[mirror_ubuntu-bionic-kernel.git] / net / netfilter / nft_ct.c

/*
 * Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
 * Copyright (c) 2016 Pablo Neira Ayuso <pablo@netfilter.org>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 *
 * Development of this code funded by Astaro AG (http://www.astaro.com/)
 */

#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/module.h>
#include <linux/netlink.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables.h>
#include <net/netfilter/nf_conntrack.h>
#include <net/netfilter/nf_conntrack_acct.h>
#include <net/netfilter/nf_conntrack_tuple.h>
#include <net/netfilter/nf_conntrack_helper.h>
#include <net/netfilter/nf_conntrack_ecache.h>
#include <net/netfilter/nf_conntrack_labels.h>

struct nft_ct {
	enum nft_ct_keys	key:8;
	enum ip_conntrack_dir	dir:8;
	union {
		enum nft_registers	dreg:8;
		enum nft_registers	sreg:8;
	};
};

static u64 nft_ct_get_eval_counter(const struct nf_conn_counter *c,
				   enum nft_ct_keys k,
				   enum ip_conntrack_dir d)
{
	if (d < IP_CT_DIR_MAX)
		return k == NFT_CT_BYTES ? atomic64_read(&c[d].bytes) :
					   atomic64_read(&c[d].packets);

	return nft_ct_get_eval_counter(c, k, IP_CT_DIR_ORIGINAL) +
	       nft_ct_get_eval_counter(c, k, IP_CT_DIR_REPLY);
}

static void nft_ct_get_eval(const struct nft_expr *expr,
			    struct nft_regs *regs,
			    const struct nft_pktinfo *pkt)
{
	const struct nft_ct *priv = nft_expr_priv(expr);
	u32 *dest = &regs->data[priv->dreg];
	enum ip_conntrack_info ctinfo;
	const struct nf_conn *ct;
	const struct nf_conn_help *help;
	const struct nf_conntrack_tuple *tuple;
	const struct nf_conntrack_helper *helper;
	unsigned int state;

	ct = nf_ct_get(pkt->skb, &ctinfo);

	switch (priv->key) {
	case NFT_CT_STATE:
		if (ct == NULL)
			state = NF_CT_STATE_INVALID_BIT;
		else if (nf_ct_is_untracked(ct))
			state = NF_CT_STATE_UNTRACKED_BIT;
		else
			state = NF_CT_STATE_BIT(ctinfo);
		*dest = state;
		return;
	default:
		break;
	}

	if (ct == NULL)
		goto err;

	switch (priv->key) {
	case NFT_CT_DIRECTION:
		*dest = CTINFO2DIR(ctinfo);
		return;
	case NFT_CT_STATUS:
		*dest = ct->status;
		return;
#ifdef CONFIG_NF_CONNTRACK_MARK
	case NFT_CT_MARK:
		*dest = ct->mark;
		return;
#endif
#ifdef CONFIG_NF_CONNTRACK_SECMARK
	case NFT_CT_SECMARK:
		*dest = ct->secmark;
		return;
#endif
	case NFT_CT_EXPIRATION:
		*dest = jiffies_to_msecs(nf_ct_expires(ct));
		return;
	case NFT_CT_HELPER:
		if (ct->master == NULL)
			goto err;
		help = nfct_help(ct->master);
		if (help == NULL)
			goto err;
		helper = rcu_dereference(help->helper);
		if (helper == NULL)
			goto err;
		strncpy((char *)dest, helper->name, NF_CT_HELPER_NAME_LEN);
		return;
#ifdef CONFIG_NF_CONNTRACK_LABELS
	case NFT_CT_LABELS: {
		struct nf_conn_labels *labels = nf_ct_labels_find(ct);

		if (labels)
			memcpy(dest, labels->bits, NF_CT_LABELS_MAX_SIZE);
		else
			memset(dest, 0, NF_CT_LABELS_MAX_SIZE);
		return;
	}
#endif
	case NFT_CT_BYTES: /* fallthrough */
	case NFT_CT_PKTS: {
		const struct nf_conn_acct *acct = nf_conn_acct_find(ct);
		u64 count = 0;

		if (acct)
			count = nft_ct_get_eval_counter(acct->counter,
							priv->key, priv->dir);
		memcpy(dest, &count, sizeof(count));
		return;
	}
	case NFT_CT_AVGPKT: {
		const struct nf_conn_acct *acct = nf_conn_acct_find(ct);
		u64 avgcnt = 0, bcnt = 0, pcnt = 0;

		if (acct) {
			pcnt = nft_ct_get_eval_counter(acct->counter,
						       NFT_CT_PKTS, priv->dir);
			bcnt = nft_ct_get_eval_counter(acct->counter,
						       NFT_CT_BYTES, priv->dir);
			if (pcnt != 0)
				avgcnt = div64_u64(bcnt, pcnt);
		}

		memcpy(dest, &avgcnt, sizeof(avgcnt));
		return;
	}
	case NFT_CT_L3PROTOCOL:
		*dest = nf_ct_l3num(ct);
		return;
	case NFT_CT_PROTOCOL:
		*dest = nf_ct_protonum(ct);
		return;
	default:
		break;
	}

	tuple = &ct->tuplehash[priv->dir].tuple;
	switch (priv->key) {
	case NFT_CT_SRC:
		memcpy(dest, tuple->src.u3.all,
		       nf_ct_l3num(ct) == NFPROTO_IPV4 ? 4 : 16);
		return;
	case NFT_CT_DST:
		memcpy(dest, tuple->dst.u3.all,
		       nf_ct_l3num(ct) == NFPROTO_IPV4 ? 4 : 16);
		return;
	case NFT_CT_PROTO_SRC:
		*dest = (__force __u16)tuple->src.u.all;
		return;
	case NFT_CT_PROTO_DST:
		*dest = (__force __u16)tuple->dst.u.all;
		return;
	default:
		break;
	}
	return;
err:
	regs->verdict.code = NFT_BREAK;
}

static void nft_ct_set_eval(const struct nft_expr *expr,
			    struct nft_regs *regs,
			    const struct nft_pktinfo *pkt)
{
	const struct nft_ct *priv = nft_expr_priv(expr);
	struct sk_buff *skb = pkt->skb;
#ifdef CONFIG_NF_CONNTRACK_MARK
	u32 value = regs->data[priv->sreg];
#endif
	enum ip_conntrack_info ctinfo;
	struct nf_conn *ct;

	ct = nf_ct_get(skb, &ctinfo);
	if (ct == NULL)
		return;

	switch (priv->key) {
#ifdef CONFIG_NF_CONNTRACK_MARK
	case NFT_CT_MARK:
		if (ct->mark != value) {
			ct->mark = value;
			nf_conntrack_event_cache(IPCT_MARK, ct);
		}
		break;
#endif
#ifdef CONFIG_NF_CONNTRACK_LABELS
	case NFT_CT_LABELS:
		nf_connlabels_replace(ct,
				      &regs->data[priv->sreg],
				      &regs->data[priv->sreg],
				      NF_CT_LABELS_MAX_SIZE / sizeof(u32));
		break;
#endif
	default:
		break;
	}
}

static const struct nla_policy nft_ct_policy[NFTA_CT_MAX + 1] = {
	[NFTA_CT_DREG]		= { .type = NLA_U32 },
	[NFTA_CT_KEY]		= { .type = NLA_U32 },
	[NFTA_CT_DIRECTION]	= { .type = NLA_U8 },
	[NFTA_CT_SREG]		= { .type = NLA_U32 },
};

static int nft_ct_netns_get(struct net *net, uint8_t family)
{
	int err;

	if (family == NFPROTO_INET) {
		err = nf_ct_netns_get(net, NFPROTO_IPV4);
		if (err < 0)
			goto err1;
		err = nf_ct_netns_get(net, NFPROTO_IPV6);
		if (err < 0)
			goto err2;
	} else {
		err = nf_ct_netns_get(net, family);
		if (err < 0)
			goto err1;
	}
	return 0;

err2:
	nf_ct_netns_put(net, NFPROTO_IPV4);
err1:
	return err;
}

static void nft_ct_netns_put(struct net *net, uint8_t family)
{
	if (family == NFPROTO_INET) {
		nf_ct_netns_put(net, NFPROTO_IPV4);
		nf_ct_netns_put(net, NFPROTO_IPV6);
	} else
		nf_ct_netns_put(net, family);
}

static int nft_ct_get_init(const struct nft_ctx *ctx,
			   const struct nft_expr *expr,
			   const struct nlattr * const tb[])
{
	struct nft_ct *priv = nft_expr_priv(expr);
	unsigned int len;
	int err;

	priv->key = ntohl(nla_get_be32(tb[NFTA_CT_KEY]));
	switch (priv->key) {
	case NFT_CT_DIRECTION:
		if (tb[NFTA_CT_DIRECTION] != NULL)
			return -EINVAL;
		len = sizeof(u8);
		break;
	case NFT_CT_STATE:
	case NFT_CT_STATUS:
#ifdef CONFIG_NF_CONNTRACK_MARK
	case NFT_CT_MARK:
#endif
#ifdef CONFIG_NF_CONNTRACK_SECMARK
	case NFT_CT_SECMARK:
#endif
	case NFT_CT_EXPIRATION:
		if (tb[NFTA_CT_DIRECTION] != NULL)
			return -EINVAL;
		len = sizeof(u32);
		break;
#ifdef CONFIG_NF_CONNTRACK_LABELS
	case NFT_CT_LABELS:
		if (tb[NFTA_CT_DIRECTION] != NULL)
			return -EINVAL;
		len = NF_CT_LABELS_MAX_SIZE;
		break;
#endif
	case NFT_CT_HELPER:
		if (tb[NFTA_CT_DIRECTION] != NULL)
			return -EINVAL;
		len = NF_CT_HELPER_NAME_LEN;
		break;

	case NFT_CT_L3PROTOCOL:
	case NFT_CT_PROTOCOL:
		/* For compatibility, do not report error if NFTA_CT_DIRECTION
		 * attribute is specified.
		 */
		len = sizeof(u8);
		break;
	case NFT_CT_SRC:
	case NFT_CT_DST:
		if (tb[NFTA_CT_DIRECTION] == NULL)
			return -EINVAL;

		switch (ctx->afi->family) {
		case NFPROTO_IPV4:
			len = FIELD_SIZEOF(struct nf_conntrack_tuple,
					   src.u3.ip);
			break;
		case NFPROTO_IPV6:
		case NFPROTO_INET:
			len = FIELD_SIZEOF(struct nf_conntrack_tuple,
					   src.u3.ip6);
			break;
		default:
			return -EAFNOSUPPORT;
		}
		break;
	case NFT_CT_PROTO_SRC:
	case NFT_CT_PROTO_DST:
		if (tb[NFTA_CT_DIRECTION] == NULL)
			return -EINVAL;
		len = FIELD_SIZEOF(struct nf_conntrack_tuple, src.u.all);
		break;
	case NFT_CT_BYTES:
	case NFT_CT_PKTS:
	case NFT_CT_AVGPKT:
		/* no direction? return sum of original + reply */
		if (tb[NFTA_CT_DIRECTION] == NULL)
			priv->dir = IP_CT_DIR_MAX;
		len = sizeof(u64);
		break;
	default:
		return -EOPNOTSUPP;
	}

	if (tb[NFTA_CT_DIRECTION] != NULL) {
		priv->dir = nla_get_u8(tb[NFTA_CT_DIRECTION]);
		switch (priv->dir) {
		case IP_CT_DIR_ORIGINAL:
		case IP_CT_DIR_REPLY:
			break;
		default:
			return -EINVAL;
		}
	}

	priv->dreg = nft_parse_register(tb[NFTA_CT_DREG]);
	err = nft_validate_register_store(ctx, priv->dreg, NULL,
					  NFT_DATA_VALUE, len);
	if (err < 0)
		return err;

	err = nft_ct_netns_get(ctx->net, ctx->afi->family);
	if (err < 0)
		return err;

	if (priv->key == NFT_CT_BYTES ||
	    priv->key == NFT_CT_PKTS  ||
	    priv->key == NFT_CT_AVGPKT)
		nf_ct_set_acct(ctx->net, true);

	return 0;
}

static int nft_ct_set_init(const struct nft_ctx *ctx,
			   const struct nft_expr *expr,
			   const struct nlattr * const tb[])
{
	struct nft_ct *priv = nft_expr_priv(expr);
	bool label_got = false;
	unsigned int len;
	int err;

	priv->key = ntohl(nla_get_be32(tb[NFTA_CT_KEY]));
	switch (priv->key) {
#ifdef CONFIG_NF_CONNTRACK_MARK
	case NFT_CT_MARK:
		if (tb[NFTA_CT_DIRECTION])
			return -EINVAL;
		len = FIELD_SIZEOF(struct nf_conn, mark);
		break;
#endif
#ifdef CONFIG_NF_CONNTRACK_LABELS
	case NFT_CT_LABELS:
		if (tb[NFTA_CT_DIRECTION])
			return -EINVAL;
		len = NF_CT_LABELS_MAX_SIZE;
		err = nf_connlabels_get(ctx->net, (len * BITS_PER_BYTE) - 1);
		if (err)
			return err;
		label_got = true;
		break;
#endif
	default:
		return -EOPNOTSUPP;
	}

	priv->sreg = nft_parse_register(tb[NFTA_CT_SREG]);
	err = nft_validate_register_load(priv->sreg, len);
	if (err < 0)
		goto err1;

	err = nft_ct_netns_get(ctx->net, ctx->afi->family);
	if (err < 0)
		goto err1;

	return 0;

err1:
	if (label_got)
		nf_connlabels_put(ctx->net);
	return err;
}

static void nft_ct_get_destroy(const struct nft_ctx *ctx,
			       const struct nft_expr *expr)
{
	nf_ct_netns_put(ctx->net, ctx->afi->family);
}

static void nft_ct_set_destroy(const struct nft_ctx *ctx,
			       const struct nft_expr *expr)
{
	struct nft_ct *priv = nft_expr_priv(expr);

	switch (priv->key) {
#ifdef CONFIG_NF_CONNTRACK_LABELS
	case NFT_CT_LABELS:
		nf_connlabels_put(ctx->net);
		break;
#endif
	default:
		break;
	}

	nft_ct_netns_put(ctx->net, ctx->afi->family);
}

static int nft_ct_get_dump(struct sk_buff *skb, const struct nft_expr *expr)
{
	const struct nft_ct *priv = nft_expr_priv(expr);

	if (nft_dump_register(skb, NFTA_CT_DREG, priv->dreg))
		goto nla_put_failure;
	if (nla_put_be32(skb, NFTA_CT_KEY, htonl(priv->key)))
		goto nla_put_failure;

	switch (priv->key) {
	case NFT_CT_SRC:
	case NFT_CT_DST:
	case NFT_CT_PROTO_SRC:
	case NFT_CT_PROTO_DST:
		if (nla_put_u8(skb, NFTA_CT_DIRECTION, priv->dir))
			goto nla_put_failure;
		break;
	case NFT_CT_BYTES:
	case NFT_CT_PKTS:
	case NFT_CT_AVGPKT:
		if (priv->dir < IP_CT_DIR_MAX &&
		    nla_put_u8(skb, NFTA_CT_DIRECTION, priv->dir))
			goto nla_put_failure;
		break;
	default:
		break;
	}

	return 0;

nla_put_failure:
	return -1;
}

static int nft_ct_set_dump(struct sk_buff *skb, const struct nft_expr *expr)
{
	const struct nft_ct *priv = nft_expr_priv(expr);

	if (nft_dump_register(skb, NFTA_CT_SREG, priv->sreg))
		goto nla_put_failure;
	if (nla_put_be32(skb, NFTA_CT_KEY, htonl(priv->key)))
		goto nla_put_failure;
	return 0;

nla_put_failure:
	return -1;
}

static struct nft_expr_type nft_ct_type;
static const struct nft_expr_ops nft_ct_get_ops = {
	.type		= &nft_ct_type,
	.size		= NFT_EXPR_SIZE(sizeof(struct nft_ct)),
	.eval		= nft_ct_get_eval,
	.init		= nft_ct_get_init,
	.destroy	= nft_ct_get_destroy,
	.dump		= nft_ct_get_dump,
};

static const struct nft_expr_ops nft_ct_set_ops = {
	.type		= &nft_ct_type,
	.size		= NFT_EXPR_SIZE(sizeof(struct nft_ct)),
	.eval		= nft_ct_set_eval,
	.init		= nft_ct_set_init,
	.destroy	= nft_ct_set_destroy,
	.dump		= nft_ct_set_dump,
};

static const struct nft_expr_ops *
nft_ct_select_ops(const struct nft_ctx *ctx,
		    const struct nlattr * const tb[])
{
	if (tb[NFTA_CT_KEY] == NULL)
		return ERR_PTR(-EINVAL);

	if (tb[NFTA_CT_DREG] && tb[NFTA_CT_SREG])
		return ERR_PTR(-EINVAL);

	if (tb[NFTA_CT_DREG])
		return &nft_ct_get_ops;

	if (tb[NFTA_CT_SREG])
		return &nft_ct_set_ops;

	return ERR_PTR(-EINVAL);
}

static struct nft_expr_type nft_ct_type __read_mostly = {
	.name		= "ct",
	.select_ops	= &nft_ct_select_ops,
	.policy		= nft_ct_policy,
	.maxattr	= NFTA_CT_MAX,
	.owner		= THIS_MODULE,
};

static void nft_notrack_eval(const struct nft_expr *expr,
			     struct nft_regs *regs,
			     const struct nft_pktinfo *pkt)
{
	struct sk_buff *skb = pkt->skb;
	enum ip_conntrack_info ctinfo;
	struct nf_conn *ct;

	ct = nf_ct_get(pkt->skb, &ctinfo);
	/* Previously seen (loopback or untracked)?  Ignore. */
	if (ct)
		return;

	ct = nf_ct_untracked_get();
	atomic_inc(&ct->ct_general.use);
	nf_ct_set(skb, ct, IP_CT_NEW);
}

static struct nft_expr_type nft_notrack_type;
static const struct nft_expr_ops nft_notrack_ops = {
	.type		= &nft_notrack_type,
	.size		= NFT_EXPR_SIZE(0),
	.eval		= nft_notrack_eval,
};

static struct nft_expr_type nft_notrack_type __read_mostly = {
	.name		= "notrack",
	.ops		= &nft_notrack_ops,
	.owner		= THIS_MODULE,
};

static int __init nft_ct_module_init(void)
{
	int err;

	BUILD_BUG_ON(NF_CT_LABELS_MAX_SIZE > NFT_REG_SIZE);

	err = nft_register_expr(&nft_ct_type);
	if (err < 0)
		return err;

	err = nft_register_expr(&nft_notrack_type);
	if (err < 0)
		goto err1;

	return 0;
err1:
	nft_unregister_expr(&nft_ct_type);
	return err;
}

static void __exit nft_ct_module_exit(void)
{
	nft_unregister_expr(&nft_notrack_type);
	nft_unregister_expr(&nft_ct_type);
}

module_init(nft_ct_module_init);
module_exit(nft_ct_module_exit);

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_ALIAS_NFT_EXPR("ct");
MODULE_ALIAS_NFT_EXPR("notrack");
Commit	Line	Data
96518518	1	/*
ef1f7df9	2	* Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
25443261	3	* Copyright (c) 2016 Pablo Neira Ayuso <pablo@netfilter.org>
96518518 PM	4	*
	5	* This program is free software; you can redistribute it and/or modify
	6	* it under the terms of the GNU General Public License version 2 as
	7	* published by the Free Software Foundation.
	8	*
	9	* Development of this code funded by Astaro AG (http://www.astaro.com/)
	10	*/
	11
	12	#include <linux/kernel.h>
	13	#include <linux/init.h>
	14	#include <linux/module.h>
	15	#include <linux/netlink.h>
	16	#include <linux/netfilter.h>
	17	#include <linux/netfilter/nf_tables.h>
	18	#include <net/netfilter/nf_tables.h>
	19	#include <net/netfilter/nf_conntrack.h>
48f66c90	20	#include <net/netfilter/nf_conntrack_acct.h>
96518518 PM	21	#include <net/netfilter/nf_conntrack_tuple.h>
96518518 PM	22	#include <net/netfilter/nf_conntrack_helper.h>
c4ede3d3	23	#include <net/netfilter/nf_conntrack_ecache.h>
d2bf2f34	24	#include <net/netfilter/nf_conntrack_labels.h>
96518518 PM	25
	26	struct nft_ct {
	27	enum nft_ct_keys key:8;
	28	enum ip_conntrack_dir dir:8;
d46f2cd2	29	union {
c4ede3d3 KE	30	enum nft_registers dreg:8;
	31	enum nft_registers sreg:8;
	32	};
96518518 PM	33	};
96518518 PM	34
48f66c90 FW	35	static u64 nft_ct_get_eval_counter(const struct nf_conn_counter *c,
	36	enum nft_ct_keys k,
	37	enum ip_conntrack_dir d)
	38	{
	39	if (d < IP_CT_DIR_MAX)
	40	return k == NFT_CT_BYTES ? atomic64_read(&c[d].bytes) :
	41	atomic64_read(&c[d].packets);
	42
	43	return nft_ct_get_eval_counter(c, k, IP_CT_DIR_ORIGINAL) +
	44	nft_ct_get_eval_counter(c, k, IP_CT_DIR_REPLY);
	45	}
	46
c4ede3d3	47	static void nft_ct_get_eval(const struct nft_expr *expr,
a55e22e9	48	struct nft_regs *regs,
c4ede3d3	49	const struct nft_pktinfo *pkt)
96518518 PM	50	{
96518518 PM	51	const struct nft_ct *priv = nft_expr_priv(expr);
49499c3e	52	u32 *dest = &regs->data[priv->dreg];
96518518 PM	53	enum ip_conntrack_info ctinfo;
	54	const struct nf_conn *ct;
	55	const struct nf_conn_help *help;
	56	const struct nf_conntrack_tuple *tuple;
	57	const struct nf_conntrack_helper *helper;
96518518 PM	58	unsigned int state;
	59
	60	ct = nf_ct_get(pkt->skb, &ctinfo);
	61
	62	switch (priv->key) {
	63	case NFT_CT_STATE:
	64	if (ct == NULL)
	65	state = NF_CT_STATE_INVALID_BIT;
	66	else if (nf_ct_is_untracked(ct))
	67	state = NF_CT_STATE_UNTRACKED_BIT;
	68	else
	69	state = NF_CT_STATE_BIT(ctinfo);
fad136ea	70	*dest = state;
96518518	71	return;
c1f86676 DM	72	default:
c1f86676 DM	73	break;
96518518 PM	74	}
	75
	76	if (ct == NULL)
	77	goto err;
	78
	79	switch (priv->key) {
	80	case NFT_CT_DIRECTION:
fad136ea	81	*dest = CTINFO2DIR(ctinfo);
96518518 PM	82	return;
96518518 PM	83	case NFT_CT_STATUS:
fad136ea	84	*dest = ct->status;
96518518 PM	85	return;
	86	#ifdef CONFIG_NF_CONNTRACK_MARK
	87	case NFT_CT_MARK:
fad136ea	88	*dest = ct->mark;
96518518 PM	89	return;
	90	#endif
	91	#ifdef CONFIG_NF_CONNTRACK_SECMARK
	92	case NFT_CT_SECMARK:
fad136ea	93	*dest = ct->secmark;
96518518 PM	94	return;
	95	#endif
	96	case NFT_CT_EXPIRATION:
c8607e02	97	*dest = jiffies_to_msecs(nf_ct_expires(ct));
96518518 PM	98	return;
	99	case NFT_CT_HELPER:
	100	if (ct->master == NULL)
	101	goto err;
	102	help = nfct_help(ct->master);
	103	if (help == NULL)
	104	goto err;
	105	helper = rcu_dereference(help->helper);
	106	if (helper == NULL)
	107	goto err;
fad136ea	108	strncpy((char *)dest, helper->name, NF_CT_HELPER_NAME_LEN);
96518518	109	return;
d2bf2f34 FW	110	#ifdef CONFIG_NF_CONNTRACK_LABELS
	111	case NFT_CT_LABELS: {
	112	struct nf_conn_labels *labels = nf_ct_labels_find(ct);
d2bf2f34	113
23014011 FW	114	if (labels)
	115	memcpy(dest, labels->bits, NF_CT_LABELS_MAX_SIZE);
	116	else
fad136ea	117	memset(dest, 0, NF_CT_LABELS_MAX_SIZE);
d2bf2f34 FW	118	return;
d2bf2f34 FW	119	}
efaea94a	120	#endif
48f66c90 FW	121	case NFT_CT_BYTES: /* fallthrough */
	122	case NFT_CT_PKTS: {
	123	const struct nf_conn_acct *acct = nf_conn_acct_find(ct);
	124	u64 count = 0;
	125
	126	if (acct)
	127	count = nft_ct_get_eval_counter(acct->counter,
	128	priv->key, priv->dir);
	129	memcpy(dest, &count, sizeof(count));
	130	return;
	131	}
949a3584 LZ	132	case NFT_CT_AVGPKT: {
	133	const struct nf_conn_acct *acct = nf_conn_acct_find(ct);
	134	u64 avgcnt = 0, bcnt = 0, pcnt = 0;
	135
	136	if (acct) {
	137	pcnt = nft_ct_get_eval_counter(acct->counter,
	138	NFT_CT_PKTS, priv->dir);
	139	bcnt = nft_ct_get_eval_counter(acct->counter,
	140	NFT_CT_BYTES, priv->dir);
	141	if (pcnt != 0)
	142	avgcnt = div64_u64(bcnt, pcnt);
	143	}
	144
	145	memcpy(dest, &avgcnt, sizeof(avgcnt));
	146	return;
	147	}
d767ff2c LZ	148	case NFT_CT_L3PROTOCOL:
	149	*dest = nf_ct_l3num(ct);
	150	return;
	151	case NFT_CT_PROTOCOL:
	152	*dest = nf_ct_protonum(ct);
	153	return;
c1f86676 DM	154	default:
c1f86676 DM	155	break;
96518518 PM	156	}
	157
	158	tuple = &ct->tuplehash[priv->dir].tuple;
	159	switch (priv->key) {
96518518	160	case NFT_CT_SRC:
fad136ea	161	memcpy(dest, tuple->src.u3.all,
96518518 PM	162	nf_ct_l3num(ct) == NFPROTO_IPV4 ? 4 : 16);
	163	return;
	164	case NFT_CT_DST:
fad136ea	165	memcpy(dest, tuple->dst.u3.all,
96518518 PM	166	nf_ct_l3num(ct) == NFPROTO_IPV4 ? 4 : 16);
96518518 PM	167	return;
96518518	168	case NFT_CT_PROTO_SRC:
fad136ea	169	*dest = (__force __u16)tuple->src.u.all;
96518518 PM	170	return;
96518518 PM	171	case NFT_CT_PROTO_DST:
fad136ea	172	*dest = (__force __u16)tuple->dst.u.all;
96518518	173	return;
c1f86676 DM	174	default:
c1f86676 DM	175	break;
96518518 PM	176	}
	177	return;
	178	err:
a55e22e9	179	regs->verdict.code = NFT_BREAK;
96518518 PM	180	}
96518518 PM	181
c4ede3d3	182	static void nft_ct_set_eval(const struct nft_expr *expr,
a55e22e9	183	struct nft_regs *regs,
c4ede3d3 KE	184	const struct nft_pktinfo *pkt)
	185	{
	186	const struct nft_ct *priv = nft_expr_priv(expr);
	187	struct sk_buff *skb = pkt->skb;
847c8e29	188	#ifdef CONFIG_NF_CONNTRACK_MARK
49499c3e	189	u32 value = regs->data[priv->sreg];
847c8e29	190	#endif
c4ede3d3 KE	191	enum ip_conntrack_info ctinfo;
	192	struct nf_conn *ct;
	193
	194	ct = nf_ct_get(skb, &ctinfo);
	195	if (ct == NULL)
	196	return;
	197
	198	switch (priv->key) {
	199	#ifdef CONFIG_NF_CONNTRACK_MARK
	200	case NFT_CT_MARK:
	201	if (ct->mark != value) {
	202	ct->mark = value;
	203	nf_conntrack_event_cache(IPCT_MARK, ct);
	204	}
	205	break;
1ad8f48d FW	206	#endif
	207	#ifdef CONFIG_NF_CONNTRACK_LABELS
	208	case NFT_CT_LABELS:
	209	nf_connlabels_replace(ct,
	210	&regs->data[priv->sreg],
	211	&regs->data[priv->sreg],
	212	NF_CT_LABELS_MAX_SIZE / sizeof(u32));
	213	break;
c4ede3d3	214	#endif
c1f86676 DM	215	default:
c1f86676 DM	216	break;
c4ede3d3 KE	217	}
	218	}
	219
96518518 PM	220	static const struct nla_policy nft_ct_policy[NFTA_CT_MAX + 1] = {
	221	[NFTA_CT_DREG] = { .type = NLA_U32 },
	222	[NFTA_CT_KEY] = { .type = NLA_U32 },
	223	[NFTA_CT_DIRECTION] = { .type = NLA_U8 },
c4ede3d3	224	[NFTA_CT_SREG] = { .type = NLA_U32 },
96518518 PM	225	};
96518518 PM	226
ecb2421b	227	static int nft_ct_netns_get(struct net *net, uint8_t family)
9638f33e PM	228	{
	229	int err;
	230
	231	if (family == NFPROTO_INET) {
ecb2421b	232	err = nf_ct_netns_get(net, NFPROTO_IPV4);
9638f33e PM	233	if (err < 0)
9638f33e PM	234	goto err1;
ecb2421b	235	err = nf_ct_netns_get(net, NFPROTO_IPV6);
9638f33e PM	236	if (err < 0)
	237	goto err2;
	238	} else {
ecb2421b	239	err = nf_ct_netns_get(net, family);
9638f33e PM	240	if (err < 0)
	241	goto err1;
	242	}
	243	return 0;
	244
	245	err2:
ecb2421b	246	nf_ct_netns_put(net, NFPROTO_IPV4);
9638f33e PM	247	err1:
	248	return err;
	249	}
	250
ecb2421b	251	static void nft_ct_netns_put(struct net *net, uint8_t family)
9638f33e PM	252	{
9638f33e PM	253	if (family == NFPROTO_INET) {
ecb2421b FW	254	nf_ct_netns_put(net, NFPROTO_IPV4);
ecb2421b FW	255	nf_ct_netns_put(net, NFPROTO_IPV6);
9638f33e	256	} else
ecb2421b	257	nf_ct_netns_put(net, family);
9638f33e PM	258	}
9638f33e PM	259
fe92ca45 PM	260	static int nft_ct_get_init(const struct nft_ctx *ctx,
	261	const struct nft_expr *expr,
	262	const struct nlattr * const tb[])
96518518 PM	263	{
96518518 PM	264	struct nft_ct *priv = nft_expr_priv(expr);
45d9bcda	265	unsigned int len;
fe92ca45	266	int err;
96518518	267
fe92ca45	268	priv->key = ntohl(nla_get_be32(tb[NFTA_CT_KEY]));
96518518	269	switch (priv->key) {
96518518	270	case NFT_CT_DIRECTION:
45d9bcda PM	271	if (tb[NFTA_CT_DIRECTION] != NULL)
	272	return -EINVAL;
	273	len = sizeof(u8);
	274	break;
	275	case NFT_CT_STATE:
96518518 PM	276	case NFT_CT_STATUS:
	277	#ifdef CONFIG_NF_CONNTRACK_MARK
	278	case NFT_CT_MARK:
	279	#endif
	280	#ifdef CONFIG_NF_CONNTRACK_SECMARK
	281	case NFT_CT_SECMARK:
d2bf2f34	282	#endif
45d9bcda PM	283	case NFT_CT_EXPIRATION:
	284	if (tb[NFTA_CT_DIRECTION] != NULL)
	285	return -EINVAL;
	286	len = sizeof(u32);
	287	break;
d2bf2f34 FW	288	#ifdef CONFIG_NF_CONNTRACK_LABELS
d2bf2f34 FW	289	case NFT_CT_LABELS:
45d9bcda PM	290	if (tb[NFTA_CT_DIRECTION] != NULL)
	291	return -EINVAL;
	292	len = NF_CT_LABELS_MAX_SIZE;
	293	break;
96518518	294	#endif
96518518 PM	295	case NFT_CT_HELPER:
	296	if (tb[NFTA_CT_DIRECTION] != NULL)
	297	return -EINVAL;
45d9bcda	298	len = NF_CT_HELPER_NAME_LEN;
96518518	299	break;
45d9bcda	300
51292c07	301	case NFT_CT_L3PROTOCOL:
96518518	302	case NFT_CT_PROTOCOL:
d767ff2c LZ	303	/* For compatibility, do not report error if NFTA_CT_DIRECTION
	304	* attribute is specified.
	305	*/
45d9bcda PM	306	len = sizeof(u8);
45d9bcda PM	307	break;
96518518 PM	308	case NFT_CT_SRC:
96518518 PM	309	case NFT_CT_DST:
45d9bcda PM	310	if (tb[NFTA_CT_DIRECTION] == NULL)
	311	return -EINVAL;
	312
	313	switch (ctx->afi->family) {
	314	case NFPROTO_IPV4:
	315	len = FIELD_SIZEOF(struct nf_conntrack_tuple,
	316	src.u3.ip);
	317	break;
	318	case NFPROTO_IPV6:
	319	case NFPROTO_INET:
	320	len = FIELD_SIZEOF(struct nf_conntrack_tuple,
	321	src.u3.ip6);
	322	break;
	323	default:
	324	return -EAFNOSUPPORT;
	325	}
	326	break;
96518518 PM	327	case NFT_CT_PROTO_SRC:
	328	case NFT_CT_PROTO_DST:
	329	if (tb[NFTA_CT_DIRECTION] == NULL)
	330	return -EINVAL;
45d9bcda	331	len = FIELD_SIZEOF(struct nf_conntrack_tuple, src.u.all);
96518518	332	break;
48f66c90 FW	333	case NFT_CT_BYTES:
48f66c90 FW	334	case NFT_CT_PKTS:
949a3584	335	case NFT_CT_AVGPKT:
48f66c90 FW	336	/* no direction? return sum of original + reply */
	337	if (tb[NFTA_CT_DIRECTION] == NULL)
	338	priv->dir = IP_CT_DIR_MAX;
	339	len = sizeof(u64);
	340	break;
96518518 PM	341	default:
	342	return -EOPNOTSUPP;
	343	}
	344
fe92ca45 PM	345	if (tb[NFTA_CT_DIRECTION] != NULL) {
	346	priv->dir = nla_get_u8(tb[NFTA_CT_DIRECTION]);
	347	switch (priv->dir) {
	348	case IP_CT_DIR_ORIGINAL:
	349	case IP_CT_DIR_REPLY:
	350	break;
	351	default:
	352	return -EINVAL;
	353	}
	354	}
	355
b1c96ed3	356	priv->dreg = nft_parse_register(tb[NFTA_CT_DREG]);
1ec10212 PM	357	err = nft_validate_register_store(ctx, priv->dreg, NULL,
1ec10212 PM	358	NFT_DATA_VALUE, len);
fe92ca45 PM	359	if (err < 0)
	360	return err;
	361
ecb2421b	362	err = nft_ct_netns_get(ctx->net, ctx->afi->family);
fe92ca45 PM	363	if (err < 0)
	364	return err;
	365
949a3584 LZ	366	if (priv->key == NFT_CT_BYTES \|\|
	367	priv->key == NFT_CT_PKTS \|\|
	368	priv->key == NFT_CT_AVGPKT)
3f8b61b7 LZ	369	nf_ct_set_acct(ctx->net, true);
3f8b61b7 LZ	370
c4ede3d3 KE	371	return 0;
	372	}
	373
fe92ca45 PM	374	static int nft_ct_set_init(const struct nft_ctx *ctx,
	375	const struct nft_expr *expr,
	376	const struct nlattr * const tb[])
c4ede3d3	377	{
fe92ca45	378	struct nft_ct *priv = nft_expr_priv(expr);
590025a2	379	bool label_got = false;
d07db988	380	unsigned int len;
fe92ca45 PM	381	int err;
	382
	383	priv->key = ntohl(nla_get_be32(tb[NFTA_CT_KEY]));
	384	switch (priv->key) {
e88e514e	385	#ifdef CONFIG_NF_CONNTRACK_MARK
c4ede3d3	386	case NFT_CT_MARK:
7bfdde70 LZ	387	if (tb[NFTA_CT_DIRECTION])
7bfdde70 LZ	388	return -EINVAL;
d07db988	389	len = FIELD_SIZEOF(struct nf_conn, mark);
c4ede3d3	390	break;
1ad8f48d FW	391	#endif
	392	#ifdef CONFIG_NF_CONNTRACK_LABELS
	393	case NFT_CT_LABELS:
	394	if (tb[NFTA_CT_DIRECTION])
	395	return -EINVAL;
	396	len = NF_CT_LABELS_MAX_SIZE;
	397	err = nf_connlabels_get(ctx->net, (len * BITS_PER_BYTE) - 1);
	398	if (err)
	399	return err;
590025a2	400	label_got = true;
1ad8f48d	401	break;
e88e514e	402	#endif
c4ede3d3 KE	403	default:
	404	return -EOPNOTSUPP;
	405	}
	406
b1c96ed3	407	priv->sreg = nft_parse_register(tb[NFTA_CT_SREG]);
d07db988	408	err = nft_validate_register_load(priv->sreg, len);
fe92ca45	409	if (err < 0)
590025a2	410	goto err1;
c4ede3d3	411
ecb2421b	412	err = nft_ct_netns_get(ctx->net, ctx->afi->family);
96518518	413	if (err < 0)
590025a2	414	goto err1;
96518518	415
96518518	416	return 0;
590025a2 LZ	417
	418	err1:
	419	if (label_got)
	420	nf_connlabels_put(ctx->net);
	421	return err;
	422	}
	423
	424	static void nft_ct_get_destroy(const struct nft_ctx *ctx,
	425	const struct nft_expr *expr)
	426	{
ecb2421b	427	nf_ct_netns_put(ctx->net, ctx->afi->family);
96518518 PM	428	}
96518518 PM	429
590025a2 LZ	430	static void nft_ct_set_destroy(const struct nft_ctx *ctx,
590025a2 LZ	431	const struct nft_expr *expr)
96518518	432	{
1ad8f48d FW	433	struct nft_ct *priv = nft_expr_priv(expr);
	434
	435	switch (priv->key) {
	436	#ifdef CONFIG_NF_CONNTRACK_LABELS
	437	case NFT_CT_LABELS:
	438	nf_connlabels_put(ctx->net);
	439	break;
	440	#endif
	441	default:
	442	break;
	443	}
	444
ecb2421b	445	nft_ct_netns_put(ctx->net, ctx->afi->family);
96518518 PM	446	}
96518518 PM	447
c4ede3d3	448	static int nft_ct_get_dump(struct sk_buff skb, const struct nft_expr expr)
96518518 PM	449	{
	450	const struct nft_ct *priv = nft_expr_priv(expr);
	451
b1c96ed3	452	if (nft_dump_register(skb, NFTA_CT_DREG, priv->dreg))
96518518 PM	453	goto nla_put_failure;
	454	if (nla_put_be32(skb, NFTA_CT_KEY, htonl(priv->key)))
	455	goto nla_put_failure;
2a53bfb3 AB	456
2a53bfb3 AB	457	switch (priv->key) {
2a53bfb3 AB	458	case NFT_CT_SRC:
	459	case NFT_CT_DST:
	460	case NFT_CT_PROTO_SRC:
	461	case NFT_CT_PROTO_DST:
	462	if (nla_put_u8(skb, NFTA_CT_DIRECTION, priv->dir))
	463	goto nla_put_failure;
48f66c90 FW	464	break;
	465	case NFT_CT_BYTES:
	466	case NFT_CT_PKTS:
949a3584	467	case NFT_CT_AVGPKT:
48f66c90 FW	468	if (priv->dir < IP_CT_DIR_MAX &&
	469	nla_put_u8(skb, NFTA_CT_DIRECTION, priv->dir))
	470	goto nla_put_failure;
	471	break;
2a53bfb3 AB	472	default:
	473	break;
	474	}
	475
96518518 PM	476	return 0;
	477
	478	nla_put_failure:
	479	return -1;
	480	}
	481
c4ede3d3 KE	482	static int nft_ct_set_dump(struct sk_buff skb, const struct nft_expr expr)
	483	{
	484	const struct nft_ct *priv = nft_expr_priv(expr);
	485
b1c96ed3	486	if (nft_dump_register(skb, NFTA_CT_SREG, priv->sreg))
c4ede3d3 KE	487	goto nla_put_failure;
	488	if (nla_put_be32(skb, NFTA_CT_KEY, htonl(priv->key)))
	489	goto nla_put_failure;
	490	return 0;
	491
	492	nla_put_failure:
	493	return -1;
	494	}
	495
ef1f7df9	496	static struct nft_expr_type nft_ct_type;
c4ede3d3	497	static const struct nft_expr_ops nft_ct_get_ops = {
ef1f7df9	498	.type = &nft_ct_type,
96518518	499	.size = NFT_EXPR_SIZE(sizeof(struct nft_ct)),
c4ede3d3	500	.eval = nft_ct_get_eval,
fe92ca45	501	.init = nft_ct_get_init,
590025a2	502	.destroy = nft_ct_get_destroy,
c4ede3d3	503	.dump = nft_ct_get_dump,
ef1f7df9 PM	504	};
ef1f7df9 PM	505
c4ede3d3 KE	506	static const struct nft_expr_ops nft_ct_set_ops = {
	507	.type = &nft_ct_type,
	508	.size = NFT_EXPR_SIZE(sizeof(struct nft_ct)),
	509	.eval = nft_ct_set_eval,
fe92ca45	510	.init = nft_ct_set_init,
590025a2	511	.destroy = nft_ct_set_destroy,
c4ede3d3 KE	512	.dump = nft_ct_set_dump,
	513	};
	514
	515	static const struct nft_expr_ops *
	516	nft_ct_select_ops(const struct nft_ctx *ctx,
	517	const struct nlattr * const tb[])
	518	{
	519	if (tb[NFTA_CT_KEY] == NULL)
	520	return ERR_PTR(-EINVAL);
	521
	522	if (tb[NFTA_CT_DREG] && tb[NFTA_CT_SREG])
	523	return ERR_PTR(-EINVAL);
	524
	525	if (tb[NFTA_CT_DREG])
	526	return &nft_ct_get_ops;
	527
	528	if (tb[NFTA_CT_SREG])
	529	return &nft_ct_set_ops;
	530
	531	return ERR_PTR(-EINVAL);
	532	}
	533
ef1f7df9 PM	534	static struct nft_expr_type nft_ct_type __read_mostly = {
ef1f7df9 PM	535	.name = "ct",
c4ede3d3	536	.select_ops = &nft_ct_select_ops,
96518518 PM	537	.policy = nft_ct_policy,
96518518 PM	538	.maxattr = NFTA_CT_MAX,
ef1f7df9	539	.owner = THIS_MODULE,
96518518 PM	540	};
96518518 PM	541
25443261 PNA	542	static void nft_notrack_eval(const struct nft_expr *expr,
	543	struct nft_regs *regs,
	544	const struct nft_pktinfo *pkt)
	545	{
	546	struct sk_buff *skb = pkt->skb;
	547	enum ip_conntrack_info ctinfo;
	548	struct nf_conn *ct;
	549
	550	ct = nf_ct_get(pkt->skb, &ctinfo);
	551	/* Previously seen (loopback or untracked)? Ignore. */
	552	if (ct)
	553	return;
	554
	555	ct = nf_ct_untracked_get();
	556	atomic_inc(&ct->ct_general.use);
c74454fa	557	nf_ct_set(skb, ct, IP_CT_NEW);
25443261 PNA	558	}
	559
	560	static struct nft_expr_type nft_notrack_type;
	561	static const struct nft_expr_ops nft_notrack_ops = {
	562	.type = &nft_notrack_type,
	563	.size = NFT_EXPR_SIZE(0),
	564	.eval = nft_notrack_eval,
	565	};
	566
	567	static struct nft_expr_type nft_notrack_type __read_mostly = {
	568	.name = "notrack",
	569	.ops = &nft_notrack_ops,
	570	.owner = THIS_MODULE,
	571	};
	572
96518518 PM	573	static int __init nft_ct_module_init(void)
96518518 PM	574	{
25443261 PNA	575	int err;
25443261 PNA	576
adff6c65 FW	577	BUILD_BUG_ON(NF_CT_LABELS_MAX_SIZE > NFT_REG_SIZE);
adff6c65 FW	578
25443261 PNA	579	err = nft_register_expr(&nft_ct_type);
	580	if (err < 0)
	581	return err;
	582
	583	err = nft_register_expr(&nft_notrack_type);
	584	if (err < 0)
	585	goto err1;
	586
	587	return 0;
	588	err1:
	589	nft_unregister_expr(&nft_ct_type);
	590	return err;
96518518 PM	591	}
	592
	593	static void __exit nft_ct_module_exit(void)
	594	{
25443261	595	nft_unregister_expr(&nft_notrack_type);
ef1f7df9	596	nft_unregister_expr(&nft_ct_type);
96518518 PM	597	}
	598
	599	module_init(nft_ct_module_init);
	600	module_exit(nft_ct_module_exit);
	601
	602	MODULE_LICENSE("GPL");
	603	MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
	604	MODULE_ALIAS_NFT_EXPR("ct");
25443261	605	MODULE_ALIAS_NFT_EXPR("notrack");