Release 4.11 net/netfilter/xt_CT.c
/*
* Copyright (c) 2010 Patrick McHardy <kaber@trash.net>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/module.h>
#include <linux/gfp.h>
#include <linux/skbuff.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_CT.h>
#include <net/netfilter/nf_conntrack.h>
#include <net/netfilter/nf_conntrack_l4proto.h>
#include <net/netfilter/nf_conntrack_helper.h>
#include <net/netfilter/nf_conntrack_ecache.h>
#include <net/netfilter/nf_conntrack_timeout.h>
#include <net/netfilter/nf_conntrack_zones.h>
static inline int xt_ct_target(struct sk_buff *skb, struct nf_conn *ct)
{
/* Previously seen (loopback)? Ignore. */
if (skb->_nfct != 0)
return XT_CONTINUE;
/* special case the untracked ct : we want the percpu object */
if (!ct)
ct = nf_ct_untracked_get();
atomic_inc(&ct->ct_general.use);
nf_ct_set(skb, ct, IP_CT_NEW);
return XT_CONTINUE;
}
Contributors
| Person | Tokens | Prop | Commits | CommitProp |
| Patrick McHardy | 40 | 64.52% | 1 | 20.00% |
| Eric Dumazet | 11 | 17.74% | 1 | 20.00% |
| Florian Westphal | 7 | 11.29% | 2 | 40.00% |
| Pablo Neira Ayuso | 4 | 6.45% | 1 | 20.00% |
| Total | 62 | 100.00% | 5 | 100.00% |
static unsigned int xt_ct_target_v0(struct sk_buff *skb,
const struct xt_action_param *par)
{
const struct xt_ct_target_info *info = par->targinfo;
struct nf_conn *ct = info->ct;
return xt_ct_target(skb, ct);
}
Contributors
| Person | Tokens | Prop | Commits | CommitProp |
| Pablo Neira Ayuso | 45 | 100.00% | 2 | 100.00% |
| Total | 45 | 100.00% | 2 | 100.00% |
static unsigned int xt_ct_target_v1(struct sk_buff *skb,
const struct xt_action_param *par)
{
const struct xt_ct_target_info_v1 *info = par->targinfo;
struct nf_conn *ct = info->ct;
return xt_ct_target(skb, ct);
}
Contributors
| Person | Tokens | Prop | Commits | CommitProp |
| Pablo Neira Ayuso | 45 | 100.00% | 2 | 100.00% |
| Total | 45 | 100.00% | 2 | 100.00% |
static u8 xt_ct_find_proto(const struct xt_tgchk_param *par)
{
if (par->family == NFPROTO_IPV4) {
const struct ipt_entry *e = par->entryinfo;
if (e->ip.invflags & IPT_INV_PROTO)
return 0;
return e->ip.proto;
} else if (par->family == NFPROTO_IPV6) {
const struct ip6t_entry *e = par->entryinfo;
if (e->ipv6.invflags & IP6T_INV_PROTO)
return 0;
return e->ipv6.proto;
} else
return 0;
}
Contributors
| Person | Tokens | Prop | Commits | CommitProp |
| Patrick McHardy | 95 | 97.94% | 1 | 50.00% |
| Jan Engelhardt | 2 | 2.06% | 1 | 50.00% |
| Total | 97 | 100.00% | 2 | 100.00% |
static int
xt_ct_set_helper(struct nf_conn *ct, const char *helper_name,
const struct xt_tgchk_param *par)
{
struct nf_conntrack_helper *helper;
struct nf_conn_help *help;
u8 proto;
proto = xt_ct_find_proto(par);
if (!proto) {
pr_info("You must specify a L4 protocol, and not use "
"inversions on it.\n");
return -ENOENT;
}
helper = nf_conntrack_helper_try_module_get(helper_name, par->family,
proto);
if (helper == NULL) {
pr_info("No such helper \"%s\"\n", helper_name);
return -ENOENT;
}
help = nf_ct_helper_ext_add(ct, helper, GFP_KERNEL);
if (help == NULL) {
module_put(helper->me);
return -ENOMEM;
}
help->helper = helper;
return 0;
}
Contributors
| Person | Tokens | Prop | Commits | CommitProp |
| Pablo Neira Ayuso | 130 | 100.00% | 1 | 100.00% |
| Total | 130 | 100.00% | 1 | 100.00% |
#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
static void __xt_ct_tg_timeout_put(struct ctnl_timeout *timeout)
{
typeof(nf_ct_timeout_put_hook) timeout_put;
timeout_put = rcu_dereference(nf_ct_timeout_put_hook);
if (timeout_put)
timeout_put(timeout);
}
Contributors
| Person | Tokens | Prop | Commits | CommitProp |
| Pablo Neira Ayuso | 33 | 100.00% | 1 | 100.00% |
| Total | 33 | 100.00% | 1 | 100.00% |
#endif
static int
xt_ct_set_timeout(struct nf_conn *ct, const struct xt_tgchk_param *par,
const char *timeout_name)
{
#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
typeof(nf_ct_timeout_find_get_hook) timeout_find_get;
struct ctnl_timeout *timeout;
struct nf_conn_timeout *timeout_ext;
struct nf_conntrack_l4proto *l4proto;
int ret = 0;
u8 proto;
rcu_read_lock();
timeout_find_get = rcu_dereference(nf_ct_timeout_find_get_hook);
if (timeout_find_get == NULL) {
ret = -ENOENT;
pr_info("Timeout policy base is empty\n");
goto out;
}
proto = xt_ct_find_proto(par);
if (!proto) {
ret = -EINVAL;
pr_info("You must specify a L4 protocol, and not use "
"inversions on it.\n");
goto out;
}
timeout = timeout_find_get(par->net, timeout_name);
if (timeout == NULL) {
ret = -ENOENT;
pr_info("No such timeout policy \"%s\"\n", timeout_name);
goto out;
}
if (timeout->l3num != par->family) {
ret = -EINVAL;
pr_info("Timeout policy `%s' can only be used by L3 protocol "
"number %d\n", timeout_name, timeout->l3num);
goto err_put_timeout;
}
/* Make sure the timeout policy matches any existing protocol tracker,
* otherwise default to generic.
*/
l4proto = __nf_ct_l4proto_find(par->family, proto);
if (timeout->l4proto->l4proto != l4proto->l4proto) {
ret = -EINVAL;
pr_info("Timeout policy `%s' can only be used by L4 protocol "
"number %d\n",
timeout_name, timeout->l4proto->l4proto);
goto err_put_timeout;
}
timeout_ext = nf_ct_timeout_ext_add(ct, timeout, GFP_ATOMIC);
if (timeout_ext == NULL)
ret = -ENOMEM;
rcu_read_unlock();
return ret;
err_put_timeout:
__xt_ct_tg_timeout_put(timeout);
out:
rcu_read_unlock();
return ret;
#else
return -EOPNOTSUPP;
#endif
}
Contributors
| Person | Tokens | Prop | Commits | CommitProp |
| Pablo Neira Ayuso | 249 | 89.57% | 7 | 87.50% |
| Patrick McHardy | 29 | 10.43% | 1 | 12.50% |
| Total | 278 | 100.00% | 8 | 100.00% |
static u16 xt_ct_flags_to_dir(const struct xt_ct_target_info_v1 *info)
{
switch (info->flags & (XT_CT_ZONE_DIR_ORIG |
XT_CT_ZONE_DIR_REPL)) {
case XT_CT_ZONE_DIR_ORIG:
return NF_CT_ZONE_DIR_ORIG;
case XT_CT_ZONE_DIR_REPL:
return NF_CT_ZONE_DIR_REPL;
default:
return NF_CT_DEFAULT_ZONE_DIR;
}
}
Contributors
| Person | Tokens | Prop | Commits | CommitProp |
| Daniel Borkmann | 42 | 100.00% | 1 | 100.00% |
| Total | 42 | 100.00% | 1 | 100.00% |
static int xt_ct_tg_check(const struct xt_tgchk_param *par,
struct xt_ct_target_info_v1 *info)
{
struct nf_conntrack_zone zone;
struct nf_conn *ct;
int ret = -EOPNOTSUPP;
if (info->flags & XT_CT_NOTRACK) {
ct = NULL;
goto out;
}
#ifndef CONFIG_NF_CONNTRACK_ZONES
if (info->zone || info->flags & (XT_CT_ZONE_DIR_ORIG |
XT_CT_ZONE_DIR_REPL |
XT_CT_ZONE_MARK))
goto err1;
#endif
ret = nf_ct_netns_get(par->net, par->family);
if (ret < 0)
goto err1;
memset(&zone, 0, sizeof(zone));
zone.id = info->zone;
zone.dir = xt_ct_flags_to_dir(info);
if (info->flags & XT_CT_ZONE_MARK)
zone.flags |= NF_CT_FLAG_MARK;
ct = nf_ct_tmpl_alloc(par->net, &zone, GFP_KERNEL);
if (!ct) {
ret = -ENOMEM;
goto err2;
}
ret = 0;
if ((info->ct_events || info->exp_events) &&
!nf_ct_ecache_ext_add(ct, info->ct_events, info->exp_events,
GFP_KERNEL)) {
ret = -EINVAL;
goto err3;
}
if (info->helper[0]) {
ret = xt_ct_set_helper(ct, info->helper, par);
if (ret < 0)
goto err3;
}
if (info->timeout[0]) {
ret = xt_ct_set_timeout(ct, par, info->timeout);
if (ret < 0)
goto err3;
}
__set_bit(IPS_CONFIRMED_BIT, &ct->status);
nf_conntrack_get(&ct->ct_general);
out:
info->ct = ct;
return 0;
err3:
nf_ct_tmpl_free(ct);
err2:
nf_ct_netns_put(par->net, par->family);
err1:
return ret;
}
Contributors
| Person | Tokens | Prop | Commits | CommitProp |
| Pablo Neira Ayuso | 244 | 73.49% | 9 | 52.94% |
| Daniel Borkmann | 62 | 18.67% | 4 | 23.53% |
| Florian Westphal | 10 | 3.01% | 1 | 5.88% |
| Dan Carpenter | 8 | 2.41% | 1 | 5.88% |
| Eric Leblond | 7 | 2.11% | 1 | 5.88% |
| Eric Dumazet | 1 | 0.30% | 1 | 5.88% |
| Total | 332 | 100.00% | 17 | 100.00% |
static int xt_ct_tg_check_v0(const struct xt_tgchk_param *par)
{
struct xt_ct_target_info *info = par->targinfo;
struct xt_ct_target_info_v1 info_v1 = {
.flags = info->flags,
.zone = info->zone,
.ct_events = info->ct_events,
.exp_events = info->exp_events,
};
int ret;
if (info->flags & ~XT_CT_NOTRACK)
return -EINVAL;
memcpy(info_v1.helper, info->helper, sizeof(info->helper));
ret = xt_ct_tg_check(par, &info_v1);
if (ret < 0)
return ret;
info->ct = info_v1.ct;
return ret;
}
Contributors
| Person | Tokens | Prop | Commits | CommitProp |
| Pablo Neira Ayuso | 119 | 100.00% | 3 | 100.00% |
| Total | 119 | 100.00% | 3 | 100.00% |
static int xt_ct_tg_check_v1(const struct xt_tgchk_param *par)
{
struct xt_ct_target_info_v1 *info = par->targinfo;
if (info->flags & ~XT_CT_NOTRACK)
return -EINVAL;
return xt_ct_tg_check(par, par->targinfo);
}
Contributors
| Person | Tokens | Prop | Commits | CommitProp |
| Pablo Neira Ayuso | 44 | 100.00% | 2 | 100.00% |
| Total | 44 | 100.00% | 2 | 100.00% |
static int xt_ct_tg_check_v2(const struct xt_tgchk_param *par)
{
struct xt_ct_target_info_v1 *info = par->targinfo;
if (info->flags & ~XT_CT_MASK)
return -EINVAL;
return xt_ct_tg_check(par, par->targinfo);
}
Contributors
| Person | Tokens | Prop | Commits | CommitProp |
| Pablo Neira Ayuso | 44 | 100.00% | 3 | 100.00% |
| Total | 44 | 100.00% | 3 | 100.00% |
static void xt_ct_destroy_timeout(struct nf_conn *ct)
{
#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
struct nf_conn_timeout *timeout_ext;
typeof(nf_ct_timeout_put_hook) timeout_put;
rcu_read_lock();
timeout_put = rcu_dereference(nf_ct_timeout_put_hook);
if (timeout_put) {
timeout_ext = nf_ct_timeout_find(ct);
if (timeout_ext) {
timeout_put(timeout_ext->timeout);
RCU_INIT_POINTER(timeout_ext->timeout, NULL);
}
}
rcu_read_unlock();
#endif
}
Contributors
| Person | Tokens | Prop | Commits | CommitProp |
| Pablo Neira Ayuso | 75 | 100.00% | 2 | 100.00% |
| Total | 75 | 100.00% | 2 | 100.00% |
static void xt_ct_tg_destroy(const struct xt_tgdtor_param *par,
struct xt_ct_target_info_v1 *info)
{
struct nf_conn *ct = info->ct;
struct nf_conn_help *help;
if (ct && !nf_ct_is_untracked(ct)) {
help = nfct_help(ct);
if (help)
module_put(help->helper->me);
nf_ct_netns_put(par->net, par->family);
xt_ct_destroy_timeout(ct);
nf_ct_put(info->ct);
}
}
Contributors
| Person | Tokens | Prop | Commits | CommitProp |
| Pablo Neira Ayuso | 78 | 90.70% | 3 | 60.00% |
| Florian Westphal | 5 | 5.81% | 1 | 20.00% |
| Eric Dumazet | 3 | 3.49% | 1 | 20.00% |
| Total | 86 | 100.00% | 5 | 100.00% |
static void xt_ct_tg_destroy_v0(const struct xt_tgdtor_param *par)
{
struct xt_ct_target_info *info = par->targinfo;
struct xt_ct_target_info_v1 info_v1 = {
.flags = info->flags,
.zone = info->zone,
.ct_events = info->ct_events,
.exp_events = info->exp_events,
.ct = info->ct,
};
memcpy(info_v1.helper, info->helper, sizeof(info->helper));
xt_ct_tg_destroy(par, &info_v1);
}
Contributors
| Person | Tokens | Prop | Commits | CommitProp |
| Pablo Neira Ayuso | 88 | 100.00% | 1 | 100.00% |
| Total | 88 | 100.00% | 1 | 100.00% |
static void xt_ct_tg_destroy_v1(const struct xt_tgdtor_param *par)
{
xt_ct_tg_destroy(par, par->targinfo);
}
Contributors
| Person | Tokens | Prop | Commits | CommitProp |
| Pablo Neira Ayuso | 21 | 100.00% | 1 | 100.00% |
| Total | 21 | 100.00% | 1 | 100.00% |
static struct xt_target xt_ct_tg_reg[] __read_mostly = {
{
.name = "CT",
.family = NFPROTO_UNSPEC,
.targetsize = sizeof(struct xt_ct_target_info),
.usersize = offsetof(struct xt_ct_target_info, ct),
.checkentry = xt_ct_tg_check_v0,
.destroy = xt_ct_tg_destroy_v0,
.target = xt_ct_target_v0,
.table = "raw",
.me = THIS_MODULE,
},
{
.name = "CT",
.family = NFPROTO_UNSPEC,
.revision = 1,
.targetsize = sizeof(struct xt_ct_target_info_v1),
.usersize = offsetof(struct xt_ct_target_info, ct),
.checkentry = xt_ct_tg_check_v1,
.destroy = xt_ct_tg_destroy_v1,
.target = xt_ct_target_v1,
.table = "raw",
.me = THIS_MODULE,
},
{
.name = "CT",
.family = NFPROTO_UNSPEC,
.revision = 2,
.targetsize = sizeof(struct xt_ct_target_info_v1),
.usersize = offsetof(struct xt_ct_target_info, ct),
.checkentry = xt_ct_tg_check_v2,
.destroy = xt_ct_tg_destroy_v1,
.target = xt_ct_target_v1,
.table = "raw",
.me = THIS_MODULE,
},
};
static unsigned int
notrack_tg(struct sk_buff *skb, const struct xt_action_param *par)
{
/* Previously seen (loopback)? Ignore. */
if (skb->_nfct != 0)
return XT_CONTINUE;
nf_ct_set(skb, nf_ct_untracked_get(), IP_CT_NEW);
nf_conntrack_get(skb_nfct(skb));
return XT_CONTINUE;
}
Contributors
| Person | Tokens | Prop | Commits | CommitProp |
| Pablo Neira Ayuso | 41 | 80.39% | 1 | 25.00% |
| Florian Westphal | 10 | 19.61% | 3 | 75.00% |
| Total | 51 | 100.00% | 4 | 100.00% |
static int notrack_chk(const struct xt_tgchk_param *par)
{
if (!par->net->xt.notrack_deprecated_warning) {
pr_info("netfilter: NOTRACK target is deprecated, "
"use CT instead or upgrade iptables\n");
par->net->xt.notrack_deprecated_warning = true;
}
return 0;
}
Contributors
| Person | Tokens | Prop | Commits | CommitProp |
| Pablo Neira Ayuso | 44 | 100.00% | 1 | 100.00% |
| Total | 44 | 100.00% | 1 | 100.00% |
static struct xt_target notrack_tg_reg __read_mostly = {
.name = "NOTRACK",
.revision = 0,
.family = NFPROTO_UNSPEC,
.checkentry = notrack_chk,
.target = notrack_tg,
.table = "raw",
.me = THIS_MODULE,
};
static int __init xt_ct_tg_init(void)
{
int ret;
ret = xt_register_target(¬rack_tg_reg);
if (ret < 0)
return ret;
ret = xt_register_targets(xt_ct_tg_reg, ARRAY_SIZE(xt_ct_tg_reg));
if (ret < 0) {
xt_unregister_target(¬rack_tg_reg);
return ret;
}
return 0;
}
Contributors
| Person | Tokens | Prop | Commits | CommitProp |
| Pablo Neira Ayuso | 48 | 78.69% | 2 | 66.67% |
| Patrick McHardy | 13 | 21.31% | 1 | 33.33% |
| Total | 61 | 100.00% | 3 | 100.00% |
static void __exit xt_ct_tg_exit(void)
{
xt_unregister_targets(xt_ct_tg_reg, ARRAY_SIZE(xt_ct_tg_reg));
xt_unregister_target(¬rack_tg_reg);
}
Contributors
| Person | Tokens | Prop | Commits | CommitProp |
| Pablo Neira Ayuso | 13 | 52.00% | 2 | 66.67% |
| Patrick McHardy | 12 | 48.00% | 1 | 33.33% |
| Total | 25 | 100.00% | 3 | 100.00% |
module_init(xt_ct_tg_init);
module_exit(xt_ct_tg_exit);
MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("Xtables: connection tracking target");
MODULE_ALIAS("ipt_CT");
MODULE_ALIAS("ip6t_CT");
MODULE_ALIAS("ipt_NOTRACK");
MODULE_ALIAS("ip6t_NOTRACK");
Overall Contributors
| Person | Tokens | Prop | Commits | CommitProp |
| Pablo Neira Ayuso | 1568 | 76.60% | 18 | 51.43% |
| Patrick McHardy | 268 | 13.09% | 2 | 5.71% |
| Daniel Borkmann | 104 | 5.08% | 4 | 11.43% |
| Willem de Bruijn | 33 | 1.61% | 1 | 2.86% |
| Florian Westphal | 32 | 1.56% | 4 | 11.43% |
| Eric Dumazet | 15 | 0.73% | 1 | 2.86% |
| Jan Engelhardt | 9 | 0.44% | 2 | 5.71% |
| Dan Carpenter | 8 | 0.39% | 1 | 2.86% |
| Eric Leblond | 7 | 0.34% | 1 | 2.86% |
| Tejun Heo | 3 | 0.15% | 1 | 2.86% |
| Total | 2047 | 100.00% | 35 | 100.00% |
Information contained on this website is for historical information purposes only and does not indicate or represent copyright ownership.