aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorHarald Welte <laforge@netfilter.org>2005-08-09 22:32:58 -0400
committerDavid S. Miller <davem@sunset.davemloft.net>2005-08-29 18:31:49 -0400
commit080774a243f56ce2195ace96fba3d18548ee48ce (patch)
tree2065041cb2b85891ca45648122122796122c38dc
parent6f1cf16582160c4839f05007c978743911aa022b (diff)
[NETFILTER]: Add ctnetlink subsystem
Add ctnetlink subsystem for userspace-access to ip_conntrack table. This allows reading and updating of existing entries, as well as creating new ones (and new expect's) via nfnetlink. Please note the 'strange' byte order: nfattr (tag+length) are in host byte order, while the payload is always guaranteed to be in network byte order. This allows a simple userspace process to encapsulate netlink messages into arch-independent udp packets by just processing/swapping the headers and not knowing anything about the actual payload. Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--include/linux/netfilter/nfnetlink.h3
-rw-r--r--include/linux/netfilter/nfnetlink_conntrack.h123
-rw-r--r--include/linux/netfilter_ipv4/ip_conntrack.h46
-rw-r--r--include/linux/netfilter_ipv4/ip_conntrack_core.h5
-rw-r--r--include/linux/netfilter_ipv4/ip_conntrack_helper.h2
-rw-r--r--include/linux/netfilter_ipv4/ip_conntrack_protocol.h24
-rw-r--r--include/linux/netfilter_ipv4/ip_nat_protocol.h25
-rw-r--r--net/ipv4/netfilter/Kconfig7
-rw-r--r--net/ipv4/netfilter/Makefile4
-rw-r--r--net/ipv4/netfilter/ip_conntrack_core.c281
-rw-r--r--net/ipv4/netfilter/ip_conntrack_netlink.c1588
-rw-r--r--net/ipv4/netfilter/ip_conntrack_proto_icmp.c64
-rw-r--r--net/ipv4/netfilter/ip_conntrack_proto_sctp.c7
-rw-r--r--net/ipv4/netfilter/ip_conntrack_proto_tcp.c23
-rw-r--r--net/ipv4/netfilter/ip_conntrack_proto_udp.c5
-rw-r--r--net/ipv4/netfilter/ip_conntrack_standalone.c38
-rw-r--r--net/ipv4/netfilter/ip_nat_core.c99
-rw-r--r--net/ipv4/netfilter/ip_nat_proto_icmp.c9
-rw-r--r--net/ipv4/netfilter/ip_nat_proto_tcp.c10
-rw-r--r--net/ipv4/netfilter/ip_nat_proto_udp.c9
-rw-r--r--net/ipv4/netfilter/ip_nat_proto_unknown.c2
-rw-r--r--net/ipv4/netfilter/ip_nat_standalone.c2
-rw-r--r--net/netfilter/nfnetlink.c1
23 files changed, 2277 insertions, 100 deletions
diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h
index 8f1bfb8d650b..ace7a7be0742 100644
--- a/include/linux/netfilter/nfnetlink.h
+++ b/include/linux/netfilter/nfnetlink.h
@@ -56,7 +56,7 @@ struct nfgenmsg {
56 u_int16_t res_id; /* resource id */ 56 u_int16_t res_id; /* resource id */
57} __attribute__ ((packed)); 57} __attribute__ ((packed));
58 58
59#define NFNETLINK_V1 1 59#define NFNETLINK_V0 0
60 60
61#define NFM_NFA(n) ((struct nfattr *)(((char *)(n)) \ 61#define NFM_NFA(n) ((struct nfattr *)(((char *)(n)) \
62 + NLMSG_ALIGN(sizeof(struct nfgenmsg)))) 62 + NLMSG_ALIGN(sizeof(struct nfgenmsg))))
@@ -81,6 +81,7 @@ enum nfnl_subsys_id {
81 81
82#ifdef __KERNEL__ 82#ifdef __KERNEL__
83 83
84#include <linux/netlink.h>
84#include <linux/capability.h> 85#include <linux/capability.h>
85 86
86struct nfnl_callback 87struct nfnl_callback
diff --git a/include/linux/netfilter/nfnetlink_conntrack.h b/include/linux/netfilter/nfnetlink_conntrack.h
new file mode 100644
index 000000000000..fb528e0e3bd9
--- /dev/null
+++ b/include/linux/netfilter/nfnetlink_conntrack.h
@@ -0,0 +1,123 @@
1#ifndef _IPCONNTRACK_NETLINK_H
2#define _IPCONNTRACK_NETLINK_H
3#include <linux/netfilter/nfnetlink.h>
4
5enum cntl_msg_types {
6 IPCTNL_MSG_CT_NEW,
7 IPCTNL_MSG_CT_GET,
8 IPCTNL_MSG_CT_DELETE,
9 IPCTNL_MSG_CT_GET_CTRZERO,
10
11 IPCTNL_MSG_MAX
12};
13
14enum ctnl_exp_msg_types {
15 IPCTNL_MSG_EXP_NEW,
16 IPCTNL_MSG_EXP_GET,
17 IPCTNL_MSG_EXP_DELETE,
18
19 IPCTNL_MSG_EXP_MAX
20};
21
22
23enum ctattr_type {
24 CTA_UNSPEC,
25 CTA_TUPLE_ORIG,
26 CTA_TUPLE_REPLY,
27 CTA_STATUS,
28 CTA_PROTOINFO,
29 CTA_HELP,
30 CTA_NAT,
31 CTA_TIMEOUT,
32 CTA_MARK,
33 CTA_COUNTERS_ORIG,
34 CTA_COUNTERS_REPLY,
35 CTA_USE,
36 CTA_EXPECT,
37 CTA_ID,
38 __CTA_MAX
39};
40#define CTA_MAX (__CTA_MAX - 1)
41
42enum ctattr_tuple {
43 CTA_TUPLE_UNSPEC,
44 CTA_TUPLE_IP,
45 CTA_TUPLE_PROTO,
46 __CTA_TUPLE_MAX
47};
48#define CTA_TUPLE_MAX (__CTA_TUPLE_MAX - 1)
49
50enum ctattr_ip {
51 CTA_IP_UNSPEC,
52 CTA_IP_V4_SRC,
53 CTA_IP_V4_DST,
54 CTA_IP_V6_SRC,
55 CTA_IP_V6_DST,
56 __CTA_IP_MAX
57};
58#define CTA_IP_MAX (__CTA_IP_MAX - 1)
59
60enum ctattr_l4proto {
61 CTA_PROTO_UNSPEC,
62 CTA_PROTO_NUM,
63 CTA_PROTO_SRC_PORT,
64 CTA_PROTO_DST_PORT,
65 CTA_PROTO_ICMP_ID,
66 CTA_PROTO_ICMP_TYPE,
67 CTA_PROTO_ICMP_CODE,
68 __CTA_PROTO_MAX
69};
70#define CTA_PROTO_MAX (__CTA_PROTO_MAX - 1)
71
72enum ctattr_protoinfo {
73 CTA_PROTOINFO_UNSPEC,
74 CTA_PROTOINFO_TCP_STATE,
75 __CTA_PROTOINFO_MAX
76};
77#define CTA_PROTOINFO_MAX (__CTA_PROTOINFO_MAX - 1)
78
79enum ctattr_counters {
80 CTA_COUNTERS_UNSPEC,
81 CTA_COUNTERS_PACKETS,
82 CTA_COUNTERS_BYTES,
83 __CTA_COUNTERS_MAX
84};
85#define CTA_COUNTERS_MAX (__CTA_COUNTERS_MAX - 1)
86
87enum ctattr_nat {
88 CTA_NAT_UNSPEC,
89 CTA_NAT_MINIP,
90 CTA_NAT_MAXIP,
91 CTA_NAT_PROTO,
92 __CTA_NAT_MAX
93};
94#define CTA_NAT_MAX (__CTA_NAT_MAX - 1)
95
96enum ctattr_protonat {
97 CTA_PROTONAT_UNSPEC,
98 CTA_PROTONAT_PORT_MIN,
99 CTA_PROTONAT_PORT_MAX,
100 __CTA_PROTONAT_MAX
101};
102#define CTA_PROTONAT_MAX (__CTA_PROTONAT_MAX - 1)
103
104enum ctattr_expect {
105 CTA_EXPECT_UNSPEC,
106 CTA_EXPECT_TUPLE,
107 CTA_EXPECT_MASK,
108 CTA_EXPECT_TIMEOUT,
109 CTA_EXPECT_ID,
110 __CTA_EXPECT_MAX
111};
112#define CTA_EXPECT_MAX (__CTA_EXPECT_MAX - 1)
113
114enum ctattr_help {
115 CTA_HELP_UNSPEC,
116 CTA_HELP_NAME,
117 __CTA_HELP_MAX
118};
119#define CTA_HELP_MAX (__CTA_HELP_MAX - 1)
120
121#define CTA_HELP_MAXNAMESIZE 32
122
123#endif /* _IPCONNTRACK_NETLINK_H */
diff --git a/include/linux/netfilter_ipv4/ip_conntrack.h b/include/linux/netfilter_ipv4/ip_conntrack.h
index ae1270c97b50..ff2c1c6001f9 100644
--- a/include/linux/netfilter_ipv4/ip_conntrack.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack.h
@@ -209,6 +209,9 @@ struct ip_conntrack
209 /* Current number of expected connections */ 209 /* Current number of expected connections */
210 unsigned int expecting; 210 unsigned int expecting;
211 211
212 /* Unique ID that identifies this conntrack*/
213 unsigned int id;
214
212 /* Helper, if any. */ 215 /* Helper, if any. */
213 struct ip_conntrack_helper *helper; 216 struct ip_conntrack_helper *helper;
214 217
@@ -257,6 +260,9 @@ struct ip_conntrack_expect
257 /* Usage count. */ 260 /* Usage count. */
258 atomic_t use; 261 atomic_t use;
259 262
263 /* Unique ID */
264 unsigned int id;
265
260#ifdef CONFIG_IP_NF_NAT_NEEDED 266#ifdef CONFIG_IP_NF_NAT_NEEDED
261 /* This is the original per-proto part, used to map the 267 /* This is the original per-proto part, used to map the
262 * expected connection the way the recipient expects. */ 268 * expected connection the way the recipient expects. */
@@ -296,7 +302,12 @@ ip_conntrack_get(const struct sk_buff *skb, enum ip_conntrack_info *ctinfo)
296} 302}
297 303
298/* decrement reference count on a conntrack */ 304/* decrement reference count on a conntrack */
299extern void ip_conntrack_put(struct ip_conntrack *ct); 305static inline void
306ip_conntrack_put(struct ip_conntrack *ct)
307{
308 IP_NF_ASSERT(ct);
309 nf_conntrack_put(&ct->ct_general);
310}
300 311
301/* call to create an explicit dependency on ip_conntrack. */ 312/* call to create an explicit dependency on ip_conntrack. */
302extern void need_ip_conntrack(void); 313extern void need_ip_conntrack(void);
@@ -331,6 +342,39 @@ extern void
331ip_ct_iterate_cleanup(int (*iter)(struct ip_conntrack *i, void *data), 342ip_ct_iterate_cleanup(int (*iter)(struct ip_conntrack *i, void *data),
332 void *data); 343 void *data);
333 344
345extern struct ip_conntrack_helper *
346__ip_conntrack_helper_find_byname(const char *);
347extern struct ip_conntrack_helper *
348ip_conntrack_helper_find_get(const struct ip_conntrack_tuple *tuple);
349extern void ip_conntrack_helper_put(struct ip_conntrack_helper *helper);
350
351extern struct ip_conntrack_protocol *
352__ip_conntrack_proto_find(u_int8_t protocol);
353extern struct ip_conntrack_protocol *
354ip_conntrack_proto_find_get(u_int8_t protocol);
355extern void ip_conntrack_proto_put(struct ip_conntrack_protocol *proto);
356
357extern void ip_ct_remove_expectations(struct ip_conntrack *ct);
358
359extern struct ip_conntrack *ip_conntrack_alloc(struct ip_conntrack_tuple *,
360 struct ip_conntrack_tuple *);
361
362extern void ip_conntrack_free(struct ip_conntrack *ct);
363
364extern void ip_conntrack_hash_insert(struct ip_conntrack *ct);
365
366extern struct ip_conntrack_expect *
367__ip_conntrack_expect_find(const struct ip_conntrack_tuple *tuple);
368
369extern struct ip_conntrack_expect *
370ip_conntrack_expect_find_get(const struct ip_conntrack_tuple *tuple);
371
372extern struct ip_conntrack_tuple_hash *
373__ip_conntrack_find(const struct ip_conntrack_tuple *tuple,
374 const struct ip_conntrack *ignored_conntrack);
375
376extern void ip_conntrack_flush(void);
377
334/* It's confirmed if it is, or has been in the hash table. */ 378/* It's confirmed if it is, or has been in the hash table. */
335static inline int is_confirmed(struct ip_conntrack *ct) 379static inline int is_confirmed(struct ip_conntrack *ct)
336{ 380{
diff --git a/include/linux/netfilter_ipv4/ip_conntrack_core.h b/include/linux/netfilter_ipv4/ip_conntrack_core.h
index 46eeea1e2733..fbf6c3e41647 100644
--- a/include/linux/netfilter_ipv4/ip_conntrack_core.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack_core.h
@@ -2,6 +2,9 @@
2#define _IP_CONNTRACK_CORE_H 2#define _IP_CONNTRACK_CORE_H
3#include <linux/netfilter.h> 3#include <linux/netfilter.h>
4 4
5#define MAX_IP_CT_PROTO 256
6extern struct ip_conntrack_protocol *ip_ct_protos[MAX_IP_CT_PROTO];
7
5/* This header is used to share core functionality between the 8/* This header is used to share core functionality between the
6 standalone connection tracking module, and the compatibility layer's use 9 standalone connection tracking module, and the compatibility layer's use
7 of connection tracking. */ 10 of connection tracking. */
@@ -53,6 +56,8 @@ struct ip_conntrack_ecache;
53extern void __ip_ct_deliver_cached_events(struct ip_conntrack_ecache *ec); 56extern void __ip_ct_deliver_cached_events(struct ip_conntrack_ecache *ec);
54#endif 57#endif
55 58
59extern void __ip_ct_expect_unlink_destroy(struct ip_conntrack_expect *exp);
60
56extern struct list_head *ip_conntrack_hash; 61extern struct list_head *ip_conntrack_hash;
57extern struct list_head ip_conntrack_expect_list; 62extern struct list_head ip_conntrack_expect_list;
58extern rwlock_t ip_conntrack_lock; 63extern rwlock_t ip_conntrack_lock;
diff --git a/include/linux/netfilter_ipv4/ip_conntrack_helper.h b/include/linux/netfilter_ipv4/ip_conntrack_helper.h
index 3692daa93dec..8d69279ccfe4 100644
--- a/include/linux/netfilter_ipv4/ip_conntrack_helper.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack_helper.h
@@ -24,6 +24,8 @@ struct ip_conntrack_helper
24 int (*help)(struct sk_buff **pskb, 24 int (*help)(struct sk_buff **pskb,
25 struct ip_conntrack *ct, 25 struct ip_conntrack *ct,
26 enum ip_conntrack_info conntrackinfo); 26 enum ip_conntrack_info conntrackinfo);
27
28 int (*to_nfattr)(struct sk_buff *skb, const struct ip_conntrack *ct);
27}; 29};
28 30
29extern int ip_conntrack_helper_register(struct ip_conntrack_helper *); 31extern int ip_conntrack_helper_register(struct ip_conntrack_helper *);
diff --git a/include/linux/netfilter_ipv4/ip_conntrack_protocol.h b/include/linux/netfilter_ipv4/ip_conntrack_protocol.h
index e20b57c5e1b7..b6b99be8632a 100644
--- a/include/linux/netfilter_ipv4/ip_conntrack_protocol.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack_protocol.h
@@ -2,6 +2,7 @@
2#ifndef _IP_CONNTRACK_PROTOCOL_H 2#ifndef _IP_CONNTRACK_PROTOCOL_H
3#define _IP_CONNTRACK_PROTOCOL_H 3#define _IP_CONNTRACK_PROTOCOL_H
4#include <linux/netfilter_ipv4/ip_conntrack.h> 4#include <linux/netfilter_ipv4/ip_conntrack.h>
5#include <linux/netfilter/nfnetlink_conntrack.h>
5 6
6struct seq_file; 7struct seq_file;
7 8
@@ -47,22 +48,22 @@ struct ip_conntrack_protocol
47 int (*error)(struct sk_buff *skb, enum ip_conntrack_info *ctinfo, 48 int (*error)(struct sk_buff *skb, enum ip_conntrack_info *ctinfo,
48 unsigned int hooknum); 49 unsigned int hooknum);
49 50
51 /* convert protoinfo to nfnetink attributes */
52 int (*to_nfattr)(struct sk_buff *skb, struct nfattr *nfa,
53 const struct ip_conntrack *ct);
54
55 int (*tuple_to_nfattr)(struct sk_buff *skb,
56 const struct ip_conntrack_tuple *t);
57 int (*nfattr_to_tuple)(struct nfattr *tb[],
58 struct ip_conntrack_tuple *t);
59
50 /* Module (if any) which this is connected to. */ 60 /* Module (if any) which this is connected to. */
51 struct module *me; 61 struct module *me;
52}; 62};
53 63
54#define MAX_IP_CT_PROTO 256
55extern struct ip_conntrack_protocol *ip_ct_protos[MAX_IP_CT_PROTO];
56
57/* Protocol registration. */ 64/* Protocol registration. */
58extern int ip_conntrack_protocol_register(struct ip_conntrack_protocol *proto); 65extern int ip_conntrack_protocol_register(struct ip_conntrack_protocol *proto);
59extern void ip_conntrack_protocol_unregister(struct ip_conntrack_protocol *proto); 66extern void ip_conntrack_protocol_unregister(struct ip_conntrack_protocol *proto);
60
61static inline struct ip_conntrack_protocol *ip_ct_find_proto(u_int8_t protocol)
62{
63 return ip_ct_protos[protocol];
64}
65
66/* Existing built-in protocols */ 67/* Existing built-in protocols */
67extern struct ip_conntrack_protocol ip_conntrack_protocol_tcp; 68extern struct ip_conntrack_protocol ip_conntrack_protocol_tcp;
68extern struct ip_conntrack_protocol ip_conntrack_protocol_udp; 69extern struct ip_conntrack_protocol ip_conntrack_protocol_udp;
@@ -73,6 +74,11 @@ extern int ip_conntrack_protocol_tcp_init(void);
73/* Log invalid packets */ 74/* Log invalid packets */
74extern unsigned int ip_ct_log_invalid; 75extern unsigned int ip_ct_log_invalid;
75 76
77extern int ip_ct_port_tuple_to_nfattr(struct sk_buff *,
78 const struct ip_conntrack_tuple *);
79extern int ip_ct_port_nfattr_to_tuple(struct nfattr *tb[],
80 struct ip_conntrack_tuple *);
81
76#ifdef CONFIG_SYSCTL 82#ifdef CONFIG_SYSCTL
77#ifdef DEBUG_INVALID_PACKETS 83#ifdef DEBUG_INVALID_PACKETS
78#define LOG_INVALID(proto) \ 84#define LOG_INVALID(proto) \
diff --git a/include/linux/netfilter_ipv4/ip_nat_protocol.h b/include/linux/netfilter_ipv4/ip_nat_protocol.h
index 129708c22386..ef63aa991a06 100644
--- a/include/linux/netfilter_ipv4/ip_nat_protocol.h
+++ b/include/linux/netfilter_ipv4/ip_nat_protocol.h
@@ -4,6 +4,9 @@
4#include <linux/init.h> 4#include <linux/init.h>
5#include <linux/list.h> 5#include <linux/list.h>
6 6
7#include <linux/netfilter_ipv4/ip_nat.h>
8#include <linux/netfilter/nfnetlink_conntrack.h>
9
7struct iphdr; 10struct iphdr;
8struct ip_nat_range; 11struct ip_nat_range;
9 12
@@ -15,6 +18,8 @@ struct ip_nat_protocol
15 /* Protocol number. */ 18 /* Protocol number. */
16 unsigned int protonum; 19 unsigned int protonum;
17 20
21 struct module *me;
22
18 /* Translate a packet to the target according to manip type. 23 /* Translate a packet to the target according to manip type.
19 Return true if succeeded. */ 24 Return true if succeeded. */
20 int (*manip_pkt)(struct sk_buff **pskb, 25 int (*manip_pkt)(struct sk_buff **pskb,
@@ -43,19 +48,20 @@ struct ip_nat_protocol
43 48
44 unsigned int (*print_range)(char *buffer, 49 unsigned int (*print_range)(char *buffer,
45 const struct ip_nat_range *range); 50 const struct ip_nat_range *range);
46};
47 51
48#define MAX_IP_NAT_PROTO 256 52 int (*range_to_nfattr)(struct sk_buff *skb,
49extern struct ip_nat_protocol *ip_nat_protos[MAX_IP_NAT_PROTO]; 53 const struct ip_nat_range *range);
54
55 int (*nfattr_to_range)(struct nfattr *tb[],
56 struct ip_nat_range *range);
57};
50 58
51/* Protocol registration. */ 59/* Protocol registration. */
52extern int ip_nat_protocol_register(struct ip_nat_protocol *proto); 60extern int ip_nat_protocol_register(struct ip_nat_protocol *proto);
53extern void ip_nat_protocol_unregister(struct ip_nat_protocol *proto); 61extern void ip_nat_protocol_unregister(struct ip_nat_protocol *proto);
54 62
55static inline struct ip_nat_protocol *ip_nat_find_proto(u_int8_t protocol) 63extern struct ip_nat_protocol *ip_nat_proto_find_get(u_int8_t protocol);
56{ 64extern void ip_nat_proto_put(struct ip_nat_protocol *proto);
57 return ip_nat_protos[protocol];
58}
59 65
60/* Built-in protocols. */ 66/* Built-in protocols. */
61extern struct ip_nat_protocol ip_nat_protocol_tcp; 67extern struct ip_nat_protocol ip_nat_protocol_tcp;
@@ -67,4 +73,9 @@ extern int init_protocols(void) __init;
67extern void cleanup_protocols(void); 73extern void cleanup_protocols(void);
68extern struct ip_nat_protocol *find_nat_proto(u_int16_t protonum); 74extern struct ip_nat_protocol *find_nat_proto(u_int16_t protonum);
69 75
76extern int ip_nat_port_range_to_nfattr(struct sk_buff *skb,
77 const struct ip_nat_range *range);
78extern int ip_nat_port_nfattr_to_range(struct nfattr *tb[],
79 struct ip_nat_range *range);
80
70#endif /*_IP_NAT_PROTO_H*/ 81#endif /*_IP_NAT_PROTO_H*/
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig
index ff3393eba924..e47ba39eb657 100644
--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -702,5 +702,12 @@ config IP_NF_ARP_MANGLE
702 Allows altering the ARP packet payload: source and destination 702 Allows altering the ARP packet payload: source and destination
703 hardware and network addresses. 703 hardware and network addresses.
704 704
705config IP_NF_CONNTRACK_NETLINK
706 tristate 'Connection tracking netlink interface'
707 depends on IP_NF_CONNTRACK && NETFILTER_NETLINK
708 help
709 This option enables support for a netlink-based userspace interface
710
711
705endmenu 712endmenu
706 713
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile
index 45796d5924dd..abf2a7d1a584 100644
--- a/net/ipv4/netfilter/Makefile
+++ b/net/ipv4/netfilter/Makefile
@@ -9,6 +9,10 @@ iptable_nat-objs := ip_nat_standalone.o ip_nat_rule.o ip_nat_core.o ip_nat_helpe
9# connection tracking 9# connection tracking
10obj-$(CONFIG_IP_NF_CONNTRACK) += ip_conntrack.o 10obj-$(CONFIG_IP_NF_CONNTRACK) += ip_conntrack.o
11 11
12# conntrack netlink interface
13obj-$(CONFIG_IP_NF_CONNTRACK_NETLINK) += ip_conntrack_netlink.o
14
15
12# SCTP protocol connection tracking 16# SCTP protocol connection tracking
13obj-$(CONFIG_IP_NF_CT_PROTO_SCTP) += ip_conntrack_proto_sctp.o 17obj-$(CONFIG_IP_NF_CT_PROTO_SCTP) += ip_conntrack_proto_sctp.o
14 18
diff --git a/net/ipv4/netfilter/ip_conntrack_core.c b/net/ipv4/netfilter/ip_conntrack_core.c
index caf89deae116..d9fddae8d787 100644
--- a/net/ipv4/netfilter/ip_conntrack_core.c
+++ b/net/ipv4/netfilter/ip_conntrack_core.c
@@ -50,7 +50,7 @@
50#include <linux/netfilter_ipv4/ip_conntrack_core.h> 50#include <linux/netfilter_ipv4/ip_conntrack_core.h>
51#include <linux/netfilter_ipv4/listhelp.h> 51#include <linux/netfilter_ipv4/listhelp.h>
52 52
53#define IP_CONNTRACK_VERSION "2.2" 53#define IP_CONNTRACK_VERSION "2.3"
54 54
55#if 0 55#if 0
56#define DEBUGP printk 56#define DEBUGP printk
@@ -77,6 +77,8 @@ unsigned int ip_ct_log_invalid;
77static LIST_HEAD(unconfirmed); 77static LIST_HEAD(unconfirmed);
78static int ip_conntrack_vmalloc; 78static int ip_conntrack_vmalloc;
79 79
80static unsigned int ip_conntrack_next_id = 1;
81static unsigned int ip_conntrack_expect_next_id = 1;
80#ifdef CONFIG_IP_NF_CONNTRACK_EVENTS 82#ifdef CONFIG_IP_NF_CONNTRACK_EVENTS
81struct notifier_block *ip_conntrack_chain; 83struct notifier_block *ip_conntrack_chain;
82struct notifier_block *ip_conntrack_expect_chain; 84struct notifier_block *ip_conntrack_expect_chain;
@@ -154,13 +156,6 @@ void ip_conntrack_event_cache_init(const struct sk_buff *skb)
154 156
155DEFINE_PER_CPU(struct ip_conntrack_stat, ip_conntrack_stat); 157DEFINE_PER_CPU(struct ip_conntrack_stat, ip_conntrack_stat);
156 158
157void
158ip_conntrack_put(struct ip_conntrack *ct)
159{
160 IP_NF_ASSERT(ct);
161 nf_conntrack_put(&ct->ct_general);
162}
163
164static int ip_conntrack_hash_rnd_initted; 159static int ip_conntrack_hash_rnd_initted;
165static unsigned int ip_conntrack_hash_rnd; 160static unsigned int ip_conntrack_hash_rnd;
166 161
@@ -222,6 +217,12 @@ static void unlink_expect(struct ip_conntrack_expect *exp)
222 exp->master->expecting--; 217 exp->master->expecting--;
223} 218}
224 219
220void __ip_ct_expect_unlink_destroy(struct ip_conntrack_expect *exp)
221{
222 unlink_expect(exp);
223 ip_conntrack_expect_put(exp);
224}
225
225static void expectation_timed_out(unsigned long ul_expect) 226static void expectation_timed_out(unsigned long ul_expect)
226{ 227{
227 struct ip_conntrack_expect *exp = (void *)ul_expect; 228 struct ip_conntrack_expect *exp = (void *)ul_expect;
@@ -232,6 +233,33 @@ static void expectation_timed_out(unsigned long ul_expect)
232 ip_conntrack_expect_put(exp); 233 ip_conntrack_expect_put(exp);
233} 234}
234 235
236struct ip_conntrack_expect *
237__ip_conntrack_expect_find(const struct ip_conntrack_tuple *tuple)
238{
239 struct ip_conntrack_expect *i;
240
241 list_for_each_entry(i, &ip_conntrack_expect_list, list) {
242 if (ip_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask)) {
243 atomic_inc(&i->use);
244 return i;
245 }
246 }
247 return NULL;
248}
249
250/* Just find a expectation corresponding to a tuple. */
251struct ip_conntrack_expect *
252ip_conntrack_expect_find_get(const struct ip_conntrack_tuple *tuple)
253{
254 struct ip_conntrack_expect *i;
255
256 read_lock_bh(&ip_conntrack_lock);
257 i = __ip_conntrack_expect_find(tuple);
258 read_unlock_bh(&ip_conntrack_lock);
259
260 return i;
261}
262
235/* If an expectation for this connection is found, it gets delete from 263/* If an expectation for this connection is found, it gets delete from
236 * global list then returned. */ 264 * global list then returned. */
237static struct ip_conntrack_expect * 265static struct ip_conntrack_expect *
@@ -256,7 +284,7 @@ find_expectation(const struct ip_conntrack_tuple *tuple)
256} 284}
257 285
258/* delete all expectations for this conntrack */ 286/* delete all expectations for this conntrack */
259static void remove_expectations(struct ip_conntrack *ct) 287void ip_ct_remove_expectations(struct ip_conntrack *ct)
260{ 288{
261 struct ip_conntrack_expect *i, *tmp; 289 struct ip_conntrack_expect *i, *tmp;
262 290
@@ -286,7 +314,7 @@ clean_from_lists(struct ip_conntrack *ct)
286 LIST_DELETE(&ip_conntrack_hash[hr], &ct->tuplehash[IP_CT_DIR_REPLY]); 314 LIST_DELETE(&ip_conntrack_hash[hr], &ct->tuplehash[IP_CT_DIR_REPLY]);
287 315
288 /* Destroy all pending expectations */ 316 /* Destroy all pending expectations */
289 remove_expectations(ct); 317 ip_ct_remove_expectations(ct);
290} 318}
291 319
292static void 320static void
@@ -304,7 +332,7 @@ destroy_conntrack(struct nf_conntrack *nfct)
304 /* To make sure we don't get any weird locking issues here: 332 /* To make sure we don't get any weird locking issues here:
305 * destroy_conntrack() MUST NOT be called with a write lock 333 * destroy_conntrack() MUST NOT be called with a write lock
306 * to ip_conntrack_lock!!! -HW */ 334 * to ip_conntrack_lock!!! -HW */
307 proto = ip_ct_find_proto(ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.protonum); 335 proto = __ip_conntrack_proto_find(ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.protonum);
308 if (proto && proto->destroy) 336 if (proto && proto->destroy)
309 proto->destroy(ct); 337 proto->destroy(ct);
310 338
@@ -316,7 +344,7 @@ destroy_conntrack(struct nf_conntrack *nfct)
316 * except TFTP can create an expectation on the first packet, 344 * except TFTP can create an expectation on the first packet,
317 * before connection is in the list, so we need to clean here, 345 * before connection is in the list, so we need to clean here,
318 * too. */ 346 * too. */
319 remove_expectations(ct); 347 ip_ct_remove_expectations(ct);
320 348
321 /* We overload first tuple to link into unconfirmed list. */ 349 /* We overload first tuple to link into unconfirmed list. */
322 if (!is_confirmed(ct)) { 350 if (!is_confirmed(ct)) {
@@ -331,8 +359,7 @@ destroy_conntrack(struct nf_conntrack *nfct)
331 ip_conntrack_put(ct->master); 359 ip_conntrack_put(ct->master);
332 360
333 DEBUGP("destroy_conntrack: returning ct=%p to slab\n", ct); 361 DEBUGP("destroy_conntrack: returning ct=%p to slab\n", ct);
334 kmem_cache_free(ip_conntrack_cachep, ct); 362 ip_conntrack_free(ct);
335 atomic_dec(&ip_conntrack_count);
336} 363}
337 364
338static void death_by_timeout(unsigned long ul_conntrack) 365static void death_by_timeout(unsigned long ul_conntrack)
@@ -359,7 +386,7 @@ conntrack_tuple_cmp(const struct ip_conntrack_tuple_hash *i,
359 && ip_ct_tuple_equal(tuple, &i->tuple); 386 && ip_ct_tuple_equal(tuple, &i->tuple);
360} 387}
361 388
362static struct ip_conntrack_tuple_hash * 389struct ip_conntrack_tuple_hash *
363__ip_conntrack_find(const struct ip_conntrack_tuple *tuple, 390__ip_conntrack_find(const struct ip_conntrack_tuple *tuple,
364 const struct ip_conntrack *ignored_conntrack) 391 const struct ip_conntrack *ignored_conntrack)
365{ 392{
@@ -394,6 +421,29 @@ ip_conntrack_find_get(const struct ip_conntrack_tuple *tuple,
394 return h; 421 return h;
395} 422}
396 423
424static void __ip_conntrack_hash_insert(struct ip_conntrack *ct,
425 unsigned int hash,
426 unsigned int repl_hash)
427{
428 ct->id = ++ip_conntrack_next_id;
429 list_prepend(&ip_conntrack_hash[hash],
430 &ct->tuplehash[IP_CT_DIR_ORIGINAL].list);
431 list_prepend(&ip_conntrack_hash[repl_hash],
432 &ct->tuplehash[IP_CT_DIR_REPLY].list);
433}
434
435void ip_conntrack_hash_insert(struct ip_conntrack *ct)
436{
437 unsigned int hash, repl_hash;
438
439 hash = hash_conntrack(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
440 repl_hash = hash_conntrack(&ct->tuplehash[IP_CT_DIR_REPLY].tuple);
441
442 write_lock_bh(&ip_conntrack_lock);
443 __ip_conntrack_hash_insert(ct, hash, repl_hash);
444 write_unlock_bh(&ip_conntrack_lock);
445}
446
397/* Confirm a connection given skb; places it in hash table */ 447/* Confirm a connection given skb; places it in hash table */
398int 448int
399__ip_conntrack_confirm(struct sk_buff **pskb) 449__ip_conntrack_confirm(struct sk_buff **pskb)
@@ -440,10 +490,7 @@ __ip_conntrack_confirm(struct sk_buff **pskb)
440 /* Remove from unconfirmed list */ 490 /* Remove from unconfirmed list */
441 list_del(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list); 491 list_del(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list);
442 492
443 list_prepend(&ip_conntrack_hash[hash], 493 __ip_conntrack_hash_insert(ct, hash, repl_hash);
444 &ct->tuplehash[IP_CT_DIR_ORIGINAL]);
445 list_prepend(&ip_conntrack_hash[repl_hash],
446 &ct->tuplehash[IP_CT_DIR_REPLY]);
447 /* Timer relative to confirmation time, not original 494 /* Timer relative to confirmation time, not original
448 setting time, otherwise we'd get timer wrap in 495 setting time, otherwise we'd get timer wrap in
449 weird delay cases. */ 496 weird delay cases. */
@@ -527,34 +574,84 @@ static inline int helper_cmp(const struct ip_conntrack_helper *i,
527 return ip_ct_tuple_mask_cmp(rtuple, &i->tuple, &i->mask); 574 return ip_ct_tuple_mask_cmp(rtuple, &i->tuple, &i->mask);
528} 575}
529 576
530static struct ip_conntrack_helper *ip_ct_find_helper(const struct ip_conntrack_tuple *tuple) 577static struct ip_conntrack_helper *
578__ip_conntrack_helper_find( const struct ip_conntrack_tuple *tuple)
531{ 579{
532 return LIST_FIND(&helpers, helper_cmp, 580 return LIST_FIND(&helpers, helper_cmp,
533 struct ip_conntrack_helper *, 581 struct ip_conntrack_helper *,
534 tuple); 582 tuple);
535} 583}
536 584
537/* Allocate a new conntrack: we return -ENOMEM if classification 585struct ip_conntrack_helper *
538 failed due to stress. Otherwise it really is unclassifiable. */ 586ip_conntrack_helper_find_get( const struct ip_conntrack_tuple *tuple)
539static struct ip_conntrack_tuple_hash * 587{
540init_conntrack(const struct ip_conntrack_tuple *tuple, 588 struct ip_conntrack_helper *helper;
541 struct ip_conntrack_protocol *protocol, 589
542 struct sk_buff *skb) 590 /* need ip_conntrack_lock to assure that helper exists until
591 * try_module_get() is called */
592 read_lock_bh(&ip_conntrack_lock);
593
594 helper = __ip_conntrack_helper_find(tuple);
595 if (helper) {
596 /* need to increase module usage count to assure helper will
597 * not go away while the caller is e.g. busy putting a
598 * conntrack in the hash that uses the helper */
599 if (!try_module_get(helper->me))
600 helper = NULL;
601 }
602
603 read_unlock_bh(&ip_conntrack_lock);
604
605 return helper;
606}
607
608void ip_conntrack_helper_put(struct ip_conntrack_helper *helper)
609{
610 module_put(helper->me);
611}
612
613struct ip_conntrack_protocol *
614__ip_conntrack_proto_find(u_int8_t protocol)
615{
616 return ip_ct_protos[protocol];
617}
618
619/* this is guaranteed to always return a valid protocol helper, since
620 * it falls back to generic_protocol */
621struct ip_conntrack_protocol *
622ip_conntrack_proto_find_get(u_int8_t protocol)
623{
624 struct ip_conntrack_protocol *p;
625
626 preempt_disable();
627 p = __ip_conntrack_proto_find(protocol);
628 if (p) {
629 if (!try_module_get(p->me))
630 p = &ip_conntrack_generic_protocol;
631 }
632 preempt_enable();
633
634 return p;
635}
636
637void ip_conntrack_proto_put(struct ip_conntrack_protocol *p)
638{
639 module_put(p->me);
640}
641
642struct ip_conntrack *ip_conntrack_alloc(struct ip_conntrack_tuple *orig,
643 struct ip_conntrack_tuple *repl)
543{ 644{
544 struct ip_conntrack *conntrack; 645 struct ip_conntrack *conntrack;
545 struct ip_conntrack_tuple repl_tuple;
546 size_t hash;
547 struct ip_conntrack_expect *exp;
548 646
549 if (!ip_conntrack_hash_rnd_initted) { 647 if (!ip_conntrack_hash_rnd_initted) {
550 get_random_bytes(&ip_conntrack_hash_rnd, 4); 648 get_random_bytes(&ip_conntrack_hash_rnd, 4);
551 ip_conntrack_hash_rnd_initted = 1; 649 ip_conntrack_hash_rnd_initted = 1;
552 } 650 }
553 651
554 hash = hash_conntrack(tuple);
555
556 if (ip_conntrack_max 652 if (ip_conntrack_max
557 && atomic_read(&ip_conntrack_count) >= ip_conntrack_max) { 653 && atomic_read(&ip_conntrack_count) >= ip_conntrack_max) {
654 unsigned int hash = hash_conntrack(orig);
558 /* Try dropping from this hash chain. */ 655 /* Try dropping from this hash chain. */
559 if (!early_drop(&ip_conntrack_hash[hash])) { 656 if (!early_drop(&ip_conntrack_hash[hash])) {
560 if (net_ratelimit()) 657 if (net_ratelimit())
@@ -565,31 +662,58 @@ init_conntrack(const struct ip_conntrack_tuple *tuple,
565 } 662 }
566 } 663 }
567 664
568 if (!ip_ct_invert_tuple(&repl_tuple, tuple, protocol)) {
569 DEBUGP("Can't invert tuple.\n");
570 return NULL;
571 }
572
573 conntrack = kmem_cache_alloc(ip_conntrack_cachep, GFP_ATOMIC); 665 conntrack = kmem_cache_alloc(ip_conntrack_cachep, GFP_ATOMIC);
574 if (!conntrack) { 666 if (!conntrack) {
575 DEBUGP("Can't allocate conntrack.\n"); 667 DEBUGP("Can't allocate conntrack.\n");
576 return ERR_PTR(-ENOMEM); 668 return NULL;
577 } 669 }
578 670
579 memset(conntrack, 0, sizeof(*conntrack)); 671 memset(conntrack, 0, sizeof(*conntrack));
580 atomic_set(&conntrack->ct_general.use, 1); 672 atomic_set(&conntrack->ct_general.use, 1);
581 conntrack->ct_general.destroy = destroy_conntrack; 673 conntrack->ct_general.destroy = destroy_conntrack;
582 conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple = *tuple; 674 conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple = *orig;
583 conntrack->tuplehash[IP_CT_DIR_REPLY].tuple = repl_tuple; 675 conntrack->tuplehash[IP_CT_DIR_REPLY].tuple = *repl;
584 if (!protocol->new(conntrack, skb)) {
585 kmem_cache_free(ip_conntrack_cachep, conntrack);
586 return NULL;
587 }
588 /* Don't set timer yet: wait for confirmation */ 676 /* Don't set timer yet: wait for confirmation */
589 init_timer(&conntrack->timeout); 677 init_timer(&conntrack->timeout);
590 conntrack->timeout.data = (unsigned long)conntrack; 678 conntrack->timeout.data = (unsigned long)conntrack;
591 conntrack->timeout.function = death_by_timeout; 679 conntrack->timeout.function = death_by_timeout;
592 680
681 atomic_inc(&ip_conntrack_count);
682
683 return conntrack;
684}
685
686void
687ip_conntrack_free(struct ip_conntrack *conntrack)
688{
689 atomic_dec(&ip_conntrack_count);
690 kmem_cache_free(ip_conntrack_cachep, conntrack);
691}
692
693/* Allocate a new conntrack: we return -ENOMEM if classification
694 * failed due to stress. Otherwise it really is unclassifiable */
695static struct ip_conntrack_tuple_hash *
696init_conntrack(struct ip_conntrack_tuple *tuple,
697 struct ip_conntrack_protocol *protocol,
698 struct sk_buff *skb)
699{
700 struct ip_conntrack *conntrack;
701 struct ip_conntrack_tuple repl_tuple;
702 struct ip_conntrack_expect *exp;
703
704 if (!ip_ct_invert_tuple(&repl_tuple, tuple, protocol)) {
705 DEBUGP("Can't invert tuple.\n");
706 return NULL;
707 }
708
709 if (!(conntrack = ip_conntrack_alloc(tuple, &repl_tuple)))
710 return NULL;
711
712 if (!protocol->new(conntrack, skb)) {
713 ip_conntrack_free(conntrack);
714 return NULL;
715 }
716
593 write_lock_bh(&ip_conntrack_lock); 717 write_lock_bh(&ip_conntrack_lock);
594 exp = find_expectation(tuple); 718 exp = find_expectation(tuple);
595 719
@@ -610,7 +734,7 @@ init_conntrack(const struct ip_conntrack_tuple *tuple,
610 nf_conntrack_get(&conntrack->master->ct_general); 734 nf_conntrack_get(&conntrack->master->ct_general);
611 CONNTRACK_STAT_INC(expect_new); 735 CONNTRACK_STAT_INC(expect_new);
612 } else { 736 } else {
613 conntrack->helper = ip_ct_find_helper(&repl_tuple); 737 conntrack->helper = __ip_conntrack_helper_find(&repl_tuple);
614 738
615 CONNTRACK_STAT_INC(new); 739 CONNTRACK_STAT_INC(new);
616 } 740 }
@@ -618,7 +742,6 @@ init_conntrack(const struct ip_conntrack_tuple *tuple,
618 /* Overload tuple linked list to put us in unconfirmed list. */ 742 /* Overload tuple linked list to put us in unconfirmed list. */
619 list_add(&conntrack->tuplehash[IP_CT_DIR_ORIGINAL].list, &unconfirmed); 743 list_add(&conntrack->tuplehash[IP_CT_DIR_ORIGINAL].list, &unconfirmed);
620 744
621 atomic_inc(&ip_conntrack_count);
622 write_unlock_bh(&ip_conntrack_lock); 745 write_unlock_bh(&ip_conntrack_lock);
623 746
624 if (exp) { 747 if (exp) {
@@ -729,7 +852,7 @@ unsigned int ip_conntrack_in(unsigned int hooknum,
729 } 852 }
730#endif 853#endif
731 854
732 proto = ip_ct_find_proto((*pskb)->nh.iph->protocol); 855 proto = __ip_conntrack_proto_find((*pskb)->nh.iph->protocol);
733 856
734 /* It may be an special packet, error, unclean... 857 /* It may be an special packet, error, unclean...
735 * inverse of the return code tells to the netfilter 858 * inverse of the return code tells to the netfilter
@@ -777,7 +900,7 @@ int invert_tuplepr(struct ip_conntrack_tuple *inverse,
777 const struct ip_conntrack_tuple *orig) 900 const struct ip_conntrack_tuple *orig)
778{ 901{
779 return ip_ct_invert_tuple(inverse, orig, 902 return ip_ct_invert_tuple(inverse, orig,
780 ip_ct_find_proto(orig->dst.protonum)); 903 __ip_conntrack_proto_find(orig->dst.protonum));
781} 904}
782 905
783/* Would two expected things clash? */ 906/* Would two expected things clash? */
@@ -857,6 +980,8 @@ static void ip_conntrack_expect_insert(struct ip_conntrack_expect *exp)
857 exp->timeout.expires = jiffies + exp->master->helper->timeout * HZ; 980 exp->timeout.expires = jiffies + exp->master->helper->timeout * HZ;
858 add_timer(&exp->timeout); 981 add_timer(&exp->timeout);
859 982
983 exp->id = ++ip_conntrack_expect_next_id;
984 atomic_inc(&exp->use);
860 CONNTRACK_STAT_INC(expect_create); 985 CONNTRACK_STAT_INC(expect_create);
861} 986}
862 987
@@ -936,7 +1061,7 @@ void ip_conntrack_alter_reply(struct ip_conntrack *conntrack,
936 1061
937 conntrack->tuplehash[IP_CT_DIR_REPLY].tuple = *newreply; 1062 conntrack->tuplehash[IP_CT_DIR_REPLY].tuple = *newreply;
938 if (!conntrack->master && conntrack->expecting == 0) 1063 if (!conntrack->master && conntrack->expecting == 0)
939 conntrack->helper = ip_ct_find_helper(newreply); 1064 conntrack->helper = __ip_conntrack_helper_find(newreply);
940 write_unlock_bh(&ip_conntrack_lock); 1065 write_unlock_bh(&ip_conntrack_lock);
941} 1066}
942 1067
@@ -950,6 +1075,19 @@ int ip_conntrack_helper_register(struct ip_conntrack_helper *me)
950 return 0; 1075 return 0;
951} 1076}
952 1077
1078struct ip_conntrack_helper *
1079__ip_conntrack_helper_find_byname(const char *name)
1080{
1081 struct ip_conntrack_helper *h;
1082
1083 list_for_each_entry(h, &helpers, list) {
1084 if (!strcmp(h->name, name))
1085 return h;
1086 }
1087
1088 return NULL;
1089}
1090
953static inline int unhelp(struct ip_conntrack_tuple_hash *i, 1091static inline int unhelp(struct ip_conntrack_tuple_hash *i,
954 const struct ip_conntrack_helper *me) 1092 const struct ip_conntrack_helper *me)
955{ 1093{
@@ -1025,6 +1163,39 @@ void ip_ct_refresh_acct(struct ip_conntrack *ct,
1025 } 1163 }
1026} 1164}
1027 1165
1166#if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \
1167 defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE)
1168/* Generic function for tcp/udp/sctp/dccp and alike. This needs to be
1169 * in ip_conntrack_core, since we don't want the protocols to autoload
1170 * or depend on ctnetlink */
1171int ip_ct_port_tuple_to_nfattr(struct sk_buff *skb,
1172 const struct ip_conntrack_tuple *tuple)
1173{
1174 NFA_PUT(skb, CTA_PROTO_SRC_PORT, sizeof(u_int16_t),
1175 &tuple->src.u.tcp.port);
1176 NFA_PUT(skb, CTA_PROTO_DST_PORT, sizeof(u_int16_t),
1177 &tuple->dst.u.tcp.port);
1178 return 0;
1179
1180nfattr_failure:
1181 return -1;
1182}
1183
1184int ip_ct_port_nfattr_to_tuple(struct nfattr *tb[],
1185 struct ip_conntrack_tuple *t)
1186{
1187 if (!tb[CTA_PROTO_SRC_PORT-1] || !tb[CTA_PROTO_DST_PORT-1])
1188 return -EINVAL;
1189
1190 t->src.u.tcp.port =
1191 *(u_int16_t *)NFA_DATA(tb[CTA_PROTO_SRC_PORT-1]);
1192 t->dst.u.tcp.port =
1193 *(u_int16_t *)NFA_DATA(tb[CTA_PROTO_DST_PORT-1]);
1194
1195 return 0;
1196}
1197#endif
1198
1028/* Returns new sk_buff, or NULL */ 1199/* Returns new sk_buff, or NULL */
1029struct sk_buff * 1200struct sk_buff *
1030ip_ct_gather_frags(struct sk_buff *skb, u_int32_t user) 1201ip_ct_gather_frags(struct sk_buff *skb, u_int32_t user)
@@ -1203,16 +1374,13 @@ static void free_conntrack_hash(void)
1203 * ip_conntrack_htable_size)); 1374 * ip_conntrack_htable_size));
1204} 1375}
1205 1376
1206/* Mishearing the voices in his head, our hero wonders how he's 1377void ip_conntrack_flush()
1207 supposed to kill the mall. */
1208void ip_conntrack_cleanup(void)
1209{ 1378{
1210 ip_ct_attach = NULL;
1211 /* This makes sure all current packets have passed through 1379 /* This makes sure all current packets have passed through
1212 netfilter framework. Roll on, two-stage module 1380 netfilter framework. Roll on, two-stage module
1213 delete... */ 1381 delete... */
1214 synchronize_net(); 1382 synchronize_net();
1215 1383
1216 i_see_dead_people: 1384 i_see_dead_people:
1217 ip_ct_iterate_cleanup(kill_all, NULL); 1385 ip_ct_iterate_cleanup(kill_all, NULL);
1218 if (atomic_read(&ip_conntrack_count) != 0) { 1386 if (atomic_read(&ip_conntrack_count) != 0) {
@@ -1222,7 +1390,14 @@ void ip_conntrack_cleanup(void)
1222 /* wait until all references to ip_conntrack_untracked are dropped */ 1390 /* wait until all references to ip_conntrack_untracked are dropped */
1223 while (atomic_read(&ip_conntrack_untracked.ct_general.use) > 1) 1391 while (atomic_read(&ip_conntrack_untracked.ct_general.use) > 1)
1224 schedule(); 1392 schedule();
1393}
1225 1394
1395/* Mishearing the voices in his head, our hero wonders how he's
1396 supposed to kill the mall. */
1397void ip_conntrack_cleanup(void)
1398{
1399 ip_ct_attach = NULL;
1400 ip_conntrack_flush();
1226 kmem_cache_destroy(ip_conntrack_cachep); 1401 kmem_cache_destroy(ip_conntrack_cachep);
1227 kmem_cache_destroy(ip_conntrack_expect_cachep); 1402 kmem_cache_destroy(ip_conntrack_expect_cachep);
1228 free_conntrack_hash(); 1403 free_conntrack_hash();
diff --git a/net/ipv4/netfilter/ip_conntrack_netlink.c b/net/ipv4/netfilter/ip_conntrack_netlink.c
new file mode 100644
index 000000000000..f43ec18c9166
--- /dev/null
+++ b/net/ipv4/netfilter/ip_conntrack_netlink.c
@@ -0,0 +1,1588 @@
1/* Connection tracking via netlink socket. Allows for user space
2 * protocol helpers and general trouble making from userspace.
3 *
4 * (C) 2001 by Jay Schulist <jschlst@samba.org>
5 * (C) 2002-2005 by Harald Welte <laforge@gnumonks.org>
6 * (C) 2003 by Patrick Mchardy <kaber@trash.net>
7 * (C) 2005 by Pablo Neira Ayuso <pablo@eurodev.net>
8 *
9 * I've reworked this stuff to use attributes instead of conntrack
10 * structures. 5.44 am. I need more tea. --pablo 05/07/11.
11 *
12 * Initial connection tracking via netlink development funded and
13 * generally made possible by Network Robots, Inc. (www.networkrobots.com)
14 *
15 * Further development of this code funded by Astaro AG (http://www.astaro.com)
16 *
17 * This software may be used and distributed according to the terms
18 * of the GNU General Public License, incorporated herein by reference.
19 */
20
21#include <linux/init.h>
22#include <linux/module.h>
23#include <linux/kernel.h>
24#include <linux/types.h>
25#include <linux/timer.h>
26#include <linux/skbuff.h>
27#include <linux/errno.h>
28#include <linux/netlink.h>
29#include <linux/spinlock.h>
30#include <linux/notifier.h>
31#include <linux/rtnetlink.h>
32
33#include <linux/netfilter.h>
34#include <linux/netfilter_ipv4.h>
35#include <linux/netfilter_ipv4/ip_tables.h>
36#include <linux/netfilter_ipv4/ip_conntrack.h>
37#include <linux/netfilter_ipv4/ip_conntrack_core.h>
38#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
39#include <linux/netfilter_ipv4/ip_conntrack_protocol.h>
40#include <linux/netfilter_ipv4/ip_nat_protocol.h>
41
42#include <linux/netfilter/nfnetlink.h>
43#include <linux/netfilter/nfnetlink_conntrack.h>
44
45MODULE_LICENSE("GPL");
46
47static char __initdata version[] = "0.90";
48
49#if 0
50#define DEBUGP printk
51#else
52#define DEBUGP(format, args...)
53#endif
54
55
56static inline int
57ctnetlink_dump_tuples_proto(struct sk_buff *skb,
58 const struct ip_conntrack_tuple *tuple)
59{
60 struct ip_conntrack_protocol *proto;
61
62 NFA_PUT(skb, CTA_PROTO_NUM, sizeof(u_int8_t), &tuple->dst.protonum);
63
64 proto = ip_conntrack_proto_find_get(tuple->dst.protonum);
65 if (proto && proto->tuple_to_nfattr)
66 return proto->tuple_to_nfattr(skb, tuple);
67
68 return 0;
69
70nfattr_failure:
71 return -1;
72}
73
74static inline int
75ctnetlink_dump_tuples(struct sk_buff *skb,
76 const struct ip_conntrack_tuple *tuple)
77{
78 struct nfattr *nest_parms;
79
80 nest_parms = NFA_NEST(skb, CTA_TUPLE_IP);
81 NFA_PUT(skb, CTA_IP_V4_SRC, sizeof(u_int32_t), &tuple->src.ip);
82 NFA_PUT(skb, CTA_IP_V4_DST, sizeof(u_int32_t), &tuple->dst.ip);
83 NFA_NEST_END(skb, nest_parms);
84
85 nest_parms = NFA_NEST(skb, CTA_TUPLE_PROTO);
86 ctnetlink_dump_tuples_proto(skb, tuple);
87 NFA_NEST_END(skb, nest_parms);
88
89 return 0;
90
91nfattr_failure:
92 return -1;
93}
94
95static inline int
96ctnetlink_dump_status(struct sk_buff *skb, const struct ip_conntrack *ct)
97{
98 u_int32_t status = htonl((u_int32_t) ct->status);
99 NFA_PUT(skb, CTA_STATUS, sizeof(status), &status);
100 return 0;
101
102nfattr_failure:
103 return -1;
104}
105
106static inline int
107ctnetlink_dump_timeout(struct sk_buff *skb, const struct ip_conntrack *ct)
108{
109 long timeout_l = ct->timeout.expires - jiffies;
110 u_int32_t timeout;
111
112 if (timeout_l < 0)
113 timeout = 0;
114 else
115 timeout = htonl(timeout_l / HZ);
116
117 NFA_PUT(skb, CTA_TIMEOUT, sizeof(timeout), &timeout);
118 return 0;
119
120nfattr_failure:
121 return -1;
122}
123
124static inline int
125ctnetlink_dump_protoinfo(struct sk_buff *skb, const struct ip_conntrack *ct)
126{
127 struct ip_conntrack_protocol *proto = ip_conntrack_proto_find_get(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum);
128
129 struct nfattr *nest_proto;
130 int ret;
131
132 if (!proto || !proto->to_nfattr)
133 return 0;
134
135 nest_proto = NFA_NEST(skb, CTA_PROTOINFO);
136
137 ret = proto->to_nfattr(skb, nest_proto, ct);
138
139 ip_conntrack_proto_put(proto);
140
141 NFA_NEST_END(skb, nest_proto);
142
143 return ret;
144
145nfattr_failure:
146 return -1;
147}
148
149static inline int
150ctnetlink_dump_helpinfo(struct sk_buff *skb, const struct ip_conntrack *ct)
151{
152 struct nfattr *nest_helper;
153
154 if (!ct->helper)
155 return 0;
156
157 nest_helper = NFA_NEST(skb, CTA_HELP);
158 NFA_PUT(skb, CTA_HELP_NAME, CTA_HELP_MAXNAMESIZE, &ct->helper->name);
159
160 if (ct->helper->to_nfattr)
161 ct->helper->to_nfattr(skb, ct);
162
163 NFA_NEST_END(skb, nest_helper);
164
165 return 0;
166
167nfattr_failure:
168 return -1;
169}
170
171#ifdef CONFIG_IP_NF_CT_ACCT
172static inline int
173ctnetlink_dump_counters(struct sk_buff *skb, const struct ip_conntrack *ct,
174 enum ip_conntrack_dir dir)
175{
176 enum ctattr_type type = dir ? CTA_COUNTERS_REPLY: CTA_COUNTERS_ORIG;
177 struct nfattr *nest_count = NFA_NEST(skb, type);
178 u_int64_t tmp;
179
180 tmp = cpu_to_be64(ct->counters[dir].packets);
181 NFA_PUT(skb, CTA_COUNTERS_PACKETS, sizeof(u_int64_t), &tmp);
182
183 tmp = cpu_to_be64(ct->counters[dir].bytes);
184 NFA_PUT(skb, CTA_COUNTERS_BYTES, sizeof(u_int64_t), &tmp);
185
186 NFA_NEST_END(skb, nest_count);
187
188 return 0;
189
190nfattr_failure:
191 return -1;
192}
193#else
194#define ctnetlink_dump_counters(a, b, c) (0)
195#endif
196
197#ifdef CONFIG_IP_NF_CONNTRACK_MARK
198static inline int
199ctnetlink_dump_mark(struct sk_buff *skb, const struct ip_conntrack *ct)
200{
201 u_int32_t mark = htonl(ct->mark);
202
203 NFA_PUT(skb, CTA_MARK, sizeof(u_int32_t), &mark);
204 return 0;
205
206nfattr_failure:
207 return -1;
208}
209#else
210#define ctnetlink_dump_mark(a, b) (0)
211#endif
212
213static inline int
214ctnetlink_dump_id(struct sk_buff *skb, const struct ip_conntrack *ct)
215{
216 u_int32_t id = htonl(ct->id);
217 NFA_PUT(skb, CTA_ID, sizeof(u_int32_t), &id);
218 return 0;
219
220nfattr_failure:
221 return -1;
222}
223
224static inline int
225ctnetlink_dump_use(struct sk_buff *skb, const struct ip_conntrack *ct)
226{
227 unsigned int use = htonl(atomic_read(&ct->ct_general.use));
228
229 NFA_PUT(skb, CTA_USE, sizeof(u_int32_t), &use);
230 return 0;
231
232nfattr_failure:
233 return -1;
234}
235
236#define tuple(ct, dir) (&(ct)->tuplehash[dir].tuple)
237
238static int
239ctnetlink_fill_info(struct sk_buff *skb, u32 pid, u32 seq,
240 int event, int nowait,
241 const struct ip_conntrack *ct)
242{
243 struct nlmsghdr *nlh;
244 struct nfgenmsg *nfmsg;
245 struct nfattr *nest_parms;
246 unsigned char *b;
247
248 b = skb->tail;
249
250 event |= NFNL_SUBSYS_CTNETLINK << 8;
251 nlh = NLMSG_PUT(skb, pid, seq, event, sizeof(struct nfgenmsg));
252 nfmsg = NLMSG_DATA(nlh);
253
254 nlh->nlmsg_flags = (nowait && pid) ? NLM_F_MULTI : 0;
255 nfmsg->nfgen_family = AF_INET;
256 nfmsg->version = NFNETLINK_V0;
257 nfmsg->res_id = 0;
258
259 nest_parms = NFA_NEST(skb, CTA_TUPLE_ORIG);
260 if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
261 goto nfattr_failure;
262 NFA_NEST_END(skb, nest_parms);
263
264 nest_parms = NFA_NEST(skb, CTA_TUPLE_REPLY);
265 if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_REPLY)) < 0)
266 goto nfattr_failure;
267 NFA_NEST_END(skb, nest_parms);
268
269 if (ctnetlink_dump_status(skb, ct) < 0 ||
270 ctnetlink_dump_timeout(skb, ct) < 0 ||
271 ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 ||
272 ctnetlink_dump_counters(skb, ct, IP_CT_DIR_REPLY) < 0 ||
273 ctnetlink_dump_protoinfo(skb, ct) < 0 ||
274 ctnetlink_dump_helpinfo(skb, ct) < 0 ||
275 ctnetlink_dump_mark(skb, ct) < 0 ||
276 ctnetlink_dump_id(skb, ct) < 0 ||
277 ctnetlink_dump_use(skb, ct) < 0)
278 goto nfattr_failure;
279
280 nlh->nlmsg_len = skb->tail - b;
281 return skb->len;
282
283nlmsg_failure:
284nfattr_failure:
285 skb_trim(skb, b - skb->data);
286 return -1;
287}
288
289#ifdef CONFIG_IP_NF_CONNTRACK_EVENTS
290static int ctnetlink_conntrack_event(struct notifier_block *this,
291 unsigned long events, void *ptr)
292{
293 struct nlmsghdr *nlh;
294 struct nfgenmsg *nfmsg;
295 struct nfattr *nest_parms;
296 struct ip_conntrack *ct = (struct ip_conntrack *)ptr;
297 struct sk_buff *skb;
298 unsigned int type;
299 unsigned char *b;
300 unsigned int flags = 0, groups;
301
302 /* ignore our fake conntrack entry */
303 if (ct == &ip_conntrack_untracked)
304 return NOTIFY_DONE;
305
306 if (events & IPCT_DESTROY) {
307 type = IPCTNL_MSG_CT_DELETE;
308 groups = NF_NETLINK_CONNTRACK_DESTROY;
309 goto alloc_skb;
310 }
311 if (events & (IPCT_NEW | IPCT_RELATED)) {
312 type = IPCTNL_MSG_CT_NEW;
313 flags = NLM_F_CREATE|NLM_F_EXCL;
314 /* dump everything */
315 events = ~0UL;
316 groups = NF_NETLINK_CONNTRACK_NEW;
317 goto alloc_skb;
318 }
319 if (events & (IPCT_STATUS |
320 IPCT_PROTOINFO |
321 IPCT_HELPER |
322 IPCT_HELPINFO |
323 IPCT_NATINFO)) {
324 type = IPCTNL_MSG_CT_NEW;
325 groups = NF_NETLINK_CONNTRACK_UPDATE;
326 goto alloc_skb;
327 }
328
329 return NOTIFY_DONE;
330
331alloc_skb:
332 /* FIXME: Check if there are any listeners before, don't hurt performance */
333
334 skb = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
335 if (!skb)
336 return NOTIFY_DONE;
337
338 b = skb->tail;
339
340 type |= NFNL_SUBSYS_CTNETLINK << 8;
341 nlh = NLMSG_PUT(skb, 0, 0, type, sizeof(struct nfgenmsg));
342 nfmsg = NLMSG_DATA(nlh);
343
344 nlh->nlmsg_flags = flags;
345 nfmsg->nfgen_family = AF_INET;
346 nfmsg->version = NFNETLINK_V0;
347 nfmsg->res_id = 0;
348
349 nest_parms = NFA_NEST(skb, CTA_TUPLE_ORIG);
350 if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
351 goto nfattr_failure;
352 NFA_NEST_END(skb, nest_parms);
353
354 nest_parms = NFA_NEST(skb, CTA_TUPLE_REPLY);
355 if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_REPLY)) < 0)
356 goto nfattr_failure;
357 NFA_NEST_END(skb, nest_parms);
358
359 /* NAT stuff is now a status flag */
360 if ((events & IPCT_STATUS || events & IPCT_NATINFO)
361 && ctnetlink_dump_status(skb, ct) < 0)
362 goto nfattr_failure;
363 if (events & IPCT_REFRESH
364 && ctnetlink_dump_timeout(skb, ct) < 0)
365 goto nfattr_failure;
366 if (events & IPCT_PROTOINFO
367 && ctnetlink_dump_protoinfo(skb, ct) < 0)
368 goto nfattr_failure;
369 if (events & IPCT_HELPINFO
370 && ctnetlink_dump_helpinfo(skb, ct) < 0)
371 goto nfattr_failure;
372
373 if (ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 ||
374 ctnetlink_dump_counters(skb, ct, IP_CT_DIR_REPLY) < 0)
375 goto nfattr_failure;
376
377 nlh->nlmsg_len = skb->tail - b;
378 nfnetlink_send(skb, 0, groups, 0);
379 return NOTIFY_DONE;
380
381nlmsg_failure:
382nfattr_failure:
383 kfree_skb(skb);
384 return NOTIFY_DONE;
385}
386#endif /* CONFIG_IP_NF_CONNTRACK_EVENTS */
387
388static int ctnetlink_done(struct netlink_callback *cb)
389{
390 DEBUGP("entered %s\n", __FUNCTION__);
391 return 0;
392}
393
394static int
395ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
396{
397 struct ip_conntrack *ct = NULL;
398 struct ip_conntrack_tuple_hash *h;
399 struct list_head *i;
400 u_int32_t *id = (u_int32_t *) &cb->args[1];
401
402 DEBUGP("entered %s, last bucket=%lu id=%u\n", __FUNCTION__,
403 cb->args[0], *id);
404
405 read_lock_bh(&ip_conntrack_lock);
406 for (; cb->args[0] < ip_conntrack_htable_size; cb->args[0]++, *id = 0) {
407 list_for_each(i, &ip_conntrack_hash[cb->args[0]]) {
408 h = (struct ip_conntrack_tuple_hash *) i;
409 if (DIRECTION(h) != IP_CT_DIR_ORIGINAL)
410 continue;
411 ct = tuplehash_to_ctrack(h);
412 if (ct->id <= *id)
413 continue;
414 if (ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).pid,
415 cb->nlh->nlmsg_seq,
416 IPCTNL_MSG_CT_NEW,
417 1, ct) < 0)
418 goto out;
419 *id = ct->id;
420 }
421 }
422out:
423 read_unlock_bh(&ip_conntrack_lock);
424
425 DEBUGP("leaving, last bucket=%lu id=%u\n", cb->args[0], *id);
426
427 return skb->len;
428}
429
430#ifdef CONFIG_IP_NF_CT_ACCT
431static int
432ctnetlink_dump_table_w(struct sk_buff *skb, struct netlink_callback *cb)
433{
434 struct ip_conntrack *ct = NULL;
435 struct ip_conntrack_tuple_hash *h;
436 struct list_head *i;
437 u_int32_t *id = (u_int32_t *) &cb->args[1];
438
439 DEBUGP("entered %s, last bucket=%u id=%u\n", __FUNCTION__,
440 cb->args[0], *id);
441
442 write_lock_bh(&ip_conntrack_lock);
443 for (; cb->args[0] < ip_conntrack_htable_size; cb->args[0]++, *id = 0) {
444 list_for_each(i, &ip_conntrack_hash[cb->args[0]]) {
445 h = (struct ip_conntrack_tuple_hash *) i;
446 if (DIRECTION(h) != IP_CT_DIR_ORIGINAL)
447 continue;
448 ct = tuplehash_to_ctrack(h);
449 if (ct->id <= *id)
450 continue;
451 if (ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).pid,
452 cb->nlh->nlmsg_seq,
453 IPCTNL_MSG_CT_NEW,
454 1, ct) < 0)
455 goto out;
456 *id = ct->id;
457
458 memset(&ct->counters, 0, sizeof(ct->counters));
459 }
460 }
461out:
462 write_unlock_bh(&ip_conntrack_lock);
463
464 DEBUGP("leaving, last bucket=%lu id=%u\n", cb->args[0], *id);
465
466 return skb->len;
467}
468#endif
469
470static const int cta_min_ip[CTA_IP_MAX] = {
471 [CTA_IP_V4_SRC-1] = sizeof(u_int32_t),
472 [CTA_IP_V4_DST-1] = sizeof(u_int32_t),
473};
474
475static inline int
476ctnetlink_parse_tuple_ip(struct nfattr *attr, struct ip_conntrack_tuple *tuple)
477{
478 struct nfattr *tb[CTA_IP_MAX];
479
480 DEBUGP("entered %s\n", __FUNCTION__);
481
482 memset(tb, 0, CTA_IP_MAX * sizeof(tb));
483
484 if (nfattr_parse_nested(tb, CTA_IP_MAX, attr) < 0)
485 goto nfattr_failure;
486
487 if (nfattr_bad_size(tb, CTA_IP_MAX, cta_min_ip))
488 return -EINVAL;
489
490 if (!tb[CTA_IP_V4_SRC-1])
491 return -EINVAL;
492 tuple->src.ip = *(u_int32_t *)NFA_DATA(tb[CTA_IP_V4_SRC-1]);
493
494 if (!tb[CTA_IP_V4_DST-1])
495 return -EINVAL;
496 tuple->dst.ip = *(u_int32_t *)NFA_DATA(tb[CTA_IP_V4_DST-1]);
497
498 DEBUGP("leaving\n");
499
500 return 0;
501
502nfattr_failure:
503 return -1;
504}
505
506static const int cta_min_proto[CTA_PROTO_MAX] = {
507 [CTA_PROTO_NUM-1] = sizeof(u_int16_t),
508 [CTA_PROTO_SRC_PORT-1] = sizeof(u_int16_t),
509 [CTA_PROTO_DST_PORT-1] = sizeof(u_int16_t),
510 [CTA_PROTO_ICMP_TYPE-1] = sizeof(u_int8_t),
511 [CTA_PROTO_ICMP_CODE-1] = sizeof(u_int8_t),
512 [CTA_PROTO_ICMP_ID-1] = sizeof(u_int16_t),
513};
514
515static inline int
516ctnetlink_parse_tuple_proto(struct nfattr *attr,
517 struct ip_conntrack_tuple *tuple)
518{
519 struct nfattr *tb[CTA_PROTO_MAX];
520 struct ip_conntrack_protocol *proto;
521 int ret = 0;
522
523 DEBUGP("entered %s\n", __FUNCTION__);
524
525 memset(tb, 0, CTA_PROTO_MAX * sizeof(tb));
526
527 if (nfattr_parse_nested(tb, CTA_PROTO_MAX, attr) < 0)
528 goto nfattr_failure;
529
530 if (nfattr_bad_size(tb, CTA_PROTO_MAX, cta_min_proto))
531 return -EINVAL;
532
533 if (!tb[CTA_PROTO_NUM-1])
534 return -EINVAL;
535 tuple->dst.protonum = *(u_int16_t *)NFA_DATA(tb[CTA_PROTO_NUM-1]);
536
537 proto = ip_conntrack_proto_find_get(tuple->dst.protonum);
538
539 if (likely(proto && proto->nfattr_to_tuple)) {
540 ret = proto->nfattr_to_tuple(tb, tuple);
541 ip_conntrack_proto_put(proto);
542 }
543
544 return ret;
545
546nfattr_failure:
547 return -1;
548}
549
550static inline int
551ctnetlink_parse_tuple(struct nfattr *cda[], struct ip_conntrack_tuple *tuple,
552 enum ctattr_tuple type)
553{
554 struct nfattr *tb[CTA_TUPLE_MAX];
555 int err;
556
557 DEBUGP("entered %s\n", __FUNCTION__);
558
559 memset(tb, 0, CTA_TUPLE_MAX * sizeof(tb));
560 memset(tuple, 0, sizeof(*tuple));
561
562 if (nfattr_parse_nested(tb, CTA_TUPLE_MAX, cda[type-1]) < 0)
563 goto nfattr_failure;
564
565 if (!tb[CTA_TUPLE_IP-1])
566 return -EINVAL;
567
568 err = ctnetlink_parse_tuple_ip(tb[CTA_TUPLE_IP-1], tuple);
569 if (err < 0)
570 return err;
571
572 if (!tb[CTA_TUPLE_PROTO-1])
573 return -EINVAL;
574
575 err = ctnetlink_parse_tuple_proto(tb[CTA_TUPLE_PROTO-1], tuple);
576 if (err < 0)
577 return err;
578
579 /* orig and expect tuples get DIR_ORIGINAL */
580 if (type == CTA_TUPLE_REPLY)
581 tuple->dst.dir = IP_CT_DIR_REPLY;
582 else
583 tuple->dst.dir = IP_CT_DIR_ORIGINAL;
584
585 DUMP_TUPLE(tuple);
586
587 DEBUGP("leaving\n");
588
589 return 0;
590
591nfattr_failure:
592 return -1;
593}
594
595#ifdef CONFIG_IP_NF_NAT_NEEDED
596static const int cta_min_protonat[CTA_PROTONAT_MAX] = {
597 [CTA_PROTONAT_PORT_MIN-1] = sizeof(u_int16_t),
598 [CTA_PROTONAT_PORT_MAX-1] = sizeof(u_int16_t),
599};
600
601static int ctnetlink_parse_nat_proto(struct nfattr *attr,
602 const struct ip_conntrack *ct,
603 struct ip_nat_range *range)
604{
605 struct nfattr *tb[CTA_PROTONAT_MAX];
606 struct ip_nat_protocol *npt;
607
608 DEBUGP("entered %s\n", __FUNCTION__);
609
610 memset(tb, 0, CTA_PROTONAT_MAX * sizeof(tb));
611
612 if (nfattr_parse_nested(tb, CTA_PROTONAT_MAX, attr) < 0)
613 goto nfattr_failure;
614
615 if (nfattr_bad_size(tb, CTA_PROTONAT_MAX, cta_min_protonat))
616 goto nfattr_failure;
617
618 npt = ip_nat_proto_find_get(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum);
619 if (!npt)
620 return 0;
621
622 if (!npt->nfattr_to_range) {
623 ip_nat_proto_put(npt);
624 return 0;
625 }
626
627 /* nfattr_to_range returns 1 if it parsed, 0 if not, neg. on error */
628 if (npt->nfattr_to_range(tb, range) > 0)
629 range->flags |= IP_NAT_RANGE_PROTO_SPECIFIED;
630
631 ip_nat_proto_put(npt);
632
633 DEBUGP("leaving\n");
634 return 0;
635
636nfattr_failure:
637 return -1;
638}
639
640static inline int
641ctnetlink_parse_nat(struct nfattr *cda[],
642 const struct ip_conntrack *ct, struct ip_nat_range *range)
643{
644 struct nfattr *tb[CTA_NAT_MAX];
645 int err;
646
647 DEBUGP("entered %s\n", __FUNCTION__);
648
649 memset(tb, 0, CTA_NAT_MAX * sizeof(tb));
650 memset(range, 0, sizeof(*range));
651
652 if (nfattr_parse_nested(tb, CTA_NAT_MAX, cda[CTA_NAT-1]) < 0)
653 goto nfattr_failure;
654
655 if (tb[CTA_NAT_MINIP-1])
656 range->min_ip = *(u_int32_t *)NFA_DATA(tb[CTA_NAT_MINIP-1]);
657
658 if (!tb[CTA_NAT_MAXIP-1])
659 range->max_ip = range->min_ip;
660 else
661 range->max_ip = *(u_int32_t *)NFA_DATA(tb[CTA_NAT_MAXIP-1]);
662
663 if (range->min_ip)
664 range->flags |= IP_NAT_RANGE_MAP_IPS;
665
666 if (!tb[CTA_NAT_PROTO-1])
667 return 0;
668
669 err = ctnetlink_parse_nat_proto(tb[CTA_NAT_PROTO-1], ct, range);
670 if (err < 0)
671 return err;
672
673 DEBUGP("leaving\n");
674 return 0;
675
676nfattr_failure:
677 return -1;
678}
679#endif
680
681static inline int
682ctnetlink_parse_help(struct nfattr *attr, char **helper_name)
683{
684 struct nfattr *tb[CTA_HELP_MAX];
685
686 DEBUGP("entered %s\n", __FUNCTION__);
687 memset(tb, 0, CTA_HELP_MAX * sizeof(tb));
688
689 if (nfattr_parse_nested(tb, CTA_HELP_MAX, attr) < 0)
690 goto nfattr_failure;
691
692 if (!tb[CTA_HELP_NAME-1])
693 return -EINVAL;
694
695 *helper_name = NFA_DATA(tb[CTA_HELP_NAME-1]);
696
697 return 0;
698
699nfattr_failure:
700 return -1;
701}
702
703static int
704ctnetlink_del_conntrack(struct sock *ctnl, struct sk_buff *skb,
705 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
706{
707 struct ip_conntrack_tuple_hash *h;
708 struct ip_conntrack_tuple tuple;
709 struct ip_conntrack *ct;
710 int err = 0;
711
712 DEBUGP("entered %s\n", __FUNCTION__);
713
714 if (cda[CTA_TUPLE_ORIG-1])
715 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG);
716 else if (cda[CTA_TUPLE_REPLY-1])
717 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY);
718 else {
719 /* Flush the whole table */
720 ip_conntrack_flush();
721 return 0;
722 }
723
724 if (err < 0)
725 return err;
726
727 h = ip_conntrack_find_get(&tuple, NULL);
728 if (!h) {
729 DEBUGP("tuple not found in conntrack hash\n");
730 return -ENOENT;
731 }
732
733 ct = tuplehash_to_ctrack(h);
734
735 if (cda[CTA_ID-1]) {
736 u_int32_t id = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_ID-1]));
737 if (ct->id != id) {
738 ip_conntrack_put(ct);
739 return -ENOENT;
740 }
741 }
742 if (del_timer(&ct->timeout)) {
743 ip_conntrack_put(ct);
744 ct->timeout.function((unsigned long)ct);
745 return 0;
746 }
747 ip_conntrack_put(ct);
748 DEBUGP("leaving\n");
749
750 return 0;
751}
752
753static int
754ctnetlink_get_conntrack(struct sock *ctnl, struct sk_buff *skb,
755 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
756{
757 struct ip_conntrack_tuple_hash *h;
758 struct ip_conntrack_tuple tuple;
759 struct ip_conntrack *ct;
760 struct sk_buff *skb2 = NULL;
761 int err = 0;
762
763 DEBUGP("entered %s\n", __FUNCTION__);
764
765 if (nlh->nlmsg_flags & NLM_F_DUMP) {
766 struct nfgenmsg *msg = NLMSG_DATA(nlh);
767 u32 rlen;
768
769 if (msg->nfgen_family != AF_INET)
770 return -EAFNOSUPPORT;
771
772 if (NFNL_MSG_TYPE(nlh->nlmsg_type) ==
773 IPCTNL_MSG_CT_GET_CTRZERO) {
774#ifdef CONFIG_IP_NF_CT_ACCT
775 if ((*errp = netlink_dump_start(ctnl, skb, nlh,
776 ctnetlink_dump_table_w,
777 ctnetlink_done)) != 0)
778 return -EINVAL;
779#else
780 return -ENOTSUPP;
781#endif
782 } else {
783 if ((*errp = netlink_dump_start(ctnl, skb, nlh,
784 ctnetlink_dump_table,
785 ctnetlink_done)) != 0)
786 return -EINVAL;
787 }
788
789 rlen = NLMSG_ALIGN(nlh->nlmsg_len);
790 if (rlen > skb->len)
791 rlen = skb->len;
792 skb_pull(skb, rlen);
793 return 0;
794 }
795
796 if (cda[CTA_TUPLE_ORIG-1])
797 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG);
798 else if (cda[CTA_TUPLE_REPLY-1])
799 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY);
800 else
801 return -EINVAL;
802
803 if (err < 0)
804 return err;
805
806 h = ip_conntrack_find_get(&tuple, NULL);
807 if (!h) {
808 DEBUGP("tuple not found in conntrack hash");
809 return -ENOENT;
810 }
811 DEBUGP("tuple found\n");
812 ct = tuplehash_to_ctrack(h);
813
814 err = -ENOMEM;
815 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
816 if (!skb2) {
817 ip_conntrack_put(ct);
818 return -ENOMEM;
819 }
820 NETLINK_CB(skb2).dst_pid = NETLINK_CB(skb).pid;
821
822 err = ctnetlink_fill_info(skb2, NETLINK_CB(skb).pid, nlh->nlmsg_seq,
823 IPCTNL_MSG_CT_NEW, 1, ct);
824 ip_conntrack_put(ct);
825 if (err <= 0)
826 goto out;
827
828 err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT);
829 if (err < 0)
830 goto out;
831
832 DEBUGP("leaving\n");
833 return 0;
834
835out:
836 if (skb2)
837 kfree_skb(skb2);
838 return -1;
839}
840
841static inline int
842ctnetlink_change_status(struct ip_conntrack *ct, struct nfattr *cda[])
843{
844 unsigned long d, status = *(u_int32_t *)NFA_DATA(cda[CTA_STATUS-1]);
845 d = ct->status ^ status;
846
847 if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING))
848 /* unchangeable */
849 return -EINVAL;
850
851 if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY))
852 /* SEEN_REPLY bit can only be set */
853 return -EINVAL;
854
855
856 if (d & IPS_ASSURED && !(status & IPS_ASSURED))
857 /* ASSURED bit can only be set */
858 return -EINVAL;
859
860 if (cda[CTA_NAT-1]) {
861#ifndef CONFIG_IP_NF_NAT_NEEDED
862 return -EINVAL;
863#else
864 unsigned int hooknum;
865 struct ip_nat_range range;
866
867 if (ctnetlink_parse_nat(cda, ct, &range) < 0)
868 return -EINVAL;
869
870 DEBUGP("NAT: %u.%u.%u.%u-%u.%u.%u.%u:%u-%u\n",
871 NIPQUAD(range.min_ip), NIPQUAD(range.max_ip),
872 htons(range.min.all), htons(range.max.all));
873
874 /* This is tricky but it works. ip_nat_setup_info needs the
875 * hook number as parameter, so let's do the correct
876 * conversion and run away */
877 if (status & IPS_SRC_NAT_DONE)
878 hooknum = NF_IP_POST_ROUTING; /* IP_NAT_MANIP_SRC */
879 else if (status & IPS_DST_NAT_DONE)
880 hooknum = NF_IP_PRE_ROUTING; /* IP_NAT_MANIP_DST */
881 else
882 return -EINVAL; /* Missing NAT flags */
883
884 DEBUGP("NAT status: %lu\n",
885 status & (IPS_NAT_MASK | IPS_NAT_DONE_MASK));
886
887 if (ip_nat_initialized(ct, hooknum))
888 return -EEXIST;
889 ip_nat_setup_info(ct, &range, hooknum);
890
891 DEBUGP("NAT status after setup_info: %lu\n",
892 ct->status & (IPS_NAT_MASK | IPS_NAT_DONE_MASK));
893#endif
894 }
895
896 /* Be careful here, modifying NAT bits can screw up things,
897 * so don't let users modify them directly if they don't pass
898 * ip_nat_range. */
899 ct->status |= status & ~(IPS_NAT_DONE_MASK | IPS_NAT_MASK);
900 return 0;
901}
902
903
904static inline int
905ctnetlink_change_helper(struct ip_conntrack *ct, struct nfattr *cda[])
906{
907 struct ip_conntrack_helper *helper;
908 char *helpname;
909 int err;
910
911 DEBUGP("entered %s\n", __FUNCTION__);
912
913 /* don't change helper of sibling connections */
914 if (ct->master)
915 return -EINVAL;
916
917 err = ctnetlink_parse_help(cda[CTA_HELP-1], &helpname);
918 if (err < 0)
919 return err;
920
921 helper = __ip_conntrack_helper_find_byname(helpname);
922 if (!helper) {
923 if (!strcmp(helpname, ""))
924 helper = NULL;
925 else
926 return -EINVAL;
927 }
928
929 if (ct->helper) {
930 if (!helper) {
931 /* we had a helper before ... */
932 ip_ct_remove_expectations(ct);
933 ct->helper = NULL;
934 } else {
935 /* need to zero data of old helper */
936 memset(&ct->help, 0, sizeof(ct->help));
937 }
938 }
939
940 ct->helper = helper;
941
942 return 0;
943}
944
945static inline int
946ctnetlink_change_timeout(struct ip_conntrack *ct, struct nfattr *cda[])
947{
948 u_int32_t timeout = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_TIMEOUT-1]));
949
950 if (!del_timer(&ct->timeout))
951 return -ETIME;
952
953 ct->timeout.expires = jiffies + timeout * HZ;
954 add_timer(&ct->timeout);
955
956 return 0;
957}
958
959static int
960ctnetlink_change_conntrack(struct ip_conntrack *ct, struct nfattr *cda[])
961{
962 int err;
963
964 DEBUGP("entered %s\n", __FUNCTION__);
965
966 if (cda[CTA_HELP-1]) {
967 err = ctnetlink_change_helper(ct, cda);
968 if (err < 0)
969 return err;
970 }
971
972 if (cda[CTA_TIMEOUT-1]) {
973 err = ctnetlink_change_timeout(ct, cda);
974 if (err < 0)
975 return err;
976 }
977
978 if (cda[CTA_STATUS-1]) {
979 err = ctnetlink_change_status(ct, cda);
980 if (err < 0)
981 return err;
982 }
983
984 DEBUGP("all done\n");
985 return 0;
986}
987
988static int
989ctnetlink_create_conntrack(struct nfattr *cda[],
990 struct ip_conntrack_tuple *otuple,
991 struct ip_conntrack_tuple *rtuple)
992{
993 struct ip_conntrack *ct;
994 int err = -EINVAL;
995
996 DEBUGP("entered %s\n", __FUNCTION__);
997
998 ct = ip_conntrack_alloc(otuple, rtuple);
999 if (ct == NULL || IS_ERR(ct))
1000 return -ENOMEM;
1001
1002 if (!cda[CTA_TIMEOUT-1])
1003 goto err;
1004 ct->timeout.expires = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_TIMEOUT-1]));
1005
1006 ct->timeout.expires = jiffies + ct->timeout.expires * HZ;
1007 ct->status |= IPS_CONFIRMED;
1008
1009 err = ctnetlink_change_status(ct, cda);
1010 if (err < 0)
1011 goto err;
1012
1013 ct->helper = ip_conntrack_helper_find_get(rtuple);
1014
1015 add_timer(&ct->timeout);
1016 ip_conntrack_hash_insert(ct);
1017
1018 if (ct->helper)
1019 ip_conntrack_helper_put(ct->helper);
1020
1021 DEBUGP("conntrack with id %u inserted\n", ct->id);
1022 return 0;
1023
1024err:
1025 ip_conntrack_free(ct);
1026 return err;
1027}
1028
1029static int
1030ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
1031 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
1032{
1033 struct ip_conntrack_tuple otuple, rtuple;
1034 struct ip_conntrack_tuple_hash *h = NULL;
1035 int err = 0;
1036
1037 DEBUGP("entered %s\n", __FUNCTION__);
1038
1039 if (cda[CTA_TUPLE_ORIG-1]) {
1040 err = ctnetlink_parse_tuple(cda, &otuple, CTA_TUPLE_ORIG);
1041 if (err < 0)
1042 return err;
1043 }
1044
1045 if (cda[CTA_TUPLE_REPLY-1]) {
1046 err = ctnetlink_parse_tuple(cda, &rtuple, CTA_TUPLE_REPLY);
1047 if (err < 0)
1048 return err;
1049 }
1050
1051 write_lock_bh(&ip_conntrack_lock);
1052 if (cda[CTA_TUPLE_ORIG-1])
1053 h = __ip_conntrack_find(&otuple, NULL);
1054 else if (cda[CTA_TUPLE_REPLY-1])
1055 h = __ip_conntrack_find(&rtuple, NULL);
1056
1057 if (h == NULL) {
1058 write_unlock_bh(&ip_conntrack_lock);
1059 DEBUGP("no such conntrack, create new\n");
1060 err = -ENOENT;
1061 if (nlh->nlmsg_flags & NLM_F_CREATE)
1062 err = ctnetlink_create_conntrack(cda, &otuple, &rtuple);
1063 goto out_unlock;
1064 } else {
1065 /* we only allow nat config for new conntracks */
1066 if (cda[CTA_NAT-1]) {
1067 err = -EINVAL;
1068 goto out_unlock;
1069 }
1070 }
1071
1072 /* We manipulate the conntrack inside the global conntrack table lock,
1073 * so there's no need to increase the refcount */
1074 DEBUGP("conntrack found\n");
1075 err = -EEXIST;
1076 if (!(nlh->nlmsg_flags & NLM_F_EXCL))
1077 err = ctnetlink_change_conntrack(tuplehash_to_ctrack(h), cda);
1078
1079out_unlock:
1080 write_unlock_bh(&ip_conntrack_lock);
1081 return err;
1082}
1083
1084/***********************************************************************
1085 * EXPECT
1086 ***********************************************************************/
1087
1088static inline int
1089ctnetlink_exp_dump_tuple(struct sk_buff *skb,
1090 const struct ip_conntrack_tuple *tuple,
1091 enum ctattr_expect type)
1092{
1093 struct nfattr *nest_parms = NFA_NEST(skb, type);
1094
1095 if (ctnetlink_dump_tuples(skb, tuple) < 0)
1096 goto nfattr_failure;
1097
1098 NFA_NEST_END(skb, nest_parms);
1099
1100 return 0;
1101
1102nfattr_failure:
1103 return -1;
1104}
1105
1106static inline int
1107ctnetlink_exp_dump_expect(struct sk_buff *skb,
1108 const struct ip_conntrack_expect *exp)
1109{
1110 u_int32_t timeout = htonl((exp->timeout.expires - jiffies) / HZ);
1111 u_int32_t id = htonl(exp->id);
1112 struct nfattr *nest_parms = NFA_NEST(skb, CTA_EXPECT);
1113
1114 if (ctnetlink_exp_dump_tuple(skb, &exp->tuple, CTA_EXPECT_TUPLE) < 0)
1115 goto nfattr_failure;
1116 if (ctnetlink_exp_dump_tuple(skb, &exp->mask, CTA_EXPECT_MASK) < 0)
1117 goto nfattr_failure;
1118
1119 NFA_PUT(skb, CTA_EXPECT_TIMEOUT, sizeof(timeout), &timeout);
1120 NFA_PUT(skb, CTA_EXPECT_ID, sizeof(u_int32_t), &id);
1121 NFA_NEST_END(skb, nest_parms);
1122
1123 return 0;
1124
1125nfattr_failure:
1126 return -1;
1127}
1128
1129static int
1130ctnetlink_exp_fill_info(struct sk_buff *skb, u32 pid, u32 seq,
1131 int event,
1132 int nowait,
1133 const struct ip_conntrack_expect *exp)
1134{
1135 struct nlmsghdr *nlh;
1136 struct nfgenmsg *nfmsg;
1137 unsigned char *b;
1138
1139 b = skb->tail;
1140
1141 event |= NFNL_SUBSYS_CTNETLINK_EXP << 8;
1142 nlh = NLMSG_PUT(skb, pid, seq, event, sizeof(struct nfgenmsg));
1143 nfmsg = NLMSG_DATA(nlh);
1144
1145 nlh->nlmsg_flags = (nowait && pid) ? NLM_F_MULTI : 0;
1146 nfmsg->nfgen_family = AF_INET;
1147 nfmsg->version = NFNETLINK_V0;
1148 nfmsg->res_id = 0;
1149
1150 if (ctnetlink_exp_dump_expect(skb, exp) < 0)
1151 goto nfattr_failure;
1152
1153 nlh->nlmsg_len = skb->tail - b;
1154 return skb->len;
1155
1156nlmsg_failure:
1157nfattr_failure:
1158 skb_trim(skb, b - skb->data);
1159 return -1;
1160}
1161
1162#ifdef CONFIG_IP_NF_CONNTRACK_EVENTS
1163static int ctnetlink_expect_event(struct notifier_block *this,
1164 unsigned long events, void *ptr)
1165{
1166 struct nlmsghdr *nlh;
1167 struct nfgenmsg *nfmsg;
1168 struct ip_conntrack_expect *exp = (struct ip_conntrack_expect *)ptr;
1169 struct sk_buff *skb;
1170 unsigned int type;
1171 unsigned char *b;
1172 int flags = 0;
1173 u16 proto;
1174
1175 if (events & IPEXP_NEW) {
1176 type = IPCTNL_MSG_EXP_NEW;
1177 flags = NLM_F_CREATE|NLM_F_EXCL;
1178 } else
1179 return NOTIFY_DONE;
1180
1181 skb = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1182 if (!skb)
1183 return NOTIFY_DONE;
1184
1185 b = skb->tail;
1186
1187 type |= NFNL_SUBSYS_CTNETLINK << 8;
1188 nlh = NLMSG_PUT(skb, 0, 0, type, sizeof(struct nfgenmsg));
1189 nfmsg = NLMSG_DATA(nlh);
1190
1191 nlh->nlmsg_flags = flags;
1192 nfmsg->nfgen_family = AF_INET;
1193 nfmsg->version = NFNETLINK_V0;
1194 nfmsg->res_id = 0;
1195
1196 if (ctnetlink_exp_dump_expect(skb, exp) < 0)
1197 goto nfattr_failure;
1198
1199 nlh->nlmsg_len = skb->tail - b;
1200 proto = exp->tuple.dst.protonum;
1201 nfnetlink_send(skb, 0, NF_NETLINK_CONNTRACK_EXP_NEW, 0);
1202 return NOTIFY_DONE;
1203
1204nlmsg_failure:
1205nfattr_failure:
1206 kfree_skb(skb);
1207 return NOTIFY_DONE;
1208}
1209#endif
1210
1211static int
1212ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
1213{
1214 struct ip_conntrack_expect *exp = NULL;
1215 struct list_head *i;
1216 u_int32_t *id = (u_int32_t *) &cb->args[0];
1217
1218 DEBUGP("entered %s, last id=%llu\n", __FUNCTION__, *id);
1219
1220 read_lock_bh(&ip_conntrack_lock);
1221 list_for_each(i, &ip_conntrack_expect_list) {
1222 exp = (struct ip_conntrack_expect *) i;
1223 if (exp->id <= *id)
1224 continue;
1225 if (ctnetlink_exp_fill_info(skb, NETLINK_CB(cb->skb).pid,
1226 cb->nlh->nlmsg_seq,
1227 IPCTNL_MSG_EXP_NEW,
1228 1, exp) < 0)
1229 goto out;
1230 *id = exp->id;
1231 }
1232out:
1233 read_unlock_bh(&ip_conntrack_lock);
1234
1235 DEBUGP("leaving, last id=%llu\n", *id);
1236
1237 return skb->len;
1238}
1239
1240static int
1241ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb,
1242 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
1243{
1244 struct ip_conntrack_tuple tuple;
1245 struct ip_conntrack_expect *exp;
1246 struct sk_buff *skb2;
1247 int err = 0;
1248
1249 DEBUGP("entered %s\n", __FUNCTION__);
1250
1251 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1252 struct nfgenmsg *msg = NLMSG_DATA(nlh);
1253 u32 rlen;
1254
1255 if (msg->nfgen_family != AF_INET)
1256 return -EAFNOSUPPORT;
1257
1258 if ((*errp = netlink_dump_start(ctnl, skb, nlh,
1259 ctnetlink_exp_dump_table,
1260 ctnetlink_done)) != 0)
1261 return -EINVAL;
1262 rlen = NLMSG_ALIGN(nlh->nlmsg_len);
1263 if (rlen > skb->len)
1264 rlen = skb->len;
1265 skb_pull(skb, rlen);
1266 return 0;
1267 }
1268
1269 if (cda[CTA_TUPLE_ORIG-1])
1270 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG);
1271 else if (cda[CTA_TUPLE_REPLY-1])
1272 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY);
1273 else
1274 return -EINVAL;
1275
1276 if (err < 0)
1277 return err;
1278
1279 exp = ip_conntrack_expect_find_get(&tuple);
1280 if (!exp)
1281 return -ENOENT;
1282
1283 err = -ENOMEM;
1284 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1285 if (!skb2)
1286 goto out;
1287 NETLINK_CB(skb2).dst_pid = NETLINK_CB(skb).pid;
1288
1289 err = ctnetlink_exp_fill_info(skb2, NETLINK_CB(skb).pid,
1290 nlh->nlmsg_seq, IPCTNL_MSG_EXP_NEW,
1291 1, exp);
1292 if (err <= 0)
1293 goto out;
1294
1295 ip_conntrack_expect_put(exp);
1296
1297 err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT);
1298 if (err < 0)
1299 goto free;
1300
1301 return err;
1302
1303out:
1304 ip_conntrack_expect_put(exp);
1305free:
1306 if (skb2)
1307 kfree_skb(skb2);
1308 return err;
1309}
1310
1311static int
1312ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb,
1313 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
1314{
1315 struct ip_conntrack_expect *exp, *tmp;
1316 struct ip_conntrack_tuple tuple;
1317 struct ip_conntrack_helper *h;
1318 int err;
1319
1320 /* delete by tuple needs either orig or reply tuple */
1321 if (cda[CTA_TUPLE_ORIG-1])
1322 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG);
1323 else if (cda[CTA_TUPLE_REPLY-1])
1324 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY);
1325 else if (cda[CTA_HELP_NAME-1]) {
1326 char *name = NFA_DATA(cda[CTA_HELP_NAME-1]);
1327
1328 /* delete all expectations for this helper */
1329 write_lock_bh(&ip_conntrack_lock);
1330 h = __ip_conntrack_helper_find_byname(name);
1331 if (!h) {
1332 write_unlock_bh(&ip_conntrack_lock);
1333 return -EINVAL;
1334 }
1335 list_for_each_entry_safe(exp, tmp, &ip_conntrack_expect_list,
1336 list) {
1337 if (exp->master->helper == h
1338 && del_timer(&exp->timeout))
1339 __ip_ct_expect_unlink_destroy(exp);
1340 }
1341 write_unlock(&ip_conntrack_lock);
1342 return 0;
1343 } else {
1344 /* This basically means we have to flush everything*/
1345 write_lock_bh(&ip_conntrack_lock);
1346 list_for_each_entry_safe(exp, tmp, &ip_conntrack_expect_list,
1347 list) {
1348 if (del_timer(&exp->timeout))
1349 __ip_ct_expect_unlink_destroy(exp);
1350 }
1351 write_unlock_bh(&ip_conntrack_lock);
1352 return 0;
1353 }
1354
1355 if (err < 0)
1356 return err;
1357
1358 /* bump usage count to 2 */
1359 exp = ip_conntrack_expect_find_get(&tuple);
1360 if (!exp)
1361 return -ENOENT;
1362
1363 if (cda[CTA_EXPECT_ID-1]) {
1364 u_int32_t id = *(u_int32_t *)NFA_DATA(cda[CTA_EXPECT_ID-1]);
1365 if (exp->id != ntohl(id)) {
1366 ip_conntrack_expect_put(exp);
1367 return -ENOENT;
1368 }
1369 }
1370
1371 /* after list removal, usage count == 1 */
1372 ip_conntrack_unexpect_related(exp);
1373 /* have to put what we 'get' above. after this line usage count == 0 */
1374 ip_conntrack_expect_put(exp);
1375
1376 return 0;
1377}
1378static int
1379ctnetlink_change_expect(struct ip_conntrack_expect *x, struct nfattr *cda[])
1380{
1381 return -EOPNOTSUPP;
1382}
1383
1384static int
1385ctnetlink_create_expect(struct nfattr *cda[])
1386{
1387 struct ip_conntrack_tuple tuple, mask, master_tuple;
1388 struct ip_conntrack_tuple_hash *h = NULL;
1389 struct ip_conntrack_expect *exp;
1390 struct ip_conntrack *ct;
1391 int err = 0;
1392
1393 DEBUGP("entered %s\n", __FUNCTION__);
1394
1395 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE);
1396 if (err < 0)
1397 return err;
1398 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASK);
1399 if (err < 0)
1400 return err;
1401
1402 if (cda[CTA_TUPLE_ORIG-1])
1403 err = ctnetlink_parse_tuple(cda, &master_tuple, CTA_TUPLE_ORIG);
1404 else if (cda[CTA_TUPLE_REPLY-1])
1405 err = ctnetlink_parse_tuple(cda, &master_tuple,
1406 CTA_TUPLE_REPLY);
1407 else
1408 return -EINVAL;
1409
1410 if (err < 0)
1411 return err;
1412
1413 /* Look for master conntrack of this expectation */
1414 h = ip_conntrack_find_get(&master_tuple, NULL);
1415 if (!h)
1416 return -ENOENT;
1417 ct = tuplehash_to_ctrack(h);
1418
1419 if (!ct->helper) {
1420 /* such conntrack hasn't got any helper, abort */
1421 err = -EINVAL;
1422 goto out;
1423 }
1424
1425 exp = ip_conntrack_expect_alloc(ct);
1426 if (!exp) {
1427 err = -ENOMEM;
1428 goto out;
1429 }
1430
1431 exp->expectfn = NULL;
1432 exp->master = ct;
1433 memcpy(&exp->tuple, &tuple, sizeof(struct ip_conntrack_tuple));
1434 memcpy(&exp->mask, &mask, sizeof(struct ip_conntrack_tuple));
1435
1436 err = ip_conntrack_expect_related(exp);
1437 ip_conntrack_expect_put(exp);
1438
1439out:
1440 ip_conntrack_put(tuplehash_to_ctrack(h));
1441 return err;
1442}
1443
1444static int
1445ctnetlink_new_expect(struct sock *ctnl, struct sk_buff *skb,
1446 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
1447{
1448 struct ip_conntrack_tuple tuple;
1449 struct ip_conntrack_expect *exp;
1450 int err = 0;
1451
1452 DEBUGP("entered %s\n", __FUNCTION__);
1453
1454 if (!cda[CTA_EXPECT_TUPLE-1] || !cda[CTA_EXPECT_MASK-1])
1455 return -EINVAL;
1456
1457 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE);
1458 if (err < 0)
1459 return err;
1460
1461 write_lock_bh(&ip_conntrack_lock);
1462 exp = __ip_conntrack_expect_find(&tuple);
1463
1464 if (!exp) {
1465 write_unlock_bh(&ip_conntrack_lock);
1466 err = -ENOENT;
1467 if (nlh->nlmsg_flags & NLM_F_CREATE)
1468 err = ctnetlink_create_expect(cda);
1469 return err;
1470 }
1471
1472 err = -EEXIST;
1473 if (!(nlh->nlmsg_flags & NLM_F_EXCL))
1474 err = ctnetlink_change_expect(exp, cda);
1475 write_unlock_bh(&ip_conntrack_lock);
1476
1477 DEBUGP("leaving\n");
1478
1479 return err;
1480}
1481
1482#ifdef CONFIG_IP_NF_CONNTRACK_EVENTS
1483static struct notifier_block ctnl_notifier = {
1484 .notifier_call = ctnetlink_conntrack_event,
1485};
1486
1487static struct notifier_block ctnl_notifier_exp = {
1488 .notifier_call = ctnetlink_expect_event,
1489};
1490#endif
1491
1492static struct nfnl_callback ctnl_cb[IPCTNL_MSG_MAX] = {
1493 [IPCTNL_MSG_CT_NEW] = { .call = ctnetlink_new_conntrack,
1494 .cap_required = CAP_NET_ADMIN },
1495 [IPCTNL_MSG_CT_GET] = { .call = ctnetlink_get_conntrack,
1496 .cap_required = CAP_NET_ADMIN },
1497 [IPCTNL_MSG_CT_DELETE] = { .call = ctnetlink_del_conntrack,
1498 .cap_required = CAP_NET_ADMIN },
1499 [IPCTNL_MSG_CT_GET_CTRZERO] = { .call = ctnetlink_get_conntrack,
1500 .cap_required = CAP_NET_ADMIN },
1501};
1502
1503static struct nfnl_callback ctnl_exp_cb[IPCTNL_MSG_MAX] = {
1504 [IPCTNL_MSG_EXP_GET] = { .call = ctnetlink_get_expect,
1505 .cap_required = CAP_NET_ADMIN },
1506 [IPCTNL_MSG_EXP_NEW] = { .call = ctnetlink_new_expect,
1507 .cap_required = CAP_NET_ADMIN },
1508 [IPCTNL_MSG_EXP_DELETE] = { .call = ctnetlink_del_expect,
1509 .cap_required = CAP_NET_ADMIN },
1510};
1511
1512static struct nfnetlink_subsystem ctnl_subsys = {
1513 .name = "conntrack",
1514 .subsys_id = NFNL_SUBSYS_CTNETLINK,
1515 .cb_count = IPCTNL_MSG_MAX,
1516 .attr_count = CTA_MAX,
1517 .cb = ctnl_cb,
1518};
1519
1520static struct nfnetlink_subsystem ctnl_exp_subsys = {
1521 .name = "conntrack_expect",
1522 .subsys_id = NFNL_SUBSYS_CTNETLINK_EXP,
1523 .cb_count = IPCTNL_MSG_EXP_MAX,
1524 .attr_count = CTA_MAX,
1525 .cb = ctnl_exp_cb,
1526};
1527
1528static int __init ctnetlink_init(void)
1529{
1530 int ret;
1531
1532 printk("ctnetlink v%s: registering with nfnetlink.\n", version);
1533 ret = nfnetlink_subsys_register(&ctnl_subsys);
1534 if (ret < 0) {
1535 printk("ctnetlink_init: cannot register with nfnetlink.\n");
1536 goto err_out;
1537 }
1538
1539 ret = nfnetlink_subsys_register(&ctnl_exp_subsys);
1540 if (ret < 0) {
1541 printk("ctnetlink_init: cannot register exp with nfnetlink.\n");
1542 goto err_unreg_subsys;
1543 }
1544
1545#ifdef CONFIG_IP_NF_CONNTRACK_EVENTS
1546 ret = ip_conntrack_register_notifier(&ctnl_notifier);
1547 if (ret < 0) {
1548 printk("ctnetlink_init: cannot register notifier.\n");
1549 goto err_unreg_exp_subsys;
1550 }
1551
1552 ret = ip_conntrack_expect_register_notifier(&ctnl_notifier_exp);
1553 if (ret < 0) {
1554 printk("ctnetlink_init: cannot expect register notifier.\n");
1555 goto err_unreg_notifier;
1556 }
1557#endif
1558
1559 return 0;
1560
1561#ifdef CONFIG_IP_NF_CONNTRACK_EVENTS
1562err_unreg_notifier:
1563 ip_conntrack_unregister_notifier(&ctnl_notifier);
1564err_unreg_exp_subsys:
1565 nfnetlink_subsys_unregister(&ctnl_exp_subsys);
1566#endif
1567err_unreg_subsys:
1568 nfnetlink_subsys_unregister(&ctnl_subsys);
1569err_out:
1570 return ret;
1571}
1572
1573static void __exit ctnetlink_exit(void)
1574{
1575 printk("ctnetlink: unregistering from nfnetlink.\n");
1576
1577#ifdef CONFIG_IP_NF_CONNTRACK_EVENTS
1578 ip_conntrack_unregister_notifier(&ctnl_notifier_exp);
1579 ip_conntrack_unregister_notifier(&ctnl_notifier);
1580#endif
1581
1582 nfnetlink_subsys_unregister(&ctnl_exp_subsys);
1583 nfnetlink_subsys_unregister(&ctnl_subsys);
1584 return;
1585}
1586
1587module_init(ctnetlink_init);
1588module_exit(ctnetlink_exit);
diff --git a/net/ipv4/netfilter/ip_conntrack_proto_icmp.c b/net/ipv4/netfilter/ip_conntrack_proto_icmp.c
index dca1f63d6f51..3f90cb9979ac 100644
--- a/net/ipv4/netfilter/ip_conntrack_proto_icmp.c
+++ b/net/ipv4/netfilter/ip_conntrack_proto_icmp.c
@@ -109,16 +109,17 @@ static int icmp_packet(struct ip_conntrack *ct,
109 return NF_ACCEPT; 109 return NF_ACCEPT;
110} 110}
111 111
112static u_int8_t valid_new[] = {
113 [ICMP_ECHO] = 1,
114 [ICMP_TIMESTAMP] = 1,
115 [ICMP_INFO_REQUEST] = 1,
116 [ICMP_ADDRESS] = 1
117};
118
112/* Called when a new connection for this protocol found. */ 119/* Called when a new connection for this protocol found. */
113static int icmp_new(struct ip_conntrack *conntrack, 120static int icmp_new(struct ip_conntrack *conntrack,
114 const struct sk_buff *skb) 121 const struct sk_buff *skb)
115{ 122{
116 static u_int8_t valid_new[]
117 = { [ICMP_ECHO] = 1,
118 [ICMP_TIMESTAMP] = 1,
119 [ICMP_INFO_REQUEST] = 1,
120 [ICMP_ADDRESS] = 1 };
121
122 if (conntrack->tuplehash[0].tuple.dst.u.icmp.type >= sizeof(valid_new) 123 if (conntrack->tuplehash[0].tuple.dst.u.icmp.type >= sizeof(valid_new)
123 || !valid_new[conntrack->tuplehash[0].tuple.dst.u.icmp.type]) { 124 || !valid_new[conntrack->tuplehash[0].tuple.dst.u.icmp.type]) {
124 /* Can't create a new ICMP `conn' with this. */ 125 /* Can't create a new ICMP `conn' with this. */
@@ -159,11 +160,12 @@ icmp_error_message(struct sk_buff *skb,
159 return NF_ACCEPT; 160 return NF_ACCEPT;
160 } 161 }
161 162
162 innerproto = ip_ct_find_proto(inside->ip.protocol); 163 innerproto = ip_conntrack_proto_find_get(inside->ip.protocol);
163 dataoff = skb->nh.iph->ihl*4 + sizeof(inside->icmp) + inside->ip.ihl*4; 164 dataoff = skb->nh.iph->ihl*4 + sizeof(inside->icmp) + inside->ip.ihl*4;
164 /* Are they talking about one of our connections? */ 165 /* Are they talking about one of our connections? */
165 if (!ip_ct_get_tuple(&inside->ip, skb, dataoff, &origtuple, innerproto)) { 166 if (!ip_ct_get_tuple(&inside->ip, skb, dataoff, &origtuple, innerproto)) {
166 DEBUGP("icmp_error: ! get_tuple p=%u", inside->ip.protocol); 167 DEBUGP("icmp_error: ! get_tuple p=%u", inside->ip.protocol);
168 ip_conntrack_proto_put(innerproto);
167 return NF_ACCEPT; 169 return NF_ACCEPT;
168 } 170 }
169 171
@@ -171,8 +173,10 @@ icmp_error_message(struct sk_buff *skb,
171 been preserved inside the ICMP. */ 173 been preserved inside the ICMP. */
172 if (!ip_ct_invert_tuple(&innertuple, &origtuple, innerproto)) { 174 if (!ip_ct_invert_tuple(&innertuple, &origtuple, innerproto)) {
173 DEBUGP("icmp_error_track: Can't invert tuple\n"); 175 DEBUGP("icmp_error_track: Can't invert tuple\n");
176 ip_conntrack_proto_put(innerproto);
174 return NF_ACCEPT; 177 return NF_ACCEPT;
175 } 178 }
179 ip_conntrack_proto_put(innerproto);
176 180
177 *ctinfo = IP_CT_RELATED; 181 *ctinfo = IP_CT_RELATED;
178 182
@@ -266,6 +270,47 @@ checksum_skipped:
266 return icmp_error_message(skb, ctinfo, hooknum); 270 return icmp_error_message(skb, ctinfo, hooknum);
267} 271}
268 272
273#if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \
274 defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE)
275static int icmp_tuple_to_nfattr(struct sk_buff *skb,
276 const struct ip_conntrack_tuple *t)
277{
278 NFA_PUT(skb, CTA_PROTO_ICMP_ID, sizeof(u_int16_t),
279 &t->src.u.icmp.id);
280 NFA_PUT(skb, CTA_PROTO_ICMP_TYPE, sizeof(u_int8_t),
281 &t->dst.u.icmp.type);
282 NFA_PUT(skb, CTA_PROTO_ICMP_CODE, sizeof(u_int8_t),
283 &t->dst.u.icmp.code);
284
285 if (t->dst.u.icmp.type >= sizeof(valid_new)
286 || !valid_new[t->dst.u.icmp.type])
287 return -EINVAL;
288
289 return 0;
290
291nfattr_failure:
292 return -1;
293}
294
295static int icmp_nfattr_to_tuple(struct nfattr *tb[],
296 struct ip_conntrack_tuple *tuple)
297{
298 if (!tb[CTA_PROTO_ICMP_TYPE-1]
299 || !tb[CTA_PROTO_ICMP_CODE-1]
300 || !tb[CTA_PROTO_ICMP_ID-1])
301 return -1;
302
303 tuple->dst.u.icmp.type =
304 *(u_int8_t *)NFA_DATA(tb[CTA_PROTO_ICMP_TYPE-1]);
305 tuple->dst.u.icmp.code =
306 *(u_int8_t *)NFA_DATA(tb[CTA_PROTO_ICMP_CODE-1]);
307 tuple->src.u.icmp.id =
308 *(u_int8_t *)NFA_DATA(tb[CTA_PROTO_ICMP_ID-1]);
309
310 return 0;
311}
312#endif
313
269struct ip_conntrack_protocol ip_conntrack_protocol_icmp = 314struct ip_conntrack_protocol ip_conntrack_protocol_icmp =
270{ 315{
271 .proto = IPPROTO_ICMP, 316 .proto = IPPROTO_ICMP,
@@ -277,4 +322,9 @@ struct ip_conntrack_protocol ip_conntrack_protocol_icmp =
277 .packet = icmp_packet, 322 .packet = icmp_packet,
278 .new = icmp_new, 323 .new = icmp_new,
279 .error = icmp_error, 324 .error = icmp_error,
325#if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \
326 defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE)
327 .tuple_to_nfattr = icmp_tuple_to_nfattr,
328 .nfattr_to_tuple = icmp_nfattr_to_tuple,
329#endif
280}; 330};
diff --git a/net/ipv4/netfilter/ip_conntrack_proto_sctp.c b/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
index 3d5f878a07d1..a875f35e576d 100644
--- a/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
+++ b/net/ipv4/netfilter/ip_conntrack_proto_sctp.c
@@ -505,7 +505,12 @@ static struct ip_conntrack_protocol ip_conntrack_protocol_sctp = {
505 .packet = sctp_packet, 505 .packet = sctp_packet,
506 .new = sctp_new, 506 .new = sctp_new,
507 .destroy = NULL, 507 .destroy = NULL,
508 .me = THIS_MODULE 508 .me = THIS_MODULE,
509#if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \
510 defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE)
511 .tuple_to_nfattr = ip_ct_port_tuple_to_nfattr,
512 .nfattr_to_tuple = ip_ct_port_nfattr_to_tuple,
513#endif
509}; 514};
510 515
511#ifdef CONFIG_SYSCTL 516#ifdef CONFIG_SYSCTL
diff --git a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
index a569ad1ee4d9..c2bce22d4031 100644
--- a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
+++ b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c
@@ -336,6 +336,23 @@ static int tcp_print_conntrack(struct seq_file *s,
336 return seq_printf(s, "%s ", tcp_conntrack_names[state]); 336 return seq_printf(s, "%s ", tcp_conntrack_names[state]);
337} 337}
338 338
339#if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \
340 defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE)
341static int tcp_to_nfattr(struct sk_buff *skb, struct nfattr *nfa,
342 const struct ip_conntrack *ct)
343{
344 read_lock_bh(&tcp_lock);
345 NFA_PUT(skb, CTA_PROTOINFO_TCP_STATE, sizeof(u_int8_t),
346 &ct->proto.tcp.state);
347 read_unlock_bh(&tcp_lock);
348
349 return 0;
350
351nfattr_failure:
352 return -1;
353}
354#endif
355
339static unsigned int get_conntrack_index(const struct tcphdr *tcph) 356static unsigned int get_conntrack_index(const struct tcphdr *tcph)
340{ 357{
341 if (tcph->rst) return TCP_RST_SET; 358 if (tcph->rst) return TCP_RST_SET;
@@ -1100,4 +1117,10 @@ struct ip_conntrack_protocol ip_conntrack_protocol_tcp =
1100 .packet = tcp_packet, 1117 .packet = tcp_packet,
1101 .new = tcp_new, 1118 .new = tcp_new,
1102 .error = tcp_error, 1119 .error = tcp_error,
1120#if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \
1121 defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE)
1122 .to_nfattr = tcp_to_nfattr,
1123 .tuple_to_nfattr = ip_ct_port_tuple_to_nfattr,
1124 .nfattr_to_tuple = ip_ct_port_nfattr_to_tuple,
1125#endif
1103}; 1126};
diff --git a/net/ipv4/netfilter/ip_conntrack_proto_udp.c b/net/ipv4/netfilter/ip_conntrack_proto_udp.c
index 6066eaf4d825..14130169cbfd 100644
--- a/net/ipv4/netfilter/ip_conntrack_proto_udp.c
+++ b/net/ipv4/netfilter/ip_conntrack_proto_udp.c
@@ -145,4 +145,9 @@ struct ip_conntrack_protocol ip_conntrack_protocol_udp =
145 .packet = udp_packet, 145 .packet = udp_packet,
146 .new = udp_new, 146 .new = udp_new,
147 .error = udp_error, 147 .error = udp_error,
148#if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \
149 defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE)
150 .tuple_to_nfattr = ip_ct_port_tuple_to_nfattr,
151 .nfattr_to_tuple = ip_ct_port_nfattr_to_tuple,
152#endif
148}; 153};
diff --git a/net/ipv4/netfilter/ip_conntrack_standalone.c b/net/ipv4/netfilter/ip_conntrack_standalone.c
index f0880004115d..ca97c3ac2f2a 100644
--- a/net/ipv4/netfilter/ip_conntrack_standalone.c
+++ b/net/ipv4/netfilter/ip_conntrack_standalone.c
@@ -5,7 +5,7 @@
5*/ 5*/
6 6
7/* (C) 1999-2001 Paul `Rusty' Russell 7/* (C) 1999-2001 Paul `Rusty' Russell
8 * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org> 8 * (C) 2002-2005 Netfilter Core Team <coreteam@netfilter.org>
9 * 9 *
10 * This program is free software; you can redistribute it and/or modify 10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2 as 11 * it under the terms of the GNU General Public License version 2 as
@@ -147,8 +147,7 @@ static int ct_seq_show(struct seq_file *s, void *v)
147 if (DIRECTION(hash)) 147 if (DIRECTION(hash))
148 return 0; 148 return 0;
149 149
150 proto = ip_ct_find_proto(conntrack->tuplehash[IP_CT_DIR_ORIGINAL] 150 proto = __ip_conntrack_proto_find(conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum);
151 .tuple.dst.protonum);
152 IP_NF_ASSERT(proto); 151 IP_NF_ASSERT(proto);
153 152
154 if (seq_printf(s, "%-8s %u %ld ", 153 if (seq_printf(s, "%-8s %u %ld ",
@@ -283,7 +282,7 @@ static int exp_seq_show(struct seq_file *s, void *v)
283 seq_printf(s, "proto=%u ", expect->tuple.dst.protonum); 282 seq_printf(s, "proto=%u ", expect->tuple.dst.protonum);
284 283
285 print_tuple(s, &expect->tuple, 284 print_tuple(s, &expect->tuple,
286 ip_ct_find_proto(expect->tuple.dst.protonum)); 285 __ip_conntrack_proto_find(expect->tuple.dst.protonum));
287 return seq_putc(s, '\n'); 286 return seq_putc(s, '\n');
288} 287}
289 288
@@ -992,12 +991,16 @@ EXPORT_SYMBOL(ip_conntrack_helper_register);
992EXPORT_SYMBOL(ip_conntrack_helper_unregister); 991EXPORT_SYMBOL(ip_conntrack_helper_unregister);
993EXPORT_SYMBOL(ip_ct_iterate_cleanup); 992EXPORT_SYMBOL(ip_ct_iterate_cleanup);
994EXPORT_SYMBOL(ip_ct_refresh_acct); 993EXPORT_SYMBOL(ip_ct_refresh_acct);
995EXPORT_SYMBOL(ip_ct_protos); 994
996EXPORT_SYMBOL(ip_ct_find_proto);
997EXPORT_SYMBOL(ip_conntrack_expect_alloc); 995EXPORT_SYMBOL(ip_conntrack_expect_alloc);
998EXPORT_SYMBOL(ip_conntrack_expect_put); 996EXPORT_SYMBOL(ip_conntrack_expect_put);
997EXPORT_SYMBOL_GPL(ip_conntrack_expect_find_get);
999EXPORT_SYMBOL(ip_conntrack_expect_related); 998EXPORT_SYMBOL(ip_conntrack_expect_related);
1000EXPORT_SYMBOL(ip_conntrack_unexpect_related); 999EXPORT_SYMBOL(ip_conntrack_unexpect_related);
1000EXPORT_SYMBOL_GPL(ip_conntrack_expect_list);
1001EXPORT_SYMBOL_GPL(__ip_conntrack_expect_find);
1002EXPORT_SYMBOL_GPL(__ip_ct_expect_unlink_destroy);
1003
1001EXPORT_SYMBOL(ip_conntrack_tuple_taken); 1004EXPORT_SYMBOL(ip_conntrack_tuple_taken);
1002EXPORT_SYMBOL(ip_ct_gather_frags); 1005EXPORT_SYMBOL(ip_ct_gather_frags);
1003EXPORT_SYMBOL(ip_conntrack_htable_size); 1006EXPORT_SYMBOL(ip_conntrack_htable_size);
@@ -1005,7 +1008,28 @@ EXPORT_SYMBOL(ip_conntrack_lock);
1005EXPORT_SYMBOL(ip_conntrack_hash); 1008EXPORT_SYMBOL(ip_conntrack_hash);
1006EXPORT_SYMBOL(ip_conntrack_untracked); 1009EXPORT_SYMBOL(ip_conntrack_untracked);
1007EXPORT_SYMBOL_GPL(ip_conntrack_find_get); 1010EXPORT_SYMBOL_GPL(ip_conntrack_find_get);
1008EXPORT_SYMBOL_GPL(ip_conntrack_put);
1009#ifdef CONFIG_IP_NF_NAT_NEEDED 1011#ifdef CONFIG_IP_NF_NAT_NEEDED
1010EXPORT_SYMBOL(ip_conntrack_tcp_update); 1012EXPORT_SYMBOL(ip_conntrack_tcp_update);
1011#endif 1013#endif
1014
1015EXPORT_SYMBOL_GPL(ip_conntrack_flush);
1016EXPORT_SYMBOL_GPL(__ip_conntrack_find);
1017
1018EXPORT_SYMBOL_GPL(ip_conntrack_alloc);
1019EXPORT_SYMBOL_GPL(ip_conntrack_free);
1020EXPORT_SYMBOL_GPL(ip_conntrack_hash_insert);
1021
1022EXPORT_SYMBOL_GPL(ip_ct_remove_expectations);
1023
1024EXPORT_SYMBOL_GPL(ip_conntrack_helper_find_get);
1025EXPORT_SYMBOL_GPL(ip_conntrack_helper_put);
1026EXPORT_SYMBOL_GPL(__ip_conntrack_helper_find_byname);
1027
1028EXPORT_SYMBOL_GPL(ip_conntrack_proto_find_get);
1029EXPORT_SYMBOL_GPL(ip_conntrack_proto_put);
1030EXPORT_SYMBOL_GPL(__ip_conntrack_proto_find);
1031#if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \
1032 defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE)
1033EXPORT_SYMBOL_GPL(ip_ct_port_tuple_to_nfattr);
1034EXPORT_SYMBOL_GPL(ip_ct_port_nfattr_to_tuple);
1035#endif
diff --git a/net/ipv4/netfilter/ip_nat_core.c b/net/ipv4/netfilter/ip_nat_core.c
index ed4d731880f7..567c802fecf0 100644
--- a/net/ipv4/netfilter/ip_nat_core.c
+++ b/net/ipv4/netfilter/ip_nat_core.c
@@ -47,8 +47,39 @@ DEFINE_RWLOCK(ip_nat_lock);
47static unsigned int ip_nat_htable_size; 47static unsigned int ip_nat_htable_size;
48 48
49static struct list_head *bysource; 49static struct list_head *bysource;
50
51#define MAX_IP_NAT_PROTO 256
50struct ip_nat_protocol *ip_nat_protos[MAX_IP_NAT_PROTO]; 52struct ip_nat_protocol *ip_nat_protos[MAX_IP_NAT_PROTO];
51 53
54static inline struct ip_nat_protocol *
55__ip_nat_proto_find(u_int8_t protonum)
56{
57 return ip_nat_protos[protonum];
58}
59
60struct ip_nat_protocol *
61ip_nat_proto_find_get(u_int8_t protonum)
62{
63 struct ip_nat_protocol *p;
64
65 /* we need to disable preemption to make sure 'p' doesn't get
66 * removed until we've grabbed the reference */
67 preempt_disable();
68 p = __ip_nat_proto_find(protonum);
69 if (p) {
70 if (!try_module_get(p->me))
71 p = &ip_nat_unknown_protocol;
72 }
73 preempt_enable();
74
75 return p;
76}
77
78void
79ip_nat_proto_put(struct ip_nat_protocol *p)
80{
81 module_put(p->me);
82}
52 83
53/* We keep an extra hash for each conntrack, for fast searching. */ 84/* We keep an extra hash for each conntrack, for fast searching. */
54static inline unsigned int 85static inline unsigned int
@@ -103,7 +134,8 @@ static int
103in_range(const struct ip_conntrack_tuple *tuple, 134in_range(const struct ip_conntrack_tuple *tuple,
104 const struct ip_nat_range *range) 135 const struct ip_nat_range *range)
105{ 136{
106 struct ip_nat_protocol *proto = ip_nat_find_proto(tuple->dst.protonum); 137 struct ip_nat_protocol *proto =
138 __ip_nat_proto_find(tuple->dst.protonum);
107 139
108 /* If we are supposed to map IPs, then we must be in the 140 /* If we are supposed to map IPs, then we must be in the
109 range specified, otherwise let this drag us onto a new src IP. */ 141 range specified, otherwise let this drag us onto a new src IP. */
@@ -216,8 +248,7 @@ get_unique_tuple(struct ip_conntrack_tuple *tuple,
216 struct ip_conntrack *conntrack, 248 struct ip_conntrack *conntrack,
217 enum ip_nat_manip_type maniptype) 249 enum ip_nat_manip_type maniptype)
218{ 250{
219 struct ip_nat_protocol *proto 251 struct ip_nat_protocol *proto;
220 = ip_nat_find_proto(orig_tuple->dst.protonum);
221 252
222 /* 1) If this srcip/proto/src-proto-part is currently mapped, 253 /* 1) If this srcip/proto/src-proto-part is currently mapped,
223 and that same mapping gives a unique tuple within the given 254 and that same mapping gives a unique tuple within the given
@@ -242,14 +273,20 @@ get_unique_tuple(struct ip_conntrack_tuple *tuple,
242 /* 3) The per-protocol part of the manip is made to map into 273 /* 3) The per-protocol part of the manip is made to map into
243 the range to make a unique tuple. */ 274 the range to make a unique tuple. */
244 275
276 proto = ip_nat_proto_find_get(orig_tuple->dst.protonum);
277
245 /* Only bother mapping if it's not already in range and unique */ 278 /* Only bother mapping if it's not already in range and unique */
246 if ((!(range->flags & IP_NAT_RANGE_PROTO_SPECIFIED) 279 if ((!(range->flags & IP_NAT_RANGE_PROTO_SPECIFIED)
247 || proto->in_range(tuple, maniptype, &range->min, &range->max)) 280 || proto->in_range(tuple, maniptype, &range->min, &range->max))
248 && !ip_nat_used_tuple(tuple, conntrack)) 281 && !ip_nat_used_tuple(tuple, conntrack)) {
282 ip_nat_proto_put(proto);
249 return; 283 return;
284 }
250 285
251 /* Last change: get protocol to try to obtain unique tuple. */ 286 /* Last change: get protocol to try to obtain unique tuple. */
252 proto->unique_tuple(tuple, range, maniptype, conntrack); 287 proto->unique_tuple(tuple, range, maniptype, conntrack);
288
289 ip_nat_proto_put(proto);
253} 290}
254 291
255unsigned int 292unsigned int
@@ -320,6 +357,7 @@ manip_pkt(u_int16_t proto,
320 enum ip_nat_manip_type maniptype) 357 enum ip_nat_manip_type maniptype)
321{ 358{
322 struct iphdr *iph; 359 struct iphdr *iph;
360 struct ip_nat_protocol *p;
323 361
324 if (!skb_ip_make_writable(pskb, iphdroff + sizeof(*iph))) 362 if (!skb_ip_make_writable(pskb, iphdroff + sizeof(*iph)))
325 return 0; 363 return 0;
@@ -327,9 +365,12 @@ manip_pkt(u_int16_t proto,
327 iph = (void *)(*pskb)->data + iphdroff; 365 iph = (void *)(*pskb)->data + iphdroff;
328 366
329 /* Manipulate protcol part. */ 367 /* Manipulate protcol part. */
330 if (!ip_nat_find_proto(proto)->manip_pkt(pskb, iphdroff, 368 p = ip_nat_proto_find_get(proto);
331 target, maniptype)) 369 if (!p->manip_pkt(pskb, iphdroff, target, maniptype)) {
370 ip_nat_proto_put(p);
332 return 0; 371 return 0;
372 }
373 ip_nat_proto_put(p);
333 374
334 iph = (void *)(*pskb)->data + iphdroff; 375 iph = (void *)(*pskb)->data + iphdroff;
335 376
@@ -425,7 +466,8 @@ int icmp_reply_translation(struct sk_buff **pskb,
425 466
426 if (!ip_ct_get_tuple(&inside->ip, *pskb, (*pskb)->nh.iph->ihl*4 + 467 if (!ip_ct_get_tuple(&inside->ip, *pskb, (*pskb)->nh.iph->ihl*4 +
427 sizeof(struct icmphdr) + inside->ip.ihl*4, 468 sizeof(struct icmphdr) + inside->ip.ihl*4,
428 &inner, ip_ct_find_proto(inside->ip.protocol))) 469 &inner,
470 __ip_conntrack_proto_find(inside->ip.protocol)))
429 return 0; 471 return 0;
430 472
431 /* Change inner back to look like incoming packet. We do the 473 /* Change inner back to look like incoming packet. We do the
@@ -495,6 +537,49 @@ void ip_nat_protocol_unregister(struct ip_nat_protocol *proto)
495 synchronize_net(); 537 synchronize_net();
496} 538}
497 539
540#if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \
541 defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE)
542int
543ip_nat_port_range_to_nfattr(struct sk_buff *skb,
544 const struct ip_nat_range *range)
545{
546 NFA_PUT(skb, CTA_PROTONAT_PORT_MIN, sizeof(u_int16_t),
547 &range->min.tcp.port);
548 NFA_PUT(skb, CTA_PROTONAT_PORT_MAX, sizeof(u_int16_t),
549 &range->max.tcp.port);
550
551 return 0;
552
553nfattr_failure:
554 return -1;
555}
556
557int
558ip_nat_port_nfattr_to_range(struct nfattr *tb[], struct ip_nat_range *range)
559{
560 int ret = 0;
561
562 /* we have to return whether we actually parsed something or not */
563
564 if (tb[CTA_PROTONAT_PORT_MIN-1]) {
565 ret = 1;
566 range->min.tcp.port =
567 *(u_int16_t *)NFA_DATA(tb[CTA_PROTONAT_PORT_MIN-1]);
568 }
569
570 if (!tb[CTA_PROTONAT_PORT_MAX-1]) {
571 if (ret)
572 range->max.tcp.port = range->min.tcp.port;
573 } else {
574 ret = 1;
575 range->max.tcp.port =
576 *(u_int16_t *)NFA_DATA(tb[CTA_PROTONAT_PORT_MAX-1]);
577 }
578
579 return ret;
580}
581#endif
582
498int __init ip_nat_init(void) 583int __init ip_nat_init(void)
499{ 584{
500 size_t i; 585 size_t i;
diff --git a/net/ipv4/netfilter/ip_nat_proto_icmp.c b/net/ipv4/netfilter/ip_nat_proto_icmp.c
index 6596c9ee1655..38fdfc2093c4 100644
--- a/net/ipv4/netfilter/ip_nat_proto_icmp.c
+++ b/net/ipv4/netfilter/ip_nat_proto_icmp.c
@@ -107,10 +107,15 @@ icmp_print_range(char *buffer, const struct ip_nat_range *range)
107} 107}
108 108
109struct ip_nat_protocol ip_nat_protocol_icmp 109struct ip_nat_protocol ip_nat_protocol_icmp
110= { "ICMP", IPPROTO_ICMP, 110= { "ICMP", IPPROTO_ICMP, THIS_MODULE,
111 icmp_manip_pkt, 111 icmp_manip_pkt,
112 icmp_in_range, 112 icmp_in_range,
113 icmp_unique_tuple, 113 icmp_unique_tuple,
114 icmp_print, 114 icmp_print,
115 icmp_print_range 115 icmp_print_range,
116#if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \
117 defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE)
118 ip_nat_port_range_to_nfattr,
119 ip_nat_port_nfattr_to_range,
120#endif
116}; 121};
diff --git a/net/ipv4/netfilter/ip_nat_proto_tcp.c b/net/ipv4/netfilter/ip_nat_proto_tcp.c
index a98e36d2b3c6..f03cd0f0c2bf 100644
--- a/net/ipv4/netfilter/ip_nat_proto_tcp.c
+++ b/net/ipv4/netfilter/ip_nat_proto_tcp.c
@@ -12,6 +12,7 @@
12#include <linux/ip.h> 12#include <linux/ip.h>
13#include <linux/tcp.h> 13#include <linux/tcp.h>
14#include <linux/if.h> 14#include <linux/if.h>
15#include <linux/netfilter/nfnetlink_conntrack.h>
15#include <linux/netfilter_ipv4/ip_nat.h> 16#include <linux/netfilter_ipv4/ip_nat.h>
16#include <linux/netfilter_ipv4/ip_nat_rule.h> 17#include <linux/netfilter_ipv4/ip_nat_rule.h>
17#include <linux/netfilter_ipv4/ip_nat_protocol.h> 18#include <linux/netfilter_ipv4/ip_nat_protocol.h>
@@ -170,10 +171,15 @@ tcp_print_range(char *buffer, const struct ip_nat_range *range)
170} 171}
171 172
172struct ip_nat_protocol ip_nat_protocol_tcp 173struct ip_nat_protocol ip_nat_protocol_tcp
173= { "TCP", IPPROTO_TCP, 174= { "TCP", IPPROTO_TCP, THIS_MODULE,
174 tcp_manip_pkt, 175 tcp_manip_pkt,
175 tcp_in_range, 176 tcp_in_range,
176 tcp_unique_tuple, 177 tcp_unique_tuple,
177 tcp_print, 178 tcp_print,
178 tcp_print_range 179 tcp_print_range,
180#if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \
181 defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE)
182 ip_nat_port_range_to_nfattr,
183 ip_nat_port_nfattr_to_range,
184#endif
179}; 185};
diff --git a/net/ipv4/netfilter/ip_nat_proto_udp.c b/net/ipv4/netfilter/ip_nat_proto_udp.c
index 9f66e5625664..7a4e66ecbc0a 100644
--- a/net/ipv4/netfilter/ip_nat_proto_udp.c
+++ b/net/ipv4/netfilter/ip_nat_proto_udp.c
@@ -157,10 +157,15 @@ udp_print_range(char *buffer, const struct ip_nat_range *range)
157} 157}
158 158
159struct ip_nat_protocol ip_nat_protocol_udp 159struct ip_nat_protocol ip_nat_protocol_udp
160= { "UDP", IPPROTO_UDP, 160= { "UDP", IPPROTO_UDP, THIS_MODULE,
161 udp_manip_pkt, 161 udp_manip_pkt,
162 udp_in_range, 162 udp_in_range,
163 udp_unique_tuple, 163 udp_unique_tuple,
164 udp_print, 164 udp_print,
165 udp_print_range 165 udp_print_range,
166#if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \
167 defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE)
168 ip_nat_port_range_to_nfattr,
169 ip_nat_port_nfattr_to_range,
170#endif
166}; 171};
diff --git a/net/ipv4/netfilter/ip_nat_proto_unknown.c b/net/ipv4/netfilter/ip_nat_proto_unknown.c
index f5525bd58d16..512d8f2fb824 100644
--- a/net/ipv4/netfilter/ip_nat_proto_unknown.c
+++ b/net/ipv4/netfilter/ip_nat_proto_unknown.c
@@ -61,7 +61,7 @@ unknown_print_range(char *buffer, const struct ip_nat_range *range)
61} 61}
62 62
63struct ip_nat_protocol ip_nat_unknown_protocol = { 63struct ip_nat_protocol ip_nat_unknown_protocol = {
64 "unknown", 0, 64 "unknown", 0, THIS_MODULE,
65 unknown_manip_pkt, 65 unknown_manip_pkt,
66 unknown_in_range, 66 unknown_in_range,
67 unknown_unique_tuple, 67 unknown_unique_tuple,
diff --git a/net/ipv4/netfilter/ip_nat_standalone.c b/net/ipv4/netfilter/ip_nat_standalone.c
index 9ecba979033a..89db052add81 100644
--- a/net/ipv4/netfilter/ip_nat_standalone.c
+++ b/net/ipv4/netfilter/ip_nat_standalone.c
@@ -394,6 +394,8 @@ module_exit(fini);
394EXPORT_SYMBOL(ip_nat_setup_info); 394EXPORT_SYMBOL(ip_nat_setup_info);
395EXPORT_SYMBOL(ip_nat_protocol_register); 395EXPORT_SYMBOL(ip_nat_protocol_register);
396EXPORT_SYMBOL(ip_nat_protocol_unregister); 396EXPORT_SYMBOL(ip_nat_protocol_unregister);
397EXPORT_SYMBOL_GPL(ip_nat_proto_find_get);
398EXPORT_SYMBOL_GPL(ip_nat_proto_put);
397EXPORT_SYMBOL(ip_nat_cheat_check); 399EXPORT_SYMBOL(ip_nat_cheat_check);
398EXPORT_SYMBOL(ip_nat_mangle_tcp_packet); 400EXPORT_SYMBOL(ip_nat_mangle_tcp_packet);
399EXPORT_SYMBOL(ip_nat_mangle_udp_packet); 401EXPORT_SYMBOL(ip_nat_mangle_udp_packet);
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index 710acd77cc4c..b0ed57981847 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -121,6 +121,7 @@ void __nfa_fill(struct sk_buff *skb, int attrtype, int attrlen,
121 nfa->nfa_type = attrtype; 121 nfa->nfa_type = attrtype;
122 nfa->nfa_len = size; 122 nfa->nfa_len = size;
123 memcpy(NFA_DATA(nfa), data, attrlen); 123 memcpy(NFA_DATA(nfa), data, attrlen);
124 memset(NFA_DATA(nfa) + attrlen, 0, NFA_ALIGN(size) - size);
124} 125}
125 126
126int nfattr_parse(struct nfattr *tb[], int maxattr, struct nfattr *nfa, int len) 127int nfattr_parse(struct nfattr *tb[], int maxattr, struct nfattr *nfa, int len)