]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blob - net/ipv4/netfilter/ip_conntrack_core.c
projects / mirror_ubuntu-artful-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
[PATCH] slab: remove kmem_cache_t
[mirror_ubuntu-artful-kernel.git] / net / ipv4 / netfilter / ip_conntrack_core.c
1 /* Connection state tracking for netfilter. This is separated from,
2 but required by, the NAT layer; it can also be used by an iptables
3 extension. */
4
5 /* (C) 1999-2001 Paul `Rusty' Russell
6 * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
7 *
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License version 2 as
10 * published by the Free Software Foundation.
11 *
12 * 23 Apr 2001: Harald Welte <laforge@gnumonks.org>
13 * - new API and handling of conntrack/nat helpers
14 * - now capable of multiple expectations for one master
15 * 16 Jul 2002: Harald Welte <laforge@gnumonks.org>
16 * - add usage/reference counts to ip_conntrack_expect
17 * - export ip_conntrack[_expect]_{find_get,put} functions
18 * */
19
20 #include <linux/types.h>
21 #include <linux/icmp.h>
22 #include <linux/ip.h>
23 #include <linux/netfilter.h>
24 #include <linux/netfilter_ipv4.h>
25 #include <linux/module.h>
26 #include <linux/skbuff.h>
27 #include <linux/proc_fs.h>
28 #include <linux/vmalloc.h>
29 #include <net/checksum.h>
30 #include <net/ip.h>
31 #include <linux/stddef.h>
32 #include <linux/sysctl.h>
33 #include <linux/slab.h>
34 #include <linux/random.h>
35 #include <linux/jhash.h>
36 #include <linux/err.h>
37 #include <linux/percpu.h>
38 #include <linux/moduleparam.h>
39 #include <linux/notifier.h>
40
41 /* ip_conntrack_lock protects the main hash table, protocol/helper/expected
42 registrations, conntrack timers*/
43 #include <linux/netfilter_ipv4/ip_conntrack.h>
44 #include <linux/netfilter_ipv4/ip_conntrack_protocol.h>
45 #include <linux/netfilter_ipv4/ip_conntrack_helper.h>
46 #include <linux/netfilter_ipv4/ip_conntrack_core.h>
47
48 #define IP_CONNTRACK_VERSION "2.4"
49
50 #if 0
51 #define DEBUGP printk
52 #else
53 #define DEBUGP(format, args...)
54 #endif
55
56 DEFINE_RWLOCK(ip_conntrack_lock);
57
58 /* ip_conntrack_standalone needs this */
59 atomic_t ip_conntrack_count = ATOMIC_INIT(0);
60
61 void (*ip_conntrack_destroyed)(struct ip_conntrack *conntrack) = NULL;
62 LIST_HEAD(ip_conntrack_expect_list);
63 struct ip_conntrack_protocol *ip_ct_protos[MAX_IP_CT_PROTO] __read_mostly;
64 static LIST_HEAD(helpers);
65 unsigned int ip_conntrack_htable_size __read_mostly = 0;
66 int ip_conntrack_max __read_mostly;
67 struct list_head *ip_conntrack_hash __read_mostly;
68 static struct kmem_cache *ip_conntrack_cachep __read_mostly;
69 static struct kmem_cache *ip_conntrack_expect_cachep __read_mostly;
70 struct ip_conntrack ip_conntrack_untracked;
71 unsigned int ip_ct_log_invalid __read_mostly;
72 static LIST_HEAD(unconfirmed);
73 static int ip_conntrack_vmalloc __read_mostly;
74
75 static unsigned int ip_conntrack_next_id;
76 static unsigned int ip_conntrack_expect_next_id;
77 #ifdef CONFIG_IP_NF_CONNTRACK_EVENTS
78 ATOMIC_NOTIFIER_HEAD(ip_conntrack_chain);
79 ATOMIC_NOTIFIER_HEAD(ip_conntrack_expect_chain);
80
81 DEFINE_PER_CPU(struct ip_conntrack_ecache, ip_conntrack_ecache);
82
83 /* deliver cached events and clear cache entry - must be called with locally
84 * disabled softirqs */
85 static inline void
86 __ip_ct_deliver_cached_events(struct ip_conntrack_ecache *ecache)
87 {
88 DEBUGP("ecache: delivering events for %p\n", ecache->ct);
89 if (is_confirmed(ecache->ct) && !is_dying(ecache->ct) && ecache->events)
90 atomic_notifier_call_chain(&ip_conntrack_chain, ecache->events,
91 ecache->ct);
92 ecache->events = 0;
93 ip_conntrack_put(ecache->ct);
94 ecache->ct = NULL;
95 }
96
97 /* Deliver all cached events for a particular conntrack. This is called
98 * by code prior to async packet handling or freeing the skb */
99 void ip_ct_deliver_cached_events(const struct ip_conntrack *ct)
100 {
101 struct ip_conntrack_ecache *ecache;
102
103 local_bh_disable();
104 ecache = &__get_cpu_var(ip_conntrack_ecache);
105 if (ecache->ct == ct)
106 __ip_ct_deliver_cached_events(ecache);
107 local_bh_enable();
108 }
109
110 void __ip_ct_event_cache_init(struct ip_conntrack *ct)
111 {
112 struct ip_conntrack_ecache *ecache;
113
114 /* take care of delivering potentially old events */
115 ecache = &__get_cpu_var(ip_conntrack_ecache);
116 BUG_ON(ecache->ct == ct);
117 if (ecache->ct)
118 __ip_ct_deliver_cached_events(ecache);
119 /* initialize for this conntrack/packet */
120 ecache->ct = ct;
121 nf_conntrack_get(&ct->ct_general);
122 }
123
124 /* flush the event cache - touches other CPU's data and must not be called while
125 * packets are still passing through the code */
126 static void ip_ct_event_cache_flush(void)
127 {
128 struct ip_conntrack_ecache *ecache;
129 int cpu;
130
131 for_each_possible_cpu(cpu) {
132 ecache = &per_cpu(ip_conntrack_ecache, cpu);
133 if (ecache->ct)
134 ip_conntrack_put(ecache->ct);
135 }
136 }
137 #else
138 static inline void ip_ct_event_cache_flush(void) {}
139 #endif /* CONFIG_IP_NF_CONNTRACK_EVENTS */
140
141 DEFINE_PER_CPU(struct ip_conntrack_stat, ip_conntrack_stat);
142
143 static int ip_conntrack_hash_rnd_initted;
144 static unsigned int ip_conntrack_hash_rnd;
145
146 static u_int32_t __hash_conntrack(const struct ip_conntrack_tuple *tuple,
147 unsigned int size, unsigned int rnd)
148 {
149 return (jhash_3words((__force u32)tuple->src.ip,
150 ((__force u32)tuple->dst.ip ^ tuple->dst.protonum),
151 (tuple->src.u.all | (tuple->dst.u.all << 16)),
152 rnd) % size);
153 }
154
155 static u_int32_t
156 hash_conntrack(const struct ip_conntrack_tuple *tuple)
157 {
158 return __hash_conntrack(tuple, ip_conntrack_htable_size,
159 ip_conntrack_hash_rnd);
160 }
161
162 int
163 ip_ct_get_tuple(const struct iphdr *iph,
164 const struct sk_buff *skb,
165 unsigned int dataoff,
166 struct ip_conntrack_tuple *tuple,
167 const struct ip_conntrack_protocol *protocol)
168 {
169 /* Never happen */
170 if (iph->frag_off & htons(IP_OFFSET)) {
171 printk("ip_conntrack_core: Frag of proto %u.\n",
172 iph->protocol);
173 return 0;
174 }
175
176 tuple->src.ip = iph->saddr;
177 tuple->dst.ip = iph->daddr;
178 tuple->dst.protonum = iph->protocol;
179 tuple->dst.dir = IP_CT_DIR_ORIGINAL;
180
181 return protocol->pkt_to_tuple(skb, dataoff, tuple);
182 }
183
184 int
185 ip_ct_invert_tuple(struct ip_conntrack_tuple *inverse,
186 const struct ip_conntrack_tuple *orig,
187 const struct ip_conntrack_protocol *protocol)
188 {
189 inverse->src.ip = orig->dst.ip;
190 inverse->dst.ip = orig->src.ip;
191 inverse->dst.protonum = orig->dst.protonum;
192 inverse->dst.dir = !orig->dst.dir;
193
194 return protocol->invert_tuple(inverse, orig);
195 }
196
197
198 /* ip_conntrack_expect helper functions */
199 void ip_ct_unlink_expect(struct ip_conntrack_expect *exp)
200 {
201 IP_NF_ASSERT(!timer_pending(&exp->timeout));
202 list_del(&exp->list);
203 CONNTRACK_STAT_INC(expect_delete);
204 exp->master->expecting--;
205 ip_conntrack_expect_put(exp);
206 }
207
208 static void expectation_timed_out(unsigned long ul_expect)
209 {
210 struct ip_conntrack_expect *exp = (void *)ul_expect;
211
212 write_lock_bh(&ip_conntrack_lock);
213 ip_ct_unlink_expect(exp);
214 write_unlock_bh(&ip_conntrack_lock);
215 ip_conntrack_expect_put(exp);
216 }
217
218 struct ip_conntrack_expect *
219 __ip_conntrack_expect_find(const struct ip_conntrack_tuple *tuple)
220 {
221 struct ip_conntrack_expect *i;
222
223 list_for_each_entry(i, &ip_conntrack_expect_list, list) {
224 if (ip_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask))
225 return i;
226 }
227 return NULL;
228 }
229
230 /* Just find a expectation corresponding to a tuple. */
231 struct ip_conntrack_expect *
232 ip_conntrack_expect_find_get(const struct ip_conntrack_tuple *tuple)
233 {
234 struct ip_conntrack_expect *i;
235
236 read_lock_bh(&ip_conntrack_lock);
237 i = __ip_conntrack_expect_find(tuple);
238 if (i)
239 atomic_inc(&i->use);
240 read_unlock_bh(&ip_conntrack_lock);
241
242 return i;
243 }
244
245 /* If an expectation for this connection is found, it gets delete from
246 * global list then returned. */
247 static struct ip_conntrack_expect *
248 find_expectation(const struct ip_conntrack_tuple *tuple)
249 {
250 struct ip_conntrack_expect *i;
251
252 list_for_each_entry(i, &ip_conntrack_expect_list, list) {
253 /* If master is not in hash table yet (ie. packet hasn't left
254 this machine yet), how can other end know about expected?
255 Hence these are not the droids you are looking for (if
256 master ct never got confirmed, we'd hold a reference to it
257 and weird things would happen to future packets). */
258 if (ip_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask)
259 && is_confirmed(i->master)) {
260 if (i->flags & IP_CT_EXPECT_PERMANENT) {
261 atomic_inc(&i->use);
262 return i;
263 } else if (del_timer(&i->timeout)) {
264 ip_ct_unlink_expect(i);
265 return i;
266 }
267 }
268 }
269 return NULL;
270 }
271
272 /* delete all expectations for this conntrack */
273 void ip_ct_remove_expectations(struct ip_conntrack *ct)
274 {
275 struct ip_conntrack_expect *i, *tmp;
276
277 /* Optimization: most connection never expect any others. */
278 if (ct->expecting == 0)
279 return;
280
281 list_for_each_entry_safe(i, tmp, &ip_conntrack_expect_list, list) {
282 if (i->master == ct && del_timer(&i->timeout)) {
283 ip_ct_unlink_expect(i);
284 ip_conntrack_expect_put(i);
285 }
286 }
287 }
288
289 static void
290 clean_from_lists(struct ip_conntrack *ct)
291 {
292 DEBUGP("clean_from_lists(%p)\n", ct);
293 list_del(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list);
294 list_del(&ct->tuplehash[IP_CT_DIR_REPLY].list);
295
296 /* Destroy all pending expectations */
297 ip_ct_remove_expectations(ct);
298 }
299
300 static void
301 destroy_conntrack(struct nf_conntrack *nfct)
302 {
303 struct ip_conntrack *ct = (struct ip_conntrack *)nfct;
304 struct ip_conntrack_protocol *proto;
305 struct ip_conntrack_helper *helper;
306
307 DEBUGP("destroy_conntrack(%p)\n", ct);
308 IP_NF_ASSERT(atomic_read(&nfct->use) == 0);
309 IP_NF_ASSERT(!timer_pending(&ct->timeout));
310
311 ip_conntrack_event(IPCT_DESTROY, ct);
312 set_bit(IPS_DYING_BIT, &ct->status);
313
314 helper = ct->helper;
315 if (helper && helper->destroy)
316 helper->destroy(ct);
317
318 /* To make sure we don't get any weird locking issues here:
319 * destroy_conntrack() MUST NOT be called with a write lock
320 * to ip_conntrack_lock!!! -HW */
321 proto = __ip_conntrack_proto_find(ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.protonum);
322 if (proto && proto->destroy)
323 proto->destroy(ct);
324
325 if (ip_conntrack_destroyed)
326 ip_conntrack_destroyed(ct);
327
328 write_lock_bh(&ip_conntrack_lock);
329 /* Expectations will have been removed in clean_from_lists,
330 * except TFTP can create an expectation on the first packet,
331 * before connection is in the list, so we need to clean here,
332 * too. */
333 ip_ct_remove_expectations(ct);
334
335 /* We overload first tuple to link into unconfirmed list. */
336 if (!is_confirmed(ct)) {
337 BUG_ON(list_empty(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list));
338 list_del(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list);
339 }
340
341 CONNTRACK_STAT_INC(delete);
342 write_unlock_bh(&ip_conntrack_lock);
343
344 if (ct->master)
345 ip_conntrack_put(ct->master);
346
347 DEBUGP("destroy_conntrack: returning ct=%p to slab\n", ct);
348 ip_conntrack_free(ct);
349 }
350
351 static void death_by_timeout(unsigned long ul_conntrack)
352 {
353 struct ip_conntrack *ct = (void *)ul_conntrack;
354
355 write_lock_bh(&ip_conntrack_lock);
356 /* Inside lock so preempt is disabled on module removal path.
357 * Otherwise we can get spurious warnings. */
358 CONNTRACK_STAT_INC(delete_list);
359 clean_from_lists(ct);
360 write_unlock_bh(&ip_conntrack_lock);
361 ip_conntrack_put(ct);
362 }
363
364 struct ip_conntrack_tuple_hash *
365 __ip_conntrack_find(const struct ip_conntrack_tuple *tuple,
366 const struct ip_conntrack *ignored_conntrack)
367 {
368 struct ip_conntrack_tuple_hash *h;
369 unsigned int hash = hash_conntrack(tuple);
370
371 list_for_each_entry(h, &ip_conntrack_hash[hash], list) {
372 if (tuplehash_to_ctrack(h) != ignored_conntrack &&
373 ip_ct_tuple_equal(tuple, &h->tuple)) {
374 CONNTRACK_STAT_INC(found);
375 return h;
376 }
377 CONNTRACK_STAT_INC(searched);
378 }
379
380 return NULL;
381 }
382
383 /* Find a connection corresponding to a tuple. */
384 struct ip_conntrack_tuple_hash *
385 ip_conntrack_find_get(const struct ip_conntrack_tuple *tuple,
386 const struct ip_conntrack *ignored_conntrack)
387 {
388 struct ip_conntrack_tuple_hash *h;
389
390 read_lock_bh(&ip_conntrack_lock);
391 h = __ip_conntrack_find(tuple, ignored_conntrack);
392 if (h)
393 atomic_inc(&tuplehash_to_ctrack(h)->ct_general.use);
394 read_unlock_bh(&ip_conntrack_lock);
395
396 return h;
397 }
398
399 static void __ip_conntrack_hash_insert(struct ip_conntrack *ct,
400 unsigned int hash,
401 unsigned int repl_hash)
402 {
403 ct->id = ++ip_conntrack_next_id;
404 list_add(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list,
405 &ip_conntrack_hash[hash]);
406 list_add(&ct->tuplehash[IP_CT_DIR_REPLY].list,
407 &ip_conntrack_hash[repl_hash]);
408 }
409
410 void ip_conntrack_hash_insert(struct ip_conntrack *ct)
411 {
412 unsigned int hash, repl_hash;
413
414 hash = hash_conntrack(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
415 repl_hash = hash_conntrack(&ct->tuplehash[IP_CT_DIR_REPLY].tuple);
416
417 write_lock_bh(&ip_conntrack_lock);
418 __ip_conntrack_hash_insert(ct, hash, repl_hash);
419 write_unlock_bh(&ip_conntrack_lock);
420 }
421
422 /* Confirm a connection given skb; places it in hash table */
423 int
424 __ip_conntrack_confirm(struct sk_buff **pskb)
425 {
426 unsigned int hash, repl_hash;
427 struct ip_conntrack_tuple_hash *h;
428 struct ip_conntrack *ct;
429 enum ip_conntrack_info ctinfo;
430
431 ct = ip_conntrack_get(*pskb, &ctinfo);
432
433 /* ipt_REJECT uses ip_conntrack_attach to attach related
434 ICMP/TCP RST packets in other direction. Actual packet
435 which created connection will be IP_CT_NEW or for an
436 expected connection, IP_CT_RELATED. */
437 if (CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL)
438 return NF_ACCEPT;
439
440 hash = hash_conntrack(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
441 repl_hash = hash_conntrack(&ct->tuplehash[IP_CT_DIR_REPLY].tuple);
442
443 /* We're not in hash table, and we refuse to set up related
444 connections for unconfirmed conns. But packet copies and
445 REJECT will give spurious warnings here. */
446 /* IP_NF_ASSERT(atomic_read(&ct->ct_general.use) == 1); */
447
448 /* No external references means noone else could have
449 confirmed us. */
450 IP_NF_ASSERT(!is_confirmed(ct));
451 DEBUGP("Confirming conntrack %p\n", ct);
452
453 write_lock_bh(&ip_conntrack_lock);
454
455 /* See if there's one in the list already, including reverse:
456 NAT could have grabbed it without realizing, since we're
457 not in the hash. If there is, we lost race. */
458 list_for_each_entry(h, &ip_conntrack_hash[hash], list)
459 if (ip_ct_tuple_equal(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
460 &h->tuple))
461 goto out;
462 list_for_each_entry(h, &ip_conntrack_hash[repl_hash], list)
463 if (ip_ct_tuple_equal(&ct->tuplehash[IP_CT_DIR_REPLY].tuple,
464 &h->tuple))
465 goto out;
466
467 /* Remove from unconfirmed list */
468 list_del(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list);
469
470 __ip_conntrack_hash_insert(ct, hash, repl_hash);
471 /* Timer relative to confirmation time, not original
472 setting time, otherwise we'd get timer wrap in
473 weird delay cases. */
474 ct->timeout.expires += jiffies;
475 add_timer(&ct->timeout);
476 atomic_inc(&ct->ct_general.use);
477 set_bit(IPS_CONFIRMED_BIT, &ct->status);
478 CONNTRACK_STAT_INC(insert);
479 write_unlock_bh(&ip_conntrack_lock);
480 if (ct->helper)
481 ip_conntrack_event_cache(IPCT_HELPER, *pskb);
482 #ifdef CONFIG_IP_NF_NAT_NEEDED
483 if (test_bit(IPS_SRC_NAT_DONE_BIT, &ct->status) ||
484 test_bit(IPS_DST_NAT_DONE_BIT, &ct->status))
485 ip_conntrack_event_cache(IPCT_NATINFO, *pskb);
486 #endif
487 ip_conntrack_event_cache(master_ct(ct) ?
488 IPCT_RELATED : IPCT_NEW, *pskb);
489
490 return NF_ACCEPT;
491
492 out:
493 CONNTRACK_STAT_INC(insert_failed);
494 write_unlock_bh(&ip_conntrack_lock);
495 return NF_DROP;
496 }
497
498 /* Returns true if a connection correspondings to the tuple (required
499 for NAT). */
500 int
501 ip_conntrack_tuple_taken(const struct ip_conntrack_tuple *tuple,
502 const struct ip_conntrack *ignored_conntrack)
503 {
504 struct ip_conntrack_tuple_hash *h;
505
506 read_lock_bh(&ip_conntrack_lock);
507 h = __ip_conntrack_find(tuple, ignored_conntrack);
508 read_unlock_bh(&ip_conntrack_lock);
509
510 return h != NULL;
511 }
512
513 /* There's a small race here where we may free a just-assured
514 connection. Too bad: we're in trouble anyway. */
515 static int early_drop(struct list_head *chain)
516 {
517 /* Traverse backwards: gives us oldest, which is roughly LRU */
518 struct ip_conntrack_tuple_hash *h;
519 struct ip_conntrack *ct = NULL, *tmp;
520 int dropped = 0;
521
522 read_lock_bh(&ip_conntrack_lock);
523 list_for_each_entry_reverse(h, chain, list) {
524 tmp = tuplehash_to_ctrack(h);
525 if (!test_bit(IPS_ASSURED_BIT, &tmp->status)) {
526 ct = tmp;
527 atomic_inc(&ct->ct_general.use);
528 break;
529 }
530 }
531 read_unlock_bh(&ip_conntrack_lock);
532
533 if (!ct)
534 return dropped;
535
536 if (del_timer(&ct->timeout)) {
537 death_by_timeout((unsigned long)ct);
538 dropped = 1;
539 CONNTRACK_STAT_INC(early_drop);
540 }
541 ip_conntrack_put(ct);
542 return dropped;
543 }
544
545 static struct ip_conntrack_helper *
546 __ip_conntrack_helper_find( const struct ip_conntrack_tuple *tuple)
547 {
548 struct ip_conntrack_helper *h;
549
550 list_for_each_entry(h, &helpers, list) {
551 if (ip_ct_tuple_mask_cmp(tuple, &h->tuple, &h->mask))
552 return h;
553 }
554 return NULL;
555 }
556
557 struct ip_conntrack_helper *
558 ip_conntrack_helper_find_get( const struct ip_conntrack_tuple *tuple)
559 {
560 struct ip_conntrack_helper *helper;
561
562 /* need ip_conntrack_lock to assure that helper exists until
563 * try_module_get() is called */
564 read_lock_bh(&ip_conntrack_lock);
565
566 helper = __ip_conntrack_helper_find(tuple);
567 if (helper) {
568 /* need to increase module usage count to assure helper will
569 * not go away while the caller is e.g. busy putting a
570 * conntrack in the hash that uses the helper */
571 if (!try_module_get(helper->me))
572 helper = NULL;
573 }
574
575 read_unlock_bh(&ip_conntrack_lock);
576
577 return helper;
578 }
579
580 void ip_conntrack_helper_put(struct ip_conntrack_helper *helper)
581 {
582 module_put(helper->me);
583 }
584
585 struct ip_conntrack_protocol *
586 __ip_conntrack_proto_find(u_int8_t protocol)
587 {
588 return ip_ct_protos[protocol];
589 }
590
591 /* this is guaranteed to always return a valid protocol helper, since
592 * it falls back to generic_protocol */
593 struct ip_conntrack_protocol *
594 ip_conntrack_proto_find_get(u_int8_t protocol)
595 {
596 struct ip_conntrack_protocol *p;
597
598 preempt_disable();
599 p = __ip_conntrack_proto_find(protocol);
600 if (p) {
601 if (!try_module_get(p->me))
602 p = &ip_conntrack_generic_protocol;
603 }
604 preempt_enable();
605
606 return p;
607 }
608
609 void ip_conntrack_proto_put(struct ip_conntrack_protocol *p)
610 {
611 module_put(p->me);
612 }
613
614 struct ip_conntrack *ip_conntrack_alloc(struct ip_conntrack_tuple *orig,
615 struct ip_conntrack_tuple *repl)
616 {
617 struct ip_conntrack *conntrack;
618
619 if (!ip_conntrack_hash_rnd_initted) {
620 get_random_bytes(&ip_conntrack_hash_rnd, 4);
621 ip_conntrack_hash_rnd_initted = 1;
622 }
623
624 /* We don't want any race condition at early drop stage */
625 atomic_inc(&ip_conntrack_count);
626
627 if (ip_conntrack_max
628 && atomic_read(&ip_conntrack_count) > ip_conntrack_max) {
629 unsigned int hash = hash_conntrack(orig);
630 /* Try dropping from this hash chain. */
631 if (!early_drop(&ip_conntrack_hash[hash])) {
632 atomic_dec(&ip_conntrack_count);
633 if (net_ratelimit())
634 printk(KERN_WARNING
635 "ip_conntrack: table full, dropping"
636 " packet.\n");
637 return ERR_PTR(-ENOMEM);
638 }
639 }
640
641 conntrack = kmem_cache_alloc(ip_conntrack_cachep, GFP_ATOMIC);
642 if (!conntrack) {
643 DEBUGP("Can't allocate conntrack.\n");
644 atomic_dec(&ip_conntrack_count);
645 return ERR_PTR(-ENOMEM);
646 }
647
648 memset(conntrack, 0, sizeof(*conntrack));
649 atomic_set(&conntrack->ct_general.use, 1);
650 conntrack->ct_general.destroy = destroy_conntrack;
651 conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple = *orig;
652 conntrack->tuplehash[IP_CT_DIR_REPLY].tuple = *repl;
653 /* Don't set timer yet: wait for confirmation */
654 init_timer(&conntrack->timeout);
655 conntrack->timeout.data = (unsigned long)conntrack;
656 conntrack->timeout.function = death_by_timeout;
657
658 return conntrack;
659 }
660
661 void
662 ip_conntrack_free(struct ip_conntrack *conntrack)
663 {
664 atomic_dec(&ip_conntrack_count);
665 kmem_cache_free(ip_conntrack_cachep, conntrack);
666 }
667
668 /* Allocate a new conntrack: we return -ENOMEM if classification
669 * failed due to stress. Otherwise it really is unclassifiable */
670 static struct ip_conntrack_tuple_hash *
671 init_conntrack(struct ip_conntrack_tuple *tuple,
672 struct ip_conntrack_protocol *protocol,
673 struct sk_buff *skb)
674 {
675 struct ip_conntrack *conntrack;
676 struct ip_conntrack_tuple repl_tuple;
677 struct ip_conntrack_expect *exp;
678
679 if (!ip_ct_invert_tuple(&repl_tuple, tuple, protocol)) {
680 DEBUGP("Can't invert tuple.\n");
681 return NULL;
682 }
683
684 conntrack = ip_conntrack_alloc(tuple, &repl_tuple);
685 if (conntrack == NULL || IS_ERR(conntrack))
686 return (struct ip_conntrack_tuple_hash *)conntrack;
687
688 if (!protocol->new(conntrack, skb)) {
689 ip_conntrack_free(conntrack);
690 return NULL;
691 }
692
693 write_lock_bh(&ip_conntrack_lock);
694 exp = find_expectation(tuple);
695
696 if (exp) {
697 DEBUGP("conntrack: expectation arrives ct=%p exp=%p\n",
698 conntrack, exp);
699 /* Welcome, Mr. Bond. We've been expecting you... */
700 __set_bit(IPS_EXPECTED_BIT, &conntrack->status);
701 conntrack->master = exp->master;
702 #ifdef CONFIG_IP_NF_CONNTRACK_MARK
703 conntrack->mark = exp->master->mark;
704 #endif
705 #if defined(CONFIG_IP_NF_TARGET_MASQUERADE) || \
706 defined(CONFIG_IP_NF_TARGET_MASQUERADE_MODULE)
707 /* this is ugly, but there is no other place where to put it */
708 conntrack->nat.masq_index = exp->master->nat.masq_index;
709 #endif
710 #ifdef CONFIG_IP_NF_CONNTRACK_SECMARK
711 conntrack->secmark = exp->master->secmark;
712 #endif
713 nf_conntrack_get(&conntrack->master->ct_general);
714 CONNTRACK_STAT_INC(expect_new);
715 } else {
716 conntrack->helper = __ip_conntrack_helper_find(&repl_tuple);
717
718 CONNTRACK_STAT_INC(new);
719 }
720
721 /* Overload tuple linked list to put us in unconfirmed list. */
722 list_add(&conntrack->tuplehash[IP_CT_DIR_ORIGINAL].list, &unconfirmed);
723
724 write_unlock_bh(&ip_conntrack_lock);
725
726 if (exp) {
727 if (exp->expectfn)
728 exp->expectfn(conntrack, exp);
729 ip_conntrack_expect_put(exp);
730 }
731
732 return &conntrack->tuplehash[IP_CT_DIR_ORIGINAL];
733 }
734
735 /* On success, returns conntrack ptr, sets skb->nfct and ctinfo */
736 static inline struct ip_conntrack *
737 resolve_normal_ct(struct sk_buff *skb,
738 struct ip_conntrack_protocol *proto,
739 int *set_reply,
740 unsigned int hooknum,
741 enum ip_conntrack_info *ctinfo)
742 {
743 struct ip_conntrack_tuple tuple;
744 struct ip_conntrack_tuple_hash *h;
745 struct ip_conntrack *ct;
746
747 IP_NF_ASSERT((skb->nh.iph->frag_off & htons(IP_OFFSET)) == 0);
748
749 if (!ip_ct_get_tuple(skb->nh.iph, skb, skb->nh.iph->ihl*4,
750 &tuple,proto))
751 return NULL;
752
753 /* look for tuple match */
754 h = ip_conntrack_find_get(&tuple, NULL);
755 if (!h) {
756 h = init_conntrack(&tuple, proto, skb);
757 if (!h)
758 return NULL;
759 if (IS_ERR(h))
760 return (void *)h;
761 }
762 ct = tuplehash_to_ctrack(h);
763
764 /* It exists; we have (non-exclusive) reference. */
765 if (DIRECTION(h) == IP_CT_DIR_REPLY) {
766 *ctinfo = IP_CT_ESTABLISHED + IP_CT_IS_REPLY;
767 /* Please set reply bit if this packet OK */
768 *set_reply = 1;
769 } else {
770 /* Once we've had two way comms, always ESTABLISHED. */
771 if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
772 DEBUGP("ip_conntrack_in: normal packet for %p\n",
773 ct);
774 *ctinfo = IP_CT_ESTABLISHED;
775 } else if (test_bit(IPS_EXPECTED_BIT, &ct->status)) {
776 DEBUGP("ip_conntrack_in: related packet for %p\n",
777 ct);
778 *ctinfo = IP_CT_RELATED;
779 } else {
780 DEBUGP("ip_conntrack_in: new packet for %p\n",
781 ct);
782 *ctinfo = IP_CT_NEW;
783 }
784 *set_reply = 0;
785 }
786 skb->nfct = &ct->ct_general;
787 skb->nfctinfo = *ctinfo;
788 return ct;
789 }
790
791 /* Netfilter hook itself. */
792 unsigned int ip_conntrack_in(unsigned int hooknum,
793 struct sk_buff **pskb,
794 const struct net_device *in,
795 const struct net_device *out,
796 int (*okfn)(struct sk_buff *))
797 {
798 struct ip_conntrack *ct;
799 enum ip_conntrack_info ctinfo;
800 struct ip_conntrack_protocol *proto;
801 int set_reply = 0;
802 int ret;
803
804 /* Previously seen (loopback or untracked)? Ignore. */
805 if ((*pskb)->nfct) {
806 CONNTRACK_STAT_INC(ignore);
807 return NF_ACCEPT;
808 }
809
810 /* Never happen */
811 if ((*pskb)->nh.iph->frag_off & htons(IP_OFFSET)) {
812 if (net_ratelimit()) {
813 printk(KERN_ERR "ip_conntrack_in: Frag of proto %u (hook=%u)\n",
814 (*pskb)->nh.iph->protocol, hooknum);
815 }
816 return NF_DROP;
817 }
818
819 /* Doesn't cover locally-generated broadcast, so not worth it. */
820 #if 0
821 /* Ignore broadcast: no `connection'. */
822 if ((*pskb)->pkt_type == PACKET_BROADCAST) {
823 printk("Broadcast packet!\n");
824 return NF_ACCEPT;
825 } else if (((*pskb)->nh.iph->daddr & htonl(0x000000FF))
826 == htonl(0x000000FF)) {
827 printk("Should bcast: %u.%u.%u.%u->%u.%u.%u.%u (sk=%p, ptype=%u)\n",
828 NIPQUAD((*pskb)->nh.iph->saddr),
829 NIPQUAD((*pskb)->nh.iph->daddr),
830 (*pskb)->sk, (*pskb)->pkt_type);
831 }
832 #endif
833
834 proto = __ip_conntrack_proto_find((*pskb)->nh.iph->protocol);
835
836 /* It may be an special packet, error, unclean...
837 * inverse of the return code tells to the netfilter
838 * core what to do with the packet. */
839 if (proto->error != NULL
840 && (ret = proto->error(*pskb, &ctinfo, hooknum)) <= 0) {
841 CONNTRACK_STAT_INC(error);
842 CONNTRACK_STAT_INC(invalid);
843 return -ret;
844 }
845
846 if (!(ct = resolve_normal_ct(*pskb, proto,&set_reply,hooknum,&ctinfo))) {
847 /* Not valid part of a connection */
848 CONNTRACK_STAT_INC(invalid);
849 return NF_ACCEPT;
850 }
851
852 if (IS_ERR(ct)) {
853 /* Too stressed to deal. */
854 CONNTRACK_STAT_INC(drop);
855 return NF_DROP;
856 }
857
858 IP_NF_ASSERT((*pskb)->nfct);
859
860 ret = proto->packet(ct, *pskb, ctinfo);
861 if (ret < 0) {
862 /* Invalid: inverse of the return code tells
863 * the netfilter core what to do*/
864 nf_conntrack_put((*pskb)->nfct);
865 (*pskb)->nfct = NULL;
866 CONNTRACK_STAT_INC(invalid);
867 return -ret;
868 }
869
870 if (set_reply && !test_and_set_bit(IPS_SEEN_REPLY_BIT, &ct->status))
871 ip_conntrack_event_cache(IPCT_STATUS, *pskb);
872
873 return ret;
874 }
875
876 int invert_tuplepr(struct ip_conntrack_tuple *inverse,
877 const struct ip_conntrack_tuple *orig)
878 {
879 return ip_ct_invert_tuple(inverse, orig,
880 __ip_conntrack_proto_find(orig->dst.protonum));
881 }
882
883 /* Would two expected things clash? */
884 static inline int expect_clash(const struct ip_conntrack_expect *a,
885 const struct ip_conntrack_expect *b)
886 {
887 /* Part covered by intersection of masks must be unequal,
888 otherwise they clash */
889 struct ip_conntrack_tuple intersect_mask
890 = { { a->mask.src.ip & b->mask.src.ip,
891 { a->mask.src.u.all & b->mask.src.u.all } },
892 { a->mask.dst.ip & b->mask.dst.ip,
893 { a->mask.dst.u.all & b->mask.dst.u.all },
894 a->mask.dst.protonum & b->mask.dst.protonum } };
895
896 return ip_ct_tuple_mask_cmp(&a->tuple, &b->tuple, &intersect_mask);
897 }
898
899 static inline int expect_matches(const struct ip_conntrack_expect *a,
900 const struct ip_conntrack_expect *b)
901 {
902 return a->master == b->master
903 && ip_ct_tuple_equal(&a->tuple, &b->tuple)
904 && ip_ct_tuple_equal(&a->mask, &b->mask);
905 }
906
907 /* Generally a bad idea to call this: could have matched already. */
908 void ip_conntrack_unexpect_related(struct ip_conntrack_expect *exp)
909 {
910 struct ip_conntrack_expect *i;
911
912 write_lock_bh(&ip_conntrack_lock);
913 /* choose the the oldest expectation to evict */
914 list_for_each_entry_reverse(i, &ip_conntrack_expect_list, list) {
915 if (expect_matches(i, exp) && del_timer(&i->timeout)) {
916 ip_ct_unlink_expect(i);
917 write_unlock_bh(&ip_conntrack_lock);
918 ip_conntrack_expect_put(i);
919 return;
920 }
921 }
922 write_unlock_bh(&ip_conntrack_lock);
923 }
924
925 /* We don't increase the master conntrack refcount for non-fulfilled
926 * conntracks. During the conntrack destruction, the expectations are
927 * always killed before the conntrack itself */
928 struct ip_conntrack_expect *ip_conntrack_expect_alloc(struct ip_conntrack *me)
929 {
930 struct ip_conntrack_expect *new;
931
932 new = kmem_cache_alloc(ip_conntrack_expect_cachep, GFP_ATOMIC);
933 if (!new) {
934 DEBUGP("expect_related: OOM allocating expect\n");
935 return NULL;
936 }
937 new->master = me;
938 atomic_set(&new->use, 1);
939 return new;
940 }
941
942 void ip_conntrack_expect_put(struct ip_conntrack_expect *exp)
943 {
944 if (atomic_dec_and_test(&exp->use))
945 kmem_cache_free(ip_conntrack_expect_cachep, exp);
946 }
947
948 static void ip_conntrack_expect_insert(struct ip_conntrack_expect *exp)
949 {
950 atomic_inc(&exp->use);
951 exp->master->expecting++;
952 list_add(&exp->list, &ip_conntrack_expect_list);
953
954 init_timer(&exp->timeout);
955 exp->timeout.data = (unsigned long)exp;
956 exp->timeout.function = expectation_timed_out;
957 exp->timeout.expires = jiffies + exp->master->helper->timeout * HZ;
958 add_timer(&exp->timeout);
959
960 exp->id = ++ip_conntrack_expect_next_id;
961 atomic_inc(&exp->use);
962 CONNTRACK_STAT_INC(expect_create);
963 }
964
965 /* Race with expectations being used means we could have none to find; OK. */
966 static void evict_oldest_expect(struct ip_conntrack *master)
967 {
968 struct ip_conntrack_expect *i;
969
970 list_for_each_entry_reverse(i, &ip_conntrack_expect_list, list) {
971 if (i->master == master) {
972 if (del_timer(&i->timeout)) {
973 ip_ct_unlink_expect(i);
974 ip_conntrack_expect_put(i);
975 }
976 break;
977 }
978 }
979 }
980
981 static inline int refresh_timer(struct ip_conntrack_expect *i)
982 {
983 if (!del_timer(&i->timeout))
984 return 0;
985
986 i->timeout.expires = jiffies + i->master->helper->timeout*HZ;
987 add_timer(&i->timeout);
988 return 1;
989 }
990
991 int ip_conntrack_expect_related(struct ip_conntrack_expect *expect)
992 {
993 struct ip_conntrack_expect *i;
994 int ret;
995
996 DEBUGP("ip_conntrack_expect_related %p\n", related_to);
997 DEBUGP("tuple: "); DUMP_TUPLE(&expect->tuple);
998 DEBUGP("mask: "); DUMP_TUPLE(&expect->mask);
999
1000 write_lock_bh(&ip_conntrack_lock);
1001 list_for_each_entry(i, &ip_conntrack_expect_list, list) {
1002 if (expect_matches(i, expect)) {
1003 /* Refresh timer: if it's dying, ignore.. */
1004 if (refresh_timer(i)) {
1005 ret = 0;
1006 goto out;
1007 }
1008 } else if (expect_clash(i, expect)) {
1009 ret = -EBUSY;
1010 goto out;
1011 }
1012 }
1013
1014 /* Will be over limit? */
1015 if (expect->master->helper->max_expected &&
1016 expect->master->expecting >= expect->master->helper->max_expected)
1017 evict_oldest_expect(expect->master);
1018
1019 ip_conntrack_expect_insert(expect);
1020 ip_conntrack_expect_event(IPEXP_NEW, expect);
1021 ret = 0;
1022 out:
1023 write_unlock_bh(&ip_conntrack_lock);
1024 return ret;
1025 }
1026
1027 /* Alter reply tuple (maybe alter helper). This is for NAT, and is
1028 implicitly racy: see __ip_conntrack_confirm */
1029 void ip_conntrack_alter_reply(struct ip_conntrack *conntrack,
1030 const struct ip_conntrack_tuple *newreply)
1031 {
1032 write_lock_bh(&ip_conntrack_lock);
1033 /* Should be unconfirmed, so not in hash table yet */
1034 IP_NF_ASSERT(!is_confirmed(conntrack));
1035
1036 DEBUGP("Altering reply tuple of %p to ", conntrack);
1037 DUMP_TUPLE(newreply);
1038
1039 conntrack->tuplehash[IP_CT_DIR_REPLY].tuple = *newreply;
1040 if (!conntrack->master && conntrack->expecting == 0)
1041 conntrack->helper = __ip_conntrack_helper_find(newreply);
1042 write_unlock_bh(&ip_conntrack_lock);
1043 }
1044
1045 int ip_conntrack_helper_register(struct ip_conntrack_helper *me)
1046 {
1047 BUG_ON(me->timeout == 0);
1048 write_lock_bh(&ip_conntrack_lock);
1049 list_add(&me->list, &helpers);
1050 write_unlock_bh(&ip_conntrack_lock);
1051
1052 return 0;
1053 }
1054
1055 struct ip_conntrack_helper *
1056 __ip_conntrack_helper_find_byname(const char *name)
1057 {
1058 struct ip_conntrack_helper *h;
1059
1060 list_for_each_entry(h, &helpers, list) {
1061 if (!strcmp(h->name, name))
1062 return h;
1063 }
1064
1065 return NULL;
1066 }
1067
1068 static inline void unhelp(struct ip_conntrack_tuple_hash *i,
1069 const struct ip_conntrack_helper *me)
1070 {
1071 if (tuplehash_to_ctrack(i)->helper == me) {
1072 ip_conntrack_event(IPCT_HELPER, tuplehash_to_ctrack(i));
1073 tuplehash_to_ctrack(i)->helper = NULL;
1074 }
1075 }
1076
1077 void ip_conntrack_helper_unregister(struct ip_conntrack_helper *me)
1078 {
1079 unsigned int i;
1080 struct ip_conntrack_tuple_hash *h;
1081 struct ip_conntrack_expect *exp, *tmp;
1082
1083 /* Need write lock here, to delete helper. */
1084 write_lock_bh(&ip_conntrack_lock);
1085 list_del(&me->list);
1086
1087 /* Get rid of expectations */
1088 list_for_each_entry_safe(exp, tmp, &ip_conntrack_expect_list, list) {
1089 if (exp->master->helper == me && del_timer(&exp->timeout)) {
1090 ip_ct_unlink_expect(exp);
1091 ip_conntrack_expect_put(exp);
1092 }
1093 }
1094 /* Get rid of expecteds, set helpers to NULL. */
1095 list_for_each_entry(h, &unconfirmed, list)
1096 unhelp(h, me);
1097 for (i = 0; i < ip_conntrack_htable_size; i++) {
1098 list_for_each_entry(h, &ip_conntrack_hash[i], list)
1099 unhelp(h, me);
1100 }
1101 write_unlock_bh(&ip_conntrack_lock);
1102
1103 /* Someone could be still looking at the helper in a bh. */
1104 synchronize_net();
1105 }
1106
1107 /* Refresh conntrack for this many jiffies and do accounting if do_acct is 1 */
1108 void __ip_ct_refresh_acct(struct ip_conntrack *ct,
1109 enum ip_conntrack_info ctinfo,
1110 const struct sk_buff *skb,
1111 unsigned long extra_jiffies,
1112 int do_acct)
1113 {
1114 int event = 0;
1115
1116 IP_NF_ASSERT(ct->timeout.data == (unsigned long)ct);
1117 IP_NF_ASSERT(skb);
1118
1119 write_lock_bh(&ip_conntrack_lock);
1120
1121 /* Only update if this is not a fixed timeout */
1122 if (test_bit(IPS_FIXED_TIMEOUT_BIT, &ct->status)) {
1123 write_unlock_bh(&ip_conntrack_lock);
1124 return;
1125 }
1126
1127 /* If not in hash table, timer will not be active yet */
1128 if (!is_confirmed(ct)) {
1129 ct->timeout.expires = extra_jiffies;
1130 event = IPCT_REFRESH;
1131 } else {
1132 /* Need del_timer for race avoidance (may already be dying). */
1133 if (del_timer(&ct->timeout)) {
1134 ct->timeout.expires = jiffies + extra_jiffies;
1135 add_timer(&ct->timeout);
1136 event = IPCT_REFRESH;
1137 }
1138 }
1139
1140 #ifdef CONFIG_IP_NF_CT_ACCT
1141 if (do_acct) {
1142 ct->counters[CTINFO2DIR(ctinfo)].packets++;
1143 ct->counters[CTINFO2DIR(ctinfo)].bytes +=
1144 ntohs(skb->nh.iph->tot_len);
1145 if ((ct->counters[CTINFO2DIR(ctinfo)].packets & 0x80000000)
1146 || (ct->counters[CTINFO2DIR(ctinfo)].bytes & 0x80000000))
1147 event |= IPCT_COUNTER_FILLING;
1148 }
1149 #endif
1150
1151 write_unlock_bh(&ip_conntrack_lock);
1152
1153 /* must be unlocked when calling event cache */
1154 if (event)
1155 ip_conntrack_event_cache(event, skb);
1156 }
1157
1158 #if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \
1159 defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE)
1160 /* Generic function for tcp/udp/sctp/dccp and alike. This needs to be
1161 * in ip_conntrack_core, since we don't want the protocols to autoload
1162 * or depend on ctnetlink */
1163 int ip_ct_port_tuple_to_nfattr(struct sk_buff *skb,
1164 const struct ip_conntrack_tuple *tuple)
1165 {
1166 NFA_PUT(skb, CTA_PROTO_SRC_PORT, sizeof(__be16),
1167 &tuple->src.u.tcp.port);
1168 NFA_PUT(skb, CTA_PROTO_DST_PORT, sizeof(__be16),
1169 &tuple->dst.u.tcp.port);
1170 return 0;
1171
1172 nfattr_failure:
1173 return -1;
1174 }
1175
1176 int ip_ct_port_nfattr_to_tuple(struct nfattr *tb[],
1177 struct ip_conntrack_tuple *t)
1178 {
1179 if (!tb[CTA_PROTO_SRC_PORT-1] || !tb[CTA_PROTO_DST_PORT-1])
1180 return -EINVAL;
1181
1182 t->src.u.tcp.port =
1183 *(__be16 *)NFA_DATA(tb[CTA_PROTO_SRC_PORT-1]);
1184 t->dst.u.tcp.port =
1185 *(__be16 *)NFA_DATA(tb[CTA_PROTO_DST_PORT-1]);
1186
1187 return 0;
1188 }
1189 #endif
1190
1191 /* Returns new sk_buff, or NULL */
1192 struct sk_buff *
1193 ip_ct_gather_frags(struct sk_buff *skb, u_int32_t user)
1194 {
1195 skb_orphan(skb);
1196
1197 local_bh_disable();
1198 skb = ip_defrag(skb, user);
1199 local_bh_enable();
1200
1201 if (skb)
1202 ip_send_check(skb->nh.iph);
1203 return skb;
1204 }
1205
1206 /* Used by ipt_REJECT. */
1207 static void ip_conntrack_attach(struct sk_buff *nskb, struct sk_buff *skb)
1208 {
1209 struct ip_conntrack *ct;
1210 enum ip_conntrack_info ctinfo;
1211
1212 /* This ICMP is in reverse direction to the packet which caused it */
1213 ct = ip_conntrack_get(skb, &ctinfo);
1214
1215 if (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL)
1216 ctinfo = IP_CT_RELATED + IP_CT_IS_REPLY;
1217 else
1218 ctinfo = IP_CT_RELATED;
1219
1220 /* Attach to new skbuff, and increment count */
1221 nskb->nfct = &ct->ct_general;
1222 nskb->nfctinfo = ctinfo;
1223 nf_conntrack_get(nskb->nfct);
1224 }
1225
1226 /* Bring out ya dead! */
1227 static struct ip_conntrack *
1228 get_next_corpse(int (*iter)(struct ip_conntrack *i, void *data),
1229 void *data, unsigned int *bucket)
1230 {
1231 struct ip_conntrack_tuple_hash *h;
1232 struct ip_conntrack *ct;
1233
1234 write_lock_bh(&ip_conntrack_lock);
1235 for (; *bucket < ip_conntrack_htable_size; (*bucket)++) {
1236 list_for_each_entry(h, &ip_conntrack_hash[*bucket], list) {
1237 ct = tuplehash_to_ctrack(h);
1238 if (iter(ct, data))
1239 goto found;
1240 }
1241 }
1242 list_for_each_entry(h, &unconfirmed, list) {
1243 ct = tuplehash_to_ctrack(h);
1244 if (iter(ct, data))
1245 goto found;
1246 }
1247 write_unlock_bh(&ip_conntrack_lock);
1248 return NULL;
1249
1250 found:
1251 atomic_inc(&ct->ct_general.use);
1252 write_unlock_bh(&ip_conntrack_lock);
1253 return ct;
1254 }
1255
1256 void
1257 ip_ct_iterate_cleanup(int (*iter)(struct ip_conntrack *i, void *), void *data)
1258 {
1259 struct ip_conntrack *ct;
1260 unsigned int bucket = 0;
1261
1262 while ((ct = get_next_corpse(iter, data, &bucket)) != NULL) {
1263 /* Time to push up daises... */
1264 if (del_timer(&ct->timeout))
1265 death_by_timeout((unsigned long)ct);
1266 /* ... else the timer will get him soon. */
1267
1268 ip_conntrack_put(ct);
1269 }
1270 }
1271
1272 /* Fast function for those who don't want to parse /proc (and I don't
1273 blame them). */
1274 /* Reversing the socket's dst/src point of view gives us the reply
1275 mapping. */
1276 static int
1277 getorigdst(struct sock *sk, int optval, void __user *user, int *len)
1278 {
1279 struct inet_sock *inet = inet_sk(sk);
1280 struct ip_conntrack_tuple_hash *h;
1281 struct ip_conntrack_tuple tuple;
1282
1283 IP_CT_TUPLE_U_BLANK(&tuple);
1284 tuple.src.ip = inet->rcv_saddr;
1285 tuple.src.u.tcp.port = inet->sport;
1286 tuple.dst.ip = inet->daddr;
1287 tuple.dst.u.tcp.port = inet->dport;
1288 tuple.dst.protonum = IPPROTO_TCP;
1289
1290 /* We only do TCP at the moment: is there a better way? */
1291 if (strcmp(sk->sk_prot->name, "TCP")) {
1292 DEBUGP("SO_ORIGINAL_DST: Not a TCP socket\n");
1293 return -ENOPROTOOPT;
1294 }
1295
1296 if ((unsigned int) *len < sizeof(struct sockaddr_in)) {
1297 DEBUGP("SO_ORIGINAL_DST: len %u not %u\n",
1298 *len, sizeof(struct sockaddr_in));
1299 return -EINVAL;
1300 }
1301
1302 h = ip_conntrack_find_get(&tuple, NULL);
1303 if (h) {
1304 struct sockaddr_in sin;
1305 struct ip_conntrack *ct = tuplehash_to_ctrack(h);
1306
1307 sin.sin_family = AF_INET;
1308 sin.sin_port = ct->tuplehash[IP_CT_DIR_ORIGINAL]
1309 .tuple.dst.u.tcp.port;
1310 sin.sin_addr.s_addr = ct->tuplehash[IP_CT_DIR_ORIGINAL]
1311 .tuple.dst.ip;
1312 memset(sin.sin_zero, 0, sizeof(sin.sin_zero));
1313
1314 DEBUGP("SO_ORIGINAL_DST: %u.%u.%u.%u %u\n",
1315 NIPQUAD(sin.sin_addr.s_addr), ntohs(sin.sin_port));
1316 ip_conntrack_put(ct);
1317 if (copy_to_user(user, &sin, sizeof(sin)) != 0)
1318 return -EFAULT;
1319 else
1320 return 0;
1321 }
1322 DEBUGP("SO_ORIGINAL_DST: Can't find %u.%u.%u.%u/%u-%u.%u.%u.%u/%u.\n",
1323 NIPQUAD(tuple.src.ip), ntohs(tuple.src.u.tcp.port),
1324 NIPQUAD(tuple.dst.ip), ntohs(tuple.dst.u.tcp.port));
1325 return -ENOENT;
1326 }
1327
1328 static struct nf_sockopt_ops so_getorigdst = {
1329 .pf = PF_INET,
1330 .get_optmin = SO_ORIGINAL_DST,
1331 .get_optmax = SO_ORIGINAL_DST+1,
1332 .get = &getorigdst,
1333 };
1334
1335 static int kill_all(struct ip_conntrack *i, void *data)
1336 {
1337 return 1;
1338 }
1339
1340 void ip_conntrack_flush(void)
1341 {
1342 ip_ct_iterate_cleanup(kill_all, NULL);
1343 }
1344
1345 static void free_conntrack_hash(struct list_head *hash, int vmalloced,int size)
1346 {
1347 if (vmalloced)
1348 vfree(hash);
1349 else
1350 free_pages((unsigned long)hash,
1351 get_order(sizeof(struct list_head) * size));
1352 }
1353
1354 /* Mishearing the voices in his head, our hero wonders how he's
1355 supposed to kill the mall. */
1356 void ip_conntrack_cleanup(void)
1357 {
1358 ip_ct_attach = NULL;
1359
1360 /* This makes sure all current packets have passed through
1361 netfilter framework. Roll on, two-stage module
1362 delete... */
1363 synchronize_net();
1364
1365 ip_ct_event_cache_flush();
1366 i_see_dead_people:
1367 ip_conntrack_flush();
1368 if (atomic_read(&ip_conntrack_count) != 0) {
1369 schedule();
1370 goto i_see_dead_people;
1371 }
1372 /* wait until all references to ip_conntrack_untracked are dropped */
1373 while (atomic_read(&ip_conntrack_untracked.ct_general.use) > 1)
1374 schedule();
1375
1376 kmem_cache_destroy(ip_conntrack_cachep);
1377 kmem_cache_destroy(ip_conntrack_expect_cachep);
1378 free_conntrack_hash(ip_conntrack_hash, ip_conntrack_vmalloc,
1379 ip_conntrack_htable_size);
1380 nf_unregister_sockopt(&so_getorigdst);
1381 }
1382
1383 static struct list_head *alloc_hashtable(int size, int *vmalloced)
1384 {
1385 struct list_head *hash;
1386 unsigned int i;
1387
1388 *vmalloced = 0;
1389 hash = (void*)__get_free_pages(GFP_KERNEL,
1390 get_order(sizeof(struct list_head)
1391 * size));
1392 if (!hash) {
1393 *vmalloced = 1;
1394 printk(KERN_WARNING"ip_conntrack: falling back to vmalloc.\n");
1395 hash = vmalloc(sizeof(struct list_head) * size);
1396 }
1397
1398 if (hash)
1399 for (i = 0; i < size; i++)
1400 INIT_LIST_HEAD(&hash[i]);
1401
1402 return hash;
1403 }
1404
1405 static int set_hashsize(const char *val, struct kernel_param *kp)
1406 {
1407 int i, bucket, hashsize, vmalloced;
1408 int old_vmalloced, old_size;
1409 int rnd;
1410 struct list_head *hash, *old_hash;
1411 struct ip_conntrack_tuple_hash *h;
1412
1413 /* On boot, we can set this without any fancy locking. */
1414 if (!ip_conntrack_htable_size)
1415 return param_set_int(val, kp);
1416
1417 hashsize = simple_strtol(val, NULL, 0);
1418 if (!hashsize)
1419 return -EINVAL;
1420
1421 hash = alloc_hashtable(hashsize, &vmalloced);
1422 if (!hash)
1423 return -ENOMEM;
1424
1425 /* We have to rehash for the new table anyway, so we also can
1426 * use a new random seed */
1427 get_random_bytes(&rnd, 4);
1428
1429 write_lock_bh(&ip_conntrack_lock);
1430 for (i = 0; i < ip_conntrack_htable_size; i++) {
1431 while (!list_empty(&ip_conntrack_hash[i])) {
1432 h = list_entry(ip_conntrack_hash[i].next,
1433 struct ip_conntrack_tuple_hash, list);
1434 list_del(&h->list);
1435 bucket = __hash_conntrack(&h->tuple, hashsize, rnd);
1436 list_add_tail(&h->list, &hash[bucket]);
1437 }
1438 }
1439 old_size = ip_conntrack_htable_size;
1440 old_vmalloced = ip_conntrack_vmalloc;
1441 old_hash = ip_conntrack_hash;
1442
1443 ip_conntrack_htable_size = hashsize;
1444 ip_conntrack_vmalloc = vmalloced;
1445 ip_conntrack_hash = hash;
1446 ip_conntrack_hash_rnd = rnd;
1447 write_unlock_bh(&ip_conntrack_lock);
1448
1449 free_conntrack_hash(old_hash, old_vmalloced, old_size);
1450 return 0;
1451 }
1452
1453 module_param_call(hashsize, set_hashsize, param_get_uint,
1454 &ip_conntrack_htable_size, 0600);
1455
1456 int __init ip_conntrack_init(void)
1457 {
1458 unsigned int i;
1459 int ret;
1460
1461 /* Idea from tcp.c: use 1/16384 of memory. On i386: 32MB
1462 * machine has 256 buckets. >= 1GB machines have 8192 buckets. */
1463 if (!ip_conntrack_htable_size) {
1464 ip_conntrack_htable_size
1465 = (((num_physpages << PAGE_SHIFT) / 16384)
1466 / sizeof(struct list_head));
1467 if (num_physpages > (1024 * 1024 * 1024 / PAGE_SIZE))
1468 ip_conntrack_htable_size = 8192;
1469 if (ip_conntrack_htable_size < 16)
1470 ip_conntrack_htable_size = 16;
1471 }
1472 ip_conntrack_max = 8 * ip_conntrack_htable_size;
1473
1474 printk("ip_conntrack version %s (%u buckets, %d max)"
1475 " - %Zd bytes per conntrack\n", IP_CONNTRACK_VERSION,
1476 ip_conntrack_htable_size, ip_conntrack_max,
1477 sizeof(struct ip_conntrack));
1478
1479 ret = nf_register_sockopt(&so_getorigdst);
1480 if (ret != 0) {
1481 printk(KERN_ERR "Unable to register netfilter socket option\n");
1482 return ret;
1483 }
1484
1485 ip_conntrack_hash = alloc_hashtable(ip_conntrack_htable_size,
1486 &ip_conntrack_vmalloc);
1487 if (!ip_conntrack_hash) {
1488 printk(KERN_ERR "Unable to create ip_conntrack_hash\n");
1489 goto err_unreg_sockopt;
1490 }
1491
1492 ip_conntrack_cachep = kmem_cache_create("ip_conntrack",
1493 sizeof(struct ip_conntrack), 0,
1494 0, NULL, NULL);
1495 if (!ip_conntrack_cachep) {
1496 printk(KERN_ERR "Unable to create ip_conntrack slab cache\n");
1497 goto err_free_hash;
1498 }
1499
1500 ip_conntrack_expect_cachep = kmem_cache_create("ip_conntrack_expect",
1501 sizeof(struct ip_conntrack_expect),
1502 0, 0, NULL, NULL);
1503 if (!ip_conntrack_expect_cachep) {
1504 printk(KERN_ERR "Unable to create ip_expect slab cache\n");
1505 goto err_free_conntrack_slab;
1506 }
1507
1508 /* Don't NEED lock here, but good form anyway. */
1509 write_lock_bh(&ip_conntrack_lock);
1510 for (i = 0; i < MAX_IP_CT_PROTO; i++)
1511 ip_ct_protos[i] = &ip_conntrack_generic_protocol;
1512 /* Sew in builtin protocols. */
1513 ip_ct_protos[IPPROTO_TCP] = &ip_conntrack_protocol_tcp;
1514 ip_ct_protos[IPPROTO_UDP] = &ip_conntrack_protocol_udp;
1515 ip_ct_protos[IPPROTO_ICMP] = &ip_conntrack_protocol_icmp;
1516 write_unlock_bh(&ip_conntrack_lock);
1517
1518 /* For use by ipt_REJECT */
1519 ip_ct_attach = ip_conntrack_attach;
1520
1521 /* Set up fake conntrack:
1522 - to never be deleted, not in any hashes */
1523 atomic_set(&ip_conntrack_untracked.ct_general.use, 1);
1524 /* - and look it like as a confirmed connection */
1525 set_bit(IPS_CONFIRMED_BIT, &ip_conntrack_untracked.status);
1526
1527 return ret;
1528
1529 err_free_conntrack_slab:
1530 kmem_cache_destroy(ip_conntrack_cachep);
1531 err_free_hash:
1532 free_conntrack_hash(ip_conntrack_hash, ip_conntrack_vmalloc,
1533 ip_conntrack_htable_size);
1534 err_unreg_sockopt:
1535 nf_unregister_sockopt(&so_getorigdst);
1536
1537 return -ENOMEM;
1538 }
Ubuntu Artful kernel mirror