1 /* Connection tracking via netlink socket. Allows for user space
2 * protocol helpers and general trouble making from userspace.
4 * (C) 2001 by Jay Schulist <jschlst@samba.org>
5 * (C) 2002-2005 by Harald Welte <laforge@gnumonks.org>
6 * (C) 2003 by Patrick Mchardy <kaber@trash.net>
7 * (C) 2005 by Pablo Neira Ayuso <pablo@eurodev.net>
9 * I've reworked this stuff to use attributes instead of conntrack
10 * structures. 5.44 am. I need more tea. --pablo 05/07/11.
12 * Initial connection tracking via netlink development funded and
13 * generally made possible by Network Robots, Inc. (www.networkrobots.com)
15 * Further development of this code funded by Astaro AG (http://www.astaro.com)
17 * This software may be used and distributed according to the terms
18 * of the GNU General Public License, incorporated herein by reference.
21 #include <linux/init.h>
22 #include <linux/module.h>
23 #include <linux/kernel.h>
24 #include <linux/types.h>
25 #include <linux/timer.h>
26 #include <linux/skbuff.h>
27 #include <linux/errno.h>
28 #include <linux/netlink.h>
29 #include <linux/spinlock.h>
30 #include <linux/interrupt.h>
31 #include <linux/notifier.h>
33 #include <linux/netfilter.h>
34 #include <linux/netfilter_ipv4/ip_conntrack.h>
35 #include <linux/netfilter_ipv4/ip_conntrack_core.h>
36 #include <linux/netfilter_ipv4/ip_conntrack_helper.h>
37 #include <linux/netfilter_ipv4/ip_conntrack_protocol.h>
38 #include <linux/netfilter_ipv4/ip_nat_protocol.h>
40 #include <linux/netfilter/nfnetlink.h>
41 #include <linux/netfilter/nfnetlink_conntrack.h>
43 MODULE_LICENSE("GPL");
45 static char __initdata version[] = "0.90";
50 #define DEBUGP(format, args...)
55 ctnetlink_dump_tuples_proto(struct sk_buff *skb,
56 const struct ip_conntrack_tuple *tuple)
58 struct ip_conntrack_protocol *proto;
61 NFA_PUT(skb, CTA_PROTO_NUM, sizeof(u_int8_t), &tuple->dst.protonum);
63 /* If no protocol helper is found, this function will return the
64 * generic protocol helper, so proto won't *ever* be NULL */
65 proto = ip_conntrack_proto_find_get(tuple->dst.protonum);
66 if (likely(proto->tuple_to_nfattr))
67 ret = proto->tuple_to_nfattr(skb, tuple);
69 ip_conntrack_proto_put(proto);
78 ctnetlink_dump_tuples(struct sk_buff *skb,
79 const struct ip_conntrack_tuple *tuple)
81 struct nfattr *nest_parms;
83 nest_parms = NFA_NEST(skb, CTA_TUPLE_IP);
84 NFA_PUT(skb, CTA_IP_V4_SRC, sizeof(u_int32_t), &tuple->src.ip);
85 NFA_PUT(skb, CTA_IP_V4_DST, sizeof(u_int32_t), &tuple->dst.ip);
86 NFA_NEST_END(skb, nest_parms);
88 nest_parms = NFA_NEST(skb, CTA_TUPLE_PROTO);
89 ctnetlink_dump_tuples_proto(skb, tuple);
90 NFA_NEST_END(skb, nest_parms);
99 ctnetlink_dump_status(struct sk_buff *skb, const struct ip_conntrack *ct)
101 u_int32_t status = htonl((u_int32_t) ct->status);
102 NFA_PUT(skb, CTA_STATUS, sizeof(status), &status);
110 ctnetlink_dump_timeout(struct sk_buff *skb, const struct ip_conntrack *ct)
112 long timeout_l = ct->timeout.expires - jiffies;
118 timeout = htonl(timeout_l / HZ);
120 NFA_PUT(skb, CTA_TIMEOUT, sizeof(timeout), &timeout);
128 ctnetlink_dump_protoinfo(struct sk_buff *skb, const struct ip_conntrack *ct)
130 struct ip_conntrack_protocol *proto = ip_conntrack_proto_find_get(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum);
132 struct nfattr *nest_proto;
135 if (!proto->to_nfattr) {
136 ip_conntrack_proto_put(proto);
140 nest_proto = NFA_NEST(skb, CTA_PROTOINFO);
142 ret = proto->to_nfattr(skb, nest_proto, ct);
144 ip_conntrack_proto_put(proto);
146 NFA_NEST_END(skb, nest_proto);
155 ctnetlink_dump_helpinfo(struct sk_buff *skb, const struct ip_conntrack *ct)
157 struct nfattr *nest_helper;
162 nest_helper = NFA_NEST(skb, CTA_HELP);
163 NFA_PUT(skb, CTA_HELP_NAME, CTA_HELP_MAXNAMESIZE, &ct->helper->name);
165 if (ct->helper->to_nfattr)
166 ct->helper->to_nfattr(skb, ct);
168 NFA_NEST_END(skb, nest_helper);
176 #ifdef CONFIG_IP_NF_CT_ACCT
178 ctnetlink_dump_counters(struct sk_buff *skb, const struct ip_conntrack *ct,
179 enum ip_conntrack_dir dir)
181 enum ctattr_type type = dir ? CTA_COUNTERS_REPLY: CTA_COUNTERS_ORIG;
182 struct nfattr *nest_count = NFA_NEST(skb, type);
185 tmp = htonl(ct->counters[dir].packets);
186 NFA_PUT(skb, CTA_COUNTERS32_PACKETS, sizeof(u_int32_t), &tmp);
188 tmp = htonl(ct->counters[dir].bytes);
189 NFA_PUT(skb, CTA_COUNTERS32_BYTES, sizeof(u_int32_t), &tmp);
191 NFA_NEST_END(skb, nest_count);
199 #define ctnetlink_dump_counters(a, b, c) (0)
202 #ifdef CONFIG_IP_NF_CONNTRACK_MARK
204 ctnetlink_dump_mark(struct sk_buff *skb, const struct ip_conntrack *ct)
206 u_int32_t mark = htonl(ct->mark);
208 NFA_PUT(skb, CTA_MARK, sizeof(u_int32_t), &mark);
215 #define ctnetlink_dump_mark(a, b) (0)
219 ctnetlink_dump_id(struct sk_buff *skb, const struct ip_conntrack *ct)
221 u_int32_t id = htonl(ct->id);
222 NFA_PUT(skb, CTA_ID, sizeof(u_int32_t), &id);
230 ctnetlink_dump_use(struct sk_buff *skb, const struct ip_conntrack *ct)
232 unsigned int use = htonl(atomic_read(&ct->ct_general.use));
234 NFA_PUT(skb, CTA_USE, sizeof(u_int32_t), &use);
241 #define tuple(ct, dir) (&(ct)->tuplehash[dir].tuple)
244 ctnetlink_fill_info(struct sk_buff *skb, u32 pid, u32 seq,
245 int event, int nowait,
246 const struct ip_conntrack *ct)
248 struct nlmsghdr *nlh;
249 struct nfgenmsg *nfmsg;
250 struct nfattr *nest_parms;
255 event |= NFNL_SUBSYS_CTNETLINK << 8;
256 nlh = NLMSG_PUT(skb, pid, seq, event, sizeof(struct nfgenmsg));
257 nfmsg = NLMSG_DATA(nlh);
259 nlh->nlmsg_flags = (nowait && pid) ? NLM_F_MULTI : 0;
260 nfmsg->nfgen_family = AF_INET;
261 nfmsg->version = NFNETLINK_V0;
264 nest_parms = NFA_NEST(skb, CTA_TUPLE_ORIG);
265 if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
267 NFA_NEST_END(skb, nest_parms);
269 nest_parms = NFA_NEST(skb, CTA_TUPLE_REPLY);
270 if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_REPLY)) < 0)
272 NFA_NEST_END(skb, nest_parms);
274 if (ctnetlink_dump_status(skb, ct) < 0 ||
275 ctnetlink_dump_timeout(skb, ct) < 0 ||
276 ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 ||
277 ctnetlink_dump_counters(skb, ct, IP_CT_DIR_REPLY) < 0 ||
278 ctnetlink_dump_protoinfo(skb, ct) < 0 ||
279 ctnetlink_dump_helpinfo(skb, ct) < 0 ||
280 ctnetlink_dump_mark(skb, ct) < 0 ||
281 ctnetlink_dump_id(skb, ct) < 0 ||
282 ctnetlink_dump_use(skb, ct) < 0)
285 nlh->nlmsg_len = skb->tail - b;
290 skb_trim(skb, b - skb->data);
294 #ifdef CONFIG_IP_NF_CONNTRACK_EVENTS
295 static int ctnetlink_conntrack_event(struct notifier_block *this,
296 unsigned long events, void *ptr)
298 struct nlmsghdr *nlh;
299 struct nfgenmsg *nfmsg;
300 struct nfattr *nest_parms;
301 struct ip_conntrack *ct = (struct ip_conntrack *)ptr;
305 unsigned int flags = 0, group;
307 /* ignore our fake conntrack entry */
308 if (ct == &ip_conntrack_untracked)
311 if (events & IPCT_DESTROY) {
312 type = IPCTNL_MSG_CT_DELETE;
313 group = NFNLGRP_CONNTRACK_DESTROY;
316 if (events & (IPCT_NEW | IPCT_RELATED)) {
317 type = IPCTNL_MSG_CT_NEW;
318 flags = NLM_F_CREATE|NLM_F_EXCL;
319 /* dump everything */
321 group = NFNLGRP_CONNTRACK_NEW;
324 if (events & (IPCT_STATUS |
329 type = IPCTNL_MSG_CT_NEW;
330 group = NFNLGRP_CONNTRACK_UPDATE;
337 /* FIXME: Check if there are any listeners before, don't hurt performance */
339 skb = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
345 type |= NFNL_SUBSYS_CTNETLINK << 8;
346 nlh = NLMSG_PUT(skb, 0, 0, type, sizeof(struct nfgenmsg));
347 nfmsg = NLMSG_DATA(nlh);
349 nlh->nlmsg_flags = flags;
350 nfmsg->nfgen_family = AF_INET;
351 nfmsg->version = NFNETLINK_V0;
354 nest_parms = NFA_NEST(skb, CTA_TUPLE_ORIG);
355 if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
357 NFA_NEST_END(skb, nest_parms);
359 nest_parms = NFA_NEST(skb, CTA_TUPLE_REPLY);
360 if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_REPLY)) < 0)
362 NFA_NEST_END(skb, nest_parms);
364 /* NAT stuff is now a status flag */
365 if ((events & IPCT_STATUS || events & IPCT_NATINFO)
366 && ctnetlink_dump_status(skb, ct) < 0)
368 if (events & IPCT_REFRESH
369 && ctnetlink_dump_timeout(skb, ct) < 0)
371 if (events & IPCT_PROTOINFO
372 && ctnetlink_dump_protoinfo(skb, ct) < 0)
374 if (events & IPCT_HELPINFO
375 && ctnetlink_dump_helpinfo(skb, ct) < 0)
378 if (ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 ||
379 ctnetlink_dump_counters(skb, ct, IP_CT_DIR_REPLY) < 0)
382 nlh->nlmsg_len = skb->tail - b;
383 nfnetlink_send(skb, 0, group, 0);
391 #endif /* CONFIG_IP_NF_CONNTRACK_EVENTS */
393 static int ctnetlink_done(struct netlink_callback *cb)
395 DEBUGP("entered %s\n", __FUNCTION__);
400 ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
402 struct ip_conntrack *ct = NULL;
403 struct ip_conntrack_tuple_hash *h;
405 u_int32_t *id = (u_int32_t *) &cb->args[1];
407 DEBUGP("entered %s, last bucket=%lu id=%u\n", __FUNCTION__,
410 read_lock_bh(&ip_conntrack_lock);
411 for (; cb->args[0] < ip_conntrack_htable_size; cb->args[0]++, *id = 0) {
412 list_for_each_prev(i, &ip_conntrack_hash[cb->args[0]]) {
413 h = (struct ip_conntrack_tuple_hash *) i;
414 if (DIRECTION(h) != IP_CT_DIR_ORIGINAL)
416 ct = tuplehash_to_ctrack(h);
419 if (ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).pid,
428 read_unlock_bh(&ip_conntrack_lock);
430 DEBUGP("leaving, last bucket=%lu id=%u\n", cb->args[0], *id);
435 #ifdef CONFIG_IP_NF_CT_ACCT
437 ctnetlink_dump_table_w(struct sk_buff *skb, struct netlink_callback *cb)
439 struct ip_conntrack *ct = NULL;
440 struct ip_conntrack_tuple_hash *h;
442 u_int32_t *id = (u_int32_t *) &cb->args[1];
444 DEBUGP("entered %s, last bucket=%u id=%u\n", __FUNCTION__,
447 write_lock_bh(&ip_conntrack_lock);
448 for (; cb->args[0] < ip_conntrack_htable_size; cb->args[0]++, *id = 0) {
449 list_for_each_prev(i, &ip_conntrack_hash[cb->args[0]]) {
450 h = (struct ip_conntrack_tuple_hash *) i;
451 if (DIRECTION(h) != IP_CT_DIR_ORIGINAL)
453 ct = tuplehash_to_ctrack(h);
456 if (ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).pid,
463 memset(&ct->counters, 0, sizeof(ct->counters));
467 write_unlock_bh(&ip_conntrack_lock);
469 DEBUGP("leaving, last bucket=%lu id=%u\n", cb->args[0], *id);
475 static const size_t cta_min_ip[CTA_IP_MAX] = {
476 [CTA_IP_V4_SRC-1] = sizeof(u_int32_t),
477 [CTA_IP_V4_DST-1] = sizeof(u_int32_t),
481 ctnetlink_parse_tuple_ip(struct nfattr *attr, struct ip_conntrack_tuple *tuple)
483 struct nfattr *tb[CTA_IP_MAX];
485 DEBUGP("entered %s\n", __FUNCTION__);
487 nfattr_parse_nested(tb, CTA_IP_MAX, attr);
489 if (nfattr_bad_size(tb, CTA_IP_MAX, cta_min_ip))
492 if (!tb[CTA_IP_V4_SRC-1])
494 tuple->src.ip = *(u_int32_t *)NFA_DATA(tb[CTA_IP_V4_SRC-1]);
496 if (!tb[CTA_IP_V4_DST-1])
498 tuple->dst.ip = *(u_int32_t *)NFA_DATA(tb[CTA_IP_V4_DST-1]);
505 static const size_t cta_min_proto[CTA_PROTO_MAX] = {
506 [CTA_PROTO_NUM-1] = sizeof(u_int8_t),
507 [CTA_PROTO_SRC_PORT-1] = sizeof(u_int16_t),
508 [CTA_PROTO_DST_PORT-1] = sizeof(u_int16_t),
509 [CTA_PROTO_ICMP_TYPE-1] = sizeof(u_int8_t),
510 [CTA_PROTO_ICMP_CODE-1] = sizeof(u_int8_t),
511 [CTA_PROTO_ICMP_ID-1] = sizeof(u_int16_t),
515 ctnetlink_parse_tuple_proto(struct nfattr *attr,
516 struct ip_conntrack_tuple *tuple)
518 struct nfattr *tb[CTA_PROTO_MAX];
519 struct ip_conntrack_protocol *proto;
522 DEBUGP("entered %s\n", __FUNCTION__);
524 nfattr_parse_nested(tb, CTA_PROTO_MAX, attr);
526 if (nfattr_bad_size(tb, CTA_PROTO_MAX, cta_min_proto))
529 if (!tb[CTA_PROTO_NUM-1])
531 tuple->dst.protonum = *(u_int8_t *)NFA_DATA(tb[CTA_PROTO_NUM-1]);
533 proto = ip_conntrack_proto_find_get(tuple->dst.protonum);
535 if (likely(proto->nfattr_to_tuple))
536 ret = proto->nfattr_to_tuple(tb, tuple);
538 ip_conntrack_proto_put(proto);
544 ctnetlink_parse_tuple(struct nfattr *cda[], struct ip_conntrack_tuple *tuple,
545 enum ctattr_tuple type)
547 struct nfattr *tb[CTA_TUPLE_MAX];
550 DEBUGP("entered %s\n", __FUNCTION__);
552 memset(tuple, 0, sizeof(*tuple));
554 nfattr_parse_nested(tb, CTA_TUPLE_MAX, cda[type-1]);
556 if (!tb[CTA_TUPLE_IP-1])
559 err = ctnetlink_parse_tuple_ip(tb[CTA_TUPLE_IP-1], tuple);
563 if (!tb[CTA_TUPLE_PROTO-1])
566 err = ctnetlink_parse_tuple_proto(tb[CTA_TUPLE_PROTO-1], tuple);
570 /* orig and expect tuples get DIR_ORIGINAL */
571 if (type == CTA_TUPLE_REPLY)
572 tuple->dst.dir = IP_CT_DIR_REPLY;
574 tuple->dst.dir = IP_CT_DIR_ORIGINAL;
583 #ifdef CONFIG_IP_NF_NAT_NEEDED
584 static const size_t cta_min_protonat[CTA_PROTONAT_MAX] = {
585 [CTA_PROTONAT_PORT_MIN-1] = sizeof(u_int16_t),
586 [CTA_PROTONAT_PORT_MAX-1] = sizeof(u_int16_t),
589 static int ctnetlink_parse_nat_proto(struct nfattr *attr,
590 const struct ip_conntrack *ct,
591 struct ip_nat_range *range)
593 struct nfattr *tb[CTA_PROTONAT_MAX];
594 struct ip_nat_protocol *npt;
596 DEBUGP("entered %s\n", __FUNCTION__);
598 nfattr_parse_nested(tb, CTA_PROTONAT_MAX, attr);
600 if (nfattr_bad_size(tb, CTA_PROTONAT_MAX, cta_min_protonat))
603 npt = ip_nat_proto_find_get(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum);
605 if (!npt->nfattr_to_range) {
606 ip_nat_proto_put(npt);
610 /* nfattr_to_range returns 1 if it parsed, 0 if not, neg. on error */
611 if (npt->nfattr_to_range(tb, range) > 0)
612 range->flags |= IP_NAT_RANGE_PROTO_SPECIFIED;
614 ip_nat_proto_put(npt);
620 static const size_t cta_min_nat[CTA_NAT_MAX] = {
621 [CTA_NAT_MINIP-1] = sizeof(u_int32_t),
622 [CTA_NAT_MAXIP-1] = sizeof(u_int32_t),
626 ctnetlink_parse_nat(struct nfattr *cda[],
627 const struct ip_conntrack *ct, struct ip_nat_range *range)
629 struct nfattr *tb[CTA_NAT_MAX];
632 DEBUGP("entered %s\n", __FUNCTION__);
634 memset(range, 0, sizeof(*range));
636 nfattr_parse_nested(tb, CTA_NAT_MAX, cda[CTA_NAT-1]);
638 if (nfattr_bad_size(tb, CTA_NAT_MAX, cta_min_nat))
641 if (tb[CTA_NAT_MINIP-1])
642 range->min_ip = *(u_int32_t *)NFA_DATA(tb[CTA_NAT_MINIP-1]);
644 if (!tb[CTA_NAT_MAXIP-1])
645 range->max_ip = range->min_ip;
647 range->max_ip = *(u_int32_t *)NFA_DATA(tb[CTA_NAT_MAXIP-1]);
650 range->flags |= IP_NAT_RANGE_MAP_IPS;
652 if (!tb[CTA_NAT_PROTO-1])
655 err = ctnetlink_parse_nat_proto(tb[CTA_NAT_PROTO-1], ct, range);
665 ctnetlink_parse_help(struct nfattr *attr, char **helper_name)
667 struct nfattr *tb[CTA_HELP_MAX];
669 DEBUGP("entered %s\n", __FUNCTION__);
671 nfattr_parse_nested(tb, CTA_HELP_MAX, attr);
673 if (!tb[CTA_HELP_NAME-1])
676 *helper_name = NFA_DATA(tb[CTA_HELP_NAME-1]);
681 static const size_t cta_min[CTA_MAX] = {
682 [CTA_STATUS-1] = sizeof(u_int32_t),
683 [CTA_TIMEOUT-1] = sizeof(u_int32_t),
684 [CTA_MARK-1] = sizeof(u_int32_t),
685 [CTA_USE-1] = sizeof(u_int32_t),
686 [CTA_ID-1] = sizeof(u_int32_t)
690 ctnetlink_del_conntrack(struct sock *ctnl, struct sk_buff *skb,
691 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
693 struct ip_conntrack_tuple_hash *h;
694 struct ip_conntrack_tuple tuple;
695 struct ip_conntrack *ct;
698 DEBUGP("entered %s\n", __FUNCTION__);
700 if (nfattr_bad_size(cda, CTA_MAX, cta_min))
703 if (cda[CTA_TUPLE_ORIG-1])
704 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG);
705 else if (cda[CTA_TUPLE_REPLY-1])
706 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY);
708 /* Flush the whole table */
709 ip_conntrack_flush();
716 h = ip_conntrack_find_get(&tuple, NULL);
718 DEBUGP("tuple not found in conntrack hash\n");
722 ct = tuplehash_to_ctrack(h);
725 u_int32_t id = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_ID-1]));
727 ip_conntrack_put(ct);
731 if (del_timer(&ct->timeout))
732 ct->timeout.function((unsigned long)ct);
734 ip_conntrack_put(ct);
741 ctnetlink_get_conntrack(struct sock *ctnl, struct sk_buff *skb,
742 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
744 struct ip_conntrack_tuple_hash *h;
745 struct ip_conntrack_tuple tuple;
746 struct ip_conntrack *ct;
747 struct sk_buff *skb2 = NULL;
750 DEBUGP("entered %s\n", __FUNCTION__);
752 if (nlh->nlmsg_flags & NLM_F_DUMP) {
753 struct nfgenmsg *msg = NLMSG_DATA(nlh);
756 if (msg->nfgen_family != AF_INET)
757 return -EAFNOSUPPORT;
759 if (NFNL_MSG_TYPE(nlh->nlmsg_type) ==
760 IPCTNL_MSG_CT_GET_CTRZERO) {
761 #ifdef CONFIG_IP_NF_CT_ACCT
762 if ((*errp = netlink_dump_start(ctnl, skb, nlh,
763 ctnetlink_dump_table_w,
764 ctnetlink_done)) != 0)
770 if ((*errp = netlink_dump_start(ctnl, skb, nlh,
771 ctnetlink_dump_table,
772 ctnetlink_done)) != 0)
776 rlen = NLMSG_ALIGN(nlh->nlmsg_len);
783 if (nfattr_bad_size(cda, CTA_MAX, cta_min))
786 if (cda[CTA_TUPLE_ORIG-1])
787 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG);
788 else if (cda[CTA_TUPLE_REPLY-1])
789 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY);
796 h = ip_conntrack_find_get(&tuple, NULL);
798 DEBUGP("tuple not found in conntrack hash");
801 DEBUGP("tuple found\n");
802 ct = tuplehash_to_ctrack(h);
805 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
807 ip_conntrack_put(ct);
810 NETLINK_CB(skb2).dst_pid = NETLINK_CB(skb).pid;
812 err = ctnetlink_fill_info(skb2, NETLINK_CB(skb).pid, nlh->nlmsg_seq,
813 IPCTNL_MSG_CT_NEW, 1, ct);
814 ip_conntrack_put(ct);
818 err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT);
832 ctnetlink_change_status(struct ip_conntrack *ct, struct nfattr *cda[])
835 unsigned status = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_STATUS-1]));
836 d = ct->status ^ status;
838 if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING))
842 if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY))
843 /* SEEN_REPLY bit can only be set */
847 if (d & IPS_ASSURED && !(status & IPS_ASSURED))
848 /* ASSURED bit can only be set */
851 if (cda[CTA_NAT-1]) {
852 #ifndef CONFIG_IP_NF_NAT_NEEDED
855 unsigned int hooknum;
856 struct ip_nat_range range;
858 if (ctnetlink_parse_nat(cda, ct, &range) < 0)
861 DEBUGP("NAT: %u.%u.%u.%u-%u.%u.%u.%u:%u-%u\n",
862 NIPQUAD(range.min_ip), NIPQUAD(range.max_ip),
863 htons(range.min.all), htons(range.max.all));
865 /* This is tricky but it works. ip_nat_setup_info needs the
866 * hook number as parameter, so let's do the correct
867 * conversion and run away */
868 if (status & IPS_SRC_NAT_DONE)
869 hooknum = NF_IP_POST_ROUTING; /* IP_NAT_MANIP_SRC */
870 else if (status & IPS_DST_NAT_DONE)
871 hooknum = NF_IP_PRE_ROUTING; /* IP_NAT_MANIP_DST */
873 return -EINVAL; /* Missing NAT flags */
875 DEBUGP("NAT status: %lu\n",
876 status & (IPS_NAT_MASK | IPS_NAT_DONE_MASK));
878 if (ip_nat_initialized(ct, HOOK2MANIP(hooknum)))
880 ip_nat_setup_info(ct, &range, hooknum);
882 DEBUGP("NAT status after setup_info: %lu\n",
883 ct->status & (IPS_NAT_MASK | IPS_NAT_DONE_MASK));
887 /* Be careful here, modifying NAT bits can screw up things,
888 * so don't let users modify them directly if they don't pass
890 ct->status |= status & ~(IPS_NAT_DONE_MASK | IPS_NAT_MASK);
896 ctnetlink_change_helper(struct ip_conntrack *ct, struct nfattr *cda[])
898 struct ip_conntrack_helper *helper;
902 DEBUGP("entered %s\n", __FUNCTION__);
904 /* don't change helper of sibling connections */
908 err = ctnetlink_parse_help(cda[CTA_HELP-1], &helpname);
912 helper = __ip_conntrack_helper_find_byname(helpname);
914 if (!strcmp(helpname, ""))
922 /* we had a helper before ... */
923 ip_ct_remove_expectations(ct);
926 /* need to zero data of old helper */
927 memset(&ct->help, 0, sizeof(ct->help));
937 ctnetlink_change_timeout(struct ip_conntrack *ct, struct nfattr *cda[])
939 u_int32_t timeout = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_TIMEOUT-1]));
941 if (!del_timer(&ct->timeout))
944 ct->timeout.expires = jiffies + timeout * HZ;
945 add_timer(&ct->timeout);
951 ctnetlink_change_protoinfo(struct ip_conntrack *ct, struct nfattr *cda[])
953 struct nfattr *tb[CTA_PROTOINFO_MAX], *attr = cda[CTA_PROTOINFO-1];
954 struct ip_conntrack_protocol *proto;
955 u_int16_t npt = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum;
958 nfattr_parse_nested(tb, CTA_PROTOINFO_MAX, attr);
960 proto = ip_conntrack_proto_find_get(npt);
962 if (proto->from_nfattr)
963 err = proto->from_nfattr(tb, ct);
964 ip_conntrack_proto_put(proto);
970 ctnetlink_change_conntrack(struct ip_conntrack *ct, struct nfattr *cda[])
974 DEBUGP("entered %s\n", __FUNCTION__);
976 if (cda[CTA_HELP-1]) {
977 err = ctnetlink_change_helper(ct, cda);
982 if (cda[CTA_TIMEOUT-1]) {
983 err = ctnetlink_change_timeout(ct, cda);
988 if (cda[CTA_STATUS-1]) {
989 err = ctnetlink_change_status(ct, cda);
994 if (cda[CTA_PROTOINFO-1]) {
995 err = ctnetlink_change_protoinfo(ct, cda);
1000 #if defined(CONFIG_IP_NF_CONNTRACK_MARK)
1001 if (cda[CTA_MARK-1])
1002 ct->mark = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_MARK-1]));
1005 DEBUGP("all done\n");
1010 ctnetlink_create_conntrack(struct nfattr *cda[],
1011 struct ip_conntrack_tuple *otuple,
1012 struct ip_conntrack_tuple *rtuple)
1014 struct ip_conntrack *ct;
1017 DEBUGP("entered %s\n", __FUNCTION__);
1019 ct = ip_conntrack_alloc(otuple, rtuple);
1020 if (ct == NULL || IS_ERR(ct))
1023 if (!cda[CTA_TIMEOUT-1])
1025 ct->timeout.expires = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_TIMEOUT-1]));
1027 ct->timeout.expires = jiffies + ct->timeout.expires * HZ;
1028 ct->status |= IPS_CONFIRMED;
1030 err = ctnetlink_change_status(ct, cda);
1034 if (cda[CTA_PROTOINFO-1]) {
1035 err = ctnetlink_change_protoinfo(ct, cda);
1040 ct->helper = ip_conntrack_helper_find_get(rtuple);
1042 add_timer(&ct->timeout);
1043 ip_conntrack_hash_insert(ct);
1046 ip_conntrack_helper_put(ct->helper);
1048 #if defined(CONFIG_IP_NF_CONNTRACK_MARK)
1049 if (cda[CTA_MARK-1])
1050 ct->mark = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_MARK-1]));
1053 DEBUGP("conntrack with id %u inserted\n", ct->id);
1057 ip_conntrack_free(ct);
1062 ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
1063 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
1065 struct ip_conntrack_tuple otuple, rtuple;
1066 struct ip_conntrack_tuple_hash *h = NULL;
1069 DEBUGP("entered %s\n", __FUNCTION__);
1071 if (nfattr_bad_size(cda, CTA_MAX, cta_min))
1074 if (cda[CTA_TUPLE_ORIG-1]) {
1075 err = ctnetlink_parse_tuple(cda, &otuple, CTA_TUPLE_ORIG);
1080 if (cda[CTA_TUPLE_REPLY-1]) {
1081 err = ctnetlink_parse_tuple(cda, &rtuple, CTA_TUPLE_REPLY);
1086 write_lock_bh(&ip_conntrack_lock);
1087 if (cda[CTA_TUPLE_ORIG-1])
1088 h = __ip_conntrack_find(&otuple, NULL);
1089 else if (cda[CTA_TUPLE_REPLY-1])
1090 h = __ip_conntrack_find(&rtuple, NULL);
1093 write_unlock_bh(&ip_conntrack_lock);
1094 DEBUGP("no such conntrack, create new\n");
1096 if (nlh->nlmsg_flags & NLM_F_CREATE)
1097 err = ctnetlink_create_conntrack(cda, &otuple, &rtuple);
1100 /* implicit 'else' */
1102 /* we only allow nat config for new conntracks */
1103 if (cda[CTA_NAT-1]) {
1108 /* We manipulate the conntrack inside the global conntrack table lock,
1109 * so there's no need to increase the refcount */
1110 DEBUGP("conntrack found\n");
1112 if (!(nlh->nlmsg_flags & NLM_F_EXCL))
1113 err = ctnetlink_change_conntrack(tuplehash_to_ctrack(h), cda);
1116 write_unlock_bh(&ip_conntrack_lock);
1120 /***********************************************************************
1122 ***********************************************************************/
1125 ctnetlink_exp_dump_tuple(struct sk_buff *skb,
1126 const struct ip_conntrack_tuple *tuple,
1127 enum ctattr_expect type)
1129 struct nfattr *nest_parms = NFA_NEST(skb, type);
1131 if (ctnetlink_dump_tuples(skb, tuple) < 0)
1132 goto nfattr_failure;
1134 NFA_NEST_END(skb, nest_parms);
1143 ctnetlink_exp_dump_expect(struct sk_buff *skb,
1144 const struct ip_conntrack_expect *exp)
1146 struct ip_conntrack *master = exp->master;
1147 u_int32_t timeout = htonl((exp->timeout.expires - jiffies) / HZ);
1148 u_int32_t id = htonl(exp->id);
1150 if (ctnetlink_exp_dump_tuple(skb, &exp->tuple, CTA_EXPECT_TUPLE) < 0)
1151 goto nfattr_failure;
1152 if (ctnetlink_exp_dump_tuple(skb, &exp->mask, CTA_EXPECT_MASK) < 0)
1153 goto nfattr_failure;
1154 if (ctnetlink_exp_dump_tuple(skb,
1155 &master->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
1156 CTA_EXPECT_MASTER) < 0)
1157 goto nfattr_failure;
1159 NFA_PUT(skb, CTA_EXPECT_TIMEOUT, sizeof(timeout), &timeout);
1160 NFA_PUT(skb, CTA_EXPECT_ID, sizeof(u_int32_t), &id);
1169 ctnetlink_exp_fill_info(struct sk_buff *skb, u32 pid, u32 seq,
1172 const struct ip_conntrack_expect *exp)
1174 struct nlmsghdr *nlh;
1175 struct nfgenmsg *nfmsg;
1180 event |= NFNL_SUBSYS_CTNETLINK_EXP << 8;
1181 nlh = NLMSG_PUT(skb, pid, seq, event, sizeof(struct nfgenmsg));
1182 nfmsg = NLMSG_DATA(nlh);
1184 nlh->nlmsg_flags = (nowait && pid) ? NLM_F_MULTI : 0;
1185 nfmsg->nfgen_family = AF_INET;
1186 nfmsg->version = NFNETLINK_V0;
1189 if (ctnetlink_exp_dump_expect(skb, exp) < 0)
1190 goto nfattr_failure;
1192 nlh->nlmsg_len = skb->tail - b;
1197 skb_trim(skb, b - skb->data);
1201 #ifdef CONFIG_IP_NF_CONNTRACK_EVENTS
1202 static int ctnetlink_expect_event(struct notifier_block *this,
1203 unsigned long events, void *ptr)
1205 struct nlmsghdr *nlh;
1206 struct nfgenmsg *nfmsg;
1207 struct ip_conntrack_expect *exp = (struct ip_conntrack_expect *)ptr;
1208 struct sk_buff *skb;
1214 if (events & IPEXP_NEW) {
1215 type = IPCTNL_MSG_EXP_NEW;
1216 flags = NLM_F_CREATE|NLM_F_EXCL;
1220 skb = alloc_skb(NLMSG_GOODSIZE, GFP_ATOMIC);
1226 type |= NFNL_SUBSYS_CTNETLINK << 8;
1227 nlh = NLMSG_PUT(skb, 0, 0, type, sizeof(struct nfgenmsg));
1228 nfmsg = NLMSG_DATA(nlh);
1230 nlh->nlmsg_flags = flags;
1231 nfmsg->nfgen_family = AF_INET;
1232 nfmsg->version = NFNETLINK_V0;
1235 if (ctnetlink_exp_dump_expect(skb, exp) < 0)
1236 goto nfattr_failure;
1238 nlh->nlmsg_len = skb->tail - b;
1239 proto = exp->tuple.dst.protonum;
1240 nfnetlink_send(skb, 0, NFNLGRP_CONNTRACK_EXP_NEW, 0);
1251 ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
1253 struct ip_conntrack_expect *exp = NULL;
1254 struct list_head *i;
1255 u_int32_t *id = (u_int32_t *) &cb->args[0];
1257 DEBUGP("entered %s, last id=%llu\n", __FUNCTION__, *id);
1259 read_lock_bh(&ip_conntrack_lock);
1260 list_for_each_prev(i, &ip_conntrack_expect_list) {
1261 exp = (struct ip_conntrack_expect *) i;
1264 if (ctnetlink_exp_fill_info(skb, NETLINK_CB(cb->skb).pid,
1272 read_unlock_bh(&ip_conntrack_lock);
1274 DEBUGP("leaving, last id=%llu\n", *id);
1279 static const size_t cta_min_exp[CTA_EXPECT_MAX] = {
1280 [CTA_EXPECT_TIMEOUT-1] = sizeof(u_int32_t),
1281 [CTA_EXPECT_ID-1] = sizeof(u_int32_t)
1285 ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb,
1286 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
1288 struct ip_conntrack_tuple tuple;
1289 struct ip_conntrack_expect *exp;
1290 struct sk_buff *skb2;
1293 DEBUGP("entered %s\n", __FUNCTION__);
1295 if (nfattr_bad_size(cda, CTA_EXPECT_MAX, cta_min_exp))
1298 if (nlh->nlmsg_flags & NLM_F_DUMP) {
1299 struct nfgenmsg *msg = NLMSG_DATA(nlh);
1302 if (msg->nfgen_family != AF_INET)
1303 return -EAFNOSUPPORT;
1305 if ((*errp = netlink_dump_start(ctnl, skb, nlh,
1306 ctnetlink_exp_dump_table,
1307 ctnetlink_done)) != 0)
1309 rlen = NLMSG_ALIGN(nlh->nlmsg_len);
1310 if (rlen > skb->len)
1312 skb_pull(skb, rlen);
1316 if (cda[CTA_EXPECT_MASTER-1])
1317 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER);
1324 exp = ip_conntrack_expect_find(&tuple);
1328 if (cda[CTA_EXPECT_ID-1]) {
1329 u_int32_t id = *(u_int32_t *)NFA_DATA(cda[CTA_EXPECT_ID-1]);
1330 if (exp->id != ntohl(id)) {
1331 ip_conntrack_expect_put(exp);
1337 skb2 = alloc_skb(NLMSG_GOODSIZE, GFP_KERNEL);
1340 NETLINK_CB(skb2).dst_pid = NETLINK_CB(skb).pid;
1342 err = ctnetlink_exp_fill_info(skb2, NETLINK_CB(skb).pid,
1343 nlh->nlmsg_seq, IPCTNL_MSG_EXP_NEW,
1348 ip_conntrack_expect_put(exp);
1350 return netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT);
1355 ip_conntrack_expect_put(exp);
1360 ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb,
1361 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
1363 struct ip_conntrack_expect *exp, *tmp;
1364 struct ip_conntrack_tuple tuple;
1365 struct ip_conntrack_helper *h;
1368 if (nfattr_bad_size(cda, CTA_EXPECT_MAX, cta_min_exp))
1371 if (cda[CTA_EXPECT_TUPLE-1]) {
1372 /* delete a single expect by tuple */
1373 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE);
1377 /* bump usage count to 2 */
1378 exp = ip_conntrack_expect_find(&tuple);
1382 if (cda[CTA_EXPECT_ID-1]) {
1384 *(u_int32_t *)NFA_DATA(cda[CTA_EXPECT_ID-1]);
1385 if (exp->id != ntohl(id)) {
1386 ip_conntrack_expect_put(exp);
1391 /* after list removal, usage count == 1 */
1392 ip_conntrack_unexpect_related(exp);
1393 /* have to put what we 'get' above.
1394 * after this line usage count == 0 */
1395 ip_conntrack_expect_put(exp);
1396 } else if (cda[CTA_EXPECT_HELP_NAME-1]) {
1397 char *name = NFA_DATA(cda[CTA_EXPECT_HELP_NAME-1]);
1399 /* delete all expectations for this helper */
1400 write_lock_bh(&ip_conntrack_lock);
1401 h = __ip_conntrack_helper_find_byname(name);
1403 write_unlock_bh(&ip_conntrack_lock);
1406 list_for_each_entry_safe(exp, tmp, &ip_conntrack_expect_list,
1408 if (exp->master->helper == h
1409 && del_timer(&exp->timeout)) {
1410 ip_ct_unlink_expect(exp);
1411 ip_conntrack_expect_put(exp);
1414 write_unlock_bh(&ip_conntrack_lock);
1416 /* This basically means we have to flush everything*/
1417 write_lock_bh(&ip_conntrack_lock);
1418 list_for_each_entry_safe(exp, tmp, &ip_conntrack_expect_list,
1420 if (del_timer(&exp->timeout)) {
1421 ip_ct_unlink_expect(exp);
1422 ip_conntrack_expect_put(exp);
1425 write_unlock_bh(&ip_conntrack_lock);
1431 ctnetlink_change_expect(struct ip_conntrack_expect *x, struct nfattr *cda[])
1437 ctnetlink_create_expect(struct nfattr *cda[])
1439 struct ip_conntrack_tuple tuple, mask, master_tuple;
1440 struct ip_conntrack_tuple_hash *h = NULL;
1441 struct ip_conntrack_expect *exp;
1442 struct ip_conntrack *ct;
1445 DEBUGP("entered %s\n", __FUNCTION__);
1447 /* caller guarantees that those three CTA_EXPECT_* exist */
1448 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE);
1451 err = ctnetlink_parse_tuple(cda, &mask, CTA_EXPECT_MASK);
1454 err = ctnetlink_parse_tuple(cda, &master_tuple, CTA_EXPECT_MASTER);
1458 /* Look for master conntrack of this expectation */
1459 h = ip_conntrack_find_get(&master_tuple, NULL);
1462 ct = tuplehash_to_ctrack(h);
1465 /* such conntrack hasn't got any helper, abort */
1470 exp = ip_conntrack_expect_alloc(ct);
1476 exp->expectfn = NULL;
1479 memcpy(&exp->tuple, &tuple, sizeof(struct ip_conntrack_tuple));
1480 memcpy(&exp->mask, &mask, sizeof(struct ip_conntrack_tuple));
1482 err = ip_conntrack_expect_related(exp);
1483 ip_conntrack_expect_put(exp);
1486 ip_conntrack_put(tuplehash_to_ctrack(h));
1491 ctnetlink_new_expect(struct sock *ctnl, struct sk_buff *skb,
1492 struct nlmsghdr *nlh, struct nfattr *cda[], int *errp)
1494 struct ip_conntrack_tuple tuple;
1495 struct ip_conntrack_expect *exp;
1498 DEBUGP("entered %s\n", __FUNCTION__);
1500 if (nfattr_bad_size(cda, CTA_EXPECT_MAX, cta_min_exp))
1503 if (!cda[CTA_EXPECT_TUPLE-1]
1504 || !cda[CTA_EXPECT_MASK-1]
1505 || !cda[CTA_EXPECT_MASTER-1])
1508 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE);
1512 write_lock_bh(&ip_conntrack_lock);
1513 exp = __ip_conntrack_expect_find(&tuple);
1516 write_unlock_bh(&ip_conntrack_lock);
1518 if (nlh->nlmsg_flags & NLM_F_CREATE)
1519 err = ctnetlink_create_expect(cda);
1524 if (!(nlh->nlmsg_flags & NLM_F_EXCL))
1525 err = ctnetlink_change_expect(exp, cda);
1526 write_unlock_bh(&ip_conntrack_lock);
1528 DEBUGP("leaving\n");
1533 #ifdef CONFIG_IP_NF_CONNTRACK_EVENTS
1534 static struct notifier_block ctnl_notifier = {
1535 .notifier_call = ctnetlink_conntrack_event,
1538 static struct notifier_block ctnl_notifier_exp = {
1539 .notifier_call = ctnetlink_expect_event,
1543 static struct nfnl_callback ctnl_cb[IPCTNL_MSG_MAX] = {
1544 [IPCTNL_MSG_CT_NEW] = { .call = ctnetlink_new_conntrack,
1545 .attr_count = CTA_MAX, },
1546 [IPCTNL_MSG_CT_GET] = { .call = ctnetlink_get_conntrack,
1547 .attr_count = CTA_MAX, },
1548 [IPCTNL_MSG_CT_DELETE] = { .call = ctnetlink_del_conntrack,
1549 .attr_count = CTA_MAX, },
1550 [IPCTNL_MSG_CT_GET_CTRZERO] = { .call = ctnetlink_get_conntrack,
1551 .attr_count = CTA_MAX, },
1554 static struct nfnl_callback ctnl_exp_cb[IPCTNL_MSG_EXP_MAX] = {
1555 [IPCTNL_MSG_EXP_GET] = { .call = ctnetlink_get_expect,
1556 .attr_count = CTA_EXPECT_MAX, },
1557 [IPCTNL_MSG_EXP_NEW] = { .call = ctnetlink_new_expect,
1558 .attr_count = CTA_EXPECT_MAX, },
1559 [IPCTNL_MSG_EXP_DELETE] = { .call = ctnetlink_del_expect,
1560 .attr_count = CTA_EXPECT_MAX, },
1563 static struct nfnetlink_subsystem ctnl_subsys = {
1564 .name = "conntrack",
1565 .subsys_id = NFNL_SUBSYS_CTNETLINK,
1566 .cb_count = IPCTNL_MSG_MAX,
1570 static struct nfnetlink_subsystem ctnl_exp_subsys = {
1571 .name = "conntrack_expect",
1572 .subsys_id = NFNL_SUBSYS_CTNETLINK_EXP,
1573 .cb_count = IPCTNL_MSG_EXP_MAX,
1577 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK);
1579 static int __init ctnetlink_init(void)
1583 printk("ctnetlink v%s: registering with nfnetlink.\n", version);
1584 ret = nfnetlink_subsys_register(&ctnl_subsys);
1586 printk("ctnetlink_init: cannot register with nfnetlink.\n");
1590 ret = nfnetlink_subsys_register(&ctnl_exp_subsys);
1592 printk("ctnetlink_init: cannot register exp with nfnetlink.\n");
1593 goto err_unreg_subsys;
1596 #ifdef CONFIG_IP_NF_CONNTRACK_EVENTS
1597 ret = ip_conntrack_register_notifier(&ctnl_notifier);
1599 printk("ctnetlink_init: cannot register notifier.\n");
1600 goto err_unreg_exp_subsys;
1603 ret = ip_conntrack_expect_register_notifier(&ctnl_notifier_exp);
1605 printk("ctnetlink_init: cannot expect register notifier.\n");
1606 goto err_unreg_notifier;
1612 #ifdef CONFIG_IP_NF_CONNTRACK_EVENTS
1614 ip_conntrack_unregister_notifier(&ctnl_notifier);
1615 err_unreg_exp_subsys:
1616 nfnetlink_subsys_unregister(&ctnl_exp_subsys);
1619 nfnetlink_subsys_unregister(&ctnl_subsys);
1624 static void __exit ctnetlink_exit(void)
1626 printk("ctnetlink: unregistering from nfnetlink.\n");
1628 #ifdef CONFIG_IP_NF_CONNTRACK_EVENTS
1629 ip_conntrack_unregister_notifier(&ctnl_notifier_exp);
1630 ip_conntrack_unregister_notifier(&ctnl_notifier);
1633 nfnetlink_subsys_unregister(&ctnl_exp_subsys);
1634 nfnetlink_subsys_unregister(&ctnl_subsys);
1638 module_init(ctnetlink_init);
1639 module_exit(ctnetlink_exit);