[mirror_ubuntu-bionic-kernel.git] / net / netfilter / nf_conntrack_expect.c

/* Expectation handling for nf_conntrack. */

/* (C) 1999-2001 Paul `Rusty' Russell
 * (C) 2002-2006 Netfilter Core Team <coreteam@netfilter.org>
 * (C) 2003,2004 USAGI/WIDE Project <http://www.linux-ipv6.org>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */

#include <linux/types.h>
#include <linux/netfilter.h>
#include <linux/skbuff.h>
#include <linux/proc_fs.h>
#include <linux/seq_file.h>
#include <linux/stddef.h>
#include <linux/slab.h>
#include <linux/err.h>
#include <linux/percpu.h>
#include <linux/kernel.h>
#include <linux/jhash.h>
#include <net/net_namespace.h>

#include <net/netfilter/nf_conntrack.h>
#include <net/netfilter/nf_conntrack_core.h>
#include <net/netfilter/nf_conntrack_expect.h>
#include <net/netfilter/nf_conntrack_helper.h>
#include <net/netfilter/nf_conntrack_tuple.h>

unsigned int nf_ct_expect_hsize __read_mostly;
EXPORT_SYMBOL_GPL(nf_ct_expect_hsize);

static unsigned int nf_ct_expect_hash_rnd __read_mostly;
unsigned int nf_ct_expect_max __read_mostly;
static int nf_ct_expect_hash_rnd_initted __read_mostly;

static struct kmem_cache *nf_ct_expect_cachep __read_mostly;

/* nf_conntrack_expect helper functions */
void nf_ct_unlink_expect(struct nf_conntrack_expect *exp)
{
	struct nf_conn_help *master_help = nfct_help(exp->master);
	struct net *net = nf_ct_exp_net(exp);

	NF_CT_ASSERT(master_help);
	NF_CT_ASSERT(!timer_pending(&exp->timeout));

	hlist_del_rcu(&exp->hnode);
	net->ct.expect_count--;

	hlist_del(&exp->lnode);
	master_help->expecting[exp->class]--;
	nf_ct_expect_put(exp);

	NF_CT_STAT_INC(expect_delete);
}
EXPORT_SYMBOL_GPL(nf_ct_unlink_expect);

static void nf_ct_expectation_timed_out(unsigned long ul_expect)
{
	struct nf_conntrack_expect *exp = (void *)ul_expect;

	spin_lock_bh(&nf_conntrack_lock);
	nf_ct_unlink_expect(exp);
	spin_unlock_bh(&nf_conntrack_lock);
	nf_ct_expect_put(exp);
}

static unsigned int nf_ct_expect_dst_hash(const struct nf_conntrack_tuple *tuple)
{
	unsigned int hash;

	if (unlikely(!nf_ct_expect_hash_rnd_initted)) {
		get_random_bytes(&nf_ct_expect_hash_rnd, 4);
		nf_ct_expect_hash_rnd_initted = 1;
	}

	hash = jhash2(tuple->dst.u3.all, ARRAY_SIZE(tuple->dst.u3.all),
		      (((tuple->dst.protonum ^ tuple->src.l3num) << 16) |
		       (__force __u16)tuple->dst.u.all) ^ nf_ct_expect_hash_rnd);
	return ((u64)hash * nf_ct_expect_hsize) >> 32;
}

struct nf_conntrack_expect *
__nf_ct_expect_find(struct net *net, const struct nf_conntrack_tuple *tuple)
{
	struct nf_conntrack_expect *i;
	struct hlist_node *n;
	unsigned int h;

	if (!net->ct.expect_count)
		return NULL;

	h = nf_ct_expect_dst_hash(tuple);
	hlist_for_each_entry_rcu(i, n, &net->ct.expect_hash[h], hnode) {
		if (nf_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask))
			return i;
	}
	return NULL;
}
EXPORT_SYMBOL_GPL(__nf_ct_expect_find);

/* Just find a expectation corresponding to a tuple. */
struct nf_conntrack_expect *
nf_ct_expect_find_get(struct net *net, const struct nf_conntrack_tuple *tuple)
{
	struct nf_conntrack_expect *i;

	rcu_read_lock();
	i = __nf_ct_expect_find(net, tuple);
	if (i && !atomic_inc_not_zero(&i->use))
		i = NULL;
	rcu_read_unlock();

	return i;
}
EXPORT_SYMBOL_GPL(nf_ct_expect_find_get);

/* If an expectation for this connection is found, it gets delete from
 * global list then returned. */
struct nf_conntrack_expect *
nf_ct_find_expectation(struct net *net, const struct nf_conntrack_tuple *tuple)
{
	struct nf_conntrack_expect *i, *exp = NULL;
	struct hlist_node *n;
	unsigned int h;

	if (!net->ct.expect_count)
		return NULL;

	h = nf_ct_expect_dst_hash(tuple);
	hlist_for_each_entry(i, n, &net->ct.expect_hash[h], hnode) {
		if (!(i->flags & NF_CT_EXPECT_INACTIVE) &&
		    nf_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask)) {
			exp = i;
			break;
		}
	}
	if (!exp)
		return NULL;

	/* If master is not in hash table yet (ie. packet hasn't left
	   this machine yet), how can other end know about expected?
	   Hence these are not the droids you are looking for (if
	   master ct never got confirmed, we'd hold a reference to it
	   and weird things would happen to future packets). */
	if (!nf_ct_is_confirmed(exp->master))
		return NULL;

	if (exp->flags & NF_CT_EXPECT_PERMANENT) {
		atomic_inc(&exp->use);
		return exp;
	} else if (del_timer(&exp->timeout)) {
		nf_ct_unlink_expect(exp);
		return exp;
	}

	return NULL;
}

/* delete all expectations for this conntrack */
void nf_ct_remove_expectations(struct nf_conn *ct)
{
	struct nf_conn_help *help = nfct_help(ct);
	struct nf_conntrack_expect *exp;
	struct hlist_node *n, *next;

	/* Optimization: most connection never expect any others. */
	if (!help)
		return;

	hlist_for_each_entry_safe(exp, n, next, &help->expectations, lnode) {
		if (del_timer(&exp->timeout)) {
			nf_ct_unlink_expect(exp);
			nf_ct_expect_put(exp);
		}
	}
}
EXPORT_SYMBOL_GPL(nf_ct_remove_expectations);

/* Would two expected things clash? */
static inline int expect_clash(const struct nf_conntrack_expect *a,
			       const struct nf_conntrack_expect *b)
{
	/* Part covered by intersection of masks must be unequal,
	   otherwise they clash */
	struct nf_conntrack_tuple_mask intersect_mask;
	int count;

	intersect_mask.src.u.all = a->mask.src.u.all & b->mask.src.u.all;

	for (count = 0; count < NF_CT_TUPLE_L3SIZE; count++){
		intersect_mask.src.u3.all[count] =
			a->mask.src.u3.all[count] & b->mask.src.u3.all[count];
	}

	return nf_ct_tuple_mask_cmp(&a->tuple, &b->tuple, &intersect_mask);
}

static inline int expect_matches(const struct nf_conntrack_expect *a,
				 const struct nf_conntrack_expect *b)
{
	return a->master == b->master && a->class == b->class
		&& nf_ct_tuple_equal(&a->tuple, &b->tuple)
		&& nf_ct_tuple_mask_equal(&a->mask, &b->mask);
}

/* Generally a bad idea to call this: could have matched already. */
void nf_ct_unexpect_related(struct nf_conntrack_expect *exp)
{
	spin_lock_bh(&nf_conntrack_lock);
	if (del_timer(&exp->timeout)) {
		nf_ct_unlink_expect(exp);
		nf_ct_expect_put(exp);
	}
	spin_unlock_bh(&nf_conntrack_lock);
}
EXPORT_SYMBOL_GPL(nf_ct_unexpect_related);

/* We don't increase the master conntrack refcount for non-fulfilled
 * conntracks. During the conntrack destruction, the expectations are
 * always killed before the conntrack itself */
struct nf_conntrack_expect *nf_ct_expect_alloc(struct nf_conn *me)
{
	struct nf_conntrack_expect *new;

	new = kmem_cache_alloc(nf_ct_expect_cachep, GFP_ATOMIC);
	if (!new)
		return NULL;

	new->master = me;
	atomic_set(&new->use, 1);
	INIT_RCU_HEAD(&new->rcu);
	return new;
}
EXPORT_SYMBOL_GPL(nf_ct_expect_alloc);

void nf_ct_expect_init(struct nf_conntrack_expect *exp, unsigned int class,
		       u_int8_t family,
		       const union nf_inet_addr *saddr,
		       const union nf_inet_addr *daddr,
		       u_int8_t proto, const __be16 *src, const __be16 *dst)
{
	int len;

	if (family == AF_INET)
		len = 4;
	else
		len = 16;

	exp->flags = 0;
	exp->class = class;
	exp->expectfn = NULL;
	exp->helper = NULL;
	exp->tuple.src.l3num = family;
	exp->tuple.dst.protonum = proto;

	if (saddr) {
		memcpy(&exp->tuple.src.u3, saddr, len);
		if (sizeof(exp->tuple.src.u3) > len)
			/* address needs to be cleared for nf_ct_tuple_equal */
			memset((void *)&exp->tuple.src.u3 + len, 0x00,
			       sizeof(exp->tuple.src.u3) - len);
		memset(&exp->mask.src.u3, 0xFF, len);
		if (sizeof(exp->mask.src.u3) > len)
			memset((void *)&exp->mask.src.u3 + len, 0x00,
			       sizeof(exp->mask.src.u3) - len);
	} else {
		memset(&exp->tuple.src.u3, 0x00, sizeof(exp->tuple.src.u3));
		memset(&exp->mask.src.u3, 0x00, sizeof(exp->mask.src.u3));
	}

	if (src) {
		exp->tuple.src.u.all = *src;
		exp->mask.src.u.all = htons(0xFFFF);
	} else {
		exp->tuple.src.u.all = 0;
		exp->mask.src.u.all = 0;
	}

	memcpy(&exp->tuple.dst.u3, daddr, len);
	if (sizeof(exp->tuple.dst.u3) > len)
		/* address needs to be cleared for nf_ct_tuple_equal */
		memset((void *)&exp->tuple.dst.u3 + len, 0x00,
		       sizeof(exp->tuple.dst.u3) - len);

	exp->tuple.dst.u.all = *dst;
}
EXPORT_SYMBOL_GPL(nf_ct_expect_init);

static void nf_ct_expect_free_rcu(struct rcu_head *head)
{
	struct nf_conntrack_expect *exp;

	exp = container_of(head, struct nf_conntrack_expect, rcu);
	kmem_cache_free(nf_ct_expect_cachep, exp);
}

void nf_ct_expect_put(struct nf_conntrack_expect *exp)
{
	if (atomic_dec_and_test(&exp->use))
		call_rcu(&exp->rcu, nf_ct_expect_free_rcu);
}
EXPORT_SYMBOL_GPL(nf_ct_expect_put);

static void nf_ct_expect_insert(struct nf_conntrack_expect *exp)
{
	struct nf_conn_help *master_help = nfct_help(exp->master);
	struct net *net = nf_ct_exp_net(exp);
	const struct nf_conntrack_expect_policy *p;
	unsigned int h = nf_ct_expect_dst_hash(&exp->tuple);

	atomic_inc(&exp->use);

	hlist_add_head(&exp->lnode, &master_help->expectations);
	master_help->expecting[exp->class]++;

	hlist_add_head_rcu(&exp->hnode, &net->ct.expect_hash[h]);
	net->ct.expect_count++;

	setup_timer(&exp->timeout, nf_ct_expectation_timed_out,
		    (unsigned long)exp);
	p = &master_help->helper->expect_policy[exp->class];
	exp->timeout.expires = jiffies + p->timeout * HZ;
	add_timer(&exp->timeout);

	atomic_inc(&exp->use);
	NF_CT_STAT_INC(expect_create);
}

/* Race with expectations being used means we could have none to find; OK. */
static void evict_oldest_expect(struct nf_conn *master,
				struct nf_conntrack_expect *new)
{
	struct nf_conn_help *master_help = nfct_help(master);
	struct nf_conntrack_expect *exp, *last = NULL;
	struct hlist_node *n;

	hlist_for_each_entry(exp, n, &master_help->expectations, lnode) {
		if (exp->class == new->class)
			last = exp;
	}

	if (last && del_timer(&last->timeout)) {
		nf_ct_unlink_expect(last);
		nf_ct_expect_put(last);
	}
}

static inline int refresh_timer(struct nf_conntrack_expect *i)
{
	struct nf_conn_help *master_help = nfct_help(i->master);
	const struct nf_conntrack_expect_policy *p;

	if (!del_timer(&i->timeout))
		return 0;

	p = &master_help->helper->expect_policy[i->class];
	i->timeout.expires = jiffies + p->timeout * HZ;
	add_timer(&i->timeout);
	return 1;
}

int nf_ct_expect_related(struct nf_conntrack_expect *expect)
{
	const struct nf_conntrack_expect_policy *p;
	struct nf_conntrack_expect *i;
	struct nf_conn *master = expect->master;
	struct nf_conn_help *master_help = nfct_help(master);
	struct net *net = nf_ct_exp_net(expect);
	struct hlist_node *n;
	unsigned int h;
	int ret;

	NF_CT_ASSERT(master_help);

	spin_lock_bh(&nf_conntrack_lock);
	if (!master_help->helper) {
		ret = -ESHUTDOWN;
		goto out;
	}
	h = nf_ct_expect_dst_hash(&expect->tuple);
	hlist_for_each_entry(i, n, &net->ct.expect_hash[h], hnode) {
		if (expect_matches(i, expect)) {
			/* Refresh timer: if it's dying, ignore.. */
			if (refresh_timer(i)) {
				ret = 0;
				goto out;
			}
		} else if (expect_clash(i, expect)) {
			ret = -EBUSY;
			goto out;
		}
	}
	/* Will be over limit? */
	p = &master_help->helper->expect_policy[expect->class];
	if (p->max_expected &&
	    master_help->expecting[expect->class] >= p->max_expected) {
		evict_oldest_expect(master, expect);
		if (master_help->expecting[expect->class] >= p->max_expected) {
			ret = -EMFILE;
			goto out;
		}
	}

	if (net->ct.expect_count >= nf_ct_expect_max) {
		if (net_ratelimit())
			printk(KERN_WARNING
			       "nf_conntrack: expectation table full\n");
		ret = -EMFILE;
		goto out;
	}

	nf_ct_expect_insert(expect);
	nf_ct_expect_event(IPEXP_NEW, expect);
	ret = 0;
out:
	spin_unlock_bh(&nf_conntrack_lock);
	return ret;
}
EXPORT_SYMBOL_GPL(nf_ct_expect_related);

#ifdef CONFIG_PROC_FS
struct ct_expect_iter_state {
	struct seq_net_private p;
	unsigned int bucket;
};

static struct hlist_node *ct_expect_get_first(struct seq_file *seq)
{
	struct net *net = seq_file_net(seq);
	struct ct_expect_iter_state *st = seq->private;
	struct hlist_node *n;

	for (st->bucket = 0; st->bucket < nf_ct_expect_hsize; st->bucket++) {
		n = rcu_dereference(net->ct.expect_hash[st->bucket].first);
		if (n)
			return n;
	}
	return NULL;
}

static struct hlist_node *ct_expect_get_next(struct seq_file *seq,
					     struct hlist_node *head)
{
	struct net *net = seq_file_net(seq);
	struct ct_expect_iter_state *st = seq->private;

	head = rcu_dereference(head->next);
	while (head == NULL) {
		if (++st->bucket >= nf_ct_expect_hsize)
			return NULL;
		head = rcu_dereference(net->ct.expect_hash[st->bucket].first);
	}
	return head;
}

static struct hlist_node *ct_expect_get_idx(struct seq_file *seq, loff_t pos)
{
	struct hlist_node *head = ct_expect_get_first(seq);

	if (head)
		while (pos && (head = ct_expect_get_next(seq, head)))
			pos--;
	return pos ? NULL : head;
}

static void *exp_seq_start(struct seq_file *seq, loff_t *pos)
	__acquires(RCU)
{
	rcu_read_lock();
	return ct_expect_get_idx(seq, *pos);
}

static void *exp_seq_next(struct seq_file *seq, void *v, loff_t *pos)
{
	(*pos)++;
	return ct_expect_get_next(seq, v);
}

static void exp_seq_stop(struct seq_file *seq, void *v)
	__releases(RCU)
{
	rcu_read_unlock();
}

static int exp_seq_show(struct seq_file *s, void *v)
{
	struct nf_conntrack_expect *expect;
	struct hlist_node *n = v;
	char *delim = "";

	expect = hlist_entry(n, struct nf_conntrack_expect, hnode);

	if (expect->timeout.function)
		seq_printf(s, "%ld ", timer_pending(&expect->timeout)
			   ? (long)(expect->timeout.expires - jiffies)/HZ : 0);
	else
		seq_printf(s, "- ");
	seq_printf(s, "l3proto = %u proto=%u ",
		   expect->tuple.src.l3num,
		   expect->tuple.dst.protonum);
	print_tuple(s, &expect->tuple,
		    __nf_ct_l3proto_find(expect->tuple.src.l3num),
		    __nf_ct_l4proto_find(expect->tuple.src.l3num,
				       expect->tuple.dst.protonum));

	if (expect->flags & NF_CT_EXPECT_PERMANENT) {
		seq_printf(s, "PERMANENT");
		delim = ",";
	}
	if (expect->flags & NF_CT_EXPECT_INACTIVE)
		seq_printf(s, "%sINACTIVE", delim);

	return seq_putc(s, '\n');
}

static const struct seq_operations exp_seq_ops = {
	.start = exp_seq_start,
	.next = exp_seq_next,
	.stop = exp_seq_stop,
	.show = exp_seq_show
};

static int exp_open(struct inode *inode, struct file *file)
{
	return seq_open_net(inode, file, &exp_seq_ops,
			sizeof(struct ct_expect_iter_state));
}

static const struct file_operations exp_file_ops = {
	.owner   = THIS_MODULE,
	.open    = exp_open,
	.read    = seq_read,
	.llseek  = seq_lseek,
	.release = seq_release_net,
};
#endif /* CONFIG_PROC_FS */

static int exp_proc_init(struct net *net)
{
#ifdef CONFIG_PROC_FS
	struct proc_dir_entry *proc;

	proc = proc_net_fops_create(net, "nf_conntrack_expect", 0440, &exp_file_ops);
	if (!proc)
		return -ENOMEM;
#endif /* CONFIG_PROC_FS */
	return 0;
}

static void exp_proc_remove(struct net *net)
{
#ifdef CONFIG_PROC_FS
	proc_net_remove(net, "nf_conntrack_expect");
#endif /* CONFIG_PROC_FS */
}

module_param_named(expect_hashsize, nf_ct_expect_hsize, uint, 0600);

int nf_conntrack_expect_init(struct net *net)
{
	int err = -ENOMEM;

	if (!nf_ct_expect_hsize) {
		nf_ct_expect_hsize = nf_conntrack_htable_size / 256;
		if (!nf_ct_expect_hsize)
			nf_ct_expect_hsize = 1;
	}
	nf_ct_expect_max = nf_ct_expect_hsize * 4;

	net->ct.expect_count = 0;
	net->ct.expect_hash = nf_ct_alloc_hashtable(&nf_ct_expect_hsize,
						  &net->ct.expect_vmalloc);
	if (net->ct.expect_hash == NULL)
		goto err1;

	nf_ct_expect_cachep = kmem_cache_create("nf_conntrack_expect",
					sizeof(struct nf_conntrack_expect),
					0, 0, NULL);
	if (!nf_ct_expect_cachep)
		goto err2;

	err = exp_proc_init(net);
	if (err < 0)
		goto err3;

	return 0;

err3:
	kmem_cache_destroy(nf_ct_expect_cachep);
err2:
	nf_ct_free_hashtable(net->ct.expect_hash, net->ct.expect_vmalloc,
			     nf_ct_expect_hsize);
err1:
	return err;
}

void nf_conntrack_expect_fini(struct net *net)
{
	exp_proc_remove(net);
	kmem_cache_destroy(nf_ct_expect_cachep);
	nf_ct_free_hashtable(net->ct.expect_hash, net->ct.expect_vmalloc,
			     nf_ct_expect_hsize);
}
Commit	Line	Data
77ab9cff MJ	1	/* Expectation handling for nf_conntrack. */
	2
	3	/* (C) 1999-2001 Paul `Rusty' Russell
	4	* (C) 2002-2006 Netfilter Core Team <coreteam@netfilter.org>
	5	* (C) 2003,2004 USAGI/WIDE Project <http://www.linux-ipv6.org>
	6	*
	7	* This program is free software; you can redistribute it and/or modify
	8	* it under the terms of the GNU General Public License version 2 as
	9	* published by the Free Software Foundation.
	10	*/
	11
	12	#include <linux/types.h>
	13	#include <linux/netfilter.h>
	14	#include <linux/skbuff.h>
	15	#include <linux/proc_fs.h>
	16	#include <linux/seq_file.h>
	17	#include <linux/stddef.h>
	18	#include <linux/slab.h>
	19	#include <linux/err.h>
	20	#include <linux/percpu.h>
	21	#include <linux/kernel.h>
a71c0855	22	#include <linux/jhash.h>
457c4cbc	23	#include <net/net_namespace.h>
77ab9cff MJ	24
	25	#include <net/netfilter/nf_conntrack.h>
	26	#include <net/netfilter/nf_conntrack_core.h>
	27	#include <net/netfilter/nf_conntrack_expect.h>
	28	#include <net/netfilter/nf_conntrack_helper.h>
	29	#include <net/netfilter/nf_conntrack_tuple.h>
	30
a71c0855 PM	31	unsigned int nf_ct_expect_hsize __read_mostly;
	32	EXPORT_SYMBOL_GPL(nf_ct_expect_hsize);
	33
	34	static unsigned int nf_ct_expect_hash_rnd __read_mostly;
f264a7df	35	unsigned int nf_ct_expect_max __read_mostly;
a71c0855	36	static int nf_ct_expect_hash_rnd_initted __read_mostly;
a71c0855	37
e9c1b084	38	static struct kmem_cache *nf_ct_expect_cachep __read_mostly;
77ab9cff MJ	39
	40	/* nf_conntrack_expect helper functions */
	41	void nf_ct_unlink_expect(struct nf_conntrack_expect *exp)
	42	{
	43	struct nf_conn_help *master_help = nfct_help(exp->master);
9b03f38d	44	struct net *net = nf_ct_exp_net(exp);
77ab9cff MJ	45
	46	NF_CT_ASSERT(master_help);
	47	NF_CT_ASSERT(!timer_pending(&exp->timeout));
	48
7d0742da	49	hlist_del_rcu(&exp->hnode);
9b03f38d	50	net->ct.expect_count--;
a71c0855	51
b560580a	52	hlist_del(&exp->lnode);
6002f266	53	master_help->expecting[exp->class]--;
6823645d	54	nf_ct_expect_put(exp);
b560580a PM	55
b560580a PM	56	NF_CT_STAT_INC(expect_delete);
77ab9cff	57	}
13b18339	58	EXPORT_SYMBOL_GPL(nf_ct_unlink_expect);
77ab9cff	59
6823645d	60	static void nf_ct_expectation_timed_out(unsigned long ul_expect)
77ab9cff MJ	61	{
	62	struct nf_conntrack_expect exp = (void )ul_expect;
	63
f8ba1aff	64	spin_lock_bh(&nf_conntrack_lock);
77ab9cff	65	nf_ct_unlink_expect(exp);
f8ba1aff	66	spin_unlock_bh(&nf_conntrack_lock);
6823645d	67	nf_ct_expect_put(exp);
77ab9cff MJ	68	}
77ab9cff MJ	69
a71c0855 PM	70	static unsigned int nf_ct_expect_dst_hash(const struct nf_conntrack_tuple *tuple)
a71c0855 PM	71	{
34498825 PM	72	unsigned int hash;
34498825 PM	73
a71c0855 PM	74	if (unlikely(!nf_ct_expect_hash_rnd_initted)) {
	75	get_random_bytes(&nf_ct_expect_hash_rnd, 4);
	76	nf_ct_expect_hash_rnd_initted = 1;
	77	}
	78
34498825	79	hash = jhash2(tuple->dst.u3.all, ARRAY_SIZE(tuple->dst.u3.all),
a71c0855	80	(((tuple->dst.protonum ^ tuple->src.l3num) << 16) \|
34498825 PM	81	(__force __u16)tuple->dst.u.all) ^ nf_ct_expect_hash_rnd);
34498825 PM	82	return ((u64)hash * nf_ct_expect_hsize) >> 32;
a71c0855 PM	83	}
a71c0855 PM	84
77ab9cff	85	struct nf_conntrack_expect *
9b03f38d	86	__nf_ct_expect_find(struct net net, const struct nf_conntrack_tuple tuple)
77ab9cff MJ	87	{
77ab9cff MJ	88	struct nf_conntrack_expect *i;
a71c0855 PM	89	struct hlist_node *n;
	90	unsigned int h;
	91
9b03f38d	92	if (!net->ct.expect_count)
a71c0855	93	return NULL;
77ab9cff	94
a71c0855	95	h = nf_ct_expect_dst_hash(tuple);
9b03f38d	96	hlist_for_each_entry_rcu(i, n, &net->ct.expect_hash[h], hnode) {
77ab9cff MJ	97	if (nf_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask))
	98	return i;
	99	}
	100	return NULL;
	101	}
6823645d	102	EXPORT_SYMBOL_GPL(__nf_ct_expect_find);
77ab9cff MJ	103
	104	/* Just find a expectation corresponding to a tuple. */
	105	struct nf_conntrack_expect *
9b03f38d	106	nf_ct_expect_find_get(struct net net, const struct nf_conntrack_tuple tuple)
77ab9cff MJ	107	{
	108	struct nf_conntrack_expect *i;
	109
7d0742da	110	rcu_read_lock();
9b03f38d	111	i = __nf_ct_expect_find(net, tuple);
7d0742da PM	112	if (i && !atomic_inc_not_zero(&i->use))
	113	i = NULL;
	114	rcu_read_unlock();
77ab9cff MJ	115
	116	return i;
	117	}
6823645d	118	EXPORT_SYMBOL_GPL(nf_ct_expect_find_get);
77ab9cff MJ	119
	120	/* If an expectation for this connection is found, it gets delete from
	121	* global list then returned. */
	122	struct nf_conntrack_expect *
9b03f38d	123	nf_ct_find_expectation(struct net net, const struct nf_conntrack_tuple tuple)
77ab9cff	124	{
359b9ab6 PM	125	struct nf_conntrack_expect i, exp = NULL;
	126	struct hlist_node *n;
	127	unsigned int h;
	128
9b03f38d	129	if (!net->ct.expect_count)
359b9ab6	130	return NULL;
ece00641	131
359b9ab6	132	h = nf_ct_expect_dst_hash(tuple);
9b03f38d	133	hlist_for_each_entry(i, n, &net->ct.expect_hash[h], hnode) {
359b9ab6 PM	134	if (!(i->flags & NF_CT_EXPECT_INACTIVE) &&
	135	nf_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask)) {
	136	exp = i;
	137	break;
	138	}
	139	}
ece00641 YK	140	if (!exp)
ece00641 YK	141	return NULL;
77ab9cff	142
77ab9cff MJ	143	/* If master is not in hash table yet (ie. packet hasn't left
	144	this machine yet), how can other end know about expected?
	145	Hence these are not the droids you are looking for (if
	146	master ct never got confirmed, we'd hold a reference to it
	147	and weird things would happen to future packets). */
ece00641 YK	148	if (!nf_ct_is_confirmed(exp->master))
	149	return NULL;
	150
	151	if (exp->flags & NF_CT_EXPECT_PERMANENT) {
	152	atomic_inc(&exp->use);
	153	return exp;
	154	} else if (del_timer(&exp->timeout)) {
	155	nf_ct_unlink_expect(exp);
	156	return exp;
77ab9cff	157	}
ece00641	158
77ab9cff MJ	159	return NULL;
	160	}
	161
	162	/* delete all expectations for this conntrack */
	163	void nf_ct_remove_expectations(struct nf_conn *ct)
	164	{
77ab9cff	165	struct nf_conn_help *help = nfct_help(ct);
b560580a PM	166	struct nf_conntrack_expect *exp;
b560580a PM	167	struct hlist_node n, next;
77ab9cff MJ	168
77ab9cff MJ	169	/* Optimization: most connection never expect any others. */
6002f266	170	if (!help)
77ab9cff MJ	171	return;
77ab9cff MJ	172
b560580a PM	173	hlist_for_each_entry_safe(exp, n, next, &help->expectations, lnode) {
	174	if (del_timer(&exp->timeout)) {
	175	nf_ct_unlink_expect(exp);
	176	nf_ct_expect_put(exp);
601e68e1	177	}
77ab9cff MJ	178	}
77ab9cff MJ	179	}
13b18339	180	EXPORT_SYMBOL_GPL(nf_ct_remove_expectations);
77ab9cff MJ	181
	182	/* Would two expected things clash? */
	183	static inline int expect_clash(const struct nf_conntrack_expect *a,
	184	const struct nf_conntrack_expect *b)
	185	{
	186	/* Part covered by intersection of masks must be unequal,
	187	otherwise they clash */
d4156e8c	188	struct nf_conntrack_tuple_mask intersect_mask;
77ab9cff MJ	189	int count;
77ab9cff MJ	190
77ab9cff	191	intersect_mask.src.u.all = a->mask.src.u.all & b->mask.src.u.all;
77ab9cff MJ	192
	193	for (count = 0; count < NF_CT_TUPLE_L3SIZE; count++){
	194	intersect_mask.src.u3.all[count] =
	195	a->mask.src.u3.all[count] & b->mask.src.u3.all[count];
	196	}
	197
77ab9cff MJ	198	return nf_ct_tuple_mask_cmp(&a->tuple, &b->tuple, &intersect_mask);
	199	}
	200
	201	static inline int expect_matches(const struct nf_conntrack_expect *a,
	202	const struct nf_conntrack_expect *b)
	203	{
6002f266	204	return a->master == b->master && a->class == b->class
77ab9cff	205	&& nf_ct_tuple_equal(&a->tuple, &b->tuple)
d4156e8c	206	&& nf_ct_tuple_mask_equal(&a->mask, &b->mask);
77ab9cff MJ	207	}
	208
	209	/* Generally a bad idea to call this: could have matched already. */
6823645d	210	void nf_ct_unexpect_related(struct nf_conntrack_expect *exp)
77ab9cff	211	{
f8ba1aff	212	spin_lock_bh(&nf_conntrack_lock);
4e1d4e6c PM	213	if (del_timer(&exp->timeout)) {
	214	nf_ct_unlink_expect(exp);
	215	nf_ct_expect_put(exp);
77ab9cff	216	}
f8ba1aff	217	spin_unlock_bh(&nf_conntrack_lock);
77ab9cff	218	}
6823645d	219	EXPORT_SYMBOL_GPL(nf_ct_unexpect_related);
77ab9cff MJ	220
	221	/* We don't increase the master conntrack refcount for non-fulfilled
	222	* conntracks. During the conntrack destruction, the expectations are
	223	* always killed before the conntrack itself */
6823645d	224	struct nf_conntrack_expect nf_ct_expect_alloc(struct nf_conn me)
77ab9cff MJ	225	{
	226	struct nf_conntrack_expect *new;
	227
6823645d	228	new = kmem_cache_alloc(nf_ct_expect_cachep, GFP_ATOMIC);
77ab9cff MJ	229	if (!new)
	230	return NULL;
	231
	232	new->master = me;
	233	atomic_set(&new->use, 1);
7d0742da	234	INIT_RCU_HEAD(&new->rcu);
77ab9cff MJ	235	return new;
77ab9cff MJ	236	}
6823645d	237	EXPORT_SYMBOL_GPL(nf_ct_expect_alloc);
77ab9cff	238
6002f266	239	void nf_ct_expect_init(struct nf_conntrack_expect *exp, unsigned int class,
76108cea	240	u_int8_t family,
1d9d7522 PM	241	const union nf_inet_addr *saddr,
	242	const union nf_inet_addr *daddr,
	243	u_int8_t proto, const __be16 src, const __be16 dst)
d6a9b650 PM	244	{
	245	int len;
	246
	247	if (family == AF_INET)
	248	len = 4;
	249	else
	250	len = 16;
	251
	252	exp->flags = 0;
6002f266	253	exp->class = class;
d6a9b650 PM	254	exp->expectfn = NULL;
	255	exp->helper = NULL;
	256	exp->tuple.src.l3num = family;
	257	exp->tuple.dst.protonum = proto;
d6a9b650 PM	258
	259	if (saddr) {
	260	memcpy(&exp->tuple.src.u3, saddr, len);
	261	if (sizeof(exp->tuple.src.u3) > len)
	262	/* address needs to be cleared for nf_ct_tuple_equal */
	263	memset((void *)&exp->tuple.src.u3 + len, 0x00,
	264	sizeof(exp->tuple.src.u3) - len);
	265	memset(&exp->mask.src.u3, 0xFF, len);
	266	if (sizeof(exp->mask.src.u3) > len)
	267	memset((void *)&exp->mask.src.u3 + len, 0x00,
	268	sizeof(exp->mask.src.u3) - len);
	269	} else {
	270	memset(&exp->tuple.src.u3, 0x00, sizeof(exp->tuple.src.u3));
	271	memset(&exp->mask.src.u3, 0x00, sizeof(exp->mask.src.u3));
	272	}
	273
d6a9b650	274	if (src) {
a34c4589 AV	275	exp->tuple.src.u.all = *src;
a34c4589 AV	276	exp->mask.src.u.all = htons(0xFFFF);
d6a9b650 PM	277	} else {
	278	exp->tuple.src.u.all = 0;
	279	exp->mask.src.u.all = 0;
	280	}
	281
d4156e8c PM	282	memcpy(&exp->tuple.dst.u3, daddr, len);
	283	if (sizeof(exp->tuple.dst.u3) > len)
	284	/* address needs to be cleared for nf_ct_tuple_equal */
	285	memset((void *)&exp->tuple.dst.u3 + len, 0x00,
	286	sizeof(exp->tuple.dst.u3) - len);
	287
a34c4589	288	exp->tuple.dst.u.all = *dst;
d6a9b650	289	}
6823645d	290	EXPORT_SYMBOL_GPL(nf_ct_expect_init);
d6a9b650	291
7d0742da PM	292	static void nf_ct_expect_free_rcu(struct rcu_head *head)
	293	{
	294	struct nf_conntrack_expect *exp;
	295
	296	exp = container_of(head, struct nf_conntrack_expect, rcu);
	297	kmem_cache_free(nf_ct_expect_cachep, exp);
	298	}
	299
6823645d	300	void nf_ct_expect_put(struct nf_conntrack_expect *exp)
77ab9cff MJ	301	{
77ab9cff MJ	302	if (atomic_dec_and_test(&exp->use))
7d0742da	303	call_rcu(&exp->rcu, nf_ct_expect_free_rcu);
77ab9cff	304	}
6823645d	305	EXPORT_SYMBOL_GPL(nf_ct_expect_put);
77ab9cff	306
6823645d	307	static void nf_ct_expect_insert(struct nf_conntrack_expect *exp)
77ab9cff MJ	308	{
77ab9cff MJ	309	struct nf_conn_help *master_help = nfct_help(exp->master);
9b03f38d	310	struct net *net = nf_ct_exp_net(exp);
6002f266	311	const struct nf_conntrack_expect_policy *p;
a71c0855	312	unsigned int h = nf_ct_expect_dst_hash(&exp->tuple);
77ab9cff MJ	313
77ab9cff MJ	314	atomic_inc(&exp->use);
b560580a PM	315
b560580a PM	316	hlist_add_head(&exp->lnode, &master_help->expectations);
6002f266	317	master_help->expecting[exp->class]++;
a71c0855	318
9b03f38d AD	319	hlist_add_head_rcu(&exp->hnode, &net->ct.expect_hash[h]);
9b03f38d AD	320	net->ct.expect_count++;
77ab9cff	321
6823645d PM	322	setup_timer(&exp->timeout, nf_ct_expectation_timed_out,
6823645d PM	323	(unsigned long)exp);
6002f266 PM	324	p = &master_help->helper->expect_policy[exp->class];
6002f266 PM	325	exp->timeout.expires = jiffies + p->timeout * HZ;
77ab9cff MJ	326	add_timer(&exp->timeout);
77ab9cff MJ	327
77ab9cff MJ	328	atomic_inc(&exp->use);
	329	NF_CT_STAT_INC(expect_create);
	330	}
	331
	332	/* Race with expectations being used means we could have none to find; OK. */
6002f266 PM	333	static void evict_oldest_expect(struct nf_conn *master,
6002f266 PM	334	struct nf_conntrack_expect *new)
77ab9cff	335	{
b560580a	336	struct nf_conn_help *master_help = nfct_help(master);
6002f266	337	struct nf_conntrack_expect exp, last = NULL;
b560580a	338	struct hlist_node *n;
77ab9cff	339
6002f266 PM	340	hlist_for_each_entry(exp, n, &master_help->expectations, lnode) {
	341	if (exp->class == new->class)
	342	last = exp;
	343	}
b560580a	344
6002f266 PM	345	if (last && del_timer(&last->timeout)) {
	346	nf_ct_unlink_expect(last);
	347	nf_ct_expect_put(last);
77ab9cff MJ	348	}
	349	}
	350
	351	static inline int refresh_timer(struct nf_conntrack_expect *i)
	352	{
	353	struct nf_conn_help *master_help = nfct_help(i->master);
6002f266	354	const struct nf_conntrack_expect_policy *p;
77ab9cff MJ	355
	356	if (!del_timer(&i->timeout))
	357	return 0;
	358
6002f266 PM	359	p = &master_help->helper->expect_policy[i->class];
6002f266 PM	360	i->timeout.expires = jiffies + p->timeout * HZ;
77ab9cff MJ	361	add_timer(&i->timeout);
	362	return 1;
	363	}
	364
6823645d	365	int nf_ct_expect_related(struct nf_conntrack_expect *expect)
77ab9cff	366	{
6002f266	367	const struct nf_conntrack_expect_policy *p;
77ab9cff MJ	368	struct nf_conntrack_expect *i;
	369	struct nf_conn *master = expect->master;
	370	struct nf_conn_help *master_help = nfct_help(master);
9b03f38d	371	struct net *net = nf_ct_exp_net(expect);
a71c0855 PM	372	struct hlist_node *n;
a71c0855 PM	373	unsigned int h;
77ab9cff MJ	374	int ret;
	375
	376	NF_CT_ASSERT(master_help);
	377
f8ba1aff	378	spin_lock_bh(&nf_conntrack_lock);
3c158f7f PM	379	if (!master_help->helper) {
	380	ret = -ESHUTDOWN;
	381	goto out;
	382	}
a71c0855	383	h = nf_ct_expect_dst_hash(&expect->tuple);
9b03f38d	384	hlist_for_each_entry(i, n, &net->ct.expect_hash[h], hnode) {
77ab9cff MJ	385	if (expect_matches(i, expect)) {
	386	/* Refresh timer: if it's dying, ignore.. */
	387	if (refresh_timer(i)) {
	388	ret = 0;
	389	goto out;
	390	}
	391	} else if (expect_clash(i, expect)) {
	392	ret = -EBUSY;
	393	goto out;
	394	}
	395	}
	396	/* Will be over limit? */
6002f266 PM	397	p = &master_help->helper->expect_policy[expect->class];
	398	if (p->max_expected &&
	399	master_help->expecting[expect->class] >= p->max_expected) {
	400	evict_oldest_expect(master, expect);
	401	if (master_help->expecting[expect->class] >= p->max_expected) {
	402	ret = -EMFILE;
	403	goto out;
	404	}
	405	}
77ab9cff	406
9b03f38d	407	if (net->ct.expect_count >= nf_ct_expect_max) {
f264a7df PM	408	if (net_ratelimit())
f264a7df PM	409	printk(KERN_WARNING
3d89e9cf	410	"nf_conntrack: expectation table full\n");
f264a7df PM	411	ret = -EMFILE;
	412	goto out;
	413	}
	414
6823645d PM	415	nf_ct_expect_insert(expect);
6823645d PM	416	nf_ct_expect_event(IPEXP_NEW, expect);
77ab9cff MJ	417	ret = 0;
77ab9cff MJ	418	out:
f8ba1aff	419	spin_unlock_bh(&nf_conntrack_lock);
77ab9cff MJ	420	return ret;
77ab9cff MJ	421	}
6823645d	422	EXPORT_SYMBOL_GPL(nf_ct_expect_related);
77ab9cff MJ	423
77ab9cff MJ	424	#ifdef CONFIG_PROC_FS
5d08ad44	425	struct ct_expect_iter_state {
dc5129f8	426	struct seq_net_private p;
5d08ad44 PM	427	unsigned int bucket;
	428	};
	429
	430	static struct hlist_node ct_expect_get_first(struct seq_file seq)
77ab9cff	431	{
dc5129f8	432	struct net *net = seq_file_net(seq);
5d08ad44	433	struct ct_expect_iter_state *st = seq->private;
7d0742da	434	struct hlist_node *n;
77ab9cff	435
5d08ad44	436	for (st->bucket = 0; st->bucket < nf_ct_expect_hsize; st->bucket++) {
9b03f38d	437	n = rcu_dereference(net->ct.expect_hash[st->bucket].first);
7d0742da PM	438	if (n)
7d0742da PM	439	return n;
5d08ad44 PM	440	}
	441	return NULL;
	442	}
77ab9cff	443
5d08ad44 PM	444	static struct hlist_node ct_expect_get_next(struct seq_file seq,
	445	struct hlist_node *head)
	446	{
dc5129f8	447	struct net *net = seq_file_net(seq);
5d08ad44	448	struct ct_expect_iter_state *st = seq->private;
77ab9cff	449
7d0742da	450	head = rcu_dereference(head->next);
5d08ad44 PM	451	while (head == NULL) {
5d08ad44 PM	452	if (++st->bucket >= nf_ct_expect_hsize)
77ab9cff	453	return NULL;
9b03f38d	454	head = rcu_dereference(net->ct.expect_hash[st->bucket].first);
77ab9cff	455	}
5d08ad44	456	return head;
77ab9cff MJ	457	}
77ab9cff MJ	458
5d08ad44	459	static struct hlist_node ct_expect_get_idx(struct seq_file seq, loff_t pos)
77ab9cff	460	{
5d08ad44	461	struct hlist_node *head = ct_expect_get_first(seq);
77ab9cff	462
5d08ad44 PM	463	if (head)
	464	while (pos && (head = ct_expect_get_next(seq, head)))
	465	pos--;
	466	return pos ? NULL : head;
	467	}
77ab9cff	468
5d08ad44	469	static void exp_seq_start(struct seq_file seq, loff_t *pos)
7d0742da	470	__acquires(RCU)
5d08ad44	471	{
7d0742da	472	rcu_read_lock();
5d08ad44 PM	473	return ct_expect_get_idx(seq, *pos);
5d08ad44 PM	474	}
77ab9cff	475
5d08ad44 PM	476	static void exp_seq_next(struct seq_file seq, void v, loff_t pos)
	477	{
	478	(*pos)++;
	479	return ct_expect_get_next(seq, v);
77ab9cff MJ	480	}
77ab9cff MJ	481
5d08ad44	482	static void exp_seq_stop(struct seq_file seq, void v)
7d0742da	483	__releases(RCU)
77ab9cff	484	{
7d0742da	485	rcu_read_unlock();
77ab9cff MJ	486	}
	487
	488	static int exp_seq_show(struct seq_file s, void v)
	489	{
5d08ad44 PM	490	struct nf_conntrack_expect *expect;
5d08ad44 PM	491	struct hlist_node *n = v;
359b9ab6	492	char *delim = "";
5d08ad44 PM	493
5d08ad44 PM	494	expect = hlist_entry(n, struct nf_conntrack_expect, hnode);
77ab9cff MJ	495
	496	if (expect->timeout.function)
	497	seq_printf(s, "%ld ", timer_pending(&expect->timeout)
	498	? (long)(expect->timeout.expires - jiffies)/HZ : 0);
	499	else
	500	seq_printf(s, "- ");
	501	seq_printf(s, "l3proto = %u proto=%u ",
	502	expect->tuple.src.l3num,
	503	expect->tuple.dst.protonum);
	504	print_tuple(s, &expect->tuple,
	505	__nf_ct_l3proto_find(expect->tuple.src.l3num),
605dcad6	506	__nf_ct_l4proto_find(expect->tuple.src.l3num,
77ab9cff	507	expect->tuple.dst.protonum));
4bb119ea	508
359b9ab6 PM	509	if (expect->flags & NF_CT_EXPECT_PERMANENT) {
	510	seq_printf(s, "PERMANENT");
	511	delim = ",";
	512	}
	513	if (expect->flags & NF_CT_EXPECT_INACTIVE)
	514	seq_printf(s, "%sINACTIVE", delim);
4bb119ea	515
77ab9cff MJ	516	return seq_putc(s, '\n');
	517	}
	518
56b3d975	519	static const struct seq_operations exp_seq_ops = {
77ab9cff MJ	520	.start = exp_seq_start,
	521	.next = exp_seq_next,
	522	.stop = exp_seq_stop,
	523	.show = exp_seq_show
	524	};
	525
	526	static int exp_open(struct inode inode, struct file file)
	527	{
dc5129f8	528	return seq_open_net(inode, file, &exp_seq_ops,
e2da5913	529	sizeof(struct ct_expect_iter_state));
77ab9cff MJ	530	}
77ab9cff MJ	531
5d08ad44	532	static const struct file_operations exp_file_ops = {
77ab9cff MJ	533	.owner = THIS_MODULE,
	534	.open = exp_open,
	535	.read = seq_read,
	536	.llseek = seq_lseek,
dc5129f8	537	.release = seq_release_net,
77ab9cff MJ	538	};
77ab9cff MJ	539	#endif /* CONFIG_PROC_FS */
e9c1b084	540
dc5129f8	541	static int exp_proc_init(struct net *net)
e9c1b084 PM	542	{
	543	#ifdef CONFIG_PROC_FS
	544	struct proc_dir_entry *proc;
	545
dc5129f8	546	proc = proc_net_fops_create(net, "nf_conntrack_expect", 0440, &exp_file_ops);
e9c1b084 PM	547	if (!proc)
	548	return -ENOMEM;
	549	#endif /* CONFIG_PROC_FS */
	550	return 0;
	551	}
	552
dc5129f8	553	static void exp_proc_remove(struct net *net)
e9c1b084 PM	554	{
e9c1b084 PM	555	#ifdef CONFIG_PROC_FS
dc5129f8	556	proc_net_remove(net, "nf_conntrack_expect");
e9c1b084 PM	557	#endif /* CONFIG_PROC_FS */
	558	}
	559
a71c0855 PM	560	module_param_named(expect_hashsize, nf_ct_expect_hsize, uint, 0600);
a71c0855 PM	561
9b03f38d	562	int nf_conntrack_expect_init(struct net *net)
e9c1b084	563	{
a71c0855 PM	564	int err = -ENOMEM;
	565
	566	if (!nf_ct_expect_hsize) {
	567	nf_ct_expect_hsize = nf_conntrack_htable_size / 256;
	568	if (!nf_ct_expect_hsize)
	569	nf_ct_expect_hsize = 1;
	570	}
f264a7df	571	nf_ct_expect_max = nf_ct_expect_hsize * 4;
a71c0855	572
9b03f38d AD	573	net->ct.expect_count = 0;
	574	net->ct.expect_hash = nf_ct_alloc_hashtable(&nf_ct_expect_hsize,
	575	&net->ct.expect_vmalloc);
	576	if (net->ct.expect_hash == NULL)
a71c0855	577	goto err1;
e9c1b084 PM	578
	579	nf_ct_expect_cachep = kmem_cache_create("nf_conntrack_expect",
	580	sizeof(struct nf_conntrack_expect),
20c2df83	581	0, 0, NULL);
e9c1b084	582	if (!nf_ct_expect_cachep)
a71c0855	583	goto err2;
e9c1b084	584
dc5129f8	585	err = exp_proc_init(net);
e9c1b084	586	if (err < 0)
a71c0855	587	goto err3;
e9c1b084 PM	588
	589	return 0;
	590
a71c0855	591	err3:
12293bf9 AD	592	kmem_cache_destroy(nf_ct_expect_cachep);
12293bf9 AD	593	err2:
9b03f38d	594	nf_ct_free_hashtable(net->ct.expect_hash, net->ct.expect_vmalloc,
a71c0855	595	nf_ct_expect_hsize);
a71c0855	596	err1:
e9c1b084 PM	597	return err;
	598	}
	599
9b03f38d	600	void nf_conntrack_expect_fini(struct net *net)
e9c1b084	601	{
dc5129f8	602	exp_proc_remove(net);
e9c1b084	603	kmem_cache_destroy(nf_ct_expect_cachep);
9b03f38d	604	nf_ct_free_hashtable(net->ct.expect_hash, net->ct.expect_vmalloc,
a71c0855	605	nf_ct_expect_hsize);
e9c1b084	606	}