git.oblomov.eu Git - linux-2.6/blob - net/netfilter/nf_conntrack_expect.c

   1 /* Expectation handling for nf_conntrack. */
   2
   3 /* (C) 1999-2001 Paul `Rusty' Russell
   4  * (C) 2002-2006 Netfilter Core Team <coreteam@netfilter.org>
   5  * (C) 2003,2004 USAGI/WIDE Project <http://www.linux-ipv6.org>
   6  *
   7  * This program is free software; you can redistribute it and/or modify
   8  * it under the terms of the GNU General Public License version 2 as
   9  * published by the Free Software Foundation.
  10  */
  11
  12 #include <linux/types.h>
  13 #include <linux/netfilter.h>
  14 #include <linux/skbuff.h>
  15 #include <linux/proc_fs.h>
  16 #include <linux/seq_file.h>
  17 #include <linux/stddef.h>
  18 #include <linux/slab.h>
  19 #include <linux/err.h>
  20 #include <linux/percpu.h>
  21 #include <linux/kernel.h>
  22 #include <linux/jhash.h>
  23
  24 #include <net/netfilter/nf_conntrack.h>
  25 #include <net/netfilter/nf_conntrack_core.h>
  26 #include <net/netfilter/nf_conntrack_expect.h>
  27 #include <net/netfilter/nf_conntrack_helper.h>
  28 #include <net/netfilter/nf_conntrack_tuple.h>
  29
  30 LIST_HEAD(nf_ct_expect_list);
  31 EXPORT_SYMBOL_GPL(nf_ct_expect_list);
  32
  33 struct hlist_head *nf_ct_expect_hash __read_mostly;
  34 EXPORT_SYMBOL_GPL(nf_ct_expect_hash);
  35
  36 unsigned int nf_ct_expect_hsize __read_mostly;
  37 EXPORT_SYMBOL_GPL(nf_ct_expect_hsize);
  38
  39 static unsigned int nf_ct_expect_hash_rnd __read_mostly;
  40 static unsigned int nf_ct_expect_count;
  41 static int nf_ct_expect_hash_rnd_initted __read_mostly;
  42 static int nf_ct_expect_vmalloc;
  43
  44 static struct kmem_cache *nf_ct_expect_cachep __read_mostly;
  45 static unsigned int nf_ct_expect_next_id;
  46
  47 /* nf_conntrack_expect helper functions */
  48 void nf_ct_unlink_expect(struct nf_conntrack_expect *exp)
  49 {
  50         struct nf_conn_help *master_help = nfct_help(exp->master);
  51
  52         NF_CT_ASSERT(master_help);
  53         NF_CT_ASSERT(!timer_pending(&exp->timeout));
  54
  55         list_del(&exp->list);
  56         hlist_del(&exp->hnode);
  57         nf_ct_expect_count--;
  58
  59         NF_CT_STAT_INC(expect_delete);
  60         master_help->expecting--;
  61         nf_ct_expect_put(exp);
  62 }
  63 EXPORT_SYMBOL_GPL(nf_ct_unlink_expect);
  64
  65 static void nf_ct_expectation_timed_out(unsigned long ul_expect)
  66 {
  67         struct nf_conntrack_expect *exp = (void *)ul_expect;
  68
  69         write_lock_bh(&nf_conntrack_lock);
  70         nf_ct_unlink_expect(exp);
  71         write_unlock_bh(&nf_conntrack_lock);
  72         nf_ct_expect_put(exp);
  73 }
  74
  75 static unsigned int nf_ct_expect_dst_hash(const struct nf_conntrack_tuple *tuple)
  76 {
  77         if (unlikely(!nf_ct_expect_hash_rnd_initted)) {
  78                 get_random_bytes(&nf_ct_expect_hash_rnd, 4);
  79                 nf_ct_expect_hash_rnd_initted = 1;
  80         }
  81
  82         return jhash2(tuple->dst.u3.all, ARRAY_SIZE(tuple->dst.u3.all),
  83                       (((tuple->dst.protonum ^ tuple->src.l3num) << 16) |
  84                        tuple->dst.u.all) ^ nf_ct_expect_hash_rnd) %
  85                nf_ct_expect_hsize;
  86 }
  87
  88 struct nf_conntrack_expect *
  89 __nf_ct_expect_find(const struct nf_conntrack_tuple *tuple)
  90 {
  91         struct nf_conntrack_expect *i;
  92         struct hlist_node *n;
  93         unsigned int h;
  94
  95         if (!nf_ct_expect_count)
  96                 return NULL;
  97
  98         h = nf_ct_expect_dst_hash(tuple);
  99         hlist_for_each_entry(i, n, &nf_ct_expect_hash[h], hnode) {
 100                 if (nf_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask))
 101                         return i;
 102         }
 103         return NULL;
 104 }
 105 EXPORT_SYMBOL_GPL(__nf_ct_expect_find);
 106
 107 /* Just find a expectation corresponding to a tuple. */
 108 struct nf_conntrack_expect *
 109 nf_ct_expect_find_get(const struct nf_conntrack_tuple *tuple)
 110 {
 111         struct nf_conntrack_expect *i;
 112
 113         read_lock_bh(&nf_conntrack_lock);
 114         i = __nf_ct_expect_find(tuple);
 115         if (i)
 116                 atomic_inc(&i->use);
 117         read_unlock_bh(&nf_conntrack_lock);
 118
 119         return i;
 120 }
 121 EXPORT_SYMBOL_GPL(nf_ct_expect_find_get);
 122
 123 /* If an expectation for this connection is found, it gets delete from
 124  * global list then returned. */
 125 struct nf_conntrack_expect *
 126 nf_ct_find_expectation(const struct nf_conntrack_tuple *tuple)
 127 {
 128         struct nf_conntrack_expect *exp;
 129
 130         exp = __nf_ct_expect_find(tuple);
 131         if (!exp)
 132                 return NULL;
 133
 134         /* If master is not in hash table yet (ie. packet hasn't left
 135            this machine yet), how can other end know about expected?
 136            Hence these are not the droids you are looking for (if
 137            master ct never got confirmed, we'd hold a reference to it
 138            and weird things would happen to future packets). */
 139         if (!nf_ct_is_confirmed(exp->master))
 140                 return NULL;
 141
 142         if (exp->flags & NF_CT_EXPECT_PERMANENT) {
 143                 atomic_inc(&exp->use);
 144                 return exp;
 145         } else if (del_timer(&exp->timeout)) {
 146                 nf_ct_unlink_expect(exp);
 147                 return exp;
 148         }
 149
 150         return NULL;
 151 }
 152
 153 /* delete all expectations for this conntrack */
 154 void nf_ct_remove_expectations(struct nf_conn *ct)
 155 {
 156         struct nf_conntrack_expect *i, *tmp;
 157         struct nf_conn_help *help = nfct_help(ct);
 158
 159         /* Optimization: most connection never expect any others. */
 160         if (!help || help->expecting == 0)
 161                 return;
 162
 163         list_for_each_entry_safe(i, tmp, &nf_ct_expect_list, list) {
 164                 if (i->master == ct && del_timer(&i->timeout)) {
 165                         nf_ct_unlink_expect(i);
 166                         nf_ct_expect_put(i);
 167                 }
 168         }
 169 }
 170 EXPORT_SYMBOL_GPL(nf_ct_remove_expectations);
 171
 172 /* Would two expected things clash? */
 173 static inline int expect_clash(const struct nf_conntrack_expect *a,
 174                                const struct nf_conntrack_expect *b)
 175 {
 176         /* Part covered by intersection of masks must be unequal,
 177            otherwise they clash */
 178         struct nf_conntrack_tuple_mask intersect_mask;
 179         int count;
 180
 181         intersect_mask.src.u.all = a->mask.src.u.all & b->mask.src.u.all;
 182
 183         for (count = 0; count < NF_CT_TUPLE_L3SIZE; count++){
 184                 intersect_mask.src.u3.all[count] =
 185                         a->mask.src.u3.all[count] & b->mask.src.u3.all[count];
 186         }
 187
 188         return nf_ct_tuple_mask_cmp(&a->tuple, &b->tuple, &intersect_mask);
 189 }
 190
 191 static inline int expect_matches(const struct nf_conntrack_expect *a,
 192                                  const struct nf_conntrack_expect *b)
 193 {
 194         return a->master == b->master
 195                 && nf_ct_tuple_equal(&a->tuple, &b->tuple)
 196                 && nf_ct_tuple_mask_equal(&a->mask, &b->mask);
 197 }
 198
 199 /* Generally a bad idea to call this: could have matched already. */
 200 void nf_ct_unexpect_related(struct nf_conntrack_expect *exp)
 201 {
 202         write_lock_bh(&nf_conntrack_lock);
 203         if (del_timer(&exp->timeout)) {
 204                 nf_ct_unlink_expect(exp);
 205                 nf_ct_expect_put(exp);
 206         }
 207         write_unlock_bh(&nf_conntrack_lock);
 208 }
 209 EXPORT_SYMBOL_GPL(nf_ct_unexpect_related);
 210
 211 /* We don't increase the master conntrack refcount for non-fulfilled
 212  * conntracks. During the conntrack destruction, the expectations are
 213  * always killed before the conntrack itself */
 214 struct nf_conntrack_expect *nf_ct_expect_alloc(struct nf_conn *me)
 215 {
 216         struct nf_conntrack_expect *new;
 217
 218         new = kmem_cache_alloc(nf_ct_expect_cachep, GFP_ATOMIC);
 219         if (!new)
 220                 return NULL;
 221
 222         new->master = me;
 223         atomic_set(&new->use, 1);
 224         return new;
 225 }
 226 EXPORT_SYMBOL_GPL(nf_ct_expect_alloc);
 227
 228 void nf_ct_expect_init(struct nf_conntrack_expect *exp, int family,
 229                        union nf_conntrack_address *saddr,
 230                        union nf_conntrack_address *daddr,
 231                        u_int8_t proto, __be16 *src, __be16 *dst)
 232 {
 233         int len;
 234
 235         if (family == AF_INET)
 236                 len = 4;
 237         else
 238                 len = 16;
 239
 240         exp->flags = 0;
 241         exp->expectfn = NULL;
 242         exp->helper = NULL;
 243         exp->tuple.src.l3num = family;
 244         exp->tuple.dst.protonum = proto;
 245
 246         if (saddr) {
 247                 memcpy(&exp->tuple.src.u3, saddr, len);
 248                 if (sizeof(exp->tuple.src.u3) > len)
 249                         /* address needs to be cleared for nf_ct_tuple_equal */
 250                         memset((void *)&exp->tuple.src.u3 + len, 0x00,
 251                                sizeof(exp->tuple.src.u3) - len);
 252                 memset(&exp->mask.src.u3, 0xFF, len);
 253                 if (sizeof(exp->mask.src.u3) > len)
 254                         memset((void *)&exp->mask.src.u3 + len, 0x00,
 255                                sizeof(exp->mask.src.u3) - len);
 256         } else {
 257                 memset(&exp->tuple.src.u3, 0x00, sizeof(exp->tuple.src.u3));
 258                 memset(&exp->mask.src.u3, 0x00, sizeof(exp->mask.src.u3));
 259         }
 260
 261         if (src) {
 262                 exp->tuple.src.u.all = (__force u16)*src;
 263                 exp->mask.src.u.all = 0xFFFF;
 264         } else {
 265                 exp->tuple.src.u.all = 0;
 266                 exp->mask.src.u.all = 0;
 267         }
 268
 269         memcpy(&exp->tuple.dst.u3, daddr, len);
 270         if (sizeof(exp->tuple.dst.u3) > len)
 271                 /* address needs to be cleared for nf_ct_tuple_equal */
 272                 memset((void *)&exp->tuple.dst.u3 + len, 0x00,
 273                        sizeof(exp->tuple.dst.u3) - len);
 274
 275         exp->tuple.dst.u.all = (__force u16)*dst;
 276 }
 277 EXPORT_SYMBOL_GPL(nf_ct_expect_init);
 278
 279 void nf_ct_expect_put(struct nf_conntrack_expect *exp)
 280 {
 281         if (atomic_dec_and_test(&exp->use))
 282                 kmem_cache_free(nf_ct_expect_cachep, exp);
 283 }
 284 EXPORT_SYMBOL_GPL(nf_ct_expect_put);
 285
 286 static void nf_ct_expect_insert(struct nf_conntrack_expect *exp)
 287 {
 288         struct nf_conn_help *master_help = nfct_help(exp->master);
 289         unsigned int h = nf_ct_expect_dst_hash(&exp->tuple);
 290
 291         atomic_inc(&exp->use);
 292         master_help->expecting++;
 293
 294         list_add(&exp->list, &nf_ct_expect_list);
 295         hlist_add_head(&exp->hnode, &nf_ct_expect_hash[h]);
 296         nf_ct_expect_count++;
 297
 298         setup_timer(&exp->timeout, nf_ct_expectation_timed_out,
 299                     (unsigned long)exp);
 300         exp->timeout.expires = jiffies + master_help->helper->timeout * HZ;
 301         add_timer(&exp->timeout);
 302
 303         exp->id = ++nf_ct_expect_next_id;
 304         atomic_inc(&exp->use);
 305         NF_CT_STAT_INC(expect_create);
 306 }
 307
 308 /* Race with expectations being used means we could have none to find; OK. */
 309 static void evict_oldest_expect(struct nf_conn *master)
 310 {
 311         struct nf_conntrack_expect *i;
 312
 313         list_for_each_entry_reverse(i, &nf_ct_expect_list, list) {
 314                 if (i->master == master) {
 315                         if (del_timer(&i->timeout)) {
 316                                 nf_ct_unlink_expect(i);
 317                                 nf_ct_expect_put(i);
 318                         }
 319                         break;
 320                 }
 321         }
 322 }
 323
 324 static inline int refresh_timer(struct nf_conntrack_expect *i)
 325 {
 326         struct nf_conn_help *master_help = nfct_help(i->master);
 327
 328         if (!del_timer(&i->timeout))
 329                 return 0;
 330
 331         i->timeout.expires = jiffies + master_help->helper->timeout*HZ;
 332         add_timer(&i->timeout);
 333         return 1;
 334 }
 335
 336 int nf_ct_expect_related(struct nf_conntrack_expect *expect)
 337 {
 338         struct nf_conntrack_expect *i;
 339         struct nf_conn *master = expect->master;
 340         struct nf_conn_help *master_help = nfct_help(master);
 341         struct hlist_node *n;
 342         unsigned int h;
 343         int ret;
 344
 345         NF_CT_ASSERT(master_help);
 346
 347         write_lock_bh(&nf_conntrack_lock);
 348         if (!master_help->helper) {
 349                 ret = -ESHUTDOWN;
 350                 goto out;
 351         }
 352         h = nf_ct_expect_dst_hash(&expect->tuple);
 353         hlist_for_each_entry(i, n, &nf_ct_expect_hash[h], hnode) {
 354                 if (expect_matches(i, expect)) {
 355                         /* Refresh timer: if it's dying, ignore.. */
 356                         if (refresh_timer(i)) {
 357                                 ret = 0;
 358                                 goto out;
 359                         }
 360                 } else if (expect_clash(i, expect)) {
 361                         ret = -EBUSY;
 362                         goto out;
 363                 }
 364         }
 365         /* Will be over limit? */
 366         if (master_help->helper->max_expected &&
 367             master_help->expecting >= master_help->helper->max_expected)
 368                 evict_oldest_expect(master);
 369
 370         nf_ct_expect_insert(expect);
 371         nf_ct_expect_event(IPEXP_NEW, expect);
 372         ret = 0;
 373 out:
 374         write_unlock_bh(&nf_conntrack_lock);
 375         return ret;
 376 }
 377 EXPORT_SYMBOL_GPL(nf_ct_expect_related);
 378
 379 #ifdef CONFIG_PROC_FS
 380 static void *exp_seq_start(struct seq_file *s, loff_t *pos)
 381 {
 382         struct list_head *e = &nf_ct_expect_list;
 383         loff_t i;
 384
 385         /* strange seq_file api calls stop even if we fail,
 386          * thus we need to grab lock since stop unlocks */
 387         read_lock_bh(&nf_conntrack_lock);
 388
 389         if (list_empty(e))
 390                 return NULL;
 391
 392         for (i = 0; i <= *pos; i++) {
 393                 e = e->next;
 394                 if (e == &nf_ct_expect_list)
 395                         return NULL;
 396         }
 397         return e;
 398 }
 399
 400 static void *exp_seq_next(struct seq_file *s, void *v, loff_t *pos)
 401 {
 402         struct list_head *e = v;
 403
 404         ++*pos;
 405         e = e->next;
 406
 407         if (e == &nf_ct_expect_list)
 408                 return NULL;
 409
 410         return e;
 411 }
 412
 413 static void exp_seq_stop(struct seq_file *s, void *v)
 414 {
 415         read_unlock_bh(&nf_conntrack_lock);
 416 }
 417
 418 static int exp_seq_show(struct seq_file *s, void *v)
 419 {
 420         struct nf_conntrack_expect *expect = v;
 421
 422         if (expect->timeout.function)
 423                 seq_printf(s, "%ld ", timer_pending(&expect->timeout)
 424                            ? (long)(expect->timeout.expires - jiffies)/HZ : 0);
 425         else
 426                 seq_printf(s, "- ");
 427         seq_printf(s, "l3proto = %u proto=%u ",
 428                    expect->tuple.src.l3num,
 429                    expect->tuple.dst.protonum);
 430         print_tuple(s, &expect->tuple,
 431                     __nf_ct_l3proto_find(expect->tuple.src.l3num),
 432                     __nf_ct_l4proto_find(expect->tuple.src.l3num,
 433                                        expect->tuple.dst.protonum));
 434         return seq_putc(s, '\n');
 435 }
 436
 437 static struct seq_operations exp_seq_ops = {
 438         .start = exp_seq_start,
 439         .next = exp_seq_next,
 440         .stop = exp_seq_stop,
 441         .show = exp_seq_show
 442 };
 443
 444 static int exp_open(struct inode *inode, struct file *file)
 445 {
 446         return seq_open(file, &exp_seq_ops);
 447 }
 448
 449 const struct file_operations exp_file_ops = {
 450         .owner   = THIS_MODULE,
 451         .open    = exp_open,
 452         .read    = seq_read,
 453         .llseek  = seq_lseek,
 454         .release = seq_release
 455 };
 456 #endif /* CONFIG_PROC_FS */
 457
 458 static int __init exp_proc_init(void)
 459 {
 460 #ifdef CONFIG_PROC_FS
 461         struct proc_dir_entry *proc;
 462
 463         proc = proc_net_fops_create("nf_conntrack_expect", 0440, &exp_file_ops);
 464         if (!proc)
 465                 return -ENOMEM;
 466 #endif /* CONFIG_PROC_FS */
 467         return 0;
 468 }
 469
 470 static void exp_proc_remove(void)
 471 {
 472 #ifdef CONFIG_PROC_FS
 473         proc_net_remove("nf_conntrack_expect");
 474 #endif /* CONFIG_PROC_FS */
 475 }
 476
 477 module_param_named(expect_hashsize, nf_ct_expect_hsize, uint, 0600);
 478
 479 int __init nf_conntrack_expect_init(void)
 480 {
 481         int err = -ENOMEM;
 482
 483         if (!nf_ct_expect_hsize) {
 484                 nf_ct_expect_hsize = nf_conntrack_htable_size / 256;
 485                 if (!nf_ct_expect_hsize)
 486                         nf_ct_expect_hsize = 1;
 487         }
 488
 489         nf_ct_expect_hash = nf_ct_alloc_hashtable(&nf_ct_expect_hsize,
 490                                                   &nf_ct_expect_vmalloc);
 491         if (nf_ct_expect_hash == NULL)
 492                 goto err1;
 493
 494         nf_ct_expect_cachep = kmem_cache_create("nf_conntrack_expect",
 495                                         sizeof(struct nf_conntrack_expect),
 496                                         0, 0, NULL, NULL);
 497         if (!nf_ct_expect_cachep)
 498                 goto err2;
 499
 500         err = exp_proc_init();
 501         if (err < 0)
 502                 goto err3;
 503
 504         return 0;
 505
 506 err3:
 507         nf_ct_free_hashtable(nf_ct_expect_hash, nf_ct_expect_vmalloc,
 508                              nf_ct_expect_hsize);
 509 err2:
 510         kmem_cache_destroy(nf_ct_expect_cachep);
 511 err1:
 512         return err;
 513 }
 514
 515 void nf_conntrack_expect_fini(void)
 516 {
 517         exp_proc_remove();
 518         kmem_cache_destroy(nf_ct_expect_cachep);
 519         nf_ct_free_hashtable(nf_ct_expect_hash, nf_ct_expect_vmalloc,
 520                              nf_ct_expect_hsize);
 521 }