cregit-Linux how code gets into the kernel

Release 4.11 net/netfilter/nf_conntrack_expect.c

Directory: net/netfilter
/* Expectation handling for nf_conntrack. */

/* (C) 1999-2001 Paul `Rusty' Russell
 * (C) 2002-2006 Netfilter Core Team <coreteam@netfilter.org>
 * (C) 2003,2004 USAGI/WIDE Project <http://www.linux-ipv6.org>
 * (c) 2005-2012 Patrick McHardy <kaber@trash.net>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */

#include <linux/types.h>
#include <linux/netfilter.h>
#include <linux/skbuff.h>
#include <linux/proc_fs.h>
#include <linux/seq_file.h>
#include <linux/stddef.h>
#include <linux/slab.h>
#include <linux/err.h>
#include <linux/percpu.h>
#include <linux/kernel.h>
#include <linux/jhash.h>
#include <linux/moduleparam.h>
#include <linux/export.h>
#include <net/net_namespace.h>
#include <net/netns/hash.h>

#include <net/netfilter/nf_conntrack.h>
#include <net/netfilter/nf_conntrack_core.h>
#include <net/netfilter/nf_conntrack_expect.h>
#include <net/netfilter/nf_conntrack_helper.h>
#include <net/netfilter/nf_conntrack_tuple.h>
#include <net/netfilter/nf_conntrack_zones.h>


unsigned int nf_ct_expect_hsize __read_mostly;

EXPORT_SYMBOL_GPL(nf_ct_expect_hsize);


struct hlist_head *nf_ct_expect_hash __read_mostly;

EXPORT_SYMBOL_GPL(nf_ct_expect_hash);


unsigned int nf_ct_expect_max __read_mostly;


static struct kmem_cache *nf_ct_expect_cachep __read_mostly;

static unsigned int nf_ct_expect_hashrnd __read_mostly;

/* nf_conntrack_expect helper functions */

void nf_ct_unlink_expect_report(struct nf_conntrack_expect *exp, u32 portid, int report) { struct nf_conn_help *master_help = nfct_help(exp->master); struct net *net = nf_ct_exp_net(exp); NF_CT_ASSERT(master_help); NF_CT_ASSERT(!timer_pending(&exp->timeout)); hlist_del_rcu(&exp->hnode); net->ct.expect_count--; hlist_del_rcu(&exp->lnode); master_help->expecting[exp->class]--; nf_ct_expect_event_report(IPEXP_DESTROY, exp, portid, report); nf_ct_expect_put(exp); NF_CT_STAT_INC(net, expect_delete); }

Contributors

PersonTokensPropCommitsCommitProp
Martin Josefsson4540.54%18.33%
Patrick McHardy2724.32%650.00%
Pablo Neira Ayuso2118.92%216.67%
Alexey Dobriyan1715.32%216.67%
Liping Zhang10.90%18.33%
Total111100.00%12100.00%

EXPORT_SYMBOL_GPL(nf_ct_unlink_expect_report);
static void nf_ct_expectation_timed_out(unsigned long ul_expect) { struct nf_conntrack_expect *exp = (void *)ul_expect; spin_lock_bh(&nf_conntrack_expect_lock); nf_ct_unlink_expect(exp); spin_unlock_bh(&nf_conntrack_expect_lock); nf_ct_expect_put(exp); }

Contributors

PersonTokensPropCommitsCommitProp
Martin Josefsson3786.05%125.00%
Patrick McHardy49.30%250.00%
Jesper Dangaard Brouer24.65%125.00%
Total43100.00%4100.00%


static unsigned int nf_ct_expect_dst_hash(const struct net *n, const struct nf_conntrack_tuple *tuple) { unsigned int hash, seed; get_random_once(&nf_ct_expect_hashrnd, sizeof(nf_ct_expect_hashrnd)); seed = nf_ct_expect_hashrnd ^ net_hash_mix(n); hash = jhash2(tuple->dst.u3.all, ARRAY_SIZE(tuple->dst.u3.all), (((tuple->dst.protonum ^ tuple->src.l3num) << 16) | (__force __u16)tuple->dst.u.all) ^ seed); return reciprocal_scale(hash, nf_ct_expect_hsize); }

Contributors

PersonTokensPropCommitsCommitProp
Patrick McHardy7769.37%233.33%
Florian Westphal2623.42%233.33%
Daniel Borkmann43.60%116.67%
Al Viro43.60%116.67%
Total111100.00%6100.00%


static bool nf_ct_exp_equal(const struct nf_conntrack_tuple *tuple, const struct nf_conntrack_expect *i, const struct nf_conntrack_zone *zone, const struct net *net) { return nf_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask) && net_eq(net, nf_ct_net(i->master)) && nf_ct_zone_equal_any(i->master, zone); }

Contributors

PersonTokensPropCommitsCommitProp
Florian Westphal67100.00%1100.00%
Total67100.00%1100.00%


struct nf_conntrack_expect * __nf_ct_expect_find(struct net *net, const struct nf_conntrack_zone *zone, const struct nf_conntrack_tuple *tuple) { struct nf_conntrack_expect *i; unsigned int h; if (!net->ct.expect_count) return NULL; h = nf_ct_expect_dst_hash(net, tuple); hlist_for_each_entry_rcu(i, &nf_ct_expect_hash[h], hnode) { if (nf_ct_exp_equal(tuple, i, zone, net)) return i; } return NULL; }

Contributors

PersonTokensPropCommitsCommitProp
Martin Josefsson3542.17%110.00%
Patrick McHardy2631.33%440.00%
Alexey Dobriyan1012.05%110.00%
Florian Westphal67.23%330.00%
Daniel Borkmann67.23%110.00%
Total83100.00%10100.00%

EXPORT_SYMBOL_GPL(__nf_ct_expect_find); /* Just find a expectation corresponding to a tuple. */
struct nf_conntrack_expect * nf_ct_expect_find_get(struct net *net, const struct nf_conntrack_zone *zone, const struct nf_conntrack_tuple *tuple) { struct nf_conntrack_expect *i; rcu_read_lock(); i = __nf_ct_expect_find(net, zone, tuple); if (i && !atomic_inc_not_zero(&i->use)) i = NULL; rcu_read_unlock(); return i; }

Contributors

PersonTokensPropCommitsCommitProp
Martin Josefsson3857.58%116.67%
Patrick McHardy1725.76%350.00%
Alexey Dobriyan710.61%116.67%
Daniel Borkmann46.06%116.67%
Total66100.00%6100.00%

EXPORT_SYMBOL_GPL(nf_ct_expect_find_get); /* If an expectation for this connection is found, it gets delete from * global list then returned. */
struct nf_conntrack_expect * nf_ct_find_expectation(struct net *net, const struct nf_conntrack_zone *zone, const struct nf_conntrack_tuple *tuple) { struct nf_conntrack_expect *i, *exp = NULL; unsigned int h; if (!net->ct.expect_count) return NULL; h = nf_ct_expect_dst_hash(net, tuple); hlist_for_each_entry(i, &nf_ct_expect_hash[h], hnode) { if (!(i->flags & NF_CT_EXPECT_INACTIVE) && nf_ct_exp_equal(tuple, i, zone, net)) { exp = i; break; } } if (!exp) return NULL; /* If master is not in hash table yet (ie. packet hasn't left this machine yet), how can other end know about expected? Hence these are not the droids you are looking for (if master ct never got confirmed, we'd hold a reference to it and weird things would happen to future packets). */ if (!nf_ct_is_confirmed(exp->master)) return NULL; /* Avoid race with other CPUs, that for exp->master ct, is * about to invoke ->destroy(), or nf_ct_delete() via timeout * or early_drop(). * * The atomic_inc_not_zero() check tells: If that fails, we * know that the ct is being destroyed. If it succeeds, we * can be sure the ct cannot disappear underneath. */ if (unlikely(nf_ct_is_dying(exp->master) || !atomic_inc_not_zero(&exp->master->ct_general.use))) return NULL; if (exp->flags & NF_CT_EXPECT_PERMANENT) { atomic_inc(&exp->use); return exp; } else if (del_timer(&exp->timeout)) { nf_ct_unlink_expect(exp); return exp; } /* Undo exp->master refcnt increase, if del_timer() failed */ nf_ct_put(exp->master); return NULL; }

Contributors

PersonTokensPropCommitsCommitProp
Martin Josefsson6532.18%19.09%
Patrick McHardy5527.23%327.27%
Jesper Dangaard Brouer3718.32%19.09%
Yasuyuki Kozakai2311.39%19.09%
Alexey Dobriyan104.95%19.09%
Daniel Borkmann62.97%19.09%
Florian Westphal62.97%327.27%
Total202100.00%11100.00%

/* delete all expectations for this conntrack */
void nf_ct_remove_expectations(struct nf_conn *ct) { struct nf_conn_help *help = nfct_help(ct); struct nf_conntrack_expect *exp; struct hlist_node *next; /* Optimization: most connection never expect any others. */ if (!help) return; spin_lock_bh(&nf_conntrack_expect_lock); hlist_for_each_entry_safe(exp, next, &help->expectations, lnode) { if (del_timer(&exp->timeout)) { nf_ct_unlink_expect(exp); nf_ct_expect_put(exp); } } spin_unlock_bh(&nf_conntrack_expect_lock); }

Contributors

PersonTokensPropCommitsCommitProp
Martin Josefsson5161.45%125.00%
Patrick McHardy2024.10%250.00%
Jesper Dangaard Brouer1214.46%125.00%
Total83100.00%4100.00%

EXPORT_SYMBOL_GPL(nf_ct_remove_expectations); /* Would two expected things clash? */
static inline int expect_clash(const struct nf_conntrack_expect *a, const struct nf_conntrack_expect *b) { /* Part covered by intersection of masks must be unequal, otherwise they clash */ struct nf_conntrack_tuple_mask intersect_mask; int count; intersect_mask.src.u.all = a->mask.src.u.all & b->mask.src.u.all; for (count = 0; count < NF_CT_TUPLE_L3SIZE; count++){ intersect_mask.src.u3.all[count] = a->mask.src.u3.all[count] & b->mask.src.u3.all[count]; } return nf_ct_tuple_mask_cmp(&a->tuple, &b->tuple, &intersect_mask) && net_eq(nf_ct_net(a->master), nf_ct_net(b->master)) && nf_ct_zone_equal_any(a->master, nf_ct_zone(b->master)); }

Contributors

PersonTokensPropCommitsCommitProp
Martin Josefsson12379.35%116.67%
Florian Westphal1710.97%116.67%
Joe Stringer117.10%116.67%
Daniel Borkmann31.94%233.33%
Patrick McHardy10.65%116.67%
Total155100.00%6100.00%


static inline int expect_matches(const struct nf_conntrack_expect *a, const struct nf_conntrack_expect *b) { return a->master == b->master && a->class == b->class && nf_ct_tuple_equal(&a->tuple, &b->tuple) && nf_ct_tuple_mask_equal(&a->mask, &b->mask) && net_eq(nf_ct_net(a->master), nf_ct_net(b->master)) && nf_ct_zone_equal_any(a->master, nf_ct_zone(b->master)); }

Contributors

PersonTokensPropCommitsCommitProp
Martin Josefsson5356.99%114.29%
Patrick McHardy2021.51%342.86%
Florian Westphal1718.28%114.29%
Daniel Borkmann33.23%228.57%
Total93100.00%7100.00%

/* Generally a bad idea to call this: could have matched already. */
void nf_ct_unexpect_related(struct nf_conntrack_expect *exp) { spin_lock_bh(&nf_conntrack_expect_lock); if (del_timer(&exp->timeout)) { nf_ct_unlink_expect(exp); nf_ct_expect_put(exp); } spin_unlock_bh(&nf_conntrack_expect_lock); }

Contributors

PersonTokensPropCommitsCommitProp
Martin Josefsson3579.55%120.00%
Patrick McHardy715.91%360.00%
Jesper Dangaard Brouer24.55%120.00%
Total44100.00%5100.00%

EXPORT_SYMBOL_GPL(nf_ct_unexpect_related); /* We don't increase the master conntrack refcount for non-fulfilled * conntracks. During the conntrack destruction, the expectations are * always killed before the conntrack itself */
struct nf_conntrack_expect *nf_ct_expect_alloc(struct nf_conn *me) { struct nf_conntrack_expect *new; new = kmem_cache_alloc(nf_ct_expect_cachep, GFP_ATOMIC); if (!new) return NULL; new->master = me; atomic_set(&new->use, 1); return new; }

Contributors

PersonTokensPropCommitsCommitProp
Martin Josefsson5196.23%150.00%
Patrick McHardy23.77%150.00%
Total53100.00%2100.00%

EXPORT_SYMBOL_GPL(nf_ct_expect_alloc);
void nf_ct_expect_init(struct nf_conntrack_expect *exp, unsigned int class, u_int8_t family, const union nf_inet_addr *saddr, const union nf_inet_addr *daddr, u_int8_t proto, const __be16 *src, const __be16 *dst) { int len; if (family == AF_INET) len = 4; else len = 16; exp->flags = 0; exp->class = class; exp->expectfn = NULL; exp->helper = NULL; exp->tuple.src.l3num = family; exp->tuple.dst.protonum = proto; if (saddr) { memcpy(&exp->tuple.src.u3, saddr, len); if (sizeof(exp->tuple.src.u3) > len) /* address needs to be cleared for nf_ct_tuple_equal */ memset((void *)&exp->tuple.src.u3 + len, 0x00, sizeof(exp->tuple.src.u3) - len); memset(&exp->mask.src.u3, 0xFF, len); if (sizeof(exp->mask.src.u3) > len) memset((void *)&exp->mask.src.u3 + len, 0x00, sizeof(exp->mask.src.u3) - len); } else { memset(&exp->tuple.src.u3, 0x00, sizeof(exp->tuple.src.u3)); memset(&exp->mask.src.u3, 0x00, sizeof(exp->mask.src.u3)); } if (src) { exp->tuple.src.u.all = *src; exp->mask.src.u.all = htons(0xFFFF); } else { exp->tuple.src.u.all = 0; exp->mask.src.u.all = 0; } memcpy(&exp->tuple.dst.u3, daddr, len); if (sizeof(exp->tuple.dst.u3) > len) /* address needs to be cleared for nf_ct_tuple_equal */ memset((void *)&exp->tuple.dst.u3 + len, 0x00, sizeof(exp->tuple.dst.u3) - len); exp->tuple.dst.u.all = *dst; #ifdef CONFIG_NF_NAT_NEEDED memset(&exp->saved_addr, 0, sizeof(exp->saved_addr)); memset(&exp->saved_proto, 0, sizeof(exp->saved_proto)); #endif }

Contributors

PersonTokensPropCommitsCommitProp
Patrick McHardy42590.43%555.56%
Pablo Neira Ayuso398.30%111.11%
Al Viro30.64%111.11%
Jan Engelhardt30.64%222.22%
Total470100.00%9100.00%

EXPORT_SYMBOL_GPL(nf_ct_expect_init);
static void nf_ct_expect_free_rcu(struct rcu_head *head) { struct nf_conntrack_expect *exp; exp = container_of(head, struct nf_conntrack_expect, rcu); kmem_cache_free(nf_ct_expect_cachep, exp); }

Contributors

PersonTokensPropCommitsCommitProp
Patrick McHardy35100.00%1100.00%
Total35100.00%1100.00%


void nf_ct_expect_put(struct nf_conntrack_expect *exp) { if (atomic_dec_and_test(&exp->use)) call_rcu(&exp->rcu, nf_ct_expect_free_rcu); }

Contributors

PersonTokensPropCommitsCommitProp
Martin Josefsson2376.67%133.33%
Patrick McHardy723.33%266.67%
Total30100.00%3100.00%

EXPORT_SYMBOL_GPL(nf_ct_expect_put);
static void nf_ct_expect_insert(struct nf_conntrack_expect *exp) { struct nf_conn_help *master_help = nfct_help(exp->master); struct nf_conntrack_helper *helper; struct net *net = nf_ct_exp_net(exp); unsigned int h = nf_ct_expect_dst_hash(net, &exp->tuple); /* two references : one for hash insert, one for the timer */ atomic_add(2, &exp->use); hlist_add_head_rcu(&exp->lnode, &master_help->expectations); master_help->expecting[exp->class]++; hlist_add_head_rcu(&exp->hnode, &nf_ct_expect_hash[h]); net->ct.expect_count++; setup_timer(&exp->timeout, nf_ct_expectation_timed_out, (unsigned long)exp); helper = rcu_dereference_protected(master_help->helper, lockdep_is_held(&nf_conntrack_expect_lock)); if (helper) { exp->timeout.expires = jiffies + helper->expect_policy[exp->class].timeout * HZ; } add_timer(&exp->timeout); NF_CT_STAT_INC(net, expect_create); }

Contributors

PersonTokensPropCommitsCommitProp
Martin Josefsson7340.56%15.56%
Patrick McHardy5228.89%633.33%
Pablo Neira Ayuso2011.11%211.11%
Alexey Dobriyan179.44%211.11%
Eric Dumazet126.67%211.11%
Florian Westphal31.67%211.11%
Liping Zhang10.56%15.56%
Gao Feng10.56%15.56%
Jesper Dangaard Brouer10.56%15.56%
Total180100.00%18100.00%

/* Race with expectations being used means we could have none to find; OK. */
static void evict_oldest_expect(struct nf_conn *master, struct nf_conntrack_expect *new) { struct nf_conn_help *master_help = nfct_help(master); struct nf_conntrack_expect *exp, *last = NULL; hlist_for_each_entry(exp, &master_help->expectations, lnode) { if (exp->class == new->class) last = exp; } if (last && del_timer(&last->timeout)) { nf_ct_unlink_expect(last); nf_ct_expect_put(last); } }

Contributors

PersonTokensPropCommitsCommitProp
Patrick McHardy4958.33%375.00%
Martin Josefsson3541.67%125.00%
Total84100.00%4100.00%


static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect) { const struct nf_conntrack_expect_policy *p; struct nf_conntrack_expect *i; struct nf_conn *master = expect->master; struct nf_conn_help *master_help = nfct_help(master); struct nf_conntrack_helper *helper; struct net *net = nf_ct_exp_net(expect); struct hlist_node *next; unsigned int h; int ret = 0; if (!master_help) { ret = -ESHUTDOWN; goto out; } h = nf_ct_expect_dst_hash(net, &expect->tuple); hlist_for_each_entry_safe(i, next, &nf_ct_expect_hash[h], hnode) { if (expect_matches(i, expect)) { if (del_timer(&i->timeout)) { nf_ct_unlink_expect(i); nf_ct_expect_put(i); break; } } else if (expect_clash(i, expect)) { ret = -EBUSY; goto out; } } /* Will be over limit? */ helper = rcu_dereference_protected(master_help->helper, lockdep_is_held(&nf_conntrack_expect_lock)); if (helper) { p = &helper->expect_policy[expect->class]; if (p->max_expected && master_help->expecting[expect->class] >= p->max_expected) { evict_oldest_expect(master, expect); if (master_help->expecting[expect->class] >= p->max_expected) { ret = -EMFILE; goto out; } } } if (net->ct.expect_count >= nf_ct_expect_max) { net_warn_ratelimited("nf_conntrack: expectation table full\n"); ret = -EMFILE; } out: return ret; }

Contributors

PersonTokensPropCommitsCommitProp
Patrick McHardy10136.33%423.53%
Martin Josefsson10035.97%15.88%
Pablo Neira Ayuso4716.91%423.53%
Alexey Dobriyan165.76%211.76%
Eric Dumazet82.88%15.88%
Florian Westphal31.08%211.76%
Jarno Rajahalme10.36%15.88%
Joe Perches10.36%15.88%
Jesper Dangaard Brouer10.36%15.88%
Total278100.00%17100.00%


int nf_ct_expect_related_report(struct nf_conntrack_expect *expect, u32 portid, int report) { int ret; spin_lock_bh(&nf_conntrack_expect_lock); ret = __nf_ct_expect_check(expect); if (ret < 0) goto out; nf_ct_expect_insert(expect); spin_unlock_bh(&nf_conntrack_expect_lock); nf_ct_expect_event_report(IPEXP_NEW, expect, portid, report); return 0; out: spin_unlock_bh(&nf_conntrack_expect_lock); return ret; }

Contributors

PersonTokensPropCommitsCommitProp
Pablo Neira Ayuso5875.32%225.00%
Martin Josefsson1114.29%112.50%
Jesper Dangaard Brouer33.90%112.50%
Patrick McHardy33.90%225.00%
Jarno Rajahalme22.60%225.00%
Total77100.00%8100.00%

EXPORT_SYMBOL_GPL(nf_ct_expect_related_report); #ifdef CONFIG_NF_CONNTRACK_PROCFS struct ct_expect_iter_state { struct seq_net_private p; unsigned int bucket; };
static struct hlist_node *ct_expect_get_first(struct seq_file *seq) { struct ct_expect_iter_state *st = seq->private; struct hlist_node *n; for (st->bucket = 0; st->bucket < nf_ct_expect_hsize; st->bucket++) { n = rcu_dereference(hlist_first_rcu(&nf_ct_expect_hash[st->bucket])); if (n) return n; } return NULL; }

Contributors

PersonTokensPropCommitsCommitProp
Patrick McHardy4864.86%240.00%
Martin Josefsson2128.38%120.00%
Eric Dumazet45.41%120.00%
Florian Westphal11.35%120.00%
Total74100.00%5100.00%


static struct hlist_node *ct_expect_get_next(struct seq_file *seq, struct hlist_node *head) { struct ct_expect_iter_state *st = seq->private; head = rcu_dereference(hlist_next_rcu(head)); while (head == NULL) { if (++st->bucket >= nf_ct_expect_hsize) return NULL; head = rcu_dereference(hlist_first_rcu(&nf_ct_expect_hash[st->bucket])); } return head; }

Contributors

PersonTokensPropCommitsCommitProp
Patrick McHardy5876.32%240.00%
Martin Josefsson1013.16%120.00%
Eric Dumazet79.21%120.00%
Florian Westphal11.32%120.00%
Total76100.00%5100.00%


static struct hlist_node *ct_expect_get_idx(struct seq_file *seq, loff_t pos) { struct hlist_node *head = ct_expect_get_first(seq); if (head) while (pos && (head = ct_expect_get_next(seq, head))) pos--; return pos ? NULL : head; }

Contributors

PersonTokensPropCommitsCommitProp
Patrick McHardy55100.00%1100.00%
Total55100.00%1100.00%


static void *exp_seq_start(struct seq_file *seq, loff_t *pos) __acquires (RCU) { rcu_read_lock(); return ct_expect_get_idx(seq, *pos); }

Contributors

PersonTokensPropCommitsCommitProp
Patrick McHardy2784.38%250.00%
Eric Dumazet39.38%125.00%
Martin Josefsson26.25%125.00%
Total32100.00%4100.00%


static void *exp_seq_next(struct seq_file *seq, void *v, loff_t *pos) { (*pos)++; return ct_expect_get_next(seq, v); }

Contributors

PersonTokensPropCommitsCommitProp
Martin Josefsson2470.59%150.00%
Patrick McHardy1029.41%150.00%
Total34100.00%2100.00%


static void exp_seq_stop(struct seq_file *seq, void *v) __releases (RCU) { rcu_read_unlock(); }

Contributors

PersonTokensPropCommitsCommitProp
Martin Josefsson1568.18%125.00%
Patrick McHardy418.18%250.00%
Eric Dumazet313.64%125.00%
Total22100.00%4100.00%


static int exp_seq_show(struct seq_file *s, void *v) { struct nf_conntrack_expect *expect; struct nf_conntrack_helper *helper; struct hlist_node *n = v; char *delim = ""; expect = hlist_entry(n, struct nf_conntrack_expect, hnode); if (expect->timeout.function) seq_printf(s, "%ld ", timer_pending(&expect->timeout) ? (long)(expect->timeout.expires - jiffies)/