Eric Lee / smarc-fsl-linux-kernel

Commit 2c352f444ccfa966a1aa4fd8e9ee29381c467448

Authored by Gao feng 2012-05-29 05:04:09 +0800

Committed by Pablo Neira Ayuso 2012-06-07 20:58:39 +0800

netfilter: nf_conntrack: prepare namespace support for l4 protocol trackers

This patch prepares the namespace support for layer 4 protocol trackers.
Basically, this modifies the following interfaces:

* nf_ct_[un]register_sysctl
* nf_conntrack_l4proto_[un]register

to include the namespace parameter. We still use init_net in this patch
to prepare the ground for follow-up patches for each layer 4 protocol
tracker.

We add a new net_id field to struct nf_conntrack_l4proto that is used
to store the pernet_operations id for each layer 4 protocol tracker.

Note that AF_INET6's protocols do not need to do sysctl compat. Thus,
we only register compat sysctl when l4proto.l3proto != AF_INET6.

Acked-by: Eric W. Biederman <ebiederm@xmission.com>
Signed-off-by: Gao feng <gaofeng@cn.fujitsu.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

Showing 9 changed files with 159 additions and 79 deletions Inline Diff

include/net/netfilter/nf_conntrack_l4proto.h
include/net/netns/conntrack.h
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
net/netfilter/nf_conntrack_proto.c
net/netfilter/nf_conntrack_proto_dccp.c
net/netfilter/nf_conntrack_proto_gre.c
net/netfilter/nf_conntrack_proto_sctp.c
net/netfilter/nf_conntrack_proto_udplite.c

include/net/netfilter/nf_conntrack_l4proto.h

Diff comments View file @ 2c352f4

 /*
  * Header for use in defining a given L4 protocol for connection tracking.
  *
  * 16 Dec 2003: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp>
  *	- generalized L3 protocol dependent part.
  *
  * Derived from include/linux/netfiter_ipv4/ip_conntrack_protcol.h
  */
 #ifndef _NF_CONNTRACK_L4PROTO_H
 #define _NF_CONNTRACK_L4PROTO_H
 #include <linux/netlink.h>
 #include <net/netlink.h>
 #include <net/netfilter/nf_conntrack.h>
+#include <net/netns/generic.h>
 struct seq_file;
 struct nf_conntrack_l4proto {
 	/* L3 Protocol number. */
 	u_int16_t l3proto;
 	/* L4 Protocol number. */
 	u_int8_t l4proto;
 	/* Try to fill in the third arg: dataoff is offset past network protocol
            hdr.  Return true if possible. */
 	bool (*pkt_to_tuple)(const struct sk_buff *skb, unsigned int dataoff,
 			     struct nf_conntrack_tuple *tuple);
 	/* Invert the per-proto part of the tuple: ie. turn xmit into reply.
 	 * Some packets can't be inverted: return 0 in that case.
 	 */
 	bool (*invert_tuple)(struct nf_conntrack_tuple *inverse,
 			     const struct nf_conntrack_tuple *orig);
 	/* Returns verdict for packet, or -1 for invalid. */
 	int (*packet)(struct nf_conn *ct,
 		      const struct sk_buff *skb,
 		      unsigned int dataoff,
 		      enum ip_conntrack_info ctinfo,
 		      u_int8_t pf,
 		      unsigned int hooknum,
 		      unsigned int *timeouts);
 	/* Called when a new connection for this protocol found;
 	 * returns TRUE if it's OK.  If so, packet() called next. */
 	bool (*new)(struct nf_conn *ct, const struct sk_buff *skb,
 		    unsigned int dataoff, unsigned int *timeouts);
 	/* Called when a conntrack entry is destroyed */
 	void (*destroy)(struct nf_conn *ct);
 	int (*error)(struct net *net, struct nf_conn *tmpl, struct sk_buff *skb,
 		     unsigned int dataoff, enum ip_conntrack_info *ctinfo,
 		     u_int8_t pf, unsigned int hooknum);
 	/* Print out the per-protocol part of the tuple. Return like seq_* */
 	int (*print_tuple)(struct seq_file *s,
 			   const struct nf_conntrack_tuple *);
 	/* Print out the private part of the conntrack. */
 	int (*print_conntrack)(struct seq_file *s, struct nf_conn *);
 	/* Return the array of timeouts for this protocol. */
 	unsigned int *(*get_timeouts)(struct net *net);
 	/* convert protoinfo to nfnetink attributes */
 	int (*to_nlattr)(struct sk_buff *skb, struct nlattr *nla,
 			 struct nf_conn *ct);
 	/* Calculate protoinfo nlattr size */
 	int (*nlattr_size)(void);
 	/* convert nfnetlink attributes to protoinfo */
 	int (*from_nlattr)(struct nlattr *tb[], struct nf_conn *ct);
 	int (*tuple_to_nlattr)(struct sk_buff *skb,
 			       const struct nf_conntrack_tuple *t);
 	/* Calculate tuple nlattr size */
 	int (*nlattr_tuple_size)(void);
 	int (*nlattr_to_tuple)(struct nlattr *tb[],
 			       struct nf_conntrack_tuple *t);
 	const struct nla_policy *nla_policy;
 	size_t nla_size;
 #if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
 	struct {
 		size_t obj_size;
 		int (*nlattr_to_obj)(struct nlattr *tb[], void *data);
 		int (*obj_to_nlattr)(struct sk_buff *skb, const void *data);
 		unsigned int nlattr_max;
 		const struct nla_policy *nla_policy;
 	} ctnl_timeout;
 #endif
 #ifdef CONFIG_SYSCTL
 	struct ctl_table_header	**ctl_table_header;
 	struct ctl_table	*ctl_table;
 	unsigned int		*ctl_table_users;
 #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
 	struct ctl_table_header	*ctl_compat_table_header;
 	struct ctl_table	*ctl_compat_table;
 #endif
 #endif
+	int	*net_id;
+	/* Init l4proto pernet data */
+	int (*init_net)(struct net *net);
 	/* Protocol name */
 	const char *name;
 	/* Module (if any) which this is connected to. */
 	struct module *me;
 };
 /* Existing built-in generic protocol */
 extern struct nf_conntrack_l4proto nf_conntrack_l4proto_generic;
 #define MAX_NF_CT_PROTO 256
 extern struct nf_conntrack_l4proto *
 __nf_ct_l4proto_find(u_int16_t l3proto, u_int8_t l4proto);
 extern struct nf_conntrack_l4proto *
 nf_ct_l4proto_find_get(u_int16_t l3proto, u_int8_t l4proto);
 extern void nf_ct_l4proto_put(struct nf_conntrack_l4proto *p);
 /* Protocol registration. */
-extern int nf_conntrack_l4proto_register(struct nf_conntrack_l4proto *proto);
+extern int nf_conntrack_l4proto_register(struct net *net,
-extern void nf_conntrack_l4proto_unregister(struct nf_conntrack_l4proto *proto);
+					 struct nf_conntrack_l4proto *proto);
+extern void nf_conntrack_l4proto_unregister(struct net *net,
+					    struct nf_conntrack_l4proto *proto);
 /* Generic netlink helpers */
 extern int nf_ct_port_tuple_to_nlattr(struct sk_buff *skb,
 				      const struct nf_conntrack_tuple *tuple);
 extern int nf_ct_port_nlattr_to_tuple(struct nlattr *tb[],
 				      struct nf_conntrack_tuple *t);
 extern int nf_ct_port_nlattr_tuple_size(void);
 extern const struct nla_policy nf_ct_port_nla_policy[];
 #ifdef CONFIG_SYSCTL
 #ifdef DEBUG_INVALID_PACKETS
 #define LOG_INVALID(net, proto)				\
 	((net)->ct.sysctl_log_invalid == (proto) ||	\
 	 (net)->ct.sysctl_log_invalid == IPPROTO_RAW)
 #else
 #define LOG_INVALID(net, proto)				\
 	(((net)->ct.sysctl_log_invalid == (proto) ||	\
 	  (net)->ct.sysctl_log_invalid == IPPROTO_RAW)	\
 	 && net_ratelimit())
 #endif
 #else
 static inline int LOG_INVALID(struct net *net, int proto) { return 0; }
 #endif /* CONFIG_SYSCTL */
 #endif /*_NF_CONNTRACK_PROTOCOL_H*/

include/net/netns/conntrack.h

Diff comments View file @ 2c352f4

 #ifndef __NETNS_CONNTRACK_H
 #define __NETNS_CONNTRACK_H
 #include <linux/list.h>
 #include <linux/list_nulls.h>
 #include <linux/atomic.h>
 struct ctl_table_header;
 struct nf_conntrack_ecache;
+struct nf_proto_net {
+#ifdef CONFIG_SYSCTL
+	struct ctl_table_header *ctl_table_header;
+	struct ctl_table        *ctl_table;
+#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
+	struct ctl_table_header *ctl_compat_header;
+	struct ctl_table        *ctl_compat_table;
+#endif
+#endif
+	unsigned int		users;
+};
 struct netns_ct {
 	atomic_t		count;
 	unsigned int		expect_count;
 	unsigned int		htable_size;
 	struct kmem_cache	*nf_conntrack_cachep;
 	struct hlist_nulls_head	*hash;
 	struct hlist_head	*expect_hash;
 	struct hlist_nulls_head	unconfirmed;
 	struct hlist_nulls_head	dying;
 	struct ip_conntrack_stat __percpu *stat;
 	struct nf_ct_event_notifier __rcu *nf_conntrack_event_cb;
 	struct nf_exp_event_notifier __rcu *nf_expect_event_cb;
 	int			sysctl_events;
 	unsigned int		sysctl_events_retry_timeout;
 	int			sysctl_acct;
 	int			sysctl_tstamp;
 	int			sysctl_checksum;
 	unsigned int		sysctl_log_invalid; /* Log invalid packets */
 	int			sysctl_auto_assign_helper;
 	bool			auto_assign_helper_warned;
 #ifdef CONFIG_SYSCTL
 	struct ctl_table_header	*sysctl_header;
 	struct ctl_table_header	*acct_sysctl_header;
 	struct ctl_table_header	*tstamp_sysctl_header;
 	struct ctl_table_header	*event_sysctl_header;
 	struct ctl_table_header	*helper_sysctl_header;
 #endif
 	char			*slabname;
 };
 #endif

net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c

Diff comments View file @ 2c352f4

1		1
2	/* (C) 1999-2001 Paul `Rusty' Russell	2	/* (C) 1999-2001 Paul `Rusty' Russell
3	* (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>	3	* (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
4	*	4	*
5	* This program is free software; you can redistribute it and/or modify	5	* This program is free software; you can redistribute it and/or modify
6	* it under the terms of the GNU General Public License version 2 as	6	* it under the terms of the GNU General Public License version 2 as
7	* published by the Free Software Foundation.	7	* published by the Free Software Foundation.
8	*/	8	*/
9		9
10	#include <linux/types.h>	10	#include <linux/types.h>
11	#include <linux/ip.h>	11	#include <linux/ip.h>
12	#include <linux/netfilter.h>	12	#include <linux/netfilter.h>
13	#include <linux/module.h>	13	#include <linux/module.h>
14	#include <linux/skbuff.h>	14	#include <linux/skbuff.h>
15	#include <linux/icmp.h>	15	#include <linux/icmp.h>
16	#include <linux/sysctl.h>	16	#include <linux/sysctl.h>
17	#include <net/route.h>	17	#include <net/route.h>
18	#include <net/ip.h>	18	#include <net/ip.h>
19		19
20	#include <linux/netfilter_ipv4.h>	20	#include <linux/netfilter_ipv4.h>
21	#include <net/netfilter/nf_conntrack.h>	21	#include <net/netfilter/nf_conntrack.h>
22	#include <net/netfilter/nf_conntrack_helper.h>	22	#include <net/netfilter/nf_conntrack_helper.h>
23	#include <net/netfilter/nf_conntrack_l4proto.h>	23	#include <net/netfilter/nf_conntrack_l4proto.h>
24	#include <net/netfilter/nf_conntrack_l3proto.h>	24	#include <net/netfilter/nf_conntrack_l3proto.h>
25	#include <net/netfilter/nf_conntrack_zones.h>	25	#include <net/netfilter/nf_conntrack_zones.h>
26	#include <net/netfilter/nf_conntrack_core.h>	26	#include <net/netfilter/nf_conntrack_core.h>
27	#include <net/netfilter/ipv4/nf_conntrack_ipv4.h>	27	#include <net/netfilter/ipv4/nf_conntrack_ipv4.h>
28	#include <net/netfilter/nf_nat_helper.h>	28	#include <net/netfilter/nf_nat_helper.h>
29	#include <net/netfilter/ipv4/nf_defrag_ipv4.h>	29	#include <net/netfilter/ipv4/nf_defrag_ipv4.h>
30	#include <net/netfilter/nf_log.h>	30	#include <net/netfilter/nf_log.h>
31		31
32	int (nf_nat_seq_adjust_hook)(struct sk_buff skb,	32	int (nf_nat_seq_adjust_hook)(struct sk_buff skb,
33	struct nf_conn *ct,	33	struct nf_conn *ct,
34	enum ip_conntrack_info ctinfo);	34	enum ip_conntrack_info ctinfo);
35	EXPORT_SYMBOL_GPL(nf_nat_seq_adjust_hook);	35	EXPORT_SYMBOL_GPL(nf_nat_seq_adjust_hook);
36		36
37	static bool ipv4_pkt_to_tuple(const struct sk_buff *skb, unsigned int nhoff,	37	static bool ipv4_pkt_to_tuple(const struct sk_buff *skb, unsigned int nhoff,
38	struct nf_conntrack_tuple *tuple)	38	struct nf_conntrack_tuple *tuple)
39	{	39	{
40	const __be32 *ap;	40	const __be32 *ap;
41	__be32 _addrs[2];	41	__be32 _addrs[2];
42	ap = skb_header_pointer(skb, nhoff + offsetof(struct iphdr, saddr),	42	ap = skb_header_pointer(skb, nhoff + offsetof(struct iphdr, saddr),
43	sizeof(u_int32_t) * 2, _addrs);	43	sizeof(u_int32_t) * 2, _addrs);
44	if (ap == NULL)	44	if (ap == NULL)
45	return false;	45	return false;
46		46
47	tuple->src.u3.ip = ap[0];	47	tuple->src.u3.ip = ap[0];
48	tuple->dst.u3.ip = ap[1];	48	tuple->dst.u3.ip = ap[1];
49		49
50	return true;	50	return true;
51	}	51	}
52		52
53	static bool ipv4_invert_tuple(struct nf_conntrack_tuple *tuple,	53	static bool ipv4_invert_tuple(struct nf_conntrack_tuple *tuple,
54	const struct nf_conntrack_tuple *orig)	54	const struct nf_conntrack_tuple *orig)
55	{	55	{
56	tuple->src.u3.ip = orig->dst.u3.ip;	56	tuple->src.u3.ip = orig->dst.u3.ip;
57	tuple->dst.u3.ip = orig->src.u3.ip;	57	tuple->dst.u3.ip = orig->src.u3.ip;
58		58
59	return true;	59	return true;
60	}	60	}
61		61
62	static int ipv4_print_tuple(struct seq_file *s,	62	static int ipv4_print_tuple(struct seq_file *s,
63	const struct nf_conntrack_tuple *tuple)	63	const struct nf_conntrack_tuple *tuple)
64	{	64	{
65	return seq_printf(s, "src=%pI4 dst=%pI4 ",	65	return seq_printf(s, "src=%pI4 dst=%pI4 ",
66	&tuple->src.u3.ip, &tuple->dst.u3.ip);	66	&tuple->src.u3.ip, &tuple->dst.u3.ip);
67	}	67	}
68		68
69	static int ipv4_get_l4proto(const struct sk_buff *skb, unsigned int nhoff,	69	static int ipv4_get_l4proto(const struct sk_buff *skb, unsigned int nhoff,
70	unsigned int dataoff, u_int8_t protonum)	70	unsigned int dataoff, u_int8_t protonum)
71	{	71	{
72	const struct iphdr *iph;	72	const struct iphdr *iph;
73	struct iphdr _iph;	73	struct iphdr _iph;
74		74
75	iph = skb_header_pointer(skb, nhoff, sizeof(_iph), &_iph);	75	iph = skb_header_pointer(skb, nhoff, sizeof(_iph), &_iph);
76	if (iph == NULL)	76	if (iph == NULL)
77	return -NF_ACCEPT;	77	return -NF_ACCEPT;
78		78
79	/* Conntrack defragments packets, we might still see fragments	79	/* Conntrack defragments packets, we might still see fragments
80	* inside ICMP packets though. */	80	* inside ICMP packets though. */
81	if (iph->frag_off & htons(IP_OFFSET))	81	if (iph->frag_off & htons(IP_OFFSET))
82	return -NF_ACCEPT;	82	return -NF_ACCEPT;
83		83
84	*dataoff = nhoff + (iph->ihl << 2);	84	*dataoff = nhoff + (iph->ihl << 2);
85	*protonum = iph->protocol;	85	*protonum = iph->protocol;
86		86
87	/* Check bogus IP headers */	87	/* Check bogus IP headers */
88	if (*dataoff > skb->len) {	88	if (*dataoff > skb->len) {
89	pr_debug("nf_conntrack_ipv4: bogus IPv4 packet: "	89	pr_debug("nf_conntrack_ipv4: bogus IPv4 packet: "
90	"nhoff %u, ihl %u, skblen %u\n",	90	"nhoff %u, ihl %u, skblen %u\n",
91	nhoff, iph->ihl << 2, skb->len);	91	nhoff, iph->ihl << 2, skb->len);
92	return -NF_ACCEPT;	92	return -NF_ACCEPT;
93	}	93	}
94		94
95	return NF_ACCEPT;	95	return NF_ACCEPT;
96	}	96	}
97		97
98	static unsigned int ipv4_confirm(unsigned int hooknum,	98	static unsigned int ipv4_confirm(unsigned int hooknum,
99	struct sk_buff *skb,	99	struct sk_buff *skb,
100	const struct net_device *in,	100	const struct net_device *in,
101	const struct net_device *out,	101	const struct net_device *out,
102	int (okfn)(struct sk_buff ))	102	int (okfn)(struct sk_buff ))
103	{	103	{
104	struct nf_conn *ct;	104	struct nf_conn *ct;
105	enum ip_conntrack_info ctinfo;	105	enum ip_conntrack_info ctinfo;
106	const struct nf_conn_help *help;	106	const struct nf_conn_help *help;
107	const struct nf_conntrack_helper *helper;	107	const struct nf_conntrack_helper *helper;
108	unsigned int ret;	108	unsigned int ret;
109		109
110	/* This is where we call the helper: as the packet goes out. */	110	/* This is where we call the helper: as the packet goes out. */
111	ct = nf_ct_get(skb, &ctinfo);	111	ct = nf_ct_get(skb, &ctinfo);
112	if (!ct \|\| ctinfo == IP_CT_RELATED_REPLY)	112	if (!ct \|\| ctinfo == IP_CT_RELATED_REPLY)
113	goto out;	113	goto out;
114		114
115	help = nfct_help(ct);	115	help = nfct_help(ct);
116	if (!help)	116	if (!help)
117	goto out;	117	goto out;
118		118
119	/* rcu_read_lock()ed by nf_hook_slow */	119	/* rcu_read_lock()ed by nf_hook_slow */
120	helper = rcu_dereference(help->helper);	120	helper = rcu_dereference(help->helper);
121	if (!helper)	121	if (!helper)
122	goto out;	122	goto out;
123		123
124	ret = helper->help(skb, skb_network_offset(skb) + ip_hdrlen(skb),	124	ret = helper->help(skb, skb_network_offset(skb) + ip_hdrlen(skb),
125	ct, ctinfo);	125	ct, ctinfo);
126	if (ret != NF_ACCEPT) {	126	if (ret != NF_ACCEPT) {
127	nf_log_packet(NFPROTO_IPV4, hooknum, skb, in, out, NULL,	127	nf_log_packet(NFPROTO_IPV4, hooknum, skb, in, out, NULL,
128	"nf_ct_%s: dropping packet", helper->name);	128	"nf_ct_%s: dropping packet", helper->name);
129	return ret;	129	return ret;
130	}	130	}
131		131
132	/* adjust seqs for loopback traffic only in outgoing direction */	132	/* adjust seqs for loopback traffic only in outgoing direction */
133	if (test_bit(IPS_SEQ_ADJUST_BIT, &ct->status) &&	133	if (test_bit(IPS_SEQ_ADJUST_BIT, &ct->status) &&
134	!nf_is_loopback_packet(skb)) {	134	!nf_is_loopback_packet(skb)) {
135	typeof(nf_nat_seq_adjust_hook) seq_adjust;	135	typeof(nf_nat_seq_adjust_hook) seq_adjust;
136		136
137	seq_adjust = rcu_dereference(nf_nat_seq_adjust_hook);	137	seq_adjust = rcu_dereference(nf_nat_seq_adjust_hook);
138	if (!seq_adjust \|\| !seq_adjust(skb, ct, ctinfo)) {	138	if (!seq_adjust \|\| !seq_adjust(skb, ct, ctinfo)) {
139	NF_CT_STAT_INC_ATOMIC(nf_ct_net(ct), drop);	139	NF_CT_STAT_INC_ATOMIC(nf_ct_net(ct), drop);
140	return NF_DROP;	140	return NF_DROP;
141	}	141	}
142	}	142	}
143	out:	143	out:
144	/* We've seen it coming out the other side: confirm it */	144	/* We've seen it coming out the other side: confirm it */
145	return nf_conntrack_confirm(skb);	145	return nf_conntrack_confirm(skb);
146	}	146	}
147		147
148	static unsigned int ipv4_conntrack_in(unsigned int hooknum,	148	static unsigned int ipv4_conntrack_in(unsigned int hooknum,
149	struct sk_buff *skb,	149	struct sk_buff *skb,
150	const struct net_device *in,	150	const struct net_device *in,
151	const struct net_device *out,	151	const struct net_device *out,
152	int (okfn)(struct sk_buff ))	152	int (okfn)(struct sk_buff ))
153	{	153	{
154	return nf_conntrack_in(dev_net(in), PF_INET, hooknum, skb);	154	return nf_conntrack_in(dev_net(in), PF_INET, hooknum, skb);
155	}	155	}
156		156
157	static unsigned int ipv4_conntrack_local(unsigned int hooknum,	157	static unsigned int ipv4_conntrack_local(unsigned int hooknum,
158	struct sk_buff *skb,	158	struct sk_buff *skb,
159	const struct net_device *in,	159	const struct net_device *in,
160	const struct net_device *out,	160	const struct net_device *out,
161	int (okfn)(struct sk_buff ))	161	int (okfn)(struct sk_buff ))
162	{	162	{
163	/* root is playing with raw sockets. */	163	/* root is playing with raw sockets. */
164	if (skb->len < sizeof(struct iphdr) \|\|	164	if (skb->len < sizeof(struct iphdr) \|\|
165	ip_hdrlen(skb) < sizeof(struct iphdr))	165	ip_hdrlen(skb) < sizeof(struct iphdr))
166	return NF_ACCEPT;	166	return NF_ACCEPT;
167	return nf_conntrack_in(dev_net(out), PF_INET, hooknum, skb);	167	return nf_conntrack_in(dev_net(out), PF_INET, hooknum, skb);
168	}	168	}
169		169
170	/* Connection tracking may drop packets, but never alters them, so	170	/* Connection tracking may drop packets, but never alters them, so
171	make it the first hook. */	171	make it the first hook. */
172	static struct nf_hook_ops ipv4_conntrack_ops[] __read_mostly = {	172	static struct nf_hook_ops ipv4_conntrack_ops[] __read_mostly = {
173	{	173	{
174	.hook = ipv4_conntrack_in,	174	.hook = ipv4_conntrack_in,
175	.owner = THIS_MODULE,	175	.owner = THIS_MODULE,
176	.pf = NFPROTO_IPV4,	176	.pf = NFPROTO_IPV4,
177	.hooknum = NF_INET_PRE_ROUTING,	177	.hooknum = NF_INET_PRE_ROUTING,
178	.priority = NF_IP_PRI_CONNTRACK,	178	.priority = NF_IP_PRI_CONNTRACK,
179	},	179	},
180	{	180	{
181	.hook = ipv4_conntrack_local,	181	.hook = ipv4_conntrack_local,
182	.owner = THIS_MODULE,	182	.owner = THIS_MODULE,
183	.pf = NFPROTO_IPV4,	183	.pf = NFPROTO_IPV4,
184	.hooknum = NF_INET_LOCAL_OUT,	184	.hooknum = NF_INET_LOCAL_OUT,
185	.priority = NF_IP_PRI_CONNTRACK,	185	.priority = NF_IP_PRI_CONNTRACK,
186	},	186	},
187	{	187	{
188	.hook = ipv4_confirm,	188	.hook = ipv4_confirm,
189	.owner = THIS_MODULE,	189	.owner = THIS_MODULE,
190	.pf = NFPROTO_IPV4,	190	.pf = NFPROTO_IPV4,
191	.hooknum = NF_INET_POST_ROUTING,	191	.hooknum = NF_INET_POST_ROUTING,
192	.priority = NF_IP_PRI_CONNTRACK_CONFIRM,	192	.priority = NF_IP_PRI_CONNTRACK_CONFIRM,
193	},	193	},
194	{	194	{
195	.hook = ipv4_confirm,	195	.hook = ipv4_confirm,
196	.owner = THIS_MODULE,	196	.owner = THIS_MODULE,
197	.pf = NFPROTO_IPV4,	197	.pf = NFPROTO_IPV4,
198	.hooknum = NF_INET_LOCAL_IN,	198	.hooknum = NF_INET_LOCAL_IN,
199	.priority = NF_IP_PRI_CONNTRACK_CONFIRM,	199	.priority = NF_IP_PRI_CONNTRACK_CONFIRM,
200	},	200	},
201	};	201	};
202		202
203	#if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)	203	#if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
204	static int log_invalid_proto_min = 0;	204	static int log_invalid_proto_min = 0;
205	static int log_invalid_proto_max = 255;	205	static int log_invalid_proto_max = 255;
206		206
207	static ctl_table ip_ct_sysctl_table[] = {	207	static ctl_table ip_ct_sysctl_table[] = {
208	{	208	{
209	.procname = "ip_conntrack_max",	209	.procname = "ip_conntrack_max",
210	.data = &nf_conntrack_max,	210	.data = &nf_conntrack_max,
211	.maxlen = sizeof(int),	211	.maxlen = sizeof(int),
212	.mode = 0644,	212	.mode = 0644,
213	.proc_handler = proc_dointvec,	213	.proc_handler = proc_dointvec,
214	},	214	},
215	{	215	{
216	.procname = "ip_conntrack_count",	216	.procname = "ip_conntrack_count",
217	.data = &init_net.ct.count,	217	.data = &init_net.ct.count,
218	.maxlen = sizeof(int),	218	.maxlen = sizeof(int),
219	.mode = 0444,	219	.mode = 0444,
220	.proc_handler = proc_dointvec,	220	.proc_handler = proc_dointvec,
221	},	221	},
222	{	222	{
223	.procname = "ip_conntrack_buckets",	223	.procname = "ip_conntrack_buckets",
224	.data = &init_net.ct.htable_size,	224	.data = &init_net.ct.htable_size,
225	.maxlen = sizeof(unsigned int),	225	.maxlen = sizeof(unsigned int),
226	.mode = 0444,	226	.mode = 0444,
227	.proc_handler = proc_dointvec,	227	.proc_handler = proc_dointvec,
228	},	228	},
229	{	229	{
230	.procname = "ip_conntrack_checksum",	230	.procname = "ip_conntrack_checksum",
231	.data = &init_net.ct.sysctl_checksum,	231	.data = &init_net.ct.sysctl_checksum,
232	.maxlen = sizeof(int),	232	.maxlen = sizeof(int),
233	.mode = 0644,	233	.mode = 0644,
234	.proc_handler = proc_dointvec,	234	.proc_handler = proc_dointvec,
235	},	235	},
236	{	236	{
237	.procname = "ip_conntrack_log_invalid",	237	.procname = "ip_conntrack_log_invalid",
238	.data = &init_net.ct.sysctl_log_invalid,	238	.data = &init_net.ct.sysctl_log_invalid,
239	.maxlen = sizeof(unsigned int),	239	.maxlen = sizeof(unsigned int),
240	.mode = 0644,	240	.mode = 0644,
241	.proc_handler = proc_dointvec_minmax,	241	.proc_handler = proc_dointvec_minmax,
242	.extra1 = &log_invalid_proto_min,	242	.extra1 = &log_invalid_proto_min,
243	.extra2 = &log_invalid_proto_max,	243	.extra2 = &log_invalid_proto_max,
244	},	244	},
245	{ }	245	{ }
246	};	246	};
247	#endif /* CONFIG_SYSCTL && CONFIG_NF_CONNTRACK_PROC_COMPAT */	247	#endif /* CONFIG_SYSCTL && CONFIG_NF_CONNTRACK_PROC_COMPAT */
248		248
249	/* Fast function for those who don't want to parse /proc (and I don't	249	/* Fast function for those who don't want to parse /proc (and I don't
250	blame them). */	250	blame them). */
251	/* Reversing the socket's dst/src point of view gives us the reply	251	/* Reversing the socket's dst/src point of view gives us the reply
252	mapping. */	252	mapping. */
253	static int	253	static int
254	getorigdst(struct sock sk, int optval, void __user user, int *len)	254	getorigdst(struct sock sk, int optval, void __user user, int *len)
255	{	255	{
256	const struct inet_sock *inet = inet_sk(sk);	256	const struct inet_sock *inet = inet_sk(sk);
257	const struct nf_conntrack_tuple_hash *h;	257	const struct nf_conntrack_tuple_hash *h;
258	struct nf_conntrack_tuple tuple;	258	struct nf_conntrack_tuple tuple;
259		259
260	memset(&tuple, 0, sizeof(tuple));	260	memset(&tuple, 0, sizeof(tuple));
261	tuple.src.u3.ip = inet->inet_rcv_saddr;	261	tuple.src.u3.ip = inet->inet_rcv_saddr;
262	tuple.src.u.tcp.port = inet->inet_sport;	262	tuple.src.u.tcp.port = inet->inet_sport;
263	tuple.dst.u3.ip = inet->inet_daddr;	263	tuple.dst.u3.ip = inet->inet_daddr;
264	tuple.dst.u.tcp.port = inet->inet_dport;	264	tuple.dst.u.tcp.port = inet->inet_dport;
265	tuple.src.l3num = PF_INET;	265	tuple.src.l3num = PF_INET;
266	tuple.dst.protonum = sk->sk_protocol;	266	tuple.dst.protonum = sk->sk_protocol;
267		267
268	/* We only do TCP and SCTP at the moment: is there a better way? */	268	/* We only do TCP and SCTP at the moment: is there a better way? */
269	if (sk->sk_protocol != IPPROTO_TCP && sk->sk_protocol != IPPROTO_SCTP) {	269	if (sk->sk_protocol != IPPROTO_TCP && sk->sk_protocol != IPPROTO_SCTP) {
270	pr_debug("SO_ORIGINAL_DST: Not a TCP/SCTP socket\n");	270	pr_debug("SO_ORIGINAL_DST: Not a TCP/SCTP socket\n");
271	return -ENOPROTOOPT;	271	return -ENOPROTOOPT;
272	}	272	}
273		273
274	if ((unsigned int) *len < sizeof(struct sockaddr_in)) {	274	if ((unsigned int) *len < sizeof(struct sockaddr_in)) {
275	pr_debug("SO_ORIGINAL_DST: len %d not %Zu\n",	275	pr_debug("SO_ORIGINAL_DST: len %d not %Zu\n",
276	*len, sizeof(struct sockaddr_in));	276	*len, sizeof(struct sockaddr_in));
277	return -EINVAL;	277	return -EINVAL;
278	}	278	}
279		279
280	h = nf_conntrack_find_get(sock_net(sk), NF_CT_DEFAULT_ZONE, &tuple);	280	h = nf_conntrack_find_get(sock_net(sk), NF_CT_DEFAULT_ZONE, &tuple);
281	if (h) {	281	if (h) {
282	struct sockaddr_in sin;	282	struct sockaddr_in sin;
283	struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h);	283	struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h);
284		284
285	sin.sin_family = AF_INET;	285	sin.sin_family = AF_INET;
286	sin.sin_port = ct->tuplehash[IP_CT_DIR_ORIGINAL]	286	sin.sin_port = ct->tuplehash[IP_CT_DIR_ORIGINAL]
287	.tuple.dst.u.tcp.port;	287	.tuple.dst.u.tcp.port;
288	sin.sin_addr.s_addr = ct->tuplehash[IP_CT_DIR_ORIGINAL]	288	sin.sin_addr.s_addr = ct->tuplehash[IP_CT_DIR_ORIGINAL]
289	.tuple.dst.u3.ip;	289	.tuple.dst.u3.ip;
290	memset(sin.sin_zero, 0, sizeof(sin.sin_zero));	290	memset(sin.sin_zero, 0, sizeof(sin.sin_zero));
291		291
292	pr_debug("SO_ORIGINAL_DST: %pI4 %u\n",	292	pr_debug("SO_ORIGINAL_DST: %pI4 %u\n",
293	&sin.sin_addr.s_addr, ntohs(sin.sin_port));	293	&sin.sin_addr.s_addr, ntohs(sin.sin_port));
294	nf_ct_put(ct);	294	nf_ct_put(ct);
295	if (copy_to_user(user, &sin, sizeof(sin)) != 0)	295	if (copy_to_user(user, &sin, sizeof(sin)) != 0)
296	return -EFAULT;	296	return -EFAULT;
297	else	297	else
298	return 0;	298	return 0;
299	}	299	}
300	pr_debug("SO_ORIGINAL_DST: Can't find %pI4/%u-%pI4/%u.\n",	300	pr_debug("SO_ORIGINAL_DST: Can't find %pI4/%u-%pI4/%u.\n",
301	&tuple.src.u3.ip, ntohs(tuple.src.u.tcp.port),	301	&tuple.src.u3.ip, ntohs(tuple.src.u.tcp.port),
302	&tuple.dst.u3.ip, ntohs(tuple.dst.u.tcp.port));	302	&tuple.dst.u3.ip, ntohs(tuple.dst.u.tcp.port));
303	return -ENOENT;	303	return -ENOENT;
304	}	304	}
305		305
306	#if defined(CONFIG_NF_CT_NETLINK) \|\| defined(CONFIG_NF_CT_NETLINK_MODULE)	306	#if defined(CONFIG_NF_CT_NETLINK) \|\| defined(CONFIG_NF_CT_NETLINK_MODULE)
307		307
308	#include <linux/netfilter/nfnetlink.h>	308	#include <linux/netfilter/nfnetlink.h>
309	#include <linux/netfilter/nfnetlink_conntrack.h>	309	#include <linux/netfilter/nfnetlink_conntrack.h>
310		310
311	static int ipv4_tuple_to_nlattr(struct sk_buff *skb,	311	static int ipv4_tuple_to_nlattr(struct sk_buff *skb,
312	const struct nf_conntrack_tuple *tuple)	312	const struct nf_conntrack_tuple *tuple)
313	{	313	{
314	if (nla_put_be32(skb, CTA_IP_V4_SRC, tuple->src.u3.ip) \|\|	314	if (nla_put_be32(skb, CTA_IP_V4_SRC, tuple->src.u3.ip) \|\|
315	nla_put_be32(skb, CTA_IP_V4_DST, tuple->dst.u3.ip))	315	nla_put_be32(skb, CTA_IP_V4_DST, tuple->dst.u3.ip))
316	goto nla_put_failure;	316	goto nla_put_failure;
317	return 0;	317	return 0;
318		318
319	nla_put_failure:	319	nla_put_failure:
320	return -1;	320	return -1;
321	}	321	}
322		322
323	static const struct nla_policy ipv4_nla_policy[CTA_IP_MAX+1] = {	323	static const struct nla_policy ipv4_nla_policy[CTA_IP_MAX+1] = {
324	[CTA_IP_V4_SRC] = { .type = NLA_U32 },	324	[CTA_IP_V4_SRC] = { .type = NLA_U32 },
325	[CTA_IP_V4_DST] = { .type = NLA_U32 },	325	[CTA_IP_V4_DST] = { .type = NLA_U32 },
326	};	326	};
327		327
328	static int ipv4_nlattr_to_tuple(struct nlattr *tb[],	328	static int ipv4_nlattr_to_tuple(struct nlattr *tb[],
329	struct nf_conntrack_tuple *t)	329	struct nf_conntrack_tuple *t)
330	{	330	{
331	if (!tb[CTA_IP_V4_SRC] \|\| !tb[CTA_IP_V4_DST])	331	if (!tb[CTA_IP_V4_SRC] \|\| !tb[CTA_IP_V4_DST])
332	return -EINVAL;	332	return -EINVAL;
333		333
334	t->src.u3.ip = nla_get_be32(tb[CTA_IP_V4_SRC]);	334	t->src.u3.ip = nla_get_be32(tb[CTA_IP_V4_SRC]);
335	t->dst.u3.ip = nla_get_be32(tb[CTA_IP_V4_DST]);	335	t->dst.u3.ip = nla_get_be32(tb[CTA_IP_V4_DST]);
336		336
337	return 0;	337	return 0;
338	}	338	}
339		339
340	static int ipv4_nlattr_tuple_size(void)	340	static int ipv4_nlattr_tuple_size(void)
341	{	341	{
342	return nla_policy_len(ipv4_nla_policy, CTA_IP_MAX + 1);	342	return nla_policy_len(ipv4_nla_policy, CTA_IP_MAX + 1);
343	}	343	}
344	#endif	344	#endif
345		345
346	static struct nf_sockopt_ops so_getorigdst = {	346	static struct nf_sockopt_ops so_getorigdst = {
347	.pf = PF_INET,	347	.pf = PF_INET,
348	.get_optmin = SO_ORIGINAL_DST,	348	.get_optmin = SO_ORIGINAL_DST,
349	.get_optmax = SO_ORIGINAL_DST+1,	349	.get_optmax = SO_ORIGINAL_DST+1,
350	.get = &getorigdst,	350	.get = &getorigdst,
351	.owner = THIS_MODULE,	351	.owner = THIS_MODULE,
352	};	352	};
353		353
354	struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv4 __read_mostly = {	354	struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv4 __read_mostly = {
355	.l3proto = PF_INET,	355	.l3proto = PF_INET,
356	.name = "ipv4",	356	.name = "ipv4",
357	.pkt_to_tuple = ipv4_pkt_to_tuple,	357	.pkt_to_tuple = ipv4_pkt_to_tuple,
358	.invert_tuple = ipv4_invert_tuple,	358	.invert_tuple = ipv4_invert_tuple,
359	.print_tuple = ipv4_print_tuple,	359	.print_tuple = ipv4_print_tuple,
360	.get_l4proto = ipv4_get_l4proto,	360	.get_l4proto = ipv4_get_l4proto,
361	#if defined(CONFIG_NF_CT_NETLINK) \|\| defined(CONFIG_NF_CT_NETLINK_MODULE)	361	#if defined(CONFIG_NF_CT_NETLINK) \|\| defined(CONFIG_NF_CT_NETLINK_MODULE)
362	.tuple_to_nlattr = ipv4_tuple_to_nlattr,	362	.tuple_to_nlattr = ipv4_tuple_to_nlattr,
363	.nlattr_tuple_size = ipv4_nlattr_tuple_size,	363	.nlattr_tuple_size = ipv4_nlattr_tuple_size,
364	.nlattr_to_tuple = ipv4_nlattr_to_tuple,	364	.nlattr_to_tuple = ipv4_nlattr_to_tuple,
365	.nla_policy = ipv4_nla_policy,	365	.nla_policy = ipv4_nla_policy,
366	#endif	366	#endif
367	#if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)	367	#if defined(CONFIG_SYSCTL) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
368	.ctl_table_path = "net/ipv4/netfilter",	368	.ctl_table_path = "net/ipv4/netfilter",
369	.ctl_table = ip_ct_sysctl_table,	369	.ctl_table = ip_ct_sysctl_table,
370	#endif	370	#endif
371	.me = THIS_MODULE,	371	.me = THIS_MODULE,
372	};	372	};
373		373
374	module_param_call(hashsize, nf_conntrack_set_hashsize, param_get_uint,	374	module_param_call(hashsize, nf_conntrack_set_hashsize, param_get_uint,
375	&nf_conntrack_htable_size, 0600);	375	&nf_conntrack_htable_size, 0600);
376		376
377	MODULE_ALIAS("nf_conntrack-" __stringify(AF_INET));	377	MODULE_ALIAS("nf_conntrack-" __stringify(AF_INET));
378	MODULE_ALIAS("ip_conntrack");	378	MODULE_ALIAS("ip_conntrack");
379	MODULE_LICENSE("GPL");	379	MODULE_LICENSE("GPL");
380		380
381	static int __init nf_conntrack_l3proto_ipv4_init(void)	381	static int __init nf_conntrack_l3proto_ipv4_init(void)
382	{	382	{
383	int ret = 0;	383	int ret = 0;
384		384
385	need_conntrack();	385	need_conntrack();
386	nf_defrag_ipv4_enable();	386	nf_defrag_ipv4_enable();
387		387
388	ret = nf_register_sockopt(&so_getorigdst);	388	ret = nf_register_sockopt(&so_getorigdst);
389	if (ret < 0) {	389	if (ret < 0) {
390	printk(KERN_ERR "Unable to register netfilter socket option\n");	390	printk(KERN_ERR "Unable to register netfilter socket option\n");
391	return ret;	391	return ret;
392	}	392	}
393		393
394	ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_tcp4);	394	ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_tcp4);
395	if (ret < 0) {	395	if (ret < 0) {
396	pr_err("nf_conntrack_ipv4: can't register tcp.\n");	396	pr_err("nf_conntrack_ipv4: can't register tcp.\n");
397	goto cleanup_sockopt;	397	goto cleanup_sockopt;
398	}	398	}
399		399
400	ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_udp4);	400	ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_udp4);
401	if (ret < 0) {	401	if (ret < 0) {
402	pr_err("nf_conntrack_ipv4: can't register udp.\n");	402	pr_err("nf_conntrack_ipv4: can't register udp.\n");
403	goto cleanup_tcp;	403	goto cleanup_tcp;
404	}	404	}
405		405
406	ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_icmp);	406	ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_icmp);
407	if (ret < 0) {	407	if (ret < 0) {
408	pr_err("nf_conntrack_ipv4: can't register icmp.\n");	408	pr_err("nf_conntrack_ipv4: can't register icmp.\n");
409	goto cleanup_udp;	409	goto cleanup_udp;
410	}	410	}
411		411
412	ret = nf_conntrack_l3proto_register(&nf_conntrack_l3proto_ipv4);	412	ret = nf_conntrack_l3proto_register(&nf_conntrack_l3proto_ipv4);
413	if (ret < 0) {	413	if (ret < 0) {
414	pr_err("nf_conntrack_ipv4: can't register ipv4\n");	414	pr_err("nf_conntrack_ipv4: can't register ipv4\n");
415	goto cleanup_icmp;	415	goto cleanup_icmp;
416	}	416	}
417		417
418	ret = nf_register_hooks(ipv4_conntrack_ops,	418	ret = nf_register_hooks(ipv4_conntrack_ops,
419	ARRAY_SIZE(ipv4_conntrack_ops));	419	ARRAY_SIZE(ipv4_conntrack_ops));
420	if (ret < 0) {	420	if (ret < 0) {
421	pr_err("nf_conntrack_ipv4: can't register hooks.\n");	421	pr_err("nf_conntrack_ipv4: can't register hooks.\n");
422	goto cleanup_ipv4;	422	goto cleanup_ipv4;
423	}	423	}
424	#if defined(CONFIG_PROC_FS) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)	424	#if defined(CONFIG_PROC_FS) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
425	ret = nf_conntrack_ipv4_compat_init();	425	ret = nf_conntrack_ipv4_compat_init();
426	if (ret < 0)	426	if (ret < 0)
427	goto cleanup_hooks;	427	goto cleanup_hooks;
428	#endif	428	#endif
429	return ret;	429	return ret;
430	#if defined(CONFIG_PROC_FS) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)	430	#if defined(CONFIG_PROC_FS) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
431	cleanup_hooks:	431	cleanup_hooks:
432	nf_unregister_hooks(ipv4_conntrack_ops, ARRAY_SIZE(ipv4_conntrack_ops));	432	nf_unregister_hooks(ipv4_conntrack_ops, ARRAY_SIZE(ipv4_conntrack_ops));
433	#endif	433	#endif
434	cleanup_ipv4:	434	cleanup_ipv4:
435	nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv4);	435	nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv4);
436	cleanup_icmp:	436	cleanup_icmp:
437	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_icmp);	437	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_icmp);
438	cleanup_udp:	438	cleanup_udp:
439	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_udp4);	439	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udp4);
440	cleanup_tcp:	440	cleanup_tcp:
441	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_tcp4);	441	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_tcp4);
442	cleanup_sockopt:	442	cleanup_sockopt:
443	nf_unregister_sockopt(&so_getorigdst);	443	nf_unregister_sockopt(&so_getorigdst);
444	return ret;	444	return ret;
445	}	445	}
446		446
447	static void __exit nf_conntrack_l3proto_ipv4_fini(void)	447	static void __exit nf_conntrack_l3proto_ipv4_fini(void)
448	{	448	{
449	synchronize_net();	449	synchronize_net();
450	#if defined(CONFIG_PROC_FS) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)	450	#if defined(CONFIG_PROC_FS) && defined(CONFIG_NF_CONNTRACK_PROC_COMPAT)
451	nf_conntrack_ipv4_compat_fini();	451	nf_conntrack_ipv4_compat_fini();
452	#endif	452	#endif
453	nf_unregister_hooks(ipv4_conntrack_ops, ARRAY_SIZE(ipv4_conntrack_ops));	453	nf_unregister_hooks(ipv4_conntrack_ops, ARRAY_SIZE(ipv4_conntrack_ops));
454	nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv4);	454	nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv4);
455	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_icmp);	455	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_icmp);
456	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_udp4);	456	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udp4);
457	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_tcp4);	457	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_tcp4);
458	nf_unregister_sockopt(&so_getorigdst);	458	nf_unregister_sockopt(&so_getorigdst);
459	}	459	}
460		460
461	module_init(nf_conntrack_l3proto_ipv4_init);	461	module_init(nf_conntrack_l3proto_ipv4_init);
462	module_exit(nf_conntrack_l3proto_ipv4_fini);	462	module_exit(nf_conntrack_l3proto_ipv4_fini);
463		463
464	void need_ipv4_conntrack(void)	464	void need_ipv4_conntrack(void)
465	{	465	{
466	return;	466	return;
467	}	467	}
468	EXPORT_SYMBOL_GPL(need_ipv4_conntrack);	468	EXPORT_SYMBOL_GPL(need_ipv4_conntrack);
469		469

net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c

Diff comments View file @ 2c352f4

1	/*	1	/*
2	* Copyright (C)2004 USAGI/WIDE Project	2	* Copyright (C)2004 USAGI/WIDE Project
3	*	3	*
4	* This program is free software; you can redistribute it and/or modify	4	* This program is free software; you can redistribute it and/or modify
5	* it under the terms of the GNU General Public License version 2 as	5	* it under the terms of the GNU General Public License version 2 as
6	* published by the Free Software Foundation.	6	* published by the Free Software Foundation.
7	*	7	*
8	* Author:	8	* Author:
9	* Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp>	9	* Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp>
10	*/	10	*/
11		11
12	#include <linux/types.h>	12	#include <linux/types.h>
13	#include <linux/ipv6.h>	13	#include <linux/ipv6.h>
14	#include <linux/in6.h>	14	#include <linux/in6.h>
15	#include <linux/netfilter.h>	15	#include <linux/netfilter.h>
16	#include <linux/module.h>	16	#include <linux/module.h>
17	#include <linux/skbuff.h>	17	#include <linux/skbuff.h>
18	#include <linux/icmp.h>	18	#include <linux/icmp.h>
19	#include <net/ipv6.h>	19	#include <net/ipv6.h>
20	#include <net/inet_frag.h>	20	#include <net/inet_frag.h>
21		21
22	#include <linux/netfilter_bridge.h>	22	#include <linux/netfilter_bridge.h>
23	#include <linux/netfilter_ipv6.h>	23	#include <linux/netfilter_ipv6.h>
24	#include <net/netfilter/nf_conntrack.h>	24	#include <net/netfilter/nf_conntrack.h>
25	#include <net/netfilter/nf_conntrack_helper.h>	25	#include <net/netfilter/nf_conntrack_helper.h>
26	#include <net/netfilter/nf_conntrack_l4proto.h>	26	#include <net/netfilter/nf_conntrack_l4proto.h>
27	#include <net/netfilter/nf_conntrack_l3proto.h>	27	#include <net/netfilter/nf_conntrack_l3proto.h>
28	#include <net/netfilter/nf_conntrack_core.h>	28	#include <net/netfilter/nf_conntrack_core.h>
29	#include <net/netfilter/nf_conntrack_zones.h>	29	#include <net/netfilter/nf_conntrack_zones.h>
30	#include <net/netfilter/ipv6/nf_conntrack_ipv6.h>	30	#include <net/netfilter/ipv6/nf_conntrack_ipv6.h>
31	#include <net/netfilter/ipv6/nf_defrag_ipv6.h>	31	#include <net/netfilter/ipv6/nf_defrag_ipv6.h>
32	#include <net/netfilter/nf_log.h>	32	#include <net/netfilter/nf_log.h>
33		33
34	static bool ipv6_pkt_to_tuple(const struct sk_buff *skb, unsigned int nhoff,	34	static bool ipv6_pkt_to_tuple(const struct sk_buff *skb, unsigned int nhoff,
35	struct nf_conntrack_tuple *tuple)	35	struct nf_conntrack_tuple *tuple)
36	{	36	{
37	const u_int32_t *ap;	37	const u_int32_t *ap;
38	u_int32_t _addrs[8];	38	u_int32_t _addrs[8];
39		39
40	ap = skb_header_pointer(skb, nhoff + offsetof(struct ipv6hdr, saddr),	40	ap = skb_header_pointer(skb, nhoff + offsetof(struct ipv6hdr, saddr),
41	sizeof(_addrs), _addrs);	41	sizeof(_addrs), _addrs);
42	if (ap == NULL)	42	if (ap == NULL)
43	return false;	43	return false;
44		44
45	memcpy(tuple->src.u3.ip6, ap, sizeof(tuple->src.u3.ip6));	45	memcpy(tuple->src.u3.ip6, ap, sizeof(tuple->src.u3.ip6));
46	memcpy(tuple->dst.u3.ip6, ap + 4, sizeof(tuple->dst.u3.ip6));	46	memcpy(tuple->dst.u3.ip6, ap + 4, sizeof(tuple->dst.u3.ip6));
47		47
48	return true;	48	return true;
49	}	49	}
50		50
51	static bool ipv6_invert_tuple(struct nf_conntrack_tuple *tuple,	51	static bool ipv6_invert_tuple(struct nf_conntrack_tuple *tuple,
52	const struct nf_conntrack_tuple *orig)	52	const struct nf_conntrack_tuple *orig)
53	{	53	{
54	memcpy(tuple->src.u3.ip6, orig->dst.u3.ip6, sizeof(tuple->src.u3.ip6));	54	memcpy(tuple->src.u3.ip6, orig->dst.u3.ip6, sizeof(tuple->src.u3.ip6));
55	memcpy(tuple->dst.u3.ip6, orig->src.u3.ip6, sizeof(tuple->dst.u3.ip6));	55	memcpy(tuple->dst.u3.ip6, orig->src.u3.ip6, sizeof(tuple->dst.u3.ip6));
56		56
57	return true;	57	return true;
58	}	58	}
59		59
60	static int ipv6_print_tuple(struct seq_file *s,	60	static int ipv6_print_tuple(struct seq_file *s,
61	const struct nf_conntrack_tuple *tuple)	61	const struct nf_conntrack_tuple *tuple)
62	{	62	{
63	return seq_printf(s, "src=%pI6 dst=%pI6 ",	63	return seq_printf(s, "src=%pI6 dst=%pI6 ",
64	tuple->src.u3.ip6, tuple->dst.u3.ip6);	64	tuple->src.u3.ip6, tuple->dst.u3.ip6);
65	}	65	}
66		66
67	/*	67	/*
68	* Based on ipv6_skip_exthdr() in net/ipv6/exthdr.c	68	* Based on ipv6_skip_exthdr() in net/ipv6/exthdr.c
69	*	69	*
70	* This function parses (probably truncated) exthdr set "hdr"	70	* This function parses (probably truncated) exthdr set "hdr"
71	* of length "len". "nexthdrp" initially points to some place,	71	* of length "len". "nexthdrp" initially points to some place,
72	* where type of the first header can be found.	72	* where type of the first header can be found.
73	*	73	*
74	* It skips all well-known exthdrs, and returns pointer to the start	74	* It skips all well-known exthdrs, and returns pointer to the start
75	* of unparsable area i.e. the first header with unknown type.	75	* of unparsable area i.e. the first header with unknown type.
76	* if success, *nexthdr is updated by type/protocol of this header.	76	* if success, *nexthdr is updated by type/protocol of this header.
77	*	77	*
78	* NOTES: - it may return pointer pointing beyond end of packet,	78	* NOTES: - it may return pointer pointing beyond end of packet,
79	* if the last recognized header is truncated in the middle.	79	* if the last recognized header is truncated in the middle.
80	* - if packet is truncated, so that all parsed headers are skipped,	80	* - if packet is truncated, so that all parsed headers are skipped,
81	* it returns -1.	81	* it returns -1.
82	* - if packet is fragmented, return pointer of the fragment header.	82	* - if packet is fragmented, return pointer of the fragment header.
83	* - ESP is unparsable for now and considered like	83	* - ESP is unparsable for now and considered like
84	* normal payload protocol.	84	* normal payload protocol.
85	* - Note also special handling of AUTH header. Thanks to IPsec wizards.	85	* - Note also special handling of AUTH header. Thanks to IPsec wizards.
86	*/	86	*/
87		87
88	static int nf_ct_ipv6_skip_exthdr(const struct sk_buff *skb, int start,	88	static int nf_ct_ipv6_skip_exthdr(const struct sk_buff *skb, int start,
89	u8 *nexthdrp, int len)	89	u8 *nexthdrp, int len)
90	{	90	{
91	u8 nexthdr = *nexthdrp;	91	u8 nexthdr = *nexthdrp;
92		92
93	while (ipv6_ext_hdr(nexthdr)) {	93	while (ipv6_ext_hdr(nexthdr)) {
94	struct ipv6_opt_hdr hdr;	94	struct ipv6_opt_hdr hdr;
95	int hdrlen;	95	int hdrlen;
96		96
97	if (len < (int)sizeof(struct ipv6_opt_hdr))	97	if (len < (int)sizeof(struct ipv6_opt_hdr))
98	return -1;	98	return -1;
99	if (nexthdr == NEXTHDR_NONE)	99	if (nexthdr == NEXTHDR_NONE)
100	break;	100	break;
101	if (nexthdr == NEXTHDR_FRAGMENT)	101	if (nexthdr == NEXTHDR_FRAGMENT)
102	break;	102	break;
103	if (skb_copy_bits(skb, start, &hdr, sizeof(hdr)))	103	if (skb_copy_bits(skb, start, &hdr, sizeof(hdr)))
104	BUG();	104	BUG();
105	if (nexthdr == NEXTHDR_AUTH)	105	if (nexthdr == NEXTHDR_AUTH)
106	hdrlen = (hdr.hdrlen+2)<<2;	106	hdrlen = (hdr.hdrlen+2)<<2;
107	else	107	else
108	hdrlen = ipv6_optlen(&hdr);	108	hdrlen = ipv6_optlen(&hdr);
109		109
110	nexthdr = hdr.nexthdr;	110	nexthdr = hdr.nexthdr;
111	len -= hdrlen;	111	len -= hdrlen;
112	start += hdrlen;	112	start += hdrlen;
113	}	113	}
114		114
115	*nexthdrp = nexthdr;	115	*nexthdrp = nexthdr;
116	return start;	116	return start;
117	}	117	}
118		118
119	static int ipv6_get_l4proto(const struct sk_buff *skb, unsigned int nhoff,	119	static int ipv6_get_l4proto(const struct sk_buff *skb, unsigned int nhoff,
120	unsigned int dataoff, u_int8_t protonum)	120	unsigned int dataoff, u_int8_t protonum)
121	{	121	{
122	unsigned int extoff = nhoff + sizeof(struct ipv6hdr);	122	unsigned int extoff = nhoff + sizeof(struct ipv6hdr);
123	unsigned char pnum;	123	unsigned char pnum;
124	int protoff;	124	int protoff;
125		125
126	if (skb_copy_bits(skb, nhoff + offsetof(struct ipv6hdr, nexthdr),	126	if (skb_copy_bits(skb, nhoff + offsetof(struct ipv6hdr, nexthdr),
127	&pnum, sizeof(pnum)) != 0) {	127	&pnum, sizeof(pnum)) != 0) {
128	pr_debug("ip6_conntrack_core: can't get nexthdr\n");	128	pr_debug("ip6_conntrack_core: can't get nexthdr\n");
129	return -NF_ACCEPT;	129	return -NF_ACCEPT;
130	}	130	}
131	protoff = nf_ct_ipv6_skip_exthdr(skb, extoff, &pnum, skb->len - extoff);	131	protoff = nf_ct_ipv6_skip_exthdr(skb, extoff, &pnum, skb->len - extoff);
132	/*	132	/*
133	* (protoff == skb->len) mean that the packet doesn't have no data	133	* (protoff == skb->len) mean that the packet doesn't have no data
134	* except of IPv6 & ext headers. but it's tracked anyway. - YK	134	* except of IPv6 & ext headers. but it's tracked anyway. - YK
135	*/	135	*/
136	if ((protoff < 0) \|\| (protoff > skb->len)) {	136	if ((protoff < 0) \|\| (protoff > skb->len)) {
137	pr_debug("ip6_conntrack_core: can't find proto in pkt\n");	137	pr_debug("ip6_conntrack_core: can't find proto in pkt\n");
138	return -NF_ACCEPT;	138	return -NF_ACCEPT;
139	}	139	}
140		140
141	*dataoff = protoff;	141	*dataoff = protoff;
142	*protonum = pnum;	142	*protonum = pnum;
143	return NF_ACCEPT;	143	return NF_ACCEPT;
144	}	144	}
145		145
146	static unsigned int ipv6_confirm(unsigned int hooknum,	146	static unsigned int ipv6_confirm(unsigned int hooknum,
147	struct sk_buff *skb,	147	struct sk_buff *skb,
148	const struct net_device *in,	148	const struct net_device *in,
149	const struct net_device *out,	149	const struct net_device *out,
150	int (okfn)(struct sk_buff ))	150	int (okfn)(struct sk_buff ))
151	{	151	{
152	struct nf_conn *ct;	152	struct nf_conn *ct;
153	const struct nf_conn_help *help;	153	const struct nf_conn_help *help;
154	const struct nf_conntrack_helper *helper;	154	const struct nf_conntrack_helper *helper;
155	enum ip_conntrack_info ctinfo;	155	enum ip_conntrack_info ctinfo;
156	unsigned int ret, protoff;	156	unsigned int ret, protoff;
157	unsigned int extoff = (u8 *)(ipv6_hdr(skb) + 1) - skb->data;	157	unsigned int extoff = (u8 *)(ipv6_hdr(skb) + 1) - skb->data;
158	unsigned char pnum = ipv6_hdr(skb)->nexthdr;	158	unsigned char pnum = ipv6_hdr(skb)->nexthdr;
159		159
160		160
161	/* This is where we call the helper: as the packet goes out. */	161	/* This is where we call the helper: as the packet goes out. */
162	ct = nf_ct_get(skb, &ctinfo);	162	ct = nf_ct_get(skb, &ctinfo);
163	if (!ct \|\| ctinfo == IP_CT_RELATED_REPLY)	163	if (!ct \|\| ctinfo == IP_CT_RELATED_REPLY)
164	goto out;	164	goto out;
165		165
166	help = nfct_help(ct);	166	help = nfct_help(ct);
167	if (!help)	167	if (!help)
168	goto out;	168	goto out;
169	/* rcu_read_lock()ed by nf_hook_slow */	169	/* rcu_read_lock()ed by nf_hook_slow */
170	helper = rcu_dereference(help->helper);	170	helper = rcu_dereference(help->helper);
171	if (!helper)	171	if (!helper)
172	goto out;	172	goto out;
173		173
174	protoff = nf_ct_ipv6_skip_exthdr(skb, extoff, &pnum,	174	protoff = nf_ct_ipv6_skip_exthdr(skb, extoff, &pnum,
175	skb->len - extoff);	175	skb->len - extoff);
176	if (protoff > skb->len \|\| pnum == NEXTHDR_FRAGMENT) {	176	if (protoff > skb->len \|\| pnum == NEXTHDR_FRAGMENT) {
177	pr_debug("proto header not found\n");	177	pr_debug("proto header not found\n");
178	return NF_ACCEPT;	178	return NF_ACCEPT;
179	}	179	}
180		180
181	ret = helper->help(skb, protoff, ct, ctinfo);	181	ret = helper->help(skb, protoff, ct, ctinfo);
182	if (ret != NF_ACCEPT) {	182	if (ret != NF_ACCEPT) {
183	nf_log_packet(NFPROTO_IPV6, hooknum, skb, in, out, NULL,	183	nf_log_packet(NFPROTO_IPV6, hooknum, skb, in, out, NULL,
184	"nf_ct_%s: dropping packet", helper->name);	184	"nf_ct_%s: dropping packet", helper->name);
185	return ret;	185	return ret;
186	}	186	}
187	out:	187	out:
188	/* We've seen it coming out the other side: confirm it */	188	/* We've seen it coming out the other side: confirm it */
189	return nf_conntrack_confirm(skb);	189	return nf_conntrack_confirm(skb);
190	}	190	}
191		191
192	static unsigned int __ipv6_conntrack_in(struct net *net,	192	static unsigned int __ipv6_conntrack_in(struct net *net,
193	unsigned int hooknum,	193	unsigned int hooknum,
194	struct sk_buff *skb,	194	struct sk_buff *skb,
195	int (okfn)(struct sk_buff ))	195	int (okfn)(struct sk_buff ))
196	{	196	{
197	struct sk_buff *reasm = skb->nfct_reasm;	197	struct sk_buff *reasm = skb->nfct_reasm;
198		198
199	/* This packet is fragmented and has reassembled packet. */	199	/* This packet is fragmented and has reassembled packet. */
200	if (reasm) {	200	if (reasm) {
201	/* Reassembled packet isn't parsed yet ? */	201	/* Reassembled packet isn't parsed yet ? */
202	if (!reasm->nfct) {	202	if (!reasm->nfct) {
203	unsigned int ret;	203	unsigned int ret;
204		204
205	ret = nf_conntrack_in(net, PF_INET6, hooknum, reasm);	205	ret = nf_conntrack_in(net, PF_INET6, hooknum, reasm);
206	if (ret != NF_ACCEPT)	206	if (ret != NF_ACCEPT)
207	return ret;	207	return ret;
208	}	208	}
209	nf_conntrack_get(reasm->nfct);	209	nf_conntrack_get(reasm->nfct);
210	skb->nfct = reasm->nfct;	210	skb->nfct = reasm->nfct;
211	skb->nfctinfo = reasm->nfctinfo;	211	skb->nfctinfo = reasm->nfctinfo;
212	return NF_ACCEPT;	212	return NF_ACCEPT;
213	}	213	}
214		214
215	return nf_conntrack_in(net, PF_INET6, hooknum, skb);	215	return nf_conntrack_in(net, PF_INET6, hooknum, skb);
216	}	216	}
217		217
218	static unsigned int ipv6_conntrack_in(unsigned int hooknum,	218	static unsigned int ipv6_conntrack_in(unsigned int hooknum,
219	struct sk_buff *skb,	219	struct sk_buff *skb,
220	const struct net_device *in,	220	const struct net_device *in,
221	const struct net_device *out,	221	const struct net_device *out,
222	int (okfn)(struct sk_buff ))	222	int (okfn)(struct sk_buff ))
223	{	223	{
224	return __ipv6_conntrack_in(dev_net(in), hooknum, skb, okfn);	224	return __ipv6_conntrack_in(dev_net(in), hooknum, skb, okfn);
225	}	225	}
226		226
227	static unsigned int ipv6_conntrack_local(unsigned int hooknum,	227	static unsigned int ipv6_conntrack_local(unsigned int hooknum,
228	struct sk_buff *skb,	228	struct sk_buff *skb,
229	const struct net_device *in,	229	const struct net_device *in,
230	const struct net_device *out,	230	const struct net_device *out,
231	int (okfn)(struct sk_buff ))	231	int (okfn)(struct sk_buff ))
232	{	232	{
233	/* root is playing with raw sockets. */	233	/* root is playing with raw sockets. */
234	if (skb->len < sizeof(struct ipv6hdr)) {	234	if (skb->len < sizeof(struct ipv6hdr)) {
235	net_notice_ratelimited("ipv6_conntrack_local: packet too short\n");	235	net_notice_ratelimited("ipv6_conntrack_local: packet too short\n");
236	return NF_ACCEPT;	236	return NF_ACCEPT;
237	}	237	}
238	return __ipv6_conntrack_in(dev_net(out), hooknum, skb, okfn);	238	return __ipv6_conntrack_in(dev_net(out), hooknum, skb, okfn);
239	}	239	}
240		240
241	static struct nf_hook_ops ipv6_conntrack_ops[] __read_mostly = {	241	static struct nf_hook_ops ipv6_conntrack_ops[] __read_mostly = {
242	{	242	{
243	.hook = ipv6_conntrack_in,	243	.hook = ipv6_conntrack_in,
244	.owner = THIS_MODULE,	244	.owner = THIS_MODULE,
245	.pf = NFPROTO_IPV6,	245	.pf = NFPROTO_IPV6,
246	.hooknum = NF_INET_PRE_ROUTING,	246	.hooknum = NF_INET_PRE_ROUTING,
247	.priority = NF_IP6_PRI_CONNTRACK,	247	.priority = NF_IP6_PRI_CONNTRACK,
248	},	248	},
249	{	249	{
250	.hook = ipv6_conntrack_local,	250	.hook = ipv6_conntrack_local,
251	.owner = THIS_MODULE,	251	.owner = THIS_MODULE,
252	.pf = NFPROTO_IPV6,	252	.pf = NFPROTO_IPV6,
253	.hooknum = NF_INET_LOCAL_OUT,	253	.hooknum = NF_INET_LOCAL_OUT,
254	.priority = NF_IP6_PRI_CONNTRACK,	254	.priority = NF_IP6_PRI_CONNTRACK,
255	},	255	},
256	{	256	{
257	.hook = ipv6_confirm,	257	.hook = ipv6_confirm,
258	.owner = THIS_MODULE,	258	.owner = THIS_MODULE,
259	.pf = NFPROTO_IPV6,	259	.pf = NFPROTO_IPV6,
260	.hooknum = NF_INET_POST_ROUTING,	260	.hooknum = NF_INET_POST_ROUTING,
261	.priority = NF_IP6_PRI_LAST,	261	.priority = NF_IP6_PRI_LAST,
262	},	262	},
263	{	263	{
264	.hook = ipv6_confirm,	264	.hook = ipv6_confirm,
265	.owner = THIS_MODULE,	265	.owner = THIS_MODULE,
266	.pf = NFPROTO_IPV6,	266	.pf = NFPROTO_IPV6,
267	.hooknum = NF_INET_LOCAL_IN,	267	.hooknum = NF_INET_LOCAL_IN,
268	.priority = NF_IP6_PRI_LAST-1,	268	.priority = NF_IP6_PRI_LAST-1,
269	},	269	},
270	};	270	};
271		271
272	#if defined(CONFIG_NF_CT_NETLINK) \|\| defined(CONFIG_NF_CT_NETLINK_MODULE)	272	#if defined(CONFIG_NF_CT_NETLINK) \|\| defined(CONFIG_NF_CT_NETLINK_MODULE)
273		273
274	#include <linux/netfilter/nfnetlink.h>	274	#include <linux/netfilter/nfnetlink.h>
275	#include <linux/netfilter/nfnetlink_conntrack.h>	275	#include <linux/netfilter/nfnetlink_conntrack.h>
276		276
277	static int ipv6_tuple_to_nlattr(struct sk_buff *skb,	277	static int ipv6_tuple_to_nlattr(struct sk_buff *skb,
278	const struct nf_conntrack_tuple *tuple)	278	const struct nf_conntrack_tuple *tuple)
279	{	279	{
280	if (nla_put(skb, CTA_IP_V6_SRC, sizeof(u_int32_t) * 4,	280	if (nla_put(skb, CTA_IP_V6_SRC, sizeof(u_int32_t) * 4,
281	&tuple->src.u3.ip6) \|\|	281	&tuple->src.u3.ip6) \|\|
282	nla_put(skb, CTA_IP_V6_DST, sizeof(u_int32_t) * 4,	282	nla_put(skb, CTA_IP_V6_DST, sizeof(u_int32_t) * 4,
283	&tuple->dst.u3.ip6))	283	&tuple->dst.u3.ip6))
284	goto nla_put_failure;	284	goto nla_put_failure;
285	return 0;	285	return 0;
286		286
287	nla_put_failure:	287	nla_put_failure:
288	return -1;	288	return -1;
289	}	289	}
290		290
291	static const struct nla_policy ipv6_nla_policy[CTA_IP_MAX+1] = {	291	static const struct nla_policy ipv6_nla_policy[CTA_IP_MAX+1] = {
292	[CTA_IP_V6_SRC] = { .len = sizeof(u_int32_t)*4 },	292	[CTA_IP_V6_SRC] = { .len = sizeof(u_int32_t)*4 },
293	[CTA_IP_V6_DST] = { .len = sizeof(u_int32_t)*4 },	293	[CTA_IP_V6_DST] = { .len = sizeof(u_int32_t)*4 },
294	};	294	};
295		295
296	static int ipv6_nlattr_to_tuple(struct nlattr *tb[],	296	static int ipv6_nlattr_to_tuple(struct nlattr *tb[],
297	struct nf_conntrack_tuple *t)	297	struct nf_conntrack_tuple *t)
298	{	298	{
299	if (!tb[CTA_IP_V6_SRC] \|\| !tb[CTA_IP_V6_DST])	299	if (!tb[CTA_IP_V6_SRC] \|\| !tb[CTA_IP_V6_DST])
300	return -EINVAL;	300	return -EINVAL;
301		301
302	memcpy(&t->src.u3.ip6, nla_data(tb[CTA_IP_V6_SRC]),	302	memcpy(&t->src.u3.ip6, nla_data(tb[CTA_IP_V6_SRC]),
303	sizeof(u_int32_t) * 4);	303	sizeof(u_int32_t) * 4);
304	memcpy(&t->dst.u3.ip6, nla_data(tb[CTA_IP_V6_DST]),	304	memcpy(&t->dst.u3.ip6, nla_data(tb[CTA_IP_V6_DST]),
305	sizeof(u_int32_t) * 4);	305	sizeof(u_int32_t) * 4);
306		306
307	return 0;	307	return 0;
308	}	308	}
309		309
310	static int ipv6_nlattr_tuple_size(void)	310	static int ipv6_nlattr_tuple_size(void)
311	{	311	{
312	return nla_policy_len(ipv6_nla_policy, CTA_IP_MAX + 1);	312	return nla_policy_len(ipv6_nla_policy, CTA_IP_MAX + 1);
313	}	313	}
314	#endif	314	#endif
315		315
316	struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv6 __read_mostly = {	316	struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv6 __read_mostly = {
317	.l3proto = PF_INET6,	317	.l3proto = PF_INET6,
318	.name = "ipv6",	318	.name = "ipv6",
319	.pkt_to_tuple = ipv6_pkt_to_tuple,	319	.pkt_to_tuple = ipv6_pkt_to_tuple,
320	.invert_tuple = ipv6_invert_tuple,	320	.invert_tuple = ipv6_invert_tuple,
321	.print_tuple = ipv6_print_tuple,	321	.print_tuple = ipv6_print_tuple,
322	.get_l4proto = ipv6_get_l4proto,	322	.get_l4proto = ipv6_get_l4proto,
323	#if defined(CONFIG_NF_CT_NETLINK) \|\| defined(CONFIG_NF_CT_NETLINK_MODULE)	323	#if defined(CONFIG_NF_CT_NETLINK) \|\| defined(CONFIG_NF_CT_NETLINK_MODULE)
324	.tuple_to_nlattr = ipv6_tuple_to_nlattr,	324	.tuple_to_nlattr = ipv6_tuple_to_nlattr,
325	.nlattr_tuple_size = ipv6_nlattr_tuple_size,	325	.nlattr_tuple_size = ipv6_nlattr_tuple_size,
326	.nlattr_to_tuple = ipv6_nlattr_to_tuple,	326	.nlattr_to_tuple = ipv6_nlattr_to_tuple,
327	.nla_policy = ipv6_nla_policy,	327	.nla_policy = ipv6_nla_policy,
328	#endif	328	#endif
329	.me = THIS_MODULE,	329	.me = THIS_MODULE,
330	};	330	};
331		331
332	MODULE_ALIAS("nf_conntrack-" __stringify(AF_INET6));	332	MODULE_ALIAS("nf_conntrack-" __stringify(AF_INET6));
333	MODULE_LICENSE("GPL");	333	MODULE_LICENSE("GPL");
334	MODULE_AUTHOR("Yasuyuki KOZAKAI @USAGI <yasuyuki.kozakai@toshiba.co.jp>");	334	MODULE_AUTHOR("Yasuyuki KOZAKAI @USAGI <yasuyuki.kozakai@toshiba.co.jp>");
335		335
336	static int __init nf_conntrack_l3proto_ipv6_init(void)	336	static int __init nf_conntrack_l3proto_ipv6_init(void)
337	{	337	{
338	int ret = 0;	338	int ret = 0;
339		339
340	need_conntrack();	340	need_conntrack();
341	nf_defrag_ipv6_enable();	341	nf_defrag_ipv6_enable();
342		342
343	ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_tcp6);	343	ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_tcp6);
344	if (ret < 0) {	344	if (ret < 0) {
345	pr_err("nf_conntrack_ipv6: can't register tcp.\n");	345	pr_err("nf_conntrack_ipv6: can't register tcp.\n");
346	return ret;	346	return ret;
347	}	347	}
348		348
349	ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_udp6);	349	ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_udp6);
350	if (ret < 0) {	350	if (ret < 0) {
351	pr_err("nf_conntrack_ipv6: can't register udp.\n");	351	pr_err("nf_conntrack_ipv6: can't register udp.\n");
352	goto cleanup_tcp;	352	goto cleanup_tcp;
353	}	353	}
354		354
355	ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_icmpv6);	355	ret = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_icmpv6);
356	if (ret < 0) {	356	if (ret < 0) {
357	pr_err("nf_conntrack_ipv6: can't register icmpv6.\n");	357	pr_err("nf_conntrack_ipv6: can't register icmpv6.\n");
358	goto cleanup_udp;	358	goto cleanup_udp;
359	}	359	}
360		360
361	ret = nf_conntrack_l3proto_register(&nf_conntrack_l3proto_ipv6);	361	ret = nf_conntrack_l3proto_register(&nf_conntrack_l3proto_ipv6);
362	if (ret < 0) {	362	if (ret < 0) {
363	pr_err("nf_conntrack_ipv6: can't register ipv6\n");	363	pr_err("nf_conntrack_ipv6: can't register ipv6\n");
364	goto cleanup_icmpv6;	364	goto cleanup_icmpv6;
365	}	365	}
366		366
367	ret = nf_register_hooks(ipv6_conntrack_ops,	367	ret = nf_register_hooks(ipv6_conntrack_ops,
368	ARRAY_SIZE(ipv6_conntrack_ops));	368	ARRAY_SIZE(ipv6_conntrack_ops));
369	if (ret < 0) {	369	if (ret < 0) {
370	pr_err("nf_conntrack_ipv6: can't register pre-routing defrag "	370	pr_err("nf_conntrack_ipv6: can't register pre-routing defrag "
371	"hook.\n");	371	"hook.\n");
372	goto cleanup_ipv6;	372	goto cleanup_ipv6;
373	}	373	}
374	return ret;	374	return ret;
375		375
376	cleanup_ipv6:	376	cleanup_ipv6:
377	nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv6);	377	nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv6);
378	cleanup_icmpv6:	378	cleanup_icmpv6:
379	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_icmpv6);	379	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_icmpv6);
380	cleanup_udp:	380	cleanup_udp:
381	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_udp6);	381	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udp6);
382	cleanup_tcp:	382	cleanup_tcp:
383	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_tcp6);	383	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_tcp6);
384	return ret;	384	return ret;
385	}	385	}
386		386
387	static void __exit nf_conntrack_l3proto_ipv6_fini(void)	387	static void __exit nf_conntrack_l3proto_ipv6_fini(void)
388	{	388	{
389	synchronize_net();	389	synchronize_net();
390	nf_unregister_hooks(ipv6_conntrack_ops, ARRAY_SIZE(ipv6_conntrack_ops));	390	nf_unregister_hooks(ipv6_conntrack_ops, ARRAY_SIZE(ipv6_conntrack_ops));
391	nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv6);	391	nf_conntrack_l3proto_unregister(&nf_conntrack_l3proto_ipv6);
392	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_icmpv6);	392	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_icmpv6);
393	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_udp6);	393	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udp6);
394	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_tcp6);	394	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_tcp6);
395	}	395	}
396		396
397	module_init(nf_conntrack_l3proto_ipv6_init);	397	module_init(nf_conntrack_l3proto_ipv6_init);
398	module_exit(nf_conntrack_l3proto_ipv6_fini);	398	module_exit(nf_conntrack_l3proto_ipv6_fini);
399		399

net/netfilter/nf_conntrack_proto.c

Diff comments View file @ 2c352f4

1	/* L3/L4 protocol support for nf_conntrack. */	1	/* L3/L4 protocol support for nf_conntrack. */
2		2
3	/* (C) 1999-2001 Paul `Rusty' Russell	3	/* (C) 1999-2001 Paul `Rusty' Russell
4	* (C) 2002-2006 Netfilter Core Team <coreteam@netfilter.org>	4	* (C) 2002-2006 Netfilter Core Team <coreteam@netfilter.org>
5	* (C) 2003,2004 USAGI/WIDE Project <http://www.linux-ipv6.org>	5	* (C) 2003,2004 USAGI/WIDE Project <http://www.linux-ipv6.org>
6	*	6	*
7	* This program is free software; you can redistribute it and/or modify	7	* This program is free software; you can redistribute it and/or modify
8	* it under the terms of the GNU General Public License version 2 as	8	* it under the terms of the GNU General Public License version 2 as
9	* published by the Free Software Foundation.	9	* published by the Free Software Foundation.
10	*/	10	*/
11		11
12	#include <linux/types.h>	12	#include <linux/types.h>
13	#include <linux/netfilter.h>	13	#include <linux/netfilter.h>
14	#include <linux/module.h>	14	#include <linux/module.h>
15	#include <linux/slab.h>	15	#include <linux/slab.h>
16	#include <linux/mutex.h>	16	#include <linux/mutex.h>
17	#include <linux/vmalloc.h>	17	#include <linux/vmalloc.h>
18	#include <linux/stddef.h>	18	#include <linux/stddef.h>
19	#include <linux/err.h>	19	#include <linux/err.h>
20	#include <linux/percpu.h>	20	#include <linux/percpu.h>
21	#include <linux/notifier.h>	21	#include <linux/notifier.h>
22	#include <linux/kernel.h>	22	#include <linux/kernel.h>
23	#include <linux/netdevice.h>	23	#include <linux/netdevice.h>
24	#include <linux/rtnetlink.h>	24	#include <linux/rtnetlink.h>
25		25
26	#include <net/netfilter/nf_conntrack.h>	26	#include <net/netfilter/nf_conntrack.h>
27	#include <net/netfilter/nf_conntrack_l3proto.h>	27	#include <net/netfilter/nf_conntrack_l3proto.h>
28	#include <net/netfilter/nf_conntrack_l4proto.h>	28	#include <net/netfilter/nf_conntrack_l4proto.h>
29	#include <net/netfilter/nf_conntrack_core.h>	29	#include <net/netfilter/nf_conntrack_core.h>
30		30
31	static struct nf_conntrack_l4proto __rcu **nf_ct_protos[PF_MAX] __read_mostly;	31	static struct nf_conntrack_l4proto __rcu **nf_ct_protos[PF_MAX] __read_mostly;
32	struct nf_conntrack_l3proto __rcu *nf_ct_l3protos[AF_MAX] __read_mostly;	32	struct nf_conntrack_l3proto __rcu *nf_ct_l3protos[AF_MAX] __read_mostly;
33	EXPORT_SYMBOL_GPL(nf_ct_l3protos);	33	EXPORT_SYMBOL_GPL(nf_ct_l3protos);
34		34
35	static DEFINE_MUTEX(nf_ct_proto_mutex);	35	static DEFINE_MUTEX(nf_ct_proto_mutex);
36		36
37	#ifdef CONFIG_SYSCTL	37	#ifdef CONFIG_SYSCTL
38	static int	38	static int
39	nf_ct_register_sysctl(struct ctl_table_header *header, const char path,	39	nf_ct_register_sysctl(struct net *net,
40	struct ctl_table table, unsigned int users)	40	struct ctl_table_header **header,
		41	const char *path,
		42	struct ctl_table *table,
		43	unsigned int *users)
41	{	44	{
42	if (*header == NULL) {	45	if (*header == NULL) {
43	*header = register_net_sysctl(&init_net, path, table);	46	*header = register_net_sysctl(net, path, table);
44	if (*header == NULL)	47	if (*header == NULL)
45	return -ENOMEM;	48	return -ENOMEM;
46	}	49	}
47	if (users != NULL)	50	if (users != NULL)
48	(*users)++;	51	(*users)++;
		52
49	return 0;	53	return 0;
50	}	54	}
51		55
52	static void	56	static void
53	nf_ct_unregister_sysctl(struct ctl_table_header **header,	57	nf_ct_unregister_sysctl(struct ctl_table_header **header,
54	struct ctl_table table, unsigned int users)	58	struct ctl_table **table,
		59	unsigned int *users)
55	{	60	{
56	if (users != NULL && --*users > 0)	61	if (users != NULL && --*users > 0)
57	return;	62	return;
58		63
59	unregister_net_sysctl_table(*header);	64	unregister_net_sysctl_table(*header);
		65	kfree(*table);
60	*header = NULL;	66	*header = NULL;
		67	*table = NULL;
61	}	68	}
62	#endif	69	#endif
63		70
64	struct nf_conntrack_l4proto *	71	struct nf_conntrack_l4proto *
65	__nf_ct_l4proto_find(u_int16_t l3proto, u_int8_t l4proto)	72	__nf_ct_l4proto_find(u_int16_t l3proto, u_int8_t l4proto)
66	{	73	{
67	if (unlikely(l3proto >= AF_MAX \|\| nf_ct_protos[l3proto] == NULL))	74	if (unlikely(l3proto >= AF_MAX \|\| nf_ct_protos[l3proto] == NULL))
68	return &nf_conntrack_l4proto_generic;	75	return &nf_conntrack_l4proto_generic;
69		76
70	return rcu_dereference(nf_ct_protos[l3proto][l4proto]);	77	return rcu_dereference(nf_ct_protos[l3proto][l4proto]);
71	}	78	}
72	EXPORT_SYMBOL_GPL(__nf_ct_l4proto_find);	79	EXPORT_SYMBOL_GPL(__nf_ct_l4proto_find);
73		80
74	/* this is guaranteed to always return a valid protocol helper, since	81	/* this is guaranteed to always return a valid protocol helper, since
75	* it falls back to generic_protocol */	82	* it falls back to generic_protocol */
76	struct nf_conntrack_l3proto *	83	struct nf_conntrack_l3proto *
77	nf_ct_l3proto_find_get(u_int16_t l3proto)	84	nf_ct_l3proto_find_get(u_int16_t l3proto)
78	{	85	{
79	struct nf_conntrack_l3proto *p;	86	struct nf_conntrack_l3proto *p;
80		87
81	rcu_read_lock();	88	rcu_read_lock();
82	p = __nf_ct_l3proto_find(l3proto);	89	p = __nf_ct_l3proto_find(l3proto);
83	if (!try_module_get(p->me))	90	if (!try_module_get(p->me))
84	p = &nf_conntrack_l3proto_generic;	91	p = &nf_conntrack_l3proto_generic;
85	rcu_read_unlock();	92	rcu_read_unlock();
86		93
87	return p;	94	return p;
88	}	95	}
89	EXPORT_SYMBOL_GPL(nf_ct_l3proto_find_get);	96	EXPORT_SYMBOL_GPL(nf_ct_l3proto_find_get);
90		97
91	void nf_ct_l3proto_put(struct nf_conntrack_l3proto *p)	98	void nf_ct_l3proto_put(struct nf_conntrack_l3proto *p)
92	{	99	{
93	module_put(p->me);	100	module_put(p->me);
94	}	101	}
95	EXPORT_SYMBOL_GPL(nf_ct_l3proto_put);	102	EXPORT_SYMBOL_GPL(nf_ct_l3proto_put);
96		103
97	int	104	int
98	nf_ct_l3proto_try_module_get(unsigned short l3proto)	105	nf_ct_l3proto_try_module_get(unsigned short l3proto)
99	{	106	{
100	int ret;	107	int ret;
101	struct nf_conntrack_l3proto *p;	108	struct nf_conntrack_l3proto *p;
102		109
103	retry: p = nf_ct_l3proto_find_get(l3proto);	110	retry: p = nf_ct_l3proto_find_get(l3proto);
104	if (p == &nf_conntrack_l3proto_generic) {	111	if (p == &nf_conntrack_l3proto_generic) {
105	ret = request_module("nf_conntrack-%d", l3proto);	112	ret = request_module("nf_conntrack-%d", l3proto);
106	if (!ret)	113	if (!ret)
107	goto retry;	114	goto retry;
108		115
109	return -EPROTOTYPE;	116	return -EPROTOTYPE;
110	}	117	}
111		118
112	return 0;	119	return 0;
113	}	120	}
114	EXPORT_SYMBOL_GPL(nf_ct_l3proto_try_module_get);	121	EXPORT_SYMBOL_GPL(nf_ct_l3proto_try_module_get);
115		122
116	void nf_ct_l3proto_module_put(unsigned short l3proto)	123	void nf_ct_l3proto_module_put(unsigned short l3proto)
117	{	124	{
118	struct nf_conntrack_l3proto *p;	125	struct nf_conntrack_l3proto *p;
119		126
120	/* rcu_read_lock not necessary since the caller holds a reference, but	127	/* rcu_read_lock not necessary since the caller holds a reference, but
121	* taken anyways to avoid lockdep warnings in __nf_ct_l3proto_find()	128	* taken anyways to avoid lockdep warnings in __nf_ct_l3proto_find()
122	*/	129	*/
123	rcu_read_lock();	130	rcu_read_lock();
124	p = __nf_ct_l3proto_find(l3proto);	131	p = __nf_ct_l3proto_find(l3proto);
125	module_put(p->me);	132	module_put(p->me);
126	rcu_read_unlock();	133	rcu_read_unlock();
127	}	134	}
128	EXPORT_SYMBOL_GPL(nf_ct_l3proto_module_put);	135	EXPORT_SYMBOL_GPL(nf_ct_l3proto_module_put);
129		136
130	struct nf_conntrack_l4proto *	137	struct nf_conntrack_l4proto *
131	nf_ct_l4proto_find_get(u_int16_t l3num, u_int8_t l4num)	138	nf_ct_l4proto_find_get(u_int16_t l3num, u_int8_t l4num)
132	{	139	{
133	struct nf_conntrack_l4proto *p;	140	struct nf_conntrack_l4proto *p;
134		141
135	rcu_read_lock();	142	rcu_read_lock();
136	p = __nf_ct_l4proto_find(l3num, l4num);	143	p = __nf_ct_l4proto_find(l3num, l4num);
137	if (!try_module_get(p->me))	144	if (!try_module_get(p->me))
138	p = &nf_conntrack_l4proto_generic;	145	p = &nf_conntrack_l4proto_generic;
139	rcu_read_unlock();	146	rcu_read_unlock();
140		147
141	return p;	148	return p;
142	}	149	}
143	EXPORT_SYMBOL_GPL(nf_ct_l4proto_find_get);	150	EXPORT_SYMBOL_GPL(nf_ct_l4proto_find_get);
144		151
145	void nf_ct_l4proto_put(struct nf_conntrack_l4proto *p)	152	void nf_ct_l4proto_put(struct nf_conntrack_l4proto *p)
146	{	153	{
147	module_put(p->me);	154	module_put(p->me);
148	}	155	}
149	EXPORT_SYMBOL_GPL(nf_ct_l4proto_put);	156	EXPORT_SYMBOL_GPL(nf_ct_l4proto_put);
150		157
151	static int kill_l3proto(struct nf_conn i, void data)	158	static int kill_l3proto(struct nf_conn i, void data)
152	{	159	{
153	return nf_ct_l3num(i) == ((struct nf_conntrack_l3proto *)data)->l3proto;	160	return nf_ct_l3num(i) == ((struct nf_conntrack_l3proto *)data)->l3proto;
154	}	161	}
155		162
156	static int kill_l4proto(struct nf_conn i, void data)	163	static int kill_l4proto(struct nf_conn i, void data)
157	{	164	{
158	struct nf_conntrack_l4proto *l4proto;	165	struct nf_conntrack_l4proto *l4proto;
159	l4proto = (struct nf_conntrack_l4proto *)data;	166	l4proto = (struct nf_conntrack_l4proto *)data;
160	return nf_ct_protonum(i) == l4proto->l4proto &&	167	return nf_ct_protonum(i) == l4proto->l4proto &&
161	nf_ct_l3num(i) == l4proto->l3proto;	168	nf_ct_l3num(i) == l4proto->l3proto;
162	}	169	}
163		170
164	static int nf_ct_l3proto_register_sysctl(struct nf_conntrack_l3proto *l3proto)	171	static int nf_ct_l3proto_register_sysctl(struct nf_conntrack_l3proto *l3proto)
165	{	172	{
166	int err = 0;	173	int err = 0;
167		174
168	#ifdef CONFIG_SYSCTL	175	#ifdef CONFIG_SYSCTL
169	if (l3proto->ctl_table != NULL) {	176	if (l3proto->ctl_table != NULL) {
170	err = nf_ct_register_sysctl(&l3proto->ctl_table_header,	177	err = nf_ct_register_sysctl(&init_net,
		178	&l3proto->ctl_table_header,
171	l3proto->ctl_table_path,	179	l3proto->ctl_table_path,
172	l3proto->ctl_table, NULL);	180	l3proto->ctl_table, NULL);
173	}	181	}
174	#endif	182	#endif
175	return err;	183	return err;
176	}	184	}
177		185
178	static void nf_ct_l3proto_unregister_sysctl(struct nf_conntrack_l3proto *l3proto)	186	static void nf_ct_l3proto_unregister_sysctl(struct nf_conntrack_l3proto *l3proto)
179	{	187	{
180	#ifdef CONFIG_SYSCTL	188	#ifdef CONFIG_SYSCTL
181	if (l3proto->ctl_table_header != NULL)	189	if (l3proto->ctl_table_header != NULL)
182	nf_ct_unregister_sysctl(&l3proto->ctl_table_header,	190	nf_ct_unregister_sysctl(&l3proto->ctl_table_header,
183	l3proto->ctl_table, NULL);	191	&l3proto->ctl_table, NULL);
184	#endif	192	#endif
185	}	193	}
186		194
187	int nf_conntrack_l3proto_register(struct nf_conntrack_l3proto *proto)	195	int nf_conntrack_l3proto_register(struct nf_conntrack_l3proto *proto)
188	{	196	{
189	int ret = 0;	197	int ret = 0;
190	struct nf_conntrack_l3proto *old;	198	struct nf_conntrack_l3proto *old;
191		199
192	if (proto->l3proto >= AF_MAX)	200	if (proto->l3proto >= AF_MAX)
193	return -EBUSY;	201	return -EBUSY;
194		202
195	if (proto->tuple_to_nlattr && !proto->nlattr_tuple_size)	203	if (proto->tuple_to_nlattr && !proto->nlattr_tuple_size)
196	return -EINVAL;	204	return -EINVAL;
197		205
198	mutex_lock(&nf_ct_proto_mutex);	206	mutex_lock(&nf_ct_proto_mutex);
199	old = rcu_dereference_protected(nf_ct_l3protos[proto->l3proto],	207	old = rcu_dereference_protected(nf_ct_l3protos[proto->l3proto],
200	lockdep_is_held(&nf_ct_proto_mutex));	208	lockdep_is_held(&nf_ct_proto_mutex));
201	if (old != &nf_conntrack_l3proto_generic) {	209	if (old != &nf_conntrack_l3proto_generic) {
202	ret = -EBUSY;	210	ret = -EBUSY;
203	goto out_unlock;	211	goto out_unlock;
204	}	212	}
205		213
206	ret = nf_ct_l3proto_register_sysctl(proto);	214	ret = nf_ct_l3proto_register_sysctl(proto);
207	if (ret < 0)	215	if (ret < 0)
208	goto out_unlock;	216	goto out_unlock;
209		217
210	if (proto->nlattr_tuple_size)	218	if (proto->nlattr_tuple_size)
211	proto->nla_size = 3 * proto->nlattr_tuple_size();	219	proto->nla_size = 3 * proto->nlattr_tuple_size();
212		220
213	rcu_assign_pointer(nf_ct_l3protos[proto->l3proto], proto);	221	rcu_assign_pointer(nf_ct_l3protos[proto->l3proto], proto);
214		222
215	out_unlock:	223	out_unlock:
216	mutex_unlock(&nf_ct_proto_mutex);	224	mutex_unlock(&nf_ct_proto_mutex);
217	return ret;	225	return ret;
218	}	226	}
219	EXPORT_SYMBOL_GPL(nf_conntrack_l3proto_register);	227	EXPORT_SYMBOL_GPL(nf_conntrack_l3proto_register);
220		228
221	void nf_conntrack_l3proto_unregister(struct nf_conntrack_l3proto *proto)	229	void nf_conntrack_l3proto_unregister(struct nf_conntrack_l3proto *proto)
222	{	230	{
223	struct net *net;	231	struct net *net;
224		232
225	BUG_ON(proto->l3proto >= AF_MAX);	233	BUG_ON(proto->l3proto >= AF_MAX);
226		234
227	mutex_lock(&nf_ct_proto_mutex);	235	mutex_lock(&nf_ct_proto_mutex);
228	BUG_ON(rcu_dereference_protected(nf_ct_l3protos[proto->l3proto],	236	BUG_ON(rcu_dereference_protected(nf_ct_l3protos[proto->l3proto],
229	lockdep_is_held(&nf_ct_proto_mutex)	237	lockdep_is_held(&nf_ct_proto_mutex)
230	) != proto);	238	) != proto);
231	rcu_assign_pointer(nf_ct_l3protos[proto->l3proto],	239	rcu_assign_pointer(nf_ct_l3protos[proto->l3proto],
232	&nf_conntrack_l3proto_generic);	240	&nf_conntrack_l3proto_generic);
233	nf_ct_l3proto_unregister_sysctl(proto);	241	nf_ct_l3proto_unregister_sysctl(proto);
234	mutex_unlock(&nf_ct_proto_mutex);	242	mutex_unlock(&nf_ct_proto_mutex);
235		243
236	synchronize_rcu();	244	synchronize_rcu();
237		245
238	/* Remove all contrack entries for this protocol */	246	/* Remove all contrack entries for this protocol */
239	rtnl_lock();	247	rtnl_lock();
240	for_each_net(net)	248	for_each_net(net)
241	nf_ct_iterate_cleanup(net, kill_l3proto, proto);	249	nf_ct_iterate_cleanup(net, kill_l3proto, proto);
242	rtnl_unlock();	250	rtnl_unlock();
243	}	251	}
244	EXPORT_SYMBOL_GPL(nf_conntrack_l3proto_unregister);	252	EXPORT_SYMBOL_GPL(nf_conntrack_l3proto_unregister);
245		253
246	static int nf_ct_l4proto_register_sysctl(struct nf_conntrack_l4proto *l4proto)	254	static struct nf_proto_net nf_ct_l4proto_net(struct net net,
		255	struct nf_conntrack_l4proto *l4proto)
247	{	256	{
		257	if (l4proto->net_id)
		258	return net_generic(net, *l4proto->net_id);
		259	else
		260	return NULL;
		261	}
		262
		263	static
		264	int nf_ct_l4proto_register_sysctl(struct net *net,
		265	struct nf_conntrack_l4proto *l4proto)
		266	{
248	int err = 0;	267	int err = 0;
		268	struct nf_proto_net *pn = nf_ct_l4proto_net(net, l4proto);
		269	if (pn == NULL)
		270	return 0;
249		271
250	#ifdef CONFIG_SYSCTL	272	#ifdef CONFIG_SYSCTL
251	if (l4proto->ctl_table != NULL) {	273	if (pn->ctl_table != NULL) {
252	err = nf_ct_register_sysctl(l4proto->ctl_table_header,	274	err = nf_ct_register_sysctl(net,
		275	&pn->ctl_table_header,
253	"net/netfilter",	276	"net/netfilter",
254	l4proto->ctl_table,	277	pn->ctl_table,
255	l4proto->ctl_table_users);	278	&pn->users);
256	if (err < 0)	279	if (err < 0) {
		280	if (!pn->users) {
		281	kfree(pn->ctl_table);
		282	pn->ctl_table = NULL;
		283	}
257	goto out;	284	goto out;
		285	}
258	}	286	}
259	#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT	287	#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
260	if (l4proto->ctl_compat_table != NULL) {	288	if (l4proto->l3proto != AF_INET6 && pn->ctl_compat_table != NULL) {
261	err = nf_ct_register_sysctl(&l4proto->ctl_compat_table_header,	289	err = nf_ct_register_sysctl(net,
		290	&pn->ctl_compat_header,
262	"net/ipv4/netfilter",	291	"net/ipv4/netfilter",
263	l4proto->ctl_compat_table, NULL);	292	pn->ctl_compat_table,
		293	NULL);
264	if (err == 0)	294	if (err == 0)
265	goto out;	295	goto out;
266	nf_ct_unregister_sysctl(l4proto->ctl_table_header,	296
267	l4proto->ctl_table,	297	kfree(pn->ctl_compat_table);
268	l4proto->ctl_table_users);	298	pn->ctl_compat_table = NULL;
		299	nf_ct_unregister_sysctl(&pn->ctl_table_header,
		300	&pn->ctl_table,
		301	&pn->users);
269	}	302	}
270	#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */	303	#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
271	out:	304	out:
272	#endif /* CONFIG_SYSCTL */	305	#endif /* CONFIG_SYSCTL */
273	return err;	306	return err;
274	}	307	}
275		308
276	static void nf_ct_l4proto_unregister_sysctl(struct nf_conntrack_l4proto *l4proto)	309	static
		310	void nf_ct_l4proto_unregister_sysctl(struct net *net,
		311	struct nf_conntrack_l4proto *l4proto)
277	{	312	{
		313	struct nf_proto_net *pn = nf_ct_l4proto_net(net, l4proto);
		314	if (pn == NULL)
		315	return;
278	#ifdef CONFIG_SYSCTL	316	#ifdef CONFIG_SYSCTL
279	if (l4proto->ctl_table_header != NULL &&	317	if (pn->ctl_table_header != NULL)
280	*l4proto->ctl_table_header != NULL)	318	nf_ct_unregister_sysctl(&pn->ctl_table_header,
281	nf_ct_unregister_sysctl(l4proto->ctl_table_header,	319	&pn->ctl_table,
282	l4proto->ctl_table,	320	&pn->users);
283	l4proto->ctl_table_users);	321
284	#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT	322	#ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
285	if (l4proto->ctl_compat_table_header != NULL)	323	if (l4proto->l3proto != AF_INET6 && pn->ctl_compat_header != NULL)
286	nf_ct_unregister_sysctl(&l4proto->ctl_compat_table_header,	324	nf_ct_unregister_sysctl(&pn->ctl_compat_header,
287	l4proto->ctl_compat_table, NULL);	325	&pn->ctl_compat_table,
		326	NULL);
288	#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */	327	#endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
		328	#else
		329	pn->users--;
289	#endif /* CONFIG_SYSCTL */	330	#endif /* CONFIG_SYSCTL */
290	}	331	}
291		332
292	/* FIXME: Allow NULL functions and sub in pointers to generic for	333	/* FIXME: Allow NULL functions and sub in pointers to generic for
293	them. --RR */	334	them. --RR */
294	int nf_conntrack_l4proto_register(struct nf_conntrack_l4proto *l4proto)	335	static int
		336	nf_conntrack_l4proto_register_net(struct nf_conntrack_l4proto *l4proto)
295	{	337	{
296	int ret = 0;	338	int ret = 0;
297		339
298	if (l4proto->l3proto >= PF_MAX)	340	if (l4proto->l3proto >= PF_MAX)
299	return -EBUSY;	341	return -EBUSY;
300		342
301	if ((l4proto->to_nlattr && !l4proto->nlattr_size)	343	if ((l4proto->to_nlattr && !l4proto->nlattr_size)
302	\|\| (l4proto->tuple_to_nlattr && !l4proto->nlattr_tuple_size))	344	\|\| (l4proto->tuple_to_nlattr && !l4proto->nlattr_tuple_size))
303	return -EINVAL;	345	return -EINVAL;
304		346
305	mutex_lock(&nf_ct_proto_mutex);	347	mutex_lock(&nf_ct_proto_mutex);
306	if (!nf_ct_protos[l4proto->l3proto]) {	348	if (!nf_ct_protos[l4proto->l3proto]) {
307	/* l3proto may be loaded latter. */	349	/* l3proto may be loaded latter. */
308	struct nf_conntrack_l4proto __rcu **proto_array;	350	struct nf_conntrack_l4proto __rcu **proto_array;
309	int i;	351	int i;
310		352
311	proto_array = kmalloc(MAX_NF_CT_PROTO *	353	proto_array = kmalloc(MAX_NF_CT_PROTO *
312	sizeof(struct nf_conntrack_l4proto *),	354	sizeof(struct nf_conntrack_l4proto *),
313	GFP_KERNEL);	355	GFP_KERNEL);
314	if (proto_array == NULL) {	356	if (proto_array == NULL) {
315	ret = -ENOMEM;	357	ret = -ENOMEM;
316	goto out_unlock;	358	goto out_unlock;
317	}	359	}
318		360
319	for (i = 0; i < MAX_NF_CT_PROTO; i++)	361	for (i = 0; i < MAX_NF_CT_PROTO; i++)
320	RCU_INIT_POINTER(proto_array[i], &nf_conntrack_l4proto_generic);	362	RCU_INIT_POINTER(proto_array[i], &nf_conntrack_l4proto_generic);
321		363
322	/* Before making proto_array visible to lockless readers,	364	/* Before making proto_array visible to lockless readers,
323	* we must make sure its content is committed to memory.	365	* we must make sure its content is committed to memory.
324	*/	366	*/
325	smp_wmb();	367	smp_wmb();
326		368
327	nf_ct_protos[l4proto->l3proto] = proto_array;	369	nf_ct_protos[l4proto->l3proto] = proto_array;
328	} else if (rcu_dereference_protected(	370	} else if (rcu_dereference_protected(
329	nf_ct_protos[l4proto->l3proto][l4proto->l4proto],	371	nf_ct_protos[l4proto->l3proto][l4proto->l4proto],
330	lockdep_is_held(&nf_ct_proto_mutex)	372	lockdep_is_held(&nf_ct_proto_mutex)
331	) != &nf_conntrack_l4proto_generic) {	373	) != &nf_conntrack_l4proto_generic) {
332	ret = -EBUSY;	374	ret = -EBUSY;
333	goto out_unlock;	375	goto out_unlock;
334	}	376	}
335		377
336	ret = nf_ct_l4proto_register_sysctl(l4proto);
337	if (ret < 0)
338	goto out_unlock;
339
340	l4proto->nla_size = 0;	378	l4proto->nla_size = 0;
341	if (l4proto->nlattr_size)	379	if (l4proto->nlattr_size)
342	l4proto->nla_size += l4proto->nlattr_size();	380	l4proto->nla_size += l4proto->nlattr_size();
343	if (l4proto->nlattr_tuple_size)	381	if (l4proto->nlattr_tuple_size)
344	l4proto->nla_size += 3 * l4proto->nlattr_tuple_size();	382	l4proto->nla_size += 3 * l4proto->nlattr_tuple_size();
345		383
346	rcu_assign_pointer(nf_ct_protos[l4proto->l3proto][l4proto->l4proto],	384	rcu_assign_pointer(nf_ct_protos[l4proto->l3proto][l4proto->l4proto],
347	l4proto);	385	l4proto);
348
349	out_unlock:	386	out_unlock:
350	mutex_unlock(&nf_ct_proto_mutex);	387	mutex_unlock(&nf_ct_proto_mutex);
351	return ret;	388	return ret;
352	}	389	}
353	EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_register);
354		390
355	void nf_conntrack_l4proto_unregister(struct nf_conntrack_l4proto *l4proto)	391	int nf_conntrack_l4proto_register(struct net *net,
		392	struct nf_conntrack_l4proto *l4proto)
356	{	393	{
357	struct net *net;	394	int ret = 0;
		395	if (net == &init_net)
		396	ret = nf_conntrack_l4proto_register_net(l4proto);
358		397
		398	if (ret < 0)
		399	return ret;
		400
		401	if (l4proto->init_net)
		402	ret = l4proto->init_net(net);
		403
		404	if (ret < 0)
		405	return ret;
		406
		407	return nf_ct_l4proto_register_sysctl(net, l4proto);
		408	}
		409	EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_register);
		410
		411	static void
		412	nf_conntrack_l4proto_unregister_net(struct nf_conntrack_l4proto *l4proto)
		413	{
359	BUG_ON(l4proto->l3proto >= PF_MAX);	414	BUG_ON(l4proto->l3proto >= PF_MAX);
360		415
361	mutex_lock(&nf_ct_proto_mutex);	416	mutex_lock(&nf_ct_proto_mutex);
362	BUG_ON(rcu_dereference_protected(	417	BUG_ON(rcu_dereference_protected(
363	nf_ct_protos[l4proto->l3proto][l4proto->l4proto],	418	nf_ct_protos[l4proto->l3proto][l4proto->l4proto],
364	lockdep_is_held(&nf_ct_proto_mutex)	419	lockdep_is_held(&nf_ct_proto_mutex)
365	) != l4proto);	420	) != l4proto);
366	rcu_assign_pointer(nf_ct_protos[l4proto->l3proto][l4proto->l4proto],	421	rcu_assign_pointer(nf_ct_protos[l4proto->l3proto][l4proto->l4proto],
367	&nf_conntrack_l4proto_generic);	422	&nf_conntrack_l4proto_generic);
368	nf_ct_l4proto_unregister_sysctl(l4proto);
369	mutex_unlock(&nf_ct_proto_mutex);	423	mutex_unlock(&nf_ct_proto_mutex);
370		424
371	synchronize_rcu();	425	synchronize_rcu();
		426	}
372		427
		428	void nf_conntrack_l4proto_unregister(struct net *net,
		429	struct nf_conntrack_l4proto *l4proto)
		430	{
		431	if (net == &init_net)
		432	nf_conntrack_l4proto_unregister_net(l4proto);
		433
		434	nf_ct_l4proto_unregister_sysctl(net, l4proto);
373	/* Remove all contrack entries for this protocol */	435	/* Remove all contrack entries for this protocol */
374	rtnl_lock();	436	rtnl_lock();
375	for_each_net(net)	437	nf_ct_iterate_cleanup(net, kill_l4proto, l4proto);
376	nf_ct_iterate_cleanup(net, kill_l4proto, l4proto);
377	rtnl_unlock();	438	rtnl_unlock();
378	}	439	}
379	EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_unregister);	440	EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_unregister);
380		441
381	int nf_conntrack_proto_init(void)	442	int nf_conntrack_proto_init(void)
382	{	443	{
383	unsigned int i;	444	unsigned int i;
384	int err;	445	int err;
385		446
386	err = nf_ct_l4proto_register_sysctl(&nf_conntrack_l4proto_generic);	447	err = nf_ct_l4proto_register_sysctl(&init_net, &nf_conntrack_l4proto_generic);
387	if (err < 0)	448	if (err < 0)
388	return err;	449	return err;
389		450
390	for (i = 0; i < AF_MAX; i++)	451	for (i = 0; i < AF_MAX; i++)
391	rcu_assign_pointer(nf_ct_l3protos[i],	452	rcu_assign_pointer(nf_ct_l3protos[i],
392	&nf_conntrack_l3proto_generic);	453	&nf_conntrack_l3proto_generic);
393	return 0;	454	return 0;
394	}	455	}
395		456
396	void nf_conntrack_proto_fini(void)	457	void nf_conntrack_proto_fini(void)
397	{	458	{
398	unsigned int i;	459	unsigned int i;

net/netfilter/nf_conntrack_proto_dccp.c

Diff comments View file @ 2c352f4

net/netfilter/nf_conntrack_proto_gre.c

Diff comments View file @ 2c352f4

net/netfilter/nf_conntrack_proto_sctp.c

Diff comments View file @ 2c352f4

net/netfilter/nf_conntrack_proto_udplite.c

Diff comments View file @ 2c352f4

1	/* (C) 1999-2001 Paul `Rusty' Russell	1	/* (C) 1999-2001 Paul `Rusty' Russell
2	* (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>	2	* (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
3	* (C) 2007 Patrick McHardy <kaber@trash.net>	3	* (C) 2007 Patrick McHardy <kaber@trash.net>
4	*	4	*
5	* This program is free software; you can redistribute it and/or modify	5	* This program is free software; you can redistribute it and/or modify
6	* it under the terms of the GNU General Public License version 2 as	6	* it under the terms of the GNU General Public License version 2 as
7	* published by the Free Software Foundation.	7	* published by the Free Software Foundation.
8	*/	8	*/
9		9
10	#include <linux/types.h>	10	#include <linux/types.h>
11	#include <linux/timer.h>	11	#include <linux/timer.h>
12	#include <linux/module.h>	12	#include <linux/module.h>
13	#include <linux/udp.h>	13	#include <linux/udp.h>
14	#include <linux/seq_file.h>	14	#include <linux/seq_file.h>
15	#include <linux/skbuff.h>	15	#include <linux/skbuff.h>
16	#include <linux/ipv6.h>	16	#include <linux/ipv6.h>
17	#include <net/ip6_checksum.h>	17	#include <net/ip6_checksum.h>
18	#include <net/checksum.h>	18	#include <net/checksum.h>
19		19
20	#include <linux/netfilter.h>	20	#include <linux/netfilter.h>
21	#include <linux/netfilter_ipv4.h>	21	#include <linux/netfilter_ipv4.h>
22	#include <linux/netfilter_ipv6.h>	22	#include <linux/netfilter_ipv6.h>
23	#include <net/netfilter/nf_conntrack_l4proto.h>	23	#include <net/netfilter/nf_conntrack_l4proto.h>
24	#include <net/netfilter/nf_conntrack_ecache.h>	24	#include <net/netfilter/nf_conntrack_ecache.h>
25	#include <net/netfilter/nf_log.h>	25	#include <net/netfilter/nf_log.h>
26		26
27	enum udplite_conntrack {	27	enum udplite_conntrack {
28	UDPLITE_CT_UNREPLIED,	28	UDPLITE_CT_UNREPLIED,
29	UDPLITE_CT_REPLIED,	29	UDPLITE_CT_REPLIED,
30	UDPLITE_CT_MAX	30	UDPLITE_CT_MAX
31	};	31	};
32		32
33	static unsigned int udplite_timeouts[UDPLITE_CT_MAX] = {	33	static unsigned int udplite_timeouts[UDPLITE_CT_MAX] = {
34	[UDPLITE_CT_UNREPLIED] = 30*HZ,	34	[UDPLITE_CT_UNREPLIED] = 30*HZ,
35	[UDPLITE_CT_REPLIED] = 180*HZ,	35	[UDPLITE_CT_REPLIED] = 180*HZ,
36	};	36	};
37		37
38	static bool udplite_pkt_to_tuple(const struct sk_buff *skb,	38	static bool udplite_pkt_to_tuple(const struct sk_buff *skb,
39	unsigned int dataoff,	39	unsigned int dataoff,
40	struct nf_conntrack_tuple *tuple)	40	struct nf_conntrack_tuple *tuple)
41	{	41	{
42	const struct udphdr *hp;	42	const struct udphdr *hp;
43	struct udphdr _hdr;	43	struct udphdr _hdr;
44		44
45	hp = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr);	45	hp = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr);
46	if (hp == NULL)	46	if (hp == NULL)
47	return false;	47	return false;
48		48
49	tuple->src.u.udp.port = hp->source;	49	tuple->src.u.udp.port = hp->source;
50	tuple->dst.u.udp.port = hp->dest;	50	tuple->dst.u.udp.port = hp->dest;
51	return true;	51	return true;
52	}	52	}
53		53
54	static bool udplite_invert_tuple(struct nf_conntrack_tuple *tuple,	54	static bool udplite_invert_tuple(struct nf_conntrack_tuple *tuple,
55	const struct nf_conntrack_tuple *orig)	55	const struct nf_conntrack_tuple *orig)
56	{	56	{
57	tuple->src.u.udp.port = orig->dst.u.udp.port;	57	tuple->src.u.udp.port = orig->dst.u.udp.port;
58	tuple->dst.u.udp.port = orig->src.u.udp.port;	58	tuple->dst.u.udp.port = orig->src.u.udp.port;
59	return true;	59	return true;
60	}	60	}
61		61
62	/* Print out the per-protocol part of the tuple. */	62	/* Print out the per-protocol part of the tuple. */
63	static int udplite_print_tuple(struct seq_file *s,	63	static int udplite_print_tuple(struct seq_file *s,
64	const struct nf_conntrack_tuple *tuple)	64	const struct nf_conntrack_tuple *tuple)
65	{	65	{
66	return seq_printf(s, "sport=%hu dport=%hu ",	66	return seq_printf(s, "sport=%hu dport=%hu ",
67	ntohs(tuple->src.u.udp.port),	67	ntohs(tuple->src.u.udp.port),
68	ntohs(tuple->dst.u.udp.port));	68	ntohs(tuple->dst.u.udp.port));
69	}	69	}
70		70
71	static unsigned int udplite_get_timeouts(struct net net)	71	static unsigned int udplite_get_timeouts(struct net net)
72	{	72	{
73	return udplite_timeouts;	73	return udplite_timeouts;
74	}	74	}
75		75
76	/* Returns verdict for packet, and may modify conntracktype */	76	/* Returns verdict for packet, and may modify conntracktype */
77	static int udplite_packet(struct nf_conn *ct,	77	static int udplite_packet(struct nf_conn *ct,
78	const struct sk_buff *skb,	78	const struct sk_buff *skb,
79	unsigned int dataoff,	79	unsigned int dataoff,
80	enum ip_conntrack_info ctinfo,	80	enum ip_conntrack_info ctinfo,
81	u_int8_t pf,	81	u_int8_t pf,
82	unsigned int hooknum,	82	unsigned int hooknum,
83	unsigned int *timeouts)	83	unsigned int *timeouts)
84	{	84	{
85	/* If we've seen traffic both ways, this is some kind of UDP	85	/* If we've seen traffic both ways, this is some kind of UDP
86	stream. Extend timeout. */	86	stream. Extend timeout. */
87	if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {	87	if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
88	nf_ct_refresh_acct(ct, ctinfo, skb,	88	nf_ct_refresh_acct(ct, ctinfo, skb,
89	timeouts[UDPLITE_CT_REPLIED]);	89	timeouts[UDPLITE_CT_REPLIED]);
90	/* Also, more likely to be important, and not a probe */	90	/* Also, more likely to be important, and not a probe */
91	if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status))	91	if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status))
92	nf_conntrack_event_cache(IPCT_ASSURED, ct);	92	nf_conntrack_event_cache(IPCT_ASSURED, ct);
93	} else {	93	} else {
94	nf_ct_refresh_acct(ct, ctinfo, skb,	94	nf_ct_refresh_acct(ct, ctinfo, skb,
95	timeouts[UDPLITE_CT_UNREPLIED]);	95	timeouts[UDPLITE_CT_UNREPLIED]);
96	}	96	}
97	return NF_ACCEPT;	97	return NF_ACCEPT;
98	}	98	}
99		99
100	/* Called when a new connection for this protocol found. */	100	/* Called when a new connection for this protocol found. */
101	static bool udplite_new(struct nf_conn ct, const struct sk_buff skb,	101	static bool udplite_new(struct nf_conn ct, const struct sk_buff skb,
102	unsigned int dataoff, unsigned int *timeouts)	102	unsigned int dataoff, unsigned int *timeouts)
103	{	103	{
104	return true;	104	return true;
105	}	105	}
106		106
107	static int udplite_error(struct net net, struct nf_conn tmpl,	107	static int udplite_error(struct net net, struct nf_conn tmpl,
108	struct sk_buff *skb,	108	struct sk_buff *skb,
109	unsigned int dataoff,	109	unsigned int dataoff,
110	enum ip_conntrack_info *ctinfo,	110	enum ip_conntrack_info *ctinfo,
111	u_int8_t pf,	111	u_int8_t pf,
112	unsigned int hooknum)	112	unsigned int hooknum)
113	{	113	{
114	unsigned int udplen = skb->len - dataoff;	114	unsigned int udplen = skb->len - dataoff;
115	const struct udphdr *hdr;	115	const struct udphdr *hdr;
116	struct udphdr _hdr;	116	struct udphdr _hdr;
117	unsigned int cscov;	117	unsigned int cscov;
118		118
119	/* Header is too small? */	119	/* Header is too small? */
120	hdr = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr);	120	hdr = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr);
121	if (hdr == NULL) {	121	if (hdr == NULL) {
122	if (LOG_INVALID(net, IPPROTO_UDPLITE))	122	if (LOG_INVALID(net, IPPROTO_UDPLITE))
123	nf_log_packet(pf, 0, skb, NULL, NULL, NULL,	123	nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
124	"nf_ct_udplite: short packet ");	124	"nf_ct_udplite: short packet ");
125	return -NF_ACCEPT;	125	return -NF_ACCEPT;
126	}	126	}
127		127
128	cscov = ntohs(hdr->len);	128	cscov = ntohs(hdr->len);
129	if (cscov == 0)	129	if (cscov == 0)
130	cscov = udplen;	130	cscov = udplen;
131	else if (cscov < sizeof(*hdr) \|\| cscov > udplen) {	131	else if (cscov < sizeof(*hdr) \|\| cscov > udplen) {
132	if (LOG_INVALID(net, IPPROTO_UDPLITE))	132	if (LOG_INVALID(net, IPPROTO_UDPLITE))
133	nf_log_packet(pf, 0, skb, NULL, NULL, NULL,	133	nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
134	"nf_ct_udplite: invalid checksum coverage ");	134	"nf_ct_udplite: invalid checksum coverage ");
135	return -NF_ACCEPT;	135	return -NF_ACCEPT;
136	}	136	}
137		137
138	/* UDPLITE mandates checksums */	138	/* UDPLITE mandates checksums */
139	if (!hdr->check) {	139	if (!hdr->check) {
140	if (LOG_INVALID(net, IPPROTO_UDPLITE))	140	if (LOG_INVALID(net, IPPROTO_UDPLITE))
141	nf_log_packet(pf, 0, skb, NULL, NULL, NULL,	141	nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
142	"nf_ct_udplite: checksum missing ");	142	"nf_ct_udplite: checksum missing ");
143	return -NF_ACCEPT;	143	return -NF_ACCEPT;
144	}	144	}
145		145
146	/* Checksum invalid? Ignore. */	146	/* Checksum invalid? Ignore. */
147	if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING &&	147	if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING &&
148	nf_checksum_partial(skb, hooknum, dataoff, cscov, IPPROTO_UDP,	148	nf_checksum_partial(skb, hooknum, dataoff, cscov, IPPROTO_UDP,
149	pf)) {	149	pf)) {
150	if (LOG_INVALID(net, IPPROTO_UDPLITE))	150	if (LOG_INVALID(net, IPPROTO_UDPLITE))
151	nf_log_packet(pf, 0, skb, NULL, NULL, NULL,	151	nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
152	"nf_ct_udplite: bad UDPLite checksum ");	152	"nf_ct_udplite: bad UDPLite checksum ");
153	return -NF_ACCEPT;	153	return -NF_ACCEPT;
154	}	154	}
155		155
156	return NF_ACCEPT;	156	return NF_ACCEPT;
157	}	157	}
158		158
159	#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)	159	#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
160		160
161	#include <linux/netfilter/nfnetlink.h>	161	#include <linux/netfilter/nfnetlink.h>
162	#include <linux/netfilter/nfnetlink_cttimeout.h>	162	#include <linux/netfilter/nfnetlink_cttimeout.h>
163		163
164	static int udplite_timeout_nlattr_to_obj(struct nlattr tb[], void data)	164	static int udplite_timeout_nlattr_to_obj(struct nlattr tb[], void data)
165	{	165	{
166	unsigned int *timeouts = data;	166	unsigned int *timeouts = data;
167		167
168	/* set default timeouts for UDPlite. */	168	/* set default timeouts for UDPlite. */
169	timeouts[UDPLITE_CT_UNREPLIED] = udplite_timeouts[UDPLITE_CT_UNREPLIED];	169	timeouts[UDPLITE_CT_UNREPLIED] = udplite_timeouts[UDPLITE_CT_UNREPLIED];
170	timeouts[UDPLITE_CT_REPLIED] = udplite_timeouts[UDPLITE_CT_REPLIED];	170	timeouts[UDPLITE_CT_REPLIED] = udplite_timeouts[UDPLITE_CT_REPLIED];
171		171
172	if (tb[CTA_TIMEOUT_UDPLITE_UNREPLIED]) {	172	if (tb[CTA_TIMEOUT_UDPLITE_UNREPLIED]) {
173	timeouts[UDPLITE_CT_UNREPLIED] =	173	timeouts[UDPLITE_CT_UNREPLIED] =
174	ntohl(nla_get_be32(tb[CTA_TIMEOUT_UDPLITE_UNREPLIED])) * HZ;	174	ntohl(nla_get_be32(tb[CTA_TIMEOUT_UDPLITE_UNREPLIED])) * HZ;
175	}	175	}
176	if (tb[CTA_TIMEOUT_UDPLITE_REPLIED]) {	176	if (tb[CTA_TIMEOUT_UDPLITE_REPLIED]) {
177	timeouts[UDPLITE_CT_REPLIED] =	177	timeouts[UDPLITE_CT_REPLIED] =
178	ntohl(nla_get_be32(tb[CTA_TIMEOUT_UDPLITE_REPLIED])) * HZ;	178	ntohl(nla_get_be32(tb[CTA_TIMEOUT_UDPLITE_REPLIED])) * HZ;
179	}	179	}
180	return 0;	180	return 0;
181	}	181	}
182		182
183	static int	183	static int
184	udplite_timeout_obj_to_nlattr(struct sk_buff skb, const void data)	184	udplite_timeout_obj_to_nlattr(struct sk_buff skb, const void data)
185	{	185	{
186	const unsigned int *timeouts = data;	186	const unsigned int *timeouts = data;
187		187
188	if (nla_put_be32(skb, CTA_TIMEOUT_UDPLITE_UNREPLIED,	188	if (nla_put_be32(skb, CTA_TIMEOUT_UDPLITE_UNREPLIED,
189	htonl(timeouts[UDPLITE_CT_UNREPLIED] / HZ)) \|\|	189	htonl(timeouts[UDPLITE_CT_UNREPLIED] / HZ)) \|\|
190	nla_put_be32(skb, CTA_TIMEOUT_UDPLITE_REPLIED,	190	nla_put_be32(skb, CTA_TIMEOUT_UDPLITE_REPLIED,
191	htonl(timeouts[UDPLITE_CT_REPLIED] / HZ)))	191	htonl(timeouts[UDPLITE_CT_REPLIED] / HZ)))
192	goto nla_put_failure;	192	goto nla_put_failure;
193	return 0;	193	return 0;
194		194
195	nla_put_failure:	195	nla_put_failure:
196	return -ENOSPC;	196	return -ENOSPC;
197	}	197	}
198		198
199	static const struct nla_policy	199	static const struct nla_policy
200	udplite_timeout_nla_policy[CTA_TIMEOUT_UDPLITE_MAX+1] = {	200	udplite_timeout_nla_policy[CTA_TIMEOUT_UDPLITE_MAX+1] = {
201	[CTA_TIMEOUT_UDPLITE_UNREPLIED] = { .type = NLA_U32 },	201	[CTA_TIMEOUT_UDPLITE_UNREPLIED] = { .type = NLA_U32 },
202	[CTA_TIMEOUT_UDPLITE_REPLIED] = { .type = NLA_U32 },	202	[CTA_TIMEOUT_UDPLITE_REPLIED] = { .type = NLA_U32 },
203	};	203	};
204	#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */	204	#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
205		205
206	#ifdef CONFIG_SYSCTL	206	#ifdef CONFIG_SYSCTL
207	static unsigned int udplite_sysctl_table_users;	207	static unsigned int udplite_sysctl_table_users;
208	static struct ctl_table_header *udplite_sysctl_header;	208	static struct ctl_table_header *udplite_sysctl_header;
209	static struct ctl_table udplite_sysctl_table[] = {	209	static struct ctl_table udplite_sysctl_table[] = {
210	{	210	{
211	.procname = "nf_conntrack_udplite_timeout",	211	.procname = "nf_conntrack_udplite_timeout",
212	.data = &udplite_timeouts[UDPLITE_CT_UNREPLIED],	212	.data = &udplite_timeouts[UDPLITE_CT_UNREPLIED],
213	.maxlen = sizeof(unsigned int),	213	.maxlen = sizeof(unsigned int),
214	.mode = 0644,	214	.mode = 0644,
215	.proc_handler = proc_dointvec_jiffies,	215	.proc_handler = proc_dointvec_jiffies,
216	},	216	},
217	{	217	{
218	.procname = "nf_conntrack_udplite_timeout_stream",	218	.procname = "nf_conntrack_udplite_timeout_stream",
219	.data = &udplite_timeouts[UDPLITE_CT_REPLIED],	219	.data = &udplite_timeouts[UDPLITE_CT_REPLIED],
220	.maxlen = sizeof(unsigned int),	220	.maxlen = sizeof(unsigned int),
221	.mode = 0644,	221	.mode = 0644,
222	.proc_handler = proc_dointvec_jiffies,	222	.proc_handler = proc_dointvec_jiffies,
223	},	223	},
224	{ }	224	{ }
225	};	225	};
226	#endif /* CONFIG_SYSCTL */	226	#endif /* CONFIG_SYSCTL */
227		227
228	static struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite4 __read_mostly =	228	static struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite4 __read_mostly =
229	{	229	{
230	.l3proto = PF_INET,	230	.l3proto = PF_INET,
231	.l4proto = IPPROTO_UDPLITE,	231	.l4proto = IPPROTO_UDPLITE,
232	.name = "udplite",	232	.name = "udplite",
233	.pkt_to_tuple = udplite_pkt_to_tuple,	233	.pkt_to_tuple = udplite_pkt_to_tuple,
234	.invert_tuple = udplite_invert_tuple,	234	.invert_tuple = udplite_invert_tuple,
235	.print_tuple = udplite_print_tuple,	235	.print_tuple = udplite_print_tuple,
236	.packet = udplite_packet,	236	.packet = udplite_packet,
237	.get_timeouts = udplite_get_timeouts,	237	.get_timeouts = udplite_get_timeouts,
238	.new = udplite_new,	238	.new = udplite_new,
239	.error = udplite_error,	239	.error = udplite_error,
240	#if IS_ENABLED(CONFIG_NF_CT_NETLINK)	240	#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
241	.tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,	241	.tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
242	.nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,	242	.nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
243	.nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,	243	.nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
244	.nla_policy = nf_ct_port_nla_policy,	244	.nla_policy = nf_ct_port_nla_policy,
245	#endif	245	#endif
246	#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)	246	#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
247	.ctnl_timeout = {	247	.ctnl_timeout = {
248	.nlattr_to_obj = udplite_timeout_nlattr_to_obj,	248	.nlattr_to_obj = udplite_timeout_nlattr_to_obj,
249	.obj_to_nlattr = udplite_timeout_obj_to_nlattr,	249	.obj_to_nlattr = udplite_timeout_obj_to_nlattr,
250	.nlattr_max = CTA_TIMEOUT_UDPLITE_MAX,	250	.nlattr_max = CTA_TIMEOUT_UDPLITE_MAX,
251	.obj_size = sizeof(unsigned int) *	251	.obj_size = sizeof(unsigned int) *
252	CTA_TIMEOUT_UDPLITE_MAX,	252	CTA_TIMEOUT_UDPLITE_MAX,
253	.nla_policy = udplite_timeout_nla_policy,	253	.nla_policy = udplite_timeout_nla_policy,
254	},	254	},
255	#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */	255	#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
256	#ifdef CONFIG_SYSCTL	256	#ifdef CONFIG_SYSCTL
257	.ctl_table_users = &udplite_sysctl_table_users,	257	.ctl_table_users = &udplite_sysctl_table_users,
258	.ctl_table_header = &udplite_sysctl_header,	258	.ctl_table_header = &udplite_sysctl_header,
259	.ctl_table = udplite_sysctl_table,	259	.ctl_table = udplite_sysctl_table,
260	#endif	260	#endif
261	};	261	};
262		262
263	static struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite6 __read_mostly =	263	static struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite6 __read_mostly =
264	{	264	{
265	.l3proto = PF_INET6,	265	.l3proto = PF_INET6,
266	.l4proto = IPPROTO_UDPLITE,	266	.l4proto = IPPROTO_UDPLITE,
267	.name = "udplite",	267	.name = "udplite",
268	.pkt_to_tuple = udplite_pkt_to_tuple,	268	.pkt_to_tuple = udplite_pkt_to_tuple,
269	.invert_tuple = udplite_invert_tuple,	269	.invert_tuple = udplite_invert_tuple,
270	.print_tuple = udplite_print_tuple,	270	.print_tuple = udplite_print_tuple,
271	.packet = udplite_packet,	271	.packet = udplite_packet,
272	.get_timeouts = udplite_get_timeouts,	272	.get_timeouts = udplite_get_timeouts,
273	.new = udplite_new,	273	.new = udplite_new,
274	.error = udplite_error,	274	.error = udplite_error,
275	#if IS_ENABLED(CONFIG_NF_CT_NETLINK)	275	#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
276	.tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,	276	.tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
277	.nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,	277	.nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
278	.nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,	278	.nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
279	.nla_policy = nf_ct_port_nla_policy,	279	.nla_policy = nf_ct_port_nla_policy,
280	#endif	280	#endif
281	#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)	281	#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
282	.ctnl_timeout = {	282	.ctnl_timeout = {
283	.nlattr_to_obj = udplite_timeout_nlattr_to_obj,	283	.nlattr_to_obj = udplite_timeout_nlattr_to_obj,
284	.obj_to_nlattr = udplite_timeout_obj_to_nlattr,	284	.obj_to_nlattr = udplite_timeout_obj_to_nlattr,
285	.nlattr_max = CTA_TIMEOUT_UDPLITE_MAX,	285	.nlattr_max = CTA_TIMEOUT_UDPLITE_MAX,
286	.obj_size = sizeof(unsigned int) *	286	.obj_size = sizeof(unsigned int) *
287	CTA_TIMEOUT_UDPLITE_MAX,	287	CTA_TIMEOUT_UDPLITE_MAX,
288	.nla_policy = udplite_timeout_nla_policy,	288	.nla_policy = udplite_timeout_nla_policy,
289	},	289	},
290	#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */	290	#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */
291	#ifdef CONFIG_SYSCTL	291	#ifdef CONFIG_SYSCTL
292	.ctl_table_users = &udplite_sysctl_table_users,	292	.ctl_table_users = &udplite_sysctl_table_users,
293	.ctl_table_header = &udplite_sysctl_header,	293	.ctl_table_header = &udplite_sysctl_header,
294	.ctl_table = udplite_sysctl_table,	294	.ctl_table = udplite_sysctl_table,
295	#endif	295	#endif
296	};	296	};
297		297
298	static int __init nf_conntrack_proto_udplite_init(void)	298	static int __init nf_conntrack_proto_udplite_init(void)
299	{	299	{
300	int err;	300	int err;
301		301
302	err = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_udplite4);	302	err = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_udplite4);
303	if (err < 0)	303	if (err < 0)
304	goto err1;	304	goto err1;
305	err = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_udplite6);	305	err = nf_conntrack_l4proto_register(&init_net, &nf_conntrack_l4proto_udplite6);
306	if (err < 0)	306	if (err < 0)
307	goto err2;	307	goto err2;
308	return 0;	308	return 0;
309	err2:	309	err2:
310	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_udplite4);	310	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udplite4);
311	err1:	311	err1:
312	return err;	312	return err;
313	}	313	}
314		314
315	static void __exit nf_conntrack_proto_udplite_exit(void)	315	static void __exit nf_conntrack_proto_udplite_exit(void)
316	{	316	{
317	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_udplite6);	317	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udplite6);
318	nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_udplite4);	318	nf_conntrack_l4proto_unregister(&init_net, &nf_conntrack_l4proto_udplite4);
319	}	319	}
320		320
321	module_init(nf_conntrack_proto_udplite_init);	321	module_init(nf_conntrack_proto_udplite_init);
322	module_exit(nf_conntrack_proto_udplite_exit);	322	module_exit(nf_conntrack_proto_udplite_exit);
323		323
324	MODULE_LICENSE("GPL");	324	MODULE_LICENSE("GPL");
325		325

Link here
Eric Lee 2015-01-20 16:23:53 UTC

mentioned in commit fa0f61

_mentioned in commit fa0f61_

Choose File ... File name...
Cancel
Link here
Eric Lee 2015-01-20 16:24:50 UTC

mentioned in commit fa0f61

_mentioned in commit fa0f61_

Choose File ... File name...
Cancel
Link here
Eric Lee 2015-01-20 16:25:05 UTC

mentioned in commit fa0f61

_mentioned in commit fa0f61_

Choose File ... File name...
Cancel
Link here
Eric Lee 2015-05-06 17:17:26 UTC

mentioned in commit fa0f61

_mentioned in commit fa0f61_

Choose File ... File name...
Cancel
Link here
Eric Lee 2015-06-23 15:32:50 UTC

mentioned in commit fa0f61

_mentioned in commit fa0f61_

Choose File ... File name...
Cancel
Link here
Eric Lee 2015-08-04 07:15:18 UTC

mentioned in commit fa0f61

_mentioned in commit fa0f61_

Choose File ... File name...
Cancel
Link here
Eric Lee 2015-08-04 08:03:11 UTC

mentioned in commit fa0f61

_mentioned in commit fa0f61_

Choose File ... File name...
Cancel
Link here
Eric Lee 2016-04-06 11:10:26 UTC

mentioned in commit fa0f61

_mentioned in commit fa0f61_

Choose File ... File name...
Cancel
Link here
Eric Lee 2016-04-06 11:24:30 UTC

mentioned in commit fa0f61

_mentioned in commit fa0f61_

Choose File ... File name...
Cancel
Link here
Eric Lee 2016-05-23 04:40:09 UTC

mentioned in commit fa0f61

_mentioned in commit fa0f61_

Choose File ... File name...
Cancel
Link here
Eric Lee 2016-05-23 16:52:17 UTC

mentioned in commit fa0f61

_mentioned in commit fa0f61_

Choose File ... File name...
Cancel
Link here
Eric Lee 2016-07-29 03:39:24 UTC

mentioned in commit fa0f61

_mentioned in commit fa0f61_

Choose File ... File name...
Cancel
Link here
Eric Lee 2016-09-28 07:04:35 UTC

mentioned in commit fa0f61

_mentioned in commit fa0f61_

Choose File ... File name...
Cancel
Link here
Eric Lee 2017-01-15 15:04:52 UTC

mentioned in commit fa0f61

_mentioned in commit fa0f61_

Choose File ... File name...
Cancel
Link here
Eric Lee 2017-03-06 10:11:31 UTC

mentioned in commit fa0f61

_mentioned in commit fa0f61_

Choose File ... File name...
Cancel
Link here
Eric Lee 2018-09-03 11:49:40 UTC

mentioned in commit fa0f61

_mentioned in commit fa0f61_

Choose File ... File name...
Cancel
Link here
Eric Lee 2018-09-03 12:46:50 UTC

mentioned in commit fa0f61

_mentioned in commit fa0f61_

Choose File ... File name...
Cancel
Link here
Eric Lee 2018-09-03 13:07:58 UTC

mentioned in commit fa0f61

_mentioned in commit fa0f61_

Choose File ... File name...
Cancel
Link here
Eric Lee 2018-11-28 03:21:12 UTC

mentioned in commit fa0f61

_mentioned in commit fa0f61_

Choose File ... File name...
Cancel
Link here
Eric Lee 2019-01-14 08:31:17 UTC

mentioned in commit fa0f61

_mentioned in commit fa0f61_

Choose File ... File name...
Cancel
Link here
Eric Lee 2019-01-23 06:42:09 UTC

mentioned in commit fa0f61

_mentioned in commit fa0f61_

Choose File ... File name...
Cancel
Link here
Eric Lee 2019-03-27 12:37:28 UTC

mentioned in commit fa0f61

_mentioned in commit fa0f61_

Choose File ... File name...
Cancel
Link here
Eric Lee 2019-04-03 08:21:30 UTC

mentioned in commit fa0f61

_mentioned in commit fa0f61_

Choose File ... File name...
Cancel
Link here
Eric Lee 2019-04-27 07:54:36 UTC

mentioned in commit fa0f61

_mentioned in commit fa0f61_

Choose File ... File name...
Cancel
Link here
Eric Lee 2019-07-10 04:14:49 UTC

mentioned in commit fa0f61

_mentioned in commit fa0f61_

Choose File ... File name...
Cancel
Link here
Eric Lee 2019-11-01 15:32:01 UTC

mentioned in commit fa0f61

_mentioned in commit fa0f61_

Choose File ... File name...
Cancel
Link here
Eric Lee 2019-11-11 03:01:01 UTC

mentioned in commit fa0f61

_mentioned in commit fa0f61_

Choose File ... File name...
Cancel
Link here
Eric Lee 2019-11-25 02:38:41 UTC

mentioned in commit fa0f61

_mentioned in commit fa0f61_

Choose File ... File name...
Cancel
Link here
Eric Lee 2019-12-09 03:01:19 UTC

mentioned in commit fa0f61

_mentioned in commit fa0f61_

Choose File ... File name...
Cancel
Link here
Eric Lee 2020-01-15 02:28:09 UTC

mentioned in commit fa0f61

_mentioned in commit fa0f61_

Choose File ... File name...
Cancel
Link here
Eric Lee 2020-04-16 03:51:03 UTC

mentioned in commit fa0f61

_mentioned in commit fa0f61_

Choose File ... File name...
Cancel
Link here
Eric Lee 2020-05-08 05:47:45 UTC

mentioned in commit fa0f61

_mentioned in commit fa0f61_

Choose File ... File name...
Cancel
Link here
Eric Lee 2020-07-07 11:00:34 UTC

mentioned in commit fa0f61

_mentioned in commit fa0f61_

Choose File ... File name...
Cancel
Link here
Eric Lee 2020-08-14 06:19:14 UTC

mentioned in commit fa0f61

_mentioned in commit fa0f61_

Choose File ... File name...
Cancel
Link here
Eric Lee 2020-09-08 09:05:02 UTC

mentioned in commit fa0f61

_mentioned in commit fa0f61_

Choose File ... File name...
Cancel
Link here
Eric Lee 2021-04-28 07:51:48 UTC

mentioned in commit fa0f61

_mentioned in commit fa0f61_

Choose File ... File name...
Cancel
Link here
Eric Lee 2021-10-31 07:34:48 UTC

mentioned in commit fa0f61

_mentioned in commit fa0f61_

Choose File ... File name...
Cancel
Link here
Eric Lee 2021-12-10 07:02:12 UTC

mentioned in commit fa0f61

_mentioned in commit fa0f61_

Choose File ... File name...
Cancel
Link here
Eric Lee 2021-12-14 03:54:49 UTC

mentioned in commit fa0f61

_mentioned in commit fa0f61_

Choose File ... File name...
Cancel
Link here
Eric Lee 2022-06-14 08:08:25 UTC

mentioned in commit fa0f61

_mentioned in commit fa0f61_

Choose File ... File name...
Cancel
Link here
Eric Lee 2023-05-03 12:28:01 UTC

mentioned in commit fa0f61

_mentioned in commit fa0f61_

Choose File ... File name...
Cancel
Link here
Eric Lee 2023-05-08 10:17:41 UTC

mentioned in commit fa0f61

_mentioned in commit fa0f61_

Choose File ... File name...
Cancel
Link here
Eric Lee 2023-05-26 07:55:40 UTC

mentioned in commit fa0f61

_mentioned in commit fa0f61_

Choose File ... File name...
Cancel

1	/*	1	/*
2	* DCCP connection tracking protocol helper	2	* DCCP connection tracking protocol helper
3	*	3	*
4	* Copyright (c) 2005, 2006, 2008 Patrick McHardy <kaber@trash.net>	4	* Copyright (c) 2005, 2006, 2008 Patrick McHardy <kaber@trash.net>
5	*	5	*
6	* This program is free software; you can redistribute it and/or modify	6	* This program is free software; you can redistribute it and/or modify
7	* it under the terms of the GNU General Public License version 2 as	7	* it under the terms of the GNU General Public License version 2 as
8	* published by the Free Software Foundation.	8	* published by the Free Software Foundation.
9	*	9	*
10	*/	10	*/
11	#include <linux/kernel.h>	11	#include <linux/kernel.h>
12	#include <linux/module.h>	12	#include <linux/module.h>
13	#include <linux/init.h>	13	#include <linux/init.h>
14	#include <linux/sysctl.h>	14	#include <linux/sysctl.h>
15	#include <linux/spinlock.h>	15	#include <linux/spinlock.h>
16	#include <linux/skbuff.h>	16	#include <linux/skbuff.h>
17	#include <linux/dccp.h>	17	#include <linux/dccp.h>
18	#include <linux/slab.h>	18	#include <linux/slab.h>
19		19
20	#include <net/net_namespace.h>	20	#include <net/net_namespace.h>
21	#include <net/netns/generic.h>	21	#include <net/netns/generic.h>
22		22
23	#include <linux/netfilter/nfnetlink_conntrack.h>	23	#include <linux/netfilter/nfnetlink_conntrack.h>
24	#include <net/netfilter/nf_conntrack.h>	24	#include <net/netfilter/nf_conntrack.h>
25	#include <net/netfilter/nf_conntrack_l4proto.h>	25	#include <net/netfilter/nf_conntrack_l4proto.h>
26	#include <net/netfilter/nf_conntrack_ecache.h>	26	#include <net/netfilter/nf_conntrack_ecache.h>
27	#include <net/netfilter/nf_log.h>	27	#include <net/netfilter/nf_log.h>
28		28
29	/* Timeouts are based on values from RFC4340:	29	/* Timeouts are based on values from RFC4340:
30	*	30	*
31	* - REQUEST:	31	* - REQUEST:
32	*	32	*
33	* 8.1.2. Client Request	33	* 8.1.2. Client Request
34	*	34	*
35	* A client MAY give up on its DCCP-Requests after some time	35	* A client MAY give up on its DCCP-Requests after some time
36	* (3 minutes, for example).	36	* (3 minutes, for example).
37	*	37	*
38	* - RESPOND:	38	* - RESPOND:
39	*	39	*
40	* 8.1.3. Server Response	40	* 8.1.3. Server Response

1	/*	1	/*
2	* Connection tracking protocol helper module for SCTP.	2	* Connection tracking protocol helper module for SCTP.
3	*	3	*
4	* SCTP is defined in RFC 2960. References to various sections in this code	4	* SCTP is defined in RFC 2960. References to various sections in this code
5	* are to this RFC.	5	* are to this RFC.
6	*	6	*
7	* This program is free software; you can redistribute it and/or modify	7	* This program is free software; you can redistribute it and/or modify
8	* it under the terms of the GNU General Public License version 2 as	8	* it under the terms of the GNU General Public License version 2 as
9	* published by the Free Software Foundation.	9	* published by the Free Software Foundation.
10	*/	10	*/
11		11
12	#include <linux/types.h>	12	#include <linux/types.h>
13	#include <linux/timer.h>	13	#include <linux/timer.h>
14	#include <linux/netfilter.h>	14	#include <linux/netfilter.h>
15	#include <linux/module.h>	15	#include <linux/module.h>
16	#include <linux/in.h>	16	#include <linux/in.h>
17	#include <linux/ip.h>	17	#include <linux/ip.h>
18	#include <linux/sctp.h>	18	#include <linux/sctp.h>
19	#include <linux/string.h>	19	#include <linux/string.h>
20	#include <linux/seq_file.h>	20	#include <linux/seq_file.h>
21	#include <linux/spinlock.h>	21	#include <linux/spinlock.h>
22	#include <linux/interrupt.h>	22	#include <linux/interrupt.h>
23		23
24	#include <net/netfilter/nf_conntrack.h>	24	#include <net/netfilter/nf_conntrack.h>
25	#include <net/netfilter/nf_conntrack_l4proto.h>	25	#include <net/netfilter/nf_conntrack_l4proto.h>
26	#include <net/netfilter/nf_conntrack_ecache.h>	26	#include <net/netfilter/nf_conntrack_ecache.h>
27		27
28	/* FIXME: Examine ipfilter's timeouts and conntrack transitions more	28	/* FIXME: Examine ipfilter's timeouts and conntrack transitions more
29	closely. They're more complex. --RR	29	closely. They're more complex. --RR
30		30
31	And so for me for SCTP :D -Kiran */	31	And so for me for SCTP :D -Kiran */
32		32
33	static const char *const sctp_conntrack_names[] = {	33	static const char *const sctp_conntrack_names[] = {
34	"NONE",	34	"NONE",
35	"CLOSED",	35	"CLOSED",
36	"COOKIE_WAIT",	36	"COOKIE_WAIT",
37	"COOKIE_ECHOED",	37	"COOKIE_ECHOED",
38	"ESTABLISHED",	38	"ESTABLISHED",
39	"SHUTDOWN_SENT",	39	"SHUTDOWN_SENT",
40	"SHUTDOWN_RECD",	40	"SHUTDOWN_RECD",