2019-05-22 16:51:23 +09:00
|
|
|
// SPDX-License-Identifier: GPL-2.0-or-later
|
2012-02-29 03:13:48 +09:00
|
|
|
/*
|
|
|
|
|
* (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
|
|
|
|
|
* (C) 2012 by Vyatta Inc. <http://www.vyatta.com>
|
|
|
|
|
*/
|
|
|
|
|
#include <linux/init.h>
|
|
|
|
|
#include <linux/module.h>
|
|
|
|
|
#include <linux/kernel.h>
|
|
|
|
|
#include <linux/rculist.h>
|
|
|
|
|
#include <linux/rculist_nulls.h>
|
|
|
|
|
#include <linux/types.h>
|
|
|
|
|
#include <linux/timer.h>
|
|
|
|
|
#include <linux/security.h>
|
|
|
|
|
#include <linux/skbuff.h>
|
|
|
|
|
#include <linux/errno.h>
|
|
|
|
|
#include <linux/netlink.h>
|
|
|
|
|
#include <linux/spinlock.h>
|
|
|
|
|
#include <linux/interrupt.h>
|
|
|
|
|
#include <linux/slab.h>
|
|
|
|
|
|
|
|
|
|
#include <linux/netfilter.h>
|
|
|
|
|
#include <net/netlink.h>
|
|
|
|
|
#include <net/sock.h>
|
|
|
|
|
#include <net/netfilter/nf_conntrack.h>
|
|
|
|
|
#include <net/netfilter/nf_conntrack_core.h>
|
|
|
|
|
#include <net/netfilter/nf_conntrack_l4proto.h>
|
|
|
|
|
#include <net/netfilter/nf_conntrack_tuple.h>
|
2012-02-29 10:19:19 +09:00
|
|
|
#include <net/netfilter/nf_conntrack_timeout.h>
|
2012-02-29 03:13:48 +09:00
|
|
|
|
|
|
|
|
#include <linux/netfilter/nfnetlink.h>
|
|
|
|
|
#include <linux/netfilter/nfnetlink_cttimeout.h>
|
|
|
|
|
|
|
|
|
|
MODULE_LICENSE("GPL");
|
|
|
|
|
MODULE_AUTHOR("Pablo Neira Ayuso <pablo@netfilter.org>");
|
|
|
|
|
MODULE_DESCRIPTION("cttimeout: Extended Netfilter Connection Tracking timeout tuning");
|
|
|
|
|
|
|
|
|
|
static const struct nla_policy cttimeout_nla_policy[CTA_TIMEOUT_MAX+1] = {
|
2012-11-21 10:37:38 +09:00
|
|
|
[CTA_TIMEOUT_NAME] = { .type = NLA_NUL_STRING,
|
|
|
|
|
.len = CTNL_TIMEOUT_NAME_MAX - 1},
|
2012-02-29 03:13:48 +09:00
|
|
|
[CTA_TIMEOUT_L3PROTO] = { .type = NLA_U16 },
|
|
|
|
|
[CTA_TIMEOUT_L4PROTO] = { .type = NLA_U8 },
|
|
|
|
|
[CTA_TIMEOUT_DATA] = { .type = NLA_NESTED },
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static int
|
2018-06-29 14:46:50 +09:00
|
|
|
ctnl_timeout_parse_policy(void *timeout,
|
2017-08-01 19:25:01 +09:00
|
|
|
const struct nf_conntrack_l4proto *l4proto,
|
2013-09-05 03:57:48 +09:00
|
|
|
struct net *net, const struct nlattr *attr)
|
2012-02-29 03:13:48 +09:00
|
|
|
{
|
2018-03-13 08:14:42 +09:00
|
|
|
struct nlattr **tb;
|
2012-02-29 03:13:48 +09:00
|
|
|
int ret = 0;
|
|
|
|
|
|
2018-03-13 08:14:42 +09:00
|
|
|
tb = kcalloc(l4proto->ctnl_timeout.nlattr_max + 1, sizeof(*tb),
|
|
|
|
|
GFP_KERNEL);
|
2012-02-29 03:13:48 +09:00
|
|
|
|
2018-03-13 08:14:42 +09:00
|
|
|
if (!tb)
|
|
|
|
|
return -ENOMEM;
|
|
|
|
|
|
netlink: make validation more configurable for future strictness
We currently have two levels of strict validation:
1) liberal (default)
- undefined (type >= max) & NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
- garbage at end of message accepted
2) strict (opt-in)
- NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
Split out parsing strictness into four different options:
* TRAILING - check that there's no trailing data after parsing
attributes (in message or nested)
* MAXTYPE - reject attrs > max known type
* UNSPEC - reject attributes with NLA_UNSPEC policy entries
* STRICT_ATTRS - strictly validate attribute size
The default for future things should be *everything*.
The current *_strict() is a combination of TRAILING and MAXTYPE,
and is renamed to _deprecated_strict().
The current regular parsing has none of this, and is renamed to
*_parse_deprecated().
Additionally it allows us to selectively set one of the new flags
even on old policies. Notably, the UNSPEC flag could be useful in
this case, since it can be arranged (by filling in the policy) to
not be an incompatible userspace ABI change, but would then going
forward prevent forgetting attribute entries. Similar can apply
to the POLICY flag.
We end up with the following renames:
* nla_parse -> nla_parse_deprecated
* nla_parse_strict -> nla_parse_deprecated_strict
* nlmsg_parse -> nlmsg_parse_deprecated
* nlmsg_parse_strict -> nlmsg_parse_deprecated_strict
* nla_parse_nested -> nla_parse_nested_deprecated
* nla_validate_nested -> nla_validate_nested_deprecated
Using spatch, of course:
@@
expression TB, MAX, HEAD, LEN, POL, EXT;
@@
-nla_parse(TB, MAX, HEAD, LEN, POL, EXT)
+nla_parse_deprecated(TB, MAX, HEAD, LEN, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression TB, MAX, NLA, POL, EXT;
@@
-nla_parse_nested(TB, MAX, NLA, POL, EXT)
+nla_parse_nested_deprecated(TB, MAX, NLA, POL, EXT)
@@
expression START, MAX, POL, EXT;
@@
-nla_validate_nested(START, MAX, POL, EXT)
+nla_validate_nested_deprecated(START, MAX, POL, EXT)
@@
expression NLH, HDRLEN, MAX, POL, EXT;
@@
-nlmsg_validate(NLH, HDRLEN, MAX, POL, EXT)
+nlmsg_validate_deprecated(NLH, HDRLEN, MAX, POL, EXT)
For this patch, don't actually add the strict, non-renamed versions
yet so that it breaks compile if I get it wrong.
Also, while at it, make nla_validate and nla_parse go down to a
common __nla_validate_parse() function to avoid code duplication.
Ultimately, this allows us to have very strict validation for every
new caller of nla_parse()/nlmsg_parse() etc as re-introduced in the
next patch, while existing things will continue to work as is.
In effect then, this adds fully strict validation for any new command.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-04-26 21:07:28 +09:00
|
|
|
ret = nla_parse_nested_deprecated(tb,
|
|
|
|
|
l4proto->ctnl_timeout.nlattr_max,
|
|
|
|
|
attr,
|
|
|
|
|
l4proto->ctnl_timeout.nla_policy,
|
|
|
|
|
NULL);
|
2018-03-13 08:14:42 +09:00
|
|
|
if (ret < 0)
|
|
|
|
|
goto err;
|
|
|
|
|
|
2018-06-29 14:46:50 +09:00
|
|
|
ret = l4proto->ctnl_timeout.nlattr_to_obj(tb, net, timeout);
|
2018-03-13 08:14:42 +09:00
|
|
|
|
|
|
|
|
err:
|
|
|
|
|
kfree(tb);
|
2012-02-29 03:13:48 +09:00
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2015-12-16 02:41:56 +09:00
|
|
|
static int cttimeout_new_timeout(struct net *net, struct sock *ctnl,
|
|
|
|
|
struct sk_buff *skb,
|
|
|
|
|
const struct nlmsghdr *nlh,
|
2017-06-20 02:35:46 +09:00
|
|
|
const struct nlattr * const cda[],
|
|
|
|
|
struct netlink_ext_ack *extack)
|
2012-02-29 03:13:48 +09:00
|
|
|
{
|
|
|
|
|
__u16 l3num;
|
|
|
|
|
__u8 l4num;
|
2017-08-12 07:57:08 +09:00
|
|
|
const struct nf_conntrack_l4proto *l4proto;
|
2012-02-29 03:13:48 +09:00
|
|
|
struct ctnl_timeout *timeout, *matching = NULL;
|
|
|
|
|
char *name;
|
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
|
|
if (!cda[CTA_TIMEOUT_NAME] ||
|
|
|
|
|
!cda[CTA_TIMEOUT_L3PROTO] ||
|
|
|
|
|
!cda[CTA_TIMEOUT_L4PROTO] ||
|
|
|
|
|
!cda[CTA_TIMEOUT_DATA])
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
|
|
name = nla_data(cda[CTA_TIMEOUT_NAME]);
|
|
|
|
|
l3num = ntohs(nla_get_be16(cda[CTA_TIMEOUT_L3PROTO]));
|
|
|
|
|
l4num = nla_get_u8(cda[CTA_TIMEOUT_L4PROTO]);
|
|
|
|
|
|
2015-12-09 22:07:40 +09:00
|
|
|
list_for_each_entry(timeout, &net->nfct_timeout_list, head) {
|
2012-02-29 03:13:48 +09:00
|
|
|
if (strncmp(timeout->name, name, CTNL_TIMEOUT_NAME_MAX) != 0)
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
if (nlh->nlmsg_flags & NLM_F_EXCL)
|
|
|
|
|
return -EEXIST;
|
|
|
|
|
|
|
|
|
|
matching = timeout;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (matching) {
|
|
|
|
|
if (nlh->nlmsg_flags & NLM_F_REPLACE) {
|
|
|
|
|
/* You cannot replace one timeout policy by another of
|
|
|
|
|
* different kind, sorry.
|
|
|
|
|
*/
|
2018-08-08 00:14:15 +09:00
|
|
|
if (matching->timeout.l3num != l3num ||
|
|
|
|
|
matching->timeout.l4proto->l4proto != l4num)
|
2016-08-22 22:58:17 +09:00
|
|
|
return -EINVAL;
|
|
|
|
|
|
2018-08-08 00:14:15 +09:00
|
|
|
return ctnl_timeout_parse_policy(&matching->timeout.data,
|
|
|
|
|
matching->timeout.l4proto,
|
|
|
|
|
net, cda[CTA_TIMEOUT_DATA]);
|
2012-02-29 03:13:48 +09:00
|
|
|
}
|
2016-08-22 22:58:17 +09:00
|
|
|
|
|
|
|
|
return -EBUSY;
|
|
|
|
|
}
|
|
|
|
|
|
2019-01-16 06:03:47 +09:00
|
|
|
l4proto = nf_ct_l4proto_find(l4num);
|
2016-08-22 22:58:17 +09:00
|
|
|
|
|
|
|
|
/* This protocol is not supportted, skip. */
|
|
|
|
|
if (l4proto->l4proto != l4num) {
|
|
|
|
|
ret = -EOPNOTSUPP;
|
2012-03-23 07:40:01 +09:00
|
|
|
goto err_proto_put;
|
2012-02-29 03:13:48 +09:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
timeout = kzalloc(sizeof(struct ctnl_timeout) +
|
|
|
|
|
l4proto->ctnl_timeout.obj_size, GFP_KERNEL);
|
2012-03-23 07:40:01 +09:00
|
|
|
if (timeout == NULL) {
|
|
|
|
|
ret = -ENOMEM;
|
|
|
|
|
goto err_proto_put;
|
|
|
|
|
}
|
2012-02-29 03:13:48 +09:00
|
|
|
|
2018-08-08 00:14:15 +09:00
|
|
|
ret = ctnl_timeout_parse_policy(&timeout->timeout.data, l4proto, net,
|
2012-02-29 03:13:48 +09:00
|
|
|
cda[CTA_TIMEOUT_DATA]);
|
|
|
|
|
if (ret < 0)
|
|
|
|
|
goto err;
|
|
|
|
|
|
|
|
|
|
strcpy(timeout->name, nla_data(cda[CTA_TIMEOUT_NAME]));
|
2018-08-08 00:14:15 +09:00
|
|
|
timeout->timeout.l3num = l3num;
|
|
|
|
|
timeout->timeout.l4proto = l4proto;
|
2017-03-16 17:03:34 +09:00
|
|
|
refcount_set(&timeout->refcnt, 1);
|
2015-12-09 22:07:40 +09:00
|
|
|
list_add_tail_rcu(&timeout->head, &net->nfct_timeout_list);
|
2012-02-29 03:13:48 +09:00
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
err:
|
|
|
|
|
kfree(timeout);
|
2012-03-23 07:40:01 +09:00
|
|
|
err_proto_put:
|
2012-02-29 03:13:48 +09:00
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int
|
2012-09-08 05:12:54 +09:00
|
|
|
ctnl_timeout_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
|
2012-02-29 03:13:48 +09:00
|
|
|
int event, struct ctnl_timeout *timeout)
|
|
|
|
|
{
|
|
|
|
|
struct nlmsghdr *nlh;
|
|
|
|
|
struct nfgenmsg *nfmsg;
|
2012-09-08 05:12:54 +09:00
|
|
|
unsigned int flags = portid ? NLM_F_MULTI : 0;
|
2018-08-08 00:14:15 +09:00
|
|
|
const struct nf_conntrack_l4proto *l4proto = timeout->timeout.l4proto;
|
2018-09-11 09:31:11 +09:00
|
|
|
struct nlattr *nest_parms;
|
|
|
|
|
int ret;
|
2012-02-29 03:13:48 +09:00
|
|
|
|
2017-03-29 01:57:32 +09:00
|
|
|
event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_TIMEOUT, event);
|
2012-09-08 05:12:54 +09:00
|
|
|
nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
|
2012-02-29 03:13:48 +09:00
|
|
|
if (nlh == NULL)
|
|
|
|
|
goto nlmsg_failure;
|
|
|
|
|
|
|
|
|
|
nfmsg = nlmsg_data(nlh);
|
|
|
|
|
nfmsg->nfgen_family = AF_UNSPEC;
|
|
|
|
|
nfmsg->version = NFNETLINK_V0;
|
|
|
|
|
nfmsg->res_id = 0;
|
|
|
|
|
|
2012-04-02 07:46:00 +09:00
|
|
|
if (nla_put_string(skb, CTA_TIMEOUT_NAME, timeout->name) ||
|
2018-08-08 00:14:15 +09:00
|
|
|
nla_put_be16(skb, CTA_TIMEOUT_L3PROTO,
|
|
|
|
|
htons(timeout->timeout.l3num)) ||
|
|
|
|
|
nla_put_u8(skb, CTA_TIMEOUT_L4PROTO, l4proto->l4proto) ||
|
2012-04-02 07:46:00 +09:00
|
|
|
nla_put_be32(skb, CTA_TIMEOUT_USE,
|
2017-03-16 17:03:34 +09:00
|
|
|
htonl(refcount_read(&timeout->refcnt))))
|
2012-04-02 07:46:00 +09:00
|
|
|
goto nla_put_failure;
|
2012-02-29 03:13:48 +09:00
|
|
|
|
2019-04-26 18:13:06 +09:00
|
|
|
nest_parms = nla_nest_start(skb, CTA_TIMEOUT_DATA);
|
2018-09-11 09:31:11 +09:00
|
|
|
if (!nest_parms)
|
|
|
|
|
goto nla_put_failure;
|
2012-02-29 03:13:48 +09:00
|
|
|
|
2018-09-11 09:31:11 +09:00
|
|
|
ret = l4proto->ctnl_timeout.obj_to_nlattr(skb, &timeout->timeout.data);
|
|
|
|
|
if (ret < 0)
|
|
|
|
|
goto nla_put_failure;
|
2012-02-29 03:13:48 +09:00
|
|
|
|
2018-09-11 09:31:11 +09:00
|
|
|
nla_nest_end(skb, nest_parms);
|
2012-03-23 07:40:01 +09:00
|
|
|
|
2012-02-29 03:13:48 +09:00
|
|
|
nlmsg_end(skb, nlh);
|
|
|
|
|
return skb->len;
|
|
|
|
|
|
|
|
|
|
nlmsg_failure:
|
|
|
|
|
nla_put_failure:
|
|
|
|
|
nlmsg_cancel(skb, nlh);
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int
|
|
|
|
|
ctnl_timeout_dump(struct sk_buff *skb, struct netlink_callback *cb)
|
|
|
|
|
{
|
2015-12-09 22:07:40 +09:00
|
|
|
struct net *net = sock_net(skb->sk);
|
2012-02-29 03:13:48 +09:00
|
|
|
struct ctnl_timeout *cur, *last;
|
|
|
|
|
|
|
|
|
|
if (cb->args[2])
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
last = (struct ctnl_timeout *)cb->args[1];
|
|
|
|
|
if (cb->args[1])
|
|
|
|
|
cb->args[1] = 0;
|
|
|
|
|
|
|
|
|
|
rcu_read_lock();
|
2015-12-09 22:07:40 +09:00
|
|
|
list_for_each_entry_rcu(cur, &net->nfct_timeout_list, head) {
|
2013-06-01 22:36:02 +09:00
|
|
|
if (last) {
|
|
|
|
|
if (cur != last)
|
|
|
|
|
continue;
|
2012-02-29 03:13:48 +09:00
|
|
|
|
2013-06-01 22:36:02 +09:00
|
|
|
last = NULL;
|
|
|
|
|
}
|
2012-09-08 05:12:54 +09:00
|
|
|
if (ctnl_timeout_fill_info(skb, NETLINK_CB(cb->skb).portid,
|
2012-02-29 03:13:48 +09:00
|
|
|
cb->nlh->nlmsg_seq,
|
|
|
|
|
NFNL_MSG_TYPE(cb->nlh->nlmsg_type),
|
|
|
|
|
IPCTNL_MSG_TIMEOUT_NEW, cur) < 0) {
|
|
|
|
|
cb->args[1] = (unsigned long)cur;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (!cb->args[1])
|
|
|
|
|
cb->args[2] = 1;
|
|
|
|
|
rcu_read_unlock();
|
|
|
|
|
return skb->len;
|
|
|
|
|
}
|
|
|
|
|
|
2015-12-16 02:41:56 +09:00
|
|
|
static int cttimeout_get_timeout(struct net *net, struct sock *ctnl,
|
|
|
|
|
struct sk_buff *skb,
|
|
|
|
|
const struct nlmsghdr *nlh,
|
2017-06-20 02:35:46 +09:00
|
|
|
const struct nlattr * const cda[],
|
|
|
|
|
struct netlink_ext_ack *extack)
|
2012-02-29 03:13:48 +09:00
|
|
|
{
|
|
|
|
|
int ret = -ENOENT;
|
|
|
|
|
char *name;
|
|
|
|
|
struct ctnl_timeout *cur;
|
|
|
|
|
|
|
|
|
|
if (nlh->nlmsg_flags & NLM_F_DUMP) {
|
|
|
|
|
struct netlink_dump_control c = {
|
|
|
|
|
.dump = ctnl_timeout_dump,
|
|
|
|
|
};
|
|
|
|
|
return netlink_dump_start(ctnl, skb, nlh, &c);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!cda[CTA_TIMEOUT_NAME])
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
name = nla_data(cda[CTA_TIMEOUT_NAME]);
|
|
|
|
|
|
2015-12-09 22:07:40 +09:00
|
|
|
list_for_each_entry(cur, &net->nfct_timeout_list, head) {
|
2012-02-29 03:13:48 +09:00
|
|
|
struct sk_buff *skb2;
|
|
|
|
|
|
|
|
|
|
if (strncmp(cur->name, name, CTNL_TIMEOUT_NAME_MAX) != 0)
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
|
|
|
|
|
if (skb2 == NULL) {
|
|
|
|
|
ret = -ENOMEM;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2012-09-08 05:12:54 +09:00
|
|
|
ret = ctnl_timeout_fill_info(skb2, NETLINK_CB(skb).portid,
|
2012-02-29 03:13:48 +09:00
|
|
|
nlh->nlmsg_seq,
|
|
|
|
|
NFNL_MSG_TYPE(nlh->nlmsg_type),
|
|
|
|
|
IPCTNL_MSG_TIMEOUT_NEW, cur);
|
|
|
|
|
if (ret <= 0) {
|
|
|
|
|
kfree_skb(skb2);
|
|
|
|
|
break;
|
|
|
|
|
}
|
2012-09-08 05:12:54 +09:00
|
|
|
ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid,
|
2012-02-29 03:13:48 +09:00
|
|
|
MSG_DONTWAIT);
|
|
|
|
|
if (ret > 0)
|
|
|
|
|
ret = 0;
|
|
|
|
|
|
|
|
|
|
/* this avoids a loop in nfnetlink. */
|
|
|
|
|
return ret == -EAGAIN ? -ENOBUFS : ret;
|
|
|
|
|
}
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* try to delete object, fail if it is still in use. */
|
2015-12-09 22:07:40 +09:00
|
|
|
static int ctnl_timeout_try_del(struct net *net, struct ctnl_timeout *timeout)
|
2012-02-29 03:13:48 +09:00
|
|
|
{
|
|
|
|
|
int ret = 0;
|
|
|
|
|
|
2016-08-18 21:39:05 +09:00
|
|
|
/* We want to avoid races with ctnl_timeout_put. So only when the
|
|
|
|
|
* current refcnt is 1, we decrease it to 0.
|
|
|
|
|
*/
|
2017-03-16 17:03:34 +09:00
|
|
|
if (refcount_dec_if_one(&timeout->refcnt)) {
|
2012-02-29 03:13:48 +09:00
|
|
|
/* We are protected by nfnl mutex. */
|
|
|
|
|
list_del_rcu(&timeout->head);
|
2018-08-08 00:14:15 +09:00
|
|
|
nf_ct_untimeout(net, &timeout->timeout);
|
2012-02-29 03:13:48 +09:00
|
|
|
kfree_rcu(timeout, rcu_head);
|
|
|
|
|
} else {
|
|
|
|
|
ret = -EBUSY;
|
|
|
|
|
}
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2015-12-16 02:41:56 +09:00
|
|
|
static int cttimeout_del_timeout(struct net *net, struct sock *ctnl,
|
|
|
|
|
struct sk_buff *skb,
|
|
|
|
|
const struct nlmsghdr *nlh,
|
2017-06-20 02:35:46 +09:00
|
|
|
const struct nlattr * const cda[],
|
|
|
|
|
struct netlink_ext_ack *extack)
|
2012-02-29 03:13:48 +09:00
|
|
|
{
|
2016-08-22 22:58:16 +09:00
|
|
|
struct ctnl_timeout *cur, *tmp;
|
2012-02-29 03:13:48 +09:00
|
|
|
int ret = -ENOENT;
|
2015-12-16 02:41:56 +09:00
|
|
|
char *name;
|
2012-02-29 03:13:48 +09:00
|
|
|
|
|
|
|
|
if (!cda[CTA_TIMEOUT_NAME]) {
|
2016-08-22 22:58:16 +09:00
|
|
|
list_for_each_entry_safe(cur, tmp, &net->nfct_timeout_list,
|
|
|
|
|
head)
|
2015-12-09 22:07:40 +09:00
|
|
|
ctnl_timeout_try_del(net, cur);
|
2012-02-29 03:13:48 +09:00
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
name = nla_data(cda[CTA_TIMEOUT_NAME]);
|
|
|
|
|
|
2015-12-09 22:07:40 +09:00
|
|
|
list_for_each_entry(cur, &net->nfct_timeout_list, head) {
|
2012-02-29 03:13:48 +09:00
|
|
|
if (strncmp(cur->name, name, CTNL_TIMEOUT_NAME_MAX) != 0)
|
|
|
|
|
continue;
|
|
|
|
|
|
2015-12-09 22:07:40 +09:00
|
|
|
ret = ctnl_timeout_try_del(net, cur);
|
2012-02-29 03:13:48 +09:00
|
|
|
if (ret < 0)
|
|
|
|
|
return ret;
|
|
|
|
|
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2015-12-16 02:41:56 +09:00
|
|
|
static int cttimeout_default_set(struct net *net, struct sock *ctnl,
|
|
|
|
|
struct sk_buff *skb,
|
|
|
|
|
const struct nlmsghdr *nlh,
|
2017-06-20 02:35:46 +09:00
|
|
|
const struct nlattr * const cda[],
|
|
|
|
|
struct netlink_ext_ack *extack)
|
2013-09-05 03:57:48 +09:00
|
|
|
{
|
2017-08-12 07:57:08 +09:00
|
|
|
const struct nf_conntrack_l4proto *l4proto;
|
2013-09-05 03:57:48 +09:00
|
|
|
__u8 l4num;
|
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
|
|
if (!cda[CTA_TIMEOUT_L3PROTO] ||
|
|
|
|
|
!cda[CTA_TIMEOUT_L4PROTO] ||
|
|
|
|
|
!cda[CTA_TIMEOUT_DATA])
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
|
|
l4num = nla_get_u8(cda[CTA_TIMEOUT_L4PROTO]);
|
2019-01-16 06:03:47 +09:00
|
|
|
l4proto = nf_ct_l4proto_find(l4num);
|
2013-09-05 03:57:48 +09:00
|
|
|
|
|
|
|
|
/* This protocol is not supported, skip. */
|
|
|
|
|
if (l4proto->l4proto != l4num) {
|
|
|
|
|
ret = -EOPNOTSUPP;
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
|
2018-06-29 14:46:50 +09:00
|
|
|
ret = ctnl_timeout_parse_policy(NULL, l4proto, net,
|
2013-09-05 03:57:48 +09:00
|
|
|
cda[CTA_TIMEOUT_DATA]);
|
|
|
|
|
if (ret < 0)
|
|
|
|
|
goto err;
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
err:
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int
|
|
|
|
|
cttimeout_default_fill_info(struct net *net, struct sk_buff *skb, u32 portid,
|
2018-09-17 19:02:54 +09:00
|
|
|
u32 seq, u32 type, int event, u16 l3num,
|
2018-11-02 08:14:00 +09:00
|
|
|
const struct nf_conntrack_l4proto *l4proto,
|
|
|
|
|
const unsigned int *timeouts)
|
2013-09-05 03:57:48 +09:00
|
|
|
{
|
|
|
|
|
struct nlmsghdr *nlh;
|
|
|
|
|
struct nfgenmsg *nfmsg;
|
|
|
|
|
unsigned int flags = portid ? NLM_F_MULTI : 0;
|
2018-09-11 09:31:11 +09:00
|
|
|
struct nlattr *nest_parms;
|
|
|
|
|
int ret;
|
2013-09-05 03:57:48 +09:00
|
|
|
|
2017-03-29 01:57:32 +09:00
|
|
|
event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_TIMEOUT, event);
|
2013-09-05 03:57:48 +09:00
|
|
|
nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
|
|
|
|
|
if (nlh == NULL)
|
|
|
|
|
goto nlmsg_failure;
|
|
|
|
|
|
|
|
|
|
nfmsg = nlmsg_data(nlh);
|
|
|
|
|
nfmsg->nfgen_family = AF_UNSPEC;
|
|
|
|
|
nfmsg->version = NFNETLINK_V0;
|
|
|
|
|
nfmsg->res_id = 0;
|
|
|
|
|
|
2018-09-17 19:02:54 +09:00
|
|
|
if (nla_put_be16(skb, CTA_TIMEOUT_L3PROTO, htons(l3num)) ||
|
2013-09-05 03:57:48 +09:00
|
|
|
nla_put_u8(skb, CTA_TIMEOUT_L4PROTO, l4proto->l4proto))
|
|
|
|
|
goto nla_put_failure;
|
|
|
|
|
|
2019-04-26 18:13:06 +09:00
|
|
|
nest_parms = nla_nest_start(skb, CTA_TIMEOUT_DATA);
|
2018-09-11 09:31:11 +09:00
|
|
|
if (!nest_parms)
|
|
|
|
|
goto nla_put_failure;
|
2013-09-05 03:57:48 +09:00
|
|
|
|
2018-11-02 08:14:00 +09:00
|
|
|
ret = l4proto->ctnl_timeout.obj_to_nlattr(skb, timeouts);
|
2018-09-11 09:31:11 +09:00
|
|
|
if (ret < 0)
|
|
|
|
|
goto nla_put_failure;
|
2013-09-05 03:57:48 +09:00
|
|
|
|
2018-09-11 09:31:11 +09:00
|
|
|
nla_nest_end(skb, nest_parms);
|
2013-09-05 03:57:48 +09:00
|
|
|
|
|
|
|
|
nlmsg_end(skb, nlh);
|
|
|
|
|
return skb->len;
|
|
|
|
|
|
|
|
|
|
nlmsg_failure:
|
|
|
|
|
nla_put_failure:
|
|
|
|
|
nlmsg_cancel(skb, nlh);
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
|
|
|
|
|
2015-12-16 02:41:56 +09:00
|
|
|
static int cttimeout_default_get(struct net *net, struct sock *ctnl,
|
|
|
|
|
struct sk_buff *skb,
|
2013-09-05 03:57:48 +09:00
|
|
|
const struct nlmsghdr *nlh,
|
2017-06-20 02:35:46 +09:00
|
|
|
const struct nlattr * const cda[],
|
|
|
|
|
struct netlink_ext_ack *extack)
|
2013-09-05 03:57:48 +09:00
|
|
|
{
|
2017-08-12 07:57:08 +09:00
|
|
|
const struct nf_conntrack_l4proto *l4proto;
|
2018-11-02 08:14:00 +09:00
|
|
|
unsigned int *timeouts = NULL;
|
2013-09-05 03:57:48 +09:00
|
|
|
struct sk_buff *skb2;
|
|
|
|
|
int ret, err;
|
2017-08-12 07:57:08 +09:00
|
|
|
__u16 l3num;
|
|
|
|
|
__u8 l4num;
|
2013-09-05 03:57:48 +09:00
|
|
|
|
|
|
|
|
if (!cda[CTA_TIMEOUT_L3PROTO] || !cda[CTA_TIMEOUT_L4PROTO])
|
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
|
|
l3num = ntohs(nla_get_be16(cda[CTA_TIMEOUT_L3PROTO]));
|
|
|
|
|
l4num = nla_get_u8(cda[CTA_TIMEOUT_L4PROTO]);
|
2019-01-16 06:03:47 +09:00
|
|
|
l4proto = nf_ct_l4proto_find(l4num);
|
2013-09-05 03:57:48 +09:00
|
|
|
|
2018-11-02 08:14:00 +09:00
|
|
|
err = -EOPNOTSUPP;
|
|
|
|
|
if (l4proto->l4proto != l4num)
|
2013-09-05 03:57:48 +09:00
|
|
|
goto err;
|
2018-11-02 08:14:00 +09:00
|
|
|
|
|
|
|
|
switch (l4proto->l4proto) {
|
|
|
|
|
case IPPROTO_ICMP:
|
|
|
|
|
timeouts = &nf_icmp_pernet(net)->timeout;
|
|
|
|
|
break;
|
|
|
|
|
case IPPROTO_TCP:
|
|
|
|
|
timeouts = nf_tcp_pernet(net)->timeouts;
|
|
|
|
|
break;
|
2018-11-17 19:32:29 +09:00
|
|
|
case IPPROTO_UDP: /* fallthrough */
|
|
|
|
|
case IPPROTO_UDPLITE:
|
2018-11-02 08:14:00 +09:00
|
|
|
timeouts = nf_udp_pernet(net)->timeouts;
|
|
|
|
|
break;
|
|
|
|
|
case IPPROTO_DCCP:
|
|
|
|
|
#ifdef CONFIG_NF_CT_PROTO_DCCP
|
|
|
|
|
timeouts = nf_dccp_pernet(net)->dccp_timeout;
|
|
|
|
|
#endif
|
|
|
|
|
break;
|
|
|
|
|
case IPPROTO_ICMPV6:
|
|
|
|
|
timeouts = &nf_icmpv6_pernet(net)->timeout;
|
|
|
|
|
break;
|
|
|
|
|
case IPPROTO_SCTP:
|
|
|
|
|
#ifdef CONFIG_NF_CT_PROTO_SCTP
|
|
|
|
|
timeouts = nf_sctp_pernet(net)->timeouts;
|
2018-11-17 19:32:29 +09:00
|
|
|
#endif
|
|
|
|
|
break;
|
|
|
|
|
case IPPROTO_GRE:
|
|
|
|
|
#ifdef CONFIG_NF_CT_PROTO_GRE
|
2019-01-16 06:03:35 +09:00
|
|
|
timeouts = nf_gre_pernet(net)->timeouts;
|
2018-11-02 08:14:00 +09:00
|
|
|
#endif
|
|
|
|
|
break;
|
|
|
|
|
case 255:
|
|
|
|
|
timeouts = &nf_generic_pernet(net)->timeout;
|
|
|
|
|
break;
|
|
|
|
|
default:
|
2018-11-17 19:32:29 +09:00
|
|
|
WARN_ONCE(1, "Missing timeouts for proto %d", l4proto->l4proto);
|
2018-11-02 08:14:00 +09:00
|
|
|
break;
|
2013-09-05 03:57:48 +09:00
|
|
|
}
|
|
|
|
|
|
2018-11-02 08:14:00 +09:00
|
|
|
if (!timeouts)
|
|
|
|
|
goto err;
|
|
|
|
|
|
2013-09-05 03:57:48 +09:00
|
|
|
skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
|
|
|
|
|
if (skb2 == NULL) {
|
|
|
|
|
err = -ENOMEM;
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ret = cttimeout_default_fill_info(net, skb2, NETLINK_CB(skb).portid,
|
|
|
|
|
nlh->nlmsg_seq,
|
|
|
|
|
NFNL_MSG_TYPE(nlh->nlmsg_type),
|
|
|
|
|
IPCTNL_MSG_TIMEOUT_DEFAULT_SET,
|
2018-11-02 08:14:00 +09:00
|
|
|
l3num, l4proto, timeouts);
|
2013-09-05 03:57:48 +09:00
|
|
|
if (ret <= 0) {
|
|
|
|
|
kfree_skb(skb2);
|
|
|
|
|
err = -ENOMEM;
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
ret = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).portid, MSG_DONTWAIT);
|
|
|
|
|
if (ret > 0)
|
|
|
|
|
ret = 0;
|
|
|
|
|
|
|
|
|
|
/* this avoids a loop in nfnetlink. */
|
|
|
|
|
return ret == -EAGAIN ? -ENOBUFS : ret;
|
|
|
|
|
err:
|
|
|
|
|
return err;
|
|
|
|
|
}
|
|
|
|
|
|
2018-09-03 20:53:22 +09:00
|
|
|
static struct nf_ct_timeout *ctnl_timeout_find_get(struct net *net,
|
|
|
|
|
const char *name)
|
2012-02-29 10:19:19 +09:00
|
|
|
{
|
|
|
|
|
struct ctnl_timeout *timeout, *matching = NULL;
|
|
|
|
|
|
2015-12-09 22:07:40 +09:00
|
|
|
list_for_each_entry_rcu(timeout, &net->nfct_timeout_list, head) {
|
2012-02-29 10:19:19 +09:00
|
|
|
if (strncmp(timeout->name, name, CTNL_TIMEOUT_NAME_MAX) != 0)
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
if (!try_module_get(THIS_MODULE))
|
|
|
|
|
goto err;
|
|
|
|
|
|
2017-03-16 17:03:34 +09:00
|
|
|
if (!refcount_inc_not_zero(&timeout->refcnt)) {
|
2012-02-29 10:19:19 +09:00
|
|
|
module_put(THIS_MODULE);
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
matching = timeout;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
err:
|
2018-09-03 20:53:22 +09:00
|
|
|
return matching ? &matching->timeout : NULL;
|
2012-02-29 10:19:19 +09:00
|
|
|
}
|
|
|
|
|
|
2018-08-08 00:14:15 +09:00
|
|
|
static void ctnl_timeout_put(struct nf_ct_timeout *t)
|
2012-02-29 10:19:19 +09:00
|
|
|
{
|
2018-08-08 00:14:15 +09:00
|
|
|
struct ctnl_timeout *timeout =
|
|
|
|
|
container_of(t, struct ctnl_timeout, timeout);
|
|
|
|
|
|
2017-03-16 17:03:34 +09:00
|
|
|
if (refcount_dec_and_test(&timeout->refcnt))
|
2016-08-18 21:39:05 +09:00
|
|
|
kfree_rcu(timeout, rcu_head);
|
|
|
|
|
|
2012-02-29 10:19:19 +09:00
|
|
|
module_put(THIS_MODULE);
|
|
|
|
|
}
|
|
|
|
|
|
2012-02-29 03:13:48 +09:00
|
|
|
static const struct nfnl_callback cttimeout_cb[IPCTNL_MSG_TIMEOUT_MAX] = {
|
|
|
|
|
[IPCTNL_MSG_TIMEOUT_NEW] = { .call = cttimeout_new_timeout,
|
|
|
|
|
.attr_count = CTA_TIMEOUT_MAX,
|
|
|
|
|
.policy = cttimeout_nla_policy },
|
|
|
|
|
[IPCTNL_MSG_TIMEOUT_GET] = { .call = cttimeout_get_timeout,
|
|
|
|
|
.attr_count = CTA_TIMEOUT_MAX,
|
|
|
|
|
.policy = cttimeout_nla_policy },
|
|
|
|
|
[IPCTNL_MSG_TIMEOUT_DELETE] = { .call = cttimeout_del_timeout,
|
|
|
|
|
.attr_count = CTA_TIMEOUT_MAX,
|
|
|
|
|
.policy = cttimeout_nla_policy },
|
2013-09-05 03:57:48 +09:00
|
|
|
[IPCTNL_MSG_TIMEOUT_DEFAULT_SET]= { .call = cttimeout_default_set,
|
|
|
|
|
.attr_count = CTA_TIMEOUT_MAX,
|
|
|
|
|
.policy = cttimeout_nla_policy },
|
|
|
|
|
[IPCTNL_MSG_TIMEOUT_DEFAULT_GET]= { .call = cttimeout_default_get,
|
|
|
|
|
.attr_count = CTA_TIMEOUT_MAX,
|
|
|
|
|
.policy = cttimeout_nla_policy },
|
2012-02-29 03:13:48 +09:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static const struct nfnetlink_subsystem cttimeout_subsys = {
|
|
|
|
|
.name = "conntrack_timeout",
|
|
|
|
|
.subsys_id = NFNL_SUBSYS_CTNETLINK_TIMEOUT,
|
|
|
|
|
.cb_count = IPCTNL_MSG_TIMEOUT_MAX,
|
|
|
|
|
.cb = cttimeout_cb,
|
|
|
|
|
};
|
|
|
|
|
|
|
|
|
|
MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK_TIMEOUT);
|
|
|
|
|
|
2015-12-09 22:07:40 +09:00
|
|
|
static int __net_init cttimeout_net_init(struct net *net)
|
|
|
|
|
{
|
|
|
|
|
INIT_LIST_HEAD(&net->nfct_timeout_list);
|
|
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void __net_exit cttimeout_net_exit(struct net *net)
|
|
|
|
|
{
|
|
|
|
|
struct ctnl_timeout *cur, *tmp;
|
|
|
|
|
|
2017-07-26 07:02:32 +09:00
|
|
|
nf_ct_unconfirmed_destroy(net);
|
2018-08-08 00:14:10 +09:00
|
|
|
nf_ct_untimeout(net, NULL);
|
2015-12-09 22:07:40 +09:00
|
|
|
|
|
|
|
|
list_for_each_entry_safe(cur, tmp, &net->nfct_timeout_list, head) {
|
|
|
|
|
list_del_rcu(&cur->head);
|
2016-08-18 21:39:05 +09:00
|
|
|
|
2017-03-16 17:03:34 +09:00
|
|
|
if (refcount_dec_and_test(&cur->refcnt))
|
2016-08-18 21:39:05 +09:00
|
|
|
kfree_rcu(cur, rcu_head);
|
2015-12-09 22:07:40 +09:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static struct pernet_operations cttimeout_ops = {
|
|
|
|
|
.init = cttimeout_net_init,
|
|
|
|
|
.exit = cttimeout_net_exit,
|
|
|
|
|
};
|
|
|
|
|
|
2012-02-29 03:13:48 +09:00
|
|
|
static int __init cttimeout_init(void)
|
|
|
|
|
{
|
|
|
|
|
int ret;
|
|
|
|
|
|
2015-12-09 22:07:40 +09:00
|
|
|
ret = register_pernet_subsys(&cttimeout_ops);
|
|
|
|
|
if (ret < 0)
|
|
|
|
|
return ret;
|
|
|
|
|
|
2012-02-29 03:13:48 +09:00
|
|
|
ret = nfnetlink_subsys_register(&cttimeout_subsys);
|
|
|
|
|
if (ret < 0) {
|
|
|
|
|
pr_err("cttimeout_init: cannot register cttimeout with "
|
|
|
|
|
"nfnetlink.\n");
|
|
|
|
|
goto err_out;
|
|
|
|
|
}
|
2012-02-29 10:19:19 +09:00
|
|
|
RCU_INIT_POINTER(nf_ct_timeout_find_get_hook, ctnl_timeout_find_get);
|
|
|
|
|
RCU_INIT_POINTER(nf_ct_timeout_put_hook, ctnl_timeout_put);
|
2012-02-29 03:13:48 +09:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
err_out:
|
2015-12-09 22:07:40 +09:00
|
|
|
unregister_pernet_subsys(&cttimeout_ops);
|
2012-02-29 03:13:48 +09:00
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void __exit cttimeout_exit(void)
|
|
|
|
|
{
|
|
|
|
|
nfnetlink_subsys_unregister(&cttimeout_subsys);
|
2015-10-05 23:51:01 +09:00
|
|
|
|
2015-12-09 22:07:40 +09:00
|
|
|
unregister_pernet_subsys(&cttimeout_ops);
|
2012-02-29 10:19:19 +09:00
|
|
|
RCU_INIT_POINTER(nf_ct_timeout_find_get_hook, NULL);
|
|
|
|
|
RCU_INIT_POINTER(nf_ct_timeout_put_hook, NULL);
|
netfilter: invoke synchronize_rcu after set the _hook_ to NULL
Otherwise, another CPU may access the invalid pointer. For example:
CPU0 CPU1
- rcu_read_lock();
- pfunc = _hook_;
_hook_ = NULL; -
mod unload -
- pfunc(); // invalid, panic
- rcu_read_unlock();
So we must call synchronize_rcu() to wait the rcu reader to finish.
Also note, in nf_nat_snmp_basic_fini, synchronize_rcu() will be invoked
by later nf_conntrack_helper_unregister, but I'm inclined to add a
explicit synchronize_rcu after set the nf_nat_snmp_hook to NULL. Depend
on such obscure assumptions is not a good idea.
Last, in nfnetlink_cttimeout, we use kfree_rcu to free the time object,
so in cttimeout_exit, invoking rcu_barrier() is not necessary at all,
remove it too.
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2017-03-25 09:53:12 +09:00
|
|
|
synchronize_rcu();
|
2012-02-29 03:13:48 +09:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
module_init(cttimeout_init);
|
|
|
|
|
module_exit(cttimeout_exit);
|