 pr_err("ctnetlink_init: cannot register pernet operations\n");
3900 goto err_unreg_exp_subsys;
3902 #ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT
3903 /* setup interaction between nf_queue and nf_conntrack_netlink. */
3904 RCU_INIT_POINTER(nfnl_ct_hook, &ctnetlink_glue_hook);
3908 err_unreg_exp_subsys:
3909 nfnetlink_subsys_unregister(&ctnl_exp_subsys);
3911 nfnetlink_subsys_unregister(&ctnl_subsys);
3916 static void __exit ctnetlink_exit(void)
3918 unregister_pernet_subsys(&ctnetlink_net_ops);
3919 nfnetlink_subsys_unregister(&ctnl_exp_subsys);
3920 nfnetlink_subsys_unregister(&ctnl_subsys);
3921 #ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT
3922 RCU_INIT_POINTER(nfnl_ct_hook, NULL);
3927 module_init(ctnetlink_init);
3928 module_exit(ctnetlink_exit);
projects / platform / kernel / linux-rpi.git / blob