Doug / smarc-fsl-linux-kernel

Download as
Browse Code ยป

Commit 12f7a505331e6b2754684b509f2ac8f0011ce644

Authored by Pablo Neira Ayuso
1 parent ae243bee39
Exists in smarc-l5.0.0_1.0.0-ga and in 5 other branches imx_3.10.17_1.0.1_ga, imx_3.10.53_1.1.0_ga, imx_3.14.28_1.0.0_ga, smarc-imx_3.10.53_1.1.0_ga, smarc-imx_3.14.28_1.0.0_ga

netfilter: add user-space connection tracking helper infrastructure 

There are good reasons to supports helpers in user-space instead:

* Rapid connection tracking helper development, as developing code
  in user-space is usually faster.

* Reliability: A buggy helper does not crash the kernel. Moreover,
  we can monitor the helper process and restart it in case of problems.

* Security: Avoid complex string matching and mangling in kernel-space
  running in privileged mode. Going further, we can even think about
  running user-space helpers as a non-root process.

* Extensibility: It allows the development of very specific helpers (most
  likely non-standard proprietary protocols) that are very likely not to be
  accepted for mainline inclusion in the form of kernel-space connection
  tracking helpers.

This patch adds the infrastructure to allow the implementation of
user-space conntrack helpers by means of the new nfnetlink subsystem
`nfnetlink_cthelper' and the existing queueing infrastructure
(nfnetlink_queue).

I had to add the new hook NF_IP6_PRI_CONNTRACK_HELPER to register
ipv[4|6]_helper which results from splitting ipv[4|6]_confirm into
two pieces. This change is required not to break NAT sequence
adjustment and conntrack confirmation for traffic that is enqueued
to our user-space conntrack helpers.

Basic operation, in a few steps:

1) Register user-space helper by means of `nfct':

 nfct helper add ftp inet tcp

 [ It must be a valid existing helper supported by conntrack-tools ]

2) Add rules to enable the FTP user-space helper which is
   used to track traffic going to TCP port 21.

For locally generated packets:

 iptables -I OUTPUT -t raw -p tcp --dport 21 -j CT --helper ftp

For non-locally generated packets:

 iptables -I PREROUTING -t raw -p tcp --dport 21 -j CT --helper ftp

3) Run the test conntrackd in helper mode (see example files under
   doc/helper/conntrackd.conf

 conntrackd

4) Generate FTP traffic going, if everything is OK, then conntrackd
   should create expectations (you can check that with `conntrack':

 conntrack -E expect

    [NEW] 301 proto=6 src=192.168.1.136 dst=130.89.148.12 sport=0 dport=54037 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.1.136 master-dst=130.89.148.12 sport=57127 dport=21 class=0 helper=ftp
[DESTROY] 301 proto=6 src=192.168.1.136 dst=130.89.148.12 sport=0 dport=54037 mask-src=255.255.255.255 mask-dst=255.255.255.255 sport=0 dport=65535 master-src=192.168.1.136 master-dst=130.89.148.12 sport=57127 dport=21 class=0 helper=ftp

This confirms that our test helper is receiving packets including the
conntrack information, and adding expectations in kernel-space.

The user-space helper can also store its private tracking information
in the conntrack structure in the kernel via the CTA_HELP_INFO. The
kernel will consider this a binary blob whose layout is unknown. This
information will be included in the information that is transfered
to user-space via glue code that integrates nfnetlink_queue and
ctnetlink.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Showing 12 changed files with 839 additions and 26 deletions Side-by-side Diff

include/linux/netfilter/Kbuild
Diff comments   View file @ 12f7a50
... ... @@ -10,6 +10,7 @@
10 10 header-y += nfnetlink_acct.h
11 11 header-y += nfnetlink_compat.h
12 12 header-y += nfnetlink_conntrack.h
  13 +header-y += nfnetlink_cthelper.h
13 14 header-y += nfnetlink_cttimeout.h
14 15 header-y += nfnetlink_log.h
15 16 header-y += nfnetlink_queue.h
include/linux/netfilter/nfnetlink.h
Diff comments   View file @ 12f7a50
... ... @@ -50,7 +50,8 @@
50 50 #define NFNL_SUBSYS_IPSET 6
51 51 #define NFNL_SUBSYS_ACCT 7
52 52 #define NFNL_SUBSYS_CTNETLINK_TIMEOUT 8
53   -#define NFNL_SUBSYS_COUNT 9
  53 +#define NFNL_SUBSYS_CTHELPER 9
  54 +#define NFNL_SUBSYS_COUNT 10
54 55  
55 56 #ifdef __KERNEL__
56 57  
include/linux/netfilter/nfnetlink_cthelper.h
Diff comments   View file @ 12f7a50
  1 +#ifndef _NFNL_CTHELPER_H_
  2 +#define _NFNL_CTHELPER_H_
  3 +
  4 +#define NFCT_HELPER_STATUS_DISABLED 0
  5 +#define NFCT_HELPER_STATUS_ENABLED 1
  6 +
  7 +enum nfnl_acct_msg_types {
  8 + NFNL_MSG_CTHELPER_NEW,
  9 + NFNL_MSG_CTHELPER_GET,
  10 + NFNL_MSG_CTHELPER_DEL,
  11 + NFNL_MSG_CTHELPER_MAX
  12 +};
  13 +
  14 +enum nfnl_cthelper_type {
  15 + NFCTH_UNSPEC,
  16 + NFCTH_NAME,
  17 + NFCTH_TUPLE,
  18 + NFCTH_QUEUE_NUM,
  19 + NFCTH_POLICY,
  20 + NFCTH_PRIV_DATA_LEN,
  21 + NFCTH_STATUS,
  22 + __NFCTH_MAX
  23 +};
  24 +#define NFCTH_MAX (__NFCTH_MAX - 1)
  25 +
  26 +enum nfnl_cthelper_policy_type {
  27 + NFCTH_POLICY_SET_UNSPEC,
  28 + NFCTH_POLICY_SET_NUM,
  29 + NFCTH_POLICY_SET,
  30 + NFCTH_POLICY_SET1 = NFCTH_POLICY_SET,
  31 + NFCTH_POLICY_SET2,
  32 + NFCTH_POLICY_SET3,
  33 + NFCTH_POLICY_SET4,
  34 + __NFCTH_POLICY_SET_MAX
  35 +};
  36 +#define NFCTH_POLICY_SET_MAX (__NFCTH_POLICY_SET_MAX - 1)
  37 +
  38 +enum nfnl_cthelper_pol_type {
  39 + NFCTH_POLICY_UNSPEC,
  40 + NFCTH_POLICY_NAME,
  41 + NFCTH_POLICY_EXPECT_MAX,
  42 + NFCTH_POLICY_EXPECT_TIMEOUT,
  43 + __NFCTH_POLICY_MAX
  44 +};
  45 +#define NFCTH_POLICY_MAX (__NFCTH_POLICY_MAX - 1)
  46 +
  47 +enum nfnl_cthelper_tuple_type {
  48 + NFCTH_TUPLE_UNSPEC,
  49 + NFCTH_TUPLE_L3PROTONUM,
  50 + NFCTH_TUPLE_L4PROTONUM,
  51 + __NFCTH_TUPLE_MAX,
  52 +};
  53 +#define NFCTH_TUPLE_MAX (__NFCTH_TUPLE_MAX - 1)
  54 +
  55 +#endif /* _NFNL_CTHELPER_H */
include/linux/netfilter_ipv4.h
Diff comments   View file @ 12f7a50
... ... @@ -66,6 +66,7 @@
66 66 NF_IP_PRI_SECURITY = 50,
67 67 NF_IP_PRI_NAT_SRC = 100,
68 68 NF_IP_PRI_SELINUX_LAST = 225,
  69 + NF_IP_PRI_CONNTRACK_HELPER = 300,
69 70 NF_IP_PRI_CONNTRACK_CONFIRM = INT_MAX,
70 71 NF_IP_PRI_LAST = INT_MAX,
71 72 };
include/linux/netfilter_ipv6.h
Diff comments   View file @ 12f7a50
... ... @@ -71,6 +71,7 @@
71 71 NF_IP6_PRI_SECURITY = 50,
72 72 NF_IP6_PRI_NAT_SRC = 100,
73 73 NF_IP6_PRI_SELINUX_LAST = 225,
  74 + NF_IP6_PRI_CONNTRACK_HELPER = 300,
74 75 NF_IP6_PRI_LAST = INT_MAX,
75 76 };
76 77  
include/net/netfilter/nf_conntrack_helper.h
Diff comments   View file @ 12f7a50
... ... @@ -15,6 +15,11 @@
15 15  
16 16 struct module;
17 17  
  18 +enum nf_ct_helper_flags {
  19 + NF_CT_HELPER_F_USERSPACE = (1 << 0),
  20 + NF_CT_HELPER_F_CONFIGURED = (1 << 1),
  21 +};
  22 +
18 23 #define NF_CT_HELPER_NAME_LEN 16
19 24  
20 25 struct nf_conntrack_helper {
... ... @@ -42,6 +47,9 @@
42 47 int (*from_nlattr)(struct nlattr *attr, struct nf_conn *ct);
43 48 int (*to_nlattr)(struct sk_buff *skb, const struct nf_conn *ct);
44 49 unsigned int expect_class_max;
  50 +
  51 + unsigned int flags;
  52 + unsigned int queue_num; /* For user-space helpers. */
45 53 };
46 54  
47 55 extern struct nf_conntrack_helper *
... ... @@ -95,6 +103,9 @@
95 103 nf_ct_helper_expectfn_find_by_name(const char *name);
96 104 struct nf_ct_helper_expectfn *
97 105 nf_ct_helper_expectfn_find_by_symbol(const void *symbol);
  106 +
  107 +extern struct hlist_head *nf_ct_helper_hash;
  108 +extern unsigned int nf_ct_helper_hsize;
98 109  
99 110 #endif /*_NF_CONNTRACK_HELPER_H*/
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
Diff comments   View file @ 12f7a50
... ... @@ -95,11 +95,11 @@
95 95 return NF_ACCEPT;
96 96 }
97 97  
98   -static unsigned int ipv4_confirm(unsigned int hooknum,
99   - struct sk_buff *skb,
100   - const struct net_device *in,
101   - const struct net_device *out,
102   - int (*okfn)(struct sk_buff *))
  98 +static unsigned int ipv4_helper(unsigned int hooknum,
  99 + struct sk_buff *skb,
  100 + const struct net_device *in,
  101 + const struct net_device *out,
  102 + int (*okfn)(struct sk_buff *))
103 103 {
104 104 struct nf_conn *ct;
105 105 enum ip_conntrack_info ctinfo;
106 106  
107 107  
108 108  
109 109  
110 110  
111 111  
... ... @@ -110,25 +110,39 @@
110 110 /* This is where we call the helper: as the packet goes out. */
111 111 ct = nf_ct_get(skb, &ctinfo);
112 112 if (!ct || ctinfo == IP_CT_RELATED_REPLY)
113   - goto out;
  113 + return NF_ACCEPT;
114 114  
115 115 help = nfct_help(ct);
116 116 if (!help)
117   - goto out;
  117 + return NF_ACCEPT;
118 118  
119 119 /* rcu_read_lock()ed by nf_hook_slow */
120 120 helper = rcu_dereference(help->helper);
121 121 if (!helper)
122   - goto out;
  122 + return NF_ACCEPT;
123 123  
124 124 ret = helper->help(skb, skb_network_offset(skb) + ip_hdrlen(skb),
125 125 ct, ctinfo);
126   - if (ret != NF_ACCEPT) {
  126 + if (ret != NF_ACCEPT && (ret & NF_VERDICT_MASK) != NF_QUEUE) {
127 127 nf_log_packet(NFPROTO_IPV4, hooknum, skb, in, out, NULL,
128 128 "nf_ct_%s: dropping packet", helper->name);
129   - return ret;
130 129 }
  130 + return ret;
  131 +}
131 132  
  133 +static unsigned int ipv4_confirm(unsigned int hooknum,
  134 + struct sk_buff *skb,
  135 + const struct net_device *in,
  136 + const struct net_device *out,
  137 + int (*okfn)(struct sk_buff *))
  138 +{
  139 + struct nf_conn *ct;
  140 + enum ip_conntrack_info ctinfo;
  141 +
  142 + ct = nf_ct_get(skb, &ctinfo);
  143 + if (!ct || ctinfo == IP_CT_RELATED_REPLY)
  144 + goto out;
  145 +
132 146 /* adjust seqs for loopback traffic only in outgoing direction */
133 147 if (test_bit(IPS_SEQ_ADJUST_BIT, &ct->status) &&
134 148 !nf_is_loopback_packet(skb)) {
135 149  
... ... @@ -185,11 +199,25 @@
185 199 .priority = NF_IP_PRI_CONNTRACK,
186 200 },
187 201 {
  202 + .hook = ipv4_helper,
  203 + .owner = THIS_MODULE,
  204 + .pf = NFPROTO_IPV4,
  205 + .hooknum = NF_INET_POST_ROUTING,
  206 + .priority = NF_IP_PRI_CONNTRACK_HELPER,
  207 + },
  208 + {
188 209 .hook = ipv4_confirm,
189 210 .owner = THIS_MODULE,
190 211 .pf = NFPROTO_IPV4,
191 212 .hooknum = NF_INET_POST_ROUTING,
192 213 .priority = NF_IP_PRI_CONNTRACK_CONFIRM,
  214 + },
  215 + {
  216 + .hook = ipv4_helper,
  217 + .owner = THIS_MODULE,
  218 + .pf = NFPROTO_IPV4,
  219 + .hooknum = NF_INET_LOCAL_IN,
  220 + .priority = NF_IP_PRI_CONNTRACK_HELPER,
193 221 },
194 222 {
195 223 .hook = ipv4_confirm,
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
Diff comments   View file @ 12f7a50
... ... @@ -143,11 +143,11 @@
143 143 return NF_ACCEPT;
144 144 }
145 145  
146   -static unsigned int ipv6_confirm(unsigned int hooknum,
147   - struct sk_buff *skb,
148   - const struct net_device *in,
149   - const struct net_device *out,
150   - int (*okfn)(struct sk_buff *))
  146 +static unsigned int ipv6_helper(unsigned int hooknum,
  147 + struct sk_buff *skb,
  148 + const struct net_device *in,
  149 + const struct net_device *out,
  150 + int (*okfn)(struct sk_buff *))
151 151 {
152 152 struct nf_conn *ct;
153 153 const struct nf_conn_help *help;
154 154  
155 155  
... ... @@ -161,15 +161,15 @@
161 161 /* This is where we call the helper: as the packet goes out. */
162 162 ct = nf_ct_get(skb, &ctinfo);
163 163 if (!ct || ctinfo == IP_CT_RELATED_REPLY)
164   - goto out;
  164 + return NF_ACCEPT;
165 165  
166 166 help = nfct_help(ct);
167 167 if (!help)
168   - goto out;
  168 + return NF_ACCEPT;
169 169 /* rcu_read_lock()ed by nf_hook_slow */
170 170 helper = rcu_dereference(help->helper);
171 171 if (!helper)
172   - goto out;
  172 + return NF_ACCEPT;
173 173  
174 174 protoff = nf_ct_ipv6_skip_exthdr(skb, extoff, &pnum,
175 175 skb->len - extoff);
176 176  
177 177  
... ... @@ -179,12 +179,19 @@
179 179 }
180 180  
181 181 ret = helper->help(skb, protoff, ct, ctinfo);
182   - if (ret != NF_ACCEPT) {
  182 + if (ret != NF_ACCEPT && (ret & NF_VERDICT_MASK) != NF_QUEUE) {
183 183 nf_log_packet(NFPROTO_IPV6, hooknum, skb, in, out, NULL,
184 184 "nf_ct_%s: dropping packet", helper->name);
185   - return ret;
186 185 }
187   -out:
  186 + return ret;
  187 +}
  188 +
  189 +static unsigned int ipv6_confirm(unsigned int hooknum,
  190 + struct sk_buff *skb,
  191 + const struct net_device *in,
  192 + const struct net_device *out,
  193 + int (*okfn)(struct sk_buff *))
  194 +{
188 195 /* We've seen it coming out the other side: confirm it */
189 196 return nf_conntrack_confirm(skb);
190 197 }
191 198  
... ... @@ -254,11 +261,25 @@
254 261 .priority = NF_IP6_PRI_CONNTRACK,
255 262 },
256 263 {
  264 + .hook = ipv6_helper,
  265 + .owner = THIS_MODULE,
  266 + .pf = NFPROTO_IPV6,
  267 + .hooknum = NF_INET_POST_ROUTING,
  268 + .priority = NF_IP6_PRI_CONNTRACK_HELPER,
  269 + },
  270 + {
257 271 .hook = ipv6_confirm,
258 272 .owner = THIS_MODULE,
259 273 .pf = NFPROTO_IPV6,
260 274 .hooknum = NF_INET_POST_ROUTING,
261 275 .priority = NF_IP6_PRI_LAST,
  276 + },
  277 + {
  278 + .hook = ipv6_helper,
  279 + .owner = THIS_MODULE,
  280 + .pf = NFPROTO_IPV6,
  281 + .hooknum = NF_INET_LOCAL_IN,
  282 + .priority = NF_IP6_PRI_CONNTRACK_HELPER,
262 283 },
263 284 {
264 285 .hook = ipv6_confirm,
net/netfilter/Kconfig
Diff comments   View file @ 12f7a50
... ... @@ -12,6 +12,14 @@
12 12 If this option is enabled, the kernel will include support
13 13 for extended accounting via NFNETLINK.
14 14  
  15 +config NETFILTER_NETLINK_CTHELPER
  16 +tristate "Netfilter CTHELPER over NFNETLINK interface"
  17 + depends on NETFILTER_ADVANCED
  18 + select NETFILTER_NETLINK
  19 + help
  20 + If this option is enabled, the kernel will include support
  21 + for user-space connection tracking helpers via NFNETLINK.
  22 +
15 23 config NETFILTER_NETLINK_QUEUE
16 24 tristate "Netfilter NFQUEUE over NFNETLINK interface"
17 25 depends on NETFILTER_ADVANCED
net/netfilter/Makefile
Diff comments   View file @ 12f7a50
... ... @@ -9,6 +9,7 @@
9 9  
10 10 obj-$(CONFIG_NETFILTER_NETLINK) += nfnetlink.o
11 11 obj-$(CONFIG_NETFILTER_NETLINK_ACCT) += nfnetlink_acct.o
  12 +obj-$(CONFIG_NETFILTER_NETLINK_CTHELPER) += nfnetlink_cthelper.o
12 13 obj-$(CONFIG_NETFILTER_NETLINK_QUEUE) += nfnetlink_queue.o
13 14 obj-$(CONFIG_NETFILTER_NETLINK_LOG) += nfnetlink_log.o
14 15  
net/netfilter/nf_conntrack_helper.c
Diff comments   View file @ 12f7a50
... ... @@ -30,8 +30,10 @@
30 30 #include <net/netfilter/nf_conntrack_extend.h>
31 31  
32 32 static DEFINE_MUTEX(nf_ct_helper_mutex);
33   -static struct hlist_head *nf_ct_helper_hash __read_mostly;
34   -static unsigned int nf_ct_helper_hsize __read_mostly;
  33 +struct hlist_head *nf_ct_helper_hash __read_mostly;
  34 +EXPORT_SYMBOL_GPL(nf_ct_helper_hash);
  35 +unsigned int nf_ct_helper_hsize __read_mostly;
  36 +EXPORT_SYMBOL_GPL(nf_ct_helper_hsize);
35 37 static unsigned int nf_ct_helper_count __read_mostly;
36 38  
37 39 static bool nf_ct_auto_assign_helper __read_mostly = true;
... ... @@ -322,6 +324,9 @@
322 324  
323 325 int nf_conntrack_helper_register(struct nf_conntrack_helper *me)
324 326 {
  327 + int ret = 0;
  328 + struct nf_conntrack_helper *cur;
  329 + struct hlist_node *n;
325 330 unsigned int h = helper_hash(&me->tuple);
326 331  
327 332 BUG_ON(me->expect_policy == NULL);
328 333  
329 334  
... ... @@ -329,11 +334,19 @@
329 334 BUG_ON(strlen(me->name) > NF_CT_HELPER_NAME_LEN - 1);
330 335  
331 336 mutex_lock(&nf_ct_helper_mutex);
  337 + hlist_for_each_entry(cur, n, &nf_ct_helper_hash[h], hnode) {
  338 + if (strncmp(cur->name, me->name, NF_CT_HELPER_NAME_LEN) == 0 &&
  339 + cur->tuple.src.l3num == me->tuple.src.l3num &&
  340 + cur->tuple.dst.protonum == me->tuple.dst.protonum) {
  341 + ret = -EEXIST;
  342 + goto out;
  343 + }
  344 + }
332 345 hlist_add_head_rcu(&me->hnode, &nf_ct_helper_hash[h]);
333 346 nf_ct_helper_count++;
  347 +out:
334 348 mutex_unlock(&nf_ct_helper_mutex);
335   -
336   - return 0;
  349 + return ret;
337 350 }
338 351 EXPORT_SYMBOL_GPL(nf_conntrack_helper_register);
339 352  
net/netfilter/nfnetlink_cthelper.c
Diff comments   View file @ 12f7a50
  1 +/*
  2 + * (C) 2012 Pablo Neira Ayuso <pablo@netfilter.org>
  3 + *
  4 + * This program is free software; you can redistribute it and/or modify
  5 + * it under the terms of the GNU General Public License version 2 as
  6 + * published by the Free Software Foundation (or any later at your option).
  7 + *
  8 + * This software has been sponsored by Vyatta Inc. <http://www.vyatta.com>
  9 + */
  10 +#include <linux/init.h>
  11 +#include <linux/module.h>
  12 +#include <linux/kernel.h>
  13 +#include <linux/skbuff.h>
  14 +#include <linux/netlink.h>
  15 +#include <linux/rculist.h>
  16 +#include <linux/slab.h>
  17 +#include <linux/types.h>
  18 +#include <linux/list.h>
  19 +#include <linux/errno.h>
  20 +#include <net/netlink.h>
  21 +#include <net/sock.h>
  22 +
  23 +#include <net/netfilter/nf_conntrack_helper.h>
  24 +#include <net/netfilter/nf_conntrack_expect.h>
  25 +#include <net/netfilter/nf_conntrack_ecache.h>
  26 +
  27 +#include <linux/netfilter/nfnetlink.h>
  28 +#include <linux/netfilter/nfnetlink_conntrack.h>
  29 +#include <linux/netfilter/nfnetlink_cthelper.h>
  30 +
  31 +MODULE_LICENSE("GPL");
  32 +MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
  33 +MODULE_DESCRIPTION("nfnl_cthelper: User-space connection tracking helpers");
  34 +
  35 +static int
  36 +nfnl_userspace_cthelper(struct sk_buff *skb, unsigned int protoff,
  37 + struct nf_conn *ct, enum ip_conntrack_info ctinfo)
  38 +{
  39 + const struct nf_conn_help *help;
  40 + struct nf_conntrack_helper *helper;
  41 +
  42 + help = nfct_help(ct);
  43 + if (help == NULL)
  44 + return NF_DROP;
  45 +
  46 + /* rcu_read_lock()ed by nf_hook_slow */
  47 + helper = rcu_dereference(help->helper);
  48 + if (helper == NULL)
  49 + return NF_DROP;
  50 +
  51 + /* This is an user-space helper not yet configured, skip. */
  52 + if ((helper->flags &
  53 + (NF_CT_HELPER_F_USERSPACE | NF_CT_HELPER_F_CONFIGURED)) ==
  54 + NF_CT_HELPER_F_USERSPACE)
  55 + return NF_ACCEPT;
  56 +
  57 + /* If the user-space helper is not available, don't block traffic. */
  58 + return NF_QUEUE_NR(helper->queue_num) | NF_VERDICT_FLAG_QUEUE_BYPASS;
  59 +}
  60 +
  61 +static const struct nla_policy nfnl_cthelper_tuple_pol[NFCTH_TUPLE_MAX+1] = {
  62 + [NFCTH_TUPLE_L3PROTONUM] = { .type = NLA_U16, },
  63 + [NFCTH_TUPLE_L4PROTONUM] = { .type = NLA_U8, },
  64 +};
  65 +
  66 +static int
  67 +nfnl_cthelper_parse_tuple(struct nf_conntrack_tuple *tuple,
  68 + const struct nlattr *attr)
  69 +{
  70 + struct nlattr *tb[NFCTH_TUPLE_MAX+1];
  71 +
  72 + nla_parse_nested(tb, NFCTH_TUPLE_MAX, attr, nfnl_cthelper_tuple_pol);
  73 +
  74 + if (!tb[NFCTH_TUPLE_L3PROTONUM] || !tb[NFCTH_TUPLE_L4PROTONUM])
  75 + return -EINVAL;
  76 +
  77 + tuple->src.l3num = ntohs(nla_get_u16(tb[NFCTH_TUPLE_L3PROTONUM]));
  78 + tuple->dst.protonum = nla_get_u8(tb[NFCTH_TUPLE_L4PROTONUM]);
  79 +
  80 + return 0;
  81 +}
  82 +
  83 +static int
  84 +nfnl_cthelper_from_nlattr(struct nlattr *attr, struct nf_conn *ct)
  85 +{
  86 + const struct nf_conn_help *help = nfct_help(ct);
  87 +
  88 + if (help->helper->data_len == 0)
  89 + return -EINVAL;
  90 +
  91 + memcpy(&help->data, nla_data(attr), help->helper->data_len);
  92 + return 0;
  93 +}
  94 +
  95 +static int
  96 +nfnl_cthelper_to_nlattr(struct sk_buff *skb, const struct nf_conn *ct)
  97 +{
  98 + const struct nf_conn_help *help = nfct_help(ct);
  99 +
  100 + if (help->helper->data_len &&
  101 + nla_put(skb, CTA_HELP_INFO, help->helper->data_len, &help->data))
  102 + goto nla_put_failure;
  103 +
  104 + return 0;
  105 +
  106 +nla_put_failure:
  107 + return -ENOSPC;
  108 +}
  109 +
  110 +static const struct nla_policy nfnl_cthelper_expect_pol[NFCTH_POLICY_MAX+1] = {
  111 + [NFCTH_POLICY_NAME] = { .type = NLA_NUL_STRING,
  112 + .len = NF_CT_HELPER_NAME_LEN-1 },
  113 + [NFCTH_POLICY_EXPECT_MAX] = { .type = NLA_U32, },
  114 + [NFCTH_POLICY_EXPECT_TIMEOUT] = { .type = NLA_U32, },
  115 +};
  116 +
  117 +static int
  118 +nfnl_cthelper_expect_policy(struct nf_conntrack_expect_policy *expect_policy,
  119 + const struct nlattr *attr)
  120 +{
  121 + struct nlattr *tb[NFCTH_POLICY_MAX+1];
  122 +
  123 + nla_parse_nested(tb, NFCTH_POLICY_MAX, attr, nfnl_cthelper_expect_pol);
  124 +
  125 + if (!tb[NFCTH_POLICY_NAME] ||
  126 + !tb[NFCTH_POLICY_EXPECT_MAX] ||
  127 + !tb[NFCTH_POLICY_EXPECT_TIMEOUT])
  128 + return -EINVAL;
  129 +
  130 + strncpy(expect_policy->name,
  131 + nla_data(tb[NFCTH_POLICY_NAME]), NF_CT_HELPER_NAME_LEN);
  132 + expect_policy->max_expected =
  133 + ntohl(nla_get_be32(tb[NFCTH_POLICY_EXPECT_MAX]));
  134 + expect_policy->timeout =
  135 + ntohl(nla_get_be32(tb[NFCTH_POLICY_EXPECT_TIMEOUT]));
  136 +
  137 + return 0;
  138 +}
  139 +
  140 +static const struct nla_policy
  141 +nfnl_cthelper_expect_policy_set[NFCTH_POLICY_SET_MAX+1] = {
  142 + [NFCTH_POLICY_SET_NUM] = { .type = NLA_U32, },
  143 +};
  144 +
  145 +static int
  146 +nfnl_cthelper_parse_expect_policy(struct nf_conntrack_helper *helper,
  147 + const struct nlattr *attr)
  148 +{
  149 + int i, ret;
  150 + struct nf_conntrack_expect_policy *expect_policy;
  151 + struct nlattr *tb[NFCTH_POLICY_SET_MAX+1];
  152 +
  153 + nla_parse_nested(tb, NFCTH_POLICY_SET_MAX, attr,
  154 + nfnl_cthelper_expect_policy_set);
  155 +
  156 + if (!tb[NFCTH_POLICY_SET_NUM])
  157 + return -EINVAL;
  158 +
  159 + helper->expect_class_max =
  160 + ntohl(nla_get_be32(tb[NFCTH_POLICY_SET_NUM]));
  161 +
  162 + if (helper->expect_class_max != 0 &&
  163 + helper->expect_class_max > NF_CT_MAX_EXPECT_CLASSES)
  164 + return -EOVERFLOW;
  165 +
  166 + expect_policy = kzalloc(sizeof(struct nf_conntrack_expect_policy) *
  167 + helper->expect_class_max, GFP_KERNEL);
  168 + if (expect_policy == NULL)
  169 + return -ENOMEM;
  170 +
  171 + for (i=0; i<helper->expect_class_max; i++) {
  172 + if (!tb[NFCTH_POLICY_SET+i])
  173 + goto err;
  174 +
  175 + ret = nfnl_cthelper_expect_policy(&expect_policy[i],
  176 + tb[NFCTH_POLICY_SET+i]);
  177 + if (ret < 0)
  178 + goto err;
  179 + }
  180 + helper->expect_policy = expect_policy;
  181 + return 0;
  182 +err:
  183 + kfree(expect_policy);
  184 + return -EINVAL;
  185 +}
  186 +
  187 +static int
  188 +nfnl_cthelper_create(const struct nlattr * const tb[],
  189 + struct nf_conntrack_tuple *tuple)
  190 +{
  191 + struct nf_conntrack_helper *helper;
  192 + int ret;
  193 +
  194 + if (!tb[NFCTH_TUPLE] || !tb[NFCTH_POLICY] || !tb[NFCTH_PRIV_DATA_LEN])
  195 + return -EINVAL;
  196 +
  197 + helper = kzalloc(sizeof(struct nf_conntrack_helper), GFP_KERNEL);
  198 + if (helper == NULL)
  199 + return -ENOMEM;
  200 +
  201 + ret = nfnl_cthelper_parse_expect_policy(helper, tb[NFCTH_POLICY]);
  202 + if (ret < 0)
  203 + goto err;
  204 +
  205 + strncpy(helper->name, nla_data(tb[NFCTH_NAME]), NF_CT_HELPER_NAME_LEN);
  206 + helper->data_len = ntohl(nla_get_be32(tb[NFCTH_PRIV_DATA_LEN]));
  207 + helper->flags |= NF_CT_HELPER_F_USERSPACE;
  208 + memcpy(&helper->tuple, tuple, sizeof(struct nf_conntrack_tuple));
  209 +
  210 + helper->me = THIS_MODULE;
  211 + helper->help = nfnl_userspace_cthelper;
  212 + helper->from_nlattr = nfnl_cthelper_from_nlattr;
  213 + helper->to_nlattr = nfnl_cthelper_to_nlattr;
  214 +
  215 + /* Default to queue number zero, this can be updated at any time. */
  216 + if (tb[NFCTH_QUEUE_NUM])
  217 + helper->queue_num = ntohl(nla_get_be32(tb[NFCTH_QUEUE_NUM]));
  218 +
  219 + if (tb[NFCTH_STATUS]) {
  220 + int status = ntohl(nla_get_be32(tb[NFCTH_STATUS]));
  221 +
  222 + switch(status) {
  223 + case NFCT_HELPER_STATUS_ENABLED:
  224 + helper->flags |= NF_CT_HELPER_F_CONFIGURED;
  225 + break;
  226 + case NFCT_HELPER_STATUS_DISABLED:
  227 + helper->flags &= ~NF_CT_HELPER_F_CONFIGURED;
  228 + break;
  229 + }
  230 + }
  231 +
  232 + ret = nf_conntrack_helper_register(helper);
  233 + if (ret < 0)
  234 + goto err;
  235 +
  236 + return 0;
  237 +err:
  238 + kfree(helper);
  239 + return ret;
  240 +}
  241 +
  242 +static int
  243 +nfnl_cthelper_update(const struct nlattr * const tb[],
  244 + struct nf_conntrack_helper *helper)
  245 +{
  246 + int ret;
  247 +
  248 + if (tb[NFCTH_PRIV_DATA_LEN])
  249 + return -EBUSY;
  250 +
  251 + if (tb[NFCTH_POLICY]) {
  252 + ret = nfnl_cthelper_parse_expect_policy(helper,
  253 + tb[NFCTH_POLICY]);
  254 + if (ret < 0)
  255 + return ret;
  256 + }
  257 + if (tb[NFCTH_QUEUE_NUM])
  258 + helper->queue_num = ntohl(nla_get_be32(tb[NFCTH_QUEUE_NUM]));
  259 +
  260 + if (tb[NFCTH_STATUS]) {
  261 + int status = ntohl(nla_get_be32(tb[NFCTH_STATUS]));
  262 +
  263 + switch(status) {
  264 + case NFCT_HELPER_STATUS_ENABLED:
  265 + helper->flags |= NF_CT_HELPER_F_CONFIGURED;
  266 + break;
  267 + case NFCT_HELPER_STATUS_DISABLED:
  268 + helper->flags &= ~NF_CT_HELPER_F_CONFIGURED;
  269 + break;
  270 + }
  271 + }
  272 + return 0;
  273 +}
  274 +
  275 +static int
  276 +nfnl_cthelper_new(struct sock *nfnl, struct sk_buff *skb,
  277 + const struct nlmsghdr *nlh, const struct nlattr * const tb[])
  278 +{
  279 + const char *helper_name;
  280 + struct nf_conntrack_helper *cur, *helper = NULL;
  281 + struct nf_conntrack_tuple tuple;
  282 + struct hlist_node *n;
  283 + int ret = 0, i;
  284 +
  285 + if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE])
  286 + return -EINVAL;
  287 +
  288 + helper_name = nla_data(tb[NFCTH_NAME]);
  289 +
  290 + ret = nfnl_cthelper_parse_tuple(&tuple, tb[NFCTH_TUPLE]);
  291 + if (ret < 0)
  292 + return ret;
  293 +
  294 + rcu_read_lock();
  295 + for (i = 0; i < nf_ct_helper_hsize && !helper; i++) {
  296 + hlist_for_each_entry_rcu(cur, n, &nf_ct_helper_hash[i], hnode) {
  297 +
  298 + /* skip non-userspace conntrack helpers. */
  299 + if (!(cur->flags & NF_CT_HELPER_F_USERSPACE))
  300 + continue;
  301 +
  302 + if (strncmp(cur->name, helper_name,
  303 + NF_CT_HELPER_NAME_LEN) != 0)
  304 + continue;
  305 +
  306 + if ((tuple.src.l3num != cur->tuple.src.l3num ||
  307 + tuple.dst.protonum != cur->tuple.dst.protonum))
  308 + continue;
  309 +
  310 + if (nlh->nlmsg_flags & NLM_F_EXCL) {
  311 + ret = -EEXIST;
  312 + goto err;
  313 + }
  314 + helper = cur;
  315 + break;
  316 + }
  317 + }
  318 + rcu_read_unlock();
  319 +
  320 + if (helper == NULL)
  321 + ret = nfnl_cthelper_create(tb, &tuple);
  322 + else
  323 + ret = nfnl_cthelper_update(tb, helper);
  324 +
  325 + return ret;
  326 +err:
  327 + rcu_read_unlock();
  328 + return ret;
  329 +}
  330 +
  331 +static int
  332 +nfnl_cthelper_dump_tuple(struct sk_buff *skb,
  333 + struct nf_conntrack_helper *helper)
  334 +{
  335 + struct nlattr *nest_parms;
  336 +
  337 + nest_parms = nla_nest_start(skb, NFCTH_TUPLE | NLA_F_NESTED);
  338 + if (nest_parms == NULL)
  339 + goto nla_put_failure;
  340 +
  341 + if (nla_put_be16(skb, NFCTH_TUPLE_L3PROTONUM,
  342 + htons(helper->tuple.src.l3num)))
  343 + goto nla_put_failure;
  344 +
  345 + if (nla_put_u8(skb, NFCTH_TUPLE_L4PROTONUM, helper->tuple.dst.protonum))
  346 + goto nla_put_failure;
  347 +
  348 + nla_nest_end(skb, nest_parms);
  349 + return 0;
  350 +
  351 +nla_put_failure:
  352 + return -1;
  353 +}
  354 +
  355 +static int
  356 +nfnl_cthelper_dump_policy(struct sk_buff *skb,
  357 + struct nf_conntrack_helper *helper)
  358 +{
  359 + int i;
  360 + struct nlattr *nest_parms1, *nest_parms2;
  361 +
  362 + nest_parms1 = nla_nest_start(skb, NFCTH_POLICY | NLA_F_NESTED);
  363 + if (nest_parms1 == NULL)
  364 + goto nla_put_failure;
  365 +
  366 + if (nla_put_be32(skb, NFCTH_POLICY_SET_NUM,
  367 + htonl(helper->expect_class_max)))
  368 + goto nla_put_failure;
  369 +
  370 + for (i=0; i<helper->expect_class_max; i++) {
  371 + nest_parms2 = nla_nest_start(skb,
  372 + (NFCTH_POLICY_SET+i) | NLA_F_NESTED);
  373 + if (nest_parms2 == NULL)
  374 + goto nla_put_failure;
  375 +
  376 + if (nla_put_string(skb, NFCTH_POLICY_NAME,
  377 + helper->expect_policy[i].name))
  378 + goto nla_put_failure;
  379 +
  380 + if (nla_put_be32(skb, NFCTH_POLICY_EXPECT_MAX,
  381 + htonl(helper->expect_policy[i].max_expected)))
  382 + goto nla_put_failure;
  383 +
  384 + if (nla_put_be32(skb, NFCTH_POLICY_EXPECT_TIMEOUT,
  385 + htonl(helper->expect_policy[i].timeout)))
  386 + goto nla_put_failure;
  387 +
  388 + nla_nest_end(skb, nest_parms2);
  389 + }
  390 + nla_nest_end(skb, nest_parms1);
  391 + return 0;
  392 +
  393 +nla_put_failure:
  394 + return -1;
  395 +}
  396 +
  397 +static int
  398 +nfnl_cthelper_fill_info(struct sk_buff *skb, u32 pid, u32 seq, u32 type,
  399 + int event, struct nf_conntrack_helper *helper)
  400 +{
  401 + struct nlmsghdr *nlh;
  402 + struct nfgenmsg *nfmsg;
  403 + unsigned int flags = pid ? NLM_F_MULTI : 0;
  404 + int status;
  405 +
  406 + event |= NFNL_SUBSYS_CTHELPER << 8;
  407 + nlh = nlmsg_put(skb, pid, seq, event, sizeof(*nfmsg), flags);
  408 + if (nlh == NULL)
  409 + goto nlmsg_failure;
  410 +
  411 + nfmsg = nlmsg_data(nlh);
  412 + nfmsg->nfgen_family = AF_UNSPEC;
  413 + nfmsg->version = NFNETLINK_V0;
  414 + nfmsg->res_id = 0;
  415 +
  416 + if (nla_put_string(skb, NFCTH_NAME, helper->name))
  417 + goto nla_put_failure;
  418 +
  419 + if (nla_put_be32(skb, NFCTH_QUEUE_NUM, htonl(helper->queue_num)))
  420 + goto nla_put_failure;
  421 +
  422 + if (nfnl_cthelper_dump_tuple(skb, helper) < 0)
  423 + goto nla_put_failure;
  424 +
  425 + if (nfnl_cthelper_dump_policy(skb, helper) < 0)
  426 + goto nla_put_failure;
  427 +
  428 + if (nla_put_be32(skb, NFCTH_PRIV_DATA_LEN, htonl(helper->data_len)))
  429 + goto nla_put_failure;
  430 +
  431 + if (helper->flags & NF_CT_HELPER_F_CONFIGURED)
  432 + status = NFCT_HELPER_STATUS_ENABLED;
  433 + else
  434 + status = NFCT_HELPER_STATUS_DISABLED;
  435 +
  436 + if (nla_put_be32(skb, NFCTH_STATUS, htonl(status)))
  437 + goto nla_put_failure;
  438 +
  439 + nlmsg_end(skb, nlh);
  440 + return skb->len;
  441 +
  442 +nlmsg_failure:
  443 +nla_put_failure:
  444 + nlmsg_cancel(skb, nlh);
  445 + return -1;
  446 +}
  447 +
  448 +static int
  449 +nfnl_cthelper_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
  450 +{
  451 + struct nf_conntrack_helper *cur, *last;
  452 + struct hlist_node *n;
  453 +
  454 + rcu_read_lock();
  455 + last = (struct nf_conntrack_helper *)cb->args[1];
  456 + for (; cb->args[0] < nf_ct_helper_hsize; cb->args[0]++) {
  457 +restart:
  458 + hlist_for_each_entry_rcu(cur, n,
  459 + &nf_ct_helper_hash[cb->args[0]], hnode) {
  460 +
  461 + /* skip non-userspace conntrack helpers. */
  462 + if (!(cur->flags & NF_CT_HELPER_F_USERSPACE))
  463 + continue;
  464 +
  465 + if (cb->args[1]) {
  466 + if (cur != last)
  467 + continue;
  468 + cb->args[1] = 0;
  469 + }
  470 + if (nfnl_cthelper_fill_info(skb,
  471 + NETLINK_CB(cb->skb).pid,
  472 + cb->nlh->nlmsg_seq,
  473 + NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
  474 + NFNL_MSG_CTHELPER_NEW, cur) < 0) {
  475 + cb->args[1] = (unsigned long)cur;
  476 + goto out;
  477 + }
  478 + }
  479 + }
  480 + if (cb->args[1]) {
  481 + cb->args[1] = 0;
  482 + goto restart;
  483 + }
  484 +out:
  485 + rcu_read_unlock();
  486 + return skb->len;
  487 +}
  488 +
  489 +static int
  490 +nfnl_cthelper_get(struct sock *nfnl, struct sk_buff *skb,
  491 + const struct nlmsghdr *nlh, const struct nlattr * const tb[])
  492 +{
  493 + int ret = -ENOENT, i;
  494 + struct nf_conntrack_helper *cur;
  495 + struct hlist_node *n;
  496 + struct sk_buff *skb2;
  497 + char *helper_name = NULL;
  498 + struct nf_conntrack_tuple tuple;
  499 + bool tuple_set = false;
  500 +
  501 + if (nlh->nlmsg_flags & NLM_F_DUMP) {
  502 + struct netlink_dump_control c = {
  503 + .dump = nfnl_cthelper_dump_table,
  504 + };
  505 + return netlink_dump_start(nfnl, skb, nlh, &c);
  506 + }
  507 +
  508 + if (tb[NFCTH_NAME])
  509 + helper_name = nla_data(tb[NFCTH_NAME]);
  510 +
  511 + if (tb[NFCTH_TUPLE]) {
  512 + ret = nfnl_cthelper_parse_tuple(&tuple, tb[NFCTH_TUPLE]);
  513 + if (ret < 0)
  514 + return ret;
  515 +
  516 + tuple_set = true;
  517 + }
  518 +
  519 + for (i = 0; i < nf_ct_helper_hsize; i++) {
  520 + hlist_for_each_entry_rcu(cur, n, &nf_ct_helper_hash[i], hnode) {
  521 +
  522 + /* skip non-userspace conntrack helpers. */
  523 + if (!(cur->flags & NF_CT_HELPER_F_USERSPACE))
  524 + continue;
  525 +
  526 + if (helper_name && strncmp(cur->name, helper_name,
  527 + NF_CT_HELPER_NAME_LEN) != 0) {
  528 + continue;
  529 + }
  530 + if (tuple_set &&
  531 + (tuple.src.l3num != cur->tuple.src.l3num ||
  532 + tuple.dst.protonum != cur->tuple.dst.protonum))
  533 + continue;
  534 +
  535 + skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
  536 + if (skb2 == NULL) {
  537 + ret = -ENOMEM;
  538 + break;
  539 + }
  540 +
  541 + ret = nfnl_cthelper_fill_info(skb2, NETLINK_CB(skb).pid,
  542 + nlh->nlmsg_seq,
  543 + NFNL_MSG_TYPE(nlh->nlmsg_type),
  544 + NFNL_MSG_CTHELPER_NEW, cur);
  545 + if (ret <= 0) {
  546 + kfree_skb(skb2);
  547 + break;
  548 + }
  549 +
  550 + ret = netlink_unicast(nfnl, skb2, NETLINK_CB(skb).pid,
  551 + MSG_DONTWAIT);
  552 + if (ret > 0)
  553 + ret = 0;
  554 +
  555 + /* this avoids a loop in nfnetlink. */
  556 + return ret == -EAGAIN ? -ENOBUFS : ret;
  557 + }
  558 + }
  559 + return ret;
  560 +}
  561 +
  562 +static int
  563 +nfnl_cthelper_del(struct sock *nfnl, struct sk_buff *skb,
  564 + const struct nlmsghdr *nlh, const struct nlattr * const tb[])
  565 +{
  566 + char *helper_name = NULL;
  567 + struct nf_conntrack_helper *cur;
  568 + struct hlist_node *n, *tmp;
  569 + struct nf_conntrack_tuple tuple;
  570 + bool tuple_set = false, found = false;
  571 + int i, j = 0, ret;
  572 +
  573 + if (tb[NFCTH_NAME])
  574 + helper_name = nla_data(tb[NFCTH_NAME]);
  575 +
  576 + if (tb[NFCTH_TUPLE]) {
  577 + ret = nfnl_cthelper_parse_tuple(&tuple, tb[NFCTH_TUPLE]);
  578 + if (ret < 0)
  579 + return ret;
  580 +
  581 + tuple_set = true;
  582 + }
  583 +
  584 + for (i = 0; i < nf_ct_helper_hsize; i++) {
  585 + hlist_for_each_entry_safe(cur, n, tmp, &nf_ct_helper_hash[i],
  586 + hnode) {
  587 + /* skip non-userspace conntrack helpers. */
  588 + if (!(cur->flags & NF_CT_HELPER_F_USERSPACE))
  589 + continue;
  590 +
  591 + j++;
  592 +
  593 + if (helper_name && strncmp(cur->name, helper_name,
  594 + NF_CT_HELPER_NAME_LEN) != 0) {
  595 + continue;
  596 + }
  597 + if (tuple_set &&
  598 + (tuple.src.l3num != cur->tuple.src.l3num ||
  599 + tuple.dst.protonum != cur->tuple.dst.protonum))
  600 + continue;
  601 +
  602 + found = true;
  603 + nf_conntrack_helper_unregister(cur);
  604 + }
  605 + }
  606 + /* Make sure we return success if we flush and there is no helpers */
  607 + return (found || j == 0) ? 0 : -ENOENT;
  608 +}
  609 +
  610 +static const struct nla_policy nfnl_cthelper_policy[NFCTH_MAX+1] = {
  611 + [NFCTH_NAME] = { .type = NLA_NUL_STRING,
  612 + .len = NF_CT_HELPER_NAME_LEN-1 },
  613 + [NFCTH_QUEUE_NUM] = { .type = NLA_U32, },
  614 +};
  615 +
  616 +static const struct nfnl_callback nfnl_cthelper_cb[NFNL_MSG_CTHELPER_MAX] = {
  617 + [NFNL_MSG_CTHELPER_NEW] = { .call = nfnl_cthelper_new,
  618 + .attr_count = NFCTH_MAX,
  619 + .policy = nfnl_cthelper_policy },
  620 + [NFNL_MSG_CTHELPER_GET] = { .call = nfnl_cthelper_get,
  621 + .attr_count = NFCTH_MAX,
  622 + .policy = nfnl_cthelper_policy },
  623 + [NFNL_MSG_CTHELPER_DEL] = { .call = nfnl_cthelper_del,
  624 + .attr_count = NFCTH_MAX,
  625 + .policy = nfnl_cthelper_policy },
  626 +};
  627 +
  628 +static const struct nfnetlink_subsystem nfnl_cthelper_subsys = {
  629 + .name = "cthelper",
  630 + .subsys_id = NFNL_SUBSYS_CTHELPER,
  631 + .cb_count = NFNL_MSG_CTHELPER_MAX,
  632 + .cb = nfnl_cthelper_cb,
  633 +};
  634 +
  635 +MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTHELPER);
  636 +
  637 +static int __init nfnl_cthelper_init(void)
  638 +{
  639 + int ret;
  640 +
  641 + ret = nfnetlink_subsys_register(&nfnl_cthelper_subsys);
  642 + if (ret < 0) {
  643 + pr_err("nfnl_cthelper: cannot register with nfnetlink.\n");
  644 + goto err_out;
  645 + }
  646 + return 0;
  647 +err_out:
  648 + return ret;
  649 +}
  650 +
  651 +static void __exit nfnl_cthelper_exit(void)
  652 +{
  653 + struct nf_conntrack_helper *cur;
  654 + struct hlist_node *n, *tmp;
  655 + int i;
  656 +
  657 + nfnetlink_subsys_unregister(&nfnl_cthelper_subsys);
  658 +
  659 + for (i=0; i<nf_ct_helper_hsize; i++) {
  660 + hlist_for_each_entry_safe(cur, n, tmp, &nf_ct_helper_hash[i],
  661 + hnode) {
  662 + /* skip non-userspace conntrack helpers. */
  663 + if (!(cur->flags & NF_CT_HELPER_F_USERSPACE))
  664 + continue;
  665 +
  666 + nf_conntrack_helper_unregister(cur);
  667 + }
  668 + }
  669 +}
  670 +
  671 +module_init(nfnl_cthelper_init);
  672 +module_exit(nfnl_cthelper_exit);