netfilter/nft_ct.c

   1 // SPDX-License-Identifier: GPL-2.0-only
   2 /*
   3  * Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
   4  * Copyright (c) 2016 Pablo Neira Ayuso <pablo@netfilter.org>
   5  *
   6  * Development of this code funded by Astaro AG (http://www.astaro.com/)
   7  */
   8
   9 #include <linux/kernel.h>
  10 #include <linux/init.h>
  11 #include <linux/module.h>
  12 #include <linux/netlink.h>
  13 #include <linux/netfilter.h>
  14 #include <linux/netfilter/nf_tables.h>
  15 #include <net/netfilter/nf_tables.h>
  16 #include <net/netfilter/nf_conntrack.h>
  17 #include <net/netfilter/nf_conntrack_acct.h>
  18 #include <net/netfilter/nf_conntrack_tuple.h>
  19 #include <net/netfilter/nf_conntrack_helper.h>
  20 #include <net/netfilter/nf_conntrack_ecache.h>
  21 #include <net/netfilter/nf_conntrack_labels.h>
  22 #include <net/netfilter/nf_conntrack_timeout.h>
  23 #include <net/netfilter/nf_conntrack_l4proto.h>
  24 #include <net/netfilter/nf_conntrack_expect.h>
  25
  26 struct nft_ct {
  27         enum nft_ct_keys        key:8;
  28         enum ip_conntrack_dir   dir:8;
  29         u8                      len;
  30         union {
  31                 u8              dreg;
  32                 u8              sreg;
  33         };
  34 };
  35
  36 struct nft_ct_helper_obj  {
  37         struct nf_conntrack_helper *helper4;
  38         struct nf_conntrack_helper *helper6;
  39         u8 l4proto;
  40 };
  41
  42 #ifdef CONFIG_NF_CONNTRACK_ZONES
  43 static DEFINE_PER_CPU(struct nf_conn *, nft_ct_pcpu_template);
  44 static unsigned int nft_ct_pcpu_template_refcnt __read_mostly;
  45 static DEFINE_MUTEX(nft_ct_pcpu_mutex);
  46 #endif
  47
  48 static u64 nft_ct_get_eval_counter(const struct nf_conn_counter *c,
  49                                    enum nft_ct_keys k,
  50                                    enum ip_conntrack_dir d)
  51 {
  52         if (d < IP_CT_DIR_MAX)
  53                 return k == NFT_CT_BYTES ? atomic64_read(&c[d].bytes) :
  54                                            atomic64_read(&c[d].packets);
  55
  56         return nft_ct_get_eval_counter(c, k, IP_CT_DIR_ORIGINAL) +
  57                nft_ct_get_eval_counter(c, k, IP_CT_DIR_REPLY);
  58 }
  59
  60 static void nft_ct_get_eval(const struct nft_expr *expr,
  61                             struct nft_regs *regs,
  62                             const struct nft_pktinfo *pkt)
  63 {
  64         const struct nft_ct *priv = nft_expr_priv(expr);
  65         u32 *dest = &regs->data[priv->dreg];
  66         enum ip_conntrack_info ctinfo;
  67         const struct nf_conn *ct;
  68         const struct nf_conn_help *help;
  69         const struct nf_conntrack_tuple *tuple;
  70         const struct nf_conntrack_helper *helper;
  71         unsigned int state;
  72
  73         ct = nf_ct_get(pkt->skb, &ctinfo);
  74
  75         switch (priv->key) {
  76         case NFT_CT_STATE:
  77                 if (ct)
  78                         state = NF_CT_STATE_BIT(ctinfo);
  79                 else if (ctinfo == IP_CT_UNTRACKED)
  80                         state = NF_CT_STATE_UNTRACKED_BIT;
  81                 else
  82                         state = NF_CT_STATE_INVALID_BIT;
  83                 *dest = state;
  84                 return;
  85         default:
  86                 break;
  87         }
  88
  89         if (ct == NULL)
  90                 goto err;
  91
  92         switch (priv->key) {
  93         case NFT_CT_DIRECTION:
  94                 nft_reg_store8(dest, CTINFO2DIR(ctinfo));
  95                 return;
  96         case NFT_CT_STATUS:
  97                 *dest = ct->status;
  98                 return;
  99 #ifdef CONFIG_NF_CONNTRACK_MARK
 100         case NFT_CT_MARK:
 101                 *dest = READ_ONCE(ct->mark);
 102                 return;
 103 #endif
 104 #ifdef CONFIG_NF_CONNTRACK_SECMARK
 105         case NFT_CT_SECMARK:
 106                 *dest = ct->secmark;
 107                 return;
 108 #endif
 109         case NFT_CT_EXPIRATION:
 110                 *dest = jiffies_to_msecs(nf_ct_expires(ct));
 111                 return;
 112         case NFT_CT_HELPER:
 113                 if (ct->master == NULL)
 114                         goto err;
 115                 help = nfct_help(ct->master);
 116                 if (help == NULL)
 117                         goto err;
 118                 helper = rcu_dereference(help->helper);
 119                 if (helper == NULL)
 120                         goto err;
 121                 strncpy((char *)dest, helper->name, NF_CT_HELPER_NAME_LEN);
 122                 return;
 123 #ifdef CONFIG_NF_CONNTRACK_LABELS
 124         case NFT_CT_LABELS: {
 125                 struct nf_conn_labels *labels = nf_ct_labels_find(ct);
 126
 127                 if (labels)
 128                         memcpy(dest, labels->bits, NF_CT_LABELS_MAX_SIZE);
 129                 else
 130                         memset(dest, 0, NF_CT_LABELS_MAX_SIZE);
 131                 return;
 132         }
 133 #endif
 134         case NFT_CT_BYTES:
 135         case NFT_CT_PKTS: {
 136                 const struct nf_conn_acct *acct = nf_conn_acct_find(ct);
 137                 u64 count = 0;
 138
 139                 if (acct)
 140                         count = nft_ct_get_eval_counter(acct->counter,
 141                                                         priv->key, priv->dir);
 142                 memcpy(dest, &count, sizeof(count));
 143                 return;
 144         }
 145         case NFT_CT_AVGPKT: {
 146                 const struct nf_conn_acct *acct = nf_conn_acct_find(ct);
 147                 u64 avgcnt = 0, bcnt = 0, pcnt = 0;
 148
 149                 if (acct) {
 150                         pcnt = nft_ct_get_eval_counter(acct->counter,
 151                                                        NFT_CT_PKTS, priv->dir);
 152                         bcnt = nft_ct_get_eval_counter(acct->counter,
 153                                                        NFT_CT_BYTES, priv->dir);
 154                         if (pcnt != 0)
 155                                 avgcnt = div64_u64(bcnt, pcnt);
 156                 }
 157
 158                 memcpy(dest, &avgcnt, sizeof(avgcnt));
 159                 return;
 160         }
 161         case NFT_CT_L3PROTOCOL:
 162                 nft_reg_store8(dest, nf_ct_l3num(ct));
 163                 return;
 164         case NFT_CT_PROTOCOL:
 165                 nft_reg_store8(dest, nf_ct_protonum(ct));
 166                 return;
 167 #ifdef CONFIG_NF_CONNTRACK_ZONES
 168         case NFT_CT_ZONE: {
 169                 const struct nf_conntrack_zone *zone = nf_ct_zone(ct);
 170                 u16 zoneid;
 171
 172                 if (priv->dir < IP_CT_DIR_MAX)
 173                         zoneid = nf_ct_zone_id(zone, priv->dir);
 174                 else
 175                         zoneid = zone->id;
 176
 177                 nft_reg_store16(dest, zoneid);
 178                 return;
 179         }
 180 #endif
 181         case NFT_CT_ID:
 182                 *dest = nf_ct_get_id(ct);
 183                 return;
 184         default:
 185                 break;
 186         }
 187
 188         tuple = &ct->tuplehash[priv->dir].tuple;
 189         switch (priv->key) {
 190         case NFT_CT_SRC:
 191                 memcpy(dest, tuple->src.u3.all,
 192                        nf_ct_l3num(ct) == NFPROTO_IPV4 ? 4 : 16);
 193                 return;
 194         case NFT_CT_DST:
 195                 memcpy(dest, tuple->dst.u3.all,
 196                        nf_ct_l3num(ct) == NFPROTO_IPV4 ? 4 : 16);
 197                 return;
 198         case NFT_CT_PROTO_SRC:
 199                 nft_reg_store16(dest, (__force u16)tuple->src.u.all);
 200                 return;
 201         case NFT_CT_PROTO_DST:
 202                 nft_reg_store16(dest, (__force u16)tuple->dst.u.all);
 203                 return;
 204         case NFT_CT_SRC_IP:
 205                 if (nf_ct_l3num(ct) != NFPROTO_IPV4)
 206                         goto err;
 207                 *dest = (__force __u32)tuple->src.u3.ip;
 208                 return;
 209         case NFT_CT_DST_IP:
 210                 if (nf_ct_l3num(ct) != NFPROTO_IPV4)
 211                         goto err;
 212                 *dest = (__force __u32)tuple->dst.u3.ip;
 213                 return;
 214         case NFT_CT_SRC_IP6:
 215                 if (nf_ct_l3num(ct) != NFPROTO_IPV6)
 216                         goto err;
 217                 memcpy(dest, tuple->src.u3.ip6, sizeof(struct in6_addr));
 218                 return;
 219         case NFT_CT_DST_IP6:
 220                 if (nf_ct_l3num(ct) != NFPROTO_IPV6)
 221                         goto err;
 222                 memcpy(dest, tuple->dst.u3.ip6, sizeof(struct in6_addr));
 223                 return;
 224         default:
 225                 break;
 226         }
 227         return;
 228 err:
 229         regs->verdict.code = NFT_BREAK;
 230 }
 231
 232 #ifdef CONFIG_NF_CONNTRACK_ZONES
 233 static void nft_ct_set_zone_eval(const struct nft_expr *expr,
 234                                  struct nft_regs *regs,
 235                                  const struct nft_pktinfo *pkt)
 236 {
 237         struct nf_conntrack_zone zone = { .dir = NF_CT_DEFAULT_ZONE_DIR };
 238         const struct nft_ct *priv = nft_expr_priv(expr);
 239         struct sk_buff *skb = pkt->skb;
 240         enum ip_conntrack_info ctinfo;
 241         u16 value = nft_reg_load16(&regs->data[priv->sreg]);
 242         struct nf_conn *ct;
 243
 244         ct = nf_ct_get(skb, &ctinfo);
 245         if (ct) /* already tracked */
 246                 return;
 247
 248         zone.id = value;
 249
 250         switch (priv->dir) {
 251         case IP_CT_DIR_ORIGINAL:
 252                 zone.dir = NF_CT_ZONE_DIR_ORIG;
 253                 break;
 254         case IP_CT_DIR_REPLY:
 255                 zone.dir = NF_CT_ZONE_DIR_REPL;
 256                 break;
 257         default:
 258                 break;
 259         }
 260
 261         ct = this_cpu_read(nft_ct_pcpu_template);
 262
 263         if (likely(refcount_read(&ct->ct_general.use) == 1)) {
 264                 refcount_inc(&ct->ct_general.use);
 265                 nf_ct_zone_add(ct, &zone);
 266         } else {
 267                 /* previous skb got queued to userspace, allocate temporary
 268                  * one until percpu template can be reused.
 269                  */
 270                 ct = nf_ct_tmpl_alloc(nft_net(pkt), &zone, GFP_ATOMIC);
 271                 if (!ct) {
 272                         regs->verdict.code = NF_DROP;
 273                         return;
 274                 }
 275         }
 276
 277         nf_ct_set(skb, ct, IP_CT_NEW);
 278 }
 279 #endif
 280
 281 static void nft_ct_set_eval(const struct nft_expr *expr,
 282                             struct nft_regs *regs,
 283                             const struct nft_pktinfo *pkt)
 284 {
 285         const struct nft_ct *priv = nft_expr_priv(expr);
 286         struct sk_buff *skb = pkt->skb;
 287 #if defined(CONFIG_NF_CONNTRACK_MARK) || defined(CONFIG_NF_CONNTRACK_SECMARK)
 288         u32 value = regs->data[priv->sreg];
 289 #endif
 290         enum ip_conntrack_info ctinfo;
 291         struct nf_conn *ct;
 292
 293         ct = nf_ct_get(skb, &ctinfo);
 294         if (ct == NULL || nf_ct_is_template(ct))
 295                 return;
 296
 297         switch (priv->key) {
 298 #ifdef CONFIG_NF_CONNTRACK_MARK
 299         case NFT_CT_MARK:
 300                 if (READ_ONCE(ct->mark) != value) {
 301                         WRITE_ONCE(ct->mark, value);
 302                         nf_conntrack_event_cache(IPCT_MARK, ct);
 303                 }
 304                 break;
 305 #endif
 306 #ifdef CONFIG_NF_CONNTRACK_SECMARK
 307         case NFT_CT_SECMARK:
 308                 if (ct->secmark != value) {
 309                         ct->secmark = value;
 310                         nf_conntrack_event_cache(IPCT_SECMARK, ct);
 311                 }
 312                 break;
 313 #endif
 314 #ifdef CONFIG_NF_CONNTRACK_LABELS
 315         case NFT_CT_LABELS:
 316                 nf_connlabels_replace(ct,
 317                                       &regs->data[priv->sreg],
 318                                       &regs->data[priv->sreg],
 319                                       NF_CT_LABELS_MAX_SIZE / sizeof(u32));
 320                 break;
 321 #endif
 322 #ifdef CONFIG_NF_CONNTRACK_EVENTS
 323         case NFT_CT_EVENTMASK: {
 324                 struct nf_conntrack_ecache *e = nf_ct_ecache_find(ct);
 325                 u32 ctmask = regs->data[priv->sreg];
 326
 327                 if (e) {
 328                         if (e->ctmask != ctmask)
 329                                 e->ctmask = ctmask;
 330                         break;
 331                 }
 332
 333                 if (ctmask && !nf_ct_is_confirmed(ct))
 334                         nf_ct_ecache_ext_add(ct, ctmask, 0, GFP_ATOMIC);
 335                 break;
 336         }
 337 #endif
 338         default:
 339                 break;
 340         }
 341 }
 342
 343 static const struct nla_policy nft_ct_policy[NFTA_CT_MAX + 1] = {
 344         [NFTA_CT_DREG]          = { .type = NLA_U32 },
 345         [NFTA_CT_KEY]           = { .type = NLA_U32 },
 346         [NFTA_CT_DIRECTION]     = { .type = NLA_U8 },
 347         [NFTA_CT_SREG]          = { .type = NLA_U32 },
 348 };
 349
 350 #ifdef CONFIG_NF_CONNTRACK_ZONES
 351 static void nft_ct_tmpl_put_pcpu(void)
 352 {
 353         struct nf_conn *ct;
 354         int cpu;
 355
 356         for_each_possible_cpu(cpu) {
 357                 ct = per_cpu(nft_ct_pcpu_template, cpu);
 358                 if (!ct)
 359                         break;
 360                 nf_ct_put(ct);
 361                 per_cpu(nft_ct_pcpu_template, cpu) = NULL;
 362         }
 363 }
 364
 365 static bool nft_ct_tmpl_alloc_pcpu(void)
 366 {
 367         struct nf_conntrack_zone zone = { .id = 0 };
 368         struct nf_conn *tmp;
 369         int cpu;
 370
 371         if (nft_ct_pcpu_template_refcnt)
 372                 return true;
 373
 374         for_each_possible_cpu(cpu) {
 375                 tmp = nf_ct_tmpl_alloc(&init_net, &zone, GFP_KERNEL);
 376                 if (!tmp) {
 377                         nft_ct_tmpl_put_pcpu();
 378                         return false;
 379                 }
 380
 381                 per_cpu(nft_ct_pcpu_template, cpu) = tmp;
 382         }
 383
 384         return true;
 385 }
 386 #endif
 387
 388 static int nft_ct_get_init(const struct nft_ctx *ctx,
 389                            const struct nft_expr *expr,
 390                            const struct nlattr * const tb[])
 391 {
 392         struct nft_ct *priv = nft_expr_priv(expr);
 393         unsigned int len;
 394         int err;
 395
 396         priv->key = ntohl(nla_get_be32(tb[NFTA_CT_KEY]));
 397         priv->dir = IP_CT_DIR_MAX;
 398         switch (priv->key) {
 399         case NFT_CT_DIRECTION:
 400                 if (tb[NFTA_CT_DIRECTION] != NULL)
 401                         return -EINVAL;
 402                 len = sizeof(u8);
 403                 break;
 404         case NFT_CT_STATE:
 405         case NFT_CT_STATUS:
 406 #ifdef CONFIG_NF_CONNTRACK_MARK
 407         case NFT_CT_MARK:
 408 #endif
 409 #ifdef CONFIG_NF_CONNTRACK_SECMARK
 410         case NFT_CT_SECMARK:
 411 #endif
 412         case NFT_CT_EXPIRATION:
 413                 if (tb[NFTA_CT_DIRECTION] != NULL)
 414                         return -EINVAL;
 415                 len = sizeof(u32);
 416                 break;
 417 #ifdef CONFIG_NF_CONNTRACK_LABELS
 418         case NFT_CT_LABELS:
 419                 if (tb[NFTA_CT_DIRECTION] != NULL)
 420                         return -EINVAL;
 421                 len = NF_CT_LABELS_MAX_SIZE;
 422                 break;
 423 #endif
 424         case NFT_CT_HELPER:
 425                 if (tb[NFTA_CT_DIRECTION] != NULL)
 426                         return -EINVAL;
 427                 len = NF_CT_HELPER_NAME_LEN;
 428                 break;
 429
 430         case NFT_CT_L3PROTOCOL:
 431         case NFT_CT_PROTOCOL:
 432                 /* For compatibility, do not report error if NFTA_CT_DIRECTION
 433                  * attribute is specified.
 434                  */
 435                 len = sizeof(u8);
 436                 break;
 437         case NFT_CT_SRC:
 438         case NFT_CT_DST:
 439                 if (tb[NFTA_CT_DIRECTION] == NULL)
 440                         return -EINVAL;
 441
 442                 switch (ctx->family) {
 443                 case NFPROTO_IPV4:
 444                         len = sizeof_field(struct nf_conntrack_tuple,
 445                                            src.u3.ip);
 446                         break;
 447                 case NFPROTO_IPV6:
 448                 case NFPROTO_INET:
 449                         len = sizeof_field(struct nf_conntrack_tuple,
 450                                            src.u3.ip6);
 451                         break;
 452                 default:
 453                         return -EAFNOSUPPORT;
 454                 }
 455                 break;
 456         case NFT_CT_SRC_IP:
 457         case NFT_CT_DST_IP:
 458                 if (tb[NFTA_CT_DIRECTION] == NULL)
 459                         return -EINVAL;
 460
 461                 len = sizeof_field(struct nf_conntrack_tuple, src.u3.ip);
 462                 break;
 463         case NFT_CT_SRC_IP6:
 464         case NFT_CT_DST_IP6:
 465                 if (tb[NFTA_CT_DIRECTION] == NULL)
 466                         return -EINVAL;
 467
 468                 len = sizeof_field(struct nf_conntrack_tuple, src.u3.ip6);
 469                 break;
 470         case NFT_CT_PROTO_SRC:
 471         case NFT_CT_PROTO_DST:
 472                 if (tb[NFTA_CT_DIRECTION] == NULL)
 473                         return -EINVAL;
 474                 len = sizeof_field(struct nf_conntrack_tuple, src.u.all);
 475                 break;
 476         case NFT_CT_BYTES:
 477         case NFT_CT_PKTS:
 478         case NFT_CT_AVGPKT:
 479                 len = sizeof(u64);
 480                 break;
 481 #ifdef CONFIG_NF_CONNTRACK_ZONES
 482         case NFT_CT_ZONE:
 483                 len = sizeof(u16);
 484                 break;
 485 #endif
 486         case NFT_CT_ID:
 487                 if (tb[NFTA_CT_DIRECTION])
 488                         return -EINVAL;
 489
 490                 len = sizeof(u32);
 491                 break;
 492         default:
 493                 return -EOPNOTSUPP;
 494         }
 495
 496         if (tb[NFTA_CT_DIRECTION] != NULL) {
 497                 priv->dir = nla_get_u8(tb[NFTA_CT_DIRECTION]);
 498                 switch (priv->dir) {
 499                 case IP_CT_DIR_ORIGINAL:
 500                 case IP_CT_DIR_REPLY:
 501                         break;
 502                 default:
 503                         return -EINVAL;
 504                 }
 505         }
 506
 507         priv->len = len;
 508         err = nft_parse_register_store(ctx, tb[NFTA_CT_DREG], &priv->dreg, NULL,
 509                                        NFT_DATA_VALUE, len);
 510         if (err < 0)
 511                 return err;
 512
 513         err = nf_ct_netns_get(ctx->net, ctx->family);
 514         if (err < 0)
 515                 return err;
 516
 517         if (priv->key == NFT_CT_BYTES ||
 518             priv->key == NFT_CT_PKTS  ||
 519             priv->key == NFT_CT_AVGPKT)
 520                 nf_ct_set_acct(ctx->net, true);
 521
 522         return 0;
 523 }
 524
 525 static void __nft_ct_set_destroy(const struct nft_ctx *ctx, struct nft_ct *priv)
 526 {
 527         switch (priv->key) {
 528 #ifdef CONFIG_NF_CONNTRACK_LABELS
 529         case NFT_CT_LABELS:
 530                 nf_connlabels_put(ctx->net);
 531                 break;
 532 #endif
 533 #ifdef CONFIG_NF_CONNTRACK_ZONES
 534         case NFT_CT_ZONE:
 535                 mutex_lock(&nft_ct_pcpu_mutex);
 536                 if (--nft_ct_pcpu_template_refcnt == 0)
 537                         nft_ct_tmpl_put_pcpu();
 538                 mutex_unlock(&nft_ct_pcpu_mutex);
 539                 break;
 540 #endif
 541         default:
 542                 break;
 543         }
 544 }
 545
 546 static int nft_ct_set_init(const struct nft_ctx *ctx,
 547                            const struct nft_expr *expr,
 548                            const struct nlattr * const tb[])
 549 {
 550         struct nft_ct *priv = nft_expr_priv(expr);
 551         unsigned int len;
 552         int err;
 553
 554         priv->dir = IP_CT_DIR_MAX;
 555         priv->key = ntohl(nla_get_be32(tb[NFTA_CT_KEY]));
 556         switch (priv->key) {
 557 #ifdef CONFIG_NF_CONNTRACK_MARK
 558         case NFT_CT_MARK:
 559                 if (tb[NFTA_CT_DIRECTION])
 560                         return -EINVAL;
 561                 len = sizeof_field(struct nf_conn, mark);
 562                 break;
 563 #endif
 564 #ifdef CONFIG_NF_CONNTRACK_LABELS
 565         case NFT_CT_LABELS:
 566                 if (tb[NFTA_CT_DIRECTION])
 567                         return -EINVAL;
 568                 len = NF_CT_LABELS_MAX_SIZE;
 569                 err = nf_connlabels_get(ctx->net, (len * BITS_PER_BYTE) - 1);
 570                 if (err)
 571                         return err;
 572                 break;
 573 #endif
 574 #ifdef CONFIG_NF_CONNTRACK_ZONES
 575         case NFT_CT_ZONE:
 576                 mutex_lock(&nft_ct_pcpu_mutex);
 577                 if (!nft_ct_tmpl_alloc_pcpu()) {
 578                         mutex_unlock(&nft_ct_pcpu_mutex);
 579                         return -ENOMEM;
 580                 }
 581                 nft_ct_pcpu_template_refcnt++;
 582                 mutex_unlock(&nft_ct_pcpu_mutex);
 583                 len = sizeof(u16);
 584                 break;
 585 #endif
 586 #ifdef CONFIG_NF_CONNTRACK_EVENTS
 587         case NFT_CT_EVENTMASK:
 588                 if (tb[NFTA_CT_DIRECTION])
 589                         return -EINVAL;
 590                 len = sizeof(u32);
 591                 break;
 592 #endif
 593 #ifdef CONFIG_NF_CONNTRACK_SECMARK
 594         case NFT_CT_SECMARK:
 595                 if (tb[NFTA_CT_DIRECTION])
 596                         return -EINVAL;
 597                 len = sizeof(u32);
 598                 break;
 599 #endif
 600         default:
 601                 return -EOPNOTSUPP;
 602         }
 603
 604         if (tb[NFTA_CT_DIRECTION]) {
 605                 priv->dir = nla_get_u8(tb[NFTA_CT_DIRECTION]);
 606                 switch (priv->dir) {
 607                 case IP_CT_DIR_ORIGINAL:
 608                 case IP_CT_DIR_REPLY:
 609                         break;
 610                 default:
 611                         err = -EINVAL;
 612                         goto err1;
 613                 }
 614         }
 615
 616         priv->len = len;
 617         err = nft_parse_register_load(tb[NFTA_CT_SREG], &priv->sreg, len);
 618         if (err < 0)
 619                 goto err1;
 620
 621         err = nf_ct_netns_get(ctx->net, ctx->family);
 622         if (err < 0)
 623                 goto err1;
 624
 625         return 0;
 626
 627 err1:
 628         __nft_ct_set_destroy(ctx, priv);
 629         return err;
 630 }
 631
 632 static void nft_ct_get_destroy(const struct nft_ctx *ctx,
 633                                const struct nft_expr *expr)
 634 {
 635         nf_ct_netns_put(ctx->net, ctx->family);
 636 }
 637
 638 static void nft_ct_set_destroy(const struct nft_ctx *ctx,
 639                                const struct nft_expr *expr)
 640 {
 641         struct nft_ct *priv = nft_expr_priv(expr);
 642
 643         __nft_ct_set_destroy(ctx, priv);
 644         nf_ct_netns_put(ctx->net, ctx->family);
 645 }
 646
 647 static int nft_ct_get_dump(struct sk_buff *skb, const struct nft_expr *expr)
 648 {
 649         const struct nft_ct *priv = nft_expr_priv(expr);
 650
 651         if (nft_dump_register(skb, NFTA_CT_DREG, priv->dreg))
 652                 goto nla_put_failure;
 653         if (nla_put_be32(skb, NFTA_CT_KEY, htonl(priv->key)))
 654                 goto nla_put_failure;
 655
 656         switch (priv->key) {
 657         case NFT_CT_SRC:
 658         case NFT_CT_DST:
 659         case NFT_CT_SRC_IP:
 660         case NFT_CT_DST_IP:
 661         case NFT_CT_SRC_IP6:
 662         case NFT_CT_DST_IP6:
 663         case NFT_CT_PROTO_SRC:
 664         case NFT_CT_PROTO_DST:
 665                 if (nla_put_u8(skb, NFTA_CT_DIRECTION, priv->dir))
 666                         goto nla_put_failure;
 667                 break;
 668         case NFT_CT_BYTES:
 669         case NFT_CT_PKTS:
 670         case NFT_CT_AVGPKT:
 671         case NFT_CT_ZONE:
 672                 if (priv->dir < IP_CT_DIR_MAX &&
 673                     nla_put_u8(skb, NFTA_CT_DIRECTION, priv->dir))
 674                         goto nla_put_failure;
 675                 break;
 676         default:
 677                 break;
 678         }
 679
 680         return 0;
 681
 682 nla_put_failure:
 683         return -1;
 684 }
 685
 686 static bool nft_ct_get_reduce(struct nft_regs_track *track,
 687                               const struct nft_expr *expr)
 688 {
 689         const struct nft_ct *priv = nft_expr_priv(expr);
 690         const struct nft_ct *ct;
 691
 692         if (!nft_reg_track_cmp(track, expr, priv->dreg)) {
 693                 nft_reg_track_update(track, expr, priv->dreg, priv->len);
 694                 return false;
 695         }
 696
 697         ct = nft_expr_priv(track->regs[priv->dreg].selector);
 698         if (priv->key != ct->key) {
 699                 nft_reg_track_update(track, expr, priv->dreg, priv->len);
 700                 return false;
 701         }
 702
 703         if (!track->regs[priv->dreg].bitwise)
 704                 return true;
 705
 706         return nft_expr_reduce_bitwise(track, expr);
 707 }
 708
 709 static int nft_ct_set_dump(struct sk_buff *skb, const struct nft_expr *expr)
 710 {
 711         const struct nft_ct *priv = nft_expr_priv(expr);
 712
 713         if (nft_dump_register(skb, NFTA_CT_SREG, priv->sreg))
 714                 goto nla_put_failure;
 715         if (nla_put_be32(skb, NFTA_CT_KEY, htonl(priv->key)))
 716                 goto nla_put_failure;
 717
 718         switch (priv->key) {
 719         case NFT_CT_ZONE:
 720                 if (priv->dir < IP_CT_DIR_MAX &&
 721                     nla_put_u8(skb, NFTA_CT_DIRECTION, priv->dir))
 722                         goto nla_put_failure;
 723                 break;
 724         default:
 725                 break;
 726         }
 727
 728         return 0;
 729
 730 nla_put_failure:
 731         return -1;
 732 }
 733
 734 static struct nft_expr_type nft_ct_type;
 735 static const struct nft_expr_ops nft_ct_get_ops = {
 736         .type           = &nft_ct_type,
 737         .size           = NFT_EXPR_SIZE(sizeof(struct nft_ct)),
 738         .eval           = nft_ct_get_eval,
 739         .init           = nft_ct_get_init,
 740         .destroy        = nft_ct_get_destroy,
 741         .dump           = nft_ct_get_dump,
 742         .reduce         = nft_ct_get_reduce,
 743 };
 744
 745 static bool nft_ct_set_reduce(struct nft_regs_track *track,
 746                               const struct nft_expr *expr)
 747 {
 748         int i;
 749
 750         for (i = 0; i < NFT_REG32_NUM; i++) {
 751                 if (!track->regs[i].selector)
 752                         continue;
 753
 754                 if (track->regs[i].selector->ops != &nft_ct_get_ops)
 755                         continue;
 756
 757                 __nft_reg_track_cancel(track, i);
 758         }
 759
 760         return false;
 761 }
 762
 763 static const struct nft_expr_ops nft_ct_set_ops = {
 764         .type           = &nft_ct_type,
 765         .size           = NFT_EXPR_SIZE(sizeof(struct nft_ct)),
 766         .eval           = nft_ct_set_eval,
 767         .init           = nft_ct_set_init,
 768         .destroy        = nft_ct_set_destroy,
 769         .dump           = nft_ct_set_dump,
 770         .reduce         = nft_ct_set_reduce,
 771 };
 772
 773 #ifdef CONFIG_NF_CONNTRACK_ZONES
 774 static const struct nft_expr_ops nft_ct_set_zone_ops = {
 775         .type           = &nft_ct_type,
 776         .size           = NFT_EXPR_SIZE(sizeof(struct nft_ct)),
 777         .eval           = nft_ct_set_zone_eval,
 778         .init           = nft_ct_set_init,
 779         .destroy        = nft_ct_set_destroy,
 780         .dump           = nft_ct_set_dump,
 781         .reduce         = nft_ct_set_reduce,
 782 };
 783 #endif
 784
 785 static const struct nft_expr_ops *
 786 nft_ct_select_ops(const struct nft_ctx *ctx,
 787                     const struct nlattr * const tb[])
 788 {
 789         if (tb[NFTA_CT_KEY] == NULL)
 790                 return ERR_PTR(-EINVAL);
 791
 792         if (tb[NFTA_CT_DREG] && tb[NFTA_CT_SREG])
 793                 return ERR_PTR(-EINVAL);
 794
 795         if (tb[NFTA_CT_DREG])
 796                 return &nft_ct_get_ops;
 797
 798         if (tb[NFTA_CT_SREG]) {
 799 #ifdef CONFIG_NF_CONNTRACK_ZONES
 800                 if (nla_get_be32(tb[NFTA_CT_KEY]) == htonl(NFT_CT_ZONE))
 801                         return &nft_ct_set_zone_ops;
 802 #endif
 803                 return &nft_ct_set_ops;
 804         }
 805
 806         return ERR_PTR(-EINVAL);
 807 }
 808
 809 static struct nft_expr_type nft_ct_type __read_mostly = {
 810         .name           = "ct",
 811         .select_ops     = nft_ct_select_ops,
 812         .policy         = nft_ct_policy,
 813         .maxattr        = NFTA_CT_MAX,
 814         .owner          = THIS_MODULE,
 815 };
 816
 817 static void nft_notrack_eval(const struct nft_expr *expr,
 818                              struct nft_regs *regs,
 819                              const struct nft_pktinfo *pkt)
 820 {
 821         struct sk_buff *skb = pkt->skb;
 822         enum ip_conntrack_info ctinfo;
 823         struct nf_conn *ct;
 824
 825         ct = nf_ct_get(pkt->skb, &ctinfo);
 826         /* Previously seen (loopback or untracked)?  Ignore. */
 827         if (ct || ctinfo == IP_CT_UNTRACKED)
 828                 return;
 829
 830         nf_ct_set(skb, ct, IP_CT_UNTRACKED);
 831 }
 832
 833 static struct nft_expr_type nft_notrack_type;
 834 static const struct nft_expr_ops nft_notrack_ops = {
 835         .type           = &nft_notrack_type,
 836         .size           = NFT_EXPR_SIZE(0),
 837         .eval           = nft_notrack_eval,
 838         .reduce         = NFT_REDUCE_READONLY,
 839 };
 840
 841 static struct nft_expr_type nft_notrack_type __read_mostly = {
 842         .name           = "notrack",
 843         .ops            = &nft_notrack_ops,
 844         .owner          = THIS_MODULE,
 845 };
 846
 847 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT
 848 static int
 849 nft_ct_timeout_parse_policy(void *timeouts,
 850                             const struct nf_conntrack_l4proto *l4proto,
 851                             struct net *net, const struct nlattr *attr)
 852 {
 853         struct nlattr **tb;
 854         int ret = 0;
 855
 856         tb = kcalloc(l4proto->ctnl_timeout.nlattr_max + 1, sizeof(*tb),
 857                      GFP_KERNEL);
 858
 859         if (!tb)
 860                 return -ENOMEM;
 861
 862         ret = nla_parse_nested_deprecated(tb,
 863                                           l4proto->ctnl_timeout.nlattr_max,
 864                                           attr,
 865                                           l4proto->ctnl_timeout.nla_policy,
 866                                           NULL);
 867         if (ret < 0)
 868                 goto err;
 869
 870         ret = l4proto->ctnl_timeout.nlattr_to_obj(tb, net, timeouts);
 871
 872 err:
 873         kfree(tb);
 874         return ret;
 875 }
 876
 877 struct nft_ct_timeout_obj {
 878         struct nf_ct_timeout    *timeout;
 879         u8                      l4proto;
 880 };
 881
 882 static void nft_ct_timeout_obj_eval(struct nft_object *obj,
 883                                     struct nft_regs *regs,
 884                                     const struct nft_pktinfo *pkt)
 885 {
 886         const struct nft_ct_timeout_obj *priv = nft_obj_data(obj);
 887         struct nf_conn *ct = (struct nf_conn *)skb_nfct(pkt->skb);
 888         struct nf_conn_timeout *timeout;
 889         const unsigned int *values;
 890
 891         if (priv->l4proto != pkt->tprot)
 892                 return;
 893
 894         if (!ct || nf_ct_is_template(ct) || nf_ct_is_confirmed(ct))
 895                 return;
 896
 897         timeout = nf_ct_timeout_find(ct);
 898         if (!timeout) {
 899                 timeout = nf_ct_timeout_ext_add(ct, priv->timeout, GFP_ATOMIC);
 900                 if (!timeout) {
 901                         regs->verdict.code = NF_DROP;
 902                         return;
 903                 }
 904         }
 905
 906         rcu_assign_pointer(timeout->timeout, priv->timeout);
 907
 908         /* adjust the timeout as per 'new' state. ct is unconfirmed,
 909          * so the current timestamp must not be added.
 910          */
 911         values = nf_ct_timeout_data(timeout);
 912         if (values)
 913                 nf_ct_refresh(ct, pkt->skb, values[0]);
 914 }
 915
 916 static int nft_ct_timeout_obj_init(const struct nft_ctx *ctx,
 917                                    const struct nlattr * const tb[],
 918                                    struct nft_object *obj)
 919 {
 920         struct nft_ct_timeout_obj *priv = nft_obj_data(obj);
 921         const struct nf_conntrack_l4proto *l4proto;
 922         struct nf_ct_timeout *timeout;
 923         int l3num = ctx->family;
 924         __u8 l4num;
 925         int ret;
 926
 927         if (!tb[NFTA_CT_TIMEOUT_L4PROTO] ||
 928             !tb[NFTA_CT_TIMEOUT_DATA])
 929                 return -EINVAL;
 930
 931         if (tb[NFTA_CT_TIMEOUT_L3PROTO])
 932                 l3num = ntohs(nla_get_be16(tb[NFTA_CT_TIMEOUT_L3PROTO]));
 933
 934         l4num = nla_get_u8(tb[NFTA_CT_TIMEOUT_L4PROTO]);
 935         priv->l4proto = l4num;
 936
 937         l4proto = nf_ct_l4proto_find(l4num);
 938
 939         if (l4proto->l4proto != l4num) {
 940                 ret = -EOPNOTSUPP;
 941                 goto err_proto_put;
 942         }
 943
 944         timeout = kzalloc(sizeof(struct nf_ct_timeout) +
 945                           l4proto->ctnl_timeout.obj_size, GFP_KERNEL);
 946         if (timeout == NULL) {
 947                 ret = -ENOMEM;
 948                 goto err_proto_put;
 949         }
 950
 951         ret = nft_ct_timeout_parse_policy(&timeout->data, l4proto, ctx->net,
 952                                           tb[NFTA_CT_TIMEOUT_DATA]);
 953         if (ret < 0)
 954                 goto err_free_timeout;
 955
 956         timeout->l3num = l3num;
 957         timeout->l4proto = l4proto;
 958
 959         ret = nf_ct_netns_get(ctx->net, ctx->family);
 960         if (ret < 0)
 961                 goto err_free_timeout;
 962
 963         priv->timeout = timeout;
 964         return 0;
 965
 966 err_free_timeout:
 967         kfree(timeout);
 968 err_proto_put:
 969         return ret;
 970 }
 971
 972 static void nft_ct_timeout_obj_destroy(const struct nft_ctx *ctx,
 973                                        struct nft_object *obj)
 974 {
 975         struct nft_ct_timeout_obj *priv = nft_obj_data(obj);
 976         struct nf_ct_timeout *timeout = priv->timeout;
 977
 978         nf_ct_untimeout(ctx->net, timeout);
 979         nf_ct_netns_put(ctx->net, ctx->family);
 980         kfree(priv->timeout);
 981 }
 982
 983 static int nft_ct_timeout_obj_dump(struct sk_buff *skb,
 984                                    struct nft_object *obj, bool reset)
 985 {
 986         const struct nft_ct_timeout_obj *priv = nft_obj_data(obj);
 987         const struct nf_ct_timeout *timeout = priv->timeout;
 988         struct nlattr *nest_params;
 989         int ret;
 990
 991         if (nla_put_u8(skb, NFTA_CT_TIMEOUT_L4PROTO, timeout->l4proto->l4proto) ||
 992             nla_put_be16(skb, NFTA_CT_TIMEOUT_L3PROTO, htons(timeout->l3num)))
 993                 return -1;
 994
 995         nest_params = nla_nest_start(skb, NFTA_CT_TIMEOUT_DATA);
 996         if (!nest_params)
 997                 return -1;
 998
 999         ret = timeout->l4proto->ctnl_timeout.obj_to_nlattr(skb, &timeout->data);
1000         if (ret < 0)
1001                 return -1;
1002         nla_nest_end(skb, nest_params);
1003         return 0;
1004 }
1005
1006 static const struct nla_policy nft_ct_timeout_policy[NFTA_CT_TIMEOUT_MAX + 1] = {
1007         [NFTA_CT_TIMEOUT_L3PROTO] = {.type = NLA_U16 },
1008         [NFTA_CT_TIMEOUT_L4PROTO] = {.type = NLA_U8 },
1009         [NFTA_CT_TIMEOUT_DATA]    = {.type = NLA_NESTED },
1010 };
1011
1012 static struct nft_object_type nft_ct_timeout_obj_type;
1013
1014 static const struct nft_object_ops nft_ct_timeout_obj_ops = {
1015         .type           = &nft_ct_timeout_obj_type,
1016         .size           = sizeof(struct nft_ct_timeout_obj),
1017         .eval           = nft_ct_timeout_obj_eval,
1018         .init           = nft_ct_timeout_obj_init,
1019         .destroy        = nft_ct_timeout_obj_destroy,
1020         .dump           = nft_ct_timeout_obj_dump,
1021 };
1022
1023 static struct nft_object_type nft_ct_timeout_obj_type __read_mostly = {
1024         .type           = NFT_OBJECT_CT_TIMEOUT,
1025         .ops            = &nft_ct_timeout_obj_ops,
1026         .maxattr        = NFTA_CT_TIMEOUT_MAX,
1027         .policy         = nft_ct_timeout_policy,
1028         .owner          = THIS_MODULE,
1029 };
1030 #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
1031
1032 static int nft_ct_helper_obj_init(const struct nft_ctx *ctx,
1033                                   const struct nlattr * const tb[],
1034                                   struct nft_object *obj)
1035 {
1036         struct nft_ct_helper_obj *priv = nft_obj_data(obj);
1037         struct nf_conntrack_helper *help4, *help6;
1038         char name[NF_CT_HELPER_NAME_LEN];
1039         int family = ctx->family;
1040         int err;
1041
1042         if (!tb[NFTA_CT_HELPER_NAME] || !tb[NFTA_CT_HELPER_L4PROTO])
1043                 return -EINVAL;
1044
1045         priv->l4proto = nla_get_u8(tb[NFTA_CT_HELPER_L4PROTO]);
1046         if (!priv->l4proto)
1047                 return -ENOENT;
1048
1049         nla_strscpy(name, tb[NFTA_CT_HELPER_NAME], sizeof(name));
1050
1051         if (tb[NFTA_CT_HELPER_L3PROTO])
1052                 family = ntohs(nla_get_be16(tb[NFTA_CT_HELPER_L3PROTO]));
1053
1054         help4 = NULL;
1055         help6 = NULL;
1056
1057         switch (family) {
1058         case NFPROTO_IPV4:
1059                 if (ctx->family == NFPROTO_IPV6)
1060                         return -EINVAL;
1061
1062                 help4 = nf_conntrack_helper_try_module_get(name, family,
1063                                                            priv->l4proto);
1064                 break;
1065         case NFPROTO_IPV6:
1066                 if (ctx->family == NFPROTO_IPV4)
1067                         return -EINVAL;
1068
1069                 help6 = nf_conntrack_helper_try_module_get(name, family,
1070                                                            priv->l4proto);
1071                 break;
1072         case NFPROTO_NETDEV:
1073         case NFPROTO_BRIDGE:
1074         case NFPROTO_INET:
1075                 help4 = nf_conntrack_helper_try_module_get(name, NFPROTO_IPV4,
1076                                                            priv->l4proto);
1077                 help6 = nf_conntrack_helper_try_module_get(name, NFPROTO_IPV6,
1078                                                            priv->l4proto);
1079                 break;
1080         default:
1081                 return -EAFNOSUPPORT;
1082         }
1083
1084         /* && is intentional; only error if INET found neither ipv4 or ipv6 */
1085         if (!help4 && !help6)
1086                 return -ENOENT;
1087
1088         priv->helper4 = help4;
1089         priv->helper6 = help6;
1090
1091         err = nf_ct_netns_get(ctx->net, ctx->family);
1092         if (err < 0)
1093                 goto err_put_helper;
1094
1095         return 0;
1096
1097 err_put_helper:
1098         if (priv->helper4)
1099                 nf_conntrack_helper_put(priv->helper4);
1100         if (priv->helper6)
1101                 nf_conntrack_helper_put(priv->helper6);
1102         return err;
1103 }
1104
1105 static void nft_ct_helper_obj_destroy(const struct nft_ctx *ctx,
1106                                       struct nft_object *obj)
1107 {
1108         struct nft_ct_helper_obj *priv = nft_obj_data(obj);
1109
1110         if (priv->helper4)
1111                 nf_conntrack_helper_put(priv->helper4);
1112         if (priv->helper6)
1113                 nf_conntrack_helper_put(priv->helper6);
1114
1115         nf_ct_netns_put(ctx->net, ctx->family);
1116 }
1117
1118 static void nft_ct_helper_obj_eval(struct nft_object *obj,
1119                                    struct nft_regs *regs,
1120                                    const struct nft_pktinfo *pkt)
1121 {
1122         const struct nft_ct_helper_obj *priv = nft_obj_data(obj);
1123         struct nf_conn *ct = (struct nf_conn *)skb_nfct(pkt->skb);
1124         struct nf_conntrack_helper *to_assign = NULL;
1125         struct nf_conn_help *help;
1126
1127         if (!ct ||
1128             nf_ct_is_confirmed(ct) ||
1129             nf_ct_is_template(ct) ||
1130             priv->l4proto != nf_ct_protonum(ct))
1131                 return;
1132
1133         switch (nf_ct_l3num(ct)) {
1134         case NFPROTO_IPV4:
1135                 to_assign = priv->helper4;
1136                 break;
1137         case NFPROTO_IPV6:
1138                 to_assign = priv->helper6;
1139                 break;
1140         default:
1141                 WARN_ON_ONCE(1);
1142                 return;
1143         }
1144
1145         if (!to_assign)
1146                 return;
1147
1148         if (test_bit(IPS_HELPER_BIT, &ct->status))
1149                 return;
1150
1151         help = nf_ct_helper_ext_add(ct, GFP_ATOMIC);
1152         if (help) {
1153                 rcu_assign_pointer(help->helper, to_assign);
1154                 set_bit(IPS_HELPER_BIT, &ct->status);
1155         }
1156 }
1157
1158 static int nft_ct_helper_obj_dump(struct sk_buff *skb,
1159                                   struct nft_object *obj, bool reset)
1160 {
1161         const struct nft_ct_helper_obj *priv = nft_obj_data(obj);
1162         const struct nf_conntrack_helper *helper;
1163         u16 family;
1164
1165         if (priv->helper4 && priv->helper6) {
1166                 family = NFPROTO_INET;
1167                 helper = priv->helper4;
1168         } else if (priv->helper6) {
1169                 family = NFPROTO_IPV6;
1170                 helper = priv->helper6;
1171         } else {
1172                 family = NFPROTO_IPV4;
1173                 helper = priv->helper4;
1174         }
1175
1176         if (nla_put_string(skb, NFTA_CT_HELPER_NAME, helper->name))
1177                 return -1;
1178
1179         if (nla_put_u8(skb, NFTA_CT_HELPER_L4PROTO, priv->l4proto))
1180                 return -1;
1181
1182         if (nla_put_be16(skb, NFTA_CT_HELPER_L3PROTO, htons(family)))
1183                 return -1;
1184
1185         return 0;
1186 }
1187
1188 static const struct nla_policy nft_ct_helper_policy[NFTA_CT_HELPER_MAX + 1] = {
1189         [NFTA_CT_HELPER_NAME] = { .type = NLA_STRING,
1190                                   .len = NF_CT_HELPER_NAME_LEN - 1 },
1191         [NFTA_CT_HELPER_L3PROTO] = { .type = NLA_U16 },
1192         [NFTA_CT_HELPER_L4PROTO] = { .type = NLA_U8 },
1193 };
1194
1195 static struct nft_object_type nft_ct_helper_obj_type;
1196 static const struct nft_object_ops nft_ct_helper_obj_ops = {
1197         .type           = &nft_ct_helper_obj_type,
1198         .size           = sizeof(struct nft_ct_helper_obj),
1199         .eval           = nft_ct_helper_obj_eval,
1200         .init           = nft_ct_helper_obj_init,
1201         .destroy        = nft_ct_helper_obj_destroy,
1202         .dump           = nft_ct_helper_obj_dump,
1203 };
1204
1205 static struct nft_object_type nft_ct_helper_obj_type __read_mostly = {
1206         .type           = NFT_OBJECT_CT_HELPER,
1207         .ops            = &nft_ct_helper_obj_ops,
1208         .maxattr        = NFTA_CT_HELPER_MAX,
1209         .policy         = nft_ct_helper_policy,
1210         .owner          = THIS_MODULE,
1211 };
1212
1213 struct nft_ct_expect_obj {
1214         u16             l3num;
1215         __be16          dport;
1216         u8              l4proto;
1217         u8              size;
1218         u32             timeout;
1219 };
1220
1221 static int nft_ct_expect_obj_init(const struct nft_ctx *ctx,
1222                                   const struct nlattr * const tb[],
1223                                   struct nft_object *obj)
1224 {
1225         struct nft_ct_expect_obj *priv = nft_obj_data(obj);
1226
1227         if (!tb[NFTA_CT_EXPECT_L4PROTO] ||
1228             !tb[NFTA_CT_EXPECT_DPORT] ||
1229             !tb[NFTA_CT_EXPECT_TIMEOUT] ||
1230             !tb[NFTA_CT_EXPECT_SIZE])
1231                 return -EINVAL;
1232
1233         priv->l3num = ctx->family;
1234         if (tb[NFTA_CT_EXPECT_L3PROTO])
1235                 priv->l3num = ntohs(nla_get_be16(tb[NFTA_CT_EXPECT_L3PROTO]));
1236
1237         switch (priv->l3num) {
1238         case NFPROTO_IPV4:
1239         case NFPROTO_IPV6:
1240                 if (priv->l3num == ctx->family || ctx->family == NFPROTO_INET)
1241                         break;
1242
1243                 return -EINVAL;
1244         case NFPROTO_INET: /* tuple.src.l3num supports NFPROTO_IPV4/6 only */
1245         default:
1246                 return -EAFNOSUPPORT;
1247         }
1248
1249         priv->l4proto = nla_get_u8(tb[NFTA_CT_EXPECT_L4PROTO]);
1250         switch (priv->l4proto) {
1251         case IPPROTO_TCP:
1252         case IPPROTO_UDP:
1253         case IPPROTO_UDPLITE:
1254         case IPPROTO_DCCP:
1255         case IPPROTO_SCTP:
1256                 break;
1257         default:
1258                 return -EOPNOTSUPP;
1259         }
1260
1261         priv->dport = nla_get_be16(tb[NFTA_CT_EXPECT_DPORT]);
1262         priv->timeout = nla_get_u32(tb[NFTA_CT_EXPECT_TIMEOUT]);
1263         priv->size = nla_get_u8(tb[NFTA_CT_EXPECT_SIZE]);
1264
1265         return nf_ct_netns_get(ctx->net, ctx->family);
1266 }
1267
1268 static void nft_ct_expect_obj_destroy(const struct nft_ctx *ctx,
1269                                        struct nft_object *obj)
1270 {
1271         nf_ct_netns_put(ctx->net, ctx->family);
1272 }
1273
1274 static int nft_ct_expect_obj_dump(struct sk_buff *skb,
1275                                   struct nft_object *obj, bool reset)
1276 {
1277         const struct nft_ct_expect_obj *priv = nft_obj_data(obj);
1278
1279         if (nla_put_be16(skb, NFTA_CT_EXPECT_L3PROTO, htons(priv->l3num)) ||
1280             nla_put_u8(skb, NFTA_CT_EXPECT_L4PROTO, priv->l4proto) ||
1281             nla_put_be16(skb, NFTA_CT_EXPECT_DPORT, priv->dport) ||
1282             nla_put_u32(skb, NFTA_CT_EXPECT_TIMEOUT, priv->timeout) ||
1283             nla_put_u8(skb, NFTA_CT_EXPECT_SIZE, priv->size))
1284                 return -1;
1285
1286         return 0;
1287 }
1288
1289 static void nft_ct_expect_obj_eval(struct nft_object *obj,
1290                                    struct nft_regs *regs,
1291                                    const struct nft_pktinfo *pkt)
1292 {
1293         const struct nft_ct_expect_obj *priv = nft_obj_data(obj);
1294         struct nf_conntrack_expect *exp;
1295         enum ip_conntrack_info ctinfo;
1296         struct nf_conn_help *help;
1297         enum ip_conntrack_dir dir;
1298         u16 l3num = priv->l3num;
1299         struct nf_conn *ct;
1300
1301         ct = nf_ct_get(pkt->skb, &ctinfo);
1302         if (!ct || nf_ct_is_confirmed(ct) || nf_ct_is_template(ct)) {
1303                 regs->verdict.code = NFT_BREAK;
1304                 return;
1305         }
1306         dir = CTINFO2DIR(ctinfo);
1307
1308         help = nfct_help(ct);
1309         if (!help)
1310                 help = nf_ct_helper_ext_add(ct, GFP_ATOMIC);
1311         if (!help) {
1312                 regs->verdict.code = NF_DROP;
1313                 return;
1314         }
1315
1316         if (help->expecting[NF_CT_EXPECT_CLASS_DEFAULT] >= priv->size) {
1317                 regs->verdict.code = NFT_BREAK;
1318                 return;
1319         }
1320         if (l3num == NFPROTO_INET)
1321                 l3num = nf_ct_l3num(ct);
1322
1323         exp = nf_ct_expect_alloc(ct);
1324         if (exp == NULL) {
1325                 regs->verdict.code = NF_DROP;
1326                 return;
1327         }
1328         nf_ct_expect_init(exp, NF_CT_EXPECT_CLASS_DEFAULT, l3num,
1329                           &ct->tuplehash[!dir].tuple.src.u3,
1330                           &ct->tuplehash[!dir].tuple.dst.u3,
1331                           priv->l4proto, NULL, &priv->dport);
1332         exp->timeout.expires = jiffies + priv->timeout * HZ;
1333
1334         if (nf_ct_expect_related(exp, 0) != 0)
1335                 regs->verdict.code = NF_DROP;
1336 }
1337
1338 static const struct nla_policy nft_ct_expect_policy[NFTA_CT_EXPECT_MAX + 1] = {
1339         [NFTA_CT_EXPECT_L3PROTO]        = { .type = NLA_U16 },
1340         [NFTA_CT_EXPECT_L4PROTO]        = { .type = NLA_U8 },
1341         [NFTA_CT_EXPECT_DPORT]          = { .type = NLA_U16 },
1342         [NFTA_CT_EXPECT_TIMEOUT]        = { .type = NLA_U32 },
1343         [NFTA_CT_EXPECT_SIZE]           = { .type = NLA_U8 },
1344 };
1345
1346 static struct nft_object_type nft_ct_expect_obj_type;
1347
1348 static const struct nft_object_ops nft_ct_expect_obj_ops = {
1349         .type           = &nft_ct_expect_obj_type,
1350         .size           = sizeof(struct nft_ct_expect_obj),
1351         .eval           = nft_ct_expect_obj_eval,
1352         .init           = nft_ct_expect_obj_init,
1353         .destroy        = nft_ct_expect_obj_destroy,
1354         .dump           = nft_ct_expect_obj_dump,
1355 };
1356
1357 static struct nft_object_type nft_ct_expect_obj_type __read_mostly = {
1358         .type           = NFT_OBJECT_CT_EXPECT,
1359         .ops            = &nft_ct_expect_obj_ops,
1360         .maxattr        = NFTA_CT_EXPECT_MAX,
1361         .policy         = nft_ct_expect_policy,
1362         .owner          = THIS_MODULE,
1363 };
1364
1365 static int __init nft_ct_module_init(void)
1366 {
1367         int err;
1368
1369         BUILD_BUG_ON(NF_CT_LABELS_MAX_SIZE > NFT_REG_SIZE);
1370
1371         err = nft_register_expr(&nft_ct_type);
1372         if (err < 0)
1373                 return err;
1374
1375         err = nft_register_expr(&nft_notrack_type);
1376         if (err < 0)
1377                 goto err1;
1378
1379         err = nft_register_obj(&nft_ct_helper_obj_type);
1380         if (err < 0)
1381                 goto err2;
1382
1383         err = nft_register_obj(&nft_ct_expect_obj_type);
1384         if (err < 0)
1385                 goto err3;
1386 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT
1387         err = nft_register_obj(&nft_ct_timeout_obj_type);
1388         if (err < 0)
1389                 goto err4;
1390 #endif
1391         return 0;
1392
1393 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT
1394 err4:
1395         nft_unregister_obj(&nft_ct_expect_obj_type);
1396 #endif
1397 err3:
1398         nft_unregister_obj(&nft_ct_helper_obj_type);
1399 err2:
1400         nft_unregister_expr(&nft_notrack_type);
1401 err1:
1402         nft_unregister_expr(&nft_ct_type);
1403         return err;
1404 }
1405
1406 static void __exit nft_ct_module_exit(void)
1407 {
1408 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT
1409         nft_unregister_obj(&nft_ct_timeout_obj_type);
1410 #endif
1411         nft_unregister_obj(&nft_ct_expect_obj_type);
1412         nft_unregister_obj(&nft_ct_helper_obj_type);
1413         nft_unregister_expr(&nft_notrack_type);
1414         nft_unregister_expr(&nft_ct_type);
1415 }
1416
1417 module_init(nft_ct_module_init);
1418 module_exit(nft_ct_module_exit);
1419
1420 MODULE_LICENSE("GPL");
1421 MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
1422 MODULE_ALIAS_NFT_EXPR("ct");
1423 MODULE_ALIAS_NFT_EXPR("notrack");
1424 MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_CT_HELPER);
1425 MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_CT_TIMEOUT);
1426 MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_CT_EXPECT);
1427 MODULE_DESCRIPTION("Netfilter nf_tables conntrack module");