net/netfilter/xt_CT.c at master

tjh.dev / kernel
fork
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork
kernel / net / netfilter / xt_CT.c
at master 441 lines 10 kB view raw
wrap content
  1// SPDX-License-Identifier: GPL-2.0-only
  2/*
  3 * Copyright (c) 2010 Patrick McHardy <kaber@trash.net>
  4 */
  5#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
  6#include <linux/module.h>
  7#include <linux/gfp.h>
  8#include <linux/skbuff.h>
  9#include <linux/netfilter_ipv4/ip_tables.h>
 10#include <linux/netfilter_ipv6/ip6_tables.h>
 11#include <linux/netfilter/x_tables.h>
 12#include <linux/netfilter/xt_CT.h>
 13#include <net/netfilter/nf_conntrack.h>
 14#include <net/netfilter/nf_conntrack_l4proto.h>
 15#include <net/netfilter/nf_conntrack_helper.h>
 16#include <net/netfilter/nf_conntrack_ecache.h>
 17#include <net/netfilter/nf_conntrack_timeout.h>
 18#include <net/netfilter/nf_conntrack_zones.h>
 19#include "nf_internals.h"
 20
 21static inline int xt_ct_target(struct sk_buff *skb, struct nf_conn *ct)
 22{
 23	/* Previously seen (loopback)? Ignore. */
 24	if (skb->_nfct != 0)
 25		return XT_CONTINUE;
 26
 27	if (ct) {
 28		refcount_inc(&ct->ct_general.use);
 29		nf_ct_set(skb, ct, IP_CT_NEW);
 30	} else {
 31		nf_ct_set(skb, ct, IP_CT_UNTRACKED);
 32	}
 33
 34	return XT_CONTINUE;
 35}
 36
 37static unsigned int xt_ct_target_v0(struct sk_buff *skb,
 38				    const struct xt_action_param *par)
 39{
 40	const struct xt_ct_target_info *info = par->targinfo;
 41	struct nf_conn *ct = info->ct;
 42
 43	return xt_ct_target(skb, ct);
 44}
 45
 46static unsigned int xt_ct_target_v1(struct sk_buff *skb,
 47				    const struct xt_action_param *par)
 48{
 49	const struct xt_ct_target_info_v1 *info = par->targinfo;
 50	struct nf_conn *ct = info->ct;
 51
 52	return xt_ct_target(skb, ct);
 53}
 54
 55static u8 xt_ct_find_proto(const struct xt_tgchk_param *par)
 56{
 57	if (par->family == NFPROTO_IPV4) {
 58		const struct ipt_entry *e = par->entryinfo;
 59
 60		if (e->ip.invflags & IPT_INV_PROTO)
 61			return 0;
 62		return e->ip.proto;
 63	} else if (par->family == NFPROTO_IPV6) {
 64		const struct ip6t_entry *e = par->entryinfo;
 65
 66		if (e->ipv6.invflags & IP6T_INV_PROTO)
 67			return 0;
 68		return e->ipv6.proto;
 69	} else
 70		return 0;
 71}
 72
 73static int
 74xt_ct_set_helper(struct nf_conn *ct, const char *helper_name,
 75		 const struct xt_tgchk_param *par)
 76{
 77	struct nf_conntrack_helper *helper;
 78	struct nf_conn_help *help;
 79	u8 proto;
 80
 81	proto = xt_ct_find_proto(par);
 82	if (!proto) {
 83		pr_info_ratelimited("You must specify a L4 protocol and not use inversions on it\n");
 84		return -ENOENT;
 85	}
 86
 87	helper = nf_conntrack_helper_try_module_get(helper_name, par->family,
 88						    proto);
 89	if (helper == NULL) {
 90		pr_info_ratelimited("No such helper \"%s\"\n", helper_name);
 91		return -ENOENT;
 92	}
 93
 94	help = nf_ct_helper_ext_add(ct, GFP_KERNEL);
 95	if (help == NULL) {
 96		nf_conntrack_helper_put(helper);
 97		return -ENOMEM;
 98	}
 99
100	rcu_assign_pointer(help->helper, helper);
101	return 0;
102}
103
104static int
105xt_ct_set_timeout(struct nf_conn *ct, const struct xt_tgchk_param *par,
106		  const char *timeout_name)
107{
108#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
109	const struct nf_conntrack_l4proto *l4proto;
110	u8 proto;
111
112	proto = xt_ct_find_proto(par);
113	if (!proto) {
114		pr_info_ratelimited("You must specify a L4 protocol and not "
115				    "use inversions on it");
116		return -EINVAL;
117	}
118	l4proto = nf_ct_l4proto_find(proto);
119	return nf_ct_set_timeout(par->net, ct, par->family, l4proto->l4proto,
120				 timeout_name);
121
122#else
123	return -EOPNOTSUPP;
124#endif
125}
126
127static u16 xt_ct_flags_to_dir(const struct xt_ct_target_info_v1 *info)
128{
129	switch (info->flags & (XT_CT_ZONE_DIR_ORIG |
130			       XT_CT_ZONE_DIR_REPL)) {
131	case XT_CT_ZONE_DIR_ORIG:
132		return NF_CT_ZONE_DIR_ORIG;
133	case XT_CT_ZONE_DIR_REPL:
134		return NF_CT_ZONE_DIR_REPL;
135	default:
136		return NF_CT_DEFAULT_ZONE_DIR;
137	}
138}
139
140static void xt_ct_put_helper(struct nf_conn_help *help)
141{
142	struct nf_conntrack_helper *helper;
143
144	if (!help)
145		return;
146
147	/* not yet exposed to other cpus, or ruleset
148	 * already detached (post-replacement).
149	 */
150	helper = rcu_dereference_raw(help->helper);
151	if (helper)
152		nf_conntrack_helper_put(helper);
153}
154
155static int xt_ct_tg_check(const struct xt_tgchk_param *par,
156			  struct xt_ct_target_info_v1 *info)
157{
158	struct nf_conntrack_zone zone;
159	struct nf_conn_help *help;
160	struct nf_conn *ct;
161	int ret = -EOPNOTSUPP;
162
163	if (info->flags & XT_CT_NOTRACK) {
164		ct = NULL;
165		goto out;
166	}
167
168#ifndef CONFIG_NF_CONNTRACK_ZONES
169	if (info->zone || info->flags & (XT_CT_ZONE_DIR_ORIG |
170					 XT_CT_ZONE_DIR_REPL |
171					 XT_CT_ZONE_MARK))
172		goto err1;
173#endif
174
175	ret = nf_ct_netns_get(par->net, par->family);
176	if (ret < 0)
177		goto err1;
178
179	memset(&zone, 0, sizeof(zone));
180	zone.id = info->zone;
181	zone.dir = xt_ct_flags_to_dir(info);
182	if (info->flags & XT_CT_ZONE_MARK)
183		zone.flags |= NF_CT_FLAG_MARK;
184
185	ct = nf_ct_tmpl_alloc(par->net, &zone, GFP_KERNEL);
186	if (!ct) {
187		ret = -ENOMEM;
188		goto err2;
189	}
190
191	if ((info->ct_events || info->exp_events) &&
192	    !nf_ct_ecache_ext_add(ct, info->ct_events, info->exp_events,
193				  GFP_KERNEL)) {
194		ret = -EINVAL;
195		goto err3;
196	}
197
198	if (info->helper[0]) {
199		if (strnlen(info->helper, sizeof(info->helper)) == sizeof(info->helper)) {
200			ret = -ENAMETOOLONG;
201			goto err3;
202		}
203
204		ret = xt_ct_set_helper(ct, info->helper, par);
205		if (ret < 0)
206			goto err3;
207	}
208
209	if (info->timeout[0]) {
210		if (strnlen(info->timeout, sizeof(info->timeout)) == sizeof(info->timeout)) {
211			ret = -ENAMETOOLONG;
212			goto err4;
213		}
214
215		ret = xt_ct_set_timeout(ct, par, info->timeout);
216		if (ret < 0)
217			goto err4;
218	}
219	__set_bit(IPS_CONFIRMED_BIT, &ct->status);
220out:
221	info->ct = ct;
222	return 0;
223
224err4:
225	help = nfct_help(ct);
226	xt_ct_put_helper(help);
227err3:
228	nf_ct_tmpl_free(ct);
229err2:
230	nf_ct_netns_put(par->net, par->family);
231err1:
232	return ret;
233}
234
235static int xt_ct_tg_check_v0(const struct xt_tgchk_param *par)
236{
237	struct xt_ct_target_info *info = par->targinfo;
238	struct xt_ct_target_info_v1 info_v1 = {
239		.flags 		= info->flags,
240		.zone		= info->zone,
241		.ct_events	= info->ct_events,
242		.exp_events	= info->exp_events,
243	};
244	int ret;
245
246	if (info->flags & ~XT_CT_NOTRACK)
247		return -EINVAL;
248
249	memcpy(info_v1.helper, info->helper, sizeof(info->helper));
250
251	ret = xt_ct_tg_check(par, &info_v1);
252	if (ret < 0)
253		return ret;
254
255	info->ct = info_v1.ct;
256
257	return ret;
258}
259
260static int xt_ct_tg_check_v1(const struct xt_tgchk_param *par)
261{
262	struct xt_ct_target_info_v1 *info = par->targinfo;
263
264	if (info->flags & ~XT_CT_NOTRACK)
265		return -EINVAL;
266
267	return xt_ct_tg_check(par, par->targinfo);
268}
269
270static int xt_ct_tg_check_v2(const struct xt_tgchk_param *par)
271{
272	struct xt_ct_target_info_v1 *info = par->targinfo;
273
274	if (info->flags & ~XT_CT_MASK)
275		return -EINVAL;
276
277	return xt_ct_tg_check(par, par->targinfo);
278}
279
280static void xt_ct_tg_destroy(const struct xt_tgdtor_param *par,
281			     struct xt_ct_target_info_v1 *info)
282{
283	struct nf_conn *ct = info->ct;
284	struct nf_conn_help *help;
285
286	if (ct) {
287		if (info->helper[0] || info->timeout[0])
288			nf_queue_nf_hook_drop(par->net);
289
290		help = nfct_help(ct);
291		xt_ct_put_helper(help);
292
293		nf_ct_netns_put(par->net, par->family);
294
295		nf_ct_destroy_timeout(ct);
296		nf_ct_put(info->ct);
297	}
298}
299
300static void xt_ct_tg_destroy_v0(const struct xt_tgdtor_param *par)
301{
302	struct xt_ct_target_info *info = par->targinfo;
303	struct xt_ct_target_info_v1 info_v1 = {
304		.flags 		= info->flags,
305		.zone		= info->zone,
306		.ct_events	= info->ct_events,
307		.exp_events	= info->exp_events,
308		.ct		= info->ct,
309	};
310	memcpy(info_v1.helper, info->helper, sizeof(info->helper));
311
312	xt_ct_tg_destroy(par, &info_v1);
313}
314
315static void xt_ct_tg_destroy_v1(const struct xt_tgdtor_param *par)
316{
317	xt_ct_tg_destroy(par, par->targinfo);
318}
319
320static unsigned int
321notrack_tg(struct sk_buff *skb, const struct xt_action_param *par)
322{
323	/* Previously seen (loopback)? Ignore. */
324	if (skb->_nfct != 0)
325		return XT_CONTINUE;
326
327	nf_ct_set(skb, NULL, IP_CT_UNTRACKED);
328
329	return XT_CONTINUE;
330}
331
332static struct xt_target xt_ct_tg_reg[] __read_mostly = {
333	{
334		.name		= "NOTRACK",
335		.revision	= 0,
336		.family		= NFPROTO_IPV4,
337		.target		= notrack_tg,
338		.table		= "raw",
339		.me		= THIS_MODULE,
340	},
341	{
342		.name		= "CT",
343		.family		= NFPROTO_IPV4,
344		.targetsize	= sizeof(struct xt_ct_target_info),
345		.usersize	= offsetof(struct xt_ct_target_info, ct),
346		.checkentry	= xt_ct_tg_check_v0,
347		.destroy	= xt_ct_tg_destroy_v0,
348		.target		= xt_ct_target_v0,
349		.table		= "raw",
350		.me		= THIS_MODULE,
351	},
352	{
353		.name		= "CT",
354		.family		= NFPROTO_IPV4,
355		.revision	= 1,
356		.targetsize	= sizeof(struct xt_ct_target_info_v1),
357		.usersize	= offsetof(struct xt_ct_target_info, ct),
358		.checkentry	= xt_ct_tg_check_v1,
359		.destroy	= xt_ct_tg_destroy_v1,
360		.target		= xt_ct_target_v1,
361		.table		= "raw",
362		.me		= THIS_MODULE,
363	},
364	{
365		.name		= "CT",
366		.family		= NFPROTO_IPV4,
367		.revision	= 2,
368		.targetsize	= sizeof(struct xt_ct_target_info_v1),
369		.usersize	= offsetof(struct xt_ct_target_info, ct),
370		.checkentry	= xt_ct_tg_check_v2,
371		.destroy	= xt_ct_tg_destroy_v1,
372		.target		= xt_ct_target_v1,
373		.table		= "raw",
374		.me		= THIS_MODULE,
375	},
376#if IS_ENABLED(CONFIG_IP6_NF_IPTABLES)
377	{
378		.name		= "NOTRACK",
379		.revision	= 0,
380		.family		= NFPROTO_IPV6,
381		.target		= notrack_tg,
382		.table		= "raw",
383		.me		= THIS_MODULE,
384	},
385	{
386		.name		= "CT",
387		.family		= NFPROTO_IPV6,
388		.targetsize	= sizeof(struct xt_ct_target_info),
389		.usersize	= offsetof(struct xt_ct_target_info, ct),
390		.checkentry	= xt_ct_tg_check_v0,
391		.destroy	= xt_ct_tg_destroy_v0,
392		.target		= xt_ct_target_v0,
393		.table		= "raw",
394		.me		= THIS_MODULE,
395	},
396	{
397		.name		= "CT",
398		.family		= NFPROTO_IPV6,
399		.revision	= 1,
400		.targetsize	= sizeof(struct xt_ct_target_info_v1),
401		.usersize	= offsetof(struct xt_ct_target_info, ct),
402		.checkentry	= xt_ct_tg_check_v1,
403		.destroy	= xt_ct_tg_destroy_v1,
404		.target		= xt_ct_target_v1,
405		.table		= "raw",
406		.me		= THIS_MODULE,
407	},
408	{
409		.name		= "CT",
410		.family		= NFPROTO_IPV6,
411		.revision	= 2,
412		.targetsize	= sizeof(struct xt_ct_target_info_v1),
413		.usersize	= offsetof(struct xt_ct_target_info, ct),
414		.checkentry	= xt_ct_tg_check_v2,
415		.destroy	= xt_ct_tg_destroy_v1,
416		.target		= xt_ct_target_v1,
417		.table		= "raw",
418		.me		= THIS_MODULE,
419	},
420#endif
421};
422
423static int __init xt_ct_tg_init(void)
424{
425	return xt_register_targets(xt_ct_tg_reg, ARRAY_SIZE(xt_ct_tg_reg));
426}
427
428static void __exit xt_ct_tg_exit(void)
429{
430	xt_unregister_targets(xt_ct_tg_reg, ARRAY_SIZE(xt_ct_tg_reg));
431}
432
433module_init(xt_ct_tg_init);
434module_exit(xt_ct_tg_exit);
435
436MODULE_LICENSE("GPL");
437MODULE_DESCRIPTION("Xtables: connection tracking target");
438MODULE_ALIAS("ipt_CT");
439MODULE_ALIAS("ip6t_CT");
440MODULE_ALIAS("ipt_NOTRACK");
441MODULE_ALIAS("ip6t_NOTRACK");
Configure Feed

Configure Feed
