提交 fd685657 编写于 作者: D David S. Miller

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next

Pablo Neira Ayuso says:

====================
Netfilter updates for net-next

The following batch contains netfilter updates for your net-next tree:

1) Expose NFT_OSF_MAXGENRELEN maximum OS name length from the new OS
   passive fingerprint matching extension, from Fernando Fernandez.

2) Add extension to support for fine grain conntrack timeout policies
   from nf_tables. As preparation works, this patchset moves
   nf_ct_untimeout() to nf_conntrack_timeout and it also decouples the
   timeout policy from the ctnl_timeout object, most work done by
   Harsha Sharma.

3) Enable connection tracking when conntrack helper is in place.

4) Missing enumeration in uapi header when splitting original xt_osf
   to nfnetlink_osf, also from Fernando.

5) Fix a sparse warning due to incorrect typing in the nf_osf_find(),
   from Wei Yongjun.
====================
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
...@@ -4,18 +4,6 @@ ...@@ -4,18 +4,6 @@
#include <uapi/linux/netfilter/nfnetlink_osf.h> #include <uapi/linux/netfilter/nfnetlink_osf.h>
/* Initial window size option state machine: multiple of mss, mtu or
* plain numeric value. Can also be made as plain numeric value which
* is not a multiple of specified value.
*/
enum nf_osf_window_size_options {
OSF_WSS_PLAIN = 0,
OSF_WSS_MSS,
OSF_WSS_MTU,
OSF_WSS_MODULO,
OSF_WSS_MAX,
};
enum osf_fmatch_states { enum osf_fmatch_states {
/* Packet does not match the fingerprint */ /* Packet does not match the fingerprint */
FMATCH_WRONG = 0, FMATCH_WRONG = 0,
......
...@@ -77,7 +77,6 @@ struct nf_conntrack_l4proto { ...@@ -77,7 +77,6 @@ struct nf_conntrack_l4proto {
struct nf_conntrack_tuple *t); struct nf_conntrack_tuple *t);
const struct nla_policy *nla_policy; const struct nla_policy *nla_policy;
#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)
struct { struct {
int (*nlattr_to_obj)(struct nlattr *tb[], int (*nlattr_to_obj)(struct nlattr *tb[],
struct net *net, void *data); struct net *net, void *data);
...@@ -87,7 +86,6 @@ struct nf_conntrack_l4proto { ...@@ -87,7 +86,6 @@ struct nf_conntrack_l4proto {
u16 nlattr_max; u16 nlattr_max;
const struct nla_policy *nla_policy; const struct nla_policy *nla_policy;
} ctnl_timeout; } ctnl_timeout;
#endif
#ifdef CONFIG_NF_CONNTRACK_PROCFS #ifdef CONFIG_NF_CONNTRACK_PROCFS
/* Print out the private part of the conntrack. */ /* Print out the private part of the conntrack. */
void (*print_conntrack)(struct seq_file *s, struct nf_conn *); void (*print_conntrack)(struct seq_file *s, struct nf_conn *);
......
...@@ -11,24 +11,28 @@ ...@@ -11,24 +11,28 @@
#define CTNL_TIMEOUT_NAME_MAX 32 #define CTNL_TIMEOUT_NAME_MAX 32
struct nf_ct_timeout {
__u16 l3num;
const struct nf_conntrack_l4proto *l4proto;
char data[0];
};
struct ctnl_timeout { struct ctnl_timeout {
struct list_head head; struct list_head head;
struct rcu_head rcu_head; struct rcu_head rcu_head;
refcount_t refcnt; refcount_t refcnt;
char name[CTNL_TIMEOUT_NAME_MAX]; char name[CTNL_TIMEOUT_NAME_MAX];
__u16 l3num; struct nf_ct_timeout timeout;
const struct nf_conntrack_l4proto *l4proto;
char data[0];
}; };
struct nf_conn_timeout { struct nf_conn_timeout {
struct ctnl_timeout __rcu *timeout; struct nf_ct_timeout __rcu *timeout;
}; };
static inline unsigned int * static inline unsigned int *
nf_ct_timeout_data(struct nf_conn_timeout *t) nf_ct_timeout_data(struct nf_conn_timeout *t)
{ {
struct ctnl_timeout *timeout; struct nf_ct_timeout *timeout;
timeout = rcu_dereference(t->timeout); timeout = rcu_dereference(t->timeout);
if (timeout == NULL) if (timeout == NULL)
...@@ -49,7 +53,7 @@ struct nf_conn_timeout *nf_ct_timeout_find(const struct nf_conn *ct) ...@@ -49,7 +53,7 @@ struct nf_conn_timeout *nf_ct_timeout_find(const struct nf_conn *ct)
static inline static inline
struct nf_conn_timeout *nf_ct_timeout_ext_add(struct nf_conn *ct, struct nf_conn_timeout *nf_ct_timeout_ext_add(struct nf_conn *ct,
struct ctnl_timeout *timeout, struct nf_ct_timeout *timeout,
gfp_t gfp) gfp_t gfp)
{ {
#ifdef CONFIG_NF_CONNTRACK_TIMEOUT #ifdef CONFIG_NF_CONNTRACK_TIMEOUT
...@@ -83,6 +87,7 @@ static inline unsigned int *nf_ct_timeout_lookup(const struct nf_conn *ct) ...@@ -83,6 +87,7 @@ static inline unsigned int *nf_ct_timeout_lookup(const struct nf_conn *ct)
#ifdef CONFIG_NF_CONNTRACK_TIMEOUT #ifdef CONFIG_NF_CONNTRACK_TIMEOUT
int nf_conntrack_timeout_init(void); int nf_conntrack_timeout_init(void);
void nf_conntrack_timeout_fini(void); void nf_conntrack_timeout_fini(void);
void nf_ct_untimeout(struct net *net, struct nf_ct_timeout *timeout);
#else #else
static inline int nf_conntrack_timeout_init(void) static inline int nf_conntrack_timeout_init(void)
{ {
...@@ -96,8 +101,8 @@ static inline void nf_conntrack_timeout_fini(void) ...@@ -96,8 +101,8 @@ static inline void nf_conntrack_timeout_fini(void)
#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */ #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
#ifdef CONFIG_NF_CONNTRACK_TIMEOUT #ifdef CONFIG_NF_CONNTRACK_TIMEOUT
extern struct ctnl_timeout *(*nf_ct_timeout_find_get_hook)(struct net *net, const char *name); extern struct nf_ct_timeout *(*nf_ct_timeout_find_get_hook)(struct net *net, const char *name);
extern void (*nf_ct_timeout_put_hook)(struct ctnl_timeout *timeout); extern void (*nf_ct_timeout_put_hook)(struct nf_ct_timeout *timeout);
#endif #endif
#endif /* _NF_CONNTRACK_TIMEOUT_H */ #endif /* _NF_CONNTRACK_TIMEOUT_H */
...@@ -8,6 +8,7 @@ ...@@ -8,6 +8,7 @@
#define NFT_SET_MAXNAMELEN NFT_NAME_MAXLEN #define NFT_SET_MAXNAMELEN NFT_NAME_MAXLEN
#define NFT_OBJ_MAXNAMELEN NFT_NAME_MAXLEN #define NFT_OBJ_MAXNAMELEN NFT_NAME_MAXLEN
#define NFT_USERDATA_MAXLEN 256 #define NFT_USERDATA_MAXLEN 256
#define NFT_OSF_MAXGENRELEN 16
/** /**
* enum nft_registers - nf_tables registers * enum nft_registers - nf_tables registers
...@@ -957,6 +958,7 @@ enum nft_socket_keys { ...@@ -957,6 +958,7 @@ enum nft_socket_keys {
* @NFT_CT_DST_IP: conntrack layer 3 protocol destination (IPv4 address) * @NFT_CT_DST_IP: conntrack layer 3 protocol destination (IPv4 address)
* @NFT_CT_SRC_IP6: conntrack layer 3 protocol source (IPv6 address) * @NFT_CT_SRC_IP6: conntrack layer 3 protocol source (IPv6 address)
* @NFT_CT_DST_IP6: conntrack layer 3 protocol destination (IPv6 address) * @NFT_CT_DST_IP6: conntrack layer 3 protocol destination (IPv6 address)
* @NFT_CT_TIMEOUT: connection tracking timeout policy assigned to conntrack
*/ */
enum nft_ct_keys { enum nft_ct_keys {
NFT_CT_STATE, NFT_CT_STATE,
...@@ -982,6 +984,7 @@ enum nft_ct_keys { ...@@ -982,6 +984,7 @@ enum nft_ct_keys {
NFT_CT_DST_IP, NFT_CT_DST_IP,
NFT_CT_SRC_IP6, NFT_CT_SRC_IP6,
NFT_CT_DST_IP6, NFT_CT_DST_IP6,
NFT_CT_TIMEOUT,
__NFT_CT_MAX __NFT_CT_MAX
}; };
#define NFT_CT_MAX (__NFT_CT_MAX - 1) #define NFT_CT_MAX (__NFT_CT_MAX - 1)
...@@ -1410,6 +1413,15 @@ enum nft_ct_helper_attributes { ...@@ -1410,6 +1413,15 @@ enum nft_ct_helper_attributes {
}; };
#define NFTA_CT_HELPER_MAX (__NFTA_CT_HELPER_MAX - 1) #define NFTA_CT_HELPER_MAX (__NFTA_CT_HELPER_MAX - 1)
enum nft_ct_timeout_timeout_attributes {
NFTA_CT_TIMEOUT_UNSPEC,
NFTA_CT_TIMEOUT_L3PROTO,
NFTA_CT_TIMEOUT_L4PROTO,
NFTA_CT_TIMEOUT_DATA,
__NFTA_CT_TIMEOUT_MAX,
};
#define NFTA_CT_TIMEOUT_MAX (__NFTA_CT_TIMEOUT_MAX - 1)
#define NFT_OBJECT_UNSPEC 0 #define NFT_OBJECT_UNSPEC 0
#define NFT_OBJECT_COUNTER 1 #define NFT_OBJECT_COUNTER 1
#define NFT_OBJECT_QUOTA 2 #define NFT_OBJECT_QUOTA 2
...@@ -1417,7 +1429,8 @@ enum nft_ct_helper_attributes { ...@@ -1417,7 +1429,8 @@ enum nft_ct_helper_attributes {
#define NFT_OBJECT_LIMIT 4 #define NFT_OBJECT_LIMIT 4
#define NFT_OBJECT_CONNLIMIT 5 #define NFT_OBJECT_CONNLIMIT 5
#define NFT_OBJECT_TUNNEL 6 #define NFT_OBJECT_TUNNEL 6
#define __NFT_OBJECT_MAX 7 #define NFT_OBJECT_CT_TIMEOUT 7
#define __NFT_OBJECT_MAX 8
#define NFT_OBJECT_MAX (__NFT_OBJECT_MAX - 1) #define NFT_OBJECT_MAX (__NFT_OBJECT_MAX - 1)
/** /**
......
...@@ -88,6 +88,18 @@ enum iana_options { ...@@ -88,6 +88,18 @@ enum iana_options {
OSFOPT_EMPTY = 255, OSFOPT_EMPTY = 255,
}; };
/* Initial window size option state machine: multiple of mss, mtu or
* plain numeric value. Can also be made as plain numeric value which
* is not a multiple of specified value.
*/
enum nf_osf_window_size_options {
OSF_WSS_PLAIN = 0,
OSF_WSS_MSS,
OSF_WSS_MTU,
OSF_WSS_MODULO,
OSF_WSS_MAX,
};
enum nf_osf_attr_type { enum nf_osf_attr_type {
OSF_ATTR_UNSPEC, OSF_ATTR_UNSPEC,
OSF_ATTR_FINGER, OSF_ATTR_FINGER,
......
...@@ -46,6 +46,7 @@ ...@@ -46,6 +46,7 @@
#define xt_osf_finger nf_osf_finger #define xt_osf_finger nf_osf_finger
#define xt_osf_nlmsg nf_osf_nlmsg #define xt_osf_nlmsg nf_osf_nlmsg
#define xt_osf_window_size_options nf_osf_window_size_options
#define xt_osf_attr_type nf_osf_attr_type #define xt_osf_attr_type nf_osf_attr_type
#define xt_osf_msg_types nf_osf_msg_types #define xt_osf_msg_types nf_osf_msg_types
......
...@@ -24,13 +24,30 @@ ...@@ -24,13 +24,30 @@
#include <net/netfilter/nf_conntrack_extend.h> #include <net/netfilter/nf_conntrack_extend.h>
#include <net/netfilter/nf_conntrack_timeout.h> #include <net/netfilter/nf_conntrack_timeout.h>
struct ctnl_timeout * struct nf_ct_timeout *
(*nf_ct_timeout_find_get_hook)(struct net *net, const char *name) __read_mostly; (*nf_ct_timeout_find_get_hook)(struct net *net, const char *name) __read_mostly;
EXPORT_SYMBOL_GPL(nf_ct_timeout_find_get_hook); EXPORT_SYMBOL_GPL(nf_ct_timeout_find_get_hook);
void (*nf_ct_timeout_put_hook)(struct ctnl_timeout *timeout) __read_mostly; void (*nf_ct_timeout_put_hook)(struct nf_ct_timeout *timeout) __read_mostly;
EXPORT_SYMBOL_GPL(nf_ct_timeout_put_hook); EXPORT_SYMBOL_GPL(nf_ct_timeout_put_hook);
static int untimeout(struct nf_conn *ct, void *timeout)
{
struct nf_conn_timeout *timeout_ext = nf_ct_timeout_find(ct);
if (timeout_ext && (!timeout || timeout_ext->timeout == timeout))
RCU_INIT_POINTER(timeout_ext->timeout, NULL);
/* We are not intended to delete this conntrack. */
return 0;
}
void nf_ct_untimeout(struct net *net, struct nf_ct_timeout *timeout)
{
nf_ct_iterate_cleanup_net(net, untimeout, timeout, 0, 0);
}
EXPORT_SYMBOL_GPL(nf_ct_untimeout);
static const struct nf_ct_ext_type timeout_extend = { static const struct nf_ct_ext_type timeout_extend = {
.len = sizeof(struct nf_conn_timeout), .len = sizeof(struct nf_conn_timeout),
.align = __alignof__(struct nf_conn_timeout), .align = __alignof__(struct nf_conn_timeout),
......
...@@ -113,13 +113,13 @@ static int cttimeout_new_timeout(struct net *net, struct sock *ctnl, ...@@ -113,13 +113,13 @@ static int cttimeout_new_timeout(struct net *net, struct sock *ctnl,
/* You cannot replace one timeout policy by another of /* You cannot replace one timeout policy by another of
* different kind, sorry. * different kind, sorry.
*/ */
if (matching->l3num != l3num || if (matching->timeout.l3num != l3num ||
matching->l4proto->l4proto != l4num) matching->timeout.l4proto->l4proto != l4num)
return -EINVAL; return -EINVAL;
return ctnl_timeout_parse_policy(&matching->data, return ctnl_timeout_parse_policy(&matching->timeout.data,
matching->l4proto, net, matching->timeout.l4proto,
cda[CTA_TIMEOUT_DATA]); net, cda[CTA_TIMEOUT_DATA]);
} }
return -EBUSY; return -EBUSY;
...@@ -140,14 +140,14 @@ static int cttimeout_new_timeout(struct net *net, struct sock *ctnl, ...@@ -140,14 +140,14 @@ static int cttimeout_new_timeout(struct net *net, struct sock *ctnl,
goto err_proto_put; goto err_proto_put;
} }
ret = ctnl_timeout_parse_policy(&timeout->data, l4proto, net, ret = ctnl_timeout_parse_policy(&timeout->timeout.data, l4proto, net,
cda[CTA_TIMEOUT_DATA]); cda[CTA_TIMEOUT_DATA]);
if (ret < 0) if (ret < 0)
goto err; goto err;
strcpy(timeout->name, nla_data(cda[CTA_TIMEOUT_NAME])); strcpy(timeout->name, nla_data(cda[CTA_TIMEOUT_NAME]));
timeout->l3num = l3num; timeout->timeout.l3num = l3num;
timeout->l4proto = l4proto; timeout->timeout.l4proto = l4proto;
refcount_set(&timeout->refcnt, 1); refcount_set(&timeout->refcnt, 1);
list_add_tail_rcu(&timeout->head, &net->nfct_timeout_list); list_add_tail_rcu(&timeout->head, &net->nfct_timeout_list);
...@@ -166,7 +166,7 @@ ctnl_timeout_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type, ...@@ -166,7 +166,7 @@ ctnl_timeout_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
struct nlmsghdr *nlh; struct nlmsghdr *nlh;
struct nfgenmsg *nfmsg; struct nfgenmsg *nfmsg;
unsigned int flags = portid ? NLM_F_MULTI : 0; unsigned int flags = portid ? NLM_F_MULTI : 0;
const struct nf_conntrack_l4proto *l4proto = timeout->l4proto; const struct nf_conntrack_l4proto *l4proto = timeout->timeout.l4proto;
event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_TIMEOUT, event); event = nfnl_msg_type(NFNL_SUBSYS_CTNETLINK_TIMEOUT, event);
nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags); nlh = nlmsg_put(skb, portid, seq, event, sizeof(*nfmsg), flags);
...@@ -179,8 +179,9 @@ ctnl_timeout_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type, ...@@ -179,8 +179,9 @@ ctnl_timeout_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
nfmsg->res_id = 0; nfmsg->res_id = 0;
if (nla_put_string(skb, CTA_TIMEOUT_NAME, timeout->name) || if (nla_put_string(skb, CTA_TIMEOUT_NAME, timeout->name) ||
nla_put_be16(skb, CTA_TIMEOUT_L3PROTO, htons(timeout->l3num)) || nla_put_be16(skb, CTA_TIMEOUT_L3PROTO,
nla_put_u8(skb, CTA_TIMEOUT_L4PROTO, timeout->l4proto->l4proto) || htons(timeout->timeout.l3num)) ||
nla_put_u8(skb, CTA_TIMEOUT_L4PROTO, l4proto->l4proto) ||
nla_put_be32(skb, CTA_TIMEOUT_USE, nla_put_be32(skb, CTA_TIMEOUT_USE,
htonl(refcount_read(&timeout->refcnt)))) htonl(refcount_read(&timeout->refcnt))))
goto nla_put_failure; goto nla_put_failure;
...@@ -194,7 +195,8 @@ ctnl_timeout_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type, ...@@ -194,7 +195,8 @@ ctnl_timeout_fill_info(struct sk_buff *skb, u32 portid, u32 seq, u32 type,
if (!nest_parms) if (!nest_parms)
goto nla_put_failure; goto nla_put_failure;
ret = l4proto->ctnl_timeout.obj_to_nlattr(skb, &timeout->data); ret = l4proto->ctnl_timeout.obj_to_nlattr(skb,
&timeout->timeout.data);
if (ret < 0) if (ret < 0)
goto nla_put_failure; goto nla_put_failure;
...@@ -297,22 +299,6 @@ static int cttimeout_get_timeout(struct net *net, struct sock *ctnl, ...@@ -297,22 +299,6 @@ static int cttimeout_get_timeout(struct net *net, struct sock *ctnl,
return ret; return ret;
} }
static int untimeout(struct nf_conn *ct, void *timeout)
{
struct nf_conn_timeout *timeout_ext = nf_ct_timeout_find(ct);
if (timeout_ext && (!timeout || timeout_ext->timeout == timeout))
RCU_INIT_POINTER(timeout_ext->timeout, NULL);
/* We are not intended to delete this conntrack. */
return 0;
}
static void ctnl_untimeout(struct net *net, struct ctnl_timeout *timeout)
{
nf_ct_iterate_cleanup_net(net, untimeout, timeout, 0, 0);
}
/* try to delete object, fail if it is still in use. */ /* try to delete object, fail if it is still in use. */
static int ctnl_timeout_try_del(struct net *net, struct ctnl_timeout *timeout) static int ctnl_timeout_try_del(struct net *net, struct ctnl_timeout *timeout)
{ {
...@@ -324,8 +310,8 @@ static int ctnl_timeout_try_del(struct net *net, struct ctnl_timeout *timeout) ...@@ -324,8 +310,8 @@ static int ctnl_timeout_try_del(struct net *net, struct ctnl_timeout *timeout)
if (refcount_dec_if_one(&timeout->refcnt)) { if (refcount_dec_if_one(&timeout->refcnt)) {
/* We are protected by nfnl mutex. */ /* We are protected by nfnl mutex. */
list_del_rcu(&timeout->head); list_del_rcu(&timeout->head);
nf_ct_l4proto_put(timeout->l4proto); nf_ct_l4proto_put(timeout->timeout.l4proto);
ctnl_untimeout(net, timeout); nf_ct_untimeout(net, &timeout->timeout);
kfree_rcu(timeout, rcu_head); kfree_rcu(timeout, rcu_head);
} else { } else {
ret = -EBUSY; ret = -EBUSY;
...@@ -526,8 +512,11 @@ ctnl_timeout_find_get(struct net *net, const char *name) ...@@ -526,8 +512,11 @@ ctnl_timeout_find_get(struct net *net, const char *name)
return matching; return matching;
} }
static void ctnl_timeout_put(struct ctnl_timeout *timeout) static void ctnl_timeout_put(struct nf_ct_timeout *t)
{ {
struct ctnl_timeout *timeout =
container_of(t, struct ctnl_timeout, timeout);
if (refcount_dec_and_test(&timeout->refcnt)) if (refcount_dec_and_test(&timeout->refcnt))
kfree_rcu(timeout, rcu_head); kfree_rcu(timeout, rcu_head);
...@@ -573,11 +562,11 @@ static void __net_exit cttimeout_net_exit(struct net *net) ...@@ -573,11 +562,11 @@ static void __net_exit cttimeout_net_exit(struct net *net)
struct ctnl_timeout *cur, *tmp; struct ctnl_timeout *cur, *tmp;
nf_ct_unconfirmed_destroy(net); nf_ct_unconfirmed_destroy(net);
ctnl_untimeout(net, NULL); nf_ct_untimeout(net, NULL);
list_for_each_entry_safe(cur, tmp, &net->nfct_timeout_list, head) { list_for_each_entry_safe(cur, tmp, &net->nfct_timeout_list, head) {
list_del_rcu(&cur->head); list_del_rcu(&cur->head);
nf_ct_l4proto_put(cur->l4proto); nf_ct_l4proto_put(cur->timeout.l4proto);
if (refcount_dec_and_test(&cur->refcnt)) if (refcount_dec_and_test(&cur->refcnt))
kfree_rcu(cur, rcu_head); kfree_rcu(cur, rcu_head);
......
...@@ -271,7 +271,7 @@ const char *nf_osf_find(const struct sk_buff *skb, ...@@ -271,7 +271,7 @@ const char *nf_osf_find(const struct sk_buff *skb,
tcp = nf_osf_hdr_ctx_init(&ctx, skb, ip, opts); tcp = nf_osf_hdr_ctx_init(&ctx, skb, ip, opts);
if (!tcp) if (!tcp)
return false; return NULL;
list_for_each_entry_rcu(kf, &nf_osf_fingers[ctx.df], finger_entry) { list_for_each_entry_rcu(kf, &nf_osf_fingers[ctx.df], finger_entry) {
f = &kf->finger; f = &kf->finger;
......
...@@ -22,6 +22,8 @@ ...@@ -22,6 +22,8 @@
#include <net/netfilter/nf_conntrack_helper.h> #include <net/netfilter/nf_conntrack_helper.h>
#include <net/netfilter/nf_conntrack_ecache.h> #include <net/netfilter/nf_conntrack_ecache.h>
#include <net/netfilter/nf_conntrack_labels.h> #include <net/netfilter/nf_conntrack_labels.h>
#include <net/netfilter/nf_conntrack_timeout.h>
#include <net/netfilter/nf_conntrack_l4proto.h>
struct nft_ct { struct nft_ct {
enum nft_ct_keys key:8; enum nft_ct_keys key:8;
...@@ -765,6 +767,194 @@ static struct nft_expr_type nft_notrack_type __read_mostly = { ...@@ -765,6 +767,194 @@ static struct nft_expr_type nft_notrack_type __read_mostly = {
.owner = THIS_MODULE, .owner = THIS_MODULE,
}; };
#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
static int
nft_ct_timeout_parse_policy(void *timeouts,
const struct nf_conntrack_l4proto *l4proto,
struct net *net, const struct nlattr *attr)
{
struct nlattr **tb;
int ret = 0;
if (!l4proto->ctnl_timeout.nlattr_to_obj)
return 0;
tb = kcalloc(l4proto->ctnl_timeout.nlattr_max + 1, sizeof(*tb),
GFP_KERNEL);
if (!tb)
return -ENOMEM;
ret = nla_parse_nested(tb, l4proto->ctnl_timeout.nlattr_max,
attr, l4proto->ctnl_timeout.nla_policy,
NULL);
if (ret < 0)
goto err;
ret = l4proto->ctnl_timeout.nlattr_to_obj(tb, net, timeouts);
err:
kfree(tb);
return ret;
}
struct nft_ct_timeout_obj {
struct nf_conn *tmpl;
u8 l4proto;
};
static void nft_ct_timeout_obj_eval(struct nft_object *obj,
struct nft_regs *regs,
const struct nft_pktinfo *pkt)
{
const struct nft_ct_timeout_obj *priv = nft_obj_data(obj);
struct nf_conn *ct = (struct nf_conn *)skb_nfct(pkt->skb);
struct sk_buff *skb = pkt->skb;
if (ct ||
priv->l4proto != pkt->tprot)
return;
nf_ct_set(skb, priv->tmpl, IP_CT_NEW);
}
static int nft_ct_timeout_obj_init(const struct nft_ctx *ctx,
const struct nlattr * const tb[],
struct nft_object *obj)
{
const struct nf_conntrack_zone *zone = &nf_ct_zone_dflt;
struct nft_ct_timeout_obj *priv = nft_obj_data(obj);
const struct nf_conntrack_l4proto *l4proto;
struct nf_conn_timeout *timeout_ext;
struct nf_ct_timeout *timeout;
int l3num = ctx->family;
struct nf_conn *tmpl;
__u8 l4num;
int ret;
if (!tb[NFTA_CT_TIMEOUT_L3PROTO] ||
!tb[NFTA_CT_TIMEOUT_L4PROTO] ||
!tb[NFTA_CT_TIMEOUT_DATA])
return -EINVAL;
l3num = ntohs(nla_get_be16(tb[NFTA_CT_TIMEOUT_L3PROTO]));
l4num = nla_get_u8(tb[NFTA_CT_TIMEOUT_L4PROTO]);
priv->l4proto = l4num;
l4proto = nf_ct_l4proto_find_get(l3num, l4num);
if (l4proto->l4proto != l4num) {
ret = -EOPNOTSUPP;
goto err_proto_put;
}
timeout = kzalloc(sizeof(struct nf_ct_timeout) +
l4proto->ctnl_timeout.obj_size, GFP_KERNEL);
if (timeout == NULL) {
ret = -ENOMEM;
goto err_proto_put;
}
ret = nft_ct_timeout_parse_policy(&timeout->data, l4proto, ctx->net,
tb[NFTA_CT_TIMEOUT_DATA]);
if (ret < 0)
goto err_free_timeout;
timeout->l3num = l3num;
timeout->l4proto = l4proto;
tmpl = nf_ct_tmpl_alloc(ctx->net, zone, GFP_ATOMIC);
if (!tmpl) {
ret = -ENOMEM;
goto err_free_timeout;
}
timeout_ext = nf_ct_timeout_ext_add(tmpl, timeout, GFP_ATOMIC);
if (!timeout_ext) {
ret = -ENOMEM;
goto err_free_tmpl;
}
ret = nf_ct_netns_get(ctx->net, ctx->family);
if (ret < 0)
goto err_free_tmpl;
priv->tmpl = tmpl;
return 0;
err_free_tmpl:
nf_ct_tmpl_free(tmpl);
err_free_timeout:
kfree(timeout);
err_proto_put:
nf_ct_l4proto_put(l4proto);
return ret;
}
static void nft_ct_timeout_obj_destroy(const struct nft_ctx *ctx,
struct nft_object *obj)
{
struct nft_ct_timeout_obj *priv = nft_obj_data(obj);
struct nf_conn_timeout *t = nf_ct_timeout_find(priv->tmpl);
struct nf_ct_timeout *timeout;
timeout = rcu_dereference_raw(t->timeout);
nf_ct_untimeout(ctx->net, timeout);
nf_ct_l4proto_put(timeout->l4proto);
nf_ct_netns_put(ctx->net, ctx->family);
nf_ct_tmpl_free(priv->tmpl);
}
static int nft_ct_timeout_obj_dump(struct sk_buff *skb,
struct nft_object *obj, bool reset)
{
const struct nft_ct_timeout_obj *priv = nft_obj_data(obj);
const struct nf_conn_timeout *t = nf_ct_timeout_find(priv->tmpl);
const struct nf_ct_timeout *timeout = rcu_dereference_raw(t->timeout);
struct nlattr *nest_params;
int ret;
if (nla_put_u8(skb, NFTA_CT_TIMEOUT_L4PROTO, timeout->l4proto->l4proto) ||
nla_put_be16(skb, NFTA_CT_TIMEOUT_L3PROTO, htons(timeout->l3num)))
return -1;
nest_params = nla_nest_start(skb, NFTA_CT_TIMEOUT_DATA | NLA_F_NESTED);
if (!nest_params)
return -1;
ret = timeout->l4proto->ctnl_timeout.obj_to_nlattr(skb, &timeout->data);
if (ret < 0)
return -1;
nla_nest_end(skb, nest_params);
return 0;
}
static const struct nla_policy nft_ct_timeout_policy[NFTA_CT_TIMEOUT_MAX + 1] = {
[NFTA_CT_TIMEOUT_L3PROTO] = {.type = NLA_U16 },
[NFTA_CT_TIMEOUT_L4PROTO] = {.type = NLA_U8 },
[NFTA_CT_TIMEOUT_DATA] = {.type = NLA_NESTED },
};
static struct nft_object_type nft_ct_timeout_obj_type;
static const struct nft_object_ops nft_ct_timeout_obj_ops = {
.type = &nft_ct_timeout_obj_type,
.size = sizeof(struct nft_ct_timeout_obj),
.eval = nft_ct_timeout_obj_eval,
.init = nft_ct_timeout_obj_init,
.destroy = nft_ct_timeout_obj_destroy,
.dump = nft_ct_timeout_obj_dump,
};
static struct nft_object_type nft_ct_timeout_obj_type __read_mostly = {
.type = NFT_OBJECT_CT_TIMEOUT,
.ops = &nft_ct_timeout_obj_ops,
.maxattr = NFTA_CT_TIMEOUT_MAX,
.policy = nft_ct_timeout_policy,
.owner = THIS_MODULE,
};
#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
static int nft_ct_helper_obj_init(const struct nft_ctx *ctx, static int nft_ct_helper_obj_init(const struct nft_ctx *ctx,
const struct nlattr * const tb[], const struct nlattr * const tb[],
struct nft_object *obj) struct nft_object *obj)
...@@ -773,6 +963,7 @@ static int nft_ct_helper_obj_init(const struct nft_ctx *ctx, ...@@ -773,6 +963,7 @@ static int nft_ct_helper_obj_init(const struct nft_ctx *ctx,
struct nf_conntrack_helper *help4, *help6; struct nf_conntrack_helper *help4, *help6;
char name[NF_CT_HELPER_NAME_LEN]; char name[NF_CT_HELPER_NAME_LEN];
int family = ctx->family; int family = ctx->family;
int err;
if (!tb[NFTA_CT_HELPER_NAME] || !tb[NFTA_CT_HELPER_L4PROTO]) if (!tb[NFTA_CT_HELPER_NAME] || !tb[NFTA_CT_HELPER_L4PROTO])
return -EINVAL; return -EINVAL;
...@@ -823,7 +1014,18 @@ static int nft_ct_helper_obj_init(const struct nft_ctx *ctx, ...@@ -823,7 +1014,18 @@ static int nft_ct_helper_obj_init(const struct nft_ctx *ctx,
priv->helper4 = help4; priv->helper4 = help4;
priv->helper6 = help6; priv->helper6 = help6;
err = nf_ct_netns_get(ctx->net, ctx->family);
if (err < 0)
goto err_put_helper;
return 0; return 0;
err_put_helper:
if (priv->helper4)
nf_conntrack_helper_put(priv->helper4);
if (priv->helper6)
nf_conntrack_helper_put(priv->helper6);
return err;
} }
static void nft_ct_helper_obj_destroy(const struct nft_ctx *ctx, static void nft_ct_helper_obj_destroy(const struct nft_ctx *ctx,
...@@ -835,6 +1037,8 @@ static void nft_ct_helper_obj_destroy(const struct nft_ctx *ctx, ...@@ -835,6 +1037,8 @@ static void nft_ct_helper_obj_destroy(const struct nft_ctx *ctx,
nf_conntrack_helper_put(priv->helper4); nf_conntrack_helper_put(priv->helper4);
if (priv->helper6) if (priv->helper6)
nf_conntrack_helper_put(priv->helper6); nf_conntrack_helper_put(priv->helper6);
nf_ct_netns_put(ctx->net, ctx->family);
} }
static void nft_ct_helper_obj_eval(struct nft_object *obj, static void nft_ct_helper_obj_eval(struct nft_object *obj,
...@@ -949,9 +1153,17 @@ static int __init nft_ct_module_init(void) ...@@ -949,9 +1153,17 @@ static int __init nft_ct_module_init(void)
err = nft_register_obj(&nft_ct_helper_obj_type); err = nft_register_obj(&nft_ct_helper_obj_type);
if (err < 0) if (err < 0)
goto err2; goto err2;
#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
err = nft_register_obj(&nft_ct_timeout_obj_type);
if (err < 0)
goto err3;
#endif
return 0; return 0;
#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
err3:
nft_unregister_obj(&nft_ct_helper_obj_type);
#endif
err2: err2:
nft_unregister_expr(&nft_notrack_type); nft_unregister_expr(&nft_notrack_type);
err1: err1:
...@@ -961,6 +1173,9 @@ static int __init nft_ct_module_init(void) ...@@ -961,6 +1173,9 @@ static int __init nft_ct_module_init(void)
static void __exit nft_ct_module_exit(void) static void __exit nft_ct_module_exit(void)
{ {
#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
nft_unregister_obj(&nft_ct_timeout_obj_type);
#endif
nft_unregister_obj(&nft_ct_helper_obj_type); nft_unregister_obj(&nft_ct_helper_obj_type);
nft_unregister_expr(&nft_notrack_type); nft_unregister_expr(&nft_notrack_type);
nft_unregister_expr(&nft_ct_type); nft_unregister_expr(&nft_ct_type);
...@@ -974,3 +1189,4 @@ MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>"); ...@@ -974,3 +1189,4 @@ MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_ALIAS_NFT_EXPR("ct"); MODULE_ALIAS_NFT_EXPR("ct");
MODULE_ALIAS_NFT_EXPR("notrack"); MODULE_ALIAS_NFT_EXPR("notrack");
MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_CT_HELPER); MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_CT_HELPER);
MODULE_ALIAS_NFT_OBJ(NFT_OBJECT_CT_TIMEOUT);
...@@ -4,8 +4,6 @@ ...@@ -4,8 +4,6 @@
#include <net/netfilter/nf_tables.h> #include <net/netfilter/nf_tables.h>
#include <linux/netfilter/nfnetlink_osf.h> #include <linux/netfilter/nfnetlink_osf.h>
#define OSF_GENRE_SIZE 32
struct nft_osf { struct nft_osf {
enum nft_registers dreg:8; enum nft_registers dreg:8;
}; };
...@@ -37,9 +35,9 @@ static void nft_osf_eval(const struct nft_expr *expr, struct nft_regs *regs, ...@@ -37,9 +35,9 @@ static void nft_osf_eval(const struct nft_expr *expr, struct nft_regs *regs,
os_name = nf_osf_find(skb, nf_osf_fingers); os_name = nf_osf_find(skb, nf_osf_fingers);
if (!os_name) if (!os_name)
strncpy((char *)dest, "unknown", IFNAMSIZ); strncpy((char *)dest, "unknown", NFT_OSF_MAXGENRELEN);
else else
strncpy((char *)dest, os_name, IFNAMSIZ); strncpy((char *)dest, os_name, NFT_OSF_MAXGENRELEN);
} }
static int nft_osf_init(const struct nft_ctx *ctx, static int nft_osf_init(const struct nft_ctx *ctx,
...@@ -51,7 +49,7 @@ static int nft_osf_init(const struct nft_ctx *ctx, ...@@ -51,7 +49,7 @@ static int nft_osf_init(const struct nft_ctx *ctx,
priv->dreg = nft_parse_register(tb[NFTA_OSF_DREG]); priv->dreg = nft_parse_register(tb[NFTA_OSF_DREG]);
err = nft_validate_register_store(ctx, priv->dreg, NULL, err = nft_validate_register_store(ctx, priv->dreg, NULL,
NFTA_DATA_VALUE, OSF_GENRE_SIZE); NFTA_DATA_VALUE, NFT_OSF_MAXGENRELEN);
if (err < 0) if (err < 0)
return err; return err;
......
...@@ -104,7 +104,7 @@ xt_ct_set_helper(struct nf_conn *ct, const char *helper_name, ...@@ -104,7 +104,7 @@ xt_ct_set_helper(struct nf_conn *ct, const char *helper_name,
} }
#ifdef CONFIG_NF_CONNTRACK_TIMEOUT #ifdef CONFIG_NF_CONNTRACK_TIMEOUT
static void __xt_ct_tg_timeout_put(struct ctnl_timeout *timeout) static void __xt_ct_tg_timeout_put(struct nf_ct_timeout *timeout)
{ {
typeof(nf_ct_timeout_put_hook) timeout_put; typeof(nf_ct_timeout_put_hook) timeout_put;
...@@ -121,7 +121,7 @@ xt_ct_set_timeout(struct nf_conn *ct, const struct xt_tgchk_param *par, ...@@ -121,7 +121,7 @@ xt_ct_set_timeout(struct nf_conn *ct, const struct xt_tgchk_param *par,
#ifdef CONFIG_NF_CONNTRACK_TIMEOUT #ifdef CONFIG_NF_CONNTRACK_TIMEOUT
typeof(nf_ct_timeout_find_get_hook) timeout_find_get; typeof(nf_ct_timeout_find_get_hook) timeout_find_get;
const struct nf_conntrack_l4proto *l4proto; const struct nf_conntrack_l4proto *l4proto;
struct ctnl_timeout *timeout; struct nf_ct_timeout *timeout;
struct nf_conn_timeout *timeout_ext; struct nf_conn_timeout *timeout_ext;
const char *errmsg = NULL; const char *errmsg = NULL;
int ret = 0; int ret = 0;
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册