2 * Copyright (c) 2010 Patrick McHardy <kaber@trash.net>
4 * This program is free software; you can redistribute it and/or modify
5 * it under the terms of the GNU General Public License version 2 as
6 * published by the Free Software Foundation.
8 #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
9 #include <linux/module.h>
10 #include <linux/gfp.h>
11 #include <linux/skbuff.h>
12 #include <linux/netfilter_ipv4/ip_tables.h>
13 #include <linux/netfilter_ipv6/ip6_tables.h>
14 #include <linux/netfilter/x_tables.h>
15 #include <linux/netfilter/xt_CT.h>
16 #include <net/netfilter/nf_conntrack.h>
17 #include <net/netfilter/nf_conntrack_l4proto.h>
18 #include <net/netfilter/nf_conntrack_helper.h>
19 #include <net/netfilter/nf_conntrack_ecache.h>
20 #include <net/netfilter/nf_conntrack_timeout.h>
21 #include <net/netfilter/nf_conntrack_zones.h>
23 static inline int xt_ct_target(struct sk_buff *skb, struct nf_conn *ct)
25 /* Previously seen (loopback)? Ignore. */
30 atomic_inc(&ct->ct_general.use);
31 nf_ct_set(skb, ct, IP_CT_NEW);
33 nf_ct_set(skb, ct, IP_CT_UNTRACKED);
39 static unsigned int xt_ct_target_v0(struct sk_buff *skb,
40 const struct xt_action_param *par)
42 const struct xt_ct_target_info *info = par->targinfo;
43 struct nf_conn *ct = info->ct;
45 return xt_ct_target(skb, ct);
48 static unsigned int xt_ct_target_v1(struct sk_buff *skb,
49 const struct xt_action_param *par)
51 const struct xt_ct_target_info_v1 *info = par->targinfo;
52 struct nf_conn *ct = info->ct;
54 return xt_ct_target(skb, ct);
57 static u8 xt_ct_find_proto(const struct xt_tgchk_param *par)
59 if (par->family == NFPROTO_IPV4) {
60 const struct ipt_entry *e = par->entryinfo;
62 if (e->ip.invflags & IPT_INV_PROTO)
65 } else if (par->family == NFPROTO_IPV6) {
66 const struct ip6t_entry *e = par->entryinfo;
68 if (e->ipv6.invflags & IP6T_INV_PROTO)
76 xt_ct_set_helper(struct nf_conn *ct, const char *helper_name,
77 const struct xt_tgchk_param *par)
79 struct nf_conntrack_helper *helper;
80 struct nf_conn_help *help;
83 proto = xt_ct_find_proto(par);
85 pr_info_ratelimited("You must specify a L4 protocol and not use inversions on it\n");
89 helper = nf_conntrack_helper_try_module_get(helper_name, par->family,
92 pr_info_ratelimited("No such helper \"%s\"\n", helper_name);
96 help = nf_ct_helper_ext_add(ct, GFP_KERNEL);
98 nf_conntrack_helper_put(helper);
102 help->helper = helper;
107 xt_ct_set_timeout(struct nf_conn *ct, const struct xt_tgchk_param *par,
108 const char *timeout_name)
110 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT
111 const struct nf_conntrack_l4proto *l4proto;
114 proto = xt_ct_find_proto(par);
116 pr_info_ratelimited("You must specify a L4 protocol and not "
117 "use inversions on it");
120 l4proto = nf_ct_l4proto_find(proto);
121 return nf_ct_set_timeout(par->net, ct, par->family, l4proto->l4proto,
129 static u16 xt_ct_flags_to_dir(const struct xt_ct_target_info_v1 *info)
131 switch (info->flags & (XT_CT_ZONE_DIR_ORIG |
132 XT_CT_ZONE_DIR_REPL)) {
133 case XT_CT_ZONE_DIR_ORIG:
134 return NF_CT_ZONE_DIR_ORIG;
135 case XT_CT_ZONE_DIR_REPL:
136 return NF_CT_ZONE_DIR_REPL;
138 return NF_CT_DEFAULT_ZONE_DIR;
142 static int xt_ct_tg_check(const struct xt_tgchk_param *par,
143 struct xt_ct_target_info_v1 *info)
145 struct nf_conntrack_zone zone;
146 struct nf_conn_help *help;
148 int ret = -EOPNOTSUPP;
150 if (info->flags & XT_CT_NOTRACK) {
155 #ifndef CONFIG_NF_CONNTRACK_ZONES
156 if (info->zone || info->flags & (XT_CT_ZONE_DIR_ORIG |
157 XT_CT_ZONE_DIR_REPL |
162 ret = nf_ct_netns_get(par->net, par->family);
166 memset(&zone, 0, sizeof(zone));
167 zone.id = info->zone;
168 zone.dir = xt_ct_flags_to_dir(info);
169 if (info->flags & XT_CT_ZONE_MARK)
170 zone.flags |= NF_CT_FLAG_MARK;
172 ct = nf_ct_tmpl_alloc(par->net, &zone, GFP_KERNEL);
179 if ((info->ct_events || info->exp_events) &&
180 !nf_ct_ecache_ext_add(ct, info->ct_events, info->exp_events,
186 if (info->helper[0]) {
187 if (strnlen(info->helper, sizeof(info->helper)) == sizeof(info->helper)) {
192 ret = xt_ct_set_helper(ct, info->helper, par);
197 if (info->timeout[0]) {
198 if (strnlen(info->timeout, sizeof(info->timeout)) == sizeof(info->timeout)) {
203 ret = xt_ct_set_timeout(ct, par, info->timeout);
207 __set_bit(IPS_CONFIRMED_BIT, &ct->status);
208 nf_conntrack_get(&ct->ct_general);
214 help = nfct_help(ct);
216 nf_conntrack_helper_put(help->helper);
220 nf_ct_netns_put(par->net, par->family);
225 static int xt_ct_tg_check_v0(const struct xt_tgchk_param *par)
227 struct xt_ct_target_info *info = par->targinfo;
228 struct xt_ct_target_info_v1 info_v1 = {
229 .flags = info->flags,
231 .ct_events = info->ct_events,
232 .exp_events = info->exp_events,
236 if (info->flags & ~XT_CT_NOTRACK)
239 memcpy(info_v1.helper, info->helper, sizeof(info->helper));
241 ret = xt_ct_tg_check(par, &info_v1);
245 info->ct = info_v1.ct;
250 static int xt_ct_tg_check_v1(const struct xt_tgchk_param *par)
252 struct xt_ct_target_info_v1 *info = par->targinfo;
254 if (info->flags & ~XT_CT_NOTRACK)
257 return xt_ct_tg_check(par, par->targinfo);
260 static int xt_ct_tg_check_v2(const struct xt_tgchk_param *par)
262 struct xt_ct_target_info_v1 *info = par->targinfo;
264 if (info->flags & ~XT_CT_MASK)
267 return xt_ct_tg_check(par, par->targinfo);
270 static void xt_ct_tg_destroy(const struct xt_tgdtor_param *par,
271 struct xt_ct_target_info_v1 *info)
273 struct nf_conn *ct = info->ct;
274 struct nf_conn_help *help;
277 help = nfct_help(ct);
279 nf_conntrack_helper_put(help->helper);
281 nf_ct_netns_put(par->net, par->family);
283 nf_ct_destroy_timeout(ct);
288 static void xt_ct_tg_destroy_v0(const struct xt_tgdtor_param *par)
290 struct xt_ct_target_info *info = par->targinfo;
291 struct xt_ct_target_info_v1 info_v1 = {
292 .flags = info->flags,
294 .ct_events = info->ct_events,
295 .exp_events = info->exp_events,
298 memcpy(info_v1.helper, info->helper, sizeof(info->helper));
300 xt_ct_tg_destroy(par, &info_v1);
303 static void xt_ct_tg_destroy_v1(const struct xt_tgdtor_param *par)
305 xt_ct_tg_destroy(par, par->targinfo);
308 static struct xt_target xt_ct_tg_reg[] __read_mostly = {
311 .family = NFPROTO_UNSPEC,
312 .targetsize = sizeof(struct xt_ct_target_info),
313 .usersize = offsetof(struct xt_ct_target_info, ct),
314 .checkentry = xt_ct_tg_check_v0,
315 .destroy = xt_ct_tg_destroy_v0,
316 .target = xt_ct_target_v0,
322 .family = NFPROTO_UNSPEC,
324 .targetsize = sizeof(struct xt_ct_target_info_v1),
325 .usersize = offsetof(struct xt_ct_target_info, ct),
326 .checkentry = xt_ct_tg_check_v1,
327 .destroy = xt_ct_tg_destroy_v1,
328 .target = xt_ct_target_v1,
334 .family = NFPROTO_UNSPEC,
336 .targetsize = sizeof(struct xt_ct_target_info_v1),
337 .usersize = offsetof(struct xt_ct_target_info, ct),
338 .checkentry = xt_ct_tg_check_v2,
339 .destroy = xt_ct_tg_destroy_v1,
340 .target = xt_ct_target_v1,
347 notrack_tg(struct sk_buff *skb, const struct xt_action_param *par)
349 /* Previously seen (loopback)? Ignore. */
353 nf_ct_set(skb, NULL, IP_CT_UNTRACKED);
358 static int notrack_chk(const struct xt_tgchk_param *par)
360 if (!par->net->xt.notrack_deprecated_warning) {
361 pr_info("netfilter: NOTRACK target is deprecated, "
362 "use CT instead or upgrade iptables\n");
363 par->net->xt.notrack_deprecated_warning = true;
368 static struct xt_target notrack_tg_reg __read_mostly = {
371 .family = NFPROTO_UNSPEC,
372 .checkentry = notrack_chk,
373 .target = notrack_tg,
378 static int __init xt_ct_tg_init(void)
382 ret = xt_register_target(¬rack_tg_reg);
386 ret = xt_register_targets(xt_ct_tg_reg, ARRAY_SIZE(xt_ct_tg_reg));
388 xt_unregister_target(¬rack_tg_reg);
394 static void __exit xt_ct_tg_exit(void)
396 xt_unregister_targets(xt_ct_tg_reg, ARRAY_SIZE(xt_ct_tg_reg));
397 xt_unregister_target(¬rack_tg_reg);
400 module_init(xt_ct_tg_init);
401 module_exit(xt_ct_tg_exit);
403 MODULE_LICENSE("GPL");
404 MODULE_DESCRIPTION("Xtables: connection tracking target");
405 MODULE_ALIAS("ipt_CT");
406 MODULE_ALIAS("ip6t_CT");
407 MODULE_ALIAS("ipt_NOTRACK");
408 MODULE_ALIAS("ip6t_NOTRACK");
projects / linux-2.6-microblaze.git / blob