Release 4.10 net/netfilter/nft_ct.c
/*
* Copyright (c) 2008-2009 Patrick McHardy <kaber@trash.net>
* Copyright (c) 2016 Pablo Neira Ayuso <pablo@netfilter.org>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*
* Development of this code funded by Astaro AG (http://www.astaro.com/)
*/
#include <linux/kernel.h>
#include <linux/init.h>
#include <linux/module.h>
#include <linux/netlink.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables.h>
#include <net/netfilter/nf_conntrack.h>
#include <net/netfilter/nf_conntrack_acct.h>
#include <net/netfilter/nf_conntrack_tuple.h>
#include <net/netfilter/nf_conntrack_helper.h>
#include <net/netfilter/nf_conntrack_ecache.h>
#include <net/netfilter/nf_conntrack_labels.h>
struct nft_ct {
enum nft_ct_keys key:8;
enum ip_conntrack_dir dir:8;
union {
enum nft_registers dreg:8;
enum nft_registers sreg:8;
};
};
static u64 nft_ct_get_eval_counter(const struct nf_conn_counter *c,
enum nft_ct_keys k,
enum ip_conntrack_dir d)
{
if (d < IP_CT_DIR_MAX)
return k == NFT_CT_BYTES ? atomic64_read(&c[d].bytes) :
atomic64_read(&c[d].packets);
return nft_ct_get_eval_counter(c, k, IP_CT_DIR_ORIGINAL) +
nft_ct_get_eval_counter(c, k, IP_CT_DIR_REPLY);
}
Contributors
| Person | Tokens | Prop | Commits | CommitProp |
| florian westphal | florian westphal | 72 | 100.00% | 1 | 100.00% |
| Total | 72 | 100.00% | 1 | 100.00% |
static void nft_ct_get_eval(const struct nft_expr *expr,
struct nft_regs *regs,
const struct nft_pktinfo *pkt)
{
const struct nft_ct *priv = nft_expr_priv(expr);
u32 *dest = ®s->data[priv->dreg];
enum ip_conntrack_info ctinfo;
const struct nf_conn *ct;
const struct nf_conn_help *help;
const struct nf_conntrack_tuple *tuple;
const struct nf_conntrack_helper *helper;
unsigned int state;
ct = nf_ct_get(pkt->skb, &ctinfo);
switch (priv->key) {
case NFT_CT_STATE:
if (ct == NULL)
state = NF_CT_STATE_INVALID_BIT;
else if (nf_ct_is_untracked(ct))
state = NF_CT_STATE_UNTRACKED_BIT;
else
state = NF_CT_STATE_BIT(ctinfo);
*dest = state;
return;
default:
break;
}
if (ct == NULL)
goto err;
switch (priv->key) {
case NFT_CT_DIRECTION:
*dest = CTINFO2DIR(ctinfo);
return;
case NFT_CT_STATUS:
*dest = ct->status;
return;
#ifdef CONFIG_NF_CONNTRACK_MARK
case NFT_CT_MARK:
*dest = ct->mark;
return;
#endif
#ifdef CONFIG_NF_CONNTRACK_SECMARK
case NFT_CT_SECMARK:
*dest = ct->secmark;
return;
#endif
case NFT_CT_EXPIRATION:
*dest = jiffies_to_msecs(nf_ct_expires(ct));
return;
case NFT_CT_HELPER:
if (ct->master == NULL)
goto err;
help = nfct_help(ct->master);
if (help == NULL)
goto err;
helper = rcu_dereference(help->helper);
if (helper == NULL)
goto err;
strncpy((char *)dest, helper->name, NF_CT_HELPER_NAME_LEN);
return;
#ifdef CONFIG_NF_CONNTRACK_LABELS
case NFT_CT_LABELS: {
struct nf_conn_labels *labels = nf_ct_labels_find(ct);
if (labels)
memcpy(dest, labels->bits, NF_CT_LABELS_MAX_SIZE);
else
memset(dest, 0, NF_CT_LABELS_MAX_SIZE);
return;
}
#endif
case NFT_CT_BYTES: /* fallthrough */
case NFT_CT_PKTS: {
const struct nf_conn_acct *acct = nf_conn_acct_find(ct);
u64 count = 0;
if (acct)
count = nft_ct_get_eval_counter(acct->counter,
priv->key, priv->dir);
memcpy(dest, &count, sizeof(count));
return;
}
case NFT_CT_L3PROTOCOL:
*dest = nf_ct_l3num(ct);
return;
case NFT_CT_PROTOCOL:
*dest = nf_ct_protonum(ct);
return;
default:
break;
}
tuple = &ct->tuplehash[priv->dir].tuple;
switch (priv->key) {
case NFT_CT_SRC:
memcpy(dest, tuple->src.u3.all,
nf_ct_l3num(ct) == NFPROTO_IPV4 ? 4 : 16);
return;
case NFT_CT_DST:
memcpy(dest, tuple->dst.u3.all,
nf_ct_l3num(ct) == NFPROTO_IPV4 ? 4 : 16);
return;
case NFT_CT_PROTO_SRC:
*dest = (__force __u16)tuple->src.u.all;
return;
case NFT_CT_PROTO_DST:
*dest = (__force __u16)tuple->dst.u.all;
return;
default:
break;
}
return;
err:
regs->verdict.code = NFT_BREAK;
}
Contributors
| Person | Tokens | Prop | Commits | CommitProp |
| patrick mchardy | patrick mchardy | 415 | 74.77% | 3 | 27.27% |
| florian westphal | florian westphal | 107 | 19.28% | 4 | 36.36% |
| liping zhang | liping zhang | 24 | 4.32% | 1 | 9.09% |
| david s. miller | david s. miller | 6 | 1.08% | 1 | 9.09% |
| pablo neira ayuso | pablo neira ayuso | 2 | 0.36% | 1 | 9.09% |
| kristian evensen | kristian evensen | 1 | 0.18% | 1 | 9.09% |
| Total | 555 | 100.00% | 11 | 100.00% |
static void nft_ct_set_eval(const struct nft_expr *expr,
struct nft_regs *regs,
const struct nft_pktinfo *pkt)
{
const struct nft_ct *priv = nft_expr_priv(expr);
struct sk_buff *skb = pkt->skb;
#ifdef CONFIG_NF_CONNTRACK_MARK
u32 value = regs->data[priv->sreg];
#endif
enum ip_conntrack_info ctinfo;
struct nf_conn *ct;
ct = nf_ct_get(skb, &ctinfo);
if (ct == NULL)
return;
switch (priv->key) {
#ifdef CONFIG_NF_CONNTRACK_MARK
case NFT_CT_MARK:
if (ct->mark != value) {
ct->mark = value;
nf_conntrack_event_cache(IPCT_MARK, ct);
}
break;
#endif
#ifdef CONFIG_NF_CONNTRACK_LABELS
case NFT_CT_LABELS:
nf_connlabels_replace(ct,
®s->data[priv->sreg],
®s->data[priv->sreg],
NF_CT_LABELS_MAX_SIZE / sizeof(u32));
break;
#endif
default:
break;
}
}
Contributors
| Person | Tokens | Prop | Commits | CommitProp |
| kristian evensen | kristian evensen | 121 | 71.60% | 2 | 40.00% |
| florian westphal | florian westphal | 41 | 24.26% | 1 | 20.00% |
| patrick mchardy | patrick mchardy | 5 | 2.96% | 1 | 20.00% |
| david s. miller | david s. miller | 2 | 1.18% | 1 | 20.00% |
| Total | 169 | 100.00% | 5 | 100.00% |
static const struct nla_policy nft_ct_policy[NFTA_CT_MAX + 1] = {
[NFTA_CT_DREG] = { .type = NLA_U32 },
[NFTA_CT_KEY] = { .type = NLA_U32 },
[NFTA_CT_DIRECTION] = { .type = NLA_U8 },
[NFTA_CT_SREG] = { .type = NLA_U32 },
};
static int nft_ct_netns_get(struct net *net, uint8_t family)
{
int err;
if (family == NFPROTO_INET) {
err = nf_ct_netns_get(net, NFPROTO_IPV4);
if (err < 0)
goto err1;
err = nf_ct_netns_get(net, NFPROTO_IPV6);
if (err < 0)
goto err2;
} else {
err = nf_ct_netns_get(net, family);
if (err < 0)
goto err1;
}
return 0;
err2:
nf_ct_netns_put(net, NFPROTO_IPV4);
err1:
return err;
}
Contributors
| Person | Tokens | Prop | Commits | CommitProp |
| patrick mchardy | patrick mchardy | 81 | 81.82% | 1 | 50.00% |
| florian westphal | florian westphal | 18 | 18.18% | 1 | 50.00% |
| Total | 99 | 100.00% | 2 | 100.00% |
static void nft_ct_netns_put(struct net *net, uint8_t family)
{
if (family == NFPROTO_INET) {
nf_ct_netns_put(net, NFPROTO_IPV4);
nf_ct_netns_put(net, NFPROTO_IPV6);
} else
nf_ct_netns_put(net, family);
}
Contributors
| Person | Tokens | Prop | Commits | CommitProp |
| patrick mchardy | patrick mchardy | 29 | 65.91% | 1 | 50.00% |
| florian westphal | florian westphal | 15 | 34.09% | 1 | 50.00% |
| Total | 44 | 100.00% | 2 | 100.00% |
static int nft_ct_get_init(const struct nft_ctx *ctx,
const struct nft_expr *expr,
const struct nlattr * const tb[])
{
struct nft_ct *priv = nft_expr_priv(expr);
unsigned int len;
int err;
priv->key = ntohl(nla_get_be32(tb[NFTA_CT_KEY]));
switch (priv->key) {
case NFT_CT_DIRECTION:
if (tb[NFTA_CT_DIRECTION] != NULL)
return -EINVAL;
len = sizeof(u8);
break;
case NFT_CT_STATE:
case NFT_CT_STATUS:
#ifdef CONFIG_NF_CONNTRACK_MARK
case NFT_CT_MARK:
#endif
#ifdef CONFIG_NF_CONNTRACK_SECMARK
case NFT_CT_SECMARK:
#endif
case NFT_CT_EXPIRATION:
if (tb[NFTA_CT_DIRECTION] != NULL)
return -EINVAL;
len = sizeof(u32);
break;
#ifdef CONFIG_NF_CONNTRACK_LABELS
case NFT_CT_LABELS:
if (tb[NFTA_CT_DIRECTION] != NULL)
return -EINVAL;
len = NF_CT_LABELS_MAX_SIZE;
break;
#endif
case NFT_CT_HELPER:
if (tb[NFTA_CT_DIRECTION] != NULL)
return -EINVAL;
len = NF_CT_HELPER_NAME_LEN;
break;
case NFT_CT_L3PROTOCOL:
case NFT_CT_PROTOCOL:
/* For compatibility, do not report error if NFTA_CT_DIRECTION
* attribute is specified.
*/
len = sizeof(u8);
break;
case NFT_CT_SRC:
case NFT_CT_DST:
if (tb[NFTA_CT_DIRECTION] == NULL)
return -EINVAL;
switch (ctx->afi->family) {
case NFPROTO_IPV4:
len = FIELD_SIZEOF(struct nf_conntrack_tuple,
src.u3.ip);
break;
case NFPROTO_IPV6:
case NFPROTO_INET:
len = FIELD_SIZEOF(struct nf_conntrack_tuple,
src.u3.ip6);
break;
default:
return -EAFNOSUPPORT;
}
break;
case NFT_CT_PROTO_SRC:
case NFT_CT_PROTO_DST:
if (tb[NFTA_CT_DIRECTION] == NULL)
return -EINVAL;
len = FIELD_SIZEOF(struct nf_conntrack_tuple, src.u.all);
break;
case NFT_CT_BYTES:
case NFT_CT_PKTS:
/* no direction? return sum of original + reply */
if (tb[NFTA_CT_DIRECTION] == NULL)
priv->dir = IP_CT_DIR_MAX;
len = sizeof(u64);
break;
default:
return -EOPNOTSUPP;
}
if (tb[NFTA_CT_DIRECTION] != NULL) {
priv->dir = nla_get_u8(tb[NFTA_CT_DIRECTION]);
switch (priv->dir) {
case IP_CT_DIR_ORIGINAL:
case IP_CT_DIR_REPLY:
break;
default:
return -EINVAL;
}
}
priv->dreg = nft_parse_register(tb[NFTA_CT_DREG]);
err = nft_validate_register_store(ctx, priv->dreg, NULL,
NFT_DATA_VALUE, len);
if (err < 0)
return err;
err = nft_ct_netns_get(ctx->net, ctx->afi->family);
if (err < 0)
return err;
if (priv->key == NFT_CT_BYTES || priv->key == NFT_CT_PKTS)
nf_ct_set_acct(ctx->net, true);
return 0;
}
Contributors
| Person | Tokens | Prop | Commits | CommitProp |
| patrick mchardy | patrick mchardy | 369 | 78.18% | 6 | 50.00% |
| florian westphal | florian westphal | 43 | 9.11% | 3 | 25.00% |
| kristian evensen | kristian evensen | 36 | 7.63% | 1 | 8.33% |
| liping zhang | liping zhang | 24 | 5.08% | 2 | 16.67% |
| Total | 472 | 100.00% | 12 | 100.00% |
static int nft_ct_set_init(const struct nft_ctx *ctx,
const struct nft_expr *expr,
const struct nlattr * const tb[])
{
struct nft_ct *priv = nft_expr_priv(expr);
bool label_got = false;
unsigned int len;
int err;
priv->key = ntohl(nla_get_be32(tb[NFTA_CT_KEY]));
switch (priv->key) {
#ifdef CONFIG_NF_CONNTRACK_MARK
case NFT_CT_MARK:
if (tb[NFTA_CT_DIRECTION])
return -EINVAL;
len = FIELD_SIZEOF(struct nf_conn, mark);
break;
#endif
#ifdef CONFIG_NF_CONNTRACK_LABELS
case NFT_CT_LABELS:
if (tb[NFTA_CT_DIRECTION])
return -EINVAL;
len = NF_CT_LABELS_MAX_SIZE;
err = nf_connlabels_get(ctx->net, (len * BITS_PER_BYTE) - 1);
if (err)
return err;
label_got = true;
break;
#endif
default:
return -EOPNOTSUPP;
}
priv->sreg = nft_parse_register(tb[NFTA_CT_SREG]);
err = nft_validate_register_load(priv->sreg, len);
if (err < 0)
goto err1;
err = nft_ct_netns_get(ctx->net, ctx->afi->family);
if (err < 0)
goto err1;
return 0;
err1:
if (label_got)
nf_connlabels_put(ctx->net);
return err;
}
Contributors
| Person | Tokens | Prop | Commits | CommitProp |
| patrick mchardy | patrick mchardy | 104 | 44.64% | 4 | 44.44% |
| florian westphal | florian westphal | 53 | 22.75% | 2 | 22.22% |
| liping zhang | liping zhang | 41 | 17.60% | 2 | 22.22% |
| kristian evensen | kristian evensen | 35 | 15.02% | 1 | 11.11% |
| Total | 233 | 100.00% | 9 | 100.00% |
static void nft_ct_get_destroy(const struct nft_ctx *ctx,
const struct nft_expr *expr)
{
nf_ct_netns_put(ctx->net, ctx->afi->family);
}
Contributors
| Person | Tokens | Prop | Commits | CommitProp |
| liping zhang | liping zhang | 26 | 83.87% | 1 | 50.00% |
| florian westphal | florian westphal | 5 | 16.13% | 1 | 50.00% |
| Total | 31 | 100.00% | 2 | 100.00% |
static void nft_ct_set_destroy(const struct nft_ctx *ctx,
const struct nft_expr *expr)
{
struct nft_ct *priv = nft_expr_priv(expr);
switch (priv->key) {
#ifdef CONFIG_NF_CONNTRACK_LABELS
case NFT_CT_LABELS:
nf_connlabels_put(ctx->net);
break;
#endif
default:
break;
}
nft_ct_netns_put(ctx->net, ctx->afi->family);
}
Contributors
| Person | Tokens | Prop | Commits | CommitProp |
| florian westphal | florian westphal | 41 | 61.19% | 2 | 33.33% |
| patrick mchardy | patrick mchardy | 25 | 37.31% | 3 | 50.00% |
| liping zhang | liping zhang | 1 | 1.49% | 1 | 16.67% |
| Total | 67 | 100.00% | 6 | 100.00% |
static int nft_ct_get_dump(struct sk_buff *skb, const struct nft_expr *expr)
{
const struct nft_ct *priv = nft_expr_priv(expr);
if (nft_dump_register(skb, NFTA_CT_DREG, priv->dreg))
goto nla_put_failure;
if (nla_put_be32(skb, NFTA_CT_KEY, htonl(priv->key)))
goto nla_put_failure;
switch (priv->key) {
case NFT_CT_SRC:
case NFT_CT_DST:
case NFT_CT_PROTO_SRC:
case NFT_CT_PROTO_DST:
if (nla_put_u8(skb, NFTA_CT_DIRECTION, priv->dir))
goto nla_put_failure;
break;
case NFT_CT_BYTES:
case NFT_CT_PKTS:
if (priv->dir < IP_CT_DIR_MAX &&
nla_put_u8(skb, NFTA_CT_DIRECTION, priv->dir))
goto nla_put_failure;
break;
default:
break;
}
return 0;
nla_put_failure:
return -1;
}
Contributors
| Person | Tokens | Prop | Commits | CommitProp |
| patrick mchardy | patrick mchardy | 87 | 62.14% | 2 | 40.00% |
| florian westphal | florian westphal | 30 | 21.43% | 1 | 20.00% |
| arturo borrero gonzalez | arturo borrero gonzalez | 22 | 15.71% | 1 | 20.00% |
| kristian evensen | kristian evensen | 1 | 0.71% | 1 | 20.00% |
| Total | 140 | 100.00% | 5 | 100.00% |
static int nft_ct_set_dump(struct sk_buff *skb, const struct nft_expr *expr)
{
const struct nft_ct *priv = nft_expr_priv(expr);
if (nft_dump_register(skb, NFTA_CT_SREG, priv->sreg))
goto nla_put_failure;
if (nla_put_be32(skb, NFTA_CT_KEY, htonl(priv->key)))
goto nla_put_failure;
return 0;
nla_put_failure:
return -1;
}
Contributors
| Person | Tokens | Prop | Commits | CommitProp |
| kristian evensen | kristian evensen | 71 | 98.61% | 1 | 50.00% |
| patrick mchardy | patrick mchardy | 1 | 1.39% | 1 | 50.00% |
| Total | 72 | 100.00% | 2 | 100.00% |
static struct nft_expr_type nft_ct_type;
static const struct nft_expr_ops nft_ct_get_ops = {
.type = &nft_ct_type,
.size = NFT_EXPR_SIZE(sizeof(struct nft_ct)),
.eval = nft_ct_get_eval,
.init = nft_ct_get_init,
.destroy = nft_ct_get_destroy,
.dump = nft_ct_get_dump,
};
static const struct nft_expr_ops nft_ct_set_ops = {
.type = &nft_ct_type,
.size = NFT_EXPR_SIZE(sizeof(struct nft_ct)),
.eval = nft_ct_set_eval,
.init = nft_ct_set_init,
.destroy = nft_ct_set_destroy,
.dump = nft_ct_set_dump,
};
static const struct nft_expr_ops *
nft_ct_select_ops(const struct nft_ctx *ctx,
const struct nlattr * const tb[])
{
if (tb[NFTA_CT_KEY] == NULL)
return ERR_PTR(-EINVAL);
if (tb[NFTA_CT_DREG] && tb[NFTA_CT_SREG])
return ERR_PTR(-EINVAL);
if (tb[NFTA_CT_DREG])
return &nft_ct_get_ops;
if (tb[NFTA_CT_SREG])
return &nft_ct_set_ops;
return ERR_PTR(-EINVAL);
}
Contributors
| Person | Tokens | Prop | Commits | CommitProp |
| kristian evensen | kristian evensen | 87 | 100.00% | 1 | 100.00% |
| Total | 87 | 100.00% | 1 | 100.00% |
static struct nft_expr_type nft_ct_type __read_mostly = {
.name = "ct",
.select_ops = &nft_ct_select_ops,
.policy = nft_ct_policy,
.maxattr = NFTA_CT_MAX,
.owner = THIS_MODULE,
};
static void nft_notrack_eval(const struct nft_expr *expr,
struct nft_regs *regs,
const struct nft_pktinfo *pkt)
{
struct sk_buff *skb = pkt->skb;
enum ip_conntrack_info ctinfo;
struct nf_conn *ct;
ct = nf_ct_get(pkt->skb, &ctinfo);
/* Previously seen (loopback or untracked)? Ignore. */
if (ct)
return;
ct = nf_ct_untracked_get();
atomic_inc(&ct->ct_general.use);
skb->nfct = &ct->ct_general;
skb->nfctinfo = IP_CT_NEW;
}
Contributors
| Person | Tokens | Prop | Commits | CommitProp |
| pablo neira ayuso | pablo neira ayuso | 89 | 100.00% | 1 | 100.00% |
| Total | 89 | 100.00% | 1 | 100.00% |
static struct nft_expr_type nft_notrack_type;
static const struct nft_expr_ops nft_notrack_ops = {
.type = &nft_notrack_type,
.size = NFT_EXPR_SIZE(0),
.eval = nft_notrack_eval,
};
static struct nft_expr_type nft_notrack_type __read_mostly = {
.name = "notrack",
.ops = &nft_notrack_ops,
.owner = THIS_MODULE,
};
static int __init nft_ct_module_init(void)
{
int err;
BUILD_BUG_ON(NF_CT_LABELS_MAX_SIZE > NFT_REG_SIZE);
err = nft_register_expr(&nft_ct_type);
if (err < 0)
return err;
err = nft_register_expr(&nft_notrack_type);
if (err < 0)
goto err1;
return 0;
err1:
nft_unregister_expr(&nft_ct_type);
return err;
}
Contributors
| Person | Tokens | Prop | Commits | CommitProp |
| pablo neira ayuso | pablo neira ayuso | 44 | 65.67% | 1 | 25.00% |
| patrick mchardy | patrick mchardy | 16 | 23.88% | 2 | 50.00% |
| florian westphal | florian westphal | 7 | 10.45% | 1 | 25.00% |
| Total | 67 | 100.00% | 4 | 100.00% |
static void __exit nft_ct_module_exit(void)
{
nft_unregister_expr(&nft_notrack_type);
nft_unregister_expr(&nft_ct_type);
}
Contributors
| Person | Tokens | Prop | Commits | CommitProp |
| patrick mchardy | patrick mchardy | 15 | 71.43% | 2 | 66.67% |
| pablo neira ayuso | pablo neira ayuso | 6 | 28.57% | 1 | 33.33% |
| Total | 21 | 100.00% | 3 | 100.00% |
module_init(nft_ct_module_init);
module_exit(nft_ct_module_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_ALIAS_NFT_EXPR("ct");
MODULE_ALIAS_NFT_EXPR("notrack");
Overall Contributors
| Person | Tokens | Prop | Commits | CommitProp |
| patrick mchardy | patrick mchardy | 1351 | 52.67% | 13 | 43.33% |
| florian westphal | florian westphal | 438 | 17.08% | 7 | 23.33% |
| kristian evensen | kristian evensen | 425 | 16.57% | 2 | 6.67% |
| pablo neira ayuso | pablo neira ayuso | 203 | 7.91% | 2 | 6.67% |
| liping zhang | liping zhang | 118 | 4.60% | 4 | 13.33% |
| arturo borrero gonzalez | arturo borrero gonzalez | 22 | 0.86% | 1 | 3.33% |
| david s. miller | david s. miller | 8 | 0.31% | 1 | 3.33% |
| Total | 2565 | 100.00% | 30 | 100.00% |
Information contained on this website is for historical information purposes only and does not indicate or represent copyright ownership.