author | Harald Welte <laforge@netfilter.org> | 2005-08-09 22:32:58 -0400 |
committer | David S. Miller <davem@sunset.davemloft.net> | 2005-08-29 18:31:49 -0400 |
commit | 080774a243f56ce2195ace96fba3d18548ee48ce (patch) | |
tree | 2065041cb2b85891ca45648122122796122c38dc | |
parent | 6f1cf16582160c4839f05007c978743911aa022b (diff) |
[NETFILTER]: Add ctnetlink subsystem
Add ctnetlink subsystem for userspace-access to ip_conntrack table.
This allows reading and updating of existing entries, as well as
creating new ones (and new expectations) via nfnetlink.
Please note the 'strange' byte order: nfattr (tag+length) are in host
byte order, while the payload is always guaranteed to be in network
byte order. This allows a simple userspace process to encapsulate netlink
messages into arch-independent udp packets by just processing/swapping the
headers and not knowing anything about the actual payload.
Signed-off-by: Harald Welte <laforge@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
23 files changed, 2277 insertions, 100 deletions
diff --git a/include/linux/netfilter/nfnetlink.h b/include/linux/netfilter/nfnetlink.h index 8f1bfb8d650b..ace7a7be0742 100644 --- a/include/linux/netfilter/nfnetlink.h +++ b/include/linux/netfilter/nfnetlink.h | |||
@@ -56,7 +56,7 @@ struct nfgenmsg { | |||
56 | u_int16_t res_id; /* resource id */ | 56 | u_int16_t res_id; /* resource id */ |
57 | } __attribute__ ((packed)); | 57 | } __attribute__ ((packed)); |
58 | 58 | ||
59 | #define NFNETLINK_V1 1 | 59 | #define NFNETLINK_V0 0 |
60 | 60 | ||
61 | #define NFM_NFA(n) ((struct nfattr *)(((char *)(n)) \ | 61 | #define NFM_NFA(n) ((struct nfattr *)(((char *)(n)) \ |
62 | + NLMSG_ALIGN(sizeof(struct nfgenmsg)))) | 62 | + NLMSG_ALIGN(sizeof(struct nfgenmsg)))) |
@@ -81,6 +81,7 @@ enum nfnl_subsys_id { | |||
81 | 81 | ||
82 | #ifdef __KERNEL__ | 82 | #ifdef __KERNEL__ |
83 | 83 | ||
84 | #include <linux/netlink.h> | ||
84 | #include <linux/capability.h> | 85 | #include <linux/capability.h> |
85 | 86 | ||
86 | struct nfnl_callback | 87 | struct nfnl_callback |
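--- /dev/null
+++ b/include/linux/netfilter/nfnetlink_conntrack.h
@@ -0,0 +1,123 @@
+#ifndef _IPCONNTRACK_NETLINK_H
+#define _IPCONNTRACK_NETLINK_H
+#include <linux/netfilter/nfnetlink.h>
+
+enum cntl_msg_types {
+IPCTNL_MSG_CT_NEW,
+IPCTNL_MSG_CT_GET,
+IPCTNL_MSG_CT_DELETE,
+IPCTNL_MSG_CT_GET_CTRZERO,
+
+IPCTNL_MSG_MAX
+};
+
+enum ctnl_exp_msg_types {
+IPCTNL_MSG_EXP_NEW,
+IPCTNL_MSG_EXP_GET,
+IPCTNL_MSG_EXP_DELETE,
+
+IPCTNL_MSG_EXP_MAX
+};
+
+
+enum ctattr_type {
+CTA_UNSPEC,
+CTA_TUPLE_ORIG,
+CTA_TUPLE_REPLY,
+CTA_STATUS,
+CTA_PROTOINFO,
+CTA_HELP,
+CTA_NAT,
+CTA_TIMEOUT,
+CTA_MARK,
+CTA_COUNTERS_ORIG,
+CTA_COUNTERS_REPLY,
+CTA_USE,
+CTA_EXPECT,
+CTA_ID,
+__CTA_MAX
+};
+#define CTA_MAX (__CTA_MAX - 1)
+
+enum ctattr_tuple {
+CTA_TUPLE_UNSPEC,
+CTA_TUPLE_IP,
+CTA_TUPLE_PROTO,
+__CTA_TUPLE_MAX
+};
+#define CTA_TUPLE_MAX (__CTA_TUPLE_MAX - 1)
+
+enum ctattr_ip {
+CTA_IP_UNSPEC,
+CTA_IP_V4_SRC,
+CTA_IP_V4_DST,
+CTA_IP_V6_SRC,
+CTA_IP_V6_DST,
+__CTA_IP_MAX
+};
+#define CTA_IP_MAX (__CTA_IP_MAX - 1)
+
+enum ctattr_l4proto {
+CTA_PROTO_UNSPEC,
+CTA_PROTO_NUM,
+CTA_PROTO_SRC_PORT,
+CTA_PROTO_DST_PORT,
+CTA_PROTO_ICMP_ID,
+CTA_PROTO_ICMP_TYPE,
+CTA_PROTO_ICMP_CODE,
+__CTA_PROTO_MAX
+};
+#define CTA_PROTO_MAX (__CTA_PROTO_MAX - 1)
+
+enum ctattr_protoinfo {
+CTA_PROTOINFO_UNSPEC,
+CTA_PROTOINFO_TCP_STATE,
+__CTA_PROTOINFO_MAX
+};
+#define CTA_PROTOINFO_MAX (__CTA_PROTOINFO_MAX - 1)
+
+enum ctattr_counters {
+CTA_COUNTERS_UNSPEC,
+CTA_COUNTERS_PACKETS,
+CTA_COUNTERS_BYTES,
+__CTA_COUNTERS_MAX
+};
+#define CTA_COUNTERS_MAX (__CTA_COUNTERS_MAX - 1)
+
+enum ctattr_nat {
+CTA_NAT_UNSPEC,
+CTA_NAT_MINIP,
+CTA_NAT_MAXIP,
+CTA_NAT_PROTO,
+__CTA_NAT_MAX
+};
+#define CTA_NAT_MAX (__CTA_NAT_MAX - 1)
+
+enum ctattr_protonat {
+CTA_PROTONAT_UNSPEC,
+CTA_PROTONAT_PORT_MIN,
+CTA_PROTONAT_PORT_MAX,
+__CTA_PROTONAT_MAX
+};
+#define CTA_PROTONAT_MAX (__CTA_PROTONAT_MAX - 1)
+
+enum ctattr_expect {
+CTA_EXPECT_UNSPEC,
+CTA_EXPECT_TUPLE,
+CTA_EXPECT_MASK,
+CTA_EXPECT_TIMEOUT,
+CTA_EXPECT_ID,
+__CTA_EXPECT_MAX
+};
+#define CTA_EXPECT_MAX (__CTA_EXPECT_MAX - 1)
+
+enum ctattr_help {
+CTA_HELP_UNSPEC,
+CTA_HELP_NAME,
+__CTA_HELP_MAX
+};
+#define CTA_HELP_MAX (__CTA_HELP_MAX - 1)
+
+#define CTA_HELP_MAXNAMESIZE 32
+
+#endif /* _IPCONNTRACK_NETLINK_H */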
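Review bot: The attribute enums say nothing about each payload's type, size or byte order, although CTA_TIMEOUT, CTA_MARK, CTA_ID, CTA_COUNTERS_* and the tuple sub-attributes will be parsed from untrusted netlink messages, and the commit message itself notes the unusual split between host-order nfattr headers and network-order payloads. A kernel parser has to check every nfattr length against the expected payload size before dereferencing it, and the header that defines the numbering is where that contract should be recorded for both the kernel side and userspace authors. I would add a header comment such as `/* nfattr headers (tag+length) are in host byte order; attribute payloads are always network byte order. Attribute types above each *_MAX must be rejected by the parser. */` and a one-line type note per attribute whose payload type is fixed (e.g. `CTA_PROTO_NUM, /* u_int8_t */`), taking the sizes from what ip_conntrack_netlink.c actually emits. Also, `enum cntl_msg_types` looks like a typo for `ctnl_msg_types`, which would match `enum ctnl_exp_msg_types` below it.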
diff --git a/include/linux/netfilter_ipv4/ip_conntrack.h b/include/linux/netfilter_ipv4/ip_conntrack.h index ae1270c97b50..ff2c1c6001f9 100644 --- a/include/linux/netfilter_ipv4/ip_conntrack.h +++ b/include/linux/netfilter_ipv4/ip_conntrack.h | |||
@@ -209,6 +209,9 @@ struct ip_conntrack | |||
209 | /* Current number of expected connections */ | 209 | /* Current number of expected connections */ |
210 | unsigned int expecting; | 210 | unsigned int expecting; |
211 | 211 | ||
212 | /* Unique ID that identifies this conntrack*/ | ||
213 | unsigned int id; | ||
214 | |||
212 | /* Helper, if any. */ | 215 | /* Helper, if any. */ |
213 | struct ip_conntrack_helper *helper; | 216 | struct ip_conntrack_helper *helper; |
214 | 217 | ||
@@ -257,6 +260,9 @@ struct ip_conntrack_expect | |||
257 | /* Usage count. */ | 260 | /* Usage count. */ |
258 | atomic_t use; | 261 | atomic_t use; |
259 | 262 | ||
263 | /* Unique ID */ | ||
264 | unsigned int id; | ||
265 | |||
260 | #ifdef CONFIG_IP_NF_NAT_NEEDED | 266 | #ifdef CONFIG_IP_NF_NAT_NEEDED |
261 | /* This is the original per-proto part, used to map the | 267 | /* This is the original per-proto part, used to map the |
262 | * expected connection the way the recipient expects. */ | 268 | * expected connection the way the recipient expects. */ |
@@ -296,7 +302,12 @@ ip_conntrack_get(const struct sk_buff *skb, enum ip_conntrack_info *ctinfo) | |||
296 | } | 302 | } |
297 | 303 | ||
298 | /* decrement reference count on a conntrack */ | 304 | /* decrement reference count on a conntrack */ |
299 | extern void ip_conntrack_put(struct ip_conntrack *ct); | 305 | static inline void |
306 | ip_conntrack_put(struct ip_conntrack *ct) | ||
307 | { | ||
308 | IP_NF_ASSERT(ct); | ||
309 | nf_conntrack_put(&ct->ct_general); | ||
310 | } | ||
300 | 311 | ||
301 | /* call to create an explicit dependency on ip_conntrack. */ | 312 | /* call to create an explicit dependency on ip_conntrack. */ |
302 | extern void need_ip_conntrack(void); | 313 | extern void need_ip_conntrack(void); |
@@ -331,6 +342,39 @@ extern void | |||
331 | ip_ct_iterate_cleanup(int (*iter)(struct ip_conntrack *i, void *data), | 342 | ip_ct_iterate_cleanup(int (*iter)(struct ip_conntrack *i, void *data), |
332 | void *data); | 343 | void *data); |
333 | 344 | ||
345 | extern struct ip_conntrack_helper * | ||
346 | __ip_conntrack_helper_find_byname(const char *); | ||
347 | extern struct ip_conntrack_helper * | ||
348 | ip_conntrack_helper_find_get(const struct ip_conntrack_tuple *tuple); | ||
349 | extern void ip_conntrack_helper_put(struct ip_conntrack_helper *helper); | ||
350 | |||
351 | extern struct ip_conntrack_protocol * | ||
352 | __ip_conntrack_proto_find(u_int8_t protocol); | ||
353 | extern struct ip_conntrack_protocol * | ||
354 | ip_conntrack_proto_find_get(u_int8_t protocol); | ||
355 | extern void ip_conntrack_proto_put(struct ip_conntrack_protocol *proto); | ||
356 | |||
357 | extern void ip_ct_remove_expectations(struct ip_conntrack *ct); | ||
358 | |||
359 | extern struct ip_conntrack *ip_conntrack_alloc(struct ip_conntrack_tuple *, | ||
360 | struct ip_conntrack_tuple *); | ||
361 | |||
362 | extern void ip_conntrack_free(struct ip_conntrack *ct); | ||
363 | |||
364 | extern void ip_conntrack_hash_insert(struct ip_conntrack *ct); | ||
365 | |||
366 | extern struct ip_conntrack_expect * | ||
367 | __ip_conntrack_expect_find(const struct ip_conntrack_tuple *tuple); | ||
368 | |||
369 | extern struct ip_conntrack_expect * | ||
370 | ip_conntrack_expect_find_get(const struct ip_conntrack_tuple *tuple); | ||
371 | |||
372 | extern struct ip_conntrack_tuple_hash * | ||
373 | __ip_conntrack_find(const struct ip_conntrack_tuple *tuple, | ||
374 | const struct ip_conntrack *ignored_conntrack); | ||
375 | |||
376 | extern void ip_conntrack_flush(void); | ||
377 | |||
334 | /* It's confirmed if it is, or has been in the hash table. */ | 378 | /* It's confirmed if it is, or has been in the hash table. */ |
335 | static inline int is_confirmed(struct ip_conntrack *ct) | 379 | static inline int is_confirmed(struct ip_conntrack *ct) |
336 | { | 380 | { |
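Review bot: The new `id` fields are described as "Unique ID", but they are 32-bit and, from the ip_conntrack_core.c hunk further down, filled by `ct->id = ++ip_conntrack_next_id` — a plain global counter, so values are predictable from userspace and repeat once the counter wraps, and a ctnetlink caller that identifies an entry by CTA_ID alone could act on the wrong conntrack after a wrap unless the tuple is matched as well. I would make that explicit here: `/* ID taken from a global counter: unique only until the 32-bit counter wraps; callers should match the tuple too rather than rely on id alone */`, and the same wording on `struct ip_conntrack_expect`, where presumably `ip_conntrack_expect_next_id` is used the same way (its assignment is not in this hunk). The lock requirements of the many new `__`-prefixed externs (`__ip_conntrack_helper_find_byname`, `__ip_conntrack_expect_find`, `__ip_conntrack_find`) are also unstated; a one-line `/* caller holds ip_conntrack_lock */` on each would save the next user from reading core.c.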
diff --git a/include/linux/netfilter_ipv4/ip_conntrack_core.h b/include/linux/netfilter_ipv4/ip_conntrack_core.h index 46eeea1e2733..fbf6c3e41647 100644 --- a/include/linux/netfilter_ipv4/ip_conntrack_core.h +++ b/include/linux/netfilter_ipv4/ip_conntrack_core.h | |||
@@ -2,6 +2,9 @@ | |||
2 | #define _IP_CONNTRACK_CORE_H | 2 | #define _IP_CONNTRACK_CORE_H |
3 | #include <linux/netfilter.h> | 3 | #include <linux/netfilter.h> |
4 | 4 | ||
5 | #define MAX_IP_CT_PROTO 256 | ||
6 | extern struct ip_conntrack_protocol *ip_ct_protos[MAX_IP_CT_PROTO]; | ||
7 | |||
5 | /* This header is used to share core functionality between the | 8 | /* This header is used to share core functionality between the |
6 | standalone connection tracking module, and the compatibility layer's use | 9 | standalone connection tracking module, and the compatibility layer's use |
7 | of connection tracking. */ | 10 | of connection tracking. */ |
@@ -53,6 +56,8 @@ struct ip_conntrack_ecache; | |||
53 | extern void __ip_ct_deliver_cached_events(struct ip_conntrack_ecache *ec); | 56 | extern void __ip_ct_deliver_cached_events(struct ip_conntrack_ecache *ec); |
54 | #endif | 57 | #endif |
55 | 58 | ||
59 | extern void __ip_ct_expect_unlink_destroy(struct ip_conntrack_expect *exp); | ||
60 | |||
56 | extern struct list_head *ip_conntrack_hash; | 61 | extern struct list_head *ip_conntrack_hash; |
57 | extern struct list_head ip_conntrack_expect_list; | 62 | extern struct list_head ip_conntrack_expect_list; |
58 | extern rwlock_t ip_conntrack_lock; | 63 | extern rwlock_t ip_conntrack_lock; |
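Review bot: `__ip_ct_expect_unlink_destroy()` is exported here without a locking note, yet from the ip_conntrack_core.c hunk below it calls `unlink_expect()`, which edits the global expectation list, and the leading double underscore in this header marks the caller-locks variants; a new ctnetlink caller that forgets the write lock would race the expectation timeout path. I would document it at the declaration: `/* Unlink an expectation and drop the list's reference; caller must hold ip_conntrack_lock for writing. */` — assuming that is the rule `unlink_expect()` follows, which is not visible in this hunk. Moving `MAX_IP_CT_PROTO` and `ip_ct_protos[]` into the core header deserves a comment saying they are raw, unreferenced table accessors and that modules should use `ip_conntrack_proto_find_get()` instead.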
diff --git a/include/linux/netfilter_ipv4/ip_conntrack_helper.h b/include/linux/netfilter_ipv4/ip_conntrack_helper.h index 3692daa93dec..8d69279ccfe4 100644 --- a/include/linux/netfilter_ipv4/ip_conntrack_helper.h +++ b/include/linux/netfilter_ipv4/ip_conntrack_helper.h | |||
@@ -24,6 +24,8 @@ struct ip_conntrack_helper | |||
24 | int (*help)(struct sk_buff **pskb, | 24 | int (*help)(struct sk_buff **pskb, |
25 | struct ip_conntrack *ct, | 25 | struct ip_conntrack *ct, |
26 | enum ip_conntrack_info conntrackinfo); | 26 | enum ip_conntrack_info conntrackinfo); |
27 | |||
28 | int (*to_nfattr)(struct sk_buff *skb, const struct ip_conntrack *ct); | ||
27 | }; | 29 | }; |
28 | 30 | ||
29 | extern int ip_conntrack_helper_register(struct ip_conntrack_helper *); | 31 | extern int ip_conntrack_helper_register(struct ip_conntrack_helper *); |
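Review bot: The new `to_nfattr` callback has no comment, unlike `help` above it, so a helper author cannot tell what it should emit, whether it may be left NULL, or what return value signals failure (for instance the skb running out of room). I would add, in the style of the existing fields, `/* Emit helper-private state as nfnetlink attributes into skb; may be NULL; return non-zero on failure */` — the NULL-allowed and return-value conventions are not stated anywhere in this change that I can see and should be written to match what ip_conntrack_netlink.c actually does when it calls the hook.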
diff --git a/include/linux/netfilter_ipv4/ip_conntrack_protocol.h b/include/linux/netfilter_ipv4/ip_conntrack_protocol.h index e20b57c5e1b7..b6b99be8632a 100644 --- a/include/linux/netfilter_ipv4/ip_conntrack_protocol.h +++ b/include/linux/netfilter_ipv4/ip_conntrack_protocol.h | |||
@@ -2,6 +2,7 @@ | |||
2 | #ifndef _IP_CONNTRACK_PROTOCOL_H | 2 | #ifndef _IP_CONNTRACK_PROTOCOL_H |
3 | #define _IP_CONNTRACK_PROTOCOL_H | 3 | #define _IP_CONNTRACK_PROTOCOL_H |
4 | #include <linux/netfilter_ipv4/ip_conntrack.h> | 4 | #include <linux/netfilter_ipv4/ip_conntrack.h> |
5 | #include <linux/netfilter/nfnetlink_conntrack.h> | ||
5 | 6 | ||
6 | struct seq_file; | 7 | struct seq_file; |
7 | 8 | ||
@@ -47,22 +48,22 @@ struct ip_conntrack_protocol | |||
47 | int (*error)(struct sk_buff *skb, enum ip_conntrack_info *ctinfo, | 48 | int (*error)(struct sk_buff *skb, enum ip_conntrack_info *ctinfo, |
48 | unsigned int hooknum); | 49 | unsigned int hooknum); |
49 | 50 | ||
51 | /* convert protoinfo to nfnetink attributes */ | ||
52 | int (*to_nfattr)(struct sk_buff *skb, struct nfattr *nfa, | ||
53 | const struct ip_conntrack *ct); | ||
54 | |||
55 | int (*tuple_to_nfattr)(struct sk_buff *skb, | ||
56 | const struct ip_conntrack_tuple *t); | ||
57 | int (*nfattr_to_tuple)(struct nfattr *tb[], | ||
58 | struct ip_conntrack_tuple *t); | ||
59 | |||
50 | /* Module (if any) which this is connected to. */ | 60 | /* Module (if any) which this is connected to. */ |
51 | struct module *me; | 61 | struct module *me; |
52 | }; | 62 | }; |
53 | 63 | ||
54 | #define MAX_IP_CT_PROTO 256 | ||
55 | extern struct ip_conntrack_protocol *ip_ct_protos[MAX_IP_CT_PROTO]; | ||
56 | |||
57 | /* Protocol registration. */ | 64 | /* Protocol registration. */ |
58 | extern int ip_conntrack_protocol_register(struct ip_conntrack_protocol *proto); | 65 | extern int ip_conntrack_protocol_register(struct ip_conntrack_protocol *proto); |
59 | extern void ip_conntrack_protocol_unregister(struct ip_conntrack_protocol *proto); | 66 | extern void ip_conntrack_protocol_unregister(struct ip_conntrack_protocol *proto); |
60 | |||
61 | static inline struct ip_conntrack_protocol *ip_ct_find_proto(u_int8_t protocol) | ||
62 | { | ||
63 | return ip_ct_protos[protocol]; | ||
64 | } | ||
65 | |||
66 | /* Existing built-in protocols */ | 67 | /* Existing built-in protocols */ |
67 | extern struct ip_conntrack_protocol ip_conntrack_protocol_tcp; | 68 | extern struct ip_conntrack_protocol ip_conntrack_protocol_tcp; |
68 | extern struct ip_conntrack_protocol ip_conntrack_protocol_udp; | 69 | extern struct ip_conntrack_protocol ip_conntrack_protocol_udp; |
@@ -73,6 +74,11 @@ extern int ip_conntrack_protocol_tcp_init(void); | |||
73 | /* Log invalid packets */ | 74 | /* Log invalid packets */ |
74 | extern unsigned int ip_ct_log_invalid; | 75 | extern unsigned int ip_ct_log_invalid; |
75 | 76 | ||
77 | extern int ip_ct_port_tuple_to_nfattr(struct sk_buff *, | ||
78 | const struct ip_conntrack_tuple *); | ||
79 | extern int ip_ct_port_nfattr_to_tuple(struct nfattr *tb[], | ||
80 | struct ip_conntrack_tuple *); | ||
81 | |||
76 | #ifdef CONFIG_SYSCTL | 82 | #ifdef CONFIG_SYSCTL |
77 | #ifdef DEBUG_INVALID_PACKETS | 83 | #ifdef DEBUG_INVALID_PACKETS |
78 | #define LOG_INVALID(proto) \ | 84 | #define LOG_INVALID(proto) \ |
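Review bot: `nfattr_to_tuple` is the one hook here that consumes attributes parsed from a userspace netlink message, and nothing states who validates them: whether `tb[]` is indexed by attribute type minus one, whether required entries may be NULL, and whether each payload length has already been checked against the expected size (a u_int16_t port, a u_int8_t protocol number) before the callback reads it. Since every protocol module (tcp, udp, icmp, sctp) will implement this, the contract belongs once at the declaration, e.g. `/* Fill t from user-supplied attributes in tb[]; entries may be NULL and payload lengths are NOT pre-checked — validate before dereferencing; return non-zero to reject. */`, adjusted to whatever ip_conntrack_netlink.c really guarantees. The comment on `to_nfattr` also has a typo, "nfnetink". Finally, removing the inline `ip_ct_find_proto()` is an interface change for out-of-tree modules; a line pointing them at `ip_conntrack_proto_find_get()`/`ip_conntrack_proto_put()` and noting that `__ip_conntrack_proto_find()` takes no reference would soften it.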
diff --git a/include/linux/netfilter_ipv4/ip_nat_protocol.h b/include/linux/netfilter_ipv4/ip_nat_protocol.h index 129708c22386..ef63aa991a06 100644 --- a/include/linux/netfilter_ipv4/ip_nat_protocol.h +++ b/include/linux/netfilter_ipv4/ip_nat_protocol.h | |||
@@ -4,6 +4,9 @@ | |||
4 | #include <linux/init.h> | 4 | #include <linux/init.h> |
5 | #include <linux/list.h> | 5 | #include <linux/list.h> |
6 | 6 | ||
7 | #include <linux/netfilter_ipv4/ip_nat.h> | ||
8 | #include <linux/netfilter/nfnetlink_conntrack.h> | ||
9 | |||
7 | struct iphdr; | 10 | struct iphdr; |
8 | struct ip_nat_range; | 11 | struct ip_nat_range; |
9 | 12 | ||
@@ -15,6 +18,8 @@ struct ip_nat_protocol | |||
15 | /* Protocol number. */ | 18 | /* Protocol number. */ |
16 | unsigned int protonum; | 19 | unsigned int protonum; |
17 | 20 | ||
21 | struct module *me; | ||
22 | |||
18 | /* Translate a packet to the target according to manip type. | 23 | /* Translate a packet to the target according to manip type. |
19 | Return true if succeeded. */ | 24 | Return true if succeeded. */ |
20 | int (*manip_pkt)(struct sk_buff **pskb, | 25 | int (*manip_pkt)(struct sk_buff **pskb, |
@@ -43,19 +48,20 @@ struct ip_nat_protocol | |||
43 | 48 | ||
44 | unsigned int (*print_range)(char *buffer, | 49 | unsigned int (*print_range)(char *buffer, |
45 | const struct ip_nat_range *range); | 50 | const struct ip_nat_range *range); |
46 | }; | ||
47 | 51 | ||
48 | #define MAX_IP_NAT_PROTO 256 | 52 | int (*range_to_nfattr)(struct sk_buff *skb, |
49 | extern struct ip_nat_protocol *ip_nat_protos[MAX_IP_NAT_PROTO]; | 53 | const struct ip_nat_range *range); |
54 | |||
55 | int (*nfattr_to_range)(struct nfattr *tb[], | ||
56 | struct ip_nat_range *range); | ||
57 | }; | ||
50 | 58 | ||
51 | /* Protocol registration. */ | 59 | /* Protocol registration. */ |
52 | extern int ip_nat_protocol_register(struct ip_nat_protocol *proto); | 60 | extern int ip_nat_protocol_register(struct ip_nat_protocol *proto); |
53 | extern void ip_nat_protocol_unregister(struct ip_nat_protocol *proto); | 61 | extern void ip_nat_protocol_unregister(struct ip_nat_protocol *proto); |
54 | 62 | ||
55 | static inline struct ip_nat_protocol *ip_nat_find_proto(u_int8_t protocol) | 63 | extern struct ip_nat_protocol *ip_nat_proto_find_get(u_int8_t protocol); |
56 | { | 64 | extern void ip_nat_proto_put(struct ip_nat_protocol *proto); |
57 | return ip_nat_protos[protocol]; | ||
58 | } | ||
59 | 65 | ||
60 | /* Built-in protocols. */ | 66 | /* Built-in protocols. */ |
61 | extern struct ip_nat_protocol ip_nat_protocol_tcp; | 67 | extern struct ip_nat_protocol ip_nat_protocol_tcp; |
@@ -67,4 +73,9 @@ extern int init_protocols(void) __init; | |||
67 | extern void cleanup_protocols(void); | 73 | extern void cleanup_protocols(void); |
68 | extern struct ip_nat_protocol *find_nat_proto(u_int16_t protonum); | 74 | extern struct ip_nat_protocol *find_nat_proto(u_int16_t protonum); |
69 | 75 | ||
76 | extern int ip_nat_port_range_to_nfattr(struct sk_buff *skb, | ||
77 | const struct ip_nat_range *range); | ||
78 | extern int ip_nat_port_nfattr_to_range(struct nfattr *tb[], | ||
79 | struct ip_nat_range *range); | ||
80 | |||
70 | #endif /*_IP_NAT_PROTO_H*/ | 81 | #endif /*_IP_NAT_PROTO_H*/ |
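Review bot: The new `struct module *me` field carries no comment, and the pairing it creates between `ip_nat_proto_find_get()` and `ip_nat_proto_put()` is undocumented, so a caller may not realise that the returned pointer is only safe to hold while that reference is held. I would comment the field `/* Owning module; pinned by ip_nat_proto_find_get(), released by ip_nat_proto_put() */` and the declarations `/* Look up a NAT protocol by number and take a reference on its module; returns NULL if none is registered or the module is going away. Pair with ip_nat_proto_put(). */`. Whether the built-in protocols leave `me` NULL or set it to `THIS_MODULE` is not visible here and should be confirmed. `nfattr_to_range` has the same unstated validation duty on the user-supplied `tb[]` as the conntrack-side `nfattr_to_tuple`, and `ip_nat_proto_find_get()` taking `u_int8_t` while the existing `find_nat_proto()` takes `u_int16_t` is an inconsistency worth a note.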
diff --git a/net/ipv4/netfilter/Kconfig b/net/ipv4/netfilter/Kconfig index ff3393eba924..e47ba39eb657 100644 --- a/net/ipv4/netfilter/Kconfig +++ b/net/ipv4/netfilter/Kconfig | |||
@@ -702,5 +702,12 @@ config IP_NF_ARP_MANGLE | |||
702 | Allows altering the ARP packet payload: source and destination | 702 | Allows altering the ARP packet payload: source and destination |
703 | hardware and network addresses. | 703 | hardware and network addresses. |
704 | 704 | ||
705 | config IP_NF_CONNTRACK_NETLINK | ||
706 | tristate 'Connection tracking netlink interface' | ||
707 | depends on IP_NF_CONNTRACK && NETFILTER_NETLINK | ||
708 | help | ||
709 | This option enables support for a netlink-based userspace interface | ||
710 | |||
711 | |||
705 | endmenu | 712 | endmenu |
706 | 713 | ||
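Review bot: The help text stops mid-sentence at "netlink-based userspace interface" and is followed by two empty lines, so the configuration tools will show an incomplete description. I would finish it along the lines of the commit message: `This option enables support for a netlink-based userspace interface to the connection tracking table (ctnetlink), allowing existing entries and expectations to be read, updated and deleted and new ones created via nfnetlink.` and drop the trailing blank lines before `endmenu`.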
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile index 45796d5924dd..abf2a7d1a584 100644 --- a/net/ipv4/netfilter/Makefile +++ b/net/ipv4/netfilter/Makefile | |||
@@ -9,6 +9,10 @@ iptable_nat-objs := ip_nat_standalone.o ip_nat_rule.o ip_nat_core.o ip_nat_helpe | |||
9 | # connection tracking | 9 | # connection tracking |
10 | obj-$(CONFIG_IP_NF_CONNTRACK) += ip_conntrack.o | 10 | obj-$(CONFIG_IP_NF_CONNTRACK) += ip_conntrack.o |
11 | 11 | ||
12 | # conntrack netlink interface | ||
13 | obj-$(CONFIG_IP_NF_CONNTRACK_NETLINK) += ip_conntrack_netlink.o | ||
14 | |||
15 | |||
12 | # SCTP protocol connection tracking | 16 | # SCTP protocol connection tracking |
13 | obj-$(CONFIG_IP_NF_CT_PROTO_SCTP) += ip_conntrack_proto_sctp.o | 17 | obj-$(CONFIG_IP_NF_CT_PROTO_SCTP) += ip_conntrack_proto_sctp.o |
14 | 18 | ||
diff --git a/net/ipv4/netfilter/ip_conntrack_core.c b/net/ipv4/netfilter/ip_conntrack_core.c index caf89deae116..d9fddae8d787 100644 --- a/net/ipv4/netfilter/ip_conntrack_core.c +++ b/net/ipv4/netfilter/ip_conntrack_core.c | |||
@@ -50,7 +50,7 @@ | |||
50 | #include <linux/netfilter_ipv4/ip_conntrack_core.h> | 50 | #include <linux/netfilter_ipv4/ip_conntrack_core.h> |
51 | #include <linux/netfilter_ipv4/listhelp.h> | 51 | #include <linux/netfilter_ipv4/listhelp.h> |
52 | 52 | ||
53 | #define IP_CONNTRACK_VERSION "2.2" | 53 | #define IP_CONNTRACK_VERSION "2.3" |
54 | 54 | ||
55 | #if 0 | 55 | #if 0 |
56 | #define DEBUGP printk | 56 | #define DEBUGP printk |
@@ -77,6 +77,8 @@ unsigned int ip_ct_log_invalid; | |||
77 | static LIST_HEAD(unconfirmed); | 77 | static LIST_HEAD(unconfirmed); |
78 | static int ip_conntrack_vmalloc; | 78 | static int ip_conntrack_vmalloc; |
79 | 79 | ||
80 | static unsigned int ip_conntrack_next_id = 1; | ||
81 | static unsigned int ip_conntrack_expect_next_id = 1; | ||
80 | #ifdef CONFIG_IP_NF_CONNTRACK_EVENTS | 82 | #ifdef CONFIG_IP_NF_CONNTRACK_EVENTS |
81 | struct notifier_block *ip_conntrack_chain; | 83 | struct notifier_block *ip_conntrack_chain; |
82 | struct notifier_block *ip_conntrack_expect_chain; | 84 | struct notifier_block *ip_conntrack_expect_chain; |
@@ -154,13 +156,6 @@ void ip_conntrack_event_cache_init(const struct sk_buff *skb) | |||
154 | 156 | ||
155 | DEFINE_PER_CPU(struct ip_conntrack_stat, ip_conntrack_stat); | 157 | DEFINE_PER_CPU(struct ip_conntrack_stat, ip_conntrack_stat); |
156 | 158 | ||
157 | void | ||
158 | ip_conntrack_put(struct ip_conntrack *ct) | ||
159 | { | ||
160 | IP_NF_ASSERT(ct); | ||
161 | nf_conntrack_put(&ct->ct_general); | ||
162 | } | ||
163 | |||
164 | static int ip_conntrack_hash_rnd_initted; | 159 | static int ip_conntrack_hash_rnd_initted; |
165 | static unsigned int ip_conntrack_hash_rnd; | 160 | static unsigned int ip_conntrack_hash_rnd; |
166 | 161 | ||
@@ -222,6 +217,12 @@ static void unlink_expect(struct ip_conntrack_expect *exp) | |||
222 | exp->master->expecting--; | 217 | exp->master->expecting--; |
223 | } | 218 | } |
224 | 219 | ||
220 | void __ip_ct_expect_unlink_destroy(struct ip_conntrack_expect *exp) | ||
221 | { | ||
222 | unlink_expect(exp); | ||
223 | ip_conntrack_expect_put(exp); | ||
224 | } | ||
225 | |||
225 | static void expectation_timed_out(unsigned long ul_expect) | 226 | static void expectation_timed_out(unsigned long ul_expect) |
226 | { | 227 | { |
227 | struct ip_conntrack_expect *exp = (void *)ul_expect; | 228 | struct ip_conntrack_expect *exp = (void *)ul_expect; |
@@ -232,6 +233,33 @@ static void expectation_timed_out(unsigned long ul_expect) | |||
232 | ip_conntrack_expect_put(exp); | 233 | ip_conntrack_expect_put(exp); |
233 | } | 234 | } |
234 | 235 | ||
236 | struct ip_conntrack_expect * | ||
237 | __ip_conntrack_expect_find(const struct ip_conntrack_tuple *tuple) | ||
238 | { | ||
239 | struct ip_conntrack_expect *i; | ||
240 | |||
241 | list_for_each_entry(i, &ip_conntrack_expect_list, list) { | ||
242 | if (ip_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask)) { | ||
243 | atomic_inc(&i->use); | ||
244 | return i; | ||
245 | } | ||
246 | } | ||
247 | return NULL; | ||
248 | } | ||
249 | |||
250 | /* Just find a expectation corresponding to a tuple. */ | ||
251 | struct ip_conntrack_expect * | ||
252 | ip_conntrack_expect_find_get(const struct ip_conntrack_tuple *tuple) | ||
253 | { | ||
254 | struct ip_conntrack_expect *i; | ||
255 | |||
256 | read_lock_bh(&ip_conntrack_lock); | ||
257 | i = __ip_conntrack_expect_find(tuple); | ||
258 | read_unlock_bh(&ip_conntrack_lock); | ||
259 | |||
260 | return i; | ||
261 | } | ||
262 | |||
235 | /* If an expectation for this connection is found, it gets delete from | 263 | /* If an expectation for this connection is found, it gets delete from |
236 | * global list then returned. */ | 264 | * global list then returned. */ |
237 | static struct ip_conntrack_expect * | 265 | static struct ip_conntrack_expect * |
@@ -256,7 +284,7 @@ find_expectation(const struct ip_conntrack_tuple *tuple) | |||
256 | } | 284 | } |
257 | 285 | ||
258 | /* delete all expectations for this conntrack */ | 286 | /* delete all expectations for this conntrack */ |
259 | static void remove_expectations(struct ip_conntrack *ct) | 287 | void ip_ct_remove_expectations(struct ip_conntrack *ct) |
260 | { | 288 | { |
261 | struct ip_conntrack_expect *i, *tmp; | 289 | struct ip_conntrack_expect *i, *tmp; |
262 | 290 | ||
@@ -286,7 +314,7 @@ clean_from_lists(struct ip_conntrack *ct) | |||
286 | LIST_DELETE(&ip_conntrack_hash[hr], &ct->tuplehash[IP_CT_DIR_REPLY]); | 314 | LIST_DELETE(&ip_conntrack_hash[hr], &ct->tuplehash[IP_CT_DIR_REPLY]); |
287 | 315 | ||
288 | /* Destroy all pending expectations */ | 316 | /* Destroy all pending expectations */ |
289 | remove_expectations(ct); | 317 | ip_ct_remove_expectations(ct); |
290 | } | 318 | } |
291 | 319 | ||
292 | static void | 320 | static void |
@@ -304,7 +332,7 @@ destroy_conntrack(struct nf_conntrack *nfct) | |||
304 | /* To make sure we don't get any weird locking issues here: | 332 | /* To make sure we don't get any weird locking issues here: |
305 | * destroy_conntrack() MUST NOT be called with a write lock | 333 | * destroy_conntrack() MUST NOT be called with a write lock |
306 | * to ip_conntrack_lock!!! -HW */ | 334 | * to ip_conntrack_lock!!! -HW */ |
307 | proto = ip_ct_find_proto(ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.protonum); | 335 | proto = __ip_conntrack_proto_find(ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.protonum); |
308 | if (proto && proto->destroy) | 336 | if (proto && proto->destroy) |
309 | proto->destroy(ct); | 337 | proto->destroy(ct); |
310 | 338 | ||
@@ -316,7 +344,7 @@ destroy_conntrack(struct nf_conntrack *nfct) | |||
316 | * except TFTP can create an expectation on the first packet, | 344 | * except TFTP can create an expectation on the first packet, |
317 | * before connection is in the list, so we need to clean here, | 345 | * before connection is in the list, so we need to clean here, |
318 | * too. */ | 346 | * too. */ |
319 | remove_expectations(ct); | 347 | ip_ct_remove_expectations(ct); |
320 | 348 | ||
321 | /* We overload first tuple to link into unconfirmed list. */ | 349 | /* We overload first tuple to link into unconfirmed list. */ |
322 | if (!is_confirmed(ct)) { | 350 | if (!is_confirmed(ct)) { |
@@ -331,8 +359,7 @@ destroy_conntrack(struct nf_conntrack *nfct) | |||
331 | ip_conntrack_put(ct->master); | 359 | ip_conntrack_put(ct->master); |
332 | 360 | ||
333 | DEBUGP("destroy_conntrack: returning ct=%p to slab\n", ct); | 361 | DEBUGP("destroy_conntrack: returning ct=%p to slab\n", ct); |
334 | kmem_cache_free(ip_conntrack_cachep, ct); | 362 | ip_conntrack_free(ct); |
335 | atomic_dec(&ip_conntrack_count); | ||
336 | } | 363 | } |
337 | 364 | ||
338 | static void death_by_timeout(unsigned long ul_conntrack) | 365 | static void death_by_timeout(unsigned long ul_conntrack) |
@@ -359,7 +386,7 @@ conntrack_tuple_cmp(const struct ip_conntrack_tuple_hash *i, | |||
359 | && ip_ct_tuple_equal(tuple, &i->tuple); | 386 | && ip_ct_tuple_equal(tuple, &i->tuple); |
360 | } | 387 | } |
361 | 388 | ||
362 | static struct ip_conntrack_tuple_hash * | 389 | struct ip_conntrack_tuple_hash * |
363 | __ip_conntrack_find(const struct ip_conntrack_tuple *tuple, | 390 | __ip_conntrack_find(const struct ip_conntrack_tuple *tuple, |
364 | const struct ip_conntrack *ignored_conntrack) | 391 | const struct ip_conntrack *ignored_conntrack) |
365 | { | 392 | { |
@@ -394,6 +421,29 @@ ip_conntrack_find_get(const struct ip_conntrack_tuple *tuple, | |||
394 | return h; | 421 | return h; |
395 | } | 422 | } |
396 | 423 | ||
424 | static void __ip_conntrack_hash_insert(struct ip_conntrack *ct, | ||
425 | unsigned int hash, | ||
426 | unsigned int repl_hash) | ||
427 | { | ||
428 | ct->id = ++ip_conntrack_next_id; | ||
429 | list_prepend(&ip_conntrack_hash[hash], | ||
430 | &ct->tuplehash[IP_CT_DIR_ORIGINAL].list); | ||
431 | list_prepend(&ip_conntrack_hash[repl_hash], | ||
432 | &ct->tuplehash[IP_CT_DIR_REPLY].list); | ||
433 | } | ||
434 | |||
435 | void ip_conntrack_hash_insert(struct ip_conntrack *ct) | ||
436 | { | ||
437 | unsigned int hash, repl_hash; | ||
438 | |||
439 | hash = hash_conntrack(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple); | ||
440 | repl_hash = hash_conntrack(&ct->tuplehash[IP_CT_DIR_REPLY].tuple); | ||
441 | |||
442 | write_lock_bh(&ip_conntrack_lock); | ||
443 | __ip_conntrack_hash_insert(ct, hash, repl_hash); | ||
444 | write_unlock_bh(&ip_conntrack_lock); | ||
445 | } | ||
446 | |||
397 | /* Confirm a connection given skb; places it in hash table */ | 447 | /* Confirm a connection given skb; places it in hash table */ |
398 | int | 448 | int |
399 | __ip_conntrack_confirm(struct sk_buff **pskb) | 449 | __ip_conntrack_confirm(struct sk_buff **pskb) |
@@ -440,10 +490,7 @@ __ip_conntrack_confirm(struct sk_buff **pskb) | |||
440 | /* Remove from unconfirmed list */ | 490 | /* Remove from unconfirmed list */ |
441 | list_del(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list); | 491 | list_del(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list); |
442 | 492 | ||
443 | list_prepend(&ip_conntrack_hash[hash], | 493 | __ip_conntrack_hash_insert(ct, hash, repl_hash); |
444 | &ct->tuplehash[IP_CT_DIR_ORIGINAL]); | ||
445 | list_prepend(&ip_conntrack_hash[repl_hash], | ||
446 | &ct->tuplehash[IP_CT_DIR_REPLY]); | ||
447 | /* Timer relative to confirmation time, not original | 494 | /* Timer relative to confirmation time, not original |
448 | setting time, otherwise we'd get timer wrap in | 495 | setting time, otherwise we'd get timer wrap in |
449 | weird delay cases. */ | 496 | weird delay cases. */ |
@@ -527,34 +574,84 @@ static inline int helper_cmp(const struct ip_conntrack_helper *i, | |||
527 | return ip_ct_tuple_mask_cmp(rtuple, &i->tuple, &i->mask); | 574 | return ip_ct_tuple_mask_cmp(rtuple, &i->tuple, &i->mask); |
528 | } | 575 | } |
529 | 576 | ||
530 | static struct ip_conntrack_helper *ip_ct_find_helper(const struct ip_conntrack_tuple *tuple) | 577 | static struct ip_conntrack_helper * |
578 | __ip_conntrack_helper_find( const struct ip_conntrack_tuple *tuple) | ||
531 | { | 579 | { |
532 | return LIST_FIND(&helpers, helper_cmp, | 580 | return LIST_FIND(&helpers, helper_cmp, |
533 | struct ip_conntrack_helper *, | 581 | struct ip_conntrack_helper *, |
534 | tuple); | 582 | tuple); |
535 | } | 583 | } |
536 | 584 | ||
537 | /* Allocate a new conntrack: we return -ENOMEM if classification | 585 | struct ip_conntrack_helper * |
538 | failed due to stress. Otherwise it really is unclassifiable. */ | 586 | ip_conntrack_helper_find_get( const struct ip_conntrack_tuple *tuple) |
539 | static struct ip_conntrack_tuple_hash * | 587 | { |
540 | init_conntrack(const struct ip_conntrack_tuple *tuple, | 588 | struct ip_conntrack_helper *helper; |
541 | struct ip_conntrack_protocol *protocol, | 589 | |
542 | struct sk_buff *skb) | 590 | /* need ip_conntrack_lock to assure that helper exists until |
591 | * try_module_get() is called */ | ||
592 | read_lock_bh(&ip_conntrack_lock); | ||
593 | |||
594 | helper = __ip_conntrack_helper_find(tuple); | ||
595 | if (helper) { | ||
596 | /* need to increase module usage count to assure helper will | ||
597 | * not go away while the caller is e.g. busy putting a | ||
598 | * conntrack in the hash that uses the helper */ | ||
599 | if (!try_module_get(helper->me)) | ||
600 | helper = NULL; | ||
601 | } | ||
602 | |||
603 | read_unlock_bh(&ip_conntrack_lock); | ||
604 | |||
605 | return helper; | ||
606 | } | ||
607 | |||
608 | void ip_conntrack_helper_put(struct ip_conntrack_helper *helper) | ||
609 | { | ||
610 | module_put(helper->me); | ||
611 | } | ||
612 | |||
613 | struct ip_conntrack_protocol * | ||
614 | __ip_conntrack_proto_find(u_int8_t protocol) | ||
615 | { | ||
616 | return ip_ct_protos[protocol]; | ||
617 | } | ||
618 | |||
619 | /* this is guaranteed to always return a valid protocol helper, since | ||
620 | * it falls back to generic_protocol */ | ||
621 | struct ip_conntrack_protocol * | ||
622 | ip_conntrack_proto_find_get(u_int8_t protocol) | ||
623 | { | ||
624 | struct ip_conntrack_protocol *p; | ||
625 | |||
626 | preempt_disable(); | ||
627 | p = __ip_conntrack_proto_find(protocol); | ||
628 | if (p) { | ||
629 | if (!try_module_get(p->me)) | ||
630 | p = &ip_conntrack_generic_protocol; | ||
631 | } | ||
632 | preempt_enable(); | ||
633 | |||
634 | return p; | ||
635 | } | ||
636 | |||
637 | void ip_conntrack_proto_put(struct ip_conntrack_protocol *p) | ||
638 | { | ||
639 | module_put(p->me); | ||
640 | } | ||
641 | |||
642 | struct ip_conntrack *ip_conntrack_alloc(struct ip_conntrack_tuple *orig, | ||
643 | struct ip_conntrack_tuple *repl) | ||
543 | { | 644 | { |
544 | struct ip_conntrack *conntrack; | 645 | struct ip_conntrack *conntrack; |
545 | struct ip_conntrack_tuple repl_tuple; | ||
546 | size_t hash; | ||
547 | struct ip_conntrack_expect *exp; | ||
548 | 646 | ||
549 | if (!ip_conntrack_hash_rnd_initted) { | 647 | if (!ip_conntrack_hash_rnd_initted) { |
550 | get_random_bytes(&ip_conntrack_hash_rnd, 4); | 648 | get_random_bytes(&ip_conntrack_hash_rnd, 4); |
551 | ip_conntrack_hash_rnd_initted = 1; | 649 | ip_conntrack_hash_rnd_initted = 1; |
552 | } | 650 | } |
553 | 651 | ||
554 | hash = hash_conntrack(tuple); | ||
555 | |||
556 | if (ip_conntrack_max | 652 | if (ip_conntrack_max |
557 | && atomic_read(&ip_conntrack_count) >= ip_conntrack_max) { | 653 | && atomic_read(&ip_conntrack_count) >= ip_conntrack_max) { |
654 | unsigned int hash = hash_conntrack(orig); | ||
558 | /* Try dropping from this hash chain. */ | 655 | /* Try dropping from this hash chain. */ |
559 | if (!early_drop(&ip_conntrack_hash[hash])) { | 656 | if (!early_drop(&ip_conntrack_hash[hash])) { |
560 | if (net_ratelimit()) | 657 | if (net_ratelimit()) |
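Review bot: The comment on ip_conntrack_proto_find_get says it always returns a valid protocol because it falls back to generic, but the body returns NULL whenever __ip_conntrack_proto_find does and only substitutes ip_conntrack_generic_protocol when try_module_get fails; either drop the `if (p)` guard (if ip_ct_protos[] is always populated) or correct the comment. The get/put contract is also undocumented, and it is already misused: the visible caller ctnetlink_dump_tuples_proto takes the reference and never calls ip_conntrack_proto_put, leaking a module reference per dumped tuple. Suggest adding `/* Returns a protocol with a module reference held; caller must ip_conntrack_proto_put() it. Falls back to generic_protocol only when the module is going away. */` and, for ip_conntrack_helper_find_get, the matching note that a non-NULL result must be released with ip_conntrack_helper_put. Using preempt_disable() as the only thing pinning the protocol between lookup and try_module_get presumably relies on stop_machine-style unloading and deserves the same kind of comment the helper variant carries for ip_conntrack_lock. ip_conntrack_alloc continues past the end of this hunk.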
@@ -565,31 +662,58 @@ init_conntrack(const struct ip_conntrack_tuple *tuple, | |||
565 | } | 662 | } |
566 | } | 663 | } |
567 | 664 | ||
568 | if (!ip_ct_invert_tuple(&repl_tuple, tuple, protocol)) { | ||
569 | DEBUGP("Can't invert tuple.\n"); | ||
570 | return NULL; | ||
571 | } | ||
572 | |||
573 | conntrack = kmem_cache_alloc(ip_conntrack_cachep, GFP_ATOMIC); | 665 | conntrack = kmem_cache_alloc(ip_conntrack_cachep, GFP_ATOMIC); |
574 | if (!conntrack) { | 666 | if (!conntrack) { |
575 | DEBUGP("Can't allocate conntrack.\n"); | 667 | DEBUGP("Can't allocate conntrack.\n"); |
576 | return ERR_PTR(-ENOMEM); | 668 | return NULL; |
577 | } | 669 | } |
578 | 670 | ||
579 | memset(conntrack, 0, sizeof(*conntrack)); | 671 | memset(conntrack, 0, sizeof(*conntrack)); |
580 | atomic_set(&conntrack->ct_general.use, 1); | 672 | atomic_set(&conntrack->ct_general.use, 1); |
581 | conntrack->ct_general.destroy = destroy_conntrack; | 673 | conntrack->ct_general.destroy = destroy_conntrack; |
582 | conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple = *tuple; | 674 | conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple = *orig; |
583 | conntrack->tuplehash[IP_CT_DIR_REPLY].tuple = repl_tuple; | 675 | conntrack->tuplehash[IP_CT_DIR_REPLY].tuple = *repl; |
584 | if (!protocol->new(conntrack, skb)) { | ||
585 | kmem_cache_free(ip_conntrack_cachep, conntrack); | ||
586 | return NULL; | ||
587 | } | ||
588 | /* Don't set timer yet: wait for confirmation */ | 676 | /* Don't set timer yet: wait for confirmation */ |
589 | init_timer(&conntrack->timeout); | 677 | init_timer(&conntrack->timeout); |
590 | conntrack->timeout.data = (unsigned long)conntrack; | 678 | conntrack->timeout.data = (unsigned long)conntrack; |
591 | conntrack->timeout.function = death_by_timeout; | 679 | conntrack->timeout.function = death_by_timeout; |
592 | 680 | ||
681 | atomic_inc(&ip_conntrack_count); | ||
682 | |||
683 | return conntrack; | ||
684 | } | ||
685 | |||
686 | void | ||
687 | ip_conntrack_free(struct ip_conntrack *conntrack) | ||
688 | { | ||
689 | atomic_dec(&ip_conntrack_count); | ||
690 | kmem_cache_free(ip_conntrack_cachep, conntrack); | ||
691 | } | ||
692 | |||
693 | /* Allocate a new conntrack: we return -ENOMEM if classification | ||
694 | * failed due to stress. Otherwise it really is unclassifiable */ | ||
695 | static struct ip_conntrack_tuple_hash * | ||
696 | init_conntrack(struct ip_conntrack_tuple *tuple, | ||
697 | struct ip_conntrack_protocol *protocol, | ||
698 | struct sk_buff *skb) | ||
699 | { | ||
700 | struct ip_conntrack *conntrack; | ||
701 | struct ip_conntrack_tuple repl_tuple; | ||
702 | struct ip_conntrack_expect *exp; | ||
703 | |||
704 | if (!ip_ct_invert_tuple(&repl_tuple, tuple, protocol)) { | ||
705 | DEBUGP("Can't invert tuple.\n"); | ||
706 | return NULL; | ||
707 | } | ||
708 | |||
709 | if (!(conntrack = ip_conntrack_alloc(tuple, &repl_tuple))) | ||
710 | return NULL; | ||
711 | |||
712 | if (!protocol->new(conntrack, skb)) { | ||
713 | ip_conntrack_free(conntrack); | ||
714 | return NULL; | ||
715 | } | ||
716 | |||
593 | write_lock_bh(&ip_conntrack_lock); | 717 | write_lock_bh(&ip_conntrack_lock); |
594 | exp = find_expectation(tuple); | 718 | exp = find_expectation(tuple); |
595 | 719 | ||
@@ -610,7 +734,7 @@ init_conntrack(const struct ip_conntrack_tuple *tuple, | |||
610 | nf_conntrack_get(&conntrack->master->ct_general); | 734 | nf_conntrack_get(&conntrack->master->ct_general); |
611 | CONNTRACK_STAT_INC(expect_new); | 735 | CONNTRACK_STAT_INC(expect_new); |
612 | } else { | 736 | } else { |
613 | conntrack->helper = ip_ct_find_helper(&repl_tuple); | 737 | conntrack->helper = __ip_conntrack_helper_find(&repl_tuple); |
614 | 738 | ||
615 | CONNTRACK_STAT_INC(new); | 739 | CONNTRACK_STAT_INC(new); |
616 | } | 740 | } |
@@ -618,7 +742,6 @@ init_conntrack(const struct ip_conntrack_tuple *tuple, | |||
618 | /* Overload tuple linked list to put us in unconfirmed list. */ | 742 | /* Overload tuple linked list to put us in unconfirmed list. */ |
619 | list_add(&conntrack->tuplehash[IP_CT_DIR_ORIGINAL].list, &unconfirmed); | 743 | list_add(&conntrack->tuplehash[IP_CT_DIR_ORIGINAL].list, &unconfirmed); |
620 | 744 | ||
621 | atomic_inc(&ip_conntrack_count); | ||
622 | write_unlock_bh(&ip_conntrack_lock); | 745 | write_unlock_bh(&ip_conntrack_lock); |
623 | 746 | ||
624 | if (exp) { | 747 | if (exp) { |
@@ -729,7 +852,7 @@ unsigned int ip_conntrack_in(unsigned int hooknum, | |||
729 | } | 852 | } |
730 | #endif | 853 | #endif |
731 | 854 | ||
732 | proto = ip_ct_find_proto((*pskb)->nh.iph->protocol); | 855 | proto = __ip_conntrack_proto_find((*pskb)->nh.iph->protocol); |
733 | 856 | ||
734 | /* It may be an special packet, error, unclean... | 857 | /* It may be an special packet, error, unclean... |
735 | * inverse of the return code tells to the netfilter | 858 | * inverse of the return code tells to the netfilter |
@@ -777,7 +900,7 @@ int invert_tuplepr(struct ip_conntrack_tuple *inverse, | |||
777 | const struct ip_conntrack_tuple *orig) | 900 | const struct ip_conntrack_tuple *orig) |
778 | { | 901 | { |
779 | return ip_ct_invert_tuple(inverse, orig, | 902 | return ip_ct_invert_tuple(inverse, orig, |
780 | ip_ct_find_proto(orig->dst.protonum)); | 903 | __ip_conntrack_proto_find(orig->dst.protonum)); |
781 | } | 904 | } |
782 | 905 | ||
783 | /* Would two expected things clash? */ | 906 | /* Would two expected things clash? */ |
@@ -857,6 +980,8 @@ static void ip_conntrack_expect_insert(struct ip_conntrack_expect *exp) | |||
857 | exp->timeout.expires = jiffies + exp->master->helper->timeout * HZ; | 980 | exp->timeout.expires = jiffies + exp->master->helper->timeout * HZ; |
858 | add_timer(&exp->timeout); | 981 | add_timer(&exp->timeout); |
859 | 982 | ||
983 | exp->id = ++ip_conntrack_expect_next_id; | ||
984 | atomic_inc(&exp->use); | ||
860 | CONNTRACK_STAT_INC(expect_create); | 985 | CONNTRACK_STAT_INC(expect_create); |
861 | } | 986 | } |
862 | 987 | ||
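Review bot: The new `exp->id = ++ip_conntrack_expect_next_id;` is a plain read-modify-write on a global with no lock visible in this hunk; it is presumably done under ip_conntrack_lock like the conntrack id, but a comment at the assignment would let a reader confirm it, e.g. `/* under ip_conntrack_lock; ids are monotonic and wrap at 2^32 */`. The `atomic_inc(&exp->use)` takes an extra reference at insert time whose matching put is not in this hunk; naming the releasing path in a comment (presumably the timeout/unlink path) would make the ownership rule clear. ip_conntrack_expect_insert starts outside this hunk.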
@@ -936,7 +1061,7 @@ void ip_conntrack_alter_reply(struct ip_conntrack *conntrack, | |||
936 | 1061 | ||
937 | conntrack->tuplehash[IP_CT_DIR_REPLY].tuple = *newreply; | 1062 | conntrack->tuplehash[IP_CT_DIR_REPLY].tuple = *newreply; |
938 | if (!conntrack->master && conntrack->expecting == 0) | 1063 | if (!conntrack->master && conntrack->expecting == 0) |
939 | conntrack->helper = ip_ct_find_helper(newreply); | 1064 | conntrack->helper = __ip_conntrack_helper_find(newreply); |
940 | write_unlock_bh(&ip_conntrack_lock); | 1065 | write_unlock_bh(&ip_conntrack_lock); |
941 | } | 1066 | } |
942 | 1067 | ||
@@ -950,6 +1075,19 @@ int ip_conntrack_helper_register(struct ip_conntrack_helper *me) | |||
950 | return 0; | 1075 | return 0; |
951 | } | 1076 | } |
952 | 1077 | ||
1078 | struct ip_conntrack_helper * | ||
1079 | __ip_conntrack_helper_find_byname(const char *name) | ||
1080 | { | ||
1081 | struct ip_conntrack_helper *h; | ||
1082 | |||
1083 | list_for_each_entry(h, &helpers, list) { | ||
1084 | if (!strcmp(h->name, name)) | ||
1085 | return h; | ||
1086 | } | ||
1087 | |||
1088 | return NULL; | ||
1089 | } | ||
1090 | |||
953 | static inline int unhelp(struct ip_conntrack_tuple_hash *i, | 1091 | static inline int unhelp(struct ip_conntrack_tuple_hash *i, |
954 | const struct ip_conntrack_helper *me) | 1092 | const struct ip_conntrack_helper *me) |
955 | { | 1093 | { |
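Review bot: __ip_conntrack_helper_find_byname walks `helpers` without taking ip_conntrack_lock and compares with strcmp, so it needs the caller to hold the lock (as the `__` prefix implies) and to pass a NUL-terminated name; with ctnetlink the name comes from a userspace CTA_HELP_NAME attribute, so the caller must terminate or bound it, and neither requirement is written down. Suggest `/* Caller must hold ip_conntrack_lock; name must be NUL-terminated (netlink callers must terminate the attribute copy). */` above the function. Relatedly, the dump side passes `&ct->helper->name` with CTA_HELP_MAXNAMESIZE bytes to NFA_PUT; if `name` is a pointer rather than an embedded array, that copies the pointer and the struct bytes after it instead of the string, which is both a wrong name and a kernel-address disclosure to userspace, so `ct->helper->name` with its string length would be the right source.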
@@ -1025,6 +1163,39 @@ void ip_ct_refresh_acct(struct ip_conntrack *ct, | |||
1025 | } | 1163 | } |
1026 | } | 1164 | } |
1027 | 1165 | ||
1166 | #if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \ | ||
1167 | defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE) | ||
1168 | /* Generic function for tcp/udp/sctp/dccp and alike. This needs to be | ||
1169 | * in ip_conntrack_core, since we don't want the protocols to autoload | ||
1170 | * or depend on ctnetlink */ | ||
1171 | int ip_ct_port_tuple_to_nfattr(struct sk_buff *skb, | ||
1172 | const struct ip_conntrack_tuple *tuple) | ||
1173 | { | ||
1174 | NFA_PUT(skb, CTA_PROTO_SRC_PORT, sizeof(u_int16_t), | ||
1175 | &tuple->src.u.tcp.port); | ||
1176 | NFA_PUT(skb, CTA_PROTO_DST_PORT, sizeof(u_int16_t), | ||
1177 | &tuple->dst.u.tcp.port); | ||
1178 | return 0; | ||
1179 | |||
1180 | nfattr_failure: | ||
1181 | return -1; | ||
1182 | } | ||
1183 | |||
1184 | int ip_ct_port_nfattr_to_tuple(struct nfattr *tb[], | ||
1185 | struct ip_conntrack_tuple *t) | ||
1186 | { | ||
1187 | if (!tb[CTA_PROTO_SRC_PORT-1] || !tb[CTA_PROTO_DST_PORT-1]) | ||
1188 | return -EINVAL; | ||
1189 | |||
1190 | t->src.u.tcp.port = | ||
1191 | *(u_int16_t *)NFA_DATA(tb[CTA_PROTO_SRC_PORT-1]); | ||
1192 | t->dst.u.tcp.port = | ||
1193 | *(u_int16_t *)NFA_DATA(tb[CTA_PROTO_DST_PORT-1]); | ||
1194 | |||
1195 | return 0; | ||
1196 | } | ||
1197 | #endif | ||
1198 | |||
1028 | /* Returns new sk_buff, or NULL */ | 1199 | /* Returns new sk_buff, or NULL */ |
1029 | struct sk_buff * | 1200 | struct sk_buff * |
1030 | ip_ct_gather_frags(struct sk_buff *skb, u_int32_t user) | 1201 | ip_ct_gather_frags(struct sk_buff *skb, u_int32_t user) |
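Review bot: ip_ct_port_nfattr_to_tuple reads `*(u_int16_t *)NFA_DATA(tb[CTA_PROTO_SRC_PORT-1])` without checking the attribute's length, so it depends on the caller having run nfattr_bad_size with a sizeof(u_int16_t) minimum for both ports; ctnetlink_parse_tuple_proto does that through cta_min_proto, but the function is exported for protocol modules and the precondition is not stated. Suggest `/* tb[] must already be size-checked by the caller (nfattr_bad_size, >= sizeof(u_int16_t) per port); ports are copied in network byte order as carried on the wire */` above it. Separately, that caller zeroes its table with `memset(tb, 0, CTA_PROTO_MAX * sizeof(tb))`, and sizeof(tb) is already the size of the whole array, so the memset writes CTA_PROTO_MAX times past the end of a stack array; `memset(tb, 0, sizeof(tb))` is the intended length (the same pattern appears in ctnetlink_parse_tuple_ip).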
@@ -1203,16 +1374,13 @@ static void free_conntrack_hash(void) | |||
1203 | * ip_conntrack_htable_size)); | 1374 | * ip_conntrack_htable_size)); |
1204 | } | 1375 | } |
1205 | 1376 | ||
1206 | /* Mishearing the voices in his head, our hero wonders how he's | 1377 | void ip_conntrack_flush() |
1207 | supposed to kill the mall. */ | ||
1208 | void ip_conntrack_cleanup(void) | ||
1209 | { | 1378 | { |
1210 | ip_ct_attach = NULL; | ||
1211 | /* This makes sure all current packets have passed through | 1379 | /* This makes sure all current packets have passed through |
1212 | netfilter framework. Roll on, two-stage module | 1380 | netfilter framework. Roll on, two-stage module |
1213 | delete... */ | 1381 | delete... */ |
1214 | synchronize_net(); | 1382 | synchronize_net(); |
1215 | 1383 | ||
1216 | i_see_dead_people: | 1384 | i_see_dead_people: |
1217 | ip_ct_iterate_cleanup(kill_all, NULL); | 1385 | ip_ct_iterate_cleanup(kill_all, NULL); |
1218 | if (atomic_read(&ip_conntrack_count) != 0) { | 1386 | if (atomic_read(&ip_conntrack_count) != 0) { |
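Review bot: `void ip_conntrack_flush()` is an old-style definition without a prototype; since the function is now exported for other callers, write it `void ip_conntrack_flush(void)` so the header declaration and call sites are checked against it. The comment it inherits ("Roll on, two-stage module delete...") was written for module unload and no longer explains why an exported flush calls synchronize_net(); a short note such as `/* Let in-flight packets leave the netfilter hooks before killing entries. */` would fit the new role. The kill loop continues in the next hunk.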
@@ -1222,7 +1390,14 @@ void ip_conntrack_cleanup(void) | |||
1222 | /* wait until all references to ip_conntrack_untracked are dropped */ | 1390 | /* wait until all references to ip_conntrack_untracked are dropped */ |
1223 | while (atomic_read(&ip_conntrack_untracked.ct_general.use) > 1) | 1391 | while (atomic_read(&ip_conntrack_untracked.ct_general.use) > 1) |
1224 | schedule(); | 1392 | schedule(); |
1393 | } | ||
1225 | 1394 | ||
1395 | /* Mishearing the voices in his head, our hero wonders how he's | ||
1396 | supposed to kill the mall. */ | ||
1397 | void ip_conntrack_cleanup(void) | ||
1398 | { | ||
1399 | ip_ct_attach = NULL; | ||
1400 | ip_conntrack_flush(); | ||
1226 | kmem_cache_destroy(ip_conntrack_cachep); | 1401 | kmem_cache_destroy(ip_conntrack_cachep); |
1227 | kmem_cache_destroy(ip_conntrack_expect_cachep); | 1402 | kmem_cache_destroy(ip_conntrack_expect_cachep); |
1228 | free_conntrack_hash(); | 1403 | free_conntrack_hash(); |
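Review bot: The wait `while (atomic_read(&ip_conntrack_untracked.ct_general.use) > 1) schedule();` now lives in ip_conntrack_flush rather than ip_conntrack_cleanup, so any non-unload caller of the exported flush will keep rescheduling until no packet holds a reference to the untracked conntrack, which on a host that keeps seeing NOTRACK traffic can be a long time and is not needed to empty the table. Suggest leaving that wait in ip_conntrack_cleanup, where it protects the teardown that follows, and limiting ip_conntrack_flush to the kill_all loop; at minimum document the blocking behaviour on ip_conntrack_flush. ip_conntrack_flush starts outside this hunk.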
diff --git a/net/ipv4/netfilter/ip_conntrack_netlink.c b/net/ipv4/netfilter/ip_conntrack_netlink.c new file mode 100644 index 000000000000..f43ec18c9166 --- /dev/null +++ b/net/ipv4/netfilter/ip_conntrack_netlink.c | |||
@@ -0,0 +1,1588 @@ | |||
1 | /* Connection tracking via netlink socket. Allows for user space | ||
2 | * protocol helpers and general trouble making from userspace. | ||
3 | * | ||
4 | * (C) 2001 by Jay Schulist <jschlst@samba.org> | ||
5 | * (C) 2002-2005 by Harald Welte <laforge@gnumonks.org> | ||
6 | * (C) 2003 by Patrick Mchardy <kaber@trash.net> | ||
7 | * (C) 2005 by Pablo Neira Ayuso <pablo@eurodev.net> | ||
8 | * | ||
9 | * I've reworked this stuff to use attributes instead of conntrack | ||
10 | * structures. 5.44 am. I need more tea. --pablo 05/07/11. | ||
11 | * | ||
12 | * Initial connection tracking via netlink development funded and | ||
13 | * generally made possible by Network Robots, Inc. (www.networkrobots.com) | ||
14 | * | ||
15 | * Further development of this code funded by Astaro AG (http://www.astaro.com) | ||
16 | * | ||
17 | * This software may be used and distributed according to the terms | ||
18 | * of the GNU General Public License, incorporated herein by reference. | ||
19 | */ | ||
20 | |||
21 | #include <linux/init.h> | ||
22 | #include <linux/module.h> | ||
23 | #include <linux/kernel.h> | ||
24 | #include <linux/types.h> | ||
25 | #include <linux/timer.h> | ||
26 | #include <linux/skbuff.h> | ||
27 | #include <linux/errno.h> | ||
28 | #include <linux/netlink.h> | ||
29 | #include <linux/spinlock.h> | ||
30 | #include <linux/notifier.h> | ||
31 | #include <linux/rtnetlink.h> | ||
32 | |||
33 | #include <linux/netfilter.h> | ||
34 | #include <linux/netfilter_ipv4.h> | ||
35 | #include <linux/netfilter_ipv4/ip_tables.h> | ||
36 | #include <linux/netfilter_ipv4/ip_conntrack.h> | ||
37 | #include <linux/netfilter_ipv4/ip_conntrack_core.h> | ||
38 | #include <linux/netfilter_ipv4/ip_conntrack_helper.h> | ||
39 | #include <linux/netfilter_ipv4/ip_conntrack_protocol.h> | ||
40 | #include <linux/netfilter_ipv4/ip_nat_protocol.h> | ||
41 | |||
42 | #include <linux/netfilter/nfnetlink.h> | ||
43 | #include <linux/netfilter/nfnetlink_conntrack.h> | ||
44 | |||
45 | MODULE_LICENSE("GPL"); | ||
46 | |||
47 | static char __initdata version[] = "0.90"; | ||
48 | |||
49 | #if 0 | ||
50 | #define DEBUGP printk | ||
51 | #else | ||
52 | #define DEBUGP(format, args...) | ||
53 | #endif | ||
54 | |||
55 | |||
56 | static inline int | ||
57 | ctnetlink_dump_tuples_proto(struct sk_buff *skb, | ||
58 | const struct ip_conntrack_tuple *tuple) | ||
59 | { | ||
60 | struct ip_conntrack_protocol *proto; | ||
61 | |||
62 | NFA_PUT(skb, CTA_PROTO_NUM, sizeof(u_int8_t), &tuple->dst.protonum); | ||
63 | |||
64 | proto = ip_conntrack_proto_find_get(tuple->dst.protonum); | ||
65 | if (proto && proto->tuple_to_nfattr) | ||
66 | return proto->tuple_to_nfattr(skb, tuple); | ||
67 | |||
68 | return 0; | ||
69 | |||
70 | nfattr_failure: | ||
71 | return -1; | ||
72 | } | ||
73 | |||
74 | static inline int | ||
75 | ctnetlink_dump_tuples(struct sk_buff *skb, | ||
76 | const struct ip_conntrack_tuple *tuple) | ||
77 | { | ||
78 | struct nfattr *nest_parms; | ||
79 | |||
80 | nest_parms = NFA_NEST(skb, CTA_TUPLE_IP); | ||
81 | NFA_PUT(skb, CTA_IP_V4_SRC, sizeof(u_int32_t), &tuple->src.ip); | ||
82 | NFA_PUT(skb, CTA_IP_V4_DST, sizeof(u_int32_t), &tuple->dst.ip); | ||
83 | NFA_NEST_END(skb, nest_parms); | ||
84 | |||
85 | nest_parms = NFA_NEST(skb, CTA_TUPLE_PROTO); | ||
86 | ctnetlink_dump_tuples_proto(skb, tuple); | ||
87 | NFA_NEST_END(skb, nest_parms); | ||
88 | |||
89 | return 0; | ||
90 | |||
91 | nfattr_failure: | ||
92 | return -1; | ||
93 | } | ||
94 | |||
95 | static inline int | ||
96 | ctnetlink_dump_status(struct sk_buff *skb, const struct ip_conntrack *ct) | ||
97 | { | ||
98 | u_int32_t status = htonl((u_int32_t) ct->status); | ||
99 | NFA_PUT(skb, CTA_STATUS, sizeof(status), &status); | ||
100 | return 0; | ||
101 | |||
102 | nfattr_failure: | ||
103 | return -1; | ||
104 | } | ||
105 | |||
106 | static inline int | ||
107 | ctnetlink_dump_timeout(struct sk_buff *skb, const struct ip_conntrack *ct) | ||
108 | { | ||
109 | long timeout_l = ct->timeout.expires - jiffies; | ||
110 | u_int32_t timeout; | ||
111 | |||
112 | if (timeout_l < 0) | ||
113 | timeout = 0; | ||
114 | else | ||
115 | timeout = htonl(timeout_l / HZ); | ||
116 | |||
117 | NFA_PUT(skb, CTA_TIMEOUT, sizeof(timeout), &timeout); | ||
118 | return 0; | ||
119 | |||
120 | nfattr_failure: | ||
121 | return -1; | ||
122 | } | ||
123 | |||
124 | static inline int | ||
125 | ctnetlink_dump_protoinfo(struct sk_buff *skb, const struct ip_conntrack *ct) | ||
126 | { | ||
127 | struct ip_conntrack_protocol *proto = ip_conntrack_proto_find_get(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum); | ||
128 | |||
129 | struct nfattr *nest_proto; | ||
130 | int ret; | ||
131 | |||
132 | if (!proto || !proto->to_nfattr) | ||
133 | return 0; | ||
134 | |||
135 | nest_proto = NFA_NEST(skb, CTA_PROTOINFO); | ||
136 | |||
137 | ret = proto->to_nfattr(skb, nest_proto, ct); | ||
138 | |||
139 | ip_conntrack_proto_put(proto); | ||
140 | |||
141 | NFA_NEST_END(skb, nest_proto); | ||
142 | |||
143 | return ret; | ||
144 | |||
145 | nfattr_failure: | ||
146 | return -1; | ||
147 | } | ||
148 | |||
149 | static inline int | ||
150 | ctnetlink_dump_helpinfo(struct sk_buff *skb, const struct ip_conntrack *ct) | ||
151 | { | ||
152 | struct nfattr *nest_helper; | ||
153 | |||
154 | if (!ct->helper) | ||
155 | return 0; | ||
156 | |||
157 | nest_helper = NFA_NEST(skb, CTA_HELP); | ||
158 | NFA_PUT(skb, CTA_HELP_NAME, CTA_HELP_MAXNAMESIZE, &ct->helper->name); | ||
159 | |||
160 | if (ct->helper->to_nfattr) | ||
161 | ct->helper->to_nfattr(skb, ct); | ||
162 | |||
163 | NFA_NEST_END(skb, nest_helper); | ||
164 | |||
165 | return 0; | ||
166 | |||
167 | nfattr_failure: | ||
168 | return -1; | ||
169 | } | ||
170 | |||
171 | #ifdef CONFIG_IP_NF_CT_ACCT | ||
172 | static inline int | ||
173 | ctnetlink_dump_counters(struct sk_buff *skb, const struct ip_conntrack *ct, | ||
174 | enum ip_conntrack_dir dir) | ||
175 | { | ||
176 | enum ctattr_type type = dir ? CTA_COUNTERS_REPLY: CTA_COUNTERS_ORIG; | ||
177 | struct nfattr *nest_count = NFA_NEST(skb, type); | ||
178 | u_int64_t tmp; | ||
179 | |||
180 | tmp = cpu_to_be64(ct->counters[dir].packets); | ||
181 | NFA_PUT(skb, CTA_COUNTERS_PACKETS, sizeof(u_int64_t), &tmp); | ||
182 | |||
183 | tmp = cpu_to_be64(ct->counters[dir].bytes); | ||
184 | NFA_PUT(skb, CTA_COUNTERS_BYTES, sizeof(u_int64_t), &tmp); | ||
185 | |||
186 | NFA_NEST_END(skb, nest_count); | ||
187 | |||
188 | return 0; | ||
189 | |||
190 | nfattr_failure: | ||
191 | return -1; | ||
192 | } | ||
193 | #else | ||
194 | #define ctnetlink_dump_counters(a, b, c) (0) | ||
195 | #endif | ||
196 | |||
197 | #ifdef CONFIG_IP_NF_CONNTRACK_MARK | ||
198 | static inline int | ||
199 | ctnetlink_dump_mark(struct sk_buff *skb, const struct ip_conntrack *ct) | ||
200 | { | ||
201 | u_int32_t mark = htonl(ct->mark); | ||
202 | |||
203 | NFA_PUT(skb, CTA_MARK, sizeof(u_int32_t), &mark); | ||
204 | return 0; | ||
205 | |||
206 | nfattr_failure: | ||
207 | return -1; | ||
208 | } | ||
209 | #else | ||
210 | #define ctnetlink_dump_mark(a, b) (0) | ||
211 | #endif | ||
212 | |||
213 | static inline int | ||
214 | ctnetlink_dump_id(struct sk_buff *skb, const struct ip_conntrack *ct) | ||
215 | { | ||
216 | u_int32_t id = htonl(ct->id); | ||
217 | NFA_PUT(skb, CTA_ID, sizeof(u_int32_t), &id); | ||
218 | return 0; | ||
219 | |||
220 | nfattr_failure: | ||
221 | return -1; | ||
222 | } | ||
223 | |||
224 | static inline int | ||
225 | ctnetlink_dump_use(struct sk_buff *skb, const struct ip_conntrack *ct) | ||
226 | { | ||
227 | unsigned int use = htonl(atomic_read(&ct->ct_general.use)); | ||
228 | |||
229 | NFA_PUT(skb, CTA_USE, sizeof(u_int32_t), &use); | ||
230 | return 0; | ||
231 | |||
232 | nfattr_failure: | ||
233 | return -1; | ||
234 | } | ||
235 | |||
236 | #define tuple(ct, dir) (&(ct)->tuplehash[dir].tuple) | ||
237 | |||
238 | static int | ||
239 | ctnetlink_fill_info(struct sk_buff *skb, u32 pid, u32 seq, | ||
240 | int event, int nowait, | ||
241 | const struct ip_conntrack *ct) | ||
242 | { | ||
243 | struct nlmsghdr *nlh; | ||
244 | struct nfgenmsg *nfmsg; | ||
245 | struct nfattr *nest_parms; | ||
246 | unsigned char *b; | ||
247 | |||
248 | b = skb->tail; | ||
249 | |||
250 | event |= NFNL_SUBSYS_CTNETLINK << 8; | ||
251 | nlh = NLMSG_PUT(skb, pid, seq, event, sizeof(struct nfgenmsg)); | ||
252 | nfmsg = NLMSG_DATA(nlh); | ||
253 | |||
254 | nlh->nlmsg_flags = (nowait && pid) ? NLM_F_MULTI : 0; | ||
255 | nfmsg->nfgen_family = AF_INET; | ||
256 | nfmsg->version = NFNETLINK_V0; | ||
257 | nfmsg->res_id = 0; | ||
258 | |||
259 | nest_parms = NFA_NEST(skb, CTA_TUPLE_ORIG); | ||
260 | if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_ORIGINAL)) < 0) | ||
261 | goto nfattr_failure; | ||
262 | NFA_NEST_END(skb, nest_parms); | ||
263 | |||
264 | nest_parms = NFA_NEST(skb, CTA_TUPLE_REPLY); | ||
265 | if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_REPLY)) < 0) | ||
266 | goto nfattr_failure; | ||
267 | NFA_NEST_END(skb, nest_parms); | ||
268 | |||
269 | if (ctnetlink_dump_status(skb, ct) < 0 || | ||
270 | ctnetlink_dump_timeout(skb, ct) < 0 || | ||
271 | ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 || | ||
272 | ctnetlink_dump_counters(skb, ct, IP_CT_DIR_REPLY) < 0 || | ||
273 | ctnetlink_dump_protoinfo(skb, ct) < 0 || | ||
274 | ctnetlink_dump_helpinfo(skb, ct) < 0 || | ||
275 | ctnetlink_dump_mark(skb, ct) < 0 || | ||
276 | ctnetlink_dump_id(skb, ct) < 0 || | ||
277 | ctnetlink_dump_use(skb, ct) < 0) | ||
278 | goto nfattr_failure; | ||
279 | |||
280 | nlh->nlmsg_len = skb->tail - b; | ||
281 | return skb->len; | ||
282 | |||
283 | nlmsg_failure: | ||
284 | nfattr_failure: | ||
285 | skb_trim(skb, b - skb->data); | ||
286 | return -1; | ||
287 | } | ||
288 | |||
289 | #ifdef CONFIG_IP_NF_CONNTRACK_EVENTS | ||
290 | static int ctnetlink_conntrack_event(struct notifier_block *this, | ||
291 | unsigned long events, void *ptr) | ||
292 | { | ||
293 | struct nlmsghdr *nlh; | ||
294 | struct nfgenmsg *nfmsg; | ||
295 | struct nfattr *nest_parms; | ||
296 | struct ip_conntrack *ct = (struct ip_conntrack *)ptr; | ||
297 | struct sk_buff *skb; | ||
298 | unsigned int type; | ||
299 | unsigned char *b; | ||
300 | unsigned int flags = 0, groups; | ||
301 | |||
302 | /* ignore our fake conntrack entry */ | ||
303 | if (ct == &ip_conntrack_untracked) | ||
304 | return NOTIFY_DONE; | ||
305 | |||
306 | if (events & IPCT_DESTROY) { | ||
307 | type = IPCTNL_MSG_CT_DELETE; | ||
308 | groups = NF_NETLINK_CONNTRACK_DESTROY; | ||
309 | goto alloc_skb; | ||
310 | } | ||
311 | if (events & (IPCT_NEW | IPCT_RELATED)) { | ||
312 | type = IPCTNL_MSG_CT_NEW; | ||
313 | flags = NLM_F_CREATE|NLM_F_EXCL; | ||
314 | /* dump everything */ | ||
315 | events = ~0UL; | ||
316 | groups = NF_NETLINK_CONNTRACK_NEW; | ||
317 | goto alloc_skb; | ||
318 | } | ||
319 | if (events & (IPCT_STATUS | | ||
320 | IPCT_PROTOINFO | | ||
321 | IPCT_HELPER | | ||
322 | IPCT_HELPINFO | | ||
323 | IPCT_NATINFO)) { | ||
324 | type = IPCTNL_MSG_CT_NEW; | ||
325 | groups = NF_NETLINK_CONNTRACK_UPDATE; | ||
326 | goto alloc_skb; | ||
327 | } | ||
328 | |||
329 | return NOTIFY_DONE; | ||
330 | |||
331 | alloc_skb: | ||
332 | /* FIXME: Check if there are any listeners before, don't hurt performance */ | ||
333 | |||
334 | skb = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); | ||
335 | if (!skb) | ||
336 | return NOTIFY_DONE; | ||
337 | |||
338 | b = skb->tail; | ||
339 | |||
340 | type |= NFNL_SUBSYS_CTNETLINK << 8; | ||
341 | nlh = NLMSG_PUT(skb, 0, 0, type, sizeof(struct nfgenmsg)); | ||
342 | nfmsg = NLMSG_DATA(nlh); | ||
343 | |||
344 | nlh->nlmsg_flags = flags; | ||
345 | nfmsg->nfgen_family = AF_INET; | ||
346 | nfmsg->version = NFNETLINK_V0; | ||
347 | nfmsg->res_id = 0; | ||
348 | |||
349 | nest_parms = NFA_NEST(skb, CTA_TUPLE_ORIG); | ||
350 | if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_ORIGINAL)) < 0) | ||
351 | goto nfattr_failure; | ||
352 | NFA_NEST_END(skb, nest_parms); | ||
353 | |||
354 | nest_parms = NFA_NEST(skb, CTA_TUPLE_REPLY); | ||
355 | if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_REPLY)) < 0) | ||
356 | goto nfattr_failure; | ||
357 | NFA_NEST_END(skb, nest_parms); | ||
358 | |||
359 | /* NAT stuff is now a status flag */ | ||
360 | if ((events & IPCT_STATUS || events & IPCT_NATINFO) | ||
361 | && ctnetlink_dump_status(skb, ct) < 0) | ||
362 | goto nfattr_failure; | ||
363 | if (events & IPCT_REFRESH | ||
364 | && ctnetlink_dump_timeout(skb, ct) < 0) | ||
365 | goto nfattr_failure; | ||
366 | if (events & IPCT_PROTOINFO | ||
367 | && ctnetlink_dump_protoinfo(skb, ct) < 0) | ||
368 | goto nfattr_failure; | ||
369 | if (events & IPCT_HELPINFO | ||
370 | && ctnetlink_dump_helpinfo(skb, ct) < 0) | ||
371 | goto nfattr_failure; | ||
372 | |||
373 | if (ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 || | ||
374 | ctnetlink_dump_counters(skb, ct, IP_CT_DIR_REPLY) < 0) | ||
375 | goto nfattr_failure; | ||
376 | |||
377 | nlh->nlmsg_len = skb->tail - b; | ||
378 | nfnetlink_send(skb, 0, groups, 0); | ||
379 | return NOTIFY_DONE; | ||
380 | |||
381 | nlmsg_failure: | ||
382 | nfattr_failure: | ||
383 | kfree_skb(skb); | ||
384 | return NOTIFY_DONE; | ||
385 | } | ||
386 | #endif /* CONFIG_IP_NF_CONNTRACK_EVENTS */ | ||
387 | |||
388 | static int ctnetlink_done(struct netlink_callback *cb) | ||
389 | { | ||
390 | DEBUGP("entered %s\n", __FUNCTION__); | ||
391 | return 0; | ||
392 | } | ||
393 | |||
394 | static int | ||
395 | ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb) | ||
396 | { | ||
397 | struct ip_conntrack *ct = NULL; | ||
398 | struct ip_conntrack_tuple_hash *h; | ||
399 | struct list_head *i; | ||
400 | u_int32_t *id = (u_int32_t *) &cb->args[1]; | ||
401 | |||
402 | DEBUGP("entered %s, last bucket=%lu id=%u\n", __FUNCTION__, | ||
403 | cb->args[0], *id); | ||
404 | |||
405 | read_lock_bh(&ip_conntrack_lock); | ||
406 | for (; cb->args[0] < ip_conntrack_htable_size; cb->args[0]++, *id = 0) { | ||
407 | list_for_each(i, &ip_conntrack_hash[cb->args[0]]) { | ||
408 | h = (struct ip_conntrack_tuple_hash *) i; | ||
409 | if (DIRECTION(h) != IP_CT_DIR_ORIGINAL) | ||
410 | continue; | ||
411 | ct = tuplehash_to_ctrack(h); | ||
412 | if (ct->id <= *id) | ||
413 | continue; | ||
414 | if (ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).pid, | ||
415 | cb->nlh->nlmsg_seq, | ||
416 | IPCTNL_MSG_CT_NEW, | ||
417 | 1, ct) < 0) | ||
418 | goto out; | ||
419 | *id = ct->id; | ||
420 | } | ||
421 | } | ||
422 | out: | ||
423 | read_unlock_bh(&ip_conntrack_lock); | ||
424 | |||
425 | DEBUGP("leaving, last bucket=%lu id=%u\n", cb->args[0], *id); | ||
426 | |||
427 | return skb->len; | ||
428 | } | ||
429 | |||
430 | #ifdef CONFIG_IP_NF_CT_ACCT | ||
431 | static int | ||
432 | ctnetlink_dump_table_w(struct sk_buff *skb, struct netlink_callback *cb) | ||
433 | { | ||
434 | struct ip_conntrack *ct = NULL; | ||
435 | struct ip_conntrack_tuple_hash *h; | ||
436 | struct list_head *i; | ||
437 | u_int32_t *id = (u_int32_t *) &cb->args[1]; | ||
438 | |||
439 | DEBUGP("entered %s, last bucket=%u id=%u\n", __FUNCTION__, | ||
440 | cb->args[0], *id); | ||
441 | |||
442 | write_lock_bh(&ip_conntrack_lock); | ||
443 | for (; cb->args[0] < ip_conntrack_htable_size; cb->args[0]++, *id = 0) { | ||
444 | list_for_each(i, &ip_conntrack_hash[cb->args[0]]) { | ||
445 | h = (struct ip_conntrack_tuple_hash *) i; | ||
446 | if (DIRECTION(h) != IP_CT_DIR_ORIGINAL) | ||
447 | continue; | ||
448 | ct = tuplehash_to_ctrack(h); | ||
449 | if (ct->id <= *id) | ||
450 | continue; | ||
451 | if (ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).pid, | ||
452 | cb->nlh->nlmsg_seq, | ||
453 | IPCTNL_MSG_CT_NEW, | ||
454 | 1, ct) < 0) | ||
455 | goto out; | ||
456 | *id = ct->id; | ||
457 | |||
458 | memset(&ct->counters, 0, sizeof(ct->counters)); | ||
459 | } | ||
460 | } | ||
461 | out: | ||
462 | write_unlock_bh(&ip_conntrack_lock); | ||
463 | |||
464 | DEBUGP("leaving, last bucket=%lu id=%u\n", cb->args[0], *id); | ||
465 | |||
466 | return skb->len; | ||
467 | } | ||
468 | #endif | ||
469 | |||
470 | static const int cta_min_ip[CTA_IP_MAX] = { | ||
471 | [CTA_IP_V4_SRC-1] = sizeof(u_int32_t), | ||
472 | [CTA_IP_V4_DST-1] = sizeof(u_int32_t), | ||
473 | }; | ||
474 | |||
475 | static inline int | ||
476 | ctnetlink_parse_tuple_ip(struct nfattr *attr, struct ip_conntrack_tuple *tuple) | ||
477 | { | ||
478 | struct nfattr *tb[CTA_IP_MAX]; | ||
479 | |||
480 | DEBUGP("entered %s\n", __FUNCTION__); | ||
481 | |||
482 | memset(tb, 0, CTA_IP_MAX * sizeof(tb)); | ||
483 | |||
484 | if (nfattr_parse_nested(tb, CTA_IP_MAX, attr) < 0) | ||
485 | goto nfattr_failure; | ||
486 | |||
487 | if (nfattr_bad_size(tb, CTA_IP_MAX, cta_min_ip)) | ||
488 | return -EINVAL; | ||
489 | |||
490 | if (!tb[CTA_IP_V4_SRC-1]) | ||
491 | return -EINVAL; | ||
492 | tuple->src.ip = *(u_int32_t *)NFA_DATA(tb[CTA_IP_V4_SRC-1]); | ||
493 | |||
494 | if (!tb[CTA_IP_V4_DST-1]) | ||
495 | return -EINVAL; | ||
496 | tuple->dst.ip = *(u_int32_t *)NFA_DATA(tb[CTA_IP_V4_DST-1]); | ||
497 | |||
498 | DEBUGP("leaving\n"); | ||
499 | |||
500 | return 0; | ||
501 | |||
502 | nfattr_failure: | ||
503 | return -1; | ||
504 | } | ||
505 | |||
506 | static const int cta_min_proto[CTA_PROTO_MAX] = { | ||
507 | [CTA_PROTO_NUM-1] = sizeof(u_int16_t), | ||
508 | [CTA_PROTO_SRC_PORT-1] = sizeof(u_int16_t), | ||
509 | [CTA_PROTO_DST_PORT-1] = sizeof(u_int16_t), | ||
510 | [CTA_PROTO_ICMP_TYPE-1] = sizeof(u_int8_t), | ||
511 | [CTA_PROTO_ICMP_CODE-1] = sizeof(u_int8_t), | ||
512 | [CTA_PROTO_ICMP_ID-1] = sizeof(u_int16_t), | ||
513 | }; | ||
514 | |||
515 | static inline int | ||
516 | ctnetlink_parse_tuple_proto(struct nfattr *attr, | ||
517 | struct ip_conntrack_tuple *tuple) | ||
518 | { | ||
519 | struct nfattr *tb[CTA_PROTO_MAX]; | ||
520 | struct ip_conntrack_protocol *proto; | ||
521 | int ret = 0; | ||
522 | |||
523 | DEBUGP("entered %s\n", __FUNCTION__); | ||
524 | |||
525 | memset(tb, 0, CTA_PROTO_MAX * sizeof(tb)); | ||
526 | |||
527 | if (nfattr_parse_nested(tb, CTA_PROTO_MAX, attr) < 0) | ||
528 | goto nfattr_failure; | ||
529 | |||
530 | if (nfattr_bad_size(tb, CTA_PROTO_MAX, cta_min_proto)) | ||
531 | return -EINVAL; | ||
532 | |||
533 | if (!tb[CTA_PROTO_NUM-1]) | ||
534 | return -EINVAL; | ||
535 | tuple->dst.protonum = *(u_int16_t *)NFA_DATA(tb[CTA_PROTO_NUM-1]); | ||
536 | |||
537 | proto = ip_conntrack_proto_find_get(tuple->dst.protonum); | ||
538 | |||
539 | if (likely(proto && proto->nfattr_to_tuple)) { | ||
540 | ret = proto->nfattr_to_tuple(tb, tuple); | ||
541 | ip_conntrack_proto_put(proto); | ||
542 | } | ||
543 | |||
544 | return ret; | ||
545 | |||
546 | nfattr_failure: | ||
547 | return -1; | ||
548 | } | ||
549 | |||
550 | static inline int | ||
551 | ctnetlink_parse_tuple(struct nfattr *cda[], struct ip_conntrack_tuple *tuple, | ||
552 | enum ctattr_tuple type) | ||
553 | { | ||
554 | struct nfattr *tb[CTA_TUPLE_MAX]; | ||
555 | int err; | ||
556 | |||
557 | DEBUGP("entered %s\n", __FUNCTION__); | ||
558 | |||
559 | memset(tb, 0, CTA_TUPLE_MAX * sizeof(tb)); | ||
560 | memset(tuple, 0, sizeof(*tuple)); | ||
561 | |||
562 | if (nfattr_parse_nested(tb, CTA_TUPLE_MAX, cda[type-1]) < 0) | ||
563 | goto nfattr_failure; | ||
564 | |||
565 | if (!tb[CTA_TUPLE_IP-1]) | ||
566 | return -EINVAL; | ||
567 | |||
568 | err = ctnetlink_parse_tuple_ip(tb[CTA_TUPLE_IP-1], tuple); | ||
569 | if (err < 0) | ||
570 | return err; | ||
571 | |||
572 | if (!tb[CTA_TUPLE_PROTO-1]) | ||
573 | return -EINVAL; | ||
574 | |||
575 | err = ctnetlink_parse_tuple_proto(tb[CTA_TUPLE_PROTO-1], tuple); | ||
576 | if (err < 0) | ||
577 | return err; | ||
578 | |||
579 | /* orig and expect tuples get DIR_ORIGINAL */ | ||
580 | if (type == CTA_TUPLE_REPLY) | ||
581 | tuple->dst.dir = IP_CT_DIR_REPLY; | ||
582 | else | ||
583 | tuple->dst.dir = IP_CT_DIR_ORIGINAL; | ||
584 | |||
585 | DUMP_TUPLE(tuple); | ||
586 | |||
587 | DEBUGP("leaving\n"); | ||
588 | |||
589 | return 0; | ||
590 | |||
591 | nfattr_failure: | ||
592 | return -1; | ||
593 | } | ||
594 | |||
595 | #ifdef CONFIG_IP_NF_NAT_NEEDED | ||
596 | static const int cta_min_protonat[CTA_PROTONAT_MAX] = { | ||
597 | [CTA_PROTONAT_PORT_MIN-1] = sizeof(u_int16_t), | ||
598 | [CTA_PROTONAT_PORT_MAX-1] = sizeof(u_int16_t), | ||
599 | }; | ||
600 | |||
601 | static int ctnetlink_parse_nat_proto(struct nfattr *attr, | ||
602 | const struct ip_conntrack *ct, | ||
603 | struct ip_nat_range *range) | ||
604 | { | ||
605 | struct nfattr *tb[CTA_PROTONAT_MAX]; | ||
606 | struct ip_nat_protocol *npt; | ||
607 | |||
608 | DEBUGP("entered %s\n", __FUNCTION__); | ||
609 | |||
610 | memset(tb, 0, CTA_PROTONAT_MAX * sizeof(tb)); | ||
611 | |||
612 | if (nfattr_parse_nested(tb, CTA_PROTONAT_MAX, attr) < 0) | ||
613 | goto nfattr_failure; | ||
614 | |||
615 | if (nfattr_bad_size(tb, CTA_PROTONAT_MAX, cta_min_protonat)) | ||
616 | goto nfattr_failure; | ||
617 | |||
618 | npt = ip_nat_proto_find_get(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum); | ||
619 | if (!npt) | ||
620 | return 0; | ||
621 | |||
622 | if (!npt->nfattr_to_range) { | ||
623 | ip_nat_proto_put(npt); | ||
624 | return 0; | ||
625 | } | ||
626 | |||
627 | /* nfattr_to_range returns 1 if it parsed, 0 if not, neg. on error */ | ||
628 | if (npt->nfattr_to_range(tb, range) > 0) | ||
629 | range->flags |= IP_NAT_RANGE_PROTO_SPECIFIED; | ||
630 | |||
631 | ip_nat_proto_put(npt); | ||
632 | |||
633 | DEBUGP("leaving\n"); | ||
634 | return 0; | ||
635 | |||
636 | nfattr_failure: | ||
637 | return -1; | ||
638 | } | ||
639 | |||
640 | static inline int | ||
641 | ctnetlink_parse_nat(struct nfattr *cda[], | ||
642 | const struct ip_conntrack *ct, struct ip_nat_range *range) | ||
643 | { | ||
644 | struct nfattr *tb[CTA_NAT_MAX]; | ||
645 | int err; | ||
646 | |||
647 | DEBUGP("entered %s\n", __FUNCTION__); | ||
648 | |||
649 | memset(tb, 0, CTA_NAT_MAX * sizeof(tb)); | ||
650 | memset(range, 0, sizeof(*range)); | ||
651 | |||
652 | if (nfattr_parse_nested(tb, CTA_NAT_MAX, cda[CTA_NAT-1]) < 0) | ||
653 | goto nfattr_failure; | ||
654 | |||
655 | if (tb[CTA_NAT_MINIP-1]) | ||
656 | range->min_ip = *(u_int32_t *)NFA_DATA(tb[CTA_NAT_MINIP-1]); | ||
657 | |||
658 | if (!tb[CTA_NAT_MAXIP-1]) | ||
659 | range->max_ip = range->min_ip; | ||
660 | else | ||
661 | range->max_ip = *(u_int32_t *)NFA_DATA(tb[CTA_NAT_MAXIP-1]); | ||
662 | |||
663 | if (range->min_ip) | ||
664 | range->flags |= IP_NAT_RANGE_MAP_IPS; | ||
665 | |||
666 | if (!tb[CTA_NAT_PROTO-1]) | ||
667 | return 0; | ||
668 | |||
669 | err = ctnetlink_parse_nat_proto(tb[CTA_NAT_PROTO-1], ct, range); | ||
670 | if (err < 0) | ||
671 | return err; | ||
672 | |||
673 | DEBUGP("leaving\n"); | ||
674 | return 0; | ||
675 | |||
676 | nfattr_failure: | ||
677 | return -1; | ||
678 | } | ||
679 | #endif | ||
680 | |||
681 | static inline int | ||
682 | ctnetlink_parse_help(struct nfattr *attr, char **helper_name) | ||
683 | { | ||
684 | struct nfattr *tb[CTA_HELP_MAX]; | ||
685 | |||
686 | DEBUGP("entered %s\n", __FUNCTION__); | ||
687 | memset(tb, 0, CTA_HELP_MAX * sizeof(tb)); | ||
688 | |||
689 | if (nfattr_parse_nested(tb, CTA_HELP_MAX, attr) < 0) | ||
690 | goto nfattr_failure; | ||
691 | |||
692 | if (!tb[CTA_HELP_NAME-1]) | ||
693 | return -EINVAL; | ||
694 | |||
695 | *helper_name = NFA_DATA(tb[CTA_HELP_NAME-1]); | ||
696 | |||
697 | return 0; | ||
698 | |||
699 | nfattr_failure: | ||
700 | return -1; | ||
701 | } | ||
702 | |||
703 | static int | ||
704 | ctnetlink_del_conntrack(struct sock *ctnl, struct sk_buff *skb, | ||
705 | struct nlmsghdr *nlh, struct nfattr *cda[], int *errp) | ||
706 | { | ||
707 | struct ip_conntrack_tuple_hash *h; | ||
708 | struct ip_conntrack_tuple tuple; | ||
709 | struct ip_conntrack *ct; | ||
710 | int err = 0; | ||
711 | |||
712 | DEBUGP("entered %s\n", __FUNCTION__); | ||
713 | |||
714 | if (cda[CTA_TUPLE_ORIG-1]) | ||
715 | err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG); | ||
716 | else if (cda[CTA_TUPLE_REPLY-1]) | ||
717 | err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY); | ||
718 | else { | ||
719 | /* Flush the whole table */ | ||
720 | ip_conntrack_flush(); | ||
721 | return 0; | ||
722 | } | ||
723 | |||
724 | if (err < 0) | ||
725 | return err; | ||
726 | |||
727 | h = ip_conntrack_find_get(&tuple, NULL); | ||
728 | if (!h) { | ||
729 | DEBUGP("tuple not found in conntrack hash\n"); | ||
730 | return -ENOENT; | ||
731 | } | ||
732 | |||
733 | ct = tuplehash_to_ctrack(h); | ||
734 | |||
735 | if (cda[CTA_ID-1]) { | ||
736 | u_int32_t id = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_ID-1])); | ||
737 | if (ct->id != id) { | ||
738 | ip_conntrack_put(ct); | ||
739 | return -ENOENT; | ||
740 | } | ||
741 | } | ||
742 | if (del_timer(&ct->timeout)) { | ||
743 | ip_conntrack_put(ct); | ||
744 | ct->timeout.function((unsigned long)ct); | ||
745 | return 0; | ||
746 | } | ||
747 | ip_conntrack_put(ct); | ||
748 | DEBUGP("leaving\n"); | ||
749 | |||
750 | return 0; | ||
751 | } | ||
752 | |||
753 | static int | ||
754 | ctnetlink_get_conntrack(struct sock *ctnl, struct sk_buff *skb, | ||
755 | struct nlmsghdr *nlh, struct nfattr *cda[], int *errp) | ||
756 | { | ||
757 | struct ip_conntrack_tuple_hash *h; | ||
758 | struct ip_conntrack_tuple tuple; | ||
759 | struct ip_conntrack *ct; | ||
760 | struct sk_buff *skb2 = NULL; | ||
761 | int err = 0; | ||
762 | |||
763 | DEBUGP("entered %s\n", __FUNCTION__); | ||
764 | |||
765 | if (nlh->nlmsg_flags & NLM_F_DUMP) { | ||
766 | struct nfgenmsg *msg = NLMSG_DATA(nlh); | ||
767 | u32 rlen; | ||
768 | |||
769 | if (msg->nfgen_family != AF_INET) | ||
770 | return -EAFNOSUPPORT; | ||
771 | |||
772 | if (NFNL_MSG_TYPE(nlh->nlmsg_type) == | ||
773 | IPCTNL_MSG_CT_GET_CTRZERO) { | ||
774 | #ifdef CONFIG_IP_NF_CT_ACCT | ||
775 | if ((*errp = netlink_dump_start(ctnl, skb, nlh, | ||
776 | ctnetlink_dump_table_w, | ||
777 | ctnetlink_done)) != 0) | ||
778 | return -EINVAL; | ||
779 | #else | ||
780 | return -ENOTSUPP; | ||
781 | #endif | ||
782 | } else { | ||
783 | if ((*errp = netlink_dump_start(ctnl, skb, nlh, | ||
784 | ctnetlink_dump_table, | ||
785 | ctnetlink_done)) != 0) | ||
786 | return -EINVAL; | ||
787 | } | ||
788 | |||
789 | rlen = NLMSG_ALIGN(nlh->nlmsg_len); | ||
790 | if (rlen > skb->len) | ||
791 | rlen = skb->len; | ||
792 | skb_pull(skb, rlen); | ||
793 | return 0; | ||
794 | } | ||
795 | |||
796 | if (cda[CTA_TUPLE_ORIG-1]) | ||
797 | err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG); | ||
798 | else if (cda[CTA_TUPLE_REPLY-1]) | ||
799 | err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY); | ||
800 | else | ||
801 | return -EINVAL; | ||
802 | |||
803 | if (err < 0) | ||
804 | return err; | ||
805 | |||
806 | h = ip_conntrack_find_get(&tuple, NULL); | ||
807 | if (!h) { | ||
808 | DEBUGP("tuple not found in conntrack hash"); | ||
809 | return -ENOENT; | ||
810 | } | ||
811 | DEBUGP("tuple found\n"); | ||
812 | ct = tuplehash_to_ctrack(h); | ||
813 | |||
814 | err = -ENOMEM; | ||
815 | skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); | ||
816 | if (!skb2) { | ||
817 | ip_conntrack_put(ct); | ||
818 | return -ENOMEM; | ||
819 | } | ||
820 | NETLINK_CB(skb2).dst_pid = NETLINK_CB(skb).pid; | ||
821 | |||
822 | err = ctnetlink_fill_info(skb2, NETLINK_CB(skb).pid, nlh->nlmsg_seq, | ||
823 | IPCTNL_MSG_CT_NEW, 1, ct); | ||
824 | ip_conntrack_put(ct); | ||
825 | if (err <= 0) | ||
826 | goto out; | ||
827 | |||
828 | err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT); | ||
829 | if (err < 0) | ||
830 | goto out; | ||
831 | |||
832 | DEBUGP("leaving\n"); | ||
833 | return 0; | ||
834 | |||
835 | out: | ||
836 | if (skb2) | ||
837 | kfree_skb(skb2); | ||
838 | return -1; | ||
839 | } | ||
840 | |||
841 | static inline int | ||
842 | ctnetlink_change_status(struct ip_conntrack *ct, struct nfattr *cda[]) | ||
843 | { | ||
844 | unsigned long d, status = *(u_int32_t *)NFA_DATA(cda[CTA_STATUS-1]); | ||
845 | d = ct->status ^ status; | ||
846 | |||
847 | if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING)) | ||
848 | /* unchangeable */ | ||
849 | return -EINVAL; | ||
850 | |||
851 | if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY)) | ||
852 | /* SEEN_REPLY bit can only be set */ | ||
853 | return -EINVAL; | ||
854 | |||
855 | |||
856 | if (d & IPS_ASSURED && !(status & IPS_ASSURED)) | ||
857 | /* ASSURED bit can only be set */ | ||
858 | return -EINVAL; | ||
859 | |||
860 | if (cda[CTA_NAT-1]) { | ||
861 | #ifndef CONFIG_IP_NF_NAT_NEEDED | ||
862 | return -EINVAL; | ||
863 | #else | ||
864 | unsigned int hooknum; | ||
865 | struct ip_nat_range range; | ||
866 | |||
867 | if (ctnetlink_parse_nat(cda, ct, &range) < 0) | ||
868 | return -EINVAL; | ||
869 | |||
870 | DEBUGP("NAT: %u.%u.%u.%u-%u.%u.%u.%u:%u-%u\n", | ||
871 | NIPQUAD(range.min_ip), NIPQUAD(range.max_ip), | ||
872 | htons(range.min.all), htons(range.max.all)); | ||
873 | |||
874 | /* This is tricky but it works. ip_nat_setup_info needs the | ||
875 | * hook number as parameter, so let's do the correct | ||
876 | * conversion and run away */ | ||
877 | if (status & IPS_SRC_NAT_DONE) | ||
878 | hooknum = NF_IP_POST_ROUTING; /* IP_NAT_MANIP_SRC */ | ||
879 | else if (status & IPS_DST_NAT_DONE) | ||
880 | hooknum = NF_IP_PRE_ROUTING; /* IP_NAT_MANIP_DST */ | ||
881 | else | ||
882 | return -EINVAL; /* Missing NAT flags */ | ||
883 | |||
884 | DEBUGP("NAT status: %lu\n", | ||
885 | status & (IPS_NAT_MASK | IPS_NAT_DONE_MASK)); | ||
886 | |||
887 | if (ip_nat_initialized(ct, hooknum)) | ||
888 | return -EEXIST; | ||
889 | ip_nat_setup_info(ct, &range, hooknum); | ||
890 | |||
891 | DEBUGP("NAT status after setup_info: %lu\n", | ||
892 | ct->status & (IPS_NAT_MASK | IPS_NAT_DONE_MASK)); | ||
893 | #endif | ||
894 | } | ||
895 | |||
896 | /* Be careful here, modifying NAT bits can screw up things, | ||
897 | * so don't let users modify them directly if they don't pass | ||
898 | * ip_nat_range. */ | ||
899 | ct->status |= status & ~(IPS_NAT_DONE_MASK | IPS_NAT_MASK); | ||
900 | return 0; | ||
901 | } | ||
902 | |||
903 | |||
904 | static inline int | ||
905 | ctnetlink_change_helper(struct ip_conntrack *ct, struct nfattr *cda[]) | ||
906 | { | ||
907 | struct ip_conntrack_helper *helper; | ||
908 | char *helpname; | ||
909 | int err; | ||
910 | |||
911 | DEBUGP("entered %s\n", __FUNCTION__); | ||
912 | |||
913 | /* don't change helper of sibling connections */ | ||
914 | if (ct->master) | ||
915 | return -EINVAL; | ||
916 | |||
917 | err = ctnetlink_parse_help(cda[CTA_HELP-1], &helpname); | ||
918 | if (err < 0) | ||
919 | return err; | ||
920 | |||
921 | helper = __ip_conntrack_helper_find_byname(helpname); | ||
922 | if (!helper) { | ||
923 | if (!strcmp(helpname, "")) | ||
924 | helper = NULL; | ||
925 | else | ||
926 | return -EINVAL; | ||
927 | } | ||
928 | |||
929 | if (ct->helper) { | ||
930 | if (!helper) { | ||
931 | /* we had a helper before ... */ | ||
932 | ip_ct_remove_expectations(ct); | ||
933 | ct->helper = NULL; | ||
934 | } else { | ||
935 | /* need to zero data of old helper */ | ||
936 | memset(&ct->help, 0, sizeof(ct->help)); | ||
937 | } | ||
938 | } | ||
939 | |||
940 | ct->helper = helper; | ||
941 | |||
942 | return 0; | ||
943 | } | ||
944 | |||
945 | static inline int | ||
946 | ctnetlink_change_timeout(struct ip_conntrack *ct, struct nfattr *cda[]) | ||
947 | { | ||
948 | u_int32_t timeout = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_TIMEOUT-1])); | ||
949 | |||
950 | if (!del_timer(&ct->timeout)) | ||
951 | return -ETIME; | ||
952 | |||
953 | ct->timeout.expires = jiffies + timeout * HZ; | ||
954 | add_timer(&ct->timeout); | ||
955 | |||
956 | return 0; | ||
957 | } | ||
958 | |||
959 | static int | ||
960 | ctnetlink_change_conntrack(struct ip_conntrack *ct, struct nfattr *cda[]) | ||
961 | { | ||
962 | int err; | ||
963 | |||
964 | DEBUGP("entered %s\n", __FUNCTION__); | ||
965 | |||
966 | if (cda[CTA_HELP-1]) { | ||
967 | err = ctnetlink_change_helper(ct, cda); | ||
968 | if (err < 0) | ||
969 | return err; | ||
970 | } | ||
971 | |||
972 | if (cda[CTA_TIMEOUT-1]) { | ||
973 | err = ctnetlink_change_timeout(ct, cda); | ||
974 | if (err < 0) | ||
975 | return err; | ||
976 | } | ||
977 | |||
978 | if (cda[CTA_STATUS-1]) { | ||
979 | err = ctnetlink_change_status(ct, cda); | ||
980 | if (err < 0) | ||
981 | return err; | ||
982 | } | ||
983 | |||
984 | DEBUGP("all done\n"); | ||
985 | return 0; | ||
986 | } | ||
987 | |||
988 | static int | ||
989 | ctnetlink_create_conntrack(struct nfattr *cda[], | ||
990 | struct ip_conntrack_tuple *otuple, | ||
991 | struct ip_conntrack_tuple *rtuple) | ||
992 | { | ||
993 | struct ip_conntrack *ct; | ||
994 | int err = -EINVAL; | ||
995 | |||
996 | DEBUGP("entered %s\n", __FUNCTION__); | ||
997 | |||
998 | ct = ip_conntrack_alloc(otuple, rtuple); | ||
999 | if (ct == NULL || IS_ERR(ct)) | ||
1000 | return -ENOMEM; | ||
1001 | |||
1002 | if (!cda[CTA_TIMEOUT-1]) | ||
1003 | goto err; | ||
1004 | ct->timeout.expires = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_TIMEOUT-1])); | ||
1005 | |||
1006 | ct->timeout.expires = jiffies + ct->timeout.expires * HZ; | ||
1007 | ct->status |= IPS_CONFIRMED; | ||
1008 | |||
1009 | err = ctnetlink_change_status(ct, cda); | ||
1010 | if (err < 0) | ||
1011 | goto err; | ||
1012 | |||
1013 | ct->helper = ip_conntrack_helper_find_get(rtuple); | ||
1014 | |||
1015 | add_timer(&ct->timeout); | ||
1016 | ip_conntrack_hash_insert(ct); | ||
1017 | |||
1018 | if (ct->helper) | ||
1019 | ip_conntrack_helper_put(ct->helper); | ||
1020 | |||
1021 | DEBUGP("conntrack with id %u inserted\n", ct->id); | ||
1022 | return 0; | ||
1023 | |||
1024 | err: | ||
1025 | ip_conntrack_free(ct); | ||
1026 | return err; | ||
1027 | } | ||
1028 | |||
1029 | static int | ||
1030 | ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb, | ||
1031 | struct nlmsghdr *nlh, struct nfattr *cda[], int *errp) | ||
1032 | { | ||
1033 | struct ip_conntrack_tuple otuple, rtuple; | ||
1034 | struct ip_conntrack_tuple_hash *h = NULL; | ||
1035 | int err = 0; | ||
1036 | |||
1037 | DEBUGP("entered %s\n", __FUNCTION__); | ||
1038 | |||
1039 | if (cda[CTA_TUPLE_ORIG-1]) { | ||
1040 | err = ctnetlink_parse_tuple(cda, &otuple, CTA_TUPLE_ORIG); | ||
1041 | if (err < 0) | ||
1042 | return err; | ||
1043 | } | ||
1044 | |||
1045 | if (cda[CTA_TUPLE_REPLY-1]) { | ||
1046 | err = ctnetlink_parse_tuple(cda, &rtuple, CTA_TUPLE_REPLY); | ||
1047 | if (err < 0) | ||
1048 | return err; | ||
1049 | } | ||
1050 | |||
1051 | write_lock_bh(&ip_conntrack_lock); | ||
1052 | if (cda[CTA_TUPLE_ORIG-1]) | ||
1053 | h = __ip_conntrack_find(&otuple, NULL); | ||
1054 | else if (cda[CTA_TUPLE_REPLY-1]) | ||
1055 | h = __ip_conntrack_find(&rtuple, NULL); | ||
1056 | |||
1057 | if (h == NULL) { | ||
1058 | write_unlock_bh(&ip_conntrack_lock); | ||
1059 | DEBUGP("no such conntrack, create new\n"); | ||
1060 | err = -ENOENT; | ||
1061 | if (nlh->nlmsg_flags & NLM_F_CREATE) | ||
1062 | err = ctnetlink_create_conntrack(cda, &otuple, &rtuple); | ||
1063 | goto out_unlock; | ||
1064 | } else { | ||
1065 | /* we only allow nat config for new conntracks */ | ||
1066 | if (cda[CTA_NAT-1]) { | ||
1067 | err = -EINVAL; | ||
1068 | goto out_unlock; | ||
1069 | } | ||
1070 | } | ||
1071 | |||
1072 | /* We manipulate the conntrack inside the global conntrack table lock, | ||
1073 | * so there's no need to increase the refcount */ | ||
1074 | DEBUGP("conntrack found\n"); | ||
1075 | err = -EEXIST; | ||
1076 | if (!(nlh->nlmsg_flags & NLM_F_EXCL)) | ||
1077 | err = ctnetlink_change_conntrack(tuplehash_to_ctrack(h), cda); | ||
1078 | |||
1079 | out_unlock: | ||
1080 | write_unlock_bh(&ip_conntrack_lock); | ||
1081 | return err; | ||
1082 | } | ||
1083 | |||
1084 | /*********************************************************************** | ||
1085 | * EXPECT | ||
1086 | ***********************************************************************/ | ||
1087 | |||
1088 | static inline int | ||
1089 | ctnetlink_exp_dump_tuple(struct sk_buff *skb, | ||
1090 | const struct ip_conntrack_tuple *tuple, | ||
1091 | enum ctattr_expect type) | ||
1092 | { | ||
1093 | struct nfattr *nest_parms = NFA_NEST(skb, type); | ||
1094 | |||
1095 | if (ctnetlink_dump_tuples(skb, tuple) < 0) | ||
1096 | goto nfattr_failure; | ||
1097 | |||
1098 | NFA_NEST_END(skb, nest_parms); | ||
1099 | |||
1100 | return 0; | ||
1101 | |||
1102 | nfattr_failure: | ||
1103 | return -1; | ||
1104 | } | ||
1105 | |||
1106 | static inline int | ||
1107 | ctnetlink_exp_dump_expect(struct sk_buff *skb, | ||
1108 | const struct ip_conntrack_expect *exp) | ||
1109 | { | ||
1110 | u_int32_t timeout = htonl((exp->timeout.expires - jiffies) / HZ); | ||
1111 | u_int32_t id = htonl(exp->id); | ||
1112 | struct nfattr *nest_parms = NFA_NEST(skb, CTA_EXPECT); | ||
1113 | |||
1114 | if (ctnetlink_exp_dump_tuple(skb, &exp->tuple, CTA_EXPECT_TUPLE) < 0) | ||
1115 | goto nfattr_failure; | ||
1116 | if (ctnetlink_exp_dump_tuple(skb, &exp->mask, CTA_EXPECT_MASK) < 0) | ||
1117 | goto nfattr_failure; | ||
1118 | |||
1119 | NFA_PUT(skb, CTA_EXPECT_TIMEOUT, sizeof(timeout), &timeout); | ||
1120 | NFA_PUT(skb, CTA_EXPECT_ID, sizeof(u_int32_t), &id); | ||
1121 | NFA_NEST_END(skb, nest_parms); | ||
1122 | |||
1123 | return 0; | ||
1124 | |||
1125 | nfattr_failure: | ||
1126 | return -1; | ||
1127 | } | ||
1128 | |||
1129 | static int | ||
1130 | ctnetlink_exp_fill_info(struct sk_buff *skb, u32 pid, u32 seq, | ||
1131 | int event, | ||
1132 | int nowait, | ||
1133 | const struct ip_conntrack_expect *exp) | ||
1134 | { | ||
1135 | struct nlmsghdr *nlh; | ||
1136 | struct nfgenmsg *nfmsg; | ||
1137 | unsigned char *b; | ||
1138 | |||
1139 | b = skb->tail; | ||
1140 | |||
1141 | event |= NFNL_SUBSYS_CTNETLINK_EXP << 8; | ||
1142 | nlh = NLMSG_PUT(skb, pid, seq, event, sizeof(struct nfgenmsg)); | ||
1143 | nfmsg = NLMSG_DATA(nlh); | ||
1144 | |||
1145 | nlh->nlmsg_flags = (nowait && pid) ? NLM_F_MULTI : 0; | ||
1146 | nfmsg->nfgen_family = AF_INET; | ||
1147 | nfmsg->version = NFNETLINK_V0; | ||
1148 | nfmsg->res_id = 0; | ||
1149 | |||
1150 | if (ctnetlink_exp_dump_expect(skb, exp) < 0) | ||
1151 | goto nfattr_failure; | ||
1152 | |||
1153 | nlh->nlmsg_len = skb->tail - b; | ||
1154 | return skb->len; | ||
1155 | |||
1156 | nlmsg_failure: | ||
1157 | nfattr_failure: | ||
1158 | skb_trim(skb, b - skb->data); | ||
1159 | return -1; | ||
1160 | } | ||
1161 | |||
1162 | #ifdef CONFIG_IP_NF_CONNTRACK_EVENTS | ||
1163 | static int ctnetlink_expect_event(struct notifier_block *this, | ||
1164 | unsigned long events, void *ptr) | ||
1165 | { | ||
1166 | struct nlmsghdr *nlh; | ||
1167 | struct nfgenmsg *nfmsg; | ||
1168 | struct ip_conntrack_expect *exp = (struct ip_conntrack_expect *)ptr; | ||
1169 | struct sk_buff *skb; | ||
1170 | unsigned int type; | ||
1171 | unsigned char *b; | ||
1172 | int flags = 0; | ||
1173 | u16 proto; | ||
1174 | |||
1175 | if (events & IPEXP_NEW) { | ||
1176 | type = IPCTNL_MSG_EXP_NEW; | ||
1177 | flags = NLM_F_CREATE|NLM_F_EXCL; | ||
1178 | } else | ||
1179 | return NOTIFY_DONE; | ||
1180 | |||
1181 | skb = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC); | ||
1182 | if (!skb) | ||
1183 | return NOTIFY_DONE; | ||
1184 | |||
1185 | b = skb->tail; | ||
1186 | |||
1187 | type |= NFNL_SUBSYS_CTNETLINK << 8; | ||
1188 | nlh = NLMSG_PUT(skb, 0, 0, type, sizeof(struct nfgenmsg)); | ||
1189 | nfmsg = NLMSG_DATA(nlh); | ||
1190 | |||
1191 | nlh->nlmsg_flags = flags; | ||
1192 | nfmsg->nfgen_family = AF_INET; | ||
1193 | nfmsg->version = NFNETLINK_V0; | ||
1194 | nfmsg->res_id = 0; | ||
1195 | |||
1196 | if (ctnetlink_exp_dump_expect(skb, exp) < 0) | ||
1197 | goto nfattr_failure; | ||
1198 | |||
1199 | nlh->nlmsg_len = skb->tail - b; | ||
1200 | proto = exp->tuple.dst.protonum; | ||
1201 | nfnetlink_send(skb, 0, NF_NETLINK_CONNTRACK_EXP_NEW, 0); | ||
1202 | return NOTIFY_DONE; | ||
1203 | |||
1204 | nlmsg_failure: | ||
1205 | nfattr_failure: | ||
1206 | kfree_skb(skb); | ||
1207 | return NOTIFY_DONE; | ||
1208 | } | ||
1209 | #endif | ||
1210 | |||
1211 | static int | ||
1212 | ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) | ||
1213 | { | ||
1214 | struct ip_conntrack_expect *exp = NULL; | ||
1215 | struct list_head *i; | ||
1216 | u_int32_t *id = (u_int32_t *) &cb->args[0]; | ||
1217 | |||
1218 | DEBUGP("entered %s, last id=%llu\n", __FUNCTION__, *id); | ||
1219 | |||
1220 | read_lock_bh(&ip_conntrack_lock); | ||
1221 | list_for_each(i, &ip_conntrack_expect_list) { | ||
1222 | exp = (struct ip_conntrack_expect *) i; | ||
1223 | if (exp->id <= *id) | ||
1224 | continue; | ||
1225 | if (ctnetlink_exp_fill_info(skb, NETLINK_CB(cb->skb).pid, | ||
1226 | cb->nlh->nlmsg_seq, | ||
1227 | IPCTNL_MSG_EXP_NEW, | ||
1228 | 1, exp) < 0) | ||
1229 | goto out; | ||
1230 | *id = exp->id; | ||
1231 | } | ||
1232 | out: | ||
1233 | read_unlock_bh(&ip_conntrack_lock); | ||
1234 | |||
1235 | DEBUGP("leaving, last id=%llu\n", *id); | ||
1236 | |||
1237 | return skb->len; | ||
1238 | } | ||
1239 | |||
1240 | static int | ||
1241 | ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb, | ||
1242 | struct nlmsghdr *nlh, struct nfattr *cda[], int *errp) | ||
1243 | { | ||
1244 | struct ip_conntrack_tuple tuple; | ||
1245 | struct ip_conntrack_expect *exp; | ||
1246 | struct sk_buff *skb2; | ||
1247 | int err = 0; | ||
1248 | |||
1249 | DEBUGP("entered %s\n", __FUNCTION__); | ||
1250 | |||
1251 | if (nlh->nlmsg_flags & NLM_F_DUMP) { | ||
1252 | struct nfgenmsg *msg = NLMSG_DATA(nlh); | ||
1253 | u32 rlen; | ||
1254 | |||
1255 | if (msg->nfgen_family != AF_INET) | ||
1256 | return -EAFNOSUPPORT; | ||
1257 | |||
1258 | if ((*errp = netlink_dump_start(ctnl, skb, nlh, | ||
1259 | ctnetlink_exp_dump_table, | ||
1260 | ctnetlink_done)) != 0) | ||
1261 | return -EINVAL; | ||
1262 | rlen = NLMSG_ALIGN(nlh->nlmsg_len); | ||
1263 | if (rlen > skb->len) | ||
1264 | rlen = skb->len; | ||
1265 | skb_pull(skb, rlen); | ||
1266 | return 0; | ||
1267 | } | ||
1268 | |||
1269 | if (cda[CTA_TUPLE_ORIG-1]) | ||
1270 | err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG); | ||
1271 | else if (cda[CTA_TUPLE_REPLY-1]) | ||
1272 | err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY); | ||
1273 | else | ||
1274 | return -EINVAL; | ||
1275 | |||
1276 | if (err < 0) | ||
1277 | return err; | ||
1278 | |||
1279 | exp = ip_conntrack_expect_find_get(&tuple); | ||
1280 | if (!exp) | ||
1281 | return -ENOENT; | ||
1282 | |||
1283 | err = -ENOMEM; | ||
1284 | skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL); | ||
1285 | if (!skb2) | ||
1286 | goto out; | ||
1287 | NETLINK_CB(skb2).dst_pid = NETLINK_CB(skb).pid; | ||
1288 | |||
1289 | err = ctnetlink_exp_fill_info(skb2, NETLINK_CB(skb).pid, | ||
1290 | nlh->nlmsg_seq, IPCTNL_MSG_EXP_NEW, | ||
1291 | 1, exp); | ||
1292 | if (err <= 0) | ||
1293 | goto out; | ||
1294 | |||
1295 | ip_conntrack_expect_put(exp); | ||
1296 | |||
1297 | err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT); | ||
1298 | if (err < 0) | ||
1299 | goto free; | ||
1300 | |||
1301 | return err; | ||
1302 | |||
1303 | out: | ||
1304 | ip_conntrack_expect_put(exp); | ||
1305 | free: | ||
1306 | if (skb2) | ||
1307 | kfree_skb(skb2); | ||
1308 | return err; | ||
1309 | } | ||
1310 | |||
1311 | static int | ||
1312 | ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb, | ||
1313 | struct nlmsghdr *nlh, struct nfattr *cda[], int *errp) | ||
1314 | { | ||
1315 | struct ip_conntrack_expect *exp, *tmp; | ||
1316 | struct ip_conntrack_tuple tuple; | ||
1317 | struct ip_conntrack_helper *h; | ||
1318 | int err; | ||
1319 | |||
1320 | /* delete by tuple needs either orig or reply tuple */ | ||
1321 | if (cda[CTA_TUPLE_ORIG-1]) | ||
1322 | err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG); | ||
1323 | else if (cda[CTA_TUPLE_REPLY-1]) | ||
1324 | err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY); | ||
1325 | else if (cda[CTA_HELP_NAME-1]) { | ||
1326 | char *name = NFA_DATA(cda[CTA_HELP_NAME-1]); | ||
1327 | |||
1328 | /* delete all expectations for this helper */ | ||
1329 | write_lock_bh(&ip_conntrack_lock); | ||
1330 | h = __ip_conntrack_helper_find_byname(name); | ||
1331 | if (!h) { | ||
1332 | write_unlock_bh(&ip_conntrack_lock); | ||
1333 | return -EINVAL; | ||
1334 | } | ||
1335 | list_for_each_entry_safe(exp, tmp, &ip_conntrack_expect_list, | ||
1336 | list) { | ||
1337 | if (exp->master->helper == h | ||
1338 | && del_timer(&exp->timeout)) | ||
1339 | __ip_ct_expect_unlink_destroy(exp); | ||
1340 | } | ||
1341 | write_unlock(&ip_conntrack_lock); | ||
1342 | return 0; | ||
1343 | } else { | ||
1344 | /* This basically means we have to flush everything*/ | ||
1345 | write_lock_bh(&ip_conntrack_lock); | ||
1346 | list_for_each_entry_safe(exp, tmp, &ip_conntrack_expect_list, | ||
1347 | list) { | ||
1348 | if (del_timer(&exp->timeout)) | ||
1349 | __ip_ct_expect_unlink_destroy(exp); | ||
1350 | } | ||
1351 | write_unlock_bh(&ip_conntrack_lock); | ||
1352 | return 0; | ||
1353 | } | ||
1354 | |||
1355 | if (err < 0) | ||
1356 | return err; | ||
1357 | |||
1358 | /* bump usage count to 2 */ | ||
1359 | exp = ip_conntrack_expect_find_get(&tuple); | ||
1360 | if (!exp) | ||
1361 | return -ENOENT; | ||
1362 | |||
1363 | if (cda[CTA_EXPECT_ID-1]) { | ||
1364 | u_int32_t id = *(u_int32_t *)NFA_DATA(cda[CTA_EXPECT_ID-1]); | ||
1365 | if (exp->id != ntohl(id)) { | ||
1366 | ip_conntrack_expect_put(exp); | ||
1367 | return -ENOENT; | ||
1368 | } | ||
1369 | } | ||
1370 | |||
1371 | /* after list removal, usage count == 1 */ | ||
1372 | ip_conntrack_unexpect_related(exp); | ||
1373 | /* have to put what we 'get' above. after this line usage count == 0 */ | ||
1374 | ip_conntrack_expect_put(exp); | ||
1375 | |||
1376 | return 0; | ||
1377 | } | ||
1378 | static int | ||
1379 | ctnetlink_change_expect(struct ip_conntrack_expect *x, struct nfattr *cda[]) | ||
1380 | { | ||
1381 | return -EOPNOTSUPP; | ||
1382 | } | ||
1383 | |||
1384 | static int | ||
1385 | ctnetlink_create_expect(struct nfattr *cda[]) | ||
1386 | { | ||
1387 | struct ip_conntrack_tuple tuple, mask, master_tuple; | ||
1388 | struct ip_conntrack_tuple_hash *h = NULL; | ||
1389 | struct ip_conntrack_expect *exp; | ||
1390 | struct ip_conntrack *ct; | ||
1391 | int err = 0; | ||
1392 | |||
1393 | DEBUGP("entered %s\n", __FUNCTION__); | ||
1394 | |||
1395 | err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE); | ||
1396 | if (err < 0) | ||
1397 | return err; | ||
1398 | err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASK); | ||
1399 | if (err < 0) | ||
1400 | return err; | ||
1401 | |||
1402 | if (cda[CTA_TUPLE_ORIG-1]) | ||
1403 | err = ctnetlink_parse_tuple(cda, &master_tuple, CTA_TUPLE_ORIG); | ||
1404 | else if (cda[CTA_TUPLE_REPLY-1]) | ||
1405 | err = ctnetlink_parse_tuple(cda, &master_tuple, | ||
1406 | CTA_TUPLE_REPLY); | ||
1407 | else | ||
1408 | return -EINVAL; | ||
1409 | |||
1410 | if (err < 0) | ||
1411 | return err; | ||
1412 | |||
1413 | /* Look for master conntrack of this expectation */ | ||
1414 | h = ip_conntrack_find_get(&master_tuple, NULL); | ||
1415 | if (!h) | ||
1416 | return -ENOENT; | ||
1417 | ct = tuplehash_to_ctrack(h); | ||
1418 | |||
1419 | if (!ct->helper) { | ||
1420 | /* such conntrack hasn't got any helper, abort */ | ||
1421 | err = -EINVAL; | ||
1422 | goto out; | ||
1423 | } | ||
1424 | |||
1425 | exp = ip_conntrack_expect_alloc(ct); | ||
1426 | if (!exp) { | ||
1427 | err = -ENOMEM; | ||
1428 | goto out; | ||
1429 | } | ||
1430 | |||
1431 | exp->expectfn = NULL; | ||
1432 | exp->master = ct; | ||
1433 | memcpy(&exp->tuple, &tuple, sizeof(struct ip_conntrack_tuple)); | ||
1434 | memcpy(&exp->mask, &mask, sizeof(struct ip_conntrack_tuple)); | ||
1435 | |||
1436 | err = ip_conntrack_expect_related(exp); | ||
1437 | ip_conntrack_expect_put(exp); | ||
1438 | |||
1439 | out: | ||
1440 | ip_conntrack_put(tuplehash_to_ctrack(h)); | ||
1441 | return err; | ||
1442 | } | ||
1443 | |||
1444 | static int | ||
1445 | ctnetlink_new_expect(struct sock *ctnl, struct sk_buff *skb, | ||
1446 | struct nlmsghdr *nlh, struct nfattr *cda[], int *errp) | ||
1447 | { | ||
1448 | struct ip_conntrack_tuple tuple; | ||
1449 | struct ip_conntrack_expect *exp; | ||
1450 | int err = 0; | ||
1451 | |||
1452 | DEBUGP("entered %s\n", __FUNCTION__); | ||
1453 | |||
1454 | if (!cda[CTA_EXPECT_TUPLE-1] || !cda[CTA_EXPECT_MASK-1]) | ||
1455 | return -EINVAL; | ||
1456 | |||
1457 | err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE); | ||
1458 | if (err < 0) | ||
1459 | return err; | ||
1460 | |||
1461 | write_lock_bh(&ip_conntrack_lock); | ||
1462 | exp = __ip_conntrack_expect_find(&tuple); | ||
1463 | |||
1464 | if (!exp) { | ||
1465 | write_unlock_bh(&ip_conntrack_lock); | ||
1466 | err = -ENOENT; | ||
1467 | if (nlh->nlmsg_flags & NLM_F_CREATE) | ||
1468 | err = ctnetlink_create_expect(cda); | ||
1469 | return err; | ||
1470 | } | ||
1471 | |||
1472 | err = -EEXIST; | ||
1473 | if (!(nlh->nlmsg_flags & NLM_F_EXCL)) | ||
1474 | err = ctnetlink_change_expect(exp, cda); | ||
1475 | write_unlock_bh(&ip_conntrack_lock); | ||
1476 | |||
1477 | DEBUGP("leaving\n"); | ||
1478 | |||
1479 | return err; | ||
1480 | } | ||
1481 | |||
1482 | #ifdef CONFIG_IP_NF_CONNTRACK_EVENTS | ||
1483 | static struct notifier_block ctnl_notifier = { | ||
1484 | .notifier_call = ctnetlink_conntrack_event, | ||
1485 | }; | ||
1486 | |||
1487 | static struct notifier_block ctnl_notifier_exp = { | ||
1488 | .notifier_call = ctnetlink_expect_event, | ||
1489 | }; | ||
1490 | #endif | ||
1491 | |||
1492 | static struct nfnl_callback ctnl_cb[IPCTNL_MSG_MAX] = { | ||
1493 | [IPCTNL_MSG_CT_NEW] = { .call = ctnetlink_new_conntrack, | ||
1494 | .cap_required = CAP_NET_ADMIN }, | ||
1495 | [IPCTNL_MSG_CT_GET] = { .call = ctnetlink_get_conntrack, | ||
1496 | .cap_required = CAP_NET_ADMIN }, | ||
1497 | [IPCTNL_MSG_CT_DELETE] = { .call = ctnetlink_del_conntrack, | ||
1498 | .cap_required = CAP_NET_ADMIN }, | ||
1499 | [IPCTNL_MSG_CT_GET_CTRZERO] = { .call = ctnetlink_get_conntrack, | ||
1500 | .cap_required = CAP_NET_ADMIN }, | ||
1501 | }; | ||
1502 | |||
1503 | static struct nfnl_callback ctnl_exp_cb[IPCTNL_MSG_MAX] = { | ||
1504 | [IPCTNL_MSG_EXP_GET] = { .call = ctnetlink_get_expect, | ||
1505 | .cap_required = CAP_NET_ADMIN }, | ||
1506 | [IPCTNL_MSG_EXP_NEW] = { .call = ctnetlink_new_expect, | ||
1507 | .cap_required = CAP_NET_ADMIN }, | ||
1508 | [IPCTNL_MSG_EXP_DELETE] = { .call = ctnetlink_del_expect, | ||
1509 | .cap_required = CAP_NET_ADMIN }, | ||
1510 | }; | ||
1511 | |||
1512 | static struct nfnetlink_subsystem ctnl_subsys = { | ||
1513 | .name = "conntrack", | ||
1514 | .subsys_id = NFNL_SUBSYS_CTNETLINK, | ||
1515 | .cb_count = IPCTNL_MSG_MAX, | ||
1516 | .attr_count = CTA_MAX, | ||
1517 | .cb = ctnl_cb, | ||
1518 | }; | ||
1519 | |||
1520 | static struct nfnetlink_subsystem ctnl_exp_subsys = { | ||
1521 | .name = "conntrack_expect", | ||
1522 | .subsys_id = NFNL_SUBSYS_CTNETLINK_EXP, | ||
1523 | .cb_count = IPCTNL_MSG_EXP_MAX, | ||
1524 | .attr_count = CTA_MAX, | ||
1525 | .cb = ctnl_exp_cb, | ||
1526 | }; | ||
1527 | |||
1528 | static int __init ctnetlink_init(void) | ||
1529 | { | ||
1530 | int ret; | ||
1531 | |||
1532 | printk("ctnetlink v%s: registering with nfnetlink.\n", version); | ||
1533 | ret = nfnetlink_subsys_register(&ctnl_subsys); | ||
1534 | if (ret < 0) { | ||
1535 | printk("ctnetlink_init: cannot register with nfnetlink.\n"); | ||
1536 | goto err_out; | ||
1537 | } | ||
1538 | |||
1539 | ret = nfnetlink_subsys_register(&ctnl_exp_subsys); | ||
1540 | if (ret < 0) { | ||
1541 | printk("ctnetlink_init: cannot register exp with nfnetlink.\n"); | ||
1542 | goto err_unreg_subsys; | ||
1543 | } | ||
1544 | |||
1545 | #ifdef CONFIG_IP_NF_CONNTRACK_EVENTS | ||
1546 | ret = ip_conntrack_register_notifier(&ctnl_notifier); | ||
1547 | if (ret < 0) { | ||
1548 | printk("ctnetlink_init: cannot register notifier.\n"); | ||
1549 | goto err_unreg_exp_subsys; | ||
1550 | } | ||
1551 | |||
1552 | ret = ip_conntrack_expect_register_notifier(&ctnl_notifier_exp); | ||
1553 | if (ret < 0) { | ||
1554 | printk("ctnetlink_init: cannot expect register notifier.\n"); | ||
1555 | goto err_unreg_notifier; | ||
1556 | } | ||
1557 | #endif | ||
1558 | |||
1559 | return 0; | ||
1560 | |||
1561 | #ifdef CONFIG_IP_NF_CONNTRACK_EVENTS | ||
1562 | err_unreg_notifier: | ||
1563 | ip_conntrack_unregister_notifier(&ctnl_notifier); | ||
1564 | err_unreg_exp_subsys: | ||
1565 | nfnetlink_subsys_unregister(&ctnl_exp_subsys); | ||
1566 | #endif | ||
1567 | err_unreg_subsys: | ||
1568 | nfnetlink_subsys_unregister(&ctnl_subsys); | ||
1569 | err_out: | ||
1570 | return ret; | ||
1571 | } | ||
1572 | |||
1573 | static void __exit ctnetlink_exit(void) | ||
1574 | { | ||
1575 | printk("ctnetlink: unregistering from nfnetlink.\n"); | ||
1576 | |||
1577 | #ifdef CONFIG_IP_NF_CONNTRACK_EVENTS | ||
1578 | ip_conntrack_unregister_notifier(&ctnl_notifier_exp); | ||
1579 | ip_conntrack_unregister_notifier(&ctnl_notifier); | ||
1580 | #endif | ||
1581 | |||
1582 | nfnetlink_subsys_unregister(&ctnl_exp_subsys); | ||
1583 | nfnetlink_subsys_unregister(&ctnl_subsys); | ||
1584 | return; | ||
1585 | } | ||
1586 | |||
1587 | module_init(ctnetlink_init); | ||
1588 | module_exit(ctnetlink_exit); | ||
diff --git a/net/ipv4/netfilter/ip_conntrack_proto_icmp.c b/net/ipv4/netfilter/ip_conntrack_proto_icmp.c index dca1f63d6f51..3f90cb9979ac 100644 --- a/net/ipv4/netfilter/ip_conntrack_proto_icmp.c +++ b/net/ipv4/netfilter/ip_conntrack_proto_icmp.c | |||
@@ -109,16 +109,17 @@ static int icmp_packet(struct ip_conntrack *ct, | |||
109 | return NF_ACCEPT; | 109 | return NF_ACCEPT; |
110 | } | 110 | } |
111 | 111 | ||
112 | static u_int8_t valid_new[] = { | ||
113 | [ICMP_ECHO] = 1, | ||
114 | [ICMP_TIMESTAMP] = 1, | ||
115 | [ICMP_INFO_REQUEST] = 1, | ||
116 | [ICMP_ADDRESS] = 1 | ||
117 | }; | ||
118 | |||
112 | /* Called when a new connection for this protocol found. */ | 119 | /* Called when a new connection for this protocol found. */ |
113 | static int icmp_new(struct ip_conntrack *conntrack, | 120 | static int icmp_new(struct ip_conntrack *conntrack, |
114 | const struct sk_buff *skb) | 121 | const struct sk_buff *skb) |
115 | { | 122 | { |
116 | static u_int8_t valid_new[] | ||
117 | = { [ICMP_ECHO] = 1, | ||
118 | [ICMP_TIMESTAMP] = 1, | ||
119 | [ICMP_INFO_REQUEST] = 1, | ||
120 | [ICMP_ADDRESS] = 1 }; | ||
121 | |||
122 | if (conntrack->tuplehash[0].tuple.dst.u.icmp.type >= sizeof(valid_new) | 123 | if (conntrack->tuplehash[0].tuple.dst.u.icmp.type >= sizeof(valid_new) |
123 | || !valid_new[conntrack->tuplehash[0].tuple.dst.u.icmp.type]) { | 124 | || !valid_new[conntrack->tuplehash[0].tuple.dst.u.icmp.type]) { |
124 | /* Can't create a new ICMP `conn' with this. */ | 125 | /* Can't create a new ICMP `conn' with this. */ |
@@ -159,11 +160,12 @@ icmp_error_message(struct sk_buff *skb, | |||
159 | return NF_ACCEPT; | 160 | return NF_ACCEPT; |
160 | } | 161 | } |
161 | 162 | ||
162 | innerproto = ip_ct_find_proto(inside->ip.protocol); | 163 | innerproto = ip_conntrack_proto_find_get(inside->ip.protocol); |
163 | dataoff = skb->nh.iph->ihl*4 + sizeof(inside->icmp) + inside->ip.ihl*4; | 164 | dataoff = skb->nh.iph->ihl*4 + sizeof(inside->icmp) + inside->ip.ihl*4; |
164 | /* Are they talking about one of our connections? */ | 165 | /* Are they talking about one of our connections? */ |
165 | if (!ip_ct_get_tuple(&inside->ip, skb, dataoff, &origtuple, innerproto)) { | 166 | if (!ip_ct_get_tuple(&inside->ip, skb, dataoff, &origtuple, innerproto)) { |
166 | DEBUGP("icmp_error: ! get_tuple p=%u", inside->ip.protocol); | 167 | DEBUGP("icmp_error: ! get_tuple p=%u", inside->ip.protocol); |
168 | ip_conntrack_proto_put(innerproto); | ||
167 | return NF_ACCEPT; | 169 | return NF_ACCEPT; |
168 | } | 170 | } |
169 | 171 | ||
@@ -171,8 +173,10 @@ icmp_error_message(struct sk_buff *skb, | |||
171 | been preserved inside the ICMP. */ | 173 | been preserved inside the ICMP. */ |
172 | if (!ip_ct_invert_tuple(&innertuple, &origtuple, innerproto)) { | 174 | if (!ip_ct_invert_tuple(&innertuple, &origtuple, innerproto)) { |
173 | DEBUGP("icmp_error_track: Can't invert tuple\n"); | 175 | DEBUGP("icmp_error_track: Can't invert tuple\n"); |
176 | ip_conntrack_proto_put(innerproto); | ||
174 | return NF_ACCEPT; | 177 | return NF_ACCEPT; |
175 | } | 178 | } |
179 | ip_conntrack_proto_put(innerproto); | ||
176 | 180 | ||
177 | *ctinfo = IP_CT_RELATED; | 181 | *ctinfo = IP_CT_RELATED; |
178 | 182 | ||
@@ -266,6 +270,47 @@ checksum_skipped: | |||
266 | return icmp_error_message(skb, ctinfo, hooknum); | 270 | return icmp_error_message(skb, ctinfo, hooknum); |
267 | } | 271 | } |
268 | 272 | ||
273 | #if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \ | ||
274 | defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE) | ||
275 | static int icmp_tuple_to_nfattr(struct sk_buff *skb, | ||
276 | const struct ip_conntrack_tuple *t) | ||
277 | { | ||
278 | NFA_PUT(skb, CTA_PROTO_ICMP_ID, sizeof(u_int16_t), | ||
279 | &t->src.u.icmp.id); | ||
280 | NFA_PUT(skb, CTA_PROTO_ICMP_TYPE, sizeof(u_int8_t), | ||
281 | &t->dst.u.icmp.type); | ||
282 | NFA_PUT(skb, CTA_PROTO_ICMP_CODE, sizeof(u_int8_t), | ||
283 | &t->dst.u.icmp.code); | ||
284 | |||
285 | if (t->dst.u.icmp.type >= sizeof(valid_new) | ||
286 | || !valid_new[t->dst.u.icmp.type]) | ||
287 | return -EINVAL; | ||
288 | |||
289 | return 0; | ||
290 | |||
291 | nfattr_failure: | ||
292 | return -1; | ||
293 | } | ||
294 | |||
295 | static int icmp_nfattr_to_tuple(struct nfattr *tb[], | ||
296 | struct ip_conntrack_tuple *tuple) | ||
297 | { | ||
298 | if (!tb[CTA_PROTO_ICMP_TYPE-1] | ||
299 | || !tb[CTA_PROTO_ICMP_CODE-1] | ||
300 | || !tb[CTA_PROTO_ICMP_ID-1]) | ||
301 | return -1; | ||
302 | |||
303 | tuple->dst.u.icmp.type = | ||
304 | *(u_int8_t *)NFA_DATA(tb[CTA_PROTO_ICMP_TYPE-1]); | ||
305 | tuple->dst.u.icmp.code = | ||
306 | *(u_int8_t *)NFA_DATA(tb[CTA_PROTO_ICMP_CODE-1]); | ||
307 | tuple->src.u.icmp.id = | ||
308 | *(u_int8_t *)NFA_DATA(tb[CTA_PROTO_ICMP_ID-1]); | ||
309 | |||
310 | return 0; | ||
311 | } | ||
312 | #endif | ||
313 | |||
269 | struct ip_conntrack_protocol ip_conntrack_protocol_icmp = | 314 | struct ip_conntrack_protocol ip_conntrack_protocol_icmp = |
270 | { | 315 | { |
271 | .proto = IPPROTO_ICMP, | 316 | .proto = IPPROTO_ICMP, |
@@ -277,4 +322,9 @@ struct ip_conntrack_protocol ip_conntrack_protocol_icmp = | |||
277 | .packet = icmp_packet, | 322 | .packet = icmp_packet, |
278 | .new = icmp_new, | 323 | .new = icmp_new, |
279 | .error = icmp_error, | 324 | .error = icmp_error, |
325 | #if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \ | ||
326 | defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE) | ||
327 | .tuple_to_nfattr = icmp_tuple_to_nfattr, | ||
328 | .nfattr_to_tuple = icmp_nfattr_to_tuple, | ||
329 | #endif | ||
280 | }; | 330 | }; |
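Review bot: In icmp_nfattr_to_tuple the ICMP id is read through a `u_int8_t` cast (new lines 307-308) although `src.u.icmp.id` is emitted by icmp_tuple_to_nfattr with `sizeof(u_int16_t)` (new line 278), so only the first payload byte is taken and zero-extended and the parsed id never matches what the kernel stores; the line should be `*(u_int16_t *)NFA_DATA(tb[CTA_PROTO_ICMP_ID-1]);`. None of the three reads checks the attribute payload length; unless nfattr_parse enforces per-attribute minimum sizes (not visible here), a short attribute from userspace would be decoded from padding, so a `NFA_PAYLOAD(...) < sizeof(...)` guard returning -1 is worth adding. Also, icmp_tuple_to_nfattr rejects an invalid type only after the three attributes have already been appended (new lines 285-287); whether the caller trims the partial message is not visible here.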
diff --git a/net/ipv4/netfilter/ip_conntrack_proto_sctp.c b/net/ipv4/netfilter/ip_conntrack_proto_sctp.c index 3d5f878a07d1..a875f35e576d 100644 --- a/net/ipv4/netfilter/ip_conntrack_proto_sctp.c +++ b/net/ipv4/netfilter/ip_conntrack_proto_sctp.c | |||
@@ -505,7 +505,12 @@ static struct ip_conntrack_protocol ip_conntrack_protocol_sctp = { | |||
505 | .packet = sctp_packet, | 505 | .packet = sctp_packet, |
506 | .new = sctp_new, | 506 | .new = sctp_new, |
507 | .destroy = NULL, | 507 | .destroy = NULL, |
508 | .me = THIS_MODULE | 508 | .me = THIS_MODULE, |
509 | #if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \ | ||
510 | defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE) | ||
511 | .tuple_to_nfattr = ip_ct_port_tuple_to_nfattr, | ||
512 | .nfattr_to_tuple = ip_ct_port_nfattr_to_tuple, | ||
513 | #endif | ||
509 | }; | 514 | }; |
510 | 515 | ||
511 | #ifdef CONFIG_SYSCTL | 516 | #ifdef CONFIG_SYSCTL |
diff --git a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c index a569ad1ee4d9..c2bce22d4031 100644 --- a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c +++ b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c | |||
@@ -336,6 +336,23 @@ static int tcp_print_conntrack(struct seq_file *s, | |||
336 | return seq_printf(s, "%s ", tcp_conntrack_names[state]); | 336 | return seq_printf(s, "%s ", tcp_conntrack_names[state]); |
337 | } | 337 | } |
338 | 338 | ||
339 | #if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \ | ||
340 | defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE) | ||
341 | static int tcp_to_nfattr(struct sk_buff *skb, struct nfattr *nfa, | ||
342 | const struct ip_conntrack *ct) | ||
343 | { | ||
344 | read_lock_bh(&tcp_lock); | ||
345 | NFA_PUT(skb, CTA_PROTOINFO_TCP_STATE, sizeof(u_int8_t), | ||
346 | &ct->proto.tcp.state); | ||
347 | read_unlock_bh(&tcp_lock); | ||
348 | |||
349 | return 0; | ||
350 | |||
351 | nfattr_failure: | ||
352 | return -1; | ||
353 | } | ||
354 | #endif | ||
355 | |||
339 | static unsigned int get_conntrack_index(const struct tcphdr *tcph) | 356 | static unsigned int get_conntrack_index(const struct tcphdr *tcph) |
340 | { | 357 | { |
341 | if (tcph->rst) return TCP_RST_SET; | 358 | if (tcph->rst) return TCP_RST_SET; |
@@ -1100,4 +1117,10 @@ struct ip_conntrack_protocol ip_conntrack_protocol_tcp = | |||
1100 | .packet = tcp_packet, | 1117 | .packet = tcp_packet, |
1101 | .new = tcp_new, | 1118 | .new = tcp_new, |
1102 | .error = tcp_error, | 1119 | .error = tcp_error, |
1120 | #if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \ | ||
1121 | defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE) | ||
1122 | .to_nfattr = tcp_to_nfattr, | ||
1123 | .tuple_to_nfattr = ip_ct_port_tuple_to_nfattr, | ||
1124 | .nfattr_to_tuple = ip_ct_port_nfattr_to_tuple, | ||
1125 | #endif | ||
1103 | }; | 1126 | }; |
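Review bot: tcp_to_nfattr takes `read_lock_bh(&tcp_lock)` and then calls NFA_PUT while holding it (new lines 344-347); NFA_PUT jumps to `nfattr_failure` when the skb has no room (the label at new line 351 exists for that), and that path returns with tcp_lock still held and bottom halves still disabled. Either copy the state out first, `u_int8_t state; read_lock_bh(&tcp_lock); state = ct->proto.tcp.state; read_unlock_bh(&tcp_lock);` and NFA_PUT from the local, or unlock on the failure path: `nfattr_failure: read_unlock_bh(&tcp_lock); return -1;`. The first form is preferable since it keeps the lock out of the netlink fill path entirely.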
diff --git a/net/ipv4/netfilter/ip_conntrack_proto_udp.c b/net/ipv4/netfilter/ip_conntrack_proto_udp.c index 6066eaf4d825..14130169cbfd 100644 --- a/net/ipv4/netfilter/ip_conntrack_proto_udp.c +++ b/net/ipv4/netfilter/ip_conntrack_proto_udp.c | |||
@@ -145,4 +145,9 @@ struct ip_conntrack_protocol ip_conntrack_protocol_udp = | |||
145 | .packet = udp_packet, | 145 | .packet = udp_packet, |
146 | .new = udp_new, | 146 | .new = udp_new, |
147 | .error = udp_error, | 147 | .error = udp_error, |
148 | #if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \ | ||
149 | defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE) | ||
150 | .tuple_to_nfattr = ip_ct_port_tuple_to_nfattr, | ||
151 | .nfattr_to_tuple = ip_ct_port_nfattr_to_tuple, | ||
152 | #endif | ||
148 | }; | 153 | }; |
diff --git a/net/ipv4/netfilter/ip_conntrack_standalone.c b/net/ipv4/netfilter/ip_conntrack_standalone.c index f0880004115d..ca97c3ac2f2a 100644 --- a/net/ipv4/netfilter/ip_conntrack_standalone.c +++ b/net/ipv4/netfilter/ip_conntrack_standalone.c | |||
@@ -5,7 +5,7 @@ | |||
5 | */ | 5 | */ |
6 | 6 | ||
7 | /* (C) 1999-2001 Paul `Rusty' Russell | 7 | /* (C) 1999-2001 Paul `Rusty' Russell |
8 | * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org> | 8 | * (C) 2002-2005 Netfilter Core Team <coreteam@netfilter.org> |
9 | * | 9 | * |
10 | * This program is free software; you can redistribute it and/or modify | 10 | * This program is free software; you can redistribute it and/or modify |
11 | * it under the terms of the GNU General Public License version 2 as | 11 | * it under the terms of the GNU General Public License version 2 as |
@@ -147,8 +147,7 @@ static int ct_seq_show(struct seq_file *s, void *v) | |||
147 | if (DIRECTION(hash)) | 147 | if (DIRECTION(hash)) |
148 | return 0; | 148 | return 0; |
149 | 149 | ||
150 | proto = ip_ct_find_proto(conntrack->tuplehash[IP_CT_DIR_ORIGINAL] | 150 | proto = __ip_conntrack_proto_find(conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum); |
151 | .tuple.dst.protonum); | ||
152 | IP_NF_ASSERT(proto); | 151 | IP_NF_ASSERT(proto); |
153 | 152 | ||
154 | if (seq_printf(s, "%-8s %u %ld ", | 153 | if (seq_printf(s, "%-8s %u %ld ", |
@@ -283,7 +282,7 @@ static int exp_seq_show(struct seq_file *s, void *v) | |||
283 | seq_printf(s, "proto=%u ", expect->tuple.dst.protonum); | 282 | seq_printf(s, "proto=%u ", expect->tuple.dst.protonum); |
284 | 283 | ||
285 | print_tuple(s, &expect->tuple, | 284 | print_tuple(s, &expect->tuple, |
286 | ip_ct_find_proto(expect->tuple.dst.protonum)); | 285 | __ip_conntrack_proto_find(expect->tuple.dst.protonum)); |
287 | return seq_putc(s, '\n'); | 286 | return seq_putc(s, '\n'); |
288 | } | 287 | } |
289 | 288 | ||
@@ -992,12 +991,16 @@ EXPORT_SYMBOL(ip_conntrack_helper_register); | |||
992 | EXPORT_SYMBOL(ip_conntrack_helper_unregister); | 991 | EXPORT_SYMBOL(ip_conntrack_helper_unregister); |
993 | EXPORT_SYMBOL(ip_ct_iterate_cleanup); | 992 | EXPORT_SYMBOL(ip_ct_iterate_cleanup); |
994 | EXPORT_SYMBOL(ip_ct_refresh_acct); | 993 | EXPORT_SYMBOL(ip_ct_refresh_acct); |
995 | EXPORT_SYMBOL(ip_ct_protos); | 994 | |
996 | EXPORT_SYMBOL(ip_ct_find_proto); | ||
997 | EXPORT_SYMBOL(ip_conntrack_expect_alloc); | 995 | EXPORT_SYMBOL(ip_conntrack_expect_alloc); |
998 | EXPORT_SYMBOL(ip_conntrack_expect_put); | 996 | EXPORT_SYMBOL(ip_conntrack_expect_put); |
997 | EXPORT_SYMBOL_GPL(ip_conntrack_expect_find_get); | ||
999 | EXPORT_SYMBOL(ip_conntrack_expect_related); | 998 | EXPORT_SYMBOL(ip_conntrack_expect_related); |
1000 | EXPORT_SYMBOL(ip_conntrack_unexpect_related); | 999 | EXPORT_SYMBOL(ip_conntrack_unexpect_related); |
1000 | EXPORT_SYMBOL_GPL(ip_conntrack_expect_list); | ||
1001 | EXPORT_SYMBOL_GPL(__ip_conntrack_expect_find); | ||
1002 | EXPORT_SYMBOL_GPL(__ip_ct_expect_unlink_destroy); | ||
1003 | |||
1001 | EXPORT_SYMBOL(ip_conntrack_tuple_taken); | 1004 | EXPORT_SYMBOL(ip_conntrack_tuple_taken); |
1002 | EXPORT_SYMBOL(ip_ct_gather_frags); | 1005 | EXPORT_SYMBOL(ip_ct_gather_frags); |
1003 | EXPORT_SYMBOL(ip_conntrack_htable_size); | 1006 | EXPORT_SYMBOL(ip_conntrack_htable_size); |
@@ -1005,7 +1008,28 @@ EXPORT_SYMBOL(ip_conntrack_lock); | |||
1005 | EXPORT_SYMBOL(ip_conntrack_hash); | 1008 | EXPORT_SYMBOL(ip_conntrack_hash); |
1006 | EXPORT_SYMBOL(ip_conntrack_untracked); | 1009 | EXPORT_SYMBOL(ip_conntrack_untracked); |
1007 | EXPORT_SYMBOL_GPL(ip_conntrack_find_get); | 1010 | EXPORT_SYMBOL_GPL(ip_conntrack_find_get); |
1008 | EXPORT_SYMBOL_GPL(ip_conntrack_put); | ||
1009 | #ifdef CONFIG_IP_NF_NAT_NEEDED | 1011 | #ifdef CONFIG_IP_NF_NAT_NEEDED |
1010 | EXPORT_SYMBOL(ip_conntrack_tcp_update); | 1012 | EXPORT_SYMBOL(ip_conntrack_tcp_update); |
1011 | #endif | 1013 | #endif |
1014 | |||
1015 | EXPORT_SYMBOL_GPL(ip_conntrack_flush); | ||
1016 | EXPORT_SYMBOL_GPL(__ip_conntrack_find); | ||
1017 | |||
1018 | EXPORT_SYMBOL_GPL(ip_conntrack_alloc); | ||
1019 | EXPORT_SYMBOL_GPL(ip_conntrack_free); | ||
1020 | EXPORT_SYMBOL_GPL(ip_conntrack_hash_insert); | ||
1021 | |||
1022 | EXPORT_SYMBOL_GPL(ip_ct_remove_expectations); | ||
1023 | |||
1024 | EXPORT_SYMBOL_GPL(ip_conntrack_helper_find_get); | ||
1025 | EXPORT_SYMBOL_GPL(ip_conntrack_helper_put); | ||
1026 | EXPORT_SYMBOL_GPL(__ip_conntrack_helper_find_byname); | ||
1027 | |||
1028 | EXPORT_SYMBOL_GPL(ip_conntrack_proto_find_get); | ||
1029 | EXPORT_SYMBOL_GPL(ip_conntrack_proto_put); | ||
1030 | EXPORT_SYMBOL_GPL(__ip_conntrack_proto_find); | ||
1031 | #if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \ | ||
1032 | defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE) | ||
1033 | EXPORT_SYMBOL_GPL(ip_ct_port_tuple_to_nfattr); | ||
1034 | EXPORT_SYMBOL_GPL(ip_ct_port_nfattr_to_tuple); | ||
1035 | #endif | ||
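Review bot: The new `EXPORT_SYMBOL_GPL` lines (new lines 997, 1001-1002, 1016, 1020, 1026, 1030) hand out double-underscore helpers such as `__ip_conntrack_find`, `__ip_conntrack_expect_find` and `__ip_conntrack_proto_find` whose locking contract is not recorded anywhere in this hunk; judging by the `__` prefix and the write_lock_bh taken around `__ip_conntrack_expect_find` in the ctnetlink code on this page, callers are expected to hold ip_conntrack_lock, and the non-`__` `_find_get` variants take a reference for them. A comment above that group, `/* lockless internals: callers must hold ip_conntrack_lock (or RCU/preempt-off for the proto table) */`, would keep future out-of-tree users from calling them unlocked. The reformatted call in ct_seq_show (new line 150) also exceeds the 80-column kernel limit that the removed two-line form respected.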
diff --git a/net/ipv4/netfilter/ip_nat_core.c b/net/ipv4/netfilter/ip_nat_core.c index ed4d731880f7..567c802fecf0 100644 --- a/net/ipv4/netfilter/ip_nat_core.c +++ b/net/ipv4/netfilter/ip_nat_core.c | |||
@@ -47,8 +47,39 @@ DEFINE_RWLOCK(ip_nat_lock); | |||
47 | static unsigned int ip_nat_htable_size; | 47 | static unsigned int ip_nat_htable_size; |
48 | 48 | ||
49 | static struct list_head *bysource; | 49 | static struct list_head *bysource; |
50 | |||
51 | #define MAX_IP_NAT_PROTO 256 | ||
50 | struct ip_nat_protocol *ip_nat_protos[MAX_IP_NAT_PROTO]; | 52 | struct ip_nat_protocol *ip_nat_protos[MAX_IP_NAT_PROTO]; |
51 | 53 | ||
54 | static inline struct ip_nat_protocol * | ||
55 | __ip_nat_proto_find(u_int8_t protonum) | ||
56 | { | ||
57 | return ip_nat_protos[protonum]; | ||
58 | } | ||
59 | |||
60 | struct ip_nat_protocol * | ||
61 | ip_nat_proto_find_get(u_int8_t protonum) | ||
62 | { | ||
63 | struct ip_nat_protocol *p; | ||
64 | |||
65 | /* we need to disable preemption to make sure 'p' doesn't get | ||
66 | * removed until we've grabbed the reference */ | ||
67 | preempt_disable(); | ||
68 | p = __ip_nat_proto_find(protonum); | ||
69 | if (p) { | ||
70 | if (!try_module_get(p->me)) | ||
71 | p = &ip_nat_unknown_protocol; | ||
72 | } | ||
73 | preempt_enable(); | ||
74 | |||
75 | return p; | ||
76 | } | ||
77 | |||
78 | void | ||
79 | ip_nat_proto_put(struct ip_nat_protocol *p) | ||
80 | { | ||
81 | module_put(p->me); | ||
82 | } | ||
52 | 83 | ||
53 | /* We keep an extra hash for each conntrack, for fast searching. */ | 84 | /* We keep an extra hash for each conntrack, for fast searching. */ |
54 | static inline unsigned int | 85 | static inline unsigned int |
@@ -103,7 +134,8 @@ static int | |||
103 | in_range(const struct ip_conntrack_tuple *tuple, | 134 | in_range(const struct ip_conntrack_tuple *tuple, |
104 | const struct ip_nat_range *range) | 135 | const struct ip_nat_range *range) |
105 | { | 136 | { |
106 | struct ip_nat_protocol *proto = ip_nat_find_proto(tuple->dst.protonum); | 137 | struct ip_nat_protocol *proto = |
138 | __ip_nat_proto_find(tuple->dst.protonum); | ||
107 | 139 | ||
108 | /* If we are supposed to map IPs, then we must be in the | 140 | /* If we are supposed to map IPs, then we must be in the |
109 | range specified, otherwise let this drag us onto a new src IP. */ | 141 | range specified, otherwise let this drag us onto a new src IP. */ |
@@ -216,8 +248,7 @@ get_unique_tuple(struct ip_conntrack_tuple *tuple, | |||
216 | struct ip_conntrack *conntrack, | 248 | struct ip_conntrack *conntrack, |
217 | enum ip_nat_manip_type maniptype) | 249 | enum ip_nat_manip_type maniptype) |
218 | { | 250 | { |
219 | struct ip_nat_protocol *proto | 251 | struct ip_nat_protocol *proto; |
220 | = ip_nat_find_proto(orig_tuple->dst.protonum); | ||
221 | 252 | ||
222 | /* 1) If this srcip/proto/src-proto-part is currently mapped, | 253 | /* 1) If this srcip/proto/src-proto-part is currently mapped, |
223 | and that same mapping gives a unique tuple within the given | 254 | and that same mapping gives a unique tuple within the given |
@@ -242,14 +273,20 @@ get_unique_tuple(struct ip_conntrack_tuple *tuple, | |||
242 | /* 3) The per-protocol part of the manip is made to map into | 273 | /* 3) The per-protocol part of the manip is made to map into |
243 | the range to make a unique tuple. */ | 274 | the range to make a unique tuple. */ |
244 | 275 | ||
276 | proto = ip_nat_proto_find_get(orig_tuple->dst.protonum); | ||
277 | |||
245 | /* Only bother mapping if it's not already in range and unique */ | 278 | /* Only bother mapping if it's not already in range and unique */ |
246 | if ((!(range->flags & IP_NAT_RANGE_PROTO_SPECIFIED) | 279 | if ((!(range->flags & IP_NAT_RANGE_PROTO_SPECIFIED) |
247 | || proto->in_range(tuple, maniptype, &range->min, &range->max)) | 280 | || proto->in_range(tuple, maniptype, &range->min, &range->max)) |
248 | && !ip_nat_used_tuple(tuple, conntrack)) | 281 | && !ip_nat_used_tuple(tuple, conntrack)) { |
282 | ip_nat_proto_put(proto); | ||
249 | return; | 283 | return; |
284 | } | ||
250 | 285 | ||
251 | /* Last change: get protocol to try to obtain unique tuple. */ | 286 | /* Last change: get protocol to try to obtain unique tuple. */ |
252 | proto->unique_tuple(tuple, range, maniptype, conntrack); | 287 | proto->unique_tuple(tuple, range, maniptype, conntrack); |
288 | |||
289 | ip_nat_proto_put(proto); | ||
253 | } | 290 | } |
254 | 291 | ||
255 | unsigned int | 292 | unsigned int |
@@ -320,6 +357,7 @@ manip_pkt(u_int16_t proto, | |||
320 | enum ip_nat_manip_type maniptype) | 357 | enum ip_nat_manip_type maniptype) |
321 | { | 358 | { |
322 | struct iphdr *iph; | 359 | struct iphdr *iph; |
360 | struct ip_nat_protocol *p; | ||
323 | 361 | ||
324 | if (!skb_ip_make_writable(pskb, iphdroff + sizeof(*iph))) | 362 | if (!skb_ip_make_writable(pskb, iphdroff + sizeof(*iph))) |
325 | return 0; | 363 | return 0; |
@@ -327,9 +365,12 @@ manip_pkt(u_int16_t proto, | |||
327 | iph = (void *)(*pskb)->data + iphdroff; | 365 | iph = (void *)(*pskb)->data + iphdroff; |
328 | 366 | ||
329 | /* Manipulate protcol part. */ | 367 | /* Manipulate protcol part. */ |
330 | if (!ip_nat_find_proto(proto)->manip_pkt(pskb, iphdroff, | 368 | p = ip_nat_proto_find_get(proto); |
331 | target, maniptype)) | 369 | if (!p->manip_pkt(pskb, iphdroff, target, maniptype)) { |
370 | ip_nat_proto_put(p); | ||
332 | return 0; | 371 | return 0; |
372 | } | ||
373 | ip_nat_proto_put(p); | ||
333 | 374 | ||
334 | iph = (void *)(*pskb)->data + iphdroff; | 375 | iph = (void *)(*pskb)->data + iphdroff; |
335 | 376 | ||
@@ -425,7 +466,8 @@ int icmp_reply_translation(struct sk_buff **pskb, | |||
425 | 466 | ||
426 | if (!ip_ct_get_tuple(&inside->ip, *pskb, (*pskb)->nh.iph->ihl*4 + | 467 | if (!ip_ct_get_tuple(&inside->ip, *pskb, (*pskb)->nh.iph->ihl*4 + |
427 | sizeof(struct icmphdr) + inside->ip.ihl*4, | 468 | sizeof(struct icmphdr) + inside->ip.ihl*4, |
428 | &inner, ip_ct_find_proto(inside->ip.protocol))) | 469 | &inner, |
470 | __ip_conntrack_proto_find(inside->ip.protocol))) | ||
429 | return 0; | 471 | return 0; |
430 | 472 | ||
431 | /* Change inner back to look like incoming packet. We do the | 473 | /* Change inner back to look like incoming packet. We do the |
@@ -495,6 +537,49 @@ void ip_nat_protocol_unregister(struct ip_nat_protocol *proto) | |||
495 | synchronize_net(); | 537 | synchronize_net(); |
496 | } | 538 | } |
497 | 539 | ||
540 | #if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \ | ||
541 | defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE) | ||
542 | int | ||
543 | ip_nat_port_range_to_nfattr(struct sk_buff *skb, | ||
544 | const struct ip_nat_range *range) | ||
545 | { | ||
546 | NFA_PUT(skb, CTA_PROTONAT_PORT_MIN, sizeof(u_int16_t), | ||
547 | &range->min.tcp.port); | ||
548 | NFA_PUT(skb, CTA_PROTONAT_PORT_MAX, sizeof(u_int16_t), | ||
549 | &range->max.tcp.port); | ||
550 | |||
551 | return 0; | ||
552 | |||
553 | nfattr_failure: | ||
554 | return -1; | ||
555 | } | ||
556 | |||
557 | int | ||
558 | ip_nat_port_nfattr_to_range(struct nfattr *tb[], struct ip_nat_range *range) | ||
559 | { | ||
560 | int ret = 0; | ||
561 | |||
562 | /* we have to return whether we actually parsed something or not */ | ||
563 | |||
564 | if (tb[CTA_PROTONAT_PORT_MIN-1]) { | ||
565 | ret = 1; | ||
566 | range->min.tcp.port = | ||
567 | *(u_int16_t *)NFA_DATA(tb[CTA_PROTONAT_PORT_MIN-1]); | ||
568 | } | ||
569 | |||
570 | if (!tb[CTA_PROTONAT_PORT_MAX-1]) { | ||
571 | if (ret) | ||
572 | range->max.tcp.port = range->min.tcp.port; | ||
573 | } else { | ||
574 | ret = 1; | ||
575 | range->max.tcp.port = | ||
576 | *(u_int16_t *)NFA_DATA(tb[CTA_PROTONAT_PORT_MAX-1]); | ||
577 | } | ||
578 | |||
579 | return ret; | ||
580 | } | ||
581 | #endif | ||
582 | |||
498 | int __init ip_nat_init(void) | 583 | int __init ip_nat_init(void) |
499 | { | 584 | { |
500 | size_t i; | 585 | size_t i; |
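Review bot: ip_nat_port_nfattr_to_range dereferences `NFA_DATA()` as `u_int16_t` (new lines 566-567 and 575-576) without checking that the attribute actually carries two bytes; unless nfattr_parse validates per-attribute minimum lengths (not visible here), a truncated attribute is decoded from alignment padding. A guard such as `if (NFA_PAYLOAD(tb[CTA_PROTONAT_PORT_MIN-1]) < sizeof(u_int16_t)) return -EINVAL;` before each read would close that, noting that the function's documented contract is 0/1 "parsed something", so callers would need to treat negative values as failure. The MIN-absent/MAX-present case is also asymmetric: it reports `ret = 1` while `range->min` is left whatever the caller initialised it to, whereas MIN-only is mirrored into max; mirroring both ways, or rejecting MAX without MIN, would make the range well defined.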
diff --git a/net/ipv4/netfilter/ip_nat_proto_icmp.c b/net/ipv4/netfilter/ip_nat_proto_icmp.c index 6596c9ee1655..38fdfc2093c4 100644 --- a/net/ipv4/netfilter/ip_nat_proto_icmp.c +++ b/net/ipv4/netfilter/ip_nat_proto_icmp.c | |||
@@ -107,10 +107,15 @@ icmp_print_range(char *buffer, const struct ip_nat_range *range) | |||
107 | } | 107 | } |
108 | 108 | ||
109 | struct ip_nat_protocol ip_nat_protocol_icmp | 109 | struct ip_nat_protocol ip_nat_protocol_icmp |
110 | = { "ICMP", IPPROTO_ICMP, | 110 | = { "ICMP", IPPROTO_ICMP, THIS_MODULE, |
111 | icmp_manip_pkt, | 111 | icmp_manip_pkt, |
112 | icmp_in_range, | 112 | icmp_in_range, |
113 | icmp_unique_tuple, | 113 | icmp_unique_tuple, |
114 | icmp_print, | 114 | icmp_print, |
115 | icmp_print_range | 115 | icmp_print_range, |
116 | #if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \ | ||
117 | defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE) | ||
118 | ip_nat_port_range_to_nfattr, | ||
119 | ip_nat_port_nfattr_to_range, | ||
120 | #endif | ||
116 | }; | 121 | }; |
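Review bot: ip_nat_protocol_icmp is wired to `ip_nat_port_range_to_nfattr` / `ip_nat_port_nfattr_to_range` (new lines 118-119), which read and write `range->min.tcp.port` / `range->max.tcp.port`; for ICMP the range presumably holds an id in the `icmp` member of the same union, so this only works because the members alias at the same offset, and it exports the id under the CTA_PROTONAT_PORT_MIN/MAX attribute names. If that aliasing is intended, a one-line comment on these two entries, `/* ICMP ids overlay the port slot of the union; the port helpers serialise them unchanged */`, would document the dependency; otherwise ICMP-specific helpers would be cleaner.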
diff --git a/net/ipv4/netfilter/ip_nat_proto_tcp.c b/net/ipv4/netfilter/ip_nat_proto_tcp.c index a98e36d2b3c6..f03cd0f0c2bf 100644 --- a/net/ipv4/netfilter/ip_nat_proto_tcp.c +++ b/net/ipv4/netfilter/ip_nat_proto_tcp.c | |||
@@ -12,6 +12,7 @@ | |||
12 | #include <linux/ip.h> | 12 | #include <linux/ip.h> |
13 | #include <linux/tcp.h> | 13 | #include <linux/tcp.h> |
14 | #include <linux/if.h> | 14 | #include <linux/if.h> |
15 | #include <linux/netfilter/nfnetlink_conntrack.h> | ||
15 | #include <linux/netfilter_ipv4/ip_nat.h> | 16 | #include <linux/netfilter_ipv4/ip_nat.h> |
16 | #include <linux/netfilter_ipv4/ip_nat_rule.h> | 17 | #include <linux/netfilter_ipv4/ip_nat_rule.h> |
17 | #include <linux/netfilter_ipv4/ip_nat_protocol.h> | 18 | #include <linux/netfilter_ipv4/ip_nat_protocol.h> |
@@ -170,10 +171,15 @@ tcp_print_range(char *buffer, const struct ip_nat_range *range) | |||
170 | } | 171 | } |
171 | 172 | ||
172 | struct ip_nat_protocol ip_nat_protocol_tcp | 173 | struct ip_nat_protocol ip_nat_protocol_tcp |
173 | = { "TCP", IPPROTO_TCP, | 174 | = { "TCP", IPPROTO_TCP, THIS_MODULE, |
174 | tcp_manip_pkt, | 175 | tcp_manip_pkt, |
175 | tcp_in_range, | 176 | tcp_in_range, |
176 | tcp_unique_tuple, | 177 | tcp_unique_tuple, |
177 | tcp_print, | 178 | tcp_print, |
178 | tcp_print_range | 179 | tcp_print_range, |
180 | #if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \ | ||
181 | defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE) | ||
182 | ip_nat_port_range_to_nfattr, | ||
183 | ip_nat_port_nfattr_to_range, | ||
184 | #endif | ||
179 | }; | 185 | }; |
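Review bot: ip_nat_protocol_tcp is still a positional initializer (new lines 174-185), and the two netlink callbacks are now appended under `#if`, which only works as long as they remain the last two members of struct ip_nat_protocol in exactly this order; any field inserted before them in the header would silently shift every later callback. Designated initializers, `.name = "TCP", .protonum = IPPROTO_TCP, .me = THIS_MODULE,` and so on with the field names from ip_nat_protocol.h, would make the conditional members position-independent and match the style the conntrack side already uses (`.tuple_to_nfattr = ...`).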
diff --git a/net/ipv4/netfilter/ip_nat_proto_udp.c b/net/ipv4/netfilter/ip_nat_proto_udp.c index 9f66e5625664..7a4e66ecbc0a 100644 --- a/net/ipv4/netfilter/ip_nat_proto_udp.c +++ b/net/ipv4/netfilter/ip_nat_proto_udp.c | |||
@@ -157,10 +157,15 @@ udp_print_range(char *buffer, const struct ip_nat_range *range) | |||
157 | } | 157 | } |
158 | 158 | ||
159 | struct ip_nat_protocol ip_nat_protocol_udp | 159 | struct ip_nat_protocol ip_nat_protocol_udp |
160 | = { "UDP", IPPROTO_UDP, | 160 | = { "UDP", IPPROTO_UDP, THIS_MODULE, |
161 | udp_manip_pkt, | 161 | udp_manip_pkt, |
162 | udp_in_range, | 162 | udp_in_range, |
163 | udp_unique_tuple, | 163 | udp_unique_tuple, |
164 | udp_print, | 164 | udp_print, |
165 | udp_print_range | 165 | udp_print_range, |
166 | #if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \ | ||
167 | defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE) | ||
168 | ip_nat_port_range_to_nfattr, | ||
169 | ip_nat_port_nfattr_to_range, | ||
170 | #endif | ||
166 | }; | 171 | }; |
diff --git a/net/ipv4/netfilter/ip_nat_proto_unknown.c b/net/ipv4/netfilter/ip_nat_proto_unknown.c index f5525bd58d16..512d8f2fb824 100644 --- a/net/ipv4/netfilter/ip_nat_proto_unknown.c +++ b/net/ipv4/netfilter/ip_nat_proto_unknown.c | |||
@@ -61,7 +61,7 @@ unknown_print_range(char *buffer, const struct ip_nat_range *range) | |||
61 | } | 61 | } |
62 | 62 | ||
63 | struct ip_nat_protocol ip_nat_unknown_protocol = { | 63 | struct ip_nat_protocol ip_nat_unknown_protocol = { |
64 | "unknown", 0, | 64 | "unknown", 0, THIS_MODULE, |
65 | unknown_manip_pkt, | 65 | unknown_manip_pkt, |
66 | unknown_in_range, | 66 | unknown_in_range, |
67 | unknown_unique_tuple, | 67 | unknown_unique_tuple, |
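Review bot: Setting `THIS_MODULE` on ip_nat_unknown_protocol (new line 64) unbalances the reference counting in the new ip_nat_proto_find_get on this page: that function falls back to `&ip_nat_unknown_protocol` exactly when `try_module_get(p->me)` has failed, so no reference is held, yet ip_nat_proto_put unconditionally calls `module_put(p->me)` on it. Leaving the owner unset, `"unknown", 0, NULL,`, fixes this because `try_module_get(NULL)` always succeeds and `module_put(NULL)` is a no-op; a comment such as `/* .me deliberately unset: taking a reference on the fallback protocol cannot fail */` would explain the asymmetry with the other protocols.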
diff --git a/net/ipv4/netfilter/ip_nat_standalone.c b/net/ipv4/netfilter/ip_nat_standalone.c index 9ecba979033a..89db052add81 100644 --- a/net/ipv4/netfilter/ip_nat_standalone.c +++ b/net/ipv4/netfilter/ip_nat_standalone.c | |||
@@ -394,6 +394,8 @@ module_exit(fini); | |||
394 | EXPORT_SYMBOL(ip_nat_setup_info); | 394 | EXPORT_SYMBOL(ip_nat_setup_info); |
395 | EXPORT_SYMBOL(ip_nat_protocol_register); | 395 | EXPORT_SYMBOL(ip_nat_protocol_register); |
396 | EXPORT_SYMBOL(ip_nat_protocol_unregister); | 396 | EXPORT_SYMBOL(ip_nat_protocol_unregister); |
397 | EXPORT_SYMBOL_GPL(ip_nat_proto_find_get); | ||
398 | EXPORT_SYMBOL_GPL(ip_nat_proto_put); | ||
397 | EXPORT_SYMBOL(ip_nat_cheat_check); | 399 | EXPORT_SYMBOL(ip_nat_cheat_check); |
398 | EXPORT_SYMBOL(ip_nat_mangle_tcp_packet); | 400 | EXPORT_SYMBOL(ip_nat_mangle_tcp_packet); |
399 | EXPORT_SYMBOL(ip_nat_mangle_udp_packet); | 401 | EXPORT_SYMBOL(ip_nat_mangle_udp_packet); |
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c index 710acd77cc4c..b0ed57981847 100644 --- a/net/netfilter/nfnetlink.c +++ b/net/netfilter/nfnetlink.c | |||
@@ -121,6 +121,7 @@ void __nfa_fill(struct sk_buff *skb, int attrtype, int attrlen, | |||
121 | nfa->nfa_type = attrtype; | 121 | nfa->nfa_type = attrtype; |
122 | nfa->nfa_len = size; | 122 | nfa->nfa_len = size; |
123 | memcpy(NFA_DATA(nfa), data, attrlen); | 123 | memcpy(NFA_DATA(nfa), data, attrlen); |
124 | memset(NFA_DATA(nfa) + attrlen, 0, NFA_ALIGN(size) - size); | ||
124 | } | 125 | } |
125 | 126 | ||
126 | int nfattr_parse(struct nfattr *tb[], int maxattr, struct nfattr *nfa, int len) | 127 | int nfattr_parse(struct nfattr *tb[], int maxattr, struct nfattr *nfa, int len) |
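Review bot: The added `memset` (new line 124) is a security-relevant change with no comment saying why: it zeroes the alignment padding between `attrlen` and `NFA_ALIGN(size)`, which otherwise carries whatever the skb allocator left there and is copied to userspace with the message. A one-line comment, `/* clear alignment padding so uninitialised skb bytes are not leaked to userspace */`, would keep someone from "optimising" it away later. This relies on the caller having reserved `NFA_ALIGN(size)` bytes of tailroom rather than `size`; __nfa_fill begins outside the hunk, so that reservation is not visible here.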