/* Netfilter messages via netlink socket. Allows for user space
   * protocol helpers and general trouble making from userspace.
   *
   * (C) 2001 by Jay Schulist <jschlst@samba.org>,
   * (C) 2002-2005 by Harald Welte <laforge@gnumonks.org>

   * (C) 2005,2007 by Pablo Neira Ayuso <pablo@netfilter.org>

   *
   * Initial netfilter messages via netlink development funded and
   * generally made possible by Network Robots, Inc. (www.networkrobots.com)
   *
   * Further development of this code funded by Astaro AG (http://www.astaro.com)
   *
   * This software may be used and distributed according to the terms
   * of the GNU General Public License, incorporated herein by reference.
   */

  #include <linux/module.h>
  #include <linux/types.h>
  #include <linux/socket.h>
  #include <linux/kernel.h>

  #include <linux/string.h>
  #include <linux/sockios.h>
  #include <linux/net.h>

  #include <linux/skbuff.h>
  #include <asm/uaccess.h>

  #include <net/sock.h>
  #include <linux/init.h>

  #include <net/netlink.h>

  #include <linux/netfilter/nfnetlink.h>
  
  MODULE_LICENSE("GPL");

  MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
  MODULE_ALIAS_NET_PF_PROTO(PF_NETLINK, NETLINK_NETFILTER);

  
  static char __initdata nfversion[] = "0.30";

  static struct {
  	struct mutex				mutex;
  	const struct nfnetlink_subsystem __rcu	*subsys;
  } table[NFNL_SUBSYS_COUNT];

  static const int nfnl_group2type[NFNLGRP_MAX+1] = {
  	[NFNLGRP_CONNTRACK_NEW]		= NFNL_SUBSYS_CTNETLINK,
  	[NFNLGRP_CONNTRACK_UPDATE]	= NFNL_SUBSYS_CTNETLINK,
  	[NFNLGRP_CONNTRACK_DESTROY]	= NFNL_SUBSYS_CTNETLINK,
  	[NFNLGRP_CONNTRACK_EXP_NEW]	= NFNL_SUBSYS_CTNETLINK_EXP,
  	[NFNLGRP_CONNTRACK_EXP_UPDATE]	= NFNL_SUBSYS_CTNETLINK_EXP,
  	[NFNLGRP_CONNTRACK_EXP_DESTROY] = NFNL_SUBSYS_CTNETLINK_EXP,
  };

  void nfnl_lock(__u8 subsys_id)

  {

  	mutex_lock(&table[subsys_id].mutex);

  }

  EXPORT_SYMBOL_GPL(nfnl_lock);

  void nfnl_unlock(__u8 subsys_id)

  {

  	mutex_unlock(&table[subsys_id].mutex);

  }

  EXPORT_SYMBOL_GPL(nfnl_unlock);

  int nfnetlink_subsys_register(const struct nfnetlink_subsystem *n)

  {

  	nfnl_lock(n->subsys_id);
  	if (table[n->subsys_id].subsys) {
  		nfnl_unlock(n->subsys_id);

  		return -EBUSY;
  	}

  	rcu_assign_pointer(table[n->subsys_id].subsys, n);
  	nfnl_unlock(n->subsys_id);

  
  	return 0;
  }

  EXPORT_SYMBOL_GPL(nfnetlink_subsys_register);

  int nfnetlink_subsys_unregister(const struct nfnetlink_subsystem *n)

  {

  	nfnl_lock(n->subsys_id);
  	table[n->subsys_id].subsys = NULL;
  	nfnl_unlock(n->subsys_id);

  	synchronize_rcu();

  	return 0;
  }

  EXPORT_SYMBOL_GPL(nfnetlink_subsys_unregister);

  static inline const struct nfnetlink_subsystem *nfnetlink_get_subsys(u_int16_t type)

  {
  	u_int8_t subsys_id = NFNL_SUBSYS_ID(type);

  	if (subsys_id >= NFNL_SUBSYS_COUNT)

  		return NULL;

  	return rcu_dereference(table[subsys_id].subsys);

  }

  static inline const struct nfnl_callback *
  nfnetlink_find_client(u_int16_t type, const struct nfnetlink_subsystem *ss)

  {
  	u_int8_t cb_id = NFNL_MSG_TYPE(type);

  	if (cb_id >= ss->cb_count)

  		return NULL;

  
  	return &ss->cb[cb_id];
  }

  int nfnetlink_has_listeners(struct net *net, unsigned int group)

  {

  	return netlink_has_listeners(net->nfnl, group);

  }
  EXPORT_SYMBOL_GPL(nfnetlink_has_listeners);

  struct sk_buff *nfnetlink_alloc_skb(struct net *net, unsigned int size,
  				    u32 dst_portid, gfp_t gfp_mask)
  {
  	return netlink_alloc_skb(net->nfnl, size, dst_portid, gfp_mask);
  }
  EXPORT_SYMBOL_GPL(nfnetlink_alloc_skb);

  int nfnetlink_send(struct sk_buff *skb, struct net *net, u32 portid,

  		   unsigned int group, int echo, gfp_t flags)

  {

  	return nlmsg_notify(net->nfnl, skb, portid, group, echo, flags);

  }

  EXPORT_SYMBOL_GPL(nfnetlink_send);

  int nfnetlink_set_err(struct net *net, u32 portid, u32 group, int error)

  {

  	return netlink_set_err(net->nfnl, portid, group, error);

  }
  EXPORT_SYMBOL_GPL(nfnetlink_set_err);

  int nfnetlink_unicast(struct sk_buff *skb, struct net *net, u32 portid,
  		      int flags)

  {

  	return netlink_unicast(net->nfnl, skb, portid, flags);

  }

  EXPORT_SYMBOL_GPL(nfnetlink_unicast);

  
  /* Process one complete nfnetlink message. */

  static int nfnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)

  {

  	struct net *net = sock_net(skb->sk);

  	const struct nfnl_callback *nc;
  	const struct nfnetlink_subsystem *ss;

  	int type, err;

  	if (!ns_capable(net->user_ns, CAP_NET_ADMIN))

  		return -EPERM;

  	/* All the messages must at least contain nfgenmsg */

  	if (nlmsg_len(nlh) < sizeof(struct nfgenmsg))

  		return 0;

  
  	type = nlh->nlmsg_type;

  replay:

  	rcu_read_lock();

  	ss = nfnetlink_get_subsys(type);

  	if (!ss) {

  #ifdef CONFIG_MODULES

  		rcu_read_unlock();

  		request_module("nfnetlink-subsys-%d", NFNL_SUBSYS_ID(type));

  		rcu_read_lock();

  		ss = nfnetlink_get_subsys(type);

  		if (!ss)
  #endif

  		{
  			rcu_read_unlock();

  			return -EINVAL;

  		}

  	}

  
  	nc = nfnetlink_find_client(type, ss);

  	if (!nc) {
  		rcu_read_unlock();

  		return -EINVAL;

  	}

  	{

  		int min_len = nlmsg_total_size(sizeof(struct nfgenmsg));

  		u_int8_t cb_id = NFNL_MSG_TYPE(nlh->nlmsg_type);

  		struct nlattr *cda[ss->cb[cb_id].attr_count + 1];
  		struct nlattr *attr = (void *)nlh + min_len;
  		int attrlen = nlh->nlmsg_len - min_len;

  		__u8 subsys_id = NFNL_SUBSYS_ID(type);

  
  		err = nla_parse(cda, ss->cb[cb_id].attr_count,
  				attr, attrlen, ss->cb[cb_id].policy);

  		if (err < 0) {
  			rcu_read_unlock();

  			return err;

  		}

  		if (nc->call_rcu) {
  			err = nc->call_rcu(net->nfnl, skb, nlh,
  					   (const struct nlattr **)cda);
  			rcu_read_unlock();
  		} else {
  			rcu_read_unlock();

  			nfnl_lock(subsys_id);
  			if (rcu_dereference_protected(table[subsys_id].subsys,

  				lockdep_is_held(&table[subsys_id].mutex)) != ss ||

  			    nfnetlink_find_client(type, ss) != nc)
  				err = -EAGAIN;

  			else if (nc->call)

  				err = nc->call(net->nfnl, skb, nlh,
  						   (const struct nlattr **)cda);

  			else
  				err = -EINVAL;

  			nfnl_unlock(subsys_id);

  		}

  		if (err == -EAGAIN)
  			goto replay;
  		return err;

  	}

  }

  static void nfnetlink_rcv(struct sk_buff *skb)

  {

  	netlink_rcv_skb(skb, &nfnetlink_rcv_msg);

  }

  #ifdef CONFIG_MODULES
  static void nfnetlink_bind(int group)
  {
  	const struct nfnetlink_subsystem *ss;
  	int type = nfnl_group2type[group];
  
  	rcu_read_lock();
  	ss = nfnetlink_get_subsys(type);
  	if (!ss) {
  		rcu_read_unlock();
  		request_module("nfnetlink-subsys-%d", type);
  		return;
  	}
  	rcu_read_unlock();
  }
  #endif

  static int __net_init nfnetlink_net_init(struct net *net)

  {

  	struct sock *nfnl;

  	struct netlink_kernel_cfg cfg = {
  		.groups	= NFNLGRP_MAX,
  		.input	= nfnetlink_rcv,

  #ifdef CONFIG_MODULES
  		.bind	= nfnetlink_bind,
  #endif

  	};

  	nfnl = netlink_kernel_create(net, NETLINK_NETFILTER, &cfg);

  	if (!nfnl)
  		return -ENOMEM;
  	net->nfnl_stash = nfnl;

  	rcu_assign_pointer(net->nfnl, nfnl);

  	return 0;

  }

  static void __net_exit nfnetlink_net_exit_batch(struct list_head *net_exit_list)

  {

  	struct net *net;

  	list_for_each_entry(net, net_exit_list, exit_list)

  		RCU_INIT_POINTER(net->nfnl, NULL);

  	synchronize_net();
  	list_for_each_entry(net, net_exit_list, exit_list)
  		netlink_kernel_release(net->nfnl_stash);
  }

  static struct pernet_operations nfnetlink_net_ops = {
  	.init		= nfnetlink_net_init,
  	.exit_batch	= nfnetlink_net_exit_batch,
  };
  
  static int __init nfnetlink_init(void)
  {

  	int i;
  
  	for (i=0; i<NFNL_SUBSYS_COUNT; i++)
  		mutex_init(&table[i].mutex);

  	pr_info("Netfilter messages via NETLINK v%s.
  ", nfversion);

  	return register_pernet_subsys(&nfnetlink_net_ops);

  }

  static void __exit nfnetlink_exit(void)
  {

  	pr_info("Removing netfilter NETLINK layer.
  ");

  	unregister_pernet_subsys(&nfnetlink_net_ops);
  }

  module_init(nfnetlink_init);
  module_exit(nfnetlink_exit);