Linux Kernel  3.7.1
 All Data Structures Namespaces Files Functions Variables Typedefs Enumerations Enumerator Macros Groups Pages
nf_conntrack_standalone.c
Go to the documentation of this file.
1 /* (C) 1999-2001 Paul `Rusty' Russell
2  * (C) 2002-2004 Netfilter Core Team <[email protected]>
3  *
4  * This program is free software; you can redistribute it and/or modify
5  * it under the terms of the GNU General Public License version 2 as
6  * published by the Free Software Foundation.
7  */
8 
9 #include <linux/types.h>
10 #include <linux/netfilter.h>
11 #include <linux/slab.h>
12 #include <linux/module.h>
13 #include <linux/skbuff.h>
14 #include <linux/proc_fs.h>
15 #include <linux/seq_file.h>
16 #include <linux/percpu.h>
17 #include <linux/netdevice.h>
18 #include <linux/security.h>
19 #include <net/net_namespace.h>
20 #ifdef CONFIG_SYSCTL
21 #include <linux/sysctl.h>
22 #endif
23 
24 #include <net/netfilter/nf_conntrack.h>
25 #include <net/netfilter/nf_conntrack_core.h>
26 #include <net/netfilter/nf_conntrack_l3proto.h>
27 #include <net/netfilter/nf_conntrack_l4proto.h>
28 #include <net/netfilter/nf_conntrack_expect.h>
29 #include <net/netfilter/nf_conntrack_helper.h>
30 #include <net/netfilter/nf_conntrack_acct.h>
31 #include <net/netfilter/nf_conntrack_zones.h>
32 #include <net/netfilter/nf_conntrack_timestamp.h>
33 #include <linux/rculist_nulls.h>
34 
35 MODULE_LICENSE("GPL");
36 
37 #ifdef CONFIG_NF_CONNTRACK_PROCFS
38 int
39 print_tuple(struct seq_file *s, const struct nf_conntrack_tuple *tuple,
40  const struct nf_conntrack_l3proto *l3proto,
41  const struct nf_conntrack_l4proto *l4proto)
42 {
43  return l3proto->print_tuple(s, tuple) || l4proto->print_tuple(s, tuple);
44 }
45 EXPORT_SYMBOL_GPL(print_tuple);
46 
47 struct ct_iter_state {
48  struct seq_net_private p;
49  unsigned int bucket;
50  u_int64_t time_now;
51 };
52 
53 static struct hlist_nulls_node *ct_get_first(struct seq_file *seq)
54 {
55  struct net *net = seq_file_net(seq);
56  struct ct_iter_state *st = seq->private;
57  struct hlist_nulls_node *n;
58 
59  for (st->bucket = 0;
60  st->bucket < net->ct.htable_size;
61  st->bucket++) {
62  n = rcu_dereference(hlist_nulls_first_rcu(&net->ct.hash[st->bucket]));
63  if (!is_a_nulls(n))
64  return n;
65  }
66  return NULL;
67 }
68 
69 static struct hlist_nulls_node *ct_get_next(struct seq_file *seq,
70  struct hlist_nulls_node *head)
71 {
72  struct net *net = seq_file_net(seq);
73  struct ct_iter_state *st = seq->private;
74 
75  head = rcu_dereference(hlist_nulls_next_rcu(head));
76  while (is_a_nulls(head)) {
77  if (likely(get_nulls_value(head) == st->bucket)) {
78  if (++st->bucket >= net->ct.htable_size)
79  return NULL;
80  }
81  head = rcu_dereference(
82  hlist_nulls_first_rcu(
83  &net->ct.hash[st->bucket]));
84  }
85  return head;
86 }
87 
88 static struct hlist_nulls_node *ct_get_idx(struct seq_file *seq, loff_t pos)
89 {
90  struct hlist_nulls_node *head = ct_get_first(seq);
91 
92  if (head)
93  while (pos && (head = ct_get_next(seq, head)))
94  pos--;
95  return pos ? NULL : head;
96 }
97 
98 static void *ct_seq_start(struct seq_file *seq, loff_t *pos)
99  __acquires(RCU)
100 {
101  struct ct_iter_state *st = seq->private;
102 
103  st->time_now = ktime_to_ns(ktime_get_real());
104  rcu_read_lock();
105  return ct_get_idx(seq, *pos);
106 }
107 
108 static void *ct_seq_next(struct seq_file *s, void *v, loff_t *pos)
109 {
110  (*pos)++;
111  return ct_get_next(s, v);
112 }
113 
114 static void ct_seq_stop(struct seq_file *s, void *v)
115  __releases(RCU)
116 {
117  rcu_read_unlock();
118 }
119 
120 #ifdef CONFIG_NF_CONNTRACK_SECMARK
121 static int ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
122 {
123  int ret;
124  u32 len;
125  char *secctx;
126 
127  ret = security_secid_to_secctx(ct->secmark, &secctx, &len);
128  if (ret)
129  return 0;
130 
131  ret = seq_printf(s, "secctx=%s ", secctx);
132 
133  security_release_secctx(secctx, len);
134  return ret;
135 }
136 #else
137 static inline int ct_show_secctx(struct seq_file *s, const struct nf_conn *ct)
138 {
139  return 0;
140 }
141 #endif
142 
143 #ifdef CONFIG_NF_CONNTRACK_TIMESTAMP
144 static int ct_show_delta_time(struct seq_file *s, const struct nf_conn *ct)
145 {
146  struct ct_iter_state *st = s->private;
147  struct nf_conn_tstamp *tstamp;
148  s64 delta_time;
149 
150  tstamp = nf_conn_tstamp_find(ct);
151  if (tstamp) {
152  delta_time = st->time_now - tstamp->start;
153  if (delta_time > 0)
154  delta_time = div_s64(delta_time, NSEC_PER_SEC);
155  else
156  delta_time = 0;
157 
158  return seq_printf(s, "delta-time=%llu ",
159  (unsigned long long)delta_time);
160  }
161  return 0;
162 }
163 #else
164 static inline int
165 ct_show_delta_time(struct seq_file *s, const struct nf_conn *ct)
166 {
167  return 0;
168 }
169 #endif
170 
171 /* return 0 on success, 1 in case of error */
172 static int ct_seq_show(struct seq_file *s, void *v)
173 {
174  struct nf_conntrack_tuple_hash *hash = v;
175  struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(hash);
176  const struct nf_conntrack_l3proto *l3proto;
177  const struct nf_conntrack_l4proto *l4proto;
178  int ret = 0;
179 
180  NF_CT_ASSERT(ct);
181  if (unlikely(!atomic_inc_not_zero(&ct->ct_general.use)))
182  return 0;
183 
184  /* we only want to print DIR_ORIGINAL */
185  if (NF_CT_DIRECTION(hash))
186  goto release;
187 
188  l3proto = __nf_ct_l3proto_find(nf_ct_l3num(ct));
189  NF_CT_ASSERT(l3proto);
190  l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
191  NF_CT_ASSERT(l4proto);
192 
193  ret = -ENOSPC;
194  if (seq_printf(s, "%-8s %u %-8s %u %ld ",
195  l3proto->name, nf_ct_l3num(ct),
196  l4proto->name, nf_ct_protonum(ct),
197  timer_pending(&ct->timeout)
198  ? (long)(ct->timeout.expires - jiffies)/HZ : 0) != 0)
199  goto release;
200 
201  if (l4proto->print_conntrack && l4proto->print_conntrack(s, ct))
202  goto release;
203 
204  if (print_tuple(s, &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
205  l3proto, l4proto))
206  goto release;
207 
208  if (seq_print_acct(s, ct, IP_CT_DIR_ORIGINAL))
209  goto release;
210 
211  if (!(test_bit(IPS_SEEN_REPLY_BIT, &ct->status)))
212  if (seq_printf(s, "[UNREPLIED] "))
213  goto release;
214 
215  if (print_tuple(s, &ct->tuplehash[IP_CT_DIR_REPLY].tuple,
216  l3proto, l4proto))
217  goto release;
218 
219  if (seq_print_acct(s, ct, IP_CT_DIR_REPLY))
220  goto release;
221 
222  if (test_bit(IPS_ASSURED_BIT, &ct->status))
223  if (seq_printf(s, "[ASSURED] "))
224  goto release;
225 
226 #if defined(CONFIG_NF_CONNTRACK_MARK)
227  if (seq_printf(s, "mark=%u ", ct->mark))
228  goto release;
229 #endif
230 
231  if (ct_show_secctx(s, ct))
232  goto release;
233 
234 #ifdef CONFIG_NF_CONNTRACK_ZONES
235  if (seq_printf(s, "zone=%u ", nf_ct_zone(ct)))
236  goto release;
237 #endif
238 
239  if (ct_show_delta_time(s, ct))
240  goto release;
241 
242  if (seq_printf(s, "use=%u\n", atomic_read(&ct->ct_general.use)))
243  goto release;
244 
245  ret = 0;
246 release:
247  nf_ct_put(ct);
248  return ret;
249 }
250 
251 static const struct seq_operations ct_seq_ops = {
252  .start = ct_seq_start,
253  .next = ct_seq_next,
254  .stop = ct_seq_stop,
255  .show = ct_seq_show
256 };
257 
258 static int ct_open(struct inode *inode, struct file *file)
259 {
260  return seq_open_net(inode, file, &ct_seq_ops,
261  sizeof(struct ct_iter_state));
262 }
263 
264 static const struct file_operations ct_file_ops = {
265  .owner = THIS_MODULE,
266  .open = ct_open,
267  .read = seq_read,
268  .llseek = seq_lseek,
269  .release = seq_release_net,
270 };
271 
272 static void *ct_cpu_seq_start(struct seq_file *seq, loff_t *pos)
273 {
274  struct net *net = seq_file_net(seq);
275  int cpu;
276 
277  if (*pos == 0)
278  return SEQ_START_TOKEN;
279 
280  for (cpu = *pos-1; cpu < nr_cpu_ids; ++cpu) {
281  if (!cpu_possible(cpu))
282  continue;
283  *pos = cpu + 1;
284  return per_cpu_ptr(net->ct.stat, cpu);
285  }
286 
287  return NULL;
288 }
289 
290 static void *ct_cpu_seq_next(struct seq_file *seq, void *v, loff_t *pos)
291 {
292  struct net *net = seq_file_net(seq);
293  int cpu;
294 
295  for (cpu = *pos; cpu < nr_cpu_ids; ++cpu) {
296  if (!cpu_possible(cpu))
297  continue;
298  *pos = cpu + 1;
299  return per_cpu_ptr(net->ct.stat, cpu);
300  }
301 
302  return NULL;
303 }
304 
305 static void ct_cpu_seq_stop(struct seq_file *seq, void *v)
306 {
307 }
308 
309 static int ct_cpu_seq_show(struct seq_file *seq, void *v)
310 {
311  struct net *net = seq_file_net(seq);
312  unsigned int nr_conntracks = atomic_read(&net->ct.count);
313  const struct ip_conntrack_stat *st = v;
314 
315  if (v == SEQ_START_TOKEN) {
316  seq_printf(seq, "entries searched found new invalid ignore delete delete_list insert insert_failed drop early_drop icmp_error expect_new expect_create expect_delete search_restart\n");
317  return 0;
318  }
319 
320  seq_printf(seq, "%08x %08x %08x %08x %08x %08x %08x %08x "
321  "%08x %08x %08x %08x %08x %08x %08x %08x %08x\n",
322  nr_conntracks,
323  st->searched,
324  st->found,
325  st->new,
326  st->invalid,
327  st->ignore,
328  st->delete,
329  st->delete_list,
330  st->insert,
331  st->insert_failed,
332  st->drop,
333  st->early_drop,
334  st->error,
335 
336  st->expect_new,
337  st->expect_create,
338  st->expect_delete,
339  st->search_restart
340  );
341  return 0;
342 }
343 
344 static const struct seq_operations ct_cpu_seq_ops = {
345  .start = ct_cpu_seq_start,
346  .next = ct_cpu_seq_next,
347  .stop = ct_cpu_seq_stop,
348  .show = ct_cpu_seq_show,
349 };
350 
351 static int ct_cpu_seq_open(struct inode *inode, struct file *file)
352 {
353  return seq_open_net(inode, file, &ct_cpu_seq_ops,
354  sizeof(struct seq_net_private));
355 }
356 
357 static const struct file_operations ct_cpu_seq_fops = {
358  .owner = THIS_MODULE,
359  .open = ct_cpu_seq_open,
360  .read = seq_read,
361  .llseek = seq_lseek,
362  .release = seq_release_net,
363 };
364 
365 static int nf_conntrack_standalone_init_proc(struct net *net)
366 {
367  struct proc_dir_entry *pde;
368 
369  pde = proc_net_fops_create(net, "nf_conntrack", 0440, &ct_file_ops);
370  if (!pde)
371  goto out_nf_conntrack;
372 
373  pde = proc_create("nf_conntrack", S_IRUGO, net->proc_net_stat,
374  &ct_cpu_seq_fops);
375  if (!pde)
376  goto out_stat_nf_conntrack;
377  return 0;
378 
379 out_stat_nf_conntrack:
380  proc_net_remove(net, "nf_conntrack");
381 out_nf_conntrack:
382  return -ENOMEM;
383 }
384 
385 static void nf_conntrack_standalone_fini_proc(struct net *net)
386 {
387  remove_proc_entry("nf_conntrack", net->proc_net_stat);
388  proc_net_remove(net, "nf_conntrack");
389 }
390 #else
391 static int nf_conntrack_standalone_init_proc(struct net *net)
392 {
393  return 0;
394 }
395 
396 static void nf_conntrack_standalone_fini_proc(struct net *net)
397 {
398 }
399 #endif /* CONFIG_NF_CONNTRACK_PROCFS */
400 
401 /* Sysctl support */
402 
403 #ifdef CONFIG_SYSCTL
404 /* Log invalid packets of a given protocol */
405 static int log_invalid_proto_min = 0;
406 static int log_invalid_proto_max = 255;
407 
408 static struct ctl_table_header *nf_ct_netfilter_header;
409 
410 static ctl_table nf_ct_sysctl_table[] = {
411  {
412  .procname = "nf_conntrack_max",
413  .data = &nf_conntrack_max,
414  .maxlen = sizeof(int),
415  .mode = 0644,
416  .proc_handler = proc_dointvec,
417  },
418  {
419  .procname = "nf_conntrack_count",
420  .data = &init_net.ct.count,
421  .maxlen = sizeof(int),
422  .mode = 0444,
423  .proc_handler = proc_dointvec,
424  },
425  {
426  .procname = "nf_conntrack_buckets",
427  .data = &init_net.ct.htable_size,
428  .maxlen = sizeof(unsigned int),
429  .mode = 0444,
430  .proc_handler = proc_dointvec,
431  },
432  {
433  .procname = "nf_conntrack_checksum",
434  .data = &init_net.ct.sysctl_checksum,
435  .maxlen = sizeof(unsigned int),
436  .mode = 0644,
437  .proc_handler = proc_dointvec,
438  },
439  {
440  .procname = "nf_conntrack_log_invalid",
441  .data = &init_net.ct.sysctl_log_invalid,
442  .maxlen = sizeof(unsigned int),
443  .mode = 0644,
444  .proc_handler = proc_dointvec_minmax,
445  .extra1 = &log_invalid_proto_min,
446  .extra2 = &log_invalid_proto_max,
447  },
448  {
449  .procname = "nf_conntrack_expect_max",
450  .data = &nf_ct_expect_max,
451  .maxlen = sizeof(int),
452  .mode = 0644,
453  .proc_handler = proc_dointvec,
454  },
455  { }
456 };
457 
458 #define NET_NF_CONNTRACK_MAX 2089
459 
460 static ctl_table nf_ct_netfilter_table[] = {
461  {
462  .procname = "nf_conntrack_max",
463  .data = &nf_conntrack_max,
464  .maxlen = sizeof(int),
465  .mode = 0644,
466  .proc_handler = proc_dointvec,
467  },
468  { }
469 };
470 
471 static int nf_conntrack_standalone_init_sysctl(struct net *net)
472 {
473  struct ctl_table *table;
474 
475  if (net_eq(net, &init_net)) {
476  nf_ct_netfilter_header =
477  register_net_sysctl(&init_net, "net", nf_ct_netfilter_table);
478  if (!nf_ct_netfilter_header)
479  goto out;
480  }
481 
482  table = kmemdup(nf_ct_sysctl_table, sizeof(nf_ct_sysctl_table),
483  GFP_KERNEL);
484  if (!table)
485  goto out_kmemdup;
486 
487  table[1].data = &net->ct.count;
488  table[2].data = &net->ct.htable_size;
489  table[3].data = &net->ct.sysctl_checksum;
490  table[4].data = &net->ct.sysctl_log_invalid;
491 
492  net->ct.sysctl_header = register_net_sysctl(net, "net/netfilter", table);
493  if (!net->ct.sysctl_header)
494  goto out_unregister_netfilter;
495 
496  return 0;
497 
498 out_unregister_netfilter:
499  kfree(table);
500 out_kmemdup:
501  if (net_eq(net, &init_net))
502  unregister_net_sysctl_table(nf_ct_netfilter_header);
503 out:
504  printk(KERN_ERR "nf_conntrack: can't register to sysctl.\n");
505  return -ENOMEM;
506 }
507 
508 static void nf_conntrack_standalone_fini_sysctl(struct net *net)
509 {
510  struct ctl_table *table;
511 
512  if (net_eq(net, &init_net))
513  unregister_net_sysctl_table(nf_ct_netfilter_header);
514  table = net->ct.sysctl_header->ctl_table_arg;
515  unregister_net_sysctl_table(net->ct.sysctl_header);
516  kfree(table);
517 }
518 #else
519 static int nf_conntrack_standalone_init_sysctl(struct net *net)
520 {
521  return 0;
522 }
523 
524 static void nf_conntrack_standalone_fini_sysctl(struct net *net)
525 {
526 }
527 #endif /* CONFIG_SYSCTL */
528 
529 static int nf_conntrack_net_init(struct net *net)
530 {
531  int ret;
532 
533  ret = nf_conntrack_init(net);
534  if (ret < 0)
535  goto out_init;
536  ret = nf_conntrack_standalone_init_proc(net);
537  if (ret < 0)
538  goto out_proc;
539  net->ct.sysctl_checksum = 1;
540  net->ct.sysctl_log_invalid = 0;
541  ret = nf_conntrack_standalone_init_sysctl(net);
542  if (ret < 0)
543  goto out_sysctl;
544  return 0;
545 
546 out_sysctl:
547  nf_conntrack_standalone_fini_proc(net);
548 out_proc:
549  nf_conntrack_cleanup(net);
550 out_init:
551  return ret;
552 }
553 
554 static void nf_conntrack_net_exit(struct net *net)
555 {
556  nf_conntrack_standalone_fini_sysctl(net);
557  nf_conntrack_standalone_fini_proc(net);
558  nf_conntrack_cleanup(net);
559 }
560 
561 static struct pernet_operations nf_conntrack_net_ops = {
562  .init = nf_conntrack_net_init,
563  .exit = nf_conntrack_net_exit,
564 };
565 
566 static int __init nf_conntrack_standalone_init(void)
567 {
568  return register_pernet_subsys(&nf_conntrack_net_ops);
569 }
570 
571 static void __exit nf_conntrack_standalone_fini(void)
572 {
573  unregister_pernet_subsys(&nf_conntrack_net_ops);
574 }
575 
576 module_init(nf_conntrack_standalone_init);
577 module_exit(nf_conntrack_standalone_fini);
578 
579 /* Some modules need us, but don't depend directly on any symbol.
580  They should call this. */
581 void need_conntrack(void)
582 {
583 }
584 EXPORT_SYMBOL_GPL(need_conntrack);
Generated on Thu Jan 10 2013 15:00:37 for Linux Kernel by   doxygen 1.8.2