]> git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/blame - net/netfilter/nfnetlink_cthelper.c
projects / mirror_ubuntu-bionic-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
netfilter: nfnl_cthelper: fix runtime expectation policy updates
[mirror_ubuntu-bionic-kernel.git] / net / netfilter / nfnetlink_cthelper.c
CommitLineData
12f7a505
PNA		 1/*
2 * (C) 2012 Pablo Neira Ayuso <pablo@netfilter.org>
3 *
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation (or any later at your option).
7 *
8 * This software has been sponsored by Vyatta Inc. <http://www.vyatta.com>
9 */
10#include <linux/init.h>
11#include <linux/module.h>
12#include <linux/kernel.h>
13#include <linux/skbuff.h>
14#include <linux/netlink.h>
15#include <linux/rculist.h>
16#include <linux/slab.h>
17#include <linux/types.h>
18#include <linux/list.h>
19#include <linux/errno.h>
20#include <net/netlink.h>
21#include <net/sock.h>
22
23#include <net/netfilter/nf_conntrack_helper.h>
24#include <net/netfilter/nf_conntrack_expect.h>
25#include <net/netfilter/nf_conntrack_ecache.h>
26
27#include <linux/netfilter/nfnetlink.h>
28#include <linux/netfilter/nfnetlink_conntrack.h>
29#include <linux/netfilter/nfnetlink_cthelper.h>
30
31MODULE_LICENSE("GPL");
32MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
33MODULE_DESCRIPTION("nfnl_cthelper: User-space connection tracking helpers");
34
35static int
36nfnl_userspace_cthelper(struct sk_buff *skb, unsigned int protoff,
37 struct nf_conn *ct, enum ip_conntrack_info ctinfo)
38{
39 const struct nf_conn_help *help;
40 struct nf_conntrack_helper *helper;
41
42 help = nfct_help(ct);
43 if (help == NULL)
44 return NF_DROP;
45
e2361cb9 46 /* rcu_read_lock()ed by nf_hook_thresh */
12f7a505
PNA		 47 helper = rcu_dereference(help->helper);
48 if (helper == NULL)
49 return NF_DROP;
50
9332ef9d 51 /* This is a user-space helper not yet configured, skip. */
12f7a505
PNA		 52 if ((helper->flags &
53 (NF_CT_HELPER_F_USERSPACE | NF_CT_HELPER_F_CONFIGURED)) ==
54 NF_CT_HELPER_F_USERSPACE)
55 return NF_ACCEPT;
56
57 /* If the user-space helper is not available, don't block traffic. */
58 return NF_QUEUE_NR(helper->queue_num) | NF_VERDICT_FLAG_QUEUE_BYPASS;
59}
60
61static const struct nla_policy nfnl_cthelper_tuple_pol[NFCTH_TUPLE_MAX+1] = {
62 [NFCTH_TUPLE_L3PROTONUM] = { .type = NLA_U16, },
63 [NFCTH_TUPLE_L4PROTONUM] = { .type = NLA_U8, },
64};
65
66static int
67nfnl_cthelper_parse_tuple(struct nf_conntrack_tuple *tuple,
68 const struct nlattr *attr)
69{
130ffbc2 70 int err;
12f7a505
PNA		 71 struct nlattr *tb[NFCTH_TUPLE_MAX+1];
72
130ffbc2
DB		 73 err = nla_parse_nested(tb, NFCTH_TUPLE_MAX, attr, nfnl_cthelper_tuple_pol);
74 if (err < 0)
75 return err;
12f7a505
PNA		 76
77 if (!tb[NFCTH_TUPLE_L3PROTONUM] || !tb[NFCTH_TUPLE_L4PROTONUM])
78 return -EINVAL;
79
78146572
IW		 80 /* Not all fields are initialized so first zero the tuple */
81 memset(tuple, 0, sizeof(struct nf_conntrack_tuple));
82
fe31d1a8 83 tuple->src.l3num = ntohs(nla_get_be16(tb[NFCTH_TUPLE_L3PROTONUM]));
12f7a505
PNA		 84 tuple->dst.protonum = nla_get_u8(tb[NFCTH_TUPLE_L4PROTONUM]);
85
86 return 0;
87}
88
89static int
90nfnl_cthelper_from_nlattr(struct nlattr *attr, struct nf_conn *ct)
91{
b18c5d15 92 struct nf_conn_help *help = nfct_help(ct);
12f7a505 93
7be54ca4
PNA		 94 if (attr == NULL)
95 return -EINVAL;
96
12f7a505
PNA		 97 if (help->helper->data_len == 0)
98 return -EINVAL;
99
b18c5d15 100 memcpy(help->data, nla_data(attr), help->helper->data_len);
12f7a505
PNA		 101 return 0;
102}
103
104static int
105nfnl_cthelper_to_nlattr(struct sk_buff *skb, const struct nf_conn *ct)
106{
107 const struct nf_conn_help *help = nfct_help(ct);
108
109 if (help->helper->data_len &&
110 nla_put(skb, CTA_HELP_INFO, help->helper->data_len, &help->data))
111 goto nla_put_failure;
112
113 return 0;
114
115nla_put_failure:
116 return -ENOSPC;
117}
118
119static const struct nla_policy nfnl_cthelper_expect_pol[NFCTH_POLICY_MAX+1] = {
120 [NFCTH_POLICY_NAME] = { .type = NLA_NUL_STRING,
121 .len = NF_CT_HELPER_NAME_LEN-1 },
122 [NFCTH_POLICY_EXPECT_MAX] = { .type = NLA_U32, },
123 [NFCTH_POLICY_EXPECT_TIMEOUT] = { .type = NLA_U32, },
124};
125
126static int
127nfnl_cthelper_expect_policy(struct nf_conntrack_expect_policy *expect_policy,
128 const struct nlattr *attr)
129{
130ffbc2 130 int err;
12f7a505
PNA		 131 struct nlattr *tb[NFCTH_POLICY_MAX+1];
132
130ffbc2
DB		 133 err = nla_parse_nested(tb, NFCTH_POLICY_MAX, attr, nfnl_cthelper_expect_pol);
134 if (err < 0)
135 return err;
12f7a505
PNA		 136
137 if (!tb[NFCTH_POLICY_NAME] ||
138 !tb[NFCTH_POLICY_EXPECT_MAX] ||
139 !tb[NFCTH_POLICY_EXPECT_TIMEOUT])
140 return -EINVAL;
141
142 strncpy(expect_policy->name,
143 nla_data(tb[NFCTH_POLICY_NAME]), NF_CT_HELPER_NAME_LEN);
144 expect_policy->max_expected =
145 ntohl(nla_get_be32(tb[NFCTH_POLICY_EXPECT_MAX]));
146 expect_policy->timeout =
147 ntohl(nla_get_be32(tb[NFCTH_POLICY_EXPECT_TIMEOUT]));
148
149 return 0;
150}
151
152static const struct nla_policy
153nfnl_cthelper_expect_policy_set[NFCTH_POLICY_SET_MAX+1] = {
154 [NFCTH_POLICY_SET_NUM] = { .type = NLA_U32, },
155};
156
157static int
158nfnl_cthelper_parse_expect_policy(struct nf_conntrack_helper *helper,
159 const struct nlattr *attr)
160{
161 int i, ret;
162 struct nf_conntrack_expect_policy *expect_policy;
163 struct nlattr *tb[NFCTH_POLICY_SET_MAX+1];
ae5c6821 164 unsigned int class_max;
12f7a505 165
130ffbc2
DB		 166 ret = nla_parse_nested(tb, NFCTH_POLICY_SET_MAX, attr,
167 nfnl_cthelper_expect_policy_set);
168 if (ret < 0)
169 return ret;
12f7a505
PNA		 170
171 if (!tb[NFCTH_POLICY_SET_NUM])
172 return -EINVAL;
173
ae5c6821
LZ		 174 class_max = ntohl(nla_get_be32(tb[NFCTH_POLICY_SET_NUM]));
175 if (class_max == 0)
176 return -EINVAL;
177 if (class_max > NF_CT_MAX_EXPECT_CLASSES)
12f7a505
PNA		 178 return -EOVERFLOW;
179
180 expect_policy = kzalloc(sizeof(struct nf_conntrack_expect_policy) *
ae5c6821 181 class_max, GFP_KERNEL);
12f7a505
PNA		 182 if (expect_policy == NULL)
183 return -ENOMEM;
184
ae5c6821 185 for (i = 0; i < class_max; i++) {
12f7a505
PNA		 186 if (!tb[NFCTH_POLICY_SET+i])
187 goto err;
188
189 ret = nfnl_cthelper_expect_policy(&expect_policy[i],
190 tb[NFCTH_POLICY_SET+i]);
191 if (ret < 0)
192 goto err;
193 }
ae5c6821
LZ		 194
195 helper->expect_class_max = class_max - 1;
12f7a505
PNA		 196 helper->expect_policy = expect_policy;
197 return 0;
198err:
199 kfree(expect_policy);
200 return -EINVAL;
201}
202
203static int
204nfnl_cthelper_create(const struct nlattr * const tb[],
205 struct nf_conntrack_tuple *tuple)
206{
207 struct nf_conntrack_helper *helper;
208 int ret;
209
210 if (!tb[NFCTH_TUPLE] || !tb[NFCTH_POLICY] || !tb[NFCTH_PRIV_DATA_LEN])
211 return -EINVAL;
212
213 helper = kzalloc(sizeof(struct nf_conntrack_helper), GFP_KERNEL);
214 if (helper == NULL)
215 return -ENOMEM;
216
217 ret = nfnl_cthelper_parse_expect_policy(helper, tb[NFCTH_POLICY]);
218 if (ret < 0)
219 goto err;
220
221 strncpy(helper->name, nla_data(tb[NFCTH_NAME]), NF_CT_HELPER_NAME_LEN);
222 helper->data_len = ntohl(nla_get_be32(tb[NFCTH_PRIV_DATA_LEN]));
223 helper->flags |= NF_CT_HELPER_F_USERSPACE;
224 memcpy(&helper->tuple, tuple, sizeof(struct nf_conntrack_tuple));
225
226 helper->me = THIS_MODULE;
227 helper->help = nfnl_userspace_cthelper;
228 helper->from_nlattr = nfnl_cthelper_from_nlattr;
229 helper->to_nlattr = nfnl_cthelper_to_nlattr;
230
231 /* Default to queue number zero, this can be updated at any time. */
232 if (tb[NFCTH_QUEUE_NUM])
233 helper->queue_num = ntohl(nla_get_be32(tb[NFCTH_QUEUE_NUM]));
234
235 if (tb[NFCTH_STATUS]) {
236 int status = ntohl(nla_get_be32(tb[NFCTH_STATUS]));
237
238 switch(status) {
239 case NFCT_HELPER_STATUS_ENABLED:
240 helper->flags |= NF_CT_HELPER_F_CONFIGURED;
241 break;
242 case NFCT_HELPER_STATUS_DISABLED:
243 helper->flags &= ~NF_CT_HELPER_F_CONFIGURED;
244 break;
245 }
246 }
247
248 ret = nf_conntrack_helper_register(helper);
249 if (ret < 0)
250 goto err;
251
252 return 0;
253err:
254 kfree(helper);
255 return ret;
256}
257
2c422257
PNA		 258static int
259nfnl_cthelper_update_policy_one(const struct nf_conntrack_expect_policy *policy,
260 struct nf_conntrack_expect_policy *new_policy,
261 const struct nlattr *attr)
262{
263 struct nlattr *tb[NFCTH_POLICY_MAX + 1];
264 int err;
265
266 err = nla_parse_nested(tb, NFCTH_POLICY_MAX, attr,
267 nfnl_cthelper_expect_pol);
268 if (err < 0)
269 return err;
270
271 if (!tb[NFCTH_POLICY_NAME] ||
272 !tb[NFCTH_POLICY_EXPECT_MAX] ||
273 !tb[NFCTH_POLICY_EXPECT_TIMEOUT])
274 return -EINVAL;
275
276 if (nla_strcmp(tb[NFCTH_POLICY_NAME], policy->name))
277 return -EBUSY;
278
279 new_policy->max_expected =
280 ntohl(nla_get_be32(tb[NFCTH_POLICY_EXPECT_MAX]));
281 new_policy->timeout =
282 ntohl(nla_get_be32(tb[NFCTH_POLICY_EXPECT_TIMEOUT]));
283
284 return 0;
285}
286
287static int nfnl_cthelper_update_policy_all(struct nlattr *tb[],
288 struct nf_conntrack_helper *helper)
289{
290 struct nf_conntrack_expect_policy new_policy[helper->expect_class_max + 1];
291 struct nf_conntrack_expect_policy *policy;
292 int i, err;
293
294 /* Check first that all policy attributes are well-formed, so we don't
295 * leave things in inconsistent state on errors.
296 */
297 for (i = 0; i < helper->expect_class_max + 1; i++) {
298
299 if (!tb[NFCTH_POLICY_SET + i])
300 return -EINVAL;
301
302 err = nfnl_cthelper_update_policy_one(&helper->expect_policy[i],
303 &new_policy[i],
304 tb[NFCTH_POLICY_SET + i]);
305 if (err < 0)
306 return err;
307 }
308 /* Now we can safely update them. */
309 for (i = 0; i < helper->expect_class_max + 1; i++) {
310 policy = (struct nf_conntrack_expect_policy *)
311 &helper->expect_policy[i];
312 policy->max_expected = new_policy->max_expected;
313 policy->timeout = new_policy->timeout;
314 }
315
316 return 0;
317}
318
319static int nfnl_cthelper_update_policy(struct nf_conntrack_helper *helper,
320 const struct nlattr *attr)
321{
322 struct nlattr *tb[NFCTH_POLICY_SET_MAX + 1];
323 unsigned int class_max;
324 int err;
325
326 err = nla_parse_nested(tb, NFCTH_POLICY_SET_MAX, attr,
327 nfnl_cthelper_expect_policy_set);
328 if (err < 0)
329 return err;
330
331 if (!tb[NFCTH_POLICY_SET_NUM])
332 return -EINVAL;
333
334 class_max = ntohl(nla_get_be32(tb[NFCTH_POLICY_SET_NUM]));
335 if (helper->expect_class_max + 1 != class_max)
336 return -EBUSY;
337
338 return nfnl_cthelper_update_policy_all(tb, helper);
339}
340
12f7a505
PNA		 341static int
342nfnl_cthelper_update(const struct nlattr * const tb[],
343 struct nf_conntrack_helper *helper)
344{
345 int ret;
346
347 if (tb[NFCTH_PRIV_DATA_LEN])
348 return -EBUSY;
349
350 if (tb[NFCTH_POLICY]) {
2c422257 351 ret = nfnl_cthelper_update_policy(helper, tb[NFCTH_POLICY]);
12f7a505
PNA		 352 if (ret < 0)
353 return ret;
354 }
355 if (tb[NFCTH_QUEUE_NUM])
356 helper->queue_num = ntohl(nla_get_be32(tb[NFCTH_QUEUE_NUM]));
357
358 if (tb[NFCTH_STATUS]) {
359 int status = ntohl(nla_get_be32(tb[NFCTH_STATUS]));
360
361 switch(status) {
362 case NFCT_HELPER_STATUS_ENABLED:
363 helper->flags |= NF_CT_HELPER_F_CONFIGURED;
364 break;
365 case NFCT_HELPER_STATUS_DISABLED:
366 helper->flags &= ~NF_CT_HELPER_F_CONFIGURED;
367 break;
368 }
369 }
370 return 0;
371}
372
7b8002a1
PNA		 373static int nfnl_cthelper_new(struct net *net, struct sock *nfnl,
374 struct sk_buff *skb, const struct nlmsghdr *nlh,
375 const struct nlattr * const tb[])
12f7a505
PNA		 376{
377 const char *helper_name;
378 struct nf_conntrack_helper *cur, *helper = NULL;
379 struct nf_conntrack_tuple tuple;
12f7a505
PNA		 380 int ret = 0, i;
381
382 if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE])
383 return -EINVAL;
384
385 helper_name = nla_data(tb[NFCTH_NAME]);
386
387 ret = nfnl_cthelper_parse_tuple(&tuple, tb[NFCTH_TUPLE]);
388 if (ret < 0)
389 return ret;
390
391 rcu_read_lock();
392 for (i = 0; i < nf_ct_helper_hsize && !helper; i++) {
b67bfe0d 393 hlist_for_each_entry_rcu(cur, &nf_ct_helper_hash[i], hnode) {
12f7a505
PNA		 394
395 /* skip non-userspace conntrack helpers. */
396 if (!(cur->flags & NF_CT_HELPER_F_USERSPACE))
397 continue;
398
399 if (strncmp(cur->name, helper_name,
400 NF_CT_HELPER_NAME_LEN) != 0)
401 continue;
402
403 if ((tuple.src.l3num != cur->tuple.src.l3num ||
404 tuple.dst.protonum != cur->tuple.dst.protonum))
405 continue;
406
407 if (nlh->nlmsg_flags & NLM_F_EXCL) {
408 ret = -EEXIST;
409 goto err;
410 }
411 helper = cur;
412 break;
413 }
414 }
415 rcu_read_unlock();
416
417 if (helper == NULL)
418 ret = nfnl_cthelper_create(tb, &tuple);
419 else
420 ret = nfnl_cthelper_update(tb, helper);
421
422 return ret;
423err:
424 rcu_read_unlock();
425 return ret;
426}
427
428static int
429nfnl_cthelper_dump_tuple(struct sk_buff *skb,
430 struct nf_conntrack_helper *helper)
431{
432 struct nlattr *nest_parms;
433
434 nest_parms = nla_nest_start(skb, NFCTH_TUPLE | NLA_F_NESTED);
435 if (nest_parms == NULL)
436 goto nla_put_failure;
437
438 if (nla_put_be16(skb, NFCTH_TUPLE_L3PROTONUM,
439 htons(helper->tuple.src.l3num)))
440 goto nla_put_failure;
441
442 if (nla_put_u8(skb, NFCTH_TUPLE_L4PROTONUM, helper->tuple.dst.protonum))
443 goto nla_put_failure;
444
445 nla_nest_end(skb, nest_parms);
446 return 0;
447
448nla_put_failure:
449 return -1;
450}
451
452static int
453nfnl_cthelper_dump_policy(struct sk_buff *skb,
454 struct nf_conntrack_helper *helper)
455{
456 int i;
457 struct nlattr *nest_parms1, *nest_parms2;
458
459 nest_parms1 = nla_nest_start(skb, NFCTH_POLICY | NLA_F_NESTED);
460 if (nest_parms1 == NULL)
461 goto nla_put_failure;
462
463 if (nla_put_be32(skb, NFCTH_POLICY_SET_NUM,
ae5c6821 464 htonl(helper->expect_class_max + 1)))
12f7a505
PNA		 465 goto nla_put_failure;
466
ae5c6821 467 for (i = 0; i < helper->expect_class_max + 1; i++) {
12f7a505
PNA		 468 nest_parms2 = nla_nest_start(skb,
469 (NFCTH_POLICY_SET+i) | NLA_F_NESTED);
470 if (nest_parms2 == NULL)
471 goto nla_put_failure;
472
473 if (nla_put_string(skb, NFCTH_POLICY_NAME,
474 helper->expect_policy[i].name))
475 goto nla_put_failure;
476
477 if (nla_put_be32(skb, NFCTH_POLICY_EXPECT_MAX,
478 htonl(helper->expect_policy[i].max_expected)))
479 goto nla_put_failure;
480
481 if (nla_put_be32(skb, NFCTH_POLICY_EXPECT_TIMEOUT,
482 htonl(helper->expect_policy[i].timeout)))
483 goto nla_put_failure;
484
485 nla_nest_end(skb, nest_parms2);
486 }
487 nla_nest_end(skb, nest_parms1);
488 return 0;
489
490nla_put_failure:
491 return -1;
492}
493
494static int
15e47304 495nfnl_cthelper_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
12f7a505
PNA		 496 int event, struct nf_conntrack_helper *helper)
497{
498 struct nlmsghdr *nlh;
499 struct nfgenmsg *nfmsg;
15e47304 500 unsigned int flags = portid ? NLM_F_MULTI : 0;
12f7a505
PNA		 501 int status;
502
503 event |= NFNL_SUBSYS_CTHELPER << 8;
15e47304 504 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
12f7a505
PNA		 505 if (nlh == NULL)
506 goto nlmsg_failure;
507
508 nfmsg = nlmsg_data(nlh);
509 nfmsg->nfgen_family = AF_UNSPEC;
510 nfmsg->version = NFNETLINK_V0;
511 nfmsg->res_id = 0;
512
513 if (nla_put_string(skb, NFCTH_NAME, helper->name))
514 goto nla_put_failure;
515
516 if (nla_put_be32(skb, NFCTH_QUEUE_NUM, htonl(helper->queue_num)))
517 goto nla_put_failure;
518
519 if (nfnl_cthelper_dump_tuple(skb, helper) < 0)
520 goto nla_put_failure;
521
522 if (nfnl_cthelper_dump_policy(skb, helper) < 0)
523 goto nla_put_failure;
524
525 if (nla_put_be32(skb, NFCTH_PRIV_DATA_LEN, htonl(helper->data_len)))
526 goto nla_put_failure;
527
528 if (helper->flags & NF_CT_HELPER_F_CONFIGURED)
529 status = NFCT_HELPER_STATUS_ENABLED;
530 else
531 status = NFCT_HELPER_STATUS_DISABLED;
532
533 if (nla_put_be32(skb, NFCTH_STATUS, htonl(status)))
534 goto nla_put_failure;
535
536 nlmsg_end(skb, nlh);
537 return skb->len;
538
539nlmsg_failure:
540nla_put_failure:
541 nlmsg_cancel(skb, nlh);
542 return -1;
543}
544
545static int
546nfnl_cthelper_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
547{
548 struct nf_conntrack_helper *cur, *last;
12f7a505
PNA		 549
550 rcu_read_lock();
551 last = (struct nf_conntrack_helper *)cb->args[1];
552 for (; cb->args[0] < nf_ct_helper_hsize; cb->args[0]++) {
553restart:
b67bfe0d 554 hlist_for_each_entry_rcu(cur,
12f7a505
PNA		 555 &nf_ct_helper_hash[cb->args[0]], hnode) {
556
557 /* skip non-userspace conntrack helpers. */
558 if (!(cur->flags & NF_CT_HELPER_F_USERSPACE))
559 continue;
560
561 if (cb->args[1]) {
562 if (cur != last)
563 continue;
564 cb->args[1] = 0;
565 }
566 if (nfnl_cthelper_fill_info(skb,
15e47304 567 NETLINK_CB(cb->skb).portid,
12f7a505
PNA		 568 cb->nlh->nlmsg_seq,
569 NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
570 NFNL_MSG_CTHELPER_NEW, cur) < 0) {
571 cb->args[1] = (unsigned long)cur;
572 goto out;
573 }
574 }
575 }
576 if (cb->args[1]) {
577 cb->args[1] = 0;
578 goto restart;
579 }
580out:
581 rcu_read_unlock();
582 return skb->len;
583}
584
7b8002a1
PNA		 585static int nfnl_cthelper_get(struct net *net, struct sock *nfnl,
586 struct sk_buff *skb, const struct nlmsghdr *nlh,
587 const struct nlattr * const tb[])
12f7a505
PNA		 588{
589 int ret = -ENOENT, i;
590 struct nf_conntrack_helper *cur;
12f7a505
PNA		 591 struct sk_buff *skb2;
592 char *helper_name = NULL;
593 struct nf_conntrack_tuple tuple;
594 bool tuple_set = false;
595
596 if (nlh->nlmsg_flags & NLM_F_DUMP) {
597 struct netlink_dump_control c = {
598 .dump = nfnl_cthelper_dump_table,
599 };
600 return netlink_dump_start(nfnl, skb, nlh, &c);
601 }
602
603 if (tb[NFCTH_NAME])
604 helper_name = nla_data(tb[NFCTH_NAME]);
605
606 if (tb[NFCTH_TUPLE]) {
607 ret = nfnl_cthelper_parse_tuple(&tuple, tb[NFCTH_TUPLE]);
608 if (ret < 0)
609 return ret;
610
611 tuple_set = true;
612 }
613
614 for (i = 0; i < nf_ct_helper_hsize; i++) {
b67bfe0d 615 hlist_for_each_entry_rcu(cur, &nf_ct_helper_hash[i], hnode) {
12f7a505
PNA		 616
617 /* skip non-userspace conntrack helpers. */
618 if (!(cur->flags & NF_CT_HELPER_F_USERSPACE))
619 continue;
620
621 if (helper_name && strncmp(cur->name, helper_name,
622 NF_CT_HELPER_NAME_LEN) != 0) {
623 continue;
624 }
625 if (tuple_set &&
626 (tuple.src.l3num != cur->tuple.src.l3num ||
627 tuple.dst.protonum != cur->tuple.dst.protonum))
628 continue;
629
630 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
631 if (skb2 == NULL) {
632 ret = -ENOMEM;
633 break;
634 }
635
15e47304 636 ret = nfnl_cthelper_fill_info(skb2, NETLINK_CB(skb).portid,
12f7a505
PNA		 637 nlh->nlmsg_seq,
638 NFNL_MSG_TYPE(nlh->nlmsg_type),
639 NFNL_MSG_CTHELPER_NEW, cur);
640 if (ret <= 0) {
641 kfree_skb(skb2);
642 break;
643 }
644
15e47304 645 ret = netlink_unicast(nfnl, skb2, NETLINK_CB(skb).portid,
12f7a505
PNA		 646 MSG_DONTWAIT);
647 if (ret > 0)
648 ret = 0;
649
650 /* this avoids a loop in nfnetlink. */
651 return ret == -EAGAIN ? -ENOBUFS : ret;
652 }
653 }
654 return ret;
655}
656
7b8002a1
PNA		 657static int nfnl_cthelper_del(struct net *net, struct sock *nfnl,
658 struct sk_buff *skb, const struct nlmsghdr *nlh,
659 const struct nlattr * const tb[])
12f7a505
PNA		 660{
661 char *helper_name = NULL;
662 struct nf_conntrack_helper *cur;
b67bfe0d 663 struct hlist_node *tmp;
12f7a505
PNA		 664 struct nf_conntrack_tuple tuple;
665 bool tuple_set = false, found = false;
666 int i, j = 0, ret;
667
668 if (tb[NFCTH_NAME])
669 helper_name = nla_data(tb[NFCTH_NAME]);
670
671 if (tb[NFCTH_TUPLE]) {
672 ret = nfnl_cthelper_parse_tuple(&tuple, tb[NFCTH_TUPLE]);
673 if (ret < 0)
674 return ret;
675
676 tuple_set = true;
677 }
678
679 for (i = 0; i < nf_ct_helper_hsize; i++) {
b67bfe0d 680 hlist_for_each_entry_safe(cur, tmp, &nf_ct_helper_hash[i],
12f7a505
PNA		 681 hnode) {
682 /* skip non-userspace conntrack helpers. */
683 if (!(cur->flags & NF_CT_HELPER_F_USERSPACE))
684 continue;
685
686 j++;
687
688 if (helper_name && strncmp(cur->name, helper_name,
689 NF_CT_HELPER_NAME_LEN) != 0) {
690 continue;
691 }
692 if (tuple_set &&
693 (tuple.src.l3num != cur->tuple.src.l3num ||
694 tuple.dst.protonum != cur->tuple.dst.protonum))
695 continue;
696
697 found = true;
698 nf_conntrack_helper_unregister(cur);
699 }
700 }
701 /* Make sure we return success if we flush and there is no helpers */
702 return (found || j == 0) ? 0 : -ENOENT;
703}
704
705static const struct nla_policy nfnl_cthelper_policy[NFCTH_MAX+1] = {
706 [NFCTH_NAME] = { .type = NLA_NUL_STRING,
707 .len = NF_CT_HELPER_NAME_LEN-1 },
708 [NFCTH_QUEUE_NUM] = { .type = NLA_U32, },
709};
710
711static const struct nfnl_callback nfnl_cthelper_cb[NFNL_MSG_CTHELPER_MAX] = {
712 [NFNL_MSG_CTHELPER_NEW] = { .call = nfnl_cthelper_new,
713 .attr_count = NFCTH_MAX,
714 .policy = nfnl_cthelper_policy },
715 [NFNL_MSG_CTHELPER_GET] = { .call = nfnl_cthelper_get,
716 .attr_count = NFCTH_MAX,
717 .policy = nfnl_cthelper_policy },
718 [NFNL_MSG_CTHELPER_DEL] = { .call = nfnl_cthelper_del,
719 .attr_count = NFCTH_MAX,
720 .policy = nfnl_cthelper_policy },
721};
722
723static const struct nfnetlink_subsystem nfnl_cthelper_subsys = {
724 .name = "cthelper",
725 .subsys_id = NFNL_SUBSYS_CTHELPER,
726 .cb_count = NFNL_MSG_CTHELPER_MAX,
727 .cb = nfnl_cthelper_cb,
728};
729
730MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTHELPER);
731
732static int __init nfnl_cthelper_init(void)
733{
734 int ret;
735
736 ret = nfnetlink_subsys_register(&nfnl_cthelper_subsys);
737 if (ret < 0) {
738 pr_err("nfnl_cthelper: cannot register with nfnetlink.\n");
739 goto err_out;
740 }
741 return 0;
742err_out:
743 return ret;
744}
745
746static void __exit nfnl_cthelper_exit(void)
747{
748 struct nf_conntrack_helper *cur;
b67bfe0d 749 struct hlist_node *tmp;
12f7a505
PNA		 750 int i;
751
752 nfnetlink_subsys_unregister(&nfnl_cthelper_subsys);
753
754 for (i=0; i<nf_ct_helper_hsize; i++) {
b67bfe0d 755 hlist_for_each_entry_safe(cur, tmp, &nf_ct_helper_hash[i],
12f7a505
PNA		 756 hnode) {
757 /* skip non-userspace conntrack helpers. */
758 if (!(cur->flags & NF_CT_HELPER_F_USERSPACE))
759 continue;
760
761 nf_conntrack_helper_unregister(cur);
762 }
763 }
764}
765
766module_init(nfnl_cthelper_init);
767module_exit(nfnl_cthelper_exit);
ubuntu-bionic-kernel mirror