1 /* Expectation handling for nf_conntrack. */
3 /* (C) 1999-2001 Paul `Rusty' Russell
4 * (C) 2002-2006 Netfilter Core Team <coreteam@netfilter.org>
5 * (C) 2003,2004 USAGI/WIDE Project <http://www.linux-ipv6.org>
7 * This program is free software; you can redistribute it and/or modify
8 * it under the terms of the GNU General Public License version 2 as
9 * published by the Free Software Foundation.
12 #include <linux/types.h>
13 #include <linux/netfilter.h>
14 #include <linux/skbuff.h>
15 #include <linux/proc_fs.h>
16 #include <linux/seq_file.h>
17 #include <linux/stddef.h>
18 #include <linux/slab.h>
19 #include <linux/err.h>
20 #include <linux/percpu.h>
21 #include <linux/kernel.h>
22 #include <linux/jhash.h>
23 #include <net/net_namespace.h>
25 #include <net/netfilter/nf_conntrack.h>
26 #include <net/netfilter/nf_conntrack_core.h>
27 #include <net/netfilter/nf_conntrack_expect.h>
28 #include <net/netfilter/nf_conntrack_helper.h>
29 #include <net/netfilter/nf_conntrack_tuple.h>
31 unsigned int nf_ct_expect_hsize __read_mostly;
32 EXPORT_SYMBOL_GPL(nf_ct_expect_hsize);
34 static unsigned int nf_ct_expect_hash_rnd __read_mostly;
35 unsigned int nf_ct_expect_max __read_mostly;
36 static int nf_ct_expect_hash_rnd_initted __read_mostly;
38 static struct kmem_cache *nf_ct_expect_cachep __read_mostly;
40 /* nf_conntrack_expect helper functions */
41 void nf_ct_unlink_expect(struct nf_conntrack_expect *exp)
43 struct nf_conn_help *master_help = nfct_help(exp->master);
44 struct net *net = nf_ct_exp_net(exp);
46 NF_CT_ASSERT(master_help);
47 NF_CT_ASSERT(!timer_pending(&exp->timeout));
49 hlist_del_rcu(&exp->hnode);
50 net->ct.expect_count--;
52 hlist_del(&exp->lnode);
53 master_help->expecting[exp->class]--;
54 nf_ct_expect_put(exp);
56 NF_CT_STAT_INC(net, expect_delete);
58 EXPORT_SYMBOL_GPL(nf_ct_unlink_expect);
60 static void nf_ct_expectation_timed_out(unsigned long ul_expect)
62 struct nf_conntrack_expect *exp = (void *)ul_expect;
64 spin_lock_bh(&nf_conntrack_lock);
65 nf_ct_unlink_expect(exp);
66 spin_unlock_bh(&nf_conntrack_lock);
67 nf_ct_expect_put(exp);
70 static unsigned int nf_ct_expect_dst_hash(const struct nf_conntrack_tuple *tuple)
74 if (unlikely(!nf_ct_expect_hash_rnd_initted)) {
75 get_random_bytes(&nf_ct_expect_hash_rnd,
76 sizeof(nf_ct_expect_hash_rnd));
77 nf_ct_expect_hash_rnd_initted = 1;
80 hash = jhash2(tuple->dst.u3.all, ARRAY_SIZE(tuple->dst.u3.all),
81 (((tuple->dst.protonum ^ tuple->src.l3num) << 16) |
82 (__force __u16)tuple->dst.u.all) ^ nf_ct_expect_hash_rnd);
83 return ((u64)hash * nf_ct_expect_hsize) >> 32;
86 struct nf_conntrack_expect *
87 __nf_ct_expect_find(struct net *net, const struct nf_conntrack_tuple *tuple)
89 struct nf_conntrack_expect *i;
93 if (!net->ct.expect_count)
96 h = nf_ct_expect_dst_hash(tuple);
97 hlist_for_each_entry_rcu(i, n, &net->ct.expect_hash[h], hnode) {
98 if (nf_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask))
103 EXPORT_SYMBOL_GPL(__nf_ct_expect_find);
105 /* Just find a expectation corresponding to a tuple. */
106 struct nf_conntrack_expect *
107 nf_ct_expect_find_get(struct net *net, const struct nf_conntrack_tuple *tuple)
109 struct nf_conntrack_expect *i;
112 i = __nf_ct_expect_find(net, tuple);
113 if (i && !atomic_inc_not_zero(&i->use))
119 EXPORT_SYMBOL_GPL(nf_ct_expect_find_get);
121 /* If an expectation for this connection is found, it gets delete from
122 * global list then returned. */
123 struct nf_conntrack_expect *
124 nf_ct_find_expectation(struct net *net, const struct nf_conntrack_tuple *tuple)
126 struct nf_conntrack_expect *i, *exp = NULL;
127 struct hlist_node *n;
130 if (!net->ct.expect_count)
133 h = nf_ct_expect_dst_hash(tuple);
134 hlist_for_each_entry(i, n, &net->ct.expect_hash[h], hnode) {
135 if (!(i->flags & NF_CT_EXPECT_INACTIVE) &&
136 nf_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask)) {
144 /* If master is not in hash table yet (ie. packet hasn't left
145 this machine yet), how can other end know about expected?
146 Hence these are not the droids you are looking for (if
147 master ct never got confirmed, we'd hold a reference to it
148 and weird things would happen to future packets). */
149 if (!nf_ct_is_confirmed(exp->master))
152 if (exp->flags & NF_CT_EXPECT_PERMANENT) {
153 atomic_inc(&exp->use);
155 } else if (del_timer(&exp->timeout)) {
156 nf_ct_unlink_expect(exp);
163 /* delete all expectations for this conntrack */
164 void nf_ct_remove_expectations(struct nf_conn *ct)
166 struct nf_conn_help *help = nfct_help(ct);
167 struct nf_conntrack_expect *exp;
168 struct hlist_node *n, *next;
170 /* Optimization: most connection never expect any others. */
174 hlist_for_each_entry_safe(exp, n, next, &help->expectations, lnode) {
175 if (del_timer(&exp->timeout)) {
176 nf_ct_unlink_expect(exp);
177 nf_ct_expect_put(exp);
181 EXPORT_SYMBOL_GPL(nf_ct_remove_expectations);
183 /* Would two expected things clash? */
184 static inline int expect_clash(const struct nf_conntrack_expect *a,
185 const struct nf_conntrack_expect *b)
187 /* Part covered by intersection of masks must be unequal,
188 otherwise they clash */
189 struct nf_conntrack_tuple_mask intersect_mask;
192 intersect_mask.src.u.all = a->mask.src.u.all & b->mask.src.u.all;
194 for (count = 0; count < NF_CT_TUPLE_L3SIZE; count++){
195 intersect_mask.src.u3.all[count] =
196 a->mask.src.u3.all[count] & b->mask.src.u3.all[count];
199 return nf_ct_tuple_mask_cmp(&a->tuple, &b->tuple, &intersect_mask);
202 static inline int expect_matches(const struct nf_conntrack_expect *a,
203 const struct nf_conntrack_expect *b)
205 return a->master == b->master && a->class == b->class &&
206 nf_ct_tuple_equal(&a->tuple, &b->tuple) &&
207 nf_ct_tuple_mask_equal(&a->mask, &b->mask);
210 /* Generally a bad idea to call this: could have matched already. */
211 void nf_ct_unexpect_related(struct nf_conntrack_expect *exp)
213 spin_lock_bh(&nf_conntrack_lock);
214 if (del_timer(&exp->timeout)) {
215 nf_ct_unlink_expect(exp);
216 nf_ct_expect_put(exp);
218 spin_unlock_bh(&nf_conntrack_lock);
220 EXPORT_SYMBOL_GPL(nf_ct_unexpect_related);
222 /* We don't increase the master conntrack refcount for non-fulfilled
223 * conntracks. During the conntrack destruction, the expectations are
224 * always killed before the conntrack itself */
225 struct nf_conntrack_expect *nf_ct_expect_alloc(struct nf_conn *me)
227 struct nf_conntrack_expect *new;
229 new = kmem_cache_alloc(nf_ct_expect_cachep, GFP_ATOMIC);
234 atomic_set(&new->use, 1);
237 EXPORT_SYMBOL_GPL(nf_ct_expect_alloc);
239 void nf_ct_expect_init(struct nf_conntrack_expect *exp, unsigned int class,
241 const union nf_inet_addr *saddr,
242 const union nf_inet_addr *daddr,
243 u_int8_t proto, const __be16 *src, const __be16 *dst)
247 if (family == AF_INET)
254 exp->expectfn = NULL;
256 exp->tuple.src.l3num = family;
257 exp->tuple.dst.protonum = proto;
260 memcpy(&exp->tuple.src.u3, saddr, len);
261 if (sizeof(exp->tuple.src.u3) > len)
262 /* address needs to be cleared for nf_ct_tuple_equal */
263 memset((void *)&exp->tuple.src.u3 + len, 0x00,
264 sizeof(exp->tuple.src.u3) - len);
265 memset(&exp->mask.src.u3, 0xFF, len);
266 if (sizeof(exp->mask.src.u3) > len)
267 memset((void *)&exp->mask.src.u3 + len, 0x00,
268 sizeof(exp->mask.src.u3) - len);
270 memset(&exp->tuple.src.u3, 0x00, sizeof(exp->tuple.src.u3));
271 memset(&exp->mask.src.u3, 0x00, sizeof(exp->mask.src.u3));
275 exp->tuple.src.u.all = *src;
276 exp->mask.src.u.all = htons(0xFFFF);
278 exp->tuple.src.u.all = 0;
279 exp->mask.src.u.all = 0;
282 memcpy(&exp->tuple.dst.u3, daddr, len);
283 if (sizeof(exp->tuple.dst.u3) > len)
284 /* address needs to be cleared for nf_ct_tuple_equal */
285 memset((void *)&exp->tuple.dst.u3 + len, 0x00,
286 sizeof(exp->tuple.dst.u3) - len);
288 exp->tuple.dst.u.all = *dst;
290 EXPORT_SYMBOL_GPL(nf_ct_expect_init);
292 static void nf_ct_expect_free_rcu(struct rcu_head *head)
294 struct nf_conntrack_expect *exp;
296 exp = container_of(head, struct nf_conntrack_expect, rcu);
297 kmem_cache_free(nf_ct_expect_cachep, exp);
300 void nf_ct_expect_put(struct nf_conntrack_expect *exp)
302 if (atomic_dec_and_test(&exp->use))
303 call_rcu(&exp->rcu, nf_ct_expect_free_rcu);
305 EXPORT_SYMBOL_GPL(nf_ct_expect_put);
307 static void nf_ct_expect_insert(struct nf_conntrack_expect *exp)
309 struct nf_conn_help *master_help = nfct_help(exp->master);
310 struct net *net = nf_ct_exp_net(exp);
311 const struct nf_conntrack_expect_policy *p;
312 unsigned int h = nf_ct_expect_dst_hash(&exp->tuple);
314 atomic_inc(&exp->use);
316 hlist_add_head(&exp->lnode, &master_help->expectations);
317 master_help->expecting[exp->class]++;
319 hlist_add_head_rcu(&exp->hnode, &net->ct.expect_hash[h]);
320 net->ct.expect_count++;
322 setup_timer(&exp->timeout, nf_ct_expectation_timed_out,
324 p = &master_help->helper->expect_policy[exp->class];
325 exp->timeout.expires = jiffies + p->timeout * HZ;
326 add_timer(&exp->timeout);
328 atomic_inc(&exp->use);
329 NF_CT_STAT_INC(net, expect_create);
332 /* Race with expectations being used means we could have none to find; OK. */
333 static void evict_oldest_expect(struct nf_conn *master,
334 struct nf_conntrack_expect *new)
336 struct nf_conn_help *master_help = nfct_help(master);
337 struct nf_conntrack_expect *exp, *last = NULL;
338 struct hlist_node *n;
340 hlist_for_each_entry(exp, n, &master_help->expectations, lnode) {
341 if (exp->class == new->class)
345 if (last && del_timer(&last->timeout)) {
346 nf_ct_unlink_expect(last);
347 nf_ct_expect_put(last);
351 static inline int refresh_timer(struct nf_conntrack_expect *i)
353 struct nf_conn_help *master_help = nfct_help(i->master);
354 const struct nf_conntrack_expect_policy *p;
356 if (!del_timer(&i->timeout))
359 p = &master_help->helper->expect_policy[i->class];
360 i->timeout.expires = jiffies + p->timeout * HZ;
361 add_timer(&i->timeout);
365 static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect)
367 const struct nf_conntrack_expect_policy *p;
368 struct nf_conntrack_expect *i;
369 struct nf_conn *master = expect->master;
370 struct nf_conn_help *master_help = nfct_help(master);
371 struct net *net = nf_ct_exp_net(expect);
372 struct hlist_node *n;
376 if (!master_help->helper) {
380 h = nf_ct_expect_dst_hash(&expect->tuple);
381 hlist_for_each_entry(i, n, &net->ct.expect_hash[h], hnode) {
382 if (expect_matches(i, expect)) {
383 /* Refresh timer: if it's dying, ignore.. */
384 if (refresh_timer(i)) {
388 } else if (expect_clash(i, expect)) {
393 /* Will be over limit? */
394 p = &master_help->helper->expect_policy[expect->class];
395 if (p->max_expected &&
396 master_help->expecting[expect->class] >= p->max_expected) {
397 evict_oldest_expect(master, expect);
398 if (master_help->expecting[expect->class] >= p->max_expected) {
404 if (net->ct.expect_count >= nf_ct_expect_max) {
407 "nf_conntrack: expectation table full\n");
414 int nf_ct_expect_related_report(struct nf_conntrack_expect *expect,
419 spin_lock_bh(&nf_conntrack_lock);
420 ret = __nf_ct_expect_check(expect);
425 nf_ct_expect_insert(expect);
426 spin_unlock_bh(&nf_conntrack_lock);
427 nf_ct_expect_event_report(IPEXP_NEW, expect, pid, report);
430 spin_unlock_bh(&nf_conntrack_lock);
433 EXPORT_SYMBOL_GPL(nf_ct_expect_related_report);
435 #ifdef CONFIG_PROC_FS
436 struct ct_expect_iter_state {
437 struct seq_net_private p;
441 static struct hlist_node *ct_expect_get_first(struct seq_file *seq)
443 struct net *net = seq_file_net(seq);
444 struct ct_expect_iter_state *st = seq->private;
445 struct hlist_node *n;
447 for (st->bucket = 0; st->bucket < nf_ct_expect_hsize; st->bucket++) {
448 n = rcu_dereference(net->ct.expect_hash[st->bucket].first);
455 static struct hlist_node *ct_expect_get_next(struct seq_file *seq,
456 struct hlist_node *head)
458 struct net *net = seq_file_net(seq);
459 struct ct_expect_iter_state *st = seq->private;
461 head = rcu_dereference(head->next);
462 while (head == NULL) {
463 if (++st->bucket >= nf_ct_expect_hsize)
465 head = rcu_dereference(net->ct.expect_hash[st->bucket].first);
470 static struct hlist_node *ct_expect_get_idx(struct seq_file *seq, loff_t pos)
472 struct hlist_node *head = ct_expect_get_first(seq);
475 while (pos && (head = ct_expect_get_next(seq, head)))
477 return pos ? NULL : head;
480 static void *exp_seq_start(struct seq_file *seq, loff_t *pos)
484 return ct_expect_get_idx(seq, *pos);
487 static void *exp_seq_next(struct seq_file *seq, void *v, loff_t *pos)
490 return ct_expect_get_next(seq, v);
493 static void exp_seq_stop(struct seq_file *seq, void *v)
499 static int exp_seq_show(struct seq_file *s, void *v)
501 struct nf_conntrack_expect *expect;
502 struct nf_conntrack_helper *helper;
503 struct hlist_node *n = v;
506 expect = hlist_entry(n, struct nf_conntrack_expect, hnode);
508 if (expect->timeout.function)
509 seq_printf(s, "%ld ", timer_pending(&expect->timeout)
510 ? (long)(expect->timeout.expires - jiffies)/HZ : 0);
513 seq_printf(s, "l3proto = %u proto=%u ",
514 expect->tuple.src.l3num,
515 expect->tuple.dst.protonum);
516 print_tuple(s, &expect->tuple,
517 __nf_ct_l3proto_find(expect->tuple.src.l3num),
518 __nf_ct_l4proto_find(expect->tuple.src.l3num,
519 expect->tuple.dst.protonum));
521 if (expect->flags & NF_CT_EXPECT_PERMANENT) {
522 seq_printf(s, "PERMANENT");
525 if (expect->flags & NF_CT_EXPECT_INACTIVE)
526 seq_printf(s, "%sINACTIVE", delim);
528 helper = rcu_dereference(nfct_help(expect->master)->helper);
530 seq_printf(s, "%s%s", expect->flags ? " " : "", helper->name);
531 if (helper->expect_policy[expect->class].name)
533 helper->expect_policy[expect->class].name);
536 return seq_putc(s, '\n');
539 static const struct seq_operations exp_seq_ops = {
540 .start = exp_seq_start,
541 .next = exp_seq_next,
542 .stop = exp_seq_stop,
546 static int exp_open(struct inode *inode, struct file *file)
548 return seq_open_net(inode, file, &exp_seq_ops,
549 sizeof(struct ct_expect_iter_state));
552 static const struct file_operations exp_file_ops = {
553 .owner = THIS_MODULE,
557 .release = seq_release_net,
559 #endif /* CONFIG_PROC_FS */
561 static int exp_proc_init(struct net *net)
563 #ifdef CONFIG_PROC_FS
564 struct proc_dir_entry *proc;
566 proc = proc_net_fops_create(net, "nf_conntrack_expect", 0440, &exp_file_ops);
569 #endif /* CONFIG_PROC_FS */
573 static void exp_proc_remove(struct net *net)
575 #ifdef CONFIG_PROC_FS
576 proc_net_remove(net, "nf_conntrack_expect");
577 #endif /* CONFIG_PROC_FS */
580 module_param_named(expect_hashsize, nf_ct_expect_hsize, uint, 0400);
582 int nf_conntrack_expect_init(struct net *net)
586 if (net_eq(net, &init_net)) {
587 if (!nf_ct_expect_hsize) {
588 nf_ct_expect_hsize = net->ct.htable_size / 256;
589 if (!nf_ct_expect_hsize)
590 nf_ct_expect_hsize = 1;
592 nf_ct_expect_max = nf_ct_expect_hsize * 4;
595 net->ct.expect_count = 0;
596 net->ct.expect_hash = nf_ct_alloc_hashtable(&nf_ct_expect_hsize,
597 &net->ct.expect_vmalloc, 0);
598 if (net->ct.expect_hash == NULL)
601 if (net_eq(net, &init_net)) {
602 nf_ct_expect_cachep = kmem_cache_create("nf_conntrack_expect",
603 sizeof(struct nf_conntrack_expect),
605 if (!nf_ct_expect_cachep)
609 err = exp_proc_init(net);
616 if (net_eq(net, &init_net))
617 kmem_cache_destroy(nf_ct_expect_cachep);
619 nf_ct_free_hashtable(net->ct.expect_hash, net->ct.expect_vmalloc,
625 void nf_conntrack_expect_fini(struct net *net)
627 exp_proc_remove(net);
628 if (net_eq(net, &init_net)) {
629 rcu_barrier(); /* Wait for call_rcu() before destroy */
630 kmem_cache_destroy(nf_ct_expect_cachep);
632 nf_ct_free_hashtable(net->ct.expect_hash, net->ct.expect_vmalloc,
git://ftp.safe.ca / safe / jmp / linux-2.6 / blob