]> git.proxmox.com Git - mirror_ubuntu-focal-kernel.git/blob - net/netfilter/nf_conntrack_netlink.c
projects / mirror_ubuntu-focal-kernel.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
netfilter: ctnetlink: netns exit must wait for callbacks
[mirror_ubuntu-focal-kernel.git] / net / netfilter / nf_conntrack_netlink.c
1 /* Connection tracking via netlink socket. Allows for user space
2 * protocol helpers and general trouble making from userspace.
3 *
4 * (C) 2001 by Jay Schulist <jschlst@samba.org>
5 * (C) 2002-2006 by Harald Welte <laforge@gnumonks.org>
6 * (C) 2003 by Patrick Mchardy <kaber@trash.net>
7 * (C) 2005-2012 by Pablo Neira Ayuso <pablo@netfilter.org>
8 *
9 * Initial connection tracking via netlink development funded and
10 * generally made possible by Network Robots, Inc. (www.networkrobots.com)
11 *
12 * Further development of this code funded by Astaro AG (http://www.astaro.com)
13 *
14 * This software may be used and distributed according to the terms
15 * of the GNU General Public License, incorporated herein by reference.
16 */
17
18 #include <linux/init.h>
19 #include <linux/module.h>
20 #include <linux/kernel.h>
21 #include <linux/rculist.h>
22 #include <linux/rculist_nulls.h>
23 #include <linux/types.h>
24 #include <linux/timer.h>
25 #include <linux/security.h>
26 #include <linux/skbuff.h>
27 #include <linux/errno.h>
28 #include <linux/netlink.h>
29 #include <linux/spinlock.h>
30 #include <linux/interrupt.h>
31 #include <linux/slab.h>
32 #include <linux/siphash.h>
33
34 #include <linux/netfilter.h>
35 #include <net/netlink.h>
36 #include <net/sock.h>
37 #include <net/netfilter/nf_conntrack.h>
38 #include <net/netfilter/nf_conntrack_core.h>
39 #include <net/netfilter/nf_conntrack_expect.h>
40 #include <net/netfilter/nf_conntrack_helper.h>
41 #include <net/netfilter/nf_conntrack_seqadj.h>
42 #include <net/netfilter/nf_conntrack_l4proto.h>
43 #include <net/netfilter/nf_conntrack_tuple.h>
44 #include <net/netfilter/nf_conntrack_acct.h>
45 #include <net/netfilter/nf_conntrack_zones.h>
46 #include <net/netfilter/nf_conntrack_timestamp.h>
47 #include <net/netfilter/nf_conntrack_labels.h>
48 #include <net/netfilter/nf_conntrack_synproxy.h>
49 #if IS_ENABLED(CONFIG_NF_NAT)
50 #include <net/netfilter/nf_nat.h>
51 #include <net/netfilter/nf_nat_helper.h>
52 #endif
53
54 #include <linux/netfilter/nfnetlink.h>
55 #include <linux/netfilter/nfnetlink_conntrack.h>
56
57 MODULE_LICENSE("GPL");
58
59 static int ctnetlink_dump_tuples_proto(struct sk_buff *skb,
60 const struct nf_conntrack_tuple *tuple,
61 const struct nf_conntrack_l4proto *l4proto)
62 {
63 int ret = 0;
64 struct nlattr *nest_parms;
65
66 nest_parms = nla_nest_start(skb, CTA_TUPLE_PROTO);
67 if (!nest_parms)
68 goto nla_put_failure;
69 if (nla_put_u8(skb, CTA_PROTO_NUM, tuple->dst.protonum))
70 goto nla_put_failure;
71
72 if (likely(l4proto->tuple_to_nlattr))
73 ret = l4proto->tuple_to_nlattr(skb, tuple);
74
75 nla_nest_end(skb, nest_parms);
76
77 return ret;
78
79 nla_put_failure:
80 return -1;
81 }
82
83 static int ipv4_tuple_to_nlattr(struct sk_buff *skb,
84 const struct nf_conntrack_tuple *tuple)
85 {
86 if (nla_put_in_addr(skb, CTA_IP_V4_SRC, tuple->src.u3.ip) ||
87 nla_put_in_addr(skb, CTA_IP_V4_DST, tuple->dst.u3.ip))
88 return -EMSGSIZE;
89 return 0;
90 }
91
92 static int ipv6_tuple_to_nlattr(struct sk_buff *skb,
93 const struct nf_conntrack_tuple *tuple)
94 {
95 if (nla_put_in6_addr(skb, CTA_IP_V6_SRC, &tuple->src.u3.in6) ||
96 nla_put_in6_addr(skb, CTA_IP_V6_DST, &tuple->dst.u3.in6))
97 return -EMSGSIZE;
98 return 0;
99 }
100
101 static int ctnetlink_dump_tuples_ip(struct sk_buff *skb,
102 const struct nf_conntrack_tuple *tuple)
103 {
104 int ret = 0;
105 struct nlattr *nest_parms;
106
107 nest_parms = nla_nest_start(skb, CTA_TUPLE_IP);
108 if (!nest_parms)
109 goto nla_put_failure;
110
111 switch (tuple->src.l3num) {
112 case NFPROTO_IPV4:
113 ret = ipv4_tuple_to_nlattr(skb, tuple);
114 break;
115 case NFPROTO_IPV6:
116 ret = ipv6_tuple_to_nlattr(skb, tuple);
117 break;
118 }
119
120 nla_nest_end(skb, nest_parms);
121
122 return ret;
123
124 nla_put_failure:
125 return -1;
126 }
127
128 static int ctnetlink_dump_tuples(struct sk_buff *skb,
129 const struct nf_conntrack_tuple *tuple)
130 {
131 const struct nf_conntrack_l4proto *l4proto;
132 int ret;
133
134 rcu_read_lock();
135 ret = ctnetlink_dump_tuples_ip(skb, tuple);
136
137 if (ret >= 0) {
138 l4proto = nf_ct_l4proto_find(tuple->dst.protonum);
139 ret = ctnetlink_dump_tuples_proto(skb, tuple, l4proto);
140 }
141 rcu_read_unlock();
142 return ret;
143 }
144
145 static int ctnetlink_dump_zone_id(struct sk_buff *skb, int attrtype,
146 const struct nf_conntrack_zone *zone, int dir)
147 {
148 if (zone->id == NF_CT_DEFAULT_ZONE_ID || zone->dir != dir)
149 return 0;
150 if (nla_put_be16(skb, attrtype, htons(zone->id)))
151 goto nla_put_failure;
152 return 0;
153
154 nla_put_failure:
155 return -1;
156 }
157
158 static int ctnetlink_dump_status(struct sk_buff *skb, const struct nf_conn *ct)
159 {
160 if (nla_put_be32(skb, CTA_STATUS, htonl(ct->status)))
161 goto nla_put_failure;
162 return 0;
163
164 nla_put_failure:
165 return -1;
166 }
167
168 static int ctnetlink_dump_timeout(struct sk_buff *skb, const struct nf_conn *ct)
169 {
170 long timeout = nf_ct_expires(ct) / HZ;
171
172 if (nla_put_be32(skb, CTA_TIMEOUT, htonl(timeout)))
173 goto nla_put_failure;
174 return 0;
175
176 nla_put_failure:
177 return -1;
178 }
179
180 static int ctnetlink_dump_protoinfo(struct sk_buff *skb, struct nf_conn *ct)
181 {
182 const struct nf_conntrack_l4proto *l4proto;
183 struct nlattr *nest_proto;
184 int ret;
185
186 l4proto = nf_ct_l4proto_find(nf_ct_protonum(ct));
187 if (!l4proto->to_nlattr)
188 return 0;
189
190 nest_proto = nla_nest_start(skb, CTA_PROTOINFO);
191 if (!nest_proto)
192 goto nla_put_failure;
193
194 ret = l4proto->to_nlattr(skb, nest_proto, ct);
195
196 nla_nest_end(skb, nest_proto);
197
198 return ret;
199
200 nla_put_failure:
201 return -1;
202 }
203
204 static int ctnetlink_dump_helpinfo(struct sk_buff *skb,
205 const struct nf_conn *ct)
206 {
207 struct nlattr *nest_helper;
208 const struct nf_conn_help *help = nfct_help(ct);
209 struct nf_conntrack_helper *helper;
210
211 if (!help)
212 return 0;
213
214 helper = rcu_dereference(help->helper);
215 if (!helper)
216 goto out;
217
218 nest_helper = nla_nest_start(skb, CTA_HELP);
219 if (!nest_helper)
220 goto nla_put_failure;
221 if (nla_put_string(skb, CTA_HELP_NAME, helper->name))
222 goto nla_put_failure;
223
224 if (helper->to_nlattr)
225 helper->to_nlattr(skb, ct);
226
227 nla_nest_end(skb, nest_helper);
228 out:
229 return 0;
230
231 nla_put_failure:
232 return -1;
233 }
234
235 static int
236 dump_counters(struct sk_buff *skb, struct nf_conn_acct *acct,
237 enum ip_conntrack_dir dir, int type)
238 {
239 enum ctattr_type attr = dir ? CTA_COUNTERS_REPLY: CTA_COUNTERS_ORIG;
240 struct nf_conn_counter *counter = acct->counter;
241 struct nlattr *nest_count;
242 u64 pkts, bytes;
243
244 if (type == IPCTNL_MSG_CT_GET_CTRZERO) {
245 pkts = atomic64_xchg(&counter[dir].packets, 0);
246 bytes = atomic64_xchg(&counter[dir].bytes, 0);
247 } else {
248 pkts = atomic64_read(&counter[dir].packets);
249 bytes = atomic64_read(&counter[dir].bytes);
250 }
251
252 nest_count = nla_nest_start(skb, attr);
253 if (!nest_count)
254 goto nla_put_failure;
255
256 if (nla_put_be64(skb, CTA_COUNTERS_PACKETS, cpu_to_be64(pkts),
257 CTA_COUNTERS_PAD) ||
258 nla_put_be64(skb, CTA_COUNTERS_BYTES, cpu_to_be64(bytes),
259 CTA_COUNTERS_PAD))
260 goto nla_put_failure;
261
262 nla_nest_end(skb, nest_count);
263
264 return 0;
265
266 nla_put_failure:
267 return -1;
268 }
269
270 static int
271 ctnetlink_dump_acct(struct sk_buff *skb, const struct nf_conn *ct, int type)
272 {
273 struct nf_conn_acct *acct = nf_conn_acct_find(ct);
274
275 if (!acct)
276 return 0;
277
278 if (dump_counters(skb, acct, IP_CT_DIR_ORIGINAL, type) < 0)
279 return -1;
280 if (dump_counters(skb, acct, IP_CT_DIR_REPLY, type) < 0)
281 return -1;
282
283 return 0;
284 }
285
286 static int
287 ctnetlink_dump_timestamp(struct sk_buff *skb, const struct nf_conn *ct)
288 {
289 struct nlattr *nest_count;
290 const struct nf_conn_tstamp *tstamp;
291
292 tstamp = nf_conn_tstamp_find(ct);
293 if (!tstamp)
294 return 0;
295
296 nest_count = nla_nest_start(skb, CTA_TIMESTAMP);
297 if (!nest_count)
298 goto nla_put_failure;
299
300 if (nla_put_be64(skb, CTA_TIMESTAMP_START, cpu_to_be64(tstamp->start),
301 CTA_TIMESTAMP_PAD) ||
302 (tstamp->stop != 0 && nla_put_be64(skb, CTA_TIMESTAMP_STOP,
303 cpu_to_be64(tstamp->stop),
304 CTA_TIMESTAMP_PAD)))
305 goto nla_put_failure;
306 nla_nest_end(skb, nest_count);
307
308 return 0;
309
310 nla_put_failure:
311 return -1;
312 }
313
314 #ifdef CONFIG_NF_CONNTRACK_MARK
315 static int ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct)
316 {
317 if (nla_put_be32(skb, CTA_MARK, htonl(ct->mark)))
318 goto nla_put_failure;
319 return 0;
320
321 nla_put_failure:
322 return -1;
323 }
324 #else
325 #define ctnetlink_dump_mark(a, b) (0)
326 #endif
327
328 #ifdef CONFIG_NF_CONNTRACK_SECMARK
329 static int ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
330 {
331 struct nlattr *nest_secctx;
332 int len, ret;
333 char *secctx;
334
335 ret = security_secid_to_secctx(ct->secmark, &secctx, &len);
336 if (ret)
337 return 0;
338
339 ret = -1;
340 nest_secctx = nla_nest_start(skb, CTA_SECCTX);
341 if (!nest_secctx)
342 goto nla_put_failure;
343
344 if (nla_put_string(skb, CTA_SECCTX_NAME, secctx))
345 goto nla_put_failure;
346 nla_nest_end(skb, nest_secctx);
347
348 ret = 0;
349 nla_put_failure:
350 security_release_secctx(secctx, len);
351 return ret;
352 }
353 #else
354 #define ctnetlink_dump_secctx(a, b) (0)
355 #endif
356
357 #ifdef CONFIG_NF_CONNTRACK_LABELS
358 static inline int ctnetlink_label_size(const struct nf_conn *ct)
359 {
360 struct nf_conn_labels *labels = nf_ct_labels_find(ct);
361
362 if (!labels)
363 return 0;
364 return nla_total_size(sizeof(labels->bits));
365 }
366
367 static int
368 ctnetlink_dump_labels(struct sk_buff *skb, const struct nf_conn *ct)
369 {
370 struct nf_conn_labels *labels = nf_ct_labels_find(ct);
371 unsigned int i;
372
373 if (!labels)
374 return 0;
375
376 i = 0;
377 do {
378 if (labels->bits[i] != 0)
379 return nla_put(skb, CTA_LABELS, sizeof(labels->bits),
380 labels->bits);
381 i++;
382 } while (i < ARRAY_SIZE(labels->bits));
383
384 return 0;
385 }
386 #else
387 #define ctnetlink_dump_labels(a, b) (0)
388 #define ctnetlink_label_size(a) (0)
389 #endif
390
391 #define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple)
392
393 static int ctnetlink_dump_master(struct sk_buff *skb, const struct nf_conn *ct)
394 {
395 struct nlattr *nest_parms;
396
397 if (!(ct->status & IPS_EXPECTED))
398 return 0;
399
400 nest_parms = nla_nest_start(skb, CTA_TUPLE_MASTER);
401 if (!nest_parms)
402 goto nla_put_failure;
403 if (ctnetlink_dump_tuples(skb, master_tuple(ct)) < 0)
404 goto nla_put_failure;
405 nla_nest_end(skb, nest_parms);
406
407 return 0;
408
409 nla_put_failure:
410 return -1;
411 }
412
413 static int
414 dump_ct_seq_adj(struct sk_buff *skb, const struct nf_ct_seqadj *seq, int type)
415 {
416 struct nlattr *nest_parms;
417
418 nest_parms = nla_nest_start(skb, type);
419 if (!nest_parms)
420 goto nla_put_failure;
421
422 if (nla_put_be32(skb, CTA_SEQADJ_CORRECTION_POS,
423 htonl(seq->correction_pos)) ||
424 nla_put_be32(skb, CTA_SEQADJ_OFFSET_BEFORE,
425 htonl(seq->offset_before)) ||
426 nla_put_be32(skb, CTA_SEQADJ_OFFSET_AFTER,
427 htonl(seq->offset_after)))
428 goto nla_put_failure;
429
430 nla_nest_end(skb, nest_parms);
431
432 return 0;
433
434 nla_put_failure:
435 return -1;
436 }
437
438 static int ctnetlink_dump_ct_seq_adj(struct sk_buff *skb, struct nf_conn *ct)
439 {
440 struct nf_conn_seqadj *seqadj = nfct_seqadj(ct);
441 struct nf_ct_seqadj *seq;
442
443 if (!(ct->status & IPS_SEQ_ADJUST) || !seqadj)
444 return 0;
445
446 spin_lock_bh(&ct->lock);
447 seq = &seqadj->seq[IP_CT_DIR_ORIGINAL];
448 if (dump_ct_seq_adj(skb, seq, CTA_SEQ_ADJ_ORIG) == -1)
449 goto err;
450
451 seq = &seqadj->seq[IP_CT_DIR_REPLY];
452 if (dump_ct_seq_adj(skb, seq, CTA_SEQ_ADJ_REPLY) == -1)
453 goto err;
454
455 spin_unlock_bh(&ct->lock);
456 return 0;
457 err:
458 spin_unlock_bh(&ct->lock);
459 return -1;
460 }
461
462 static int ctnetlink_dump_ct_synproxy(struct sk_buff *skb, struct nf_conn *ct)
463 {
464 struct nf_conn_synproxy *synproxy = nfct_synproxy(ct);
465 struct nlattr *nest_parms;
466
467 if (!synproxy)
468 return 0;
469
470 nest_parms = nla_nest_start(skb, CTA_SYNPROXY);
471 if (!nest_parms)
472 goto nla_put_failure;
473
474 if (nla_put_be32(skb, CTA_SYNPROXY_ISN, htonl(synproxy->isn)) ||
475 nla_put_be32(skb, CTA_SYNPROXY_ITS, htonl(synproxy->its)) ||
476 nla_put_be32(skb, CTA_SYNPROXY_TSOFF, htonl(synproxy->tsoff)))
477 goto nla_put_failure;
478
479 nla_nest_end(skb, nest_parms);
480
481 return 0;
482
483 nla_put_failure:
484 return -1;
485 }
486
487 static int ctnetlink_dump_id(struct sk_buff *skb, const struct nf_conn *ct)
488 {
489 __be32 id = (__force __be32)nf_ct_get_id(ct);
490
491 if (nla_put_be32(skb, CTA_ID, id))
492 goto nla_put_failure;
493 return 0;
494
495 nla_put_failure:
496 return -1;
497 }
498
499 static int ctnetlink_dump_use(struct sk_buff *skb, const struct nf_conn *ct)
500 {
501 if (nla_put_be32(skb, CTA_USE, htonl(atomic_read(&ct->ct_general.use))))
502 goto nla_put_failure;
503 return 0;
504
505 nla_put_failure:
506 return -1;
507 }
508
509 static int
510 ctnetlink_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
511 struct nf_conn *ct)
512 {
513 const struct nf_conntrack_zone *zone;
514 struct nlmsghdr *nlh;
515 struct nfgenmsg *nfmsg;
516 struct nlattr *nest_parms;
517 unsigned int flags = portid ? NLM_F_MULTI : 0, event;
518
519 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, IPCTNL_MSG_CT_NEW);
520 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
521 if (nlh == NULL)
522 goto nlmsg_failure;
523
524 nfmsg = nlmsg_data(nlh);
525 nfmsg->nfgen_family = nf_ct_l3num(ct);
526 nfmsg->version = NFNETLINK_V0;
527 nfmsg->res_id = 0;
528
529 zone = nf_ct_zone(ct);
530
531 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG);
532 if (!nest_parms)
533 goto nla_put_failure;
534 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
535 goto nla_put_failure;
536 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
537 NF_CT_ZONE_DIR_ORIG) < 0)
538 goto nla_put_failure;
539 nla_nest_end(skb, nest_parms);
540
541 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY);
542 if (!nest_parms)
543 goto nla_put_failure;
544 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
545 goto nla_put_failure;
546 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
547 NF_CT_ZONE_DIR_REPL) < 0)
548 goto nla_put_failure;
549 nla_nest_end(skb, nest_parms);
550
551 if (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone,
552 NF_CT_DEFAULT_ZONE_DIR) < 0)
553 goto nla_put_failure;
554
555 if (ctnetlink_dump_status(skb, ct) < 0 ||
556 ctnetlink_dump_acct(skb, ct, type) < 0 ||
557 ctnetlink_dump_timestamp(skb, ct) < 0 ||
558 ctnetlink_dump_helpinfo(skb, ct) < 0 ||
559 ctnetlink_dump_mark(skb, ct) < 0 ||
560 ctnetlink_dump_secctx(skb, ct) < 0 ||
561 ctnetlink_dump_labels(skb, ct) < 0 ||
562 ctnetlink_dump_id(skb, ct) < 0 ||
563 ctnetlink_dump_use(skb, ct) < 0 ||
564 ctnetlink_dump_master(skb, ct) < 0 ||
565 ctnetlink_dump_ct_seq_adj(skb, ct) < 0 ||
566 ctnetlink_dump_ct_synproxy(skb, ct) < 0)
567 goto nla_put_failure;
568
569 if (!test_bit(IPS_OFFLOAD_BIT, &ct->status) &&
570 (ctnetlink_dump_timeout(skb, ct) < 0 ||
571 ctnetlink_dump_protoinfo(skb, ct) < 0))
572 goto nla_put_failure;
573
574 nlmsg_end(skb, nlh);
575 return skb->len;
576
577 nlmsg_failure:
578 nla_put_failure:
579 nlmsg_cancel(skb, nlh);
580 return -1;
581 }
582
583 static const struct nla_policy cta_ip_nla_policy[CTA_IP_MAX + 1] = {
584 [CTA_IP_V4_SRC] = { .type = NLA_U32 },
585 [CTA_IP_V4_DST] = { .type = NLA_U32 },
586 [CTA_IP_V6_SRC] = { .len = sizeof(__be32) * 4 },
587 [CTA_IP_V6_DST] = { .len = sizeof(__be32) * 4 },
588 };
589
590 #if defined(CONFIG_NETFILTER_NETLINK_GLUE_CT) || defined(CONFIG_NF_CONNTRACK_EVENTS)
591 static size_t ctnetlink_proto_size(const struct nf_conn *ct)
592 {
593 const struct nf_conntrack_l4proto *l4proto;
594 size_t len, len4 = 0;
595
596 len = nla_policy_len(cta_ip_nla_policy, CTA_IP_MAX + 1);
597 len *= 3u; /* ORIG, REPLY, MASTER */
598
599 l4proto = nf_ct_l4proto_find(nf_ct_protonum(ct));
600 len += l4proto->nlattr_size;
601 if (l4proto->nlattr_tuple_size) {
602 len4 = l4proto->nlattr_tuple_size();
603 len4 *= 3u; /* ORIG, REPLY, MASTER */
604 }
605
606 return len + len4;
607 }
608 #endif
609
610 static inline size_t ctnetlink_acct_size(const struct nf_conn *ct)
611 {
612 if (!nf_ct_ext_exist(ct, NF_CT_EXT_ACCT))
613 return 0;
614 return 2 * nla_total_size(0) /* CTA_COUNTERS_ORIG|REPL */
615 + 2 * nla_total_size_64bit(sizeof(uint64_t)) /* CTA_COUNTERS_PACKETS */
616 + 2 * nla_total_size_64bit(sizeof(uint64_t)) /* CTA_COUNTERS_BYTES */
617 ;
618 }
619
620 static inline int ctnetlink_secctx_size(const struct nf_conn *ct)
621 {
622 #ifdef CONFIG_NF_CONNTRACK_SECMARK
623 int len, ret;
624
625 ret = security_secid_to_secctx(ct->secmark, NULL, &len);
626 if (ret)
627 return 0;
628
629 return nla_total_size(0) /* CTA_SECCTX */
630 + nla_total_size(sizeof(char) * len); /* CTA_SECCTX_NAME */
631 #else
632 return 0;
633 #endif
634 }
635
636 static inline size_t ctnetlink_timestamp_size(const struct nf_conn *ct)
637 {
638 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP
639 if (!nf_ct_ext_exist(ct, NF_CT_EXT_TSTAMP))
640 return 0;
641 return nla_total_size(0) + 2 * nla_total_size_64bit(sizeof(uint64_t));
642 #else
643 return 0;
644 #endif
645 }
646
647 #ifdef CONFIG_NF_CONNTRACK_EVENTS
648 static size_t ctnetlink_nlmsg_size(const struct nf_conn *ct)
649 {
650 return NLMSG_ALIGN(sizeof(struct nfgenmsg))
651 + 3 * nla_total_size(0) /* CTA_TUPLE_ORIG|REPL|MASTER */
652 + 3 * nla_total_size(0) /* CTA_TUPLE_IP */
653 + 3 * nla_total_size(0) /* CTA_TUPLE_PROTO */
654 + 3 * nla_total_size(sizeof(u_int8_t)) /* CTA_PROTO_NUM */
655 + nla_total_size(sizeof(u_int32_t)) /* CTA_ID */
656 + nla_total_size(sizeof(u_int32_t)) /* CTA_STATUS */
657 + ctnetlink_acct_size(ct)
658 + ctnetlink_timestamp_size(ct)
659 + nla_total_size(sizeof(u_int32_t)) /* CTA_TIMEOUT */
660 + nla_total_size(0) /* CTA_PROTOINFO */
661 + nla_total_size(0) /* CTA_HELP */
662 + nla_total_size(NF_CT_HELPER_NAME_LEN) /* CTA_HELP_NAME */
663 + ctnetlink_secctx_size(ct)
664 #if IS_ENABLED(CONFIG_NF_NAT)
665 + 2 * nla_total_size(0) /* CTA_NAT_SEQ_ADJ_ORIG|REPL */
666 + 6 * nla_total_size(sizeof(u_int32_t)) /* CTA_NAT_SEQ_OFFSET */
667 #endif
668 #ifdef CONFIG_NF_CONNTRACK_MARK
669 + nla_total_size(sizeof(u_int32_t)) /* CTA_MARK */
670 #endif
671 #ifdef CONFIG_NF_CONNTRACK_ZONES
672 + nla_total_size(sizeof(u_int16_t)) /* CTA_ZONE|CTA_TUPLE_ZONE */
673 #endif
674 + ctnetlink_proto_size(ct)
675 + ctnetlink_label_size(ct)
676 ;
677 }
678
679 static int
680 ctnetlink_conntrack_event(unsigned int events, struct nf_ct_event *item)
681 {
682 const struct nf_conntrack_zone *zone;
683 struct net *net;
684 struct nlmsghdr *nlh;
685 struct nfgenmsg *nfmsg;
686 struct nlattr *nest_parms;
687 struct nf_conn *ct = item->ct;
688 struct sk_buff *skb;
689 unsigned int type;
690 unsigned int flags = 0, group;
691 int err;
692
693 if (events & (1 << IPCT_DESTROY)) {
694 type = IPCTNL_MSG_CT_DELETE;
695 group = NFNLGRP_CONNTRACK_DESTROY;
696 } else if (events & ((1 << IPCT_NEW) | (1 << IPCT_RELATED))) {
697 type = IPCTNL_MSG_CT_NEW;
698 flags = NLM_F_CREATE|NLM_F_EXCL;
699 group = NFNLGRP_CONNTRACK_NEW;
700 } else if (events) {
701 type = IPCTNL_MSG_CT_NEW;
702 group = NFNLGRP_CONNTRACK_UPDATE;
703 } else
704 return 0;
705
706 net = nf_ct_net(ct);
707 if (!item->report && !nfnetlink_has_listeners(net, group))
708 return 0;
709
710 skb = nlmsg_new(ctnetlink_nlmsg_size(ct), GFP_ATOMIC);
711 if (skb == NULL)
712 goto errout;
713
714 type = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, type);
715 nlh = nlmsg_put(skb, item->portid, 0, type, sizeof(*nfmsg), flags);
716 if (nlh == NULL)
717 goto nlmsg_failure;
718
719 nfmsg = nlmsg_data(nlh);
720 nfmsg->nfgen_family = nf_ct_l3num(ct);
721 nfmsg->version = NFNETLINK_V0;
722 nfmsg->res_id = 0;
723
724 zone = nf_ct_zone(ct);
725
726 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG);
727 if (!nest_parms)
728 goto nla_put_failure;
729 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
730 goto nla_put_failure;
731 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
732 NF_CT_ZONE_DIR_ORIG) < 0)
733 goto nla_put_failure;
734 nla_nest_end(skb, nest_parms);
735
736 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY);
737 if (!nest_parms)
738 goto nla_put_failure;
739 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
740 goto nla_put_failure;
741 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
742 NF_CT_ZONE_DIR_REPL) < 0)
743 goto nla_put_failure;
744 nla_nest_end(skb, nest_parms);
745
746 if (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone,
747 NF_CT_DEFAULT_ZONE_DIR) < 0)
748 goto nla_put_failure;
749
750 if (ctnetlink_dump_id(skb, ct) < 0)
751 goto nla_put_failure;
752
753 if (ctnetlink_dump_status(skb, ct) < 0)
754 goto nla_put_failure;
755
756 if (events & (1 << IPCT_DESTROY)) {
757 if (ctnetlink_dump_acct(skb, ct, type) < 0 ||
758 ctnetlink_dump_timestamp(skb, ct) < 0)
759 goto nla_put_failure;
760 } else {
761 if (ctnetlink_dump_timeout(skb, ct) < 0)
762 goto nla_put_failure;
763
764 if (events & (1 << IPCT_PROTOINFO)
765 && ctnetlink_dump_protoinfo(skb, ct) < 0)
766 goto nla_put_failure;
767
768 if ((events & (1 << IPCT_HELPER) || nfct_help(ct))
769 && ctnetlink_dump_helpinfo(skb, ct) < 0)
770 goto nla_put_failure;
771
772 #ifdef CONFIG_NF_CONNTRACK_SECMARK
773 if ((events & (1 << IPCT_SECMARK) || ct->secmark)
774 && ctnetlink_dump_secctx(skb, ct) < 0)
775 goto nla_put_failure;
776 #endif
777 if (events & (1 << IPCT_LABEL) &&
778 ctnetlink_dump_labels(skb, ct) < 0)
779 goto nla_put_failure;
780
781 if (events & (1 << IPCT_RELATED) &&
782 ctnetlink_dump_master(skb, ct) < 0)
783 goto nla_put_failure;
784
785 if (events & (1 << IPCT_SEQADJ) &&
786 ctnetlink_dump_ct_seq_adj(skb, ct) < 0)
787 goto nla_put_failure;
788
789 if (events & (1 << IPCT_SYNPROXY) &&
790 ctnetlink_dump_ct_synproxy(skb, ct) < 0)
791 goto nla_put_failure;
792 }
793
794 #ifdef CONFIG_NF_CONNTRACK_MARK
795 if ((events & (1 << IPCT_MARK) || ct->mark)
796 && ctnetlink_dump_mark(skb, ct) < 0)
797 goto nla_put_failure;
798 #endif
799 nlmsg_end(skb, nlh);
800 err = nfnetlink_send(skb, net, item->portid, group, item->report,
801 GFP_ATOMIC);
802 if (err == -ENOBUFS || err == -EAGAIN)
803 return -ENOBUFS;
804
805 return 0;
806
807 nla_put_failure:
808 nlmsg_cancel(skb, nlh);
809 nlmsg_failure:
810 kfree_skb(skb);
811 errout:
812 if (nfnetlink_set_err(net, 0, group, -ENOBUFS) > 0)
813 return -ENOBUFS;
814
815 return 0;
816 }
817 #endif /* CONFIG_NF_CONNTRACK_EVENTS */
818
819 static int ctnetlink_done(struct netlink_callback *cb)
820 {
821 if (cb->args[1])
822 nf_ct_put((struct nf_conn *)cb->args[1]);
823 kfree(cb->data);
824 return 0;
825 }
826
827 struct ctnetlink_filter {
828 u8 family;
829 struct {
830 u_int32_t val;
831 u_int32_t mask;
832 } mark;
833 };
834
835 static struct ctnetlink_filter *
836 ctnetlink_alloc_filter(const struct nlattr * const cda[], u8 family)
837 {
838 struct ctnetlink_filter *filter;
839
840 #ifndef CONFIG_NF_CONNTRACK_MARK
841 if (cda[CTA_MARK] && cda[CTA_MARK_MASK])
842 return ERR_PTR(-EOPNOTSUPP);
843 #endif
844
845 filter = kzalloc(sizeof(*filter), GFP_KERNEL);
846 if (filter == NULL)
847 return ERR_PTR(-ENOMEM);
848
849 filter->family = family;
850
851 #ifdef CONFIG_NF_CONNTRACK_MARK
852 if (cda[CTA_MARK] && cda[CTA_MARK_MASK]) {
853 filter->mark.val = ntohl(nla_get_be32(cda[CTA_MARK]));
854 filter->mark.mask = ntohl(nla_get_be32(cda[CTA_MARK_MASK]));
855 }
856 #endif
857 return filter;
858 }
859
860 static int ctnetlink_start(struct netlink_callback *cb)
861 {
862 const struct nlattr * const *cda = cb->data;
863 struct ctnetlink_filter *filter = NULL;
864 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
865 u8 family = nfmsg->nfgen_family;
866
867 if (family || (cda[CTA_MARK] && cda[CTA_MARK_MASK])) {
868 filter = ctnetlink_alloc_filter(cda, family);
869 if (IS_ERR(filter))
870 return PTR_ERR(filter);
871 }
872
873 cb->data = filter;
874 return 0;
875 }
876
877 static int ctnetlink_filter_match(struct nf_conn *ct, void *data)
878 {
879 struct ctnetlink_filter *filter = data;
880
881 if (filter == NULL)
882 goto out;
883
884 /* Match entries of a given L3 protocol number.
885 * If it is not specified, ie. l3proto == 0,
886 * then match everything.
887 */
888 if (filter->family && nf_ct_l3num(ct) != filter->family)
889 goto ignore_entry;
890
891 #ifdef CONFIG_NF_CONNTRACK_MARK
892 if ((ct->mark & filter->mark.mask) != filter->mark.val)
893 goto ignore_entry;
894 #endif
895
896 out:
897 return 1;
898
899 ignore_entry:
900 return 0;
901 }
902
903 static int
904 ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
905 {
906 struct net *net = sock_net(skb->sk);
907 struct nf_conn *ct, *last;
908 struct nf_conntrack_tuple_hash *h;
909 struct hlist_nulls_node *n;
910 struct nf_conn *nf_ct_evict[8];
911 int res, i;
912 spinlock_t *lockp;
913
914 last = (struct nf_conn *)cb->args[1];
915 i = 0;
916
917 local_bh_disable();
918 for (; cb->args[0] < nf_conntrack_htable_size; cb->args[0]++) {
919 restart:
920 while (i) {
921 i--;
922 if (nf_ct_should_gc(nf_ct_evict[i]))
923 nf_ct_kill(nf_ct_evict[i]);
924 nf_ct_put(nf_ct_evict[i]);
925 }
926
927 lockp = &nf_conntrack_locks[cb->args[0] % CONNTRACK_LOCKS];
928 nf_conntrack_lock(lockp);
929 if (cb->args[0] >= nf_conntrack_htable_size) {
930 spin_unlock(lockp);
931 goto out;
932 }
933 hlist_nulls_for_each_entry(h, n, &nf_conntrack_hash[cb->args[0]],
934 hnnode) {
935 if (NF_CT_DIRECTION(h) != IP_CT_DIR_ORIGINAL)
936 continue;
937 ct = nf_ct_tuplehash_to_ctrack(h);
938 if (nf_ct_is_expired(ct)) {
939 if (i < ARRAY_SIZE(nf_ct_evict) &&
940 atomic_inc_not_zero(&ct->ct_general.use))
941 nf_ct_evict[i++] = ct;
942 continue;
943 }
944
945 if (!net_eq(net, nf_ct_net(ct)))
946 continue;
947
948 if (cb->args[1]) {
949 if (ct != last)
950 continue;
951 cb->args[1] = 0;
952 }
953 if (!ctnetlink_filter_match(ct, cb->data))
954 continue;
955
956 rcu_read_lock();
957 res =
958 ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).portid,
959 cb->nlh->nlmsg_seq,
960 NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
961 ct);
962 rcu_read_unlock();
963 if (res < 0) {
964 nf_conntrack_get(&ct->ct_general);
965 cb->args[1] = (unsigned long)ct;
966 spin_unlock(lockp);
967 goto out;
968 }
969 }
970 spin_unlock(lockp);
971 if (cb->args[1]) {
972 cb->args[1] = 0;
973 goto restart;
974 }
975 }
976 out:
977 local_bh_enable();
978 if (last) {
979 /* nf ct hash resize happened, now clear the leftover. */
980 if ((struct nf_conn *)cb->args[1] == last)
981 cb->args[1] = 0;
982
983 nf_ct_put(last);
984 }
985
986 while (i) {
987 i--;
988 if (nf_ct_should_gc(nf_ct_evict[i]))
989 nf_ct_kill(nf_ct_evict[i]);
990 nf_ct_put(nf_ct_evict[i]);
991 }
992
993 return skb->len;
994 }
995
996 static int ipv4_nlattr_to_tuple(struct nlattr *tb[],
997 struct nf_conntrack_tuple *t)
998 {
999 if (!tb[CTA_IP_V4_SRC] || !tb[CTA_IP_V4_DST])
1000 return -EINVAL;
1001
1002 t->src.u3.ip = nla_get_in_addr(tb[CTA_IP_V4_SRC]);
1003 t->dst.u3.ip = nla_get_in_addr(tb[CTA_IP_V4_DST]);
1004
1005 return 0;
1006 }
1007
1008 static int ipv6_nlattr_to_tuple(struct nlattr *tb[],
1009 struct nf_conntrack_tuple *t)
1010 {
1011 if (!tb[CTA_IP_V6_SRC] || !tb[CTA_IP_V6_DST])
1012 return -EINVAL;
1013
1014 t->src.u3.in6 = nla_get_in6_addr(tb[CTA_IP_V6_SRC]);
1015 t->dst.u3.in6 = nla_get_in6_addr(tb[CTA_IP_V6_DST]);
1016
1017 return 0;
1018 }
1019
1020 static int ctnetlink_parse_tuple_ip(struct nlattr *attr,
1021 struct nf_conntrack_tuple *tuple)
1022 {
1023 struct nlattr *tb[CTA_IP_MAX+1];
1024 int ret = 0;
1025
1026 ret = nla_parse_nested_deprecated(tb, CTA_IP_MAX, attr, NULL, NULL);
1027 if (ret < 0)
1028 return ret;
1029
1030 ret = nla_validate_nested_deprecated(attr, CTA_IP_MAX,
1031 cta_ip_nla_policy, NULL);
1032 if (ret)
1033 return ret;
1034
1035 switch (tuple->src.l3num) {
1036 case NFPROTO_IPV4:
1037 ret = ipv4_nlattr_to_tuple(tb, tuple);
1038 break;
1039 case NFPROTO_IPV6:
1040 ret = ipv6_nlattr_to_tuple(tb, tuple);
1041 break;
1042 }
1043
1044 return ret;
1045 }
1046
1047 static const struct nla_policy proto_nla_policy[CTA_PROTO_MAX+1] = {
1048 [CTA_PROTO_NUM] = { .type = NLA_U8 },
1049 };
1050
1051 static int ctnetlink_parse_tuple_proto(struct nlattr *attr,
1052 struct nf_conntrack_tuple *tuple)
1053 {
1054 const struct nf_conntrack_l4proto *l4proto;
1055 struct nlattr *tb[CTA_PROTO_MAX+1];
1056 int ret = 0;
1057
1058 ret = nla_parse_nested_deprecated(tb, CTA_PROTO_MAX, attr,
1059 proto_nla_policy, NULL);
1060 if (ret < 0)
1061 return ret;
1062
1063 if (!tb[CTA_PROTO_NUM])
1064 return -EINVAL;
1065 tuple->dst.protonum = nla_get_u8(tb[CTA_PROTO_NUM]);
1066
1067 rcu_read_lock();
1068 l4proto = nf_ct_l4proto_find(tuple->dst.protonum);
1069
1070 if (likely(l4proto->nlattr_to_tuple)) {
1071 ret = nla_validate_nested_deprecated(attr, CTA_PROTO_MAX,
1072 l4proto->nla_policy,
1073 NULL);
1074 if (ret == 0)
1075 ret = l4proto->nlattr_to_tuple(tb, tuple);
1076 }
1077
1078 rcu_read_unlock();
1079
1080 return ret;
1081 }
1082
1083 static int
1084 ctnetlink_parse_zone(const struct nlattr *attr,
1085 struct nf_conntrack_zone *zone)
1086 {
1087 nf_ct_zone_init(zone, NF_CT_DEFAULT_ZONE_ID,
1088 NF_CT_DEFAULT_ZONE_DIR, 0);
1089 #ifdef CONFIG_NF_CONNTRACK_ZONES
1090 if (attr)
1091 zone->id = ntohs(nla_get_be16(attr));
1092 #else
1093 if (attr)
1094 return -EOPNOTSUPP;
1095 #endif
1096 return 0;
1097 }
1098
1099 static int
1100 ctnetlink_parse_tuple_zone(struct nlattr *attr, enum ctattr_type type,
1101 struct nf_conntrack_zone *zone)
1102 {
1103 int ret;
1104
1105 if (zone->id != NF_CT_DEFAULT_ZONE_ID)
1106 return -EINVAL;
1107
1108 ret = ctnetlink_parse_zone(attr, zone);
1109 if (ret < 0)
1110 return ret;
1111
1112 if (type == CTA_TUPLE_REPLY)
1113 zone->dir = NF_CT_ZONE_DIR_REPL;
1114 else
1115 zone->dir = NF_CT_ZONE_DIR_ORIG;
1116
1117 return 0;
1118 }
1119
1120 static const struct nla_policy tuple_nla_policy[CTA_TUPLE_MAX+1] = {
1121 [CTA_TUPLE_IP] = { .type = NLA_NESTED },
1122 [CTA_TUPLE_PROTO] = { .type = NLA_NESTED },
1123 [CTA_TUPLE_ZONE] = { .type = NLA_U16 },
1124 };
1125
1126 static int
1127 ctnetlink_parse_tuple(const struct nlattr * const cda[],
1128 struct nf_conntrack_tuple *tuple, u32 type,
1129 u_int8_t l3num, struct nf_conntrack_zone *zone)
1130 {
1131 struct nlattr *tb[CTA_TUPLE_MAX+1];
1132 int err;
1133
1134 memset(tuple, 0, sizeof(*tuple));
1135
1136 err = nla_parse_nested_deprecated(tb, CTA_TUPLE_MAX, cda[type],
1137 tuple_nla_policy, NULL);
1138 if (err < 0)
1139 return err;
1140
1141 if (!tb[CTA_TUPLE_IP])
1142 return -EINVAL;
1143
1144 tuple->src.l3num = l3num;
1145
1146 err = ctnetlink_parse_tuple_ip(tb[CTA_TUPLE_IP], tuple);
1147 if (err < 0)
1148 return err;
1149
1150 if (!tb[CTA_TUPLE_PROTO])
1151 return -EINVAL;
1152
1153 err = ctnetlink_parse_tuple_proto(tb[CTA_TUPLE_PROTO], tuple);
1154 if (err < 0)
1155 return err;
1156
1157 if (tb[CTA_TUPLE_ZONE]) {
1158 if (!zone)
1159 return -EINVAL;
1160
1161 err = ctnetlink_parse_tuple_zone(tb[CTA_TUPLE_ZONE],
1162 type, zone);
1163 if (err < 0)
1164 return err;
1165 }
1166
1167 /* orig and expect tuples get DIR_ORIGINAL */
1168 if (type == CTA_TUPLE_REPLY)
1169 tuple->dst.dir = IP_CT_DIR_REPLY;
1170 else
1171 tuple->dst.dir = IP_CT_DIR_ORIGINAL;
1172
1173 return 0;
1174 }
1175
1176 static const struct nla_policy help_nla_policy[CTA_HELP_MAX+1] = {
1177 [CTA_HELP_NAME] = { .type = NLA_NUL_STRING,
1178 .len = NF_CT_HELPER_NAME_LEN - 1 },
1179 };
1180
1181 static int ctnetlink_parse_help(const struct nlattr *attr, char **helper_name,
1182 struct nlattr **helpinfo)
1183 {
1184 int err;
1185 struct nlattr *tb[CTA_HELP_MAX+1];
1186
1187 err = nla_parse_nested_deprecated(tb, CTA_HELP_MAX, attr,
1188 help_nla_policy, NULL);
1189 if (err < 0)
1190 return err;
1191
1192 if (!tb[CTA_HELP_NAME])
1193 return -EINVAL;
1194
1195 *helper_name = nla_data(tb[CTA_HELP_NAME]);
1196
1197 if (tb[CTA_HELP_INFO])
1198 *helpinfo = tb[CTA_HELP_INFO];
1199
1200 return 0;
1201 }
1202
1203 static const struct nla_policy ct_nla_policy[CTA_MAX+1] = {
1204 [CTA_TUPLE_ORIG] = { .type = NLA_NESTED },
1205 [CTA_TUPLE_REPLY] = { .type = NLA_NESTED },
1206 [CTA_STATUS] = { .type = NLA_U32 },
1207 [CTA_PROTOINFO] = { .type = NLA_NESTED },
1208 [CTA_HELP] = { .type = NLA_NESTED },
1209 [CTA_NAT_SRC] = { .type = NLA_NESTED },
1210 [CTA_TIMEOUT] = { .type = NLA_U32 },
1211 [CTA_MARK] = { .type = NLA_U32 },
1212 [CTA_ID] = { .type = NLA_U32 },
1213 [CTA_NAT_DST] = { .type = NLA_NESTED },
1214 [CTA_TUPLE_MASTER] = { .type = NLA_NESTED },
1215 [CTA_NAT_SEQ_ADJ_ORIG] = { .type = NLA_NESTED },
1216 [CTA_NAT_SEQ_ADJ_REPLY] = { .type = NLA_NESTED },
1217 [CTA_ZONE] = { .type = NLA_U16 },
1218 [CTA_MARK_MASK] = { .type = NLA_U32 },
1219 [CTA_LABELS] = { .type = NLA_BINARY,
1220 .len = NF_CT_LABELS_MAX_SIZE },
1221 [CTA_LABELS_MASK] = { .type = NLA_BINARY,
1222 .len = NF_CT_LABELS_MAX_SIZE },
1223 };
1224
1225 static int ctnetlink_flush_iterate(struct nf_conn *ct, void *data)
1226 {
1227 if (test_bit(IPS_OFFLOAD_BIT, &ct->status))
1228 return 0;
1229
1230 return ctnetlink_filter_match(ct, data);
1231 }
1232
1233 static int ctnetlink_flush_conntrack(struct net *net,
1234 const struct nlattr * const cda[],
1235 u32 portid, int report, u8 family)
1236 {
1237 struct ctnetlink_filter *filter = NULL;
1238
1239 if (family || (cda[CTA_MARK] && cda[CTA_MARK_MASK])) {
1240 filter = ctnetlink_alloc_filter(cda, family);
1241 if (IS_ERR(filter))
1242 return PTR_ERR(filter);
1243 }
1244
1245 nf_ct_iterate_cleanup_net(net, ctnetlink_flush_iterate, filter,
1246 portid, report);
1247 kfree(filter);
1248
1249 return 0;
1250 }
1251
1252 static int ctnetlink_del_conntrack(struct net *net, struct sock *ctnl,
1253 struct sk_buff *skb,
1254 const struct nlmsghdr *nlh,
1255 const struct nlattr * const cda[],
1256 struct netlink_ext_ack *extack)
1257 {
1258 struct nf_conntrack_tuple_hash *h;
1259 struct nf_conntrack_tuple tuple;
1260 struct nf_conn *ct;
1261 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1262 struct nf_conntrack_zone zone;
1263 int err;
1264
1265 err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone);
1266 if (err < 0)
1267 return err;
1268
1269 if (cda[CTA_TUPLE_ORIG])
1270 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG,
1271 nfmsg->nfgen_family, &zone);
1272 else if (cda[CTA_TUPLE_REPLY])
1273 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY,
1274 nfmsg->nfgen_family, &zone);
1275 else {
1276 u_int8_t u3 = nfmsg->version ? nfmsg->nfgen_family : AF_UNSPEC;
1277
1278 return ctnetlink_flush_conntrack(net, cda,
1279 NETLINK_CB(skb).portid,
1280 nlmsg_report(nlh), u3);
1281 }
1282
1283 if (err < 0)
1284 return err;
1285
1286 h = nf_conntrack_find_get(net, &zone, &tuple);
1287 if (!h)
1288 return -ENOENT;
1289
1290 ct = nf_ct_tuplehash_to_ctrack(h);
1291
1292 if (test_bit(IPS_OFFLOAD_BIT, &ct->status)) {
1293 nf_ct_put(ct);
1294 return -EBUSY;
1295 }
1296
1297 if (cda[CTA_ID]) {
1298 __be32 id = nla_get_be32(cda[CTA_ID]);
1299
1300 if (id != (__force __be32)nf_ct_get_id(ct)) {
1301 nf_ct_put(ct);
1302 return -ENOENT;
1303 }
1304 }
1305
1306 nf_ct_delete(ct, NETLINK_CB(skb).portid, nlmsg_report(nlh));
1307 nf_ct_put(ct);
1308
1309 return 0;
1310 }
1311
1312 static int ctnetlink_get_conntrack(struct net *net, struct sock *ctnl,
1313 struct sk_buff *skb,
1314 const struct nlmsghdr *nlh,
1315 const struct nlattr * const cda[],
1316 struct netlink_ext_ack *extack)
1317 {
1318 struct nf_conntrack_tuple_hash *h;
1319 struct nf_conntrack_tuple tuple;
1320 struct nf_conn *ct;
1321 struct sk_buff *skb2 = NULL;
1322 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1323 u_int8_t u3 = nfmsg->nfgen_family;
1324 struct nf_conntrack_zone zone;
1325 int err;
1326
1327 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1328 struct netlink_dump_control c = {
1329 .start = ctnetlink_start,
1330 .dump = ctnetlink_dump_table,
1331 .done = ctnetlink_done,
1332 .data = (void *)cda,
1333 };
1334
1335 return netlink_dump_start(ctnl, skb, nlh, &c);
1336 }
1337
1338 err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone);
1339 if (err < 0)
1340 return err;
1341
1342 if (cda[CTA_TUPLE_ORIG])
1343 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG,
1344 u3, &zone);
1345 else if (cda[CTA_TUPLE_REPLY])
1346 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY,
1347 u3, &zone);
1348 else
1349 return -EINVAL;
1350
1351 if (err < 0)
1352 return err;
1353
1354 h = nf_conntrack_find_get(net, &zone, &tuple);
1355 if (!h)
1356 return -ENOENT;
1357
1358 ct = nf_ct_tuplehash_to_ctrack(h);
1359
1360 err = -ENOMEM;
1361 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1362 if (skb2 == NULL) {
1363 nf_ct_put(ct);
1364 return -ENOMEM;
1365 }
1366
1367 rcu_read_lock();
1368 err = ctnetlink_fill_info(skb2, NETLINK_CB(skb).portid, nlh->nlmsg_seq,
1369 NFNL_MSG_TYPE(nlh->nlmsg_type), ct);
1370 rcu_read_unlock();
1371 nf_ct_put(ct);
1372 if (err <= 0)
1373 goto free;
1374
1375 err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
1376 if (err < 0)
1377 goto out;
1378
1379 return 0;
1380
1381 free:
1382 kfree_skb(skb2);
1383 out:
1384 /* this avoids a loop in nfnetlink. */
1385 return err == -EAGAIN ? -ENOBUFS : err;
1386 }
1387
1388 static int ctnetlink_done_list(struct netlink_callback *cb)
1389 {
1390 if (cb->args[1])
1391 nf_ct_put((struct nf_conn *)cb->args[1]);
1392 return 0;
1393 }
1394
1395 static int
1396 ctnetlink_dump_list(struct sk_buff *skb, struct netlink_callback *cb, bool dying)
1397 {
1398 struct nf_conn *ct, *last;
1399 struct nf_conntrack_tuple_hash *h;
1400 struct hlist_nulls_node *n;
1401 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1402 u_int8_t l3proto = nfmsg->nfgen_family;
1403 int res;
1404 int cpu;
1405 struct hlist_nulls_head *list;
1406 struct net *net = sock_net(skb->sk);
1407
1408 if (cb->args[2])
1409 return 0;
1410
1411 last = (struct nf_conn *)cb->args[1];
1412
1413 for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) {
1414 struct ct_pcpu *pcpu;
1415
1416 if (!cpu_possible(cpu))
1417 continue;
1418
1419 pcpu = per_cpu_ptr(net->ct.pcpu_lists, cpu);
1420 spin_lock_bh(&pcpu->lock);
1421 list = dying ? &pcpu->dying : &pcpu->unconfirmed;
1422 restart:
1423 hlist_nulls_for_each_entry(h, n, list, hnnode) {
1424 ct = nf_ct_tuplehash_to_ctrack(h);
1425 if (l3proto && nf_ct_l3num(ct) != l3proto)
1426 continue;
1427 if (cb->args[1]) {
1428 if (ct != last)
1429 continue;
1430 cb->args[1] = 0;
1431 }
1432 rcu_read_lock();
1433 res = ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).portid,
1434 cb->nlh->nlmsg_seq,
1435 NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
1436 ct);
1437 rcu_read_unlock();
1438 if (res < 0) {
1439 if (!atomic_inc_not_zero(&ct->ct_general.use))
1440 continue;
1441 cb->args[0] = cpu;
1442 cb->args[1] = (unsigned long)ct;
1443 spin_unlock_bh(&pcpu->lock);
1444 goto out;
1445 }
1446 }
1447 if (cb->args[1]) {
1448 cb->args[1] = 0;
1449 goto restart;
1450 }
1451 spin_unlock_bh(&pcpu->lock);
1452 }
1453 cb->args[2] = 1;
1454 out:
1455 if (last)
1456 nf_ct_put(last);
1457
1458 return skb->len;
1459 }
1460
1461 static int
1462 ctnetlink_dump_dying(struct sk_buff *skb, struct netlink_callback *cb)
1463 {
1464 return ctnetlink_dump_list(skb, cb, true);
1465 }
1466
1467 static int ctnetlink_get_ct_dying(struct net *net, struct sock *ctnl,
1468 struct sk_buff *skb,
1469 const struct nlmsghdr *nlh,
1470 const struct nlattr * const cda[],
1471 struct netlink_ext_ack *extack)
1472 {
1473 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1474 struct netlink_dump_control c = {
1475 .dump = ctnetlink_dump_dying,
1476 .done = ctnetlink_done_list,
1477 };
1478 return netlink_dump_start(ctnl, skb, nlh, &c);
1479 }
1480
1481 return -EOPNOTSUPP;
1482 }
1483
1484 static int
1485 ctnetlink_dump_unconfirmed(struct sk_buff *skb, struct netlink_callback *cb)
1486 {
1487 return ctnetlink_dump_list(skb, cb, false);
1488 }
1489
1490 static int ctnetlink_get_ct_unconfirmed(struct net *net, struct sock *ctnl,
1491 struct sk_buff *skb,
1492 const struct nlmsghdr *nlh,
1493 const struct nlattr * const cda[],
1494 struct netlink_ext_ack *extack)
1495 {
1496 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1497 struct netlink_dump_control c = {
1498 .dump = ctnetlink_dump_unconfirmed,
1499 .done = ctnetlink_done_list,
1500 };
1501 return netlink_dump_start(ctnl, skb, nlh, &c);
1502 }
1503
1504 return -EOPNOTSUPP;
1505 }
1506
1507 #if IS_ENABLED(CONFIG_NF_NAT)
1508 static int
1509 ctnetlink_parse_nat_setup(struct nf_conn *ct,
1510 enum nf_nat_manip_type manip,
1511 const struct nlattr *attr)
1512 {
1513 struct nf_nat_hook *nat_hook;
1514 int err;
1515
1516 nat_hook = rcu_dereference(nf_nat_hook);
1517 if (!nat_hook) {
1518 #ifdef CONFIG_MODULES
1519 rcu_read_unlock();
1520 nfnl_unlock(NFNL_SUBSYS_CTNETLINK);
1521 if (request_module("nf-nat") < 0) {
1522 nfnl_lock(NFNL_SUBSYS_CTNETLINK);
1523 rcu_read_lock();
1524 return -EOPNOTSUPP;
1525 }
1526 nfnl_lock(NFNL_SUBSYS_CTNETLINK);
1527 rcu_read_lock();
1528 nat_hook = rcu_dereference(nf_nat_hook);
1529 if (nat_hook)
1530 return -EAGAIN;
1531 #endif
1532 return -EOPNOTSUPP;
1533 }
1534
1535 err = nat_hook->parse_nat_setup(ct, manip, attr);
1536 if (err == -EAGAIN) {
1537 #ifdef CONFIG_MODULES
1538 rcu_read_unlock();
1539 nfnl_unlock(NFNL_SUBSYS_CTNETLINK);
1540 if (request_module("nf-nat-%u", nf_ct_l3num(ct)) < 0) {
1541 nfnl_lock(NFNL_SUBSYS_CTNETLINK);
1542 rcu_read_lock();
1543 return -EOPNOTSUPP;
1544 }
1545 nfnl_lock(NFNL_SUBSYS_CTNETLINK);
1546 rcu_read_lock();
1547 #else
1548 err = -EOPNOTSUPP;
1549 #endif
1550 }
1551 return err;
1552 }
1553 #endif
1554
1555 static void
1556 __ctnetlink_change_status(struct nf_conn *ct, unsigned long on,
1557 unsigned long off)
1558 {
1559 unsigned int bit;
1560
1561 /* Ignore these unchangable bits */
1562 on &= ~IPS_UNCHANGEABLE_MASK;
1563 off &= ~IPS_UNCHANGEABLE_MASK;
1564
1565 for (bit = 0; bit < __IPS_MAX_BIT; bit++) {
1566 if (on & (1 << bit))
1567 set_bit(bit, &ct->status);
1568 else if (off & (1 << bit))
1569 clear_bit(bit, &ct->status);
1570 }
1571 }
1572
1573 static int
1574 ctnetlink_change_status(struct nf_conn *ct, const struct nlattr * const cda[])
1575 {
1576 unsigned long d;
1577 unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS]));
1578 d = ct->status ^ status;
1579
1580 if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING))
1581 /* unchangeable */
1582 return -EBUSY;
1583
1584 if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY))
1585 /* SEEN_REPLY bit can only be set */
1586 return -EBUSY;
1587
1588 if (d & IPS_ASSURED && !(status & IPS_ASSURED))
1589 /* ASSURED bit can only be set */
1590 return -EBUSY;
1591
1592 __ctnetlink_change_status(ct, status, 0);
1593 return 0;
1594 }
1595
1596 static int
1597 ctnetlink_setup_nat(struct nf_conn *ct, const struct nlattr * const cda[])
1598 {
1599 #if IS_ENABLED(CONFIG_NF_NAT)
1600 int ret;
1601
1602 if (!cda[CTA_NAT_DST] && !cda[CTA_NAT_SRC])
1603 return 0;
1604
1605 ret = ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_DST,
1606 cda[CTA_NAT_DST]);
1607 if (ret < 0)
1608 return ret;
1609
1610 return ctnetlink_parse_nat_setup(ct, NF_NAT_MANIP_SRC,
1611 cda[CTA_NAT_SRC]);
1612 #else
1613 if (!cda[CTA_NAT_DST] && !cda[CTA_NAT_SRC])
1614 return 0;
1615 return -EOPNOTSUPP;
1616 #endif
1617 }
1618
1619 static int ctnetlink_change_helper(struct nf_conn *ct,
1620 const struct nlattr * const cda[])
1621 {
1622 struct nf_conntrack_helper *helper;
1623 struct nf_conn_help *help = nfct_help(ct);
1624 char *helpname = NULL;
1625 struct nlattr *helpinfo = NULL;
1626 int err;
1627
1628 err = ctnetlink_parse_help(cda[CTA_HELP], &helpname, &helpinfo);
1629 if (err < 0)
1630 return err;
1631
1632 /* don't change helper of sibling connections */
1633 if (ct->master) {
1634 /* If we try to change the helper to the same thing twice,
1635 * treat the second attempt as a no-op instead of returning
1636 * an error.
1637 */
1638 err = -EBUSY;
1639 if (help) {
1640 rcu_read_lock();
1641 helper = rcu_dereference(help->helper);
1642 if (helper && !strcmp(helper->name, helpname))
1643 err = 0;
1644 rcu_read_unlock();
1645 }
1646
1647 return err;
1648 }
1649
1650 if (!strcmp(helpname, "")) {
1651 if (help && help->helper) {
1652 /* we had a helper before ... */
1653 nf_ct_remove_expectations(ct);
1654 RCU_INIT_POINTER(help->helper, NULL);
1655 }
1656
1657 return 0;
1658 }
1659
1660 rcu_read_lock();
1661 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
1662 nf_ct_protonum(ct));
1663 if (helper == NULL) {
1664 rcu_read_unlock();
1665 return -EOPNOTSUPP;
1666 }
1667
1668 if (help) {
1669 if (help->helper == helper) {
1670 /* update private helper data if allowed. */
1671 if (helper->from_nlattr)
1672 helper->from_nlattr(helpinfo, ct);
1673 err = 0;
1674 } else
1675 err = -EBUSY;
1676 } else {
1677 /* we cannot set a helper for an existing conntrack */
1678 err = -EOPNOTSUPP;
1679 }
1680
1681 rcu_read_unlock();
1682 return err;
1683 }
1684
1685 static int ctnetlink_change_timeout(struct nf_conn *ct,
1686 const struct nlattr * const cda[])
1687 {
1688 u64 timeout = (u64)ntohl(nla_get_be32(cda[CTA_TIMEOUT])) * HZ;
1689
1690 if (timeout > INT_MAX)
1691 timeout = INT_MAX;
1692 ct->timeout = nfct_time_stamp + (u32)timeout;
1693
1694 if (test_bit(IPS_DYING_BIT, &ct->status))
1695 return -ETIME;
1696
1697 return 0;
1698 }
1699
1700 #if defined(CONFIG_NF_CONNTRACK_MARK)
1701 static void ctnetlink_change_mark(struct nf_conn *ct,
1702 const struct nlattr * const cda[])
1703 {
1704 u32 mark, newmark, mask = 0;
1705
1706 if (cda[CTA_MARK_MASK])
1707 mask = ~ntohl(nla_get_be32(cda[CTA_MARK_MASK]));
1708
1709 mark = ntohl(nla_get_be32(cda[CTA_MARK]));
1710 newmark = (ct->mark & mask) ^ mark;
1711 if (newmark != ct->mark)
1712 ct->mark = newmark;
1713 }
1714 #endif
1715
1716 static const struct nla_policy protoinfo_policy[CTA_PROTOINFO_MAX+1] = {
1717 [CTA_PROTOINFO_TCP] = { .type = NLA_NESTED },
1718 [CTA_PROTOINFO_DCCP] = { .type = NLA_NESTED },
1719 [CTA_PROTOINFO_SCTP] = { .type = NLA_NESTED },
1720 };
1721
1722 static int ctnetlink_change_protoinfo(struct nf_conn *ct,
1723 const struct nlattr * const cda[])
1724 {
1725 const struct nlattr *attr = cda[CTA_PROTOINFO];
1726 const struct nf_conntrack_l4proto *l4proto;
1727 struct nlattr *tb[CTA_PROTOINFO_MAX+1];
1728 int err = 0;
1729
1730 err = nla_parse_nested_deprecated(tb, CTA_PROTOINFO_MAX, attr,
1731 protoinfo_policy, NULL);
1732 if (err < 0)
1733 return err;
1734
1735 l4proto = nf_ct_l4proto_find(nf_ct_protonum(ct));
1736 if (l4proto->from_nlattr)
1737 err = l4proto->from_nlattr(tb, ct);
1738
1739 return err;
1740 }
1741
1742 static const struct nla_policy seqadj_policy[CTA_SEQADJ_MAX+1] = {
1743 [CTA_SEQADJ_CORRECTION_POS] = { .type = NLA_U32 },
1744 [CTA_SEQADJ_OFFSET_BEFORE] = { .type = NLA_U32 },
1745 [CTA_SEQADJ_OFFSET_AFTER] = { .type = NLA_U32 },
1746 };
1747
1748 static int change_seq_adj(struct nf_ct_seqadj *seq,
1749 const struct nlattr * const attr)
1750 {
1751 int err;
1752 struct nlattr *cda[CTA_SEQADJ_MAX+1];
1753
1754 err = nla_parse_nested_deprecated(cda, CTA_SEQADJ_MAX, attr,
1755 seqadj_policy, NULL);
1756 if (err < 0)
1757 return err;
1758
1759 if (!cda[CTA_SEQADJ_CORRECTION_POS])
1760 return -EINVAL;
1761
1762 seq->correction_pos =
1763 ntohl(nla_get_be32(cda[CTA_SEQADJ_CORRECTION_POS]));
1764
1765 if (!cda[CTA_SEQADJ_OFFSET_BEFORE])
1766 return -EINVAL;
1767
1768 seq->offset_before =
1769 ntohl(nla_get_be32(cda[CTA_SEQADJ_OFFSET_BEFORE]));
1770
1771 if (!cda[CTA_SEQADJ_OFFSET_AFTER])
1772 return -EINVAL;
1773
1774 seq->offset_after =
1775 ntohl(nla_get_be32(cda[CTA_SEQADJ_OFFSET_AFTER]));
1776
1777 return 0;
1778 }
1779
1780 static int
1781 ctnetlink_change_seq_adj(struct nf_conn *ct,
1782 const struct nlattr * const cda[])
1783 {
1784 struct nf_conn_seqadj *seqadj = nfct_seqadj(ct);
1785 int ret = 0;
1786
1787 if (!seqadj)
1788 return 0;
1789
1790 spin_lock_bh(&ct->lock);
1791 if (cda[CTA_SEQ_ADJ_ORIG]) {
1792 ret = change_seq_adj(&seqadj->seq[IP_CT_DIR_ORIGINAL],
1793 cda[CTA_SEQ_ADJ_ORIG]);
1794 if (ret < 0)
1795 goto err;
1796
1797 set_bit(IPS_SEQ_ADJUST_BIT, &ct->status);
1798 }
1799
1800 if (cda[CTA_SEQ_ADJ_REPLY]) {
1801 ret = change_seq_adj(&seqadj->seq[IP_CT_DIR_REPLY],
1802 cda[CTA_SEQ_ADJ_REPLY]);
1803 if (ret < 0)
1804 goto err;
1805
1806 set_bit(IPS_SEQ_ADJUST_BIT, &ct->status);
1807 }
1808
1809 spin_unlock_bh(&ct->lock);
1810 return 0;
1811 err:
1812 spin_unlock_bh(&ct->lock);
1813 return ret;
1814 }
1815
1816 static const struct nla_policy synproxy_policy[CTA_SYNPROXY_MAX + 1] = {
1817 [CTA_SYNPROXY_ISN] = { .type = NLA_U32 },
1818 [CTA_SYNPROXY_ITS] = { .type = NLA_U32 },
1819 [CTA_SYNPROXY_TSOFF] = { .type = NLA_U32 },
1820 };
1821
1822 static int ctnetlink_change_synproxy(struct nf_conn *ct,
1823 const struct nlattr * const cda[])
1824 {
1825 struct nf_conn_synproxy *synproxy = nfct_synproxy(ct);
1826 struct nlattr *tb[CTA_SYNPROXY_MAX + 1];
1827 int err;
1828
1829 if (!synproxy)
1830 return 0;
1831
1832 err = nla_parse_nested_deprecated(tb, CTA_SYNPROXY_MAX,
1833 cda[CTA_SYNPROXY], synproxy_policy,
1834 NULL);
1835 if (err < 0)
1836 return err;
1837
1838 if (!tb[CTA_SYNPROXY_ISN] ||
1839 !tb[CTA_SYNPROXY_ITS] ||
1840 !tb[CTA_SYNPROXY_TSOFF])
1841 return -EINVAL;
1842
1843 synproxy->isn = ntohl(nla_get_be32(tb[CTA_SYNPROXY_ISN]));
1844 synproxy->its = ntohl(nla_get_be32(tb[CTA_SYNPROXY_ITS]));
1845 synproxy->tsoff = ntohl(nla_get_be32(tb[CTA_SYNPROXY_TSOFF]));
1846
1847 return 0;
1848 }
1849
1850 static int
1851 ctnetlink_attach_labels(struct nf_conn *ct, const struct nlattr * const cda[])
1852 {
1853 #ifdef CONFIG_NF_CONNTRACK_LABELS
1854 size_t len = nla_len(cda[CTA_LABELS]);
1855 const void *mask = cda[CTA_LABELS_MASK];
1856
1857 if (len & (sizeof(u32)-1)) /* must be multiple of u32 */
1858 return -EINVAL;
1859
1860 if (mask) {
1861 if (nla_len(cda[CTA_LABELS_MASK]) == 0 ||
1862 nla_len(cda[CTA_LABELS_MASK]) != len)
1863 return -EINVAL;
1864 mask = nla_data(cda[CTA_LABELS_MASK]);
1865 }
1866
1867 len /= sizeof(u32);
1868
1869 return nf_connlabels_replace(ct, nla_data(cda[CTA_LABELS]), mask, len);
1870 #else
1871 return -EOPNOTSUPP;
1872 #endif
1873 }
1874
1875 static int
1876 ctnetlink_change_conntrack(struct nf_conn *ct,
1877 const struct nlattr * const cda[])
1878 {
1879 int err;
1880
1881 /* only allow NAT changes and master assignation for new conntracks */
1882 if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST] || cda[CTA_TUPLE_MASTER])
1883 return -EOPNOTSUPP;
1884
1885 if (cda[CTA_HELP]) {
1886 err = ctnetlink_change_helper(ct, cda);
1887 if (err < 0)
1888 return err;
1889 }
1890
1891 if (cda[CTA_TIMEOUT]) {
1892 err = ctnetlink_change_timeout(ct, cda);
1893 if (err < 0)
1894 return err;
1895 }
1896
1897 if (cda[CTA_STATUS]) {
1898 err = ctnetlink_change_status(ct, cda);
1899 if (err < 0)
1900 return err;
1901 }
1902
1903 if (cda[CTA_PROTOINFO]) {
1904 err = ctnetlink_change_protoinfo(ct, cda);
1905 if (err < 0)
1906 return err;
1907 }
1908
1909 #if defined(CONFIG_NF_CONNTRACK_MARK)
1910 if (cda[CTA_MARK])
1911 ctnetlink_change_mark(ct, cda);
1912 #endif
1913
1914 if (cda[CTA_SEQ_ADJ_ORIG] || cda[CTA_SEQ_ADJ_REPLY]) {
1915 err = ctnetlink_change_seq_adj(ct, cda);
1916 if (err < 0)
1917 return err;
1918 }
1919
1920 if (cda[CTA_SYNPROXY]) {
1921 err = ctnetlink_change_synproxy(ct, cda);
1922 if (err < 0)
1923 return err;
1924 }
1925
1926 if (cda[CTA_LABELS]) {
1927 err = ctnetlink_attach_labels(ct, cda);
1928 if (err < 0)
1929 return err;
1930 }
1931
1932 return 0;
1933 }
1934
1935 static struct nf_conn *
1936 ctnetlink_create_conntrack(struct net *net,
1937 const struct nf_conntrack_zone *zone,
1938 const struct nlattr * const cda[],
1939 struct nf_conntrack_tuple *otuple,
1940 struct nf_conntrack_tuple *rtuple,
1941 u8 u3)
1942 {
1943 struct nf_conn *ct;
1944 int err = -EINVAL;
1945 struct nf_conntrack_helper *helper;
1946 struct nf_conn_tstamp *tstamp;
1947 u64 timeout;
1948
1949 ct = nf_conntrack_alloc(net, zone, otuple, rtuple, GFP_ATOMIC);
1950 if (IS_ERR(ct))
1951 return ERR_PTR(-ENOMEM);
1952
1953 if (!cda[CTA_TIMEOUT])
1954 goto err1;
1955
1956 timeout = (u64)ntohl(nla_get_be32(cda[CTA_TIMEOUT])) * HZ;
1957 if (timeout > INT_MAX)
1958 timeout = INT_MAX;
1959 ct->timeout = (u32)timeout + nfct_time_stamp;
1960
1961 rcu_read_lock();
1962 if (cda[CTA_HELP]) {
1963 char *helpname = NULL;
1964 struct nlattr *helpinfo = NULL;
1965
1966 err = ctnetlink_parse_help(cda[CTA_HELP], &helpname, &helpinfo);
1967 if (err < 0)
1968 goto err2;
1969
1970 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
1971 nf_ct_protonum(ct));
1972 if (helper == NULL) {
1973 rcu_read_unlock();
1974 #ifdef CONFIG_MODULES
1975 if (request_module("nfct-helper-%s", helpname) < 0) {
1976 err = -EOPNOTSUPP;
1977 goto err1;
1978 }
1979
1980 rcu_read_lock();
1981 helper = __nf_conntrack_helper_find(helpname,
1982 nf_ct_l3num(ct),
1983 nf_ct_protonum(ct));
1984 if (helper) {
1985 err = -EAGAIN;
1986 goto err2;
1987 }
1988 rcu_read_unlock();
1989 #endif
1990 err = -EOPNOTSUPP;
1991 goto err1;
1992 } else {
1993 struct nf_conn_help *help;
1994
1995 help = nf_ct_helper_ext_add(ct, GFP_ATOMIC);
1996 if (help == NULL) {
1997 err = -ENOMEM;
1998 goto err2;
1999 }
2000 /* set private helper data if allowed. */
2001 if (helper->from_nlattr)
2002 helper->from_nlattr(helpinfo, ct);
2003
2004 /* not in hash table yet so not strictly necessary */
2005 RCU_INIT_POINTER(help->helper, helper);
2006 }
2007 } else {
2008 /* try an implicit helper assignation */
2009 err = __nf_ct_try_assign_helper(ct, NULL, GFP_ATOMIC);
2010 if (err < 0)
2011 goto err2;
2012 }
2013
2014 err = ctnetlink_setup_nat(ct, cda);
2015 if (err < 0)
2016 goto err2;
2017
2018 nf_ct_acct_ext_add(ct, GFP_ATOMIC);
2019 nf_ct_tstamp_ext_add(ct, GFP_ATOMIC);
2020 nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC);
2021 nf_ct_labels_ext_add(ct);
2022 nfct_seqadj_ext_add(ct);
2023 nfct_synproxy_ext_add(ct);
2024
2025 /* we must add conntrack extensions before confirmation. */
2026 ct->status |= IPS_CONFIRMED;
2027
2028 if (cda[CTA_STATUS]) {
2029 err = ctnetlink_change_status(ct, cda);
2030 if (err < 0)
2031 goto err2;
2032 }
2033
2034 if (cda[CTA_SEQ_ADJ_ORIG] || cda[CTA_SEQ_ADJ_REPLY]) {
2035 err = ctnetlink_change_seq_adj(ct, cda);
2036 if (err < 0)
2037 goto err2;
2038 }
2039
2040 memset(&ct->proto, 0, sizeof(ct->proto));
2041 if (cda[CTA_PROTOINFO]) {
2042 err = ctnetlink_change_protoinfo(ct, cda);
2043 if (err < 0)
2044 goto err2;
2045 }
2046
2047 if (cda[CTA_SYNPROXY]) {
2048 err = ctnetlink_change_synproxy(ct, cda);
2049 if (err < 0)
2050 goto err2;
2051 }
2052
2053 #if defined(CONFIG_NF_CONNTRACK_MARK)
2054 if (cda[CTA_MARK])
2055 ctnetlink_change_mark(ct, cda);
2056 #endif
2057
2058 /* setup master conntrack: this is a confirmed expectation */
2059 if (cda[CTA_TUPLE_MASTER]) {
2060 struct nf_conntrack_tuple master;
2061 struct nf_conntrack_tuple_hash *master_h;
2062 struct nf_conn *master_ct;
2063
2064 err = ctnetlink_parse_tuple(cda, &master, CTA_TUPLE_MASTER,
2065 u3, NULL);
2066 if (err < 0)
2067 goto err2;
2068
2069 master_h = nf_conntrack_find_get(net, zone, &master);
2070 if (master_h == NULL) {
2071 err = -ENOENT;
2072 goto err2;
2073 }
2074 master_ct = nf_ct_tuplehash_to_ctrack(master_h);
2075 __set_bit(IPS_EXPECTED_BIT, &ct->status);
2076 ct->master = master_ct;
2077 }
2078 tstamp = nf_conn_tstamp_find(ct);
2079 if (tstamp)
2080 tstamp->start = ktime_get_real_ns();
2081
2082 err = nf_conntrack_hash_check_insert(ct);
2083 if (err < 0)
2084 goto err2;
2085
2086 rcu_read_unlock();
2087
2088 return ct;
2089
2090 err2:
2091 rcu_read_unlock();
2092 err1:
2093 nf_conntrack_free(ct);
2094 return ERR_PTR(err);
2095 }
2096
2097 static int ctnetlink_new_conntrack(struct net *net, struct sock *ctnl,
2098 struct sk_buff *skb,
2099 const struct nlmsghdr *nlh,
2100 const struct nlattr * const cda[],
2101 struct netlink_ext_ack *extack)
2102 {
2103 struct nf_conntrack_tuple otuple, rtuple;
2104 struct nf_conntrack_tuple_hash *h = NULL;
2105 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2106 struct nf_conn *ct;
2107 u_int8_t u3 = nfmsg->nfgen_family;
2108 struct nf_conntrack_zone zone;
2109 int err;
2110
2111 err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone);
2112 if (err < 0)
2113 return err;
2114
2115 if (cda[CTA_TUPLE_ORIG]) {
2116 err = ctnetlink_parse_tuple(cda, &otuple, CTA_TUPLE_ORIG,
2117 u3, &zone);
2118 if (err < 0)
2119 return err;
2120 }
2121
2122 if (cda[CTA_TUPLE_REPLY]) {
2123 err = ctnetlink_parse_tuple(cda, &rtuple, CTA_TUPLE_REPLY,
2124 u3, &zone);
2125 if (err < 0)
2126 return err;
2127 }
2128
2129 if (cda[CTA_TUPLE_ORIG])
2130 h = nf_conntrack_find_get(net, &zone, &otuple);
2131 else if (cda[CTA_TUPLE_REPLY])
2132 h = nf_conntrack_find_get(net, &zone, &rtuple);
2133
2134 if (h == NULL) {
2135 err = -ENOENT;
2136 if (nlh->nlmsg_flags & NLM_F_CREATE) {
2137 enum ip_conntrack_events events;
2138
2139 if (!cda[CTA_TUPLE_ORIG] || !cda[CTA_TUPLE_REPLY])
2140 return -EINVAL;
2141 if (otuple.dst.protonum != rtuple.dst.protonum)
2142 return -EINVAL;
2143
2144 ct = ctnetlink_create_conntrack(net, &zone, cda, &otuple,
2145 &rtuple, u3);
2146 if (IS_ERR(ct))
2147 return PTR_ERR(ct);
2148
2149 err = 0;
2150 if (test_bit(IPS_EXPECTED_BIT, &ct->status))
2151 events = 1 << IPCT_RELATED;
2152 else
2153 events = 1 << IPCT_NEW;
2154
2155 if (cda[CTA_LABELS] &&
2156 ctnetlink_attach_labels(ct, cda) == 0)
2157 events |= (1 << IPCT_LABEL);
2158
2159 nf_conntrack_eventmask_report((1 << IPCT_REPLY) |
2160 (1 << IPCT_ASSURED) |
2161 (1 << IPCT_HELPER) |
2162 (1 << IPCT_PROTOINFO) |
2163 (1 << IPCT_SEQADJ) |
2164 (1 << IPCT_MARK) |
2165 (1 << IPCT_SYNPROXY) |
2166 events,
2167 ct, NETLINK_CB(skb).portid,
2168 nlmsg_report(nlh));
2169 nf_ct_put(ct);
2170 }
2171
2172 return err;
2173 }
2174 /* implicit 'else' */
2175
2176 err = -EEXIST;
2177 ct = nf_ct_tuplehash_to_ctrack(h);
2178 if (!(nlh->nlmsg_flags & NLM_F_EXCL)) {
2179 err = ctnetlink_change_conntrack(ct, cda);
2180 if (err == 0) {
2181 nf_conntrack_eventmask_report((1 << IPCT_REPLY) |
2182 (1 << IPCT_ASSURED) |
2183 (1 << IPCT_HELPER) |
2184 (1 << IPCT_LABEL) |
2185 (1 << IPCT_PROTOINFO) |
2186 (1 << IPCT_SEQADJ) |
2187 (1 << IPCT_MARK) |
2188 (1 << IPCT_SYNPROXY),
2189 ct, NETLINK_CB(skb).portid,
2190 nlmsg_report(nlh));
2191 }
2192 }
2193
2194 nf_ct_put(ct);
2195 return err;
2196 }
2197
2198 static int
2199 ctnetlink_ct_stat_cpu_fill_info(struct sk_buff *skb, u32 portid, u32 seq,
2200 __u16 cpu, const struct ip_conntrack_stat *st)
2201 {
2202 struct nlmsghdr *nlh;
2203 struct nfgenmsg *nfmsg;
2204 unsigned int flags = portid ? NLM_F_MULTI : 0, event;
2205
2206 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK,
2207 IPCTNL_MSG_CT_GET_STATS_CPU);
2208 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
2209 if (nlh == NULL)
2210 goto nlmsg_failure;
2211
2212 nfmsg = nlmsg_data(nlh);
2213 nfmsg->nfgen_family = AF_UNSPEC;
2214 nfmsg->version = NFNETLINK_V0;
2215 nfmsg->res_id = htons(cpu);
2216
2217 if (nla_put_be32(skb, CTA_STATS_FOUND, htonl(st->found)) ||
2218 nla_put_be32(skb, CTA_STATS_INVALID, htonl(st->invalid)) ||
2219 nla_put_be32(skb, CTA_STATS_IGNORE, htonl(st->ignore)) ||
2220 nla_put_be32(skb, CTA_STATS_INSERT, htonl(st->insert)) ||
2221 nla_put_be32(skb, CTA_STATS_INSERT_FAILED,
2222 htonl(st->insert_failed)) ||
2223 nla_put_be32(skb, CTA_STATS_DROP, htonl(st->drop)) ||
2224 nla_put_be32(skb, CTA_STATS_EARLY_DROP, htonl(st->early_drop)) ||
2225 nla_put_be32(skb, CTA_STATS_ERROR, htonl(st->error)) ||
2226 nla_put_be32(skb, CTA_STATS_SEARCH_RESTART,
2227 htonl(st->search_restart)))
2228 goto nla_put_failure;
2229
2230 nlmsg_end(skb, nlh);
2231 return skb->len;
2232
2233 nla_put_failure:
2234 nlmsg_failure:
2235 nlmsg_cancel(skb, nlh);
2236 return -1;
2237 }
2238
2239 static int
2240 ctnetlink_ct_stat_cpu_dump(struct sk_buff *skb, struct netlink_callback *cb)
2241 {
2242 int cpu;
2243 struct net *net = sock_net(skb->sk);
2244
2245 if (cb->args[0] == nr_cpu_ids)
2246 return 0;
2247
2248 for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) {
2249 const struct ip_conntrack_stat *st;
2250
2251 if (!cpu_possible(cpu))
2252 continue;
2253
2254 st = per_cpu_ptr(net->ct.stat, cpu);
2255 if (ctnetlink_ct_stat_cpu_fill_info(skb,
2256 NETLINK_CB(cb->skb).portid,
2257 cb->nlh->nlmsg_seq,
2258 cpu, st) < 0)
2259 break;
2260 }
2261 cb->args[0] = cpu;
2262
2263 return skb->len;
2264 }
2265
2266 static int ctnetlink_stat_ct_cpu(struct net *net, struct sock *ctnl,
2267 struct sk_buff *skb,
2268 const struct nlmsghdr *nlh,
2269 const struct nlattr * const cda[],
2270 struct netlink_ext_ack *extack)
2271 {
2272 if (nlh->nlmsg_flags & NLM_F_DUMP) {
2273 struct netlink_dump_control c = {
2274 .dump = ctnetlink_ct_stat_cpu_dump,
2275 };
2276 return netlink_dump_start(ctnl, skb, nlh, &c);
2277 }
2278
2279 return 0;
2280 }
2281
2282 static int
2283 ctnetlink_stat_ct_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
2284 struct net *net)
2285 {
2286 struct nlmsghdr *nlh;
2287 struct nfgenmsg *nfmsg;
2288 unsigned int flags = portid ? NLM_F_MULTI : 0, event;
2289 unsigned int nr_conntracks = atomic_read(&net->ct.count);
2290
2291 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK, IPCTNL_MSG_CT_GET_STATS);
2292 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
2293 if (nlh == NULL)
2294 goto nlmsg_failure;
2295
2296 nfmsg = nlmsg_data(nlh);
2297 nfmsg->nfgen_family = AF_UNSPEC;
2298 nfmsg->version = NFNETLINK_V0;
2299 nfmsg->res_id = 0;
2300
2301 if (nla_put_be32(skb, CTA_STATS_GLOBAL_ENTRIES, htonl(nr_conntracks)))
2302 goto nla_put_failure;
2303
2304 if (nla_put_be32(skb, CTA_STATS_GLOBAL_MAX_ENTRIES, htonl(nf_conntrack_max)))
2305 goto nla_put_failure;
2306
2307 nlmsg_end(skb, nlh);
2308 return skb->len;
2309
2310 nla_put_failure:
2311 nlmsg_failure:
2312 nlmsg_cancel(skb, nlh);
2313 return -1;
2314 }
2315
2316 static int ctnetlink_stat_ct(struct net *net, struct sock *ctnl,
2317 struct sk_buff *skb, const struct nlmsghdr *nlh,
2318 const struct nlattr * const cda[],
2319 struct netlink_ext_ack *extack)
2320 {
2321 struct sk_buff *skb2;
2322 int err;
2323
2324 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
2325 if (skb2 == NULL)
2326 return -ENOMEM;
2327
2328 err = ctnetlink_stat_ct_fill_info(skb2, NETLINK_CB(skb).portid,
2329 nlh->nlmsg_seq,
2330 NFNL_MSG_TYPE(nlh->nlmsg_type),
2331 sock_net(skb->sk));
2332 if (err <= 0)
2333 goto free;
2334
2335 err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
2336 if (err < 0)
2337 goto out;
2338
2339 return 0;
2340
2341 free:
2342 kfree_skb(skb2);
2343 out:
2344 /* this avoids a loop in nfnetlink. */
2345 return err == -EAGAIN ? -ENOBUFS : err;
2346 }
2347
2348 static const struct nla_policy exp_nla_policy[CTA_EXPECT_MAX+1] = {
2349 [CTA_EXPECT_MASTER] = { .type = NLA_NESTED },
2350 [CTA_EXPECT_TUPLE] = { .type = NLA_NESTED },
2351 [CTA_EXPECT_MASK] = { .type = NLA_NESTED },
2352 [CTA_EXPECT_TIMEOUT] = { .type = NLA_U32 },
2353 [CTA_EXPECT_ID] = { .type = NLA_U32 },
2354 [CTA_EXPECT_HELP_NAME] = { .type = NLA_NUL_STRING,
2355 .len = NF_CT_HELPER_NAME_LEN - 1 },
2356 [CTA_EXPECT_ZONE] = { .type = NLA_U16 },
2357 [CTA_EXPECT_FLAGS] = { .type = NLA_U32 },
2358 [CTA_EXPECT_CLASS] = { .type = NLA_U32 },
2359 [CTA_EXPECT_NAT] = { .type = NLA_NESTED },
2360 [CTA_EXPECT_FN] = { .type = NLA_NUL_STRING },
2361 };
2362
2363 static struct nf_conntrack_expect *
2364 ctnetlink_alloc_expect(const struct nlattr *const cda[], struct nf_conn *ct,
2365 struct nf_conntrack_helper *helper,
2366 struct nf_conntrack_tuple *tuple,
2367 struct nf_conntrack_tuple *mask);
2368
2369 #ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT
2370 static size_t
2371 ctnetlink_glue_build_size(const struct nf_conn *ct)
2372 {
2373 return 3 * nla_total_size(0) /* CTA_TUPLE_ORIG|REPL|MASTER */
2374 + 3 * nla_total_size(0) /* CTA_TUPLE_IP */
2375 + 3 * nla_total_size(0) /* CTA_TUPLE_PROTO */
2376 + 3 * nla_total_size(sizeof(u_int8_t)) /* CTA_PROTO_NUM */
2377 + nla_total_size(sizeof(u_int32_t)) /* CTA_ID */
2378 + nla_total_size(sizeof(u_int32_t)) /* CTA_STATUS */
2379 + nla_total_size(sizeof(u_int32_t)) /* CTA_TIMEOUT */
2380 + nla_total_size(0) /* CTA_PROTOINFO */
2381 + nla_total_size(0) /* CTA_HELP */
2382 + nla_total_size(NF_CT_HELPER_NAME_LEN) /* CTA_HELP_NAME */
2383 + ctnetlink_secctx_size(ct)
2384 #if IS_ENABLED(CONFIG_NF_NAT)
2385 + 2 * nla_total_size(0) /* CTA_NAT_SEQ_ADJ_ORIG|REPL */
2386 + 6 * nla_total_size(sizeof(u_int32_t)) /* CTA_NAT_SEQ_OFFSET */
2387 #endif
2388 #ifdef CONFIG_NF_CONNTRACK_MARK
2389 + nla_total_size(sizeof(u_int32_t)) /* CTA_MARK */
2390 #endif
2391 #ifdef CONFIG_NF_CONNTRACK_ZONES
2392 + nla_total_size(sizeof(u_int16_t)) /* CTA_ZONE|CTA_TUPLE_ZONE */
2393 #endif
2394 + ctnetlink_proto_size(ct)
2395 ;
2396 }
2397
2398 static struct nf_conn *ctnetlink_glue_get_ct(const struct sk_buff *skb,
2399 enum ip_conntrack_info *ctinfo)
2400 {
2401 return nf_ct_get(skb, ctinfo);
2402 }
2403
2404 static int __ctnetlink_glue_build(struct sk_buff *skb, struct nf_conn *ct)
2405 {
2406 const struct nf_conntrack_zone *zone;
2407 struct nlattr *nest_parms;
2408
2409 zone = nf_ct_zone(ct);
2410
2411 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG);
2412 if (!nest_parms)
2413 goto nla_put_failure;
2414 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
2415 goto nla_put_failure;
2416 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
2417 NF_CT_ZONE_DIR_ORIG) < 0)
2418 goto nla_put_failure;
2419 nla_nest_end(skb, nest_parms);
2420
2421 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY);
2422 if (!nest_parms)
2423 goto nla_put_failure;
2424 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
2425 goto nla_put_failure;
2426 if (ctnetlink_dump_zone_id(skb, CTA_TUPLE_ZONE, zone,
2427 NF_CT_ZONE_DIR_REPL) < 0)
2428 goto nla_put_failure;
2429 nla_nest_end(skb, nest_parms);
2430
2431 if (ctnetlink_dump_zone_id(skb, CTA_ZONE, zone,
2432 NF_CT_DEFAULT_ZONE_DIR) < 0)
2433 goto nla_put_failure;
2434
2435 if (ctnetlink_dump_id(skb, ct) < 0)
2436 goto nla_put_failure;
2437
2438 if (ctnetlink_dump_status(skb, ct) < 0)
2439 goto nla_put_failure;
2440
2441 if (ctnetlink_dump_timeout(skb, ct) < 0)
2442 goto nla_put_failure;
2443
2444 if (ctnetlink_dump_protoinfo(skb, ct) < 0)
2445 goto nla_put_failure;
2446
2447 if (ctnetlink_dump_helpinfo(skb, ct) < 0)
2448 goto nla_put_failure;
2449
2450 #ifdef CONFIG_NF_CONNTRACK_SECMARK
2451 if (ct->secmark && ctnetlink_dump_secctx(skb, ct) < 0)
2452 goto nla_put_failure;
2453 #endif
2454 if (ct->master && ctnetlink_dump_master(skb, ct) < 0)
2455 goto nla_put_failure;
2456
2457 if ((ct->status & IPS_SEQ_ADJUST) &&
2458 ctnetlink_dump_ct_seq_adj(skb, ct) < 0)
2459 goto nla_put_failure;
2460
2461 if (ctnetlink_dump_ct_synproxy(skb, ct) < 0)
2462 goto nla_put_failure;
2463
2464 #ifdef CONFIG_NF_CONNTRACK_MARK
2465 if (ct->mark && ctnetlink_dump_mark(skb, ct) < 0)
2466 goto nla_put_failure;
2467 #endif
2468 if (ctnetlink_dump_labels(skb, ct) < 0)
2469 goto nla_put_failure;
2470 return 0;
2471
2472 nla_put_failure:
2473 return -ENOSPC;
2474 }
2475
2476 static int
2477 ctnetlink_glue_build(struct sk_buff *skb, struct nf_conn *ct,
2478 enum ip_conntrack_info ctinfo,
2479 u_int16_t ct_attr, u_int16_t ct_info_attr)
2480 {
2481 struct nlattr *nest_parms;
2482
2483 nest_parms = nla_nest_start(skb, ct_attr);
2484 if (!nest_parms)
2485 goto nla_put_failure;
2486
2487 if (__ctnetlink_glue_build(skb, ct) < 0)
2488 goto nla_put_failure;
2489
2490 nla_nest_end(skb, nest_parms);
2491
2492 if (nla_put_be32(skb, ct_info_attr, htonl(ctinfo)))
2493 goto nla_put_failure;
2494
2495 return 0;
2496
2497 nla_put_failure:
2498 return -ENOSPC;
2499 }
2500
2501 static int
2502 ctnetlink_update_status(struct nf_conn *ct, const struct nlattr * const cda[])
2503 {
2504 unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS]));
2505 unsigned long d = ct->status ^ status;
2506
2507 if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY))
2508 /* SEEN_REPLY bit can only be set */
2509 return -EBUSY;
2510
2511 if (d & IPS_ASSURED && !(status & IPS_ASSURED))
2512 /* ASSURED bit can only be set */
2513 return -EBUSY;
2514
2515 /* This check is less strict than ctnetlink_change_status()
2516 * because callers often flip IPS_EXPECTED bits when sending
2517 * an NFQA_CT attribute to the kernel. So ignore the
2518 * unchangeable bits but do not error out. Also user programs
2519 * are allowed to clear the bits that they are allowed to change.
2520 */
2521 __ctnetlink_change_status(ct, status, ~status);
2522 return 0;
2523 }
2524
2525 static int
2526 ctnetlink_glue_parse_ct(const struct nlattr *cda[], struct nf_conn *ct)
2527 {
2528 int err;
2529
2530 if (cda[CTA_TIMEOUT]) {
2531 err = ctnetlink_change_timeout(ct, cda);
2532 if (err < 0)
2533 return err;
2534 }
2535 if (cda[CTA_STATUS]) {
2536 err = ctnetlink_update_status(ct, cda);
2537 if (err < 0)
2538 return err;
2539 }
2540 if (cda[CTA_HELP]) {
2541 err = ctnetlink_change_helper(ct, cda);
2542 if (err < 0)
2543 return err;
2544 }
2545 if (cda[CTA_LABELS]) {
2546 err = ctnetlink_attach_labels(ct, cda);
2547 if (err < 0)
2548 return err;
2549 }
2550 #if defined(CONFIG_NF_CONNTRACK_MARK)
2551 if (cda[CTA_MARK]) {
2552 ctnetlink_change_mark(ct, cda);
2553 }
2554 #endif
2555 return 0;
2556 }
2557
2558 static int
2559 ctnetlink_glue_parse(const struct nlattr *attr, struct nf_conn *ct)
2560 {
2561 struct nlattr *cda[CTA_MAX+1];
2562 int ret;
2563
2564 ret = nla_parse_nested_deprecated(cda, CTA_MAX, attr, ct_nla_policy,
2565 NULL);
2566 if (ret < 0)
2567 return ret;
2568
2569 return ctnetlink_glue_parse_ct((const struct nlattr **)cda, ct);
2570 }
2571
2572 static int ctnetlink_glue_exp_parse(const struct nlattr * const *cda,
2573 const struct nf_conn *ct,
2574 struct nf_conntrack_tuple *tuple,
2575 struct nf_conntrack_tuple *mask)
2576 {
2577 int err;
2578
2579 err = ctnetlink_parse_tuple(cda, tuple, CTA_EXPECT_TUPLE,
2580 nf_ct_l3num(ct), NULL);
2581 if (err < 0)
2582 return err;
2583
2584 return ctnetlink_parse_tuple(cda, mask, CTA_EXPECT_MASK,
2585 nf_ct_l3num(ct), NULL);
2586 }
2587
2588 static int
2589 ctnetlink_glue_attach_expect(const struct nlattr *attr, struct nf_conn *ct,
2590 u32 portid, u32 report)
2591 {
2592 struct nlattr *cda[CTA_EXPECT_MAX+1];
2593 struct nf_conntrack_tuple tuple, mask;
2594 struct nf_conntrack_helper *helper = NULL;
2595 struct nf_conntrack_expect *exp;
2596 int err;
2597
2598 err = nla_parse_nested_deprecated(cda, CTA_EXPECT_MAX, attr,
2599 exp_nla_policy, NULL);
2600 if (err < 0)
2601 return err;
2602
2603 err = ctnetlink_glue_exp_parse((const struct nlattr * const *)cda,
2604 ct, &tuple, &mask);
2605 if (err < 0)
2606 return err;
2607
2608 if (cda[CTA_EXPECT_HELP_NAME]) {
2609 const char *helpname = nla_data(cda[CTA_EXPECT_HELP_NAME]);
2610
2611 helper = __nf_conntrack_helper_find(helpname, nf_ct_l3num(ct),
2612 nf_ct_protonum(ct));
2613 if (helper == NULL)
2614 return -EOPNOTSUPP;
2615 }
2616
2617 exp = ctnetlink_alloc_expect((const struct nlattr * const *)cda, ct,
2618 helper, &tuple, &mask);
2619 if (IS_ERR(exp))
2620 return PTR_ERR(exp);
2621
2622 err = nf_ct_expect_related_report(exp, portid, report, 0);
2623 nf_ct_expect_put(exp);
2624 return err;
2625 }
2626
2627 static void ctnetlink_glue_seqadj(struct sk_buff *skb, struct nf_conn *ct,
2628 enum ip_conntrack_info ctinfo, int diff)
2629 {
2630 if (!(ct->status & IPS_NAT_MASK))
2631 return;
2632
2633 nf_ct_tcp_seqadj_set(skb, ct, ctinfo, diff);
2634 }
2635
2636 static struct nfnl_ct_hook ctnetlink_glue_hook = {
2637 .get_ct = ctnetlink_glue_get_ct,
2638 .build_size = ctnetlink_glue_build_size,
2639 .build = ctnetlink_glue_build,
2640 .parse = ctnetlink_glue_parse,
2641 .attach_expect = ctnetlink_glue_attach_expect,
2642 .seq_adjust = ctnetlink_glue_seqadj,
2643 };
2644 #endif /* CONFIG_NETFILTER_NETLINK_GLUE_CT */
2645
2646 /***********************************************************************
2647 * EXPECT
2648 ***********************************************************************/
2649
2650 static int ctnetlink_exp_dump_tuple(struct sk_buff *skb,
2651 const struct nf_conntrack_tuple *tuple,
2652 u32 type)
2653 {
2654 struct nlattr *nest_parms;
2655
2656 nest_parms = nla_nest_start(skb, type);
2657 if (!nest_parms)
2658 goto nla_put_failure;
2659 if (ctnetlink_dump_tuples(skb, tuple) < 0)
2660 goto nla_put_failure;
2661 nla_nest_end(skb, nest_parms);
2662
2663 return 0;
2664
2665 nla_put_failure:
2666 return -1;
2667 }
2668
2669 static int ctnetlink_exp_dump_mask(struct sk_buff *skb,
2670 const struct nf_conntrack_tuple *tuple,
2671 const struct nf_conntrack_tuple_mask *mask)
2672 {
2673 const struct nf_conntrack_l4proto *l4proto;
2674 struct nf_conntrack_tuple m;
2675 struct nlattr *nest_parms;
2676 int ret;
2677
2678 memset(&m, 0xFF, sizeof(m));
2679 memcpy(&m.src.u3, &mask->src.u3, sizeof(m.src.u3));
2680 m.src.u.all = mask->src.u.all;
2681 m.dst.protonum = tuple->dst.protonum;
2682
2683 nest_parms = nla_nest_start(skb, CTA_EXPECT_MASK);
2684 if (!nest_parms)
2685 goto nla_put_failure;
2686
2687 rcu_read_lock();
2688 ret = ctnetlink_dump_tuples_ip(skb, &m);
2689 if (ret >= 0) {
2690 l4proto = nf_ct_l4proto_find(tuple->dst.protonum);
2691 ret = ctnetlink_dump_tuples_proto(skb, &m, l4proto);
2692 }
2693 rcu_read_unlock();
2694
2695 if (unlikely(ret < 0))
2696 goto nla_put_failure;
2697
2698 nla_nest_end(skb, nest_parms);
2699
2700 return 0;
2701
2702 nla_put_failure:
2703 return -1;
2704 }
2705
2706 static const union nf_inet_addr any_addr;
2707
2708 static __be32 nf_expect_get_id(const struct nf_conntrack_expect *exp)
2709 {
2710 static __read_mostly siphash_key_t exp_id_seed;
2711 unsigned long a, b, c, d;
2712
2713 net_get_random_once(&exp_id_seed, sizeof(exp_id_seed));
2714
2715 a = (unsigned long)exp;
2716 b = (unsigned long)exp->helper;
2717 c = (unsigned long)exp->master;
2718 d = (unsigned long)siphash(&exp->tuple, sizeof(exp->tuple), &exp_id_seed);
2719
2720 #ifdef CONFIG_64BIT
2721 return (__force __be32)siphash_4u64((u64)a, (u64)b, (u64)c, (u64)d, &exp_id_seed);
2722 #else
2723 return (__force __be32)siphash_4u32((u32)a, (u32)b, (u32)c, (u32)d, &exp_id_seed);
2724 #endif
2725 }
2726
2727 static int
2728 ctnetlink_exp_dump_expect(struct sk_buff *skb,
2729 const struct nf_conntrack_expect *exp)
2730 {
2731 struct nf_conn *master = exp->master;
2732 long timeout = ((long)exp->timeout.expires - (long)jiffies) / HZ;
2733 struct nf_conn_help *help;
2734 #if IS_ENABLED(CONFIG_NF_NAT)
2735 struct nlattr *nest_parms;
2736 struct nf_conntrack_tuple nat_tuple = {};
2737 #endif
2738 struct nf_ct_helper_expectfn *expfn;
2739
2740 if (timeout < 0)
2741 timeout = 0;
2742
2743 if (ctnetlink_exp_dump_tuple(skb, &exp->tuple, CTA_EXPECT_TUPLE) < 0)
2744 goto nla_put_failure;
2745 if (ctnetlink_exp_dump_mask(skb, &exp->tuple, &exp->mask) < 0)
2746 goto nla_put_failure;
2747 if (ctnetlink_exp_dump_tuple(skb,
2748 &master->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
2749 CTA_EXPECT_MASTER) < 0)
2750 goto nla_put_failure;
2751
2752 #if IS_ENABLED(CONFIG_NF_NAT)
2753 if (!nf_inet_addr_cmp(&exp->saved_addr, &any_addr) ||
2754 exp->saved_proto.all) {
2755 nest_parms = nla_nest_start(skb, CTA_EXPECT_NAT);
2756 if (!nest_parms)
2757 goto nla_put_failure;
2758
2759 if (nla_put_be32(skb, CTA_EXPECT_NAT_DIR, htonl(exp->dir)))
2760 goto nla_put_failure;
2761
2762 nat_tuple.src.l3num = nf_ct_l3num(master);
2763 nat_tuple.src.u3 = exp->saved_addr;
2764 nat_tuple.dst.protonum = nf_ct_protonum(master);
2765 nat_tuple.src.u = exp->saved_proto;
2766
2767 if (ctnetlink_exp_dump_tuple(skb, &nat_tuple,
2768 CTA_EXPECT_NAT_TUPLE) < 0)
2769 goto nla_put_failure;
2770 nla_nest_end(skb, nest_parms);
2771 }
2772 #endif
2773 if (nla_put_be32(skb, CTA_EXPECT_TIMEOUT, htonl(timeout)) ||
2774 nla_put_be32(skb, CTA_EXPECT_ID, nf_expect_get_id(exp)) ||
2775 nla_put_be32(skb, CTA_EXPECT_FLAGS, htonl(exp->flags)) ||
2776 nla_put_be32(skb, CTA_EXPECT_CLASS, htonl(exp->class)))
2777 goto nla_put_failure;
2778 help = nfct_help(master);
2779 if (help) {
2780 struct nf_conntrack_helper *helper;
2781
2782 helper = rcu_dereference(help->helper);
2783 if (helper &&
2784 nla_put_string(skb, CTA_EXPECT_HELP_NAME, helper->name))
2785 goto nla_put_failure;
2786 }
2787 expfn = nf_ct_helper_expectfn_find_by_symbol(exp->expectfn);
2788 if (expfn != NULL &&
2789 nla_put_string(skb, CTA_EXPECT_FN, expfn->name))
2790 goto nla_put_failure;
2791
2792 return 0;
2793
2794 nla_put_failure:
2795 return -1;
2796 }
2797
2798 static int
2799 ctnetlink_exp_fill_info(struct sk_buff *skb, u32 portid, u32 seq,
2800 int event, const struct nf_conntrack_expect *exp)
2801 {
2802 struct nlmsghdr *nlh;
2803 struct nfgenmsg *nfmsg;
2804 unsigned int flags = portid ? NLM_F_MULTI : 0;
2805
2806 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_EXP, event);
2807 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
2808 if (nlh == NULL)
2809 goto nlmsg_failure;
2810
2811 nfmsg = nlmsg_data(nlh);
2812 nfmsg->nfgen_family = exp->tuple.src.l3num;
2813 nfmsg->version = NFNETLINK_V0;
2814 nfmsg->res_id = 0;
2815
2816 if (ctnetlink_exp_dump_expect(skb, exp) < 0)
2817 goto nla_put_failure;
2818
2819 nlmsg_end(skb, nlh);
2820 return skb->len;
2821
2822 nlmsg_failure:
2823 nla_put_failure:
2824 nlmsg_cancel(skb, nlh);
2825 return -1;
2826 }
2827
2828 #ifdef CONFIG_NF_CONNTRACK_EVENTS
2829 static int
2830 ctnetlink_expect_event(unsigned int events, struct nf_exp_event *item)
2831 {
2832 struct nf_conntrack_expect *exp = item->exp;
2833 struct net *net = nf_ct_exp_net(exp);
2834 struct nlmsghdr *nlh;
2835 struct nfgenmsg *nfmsg;
2836 struct sk_buff *skb;
2837 unsigned int type, group;
2838 int flags = 0;
2839
2840 if (events & (1 << IPEXP_DESTROY)) {
2841 type = IPCTNL_MSG_EXP_DELETE;
2842 group = NFNLGRP_CONNTRACK_EXP_DESTROY;
2843 } else if (events & (1 << IPEXP_NEW)) {
2844 type = IPCTNL_MSG_EXP_NEW;
2845 flags = NLM_F_CREATE|NLM_F_EXCL;
2846 group = NFNLGRP_CONNTRACK_EXP_NEW;
2847 } else
2848 return 0;
2849
2850 if (!item->report && !nfnetlink_has_listeners(net, group))
2851 return 0;
2852
2853 skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
2854 if (skb == NULL)
2855 goto errout;
2856
2857 type = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_EXP, type);
2858 nlh = nlmsg_put(skb, item->portid, 0, type, sizeof(*nfmsg), flags);
2859 if (nlh == NULL)
2860 goto nlmsg_failure;
2861
2862 nfmsg = nlmsg_data(nlh);
2863 nfmsg->nfgen_family = exp->tuple.src.l3num;
2864 nfmsg->version = NFNETLINK_V0;
2865 nfmsg->res_id = 0;
2866
2867 if (ctnetlink_exp_dump_expect(skb, exp) < 0)
2868 goto nla_put_failure;
2869
2870 nlmsg_end(skb, nlh);
2871 nfnetlink_send(skb, net, item->portid, group, item->report, GFP_ATOMIC);
2872 return 0;
2873
2874 nla_put_failure:
2875 nlmsg_cancel(skb, nlh);
2876 nlmsg_failure:
2877 kfree_skb(skb);
2878 errout:
2879 nfnetlink_set_err(net, 0, 0, -ENOBUFS);
2880 return 0;
2881 }
2882 #endif
2883 static int ctnetlink_exp_done(struct netlink_callback *cb)
2884 {
2885 if (cb->args[1])
2886 nf_ct_expect_put((struct nf_conntrack_expect *)cb->args[1]);
2887 return 0;
2888 }
2889
2890 static int
2891 ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
2892 {
2893 struct net *net = sock_net(skb->sk);
2894 struct nf_conntrack_expect *exp, *last;
2895 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2896 u_int8_t l3proto = nfmsg->nfgen_family;
2897
2898 rcu_read_lock();
2899 last = (struct nf_conntrack_expect *)cb->args[1];
2900 for (; cb->args[0] < nf_ct_expect_hsize; cb->args[0]++) {
2901 restart:
2902 hlist_for_each_entry_rcu(exp, &nf_ct_expect_hash[cb->args[0]],
2903 hnode) {
2904 if (l3proto && exp->tuple.src.l3num != l3proto)
2905 continue;
2906
2907 if (!net_eq(nf_ct_net(exp->master), net))
2908 continue;
2909
2910 if (cb->args[1]) {
2911 if (exp != last)
2912 continue;
2913 cb->args[1] = 0;
2914 }
2915 if (ctnetlink_exp_fill_info(skb,
2916 NETLINK_CB(cb->skb).portid,
2917 cb->nlh->nlmsg_seq,
2918 IPCTNL_MSG_EXP_NEW,
2919 exp) < 0) {
2920 if (!refcount_inc_not_zero(&exp->use))
2921 continue;
2922 cb->args[1] = (unsigned long)exp;
2923 goto out;
2924 }
2925 }
2926 if (cb->args[1]) {
2927 cb->args[1] = 0;
2928 goto restart;
2929 }
2930 }
2931 out:
2932 rcu_read_unlock();
2933 if (last)
2934 nf_ct_expect_put(last);
2935
2936 return skb->len;
2937 }
2938
2939 static int
2940 ctnetlink_exp_ct_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
2941 {
2942 struct nf_conntrack_expect *exp, *last;
2943 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
2944 struct nf_conn *ct = cb->data;
2945 struct nf_conn_help *help = nfct_help(ct);
2946 u_int8_t l3proto = nfmsg->nfgen_family;
2947
2948 if (cb->args[0])
2949 return 0;
2950
2951 rcu_read_lock();
2952 last = (struct nf_conntrack_expect *)cb->args[1];
2953 restart:
2954 hlist_for_each_entry_rcu(exp, &help->expectations, lnode) {
2955 if (l3proto && exp->tuple.src.l3num != l3proto)
2956 continue;
2957 if (cb->args[1]) {
2958 if (exp != last)
2959 continue;
2960 cb->args[1] = 0;
2961 }
2962 if (ctnetlink_exp_fill_info(skb, NETLINK_CB(cb->skb).portid,
2963 cb->nlh->nlmsg_seq,
2964 IPCTNL_MSG_EXP_NEW,
2965 exp) < 0) {
2966 if (!refcount_inc_not_zero(&exp->use))
2967 continue;
2968 cb->args[1] = (unsigned long)exp;
2969 goto out;
2970 }
2971 }
2972 if (cb->args[1]) {
2973 cb->args[1] = 0;
2974 goto restart;
2975 }
2976 cb->args[0] = 1;
2977 out:
2978 rcu_read_unlock();
2979 if (last)
2980 nf_ct_expect_put(last);
2981
2982 return skb->len;
2983 }
2984
2985 static int ctnetlink_dump_exp_ct(struct net *net, struct sock *ctnl,
2986 struct sk_buff *skb,
2987 const struct nlmsghdr *nlh,
2988 const struct nlattr * const cda[],
2989 struct netlink_ext_ack *extack)
2990 {
2991 int err;
2992 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
2993 u_int8_t u3 = nfmsg->nfgen_family;
2994 struct nf_conntrack_tuple tuple;
2995 struct nf_conntrack_tuple_hash *h;
2996 struct nf_conn *ct;
2997 struct nf_conntrack_zone zone;
2998 struct netlink_dump_control c = {
2999 .dump = ctnetlink_exp_ct_dump_table,
3000 .done = ctnetlink_exp_done,
3001 };
3002
3003 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER,
3004 u3, NULL);
3005 if (err < 0)
3006 return err;
3007
3008 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
3009 if (err < 0)
3010 return err;
3011
3012 h = nf_conntrack_find_get(net, &zone, &tuple);
3013 if (!h)
3014 return -ENOENT;
3015
3016 ct = nf_ct_tuplehash_to_ctrack(h);
3017 /* No expectation linked to this connection tracking. */
3018 if (!nfct_help(ct)) {
3019 nf_ct_put(ct);
3020 return 0;
3021 }
3022
3023 c.data = ct;
3024
3025 err = netlink_dump_start(ctnl, skb, nlh, &c);
3026 nf_ct_put(ct);
3027
3028 return err;
3029 }
3030
3031 static int ctnetlink_get_expect(struct net *net, struct sock *ctnl,
3032 struct sk_buff *skb, const struct nlmsghdr *nlh,
3033 const struct nlattr * const cda[],
3034 struct netlink_ext_ack *extack)
3035 {
3036 struct nf_conntrack_tuple tuple;
3037 struct nf_conntrack_expect *exp;
3038 struct sk_buff *skb2;
3039 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3040 u_int8_t u3 = nfmsg->nfgen_family;
3041 struct nf_conntrack_zone zone;
3042 int err;
3043
3044 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3045 if (cda[CTA_EXPECT_MASTER])
3046 return ctnetlink_dump_exp_ct(net, ctnl, skb, nlh, cda,
3047 extack);
3048 else {
3049 struct netlink_dump_control c = {
3050 .dump = ctnetlink_exp_dump_table,
3051 .done = ctnetlink_exp_done,
3052 };
3053 return netlink_dump_start(ctnl, skb, nlh, &c);
3054 }
3055 }
3056
3057 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
3058 if (err < 0)
3059 return err;
3060
3061 if (cda[CTA_EXPECT_TUPLE])
3062 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE,
3063 u3, NULL);
3064 else if (cda[CTA_EXPECT_MASTER])
3065 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER,
3066 u3, NULL);
3067 else
3068 return -EINVAL;
3069
3070 if (err < 0)
3071 return err;
3072
3073 exp = nf_ct_expect_find_get(net, &zone, &tuple);
3074 if (!exp)
3075 return -ENOENT;
3076
3077 if (cda[CTA_EXPECT_ID]) {
3078 __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);
3079
3080 if (id != nf_expect_get_id(exp)) {
3081 nf_ct_expect_put(exp);
3082 return -ENOENT;
3083 }
3084 }
3085
3086 err = -ENOMEM;
3087 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
3088 if (skb2 == NULL) {
3089 nf_ct_expect_put(exp);
3090 goto out;
3091 }
3092
3093 rcu_read_lock();
3094 err = ctnetlink_exp_fill_info(skb2, NETLINK_CB(skb).portid,
3095 nlh->nlmsg_seq, IPCTNL_MSG_EXP_NEW, exp);
3096 rcu_read_unlock();
3097 nf_ct_expect_put(exp);
3098 if (err <= 0)
3099 goto free;
3100
3101 err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
3102 if (err < 0)
3103 goto out;
3104
3105 return 0;
3106
3107 free:
3108 kfree_skb(skb2);
3109 out:
3110 /* this avoids a loop in nfnetlink. */
3111 return err == -EAGAIN ? -ENOBUFS : err;
3112 }
3113
3114 static bool expect_iter_name(struct nf_conntrack_expect *exp, void *data)
3115 {
3116 const struct nf_conn_help *m_help;
3117 const char *name = data;
3118
3119 m_help = nfct_help(exp->master);
3120
3121 return strcmp(m_help->helper->name, name) == 0;
3122 }
3123
3124 static bool expect_iter_all(struct nf_conntrack_expect *exp, void *data)
3125 {
3126 return true;
3127 }
3128
3129 static int ctnetlink_del_expect(struct net *net, struct sock *ctnl,
3130 struct sk_buff *skb, const struct nlmsghdr *nlh,
3131 const struct nlattr * const cda[],
3132 struct netlink_ext_ack *extack)
3133 {
3134 struct nf_conntrack_expect *exp;
3135 struct nf_conntrack_tuple tuple;
3136 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3137 u_int8_t u3 = nfmsg->nfgen_family;
3138 struct nf_conntrack_zone zone;
3139 int err;
3140
3141 if (cda[CTA_EXPECT_TUPLE]) {
3142 /* delete a single expect by tuple */
3143 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
3144 if (err < 0)
3145 return err;
3146
3147 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE,
3148 u3, NULL);
3149 if (err < 0)
3150 return err;
3151
3152 /* bump usage count to 2 */
3153 exp = nf_ct_expect_find_get(net, &zone, &tuple);
3154 if (!exp)
3155 return -ENOENT;
3156
3157 if (cda[CTA_EXPECT_ID]) {
3158 __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);
3159 if (ntohl(id) != (u32)(unsigned long)exp) {
3160 nf_ct_expect_put(exp);
3161 return -ENOENT;
3162 }
3163 }
3164
3165 /* after list removal, usage count == 1 */
3166 spin_lock_bh(&nf_conntrack_expect_lock);
3167 if (del_timer(&exp->timeout)) {
3168 nf_ct_unlink_expect_report(exp, NETLINK_CB(skb).portid,
3169 nlmsg_report(nlh));
3170 nf_ct_expect_put(exp);
3171 }
3172 spin_unlock_bh(&nf_conntrack_expect_lock);
3173 /* have to put what we 'get' above.
3174 * after this line usage count == 0 */
3175 nf_ct_expect_put(exp);
3176 } else if (cda[CTA_EXPECT_HELP_NAME]) {
3177 char *name = nla_data(cda[CTA_EXPECT_HELP_NAME]);
3178
3179 nf_ct_expect_iterate_net(net, expect_iter_name, name,
3180 NETLINK_CB(skb).portid,
3181 nlmsg_report(nlh));
3182 } else {
3183 /* This basically means we have to flush everything*/
3184 nf_ct_expect_iterate_net(net, expect_iter_all, NULL,
3185 NETLINK_CB(skb).portid,
3186 nlmsg_report(nlh));
3187 }
3188
3189 return 0;
3190 }
3191 static int
3192 ctnetlink_change_expect(struct nf_conntrack_expect *x,
3193 const struct nlattr * const cda[])
3194 {
3195 if (cda[CTA_EXPECT_TIMEOUT]) {
3196 if (!del_timer(&x->timeout))
3197 return -ETIME;
3198
3199 x->timeout.expires = jiffies +
3200 ntohl(nla_get_be32(cda[CTA_EXPECT_TIMEOUT])) * HZ;
3201 add_timer(&x->timeout);
3202 }
3203 return 0;
3204 }
3205
3206 static const struct nla_policy exp_nat_nla_policy[CTA_EXPECT_NAT_MAX+1] = {
3207 [CTA_EXPECT_NAT_DIR] = { .type = NLA_U32 },
3208 [CTA_EXPECT_NAT_TUPLE] = { .type = NLA_NESTED },
3209 };
3210
3211 static int
3212 ctnetlink_parse_expect_nat(const struct nlattr *attr,
3213 struct nf_conntrack_expect *exp,
3214 u_int8_t u3)
3215 {
3216 #if IS_ENABLED(CONFIG_NF_NAT)
3217 struct nlattr *tb[CTA_EXPECT_NAT_MAX+1];
3218 struct nf_conntrack_tuple nat_tuple = {};
3219 int err;
3220
3221 err = nla_parse_nested_deprecated(tb, CTA_EXPECT_NAT_MAX, attr,
3222 exp_nat_nla_policy, NULL);
3223 if (err < 0)
3224 return err;
3225
3226 if (!tb[CTA_EXPECT_NAT_DIR] || !tb[CTA_EXPECT_NAT_TUPLE])
3227 return -EINVAL;
3228
3229 err = ctnetlink_parse_tuple((const struct nlattr * const *)tb,
3230 &nat_tuple, CTA_EXPECT_NAT_TUPLE,
3231 u3, NULL);
3232 if (err < 0)
3233 return err;
3234
3235 exp->saved_addr = nat_tuple.src.u3;
3236 exp->saved_proto = nat_tuple.src.u;
3237 exp->dir = ntohl(nla_get_be32(tb[CTA_EXPECT_NAT_DIR]));
3238
3239 return 0;
3240 #else
3241 return -EOPNOTSUPP;
3242 #endif
3243 }
3244
3245 static struct nf_conntrack_expect *
3246 ctnetlink_alloc_expect(const struct nlattr * const cda[], struct nf_conn *ct,
3247 struct nf_conntrack_helper *helper,
3248 struct nf_conntrack_tuple *tuple,
3249 struct nf_conntrack_tuple *mask)
3250 {
3251 u_int32_t class = 0;
3252 struct nf_conntrack_expect *exp;
3253 struct nf_conn_help *help;
3254 int err;
3255
3256 help = nfct_help(ct);
3257 if (!help)
3258 return ERR_PTR(-EOPNOTSUPP);
3259
3260 if (cda[CTA_EXPECT_CLASS] && helper) {
3261 class = ntohl(nla_get_be32(cda[CTA_EXPECT_CLASS]));
3262 if (class > helper->expect_class_max)
3263 return ERR_PTR(-EINVAL);
3264 }
3265 exp = nf_ct_expect_alloc(ct);
3266 if (!exp)
3267 return ERR_PTR(-ENOMEM);
3268
3269 if (cda[CTA_EXPECT_FLAGS]) {
3270 exp->flags = ntohl(nla_get_be32(cda[CTA_EXPECT_FLAGS]));
3271 exp->flags &= ~NF_CT_EXPECT_USERSPACE;
3272 } else {
3273 exp->flags = 0;
3274 }
3275 if (cda[CTA_EXPECT_FN]) {
3276 const char *name = nla_data(cda[CTA_EXPECT_FN]);
3277 struct nf_ct_helper_expectfn *expfn;
3278
3279 expfn = nf_ct_helper_expectfn_find_by_name(name);
3280 if (expfn == NULL) {
3281 err = -EINVAL;
3282 goto err_out;
3283 }
3284 exp->expectfn = expfn->expectfn;
3285 } else
3286 exp->expectfn = NULL;
3287
3288 exp->class = class;
3289 exp->master = ct;
3290 exp->helper = helper;
3291 exp->tuple = *tuple;
3292 exp->mask.src.u3 = mask->src.u3;
3293 exp->mask.src.u.all = mask->src.u.all;
3294
3295 if (cda[CTA_EXPECT_NAT]) {
3296 err = ctnetlink_parse_expect_nat(cda[CTA_EXPECT_NAT],
3297 exp, nf_ct_l3num(ct));
3298 if (err < 0)
3299 goto err_out;
3300 }
3301 return exp;
3302 err_out:
3303 nf_ct_expect_put(exp);
3304 return ERR_PTR(err);
3305 }
3306
3307 static int
3308 ctnetlink_create_expect(struct net *net,
3309 const struct nf_conntrack_zone *zone,
3310 const struct nlattr * const cda[],
3311 u_int8_t u3, u32 portid, int report)
3312 {
3313 struct nf_conntrack_tuple tuple, mask, master_tuple;
3314 struct nf_conntrack_tuple_hash *h = NULL;
3315 struct nf_conntrack_helper *helper = NULL;
3316 struct nf_conntrack_expect *exp;
3317 struct nf_conn *ct;
3318 int err;
3319
3320 /* caller guarantees that those three CTA_EXPECT_* exist */
3321 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE,
3322 u3, NULL);
3323 if (err < 0)
3324 return err;
3325 err = ctnetlink_parse_tuple(cda, &mask, CTA_EXPECT_MASK,
3326 u3, NULL);
3327 if (err < 0)
3328 return err;
3329 err = ctnetlink_parse_tuple(cda, &master_tuple, CTA_EXPECT_MASTER,
3330 u3, NULL);
3331 if (err < 0)
3332 return err;
3333
3334 /* Look for master conntrack of this expectation */
3335 h = nf_conntrack_find_get(net, zone, &master_tuple);
3336 if (!h)
3337 return -ENOENT;
3338 ct = nf_ct_tuplehash_to_ctrack(h);
3339
3340 rcu_read_lock();
3341 if (cda[CTA_EXPECT_HELP_NAME]) {
3342 const char *helpname = nla_data(cda[CTA_EXPECT_HELP_NAME]);
3343
3344 helper = __nf_conntrack_helper_find(helpname, u3,
3345 nf_ct_protonum(ct));
3346 if (helper == NULL) {
3347 rcu_read_unlock();
3348 #ifdef CONFIG_MODULES
3349 if (request_module("nfct-helper-%s", helpname) < 0) {
3350 err = -EOPNOTSUPP;
3351 goto err_ct;
3352 }
3353 rcu_read_lock();
3354 helper = __nf_conntrack_helper_find(helpname, u3,
3355 nf_ct_protonum(ct));
3356 if (helper) {
3357 err = -EAGAIN;
3358 goto err_rcu;
3359 }
3360 rcu_read_unlock();
3361 #endif
3362 err = -EOPNOTSUPP;
3363 goto err_ct;
3364 }
3365 }
3366
3367 exp = ctnetlink_alloc_expect(cda, ct, helper, &tuple, &mask);
3368 if (IS_ERR(exp)) {
3369 err = PTR_ERR(exp);
3370 goto err_rcu;
3371 }
3372
3373 err = nf_ct_expect_related_report(exp, portid, report, 0);
3374 nf_ct_expect_put(exp);
3375 err_rcu:
3376 rcu_read_unlock();
3377 err_ct:
3378 nf_ct_put(ct);
3379 return err;
3380 }
3381
3382 static int ctnetlink_new_expect(struct net *net, struct sock *ctnl,
3383 struct sk_buff *skb, const struct nlmsghdr *nlh,
3384 const struct nlattr * const cda[],
3385 struct netlink_ext_ack *extack)
3386 {
3387 struct nf_conntrack_tuple tuple;
3388 struct nf_conntrack_expect *exp;
3389 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
3390 u_int8_t u3 = nfmsg->nfgen_family;
3391 struct nf_conntrack_zone zone;
3392 int err;
3393
3394 if (!cda[CTA_EXPECT_TUPLE]
3395 || !cda[CTA_EXPECT_MASK]
3396 || !cda[CTA_EXPECT_MASTER])
3397 return -EINVAL;
3398
3399 err = ctnetlink_parse_zone(cda[CTA_EXPECT_ZONE], &zone);
3400 if (err < 0)
3401 return err;
3402
3403 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE,
3404 u3, NULL);
3405 if (err < 0)
3406 return err;
3407
3408 spin_lock_bh(&nf_conntrack_expect_lock);
3409 exp = __nf_ct_expect_find(net, &zone, &tuple);
3410 if (!exp) {
3411 spin_unlock_bh(&nf_conntrack_expect_lock);
3412 err = -ENOENT;
3413 if (nlh->nlmsg_flags & NLM_F_CREATE) {
3414 err = ctnetlink_create_expect(net, &zone, cda, u3,
3415 NETLINK_CB(skb).portid,
3416 nlmsg_report(nlh));
3417 }
3418 return err;
3419 }
3420
3421 err = -EEXIST;
3422 if (!(nlh->nlmsg_flags & NLM_F_EXCL))
3423 err = ctnetlink_change_expect(exp, cda);
3424 spin_unlock_bh(&nf_conntrack_expect_lock);
3425
3426 return err;
3427 }
3428
3429 static int
3430 ctnetlink_exp_stat_fill_info(struct sk_buff *skb, u32 portid, u32 seq, int cpu,
3431 const struct ip_conntrack_stat *st)
3432 {
3433 struct nlmsghdr *nlh;
3434 struct nfgenmsg *nfmsg;
3435 unsigned int flags = portid ? NLM_F_MULTI : 0, event;
3436
3437 event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK,
3438 IPCTNL_MSG_EXP_GET_STATS_CPU);
3439 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
3440 if (nlh == NULL)
3441 goto nlmsg_failure;
3442
3443 nfmsg = nlmsg_data(nlh);
3444 nfmsg->nfgen_family = AF_UNSPEC;
3445 nfmsg->version = NFNETLINK_V0;
3446 nfmsg->res_id = htons(cpu);
3447
3448 if (nla_put_be32(skb, CTA_STATS_EXP_NEW, htonl(st->expect_new)) ||
3449 nla_put_be32(skb, CTA_STATS_EXP_CREATE, htonl(st->expect_create)) ||
3450 nla_put_be32(skb, CTA_STATS_EXP_DELETE, htonl(st->expect_delete)))
3451 goto nla_put_failure;
3452
3453 nlmsg_end(skb, nlh);
3454 return skb->len;
3455
3456 nla_put_failure:
3457 nlmsg_failure:
3458 nlmsg_cancel(skb, nlh);
3459 return -1;
3460 }
3461
3462 static int
3463 ctnetlink_exp_stat_cpu_dump(struct sk_buff *skb, struct netlink_callback *cb)
3464 {
3465 int cpu;
3466 struct net *net = sock_net(skb->sk);
3467
3468 if (cb->args[0] == nr_cpu_ids)
3469 return 0;
3470
3471 for (cpu = cb->args[0]; cpu < nr_cpu_ids; cpu++) {
3472 const struct ip_conntrack_stat *st;
3473
3474 if (!cpu_possible(cpu))
3475 continue;
3476
3477 st = per_cpu_ptr(net->ct.stat, cpu);
3478 if (ctnetlink_exp_stat_fill_info(skb, NETLINK_CB(cb->skb).portid,
3479 cb->nlh->nlmsg_seq,
3480 cpu, st) < 0)
3481 break;
3482 }
3483 cb->args[0] = cpu;
3484
3485 return skb->len;
3486 }
3487
3488 static int ctnetlink_stat_exp_cpu(struct net *net, struct sock *ctnl,
3489 struct sk_buff *skb,
3490 const struct nlmsghdr *nlh,
3491 const struct nlattr * const cda[],
3492 struct netlink_ext_ack *extack)
3493 {
3494 if (nlh->nlmsg_flags & NLM_F_DUMP) {
3495 struct netlink_dump_control c = {
3496 .dump = ctnetlink_exp_stat_cpu_dump,
3497 };
3498 return netlink_dump_start(ctnl, skb, nlh, &c);
3499 }
3500
3501 return 0;
3502 }
3503
3504 #ifdef CONFIG_NF_CONNTRACK_EVENTS
3505 static struct nf_ct_event_notifier ctnl_notifier = {
3506 .fcn = ctnetlink_conntrack_event,
3507 };
3508
3509 static struct nf_exp_event_notifier ctnl_notifier_exp = {
3510 .fcn = ctnetlink_expect_event,
3511 };
3512 #endif
3513
3514 static const struct nfnl_callback ctnl_cb[IPCTNL_MSG_MAX] = {
3515 [IPCTNL_MSG_CT_NEW] = { .call = ctnetlink_new_conntrack,
3516 .attr_count = CTA_MAX,
3517 .policy = ct_nla_policy },
3518 [IPCTNL_MSG_CT_GET] = { .call = ctnetlink_get_conntrack,
3519 .attr_count = CTA_MAX,
3520 .policy = ct_nla_policy },
3521 [IPCTNL_MSG_CT_DELETE] = { .call = ctnetlink_del_conntrack,
3522 .attr_count = CTA_MAX,
3523 .policy = ct_nla_policy },
3524 [IPCTNL_MSG_CT_GET_CTRZERO] = { .call = ctnetlink_get_conntrack,
3525 .attr_count = CTA_MAX,
3526 .policy = ct_nla_policy },
3527 [IPCTNL_MSG_CT_GET_STATS_CPU] = { .call = ctnetlink_stat_ct_cpu },
3528 [IPCTNL_MSG_CT_GET_STATS] = { .call = ctnetlink_stat_ct },
3529 [IPCTNL_MSG_CT_GET_DYING] = { .call = ctnetlink_get_ct_dying },
3530 [IPCTNL_MSG_CT_GET_UNCONFIRMED] = { .call = ctnetlink_get_ct_unconfirmed },
3531 };
3532
3533 static const struct nfnl_callback ctnl_exp_cb[IPCTNL_MSG_EXP_MAX] = {
3534 [IPCTNL_MSG_EXP_GET] = { .call = ctnetlink_get_expect,
3535 .attr_count = CTA_EXPECT_MAX,
3536 .policy = exp_nla_policy },
3537 [IPCTNL_MSG_EXP_NEW] = { .call = ctnetlink_new_expect,
3538 .attr_count = CTA_EXPECT_MAX,
3539 .policy = exp_nla_policy },
3540 [IPCTNL_MSG_EXP_DELETE] = { .call = ctnetlink_del_expect,
3541 .attr_count = CTA_EXPECT_MAX,
3542 .policy = exp_nla_policy },
3543 [IPCTNL_MSG_EXP_GET_STATS_CPU] = { .call = ctnetlink_stat_exp_cpu },
3544 };
3545
3546 static const struct nfnetlink_subsystem ctnl_subsys = {
3547 .name = "conntrack",
3548 .subsys_id = NFNL_SUBSYS_CTNETLINK,
3549 .cb_count = IPCTNL_MSG_MAX,
3550 .cb = ctnl_cb,
3551 };
3552
3553 static const struct nfnetlink_subsystem ctnl_exp_subsys = {
3554 .name = "conntrack_expect",
3555 .subsys_id = NFNL_SUBSYS_CTNETLINK_EXP,
3556 .cb_count = IPCTNL_MSG_EXP_MAX,
3557 .cb = ctnl_exp_cb,
3558 };
3559
3560 MODULE_ALIAS("ip_conntrack_netlink");
3561 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK);
3562 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK_EXP);
3563
3564 static int __net_init ctnetlink_net_init(struct net *net)
3565 {
3566 #ifdef CONFIG_NF_CONNTRACK_EVENTS
3567 int ret;
3568
3569 ret = nf_conntrack_register_notifier(net, &ctnl_notifier);
3570 if (ret < 0) {
3571 pr_err("ctnetlink_init: cannot register notifier.\n");
3572 goto err_out;
3573 }
3574
3575 ret = nf_ct_expect_register_notifier(net, &ctnl_notifier_exp);
3576 if (ret < 0) {
3577 pr_err("ctnetlink_init: cannot expect register notifier.\n");
3578 goto err_unreg_notifier;
3579 }
3580 #endif
3581 return 0;
3582
3583 #ifdef CONFIG_NF_CONNTRACK_EVENTS
3584 err_unreg_notifier:
3585 nf_conntrack_unregister_notifier(net, &ctnl_notifier);
3586 err_out:
3587 return ret;
3588 #endif
3589 }
3590
3591 static void ctnetlink_net_exit(struct net *net)
3592 {
3593 #ifdef CONFIG_NF_CONNTRACK_EVENTS
3594 nf_ct_expect_unregister_notifier(net, &ctnl_notifier_exp);
3595 nf_conntrack_unregister_notifier(net, &ctnl_notifier);
3596 #endif
3597 }
3598
3599 static void __net_exit ctnetlink_net_exit_batch(struct list_head *net_exit_list)
3600 {
3601 struct net *net;
3602
3603 list_for_each_entry(net, net_exit_list, exit_list)
3604 ctnetlink_net_exit(net);
3605
3606 /* wait for other cpus until they are done with ctnl_notifiers */
3607 synchronize_rcu();
3608 }
3609
3610 static struct pernet_operations ctnetlink_net_ops = {
3611 .init = ctnetlink_net_init,
3612 .exit_batch = ctnetlink_net_exit_batch,
3613 };
3614
3615 static int __init ctnetlink_init(void)
3616 {
3617 int ret;
3618
3619 ret = nfnetlink_subsys_register(&ctnl_subsys);
3620 if (ret < 0) {
3621 pr_err("ctnetlink_init: cannot register with nfnetlink.\n");
3622 goto err_out;
3623 }
3624
3625 ret = nfnetlink_subsys_register(&ctnl_exp_subsys);
3626 if (ret < 0) {
3627 pr_err("ctnetlink_init: cannot register exp with nfnetlink.\n");
3628 goto err_unreg_subsys;
3629 }
3630
3631 ret = register_pernet_subsys(&ctnetlink_net_ops);
3632 if (ret < 0) {
3633 pr_err("ctnetlink_init: cannot register pernet operations\n");
3634 goto err_unreg_exp_subsys;
3635 }
3636 #ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT
3637 /* setup interaction between nf_queue and nf_conntrack_netlink. */
3638 RCU_INIT_POINTER(nfnl_ct_hook, &ctnetlink_glue_hook);
3639 #endif
3640 return 0;
3641
3642 err_unreg_exp_subsys:
3643 nfnetlink_subsys_unregister(&ctnl_exp_subsys);
3644 err_unreg_subsys:
3645 nfnetlink_subsys_unregister(&ctnl_subsys);
3646 err_out:
3647 return ret;
3648 }
3649
3650 static void __exit ctnetlink_exit(void)
3651 {
3652 unregister_pernet_subsys(&ctnetlink_net_ops);
3653 nfnetlink_subsys_unregister(&ctnl_exp_subsys);
3654 nfnetlink_subsys_unregister(&ctnl_subsys);
3655 #ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT
3656 RCU_INIT_POINTER(nfnl_ct_hook, NULL);
3657 #endif
3658 synchronize_rcu();
3659 }
3660
3661 module_init(ctnetlink_init);
3662 module_exit(ctnetlink_exit);
Ubuntu Focal Linux kernel mirror