2 * (C) 2012 Pablo Neira Ayuso <pablo@netfilter.org>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation (or any later at your option).
8 * This software has been sponsored by Vyatta Inc. <http://www.vyatta.com>
10 #include <linux/init.h>
11 #include <linux/module.h>
12 #include <linux/kernel.h>
13 #include <linux/skbuff.h>
14 #include <linux/netlink.h>
15 #include <linux/rculist.h>
16 #include <linux/slab.h>
17 #include <linux/types.h>
18 #include <linux/list.h>
19 #include <linux/errno.h>
20 #include <net/netlink.h>
23 #include <net/netfilter/nf_conntrack_helper.h>
24 #include <net/netfilter/nf_conntrack_expect.h>
25 #include <net/netfilter/nf_conntrack_ecache.h>
27 #include <linux/netfilter/nfnetlink.h>
28 #include <linux/netfilter/nfnetlink_conntrack.h>
29 #include <linux/netfilter/nfnetlink_cthelper.h>
31 MODULE_LICENSE("GPL");
32 MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
33 MODULE_DESCRIPTION("nfnl_cthelper: User-space connection tracking helpers");
36 nfnl_userspace_cthelper(struct sk_buff *skb, unsigned int protoff,
37 struct nf_conn *ct, enum ip_conntrack_info ctinfo)
39 const struct nf_conn_help *help;
40 struct nf_conntrack_helper *helper;
46 /* rcu_read_lock()ed by nf_hook_thresh */
47 helper = rcu_dereference(help->helper);
51 /* This is an user-space helper not yet configured, skip. */
53 (NF_CT_HELPER_F_USERSPACE | NF_CT_HELPER_F_CONFIGURED)) ==
54 NF_CT_HELPER_F_USERSPACE)
57 /* If the user-space helper is not available, don't block traffic. */
58 return NF_QUEUE_NR(helper->queue_num) | NF_VERDICT_FLAG_QUEUE_BYPASS;
61 static const struct nla_policy nfnl_cthelper_tuple_pol[NFCTH_TUPLE_MAX+1] = {
62 [NFCTH_TUPLE_L3PROTONUM] = { .type = NLA_U16, },
63 [NFCTH_TUPLE_L4PROTONUM] = { .type = NLA_U8, },
67 nfnl_cthelper_parse_tuple(struct nf_conntrack_tuple *tuple,
68 const struct nlattr *attr)
71 struct nlattr *tb[NFCTH_TUPLE_MAX+1];
73 err = nla_parse_nested(tb, NFCTH_TUPLE_MAX, attr, nfnl_cthelper_tuple_pol);
77 if (!tb[NFCTH_TUPLE_L3PROTONUM] || !tb[NFCTH_TUPLE_L4PROTONUM])
80 /* Not all fields are initialized so first zero the tuple */
81 memset(tuple, 0, sizeof(struct nf_conntrack_tuple));
83 tuple->src.l3num = ntohs(nla_get_be16(tb[NFCTH_TUPLE_L3PROTONUM]));
84 tuple->dst.protonum = nla_get_u8(tb[NFCTH_TUPLE_L4PROTONUM]);
90 nfnl_cthelper_from_nlattr(struct nlattr *attr, struct nf_conn *ct)
92 struct nf_conn_help *help = nfct_help(ct);
97 if (help->helper->data_len == 0)
100 memcpy(help->data, nla_data(attr), help->helper->data_len);
105 nfnl_cthelper_to_nlattr(struct sk_buff *skb, const struct nf_conn *ct)
107 const struct nf_conn_help *help = nfct_help(ct);
109 if (help->helper->data_len &&
110 nla_put(skb, CTA_HELP_INFO, help->helper->data_len, &help->data))
111 goto nla_put_failure;
119 static const struct nla_policy nfnl_cthelper_expect_pol[NFCTH_POLICY_MAX+1] = {
120 [NFCTH_POLICY_NAME] = { .type = NLA_NUL_STRING,
121 .len = NF_CT_HELPER_NAME_LEN-1 },
122 [NFCTH_POLICY_EXPECT_MAX] = { .type = NLA_U32, },
123 [NFCTH_POLICY_EXPECT_TIMEOUT] = { .type = NLA_U32, },
127 nfnl_cthelper_expect_policy(struct nf_conntrack_expect_policy *expect_policy,
128 const struct nlattr *attr)
131 struct nlattr *tb[NFCTH_POLICY_MAX+1];
133 err = nla_parse_nested(tb, NFCTH_POLICY_MAX, attr, nfnl_cthelper_expect_pol);
137 if (!tb[NFCTH_POLICY_NAME] ||
138 !tb[NFCTH_POLICY_EXPECT_MAX] ||
139 !tb[NFCTH_POLICY_EXPECT_TIMEOUT])
142 strncpy(expect_policy->name,
143 nla_data(tb[NFCTH_POLICY_NAME]), NF_CT_HELPER_NAME_LEN);
144 expect_policy->max_expected =
145 ntohl(nla_get_be32(tb[NFCTH_POLICY_EXPECT_MAX]));
146 expect_policy->timeout =
147 ntohl(nla_get_be32(tb[NFCTH_POLICY_EXPECT_TIMEOUT]));
152 static const struct nla_policy
153 nfnl_cthelper_expect_policy_set[NFCTH_POLICY_SET_MAX+1] = {
154 [NFCTH_POLICY_SET_NUM] = { .type = NLA_U32, },
158 nfnl_cthelper_parse_expect_policy(struct nf_conntrack_helper *helper,
159 const struct nlattr *attr)
162 struct nf_conntrack_expect_policy *expect_policy;
163 struct nlattr *tb[NFCTH_POLICY_SET_MAX+1];
165 ret = nla_parse_nested(tb, NFCTH_POLICY_SET_MAX, attr,
166 nfnl_cthelper_expect_policy_set);
170 if (!tb[NFCTH_POLICY_SET_NUM])
173 helper->expect_class_max =
174 ntohl(nla_get_be32(tb[NFCTH_POLICY_SET_NUM]));
176 if (helper->expect_class_max != 0 &&
177 helper->expect_class_max > NF_CT_MAX_EXPECT_CLASSES)
180 expect_policy = kzalloc(sizeof(struct nf_conntrack_expect_policy) *
181 helper->expect_class_max, GFP_KERNEL);
182 if (expect_policy == NULL)
185 for (i=0; i<helper->expect_class_max; i++) {
186 if (!tb[NFCTH_POLICY_SET+i])
189 ret = nfnl_cthelper_expect_policy(&expect_policy[i],
190 tb[NFCTH_POLICY_SET+i]);
194 helper->expect_policy = expect_policy;
197 kfree(expect_policy);
202 nfnl_cthelper_create(const struct nlattr * const tb[],
203 struct nf_conntrack_tuple *tuple)
205 struct nf_conntrack_helper *helper;
208 if (!tb[NFCTH_TUPLE] || !tb[NFCTH_POLICY] || !tb[NFCTH_PRIV_DATA_LEN])
211 helper = kzalloc(sizeof(struct nf_conntrack_helper), GFP_KERNEL);
215 ret = nfnl_cthelper_parse_expect_policy(helper, tb[NFCTH_POLICY]);
219 strncpy(helper->name, nla_data(tb[NFCTH_NAME]), NF_CT_HELPER_NAME_LEN);
220 helper->data_len = ntohl(nla_get_be32(tb[NFCTH_PRIV_DATA_LEN]));
221 helper->flags |= NF_CT_HELPER_F_USERSPACE;
222 memcpy(&helper->tuple, tuple, sizeof(struct nf_conntrack_tuple));
224 helper->me = THIS_MODULE;
225 helper->help = nfnl_userspace_cthelper;
226 helper->from_nlattr = nfnl_cthelper_from_nlattr;
227 helper->to_nlattr = nfnl_cthelper_to_nlattr;
229 /* Default to queue number zero, this can be updated at any time. */
230 if (tb[NFCTH_QUEUE_NUM])
231 helper->queue_num = ntohl(nla_get_be32(tb[NFCTH_QUEUE_NUM]));
233 if (tb[NFCTH_STATUS]) {
234 int status = ntohl(nla_get_be32(tb[NFCTH_STATUS]));
237 case NFCT_HELPER_STATUS_ENABLED:
238 helper->flags |= NF_CT_HELPER_F_CONFIGURED;
240 case NFCT_HELPER_STATUS_DISABLED:
241 helper->flags &= ~NF_CT_HELPER_F_CONFIGURED;
246 ret = nf_conntrack_helper_register(helper);
257 nfnl_cthelper_update(const struct nlattr * const tb[],
258 struct nf_conntrack_helper *helper)
262 if (tb[NFCTH_PRIV_DATA_LEN])
265 if (tb[NFCTH_POLICY]) {
266 ret = nfnl_cthelper_parse_expect_policy(helper,
271 if (tb[NFCTH_QUEUE_NUM])
272 helper->queue_num = ntohl(nla_get_be32(tb[NFCTH_QUEUE_NUM]));
274 if (tb[NFCTH_STATUS]) {
275 int status = ntohl(nla_get_be32(tb[NFCTH_STATUS]));
278 case NFCT_HELPER_STATUS_ENABLED:
279 helper->flags |= NF_CT_HELPER_F_CONFIGURED;
281 case NFCT_HELPER_STATUS_DISABLED:
282 helper->flags &= ~NF_CT_HELPER_F_CONFIGURED;
289 static int nfnl_cthelper_new(struct net *net, struct sock *nfnl,
290 struct sk_buff *skb, const struct nlmsghdr *nlh,
291 const struct nlattr * const tb[])
293 const char *helper_name;
294 struct nf_conntrack_helper *cur, *helper = NULL;
295 struct nf_conntrack_tuple tuple;
298 if (!tb[NFCTH_NAME] || !tb[NFCTH_TUPLE])
301 helper_name = nla_data(tb[NFCTH_NAME]);
303 ret = nfnl_cthelper_parse_tuple(&tuple, tb[NFCTH_TUPLE]);
308 for (i = 0; i < nf_ct_helper_hsize && !helper; i++) {
309 hlist_for_each_entry_rcu(cur, &nf_ct_helper_hash[i], hnode) {
311 /* skip non-userspace conntrack helpers. */
312 if (!(cur->flags & NF_CT_HELPER_F_USERSPACE))
315 if (strncmp(cur->name, helper_name,
316 NF_CT_HELPER_NAME_LEN) != 0)
319 if ((tuple.src.l3num != cur->tuple.src.l3num ||
320 tuple.dst.protonum != cur->tuple.dst.protonum))
323 if (nlh->nlmsg_flags & NLM_F_EXCL) {
334 ret = nfnl_cthelper_create(tb, &tuple);
336 ret = nfnl_cthelper_update(tb, helper);
345 nfnl_cthelper_dump_tuple(struct sk_buff *skb,
346 struct nf_conntrack_helper *helper)
348 struct nlattr *nest_parms;
350 nest_parms = nla_nest_start(skb, NFCTH_TUPLE | NLA_F_NESTED);
351 if (nest_parms == NULL)
352 goto nla_put_failure;
354 if (nla_put_be16(skb, NFCTH_TUPLE_L3PROTONUM,
355 htons(helper->tuple.src.l3num)))
356 goto nla_put_failure;
358 if (nla_put_u8(skb, NFCTH_TUPLE_L4PROTONUM, helper->tuple.dst.protonum))
359 goto nla_put_failure;
361 nla_nest_end(skb, nest_parms);
369 nfnl_cthelper_dump_policy(struct sk_buff *skb,
370 struct nf_conntrack_helper *helper)
373 struct nlattr *nest_parms1, *nest_parms2;
375 nest_parms1 = nla_nest_start(skb, NFCTH_POLICY | NLA_F_NESTED);
376 if (nest_parms1 == NULL)
377 goto nla_put_failure;
379 if (nla_put_be32(skb, NFCTH_POLICY_SET_NUM,
380 htonl(helper->expect_class_max)))
381 goto nla_put_failure;
383 for (i=0; i<helper->expect_class_max; i++) {
384 nest_parms2 = nla_nest_start(skb,
385 (NFCTH_POLICY_SET+i) | NLA_F_NESTED);
386 if (nest_parms2 == NULL)
387 goto nla_put_failure;
389 if (nla_put_string(skb, NFCTH_POLICY_NAME,
390 helper->expect_policy[i].name))
391 goto nla_put_failure;
393 if (nla_put_be32(skb, NFCTH_POLICY_EXPECT_MAX,
394 htonl(helper->expect_policy[i].max_expected)))
395 goto nla_put_failure;
397 if (nla_put_be32(skb, NFCTH_POLICY_EXPECT_TIMEOUT,
398 htonl(helper->expect_policy[i].timeout)))
399 goto nla_put_failure;
401 nla_nest_end(skb, nest_parms2);
403 nla_nest_end(skb, nest_parms1);
411 nfnl_cthelper_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
412 int event, struct nf_conntrack_helper *helper)
414 struct nlmsghdr *nlh;
415 struct nfgenmsg *nfmsg;
416 unsigned int flags = portid ? NLM_F_MULTI : 0;
419 event |= NFNL_SUBSYS_CTHELPER << 8;
420 nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
424 nfmsg = nlmsg_data(nlh);
425 nfmsg->nfgen_family = AF_UNSPEC;
426 nfmsg->version = NFNETLINK_V0;
429 if (nla_put_string(skb, NFCTH_NAME, helper->name))
430 goto nla_put_failure;
432 if (nla_put_be32(skb, NFCTH_QUEUE_NUM, htonl(helper->queue_num)))
433 goto nla_put_failure;
435 if (nfnl_cthelper_dump_tuple(skb, helper) < 0)
436 goto nla_put_failure;
438 if (nfnl_cthelper_dump_policy(skb, helper) < 0)
439 goto nla_put_failure;
441 if (nla_put_be32(skb, NFCTH_PRIV_DATA_LEN, htonl(helper->data_len)))
442 goto nla_put_failure;
444 if (helper->flags & NF_CT_HELPER_F_CONFIGURED)
445 status = NFCT_HELPER_STATUS_ENABLED;
447 status = NFCT_HELPER_STATUS_DISABLED;
449 if (nla_put_be32(skb, NFCTH_STATUS, htonl(status)))
450 goto nla_put_failure;
457 nlmsg_cancel(skb, nlh);
462 nfnl_cthelper_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
464 struct nf_conntrack_helper *cur, *last;
467 last = (struct nf_conntrack_helper *)cb->args[1];
468 for (; cb->args[0] < nf_ct_helper_hsize; cb->args[0]++) {
470 hlist_for_each_entry_rcu(cur,
471 &nf_ct_helper_hash[cb->args[0]], hnode) {
473 /* skip non-userspace conntrack helpers. */
474 if (!(cur->flags & NF_CT_HELPER_F_USERSPACE))
482 if (nfnl_cthelper_fill_info(skb,
483 NETLINK_CB(cb->skb).portid,
485 NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
486 NFNL_MSG_CTHELPER_NEW, cur) < 0) {
487 cb->args[1] = (unsigned long)cur;
501 static int nfnl_cthelper_get(struct net *net, struct sock *nfnl,
502 struct sk_buff *skb, const struct nlmsghdr *nlh,
503 const struct nlattr * const tb[])
505 int ret = -ENOENT, i;
506 struct nf_conntrack_helper *cur;
507 struct sk_buff *skb2;
508 char *helper_name = NULL;
509 struct nf_conntrack_tuple tuple;
510 bool tuple_set = false;
512 if (nlh->nlmsg_flags & NLM_F_DUMP) {
513 struct netlink_dump_control c = {
514 .dump = nfnl_cthelper_dump_table,
516 return netlink_dump_start(nfnl, skb, nlh, &c);
520 helper_name = nla_data(tb[NFCTH_NAME]);
522 if (tb[NFCTH_TUPLE]) {
523 ret = nfnl_cthelper_parse_tuple(&tuple, tb[NFCTH_TUPLE]);
530 for (i = 0; i < nf_ct_helper_hsize; i++) {
531 hlist_for_each_entry_rcu(cur, &nf_ct_helper_hash[i], hnode) {
533 /* skip non-userspace conntrack helpers. */
534 if (!(cur->flags & NF_CT_HELPER_F_USERSPACE))
537 if (helper_name && strncmp(cur->name, helper_name,
538 NF_CT_HELPER_NAME_LEN) != 0) {
542 (tuple.src.l3num != cur->tuple.src.l3num ||
543 tuple.dst.protonum != cur->tuple.dst.protonum))
546 skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
552 ret = nfnl_cthelper_fill_info(skb2, NETLINK_CB(skb).portid,
554 NFNL_MSG_TYPE(nlh->nlmsg_type),
555 NFNL_MSG_CTHELPER_NEW, cur);
561 ret = netlink_unicast(nfnl, skb2, NETLINK_CB(skb).portid,
566 /* this avoids a loop in nfnetlink. */
567 return ret == -EAGAIN ? -ENOBUFS : ret;
573 static int nfnl_cthelper_del(struct net *net, struct sock *nfnl,
574 struct sk_buff *skb, const struct nlmsghdr *nlh,
575 const struct nlattr * const tb[])
577 char *helper_name = NULL;
578 struct nf_conntrack_helper *cur;
579 struct hlist_node *tmp;
580 struct nf_conntrack_tuple tuple;
581 bool tuple_set = false, found = false;
585 helper_name = nla_data(tb[NFCTH_NAME]);
587 if (tb[NFCTH_TUPLE]) {
588 ret = nfnl_cthelper_parse_tuple(&tuple, tb[NFCTH_TUPLE]);
595 for (i = 0; i < nf_ct_helper_hsize; i++) {
596 hlist_for_each_entry_safe(cur, tmp, &nf_ct_helper_hash[i],
598 /* skip non-userspace conntrack helpers. */
599 if (!(cur->flags & NF_CT_HELPER_F_USERSPACE))
604 if (helper_name && strncmp(cur->name, helper_name,
605 NF_CT_HELPER_NAME_LEN) != 0) {
609 (tuple.src.l3num != cur->tuple.src.l3num ||
610 tuple.dst.protonum != cur->tuple.dst.protonum))
614 nf_conntrack_helper_unregister(cur);
617 /* Make sure we return success if we flush and there is no helpers */
618 return (found || j == 0) ? 0 : -ENOENT;
621 static const struct nla_policy nfnl_cthelper_policy[NFCTH_MAX+1] = {
622 [NFCTH_NAME] = { .type = NLA_NUL_STRING,
623 .len = NF_CT_HELPER_NAME_LEN-1 },
624 [NFCTH_QUEUE_NUM] = { .type = NLA_U32, },
627 static const struct nfnl_callback nfnl_cthelper_cb[NFNL_MSG_CTHELPER_MAX] = {
628 [NFNL_MSG_CTHELPER_NEW] = { .call = nfnl_cthelper_new,
629 .attr_count = NFCTH_MAX,
630 .policy = nfnl_cthelper_policy },
631 [NFNL_MSG_CTHELPER_GET] = { .call = nfnl_cthelper_get,
632 .attr_count = NFCTH_MAX,
633 .policy = nfnl_cthelper_policy },
634 [NFNL_MSG_CTHELPER_DEL] = { .call = nfnl_cthelper_del,
635 .attr_count = NFCTH_MAX,
636 .policy = nfnl_cthelper_policy },
639 static const struct nfnetlink_subsystem nfnl_cthelper_subsys = {
641 .subsys_id = NFNL_SUBSYS_CTHELPER,
642 .cb_count = NFNL_MSG_CTHELPER_MAX,
643 .cb = nfnl_cthelper_cb,
646 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTHELPER);
648 static int __init nfnl_cthelper_init(void)
652 ret = nfnetlink_subsys_register(&nfnl_cthelper_subsys);
654 pr_err("nfnl_cthelper: cannot register with nfnetlink.\n");
662 static void __exit nfnl_cthelper_exit(void)
664 struct nf_conntrack_helper *cur;
665 struct hlist_node *tmp;
668 nfnetlink_subsys_unregister(&nfnl_cthelper_subsys);
670 for (i=0; i<nf_ct_helper_hsize; i++) {
671 hlist_for_each_entry_safe(cur, tmp, &nf_ct_helper_hash[i],
673 /* skip non-userspace conntrack helpers. */
674 if (!(cur->flags & NF_CT_HELPER_F_USERSPACE))
677 nf_conntrack_helper_unregister(cur);
682 module_init(nfnl_cthelper_init);
683 module_exit(nfnl_cthelper_exit);
projects / cascardo / linux.git / blob