2 * (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
3 * (C) 2012 by Vyatta Inc. <http://www.vyatta.com>
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation (or any later at your option).
9 #include <linux/init.h>
10 #include <linux/module.h>
11 #include <linux/kernel.h>
12 #include <linux/rculist.h>
13 #include <linux/rculist_nulls.h>
14 #include <linux/types.h>
15 #include <linux/timer.h>
16 #include <linux/security.h>
17 #include <linux/skbuff.h>
18 #include <linux/errno.h>
19 #include <linux/netlink.h>
20 #include <linux/spinlock.h>
21 #include <linux/interrupt.h>
22 #include <linux/slab.h>
24 #include <linux/netfilter.h>
25 #include <net/netlink.h>
27 #include <net/netfilter/nf_conntrack.h>
28 #include <net/netfilter/nf_conntrack_core.h>
29 #include <net/netfilter/nf_conntrack_l3proto.h>
30 #include <net/netfilter/nf_conntrack_l4proto.h>
31 #include <net/netfilter/nf_conntrack_tuple.h>
33 #include <linux/netfilter/nfnetlink.h>
34 #include <linux/netfilter/nfnetlink_cttimeout.h>
36 MODULE_LICENSE("GPL");
37 MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
38 MODULE_DESCRIPTION("cttimeout: Extended Netfilter Connection Tracking timeout tuning");
40 static LIST_HEAD(cttimeout_list
);
42 static const struct nla_policy cttimeout_nla_policy
[CTA_TIMEOUT_MAX
+1] = {
43 [CTA_TIMEOUT_NAME
] = { .type
= NLA_NUL_STRING
},
44 [CTA_TIMEOUT_L3PROTO
] = { .type
= NLA_U16
},
45 [CTA_TIMEOUT_L4PROTO
] = { .type
= NLA_U8
},
46 [CTA_TIMEOUT_DATA
] = { .type
= NLA_NESTED
},
50 ctnl_timeout_parse_policy(struct ctnl_timeout
*timeout
,
51 struct nf_conntrack_l4proto
*l4proto
,
52 const struct nlattr
*attr
)
56 if (likely(l4proto
->ctnl_timeout
.nlattr_to_obj
)) {
57 struct nlattr
*tb
[l4proto
->ctnl_timeout
.nlattr_max
+1];
59 nla_parse_nested(tb
, l4proto
->ctnl_timeout
.nlattr_max
,
60 attr
, l4proto
->ctnl_timeout
.nla_policy
);
62 ret
= l4proto
->ctnl_timeout
.nlattr_to_obj(tb
, &timeout
->data
);
68 cttimeout_new_timeout(struct sock
*ctnl
, struct sk_buff
*skb
,
69 const struct nlmsghdr
*nlh
,
70 const struct nlattr
* const cda
[])
74 struct nf_conntrack_l4proto
*l4proto
;
75 struct ctnl_timeout
*timeout
, *matching
= NULL
;
79 if (!cda
[CTA_TIMEOUT_NAME
] ||
80 !cda
[CTA_TIMEOUT_L3PROTO
] ||
81 !cda
[CTA_TIMEOUT_L4PROTO
] ||
82 !cda
[CTA_TIMEOUT_DATA
])
85 name
= nla_data(cda
[CTA_TIMEOUT_NAME
]);
86 l3num
= ntohs(nla_get_be16(cda
[CTA_TIMEOUT_L3PROTO
]));
87 l4num
= nla_get_u8(cda
[CTA_TIMEOUT_L4PROTO
]);
89 list_for_each_entry(timeout
, &cttimeout_list
, head
) {
90 if (strncmp(timeout
->name
, name
, CTNL_TIMEOUT_NAME_MAX
) != 0)
93 if (nlh
->nlmsg_flags
& NLM_F_EXCL
)
100 l4proto
= __nf_ct_l4proto_find(l3num
, l4num
);
102 /* This protocol is not supportted, skip. */
103 if (l4proto
->l4proto
!= l4num
)
107 if (nlh
->nlmsg_flags
& NLM_F_REPLACE
) {
108 /* You cannot replace one timeout policy by another of
109 * different kind, sorry.
111 if (matching
->l3num
!= l3num
||
112 matching
->l4num
!= l4num
)
115 ret
= ctnl_timeout_parse_policy(matching
, l4proto
,
116 cda
[CTA_TIMEOUT_DATA
]);
122 timeout
= kzalloc(sizeof(struct ctnl_timeout
) +
123 l4proto
->ctnl_timeout
.obj_size
, GFP_KERNEL
);
127 ret
= ctnl_timeout_parse_policy(timeout
, l4proto
,
128 cda
[CTA_TIMEOUT_DATA
]);
132 strcpy(timeout
->name
, nla_data(cda
[CTA_TIMEOUT_NAME
]));
133 timeout
->l3num
= l3num
;
134 timeout
->l4num
= l4num
;
135 atomic_set(&timeout
->refcnt
, 1);
136 list_add_tail_rcu(&timeout
->head
, &cttimeout_list
);
145 ctnl_timeout_fill_info(struct sk_buff
*skb
, u32 pid
, u32 seq
, u32 type
,
146 int event
, struct ctnl_timeout
*timeout
)
148 struct nlmsghdr
*nlh
;
149 struct nfgenmsg
*nfmsg
;
150 unsigned int flags
= pid
? NLM_F_MULTI
: 0;
151 struct nf_conntrack_l4proto
*l4proto
;
153 event
|= NFNL_SUBSYS_CTNETLINK_TIMEOUT
<< 8;
154 nlh
= nlmsg_put(skb
, pid
, seq
, event
, sizeof(*nfmsg
), flags
);
158 nfmsg
= nlmsg_data(nlh
);
159 nfmsg
->nfgen_family
= AF_UNSPEC
;
160 nfmsg
->version
= NFNETLINK_V0
;
163 NLA_PUT_STRING(skb
, CTA_TIMEOUT_NAME
, timeout
->name
);
164 NLA_PUT_BE16(skb
, CTA_TIMEOUT_L3PROTO
, htons(timeout
->l3num
));
165 NLA_PUT_U8(skb
, CTA_TIMEOUT_L4PROTO
, timeout
->l4num
);
166 NLA_PUT_BE32(skb
, CTA_TIMEOUT_USE
,
167 htonl(atomic_read(&timeout
->refcnt
)));
169 l4proto
= __nf_ct_l4proto_find(timeout
->l3num
, timeout
->l4num
);
171 /* If the timeout object does not match the layer 4 protocol tracker,
172 * then skip dumping the data part since we don't know how to
173 * interpret it. This may happen for UPDlite, SCTP and DCCP since
174 * you can unload the module.
176 if (timeout
->l4num
!= l4proto
->l4proto
)
179 if (likely(l4proto
->ctnl_timeout
.obj_to_nlattr
)) {
180 struct nlattr
*nest_parms
;
183 nest_parms
= nla_nest_start(skb
,
184 CTA_TIMEOUT_DATA
| NLA_F_NESTED
);
186 goto nla_put_failure
;
188 ret
= l4proto
->ctnl_timeout
.obj_to_nlattr(skb
, &timeout
->data
);
190 goto nla_put_failure
;
192 nla_nest_end(skb
, nest_parms
);
200 nlmsg_cancel(skb
, nlh
);
205 ctnl_timeout_dump(struct sk_buff
*skb
, struct netlink_callback
*cb
)
207 struct ctnl_timeout
*cur
, *last
;
212 last
= (struct ctnl_timeout
*)cb
->args
[1];
217 list_for_each_entry_rcu(cur
, &cttimeout_list
, head
) {
218 if (last
&& cur
!= last
)
221 if (ctnl_timeout_fill_info(skb
, NETLINK_CB(cb
->skb
).pid
,
223 NFNL_MSG_TYPE(cb
->nlh
->nlmsg_type
),
224 IPCTNL_MSG_TIMEOUT_NEW
, cur
) < 0) {
225 cb
->args
[1] = (unsigned long)cur
;
236 cttimeout_get_timeout(struct sock
*ctnl
, struct sk_buff
*skb
,
237 const struct nlmsghdr
*nlh
,
238 const struct nlattr
* const cda
[])
242 struct ctnl_timeout
*cur
;
244 if (nlh
->nlmsg_flags
& NLM_F_DUMP
) {
245 struct netlink_dump_control c
= {
246 .dump
= ctnl_timeout_dump
,
248 return netlink_dump_start(ctnl
, skb
, nlh
, &c
);
251 if (!cda
[CTA_TIMEOUT_NAME
])
253 name
= nla_data(cda
[CTA_TIMEOUT_NAME
]);
255 list_for_each_entry(cur
, &cttimeout_list
, head
) {
256 struct sk_buff
*skb2
;
258 if (strncmp(cur
->name
, name
, CTNL_TIMEOUT_NAME_MAX
) != 0)
261 skb2
= nlmsg_new(NLMSG_DEFAULT_SIZE
, GFP_KERNEL
);
267 ret
= ctnl_timeout_fill_info(skb2
, NETLINK_CB(skb
).pid
,
269 NFNL_MSG_TYPE(nlh
->nlmsg_type
),
270 IPCTNL_MSG_TIMEOUT_NEW
, cur
);
275 ret
= netlink_unicast(ctnl
, skb2
, NETLINK_CB(skb
).pid
,
280 /* this avoids a loop in nfnetlink. */
281 return ret
== -EAGAIN
? -ENOBUFS
: ret
;
286 /* try to delete object, fail if it is still in use. */
287 static int ctnl_timeout_try_del(struct ctnl_timeout
*timeout
)
291 /* we want to avoid races with nf_ct_timeout_find_get. */
292 if (atomic_dec_and_test(&timeout
->refcnt
)) {
293 /* We are protected by nfnl mutex. */
294 list_del_rcu(&timeout
->head
);
295 kfree_rcu(timeout
, rcu_head
);
297 /* still in use, restore reference counter. */
298 atomic_inc(&timeout
->refcnt
);
305 cttimeout_del_timeout(struct sock
*ctnl
, struct sk_buff
*skb
,
306 const struct nlmsghdr
*nlh
,
307 const struct nlattr
* const cda
[])
310 struct ctnl_timeout
*cur
;
313 if (!cda
[CTA_TIMEOUT_NAME
]) {
314 list_for_each_entry(cur
, &cttimeout_list
, head
)
315 ctnl_timeout_try_del(cur
);
319 name
= nla_data(cda
[CTA_TIMEOUT_NAME
]);
321 list_for_each_entry(cur
, &cttimeout_list
, head
) {
322 if (strncmp(cur
->name
, name
, CTNL_TIMEOUT_NAME_MAX
) != 0)
325 ret
= ctnl_timeout_try_del(cur
);
334 static const struct nfnl_callback cttimeout_cb
[IPCTNL_MSG_TIMEOUT_MAX
] = {
335 [IPCTNL_MSG_TIMEOUT_NEW
] = { .call
= cttimeout_new_timeout
,
336 .attr_count
= CTA_TIMEOUT_MAX
,
337 .policy
= cttimeout_nla_policy
},
338 [IPCTNL_MSG_TIMEOUT_GET
] = { .call
= cttimeout_get_timeout
,
339 .attr_count
= CTA_TIMEOUT_MAX
,
340 .policy
= cttimeout_nla_policy
},
341 [IPCTNL_MSG_TIMEOUT_DELETE
] = { .call
= cttimeout_del_timeout
,
342 .attr_count
= CTA_TIMEOUT_MAX
,
343 .policy
= cttimeout_nla_policy
},
346 static const struct nfnetlink_subsystem cttimeout_subsys
= {
347 .name
= "conntrack_timeout",
348 .subsys_id
= NFNL_SUBSYS_CTNETLINK_TIMEOUT
,
349 .cb_count
= IPCTNL_MSG_TIMEOUT_MAX
,
353 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK_TIMEOUT
);
355 static int __init
cttimeout_init(void)
359 ret
= nfnetlink_subsys_register(&cttimeout_subsys
);
361 pr_err("cttimeout_init: cannot register cttimeout with "
371 static void __exit
cttimeout_exit(void)
373 struct ctnl_timeout
*cur
, *tmp
;
375 pr_info("cttimeout: unregistering from nfnetlink.\n");
377 nfnetlink_subsys_unregister(&cttimeout_subsys
);
378 list_for_each_entry_safe(cur
, tmp
, &cttimeout_list
, head
) {
379 list_del_rcu(&cur
->head
);
380 /* We are sure that our objects have no clients at this point,
381 * it's safe to release them all without checking refcnt.
383 kfree_rcu(cur
, rcu_head
);
387 module_init(cttimeout_init
);
388 module_exit(cttimeout_exit
);