[mirror_ubuntu-artful-kernel.git] / net / netfilter / nf_synproxy_core.c

/*
 * Copyright (c) 2013 Patrick McHardy <kaber@trash.net>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */

#include <linux/module.h>
#include <linux/skbuff.h>
#include <asm/unaligned.h>
#include <net/tcp.h>
#include <net/netns/generic.h>

#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_tcpudp.h>
#include <linux/netfilter/xt_SYNPROXY.h>
#include <net/netfilter/nf_conntrack.h>
#include <net/netfilter/nf_conntrack_extend.h>
#include <net/netfilter/nf_conntrack_seqadj.h>
#include <net/netfilter/nf_conntrack_synproxy.h>

int synproxy_net_id;
EXPORT_SYMBOL_GPL(synproxy_net_id);

void
synproxy_parse_options(const struct sk_buff *skb, unsigned int doff,
		       const struct tcphdr *th, struct synproxy_options *opts)
{
	int length = (th->doff * 4) - sizeof(*th);
	u8 buf[40], *ptr;

	ptr = skb_header_pointer(skb, doff + sizeof(*th), length, buf);
	BUG_ON(ptr == NULL);

	opts->options = 0;
	while (length > 0) {
		int opcode = *ptr++;
		int opsize;

		switch (opcode) {
		case TCPOPT_EOL:
			return;
		case TCPOPT_NOP:
			length--;
			continue;
		default:
			opsize = *ptr++;
			if (opsize < 2)
				return;
			if (opsize > length)
				return;

			switch (opcode) {
			case TCPOPT_MSS:
				if (opsize == TCPOLEN_MSS) {
					opts->mss = get_unaligned_be16(ptr);
					opts->options |= XT_SYNPROXY_OPT_MSS;
				}
				break;
			case TCPOPT_WINDOW:
				if (opsize == TCPOLEN_WINDOW) {
					opts->wscale = *ptr;
					if (opts->wscale > 14)
						opts->wscale = 14;
					opts->options |= XT_SYNPROXY_OPT_WSCALE;
				}
				break;
			case TCPOPT_TIMESTAMP:
				if (opsize == TCPOLEN_TIMESTAMP) {
					opts->tsval = get_unaligned_be32(ptr);
					opts->tsecr = get_unaligned_be32(ptr + 4);
					opts->options |= XT_SYNPROXY_OPT_TIMESTAMP;
				}
				break;
			case TCPOPT_SACK_PERM:
				if (opsize == TCPOLEN_SACK_PERM)
					opts->options |= XT_SYNPROXY_OPT_SACK_PERM;
				break;
			}

			ptr += opsize - 2;
			length -= opsize;
		}
	}
}
EXPORT_SYMBOL_GPL(synproxy_parse_options);

unsigned int synproxy_options_size(const struct synproxy_options *opts)
{
	unsigned int size = 0;

	if (opts->options & XT_SYNPROXY_OPT_MSS)
		size += TCPOLEN_MSS_ALIGNED;
	if (opts->options & XT_SYNPROXY_OPT_TIMESTAMP)
		size += TCPOLEN_TSTAMP_ALIGNED;
	else if (opts->options & XT_SYNPROXY_OPT_SACK_PERM)
		size += TCPOLEN_SACKPERM_ALIGNED;
	if (opts->options & XT_SYNPROXY_OPT_WSCALE)
		size += TCPOLEN_WSCALE_ALIGNED;

	return size;
}
EXPORT_SYMBOL_GPL(synproxy_options_size);

void
synproxy_build_options(struct tcphdr *th, const struct synproxy_options *opts)
{
	__be32 *ptr = (__be32 *)(th + 1);
	u8 options = opts->options;

	if (options & XT_SYNPROXY_OPT_MSS)
		*ptr++ = htonl((TCPOPT_MSS << 24) |
			       (TCPOLEN_MSS << 16) |
			       opts->mss);

	if (options & XT_SYNPROXY_OPT_TIMESTAMP) {
		if (options & XT_SYNPROXY_OPT_SACK_PERM)
			*ptr++ = htonl((TCPOPT_SACK_PERM << 24) |
				       (TCPOLEN_SACK_PERM << 16) |
				       (TCPOPT_TIMESTAMP << 8) |
				       TCPOLEN_TIMESTAMP);
		else
			*ptr++ = htonl((TCPOPT_NOP << 24) |
				       (TCPOPT_NOP << 16) |
				       (TCPOPT_TIMESTAMP << 8) |
				       TCPOLEN_TIMESTAMP);

		*ptr++ = htonl(opts->tsval);
		*ptr++ = htonl(opts->tsecr);
	} else if (options & XT_SYNPROXY_OPT_SACK_PERM)
		*ptr++ = htonl((TCPOPT_NOP << 24) |
			       (TCPOPT_NOP << 16) |
			       (TCPOPT_SACK_PERM << 8) |
			       TCPOLEN_SACK_PERM);

	if (options & XT_SYNPROXY_OPT_WSCALE)
		*ptr++ = htonl((TCPOPT_NOP << 24) |
			       (TCPOPT_WINDOW << 16) |
			       (TCPOLEN_WINDOW << 8) |
			       opts->wscale);
}
EXPORT_SYMBOL_GPL(synproxy_build_options);

void synproxy_init_timestamp_cookie(const struct xt_synproxy_info *info,
				    struct synproxy_options *opts)
{
	opts->tsecr = opts->tsval;
	opts->tsval = tcp_time_stamp & ~0x3f;

	if (opts->options & XT_SYNPROXY_OPT_WSCALE)
		opts->tsval |= info->wscale;
	else
		opts->tsval |= 0xf;

	if (opts->options & XT_SYNPROXY_OPT_SACK_PERM)
		opts->tsval |= 1 << 4;

	if (opts->options & XT_SYNPROXY_OPT_ECN)
		opts->tsval |= 1 << 5;
}
EXPORT_SYMBOL_GPL(synproxy_init_timestamp_cookie);

void synproxy_check_timestamp_cookie(struct synproxy_options *opts)
{
	opts->wscale = opts->tsecr & 0xf;
	if (opts->wscale != 0xf)
		opts->options |= XT_SYNPROXY_OPT_WSCALE;

	opts->options |= opts->tsecr & (1 << 4) ? XT_SYNPROXY_OPT_SACK_PERM : 0;

	opts->options |= opts->tsecr & (1 << 5) ? XT_SYNPROXY_OPT_ECN : 0;
}
EXPORT_SYMBOL_GPL(synproxy_check_timestamp_cookie);

unsigned int synproxy_tstamp_adjust(struct sk_buff *skb,
				    unsigned int protoff,
				    struct tcphdr *th,
				    struct nf_conn *ct,
				    enum ip_conntrack_info ctinfo,
				    const struct nf_conn_synproxy *synproxy)
{
	unsigned int optoff, optend;
	u32 *ptr, old;

	if (synproxy->tsoff == 0)
		return 1;

	optoff = protoff + sizeof(struct tcphdr);
	optend = protoff + th->doff * 4;

	if (!skb_make_writable(skb, optend))
		return 0;

	while (optoff < optend) {
		unsigned char *op = skb->data + optoff;

		switch (op[0]) {
		case TCPOPT_EOL:
			return 1;
		case TCPOPT_NOP:
			optoff++;
			continue;
		default:
			if (optoff + 1 == optend ||
			    optoff + op[1] > optend ||
			    op[1] < 2)
				return 0;
			if (op[0] == TCPOPT_TIMESTAMP &&
			    op[1] == TCPOLEN_TIMESTAMP) {
				if (CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY) {
					ptr = (u32 *)&op[2];
					old = *ptr;
					*ptr = htonl(ntohl(*ptr) -
						     synproxy->tsoff);
				} else {
					ptr = (u32 *)&op[6];
					old = *ptr;
					*ptr = htonl(ntohl(*ptr) +
						     synproxy->tsoff);
				}
				inet_proto_csum_replace4(&th->check, skb,
							 old, *ptr, 0);
				return 1;
			}
			optoff += op[1];
		}
	}
	return 1;
}
EXPORT_SYMBOL_GPL(synproxy_tstamp_adjust);

static struct nf_ct_ext_type nf_ct_synproxy_extend __read_mostly = {
	.len		= sizeof(struct nf_conn_synproxy),
	.align		= __alignof__(struct nf_conn_synproxy),
	.id		= NF_CT_EXT_SYNPROXY,
};

#ifdef CONFIG_PROC_FS
static void *synproxy_cpu_seq_start(struct seq_file *seq, loff_t *pos)
{
	struct synproxy_net *snet = synproxy_pernet(seq_file_net(seq));
	int cpu;

	if (*pos == 0)
		return SEQ_START_TOKEN;

	for (cpu = *pos - 1; cpu < nr_cpu_ids; cpu++) {
		if (!cpu_possible(cpu))
			continue;
		*pos = cpu + 1;
		return per_cpu_ptr(snet->stats, cpu);
	}

	return NULL;
}

static void *synproxy_cpu_seq_next(struct seq_file *seq, void *v, loff_t *pos)
{
	struct synproxy_net *snet = synproxy_pernet(seq_file_net(seq));
	int cpu;

	for (cpu = *pos; cpu < nr_cpu_ids; cpu++) {
		if (!cpu_possible(cpu))
			continue;
		*pos = cpu + 1;
		return per_cpu_ptr(snet->stats, cpu);
	}

	return NULL;
}

static void synproxy_cpu_seq_stop(struct seq_file *seq, void *v)
{
	return;
}

static int synproxy_cpu_seq_show(struct seq_file *seq, void *v)
{
	struct synproxy_stats *stats = v;

	if (v == SEQ_START_TOKEN) {
		seq_printf(seq, "entries\t\tsyn_received\t"
				"cookie_invalid\tcookie_valid\t"
				"cookie_retrans\tconn_reopened\n");
		return 0;
	}

	seq_printf(seq, "%08x\t%08x\t%08x\t%08x\t%08x\t%08x\n", 0,
		   stats->syn_received,
		   stats->cookie_invalid,
		   stats->cookie_valid,
		   stats->cookie_retrans,
		   stats->conn_reopened);

	return 0;
}

static const struct seq_operations synproxy_cpu_seq_ops = {
	.start		= synproxy_cpu_seq_start,
	.next		= synproxy_cpu_seq_next,
	.stop		= synproxy_cpu_seq_stop,
	.show		= synproxy_cpu_seq_show,
};

static int synproxy_cpu_seq_open(struct inode *inode, struct file *file)
{
	return seq_open_net(inode, file, &synproxy_cpu_seq_ops,
			    sizeof(struct seq_net_private));
}

static const struct file_operations synproxy_cpu_seq_fops = {
	.owner		= THIS_MODULE,
	.open		= synproxy_cpu_seq_open,
	.read		= seq_read,
	.llseek		= seq_lseek,
	.release	= seq_release_net,
};

static int __net_init synproxy_proc_init(struct net *net)
{
	if (!proc_create("synproxy", S_IRUGO, net->proc_net_stat,
			 &synproxy_cpu_seq_fops))
		return -ENOMEM;
	return 0;
}

static void __net_exit synproxy_proc_exit(struct net *net)
{
	remove_proc_entry("synproxy", net->proc_net_stat);
}
#else
static int __net_init synproxy_proc_init(struct net *net)
{
	return 0;
}

static void __net_exit synproxy_proc_exit(struct net *net)
{
	return;
}
#endif /* CONFIG_PROC_FS */

static int __net_init synproxy_net_init(struct net *net)
{
	struct synproxy_net *snet = synproxy_pernet(net);
	struct nf_conntrack_tuple t;
	struct nf_conn *ct;
	int err = -ENOMEM;

	memset(&t, 0, sizeof(t));
	ct = nf_conntrack_alloc(net, 0, &t, &t, GFP_KERNEL);
	if (IS_ERR(ct)) {
		err = PTR_ERR(ct);
		goto err1;
	}

	__set_bit(IPS_TEMPLATE_BIT, &ct->status);
	__set_bit(IPS_CONFIRMED_BIT, &ct->status);
	if (!nfct_seqadj_ext_add(ct))
		goto err2;
	if (!nfct_synproxy_ext_add(ct))
		goto err2;

	snet->tmpl = ct;

	snet->stats = alloc_percpu(struct synproxy_stats);
	if (snet->stats == NULL)
		goto err2;

	err = synproxy_proc_init(net);
	if (err < 0)
		goto err3;

	return 0;

err3:
	free_percpu(snet->stats);
err2:
	nf_conntrack_free(ct);
err1:
	return err;
}

static void __net_exit synproxy_net_exit(struct net *net)
{
	struct synproxy_net *snet = synproxy_pernet(net);

	nf_conntrack_free(snet->tmpl);
	synproxy_proc_exit(net);
	free_percpu(snet->stats);
}

static struct pernet_operations synproxy_net_ops = {
	.init		= synproxy_net_init,
	.exit		= synproxy_net_exit,
	.id		= &synproxy_net_id,
	.size		= sizeof(struct synproxy_net),
};

static int __init synproxy_core_init(void)
{
	int err;

	err = nf_ct_extend_register(&nf_ct_synproxy_extend);
	if (err < 0)
		goto err1;

	err = register_pernet_subsys(&synproxy_net_ops);
	if (err < 0)
		goto err2;

	return 0;

err2:
	nf_ct_extend_unregister(&nf_ct_synproxy_extend);
err1:
	return err;
}

static void __exit synproxy_core_exit(void)
{
	unregister_pernet_subsys(&synproxy_net_ops);
	nf_ct_extend_unregister(&nf_ct_synproxy_extend);
}

module_init(synproxy_core_init);
module_exit(synproxy_core_exit);

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
Commit	Line	Data
48b1de4c PM	1	/*
	2	* Copyright (c) 2013 Patrick McHardy <kaber@trash.net>
	3	*
	4	* This program is free software; you can redistribute it and/or modify
	5	* it under the terms of the GNU General Public License version 2 as
	6	* published by the Free Software Foundation.
	7	*/
	8
	9	#include <linux/module.h>
	10	#include <linux/skbuff.h>
	11	#include <asm/unaligned.h>
	12	#include <net/tcp.h>
	13	#include <net/netns/generic.h>
	14
	15	#include <linux/netfilter_ipv4/ip_tables.h>
	16	#include <linux/netfilter/x_tables.h>
	17	#include <linux/netfilter/xt_tcpudp.h>
	18	#include <linux/netfilter/xt_SYNPROXY.h>
	19	#include <net/netfilter/nf_conntrack.h>
	20	#include <net/netfilter/nf_conntrack_extend.h>
	21	#include <net/netfilter/nf_conntrack_seqadj.h>
	22	#include <net/netfilter/nf_conntrack_synproxy.h>
	23
	24	int synproxy_net_id;
	25	EXPORT_SYMBOL_GPL(synproxy_net_id);
	26
	27	void
	28	synproxy_parse_options(const struct sk_buff *skb, unsigned int doff,
	29	const struct tcphdr th, struct synproxy_options opts)
	30	{
	31	int length = (th->doff * 4) - sizeof(*th);
	32	u8 buf[40], *ptr;
	33
	34	ptr = skb_header_pointer(skb, doff + sizeof(*th), length, buf);
	35	BUG_ON(ptr == NULL);
	36
	37	opts->options = 0;
	38	while (length > 0) {
	39	int opcode = *ptr++;
	40	int opsize;
	41
	42	switch (opcode) {
	43	case TCPOPT_EOL:
	44	return;
	45	case TCPOPT_NOP:
	46	length--;
	47	continue;
	48	default:
	49	opsize = *ptr++;
	50	if (opsize < 2)
	51	return;
	52	if (opsize > length)
	53	return;
	54
	55	switch (opcode) {
	56	case TCPOPT_MSS:
	57	if (opsize == TCPOLEN_MSS) {
	58	opts->mss = get_unaligned_be16(ptr);
	59	opts->options \|= XT_SYNPROXY_OPT_MSS;
	60	}
	61	break;
	62	case TCPOPT_WINDOW:
	63	if (opsize == TCPOLEN_WINDOW) {
	64	opts->wscale = *ptr;
65	if (opts->wscale > 14)
66	opts->wscale = 14;
67	opts->options \|= XT_SYNPROXY_OPT_WSCALE;
68	}
69	break;
70	case TCPOPT_TIMESTAMP:
71	if (opsize == TCPOLEN_TIMESTAMP) {
72	opts->tsval = get_unaligned_be32(ptr);
73	opts->tsecr = get_unaligned_be32(ptr + 4);
74	opts->options \|= XT_SYNPROXY_OPT_TIMESTAMP;
75	}
76	break;
77	case TCPOPT_SACK_PERM:
78	if (opsize == TCPOLEN_SACK_PERM)
79	opts->options \|= XT_SYNPROXY_OPT_SACK_PERM;
80	break;
81	}
82
83	ptr += opsize - 2;
84	length -= opsize;
85	}
86	}
87	}
88	EXPORT_SYMBOL_GPL(synproxy_parse_options);
89
90	unsigned int synproxy_options_size(const struct synproxy_options *opts)
91	{
92	unsigned int size = 0;
93
94	if (opts->options & XT_SYNPROXY_OPT_MSS)
95	size += TCPOLEN_MSS_ALIGNED;
96	if (opts->options & XT_SYNPROXY_OPT_TIMESTAMP)
97	size += TCPOLEN_TSTAMP_ALIGNED;
98	else if (opts->options & XT_SYNPROXY_OPT_SACK_PERM)
99	size += TCPOLEN_SACKPERM_ALIGNED;
100	if (opts->options & XT_SYNPROXY_OPT_WSCALE)
101	size += TCPOLEN_WSCALE_ALIGNED;
102
103	return size;
104	}
105	EXPORT_SYMBOL_GPL(synproxy_options_size);
106
107	void
108	synproxy_build_options(struct tcphdr th, const struct synproxy_options opts)
109	{
110	__be32 ptr = (__be32 )(th + 1);
111	u8 options = opts->options;
112
113	if (options & XT_SYNPROXY_OPT_MSS)
114	*ptr++ = htonl((TCPOPT_MSS << 24) \|
115	(TCPOLEN_MSS << 16) \|
116	opts->mss);
117
118	if (options & XT_SYNPROXY_OPT_TIMESTAMP) {
119	if (options & XT_SYNPROXY_OPT_SACK_PERM)
120	*ptr++ = htonl((TCPOPT_SACK_PERM << 24) \|
121	(TCPOLEN_SACK_PERM << 16) \|
122	(TCPOPT_TIMESTAMP << 8) \|
123	TCPOLEN_TIMESTAMP);
124	else
125	*ptr++ = htonl((TCPOPT_NOP << 24) \|
126	(TCPOPT_NOP << 16) \|
127	(TCPOPT_TIMESTAMP << 8) \|
128	TCPOLEN_TIMESTAMP);
129
130	*ptr++ = htonl(opts->tsval);
131	*ptr++ = htonl(opts->tsecr);
132	} else if (options & XT_SYNPROXY_OPT_SACK_PERM)
133	*ptr++ = htonl((TCPOPT_NOP << 24) \|
134	(TCPOPT_NOP << 16) \|
135	(TCPOPT_SACK_PERM << 8) \|
136	TCPOLEN_SACK_PERM);
137
138	if (options & XT_SYNPROXY_OPT_WSCALE)
139	*ptr++ = htonl((TCPOPT_NOP << 24) \|
140	(TCPOPT_WINDOW << 16) \|
141	(TCPOLEN_WINDOW << 8) \|
142	opts->wscale);
143	}
144	EXPORT_SYMBOL_GPL(synproxy_build_options);
145
146	void synproxy_init_timestamp_cookie(const struct xt_synproxy_info *info,
147	struct synproxy_options *opts)
148	{
149	opts->tsecr = opts->tsval;
150	opts->tsval = tcp_time_stamp & ~0x3f;
151
152	if (opts->options & XT_SYNPROXY_OPT_WSCALE)
153	opts->tsval \|= info->wscale;
154	else
155	opts->tsval \|= 0xf;
156
157	if (opts->options & XT_SYNPROXY_OPT_SACK_PERM)
158	opts->tsval \|= 1 << 4;
159
160	if (opts->options & XT_SYNPROXY_OPT_ECN)
161	opts->tsval \|= 1 << 5;
162	}
163	EXPORT_SYMBOL_GPL(synproxy_init_timestamp_cookie);
164
165	void synproxy_check_timestamp_cookie(struct synproxy_options *opts)
166	{
167	opts->wscale = opts->tsecr & 0xf;
168	if (opts->wscale != 0xf)
169	opts->options \|= XT_SYNPROXY_OPT_WSCALE;
170
171	opts->options \|= opts->tsecr & (1 << 4) ? XT_SYNPROXY_OPT_SACK_PERM : 0;
172
173	opts->options \|= opts->tsecr & (1 << 5) ? XT_SYNPROXY_OPT_ECN : 0;
174	}
175	EXPORT_SYMBOL_GPL(synproxy_check_timestamp_cookie);
176
177	unsigned int synproxy_tstamp_adjust(struct sk_buff *skb,
178	unsigned int protoff,
179	struct tcphdr *th,
180	struct nf_conn *ct,
181	enum ip_conntrack_info ctinfo,
182	const struct nf_conn_synproxy *synproxy)
183	{
184	unsigned int optoff, optend;
185	u32 *ptr, old;
186
187	if (synproxy->tsoff == 0)
188	return 1;
189
190	optoff = protoff + sizeof(struct tcphdr);
191	optend = protoff + th->doff * 4;
192
193	if (!skb_make_writable(skb, optend))
194	return 0;
195
196	while (optoff < optend) {
197	unsigned char *op = skb->data + optoff;
198
199	switch (op[0]) {
200	case TCPOPT_EOL:
201	return 1;
202	case TCPOPT_NOP:
203	optoff++;
204	continue;
205	default:
206	if (optoff + 1 == optend \|\|
207	optoff + op[1] > optend \|\|
208	op[1] < 2)
209	return 0;
210	if (op[0] == TCPOPT_TIMESTAMP &&
211	op[1] == TCPOLEN_TIMESTAMP) {
212	if (CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY) {
213	ptr = (u32 *)&op[2];
214	old = *ptr;
215	ptr = htonl(ntohl(ptr) -
216	synproxy->tsoff);
217	} else {
218	ptr = (u32 *)&op[6];
219	old = *ptr;
220	ptr = htonl(ntohl(ptr) +
221	synproxy->tsoff);
222	}
223	inet_proto_csum_replace4(&th->check, skb,
224	old, *ptr, 0);
225	return 1;
226	}
227	optoff += op[1];
228	}
229	}
230	return 1;
231	}
232	EXPORT_SYMBOL_GPL(synproxy_tstamp_adjust);
233
234	static struct nf_ct_ext_type nf_ct_synproxy_extend __read_mostly = {
235	.len = sizeof(struct nf_conn_synproxy),
236	.align = __alignof__(struct nf_conn_synproxy),
237	.id = NF_CT_EXT_SYNPROXY,
238	};
239
240	#ifdef CONFIG_PROC_FS
241	static void synproxy_cpu_seq_start(struct seq_file seq, loff_t *pos)
242	{
243	struct synproxy_net *snet = synproxy_pernet(seq_file_net(seq));
244	int cpu;
245
246	if (*pos == 0)
247	return SEQ_START_TOKEN;
248
249	for (cpu = *pos - 1; cpu < nr_cpu_ids; cpu++) {
250	if (!cpu_possible(cpu))
251	continue;
252	*pos = cpu + 1;
253	return per_cpu_ptr(snet->stats, cpu);
254	}
255
256	return NULL;
257	}
258
259	static void synproxy_cpu_seq_next(struct seq_file seq, void v, loff_t pos)
260	{
261	struct synproxy_net *snet = synproxy_pernet(seq_file_net(seq));
262	int cpu;
263
264	for (cpu = *pos; cpu < nr_cpu_ids; cpu++) {
265	if (!cpu_possible(cpu))
266	continue;
267	*pos = cpu + 1;
268	return per_cpu_ptr(snet->stats, cpu);
269	}
270
271	return NULL;
272	}
273
274	static void synproxy_cpu_seq_stop(struct seq_file seq, void v)
275	{
276	return;
277	}
278
279	static int synproxy_cpu_seq_show(struct seq_file seq, void v)
280	{
281	struct synproxy_stats *stats = v;
282
283	if (v == SEQ_START_TOKEN) {
284	seq_printf(seq, "entries\t\tsyn_received\t"
285	"cookie_invalid\tcookie_valid\t"
286	"cookie_retrans\tconn_reopened\n");
287	return 0;
288	}
289
290	seq_printf(seq, "%08x\t%08x\t%08x\t%08x\t%08x\t%08x\n", 0,
291	stats->syn_received,
292	stats->cookie_invalid,
293	stats->cookie_valid,
294	stats->cookie_retrans,
295	stats->conn_reopened);
296
297	return 0;
298	}
299
300	static const struct seq_operations synproxy_cpu_seq_ops = {
301	.start = synproxy_cpu_seq_start,
302	.next = synproxy_cpu_seq_next,
303	.stop = synproxy_cpu_seq_stop,
304	.show = synproxy_cpu_seq_show,
305	};
306
307	static int synproxy_cpu_seq_open(struct inode inode, struct file file)
308	{
309	return seq_open_net(inode, file, &synproxy_cpu_seq_ops,
310	sizeof(struct seq_net_private));
311	}
312
313	static const struct file_operations synproxy_cpu_seq_fops = {
314	.owner = THIS_MODULE,
315	.open = synproxy_cpu_seq_open,
316	.read = seq_read,
317	.llseek = seq_lseek,
318	.release = seq_release_net,
319	};
320
321	static int __net_init synproxy_proc_init(struct net *net)
322	{
323	if (!proc_create("synproxy", S_IRUGO, net->proc_net_stat,
324	&synproxy_cpu_seq_fops))
325	return -ENOMEM;
326	return 0;
327	}
328
329	static void __net_exit synproxy_proc_exit(struct net *net)
330	{
331	remove_proc_entry("synproxy", net->proc_net_stat);
332	}
333	#else
334	static int __net_init synproxy_proc_init(struct net *net)
335	{
336	return 0;
337	}
338
339	static void __net_exit synproxy_proc_exit(struct net *net)
340	{
341	return;
342	}
343	#endif /* CONFIG_PROC_FS */
344
345	static int __net_init synproxy_net_init(struct net *net)
346	{
347	struct synproxy_net *snet = synproxy_pernet(net);
348	struct nf_conntrack_tuple t;
349	struct nf_conn *ct;
350	int err = -ENOMEM;
351
352	memset(&t, 0, sizeof(t));
353	ct = nf_conntrack_alloc(net, 0, &t, &t, GFP_KERNEL);
354	if (IS_ERR(ct)) {
355	err = PTR_ERR(ct);
356	goto err1;
357	}
358
359	__set_bit(IPS_TEMPLATE_BIT, &ct->status);
360	__set_bit(IPS_CONFIRMED_BIT, &ct->status);
361	if (!nfct_seqadj_ext_add(ct))
362	goto err2;
363	if (!nfct_synproxy_ext_add(ct))
364	goto err2;
365
366	snet->tmpl = ct;
367
368	snet->stats = alloc_percpu(struct synproxy_stats);
369	if (snet->stats == NULL)
370	goto err2;
371
372	err = synproxy_proc_init(net);
373	if (err < 0)
374	goto err3;
375
376	return 0;
377
378	err3:
379	free_percpu(snet->stats);
380	err2:
381	nf_conntrack_free(ct);
382	err1:
383	return err;
384	}
385
386	static void __net_exit synproxy_net_exit(struct net *net)
387	{
388	struct synproxy_net *snet = synproxy_pernet(net);
389
390	nf_conntrack_free(snet->tmpl);
391	synproxy_proc_exit(net);
392	free_percpu(snet->stats);
393	}
394
395	static struct pernet_operations synproxy_net_ops = {
396	.init = synproxy_net_init,
397	.exit = synproxy_net_exit,
398	.id = &synproxy_net_id,
399	.size = sizeof(struct synproxy_net),
400	};
401
402	static int __init synproxy_core_init(void)
403	{
404	int err;
405
406	err = nf_ct_extend_register(&nf_ct_synproxy_extend);
407	if (err < 0)
408	goto err1;
409
410	err = register_pernet_subsys(&synproxy_net_ops);
411	if (err < 0)
412	goto err2;
413
414	return 0;
415
416	err2:
417	nf_ct_extend_unregister(&nf_ct_synproxy_extend);
418	err1:
419	return err;
420	}
421
422	static void __exit synproxy_core_exit(void)
423	{
424	unregister_pernet_subsys(&synproxy_net_ops);
425	nf_ct_extend_unregister(&nf_ct_synproxy_extend);
426	}
427
428	module_init(synproxy_core_init);
429	module_exit(synproxy_core_exit);
430
431	MODULE_LICENSE("GPL");
432	MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");