]> git.proxmox.com Git - mirror_ubuntu-artful-kernel.git/blame - net/netfilter/nf_conntrack_core.c
projects / mirror_ubuntu-artful-kernel.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
[TCP] Vegas: Increase default alpha to 2 and beta to 4.
[mirror_ubuntu-artful-kernel.git] / net / netfilter / nf_conntrack_core.c
CommitLineData
9fb9cbb1
YK		 1/* Connection state tracking for netfilter. This is separated from,
2 but required by, the NAT layer; it can also be used by an iptables
3 extension. */
4
5/* (C) 1999-2001 Paul `Rusty' Russell
dc808fe2 6 * (C) 2002-2006 Netfilter Core Team <coreteam@netfilter.org>
9fb9cbb1
YK		 7 * (C) 2003,2004 USAGI/WIDE Project <http://www.linux-ipv6.org>
8 *
9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License version 2 as
11 * published by the Free Software Foundation.
12 *
13 * 23 Apr 2001: Harald Welte <laforge@gnumonks.org>
14 * - new API and handling of conntrack/nat helpers
15 * - now capable of multiple expectations for one master
16 * 16 Jul 2002: Harald Welte <laforge@gnumonks.org>
17 * - add usage/reference counts to ip_conntrack_expect
18 * - export ip_conntrack[_expect]_{find_get,put} functions
19 * 16 Dec 2003: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp>
20 * - generalize L3 protocol denendent part.
21 * 23 Mar 2004: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp>
22 * - add support various size of conntrack structures.
dc808fe2
HW		 23 * 26 Jan 2006: Harald Welte <laforge@netfilter.org>
24 * - restructure nf_conn (introduce nf_conn_help)
25 * - redesign 'features' how they were originally intended
b9f78f9f
PNA		 26 * 26 Feb 2006: Pablo Neira Ayuso <pablo@eurodev.net>
27 * - add support for L3 protocol module load on demand.
9fb9cbb1
YK		 28 *
29 * Derived from net/ipv4/netfilter/ip_conntrack_core.c
30 */
31
9fb9cbb1
YK		 32#include <linux/types.h>
33#include <linux/netfilter.h>
34#include <linux/module.h>
35#include <linux/skbuff.h>
36#include <linux/proc_fs.h>
37#include <linux/vmalloc.h>
38#include <linux/stddef.h>
39#include <linux/slab.h>
40#include <linux/random.h>
41#include <linux/jhash.h>
42#include <linux/err.h>
43#include <linux/percpu.h>
44#include <linux/moduleparam.h>
45#include <linux/notifier.h>
46#include <linux/kernel.h>
47#include <linux/netdevice.h>
48#include <linux/socket.h>
49
50/* This rwlock protects the main hash table, protocol/helper/expected
51 registrations, conntrack timers*/
52#define ASSERT_READ_LOCK(x)
53#define ASSERT_WRITE_LOCK(x)
54
55#include <net/netfilter/nf_conntrack.h>
56#include <net/netfilter/nf_conntrack_l3proto.h>
57#include <net/netfilter/nf_conntrack_protocol.h>
58#include <net/netfilter/nf_conntrack_helper.h>
59#include <net/netfilter/nf_conntrack_core.h>
9fb9cbb1 60
dc808fe2 61#define NF_CONNTRACK_VERSION "0.5.0"
9fb9cbb1
YK		 62
63#if 0
64#define DEBUGP printk
65#else
66#define DEBUGP(format, args...)
67#endif
68
69DEFINE_RWLOCK(nf_conntrack_lock);
70
71/* nf_conntrack_standalone needs this */
72atomic_t nf_conntrack_count = ATOMIC_INIT(0);
73
74void (*nf_conntrack_destroyed)(struct nf_conn *conntrack) = NULL;
75LIST_HEAD(nf_conntrack_expect_list);
1192e403
BH		 76struct nf_conntrack_protocol **nf_ct_protos[PF_MAX] __read_mostly;
77struct nf_conntrack_l3proto *nf_ct_l3protos[PF_MAX] __read_mostly;
9fb9cbb1 78static LIST_HEAD(helpers);
94aec08e
BH		 79unsigned int nf_conntrack_htable_size __read_mostly = 0;
80int nf_conntrack_max __read_mostly;
1192e403
BH		 81struct list_head *nf_conntrack_hash __read_mostly;
82static kmem_cache_t *nf_conntrack_expect_cachep __read_mostly;
9fb9cbb1 83struct nf_conn nf_conntrack_untracked;
94aec08e 84unsigned int nf_ct_log_invalid __read_mostly;
9fb9cbb1 85static LIST_HEAD(unconfirmed);
1192e403 86static int nf_conntrack_vmalloc __read_mostly;
9fb9cbb1 87
4e3882f7
PNA		 88static unsigned int nf_conntrack_next_id;
89static unsigned int nf_conntrack_expect_next_id;
9fb9cbb1 90#ifdef CONFIG_NF_CONNTRACK_EVENTS
e041c683
AS		 91ATOMIC_NOTIFIER_HEAD(nf_conntrack_chain);
92ATOMIC_NOTIFIER_HEAD(nf_conntrack_expect_chain);
9fb9cbb1
YK		 93
94DEFINE_PER_CPU(struct nf_conntrack_ecache, nf_conntrack_ecache);
95
96/* deliver cached events and clear cache entry - must be called with locally
97 * disabled softirqs */
98static inline void
99__nf_ct_deliver_cached_events(struct nf_conntrack_ecache *ecache)
100{
101 DEBUGP("ecache: delivering events for %p\n", ecache->ct);
102 if (nf_ct_is_confirmed(ecache->ct) && !nf_ct_is_dying(ecache->ct)
103 && ecache->events)
e041c683 104 atomic_notifier_call_chain(&nf_conntrack_chain, ecache->events,
9fb9cbb1
YK		 105 ecache->ct);
106
107 ecache->events = 0;
108 nf_ct_put(ecache->ct);
109 ecache->ct = NULL;
110}
111
112/* Deliver all cached events for a particular conntrack. This is called
113 * by code prior to async packet handling for freeing the skb */
114void nf_ct_deliver_cached_events(const struct nf_conn *ct)
115{
116 struct nf_conntrack_ecache *ecache;
117
118 local_bh_disable();
119 ecache = &__get_cpu_var(nf_conntrack_ecache);
120 if (ecache->ct == ct)
121 __nf_ct_deliver_cached_events(ecache);
122 local_bh_enable();
123}
124
125/* Deliver cached events for old pending events, if current conntrack != old */
126void __nf_ct_event_cache_init(struct nf_conn *ct)
127{
128 struct nf_conntrack_ecache *ecache;
129
130 /* take care of delivering potentially old events */
131 ecache = &__get_cpu_var(nf_conntrack_ecache);
132 BUG_ON(ecache->ct == ct);
133 if (ecache->ct)
134 __nf_ct_deliver_cached_events(ecache);
135 /* initialize for this conntrack/packet */
136 ecache->ct = ct;
137 nf_conntrack_get(&ct->ct_general);
138}
139
140/* flush the event cache - touches other CPU's data and must not be called
141 * while packets are still passing through the code */
142static void nf_ct_event_cache_flush(void)
143{
144 struct nf_conntrack_ecache *ecache;
145 int cpu;
146
6f912042 147 for_each_possible_cpu(cpu) {
9fb9cbb1
YK		 148 ecache = &per_cpu(nf_conntrack_ecache, cpu);
149 if (ecache->ct)
150 nf_ct_put(ecache->ct);
151 }
152}
153#else
154static inline void nf_ct_event_cache_flush(void) {}
155#endif /* CONFIG_NF_CONNTRACK_EVENTS */
156
157DEFINE_PER_CPU(struct ip_conntrack_stat, nf_conntrack_stat);
158EXPORT_PER_CPU_SYMBOL(nf_conntrack_stat);
159
160/*
161 * This scheme offers various size of "struct nf_conn" dependent on
162 * features(helper, nat, ...)
163 */
164
165#define NF_CT_FEATURES_NAMELEN 256
166static struct {
167 /* name of slab cache. printed in /proc/slabinfo */
168 char *name;
169
170 /* size of slab cache */
171 size_t size;
172
173 /* slab cache pointer */
174 kmem_cache_t *cachep;
175
176 /* allocated slab cache + modules which uses this slab cache */
177 int use;
178
9fb9cbb1
YK		 179} nf_ct_cache[NF_CT_F_NUM];
180
181/* protect members of nf_ct_cache except of "use" */
182DEFINE_RWLOCK(nf_ct_cache_lock);
183
184/* This avoids calling kmem_cache_create() with same name simultaneously */
57b47a53 185static DEFINE_MUTEX(nf_ct_cache_mutex);
9fb9cbb1
YK		 186
187extern struct nf_conntrack_protocol nf_conntrack_generic_protocol;
188struct nf_conntrack_protocol *
c1d10adb 189__nf_ct_proto_find(u_int16_t l3proto, u_int8_t protocol)
9fb9cbb1 190{
ddc8d029 191 if (unlikely(l3proto >= AF_MAX || nf_ct_protos[l3proto] == NULL))
9fb9cbb1
YK		 192 return &nf_conntrack_generic_protocol;
193
194 return nf_ct_protos[l3proto][protocol];
195}
196
c1d10adb
PNA		 197/* this is guaranteed to always return a valid protocol helper, since
198 * it falls back to generic_protocol */
199struct nf_conntrack_protocol *
200nf_ct_proto_find_get(u_int16_t l3proto, u_int8_t protocol)
201{
202 struct nf_conntrack_protocol *p;
203
204 preempt_disable();
205 p = __nf_ct_proto_find(l3proto, protocol);
e1bbdebd
YK		 206 if (!try_module_get(p->me))
207 p = &nf_conntrack_generic_protocol;
c1d10adb
PNA		 208 preempt_enable();
209
210 return p;
211}
212
213void nf_ct_proto_put(struct nf_conntrack_protocol *p)
214{
215 module_put(p->me);
216}
217
218struct nf_conntrack_l3proto *
219nf_ct_l3proto_find_get(u_int16_t l3proto)
220{
221 struct nf_conntrack_l3proto *p;
222
223 preempt_disable();
224 p = __nf_ct_l3proto_find(l3proto);
e1bbdebd
YK		 225 if (!try_module_get(p->me))
226 p = &nf_conntrack_generic_l3proto;
c1d10adb
PNA		 227 preempt_enable();
228
229 return p;
230}
231
232void nf_ct_l3proto_put(struct nf_conntrack_l3proto *p)
233{
234 module_put(p->me);
235}
236
b9f78f9f
PNA		 237int
238nf_ct_l3proto_try_module_get(unsigned short l3proto)
239{
240 int ret;
241 struct nf_conntrack_l3proto *p;
242
243retry: p = nf_ct_l3proto_find_get(l3proto);
244 if (p == &nf_conntrack_generic_l3proto) {
245 ret = request_module("nf_conntrack-%d", l3proto);
246 if (!ret)
247 goto retry;
248
249 return -EPROTOTYPE;
250 }
251
252 return 0;
253}
254
255void nf_ct_l3proto_module_put(unsigned short l3proto)
256{
257 struct nf_conntrack_l3proto *p;
258
259 preempt_disable();
260 p = __nf_ct_l3proto_find(l3proto);
261 preempt_enable();
262
263 module_put(p->me);
264}
265
9fb9cbb1
YK		 266static int nf_conntrack_hash_rnd_initted;
267static unsigned int nf_conntrack_hash_rnd;
268
269static u_int32_t __hash_conntrack(const struct nf_conntrack_tuple *tuple,
270 unsigned int size, unsigned int rnd)
271{
272 unsigned int a, b;
273 a = jhash((void *)tuple->src.u3.all, sizeof(tuple->src.u3.all),
274 ((tuple->src.l3num) << 16) | tuple->dst.protonum);
275 b = jhash((void *)tuple->dst.u3.all, sizeof(tuple->dst.u3.all),
276 (tuple->src.u.all << 16) | tuple->dst.u.all);
277
278 return jhash_2words(a, b, rnd) % size;
279}
280
281static inline u_int32_t hash_conntrack(const struct nf_conntrack_tuple *tuple)
282{
283 return __hash_conntrack(tuple, nf_conntrack_htable_size,
284 nf_conntrack_hash_rnd);
285}
286
9fb9cbb1 287int nf_conntrack_register_cache(u_int32_t features, const char *name,
dc808fe2 288 size_t size)
9fb9cbb1
YK		 289{
290 int ret = 0;
291 char *cache_name;
292 kmem_cache_t *cachep;
293
294 DEBUGP("nf_conntrack_register_cache: features=0x%x, name=%s, size=%d\n",
295 features, name, size);
296
297 if (features < NF_CT_F_BASIC || features >= NF_CT_F_NUM) {
298 DEBUGP("nf_conntrack_register_cache: invalid features.: 0x%x\n",
299 features);
300 return -EINVAL;
301 }
302
57b47a53 303 mutex_lock(&nf_ct_cache_mutex);
9fb9cbb1
YK		 304
305 write_lock_bh(&nf_ct_cache_lock);
306 /* e.g: multiple helpers are loaded */
307 if (nf_ct_cache[features].use > 0) {
308 DEBUGP("nf_conntrack_register_cache: already resisterd.\n");
309 if ((!strncmp(nf_ct_cache[features].name, name,
310 NF_CT_FEATURES_NAMELEN))
dc808fe2 311 && nf_ct_cache[features].size == size) {
9fb9cbb1
YK		 312 DEBUGP("nf_conntrack_register_cache: reusing.\n");
313 nf_ct_cache[features].use++;
314 ret = 0;
315 } else
316 ret = -EBUSY;
317
318 write_unlock_bh(&nf_ct_cache_lock);
57b47a53 319 mutex_unlock(&nf_ct_cache_mutex);
9fb9cbb1
YK		 320 return ret;
321 }
322 write_unlock_bh(&nf_ct_cache_lock);
323
324 /*
325 * The memory space for name of slab cache must be alive until
326 * cache is destroyed.
327 */
328 cache_name = kmalloc(sizeof(char)*NF_CT_FEATURES_NAMELEN, GFP_ATOMIC);
329 if (cache_name == NULL) {
330 DEBUGP("nf_conntrack_register_cache: can't alloc cache_name\n");
331 ret = -ENOMEM;
332 goto out_up_mutex;
333 }
334
335 if (strlcpy(cache_name, name, NF_CT_FEATURES_NAMELEN)
336 >= NF_CT_FEATURES_NAMELEN) {
337 printk("nf_conntrack_register_cache: name too long\n");
338 ret = -EINVAL;
339 goto out_free_name;
340 }
341
342 cachep = kmem_cache_create(cache_name, size, 0, 0,
343 NULL, NULL);
344 if (!cachep) {
345 printk("nf_conntrack_register_cache: Can't create slab cache "
346 "for the features = 0x%x\n", features);
347 ret = -ENOMEM;
348 goto out_free_name;
349 }
350
351 write_lock_bh(&nf_ct_cache_lock);
352 nf_ct_cache[features].use = 1;
353 nf_ct_cache[features].size = size;
9fb9cbb1
YK		 354 nf_ct_cache[features].cachep = cachep;
355 nf_ct_cache[features].name = cache_name;
356 write_unlock_bh(&nf_ct_cache_lock);
357
358 goto out_up_mutex;
359
360out_free_name:
361 kfree(cache_name);
362out_up_mutex:
57b47a53 363 mutex_unlock(&nf_ct_cache_mutex);
9fb9cbb1
YK		 364 return ret;
365}
366
367/* FIXME: In the current, only nf_conntrack_cleanup() can call this function. */
368void nf_conntrack_unregister_cache(u_int32_t features)
369{
370 kmem_cache_t *cachep;
371 char *name;
372
373 /*
374 * This assures that kmem_cache_create() isn't called before destroying
375 * slab cache.
376 */
377 DEBUGP("nf_conntrack_unregister_cache: 0x%04x\n", features);
57b47a53 378 mutex_lock(&nf_ct_cache_mutex);
9fb9cbb1
YK		 379
380 write_lock_bh(&nf_ct_cache_lock);
381 if (--nf_ct_cache[features].use > 0) {
382 write_unlock_bh(&nf_ct_cache_lock);
57b47a53 383 mutex_unlock(&nf_ct_cache_mutex);
9fb9cbb1
YK		 384 return;
385 }
386 cachep = nf_ct_cache[features].cachep;
387 name = nf_ct_cache[features].name;
388 nf_ct_cache[features].cachep = NULL;
389 nf_ct_cache[features].name = NULL;
9fb9cbb1
YK		 390 nf_ct_cache[features].size = 0;
391 write_unlock_bh(&nf_ct_cache_lock);
392
393 synchronize_net();
394
395 kmem_cache_destroy(cachep);
396 kfree(name);
397
57b47a53 398 mutex_unlock(&nf_ct_cache_mutex);
9fb9cbb1
YK		 399}
400
401int
402nf_ct_get_tuple(const struct sk_buff *skb,
403 unsigned int nhoff,
404 unsigned int dataoff,
405 u_int16_t l3num,
406 u_int8_t protonum,
407 struct nf_conntrack_tuple *tuple,
408 const struct nf_conntrack_l3proto *l3proto,
409 const struct nf_conntrack_protocol *protocol)
410{
411 NF_CT_TUPLE_U_BLANK(tuple);
412
413 tuple->src.l3num = l3num;
414 if (l3proto->pkt_to_tuple(skb, nhoff, tuple) == 0)
415 return 0;
416
417 tuple->dst.protonum = protonum;
418 tuple->dst.dir = IP_CT_DIR_ORIGINAL;
419
420 return protocol->pkt_to_tuple(skb, dataoff, tuple);
421}
422
423int
424nf_ct_invert_tuple(struct nf_conntrack_tuple *inverse,
425 const struct nf_conntrack_tuple *orig,
426 const struct nf_conntrack_l3proto *l3proto,
427 const struct nf_conntrack_protocol *protocol)
428{
429 NF_CT_TUPLE_U_BLANK(inverse);
430
431 inverse->src.l3num = orig->src.l3num;
432 if (l3proto->invert_tuple(inverse, orig) == 0)
433 return 0;
434
435 inverse->dst.dir = !orig->dst.dir;
436
437 inverse->dst.protonum = orig->dst.protonum;
438 return protocol->invert_tuple(inverse, orig);
439}
440
441/* nf_conntrack_expect helper functions */
c1d10adb 442void nf_ct_unlink_expect(struct nf_conntrack_expect *exp)
9fb9cbb1 443{
dc808fe2
HW		 444 struct nf_conn_help *master_help = nfct_help(exp->master);
445
446 NF_CT_ASSERT(master_help);
9fb9cbb1 447 ASSERT_WRITE_LOCK(&nf_conntrack_lock);
4a59a810 448 NF_CT_ASSERT(!timer_pending(&exp->timeout));
dc808fe2 449
9fb9cbb1
YK		 450 list_del(&exp->list);
451 NF_CT_STAT_INC(expect_delete);
dc808fe2 452 master_help->expecting--;
9fb9cbb1
YK		 453 nf_conntrack_expect_put(exp);
454}
455
456static void expectation_timed_out(unsigned long ul_expect)
457{
458 struct nf_conntrack_expect *exp = (void *)ul_expect;
459
460 write_lock_bh(&nf_conntrack_lock);
461 nf_ct_unlink_expect(exp);
462 write_unlock_bh(&nf_conntrack_lock);
463 nf_conntrack_expect_put(exp);
464}
465
c1d10adb
PNA		 466struct nf_conntrack_expect *
467__nf_conntrack_expect_find(const struct nf_conntrack_tuple *tuple)
468{
469 struct nf_conntrack_expect *i;
470
471 list_for_each_entry(i, &nf_conntrack_expect_list, list) {
2e47c264 472 if (nf_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask))
c1d10adb 473 return i;
c1d10adb
PNA		 474 }
475 return NULL;
476}
477
478/* Just find a expectation corresponding to a tuple. */
479struct nf_conntrack_expect *
480nf_conntrack_expect_find(const struct nf_conntrack_tuple *tuple)
481{
482 struct nf_conntrack_expect *i;
483
484 read_lock_bh(&nf_conntrack_lock);
485 i = __nf_conntrack_expect_find(tuple);
2e47c264
YK		 486 if (i)
487 atomic_inc(&i->use);
c1d10adb
PNA		 488 read_unlock_bh(&nf_conntrack_lock);
489
490 return i;
491}
492
9fb9cbb1
YK		 493/* If an expectation for this connection is found, it gets delete from
494 * global list then returned. */
495static struct nf_conntrack_expect *
496find_expectation(const struct nf_conntrack_tuple *tuple)
497{
498 struct nf_conntrack_expect *i;
499
500 list_for_each_entry(i, &nf_conntrack_expect_list, list) {
501 /* If master is not in hash table yet (ie. packet hasn't left
502 this machine yet), how can other end know about expected?
503 Hence these are not the droids you are looking for (if
504 master ct never got confirmed, we'd hold a reference to it
505 and weird things would happen to future packets). */
506 if (nf_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask)
507 && nf_ct_is_confirmed(i->master)) {
508 if (i->flags & NF_CT_EXPECT_PERMANENT) {
509 atomic_inc(&i->use);
510 return i;
511 } else if (del_timer(&i->timeout)) {
512 nf_ct_unlink_expect(i);
513 return i;
514 }
515 }
516 }
517 return NULL;
518}
519
520/* delete all expectations for this conntrack */
c1d10adb 521void nf_ct_remove_expectations(struct nf_conn *ct)
9fb9cbb1
YK		 522{
523 struct nf_conntrack_expect *i, *tmp;
dc808fe2 524 struct nf_conn_help *help = nfct_help(ct);
9fb9cbb1
YK		 525
526 /* Optimization: most connection never expect any others. */
dc808fe2 527 if (!help || help->expecting == 0)
9fb9cbb1
YK		 528 return;
529
530 list_for_each_entry_safe(i, tmp, &nf_conntrack_expect_list, list) {
531 if (i->master == ct && del_timer(&i->timeout)) {
532 nf_ct_unlink_expect(i);
533 nf_conntrack_expect_put(i);
534 }
535 }
536}
537
538static void
539clean_from_lists(struct nf_conn *ct)
540{
9fb9cbb1
YK		 541 DEBUGP("clean_from_lists(%p)\n", ct);
542 ASSERT_WRITE_LOCK(&nf_conntrack_lock);
df0933dc
PM		 543 list_del(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list);
544 list_del(&ct->tuplehash[IP_CT_DIR_REPLY].list);
9fb9cbb1
YK		 545
546 /* Destroy all pending expectations */
c1d10adb 547 nf_ct_remove_expectations(ct);
9fb9cbb1
YK		 548}
549
550static void
551destroy_conntrack(struct nf_conntrack *nfct)
552{
553 struct nf_conn *ct = (struct nf_conn *)nfct;
554 struct nf_conntrack_l3proto *l3proto;
555 struct nf_conntrack_protocol *proto;
556
557 DEBUGP("destroy_conntrack(%p)\n", ct);
558 NF_CT_ASSERT(atomic_read(&nfct->use) == 0);
559 NF_CT_ASSERT(!timer_pending(&ct->timeout));
560
561 nf_conntrack_event(IPCT_DESTROY, ct);
562 set_bit(IPS_DYING_BIT, &ct->status);
563
564 /* To make sure we don't get any weird locking issues here:
565 * destroy_conntrack() MUST NOT be called with a write lock
566 * to nf_conntrack_lock!!! -HW */
c1d10adb 567 l3proto = __nf_ct_l3proto_find(ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.l3num);
9fb9cbb1
YK		 568 if (l3proto && l3proto->destroy)
569 l3proto->destroy(ct);
570
c1d10adb 571 proto = __nf_ct_proto_find(ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.l3num, ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.protonum);
9fb9cbb1
YK		 572 if (proto && proto->destroy)
573 proto->destroy(ct);
574
575 if (nf_conntrack_destroyed)
576 nf_conntrack_destroyed(ct);
577
578 write_lock_bh(&nf_conntrack_lock);
579 /* Expectations will have been removed in clean_from_lists,
580 * except TFTP can create an expectation on the first packet,
581 * before connection is in the list, so we need to clean here,
582 * too. */
c1d10adb 583 nf_ct_remove_expectations(ct);
9fb9cbb1
YK		 584
585 /* We overload first tuple to link into unconfirmed list. */
586 if (!nf_ct_is_confirmed(ct)) {
587 BUG_ON(list_empty(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list));
588 list_del(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list);
589 }
590
591 NF_CT_STAT_INC(delete);
592 write_unlock_bh(&nf_conntrack_lock);
593
594 if (ct->master)
595 nf_ct_put(ct->master);
596
597 DEBUGP("destroy_conntrack: returning ct=%p to slab\n", ct);
598 nf_conntrack_free(ct);
599}
600
601static void death_by_timeout(unsigned long ul_conntrack)
602{
603 struct nf_conn *ct = (void *)ul_conntrack;
604
605 write_lock_bh(&nf_conntrack_lock);
606 /* Inside lock so preempt is disabled on module removal path.
607 * Otherwise we can get spurious warnings. */
608 NF_CT_STAT_INC(delete_list);
609 clean_from_lists(ct);
610 write_unlock_bh(&nf_conntrack_lock);
611 nf_ct_put(ct);
612}
613
c1d10adb 614struct nf_conntrack_tuple_hash *
9fb9cbb1
YK		 615__nf_conntrack_find(const struct nf_conntrack_tuple *tuple,
616 const struct nf_conn *ignored_conntrack)
617{
618 struct nf_conntrack_tuple_hash *h;
619 unsigned int hash = hash_conntrack(tuple);
620
621 ASSERT_READ_LOCK(&nf_conntrack_lock);
622 list_for_each_entry(h, &nf_conntrack_hash[hash], list) {
df0933dc
PM		 623 if (nf_ct_tuplehash_to_ctrack(h) != ignored_conntrack &&
624 nf_ct_tuple_equal(tuple, &h->tuple)) {
9fb9cbb1
YK		 625 NF_CT_STAT_INC(found);
626 return h;
627 }
628 NF_CT_STAT_INC(searched);
629 }
630
631 return NULL;
632}
633
634/* Find a connection corresponding to a tuple. */
635struct nf_conntrack_tuple_hash *
636nf_conntrack_find_get(const struct nf_conntrack_tuple *tuple,
637 const struct nf_conn *ignored_conntrack)
638{
639 struct nf_conntrack_tuple_hash *h;
640
641 read_lock_bh(&nf_conntrack_lock);
642 h = __nf_conntrack_find(tuple, ignored_conntrack);
643 if (h)
644 atomic_inc(&nf_ct_tuplehash_to_ctrack(h)->ct_general.use);
645 read_unlock_bh(&nf_conntrack_lock);
646
647 return h;
648}
649
c1d10adb
PNA		 650static void __nf_conntrack_hash_insert(struct nf_conn *ct,
651 unsigned int hash,
652 unsigned int repl_hash)
653{
654 ct->id = ++nf_conntrack_next_id;
df0933dc
PM		 655 list_add(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list,
656 &nf_conntrack_hash[hash]);
657 list_add(&ct->tuplehash[IP_CT_DIR_REPLY].list,
658 &nf_conntrack_hash[repl_hash]);
c1d10adb
PNA		 659}
660
661void nf_conntrack_hash_insert(struct nf_conn *ct)
662{
663 unsigned int hash, repl_hash;
664
665 hash = hash_conntrack(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
666 repl_hash = hash_conntrack(&ct->tuplehash[IP_CT_DIR_REPLY].tuple);
667
668 write_lock_bh(&nf_conntrack_lock);
669 __nf_conntrack_hash_insert(ct, hash, repl_hash);
670 write_unlock_bh(&nf_conntrack_lock);
671}
672
9fb9cbb1
YK		 673/* Confirm a connection given skb; places it in hash table */
674int
675__nf_conntrack_confirm(struct sk_buff **pskb)
676{
677 unsigned int hash, repl_hash;
df0933dc 678 struct nf_conntrack_tuple_hash *h;
9fb9cbb1 679 struct nf_conn *ct;
df0933dc 680 struct nf_conn_help *help;
9fb9cbb1
YK		 681 enum ip_conntrack_info ctinfo;
682
683 ct = nf_ct_get(*pskb, &ctinfo);
684
685 /* ipt_REJECT uses nf_conntrack_attach to attach related
686 ICMP/TCP RST packets in other direction. Actual packet
687 which created connection will be IP_CT_NEW or for an
688 expected connection, IP_CT_RELATED. */
689 if (CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL)
690 return NF_ACCEPT;
691
692 hash = hash_conntrack(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
693 repl_hash = hash_conntrack(&ct->tuplehash[IP_CT_DIR_REPLY].tuple);
694
695 /* We're not in hash table, and we refuse to set up related
696 connections for unconfirmed conns. But packet copies and
697 REJECT will give spurious warnings here. */
698 /* NF_CT_ASSERT(atomic_read(&ct->ct_general.use) == 1); */
699
700 /* No external references means noone else could have
701 confirmed us. */
702 NF_CT_ASSERT(!nf_ct_is_confirmed(ct));
703 DEBUGP("Confirming conntrack %p\n", ct);
704
705 write_lock_bh(&nf_conntrack_lock);
706
707 /* See if there's one in the list already, including reverse:
708 NAT could have grabbed it without realizing, since we're
709 not in the hash. If there is, we lost race. */
df0933dc
PM		 710 list_for_each_entry(h, &nf_conntrack_hash[hash], list)
711 if (nf_ct_tuple_equal(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
712 &h->tuple))
713 goto out;
714 list_for_each_entry(h, &nf_conntrack_hash[repl_hash], list)
715 if (nf_ct_tuple_equal(&ct->tuplehash[IP_CT_DIR_REPLY].tuple,
716 &h->tuple))
717 goto out;
9fb9cbb1 718
df0933dc
PM		 719 /* Remove from unconfirmed list */
720 list_del(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list);
721
722 __nf_conntrack_hash_insert(ct, hash, repl_hash);
723 /* Timer relative to confirmation time, not original
724 setting time, otherwise we'd get timer wrap in
725 weird delay cases. */
726 ct->timeout.expires += jiffies;
727 add_timer(&ct->timeout);
728 atomic_inc(&ct->ct_general.use);
729 set_bit(IPS_CONFIRMED_BIT, &ct->status);
730 NF_CT_STAT_INC(insert);
731 write_unlock_bh(&nf_conntrack_lock);
732 help = nfct_help(ct);
733 if (help && help->helper)
734 nf_conntrack_event_cache(IPCT_HELPER, *pskb);
9fb9cbb1 735#ifdef CONFIG_NF_NAT_NEEDED
df0933dc
PM		 736 if (test_bit(IPS_SRC_NAT_DONE_BIT, &ct->status) ||
737 test_bit(IPS_DST_NAT_DONE_BIT, &ct->status))
738 nf_conntrack_event_cache(IPCT_NATINFO, *pskb);
9fb9cbb1 739#endif
df0933dc
PM		 740 nf_conntrack_event_cache(master_ct(ct) ?
741 IPCT_RELATED : IPCT_NEW, *pskb);
742 return NF_ACCEPT;
9fb9cbb1 743
df0933dc 744out:
9fb9cbb1
YK		 745 NF_CT_STAT_INC(insert_failed);
746 write_unlock_bh(&nf_conntrack_lock);
747 return NF_DROP;
748}
749
750/* Returns true if a connection correspondings to the tuple (required
751 for NAT). */
752int
753nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple,
754 const struct nf_conn *ignored_conntrack)
755{
756 struct nf_conntrack_tuple_hash *h;
757
758 read_lock_bh(&nf_conntrack_lock);
759 h = __nf_conntrack_find(tuple, ignored_conntrack);
760 read_unlock_bh(&nf_conntrack_lock);
761
762 return h != NULL;
763}
764
765/* There's a small race here where we may free a just-assured
766 connection. Too bad: we're in trouble anyway. */
9fb9cbb1
YK		 767static int early_drop(struct list_head *chain)
768{
769 /* Traverse backwards: gives us oldest, which is roughly LRU */
770 struct nf_conntrack_tuple_hash *h;
df0933dc 771 struct nf_conn *ct = NULL, *tmp;
9fb9cbb1
YK		 772 int dropped = 0;
773
774 read_lock_bh(&nf_conntrack_lock);
df0933dc
PM		 775 list_for_each_entry_reverse(h, chain, list) {
776 tmp = nf_ct_tuplehash_to_ctrack(h);
777 if (!test_bit(IPS_ASSURED_BIT, &tmp->status)) {
778 ct = tmp;
779 atomic_inc(&ct->ct_general.use);
780 break;
781 }
9fb9cbb1
YK		 782 }
783 read_unlock_bh(&nf_conntrack_lock);
784
785 if (!ct)
786 return dropped;
787
788 if (del_timer(&ct->timeout)) {
789 death_by_timeout((unsigned long)ct);
790 dropped = 1;
791 NF_CT_STAT_INC(early_drop);
792 }
793 nf_ct_put(ct);
794 return dropped;
795}
796
9fb9cbb1 797static struct nf_conntrack_helper *
c1d10adb 798__nf_ct_helper_find(const struct nf_conntrack_tuple *tuple)
9fb9cbb1 799{
df0933dc
PM		 800 struct nf_conntrack_helper *h;
801
802 list_for_each_entry(h, &helpers, list) {
803 if (nf_ct_tuple_mask_cmp(tuple, &h->tuple, &h->mask))
804 return h;
805 }
806 return NULL;
9fb9cbb1
YK		 807}
808
c1d10adb
PNA		 809struct nf_conntrack_helper *
810nf_ct_helper_find_get( const struct nf_conntrack_tuple *tuple)
811{
812 struct nf_conntrack_helper *helper;
813
814 /* need nf_conntrack_lock to assure that helper exists until
815 * try_module_get() is called */
816 read_lock_bh(&nf_conntrack_lock);
817
818 helper = __nf_ct_helper_find(tuple);
819 if (helper) {
820 /* need to increase module usage count to assure helper will
821 * not go away while the caller is e.g. busy putting a
822 * conntrack in the hash that uses the helper */
823 if (!try_module_get(helper->me))
824 helper = NULL;
825 }
826
827 read_unlock_bh(&nf_conntrack_lock);
828
829 return helper;
830}
831
832void nf_ct_helper_put(struct nf_conntrack_helper *helper)
833{
834 module_put(helper->me);
835}
836
9fb9cbb1
YK		 837static struct nf_conn *
838__nf_conntrack_alloc(const struct nf_conntrack_tuple *orig,
839 const struct nf_conntrack_tuple *repl,
840 const struct nf_conntrack_l3proto *l3proto)
841{
842 struct nf_conn *conntrack = NULL;
843 u_int32_t features = 0;
dc808fe2 844 struct nf_conntrack_helper *helper;
9fb9cbb1 845
dc808fe2 846 if (unlikely(!nf_conntrack_hash_rnd_initted)) {
9fb9cbb1
YK		 847 get_random_bytes(&nf_conntrack_hash_rnd, 4);
848 nf_conntrack_hash_rnd_initted = 1;
849 }
850
5251e2d2
PNA		 851 /* We don't want any race condition at early drop stage */
852 atomic_inc(&nf_conntrack_count);
853
9fb9cbb1 854 if (nf_conntrack_max
5251e2d2 855 && atomic_read(&nf_conntrack_count) > nf_conntrack_max) {
9fb9cbb1
YK		 856 unsigned int hash = hash_conntrack(orig);
857 /* Try dropping from this hash chain. */
858 if (!early_drop(&nf_conntrack_hash[hash])) {
5251e2d2 859 atomic_dec(&nf_conntrack_count);
9fb9cbb1
YK		 860 if (net_ratelimit())
861 printk(KERN_WARNING
862 "nf_conntrack: table full, dropping"
863 " packet.\n");
864 return ERR_PTR(-ENOMEM);
865 }
866 }
867
868 /* find features needed by this conntrack. */
869 features = l3proto->get_features(orig);
dc808fe2
HW		 870
871 /* FIXME: protect helper list per RCU */
9fb9cbb1 872 read_lock_bh(&nf_conntrack_lock);
dc808fe2
HW		 873 helper = __nf_ct_helper_find(repl);
874 if (helper)
9fb9cbb1
YK		 875 features |= NF_CT_F_HELP;
876 read_unlock_bh(&nf_conntrack_lock);
877
878 DEBUGP("nf_conntrack_alloc: features=0x%x\n", features);
879
880 read_lock_bh(&nf_ct_cache_lock);
881
dc808fe2 882 if (unlikely(!nf_ct_cache[features].use)) {
9fb9cbb1
YK		 883 DEBUGP("nf_conntrack_alloc: not supported features = 0x%x\n",
884 features);
885 goto out;
886 }
887
888 conntrack = kmem_cache_alloc(nf_ct_cache[features].cachep, GFP_ATOMIC);
889 if (conntrack == NULL) {
890 DEBUGP("nf_conntrack_alloc: Can't alloc conntrack from cache\n");
891 goto out;
892 }
893
894 memset(conntrack, 0, nf_ct_cache[features].size);
895 conntrack->features = features;
9fb9cbb1
YK		 896 atomic_set(&conntrack->ct_general.use, 1);
897 conntrack->ct_general.destroy = destroy_conntrack;
898 conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple = *orig;
899 conntrack->tuplehash[IP_CT_DIR_REPLY].tuple = *repl;
900 /* Don't set timer yet: wait for confirmation */
901 init_timer(&conntrack->timeout);
902 conntrack->timeout.data = (unsigned long)conntrack;
903 conntrack->timeout.function = death_by_timeout;
5251e2d2 904 read_unlock_bh(&nf_ct_cache_lock);
9fb9cbb1 905
5251e2d2 906 return conntrack;
9fb9cbb1
YK		 907out:
908 read_unlock_bh(&nf_ct_cache_lock);
5251e2d2 909 atomic_dec(&nf_conntrack_count);
9fb9cbb1
YK		 910 return conntrack;
911}
912
913struct nf_conn *nf_conntrack_alloc(const struct nf_conntrack_tuple *orig,
914 const struct nf_conntrack_tuple *repl)
915{
916 struct nf_conntrack_l3proto *l3proto;
917
c1d10adb 918 l3proto = __nf_ct_l3proto_find(orig->src.l3num);
9fb9cbb1
YK		 919 return __nf_conntrack_alloc(orig, repl, l3proto);
920}
921
922void nf_conntrack_free(struct nf_conn *conntrack)
923{
924 u_int32_t features = conntrack->features;
925 NF_CT_ASSERT(features >= NF_CT_F_BASIC && features < NF_CT_F_NUM);
926 DEBUGP("nf_conntrack_free: features = 0x%x, conntrack=%p\n", features,
927 conntrack);
928 kmem_cache_free(nf_ct_cache[features].cachep, conntrack);
929 atomic_dec(&nf_conntrack_count);
930}
931
932/* Allocate a new conntrack: we return -ENOMEM if classification
933 failed due to stress. Otherwise it really is unclassifiable. */
934static struct nf_conntrack_tuple_hash *
935init_conntrack(const struct nf_conntrack_tuple *tuple,
936 struct nf_conntrack_l3proto *l3proto,
937 struct nf_conntrack_protocol *protocol,
938 struct sk_buff *skb,
939 unsigned int dataoff)
940{
941 struct nf_conn *conntrack;
942 struct nf_conntrack_tuple repl_tuple;
943 struct nf_conntrack_expect *exp;
944
945 if (!nf_ct_invert_tuple(&repl_tuple, tuple, l3proto, protocol)) {
946 DEBUGP("Can't invert tuple.\n");
947 return NULL;
948 }
949
950 conntrack = __nf_conntrack_alloc(tuple, &repl_tuple, l3proto);
951 if (conntrack == NULL || IS_ERR(conntrack)) {
952 DEBUGP("Can't allocate conntrack.\n");
953 return (struct nf_conntrack_tuple_hash *)conntrack;
954 }
955
956 if (!protocol->new(conntrack, skb, dataoff)) {
957 nf_conntrack_free(conntrack);
958 DEBUGP("init conntrack: can't track with proto module\n");
959 return NULL;
960 }
961
962 write_lock_bh(&nf_conntrack_lock);
963 exp = find_expectation(tuple);
964
965 if (exp) {
966 DEBUGP("conntrack: expectation arrives ct=%p exp=%p\n",
967 conntrack, exp);
968 /* Welcome, Mr. Bond. We've been expecting you... */
969 __set_bit(IPS_EXPECTED_BIT, &conntrack->status);
970 conntrack->master = exp->master;
971#ifdef CONFIG_NF_CONNTRACK_MARK
972 conntrack->mark = exp->master->mark;
7c9728c3
JM		 973#endif
974#ifdef CONFIG_NF_CONNTRACK_SECMARK
975 conntrack->secmark = exp->master->secmark;
9fb9cbb1
YK		 976#endif
977 nf_conntrack_get(&conntrack->master->ct_general);
978 NF_CT_STAT_INC(expect_new);
22e7410b
YK		 979 } else {
980 struct nf_conn_help *help = nfct_help(conntrack);
981
982 if (help)
983 help->helper = __nf_ct_helper_find(&repl_tuple);
9fb9cbb1 984 NF_CT_STAT_INC(new);
22e7410b 985 }
9fb9cbb1
YK		 986
987 /* Overload tuple linked list to put us in unconfirmed list. */
988 list_add(&conntrack->tuplehash[IP_CT_DIR_ORIGINAL].list, &unconfirmed);
989
990 write_unlock_bh(&nf_conntrack_lock);
991
992 if (exp) {
993 if (exp->expectfn)
994 exp->expectfn(conntrack, exp);
995 nf_conntrack_expect_put(exp);
996 }
997
998 return &conntrack->tuplehash[IP_CT_DIR_ORIGINAL];
999}
1000
1001/* On success, returns conntrack ptr, sets skb->nfct and ctinfo */
1002static inline struct nf_conn *
1003resolve_normal_ct(struct sk_buff *skb,
1004 unsigned int dataoff,
1005 u_int16_t l3num,
1006 u_int8_t protonum,
1007 struct nf_conntrack_l3proto *l3proto,
1008 struct nf_conntrack_protocol *proto,
1009 int *set_reply,
1010 enum ip_conntrack_info *ctinfo)
1011{
1012 struct nf_conntrack_tuple tuple;
1013 struct nf_conntrack_tuple_hash *h;
1014 struct nf_conn *ct;
1015
1016 if (!nf_ct_get_tuple(skb, (unsigned int)(skb->nh.raw - skb->data),
1017 dataoff, l3num, protonum, &tuple, l3proto,
1018 proto)) {
1019 DEBUGP("resolve_normal_ct: Can't get tuple\n");
1020 return NULL;
1021 }
1022
1023 /* look for tuple match */
1024 h = nf_conntrack_find_get(&tuple, NULL);
1025 if (!h) {
1026 h = init_conntrack(&tuple, l3proto, proto, skb, dataoff);
1027 if (!h)
1028 return NULL;
1029 if (IS_ERR(h))
1030 return (void *)h;
1031 }
1032 ct = nf_ct_tuplehash_to_ctrack(h);
1033
1034 /* It exists; we have (non-exclusive) reference. */
1035 if (NF_CT_DIRECTION(h) == IP_CT_DIR_REPLY) {
1036 *ctinfo = IP_CT_ESTABLISHED + IP_CT_IS_REPLY;
1037 /* Please set reply bit if this packet OK */
1038 *set_reply = 1;
1039 } else {
1040 /* Once we've had two way comms, always ESTABLISHED. */
1041 if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
1042 DEBUGP("nf_conntrack_in: normal packet for %p\n", ct);
1043 *ctinfo = IP_CT_ESTABLISHED;
1044 } else if (test_bit(IPS_EXPECTED_BIT, &ct->status)) {
1045 DEBUGP("nf_conntrack_in: related packet for %p\n", ct);
1046 *ctinfo = IP_CT_RELATED;
1047 } else {
1048 DEBUGP("nf_conntrack_in: new packet for %p\n", ct);
1049 *ctinfo = IP_CT_NEW;
1050 }
1051 *set_reply = 0;
1052 }
1053 skb->nfct = &ct->ct_general;
1054 skb->nfctinfo = *ctinfo;
1055 return ct;
1056}
1057
1058unsigned int
1059nf_conntrack_in(int pf, unsigned int hooknum, struct sk_buff **pskb)
1060{
1061 struct nf_conn *ct;
1062 enum ip_conntrack_info ctinfo;
1063 struct nf_conntrack_l3proto *l3proto;
1064 struct nf_conntrack_protocol *proto;
1065 unsigned int dataoff;
1066 u_int8_t protonum;
1067 int set_reply = 0;
1068 int ret;
1069
1070 /* Previously seen (loopback or untracked)? Ignore. */
1071 if ((*pskb)->nfct) {
1072 NF_CT_STAT_INC(ignore);
1073 return NF_ACCEPT;
1074 }
1075
c1d10adb 1076 l3proto = __nf_ct_l3proto_find((u_int16_t)pf);
9fb9cbb1
YK		 1077 if ((ret = l3proto->prepare(pskb, hooknum, &dataoff, &protonum)) <= 0) {
1078 DEBUGP("not prepared to track yet or error occured\n");
1079 return -ret;
1080 }
1081
c1d10adb 1082 proto = __nf_ct_proto_find((u_int16_t)pf, protonum);
9fb9cbb1
YK		 1083
1084 /* It may be an special packet, error, unclean...
1085 * inverse of the return code tells to the netfilter
1086 * core what to do with the packet. */
1087 if (proto->error != NULL &&
1088 (ret = proto->error(*pskb, dataoff, &ctinfo, pf, hooknum)) <= 0) {
1089 NF_CT_STAT_INC(error);
1090 NF_CT_STAT_INC(invalid);
1091 return -ret;
1092 }
1093
1094 ct = resolve_normal_ct(*pskb, dataoff, pf, protonum, l3proto, proto,
1095 &set_reply, &ctinfo);
1096 if (!ct) {
1097 /* Not valid part of a connection */
1098 NF_CT_STAT_INC(invalid);
1099 return NF_ACCEPT;
1100 }
1101
1102 if (IS_ERR(ct)) {
1103 /* Too stressed to deal. */
1104 NF_CT_STAT_INC(drop);
1105 return NF_DROP;
1106 }
1107
1108 NF_CT_ASSERT((*pskb)->nfct);
1109
1110 ret = proto->packet(ct, *pskb, dataoff, ctinfo, pf, hooknum);
1111 if (ret < 0) {
1112 /* Invalid: inverse of the return code tells
1113 * the netfilter core what to do */
1114 DEBUGP("nf_conntrack_in: Can't track with proto module\n");
1115 nf_conntrack_put((*pskb)->nfct);
1116 (*pskb)->nfct = NULL;
1117 NF_CT_STAT_INC(invalid);
1118 return -ret;
1119 }
1120
1121 if (set_reply && !test_and_set_bit(IPS_SEEN_REPLY_BIT, &ct->status))
1122 nf_conntrack_event_cache(IPCT_STATUS, *pskb);
1123
1124 return ret;
1125}
1126
1127int nf_ct_invert_tuplepr(struct nf_conntrack_tuple *inverse,
1128 const struct nf_conntrack_tuple *orig)
1129{
1130 return nf_ct_invert_tuple(inverse, orig,
c1d10adb
PNA		 1131 __nf_ct_l3proto_find(orig->src.l3num),
1132 __nf_ct_proto_find(orig->src.l3num,
1133 orig->dst.protonum));
9fb9cbb1
YK		 1134}
1135
1136/* Would two expected things clash? */
1137static inline int expect_clash(const struct nf_conntrack_expect *a,
1138 const struct nf_conntrack_expect *b)
1139{
1140 /* Part covered by intersection of masks must be unequal,
1141 otherwise they clash */
1142 struct nf_conntrack_tuple intersect_mask;
1143 int count;
1144
1145 intersect_mask.src.l3num = a->mask.src.l3num & b->mask.src.l3num;
1146 intersect_mask.src.u.all = a->mask.src.u.all & b->mask.src.u.all;
1147 intersect_mask.dst.u.all = a->mask.dst.u.all & b->mask.dst.u.all;
1148 intersect_mask.dst.protonum = a->mask.dst.protonum
1149 & b->mask.dst.protonum;
1150
1151 for (count = 0; count < NF_CT_TUPLE_L3SIZE; count++){
1152 intersect_mask.src.u3.all[count] =
1153 a->mask.src.u3.all[count] & b->mask.src.u3.all[count];
1154 }
1155
1156 for (count = 0; count < NF_CT_TUPLE_L3SIZE; count++){
1157 intersect_mask.dst.u3.all[count] =
1158 a->mask.dst.u3.all[count] & b->mask.dst.u3.all[count];
1159 }
1160
1161 return nf_ct_tuple_mask_cmp(&a->tuple, &b->tuple, &intersect_mask);
1162}
1163
1164static inline int expect_matches(const struct nf_conntrack_expect *a,
1165 const struct nf_conntrack_expect *b)
1166{
1167 return a->master == b->master
1168 && nf_ct_tuple_equal(&a->tuple, &b->tuple)
1169 && nf_ct_tuple_equal(&a->mask, &b->mask);
1170}
1171
1172/* Generally a bad idea to call this: could have matched already. */
1173void nf_conntrack_unexpect_related(struct nf_conntrack_expect *exp)
1174{
1175 struct nf_conntrack_expect *i;
1176
1177 write_lock_bh(&nf_conntrack_lock);
1178 /* choose the the oldest expectation to evict */
1179 list_for_each_entry_reverse(i, &nf_conntrack_expect_list, list) {
1180 if (expect_matches(i, exp) && del_timer(&i->timeout)) {
1181 nf_ct_unlink_expect(i);
1182 write_unlock_bh(&nf_conntrack_lock);
1183 nf_conntrack_expect_put(i);
1184 return;
1185 }
1186 }
1187 write_unlock_bh(&nf_conntrack_lock);
1188}
1189
1190/* We don't increase the master conntrack refcount for non-fulfilled
1191 * conntracks. During the conntrack destruction, the expectations are
1192 * always killed before the conntrack itself */
1193struct nf_conntrack_expect *nf_conntrack_expect_alloc(struct nf_conn *me)
1194{
1195 struct nf_conntrack_expect *new;
1196
1197 new = kmem_cache_alloc(nf_conntrack_expect_cachep, GFP_ATOMIC);
1198 if (!new) {
1199 DEBUGP("expect_related: OOM allocating expect\n");
1200 return NULL;
1201 }
1202 new->master = me;
1203 atomic_set(&new->use, 1);
1204 return new;
1205}
1206
1207void nf_conntrack_expect_put(struct nf_conntrack_expect *exp)
1208{
1209 if (atomic_dec_and_test(&exp->use))
1210 kmem_cache_free(nf_conntrack_expect_cachep, exp);
1211}
1212
1213static void nf_conntrack_expect_insert(struct nf_conntrack_expect *exp)
1214{
dc808fe2
HW		 1215 struct nf_conn_help *master_help = nfct_help(exp->master);
1216
9fb9cbb1 1217 atomic_inc(&exp->use);
dc808fe2 1218 master_help->expecting++;
9fb9cbb1
YK		 1219 list_add(&exp->list, &nf_conntrack_expect_list);
1220
1221 init_timer(&exp->timeout);
1222 exp->timeout.data = (unsigned long)exp;
1223 exp->timeout.function = expectation_timed_out;
dc808fe2 1224 exp->timeout.expires = jiffies + master_help->helper->timeout * HZ;
9fb9cbb1
YK		 1225 add_timer(&exp->timeout);
1226
c1d10adb 1227 exp->id = ++nf_conntrack_expect_next_id;
9fb9cbb1
YK		 1228 atomic_inc(&exp->use);
1229 NF_CT_STAT_INC(expect_create);
1230}
1231
1232/* Race with expectations being used means we could have none to find; OK. */
1233static void evict_oldest_expect(struct nf_conn *master)
1234{
1235 struct nf_conntrack_expect *i;
1236
1237 list_for_each_entry_reverse(i, &nf_conntrack_expect_list, list) {
1238 if (i->master == master) {
1239 if (del_timer(&i->timeout)) {
1240 nf_ct_unlink_expect(i);
1241 nf_conntrack_expect_put(i);
1242 }
1243 break;
1244 }
1245 }
1246}
1247
1248static inline int refresh_timer(struct nf_conntrack_expect *i)
1249{
dc808fe2
HW		 1250 struct nf_conn_help *master_help = nfct_help(i->master);
1251
9fb9cbb1
YK		 1252 if (!del_timer(&i->timeout))
1253 return 0;
1254
dc808fe2 1255 i->timeout.expires = jiffies + master_help->helper->timeout*HZ;
9fb9cbb1
YK		 1256 add_timer(&i->timeout);
1257 return 1;
1258}
1259
1260int nf_conntrack_expect_related(struct nf_conntrack_expect *expect)
1261{
1262 struct nf_conntrack_expect *i;
d695aa8a 1263 struct nf_conn *master = expect->master;
dc808fe2 1264 struct nf_conn_help *master_help = nfct_help(master);
9fb9cbb1
YK		 1265 int ret;
1266
dc808fe2
HW		 1267 NF_CT_ASSERT(master_help);
1268
9fb9cbb1
YK		 1269 DEBUGP("nf_conntrack_expect_related %p\n", related_to);
1270 DEBUGP("tuple: "); NF_CT_DUMP_TUPLE(&expect->tuple);
1271 DEBUGP("mask: "); NF_CT_DUMP_TUPLE(&expect->mask);
1272
1273 write_lock_bh(&nf_conntrack_lock);
1274 list_for_each_entry(i, &nf_conntrack_expect_list, list) {
1275 if (expect_matches(i, expect)) {
1276 /* Refresh timer: if it's dying, ignore.. */
1277 if (refresh_timer(i)) {
1278 ret = 0;
1279 goto out;
1280 }
1281 } else if (expect_clash(i, expect)) {
1282 ret = -EBUSY;
1283 goto out;
1284 }
1285 }
1286 /* Will be over limit? */
dc808fe2
HW		 1287 if (master_help->helper->max_expected &&
1288 master_help->expecting >= master_help->helper->max_expected)
d695aa8a 1289 evict_oldest_expect(master);
9fb9cbb1
YK		 1290
1291 nf_conntrack_expect_insert(expect);
1292 nf_conntrack_expect_event(IPEXP_NEW, expect);
1293 ret = 0;
1294out:
1295 write_unlock_bh(&nf_conntrack_lock);
1296 return ret;
1297}
1298
9fb9cbb1
YK		 1299int nf_conntrack_helper_register(struct nf_conntrack_helper *me)
1300{
1301 int ret;
1302 BUG_ON(me->timeout == 0);
1303
1304 ret = nf_conntrack_register_cache(NF_CT_F_HELP, "nf_conntrack:help",
1305 sizeof(struct nf_conn)
dc808fe2
HW		 1306 + sizeof(struct nf_conn_help)
1307 + __alignof__(struct nf_conn_help));
9fb9cbb1
YK		 1308 if (ret < 0) {
1309 printk(KERN_ERR "nf_conntrack_helper_reigster: Unable to create slab cache for conntracks\n");
1310 return ret;
1311 }
1312 write_lock_bh(&nf_conntrack_lock);
df0933dc 1313 list_add(&me->list, &helpers);
9fb9cbb1
YK		 1314 write_unlock_bh(&nf_conntrack_lock);
1315
1316 return 0;
1317}
1318
c1d10adb
PNA		 1319struct nf_conntrack_helper *
1320__nf_conntrack_helper_find_byname(const char *name)
1321{
1322 struct nf_conntrack_helper *h;
1323
1324 list_for_each_entry(h, &helpers, list) {
1325 if (!strcmp(h->name, name))
1326 return h;
1327 }
1328
1329 return NULL;
1330}
1331
df0933dc
PM		 1332static inline void unhelp(struct nf_conntrack_tuple_hash *i,
1333 const struct nf_conntrack_helper *me)
9fb9cbb1 1334{
dc808fe2
HW		 1335 struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(i);
1336 struct nf_conn_help *help = nfct_help(ct);
1337
1338 if (help && help->helper == me) {
1339 nf_conntrack_event(IPCT_HELPER, ct);
1340 help->helper = NULL;
9fb9cbb1 1341 }
9fb9cbb1
YK		 1342}
1343
1344void nf_conntrack_helper_unregister(struct nf_conntrack_helper *me)
1345{
1346 unsigned int i;
df0933dc 1347 struct nf_conntrack_tuple_hash *h;
9fb9cbb1
YK		 1348 struct nf_conntrack_expect *exp, *tmp;
1349
1350 /* Need write lock here, to delete helper. */
1351 write_lock_bh(&nf_conntrack_lock);
df0933dc 1352 list_del(&me->list);
9fb9cbb1
YK		 1353
1354 /* Get rid of expectations */
1355 list_for_each_entry_safe(exp, tmp, &nf_conntrack_expect_list, list) {
dc808fe2
HW		 1356 struct nf_conn_help *help = nfct_help(exp->master);
1357 if (help->helper == me && del_timer(&exp->timeout)) {
9fb9cbb1
YK		 1358 nf_ct_unlink_expect(exp);
1359 nf_conntrack_expect_put(exp);
1360 }
1361 }
1362
1363 /* Get rid of expecteds, set helpers to NULL. */
df0933dc
PM		 1364 list_for_each_entry(h, &unconfirmed, list)
1365 unhelp(h, me);
1366 for (i = 0; i < nf_conntrack_htable_size; i++) {
1367 list_for_each_entry(h, &nf_conntrack_hash[i], list)
1368 unhelp(h, me);
1369 }
9fb9cbb1
YK		 1370 write_unlock_bh(&nf_conntrack_lock);
1371
1372 /* Someone could be still looking at the helper in a bh. */
1373 synchronize_net();
1374}
1375
1376/* Refresh conntrack for this many jiffies and do accounting if do_acct is 1 */
1377void __nf_ct_refresh_acct(struct nf_conn *ct,
1378 enum ip_conntrack_info ctinfo,
1379 const struct sk_buff *skb,
1380 unsigned long extra_jiffies,
1381 int do_acct)
1382{
1383 int event = 0;
1384
1385 NF_CT_ASSERT(ct->timeout.data == (unsigned long)ct);
1386 NF_CT_ASSERT(skb);
1387
1388 write_lock_bh(&nf_conntrack_lock);
1389
997ae831
EL		 1390 /* Only update if this is not a fixed timeout */
1391 if (test_bit(IPS_FIXED_TIMEOUT_BIT, &ct->status)) {
1392 write_unlock_bh(&nf_conntrack_lock);
1393 return;
1394 }
1395
9fb9cbb1
YK		 1396 /* If not in hash table, timer will not be active yet */
1397 if (!nf_ct_is_confirmed(ct)) {
1398 ct->timeout.expires = extra_jiffies;
1399 event = IPCT_REFRESH;
1400 } else {
1401 /* Need del_timer for race avoidance (may already be dying). */
1402 if (del_timer(&ct->timeout)) {
1403 ct->timeout.expires = jiffies + extra_jiffies;
1404 add_timer(&ct->timeout);
1405 event = IPCT_REFRESH;
1406 }
1407 }
1408
1409#ifdef CONFIG_NF_CT_ACCT
1410 if (do_acct) {
1411 ct->counters[CTINFO2DIR(ctinfo)].packets++;
1412 ct->counters[CTINFO2DIR(ctinfo)].bytes +=
1413 skb->len - (unsigned int)(skb->nh.raw - skb->data);
1414 if ((ct->counters[CTINFO2DIR(ctinfo)].packets & 0x80000000)
1415 || (ct->counters[CTINFO2DIR(ctinfo)].bytes & 0x80000000))
1416 event |= IPCT_COUNTER_FILLING;
1417 }
1418#endif
1419
1420 write_unlock_bh(&nf_conntrack_lock);
1421
1422 /* must be unlocked when calling event cache */
1423 if (event)
1424 nf_conntrack_event_cache(event, skb);
1425}
1426
c1d10adb
PNA		 1427#if defined(CONFIG_NF_CT_NETLINK) || \
1428 defined(CONFIG_NF_CT_NETLINK_MODULE)
1429
1430#include <linux/netfilter/nfnetlink.h>
1431#include <linux/netfilter/nfnetlink_conntrack.h>
57b47a53
IM		 1432#include <linux/mutex.h>
1433
c1d10adb
PNA		 1434
1435/* Generic function for tcp/udp/sctp/dccp and alike. This needs to be
1436 * in ip_conntrack_core, since we don't want the protocols to autoload
1437 * or depend on ctnetlink */
1438int nf_ct_port_tuple_to_nfattr(struct sk_buff *skb,
1439 const struct nf_conntrack_tuple *tuple)
1440{
1441 NFA_PUT(skb, CTA_PROTO_SRC_PORT, sizeof(u_int16_t),
1442 &tuple->src.u.tcp.port);
1443 NFA_PUT(skb, CTA_PROTO_DST_PORT, sizeof(u_int16_t),
1444 &tuple->dst.u.tcp.port);
1445 return 0;
1446
1447nfattr_failure:
1448 return -1;
1449}
1450
1451static const size_t cta_min_proto[CTA_PROTO_MAX] = {
1452 [CTA_PROTO_SRC_PORT-1] = sizeof(u_int16_t),
1453 [CTA_PROTO_DST_PORT-1] = sizeof(u_int16_t)
1454};
1455
1456int nf_ct_port_nfattr_to_tuple(struct nfattr *tb[],
1457 struct nf_conntrack_tuple *t)
1458{
1459 if (!tb[CTA_PROTO_SRC_PORT-1] || !tb[CTA_PROTO_DST_PORT-1])
1460 return -EINVAL;
1461
1462 if (nfattr_bad_size(tb, CTA_PROTO_MAX, cta_min_proto))
1463 return -EINVAL;
1464
1465 t->src.u.tcp.port =
1466 *(u_int16_t *)NFA_DATA(tb[CTA_PROTO_SRC_PORT-1]);
1467 t->dst.u.tcp.port =
1468 *(u_int16_t *)NFA_DATA(tb[CTA_PROTO_DST_PORT-1]);
1469
1470 return 0;
1471}
1472#endif
1473
9fb9cbb1
YK		 1474/* Used by ipt_REJECT and ip6t_REJECT. */
1475void __nf_conntrack_attach(struct sk_buff *nskb, struct sk_buff *skb)
1476{
1477 struct nf_conn *ct;
1478 enum ip_conntrack_info ctinfo;
1479
1480 /* This ICMP is in reverse direction to the packet which caused it */
1481 ct = nf_ct_get(skb, &ctinfo);
1482 if (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL)
1483 ctinfo = IP_CT_RELATED + IP_CT_IS_REPLY;
1484 else
1485 ctinfo = IP_CT_RELATED;
1486
1487 /* Attach to new skbuff, and increment count */
1488 nskb->nfct = &ct->ct_general;
1489 nskb->nfctinfo = ctinfo;
1490 nf_conntrack_get(nskb->nfct);
1491}
1492
1493static inline int
1494do_iter(const struct nf_conntrack_tuple_hash *i,
1495 int (*iter)(struct nf_conn *i, void *data),
1496 void *data)
1497{
1498 return iter(nf_ct_tuplehash_to_ctrack(i), data);
1499}
1500
1501/* Bring out ya dead! */
df0933dc 1502static struct nf_conn *
9fb9cbb1
YK		 1503get_next_corpse(int (*iter)(struct nf_conn *i, void *data),
1504 void *data, unsigned int *bucket)
1505{
df0933dc
PM		 1506 struct nf_conntrack_tuple_hash *h;
1507 struct nf_conn *ct;
9fb9cbb1
YK		 1508
1509 write_lock_bh(&nf_conntrack_lock);
1510 for (; *bucket < nf_conntrack_htable_size; (*bucket)++) {
df0933dc
PM		 1511 list_for_each_entry(h, &nf_conntrack_hash[*bucket], list) {
1512 ct = nf_ct_tuplehash_to_ctrack(h);
1513 if (iter(ct, data))
1514 goto found;
1515 }
9fb9cbb1 1516 }
df0933dc
PM		 1517 list_for_each_entry(h, &unconfirmed, list) {
1518 ct = nf_ct_tuplehash_to_ctrack(h);
1519 if (iter(ct, data))
1520 goto found;
1521 }
c073e3fa 1522 write_unlock_bh(&nf_conntrack_lock);
df0933dc
PM		 1523 return NULL;
1524found:
c073e3fa 1525 atomic_inc(&ct->ct_general.use);
9fb9cbb1 1526 write_unlock_bh(&nf_conntrack_lock);
df0933dc 1527 return ct;
9fb9cbb1
YK		 1528}
1529
1530void
1531nf_ct_iterate_cleanup(int (*iter)(struct nf_conn *i, void *data), void *data)
1532{
df0933dc 1533 struct nf_conn *ct;
9fb9cbb1
YK		 1534 unsigned int bucket = 0;
1535
df0933dc 1536 while ((ct = get_next_corpse(iter, data, &bucket)) != NULL) {
9fb9cbb1
YK		 1537 /* Time to push up daises... */
1538 if (del_timer(&ct->timeout))
1539 death_by_timeout((unsigned long)ct);
1540 /* ... else the timer will get him soon. */
1541
1542 nf_ct_put(ct);
1543 }
1544}
1545
1546static int kill_all(struct nf_conn *i, void *data)
1547{
1548 return 1;
1549}
1550
1551static void free_conntrack_hash(struct list_head *hash, int vmalloced, int size)
1552{
1553 if (vmalloced)
1554 vfree(hash);
1555 else
1556 free_pages((unsigned long)hash,
1557 get_order(sizeof(struct list_head) * size));
1558}
1559
c1d10adb
PNA		 1560void nf_conntrack_flush()
1561{
1562 nf_ct_iterate_cleanup(kill_all, NULL);
1563}
1564
9fb9cbb1
YK		 1565/* Mishearing the voices in his head, our hero wonders how he's
1566 supposed to kill the mall. */
1567void nf_conntrack_cleanup(void)
1568{
1569 int i;
1570
7d3cdc6b
YK		 1571 ip_ct_attach = NULL;
1572
9fb9cbb1
YK		 1573 /* This makes sure all current packets have passed through
1574 netfilter framework. Roll on, two-stage module
1575 delete... */
1576 synchronize_net();
1577
1578 nf_ct_event_cache_flush();
1579 i_see_dead_people:
c1d10adb 1580 nf_conntrack_flush();
9fb9cbb1
YK		 1581 if (atomic_read(&nf_conntrack_count) != 0) {
1582 schedule();
1583 goto i_see_dead_people;
1584 }
6636568c
PM		 1585 /* wait until all references to nf_conntrack_untracked are dropped */
1586 while (atomic_read(&nf_conntrack_untracked.ct_general.use) > 1)
1587 schedule();
9fb9cbb1
YK		 1588
1589 for (i = 0; i < NF_CT_F_NUM; i++) {
1590 if (nf_ct_cache[i].use == 0)
1591 continue;
1592
1593 NF_CT_ASSERT(nf_ct_cache[i].use == 1);
1594 nf_ct_cache[i].use = 1;
1595 nf_conntrack_unregister_cache(i);
1596 }
1597 kmem_cache_destroy(nf_conntrack_expect_cachep);
1598 free_conntrack_hash(nf_conntrack_hash, nf_conntrack_vmalloc,
1599 nf_conntrack_htable_size);
5a6f294e
KK		 1600
1601 /* free l3proto protocol tables */
1602 for (i = 0; i < PF_MAX; i++)
1603 if (nf_ct_protos[i]) {
1604 kfree(nf_ct_protos[i]);
1605 nf_ct_protos[i] = NULL;
1606 }
9fb9cbb1
YK		 1607}
1608
1609static struct list_head *alloc_hashtable(int size, int *vmalloced)
1610{
1611 struct list_head *hash;
1612 unsigned int i;
1613
1614 *vmalloced = 0;
1615 hash = (void*)__get_free_pages(GFP_KERNEL,
1616 get_order(sizeof(struct list_head)
1617 * size));
1618 if (!hash) {
1619 *vmalloced = 1;
1620 printk(KERN_WARNING "nf_conntrack: falling back to vmalloc.\n");
1621 hash = vmalloc(sizeof(struct list_head) * size);
1622 }
1623
1624 if (hash)
1625 for (i = 0; i < size; i++)
1626 INIT_LIST_HEAD(&hash[i]);
1627
1628 return hash;
1629}
1630
1631int set_hashsize(const char *val, struct kernel_param *kp)
1632{
1633 int i, bucket, hashsize, vmalloced;
1634 int old_vmalloced, old_size;
1635 int rnd;
1636 struct list_head *hash, *old_hash;
1637 struct nf_conntrack_tuple_hash *h;
1638
1639 /* On boot, we can set this without any fancy locking. */
1640 if (!nf_conntrack_htable_size)
1641 return param_set_uint(val, kp);
1642
1643 hashsize = simple_strtol(val, NULL, 0);
1644 if (!hashsize)
1645 return -EINVAL;
1646
1647 hash = alloc_hashtable(hashsize, &vmalloced);
1648 if (!hash)
1649 return -ENOMEM;
1650
1651 /* We have to rehahs for the new table anyway, so we also can
1652 * use a newrandom seed */
1653 get_random_bytes(&rnd, 4);
1654
1655 write_lock_bh(&nf_conntrack_lock);
1656 for (i = 0; i < nf_conntrack_htable_size; i++) {
1657 while (!list_empty(&nf_conntrack_hash[i])) {
1658 h = list_entry(nf_conntrack_hash[i].next,
1659 struct nf_conntrack_tuple_hash, list);
1660 list_del(&h->list);
1661 bucket = __hash_conntrack(&h->tuple, hashsize, rnd);
1662 list_add_tail(&h->list, &hash[bucket]);
1663 }
1664 }
1665 old_size = nf_conntrack_htable_size;
1666 old_vmalloced = nf_conntrack_vmalloc;
1667 old_hash = nf_conntrack_hash;
1668
1669 nf_conntrack_htable_size = hashsize;
1670 nf_conntrack_vmalloc = vmalloced;
1671 nf_conntrack_hash = hash;
1672 nf_conntrack_hash_rnd = rnd;
1673 write_unlock_bh(&nf_conntrack_lock);
1674
1675 free_conntrack_hash(old_hash, old_vmalloced, old_size);
1676 return 0;
1677}
1678
1679module_param_call(hashsize, set_hashsize, param_get_uint,
1680 &nf_conntrack_htable_size, 0600);
1681
1682int __init nf_conntrack_init(void)
1683{
1684 unsigned int i;
1685 int ret;
1686
1687 /* Idea from tcp.c: use 1/16384 of memory. On i386: 32MB
1688 * machine has 256 buckets. >= 1GB machines have 8192 buckets. */
1689 if (!nf_conntrack_htable_size) {
1690 nf_conntrack_htable_size
1691 = (((num_physpages << PAGE_SHIFT) / 16384)
1692 / sizeof(struct list_head));
1693 if (num_physpages > (1024 * 1024 * 1024 / PAGE_SIZE))
1694 nf_conntrack_htable_size = 8192;
1695 if (nf_conntrack_htable_size < 16)
1696 nf_conntrack_htable_size = 16;
1697 }
1698 nf_conntrack_max = 8 * nf_conntrack_htable_size;
1699
1700 printk("nf_conntrack version %s (%u buckets, %d max)\n",
1701 NF_CONNTRACK_VERSION, nf_conntrack_htable_size,
1702 nf_conntrack_max);
1703
1704 nf_conntrack_hash = alloc_hashtable(nf_conntrack_htable_size,
1705 &nf_conntrack_vmalloc);
1706 if (!nf_conntrack_hash) {
1707 printk(KERN_ERR "Unable to create nf_conntrack_hash\n");
1708 goto err_out;
1709 }
1710
1711 ret = nf_conntrack_register_cache(NF_CT_F_BASIC, "nf_conntrack:basic",
dc808fe2 1712 sizeof(struct nf_conn));
9fb9cbb1
YK		 1713 if (ret < 0) {
1714 printk(KERN_ERR "Unable to create nf_conn slab cache\n");
1715 goto err_free_hash;
1716 }
1717
1718 nf_conntrack_expect_cachep = kmem_cache_create("nf_conntrack_expect",
1719 sizeof(struct nf_conntrack_expect),
1720 0, 0, NULL, NULL);
1721 if (!nf_conntrack_expect_cachep) {
1722 printk(KERN_ERR "Unable to create nf_expect slab cache\n");
1723 goto err_free_conntrack_slab;
1724 }
1725
1726 /* Don't NEED lock here, but good form anyway. */
1727 write_lock_bh(&nf_conntrack_lock);
1728 for (i = 0; i < PF_MAX; i++)
1729 nf_ct_l3protos[i] = &nf_conntrack_generic_l3proto;
1730 write_unlock_bh(&nf_conntrack_lock);
1731
7d3cdc6b
YK		 1732 /* For use by REJECT target */
1733 ip_ct_attach = __nf_conntrack_attach;
1734
9fb9cbb1
YK		 1735 /* Set up fake conntrack:
1736 - to never be deleted, not in any hashes */
1737 atomic_set(&nf_conntrack_untracked.ct_general.use, 1);
1738 /* - and look it like as a confirmed connection */
1739 set_bit(IPS_CONFIRMED_BIT, &nf_conntrack_untracked.status);
1740
1741 return ret;
1742
1743err_free_conntrack_slab:
1744 nf_conntrack_unregister_cache(NF_CT_F_BASIC);
1745err_free_hash:
1746 free_conntrack_hash(nf_conntrack_hash, nf_conntrack_vmalloc,
1747 nf_conntrack_htable_size);
1748err_out:
1749 return -ENOMEM;
1750}
Ubuntu Artful kernel mirror