1 /* This file contains all the functions required for the standalone
4 These are not required by the compatibility layer.
7 /* (C) 1999-2001 Paul `Rusty' Russell
8 * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
10 * This program is free software; you can redistribute it and/or modify
11 * it under the terms of the GNU General Public License version 2 as
12 * published by the Free Software Foundation.
15 #include <linux/config.h>
16 #include <linux/types.h>
18 #include <linux/netfilter.h>
19 #include <linux/netfilter_ipv4.h>
20 #include <linux/module.h>
21 #include <linux/skbuff.h>
22 #include <linux/proc_fs.h>
24 #include <linux/sysctl.h>
26 #include <net/checksum.h>
29 #define ASSERT_READ_LOCK(x) MUST_BE_READ_LOCKED(&ip_conntrack_lock)
30 #define ASSERT_WRITE_LOCK(x) MUST_BE_WRITE_LOCKED(&ip_conntrack_lock)
32 #include <linux/netfilter_ipv4/ip_conntrack.h>
33 #include <linux/netfilter_ipv4/ip_conntrack_protocol.h>
34 #include <linux/netfilter_ipv4/ip_conntrack_core.h>
35 #include <linux/netfilter_ipv4/ip_conntrack_helper.h>
36 #include <linux/netfilter_ipv4/listhelp.h>
41 #define DEBUGP(format, args...)
44 MODULE_LICENSE("GPL");
46 static int kill_proto(const struct ip_conntrack *i, void *data)
48 return (i->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum ==
49 *((u_int8_t *) data));
53 print_tuple(char *buffer, const struct ip_conntrack_tuple *tuple,
54 struct ip_conntrack_protocol *proto)
58 len = sprintf(buffer, "src=%u.%u.%u.%u dst=%u.%u.%u.%u ",
59 NIPQUAD(tuple->src.ip), NIPQUAD(tuple->dst.ip));
61 len += proto->print_tuple(buffer + len, tuple);
66 /* FIXME: Don't print source proto part. --RR */
68 print_expect(char *buffer, const struct ip_conntrack_expect *expect)
72 if (expect->expectant->helper->timeout)
73 len = sprintf(buffer, "EXPECTING: %lu ",
74 timer_pending(&expect->timeout)
75 ? (expect->timeout.expires - jiffies)/HZ : 0);
77 len = sprintf(buffer, "EXPECTING: - ");
78 len += sprintf(buffer + len, "use=%u proto=%u ",
79 atomic_read(&expect->use), expect->tuple.dst.protonum);
80 len += print_tuple(buffer + len, &expect->tuple,
81 __ip_ct_find_proto(expect->tuple.dst.protonum));
82 len += sprintf(buffer + len, "\n");
86 #ifdef CONFIG_IP_NF_CT_ACCT
88 print_counters(char *buffer, struct ip_conntrack_counter *counter)
90 return sprintf(buffer, "packets=%llu bytes=%llu ",
91 counter->packets, counter->bytes);
94 #define print_counters(x, y) 0
98 print_conntrack(char *buffer, struct ip_conntrack *conntrack)
101 struct ip_conntrack_protocol *proto
102 = __ip_ct_find_proto(conntrack->tuplehash[IP_CT_DIR_ORIGINAL]
103 .tuple.dst.protonum);
105 len = sprintf(buffer, "%-8s %u %lu ",
107 conntrack->tuplehash[IP_CT_DIR_ORIGINAL]
109 timer_pending(&conntrack->timeout)
110 ? (conntrack->timeout.expires - jiffies)/HZ : 0);
112 len += proto->print_conntrack(buffer + len, conntrack);
113 len += print_tuple(buffer + len,
114 &conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
116 len += sprintf(buffer + len, "xid=%d ", conntrack->xid[IP_CT_DIR_ORIGINAL]);
117 len += print_counters(buffer + len,
118 &conntrack->counters[IP_CT_DIR_ORIGINAL]);
119 if (!(test_bit(IPS_SEEN_REPLY_BIT, &conntrack->status)))
120 len += sprintf(buffer + len, "[UNREPLIED] ");
121 len += print_tuple(buffer + len,
122 &conntrack->tuplehash[IP_CT_DIR_REPLY].tuple,
124 len += sprintf(buffer + len, "xid=%d ", conntrack->xid[IP_CT_DIR_REPLY]);
125 len += print_counters(buffer + len,
126 &conntrack->counters[IP_CT_DIR_REPLY]);
127 if (test_bit(IPS_ASSURED_BIT, &conntrack->status))
128 len += sprintf(buffer + len, "[ASSURED] ");
129 len += sprintf(buffer + len, "use=%u ",
130 atomic_read(&conntrack->ct_general.use));
131 len += sprintf(buffer + len, "\n");
136 /* Returns true when finished. */
138 conntrack_iterate(const struct ip_conntrack_tuple_hash *hash,
139 char *buffer, off_t offset, off_t *upto,
140 unsigned int *len, unsigned int maxlen)
143 IP_NF_ASSERT(hash->ctrack);
145 MUST_BE_READ_LOCKED(&ip_conntrack_lock);
147 /* Only count originals */
151 if ((*upto)++ < offset)
154 newlen = print_conntrack(buffer + *len, hash->ctrack);
155 if (*len + newlen > maxlen)
163 list_conntracks(char *buffer, char **start, off_t offset, int length)
166 unsigned int len = 0;
170 READ_LOCK(&ip_conntrack_lock);
171 /* Traverse hash; print originals then reply. */
172 for (i = 0; i < ip_conntrack_htable_size; i++) {
173 if (LIST_FIND(&ip_conntrack_hash[i], conntrack_iterate,
174 struct ip_conntrack_tuple_hash *,
175 buffer, offset, &upto, &len, length))
179 /* Now iterate through expecteds. */
180 READ_LOCK(&ip_conntrack_expect_tuple_lock);
181 list_for_each(e, &ip_conntrack_expect_list) {
182 unsigned int last_len;
183 struct ip_conntrack_expect *expect
184 = (struct ip_conntrack_expect *)e;
185 if (upto++ < offset) continue;
188 len += print_expect(buffer + len, expect);
191 goto finished_expects;
196 READ_UNLOCK(&ip_conntrack_expect_tuple_lock);
198 READ_UNLOCK(&ip_conntrack_lock);
200 /* `start' hack - see fs/proc/generic.c line ~165 */
201 *start = (char *)((unsigned int)upto - offset);
205 static unsigned int ip_confirm(unsigned int hooknum,
206 struct sk_buff **pskb,
207 const struct net_device *in,
208 const struct net_device *out,
209 int (*okfn)(struct sk_buff *))
211 /* We've seen it coming out the other side: confirm it */
212 return ip_conntrack_confirm(*pskb);
215 static unsigned int ip_conntrack_defrag(unsigned int hooknum,
216 struct sk_buff **pskb,
217 const struct net_device *in,
218 const struct net_device *out,
219 int (*okfn)(struct sk_buff *))
221 /* Previously seen (loopback)? Ignore. Do this before
226 /* Gather fragments. */
227 if ((*pskb)->nh.iph->frag_off & htons(IP_MF|IP_OFFSET)) {
228 *pskb = ip_ct_gather_frags(*pskb);
235 static unsigned int ip_refrag(unsigned int hooknum,
236 struct sk_buff **pskb,
237 const struct net_device *in,
238 const struct net_device *out,
239 int (*okfn)(struct sk_buff *))
241 struct rtable *rt = (struct rtable *)(*pskb)->dst;
243 /* We've seen it coming out the other side: confirm */
244 if (ip_confirm(hooknum, pskb, in, out, okfn) != NF_ACCEPT)
247 /* Local packets are never produced too large for their
248 interface. We degfragment them at LOCAL_OUT, however,
249 so we have to refragment them here. */
250 if ((*pskb)->len > dst_pmtu(&rt->u.dst) &&
251 !skb_shinfo(*pskb)->tso_size) {
252 /* No hook can be after us, so this should be OK. */
253 ip_fragment(*pskb, okfn);
259 static unsigned int ip_conntrack_local(unsigned int hooknum,
260 struct sk_buff **pskb,
261 const struct net_device *in,
262 const struct net_device *out,
263 int (*okfn)(struct sk_buff *))
265 /* root is playing with raw sockets. */
266 if ((*pskb)->len < sizeof(struct iphdr)
267 || (*pskb)->nh.iph->ihl * 4 < sizeof(struct iphdr)) {
269 printk("ipt_hook: happy cracking.\n");
272 return ip_conntrack_in(hooknum, pskb, in, out, okfn);
275 /* Connection tracking may drop packets, but never alters them, so
276 make it the first hook. */
277 static struct nf_hook_ops ip_conntrack_defrag_ops = {
278 .hook = ip_conntrack_defrag,
279 .owner = THIS_MODULE,
281 .hooknum = NF_IP_PRE_ROUTING,
282 .priority = NF_IP_PRI_CONNTRACK_DEFRAG,
285 static struct nf_hook_ops ip_conntrack_in_ops = {
286 .hook = ip_conntrack_in,
287 .owner = THIS_MODULE,
289 .hooknum = NF_IP_PRE_ROUTING,
290 .priority = NF_IP_PRI_CONNTRACK,
293 static struct nf_hook_ops ip_conntrack_defrag_local_out_ops = {
294 .hook = ip_conntrack_defrag,
295 .owner = THIS_MODULE,
297 .hooknum = NF_IP_LOCAL_OUT,
298 .priority = NF_IP_PRI_CONNTRACK_DEFRAG,
301 static struct nf_hook_ops ip_conntrack_local_out_ops = {
302 .hook = ip_conntrack_local,
303 .owner = THIS_MODULE,
305 .hooknum = NF_IP_LOCAL_OUT,
306 .priority = NF_IP_PRI_CONNTRACK,
309 /* Refragmenter; last chance. */
310 static struct nf_hook_ops ip_conntrack_out_ops = {
312 .owner = THIS_MODULE,
314 .hooknum = NF_IP_POST_ROUTING,
315 .priority = NF_IP_PRI_LAST,
318 static struct nf_hook_ops ip_conntrack_local_in_ops = {
320 .owner = THIS_MODULE,
322 .hooknum = NF_IP_LOCAL_IN,
323 .priority = NF_IP_PRI_LAST-1,
330 /* From ip_conntrack_core.c */
331 extern int ip_conntrack_max;
332 extern unsigned int ip_conntrack_htable_size;
334 /* From ip_conntrack_proto_tcp.c */
335 extern unsigned long ip_ct_tcp_timeout_syn_sent;
336 extern unsigned long ip_ct_tcp_timeout_syn_recv;
337 extern unsigned long ip_ct_tcp_timeout_established;
338 extern unsigned long ip_ct_tcp_timeout_fin_wait;
339 extern unsigned long ip_ct_tcp_timeout_close_wait;
340 extern unsigned long ip_ct_tcp_timeout_last_ack;
341 extern unsigned long ip_ct_tcp_timeout_time_wait;
342 extern unsigned long ip_ct_tcp_timeout_close;
344 /* From ip_conntrack_proto_udp.c */
345 extern unsigned long ip_ct_udp_timeout;
346 extern unsigned long ip_ct_udp_timeout_stream;
348 /* From ip_conntrack_proto_icmp.c */
349 extern unsigned long ip_ct_icmp_timeout;
351 /* From ip_conntrack_proto_icmp.c */
352 extern unsigned long ip_ct_generic_timeout;
354 static struct ctl_table_header *ip_ct_sysctl_header;
356 static ctl_table ip_ct_sysctl_table[] = {
358 .ctl_name = NET_IPV4_NF_CONNTRACK_MAX,
359 .procname = "ip_conntrack_max",
360 .data = &ip_conntrack_max,
361 .maxlen = sizeof(int),
363 .proc_handler = &proc_dointvec,
366 .ctl_name = NET_IPV4_NF_CONNTRACK_BUCKETS,
367 .procname = "ip_conntrack_buckets",
368 .data = &ip_conntrack_htable_size,
369 .maxlen = sizeof(unsigned int),
371 .proc_handler = &proc_dointvec,
374 .ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_SYN_SENT,
375 .procname = "ip_conntrack_tcp_timeout_syn_sent",
376 .data = &ip_ct_tcp_timeout_syn_sent,
377 .maxlen = sizeof(unsigned int),
379 .proc_handler = &proc_dointvec_jiffies,
382 .ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_SYN_RECV,
383 .procname = "ip_conntrack_tcp_timeout_syn_recv",
384 .data = &ip_ct_tcp_timeout_syn_recv,
385 .maxlen = sizeof(unsigned int),
387 .proc_handler = &proc_dointvec_jiffies,
390 .ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_ESTABLISHED,
391 .procname = "ip_conntrack_tcp_timeout_established",
392 .data = &ip_ct_tcp_timeout_established,
393 .maxlen = sizeof(unsigned int),
395 .proc_handler = &proc_dointvec_jiffies,
398 .ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_FIN_WAIT,
399 .procname = "ip_conntrack_tcp_timeout_fin_wait",
400 .data = &ip_ct_tcp_timeout_fin_wait,
401 .maxlen = sizeof(unsigned int),
403 .proc_handler = &proc_dointvec_jiffies,
406 .ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_CLOSE_WAIT,
407 .procname = "ip_conntrack_tcp_timeout_close_wait",
408 .data = &ip_ct_tcp_timeout_close_wait,
409 .maxlen = sizeof(unsigned int),
411 .proc_handler = &proc_dointvec_jiffies,
414 .ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_LAST_ACK,
415 .procname = "ip_conntrack_tcp_timeout_last_ack",
416 .data = &ip_ct_tcp_timeout_last_ack,
417 .maxlen = sizeof(unsigned int),
419 .proc_handler = &proc_dointvec_jiffies,
422 .ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_TIME_WAIT,
423 .procname = "ip_conntrack_tcp_timeout_time_wait",
424 .data = &ip_ct_tcp_timeout_time_wait,
425 .maxlen = sizeof(unsigned int),
427 .proc_handler = &proc_dointvec_jiffies,
430 .ctl_name = NET_IPV4_NF_CONNTRACK_TCP_TIMEOUT_CLOSE,
431 .procname = "ip_conntrack_tcp_timeout_close",
432 .data = &ip_ct_tcp_timeout_close,
433 .maxlen = sizeof(unsigned int),
435 .proc_handler = &proc_dointvec_jiffies,
438 .ctl_name = NET_IPV4_NF_CONNTRACK_UDP_TIMEOUT,
439 .procname = "ip_conntrack_udp_timeout",
440 .data = &ip_ct_udp_timeout,
441 .maxlen = sizeof(unsigned int),
443 .proc_handler = &proc_dointvec_jiffies,
446 .ctl_name = NET_IPV4_NF_CONNTRACK_UDP_TIMEOUT_STREAM,
447 .procname = "ip_conntrack_udp_timeout_stream",
448 .data = &ip_ct_udp_timeout_stream,
449 .maxlen = sizeof(unsigned int),
451 .proc_handler = &proc_dointvec_jiffies,
454 .ctl_name = NET_IPV4_NF_CONNTRACK_ICMP_TIMEOUT,
455 .procname = "ip_conntrack_icmp_timeout",
456 .data = &ip_ct_icmp_timeout,
457 .maxlen = sizeof(unsigned int),
459 .proc_handler = &proc_dointvec_jiffies,
462 .ctl_name = NET_IPV4_NF_CONNTRACK_GENERIC_TIMEOUT,
463 .procname = "ip_conntrack_generic_timeout",
464 .data = &ip_ct_generic_timeout,
465 .maxlen = sizeof(unsigned int),
467 .proc_handler = &proc_dointvec_jiffies,
472 #define NET_IP_CONNTRACK_MAX 2089
474 static ctl_table ip_ct_netfilter_table[] = {
476 .ctl_name = NET_IPV4_NETFILTER,
477 .procname = "netfilter",
479 .child = ip_ct_sysctl_table,
482 .ctl_name = NET_IP_CONNTRACK_MAX,
483 .procname = "ip_conntrack_max",
484 .data = &ip_conntrack_max,
485 .maxlen = sizeof(int),
487 .proc_handler = &proc_dointvec
492 static ctl_table ip_ct_ipv4_table[] = {
494 .ctl_name = NET_IPV4,
497 .child = ip_ct_netfilter_table,
502 static ctl_table ip_ct_net_table[] = {
507 .child = ip_ct_ipv4_table,
512 static int init_or_cleanup(int init)
514 struct proc_dir_entry *proc;
517 if (!init) goto cleanup;
519 ret = ip_conntrack_init();
521 goto cleanup_nothing;
523 proc = proc_net_create("ip_conntrack", 0440, list_conntracks);
524 if (!proc) goto cleanup_init;
525 proc->owner = THIS_MODULE;
527 ret = nf_register_hook(&ip_conntrack_defrag_ops);
529 printk("ip_conntrack: can't register pre-routing defrag hook.\n");
532 ret = nf_register_hook(&ip_conntrack_defrag_local_out_ops);
534 printk("ip_conntrack: can't register local_out defrag hook.\n");
535 goto cleanup_defragops;
537 ret = nf_register_hook(&ip_conntrack_in_ops);
539 printk("ip_conntrack: can't register pre-routing hook.\n");
540 goto cleanup_defraglocalops;
542 ret = nf_register_hook(&ip_conntrack_local_out_ops);
544 printk("ip_conntrack: can't register local out hook.\n");
547 ret = nf_register_hook(&ip_conntrack_out_ops);
549 printk("ip_conntrack: can't register post-routing hook.\n");
550 goto cleanup_inandlocalops;
552 ret = nf_register_hook(&ip_conntrack_local_in_ops);
554 printk("ip_conntrack: can't register local in hook.\n");
555 goto cleanup_inoutandlocalops;
558 ip_ct_sysctl_header = register_sysctl_table(ip_ct_net_table, 0);
559 if (ip_ct_sysctl_header == NULL) {
560 printk("ip_conntrack: can't register to sysctl.\n");
569 unregister_sysctl_table(ip_ct_sysctl_header);
571 nf_unregister_hook(&ip_conntrack_local_in_ops);
572 cleanup_inoutandlocalops:
573 nf_unregister_hook(&ip_conntrack_out_ops);
574 cleanup_inandlocalops:
575 nf_unregister_hook(&ip_conntrack_local_out_ops);
577 nf_unregister_hook(&ip_conntrack_in_ops);
578 cleanup_defraglocalops:
579 nf_unregister_hook(&ip_conntrack_defrag_local_out_ops);
581 nf_unregister_hook(&ip_conntrack_defrag_ops);
583 proc_net_remove("ip_conntrack");
585 ip_conntrack_cleanup();
590 /* FIXME: Allow NULL functions and sub in pointers to generic for
592 int ip_conntrack_protocol_register(struct ip_conntrack_protocol *proto)
597 WRITE_LOCK(&ip_conntrack_lock);
598 list_for_each(i, &protocol_list) {
599 if (((struct ip_conntrack_protocol *)i)->proto
606 list_prepend(&protocol_list, proto);
609 WRITE_UNLOCK(&ip_conntrack_lock);
613 void ip_conntrack_protocol_unregister(struct ip_conntrack_protocol *proto)
615 WRITE_LOCK(&ip_conntrack_lock);
617 /* ip_ct_find_proto() returns proto_generic in case there is no protocol
618 * helper. So this should be enough - HW */
619 LIST_DELETE(&protocol_list, proto);
620 WRITE_UNLOCK(&ip_conntrack_lock);
622 /* Somebody could be still looking at the proto in bh. */
625 /* Remove all contrack entries for this protocol */
626 ip_ct_selective_cleanup(kill_proto, &proto->proto);
629 static int __init init(void)
631 return init_or_cleanup(1);
634 static void __exit fini(void)
642 /* Some modules need us, but don't depend directly on any symbol.
643 They should call this. */
644 void need_ip_conntrack(void)
648 EXPORT_SYMBOL(ip_conntrack_protocol_register);
649 EXPORT_SYMBOL(ip_conntrack_protocol_unregister);
650 EXPORT_SYMBOL(invert_tuplepr);
651 EXPORT_SYMBOL(ip_conntrack_alter_reply);
652 EXPORT_SYMBOL(ip_conntrack_destroyed);
653 EXPORT_SYMBOL(ip_conntrack_get);
654 EXPORT_SYMBOL(need_ip_conntrack);
655 EXPORT_SYMBOL(ip_conntrack_helper_register);
656 EXPORT_SYMBOL(ip_conntrack_helper_unregister);
657 EXPORT_SYMBOL(ip_ct_selective_cleanup);
658 EXPORT_SYMBOL(ip_ct_refresh_acct);
659 EXPORT_SYMBOL(ip_ct_find_proto);
660 EXPORT_SYMBOL(__ip_ct_find_proto);
661 EXPORT_SYMBOL(ip_ct_find_helper);
662 EXPORT_SYMBOL(ip_conntrack_expect_alloc);
663 EXPORT_SYMBOL(ip_conntrack_expect_related);
664 EXPORT_SYMBOL(ip_conntrack_change_expect);
665 EXPORT_SYMBOL(ip_conntrack_unexpect_related);
666 EXPORT_SYMBOL_GPL(ip_conntrack_expect_find_get);
667 EXPORT_SYMBOL_GPL(ip_conntrack_expect_put);
668 EXPORT_SYMBOL(ip_conntrack_tuple_taken);
669 EXPORT_SYMBOL(ip_ct_gather_frags);
670 EXPORT_SYMBOL(ip_conntrack_htable_size);
671 EXPORT_SYMBOL(ip_conntrack_expect_list);
672 EXPORT_SYMBOL(ip_conntrack_lock);
673 EXPORT_SYMBOL(ip_conntrack_hash);
674 EXPORT_SYMBOL(ip_conntrack_untracked);
675 EXPORT_SYMBOL_GPL(ip_conntrack_find_get);
676 EXPORT_SYMBOL_GPL(ip_conntrack_put);