1/* SPDX-License-Identifier: GPL-2.0 */
2/*
3 * Connection state tracking for netfilter. This is separated from,
4 * but required by, the (future) NAT layer; it can also be used by an iptables
5 * extension.
6 *
7 * 16 Dec 2003: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp>
8 * - generalize L3 protocol dependent part.
9 *
10 * Derived from include/linux/netfiter_ipv4/ip_conntrack.h
11 */
12
13#ifndef _NF_CONNTRACK_H
14#define _NF_CONNTRACK_H
15
16#include <linux/bitops.h>
17#include <linux/compiler.h>
18
19#include <linux/netfilter/nf_conntrack_common.h>
20#include <linux/netfilter/nf_conntrack_tcp.h>
21#include <linux/netfilter/nf_conntrack_sctp.h>
22#include <linux/netfilter/nf_conntrack_proto_gre.h>
23
24#include <net/netfilter/nf_conntrack_tuple.h>
25
26struct nf_ct_udp {
27 unsigned long stream_ts;
28};
29
30/* per conntrack: protocol private data */
31union nf_conntrack_proto {
32 /* insert conntrack proto private data here */
33 struct ip_ct_sctp sctp;
34 struct ip_ct_tcp tcp;
35 struct nf_ct_udp udp;
36 struct nf_ct_gre gre;
37 unsigned int tmpl_padto;
38};
39
40union nf_conntrack_expect_proto {
41 /* insert expect proto private data here */
42};
43
44struct nf_conntrack_net_ecache {
45 struct delayed_work dwork;
46 spinlock_t dying_lock;
47 struct hlist_nulls_head dying_list;
48};
49
50struct nf_conntrack_net {
51 /* only used when new connection is allocated: */
52 atomic_t count;
53 unsigned int expect_count;
54
55 /* only used from work queues, configuration plane, and so on: */
56 unsigned int users4;
57 unsigned int users6;
58 unsigned int users_bridge;
59#ifdef CONFIG_SYSCTL
60 struct ctl_table_header *sysctl_header;
61#endif
62#ifdef CONFIG_NF_CONNTRACK_EVENTS
63 struct nf_conntrack_net_ecache ecache;
64#endif
65};
66
67#include <linux/types.h>
68#include <linux/skbuff.h>
69
70#include <net/netfilter/ipv4/nf_conntrack_ipv4.h>
71#include <net/netfilter/ipv6/nf_conntrack_ipv6.h>
72
73struct nf_conn {
74 /* Usage count in here is 1 for hash table, 1 per skb,
75 * plus 1 for any connection(s) we are `master' for
76 *
77 * Hint, SKB address this struct and refcnt via skb->_nfct and
78 * helpers nf_conntrack_get() and nf_conntrack_put().
79 * Helper nf_ct_put() equals nf_conntrack_put() by dec refcnt,
80 * except that the latter uses internal indirection and does not
81 * result in a conntrack module dependency.
82 * beware nf_ct_get() is different and don't inc refcnt.
83 */
84 struct nf_conntrack ct_general;
85
86 spinlock_t lock;
87 /* jiffies32 when this ct is considered dead */
88 u32 timeout;
89
90#ifdef CONFIG_NF_CONNTRACK_ZONES
91 struct nf_conntrack_zone zone;
92#endif
93 /* XXX should I move this to the tail ? - Y.K */
94 /* These are my tuples; original and reply */
95 struct nf_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX];
96
97 /* Have we seen traffic both ways yet? (bitset) */
98 unsigned long status;
99
100 possible_net_t ct_net;
101
102#if IS_ENABLED(CONFIG_NF_NAT)
103 struct hlist_node nat_bysource;
104#endif
105 /* all members below initialized via memset */
106 struct { } __nfct_init_offset;
107
108 /* If we were expected by an expectation, this will be it */
109 struct nf_conn *master;
110
111#if defined(CONFIG_NF_CONNTRACK_MARK)
112 u_int32_t mark;
113#endif
114
115#ifdef CONFIG_NF_CONNTRACK_SECMARK
116 u_int32_t secmark;
117#endif
118
119 /* Extensions */
120 struct nf_ct_ext *ext;
121
122 /* Storage reserved for other modules, must be the last member */
123 union nf_conntrack_proto proto;
124};
125
126static inline struct nf_conn *
127nf_ct_to_nf_conn(const struct nf_conntrack *nfct)
128{
129 return container_of(nfct, struct nf_conn, ct_general);
130}
131
132static inline struct nf_conn *
133nf_ct_tuplehash_to_ctrack(const struct nf_conntrack_tuple_hash *hash)
134{
135 return container_of(hash, struct nf_conn,
136 tuplehash[hash->tuple.dst.dir]);
137}
138
139static inline u_int16_t nf_ct_l3num(const struct nf_conn *ct)
140{
141 return ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num;
142}
143
144static inline u_int8_t nf_ct_protonum(const struct nf_conn *ct)
145{
146 return ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum;
147}
148
149#define nf_ct_tuple(ct, dir) (&(ct)->tuplehash[dir].tuple)
150
151/* get master conntrack via master expectation */
152#define master_ct(conntr) (conntr->master)
153
154extern struct net init_net;
155
156static inline struct net *nf_ct_net(const struct nf_conn *ct)
157{
158 return read_pnet(pnet: &ct->ct_net);
159}
160
161/* Is this tuple taken? (ignoring any belonging to the given
162 conntrack). */
163int nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple,
164 const struct nf_conn *ignored_conntrack);
165
166/* Return conntrack_info and tuple hash for given skb. */
167static inline struct nf_conn *
168nf_ct_get(const struct sk_buff *skb, enum ip_conntrack_info *ctinfo)
169{
170 unsigned long nfct = skb_get_nfct(skb);
171
172 *ctinfo = nfct & NFCT_INFOMASK;
173 return (struct nf_conn *)(nfct & NFCT_PTRMASK);
174}
175
176void nf_ct_destroy(struct nf_conntrack *nfct);
177
178void nf_conntrack_tcp_set_closing(struct nf_conn *ct);
179
180/* decrement reference count on a conntrack */
181static inline void nf_ct_put(struct nf_conn *ct)
182{
183 if (ct && refcount_dec_and_test(r: &ct->ct_general.use))
184 nf_ct_destroy(nfct: &ct->ct_general);
185}
186
187/* load module; enable/disable conntrack in this namespace */
188int nf_ct_netns_get(struct net *net, u8 nfproto);
189void nf_ct_netns_put(struct net *net, u8 nfproto);
190
191/*
192 * Allocate a hashtable of hlist_head (if nulls == 0),
193 * or hlist_nulls_head (if nulls == 1)
194 */
195void *nf_ct_alloc_hashtable(unsigned int *sizep, int nulls);
196
197int nf_conntrack_hash_check_insert(struct nf_conn *ct);
198bool nf_ct_delete(struct nf_conn *ct, u32 pid, int report);
199
200bool nf_ct_get_tuplepr(const struct sk_buff *skb, unsigned int nhoff,
201 u_int16_t l3num, struct net *net,
202 struct nf_conntrack_tuple *tuple);
203
204void __nf_ct_refresh_acct(struct nf_conn *ct, enum ip_conntrack_info ctinfo,
205 u32 extra_jiffies, unsigned int bytes);
206
207/* Refresh conntrack for this many jiffies and do accounting */
208static inline void nf_ct_refresh_acct(struct nf_conn *ct,
209 enum ip_conntrack_info ctinfo,
210 const struct sk_buff *skb,
211 u32 extra_jiffies)
212{
213 __nf_ct_refresh_acct(ct, ctinfo, extra_jiffies, bytes: skb->len);
214}
215
216/* Refresh conntrack for this many jiffies */
217static inline void nf_ct_refresh(struct nf_conn *ct,
218 u32 extra_jiffies)
219{
220 __nf_ct_refresh_acct(ct, ctinfo: 0, extra_jiffies, bytes: 0);
221}
222
223/* kill conntrack and do accounting */
224bool nf_ct_kill_acct(struct nf_conn *ct, enum ip_conntrack_info ctinfo,
225 const struct sk_buff *skb);
226
227/* kill conntrack without accounting */
228static inline bool nf_ct_kill(struct nf_conn *ct)
229{
230 return nf_ct_delete(ct, pid: 0, report: 0);
231}
232
233struct nf_ct_iter_data {
234 struct net *net;
235 void *data;
236 u32 portid;
237 int report;
238};
239
240/* Iterate over all conntracks: if iter returns true, it's deleted. */
241void nf_ct_iterate_cleanup_net(int (*iter)(struct nf_conn *i, void *data),
242 const struct nf_ct_iter_data *iter_data);
243
244/* also set unconfirmed conntracks as dying. Only use in module exit path. */
245void nf_ct_iterate_destroy(int (*iter)(struct nf_conn *i, void *data),
246 void *data);
247
248struct nf_conntrack_zone;
249
250void nf_conntrack_free(struct nf_conn *ct);
251struct nf_conn *nf_conntrack_alloc(struct net *net,
252 const struct nf_conntrack_zone *zone,
253 const struct nf_conntrack_tuple *orig,
254 const struct nf_conntrack_tuple *repl,
255 gfp_t gfp);
256
257static inline int nf_ct_is_template(const struct nf_conn *ct)
258{
259 return test_bit(IPS_TEMPLATE_BIT, &ct->status);
260}
261
262/* It's confirmed if it is, or has been in the hash table. */
263static inline int nf_ct_is_confirmed(const struct nf_conn *ct)
264{
265 return test_bit(IPS_CONFIRMED_BIT, &ct->status);
266}
267
268static inline int nf_ct_is_dying(const struct nf_conn *ct)
269{
270 return test_bit(IPS_DYING_BIT, &ct->status);
271}
272
273/* Packet is received from loopback */
274static inline bool nf_is_loopback_packet(const struct sk_buff *skb)
275{
276 return skb->dev && skb->skb_iif && skb->dev->flags & IFF_LOOPBACK;
277}
278
279static inline void nf_conntrack_alter_reply(struct nf_conn *ct,
280 const struct nf_conntrack_tuple *newreply)
281{
282 /* Must be unconfirmed, so not in hash table yet */
283 if (WARN_ON(nf_ct_is_confirmed(ct)))
284 return;
285
286 ct->tuplehash[IP_CT_DIR_REPLY].tuple = *newreply;
287}
288
289#define nfct_time_stamp ((u32)(jiffies))
290
291/* jiffies until ct expires, 0 if already expired */
292static inline unsigned long nf_ct_expires(const struct nf_conn *ct)
293{
294 s32 timeout = READ_ONCE(ct->timeout) - nfct_time_stamp;
295
296 return max(timeout, 0);
297}
298
299static inline bool nf_ct_is_expired(const struct nf_conn *ct)
300{
301 return (__s32)(READ_ONCE(ct->timeout) - nfct_time_stamp) <= 0;
302}
303
304/* use after obtaining a reference count */
305static inline bool nf_ct_should_gc(const struct nf_conn *ct)
306{
307 if (!nf_ct_is_confirmed(ct))
308 return false;
309
310 /* load ct->timeout after is_confirmed() test.
311 * Pairs with __nf_conntrack_confirm() which:
312 * 1. Increases ct->timeout value
313 * 2. Inserts ct into rcu hlist
314 * 3. Sets the confirmed bit
315 * 4. Unlocks the hlist lock
316 */
317 smp_acquire__after_ctrl_dep();
318
319 return nf_ct_is_expired(ct) && !nf_ct_is_dying(ct);
320}
321
322#define NF_CT_DAY (86400 * HZ)
323
324struct kernel_param;
325
326int nf_conntrack_set_hashsize(const char *val, const struct kernel_param *kp);
327int nf_conntrack_hash_resize(unsigned int hashsize);
328
329extern struct hlist_nulls_head *nf_conntrack_hash;
330extern unsigned int nf_conntrack_htable_size;
331extern seqcount_spinlock_t nf_conntrack_generation;
332extern unsigned int nf_conntrack_max;
333
334/* must be called with rcu read lock held */
335static inline void
336nf_conntrack_get_ht(struct hlist_nulls_head **hash, unsigned int *hsize)
337{
338 struct hlist_nulls_head *hptr;
339 unsigned int sequence, hsz;
340
341 do {
342 sequence = read_seqcount_begin(&nf_conntrack_generation);
343 hsz = nf_conntrack_htable_size;
344 hptr = nf_conntrack_hash;
345 } while (read_seqcount_retry(&nf_conntrack_generation, sequence));
346
347 *hash = hptr;
348 *hsize = hsz;
349}
350
351struct nf_conn *nf_ct_tmpl_alloc(struct net *net,
352 const struct nf_conntrack_zone *zone,
353 gfp_t flags);
354void nf_ct_tmpl_free(struct nf_conn *tmpl);
355
356u32 nf_ct_get_id(const struct nf_conn *ct);
357u32 nf_conntrack_count(const struct net *net);
358
359static inline void
360nf_ct_set(struct sk_buff *skb, struct nf_conn *ct, enum ip_conntrack_info info)
361{
362 skb_set_nfct(skb, nfct: (unsigned long)ct | info);
363}
364
365extern unsigned int nf_conntrack_net_id;
366
367static inline struct nf_conntrack_net *nf_ct_pernet(const struct net *net)
368{
369 return net_generic(net, id: nf_conntrack_net_id);
370}
371
372int nf_ct_skb_network_trim(struct sk_buff *skb, int family);
373int nf_ct_handle_fragments(struct net *net, struct sk_buff *skb,
374 u16 zone, u8 family, u8 *proto, u16 *mru);
375
376#define NF_CT_STAT_INC(net, count) __this_cpu_inc((net)->ct.stat->count)
377#define NF_CT_STAT_INC_ATOMIC(net, count) this_cpu_inc((net)->ct.stat->count)
378#define NF_CT_STAT_ADD_ATOMIC(net, count, v) this_cpu_add((net)->ct.stat->count, (v))
379
380#define MODULE_ALIAS_NFCT_HELPER(helper) \
381 MODULE_ALIAS("nfct-helper-" helper)
382
383#endif /* _NF_CONNTRACK_H */
384