netfilter: ctnetlink: use nlmsg_* helper function to build messages
[linux-2.6.git] / net / netfilter / nf_conntrack_netlink.c
1 /* Connection tracking via netlink socket. Allows for user space
2  * protocol helpers and general trouble making from userspace.
3  *
4  * (C) 2001 by Jay Schulist <jschlst@samba.org>
5  * (C) 2002-2006 by Harald Welte <laforge@gnumonks.org>
6  * (C) 2003 by Patrick Mchardy <kaber@trash.net>
7  * (C) 2005-2008 by Pablo Neira Ayuso <pablo@netfilter.org>
8  *
9  * Initial connection tracking via netlink development funded and
10  * generally made possible by Network Robots, Inc. (www.networkrobots.com)
11  *
12  * Further development of this code funded by Astaro AG (http://www.astaro.com)
13  *
14  * This software may be used and distributed according to the terms
15  * of the GNU General Public License, incorporated herein by reference.
16  */
17
18 #include <linux/init.h>
19 #include <linux/module.h>
20 #include <linux/kernel.h>
21 #include <linux/rculist.h>
22 #include <linux/rculist_nulls.h>
23 #include <linux/types.h>
24 #include <linux/timer.h>
25 #include <linux/skbuff.h>
26 #include <linux/errno.h>
27 #include <linux/netlink.h>
28 #include <linux/spinlock.h>
29 #include <linux/interrupt.h>
30 #include <linux/notifier.h>
31
32 #include <linux/netfilter.h>
33 #include <net/netlink.h>
34 #include <net/netfilter/nf_conntrack.h>
35 #include <net/netfilter/nf_conntrack_core.h>
36 #include <net/netfilter/nf_conntrack_expect.h>
37 #include <net/netfilter/nf_conntrack_helper.h>
38 #include <net/netfilter/nf_conntrack_l3proto.h>
39 #include <net/netfilter/nf_conntrack_l4proto.h>
40 #include <net/netfilter/nf_conntrack_tuple.h>
41 #include <net/netfilter/nf_conntrack_acct.h>
42 #ifdef CONFIG_NF_NAT_NEEDED
43 #include <net/netfilter/nf_nat_core.h>
44 #include <net/netfilter/nf_nat_protocol.h>
45 #endif
46
47 #include <linux/netfilter/nfnetlink.h>
48 #include <linux/netfilter/nfnetlink_conntrack.h>
49
50 MODULE_LICENSE("GPL");
51
52 static char __initdata version[] = "0.93";
53
54 static inline int
55 ctnetlink_dump_tuples_proto(struct sk_buff *skb,
56                             const struct nf_conntrack_tuple *tuple,
57                             struct nf_conntrack_l4proto *l4proto)
58 {
59         int ret = 0;
60         struct nlattr *nest_parms;
61
62         nest_parms = nla_nest_start(skb, CTA_TUPLE_PROTO | NLA_F_NESTED);
63         if (!nest_parms)
64                 goto nla_put_failure;
65         NLA_PUT_U8(skb, CTA_PROTO_NUM, tuple->dst.protonum);
66
67         if (likely(l4proto->tuple_to_nlattr))
68                 ret = l4proto->tuple_to_nlattr(skb, tuple);
69
70         nla_nest_end(skb, nest_parms);
71
72         return ret;
73
74 nla_put_failure:
75         return -1;
76 }
77
78 static inline int
79 ctnetlink_dump_tuples_ip(struct sk_buff *skb,
80                          const struct nf_conntrack_tuple *tuple,
81                          struct nf_conntrack_l3proto *l3proto)
82 {
83         int ret = 0;
84         struct nlattr *nest_parms;
85
86         nest_parms = nla_nest_start(skb, CTA_TUPLE_IP | NLA_F_NESTED);
87         if (!nest_parms)
88                 goto nla_put_failure;
89
90         if (likely(l3proto->tuple_to_nlattr))
91                 ret = l3proto->tuple_to_nlattr(skb, tuple);
92
93         nla_nest_end(skb, nest_parms);
94
95         return ret;
96
97 nla_put_failure:
98         return -1;
99 }
100
101 static int
102 ctnetlink_dump_tuples(struct sk_buff *skb,
103                       const struct nf_conntrack_tuple *tuple)
104 {
105         int ret;
106         struct nf_conntrack_l3proto *l3proto;
107         struct nf_conntrack_l4proto *l4proto;
108
109         l3proto = __nf_ct_l3proto_find(tuple->src.l3num);
110         ret = ctnetlink_dump_tuples_ip(skb, tuple, l3proto);
111
112         if (unlikely(ret < 0))
113                 return ret;
114
115         l4proto = __nf_ct_l4proto_find(tuple->src.l3num, tuple->dst.protonum);
116         ret = ctnetlink_dump_tuples_proto(skb, tuple, l4proto);
117
118         return ret;
119 }
120
121 static inline int
122 ctnetlink_dump_status(struct sk_buff *skb, const struct nf_conn *ct)
123 {
124         NLA_PUT_BE32(skb, CTA_STATUS, htonl(ct->status));
125         return 0;
126
127 nla_put_failure:
128         return -1;
129 }
130
131 static inline int
132 ctnetlink_dump_timeout(struct sk_buff *skb, const struct nf_conn *ct)
133 {
134         long timeout = (ct->timeout.expires - jiffies) / HZ;
135
136         if (timeout < 0)
137                 timeout = 0;
138
139         NLA_PUT_BE32(skb, CTA_TIMEOUT, htonl(timeout));
140         return 0;
141
142 nla_put_failure:
143         return -1;
144 }
145
146 static inline int
147 ctnetlink_dump_protoinfo(struct sk_buff *skb, const struct nf_conn *ct)
148 {
149         struct nf_conntrack_l4proto *l4proto;
150         struct nlattr *nest_proto;
151         int ret;
152
153         l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
154         if (!l4proto->to_nlattr)
155                 return 0;
156
157         nest_proto = nla_nest_start(skb, CTA_PROTOINFO | NLA_F_NESTED);
158         if (!nest_proto)
159                 goto nla_put_failure;
160
161         ret = l4proto->to_nlattr(skb, nest_proto, ct);
162
163         nla_nest_end(skb, nest_proto);
164
165         return ret;
166
167 nla_put_failure:
168         return -1;
169 }
170
171 static inline int
172 ctnetlink_dump_helpinfo(struct sk_buff *skb, const struct nf_conn *ct)
173 {
174         struct nlattr *nest_helper;
175         const struct nf_conn_help *help = nfct_help(ct);
176         struct nf_conntrack_helper *helper;
177
178         if (!help)
179                 return 0;
180
181         helper = rcu_dereference(help->helper);
182         if (!helper)
183                 goto out;
184
185         nest_helper = nla_nest_start(skb, CTA_HELP | NLA_F_NESTED);
186         if (!nest_helper)
187                 goto nla_put_failure;
188         NLA_PUT_STRING(skb, CTA_HELP_NAME, helper->name);
189
190         if (helper->to_nlattr)
191                 helper->to_nlattr(skb, ct);
192
193         nla_nest_end(skb, nest_helper);
194 out:
195         return 0;
196
197 nla_put_failure:
198         return -1;
199 }
200
201 static int
202 ctnetlink_dump_counters(struct sk_buff *skb, const struct nf_conn *ct,
203                         enum ip_conntrack_dir dir)
204 {
205         enum ctattr_type type = dir ? CTA_COUNTERS_REPLY: CTA_COUNTERS_ORIG;
206         struct nlattr *nest_count;
207         const struct nf_conn_counter *acct;
208
209         acct = nf_conn_acct_find(ct);
210         if (!acct)
211                 return 0;
212
213         nest_count = nla_nest_start(skb, type | NLA_F_NESTED);
214         if (!nest_count)
215                 goto nla_put_failure;
216
217         NLA_PUT_BE64(skb, CTA_COUNTERS_PACKETS,
218                      cpu_to_be64(acct[dir].packets));
219         NLA_PUT_BE64(skb, CTA_COUNTERS_BYTES,
220                      cpu_to_be64(acct[dir].bytes));
221
222         nla_nest_end(skb, nest_count);
223
224         return 0;
225
226 nla_put_failure:
227         return -1;
228 }
229
230 #ifdef CONFIG_NF_CONNTRACK_MARK
231 static inline int
232 ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct)
233 {
234         NLA_PUT_BE32(skb, CTA_MARK, htonl(ct->mark));
235         return 0;
236
237 nla_put_failure:
238         return -1;
239 }
240 #else
241 #define ctnetlink_dump_mark(a, b) (0)
242 #endif
243
244 #ifdef CONFIG_NF_CONNTRACK_SECMARK
245 static inline int
246 ctnetlink_dump_secmark(struct sk_buff *skb, const struct nf_conn *ct)
247 {
248         NLA_PUT_BE32(skb, CTA_SECMARK, htonl(ct->secmark));
249         return 0;
250
251 nla_put_failure:
252         return -1;
253 }
254 #else
255 #define ctnetlink_dump_secmark(a, b) (0)
256 #endif
257
258 #define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple)
259
260 static inline int
261 ctnetlink_dump_master(struct sk_buff *skb, const struct nf_conn *ct)
262 {
263         struct nlattr *nest_parms;
264
265         if (!(ct->status & IPS_EXPECTED))
266                 return 0;
267
268         nest_parms = nla_nest_start(skb, CTA_TUPLE_MASTER | NLA_F_NESTED);
269         if (!nest_parms)
270                 goto nla_put_failure;
271         if (ctnetlink_dump_tuples(skb, master_tuple(ct)) < 0)
272                 goto nla_put_failure;
273         nla_nest_end(skb, nest_parms);
274
275         return 0;
276
277 nla_put_failure:
278         return -1;
279 }
280
281 #ifdef CONFIG_NF_NAT_NEEDED
282 static int
283 dump_nat_seq_adj(struct sk_buff *skb, const struct nf_nat_seq *natseq, int type)
284 {
285         struct nlattr *nest_parms;
286
287         nest_parms = nla_nest_start(skb, type | NLA_F_NESTED);
288         if (!nest_parms)
289                 goto nla_put_failure;
290
291         NLA_PUT_BE32(skb, CTA_NAT_SEQ_CORRECTION_POS,
292                      htonl(natseq->correction_pos));
293         NLA_PUT_BE32(skb, CTA_NAT_SEQ_OFFSET_BEFORE,
294                      htonl(natseq->offset_before));
295         NLA_PUT_BE32(skb, CTA_NAT_SEQ_OFFSET_AFTER,
296                      htonl(natseq->offset_after));
297
298         nla_nest_end(skb, nest_parms);
299
300         return 0;
301
302 nla_put_failure:
303         return -1;
304 }
305
306 static inline int
307 ctnetlink_dump_nat_seq_adj(struct sk_buff *skb, const struct nf_conn *ct)
308 {
309         struct nf_nat_seq *natseq;
310         struct nf_conn_nat *nat = nfct_nat(ct);
311
312         if (!(ct->status & IPS_SEQ_ADJUST) || !nat)
313                 return 0;
314
315         natseq = &nat->seq[IP_CT_DIR_ORIGINAL];
316         if (dump_nat_seq_adj(skb, natseq, CTA_NAT_SEQ_ADJ_ORIG) == -1)
317                 return -1;
318
319         natseq = &nat->seq[IP_CT_DIR_REPLY];
320         if (dump_nat_seq_adj(skb, natseq, CTA_NAT_SEQ_ADJ_REPLY) == -1)
321                 return -1;
322
323         return 0;
324 }
325 #else
326 #define ctnetlink_dump_nat_seq_adj(a, b) (0)
327 #endif
328
329 static inline int
330 ctnetlink_dump_id(struct sk_buff *skb, const struct nf_conn *ct)
331 {
332         NLA_PUT_BE32(skb, CTA_ID, htonl((unsigned long)ct));
333         return 0;
334
335 nla_put_failure:
336         return -1;
337 }
338
339 static inline int
340 ctnetlink_dump_use(struct sk_buff *skb, const struct nf_conn *ct)
341 {
342         NLA_PUT_BE32(skb, CTA_USE, htonl(atomic_read(&ct->ct_general.use)));
343         return 0;
344
345 nla_put_failure:
346         return -1;
347 }
348
349 static int
350 ctnetlink_fill_info(struct sk_buff *skb, u32 pid, u32 seq,
351                     int event, const struct nf_conn *ct)
352 {
353         struct nlmsghdr *nlh;
354         struct nfgenmsg *nfmsg;
355         struct nlattr *nest_parms;
356         unsigned int flags = pid ? NLM_F_MULTI : 0;
357
358         event |= NFNL_SUBSYS_CTNETLINK << 8;
359         nlh = nlmsg_put(skb, pid, seq, event, sizeof(*nfmsg), flags);
360         if (nlh == NULL)
361                 goto nlmsg_failure;
362
363         nfmsg = nlmsg_data(nlh);
364         nfmsg->nfgen_family = nf_ct_l3num(ct);
365         nfmsg->version      = NFNETLINK_V0;
366         nfmsg->res_id       = 0;
367
368         nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED);
369         if (!nest_parms)
370                 goto nla_put_failure;
371         if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
372                 goto nla_put_failure;
373         nla_nest_end(skb, nest_parms);
374
375         nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY | NLA_F_NESTED);
376         if (!nest_parms)
377                 goto nla_put_failure;
378         if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
379                 goto nla_put_failure;
380         nla_nest_end(skb, nest_parms);
381
382         if (ctnetlink_dump_status(skb, ct) < 0 ||
383             ctnetlink_dump_timeout(skb, ct) < 0 ||
384             ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 ||
385             ctnetlink_dump_counters(skb, ct, IP_CT_DIR_REPLY) < 0 ||
386             ctnetlink_dump_protoinfo(skb, ct) < 0 ||
387             ctnetlink_dump_helpinfo(skb, ct) < 0 ||
388             ctnetlink_dump_mark(skb, ct) < 0 ||
389             ctnetlink_dump_secmark(skb, ct) < 0 ||
390             ctnetlink_dump_id(skb, ct) < 0 ||
391             ctnetlink_dump_use(skb, ct) < 0 ||
392             ctnetlink_dump_master(skb, ct) < 0 ||
393             ctnetlink_dump_nat_seq_adj(skb, ct) < 0)
394                 goto nla_put_failure;
395
396         nlmsg_end(skb, nlh);
397         return skb->len;
398
399 nlmsg_failure:
400 nla_put_failure:
401         nlmsg_cancel(skb, nlh);
402         return -1;
403 }
404
405 #ifdef CONFIG_NF_CONNTRACK_EVENTS
406 /*
407  * The general structure of a ctnetlink event is
408  *
409  *  CTA_TUPLE_ORIG
410  *    <l3/l4-proto-attributes>
411  *  CTA_TUPLE_REPLY
412  *    <l3/l4-proto-attributes>
413  *  CTA_ID
414  *  ...
415  *  CTA_PROTOINFO
416  *    <l4-proto-attributes>
417  *  CTA_TUPLE_MASTER
418  *    <l3/l4-proto-attributes>
419  *
420  * Therefore the formular is
421  *
422  *   size = sizeof(headers) + sizeof(generic_nlas) + 3 * sizeof(tuple_nlas)
423  *              + sizeof(protoinfo_nlas)
424  */
425 static struct sk_buff *
426 ctnetlink_alloc_skb(const struct nf_conntrack_tuple *tuple, gfp_t gfp)
427 {
428         struct nf_conntrack_l3proto *l3proto;
429         struct nf_conntrack_l4proto *l4proto;
430         int len;
431
432 #define NLA_TYPE_SIZE(type)             nla_total_size(sizeof(type))
433
434         /* proto independant part */
435         len = NLMSG_ALIGN(sizeof(struct nfgenmsg))
436                 + 3 * nla_total_size(0)         /* CTA_TUPLE_ORIG|REPL|MASTER */
437                 + 3 * nla_total_size(0)         /* CTA_TUPLE_IP */
438                 + 3 * nla_total_size(0)         /* CTA_TUPLE_PROTO */
439                 + 3 * NLA_TYPE_SIZE(u_int8_t)   /* CTA_PROTO_NUM */
440                 + NLA_TYPE_SIZE(u_int32_t)      /* CTA_ID */
441                 + NLA_TYPE_SIZE(u_int32_t)      /* CTA_STATUS */
442 #ifdef CONFIG_NF_CT_ACCT
443                 + 2 * nla_total_size(0)         /* CTA_COUNTERS_ORIG|REPL */
444                 + 2 * NLA_TYPE_SIZE(uint64_t)   /* CTA_COUNTERS_PACKETS */
445                 + 2 * NLA_TYPE_SIZE(uint64_t)   /* CTA_COUNTERS_BYTES */
446 #endif
447                 + NLA_TYPE_SIZE(u_int32_t)      /* CTA_TIMEOUT */
448                 + nla_total_size(0)             /* CTA_PROTOINFO */
449                 + nla_total_size(0)             /* CTA_HELP */
450                 + nla_total_size(NF_CT_HELPER_NAME_LEN) /* CTA_HELP_NAME */
451 #ifdef CONFIG_NF_CONNTRACK_SECMARK
452                 + NLA_TYPE_SIZE(u_int32_t)      /* CTA_SECMARK */
453 #endif
454 #ifdef CONFIG_NF_NAT_NEEDED
455                 + 2 * nla_total_size(0)         /* CTA_NAT_SEQ_ADJ_ORIG|REPL */
456                 + 2 * NLA_TYPE_SIZE(u_int32_t)  /* CTA_NAT_SEQ_CORRECTION_POS */
457                 + 2 * NLA_TYPE_SIZE(u_int32_t)  /* CTA_NAT_SEQ_CORRECTION_BEFORE */
458                 + 2 * NLA_TYPE_SIZE(u_int32_t)  /* CTA_NAT_SEQ_CORRECTION_AFTER */
459 #endif
460 #ifdef CONFIG_NF_CONNTRACK_MARK
461                 + NLA_TYPE_SIZE(u_int32_t)      /* CTA_MARK */
462 #endif
463                 ;
464
465 #undef NLA_TYPE_SIZE
466
467         rcu_read_lock();
468         l3proto = __nf_ct_l3proto_find(tuple->src.l3num);
469         len += l3proto->nla_size;
470
471         l4proto = __nf_ct_l4proto_find(tuple->src.l3num, tuple->dst.protonum);
472         len += l4proto->nla_size;
473         rcu_read_unlock();
474
475         return nlmsg_new(len, gfp);
476 }
477
478 static int ctnetlink_conntrack_event(struct notifier_block *this,
479                                      unsigned long events, void *ptr)
480 {
481         struct nlmsghdr *nlh;
482         struct nfgenmsg *nfmsg;
483         struct nlattr *nest_parms;
484         struct nf_ct_event *item = (struct nf_ct_event *)ptr;
485         struct nf_conn *ct = item->ct;
486         struct sk_buff *skb;
487         unsigned int type;
488         unsigned int flags = 0, group;
489
490         /* ignore our fake conntrack entry */
491         if (ct == &nf_conntrack_untracked)
492                 return NOTIFY_DONE;
493
494         if (events & IPCT_DESTROY) {
495                 type = IPCTNL_MSG_CT_DELETE;
496                 group = NFNLGRP_CONNTRACK_DESTROY;
497         } else  if (events & (IPCT_NEW | IPCT_RELATED)) {
498                 type = IPCTNL_MSG_CT_NEW;
499                 flags = NLM_F_CREATE|NLM_F_EXCL;
500                 group = NFNLGRP_CONNTRACK_NEW;
501         } else  if (events & (IPCT_STATUS | IPCT_PROTOINFO)) {
502                 type = IPCTNL_MSG_CT_NEW;
503                 group = NFNLGRP_CONNTRACK_UPDATE;
504         } else
505                 return NOTIFY_DONE;
506
507         if (!item->report && !nfnetlink_has_listeners(group))
508                 return NOTIFY_DONE;
509
510         skb = ctnetlink_alloc_skb(nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL),
511                                   GFP_ATOMIC);
512         if (!skb)
513                 goto errout;
514
515         type |= NFNL_SUBSYS_CTNETLINK << 8;
516         nlh = nlmsg_put(skb, item->pid, 0, type, sizeof(*nfmsg), flags);
517         if (nlh == NULL)
518                 goto nlmsg_failure;
519
520         nfmsg = nlmsg_data(nlh);
521         nfmsg->nfgen_family = nf_ct_l3num(ct);
522         nfmsg->version  = NFNETLINK_V0;
523         nfmsg->res_id   = 0;
524
525         rcu_read_lock();
526         nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED);
527         if (!nest_parms)
528                 goto nla_put_failure;
529         if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
530                 goto nla_put_failure;
531         nla_nest_end(skb, nest_parms);
532
533         nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY | NLA_F_NESTED);
534         if (!nest_parms)
535                 goto nla_put_failure;
536         if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
537                 goto nla_put_failure;
538         nla_nest_end(skb, nest_parms);
539
540         if (ctnetlink_dump_id(skb, ct) < 0)
541                 goto nla_put_failure;
542
543         if (ctnetlink_dump_status(skb, ct) < 0)
544                 goto nla_put_failure;
545
546         if (events & IPCT_DESTROY) {
547                 if (ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 ||
548                     ctnetlink_dump_counters(skb, ct, IP_CT_DIR_REPLY) < 0)
549                         goto nla_put_failure;
550         } else {
551                 if (ctnetlink_dump_timeout(skb, ct) < 0)
552                         goto nla_put_failure;
553
554                 if (events & IPCT_PROTOINFO
555                     && ctnetlink_dump_protoinfo(skb, ct) < 0)
556                         goto nla_put_failure;
557
558                 if ((events & IPCT_HELPER || nfct_help(ct))
559                     && ctnetlink_dump_helpinfo(skb, ct) < 0)
560                         goto nla_put_failure;
561
562 #ifdef CONFIG_NF_CONNTRACK_SECMARK
563                 if ((events & IPCT_SECMARK || ct->secmark)
564                     && ctnetlink_dump_secmark(skb, ct) < 0)
565                         goto nla_put_failure;
566 #endif
567
568                 if (events & IPCT_RELATED &&
569                     ctnetlink_dump_master(skb, ct) < 0)
570                         goto nla_put_failure;
571
572                 if (events & IPCT_NATSEQADJ &&
573                     ctnetlink_dump_nat_seq_adj(skb, ct) < 0)
574                         goto nla_put_failure;
575         }
576
577 #ifdef CONFIG_NF_CONNTRACK_MARK
578         if ((events & IPCT_MARK || ct->mark)
579             && ctnetlink_dump_mark(skb, ct) < 0)
580                 goto nla_put_failure;
581 #endif
582         rcu_read_unlock();
583
584         nlmsg_end(skb, nlh);
585         nfnetlink_send(skb, item->pid, group, item->report);
586         return NOTIFY_DONE;
587
588 nla_put_failure:
589         rcu_read_unlock();
590         nlmsg_cancel(skb, nlh);
591 nlmsg_failure:
592         kfree_skb(skb);
593 errout:
594         nfnetlink_set_err(0, group, -ENOBUFS);
595         return NOTIFY_DONE;
596 }
597 #endif /* CONFIG_NF_CONNTRACK_EVENTS */
598
599 static int ctnetlink_done(struct netlink_callback *cb)
600 {
601         if (cb->args[1])
602                 nf_ct_put((struct nf_conn *)cb->args[1]);
603         return 0;
604 }
605
606 static int
607 ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
608 {
609         struct nf_conn *ct, *last;
610         struct nf_conntrack_tuple_hash *h;
611         struct hlist_nulls_node *n;
612         struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
613         u_int8_t l3proto = nfmsg->nfgen_family;
614
615         rcu_read_lock();
616         last = (struct nf_conn *)cb->args[1];
617         for (; cb->args[0] < nf_conntrack_htable_size; cb->args[0]++) {
618 restart:
619                 hlist_nulls_for_each_entry_rcu(h, n, &init_net.ct.hash[cb->args[0]],
620                                          hnnode) {
621                         if (NF_CT_DIRECTION(h) != IP_CT_DIR_ORIGINAL)
622                                 continue;
623                         ct = nf_ct_tuplehash_to_ctrack(h);
624                         if (!atomic_inc_not_zero(&ct->ct_general.use))
625                                 continue;
626                         /* Dump entries of a given L3 protocol number.
627                          * If it is not specified, ie. l3proto == 0,
628                          * then dump everything. */
629                         if (l3proto && nf_ct_l3num(ct) != l3proto)
630                                 goto releasect;
631                         if (cb->args[1]) {
632                                 if (ct != last)
633                                         goto releasect;
634                                 cb->args[1] = 0;
635                         }
636                         if (ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).pid,
637                                                 cb->nlh->nlmsg_seq,
638                                                 IPCTNL_MSG_CT_NEW, ct) < 0) {
639                                 cb->args[1] = (unsigned long)ct;
640                                 goto out;
641                         }
642
643                         if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) ==
644                                                 IPCTNL_MSG_CT_GET_CTRZERO) {
645                                 struct nf_conn_counter *acct;
646
647                                 acct = nf_conn_acct_find(ct);
648                                 if (acct)
649                                         memset(acct, 0, sizeof(struct nf_conn_counter[IP_CT_DIR_MAX]));
650                         }
651 releasect:
652                 nf_ct_put(ct);
653                 }
654                 if (cb->args[1]) {
655                         cb->args[1] = 0;
656                         goto restart;
657                 }
658         }
659 out:
660         rcu_read_unlock();
661         if (last)
662                 nf_ct_put(last);
663
664         return skb->len;
665 }
666
667 static inline int
668 ctnetlink_parse_tuple_ip(struct nlattr *attr, struct nf_conntrack_tuple *tuple)
669 {
670         struct nlattr *tb[CTA_IP_MAX+1];
671         struct nf_conntrack_l3proto *l3proto;
672         int ret = 0;
673
674         nla_parse_nested(tb, CTA_IP_MAX, attr, NULL);
675
676         rcu_read_lock();
677         l3proto = __nf_ct_l3proto_find(tuple->src.l3num);
678
679         if (likely(l3proto->nlattr_to_tuple)) {
680                 ret = nla_validate_nested(attr, CTA_IP_MAX,
681                                           l3proto->nla_policy);
682                 if (ret == 0)
683                         ret = l3proto->nlattr_to_tuple(tb, tuple);
684         }
685
686         rcu_read_unlock();
687
688         return ret;
689 }
690
691 static const struct nla_policy proto_nla_policy[CTA_PROTO_MAX+1] = {
692         [CTA_PROTO_NUM] = { .type = NLA_U8 },
693 };
694
695 static inline int
696 ctnetlink_parse_tuple_proto(struct nlattr *attr,
697                             struct nf_conntrack_tuple *tuple)
698 {
699         struct nlattr *tb[CTA_PROTO_MAX+1];
700         struct nf_conntrack_l4proto *l4proto;
701         int ret = 0;
702
703         ret = nla_parse_nested(tb, CTA_PROTO_MAX, attr, proto_nla_policy);
704         if (ret < 0)
705                 return ret;
706
707         if (!tb[CTA_PROTO_NUM])
708                 return -EINVAL;
709         tuple->dst.protonum = nla_get_u8(tb[CTA_PROTO_NUM]);
710
711         rcu_read_lock();
712         l4proto = __nf_ct_l4proto_find(tuple->src.l3num, tuple->dst.protonum);
713
714         if (likely(l4proto->nlattr_to_tuple)) {
715                 ret = nla_validate_nested(attr, CTA_PROTO_MAX,
716                                           l4proto->nla_policy);
717                 if (ret == 0)
718                         ret = l4proto->nlattr_to_tuple(tb, tuple);
719         }
720
721         rcu_read_unlock();
722
723         return ret;
724 }
725
726 static int
727 ctnetlink_parse_tuple(struct nlattr *cda[], struct nf_conntrack_tuple *tuple,
728                       enum ctattr_tuple type, u_int8_t l3num)
729 {
730         struct nlattr *tb[CTA_TUPLE_MAX+1];
731         int err;
732
733         memset(tuple, 0, sizeof(*tuple));
734
735         nla_parse_nested(tb, CTA_TUPLE_MAX, cda[type], NULL);
736
737         if (!tb[CTA_TUPLE_IP])
738                 return -EINVAL;
739
740         tuple->src.l3num = l3num;
741
742         err = ctnetlink_parse_tuple_ip(tb[CTA_TUPLE_IP], tuple);
743         if (err < 0)
744                 return err;
745
746         if (!tb[CTA_TUPLE_PROTO])
747                 return -EINVAL;
748
749         err = ctnetlink_parse_tuple_proto(tb[CTA_TUPLE_PROTO], tuple);
750         if (err < 0)
751                 return err;
752
753         /* orig and expect tuples get DIR_ORIGINAL */
754         if (type == CTA_TUPLE_REPLY)
755                 tuple->dst.dir = IP_CT_DIR_REPLY;
756         else
757                 tuple->dst.dir = IP_CT_DIR_ORIGINAL;
758
759         return 0;
760 }
761
762 static inline int
763 ctnetlink_parse_help(struct nlattr *attr, char **helper_name)
764 {
765         struct nlattr *tb[CTA_HELP_MAX+1];
766
767         nla_parse_nested(tb, CTA_HELP_MAX, attr, NULL);
768
769         if (!tb[CTA_HELP_NAME])
770                 return -EINVAL;
771
772         *helper_name = nla_data(tb[CTA_HELP_NAME]);
773
774         return 0;
775 }
776
777 static const struct nla_policy ct_nla_policy[CTA_MAX+1] = {
778         [CTA_STATUS]            = { .type = NLA_U32 },
779         [CTA_TIMEOUT]           = { .type = NLA_U32 },
780         [CTA_MARK]              = { .type = NLA_U32 },
781         [CTA_USE]               = { .type = NLA_U32 },
782         [CTA_ID]                = { .type = NLA_U32 },
783 };
784
785 static int
786 ctnetlink_del_conntrack(struct sock *ctnl, struct sk_buff *skb,
787                         struct nlmsghdr *nlh, struct nlattr *cda[])
788 {
789         struct nf_conntrack_tuple_hash *h;
790         struct nf_conntrack_tuple tuple;
791         struct nf_conn *ct;
792         struct nfgenmsg *nfmsg = nlmsg_data(nlh);
793         u_int8_t u3 = nfmsg->nfgen_family;
794         int err = 0;
795
796         if (cda[CTA_TUPLE_ORIG])
797                 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, u3);
798         else if (cda[CTA_TUPLE_REPLY])
799                 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY, u3);
800         else {
801                 /* Flush the whole table */
802                 nf_conntrack_flush(&init_net, 
803                                    NETLINK_CB(skb).pid, 
804                                    nlmsg_report(nlh));
805                 return 0;
806         }
807
808         if (err < 0)
809                 return err;
810
811         h = nf_conntrack_find_get(&init_net, &tuple);
812         if (!h)
813                 return -ENOENT;
814
815         ct = nf_ct_tuplehash_to_ctrack(h);
816
817         if (cda[CTA_ID]) {
818                 u_int32_t id = ntohl(nla_get_be32(cda[CTA_ID]));
819                 if (id != (u32)(unsigned long)ct) {
820                         nf_ct_put(ct);
821                         return -ENOENT;
822                 }
823         }
824
825         nf_conntrack_event_report(IPCT_DESTROY,
826                                   ct,
827                                   NETLINK_CB(skb).pid,
828                                   nlmsg_report(nlh));
829
830         /* death_by_timeout would report the event again */
831         set_bit(IPS_DYING_BIT, &ct->status);
832
833         nf_ct_kill(ct);
834         nf_ct_put(ct);
835
836         return 0;
837 }
838
839 static int
840 ctnetlink_get_conntrack(struct sock *ctnl, struct sk_buff *skb,
841                         struct nlmsghdr *nlh, struct nlattr *cda[])
842 {
843         struct nf_conntrack_tuple_hash *h;
844         struct nf_conntrack_tuple tuple;
845         struct nf_conn *ct;
846         struct sk_buff *skb2 = NULL;
847         struct nfgenmsg *nfmsg = nlmsg_data(nlh);
848         u_int8_t u3 = nfmsg->nfgen_family;
849         int err = 0;
850
851         if (nlh->nlmsg_flags & NLM_F_DUMP)
852                 return netlink_dump_start(ctnl, skb, nlh, ctnetlink_dump_table,
853                                           ctnetlink_done);
854
855         if (cda[CTA_TUPLE_ORIG])
856                 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, u3);
857         else if (cda[CTA_TUPLE_REPLY])
858                 err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY, u3);
859         else
860                 return -EINVAL;
861
862         if (err < 0)
863                 return err;
864
865         h = nf_conntrack_find_get(&init_net, &tuple);
866         if (!h)
867                 return -ENOENT;
868
869         ct = nf_ct_tuplehash_to_ctrack(h);
870
871         err = -ENOMEM;
872         skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
873         if (skb2 == NULL) {
874                 nf_ct_put(ct);
875                 return -ENOMEM;
876         }
877
878         rcu_read_lock();
879         err = ctnetlink_fill_info(skb2, NETLINK_CB(skb).pid, nlh->nlmsg_seq,
880                                   IPCTNL_MSG_CT_NEW, ct);
881         rcu_read_unlock();
882         nf_ct_put(ct);
883         if (err <= 0)
884                 goto free;
885
886         err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT);
887         if (err < 0)
888                 goto out;
889
890         return 0;
891
892 free:
893         kfree_skb(skb2);
894 out:
895         return err;
896 }
897
898 #ifdef CONFIG_NF_NAT_NEEDED
899 static int
900 ctnetlink_parse_nat_setup(struct nf_conn *ct,
901                           enum nf_nat_manip_type manip,
902                           struct nlattr *attr)
903 {
904         typeof(nfnetlink_parse_nat_setup_hook) parse_nat_setup;
905
906         parse_nat_setup = rcu_dereference(nfnetlink_parse_nat_setup_hook);
907         if (!parse_nat_setup) {
908 #ifdef CONFIG_MODULES
909                 rcu_read_unlock();
910                 spin_unlock_bh(&nf_conntrack_lock);
911                 nfnl_unlock();
912                 if (request_module("nf-nat-ipv4") < 0) {
913                         nfnl_lock();
914                         spin_lock_bh(&nf_conntrack_lock);
915                         rcu_read_lock();
916                         return -EOPNOTSUPP;
917                 }
918                 nfnl_lock();
919                 spin_lock_bh(&nf_conntrack_lock);
920                 rcu_read_lock();
921                 if (nfnetlink_parse_nat_setup_hook)
922                         return -EAGAIN;
923 #endif
924                 return -EOPNOTSUPP;
925         }
926
927         return parse_nat_setup(ct, manip, attr);
928 }
929 #endif
930
931 static int
932 ctnetlink_change_status(struct nf_conn *ct, struct nlattr *cda[])
933 {
934         unsigned long d;
935         unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS]));
936         d = ct->status ^ status;
937
938         if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING))
939                 /* unchangeable */
940                 return -EBUSY;
941
942         if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY))
943                 /* SEEN_REPLY bit can only be set */
944                 return -EBUSY;
945
946         if (d & IPS_ASSURED && !(status & IPS_ASSURED))
947                 /* ASSURED bit can only be set */
948                 return -EBUSY;
949
950         /* Be careful here, modifying NAT bits can screw up things,
951          * so don't let users modify them directly if they don't pass
952          * nf_nat_range. */
953         ct->status |= status & ~(IPS_NAT_DONE_MASK | IPS_NAT_MASK);
954         return 0;
955 }
956
957 static int
958 ctnetlink_change_nat(struct nf_conn *ct, struct nlattr *cda[])
959 {
960 #ifdef CONFIG_NF_NAT_NEEDED
961         int ret;
962
963         if (cda[CTA_NAT_DST]) {
964                 ret = ctnetlink_parse_nat_setup(ct,
965                                                 IP_NAT_MANIP_DST,
966                                                 cda[CTA_NAT_DST]);
967                 if (ret < 0)
968                         return ret;
969         }
970         if (cda[CTA_NAT_SRC]) {
971                 ret = ctnetlink_parse_nat_setup(ct,
972                                                 IP_NAT_MANIP_SRC,
973                                                 cda[CTA_NAT_SRC]);
974                 if (ret < 0)
975                         return ret;
976         }
977         return 0;
978 #else
979         return -EOPNOTSUPP;
980 #endif
981 }
982
983 static inline int
984 ctnetlink_change_helper(struct nf_conn *ct, struct nlattr *cda[])
985 {
986         struct nf_conntrack_helper *helper;
987         struct nf_conn_help *help = nfct_help(ct);
988         char *helpname = NULL;
989         int err;
990
991         /* don't change helper of sibling connections */
992         if (ct->master)
993                 return -EBUSY;
994
995         err = ctnetlink_parse_help(cda[CTA_HELP], &helpname);
996         if (err < 0)
997                 return err;
998
999         if (!strcmp(helpname, "")) {
1000                 if (help && help->helper) {
1001                         /* we had a helper before ... */
1002                         nf_ct_remove_expectations(ct);
1003                         rcu_assign_pointer(help->helper, NULL);
1004                 }
1005
1006                 return 0;
1007         }
1008
1009         helper = __nf_conntrack_helper_find_byname(helpname);
1010         if (helper == NULL) {
1011 #ifdef CONFIG_MODULES
1012                 spin_unlock_bh(&nf_conntrack_lock);
1013
1014                 if (request_module("nfct-helper-%s", helpname) < 0) {
1015                         spin_lock_bh(&nf_conntrack_lock);
1016                         return -EOPNOTSUPP;
1017                 }
1018
1019                 spin_lock_bh(&nf_conntrack_lock);
1020                 helper = __nf_conntrack_helper_find_byname(helpname);
1021                 if (helper)
1022                         return -EAGAIN;
1023 #endif
1024                 return -EOPNOTSUPP;
1025         }
1026
1027         if (help) {
1028                 if (help->helper == helper)
1029                         return 0;
1030                 if (help->helper)
1031                         return -EBUSY;
1032                 /* need to zero data of old helper */
1033                 memset(&help->help, 0, sizeof(help->help));
1034         } else {
1035                 help = nf_ct_helper_ext_add(ct, GFP_ATOMIC);
1036                 if (help == NULL)
1037                         return -ENOMEM;
1038         }
1039
1040         rcu_assign_pointer(help->helper, helper);
1041
1042         return 0;
1043 }
1044
1045 static inline int
1046 ctnetlink_change_timeout(struct nf_conn *ct, struct nlattr *cda[])
1047 {
1048         u_int32_t timeout = ntohl(nla_get_be32(cda[CTA_TIMEOUT]));
1049
1050         if (!del_timer(&ct->timeout))
1051                 return -ETIME;
1052
1053         ct->timeout.expires = jiffies + timeout * HZ;
1054         add_timer(&ct->timeout);
1055
1056         return 0;
1057 }
1058
1059 static inline int
1060 ctnetlink_change_protoinfo(struct nf_conn *ct, struct nlattr *cda[])
1061 {
1062         struct nlattr *tb[CTA_PROTOINFO_MAX+1], *attr = cda[CTA_PROTOINFO];
1063         struct nf_conntrack_l4proto *l4proto;
1064         int err = 0;
1065
1066         nla_parse_nested(tb, CTA_PROTOINFO_MAX, attr, NULL);
1067
1068         rcu_read_lock();
1069         l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
1070         if (l4proto->from_nlattr)
1071                 err = l4proto->from_nlattr(tb, ct);
1072         rcu_read_unlock();
1073
1074         return err;
1075 }
1076
1077 #ifdef CONFIG_NF_NAT_NEEDED
1078 static inline int
1079 change_nat_seq_adj(struct nf_nat_seq *natseq, struct nlattr *attr)
1080 {
1081         struct nlattr *cda[CTA_NAT_SEQ_MAX+1];
1082
1083         nla_parse_nested(cda, CTA_NAT_SEQ_MAX, attr, NULL);
1084
1085         if (!cda[CTA_NAT_SEQ_CORRECTION_POS])
1086                 return -EINVAL;
1087
1088         natseq->correction_pos =
1089                 ntohl(nla_get_be32(cda[CTA_NAT_SEQ_CORRECTION_POS]));
1090
1091         if (!cda[CTA_NAT_SEQ_OFFSET_BEFORE])
1092                 return -EINVAL;
1093
1094         natseq->offset_before =
1095                 ntohl(nla_get_be32(cda[CTA_NAT_SEQ_OFFSET_BEFORE]));
1096
1097         if (!cda[CTA_NAT_SEQ_OFFSET_AFTER])
1098                 return -EINVAL;
1099
1100         natseq->offset_after =
1101                 ntohl(nla_get_be32(cda[CTA_NAT_SEQ_OFFSET_AFTER]));
1102
1103         return 0;
1104 }
1105
1106 static int
1107 ctnetlink_change_nat_seq_adj(struct nf_conn *ct, struct nlattr *cda[])
1108 {
1109         int ret = 0;
1110         struct nf_conn_nat *nat = nfct_nat(ct);
1111
1112         if (!nat)
1113                 return 0;
1114
1115         if (cda[CTA_NAT_SEQ_ADJ_ORIG]) {
1116                 ret = change_nat_seq_adj(&nat->seq[IP_CT_DIR_ORIGINAL],
1117                                          cda[CTA_NAT_SEQ_ADJ_ORIG]);
1118                 if (ret < 0)
1119                         return ret;
1120
1121                 ct->status |= IPS_SEQ_ADJUST;
1122         }
1123
1124         if (cda[CTA_NAT_SEQ_ADJ_REPLY]) {
1125                 ret = change_nat_seq_adj(&nat->seq[IP_CT_DIR_REPLY],
1126                                          cda[CTA_NAT_SEQ_ADJ_REPLY]);
1127                 if (ret < 0)
1128                         return ret;
1129
1130                 ct->status |= IPS_SEQ_ADJUST;
1131         }
1132
1133         return 0;
1134 }
1135 #endif
1136
1137 static int
1138 ctnetlink_change_conntrack(struct nf_conn *ct, struct nlattr *cda[])
1139 {
1140         int err;
1141
1142         /* only allow NAT changes and master assignation for new conntracks */
1143         if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST] || cda[CTA_TUPLE_MASTER])
1144                 return -EOPNOTSUPP;
1145
1146         if (cda[CTA_HELP]) {
1147                 err = ctnetlink_change_helper(ct, cda);
1148                 if (err < 0)
1149                         return err;
1150         }
1151
1152         if (cda[CTA_TIMEOUT]) {
1153                 err = ctnetlink_change_timeout(ct, cda);
1154                 if (err < 0)
1155                         return err;
1156         }
1157
1158         if (cda[CTA_STATUS]) {
1159                 err = ctnetlink_change_status(ct, cda);
1160                 if (err < 0)
1161                         return err;
1162         }
1163
1164         if (cda[CTA_PROTOINFO]) {
1165                 err = ctnetlink_change_protoinfo(ct, cda);
1166                 if (err < 0)
1167                         return err;
1168         }
1169
1170 #if defined(CONFIG_NF_CONNTRACK_MARK)
1171         if (cda[CTA_MARK])
1172                 ct->mark = ntohl(nla_get_be32(cda[CTA_MARK]));
1173 #endif
1174
1175 #ifdef CONFIG_NF_NAT_NEEDED
1176         if (cda[CTA_NAT_SEQ_ADJ_ORIG] || cda[CTA_NAT_SEQ_ADJ_REPLY]) {
1177                 err = ctnetlink_change_nat_seq_adj(ct, cda);
1178                 if (err < 0)
1179                         return err;
1180         }
1181 #endif
1182
1183         return 0;
1184 }
1185
1186 static struct nf_conn *
1187 ctnetlink_create_conntrack(struct nlattr *cda[],
1188                            struct nf_conntrack_tuple *otuple,
1189                            struct nf_conntrack_tuple *rtuple,
1190                            u8 u3)
1191 {
1192         struct nf_conn *ct;
1193         int err = -EINVAL;
1194         struct nf_conntrack_helper *helper;
1195
1196         ct = nf_conntrack_alloc(&init_net, otuple, rtuple, GFP_ATOMIC);
1197         if (IS_ERR(ct))
1198                 return ERR_PTR(-ENOMEM);
1199
1200         if (!cda[CTA_TIMEOUT])
1201                 goto err1;
1202         ct->timeout.expires = ntohl(nla_get_be32(cda[CTA_TIMEOUT]));
1203
1204         ct->timeout.expires = jiffies + ct->timeout.expires * HZ;
1205         ct->status |= IPS_CONFIRMED;
1206
1207         rcu_read_lock();
1208         if (cda[CTA_HELP]) {
1209                 char *helpname = NULL;
1210  
1211                 err = ctnetlink_parse_help(cda[CTA_HELP], &helpname);
1212                 if (err < 0)
1213                         goto err2;
1214
1215                 helper = __nf_conntrack_helper_find_byname(helpname);
1216                 if (helper == NULL) {
1217                         rcu_read_unlock();
1218 #ifdef CONFIG_MODULES
1219                         if (request_module("nfct-helper-%s", helpname) < 0) {
1220                                 err = -EOPNOTSUPP;
1221                                 goto err1;
1222                         }
1223
1224                         rcu_read_lock();
1225                         helper = __nf_conntrack_helper_find_byname(helpname);
1226                         if (helper) {
1227                                 err = -EAGAIN;
1228                                 goto err2;
1229                         }
1230                         rcu_read_unlock();
1231 #endif
1232                         err = -EOPNOTSUPP;
1233                         goto err1;
1234                 } else {
1235                         struct nf_conn_help *help;
1236
1237                         help = nf_ct_helper_ext_add(ct, GFP_ATOMIC);
1238                         if (help == NULL) {
1239                                 err = -ENOMEM;
1240                                 goto err2;
1241                         }
1242
1243                         /* not in hash table yet so not strictly necessary */
1244                         rcu_assign_pointer(help->helper, helper);
1245                 }
1246         } else {
1247                 /* try an implicit helper assignation */
1248                 err = __nf_ct_try_assign_helper(ct, GFP_ATOMIC);
1249                 if (err < 0)
1250                         goto err2;
1251         }
1252
1253         if (cda[CTA_STATUS]) {
1254                 err = ctnetlink_change_status(ct, cda);
1255                 if (err < 0)
1256                         goto err2;
1257         }
1258
1259         if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST]) {
1260                 err = ctnetlink_change_nat(ct, cda);
1261                 if (err < 0)
1262                         goto err2;
1263         }
1264
1265 #ifdef CONFIG_NF_NAT_NEEDED
1266         if (cda[CTA_NAT_SEQ_ADJ_ORIG] || cda[CTA_NAT_SEQ_ADJ_REPLY]) {
1267                 err = ctnetlink_change_nat_seq_adj(ct, cda);
1268                 if (err < 0)
1269                         goto err2;
1270         }
1271 #endif
1272
1273         if (cda[CTA_PROTOINFO]) {
1274                 err = ctnetlink_change_protoinfo(ct, cda);
1275                 if (err < 0)
1276                         goto err2;
1277         }
1278
1279         nf_ct_acct_ext_add(ct, GFP_ATOMIC);
1280
1281 #if defined(CONFIG_NF_CONNTRACK_MARK)
1282         if (cda[CTA_MARK])
1283                 ct->mark = ntohl(nla_get_be32(cda[CTA_MARK]));
1284 #endif
1285
1286         /* setup master conntrack: this is a confirmed expectation */
1287         if (cda[CTA_TUPLE_MASTER]) {
1288                 struct nf_conntrack_tuple master;
1289                 struct nf_conntrack_tuple_hash *master_h;
1290                 struct nf_conn *master_ct;
1291
1292                 err = ctnetlink_parse_tuple(cda, &master, CTA_TUPLE_MASTER, u3);
1293                 if (err < 0)
1294                         goto err2;
1295
1296                 master_h = nf_conntrack_find_get(&init_net, &master);
1297                 if (master_h == NULL) {
1298                         err = -ENOENT;
1299                         goto err2;
1300                 }
1301                 master_ct = nf_ct_tuplehash_to_ctrack(master_h);
1302                 __set_bit(IPS_EXPECTED_BIT, &ct->status);
1303                 ct->master = master_ct;
1304         }
1305
1306         add_timer(&ct->timeout);
1307         nf_conntrack_hash_insert(ct);
1308         rcu_read_unlock();
1309
1310         return ct;
1311
1312 err2:
1313         rcu_read_unlock();
1314 err1:
1315         nf_conntrack_free(ct);
1316         return ERR_PTR(err);
1317 }
1318
1319 static int
1320 ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
1321                         struct nlmsghdr *nlh, struct nlattr *cda[])
1322 {
1323         struct nf_conntrack_tuple otuple, rtuple;
1324         struct nf_conntrack_tuple_hash *h = NULL;
1325         struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1326         u_int8_t u3 = nfmsg->nfgen_family;
1327         int err = 0;
1328
1329         if (cda[CTA_TUPLE_ORIG]) {
1330                 err = ctnetlink_parse_tuple(cda, &otuple, CTA_TUPLE_ORIG, u3);
1331                 if (err < 0)
1332                         return err;
1333         }
1334
1335         if (cda[CTA_TUPLE_REPLY]) {
1336                 err = ctnetlink_parse_tuple(cda, &rtuple, CTA_TUPLE_REPLY, u3);
1337                 if (err < 0)
1338                         return err;
1339         }
1340
1341         spin_lock_bh(&nf_conntrack_lock);
1342         if (cda[CTA_TUPLE_ORIG])
1343                 h = __nf_conntrack_find(&init_net, &otuple);
1344         else if (cda[CTA_TUPLE_REPLY])
1345                 h = __nf_conntrack_find(&init_net, &rtuple);
1346
1347         if (h == NULL) {
1348                 err = -ENOENT;
1349                 if (nlh->nlmsg_flags & NLM_F_CREATE) {
1350                         struct nf_conn *ct;
1351                         enum ip_conntrack_events events;
1352
1353                         ct = ctnetlink_create_conntrack(cda, &otuple,
1354                                                         &rtuple, u3);
1355                         if (IS_ERR(ct)) {
1356                                 err = PTR_ERR(ct);
1357                                 goto out_unlock;
1358                         }
1359                         err = 0;
1360                         nf_conntrack_get(&ct->ct_general);
1361                         spin_unlock_bh(&nf_conntrack_lock);
1362                         if (test_bit(IPS_EXPECTED_BIT, &ct->status))
1363                                 events = IPCT_RELATED;
1364                         else
1365                                 events = IPCT_NEW;
1366
1367                         nf_conntrack_event_report(IPCT_STATUS |
1368                                                   IPCT_HELPER |
1369                                                   IPCT_PROTOINFO |
1370                                                   IPCT_NATSEQADJ |
1371                                                   IPCT_MARK | events,
1372                                                   ct, NETLINK_CB(skb).pid,
1373                                                   nlmsg_report(nlh));
1374                         nf_ct_put(ct);
1375                 } else
1376                         spin_unlock_bh(&nf_conntrack_lock);
1377
1378                 return err;
1379         }
1380         /* implicit 'else' */
1381
1382         /* We manipulate the conntrack inside the global conntrack table lock,
1383          * so there's no need to increase the refcount */
1384         err = -EEXIST;
1385         if (!(nlh->nlmsg_flags & NLM_F_EXCL)) {
1386                 struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h);
1387
1388                 err = ctnetlink_change_conntrack(ct, cda);
1389                 if (err == 0) {
1390                         nf_conntrack_get(&ct->ct_general);
1391                         spin_unlock_bh(&nf_conntrack_lock);
1392                         nf_conntrack_event_report(IPCT_STATUS |
1393                                                   IPCT_HELPER |
1394                                                   IPCT_PROTOINFO |
1395                                                   IPCT_NATSEQADJ |
1396                                                   IPCT_MARK,
1397                                                   ct, NETLINK_CB(skb).pid,
1398                                                   nlmsg_report(nlh));
1399                         nf_ct_put(ct);
1400                 } else
1401                         spin_unlock_bh(&nf_conntrack_lock);
1402
1403                 return err;
1404         }
1405
1406 out_unlock:
1407         spin_unlock_bh(&nf_conntrack_lock);
1408         return err;
1409 }
1410
1411 /***********************************************************************
1412  * EXPECT
1413  ***********************************************************************/
1414
1415 static inline int
1416 ctnetlink_exp_dump_tuple(struct sk_buff *skb,
1417                          const struct nf_conntrack_tuple *tuple,
1418                          enum ctattr_expect type)
1419 {
1420         struct nlattr *nest_parms;
1421
1422         nest_parms = nla_nest_start(skb, type | NLA_F_NESTED);
1423         if (!nest_parms)
1424                 goto nla_put_failure;
1425         if (ctnetlink_dump_tuples(skb, tuple) < 0)
1426                 goto nla_put_failure;
1427         nla_nest_end(skb, nest_parms);
1428
1429         return 0;
1430
1431 nla_put_failure:
1432         return -1;
1433 }
1434
1435 static inline int
1436 ctnetlink_exp_dump_mask(struct sk_buff *skb,
1437                         const struct nf_conntrack_tuple *tuple,
1438                         const struct nf_conntrack_tuple_mask *mask)
1439 {
1440         int ret;
1441         struct nf_conntrack_l3proto *l3proto;
1442         struct nf_conntrack_l4proto *l4proto;
1443         struct nf_conntrack_tuple m;
1444         struct nlattr *nest_parms;
1445
1446         memset(&m, 0xFF, sizeof(m));
1447         m.src.u.all = mask->src.u.all;
1448         memcpy(&m.src.u3, &mask->src.u3, sizeof(m.src.u3));
1449
1450         nest_parms = nla_nest_start(skb, CTA_EXPECT_MASK | NLA_F_NESTED);
1451         if (!nest_parms)
1452                 goto nla_put_failure;
1453
1454         l3proto = __nf_ct_l3proto_find(tuple->src.l3num);
1455         ret = ctnetlink_dump_tuples_ip(skb, &m, l3proto);
1456
1457         if (unlikely(ret < 0))
1458                 goto nla_put_failure;
1459
1460         l4proto = __nf_ct_l4proto_find(tuple->src.l3num, tuple->dst.protonum);
1461         ret = ctnetlink_dump_tuples_proto(skb, &m, l4proto);
1462         if (unlikely(ret < 0))
1463                 goto nla_put_failure;
1464
1465         nla_nest_end(skb, nest_parms);
1466
1467         return 0;
1468
1469 nla_put_failure:
1470         return -1;
1471 }
1472
1473 static int
1474 ctnetlink_exp_dump_expect(struct sk_buff *skb,
1475                           const struct nf_conntrack_expect *exp)
1476 {
1477         struct nf_conn *master = exp->master;
1478         long timeout = (exp->timeout.expires - jiffies) / HZ;
1479
1480         if (timeout < 0)
1481                 timeout = 0;
1482
1483         if (ctnetlink_exp_dump_tuple(skb, &exp->tuple, CTA_EXPECT_TUPLE) < 0)
1484                 goto nla_put_failure;
1485         if (ctnetlink_exp_dump_mask(skb, &exp->tuple, &exp->mask) < 0)
1486                 goto nla_put_failure;
1487         if (ctnetlink_exp_dump_tuple(skb,
1488                                  &master->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
1489                                  CTA_EXPECT_MASTER) < 0)
1490                 goto nla_put_failure;
1491
1492         NLA_PUT_BE32(skb, CTA_EXPECT_TIMEOUT, htonl(timeout));
1493         NLA_PUT_BE32(skb, CTA_EXPECT_ID, htonl((unsigned long)exp));
1494
1495         return 0;
1496
1497 nla_put_failure:
1498         return -1;
1499 }
1500
1501 static int
1502 ctnetlink_exp_fill_info(struct sk_buff *skb, u32 pid, u32 seq,
1503                         int event, const struct nf_conntrack_expect *exp)
1504 {
1505         struct nlmsghdr *nlh;
1506         struct nfgenmsg *nfmsg;
1507         unsigned int flags = pid ? NLM_F_MULTI : 0;
1508
1509         event |= NFNL_SUBSYS_CTNETLINK_EXP << 8;
1510         nlh = nlmsg_put(skb, pid, seq, event, sizeof(*nfmsg), flags);
1511         if (nlh == NULL)
1512                 goto nlmsg_failure;
1513
1514         nfmsg = nlmsg_data(nlh);
1515         nfmsg->nfgen_family = exp->tuple.src.l3num;
1516         nfmsg->version      = NFNETLINK_V0;
1517         nfmsg->res_id       = 0;
1518
1519         if (ctnetlink_exp_dump_expect(skb, exp) < 0)
1520                 goto nla_put_failure;
1521
1522         nlmsg_end(skb, nlh);
1523         return skb->len;
1524
1525 nlmsg_failure:
1526 nla_put_failure:
1527         nlmsg_cancel(skb, nlh);
1528         return -1;
1529 }
1530
1531 #ifdef CONFIG_NF_CONNTRACK_EVENTS
1532 static int ctnetlink_expect_event(struct notifier_block *this,
1533                                   unsigned long events, void *ptr)
1534 {
1535         struct nlmsghdr *nlh;
1536         struct nfgenmsg *nfmsg;
1537         struct nf_exp_event *item = (struct nf_exp_event *)ptr;
1538         struct nf_conntrack_expect *exp = item->exp;
1539         struct sk_buff *skb;
1540         unsigned int type;
1541         int flags = 0;
1542
1543         if (events & IPEXP_NEW) {
1544                 type = IPCTNL_MSG_EXP_NEW;
1545                 flags = NLM_F_CREATE|NLM_F_EXCL;
1546         } else
1547                 return NOTIFY_DONE;
1548
1549         if (!item->report &&
1550             !nfnetlink_has_listeners(NFNLGRP_CONNTRACK_EXP_NEW))
1551                 return NOTIFY_DONE;
1552
1553         skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
1554         if (skb == NULL)
1555                 goto errout;
1556
1557         type |= NFNL_SUBSYS_CTNETLINK_EXP << 8;
1558         nlh = nlmsg_put(skb, item->pid, 0, type, sizeof(*nfmsg), flags);
1559         if (nlh == NULL)
1560                 goto nlmsg_failure;
1561
1562         nfmsg = nlmsg_data(nlh);
1563         nfmsg->nfgen_family = exp->tuple.src.l3num;
1564         nfmsg->version      = NFNETLINK_V0;
1565         nfmsg->res_id       = 0;
1566
1567         rcu_read_lock();
1568         if (ctnetlink_exp_dump_expect(skb, exp) < 0)
1569                 goto nla_put_failure;
1570         rcu_read_unlock();
1571
1572         nlmsg_end(skb, nlh);
1573         nfnetlink_send(skb, item->pid, NFNLGRP_CONNTRACK_EXP_NEW, item->report);
1574         return NOTIFY_DONE;
1575
1576 nla_put_failure:
1577         rcu_read_unlock();
1578         nlmsg_cancel(skb, nlh);
1579 nlmsg_failure:
1580         kfree_skb(skb);
1581 errout:
1582         nfnetlink_set_err(0, 0, -ENOBUFS);
1583         return NOTIFY_DONE;
1584 }
1585 #endif
1586 static int ctnetlink_exp_done(struct netlink_callback *cb)
1587 {
1588         if (cb->args[1])
1589                 nf_ct_expect_put((struct nf_conntrack_expect *)cb->args[1]);
1590         return 0;
1591 }
1592
1593 static int
1594 ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
1595 {
1596         struct net *net = &init_net;
1597         struct nf_conntrack_expect *exp, *last;
1598         struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
1599         struct hlist_node *n;
1600         u_int8_t l3proto = nfmsg->nfgen_family;
1601
1602         rcu_read_lock();
1603         last = (struct nf_conntrack_expect *)cb->args[1];
1604         for (; cb->args[0] < nf_ct_expect_hsize; cb->args[0]++) {
1605 restart:
1606                 hlist_for_each_entry(exp, n, &net->ct.expect_hash[cb->args[0]],
1607                                      hnode) {
1608                         if (l3proto && exp->tuple.src.l3num != l3proto)
1609                                 continue;
1610                         if (cb->args[1]) {
1611                                 if (exp != last)
1612                                         continue;
1613                                 cb->args[1] = 0;
1614                         }
1615                         if (ctnetlink_exp_fill_info(skb,
1616                                                     NETLINK_CB(cb->skb).pid,
1617                                                     cb->nlh->nlmsg_seq,
1618                                                     IPCTNL_MSG_EXP_NEW,
1619                                                     exp) < 0) {
1620                                 if (!atomic_inc_not_zero(&exp->use))
1621                                         continue;
1622                                 cb->args[1] = (unsigned long)exp;
1623                                 goto out;
1624                         }
1625                 }
1626                 if (cb->args[1]) {
1627                         cb->args[1] = 0;
1628                         goto restart;
1629                 }
1630         }
1631 out:
1632         rcu_read_unlock();
1633         if (last)
1634                 nf_ct_expect_put(last);
1635
1636         return skb->len;
1637 }
1638
1639 static const struct nla_policy exp_nla_policy[CTA_EXPECT_MAX+1] = {
1640         [CTA_EXPECT_TIMEOUT]    = { .type = NLA_U32 },
1641         [CTA_EXPECT_ID]         = { .type = NLA_U32 },
1642 };
1643
1644 static int
1645 ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb,
1646                      struct nlmsghdr *nlh, struct nlattr *cda[])
1647 {
1648         struct nf_conntrack_tuple tuple;
1649         struct nf_conntrack_expect *exp;
1650         struct sk_buff *skb2;
1651         struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1652         u_int8_t u3 = nfmsg->nfgen_family;
1653         int err = 0;
1654
1655         if (nlh->nlmsg_flags & NLM_F_DUMP) {
1656                 return netlink_dump_start(ctnl, skb, nlh,
1657                                           ctnetlink_exp_dump_table,
1658                                           ctnetlink_exp_done);
1659         }
1660
1661         if (cda[CTA_EXPECT_MASTER])
1662                 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER, u3);
1663         else
1664                 return -EINVAL;
1665
1666         if (err < 0)
1667                 return err;
1668
1669         exp = nf_ct_expect_find_get(&init_net, &tuple);
1670         if (!exp)
1671                 return -ENOENT;
1672
1673         if (cda[CTA_EXPECT_ID]) {
1674                 __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);
1675                 if (ntohl(id) != (u32)(unsigned long)exp) {
1676                         nf_ct_expect_put(exp);
1677                         return -ENOENT;
1678                 }
1679         }
1680
1681         err = -ENOMEM;
1682         skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
1683         if (skb2 == NULL)
1684                 goto out;
1685
1686         rcu_read_lock();
1687         err = ctnetlink_exp_fill_info(skb2, NETLINK_CB(skb).pid,
1688                                       nlh->nlmsg_seq, IPCTNL_MSG_EXP_NEW, exp);
1689         rcu_read_unlock();
1690         if (err <= 0)
1691                 goto free;
1692
1693         nf_ct_expect_put(exp);
1694
1695         return netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT);
1696
1697 free:
1698         kfree_skb(skb2);
1699 out:
1700         nf_ct_expect_put(exp);
1701         return err;
1702 }
1703
1704 static int
1705 ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb,
1706                      struct nlmsghdr *nlh, struct nlattr *cda[])
1707 {
1708         struct nf_conntrack_expect *exp;
1709         struct nf_conntrack_tuple tuple;
1710         struct nf_conntrack_helper *h;
1711         struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1712         struct hlist_node *n, *next;
1713         u_int8_t u3 = nfmsg->nfgen_family;
1714         unsigned int i;
1715         int err;
1716
1717         if (cda[CTA_EXPECT_TUPLE]) {
1718                 /* delete a single expect by tuple */
1719                 err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, u3);
1720                 if (err < 0)
1721                         return err;
1722
1723                 /* bump usage count to 2 */
1724                 exp = nf_ct_expect_find_get(&init_net, &tuple);
1725                 if (!exp)
1726                         return -ENOENT;
1727
1728                 if (cda[CTA_EXPECT_ID]) {
1729                         __be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);
1730                         if (ntohl(id) != (u32)(unsigned long)exp) {
1731                                 nf_ct_expect_put(exp);
1732                                 return -ENOENT;
1733                         }
1734                 }
1735
1736                 /* after list removal, usage count == 1 */
1737                 nf_ct_unexpect_related(exp);
1738                 /* have to put what we 'get' above.
1739                  * after this line usage count == 0 */
1740                 nf_ct_expect_put(exp);
1741         } else if (cda[CTA_EXPECT_HELP_NAME]) {
1742                 char *name = nla_data(cda[CTA_EXPECT_HELP_NAME]);
1743                 struct nf_conn_help *m_help;
1744
1745                 /* delete all expectations for this helper */
1746                 spin_lock_bh(&nf_conntrack_lock);
1747                 h = __nf_conntrack_helper_find_byname(name);
1748                 if (!h) {
1749                         spin_unlock_bh(&nf_conntrack_lock);
1750                         return -EOPNOTSUPP;
1751                 }
1752                 for (i = 0; i < nf_ct_expect_hsize; i++) {
1753                         hlist_for_each_entry_safe(exp, n, next,
1754                                                   &init_net.ct.expect_hash[i],
1755                                                   hnode) {
1756                                 m_help = nfct_help(exp->master);
1757                                 if (m_help->helper == h
1758                                     && del_timer(&exp->timeout)) {
1759                                         nf_ct_unlink_expect(exp);
1760                                         nf_ct_expect_put(exp);
1761                                 }
1762                         }
1763                 }
1764                 spin_unlock_bh(&nf_conntrack_lock);
1765         } else {
1766                 /* This basically means we have to flush everything*/
1767                 spin_lock_bh(&nf_conntrack_lock);
1768                 for (i = 0; i < nf_ct_expect_hsize; i++) {
1769                         hlist_for_each_entry_safe(exp, n, next,
1770                                                   &init_net.ct.expect_hash[i],
1771                                                   hnode) {
1772                                 if (del_timer(&exp->timeout)) {
1773                                         nf_ct_unlink_expect(exp);
1774                                         nf_ct_expect_put(exp);
1775                                 }
1776                         }
1777                 }
1778                 spin_unlock_bh(&nf_conntrack_lock);
1779         }
1780
1781         return 0;
1782 }
1783 static int
1784 ctnetlink_change_expect(struct nf_conntrack_expect *x, struct nlattr *cda[])
1785 {
1786         return -EOPNOTSUPP;
1787 }
1788
1789 static int
1790 ctnetlink_create_expect(struct nlattr *cda[], u_int8_t u3, u32 pid, int report)
1791 {
1792         struct nf_conntrack_tuple tuple, mask, master_tuple;
1793         struct nf_conntrack_tuple_hash *h = NULL;
1794         struct nf_conntrack_expect *exp;
1795         struct nf_conn *ct;
1796         struct nf_conn_help *help;
1797         int err = 0;
1798
1799         /* caller guarantees that those three CTA_EXPECT_* exist */
1800         err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, u3);
1801         if (err < 0)
1802                 return err;
1803         err = ctnetlink_parse_tuple(cda, &mask, CTA_EXPECT_MASK, u3);
1804         if (err < 0)
1805                 return err;
1806         err = ctnetlink_parse_tuple(cda, &master_tuple, CTA_EXPECT_MASTER, u3);
1807         if (err < 0)
1808                 return err;
1809
1810         /* Look for master conntrack of this expectation */
1811         h = nf_conntrack_find_get(&init_net, &master_tuple);
1812         if (!h)
1813                 return -ENOENT;
1814         ct = nf_ct_tuplehash_to_ctrack(h);
1815         help = nfct_help(ct);
1816
1817         if (!help || !help->helper) {
1818                 /* such conntrack hasn't got any helper, abort */
1819                 err = -EOPNOTSUPP;
1820                 goto out;
1821         }
1822
1823         exp = nf_ct_expect_alloc(ct);
1824         if (!exp) {
1825                 err = -ENOMEM;
1826                 goto out;
1827         }
1828
1829         exp->class = 0;
1830         exp->expectfn = NULL;
1831         exp->flags = 0;
1832         exp->master = ct;
1833         exp->helper = NULL;
1834         memcpy(&exp->tuple, &tuple, sizeof(struct nf_conntrack_tuple));
1835         memcpy(&exp->mask.src.u3, &mask.src.u3, sizeof(exp->mask.src.u3));
1836         exp->mask.src.u.all = mask.src.u.all;
1837
1838         err = nf_ct_expect_related_report(exp, pid, report);
1839         nf_ct_expect_put(exp);
1840
1841 out:
1842         nf_ct_put(nf_ct_tuplehash_to_ctrack(h));
1843         return err;
1844 }
1845
1846 static int
1847 ctnetlink_new_expect(struct sock *ctnl, struct sk_buff *skb,
1848                      struct nlmsghdr *nlh, struct nlattr *cda[])
1849 {
1850         struct nf_conntrack_tuple tuple;
1851         struct nf_conntrack_expect *exp;
1852         struct nfgenmsg *nfmsg = nlmsg_data(nlh);
1853         u_int8_t u3 = nfmsg->nfgen_family;
1854         int err = 0;
1855
1856         if (!cda[CTA_EXPECT_TUPLE]
1857             || !cda[CTA_EXPECT_MASK]
1858             || !cda[CTA_EXPECT_MASTER])
1859                 return -EINVAL;
1860
1861         err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, u3);
1862         if (err < 0)
1863                 return err;
1864
1865         spin_lock_bh(&nf_conntrack_lock);
1866         exp = __nf_ct_expect_find(&init_net, &tuple);
1867
1868         if (!exp) {
1869                 spin_unlock_bh(&nf_conntrack_lock);
1870                 err = -ENOENT;
1871                 if (nlh->nlmsg_flags & NLM_F_CREATE) {
1872                         err = ctnetlink_create_expect(cda,
1873                                                       u3,
1874                                                       NETLINK_CB(skb).pid,
1875                                                       nlmsg_report(nlh));
1876                 }
1877                 return err;
1878         }
1879
1880         err = -EEXIST;
1881         if (!(nlh->nlmsg_flags & NLM_F_EXCL))
1882                 err = ctnetlink_change_expect(exp, cda);
1883         spin_unlock_bh(&nf_conntrack_lock);
1884
1885         return err;
1886 }
1887
1888 #ifdef CONFIG_NF_CONNTRACK_EVENTS
1889 static struct notifier_block ctnl_notifier = {
1890         .notifier_call  = ctnetlink_conntrack_event,
1891 };
1892
1893 static struct notifier_block ctnl_notifier_exp = {
1894         .notifier_call  = ctnetlink_expect_event,
1895 };
1896 #endif
1897
1898 static const struct nfnl_callback ctnl_cb[IPCTNL_MSG_MAX] = {
1899         [IPCTNL_MSG_CT_NEW]             = { .call = ctnetlink_new_conntrack,
1900                                             .attr_count = CTA_MAX,
1901                                             .policy = ct_nla_policy },
1902         [IPCTNL_MSG_CT_GET]             = { .call = ctnetlink_get_conntrack,
1903                                             .attr_count = CTA_MAX,
1904                                             .policy = ct_nla_policy },
1905         [IPCTNL_MSG_CT_DELETE]          = { .call = ctnetlink_del_conntrack,
1906                                             .attr_count = CTA_MAX,
1907                                             .policy = ct_nla_policy },
1908         [IPCTNL_MSG_CT_GET_CTRZERO]     = { .call = ctnetlink_get_conntrack,
1909                                             .attr_count = CTA_MAX,
1910                                             .policy = ct_nla_policy },
1911 };
1912
1913 static const struct nfnl_callback ctnl_exp_cb[IPCTNL_MSG_EXP_MAX] = {
1914         [IPCTNL_MSG_EXP_GET]            = { .call = ctnetlink_get_expect,
1915                                             .attr_count = CTA_EXPECT_MAX,
1916                                             .policy = exp_nla_policy },
1917         [IPCTNL_MSG_EXP_NEW]            = { .call = ctnetlink_new_expect,
1918                                             .attr_count = CTA_EXPECT_MAX,
1919                                             .policy = exp_nla_policy },
1920         [IPCTNL_MSG_EXP_DELETE]         = { .call = ctnetlink_del_expect,
1921                                             .attr_count = CTA_EXPECT_MAX,
1922                                             .policy = exp_nla_policy },
1923 };
1924
1925 static const struct nfnetlink_subsystem ctnl_subsys = {
1926         .name                           = "conntrack",
1927         .subsys_id                      = NFNL_SUBSYS_CTNETLINK,
1928         .cb_count                       = IPCTNL_MSG_MAX,
1929         .cb                             = ctnl_cb,
1930 };
1931
1932 static const struct nfnetlink_subsystem ctnl_exp_subsys = {
1933         .name                           = "conntrack_expect",
1934         .subsys_id                      = NFNL_SUBSYS_CTNETLINK_EXP,
1935         .cb_count                       = IPCTNL_MSG_EXP_MAX,
1936         .cb                             = ctnl_exp_cb,
1937 };
1938
1939 MODULE_ALIAS("ip_conntrack_netlink");
1940 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK);
1941 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK_EXP);
1942
1943 static int __init ctnetlink_init(void)
1944 {
1945         int ret;
1946
1947         printk("ctnetlink v%s: registering with nfnetlink.\n", version);
1948         ret = nfnetlink_subsys_register(&ctnl_subsys);
1949         if (ret < 0) {
1950                 printk("ctnetlink_init: cannot register with nfnetlink.\n");
1951                 goto err_out;
1952         }
1953
1954         ret = nfnetlink_subsys_register(&ctnl_exp_subsys);
1955         if (ret < 0) {
1956                 printk("ctnetlink_init: cannot register exp with nfnetlink.\n");
1957                 goto err_unreg_subsys;
1958         }
1959
1960 #ifdef CONFIG_NF_CONNTRACK_EVENTS
1961         ret = nf_conntrack_register_notifier(&ctnl_notifier);
1962         if (ret < 0) {
1963                 printk("ctnetlink_init: cannot register notifier.\n");
1964                 goto err_unreg_exp_subsys;
1965         }
1966
1967         ret = nf_ct_expect_register_notifier(&ctnl_notifier_exp);
1968         if (ret < 0) {
1969                 printk("ctnetlink_init: cannot expect register notifier.\n");
1970                 goto err_unreg_notifier;
1971         }
1972 #endif
1973
1974         return 0;
1975
1976 #ifdef CONFIG_NF_CONNTRACK_EVENTS
1977 err_unreg_notifier:
1978         nf_conntrack_unregister_notifier(&ctnl_notifier);
1979 err_unreg_exp_subsys:
1980         nfnetlink_subsys_unregister(&ctnl_exp_subsys);
1981 #endif
1982 err_unreg_subsys:
1983         nfnetlink_subsys_unregister(&ctnl_subsys);
1984 err_out:
1985         return ret;
1986 }
1987
1988 static void __exit ctnetlink_exit(void)
1989 {
1990         printk("ctnetlink: unregistering from nfnetlink.\n");
1991
1992 #ifdef CONFIG_NF_CONNTRACK_EVENTS
1993         nf_ct_expect_unregister_notifier(&ctnl_notifier_exp);
1994         nf_conntrack_unregister_notifier(&ctnl_notifier);
1995 #endif
1996
1997         nfnetlink_subsys_unregister(&ctnl_exp_subsys);
1998         nfnetlink_subsys_unregister(&ctnl_subsys);
1999         return;
2000 }
2001
2002 module_init(ctnetlink_init);
2003 module_exit(ctnetlink_exit);