3 files changed, 361 insertions, 0 deletions
diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
index d5597b759ba3..77326acd1f57 100644
--- a/net/netfilter/Kconfig
+++ b/net/netfilter/Kconfig
@@ -4,6 +4,14 @@ menu "Core Netfilter Configuration"
 config NETFILTER_NETLINK
        tristate
+config NETFILTER_NETLINK_ACCT
+tristate "Netfilter NFACCT over NFNETLINK interface"
+        depends on NETFILTER_ADVANCED
+        select NETFILTER_NETLINK
+        help
+          If this option is enabled, the kernel will include support
+          for extended accounting via NFNETLINK.
 config NETFILTER_NETLINK_QUEUE
        tristate "Netfilter NFQUEUE over NFNETLINK interface"
        depends on NETFILTER_ADVANCED
diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile
index 1a02853df863..4da1c879644f 100644
--- a/net/netfilter/Makefile
+++ b/net/netfilter/Makefile
@@ -7,6 +7,7 @@ nf_conntrack-$(CONFIG_NF_CONNTRACK_EVENTS) += nf_conntrack_ecache.o
 obj-$(CONFIG_NETFILTER) = netfilter.o
 obj-$(CONFIG_NETFILTER_NETLINK) += nfnetlink.o
+obj-$(CONFIG_NETFILTER_NETLINK_ACCT) += nfnetlink_acct.o
 obj-$(CONFIG_NETFILTER_NETLINK_QUEUE) += nfnetlink_queue.o
 obj-$(CONFIG_NETFILTER_NETLINK_LOG) += nfnetlink_log.o
diff --git a/net/netfilter/nfnetlink_acct.c b/net/netfilter/nfnetlink_acct.c
new file mode 100644
index 000000000000..362ab6ca3dc1
--- /dev/null
+++ b/net/netfilter/nfnetlink_acct.c
@@ -0,0 +1,352 @@
+/*
+ * (C) 2011 Pablo Neira Ayuso <pablo@netfilter.org>
+ * (C) 2011 Intra2net AG <http://www.intra2net.com>
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation (or any later at your option).
+ */
+#include <linux/init.h>
+#include <linux/module.h>
+#include <linux/kernel.h>
+#include <linux/skbuff.h>
+#include <linux/netlink.h>
+#include <linux/rculist.h>
+#include <linux/slab.h>
+#include <linux/types.h>
+#include <linux/errno.h>
+#include <net/netlink.h>
+#include <net/sock.h>
+#include <asm/atomic.h>
+#include <linux/netfilter.h>
+#include <linux/netfilter/nfnetlink.h>
+#include <linux/netfilter/nfnetlink_acct.h>
+MODULE_LICENSE("GPL");
+MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
+MODULE_DESCRIPTION("nfacct: Extended Netfilter accounting infrastructure");
+static LIST_HEAD(nfnl_acct_list);
+struct nf_acct {
+        atomic64_t              pkts;
+        atomic64_t              bytes;
+        struct list_head        head;
+        atomic_t                refcnt;
+        char                    name[NFACCT_NAME_MAX];
+        struct rcu_head         rcu_head;
+};
+static int
+nfnl_acct_new(struct sock *nfnl, struct sk_buff *skb,
+             const struct nlmsghdr *nlh, const struct nlattr * const tb[])
+{
+        struct nf_acct *nfacct, *matching = NULL;
+        char *acct_name;
+        if (!tb[NFACCT_NAME])
+                return -EINVAL;
+        acct_name = nla_data(tb[NFACCT_NAME]);
+        list_for_each_entry(nfacct, &nfnl_acct_list, head) {
+                if (strncmp(nfacct->name, acct_name, NFACCT_NAME_MAX) != 0)
+                        continue;
+                if (nlh->nlmsg_flags & NLM_F_EXCL)
+                        return -EEXIST;
+                matching = nfacct;
+                break;
+        }
+        if (matching) {
+                if (nlh->nlmsg_flags & NLM_F_REPLACE) {
+                        /* reset counters if you request a replacement. */
+                        atomic64_set(&matching->pkts, 0);
+                        atomic64_set(&matching->bytes, 0);
+                        return 0;
+                }
+                return -EBUSY;
+        }
+        nfacct = kzalloc(sizeof(struct nf_acct), GFP_KERNEL);
+        if (nfacct == NULL)
+                return -ENOMEM;
+        strncpy(nfacct->name, nla_data(tb[NFACCT_NAME]), NFACCT_NAME_MAX);
+        if (tb[NFACCT_BYTES]) {
+                atomic64_set(&nfacct->bytes,
+                             be64_to_cpu(nla_get_u64(tb[NFACCT_BYTES])));
+        }
+        if (tb[NFACCT_PKTS]) {
+                atomic64_set(&nfacct->pkts,
+                             be64_to_cpu(nla_get_u64(tb[NFACCT_PKTS])));
+        }
+        atomic_set(&nfacct->refcnt, 1);
+        list_add_tail_rcu(&nfacct->head, &nfnl_acct_list);
+        return 0;
+}
+static int
+nfnl_acct_fill_info(struct sk_buff *skb, u32 pid, u32 seq, u32 type,
+                   int event, struct nf_acct *acct)
+{
+        struct nlmsghdr *nlh;
+        struct nfgenmsg *nfmsg;
+        unsigned int flags = pid ? NLM_F_MULTI : 0;
+        u64 pkts, bytes;
+        event |= NFNL_SUBSYS_ACCT << 8;
+        nlh = nlmsg_put(skb, pid, seq, event, sizeof(*nfmsg), flags);
+        if (nlh == NULL)
+                goto nlmsg_failure;
+        nfmsg = nlmsg_data(nlh);
+        nfmsg->nfgen_family = AF_UNSPEC;
+        nfmsg->version = NFNETLINK_V0;
+        nfmsg->res_id = 0;
+        NLA_PUT_STRING(skb, NFACCT_NAME, acct->name);
+        if (type == NFNL_MSG_ACCT_GET_CTRZERO) {
+                pkts = atomic64_xchg(&acct->pkts, 0);
+                bytes = atomic64_xchg(&acct->bytes, 0);
+        } else {
+                pkts = atomic64_read(&acct->pkts);
+                bytes = atomic64_read(&acct->bytes);
+        }
+        NLA_PUT_BE64(skb, NFACCT_PKTS, cpu_to_be64(pkts));
+        NLA_PUT_BE64(skb, NFACCT_BYTES, cpu_to_be64(bytes));
+        NLA_PUT_BE32(skb, NFACCT_USE, htonl(atomic_read(&acct->refcnt)));
+        nlmsg_end(skb, nlh);
+        return skb->len;
+nlmsg_failure:
+nla_put_failure:
+        nlmsg_cancel(skb, nlh);
+        return -1;
+}
+static int
+nfnl_acct_dump(struct sk_buff *skb, struct netlink_callback *cb)
+{
+        struct nf_acct *cur, *last;
+        if (cb->args[2])
+                return 0;
+        last = (struct nf_acct *)cb->args[1];
+        if (cb->args[1])
+                cb->args[1] = 0;
+        rcu_read_lock();
+        list_for_each_entry_rcu(cur, &nfnl_acct_list, head) {
+                if (last && cur != last)
+                        continue;
+                if (nfnl_acct_fill_info(skb, NETLINK_CB(cb->skb).pid,
+                                       cb->nlh->nlmsg_seq,
+                                       NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
+                                       NFNL_MSG_ACCT_NEW, cur) < 0) {
+                        cb->args[1] = (unsigned long)cur;
+                        break;
+                }
+        }
+        if (!cb->args[1])
+                cb->args[2] = 1;
+        rcu_read_unlock();
+        return skb->len;
+}
+static int
+nfnl_acct_get(struct sock *nfnl, struct sk_buff *skb,
+             const struct nlmsghdr *nlh, const struct nlattr * const tb[])
+{
+        int ret = 0;
+        struct nf_acct *cur;
+        char *acct_name;
+        if (nlh->nlmsg_flags & NLM_F_DUMP) {
+                return netlink_dump_start(nfnl, skb, nlh, nfnl_acct_dump,
+                                          NULL, 0);
+        }
+        if (!tb[NFACCT_NAME])
+                return -EINVAL;
+        acct_name = nla_data(tb[NFACCT_NAME]);
+        list_for_each_entry(cur, &nfnl_acct_list, head) {
+                struct sk_buff *skb2;
+                if (strncmp(cur->name, acct_name, NFACCT_NAME_MAX)!= 0)
+                        continue;
+                skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
+                if (skb2 == NULL)
+                        break;
+                ret = nfnl_acct_fill_info(skb2, NETLINK_CB(skb).pid,
+                                         nlh->nlmsg_seq,
+                                         NFNL_MSG_TYPE(nlh->nlmsg_type),
+                                         NFNL_MSG_ACCT_NEW, cur);
+                if (ret <= 0)
+                        kfree_skb(skb2);
+                break;
+        }
+        return ret;
+}
+/* try to delete object, fail if it is still in use. */
+static int nfnl_acct_try_del(struct nf_acct *cur)
+{
+        int ret = 0;
+        /* we want to avoid races with nfnl_acct_find_get. */
+        if (atomic_dec_and_test(&cur->refcnt)) {
+                /* We are protected by nfnl mutex. */
+                list_del_rcu(&cur->head);
+                kfree_rcu(cur, rcu_head);
+        } else {
+                /* still in use, restore reference counter. */
+                atomic_inc(&cur->refcnt);
+                ret = -EBUSY;
+        }
+        return ret;
+}
+static int
+nfnl_acct_del(struct sock *nfnl, struct sk_buff *skb,
+             const struct nlmsghdr *nlh, const struct nlattr * const tb[])
+{
+        char *acct_name;
+        struct nf_acct *cur;
+        int ret = -ENOENT;
+        if (!tb[NFACCT_NAME]) {
+                list_for_each_entry(cur, &nfnl_acct_list, head)
+                        nfnl_acct_try_del(cur);
+                return 0;
+        }
+        acct_name = nla_data(tb[NFACCT_NAME]);
+        list_for_each_entry(cur, &nfnl_acct_list, head) {
+                if (strncmp(cur->name, acct_name, NFACCT_NAME_MAX) != 0)
+                        continue;
+                ret = nfnl_acct_try_del(cur);
+                if (ret < 0)
+                        return ret;
+                break;
+        }
+        return ret;
+}
+static const struct nla_policy nfnl_acct_policy[NFACCT_MAX+1] = {
+        [NFACCT_NAME] = { .type = NLA_NUL_STRING, .len = NFACCT_NAME_MAX-1 },
+        [NFACCT_BYTES] = { .type = NLA_U64 },
+        [NFACCT_PKTS] = { .type = NLA_U64 },
+};
+static const struct nfnl_callback nfnl_acct_cb[NFNL_MSG_ACCT_MAX] = {
+        [NFNL_MSG_ACCT_NEW]             = { .call = nfnl_acct_new,
+                                            .attr_count = NFACCT_MAX,
+                                            .policy = nfnl_acct_policy },
+        [NFNL_MSG_ACCT_GET]             = { .call = nfnl_acct_get,
+                                            .attr_count = NFACCT_MAX,
+                                            .policy = nfnl_acct_policy },
+        [NFNL_MSG_ACCT_GET_CTRZERO]     = { .call = nfnl_acct_get,
+                                            .attr_count = NFACCT_MAX,
+                                            .policy = nfnl_acct_policy },
+        [NFNL_MSG_ACCT_DEL]             = { .call = nfnl_acct_del,
+                                            .attr_count = NFACCT_MAX,
+                                            .policy = nfnl_acct_policy },
+};
+static const struct nfnetlink_subsystem nfnl_acct_subsys = {
+        .name                           = "acct",
+        .subsys_id                      = NFNL_SUBSYS_ACCT,
+        .cb_count                       = NFNL_MSG_ACCT_MAX,
+        .cb                             = nfnl_acct_cb,
+};
+MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_ACCT);
+struct nf_acct *nfnl_acct_find_get(const char *acct_name)
+{
+        struct nf_acct *cur, *acct = NULL;
+        rcu_read_lock();
+        list_for_each_entry_rcu(cur, &nfnl_acct_list, head) {
+                if (strncmp(cur->name, acct_name, NFACCT_NAME_MAX)!= 0)
+                        continue;
+                if (!try_module_get(THIS_MODULE))
+                        goto err;
+                if (!atomic_inc_not_zero(&cur->refcnt)) {
+                        module_put(THIS_MODULE);
+                        goto err;
+                }
+                acct = cur;
+                break;
+        }
+err:
+        rcu_read_unlock();
+        return acct;
+}
+EXPORT_SYMBOL_GPL(nfnl_acct_find_get);
+void nfnl_acct_put(struct nf_acct *acct)
+{
+        atomic_dec(&acct->refcnt);
+        module_put(THIS_MODULE);
+}
+EXPORT_SYMBOL_GPL(nfnl_acct_put);
+void nfnl_acct_update(const struct sk_buff *skb, struct nf_acct *nfacct)
+{
+        atomic64_inc(&nfacct->pkts);
+        atomic64_add(skb->len, &nfacct->bytes);
+}
+EXPORT_SYMBOL_GPL(nfnl_acct_update);
+static int __init nfnl_acct_init(void)
+{
+        int ret;
+        pr_info("nfnl_acct: registering with nfnetlink.\n");
+        ret = nfnetlink_subsys_register(&nfnl_acct_subsys);
+        if (ret < 0) {
+                pr_err("nfnl_acct_init: cannot register with nfnetlink.\n");
+                goto err_out;
+        }
+        return 0;
+err_out:
+        return ret;
+}
+static void __exit nfnl_acct_exit(void)
+{
+        struct nf_acct *cur, *tmp;
+        pr_info("nfnl_acct: unregistering from nfnetlink.\n");
+        nfnetlink_subsys_unregister(&nfnl_acct_subsys);
+        list_for_each_entry_safe(cur, tmp, &nfnl_acct_list, head) {
+                list_del_rcu(&cur->head);
+                /* We are sure that our objects have no clients at this point,
+                 * it's safe to release them all without checking refcnt. */
+                kfree_rcu(cur, rcu_head);
+        }
+}
+module_init(nfnl_acct_init);
+module_exit(nfnl_acct_exit);

diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index d5597b759ba3..77326acd1f57 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig
@@ -4,6 +4,14 @@ menu "Core Netfilter Configuration"
4	config NETFILTER_NETLINK	4	config NETFILTER_NETLINK
5	tristate	5	tristate
6		6
		7	config NETFILTER_NETLINK_ACCT
		8	tristate "Netfilter NFACCT over NFNETLINK interface"
		9	depends on NETFILTER_ADVANCED
		10	select NETFILTER_NETLINK
		11	help
		12	If this option is enabled, the kernel will include support
		13	for extended accounting via NFNETLINK.
		14
7	config NETFILTER_NETLINK_QUEUE	15	config NETFILTER_NETLINK_QUEUE
8	tristate "Netfilter NFQUEUE over NFNETLINK interface"	16	tristate "Netfilter NFQUEUE over NFNETLINK interface"
9	depends on NETFILTER_ADVANCED	17	depends on NETFILTER_ADVANCED


diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile index 1a02853df863..4da1c879644f 100644 --- a/net/netfilter/Makefile +++ b/net/netfilter/Makefile
@@ -7,6 +7,7 @@ nf_conntrack-$(CONFIG_NF_CONNTRACK_EVENTS) += nf_conntrack_ecache.o
7	obj-$(CONFIG_NETFILTER) = netfilter.o	7	obj-$(CONFIG_NETFILTER) = netfilter.o
8		8
9	obj-$(CONFIG_NETFILTER_NETLINK) += nfnetlink.o	9	obj-$(CONFIG_NETFILTER_NETLINK) += nfnetlink.o
		10	obj-$(CONFIG_NETFILTER_NETLINK_ACCT) += nfnetlink_acct.o
10	obj-$(CONFIG_NETFILTER_NETLINK_QUEUE) += nfnetlink_queue.o	11	obj-$(CONFIG_NETFILTER_NETLINK_QUEUE) += nfnetlink_queue.o
11	obj-$(CONFIG_NETFILTER_NETLINK_LOG) += nfnetlink_log.o	12	obj-$(CONFIG_NETFILTER_NETLINK_LOG) += nfnetlink_log.o
12		13


diff --git a/net/netfilter/nfnetlink_acct.c b/net/netfilter/nfnetlink_acct.c new file mode 100644 index 000000000000..362ab6ca3dc1 --- /dev/null +++ b/net/netfilter/nfnetlink_acct.c
@@ -0,0 +1,352 @@
		1	/*
		2	* (C) 2011 Pablo Neira Ayuso <pablo@netfilter.org>
		3	* (C) 2011 Intra2net AG <http://www.intra2net.com>
		4	*
		5	* This program is free software; you can redistribute it and/or modify
		6	* it under the terms of the GNU General Public License version 2 as
		7	* published by the Free Software Foundation (or any later at your option).
		8	*/
		9	#include <linux/init.h>
		10	#include <linux/module.h>
		11	#include <linux/kernel.h>
		12	#include <linux/skbuff.h>
		13	#include <linux/netlink.h>
		14	#include <linux/rculist.h>
		15	#include <linux/slab.h>
		16	#include <linux/types.h>
		17	#include <linux/errno.h>
		18	#include <net/netlink.h>
		19	#include <net/sock.h>
		20	#include <asm/atomic.h>
		21
		22	#include <linux/netfilter.h>
		23	#include <linux/netfilter/nfnetlink.h>
		24	#include <linux/netfilter/nfnetlink_acct.h>
		25
		26	MODULE_LICENSE("GPL");
		27	MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
		28	MODULE_DESCRIPTION("nfacct: Extended Netfilter accounting infrastructure");
		29
		30	static LIST_HEAD(nfnl_acct_list);
		31
		32	struct nf_acct {
		33	atomic64_t pkts;
		34	atomic64_t bytes;
		35	struct list_head head;
		36	atomic_t refcnt;
		37	char name[NFACCT_NAME_MAX];
		38	struct rcu_head rcu_head;
		39	};
		40
		41	static int
		42	nfnl_acct_new(struct sock nfnl, struct sk_buff skb,
		43	const struct nlmsghdr nlh, const struct nlattr const tb[])
		44	{
		45	struct nf_acct nfacct, matching = NULL;
		46	char *acct_name;
		47
		48	if (!tb[NFACCT_NAME])
		49	return -EINVAL;
		50
		51	acct_name = nla_data(tb[NFACCT_NAME]);
		52
		53	list_for_each_entry(nfacct, &nfnl_acct_list, head) {
		54	if (strncmp(nfacct->name, acct_name, NFACCT_NAME_MAX) != 0)
		55	continue;
		56
		57	if (nlh->nlmsg_flags & NLM_F_EXCL)
		58	return -EEXIST;
		59
		60	matching = nfacct;
		61	break;
		62	}
		63
		64	if (matching) {
		65	if (nlh->nlmsg_flags & NLM_F_REPLACE) {
		66	/* reset counters if you request a replacement. */
		67	atomic64_set(&matching->pkts, 0);
		68	atomic64_set(&matching->bytes, 0);
		69	return 0;
		70	}
		71	return -EBUSY;
		72	}
		73
		74	nfacct = kzalloc(sizeof(struct nf_acct), GFP_KERNEL);
		75	if (nfacct == NULL)
		76	return -ENOMEM;
		77
		78	strncpy(nfacct->name, nla_data(tb[NFACCT_NAME]), NFACCT_NAME_MAX);
		79
		80	if (tb[NFACCT_BYTES]) {
		81	atomic64_set(&nfacct->bytes,
		82	be64_to_cpu(nla_get_u64(tb[NFACCT_BYTES])));
		83	}
		84	if (tb[NFACCT_PKTS]) {
		85	atomic64_set(&nfacct->pkts,
		86	be64_to_cpu(nla_get_u64(tb[NFACCT_PKTS])));
		87	}
		88	atomic_set(&nfacct->refcnt, 1);
		89	list_add_tail_rcu(&nfacct->head, &nfnl_acct_list);
		90	return 0;
		91	}
		92
		93	static int
		94	nfnl_acct_fill_info(struct sk_buff *skb, u32 pid, u32 seq, u32 type,
		95	int event, struct nf_acct *acct)
		96	{
		97	struct nlmsghdr *nlh;
		98	struct nfgenmsg *nfmsg;
		99	unsigned int flags = pid ? NLM_F_MULTI : 0;
		100	u64 pkts, bytes;
		101
		102	event \|= NFNL_SUBSYS_ACCT << 8;
		103	nlh = nlmsg_put(skb, pid, seq, event, sizeof(*nfmsg), flags);
		104	if (nlh == NULL)
		105	goto nlmsg_failure;
		106
		107	nfmsg = nlmsg_data(nlh);
		108	nfmsg->nfgen_family = AF_UNSPEC;
		109	nfmsg->version = NFNETLINK_V0;
		110	nfmsg->res_id = 0;
		111
		112	NLA_PUT_STRING(skb, NFACCT_NAME, acct->name);
		113
		114	if (type == NFNL_MSG_ACCT_GET_CTRZERO) {
		115	pkts = atomic64_xchg(&acct->pkts, 0);
		116	bytes = atomic64_xchg(&acct->bytes, 0);
		117	} else {
		118	pkts = atomic64_read(&acct->pkts);
		119	bytes = atomic64_read(&acct->bytes);
		120	}
		121	NLA_PUT_BE64(skb, NFACCT_PKTS, cpu_to_be64(pkts));
		122	NLA_PUT_BE64(skb, NFACCT_BYTES, cpu_to_be64(bytes));
		123	NLA_PUT_BE32(skb, NFACCT_USE, htonl(atomic_read(&acct->refcnt)));
		124
		125	nlmsg_end(skb, nlh);
		126	return skb->len;
		127
		128	nlmsg_failure:
		129	nla_put_failure:
		130	nlmsg_cancel(skb, nlh);
		131	return -1;
		132	}
		133
		134	static int
		135	nfnl_acct_dump(struct sk_buff skb, struct netlink_callback cb)
		136	{
		137	struct nf_acct cur, last;
		138
		139	if (cb->args[2])
		140	return 0;
		141
		142	last = (struct nf_acct *)cb->args[1];
		143	if (cb->args[1])
		144	cb->args[1] = 0;
		145
		146	rcu_read_lock();
		147	list_for_each_entry_rcu(cur, &nfnl_acct_list, head) {
		148	if (last && cur != last)
		149	continue;
		150
		151	if (nfnl_acct_fill_info(skb, NETLINK_CB(cb->skb).pid,
		152	cb->nlh->nlmsg_seq,
		153	NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
		154	NFNL_MSG_ACCT_NEW, cur) < 0) {
		155	cb->args[1] = (unsigned long)cur;
		156	break;
		157	}
		158	}
		159	if (!cb->args[1])
		160	cb->args[2] = 1;
		161	rcu_read_unlock();
		162	return skb->len;
		163	}
		164
		165	static int
		166	nfnl_acct_get(struct sock nfnl, struct sk_buff skb,
		167	const struct nlmsghdr nlh, const struct nlattr const tb[])
		168	{
		169	int ret = 0;
		170	struct nf_acct *cur;
		171	char *acct_name;
		172
		173	if (nlh->nlmsg_flags & NLM_F_DUMP) {
		174	return netlink_dump_start(nfnl, skb, nlh, nfnl_acct_dump,
		175	NULL, 0);
		176	}
		177
		178	if (!tb[NFACCT_NAME])
		179	return -EINVAL;
		180	acct_name = nla_data(tb[NFACCT_NAME]);
		181
		182	list_for_each_entry(cur, &nfnl_acct_list, head) {
		183	struct sk_buff *skb2;
		184
		185	if (strncmp(cur->name, acct_name, NFACCT_NAME_MAX)!= 0)
		186	continue;
		187
		188	skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
		189	if (skb2 == NULL)
		190	break;
		191
		192	ret = nfnl_acct_fill_info(skb2, NETLINK_CB(skb).pid,
		193	nlh->nlmsg_seq,
		194	NFNL_MSG_TYPE(nlh->nlmsg_type),
		195	NFNL_MSG_ACCT_NEW, cur);
		196	if (ret <= 0)
		197	kfree_skb(skb2);
		198
		199	break;
		200	}
		201	return ret;
		202	}
		203
		204	/* try to delete object, fail if it is still in use. */
		205	static int nfnl_acct_try_del(struct nf_acct *cur)
		206	{
		207	int ret = 0;
		208
		209	/* we want to avoid races with nfnl_acct_find_get. */
		210	if (atomic_dec_and_test(&cur->refcnt)) {
		211	/* We are protected by nfnl mutex. */
		212	list_del_rcu(&cur->head);
		213	kfree_rcu(cur, rcu_head);
		214	} else {
		215	/* still in use, restore reference counter. */
		216	atomic_inc(&cur->refcnt);
		217	ret = -EBUSY;
		218	}
		219	return ret;
		220	}
		221
		222	static int
		223	nfnl_acct_del(struct sock nfnl, struct sk_buff skb,
		224	const struct nlmsghdr nlh, const struct nlattr const tb[])
		225	{
		226	char *acct_name;
		227	struct nf_acct *cur;
		228	int ret = -ENOENT;
		229
		230	if (!tb[NFACCT_NAME]) {
		231	list_for_each_entry(cur, &nfnl_acct_list, head)
		232	nfnl_acct_try_del(cur);
		233
		234	return 0;
		235	}
		236	acct_name = nla_data(tb[NFACCT_NAME]);
		237
		238	list_for_each_entry(cur, &nfnl_acct_list, head) {
		239	if (strncmp(cur->name, acct_name, NFACCT_NAME_MAX) != 0)
		240	continue;
		241
		242	ret = nfnl_acct_try_del(cur);
		243	if (ret < 0)
		244	return ret;
		245
		246	break;
		247	}
		248	return ret;
		249	}
		250
		251	static const struct nla_policy nfnl_acct_policy[NFACCT_MAX+1] = {
		252	[NFACCT_NAME] = { .type = NLA_NUL_STRING, .len = NFACCT_NAME_MAX-1 },
		253	[NFACCT_BYTES] = { .type = NLA_U64 },
		254	[NFACCT_PKTS] = { .type = NLA_U64 },
		255	};
		256
		257	static const struct nfnl_callback nfnl_acct_cb[NFNL_MSG_ACCT_MAX] = {
		258	[NFNL_MSG_ACCT_NEW] = { .call = nfnl_acct_new,
		259	.attr_count = NFACCT_MAX,
		260	.policy = nfnl_acct_policy },
		261	[NFNL_MSG_ACCT_GET] = { .call = nfnl_acct_get,
		262	.attr_count = NFACCT_MAX,
		263	.policy = nfnl_acct_policy },
		264	[NFNL_MSG_ACCT_GET_CTRZERO] = { .call = nfnl_acct_get,
		265	.attr_count = NFACCT_MAX,
		266	.policy = nfnl_acct_policy },
		267	[NFNL_MSG_ACCT_DEL] = { .call = nfnl_acct_del,
		268	.attr_count = NFACCT_MAX,
		269	.policy = nfnl_acct_policy },
		270	};
		271
		272	static const struct nfnetlink_subsystem nfnl_acct_subsys = {
		273	.name = "acct",
		274	.subsys_id = NFNL_SUBSYS_ACCT,
		275	.cb_count = NFNL_MSG_ACCT_MAX,
		276	.cb = nfnl_acct_cb,
		277	};
		278
		279	MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_ACCT);
		280
		281	struct nf_acct nfnl_acct_find_get(const char acct_name)
		282	{
		283	struct nf_acct cur, acct = NULL;
		284
		285	rcu_read_lock();
		286	list_for_each_entry_rcu(cur, &nfnl_acct_list, head) {
		287	if (strncmp(cur->name, acct_name, NFACCT_NAME_MAX)!= 0)
		288	continue;
		289
		290	if (!try_module_get(THIS_MODULE))
		291	goto err;
		292
		293	if (!atomic_inc_not_zero(&cur->refcnt)) {
		294	module_put(THIS_MODULE);
		295	goto err;
		296	}
		297
		298	acct = cur;
		299	break;
		300	}
		301	err:
		302	rcu_read_unlock();
		303	return acct;
		304	}
		305	EXPORT_SYMBOL_GPL(nfnl_acct_find_get);
		306
		307	void nfnl_acct_put(struct nf_acct *acct)
		308	{
		309	atomic_dec(&acct->refcnt);
		310	module_put(THIS_MODULE);
		311	}
		312	EXPORT_SYMBOL_GPL(nfnl_acct_put);
		313
		314	void nfnl_acct_update(const struct sk_buff skb, struct nf_acct nfacct)
		315	{
		316	atomic64_inc(&nfacct->pkts);
		317	atomic64_add(skb->len, &nfacct->bytes);
		318	}
		319	EXPORT_SYMBOL_GPL(nfnl_acct_update);
		320
		321	static int __init nfnl_acct_init(void)
		322	{
		323	int ret;
		324
		325	pr_info("nfnl_acct: registering with nfnetlink.\n");
		326	ret = nfnetlink_subsys_register(&nfnl_acct_subsys);
		327	if (ret < 0) {
		328	pr_err("nfnl_acct_init: cannot register with nfnetlink.\n");
		329	goto err_out;
		330	}
		331	return 0;
		332	err_out:
		333	return ret;
		334	}
		335
		336	static void __exit nfnl_acct_exit(void)
		337	{
		338	struct nf_acct cur, tmp;
		339
		340	pr_info("nfnl_acct: unregistering from nfnetlink.\n");
		341	nfnetlink_subsys_unregister(&nfnl_acct_subsys);
		342
		343	list_for_each_entry_safe(cur, tmp, &nfnl_acct_list, head) {
		344	list_del_rcu(&cur->head);
		345	/* We are sure that our objects have no clients at this point,
		346	* it's safe to release them all without checking refcnt. */
		347	kfree_rcu(cur, rcu_head);
		348	}
		349	}
		350
		351	module_init(nfnl_acct_init);
		352	module_exit(nfnl_acct_exit);