1 /* Connection tracking via netlink socket. Allows for user space
2 * protocol helpers and general trouble making from userspace.
4 * (C) 2001 by Jay Schulist <jschlst@samba.org>
5 * (C) 2002-2005 by Harald Welte <laforge@gnumonks.org>
6 * (C) 2003 by Patrick Mchardy <kaber@trash.net>
7 * (C) 2005 by Pablo Neira Ayuso <pablo@eurodev.net>
9 * I've reworked this stuff to use attributes instead of conntrack
10 * structures. 5.44 am. I need more tea. --pablo 05/07/11.
12 * Initial connection tracking via netlink development funded and
13 * generally made possible by Network Robots, Inc. (www.networkrobots.com)
15 * Further development of this code funded by Astaro AG (http://www.astaro.com)
17 * This software may be used and distributed according to the terms
18 * of the GNU General Public License, incorporated herein by reference.
21 #include <linux/init.h>
22 #include <linux/module.h>
23 #include <linux/kernel.h>
24 #include <linux/types.h>
25 #include <linux/timer.h>
26 #include <linux/skbuff.h>
27 #include <linux/errno.h>
28 #include <linux/netlink.h>
29 #include <linux/spinlock.h>
30 #include <linux/interrupt.h>
31 #include <linux/notifier.h>
33 #include <linux/netfilter.h>
34 #include <linux/netfilter_ipv4/ip_conntrack.h>
35 #include <linux/netfilter_ipv4/ip_conntrack_core.h>
36 #include <linux/netfilter_ipv4/ip_conntrack_helper.h>
37 #include <linux/netfilter_ipv4/ip_conntrack_protocol.h>
38 #include <linux/netfilter_ipv4/ip_nat_protocol.h>
40 #include <linux/netfilter/nfnetlink.h>
41 #include <linux/netfilter/nfnetlink_conntrack.h>
43 MODULE_LICENSE("GPL");
45 static char __initdata version[] = "0.90";
50 #define DEBUGP(format, args...)
55 ctnetlink_dump_tuples_proto(struct sk_buff *skb,
56 const struct ip_conntrack_tuple *tuple)
58 struct ip_conntrack_protocol *proto;
61 NFA_PUT(skb, CTA_PROTO_NUM, sizeof(u_int8_t), &tuple->dst.protonum);
63 /* If no protocol helper is found, this function will return the
64 * generic protocol helper, so proto won't *ever* be NULL */
65 proto = ip_conntrack_proto_find_get(tuple->dst.protonum);
66 if (likely(proto->tuple_to_nfattr))
67 ret = proto->tuple_to_nfattr(skb, tuple);
69 ip_conntrack_proto_put(proto);
78 ctnetlink_dump_tuples(struct sk_buff *skb,
79 const struct ip_conntrack_tuple *tuple)
81 struct nfattr *nest_parms;
83 nest_parms = NFA_NEST(skb, CTA_TUPLE_IP);
84 NFA_PUT(skb, CTA_IP_V4_SRC, sizeof(u_int32_t), &tuple->src.ip);
85 NFA_PUT(skb, CTA_IP_V4_DST, sizeof(u_int32_t), &tuple->dst.ip);
86 NFA_NEST_END(skb, nest_parms);
88 nest_parms = NFA_NEST(skb, CTA_TUPLE_PROTO);
89 ctnetlink_dump_tuples_proto(skb, tuple);
90 NFA_NEST_END(skb, nest_parms);
99 ctnetlink_dump_status(struct sk_buff *skb, const struct ip_conntrack *ct)
101 u_int32_t status = htonl((u_int32_t) ct->status);
102 NFA_PUT(skb, CTA_STATUS, sizeof(status), &status);
110 ctnetlink_dump_timeout(struct sk_buff *skb, const struct ip_conntrack *ct)
112 long timeout_l = ct->timeout.expires - jiffies;
118 timeout = htonl(timeout_l / HZ);
120 NFA_PUT(skb, CTA_TIMEOUT, sizeof(timeout), &timeout);
128 ctnetlink_dump_protoinfo(struct sk_buff *skb, const struct ip_conntrack *ct)
130 struct ip_conntrack_protocol *proto = ip_conntrack_proto_find_get(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum);
132 struct nfattr *nest_proto;
135 if (!proto->to_nfattr) {
136 ip_conntrack_proto_put(proto);
140 nest_proto = NFA_NEST(skb, CTA_PROTOINFO);
142 ret = proto->to_nfattr(skb, nest_proto, ct);
144 ip_conntrack_proto_put(proto);
146 NFA_NEST_END(skb, nest_proto);
155 ctnetlink_dump_helpinfo(struct sk_buff *skb, const struct ip_conntrack *ct)
157 struct nfattr *nest_helper;
162 nest_helper = NFA_NEST(skb, CTA_HELP);
163 NFA_PUT(skb, CTA_HELP_NAME, CTA_HELP_MAXNAMESIZE, &ct->helper->name);
165 if (ct->helper->to_nfattr)
166 ct->helper->to_nfattr(skb, ct);
168 NFA_NEST_END(skb, nest_helper);
176 #ifdef CONFIG_IP_NF_CT_ACCT
178 ctnetlink_dump_counters(struct sk_buff *skb, const struct ip_conntrack *ct,
179 enum ip_conntrack_dir dir)
181 enum ctattr_type type = dir ? CTA_COUNTERS_REPLY: CTA_COUNTERS_ORIG;
182 struct nfattr *nest_count = NFA_NEST(skb, type);
185 tmp = htonl(ct->counters[dir].packets);
186 NFA_PUT(skb, CTA_COUNTERS32_PACKETS, sizeof(u_int32_t), &tmp);
188 tmp = htonl(ct->counters[dir].bytes);
189 NFA_PUT(skb, CTA_COUNTERS32_BYTES, sizeof(u_int32_t), &tmp);
191 NFA_NEST_END(skb, nest_count);
199 #define ctnetlink_dump_counters(a, b, c) (0)
202 #ifdef CONFIG_IP_NF_CONNTRACK_MARK
204 ctnetlink_dump_mark(struct sk_buff *skb, const struct ip_conntrack *ct)
206 u_int32_t mark = htonl(ct->mark);
208 NFA_PUT(skb, CTA_MARK, sizeof(u_int32_t), &mark);
215 #define ctnetlink_dump_mark(a, b) (0)
219 ctnetlink_dump_id(struct sk_buff *skb, const struct ip_conntrack *ct)
221 u_int32_t id = htonl(ct->id);
222 NFA_PUT(skb, CTA_ID, sizeof(u_int32_t), &id);
230 ctnetlink_dump_use(struct sk_buff *skb, const struct ip_conntrack *ct)
232 unsigned int use = htonl(atomic_read(&ct->ct_general.use));
234 NFA_PUT(skb, CTA_USE, sizeof(u_int32_t), &use);
241 #define tuple(ct, dir) (&(ct)->tuplehash[dir].tuple)
244 ctnetlink_fill_info(struct sk_buff *skb, u32 pid, u32 seq,
245 int event, int nowait,
246 const struct ip_conntrack *ct)
248 struct nlmsghdr *nlh;
249 struct nfgenmsg *nfmsg;
250 struct nfattr *nest_parms;
255 event |= NFNL_SUBSYS_CTNETLINK << 8;
256 nlh = NLMSG_PUT(skb, pid, seq, event, sizeof(struct nfgenmsg));
257 nfmsg = NLMSG_DATA(nlh);
259 nlh->nlmsg_flags = (nowait && pid) ? NLM_F_MULTI : 0;
260 nfmsg->nfgen_family = AF_INET;
261 nfmsg->version = NFNETLINK_V0;
264 nest_parms = NFA_NEST(skb, CTA_TUPLE_ORIG);
265 if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
267 NFA_NEST_END(skb, nest_parms);
269 nest_parms = NFA_NEST(skb, CTA_TUPLE_REPLY);
270 if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_REPLY)) < 0)
272 NFA_NEST_END(skb, nest_parms);
274 if (ctnetlink_dump_status(skb, ct) < 0 ||
275 ctnetlink_dump_timeout(skb, ct) < 0 ||
276 ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 ||
277 ctnetlink_dump_counters(skb, ct, IP_CT_DIR_REPLY) < 0 ||
278 ctnetlink_dump_protoinfo(skb, ct) < 0 ||
279 ctnetlink_dump_helpinfo(skb, ct) < 0 ||
280 ctnetlink_dump_mark(skb, ct) < 0 ||
281 ctnetlink_dump_id(skb, ct) < 0 ||
282 ctnetlink_dump_use(skb, ct) < 0)
285 nlh->nlmsg_len = skb->tail - b;
290 skb_trim(skb, b - skb->data);
294 #ifdef CONFIG_IP_NF_CONNTRACK_EVENTS
295 static int ctnetlink_conntrack_event(struct notifier_block *this,
296 unsigned long events, void *ptr)
298 struct nlmsghdr *nlh;
299 struct nfgenmsg *nfmsg;
300 struct nfattr *nest_parms;
301 struct ip_conntrack *ct = (struct ip_conntrack *)ptr;
305 unsigned int flags = 0, group;
307 /* ignore our fake conntrack entry */
308 if (ct == &ip_conntrack_untracked)
311 if (events & IPCT_DESTROY) {
312 type = IPCTNL_MSG_CT_DELETE;
313 group = NFNLGRP_CONNTRACK_DESTROY;
316 if (events & (IPCT_NEW | IPCT_RELATED)) {
317 type = IPCTNL_MSG_CT_NEW;
318 flags = NLM_F_CREATE|NLM_F_EXCL;
319 /* dump everything */
321 group = NFNLGRP_CONNTRACK_NEW;
324 if (events & (IPCT_STATUS |
329 type = IPCTNL_MSG_CT_NEW;
330 group = NFNLGRP_CONNTRACK_UPDATE;
337 /* FIXME: Check if there are any listeners before, don't hurt performance */
339 skb = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
345 type |= NFNL_SUBSYS_CTNETLINK << 8;
346 nlh = NLMSG_PUT(skb, 0, 0, type, sizeof(struct nfgenmsg));
347 nfmsg = NLMSG_DATA(nlh);
349 nlh->nlmsg_flags = flags;
350 nfmsg->nfgen_family = AF_INET;
351 nfmsg->version = NFNETLINK_V0;
354 nest_parms = NFA_NEST(skb, CTA_TUPLE_ORIG);
355 if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
357 NFA_NEST_END(skb, nest_parms);
359 nest_parms = NFA_NEST(skb, CTA_TUPLE_REPLY);
360 if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_REPLY)) < 0)
362 NFA_NEST_END(skb, nest_parms);
364 /* NAT stuff is now a status flag */
365 if ((events & IPCT_STATUS || events & IPCT_NATINFO)
366 && ctnetlink_dump_status(skb, ct) < 0)
368 if (events & IPCT_REFRESH
369 && ctnetlink_dump_timeout(skb, ct) < 0)
371 if (events & IPCT_PROTOINFO
372 && ctnetlink_dump_protoinfo(skb, ct) < 0)
374 if (events & IPCT_HELPINFO
375 && ctnetlink_dump_helpinfo(skb, ct) < 0)
378 if (ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 ||
379 ctnetlink_dump_counters(skb, ct, IP_CT_DIR_REPLY) < 0)
382 nlh->nlmsg_len = skb->tail - b;
383 nfnetlink_send(skb, 0, group, 0);
391 #endif /* CONFIG_IP_NF_CONNTRACK_EVENTS */
393 static int ctnetlink_done(struct netlink_callback *cb)
395 DEBUGP("entered %s\n", __FUNCTION__);
400 ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
402 struct ip_conntrack *ct = NULL;
403 struct ip_conntrack_tuple_hash *h;
405 u_int32_t *id = (u_int32_t *) &cb->args[1];
407 DEBUGP("entered %s, last bucket=%lu id=%u\n", __FUNCTION__,
410 read_lock_bh(&ip_conntrack_lock);
411 for (; cb->args[0] < ip_conntrack_htable_size; cb->args[0]++, *id = 0) {
412 list_for_each_prev(i, &ip_conntrack_hash[cb->args[0]]) {
413 h = (struct ip_conntrack_tuple_hash *) i;
414 if (DIRECTION(h) != IP_CT_DIR_ORIGINAL)
416 ct = tuplehash_to_ctrack(h);
419 if (ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).pid,
428 read_unlock_bh(&ip_conntrack_lock);
430 DEBUGP("leaving, last bucket=%lu id=%u\n", cb->args[0], *id);
435 #ifdef CONFIG_IP_NF_CT_ACCT
437 ctnetlink_dump_table_w(struct sk_buff *skb, struct netlink_callback *cb)
439 struct ip_conntrack *ct = NULL;
440 struct ip_conntrack_tuple_hash *h;
442 u_int32_t *id = (u_int32_t *) &cb->args[1];
444 DEBUGP("entered %s, last bucket=%u id=%u\n", __FUNCTION__,
447 write_lock_bh(&ip_conntrack_lock);
448 for (; cb->args[0] < ip_conntrack_htable_size; cb->args[0]++, *id = 0) {
449 list_for_each_prev(i, &ip_conntrack_hash[cb->args[0]]) {
450 h = (struct ip_conntrack_tuple_hash *) i;
451 if (DIRECTION(h) != IP_CT_DIR_ORIGINAL)
453 ct = tuplehash_to_ctrack(h);
456 if (ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).pid,
463 memset(&ct->counters, 0, sizeof(ct->counters));
467 write_unlock_bh(&ip_conntrack_lock);
469 DEBUGP("leaving, last bucket=%lu id=%u\n", cb->args[0], *id);
475 static const size_t cta_min_ip[CTA_IP_MAX] = {
476 [CTA_IP_V4_SRC-1] = sizeof(u_int32_t),
477 [CTA_IP_V4_DST-1] = sizeof(u_int32_t),
481 ctnetlink_parse_tuple_ip(struct nfattr *attr, struct ip_conntrack_tuple *tuple)
483 struct nfattr *tb[CTA_IP_MAX];
485 DEBUGP("entered %s\n", __FUNCTION__);
487 nfattr_parse_nested(tb, CTA_IP_MAX, attr);
489 if (nfattr_bad_size(tb, CTA_IP_MAX, cta_min_ip))
492 if (!tb[CTA_IP_V4_SRC-1])
494 tuple->src.ip = *(u_int32_t *)NFA_DATA(tb[CTA_IP_V4_SRC-1]);
496 if (!tb[CTA_IP_V4_DST-1])
498 tuple->dst.ip = *(u_int32_t *)NFA_DATA(tb[CTA_IP_V4_DST-1]);
505 static const size_t cta_min_proto[CTA_PROTO_MAX] = {
506 [CTA_PROTO_NUM-1] = sizeof(u_int16_t),
507 [CTA_PROTO_SRC_PORT-1] = sizeof(u_int16_t),
508 [CTA_PROTO_DST_PORT-1] = sizeof(u_int16_t),
509 [CTA_PROTO_ICMP_TYPE-1] = sizeof(u_int8_t),
510 [CTA_PROTO_ICMP_CODE-1] = sizeof(u_int8_t),
511 [CTA_PROTO_ICMP_ID-1] = sizeof(u_int16_t),
515 ctnetlink_parse_tuple_proto(struct nfattr *attr,
516 struct ip_conntrack_tuple *tuple)
518 struct nfattr *tb[CTA_PROTO_MAX];
519 struct ip_conntrack_protocol *proto;
522 DEBUGP("entered %s\n", __FUNCTION__);
524 nfattr_parse_nested(tb, CTA_PROTO_MAX, attr);
526 if (nfattr_bad_size(tb, CTA_PROTO_MAX, cta_min_proto))
529 if (!tb[CTA_PROTO_NUM-1])
531 tuple->dst.protonum = *(u_int16_t *)NFA_DATA(tb[CTA_PROTO_NUM-1]);
533 proto = ip_conntrack_proto_find_get(tuple->dst.protonum);
535 if (likely(proto->nfattr_to_tuple))
536 ret = proto->nfattr_to_tuple(tb, tuple);
538 ip_conntrack_proto_put(proto);
544 ctnetlink_parse_tuple(struct nfattr *cda[], struct ip_conntrack_tuple *tuple,
545 enum ctattr_tuple type)
547 struct nfattr *tb[CTA_TUPLE_MAX];
550 DEBUGP("entered %s\n", __FUNCTION__);
552 memset(tuple, 0, sizeof(*tuple));
554 nfattr_parse_nested(tb, CTA_TUPLE_MAX, cda[type-1]);
556 if (!tb[CTA_TUPLE_IP-1])
559 err = ctnetlink_parse_tuple_ip(tb[CTA_TUPLE_IP-1], tuple);
563 if (!tb[CTA_TUPLE_PROTO-1])
566 err = ctnetlink_parse_tuple_proto(tb[CTA_TUPLE_PROTO-1], tuple);
570 /* orig and expect tuples get DIR_ORIGINAL */
571 if (type == CTA_TUPLE_REPLY)
572 tuple->dst.dir = IP_CT_DIR_REPLY;
574 tuple->dst.dir = IP_CT_DIR_ORIGINAL;
583 #ifdef CONFIG_IP_NF_NAT_NEEDED
584 static const size_t cta_min_protonat[CTA_PROTONAT_MAX] = {
585 [CTA_PROTONAT_PORT_MIN-1] = sizeof(u_int16_t),
586 [CTA_PROTONAT_PORT_MAX-1] = sizeof(u_int16_t),
589 static int ctnetlink_parse_nat_proto(struct nfattr *attr,
590 const struct ip_conntrack *ct,
591 struct ip_nat_range *range)
593 struct nfattr *tb[CTA_PROTONAT_MAX];
594 struct ip_nat_protocol *npt;
596 DEBUGP("entered %s\n", __FUNCTION__);
598 nfattr_parse_nested(tb, CTA_PROTONAT_MAX, attr);
600 if (nfattr_bad_size(tb, CTA_PROTONAT_MAX, cta_min_protonat))
603 npt = ip_nat_proto_find_get(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum);
605 if (!npt->nfattr_to_range) {
606 ip_nat_proto_put(npt);
610 /* nfattr_to_range returns 1 if it parsed, 0 if not, neg. on error */
611 if (npt->nfattr_to_range(tb, range) > 0)
612 range->flags |= IP_NAT_RANGE_PROTO_SPECIFIED;
614 ip_nat_proto_put(npt);
620 static const size_t cta_min_nat[CTA_NAT_MAX] = {
621 [CTA_NAT_MINIP-1] = sizeof(u_int32_t),
622 [CTA_NAT_MAXIP-1] = sizeof(u_int32_t),
626 ctnetlink_parse_nat(struct nfattr *cda[],
627 const struct ip_conntrack *ct, struct ip_nat_range *range)
629 struct nfattr *tb[CTA_NAT_MAX];
632 DEBUGP("entered %s\n", __FUNCTION__);
634 memset(range, 0, sizeof(*range));
636 nfattr_parse_nested(tb, CTA_NAT_MAX, cda[CTA_NAT-1]);
638 if (nfattr_bad_size(tb, CTA_NAT_MAX, cta_min_nat))
641 if (tb[CTA_NAT_MINIP-1])
642 range->min_ip = *(u_int32_t *)NFA_DATA(tb[CTA_NAT_MINIP-1]);
644 if (!tb[CTA_NAT_MAXIP-1])
645 range->max_ip = range->min_ip;
647 range->max_ip = *(u_int32_t *)NFA_DATA(tb[CTA_NAT_MAXIP-1]);
650 range->flags |= IP_NAT_RANGE_MAP_IPS;
652 if (!tb[CTA_NAT_PROTO-1])
655 err = ctnetlink_parse_nat_proto(tb[CTA_NAT_PROTO-1], ct, range);
665 ctnetlink_parse_help(struct nfattr *attr, char **helper_name)
667 struct nfattr *tb[CTA_HELP_MAX];
669 DEBUGP("entered %s\n", __FUNCTION__);
671 nfattr_parse_nested(tb, CTA_HELP_MAX, attr);
673 if (!tb[CTA_HELP_NAME-1])
676 *helper_name = NFA_DATA(tb[CTA_HELP_NAME-1]);
681 static const size_t cta_min[CTA_MAX] = {
682 [CTA_STATUS-1] = sizeof(u_int32_t),
683 [CTA_TIMEOUT-1] = sizeof(u_int32_t),
684 [CTA_MARK-1] = sizeof(u_int32_t),
685 [CTA_USE-1] = sizeof(u_int32_t),
686 [CTA_ID-1] = sizeof(u_int32_t)
690 ctnetlink_del_conntrack(struct sock *ctnl, struct sk_buff *skb,
691 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
693 struct ip_conntrack_tuple_hash *h;
694 struct ip_conntrack_tuple tuple;
695 struct ip_conntrack *ct;
698 DEBUGP("entered %s\n", __FUNCTION__);
700 if (nfattr_bad_size(cda, CTA_MAX, cta_min))
703 if (cda[CTA_TUPLE_ORIG-1])
704 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG);
705 else if (cda[CTA_TUPLE_REPLY-1])
706 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY);
708 /* Flush the whole table */
709 ip_conntrack_flush();
716 h = ip_conntrack_find_get(&tuple, NULL);
718 DEBUGP("tuple not found in conntrack hash\n");
722 ct = tuplehash_to_ctrack(h);
725 u_int32_t id = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_ID-1]));
727 ip_conntrack_put(ct);
731 if (del_timer(&ct->timeout)) {
732 ip_conntrack_put(ct);
733 ct->timeout.function((unsigned long)ct);
736 ip_conntrack_put(ct);
743 ctnetlink_get_conntrack(struct sock *ctnl, struct sk_buff *skb,
744 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
746 struct ip_conntrack_tuple_hash *h;
747 struct ip_conntrack_tuple tuple;
748 struct ip_conntrack *ct;
749 struct sk_buff *skb2 = NULL;
752 DEBUGP("entered %s\n", __FUNCTION__);
754 if (nlh->nlmsg_flags & NLM_F_DUMP) {
755 struct nfgenmsg *msg = NLMSG_DATA(nlh);
758 if (msg->nfgen_family != AF_INET)
759 return -EAFNOSUPPORT;
761 if (NFNL_MSG_TYPE(nlh->nlmsg_type) ==
762 IPCTNL_MSG_CT_GET_CTRZERO) {
763 #ifdef CONFIG_IP_NF_CT_ACCT
764 if ((*errp = netlink_dump_start(ctnl, skb, nlh,
765 ctnetlink_dump_table_w,
766 ctnetlink_done)) != 0)
772 if ((*errp = netlink_dump_start(ctnl, skb, nlh,
773 ctnetlink_dump_table,
774 ctnetlink_done)) != 0)
778 rlen = NLMSG_ALIGN(nlh->nlmsg_len);
785 if (nfattr_bad_size(cda, CTA_MAX, cta_min))
788 if (cda[CTA_TUPLE_ORIG-1])
789 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG);
790 else if (cda[CTA_TUPLE_REPLY-1])
791 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY);
798 h = ip_conntrack_find_get(&tuple, NULL);
800 DEBUGP("tuple not found in conntrack hash");
803 DEBUGP("tuple found\n");
804 ct = tuplehash_to_ctrack(h);
807 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
809 ip_conntrack_put(ct);
812 NETLINK_CB(skb2).dst_pid = NETLINK_CB(skb).pid;
814 err = ctnetlink_fill_info(skb2, NETLINK_CB(skb).pid, nlh->nlmsg_seq,
815 IPCTNL_MSG_CT_NEW, 1, ct);
816 ip_conntrack_put(ct);
820 err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT);
834 ctnetlink_change_status(struct ip_conntrack *ct, struct nfattr *cda[])
837 unsigned status = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_STATUS-1]));
838 d = ct->status ^ status;
840 if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING))
844 if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY))
845 /* SEEN_REPLY bit can only be set */
849 if (d & IPS_ASSURED && !(status & IPS_ASSURED))
850 /* ASSURED bit can only be set */
853 if (cda[CTA_NAT-1]) {
854 #ifndef CONFIG_IP_NF_NAT_NEEDED
857 unsigned int hooknum;
858 struct ip_nat_range range;
860 if (ctnetlink_parse_nat(cda, ct, &range) < 0)
863 DEBUGP("NAT: %u.%u.%u.%u-%u.%u.%u.%u:%u-%u\n",
864 NIPQUAD(range.min_ip), NIPQUAD(range.max_ip),
865 htons(range.min.all), htons(range.max.all));
867 /* This is tricky but it works. ip_nat_setup_info needs the
868 * hook number as parameter, so let's do the correct
869 * conversion and run away */
870 if (status & IPS_SRC_NAT_DONE)
871 hooknum = NF_IP_POST_ROUTING; /* IP_NAT_MANIP_SRC */
872 else if (status & IPS_DST_NAT_DONE)
873 hooknum = NF_IP_PRE_ROUTING; /* IP_NAT_MANIP_DST */
875 return -EINVAL; /* Missing NAT flags */
877 DEBUGP("NAT status: %lu\n",
878 status & (IPS_NAT_MASK | IPS_NAT_DONE_MASK));
880 if (ip_nat_initialized(ct, hooknum))
882 ip_nat_setup_info(ct, &range, hooknum);
884 DEBUGP("NAT status after setup_info: %lu\n",
885 ct->status & (IPS_NAT_MASK | IPS_NAT_DONE_MASK));
889 /* Be careful here, modifying NAT bits can screw up things,
890 * so don't let users modify them directly if they don't pass
892 ct->status |= status & ~(IPS_NAT_DONE_MASK | IPS_NAT_MASK);
898 ctnetlink_change_helper(struct ip_conntrack *ct, struct nfattr *cda[])
900 struct ip_conntrack_helper *helper;
904 DEBUGP("entered %s\n", __FUNCTION__);
906 /* don't change helper of sibling connections */
910 err = ctnetlink_parse_help(cda[CTA_HELP-1], &helpname);
914 helper = __ip_conntrack_helper_find_byname(helpname);
916 if (!strcmp(helpname, ""))
924 /* we had a helper before ... */
925 ip_ct_remove_expectations(ct);
928 /* need to zero data of old helper */
929 memset(&ct->help, 0, sizeof(ct->help));
939 ctnetlink_change_timeout(struct ip_conntrack *ct, struct nfattr *cda[])
941 u_int32_t timeout = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_TIMEOUT-1]));
943 if (!del_timer(&ct->timeout))
946 ct->timeout.expires = jiffies + timeout * HZ;
947 add_timer(&ct->timeout);
953 ctnetlink_change_protoinfo(struct ip_conntrack *ct, struct nfattr *cda[])
955 struct nfattr *tb[CTA_PROTOINFO_MAX], *attr = cda[CTA_PROTOINFO-1];
956 struct ip_conntrack_protocol *proto;
957 u_int16_t npt = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum;
960 nfattr_parse_nested(tb, CTA_PROTOINFO_MAX, attr);
962 proto = ip_conntrack_proto_find_get(npt);
964 if (proto->from_nfattr)
965 err = proto->from_nfattr(tb, ct);
966 ip_conntrack_proto_put(proto);
972 ctnetlink_change_conntrack(struct ip_conntrack *ct, struct nfattr *cda[])
976 DEBUGP("entered %s\n", __FUNCTION__);
978 if (cda[CTA_HELP-1]) {
979 err = ctnetlink_change_helper(ct, cda);
984 if (cda[CTA_TIMEOUT-1]) {
985 err = ctnetlink_change_timeout(ct, cda);
990 if (cda[CTA_STATUS-1]) {
991 err = ctnetlink_change_status(ct, cda);
996 if (cda[CTA_PROTOINFO-1]) {
997 err = ctnetlink_change_protoinfo(ct, cda);
1002 #if defined(CONFIG_IP_NF_CONNTRACK_MARK)
1003 if (cda[CTA_MARK-1])
1004 ct->mark = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_MARK-1]));
1007 DEBUGP("all done\n");
1012 ctnetlink_create_conntrack(struct nfattr *cda[],
1013 struct ip_conntrack_tuple *otuple,
1014 struct ip_conntrack_tuple *rtuple)
1016 struct ip_conntrack *ct;
1019 DEBUGP("entered %s\n", __FUNCTION__);
1021 ct = ip_conntrack_alloc(otuple, rtuple);
1022 if (ct == NULL || IS_ERR(ct))
1025 if (!cda[CTA_TIMEOUT-1])
1027 ct->timeout.expires = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_TIMEOUT-1]));
1029 ct->timeout.expires = jiffies + ct->timeout.expires * HZ;
1030 ct->status |= IPS_CONFIRMED;
1032 err = ctnetlink_change_status(ct, cda);
1036 if (cda[CTA_PROTOINFO-1]) {
1037 err = ctnetlink_change_protoinfo(ct, cda);
1042 ct->helper = ip_conntrack_helper_find_get(rtuple);
1044 add_timer(&ct->timeout);
1045 ip_conntrack_hash_insert(ct);
1048 ip_conntrack_helper_put(ct->helper);
1050 #if defined(CONFIG_IP_NF_CONNTRACK_MARK)
1051 if (cda[CTA_MARK-1])
1052 ct->mark = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_MARK-1]));
1055 DEBUGP("conntrack with id %u inserted\n", ct->id);
1059 ip_conntrack_free(ct);
1064 ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
1065 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
1067 struct ip_conntrack_tuple otuple, rtuple;
1068 struct ip_conntrack_tuple_hash *h = NULL;
1071 DEBUGP("entered %s\n", __FUNCTION__);
1073 if (nfattr_bad_size(cda, CTA_MAX, cta_min))
1076 if (cda[CTA_TUPLE_ORIG-1]) {
1077 err = ctnetlink_parse_tuple(cda, &otuple, CTA_TUPLE_ORIG);
1082 if (cda[CTA_TUPLE_REPLY-1]) {
1083 err = ctnetlink_parse_tuple(cda, &rtuple, CTA_TUPLE_REPLY);
1088 write_lock_bh(&ip_conntrack_lock);
1089 if (cda[CTA_TUPLE_ORIG-1])
1090 h = __ip_conntrack_find(&otuple, NULL);
1091 else if (cda[CTA_TUPLE_REPLY-1])
1092 h = __ip_conntrack_find(&rtuple, NULL);
1095 write_unlock_bh(&ip_conntrack_lock);
1096 DEBUGP("no such conntrack, create new\n");
1098 if (nlh->nlmsg_flags & NLM_F_CREATE)
1099 err = ctnetlink_create_conntrack(cda, &otuple, &rtuple);
1102 /* implicit 'else' */
1104 /* we only allow nat config for new conntracks */
1105 if (cda[CTA_NAT-1]) {
1110 /* We manipulate the conntrack inside the global conntrack table lock,
1111 * so there's no need to increase the refcount */
1112 DEBUGP("conntrack found\n");
1114 if (!(nlh->nlmsg_flags & NLM_F_EXCL))
1115 err = ctnetlink_change_conntrack(tuplehash_to_ctrack(h), cda);
1118 write_unlock_bh(&ip_conntrack_lock);
1122 /***********************************************************************
1124 ***********************************************************************/
1127 ctnetlink_exp_dump_tuple(struct sk_buff *skb,
1128 const struct ip_conntrack_tuple *tuple,
1129 enum ctattr_expect type)
1131 struct nfattr *nest_parms = NFA_NEST(skb, type);
1133 if (ctnetlink_dump_tuples(skb, tuple) < 0)
1134 goto nfattr_failure;
1136 NFA_NEST_END(skb, nest_parms);
1145 ctnetlink_exp_dump_expect(struct sk_buff *skb,
1146 const struct ip_conntrack_expect *exp)
1148 struct ip_conntrack *master = exp->master;
1149 u_int32_t timeout = htonl((exp->timeout.expires - jiffies) / HZ);
1150 u_int32_t id = htonl(exp->id);
1152 if (ctnetlink_exp_dump_tuple(skb, &exp->tuple, CTA_EXPECT_TUPLE) < 0)
1153 goto nfattr_failure;
1154 if (ctnetlink_exp_dump_tuple(skb, &exp->mask, CTA_EXPECT_MASK) < 0)
1155 goto nfattr_failure;
1156 if (ctnetlink_exp_dump_tuple(skb,
1157 &master->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
1158 CTA_EXPECT_MASTER) < 0)
1159 goto nfattr_failure;
1161 NFA_PUT(skb, CTA_EXPECT_TIMEOUT, sizeof(timeout), &timeout);
1162 NFA_PUT(skb, CTA_EXPECT_ID, sizeof(u_int32_t), &id);
1171 ctnetlink_exp_fill_info(struct sk_buff *skb, u32 pid, u32 seq,
1174 const struct ip_conntrack_expect *exp)
1176 struct nlmsghdr *nlh;
1177 struct nfgenmsg *nfmsg;
1182 event |= NFNL_SUBSYS_CTNETLINK_EXP << 8;
1183 nlh = NLMSG_PUT(skb, pid, seq, event, sizeof(struct nfgenmsg));
1184 nfmsg = NLMSG_DATA(nlh);
1186 nlh->nlmsg_flags = (nowait && pid) ? NLM_F_MULTI : 0;
1187 nfmsg->nfgen_family = AF_INET;
1188 nfmsg->version = NFNETLINK_V0;
1191 if (ctnetlink_exp_dump_expect(skb, exp) < 0)
1192 goto nfattr_failure;
1194 nlh->nlmsg_len = skb->tail - b;
1199 skb_trim(skb, b - skb->data);
1203 #ifdef CONFIG_IP_NF_CONNTRACK_EVENTS
1204 static int ctnetlink_expect_event(struct notifier_block *this,
1205 unsigned long events, void *ptr)
1207 struct nlmsghdr *nlh;
1208 struct nfgenmsg *nfmsg;
1209 struct ip_conntrack_expect *exp = (struct ip_conntrack_expect *)ptr;
1210 struct sk_buff *skb;
1216 if (events & IPEXP_NEW) {
1217 type = IPCTNL_MSG_EXP_NEW;
1218 flags = NLM_F_CREATE|NLM_F_EXCL;
1222 skb = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1228 type |= NFNL_SUBSYS_CTNETLINK << 8;
1229 nlh = NLMSG_PUT(skb, 0, 0, type, sizeof(struct nfgenmsg));
1230 nfmsg = NLMSG_DATA(nlh);
1232 nlh->nlmsg_flags = flags;
1233 nfmsg->nfgen_family = AF_INET;
1234 nfmsg->version = NFNETLINK_V0;
1237 if (ctnetlink_exp_dump_expect(skb, exp) < 0)
1238 goto nfattr_failure;
1240 nlh->nlmsg_len = skb->tail - b;
1241 proto = exp->tuple.dst.protonum;
1242 nfnetlink_send(skb, 0, NFNLGRP_CONNTRACK_EXP_NEW, 0);
1253 ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
1255 struct ip_conntrack_expect *exp = NULL;
1256 struct list_head *i;
1257 u_int32_t *id = (u_int32_t *) &cb->args[0];
1259 DEBUGP("entered %s, last id=%llu\n", __FUNCTION__, *id);
1261 read_lock_bh(&ip_conntrack_lock);
1262 list_for_each_prev(i, &ip_conntrack_expect_list) {
1263 exp = (struct ip_conntrack_expect *) i;
1266 if (ctnetlink_exp_fill_info(skb, NETLINK_CB(cb->skb).pid,
1274 read_unlock_bh(&ip_conntrack_lock);
1276 DEBUGP("leaving, last id=%llu\n", *id);
1281 static const size_t cta_min_exp[CTA_EXPECT_MAX] = {
1282 [CTA_EXPECT_TIMEOUT-1] = sizeof(u_int32_t),
1283 [CTA_EXPECT_ID-1] = sizeof(u_int32_t)
1287 ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb,
1288 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
1290 struct ip_conntrack_tuple tuple;
1291 struct ip_conntrack_expect *exp;
1292 struct sk_buff *skb2;
1295 DEBUGP("entered %s\n", __FUNCTION__);
1297 if (nfattr_bad_size(cda, CTA_EXPECT_MAX, cta_min_exp))
1300 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1301 struct nfgenmsg *msg = NLMSG_DATA(nlh);
1304 if (msg->nfgen_family != AF_INET)
1305 return -EAFNOSUPPORT;
1307 if ((*errp = netlink_dump_start(ctnl, skb, nlh,
1308 ctnetlink_exp_dump_table,
1309 ctnetlink_done)) != 0)
1311 rlen = NLMSG_ALIGN(nlh->nlmsg_len);
1312 if (rlen > skb->len)
1314 skb_pull(skb, rlen);
1318 if (cda[CTA_EXPECT_MASTER-1])
1319 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER);
1326 exp = ip_conntrack_expect_find(&tuple);
1330 if (cda[CTA_EXPECT_ID-1]) {
1331 u_int32_t id = *(u_int32_t *)NFA_DATA(cda[CTA_EXPECT_ID-1]);
1332 if (exp->id != ntohl(id)) {
1333 ip_conntrack_expect_put(exp);
1339 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1342 NETLINK_CB(skb2).dst_pid = NETLINK_CB(skb).pid;
1344 err = ctnetlink_exp_fill_info(skb2, NETLINK_CB(skb).pid,
1345 nlh->nlmsg_seq, IPCTNL_MSG_EXP_NEW,
1350 ip_conntrack_expect_put(exp);
1352 return netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT);
1357 ip_conntrack_expect_put(exp);
1362 ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb,
1363 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
1365 struct ip_conntrack_expect *exp, *tmp;
1366 struct ip_conntrack_tuple tuple;
1367 struct ip_conntrack_helper *h;
1370 if (nfattr_bad_size(cda, CTA_EXPECT_MAX, cta_min_exp))
1373 if (cda[CTA_EXPECT_TUPLE-1]) {
1374 /* delete a single expect by tuple */
1375 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE);
1379 /* bump usage count to 2 */
1380 exp = ip_conntrack_expect_find(&tuple);
1384 if (cda[CTA_EXPECT_ID-1]) {
1386 *(u_int32_t *)NFA_DATA(cda[CTA_EXPECT_ID-1]);
1387 if (exp->id != ntohl(id)) {
1388 ip_conntrack_expect_put(exp);
1393 /* after list removal, usage count == 1 */
1394 ip_conntrack_unexpect_related(exp);
1395 /* have to put what we 'get' above.
1396 * after this line usage count == 0 */
1397 ip_conntrack_expect_put(exp);
1398 } else if (cda[CTA_EXPECT_HELP_NAME-1]) {
1399 char *name = NFA_DATA(cda[CTA_EXPECT_HELP_NAME-1]);
1401 /* delete all expectations for this helper */
1402 write_lock_bh(&ip_conntrack_lock);
1403 h = __ip_conntrack_helper_find_byname(name);
1405 write_unlock_bh(&ip_conntrack_lock);
1408 list_for_each_entry_safe(exp, tmp, &ip_conntrack_expect_list,
1410 if (exp->master->helper == h
1411 && del_timer(&exp->timeout)) {
1412 ip_ct_unlink_expect(exp);
1413 ip_conntrack_expect_put(exp);
1416 write_unlock_bh(&ip_conntrack_lock);
1418 /* This basically means we have to flush everything*/
1419 write_lock_bh(&ip_conntrack_lock);
1420 list_for_each_entry_safe(exp, tmp, &ip_conntrack_expect_list,
1422 if (del_timer(&exp->timeout)) {
1423 ip_ct_unlink_expect(exp);
1424 ip_conntrack_expect_put(exp);
1427 write_unlock_bh(&ip_conntrack_lock);
1433 ctnetlink_change_expect(struct ip_conntrack_expect *x, struct nfattr *cda[])
1439 ctnetlink_create_expect(struct nfattr *cda[])
1441 struct ip_conntrack_tuple tuple, mask, master_tuple;
1442 struct ip_conntrack_tuple_hash *h = NULL;
1443 struct ip_conntrack_expect *exp;
1444 struct ip_conntrack *ct;
1447 DEBUGP("entered %s\n", __FUNCTION__);
1449 /* caller guarantees that those three CTA_EXPECT_* exist */
1450 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE);
1453 err = ctnetlink_parse_tuple(cda, &mask, CTA_EXPECT_MASK);
1456 err = ctnetlink_parse_tuple(cda, &master_tuple, CTA_EXPECT_MASTER);
1460 /* Look for master conntrack of this expectation */
1461 h = ip_conntrack_find_get(&master_tuple, NULL);
1464 ct = tuplehash_to_ctrack(h);
1467 /* such conntrack hasn't got any helper, abort */
1472 exp = ip_conntrack_expect_alloc(ct);
1478 exp->expectfn = NULL;
1481 memcpy(&exp->tuple, &tuple, sizeof(struct ip_conntrack_tuple));
1482 memcpy(&exp->mask, &mask, sizeof(struct ip_conntrack_tuple));
1484 err = ip_conntrack_expect_related(exp);
1485 ip_conntrack_expect_put(exp);
1488 ip_conntrack_put(tuplehash_to_ctrack(h));
1493 ctnetlink_new_expect(struct sock *ctnl, struct sk_buff *skb,
1494 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
1496 struct ip_conntrack_tuple tuple;
1497 struct ip_conntrack_expect *exp;
1500 DEBUGP("entered %s\n", __FUNCTION__);
1502 if (nfattr_bad_size(cda, CTA_EXPECT_MAX, cta_min_exp))
1505 if (!cda[CTA_EXPECT_TUPLE-1]
1506 || !cda[CTA_EXPECT_MASK-1]
1507 || !cda[CTA_EXPECT_MASTER-1])
1510 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE);
1514 write_lock_bh(&ip_conntrack_lock);
1515 exp = __ip_conntrack_expect_find(&tuple);
1518 write_unlock_bh(&ip_conntrack_lock);
1520 if (nlh->nlmsg_flags & NLM_F_CREATE)
1521 err = ctnetlink_create_expect(cda);
1526 if (!(nlh->nlmsg_flags & NLM_F_EXCL))
1527 err = ctnetlink_change_expect(exp, cda);
1528 write_unlock_bh(&ip_conntrack_lock);
1530 DEBUGP("leaving\n");
1535 #ifdef CONFIG_IP_NF_CONNTRACK_EVENTS
1536 static struct notifier_block ctnl_notifier = {
1537 .notifier_call = ctnetlink_conntrack_event,
1540 static struct notifier_block ctnl_notifier_exp = {
1541 .notifier_call = ctnetlink_expect_event,
1545 static struct nfnl_callback ctnl_cb[IPCTNL_MSG_MAX] = {
1546 [IPCTNL_MSG_CT_NEW] = { .call = ctnetlink_new_conntrack,
1547 .attr_count = CTA_MAX, },
1548 [IPCTNL_MSG_CT_GET] = { .call = ctnetlink_get_conntrack,
1549 .attr_count = CTA_MAX, },
1550 [IPCTNL_MSG_CT_DELETE] = { .call = ctnetlink_del_conntrack,
1551 .attr_count = CTA_MAX, },
1552 [IPCTNL_MSG_CT_GET_CTRZERO] = { .call = ctnetlink_get_conntrack,
1553 .attr_count = CTA_MAX, },
1556 static struct nfnl_callback ctnl_exp_cb[IPCTNL_MSG_EXP_MAX] = {
1557 [IPCTNL_MSG_EXP_GET] = { .call = ctnetlink_get_expect,
1558 .attr_count = CTA_EXPECT_MAX, },
1559 [IPCTNL_MSG_EXP_NEW] = { .call = ctnetlink_new_expect,
1560 .attr_count = CTA_EXPECT_MAX, },
1561 [IPCTNL_MSG_EXP_DELETE] = { .call = ctnetlink_del_expect,
1562 .attr_count = CTA_EXPECT_MAX, },
1565 static struct nfnetlink_subsystem ctnl_subsys = {
1566 .name = "conntrack",
1567 .subsys_id = NFNL_SUBSYS_CTNETLINK,
1568 .cb_count = IPCTNL_MSG_MAX,
1572 static struct nfnetlink_subsystem ctnl_exp_subsys = {
1573 .name = "conntrack_expect",
1574 .subsys_id = NFNL_SUBSYS_CTNETLINK_EXP,
1575 .cb_count = IPCTNL_MSG_EXP_MAX,
1579 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK);
1581 static int __init ctnetlink_init(void)
1585 printk("ctnetlink v%s: registering with nfnetlink.\n", version);
1586 ret = nfnetlink_subsys_register(&ctnl_subsys);
1588 printk("ctnetlink_init: cannot register with nfnetlink.\n");
1592 ret = nfnetlink_subsys_register(&ctnl_exp_subsys);
1594 printk("ctnetlink_init: cannot register exp with nfnetlink.\n");
1595 goto err_unreg_subsys;
1598 #ifdef CONFIG_IP_NF_CONNTRACK_EVENTS
1599 ret = ip_conntrack_register_notifier(&ctnl_notifier);
1601 printk("ctnetlink_init: cannot register notifier.\n");
1602 goto err_unreg_exp_subsys;
1605 ret = ip_conntrack_expect_register_notifier(&ctnl_notifier_exp);
1607 printk("ctnetlink_init: cannot expect register notifier.\n");
1608 goto err_unreg_notifier;
1614 #ifdef CONFIG_IP_NF_CONNTRACK_EVENTS
1616 ip_conntrack_unregister_notifier(&ctnl_notifier);
1617 err_unreg_exp_subsys:
1618 nfnetlink_subsys_unregister(&ctnl_exp_subsys);
1621 nfnetlink_subsys_unregister(&ctnl_subsys);
1626 static void __exit ctnetlink_exit(void)
1628 printk("ctnetlink: unregistering from nfnetlink.\n");
1630 #ifdef CONFIG_IP_NF_CONNTRACK_EVENTS
1631 ip_conntrack_unregister_notifier(&ctnl_notifier_exp);
1632 ip_conntrack_unregister_notifier(&ctnl_notifier);
1635 nfnetlink_subsys_unregister(&ctnl_exp_subsys);
1636 nfnetlink_subsys_unregister(&ctnl_subsys);
1640 module_init(ctnetlink_init);
1641 module_exit(ctnetlink_exit);
git://ftp.safe.ca / safe / jmp / linux-2.6 / blob