1 // SPDX-License-Identifier: GPL-2.0
3 #include <linux/types.h>
4 #include <linux/netfilter.h>
5 #include <linux/module.h>
6 #include <linux/slab.h>
7 #include <linux/mutex.h>
8 #include <linux/vmalloc.h>
9 #include <linux/stddef.h>
10 #include <linux/err.h>
11 #include <linux/percpu.h>
12 #include <linux/notifier.h>
13 #include <linux/kernel.h>
14 #include <linux/netdevice.h>
16 #include <net/netfilter/nf_conntrack.h>
17 #include <net/netfilter/nf_conntrack_l4proto.h>
18 #include <net/netfilter/nf_conntrack_core.h>
19 #include <net/netfilter/nf_log.h>
22 #include <linux/icmp.h>
23 #include <linux/sysctl.h>
24 #include <net/route.h>
27 #include <linux/netfilter_ipv4.h>
28 #include <linux/netfilter_ipv6.h>
29 #include <linux/netfilter_ipv6/ip6_tables.h>
30 #include <net/netfilter/nf_conntrack_helper.h>
31 #include <net/netfilter/nf_conntrack_zones.h>
32 #include <net/netfilter/nf_conntrack_seqadj.h>
33 #include <net/netfilter/ipv4/nf_conntrack_ipv4.h>
34 #include <net/netfilter/ipv6/nf_conntrack_ipv6.h>
35 #include <net/netfilter/nf_nat_helper.h>
36 #include <net/netfilter/ipv4/nf_defrag_ipv4.h>
37 #include <net/netfilter/ipv6/nf_defrag_ipv6.h>
39 #include <linux/ipv6.h>
40 #include <linux/in6.h>
42 #include <net/inet_frag.h>
44 extern unsigned int nf_conntrack_net_id;
46 static struct nf_conntrack_l4proto __rcu *nf_ct_protos[MAX_NF_CT_PROTO + 1] __read_mostly;
48 static DEFINE_MUTEX(nf_ct_proto_mutex);
52 nf_ct_register_sysctl(struct net *net,
53 struct ctl_table_header **header,
55 struct ctl_table *table)
57 if (*header == NULL) {
58 *header = register_net_sysctl(net, path, table);
67 nf_ct_unregister_sysctl(struct ctl_table_header **header,
68 struct ctl_table **table,
74 unregister_net_sysctl_table(*header);
81 void nf_l4proto_log_invalid(const struct sk_buff *skb,
89 if (net->ct.sysctl_log_invalid != protonum ||
90 net->ct.sysctl_log_invalid != IPPROTO_RAW)
97 nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,
98 "nf_ct_proto_%d: %pV ", protonum, &vaf);
101 EXPORT_SYMBOL_GPL(nf_l4proto_log_invalid);
104 void nf_ct_l4proto_log_invalid(const struct sk_buff *skb,
105 const struct nf_conn *ct,
106 const char *fmt, ...)
108 struct va_format vaf;
113 if (likely(net->ct.sysctl_log_invalid == 0))
120 nf_l4proto_log_invalid(skb, net, nf_ct_l3num(ct),
121 nf_ct_protonum(ct), "%pV", &vaf);
124 EXPORT_SYMBOL_GPL(nf_ct_l4proto_log_invalid);
127 const struct nf_conntrack_l4proto *__nf_ct_l4proto_find(u8 l4proto)
129 if (unlikely(l4proto >= ARRAY_SIZE(nf_ct_protos)))
130 return &nf_conntrack_l4proto_generic;
132 return rcu_dereference(nf_ct_protos[l4proto]);
134 EXPORT_SYMBOL_GPL(__nf_ct_l4proto_find);
136 const struct nf_conntrack_l4proto *nf_ct_l4proto_find_get(u8 l4num)
138 const struct nf_conntrack_l4proto *p;
141 p = __nf_ct_l4proto_find(l4num);
142 if (!try_module_get(p->me))
143 p = &nf_conntrack_l4proto_generic;
148 EXPORT_SYMBOL_GPL(nf_ct_l4proto_find_get);
150 void nf_ct_l4proto_put(const struct nf_conntrack_l4proto *p)
154 EXPORT_SYMBOL_GPL(nf_ct_l4proto_put);
156 static int kill_l4proto(struct nf_conn *i, void *data)
158 const struct nf_conntrack_l4proto *l4proto;
160 return nf_ct_protonum(i) == l4proto->l4proto;
163 static struct nf_proto_net *nf_ct_l4proto_net(struct net *net,
164 const struct nf_conntrack_l4proto *l4proto)
166 if (l4proto->get_net_proto) {
167 /* statically built-in protocols use static per-net */
168 return l4proto->get_net_proto(net);
169 } else if (l4proto->net_id) {
170 /* ... and loadable protocols use dynamic per-net */
171 return net_generic(net, *l4proto->net_id);
177 int nf_ct_l4proto_register_sysctl(struct net *net,
178 struct nf_proto_net *pn,
179 const struct nf_conntrack_l4proto *l4proto)
184 if (pn->ctl_table != NULL) {
185 err = nf_ct_register_sysctl(net,
186 &pn->ctl_table_header,
191 kfree(pn->ctl_table);
192 pn->ctl_table = NULL;
196 #endif /* CONFIG_SYSCTL */
201 void nf_ct_l4proto_unregister_sysctl(struct net *net,
202 struct nf_proto_net *pn,
203 const struct nf_conntrack_l4proto *l4proto)
206 if (pn->ctl_table_header != NULL)
207 nf_ct_unregister_sysctl(&pn->ctl_table_header,
210 #endif /* CONFIG_SYSCTL */
213 /* FIXME: Allow NULL functions and sub in pointers to generic for
215 int nf_ct_l4proto_register_one(const struct nf_conntrack_l4proto *l4proto)
219 if ((l4proto->to_nlattr && l4proto->nlattr_size == 0) ||
220 (l4proto->tuple_to_nlattr && !l4proto->nlattr_tuple_size))
223 mutex_lock(&nf_ct_proto_mutex);
224 if (rcu_dereference_protected(
225 nf_ct_protos[l4proto->l4proto],
226 lockdep_is_held(&nf_ct_proto_mutex)
227 ) != &nf_conntrack_l4proto_generic) {
232 rcu_assign_pointer(nf_ct_protos[l4proto->l4proto], l4proto);
234 mutex_unlock(&nf_ct_proto_mutex);
237 EXPORT_SYMBOL_GPL(nf_ct_l4proto_register_one);
239 int nf_ct_l4proto_pernet_register_one(struct net *net,
240 const struct nf_conntrack_l4proto *l4proto)
243 struct nf_proto_net *pn = NULL;
245 if (l4proto->init_net) {
246 ret = l4proto->init_net(net);
251 pn = nf_ct_l4proto_net(net, l4proto);
255 ret = nf_ct_l4proto_register_sysctl(net, pn, l4proto);
263 EXPORT_SYMBOL_GPL(nf_ct_l4proto_pernet_register_one);
265 static void __nf_ct_l4proto_unregister_one(const struct nf_conntrack_l4proto *l4proto)
268 BUG_ON(l4proto->l4proto >= ARRAY_SIZE(nf_ct_protos));
270 BUG_ON(rcu_dereference_protected(
271 nf_ct_protos[l4proto->l4proto],
272 lockdep_is_held(&nf_ct_proto_mutex)
274 rcu_assign_pointer(nf_ct_protos[l4proto->l4proto],
275 &nf_conntrack_l4proto_generic);
278 void nf_ct_l4proto_unregister_one(const struct nf_conntrack_l4proto *l4proto)
280 mutex_lock(&nf_ct_proto_mutex);
281 __nf_ct_l4proto_unregister_one(l4proto);
282 mutex_unlock(&nf_ct_proto_mutex);
285 /* Remove all contrack entries for this protocol */
286 nf_ct_iterate_destroy(kill_l4proto, (void *)l4proto);
288 EXPORT_SYMBOL_GPL(nf_ct_l4proto_unregister_one);
290 void nf_ct_l4proto_pernet_unregister_one(struct net *net,
291 const struct nf_conntrack_l4proto *l4proto)
293 struct nf_proto_net *pn = nf_ct_l4proto_net(net, l4proto);
299 nf_ct_l4proto_unregister_sysctl(net, pn, l4proto);
301 EXPORT_SYMBOL_GPL(nf_ct_l4proto_pernet_unregister_one);
304 nf_ct_l4proto_unregister(const struct nf_conntrack_l4proto * const l4proto[],
305 unsigned int num_proto)
309 mutex_lock(&nf_ct_proto_mutex);
310 for (i = 0; i < num_proto; i++)
311 __nf_ct_l4proto_unregister_one(l4proto[i]);
312 mutex_unlock(&nf_ct_proto_mutex);
316 for (i = 0; i < num_proto; i++)
317 nf_ct_iterate_destroy(kill_l4proto, (void *)l4proto[i]);
321 nf_ct_l4proto_register(const struct nf_conntrack_l4proto * const l4proto[],
322 unsigned int num_proto)
327 for (i = 0; i < num_proto; i++) {
328 ret = nf_ct_l4proto_register_one(l4proto[i]);
332 if (i != num_proto) {
333 pr_err("nf_conntrack: can't register l4 %d proto.\n",
334 l4proto[i]->l4proto);
335 nf_ct_l4proto_unregister(l4proto, i);
340 int nf_ct_l4proto_pernet_register(struct net *net,
341 const struct nf_conntrack_l4proto *const l4proto[],
342 unsigned int num_proto)
347 for (i = 0; i < num_proto; i++) {
348 ret = nf_ct_l4proto_pernet_register_one(net, l4proto[i]);
352 if (i != num_proto) {
353 pr_err("nf_conntrack %d: pernet registration failed\n",
354 l4proto[i]->l4proto);
355 nf_ct_l4proto_pernet_unregister(net, l4proto, i);
359 EXPORT_SYMBOL_GPL(nf_ct_l4proto_pernet_register);
361 void nf_ct_l4proto_pernet_unregister(struct net *net,
362 const struct nf_conntrack_l4proto *const l4proto[],
363 unsigned int num_proto)
365 while (num_proto-- != 0)
366 nf_ct_l4proto_pernet_unregister_one(net, l4proto[num_proto]);
368 EXPORT_SYMBOL_GPL(nf_ct_l4proto_pernet_unregister);
370 static unsigned int ipv4_helper(void *priv,
372 const struct nf_hook_state *state)
375 enum ip_conntrack_info ctinfo;
376 const struct nf_conn_help *help;
377 const struct nf_conntrack_helper *helper;
379 /* This is where we call the helper: as the packet goes out. */
380 ct = nf_ct_get(skb, &ctinfo);
381 if (!ct || ctinfo == IP_CT_RELATED_REPLY)
384 help = nfct_help(ct);
388 /* rcu_read_lock()ed by nf_hook_thresh */
389 helper = rcu_dereference(help->helper);
393 return helper->help(skb, skb_network_offset(skb) + ip_hdrlen(skb),
397 static unsigned int ipv4_confirm(void *priv,
399 const struct nf_hook_state *state)
402 enum ip_conntrack_info ctinfo;
404 ct = nf_ct_get(skb, &ctinfo);
405 if (!ct || ctinfo == IP_CT_RELATED_REPLY)
408 /* adjust seqs for loopback traffic only in outgoing direction */
409 if (test_bit(IPS_SEQ_ADJUST_BIT, &ct->status) &&
410 !nf_is_loopback_packet(skb)) {
411 if (!nf_ct_seq_adjust(skb, ct, ctinfo, ip_hdrlen(skb))) {
412 NF_CT_STAT_INC_ATOMIC(nf_ct_net(ct), drop);
417 /* We've seen it coming out the other side: confirm it */
418 return nf_conntrack_confirm(skb);
421 static unsigned int ipv4_conntrack_in(void *priv,
423 const struct nf_hook_state *state)
425 return nf_conntrack_in(skb, state);
428 static unsigned int ipv4_conntrack_local(void *priv,
430 const struct nf_hook_state *state)
432 if (ip_is_fragment(ip_hdr(skb))) { /* IP_NODEFRAG setsockopt set */
433 enum ip_conntrack_info ctinfo;
434 struct nf_conn *tmpl;
436 tmpl = nf_ct_get(skb, &ctinfo);
437 if (tmpl && nf_ct_is_template(tmpl)) {
438 /* when skipping ct, clear templates to avoid fooling
439 * later targets/matches
447 return nf_conntrack_in(skb, state);
450 /* Connection tracking may drop packets, but never alters them, so
451 * make it the first hook.
453 static const struct nf_hook_ops ipv4_conntrack_ops[] = {
455 .hook = ipv4_conntrack_in,
457 .hooknum = NF_INET_PRE_ROUTING,
458 .priority = NF_IP_PRI_CONNTRACK,
461 .hook = ipv4_conntrack_local,
463 .hooknum = NF_INET_LOCAL_OUT,
464 .priority = NF_IP_PRI_CONNTRACK,
469 .hooknum = NF_INET_POST_ROUTING,
470 .priority = NF_IP_PRI_CONNTRACK_HELPER,
473 .hook = ipv4_confirm,
475 .hooknum = NF_INET_POST_ROUTING,
476 .priority = NF_IP_PRI_CONNTRACK_CONFIRM,
481 .hooknum = NF_INET_LOCAL_IN,
482 .priority = NF_IP_PRI_CONNTRACK_HELPER,
485 .hook = ipv4_confirm,
487 .hooknum = NF_INET_LOCAL_IN,
488 .priority = NF_IP_PRI_CONNTRACK_CONFIRM,
492 /* Fast function for those who don't want to parse /proc (and I don't
494 * Reversing the socket's dst/src point of view gives us the reply
498 getorigdst(struct sock *sk, int optval, void __user *user, int *len)
500 const struct inet_sock *inet = inet_sk(sk);
501 const struct nf_conntrack_tuple_hash *h;
502 struct nf_conntrack_tuple tuple;
504 memset(&tuple, 0, sizeof(tuple));
507 tuple.src.u3.ip = inet->inet_rcv_saddr;
508 tuple.src.u.tcp.port = inet->inet_sport;
509 tuple.dst.u3.ip = inet->inet_daddr;
510 tuple.dst.u.tcp.port = inet->inet_dport;
511 tuple.src.l3num = PF_INET;
512 tuple.dst.protonum = sk->sk_protocol;
515 /* We only do TCP and SCTP at the moment: is there a better way? */
516 if (tuple.dst.protonum != IPPROTO_TCP &&
517 tuple.dst.protonum != IPPROTO_SCTP) {
518 pr_debug("SO_ORIGINAL_DST: Not a TCP/SCTP socket\n");
522 if ((unsigned int)*len < sizeof(struct sockaddr_in)) {
523 pr_debug("SO_ORIGINAL_DST: len %d not %zu\n",
524 *len, sizeof(struct sockaddr_in));
528 h = nf_conntrack_find_get(sock_net(sk), &nf_ct_zone_dflt, &tuple);
530 struct sockaddr_in sin;
531 struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h);
533 sin.sin_family = AF_INET;
534 sin.sin_port = ct->tuplehash[IP_CT_DIR_ORIGINAL]
535 .tuple.dst.u.tcp.port;
536 sin.sin_addr.s_addr = ct->tuplehash[IP_CT_DIR_ORIGINAL]
538 memset(sin.sin_zero, 0, sizeof(sin.sin_zero));
540 pr_debug("SO_ORIGINAL_DST: %pI4 %u\n",
541 &sin.sin_addr.s_addr, ntohs(sin.sin_port));
543 if (copy_to_user(user, &sin, sizeof(sin)) != 0)
548 pr_debug("SO_ORIGINAL_DST: Can't find %pI4/%u-%pI4/%u.\n",
549 &tuple.src.u3.ip, ntohs(tuple.src.u.tcp.port),
550 &tuple.dst.u3.ip, ntohs(tuple.dst.u.tcp.port));
554 static struct nf_sockopt_ops so_getorigdst = {
556 .get_optmin = SO_ORIGINAL_DST,
557 .get_optmax = SO_ORIGINAL_DST + 1,
559 .owner = THIS_MODULE,
562 #if IS_ENABLED(CONFIG_IPV6)
564 ipv6_getorigdst(struct sock *sk, int optval, void __user *user, int *len)
566 struct nf_conntrack_tuple tuple = { .src.l3num = NFPROTO_IPV6 };
567 const struct ipv6_pinfo *inet6 = inet6_sk(sk);
568 const struct inet_sock *inet = inet_sk(sk);
569 const struct nf_conntrack_tuple_hash *h;
570 struct sockaddr_in6 sin6;
576 tuple.src.u3.in6 = sk->sk_v6_rcv_saddr;
577 tuple.src.u.tcp.port = inet->inet_sport;
578 tuple.dst.u3.in6 = sk->sk_v6_daddr;
579 tuple.dst.u.tcp.port = inet->inet_dport;
580 tuple.dst.protonum = sk->sk_protocol;
581 bound_dev_if = sk->sk_bound_dev_if;
582 flow_label = inet6->flow_label;
585 if (tuple.dst.protonum != IPPROTO_TCP &&
586 tuple.dst.protonum != IPPROTO_SCTP)
589 if (*len < 0 || (unsigned int)*len < sizeof(sin6))
592 h = nf_conntrack_find_get(sock_net(sk), &nf_ct_zone_dflt, &tuple);
594 pr_debug("IP6T_SO_ORIGINAL_DST: Can't find %pI6c/%u-%pI6c/%u.\n",
595 &tuple.src.u3.ip6, ntohs(tuple.src.u.tcp.port),
596 &tuple.dst.u3.ip6, ntohs(tuple.dst.u.tcp.port));
600 ct = nf_ct_tuplehash_to_ctrack(h);
602 sin6.sin6_family = AF_INET6;
603 sin6.sin6_port = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u.tcp.port;
604 sin6.sin6_flowinfo = flow_label & IPV6_FLOWINFO_MASK;
605 memcpy(&sin6.sin6_addr,
606 &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3.in6,
607 sizeof(sin6.sin6_addr));
610 sin6.sin6_scope_id = ipv6_iface_scope_id(&sin6.sin6_addr, bound_dev_if);
611 return copy_to_user(user, &sin6, sizeof(sin6)) ? -EFAULT : 0;
614 static struct nf_sockopt_ops so_getorigdst6 = {
616 .get_optmin = IP6T_SO_ORIGINAL_DST,
617 .get_optmax = IP6T_SO_ORIGINAL_DST + 1,
618 .get = ipv6_getorigdst,
619 .owner = THIS_MODULE,
622 static unsigned int ipv6_confirm(void *priv,
624 const struct nf_hook_state *state)
627 enum ip_conntrack_info ctinfo;
628 unsigned char pnum = ipv6_hdr(skb)->nexthdr;
632 ct = nf_ct_get(skb, &ctinfo);
633 if (!ct || ctinfo == IP_CT_RELATED_REPLY)
636 protoff = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &pnum,
638 if (protoff < 0 || (frag_off & htons(~0x7)) != 0) {
639 pr_debug("proto header not found\n");
643 /* adjust seqs for loopback traffic only in outgoing direction */
644 if (test_bit(IPS_SEQ_ADJUST_BIT, &ct->status) &&
645 !nf_is_loopback_packet(skb)) {
646 if (!nf_ct_seq_adjust(skb, ct, ctinfo, protoff)) {
647 NF_CT_STAT_INC_ATOMIC(nf_ct_net(ct), drop);
652 /* We've seen it coming out the other side: confirm it */
653 return nf_conntrack_confirm(skb);
656 static unsigned int ipv6_conntrack_in(void *priv,
658 const struct nf_hook_state *state)
660 return nf_conntrack_in(skb, state);
663 static unsigned int ipv6_conntrack_local(void *priv,
665 const struct nf_hook_state *state)
667 return nf_conntrack_in(skb, state);
670 static unsigned int ipv6_helper(void *priv,
672 const struct nf_hook_state *state)
675 const struct nf_conn_help *help;
676 const struct nf_conntrack_helper *helper;
677 enum ip_conntrack_info ctinfo;
682 /* This is where we call the helper: as the packet goes out. */
683 ct = nf_ct_get(skb, &ctinfo);
684 if (!ct || ctinfo == IP_CT_RELATED_REPLY)
687 help = nfct_help(ct);
690 /* rcu_read_lock()ed by nf_hook_thresh */
691 helper = rcu_dereference(help->helper);
695 nexthdr = ipv6_hdr(skb)->nexthdr;
696 protoff = ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &nexthdr,
698 if (protoff < 0 || (frag_off & htons(~0x7)) != 0) {
699 pr_debug("proto header not found\n");
703 return helper->help(skb, protoff, ct, ctinfo);
706 static const struct nf_hook_ops ipv6_conntrack_ops[] = {
708 .hook = ipv6_conntrack_in,
710 .hooknum = NF_INET_PRE_ROUTING,
711 .priority = NF_IP6_PRI_CONNTRACK,
714 .hook = ipv6_conntrack_local,
716 .hooknum = NF_INET_LOCAL_OUT,
717 .priority = NF_IP6_PRI_CONNTRACK,
722 .hooknum = NF_INET_POST_ROUTING,
723 .priority = NF_IP6_PRI_CONNTRACK_HELPER,
726 .hook = ipv6_confirm,
728 .hooknum = NF_INET_POST_ROUTING,
729 .priority = NF_IP6_PRI_LAST,
734 .hooknum = NF_INET_LOCAL_IN,
735 .priority = NF_IP6_PRI_CONNTRACK_HELPER,
738 .hook = ipv6_confirm,
740 .hooknum = NF_INET_LOCAL_IN,
741 .priority = NF_IP6_PRI_LAST - 1,
746 static int nf_ct_tcp_fixup(struct nf_conn *ct, void *_nfproto)
748 u8 nfproto = (unsigned long)_nfproto;
750 if (nf_ct_l3num(ct) != nfproto)
753 if (nf_ct_protonum(ct) == IPPROTO_TCP &&
754 ct->proto.tcp.state == TCP_CONNTRACK_ESTABLISHED) {
755 ct->proto.tcp.seen[0].td_maxwin = 0;
756 ct->proto.tcp.seen[1].td_maxwin = 0;
762 static int nf_ct_netns_do_get(struct net *net, u8 nfproto)
764 struct nf_conntrack_net *cnet = net_generic(net, nf_conntrack_net_id);
765 bool fixup_needed = false;
768 mutex_lock(&nf_ct_proto_mutex);
773 if (cnet->users4 > 1)
775 err = nf_defrag_ipv4_enable(net);
781 err = nf_register_net_hooks(net, ipv4_conntrack_ops,
782 ARRAY_SIZE(ipv4_conntrack_ops));
788 #if IS_ENABLED(CONFIG_IPV6)
791 if (cnet->users6 > 1)
793 err = nf_defrag_ipv6_enable(net);
799 err = nf_register_net_hooks(net, ipv6_conntrack_ops,
800 ARRAY_SIZE(ipv6_conntrack_ops));
812 mutex_unlock(&nf_ct_proto_mutex);
815 nf_ct_iterate_cleanup_net(net, nf_ct_tcp_fixup,
816 (void *)(unsigned long)nfproto, 0, 0);
821 static void nf_ct_netns_do_put(struct net *net, u8 nfproto)
823 struct nf_conntrack_net *cnet = net_generic(net, nf_conntrack_net_id);
825 mutex_lock(&nf_ct_proto_mutex);
828 if (cnet->users4 && (--cnet->users4 == 0))
829 nf_unregister_net_hooks(net, ipv4_conntrack_ops,
830 ARRAY_SIZE(ipv4_conntrack_ops));
832 #if IS_ENABLED(CONFIG_IPV6)
834 if (cnet->users6 && (--cnet->users6 == 0))
835 nf_unregister_net_hooks(net, ipv6_conntrack_ops,
836 ARRAY_SIZE(ipv6_conntrack_ops));
841 mutex_unlock(&nf_ct_proto_mutex);
844 int nf_ct_netns_get(struct net *net, u8 nfproto)
848 if (nfproto == NFPROTO_INET) {
849 err = nf_ct_netns_do_get(net, NFPROTO_IPV4);
852 err = nf_ct_netns_do_get(net, NFPROTO_IPV6);
856 err = nf_ct_netns_do_get(net, nfproto);
863 nf_ct_netns_put(net, NFPROTO_IPV4);
867 EXPORT_SYMBOL_GPL(nf_ct_netns_get);
869 void nf_ct_netns_put(struct net *net, uint8_t nfproto)
871 if (nfproto == NFPROTO_INET) {
872 nf_ct_netns_do_put(net, NFPROTO_IPV4);
873 nf_ct_netns_do_put(net, NFPROTO_IPV6);
875 nf_ct_netns_do_put(net, nfproto);
878 EXPORT_SYMBOL_GPL(nf_ct_netns_put);
880 static const struct nf_conntrack_l4proto * const builtin_l4proto[] = {
881 &nf_conntrack_l4proto_tcp,
882 &nf_conntrack_l4proto_udp,
883 &nf_conntrack_l4proto_icmp,
884 #ifdef CONFIG_NF_CT_PROTO_DCCP
885 &nf_conntrack_l4proto_dccp,
887 #ifdef CONFIG_NF_CT_PROTO_SCTP
888 &nf_conntrack_l4proto_sctp,
890 #ifdef CONFIG_NF_CT_PROTO_UDPLITE
891 &nf_conntrack_l4proto_udplite,
893 #if IS_ENABLED(CONFIG_IPV6)
894 &nf_conntrack_l4proto_icmpv6,
895 #endif /* CONFIG_IPV6 */
898 int nf_conntrack_proto_init(void)
902 ret = nf_register_sockopt(&so_getorigdst);
906 #if IS_ENABLED(CONFIG_IPV6)
907 ret = nf_register_sockopt(&so_getorigdst6);
909 goto cleanup_sockopt;
912 for (i = 0; i < ARRAY_SIZE(nf_ct_protos); i++)
913 RCU_INIT_POINTER(nf_ct_protos[i],
914 &nf_conntrack_l4proto_generic);
916 ret = nf_ct_l4proto_register(builtin_l4proto,
917 ARRAY_SIZE(builtin_l4proto));
919 goto cleanup_sockopt2;
923 nf_unregister_sockopt(&so_getorigdst);
924 #if IS_ENABLED(CONFIG_IPV6)
926 nf_unregister_sockopt(&so_getorigdst6);
931 void nf_conntrack_proto_fini(void)
933 nf_unregister_sockopt(&so_getorigdst);
934 #if IS_ENABLED(CONFIG_IPV6)
935 nf_unregister_sockopt(&so_getorigdst6);
939 int nf_conntrack_proto_pernet_init(struct net *net)
942 struct nf_proto_net *pn = nf_ct_l4proto_net(net,
943 &nf_conntrack_l4proto_generic);
945 err = nf_conntrack_l4proto_generic.init_net(net);
948 err = nf_ct_l4proto_register_sysctl(net,
950 &nf_conntrack_l4proto_generic);
954 err = nf_ct_l4proto_pernet_register(net, builtin_l4proto,
955 ARRAY_SIZE(builtin_l4proto));
957 nf_ct_l4proto_unregister_sysctl(net, pn,
958 &nf_conntrack_l4proto_generic);
966 void nf_conntrack_proto_pernet_fini(struct net *net)
968 struct nf_proto_net *pn = nf_ct_l4proto_net(net,
969 &nf_conntrack_l4proto_generic);
971 nf_ct_l4proto_pernet_unregister(net, builtin_l4proto,
972 ARRAY_SIZE(builtin_l4proto));
974 nf_ct_l4proto_unregister_sysctl(net,
976 &nf_conntrack_l4proto_generic);
980 module_param_call(hashsize, nf_conntrack_set_hashsize, param_get_uint,
981 &nf_conntrack_htable_size, 0600);
983 MODULE_ALIAS("ip_conntrack");
984 MODULE_ALIAS("nf_conntrack-" __stringify(AF_INET));
985 MODULE_ALIAS("nf_conntrack-" __stringify(AF_INET6));
986 MODULE_LICENSE("GPL");
projects / linux-2.6-block.git / blob