nf_conntrack_netlink.c 51.8 KB
Newer Older
1
2
3
4
/* Connection tracking via netlink socket. Allows for user space
 * protocol helpers and general trouble making from userspace.
 *
 * (C) 2001 by Jay Schulist <jschlst@samba.org>
5
 * (C) 2002-2006 by Harald Welte <laforge@gnumonks.org>
6
 * (C) 2003 by Patrick Mchardy <kaber@trash.net>
7
 * (C) 2005-2008 by Pablo Neira Ayuso <pablo@netfilter.org>
8
 *
9
 * Initial connection tracking via netlink development funded and
10
11
12
13
14
15
16
17
18
19
20
 * generally made possible by Network Robots, Inc. (www.networkrobots.com)
 *
 * Further development of this code funded by Astaro AG (http://www.astaro.com)
 *
 * This software may be used and distributed according to the terms
 * of the GNU General Public License, incorporated herein by reference.
 */

#include <linux/init.h>
#include <linux/module.h>
#include <linux/kernel.h>
21
#include <linux/rculist.h>
22
#include <linux/rculist_nulls.h>
23
24
#include <linux/types.h>
#include <linux/timer.h>
25
#include <linux/security.h>
26
27
28
29
#include <linux/skbuff.h>
#include <linux/errno.h>
#include <linux/netlink.h>
#include <linux/spinlock.h>
30
#include <linux/interrupt.h>
31
#include <linux/slab.h>
32
33

#include <linux/netfilter.h>
34
#include <net/netlink.h>
35
#include <net/sock.h>
36
37
#include <net/netfilter/nf_conntrack.h>
#include <net/netfilter/nf_conntrack_core.h>
38
#include <net/netfilter/nf_conntrack_expect.h>
39
40
#include <net/netfilter/nf_conntrack_helper.h>
#include <net/netfilter/nf_conntrack_l3proto.h>
41
#include <net/netfilter/nf_conntrack_l4proto.h>
42
#include <net/netfilter/nf_conntrack_tuple.h>
43
#include <net/netfilter/nf_conntrack_acct.h>
44
#include <net/netfilter/nf_conntrack_zones.h>
45
46
47
48
#ifdef CONFIG_NF_NAT_NEEDED
#include <net/netfilter/nf_nat_core.h>
#include <net/netfilter/nf_nat_protocol.h>
#endif
49
50
51
52
53
54

#include <linux/netfilter/nfnetlink.h>
#include <linux/netfilter/nfnetlink_conntrack.h>

MODULE_LICENSE("GPL");

55
static char __initdata version[] = "0.93";
56
57

static inline int
58
ctnetlink_dump_tuples_proto(struct sk_buff *skb,
59
			    const struct nf_conntrack_tuple *tuple,
60
			    struct nf_conntrack_l4proto *l4proto)
61
62
{
	int ret = 0;
63
	struct nlattr *nest_parms;
64

65
66
67
	nest_parms = nla_nest_start(skb, CTA_TUPLE_PROTO | NLA_F_NESTED);
	if (!nest_parms)
		goto nla_put_failure;
68
	NLA_PUT_U8(skb, CTA_PROTO_NUM, tuple->dst.protonum);
69

70
71
	if (likely(l4proto->tuple_to_nlattr))
		ret = l4proto->tuple_to_nlattr(skb, tuple);
72

73
	nla_nest_end(skb, nest_parms);
74
75
76

	return ret;

77
nla_put_failure:
78
79
80
81
	return -1;
}

static inline int
82
83
84
ctnetlink_dump_tuples_ip(struct sk_buff *skb,
			 const struct nf_conntrack_tuple *tuple,
			 struct nf_conntrack_l3proto *l3proto)
85
86
{
	int ret = 0;
87
88
89
90
91
	struct nlattr *nest_parms;

	nest_parms = nla_nest_start(skb, CTA_TUPLE_IP | NLA_F_NESTED);
	if (!nest_parms)
		goto nla_put_failure;
92

93
94
	if (likely(l3proto->tuple_to_nlattr))
		ret = l3proto->tuple_to_nlattr(skb, tuple);
95

96
	nla_nest_end(skb, nest_parms);
97

98
99
	return ret;

100
nla_put_failure:
101
102
103
	return -1;
}

104
static int
105
106
107
108
109
ctnetlink_dump_tuples(struct sk_buff *skb,
		      const struct nf_conntrack_tuple *tuple)
{
	int ret;
	struct nf_conntrack_l3proto *l3proto;
110
	struct nf_conntrack_l4proto *l4proto;
111

112
	l3proto = __nf_ct_l3proto_find(tuple->src.l3num);
113
	ret = ctnetlink_dump_tuples_ip(skb, tuple, l3proto);
114
115
116
117

	if (unlikely(ret < 0))
		return ret;

118
	l4proto = __nf_ct_l4proto_find(tuple->src.l3num, tuple->dst.protonum);
119
	ret = ctnetlink_dump_tuples_proto(skb, tuple, l4proto);
120
121
122
123
124
125
126

	return ret;
}

static inline int
ctnetlink_dump_status(struct sk_buff *skb, const struct nf_conn *ct)
{
127
	NLA_PUT_BE32(skb, CTA_STATUS, htonl(ct->status));
128
129
	return 0;

130
nla_put_failure:
131
132
133
134
135
136
	return -1;
}

static inline int
ctnetlink_dump_timeout(struct sk_buff *skb, const struct nf_conn *ct)
{
137
	long timeout = (ct->timeout.expires - jiffies) / HZ;
138

139
	if (timeout < 0)
140
		timeout = 0;
141

142
	NLA_PUT_BE32(skb, CTA_TIMEOUT, htonl(timeout));
143
144
	return 0;

145
nla_put_failure:
146
147
148
149
	return -1;
}

static inline int
150
ctnetlink_dump_protoinfo(struct sk_buff *skb, struct nf_conn *ct)
151
{
152
	struct nf_conntrack_l4proto *l4proto;
153
	struct nlattr *nest_proto;
154
155
	int ret;

156
157
	l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
	if (!l4proto->to_nlattr)
158
		return 0;
159

160
161
162
	nest_proto = nla_nest_start(skb, CTA_PROTOINFO | NLA_F_NESTED);
	if (!nest_proto)
		goto nla_put_failure;
163

164
	ret = l4proto->to_nlattr(skb, nest_proto, ct);
165

166
	nla_nest_end(skb, nest_proto);
167
168
169

	return ret;

170
nla_put_failure:
171
172
173
174
175
176
	return -1;
}

static inline int
ctnetlink_dump_helpinfo(struct sk_buff *skb, const struct nf_conn *ct)
{
177
	struct nlattr *nest_helper;
178
	const struct nf_conn_help *help = nfct_help(ct);
179
	struct nf_conntrack_helper *helper;
180

181
	if (!help)
182
		return 0;
183

184
185
186
187
	helper = rcu_dereference(help->helper);
	if (!helper)
		goto out;

188
189
190
	nest_helper = nla_nest_start(skb, CTA_HELP | NLA_F_NESTED);
	if (!nest_helper)
		goto nla_put_failure;
191
	NLA_PUT_STRING(skb, CTA_HELP_NAME, helper->name);
192

193
194
	if (helper->to_nlattr)
		helper->to_nlattr(skb, ct);
195

196
	nla_nest_end(skb, nest_helper);
197
out:
198
199
	return 0;

200
nla_put_failure:
201
202
203
	return -1;
}

204
static int
205
206
207
208
ctnetlink_dump_counters(struct sk_buff *skb, const struct nf_conn *ct,
			enum ip_conntrack_dir dir)
{
	enum ctattr_type type = dir ? CTA_COUNTERS_REPLY: CTA_COUNTERS_ORIG;
209
	struct nlattr *nest_count;
210
211
212
213
214
	const struct nf_conn_counter *acct;

	acct = nf_conn_acct_find(ct);
	if (!acct)
		return 0;
215

216
217
218
219
	nest_count = nla_nest_start(skb, type | NLA_F_NESTED);
	if (!nest_count)
		goto nla_put_failure;

220
221
222
223
	NLA_PUT_BE64(skb, CTA_COUNTERS_PACKETS,
		     cpu_to_be64(acct[dir].packets));
	NLA_PUT_BE64(skb, CTA_COUNTERS_BYTES,
		     cpu_to_be64(acct[dir].bytes));
224

225
	nla_nest_end(skb, nest_count);
226
227
228

	return 0;

229
nla_put_failure:
230
231
232
233
234
235
236
	return -1;
}

#ifdef CONFIG_NF_CONNTRACK_MARK
static inline int
ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct)
{
237
	NLA_PUT_BE32(skb, CTA_MARK, htonl(ct->mark));
238
239
	return 0;

240
nla_put_failure:
241
242
243
244
245
246
	return -1;
}
#else
#define ctnetlink_dump_mark(a, b) (0)
#endif

247
248
#ifdef CONFIG_NF_CONNTRACK_SECMARK
static inline int
249
ctnetlink_dump_secctx(struct sk_buff *skb, const struct nf_conn *ct)
250
{
251
252
253
254
255
256
	struct nlattr *nest_secctx;
	int len, ret;
	char *secctx;

	ret = security_secid_to_secctx(ct->secmark, &secctx, &len);
	if (ret)
257
		return 0;
258
259
260
261
262

	ret = -1;
	nest_secctx = nla_nest_start(skb, CTA_SECCTX | NLA_F_NESTED);
	if (!nest_secctx)
		goto nla_put_failure;
263

264
265
266
267
	NLA_PUT_STRING(skb, CTA_SECCTX_NAME, secctx);
	nla_nest_end(skb, nest_secctx);

	ret = 0;
268
nla_put_failure:
269
270
	security_release_secctx(secctx, len);
	return ret;
271
272
}
#else
273
#define ctnetlink_dump_secctx(a, b) (0)
274
275
#endif

276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
#define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple)

static inline int
ctnetlink_dump_master(struct sk_buff *skb, const struct nf_conn *ct)
{
	struct nlattr *nest_parms;

	if (!(ct->status & IPS_EXPECTED))
		return 0;

	nest_parms = nla_nest_start(skb, CTA_TUPLE_MASTER | NLA_F_NESTED);
	if (!nest_parms)
		goto nla_put_failure;
	if (ctnetlink_dump_tuples(skb, master_tuple(ct)) < 0)
		goto nla_put_failure;
	nla_nest_end(skb, nest_parms);

	return 0;

nla_put_failure:
	return -1;
}

299
#ifdef CONFIG_NF_NAT_NEEDED
300
static int
301
302
303
304
305
306
307
308
dump_nat_seq_adj(struct sk_buff *skb, const struct nf_nat_seq *natseq, int type)
{
	struct nlattr *nest_parms;

	nest_parms = nla_nest_start(skb, type | NLA_F_NESTED);
	if (!nest_parms)
		goto nla_put_failure;

309
310
311
312
313
314
	NLA_PUT_BE32(skb, CTA_NAT_SEQ_CORRECTION_POS,
		     htonl(natseq->correction_pos));
	NLA_PUT_BE32(skb, CTA_NAT_SEQ_OFFSET_BEFORE,
		     htonl(natseq->offset_before));
	NLA_PUT_BE32(skb, CTA_NAT_SEQ_OFFSET_AFTER,
		     htonl(natseq->offset_after));
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346

	nla_nest_end(skb, nest_parms);

	return 0;

nla_put_failure:
	return -1;
}

static inline int
ctnetlink_dump_nat_seq_adj(struct sk_buff *skb, const struct nf_conn *ct)
{
	struct nf_nat_seq *natseq;
	struct nf_conn_nat *nat = nfct_nat(ct);

	if (!(ct->status & IPS_SEQ_ADJUST) || !nat)
		return 0;

	natseq = &nat->seq[IP_CT_DIR_ORIGINAL];
	if (dump_nat_seq_adj(skb, natseq, CTA_NAT_SEQ_ADJ_ORIG) == -1)
		return -1;

	natseq = &nat->seq[IP_CT_DIR_REPLY];
	if (dump_nat_seq_adj(skb, natseq, CTA_NAT_SEQ_ADJ_REPLY) == -1)
		return -1;

	return 0;
}
#else
#define ctnetlink_dump_nat_seq_adj(a, b) (0)
#endif

347
348
349
static inline int
ctnetlink_dump_id(struct sk_buff *skb, const struct nf_conn *ct)
{
350
	NLA_PUT_BE32(skb, CTA_ID, htonl((unsigned long)ct));
351
352
	return 0;

353
nla_put_failure:
354
355
356
357
358
359
	return -1;
}

static inline int
ctnetlink_dump_use(struct sk_buff *skb, const struct nf_conn *ct)
{
360
	NLA_PUT_BE32(skb, CTA_USE, htonl(atomic_read(&ct->ct_general.use)));
361
362
	return 0;

363
nla_put_failure:
364
365
366
367
368
	return -1;
}

static int
ctnetlink_fill_info(struct sk_buff *skb, u32 pid, u32 seq,
369
		    int event, struct nf_conn *ct)
370
371
372
{
	struct nlmsghdr *nlh;
	struct nfgenmsg *nfmsg;
373
	struct nlattr *nest_parms;
374
	unsigned int flags = pid ? NLM_F_MULTI : 0;
375
376

	event |= NFNL_SUBSYS_CTNETLINK << 8;
377
378
379
	nlh = nlmsg_put(skb, pid, seq, event, sizeof(*nfmsg), flags);
	if (nlh == NULL)
		goto nlmsg_failure;
380

381
	nfmsg = nlmsg_data(nlh);
382
	nfmsg->nfgen_family = nf_ct_l3num(ct);
383
384
385
	nfmsg->version      = NFNETLINK_V0;
	nfmsg->res_id	    = 0;

386
387
388
	nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED);
	if (!nest_parms)
		goto nla_put_failure;
389
	if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
390
391
		goto nla_put_failure;
	nla_nest_end(skb, nest_parms);
392

393
394
395
	nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY | NLA_F_NESTED);
	if (!nest_parms)
		goto nla_put_failure;
396
	if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
397
398
		goto nla_put_failure;
	nla_nest_end(skb, nest_parms);
399

400
401
402
	if (nf_ct_zone(ct))
		NLA_PUT_BE16(skb, CTA_ZONE, htons(nf_ct_zone(ct)));

403
404
405
406
407
408
409
	if (ctnetlink_dump_status(skb, ct) < 0 ||
	    ctnetlink_dump_timeout(skb, ct) < 0 ||
	    ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 ||
	    ctnetlink_dump_counters(skb, ct, IP_CT_DIR_REPLY) < 0 ||
	    ctnetlink_dump_protoinfo(skb, ct) < 0 ||
	    ctnetlink_dump_helpinfo(skb, ct) < 0 ||
	    ctnetlink_dump_mark(skb, ct) < 0 ||
410
	    ctnetlink_dump_secctx(skb, ct) < 0 ||
411
	    ctnetlink_dump_id(skb, ct) < 0 ||
412
	    ctnetlink_dump_use(skb, ct) < 0 ||
413
	    ctnetlink_dump_master(skb, ct) < 0 ||
414
	    ctnetlink_dump_nat_seq_adj(skb, ct) < 0)
415
		goto nla_put_failure;
416

417
	nlmsg_end(skb, nlh);
418
419
420
	return skb->len;

nlmsg_failure:
421
nla_put_failure:
422
	nlmsg_cancel(skb, nlh);
423
424
425
426
	return -1;
}

#ifdef CONFIG_NF_CONNTRACK_EVENTS
427
428
static inline size_t
ctnetlink_proto_size(const struct nf_conn *ct)
429
430
431
{
	struct nf_conntrack_l3proto *l3proto;
	struct nf_conntrack_l4proto *l4proto;
432
433
434
435
436
437
438
439
440
441
442
443
444
	size_t len = 0;

	rcu_read_lock();
	l3proto = __nf_ct_l3proto_find(nf_ct_l3num(ct));
	len += l3proto->nla_size;

	l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
	len += l4proto->nla_size;
	rcu_read_unlock();

	return len;
}

445
446
447
448
449
450
451
452
453
454
455
static inline size_t
ctnetlink_counters_size(const struct nf_conn *ct)
{
	if (!nf_ct_ext_exist(ct, NF_CT_EXT_ACCT))
		return 0;
	return 2 * nla_total_size(0) /* CTA_COUNTERS_ORIG|REPL */
	       + 2 * nla_total_size(sizeof(uint64_t)) /* CTA_COUNTERS_PACKETS */
	       + 2 * nla_total_size(sizeof(uint64_t)) /* CTA_COUNTERS_BYTES */
	       ;
}

456
457
static inline int
ctnetlink_secctx_size(const struct nf_conn *ct)
458
{
459
460
#ifdef CONFIG_NF_CONNTRACK_SECMARK
	int len, ret;
461

462
463
464
	ret = security_secid_to_secctx(ct->secmark, NULL, &len);
	if (ret)
		return 0;
465

466
467
468
469
	return nla_total_size(0) /* CTA_SECCTX */
	       + nla_total_size(sizeof(char) * len); /* CTA_SECCTX_NAME */
#else
	return 0;
470
#endif
471
}
472

473
474
475
476
477
478
479
480
481
482
static inline size_t
ctnetlink_nlmsg_size(const struct nf_conn *ct)
{
	return NLMSG_ALIGN(sizeof(struct nfgenmsg))
	       + 3 * nla_total_size(0) /* CTA_TUPLE_ORIG|REPL|MASTER */
	       + 3 * nla_total_size(0) /* CTA_TUPLE_IP */
	       + 3 * nla_total_size(0) /* CTA_TUPLE_PROTO */
	       + 3 * nla_total_size(sizeof(u_int8_t)) /* CTA_PROTO_NUM */
	       + nla_total_size(sizeof(u_int32_t)) /* CTA_ID */
	       + nla_total_size(sizeof(u_int32_t)) /* CTA_STATUS */
483
	       + ctnetlink_counters_size(ct)
484
485
486
487
	       + nla_total_size(sizeof(u_int32_t)) /* CTA_TIMEOUT */
	       + nla_total_size(0) /* CTA_PROTOINFO */
	       + nla_total_size(0) /* CTA_HELP */
	       + nla_total_size(NF_CT_HELPER_NAME_LEN) /* CTA_HELP_NAME */
488
	       + ctnetlink_secctx_size(ct)
489
#ifdef CONFIG_NF_NAT_NEEDED
490
491
	       + 2 * nla_total_size(0) /* CTA_NAT_SEQ_ADJ_ORIG|REPL */
	       + 6 * nla_total_size(sizeof(u_int32_t)) /* CTA_NAT_SEQ_OFFSET */
492
493
#endif
#ifdef CONFIG_NF_CONNTRACK_MARK
494
	       + nla_total_size(sizeof(u_int32_t)) /* CTA_MARK */
495
#endif
496
497
	       + ctnetlink_proto_size(ct)
	       ;
498
499
}

500
501
static int
ctnetlink_conntrack_event(unsigned int events, struct nf_ct_event *item)
502
{
503
	struct net *net;
504
505
	struct nlmsghdr *nlh;
	struct nfgenmsg *nfmsg;
506
	struct nlattr *nest_parms;
507
	struct nf_conn *ct = item->ct;
508
509
510
	struct sk_buff *skb;
	unsigned int type;
	unsigned int flags = 0, group;
511
	int err;
512
513

	/* ignore our fake conntrack entry */
514
	if (nf_ct_is_untracked(ct))
515
		return 0;
516

517
	if (events & (1 << IPCT_DESTROY)) {
518
519
		type = IPCTNL_MSG_CT_DELETE;
		group = NFNLGRP_CONNTRACK_DESTROY;
520
	} else  if (events & ((1 << IPCT_NEW) | (1 << IPCT_RELATED))) {
521
522
523
		type = IPCTNL_MSG_CT_NEW;
		flags = NLM_F_CREATE|NLM_F_EXCL;
		group = NFNLGRP_CONNTRACK_NEW;
524
	} else  if (events) {
525
526
527
		type = IPCTNL_MSG_CT_NEW;
		group = NFNLGRP_CONNTRACK_UPDATE;
	} else
528
		return 0;
529

530
531
	net = nf_ct_net(ct);
	if (!item->report && !nfnetlink_has_listeners(net, group))
532
		return 0;
533

534
535
	skb = nlmsg_new(ctnetlink_nlmsg_size(ct), GFP_ATOMIC);
	if (skb == NULL)
536
		goto errout;
537
538

	type |= NFNL_SUBSYS_CTNETLINK << 8;
539
540
541
	nlh = nlmsg_put(skb, item->pid, 0, type, sizeof(*nfmsg), flags);
	if (nlh == NULL)
		goto nlmsg_failure;
542

543
	nfmsg = nlmsg_data(nlh);
544
	nfmsg->nfgen_family = nf_ct_l3num(ct);
545
546
547
	nfmsg->version	= NFNETLINK_V0;
	nfmsg->res_id	= 0;

548
	rcu_read_lock();
549
550
551
	nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED);
	if (!nest_parms)
		goto nla_put_failure;
552
	if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
553
554
		goto nla_put_failure;
	nla_nest_end(skb, nest_parms);
555

556
557
558
	nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY | NLA_F_NESTED);
	if (!nest_parms)
		goto nla_put_failure;
559
	if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
560
561
		goto nla_put_failure;
	nla_nest_end(skb, nest_parms);
562

563
564
565
	if (nf_ct_zone(ct))
		NLA_PUT_BE16(skb, CTA_ZONE, htons(nf_ct_zone(ct)));

566
567
568
	if (ctnetlink_dump_id(skb, ct) < 0)
		goto nla_put_failure;

569
570
571
	if (ctnetlink_dump_status(skb, ct) < 0)
		goto nla_put_failure;

572
	if (events & (1 << IPCT_DESTROY)) {
573
574
		if (ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 ||
		    ctnetlink_dump_counters(skb, ct, IP_CT_DIR_REPLY) < 0)
575
			goto nla_put_failure;
576
577
	} else {
		if (ctnetlink_dump_timeout(skb, ct) < 0)
578
			goto nla_put_failure;
579

580
		if (events & (1 << IPCT_PROTOINFO)
581
		    && ctnetlink_dump_protoinfo(skb, ct) < 0)
582
			goto nla_put_failure;
583

584
		if ((events & (1 << IPCT_HELPER) || nfct_help(ct))
585
		    && ctnetlink_dump_helpinfo(skb, ct) < 0)
586
			goto nla_put_failure;
587

588
#ifdef CONFIG_NF_CONNTRACK_SECMARK
589
		if ((events & (1 << IPCT_SECMARK) || ct->secmark)
590
		    && ctnetlink_dump_secctx(skb, ct) < 0)
591
			goto nla_put_failure;
592
#endif
593

594
		if (events & (1 << IPCT_RELATED) &&
595
596
597
		    ctnetlink_dump_master(skb, ct) < 0)
			goto nla_put_failure;

598
		if (events & (1 << IPCT_NATSEQADJ) &&
599
600
		    ctnetlink_dump_nat_seq_adj(skb, ct) < 0)
			goto nla_put_failure;
601
	}
602

603
#ifdef CONFIG_NF_CONNTRACK_MARK
604
	if ((events & (1 << IPCT_MARK) || ct->mark)
605
606
607
	    && ctnetlink_dump_mark(skb, ct) < 0)
		goto nla_put_failure;
#endif
608
	rcu_read_unlock();
609

610
	nlmsg_end(skb, nlh);
611
	err = nfnetlink_send(skb, net, item->pid, group, item->report,
612
			     GFP_ATOMIC);
613
614
615
	if (err == -ENOBUFS || err == -EAGAIN)
		return -ENOBUFS;

616
	return 0;
617

618
nla_put_failure:
619
	rcu_read_unlock();
620
	nlmsg_cancel(skb, nlh);
621
nlmsg_failure:
622
	kfree_skb(skb);
623
errout:
624
625
626
	if (nfnetlink_set_err(net, 0, group, -ENOBUFS) > 0)
		return -ENOBUFS;

627
	return 0;
628
629
630
631
632
}
#endif /* CONFIG_NF_CONNTRACK_EVENTS */

static int ctnetlink_done(struct netlink_callback *cb)
{
633
634
	if (cb->args[1])
		nf_ct_put((struct nf_conn *)cb->args[1]);
635
636
637
638
639
640
	return 0;
}

static int
ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
{
641
	struct net *net = sock_net(skb->sk);
642
	struct nf_conn *ct, *last;
643
	struct nf_conntrack_tuple_hash *h;
644
	struct hlist_nulls_node *n;
645
	struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
646
	u_int8_t l3proto = nfmsg->nfgen_family;
647

648
	spin_lock_bh(&nf_conntrack_lock);
649
	last = (struct nf_conn *)cb->args[1];
650
	for (; cb->args[0] < net->ct.htable_size; cb->args[0]++) {
651
restart:
652
		hlist_nulls_for_each_entry(h, n, &net->ct.hash[cb->args[0]],
653
					 hnnode) {
654
			if (NF_CT_DIRECTION(h) != IP_CT_DIR_ORIGINAL)
655
656
				continue;
			ct = nf_ct_tuplehash_to_ctrack(h);
657
658
659
			/* Dump entries of a given L3 protocol number.
			 * If it is not specified, ie. l3proto == 0,
			 * then dump everything. */
660
			if (l3proto && nf_ct_l3num(ct) != l3proto)
661
				continue;
662
663
			if (cb->args[1]) {
				if (ct != last)
664
					continue;
665
				cb->args[1] = 0;
666
			}
667
			if (ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).pid,
668
						cb->nlh->nlmsg_seq,
669
						IPCTNL_MSG_CT_NEW, ct) < 0) {
670
				cb->args[1] = (unsigned long)ct;
671
				goto out;
672
			}
673

674
			if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) ==
675
676
677
678
679
680
681
						IPCTNL_MSG_CT_GET_CTRZERO) {
				struct nf_conn_counter *acct;

				acct = nf_conn_acct_find(ct);
				if (acct)
					memset(acct, 0, sizeof(struct nf_conn_counter[IP_CT_DIR_MAX]));
			}
682
		}
683
		if (cb->args[1]) {
684
685
			cb->args[1] = 0;
			goto restart;
686
687
		}
	}
688
out:
689
	spin_unlock_bh(&nf_conntrack_lock);
690
691
	if (last)
		nf_ct_put(last);
692
693
694
695
696

	return skb->len;
}

static inline int
697
ctnetlink_parse_tuple_ip(struct nlattr *attr, struct nf_conntrack_tuple *tuple)
698
{
699
	struct nlattr *tb[CTA_IP_MAX+1];
700
701
702
	struct nf_conntrack_l3proto *l3proto;
	int ret = 0;

703
	nla_parse_nested(tb, CTA_IP_MAX, attr, NULL);
704

705
706
	rcu_read_lock();
	l3proto = __nf_ct_l3proto_find(tuple->src.l3num);
707

708
709
710
711
712
713
	if (likely(l3proto->nlattr_to_tuple)) {
		ret = nla_validate_nested(attr, CTA_IP_MAX,
					  l3proto->nla_policy);
		if (ret == 0)
			ret = l3proto->nlattr_to_tuple(tb, tuple);
	}
714

715
	rcu_read_unlock();
716
717
718
719

	return ret;
}

720
721
static const struct nla_policy proto_nla_policy[CTA_PROTO_MAX+1] = {
	[CTA_PROTO_NUM]	= { .type = NLA_U8 },
722
723
724
};

static inline int
725
ctnetlink_parse_tuple_proto(struct nlattr *attr,
726
727
			    struct nf_conntrack_tuple *tuple)
{
728
	struct nlattr *tb[CTA_PROTO_MAX+1];
729
	struct nf_conntrack_l4proto *l4proto;
730
731
	int ret = 0;

732
733
734
	ret = nla_parse_nested(tb, CTA_PROTO_MAX, attr, proto_nla_policy);
	if (ret < 0)
		return ret;
735

736
	if (!tb[CTA_PROTO_NUM])
737
		return -EINVAL;
738
	tuple->dst.protonum = nla_get_u8(tb[CTA_PROTO_NUM]);
739

740
741
	rcu_read_lock();
	l4proto = __nf_ct_l4proto_find(tuple->src.l3num, tuple->dst.protonum);
742

743
744
745
746
747
748
	if (likely(l4proto->nlattr_to_tuple)) {
		ret = nla_validate_nested(attr, CTA_PROTO_MAX,
					  l4proto->nla_policy);
		if (ret == 0)
			ret = l4proto->nlattr_to_tuple(tb, tuple);
	}
749

750
	rcu_read_unlock();
751

752
753
754
	return ret;
}

755
756
757
758
759
static const struct nla_policy tuple_nla_policy[CTA_TUPLE_MAX+1] = {
	[CTA_TUPLE_IP]		= { .type = NLA_NESTED },
	[CTA_TUPLE_PROTO]	= { .type = NLA_NESTED },
};

760
static int
761
762
ctnetlink_parse_tuple(const struct nlattr * const cda[],
		      struct nf_conntrack_tuple *tuple,
763
764
		      enum ctattr_tuple type, u_int8_t l3num)
{
765
	struct nlattr *tb[CTA_TUPLE_MAX+1];
766
767
768
769
	int err;

	memset(tuple, 0, sizeof(*tuple));

770
	nla_parse_nested(tb, CTA_TUPLE_MAX, cda[type], tuple_nla_policy);
771

772
	if (!tb[CTA_TUPLE_IP])
773
774
775
776
		return -EINVAL;

	tuple->src.l3num = l3num;

777
	err = ctnetlink_parse_tuple_ip(tb[CTA_TUPLE_IP], tuple);
778
779
780
	if (err < 0)
		return err;

781
	if (!tb[CTA_TUPLE_PROTO])
782
783
		return -EINVAL;

784
	err = ctnetlink_parse_tuple_proto(tb[CTA_TUPLE_PROTO], tuple);
785
786
787
788
789
790
791
792
793
794
795
796
	if (err < 0)
		return err;

	/* orig and expect tuples get DIR_ORIGINAL */
	if (type == CTA_TUPLE_REPLY)
		tuple->dst.dir = IP_CT_DIR_REPLY;
	else
		tuple->dst.dir = IP_CT_DIR_ORIGINAL;

	return 0;
}

797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
static int
ctnetlink_parse_zone(const struct nlattr *attr, u16 *zone)
{
	if (attr)
#ifdef CONFIG_NF_CONNTRACK_ZONES
		*zone = ntohs(nla_get_be16(attr));
#else
		return -EOPNOTSUPP;
#endif
	else
		*zone = 0;

	return 0;
}

812
813
814
815
static const struct nla_policy help_nla_policy[CTA_HELP_MAX+1] = {
	[CTA_HELP_NAME]		= { .type = NLA_NUL_STRING },
};

816
static inline int
817
ctnetlink_parse_help(const struct nlattr *attr, char **helper_name)
818
{
819
	struct nlattr *tb[CTA_HELP_MAX+1];
820

821
	nla_parse_nested(tb, CTA_HELP_MAX, attr, help_nla_policy);
822

823
	if (!tb[CTA_HELP_NAME])
824
825
		return -EINVAL;

826
	*helper_name = nla_data(tb[CTA_HELP_NAME]);
827
828
829
830

	return 0;
}

831
static const struct nla_policy ct_nla_policy[CTA_MAX+1] = {
832
833
	[CTA_TUPLE_ORIG]	= { .type = NLA_NESTED },
	[CTA_TUPLE_REPLY]	= { .type = NLA_NESTED },
834
	[CTA_STATUS] 		= { .type = NLA_U32 },
835
836
837
	[CTA_PROTOINFO]		= { .type = NLA_NESTED },
	[CTA_HELP]		= { .type = NLA_NESTED },
	[CTA_NAT_SRC]		= { .type = NLA_NESTED },
838
839
840
	[CTA_TIMEOUT] 		= { .type = NLA_U32 },
	[CTA_MARK]		= { .type = NLA_U32 },
	[CTA_ID]		= { .type = NLA_U32 },
841
842
	[CTA_NAT_DST]		= { .type = NLA_NESTED },
	[CTA_TUPLE_MASTER]	= { .type = NLA_NESTED },
843
	[CTA_ZONE]		= { .type = NLA_U16 },
844
845
846
};

static int
847
ctnetlink_del_conntrack(struct sock *ctnl, struct sk_buff *skb,
848
849
			const struct nlmsghdr *nlh,
			const struct nlattr * const cda[])
850
{
851
	struct net *net = sock_net(ctnl);
852
853
854
	struct nf_conntrack_tuple_hash *h;
	struct nf_conntrack_tuple tuple;
	struct nf_conn *ct;
855
	struct nfgenmsg *nfmsg = nlmsg_data(nlh);
856
	u_int8_t u3 = nfmsg->nfgen_family;
857
858
859
860
861
862
	u16 zone;
	int err;

	err = ctnetlink_parse_zone(cda[CTA_ZONE], &zone);
	if (err < 0)
		return err;
863

864
	if (cda[CTA_TUPLE_ORIG])
865
		err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, u3);
866
	else if (cda[CTA_TUPLE_REPLY])
867
868
869
		err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY, u3);
	else {
		/* Flush the whole table */
870
		nf_conntrack_flush_report(net,
871
872
					 NETLINK_CB(skb).pid,
					 nlmsg_report(nlh));
873
874
875
876
877
878
		return 0;
	}

	if (err < 0)
		return err;

879
	h = nf_conntrack_find_get(net, zone, &tuple);
880
	if (!h)
881
882
883
		return -ENOENT;

	ct = nf_ct_tuplehash_to_ctrack(h);
884

885
	if (cda[CTA_ID]) {
886
		u_int32_t id = ntohl(nla_get_be32(cda[CTA_ID]));
887
		if (id != (u32)(unsigned long)ct) {
888
889
890
			nf_ct_put(ct);
			return -ENOENT;
		}
891
	}
892

893
894
895
896
897
898
899
900
901
	if (nf_conntrack_event_report(IPCT_DESTROY, ct,
				      NETLINK_CB(skb).pid,
				      nlmsg_report(nlh)) < 0) {
		nf_ct_delete_from_lists(ct);
		/* we failed to report the event, try later */
		nf_ct_insert_dying_list(ct);
		nf_ct_put(ct);
		return 0;
	}
902
903
904
905

	/* death_by_timeout would report the event again */
	set_bit(IPS_DYING_BIT, &ct->status);

906
	nf_ct_kill(ct);
907
908
909
910
911
912
	nf_ct_put(ct);

	return 0;
}

static int
913
ctnetlink_get_conntrack(struct sock *ctnl, struct sk_buff *skb,
914
915
			const struct nlmsghdr *nlh,
			const struct nlattr * const cda[])
916
{
917
	struct net *net = sock_net(ctnl);
918
919
920
921
	struct nf_conntrack_tuple_hash *h;
	struct nf_conntrack_tuple tuple;
	struct nf_conn *ct;
	struct sk_buff *skb2 = NULL;
922
	struct nfgenmsg *nfmsg = nlmsg_data(nlh);
923
	u_int8_t u3 = nfmsg->nfgen_family;
924
925
	u16 zone;
	int err;