Eric Lee / smarc-fsl-linux-kernel

Download as
Browse Code ยป

Commit 440f0d588555892601cfe511728a0fc0c8204063

Authored by Patrick McHardy
1 parent a31e1ffd22

netfilter: nf_conntrack: use per-conntrack locks for protocol data 

Introduce per-conntrack locks and use them instead of the global protocol
locks to avoid contention. Especially tcp_lock shows up very high in
profiles on larger machines.

This will also allow to simplify the upcoming reliable event delivery patches.

Signed-off-by: Patrick McHardy <kaber@trash.net>

Showing 8 changed files with 49 additions and 55 deletions Inline Diff

include/net/netfilter/nf_conntrack.h
Diff comments   View file @ 440f0d5
1 /* 1 /*
2 * Connection state tracking for netfilter. This is separated from, 2 * Connection state tracking for netfilter. This is separated from,
3 * but required by, the (future) NAT layer; it can also be used by an iptables 3 * but required by, the (future) NAT layer; it can also be used by an iptables
4 * extension. 4 * extension.
5 * 5 *
6 * 16 Dec 2003: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp> 6 * 16 Dec 2003: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp>
7 * - generalize L3 protocol dependent part. 7 * - generalize L3 protocol dependent part.
8 * 8 *
9 * Derived from include/linux/netfiter_ipv4/ip_conntrack.h 9 * Derived from include/linux/netfiter_ipv4/ip_conntrack.h
10 */ 10 */
11 11
12 #ifndef _NF_CONNTRACK_H 12 #ifndef _NF_CONNTRACK_H
13 #define _NF_CONNTRACK_H 13 #define _NF_CONNTRACK_H
14 14
15 #include <linux/netfilter/nf_conntrack_common.h> 15 #include <linux/netfilter/nf_conntrack_common.h>
16 16
17 #ifdef __KERNEL__ 17 #ifdef __KERNEL__
18 #include <linux/bitops.h> 18 #include <linux/bitops.h>
19 #include <linux/compiler.h> 19 #include <linux/compiler.h>
20 #include <asm/atomic.h> 20 #include <asm/atomic.h>
21 21
22 #include <linux/netfilter/nf_conntrack_tcp.h> 22 #include <linux/netfilter/nf_conntrack_tcp.h>
23 #include <linux/netfilter/nf_conntrack_dccp.h> 23 #include <linux/netfilter/nf_conntrack_dccp.h>
24 #include <linux/netfilter/nf_conntrack_sctp.h> 24 #include <linux/netfilter/nf_conntrack_sctp.h>
25 #include <linux/netfilter/nf_conntrack_proto_gre.h> 25 #include <linux/netfilter/nf_conntrack_proto_gre.h>
26 #include <net/netfilter/ipv6/nf_conntrack_icmpv6.h> 26 #include <net/netfilter/ipv6/nf_conntrack_icmpv6.h>
27 27
28 #include <net/netfilter/nf_conntrack_tuple.h> 28 #include <net/netfilter/nf_conntrack_tuple.h>
29 29
30 /* per conntrack: protocol private data */ 30 /* per conntrack: protocol private data */
31 union nf_conntrack_proto { 31 union nf_conntrack_proto {
32 /* insert conntrack proto private data here */ 32 /* insert conntrack proto private data here */
33 struct nf_ct_dccp dccp; 33 struct nf_ct_dccp dccp;
34 struct ip_ct_sctp sctp; 34 struct ip_ct_sctp sctp;
35 struct ip_ct_tcp tcp; 35 struct ip_ct_tcp tcp;
36 struct nf_ct_gre gre; 36 struct nf_ct_gre gre;
37 }; 37 };
38 38
39 union nf_conntrack_expect_proto { 39 union nf_conntrack_expect_proto {
40 /* insert expect proto private data here */ 40 /* insert expect proto private data here */
41 }; 41 };
42 42
43 /* Add protocol helper include file here */ 43 /* Add protocol helper include file here */
44 #include <linux/netfilter/nf_conntrack_ftp.h> 44 #include <linux/netfilter/nf_conntrack_ftp.h>
45 #include <linux/netfilter/nf_conntrack_pptp.h> 45 #include <linux/netfilter/nf_conntrack_pptp.h>
46 #include <linux/netfilter/nf_conntrack_h323.h> 46 #include <linux/netfilter/nf_conntrack_h323.h>
47 #include <linux/netfilter/nf_conntrack_sane.h> 47 #include <linux/netfilter/nf_conntrack_sane.h>
48 #include <linux/netfilter/nf_conntrack_sip.h> 48 #include <linux/netfilter/nf_conntrack_sip.h>
49 49
50 /* per conntrack: application helper private data */ 50 /* per conntrack: application helper private data */
51 union nf_conntrack_help { 51 union nf_conntrack_help {
52 /* insert conntrack helper private data (master) here */ 52 /* insert conntrack helper private data (master) here */
53 struct nf_ct_ftp_master ct_ftp_info; 53 struct nf_ct_ftp_master ct_ftp_info;
54 struct nf_ct_pptp_master ct_pptp_info; 54 struct nf_ct_pptp_master ct_pptp_info;
55 struct nf_ct_h323_master ct_h323_info; 55 struct nf_ct_h323_master ct_h323_info;
56 struct nf_ct_sane_master ct_sane_info; 56 struct nf_ct_sane_master ct_sane_info;
57 struct nf_ct_sip_master ct_sip_info; 57 struct nf_ct_sip_master ct_sip_info;
58 }; 58 };
59 59
60 #include <linux/types.h> 60 #include <linux/types.h>
61 #include <linux/skbuff.h> 61 #include <linux/skbuff.h>
62 #include <linux/timer.h> 62 #include <linux/timer.h>
63 63
64 #ifdef CONFIG_NETFILTER_DEBUG 64 #ifdef CONFIG_NETFILTER_DEBUG
65 #define NF_CT_ASSERT(x) WARN_ON(!(x)) 65 #define NF_CT_ASSERT(x) WARN_ON(!(x))
66 #else 66 #else
67 #define NF_CT_ASSERT(x) 67 #define NF_CT_ASSERT(x)
68 #endif 68 #endif
69 69
70 struct nf_conntrack_helper; 70 struct nf_conntrack_helper;
71 71
72 /* Must be kept in sync with the classes defined by helpers */ 72 /* Must be kept in sync with the classes defined by helpers */
73 #define NF_CT_MAX_EXPECT_CLASSES 3 73 #define NF_CT_MAX_EXPECT_CLASSES 3
74 74
75 /* nf_conn feature for connections that have a helper */ 75 /* nf_conn feature for connections that have a helper */
76 struct nf_conn_help { 76 struct nf_conn_help {
77 /* Helper. if any */ 77 /* Helper. if any */
78 struct nf_conntrack_helper *helper; 78 struct nf_conntrack_helper *helper;
79 79
80 union nf_conntrack_help help; 80 union nf_conntrack_help help;
81 81
82 struct hlist_head expectations; 82 struct hlist_head expectations;
83 83
84 /* Current number of expected connections */ 84 /* Current number of expected connections */
85 u8 expecting[NF_CT_MAX_EXPECT_CLASSES]; 85 u8 expecting[NF_CT_MAX_EXPECT_CLASSES];
86 }; 86 };
87 87
88 #include <net/netfilter/ipv4/nf_conntrack_ipv4.h> 88 #include <net/netfilter/ipv4/nf_conntrack_ipv4.h>
89 #include <net/netfilter/ipv6/nf_conntrack_ipv6.h> 89 #include <net/netfilter/ipv6/nf_conntrack_ipv6.h>
90 90
91 struct nf_conn { 91 struct nf_conn {
92 /* Usage count in here is 1 for hash table/destruct timer, 1 per skb, 92 /* Usage count in here is 1 for hash table/destruct timer, 1 per skb,
93 plus 1 for any connection(s) we are `master' for */ 93 plus 1 for any connection(s) we are `master' for */
94 struct nf_conntrack ct_general; 94 struct nf_conntrack ct_general;
95 95
96 spinlock_t lock;
97
96 /* XXX should I move this to the tail ? - Y.K */ 98 /* XXX should I move this to the tail ? - Y.K */
97 /* These are my tuples; original and reply */ 99 /* These are my tuples; original and reply */
98 struct nf_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX]; 100 struct nf_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX];
99 101
100 /* Have we seen traffic both ways yet? (bitset) */ 102 /* Have we seen traffic both ways yet? (bitset) */
101 unsigned long status; 103 unsigned long status;
102 104
103 /* If we were expected by an expectation, this will be it */ 105 /* If we were expected by an expectation, this will be it */
104 struct nf_conn *master; 106 struct nf_conn *master;
105 107
106 /* Timer function; drops refcnt when it goes off. */ 108 /* Timer function; drops refcnt when it goes off. */
107 struct timer_list timeout; 109 struct timer_list timeout;
108 110
109 #if defined(CONFIG_NF_CONNTRACK_MARK) 111 #if defined(CONFIG_NF_CONNTRACK_MARK)
110 u_int32_t mark; 112 u_int32_t mark;
111 #endif 113 #endif
112 114
113 #ifdef CONFIG_NF_CONNTRACK_SECMARK 115 #ifdef CONFIG_NF_CONNTRACK_SECMARK
114 u_int32_t secmark; 116 u_int32_t secmark;
115 #endif 117 #endif
116 118
117 /* Storage reserved for other modules: */ 119 /* Storage reserved for other modules: */
118 union nf_conntrack_proto proto; 120 union nf_conntrack_proto proto;
119 121
120 /* Extensions */ 122 /* Extensions */
121 struct nf_ct_ext *ext; 123 struct nf_ct_ext *ext;
122 #ifdef CONFIG_NET_NS 124 #ifdef CONFIG_NET_NS
123 struct net *ct_net; 125 struct net *ct_net;
124 #endif 126 #endif
125 }; 127 };
126 128
127 static inline struct nf_conn * 129 static inline struct nf_conn *
128 nf_ct_tuplehash_to_ctrack(const struct nf_conntrack_tuple_hash *hash) 130 nf_ct_tuplehash_to_ctrack(const struct nf_conntrack_tuple_hash *hash)
129 { 131 {
130 return container_of(hash, struct nf_conn, 132 return container_of(hash, struct nf_conn,
131 tuplehash[hash->tuple.dst.dir]); 133 tuplehash[hash->tuple.dst.dir]);
132 } 134 }
133 135
134 static inline u_int16_t nf_ct_l3num(const struct nf_conn *ct) 136 static inline u_int16_t nf_ct_l3num(const struct nf_conn *ct)
135 { 137 {
136 return ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num; 138 return ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
137 } 139 }
138 140
139 static inline u_int8_t nf_ct_protonum(const struct nf_conn *ct) 141 static inline u_int8_t nf_ct_protonum(const struct nf_conn *ct)
140 { 142 {
141 return ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum; 143 return ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum;
142 } 144 }
143 145
144 #define nf_ct_tuple(ct, dir) (&(ct)->tuplehash[dir].tuple) 146 #define nf_ct_tuple(ct, dir) (&(ct)->tuplehash[dir].tuple)
145 147
146 /* get master conntrack via master expectation */ 148 /* get master conntrack via master expectation */
147 #define master_ct(conntr) (conntr->master) 149 #define master_ct(conntr) (conntr->master)
148 150
149 extern struct net init_net; 151 extern struct net init_net;
150 152
151 static inline struct net *nf_ct_net(const struct nf_conn *ct) 153 static inline struct net *nf_ct_net(const struct nf_conn *ct)
152 { 154 {
153 #ifdef CONFIG_NET_NS 155 #ifdef CONFIG_NET_NS
154 return ct->ct_net; 156 return ct->ct_net;
155 #else 157 #else
156 return &init_net; 158 return &init_net;
157 #endif 159 #endif
158 } 160 }
159 161
160 /* Alter reply tuple (maybe alter helper). */ 162 /* Alter reply tuple (maybe alter helper). */
161 extern void 163 extern void
162 nf_conntrack_alter_reply(struct nf_conn *ct, 164 nf_conntrack_alter_reply(struct nf_conn *ct,
163 const struct nf_conntrack_tuple *newreply); 165 const struct nf_conntrack_tuple *newreply);
164 166
165 /* Is this tuple taken? (ignoring any belonging to the given 167 /* Is this tuple taken? (ignoring any belonging to the given
166 conntrack). */ 168 conntrack). */
167 extern int 169 extern int
168 nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple, 170 nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple,
169 const struct nf_conn *ignored_conntrack); 171 const struct nf_conn *ignored_conntrack);
170 172
171 /* Return conntrack_info and tuple hash for given skb. */ 173 /* Return conntrack_info and tuple hash for given skb. */
172 static inline struct nf_conn * 174 static inline struct nf_conn *
173 nf_ct_get(const struct sk_buff *skb, enum ip_conntrack_info *ctinfo) 175 nf_ct_get(const struct sk_buff *skb, enum ip_conntrack_info *ctinfo)
174 { 176 {
175 *ctinfo = skb->nfctinfo; 177 *ctinfo = skb->nfctinfo;
176 return (struct nf_conn *)skb->nfct; 178 return (struct nf_conn *)skb->nfct;
177 } 179 }
178 180
179 /* decrement reference count on a conntrack */ 181 /* decrement reference count on a conntrack */
180 static inline void nf_ct_put(struct nf_conn *ct) 182 static inline void nf_ct_put(struct nf_conn *ct)
181 { 183 {
182 NF_CT_ASSERT(ct); 184 NF_CT_ASSERT(ct);
183 nf_conntrack_put(&ct->ct_general); 185 nf_conntrack_put(&ct->ct_general);
184 } 186 }
185 187
186 /* Protocol module loading */ 188 /* Protocol module loading */
187 extern int nf_ct_l3proto_try_module_get(unsigned short l3proto); 189 extern int nf_ct_l3proto_try_module_get(unsigned short l3proto);
188 extern void nf_ct_l3proto_module_put(unsigned short l3proto); 190 extern void nf_ct_l3proto_module_put(unsigned short l3proto);
189 191
190 /* 192 /*
191 * Allocate a hashtable of hlist_head (if nulls == 0), 193 * Allocate a hashtable of hlist_head (if nulls == 0),
192 * or hlist_nulls_head (if nulls == 1) 194 * or hlist_nulls_head (if nulls == 1)
193 */ 195 */
194 extern void *nf_ct_alloc_hashtable(unsigned int *sizep, int *vmalloced, int nulls); 196 extern void *nf_ct_alloc_hashtable(unsigned int *sizep, int *vmalloced, int nulls);
195 197
196 extern void nf_ct_free_hashtable(void *hash, int vmalloced, unsigned int size); 198 extern void nf_ct_free_hashtable(void *hash, int vmalloced, unsigned int size);
197 199
198 extern struct nf_conntrack_tuple_hash * 200 extern struct nf_conntrack_tuple_hash *
199 __nf_conntrack_find(struct net *net, const struct nf_conntrack_tuple *tuple); 201 __nf_conntrack_find(struct net *net, const struct nf_conntrack_tuple *tuple);
200 202
201 extern void nf_conntrack_hash_insert(struct nf_conn *ct); 203 extern void nf_conntrack_hash_insert(struct nf_conn *ct);
202 204
203 extern void nf_conntrack_flush_report(struct net *net, u32 pid, int report); 205 extern void nf_conntrack_flush_report(struct net *net, u32 pid, int report);
204 206
205 extern bool nf_ct_get_tuplepr(const struct sk_buff *skb, 207 extern bool nf_ct_get_tuplepr(const struct sk_buff *skb,
206 unsigned int nhoff, u_int16_t l3num, 208 unsigned int nhoff, u_int16_t l3num,
207 struct nf_conntrack_tuple *tuple); 209 struct nf_conntrack_tuple *tuple);
208 extern bool nf_ct_invert_tuplepr(struct nf_conntrack_tuple *inverse, 210 extern bool nf_ct_invert_tuplepr(struct nf_conntrack_tuple *inverse,
209 const struct nf_conntrack_tuple *orig); 211 const struct nf_conntrack_tuple *orig);
210 212
211 extern void __nf_ct_refresh_acct(struct nf_conn *ct, 213 extern void __nf_ct_refresh_acct(struct nf_conn *ct,
212 enum ip_conntrack_info ctinfo, 214 enum ip_conntrack_info ctinfo,
213 const struct sk_buff *skb, 215 const struct sk_buff *skb,
214 unsigned long extra_jiffies, 216 unsigned long extra_jiffies,
215 int do_acct); 217 int do_acct);
216 218
217 /* Refresh conntrack for this many jiffies and do accounting */ 219 /* Refresh conntrack for this many jiffies and do accounting */
218 static inline void nf_ct_refresh_acct(struct nf_conn *ct, 220 static inline void nf_ct_refresh_acct(struct nf_conn *ct,
219 enum ip_conntrack_info ctinfo, 221 enum ip_conntrack_info ctinfo,
220 const struct sk_buff *skb, 222 const struct sk_buff *skb,
221 unsigned long extra_jiffies) 223 unsigned long extra_jiffies)
222 { 224 {
223 __nf_ct_refresh_acct(ct, ctinfo, skb, extra_jiffies, 1); 225 __nf_ct_refresh_acct(ct, ctinfo, skb, extra_jiffies, 1);
224 } 226 }
225 227
226 /* Refresh conntrack for this many jiffies */ 228 /* Refresh conntrack for this many jiffies */
227 static inline void nf_ct_refresh(struct nf_conn *ct, 229 static inline void nf_ct_refresh(struct nf_conn *ct,
228 const struct sk_buff *skb, 230 const struct sk_buff *skb,
229 unsigned long extra_jiffies) 231 unsigned long extra_jiffies)
230 { 232 {
231 __nf_ct_refresh_acct(ct, 0, skb, extra_jiffies, 0); 233 __nf_ct_refresh_acct(ct, 0, skb, extra_jiffies, 0);
232 } 234 }
233 235
234 extern bool __nf_ct_kill_acct(struct nf_conn *ct, 236 extern bool __nf_ct_kill_acct(struct nf_conn *ct,
235 enum ip_conntrack_info ctinfo, 237 enum ip_conntrack_info ctinfo,
236 const struct sk_buff *skb, 238 const struct sk_buff *skb,
237 int do_acct); 239 int do_acct);
238 240
239 /* kill conntrack and do accounting */ 241 /* kill conntrack and do accounting */
240 static inline bool nf_ct_kill_acct(struct nf_conn *ct, 242 static inline bool nf_ct_kill_acct(struct nf_conn *ct,
241 enum ip_conntrack_info ctinfo, 243 enum ip_conntrack_info ctinfo,
242 const struct sk_buff *skb) 244 const struct sk_buff *skb)
243 { 245 {
244 return __nf_ct_kill_acct(ct, ctinfo, skb, 1); 246 return __nf_ct_kill_acct(ct, ctinfo, skb, 1);
245 } 247 }
246 248
247 /* kill conntrack without accounting */ 249 /* kill conntrack without accounting */
248 static inline bool nf_ct_kill(struct nf_conn *ct) 250 static inline bool nf_ct_kill(struct nf_conn *ct)
249 { 251 {
250 return __nf_ct_kill_acct(ct, 0, NULL, 0); 252 return __nf_ct_kill_acct(ct, 0, NULL, 0);
251 } 253 }
252 254
253 /* These are for NAT. Icky. */ 255 /* These are for NAT. Icky. */
254 /* Update TCP window tracking data when NAT mangles the packet */ 256 /* Update TCP window tracking data when NAT mangles the packet */
255 extern void nf_conntrack_tcp_update(const struct sk_buff *skb, 257 extern void nf_conntrack_tcp_update(const struct sk_buff *skb,
256 unsigned int dataoff, 258 unsigned int dataoff,
257 struct nf_conn *ct, 259 struct nf_conn *ct,
258 int dir); 260 int dir);
259 261
260 /* Fake conntrack entry for untracked connections */ 262 /* Fake conntrack entry for untracked connections */
261 extern struct nf_conn nf_conntrack_untracked; 263 extern struct nf_conn nf_conntrack_untracked;
262 264
263 /* Iterate over all conntracks: if iter returns true, it's deleted. */ 265 /* Iterate over all conntracks: if iter returns true, it's deleted. */
264 extern void 266 extern void
265 nf_ct_iterate_cleanup(struct net *net, int (*iter)(struct nf_conn *i, void *data), void *data); 267 nf_ct_iterate_cleanup(struct net *net, int (*iter)(struct nf_conn *i, void *data), void *data);
266 extern void nf_conntrack_free(struct nf_conn *ct); 268 extern void nf_conntrack_free(struct nf_conn *ct);
267 extern struct nf_conn * 269 extern struct nf_conn *
268 nf_conntrack_alloc(struct net *net, 270 nf_conntrack_alloc(struct net *net,
269 const struct nf_conntrack_tuple *orig, 271 const struct nf_conntrack_tuple *orig,
270 const struct nf_conntrack_tuple *repl, 272 const struct nf_conntrack_tuple *repl,
271 gfp_t gfp); 273 gfp_t gfp);
272 274
273 /* It's confirmed if it is, or has been in the hash table. */ 275 /* It's confirmed if it is, or has been in the hash table. */
274 static inline int nf_ct_is_confirmed(struct nf_conn *ct) 276 static inline int nf_ct_is_confirmed(struct nf_conn *ct)
275 { 277 {
276 return test_bit(IPS_CONFIRMED_BIT, &ct->status); 278 return test_bit(IPS_CONFIRMED_BIT, &ct->status);
277 } 279 }
278 280
279 static inline int nf_ct_is_dying(struct nf_conn *ct) 281 static inline int nf_ct_is_dying(struct nf_conn *ct)
280 { 282 {
281 return test_bit(IPS_DYING_BIT, &ct->status); 283 return test_bit(IPS_DYING_BIT, &ct->status);
282 } 284 }
283 285
284 static inline int nf_ct_is_untracked(const struct sk_buff *skb) 286 static inline int nf_ct_is_untracked(const struct sk_buff *skb)
285 { 287 {
286 return (skb->nfct == &nf_conntrack_untracked.ct_general); 288 return (skb->nfct == &nf_conntrack_untracked.ct_general);
287 } 289 }
288 290
289 extern int nf_conntrack_set_hashsize(const char *val, struct kernel_param *kp); 291 extern int nf_conntrack_set_hashsize(const char *val, struct kernel_param *kp);
290 extern unsigned int nf_conntrack_htable_size; 292 extern unsigned int nf_conntrack_htable_size;
291 extern unsigned int nf_conntrack_max; 293 extern unsigned int nf_conntrack_max;
292 294
293 #define NF_CT_STAT_INC(net, count) \ 295 #define NF_CT_STAT_INC(net, count) \
294 (per_cpu_ptr((net)->ct.stat, raw_smp_processor_id())->count++) 296 (per_cpu_ptr((net)->ct.stat, raw_smp_processor_id())->count++)
295 #define NF_CT_STAT_INC_ATOMIC(net, count) \ 297 #define NF_CT_STAT_INC_ATOMIC(net, count) \
296 do { \ 298 do { \
297 local_bh_disable(); \ 299 local_bh_disable(); \
298 per_cpu_ptr((net)->ct.stat, raw_smp_processor_id())->count++; \ 300 per_cpu_ptr((net)->ct.stat, raw_smp_processor_id())->count++; \
299 local_bh_enable(); \ 301 local_bh_enable(); \
300 } while (0) 302 } while (0)
301 303
302 #define MODULE_ALIAS_NFCT_HELPER(helper) \ 304 #define MODULE_ALIAS_NFCT_HELPER(helper) \
303 MODULE_ALIAS("nfct-helper-" helper) 305 MODULE_ALIAS("nfct-helper-" helper)
304 306
305 #endif /* __KERNEL__ */ 307 #endif /* __KERNEL__ */
306 #endif /* _NF_CONNTRACK_H */ 308 #endif /* _NF_CONNTRACK_H */
307 309
include/net/netfilter/nf_conntrack_l4proto.h
Diff comments   View file @ 440f0d5
1 /* 1 /*
2 * Header for use in defining a given L4 protocol for connection tracking. 2 * Header for use in defining a given L4 protocol for connection tracking.
3 * 3 *
4 * 16 Dec 2003: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp> 4 * 16 Dec 2003: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp>
5 * - generalized L3 protocol dependent part. 5 * - generalized L3 protocol dependent part.
6 * 6 *
7 * Derived from include/linux/netfiter_ipv4/ip_conntrack_protcol.h 7 * Derived from include/linux/netfiter_ipv4/ip_conntrack_protcol.h
8 */ 8 */
9 9
10 #ifndef _NF_CONNTRACK_L4PROTO_H 10 #ifndef _NF_CONNTRACK_L4PROTO_H
11 #define _NF_CONNTRACK_L4PROTO_H 11 #define _NF_CONNTRACK_L4PROTO_H
12 #include <linux/netlink.h> 12 #include <linux/netlink.h>
13 #include <net/netlink.h> 13 #include <net/netlink.h>
14 #include <net/netfilter/nf_conntrack.h> 14 #include <net/netfilter/nf_conntrack.h>
15 15
16 struct seq_file; 16 struct seq_file;
17 17
18 struct nf_conntrack_l4proto 18 struct nf_conntrack_l4proto
19 { 19 {
20 /* L3 Protocol number. */ 20 /* L3 Protocol number. */
21 u_int16_t l3proto; 21 u_int16_t l3proto;
22 22
23 /* L4 Protocol number. */ 23 /* L4 Protocol number. */
24 u_int8_t l4proto; 24 u_int8_t l4proto;
25 25
26 /* Try to fill in the third arg: dataoff is offset past network protocol 26 /* Try to fill in the third arg: dataoff is offset past network protocol
27 hdr. Return true if possible. */ 27 hdr. Return true if possible. */
28 bool (*pkt_to_tuple)(const struct sk_buff *skb, unsigned int dataoff, 28 bool (*pkt_to_tuple)(const struct sk_buff *skb, unsigned int dataoff,
29 struct nf_conntrack_tuple *tuple); 29 struct nf_conntrack_tuple *tuple);
30 30
31 /* Invert the per-proto part of the tuple: ie. turn xmit into reply. 31 /* Invert the per-proto part of the tuple: ie. turn xmit into reply.
32 * Some packets can't be inverted: return 0 in that case. 32 * Some packets can't be inverted: return 0 in that case.
33 */ 33 */
34 bool (*invert_tuple)(struct nf_conntrack_tuple *inverse, 34 bool (*invert_tuple)(struct nf_conntrack_tuple *inverse,
35 const struct nf_conntrack_tuple *orig); 35 const struct nf_conntrack_tuple *orig);
36 36
37 /* Returns verdict for packet, or -1 for invalid. */ 37 /* Returns verdict for packet, or -1 for invalid. */
38 int (*packet)(struct nf_conn *ct, 38 int (*packet)(struct nf_conn *ct,
39 const struct sk_buff *skb, 39 const struct sk_buff *skb,
40 unsigned int dataoff, 40 unsigned int dataoff,
41 enum ip_conntrack_info ctinfo, 41 enum ip_conntrack_info ctinfo,
42 u_int8_t pf, 42 u_int8_t pf,
43 unsigned int hooknum); 43 unsigned int hooknum);
44 44
45 /* Called when a new connection for this protocol found; 45 /* Called when a new connection for this protocol found;
46 * returns TRUE if it's OK. If so, packet() called next. */ 46 * returns TRUE if it's OK. If so, packet() called next. */
47 bool (*new)(struct nf_conn *ct, const struct sk_buff *skb, 47 bool (*new)(struct nf_conn *ct, const struct sk_buff *skb,
48 unsigned int dataoff); 48 unsigned int dataoff);
49 49
50 /* Called when a conntrack entry is destroyed */ 50 /* Called when a conntrack entry is destroyed */
51 void (*destroy)(struct nf_conn *ct); 51 void (*destroy)(struct nf_conn *ct);
52 52
53 int (*error)(struct net *net, struct sk_buff *skb, unsigned int dataoff, 53 int (*error)(struct net *net, struct sk_buff *skb, unsigned int dataoff,
54 enum ip_conntrack_info *ctinfo, 54 enum ip_conntrack_info *ctinfo,
55 u_int8_t pf, unsigned int hooknum); 55 u_int8_t pf, unsigned int hooknum);
56 56
57 /* Print out the per-protocol part of the tuple. Return like seq_* */ 57 /* Print out the per-protocol part of the tuple. Return like seq_* */
58 int (*print_tuple)(struct seq_file *s, 58 int (*print_tuple)(struct seq_file *s,
59 const struct nf_conntrack_tuple *); 59 const struct nf_conntrack_tuple *);
60 60
61 /* Print out the private part of the conntrack. */ 61 /* Print out the private part of the conntrack. */
62 int (*print_conntrack)(struct seq_file *s, const struct nf_conn *); 62 int (*print_conntrack)(struct seq_file *s, struct nf_conn *);
63 63
64 /* convert protoinfo to nfnetink attributes */ 64 /* convert protoinfo to nfnetink attributes */
65 int (*to_nlattr)(struct sk_buff *skb, struct nlattr *nla, 65 int (*to_nlattr)(struct sk_buff *skb, struct nlattr *nla,
66 const struct nf_conn *ct); 66 struct nf_conn *ct);
67 /* Calculate protoinfo nlattr size */ 67 /* Calculate protoinfo nlattr size */
68 int (*nlattr_size)(void); 68 int (*nlattr_size)(void);
69 69
70 /* convert nfnetlink attributes to protoinfo */ 70 /* convert nfnetlink attributes to protoinfo */
71 int (*from_nlattr)(struct nlattr *tb[], struct nf_conn *ct); 71 int (*from_nlattr)(struct nlattr *tb[], struct nf_conn *ct);
72 72
73 int (*tuple_to_nlattr)(struct sk_buff *skb, 73 int (*tuple_to_nlattr)(struct sk_buff *skb,
74 const struct nf_conntrack_tuple *t); 74 const struct nf_conntrack_tuple *t);
75 /* Calculate tuple nlattr size */ 75 /* Calculate tuple nlattr size */
76 int (*nlattr_tuple_size)(void); 76 int (*nlattr_tuple_size)(void);
77 int (*nlattr_to_tuple)(struct nlattr *tb[], 77 int (*nlattr_to_tuple)(struct nlattr *tb[],
78 struct nf_conntrack_tuple *t); 78 struct nf_conntrack_tuple *t);
79 const struct nla_policy *nla_policy; 79 const struct nla_policy *nla_policy;
80 80
81 size_t nla_size; 81 size_t nla_size;
82 82
83 #ifdef CONFIG_SYSCTL 83 #ifdef CONFIG_SYSCTL
84 struct ctl_table_header **ctl_table_header; 84 struct ctl_table_header **ctl_table_header;
85 struct ctl_table *ctl_table; 85 struct ctl_table *ctl_table;
86 unsigned int *ctl_table_users; 86 unsigned int *ctl_table_users;
87 #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT 87 #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
88 struct ctl_table_header *ctl_compat_table_header; 88 struct ctl_table_header *ctl_compat_table_header;
89 struct ctl_table *ctl_compat_table; 89 struct ctl_table *ctl_compat_table;
90 #endif 90 #endif
91 #endif 91 #endif
92 /* Protocol name */ 92 /* Protocol name */
93 const char *name; 93 const char *name;
94 94
95 /* Module (if any) which this is connected to. */ 95 /* Module (if any) which this is connected to. */
96 struct module *me; 96 struct module *me;
97 }; 97 };
98 98
99 /* Existing built-in generic protocol */ 99 /* Existing built-in generic protocol */
100 extern struct nf_conntrack_l4proto nf_conntrack_l4proto_generic; 100 extern struct nf_conntrack_l4proto nf_conntrack_l4proto_generic;
101 101
102 #define MAX_NF_CT_PROTO 256 102 #define MAX_NF_CT_PROTO 256
103 103
104 extern struct nf_conntrack_l4proto * 104 extern struct nf_conntrack_l4proto *
105 __nf_ct_l4proto_find(u_int16_t l3proto, u_int8_t l4proto); 105 __nf_ct_l4proto_find(u_int16_t l3proto, u_int8_t l4proto);
106 106
107 /* Protocol registration. */ 107 /* Protocol registration. */
108 extern int nf_conntrack_l4proto_register(struct nf_conntrack_l4proto *proto); 108 extern int nf_conntrack_l4proto_register(struct nf_conntrack_l4proto *proto);
109 extern void nf_conntrack_l4proto_unregister(struct nf_conntrack_l4proto *proto); 109 extern void nf_conntrack_l4proto_unregister(struct nf_conntrack_l4proto *proto);
110 110
111 /* Generic netlink helpers */ 111 /* Generic netlink helpers */
112 extern int nf_ct_port_tuple_to_nlattr(struct sk_buff *skb, 112 extern int nf_ct_port_tuple_to_nlattr(struct sk_buff *skb,
113 const struct nf_conntrack_tuple *tuple); 113 const struct nf_conntrack_tuple *tuple);
114 extern int nf_ct_port_nlattr_to_tuple(struct nlattr *tb[], 114 extern int nf_ct_port_nlattr_to_tuple(struct nlattr *tb[],
115 struct nf_conntrack_tuple *t); 115 struct nf_conntrack_tuple *t);
116 extern int nf_ct_port_nlattr_tuple_size(void); 116 extern int nf_ct_port_nlattr_tuple_size(void);
117 extern const struct nla_policy nf_ct_port_nla_policy[]; 117 extern const struct nla_policy nf_ct_port_nla_policy[];
118 118
119 #ifdef CONFIG_SYSCTL 119 #ifdef CONFIG_SYSCTL
120 #ifdef DEBUG_INVALID_PACKETS 120 #ifdef DEBUG_INVALID_PACKETS
121 #define LOG_INVALID(net, proto) \ 121 #define LOG_INVALID(net, proto) \
122 ((net)->ct.sysctl_log_invalid == (proto) || \ 122 ((net)->ct.sysctl_log_invalid == (proto) || \
123 (net)->ct.sysctl_log_invalid == IPPROTO_RAW) 123 (net)->ct.sysctl_log_invalid == IPPROTO_RAW)
124 #else 124 #else
125 #define LOG_INVALID(net, proto) \ 125 #define LOG_INVALID(net, proto) \
126 (((net)->ct.sysctl_log_invalid == (proto) || \ 126 (((net)->ct.sysctl_log_invalid == (proto) || \
127 (net)->ct.sysctl_log_invalid == IPPROTO_RAW) \ 127 (net)->ct.sysctl_log_invalid == IPPROTO_RAW) \
128 && net_ratelimit()) 128 && net_ratelimit())
129 #endif 129 #endif
130 #else 130 #else
131 static inline int LOG_INVALID(struct net *net, int proto) { return 0; } 131 static inline int LOG_INVALID(struct net *net, int proto) { return 0; }
132 #endif /* CONFIG_SYSCTL */ 132 #endif /* CONFIG_SYSCTL */
133 133
134 #endif /*_NF_CONNTRACK_PROTOCOL_H*/ 134 #endif /*_NF_CONNTRACK_PROTOCOL_H*/
135 135
net/netfilter/nf_conntrack_core.c
Diff comments   View file @ 440f0d5
1 /* Connection state tracking for netfilter. This is separated from, 1 /* Connection state tracking for netfilter. This is separated from,
2 but required by, the NAT layer; it can also be used by an iptables 2 but required by, the NAT layer; it can also be used by an iptables
3 extension. */ 3 extension. */
4 4
5 /* (C) 1999-2001 Paul `Rusty' Russell 5 /* (C) 1999-2001 Paul `Rusty' Russell
6 * (C) 2002-2006 Netfilter Core Team <coreteam@netfilter.org> 6 * (C) 2002-2006 Netfilter Core Team <coreteam@netfilter.org>
7 * (C) 2003,2004 USAGI/WIDE Project <http://www.linux-ipv6.org> 7 * (C) 2003,2004 USAGI/WIDE Project <http://www.linux-ipv6.org>
8 * 8 *
9 * This program is free software; you can redistribute it and/or modify 9 * This program is free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License version 2 as 10 * it under the terms of the GNU General Public License version 2 as
11 * published by the Free Software Foundation. 11 * published by the Free Software Foundation.
12 */ 12 */
13 13
14 #include <linux/types.h> 14 #include <linux/types.h>
15 #include <linux/netfilter.h> 15 #include <linux/netfilter.h>
16 #include <linux/module.h> 16 #include <linux/module.h>
17 #include <linux/skbuff.h> 17 #include <linux/skbuff.h>
18 #include <linux/proc_fs.h> 18 #include <linux/proc_fs.h>
19 #include <linux/vmalloc.h> 19 #include <linux/vmalloc.h>
20 #include <linux/stddef.h> 20 #include <linux/stddef.h>
21 #include <linux/slab.h> 21 #include <linux/slab.h>
22 #include <linux/random.h> 22 #include <linux/random.h>
23 #include <linux/jhash.h> 23 #include <linux/jhash.h>
24 #include <linux/err.h> 24 #include <linux/err.h>
25 #include <linux/percpu.h> 25 #include <linux/percpu.h>
26 #include <linux/moduleparam.h> 26 #include <linux/moduleparam.h>
27 #include <linux/notifier.h> 27 #include <linux/notifier.h>
28 #include <linux/kernel.h> 28 #include <linux/kernel.h>
29 #include <linux/netdevice.h> 29 #include <linux/netdevice.h>
30 #include <linux/socket.h> 30 #include <linux/socket.h>
31 #include <linux/mm.h> 31 #include <linux/mm.h>
32 #include <linux/rculist_nulls.h> 32 #include <linux/rculist_nulls.h>
33 33
34 #include <net/netfilter/nf_conntrack.h> 34 #include <net/netfilter/nf_conntrack.h>
35 #include <net/netfilter/nf_conntrack_l3proto.h> 35 #include <net/netfilter/nf_conntrack_l3proto.h>
36 #include <net/netfilter/nf_conntrack_l4proto.h> 36 #include <net/netfilter/nf_conntrack_l4proto.h>
37 #include <net/netfilter/nf_conntrack_expect.h> 37 #include <net/netfilter/nf_conntrack_expect.h>
38 #include <net/netfilter/nf_conntrack_helper.h> 38 #include <net/netfilter/nf_conntrack_helper.h>
39 #include <net/netfilter/nf_conntrack_core.h> 39 #include <net/netfilter/nf_conntrack_core.h>
40 #include <net/netfilter/nf_conntrack_extend.h> 40 #include <net/netfilter/nf_conntrack_extend.h>
41 #include <net/netfilter/nf_conntrack_acct.h> 41 #include <net/netfilter/nf_conntrack_acct.h>
42 #include <net/netfilter/nf_nat.h> 42 #include <net/netfilter/nf_nat.h>
43 #include <net/netfilter/nf_nat_core.h> 43 #include <net/netfilter/nf_nat_core.h>
44 44
45 #define NF_CONNTRACK_VERSION "0.5.0" 45 #define NF_CONNTRACK_VERSION "0.5.0"
46 46
47 int (*nfnetlink_parse_nat_setup_hook)(struct nf_conn *ct, 47 int (*nfnetlink_parse_nat_setup_hook)(struct nf_conn *ct,
48 enum nf_nat_manip_type manip, 48 enum nf_nat_manip_type manip,
49 struct nlattr *attr) __read_mostly; 49 struct nlattr *attr) __read_mostly;
50 EXPORT_SYMBOL_GPL(nfnetlink_parse_nat_setup_hook); 50 EXPORT_SYMBOL_GPL(nfnetlink_parse_nat_setup_hook);
51 51
52 DEFINE_SPINLOCK(nf_conntrack_lock); 52 DEFINE_SPINLOCK(nf_conntrack_lock);
53 EXPORT_SYMBOL_GPL(nf_conntrack_lock); 53 EXPORT_SYMBOL_GPL(nf_conntrack_lock);
54 54
55 unsigned int nf_conntrack_htable_size __read_mostly; 55 unsigned int nf_conntrack_htable_size __read_mostly;
56 EXPORT_SYMBOL_GPL(nf_conntrack_htable_size); 56 EXPORT_SYMBOL_GPL(nf_conntrack_htable_size);
57 57
58 unsigned int nf_conntrack_max __read_mostly; 58 unsigned int nf_conntrack_max __read_mostly;
59 EXPORT_SYMBOL_GPL(nf_conntrack_max); 59 EXPORT_SYMBOL_GPL(nf_conntrack_max);
60 60
61 struct nf_conn nf_conntrack_untracked __read_mostly; 61 struct nf_conn nf_conntrack_untracked __read_mostly;
62 EXPORT_SYMBOL_GPL(nf_conntrack_untracked); 62 EXPORT_SYMBOL_GPL(nf_conntrack_untracked);
63 63
64 static struct kmem_cache *nf_conntrack_cachep __read_mostly; 64 static struct kmem_cache *nf_conntrack_cachep __read_mostly;
65 65
66 static int nf_conntrack_hash_rnd_initted; 66 static int nf_conntrack_hash_rnd_initted;
67 static unsigned int nf_conntrack_hash_rnd; 67 static unsigned int nf_conntrack_hash_rnd;
68 68
69 static u_int32_t __hash_conntrack(const struct nf_conntrack_tuple *tuple, 69 static u_int32_t __hash_conntrack(const struct nf_conntrack_tuple *tuple,
70 unsigned int size, unsigned int rnd) 70 unsigned int size, unsigned int rnd)
71 { 71 {
72 unsigned int n; 72 unsigned int n;
73 u_int32_t h; 73 u_int32_t h;
74 74
75 /* The direction must be ignored, so we hash everything up to the 75 /* The direction must be ignored, so we hash everything up to the
76 * destination ports (which is a multiple of 4) and treat the last 76 * destination ports (which is a multiple of 4) and treat the last
77 * three bytes manually. 77 * three bytes manually.
78 */ 78 */
79 n = (sizeof(tuple->src) + sizeof(tuple->dst.u3)) / sizeof(u32); 79 n = (sizeof(tuple->src) + sizeof(tuple->dst.u3)) / sizeof(u32);
80 h = jhash2((u32 *)tuple, n, 80 h = jhash2((u32 *)tuple, n,
81 rnd ^ (((__force __u16)tuple->dst.u.all << 16) | 81 rnd ^ (((__force __u16)tuple->dst.u.all << 16) |
82 tuple->dst.protonum)); 82 tuple->dst.protonum));
83 83
84 return ((u64)h * size) >> 32; 84 return ((u64)h * size) >> 32;
85 } 85 }
86 86
87 static inline u_int32_t hash_conntrack(const struct nf_conntrack_tuple *tuple) 87 static inline u_int32_t hash_conntrack(const struct nf_conntrack_tuple *tuple)
88 { 88 {
89 return __hash_conntrack(tuple, nf_conntrack_htable_size, 89 return __hash_conntrack(tuple, nf_conntrack_htable_size,
90 nf_conntrack_hash_rnd); 90 nf_conntrack_hash_rnd);
91 } 91 }
92 92
93 bool 93 bool
94 nf_ct_get_tuple(const struct sk_buff *skb, 94 nf_ct_get_tuple(const struct sk_buff *skb,
95 unsigned int nhoff, 95 unsigned int nhoff,
96 unsigned int dataoff, 96 unsigned int dataoff,
97 u_int16_t l3num, 97 u_int16_t l3num,
98 u_int8_t protonum, 98 u_int8_t protonum,
99 struct nf_conntrack_tuple *tuple, 99 struct nf_conntrack_tuple *tuple,
100 const struct nf_conntrack_l3proto *l3proto, 100 const struct nf_conntrack_l3proto *l3proto,
101 const struct nf_conntrack_l4proto *l4proto) 101 const struct nf_conntrack_l4proto *l4proto)
102 { 102 {
103 memset(tuple, 0, sizeof(*tuple)); 103 memset(tuple, 0, sizeof(*tuple));
104 104
105 tuple->src.l3num = l3num; 105 tuple->src.l3num = l3num;
106 if (l3proto->pkt_to_tuple(skb, nhoff, tuple) == 0) 106 if (l3proto->pkt_to_tuple(skb, nhoff, tuple) == 0)
107 return false; 107 return false;
108 108
109 tuple->dst.protonum = protonum; 109 tuple->dst.protonum = protonum;
110 tuple->dst.dir = IP_CT_DIR_ORIGINAL; 110 tuple->dst.dir = IP_CT_DIR_ORIGINAL;
111 111
112 return l4proto->pkt_to_tuple(skb, dataoff, tuple); 112 return l4proto->pkt_to_tuple(skb, dataoff, tuple);
113 } 113 }
114 EXPORT_SYMBOL_GPL(nf_ct_get_tuple); 114 EXPORT_SYMBOL_GPL(nf_ct_get_tuple);
115 115
116 bool nf_ct_get_tuplepr(const struct sk_buff *skb, unsigned int nhoff, 116 bool nf_ct_get_tuplepr(const struct sk_buff *skb, unsigned int nhoff,
117 u_int16_t l3num, struct nf_conntrack_tuple *tuple) 117 u_int16_t l3num, struct nf_conntrack_tuple *tuple)
118 { 118 {
119 struct nf_conntrack_l3proto *l3proto; 119 struct nf_conntrack_l3proto *l3proto;
120 struct nf_conntrack_l4proto *l4proto; 120 struct nf_conntrack_l4proto *l4proto;
121 unsigned int protoff; 121 unsigned int protoff;
122 u_int8_t protonum; 122 u_int8_t protonum;
123 int ret; 123 int ret;
124 124
125 rcu_read_lock(); 125 rcu_read_lock();
126 126
127 l3proto = __nf_ct_l3proto_find(l3num); 127 l3proto = __nf_ct_l3proto_find(l3num);
128 ret = l3proto->get_l4proto(skb, nhoff, &protoff, &protonum); 128 ret = l3proto->get_l4proto(skb, nhoff, &protoff, &protonum);
129 if (ret != NF_ACCEPT) { 129 if (ret != NF_ACCEPT) {
130 rcu_read_unlock(); 130 rcu_read_unlock();
131 return false; 131 return false;
132 } 132 }
133 133
134 l4proto = __nf_ct_l4proto_find(l3num, protonum); 134 l4proto = __nf_ct_l4proto_find(l3num, protonum);
135 135
136 ret = nf_ct_get_tuple(skb, nhoff, protoff, l3num, protonum, tuple, 136 ret = nf_ct_get_tuple(skb, nhoff, protoff, l3num, protonum, tuple,
137 l3proto, l4proto); 137 l3proto, l4proto);
138 138
139 rcu_read_unlock(); 139 rcu_read_unlock();
140 return ret; 140 return ret;
141 } 141 }
142 EXPORT_SYMBOL_GPL(nf_ct_get_tuplepr); 142 EXPORT_SYMBOL_GPL(nf_ct_get_tuplepr);
143 143
144 bool 144 bool
145 nf_ct_invert_tuple(struct nf_conntrack_tuple *inverse, 145 nf_ct_invert_tuple(struct nf_conntrack_tuple *inverse,
146 const struct nf_conntrack_tuple *orig, 146 const struct nf_conntrack_tuple *orig,
147 const struct nf_conntrack_l3proto *l3proto, 147 const struct nf_conntrack_l3proto *l3proto,
148 const struct nf_conntrack_l4proto *l4proto) 148 const struct nf_conntrack_l4proto *l4proto)
149 { 149 {
150 memset(inverse, 0, sizeof(*inverse)); 150 memset(inverse, 0, sizeof(*inverse));
151 151
152 inverse->src.l3num = orig->src.l3num; 152 inverse->src.l3num = orig->src.l3num;
153 if (l3proto->invert_tuple(inverse, orig) == 0) 153 if (l3proto->invert_tuple(inverse, orig) == 0)
154 return false; 154 return false;
155 155
156 inverse->dst.dir = !orig->dst.dir; 156 inverse->dst.dir = !orig->dst.dir;
157 157
158 inverse->dst.protonum = orig->dst.protonum; 158 inverse->dst.protonum = orig->dst.protonum;
159 return l4proto->invert_tuple(inverse, orig); 159 return l4proto->invert_tuple(inverse, orig);
160 } 160 }
161 EXPORT_SYMBOL_GPL(nf_ct_invert_tuple); 161 EXPORT_SYMBOL_GPL(nf_ct_invert_tuple);
162 162
163 static void 163 static void
164 clean_from_lists(struct nf_conn *ct) 164 clean_from_lists(struct nf_conn *ct)
165 { 165 {
166 pr_debug("clean_from_lists(%p)\n", ct); 166 pr_debug("clean_from_lists(%p)\n", ct);
167 hlist_nulls_del_rcu(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnnode); 167 hlist_nulls_del_rcu(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnnode);
168 hlist_nulls_del_rcu(&ct->tuplehash[IP_CT_DIR_REPLY].hnnode); 168 hlist_nulls_del_rcu(&ct->tuplehash[IP_CT_DIR_REPLY].hnnode);
169 169
170 /* Destroy all pending expectations */ 170 /* Destroy all pending expectations */
171 nf_ct_remove_expectations(ct); 171 nf_ct_remove_expectations(ct);
172 } 172 }
173 173
174 static void 174 static void
175 destroy_conntrack(struct nf_conntrack *nfct) 175 destroy_conntrack(struct nf_conntrack *nfct)
176 { 176 {
177 struct nf_conn *ct = (struct nf_conn *)nfct; 177 struct nf_conn *ct = (struct nf_conn *)nfct;
178 struct net *net = nf_ct_net(ct); 178 struct net *net = nf_ct_net(ct);
179 struct nf_conntrack_l4proto *l4proto; 179 struct nf_conntrack_l4proto *l4proto;
180 180
181 pr_debug("destroy_conntrack(%p)\n", ct); 181 pr_debug("destroy_conntrack(%p)\n", ct);
182 NF_CT_ASSERT(atomic_read(&nfct->use) == 0); 182 NF_CT_ASSERT(atomic_read(&nfct->use) == 0);
183 NF_CT_ASSERT(!timer_pending(&ct->timeout)); 183 NF_CT_ASSERT(!timer_pending(&ct->timeout));
184 184
185 if (!test_bit(IPS_DYING_BIT, &ct->status)) 185 if (!test_bit(IPS_DYING_BIT, &ct->status))
186 nf_conntrack_event(IPCT_DESTROY, ct); 186 nf_conntrack_event(IPCT_DESTROY, ct);
187 set_bit(IPS_DYING_BIT, &ct->status); 187 set_bit(IPS_DYING_BIT, &ct->status);
188 188
189 /* To make sure we don't get any weird locking issues here: 189 /* To make sure we don't get any weird locking issues here:
190 * destroy_conntrack() MUST NOT be called with a write lock 190 * destroy_conntrack() MUST NOT be called with a write lock
191 * to nf_conntrack_lock!!! -HW */ 191 * to nf_conntrack_lock!!! -HW */
192 rcu_read_lock(); 192 rcu_read_lock();
193 l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct)); 193 l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
194 if (l4proto && l4proto->destroy) 194 if (l4proto && l4proto->destroy)
195 l4proto->destroy(ct); 195 l4proto->destroy(ct);
196 196
197 rcu_read_unlock(); 197 rcu_read_unlock();
198 198
199 spin_lock_bh(&nf_conntrack_lock); 199 spin_lock_bh(&nf_conntrack_lock);
200 /* Expectations will have been removed in clean_from_lists, 200 /* Expectations will have been removed in clean_from_lists,
201 * except TFTP can create an expectation on the first packet, 201 * except TFTP can create an expectation on the first packet,
202 * before connection is in the list, so we need to clean here, 202 * before connection is in the list, so we need to clean here,
203 * too. */ 203 * too. */
204 nf_ct_remove_expectations(ct); 204 nf_ct_remove_expectations(ct);
205 205
206 /* We overload first tuple to link into unconfirmed list. */ 206 /* We overload first tuple to link into unconfirmed list. */
207 if (!nf_ct_is_confirmed(ct)) { 207 if (!nf_ct_is_confirmed(ct)) {
208 BUG_ON(hlist_nulls_unhashed(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnnode)); 208 BUG_ON(hlist_nulls_unhashed(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnnode));
209 hlist_nulls_del_rcu(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnnode); 209 hlist_nulls_del_rcu(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnnode);
210 } 210 }
211 211
212 NF_CT_STAT_INC(net, delete); 212 NF_CT_STAT_INC(net, delete);
213 spin_unlock_bh(&nf_conntrack_lock); 213 spin_unlock_bh(&nf_conntrack_lock);
214 214
215 if (ct->master) 215 if (ct->master)
216 nf_ct_put(ct->master); 216 nf_ct_put(ct->master);
217 217
218 pr_debug("destroy_conntrack: returning ct=%p to slab\n", ct); 218 pr_debug("destroy_conntrack: returning ct=%p to slab\n", ct);
219 nf_conntrack_free(ct); 219 nf_conntrack_free(ct);
220 } 220 }
221 221
222 static void death_by_timeout(unsigned long ul_conntrack) 222 static void death_by_timeout(unsigned long ul_conntrack)
223 { 223 {
224 struct nf_conn *ct = (void *)ul_conntrack; 224 struct nf_conn *ct = (void *)ul_conntrack;
225 struct net *net = nf_ct_net(ct); 225 struct net *net = nf_ct_net(ct);
226 struct nf_conn_help *help = nfct_help(ct); 226 struct nf_conn_help *help = nfct_help(ct);
227 struct nf_conntrack_helper *helper; 227 struct nf_conntrack_helper *helper;
228 228
229 if (help) { 229 if (help) {
230 rcu_read_lock(); 230 rcu_read_lock();
231 helper = rcu_dereference(help->helper); 231 helper = rcu_dereference(help->helper);
232 if (helper && helper->destroy) 232 if (helper && helper->destroy)
233 helper->destroy(ct); 233 helper->destroy(ct);
234 rcu_read_unlock(); 234 rcu_read_unlock();
235 } 235 }
236 236
237 spin_lock_bh(&nf_conntrack_lock); 237 spin_lock_bh(&nf_conntrack_lock);
238 /* Inside lock so preempt is disabled on module removal path. 238 /* Inside lock so preempt is disabled on module removal path.
239 * Otherwise we can get spurious warnings. */ 239 * Otherwise we can get spurious warnings. */
240 NF_CT_STAT_INC(net, delete_list); 240 NF_CT_STAT_INC(net, delete_list);
241 clean_from_lists(ct); 241 clean_from_lists(ct);
242 spin_unlock_bh(&nf_conntrack_lock); 242 spin_unlock_bh(&nf_conntrack_lock);
243 nf_ct_put(ct); 243 nf_ct_put(ct);
244 } 244 }
245 245
246 /* 246 /*
247 * Warning : 247 * Warning :
248 * - Caller must take a reference on returned object 248 * - Caller must take a reference on returned object
249 * and recheck nf_ct_tuple_equal(tuple, &h->tuple) 249 * and recheck nf_ct_tuple_equal(tuple, &h->tuple)
250 * OR 250 * OR
251 * - Caller must lock nf_conntrack_lock before calling this function 251 * - Caller must lock nf_conntrack_lock before calling this function
252 */ 252 */
253 struct nf_conntrack_tuple_hash * 253 struct nf_conntrack_tuple_hash *
254 __nf_conntrack_find(struct net *net, const struct nf_conntrack_tuple *tuple) 254 __nf_conntrack_find(struct net *net, const struct nf_conntrack_tuple *tuple)
255 { 255 {
256 struct nf_conntrack_tuple_hash *h; 256 struct nf_conntrack_tuple_hash *h;
257 struct hlist_nulls_node *n; 257 struct hlist_nulls_node *n;
258 unsigned int hash = hash_conntrack(tuple); 258 unsigned int hash = hash_conntrack(tuple);
259 259
260 /* Disable BHs the entire time since we normally need to disable them 260 /* Disable BHs the entire time since we normally need to disable them
261 * at least once for the stats anyway. 261 * at least once for the stats anyway.
262 */ 262 */
263 local_bh_disable(); 263 local_bh_disable();
264 begin: 264 begin:
265 hlist_nulls_for_each_entry_rcu(h, n, &net->ct.hash[hash], hnnode) { 265 hlist_nulls_for_each_entry_rcu(h, n, &net->ct.hash[hash], hnnode) {
266 if (nf_ct_tuple_equal(tuple, &h->tuple)) { 266 if (nf_ct_tuple_equal(tuple, &h->tuple)) {
267 NF_CT_STAT_INC(net, found); 267 NF_CT_STAT_INC(net, found);
268 local_bh_enable(); 268 local_bh_enable();
269 return h; 269 return h;
270 } 270 }
271 NF_CT_STAT_INC(net, searched); 271 NF_CT_STAT_INC(net, searched);
272 } 272 }
273 /* 273 /*
274 * if the nulls value we got at the end of this lookup is 274 * if the nulls value we got at the end of this lookup is
275 * not the expected one, we must restart lookup. 275 * not the expected one, we must restart lookup.
276 * We probably met an item that was moved to another chain. 276 * We probably met an item that was moved to another chain.
277 */ 277 */
278 if (get_nulls_value(n) != hash) 278 if (get_nulls_value(n) != hash)
279 goto begin; 279 goto begin;
280 local_bh_enable(); 280 local_bh_enable();
281 281
282 return NULL; 282 return NULL;
283 } 283 }
284 EXPORT_SYMBOL_GPL(__nf_conntrack_find); 284 EXPORT_SYMBOL_GPL(__nf_conntrack_find);
285 285
286 /* Find a connection corresponding to a tuple. */ 286 /* Find a connection corresponding to a tuple. */
287 struct nf_conntrack_tuple_hash * 287 struct nf_conntrack_tuple_hash *
288 nf_conntrack_find_get(struct net *net, const struct nf_conntrack_tuple *tuple) 288 nf_conntrack_find_get(struct net *net, const struct nf_conntrack_tuple *tuple)
289 { 289 {
290 struct nf_conntrack_tuple_hash *h; 290 struct nf_conntrack_tuple_hash *h;
291 struct nf_conn *ct; 291 struct nf_conn *ct;
292 292
293 rcu_read_lock(); 293 rcu_read_lock();
294 begin: 294 begin:
295 h = __nf_conntrack_find(net, tuple); 295 h = __nf_conntrack_find(net, tuple);
296 if (h) { 296 if (h) {
297 ct = nf_ct_tuplehash_to_ctrack(h); 297 ct = nf_ct_tuplehash_to_ctrack(h);
298 if (unlikely(!atomic_inc_not_zero(&ct->ct_general.use))) 298 if (unlikely(!atomic_inc_not_zero(&ct->ct_general.use)))
299 h = NULL; 299 h = NULL;
300 else { 300 else {
301 if (unlikely(!nf_ct_tuple_equal(tuple, &h->tuple))) { 301 if (unlikely(!nf_ct_tuple_equal(tuple, &h->tuple))) {
302 nf_ct_put(ct); 302 nf_ct_put(ct);
303 goto begin; 303 goto begin;
304 } 304 }
305 } 305 }
306 } 306 }
307 rcu_read_unlock(); 307 rcu_read_unlock();
308 308
309 return h; 309 return h;
310 } 310 }
311 EXPORT_SYMBOL_GPL(nf_conntrack_find_get); 311 EXPORT_SYMBOL_GPL(nf_conntrack_find_get);
312 312
313 static void __nf_conntrack_hash_insert(struct nf_conn *ct, 313 static void __nf_conntrack_hash_insert(struct nf_conn *ct,
314 unsigned int hash, 314 unsigned int hash,
315 unsigned int repl_hash) 315 unsigned int repl_hash)
316 { 316 {
317 struct net *net = nf_ct_net(ct); 317 struct net *net = nf_ct_net(ct);
318 318
319 hlist_nulls_add_head_rcu(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnnode, 319 hlist_nulls_add_head_rcu(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnnode,
320 &net->ct.hash[hash]); 320 &net->ct.hash[hash]);
321 hlist_nulls_add_head_rcu(&ct->tuplehash[IP_CT_DIR_REPLY].hnnode, 321 hlist_nulls_add_head_rcu(&ct->tuplehash[IP_CT_DIR_REPLY].hnnode,
322 &net->ct.hash[repl_hash]); 322 &net->ct.hash[repl_hash]);
323 } 323 }
324 324
325 void nf_conntrack_hash_insert(struct nf_conn *ct) 325 void nf_conntrack_hash_insert(struct nf_conn *ct)
326 { 326 {
327 unsigned int hash, repl_hash; 327 unsigned int hash, repl_hash;
328 328
329 hash = hash_conntrack(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple); 329 hash = hash_conntrack(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
330 repl_hash = hash_conntrack(&ct->tuplehash[IP_CT_DIR_REPLY].tuple); 330 repl_hash = hash_conntrack(&ct->tuplehash[IP_CT_DIR_REPLY].tuple);
331 331
332 __nf_conntrack_hash_insert(ct, hash, repl_hash); 332 __nf_conntrack_hash_insert(ct, hash, repl_hash);
333 } 333 }
334 EXPORT_SYMBOL_GPL(nf_conntrack_hash_insert); 334 EXPORT_SYMBOL_GPL(nf_conntrack_hash_insert);
335 335
336 /* Confirm a connection given skb; places it in hash table */ 336 /* Confirm a connection given skb; places it in hash table */
337 int 337 int
338 __nf_conntrack_confirm(struct sk_buff *skb) 338 __nf_conntrack_confirm(struct sk_buff *skb)
339 { 339 {
340 unsigned int hash, repl_hash; 340 unsigned int hash, repl_hash;
341 struct nf_conntrack_tuple_hash *h; 341 struct nf_conntrack_tuple_hash *h;
342 struct nf_conn *ct; 342 struct nf_conn *ct;
343 struct nf_conn_help *help; 343 struct nf_conn_help *help;
344 struct hlist_nulls_node *n; 344 struct hlist_nulls_node *n;
345 enum ip_conntrack_info ctinfo; 345 enum ip_conntrack_info ctinfo;
346 struct net *net; 346 struct net *net;
347 347
348 ct = nf_ct_get(skb, &ctinfo); 348 ct = nf_ct_get(skb, &ctinfo);
349 net = nf_ct_net(ct); 349 net = nf_ct_net(ct);
350 350
351 /* ipt_REJECT uses nf_conntrack_attach to attach related 351 /* ipt_REJECT uses nf_conntrack_attach to attach related
352 ICMP/TCP RST packets in other direction. Actual packet 352 ICMP/TCP RST packets in other direction. Actual packet
353 which created connection will be IP_CT_NEW or for an 353 which created connection will be IP_CT_NEW or for an
354 expected connection, IP_CT_RELATED. */ 354 expected connection, IP_CT_RELATED. */
355 if (CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL) 355 if (CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL)
356 return NF_ACCEPT; 356 return NF_ACCEPT;
357 357
358 hash = hash_conntrack(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple); 358 hash = hash_conntrack(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
359 repl_hash = hash_conntrack(&ct->tuplehash[IP_CT_DIR_REPLY].tuple); 359 repl_hash = hash_conntrack(&ct->tuplehash[IP_CT_DIR_REPLY].tuple);
360 360
361 /* We're not in hash table, and we refuse to set up related 361 /* We're not in hash table, and we refuse to set up related
362 connections for unconfirmed conns. But packet copies and 362 connections for unconfirmed conns. But packet copies and
363 REJECT will give spurious warnings here. */ 363 REJECT will give spurious warnings here. */
364 /* NF_CT_ASSERT(atomic_read(&ct->ct_general.use) == 1); */ 364 /* NF_CT_ASSERT(atomic_read(&ct->ct_general.use) == 1); */
365 365
366 /* No external references means noone else could have 366 /* No external references means noone else could have
367 confirmed us. */ 367 confirmed us. */
368 NF_CT_ASSERT(!nf_ct_is_confirmed(ct)); 368 NF_CT_ASSERT(!nf_ct_is_confirmed(ct));
369 pr_debug("Confirming conntrack %p\n", ct); 369 pr_debug("Confirming conntrack %p\n", ct);
370 370
371 spin_lock_bh(&nf_conntrack_lock); 371 spin_lock_bh(&nf_conntrack_lock);
372 372
373 /* See if there's one in the list already, including reverse: 373 /* See if there's one in the list already, including reverse:
374 NAT could have grabbed it without realizing, since we're 374 NAT could have grabbed it without realizing, since we're
375 not in the hash. If there is, we lost race. */ 375 not in the hash. If there is, we lost race. */
376 hlist_nulls_for_each_entry(h, n, &net->ct.hash[hash], hnnode) 376 hlist_nulls_for_each_entry(h, n, &net->ct.hash[hash], hnnode)
377 if (nf_ct_tuple_equal(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple, 377 if (nf_ct_tuple_equal(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
378 &h->tuple)) 378 &h->tuple))
379 goto out; 379 goto out;
380 hlist_nulls_for_each_entry(h, n, &net->ct.hash[repl_hash], hnnode) 380 hlist_nulls_for_each_entry(h, n, &net->ct.hash[repl_hash], hnnode)
381 if (nf_ct_tuple_equal(&ct->tuplehash[IP_CT_DIR_REPLY].tuple, 381 if (nf_ct_tuple_equal(&ct->tuplehash[IP_CT_DIR_REPLY].tuple,
382 &h->tuple)) 382 &h->tuple))
383 goto out; 383 goto out;
384 384
385 /* Remove from unconfirmed list */ 385 /* Remove from unconfirmed list */
386 hlist_nulls_del_rcu(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnnode); 386 hlist_nulls_del_rcu(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnnode);
387 387
388 __nf_conntrack_hash_insert(ct, hash, repl_hash); 388 __nf_conntrack_hash_insert(ct, hash, repl_hash);
389 /* Timer relative to confirmation time, not original 389 /* Timer relative to confirmation time, not original
390 setting time, otherwise we'd get timer wrap in 390 setting time, otherwise we'd get timer wrap in
391 weird delay cases. */ 391 weird delay cases. */
392 ct->timeout.expires += jiffies; 392 ct->timeout.expires += jiffies;
393 add_timer(&ct->timeout); 393 add_timer(&ct->timeout);
394 atomic_inc(&ct->ct_general.use); 394 atomic_inc(&ct->ct_general.use);
395 set_bit(IPS_CONFIRMED_BIT, &ct->status); 395 set_bit(IPS_CONFIRMED_BIT, &ct->status);
396 NF_CT_STAT_INC(net, insert); 396 NF_CT_STAT_INC(net, insert);
397 spin_unlock_bh(&nf_conntrack_lock); 397 spin_unlock_bh(&nf_conntrack_lock);
398 help = nfct_help(ct); 398 help = nfct_help(ct);
399 if (help && help->helper) 399 if (help && help->helper)
400 nf_conntrack_event_cache(IPCT_HELPER, ct); 400 nf_conntrack_event_cache(IPCT_HELPER, ct);
401 401
402 nf_conntrack_event_cache(master_ct(ct) ? 402 nf_conntrack_event_cache(master_ct(ct) ?
403 IPCT_RELATED : IPCT_NEW, ct); 403 IPCT_RELATED : IPCT_NEW, ct);
404 return NF_ACCEPT; 404 return NF_ACCEPT;
405 405
406 out: 406 out:
407 NF_CT_STAT_INC(net, insert_failed); 407 NF_CT_STAT_INC(net, insert_failed);
408 spin_unlock_bh(&nf_conntrack_lock); 408 spin_unlock_bh(&nf_conntrack_lock);
409 return NF_DROP; 409 return NF_DROP;
410 } 410 }
411 EXPORT_SYMBOL_GPL(__nf_conntrack_confirm); 411 EXPORT_SYMBOL_GPL(__nf_conntrack_confirm);
412 412
413 /* Returns true if a connection correspondings to the tuple (required 413 /* Returns true if a connection correspondings to the tuple (required
414 for NAT). */ 414 for NAT). */
415 int 415 int
416 nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple, 416 nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple,
417 const struct nf_conn *ignored_conntrack) 417 const struct nf_conn *ignored_conntrack)
418 { 418 {
419 struct net *net = nf_ct_net(ignored_conntrack); 419 struct net *net = nf_ct_net(ignored_conntrack);
420 struct nf_conntrack_tuple_hash *h; 420 struct nf_conntrack_tuple_hash *h;
421 struct hlist_nulls_node *n; 421 struct hlist_nulls_node *n;
422 unsigned int hash = hash_conntrack(tuple); 422 unsigned int hash = hash_conntrack(tuple);
423 423
424 /* Disable BHs the entire time since we need to disable them at 424 /* Disable BHs the entire time since we need to disable them at
425 * least once for the stats anyway. 425 * least once for the stats anyway.
426 */ 426 */
427 rcu_read_lock_bh(); 427 rcu_read_lock_bh();
428 hlist_nulls_for_each_entry_rcu(h, n, &net->ct.hash[hash], hnnode) { 428 hlist_nulls_for_each_entry_rcu(h, n, &net->ct.hash[hash], hnnode) {
429 if (nf_ct_tuplehash_to_ctrack(h) != ignored_conntrack && 429 if (nf_ct_tuplehash_to_ctrack(h) != ignored_conntrack &&
430 nf_ct_tuple_equal(tuple, &h->tuple)) { 430 nf_ct_tuple_equal(tuple, &h->tuple)) {
431 NF_CT_STAT_INC(net, found); 431 NF_CT_STAT_INC(net, found);
432 rcu_read_unlock_bh(); 432 rcu_read_unlock_bh();
433 return 1; 433 return 1;
434 } 434 }
435 NF_CT_STAT_INC(net, searched); 435 NF_CT_STAT_INC(net, searched);
436 } 436 }
437 rcu_read_unlock_bh(); 437 rcu_read_unlock_bh();
438 438
439 return 0; 439 return 0;
440 } 440 }
441 EXPORT_SYMBOL_GPL(nf_conntrack_tuple_taken); 441 EXPORT_SYMBOL_GPL(nf_conntrack_tuple_taken);
442 442
443 #define NF_CT_EVICTION_RANGE 8 443 #define NF_CT_EVICTION_RANGE 8
444 444
445 /* There's a small race here where we may free a just-assured 445 /* There's a small race here where we may free a just-assured
446 connection. Too bad: we're in trouble anyway. */ 446 connection. Too bad: we're in trouble anyway. */
447 static noinline int early_drop(struct net *net, unsigned int hash) 447 static noinline int early_drop(struct net *net, unsigned int hash)
448 { 448 {
449 /* Use oldest entry, which is roughly LRU */ 449 /* Use oldest entry, which is roughly LRU */
450 struct nf_conntrack_tuple_hash *h; 450 struct nf_conntrack_tuple_hash *h;
451 struct nf_conn *ct = NULL, *tmp; 451 struct nf_conn *ct = NULL, *tmp;
452 struct hlist_nulls_node *n; 452 struct hlist_nulls_node *n;
453 unsigned int i, cnt = 0; 453 unsigned int i, cnt = 0;
454 int dropped = 0; 454 int dropped = 0;
455 455
456 rcu_read_lock(); 456 rcu_read_lock();
457 for (i = 0; i < nf_conntrack_htable_size; i++) { 457 for (i = 0; i < nf_conntrack_htable_size; i++) {
458 hlist_nulls_for_each_entry_rcu(h, n, &net->ct.hash[hash], 458 hlist_nulls_for_each_entry_rcu(h, n, &net->ct.hash[hash],
459 hnnode) { 459 hnnode) {
460 tmp = nf_ct_tuplehash_to_ctrack(h); 460 tmp = nf_ct_tuplehash_to_ctrack(h);
461 if (!test_bit(IPS_ASSURED_BIT, &tmp->status)) 461 if (!test_bit(IPS_ASSURED_BIT, &tmp->status))
462 ct = tmp; 462 ct = tmp;
463 cnt++; 463 cnt++;
464 } 464 }
465 465
466 if (ct && unlikely(!atomic_inc_not_zero(&ct->ct_general.use))) 466 if (ct && unlikely(!atomic_inc_not_zero(&ct->ct_general.use)))
467 ct = NULL; 467 ct = NULL;
468 if (ct || cnt >= NF_CT_EVICTION_RANGE) 468 if (ct || cnt >= NF_CT_EVICTION_RANGE)
469 break; 469 break;
470 hash = (hash + 1) % nf_conntrack_htable_size; 470 hash = (hash + 1) % nf_conntrack_htable_size;
471 } 471 }
472 rcu_read_unlock(); 472 rcu_read_unlock();
473 473
474 if (!ct) 474 if (!ct)
475 return dropped; 475 return dropped;
476 476
477 if (del_timer(&ct->timeout)) { 477 if (del_timer(&ct->timeout)) {
478 death_by_timeout((unsigned long)ct); 478 death_by_timeout((unsigned long)ct);
479 dropped = 1; 479 dropped = 1;
480 NF_CT_STAT_INC_ATOMIC(net, early_drop); 480 NF_CT_STAT_INC_ATOMIC(net, early_drop);
481 } 481 }
482 nf_ct_put(ct); 482 nf_ct_put(ct);
483 return dropped; 483 return dropped;
484 } 484 }
485 485
486 struct nf_conn *nf_conntrack_alloc(struct net *net, 486 struct nf_conn *nf_conntrack_alloc(struct net *net,
487 const struct nf_conntrack_tuple *orig, 487 const struct nf_conntrack_tuple *orig,
488 const struct nf_conntrack_tuple *repl, 488 const struct nf_conntrack_tuple *repl,
489 gfp_t gfp) 489 gfp_t gfp)
490 { 490 {
491 struct nf_conn *ct; 491 struct nf_conn *ct;
492 492
493 if (unlikely(!nf_conntrack_hash_rnd_initted)) { 493 if (unlikely(!nf_conntrack_hash_rnd_initted)) {
494 get_random_bytes(&nf_conntrack_hash_rnd, 494 get_random_bytes(&nf_conntrack_hash_rnd,
495 sizeof(nf_conntrack_hash_rnd)); 495 sizeof(nf_conntrack_hash_rnd));
496 nf_conntrack_hash_rnd_initted = 1; 496 nf_conntrack_hash_rnd_initted = 1;
497 } 497 }
498 498
499 /* We don't want any race condition at early drop stage */ 499 /* We don't want any race condition at early drop stage */
500 atomic_inc(&net->ct.count); 500 atomic_inc(&net->ct.count);
501 501
502 if (nf_conntrack_max && 502 if (nf_conntrack_max &&
503 unlikely(atomic_read(&net->ct.count) > nf_conntrack_max)) { 503 unlikely(atomic_read(&net->ct.count) > nf_conntrack_max)) {
504 unsigned int hash = hash_conntrack(orig); 504 unsigned int hash = hash_conntrack(orig);
505 if (!early_drop(net, hash)) { 505 if (!early_drop(net, hash)) {
506 atomic_dec(&net->ct.count); 506 atomic_dec(&net->ct.count);
507 if (net_ratelimit()) 507 if (net_ratelimit())
508 printk(KERN_WARNING 508 printk(KERN_WARNING
509 "nf_conntrack: table full, dropping" 509 "nf_conntrack: table full, dropping"
510 " packet.\n"); 510 " packet.\n");
511 return ERR_PTR(-ENOMEM); 511 return ERR_PTR(-ENOMEM);
512 } 512 }
513 } 513 }
514 514
515 ct = kmem_cache_zalloc(nf_conntrack_cachep, gfp); 515 ct = kmem_cache_zalloc(nf_conntrack_cachep, gfp);
516 if (ct == NULL) { 516 if (ct == NULL) {
517 pr_debug("nf_conntrack_alloc: Can't alloc conntrack.\n"); 517 pr_debug("nf_conntrack_alloc: Can't alloc conntrack.\n");
518 atomic_dec(&net->ct.count); 518 atomic_dec(&net->ct.count);
519 return ERR_PTR(-ENOMEM); 519 return ERR_PTR(-ENOMEM);
520 } 520 }
521 521
522 spin_lock_init(&ct->lock);
522 atomic_set(&ct->ct_general.use, 1); 523 atomic_set(&ct->ct_general.use, 1);
523 ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple = *orig; 524 ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple = *orig;
524 ct->tuplehash[IP_CT_DIR_REPLY].tuple = *repl; 525 ct->tuplehash[IP_CT_DIR_REPLY].tuple = *repl;
525 /* Don't set timer yet: wait for confirmation */ 526 /* Don't set timer yet: wait for confirmation */
526 setup_timer(&ct->timeout, death_by_timeout, (unsigned long)ct); 527 setup_timer(&ct->timeout, death_by_timeout, (unsigned long)ct);
527 #ifdef CONFIG_NET_NS 528 #ifdef CONFIG_NET_NS
528 ct->ct_net = net; 529 ct->ct_net = net;
529 #endif 530 #endif
530 531
531 return ct; 532 return ct;
532 } 533 }
533 EXPORT_SYMBOL_GPL(nf_conntrack_alloc); 534 EXPORT_SYMBOL_GPL(nf_conntrack_alloc);
534 535
535 void nf_conntrack_free(struct nf_conn *ct) 536 void nf_conntrack_free(struct nf_conn *ct)
536 { 537 {
537 struct net *net = nf_ct_net(ct); 538 struct net *net = nf_ct_net(ct);
538 539
539 nf_ct_ext_destroy(ct); 540 nf_ct_ext_destroy(ct);
540 atomic_dec(&net->ct.count); 541 atomic_dec(&net->ct.count);
541 nf_ct_ext_free(ct); 542 nf_ct_ext_free(ct);
542 kmem_cache_free(nf_conntrack_cachep, ct); 543 kmem_cache_free(nf_conntrack_cachep, ct);
543 } 544 }
544 EXPORT_SYMBOL_GPL(nf_conntrack_free); 545 EXPORT_SYMBOL_GPL(nf_conntrack_free);
545 546
546 /* Allocate a new conntrack: we return -ENOMEM if classification 547 /* Allocate a new conntrack: we return -ENOMEM if classification
547 failed due to stress. Otherwise it really is unclassifiable. */ 548 failed due to stress. Otherwise it really is unclassifiable. */
548 static struct nf_conntrack_tuple_hash * 549 static struct nf_conntrack_tuple_hash *
549 init_conntrack(struct net *net, 550 init_conntrack(struct net *net,
550 const struct nf_conntrack_tuple *tuple, 551 const struct nf_conntrack_tuple *tuple,
551 struct nf_conntrack_l3proto *l3proto, 552 struct nf_conntrack_l3proto *l3proto,
552 struct nf_conntrack_l4proto *l4proto, 553 struct nf_conntrack_l4proto *l4proto,
553 struct sk_buff *skb, 554 struct sk_buff *skb,
554 unsigned int dataoff) 555 unsigned int dataoff)
555 { 556 {
556 struct nf_conn *ct; 557 struct nf_conn *ct;
557 struct nf_conn_help *help; 558 struct nf_conn_help *help;
558 struct nf_conntrack_tuple repl_tuple; 559 struct nf_conntrack_tuple repl_tuple;
559 struct nf_conntrack_expect *exp; 560 struct nf_conntrack_expect *exp;
560 561
561 if (!nf_ct_invert_tuple(&repl_tuple, tuple, l3proto, l4proto)) { 562 if (!nf_ct_invert_tuple(&repl_tuple, tuple, l3proto, l4proto)) {
562 pr_debug("Can't invert tuple.\n"); 563 pr_debug("Can't invert tuple.\n");
563 return NULL; 564 return NULL;
564 } 565 }
565 566
566 ct = nf_conntrack_alloc(net, tuple, &repl_tuple, GFP_ATOMIC); 567 ct = nf_conntrack_alloc(net, tuple, &repl_tuple, GFP_ATOMIC);
567 if (IS_ERR(ct)) { 568 if (IS_ERR(ct)) {
568 pr_debug("Can't allocate conntrack.\n"); 569 pr_debug("Can't allocate conntrack.\n");
569 return (struct nf_conntrack_tuple_hash *)ct; 570 return (struct nf_conntrack_tuple_hash *)ct;
570 } 571 }
571 572
572 if (!l4proto->new(ct, skb, dataoff)) { 573 if (!l4proto->new(ct, skb, dataoff)) {
573 nf_conntrack_free(ct); 574 nf_conntrack_free(ct);
574 pr_debug("init conntrack: can't track with proto module\n"); 575 pr_debug("init conntrack: can't track with proto module\n");
575 return NULL; 576 return NULL;
576 } 577 }
577 578
578 nf_ct_acct_ext_add(ct, GFP_ATOMIC); 579 nf_ct_acct_ext_add(ct, GFP_ATOMIC);
579 580
580 spin_lock_bh(&nf_conntrack_lock); 581 spin_lock_bh(&nf_conntrack_lock);
581 exp = nf_ct_find_expectation(net, tuple); 582 exp = nf_ct_find_expectation(net, tuple);
582 if (exp) { 583 if (exp) {
583 pr_debug("conntrack: expectation arrives ct=%p exp=%p\n", 584 pr_debug("conntrack: expectation arrives ct=%p exp=%p\n",
584 ct, exp); 585 ct, exp);
585 /* Welcome, Mr. Bond. We've been expecting you... */ 586 /* Welcome, Mr. Bond. We've been expecting you... */
586 __set_bit(IPS_EXPECTED_BIT, &ct->status); 587 __set_bit(IPS_EXPECTED_BIT, &ct->status);
587 ct->master = exp->master; 588 ct->master = exp->master;
588 if (exp->helper) { 589 if (exp->helper) {
589 help = nf_ct_helper_ext_add(ct, GFP_ATOMIC); 590 help = nf_ct_helper_ext_add(ct, GFP_ATOMIC);
590 if (help) 591 if (help)
591 rcu_assign_pointer(help->helper, exp->helper); 592 rcu_assign_pointer(help->helper, exp->helper);
592 } 593 }
593 594
594 #ifdef CONFIG_NF_CONNTRACK_MARK 595 #ifdef CONFIG_NF_CONNTRACK_MARK
595 ct->mark = exp->master->mark; 596 ct->mark = exp->master->mark;
596 #endif 597 #endif
597 #ifdef CONFIG_NF_CONNTRACK_SECMARK 598 #ifdef CONFIG_NF_CONNTRACK_SECMARK
598 ct->secmark = exp->master->secmark; 599 ct->secmark = exp->master->secmark;
599 #endif 600 #endif
600 nf_conntrack_get(&ct->master->ct_general); 601 nf_conntrack_get(&ct->master->ct_general);
601 NF_CT_STAT_INC(net, expect_new); 602 NF_CT_STAT_INC(net, expect_new);
602 } else { 603 } else {
603 __nf_ct_try_assign_helper(ct, GFP_ATOMIC); 604 __nf_ct_try_assign_helper(ct, GFP_ATOMIC);
604 NF_CT_STAT_INC(net, new); 605 NF_CT_STAT_INC(net, new);
605 } 606 }
606 607
607 /* Overload tuple linked list to put us in unconfirmed list. */ 608 /* Overload tuple linked list to put us in unconfirmed list. */
608 hlist_nulls_add_head_rcu(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnnode, 609 hlist_nulls_add_head_rcu(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnnode,
609 &net->ct.unconfirmed); 610 &net->ct.unconfirmed);
610 611
611 spin_unlock_bh(&nf_conntrack_lock); 612 spin_unlock_bh(&nf_conntrack_lock);
612 613
613 if (exp) { 614 if (exp) {
614 if (exp->expectfn) 615 if (exp->expectfn)
615 exp->expectfn(ct, exp); 616 exp->expectfn(ct, exp);
616 nf_ct_expect_put(exp); 617 nf_ct_expect_put(exp);
617 } 618 }
618 619
619 return &ct->tuplehash[IP_CT_DIR_ORIGINAL]; 620 return &ct->tuplehash[IP_CT_DIR_ORIGINAL];
620 } 621 }
621 622
622 /* On success, returns conntrack ptr, sets skb->nfct and ctinfo */ 623 /* On success, returns conntrack ptr, sets skb->nfct and ctinfo */
623 static inline struct nf_conn * 624 static inline struct nf_conn *
624 resolve_normal_ct(struct net *net, 625 resolve_normal_ct(struct net *net,
625 struct sk_buff *skb, 626 struct sk_buff *skb,
626 unsigned int dataoff, 627 unsigned int dataoff,
627 u_int16_t l3num, 628 u_int16_t l3num,
628 u_int8_t protonum, 629 u_int8_t protonum,
629 struct nf_conntrack_l3proto *l3proto, 630 struct nf_conntrack_l3proto *l3proto,
630 struct nf_conntrack_l4proto *l4proto, 631 struct nf_conntrack_l4proto *l4proto,
631 int *set_reply, 632 int *set_reply,
632 enum ip_conntrack_info *ctinfo) 633 enum ip_conntrack_info *ctinfo)
633 { 634 {
634 struct nf_conntrack_tuple tuple; 635 struct nf_conntrack_tuple tuple;
635 struct nf_conntrack_tuple_hash *h; 636 struct nf_conntrack_tuple_hash *h;
636 struct nf_conn *ct; 637 struct nf_conn *ct;
637 638
638 if (!nf_ct_get_tuple(skb, skb_network_offset(skb), 639 if (!nf_ct_get_tuple(skb, skb_network_offset(skb),
639 dataoff, l3num, protonum, &tuple, l3proto, 640 dataoff, l3num, protonum, &tuple, l3proto,
640 l4proto)) { 641 l4proto)) {
641 pr_debug("resolve_normal_ct: Can't get tuple\n"); 642 pr_debug("resolve_normal_ct: Can't get tuple\n");
642 return NULL; 643 return NULL;
643 } 644 }
644 645
645 /* look for tuple match */ 646 /* look for tuple match */
646 h = nf_conntrack_find_get(net, &tuple); 647 h = nf_conntrack_find_get(net, &tuple);
647 if (!h) { 648 if (!h) {
648 h = init_conntrack(net, &tuple, l3proto, l4proto, skb, dataoff); 649 h = init_conntrack(net, &tuple, l3proto, l4proto, skb, dataoff);
649 if (!h) 650 if (!h)
650 return NULL; 651 return NULL;
651 if (IS_ERR(h)) 652 if (IS_ERR(h))
652 return (void *)h; 653 return (void *)h;
653 } 654 }
654 ct = nf_ct_tuplehash_to_ctrack(h); 655 ct = nf_ct_tuplehash_to_ctrack(h);
655 656
656 /* It exists; we have (non-exclusive) reference. */ 657 /* It exists; we have (non-exclusive) reference. */
657 if (NF_CT_DIRECTION(h) == IP_CT_DIR_REPLY) { 658 if (NF_CT_DIRECTION(h) == IP_CT_DIR_REPLY) {
658 *ctinfo = IP_CT_ESTABLISHED + IP_CT_IS_REPLY; 659 *ctinfo = IP_CT_ESTABLISHED + IP_CT_IS_REPLY;
659 /* Please set reply bit if this packet OK */ 660 /* Please set reply bit if this packet OK */
660 *set_reply = 1; 661 *set_reply = 1;
661 } else { 662 } else {
662 /* Once we've had two way comms, always ESTABLISHED. */ 663 /* Once we've had two way comms, always ESTABLISHED. */
663 if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) { 664 if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
664 pr_debug("nf_conntrack_in: normal packet for %p\n", ct); 665 pr_debug("nf_conntrack_in: normal packet for %p\n", ct);
665 *ctinfo = IP_CT_ESTABLISHED; 666 *ctinfo = IP_CT_ESTABLISHED;
666 } else if (test_bit(IPS_EXPECTED_BIT, &ct->status)) { 667 } else if (test_bit(IPS_EXPECTED_BIT, &ct->status)) {
667 pr_debug("nf_conntrack_in: related packet for %p\n", 668 pr_debug("nf_conntrack_in: related packet for %p\n",
668 ct); 669 ct);
669 *ctinfo = IP_CT_RELATED; 670 *ctinfo = IP_CT_RELATED;
670 } else { 671 } else {
671 pr_debug("nf_conntrack_in: new packet for %p\n", ct); 672 pr_debug("nf_conntrack_in: new packet for %p\n", ct);
672 *ctinfo = IP_CT_NEW; 673 *ctinfo = IP_CT_NEW;
673 } 674 }
674 *set_reply = 0; 675 *set_reply = 0;
675 } 676 }
676 skb->nfct = &ct->ct_general; 677 skb->nfct = &ct->ct_general;
677 skb->nfctinfo = *ctinfo; 678 skb->nfctinfo = *ctinfo;
678 return ct; 679 return ct;
679 } 680 }
680 681
681 unsigned int 682 unsigned int
682 nf_conntrack_in(struct net *net, u_int8_t pf, unsigned int hooknum, 683 nf_conntrack_in(struct net *net, u_int8_t pf, unsigned int hooknum,
683 struct sk_buff *skb) 684 struct sk_buff *skb)
684 { 685 {
685 struct nf_conn *ct; 686 struct nf_conn *ct;
686 enum ip_conntrack_info ctinfo; 687 enum ip_conntrack_info ctinfo;
687 struct nf_conntrack_l3proto *l3proto; 688 struct nf_conntrack_l3proto *l3proto;
688 struct nf_conntrack_l4proto *l4proto; 689 struct nf_conntrack_l4proto *l4proto;
689 unsigned int dataoff; 690 unsigned int dataoff;
690 u_int8_t protonum; 691 u_int8_t protonum;
691 int set_reply = 0; 692 int set_reply = 0;
692 int ret; 693 int ret;
693 694
694 /* Previously seen (loopback or untracked)? Ignore. */ 695 /* Previously seen (loopback or untracked)? Ignore. */
695 if (skb->nfct) { 696 if (skb->nfct) {
696 NF_CT_STAT_INC_ATOMIC(net, ignore); 697 NF_CT_STAT_INC_ATOMIC(net, ignore);
697 return NF_ACCEPT; 698 return NF_ACCEPT;
698 } 699 }
699 700
700 /* rcu_read_lock()ed by nf_hook_slow */ 701 /* rcu_read_lock()ed by nf_hook_slow */
701 l3proto = __nf_ct_l3proto_find(pf); 702 l3proto = __nf_ct_l3proto_find(pf);
702 ret = l3proto->get_l4proto(skb, skb_network_offset(skb), 703 ret = l3proto->get_l4proto(skb, skb_network_offset(skb),
703 &dataoff, &protonum); 704 &dataoff, &protonum);
704 if (ret <= 0) { 705 if (ret <= 0) {
705 pr_debug("not prepared to track yet or error occured\n"); 706 pr_debug("not prepared to track yet or error occured\n");
706 NF_CT_STAT_INC_ATOMIC(net, error); 707 NF_CT_STAT_INC_ATOMIC(net, error);
707 NF_CT_STAT_INC_ATOMIC(net, invalid); 708 NF_CT_STAT_INC_ATOMIC(net, invalid);
708 return -ret; 709 return -ret;
709 } 710 }
710 711
711 l4proto = __nf_ct_l4proto_find(pf, protonum); 712 l4proto = __nf_ct_l4proto_find(pf, protonum);
712 713
713 /* It may be an special packet, error, unclean... 714 /* It may be an special packet, error, unclean...
714 * inverse of the return code tells to the netfilter 715 * inverse of the return code tells to the netfilter
715 * core what to do with the packet. */ 716 * core what to do with the packet. */
716 if (l4proto->error != NULL) { 717 if (l4proto->error != NULL) {
717 ret = l4proto->error(net, skb, dataoff, &ctinfo, pf, hooknum); 718 ret = l4proto->error(net, skb, dataoff, &ctinfo, pf, hooknum);
718 if (ret <= 0) { 719 if (ret <= 0) {
719 NF_CT_STAT_INC_ATOMIC(net, error); 720 NF_CT_STAT_INC_ATOMIC(net, error);
720 NF_CT_STAT_INC_ATOMIC(net, invalid); 721 NF_CT_STAT_INC_ATOMIC(net, invalid);
721 return -ret; 722 return -ret;
722 } 723 }
723 } 724 }
724 725
725 ct = resolve_normal_ct(net, skb, dataoff, pf, protonum, 726 ct = resolve_normal_ct(net, skb, dataoff, pf, protonum,
726 l3proto, l4proto, &set_reply, &ctinfo); 727 l3proto, l4proto, &set_reply, &ctinfo);
727 if (!ct) { 728 if (!ct) {
728 /* Not valid part of a connection */ 729 /* Not valid part of a connection */
729 NF_CT_STAT_INC_ATOMIC(net, invalid); 730 NF_CT_STAT_INC_ATOMIC(net, invalid);
730 return NF_ACCEPT; 731 return NF_ACCEPT;
731 } 732 }
732 733
733 if (IS_ERR(ct)) { 734 if (IS_ERR(ct)) {
734 /* Too stressed to deal. */ 735 /* Too stressed to deal. */
735 NF_CT_STAT_INC_ATOMIC(net, drop); 736 NF_CT_STAT_INC_ATOMIC(net, drop);
736 return NF_DROP; 737 return NF_DROP;
737 } 738 }
738 739
739 NF_CT_ASSERT(skb->nfct); 740 NF_CT_ASSERT(skb->nfct);
740 741
741 ret = l4proto->packet(ct, skb, dataoff, ctinfo, pf, hooknum); 742 ret = l4proto->packet(ct, skb, dataoff, ctinfo, pf, hooknum);
742 if (ret <= 0) { 743 if (ret <= 0) {
743 /* Invalid: inverse of the return code tells 744 /* Invalid: inverse of the return code tells
744 * the netfilter core what to do */ 745 * the netfilter core what to do */
745 pr_debug("nf_conntrack_in: Can't track with proto module\n"); 746 pr_debug("nf_conntrack_in: Can't track with proto module\n");
746 nf_conntrack_put(skb->nfct); 747 nf_conntrack_put(skb->nfct);
747 skb->nfct = NULL; 748 skb->nfct = NULL;
748 NF_CT_STAT_INC_ATOMIC(net, invalid); 749 NF_CT_STAT_INC_ATOMIC(net, invalid);
749 if (ret == -NF_DROP) 750 if (ret == -NF_DROP)
750 NF_CT_STAT_INC_ATOMIC(net, drop); 751 NF_CT_STAT_INC_ATOMIC(net, drop);
751 return -ret; 752 return -ret;
752 } 753 }
753 754
754 if (set_reply && !test_and_set_bit(IPS_SEEN_REPLY_BIT, &ct->status)) 755 if (set_reply && !test_and_set_bit(IPS_SEEN_REPLY_BIT, &ct->status))
755 nf_conntrack_event_cache(IPCT_STATUS, ct); 756 nf_conntrack_event_cache(IPCT_STATUS, ct);
756 757
757 return ret; 758 return ret;
758 } 759 }
759 EXPORT_SYMBOL_GPL(nf_conntrack_in); 760 EXPORT_SYMBOL_GPL(nf_conntrack_in);
760 761
761 bool nf_ct_invert_tuplepr(struct nf_conntrack_tuple *inverse, 762 bool nf_ct_invert_tuplepr(struct nf_conntrack_tuple *inverse,
762 const struct nf_conntrack_tuple *orig) 763 const struct nf_conntrack_tuple *orig)
763 { 764 {
764 bool ret; 765 bool ret;
765 766
766 rcu_read_lock(); 767 rcu_read_lock();
767 ret = nf_ct_invert_tuple(inverse, orig, 768 ret = nf_ct_invert_tuple(inverse, orig,
768 __nf_ct_l3proto_find(orig->src.l3num), 769 __nf_ct_l3proto_find(orig->src.l3num),
769 __nf_ct_l4proto_find(orig->src.l3num, 770 __nf_ct_l4proto_find(orig->src.l3num,
770 orig->dst.protonum)); 771 orig->dst.protonum));
771 rcu_read_unlock(); 772 rcu_read_unlock();
772 return ret; 773 return ret;
773 } 774 }
774 EXPORT_SYMBOL_GPL(nf_ct_invert_tuplepr); 775 EXPORT_SYMBOL_GPL(nf_ct_invert_tuplepr);
775 776
776 /* Alter reply tuple (maybe alter helper). This is for NAT, and is 777 /* Alter reply tuple (maybe alter helper). This is for NAT, and is
777 implicitly racy: see __nf_conntrack_confirm */ 778 implicitly racy: see __nf_conntrack_confirm */
778 void nf_conntrack_alter_reply(struct nf_conn *ct, 779 void nf_conntrack_alter_reply(struct nf_conn *ct,
779 const struct nf_conntrack_tuple *newreply) 780 const struct nf_conntrack_tuple *newreply)
780 { 781 {
781 struct nf_conn_help *help = nfct_help(ct); 782 struct nf_conn_help *help = nfct_help(ct);
782 783
783 /* Should be unconfirmed, so not in hash table yet */ 784 /* Should be unconfirmed, so not in hash table yet */
784 NF_CT_ASSERT(!nf_ct_is_confirmed(ct)); 785 NF_CT_ASSERT(!nf_ct_is_confirmed(ct));
785 786
786 pr_debug("Altering reply tuple of %p to ", ct); 787 pr_debug("Altering reply tuple of %p to ", ct);
787 nf_ct_dump_tuple(newreply); 788 nf_ct_dump_tuple(newreply);
788 789
789 ct->tuplehash[IP_CT_DIR_REPLY].tuple = *newreply; 790 ct->tuplehash[IP_CT_DIR_REPLY].tuple = *newreply;
790 if (ct->master || (help && !hlist_empty(&help->expectations))) 791 if (ct->master || (help && !hlist_empty(&help->expectations)))
791 return; 792 return;
792 793
793 rcu_read_lock(); 794 rcu_read_lock();
794 __nf_ct_try_assign_helper(ct, GFP_ATOMIC); 795 __nf_ct_try_assign_helper(ct, GFP_ATOMIC);
795 rcu_read_unlock(); 796 rcu_read_unlock();
796 } 797 }
797 EXPORT_SYMBOL_GPL(nf_conntrack_alter_reply); 798 EXPORT_SYMBOL_GPL(nf_conntrack_alter_reply);
798 799
799 /* Refresh conntrack for this many jiffies and do accounting if do_acct is 1 */ 800 /* Refresh conntrack for this many jiffies and do accounting if do_acct is 1 */
800 void __nf_ct_refresh_acct(struct nf_conn *ct, 801 void __nf_ct_refresh_acct(struct nf_conn *ct,
801 enum ip_conntrack_info ctinfo, 802 enum ip_conntrack_info ctinfo,
802 const struct sk_buff *skb, 803 const struct sk_buff *skb,
803 unsigned long extra_jiffies, 804 unsigned long extra_jiffies,
804 int do_acct) 805 int do_acct)
805 { 806 {
806 NF_CT_ASSERT(ct->timeout.data == (unsigned long)ct); 807 NF_CT_ASSERT(ct->timeout.data == (unsigned long)ct);
807 NF_CT_ASSERT(skb); 808 NF_CT_ASSERT(skb);
808 809
809 spin_lock_bh(&nf_conntrack_lock); 810 spin_lock_bh(&nf_conntrack_lock);
810 811
811 /* Only update if this is not a fixed timeout */ 812 /* Only update if this is not a fixed timeout */
812 if (test_bit(IPS_FIXED_TIMEOUT_BIT, &ct->status)) 813 if (test_bit(IPS_FIXED_TIMEOUT_BIT, &ct->status))
813 goto acct; 814 goto acct;
814 815
815 /* If not in hash table, timer will not be active yet */ 816 /* If not in hash table, timer will not be active yet */
816 if (!nf_ct_is_confirmed(ct)) { 817 if (!nf_ct_is_confirmed(ct)) {
817 ct->timeout.expires = extra_jiffies; 818 ct->timeout.expires = extra_jiffies;
818 } else { 819 } else {
819 unsigned long newtime = jiffies + extra_jiffies; 820 unsigned long newtime = jiffies + extra_jiffies;
820 821
821 /* Only update the timeout if the new timeout is at least 822 /* Only update the timeout if the new timeout is at least
822 HZ jiffies from the old timeout. Need del_timer for race 823 HZ jiffies from the old timeout. Need del_timer for race
823 avoidance (may already be dying). */ 824 avoidance (may already be dying). */
824 if (newtime - ct->timeout.expires >= HZ 825 if (newtime - ct->timeout.expires >= HZ
825 && del_timer(&ct->timeout)) { 826 && del_timer(&ct->timeout)) {
826 ct->timeout.expires = newtime; 827 ct->timeout.expires = newtime;
827 add_timer(&ct->timeout); 828 add_timer(&ct->timeout);
828 } 829 }
829 } 830 }
830 831
831 acct: 832 acct:
832 if (do_acct) { 833 if (do_acct) {
833 struct nf_conn_counter *acct; 834 struct nf_conn_counter *acct;
834 835
835 acct = nf_conn_acct_find(ct); 836 acct = nf_conn_acct_find(ct);
836 if (acct) { 837 if (acct) {
837 acct[CTINFO2DIR(ctinfo)].packets++; 838 acct[CTINFO2DIR(ctinfo)].packets++;
838 acct[CTINFO2DIR(ctinfo)].bytes += 839 acct[CTINFO2DIR(ctinfo)].bytes +=
839 skb->len - skb_network_offset(skb); 840 skb->len - skb_network_offset(skb);
840 } 841 }
841 } 842 }
842 843
843 spin_unlock_bh(&nf_conntrack_lock); 844 spin_unlock_bh(&nf_conntrack_lock);
844 } 845 }
845 EXPORT_SYMBOL_GPL(__nf_ct_refresh_acct); 846 EXPORT_SYMBOL_GPL(__nf_ct_refresh_acct);
846 847
847 bool __nf_ct_kill_acct(struct nf_conn *ct, 848 bool __nf_ct_kill_acct(struct nf_conn *ct,
848 enum ip_conntrack_info ctinfo, 849 enum ip_conntrack_info ctinfo,
849 const struct sk_buff *skb, 850 const struct sk_buff *skb,
850 int do_acct) 851 int do_acct)
851 { 852 {
852 if (do_acct) { 853 if (do_acct) {
853 struct nf_conn_counter *acct; 854 struct nf_conn_counter *acct;
854 855
855 spin_lock_bh(&nf_conntrack_lock); 856 spin_lock_bh(&nf_conntrack_lock);
856 acct = nf_conn_acct_find(ct); 857 acct = nf_conn_acct_find(ct);
857 if (acct) { 858 if (acct) {
858 acct[CTINFO2DIR(ctinfo)].packets++; 859 acct[CTINFO2DIR(ctinfo)].packets++;
859 acct[CTINFO2DIR(ctinfo)].bytes += 860 acct[CTINFO2DIR(ctinfo)].bytes +=
860 skb->len - skb_network_offset(skb); 861 skb->len - skb_network_offset(skb);
861 } 862 }
862 spin_unlock_bh(&nf_conntrack_lock); 863 spin_unlock_bh(&nf_conntrack_lock);
863 } 864 }
864 865
865 if (del_timer(&ct->timeout)) { 866 if (del_timer(&ct->timeout)) {
866 ct->timeout.function((unsigned long)ct); 867 ct->timeout.function((unsigned long)ct);
867 return true; 868 return true;
868 } 869 }
869 return false; 870 return false;
870 } 871 }
871 EXPORT_SYMBOL_GPL(__nf_ct_kill_acct); 872 EXPORT_SYMBOL_GPL(__nf_ct_kill_acct);
872 873
873 #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) 874 #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
874 875
875 #include <linux/netfilter/nfnetlink.h> 876 #include <linux/netfilter/nfnetlink.h>
876 #include <linux/netfilter/nfnetlink_conntrack.h> 877 #include <linux/netfilter/nfnetlink_conntrack.h>
877 #include <linux/mutex.h> 878 #include <linux/mutex.h>
878 879
879 /* Generic function for tcp/udp/sctp/dccp and alike. This needs to be 880 /* Generic function for tcp/udp/sctp/dccp and alike. This needs to be
880 * in ip_conntrack_core, since we don't want the protocols to autoload 881 * in ip_conntrack_core, since we don't want the protocols to autoload
881 * or depend on ctnetlink */ 882 * or depend on ctnetlink */
882 int nf_ct_port_tuple_to_nlattr(struct sk_buff *skb, 883 int nf_ct_port_tuple_to_nlattr(struct sk_buff *skb,
883 const struct nf_conntrack_tuple *tuple) 884 const struct nf_conntrack_tuple *tuple)
884 { 885 {
885 NLA_PUT_BE16(skb, CTA_PROTO_SRC_PORT, tuple->src.u.tcp.port); 886 NLA_PUT_BE16(skb, CTA_PROTO_SRC_PORT, tuple->src.u.tcp.port);
886 NLA_PUT_BE16(skb, CTA_PROTO_DST_PORT, tuple->dst.u.tcp.port); 887 NLA_PUT_BE16(skb, CTA_PROTO_DST_PORT, tuple->dst.u.tcp.port);
887 return 0; 888 return 0;
888 889
889 nla_put_failure: 890 nla_put_failure:
890 return -1; 891 return -1;
891 } 892 }
892 EXPORT_SYMBOL_GPL(nf_ct_port_tuple_to_nlattr); 893 EXPORT_SYMBOL_GPL(nf_ct_port_tuple_to_nlattr);
893 894
894 const struct nla_policy nf_ct_port_nla_policy[CTA_PROTO_MAX+1] = { 895 const struct nla_policy nf_ct_port_nla_policy[CTA_PROTO_MAX+1] = {
895 [CTA_PROTO_SRC_PORT] = { .type = NLA_U16 }, 896 [CTA_PROTO_SRC_PORT] = { .type = NLA_U16 },
896 [CTA_PROTO_DST_PORT] = { .type = NLA_U16 }, 897 [CTA_PROTO_DST_PORT] = { .type = NLA_U16 },
897 }; 898 };
898 EXPORT_SYMBOL_GPL(nf_ct_port_nla_policy); 899 EXPORT_SYMBOL_GPL(nf_ct_port_nla_policy);
899 900
900 int nf_ct_port_nlattr_to_tuple(struct nlattr *tb[], 901 int nf_ct_port_nlattr_to_tuple(struct nlattr *tb[],
901 struct nf_conntrack_tuple *t) 902 struct nf_conntrack_tuple *t)
902 { 903 {
903 if (!tb[CTA_PROTO_SRC_PORT] || !tb[CTA_PROTO_DST_PORT]) 904 if (!tb[CTA_PROTO_SRC_PORT] || !tb[CTA_PROTO_DST_PORT])
904 return -EINVAL; 905 return -EINVAL;
905 906
906 t->src.u.tcp.port = nla_get_be16(tb[CTA_PROTO_SRC_PORT]); 907 t->src.u.tcp.port = nla_get_be16(tb[CTA_PROTO_SRC_PORT]);
907 t->dst.u.tcp.port = nla_get_be16(tb[CTA_PROTO_DST_PORT]); 908 t->dst.u.tcp.port = nla_get_be16(tb[CTA_PROTO_DST_PORT]);
908 909
909 return 0; 910 return 0;
910 } 911 }
911 EXPORT_SYMBOL_GPL(nf_ct_port_nlattr_to_tuple); 912 EXPORT_SYMBOL_GPL(nf_ct_port_nlattr_to_tuple);
912 913
913 int nf_ct_port_nlattr_tuple_size(void) 914 int nf_ct_port_nlattr_tuple_size(void)
914 { 915 {
915 return nla_policy_len(nf_ct_port_nla_policy, CTA_PROTO_MAX + 1); 916 return nla_policy_len(nf_ct_port_nla_policy, CTA_PROTO_MAX + 1);
916 } 917 }
917 EXPORT_SYMBOL_GPL(nf_ct_port_nlattr_tuple_size); 918 EXPORT_SYMBOL_GPL(nf_ct_port_nlattr_tuple_size);
918 #endif 919 #endif
919 920
920 /* Used by ipt_REJECT and ip6t_REJECT. */ 921 /* Used by ipt_REJECT and ip6t_REJECT. */
921 static void nf_conntrack_attach(struct sk_buff *nskb, struct sk_buff *skb) 922 static void nf_conntrack_attach(struct sk_buff *nskb, struct sk_buff *skb)
922 { 923 {
923 struct nf_conn *ct; 924 struct nf_conn *ct;
924 enum ip_conntrack_info ctinfo; 925 enum ip_conntrack_info ctinfo;
925 926
926 /* This ICMP is in reverse direction to the packet which caused it */ 927 /* This ICMP is in reverse direction to the packet which caused it */
927 ct = nf_ct_get(skb, &ctinfo); 928 ct = nf_ct_get(skb, &ctinfo);
928 if (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL) 929 if (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL)
929 ctinfo = IP_CT_RELATED + IP_CT_IS_REPLY; 930 ctinfo = IP_CT_RELATED + IP_CT_IS_REPLY;
930 else 931 else
931 ctinfo = IP_CT_RELATED; 932 ctinfo = IP_CT_RELATED;
932 933
933 /* Attach to new skbuff, and increment count */ 934 /* Attach to new skbuff, and increment count */
934 nskb->nfct = &ct->ct_general; 935 nskb->nfct = &ct->ct_general;
935 nskb->nfctinfo = ctinfo; 936 nskb->nfctinfo = ctinfo;
936 nf_conntrack_get(nskb->nfct); 937 nf_conntrack_get(nskb->nfct);
937 } 938 }
938 939
939 /* Bring out ya dead! */ 940 /* Bring out ya dead! */
940 static struct nf_conn * 941 static struct nf_conn *
941 get_next_corpse(struct net *net, int (*iter)(struct nf_conn *i, void *data), 942 get_next_corpse(struct net *net, int (*iter)(struct nf_conn *i, void *data),
942 void *data, unsigned int *bucket) 943 void *data, unsigned int *bucket)
943 { 944 {
944 struct nf_conntrack_tuple_hash *h; 945 struct nf_conntrack_tuple_hash *h;
945 struct nf_conn *ct; 946 struct nf_conn *ct;
946 struct hlist_nulls_node *n; 947 struct hlist_nulls_node *n;
947 948
948 spin_lock_bh(&nf_conntrack_lock); 949 spin_lock_bh(&nf_conntrack_lock);
949 for (; *bucket < nf_conntrack_htable_size; (*bucket)++) { 950 for (; *bucket < nf_conntrack_htable_size; (*bucket)++) {
950 hlist_nulls_for_each_entry(h, n, &net->ct.hash[*bucket], hnnode) { 951 hlist_nulls_for_each_entry(h, n, &net->ct.hash[*bucket], hnnode) {
951 ct = nf_ct_tuplehash_to_ctrack(h); 952 ct = nf_ct_tuplehash_to_ctrack(h);
952 if (iter(ct, data)) 953 if (iter(ct, data))
953 goto found; 954 goto found;
954 } 955 }
955 } 956 }
956 hlist_nulls_for_each_entry(h, n, &net->ct.unconfirmed, hnnode) { 957 hlist_nulls_for_each_entry(h, n, &net->ct.unconfirmed, hnnode) {
957 ct = nf_ct_tuplehash_to_ctrack(h); 958 ct = nf_ct_tuplehash_to_ctrack(h);
958 if (iter(ct, data)) 959 if (iter(ct, data))
959 set_bit(IPS_DYING_BIT, &ct->status); 960 set_bit(IPS_DYING_BIT, &ct->status);
960 } 961 }
961 spin_unlock_bh(&nf_conntrack_lock); 962 spin_unlock_bh(&nf_conntrack_lock);
962 return NULL; 963 return NULL;
963 found: 964 found:
964 atomic_inc(&ct->ct_general.use); 965 atomic_inc(&ct->ct_general.use);
965 spin_unlock_bh(&nf_conntrack_lock); 966 spin_unlock_bh(&nf_conntrack_lock);
966 return ct; 967 return ct;
967 } 968 }
968 969
969 void nf_ct_iterate_cleanup(struct net *net, 970 void nf_ct_iterate_cleanup(struct net *net,
970 int (*iter)(struct nf_conn *i, void *data), 971 int (*iter)(struct nf_conn *i, void *data),
971 void *data) 972 void *data)
972 { 973 {
973 struct nf_conn *ct; 974 struct nf_conn *ct;
974 unsigned int bucket = 0; 975 unsigned int bucket = 0;
975 976
976 while ((ct = get_next_corpse(net, iter, data, &bucket)) != NULL) { 977 while ((ct = get_next_corpse(net, iter, data, &bucket)) != NULL) {
977 /* Time to push up daises... */ 978 /* Time to push up daises... */
978 if (del_timer(&ct->timeout)) 979 if (del_timer(&ct->timeout))
979 death_by_timeout((unsigned long)ct); 980 death_by_timeout((unsigned long)ct);
980 /* ... else the timer will get him soon. */ 981 /* ... else the timer will get him soon. */
981 982
982 nf_ct_put(ct); 983 nf_ct_put(ct);
983 } 984 }
984 } 985 }
985 EXPORT_SYMBOL_GPL(nf_ct_iterate_cleanup); 986 EXPORT_SYMBOL_GPL(nf_ct_iterate_cleanup);
986 987
987 struct __nf_ct_flush_report { 988 struct __nf_ct_flush_report {
988 u32 pid; 989 u32 pid;
989 int report; 990 int report;
990 }; 991 };
991 992
992 static int kill_report(struct nf_conn *i, void *data) 993 static int kill_report(struct nf_conn *i, void *data)
993 { 994 {
994 struct __nf_ct_flush_report *fr = (struct __nf_ct_flush_report *)data; 995 struct __nf_ct_flush_report *fr = (struct __nf_ct_flush_report *)data;
995 996
996 /* get_next_corpse sets the dying bit for us */ 997 /* get_next_corpse sets the dying bit for us */
997 nf_conntrack_event_report(IPCT_DESTROY, 998 nf_conntrack_event_report(IPCT_DESTROY,
998 i, 999 i,
999 fr->pid, 1000 fr->pid,
1000 fr->report); 1001 fr->report);
1001 return 1; 1002 return 1;
1002 } 1003 }
1003 1004
1004 static int kill_all(struct nf_conn *i, void *data) 1005 static int kill_all(struct nf_conn *i, void *data)
1005 { 1006 {
1006 return 1; 1007 return 1;
1007 } 1008 }
1008 1009
1009 void nf_ct_free_hashtable(void *hash, int vmalloced, unsigned int size) 1010 void nf_ct_free_hashtable(void *hash, int vmalloced, unsigned int size)
1010 { 1011 {
1011 if (vmalloced) 1012 if (vmalloced)
1012 vfree(hash); 1013 vfree(hash);
1013 else 1014 else
1014 free_pages((unsigned long)hash, 1015 free_pages((unsigned long)hash,
1015 get_order(sizeof(struct hlist_head) * size)); 1016 get_order(sizeof(struct hlist_head) * size));
1016 } 1017 }
1017 EXPORT_SYMBOL_GPL(nf_ct_free_hashtable); 1018 EXPORT_SYMBOL_GPL(nf_ct_free_hashtable);
1018 1019
1019 void nf_conntrack_flush_report(struct net *net, u32 pid, int report) 1020 void nf_conntrack_flush_report(struct net *net, u32 pid, int report)
1020 { 1021 {
1021 struct __nf_ct_flush_report fr = { 1022 struct __nf_ct_flush_report fr = {
1022 .pid = pid, 1023 .pid = pid,
1023 .report = report, 1024 .report = report,
1024 }; 1025 };
1025 nf_ct_iterate_cleanup(net, kill_report, &fr); 1026 nf_ct_iterate_cleanup(net, kill_report, &fr);
1026 } 1027 }
1027 EXPORT_SYMBOL_GPL(nf_conntrack_flush_report); 1028 EXPORT_SYMBOL_GPL(nf_conntrack_flush_report);
1028 1029
1029 static void nf_conntrack_cleanup_init_net(void) 1030 static void nf_conntrack_cleanup_init_net(void)
1030 { 1031 {
1031 nf_conntrack_helper_fini(); 1032 nf_conntrack_helper_fini();
1032 nf_conntrack_proto_fini(); 1033 nf_conntrack_proto_fini();
1033 kmem_cache_destroy(nf_conntrack_cachep); 1034 kmem_cache_destroy(nf_conntrack_cachep);
1034 } 1035 }
1035 1036
1036 static void nf_conntrack_cleanup_net(struct net *net) 1037 static void nf_conntrack_cleanup_net(struct net *net)
1037 { 1038 {
1038 nf_ct_event_cache_flush(net); 1039 nf_ct_event_cache_flush(net);
1039 nf_conntrack_ecache_fini(net); 1040 nf_conntrack_ecache_fini(net);
1040 i_see_dead_people: 1041 i_see_dead_people:
1041 nf_ct_iterate_cleanup(net, kill_all, NULL); 1042 nf_ct_iterate_cleanup(net, kill_all, NULL);
1042 if (atomic_read(&net->ct.count) != 0) { 1043 if (atomic_read(&net->ct.count) != 0) {
1043 schedule(); 1044 schedule();
1044 goto i_see_dead_people; 1045 goto i_see_dead_people;
1045 } 1046 }
1046 /* wait until all references to nf_conntrack_untracked are dropped */ 1047 /* wait until all references to nf_conntrack_untracked are dropped */
1047 while (atomic_read(&nf_conntrack_untracked.ct_general.use) > 1) 1048 while (atomic_read(&nf_conntrack_untracked.ct_general.use) > 1)
1048 schedule(); 1049 schedule();
1049 1050
1050 nf_ct_free_hashtable(net->ct.hash, net->ct.hash_vmalloc, 1051 nf_ct_free_hashtable(net->ct.hash, net->ct.hash_vmalloc,
1051 nf_conntrack_htable_size); 1052 nf_conntrack_htable_size);
1052 nf_conntrack_acct_fini(net); 1053 nf_conntrack_acct_fini(net);
1053 nf_conntrack_expect_fini(net); 1054 nf_conntrack_expect_fini(net);
1054 free_percpu(net->ct.stat); 1055 free_percpu(net->ct.stat);
1055 } 1056 }
1056 1057
1057 /* Mishearing the voices in his head, our hero wonders how he's 1058 /* Mishearing the voices in his head, our hero wonders how he's
1058 supposed to kill the mall. */ 1059 supposed to kill the mall. */
1059 void nf_conntrack_cleanup(struct net *net) 1060 void nf_conntrack_cleanup(struct net *net)
1060 { 1061 {
1061 if (net_eq(net, &init_net)) 1062 if (net_eq(net, &init_net))
1062 rcu_assign_pointer(ip_ct_attach, NULL); 1063 rcu_assign_pointer(ip_ct_attach, NULL);
1063 1064
1064 /* This makes sure all current packets have passed through 1065 /* This makes sure all current packets have passed through
1065 netfilter framework. Roll on, two-stage module 1066 netfilter framework. Roll on, two-stage module
1066 delete... */ 1067 delete... */
1067 synchronize_net(); 1068 synchronize_net();
1068 1069
1069 nf_conntrack_cleanup_net(net); 1070 nf_conntrack_cleanup_net(net);
1070 1071
1071 if (net_eq(net, &init_net)) { 1072 if (net_eq(net, &init_net)) {
1072 rcu_assign_pointer(nf_ct_destroy, NULL); 1073 rcu_assign_pointer(nf_ct_destroy, NULL);
1073 nf_conntrack_cleanup_init_net(); 1074 nf_conntrack_cleanup_init_net();
1074 } 1075 }
1075 } 1076 }
1076 1077
1077 void *nf_ct_alloc_hashtable(unsigned int *sizep, int *vmalloced, int nulls) 1078 void *nf_ct_alloc_hashtable(unsigned int *sizep, int *vmalloced, int nulls)
1078 { 1079 {
1079 struct hlist_nulls_head *hash; 1080 struct hlist_nulls_head *hash;
1080 unsigned int nr_slots, i; 1081 unsigned int nr_slots, i;
1081 size_t sz; 1082 size_t sz;
1082 1083
1083 *vmalloced = 0; 1084 *vmalloced = 0;
1084 1085
1085 BUILD_BUG_ON(sizeof(struct hlist_nulls_head) != sizeof(struct hlist_head)); 1086 BUILD_BUG_ON(sizeof(struct hlist_nulls_head) != sizeof(struct hlist_head));
1086 nr_slots = *sizep = roundup(*sizep, PAGE_SIZE / sizeof(struct hlist_nulls_head)); 1087 nr_slots = *sizep = roundup(*sizep, PAGE_SIZE / sizeof(struct hlist_nulls_head));
1087 sz = nr_slots * sizeof(struct hlist_nulls_head); 1088 sz = nr_slots * sizeof(struct hlist_nulls_head);
1088 hash = (void *)__get_free_pages(GFP_KERNEL | __GFP_NOWARN | __GFP_ZERO, 1089 hash = (void *)__get_free_pages(GFP_KERNEL | __GFP_NOWARN | __GFP_ZERO,
1089 get_order(sz)); 1090 get_order(sz));
1090 if (!hash) { 1091 if (!hash) {
1091 *vmalloced = 1; 1092 *vmalloced = 1;
1092 printk(KERN_WARNING "nf_conntrack: falling back to vmalloc.\n"); 1093 printk(KERN_WARNING "nf_conntrack: falling back to vmalloc.\n");
1093 hash = __vmalloc(sz, GFP_KERNEL | __GFP_ZERO, PAGE_KERNEL); 1094 hash = __vmalloc(sz, GFP_KERNEL | __GFP_ZERO, PAGE_KERNEL);
1094 } 1095 }
1095 1096
1096 if (hash && nulls) 1097 if (hash && nulls)
1097 for (i = 0; i < nr_slots; i++) 1098 for (i = 0; i < nr_slots; i++)
1098 INIT_HLIST_NULLS_HEAD(&hash[i], i); 1099 INIT_HLIST_NULLS_HEAD(&hash[i], i);
1099 1100
1100 return hash; 1101 return hash;
1101 } 1102 }
1102 EXPORT_SYMBOL_GPL(nf_ct_alloc_hashtable); 1103 EXPORT_SYMBOL_GPL(nf_ct_alloc_hashtable);
1103 1104
1104 int nf_conntrack_set_hashsize(const char *val, struct kernel_param *kp) 1105 int nf_conntrack_set_hashsize(const char *val, struct kernel_param *kp)
1105 { 1106 {
1106 int i, bucket, vmalloced, old_vmalloced; 1107 int i, bucket, vmalloced, old_vmalloced;
1107 unsigned int hashsize, old_size; 1108 unsigned int hashsize, old_size;
1108 int rnd; 1109 int rnd;
1109 struct hlist_nulls_head *hash, *old_hash; 1110 struct hlist_nulls_head *hash, *old_hash;
1110 struct nf_conntrack_tuple_hash *h; 1111 struct nf_conntrack_tuple_hash *h;
1111 1112
1112 /* On boot, we can set this without any fancy locking. */ 1113 /* On boot, we can set this without any fancy locking. */
1113 if (!nf_conntrack_htable_size) 1114 if (!nf_conntrack_htable_size)
1114 return param_set_uint(val, kp); 1115 return param_set_uint(val, kp);
1115 1116
1116 hashsize = simple_strtoul(val, NULL, 0); 1117 hashsize = simple_strtoul(val, NULL, 0);
1117 if (!hashsize) 1118 if (!hashsize)
1118 return -EINVAL; 1119 return -EINVAL;
1119 1120
1120 hash = nf_ct_alloc_hashtable(&hashsize, &vmalloced, 1); 1121 hash = nf_ct_alloc_hashtable(&hashsize, &vmalloced, 1);
1121 if (!hash) 1122 if (!hash)
1122 return -ENOMEM; 1123 return -ENOMEM;
1123 1124
1124 /* We have to rehahs for the new table anyway, so we also can 1125 /* We have to rehahs for the new table anyway, so we also can
1125 * use a newrandom seed */ 1126 * use a newrandom seed */
1126 get_random_bytes(&rnd, sizeof(rnd)); 1127 get_random_bytes(&rnd, sizeof(rnd));
1127 1128
1128 /* Lookups in the old hash might happen in parallel, which means we 1129 /* Lookups in the old hash might happen in parallel, which means we
1129 * might get false negatives during connection lookup. New connections 1130 * might get false negatives during connection lookup. New connections
1130 * created because of a false negative won't make it into the hash 1131 * created because of a false negative won't make it into the hash
1131 * though since that required taking the lock. 1132 * though since that required taking the lock.
1132 */ 1133 */
1133 spin_lock_bh(&nf_conntrack_lock); 1134 spin_lock_bh(&nf_conntrack_lock);
1134 for (i = 0; i < nf_conntrack_htable_size; i++) { 1135 for (i = 0; i < nf_conntrack_htable_size; i++) {
1135 while (!hlist_nulls_empty(&init_net.ct.hash[i])) { 1136 while (!hlist_nulls_empty(&init_net.ct.hash[i])) {
1136 h = hlist_nulls_entry(init_net.ct.hash[i].first, 1137 h = hlist_nulls_entry(init_net.ct.hash[i].first,
1137 struct nf_conntrack_tuple_hash, hnnode); 1138 struct nf_conntrack_tuple_hash, hnnode);
1138 hlist_nulls_del_rcu(&h->hnnode); 1139 hlist_nulls_del_rcu(&h->hnnode);
1139 bucket = __hash_conntrack(&h->tuple, hashsize, rnd); 1140 bucket = __hash_conntrack(&h->tuple, hashsize, rnd);
1140 hlist_nulls_add_head_rcu(&h->hnnode, &hash[bucket]); 1141 hlist_nulls_add_head_rcu(&h->hnnode, &hash[bucket]);
1141 } 1142 }
1142 } 1143 }
1143 old_size = nf_conntrack_htable_size; 1144 old_size = nf_conntrack_htable_size;
1144 old_vmalloced = init_net.ct.hash_vmalloc; 1145 old_vmalloced = init_net.ct.hash_vmalloc;
1145 old_hash = init_net.ct.hash; 1146 old_hash = init_net.ct.hash;
1146 1147
1147 nf_conntrack_htable_size = hashsize; 1148 nf_conntrack_htable_size = hashsize;
1148 init_net.ct.hash_vmalloc = vmalloced; 1149 init_net.ct.hash_vmalloc = vmalloced;
1149 init_net.ct.hash = hash; 1150 init_net.ct.hash = hash;
1150 nf_conntrack_hash_rnd = rnd; 1151 nf_conntrack_hash_rnd = rnd;
1151 spin_unlock_bh(&nf_conntrack_lock); 1152 spin_unlock_bh(&nf_conntrack_lock);
1152 1153
1153 nf_ct_free_hashtable(old_hash, old_vmalloced, old_size); 1154 nf_ct_free_hashtable(old_hash, old_vmalloced, old_size);
1154 return 0; 1155 return 0;
1155 } 1156 }
1156 EXPORT_SYMBOL_GPL(nf_conntrack_set_hashsize); 1157 EXPORT_SYMBOL_GPL(nf_conntrack_set_hashsize);
1157 1158
1158 module_param_call(hashsize, nf_conntrack_set_hashsize, param_get_uint, 1159 module_param_call(hashsize, nf_conntrack_set_hashsize, param_get_uint,
1159 &nf_conntrack_htable_size, 0600); 1160 &nf_conntrack_htable_size, 0600);
1160 1161
1161 static int nf_conntrack_init_init_net(void) 1162 static int nf_conntrack_init_init_net(void)
1162 { 1163 {
1163 int max_factor = 8; 1164 int max_factor = 8;
1164 int ret; 1165 int ret;
1165 1166
1166 /* Idea from tcp.c: use 1/16384 of memory. On i386: 32MB 1167 /* Idea from tcp.c: use 1/16384 of memory. On i386: 32MB
1167 * machine has 512 buckets. >= 1GB machines have 16384 buckets. */ 1168 * machine has 512 buckets. >= 1GB machines have 16384 buckets. */
1168 if (!nf_conntrack_htable_size) { 1169 if (!nf_conntrack_htable_size) {
1169 nf_conntrack_htable_size 1170 nf_conntrack_htable_size
1170 = (((num_physpages << PAGE_SHIFT) / 16384) 1171 = (((num_physpages << PAGE_SHIFT) / 16384)
1171 / sizeof(struct hlist_head)); 1172 / sizeof(struct hlist_head));
1172 if (num_physpages > (1024 * 1024 * 1024 / PAGE_SIZE)) 1173 if (num_physpages > (1024 * 1024 * 1024 / PAGE_SIZE))
1173 nf_conntrack_htable_size = 16384; 1174 nf_conntrack_htable_size = 16384;
1174 if (nf_conntrack_htable_size < 32) 1175 if (nf_conntrack_htable_size < 32)
1175 nf_conntrack_htable_size = 32; 1176 nf_conntrack_htable_size = 32;
1176 1177
1177 /* Use a max. factor of four by default to get the same max as 1178 /* Use a max. factor of four by default to get the same max as
1178 * with the old struct list_heads. When a table size is given 1179 * with the old struct list_heads. When a table size is given
1179 * we use the old value of 8 to avoid reducing the max. 1180 * we use the old value of 8 to avoid reducing the max.
1180 * entries. */ 1181 * entries. */
1181 max_factor = 4; 1182 max_factor = 4;
1182 } 1183 }
1183 nf_conntrack_max = max_factor * nf_conntrack_htable_size; 1184 nf_conntrack_max = max_factor * nf_conntrack_htable_size;
1184 1185
1185 printk("nf_conntrack version %s (%u buckets, %d max)\n", 1186 printk("nf_conntrack version %s (%u buckets, %d max)\n",
1186 NF_CONNTRACK_VERSION, nf_conntrack_htable_size, 1187 NF_CONNTRACK_VERSION, nf_conntrack_htable_size,
1187 nf_conntrack_max); 1188 nf_conntrack_max);
1188 1189
1189 nf_conntrack_cachep = kmem_cache_create("nf_conntrack", 1190 nf_conntrack_cachep = kmem_cache_create("nf_conntrack",
1190 sizeof(struct nf_conn), 1191 sizeof(struct nf_conn),
1191 0, SLAB_DESTROY_BY_RCU, NULL); 1192 0, SLAB_DESTROY_BY_RCU, NULL);
1192 if (!nf_conntrack_cachep) { 1193 if (!nf_conntrack_cachep) {
1193 printk(KERN_ERR "Unable to create nf_conn slab cache\n"); 1194 printk(KERN_ERR "Unable to create nf_conn slab cache\n");
1194 ret = -ENOMEM; 1195 ret = -ENOMEM;
1195 goto err_cache; 1196 goto err_cache;
1196 } 1197 }
1197 1198
1198 ret = nf_conntrack_proto_init(); 1199 ret = nf_conntrack_proto_init();
1199 if (ret < 0) 1200 if (ret < 0)
1200 goto err_proto; 1201 goto err_proto;
1201 1202
1202 ret = nf_conntrack_helper_init(); 1203 ret = nf_conntrack_helper_init();
1203 if (ret < 0) 1204 if (ret < 0)
1204 goto err_helper; 1205 goto err_helper;
1205 1206
1206 return 0; 1207 return 0;
1207 1208
1208 err_helper: 1209 err_helper:
1209 nf_conntrack_proto_fini(); 1210 nf_conntrack_proto_fini();
1210 err_proto: 1211 err_proto:
1211 kmem_cache_destroy(nf_conntrack_cachep); 1212 kmem_cache_destroy(nf_conntrack_cachep);
1212 err_cache: 1213 err_cache:
1213 return ret; 1214 return ret;
1214 } 1215 }
1215 1216
1216 static int nf_conntrack_init_net(struct net *net) 1217 static int nf_conntrack_init_net(struct net *net)
1217 { 1218 {
1218 int ret; 1219 int ret;
1219 1220
1220 atomic_set(&net->ct.count, 0); 1221 atomic_set(&net->ct.count, 0);
1221 INIT_HLIST_NULLS_HEAD(&net->ct.unconfirmed, 0); 1222 INIT_HLIST_NULLS_HEAD(&net->ct.unconfirmed, 0);
1222 net->ct.stat = alloc_percpu(struct ip_conntrack_stat); 1223 net->ct.stat = alloc_percpu(struct ip_conntrack_stat);
1223 if (!net->ct.stat) { 1224 if (!net->ct.stat) {
1224 ret = -ENOMEM; 1225 ret = -ENOMEM;
1225 goto err_stat; 1226 goto err_stat;
1226 } 1227 }
1227 ret = nf_conntrack_ecache_init(net); 1228 ret = nf_conntrack_ecache_init(net);
1228 if (ret < 0) 1229 if (ret < 0)
1229 goto err_ecache; 1230 goto err_ecache;
1230 net->ct.hash = nf_ct_alloc_hashtable(&nf_conntrack_htable_size, 1231 net->ct.hash = nf_ct_alloc_hashtable(&nf_conntrack_htable_size,
1231 &net->ct.hash_vmalloc, 1); 1232 &net->ct.hash_vmalloc, 1);
1232 if (!net->ct.hash) { 1233 if (!net->ct.hash) {
1233 ret = -ENOMEM; 1234 ret = -ENOMEM;
1234 printk(KERN_ERR "Unable to create nf_conntrack_hash\n"); 1235 printk(KERN_ERR "Unable to create nf_conntrack_hash\n");
1235 goto err_hash; 1236 goto err_hash;
1236 } 1237 }
1237 ret = nf_conntrack_expect_init(net); 1238 ret = nf_conntrack_expect_init(net);
1238 if (ret < 0) 1239 if (ret < 0)
1239 goto err_expect; 1240 goto err_expect;
1240 ret = nf_conntrack_acct_init(net); 1241 ret = nf_conntrack_acct_init(net);
1241 if (ret < 0) 1242 if (ret < 0)
1242 goto err_acct; 1243 goto err_acct;
1243 1244
1244 /* Set up fake conntrack: 1245 /* Set up fake conntrack:
1245 - to never be deleted, not in any hashes */ 1246 - to never be deleted, not in any hashes */
1246 #ifdef CONFIG_NET_NS 1247 #ifdef CONFIG_NET_NS
1247 nf_conntrack_untracked.ct_net = &init_net; 1248 nf_conntrack_untracked.ct_net = &init_net;
1248 #endif 1249 #endif
1249 atomic_set(&nf_conntrack_untracked.ct_general.use, 1); 1250 atomic_set(&nf_conntrack_untracked.ct_general.use, 1);
1250 /* - and look it like as a confirmed connection */ 1251 /* - and look it like as a confirmed connection */
1251 set_bit(IPS_CONFIRMED_BIT, &nf_conntrack_untracked.status); 1252 set_bit(IPS_CONFIRMED_BIT, &nf_conntrack_untracked.status);
1252 1253
1253 return 0; 1254 return 0;
1254 1255
1255 err_acct: 1256 err_acct:
1256 nf_conntrack_expect_fini(net); 1257 nf_conntrack_expect_fini(net);
1257 err_expect: 1258 err_expect:
1258 nf_ct_free_hashtable(net->ct.hash, net->ct.hash_vmalloc, 1259 nf_ct_free_hashtable(net->ct.hash, net->ct.hash_vmalloc,
1259 nf_conntrack_htable_size); 1260 nf_conntrack_htable_size);
1260 err_hash: 1261 err_hash:
1261 nf_conntrack_ecache_fini(net); 1262 nf_conntrack_ecache_fini(net);
1262 err_ecache: 1263 err_ecache:
1263 free_percpu(net->ct.stat); 1264 free_percpu(net->ct.stat);
1264 err_stat: 1265 err_stat:
1265 return ret; 1266 return ret;
1266 } 1267 }
1267 1268
1268 int nf_conntrack_init(struct net *net) 1269 int nf_conntrack_init(struct net *net)
1269 { 1270 {
1270 int ret; 1271 int ret;
1271 1272
1272 if (net_eq(net, &init_net)) { 1273 if (net_eq(net, &init_net)) {
1273 ret = nf_conntrack_init_init_net(); 1274 ret = nf_conntrack_init_init_net();
1274 if (ret < 0) 1275 if (ret < 0)
1275 goto out_init_net; 1276 goto out_init_net;
1276 } 1277 }
1277 ret = nf_conntrack_init_net(net); 1278 ret = nf_conntrack_init_net(net);
1278 if (ret < 0) 1279 if (ret < 0)
1279 goto out_net; 1280 goto out_net;
1280 1281
1281 if (net_eq(net, &init_net)) { 1282 if (net_eq(net, &init_net)) {
1282 /* For use by REJECT target */ 1283 /* For use by REJECT target */
1283 rcu_assign_pointer(ip_ct_attach, nf_conntrack_attach); 1284 rcu_assign_pointer(ip_ct_attach, nf_conntrack_attach);
1284 rcu_assign_pointer(nf_ct_destroy, destroy_conntrack); 1285 rcu_assign_pointer(nf_ct_destroy, destroy_conntrack);
1285 } 1286 }
1286 return 0; 1287 return 0;
1287 1288
1288 out_net: 1289 out_net:
1289 if (net_eq(net, &init_net)) 1290 if (net_eq(net, &init_net))
1290 nf_conntrack_cleanup_init_net(); 1291 nf_conntrack_cleanup_init_net();
1291 out_init_net: 1292 out_init_net:
1292 return ret; 1293 return ret;
1293 } 1294 }
1294 1295
net/netfilter/nf_conntrack_netlink.c
Diff comments   View file @ 440f0d5
1 /* Connection tracking via netlink socket. Allows for user space 1 /* Connection tracking via netlink socket. Allows for user space
2 * protocol helpers and general trouble making from userspace. 2 * protocol helpers and general trouble making from userspace.
3 * 3 *
4 * (C) 2001 by Jay Schulist <jschlst@samba.org> 4 * (C) 2001 by Jay Schulist <jschlst@samba.org>
5 * (C) 2002-2006 by Harald Welte <laforge@gnumonks.org> 5 * (C) 2002-2006 by Harald Welte <laforge@gnumonks.org>
6 * (C) 2003 by Patrick Mchardy <kaber@trash.net> 6 * (C) 2003 by Patrick Mchardy <kaber@trash.net>
7 * (C) 2005-2008 by Pablo Neira Ayuso <pablo@netfilter.org> 7 * (C) 2005-2008 by Pablo Neira Ayuso <pablo@netfilter.org>
8 * 8 *
9 * Initial connection tracking via netlink development funded and 9 * Initial connection tracking via netlink development funded and
10 * generally made possible by Network Robots, Inc. (www.networkrobots.com) 10 * generally made possible by Network Robots, Inc. (www.networkrobots.com)
11 * 11 *
12 * Further development of this code funded by Astaro AG (http://www.astaro.com) 12 * Further development of this code funded by Astaro AG (http://www.astaro.com)
13 * 13 *
14 * This software may be used and distributed according to the terms 14 * This software may be used and distributed according to the terms
15 * of the GNU General Public License, incorporated herein by reference. 15 * of the GNU General Public License, incorporated herein by reference.
16 */ 16 */
17 17
18 #include <linux/init.h> 18 #include <linux/init.h>
19 #include <linux/module.h> 19 #include <linux/module.h>
20 #include <linux/kernel.h> 20 #include <linux/kernel.h>
21 #include <linux/rculist.h> 21 #include <linux/rculist.h>
22 #include <linux/rculist_nulls.h> 22 #include <linux/rculist_nulls.h>
23 #include <linux/types.h> 23 #include <linux/types.h>
24 #include <linux/timer.h> 24 #include <linux/timer.h>
25 #include <linux/skbuff.h> 25 #include <linux/skbuff.h>
26 #include <linux/errno.h> 26 #include <linux/errno.h>
27 #include <linux/netlink.h> 27 #include <linux/netlink.h>
28 #include <linux/spinlock.h> 28 #include <linux/spinlock.h>
29 #include <linux/interrupt.h> 29 #include <linux/interrupt.h>
30 30
31 #include <linux/netfilter.h> 31 #include <linux/netfilter.h>
32 #include <net/netlink.h> 32 #include <net/netlink.h>
33 #include <net/netfilter/nf_conntrack.h> 33 #include <net/netfilter/nf_conntrack.h>
34 #include <net/netfilter/nf_conntrack_core.h> 34 #include <net/netfilter/nf_conntrack_core.h>
35 #include <net/netfilter/nf_conntrack_expect.h> 35 #include <net/netfilter/nf_conntrack_expect.h>
36 #include <net/netfilter/nf_conntrack_helper.h> 36 #include <net/netfilter/nf_conntrack_helper.h>
37 #include <net/netfilter/nf_conntrack_l3proto.h> 37 #include <net/netfilter/nf_conntrack_l3proto.h>
38 #include <net/netfilter/nf_conntrack_l4proto.h> 38 #include <net/netfilter/nf_conntrack_l4proto.h>
39 #include <net/netfilter/nf_conntrack_tuple.h> 39 #include <net/netfilter/nf_conntrack_tuple.h>
40 #include <net/netfilter/nf_conntrack_acct.h> 40 #include <net/netfilter/nf_conntrack_acct.h>
41 #ifdef CONFIG_NF_NAT_NEEDED 41 #ifdef CONFIG_NF_NAT_NEEDED
42 #include <net/netfilter/nf_nat_core.h> 42 #include <net/netfilter/nf_nat_core.h>
43 #include <net/netfilter/nf_nat_protocol.h> 43 #include <net/netfilter/nf_nat_protocol.h>
44 #endif 44 #endif
45 45
46 #include <linux/netfilter/nfnetlink.h> 46 #include <linux/netfilter/nfnetlink.h>
47 #include <linux/netfilter/nfnetlink_conntrack.h> 47 #include <linux/netfilter/nfnetlink_conntrack.h>
48 48
49 MODULE_LICENSE("GPL"); 49 MODULE_LICENSE("GPL");
50 50
51 static char __initdata version[] = "0.93"; 51 static char __initdata version[] = "0.93";
52 52
53 static inline int 53 static inline int
54 ctnetlink_dump_tuples_proto(struct sk_buff *skb, 54 ctnetlink_dump_tuples_proto(struct sk_buff *skb,
55 const struct nf_conntrack_tuple *tuple, 55 const struct nf_conntrack_tuple *tuple,
56 struct nf_conntrack_l4proto *l4proto) 56 struct nf_conntrack_l4proto *l4proto)
57 { 57 {
58 int ret = 0; 58 int ret = 0;
59 struct nlattr *nest_parms; 59 struct nlattr *nest_parms;
60 60
61 nest_parms = nla_nest_start(skb, CTA_TUPLE_PROTO | NLA_F_NESTED); 61 nest_parms = nla_nest_start(skb, CTA_TUPLE_PROTO | NLA_F_NESTED);
62 if (!nest_parms) 62 if (!nest_parms)
63 goto nla_put_failure; 63 goto nla_put_failure;
64 NLA_PUT_U8(skb, CTA_PROTO_NUM, tuple->dst.protonum); 64 NLA_PUT_U8(skb, CTA_PROTO_NUM, tuple->dst.protonum);
65 65
66 if (likely(l4proto->tuple_to_nlattr)) 66 if (likely(l4proto->tuple_to_nlattr))
67 ret = l4proto->tuple_to_nlattr(skb, tuple); 67 ret = l4proto->tuple_to_nlattr(skb, tuple);
68 68
69 nla_nest_end(skb, nest_parms); 69 nla_nest_end(skb, nest_parms);
70 70
71 return ret; 71 return ret;
72 72
73 nla_put_failure: 73 nla_put_failure:
74 return -1; 74 return -1;
75 } 75 }
76 76
77 static inline int 77 static inline int
78 ctnetlink_dump_tuples_ip(struct sk_buff *skb, 78 ctnetlink_dump_tuples_ip(struct sk_buff *skb,
79 const struct nf_conntrack_tuple *tuple, 79 const struct nf_conntrack_tuple *tuple,
80 struct nf_conntrack_l3proto *l3proto) 80 struct nf_conntrack_l3proto *l3proto)
81 { 81 {
82 int ret = 0; 82 int ret = 0;
83 struct nlattr *nest_parms; 83 struct nlattr *nest_parms;
84 84
85 nest_parms = nla_nest_start(skb, CTA_TUPLE_IP | NLA_F_NESTED); 85 nest_parms = nla_nest_start(skb, CTA_TUPLE_IP | NLA_F_NESTED);
86 if (!nest_parms) 86 if (!nest_parms)
87 goto nla_put_failure; 87 goto nla_put_failure;
88 88
89 if (likely(l3proto->tuple_to_nlattr)) 89 if (likely(l3proto->tuple_to_nlattr))
90 ret = l3proto->tuple_to_nlattr(skb, tuple); 90 ret = l3proto->tuple_to_nlattr(skb, tuple);
91 91
92 nla_nest_end(skb, nest_parms); 92 nla_nest_end(skb, nest_parms);
93 93
94 return ret; 94 return ret;
95 95
96 nla_put_failure: 96 nla_put_failure:
97 return -1; 97 return -1;
98 } 98 }
99 99
100 static int 100 static int
101 ctnetlink_dump_tuples(struct sk_buff *skb, 101 ctnetlink_dump_tuples(struct sk_buff *skb,
102 const struct nf_conntrack_tuple *tuple) 102 const struct nf_conntrack_tuple *tuple)
103 { 103 {
104 int ret; 104 int ret;
105 struct nf_conntrack_l3proto *l3proto; 105 struct nf_conntrack_l3proto *l3proto;
106 struct nf_conntrack_l4proto *l4proto; 106 struct nf_conntrack_l4proto *l4proto;
107 107
108 l3proto = __nf_ct_l3proto_find(tuple->src.l3num); 108 l3proto = __nf_ct_l3proto_find(tuple->src.l3num);
109 ret = ctnetlink_dump_tuples_ip(skb, tuple, l3proto); 109 ret = ctnetlink_dump_tuples_ip(skb, tuple, l3proto);
110 110
111 if (unlikely(ret < 0)) 111 if (unlikely(ret < 0))
112 return ret; 112 return ret;
113 113
114 l4proto = __nf_ct_l4proto_find(tuple->src.l3num, tuple->dst.protonum); 114 l4proto = __nf_ct_l4proto_find(tuple->src.l3num, tuple->dst.protonum);
115 ret = ctnetlink_dump_tuples_proto(skb, tuple, l4proto); 115 ret = ctnetlink_dump_tuples_proto(skb, tuple, l4proto);
116 116
117 return ret; 117 return ret;
118 } 118 }
119 119
120 static inline int 120 static inline int
121 ctnetlink_dump_status(struct sk_buff *skb, const struct nf_conn *ct) 121 ctnetlink_dump_status(struct sk_buff *skb, const struct nf_conn *ct)
122 { 122 {
123 NLA_PUT_BE32(skb, CTA_STATUS, htonl(ct->status)); 123 NLA_PUT_BE32(skb, CTA_STATUS, htonl(ct->status));
124 return 0; 124 return 0;
125 125
126 nla_put_failure: 126 nla_put_failure:
127 return -1; 127 return -1;
128 } 128 }
129 129
130 static inline int 130 static inline int
131 ctnetlink_dump_timeout(struct sk_buff *skb, const struct nf_conn *ct) 131 ctnetlink_dump_timeout(struct sk_buff *skb, const struct nf_conn *ct)
132 { 132 {
133 long timeout = (ct->timeout.expires - jiffies) / HZ; 133 long timeout = (ct->timeout.expires - jiffies) / HZ;
134 134
135 if (timeout < 0) 135 if (timeout < 0)
136 timeout = 0; 136 timeout = 0;
137 137
138 NLA_PUT_BE32(skb, CTA_TIMEOUT, htonl(timeout)); 138 NLA_PUT_BE32(skb, CTA_TIMEOUT, htonl(timeout));
139 return 0; 139 return 0;
140 140
141 nla_put_failure: 141 nla_put_failure:
142 return -1; 142 return -1;
143 } 143 }
144 144
145 static inline int 145 static inline int
146 ctnetlink_dump_protoinfo(struct sk_buff *skb, const struct nf_conn *ct) 146 ctnetlink_dump_protoinfo(struct sk_buff *skb, struct nf_conn *ct)
147 { 147 {
148 struct nf_conntrack_l4proto *l4proto; 148 struct nf_conntrack_l4proto *l4proto;
149 struct nlattr *nest_proto; 149 struct nlattr *nest_proto;
150 int ret; 150 int ret;
151 151
152 l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct)); 152 l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
153 if (!l4proto->to_nlattr) 153 if (!l4proto->to_nlattr)
154 return 0; 154 return 0;
155 155
156 nest_proto = nla_nest_start(skb, CTA_PROTOINFO | NLA_F_NESTED); 156 nest_proto = nla_nest_start(skb, CTA_PROTOINFO | NLA_F_NESTED);
157 if (!nest_proto) 157 if (!nest_proto)
158 goto nla_put_failure; 158 goto nla_put_failure;
159 159
160 ret = l4proto->to_nlattr(skb, nest_proto, ct); 160 ret = l4proto->to_nlattr(skb, nest_proto, ct);
161 161
162 nla_nest_end(skb, nest_proto); 162 nla_nest_end(skb, nest_proto);
163 163
164 return ret; 164 return ret;
165 165
166 nla_put_failure: 166 nla_put_failure:
167 return -1; 167 return -1;
168 } 168 }
169 169
170 static inline int 170 static inline int
171 ctnetlink_dump_helpinfo(struct sk_buff *skb, const struct nf_conn *ct) 171 ctnetlink_dump_helpinfo(struct sk_buff *skb, const struct nf_conn *ct)
172 { 172 {
173 struct nlattr *nest_helper; 173 struct nlattr *nest_helper;
174 const struct nf_conn_help *help = nfct_help(ct); 174 const struct nf_conn_help *help = nfct_help(ct);
175 struct nf_conntrack_helper *helper; 175 struct nf_conntrack_helper *helper;
176 176
177 if (!help) 177 if (!help)
178 return 0; 178 return 0;
179 179
180 helper = rcu_dereference(help->helper); 180 helper = rcu_dereference(help->helper);
181 if (!helper) 181 if (!helper)
182 goto out; 182 goto out;
183 183
184 nest_helper = nla_nest_start(skb, CTA_HELP | NLA_F_NESTED); 184 nest_helper = nla_nest_start(skb, CTA_HELP | NLA_F_NESTED);
185 if (!nest_helper) 185 if (!nest_helper)
186 goto nla_put_failure; 186 goto nla_put_failure;
187 NLA_PUT_STRING(skb, CTA_HELP_NAME, helper->name); 187 NLA_PUT_STRING(skb, CTA_HELP_NAME, helper->name);
188 188
189 if (helper->to_nlattr) 189 if (helper->to_nlattr)
190 helper->to_nlattr(skb, ct); 190 helper->to_nlattr(skb, ct);
191 191
192 nla_nest_end(skb, nest_helper); 192 nla_nest_end(skb, nest_helper);
193 out: 193 out:
194 return 0; 194 return 0;
195 195
196 nla_put_failure: 196 nla_put_failure:
197 return -1; 197 return -1;
198 } 198 }
199 199
200 static int 200 static int
201 ctnetlink_dump_counters(struct sk_buff *skb, const struct nf_conn *ct, 201 ctnetlink_dump_counters(struct sk_buff *skb, const struct nf_conn *ct,
202 enum ip_conntrack_dir dir) 202 enum ip_conntrack_dir dir)
203 { 203 {
204 enum ctattr_type type = dir ? CTA_COUNTERS_REPLY: CTA_COUNTERS_ORIG; 204 enum ctattr_type type = dir ? CTA_COUNTERS_REPLY: CTA_COUNTERS_ORIG;
205 struct nlattr *nest_count; 205 struct nlattr *nest_count;
206 const struct nf_conn_counter *acct; 206 const struct nf_conn_counter *acct;
207 207
208 acct = nf_conn_acct_find(ct); 208 acct = nf_conn_acct_find(ct);
209 if (!acct) 209 if (!acct)
210 return 0; 210 return 0;
211 211
212 nest_count = nla_nest_start(skb, type | NLA_F_NESTED); 212 nest_count = nla_nest_start(skb, type | NLA_F_NESTED);
213 if (!nest_count) 213 if (!nest_count)
214 goto nla_put_failure; 214 goto nla_put_failure;
215 215
216 NLA_PUT_BE64(skb, CTA_COUNTERS_PACKETS, 216 NLA_PUT_BE64(skb, CTA_COUNTERS_PACKETS,
217 cpu_to_be64(acct[dir].packets)); 217 cpu_to_be64(acct[dir].packets));
218 NLA_PUT_BE64(skb, CTA_COUNTERS_BYTES, 218 NLA_PUT_BE64(skb, CTA_COUNTERS_BYTES,
219 cpu_to_be64(acct[dir].bytes)); 219 cpu_to_be64(acct[dir].bytes));
220 220
221 nla_nest_end(skb, nest_count); 221 nla_nest_end(skb, nest_count);
222 222
223 return 0; 223 return 0;
224 224
225 nla_put_failure: 225 nla_put_failure:
226 return -1; 226 return -1;
227 } 227 }
228 228
229 #ifdef CONFIG_NF_CONNTRACK_MARK 229 #ifdef CONFIG_NF_CONNTRACK_MARK
230 static inline int 230 static inline int
231 ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct) 231 ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct)
232 { 232 {
233 NLA_PUT_BE32(skb, CTA_MARK, htonl(ct->mark)); 233 NLA_PUT_BE32(skb, CTA_MARK, htonl(ct->mark));
234 return 0; 234 return 0;
235 235
236 nla_put_failure: 236 nla_put_failure:
237 return -1; 237 return -1;
238 } 238 }
239 #else 239 #else
240 #define ctnetlink_dump_mark(a, b) (0) 240 #define ctnetlink_dump_mark(a, b) (0)
241 #endif 241 #endif
242 242
243 #ifdef CONFIG_NF_CONNTRACK_SECMARK 243 #ifdef CONFIG_NF_CONNTRACK_SECMARK
244 static inline int 244 static inline int
245 ctnetlink_dump_secmark(struct sk_buff *skb, const struct nf_conn *ct) 245 ctnetlink_dump_secmark(struct sk_buff *skb, const struct nf_conn *ct)
246 { 246 {
247 NLA_PUT_BE32(skb, CTA_SECMARK, htonl(ct->secmark)); 247 NLA_PUT_BE32(skb, CTA_SECMARK, htonl(ct->secmark));
248 return 0; 248 return 0;
249 249
250 nla_put_failure: 250 nla_put_failure:
251 return -1; 251 return -1;
252 } 252 }
253 #else 253 #else
254 #define ctnetlink_dump_secmark(a, b) (0) 254 #define ctnetlink_dump_secmark(a, b) (0)
255 #endif 255 #endif
256 256
257 #define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple) 257 #define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple)
258 258
259 static inline int 259 static inline int
260 ctnetlink_dump_master(struct sk_buff *skb, const struct nf_conn *ct) 260 ctnetlink_dump_master(struct sk_buff *skb, const struct nf_conn *ct)
261 { 261 {
262 struct nlattr *nest_parms; 262 struct nlattr *nest_parms;
263 263
264 if (!(ct->status & IPS_EXPECTED)) 264 if (!(ct->status & IPS_EXPECTED))
265 return 0; 265 return 0;
266 266
267 nest_parms = nla_nest_start(skb, CTA_TUPLE_MASTER | NLA_F_NESTED); 267 nest_parms = nla_nest_start(skb, CTA_TUPLE_MASTER | NLA_F_NESTED);
268 if (!nest_parms) 268 if (!nest_parms)
269 goto nla_put_failure; 269 goto nla_put_failure;
270 if (ctnetlink_dump_tuples(skb, master_tuple(ct)) < 0) 270 if (ctnetlink_dump_tuples(skb, master_tuple(ct)) < 0)
271 goto nla_put_failure; 271 goto nla_put_failure;
272 nla_nest_end(skb, nest_parms); 272 nla_nest_end(skb, nest_parms);
273 273
274 return 0; 274 return 0;
275 275
276 nla_put_failure: 276 nla_put_failure:
277 return -1; 277 return -1;
278 } 278 }
279 279
280 #ifdef CONFIG_NF_NAT_NEEDED 280 #ifdef CONFIG_NF_NAT_NEEDED
281 static int 281 static int
282 dump_nat_seq_adj(struct sk_buff *skb, const struct nf_nat_seq *natseq, int type) 282 dump_nat_seq_adj(struct sk_buff *skb, const struct nf_nat_seq *natseq, int type)
283 { 283 {
284 struct nlattr *nest_parms; 284 struct nlattr *nest_parms;
285 285
286 nest_parms = nla_nest_start(skb, type | NLA_F_NESTED); 286 nest_parms = nla_nest_start(skb, type | NLA_F_NESTED);
287 if (!nest_parms) 287 if (!nest_parms)
288 goto nla_put_failure; 288 goto nla_put_failure;
289 289
290 NLA_PUT_BE32(skb, CTA_NAT_SEQ_CORRECTION_POS, 290 NLA_PUT_BE32(skb, CTA_NAT_SEQ_CORRECTION_POS,
291 htonl(natseq->correction_pos)); 291 htonl(natseq->correction_pos));
292 NLA_PUT_BE32(skb, CTA_NAT_SEQ_OFFSET_BEFORE, 292 NLA_PUT_BE32(skb, CTA_NAT_SEQ_OFFSET_BEFORE,
293 htonl(natseq->offset_before)); 293 htonl(natseq->offset_before));
294 NLA_PUT_BE32(skb, CTA_NAT_SEQ_OFFSET_AFTER, 294 NLA_PUT_BE32(skb, CTA_NAT_SEQ_OFFSET_AFTER,
295 htonl(natseq->offset_after)); 295 htonl(natseq->offset_after));
296 296
297 nla_nest_end(skb, nest_parms); 297 nla_nest_end(skb, nest_parms);
298 298
299 return 0; 299 return 0;
300 300
301 nla_put_failure: 301 nla_put_failure:
302 return -1; 302 return -1;
303 } 303 }
304 304
305 static inline int 305 static inline int
306 ctnetlink_dump_nat_seq_adj(struct sk_buff *skb, const struct nf_conn *ct) 306 ctnetlink_dump_nat_seq_adj(struct sk_buff *skb, const struct nf_conn *ct)
307 { 307 {
308 struct nf_nat_seq *natseq; 308 struct nf_nat_seq *natseq;
309 struct nf_conn_nat *nat = nfct_nat(ct); 309 struct nf_conn_nat *nat = nfct_nat(ct);
310 310
311 if (!(ct->status & IPS_SEQ_ADJUST) || !nat) 311 if (!(ct->status & IPS_SEQ_ADJUST) || !nat)
312 return 0; 312 return 0;
313 313
314 natseq = &nat->seq[IP_CT_DIR_ORIGINAL]; 314 natseq = &nat->seq[IP_CT_DIR_ORIGINAL];
315 if (dump_nat_seq_adj(skb, natseq, CTA_NAT_SEQ_ADJ_ORIG) == -1) 315 if (dump_nat_seq_adj(skb, natseq, CTA_NAT_SEQ_ADJ_ORIG) == -1)
316 return -1; 316 return -1;
317 317
318 natseq = &nat->seq[IP_CT_DIR_REPLY]; 318 natseq = &nat->seq[IP_CT_DIR_REPLY];
319 if (dump_nat_seq_adj(skb, natseq, CTA_NAT_SEQ_ADJ_REPLY) == -1) 319 if (dump_nat_seq_adj(skb, natseq, CTA_NAT_SEQ_ADJ_REPLY) == -1)
320 return -1; 320 return -1;
321 321
322 return 0; 322 return 0;
323 } 323 }
324 #else 324 #else
325 #define ctnetlink_dump_nat_seq_adj(a, b) (0) 325 #define ctnetlink_dump_nat_seq_adj(a, b) (0)
326 #endif 326 #endif
327 327
328 static inline int 328 static inline int
329 ctnetlink_dump_id(struct sk_buff *skb, const struct nf_conn *ct) 329 ctnetlink_dump_id(struct sk_buff *skb, const struct nf_conn *ct)
330 { 330 {
331 NLA_PUT_BE32(skb, CTA_ID, htonl((unsigned long)ct)); 331 NLA_PUT_BE32(skb, CTA_ID, htonl((unsigned long)ct));
332 return 0; 332 return 0;
333 333
334 nla_put_failure: 334 nla_put_failure:
335 return -1; 335 return -1;
336 } 336 }
337 337
338 static inline int 338 static inline int
339 ctnetlink_dump_use(struct sk_buff *skb, const struct nf_conn *ct) 339 ctnetlink_dump_use(struct sk_buff *skb, const struct nf_conn *ct)
340 { 340 {
341 NLA_PUT_BE32(skb, CTA_USE, htonl(atomic_read(&ct->ct_general.use))); 341 NLA_PUT_BE32(skb, CTA_USE, htonl(atomic_read(&ct->ct_general.use)));
342 return 0; 342 return 0;
343 343
344 nla_put_failure: 344 nla_put_failure:
345 return -1; 345 return -1;
346 } 346 }
347 347
348 static int 348 static int
349 ctnetlink_fill_info(struct sk_buff *skb, u32 pid, u32 seq, 349 ctnetlink_fill_info(struct sk_buff *skb, u32 pid, u32 seq,
350 int event, const struct nf_conn *ct) 350 int event, struct nf_conn *ct)
351 { 351 {
352 struct nlmsghdr *nlh; 352 struct nlmsghdr *nlh;
353 struct nfgenmsg *nfmsg; 353 struct nfgenmsg *nfmsg;
354 struct nlattr *nest_parms; 354 struct nlattr *nest_parms;
355 unsigned int flags = pid ? NLM_F_MULTI : 0; 355 unsigned int flags = pid ? NLM_F_MULTI : 0;
356 356
357 event |= NFNL_SUBSYS_CTNETLINK << 8; 357 event |= NFNL_SUBSYS_CTNETLINK << 8;
358 nlh = nlmsg_put(skb, pid, seq, event, sizeof(*nfmsg), flags); 358 nlh = nlmsg_put(skb, pid, seq, event, sizeof(*nfmsg), flags);
359 if (nlh == NULL) 359 if (nlh == NULL)
360 goto nlmsg_failure; 360 goto nlmsg_failure;
361 361
362 nfmsg = nlmsg_data(nlh); 362 nfmsg = nlmsg_data(nlh);
363 nfmsg->nfgen_family = nf_ct_l3num(ct); 363 nfmsg->nfgen_family = nf_ct_l3num(ct);
364 nfmsg->version = NFNETLINK_V0; 364 nfmsg->version = NFNETLINK_V0;
365 nfmsg->res_id = 0; 365 nfmsg->res_id = 0;
366 366
367 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED); 367 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED);
368 if (!nest_parms) 368 if (!nest_parms)
369 goto nla_put_failure; 369 goto nla_put_failure;
370 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0) 370 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
371 goto nla_put_failure; 371 goto nla_put_failure;
372 nla_nest_end(skb, nest_parms); 372 nla_nest_end(skb, nest_parms);
373 373
374 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY | NLA_F_NESTED); 374 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY | NLA_F_NESTED);
375 if (!nest_parms) 375 if (!nest_parms)
376 goto nla_put_failure; 376 goto nla_put_failure;
377 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0) 377 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
378 goto nla_put_failure; 378 goto nla_put_failure;
379 nla_nest_end(skb, nest_parms); 379 nla_nest_end(skb, nest_parms);
380 380
381 if (ctnetlink_dump_status(skb, ct) < 0 || 381 if (ctnetlink_dump_status(skb, ct) < 0 ||
382 ctnetlink_dump_timeout(skb, ct) < 0 || 382 ctnetlink_dump_timeout(skb, ct) < 0 ||
383 ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 || 383 ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 ||
384 ctnetlink_dump_counters(skb, ct, IP_CT_DIR_REPLY) < 0 || 384 ctnetlink_dump_counters(skb, ct, IP_CT_DIR_REPLY) < 0 ||
385 ctnetlink_dump_protoinfo(skb, ct) < 0 || 385 ctnetlink_dump_protoinfo(skb, ct) < 0 ||
386 ctnetlink_dump_helpinfo(skb, ct) < 0 || 386 ctnetlink_dump_helpinfo(skb, ct) < 0 ||
387 ctnetlink_dump_mark(skb, ct) < 0 || 387 ctnetlink_dump_mark(skb, ct) < 0 ||
388 ctnetlink_dump_secmark(skb, ct) < 0 || 388 ctnetlink_dump_secmark(skb, ct) < 0 ||
389 ctnetlink_dump_id(skb, ct) < 0 || 389 ctnetlink_dump_id(skb, ct) < 0 ||
390 ctnetlink_dump_use(skb, ct) < 0 || 390 ctnetlink_dump_use(skb, ct) < 0 ||
391 ctnetlink_dump_master(skb, ct) < 0 || 391 ctnetlink_dump_master(skb, ct) < 0 ||
392 ctnetlink_dump_nat_seq_adj(skb, ct) < 0) 392 ctnetlink_dump_nat_seq_adj(skb, ct) < 0)
393 goto nla_put_failure; 393 goto nla_put_failure;
394 394
395 nlmsg_end(skb, nlh); 395 nlmsg_end(skb, nlh);
396 return skb->len; 396 return skb->len;
397 397
398 nlmsg_failure: 398 nlmsg_failure:
399 nla_put_failure: 399 nla_put_failure:
400 nlmsg_cancel(skb, nlh); 400 nlmsg_cancel(skb, nlh);
401 return -1; 401 return -1;
402 } 402 }
403 403
404 #ifdef CONFIG_NF_CONNTRACK_EVENTS 404 #ifdef CONFIG_NF_CONNTRACK_EVENTS
405 static inline size_t 405 static inline size_t
406 ctnetlink_proto_size(const struct nf_conn *ct) 406 ctnetlink_proto_size(const struct nf_conn *ct)
407 { 407 {
408 struct nf_conntrack_l3proto *l3proto; 408 struct nf_conntrack_l3proto *l3proto;
409 struct nf_conntrack_l4proto *l4proto; 409 struct nf_conntrack_l4proto *l4proto;
410 size_t len = 0; 410 size_t len = 0;
411 411
412 rcu_read_lock(); 412 rcu_read_lock();
413 l3proto = __nf_ct_l3proto_find(nf_ct_l3num(ct)); 413 l3proto = __nf_ct_l3proto_find(nf_ct_l3num(ct));
414 len += l3proto->nla_size; 414 len += l3proto->nla_size;
415 415
416 l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct)); 416 l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
417 len += l4proto->nla_size; 417 len += l4proto->nla_size;
418 rcu_read_unlock(); 418 rcu_read_unlock();
419 419
420 return len; 420 return len;
421 } 421 }
422 422
423 static inline size_t 423 static inline size_t
424 ctnetlink_nlmsg_size(const struct nf_conn *ct) 424 ctnetlink_nlmsg_size(const struct nf_conn *ct)
425 { 425 {
426 return NLMSG_ALIGN(sizeof(struct nfgenmsg)) 426 return NLMSG_ALIGN(sizeof(struct nfgenmsg))
427 + 3 * nla_total_size(0) /* CTA_TUPLE_ORIG|REPL|MASTER */ 427 + 3 * nla_total_size(0) /* CTA_TUPLE_ORIG|REPL|MASTER */
428 + 3 * nla_total_size(0) /* CTA_TUPLE_IP */ 428 + 3 * nla_total_size(0) /* CTA_TUPLE_IP */
429 + 3 * nla_total_size(0) /* CTA_TUPLE_PROTO */ 429 + 3 * nla_total_size(0) /* CTA_TUPLE_PROTO */
430 + 3 * nla_total_size(sizeof(u_int8_t)) /* CTA_PROTO_NUM */ 430 + 3 * nla_total_size(sizeof(u_int8_t)) /* CTA_PROTO_NUM */
431 + nla_total_size(sizeof(u_int32_t)) /* CTA_ID */ 431 + nla_total_size(sizeof(u_int32_t)) /* CTA_ID */
432 + nla_total_size(sizeof(u_int32_t)) /* CTA_STATUS */ 432 + nla_total_size(sizeof(u_int32_t)) /* CTA_STATUS */
433 #ifdef CONFIG_NF_CT_ACCT 433 #ifdef CONFIG_NF_CT_ACCT
434 + 2 * nla_total_size(0) /* CTA_COUNTERS_ORIG|REPL */ 434 + 2 * nla_total_size(0) /* CTA_COUNTERS_ORIG|REPL */
435 + 2 * nla_total_size(sizeof(uint64_t)) /* CTA_COUNTERS_PACKETS */ 435 + 2 * nla_total_size(sizeof(uint64_t)) /* CTA_COUNTERS_PACKETS */
436 + 2 * nla_total_size(sizeof(uint64_t)) /* CTA_COUNTERS_BYTES */ 436 + 2 * nla_total_size(sizeof(uint64_t)) /* CTA_COUNTERS_BYTES */
437 #endif 437 #endif
438 + nla_total_size(sizeof(u_int32_t)) /* CTA_TIMEOUT */ 438 + nla_total_size(sizeof(u_int32_t)) /* CTA_TIMEOUT */
439 + nla_total_size(0) /* CTA_PROTOINFO */ 439 + nla_total_size(0) /* CTA_PROTOINFO */
440 + nla_total_size(0) /* CTA_HELP */ 440 + nla_total_size(0) /* CTA_HELP */
441 + nla_total_size(NF_CT_HELPER_NAME_LEN) /* CTA_HELP_NAME */ 441 + nla_total_size(NF_CT_HELPER_NAME_LEN) /* CTA_HELP_NAME */
442 #ifdef CONFIG_NF_CONNTRACK_SECMARK 442 #ifdef CONFIG_NF_CONNTRACK_SECMARK
443 + nla_total_size(sizeof(u_int32_t)) /* CTA_SECMARK */ 443 + nla_total_size(sizeof(u_int32_t)) /* CTA_SECMARK */
444 #endif 444 #endif
445 #ifdef CONFIG_NF_NAT_NEEDED 445 #ifdef CONFIG_NF_NAT_NEEDED
446 + 2 * nla_total_size(0) /* CTA_NAT_SEQ_ADJ_ORIG|REPL */ 446 + 2 * nla_total_size(0) /* CTA_NAT_SEQ_ADJ_ORIG|REPL */
447 + 6 * nla_total_size(sizeof(u_int32_t)) /* CTA_NAT_SEQ_OFFSET */ 447 + 6 * nla_total_size(sizeof(u_int32_t)) /* CTA_NAT_SEQ_OFFSET */
448 #endif 448 #endif
449 #ifdef CONFIG_NF_CONNTRACK_MARK 449 #ifdef CONFIG_NF_CONNTRACK_MARK
450 + nla_total_size(sizeof(u_int32_t)) /* CTA_MARK */ 450 + nla_total_size(sizeof(u_int32_t)) /* CTA_MARK */
451 #endif 451 #endif
452 + ctnetlink_proto_size(ct) 452 + ctnetlink_proto_size(ct)
453 ; 453 ;
454 } 454 }
455 455
456 static int 456 static int
457 ctnetlink_conntrack_event(unsigned int events, struct nf_ct_event *item) 457 ctnetlink_conntrack_event(unsigned int events, struct nf_ct_event *item)
458 { 458 {
459 struct nlmsghdr *nlh; 459 struct nlmsghdr *nlh;
460 struct nfgenmsg *nfmsg; 460 struct nfgenmsg *nfmsg;
461 struct nlattr *nest_parms; 461 struct nlattr *nest_parms;
462 struct nf_conn *ct = item->ct; 462 struct nf_conn *ct = item->ct;
463 struct sk_buff *skb; 463 struct sk_buff *skb;
464 unsigned int type; 464 unsigned int type;
465 unsigned int flags = 0, group; 465 unsigned int flags = 0, group;
466 466
467 /* ignore our fake conntrack entry */ 467 /* ignore our fake conntrack entry */
468 if (ct == &nf_conntrack_untracked) 468 if (ct == &nf_conntrack_untracked)
469 return 0; 469 return 0;
470 470
471 if (events & IPCT_DESTROY) { 471 if (events & IPCT_DESTROY) {
472 type = IPCTNL_MSG_CT_DELETE; 472 type = IPCTNL_MSG_CT_DELETE;
473 group = NFNLGRP_CONNTRACK_DESTROY; 473 group = NFNLGRP_CONNTRACK_DESTROY;
474 } else if (events & (IPCT_NEW | IPCT_RELATED)) { 474 } else if (events & (IPCT_NEW | IPCT_RELATED)) {
475 type = IPCTNL_MSG_CT_NEW; 475 type = IPCTNL_MSG_CT_NEW;
476 flags = NLM_F_CREATE|NLM_F_EXCL; 476 flags = NLM_F_CREATE|NLM_F_EXCL;
477 group = NFNLGRP_CONNTRACK_NEW; 477 group = NFNLGRP_CONNTRACK_NEW;
478 } else if (events) { 478 } else if (events) {
479 type = IPCTNL_MSG_CT_NEW; 479 type = IPCTNL_MSG_CT_NEW;
480 group = NFNLGRP_CONNTRACK_UPDATE; 480 group = NFNLGRP_CONNTRACK_UPDATE;
481 } else 481 } else
482 return 0; 482 return 0;
483 483
484 if (!item->report && !nfnetlink_has_listeners(group)) 484 if (!item->report && !nfnetlink_has_listeners(group))
485 return 0; 485 return 0;
486 486
487 skb = nlmsg_new(ctnetlink_nlmsg_size(ct), GFP_ATOMIC); 487 skb = nlmsg_new(ctnetlink_nlmsg_size(ct), GFP_ATOMIC);
488 if (skb == NULL) 488 if (skb == NULL)
489 goto errout; 489 goto errout;
490 490
491 type |= NFNL_SUBSYS_CTNETLINK << 8; 491 type |= NFNL_SUBSYS_CTNETLINK << 8;
492 nlh = nlmsg_put(skb, item->pid, 0, type, sizeof(*nfmsg), flags); 492 nlh = nlmsg_put(skb, item->pid, 0, type, sizeof(*nfmsg), flags);
493 if (nlh == NULL) 493 if (nlh == NULL)
494 goto nlmsg_failure; 494 goto nlmsg_failure;
495 495
496 nfmsg = nlmsg_data(nlh); 496 nfmsg = nlmsg_data(nlh);
497 nfmsg->nfgen_family = nf_ct_l3num(ct); 497 nfmsg->nfgen_family = nf_ct_l3num(ct);
498 nfmsg->version = NFNETLINK_V0; 498 nfmsg->version = NFNETLINK_V0;
499 nfmsg->res_id = 0; 499 nfmsg->res_id = 0;
500 500
501 rcu_read_lock(); 501 rcu_read_lock();
502 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED); 502 nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED);
503 if (!nest_parms) 503 if (!nest_parms)
504 goto nla_put_failure; 504 goto nla_put_failure;
505 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0) 505 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
506 goto nla_put_failure; 506 goto nla_put_failure;
507 nla_nest_end(skb, nest_parms); 507 nla_nest_end(skb, nest_parms);
508 508
509 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY | NLA_F_NESTED); 509 nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY | NLA_F_NESTED);
510 if (!nest_parms) 510 if (!nest_parms)
511 goto nla_put_failure; 511 goto nla_put_failure;
512 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0) 512 if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
513 goto nla_put_failure; 513 goto nla_put_failure;
514 nla_nest_end(skb, nest_parms); 514 nla_nest_end(skb, nest_parms);
515 515
516 if (ctnetlink_dump_id(skb, ct) < 0) 516 if (ctnetlink_dump_id(skb, ct) < 0)
517 goto nla_put_failure; 517 goto nla_put_failure;
518 518
519 if (ctnetlink_dump_status(skb, ct) < 0) 519 if (ctnetlink_dump_status(skb, ct) < 0)
520 goto nla_put_failure; 520 goto nla_put_failure;
521 521
522 if (events & IPCT_DESTROY) { 522 if (events & IPCT_DESTROY) {
523 if (ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 || 523 if (ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 ||
524 ctnetlink_dump_counters(skb, ct, IP_CT_DIR_REPLY) < 0) 524 ctnetlink_dump_counters(skb, ct, IP_CT_DIR_REPLY) < 0)
525 goto nla_put_failure; 525 goto nla_put_failure;
526 } else { 526 } else {
527 if (ctnetlink_dump_timeout(skb, ct) < 0) 527 if (ctnetlink_dump_timeout(skb, ct) < 0)
528 goto nla_put_failure; 528 goto nla_put_failure;
529 529
530 if (events & IPCT_PROTOINFO 530 if (events & IPCT_PROTOINFO
531 && ctnetlink_dump_protoinfo(skb, ct) < 0) 531 && ctnetlink_dump_protoinfo(skb, ct) < 0)
532 goto nla_put_failure; 532 goto nla_put_failure;
533 533
534 if ((events & IPCT_HELPER || nfct_help(ct)) 534 if ((events & IPCT_HELPER || nfct_help(ct))
535 && ctnetlink_dump_helpinfo(skb, ct) < 0) 535 && ctnetlink_dump_helpinfo(skb, ct) < 0)
536 goto nla_put_failure; 536 goto nla_put_failure;
537 537
538 #ifdef CONFIG_NF_CONNTRACK_SECMARK 538 #ifdef CONFIG_NF_CONNTRACK_SECMARK
539 if ((events & IPCT_SECMARK || ct->secmark) 539 if ((events & IPCT_SECMARK || ct->secmark)
540 && ctnetlink_dump_secmark(skb, ct) < 0) 540 && ctnetlink_dump_secmark(skb, ct) < 0)
541 goto nla_put_failure; 541 goto nla_put_failure;
542 #endif 542 #endif
543 543
544 if (events & IPCT_RELATED && 544 if (events & IPCT_RELATED &&
545 ctnetlink_dump_master(skb, ct) < 0) 545 ctnetlink_dump_master(skb, ct) < 0)
546 goto nla_put_failure; 546 goto nla_put_failure;
547 547
548 if (events & IPCT_NATSEQADJ && 548 if (events & IPCT_NATSEQADJ &&
549 ctnetlink_dump_nat_seq_adj(skb, ct) < 0) 549 ctnetlink_dump_nat_seq_adj(skb, ct) < 0)
550 goto nla_put_failure; 550 goto nla_put_failure;
551 } 551 }
552 552
553 #ifdef CONFIG_NF_CONNTRACK_MARK 553 #ifdef CONFIG_NF_CONNTRACK_MARK
554 if ((events & IPCT_MARK || ct->mark) 554 if ((events & IPCT_MARK || ct->mark)
555 && ctnetlink_dump_mark(skb, ct) < 0) 555 && ctnetlink_dump_mark(skb, ct) < 0)
556 goto nla_put_failure; 556 goto nla_put_failure;
557 #endif 557 #endif
558 rcu_read_unlock(); 558 rcu_read_unlock();
559 559
560 nlmsg_end(skb, nlh); 560 nlmsg_end(skb, nlh);
561 nfnetlink_send(skb, item->pid, group, item->report, GFP_ATOMIC); 561 nfnetlink_send(skb, item->pid, group, item->report, GFP_ATOMIC);
562 return 0; 562 return 0;
563 563
564 nla_put_failure: 564 nla_put_failure:
565 rcu_read_unlock(); 565 rcu_read_unlock();
566 nlmsg_cancel(skb, nlh); 566 nlmsg_cancel(skb, nlh);
567 nlmsg_failure: 567 nlmsg_failure:
568 kfree_skb(skb); 568 kfree_skb(skb);
569 errout: 569 errout:
570 nfnetlink_set_err(0, group, -ENOBUFS); 570 nfnetlink_set_err(0, group, -ENOBUFS);
571 return 0; 571 return 0;
572 } 572 }
573 #endif /* CONFIG_NF_CONNTRACK_EVENTS */ 573 #endif /* CONFIG_NF_CONNTRACK_EVENTS */
574 574
575 static int ctnetlink_done(struct netlink_callback *cb) 575 static int ctnetlink_done(struct netlink_callback *cb)
576 { 576 {
577 if (cb->args[1]) 577 if (cb->args[1])
578 nf_ct_put((struct nf_conn *)cb->args[1]); 578 nf_ct_put((struct nf_conn *)cb->args[1]);
579 return 0; 579 return 0;
580 } 580 }
581 581
582 static int 582 static int
583 ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb) 583 ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
584 { 584 {
585 struct nf_conn *ct, *last; 585 struct nf_conn *ct, *last;
586 struct nf_conntrack_tuple_hash *h; 586 struct nf_conntrack_tuple_hash *h;
587 struct hlist_nulls_node *n; 587 struct hlist_nulls_node *n;
588 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 588 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
589 u_int8_t l3proto = nfmsg->nfgen_family; 589 u_int8_t l3proto = nfmsg->nfgen_family;
590 590
591 rcu_read_lock(); 591 rcu_read_lock();
592 last = (struct nf_conn *)cb->args[1]; 592 last = (struct nf_conn *)cb->args[1];
593 for (; cb->args[0] < nf_conntrack_htable_size; cb->args[0]++) { 593 for (; cb->args[0] < nf_conntrack_htable_size; cb->args[0]++) {
594 restart: 594 restart:
595 hlist_nulls_for_each_entry_rcu(h, n, &init_net.ct.hash[cb->args[0]], 595 hlist_nulls_for_each_entry_rcu(h, n, &init_net.ct.hash[cb->args[0]],
596 hnnode) { 596 hnnode) {
597 if (NF_CT_DIRECTION(h) != IP_CT_DIR_ORIGINAL) 597 if (NF_CT_DIRECTION(h) != IP_CT_DIR_ORIGINAL)
598 continue; 598 continue;
599 ct = nf_ct_tuplehash_to_ctrack(h); 599 ct = nf_ct_tuplehash_to_ctrack(h);
600 if (!atomic_inc_not_zero(&ct->ct_general.use)) 600 if (!atomic_inc_not_zero(&ct->ct_general.use))
601 continue; 601 continue;
602 /* Dump entries of a given L3 protocol number. 602 /* Dump entries of a given L3 protocol number.
603 * If it is not specified, ie. l3proto == 0, 603 * If it is not specified, ie. l3proto == 0,
604 * then dump everything. */ 604 * then dump everything. */
605 if (l3proto && nf_ct_l3num(ct) != l3proto) 605 if (l3proto && nf_ct_l3num(ct) != l3proto)
606 goto releasect; 606 goto releasect;
607 if (cb->args[1]) { 607 if (cb->args[1]) {
608 if (ct != last) 608 if (ct != last)
609 goto releasect; 609 goto releasect;
610 cb->args[1] = 0; 610 cb->args[1] = 0;
611 } 611 }
612 if (ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).pid, 612 if (ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).pid,
613 cb->nlh->nlmsg_seq, 613 cb->nlh->nlmsg_seq,
614 IPCTNL_MSG_CT_NEW, ct) < 0) { 614 IPCTNL_MSG_CT_NEW, ct) < 0) {
615 cb->args[1] = (unsigned long)ct; 615 cb->args[1] = (unsigned long)ct;
616 goto out; 616 goto out;
617 } 617 }
618 618
619 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) == 619 if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) ==
620 IPCTNL_MSG_CT_GET_CTRZERO) { 620 IPCTNL_MSG_CT_GET_CTRZERO) {
621 struct nf_conn_counter *acct; 621 struct nf_conn_counter *acct;
622 622
623 acct = nf_conn_acct_find(ct); 623 acct = nf_conn_acct_find(ct);
624 if (acct) 624 if (acct)
625 memset(acct, 0, sizeof(struct nf_conn_counter[IP_CT_DIR_MAX])); 625 memset(acct, 0, sizeof(struct nf_conn_counter[IP_CT_DIR_MAX]));
626 } 626 }
627 releasect: 627 releasect:
628 nf_ct_put(ct); 628 nf_ct_put(ct);
629 } 629 }
630 if (cb->args[1]) { 630 if (cb->args[1]) {
631 cb->args[1] = 0; 631 cb->args[1] = 0;
632 goto restart; 632 goto restart;
633 } 633 }
634 } 634 }
635 out: 635 out:
636 rcu_read_unlock(); 636 rcu_read_unlock();
637 if (last) 637 if (last)
638 nf_ct_put(last); 638 nf_ct_put(last);
639 639
640 return skb->len; 640 return skb->len;
641 } 641 }
642 642
643 static inline int 643 static inline int
644 ctnetlink_parse_tuple_ip(struct nlattr *attr, struct nf_conntrack_tuple *tuple) 644 ctnetlink_parse_tuple_ip(struct nlattr *attr, struct nf_conntrack_tuple *tuple)
645 { 645 {
646 struct nlattr *tb[CTA_IP_MAX+1]; 646 struct nlattr *tb[CTA_IP_MAX+1];
647 struct nf_conntrack_l3proto *l3proto; 647 struct nf_conntrack_l3proto *l3proto;
648 int ret = 0; 648 int ret = 0;
649 649
650 nla_parse_nested(tb, CTA_IP_MAX, attr, NULL); 650 nla_parse_nested(tb, CTA_IP_MAX, attr, NULL);
651 651
652 rcu_read_lock(); 652 rcu_read_lock();
653 l3proto = __nf_ct_l3proto_find(tuple->src.l3num); 653 l3proto = __nf_ct_l3proto_find(tuple->src.l3num);
654 654
655 if (likely(l3proto->nlattr_to_tuple)) { 655 if (likely(l3proto->nlattr_to_tuple)) {
656 ret = nla_validate_nested(attr, CTA_IP_MAX, 656 ret = nla_validate_nested(attr, CTA_IP_MAX,
657 l3proto->nla_policy); 657 l3proto->nla_policy);
658 if (ret == 0) 658 if (ret == 0)
659 ret = l3proto->nlattr_to_tuple(tb, tuple); 659 ret = l3proto->nlattr_to_tuple(tb, tuple);
660 } 660 }
661 661
662 rcu_read_unlock(); 662 rcu_read_unlock();
663 663
664 return ret; 664 return ret;
665 } 665 }
666 666
667 static const struct nla_policy proto_nla_policy[CTA_PROTO_MAX+1] = { 667 static const struct nla_policy proto_nla_policy[CTA_PROTO_MAX+1] = {
668 [CTA_PROTO_NUM] = { .type = NLA_U8 }, 668 [CTA_PROTO_NUM] = { .type = NLA_U8 },
669 }; 669 };
670 670
671 static inline int 671 static inline int
672 ctnetlink_parse_tuple_proto(struct nlattr *attr, 672 ctnetlink_parse_tuple_proto(struct nlattr *attr,
673 struct nf_conntrack_tuple *tuple) 673 struct nf_conntrack_tuple *tuple)
674 { 674 {
675 struct nlattr *tb[CTA_PROTO_MAX+1]; 675 struct nlattr *tb[CTA_PROTO_MAX+1];
676 struct nf_conntrack_l4proto *l4proto; 676 struct nf_conntrack_l4proto *l4proto;
677 int ret = 0; 677 int ret = 0;
678 678
679 ret = nla_parse_nested(tb, CTA_PROTO_MAX, attr, proto_nla_policy); 679 ret = nla_parse_nested(tb, CTA_PROTO_MAX, attr, proto_nla_policy);
680 if (ret < 0) 680 if (ret < 0)
681 return ret; 681 return ret;
682 682
683 if (!tb[CTA_PROTO_NUM]) 683 if (!tb[CTA_PROTO_NUM])
684 return -EINVAL; 684 return -EINVAL;
685 tuple->dst.protonum = nla_get_u8(tb[CTA_PROTO_NUM]); 685 tuple->dst.protonum = nla_get_u8(tb[CTA_PROTO_NUM]);
686 686
687 rcu_read_lock(); 687 rcu_read_lock();
688 l4proto = __nf_ct_l4proto_find(tuple->src.l3num, tuple->dst.protonum); 688 l4proto = __nf_ct_l4proto_find(tuple->src.l3num, tuple->dst.protonum);
689 689
690 if (likely(l4proto->nlattr_to_tuple)) { 690 if (likely(l4proto->nlattr_to_tuple)) {
691 ret = nla_validate_nested(attr, CTA_PROTO_MAX, 691 ret = nla_validate_nested(attr, CTA_PROTO_MAX,
692 l4proto->nla_policy); 692 l4proto->nla_policy);
693 if (ret == 0) 693 if (ret == 0)
694 ret = l4proto->nlattr_to_tuple(tb, tuple); 694 ret = l4proto->nlattr_to_tuple(tb, tuple);
695 } 695 }
696 696
697 rcu_read_unlock(); 697 rcu_read_unlock();
698 698
699 return ret; 699 return ret;
700 } 700 }
701 701
702 static int 702 static int
703 ctnetlink_parse_tuple(struct nlattr *cda[], struct nf_conntrack_tuple *tuple, 703 ctnetlink_parse_tuple(struct nlattr *cda[], struct nf_conntrack_tuple *tuple,
704 enum ctattr_tuple type, u_int8_t l3num) 704 enum ctattr_tuple type, u_int8_t l3num)
705 { 705 {
706 struct nlattr *tb[CTA_TUPLE_MAX+1]; 706 struct nlattr *tb[CTA_TUPLE_MAX+1];
707 int err; 707 int err;
708 708
709 memset(tuple, 0, sizeof(*tuple)); 709 memset(tuple, 0, sizeof(*tuple));
710 710
711 nla_parse_nested(tb, CTA_TUPLE_MAX, cda[type], NULL); 711 nla_parse_nested(tb, CTA_TUPLE_MAX, cda[type], NULL);
712 712
713 if (!tb[CTA_TUPLE_IP]) 713 if (!tb[CTA_TUPLE_IP])
714 return -EINVAL; 714 return -EINVAL;
715 715
716 tuple->src.l3num = l3num; 716 tuple->src.l3num = l3num;
717 717
718 err = ctnetlink_parse_tuple_ip(tb[CTA_TUPLE_IP], tuple); 718 err = ctnetlink_parse_tuple_ip(tb[CTA_TUPLE_IP], tuple);
719 if (err < 0) 719 if (err < 0)
720 return err; 720 return err;
721 721
722 if (!tb[CTA_TUPLE_PROTO]) 722 if (!tb[CTA_TUPLE_PROTO])
723 return -EINVAL; 723 return -EINVAL;
724 724
725 err = ctnetlink_parse_tuple_proto(tb[CTA_TUPLE_PROTO], tuple); 725 err = ctnetlink_parse_tuple_proto(tb[CTA_TUPLE_PROTO], tuple);
726 if (err < 0) 726 if (err < 0)
727 return err; 727 return err;
728 728
729 /* orig and expect tuples get DIR_ORIGINAL */ 729 /* orig and expect tuples get DIR_ORIGINAL */
730 if (type == CTA_TUPLE_REPLY) 730 if (type == CTA_TUPLE_REPLY)
731 tuple->dst.dir = IP_CT_DIR_REPLY; 731 tuple->dst.dir = IP_CT_DIR_REPLY;
732 else 732 else
733 tuple->dst.dir = IP_CT_DIR_ORIGINAL; 733 tuple->dst.dir = IP_CT_DIR_ORIGINAL;
734 734
735 return 0; 735 return 0;
736 } 736 }
737 737
738 static inline int 738 static inline int
739 ctnetlink_parse_help(struct nlattr *attr, char **helper_name) 739 ctnetlink_parse_help(struct nlattr *attr, char **helper_name)
740 { 740 {
741 struct nlattr *tb[CTA_HELP_MAX+1]; 741 struct nlattr *tb[CTA_HELP_MAX+1];
742 742
743 nla_parse_nested(tb, CTA_HELP_MAX, attr, NULL); 743 nla_parse_nested(tb, CTA_HELP_MAX, attr, NULL);
744 744
745 if (!tb[CTA_HELP_NAME]) 745 if (!tb[CTA_HELP_NAME])
746 return -EINVAL; 746 return -EINVAL;
747 747
748 *helper_name = nla_data(tb[CTA_HELP_NAME]); 748 *helper_name = nla_data(tb[CTA_HELP_NAME]);
749 749
750 return 0; 750 return 0;
751 } 751 }
752 752
753 static const struct nla_policy ct_nla_policy[CTA_MAX+1] = { 753 static const struct nla_policy ct_nla_policy[CTA_MAX+1] = {
754 [CTA_STATUS] = { .type = NLA_U32 }, 754 [CTA_STATUS] = { .type = NLA_U32 },
755 [CTA_TIMEOUT] = { .type = NLA_U32 }, 755 [CTA_TIMEOUT] = { .type = NLA_U32 },
756 [CTA_MARK] = { .type = NLA_U32 }, 756 [CTA_MARK] = { .type = NLA_U32 },
757 [CTA_USE] = { .type = NLA_U32 }, 757 [CTA_USE] = { .type = NLA_U32 },
758 [CTA_ID] = { .type = NLA_U32 }, 758 [CTA_ID] = { .type = NLA_U32 },
759 }; 759 };
760 760
761 static int 761 static int
762 ctnetlink_del_conntrack(struct sock *ctnl, struct sk_buff *skb, 762 ctnetlink_del_conntrack(struct sock *ctnl, struct sk_buff *skb,
763 struct nlmsghdr *nlh, struct nlattr *cda[]) 763 struct nlmsghdr *nlh, struct nlattr *cda[])
764 { 764 {
765 struct nf_conntrack_tuple_hash *h; 765 struct nf_conntrack_tuple_hash *h;
766 struct nf_conntrack_tuple tuple; 766 struct nf_conntrack_tuple tuple;
767 struct nf_conn *ct; 767 struct nf_conn *ct;
768 struct nfgenmsg *nfmsg = nlmsg_data(nlh); 768 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
769 u_int8_t u3 = nfmsg->nfgen_family; 769 u_int8_t u3 = nfmsg->nfgen_family;
770 int err = 0; 770 int err = 0;
771 771
772 if (cda[CTA_TUPLE_ORIG]) 772 if (cda[CTA_TUPLE_ORIG])
773 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, u3); 773 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, u3);
774 else if (cda[CTA_TUPLE_REPLY]) 774 else if (cda[CTA_TUPLE_REPLY])
775 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY, u3); 775 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY, u3);
776 else { 776 else {
777 /* Flush the whole table */ 777 /* Flush the whole table */
778 nf_conntrack_flush_report(&init_net, 778 nf_conntrack_flush_report(&init_net,
779 NETLINK_CB(skb).pid, 779 NETLINK_CB(skb).pid,
780 nlmsg_report(nlh)); 780 nlmsg_report(nlh));
781 return 0; 781 return 0;
782 } 782 }
783 783
784 if (err < 0) 784 if (err < 0)
785 return err; 785 return err;
786 786
787 h = nf_conntrack_find_get(&init_net, &tuple); 787 h = nf_conntrack_find_get(&init_net, &tuple);
788 if (!h) 788 if (!h)
789 return -ENOENT; 789 return -ENOENT;
790 790
791 ct = nf_ct_tuplehash_to_ctrack(h); 791 ct = nf_ct_tuplehash_to_ctrack(h);
792 792
793 if (cda[CTA_ID]) { 793 if (cda[CTA_ID]) {
794 u_int32_t id = ntohl(nla_get_be32(cda[CTA_ID])); 794 u_int32_t id = ntohl(nla_get_be32(cda[CTA_ID]));
795 if (id != (u32)(unsigned long)ct) { 795 if (id != (u32)(unsigned long)ct) {
796 nf_ct_put(ct); 796 nf_ct_put(ct);
797 return -ENOENT; 797 return -ENOENT;
798 } 798 }
799 } 799 }
800 800
801 nf_conntrack_event_report(IPCT_DESTROY, 801 nf_conntrack_event_report(IPCT_DESTROY,
802 ct, 802 ct,
803 NETLINK_CB(skb).pid, 803 NETLINK_CB(skb).pid,
804 nlmsg_report(nlh)); 804 nlmsg_report(nlh));
805 805
806 /* death_by_timeout would report the event again */ 806 /* death_by_timeout would report the event again */
807 set_bit(IPS_DYING_BIT, &ct->status); 807 set_bit(IPS_DYING_BIT, &ct->status);
808 808
809 nf_ct_kill(ct); 809 nf_ct_kill(ct);
810 nf_ct_put(ct); 810 nf_ct_put(ct);
811 811
812 return 0; 812 return 0;
813 } 813 }
814 814
815 static int 815 static int
816 ctnetlink_get_conntrack(struct sock *ctnl, struct sk_buff *skb, 816 ctnetlink_get_conntrack(struct sock *ctnl, struct sk_buff *skb,
817 struct nlmsghdr *nlh, struct nlattr *cda[]) 817 struct nlmsghdr *nlh, struct nlattr *cda[])
818 { 818 {
819 struct nf_conntrack_tuple_hash *h; 819 struct nf_conntrack_tuple_hash *h;
820 struct nf_conntrack_tuple tuple; 820 struct nf_conntrack_tuple tuple;
821 struct nf_conn *ct; 821 struct nf_conn *ct;
822 struct sk_buff *skb2 = NULL; 822 struct sk_buff *skb2 = NULL;
823 struct nfgenmsg *nfmsg = nlmsg_data(nlh); 823 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
824 u_int8_t u3 = nfmsg->nfgen_family; 824 u_int8_t u3 = nfmsg->nfgen_family;
825 int err = 0; 825 int err = 0;
826 826
827 if (nlh->nlmsg_flags & NLM_F_DUMP) 827 if (nlh->nlmsg_flags & NLM_F_DUMP)
828 return netlink_dump_start(ctnl, skb, nlh, ctnetlink_dump_table, 828 return netlink_dump_start(ctnl, skb, nlh, ctnetlink_dump_table,
829 ctnetlink_done); 829 ctnetlink_done);
830 830
831 if (cda[CTA_TUPLE_ORIG]) 831 if (cda[CTA_TUPLE_ORIG])
832 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, u3); 832 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, u3);
833 else if (cda[CTA_TUPLE_REPLY]) 833 else if (cda[CTA_TUPLE_REPLY])
834 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY, u3); 834 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY, u3);
835 else 835 else
836 return -EINVAL; 836 return -EINVAL;
837 837
838 if (err < 0) 838 if (err < 0)
839 return err; 839 return err;
840 840
841 h = nf_conntrack_find_get(&init_net, &tuple); 841 h = nf_conntrack_find_get(&init_net, &tuple);
842 if (!h) 842 if (!h)
843 return -ENOENT; 843 return -ENOENT;
844 844
845 ct = nf_ct_tuplehash_to_ctrack(h); 845 ct = nf_ct_tuplehash_to_ctrack(h);
846 846
847 err = -ENOMEM; 847 err = -ENOMEM;
848 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); 848 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
849 if (skb2 == NULL) { 849 if (skb2 == NULL) {
850 nf_ct_put(ct); 850 nf_ct_put(ct);
851 return -ENOMEM; 851 return -ENOMEM;
852 } 852 }
853 853
854 rcu_read_lock(); 854 rcu_read_lock();
855 err = ctnetlink_fill_info(skb2, NETLINK_CB(skb).pid, nlh->nlmsg_seq, 855 err = ctnetlink_fill_info(skb2, NETLINK_CB(skb).pid, nlh->nlmsg_seq,
856 IPCTNL_MSG_CT_NEW, ct); 856 IPCTNL_MSG_CT_NEW, ct);
857 rcu_read_unlock(); 857 rcu_read_unlock();
858 nf_ct_put(ct); 858 nf_ct_put(ct);
859 if (err <= 0) 859 if (err <= 0)
860 goto free; 860 goto free;
861 861
862 err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT); 862 err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT);
863 if (err < 0) 863 if (err < 0)
864 goto out; 864 goto out;
865 865
866 return 0; 866 return 0;
867 867
868 free: 868 free:
869 kfree_skb(skb2); 869 kfree_skb(skb2);
870 out: 870 out:
871 return err; 871 return err;
872 } 872 }
873 873
874 #ifdef CONFIG_NF_NAT_NEEDED 874 #ifdef CONFIG_NF_NAT_NEEDED
875 static int 875 static int
876 ctnetlink_parse_nat_setup(struct nf_conn *ct, 876 ctnetlink_parse_nat_setup(struct nf_conn *ct,
877 enum nf_nat_manip_type manip, 877 enum nf_nat_manip_type manip,
878 struct nlattr *attr) 878 struct nlattr *attr)
879 { 879 {
880 typeof(nfnetlink_parse_nat_setup_hook) parse_nat_setup; 880 typeof(nfnetlink_parse_nat_setup_hook) parse_nat_setup;
881 881
882 parse_nat_setup = rcu_dereference(nfnetlink_parse_nat_setup_hook); 882 parse_nat_setup = rcu_dereference(nfnetlink_parse_nat_setup_hook);
883 if (!parse_nat_setup) { 883 if (!parse_nat_setup) {
884 #ifdef CONFIG_MODULES 884 #ifdef CONFIG_MODULES
885 rcu_read_unlock(); 885 rcu_read_unlock();
886 spin_unlock_bh(&nf_conntrack_lock); 886 spin_unlock_bh(&nf_conntrack_lock);
887 nfnl_unlock(); 887 nfnl_unlock();
888 if (request_module("nf-nat-ipv4") < 0) { 888 if (request_module("nf-nat-ipv4") < 0) {
889 nfnl_lock(); 889 nfnl_lock();
890 spin_lock_bh(&nf_conntrack_lock); 890 spin_lock_bh(&nf_conntrack_lock);
891 rcu_read_lock(); 891 rcu_read_lock();
892 return -EOPNOTSUPP; 892 return -EOPNOTSUPP;
893 } 893 }
894 nfnl_lock(); 894 nfnl_lock();
895 spin_lock_bh(&nf_conntrack_lock); 895 spin_lock_bh(&nf_conntrack_lock);
896 rcu_read_lock(); 896 rcu_read_lock();
897 if (nfnetlink_parse_nat_setup_hook) 897 if (nfnetlink_parse_nat_setup_hook)
898 return -EAGAIN; 898 return -EAGAIN;
899 #endif 899 #endif
900 return -EOPNOTSUPP; 900 return -EOPNOTSUPP;
901 } 901 }
902 902
903 return parse_nat_setup(ct, manip, attr); 903 return parse_nat_setup(ct, manip, attr);
904 } 904 }
905 #endif 905 #endif
906 906
907 static int 907 static int
908 ctnetlink_change_status(struct nf_conn *ct, struct nlattr *cda[]) 908 ctnetlink_change_status(struct nf_conn *ct, struct nlattr *cda[])
909 { 909 {
910 unsigned long d; 910 unsigned long d;
911 unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS])); 911 unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS]));
912 d = ct->status ^ status; 912 d = ct->status ^ status;
913 913
914 if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING)) 914 if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING))
915 /* unchangeable */ 915 /* unchangeable */
916 return -EBUSY; 916 return -EBUSY;
917 917
918 if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY)) 918 if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY))
919 /* SEEN_REPLY bit can only be set */ 919 /* SEEN_REPLY bit can only be set */
920 return -EBUSY; 920 return -EBUSY;
921 921
922 if (d & IPS_ASSURED && !(status & IPS_ASSURED)) 922 if (d & IPS_ASSURED && !(status & IPS_ASSURED))
923 /* ASSURED bit can only be set */ 923 /* ASSURED bit can only be set */
924 return -EBUSY; 924 return -EBUSY;
925 925
926 /* Be careful here, modifying NAT bits can screw up things, 926 /* Be careful here, modifying NAT bits can screw up things,
927 * so don't let users modify them directly if they don't pass 927 * so don't let users modify them directly if they don't pass
928 * nf_nat_range. */ 928 * nf_nat_range. */
929 ct->status |= status & ~(IPS_NAT_DONE_MASK | IPS_NAT_MASK); 929 ct->status |= status & ~(IPS_NAT_DONE_MASK | IPS_NAT_MASK);
930 return 0; 930 return 0;
931 } 931 }
932 932
933 static int 933 static int
934 ctnetlink_change_nat(struct nf_conn *ct, struct nlattr *cda[]) 934 ctnetlink_change_nat(struct nf_conn *ct, struct nlattr *cda[])
935 { 935 {
936 #ifdef CONFIG_NF_NAT_NEEDED 936 #ifdef CONFIG_NF_NAT_NEEDED
937 int ret; 937 int ret;
938 938
939 if (cda[CTA_NAT_DST]) { 939 if (cda[CTA_NAT_DST]) {
940 ret = ctnetlink_parse_nat_setup(ct, 940 ret = ctnetlink_parse_nat_setup(ct,
941 IP_NAT_MANIP_DST, 941 IP_NAT_MANIP_DST,
942 cda[CTA_NAT_DST]); 942 cda[CTA_NAT_DST]);
943 if (ret < 0) 943 if (ret < 0)
944 return ret; 944 return ret;
945 } 945 }
946 if (cda[CTA_NAT_SRC]) { 946 if (cda[CTA_NAT_SRC]) {
947 ret = ctnetlink_parse_nat_setup(ct, 947 ret = ctnetlink_parse_nat_setup(ct,
948 IP_NAT_MANIP_SRC, 948 IP_NAT_MANIP_SRC,
949 cda[CTA_NAT_SRC]); 949 cda[CTA_NAT_SRC]);
950 if (ret < 0) 950 if (ret < 0)
951 return ret; 951 return ret;
952 } 952 }
953 return 0; 953 return 0;
954 #else 954 #else
955 return -EOPNOTSUPP; 955 return -EOPNOTSUPP;
956 #endif 956 #endif
957 } 957 }
958 958
959 static inline int 959 static inline int
960 ctnetlink_change_helper(struct nf_conn *ct, struct nlattr *cda[]) 960 ctnetlink_change_helper(struct nf_conn *ct, struct nlattr *cda[])
961 { 961 {
962 struct nf_conntrack_helper *helper; 962 struct nf_conntrack_helper *helper;
963 struct nf_conn_help *help = nfct_help(ct); 963 struct nf_conn_help *help = nfct_help(ct);
964 char *helpname = NULL; 964 char *helpname = NULL;
965 int err; 965 int err;
966 966
967 /* don't change helper of sibling connections */ 967 /* don't change helper of sibling connections */
968 if (ct->master) 968 if (ct->master)
969 return -EBUSY; 969 return -EBUSY;
970 970
971 err = ctnetlink_parse_help(cda[CTA_HELP], &helpname); 971 err = ctnetlink_parse_help(cda[CTA_HELP], &helpname);
972 if (err < 0) 972 if (err < 0)
973 return err; 973 return err;
974 974
975 if (!strcmp(helpname, "")) { 975 if (!strcmp(helpname, "")) {
976 if (help && help->helper) { 976 if (help && help->helper) {
977 /* we had a helper before ... */ 977 /* we had a helper before ... */
978 nf_ct_remove_expectations(ct); 978 nf_ct_remove_expectations(ct);
979 rcu_assign_pointer(help->helper, NULL); 979 rcu_assign_pointer(help->helper, NULL);
980 } 980 }
981 981
982 return 0; 982 return 0;
983 } 983 }
984 984
985 helper = __nf_conntrack_helper_find_byname(helpname); 985 helper = __nf_conntrack_helper_find_byname(helpname);
986 if (helper == NULL) { 986 if (helper == NULL) {
987 #ifdef CONFIG_MODULES 987 #ifdef CONFIG_MODULES
988 spin_unlock_bh(&nf_conntrack_lock); 988 spin_unlock_bh(&nf_conntrack_lock);
989 989
990 if (request_module("nfct-helper-%s", helpname) < 0) { 990 if (request_module("nfct-helper-%s", helpname) < 0) {
991 spin_lock_bh(&nf_conntrack_lock); 991 spin_lock_bh(&nf_conntrack_lock);
992 return -EOPNOTSUPP; 992 return -EOPNOTSUPP;
993 } 993 }
994 994
995 spin_lock_bh(&nf_conntrack_lock); 995 spin_lock_bh(&nf_conntrack_lock);
996 helper = __nf_conntrack_helper_find_byname(helpname); 996 helper = __nf_conntrack_helper_find_byname(helpname);
997 if (helper) 997 if (helper)
998 return -EAGAIN; 998 return -EAGAIN;
999 #endif 999 #endif
1000 return -EOPNOTSUPP; 1000 return -EOPNOTSUPP;
1001 } 1001 }
1002 1002
1003 if (help) { 1003 if (help) {
1004 if (help->helper == helper) 1004 if (help->helper == helper)
1005 return 0; 1005 return 0;
1006 if (help->helper) 1006 if (help->helper)
1007 return -EBUSY; 1007 return -EBUSY;
1008 /* need to zero data of old helper */ 1008 /* need to zero data of old helper */
1009 memset(&help->help, 0, sizeof(help->help)); 1009 memset(&help->help, 0, sizeof(help->help));
1010 } else { 1010 } else {
1011 help = nf_ct_helper_ext_add(ct, GFP_ATOMIC); 1011 help = nf_ct_helper_ext_add(ct, GFP_ATOMIC);
1012 if (help == NULL) 1012 if (help == NULL)
1013 return -ENOMEM; 1013 return -ENOMEM;
1014 } 1014 }
1015 1015
1016 rcu_assign_pointer(help->helper, helper); 1016 rcu_assign_pointer(help->helper, helper);
1017 1017
1018 return 0; 1018 return 0;
1019 } 1019 }
1020 1020
1021 static inline int 1021 static inline int
1022 ctnetlink_change_timeout(struct nf_conn *ct, struct nlattr *cda[]) 1022 ctnetlink_change_timeout(struct nf_conn *ct, struct nlattr *cda[])
1023 { 1023 {
1024 u_int32_t timeout = ntohl(nla_get_be32(cda[CTA_TIMEOUT])); 1024 u_int32_t timeout = ntohl(nla_get_be32(cda[CTA_TIMEOUT]));
1025 1025
1026 if (!del_timer(&ct->timeout)) 1026 if (!del_timer(&ct->timeout))
1027 return -ETIME; 1027 return -ETIME;
1028 1028
1029 ct->timeout.expires = jiffies + timeout * HZ; 1029 ct->timeout.expires = jiffies + timeout * HZ;
1030 add_timer(&ct->timeout); 1030 add_timer(&ct->timeout);
1031 1031
1032 return 0; 1032 return 0;
1033 } 1033 }
1034 1034
1035 static inline int 1035 static inline int
1036 ctnetlink_change_protoinfo(struct nf_conn *ct, struct nlattr *cda[]) 1036 ctnetlink_change_protoinfo(struct nf_conn *ct, struct nlattr *cda[])
1037 { 1037 {
1038 struct nlattr *tb[CTA_PROTOINFO_MAX+1], *attr = cda[CTA_PROTOINFO]; 1038 struct nlattr *tb[CTA_PROTOINFO_MAX+1], *attr = cda[CTA_PROTOINFO];
1039 struct nf_conntrack_l4proto *l4proto; 1039 struct nf_conntrack_l4proto *l4proto;
1040 int err = 0; 1040 int err = 0;
1041 1041
1042 nla_parse_nested(tb, CTA_PROTOINFO_MAX, attr, NULL); 1042 nla_parse_nested(tb, CTA_PROTOINFO_MAX, attr, NULL);
1043 1043
1044 rcu_read_lock(); 1044 rcu_read_lock();
1045 l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct)); 1045 l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
1046 if (l4proto->from_nlattr) 1046 if (l4proto->from_nlattr)
1047 err = l4proto->from_nlattr(tb, ct); 1047 err = l4proto->from_nlattr(tb, ct);
1048 rcu_read_unlock(); 1048 rcu_read_unlock();
1049 1049
1050 return err; 1050 return err;
1051 } 1051 }
1052 1052
1053 #ifdef CONFIG_NF_NAT_NEEDED 1053 #ifdef CONFIG_NF_NAT_NEEDED
1054 static inline int 1054 static inline int
1055 change_nat_seq_adj(struct nf_nat_seq *natseq, struct nlattr *attr) 1055 change_nat_seq_adj(struct nf_nat_seq *natseq, struct nlattr *attr)
1056 { 1056 {
1057 struct nlattr *cda[CTA_NAT_SEQ_MAX+1]; 1057 struct nlattr *cda[CTA_NAT_SEQ_MAX+1];
1058 1058
1059 nla_parse_nested(cda, CTA_NAT_SEQ_MAX, attr, NULL); 1059 nla_parse_nested(cda, CTA_NAT_SEQ_MAX, attr, NULL);
1060 1060
1061 if (!cda[CTA_NAT_SEQ_CORRECTION_POS]) 1061 if (!cda[CTA_NAT_SEQ_CORRECTION_POS])
1062 return -EINVAL; 1062 return -EINVAL;
1063 1063
1064 natseq->correction_pos = 1064 natseq->correction_pos =
1065 ntohl(nla_get_be32(cda[CTA_NAT_SEQ_CORRECTION_POS])); 1065 ntohl(nla_get_be32(cda[CTA_NAT_SEQ_CORRECTION_POS]));
1066 1066
1067 if (!cda[CTA_NAT_SEQ_OFFSET_BEFORE]) 1067 if (!cda[CTA_NAT_SEQ_OFFSET_BEFORE])
1068 return -EINVAL; 1068 return -EINVAL;
1069 1069
1070 natseq->offset_before = 1070 natseq->offset_before =
1071 ntohl(nla_get_be32(cda[CTA_NAT_SEQ_OFFSET_BEFORE])); 1071 ntohl(nla_get_be32(cda[CTA_NAT_SEQ_OFFSET_BEFORE]));
1072 1072
1073 if (!cda[CTA_NAT_SEQ_OFFSET_AFTER]) 1073 if (!cda[CTA_NAT_SEQ_OFFSET_AFTER])
1074 return -EINVAL; 1074 return -EINVAL;
1075 1075
1076 natseq->offset_after = 1076 natseq->offset_after =
1077 ntohl(nla_get_be32(cda[CTA_NAT_SEQ_OFFSET_AFTER])); 1077 ntohl(nla_get_be32(cda[CTA_NAT_SEQ_OFFSET_AFTER]));
1078 1078
1079 return 0; 1079 return 0;
1080 } 1080 }
1081 1081
1082 static int 1082 static int
1083 ctnetlink_change_nat_seq_adj(struct nf_conn *ct, struct nlattr *cda[]) 1083 ctnetlink_change_nat_seq_adj(struct nf_conn *ct, struct nlattr *cda[])
1084 { 1084 {
1085 int ret = 0; 1085 int ret = 0;
1086 struct nf_conn_nat *nat = nfct_nat(ct); 1086 struct nf_conn_nat *nat = nfct_nat(ct);
1087 1087
1088 if (!nat) 1088 if (!nat)
1089 return 0; 1089 return 0;
1090 1090
1091 if (cda[CTA_NAT_SEQ_ADJ_ORIG]) { 1091 if (cda[CTA_NAT_SEQ_ADJ_ORIG]) {
1092 ret = change_nat_seq_adj(&nat->seq[IP_CT_DIR_ORIGINAL], 1092 ret = change_nat_seq_adj(&nat->seq[IP_CT_DIR_ORIGINAL],
1093 cda[CTA_NAT_SEQ_ADJ_ORIG]); 1093 cda[CTA_NAT_SEQ_ADJ_ORIG]);
1094 if (ret < 0) 1094 if (ret < 0)
1095 return ret; 1095 return ret;
1096 1096
1097 ct->status |= IPS_SEQ_ADJUST; 1097 ct->status |= IPS_SEQ_ADJUST;
1098 } 1098 }
1099 1099
1100 if (cda[CTA_NAT_SEQ_ADJ_REPLY]) { 1100 if (cda[CTA_NAT_SEQ_ADJ_REPLY]) {
1101 ret = change_nat_seq_adj(&nat->seq[IP_CT_DIR_REPLY], 1101 ret = change_nat_seq_adj(&nat->seq[IP_CT_DIR_REPLY],
1102 cda[CTA_NAT_SEQ_ADJ_REPLY]); 1102 cda[CTA_NAT_SEQ_ADJ_REPLY]);
1103 if (ret < 0) 1103 if (ret < 0)
1104 return ret; 1104 return ret;
1105 1105
1106 ct->status |= IPS_SEQ_ADJUST; 1106 ct->status |= IPS_SEQ_ADJUST;
1107 } 1107 }
1108 1108
1109 return 0; 1109 return 0;
1110 } 1110 }
1111 #endif 1111 #endif
1112 1112
1113 static int 1113 static int
1114 ctnetlink_change_conntrack(struct nf_conn *ct, struct nlattr *cda[]) 1114 ctnetlink_change_conntrack(struct nf_conn *ct, struct nlattr *cda[])
1115 { 1115 {
1116 int err; 1116 int err;
1117 1117
1118 /* only allow NAT changes and master assignation for new conntracks */ 1118 /* only allow NAT changes and master assignation for new conntracks */
1119 if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST] || cda[CTA_TUPLE_MASTER]) 1119 if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST] || cda[CTA_TUPLE_MASTER])
1120 return -EOPNOTSUPP; 1120 return -EOPNOTSUPP;
1121 1121
1122 if (cda[CTA_HELP]) { 1122 if (cda[CTA_HELP]) {
1123 err = ctnetlink_change_helper(ct, cda); 1123 err = ctnetlink_change_helper(ct, cda);
1124 if (err < 0) 1124 if (err < 0)
1125 return err; 1125 return err;
1126 } 1126 }
1127 1127
1128 if (cda[CTA_TIMEOUT]) { 1128 if (cda[CTA_TIMEOUT]) {
1129 err = ctnetlink_change_timeout(ct, cda); 1129 err = ctnetlink_change_timeout(ct, cda);
1130 if (err < 0) 1130 if (err < 0)
1131 return err; 1131 return err;
1132 } 1132 }
1133 1133
1134 if (cda[CTA_STATUS]) { 1134 if (cda[CTA_STATUS]) {
1135 err = ctnetlink_change_status(ct, cda); 1135 err = ctnetlink_change_status(ct, cda);
1136 if (err < 0) 1136 if (err < 0)
1137 return err; 1137 return err;
1138 } 1138 }
1139 1139
1140 if (cda[CTA_PROTOINFO]) { 1140 if (cda[CTA_PROTOINFO]) {
1141 err = ctnetlink_change_protoinfo(ct, cda); 1141 err = ctnetlink_change_protoinfo(ct, cda);
1142 if (err < 0) 1142 if (err < 0)
1143 return err; 1143 return err;
1144 } 1144 }
1145 1145
1146 #if defined(CONFIG_NF_CONNTRACK_MARK) 1146 #if defined(CONFIG_NF_CONNTRACK_MARK)
1147 if (cda[CTA_MARK]) 1147 if (cda[CTA_MARK])
1148 ct->mark = ntohl(nla_get_be32(cda[CTA_MARK])); 1148 ct->mark = ntohl(nla_get_be32(cda[CTA_MARK]));
1149 #endif 1149 #endif
1150 1150
1151 #ifdef CONFIG_NF_NAT_NEEDED 1151 #ifdef CONFIG_NF_NAT_NEEDED
1152 if (cda[CTA_NAT_SEQ_ADJ_ORIG] || cda[CTA_NAT_SEQ_ADJ_REPLY]) { 1152 if (cda[CTA_NAT_SEQ_ADJ_ORIG] || cda[CTA_NAT_SEQ_ADJ_REPLY]) {
1153 err = ctnetlink_change_nat_seq_adj(ct, cda); 1153 err = ctnetlink_change_nat_seq_adj(ct, cda);
1154 if (err < 0) 1154 if (err < 0)
1155 return err; 1155 return err;
1156 } 1156 }
1157 #endif 1157 #endif
1158 1158
1159 return 0; 1159 return 0;
1160 } 1160 }
1161 1161
1162 static struct nf_conn * 1162 static struct nf_conn *
1163 ctnetlink_create_conntrack(struct nlattr *cda[], 1163 ctnetlink_create_conntrack(struct nlattr *cda[],
1164 struct nf_conntrack_tuple *otuple, 1164 struct nf_conntrack_tuple *otuple,
1165 struct nf_conntrack_tuple *rtuple, 1165 struct nf_conntrack_tuple *rtuple,
1166 u8 u3) 1166 u8 u3)
1167 { 1167 {
1168 struct nf_conn *ct; 1168 struct nf_conn *ct;
1169 int err = -EINVAL; 1169 int err = -EINVAL;
1170 struct nf_conntrack_helper *helper; 1170 struct nf_conntrack_helper *helper;
1171 1171
1172 ct = nf_conntrack_alloc(&init_net, otuple, rtuple, GFP_ATOMIC); 1172 ct = nf_conntrack_alloc(&init_net, otuple, rtuple, GFP_ATOMIC);
1173 if (IS_ERR(ct)) 1173 if (IS_ERR(ct))
1174 return ERR_PTR(-ENOMEM); 1174 return ERR_PTR(-ENOMEM);
1175 1175
1176 if (!cda[CTA_TIMEOUT]) 1176 if (!cda[CTA_TIMEOUT])
1177 goto err1; 1177 goto err1;
1178 ct->timeout.expires = ntohl(nla_get_be32(cda[CTA_TIMEOUT])); 1178 ct->timeout.expires = ntohl(nla_get_be32(cda[CTA_TIMEOUT]));
1179 1179
1180 ct->timeout.expires = jiffies + ct->timeout.expires * HZ; 1180 ct->timeout.expires = jiffies + ct->timeout.expires * HZ;
1181 ct->status |= IPS_CONFIRMED; 1181 ct->status |= IPS_CONFIRMED;
1182 1182
1183 rcu_read_lock(); 1183 rcu_read_lock();
1184 if (cda[CTA_HELP]) { 1184 if (cda[CTA_HELP]) {
1185 char *helpname = NULL; 1185 char *helpname = NULL;
1186 1186
1187 err = ctnetlink_parse_help(cda[CTA_HELP], &helpname); 1187 err = ctnetlink_parse_help(cda[CTA_HELP], &helpname);
1188 if (err < 0) 1188 if (err < 0)
1189 goto err2; 1189 goto err2;
1190 1190
1191 helper = __nf_conntrack_helper_find_byname(helpname); 1191 helper = __nf_conntrack_helper_find_byname(helpname);
1192 if (helper == NULL) { 1192 if (helper == NULL) {
1193 rcu_read_unlock(); 1193 rcu_read_unlock();
1194 #ifdef CONFIG_MODULES 1194 #ifdef CONFIG_MODULES
1195 if (request_module("nfct-helper-%s", helpname) < 0) { 1195 if (request_module("nfct-helper-%s", helpname) < 0) {
1196 err = -EOPNOTSUPP; 1196 err = -EOPNOTSUPP;
1197 goto err1; 1197 goto err1;
1198 } 1198 }
1199 1199
1200 rcu_read_lock(); 1200 rcu_read_lock();
1201 helper = __nf_conntrack_helper_find_byname(helpname); 1201 helper = __nf_conntrack_helper_find_byname(helpname);
1202 if (helper) { 1202 if (helper) {
1203 err = -EAGAIN; 1203 err = -EAGAIN;
1204 goto err2; 1204 goto err2;
1205 } 1205 }
1206 rcu_read_unlock(); 1206 rcu_read_unlock();
1207 #endif 1207 #endif
1208 err = -EOPNOTSUPP; 1208 err = -EOPNOTSUPP;
1209 goto err1; 1209 goto err1;
1210 } else { 1210 } else {
1211 struct nf_conn_help *help; 1211 struct nf_conn_help *help;
1212 1212
1213 help = nf_ct_helper_ext_add(ct, GFP_ATOMIC); 1213 help = nf_ct_helper_ext_add(ct, GFP_ATOMIC);
1214 if (help == NULL) { 1214 if (help == NULL) {
1215 err = -ENOMEM; 1215 err = -ENOMEM;
1216 goto err2; 1216 goto err2;
1217 } 1217 }
1218 1218
1219 /* not in hash table yet so not strictly necessary */ 1219 /* not in hash table yet so not strictly necessary */
1220 rcu_assign_pointer(help->helper, helper); 1220 rcu_assign_pointer(help->helper, helper);
1221 } 1221 }
1222 } else { 1222 } else {
1223 /* try an implicit helper assignation */ 1223 /* try an implicit helper assignation */
1224 err = __nf_ct_try_assign_helper(ct, GFP_ATOMIC); 1224 err = __nf_ct_try_assign_helper(ct, GFP_ATOMIC);
1225 if (err < 0) 1225 if (err < 0)
1226 goto err2; 1226 goto err2;
1227 } 1227 }
1228 1228
1229 if (cda[CTA_STATUS]) { 1229 if (cda[CTA_STATUS]) {
1230 err = ctnetlink_change_status(ct, cda); 1230 err = ctnetlink_change_status(ct, cda);
1231 if (err < 0) 1231 if (err < 0)
1232 goto err2; 1232 goto err2;
1233 } 1233 }
1234 1234
1235 if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST]) { 1235 if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST]) {
1236 err = ctnetlink_change_nat(ct, cda); 1236 err = ctnetlink_change_nat(ct, cda);
1237 if (err < 0) 1237 if (err < 0)
1238 goto err2; 1238 goto err2;
1239 } 1239 }
1240 1240
1241 #ifdef CONFIG_NF_NAT_NEEDED 1241 #ifdef CONFIG_NF_NAT_NEEDED
1242 if (cda[CTA_NAT_SEQ_ADJ_ORIG] || cda[CTA_NAT_SEQ_ADJ_REPLY]) { 1242 if (cda[CTA_NAT_SEQ_ADJ_ORIG] || cda[CTA_NAT_SEQ_ADJ_REPLY]) {
1243 err = ctnetlink_change_nat_seq_adj(ct, cda); 1243 err = ctnetlink_change_nat_seq_adj(ct, cda);
1244 if (err < 0) 1244 if (err < 0)
1245 goto err2; 1245 goto err2;
1246 } 1246 }
1247 #endif 1247 #endif
1248 1248
1249 if (cda[CTA_PROTOINFO]) { 1249 if (cda[CTA_PROTOINFO]) {
1250 err = ctnetlink_change_protoinfo(ct, cda); 1250 err = ctnetlink_change_protoinfo(ct, cda);
1251 if (err < 0) 1251 if (err < 0)
1252 goto err2; 1252 goto err2;
1253 } 1253 }
1254 1254
1255 nf_ct_acct_ext_add(ct, GFP_ATOMIC); 1255 nf_ct_acct_ext_add(ct, GFP_ATOMIC);
1256 1256
1257 #if defined(CONFIG_NF_CONNTRACK_MARK) 1257 #if defined(CONFIG_NF_CONNTRACK_MARK)
1258 if (cda[CTA_MARK]) 1258 if (cda[CTA_MARK])
1259 ct->mark = ntohl(nla_get_be32(cda[CTA_MARK])); 1259 ct->mark = ntohl(nla_get_be32(cda[CTA_MARK]));
1260 #endif 1260 #endif
1261 1261
1262 /* setup master conntrack: this is a confirmed expectation */ 1262 /* setup master conntrack: this is a confirmed expectation */
1263 if (cda[CTA_TUPLE_MASTER]) { 1263 if (cda[CTA_TUPLE_MASTER]) {
1264 struct nf_conntrack_tuple master; 1264 struct nf_conntrack_tuple master;
1265 struct nf_conntrack_tuple_hash *master_h; 1265 struct nf_conntrack_tuple_hash *master_h;
1266 struct nf_conn *master_ct; 1266 struct nf_conn *master_ct;
1267 1267
1268 err = ctnetlink_parse_tuple(cda, &master, CTA_TUPLE_MASTER, u3); 1268 err = ctnetlink_parse_tuple(cda, &master, CTA_TUPLE_MASTER, u3);
1269 if (err < 0) 1269 if (err < 0)
1270 goto err2; 1270 goto err2;
1271 1271
1272 master_h = nf_conntrack_find_get(&init_net, &master); 1272 master_h = nf_conntrack_find_get(&init_net, &master);
1273 if (master_h == NULL) { 1273 if (master_h == NULL) {
1274 err = -ENOENT; 1274 err = -ENOENT;
1275 goto err2; 1275 goto err2;
1276 } 1276 }
1277 master_ct = nf_ct_tuplehash_to_ctrack(master_h); 1277 master_ct = nf_ct_tuplehash_to_ctrack(master_h);
1278 __set_bit(IPS_EXPECTED_BIT, &ct->status); 1278 __set_bit(IPS_EXPECTED_BIT, &ct->status);
1279 ct->master = master_ct; 1279 ct->master = master_ct;
1280 } 1280 }
1281 1281
1282 add_timer(&ct->timeout); 1282 add_timer(&ct->timeout);
1283 nf_conntrack_hash_insert(ct); 1283 nf_conntrack_hash_insert(ct);
1284 rcu_read_unlock(); 1284 rcu_read_unlock();
1285 1285
1286 return ct; 1286 return ct;
1287 1287
1288 err2: 1288 err2:
1289 rcu_read_unlock(); 1289 rcu_read_unlock();
1290 err1: 1290 err1:
1291 nf_conntrack_free(ct); 1291 nf_conntrack_free(ct);
1292 return ERR_PTR(err); 1292 return ERR_PTR(err);
1293 } 1293 }
1294 1294
1295 static int 1295 static int
1296 ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb, 1296 ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
1297 struct nlmsghdr *nlh, struct nlattr *cda[]) 1297 struct nlmsghdr *nlh, struct nlattr *cda[])
1298 { 1298 {
1299 struct nf_conntrack_tuple otuple, rtuple; 1299 struct nf_conntrack_tuple otuple, rtuple;
1300 struct nf_conntrack_tuple_hash *h = NULL; 1300 struct nf_conntrack_tuple_hash *h = NULL;
1301 struct nfgenmsg *nfmsg = nlmsg_data(nlh); 1301 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1302 u_int8_t u3 = nfmsg->nfgen_family; 1302 u_int8_t u3 = nfmsg->nfgen_family;
1303 int err = 0; 1303 int err = 0;
1304 1304
1305 if (cda[CTA_TUPLE_ORIG]) { 1305 if (cda[CTA_TUPLE_ORIG]) {
1306 err = ctnetlink_parse_tuple(cda, &otuple, CTA_TUPLE_ORIG, u3); 1306 err = ctnetlink_parse_tuple(cda, &otuple, CTA_TUPLE_ORIG, u3);
1307 if (err < 0) 1307 if (err < 0)
1308 return err; 1308 return err;
1309 } 1309 }
1310 1310
1311 if (cda[CTA_TUPLE_REPLY]) { 1311 if (cda[CTA_TUPLE_REPLY]) {
1312 err = ctnetlink_parse_tuple(cda, &rtuple, CTA_TUPLE_REPLY, u3); 1312 err = ctnetlink_parse_tuple(cda, &rtuple, CTA_TUPLE_REPLY, u3);
1313 if (err < 0) 1313 if (err < 0)
1314 return err; 1314 return err;
1315 } 1315 }
1316 1316
1317 spin_lock_bh(&nf_conntrack_lock); 1317 spin_lock_bh(&nf_conntrack_lock);
1318 if (cda[CTA_TUPLE_ORIG]) 1318 if (cda[CTA_TUPLE_ORIG])
1319 h = __nf_conntrack_find(&init_net, &otuple); 1319 h = __nf_conntrack_find(&init_net, &otuple);
1320 else if (cda[CTA_TUPLE_REPLY]) 1320 else if (cda[CTA_TUPLE_REPLY])
1321 h = __nf_conntrack_find(&init_net, &rtuple); 1321 h = __nf_conntrack_find(&init_net, &rtuple);
1322 1322
1323 if (h == NULL) { 1323 if (h == NULL) {
1324 err = -ENOENT; 1324 err = -ENOENT;
1325 if (nlh->nlmsg_flags & NLM_F_CREATE) { 1325 if (nlh->nlmsg_flags & NLM_F_CREATE) {
1326 struct nf_conn *ct; 1326 struct nf_conn *ct;
1327 enum ip_conntrack_events events; 1327 enum ip_conntrack_events events;
1328 1328
1329 ct = ctnetlink_create_conntrack(cda, &otuple, 1329 ct = ctnetlink_create_conntrack(cda, &otuple,
1330 &rtuple, u3); 1330 &rtuple, u3);
1331 if (IS_ERR(ct)) { 1331 if (IS_ERR(ct)) {
1332 err = PTR_ERR(ct); 1332 err = PTR_ERR(ct);
1333 goto out_unlock; 1333 goto out_unlock;
1334 } 1334 }
1335 err = 0; 1335 err = 0;
1336 nf_conntrack_get(&ct->ct_general); 1336 nf_conntrack_get(&ct->ct_general);
1337 spin_unlock_bh(&nf_conntrack_lock); 1337 spin_unlock_bh(&nf_conntrack_lock);
1338 if (test_bit(IPS_EXPECTED_BIT, &ct->status)) 1338 if (test_bit(IPS_EXPECTED_BIT, &ct->status))
1339 events = IPCT_RELATED; 1339 events = IPCT_RELATED;
1340 else 1340 else
1341 events = IPCT_NEW; 1341 events = IPCT_NEW;
1342 1342
1343 nf_conntrack_event_report(IPCT_STATUS | 1343 nf_conntrack_event_report(IPCT_STATUS |
1344 IPCT_HELPER | 1344 IPCT_HELPER |
1345 IPCT_PROTOINFO | 1345 IPCT_PROTOINFO |
1346 IPCT_NATSEQADJ | 1346 IPCT_NATSEQADJ |
1347 IPCT_MARK | events, 1347 IPCT_MARK | events,
1348 ct, NETLINK_CB(skb).pid, 1348 ct, NETLINK_CB(skb).pid,
1349 nlmsg_report(nlh)); 1349 nlmsg_report(nlh));
1350 nf_ct_put(ct); 1350 nf_ct_put(ct);
1351 } else 1351 } else
1352 spin_unlock_bh(&nf_conntrack_lock); 1352 spin_unlock_bh(&nf_conntrack_lock);
1353 1353
1354 return err; 1354 return err;
1355 } 1355 }
1356 /* implicit 'else' */ 1356 /* implicit 'else' */
1357 1357
1358 /* We manipulate the conntrack inside the global conntrack table lock, 1358 /* We manipulate the conntrack inside the global conntrack table lock,
1359 * so there's no need to increase the refcount */ 1359 * so there's no need to increase the refcount */
1360 err = -EEXIST; 1360 err = -EEXIST;
1361 if (!(nlh->nlmsg_flags & NLM_F_EXCL)) { 1361 if (!(nlh->nlmsg_flags & NLM_F_EXCL)) {
1362 struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h); 1362 struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h);
1363 1363
1364 err = ctnetlink_change_conntrack(ct, cda); 1364 err = ctnetlink_change_conntrack(ct, cda);
1365 if (err == 0) { 1365 if (err == 0) {
1366 nf_conntrack_get(&ct->ct_general); 1366 nf_conntrack_get(&ct->ct_general);
1367 spin_unlock_bh(&nf_conntrack_lock); 1367 spin_unlock_bh(&nf_conntrack_lock);
1368 nf_conntrack_event_report(IPCT_STATUS | 1368 nf_conntrack_event_report(IPCT_STATUS |
1369 IPCT_HELPER | 1369 IPCT_HELPER |
1370 IPCT_PROTOINFO | 1370 IPCT_PROTOINFO |
1371 IPCT_NATSEQADJ | 1371 IPCT_NATSEQADJ |
1372 IPCT_MARK, 1372 IPCT_MARK,
1373 ct, NETLINK_CB(skb).pid, 1373 ct, NETLINK_CB(skb).pid,
1374 nlmsg_report(nlh)); 1374 nlmsg_report(nlh));
1375 nf_ct_put(ct); 1375 nf_ct_put(ct);
1376 } else 1376 } else
1377 spin_unlock_bh(&nf_conntrack_lock); 1377 spin_unlock_bh(&nf_conntrack_lock);
1378 1378
1379 return err; 1379 return err;
1380 } 1380 }
1381 1381
1382 out_unlock: 1382 out_unlock:
1383 spin_unlock_bh(&nf_conntrack_lock); 1383 spin_unlock_bh(&nf_conntrack_lock);
1384 return err; 1384 return err;
1385 } 1385 }
1386 1386
1387 /*********************************************************************** 1387 /***********************************************************************
1388 * EXPECT 1388 * EXPECT
1389 ***********************************************************************/ 1389 ***********************************************************************/
1390 1390
1391 static inline int 1391 static inline int
1392 ctnetlink_exp_dump_tuple(struct sk_buff *skb, 1392 ctnetlink_exp_dump_tuple(struct sk_buff *skb,
1393 const struct nf_conntrack_tuple *tuple, 1393 const struct nf_conntrack_tuple *tuple,
1394 enum ctattr_expect type) 1394 enum ctattr_expect type)
1395 { 1395 {
1396 struct nlattr *nest_parms; 1396 struct nlattr *nest_parms;
1397 1397
1398 nest_parms = nla_nest_start(skb, type | NLA_F_NESTED); 1398 nest_parms = nla_nest_start(skb, type | NLA_F_NESTED);
1399 if (!nest_parms) 1399 if (!nest_parms)
1400 goto nla_put_failure; 1400 goto nla_put_failure;
1401 if (ctnetlink_dump_tuples(skb, tuple) < 0) 1401 if (ctnetlink_dump_tuples(skb, tuple) < 0)
1402 goto nla_put_failure; 1402 goto nla_put_failure;
1403 nla_nest_end(skb, nest_parms); 1403 nla_nest_end(skb, nest_parms);
1404 1404
1405 return 0; 1405 return 0;
1406 1406
1407 nla_put_failure: 1407 nla_put_failure:
1408 return -1; 1408 return -1;
1409 } 1409 }
1410 1410
1411 static inline int 1411 static inline int
1412 ctnetlink_exp_dump_mask(struct sk_buff *skb, 1412 ctnetlink_exp_dump_mask(struct sk_buff *skb,
1413 const struct nf_conntrack_tuple *tuple, 1413 const struct nf_conntrack_tuple *tuple,
1414 const struct nf_conntrack_tuple_mask *mask) 1414 const struct nf_conntrack_tuple_mask *mask)
1415 { 1415 {
1416 int ret; 1416 int ret;
1417 struct nf_conntrack_l3proto *l3proto; 1417 struct nf_conntrack_l3proto *l3proto;
1418 struct nf_conntrack_l4proto *l4proto; 1418 struct nf_conntrack_l4proto *l4proto;
1419 struct nf_conntrack_tuple m; 1419 struct nf_conntrack_tuple m;
1420 struct nlattr *nest_parms; 1420 struct nlattr *nest_parms;
1421 1421
1422 memset(&m, 0xFF, sizeof(m)); 1422 memset(&m, 0xFF, sizeof(m));
1423 m.src.u.all = mask->src.u.all; 1423 m.src.u.all = mask->src.u.all;
1424 memcpy(&m.src.u3, &mask->src.u3, sizeof(m.src.u3)); 1424 memcpy(&m.src.u3, &mask->src.u3, sizeof(m.src.u3));
1425 1425
1426 nest_parms = nla_nest_start(skb, CTA_EXPECT_MASK | NLA_F_NESTED); 1426 nest_parms = nla_nest_start(skb, CTA_EXPECT_MASK | NLA_F_NESTED);
1427 if (!nest_parms) 1427 if (!nest_parms)
1428 goto nla_put_failure; 1428 goto nla_put_failure;
1429 1429
1430 l3proto = __nf_ct_l3proto_find(tuple->src.l3num); 1430 l3proto = __nf_ct_l3proto_find(tuple->src.l3num);
1431 ret = ctnetlink_dump_tuples_ip(skb, &m, l3proto); 1431 ret = ctnetlink_dump_tuples_ip(skb, &m, l3proto);
1432 1432
1433 if (unlikely(ret < 0)) 1433 if (unlikely(ret < 0))
1434 goto nla_put_failure; 1434 goto nla_put_failure;
1435 1435
1436 l4proto = __nf_ct_l4proto_find(tuple->src.l3num, tuple->dst.protonum); 1436 l4proto = __nf_ct_l4proto_find(tuple->src.l3num, tuple->dst.protonum);
1437 ret = ctnetlink_dump_tuples_proto(skb, &m, l4proto); 1437 ret = ctnetlink_dump_tuples_proto(skb, &m, l4proto);
1438 if (unlikely(ret < 0)) 1438 if (unlikely(ret < 0))
1439 goto nla_put_failure; 1439 goto nla_put_failure;
1440 1440
1441 nla_nest_end(skb, nest_parms); 1441 nla_nest_end(skb, nest_parms);
1442 1442
1443 return 0; 1443 return 0;
1444 1444
1445 nla_put_failure: 1445 nla_put_failure:
1446 return -1; 1446 return -1;
1447 } 1447 }
1448 1448
1449 static int 1449 static int
1450 ctnetlink_exp_dump_expect(struct sk_buff *skb, 1450 ctnetlink_exp_dump_expect(struct sk_buff *skb,
1451 const struct nf_conntrack_expect *exp) 1451 const struct nf_conntrack_expect *exp)
1452 { 1452 {
1453 struct nf_conn *master = exp->master; 1453 struct nf_conn *master = exp->master;
1454 long timeout = (exp->timeout.expires - jiffies) / HZ; 1454 long timeout = (exp->timeout.expires - jiffies) / HZ;
1455 1455
1456 if (timeout < 0) 1456 if (timeout < 0)
1457 timeout = 0; 1457 timeout = 0;
1458 1458
1459 if (ctnetlink_exp_dump_tuple(skb, &exp->tuple, CTA_EXPECT_TUPLE) < 0) 1459 if (ctnetlink_exp_dump_tuple(skb, &exp->tuple, CTA_EXPECT_TUPLE) < 0)
1460 goto nla_put_failure; 1460 goto nla_put_failure;
1461 if (ctnetlink_exp_dump_mask(skb, &exp->tuple, &exp->mask) < 0) 1461 if (ctnetlink_exp_dump_mask(skb, &exp->tuple, &exp->mask) < 0)
1462 goto nla_put_failure; 1462 goto nla_put_failure;
1463 if (ctnetlink_exp_dump_tuple(skb, 1463 if (ctnetlink_exp_dump_tuple(skb,
1464 &master->tuplehash[IP_CT_DIR_ORIGINAL].tuple, 1464 &master->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
1465 CTA_EXPECT_MASTER) < 0) 1465 CTA_EXPECT_MASTER) < 0)
1466 goto nla_put_failure; 1466 goto nla_put_failure;
1467 1467
1468 NLA_PUT_BE32(skb, CTA_EXPECT_TIMEOUT, htonl(timeout)); 1468 NLA_PUT_BE32(skb, CTA_EXPECT_TIMEOUT, htonl(timeout));
1469 NLA_PUT_BE32(skb, CTA_EXPECT_ID, htonl((unsigned long)exp)); 1469 NLA_PUT_BE32(skb, CTA_EXPECT_ID, htonl((unsigned long)exp));
1470 1470
1471 return 0; 1471 return 0;
1472 1472
1473 nla_put_failure: 1473 nla_put_failure:
1474 return -1; 1474 return -1;
1475 } 1475 }
1476 1476
1477 static int 1477 static int
1478 ctnetlink_exp_fill_info(struct sk_buff *skb, u32 pid, u32 seq, 1478 ctnetlink_exp_fill_info(struct sk_buff *skb, u32 pid, u32 seq,
1479 int event, const struct nf_conntrack_expect *exp) 1479 int event, const struct nf_conntrack_expect *exp)
1480 { 1480 {
1481 struct nlmsghdr *nlh; 1481 struct nlmsghdr *nlh;
1482 struct nfgenmsg *nfmsg; 1482 struct nfgenmsg *nfmsg;
1483 unsigned int flags = pid ? NLM_F_MULTI : 0; 1483 unsigned int flags = pid ? NLM_F_MULTI : 0;
1484 1484
1485 event |= NFNL_SUBSYS_CTNETLINK_EXP << 8; 1485 event |= NFNL_SUBSYS_CTNETLINK_EXP << 8;
1486 nlh = nlmsg_put(skb, pid, seq, event, sizeof(*nfmsg), flags); 1486 nlh = nlmsg_put(skb, pid, seq, event, sizeof(*nfmsg), flags);
1487 if (nlh == NULL) 1487 if (nlh == NULL)
1488 goto nlmsg_failure; 1488 goto nlmsg_failure;
1489 1489
1490 nfmsg = nlmsg_data(nlh); 1490 nfmsg = nlmsg_data(nlh);
1491 nfmsg->nfgen_family = exp->tuple.src.l3num; 1491 nfmsg->nfgen_family = exp->tuple.src.l3num;
1492 nfmsg->version = NFNETLINK_V0; 1492 nfmsg->version = NFNETLINK_V0;
1493 nfmsg->res_id = 0; 1493 nfmsg->res_id = 0;
1494 1494
1495 if (ctnetlink_exp_dump_expect(skb, exp) < 0) 1495 if (ctnetlink_exp_dump_expect(skb, exp) < 0)
1496 goto nla_put_failure; 1496 goto nla_put_failure;
1497 1497
1498 nlmsg_end(skb, nlh); 1498 nlmsg_end(skb, nlh);
1499 return skb->len; 1499 return skb->len;
1500 1500
1501 nlmsg_failure: 1501 nlmsg_failure:
1502 nla_put_failure: 1502 nla_put_failure:
1503 nlmsg_cancel(skb, nlh); 1503 nlmsg_cancel(skb, nlh);
1504 return -1; 1504 return -1;
1505 } 1505 }
1506 1506
1507 #ifdef CONFIG_NF_CONNTRACK_EVENTS 1507 #ifdef CONFIG_NF_CONNTRACK_EVENTS
1508 static int 1508 static int
1509 ctnetlink_expect_event(unsigned int events, struct nf_exp_event *item) 1509 ctnetlink_expect_event(unsigned int events, struct nf_exp_event *item)
1510 { 1510 {
1511 struct nlmsghdr *nlh; 1511 struct nlmsghdr *nlh;
1512 struct nfgenmsg *nfmsg; 1512 struct nfgenmsg *nfmsg;
1513 struct nf_conntrack_expect *exp = item->exp; 1513 struct nf_conntrack_expect *exp = item->exp;
1514 struct sk_buff *skb; 1514 struct sk_buff *skb;
1515 unsigned int type; 1515 unsigned int type;
1516 int flags = 0; 1516 int flags = 0;
1517 1517
1518 if (events & IPEXP_NEW) { 1518 if (events & IPEXP_NEW) {
1519 type = IPCTNL_MSG_EXP_NEW; 1519 type = IPCTNL_MSG_EXP_NEW;
1520 flags = NLM_F_CREATE|NLM_F_EXCL; 1520 flags = NLM_F_CREATE|NLM_F_EXCL;
1521 } else 1521 } else
1522 return 0; 1522 return 0;
1523 1523
1524 if (!item->report && 1524 if (!item->report &&
1525 !nfnetlink_has_listeners(NFNLGRP_CONNTRACK_EXP_NEW)) 1525 !nfnetlink_has_listeners(NFNLGRP_CONNTRACK_EXP_NEW))
1526 return 0; 1526 return 0;
1527 1527
1528 skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC); 1528 skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
1529 if (skb == NULL) 1529 if (skb == NULL)
1530 goto errout; 1530 goto errout;
1531 1531
1532 type |= NFNL_SUBSYS_CTNETLINK_EXP << 8; 1532 type |= NFNL_SUBSYS_CTNETLINK_EXP << 8;
1533 nlh = nlmsg_put(skb, item->pid, 0, type, sizeof(*nfmsg), flags); 1533 nlh = nlmsg_put(skb, item->pid, 0, type, sizeof(*nfmsg), flags);
1534 if (nlh == NULL) 1534 if (nlh == NULL)
1535 goto nlmsg_failure; 1535 goto nlmsg_failure;
1536 1536
1537 nfmsg = nlmsg_data(nlh); 1537 nfmsg = nlmsg_data(nlh);
1538 nfmsg->nfgen_family = exp->tuple.src.l3num; 1538 nfmsg->nfgen_family = exp->tuple.src.l3num;
1539 nfmsg->version = NFNETLINK_V0; 1539 nfmsg->version = NFNETLINK_V0;
1540 nfmsg->res_id = 0; 1540 nfmsg->res_id = 0;
1541 1541
1542 rcu_read_lock(); 1542 rcu_read_lock();
1543 if (ctnetlink_exp_dump_expect(skb, exp) < 0) 1543 if (ctnetlink_exp_dump_expect(skb, exp) < 0)
1544 goto nla_put_failure; 1544 goto nla_put_failure;
1545 rcu_read_unlock(); 1545 rcu_read_unlock();
1546 1546
1547 nlmsg_end(skb, nlh); 1547 nlmsg_end(skb, nlh);
1548 nfnetlink_send(skb, item->pid, NFNLGRP_CONNTRACK_EXP_NEW, 1548 nfnetlink_send(skb, item->pid, NFNLGRP_CONNTRACK_EXP_NEW,
1549 item->report, GFP_ATOMIC); 1549 item->report, GFP_ATOMIC);
1550 return 0; 1550 return 0;
1551 1551
1552 nla_put_failure: 1552 nla_put_failure:
1553 rcu_read_unlock(); 1553 rcu_read_unlock();
1554 nlmsg_cancel(skb, nlh); 1554 nlmsg_cancel(skb, nlh);
1555 nlmsg_failure: 1555 nlmsg_failure:
1556 kfree_skb(skb); 1556 kfree_skb(skb);
1557 errout: 1557 errout:
1558 nfnetlink_set_err(0, 0, -ENOBUFS); 1558 nfnetlink_set_err(0, 0, -ENOBUFS);
1559 return 0; 1559 return 0;
1560 } 1560 }
1561 #endif 1561 #endif
1562 static int ctnetlink_exp_done(struct netlink_callback *cb) 1562 static int ctnetlink_exp_done(struct netlink_callback *cb)
1563 { 1563 {
1564 if (cb->args[1]) 1564 if (cb->args[1])
1565 nf_ct_expect_put((struct nf_conntrack_expect *)cb->args[1]); 1565 nf_ct_expect_put((struct nf_conntrack_expect *)cb->args[1]);
1566 return 0; 1566 return 0;
1567 } 1567 }
1568 1568
1569 static int 1569 static int
1570 ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb) 1570 ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
1571 { 1571 {
1572 struct net *net = &init_net; 1572 struct net *net = &init_net;
1573 struct nf_conntrack_expect *exp, *last; 1573 struct nf_conntrack_expect *exp, *last;
1574 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh); 1574 struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1575 struct hlist_node *n; 1575 struct hlist_node *n;
1576 u_int8_t l3proto = nfmsg->nfgen_family; 1576 u_int8_t l3proto = nfmsg->nfgen_family;
1577 1577
1578 rcu_read_lock(); 1578 rcu_read_lock();
1579 last = (struct nf_conntrack_expect *)cb->args[1]; 1579 last = (struct nf_conntrack_expect *)cb->args[1];
1580 for (; cb->args[0] < nf_ct_expect_hsize; cb->args[0]++) { 1580 for (; cb->args[0] < nf_ct_expect_hsize; cb->args[0]++) {
1581 restart: 1581 restart:
1582 hlist_for_each_entry(exp, n, &net->ct.expect_hash[cb->args[0]], 1582 hlist_for_each_entry(exp, n, &net->ct.expect_hash[cb->args[0]],
1583 hnode) { 1583 hnode) {
1584 if (l3proto && exp->tuple.src.l3num != l3proto) 1584 if (l3proto && exp->tuple.src.l3num != l3proto)
1585 continue; 1585 continue;
1586 if (cb->args[1]) { 1586 if (cb->args[1]) {
1587 if (exp != last) 1587 if (exp != last)
1588 continue; 1588 continue;
1589 cb->args[1] = 0; 1589 cb->args[1] = 0;
1590 } 1590 }
1591 if (ctnetlink_exp_fill_info(skb, 1591 if (ctnetlink_exp_fill_info(skb,
1592 NETLINK_CB(cb->skb).pid, 1592 NETLINK_CB(cb->skb).pid,
1593 cb->nlh->nlmsg_seq, 1593 cb->nlh->nlmsg_seq,
1594 IPCTNL_MSG_EXP_NEW, 1594 IPCTNL_MSG_EXP_NEW,
1595 exp) < 0) { 1595 exp) < 0) {
1596 if (!atomic_inc_not_zero(&exp->use)) 1596 if (!atomic_inc_not_zero(&exp->use))
1597 continue; 1597 continue;
1598 cb->args[1] = (unsigned long)exp; 1598 cb->args[1] = (unsigned long)exp;
1599 goto out; 1599 goto out;
1600 } 1600 }
1601 } 1601 }
1602 if (cb->args[1]) { 1602 if (cb->args[1]) {
1603 cb->args[1] = 0; 1603 cb->args[1] = 0;
1604 goto restart; 1604 goto restart;
1605 } 1605 }
1606 } 1606 }
1607 out: 1607 out:
1608 rcu_read_unlock(); 1608 rcu_read_unlock();
1609 if (last) 1609 if (last)
1610 nf_ct_expect_put(last); 1610 nf_ct_expect_put(last);
1611 1611
1612 return skb->len; 1612 return skb->len;
1613 } 1613 }
1614 1614
1615 static const struct nla_policy exp_nla_policy[CTA_EXPECT_MAX+1] = { 1615 static const struct nla_policy exp_nla_policy[CTA_EXPECT_MAX+1] = {
1616 [CTA_EXPECT_TIMEOUT] = { .type = NLA_U32 }, 1616 [CTA_EXPECT_TIMEOUT] = { .type = NLA_U32 },
1617 [CTA_EXPECT_ID] = { .type = NLA_U32 }, 1617 [CTA_EXPECT_ID] = { .type = NLA_U32 },
1618 }; 1618 };
1619 1619
1620 static int 1620 static int
1621 ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb, 1621 ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb,
1622 struct nlmsghdr *nlh, struct nlattr *cda[]) 1622 struct nlmsghdr *nlh, struct nlattr *cda[])
1623 { 1623 {
1624 struct nf_conntrack_tuple tuple; 1624 struct nf_conntrack_tuple tuple;
1625 struct nf_conntrack_expect *exp; 1625 struct nf_conntrack_expect *exp;
1626 struct sk_buff *skb2; 1626 struct sk_buff *skb2;
1627 struct nfgenmsg *nfmsg = nlmsg_data(nlh); 1627 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1628 u_int8_t u3 = nfmsg->nfgen_family; 1628 u_int8_t u3 = nfmsg->nfgen_family;
1629 int err = 0; 1629 int err = 0;
1630 1630
1631 if (nlh->nlmsg_flags & NLM_F_DUMP) { 1631 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1632 return netlink_dump_start(ctnl, skb, nlh, 1632 return netlink_dump_start(ctnl, skb, nlh,
1633 ctnetlink_exp_dump_table, 1633 ctnetlink_exp_dump_table,
1634 ctnetlink_exp_done); 1634 ctnetlink_exp_done);
1635 } 1635 }
1636 1636
1637 if (cda[CTA_EXPECT_MASTER]) 1637 if (cda[CTA_EXPECT_MASTER])
1638 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER, u3); 1638 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER, u3);
1639 else 1639 else
1640 return -EINVAL; 1640 return -EINVAL;
1641 1641
1642 if (err < 0) 1642 if (err < 0)
1643 return err; 1643 return err;
1644 1644
1645 exp = nf_ct_expect_find_get(&init_net, &tuple); 1645 exp = nf_ct_expect_find_get(&init_net, &tuple);
1646 if (!exp) 1646 if (!exp)
1647 return -ENOENT; 1647 return -ENOENT;
1648 1648
1649 if (cda[CTA_EXPECT_ID]) { 1649 if (cda[CTA_EXPECT_ID]) {
1650 __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]); 1650 __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);
1651 if (ntohl(id) != (u32)(unsigned long)exp) { 1651 if (ntohl(id) != (u32)(unsigned long)exp) {
1652 nf_ct_expect_put(exp); 1652 nf_ct_expect_put(exp);
1653 return -ENOENT; 1653 return -ENOENT;
1654 } 1654 }
1655 } 1655 }
1656 1656
1657 err = -ENOMEM; 1657 err = -ENOMEM;
1658 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL); 1658 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1659 if (skb2 == NULL) 1659 if (skb2 == NULL)
1660 goto out; 1660 goto out;
1661 1661
1662 rcu_read_lock(); 1662 rcu_read_lock();
1663 err = ctnetlink_exp_fill_info(skb2, NETLINK_CB(skb).pid, 1663 err = ctnetlink_exp_fill_info(skb2, NETLINK_CB(skb).pid,
1664 nlh->nlmsg_seq, IPCTNL_MSG_EXP_NEW, exp); 1664 nlh->nlmsg_seq, IPCTNL_MSG_EXP_NEW, exp);
1665 rcu_read_unlock(); 1665 rcu_read_unlock();
1666 if (err <= 0) 1666 if (err <= 0)
1667 goto free; 1667 goto free;
1668 1668
1669 nf_ct_expect_put(exp); 1669 nf_ct_expect_put(exp);
1670 1670
1671 return netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT); 1671 return netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT);
1672 1672
1673 free: 1673 free:
1674 kfree_skb(skb2); 1674 kfree_skb(skb2);
1675 out: 1675 out:
1676 nf_ct_expect_put(exp); 1676 nf_ct_expect_put(exp);
1677 return err; 1677 return err;
1678 } 1678 }
1679 1679
1680 static int 1680 static int
1681 ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb, 1681 ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb,
1682 struct nlmsghdr *nlh, struct nlattr *cda[]) 1682 struct nlmsghdr *nlh, struct nlattr *cda[])
1683 { 1683 {
1684 struct nf_conntrack_expect *exp; 1684 struct nf_conntrack_expect *exp;
1685 struct nf_conntrack_tuple tuple; 1685 struct nf_conntrack_tuple tuple;
1686 struct nf_conntrack_helper *h; 1686 struct nf_conntrack_helper *h;
1687 struct nfgenmsg *nfmsg = nlmsg_data(nlh); 1687 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1688 struct hlist_node *n, *next; 1688 struct hlist_node *n, *next;
1689 u_int8_t u3 = nfmsg->nfgen_family; 1689 u_int8_t u3 = nfmsg->nfgen_family;
1690 unsigned int i; 1690 unsigned int i;
1691 int err; 1691 int err;
1692 1692
1693 if (cda[CTA_EXPECT_TUPLE]) { 1693 if (cda[CTA_EXPECT_TUPLE]) {
1694 /* delete a single expect by tuple */ 1694 /* delete a single expect by tuple */
1695 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, u3); 1695 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, u3);
1696 if (err < 0) 1696 if (err < 0)
1697 return err; 1697 return err;
1698 1698
1699 /* bump usage count to 2 */ 1699 /* bump usage count to 2 */
1700 exp = nf_ct_expect_find_get(&init_net, &tuple); 1700 exp = nf_ct_expect_find_get(&init_net, &tuple);
1701 if (!exp) 1701 if (!exp)
1702 return -ENOENT; 1702 return -ENOENT;
1703 1703
1704 if (cda[CTA_EXPECT_ID]) { 1704 if (cda[CTA_EXPECT_ID]) {
1705 __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]); 1705 __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);
1706 if (ntohl(id) != (u32)(unsigned long)exp) { 1706 if (ntohl(id) != (u32)(unsigned long)exp) {
1707 nf_ct_expect_put(exp); 1707 nf_ct_expect_put(exp);
1708 return -ENOENT; 1708 return -ENOENT;
1709 } 1709 }
1710 } 1710 }
1711 1711
1712 /* after list removal, usage count == 1 */ 1712 /* after list removal, usage count == 1 */
1713 nf_ct_unexpect_related(exp); 1713 nf_ct_unexpect_related(exp);
1714 /* have to put what we 'get' above. 1714 /* have to put what we 'get' above.
1715 * after this line usage count == 0 */ 1715 * after this line usage count == 0 */
1716 nf_ct_expect_put(exp); 1716 nf_ct_expect_put(exp);
1717 } else if (cda[CTA_EXPECT_HELP_NAME]) { 1717 } else if (cda[CTA_EXPECT_HELP_NAME]) {
1718 char *name = nla_data(cda[CTA_EXPECT_HELP_NAME]); 1718 char *name = nla_data(cda[CTA_EXPECT_HELP_NAME]);
1719 struct nf_conn_help *m_help; 1719 struct nf_conn_help *m_help;
1720 1720
1721 /* delete all expectations for this helper */ 1721 /* delete all expectations for this helper */
1722 spin_lock_bh(&nf_conntrack_lock); 1722 spin_lock_bh(&nf_conntrack_lock);
1723 h = __nf_conntrack_helper_find_byname(name); 1723 h = __nf_conntrack_helper_find_byname(name);
1724 if (!h) { 1724 if (!h) {
1725 spin_unlock_bh(&nf_conntrack_lock); 1725 spin_unlock_bh(&nf_conntrack_lock);
1726 return -EOPNOTSUPP; 1726 return -EOPNOTSUPP;
1727 } 1727 }
1728 for (i = 0; i < nf_ct_expect_hsize; i++) { 1728 for (i = 0; i < nf_ct_expect_hsize; i++) {
1729 hlist_for_each_entry_safe(exp, n, next, 1729 hlist_for_each_entry_safe(exp, n, next,
1730 &init_net.ct.expect_hash[i], 1730 &init_net.ct.expect_hash[i],
1731 hnode) { 1731 hnode) {
1732 m_help = nfct_help(exp->master); 1732 m_help = nfct_help(exp->master);
1733 if (m_help->helper == h 1733 if (m_help->helper == h
1734 && del_timer(&exp->timeout)) { 1734 && del_timer(&exp->timeout)) {
1735 nf_ct_unlink_expect(exp); 1735 nf_ct_unlink_expect(exp);
1736 nf_ct_expect_put(exp); 1736 nf_ct_expect_put(exp);
1737 } 1737 }
1738 } 1738 }
1739 } 1739 }
1740 spin_unlock_bh(&nf_conntrack_lock); 1740 spin_unlock_bh(&nf_conntrack_lock);
1741 } else { 1741 } else {
1742 /* This basically means we have to flush everything*/ 1742 /* This basically means we have to flush everything*/
1743 spin_lock_bh(&nf_conntrack_lock); 1743 spin_lock_bh(&nf_conntrack_lock);
1744 for (i = 0; i < nf_ct_expect_hsize; i++) { 1744 for (i = 0; i < nf_ct_expect_hsize; i++) {
1745 hlist_for_each_entry_safe(exp, n, next, 1745 hlist_for_each_entry_safe(exp, n, next,
1746 &init_net.ct.expect_hash[i], 1746 &init_net.ct.expect_hash[i],
1747 hnode) { 1747 hnode) {
1748 if (del_timer(&exp->timeout)) { 1748 if (del_timer(&exp->timeout)) {
1749 nf_ct_unlink_expect(exp); 1749 nf_ct_unlink_expect(exp);
1750 nf_ct_expect_put(exp); 1750 nf_ct_expect_put(exp);
1751 } 1751 }
1752 } 1752 }
1753 } 1753 }
1754 spin_unlock_bh(&nf_conntrack_lock); 1754 spin_unlock_bh(&nf_conntrack_lock);
1755 } 1755 }
1756 1756
1757 return 0; 1757 return 0;
1758 } 1758 }
1759 static int 1759 static int
1760 ctnetlink_change_expect(struct nf_conntrack_expect *x, struct nlattr *cda[]) 1760 ctnetlink_change_expect(struct nf_conntrack_expect *x, struct nlattr *cda[])
1761 { 1761 {
1762 return -EOPNOTSUPP; 1762 return -EOPNOTSUPP;
1763 } 1763 }
1764 1764
1765 static int 1765 static int
1766 ctnetlink_create_expect(struct nlattr *cda[], u_int8_t u3, u32 pid, int report) 1766 ctnetlink_create_expect(struct nlattr *cda[], u_int8_t u3, u32 pid, int report)
1767 { 1767 {
1768 struct nf_conntrack_tuple tuple, mask, master_tuple; 1768 struct nf_conntrack_tuple tuple, mask, master_tuple;
1769 struct nf_conntrack_tuple_hash *h = NULL; 1769 struct nf_conntrack_tuple_hash *h = NULL;
1770 struct nf_conntrack_expect *exp; 1770 struct nf_conntrack_expect *exp;
1771 struct nf_conn *ct; 1771 struct nf_conn *ct;
1772 struct nf_conn_help *help; 1772 struct nf_conn_help *help;
1773 int err = 0; 1773 int err = 0;
1774 1774
1775 /* caller guarantees that those three CTA_EXPECT_* exist */ 1775 /* caller guarantees that those three CTA_EXPECT_* exist */
1776 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, u3); 1776 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, u3);
1777 if (err < 0) 1777 if (err < 0)
1778 return err; 1778 return err;
1779 err = ctnetlink_parse_tuple(cda, &mask, CTA_EXPECT_MASK, u3); 1779 err = ctnetlink_parse_tuple(cda, &mask, CTA_EXPECT_MASK, u3);
1780 if (err < 0) 1780 if (err < 0)
1781 return err; 1781 return err;
1782 err = ctnetlink_parse_tuple(cda, &master_tuple, CTA_EXPECT_MASTER, u3); 1782 err = ctnetlink_parse_tuple(cda, &master_tuple, CTA_EXPECT_MASTER, u3);
1783 if (err < 0) 1783 if (err < 0)
1784 return err; 1784 return err;
1785 1785
1786 /* Look for master conntrack of this expectation */ 1786 /* Look for master conntrack of this expectation */
1787 h = nf_conntrack_find_get(&init_net, &master_tuple); 1787 h = nf_conntrack_find_get(&init_net, &master_tuple);
1788 if (!h) 1788 if (!h)
1789 return -ENOENT; 1789 return -ENOENT;
1790 ct = nf_ct_tuplehash_to_ctrack(h); 1790 ct = nf_ct_tuplehash_to_ctrack(h);
1791 help = nfct_help(ct); 1791 help = nfct_help(ct);
1792 1792
1793 if (!help || !help->helper) { 1793 if (!help || !help->helper) {
1794 /* such conntrack hasn't got any helper, abort */ 1794 /* such conntrack hasn't got any helper, abort */
1795 err = -EOPNOTSUPP; 1795 err = -EOPNOTSUPP;
1796 goto out; 1796 goto out;
1797 } 1797 }
1798 1798
1799 exp = nf_ct_expect_alloc(ct); 1799 exp = nf_ct_expect_alloc(ct);
1800 if (!exp) { 1800 if (!exp) {
1801 err = -ENOMEM; 1801 err = -ENOMEM;
1802 goto out; 1802 goto out;
1803 } 1803 }
1804 1804
1805 exp->class = 0; 1805 exp->class = 0;
1806 exp->expectfn = NULL; 1806 exp->expectfn = NULL;
1807 exp->flags = 0; 1807 exp->flags = 0;
1808 exp->master = ct; 1808 exp->master = ct;
1809 exp->helper = NULL; 1809 exp->helper = NULL;
1810 memcpy(&exp->tuple, &tuple, sizeof(struct nf_conntrack_tuple)); 1810 memcpy(&exp->tuple, &tuple, sizeof(struct nf_conntrack_tuple));
1811 memcpy(&exp->mask.src.u3, &mask.src.u3, sizeof(exp->mask.src.u3)); 1811 memcpy(&exp->mask.src.u3, &mask.src.u3, sizeof(exp->mask.src.u3));
1812 exp->mask.src.u.all = mask.src.u.all; 1812 exp->mask.src.u.all = mask.src.u.all;
1813 1813
1814 err = nf_ct_expect_related_report(exp, pid, report); 1814 err = nf_ct_expect_related_report(exp, pid, report);
1815 nf_ct_expect_put(exp); 1815 nf_ct_expect_put(exp);
1816 1816
1817 out: 1817 out:
1818 nf_ct_put(nf_ct_tuplehash_to_ctrack(h)); 1818 nf_ct_put(nf_ct_tuplehash_to_ctrack(h));
1819 return err; 1819 return err;
1820 } 1820 }
1821 1821
1822 static int 1822 static int
1823 ctnetlink_new_expect(struct sock *ctnl, struct sk_buff *skb, 1823 ctnetlink_new_expect(struct sock *ctnl, struct sk_buff *skb,
1824 struct nlmsghdr *nlh, struct nlattr *cda[]) 1824 struct nlmsghdr *nlh, struct nlattr *cda[])
1825 { 1825 {
1826 struct nf_conntrack_tuple tuple; 1826 struct nf_conntrack_tuple tuple;
1827 struct nf_conntrack_expect *exp; 1827 struct nf_conntrack_expect *exp;
1828 struct nfgenmsg *nfmsg = nlmsg_data(nlh); 1828 struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1829 u_int8_t u3 = nfmsg->nfgen_family; 1829 u_int8_t u3 = nfmsg->nfgen_family;
1830 int err = 0; 1830 int err = 0;
1831 1831
1832 if (!cda[CTA_EXPECT_TUPLE] 1832 if (!cda[CTA_EXPECT_TUPLE]
1833 || !cda[CTA_EXPECT_MASK] 1833 || !cda[CTA_EXPECT_MASK]
1834 || !cda[CTA_EXPECT_MASTER]) 1834 || !cda[CTA_EXPECT_MASTER])
1835 return -EINVAL; 1835 return -EINVAL;
1836 1836
1837 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, u3); 1837 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, u3);
1838 if (err < 0) 1838 if (err < 0)
1839 return err; 1839 return err;
1840 1840
1841 spin_lock_bh(&nf_conntrack_lock); 1841 spin_lock_bh(&nf_conntrack_lock);
1842 exp = __nf_ct_expect_find(&init_net, &tuple); 1842 exp = __nf_ct_expect_find(&init_net, &tuple);
1843 1843
1844 if (!exp) { 1844 if (!exp) {
1845 spin_unlock_bh(&nf_conntrack_lock); 1845 spin_unlock_bh(&nf_conntrack_lock);
1846 err = -ENOENT; 1846 err = -ENOENT;
1847 if (nlh->nlmsg_flags & NLM_F_CREATE) { 1847 if (nlh->nlmsg_flags & NLM_F_CREATE) {
1848 err = ctnetlink_create_expect(cda, 1848 err = ctnetlink_create_expect(cda,
1849 u3, 1849 u3,
1850 NETLINK_CB(skb).pid, 1850 NETLINK_CB(skb).pid,
1851 nlmsg_report(nlh)); 1851 nlmsg_report(nlh));
1852 } 1852 }
1853 return err; 1853 return err;
1854 } 1854 }
1855 1855
1856 err = -EEXIST; 1856 err = -EEXIST;
1857 if (!(nlh->nlmsg_flags & NLM_F_EXCL)) 1857 if (!(nlh->nlmsg_flags & NLM_F_EXCL))
1858 err = ctnetlink_change_expect(exp, cda); 1858 err = ctnetlink_change_expect(exp, cda);
1859 spin_unlock_bh(&nf_conntrack_lock); 1859 spin_unlock_bh(&nf_conntrack_lock);
1860 1860
1861 return err; 1861 return err;
1862 } 1862 }
1863 1863
1864 #ifdef CONFIG_NF_CONNTRACK_EVENTS 1864 #ifdef CONFIG_NF_CONNTRACK_EVENTS
1865 static struct nf_ct_event_notifier ctnl_notifier = { 1865 static struct nf_ct_event_notifier ctnl_notifier = {
1866 .fcn = ctnetlink_conntrack_event, 1866 .fcn = ctnetlink_conntrack_event,
1867 }; 1867 };
1868 1868
1869 static struct nf_exp_event_notifier ctnl_notifier_exp = { 1869 static struct nf_exp_event_notifier ctnl_notifier_exp = {
1870 .fcn = ctnetlink_expect_event, 1870 .fcn = ctnetlink_expect_event,
1871 }; 1871 };
1872 #endif 1872 #endif
1873 1873
1874 static const struct nfnl_callback ctnl_cb[IPCTNL_MSG_MAX] = { 1874 static const struct nfnl_callback ctnl_cb[IPCTNL_MSG_MAX] = {
1875 [IPCTNL_MSG_CT_NEW] = { .call = ctnetlink_new_conntrack, 1875 [IPCTNL_MSG_CT_NEW] = { .call = ctnetlink_new_conntrack,
1876 .attr_count = CTA_MAX, 1876 .attr_count = CTA_MAX,
1877 .policy = ct_nla_policy }, 1877 .policy = ct_nla_policy },
1878 [IPCTNL_MSG_CT_GET] = { .call = ctnetlink_get_conntrack, 1878 [IPCTNL_MSG_CT_GET] = { .call = ctnetlink_get_conntrack,
1879 .attr_count = CTA_MAX, 1879 .attr_count = CTA_MAX,
1880 .policy = ct_nla_policy }, 1880 .policy = ct_nla_policy },
1881 [IPCTNL_MSG_CT_DELETE] = { .call = ctnetlink_del_conntrack, 1881 [IPCTNL_MSG_CT_DELETE] = { .call = ctnetlink_del_conntrack,
1882 .attr_count = CTA_MAX, 1882 .attr_count = CTA_MAX,
1883 .policy = ct_nla_policy }, 1883 .policy = ct_nla_policy },
1884 [IPCTNL_MSG_CT_GET_CTRZERO] = { .call = ctnetlink_get_conntrack, 1884 [IPCTNL_MSG_CT_GET_CTRZERO] = { .call = ctnetlink_get_conntrack,
1885 .attr_count = CTA_MAX, 1885 .attr_count = CTA_MAX,
1886 .policy = ct_nla_policy }, 1886 .policy = ct_nla_policy },
1887 }; 1887 };
1888 1888
1889 static const struct nfnl_callback ctnl_exp_cb[IPCTNL_MSG_EXP_MAX] = { 1889 static const struct nfnl_callback ctnl_exp_cb[IPCTNL_MSG_EXP_MAX] = {
1890 [IPCTNL_MSG_EXP_GET] = { .call = ctnetlink_get_expect, 1890 [IPCTNL_MSG_EXP_GET] = { .call = ctnetlink_get_expect,
1891 .attr_count = CTA_EXPECT_MAX, 1891 .attr_count = CTA_EXPECT_MAX,
1892 .policy = exp_nla_policy }, 1892 .policy = exp_nla_policy },
1893 [IPCTNL_MSG_EXP_NEW] = { .call = ctnetlink_new_expect, 1893 [IPCTNL_MSG_EXP_NEW] = { .call = ctnetlink_new_expect,
1894 .attr_count = CTA_EXPECT_MAX, 1894 .attr_count = CTA_EXPECT_MAX,
1895 .policy = exp_nla_policy }, 1895 .policy = exp_nla_policy },
1896 [IPCTNL_MSG_EXP_DELETE] = { .call = ctnetlink_del_expect, 1896 [IPCTNL_MSG_EXP_DELETE] = { .call = ctnetlink_del_expect,
1897 .attr_count = CTA_EXPECT_MAX, 1897 .attr_count = CTA_EXPECT_MAX,
1898 .policy = exp_nla_policy }, 1898 .policy = exp_nla_policy },
1899 }; 1899 };
1900 1900
1901 static const struct nfnetlink_subsystem ctnl_subsys = { 1901 static const struct nfnetlink_subsystem ctnl_subsys = {
1902 .name = "conntrack", 1902 .name = "conntrack",
1903 .subsys_id = NFNL_SUBSYS_CTNETLINK, 1903 .subsys_id = NFNL_SUBSYS_CTNETLINK,
1904 .cb_count = IPCTNL_MSG_MAX, 1904 .cb_count = IPCTNL_MSG_MAX,
1905 .cb = ctnl_cb, 1905 .cb = ctnl_cb,
1906 }; 1906 };
1907 1907
1908 static const struct nfnetlink_subsystem ctnl_exp_subsys = { 1908 static const struct nfnetlink_subsystem ctnl_exp_subsys = {
1909 .name = "conntrack_expect", 1909 .name = "conntrack_expect",
1910 .subsys_id = NFNL_SUBSYS_CTNETLINK_EXP, 1910 .subsys_id = NFNL_SUBSYS_CTNETLINK_EXP,
1911 .cb_count = IPCTNL_MSG_EXP_MAX, 1911 .cb_count = IPCTNL_MSG_EXP_MAX,
1912 .cb = ctnl_exp_cb, 1912 .cb = ctnl_exp_cb,
1913 }; 1913 };
1914 1914
1915 MODULE_ALIAS("ip_conntrack_netlink"); 1915 MODULE_ALIAS("ip_conntrack_netlink");
1916 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK); 1916 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK);
1917 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK_EXP); 1917 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK_EXP);
1918 1918
1919 static int __init ctnetlink_init(void) 1919 static int __init ctnetlink_init(void)
1920 { 1920 {
1921 int ret; 1921 int ret;
1922 1922
1923 printk("ctnetlink v%s: registering with nfnetlink.\n", version); 1923 printk("ctnetlink v%s: registering with nfnetlink.\n", version);
1924 ret = nfnetlink_subsys_register(&ctnl_subsys); 1924 ret = nfnetlink_subsys_register(&ctnl_subsys);
1925 if (ret < 0) { 1925 if (ret < 0) {
1926 printk("ctnetlink_init: cannot register with nfnetlink.\n"); 1926 printk("ctnetlink_init: cannot register with nfnetlink.\n");
1927 goto err_out; 1927 goto err_out;
1928 } 1928 }
1929 1929
1930 ret = nfnetlink_subsys_register(&ctnl_exp_subsys); 1930 ret = nfnetlink_subsys_register(&ctnl_exp_subsys);
1931 if (ret < 0) { 1931 if (ret < 0) {
1932 printk("ctnetlink_init: cannot register exp with nfnetlink.\n"); 1932 printk("ctnetlink_init: cannot register exp with nfnetlink.\n");
1933 goto err_unreg_subsys; 1933 goto err_unreg_subsys;
1934 } 1934 }
1935 1935
1936 #ifdef CONFIG_NF_CONNTRACK_EVENTS 1936 #ifdef CONFIG_NF_CONNTRACK_EVENTS
1937 ret = nf_conntrack_register_notifier(&ctnl_notifier); 1937 ret = nf_conntrack_register_notifier(&ctnl_notifier);
1938 if (ret < 0) { 1938 if (ret < 0) {
1939 printk("ctnetlink_init: cannot register notifier.\n"); 1939 printk("ctnetlink_init: cannot register notifier.\n");
1940 goto err_unreg_exp_subsys; 1940 goto err_unreg_exp_subsys;
1941 } 1941 }
1942 1942
1943 ret = nf_ct_expect_register_notifier(&ctnl_notifier_exp); 1943 ret = nf_ct_expect_register_notifier(&ctnl_notifier_exp);
1944 if (ret < 0) { 1944 if (ret < 0) {
1945 printk("ctnetlink_init: cannot expect register notifier.\n"); 1945 printk("ctnetlink_init: cannot expect register notifier.\n");
1946 goto err_unreg_notifier; 1946 goto err_unreg_notifier;
1947 } 1947 }
1948 #endif 1948 #endif
1949 1949
1950 return 0; 1950 return 0;
1951 1951
1952 #ifdef CONFIG_NF_CONNTRACK_EVENTS 1952 #ifdef CONFIG_NF_CONNTRACK_EVENTS
1953 err_unreg_notifier: 1953 err_unreg_notifier:
1954 nf_conntrack_unregister_notifier(&ctnl_notifier); 1954 nf_conntrack_unregister_notifier(&ctnl_notifier);
1955 err_unreg_exp_subsys: 1955 err_unreg_exp_subsys:
1956 nfnetlink_subsys_unregister(&ctnl_exp_subsys); 1956 nfnetlink_subsys_unregister(&ctnl_exp_subsys);
1957 #endif 1957 #endif
1958 err_unreg_subsys: 1958 err_unreg_subsys:
1959 nfnetlink_subsys_unregister(&ctnl_subsys); 1959 nfnetlink_subsys_unregister(&ctnl_subsys);
1960 err_out: 1960 err_out:
1961 return ret; 1961 return ret;
1962 } 1962 }
1963 1963
1964 static void __exit ctnetlink_exit(void) 1964 static void __exit ctnetlink_exit(void)
1965 { 1965 {
1966 printk("ctnetlink: unregistering from nfnetlink.\n"); 1966 printk("ctnetlink: unregistering from nfnetlink.\n");
1967 1967
1968 #ifdef CONFIG_NF_CONNTRACK_EVENTS 1968 #ifdef CONFIG_NF_CONNTRACK_EVENTS
1969 nf_ct_expect_unregister_notifier(&ctnl_notifier_exp); 1969 nf_ct_expect_unregister_notifier(&ctnl_notifier_exp);
1970 nf_conntrack_unregister_notifier(&ctnl_notifier); 1970 nf_conntrack_unregister_notifier(&ctnl_notifier);
1971 #endif 1971 #endif
1972 1972
1973 nfnetlink_subsys_unregister(&ctnl_exp_subsys); 1973 nfnetlink_subsys_unregister(&ctnl_exp_subsys);
1974 nfnetlink_subsys_unregister(&ctnl_subsys); 1974 nfnetlink_subsys_unregister(&ctnl_subsys);
1975 return; 1975 return;
1976 } 1976 }
1977 1977
1978 module_init(ctnetlink_init); 1978 module_init(ctnetlink_init);
1979 module_exit(ctnetlink_exit); 1979 module_exit(ctnetlink_exit);
1980 1980
net/netfilter/nf_conntrack_proto_dccp.c
Diff comments   View file @ 440f0d5
1 /* 1 /*
2 * DCCP connection tracking protocol helper 2 * DCCP connection tracking protocol helper
3 * 3 *
4 * Copyright (c) 2005, 2006, 2008 Patrick McHardy <kaber@trash.net> 4 * Copyright (c) 2005, 2006, 2008 Patrick McHardy <kaber@trash.net>
5 * 5 *
6 * This program is free software; you can redistribute it and/or modify 6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License version 2 as 7 * it under the terms of the GNU General Public License version 2 as
8 * published by the Free Software Foundation. 8 * published by the Free Software Foundation.
9 * 9 *
10 */ 10 */
11 #include <linux/kernel.h> 11 #include <linux/kernel.h>
12 #include <linux/module.h> 12 #include <linux/module.h>
13 #include <linux/init.h> 13 #include <linux/init.h>
14 #include <linux/sysctl.h> 14 #include <linux/sysctl.h>
15 #include <linux/spinlock.h> 15 #include <linux/spinlock.h>
16 #include <linux/skbuff.h> 16 #include <linux/skbuff.h>
17 #include <linux/dccp.h> 17 #include <linux/dccp.h>
18 18
19 #include <net/net_namespace.h> 19 #include <net/net_namespace.h>
20 #include <net/netns/generic.h> 20 #include <net/netns/generic.h>
21 21
22 #include <linux/netfilter/nfnetlink_conntrack.h> 22 #include <linux/netfilter/nfnetlink_conntrack.h>
23 #include <net/netfilter/nf_conntrack.h> 23 #include <net/netfilter/nf_conntrack.h>
24 #include <net/netfilter/nf_conntrack_l4proto.h> 24 #include <net/netfilter/nf_conntrack_l4proto.h>
25 #include <net/netfilter/nf_log.h> 25 #include <net/netfilter/nf_log.h>
26 26
27 static DEFINE_RWLOCK(dccp_lock);
28
29 /* Timeouts are based on values from RFC4340: 27 /* Timeouts are based on values from RFC4340:
30 * 28 *
31 * - REQUEST: 29 * - REQUEST:
32 * 30 *
33 * 8.1.2. Client Request 31 * 8.1.2. Client Request
34 * 32 *
35 * A client MAY give up on its DCCP-Requests after some time 33 * A client MAY give up on its DCCP-Requests after some time
36 * (3 minutes, for example). 34 * (3 minutes, for example).
37 * 35 *
38 * - RESPOND: 36 * - RESPOND:
39 * 37 *
40 * 8.1.3. Server Response 38 * 8.1.3. Server Response
41 * 39 *
42 * It MAY also leave the RESPOND state for CLOSED after a timeout of 40 * It MAY also leave the RESPOND state for CLOSED after a timeout of
43 * not less than 4MSL (8 minutes); 41 * not less than 4MSL (8 minutes);
44 * 42 *
45 * - PARTOPEN: 43 * - PARTOPEN:
46 * 44 *
47 * 8.1.5. Handshake Completion 45 * 8.1.5. Handshake Completion
48 * 46 *
49 * If the client remains in PARTOPEN for more than 4MSL (8 minutes), 47 * If the client remains in PARTOPEN for more than 4MSL (8 minutes),
50 * it SHOULD reset the connection with Reset Code 2, "Aborted". 48 * it SHOULD reset the connection with Reset Code 2, "Aborted".
51 * 49 *
52 * - OPEN: 50 * - OPEN:
53 * 51 *
54 * The DCCP timestamp overflows after 11.9 hours. If the connection 52 * The DCCP timestamp overflows after 11.9 hours. If the connection
55 * stays idle this long the sequence number won't be recognized 53 * stays idle this long the sequence number won't be recognized
56 * as valid anymore. 54 * as valid anymore.
57 * 55 *
58 * - CLOSEREQ/CLOSING: 56 * - CLOSEREQ/CLOSING:
59 * 57 *
60 * 8.3. Termination 58 * 8.3. Termination
61 * 59 *
62 * The retransmission timer should initially be set to go off in two 60 * The retransmission timer should initially be set to go off in two
63 * round-trip times and should back off to not less than once every 61 * round-trip times and should back off to not less than once every
64 * 64 seconds ... 62 * 64 seconds ...
65 * 63 *
66 * - TIMEWAIT: 64 * - TIMEWAIT:
67 * 65 *
68 * 4.3. States 66 * 4.3. States
69 * 67 *
70 * A server or client socket remains in this state for 2MSL (4 minutes) 68 * A server or client socket remains in this state for 2MSL (4 minutes)
71 * after the connection has been town down, ... 69 * after the connection has been town down, ...
72 */ 70 */
73 71
74 #define DCCP_MSL (2 * 60 * HZ) 72 #define DCCP_MSL (2 * 60 * HZ)
75 73
76 static const char * const dccp_state_names[] = { 74 static const char * const dccp_state_names[] = {
77 [CT_DCCP_NONE] = "NONE", 75 [CT_DCCP_NONE] = "NONE",
78 [CT_DCCP_REQUEST] = "REQUEST", 76 [CT_DCCP_REQUEST] = "REQUEST",
79 [CT_DCCP_RESPOND] = "RESPOND", 77 [CT_DCCP_RESPOND] = "RESPOND",
80 [CT_DCCP_PARTOPEN] = "PARTOPEN", 78 [CT_DCCP_PARTOPEN] = "PARTOPEN",
81 [CT_DCCP_OPEN] = "OPEN", 79 [CT_DCCP_OPEN] = "OPEN",
82 [CT_DCCP_CLOSEREQ] = "CLOSEREQ", 80 [CT_DCCP_CLOSEREQ] = "CLOSEREQ",
83 [CT_DCCP_CLOSING] = "CLOSING", 81 [CT_DCCP_CLOSING] = "CLOSING",
84 [CT_DCCP_TIMEWAIT] = "TIMEWAIT", 82 [CT_DCCP_TIMEWAIT] = "TIMEWAIT",
85 [CT_DCCP_IGNORE] = "IGNORE", 83 [CT_DCCP_IGNORE] = "IGNORE",
86 [CT_DCCP_INVALID] = "INVALID", 84 [CT_DCCP_INVALID] = "INVALID",
87 }; 85 };
88 86
89 #define sNO CT_DCCP_NONE 87 #define sNO CT_DCCP_NONE
90 #define sRQ CT_DCCP_REQUEST 88 #define sRQ CT_DCCP_REQUEST
91 #define sRS CT_DCCP_RESPOND 89 #define sRS CT_DCCP_RESPOND
92 #define sPO CT_DCCP_PARTOPEN 90 #define sPO CT_DCCP_PARTOPEN
93 #define sOP CT_DCCP_OPEN 91 #define sOP CT_DCCP_OPEN
94 #define sCR CT_DCCP_CLOSEREQ 92 #define sCR CT_DCCP_CLOSEREQ
95 #define sCG CT_DCCP_CLOSING 93 #define sCG CT_DCCP_CLOSING
96 #define sTW CT_DCCP_TIMEWAIT 94 #define sTW CT_DCCP_TIMEWAIT
97 #define sIG CT_DCCP_IGNORE 95 #define sIG CT_DCCP_IGNORE
98 #define sIV CT_DCCP_INVALID 96 #define sIV CT_DCCP_INVALID
99 97
100 /* 98 /*
101 * DCCP state transistion table 99 * DCCP state transistion table
102 * 100 *
103 * The assumption is the same as for TCP tracking: 101 * The assumption is the same as for TCP tracking:
104 * 102 *
105 * We are the man in the middle. All the packets go through us but might 103 * We are the man in the middle. All the packets go through us but might
106 * get lost in transit to the destination. It is assumed that the destination 104 * get lost in transit to the destination. It is assumed that the destination
107 * can't receive segments we haven't seen. 105 * can't receive segments we haven't seen.
108 * 106 *
109 * The following states exist: 107 * The following states exist:
110 * 108 *
111 * NONE: Initial state, expecting Request 109 * NONE: Initial state, expecting Request
112 * REQUEST: Request seen, waiting for Response from server 110 * REQUEST: Request seen, waiting for Response from server
113 * RESPOND: Response from server seen, waiting for Ack from client 111 * RESPOND: Response from server seen, waiting for Ack from client
114 * PARTOPEN: Ack after Response seen, waiting for packet other than Response, 112 * PARTOPEN: Ack after Response seen, waiting for packet other than Response,
115 * Reset or Sync from server 113 * Reset or Sync from server
116 * OPEN: Packet other than Response, Reset or Sync seen 114 * OPEN: Packet other than Response, Reset or Sync seen
117 * CLOSEREQ: CloseReq from server seen, expecting Close from client 115 * CLOSEREQ: CloseReq from server seen, expecting Close from client
118 * CLOSING: Close seen, expecting Reset 116 * CLOSING: Close seen, expecting Reset
119 * TIMEWAIT: Reset seen 117 * TIMEWAIT: Reset seen
120 * IGNORE: Not determinable whether packet is valid 118 * IGNORE: Not determinable whether packet is valid
121 * 119 *
122 * Some states exist only on one side of the connection: REQUEST, RESPOND, 120 * Some states exist only on one side of the connection: REQUEST, RESPOND,
123 * PARTOPEN, CLOSEREQ. For the other side these states are equivalent to 121 * PARTOPEN, CLOSEREQ. For the other side these states are equivalent to
124 * the one it was in before. 122 * the one it was in before.
125 * 123 *
126 * Packets are marked as ignored (sIG) if we don't know if they're valid 124 * Packets are marked as ignored (sIG) if we don't know if they're valid
127 * (for example a reincarnation of a connection we didn't notice is dead 125 * (for example a reincarnation of a connection we didn't notice is dead
128 * already) and the server may send back a connection closing Reset or a 126 * already) and the server may send back a connection closing Reset or a
129 * Response. They're also used for Sync/SyncAck packets, which we don't 127 * Response. They're also used for Sync/SyncAck packets, which we don't
130 * care about. 128 * care about.
131 */ 129 */
132 static const u_int8_t 130 static const u_int8_t
133 dccp_state_table[CT_DCCP_ROLE_MAX + 1][DCCP_PKT_SYNCACK + 1][CT_DCCP_MAX + 1] = { 131 dccp_state_table[CT_DCCP_ROLE_MAX + 1][DCCP_PKT_SYNCACK + 1][CT_DCCP_MAX + 1] = {
134 [CT_DCCP_ROLE_CLIENT] = { 132 [CT_DCCP_ROLE_CLIENT] = {
135 [DCCP_PKT_REQUEST] = { 133 [DCCP_PKT_REQUEST] = {
136 /* 134 /*
137 * sNO -> sRQ Regular Request 135 * sNO -> sRQ Regular Request
138 * sRQ -> sRQ Retransmitted Request or reincarnation 136 * sRQ -> sRQ Retransmitted Request or reincarnation
139 * sRS -> sRS Retransmitted Request (apparently Response 137 * sRS -> sRS Retransmitted Request (apparently Response
140 * got lost after we saw it) or reincarnation 138 * got lost after we saw it) or reincarnation
141 * sPO -> sIG Ignore, conntrack might be out of sync 139 * sPO -> sIG Ignore, conntrack might be out of sync
142 * sOP -> sIG Ignore, conntrack might be out of sync 140 * sOP -> sIG Ignore, conntrack might be out of sync
143 * sCR -> sIG Ignore, conntrack might be out of sync 141 * sCR -> sIG Ignore, conntrack might be out of sync
144 * sCG -> sIG Ignore, conntrack might be out of sync 142 * sCG -> sIG Ignore, conntrack might be out of sync
145 * sTW -> sRQ Reincarnation 143 * sTW -> sRQ Reincarnation
146 * 144 *
147 * sNO, sRQ, sRS, sPO. sOP, sCR, sCG, sTW, */ 145 * sNO, sRQ, sRS, sPO. sOP, sCR, sCG, sTW, */
148 sRQ, sRQ, sRS, sIG, sIG, sIG, sIG, sRQ, 146 sRQ, sRQ, sRS, sIG, sIG, sIG, sIG, sRQ,
149 }, 147 },
150 [DCCP_PKT_RESPONSE] = { 148 [DCCP_PKT_RESPONSE] = {
151 /* 149 /*
152 * sNO -> sIV Invalid 150 * sNO -> sIV Invalid
153 * sRQ -> sIG Ignore, might be response to ignored Request 151 * sRQ -> sIG Ignore, might be response to ignored Request
154 * sRS -> sIG Ignore, might be response to ignored Request 152 * sRS -> sIG Ignore, might be response to ignored Request
155 * sPO -> sIG Ignore, might be response to ignored Request 153 * sPO -> sIG Ignore, might be response to ignored Request
156 * sOP -> sIG Ignore, might be response to ignored Request 154 * sOP -> sIG Ignore, might be response to ignored Request
157 * sCR -> sIG Ignore, might be response to ignored Request 155 * sCR -> sIG Ignore, might be response to ignored Request
158 * sCG -> sIG Ignore, might be response to ignored Request 156 * sCG -> sIG Ignore, might be response to ignored Request
159 * sTW -> sIV Invalid, reincarnation in reverse direction 157 * sTW -> sIV Invalid, reincarnation in reverse direction
160 * goes through sRQ 158 * goes through sRQ
161 * 159 *
162 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 160 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
163 sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIV, 161 sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIV,
164 }, 162 },
165 [DCCP_PKT_ACK] = { 163 [DCCP_PKT_ACK] = {
166 /* 164 /*
167 * sNO -> sIV No connection 165 * sNO -> sIV No connection
168 * sRQ -> sIV No connection 166 * sRQ -> sIV No connection
169 * sRS -> sPO Ack for Response, move to PARTOPEN (8.1.5.) 167 * sRS -> sPO Ack for Response, move to PARTOPEN (8.1.5.)
170 * sPO -> sPO Retransmitted Ack for Response, remain in PARTOPEN 168 * sPO -> sPO Retransmitted Ack for Response, remain in PARTOPEN
171 * sOP -> sOP Regular ACK, remain in OPEN 169 * sOP -> sOP Regular ACK, remain in OPEN
172 * sCR -> sCR Ack in CLOSEREQ MAY be processed (8.3.) 170 * sCR -> sCR Ack in CLOSEREQ MAY be processed (8.3.)
173 * sCG -> sCG Ack in CLOSING MAY be processed (8.3.) 171 * sCG -> sCG Ack in CLOSING MAY be processed (8.3.)
174 * sTW -> sIV 172 * sTW -> sIV
175 * 173 *
176 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 174 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
177 sIV, sIV, sPO, sPO, sOP, sCR, sCG, sIV 175 sIV, sIV, sPO, sPO, sOP, sCR, sCG, sIV
178 }, 176 },
179 [DCCP_PKT_DATA] = { 177 [DCCP_PKT_DATA] = {
180 /* 178 /*
181 * sNO -> sIV No connection 179 * sNO -> sIV No connection
182 * sRQ -> sIV No connection 180 * sRQ -> sIV No connection
183 * sRS -> sIV No connection 181 * sRS -> sIV No connection
184 * sPO -> sIV MUST use DataAck in PARTOPEN state (8.1.5.) 182 * sPO -> sIV MUST use DataAck in PARTOPEN state (8.1.5.)
185 * sOP -> sOP Regular Data packet 183 * sOP -> sOP Regular Data packet
186 * sCR -> sCR Data in CLOSEREQ MAY be processed (8.3.) 184 * sCR -> sCR Data in CLOSEREQ MAY be processed (8.3.)
187 * sCG -> sCG Data in CLOSING MAY be processed (8.3.) 185 * sCG -> sCG Data in CLOSING MAY be processed (8.3.)
188 * sTW -> sIV 186 * sTW -> sIV
189 * 187 *
190 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 188 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
191 sIV, sIV, sIV, sIV, sOP, sCR, sCG, sIV, 189 sIV, sIV, sIV, sIV, sOP, sCR, sCG, sIV,
192 }, 190 },
193 [DCCP_PKT_DATAACK] = { 191 [DCCP_PKT_DATAACK] = {
194 /* 192 /*
195 * sNO -> sIV No connection 193 * sNO -> sIV No connection
196 * sRQ -> sIV No connection 194 * sRQ -> sIV No connection
197 * sRS -> sPO Ack for Response, move to PARTOPEN (8.1.5.) 195 * sRS -> sPO Ack for Response, move to PARTOPEN (8.1.5.)
198 * sPO -> sPO Remain in PARTOPEN state 196 * sPO -> sPO Remain in PARTOPEN state
199 * sOP -> sOP Regular DataAck packet in OPEN state 197 * sOP -> sOP Regular DataAck packet in OPEN state
200 * sCR -> sCR DataAck in CLOSEREQ MAY be processed (8.3.) 198 * sCR -> sCR DataAck in CLOSEREQ MAY be processed (8.3.)
201 * sCG -> sCG DataAck in CLOSING MAY be processed (8.3.) 199 * sCG -> sCG DataAck in CLOSING MAY be processed (8.3.)
202 * sTW -> sIV 200 * sTW -> sIV
203 * 201 *
204 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 202 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
205 sIV, sIV, sPO, sPO, sOP, sCR, sCG, sIV 203 sIV, sIV, sPO, sPO, sOP, sCR, sCG, sIV
206 }, 204 },
207 [DCCP_PKT_CLOSEREQ] = { 205 [DCCP_PKT_CLOSEREQ] = {
208 /* 206 /*
209 * CLOSEREQ may only be sent by the server. 207 * CLOSEREQ may only be sent by the server.
210 * 208 *
211 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 209 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
212 sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV 210 sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV
213 }, 211 },
214 [DCCP_PKT_CLOSE] = { 212 [DCCP_PKT_CLOSE] = {
215 /* 213 /*
216 * sNO -> sIV No connection 214 * sNO -> sIV No connection
217 * sRQ -> sIV No connection 215 * sRQ -> sIV No connection
218 * sRS -> sIV No connection 216 * sRS -> sIV No connection
219 * sPO -> sCG Client-initiated close 217 * sPO -> sCG Client-initiated close
220 * sOP -> sCG Client-initiated close 218 * sOP -> sCG Client-initiated close
221 * sCR -> sCG Close in response to CloseReq (8.3.) 219 * sCR -> sCG Close in response to CloseReq (8.3.)
222 * sCG -> sCG Retransmit 220 * sCG -> sCG Retransmit
223 * sTW -> sIV Late retransmit, already in TIME_WAIT 221 * sTW -> sIV Late retransmit, already in TIME_WAIT
224 * 222 *
225 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 223 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
226 sIV, sIV, sIV, sCG, sCG, sCG, sIV, sIV 224 sIV, sIV, sIV, sCG, sCG, sCG, sIV, sIV
227 }, 225 },
228 [DCCP_PKT_RESET] = { 226 [DCCP_PKT_RESET] = {
229 /* 227 /*
230 * sNO -> sIV No connection 228 * sNO -> sIV No connection
231 * sRQ -> sTW Sync received or timeout, SHOULD send Reset (8.1.1.) 229 * sRQ -> sTW Sync received or timeout, SHOULD send Reset (8.1.1.)
232 * sRS -> sTW Response received without Request 230 * sRS -> sTW Response received without Request
233 * sPO -> sTW Timeout, SHOULD send Reset (8.1.5.) 231 * sPO -> sTW Timeout, SHOULD send Reset (8.1.5.)
234 * sOP -> sTW Connection reset 232 * sOP -> sTW Connection reset
235 * sCR -> sTW Connection reset 233 * sCR -> sTW Connection reset
236 * sCG -> sTW Connection reset 234 * sCG -> sTW Connection reset
237 * sTW -> sIG Ignore (don't refresh timer) 235 * sTW -> sIG Ignore (don't refresh timer)
238 * 236 *
239 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 237 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
240 sIV, sTW, sTW, sTW, sTW, sTW, sTW, sIG 238 sIV, sTW, sTW, sTW, sTW, sTW, sTW, sIG
241 }, 239 },
242 [DCCP_PKT_SYNC] = { 240 [DCCP_PKT_SYNC] = {
243 /* 241 /*
244 * We currently ignore Sync packets 242 * We currently ignore Sync packets
245 * 243 *
246 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 244 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
247 sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG, 245 sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
248 }, 246 },
249 [DCCP_PKT_SYNCACK] = { 247 [DCCP_PKT_SYNCACK] = {
250 /* 248 /*
251 * We currently ignore SyncAck packets 249 * We currently ignore SyncAck packets
252 * 250 *
253 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 251 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
254 sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG, 252 sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
255 }, 253 },
256 }, 254 },
257 [CT_DCCP_ROLE_SERVER] = { 255 [CT_DCCP_ROLE_SERVER] = {
258 [DCCP_PKT_REQUEST] = { 256 [DCCP_PKT_REQUEST] = {
259 /* 257 /*
260 * sNO -> sIV Invalid 258 * sNO -> sIV Invalid
261 * sRQ -> sIG Ignore, conntrack might be out of sync 259 * sRQ -> sIG Ignore, conntrack might be out of sync
262 * sRS -> sIG Ignore, conntrack might be out of sync 260 * sRS -> sIG Ignore, conntrack might be out of sync
263 * sPO -> sIG Ignore, conntrack might be out of sync 261 * sPO -> sIG Ignore, conntrack might be out of sync
264 * sOP -> sIG Ignore, conntrack might be out of sync 262 * sOP -> sIG Ignore, conntrack might be out of sync
265 * sCR -> sIG Ignore, conntrack might be out of sync 263 * sCR -> sIG Ignore, conntrack might be out of sync
266 * sCG -> sIG Ignore, conntrack might be out of sync 264 * sCG -> sIG Ignore, conntrack might be out of sync
267 * sTW -> sRQ Reincarnation, must reverse roles 265 * sTW -> sRQ Reincarnation, must reverse roles
268 * 266 *
269 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 267 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
270 sIV, sIG, sIG, sIG, sIG, sIG, sIG, sRQ 268 sIV, sIG, sIG, sIG, sIG, sIG, sIG, sRQ
271 }, 269 },
272 [DCCP_PKT_RESPONSE] = { 270 [DCCP_PKT_RESPONSE] = {
273 /* 271 /*
274 * sNO -> sIV Response without Request 272 * sNO -> sIV Response without Request
275 * sRQ -> sRS Response to clients Request 273 * sRQ -> sRS Response to clients Request
276 * sRS -> sRS Retransmitted Response (8.1.3. SHOULD NOT) 274 * sRS -> sRS Retransmitted Response (8.1.3. SHOULD NOT)
277 * sPO -> sIG Response to an ignored Request or late retransmit 275 * sPO -> sIG Response to an ignored Request or late retransmit
278 * sOP -> sIG Ignore, might be response to ignored Request 276 * sOP -> sIG Ignore, might be response to ignored Request
279 * sCR -> sIG Ignore, might be response to ignored Request 277 * sCR -> sIG Ignore, might be response to ignored Request
280 * sCG -> sIG Ignore, might be response to ignored Request 278 * sCG -> sIG Ignore, might be response to ignored Request
281 * sTW -> sIV Invalid, Request from client in sTW moves to sRQ 279 * sTW -> sIV Invalid, Request from client in sTW moves to sRQ
282 * 280 *
283 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 281 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
284 sIV, sRS, sRS, sIG, sIG, sIG, sIG, sIV 282 sIV, sRS, sRS, sIG, sIG, sIG, sIG, sIV
285 }, 283 },
286 [DCCP_PKT_ACK] = { 284 [DCCP_PKT_ACK] = {
287 /* 285 /*
288 * sNO -> sIV No connection 286 * sNO -> sIV No connection
289 * sRQ -> sIV No connection 287 * sRQ -> sIV No connection
290 * sRS -> sIV No connection 288 * sRS -> sIV No connection
291 * sPO -> sOP Enter OPEN state (8.1.5.) 289 * sPO -> sOP Enter OPEN state (8.1.5.)
292 * sOP -> sOP Regular Ack in OPEN state 290 * sOP -> sOP Regular Ack in OPEN state
293 * sCR -> sIV Waiting for Close from client 291 * sCR -> sIV Waiting for Close from client
294 * sCG -> sCG Ack in CLOSING MAY be processed (8.3.) 292 * sCG -> sCG Ack in CLOSING MAY be processed (8.3.)
295 * sTW -> sIV 293 * sTW -> sIV
296 * 294 *
297 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 295 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
298 sIV, sIV, sIV, sOP, sOP, sIV, sCG, sIV 296 sIV, sIV, sIV, sOP, sOP, sIV, sCG, sIV
299 }, 297 },
300 [DCCP_PKT_DATA] = { 298 [DCCP_PKT_DATA] = {
301 /* 299 /*
302 * sNO -> sIV No connection 300 * sNO -> sIV No connection
303 * sRQ -> sIV No connection 301 * sRQ -> sIV No connection
304 * sRS -> sIV No connection 302 * sRS -> sIV No connection
305 * sPO -> sOP Enter OPEN state (8.1.5.) 303 * sPO -> sOP Enter OPEN state (8.1.5.)
306 * sOP -> sOP Regular Data packet in OPEN state 304 * sOP -> sOP Regular Data packet in OPEN state
307 * sCR -> sIV Waiting for Close from client 305 * sCR -> sIV Waiting for Close from client
308 * sCG -> sCG Data in CLOSING MAY be processed (8.3.) 306 * sCG -> sCG Data in CLOSING MAY be processed (8.3.)
309 * sTW -> sIV 307 * sTW -> sIV
310 * 308 *
311 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 309 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
312 sIV, sIV, sIV, sOP, sOP, sIV, sCG, sIV 310 sIV, sIV, sIV, sOP, sOP, sIV, sCG, sIV
313 }, 311 },
314 [DCCP_PKT_DATAACK] = { 312 [DCCP_PKT_DATAACK] = {
315 /* 313 /*
316 * sNO -> sIV No connection 314 * sNO -> sIV No connection
317 * sRQ -> sIV No connection 315 * sRQ -> sIV No connection
318 * sRS -> sIV No connection 316 * sRS -> sIV No connection
319 * sPO -> sOP Enter OPEN state (8.1.5.) 317 * sPO -> sOP Enter OPEN state (8.1.5.)
320 * sOP -> sOP Regular DataAck in OPEN state 318 * sOP -> sOP Regular DataAck in OPEN state
321 * sCR -> sIV Waiting for Close from client 319 * sCR -> sIV Waiting for Close from client
322 * sCG -> sCG Data in CLOSING MAY be processed (8.3.) 320 * sCG -> sCG Data in CLOSING MAY be processed (8.3.)
323 * sTW -> sIV 321 * sTW -> sIV
324 * 322 *
325 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 323 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
326 sIV, sIV, sIV, sOP, sOP, sIV, sCG, sIV 324 sIV, sIV, sIV, sOP, sOP, sIV, sCG, sIV
327 }, 325 },
328 [DCCP_PKT_CLOSEREQ] = { 326 [DCCP_PKT_CLOSEREQ] = {
329 /* 327 /*
330 * sNO -> sIV No connection 328 * sNO -> sIV No connection
331 * sRQ -> sIV No connection 329 * sRQ -> sIV No connection
332 * sRS -> sIV No connection 330 * sRS -> sIV No connection
333 * sPO -> sOP -> sCR Move directly to CLOSEREQ (8.1.5.) 331 * sPO -> sOP -> sCR Move directly to CLOSEREQ (8.1.5.)
334 * sOP -> sCR CloseReq in OPEN state 332 * sOP -> sCR CloseReq in OPEN state
335 * sCR -> sCR Retransmit 333 * sCR -> sCR Retransmit
336 * sCG -> sCR Simultaneous close, client sends another Close 334 * sCG -> sCR Simultaneous close, client sends another Close
337 * sTW -> sIV Already closed 335 * sTW -> sIV Already closed
338 * 336 *
339 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 337 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
340 sIV, sIV, sIV, sCR, sCR, sCR, sCR, sIV 338 sIV, sIV, sIV, sCR, sCR, sCR, sCR, sIV
341 }, 339 },
342 [DCCP_PKT_CLOSE] = { 340 [DCCP_PKT_CLOSE] = {
343 /* 341 /*
344 * sNO -> sIV No connection 342 * sNO -> sIV No connection
345 * sRQ -> sIV No connection 343 * sRQ -> sIV No connection
346 * sRS -> sIV No connection 344 * sRS -> sIV No connection
347 * sPO -> sOP -> sCG Move direcly to CLOSING 345 * sPO -> sOP -> sCG Move direcly to CLOSING
348 * sOP -> sCG Move to CLOSING 346 * sOP -> sCG Move to CLOSING
349 * sCR -> sIV Close after CloseReq is invalid 347 * sCR -> sIV Close after CloseReq is invalid
350 * sCG -> sCG Retransmit 348 * sCG -> sCG Retransmit
351 * sTW -> sIV Already closed 349 * sTW -> sIV Already closed
352 * 350 *
353 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 351 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
354 sIV, sIV, sIV, sCG, sCG, sIV, sCG, sIV 352 sIV, sIV, sIV, sCG, sCG, sIV, sCG, sIV
355 }, 353 },
356 [DCCP_PKT_RESET] = { 354 [DCCP_PKT_RESET] = {
357 /* 355 /*
358 * sNO -> sIV No connection 356 * sNO -> sIV No connection
359 * sRQ -> sTW Reset in response to Request 357 * sRQ -> sTW Reset in response to Request
360 * sRS -> sTW Timeout, SHOULD send Reset (8.1.3.) 358 * sRS -> sTW Timeout, SHOULD send Reset (8.1.3.)
361 * sPO -> sTW Timeout, SHOULD send Reset (8.1.3.) 359 * sPO -> sTW Timeout, SHOULD send Reset (8.1.3.)
362 * sOP -> sTW 360 * sOP -> sTW
363 * sCR -> sTW 361 * sCR -> sTW
364 * sCG -> sTW 362 * sCG -> sTW
365 * sTW -> sIG Ignore (don't refresh timer) 363 * sTW -> sIG Ignore (don't refresh timer)
366 * 364 *
367 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW, sTW */ 365 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW, sTW */
368 sIV, sTW, sTW, sTW, sTW, sTW, sTW, sTW, sIG 366 sIV, sTW, sTW, sTW, sTW, sTW, sTW, sTW, sIG
369 }, 367 },
370 [DCCP_PKT_SYNC] = { 368 [DCCP_PKT_SYNC] = {
371 /* 369 /*
372 * We currently ignore Sync packets 370 * We currently ignore Sync packets
373 * 371 *
374 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 372 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
375 sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG, 373 sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
376 }, 374 },
377 [DCCP_PKT_SYNCACK] = { 375 [DCCP_PKT_SYNCACK] = {
378 /* 376 /*
379 * We currently ignore SyncAck packets 377 * We currently ignore SyncAck packets
380 * 378 *
381 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */ 379 * sNO, sRQ, sRS, sPO, sOP, sCR, sCG, sTW */
382 sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG, 380 sIG, sIG, sIG, sIG, sIG, sIG, sIG, sIG,
383 }, 381 },
384 }, 382 },
385 }; 383 };
386 384
387 /* this module per-net specifics */ 385 /* this module per-net specifics */
388 static int dccp_net_id; 386 static int dccp_net_id;
389 struct dccp_net { 387 struct dccp_net {
390 int dccp_loose; 388 int dccp_loose;
391 unsigned int dccp_timeout[CT_DCCP_MAX + 1]; 389 unsigned int dccp_timeout[CT_DCCP_MAX + 1];
392 #ifdef CONFIG_SYSCTL 390 #ifdef CONFIG_SYSCTL
393 struct ctl_table_header *sysctl_header; 391 struct ctl_table_header *sysctl_header;
394 struct ctl_table *sysctl_table; 392 struct ctl_table *sysctl_table;
395 #endif 393 #endif
396 }; 394 };
397 395
398 static inline struct dccp_net *dccp_pernet(struct net *net) 396 static inline struct dccp_net *dccp_pernet(struct net *net)
399 { 397 {
400 return net_generic(net, dccp_net_id); 398 return net_generic(net, dccp_net_id);
401 } 399 }
402 400
403 static bool dccp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff, 401 static bool dccp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
404 struct nf_conntrack_tuple *tuple) 402 struct nf_conntrack_tuple *tuple)
405 { 403 {
406 struct dccp_hdr _hdr, *dh; 404 struct dccp_hdr _hdr, *dh;
407 405
408 dh = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr); 406 dh = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr);
409 if (dh == NULL) 407 if (dh == NULL)
410 return false; 408 return false;
411 409
412 tuple->src.u.dccp.port = dh->dccph_sport; 410 tuple->src.u.dccp.port = dh->dccph_sport;
413 tuple->dst.u.dccp.port = dh->dccph_dport; 411 tuple->dst.u.dccp.port = dh->dccph_dport;
414 return true; 412 return true;
415 } 413 }
416 414
417 static bool dccp_invert_tuple(struct nf_conntrack_tuple *inv, 415 static bool dccp_invert_tuple(struct nf_conntrack_tuple *inv,
418 const struct nf_conntrack_tuple *tuple) 416 const struct nf_conntrack_tuple *tuple)
419 { 417 {
420 inv->src.u.dccp.port = tuple->dst.u.dccp.port; 418 inv->src.u.dccp.port = tuple->dst.u.dccp.port;
421 inv->dst.u.dccp.port = tuple->src.u.dccp.port; 419 inv->dst.u.dccp.port = tuple->src.u.dccp.port;
422 return true; 420 return true;
423 } 421 }
424 422
425 static bool dccp_new(struct nf_conn *ct, const struct sk_buff *skb, 423 static bool dccp_new(struct nf_conn *ct, const struct sk_buff *skb,
426 unsigned int dataoff) 424 unsigned int dataoff)
427 { 425 {
428 struct net *net = nf_ct_net(ct); 426 struct net *net = nf_ct_net(ct);
429 struct dccp_net *dn; 427 struct dccp_net *dn;
430 struct dccp_hdr _dh, *dh; 428 struct dccp_hdr _dh, *dh;
431 const char *msg; 429 const char *msg;
432 u_int8_t state; 430 u_int8_t state;
433 431
434 dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh); 432 dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
435 BUG_ON(dh == NULL); 433 BUG_ON(dh == NULL);
436 434
437 state = dccp_state_table[CT_DCCP_ROLE_CLIENT][dh->dccph_type][CT_DCCP_NONE]; 435 state = dccp_state_table[CT_DCCP_ROLE_CLIENT][dh->dccph_type][CT_DCCP_NONE];
438 switch (state) { 436 switch (state) {
439 default: 437 default:
440 dn = dccp_pernet(net); 438 dn = dccp_pernet(net);
441 if (dn->dccp_loose == 0) { 439 if (dn->dccp_loose == 0) {
442 msg = "nf_ct_dccp: not picking up existing connection "; 440 msg = "nf_ct_dccp: not picking up existing connection ";
443 goto out_invalid; 441 goto out_invalid;
444 } 442 }
445 case CT_DCCP_REQUEST: 443 case CT_DCCP_REQUEST:
446 break; 444 break;
447 case CT_DCCP_INVALID: 445 case CT_DCCP_INVALID:
448 msg = "nf_ct_dccp: invalid state transition "; 446 msg = "nf_ct_dccp: invalid state transition ";
449 goto out_invalid; 447 goto out_invalid;
450 } 448 }
451 449
452 ct->proto.dccp.role[IP_CT_DIR_ORIGINAL] = CT_DCCP_ROLE_CLIENT; 450 ct->proto.dccp.role[IP_CT_DIR_ORIGINAL] = CT_DCCP_ROLE_CLIENT;
453 ct->proto.dccp.role[IP_CT_DIR_REPLY] = CT_DCCP_ROLE_SERVER; 451 ct->proto.dccp.role[IP_CT_DIR_REPLY] = CT_DCCP_ROLE_SERVER;
454 ct->proto.dccp.state = CT_DCCP_NONE; 452 ct->proto.dccp.state = CT_DCCP_NONE;
455 return true; 453 return true;
456 454
457 out_invalid: 455 out_invalid:
458 if (LOG_INVALID(net, IPPROTO_DCCP)) 456 if (LOG_INVALID(net, IPPROTO_DCCP))
459 nf_log_packet(nf_ct_l3num(ct), 0, skb, NULL, NULL, NULL, msg); 457 nf_log_packet(nf_ct_l3num(ct), 0, skb, NULL, NULL, NULL, msg);
460 return false; 458 return false;
461 } 459 }
462 460
463 static u64 dccp_ack_seq(const struct dccp_hdr *dh) 461 static u64 dccp_ack_seq(const struct dccp_hdr *dh)
464 { 462 {
465 const struct dccp_hdr_ack_bits *dhack; 463 const struct dccp_hdr_ack_bits *dhack;
466 464
467 dhack = (void *)dh + __dccp_basic_hdr_len(dh); 465 dhack = (void *)dh + __dccp_basic_hdr_len(dh);
468 return ((u64)ntohs(dhack->dccph_ack_nr_high) << 32) + 466 return ((u64)ntohs(dhack->dccph_ack_nr_high) << 32) +
469 ntohl(dhack->dccph_ack_nr_low); 467 ntohl(dhack->dccph_ack_nr_low);
470 } 468 }
471 469
472 static int dccp_packet(struct nf_conn *ct, const struct sk_buff *skb, 470 static int dccp_packet(struct nf_conn *ct, const struct sk_buff *skb,
473 unsigned int dataoff, enum ip_conntrack_info ctinfo, 471 unsigned int dataoff, enum ip_conntrack_info ctinfo,
474 u_int8_t pf, unsigned int hooknum) 472 u_int8_t pf, unsigned int hooknum)
475 { 473 {
476 struct net *net = nf_ct_net(ct); 474 struct net *net = nf_ct_net(ct);
477 struct dccp_net *dn; 475 struct dccp_net *dn;
478 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); 476 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
479 struct dccp_hdr _dh, *dh; 477 struct dccp_hdr _dh, *dh;
480 u_int8_t type, old_state, new_state; 478 u_int8_t type, old_state, new_state;
481 enum ct_dccp_roles role; 479 enum ct_dccp_roles role;
482 480
483 dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh); 481 dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
484 BUG_ON(dh == NULL); 482 BUG_ON(dh == NULL);
485 type = dh->dccph_type; 483 type = dh->dccph_type;
486 484
487 if (type == DCCP_PKT_RESET && 485 if (type == DCCP_PKT_RESET &&
488 !test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) { 486 !test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
489 /* Tear down connection immediately if only reply is a RESET */ 487 /* Tear down connection immediately if only reply is a RESET */
490 nf_ct_kill_acct(ct, ctinfo, skb); 488 nf_ct_kill_acct(ct, ctinfo, skb);
491 return NF_ACCEPT; 489 return NF_ACCEPT;
492 } 490 }
493 491
494 write_lock_bh(&dccp_lock); 492 spin_lock_bh(&ct->lock);
495 493
496 role = ct->proto.dccp.role[dir]; 494 role = ct->proto.dccp.role[dir];
497 old_state = ct->proto.dccp.state; 495 old_state = ct->proto.dccp.state;
498 new_state = dccp_state_table[role][type][old_state]; 496 new_state = dccp_state_table[role][type][old_state];
499 497
500 switch (new_state) { 498 switch (new_state) {
501 case CT_DCCP_REQUEST: 499 case CT_DCCP_REQUEST:
502 if (old_state == CT_DCCP_TIMEWAIT && 500 if (old_state == CT_DCCP_TIMEWAIT &&
503 role == CT_DCCP_ROLE_SERVER) { 501 role == CT_DCCP_ROLE_SERVER) {
504 /* Reincarnation in the reverse direction: reopen and 502 /* Reincarnation in the reverse direction: reopen and
505 * reverse client/server roles. */ 503 * reverse client/server roles. */
506 ct->proto.dccp.role[dir] = CT_DCCP_ROLE_CLIENT; 504 ct->proto.dccp.role[dir] = CT_DCCP_ROLE_CLIENT;
507 ct->proto.dccp.role[!dir] = CT_DCCP_ROLE_SERVER; 505 ct->proto.dccp.role[!dir] = CT_DCCP_ROLE_SERVER;
508 } 506 }
509 break; 507 break;
510 case CT_DCCP_RESPOND: 508 case CT_DCCP_RESPOND:
511 if (old_state == CT_DCCP_REQUEST) 509 if (old_state == CT_DCCP_REQUEST)
512 ct->proto.dccp.handshake_seq = dccp_hdr_seq(dh); 510 ct->proto.dccp.handshake_seq = dccp_hdr_seq(dh);
513 break; 511 break;
514 case CT_DCCP_PARTOPEN: 512 case CT_DCCP_PARTOPEN:
515 if (old_state == CT_DCCP_RESPOND && 513 if (old_state == CT_DCCP_RESPOND &&
516 type == DCCP_PKT_ACK && 514 type == DCCP_PKT_ACK &&
517 dccp_ack_seq(dh) == ct->proto.dccp.handshake_seq) 515 dccp_ack_seq(dh) == ct->proto.dccp.handshake_seq)
518 set_bit(IPS_ASSURED_BIT, &ct->status); 516 set_bit(IPS_ASSURED_BIT, &ct->status);
519 break; 517 break;
520 case CT_DCCP_IGNORE: 518 case CT_DCCP_IGNORE:
521 /* 519 /*
522 * Connection tracking might be out of sync, so we ignore 520 * Connection tracking might be out of sync, so we ignore
523 * packets that might establish a new connection and resync 521 * packets that might establish a new connection and resync
524 * if the server responds with a valid Response. 522 * if the server responds with a valid Response.
525 */ 523 */
526 if (ct->proto.dccp.last_dir == !dir && 524 if (ct->proto.dccp.last_dir == !dir &&
527 ct->proto.dccp.last_pkt == DCCP_PKT_REQUEST && 525 ct->proto.dccp.last_pkt == DCCP_PKT_REQUEST &&
528 type == DCCP_PKT_RESPONSE) { 526 type == DCCP_PKT_RESPONSE) {
529 ct->proto.dccp.role[!dir] = CT_DCCP_ROLE_CLIENT; 527 ct->proto.dccp.role[!dir] = CT_DCCP_ROLE_CLIENT;
530 ct->proto.dccp.role[dir] = CT_DCCP_ROLE_SERVER; 528 ct->proto.dccp.role[dir] = CT_DCCP_ROLE_SERVER;
531 ct->proto.dccp.handshake_seq = dccp_hdr_seq(dh); 529 ct->proto.dccp.handshake_seq = dccp_hdr_seq(dh);
532 new_state = CT_DCCP_RESPOND; 530 new_state = CT_DCCP_RESPOND;
533 break; 531 break;
534 } 532 }
535 ct->proto.dccp.last_dir = dir; 533 ct->proto.dccp.last_dir = dir;
536 ct->proto.dccp.last_pkt = type; 534 ct->proto.dccp.last_pkt = type;
537 535
538 write_unlock_bh(&dccp_lock); 536 spin_unlock_bh(&ct->lock);
539 if (LOG_INVALID(net, IPPROTO_DCCP)) 537 if (LOG_INVALID(net, IPPROTO_DCCP))
540 nf_log_packet(pf, 0, skb, NULL, NULL, NULL, 538 nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
541 "nf_ct_dccp: invalid packet ignored "); 539 "nf_ct_dccp: invalid packet ignored ");
542 return NF_ACCEPT; 540 return NF_ACCEPT;
543 case CT_DCCP_INVALID: 541 case CT_DCCP_INVALID:
544 write_unlock_bh(&dccp_lock); 542 spin_unlock_bh(&ct->lock);
545 if (LOG_INVALID(net, IPPROTO_DCCP)) 543 if (LOG_INVALID(net, IPPROTO_DCCP))
546 nf_log_packet(pf, 0, skb, NULL, NULL, NULL, 544 nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
547 "nf_ct_dccp: invalid state transition "); 545 "nf_ct_dccp: invalid state transition ");
548 return -NF_ACCEPT; 546 return -NF_ACCEPT;
549 } 547 }
550 548
551 ct->proto.dccp.last_dir = dir; 549 ct->proto.dccp.last_dir = dir;
552 ct->proto.dccp.last_pkt = type; 550 ct->proto.dccp.last_pkt = type;
553 ct->proto.dccp.state = new_state; 551 ct->proto.dccp.state = new_state;
554 write_unlock_bh(&dccp_lock); 552 spin_unlock_bh(&ct->lock);
555 553
556 dn = dccp_pernet(net); 554 dn = dccp_pernet(net);
557 nf_ct_refresh_acct(ct, ctinfo, skb, dn->dccp_timeout[new_state]); 555 nf_ct_refresh_acct(ct, ctinfo, skb, dn->dccp_timeout[new_state]);
558 556
559 return NF_ACCEPT; 557 return NF_ACCEPT;
560 } 558 }
561 559
562 static int dccp_error(struct net *net, struct sk_buff *skb, 560 static int dccp_error(struct net *net, struct sk_buff *skb,
563 unsigned int dataoff, enum ip_conntrack_info *ctinfo, 561 unsigned int dataoff, enum ip_conntrack_info *ctinfo,
564 u_int8_t pf, unsigned int hooknum) 562 u_int8_t pf, unsigned int hooknum)
565 { 563 {
566 struct dccp_hdr _dh, *dh; 564 struct dccp_hdr _dh, *dh;
567 unsigned int dccp_len = skb->len - dataoff; 565 unsigned int dccp_len = skb->len - dataoff;
568 unsigned int cscov; 566 unsigned int cscov;
569 const char *msg; 567 const char *msg;
570 568
571 dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh); 569 dh = skb_header_pointer(skb, dataoff, sizeof(_dh), &dh);
572 if (dh == NULL) { 570 if (dh == NULL) {
573 msg = "nf_ct_dccp: short packet "; 571 msg = "nf_ct_dccp: short packet ";
574 goto out_invalid; 572 goto out_invalid;
575 } 573 }
576 574
577 if (dh->dccph_doff * 4 < sizeof(struct dccp_hdr) || 575 if (dh->dccph_doff * 4 < sizeof(struct dccp_hdr) ||
578 dh->dccph_doff * 4 > dccp_len) { 576 dh->dccph_doff * 4 > dccp_len) {
579 msg = "nf_ct_dccp: truncated/malformed packet "; 577 msg = "nf_ct_dccp: truncated/malformed packet ";
580 goto out_invalid; 578 goto out_invalid;
581 } 579 }
582 580
583 cscov = dccp_len; 581 cscov = dccp_len;
584 if (dh->dccph_cscov) { 582 if (dh->dccph_cscov) {
585 cscov = (dh->dccph_cscov - 1) * 4; 583 cscov = (dh->dccph_cscov - 1) * 4;
586 if (cscov > dccp_len) { 584 if (cscov > dccp_len) {
587 msg = "nf_ct_dccp: bad checksum coverage "; 585 msg = "nf_ct_dccp: bad checksum coverage ";
588 goto out_invalid; 586 goto out_invalid;
589 } 587 }
590 } 588 }
591 589
592 if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING && 590 if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING &&
593 nf_checksum_partial(skb, hooknum, dataoff, cscov, IPPROTO_DCCP, 591 nf_checksum_partial(skb, hooknum, dataoff, cscov, IPPROTO_DCCP,
594 pf)) { 592 pf)) {
595 msg = "nf_ct_dccp: bad checksum "; 593 msg = "nf_ct_dccp: bad checksum ";
596 goto out_invalid; 594 goto out_invalid;
597 } 595 }
598 596
599 if (dh->dccph_type >= DCCP_PKT_INVALID) { 597 if (dh->dccph_type >= DCCP_PKT_INVALID) {
600 msg = "nf_ct_dccp: reserved packet type "; 598 msg = "nf_ct_dccp: reserved packet type ";
601 goto out_invalid; 599 goto out_invalid;
602 } 600 }
603 601
604 return NF_ACCEPT; 602 return NF_ACCEPT;
605 603
606 out_invalid: 604 out_invalid:
607 if (LOG_INVALID(net, IPPROTO_DCCP)) 605 if (LOG_INVALID(net, IPPROTO_DCCP))
608 nf_log_packet(pf, 0, skb, NULL, NULL, NULL, msg); 606 nf_log_packet(pf, 0, skb, NULL, NULL, NULL, msg);
609 return -NF_ACCEPT; 607 return -NF_ACCEPT;
610 } 608 }
611 609
612 static int dccp_print_tuple(struct seq_file *s, 610 static int dccp_print_tuple(struct seq_file *s,
613 const struct nf_conntrack_tuple *tuple) 611 const struct nf_conntrack_tuple *tuple)
614 { 612 {
615 return seq_printf(s, "sport=%hu dport=%hu ", 613 return seq_printf(s, "sport=%hu dport=%hu ",
616 ntohs(tuple->src.u.dccp.port), 614 ntohs(tuple->src.u.dccp.port),
617 ntohs(tuple->dst.u.dccp.port)); 615 ntohs(tuple->dst.u.dccp.port));
618 } 616 }
619 617
620 static int dccp_print_conntrack(struct seq_file *s, const struct nf_conn *ct) 618 static int dccp_print_conntrack(struct seq_file *s, struct nf_conn *ct)
621 { 619 {
622 return seq_printf(s, "%s ", dccp_state_names[ct->proto.dccp.state]); 620 return seq_printf(s, "%s ", dccp_state_names[ct->proto.dccp.state]);
623 } 621 }
624 622
625 #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) 623 #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
626 static int dccp_to_nlattr(struct sk_buff *skb, struct nlattr *nla, 624 static int dccp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
627 const struct nf_conn *ct) 625 struct nf_conn *ct)
628 { 626 {
629 struct nlattr *nest_parms; 627 struct nlattr *nest_parms;
630 628
631 read_lock_bh(&dccp_lock); 629 spin_lock_bh(&ct->lock);
632 nest_parms = nla_nest_start(skb, CTA_PROTOINFO_DCCP | NLA_F_NESTED); 630 nest_parms = nla_nest_start(skb, CTA_PROTOINFO_DCCP | NLA_F_NESTED);
633 if (!nest_parms) 631 if (!nest_parms)
634 goto nla_put_failure; 632 goto nla_put_failure;
635 NLA_PUT_U8(skb, CTA_PROTOINFO_DCCP_STATE, ct->proto.dccp.state); 633 NLA_PUT_U8(skb, CTA_PROTOINFO_DCCP_STATE, ct->proto.dccp.state);
636 NLA_PUT_U8(skb, CTA_PROTOINFO_DCCP_ROLE, 634 NLA_PUT_U8(skb, CTA_PROTOINFO_DCCP_ROLE,
637 ct->proto.dccp.role[IP_CT_DIR_ORIGINAL]); 635 ct->proto.dccp.role[IP_CT_DIR_ORIGINAL]);
638 NLA_PUT_BE64(skb, CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ, 636 NLA_PUT_BE64(skb, CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ,
639 cpu_to_be64(ct->proto.dccp.handshake_seq)); 637 cpu_to_be64(ct->proto.dccp.handshake_seq));
640 nla_nest_end(skb, nest_parms); 638 nla_nest_end(skb, nest_parms);
641 read_unlock_bh(&dccp_lock); 639 spin_unlock_bh(&ct->lock);
642 return 0; 640 return 0;
643 641
644 nla_put_failure: 642 nla_put_failure:
645 read_unlock_bh(&dccp_lock); 643 spin_unlock_bh(&ct->lock);
646 return -1; 644 return -1;
647 } 645 }
648 646
649 static const struct nla_policy dccp_nla_policy[CTA_PROTOINFO_DCCP_MAX + 1] = { 647 static const struct nla_policy dccp_nla_policy[CTA_PROTOINFO_DCCP_MAX + 1] = {
650 [CTA_PROTOINFO_DCCP_STATE] = { .type = NLA_U8 }, 648 [CTA_PROTOINFO_DCCP_STATE] = { .type = NLA_U8 },
651 [CTA_PROTOINFO_DCCP_ROLE] = { .type = NLA_U8 }, 649 [CTA_PROTOINFO_DCCP_ROLE] = { .type = NLA_U8 },
652 [CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ] = { .type = NLA_U64 }, 650 [CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ] = { .type = NLA_U64 },
653 }; 651 };
654 652
655 static int nlattr_to_dccp(struct nlattr *cda[], struct nf_conn *ct) 653 static int nlattr_to_dccp(struct nlattr *cda[], struct nf_conn *ct)
656 { 654 {
657 struct nlattr *attr = cda[CTA_PROTOINFO_DCCP]; 655 struct nlattr *attr = cda[CTA_PROTOINFO_DCCP];
658 struct nlattr *tb[CTA_PROTOINFO_DCCP_MAX + 1]; 656 struct nlattr *tb[CTA_PROTOINFO_DCCP_MAX + 1];
659 int err; 657 int err;
660 658
661 if (!attr) 659 if (!attr)
662 return 0; 660 return 0;
663 661
664 err = nla_parse_nested(tb, CTA_PROTOINFO_DCCP_MAX, attr, 662 err = nla_parse_nested(tb, CTA_PROTOINFO_DCCP_MAX, attr,
665 dccp_nla_policy); 663 dccp_nla_policy);
666 if (err < 0) 664 if (err < 0)
667 return err; 665 return err;
668 666
669 if (!tb[CTA_PROTOINFO_DCCP_STATE] || 667 if (!tb[CTA_PROTOINFO_DCCP_STATE] ||
670 !tb[CTA_PROTOINFO_DCCP_ROLE] || 668 !tb[CTA_PROTOINFO_DCCP_ROLE] ||
671 nla_get_u8(tb[CTA_PROTOINFO_DCCP_ROLE]) > CT_DCCP_ROLE_MAX || 669 nla_get_u8(tb[CTA_PROTOINFO_DCCP_ROLE]) > CT_DCCP_ROLE_MAX ||
672 nla_get_u8(tb[CTA_PROTOINFO_DCCP_STATE]) >= CT_DCCP_IGNORE) { 670 nla_get_u8(tb[CTA_PROTOINFO_DCCP_STATE]) >= CT_DCCP_IGNORE) {
673 return -EINVAL; 671 return -EINVAL;
674 } 672 }
675 673
676 write_lock_bh(&dccp_lock); 674 spin_lock_bh(&ct->lock);
677 ct->proto.dccp.state = nla_get_u8(tb[CTA_PROTOINFO_DCCP_STATE]); 675 ct->proto.dccp.state = nla_get_u8(tb[CTA_PROTOINFO_DCCP_STATE]);
678 if (nla_get_u8(tb[CTA_PROTOINFO_DCCP_ROLE]) == CT_DCCP_ROLE_CLIENT) { 676 if (nla_get_u8(tb[CTA_PROTOINFO_DCCP_ROLE]) == CT_DCCP_ROLE_CLIENT) {
679 ct->proto.dccp.role[IP_CT_DIR_ORIGINAL] = CT_DCCP_ROLE_CLIENT; 677 ct->proto.dccp.role[IP_CT_DIR_ORIGINAL] = CT_DCCP_ROLE_CLIENT;
680 ct->proto.dccp.role[IP_CT_DIR_REPLY] = CT_DCCP_ROLE_SERVER; 678 ct->proto.dccp.role[IP_CT_DIR_REPLY] = CT_DCCP_ROLE_SERVER;
681 } else { 679 } else {
682 ct->proto.dccp.role[IP_CT_DIR_ORIGINAL] = CT_DCCP_ROLE_SERVER; 680 ct->proto.dccp.role[IP_CT_DIR_ORIGINAL] = CT_DCCP_ROLE_SERVER;
683 ct->proto.dccp.role[IP_CT_DIR_REPLY] = CT_DCCP_ROLE_CLIENT; 681 ct->proto.dccp.role[IP_CT_DIR_REPLY] = CT_DCCP_ROLE_CLIENT;
684 } 682 }
685 if (tb[CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ]) { 683 if (tb[CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ]) {
686 ct->proto.dccp.handshake_seq = 684 ct->proto.dccp.handshake_seq =
687 be64_to_cpu(nla_get_be64(tb[CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ])); 685 be64_to_cpu(nla_get_be64(tb[CTA_PROTOINFO_DCCP_HANDSHAKE_SEQ]));
688 } 686 }
689 write_unlock_bh(&dccp_lock); 687 spin_unlock_bh(&ct->lock);
690 return 0; 688 return 0;
691 } 689 }
692 690
693 static int dccp_nlattr_size(void) 691 static int dccp_nlattr_size(void)
694 { 692 {
695 return nla_total_size(0) /* CTA_PROTOINFO_DCCP */ 693 return nla_total_size(0) /* CTA_PROTOINFO_DCCP */
696 + nla_policy_len(dccp_nla_policy, CTA_PROTOINFO_DCCP_MAX + 1); 694 + nla_policy_len(dccp_nla_policy, CTA_PROTOINFO_DCCP_MAX + 1);
697 } 695 }
698 #endif 696 #endif
699 697
700 #ifdef CONFIG_SYSCTL 698 #ifdef CONFIG_SYSCTL
701 /* template, data assigned later */ 699 /* template, data assigned later */
702 static struct ctl_table dccp_sysctl_table[] = { 700 static struct ctl_table dccp_sysctl_table[] = {
703 { 701 {
704 .ctl_name = CTL_UNNUMBERED, 702 .ctl_name = CTL_UNNUMBERED,
705 .procname = "nf_conntrack_dccp_timeout_request", 703 .procname = "nf_conntrack_dccp_timeout_request",
706 .maxlen = sizeof(unsigned int), 704 .maxlen = sizeof(unsigned int),
707 .mode = 0644, 705 .mode = 0644,
708 .proc_handler = proc_dointvec_jiffies, 706 .proc_handler = proc_dointvec_jiffies,
709 }, 707 },
710 { 708 {
711 .ctl_name = CTL_UNNUMBERED, 709 .ctl_name = CTL_UNNUMBERED,
712 .procname = "nf_conntrack_dccp_timeout_respond", 710 .procname = "nf_conntrack_dccp_timeout_respond",
713 .maxlen = sizeof(unsigned int), 711 .maxlen = sizeof(unsigned int),
714 .mode = 0644, 712 .mode = 0644,
715 .proc_handler = proc_dointvec_jiffies, 713 .proc_handler = proc_dointvec_jiffies,
716 }, 714 },
717 { 715 {
718 .ctl_name = CTL_UNNUMBERED, 716 .ctl_name = CTL_UNNUMBERED,
719 .procname = "nf_conntrack_dccp_timeout_partopen", 717 .procname = "nf_conntrack_dccp_timeout_partopen",
720 .maxlen = sizeof(unsigned int), 718 .maxlen = sizeof(unsigned int),
721 .mode = 0644, 719 .mode = 0644,
722 .proc_handler = proc_dointvec_jiffies, 720 .proc_handler = proc_dointvec_jiffies,
723 }, 721 },
724 { 722 {
725 .ctl_name = CTL_UNNUMBERED, 723 .ctl_name = CTL_UNNUMBERED,
726 .procname = "nf_conntrack_dccp_timeout_open", 724 .procname = "nf_conntrack_dccp_timeout_open",
727 .maxlen = sizeof(unsigned int), 725 .maxlen = sizeof(unsigned int),
728 .mode = 0644, 726 .mode = 0644,
729 .proc_handler = proc_dointvec_jiffies, 727 .proc_handler = proc_dointvec_jiffies,
730 }, 728 },
731 { 729 {
732 .ctl_name = CTL_UNNUMBERED, 730 .ctl_name = CTL_UNNUMBERED,
733 .procname = "nf_conntrack_dccp_timeout_closereq", 731 .procname = "nf_conntrack_dccp_timeout_closereq",
734 .maxlen = sizeof(unsigned int), 732 .maxlen = sizeof(unsigned int),
735 .mode = 0644, 733 .mode = 0644,
736 .proc_handler = proc_dointvec_jiffies, 734 .proc_handler = proc_dointvec_jiffies,
737 }, 735 },
738 { 736 {
739 .ctl_name = CTL_UNNUMBERED, 737 .ctl_name = CTL_UNNUMBERED,
740 .procname = "nf_conntrack_dccp_timeout_closing", 738 .procname = "nf_conntrack_dccp_timeout_closing",
741 .maxlen = sizeof(unsigned int), 739 .maxlen = sizeof(unsigned int),
742 .mode = 0644, 740 .mode = 0644,
743 .proc_handler = proc_dointvec_jiffies, 741 .proc_handler = proc_dointvec_jiffies,
744 }, 742 },
745 { 743 {
746 .ctl_name = CTL_UNNUMBERED, 744 .ctl_name = CTL_UNNUMBERED,
747 .procname = "nf_conntrack_dccp_timeout_timewait", 745 .procname = "nf_conntrack_dccp_timeout_timewait",
748 .maxlen = sizeof(unsigned int), 746 .maxlen = sizeof(unsigned int),
749 .mode = 0644, 747 .mode = 0644,
750 .proc_handler = proc_dointvec_jiffies, 748 .proc_handler = proc_dointvec_jiffies,
751 }, 749 },
752 { 750 {
753 .ctl_name = CTL_UNNUMBERED, 751 .ctl_name = CTL_UNNUMBERED,
754 .procname = "nf_conntrack_dccp_loose", 752 .procname = "nf_conntrack_dccp_loose",
755 .maxlen = sizeof(int), 753 .maxlen = sizeof(int),
756 .mode = 0644, 754 .mode = 0644,
757 .proc_handler = proc_dointvec, 755 .proc_handler = proc_dointvec,
758 }, 756 },
759 { 757 {
760 .ctl_name = 0, 758 .ctl_name = 0,
761 } 759 }
762 }; 760 };
763 #endif /* CONFIG_SYSCTL */ 761 #endif /* CONFIG_SYSCTL */
764 762
765 static struct nf_conntrack_l4proto dccp_proto4 __read_mostly = { 763 static struct nf_conntrack_l4proto dccp_proto4 __read_mostly = {
766 .l3proto = AF_INET, 764 .l3proto = AF_INET,
767 .l4proto = IPPROTO_DCCP, 765 .l4proto = IPPROTO_DCCP,
768 .name = "dccp", 766 .name = "dccp",
769 .pkt_to_tuple = dccp_pkt_to_tuple, 767 .pkt_to_tuple = dccp_pkt_to_tuple,
770 .invert_tuple = dccp_invert_tuple, 768 .invert_tuple = dccp_invert_tuple,
771 .new = dccp_new, 769 .new = dccp_new,
772 .packet = dccp_packet, 770 .packet = dccp_packet,
773 .error = dccp_error, 771 .error = dccp_error,
774 .print_tuple = dccp_print_tuple, 772 .print_tuple = dccp_print_tuple,
775 .print_conntrack = dccp_print_conntrack, 773 .print_conntrack = dccp_print_conntrack,
776 #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) 774 #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
777 .to_nlattr = dccp_to_nlattr, 775 .to_nlattr = dccp_to_nlattr,
778 .nlattr_size = dccp_nlattr_size, 776 .nlattr_size = dccp_nlattr_size,
779 .from_nlattr = nlattr_to_dccp, 777 .from_nlattr = nlattr_to_dccp,
780 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr, 778 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
781 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size, 779 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
782 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, 780 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
783 .nla_policy = nf_ct_port_nla_policy, 781 .nla_policy = nf_ct_port_nla_policy,
784 #endif 782 #endif
785 }; 783 };
786 784
787 static struct nf_conntrack_l4proto dccp_proto6 __read_mostly = { 785 static struct nf_conntrack_l4proto dccp_proto6 __read_mostly = {
788 .l3proto = AF_INET6, 786 .l3proto = AF_INET6,
789 .l4proto = IPPROTO_DCCP, 787 .l4proto = IPPROTO_DCCP,
790 .name = "dccp", 788 .name = "dccp",
791 .pkt_to_tuple = dccp_pkt_to_tuple, 789 .pkt_to_tuple = dccp_pkt_to_tuple,
792 .invert_tuple = dccp_invert_tuple, 790 .invert_tuple = dccp_invert_tuple,
793 .new = dccp_new, 791 .new = dccp_new,
794 .packet = dccp_packet, 792 .packet = dccp_packet,
795 .error = dccp_error, 793 .error = dccp_error,
796 .print_tuple = dccp_print_tuple, 794 .print_tuple = dccp_print_tuple,
797 .print_conntrack = dccp_print_conntrack, 795 .print_conntrack = dccp_print_conntrack,
798 #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) 796 #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
799 .to_nlattr = dccp_to_nlattr, 797 .to_nlattr = dccp_to_nlattr,
800 .nlattr_size = dccp_nlattr_size, 798 .nlattr_size = dccp_nlattr_size,
801 .from_nlattr = nlattr_to_dccp, 799 .from_nlattr = nlattr_to_dccp,
802 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr, 800 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
803 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size, 801 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
804 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, 802 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
805 .nla_policy = nf_ct_port_nla_policy, 803 .nla_policy = nf_ct_port_nla_policy,
806 #endif 804 #endif
807 }; 805 };
808 806
809 static __net_init int dccp_net_init(struct net *net) 807 static __net_init int dccp_net_init(struct net *net)
810 { 808 {
811 struct dccp_net *dn; 809 struct dccp_net *dn;
812 int err; 810 int err;
813 811
814 dn = kmalloc(sizeof(*dn), GFP_KERNEL); 812 dn = kmalloc(sizeof(*dn), GFP_KERNEL);
815 if (!dn) 813 if (!dn)
816 return -ENOMEM; 814 return -ENOMEM;
817 815
818 /* default values */ 816 /* default values */
819 dn->dccp_loose = 1; 817 dn->dccp_loose = 1;
820 dn->dccp_timeout[CT_DCCP_REQUEST] = 2 * DCCP_MSL; 818 dn->dccp_timeout[CT_DCCP_REQUEST] = 2 * DCCP_MSL;
821 dn->dccp_timeout[CT_DCCP_RESPOND] = 4 * DCCP_MSL; 819 dn->dccp_timeout[CT_DCCP_RESPOND] = 4 * DCCP_MSL;
822 dn->dccp_timeout[CT_DCCP_PARTOPEN] = 4 * DCCP_MSL; 820 dn->dccp_timeout[CT_DCCP_PARTOPEN] = 4 * DCCP_MSL;
823 dn->dccp_timeout[CT_DCCP_OPEN] = 12 * 3600 * HZ; 821 dn->dccp_timeout[CT_DCCP_OPEN] = 12 * 3600 * HZ;
824 dn->dccp_timeout[CT_DCCP_CLOSEREQ] = 64 * HZ; 822 dn->dccp_timeout[CT_DCCP_CLOSEREQ] = 64 * HZ;
825 dn->dccp_timeout[CT_DCCP_CLOSING] = 64 * HZ; 823 dn->dccp_timeout[CT_DCCP_CLOSING] = 64 * HZ;
826 dn->dccp_timeout[CT_DCCP_TIMEWAIT] = 2 * DCCP_MSL; 824 dn->dccp_timeout[CT_DCCP_TIMEWAIT] = 2 * DCCP_MSL;
827 825
828 err = net_assign_generic(net, dccp_net_id, dn); 826 err = net_assign_generic(net, dccp_net_id, dn);
829 if (err) 827 if (err)
830 goto out; 828 goto out;
831 829
832 #ifdef CONFIG_SYSCTL 830 #ifdef CONFIG_SYSCTL
833 err = -ENOMEM; 831 err = -ENOMEM;
834 dn->sysctl_table = kmemdup(dccp_sysctl_table, 832 dn->sysctl_table = kmemdup(dccp_sysctl_table,
835 sizeof(dccp_sysctl_table), GFP_KERNEL); 833 sizeof(dccp_sysctl_table), GFP_KERNEL);
836 if (!dn->sysctl_table) 834 if (!dn->sysctl_table)
837 goto out; 835 goto out;
838 836
839 dn->sysctl_table[0].data = &dn->dccp_timeout[CT_DCCP_REQUEST]; 837 dn->sysctl_table[0].data = &dn->dccp_timeout[CT_DCCP_REQUEST];
840 dn->sysctl_table[1].data = &dn->dccp_timeout[CT_DCCP_RESPOND]; 838 dn->sysctl_table[1].data = &dn->dccp_timeout[CT_DCCP_RESPOND];
841 dn->sysctl_table[2].data = &dn->dccp_timeout[CT_DCCP_PARTOPEN]; 839 dn->sysctl_table[2].data = &dn->dccp_timeout[CT_DCCP_PARTOPEN];
842 dn->sysctl_table[3].data = &dn->dccp_timeout[CT_DCCP_OPEN]; 840 dn->sysctl_table[3].data = &dn->dccp_timeout[CT_DCCP_OPEN];
843 dn->sysctl_table[4].data = &dn->dccp_timeout[CT_DCCP_CLOSEREQ]; 841 dn->sysctl_table[4].data = &dn->dccp_timeout[CT_DCCP_CLOSEREQ];
844 dn->sysctl_table[5].data = &dn->dccp_timeout[CT_DCCP_CLOSING]; 842 dn->sysctl_table[5].data = &dn->dccp_timeout[CT_DCCP_CLOSING];
845 dn->sysctl_table[6].data = &dn->dccp_timeout[CT_DCCP_TIMEWAIT]; 843 dn->sysctl_table[6].data = &dn->dccp_timeout[CT_DCCP_TIMEWAIT];
846 dn->sysctl_table[7].data = &dn->dccp_loose; 844 dn->sysctl_table[7].data = &dn->dccp_loose;
847 845
848 dn->sysctl_header = register_net_sysctl_table(net, 846 dn->sysctl_header = register_net_sysctl_table(net,
849 nf_net_netfilter_sysctl_path, dn->sysctl_table); 847 nf_net_netfilter_sysctl_path, dn->sysctl_table);
850 if (!dn->sysctl_header) { 848 if (!dn->sysctl_header) {
851 kfree(dn->sysctl_table); 849 kfree(dn->sysctl_table);
852 goto out; 850 goto out;
853 } 851 }
854 #endif 852 #endif
855 853
856 return 0; 854 return 0;
857 855
858 out: 856 out:
859 kfree(dn); 857 kfree(dn);
860 return err; 858 return err;
861 } 859 }
862 860
863 static __net_exit void dccp_net_exit(struct net *net) 861 static __net_exit void dccp_net_exit(struct net *net)
864 { 862 {
865 struct dccp_net *dn = dccp_pernet(net); 863 struct dccp_net *dn = dccp_pernet(net);
866 #ifdef CONFIG_SYSCTL 864 #ifdef CONFIG_SYSCTL
867 unregister_net_sysctl_table(dn->sysctl_header); 865 unregister_net_sysctl_table(dn->sysctl_header);
868 kfree(dn->sysctl_table); 866 kfree(dn->sysctl_table);
869 #endif 867 #endif
870 kfree(dn); 868 kfree(dn);
871 869
872 net_assign_generic(net, dccp_net_id, NULL); 870 net_assign_generic(net, dccp_net_id, NULL);
873 } 871 }
874 872
875 static struct pernet_operations dccp_net_ops = { 873 static struct pernet_operations dccp_net_ops = {
876 .init = dccp_net_init, 874 .init = dccp_net_init,
877 .exit = dccp_net_exit, 875 .exit = dccp_net_exit,
878 }; 876 };
879 877
880 static int __init nf_conntrack_proto_dccp_init(void) 878 static int __init nf_conntrack_proto_dccp_init(void)
881 { 879 {
882 int err; 880 int err;
883 881
884 err = register_pernet_gen_subsys(&dccp_net_id, &dccp_net_ops); 882 err = register_pernet_gen_subsys(&dccp_net_id, &dccp_net_ops);
885 if (err < 0) 883 if (err < 0)
886 goto err1; 884 goto err1;
887 885
888 err = nf_conntrack_l4proto_register(&dccp_proto4); 886 err = nf_conntrack_l4proto_register(&dccp_proto4);
889 if (err < 0) 887 if (err < 0)
890 goto err2; 888 goto err2;
891 889
892 err = nf_conntrack_l4proto_register(&dccp_proto6); 890 err = nf_conntrack_l4proto_register(&dccp_proto6);
893 if (err < 0) 891 if (err < 0)
894 goto err3; 892 goto err3;
895 return 0; 893 return 0;
896 894
897 err3: 895 err3:
898 nf_conntrack_l4proto_unregister(&dccp_proto4); 896 nf_conntrack_l4proto_unregister(&dccp_proto4);
899 err2: 897 err2:
900 unregister_pernet_gen_subsys(dccp_net_id, &dccp_net_ops); 898 unregister_pernet_gen_subsys(dccp_net_id, &dccp_net_ops);
901 err1: 899 err1:
902 return err; 900 return err;
903 } 901 }
904 902
905 static void __exit nf_conntrack_proto_dccp_fini(void) 903 static void __exit nf_conntrack_proto_dccp_fini(void)
906 { 904 {
907 unregister_pernet_gen_subsys(dccp_net_id, &dccp_net_ops); 905 unregister_pernet_gen_subsys(dccp_net_id, &dccp_net_ops);
908 nf_conntrack_l4proto_unregister(&dccp_proto6); 906 nf_conntrack_l4proto_unregister(&dccp_proto6);
909 nf_conntrack_l4proto_unregister(&dccp_proto4); 907 nf_conntrack_l4proto_unregister(&dccp_proto4);
910 } 908 }
911 909
912 module_init(nf_conntrack_proto_dccp_init); 910 module_init(nf_conntrack_proto_dccp_init);
913 module_exit(nf_conntrack_proto_dccp_fini); 911 module_exit(nf_conntrack_proto_dccp_fini);
914 912
915 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); 913 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
916 MODULE_DESCRIPTION("DCCP connection tracking protocol helper"); 914 MODULE_DESCRIPTION("DCCP connection tracking protocol helper");
917 MODULE_LICENSE("GPL"); 915 MODULE_LICENSE("GPL");
918 916
net/netfilter/nf_conntrack_proto_gre.c
Diff comments   View file @ 440f0d5
1 /* 1 /*
2 * ip_conntrack_proto_gre.c - Version 3.0 2 * ip_conntrack_proto_gre.c - Version 3.0
3 * 3 *
4 * Connection tracking protocol helper module for GRE. 4 * Connection tracking protocol helper module for GRE.
5 * 5 *
6 * GRE is a generic encapsulation protocol, which is generally not very 6 * GRE is a generic encapsulation protocol, which is generally not very
7 * suited for NAT, as it has no protocol-specific part as port numbers. 7 * suited for NAT, as it has no protocol-specific part as port numbers.
8 * 8 *
9 * It has an optional key field, which may help us distinguishing two 9 * It has an optional key field, which may help us distinguishing two
10 * connections between the same two hosts. 10 * connections between the same two hosts.
11 * 11 *
12 * GRE is defined in RFC 1701 and RFC 1702, as well as RFC 2784 12 * GRE is defined in RFC 1701 and RFC 1702, as well as RFC 2784
13 * 13 *
14 * PPTP is built on top of a modified version of GRE, and has a mandatory 14 * PPTP is built on top of a modified version of GRE, and has a mandatory
15 * field called "CallID", which serves us for the same purpose as the key 15 * field called "CallID", which serves us for the same purpose as the key
16 * field in plain GRE. 16 * field in plain GRE.
17 * 17 *
18 * Documentation about PPTP can be found in RFC 2637 18 * Documentation about PPTP can be found in RFC 2637
19 * 19 *
20 * (C) 2000-2005 by Harald Welte <laforge@gnumonks.org> 20 * (C) 2000-2005 by Harald Welte <laforge@gnumonks.org>
21 * 21 *
22 * Development of this code funded by Astaro AG (http://www.astaro.com/) 22 * Development of this code funded by Astaro AG (http://www.astaro.com/)
23 * 23 *
24 */ 24 */
25 25
26 #include <linux/module.h> 26 #include <linux/module.h>
27 #include <linux/types.h> 27 #include <linux/types.h>
28 #include <linux/timer.h> 28 #include <linux/timer.h>
29 #include <linux/list.h> 29 #include <linux/list.h>
30 #include <linux/seq_file.h> 30 #include <linux/seq_file.h>
31 #include <linux/in.h> 31 #include <linux/in.h>
32 #include <linux/netdevice.h> 32 #include <linux/netdevice.h>
33 #include <linux/skbuff.h> 33 #include <linux/skbuff.h>
34 #include <net/dst.h> 34 #include <net/dst.h>
35 #include <net/net_namespace.h> 35 #include <net/net_namespace.h>
36 #include <net/netns/generic.h> 36 #include <net/netns/generic.h>
37 #include <net/netfilter/nf_conntrack_l4proto.h> 37 #include <net/netfilter/nf_conntrack_l4proto.h>
38 #include <net/netfilter/nf_conntrack_helper.h> 38 #include <net/netfilter/nf_conntrack_helper.h>
39 #include <net/netfilter/nf_conntrack_core.h> 39 #include <net/netfilter/nf_conntrack_core.h>
40 #include <linux/netfilter/nf_conntrack_proto_gre.h> 40 #include <linux/netfilter/nf_conntrack_proto_gre.h>
41 #include <linux/netfilter/nf_conntrack_pptp.h> 41 #include <linux/netfilter/nf_conntrack_pptp.h>
42 42
43 #define GRE_TIMEOUT (30 * HZ) 43 #define GRE_TIMEOUT (30 * HZ)
44 #define GRE_STREAM_TIMEOUT (180 * HZ) 44 #define GRE_STREAM_TIMEOUT (180 * HZ)
45 45
46 static int proto_gre_net_id; 46 static int proto_gre_net_id;
47 struct netns_proto_gre { 47 struct netns_proto_gre {
48 rwlock_t keymap_lock; 48 rwlock_t keymap_lock;
49 struct list_head keymap_list; 49 struct list_head keymap_list;
50 }; 50 };
51 51
52 void nf_ct_gre_keymap_flush(struct net *net) 52 void nf_ct_gre_keymap_flush(struct net *net)
53 { 53 {
54 struct netns_proto_gre *net_gre = net_generic(net, proto_gre_net_id); 54 struct netns_proto_gre *net_gre = net_generic(net, proto_gre_net_id);
55 struct nf_ct_gre_keymap *km, *tmp; 55 struct nf_ct_gre_keymap *km, *tmp;
56 56
57 write_lock_bh(&net_gre->keymap_lock); 57 write_lock_bh(&net_gre->keymap_lock);
58 list_for_each_entry_safe(km, tmp, &net_gre->keymap_list, list) { 58 list_for_each_entry_safe(km, tmp, &net_gre->keymap_list, list) {
59 list_del(&km->list); 59 list_del(&km->list);
60 kfree(km); 60 kfree(km);
61 } 61 }
62 write_unlock_bh(&net_gre->keymap_lock); 62 write_unlock_bh(&net_gre->keymap_lock);
63 } 63 }
64 EXPORT_SYMBOL(nf_ct_gre_keymap_flush); 64 EXPORT_SYMBOL(nf_ct_gre_keymap_flush);
65 65
66 static inline int gre_key_cmpfn(const struct nf_ct_gre_keymap *km, 66 static inline int gre_key_cmpfn(const struct nf_ct_gre_keymap *km,
67 const struct nf_conntrack_tuple *t) 67 const struct nf_conntrack_tuple *t)
68 { 68 {
69 return km->tuple.src.l3num == t->src.l3num && 69 return km->tuple.src.l3num == t->src.l3num &&
70 !memcmp(&km->tuple.src.u3, &t->src.u3, sizeof(t->src.u3)) && 70 !memcmp(&km->tuple.src.u3, &t->src.u3, sizeof(t->src.u3)) &&
71 !memcmp(&km->tuple.dst.u3, &t->dst.u3, sizeof(t->dst.u3)) && 71 !memcmp(&km->tuple.dst.u3, &t->dst.u3, sizeof(t->dst.u3)) &&
72 km->tuple.dst.protonum == t->dst.protonum && 72 km->tuple.dst.protonum == t->dst.protonum &&
73 km->tuple.dst.u.all == t->dst.u.all; 73 km->tuple.dst.u.all == t->dst.u.all;
74 } 74 }
75 75
76 /* look up the source key for a given tuple */ 76 /* look up the source key for a given tuple */
77 static __be16 gre_keymap_lookup(struct net *net, struct nf_conntrack_tuple *t) 77 static __be16 gre_keymap_lookup(struct net *net, struct nf_conntrack_tuple *t)
78 { 78 {
79 struct netns_proto_gre *net_gre = net_generic(net, proto_gre_net_id); 79 struct netns_proto_gre *net_gre = net_generic(net, proto_gre_net_id);
80 struct nf_ct_gre_keymap *km; 80 struct nf_ct_gre_keymap *km;
81 __be16 key = 0; 81 __be16 key = 0;
82 82
83 read_lock_bh(&net_gre->keymap_lock); 83 read_lock_bh(&net_gre->keymap_lock);
84 list_for_each_entry(km, &net_gre->keymap_list, list) { 84 list_for_each_entry(km, &net_gre->keymap_list, list) {
85 if (gre_key_cmpfn(km, t)) { 85 if (gre_key_cmpfn(km, t)) {
86 key = km->tuple.src.u.gre.key; 86 key = km->tuple.src.u.gre.key;
87 break; 87 break;
88 } 88 }
89 } 89 }
90 read_unlock_bh(&net_gre->keymap_lock); 90 read_unlock_bh(&net_gre->keymap_lock);
91 91
92 pr_debug("lookup src key 0x%x for ", key); 92 pr_debug("lookup src key 0x%x for ", key);
93 nf_ct_dump_tuple(t); 93 nf_ct_dump_tuple(t);
94 94
95 return key; 95 return key;
96 } 96 }
97 97
98 /* add a single keymap entry, associate with specified master ct */ 98 /* add a single keymap entry, associate with specified master ct */
99 int nf_ct_gre_keymap_add(struct nf_conn *ct, enum ip_conntrack_dir dir, 99 int nf_ct_gre_keymap_add(struct nf_conn *ct, enum ip_conntrack_dir dir,
100 struct nf_conntrack_tuple *t) 100 struct nf_conntrack_tuple *t)
101 { 101 {
102 struct net *net = nf_ct_net(ct); 102 struct net *net = nf_ct_net(ct);
103 struct netns_proto_gre *net_gre = net_generic(net, proto_gre_net_id); 103 struct netns_proto_gre *net_gre = net_generic(net, proto_gre_net_id);
104 struct nf_conn_help *help = nfct_help(ct); 104 struct nf_conn_help *help = nfct_help(ct);
105 struct nf_ct_gre_keymap **kmp, *km; 105 struct nf_ct_gre_keymap **kmp, *km;
106 106
107 kmp = &help->help.ct_pptp_info.keymap[dir]; 107 kmp = &help->help.ct_pptp_info.keymap[dir];
108 if (*kmp) { 108 if (*kmp) {
109 /* check whether it's a retransmission */ 109 /* check whether it's a retransmission */
110 read_lock_bh(&net_gre->keymap_lock); 110 read_lock_bh(&net_gre->keymap_lock);
111 list_for_each_entry(km, &net_gre->keymap_list, list) { 111 list_for_each_entry(km, &net_gre->keymap_list, list) {
112 if (gre_key_cmpfn(km, t) && km == *kmp) { 112 if (gre_key_cmpfn(km, t) && km == *kmp) {
113 read_unlock_bh(&net_gre->keymap_lock); 113 read_unlock_bh(&net_gre->keymap_lock);
114 return 0; 114 return 0;
115 } 115 }
116 } 116 }
117 read_unlock_bh(&net_gre->keymap_lock); 117 read_unlock_bh(&net_gre->keymap_lock);
118 pr_debug("trying to override keymap_%s for ct %p\n", 118 pr_debug("trying to override keymap_%s for ct %p\n",
119 dir == IP_CT_DIR_REPLY ? "reply" : "orig", ct); 119 dir == IP_CT_DIR_REPLY ? "reply" : "orig", ct);
120 return -EEXIST; 120 return -EEXIST;
121 } 121 }
122 122
123 km = kmalloc(sizeof(*km), GFP_ATOMIC); 123 km = kmalloc(sizeof(*km), GFP_ATOMIC);
124 if (!km) 124 if (!km)
125 return -ENOMEM; 125 return -ENOMEM;
126 memcpy(&km->tuple, t, sizeof(*t)); 126 memcpy(&km->tuple, t, sizeof(*t));
127 *kmp = km; 127 *kmp = km;
128 128
129 pr_debug("adding new entry %p: ", km); 129 pr_debug("adding new entry %p: ", km);
130 nf_ct_dump_tuple(&km->tuple); 130 nf_ct_dump_tuple(&km->tuple);
131 131
132 write_lock_bh(&net_gre->keymap_lock); 132 write_lock_bh(&net_gre->keymap_lock);
133 list_add_tail(&km->list, &net_gre->keymap_list); 133 list_add_tail(&km->list, &net_gre->keymap_list);
134 write_unlock_bh(&net_gre->keymap_lock); 134 write_unlock_bh(&net_gre->keymap_lock);
135 135
136 return 0; 136 return 0;
137 } 137 }
138 EXPORT_SYMBOL_GPL(nf_ct_gre_keymap_add); 138 EXPORT_SYMBOL_GPL(nf_ct_gre_keymap_add);
139 139
140 /* destroy the keymap entries associated with specified master ct */ 140 /* destroy the keymap entries associated with specified master ct */
141 void nf_ct_gre_keymap_destroy(struct nf_conn *ct) 141 void nf_ct_gre_keymap_destroy(struct nf_conn *ct)
142 { 142 {
143 struct net *net = nf_ct_net(ct); 143 struct net *net = nf_ct_net(ct);
144 struct netns_proto_gre *net_gre = net_generic(net, proto_gre_net_id); 144 struct netns_proto_gre *net_gre = net_generic(net, proto_gre_net_id);
145 struct nf_conn_help *help = nfct_help(ct); 145 struct nf_conn_help *help = nfct_help(ct);
146 enum ip_conntrack_dir dir; 146 enum ip_conntrack_dir dir;
147 147
148 pr_debug("entering for ct %p\n", ct); 148 pr_debug("entering for ct %p\n", ct);
149 149
150 write_lock_bh(&net_gre->keymap_lock); 150 write_lock_bh(&net_gre->keymap_lock);
151 for (dir = IP_CT_DIR_ORIGINAL; dir < IP_CT_DIR_MAX; dir++) { 151 for (dir = IP_CT_DIR_ORIGINAL; dir < IP_CT_DIR_MAX; dir++) {
152 if (help->help.ct_pptp_info.keymap[dir]) { 152 if (help->help.ct_pptp_info.keymap[dir]) {
153 pr_debug("removing %p from list\n", 153 pr_debug("removing %p from list\n",
154 help->help.ct_pptp_info.keymap[dir]); 154 help->help.ct_pptp_info.keymap[dir]);
155 list_del(&help->help.ct_pptp_info.keymap[dir]->list); 155 list_del(&help->help.ct_pptp_info.keymap[dir]->list);
156 kfree(help->help.ct_pptp_info.keymap[dir]); 156 kfree(help->help.ct_pptp_info.keymap[dir]);
157 help->help.ct_pptp_info.keymap[dir] = NULL; 157 help->help.ct_pptp_info.keymap[dir] = NULL;
158 } 158 }
159 } 159 }
160 write_unlock_bh(&net_gre->keymap_lock); 160 write_unlock_bh(&net_gre->keymap_lock);
161 } 161 }
162 EXPORT_SYMBOL_GPL(nf_ct_gre_keymap_destroy); 162 EXPORT_SYMBOL_GPL(nf_ct_gre_keymap_destroy);
163 163
164 /* PUBLIC CONNTRACK PROTO HELPER FUNCTIONS */ 164 /* PUBLIC CONNTRACK PROTO HELPER FUNCTIONS */
165 165
166 /* invert gre part of tuple */ 166 /* invert gre part of tuple */
167 static bool gre_invert_tuple(struct nf_conntrack_tuple *tuple, 167 static bool gre_invert_tuple(struct nf_conntrack_tuple *tuple,
168 const struct nf_conntrack_tuple *orig) 168 const struct nf_conntrack_tuple *orig)
169 { 169 {
170 tuple->dst.u.gre.key = orig->src.u.gre.key; 170 tuple->dst.u.gre.key = orig->src.u.gre.key;
171 tuple->src.u.gre.key = orig->dst.u.gre.key; 171 tuple->src.u.gre.key = orig->dst.u.gre.key;
172 return true; 172 return true;
173 } 173 }
174 174
175 /* gre hdr info to tuple */ 175 /* gre hdr info to tuple */
176 static bool gre_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff, 176 static bool gre_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
177 struct nf_conntrack_tuple *tuple) 177 struct nf_conntrack_tuple *tuple)
178 { 178 {
179 struct net *net = dev_net(skb->dev ? skb->dev : skb->dst->dev); 179 struct net *net = dev_net(skb->dev ? skb->dev : skb->dst->dev);
180 const struct gre_hdr_pptp *pgrehdr; 180 const struct gre_hdr_pptp *pgrehdr;
181 struct gre_hdr_pptp _pgrehdr; 181 struct gre_hdr_pptp _pgrehdr;
182 __be16 srckey; 182 __be16 srckey;
183 const struct gre_hdr *grehdr; 183 const struct gre_hdr *grehdr;
184 struct gre_hdr _grehdr; 184 struct gre_hdr _grehdr;
185 185
186 /* first only delinearize old RFC1701 GRE header */ 186 /* first only delinearize old RFC1701 GRE header */
187 grehdr = skb_header_pointer(skb, dataoff, sizeof(_grehdr), &_grehdr); 187 grehdr = skb_header_pointer(skb, dataoff, sizeof(_grehdr), &_grehdr);
188 if (!grehdr || grehdr->version != GRE_VERSION_PPTP) { 188 if (!grehdr || grehdr->version != GRE_VERSION_PPTP) {
189 /* try to behave like "nf_conntrack_proto_generic" */ 189 /* try to behave like "nf_conntrack_proto_generic" */
190 tuple->src.u.all = 0; 190 tuple->src.u.all = 0;
191 tuple->dst.u.all = 0; 191 tuple->dst.u.all = 0;
192 return true; 192 return true;
193 } 193 }
194 194
195 /* PPTP header is variable length, only need up to the call_id field */ 195 /* PPTP header is variable length, only need up to the call_id field */
196 pgrehdr = skb_header_pointer(skb, dataoff, 8, &_pgrehdr); 196 pgrehdr = skb_header_pointer(skb, dataoff, 8, &_pgrehdr);
197 if (!pgrehdr) 197 if (!pgrehdr)
198 return true; 198 return true;
199 199
200 if (ntohs(grehdr->protocol) != GRE_PROTOCOL_PPTP) { 200 if (ntohs(grehdr->protocol) != GRE_PROTOCOL_PPTP) {
201 pr_debug("GRE_VERSION_PPTP but unknown proto\n"); 201 pr_debug("GRE_VERSION_PPTP but unknown proto\n");
202 return false; 202 return false;
203 } 203 }
204 204
205 tuple->dst.u.gre.key = pgrehdr->call_id; 205 tuple->dst.u.gre.key = pgrehdr->call_id;
206 srckey = gre_keymap_lookup(net, tuple); 206 srckey = gre_keymap_lookup(net, tuple);
207 tuple->src.u.gre.key = srckey; 207 tuple->src.u.gre.key = srckey;
208 208
209 return true; 209 return true;
210 } 210 }
211 211
212 /* print gre part of tuple */ 212 /* print gre part of tuple */
213 static int gre_print_tuple(struct seq_file *s, 213 static int gre_print_tuple(struct seq_file *s,
214 const struct nf_conntrack_tuple *tuple) 214 const struct nf_conntrack_tuple *tuple)
215 { 215 {
216 return seq_printf(s, "srckey=0x%x dstkey=0x%x ", 216 return seq_printf(s, "srckey=0x%x dstkey=0x%x ",
217 ntohs(tuple->src.u.gre.key), 217 ntohs(tuple->src.u.gre.key),
218 ntohs(tuple->dst.u.gre.key)); 218 ntohs(tuple->dst.u.gre.key));
219 } 219 }
220 220
221 /* print private data for conntrack */ 221 /* print private data for conntrack */
222 static int gre_print_conntrack(struct seq_file *s, 222 static int gre_print_conntrack(struct seq_file *s, struct nf_conn *ct)
223 const struct nf_conn *ct)
224 { 223 {
225 return seq_printf(s, "timeout=%u, stream_timeout=%u ", 224 return seq_printf(s, "timeout=%u, stream_timeout=%u ",
226 (ct->proto.gre.timeout / HZ), 225 (ct->proto.gre.timeout / HZ),
227 (ct->proto.gre.stream_timeout / HZ)); 226 (ct->proto.gre.stream_timeout / HZ));
228 } 227 }
229 228
230 /* Returns verdict for packet, and may modify conntrack */ 229 /* Returns verdict for packet, and may modify conntrack */
231 static int gre_packet(struct nf_conn *ct, 230 static int gre_packet(struct nf_conn *ct,
232 const struct sk_buff *skb, 231 const struct sk_buff *skb,
233 unsigned int dataoff, 232 unsigned int dataoff,
234 enum ip_conntrack_info ctinfo, 233 enum ip_conntrack_info ctinfo,
235 u_int8_t pf, 234 u_int8_t pf,
236 unsigned int hooknum) 235 unsigned int hooknum)
237 { 236 {
238 /* If we've seen traffic both ways, this is a GRE connection. 237 /* If we've seen traffic both ways, this is a GRE connection.
239 * Extend timeout. */ 238 * Extend timeout. */
240 if (ct->status & IPS_SEEN_REPLY) { 239 if (ct->status & IPS_SEEN_REPLY) {
241 nf_ct_refresh_acct(ct, ctinfo, skb, 240 nf_ct_refresh_acct(ct, ctinfo, skb,
242 ct->proto.gre.stream_timeout); 241 ct->proto.gre.stream_timeout);
243 /* Also, more likely to be important, and not a probe. */ 242 /* Also, more likely to be important, and not a probe. */
244 set_bit(IPS_ASSURED_BIT, &ct->status); 243 set_bit(IPS_ASSURED_BIT, &ct->status);
245 nf_conntrack_event_cache(IPCT_STATUS, ct); 244 nf_conntrack_event_cache(IPCT_STATUS, ct);
246 } else 245 } else
247 nf_ct_refresh_acct(ct, ctinfo, skb, 246 nf_ct_refresh_acct(ct, ctinfo, skb,
248 ct->proto.gre.timeout); 247 ct->proto.gre.timeout);
249 248
250 return NF_ACCEPT; 249 return NF_ACCEPT;
251 } 250 }
252 251
253 /* Called when a new connection for this protocol found. */ 252 /* Called when a new connection for this protocol found. */
254 static bool gre_new(struct nf_conn *ct, const struct sk_buff *skb, 253 static bool gre_new(struct nf_conn *ct, const struct sk_buff *skb,
255 unsigned int dataoff) 254 unsigned int dataoff)
256 { 255 {
257 pr_debug(": "); 256 pr_debug(": ");
258 nf_ct_dump_tuple(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple); 257 nf_ct_dump_tuple(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
259 258
260 /* initialize to sane value. Ideally a conntrack helper 259 /* initialize to sane value. Ideally a conntrack helper
261 * (e.g. in case of pptp) is increasing them */ 260 * (e.g. in case of pptp) is increasing them */
262 ct->proto.gre.stream_timeout = GRE_STREAM_TIMEOUT; 261 ct->proto.gre.stream_timeout = GRE_STREAM_TIMEOUT;
263 ct->proto.gre.timeout = GRE_TIMEOUT; 262 ct->proto.gre.timeout = GRE_TIMEOUT;
264 263
265 return true; 264 return true;
266 } 265 }
267 266
268 /* Called when a conntrack entry has already been removed from the hashes 267 /* Called when a conntrack entry has already been removed from the hashes
269 * and is about to be deleted from memory */ 268 * and is about to be deleted from memory */
270 static void gre_destroy(struct nf_conn *ct) 269 static void gre_destroy(struct nf_conn *ct)
271 { 270 {
272 struct nf_conn *master = ct->master; 271 struct nf_conn *master = ct->master;
273 pr_debug(" entering\n"); 272 pr_debug(" entering\n");
274 273
275 if (!master) 274 if (!master)
276 pr_debug("no master !?!\n"); 275 pr_debug("no master !?!\n");
277 else 276 else
278 nf_ct_gre_keymap_destroy(master); 277 nf_ct_gre_keymap_destroy(master);
279 } 278 }
280 279
281 /* protocol helper struct */ 280 /* protocol helper struct */
282 static struct nf_conntrack_l4proto nf_conntrack_l4proto_gre4 __read_mostly = { 281 static struct nf_conntrack_l4proto nf_conntrack_l4proto_gre4 __read_mostly = {
283 .l3proto = AF_INET, 282 .l3proto = AF_INET,
284 .l4proto = IPPROTO_GRE, 283 .l4proto = IPPROTO_GRE,
285 .name = "gre", 284 .name = "gre",
286 .pkt_to_tuple = gre_pkt_to_tuple, 285 .pkt_to_tuple = gre_pkt_to_tuple,
287 .invert_tuple = gre_invert_tuple, 286 .invert_tuple = gre_invert_tuple,
288 .print_tuple = gre_print_tuple, 287 .print_tuple = gre_print_tuple,
289 .print_conntrack = gre_print_conntrack, 288 .print_conntrack = gre_print_conntrack,
290 .packet = gre_packet, 289 .packet = gre_packet,
291 .new = gre_new, 290 .new = gre_new,
292 .destroy = gre_destroy, 291 .destroy = gre_destroy,
293 .me = THIS_MODULE, 292 .me = THIS_MODULE,
294 #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) 293 #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
295 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr, 294 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
296 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size, 295 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
297 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, 296 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
298 .nla_policy = nf_ct_port_nla_policy, 297 .nla_policy = nf_ct_port_nla_policy,
299 #endif 298 #endif
300 }; 299 };
301 300
302 static int proto_gre_net_init(struct net *net) 301 static int proto_gre_net_init(struct net *net)
303 { 302 {
304 struct netns_proto_gre *net_gre; 303 struct netns_proto_gre *net_gre;
305 int rv; 304 int rv;
306 305
307 net_gre = kmalloc(sizeof(struct netns_proto_gre), GFP_KERNEL); 306 net_gre = kmalloc(sizeof(struct netns_proto_gre), GFP_KERNEL);
308 if (!net_gre) 307 if (!net_gre)
309 return -ENOMEM; 308 return -ENOMEM;
310 rwlock_init(&net_gre->keymap_lock); 309 rwlock_init(&net_gre->keymap_lock);
311 INIT_LIST_HEAD(&net_gre->keymap_list); 310 INIT_LIST_HEAD(&net_gre->keymap_list);
312 311
313 rv = net_assign_generic(net, proto_gre_net_id, net_gre); 312 rv = net_assign_generic(net, proto_gre_net_id, net_gre);
314 if (rv < 0) 313 if (rv < 0)
315 kfree(net_gre); 314 kfree(net_gre);
316 return rv; 315 return rv;
317 } 316 }
318 317
319 static void proto_gre_net_exit(struct net *net) 318 static void proto_gre_net_exit(struct net *net)
320 { 319 {
321 struct netns_proto_gre *net_gre = net_generic(net, proto_gre_net_id); 320 struct netns_proto_gre *net_gre = net_generic(net, proto_gre_net_id);
322 321
323 nf_ct_gre_keymap_flush(net); 322 nf_ct_gre_keymap_flush(net);
324 kfree(net_gre); 323 kfree(net_gre);
325 } 324 }
326 325
327 static struct pernet_operations proto_gre_net_ops = { 326 static struct pernet_operations proto_gre_net_ops = {
328 .init = proto_gre_net_init, 327 .init = proto_gre_net_init,
329 .exit = proto_gre_net_exit, 328 .exit = proto_gre_net_exit,
330 }; 329 };
331 330
332 static int __init nf_ct_proto_gre_init(void) 331 static int __init nf_ct_proto_gre_init(void)
333 { 332 {
334 int rv; 333 int rv;
335 334
336 rv = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_gre4); 335 rv = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_gre4);
337 if (rv < 0) 336 if (rv < 0)
338 return rv; 337 return rv;
339 rv = register_pernet_gen_subsys(&proto_gre_net_id, &proto_gre_net_ops); 338 rv = register_pernet_gen_subsys(&proto_gre_net_id, &proto_gre_net_ops);
340 if (rv < 0) 339 if (rv < 0)
341 nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_gre4); 340 nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_gre4);
342 return rv; 341 return rv;
343 } 342 }
344 343
345 static void __exit nf_ct_proto_gre_fini(void) 344 static void __exit nf_ct_proto_gre_fini(void)
346 { 345 {
347 nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_gre4); 346 nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_gre4);
348 unregister_pernet_gen_subsys(proto_gre_net_id, &proto_gre_net_ops); 347 unregister_pernet_gen_subsys(proto_gre_net_id, &proto_gre_net_ops);
349 } 348 }
350 349
351 module_init(nf_ct_proto_gre_init); 350 module_init(nf_ct_proto_gre_init);
352 module_exit(nf_ct_proto_gre_fini); 351 module_exit(nf_ct_proto_gre_fini);
353 352
354 MODULE_LICENSE("GPL"); 353 MODULE_LICENSE("GPL");
355 354
net/netfilter/nf_conntrack_proto_sctp.c
Diff comments   View file @ 440f0d5
1 /* 1 /*
2 * Connection tracking protocol helper module for SCTP. 2 * Connection tracking protocol helper module for SCTP.
3 * 3 *
4 * SCTP is defined in RFC 2960. References to various sections in this code 4 * SCTP is defined in RFC 2960. References to various sections in this code
5 * are to this RFC. 5 * are to this RFC.
6 * 6 *
7 * This program is free software; you can redistribute it and/or modify 7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License version 2 as 8 * it under the terms of the GNU General Public License version 2 as
9 * published by the Free Software Foundation. 9 * published by the Free Software Foundation.
10 */ 10 */
11 11
12 #include <linux/types.h> 12 #include <linux/types.h>
13 #include <linux/timer.h> 13 #include <linux/timer.h>
14 #include <linux/netfilter.h> 14 #include <linux/netfilter.h>
15 #include <linux/module.h> 15 #include <linux/module.h>
16 #include <linux/in.h> 16 #include <linux/in.h>
17 #include <linux/ip.h> 17 #include <linux/ip.h>
18 #include <linux/sctp.h> 18 #include <linux/sctp.h>
19 #include <linux/string.h> 19 #include <linux/string.h>
20 #include <linux/seq_file.h> 20 #include <linux/seq_file.h>
21 #include <linux/spinlock.h> 21 #include <linux/spinlock.h>
22 #include <linux/interrupt.h> 22 #include <linux/interrupt.h>
23 23
24 #include <net/netfilter/nf_conntrack.h> 24 #include <net/netfilter/nf_conntrack.h>
25 #include <net/netfilter/nf_conntrack_l4proto.h> 25 #include <net/netfilter/nf_conntrack_l4proto.h>
26 #include <net/netfilter/nf_conntrack_ecache.h> 26 #include <net/netfilter/nf_conntrack_ecache.h>
27 27
28 /* Protects ct->proto.sctp */
29 static DEFINE_RWLOCK(sctp_lock);
30
31 /* FIXME: Examine ipfilter's timeouts and conntrack transitions more 28 /* FIXME: Examine ipfilter's timeouts and conntrack transitions more
32 closely. They're more complex. --RR 29 closely. They're more complex. --RR
33 30
34 And so for me for SCTP :D -Kiran */ 31 And so for me for SCTP :D -Kiran */
35 32
36 static const char *const sctp_conntrack_names[] = { 33 static const char *const sctp_conntrack_names[] = {
37 "NONE", 34 "NONE",
38 "CLOSED", 35 "CLOSED",
39 "COOKIE_WAIT", 36 "COOKIE_WAIT",
40 "COOKIE_ECHOED", 37 "COOKIE_ECHOED",
41 "ESTABLISHED", 38 "ESTABLISHED",
42 "SHUTDOWN_SENT", 39 "SHUTDOWN_SENT",
43 "SHUTDOWN_RECD", 40 "SHUTDOWN_RECD",
44 "SHUTDOWN_ACK_SENT", 41 "SHUTDOWN_ACK_SENT",
45 }; 42 };
46 43
47 #define SECS * HZ 44 #define SECS * HZ
48 #define MINS * 60 SECS 45 #define MINS * 60 SECS
49 #define HOURS * 60 MINS 46 #define HOURS * 60 MINS
50 #define DAYS * 24 HOURS 47 #define DAYS * 24 HOURS
51 48
52 static unsigned int sctp_timeouts[SCTP_CONNTRACK_MAX] __read_mostly = { 49 static unsigned int sctp_timeouts[SCTP_CONNTRACK_MAX] __read_mostly = {
53 [SCTP_CONNTRACK_CLOSED] = 10 SECS, 50 [SCTP_CONNTRACK_CLOSED] = 10 SECS,
54 [SCTP_CONNTRACK_COOKIE_WAIT] = 3 SECS, 51 [SCTP_CONNTRACK_COOKIE_WAIT] = 3 SECS,
55 [SCTP_CONNTRACK_COOKIE_ECHOED] = 3 SECS, 52 [SCTP_CONNTRACK_COOKIE_ECHOED] = 3 SECS,
56 [SCTP_CONNTRACK_ESTABLISHED] = 5 DAYS, 53 [SCTP_CONNTRACK_ESTABLISHED] = 5 DAYS,
57 [SCTP_CONNTRACK_SHUTDOWN_SENT] = 300 SECS / 1000, 54 [SCTP_CONNTRACK_SHUTDOWN_SENT] = 300 SECS / 1000,
58 [SCTP_CONNTRACK_SHUTDOWN_RECD] = 300 SECS / 1000, 55 [SCTP_CONNTRACK_SHUTDOWN_RECD] = 300 SECS / 1000,
59 [SCTP_CONNTRACK_SHUTDOWN_ACK_SENT] = 3 SECS, 56 [SCTP_CONNTRACK_SHUTDOWN_ACK_SENT] = 3 SECS,
60 }; 57 };
61 58
62 #define sNO SCTP_CONNTRACK_NONE 59 #define sNO SCTP_CONNTRACK_NONE
63 #define sCL SCTP_CONNTRACK_CLOSED 60 #define sCL SCTP_CONNTRACK_CLOSED
64 #define sCW SCTP_CONNTRACK_COOKIE_WAIT 61 #define sCW SCTP_CONNTRACK_COOKIE_WAIT
65 #define sCE SCTP_CONNTRACK_COOKIE_ECHOED 62 #define sCE SCTP_CONNTRACK_COOKIE_ECHOED
66 #define sES SCTP_CONNTRACK_ESTABLISHED 63 #define sES SCTP_CONNTRACK_ESTABLISHED
67 #define sSS SCTP_CONNTRACK_SHUTDOWN_SENT 64 #define sSS SCTP_CONNTRACK_SHUTDOWN_SENT
68 #define sSR SCTP_CONNTRACK_SHUTDOWN_RECD 65 #define sSR SCTP_CONNTRACK_SHUTDOWN_RECD
69 #define sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT 66 #define sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT
70 #define sIV SCTP_CONNTRACK_MAX 67 #define sIV SCTP_CONNTRACK_MAX
71 68
72 /* 69 /*
73 These are the descriptions of the states: 70 These are the descriptions of the states:
74 71
75 NOTE: These state names are tantalizingly similar to the states of an 72 NOTE: These state names are tantalizingly similar to the states of an
76 SCTP endpoint. But the interpretation of the states is a little different, 73 SCTP endpoint. But the interpretation of the states is a little different,
77 considering that these are the states of the connection and not of an end 74 considering that these are the states of the connection and not of an end
78 point. Please note the subtleties. -Kiran 75 point. Please note the subtleties. -Kiran
79 76
80 NONE - Nothing so far. 77 NONE - Nothing so far.
81 COOKIE WAIT - We have seen an INIT chunk in the original direction, or also 78 COOKIE WAIT - We have seen an INIT chunk in the original direction, or also
82 an INIT_ACK chunk in the reply direction. 79 an INIT_ACK chunk in the reply direction.
83 COOKIE ECHOED - We have seen a COOKIE_ECHO chunk in the original direction. 80 COOKIE ECHOED - We have seen a COOKIE_ECHO chunk in the original direction.
84 ESTABLISHED - We have seen a COOKIE_ACK in the reply direction. 81 ESTABLISHED - We have seen a COOKIE_ACK in the reply direction.
85 SHUTDOWN_SENT - We have seen a SHUTDOWN chunk in the original direction. 82 SHUTDOWN_SENT - We have seen a SHUTDOWN chunk in the original direction.
86 SHUTDOWN_RECD - We have seen a SHUTDOWN chunk in the reply directoin. 83 SHUTDOWN_RECD - We have seen a SHUTDOWN chunk in the reply directoin.
87 SHUTDOWN_ACK_SENT - We have seen a SHUTDOWN_ACK chunk in the direction opposite 84 SHUTDOWN_ACK_SENT - We have seen a SHUTDOWN_ACK chunk in the direction opposite
88 to that of the SHUTDOWN chunk. 85 to that of the SHUTDOWN chunk.
89 CLOSED - We have seen a SHUTDOWN_COMPLETE chunk in the direction of 86 CLOSED - We have seen a SHUTDOWN_COMPLETE chunk in the direction of
90 the SHUTDOWN chunk. Connection is closed. 87 the SHUTDOWN chunk. Connection is closed.
91 */ 88 */
92 89
93 /* TODO 90 /* TODO
94 - I have assumed that the first INIT is in the original direction. 91 - I have assumed that the first INIT is in the original direction.
95 This messes things when an INIT comes in the reply direction in CLOSED 92 This messes things when an INIT comes in the reply direction in CLOSED
96 state. 93 state.
97 - Check the error type in the reply dir before transitioning from 94 - Check the error type in the reply dir before transitioning from
98 cookie echoed to closed. 95 cookie echoed to closed.
99 - Sec 5.2.4 of RFC 2960 96 - Sec 5.2.4 of RFC 2960
100 - Multi Homing support. 97 - Multi Homing support.
101 */ 98 */
102 99
103 /* SCTP conntrack state transitions */ 100 /* SCTP conntrack state transitions */
104 static const u8 sctp_conntracks[2][9][SCTP_CONNTRACK_MAX] = { 101 static const u8 sctp_conntracks[2][9][SCTP_CONNTRACK_MAX] = {
105 { 102 {
106 /* ORIGINAL */ 103 /* ORIGINAL */
107 /* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA */ 104 /* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA */
108 /* init */ {sCW, sCW, sCW, sCE, sES, sSS, sSR, sSA}, 105 /* init */ {sCW, sCW, sCW, sCE, sES, sSS, sSR, sSA},
109 /* init_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA}, 106 /* init_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA},
110 /* abort */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL}, 107 /* abort */ {sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL},
111 /* shutdown */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA}, 108 /* shutdown */ {sCL, sCL, sCW, sCE, sSS, sSS, sSR, sSA},
112 /* shutdown_ack */ {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA}, 109 /* shutdown_ack */ {sSA, sCL, sCW, sCE, sES, sSA, sSA, sSA},
113 /* error */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* Cant have Stale cookie*/ 110 /* error */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* Cant have Stale cookie*/
114 /* cookie_echo */ {sCL, sCL, sCE, sCE, sES, sSS, sSR, sSA},/* 5.2.4 - Big TODO */ 111 /* cookie_echo */ {sCL, sCL, sCE, sCE, sES, sSS, sSR, sSA},/* 5.2.4 - Big TODO */
115 /* cookie_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* Cant come in orig dir */ 112 /* cookie_ack */ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* Cant come in orig dir */
116 /* shutdown_comp*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL} 113 /* shutdown_comp*/ {sCL, sCL, sCW, sCE, sES, sSS, sSR, sCL}
117 }, 114 },
118 { 115 {
119 /* REPLY */ 116 /* REPLY */
120 /* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA */ 117 /* sNO, sCL, sCW, sCE, sES, sSS, sSR, sSA */
121 /* init */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* INIT in sCL Big TODO */ 118 /* init */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* INIT in sCL Big TODO */
122 /* init_ack */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA}, 119 /* init_ack */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA},
123 /* abort */ {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL}, 120 /* abort */ {sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL},
124 /* shutdown */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA}, 121 /* shutdown */ {sIV, sCL, sCW, sCE, sSR, sSS, sSR, sSA},
125 /* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA}, 122 /* shutdown_ack */ {sIV, sCL, sCW, sCE, sES, sSA, sSA, sSA},
126 /* error */ {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA}, 123 /* error */ {sIV, sCL, sCW, sCL, sES, sSS, sSR, sSA},
127 /* cookie_echo */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* Cant come in reply dir */ 124 /* cookie_echo */ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sSA},/* Cant come in reply dir */
128 /* cookie_ack */ {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA}, 125 /* cookie_ack */ {sIV, sCL, sCW, sES, sES, sSS, sSR, sSA},
129 /* shutdown_comp*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL} 126 /* shutdown_comp*/ {sIV, sCL, sCW, sCE, sES, sSS, sSR, sCL}
130 } 127 }
131 }; 128 };
132 129
133 static bool sctp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff, 130 static bool sctp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
134 struct nf_conntrack_tuple *tuple) 131 struct nf_conntrack_tuple *tuple)
135 { 132 {
136 const struct sctphdr *hp; 133 const struct sctphdr *hp;
137 struct sctphdr _hdr; 134 struct sctphdr _hdr;
138 135
139 /* Actually only need first 8 bytes. */ 136 /* Actually only need first 8 bytes. */
140 hp = skb_header_pointer(skb, dataoff, 8, &_hdr); 137 hp = skb_header_pointer(skb, dataoff, 8, &_hdr);
141 if (hp == NULL) 138 if (hp == NULL)
142 return false; 139 return false;
143 140
144 tuple->src.u.sctp.port = hp->source; 141 tuple->src.u.sctp.port = hp->source;
145 tuple->dst.u.sctp.port = hp->dest; 142 tuple->dst.u.sctp.port = hp->dest;
146 return true; 143 return true;
147 } 144 }
148 145
149 static bool sctp_invert_tuple(struct nf_conntrack_tuple *tuple, 146 static bool sctp_invert_tuple(struct nf_conntrack_tuple *tuple,
150 const struct nf_conntrack_tuple *orig) 147 const struct nf_conntrack_tuple *orig)
151 { 148 {
152 tuple->src.u.sctp.port = orig->dst.u.sctp.port; 149 tuple->src.u.sctp.port = orig->dst.u.sctp.port;
153 tuple->dst.u.sctp.port = orig->src.u.sctp.port; 150 tuple->dst.u.sctp.port = orig->src.u.sctp.port;
154 return true; 151 return true;
155 } 152 }
156 153
157 /* Print out the per-protocol part of the tuple. */ 154 /* Print out the per-protocol part of the tuple. */
158 static int sctp_print_tuple(struct seq_file *s, 155 static int sctp_print_tuple(struct seq_file *s,
159 const struct nf_conntrack_tuple *tuple) 156 const struct nf_conntrack_tuple *tuple)
160 { 157 {
161 return seq_printf(s, "sport=%hu dport=%hu ", 158 return seq_printf(s, "sport=%hu dport=%hu ",
162 ntohs(tuple->src.u.sctp.port), 159 ntohs(tuple->src.u.sctp.port),
163 ntohs(tuple->dst.u.sctp.port)); 160 ntohs(tuple->dst.u.sctp.port));
164 } 161 }
165 162
166 /* Print out the private part of the conntrack. */ 163 /* Print out the private part of the conntrack. */
167 static int sctp_print_conntrack(struct seq_file *s, const struct nf_conn *ct) 164 static int sctp_print_conntrack(struct seq_file *s, struct nf_conn *ct)
168 { 165 {
169 enum sctp_conntrack state; 166 enum sctp_conntrack state;
170 167
171 read_lock_bh(&sctp_lock); 168 spin_lock_bh(&ct->lock);
172 state = ct->proto.sctp.state; 169 state = ct->proto.sctp.state;
173 read_unlock_bh(&sctp_lock); 170 spin_unlock_bh(&ct->lock);
174 171
175 return seq_printf(s, "%s ", sctp_conntrack_names[state]); 172 return seq_printf(s, "%s ", sctp_conntrack_names[state]);
176 } 173 }
177 174
178 #define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) \ 175 #define for_each_sctp_chunk(skb, sch, _sch, offset, dataoff, count) \
179 for ((offset) = (dataoff) + sizeof(sctp_sctphdr_t), (count) = 0; \ 176 for ((offset) = (dataoff) + sizeof(sctp_sctphdr_t), (count) = 0; \
180 (offset) < (skb)->len && \ 177 (offset) < (skb)->len && \
181 ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))); \ 178 ((sch) = skb_header_pointer((skb), (offset), sizeof(_sch), &(_sch))); \
182 (offset) += (ntohs((sch)->length) + 3) & ~3, (count)++) 179 (offset) += (ntohs((sch)->length) + 3) & ~3, (count)++)
183 180
184 /* Some validity checks to make sure the chunks are fine */ 181 /* Some validity checks to make sure the chunks are fine */
185 static int do_basic_checks(struct nf_conn *ct, 182 static int do_basic_checks(struct nf_conn *ct,
186 const struct sk_buff *skb, 183 const struct sk_buff *skb,
187 unsigned int dataoff, 184 unsigned int dataoff,
188 unsigned long *map) 185 unsigned long *map)
189 { 186 {
190 u_int32_t offset, count; 187 u_int32_t offset, count;
191 sctp_chunkhdr_t _sch, *sch; 188 sctp_chunkhdr_t _sch, *sch;
192 int flag; 189 int flag;
193 190
194 flag = 0; 191 flag = 0;
195 192
196 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) { 193 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
197 pr_debug("Chunk Num: %d Type: %d\n", count, sch->type); 194 pr_debug("Chunk Num: %d Type: %d\n", count, sch->type);
198 195
199 if (sch->type == SCTP_CID_INIT || 196 if (sch->type == SCTP_CID_INIT ||
200 sch->type == SCTP_CID_INIT_ACK || 197 sch->type == SCTP_CID_INIT_ACK ||
201 sch->type == SCTP_CID_SHUTDOWN_COMPLETE) 198 sch->type == SCTP_CID_SHUTDOWN_COMPLETE)
202 flag = 1; 199 flag = 1;
203 200
204 /* 201 /*
205 * Cookie Ack/Echo chunks not the first OR 202 * Cookie Ack/Echo chunks not the first OR
206 * Init / Init Ack / Shutdown compl chunks not the only chunks 203 * Init / Init Ack / Shutdown compl chunks not the only chunks
207 * OR zero-length. 204 * OR zero-length.
208 */ 205 */
209 if (((sch->type == SCTP_CID_COOKIE_ACK || 206 if (((sch->type == SCTP_CID_COOKIE_ACK ||
210 sch->type == SCTP_CID_COOKIE_ECHO || 207 sch->type == SCTP_CID_COOKIE_ECHO ||
211 flag) && 208 flag) &&
212 count != 0) || !sch->length) { 209 count != 0) || !sch->length) {
213 pr_debug("Basic checks failed\n"); 210 pr_debug("Basic checks failed\n");
214 return 1; 211 return 1;
215 } 212 }
216 213
217 if (map) 214 if (map)
218 set_bit(sch->type, map); 215 set_bit(sch->type, map);
219 } 216 }
220 217
221 pr_debug("Basic checks passed\n"); 218 pr_debug("Basic checks passed\n");
222 return count == 0; 219 return count == 0;
223 } 220 }
224 221
225 static int sctp_new_state(enum ip_conntrack_dir dir, 222 static int sctp_new_state(enum ip_conntrack_dir dir,
226 enum sctp_conntrack cur_state, 223 enum sctp_conntrack cur_state,
227 int chunk_type) 224 int chunk_type)
228 { 225 {
229 int i; 226 int i;
230 227
231 pr_debug("Chunk type: %d\n", chunk_type); 228 pr_debug("Chunk type: %d\n", chunk_type);
232 229
233 switch (chunk_type) { 230 switch (chunk_type) {
234 case SCTP_CID_INIT: 231 case SCTP_CID_INIT:
235 pr_debug("SCTP_CID_INIT\n"); 232 pr_debug("SCTP_CID_INIT\n");
236 i = 0; 233 i = 0;
237 break; 234 break;
238 case SCTP_CID_INIT_ACK: 235 case SCTP_CID_INIT_ACK:
239 pr_debug("SCTP_CID_INIT_ACK\n"); 236 pr_debug("SCTP_CID_INIT_ACK\n");
240 i = 1; 237 i = 1;
241 break; 238 break;
242 case SCTP_CID_ABORT: 239 case SCTP_CID_ABORT:
243 pr_debug("SCTP_CID_ABORT\n"); 240 pr_debug("SCTP_CID_ABORT\n");
244 i = 2; 241 i = 2;
245 break; 242 break;
246 case SCTP_CID_SHUTDOWN: 243 case SCTP_CID_SHUTDOWN:
247 pr_debug("SCTP_CID_SHUTDOWN\n"); 244 pr_debug("SCTP_CID_SHUTDOWN\n");
248 i = 3; 245 i = 3;
249 break; 246 break;
250 case SCTP_CID_SHUTDOWN_ACK: 247 case SCTP_CID_SHUTDOWN_ACK:
251 pr_debug("SCTP_CID_SHUTDOWN_ACK\n"); 248 pr_debug("SCTP_CID_SHUTDOWN_ACK\n");
252 i = 4; 249 i = 4;
253 break; 250 break;
254 case SCTP_CID_ERROR: 251 case SCTP_CID_ERROR:
255 pr_debug("SCTP_CID_ERROR\n"); 252 pr_debug("SCTP_CID_ERROR\n");
256 i = 5; 253 i = 5;
257 break; 254 break;
258 case SCTP_CID_COOKIE_ECHO: 255 case SCTP_CID_COOKIE_ECHO:
259 pr_debug("SCTP_CID_COOKIE_ECHO\n"); 256 pr_debug("SCTP_CID_COOKIE_ECHO\n");
260 i = 6; 257 i = 6;
261 break; 258 break;
262 case SCTP_CID_COOKIE_ACK: 259 case SCTP_CID_COOKIE_ACK:
263 pr_debug("SCTP_CID_COOKIE_ACK\n"); 260 pr_debug("SCTP_CID_COOKIE_ACK\n");
264 i = 7; 261 i = 7;
265 break; 262 break;
266 case SCTP_CID_SHUTDOWN_COMPLETE: 263 case SCTP_CID_SHUTDOWN_COMPLETE:
267 pr_debug("SCTP_CID_SHUTDOWN_COMPLETE\n"); 264 pr_debug("SCTP_CID_SHUTDOWN_COMPLETE\n");
268 i = 8; 265 i = 8;
269 break; 266 break;
270 default: 267 default:
271 /* Other chunks like DATA, SACK, HEARTBEAT and 268 /* Other chunks like DATA, SACK, HEARTBEAT and
272 its ACK do not cause a change in state */ 269 its ACK do not cause a change in state */
273 pr_debug("Unknown chunk type, Will stay in %s\n", 270 pr_debug("Unknown chunk type, Will stay in %s\n",
274 sctp_conntrack_names[cur_state]); 271 sctp_conntrack_names[cur_state]);
275 return cur_state; 272 return cur_state;
276 } 273 }
277 274
278 pr_debug("dir: %d cur_state: %s chunk_type: %d new_state: %s\n", 275 pr_debug("dir: %d cur_state: %s chunk_type: %d new_state: %s\n",
279 dir, sctp_conntrack_names[cur_state], chunk_type, 276 dir, sctp_conntrack_names[cur_state], chunk_type,
280 sctp_conntrack_names[sctp_conntracks[dir][i][cur_state]]); 277 sctp_conntrack_names[sctp_conntracks[dir][i][cur_state]]);
281 278
282 return sctp_conntracks[dir][i][cur_state]; 279 return sctp_conntracks[dir][i][cur_state];
283 } 280 }
284 281
285 /* Returns verdict for packet, or -NF_ACCEPT for invalid. */ 282 /* Returns verdict for packet, or -NF_ACCEPT for invalid. */
286 static int sctp_packet(struct nf_conn *ct, 283 static int sctp_packet(struct nf_conn *ct,
287 const struct sk_buff *skb, 284 const struct sk_buff *skb,
288 unsigned int dataoff, 285 unsigned int dataoff,
289 enum ip_conntrack_info ctinfo, 286 enum ip_conntrack_info ctinfo,
290 u_int8_t pf, 287 u_int8_t pf,
291 unsigned int hooknum) 288 unsigned int hooknum)
292 { 289 {
293 enum sctp_conntrack new_state, old_state; 290 enum sctp_conntrack new_state, old_state;
294 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); 291 enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
295 const struct sctphdr *sh; 292 const struct sctphdr *sh;
296 struct sctphdr _sctph; 293 struct sctphdr _sctph;
297 const struct sctp_chunkhdr *sch; 294 const struct sctp_chunkhdr *sch;
298 struct sctp_chunkhdr _sch; 295 struct sctp_chunkhdr _sch;
299 u_int32_t offset, count; 296 u_int32_t offset, count;
300 unsigned long map[256 / sizeof(unsigned long)] = { 0 }; 297 unsigned long map[256 / sizeof(unsigned long)] = { 0 };
301 298
302 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph); 299 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
303 if (sh == NULL) 300 if (sh == NULL)
304 goto out; 301 goto out;
305 302
306 if (do_basic_checks(ct, skb, dataoff, map) != 0) 303 if (do_basic_checks(ct, skb, dataoff, map) != 0)
307 goto out; 304 goto out;
308 305
309 /* Check the verification tag (Sec 8.5) */ 306 /* Check the verification tag (Sec 8.5) */
310 if (!test_bit(SCTP_CID_INIT, map) && 307 if (!test_bit(SCTP_CID_INIT, map) &&
311 !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) && 308 !test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) &&
312 !test_bit(SCTP_CID_COOKIE_ECHO, map) && 309 !test_bit(SCTP_CID_COOKIE_ECHO, map) &&
313 !test_bit(SCTP_CID_ABORT, map) && 310 !test_bit(SCTP_CID_ABORT, map) &&
314 !test_bit(SCTP_CID_SHUTDOWN_ACK, map) && 311 !test_bit(SCTP_CID_SHUTDOWN_ACK, map) &&
315 sh->vtag != ct->proto.sctp.vtag[dir]) { 312 sh->vtag != ct->proto.sctp.vtag[dir]) {
316 pr_debug("Verification tag check failed\n"); 313 pr_debug("Verification tag check failed\n");
317 goto out; 314 goto out;
318 } 315 }
319 316
320 old_state = new_state = SCTP_CONNTRACK_NONE; 317 old_state = new_state = SCTP_CONNTRACK_NONE;
321 write_lock_bh(&sctp_lock); 318 spin_lock_bh(&ct->lock);
322 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) { 319 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
323 /* Special cases of Verification tag check (Sec 8.5.1) */ 320 /* Special cases of Verification tag check (Sec 8.5.1) */
324 if (sch->type == SCTP_CID_INIT) { 321 if (sch->type == SCTP_CID_INIT) {
325 /* Sec 8.5.1 (A) */ 322 /* Sec 8.5.1 (A) */
326 if (sh->vtag != 0) 323 if (sh->vtag != 0)
327 goto out_unlock; 324 goto out_unlock;
328 } else if (sch->type == SCTP_CID_ABORT) { 325 } else if (sch->type == SCTP_CID_ABORT) {
329 /* Sec 8.5.1 (B) */ 326 /* Sec 8.5.1 (B) */
330 if (sh->vtag != ct->proto.sctp.vtag[dir] && 327 if (sh->vtag != ct->proto.sctp.vtag[dir] &&
331 sh->vtag != ct->proto.sctp.vtag[!dir]) 328 sh->vtag != ct->proto.sctp.vtag[!dir])
332 goto out_unlock; 329 goto out_unlock;
333 } else if (sch->type == SCTP_CID_SHUTDOWN_COMPLETE) { 330 } else if (sch->type == SCTP_CID_SHUTDOWN_COMPLETE) {
334 /* Sec 8.5.1 (C) */ 331 /* Sec 8.5.1 (C) */
335 if (sh->vtag != ct->proto.sctp.vtag[dir] && 332 if (sh->vtag != ct->proto.sctp.vtag[dir] &&
336 sh->vtag != ct->proto.sctp.vtag[!dir] && 333 sh->vtag != ct->proto.sctp.vtag[!dir] &&
337 sch->flags & SCTP_CHUNK_FLAG_T) 334 sch->flags & SCTP_CHUNK_FLAG_T)
338 goto out_unlock; 335 goto out_unlock;
339 } else if (sch->type == SCTP_CID_COOKIE_ECHO) { 336 } else if (sch->type == SCTP_CID_COOKIE_ECHO) {
340 /* Sec 8.5.1 (D) */ 337 /* Sec 8.5.1 (D) */
341 if (sh->vtag != ct->proto.sctp.vtag[dir]) 338 if (sh->vtag != ct->proto.sctp.vtag[dir])
342 goto out_unlock; 339 goto out_unlock;
343 } 340 }
344 341
345 old_state = ct->proto.sctp.state; 342 old_state = ct->proto.sctp.state;
346 new_state = sctp_new_state(dir, old_state, sch->type); 343 new_state = sctp_new_state(dir, old_state, sch->type);
347 344
348 /* Invalid */ 345 /* Invalid */
349 if (new_state == SCTP_CONNTRACK_MAX) { 346 if (new_state == SCTP_CONNTRACK_MAX) {
350 pr_debug("nf_conntrack_sctp: Invalid dir=%i ctype=%u " 347 pr_debug("nf_conntrack_sctp: Invalid dir=%i ctype=%u "
351 "conntrack=%u\n", 348 "conntrack=%u\n",
352 dir, sch->type, old_state); 349 dir, sch->type, old_state);
353 goto out_unlock; 350 goto out_unlock;
354 } 351 }
355 352
356 /* If it is an INIT or an INIT ACK note down the vtag */ 353 /* If it is an INIT or an INIT ACK note down the vtag */
357 if (sch->type == SCTP_CID_INIT || 354 if (sch->type == SCTP_CID_INIT ||
358 sch->type == SCTP_CID_INIT_ACK) { 355 sch->type == SCTP_CID_INIT_ACK) {
359 sctp_inithdr_t _inithdr, *ih; 356 sctp_inithdr_t _inithdr, *ih;
360 357
361 ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t), 358 ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t),
362 sizeof(_inithdr), &_inithdr); 359 sizeof(_inithdr), &_inithdr);
363 if (ih == NULL) 360 if (ih == NULL)
364 goto out_unlock; 361 goto out_unlock;
365 pr_debug("Setting vtag %x for dir %d\n", 362 pr_debug("Setting vtag %x for dir %d\n",
366 ih->init_tag, !dir); 363 ih->init_tag, !dir);
367 ct->proto.sctp.vtag[!dir] = ih->init_tag; 364 ct->proto.sctp.vtag[!dir] = ih->init_tag;
368 } 365 }
369 366
370 ct->proto.sctp.state = new_state; 367 ct->proto.sctp.state = new_state;
371 if (old_state != new_state) 368 if (old_state != new_state)
372 nf_conntrack_event_cache(IPCT_PROTOINFO, ct); 369 nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
373 } 370 }
374 write_unlock_bh(&sctp_lock); 371 spin_unlock_bh(&ct->lock);
375 372
376 nf_ct_refresh_acct(ct, ctinfo, skb, sctp_timeouts[new_state]); 373 nf_ct_refresh_acct(ct, ctinfo, skb, sctp_timeouts[new_state]);
377 374
378 if (old_state == SCTP_CONNTRACK_COOKIE_ECHOED && 375 if (old_state == SCTP_CONNTRACK_COOKIE_ECHOED &&
379 dir == IP_CT_DIR_REPLY && 376 dir == IP_CT_DIR_REPLY &&
380 new_state == SCTP_CONNTRACK_ESTABLISHED) { 377 new_state == SCTP_CONNTRACK_ESTABLISHED) {
381 pr_debug("Setting assured bit\n"); 378 pr_debug("Setting assured bit\n");
382 set_bit(IPS_ASSURED_BIT, &ct->status); 379 set_bit(IPS_ASSURED_BIT, &ct->status);
383 nf_conntrack_event_cache(IPCT_STATUS, ct); 380 nf_conntrack_event_cache(IPCT_STATUS, ct);
384 } 381 }
385 382
386 return NF_ACCEPT; 383 return NF_ACCEPT;
387 384
388 out_unlock: 385 out_unlock:
389 write_unlock_bh(&sctp_lock); 386 spin_unlock_bh(&ct->lock);
390 out: 387 out:
391 return -NF_ACCEPT; 388 return -NF_ACCEPT;
392 } 389 }
393 390
394 /* Called when a new connection for this protocol found. */ 391 /* Called when a new connection for this protocol found. */
395 static bool sctp_new(struct nf_conn *ct, const struct sk_buff *skb, 392 static bool sctp_new(struct nf_conn *ct, const struct sk_buff *skb,
396 unsigned int dataoff) 393 unsigned int dataoff)
397 { 394 {
398 enum sctp_conntrack new_state; 395 enum sctp_conntrack new_state;
399 const struct sctphdr *sh; 396 const struct sctphdr *sh;
400 struct sctphdr _sctph; 397 struct sctphdr _sctph;
401 const struct sctp_chunkhdr *sch; 398 const struct sctp_chunkhdr *sch;
402 struct sctp_chunkhdr _sch; 399 struct sctp_chunkhdr _sch;
403 u_int32_t offset, count; 400 u_int32_t offset, count;
404 unsigned long map[256 / sizeof(unsigned long)] = { 0 }; 401 unsigned long map[256 / sizeof(unsigned long)] = { 0 };
405 402
406 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph); 403 sh = skb_header_pointer(skb, dataoff, sizeof(_sctph), &_sctph);
407 if (sh == NULL) 404 if (sh == NULL)
408 return false; 405 return false;
409 406
410 if (do_basic_checks(ct, skb, dataoff, map) != 0) 407 if (do_basic_checks(ct, skb, dataoff, map) != 0)
411 return false; 408 return false;
412 409
413 /* If an OOTB packet has any of these chunks discard (Sec 8.4) */ 410 /* If an OOTB packet has any of these chunks discard (Sec 8.4) */
414 if (test_bit(SCTP_CID_ABORT, map) || 411 if (test_bit(SCTP_CID_ABORT, map) ||
415 test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) || 412 test_bit(SCTP_CID_SHUTDOWN_COMPLETE, map) ||
416 test_bit(SCTP_CID_COOKIE_ACK, map)) 413 test_bit(SCTP_CID_COOKIE_ACK, map))
417 return false; 414 return false;
418 415
419 new_state = SCTP_CONNTRACK_MAX; 416 new_state = SCTP_CONNTRACK_MAX;
420 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) { 417 for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
421 /* Don't need lock here: this conntrack not in circulation yet */ 418 /* Don't need lock here: this conntrack not in circulation yet */
422 new_state = sctp_new_state(IP_CT_DIR_ORIGINAL, 419 new_state = sctp_new_state(IP_CT_DIR_ORIGINAL,
423 SCTP_CONNTRACK_NONE, sch->type); 420 SCTP_CONNTRACK_NONE, sch->type);
424 421
425 /* Invalid: delete conntrack */ 422 /* Invalid: delete conntrack */
426 if (new_state == SCTP_CONNTRACK_NONE || 423 if (new_state == SCTP_CONNTRACK_NONE ||
427 new_state == SCTP_CONNTRACK_MAX) { 424 new_state == SCTP_CONNTRACK_MAX) {
428 pr_debug("nf_conntrack_sctp: invalid new deleting.\n"); 425 pr_debug("nf_conntrack_sctp: invalid new deleting.\n");
429 return false; 426 return false;
430 } 427 }
431 428
432 /* Copy the vtag into the state info */ 429 /* Copy the vtag into the state info */
433 if (sch->type == SCTP_CID_INIT) { 430 if (sch->type == SCTP_CID_INIT) {
434 if (sh->vtag == 0) { 431 if (sh->vtag == 0) {
435 sctp_inithdr_t _inithdr, *ih; 432 sctp_inithdr_t _inithdr, *ih;
436 433
437 ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t), 434 ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t),
438 sizeof(_inithdr), &_inithdr); 435 sizeof(_inithdr), &_inithdr);
439 if (ih == NULL) 436 if (ih == NULL)
440 return false; 437 return false;
441 438
442 pr_debug("Setting vtag %x for new conn\n", 439 pr_debug("Setting vtag %x for new conn\n",
443 ih->init_tag); 440 ih->init_tag);
444 441
445 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = 442 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] =
446 ih->init_tag; 443 ih->init_tag;
447 } else { 444 } else {
448 /* Sec 8.5.1 (A) */ 445 /* Sec 8.5.1 (A) */
449 return false; 446 return false;
450 } 447 }
451 } 448 }
452 /* If it is a shutdown ack OOTB packet, we expect a return 449 /* If it is a shutdown ack OOTB packet, we expect a return
453 shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8) */ 450 shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8) */
454 else { 451 else {
455 pr_debug("Setting vtag %x for new conn OOTB\n", 452 pr_debug("Setting vtag %x for new conn OOTB\n",
456 sh->vtag); 453 sh->vtag);
457 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag; 454 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag;
458 } 455 }
459 456
460 ct->proto.sctp.state = new_state; 457 ct->proto.sctp.state = new_state;
461 } 458 }
462 459
463 return true; 460 return true;
464 } 461 }
465 462
466 #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) 463 #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
467 464
468 #include <linux/netfilter/nfnetlink.h> 465 #include <linux/netfilter/nfnetlink.h>
469 #include <linux/netfilter/nfnetlink_conntrack.h> 466 #include <linux/netfilter/nfnetlink_conntrack.h>
470 467
471 static int sctp_to_nlattr(struct sk_buff *skb, struct nlattr *nla, 468 static int sctp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
472 const struct nf_conn *ct) 469 struct nf_conn *ct)
473 { 470 {
474 struct nlattr *nest_parms; 471 struct nlattr *nest_parms;
475 472
476 read_lock_bh(&sctp_lock); 473 spin_lock_bh(&ct->lock);
477 nest_parms = nla_nest_start(skb, CTA_PROTOINFO_SCTP | NLA_F_NESTED); 474 nest_parms = nla_nest_start(skb, CTA_PROTOINFO_SCTP | NLA_F_NESTED);
478 if (!nest_parms) 475 if (!nest_parms)
479 goto nla_put_failure; 476 goto nla_put_failure;
480 477
481 NLA_PUT_U8(skb, CTA_PROTOINFO_SCTP_STATE, ct->proto.sctp.state); 478 NLA_PUT_U8(skb, CTA_PROTOINFO_SCTP_STATE, ct->proto.sctp.state);
482 479
483 NLA_PUT_BE32(skb, 480 NLA_PUT_BE32(skb,
484 CTA_PROTOINFO_SCTP_VTAG_ORIGINAL, 481 CTA_PROTOINFO_SCTP_VTAG_ORIGINAL,
485 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL]); 482 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL]);
486 483
487 NLA_PUT_BE32(skb, 484 NLA_PUT_BE32(skb,
488 CTA_PROTOINFO_SCTP_VTAG_REPLY, 485 CTA_PROTOINFO_SCTP_VTAG_REPLY,
489 ct->proto.sctp.vtag[IP_CT_DIR_REPLY]); 486 ct->proto.sctp.vtag[IP_CT_DIR_REPLY]);
490 487
491 read_unlock_bh(&sctp_lock); 488 spin_unlock_bh(&ct->lock);
492 489
493 nla_nest_end(skb, nest_parms); 490 nla_nest_end(skb, nest_parms);
494 491
495 return 0; 492 return 0;
496 493
497 nla_put_failure: 494 nla_put_failure:
498 read_unlock_bh(&sctp_lock); 495 spin_unlock_bh(&ct->lock);
499 return -1; 496 return -1;
500 } 497 }
501 498
502 static const struct nla_policy sctp_nla_policy[CTA_PROTOINFO_SCTP_MAX+1] = { 499 static const struct nla_policy sctp_nla_policy[CTA_PROTOINFO_SCTP_MAX+1] = {
503 [CTA_PROTOINFO_SCTP_STATE] = { .type = NLA_U8 }, 500 [CTA_PROTOINFO_SCTP_STATE] = { .type = NLA_U8 },
504 [CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] = { .type = NLA_U32 }, 501 [CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] = { .type = NLA_U32 },
505 [CTA_PROTOINFO_SCTP_VTAG_REPLY] = { .type = NLA_U32 }, 502 [CTA_PROTOINFO_SCTP_VTAG_REPLY] = { .type = NLA_U32 },
506 }; 503 };
507 504
508 static int nlattr_to_sctp(struct nlattr *cda[], struct nf_conn *ct) 505 static int nlattr_to_sctp(struct nlattr *cda[], struct nf_conn *ct)
509 { 506 {
510 struct nlattr *attr = cda[CTA_PROTOINFO_SCTP]; 507 struct nlattr *attr = cda[CTA_PROTOINFO_SCTP];
511 struct nlattr *tb[CTA_PROTOINFO_SCTP_MAX+1]; 508 struct nlattr *tb[CTA_PROTOINFO_SCTP_MAX+1];
512 int err; 509 int err;
513 510
514 /* updates may not contain the internal protocol info, skip parsing */ 511 /* updates may not contain the internal protocol info, skip parsing */
515 if (!attr) 512 if (!attr)
516 return 0; 513 return 0;
517 514
518 err = nla_parse_nested(tb, 515 err = nla_parse_nested(tb,
519 CTA_PROTOINFO_SCTP_MAX, 516 CTA_PROTOINFO_SCTP_MAX,
520 attr, 517 attr,
521 sctp_nla_policy); 518 sctp_nla_policy);
522 if (err < 0) 519 if (err < 0)
523 return err; 520 return err;
524 521
525 if (!tb[CTA_PROTOINFO_SCTP_STATE] || 522 if (!tb[CTA_PROTOINFO_SCTP_STATE] ||
526 !tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] || 523 !tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL] ||
527 !tb[CTA_PROTOINFO_SCTP_VTAG_REPLY]) 524 !tb[CTA_PROTOINFO_SCTP_VTAG_REPLY])
528 return -EINVAL; 525 return -EINVAL;
529 526
530 write_lock_bh(&sctp_lock); 527 spin_lock_bh(&ct->lock);
531 ct->proto.sctp.state = nla_get_u8(tb[CTA_PROTOINFO_SCTP_STATE]); 528 ct->proto.sctp.state = nla_get_u8(tb[CTA_PROTOINFO_SCTP_STATE]);
532 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] = 529 ct->proto.sctp.vtag[IP_CT_DIR_ORIGINAL] =
533 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL]); 530 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_ORIGINAL]);
534 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] = 531 ct->proto.sctp.vtag[IP_CT_DIR_REPLY] =
535 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_REPLY]); 532 nla_get_be32(tb[CTA_PROTOINFO_SCTP_VTAG_REPLY]);
536 write_unlock_bh(&sctp_lock); 533 spin_unlock_bh(&ct->lock);
537 534
538 return 0; 535 return 0;
539 } 536 }
540 537
541 static int sctp_nlattr_size(void) 538 static int sctp_nlattr_size(void)
542 { 539 {
543 return nla_total_size(0) /* CTA_PROTOINFO_SCTP */ 540 return nla_total_size(0) /* CTA_PROTOINFO_SCTP */
544 + nla_policy_len(sctp_nla_policy, CTA_PROTOINFO_SCTP_MAX + 1); 541 + nla_policy_len(sctp_nla_policy, CTA_PROTOINFO_SCTP_MAX + 1);
545 } 542 }
546 #endif 543 #endif
547 544
548 #ifdef CONFIG_SYSCTL 545 #ifdef CONFIG_SYSCTL
549 static unsigned int sctp_sysctl_table_users; 546 static unsigned int sctp_sysctl_table_users;
550 static struct ctl_table_header *sctp_sysctl_header; 547 static struct ctl_table_header *sctp_sysctl_header;
551 static struct ctl_table sctp_sysctl_table[] = { 548 static struct ctl_table sctp_sysctl_table[] = {
552 { 549 {
553 .procname = "nf_conntrack_sctp_timeout_closed", 550 .procname = "nf_conntrack_sctp_timeout_closed",
554 .data = &sctp_timeouts[SCTP_CONNTRACK_CLOSED], 551 .data = &sctp_timeouts[SCTP_CONNTRACK_CLOSED],
555 .maxlen = sizeof(unsigned int), 552 .maxlen = sizeof(unsigned int),
556 .mode = 0644, 553 .mode = 0644,
557 .proc_handler = proc_dointvec_jiffies, 554 .proc_handler = proc_dointvec_jiffies,
558 }, 555 },
559 { 556 {
560 .procname = "nf_conntrack_sctp_timeout_cookie_wait", 557 .procname = "nf_conntrack_sctp_timeout_cookie_wait",
561 .data = &sctp_timeouts[SCTP_CONNTRACK_COOKIE_WAIT], 558 .data = &sctp_timeouts[SCTP_CONNTRACK_COOKIE_WAIT],
562 .maxlen = sizeof(unsigned int), 559 .maxlen = sizeof(unsigned int),
563 .mode = 0644, 560 .mode = 0644,
564 .proc_handler = proc_dointvec_jiffies, 561 .proc_handler = proc_dointvec_jiffies,
565 }, 562 },
566 { 563 {
567 .procname = "nf_conntrack_sctp_timeout_cookie_echoed", 564 .procname = "nf_conntrack_sctp_timeout_cookie_echoed",
568 .data = &sctp_timeouts[SCTP_CONNTRACK_COOKIE_ECHOED], 565 .data = &sctp_timeouts[SCTP_CONNTRACK_COOKIE_ECHOED],
569 .maxlen = sizeof(unsigned int), 566 .maxlen = sizeof(unsigned int),
570 .mode = 0644, 567 .mode = 0644,
571 .proc_handler = proc_dointvec_jiffies, 568 .proc_handler = proc_dointvec_jiffies,
572 }, 569 },
573 { 570 {
574 .procname = "nf_conntrack_sctp_timeout_established", 571 .procname = "nf_conntrack_sctp_timeout_established",
575 .data = &sctp_timeouts[SCTP_CONNTRACK_ESTABLISHED], 572 .data = &sctp_timeouts[SCTP_CONNTRACK_ESTABLISHED],
576 .maxlen = sizeof(unsigned int), 573 .maxlen = sizeof(unsigned int),
577 .mode = 0644, 574 .mode = 0644,
578 .proc_handler = proc_dointvec_jiffies, 575 .proc_handler = proc_dointvec_jiffies,
579 }, 576 },
580 { 577 {
581 .procname = "nf_conntrack_sctp_timeout_shutdown_sent", 578 .procname = "nf_conntrack_sctp_timeout_shutdown_sent",
582 .data = &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT], 579 .data = &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT],
583 .maxlen = sizeof(unsigned int), 580 .maxlen = sizeof(unsigned int),
584 .mode = 0644, 581 .mode = 0644,
585 .proc_handler = proc_dointvec_jiffies, 582 .proc_handler = proc_dointvec_jiffies,
586 }, 583 },
587 { 584 {
588 .procname = "nf_conntrack_sctp_timeout_shutdown_recd", 585 .procname = "nf_conntrack_sctp_timeout_shutdown_recd",
589 .data = &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD], 586 .data = &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD],
590 .maxlen = sizeof(unsigned int), 587 .maxlen = sizeof(unsigned int),
591 .mode = 0644, 588 .mode = 0644,
592 .proc_handler = proc_dointvec_jiffies, 589 .proc_handler = proc_dointvec_jiffies,
593 }, 590 },
594 { 591 {
595 .procname = "nf_conntrack_sctp_timeout_shutdown_ack_sent", 592 .procname = "nf_conntrack_sctp_timeout_shutdown_ack_sent",
596 .data = &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT], 593 .data = &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT],
597 .maxlen = sizeof(unsigned int), 594 .maxlen = sizeof(unsigned int),
598 .mode = 0644, 595 .mode = 0644,
599 .proc_handler = proc_dointvec_jiffies, 596 .proc_handler = proc_dointvec_jiffies,
600 }, 597 },
601 { 598 {
602 .ctl_name = 0 599 .ctl_name = 0
603 } 600 }
604 }; 601 };
605 602
606 #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT 603 #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
607 static struct ctl_table sctp_compat_sysctl_table[] = { 604 static struct ctl_table sctp_compat_sysctl_table[] = {
608 { 605 {
609 .procname = "ip_conntrack_sctp_timeout_closed", 606 .procname = "ip_conntrack_sctp_timeout_closed",
610 .data = &sctp_timeouts[SCTP_CONNTRACK_CLOSED], 607 .data = &sctp_timeouts[SCTP_CONNTRACK_CLOSED],
611 .maxlen = sizeof(unsigned int), 608 .maxlen = sizeof(unsigned int),
612 .mode = 0644, 609 .mode = 0644,
613 .proc_handler = proc_dointvec_jiffies, 610 .proc_handler = proc_dointvec_jiffies,
614 }, 611 },
615 { 612 {
616 .procname = "ip_conntrack_sctp_timeout_cookie_wait", 613 .procname = "ip_conntrack_sctp_timeout_cookie_wait",
617 .data = &sctp_timeouts[SCTP_CONNTRACK_COOKIE_WAIT], 614 .data = &sctp_timeouts[SCTP_CONNTRACK_COOKIE_WAIT],
618 .maxlen = sizeof(unsigned int), 615 .maxlen = sizeof(unsigned int),
619 .mode = 0644, 616 .mode = 0644,
620 .proc_handler = proc_dointvec_jiffies, 617 .proc_handler = proc_dointvec_jiffies,
621 }, 618 },
622 { 619 {
623 .procname = "ip_conntrack_sctp_timeout_cookie_echoed", 620 .procname = "ip_conntrack_sctp_timeout_cookie_echoed",
624 .data = &sctp_timeouts[SCTP_CONNTRACK_COOKIE_ECHOED], 621 .data = &sctp_timeouts[SCTP_CONNTRACK_COOKIE_ECHOED],
625 .maxlen = sizeof(unsigned int), 622 .maxlen = sizeof(unsigned int),
626 .mode = 0644, 623 .mode = 0644,
627 .proc_handler = proc_dointvec_jiffies, 624 .proc_handler = proc_dointvec_jiffies,
628 }, 625 },
629 { 626 {
630 .procname = "ip_conntrack_sctp_timeout_established", 627 .procname = "ip_conntrack_sctp_timeout_established",
631 .data = &sctp_timeouts[SCTP_CONNTRACK_ESTABLISHED], 628 .data = &sctp_timeouts[SCTP_CONNTRACK_ESTABLISHED],
632 .maxlen = sizeof(unsigned int), 629 .maxlen = sizeof(unsigned int),
633 .mode = 0644, 630 .mode = 0644,
634 .proc_handler = proc_dointvec_jiffies, 631 .proc_handler = proc_dointvec_jiffies,
635 }, 632 },
636 { 633 {
637 .procname = "ip_conntrack_sctp_timeout_shutdown_sent", 634 .procname = "ip_conntrack_sctp_timeout_shutdown_sent",
638 .data = &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT], 635 .data = &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_SENT],
639 .maxlen = sizeof(unsigned int), 636 .maxlen = sizeof(unsigned int),
640 .mode = 0644, 637 .mode = 0644,
641 .proc_handler = proc_dointvec_jiffies, 638 .proc_handler = proc_dointvec_jiffies,
642 }, 639 },
643 { 640 {
644 .procname = "ip_conntrack_sctp_timeout_shutdown_recd", 641 .procname = "ip_conntrack_sctp_timeout_shutdown_recd",
645 .data = &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD], 642 .data = &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_RECD],
646 .maxlen = sizeof(unsigned int), 643 .maxlen = sizeof(unsigned int),
647 .mode = 0644, 644 .mode = 0644,
648 .proc_handler = proc_dointvec_jiffies, 645 .proc_handler = proc_dointvec_jiffies,
649 }, 646 },
650 { 647 {
651 .procname = "ip_conntrack_sctp_timeout_shutdown_ack_sent", 648 .procname = "ip_conntrack_sctp_timeout_shutdown_ack_sent",
652 .data = &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT], 649 .data = &sctp_timeouts[SCTP_CONNTRACK_SHUTDOWN_ACK_SENT],
653 .maxlen = sizeof(unsigned int), 650 .maxlen = sizeof(unsigned int),
654 .mode = 0644, 651 .mode = 0644,
655 .proc_handler = proc_dointvec_jiffies, 652 .proc_handler = proc_dointvec_jiffies,
656 }, 653 },
657 { 654 {
658 .ctl_name = 0 655 .ctl_name = 0
659 } 656 }
660 }; 657 };
661 #endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */ 658 #endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
662 #endif 659 #endif
663 660
664 static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 __read_mostly = { 661 static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 __read_mostly = {
665 .l3proto = PF_INET, 662 .l3proto = PF_INET,
666 .l4proto = IPPROTO_SCTP, 663 .l4proto = IPPROTO_SCTP,
667 .name = "sctp", 664 .name = "sctp",
668 .pkt_to_tuple = sctp_pkt_to_tuple, 665 .pkt_to_tuple = sctp_pkt_to_tuple,
669 .invert_tuple = sctp_invert_tuple, 666 .invert_tuple = sctp_invert_tuple,
670 .print_tuple = sctp_print_tuple, 667 .print_tuple = sctp_print_tuple,
671 .print_conntrack = sctp_print_conntrack, 668 .print_conntrack = sctp_print_conntrack,
672 .packet = sctp_packet, 669 .packet = sctp_packet,
673 .new = sctp_new, 670 .new = sctp_new,
674 .me = THIS_MODULE, 671 .me = THIS_MODULE,
675 #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) 672 #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
676 .to_nlattr = sctp_to_nlattr, 673 .to_nlattr = sctp_to_nlattr,
677 .nlattr_size = sctp_nlattr_size, 674 .nlattr_size = sctp_nlattr_size,
678 .from_nlattr = nlattr_to_sctp, 675 .from_nlattr = nlattr_to_sctp,
679 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr, 676 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
680 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size, 677 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
681 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, 678 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
682 .nla_policy = nf_ct_port_nla_policy, 679 .nla_policy = nf_ct_port_nla_policy,
683 #endif 680 #endif
684 #ifdef CONFIG_SYSCTL 681 #ifdef CONFIG_SYSCTL
685 .ctl_table_users = &sctp_sysctl_table_users, 682 .ctl_table_users = &sctp_sysctl_table_users,
686 .ctl_table_header = &sctp_sysctl_header, 683 .ctl_table_header = &sctp_sysctl_header,
687 .ctl_table = sctp_sysctl_table, 684 .ctl_table = sctp_sysctl_table,
688 #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT 685 #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
689 .ctl_compat_table = sctp_compat_sysctl_table, 686 .ctl_compat_table = sctp_compat_sysctl_table,
690 #endif 687 #endif
691 #endif 688 #endif
692 }; 689 };
693 690
694 static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 __read_mostly = { 691 static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 __read_mostly = {
695 .l3proto = PF_INET6, 692 .l3proto = PF_INET6,
696 .l4proto = IPPROTO_SCTP, 693 .l4proto = IPPROTO_SCTP,
697 .name = "sctp", 694 .name = "sctp",
698 .pkt_to_tuple = sctp_pkt_to_tuple, 695 .pkt_to_tuple = sctp_pkt_to_tuple,
699 .invert_tuple = sctp_invert_tuple, 696 .invert_tuple = sctp_invert_tuple,
700 .print_tuple = sctp_print_tuple, 697 .print_tuple = sctp_print_tuple,
701 .print_conntrack = sctp_print_conntrack, 698 .print_conntrack = sctp_print_conntrack,
702 .packet = sctp_packet, 699 .packet = sctp_packet,
703 .new = sctp_new, 700 .new = sctp_new,
704 .me = THIS_MODULE, 701 .me = THIS_MODULE,
705 #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) 702 #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
706 .to_nlattr = sctp_to_nlattr, 703 .to_nlattr = sctp_to_nlattr,
707 .nlattr_size = sctp_nlattr_size, 704 .nlattr_size = sctp_nlattr_size,
708 .from_nlattr = nlattr_to_sctp, 705 .from_nlattr = nlattr_to_sctp,
709 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr, 706 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
710 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size, 707 .nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
711 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, 708 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
712 .nla_policy = nf_ct_port_nla_policy, 709 .nla_policy = nf_ct_port_nla_policy,
713 #endif 710 #endif
714 #ifdef CONFIG_SYSCTL 711 #ifdef CONFIG_SYSCTL
715 .ctl_table_users = &sctp_sysctl_table_users, 712 .ctl_table_users = &sctp_sysctl_table_users,
716 .ctl_table_header = &sctp_sysctl_header, 713 .ctl_table_header = &sctp_sysctl_header,
717 .ctl_table = sctp_sysctl_table, 714 .ctl_table = sctp_sysctl_table,
718 #endif 715 #endif
719 }; 716 };
720 717
721 static int __init nf_conntrack_proto_sctp_init(void) 718 static int __init nf_conntrack_proto_sctp_init(void)
722 { 719 {
723 int ret; 720 int ret;
724 721
725 ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_sctp4); 722 ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_sctp4);
726 if (ret) { 723 if (ret) {
727 printk("nf_conntrack_l4proto_sctp4: protocol register failed\n"); 724 printk("nf_conntrack_l4proto_sctp4: protocol register failed\n");
728 goto out; 725 goto out;
729 } 726 }
730 ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_sctp6); 727 ret = nf_conntrack_l4proto_register(&nf_conntrack_l4proto_sctp6);
731 if (ret) { 728 if (ret) {
732 printk("nf_conntrack_l4proto_sctp6: protocol register failed\n"); 729 printk("nf_conntrack_l4proto_sctp6: protocol register failed\n");
733 goto cleanup_sctp4; 730 goto cleanup_sctp4;
734 } 731 }
735 732
736 return ret; 733 return ret;
737 734
738 cleanup_sctp4: 735 cleanup_sctp4:
739 nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_sctp4); 736 nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_sctp4);
740 out: 737 out:
741 return ret; 738 return ret;
742 } 739 }
743 740
744 static void __exit nf_conntrack_proto_sctp_fini(void) 741 static void __exit nf_conntrack_proto_sctp_fini(void)
745 { 742 {
746 nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_sctp6); 743 nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_sctp6);
747 nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_sctp4); 744 nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_sctp4);
748 } 745 }
749 746
750 module_init(nf_conntrack_proto_sctp_init); 747 module_init(nf_conntrack_proto_sctp_init);
751 module_exit(nf_conntrack_proto_sctp_fini); 748 module_exit(nf_conntrack_proto_sctp_fini);
752 749
753 MODULE_LICENSE("GPL"); 750 MODULE_LICENSE("GPL");
754 MODULE_AUTHOR("Kiran Kumar Immidi"); 751 MODULE_AUTHOR("Kiran Kumar Immidi");
755 MODULE_DESCRIPTION("Netfilter connection tracking protocol helper for SCTP"); 752 MODULE_DESCRIPTION("Netfilter connection tracking protocol helper for SCTP");
756 MODULE_ALIAS("ip_conntrack_proto_sctp"); 753 MODULE_ALIAS("ip_conntrack_proto_sctp");
757 754
net/netfilter/nf_conntrack_proto_tcp.c
Diff comments   View file @ 440f0d5
1 /* (C) 1999-2001 Paul `Rusty' Russell 1 /* (C) 1999-2001 Paul `Rusty' Russell
2 * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org> 2 * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
3 * 3 *
4 * This program is free software; you can redistribute it and/or modify 4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as 5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation. 6 * published by the Free Software Foundation.
7 */ 7 */
8 8
9 #include <linux/types.h> 9 #include <linux/types.h>
10 #include <linux/timer.h> 10 #include <linux/timer.h>
11 #include <linux/module.h> 11 #include <linux/module.h>
12 #include <linux/in.h> 12 #include <linux/in.h>
13 #include <linux/tcp.h> 13 #include <linux/tcp.h>
14 #include <linux/spinlock.h> 14 #include <linux/spinlock.h>
15 #include <linux/skbuff.h> 15 #include <linux/skbuff.h>
16 #include <linux/ipv6.h> 16 #include <linux/ipv6.h>
17 #include <net/ip6_checksum.h> 17 #include <net/ip6_checksum.h>
18 #include <asm/unaligned.h> 18 #include <asm/unaligned.h>
19 19
20 #include <net/tcp.h> 20 #include <net/tcp.h>
21 21
22 #include <linux/netfilter.h> 22 #include <linux/netfilter.h>
23 #include <linux/netfilter_ipv4.h> 23 #include <linux/netfilter_ipv4.h>
24 #include <linux/netfilter_ipv6.h> 24 #include <linux/netfilter_ipv6.h>
25 #include <net/netfilter/nf_conntrack.h> 25 #include <net/netfilter/nf_conntrack.h>
26 #include <net/netfilter/nf_conntrack_l4proto.h> 26 #include <net/netfilter/nf_conntrack_l4proto.h>
27 #include <net/netfilter/nf_conntrack_ecache.h> 27 #include <net/netfilter/nf_conntrack_ecache.h>
28 #include <net/netfilter/nf_log.h> 28 #include <net/netfilter/nf_log.h>
29 #include <net/netfilter/ipv4/nf_conntrack_ipv4.h> 29 #include <net/netfilter/ipv4/nf_conntrack_ipv4.h>
30 #include <net/netfilter/ipv6/nf_conntrack_ipv6.h> 30 #include <net/netfilter/ipv6/nf_conntrack_ipv6.h>
31 31
32 /* Protects ct->proto.tcp */
33 static DEFINE_RWLOCK(tcp_lock);
34
35 /* "Be conservative in what you do, 32 /* "Be conservative in what you do,
36 be liberal in what you accept from others." 33 be liberal in what you accept from others."
37 If it's non-zero, we mark only out of window RST segments as INVALID. */ 34 If it's non-zero, we mark only out of window RST segments as INVALID. */
38 static int nf_ct_tcp_be_liberal __read_mostly = 0; 35 static int nf_ct_tcp_be_liberal __read_mostly = 0;
39 36
40 /* If it is set to zero, we disable picking up already established 37 /* If it is set to zero, we disable picking up already established
41 connections. */ 38 connections. */
42 static int nf_ct_tcp_loose __read_mostly = 1; 39 static int nf_ct_tcp_loose __read_mostly = 1;
43 40
44 /* Max number of the retransmitted packets without receiving an (acceptable) 41 /* Max number of the retransmitted packets without receiving an (acceptable)
45 ACK from the destination. If this number is reached, a shorter timer 42 ACK from the destination. If this number is reached, a shorter timer
46 will be started. */ 43 will be started. */
47 static int nf_ct_tcp_max_retrans __read_mostly = 3; 44 static int nf_ct_tcp_max_retrans __read_mostly = 3;
48 45
49 /* FIXME: Examine ipfilter's timeouts and conntrack transitions more 46 /* FIXME: Examine ipfilter's timeouts and conntrack transitions more
50 closely. They're more complex. --RR */ 47 closely. They're more complex. --RR */
51 48
52 static const char *const tcp_conntrack_names[] = { 49 static const char *const tcp_conntrack_names[] = {
53 "NONE", 50 "NONE",
54 "SYN_SENT", 51 "SYN_SENT",
55 "SYN_RECV", 52 "SYN_RECV",
56 "ESTABLISHED", 53 "ESTABLISHED",
57 "FIN_WAIT", 54 "FIN_WAIT",
58 "CLOSE_WAIT", 55 "CLOSE_WAIT",
59 "LAST_ACK", 56 "LAST_ACK",
60 "TIME_WAIT", 57 "TIME_WAIT",
61 "CLOSE", 58 "CLOSE",
62 "SYN_SENT2", 59 "SYN_SENT2",
63 }; 60 };
64 61
65 #define SECS * HZ 62 #define SECS * HZ
66 #define MINS * 60 SECS 63 #define MINS * 60 SECS
67 #define HOURS * 60 MINS 64 #define HOURS * 60 MINS
68 #define DAYS * 24 HOURS 65 #define DAYS * 24 HOURS
69 66
70 /* RFC1122 says the R2 limit should be at least 100 seconds. 67 /* RFC1122 says the R2 limit should be at least 100 seconds.
71 Linux uses 15 packets as limit, which corresponds 68 Linux uses 15 packets as limit, which corresponds
72 to ~13-30min depending on RTO. */ 69 to ~13-30min depending on RTO. */
73 static unsigned int nf_ct_tcp_timeout_max_retrans __read_mostly = 5 MINS; 70 static unsigned int nf_ct_tcp_timeout_max_retrans __read_mostly = 5 MINS;
74 static unsigned int nf_ct_tcp_timeout_unacknowledged __read_mostly = 5 MINS; 71 static unsigned int nf_ct_tcp_timeout_unacknowledged __read_mostly = 5 MINS;
75 72
76 static unsigned int tcp_timeouts[TCP_CONNTRACK_MAX] __read_mostly = { 73 static unsigned int tcp_timeouts[TCP_CONNTRACK_MAX] __read_mostly = {
77 [TCP_CONNTRACK_SYN_SENT] = 2 MINS, 74 [TCP_CONNTRACK_SYN_SENT] = 2 MINS,
78 [TCP_CONNTRACK_SYN_RECV] = 60 SECS, 75 [TCP_CONNTRACK_SYN_RECV] = 60 SECS,
79 [TCP_CONNTRACK_ESTABLISHED] = 5 DAYS, 76 [TCP_CONNTRACK_ESTABLISHED] = 5 DAYS,
80 [TCP_CONNTRACK_FIN_WAIT] = 2 MINS, 77 [TCP_CONNTRACK_FIN_WAIT] = 2 MINS,
81 [TCP_CONNTRACK_CLOSE_WAIT] = 60 SECS, 78 [TCP_CONNTRACK_CLOSE_WAIT] = 60 SECS,
82 [TCP_CONNTRACK_LAST_ACK] = 30 SECS, 79 [TCP_CONNTRACK_LAST_ACK] = 30 SECS,
83 [TCP_CONNTRACK_TIME_WAIT] = 2 MINS, 80 [TCP_CONNTRACK_TIME_WAIT] = 2 MINS,
84 [TCP_CONNTRACK_CLOSE] = 10 SECS, 81 [TCP_CONNTRACK_CLOSE] = 10 SECS,
85 [TCP_CONNTRACK_SYN_SENT2] = 2 MINS, 82 [TCP_CONNTRACK_SYN_SENT2] = 2 MINS,
86 }; 83 };
87 84
88 #define sNO TCP_CONNTRACK_NONE 85 #define sNO TCP_CONNTRACK_NONE
89 #define sSS TCP_CONNTRACK_SYN_SENT 86 #define sSS TCP_CONNTRACK_SYN_SENT
90 #define sSR TCP_CONNTRACK_SYN_RECV 87 #define sSR TCP_CONNTRACK_SYN_RECV
91 #define sES TCP_CONNTRACK_ESTABLISHED 88 #define sES TCP_CONNTRACK_ESTABLISHED
92 #define sFW TCP_CONNTRACK_FIN_WAIT 89 #define sFW TCP_CONNTRACK_FIN_WAIT
93 #define sCW TCP_CONNTRACK_CLOSE_WAIT 90 #define sCW TCP_CONNTRACK_CLOSE_WAIT
94 #define sLA TCP_CONNTRACK_LAST_ACK 91 #define sLA TCP_CONNTRACK_LAST_ACK
95 #define sTW TCP_CONNTRACK_TIME_WAIT 92 #define sTW TCP_CONNTRACK_TIME_WAIT
96 #define sCL TCP_CONNTRACK_CLOSE 93 #define sCL TCP_CONNTRACK_CLOSE
97 #define sS2 TCP_CONNTRACK_SYN_SENT2 94 #define sS2 TCP_CONNTRACK_SYN_SENT2
98 #define sIV TCP_CONNTRACK_MAX 95 #define sIV TCP_CONNTRACK_MAX
99 #define sIG TCP_CONNTRACK_IGNORE 96 #define sIG TCP_CONNTRACK_IGNORE
100 97
101 /* What TCP flags are set from RST/SYN/FIN/ACK. */ 98 /* What TCP flags are set from RST/SYN/FIN/ACK. */
102 enum tcp_bit_set { 99 enum tcp_bit_set {
103 TCP_SYN_SET, 100 TCP_SYN_SET,
104 TCP_SYNACK_SET, 101 TCP_SYNACK_SET,
105 TCP_FIN_SET, 102 TCP_FIN_SET,
106 TCP_ACK_SET, 103 TCP_ACK_SET,
107 TCP_RST_SET, 104 TCP_RST_SET,
108 TCP_NONE_SET, 105 TCP_NONE_SET,
109 }; 106 };
110 107
111 /* 108 /*
112 * The TCP state transition table needs a few words... 109 * The TCP state transition table needs a few words...
113 * 110 *
114 * We are the man in the middle. All the packets go through us 111 * We are the man in the middle. All the packets go through us
115 * but might get lost in transit to the destination. 112 * but might get lost in transit to the destination.
116 * It is assumed that the destinations can't receive segments 113 * It is assumed that the destinations can't receive segments
117 * we haven't seen. 114 * we haven't seen.
118 * 115 *
119 * The checked segment is in window, but our windows are *not* 116 * The checked segment is in window, but our windows are *not*
120 * equivalent with the ones of the sender/receiver. We always 117 * equivalent with the ones of the sender/receiver. We always
121 * try to guess the state of the current sender. 118 * try to guess the state of the current sender.
122 * 119 *
123 * The meaning of the states are: 120 * The meaning of the states are:
124 * 121 *
125 * NONE: initial state 122 * NONE: initial state
126 * SYN_SENT: SYN-only packet seen 123 * SYN_SENT: SYN-only packet seen
127 * SYN_SENT2: SYN-only packet seen from reply dir, simultaneous open 124 * SYN_SENT2: SYN-only packet seen from reply dir, simultaneous open
128 * SYN_RECV: SYN-ACK packet seen 125 * SYN_RECV: SYN-ACK packet seen
129 * ESTABLISHED: ACK packet seen 126 * ESTABLISHED: ACK packet seen
130 * FIN_WAIT: FIN packet seen 127 * FIN_WAIT: FIN packet seen
131 * CLOSE_WAIT: ACK seen (after FIN) 128 * CLOSE_WAIT: ACK seen (after FIN)
132 * LAST_ACK: FIN seen (after FIN) 129 * LAST_ACK: FIN seen (after FIN)
133 * TIME_WAIT: last ACK seen 130 * TIME_WAIT: last ACK seen
134 * CLOSE: closed connection (RST) 131 * CLOSE: closed connection (RST)
135 * 132 *
136 * Packets marked as IGNORED (sIG): 133 * Packets marked as IGNORED (sIG):
137 * if they may be either invalid or valid 134 * if they may be either invalid or valid
138 * and the receiver may send back a connection 135 * and the receiver may send back a connection
139 * closing RST or a SYN/ACK. 136 * closing RST or a SYN/ACK.
140 * 137 *
141 * Packets marked as INVALID (sIV): 138 * Packets marked as INVALID (sIV):
142 * if we regard them as truly invalid packets 139 * if we regard them as truly invalid packets
143 */ 140 */
144 static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = { 141 static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = {
145 { 142 {
146 /* ORIGINAL */ 143 /* ORIGINAL */
147 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */ 144 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
148 /*syn*/ { sSS, sSS, sIG, sIG, sIG, sIG, sIG, sSS, sSS, sS2 }, 145 /*syn*/ { sSS, sSS, sIG, sIG, sIG, sIG, sIG, sSS, sSS, sS2 },
149 /* 146 /*
150 * sNO -> sSS Initialize a new connection 147 * sNO -> sSS Initialize a new connection
151 * sSS -> sSS Retransmitted SYN 148 * sSS -> sSS Retransmitted SYN
152 * sS2 -> sS2 Late retransmitted SYN 149 * sS2 -> sS2 Late retransmitted SYN
153 * sSR -> sIG 150 * sSR -> sIG
154 * sES -> sIG Error: SYNs in window outside the SYN_SENT state 151 * sES -> sIG Error: SYNs in window outside the SYN_SENT state
155 * are errors. Receiver will reply with RST 152 * are errors. Receiver will reply with RST
156 * and close the connection. 153 * and close the connection.
157 * Or we are not in sync and hold a dead connection. 154 * Or we are not in sync and hold a dead connection.
158 * sFW -> sIG 155 * sFW -> sIG
159 * sCW -> sIG 156 * sCW -> sIG
160 * sLA -> sIG 157 * sLA -> sIG
161 * sTW -> sSS Reopened connection (RFC 1122). 158 * sTW -> sSS Reopened connection (RFC 1122).
162 * sCL -> sSS 159 * sCL -> sSS
163 */ 160 */
164 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */ 161 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
165 /*synack*/ { sIV, sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG, sSR }, 162 /*synack*/ { sIV, sIV, sIG, sIG, sIG, sIG, sIG, sIG, sIG, sSR },
166 /* 163 /*
167 * sNO -> sIV Too late and no reason to do anything 164 * sNO -> sIV Too late and no reason to do anything
168 * sSS -> sIV Client can't send SYN and then SYN/ACK 165 * sSS -> sIV Client can't send SYN and then SYN/ACK
169 * sS2 -> sSR SYN/ACK sent to SYN2 in simultaneous open 166 * sS2 -> sSR SYN/ACK sent to SYN2 in simultaneous open
170 * sSR -> sIG 167 * sSR -> sIG
171 * sES -> sIG Error: SYNs in window outside the SYN_SENT state 168 * sES -> sIG Error: SYNs in window outside the SYN_SENT state
172 * are errors. Receiver will reply with RST 169 * are errors. Receiver will reply with RST
173 * and close the connection. 170 * and close the connection.
174 * Or we are not in sync and hold a dead connection. 171 * Or we are not in sync and hold a dead connection.
175 * sFW -> sIG 172 * sFW -> sIG
176 * sCW -> sIG 173 * sCW -> sIG
177 * sLA -> sIG 174 * sLA -> sIG
178 * sTW -> sIG 175 * sTW -> sIG
179 * sCL -> sIG 176 * sCL -> sIG
180 */ 177 */
181 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */ 178 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
182 /*fin*/ { sIV, sIV, sFW, sFW, sLA, sLA, sLA, sTW, sCL, sIV }, 179 /*fin*/ { sIV, sIV, sFW, sFW, sLA, sLA, sLA, sTW, sCL, sIV },
183 /* 180 /*
184 * sNO -> sIV Too late and no reason to do anything... 181 * sNO -> sIV Too late and no reason to do anything...
185 * sSS -> sIV Client migth not send FIN in this state: 182 * sSS -> sIV Client migth not send FIN in this state:
186 * we enforce waiting for a SYN/ACK reply first. 183 * we enforce waiting for a SYN/ACK reply first.
187 * sS2 -> sIV 184 * sS2 -> sIV
188 * sSR -> sFW Close started. 185 * sSR -> sFW Close started.
189 * sES -> sFW 186 * sES -> sFW
190 * sFW -> sLA FIN seen in both directions, waiting for 187 * sFW -> sLA FIN seen in both directions, waiting for
191 * the last ACK. 188 * the last ACK.
192 * Migth be a retransmitted FIN as well... 189 * Migth be a retransmitted FIN as well...
193 * sCW -> sLA 190 * sCW -> sLA
194 * sLA -> sLA Retransmitted FIN. Remain in the same state. 191 * sLA -> sLA Retransmitted FIN. Remain in the same state.
195 * sTW -> sTW 192 * sTW -> sTW
196 * sCL -> sCL 193 * sCL -> sCL
197 */ 194 */
198 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */ 195 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
199 /*ack*/ { sES, sIV, sES, sES, sCW, sCW, sTW, sTW, sCL, sIV }, 196 /*ack*/ { sES, sIV, sES, sES, sCW, sCW, sTW, sTW, sCL, sIV },
200 /* 197 /*
201 * sNO -> sES Assumed. 198 * sNO -> sES Assumed.
202 * sSS -> sIV ACK is invalid: we haven't seen a SYN/ACK yet. 199 * sSS -> sIV ACK is invalid: we haven't seen a SYN/ACK yet.
203 * sS2 -> sIV 200 * sS2 -> sIV
204 * sSR -> sES Established state is reached. 201 * sSR -> sES Established state is reached.
205 * sES -> sES :-) 202 * sES -> sES :-)
206 * sFW -> sCW Normal close request answered by ACK. 203 * sFW -> sCW Normal close request answered by ACK.
207 * sCW -> sCW 204 * sCW -> sCW
208 * sLA -> sTW Last ACK detected. 205 * sLA -> sTW Last ACK detected.
209 * sTW -> sTW Retransmitted last ACK. Remain in the same state. 206 * sTW -> sTW Retransmitted last ACK. Remain in the same state.
210 * sCL -> sCL 207 * sCL -> sCL
211 */ 208 */
212 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */ 209 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
213 /*rst*/ { sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL }, 210 /*rst*/ { sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL },
214 /*none*/ { sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV } 211 /*none*/ { sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV }
215 }, 212 },
216 { 213 {
217 /* REPLY */ 214 /* REPLY */
218 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */ 215 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
219 /*syn*/ { sIV, sS2, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sS2 }, 216 /*syn*/ { sIV, sS2, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sS2 },
220 /* 217 /*
221 * sNO -> sIV Never reached. 218 * sNO -> sIV Never reached.
222 * sSS -> sS2 Simultaneous open 219 * sSS -> sS2 Simultaneous open
223 * sS2 -> sS2 Retransmitted simultaneous SYN 220 * sS2 -> sS2 Retransmitted simultaneous SYN
224 * sSR -> sIV Invalid SYN packets sent by the server 221 * sSR -> sIV Invalid SYN packets sent by the server
225 * sES -> sIV 222 * sES -> sIV
226 * sFW -> sIV 223 * sFW -> sIV
227 * sCW -> sIV 224 * sCW -> sIV
228 * sLA -> sIV 225 * sLA -> sIV
229 * sTW -> sIV Reopened connection, but server may not do it. 226 * sTW -> sIV Reopened connection, but server may not do it.
230 * sCL -> sIV 227 * sCL -> sIV
231 */ 228 */
232 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */ 229 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
233 /*synack*/ { sIV, sSR, sSR, sIG, sIG, sIG, sIG, sIG, sIG, sSR }, 230 /*synack*/ { sIV, sSR, sSR, sIG, sIG, sIG, sIG, sIG, sIG, sSR },
234 /* 231 /*
235 * sSS -> sSR Standard open. 232 * sSS -> sSR Standard open.
236 * sS2 -> sSR Simultaneous open 233 * sS2 -> sSR Simultaneous open
237 * sSR -> sSR Retransmitted SYN/ACK. 234 * sSR -> sSR Retransmitted SYN/ACK.
238 * sES -> sIG Late retransmitted SYN/ACK? 235 * sES -> sIG Late retransmitted SYN/ACK?
239 * sFW -> sIG Might be SYN/ACK answering ignored SYN 236 * sFW -> sIG Might be SYN/ACK answering ignored SYN
240 * sCW -> sIG 237 * sCW -> sIG
241 * sLA -> sIG 238 * sLA -> sIG
242 * sTW -> sIG 239 * sTW -> sIG
243 * sCL -> sIG 240 * sCL -> sIG
244 */ 241 */
245 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */ 242 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
246 /*fin*/ { sIV, sIV, sFW, sFW, sLA, sLA, sLA, sTW, sCL, sIV }, 243 /*fin*/ { sIV, sIV, sFW, sFW, sLA, sLA, sLA, sTW, sCL, sIV },
247 /* 244 /*
248 * sSS -> sIV Server might not send FIN in this state. 245 * sSS -> sIV Server might not send FIN in this state.
249 * sS2 -> sIV 246 * sS2 -> sIV
250 * sSR -> sFW Close started. 247 * sSR -> sFW Close started.
251 * sES -> sFW 248 * sES -> sFW
252 * sFW -> sLA FIN seen in both directions. 249 * sFW -> sLA FIN seen in both directions.
253 * sCW -> sLA 250 * sCW -> sLA
254 * sLA -> sLA Retransmitted FIN. 251 * sLA -> sLA Retransmitted FIN.
255 * sTW -> sTW 252 * sTW -> sTW
256 * sCL -> sCL 253 * sCL -> sCL
257 */ 254 */
258 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */ 255 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
259 /*ack*/ { sIV, sIG, sSR, sES, sCW, sCW, sTW, sTW, sCL, sIG }, 256 /*ack*/ { sIV, sIG, sSR, sES, sCW, sCW, sTW, sTW, sCL, sIG },
260 /* 257 /*
261 * sSS -> sIG Might be a half-open connection. 258 * sSS -> sIG Might be a half-open connection.
262 * sS2 -> sIG 259 * sS2 -> sIG
263 * sSR -> sSR Might answer late resent SYN. 260 * sSR -> sSR Might answer late resent SYN.
264 * sES -> sES :-) 261 * sES -> sES :-)
265 * sFW -> sCW Normal close request answered by ACK. 262 * sFW -> sCW Normal close request answered by ACK.
266 * sCW -> sCW 263 * sCW -> sCW
267 * sLA -> sTW Last ACK detected. 264 * sLA -> sTW Last ACK detected.
268 * sTW -> sTW Retransmitted last ACK. 265 * sTW -> sTW Retransmitted last ACK.
269 * sCL -> sCL 266 * sCL -> sCL
270 */ 267 */
271 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */ 268 /* sNO, sSS, sSR, sES, sFW, sCW, sLA, sTW, sCL, sS2 */
272 /*rst*/ { sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL }, 269 /*rst*/ { sIV, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL, sCL },
273 /*none*/ { sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV } 270 /*none*/ { sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV, sIV }
274 } 271 }
275 }; 272 };
276 273
277 static bool tcp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff, 274 static bool tcp_pkt_to_tuple(const struct sk_buff *skb, unsigned int dataoff,
278 struct nf_conntrack_tuple *tuple) 275 struct nf_conntrack_tuple *tuple)
279 { 276 {
280 const struct tcphdr *hp; 277 const struct tcphdr *hp;
281 struct tcphdr _hdr; 278 struct tcphdr _hdr;
282 279
283 /* Actually only need first 8 bytes. */ 280 /* Actually only need first 8 bytes. */
284 hp = skb_header_pointer(skb, dataoff, 8, &_hdr); 281 hp = skb_header_pointer(skb, dataoff, 8, &_hdr);
285 if (hp == NULL) 282 if (hp == NULL)
286 return false; 283 return false;
287 284
288 tuple->src.u.tcp.port = hp->source; 285 tuple->src.u.tcp.port = hp->source;
289 tuple->dst.u.tcp.port = hp->dest; 286 tuple->dst.u.tcp.port = hp->dest;
290 287
291 return true; 288 return true;
292 } 289 }
293 290
294 static bool tcp_invert_tuple(struct nf_conntrack_tuple *tuple, 291 static bool tcp_invert_tuple(struct nf_conntrack_tuple *tuple,
295 const struct nf_conntrack_tuple *orig) 292 const struct nf_conntrack_tuple *orig)
296 { 293 {
297 tuple->src.u.tcp.port = orig->dst.u.tcp.port; 294 tuple->src.u.tcp.port = orig->dst.u.tcp.port;
298 tuple->dst.u.tcp.port = orig->src.u.tcp.port; 295 tuple->dst.u.tcp.port = orig->src.u.tcp.port;
299 return true; 296 return true;
300 } 297 }
301 298
302 /* Print out the per-protocol part of the tuple. */ 299 /* Print out the per-protocol part of the tuple. */
303 static int tcp_print_tuple(struct seq_file *s, 300 static int tcp_print_tuple(struct seq_file *s,
304 const struct nf_conntrack_tuple *tuple) 301 const struct nf_conntrack_tuple *tuple)
305 { 302 {
306 return seq_printf(s, "sport=%hu dport=%hu ", 303 return seq_printf(s, "sport=%hu dport=%hu ",
307 ntohs(tuple->src.u.tcp.port), 304 ntohs(tuple->src.u.tcp.port),
308 ntohs(tuple->dst.u.tcp.port)); 305 ntohs(tuple->dst.u.tcp.port));
309 } 306 }
310 307
311 /* Print out the private part of the conntrack. */ 308 /* Print out the private part of the conntrack. */
312 static int tcp_print_conntrack(struct seq_file *s, const struct nf_conn *ct) 309 static int tcp_print_conntrack(struct seq_file *s, struct nf_conn *ct)
313 { 310 {
314 enum tcp_conntrack state; 311 enum tcp_conntrack state;
315 312
316 read_lock_bh(&tcp_lock); 313 spin_lock_bh(&ct->lock);
317 state = ct->proto.tcp.state; 314 state = ct->proto.tcp.state;
318 read_unlock_bh(&tcp_lock); 315 spin_unlock_bh(&ct->lock);
319 316
320 return seq_printf(s, "%s ", tcp_conntrack_names[state]); 317 return seq_printf(s, "%s ", tcp_conntrack_names[state]);
321 } 318 }
322 319
323 static unsigned int get_conntrack_index(const struct tcphdr *tcph) 320 static unsigned int get_conntrack_index(const struct tcphdr *tcph)
324 { 321 {
325 if (tcph->rst) return TCP_RST_SET; 322 if (tcph->rst) return TCP_RST_SET;
326 else if (tcph->syn) return (tcph->ack ? TCP_SYNACK_SET : TCP_SYN_SET); 323 else if (tcph->syn) return (tcph->ack ? TCP_SYNACK_SET : TCP_SYN_SET);
327 else if (tcph->fin) return TCP_FIN_SET; 324 else if (tcph->fin) return TCP_FIN_SET;
328 else if (tcph->ack) return TCP_ACK_SET; 325 else if (tcph->ack) return TCP_ACK_SET;
329 else return TCP_NONE_SET; 326 else return TCP_NONE_SET;
330 } 327 }
331 328
332 /* TCP connection tracking based on 'Real Stateful TCP Packet Filtering 329 /* TCP connection tracking based on 'Real Stateful TCP Packet Filtering
333 in IP Filter' by Guido van Rooij. 330 in IP Filter' by Guido van Rooij.
334 331
335 http://www.nluug.nl/events/sane2000/papers.html 332 http://www.nluug.nl/events/sane2000/papers.html
336 http://www.iae.nl/users/guido/papers/tcp_filtering.ps.gz 333 http://www.iae.nl/users/guido/papers/tcp_filtering.ps.gz
337 334
338 The boundaries and the conditions are changed according to RFC793: 335 The boundaries and the conditions are changed according to RFC793:
339 the packet must intersect the window (i.e. segments may be 336 the packet must intersect the window (i.e. segments may be
340 after the right or before the left edge) and thus receivers may ACK 337 after the right or before the left edge) and thus receivers may ACK
341 segments after the right edge of the window. 338 segments after the right edge of the window.
342 339
343 td_maxend = max(sack + max(win,1)) seen in reply packets 340 td_maxend = max(sack + max(win,1)) seen in reply packets
344 td_maxwin = max(max(win, 1)) + (sack - ack) seen in sent packets 341 td_maxwin = max(max(win, 1)) + (sack - ack) seen in sent packets
345 td_maxwin += seq + len - sender.td_maxend 342 td_maxwin += seq + len - sender.td_maxend
346 if seq + len > sender.td_maxend 343 if seq + len > sender.td_maxend
347 td_end = max(seq + len) seen in sent packets 344 td_end = max(seq + len) seen in sent packets
348 345
349 I. Upper bound for valid data: seq <= sender.td_maxend 346 I. Upper bound for valid data: seq <= sender.td_maxend
350 II. Lower bound for valid data: seq + len >= sender.td_end - receiver.td_maxwin 347 II. Lower bound for valid data: seq + len >= sender.td_end - receiver.td_maxwin
351 III. Upper bound for valid (s)ack: sack <= receiver.td_end 348 III. Upper bound for valid (s)ack: sack <= receiver.td_end
352 IV. Lower bound for valid (s)ack: sack >= receiver.td_end - MAXACKWINDOW 349 IV. Lower bound for valid (s)ack: sack >= receiver.td_end - MAXACKWINDOW
353 350
354 where sack is the highest right edge of sack block found in the packet 351 where sack is the highest right edge of sack block found in the packet
355 or ack in the case of packet without SACK option. 352 or ack in the case of packet without SACK option.
356 353
357 The upper bound limit for a valid (s)ack is not ignored - 354 The upper bound limit for a valid (s)ack is not ignored -
358 we doesn't have to deal with fragments. 355 we doesn't have to deal with fragments.
359 */ 356 */
360 357
361 static inline __u32 segment_seq_plus_len(__u32 seq, 358 static inline __u32 segment_seq_plus_len(__u32 seq,
362 size_t len, 359 size_t len,
363 unsigned int dataoff, 360 unsigned int dataoff,
364 const struct tcphdr *tcph) 361 const struct tcphdr *tcph)
365 { 362 {
366 /* XXX Should I use payload length field in IP/IPv6 header ? 363 /* XXX Should I use payload length field in IP/IPv6 header ?
367 * - YK */ 364 * - YK */
368 return (seq + len - dataoff - tcph->doff*4 365 return (seq + len - dataoff - tcph->doff*4
369 + (tcph->syn ? 1 : 0) + (tcph->fin ? 1 : 0)); 366 + (tcph->syn ? 1 : 0) + (tcph->fin ? 1 : 0));
370 } 367 }
371 368
372 /* Fixme: what about big packets? */ 369 /* Fixme: what about big packets? */
373 #define MAXACKWINCONST 66000 370 #define MAXACKWINCONST 66000
374 #define MAXACKWINDOW(sender) \ 371 #define MAXACKWINDOW(sender) \
375 ((sender)->td_maxwin > MAXACKWINCONST ? (sender)->td_maxwin \ 372 ((sender)->td_maxwin > MAXACKWINCONST ? (sender)->td_maxwin \
376 : MAXACKWINCONST) 373 : MAXACKWINCONST)
377 374
378 /* 375 /*
379 * Simplified tcp_parse_options routine from tcp_input.c 376 * Simplified tcp_parse_options routine from tcp_input.c
380 */ 377 */
381 static void tcp_options(const struct sk_buff *skb, 378 static void tcp_options(const struct sk_buff *skb,
382 unsigned int dataoff, 379 unsigned int dataoff,
383 const struct tcphdr *tcph, 380 const struct tcphdr *tcph,
384 struct ip_ct_tcp_state *state) 381 struct ip_ct_tcp_state *state)
385 { 382 {
386 unsigned char buff[(15 * 4) - sizeof(struct tcphdr)]; 383 unsigned char buff[(15 * 4) - sizeof(struct tcphdr)];
387 const unsigned char *ptr; 384 const unsigned char *ptr;
388 int length = (tcph->doff*4) - sizeof(struct tcphdr); 385 int length = (tcph->doff*4) - sizeof(struct tcphdr);
389 386
390 if (!length) 387 if (!length)
391 return; 388 return;
392 389
393 ptr = skb_header_pointer(skb, dataoff + sizeof(struct tcphdr), 390 ptr = skb_header_pointer(skb, dataoff + sizeof(struct tcphdr),
394 length, buff); 391 length, buff);
395 BUG_ON(ptr == NULL); 392 BUG_ON(ptr == NULL);
396 393
397 state->td_scale = 394 state->td_scale =
398 state->flags = 0; 395 state->flags = 0;
399 396
400 while (length > 0) { 397 while (length > 0) {
401 int opcode=*ptr++; 398 int opcode=*ptr++;
402 int opsize; 399 int opsize;
403 400
404 switch (opcode) { 401 switch (opcode) {
405 case TCPOPT_EOL: 402 case TCPOPT_EOL:
406 return; 403 return;
407 case TCPOPT_NOP: /* Ref: RFC 793 section 3.1 */ 404 case TCPOPT_NOP: /* Ref: RFC 793 section 3.1 */
408 length--; 405 length--;
409 continue; 406 continue;
410 default: 407 default:
411 opsize=*ptr++; 408 opsize=*ptr++;
412 if (opsize < 2) /* "silly options" */ 409 if (opsize < 2) /* "silly options" */
413 return; 410 return;
414 if (opsize > length) 411 if (opsize > length)
415 break; /* don't parse partial options */ 412 break; /* don't parse partial options */
416 413
417 if (opcode == TCPOPT_SACK_PERM 414 if (opcode == TCPOPT_SACK_PERM
418 && opsize == TCPOLEN_SACK_PERM) 415 && opsize == TCPOLEN_SACK_PERM)
419 state->flags |= IP_CT_TCP_FLAG_SACK_PERM; 416 state->flags |= IP_CT_TCP_FLAG_SACK_PERM;
420 else if (opcode == TCPOPT_WINDOW 417 else if (opcode == TCPOPT_WINDOW
421 && opsize == TCPOLEN_WINDOW) { 418 && opsize == TCPOLEN_WINDOW) {
422 state->td_scale = *(u_int8_t *)ptr; 419 state->td_scale = *(u_int8_t *)ptr;
423 420
424 if (state->td_scale > 14) { 421 if (state->td_scale > 14) {
425 /* See RFC1323 */ 422 /* See RFC1323 */
426 state->td_scale = 14; 423 state->td_scale = 14;
427 } 424 }
428 state->flags |= 425 state->flags |=
429 IP_CT_TCP_FLAG_WINDOW_SCALE; 426 IP_CT_TCP_FLAG_WINDOW_SCALE;
430 } 427 }
431 ptr += opsize - 2; 428 ptr += opsize - 2;
432 length -= opsize; 429 length -= opsize;
433 } 430 }
434 } 431 }
435 } 432 }
436 433
437 static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff, 434 static void tcp_sack(const struct sk_buff *skb, unsigned int dataoff,
438 const struct tcphdr *tcph, __u32 *sack) 435 const struct tcphdr *tcph, __u32 *sack)
439 { 436 {
440 unsigned char buff[(15 * 4) - sizeof(struct tcphdr)]; 437 unsigned char buff[(15 * 4) - sizeof(struct tcphdr)];
441 const unsigned char *ptr; 438 const unsigned char *ptr;
442 int length = (tcph->doff*4) - sizeof(struct tcphdr); 439 int length = (tcph->doff*4) - sizeof(struct tcphdr);
443 __u32 tmp; 440 __u32 tmp;
444 441
445 if (!length) 442 if (!length)
446 return; 443 return;
447 444
448 ptr = skb_header_pointer(skb, dataoff + sizeof(struct tcphdr), 445 ptr = skb_header_pointer(skb, dataoff + sizeof(struct tcphdr),
449 length, buff); 446 length, buff);
450 BUG_ON(ptr == NULL); 447 BUG_ON(ptr == NULL);
451 448
452 /* Fast path for timestamp-only option */ 449 /* Fast path for timestamp-only option */
453 if (length == TCPOLEN_TSTAMP_ALIGNED*4 450 if (length == TCPOLEN_TSTAMP_ALIGNED*4
454 && *(__be32 *)ptr == htonl((TCPOPT_NOP << 24) 451 && *(__be32 *)ptr == htonl((TCPOPT_NOP << 24)
455 | (TCPOPT_NOP << 16) 452 | (TCPOPT_NOP << 16)
456 | (TCPOPT_TIMESTAMP << 8) 453 | (TCPOPT_TIMESTAMP << 8)
457 | TCPOLEN_TIMESTAMP)) 454 | TCPOLEN_TIMESTAMP))
458 return; 455 return;
459 456
460 while (length > 0) { 457 while (length > 0) {
461 int opcode = *ptr++; 458 int opcode = *ptr++;
462 int opsize, i; 459 int opsize, i;
463 460
464 switch (opcode) { 461 switch (opcode) {
465 case TCPOPT_EOL: 462 case TCPOPT_EOL:
466 return; 463 return;
467 case TCPOPT_NOP: /* Ref: RFC 793 section 3.1 */ 464 case TCPOPT_NOP: /* Ref: RFC 793 section 3.1 */
468 length--; 465 length--;
469 continue; 466 continue;
470 default: 467 default:
471 opsize = *ptr++; 468 opsize = *ptr++;
472 if (opsize < 2) /* "silly options" */ 469 if (opsize < 2) /* "silly options" */
473 return; 470 return;
474 if (opsize > length) 471 if (opsize > length)
475 break; /* don't parse partial options */ 472 break; /* don't parse partial options */
476 473
477 if (opcode == TCPOPT_SACK 474 if (opcode == TCPOPT_SACK
478 && opsize >= (TCPOLEN_SACK_BASE 475 && opsize >= (TCPOLEN_SACK_BASE
479 + TCPOLEN_SACK_PERBLOCK) 476 + TCPOLEN_SACK_PERBLOCK)
480 && !((opsize - TCPOLEN_SACK_BASE) 477 && !((opsize - TCPOLEN_SACK_BASE)
481 % TCPOLEN_SACK_PERBLOCK)) { 478 % TCPOLEN_SACK_PERBLOCK)) {
482 for (i = 0; 479 for (i = 0;
483 i < (opsize - TCPOLEN_SACK_BASE); 480 i < (opsize - TCPOLEN_SACK_BASE);
484 i += TCPOLEN_SACK_PERBLOCK) { 481 i += TCPOLEN_SACK_PERBLOCK) {
485 tmp = get_unaligned_be32((__be32 *)(ptr+i)+1); 482 tmp = get_unaligned_be32((__be32 *)(ptr+i)+1);
486 483
487 if (after(tmp, *sack)) 484 if (after(tmp, *sack))
488 *sack = tmp; 485 *sack = tmp;
489 } 486 }
490 return; 487 return;
491 } 488 }
492 ptr += opsize - 2; 489 ptr += opsize - 2;
493 length -= opsize; 490 length -= opsize;
494 } 491 }
495 } 492 }
496 } 493 }
497 494
498 static bool tcp_in_window(const struct nf_conn *ct, 495 static bool tcp_in_window(const struct nf_conn *ct,
499 struct ip_ct_tcp *state, 496 struct ip_ct_tcp *state,
500 enum ip_conntrack_dir dir, 497 enum ip_conntrack_dir dir,
501 unsigned int index, 498 unsigned int index,
502 const struct sk_buff *skb, 499 const struct sk_buff *skb,
503 unsigned int dataoff, 500 unsigned int dataoff,
504 const struct tcphdr *tcph, 501 const struct tcphdr *tcph,
505 u_int8_t pf) 502 u_int8_t pf)
506 { 503 {
507 struct net *net = nf_ct_net(ct); 504 struct net *net = nf_ct_net(ct);
508 struct ip_ct_tcp_state *sender = &state->seen[dir]; 505 struct ip_ct_tcp_state *sender = &state->seen[dir];
509 struct ip_ct_tcp_state *receiver = &state->seen[!dir]; 506 struct ip_ct_tcp_state *receiver = &state->seen[!dir];
510 const struct nf_conntrack_tuple *tuple = &ct->tuplehash[dir].tuple; 507 const struct nf_conntrack_tuple *tuple = &ct->tuplehash[dir].tuple;
511 __u32 seq, ack, sack, end, win, swin; 508 __u32 seq, ack, sack, end, win, swin;
512 bool res; 509 bool res;
513 510
514 /* 511 /*
515 * Get the required data from the packet. 512 * Get the required data from the packet.
516 */ 513 */
517 seq = ntohl(tcph->seq); 514 seq = ntohl(tcph->seq);
518 ack = sack = ntohl(tcph->ack_seq); 515 ack = sack = ntohl(tcph->ack_seq);
519 win = ntohs(tcph->window); 516 win = ntohs(tcph->window);
520 end = segment_seq_plus_len(seq, skb->len, dataoff, tcph); 517 end = segment_seq_plus_len(seq, skb->len, dataoff, tcph);
521 518
522 if (receiver->flags & IP_CT_TCP_FLAG_SACK_PERM) 519 if (receiver->flags & IP_CT_TCP_FLAG_SACK_PERM)
523 tcp_sack(skb, dataoff, tcph, &sack); 520 tcp_sack(skb, dataoff, tcph, &sack);
524 521
525 pr_debug("tcp_in_window: START\n"); 522 pr_debug("tcp_in_window: START\n");
526 pr_debug("tcp_in_window: "); 523 pr_debug("tcp_in_window: ");
527 nf_ct_dump_tuple(tuple); 524 nf_ct_dump_tuple(tuple);
528 pr_debug("seq=%u ack=%u sack=%u win=%u end=%u\n", 525 pr_debug("seq=%u ack=%u sack=%u win=%u end=%u\n",
529 seq, ack, sack, win, end); 526 seq, ack, sack, win, end);
530 pr_debug("tcp_in_window: sender end=%u maxend=%u maxwin=%u scale=%i " 527 pr_debug("tcp_in_window: sender end=%u maxend=%u maxwin=%u scale=%i "
531 "receiver end=%u maxend=%u maxwin=%u scale=%i\n", 528 "receiver end=%u maxend=%u maxwin=%u scale=%i\n",
532 sender->td_end, sender->td_maxend, sender->td_maxwin, 529 sender->td_end, sender->td_maxend, sender->td_maxwin,
533 sender->td_scale, 530 sender->td_scale,
534 receiver->td_end, receiver->td_maxend, receiver->td_maxwin, 531 receiver->td_end, receiver->td_maxend, receiver->td_maxwin,
535 receiver->td_scale); 532 receiver->td_scale);
536 533
537 if (sender->td_maxwin == 0) { 534 if (sender->td_maxwin == 0) {
538 /* 535 /*
539 * Initialize sender data. 536 * Initialize sender data.
540 */ 537 */
541 if (tcph->syn) { 538 if (tcph->syn) {
542 /* 539 /*
543 * SYN-ACK in reply to a SYN 540 * SYN-ACK in reply to a SYN
544 * or SYN from reply direction in simultaneous open. 541 * or SYN from reply direction in simultaneous open.
545 */ 542 */
546 sender->td_end = 543 sender->td_end =
547 sender->td_maxend = end; 544 sender->td_maxend = end;
548 sender->td_maxwin = (win == 0 ? 1 : win); 545 sender->td_maxwin = (win == 0 ? 1 : win);
549 546
550 tcp_options(skb, dataoff, tcph, sender); 547 tcp_options(skb, dataoff, tcph, sender);
551 /* 548 /*
552 * RFC 1323: 549 * RFC 1323:
553 * Both sides must send the Window Scale option 550 * Both sides must send the Window Scale option
554 * to enable window scaling in either direction. 551 * to enable window scaling in either direction.
555 */ 552 */
556 if (!(sender->flags & IP_CT_TCP_FLAG_WINDOW_SCALE 553 if (!(sender->flags & IP_CT_TCP_FLAG_WINDOW_SCALE
557 && receiver->flags & IP_CT_TCP_FLAG_WINDOW_SCALE)) 554 && receiver->flags & IP_CT_TCP_FLAG_WINDOW_SCALE))
558 sender->td_scale = 555 sender->td_scale =
559 receiver->td_scale = 0; 556 receiver->td_scale = 0;
560 if (!tcph->ack) 557 if (!tcph->ack)
561 /* Simultaneous open */ 558 /* Simultaneous open */
562 return true; 559 return true;
563 } else { 560 } else {
564 /* 561 /*
565 * We are in the middle of a connection, 562 * We are in the middle of a connection,
566 * its history is lost for us. 563 * its history is lost for us.
567 * Let's try to use the data from the packet. 564 * Let's try to use the data from the packet.
568 */ 565 */
569 sender->td_end = end; 566 sender->td_end = end;
570 sender->td_maxwin = (win == 0 ? 1 : win); 567 sender->td_maxwin = (win == 0 ? 1 : win);
571 sender->td_maxend = end + sender->td_maxwin; 568 sender->td_maxend = end + sender->td_maxwin;
572 } 569 }
573 } else if (((state->state == TCP_CONNTRACK_SYN_SENT 570 } else if (((state->state == TCP_CONNTRACK_SYN_SENT
574 && dir == IP_CT_DIR_ORIGINAL) 571 && dir == IP_CT_DIR_ORIGINAL)
575 || (state->state == TCP_CONNTRACK_SYN_RECV 572 || (state->state == TCP_CONNTRACK_SYN_RECV
576 && dir == IP_CT_DIR_REPLY)) 573 && dir == IP_CT_DIR_REPLY))
577 && after(end, sender->td_end)) { 574 && after(end, sender->td_end)) {
578 /* 575 /*
579 * RFC 793: "if a TCP is reinitialized ... then it need 576 * RFC 793: "if a TCP is reinitialized ... then it need
580 * not wait at all; it must only be sure to use sequence 577 * not wait at all; it must only be sure to use sequence
581 * numbers larger than those recently used." 578 * numbers larger than those recently used."
582 */ 579 */
583 sender->td_end = 580 sender->td_end =
584 sender->td_maxend = end; 581 sender->td_maxend = end;
585 sender->td_maxwin = (win == 0 ? 1 : win); 582 sender->td_maxwin = (win == 0 ? 1 : win);
586 583
587 tcp_options(skb, dataoff, tcph, sender); 584 tcp_options(skb, dataoff, tcph, sender);
588 } 585 }
589 586
590 if (!(tcph->ack)) { 587 if (!(tcph->ack)) {
591 /* 588 /*
592 * If there is no ACK, just pretend it was set and OK. 589 * If there is no ACK, just pretend it was set and OK.
593 */ 590 */
594 ack = sack = receiver->td_end; 591 ack = sack = receiver->td_end;
595 } else if (((tcp_flag_word(tcph) & (TCP_FLAG_ACK|TCP_FLAG_RST)) == 592 } else if (((tcp_flag_word(tcph) & (TCP_FLAG_ACK|TCP_FLAG_RST)) ==
596 (TCP_FLAG_ACK|TCP_FLAG_RST)) 593 (TCP_FLAG_ACK|TCP_FLAG_RST))
597 && (ack == 0)) { 594 && (ack == 0)) {
598 /* 595 /*
599 * Broken TCP stacks, that set ACK in RST packets as well 596 * Broken TCP stacks, that set ACK in RST packets as well
600 * with zero ack value. 597 * with zero ack value.
601 */ 598 */
602 ack = sack = receiver->td_end; 599 ack = sack = receiver->td_end;
603 } 600 }
604 601
605 if (seq == end 602 if (seq == end
606 && (!tcph->rst 603 && (!tcph->rst
607 || (seq == 0 && state->state == TCP_CONNTRACK_SYN_SENT))) 604 || (seq == 0 && state->state == TCP_CONNTRACK_SYN_SENT)))
608 /* 605 /*
609 * Packets contains no data: we assume it is valid 606 * Packets contains no data: we assume it is valid
610 * and check the ack value only. 607 * and check the ack value only.
611 * However RST segments are always validated by their 608 * However RST segments are always validated by their
612 * SEQ number, except when seq == 0 (reset sent answering 609 * SEQ number, except when seq == 0 (reset sent answering
613 * SYN. 610 * SYN.
614 */ 611 */
615 seq = end = sender->td_end; 612 seq = end = sender->td_end;
616 613
617 pr_debug("tcp_in_window: "); 614 pr_debug("tcp_in_window: ");
618 nf_ct_dump_tuple(tuple); 615 nf_ct_dump_tuple(tuple);
619 pr_debug("seq=%u ack=%u sack =%u win=%u end=%u\n", 616 pr_debug("seq=%u ack=%u sack =%u win=%u end=%u\n",
620 seq, ack, sack, win, end); 617 seq, ack, sack, win, end);
621 pr_debug("tcp_in_window: sender end=%u maxend=%u maxwin=%u scale=%i " 618 pr_debug("tcp_in_window: sender end=%u maxend=%u maxwin=%u scale=%i "
622 "receiver end=%u maxend=%u maxwin=%u scale=%i\n", 619 "receiver end=%u maxend=%u maxwin=%u scale=%i\n",
623 sender->td_end, sender->td_maxend, sender->td_maxwin, 620 sender->td_end, sender->td_maxend, sender->td_maxwin,
624 sender->td_scale, 621 sender->td_scale,
625 receiver->td_end, receiver->td_maxend, receiver->td_maxwin, 622 receiver->td_end, receiver->td_maxend, receiver->td_maxwin,
626 receiver->td_scale); 623 receiver->td_scale);
627 624
628 pr_debug("tcp_in_window: I=%i II=%i III=%i IV=%i\n", 625 pr_debug("tcp_in_window: I=%i II=%i III=%i IV=%i\n",
629 before(seq, sender->td_maxend + 1), 626 before(seq, sender->td_maxend + 1),
630 after(end, sender->td_end - receiver->td_maxwin - 1), 627 after(end, sender->td_end - receiver->td_maxwin - 1),
631 before(sack, receiver->td_end + 1), 628 before(sack, receiver->td_end + 1),
632 after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1)); 629 after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1));
633 630
634 if (before(seq, sender->td_maxend + 1) && 631 if (before(seq, sender->td_maxend + 1) &&
635 after(end, sender->td_end - receiver->td_maxwin - 1) && 632 after(end, sender->td_end - receiver->td_maxwin - 1) &&
636 before(sack, receiver->td_end + 1) && 633 before(sack, receiver->td_end + 1) &&
637 after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1)) { 634 after(sack, receiver->td_end - MAXACKWINDOW(sender) - 1)) {
638 /* 635 /*
639 * Take into account window scaling (RFC 1323). 636 * Take into account window scaling (RFC 1323).
640 */ 637 */
641 if (!tcph->syn) 638 if (!tcph->syn)
642 win <<= sender->td_scale; 639 win <<= sender->td_scale;
643 640
644 /* 641 /*
645 * Update sender data. 642 * Update sender data.
646 */ 643 */
647 swin = win + (sack - ack); 644 swin = win + (sack - ack);
648 if (sender->td_maxwin < swin) 645 if (sender->td_maxwin < swin)
649 sender->td_maxwin = swin; 646 sender->td_maxwin = swin;
650 if (after(end, sender->td_end)) { 647 if (after(end, sender->td_end)) {
651 sender->td_end = end; 648 sender->td_end = end;
652 sender->flags |= IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED; 649 sender->flags |= IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED;
653 } 650 }
654 /* 651 /*
655 * Update receiver data. 652 * Update receiver data.
656 */ 653 */
657 if (after(end, sender->td_maxend)) 654 if (after(end, sender->td_maxend))
658 receiver->td_maxwin += end - sender->td_maxend; 655 receiver->td_maxwin += end - sender->td_maxend;
659 if (after(sack + win, receiver->td_maxend - 1)) { 656 if (after(sack + win, receiver->td_maxend - 1)) {
660 receiver->td_maxend = sack + win; 657 receiver->td_maxend = sack + win;
661 if (win == 0) 658 if (win == 0)
662 receiver->td_maxend++; 659 receiver->td_maxend++;
663 } 660 }
664 if (ack == receiver->td_end) 661 if (ack == receiver->td_end)
665 receiver->flags &= ~IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED; 662 receiver->flags &= ~IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED;
666 663
667 /* 664 /*
668 * Check retransmissions. 665 * Check retransmissions.
669 */ 666 */
670 if (index == TCP_ACK_SET) { 667 if (index == TCP_ACK_SET) {
671 if (state->last_dir == dir 668 if (state->last_dir == dir
672 && state->last_seq == seq 669 && state->last_seq == seq
673 && state->last_ack == ack 670 && state->last_ack == ack
674 && state->last_end == end 671 && state->last_end == end
675 && state->last_win == win) 672 && state->last_win == win)
676 state->retrans++; 673 state->retrans++;
677 else { 674 else {
678 state->last_dir = dir; 675 state->last_dir = dir;
679 state->last_seq = seq; 676 state->last_seq = seq;
680 state->last_ack = ack; 677 state->last_ack = ack;
681 state->last_end = end; 678 state->last_end = end;
682 state->last_win = win; 679 state->last_win = win;
683 state->retrans = 0; 680 state->retrans = 0;
684 } 681 }
685 } 682 }
686 res = true; 683 res = true;
687 } else { 684 } else {
688 res = false; 685 res = false;
689 if (sender->flags & IP_CT_TCP_FLAG_BE_LIBERAL || 686 if (sender->flags & IP_CT_TCP_FLAG_BE_LIBERAL ||
690 nf_ct_tcp_be_liberal) 687 nf_ct_tcp_be_liberal)
691 res = true; 688 res = true;
692 if (!res && LOG_INVALID(net, IPPROTO_TCP)) 689 if (!res && LOG_INVALID(net, IPPROTO_TCP))
693 nf_log_packet(pf, 0, skb, NULL, NULL, NULL, 690 nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
694 "nf_ct_tcp: %s ", 691 "nf_ct_tcp: %s ",
695 before(seq, sender->td_maxend + 1) ? 692 before(seq, sender->td_maxend + 1) ?
696 after(end, sender->td_end - receiver->td_maxwin - 1) ? 693 after(end, sender->td_end - receiver->td_maxwin - 1) ?
697 before(sack, receiver->td_end + 1) ? 694 before(sack, receiver->td_end + 1) ?
698 after(ack, receiver->td_end - MAXACKWINDOW(sender)) ? "BUG" 695 after(ack, receiver->td_end - MAXACKWINDOW(sender)) ? "BUG"
699 : "ACK is under the lower bound (possible overly delayed ACK)" 696 : "ACK is under the lower bound (possible overly delayed ACK)"
700 : "ACK is over the upper bound (ACKed data not seen yet)" 697 : "ACK is over the upper bound (ACKed data not seen yet)"
701 : "SEQ is under the lower bound (already ACKed data retransmitted)" 698 : "SEQ is under the lower bound (already ACKed data retransmitted)"
702 : "SEQ is over the upper bound (over the window of the receiver)"); 699 : "SEQ is over the upper bound (over the window of the receiver)");
703 } 700 }
704 701
705 pr_debug("tcp_in_window: res=%u sender end=%u maxend=%u maxwin=%u " 702 pr_debug("tcp_in_window: res=%u sender end=%u maxend=%u maxwin=%u "
706 "receiver end=%u maxend=%u maxwin=%u\n", 703 "receiver end=%u maxend=%u maxwin=%u\n",
707 res, sender->td_end, sender->td_maxend, sender->td_maxwin, 704 res, sender->td_end, sender->td_maxend, sender->td_maxwin,
708 receiver->td_end, receiver->td_maxend, receiver->td_maxwin); 705 receiver->td_end, receiver->td_maxend, receiver->td_maxwin);
709 706
710 return res; 707 return res;
711 } 708 }
712 709
713 #ifdef CONFIG_NF_NAT_NEEDED 710 #ifdef CONFIG_NF_NAT_NEEDED
714 /* Update sender->td_end after NAT successfully mangled the packet */ 711 /* Update sender->td_end after NAT successfully mangled the packet */
715 /* Caller must linearize skb at tcp header. */ 712 /* Caller must linearize skb at tcp header. */
716 void nf_conntrack_tcp_update(const struct sk_buff *skb, 713 void nf_conntrack_tcp_update(const struct sk_buff *skb,
717 unsigned int dataoff, 714 unsigned int dataoff,
718 struct nf_conn *ct, 715 struct nf_conn *ct,
719 int dir) 716 int dir)
720 { 717 {
721 const struct tcphdr *tcph = (const void *)skb->data + dataoff; 718 const struct tcphdr *tcph = (const void *)skb->data + dataoff;
722 const struct ip_ct_tcp_state *sender = &ct->proto.tcp.seen[dir]; 719 const struct ip_ct_tcp_state *sender = &ct->proto.tcp.seen[dir];
723 const struct ip_ct_tcp_state *receiver = &ct->proto.tcp.seen[!dir]; 720 const struct ip_ct_tcp_state *receiver = &ct->proto.tcp.seen[!dir];
724 __u32 end; 721 __u32 end;
725 722
726 end = segment_seq_plus_len(ntohl(tcph->seq), skb->len, dataoff, tcph); 723 end = segment_seq_plus_len(ntohl(tcph->seq), skb->len, dataoff, tcph);
727 724
728 write_lock_bh(&tcp_lock); 725 spin_lock_bh(&ct->lock);
729 /* 726 /*
730 * We have to worry for the ack in the reply packet only... 727 * We have to worry for the ack in the reply packet only...
731 */ 728 */
732 if (after(end, ct->proto.tcp.seen[dir].td_end)) 729 if (after(end, ct->proto.tcp.seen[dir].td_end))
733 ct->proto.tcp.seen[dir].td_end = end; 730 ct->proto.tcp.seen[dir].td_end = end;
734 ct->proto.tcp.last_end = end; 731 ct->proto.tcp.last_end = end;
735 write_unlock_bh(&tcp_lock); 732 spin_unlock_bh(&ct->lock);
736 pr_debug("tcp_update: sender end=%u maxend=%u maxwin=%u scale=%i " 733 pr_debug("tcp_update: sender end=%u maxend=%u maxwin=%u scale=%i "
737 "receiver end=%u maxend=%u maxwin=%u scale=%i\n", 734 "receiver end=%u maxend=%u maxwin=%u scale=%i\n",
738 sender->td_end, sender->td_maxend, sender->td_maxwin, 735 sender->td_end, sender->td_maxend, sender->td_maxwin,
739 sender->td_scale, 736 sender->td_scale,
740 receiver->td_end, receiver->td_maxend, receiver->td_maxwin, 737 receiver->td_end, receiver->td_maxend, receiver->td_maxwin,
741 receiver->td_scale); 738 receiver->td_scale);
742 } 739 }
743 EXPORT_SYMBOL_GPL(nf_conntrack_tcp_update); 740 EXPORT_SYMBOL_GPL(nf_conntrack_tcp_update);
744 #endif 741 #endif
745 742
746 #define TH_FIN 0x01 743 #define TH_FIN 0x01
747 #define TH_SYN 0x02 744 #define TH_SYN 0x02
748 #define TH_RST 0x04 745 #define TH_RST 0x04
749 #define TH_PUSH 0x08 746 #define TH_PUSH 0x08
750 #define TH_ACK 0x10 747 #define TH_ACK 0x10
751 #define TH_URG 0x20 748 #define TH_URG 0x20
752 #define TH_ECE 0x40 749 #define TH_ECE 0x40
753 #define TH_CWR 0x80 750 #define TH_CWR 0x80
754 751
755 /* table of valid flag combinations - PUSH, ECE and CWR are always valid */ 752 /* table of valid flag combinations - PUSH, ECE and CWR are always valid */
756 static const u8 tcp_valid_flags[(TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG) + 1] = 753 static const u8 tcp_valid_flags[(TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG) + 1] =
757 { 754 {
758 [TH_SYN] = 1, 755 [TH_SYN] = 1,
759 [TH_SYN|TH_URG] = 1, 756 [TH_SYN|TH_URG] = 1,
760 [TH_SYN|TH_ACK] = 1, 757 [TH_SYN|TH_ACK] = 1,
761 [TH_RST] = 1, 758 [TH_RST] = 1,
762 [TH_RST|TH_ACK] = 1, 759 [TH_RST|TH_ACK] = 1,
763 [TH_FIN|TH_ACK] = 1, 760 [TH_FIN|TH_ACK] = 1,
764 [TH_FIN|TH_ACK|TH_URG] = 1, 761 [TH_FIN|TH_ACK|TH_URG] = 1,
765 [TH_ACK] = 1, 762 [TH_ACK] = 1,
766 [TH_ACK|TH_URG] = 1, 763 [TH_ACK|TH_URG] = 1,
767 }; 764 };
768 765
769 /* Protect conntrack agaist broken packets. Code taken from ipt_unclean.c. */ 766 /* Protect conntrack agaist broken packets. Code taken from ipt_unclean.c. */
770 static int tcp_error(struct net *net, 767 static int tcp_error(struct net *net,
771 struct sk_buff *skb, 768 struct sk_buff *skb,
772 unsigned int dataoff, 769 unsigned int dataoff,
773 enum ip_conntrack_info *ctinfo, 770 enum ip_conntrack_info *ctinfo,
774 u_int8_t pf, 771 u_int8_t pf,
775 unsigned int hooknum) 772 unsigned int hooknum)
776 { 773 {
777 const struct tcphdr *th; 774 const struct tcphdr *th;
778 struct tcphdr _tcph; 775 struct tcphdr _tcph;
779 unsigned int tcplen = skb->len - dataoff; 776 unsigned int tcplen = skb->len - dataoff;
780 u_int8_t tcpflags; 777 u_int8_t tcpflags;
781 778
782 /* Smaller that minimal TCP header? */ 779 /* Smaller that minimal TCP header? */
783 th = skb_header_pointer(skb, dataoff, sizeof(_tcph), &_tcph); 780 th = skb_header_pointer(skb, dataoff, sizeof(_tcph), &_tcph);
784 if (th == NULL) { 781 if (th == NULL) {
785 if (LOG_INVALID(net, IPPROTO_TCP)) 782 if (LOG_INVALID(net, IPPROTO_TCP))
786 nf_log_packet(pf, 0, skb, NULL, NULL, NULL, 783 nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
787 "nf_ct_tcp: short packet "); 784 "nf_ct_tcp: short packet ");
788 return -NF_ACCEPT; 785 return -NF_ACCEPT;
789 } 786 }
790 787
791 /* Not whole TCP header or malformed packet */ 788 /* Not whole TCP header or malformed packet */
792 if (th->doff*4 < sizeof(struct tcphdr) || tcplen < th->doff*4) { 789 if (th->doff*4 < sizeof(struct tcphdr) || tcplen < th->doff*4) {
793 if (LOG_INVALID(net, IPPROTO_TCP)) 790 if (LOG_INVALID(net, IPPROTO_TCP))
794 nf_log_packet(pf, 0, skb, NULL, NULL, NULL, 791 nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
795 "nf_ct_tcp: truncated/malformed packet "); 792 "nf_ct_tcp: truncated/malformed packet ");
796 return -NF_ACCEPT; 793 return -NF_ACCEPT;
797 } 794 }
798 795
799 /* Checksum invalid? Ignore. 796 /* Checksum invalid? Ignore.
800 * We skip checking packets on the outgoing path 797 * We skip checking packets on the outgoing path
801 * because the checksum is assumed to be correct. 798 * because the checksum is assumed to be correct.
802 */ 799 */
803 /* FIXME: Source route IP option packets --RR */ 800 /* FIXME: Source route IP option packets --RR */
804 if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING && 801 if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING &&
805 nf_checksum(skb, hooknum, dataoff, IPPROTO_TCP, pf)) { 802 nf_checksum(skb, hooknum, dataoff, IPPROTO_TCP, pf)) {
806 if (LOG_INVALID(net, IPPROTO_TCP)) 803 if (LOG_INVALID(net, IPPROTO_TCP))
807 nf_log_packet(pf, 0, skb, NULL, NULL, NULL, 804 nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
808 "nf_ct_tcp: bad TCP checksum "); 805 "nf_ct_tcp: bad TCP checksum ");
809 return -NF_ACCEPT; 806 return -NF_ACCEPT;
810 } 807 }
811 808
812 /* Check TCP flags. */ 809 /* Check TCP flags. */
813 tcpflags = (((u_int8_t *)th)[13] & ~(TH_ECE|TH_CWR|TH_PUSH)); 810 tcpflags = (((u_int8_t *)th)[13] & ~(TH_ECE|TH_CWR|TH_PUSH));
814 if (!tcp_valid_flags[tcpflags]) { 811 if (!tcp_valid_flags[tcpflags]) {
815 if (LOG_INVALID(net, IPPROTO_TCP)) 812 if (LOG_INVALID(net, IPPROTO_TCP))
816 nf_log_packet(pf, 0, skb, NULL, NULL, NULL, 813 nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
817 "nf_ct_tcp: invalid TCP flag combination "); 814 "nf_ct_tcp: invalid TCP flag combination ");
818 return -NF_ACCEPT; 815 return -NF_ACCEPT;
819 } 816 }
820 817
821 return NF_ACCEPT; 818 return NF_ACCEPT;
822 } 819 }
823 820
824 /* Returns verdict for packet, or -1 for invalid. */ 821 /* Returns verdict for packet, or -1 for invalid. */
825 static int tcp_packet(struct nf_conn *ct, 822 static int tcp_packet(struct nf_conn *ct,
826 const struct sk_buff *skb, 823 const struct sk_buff *skb,
827 unsigned int dataoff, 824 unsigned int dataoff,
828 enum ip_conntrack_info ctinfo, 825 enum ip_conntrack_info ctinfo,
829 u_int8_t pf, 826 u_int8_t pf,
830 unsigned int hooknum) 827 unsigned int hooknum)
831 { 828 {
832 struct net *net = nf_ct_net(ct); 829 struct net *net = nf_ct_net(ct);
833 struct nf_conntrack_tuple *tuple; 830 struct nf_conntrack_tuple *tuple;
834 enum tcp_conntrack new_state, old_state; 831 enum tcp_conntrack new_state, old_state;
835 enum ip_conntrack_dir dir; 832 enum ip_conntrack_dir dir;
836 const struct tcphdr *th; 833 const struct tcphdr *th;
837 struct tcphdr _tcph; 834 struct tcphdr _tcph;
838 unsigned long timeout; 835 unsigned long timeout;
839 unsigned int index; 836 unsigned int index;
840 837
841 th = skb_header_pointer(skb, dataoff, sizeof(_tcph), &_tcph); 838 th = skb_header_pointer(skb, dataoff, sizeof(_tcph), &_tcph);
842 BUG_ON(th == NULL); 839 BUG_ON(th == NULL);
843 840
844 write_lock_bh(&tcp_lock); 841 spin_lock_bh(&ct->lock);
845 old_state = ct->proto.tcp.state; 842 old_state = ct->proto.tcp.state;
846 dir = CTINFO2DIR(ctinfo); 843 dir = CTINFO2DIR(ctinfo);
847 index = get_conntrack_index(th); 844 index = get_conntrack_index(th);
848 new_state = tcp_conntracks[dir][index][old_state]; 845 new_state = tcp_conntracks[dir][index][old_state];
849 tuple = &ct->tuplehash[dir].tuple; 846 tuple = &ct->tuplehash[dir].tuple;
850 847
851 switch (new_state) { 848 switch (new_state) {
852 case TCP_CONNTRACK_SYN_SENT: 849 case TCP_CONNTRACK_SYN_SENT:
853 if (old_state < TCP_CONNTRACK_TIME_WAIT) 850 if (old_state < TCP_CONNTRACK_TIME_WAIT)
854 break; 851 break;
855 /* RFC 1122: "When a connection is closed actively, 852 /* RFC 1122: "When a connection is closed actively,
856 * it MUST linger in TIME-WAIT state for a time 2xMSL 853 * it MUST linger in TIME-WAIT state for a time 2xMSL
857 * (Maximum Segment Lifetime). However, it MAY accept 854 * (Maximum Segment Lifetime). However, it MAY accept
858 * a new SYN from the remote TCP to reopen the connection 855 * a new SYN from the remote TCP to reopen the connection
859 * directly from TIME-WAIT state, if..." 856 * directly from TIME-WAIT state, if..."
860 * We ignore the conditions because we are in the 857 * We ignore the conditions because we are in the
861 * TIME-WAIT state anyway. 858 * TIME-WAIT state anyway.
862 * 859 *
863 * Handle aborted connections: we and the server 860 * Handle aborted connections: we and the server
864 * think there is an existing connection but the client 861 * think there is an existing connection but the client
865 * aborts it and starts a new one. 862 * aborts it and starts a new one.
866 */ 863 */
867 if (((ct->proto.tcp.seen[dir].flags 864 if (((ct->proto.tcp.seen[dir].flags
868 | ct->proto.tcp.seen[!dir].flags) 865 | ct->proto.tcp.seen[!dir].flags)
869 & IP_CT_TCP_FLAG_CLOSE_INIT) 866 & IP_CT_TCP_FLAG_CLOSE_INIT)
870 || (ct->proto.tcp.last_dir == dir 867 || (ct->proto.tcp.last_dir == dir
871 && ct->proto.tcp.last_index == TCP_RST_SET)) { 868 && ct->proto.tcp.last_index == TCP_RST_SET)) {
872 /* Attempt to reopen a closed/aborted connection. 869 /* Attempt to reopen a closed/aborted connection.
873 * Delete this connection and look up again. */ 870 * Delete this connection and look up again. */
874 write_unlock_bh(&tcp_lock); 871 spin_unlock_bh(&ct->lock);
875 872
876 /* Only repeat if we can actually remove the timer. 873 /* Only repeat if we can actually remove the timer.
877 * Destruction may already be in progress in process 874 * Destruction may already be in progress in process
878 * context and we must give it a chance to terminate. 875 * context and we must give it a chance to terminate.
879 */ 876 */
880 if (nf_ct_kill(ct)) 877 if (nf_ct_kill(ct))
881 return -NF_REPEAT; 878 return -NF_REPEAT;
882 return NF_DROP; 879 return NF_DROP;
883 } 880 }
884 /* Fall through */ 881 /* Fall through */
885 case TCP_CONNTRACK_IGNORE: 882 case TCP_CONNTRACK_IGNORE:
886 /* Ignored packets: 883 /* Ignored packets:
887 * 884 *
888 * Our connection entry may be out of sync, so ignore 885 * Our connection entry may be out of sync, so ignore
889 * packets which may signal the real connection between 886 * packets which may signal the real connection between
890 * the client and the server. 887 * the client and the server.
891 * 888 *
892 * a) SYN in ORIGINAL 889 * a) SYN in ORIGINAL
893 * b) SYN/ACK in REPLY 890 * b) SYN/ACK in REPLY
894 * c) ACK in reply direction after initial SYN in original. 891 * c) ACK in reply direction after initial SYN in original.
895 * 892 *
896 * If the ignored packet is invalid, the receiver will send 893 * If the ignored packet is invalid, the receiver will send
897 * a RST we'll catch below. 894 * a RST we'll catch below.
898 */ 895 */
899 if (index == TCP_SYNACK_SET 896 if (index == TCP_SYNACK_SET
900 && ct->proto.tcp.last_index == TCP_SYN_SET 897 && ct->proto.tcp.last_index == TCP_SYN_SET
901 && ct->proto.tcp.last_dir != dir 898 && ct->proto.tcp.last_dir != dir
902 && ntohl(th->ack_seq) == ct->proto.tcp.last_end) { 899 && ntohl(th->ack_seq) == ct->proto.tcp.last_end) {
903 /* b) This SYN/ACK acknowledges a SYN that we earlier 900 /* b) This SYN/ACK acknowledges a SYN that we earlier
904 * ignored as invalid. This means that the client and 901 * ignored as invalid. This means that the client and
905 * the server are both in sync, while the firewall is 902 * the server are both in sync, while the firewall is
906 * not. We kill this session and block the SYN/ACK so 903 * not. We kill this session and block the SYN/ACK so
907 * that the client cannot but retransmit its SYN and 904 * that the client cannot but retransmit its SYN and
908 * thus initiate a clean new session. 905 * thus initiate a clean new session.
909 */ 906 */
910 write_unlock_bh(&tcp_lock); 907 spin_unlock_bh(&ct->lock);
911 if (LOG_INVALID(net, IPPROTO_TCP)) 908 if (LOG_INVALID(net, IPPROTO_TCP))
912 nf_log_packet(pf, 0, skb, NULL, NULL, NULL, 909 nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
913 "nf_ct_tcp: killing out of sync session "); 910 "nf_ct_tcp: killing out of sync session ");
914 nf_ct_kill(ct); 911 nf_ct_kill(ct);
915 return NF_DROP; 912 return NF_DROP;
916 } 913 }
917 ct->proto.tcp.last_index = index; 914 ct->proto.tcp.last_index = index;
918 ct->proto.tcp.last_dir = dir; 915 ct->proto.tcp.last_dir = dir;
919 ct->proto.tcp.last_seq = ntohl(th->seq); 916 ct->proto.tcp.last_seq = ntohl(th->seq);
920 ct->proto.tcp.last_end = 917 ct->proto.tcp.last_end =
921 segment_seq_plus_len(ntohl(th->seq), skb->len, dataoff, th); 918 segment_seq_plus_len(ntohl(th->seq), skb->len, dataoff, th);
922 919
923 write_unlock_bh(&tcp_lock); 920 spin_unlock_bh(&ct->lock);
924 if (LOG_INVALID(net, IPPROTO_TCP)) 921 if (LOG_INVALID(net, IPPROTO_TCP))
925 nf_log_packet(pf, 0, skb, NULL, NULL, NULL, 922 nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
926 "nf_ct_tcp: invalid packet ignored "); 923 "nf_ct_tcp: invalid packet ignored ");
927 return NF_ACCEPT; 924 return NF_ACCEPT;
928 case TCP_CONNTRACK_MAX: 925 case TCP_CONNTRACK_MAX:
929 /* Invalid packet */ 926 /* Invalid packet */
930 pr_debug("nf_ct_tcp: Invalid dir=%i index=%u ostate=%u\n", 927 pr_debug("nf_ct_tcp: Invalid dir=%i index=%u ostate=%u\n",
931 dir, get_conntrack_index(th), old_state); 928 dir, get_conntrack_index(th), old_state);
932 write_unlock_bh(&tcp_lock); 929 spin_unlock_bh(&ct->lock);
933 if (LOG_INVALID(net, IPPROTO_TCP)) 930 if (LOG_INVALID(net, IPPROTO_TCP))
934 nf_log_packet(pf, 0, skb, NULL, NULL, NULL, 931 nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
935 "nf_ct_tcp: invalid state "); 932 "nf_ct_tcp: invalid state ");
936 return -NF_ACCEPT; 933 return -NF_ACCEPT;
937 case TCP_CONNTRACK_CLOSE: 934 case TCP_CONNTRACK_CLOSE:
938 if (index == TCP_RST_SET 935 if (index == TCP_RST_SET
939 && ((test_bit(IPS_SEEN_REPLY_BIT, &ct->status) 936 && ((test_bit(IPS_SEEN_REPLY_BIT, &ct->status)
940 && ct->proto.tcp.last_index == TCP_SYN_SET) 937 && ct->proto.tcp.last_index == TCP_SYN_SET)
941 || (!test_bit(IPS_ASSURED_BIT, &ct->status) 938 || (!test_bit(IPS_ASSURED_BIT, &ct->status)
942 && ct->proto.tcp.last_index == TCP_ACK_SET)) 939 && ct->proto.tcp.last_index == TCP_ACK_SET))
943 && ntohl(th->ack_seq) == ct->proto.tcp.last_end) { 940 && ntohl(th->ack_seq) == ct->proto.tcp.last_end) {
944 /* RST sent to invalid SYN or ACK we had let through 941 /* RST sent to invalid SYN or ACK we had let through
945 * at a) and c) above: 942 * at a) and c) above:
946 * 943 *
947 * a) SYN was in window then 944 * a) SYN was in window then
948 * c) we hold a half-open connection. 945 * c) we hold a half-open connection.
949 * 946 *
950 * Delete our connection entry. 947 * Delete our connection entry.
951 * We skip window checking, because packet might ACK 948 * We skip window checking, because packet might ACK
952 * segments we ignored. */ 949 * segments we ignored. */
953 goto in_window; 950 goto in_window;
954 } 951 }
955 /* Just fall through */ 952 /* Just fall through */
956 default: 953 default:
957 /* Keep compilers happy. */ 954 /* Keep compilers happy. */
958 break; 955 break;
959 } 956 }
960 957
961 if (!tcp_in_window(ct, &ct->proto.tcp, dir, index, 958 if (!tcp_in_window(ct, &ct->proto.tcp, dir, index,
962 skb, dataoff, th, pf)) { 959 skb, dataoff, th, pf)) {
963 write_unlock_bh(&tcp_lock); 960 spin_unlock_bh(&ct->lock);
964 return -NF_ACCEPT; 961 return -NF_ACCEPT;
965 } 962 }
966 in_window: 963 in_window:
967 /* From now on we have got in-window packets */ 964 /* From now on we have got in-window packets */
968 ct->proto.tcp.last_index = index; 965 ct->proto.tcp.last_index = index;
969 ct->proto.tcp.last_dir = dir; 966 ct->proto.tcp.last_dir = dir;
970 967
971 pr_debug("tcp_conntracks: "); 968 pr_debug("tcp_conntracks: ");
972 nf_ct_dump_tuple(tuple); 969 nf_ct_dump_tuple(tuple);
973 pr_debug("syn=%i ack=%i fin=%i rst=%i old=%i new=%i\n", 970 pr_debug("syn=%i ack=%i fin=%i rst=%i old=%i new=%i\n",
974 (th->syn ? 1 : 0), (th->ack ? 1 : 0), 971 (th->syn ? 1 : 0), (th->ack ? 1 : 0),
975 (th->fin ? 1 : 0), (th->rst ? 1 : 0), 972 (th->fin ? 1 : 0), (th->rst ? 1 : 0),
976 old_state, new_state); 973 old_state, new_state);
977 974
978 ct->proto.tcp.state = new_state; 975 ct->proto.tcp.state = new_state;
979 if (old_state != new_state 976 if (old_state != new_state
980 && new_state == TCP_CONNTRACK_FIN_WAIT) 977 && new_state == TCP_CONNTRACK_FIN_WAIT)
981 ct->proto.tcp.seen[dir].flags |= IP_CT_TCP_FLAG_CLOSE_INIT; 978 ct->proto.tcp.seen[dir].flags |= IP_CT_TCP_FLAG_CLOSE_INIT;
982 979
983 if (ct->proto.tcp.retrans >= nf_ct_tcp_max_retrans && 980 if (ct->proto.tcp.retrans >= nf_ct_tcp_max_retrans &&
984 tcp_timeouts[new_state] > nf_ct_tcp_timeout_max_retrans) 981 tcp_timeouts[new_state] > nf_ct_tcp_timeout_max_retrans)
985 timeout = nf_ct_tcp_timeout_max_retrans; 982 timeout = nf_ct_tcp_timeout_max_retrans;
986 else if ((ct->proto.tcp.seen[0].flags | ct->proto.tcp.seen[1].flags) & 983 else if ((ct->proto.tcp.seen[0].flags | ct->proto.tcp.seen[1].flags) &
987 IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED && 984 IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED &&
988 tcp_timeouts[new_state] > nf_ct_tcp_timeout_unacknowledged) 985 tcp_timeouts[new_state] > nf_ct_tcp_timeout_unacknowledged)
989 timeout = nf_ct_tcp_timeout_unacknowledged; 986 timeout = nf_ct_tcp_timeout_unacknowledged;
990 else 987 else
991 timeout = tcp_timeouts[new_state]; 988 timeout = tcp_timeouts[new_state];
992 write_unlock_bh(&tcp_lock); 989 spin_unlock_bh(&ct->lock);
993 990
994 if (new_state != old_state) 991 if (new_state != old_state)
995 nf_conntrack_event_cache(IPCT_PROTOINFO, ct); 992 nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
996 993
997 if (!test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) { 994 if (!test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
998 /* If only reply is a RST, we can consider ourselves not to 995 /* If only reply is a RST, we can consider ourselves not to
999 have an established connection: this is a fairly common 996 have an established connection: this is a fairly common
1000 problem case, so we can delete the conntrack 997 problem case, so we can delete the conntrack
1001 immediately. --RR */ 998 immediately. --RR */
1002 if (th->rst) { 999 if (th->rst) {
1003 nf_ct_kill_acct(ct, ctinfo, skb); 1000 nf_ct_kill_acct(ct, ctinfo, skb);
1004 return NF_ACCEPT; 1001 return NF_ACCEPT;
1005 } 1002 }
1006 } else if (!test_bit(IPS_ASSURED_BIT, &ct->status) 1003 } else if (!test_bit(IPS_ASSURED_BIT, &ct->status)
1007 && (old_state == TCP_CONNTRACK_SYN_RECV 1004 && (old_state == TCP_CONNTRACK_SYN_RECV
1008 || old_state == TCP_CONNTRACK_ESTABLISHED) 1005 || old_state == TCP_CONNTRACK_ESTABLISHED)
1009 && new_state == TCP_CONNTRACK_ESTABLISHED) { 1006 && new_state == TCP_CONNTRACK_ESTABLISHED) {
1010 /* Set ASSURED if we see see valid ack in ESTABLISHED 1007 /* Set ASSURED if we see see valid ack in ESTABLISHED
1011 after SYN_RECV or a valid answer for a picked up 1008 after SYN_RECV or a valid answer for a picked up
1012 connection. */ 1009 connection. */
1013 set_bit(IPS_ASSURED_BIT, &ct->status); 1010 set_bit(IPS_ASSURED_BIT, &ct->status);
1014 nf_conntrack_event_cache(IPCT_STATUS, ct); 1011 nf_conntrack_event_cache(IPCT_STATUS, ct);
1015 } 1012 }
1016 nf_ct_refresh_acct(ct, ctinfo, skb, timeout); 1013 nf_ct_refresh_acct(ct, ctinfo, skb, timeout);
1017 1014
1018 return NF_ACCEPT; 1015 return NF_ACCEPT;
1019 } 1016 }
1020 1017
1021 /* Called when a new connection for this protocol found. */ 1018 /* Called when a new connection for this protocol found. */
1022 static bool tcp_new(struct nf_conn *ct, const struct sk_buff *skb, 1019 static bool tcp_new(struct nf_conn *ct, const struct sk_buff *skb,
1023 unsigned int dataoff) 1020 unsigned int dataoff)
1024 { 1021 {
1025 enum tcp_conntrack new_state; 1022 enum tcp_conntrack new_state;
1026 const struct tcphdr *th; 1023 const struct tcphdr *th;
1027 struct tcphdr _tcph; 1024 struct tcphdr _tcph;
1028 const struct ip_ct_tcp_state *sender = &ct->proto.tcp.seen[0]; 1025 const struct ip_ct_tcp_state *sender = &ct->proto.tcp.seen[0];
1029 const struct ip_ct_tcp_state *receiver = &ct->proto.tcp.seen[1]; 1026 const struct ip_ct_tcp_state *receiver = &ct->proto.tcp.seen[1];
1030 1027
1031 th = skb_header_pointer(skb, dataoff, sizeof(_tcph), &_tcph); 1028 th = skb_header_pointer(skb, dataoff, sizeof(_tcph), &_tcph);
1032 BUG_ON(th == NULL); 1029 BUG_ON(th == NULL);
1033 1030
1034 /* Don't need lock here: this conntrack not in circulation yet */ 1031 /* Don't need lock here: this conntrack not in circulation yet */
1035 new_state 1032 new_state
1036 = tcp_conntracks[0][get_conntrack_index(th)] 1033 = tcp_conntracks[0][get_conntrack_index(th)]
1037 [TCP_CONNTRACK_NONE]; 1034 [TCP_CONNTRACK_NONE];
1038 1035
1039 /* Invalid: delete conntrack */ 1036 /* Invalid: delete conntrack */
1040 if (new_state >= TCP_CONNTRACK_MAX) { 1037 if (new_state >= TCP_CONNTRACK_MAX) {
1041 pr_debug("nf_ct_tcp: invalid new deleting.\n"); 1038 pr_debug("nf_ct_tcp: invalid new deleting.\n");
1042 return false; 1039 return false;
1043 } 1040 }
1044 1041
1045 if (new_state == TCP_CONNTRACK_SYN_SENT) { 1042 if (new_state == TCP_CONNTRACK_SYN_SENT) {
1046 /* SYN packet */ 1043 /* SYN packet */
1047 ct->proto.tcp.seen[0].td_end = 1044 ct->proto.tcp.seen[0].td_end =
1048 segment_seq_plus_len(ntohl(th->seq), skb->len, 1045 segment_seq_plus_len(ntohl(th->seq), skb->len,
1049 dataoff, th); 1046 dataoff, th);
1050 ct->proto.tcp.seen[0].td_maxwin = ntohs(th->window); 1047 ct->proto.tcp.seen[0].td_maxwin = ntohs(th->window);
1051 if (ct->proto.tcp.seen[0].td_maxwin == 0) 1048 if (ct->proto.tcp.seen[0].td_maxwin == 0)
1052 ct->proto.tcp.seen[0].td_maxwin = 1; 1049 ct->proto.tcp.seen[0].td_maxwin = 1;
1053 ct->proto.tcp.seen[0].td_maxend = 1050 ct->proto.tcp.seen[0].td_maxend =
1054 ct->proto.tcp.seen[0].td_end; 1051 ct->proto.tcp.seen[0].td_end;
1055 1052
1056 tcp_options(skb, dataoff, th, &ct->proto.tcp.seen[0]); 1053 tcp_options(skb, dataoff, th, &ct->proto.tcp.seen[0]);
1057 ct->proto.tcp.seen[1].flags = 0; 1054 ct->proto.tcp.seen[1].flags = 0;
1058 } else if (nf_ct_tcp_loose == 0) { 1055 } else if (nf_ct_tcp_loose == 0) {
1059 /* Don't try to pick up connections. */ 1056 /* Don't try to pick up connections. */
1060 return false; 1057 return false;
1061 } else { 1058 } else {
1062 /* 1059 /*
1063 * We are in the middle of a connection, 1060 * We are in the middle of a connection,
1064 * its history is lost for us. 1061 * its history is lost for us.
1065 * Let's try to use the data from the packet. 1062 * Let's try to use the data from the packet.
1066 */ 1063 */
1067 ct->proto.tcp.seen[0].td_end = 1064 ct->proto.tcp.seen[0].td_end =
1068 segment_seq_plus_len(ntohl(th->seq), skb->len, 1065 segment_seq_plus_len(ntohl(th->seq), skb->len,
1069 dataoff, th); 1066 dataoff, th);
1070 ct->proto.tcp.seen[0].td_maxwin = ntohs(th->window); 1067 ct->proto.tcp.seen[0].td_maxwin = ntohs(th->window);
1071 if (ct->proto.tcp.seen[0].td_maxwin == 0) 1068 if (ct->proto.tcp.seen[0].td_maxwin == 0)
1072 ct->proto.tcp.seen[0].td_maxwin = 1; 1069 ct->proto.tcp.seen[0].td_maxwin = 1;
1073 ct->proto.tcp.seen[0].td_maxend = 1070 ct->proto.tcp.seen[0].td_maxend =
1074 ct->proto.tcp.seen[0].td_end + 1071 ct->proto.tcp.seen[0].td_end +
1075 ct->proto.tcp.seen[0].td_maxwin; 1072 ct->proto.tcp.seen[0].td_maxwin;
1076 ct->proto.tcp.seen[0].td_scale = 0; 1073 ct->proto.tcp.seen[0].td_scale = 0;
1077 1074
1078 /* We assume SACK and liberal window checking to handle 1075 /* We assume SACK and liberal window checking to handle
1079 * window scaling */ 1076 * window scaling */
1080 ct->proto.tcp.seen[0].flags = 1077 ct->proto.tcp.seen[0].flags =
1081 ct->proto.tcp.seen[1].flags = IP_CT_TCP_FLAG_SACK_PERM | 1078 ct->proto.tcp.seen[1].flags = IP_CT_TCP_FLAG_SACK_PERM |
1082 IP_CT_TCP_FLAG_BE_LIBERAL; 1079 IP_CT_TCP_FLAG_BE_LIBERAL;
1083 } 1080 }
1084 1081
1085 ct->proto.tcp.seen[1].td_end = 0; 1082 ct->proto.tcp.seen[1].td_end = 0;
1086 ct->proto.tcp.seen[1].td_maxend = 0; 1083 ct->proto.tcp.seen[1].td_maxend = 0;
1087 ct->proto.tcp.seen[1].td_maxwin = 0; 1084 ct->proto.tcp.seen[1].td_maxwin = 0;
1088 ct->proto.tcp.seen[1].td_scale = 0; 1085 ct->proto.tcp.seen[1].td_scale = 0;
1089 1086
1090 /* tcp_packet will set them */ 1087 /* tcp_packet will set them */
1091 ct->proto.tcp.state = TCP_CONNTRACK_NONE; 1088 ct->proto.tcp.state = TCP_CONNTRACK_NONE;
1092 ct->proto.tcp.last_index = TCP_NONE_SET; 1089 ct->proto.tcp.last_index = TCP_NONE_SET;
1093 1090
1094 pr_debug("tcp_new: sender end=%u maxend=%u maxwin=%u scale=%i " 1091 pr_debug("tcp_new: sender end=%u maxend=%u maxwin=%u scale=%i "
1095 "receiver end=%u maxend=%u maxwin=%u scale=%i\n", 1092 "receiver end=%u maxend=%u maxwin=%u scale=%i\n",
1096 sender->td_end, sender->td_maxend, sender->td_maxwin, 1093 sender->td_end, sender->td_maxend, sender->td_maxwin,
1097 sender->td_scale, 1094 sender->td_scale,
1098 receiver->td_end, receiver->td_maxend, receiver->td_maxwin, 1095 receiver->td_end, receiver->td_maxend, receiver->td_maxwin,
1099 receiver->td_scale); 1096 receiver->td_scale);
1100 return true; 1097 return true;
1101 } 1098 }
1102 1099
1103 #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) 1100 #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
1104 1101
1105 #include <linux/netfilter/nfnetlink.h> 1102 #include <linux/netfilter/nfnetlink.h>
1106 #include <linux/netfilter/nfnetlink_conntrack.h> 1103 #include <linux/netfilter/nfnetlink_conntrack.h>
1107 1104
1108 static int tcp_to_nlattr(struct sk_buff *skb, struct nlattr *nla, 1105 static int tcp_to_nlattr(struct sk_buff *skb, struct nlattr *nla,
1109 const struct nf_conn *ct) 1106 struct nf_conn *ct)
1110 { 1107 {
1111 struct nlattr *nest_parms; 1108 struct nlattr *nest_parms;
1112 struct nf_ct_tcp_flags tmp = {}; 1109 struct nf_ct_tcp_flags tmp = {};
1113 1110
1114 read_lock_bh(&tcp_lock); 1111 spin_lock_bh(&ct->lock);
1115 nest_parms = nla_nest_start(skb, CTA_PROTOINFO_TCP | NLA_F_NESTED); 1112 nest_parms = nla_nest_start(skb, CTA_PROTOINFO_TCP | NLA_F_NESTED);
1116 if (!nest_parms) 1113 if (!nest_parms)
1117 goto nla_put_failure; 1114 goto nla_put_failure;
1118 1115
1119 NLA_PUT_U8(skb, CTA_PROTOINFO_TCP_STATE, ct->proto.tcp.state); 1116 NLA_PUT_U8(skb, CTA_PROTOINFO_TCP_STATE, ct->proto.tcp.state);
1120 1117
1121 NLA_PUT_U8(skb, CTA_PROTOINFO_TCP_WSCALE_ORIGINAL, 1118 NLA_PUT_U8(skb, CTA_PROTOINFO_TCP_WSCALE_ORIGINAL,
1122 ct->proto.tcp.seen[0].td_scale); 1119 ct->proto.tcp.seen[0].td_scale);
1123 1120
1124 NLA_PUT_U8(skb, CTA_PROTOINFO_TCP_WSCALE_REPLY, 1121 NLA_PUT_U8(skb, CTA_PROTOINFO_TCP_WSCALE_REPLY,
1125 ct->proto.tcp.seen[1].td_scale); 1122 ct->proto.tcp.seen[1].td_scale);
1126 1123
1127 tmp.flags = ct->proto.tcp.seen[0].flags; 1124 tmp.flags = ct->proto.tcp.seen[0].flags;
1128 NLA_PUT(skb, CTA_PROTOINFO_TCP_FLAGS_ORIGINAL, 1125 NLA_PUT(skb, CTA_PROTOINFO_TCP_FLAGS_ORIGINAL,
1129 sizeof(struct nf_ct_tcp_flags), &tmp); 1126 sizeof(struct nf_ct_tcp_flags), &tmp);
1130 1127
1131 tmp.flags = ct->proto.tcp.seen[1].flags; 1128 tmp.flags = ct->proto.tcp.seen[1].flags;
1132 NLA_PUT(skb, CTA_PROTOINFO_TCP_FLAGS_REPLY, 1129 NLA_PUT(skb, CTA_PROTOINFO_TCP_FLAGS_REPLY,
1133 sizeof(struct nf_ct_tcp_flags), &tmp); 1130 sizeof(struct nf_ct_tcp_flags), &tmp);
1134 read_unlock_bh(&tcp_lock); 1131 spin_unlock_bh(&ct->lock);
1135 1132
1136 nla_nest_end(skb, nest_parms); 1133 nla_nest_end(skb, nest_parms);
1137 1134
1138 return 0; 1135 return 0;
1139 1136
1140 nla_put_failure: 1137 nla_put_failure:
1141 read_unlock_bh(&tcp_lock); 1138 spin_unlock_bh(&ct->lock);
1142 return -1; 1139 return -1;
1143 } 1140 }
1144 1141
1145 static const struct nla_policy tcp_nla_policy[CTA_PROTOINFO_TCP_MAX+1] = { 1142 static const struct nla_policy tcp_nla_policy[CTA_PROTOINFO_TCP_MAX+1] = {
1146 [CTA_PROTOINFO_TCP_STATE] = { .type = NLA_U8 }, 1143 [CTA_PROTOINFO_TCP_STATE] = { .type = NLA_U8 },
1147 [CTA_PROTOINFO_TCP_WSCALE_ORIGINAL] = { .type = NLA_U8 }, 1144 [CTA_PROTOINFO_TCP_WSCALE_ORIGINAL] = { .type = NLA_U8 },
1148 [CTA_PROTOINFO_TCP_WSCALE_REPLY] = { .type = NLA_U8 }, 1145 [CTA_PROTOINFO_TCP_WSCALE_REPLY] = { .type = NLA_U8 },
1149 [CTA_PROTOINFO_TCP_FLAGS_ORIGINAL] = { .len = sizeof(struct nf_ct_tcp_flags) }, 1146 [CTA_PROTOINFO_TCP_FLAGS_ORIGINAL] = { .len = sizeof(struct nf_ct_tcp_flags) },
1150 [CTA_PROTOINFO_TCP_FLAGS_REPLY] = { .len = sizeof(struct nf_ct_tcp_flags) }, 1147 [CTA_PROTOINFO_TCP_FLAGS_REPLY] = { .len = sizeof(struct nf_ct_tcp_flags) },
1151 }; 1148 };
1152 1149
1153 static int nlattr_to_tcp(struct nlattr *cda[], struct nf_conn *ct) 1150 static int nlattr_to_tcp(struct nlattr *cda[], struct nf_conn *ct)
1154 { 1151 {
1155 struct nlattr *pattr = cda[CTA_PROTOINFO_TCP]; 1152 struct nlattr *pattr = cda[CTA_PROTOINFO_TCP];
1156 struct nlattr *tb[CTA_PROTOINFO_TCP_MAX+1]; 1153 struct nlattr *tb[CTA_PROTOINFO_TCP_MAX+1];
1157 int err; 1154 int err;
1158 1155
1159 /* updates could not contain anything about the private 1156 /* updates could not contain anything about the private
1160 * protocol info, in that case skip the parsing */ 1157 * protocol info, in that case skip the parsing */
1161 if (!pattr) 1158 if (!pattr)
1162 return 0; 1159 return 0;
1163 1160
1164 err = nla_parse_nested(tb, CTA_PROTOINFO_TCP_MAX, pattr, tcp_nla_policy); 1161 err = nla_parse_nested(tb, CTA_PROTOINFO_TCP_MAX, pattr, tcp_nla_policy);
1165 if (err < 0) 1162 if (err < 0)
1166 return err; 1163 return err;
1167 1164
1168 if (tb[CTA_PROTOINFO_TCP_STATE] && 1165 if (tb[CTA_PROTOINFO_TCP_STATE] &&
1169 nla_get_u8(tb[CTA_PROTOINFO_TCP_STATE]) >= TCP_CONNTRACK_MAX) 1166 nla_get_u8(tb[CTA_PROTOINFO_TCP_STATE]) >= TCP_CONNTRACK_MAX)
1170 return -EINVAL; 1167 return -EINVAL;
1171 1168
1172 write_lock_bh(&tcp_lock); 1169 spin_lock_bh(&ct->lock);
1173 if (tb[CTA_PROTOINFO_TCP_STATE]) 1170 if (tb[CTA_PROTOINFO_TCP_STATE])
1174 ct->proto.tcp.state = nla_get_u8(tb[CTA_PROTOINFO_TCP_STATE]); 1171 ct->proto.tcp.state = nla_get_u8(tb[CTA_PROTOINFO_TCP_STATE]);
1175 1172
1176 if (tb[CTA_PROTOINFO_TCP_FLAGS_ORIGINAL]) { 1173 if (tb[CTA_PROTOINFO_TCP_FLAGS_ORIGINAL]) {
1177 struct nf_ct_tcp_flags *attr = 1174 struct nf_ct_tcp_flags *attr =
1178 nla_data(tb[CTA_PROTOINFO_TCP_FLAGS_ORIGINAL]); 1175 nla_data(tb[CTA_PROTOINFO_TCP_FLAGS_ORIGINAL]);
1179 ct->proto.tcp.seen[0].flags &= ~attr->mask; 1176 ct->proto.tcp.seen[0].flags &= ~attr->mask;
1180 ct->proto.tcp.seen[0].flags |= attr->flags & attr->mask; 1177 ct->proto.tcp.seen[0].flags |= attr->flags & attr->mask;
1181 } 1178 }
1182 1179
1183 if (tb[CTA_PROTOINFO_TCP_FLAGS_REPLY]) { 1180 if (tb[CTA_PROTOINFO_TCP_FLAGS_REPLY]) {
1184 struct nf_ct_tcp_flags *attr = 1181 struct nf_ct_tcp_flags *attr =
1185 nla_data(tb[CTA_PROTOINFO_TCP_FLAGS_REPLY]); 1182 nla_data(tb[CTA_PROTOINFO_TCP_FLAGS_REPLY]);
1186 ct->proto.tcp.seen[1].flags &= ~attr->mask; 1183 ct->proto.tcp.seen[1].flags &= ~attr->mask;
1187 ct->proto.tcp.seen[1].flags |= attr->flags & attr->mask; 1184 ct->proto.tcp.seen[1].flags |= attr->flags & attr->mask;
1188 } 1185 }
1189 1186
1190 if (tb[CTA_PROTOINFO_TCP_WSCALE_ORIGINAL] && 1187 if (tb[CTA_PROTOINFO_TCP_WSCALE_ORIGINAL] &&
1191 tb[CTA_PROTOINFO_TCP_WSCALE_REPLY] && 1188 tb[CTA_PROTOINFO_TCP_WSCALE_REPLY] &&
1192 ct->proto.tcp.seen[0].flags & IP_CT_TCP_FLAG_WINDOW_SCALE && 1189 ct->proto.tcp.seen[0].flags & IP_CT_TCP_FLAG_WINDOW_SCALE &&
1193 ct->proto.tcp.seen[1].flags & IP_CT_TCP_FLAG_WINDOW_SCALE) { 1190 ct->proto.tcp.seen[1].flags & IP_CT_TCP_FLAG_WINDOW_SCALE) {
1194 ct->proto.tcp.seen[0].td_scale = 1191 ct->proto.tcp.seen[0].td_scale =
1195 nla_get_u8(tb[CTA_PROTOINFO_TCP_WSCALE_ORIGINAL]); 1192 nla_get_u8(tb[CTA_PROTOINFO_TCP_WSCALE_ORIGINAL]);
1196 ct->proto.tcp.seen[1].td_scale = 1193 ct->proto.tcp.seen[1].td_scale =
1197 nla_get_u8(tb[CTA_PROTOINFO_TCP_WSCALE_REPLY]); 1194 nla_get_u8(tb[CTA_PROTOINFO_TCP_WSCALE_REPLY]);
1198 } 1195 }
1199 write_unlock_bh(&tcp_lock); 1196 spin_unlock_bh(&ct->lock);
1200 1197
1201 return 0; 1198 return 0;
1202 } 1199 }
1203 1200
1204 static int tcp_nlattr_size(void) 1201 static int tcp_nlattr_size(void)
1205 { 1202 {
1206 return nla_total_size(0) /* CTA_PROTOINFO_TCP */ 1203 return nla_total_size(0) /* CTA_PROTOINFO_TCP */
1207 + nla_policy_len(tcp_nla_policy, CTA_PROTOINFO_TCP_MAX + 1); 1204 + nla_policy_len(tcp_nla_policy, CTA_PROTOINFO_TCP_MAX + 1);
1208 } 1205 }
1209 1206
1210 static int tcp_nlattr_tuple_size(void) 1207 static int tcp_nlattr_tuple_size(void)
1211 { 1208 {
1212 return nla_policy_len(nf_ct_port_nla_policy, CTA_PROTO_MAX + 1); 1209 return nla_policy_len(nf_ct_port_nla_policy, CTA_PROTO_MAX + 1);
1213 } 1210 }
1214 #endif 1211 #endif
1215 1212
1216 #ifdef CONFIG_SYSCTL 1213 #ifdef CONFIG_SYSCTL
1217 static unsigned int tcp_sysctl_table_users; 1214 static unsigned int tcp_sysctl_table_users;
1218 static struct ctl_table_header *tcp_sysctl_header; 1215 static struct ctl_table_header *tcp_sysctl_header;
1219 static struct ctl_table tcp_sysctl_table[] = { 1216 static struct ctl_table tcp_sysctl_table[] = {
1220 { 1217 {
1221 .procname = "nf_conntrack_tcp_timeout_syn_sent", 1218 .procname = "nf_conntrack_tcp_timeout_syn_sent",
1222 .data = &tcp_timeouts[TCP_CONNTRACK_SYN_SENT], 1219 .data = &tcp_timeouts[TCP_CONNTRACK_SYN_SENT],
1223 .maxlen = sizeof(unsigned int), 1220 .maxlen = sizeof(unsigned int),
1224 .mode = 0644, 1221 .mode = 0644,
1225 .proc_handler = proc_dointvec_jiffies, 1222 .proc_handler = proc_dointvec_jiffies,
1226 }, 1223 },
1227 { 1224 {
1228 .procname = "nf_conntrack_tcp_timeout_syn_recv", 1225 .procname = "nf_conntrack_tcp_timeout_syn_recv",
1229 .data = &tcp_timeouts[TCP_CONNTRACK_SYN_RECV], 1226 .data = &tcp_timeouts[TCP_CONNTRACK_SYN_RECV],
1230 .maxlen = sizeof(unsigned int), 1227 .maxlen = sizeof(unsigned int),
1231 .mode = 0644, 1228 .mode = 0644,
1232 .proc_handler = proc_dointvec_jiffies, 1229 .proc_handler = proc_dointvec_jiffies,
1233 }, 1230 },
1234 { 1231 {
1235 .procname = "nf_conntrack_tcp_timeout_established", 1232 .procname = "nf_conntrack_tcp_timeout_established",
1236 .data = &tcp_timeouts[TCP_CONNTRACK_ESTABLISHED], 1233 .data = &tcp_timeouts[TCP_CONNTRACK_ESTABLISHED],
1237 .maxlen = sizeof(unsigned int), 1234 .maxlen = sizeof(unsigned int),
1238 .mode = 0644, 1235 .mode = 0644,
1239 .proc_handler = proc_dointvec_jiffies, 1236 .proc_handler = proc_dointvec_jiffies,
1240 }, 1237 },
1241 { 1238 {
1242 .procname = "nf_conntrack_tcp_timeout_fin_wait", 1239 .procname = "nf_conntrack_tcp_timeout_fin_wait",
1243 .data = &tcp_timeouts[TCP_CONNTRACK_FIN_WAIT], 1240 .data = &tcp_timeouts[TCP_CONNTRACK_FIN_WAIT],
1244 .maxlen = sizeof(unsigned int), 1241 .maxlen = sizeof(unsigned int),
1245 .mode = 0644, 1242 .mode = 0644,
1246 .proc_handler = proc_dointvec_jiffies, 1243 .proc_handler = proc_dointvec_jiffies,
1247 }, 1244 },
1248 { 1245 {
1249 .procname = "nf_conntrack_tcp_timeout_close_wait", 1246 .procname = "nf_conntrack_tcp_timeout_close_wait",
1250 .data = &tcp_timeouts[TCP_CONNTRACK_CLOSE_WAIT], 1247 .data = &tcp_timeouts[TCP_CONNTRACK_CLOSE_WAIT],
1251 .maxlen = sizeof(unsigned int), 1248 .maxlen = sizeof(unsigned int),
1252 .mode = 0644, 1249 .mode = 0644,
1253 .proc_handler = proc_dointvec_jiffies, 1250 .proc_handler = proc_dointvec_jiffies,
1254 }, 1251 },
1255 { 1252 {
1256 .procname = "nf_conntrack_tcp_timeout_last_ack", 1253 .procname = "nf_conntrack_tcp_timeout_last_ack",
1257 .data = &tcp_timeouts[TCP_CONNTRACK_LAST_ACK], 1254 .data = &tcp_timeouts[TCP_CONNTRACK_LAST_ACK],
1258 .maxlen = sizeof(unsigned int), 1255 .maxlen = sizeof(unsigned int),
1259 .mode = 0644, 1256 .mode = 0644,
1260 .proc_handler = proc_dointvec_jiffies, 1257 .proc_handler = proc_dointvec_jiffies,
1261 }, 1258 },
1262 { 1259 {
1263 .procname = "nf_conntrack_tcp_timeout_time_wait", 1260 .procname = "nf_conntrack_tcp_timeout_time_wait",
1264 .data = &tcp_timeouts[TCP_CONNTRACK_TIME_WAIT], 1261 .data = &tcp_timeouts[TCP_CONNTRACK_TIME_WAIT],
1265 .maxlen = sizeof(unsigned int), 1262 .maxlen = sizeof(unsigned int),
1266 .mode = 0644, 1263 .mode = 0644,
1267 .proc_handler = proc_dointvec_jiffies, 1264 .proc_handler = proc_dointvec_jiffies,
1268 }, 1265 },
1269 { 1266 {
1270 .procname = "nf_conntrack_tcp_timeout_close", 1267 .procname = "nf_conntrack_tcp_timeout_close",
1271 .data = &tcp_timeouts[TCP_CONNTRACK_CLOSE], 1268 .data = &tcp_timeouts[TCP_CONNTRACK_CLOSE],
1272 .maxlen = sizeof(unsigned int), 1269 .maxlen = sizeof(unsigned int),
1273 .mode = 0644, 1270 .mode = 0644,
1274 .proc_handler = proc_dointvec_jiffies, 1271 .proc_handler = proc_dointvec_jiffies,
1275 }, 1272 },
1276 { 1273 {
1277 .procname = "nf_conntrack_tcp_timeout_max_retrans", 1274 .procname = "nf_conntrack_tcp_timeout_max_retrans",
1278 .data = &nf_ct_tcp_timeout_max_retrans, 1275 .data = &nf_ct_tcp_timeout_max_retrans,
1279 .maxlen = sizeof(unsigned int), 1276 .maxlen = sizeof(unsigned int),
1280 .mode = 0644, 1277 .mode = 0644,
1281 .proc_handler = proc_dointvec_jiffies, 1278 .proc_handler = proc_dointvec_jiffies,
1282 }, 1279 },
1283 { 1280 {
1284 .procname = "nf_conntrack_tcp_timeout_unacknowledged", 1281 .procname = "nf_conntrack_tcp_timeout_unacknowledged",
1285 .data = &nf_ct_tcp_timeout_unacknowledged, 1282 .data = &nf_ct_tcp_timeout_unacknowledged,
1286 .maxlen = sizeof(unsigned int), 1283 .maxlen = sizeof(unsigned int),
1287 .mode = 0644, 1284 .mode = 0644,
1288 .proc_handler = proc_dointvec_jiffies, 1285 .proc_handler = proc_dointvec_jiffies,
1289 }, 1286 },
1290 { 1287 {
1291 .ctl_name = NET_NF_CONNTRACK_TCP_LOOSE, 1288 .ctl_name = NET_NF_CONNTRACK_TCP_LOOSE,
1292 .procname = "nf_conntrack_tcp_loose", 1289 .procname = "nf_conntrack_tcp_loose",
1293 .data = &nf_ct_tcp_loose, 1290 .data = &nf_ct_tcp_loose,
1294 .maxlen = sizeof(unsigned int), 1291 .maxlen = sizeof(unsigned int),
1295 .mode = 0644, 1292 .mode = 0644,
1296 .proc_handler = proc_dointvec, 1293 .proc_handler = proc_dointvec,
1297 }, 1294 },
1298 { 1295 {
1299 .ctl_name = NET_NF_CONNTRACK_TCP_BE_LIBERAL, 1296 .ctl_name = NET_NF_CONNTRACK_TCP_BE_LIBERAL,
1300 .procname = "nf_conntrack_tcp_be_liberal", 1297 .procname = "nf_conntrack_tcp_be_liberal",
1301 .data = &nf_ct_tcp_be_liberal, 1298 .data = &nf_ct_tcp_be_liberal,
1302 .maxlen = sizeof(unsigned int), 1299 .maxlen = sizeof(unsigned int),
1303 .mode = 0644, 1300 .mode = 0644,
1304 .proc_handler = proc_dointvec, 1301 .proc_handler = proc_dointvec,
1305 }, 1302 },
1306 { 1303 {
1307 .ctl_name = NET_NF_CONNTRACK_TCP_MAX_RETRANS, 1304 .ctl_name = NET_NF_CONNTRACK_TCP_MAX_RETRANS,
1308 .procname = "nf_conntrack_tcp_max_retrans", 1305 .procname = "nf_conntrack_tcp_max_retrans",
1309 .data = &nf_ct_tcp_max_retrans, 1306 .data = &nf_ct_tcp_max_retrans,
1310 .maxlen = sizeof(unsigned int), 1307 .maxlen = sizeof(unsigned int),
1311 .mode = 0644, 1308 .mode = 0644,
1312 .proc_handler = proc_dointvec, 1309 .proc_handler = proc_dointvec,
1313 }, 1310 },
1314 { 1311 {
1315 .ctl_name = 0 1312 .ctl_name = 0
1316 } 1313 }
1317 }; 1314 };
1318 1315
1319 #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT 1316 #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
1320 static struct ctl_table tcp_compat_sysctl_table[] = { 1317 static struct ctl_table tcp_compat_sysctl_table[] = {
1321 { 1318 {
1322 .procname = "ip_conntrack_tcp_timeout_syn_sent", 1319 .procname = "ip_conntrack_tcp_timeout_syn_sent",
1323 .data = &tcp_timeouts[TCP_CONNTRACK_SYN_SENT], 1320 .data = &tcp_timeouts[TCP_CONNTRACK_SYN_SENT],
1324 .maxlen = sizeof(unsigned int), 1321 .maxlen = sizeof(unsigned int),
1325 .mode = 0644, 1322 .mode = 0644,
1326 .proc_handler = proc_dointvec_jiffies, 1323 .proc_handler = proc_dointvec_jiffies,
1327 }, 1324 },
1328 { 1325 {
1329 .procname = "ip_conntrack_tcp_timeout_syn_sent2", 1326 .procname = "ip_conntrack_tcp_timeout_syn_sent2",
1330 .data = &tcp_timeouts[TCP_CONNTRACK_SYN_SENT2], 1327 .data = &tcp_timeouts[TCP_CONNTRACK_SYN_SENT2],
1331 .maxlen = sizeof(unsigned int), 1328 .maxlen = sizeof(unsigned int),
1332 .mode = 0644, 1329 .mode = 0644,
1333 .proc_handler = proc_dointvec_jiffies, 1330 .proc_handler = proc_dointvec_jiffies,
1334 }, 1331 },
1335 { 1332 {
1336 .procname = "ip_conntrack_tcp_timeout_syn_recv", 1333 .procname = "ip_conntrack_tcp_timeout_syn_recv",
1337 .data = &tcp_timeouts[TCP_CONNTRACK_SYN_RECV], 1334 .data = &tcp_timeouts[TCP_CONNTRACK_SYN_RECV],
1338 .maxlen = sizeof(unsigned int), 1335 .maxlen = sizeof(unsigned int),
1339 .mode = 0644, 1336 .mode = 0644,
1340 .proc_handler = proc_dointvec_jiffies, 1337 .proc_handler = proc_dointvec_jiffies,
1341 }, 1338 },
1342 { 1339 {
1343 .procname = "ip_conntrack_tcp_timeout_established", 1340 .procname = "ip_conntrack_tcp_timeout_established",
1344 .data = &tcp_timeouts[TCP_CONNTRACK_ESTABLISHED], 1341 .data = &tcp_timeouts[TCP_CONNTRACK_ESTABLISHED],
1345 .maxlen = sizeof(unsigned int), 1342 .maxlen = sizeof(unsigned int),
1346 .mode = 0644, 1343 .mode = 0644,
1347 .proc_handler = proc_dointvec_jiffies, 1344 .proc_handler = proc_dointvec_jiffies,
1348 }, 1345 },
1349 { 1346 {
1350 .procname = "ip_conntrack_tcp_timeout_fin_wait", 1347 .procname = "ip_conntrack_tcp_timeout_fin_wait",
1351 .data = &tcp_timeouts[TCP_CONNTRACK_FIN_WAIT], 1348 .data = &tcp_timeouts[TCP_CONNTRACK_FIN_WAIT],
1352 .maxlen = sizeof(unsigned int), 1349 .maxlen = sizeof(unsigned int),
1353 .mode = 0644, 1350 .mode = 0644,
1354 .proc_handler = proc_dointvec_jiffies, 1351 .proc_handler = proc_dointvec_jiffies,
1355 }, 1352 },
1356 { 1353 {
1357 .procname = "ip_conntrack_tcp_timeout_close_wait", 1354 .procname = "ip_conntrack_tcp_timeout_close_wait",
1358 .data = &tcp_timeouts[TCP_CONNTRACK_CLOSE_WAIT], 1355 .data = &tcp_timeouts[TCP_CONNTRACK_CLOSE_WAIT],
1359 .maxlen = sizeof(unsigned int), 1356 .maxlen = sizeof(unsigned int),
1360 .mode = 0644, 1357 .mode = 0644,
1361 .proc_handler = proc_dointvec_jiffies, 1358 .proc_handler = proc_dointvec_jiffies,
1362 }, 1359 },
1363 { 1360 {
1364 .procname = "ip_conntrack_tcp_timeout_last_ack", 1361 .procname = "ip_conntrack_tcp_timeout_last_ack",
1365 .data = &tcp_timeouts[TCP_CONNTRACK_LAST_ACK], 1362 .data = &tcp_timeouts[TCP_CONNTRACK_LAST_ACK],
1366 .maxlen = sizeof(unsigned int), 1363 .maxlen = sizeof(unsigned int),
1367 .mode = 0644, 1364 .mode = 0644,
1368 .proc_handler = proc_dointvec_jiffies, 1365 .proc_handler = proc_dointvec_jiffies,
1369 }, 1366 },
1370 { 1367 {
1371 .procname = "ip_conntrack_tcp_timeout_time_wait", 1368 .procname = "ip_conntrack_tcp_timeout_time_wait",
1372 .data = &tcp_timeouts[TCP_CONNTRACK_TIME_WAIT], 1369 .data = &tcp_timeouts[TCP_CONNTRACK_TIME_WAIT],
1373 .maxlen = sizeof(unsigned int), 1370 .maxlen = sizeof(unsigned int),
1374 .mode = 0644, 1371 .mode = 0644,
1375 .proc_handler = proc_dointvec_jiffies, 1372 .proc_handler = proc_dointvec_jiffies,
1376 }, 1373 },
1377 { 1374 {
1378 .procname = "ip_conntrack_tcp_timeout_close", 1375 .procname = "ip_conntrack_tcp_timeout_close",
1379 .data = &tcp_timeouts[TCP_CONNTRACK_CLOSE], 1376 .data = &tcp_timeouts[TCP_CONNTRACK_CLOSE],
1380 .maxlen = sizeof(unsigned int), 1377 .maxlen = sizeof(unsigned int),
1381 .mode = 0644, 1378 .mode = 0644,
1382 .proc_handler = proc_dointvec_jiffies, 1379 .proc_handler = proc_dointvec_jiffies,
1383 }, 1380 },
1384 { 1381 {
1385 .procname = "ip_conntrack_tcp_timeout_max_retrans", 1382 .procname = "ip_conntrack_tcp_timeout_max_retrans",
1386 .data = &nf_ct_tcp_timeout_max_retrans, 1383 .data = &nf_ct_tcp_timeout_max_retrans,
1387 .maxlen = sizeof(unsigned int), 1384 .maxlen = sizeof(unsigned int),
1388 .mode = 0644, 1385 .mode = 0644,
1389 .proc_handler = proc_dointvec_jiffies, 1386 .proc_handler = proc_dointvec_jiffies,
1390 }, 1387 },
1391 { 1388 {
1392 .ctl_name = NET_IPV4_NF_CONNTRACK_TCP_LOOSE, 1389 .ctl_name = NET_IPV4_NF_CONNTRACK_TCP_LOOSE,
1393 .procname = "ip_conntrack_tcp_loose", 1390 .procname = "ip_conntrack_tcp_loose",
1394 .data = &nf_ct_tcp_loose, 1391 .data = &nf_ct_tcp_loose,
1395 .maxlen = sizeof(unsigned int), 1392 .maxlen = sizeof(unsigned int),
1396 .mode = 0644, 1393 .mode = 0644,
1397 .proc_handler = proc_dointvec, 1394 .proc_handler = proc_dointvec,
1398 }, 1395 },
1399 { 1396 {
1400 .ctl_name = NET_IPV4_NF_CONNTRACK_TCP_BE_LIBERAL, 1397 .ctl_name = NET_IPV4_NF_CONNTRACK_TCP_BE_LIBERAL,
1401 .procname = "ip_conntrack_tcp_be_liberal", 1398 .procname = "ip_conntrack_tcp_be_liberal",
1402 .data = &nf_ct_tcp_be_liberal, 1399 .data = &nf_ct_tcp_be_liberal,
1403 .maxlen = sizeof(unsigned int), 1400 .maxlen = sizeof(unsigned int),
1404 .mode = 0644, 1401 .mode = 0644,
1405 .proc_handler = proc_dointvec, 1402 .proc_handler = proc_dointvec,
1406 }, 1403 },
1407 { 1404 {
1408 .ctl_name = NET_IPV4_NF_CONNTRACK_TCP_MAX_RETRANS, 1405 .ctl_name = NET_IPV4_NF_CONNTRACK_TCP_MAX_RETRANS,
1409 .procname = "ip_conntrack_tcp_max_retrans", 1406 .procname = "ip_conntrack_tcp_max_retrans",
1410 .data = &nf_ct_tcp_max_retrans, 1407 .data = &nf_ct_tcp_max_retrans,
1411 .maxlen = sizeof(unsigned int), 1408 .maxlen = sizeof(unsigned int),
1412 .mode = 0644, 1409 .mode = 0644,
1413 .proc_handler = proc_dointvec, 1410 .proc_handler = proc_dointvec,
1414 }, 1411 },
1415 { 1412 {
1416 .ctl_name = 0 1413 .ctl_name = 0
1417 } 1414 }
1418 }; 1415 };
1419 #endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */ 1416 #endif /* CONFIG_NF_CONNTRACK_PROC_COMPAT */
1420 #endif /* CONFIG_SYSCTL */ 1417 #endif /* CONFIG_SYSCTL */
1421 1418
1422 struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp4 __read_mostly = 1419 struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp4 __read_mostly =
1423 { 1420 {
1424 .l3proto = PF_INET, 1421 .l3proto = PF_INET,
1425 .l4proto = IPPROTO_TCP, 1422 .l4proto = IPPROTO_TCP,
1426 .name = "tcp", 1423 .name = "tcp",
1427 .pkt_to_tuple = tcp_pkt_to_tuple, 1424 .pkt_to_tuple = tcp_pkt_to_tuple,
1428 .invert_tuple = tcp_invert_tuple, 1425 .invert_tuple = tcp_invert_tuple,
1429 .print_tuple = tcp_print_tuple, 1426 .print_tuple = tcp_print_tuple,
1430 .print_conntrack = tcp_print_conntrack, 1427 .print_conntrack = tcp_print_conntrack,
1431 .packet = tcp_packet, 1428 .packet = tcp_packet,
1432 .new = tcp_new, 1429 .new = tcp_new,
1433 .error = tcp_error, 1430 .error = tcp_error,
1434 #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) 1431 #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
1435 .to_nlattr = tcp_to_nlattr, 1432 .to_nlattr = tcp_to_nlattr,
1436 .nlattr_size = tcp_nlattr_size, 1433 .nlattr_size = tcp_nlattr_size,
1437 .from_nlattr = nlattr_to_tcp, 1434 .from_nlattr = nlattr_to_tcp,
1438 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr, 1435 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
1439 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, 1436 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
1440 .nlattr_tuple_size = tcp_nlattr_tuple_size, 1437 .nlattr_tuple_size = tcp_nlattr_tuple_size,
1441 .nla_policy = nf_ct_port_nla_policy, 1438 .nla_policy = nf_ct_port_nla_policy,
1442 #endif 1439 #endif
1443 #ifdef CONFIG_SYSCTL 1440 #ifdef CONFIG_SYSCTL
1444 .ctl_table_users = &tcp_sysctl_table_users, 1441 .ctl_table_users = &tcp_sysctl_table_users,
1445 .ctl_table_header = &tcp_sysctl_header, 1442 .ctl_table_header = &tcp_sysctl_header,
1446 .ctl_table = tcp_sysctl_table, 1443 .ctl_table = tcp_sysctl_table,
1447 #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT 1444 #ifdef CONFIG_NF_CONNTRACK_PROC_COMPAT
1448 .ctl_compat_table = tcp_compat_sysctl_table, 1445 .ctl_compat_table = tcp_compat_sysctl_table,
1449 #endif 1446 #endif
1450 #endif 1447 #endif
1451 }; 1448 };
1452 EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_tcp4); 1449 EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_tcp4);
1453 1450
1454 struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp6 __read_mostly = 1451 struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp6 __read_mostly =
1455 { 1452 {
1456 .l3proto = PF_INET6, 1453 .l3proto = PF_INET6,
1457 .l4proto = IPPROTO_TCP, 1454 .l4proto = IPPROTO_TCP,
1458 .name = "tcp", 1455 .name = "tcp",
1459 .pkt_to_tuple = tcp_pkt_to_tuple, 1456 .pkt_to_tuple = tcp_pkt_to_tuple,
1460 .invert_tuple = tcp_invert_tuple, 1457 .invert_tuple = tcp_invert_tuple,
1461 .print_tuple = tcp_print_tuple, 1458 .print_tuple = tcp_print_tuple,
1462 .print_conntrack = tcp_print_conntrack, 1459 .print_conntrack = tcp_print_conntrack,
1463 .packet = tcp_packet, 1460 .packet = tcp_packet,
1464 .new = tcp_new, 1461 .new = tcp_new,
1465 .error = tcp_error, 1462 .error = tcp_error,
1466 #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE) 1463 #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
1467 .to_nlattr = tcp_to_nlattr, 1464 .to_nlattr = tcp_to_nlattr,
1468 .nlattr_size = tcp_nlattr_size, 1465 .nlattr_size = tcp_nlattr_size,
1469 .from_nlattr = nlattr_to_tcp, 1466 .from_nlattr = nlattr_to_tcp,
1470 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr, 1467 .tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
1471 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple, 1468 .nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
1472 .nlattr_tuple_size = tcp_nlattr_tuple_size, 1469 .nlattr_tuple_size = tcp_nlattr_tuple_size,
1473 .nla_policy = nf_ct_port_nla_policy, 1470 .nla_policy = nf_ct_port_nla_policy,
1474 #endif 1471 #endif
1475 #ifdef CONFIG_SYSCTL 1472 #ifdef CONFIG_SYSCTL
1476 .ctl_table_users = &tcp_sysctl_table_users, 1473 .ctl_table_users = &tcp_sysctl_table_users,
1477 .ctl_table_header = &tcp_sysctl_header, 1474 .ctl_table_header = &tcp_sysctl_header,
1478 .ctl_table = tcp_sysctl_table, 1475 .ctl_table = tcp_sysctl_table,
1479 #endif 1476 #endif
1480 }; 1477 };
1481 EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_tcp6); 1478 EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_tcp6);
1482 1479