search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge tag 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mst/vhost
[cris-mirror.git] / net / netfilter / nft_ct.c
blob6ab274b14484055e4d4dfeac5fadd60420f8abe9
1 /*
2 * Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
3 * Copyright (c) 2016 Pablo Neira Ayuso <pablo@netfilter.org>
4 *
5 * This program is free software; you can redistribute it and/or modify
6 * it under the terms of the GNU General Public License version 2 as
7 * published by the Free Software Foundation.
8 *
9 * Development of this code funded by Astaro AG (http://www.astaro.com/)
10 */
11
12 #include <linux/kernel.h>
13 #include <linux/init.h>
14 #include <linux/module.h>
15 #include <linux/netlink.h>
16 #include <linux/netfilter.h>
17 #include <linux/netfilter/nf_tables.h>
18 #include <net/netfilter/nf_tables.h>
19 #include <net/netfilter/nf_conntrack.h>
20 #include <net/netfilter/nf_conntrack_acct.h>
21 #include <net/netfilter/nf_conntrack_tuple.h>
22 #include <net/netfilter/nf_conntrack_helper.h>
23 #include <net/netfilter/nf_conntrack_ecache.h>
24 #include <net/netfilter/nf_conntrack_labels.h>
25
26 struct nft_ct {
27 enum nft_ct_keys key:8;
28 enum ip_conntrack_dir dir:8;
29 union {
30 enum nft_registers dreg:8;
31 enum nft_registers sreg:8;
32 };
33 };
34
35 struct nft_ct_helper_obj {
36 struct nf_conntrack_helper *helper4;
37 struct nf_conntrack_helper *helper6;
38 u8 l4proto;
39 };
40
41 #ifdef CONFIG_NF_CONNTRACK_ZONES
42 static DEFINE_PER_CPU(struct nf_conn *, nft_ct_pcpu_template);
43 static unsigned int nft_ct_pcpu_template_refcnt __read_mostly;
44 #endif
45
46 static u64 nft_ct_get_eval_counter(const struct nf_conn_counter *c,
47 enum nft_ct_keys k,
48 enum ip_conntrack_dir d)
49 {
50 if (d < IP_CT_DIR_MAX)
51 return k == NFT_CT_BYTES ? atomic64_read(&c[d].bytes) :
52 atomic64_read(&c[d].packets);
53
54 return nft_ct_get_eval_counter(c, k, IP_CT_DIR_ORIGINAL) +
55 nft_ct_get_eval_counter(c, k, IP_CT_DIR_REPLY);
56 }
57
58 static void nft_ct_get_eval(const struct nft_expr *expr,
59 struct nft_regs *regs,
60 const struct nft_pktinfo *pkt)
61 {
62 const struct nft_ct *priv = nft_expr_priv(expr);
63 u32 *dest = &regs->data[priv->dreg];
64 enum ip_conntrack_info ctinfo;
65 const struct nf_conn *ct;
66 const struct nf_conn_help *help;
67 const struct nf_conntrack_tuple *tuple;
68 const struct nf_conntrack_helper *helper;
69 unsigned int state;
70
71 ct = nf_ct_get(pkt->skb, &ctinfo);
72
73 switch (priv->key) {
74 case NFT_CT_STATE:
75 if (ct)
76 state = NF_CT_STATE_BIT(ctinfo);
77 else if (ctinfo == IP_CT_UNTRACKED)
78 state = NF_CT_STATE_UNTRACKED_BIT;
79 else
80 state = NF_CT_STATE_INVALID_BIT;
81 *dest = state;
82 return;
83 default:
84 break;
85 }
86
87 if (ct == NULL)
88 goto err;
89
90 switch (priv->key) {
91 case NFT_CT_DIRECTION:
92 nft_reg_store8(dest, CTINFO2DIR(ctinfo));
93 return;
94 case NFT_CT_STATUS:
95 *dest = ct->status;
96 return;
97 #ifdef CONFIG_NF_CONNTRACK_MARK
98 case NFT_CT_MARK:
99 *dest = ct->mark;
100 return;
101 #endif
102 #ifdef CONFIG_NF_CONNTRACK_SECMARK
103 case NFT_CT_SECMARK:
104 *dest = ct->secmark;
105 return;
106 #endif
107 case NFT_CT_EXPIRATION:
108 *dest = jiffies_to_msecs(nf_ct_expires(ct));
109 return;
110 case NFT_CT_HELPER:
111 if (ct->master == NULL)
112 goto err;
113 help = nfct_help(ct->master);
114 if (help == NULL)
115 goto err;
116 helper = rcu_dereference(help->helper);
117 if (helper == NULL)
118 goto err;
119 strncpy((char *)dest, helper->name, NF_CT_HELPER_NAME_LEN);
120 return;
121 #ifdef CONFIG_NF_CONNTRACK_LABELS
122 case NFT_CT_LABELS: {
123 struct nf_conn_labels *labels = nf_ct_labels_find(ct);
124
125 if (labels)
126 memcpy(dest, labels->bits, NF_CT_LABELS_MAX_SIZE);
127 else
128 memset(dest, 0, NF_CT_LABELS_MAX_SIZE);
129 return;
130 }
131 #endif
132 case NFT_CT_BYTES: /* fallthrough */
133 case NFT_CT_PKTS: {
134 const struct nf_conn_acct *acct = nf_conn_acct_find(ct);
135 u64 count = 0;
136
137 if (acct)
138 count = nft_ct_get_eval_counter(acct->counter,
139 priv->key, priv->dir);
140 memcpy(dest, &count, sizeof(count));
141 return;
142 }
143 case NFT_CT_AVGPKT: {
144 const struct nf_conn_acct *acct = nf_conn_acct_find(ct);
145 u64 avgcnt = 0, bcnt = 0, pcnt = 0;
146
147 if (acct) {
148 pcnt = nft_ct_get_eval_counter(acct->counter,
149 NFT_CT_PKTS, priv->dir);
150 bcnt = nft_ct_get_eval_counter(acct->counter,
151 NFT_CT_BYTES, priv->dir);
152 if (pcnt != 0)
153 avgcnt = div64_u64(bcnt, pcnt);
154 }
155
156 memcpy(dest, &avgcnt, sizeof(avgcnt));
157 return;
158 }
159 case NFT_CT_L3PROTOCOL:
160 nft_reg_store8(dest, nf_ct_l3num(ct));
161 return;
162 case NFT_CT_PROTOCOL:
163 nft_reg_store8(dest, nf_ct_protonum(ct));
164 return;
165 #ifdef CONFIG_NF_CONNTRACK_ZONES
166 case NFT_CT_ZONE: {
167 const struct nf_conntrack_zone *zone = nf_ct_zone(ct);
168 u16 zoneid;
169
170 if (priv->dir < IP_CT_DIR_MAX)
171 zoneid = nf_ct_zone_id(zone, priv->dir);
172 else
173 zoneid = zone->id;
174
175 nft_reg_store16(dest, zoneid);
176 return;
177 }
178 #endif
179 default:
180 break;
181 }
182
183 tuple = &ct->tuplehash[priv->dir].tuple;
184 switch (priv->key) {
185 case NFT_CT_SRC:
186 memcpy(dest, tuple->src.u3.all,
187 nf_ct_l3num(ct) == NFPROTO_IPV4 ? 4 : 16);
188 return;
189 case NFT_CT_DST:
190 memcpy(dest, tuple->dst.u3.all,
191 nf_ct_l3num(ct) == NFPROTO_IPV4 ? 4 : 16);
192 return;
193 case NFT_CT_PROTO_SRC:
194 nft_reg_store16(dest, (__force u16)tuple->src.u.all);
195 return;
196 case NFT_CT_PROTO_DST:
197 nft_reg_store16(dest, (__force u16)tuple->dst.u.all);
198 return;
199 default:
200 break;
201 }
202 return;
203 err:
204 regs->verdict.code = NFT_BREAK;
205 }
206
207 #ifdef CONFIG_NF_CONNTRACK_ZONES
208 static void nft_ct_set_zone_eval(const struct nft_expr *expr,
209 struct nft_regs *regs,
210 const struct nft_pktinfo *pkt)
211 {
212 struct nf_conntrack_zone zone = { .dir = NF_CT_DEFAULT_ZONE_DIR };
213 const struct nft_ct *priv = nft_expr_priv(expr);
214 struct sk_buff *skb = pkt->skb;
215 enum ip_conntrack_info ctinfo;
216 u16 value = nft_reg_load16(&regs->data[priv->sreg]);
217 struct nf_conn *ct;
218
219 ct = nf_ct_get(skb, &ctinfo);
220 if (ct) /* already tracked */
221 return;
222
223 zone.id = value;
224
225 switch (priv->dir) {
226 case IP_CT_DIR_ORIGINAL:
227 zone.dir = NF_CT_ZONE_DIR_ORIG;
228 break;
229 case IP_CT_DIR_REPLY:
230 zone.dir = NF_CT_ZONE_DIR_REPL;
231 break;
232 default:
233 break;
234 }
235
236 ct = this_cpu_read(nft_ct_pcpu_template);
237
238 if (likely(atomic_read(&ct->ct_general.use) == 1)) {
239 nf_ct_zone_add(ct, &zone);
240 } else {
241 /* previous skb got queued to userspace */
242 ct = nf_ct_tmpl_alloc(nft_net(pkt), &zone, GFP_ATOMIC);
243 if (!ct) {
244 regs->verdict.code = NF_DROP;
245 return;
246 }
247 }
248
249 atomic_inc(&ct->ct_general.use);
250 nf_ct_set(skb, ct, IP_CT_NEW);
251 }
252 #endif
253
254 static void nft_ct_set_eval(const struct nft_expr *expr,
255 struct nft_regs *regs,
256 const struct nft_pktinfo *pkt)
257 {
258 const struct nft_ct *priv = nft_expr_priv(expr);
259 struct sk_buff *skb = pkt->skb;
260 #ifdef CONFIG_NF_CONNTRACK_MARK
261 u32 value = regs->data[priv->sreg];
262 #endif
263 enum ip_conntrack_info ctinfo;
264 struct nf_conn *ct;
265
266 ct = nf_ct_get(skb, &ctinfo);
267 if (ct == NULL || nf_ct_is_template(ct))
268 return;
269
270 switch (priv->key) {
271 #ifdef CONFIG_NF_CONNTRACK_MARK
272 case NFT_CT_MARK:
273 if (ct->mark != value) {
274 ct->mark = value;
275 nf_conntrack_event_cache(IPCT_MARK, ct);
276 }
277 break;
278 #endif
279 #ifdef CONFIG_NF_CONNTRACK_LABELS
280 case NFT_CT_LABELS:
281 nf_connlabels_replace(ct,
282 &regs->data[priv->sreg],
283 &regs->data[priv->sreg],
284 NF_CT_LABELS_MAX_SIZE / sizeof(u32));
285 break;
286 #endif
287 #ifdef CONFIG_NF_CONNTRACK_EVENTS
288 case NFT_CT_EVENTMASK: {
289 struct nf_conntrack_ecache *e = nf_ct_ecache_find(ct);
290 u32 ctmask = regs->data[priv->sreg];
291
292 if (e) {
293 if (e->ctmask != ctmask)
294 e->ctmask = ctmask;
295 break;
296 }
297
298 if (ctmask && !nf_ct_is_confirmed(ct))
299 nf_ct_ecache_ext_add(ct, ctmask, 0, GFP_ATOMIC);
300 break;
301 }
302 #endif
303 default:
304 break;
305 }
306 }
307
308 static const struct nla_policy nft_ct_policy[NFTA_CT_MAX + 1] = {
309 [NFTA_CT_DREG] = { .type = NLA_U32 },
310 [NFTA_CT_KEY] = { .type = NLA_U32 },
311 [NFTA_CT_DIRECTION] = { .type = NLA_U8 },
312 [NFTA_CT_SREG] = { .type = NLA_U32 },
313 };
314
315 #ifdef CONFIG_NF_CONNTRACK_ZONES
316 static void nft_ct_tmpl_put_pcpu(void)
317 {
318 struct nf_conn *ct;
319 int cpu;
320
321 for_each_possible_cpu(cpu) {
322 ct = per_cpu(nft_ct_pcpu_template, cpu);
323 if (!ct)
324 break;
325 nf_ct_put(ct);
326 per_cpu(nft_ct_pcpu_template, cpu) = NULL;
327 }
328 }
329
330 static bool nft_ct_tmpl_alloc_pcpu(void)
331 {
332 struct nf_conntrack_zone zone = { .id = 0 };
333 struct nf_conn *tmp;
334 int cpu;
335
336 if (nft_ct_pcpu_template_refcnt)
337 return true;
338
339 for_each_possible_cpu(cpu) {
340 tmp = nf_ct_tmpl_alloc(&init_net, &zone, GFP_KERNEL);
341 if (!tmp) {
342 nft_ct_tmpl_put_pcpu();
343 return false;
344 }
345
346 atomic_set(&tmp->ct_general.use, 1);
347 per_cpu(nft_ct_pcpu_template, cpu) = tmp;
348 }
349
350 return true;
351 }
352 #endif
353
354 static int nft_ct_get_init(const struct nft_ctx *ctx,
355 const struct nft_expr *expr,
356 const struct nlattr * const tb[])
357 {
358 struct nft_ct *priv = nft_expr_priv(expr);
359 unsigned int len;
360 int err;
361
362 priv->key = ntohl(nla_get_be32(tb[NFTA_CT_KEY]));
363 priv->dir = IP_CT_DIR_MAX;
364 switch (priv->key) {
365 case NFT_CT_DIRECTION:
366 if (tb[NFTA_CT_DIRECTION] != NULL)
367 return -EINVAL;
368 len = sizeof(u8);
369 break;
370 case NFT_CT_STATE:
371 case NFT_CT_STATUS:
372 #ifdef CONFIG_NF_CONNTRACK_MARK
373 case NFT_CT_MARK:
374 #endif
375 #ifdef CONFIG_NF_CONNTRACK_SECMARK
376 case NFT_CT_SECMARK:
377 #endif
378 case NFT_CT_EXPIRATION:
379 if (tb[NFTA_CT_DIRECTION] != NULL)
380 return -EINVAL;
381 len = sizeof(u32);
382 break;
383 #ifdef CONFIG_NF_CONNTRACK_LABELS
384 case NFT_CT_LABELS:
385 if (tb[NFTA_CT_DIRECTION] != NULL)
386 return -EINVAL;
387 len = NF_CT_LABELS_MAX_SIZE;
388 break;
389 #endif
390 case NFT_CT_HELPER:
391 if (tb[NFTA_CT_DIRECTION] != NULL)
392 return -EINVAL;
393 len = NF_CT_HELPER_NAME_LEN;
394 break;
395
396 case NFT_CT_L3PROTOCOL:
397 case NFT_CT_PROTOCOL:
398 /* For compatibility, do not report error if NFTA_CT_DIRECTION
399 * attribute is specified.
400 */
401 len = sizeof(u8);
402 break;
403 case NFT_CT_SRC:
404 case NFT_CT_DST:
405 if (tb[NFTA_CT_DIRECTION] == NULL)
406 return -EINVAL;
407
408 switch (ctx->family) {
409 case NFPROTO_IPV4:
410 len = FIELD_SIZEOF(struct nf_conntrack_tuple,
411 src.u3.ip);
412 break;
413 case NFPROTO_IPV6:
414 case NFPROTO_INET:
415 len = FIELD_SIZEOF(struct nf_conntrack_tuple,
416 src.u3.ip6);
417 break;
418 default:
419 return -EAFNOSUPPORT;
420 }
421 break;
422 case NFT_CT_PROTO_SRC:
423 case NFT_CT_PROTO_DST:
424 if (tb[NFTA_CT_DIRECTION] == NULL)
425 return -EINVAL;
426 len = FIELD_SIZEOF(struct nf_conntrack_tuple, src.u.all);
427 break;
428 case NFT_CT_BYTES:
429 case NFT_CT_PKTS:
430 case NFT_CT_AVGPKT:
431 len = sizeof(u64);
432 break;
433 #ifdef CONFIG_NF_CONNTRACK_ZONES
434 case NFT_CT_ZONE:
435 len = sizeof(u16);
436 break;
437 #endif
438 default:
439 return -EOPNOTSUPP;
440 }
441
442 if (tb[NFTA_CT_DIRECTION] != NULL) {
443 priv->dir = nla_get_u8(tb[NFTA_CT_DIRECTION]);
444 switch (priv->dir) {
445 case IP_CT_DIR_ORIGINAL:
446 case IP_CT_DIR_REPLY:
447 break;
448 default:
449 return -EINVAL;
450 }
451 }
452
453 priv->dreg = nft_parse_register(tb[NFTA_CT_DREG]);
454 err = nft_validate_register_store(ctx, priv->dreg, NULL,
455 NFT_DATA_VALUE, len);
456 if (err < 0)
457 return err;
458
459 err = nf_ct_netns_get(ctx->net, ctx->family);
460 if (err < 0)
461 return err;
462
463 if (priv->key == NFT_CT_BYTES ||
464 priv->key == NFT_CT_PKTS ||
465 priv->key == NFT_CT_AVGPKT)
466 nf_ct_set_acct(ctx->net, true);
467
468 return 0;
469 }
470
471 static void __nft_ct_set_destroy(const struct nft_ctx *ctx, struct nft_ct *priv)
472 {
473 switch (priv->key) {
474 #ifdef CONFIG_NF_CONNTRACK_LABELS
475 case NFT_CT_LABELS:
476 nf_connlabels_put(ctx->net);
477 break;
478 #endif
479 #ifdef CONFIG_NF_CONNTRACK_ZONES
480 case NFT_CT_ZONE:
481 if (--nft_ct_pcpu_template_refcnt == 0)
482 nft_ct_tmpl_put_pcpu();
483 #endif
484 default:
485 break;
486 }
487 }
488
489 static int nft_ct_set_init(const struct nft_ctx *ctx,
490 const struct nft_expr *expr,
491 const struct nlattr * const tb[])
492 {
493 struct nft_ct *priv = nft_expr_priv(expr);
494 unsigned int len;
495 int err;
496
497 priv->dir = IP_CT_DIR_MAX;
498 priv->key = ntohl(nla_get_be32(tb[NFTA_CT_KEY]));
499 switch (priv->key) {
500 #ifdef CONFIG_NF_CONNTRACK_MARK
501 case NFT_CT_MARK:
502 if (tb[NFTA_CT_DIRECTION])
503 return -EINVAL;
504 len = FIELD_SIZEOF(struct nf_conn, mark);
505 break;
506 #endif
507 #ifdef CONFIG_NF_CONNTRACK_LABELS
508 case NFT_CT_LABELS:
509 if (tb[NFTA_CT_DIRECTION])
510 return -EINVAL;
511 len = NF_CT_LABELS_MAX_SIZE;
512 err = nf_connlabels_get(ctx->net, (len * BITS_PER_BYTE) - 1);
513 if (err)
514 return err;
515 break;
516 #endif
517 #ifdef CONFIG_NF_CONNTRACK_ZONES
518 case NFT_CT_ZONE:
519 if (!nft_ct_tmpl_alloc_pcpu())
520 return -ENOMEM;
521 nft_ct_pcpu_template_refcnt++;
522 len = sizeof(u16);
523 break;
524 #endif
525 #ifdef CONFIG_NF_CONNTRACK_EVENTS
526 case NFT_CT_EVENTMASK:
527 if (tb[NFTA_CT_DIRECTION])
528 return -EINVAL;
529 len = sizeof(u32);
530 break;
531 #endif
532 default:
533 return -EOPNOTSUPP;
534 }
535
536 if (tb[NFTA_CT_DIRECTION]) {
537 priv->dir = nla_get_u8(tb[NFTA_CT_DIRECTION]);
538 switch (priv->dir) {
539 case IP_CT_DIR_ORIGINAL:
540 case IP_CT_DIR_REPLY:
541 break;
542 default:
543 err = -EINVAL;
544 goto err1;
545 }
546 }
547
548 priv->sreg = nft_parse_register(tb[NFTA_CT_SREG]);
549 err = nft_validate_register_load(priv->sreg, len);
550 if (err < 0)
551 goto err1;
552
553 err = nf_ct_netns_get(ctx->net, ctx->family);
554 if (err < 0)
555 goto err1;
556
557 return 0;
558
559 err1:
560 __nft_ct_set_destroy(ctx, priv);
561 return err;
562 }
563
564 static void nft_ct_get_destroy(const struct nft_ctx *ctx,
565 const struct nft_expr *expr)
566 {
567 nf_ct_netns_put(ctx->net, ctx->family);
568 }
569
570 static void nft_ct_set_destroy(const struct nft_ctx *ctx,
571 const struct nft_expr *expr)
572 {
573 struct nft_ct *priv = nft_expr_priv(expr);
574
575 __nft_ct_set_destroy(ctx, priv);
576 nf_ct_netns_put(ctx->net, ctx->family);
577 }
578
579 static int nft_ct_get_dump(struct sk_buff *skb, const struct nft_expr *expr)
580 {
581 const struct nft_ct *priv = nft_expr_priv(expr);
582
583 if (nft_dump_register(skb, NFTA_CT_DREG, priv->dreg))
584 goto nla_put_failure;
585 if (nla_put_be32(skb, NFTA_CT_KEY, htonl(priv->key)))
586 goto nla_put_failure;
587
588 switch (priv->key) {
589 case NFT_CT_SRC:
590 case NFT_CT_DST:
591 case NFT_CT_PROTO_SRC:
592 case NFT_CT_PROTO_DST:
593 if (nla_put_u8(skb, NFTA_CT_DIRECTION, priv->dir))
594 goto nla_put_failure;
595 break;
596 case NFT_CT_BYTES:
597 case NFT_CT_PKTS:
598 case NFT_CT_AVGPKT:
599 case NFT_CT_ZONE:
600 if (priv->dir < IP_CT_DIR_MAX &&
601 nla_put_u8(skb, NFTA_CT_DIRECTION, priv->dir))
602 goto nla_put_failure;
603 break;
604 default:
605 break;
606 }
607
608 return 0;
609
610 nla_put_failure:
611 return -1;
612 }
613
614 static int nft_ct_set_dump(struct sk_buff *skb, const struct nft_expr *expr)
615 {
616 const struct nft_ct *priv = nft_expr_priv(expr);
617
618 if (nft_dump_register(skb, NFTA_CT_SREG, priv->sreg))
619 goto nla_put_failure;
620 if (nla_put_be32(skb, NFTA_CT_KEY, htonl(priv->key)))
621 goto nla_put_failure;
622
623 switch (priv->key) {
624 case NFT_CT_ZONE:
625 if (priv->dir < IP_CT_DIR_MAX &&
626 nla_put_u8(skb, NFTA_CT_DIRECTION, priv->dir))
627 goto nla_put_failure;
628 break;
629 default:
630 break;
631 }
632
633 return 0;
634
635 nla_put_failure:
636 return -1;
637 }
638
639 static struct nft_expr_type nft_ct_type;
640 static const struct nft_expr_ops nft_ct_get_ops = {
641 .type = &nft_ct_type,
642 .size = NFT_EXPR_SIZE(sizeof(struct nft_ct)),
643 .eval = nft_ct_get_eval,
644 .init = nft_ct_get_init,
645 .destroy = nft_ct_get_destroy,
646 .dump = nft_ct_get_dump,
647 };
648
649 static const struct nft_expr_ops nft_ct_set_ops = {
650 .type = &nft_ct_type,
651 .size = NFT_EXPR_SIZE(sizeof(struct nft_ct)),
652 .eval = nft_ct_set_eval,
653 .init = nft_ct_set_init,
654 .destroy = nft_ct_set_destroy,
655 .dump = nft_ct_set_dump,
656 };
657
658 #ifdef CONFIG_NF_CONNTRACK_ZONES
659 static const struct nft_expr_ops nft_ct_set_zone_ops = {
660 .type = &nft_ct_type,
661 .size = NFT_EXPR_SIZE(sizeof(struct nft_ct)),
662 .eval = nft_ct_set_zone_eval,
663 .init = nft_ct_set_init,
664 .destroy = nft_ct_set_destroy,
665 .dump = nft_ct_set_dump,
666 };
667 #endif
668
669 static const struct nft_expr_ops *
670 nft_ct_select_ops(const struct nft_ctx *ctx,
671 const struct nlattr * const tb[])
672 {
673 if (tb[NFTA_CT_KEY] == NULL)
674 return ERR_PTR(-EINVAL);
675
676 if (tb[NFTA_CT_DREG] && tb[NFTA_CT_SREG])
677 return ERR_PTR(-EINVAL);
678
679 if (tb[NFTA_CT_DREG])
680 return &nft_ct_get_ops;
681
682 if (tb[NFTA_CT_SREG]) {
683 #ifdef CONFIG_NF_CONNTRACK_ZONES
684 if (nla_get_be32(tb[NFTA_CT_KEY]) == htonl(NFT_CT_ZONE))
685 return &nft_ct_set_zone_ops;
686 #endif
687 return &nft_ct_set_ops;
688 }
689
690 return ERR_PTR(-EINVAL);
691 }
692
693 static struct nft_expr_type nft_ct_type __read_mostly = {
694 .name = "ct",
695 .select_ops = nft_ct_select_ops,
696 .policy = nft_ct_policy,
697 .maxattr = NFTA_CT_MAX,
698 .owner = THIS_MODULE,
699 };
700
701 static void nft_notrack_eval(const struct nft_expr *expr,
702 struct nft_regs *regs,
703 const struct nft_pktinfo *pkt)
704 {
705 struct sk_buff *skb = pkt->skb;
706 enum ip_conntrack_info ctinfo;
707 struct nf_conn *ct;
708
709 ct = nf_ct_get(pkt->skb, &ctinfo);
710 /* Previously seen (loopback or untracked)? Ignore. */
711 if (ct || ctinfo == IP_CT_UNTRACKED)
712 return;
713
714 nf_ct_set(skb, ct, IP_CT_UNTRACKED);
715 }
716
717 static struct nft_expr_type nft_notrack_type;
718 static const struct nft_expr_ops nft_notrack_ops = {
719 .type = &nft_notrack_type,
720 .size = NFT_EXPR_SIZE(0),
721 .eval = nft_notrack_eval,
722 };
723
724 static struct nft_expr_type nft_notrack_type __read_mostly = {
725 .name = "notrack",
726 .ops = &nft_notrack_ops,
727 .owner = THIS_MODULE,
728 };
729
730 static int nft_ct_helper_obj_init(const struct nft_ctx *ctx,
731 const struct nlattr * const tb[],
732 struct nft_object *obj)
733 {
734 struct nft_ct_helper_obj *priv = nft_obj_data(obj);
735 struct nf_conntrack_helper *help4, *help6;
736 char name[NF_CT_HELPER_NAME_LEN];
737 int family = ctx->family;
738
739 if (!tb[NFTA_CT_HELPER_NAME] || !tb[NFTA_CT_HELPER_L4PROTO])
740 return -EINVAL;
741
742 priv->l4proto = nla_get_u8(tb[NFTA_CT_HELPER_L4PROTO]);
743 if (!priv->l4proto)
744 return -ENOENT;
745
746 nla_strlcpy(name, tb[NFTA_CT_HELPER_NAME], sizeof(name));
747
748 if (tb[NFTA_CT_HELPER_L3PROTO])
749 family = ntohs(nla_get_be16(tb[NFTA_CT_HELPER_L3PROTO]));
750
751 help4 = NULL;
752 help6 = NULL;
753
754 switch (family) {
755 case NFPROTO_IPV4:
756 if (ctx->family == NFPROTO_IPV6)
757 return -EINVAL;
758
759 help4 = nf_conntrack_helper_try_module_get(name, family,
760 priv->l4proto);
761 break;
762 case NFPROTO_IPV6:
763 if (ctx->family == NFPROTO_IPV4)
764 return -EINVAL;
765
766 help6 = nf_conntrack_helper_try_module_get(name, family,
767 priv->l4proto);
768 break;
769 case NFPROTO_NETDEV: /* fallthrough */
770 case NFPROTO_BRIDGE: /* same */
771 case NFPROTO_INET:
772 help4 = nf_conntrack_helper_try_module_get(name, NFPROTO_IPV4,
773 priv->l4proto);
774 help6 = nf_conntrack_helper_try_module_get(name, NFPROTO_IPV6,
775 priv->l4proto);
776 break;
777 default:
778 return -EAFNOSUPPORT;
779 }
780
781 /* && is intentional; only error if INET found neither ipv4 or ipv6 */
782 if (!help4 && !help6)
783 return -ENOENT;
784
785 priv->helper4 = help4;
786 priv->helper6 = help6;
787
788 return 0;
789 }
790
791 static void nft_ct_helper_obj_destroy(struct nft_object *obj)
792 {
793 struct nft_ct_helper_obj *priv = nft_obj_data(obj);
794
795 if (priv->helper4)
796 nf_conntrack_helper_put(priv->helper4);
797 if (priv->helper6)
798 nf_conntrack_helper_put(priv->helper6);
799 }
800
801 static void nft_ct_helper_obj_eval(struct nft_object *obj,
802 struct nft_regs *regs,
803 const struct nft_pktinfo *pkt)
804 {
805 const struct nft_ct_helper_obj *priv = nft_obj_data(obj);
806 struct nf_conn *ct = (struct nf_conn *)skb_nfct(pkt->skb);
807 struct nf_conntrack_helper *to_assign = NULL;
808 struct nf_conn_help *help;
809
810 if (!ct ||
811 nf_ct_is_confirmed(ct) ||
812 nf_ct_is_template(ct) ||
813 priv->l4proto != nf_ct_protonum(ct))
814 return;
815
816 switch (nf_ct_l3num(ct)) {
817 case NFPROTO_IPV4:
818 to_assign = priv->helper4;
819 break;
820 case NFPROTO_IPV6:
821 to_assign = priv->helper6;
822 break;
823 default:
824 WARN_ON_ONCE(1);
825 return;
826 }
827
828 if (!to_assign)
829 return;
830
831 if (test_bit(IPS_HELPER_BIT, &ct->status))
832 return;
833
834 help = nf_ct_helper_ext_add(ct, to_assign, GFP_ATOMIC);
835 if (help) {
836 rcu_assign_pointer(help->helper, to_assign);
837 set_bit(IPS_HELPER_BIT, &ct->status);
838 }
839 }
840
841 static int nft_ct_helper_obj_dump(struct sk_buff *skb,
842 struct nft_object *obj, bool reset)
843 {
844 const struct nft_ct_helper_obj *priv = nft_obj_data(obj);
845 const struct nf_conntrack_helper *helper = priv->helper4;
846 u16 family;
847
848 if (nla_put_string(skb, NFTA_CT_HELPER_NAME, helper->name))
849 return -1;
850
851 if (nla_put_u8(skb, NFTA_CT_HELPER_L4PROTO, priv->l4proto))
852 return -1;
853
854 if (priv->helper4 && priv->helper6)
855 family = NFPROTO_INET;
856 else if (priv->helper6)
857 family = NFPROTO_IPV6;
858 else
859 family = NFPROTO_IPV4;
860
861 if (nla_put_be16(skb, NFTA_CT_HELPER_L3PROTO, htons(family)))
862 return -1;
863
864 return 0;
865 }
866
867 static const struct nla_policy nft_ct_helper_policy[NFTA_CT_HELPER_MAX + 1] = {
868 [NFTA_CT_HELPER_NAME] = { .type = NLA_STRING,
869 .len = NF_CT_HELPER_NAME_LEN - 1 },
870 [NFTA_CT_HELPER_L3PROTO] = { .type = NLA_U16 },
871 [NFTA_CT_HELPER_L4PROTO] = { .type = NLA_U8 },
872 };
873
874 static struct nft_object_type nft_ct_helper_obj_type;
875 static const struct nft_object_ops nft_ct_helper_obj_ops = {
876 .type = &nft_ct_helper_obj_type,
877 .size = sizeof(struct nft_ct_helper_obj),
878 .eval = nft_ct_helper_obj_eval,
879 .init = nft_ct_helper_obj_init,
880 .destroy = nft_ct_helper_obj_destroy,
881 .dump = nft_ct_helper_obj_dump,
882 };
883
884 static struct nft_object_type nft_ct_helper_obj_type __read_mostly = {
885 .type = NFT_OBJECT_CT_HELPER,
886 .ops = &nft_ct_helper_obj_ops,
887 .maxattr = NFTA_CT_HELPER_MAX,
888 .policy = nft_ct_helper_policy,
889 .owner = THIS_MODULE,
890 };
891
892 static int __init nft_ct_module_init(void)
893 {
894 int err;
895
896 BUILD_BUG_ON(NF_CT_LABELS_MAX_SIZE > NFT_REG_SIZE);
897
898 err = nft_register_expr(&nft_ct_type);
899 if (err < 0)
900 return err;
901
902 err = nft_register_expr(&nft_notrack_type);
903 if (err < 0)
904 goto err1;
905
906 err = nft_register_obj(&nft_ct_helper_obj_type);
907 if (err < 0)
908 goto err2;
909
910 return 0;
911
912 err2:
913 nft_unregister_expr(&nft_notrack_type);
914 err1:
915 nft_unregister_expr(&nft_ct_type);
916 return err;
917 }
918
919 static void __exit nft_ct_module_exit(void)
920 {
921 nft_unregister_obj(&nft_ct_helper_obj_type);
922 nft_unregister_expr(&nft_notrack_type);
923 nft_unregister_expr(&nft_ct_type);
924 }
925
926 module_init(nft_ct_module_init);
927 module_exit(nft_ct_module_exit);
928
929 MODULE_LICENSE("GPL");
930 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
931 MODULE_ALIAS_NFT_EXPR("ct");
932 MODULE_ALIAS_NFT_EXPR("notrack");
933 MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_CT_HELPER);
CRIS linux kernel tree