[mirror_ubuntu-bionic-kernel.git] / net / netfilter / nft_ct.c

/*
 * Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 *
 * Development of this code funded by Astaro AG (http://www.astaro.com/)
 */

#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/module.h>
#include <linux/netlink.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables.h>
#include <net/netfilter/nf_conntrack.h>
#include <net/netfilter/nf_conntrack_tuple.h>
#include <net/netfilter/nf_conntrack_helper.h>
#include <net/netfilter/nf_conntrack_ecache.h>
#include <net/netfilter/nf_conntrack_labels.h>

struct nft_ct {
	enum nft_ct_keys	key:8;
	enum ip_conntrack_dir	dir:8;
	union {
		enum nft_registers	dreg:8;
		enum nft_registers	sreg:8;
	};
};

static void nft_ct_get_eval(const struct nft_expr *expr,
			    struct nft_data data[NFT_REG_MAX + 1],
			    const struct nft_pktinfo *pkt)
{
	const struct nft_ct *priv = nft_expr_priv(expr);
	struct nft_data *dest = &data[priv->dreg];
	enum ip_conntrack_info ctinfo;
	const struct nf_conn *ct;
	const struct nf_conn_help *help;
	const struct nf_conntrack_tuple *tuple;
	const struct nf_conntrack_helper *helper;
	long diff;
	unsigned int state;

	ct = nf_ct_get(pkt->skb, &ctinfo);

	switch (priv->key) {
	case NFT_CT_STATE:
		if (ct == NULL)
			state = NF_CT_STATE_INVALID_BIT;
		else if (nf_ct_is_untracked(ct))
			state = NF_CT_STATE_UNTRACKED_BIT;
		else
			state = NF_CT_STATE_BIT(ctinfo);
		dest->data[0] = state;
		return;
	}

	if (ct == NULL)
		goto err;

	switch (priv->key) {
	case NFT_CT_DIRECTION:
		dest->data[0] = CTINFO2DIR(ctinfo);
		return;
	case NFT_CT_STATUS:
		dest->data[0] = ct->status;
		return;
#ifdef CONFIG_NF_CONNTRACK_MARK
	case NFT_CT_MARK:
		dest->data[0] = ct->mark;
		return;
#endif
#ifdef CONFIG_NF_CONNTRACK_SECMARK
	case NFT_CT_SECMARK:
		dest->data[0] = ct->secmark;
		return;
#endif
	case NFT_CT_EXPIRATION:
		diff = (long)jiffies - (long)ct->timeout.expires;
		if (diff < 0)
			diff = 0;
		dest->data[0] = jiffies_to_msecs(diff);
		return;
	case NFT_CT_HELPER:
		if (ct->master == NULL)
			goto err;
		help = nfct_help(ct->master);
		if (help == NULL)
			goto err;
		helper = rcu_dereference(help->helper);
		if (helper == NULL)
			goto err;
		if (strlen(helper->name) >= sizeof(dest->data))
			goto err;
		strncpy((char *)dest->data, helper->name, sizeof(dest->data));
		return;
#ifdef CONFIG_NF_CONNTRACK_LABELS
	case NFT_CT_LABELS: {
		struct nf_conn_labels *labels = nf_ct_labels_find(ct);
		unsigned int size;

		if (!labels) {
			memset(dest->data, 0, sizeof(dest->data));
			return;
		}

		BUILD_BUG_ON(NF_CT_LABELS_MAX_SIZE > sizeof(dest->data));
		size = labels->words * sizeof(long);

		memcpy(dest->data, labels->bits, size);
		if (size < sizeof(dest->data))
			memset(((char *) dest->data) + size, 0,
			       sizeof(dest->data) - size);
		return;
	}
#endif
	}

	tuple = &ct->tuplehash[priv->dir].tuple;
	switch (priv->key) {
	case NFT_CT_L3PROTOCOL:
		dest->data[0] = nf_ct_l3num(ct);
		return;
	case NFT_CT_SRC:
		memcpy(dest->data, tuple->src.u3.all,
		       nf_ct_l3num(ct) == NFPROTO_IPV4 ? 4 : 16);
		return;
	case NFT_CT_DST:
		memcpy(dest->data, tuple->dst.u3.all,
		       nf_ct_l3num(ct) == NFPROTO_IPV4 ? 4 : 16);
		return;
	case NFT_CT_PROTOCOL:
		dest->data[0] = nf_ct_protonum(ct);
		return;
	case NFT_CT_PROTO_SRC:
		dest->data[0] = (__force __u16)tuple->src.u.all;
		return;
	case NFT_CT_PROTO_DST:
		dest->data[0] = (__force __u16)tuple->dst.u.all;
		return;
	}
	return;
err:
	data[NFT_REG_VERDICT].verdict = NFT_BREAK;
}

static void nft_ct_set_eval(const struct nft_expr *expr,
			    struct nft_data data[NFT_REG_MAX + 1],
			    const struct nft_pktinfo *pkt)
{
	const struct nft_ct *priv = nft_expr_priv(expr);
	struct sk_buff *skb = pkt->skb;
#ifdef CONFIG_NF_CONNTRACK_MARK
	u32 value = data[priv->sreg].data[0];
#endif
	enum ip_conntrack_info ctinfo;
	struct nf_conn *ct;

	ct = nf_ct_get(skb, &ctinfo);
	if (ct == NULL)
		return;

	switch (priv->key) {
#ifdef CONFIG_NF_CONNTRACK_MARK
	case NFT_CT_MARK:
		if (ct->mark != value) {
			ct->mark = value;
			nf_conntrack_event_cache(IPCT_MARK, ct);
		}
		break;
#endif
	}
}

static const struct nla_policy nft_ct_policy[NFTA_CT_MAX + 1] = {
	[NFTA_CT_DREG]		= { .type = NLA_U32 },
	[NFTA_CT_KEY]		= { .type = NLA_U32 },
	[NFTA_CT_DIRECTION]	= { .type = NLA_U8 },
	[NFTA_CT_SREG]		= { .type = NLA_U32 },
};

static int nft_ct_l3proto_try_module_get(uint8_t family)
{
	int err;

	if (family == NFPROTO_INET) {
		err = nf_ct_l3proto_try_module_get(NFPROTO_IPV4);
		if (err < 0)
			goto err1;
		err = nf_ct_l3proto_try_module_get(NFPROTO_IPV6);
		if (err < 0)
			goto err2;
	} else {
		err = nf_ct_l3proto_try_module_get(family);
		if (err < 0)
			goto err1;
	}
	return 0;

err2:
	nf_ct_l3proto_module_put(NFPROTO_IPV4);
err1:
	return err;
}

static void nft_ct_l3proto_module_put(uint8_t family)
{
	if (family == NFPROTO_INET) {
		nf_ct_l3proto_module_put(NFPROTO_IPV4);
		nf_ct_l3proto_module_put(NFPROTO_IPV6);
	} else
		nf_ct_l3proto_module_put(family);
}

static int nft_ct_init_validate_get(const struct nft_expr *expr,
				    const struct nlattr * const tb[])
{
	struct nft_ct *priv = nft_expr_priv(expr);

	if (tb[NFTA_CT_DIRECTION] != NULL) {
		priv->dir = nla_get_u8(tb[NFTA_CT_DIRECTION]);
		switch (priv->dir) {
		case IP_CT_DIR_ORIGINAL:
		case IP_CT_DIR_REPLY:
			break;
		default:
			return -EINVAL;
		}
	}

	switch (priv->key) {
	case NFT_CT_STATE:
	case NFT_CT_DIRECTION:
	case NFT_CT_STATUS:
#ifdef CONFIG_NF_CONNTRACK_MARK
	case NFT_CT_MARK:
#endif
#ifdef CONFIG_NF_CONNTRACK_SECMARK
	case NFT_CT_SECMARK:
#endif
#ifdef CONFIG_NF_CONNTRACK_LABELS
	case NFT_CT_LABELS:
#endif
	case NFT_CT_EXPIRATION:
	case NFT_CT_HELPER:
		if (tb[NFTA_CT_DIRECTION] != NULL)
			return -EINVAL;
		break;
	case NFT_CT_L3PROTOCOL:
	case NFT_CT_PROTOCOL:
	case NFT_CT_SRC:
	case NFT_CT_DST:
	case NFT_CT_PROTO_SRC:
	case NFT_CT_PROTO_DST:
		if (tb[NFTA_CT_DIRECTION] == NULL)
			return -EINVAL;
		break;
	default:
		return -EOPNOTSUPP;
	}

	return 0;
}

static int nft_ct_init_validate_set(uint32_t key)
{
	switch (key) {
#ifdef CONFIG_NF_CONNTRACK_MARK
	case NFT_CT_MARK:
		break;
#endif
	default:
		return -EOPNOTSUPP;
	}

	return 0;
}

static int nft_ct_init(const struct nft_ctx *ctx,
		       const struct nft_expr *expr,
		       const struct nlattr * const tb[])
{
	struct nft_ct *priv = nft_expr_priv(expr);
	int err;

	priv->key = ntohl(nla_get_be32(tb[NFTA_CT_KEY]));

	if (tb[NFTA_CT_DREG]) {
		err = nft_ct_init_validate_get(expr, tb);
		if (err < 0)
			return err;

		priv->dreg = ntohl(nla_get_be32(tb[NFTA_CT_DREG]));
		err = nft_validate_output_register(priv->dreg);
		if (err < 0)
			return err;

		err = nft_validate_data_load(ctx, priv->dreg, NULL,
					     NFT_DATA_VALUE);
		if (err < 0)
			return err;
	} else {
		err = nft_ct_init_validate_set(priv->key);
		if (err < 0)
			return err;

		priv->sreg = ntohl(nla_get_be32(tb[NFTA_CT_SREG]));
		err = nft_validate_input_register(priv->sreg);
		if (err < 0)
			return err;
	}

	err = nft_ct_l3proto_try_module_get(ctx->afi->family);
	if (err < 0)
		return err;

	return 0;
}

static void nft_ct_destroy(const struct nft_ctx *ctx,
			   const struct nft_expr *expr)
{
	nft_ct_l3proto_module_put(ctx->afi->family);
}

static int nft_ct_get_dump(struct sk_buff *skb, const struct nft_expr *expr)
{
	const struct nft_ct *priv = nft_expr_priv(expr);

	if (nla_put_be32(skb, NFTA_CT_DREG, htonl(priv->dreg)))
		goto nla_put_failure;
	if (nla_put_be32(skb, NFTA_CT_KEY, htonl(priv->key)))
		goto nla_put_failure;

	switch (priv->key) {
	case NFT_CT_PROTOCOL:
	case NFT_CT_SRC:
	case NFT_CT_DST:
	case NFT_CT_PROTO_SRC:
	case NFT_CT_PROTO_DST:
		if (nla_put_u8(skb, NFTA_CT_DIRECTION, priv->dir))
			goto nla_put_failure;
	default:
		break;
	}

	return 0;

nla_put_failure:
	return -1;
}

static int nft_ct_set_dump(struct sk_buff *skb, const struct nft_expr *expr)
{
	const struct nft_ct *priv = nft_expr_priv(expr);

	if (nla_put_be32(skb, NFTA_CT_SREG, htonl(priv->sreg)))
		goto nla_put_failure;
	if (nla_put_be32(skb, NFTA_CT_KEY, htonl(priv->key)))
		goto nla_put_failure;
	return 0;

nla_put_failure:
	return -1;
}

static struct nft_expr_type nft_ct_type;
static const struct nft_expr_ops nft_ct_get_ops = {
	.type		= &nft_ct_type,
	.size		= NFT_EXPR_SIZE(sizeof(struct nft_ct)),
	.eval		= nft_ct_get_eval,
	.init		= nft_ct_init,
	.destroy	= nft_ct_destroy,
	.dump		= nft_ct_get_dump,
};

static const struct nft_expr_ops nft_ct_set_ops = {
	.type		= &nft_ct_type,
	.size		= NFT_EXPR_SIZE(sizeof(struct nft_ct)),
	.eval		= nft_ct_set_eval,
	.init		= nft_ct_init,
	.destroy	= nft_ct_destroy,
	.dump		= nft_ct_set_dump,
};

static const struct nft_expr_ops *
nft_ct_select_ops(const struct nft_ctx *ctx,
		    const struct nlattr * const tb[])
{
	if (tb[NFTA_CT_KEY] == NULL)
		return ERR_PTR(-EINVAL);

	if (tb[NFTA_CT_DREG] && tb[NFTA_CT_SREG])
		return ERR_PTR(-EINVAL);

	if (tb[NFTA_CT_DREG])
		return &nft_ct_get_ops;

	if (tb[NFTA_CT_SREG])
		return &nft_ct_set_ops;

	return ERR_PTR(-EINVAL);
}

static struct nft_expr_type nft_ct_type __read_mostly = {
	.name		= "ct",
	.select_ops	= &nft_ct_select_ops,
	.policy		= nft_ct_policy,
	.maxattr	= NFTA_CT_MAX,
	.owner		= THIS_MODULE,
};

static int __init nft_ct_module_init(void)
{
	return nft_register_expr(&nft_ct_type);
}

static void __exit nft_ct_module_exit(void)
{
	nft_unregister_expr(&nft_ct_type);
}

module_init(nft_ct_module_init);
module_exit(nft_ct_module_exit);

MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_ALIAS_NFT_EXPR("ct");
Commit	Line	Data
96518518	1	/*
ef1f7df9	2	* Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
96518518 PM	3	*
	4	* This program is free software; you can redistribute it and/or modify
	5	* it under the terms of the GNU General Public License version 2 as
	6	* published by the Free Software Foundation.
	7	*
	8	* Development of this code funded by Astaro AG (http://www.astaro.com/)
	9	*/
	10
	11	#include <linux/kernel.h>
	12	#include <linux/init.h>
	13	#include <linux/module.h>
	14	#include <linux/netlink.h>
	15	#include <linux/netfilter.h>
	16	#include <linux/netfilter/nf_tables.h>
	17	#include <net/netfilter/nf_tables.h>
	18	#include <net/netfilter/nf_conntrack.h>
	19	#include <net/netfilter/nf_conntrack_tuple.h>
	20	#include <net/netfilter/nf_conntrack_helper.h>
c4ede3d3	21	#include <net/netfilter/nf_conntrack_ecache.h>
d2bf2f34	22	#include <net/netfilter/nf_conntrack_labels.h>
96518518 PM	23
	24	struct nft_ct {
	25	enum nft_ct_keys key:8;
	26	enum ip_conntrack_dir dir:8;
d46f2cd2	27	union {
c4ede3d3 KE	28	enum nft_registers dreg:8;
	29	enum nft_registers sreg:8;
	30	};
96518518 PM	31	};
96518518 PM	32
c4ede3d3 KE	33	static void nft_ct_get_eval(const struct nft_expr *expr,
	34	struct nft_data data[NFT_REG_MAX + 1],
	35	const struct nft_pktinfo *pkt)
96518518 PM	36	{
	37	const struct nft_ct *priv = nft_expr_priv(expr);
	38	struct nft_data *dest = &data[priv->dreg];
	39	enum ip_conntrack_info ctinfo;
	40	const struct nf_conn *ct;
	41	const struct nf_conn_help *help;
	42	const struct nf_conntrack_tuple *tuple;
	43	const struct nf_conntrack_helper *helper;
	44	long diff;
	45	unsigned int state;
	46
	47	ct = nf_ct_get(pkt->skb, &ctinfo);
	48
	49	switch (priv->key) {
	50	case NFT_CT_STATE:
	51	if (ct == NULL)
	52	state = NF_CT_STATE_INVALID_BIT;
	53	else if (nf_ct_is_untracked(ct))
	54	state = NF_CT_STATE_UNTRACKED_BIT;
	55	else
	56	state = NF_CT_STATE_BIT(ctinfo);
	57	dest->data[0] = state;
	58	return;
	59	}
	60
	61	if (ct == NULL)
	62	goto err;
	63
	64	switch (priv->key) {
	65	case NFT_CT_DIRECTION:
	66	dest->data[0] = CTINFO2DIR(ctinfo);
	67	return;
	68	case NFT_CT_STATUS:
	69	dest->data[0] = ct->status;
	70	return;
	71	#ifdef CONFIG_NF_CONNTRACK_MARK
	72	case NFT_CT_MARK:
	73	dest->data[0] = ct->mark;
	74	return;
	75	#endif
	76	#ifdef CONFIG_NF_CONNTRACK_SECMARK
	77	case NFT_CT_SECMARK:
	78	dest->data[0] = ct->secmark;
	79	return;
	80	#endif
	81	case NFT_CT_EXPIRATION:
	82	diff = (long)jiffies - (long)ct->timeout.expires;
	83	if (diff < 0)
	84	diff = 0;
	85	dest->data[0] = jiffies_to_msecs(diff);
	86	return;
	87	case NFT_CT_HELPER:
	88	if (ct->master == NULL)
	89	goto err;
	90	help = nfct_help(ct->master);
	91	if (help == NULL)
	92	goto err;
	93	helper = rcu_dereference(help->helper);
	94	if (helper == NULL)
	95	goto err;
	96	if (strlen(helper->name) >= sizeof(dest->data))
	97	goto err;
	98	strncpy((char *)dest->data, helper->name, sizeof(dest->data));
	99	return;
d2bf2f34 FW	100	#ifdef CONFIG_NF_CONNTRACK_LABELS
	101	case NFT_CT_LABELS: {
	102	struct nf_conn_labels *labels = nf_ct_labels_find(ct);
	103	unsigned int size;
	104
	105	if (!labels) {
	106	memset(dest->data, 0, sizeof(dest->data));
	107	return;
	108	}
	109
	110	BUILD_BUG_ON(NF_CT_LABELS_MAX_SIZE > sizeof(dest->data));
	111	size = labels->words * sizeof(long);
	112
	113	memcpy(dest->data, labels->bits, size);
	114	if (size < sizeof(dest->data))
	115	memset(((char *) dest->data) + size, 0,
	116	sizeof(dest->data) - size);
	117	return;
	118	}
	119	#endif
96518518 PM	120	}
	121
	122	tuple = &ct->tuplehash[priv->dir].tuple;
	123	switch (priv->key) {
	124	case NFT_CT_L3PROTOCOL:
	125	dest->data[0] = nf_ct_l3num(ct);
	126	return;
	127	case NFT_CT_SRC:
	128	memcpy(dest->data, tuple->src.u3.all,
	129	nf_ct_l3num(ct) == NFPROTO_IPV4 ? 4 : 16);
	130	return;
	131	case NFT_CT_DST:
	132	memcpy(dest->data, tuple->dst.u3.all,
	133	nf_ct_l3num(ct) == NFPROTO_IPV4 ? 4 : 16);
	134	return;
	135	case NFT_CT_PROTOCOL:
	136	dest->data[0] = nf_ct_protonum(ct);
	137	return;
	138	case NFT_CT_PROTO_SRC:
	139	dest->data[0] = (__force __u16)tuple->src.u.all;
	140	return;
	141	case NFT_CT_PROTO_DST:
	142	dest->data[0] = (__force __u16)tuple->dst.u.all;
	143	return;
	144	}
	145	return;
	146	err:
	147	data[NFT_REG_VERDICT].verdict = NFT_BREAK;
	148	}
	149
c4ede3d3 KE	150	static void nft_ct_set_eval(const struct nft_expr *expr,
	151	struct nft_data data[NFT_REG_MAX + 1],
	152	const struct nft_pktinfo *pkt)
	153	{
	154	const struct nft_ct *priv = nft_expr_priv(expr);
	155	struct sk_buff *skb = pkt->skb;
847c8e29	156	#ifdef CONFIG_NF_CONNTRACK_MARK
c4ede3d3	157	u32 value = data[priv->sreg].data[0];
847c8e29	158	#endif
c4ede3d3 KE	159	enum ip_conntrack_info ctinfo;
	160	struct nf_conn *ct;
	161
	162	ct = nf_ct_get(skb, &ctinfo);
	163	if (ct == NULL)
	164	return;
	165
	166	switch (priv->key) {
	167	#ifdef CONFIG_NF_CONNTRACK_MARK
	168	case NFT_CT_MARK:
	169	if (ct->mark != value) {
	170	ct->mark = value;
	171	nf_conntrack_event_cache(IPCT_MARK, ct);
	172	}
	173	break;
	174	#endif
	175	}
	176	}
	177
96518518 PM	178	static const struct nla_policy nft_ct_policy[NFTA_CT_MAX + 1] = {
	179	[NFTA_CT_DREG] = { .type = NLA_U32 },
	180	[NFTA_CT_KEY] = { .type = NLA_U32 },
	181	[NFTA_CT_DIRECTION] = { .type = NLA_U8 },
c4ede3d3	182	[NFTA_CT_SREG] = { .type = NLA_U32 },
96518518 PM	183	};
96518518 PM	184
9638f33e PM	185	static int nft_ct_l3proto_try_module_get(uint8_t family)
	186	{
	187	int err;
	188
	189	if (family == NFPROTO_INET) {
	190	err = nf_ct_l3proto_try_module_get(NFPROTO_IPV4);
	191	if (err < 0)
	192	goto err1;
	193	err = nf_ct_l3proto_try_module_get(NFPROTO_IPV6);
	194	if (err < 0)
	195	goto err2;
	196	} else {
	197	err = nf_ct_l3proto_try_module_get(family);
	198	if (err < 0)
	199	goto err1;
	200	}
	201	return 0;
	202
	203	err2:
	204	nf_ct_l3proto_module_put(NFPROTO_IPV4);
	205	err1:
	206	return err;
	207	}
	208
	209	static void nft_ct_l3proto_module_put(uint8_t family)
	210	{
	211	if (family == NFPROTO_INET) {
	212	nf_ct_l3proto_module_put(NFPROTO_IPV4);
	213	nf_ct_l3proto_module_put(NFPROTO_IPV6);
	214	} else
	215	nf_ct_l3proto_module_put(family);
	216	}
	217
c4ede3d3 KE	218	static int nft_ct_init_validate_get(const struct nft_expr *expr,
c4ede3d3 KE	219	const struct nlattr * const tb[])
96518518 PM	220	{
96518518 PM	221	struct nft_ct *priv = nft_expr_priv(expr);
96518518	222
96518518 PM	223	if (tb[NFTA_CT_DIRECTION] != NULL) {
	224	priv->dir = nla_get_u8(tb[NFTA_CT_DIRECTION]);
	225	switch (priv->dir) {
	226	case IP_CT_DIR_ORIGINAL:
	227	case IP_CT_DIR_REPLY:
	228	break;
	229	default:
	230	return -EINVAL;
	231	}
	232	}
	233
	234	switch (priv->key) {
	235	case NFT_CT_STATE:
	236	case NFT_CT_DIRECTION:
	237	case NFT_CT_STATUS:
	238	#ifdef CONFIG_NF_CONNTRACK_MARK
	239	case NFT_CT_MARK:
	240	#endif
	241	#ifdef CONFIG_NF_CONNTRACK_SECMARK
	242	case NFT_CT_SECMARK:
d2bf2f34 FW	243	#endif
	244	#ifdef CONFIG_NF_CONNTRACK_LABELS
	245	case NFT_CT_LABELS:
96518518 PM	246	#endif
	247	case NFT_CT_EXPIRATION:
	248	case NFT_CT_HELPER:
	249	if (tb[NFTA_CT_DIRECTION] != NULL)
	250	return -EINVAL;
	251	break;
51292c07	252	case NFT_CT_L3PROTOCOL:
96518518 PM	253	case NFT_CT_PROTOCOL:
	254	case NFT_CT_SRC:
	255	case NFT_CT_DST:
	256	case NFT_CT_PROTO_SRC:
	257	case NFT_CT_PROTO_DST:
	258	if (tb[NFTA_CT_DIRECTION] == NULL)
	259	return -EINVAL;
	260	break;
	261	default:
	262	return -EOPNOTSUPP;
	263	}
	264
c4ede3d3 KE	265	return 0;
	266	}
	267
	268	static int nft_ct_init_validate_set(uint32_t key)
	269	{
	270	switch (key) {
e88e514e	271	#ifdef CONFIG_NF_CONNTRACK_MARK
c4ede3d3 KE	272	case NFT_CT_MARK:
c4ede3d3 KE	273	break;
e88e514e	274	#endif
c4ede3d3 KE	275	default:
	276	return -EOPNOTSUPP;
	277	}
	278
	279	return 0;
	280	}
	281
	282	static int nft_ct_init(const struct nft_ctx *ctx,
	283	const struct nft_expr *expr,
	284	const struct nlattr * const tb[])
	285	{
	286	struct nft_ct *priv = nft_expr_priv(expr);
	287	int err;
	288
	289	priv->key = ntohl(nla_get_be32(tb[NFTA_CT_KEY]));
	290
	291	if (tb[NFTA_CT_DREG]) {
	292	err = nft_ct_init_validate_get(expr, tb);
	293	if (err < 0)
	294	return err;
	295
	296	priv->dreg = ntohl(nla_get_be32(tb[NFTA_CT_DREG]));
	297	err = nft_validate_output_register(priv->dreg);
	298	if (err < 0)
	299	return err;
	300
	301	err = nft_validate_data_load(ctx, priv->dreg, NULL,
	302	NFT_DATA_VALUE);
	303	if (err < 0)
	304	return err;
	305	} else {
	306	err = nft_ct_init_validate_set(priv->key);
	307	if (err < 0)
	308	return err;
	309
	310	priv->sreg = ntohl(nla_get_be32(tb[NFTA_CT_SREG]));
	311	err = nft_validate_input_register(priv->sreg);
	312	if (err < 0)
	313	return err;
	314	}
	315
9638f33e	316	err = nft_ct_l3proto_try_module_get(ctx->afi->family);
96518518 PM	317	if (err < 0)
96518518 PM	318	return err;
96518518	319
96518518	320	return 0;
96518518 PM	321	}
96518518 PM	322
62472bce PM	323	static void nft_ct_destroy(const struct nft_ctx *ctx,
62472bce PM	324	const struct nft_expr *expr)
96518518	325	{
d46f2cd2	326	nft_ct_l3proto_module_put(ctx->afi->family);
96518518 PM	327	}
96518518 PM	328
c4ede3d3	329	static int nft_ct_get_dump(struct sk_buff skb, const struct nft_expr expr)
96518518 PM	330	{
	331	const struct nft_ct *priv = nft_expr_priv(expr);
	332
	333	if (nla_put_be32(skb, NFTA_CT_DREG, htonl(priv->dreg)))
	334	goto nla_put_failure;
	335	if (nla_put_be32(skb, NFTA_CT_KEY, htonl(priv->key)))
	336	goto nla_put_failure;
2a53bfb3 AB	337
	338	switch (priv->key) {
	339	case NFT_CT_PROTOCOL:
	340	case NFT_CT_SRC:
	341	case NFT_CT_DST:
	342	case NFT_CT_PROTO_SRC:
	343	case NFT_CT_PROTO_DST:
	344	if (nla_put_u8(skb, NFTA_CT_DIRECTION, priv->dir))
	345	goto nla_put_failure;
	346	default:
	347	break;
	348	}
	349
96518518 PM	350	return 0;
	351
	352	nla_put_failure:
	353	return -1;
	354	}
	355
c4ede3d3 KE	356	static int nft_ct_set_dump(struct sk_buff skb, const struct nft_expr expr)
	357	{
	358	const struct nft_ct *priv = nft_expr_priv(expr);
	359
	360	if (nla_put_be32(skb, NFTA_CT_SREG, htonl(priv->sreg)))
	361	goto nla_put_failure;
	362	if (nla_put_be32(skb, NFTA_CT_KEY, htonl(priv->key)))
	363	goto nla_put_failure;
	364	return 0;
	365
	366	nla_put_failure:
	367	return -1;
	368	}
	369
ef1f7df9	370	static struct nft_expr_type nft_ct_type;
c4ede3d3	371	static const struct nft_expr_ops nft_ct_get_ops = {
ef1f7df9	372	.type = &nft_ct_type,
96518518	373	.size = NFT_EXPR_SIZE(sizeof(struct nft_ct)),
c4ede3d3	374	.eval = nft_ct_get_eval,
96518518 PM	375	.init = nft_ct_init,
96518518 PM	376	.destroy = nft_ct_destroy,
c4ede3d3	377	.dump = nft_ct_get_dump,
ef1f7df9 PM	378	};
ef1f7df9 PM	379
c4ede3d3 KE	380	static const struct nft_expr_ops nft_ct_set_ops = {
	381	.type = &nft_ct_type,
	382	.size = NFT_EXPR_SIZE(sizeof(struct nft_ct)),
	383	.eval = nft_ct_set_eval,
	384	.init = nft_ct_init,
	385	.destroy = nft_ct_destroy,
	386	.dump = nft_ct_set_dump,
	387	};
	388
	389	static const struct nft_expr_ops *
	390	nft_ct_select_ops(const struct nft_ctx *ctx,
	391	const struct nlattr * const tb[])
	392	{
	393	if (tb[NFTA_CT_KEY] == NULL)
	394	return ERR_PTR(-EINVAL);
	395
	396	if (tb[NFTA_CT_DREG] && tb[NFTA_CT_SREG])
	397	return ERR_PTR(-EINVAL);
	398
	399	if (tb[NFTA_CT_DREG])
	400	return &nft_ct_get_ops;
	401
	402	if (tb[NFTA_CT_SREG])
	403	return &nft_ct_set_ops;
	404
	405	return ERR_PTR(-EINVAL);
	406	}
	407
ef1f7df9 PM	408	static struct nft_expr_type nft_ct_type __read_mostly = {
ef1f7df9 PM	409	.name = "ct",
c4ede3d3	410	.select_ops = &nft_ct_select_ops,
96518518 PM	411	.policy = nft_ct_policy,
96518518 PM	412	.maxattr = NFTA_CT_MAX,
ef1f7df9	413	.owner = THIS_MODULE,
96518518 PM	414	};
	415
	416	static int __init nft_ct_module_init(void)
	417	{
ef1f7df9	418	return nft_register_expr(&nft_ct_type);
96518518 PM	419	}
	420
	421	static void __exit nft_ct_module_exit(void)
	422	{
ef1f7df9	423	nft_unregister_expr(&nft_ct_type);
96518518 PM	424	}
	425
	426	module_init(nft_ct_module_init);
	427	module_exit(nft_ct_module_exit);
	428
	429	MODULE_LICENSE("GPL");
	430	MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
	431	MODULE_ALIAS_NFT_EXPR("ct");