1 /* 2 * lib/netfilter/exp_obj.c Conntrack Expectation Object 3 * 4 * This library is free software; you can redistribute it and/or 5 * modify it under the terms of the GNU Lesser General Public 6 * License as published by the Free Software Foundation version 2.1 7 * of the License. 8 * 9 * Copyright (c) 2003-2008 Thomas Graf <tgraf (at) suug.ch> 10 * Copyright (c) 2007 Philip Craig <philipc (at) snapgear.com> 11 * Copyright (c) 2007 Secure Computing Corporation 12 * Copyright (c) 2012 Rich Fought <rich.fought (at) watchguard.com> 13 */ 14 15 #include <sys/types.h> 16 #include <netinet/in.h> 17 #include <linux/netfilter/nfnetlink_conntrack.h> 18 #include <linux/netfilter/nf_conntrack_common.h> 19 #include <linux/netfilter/nf_conntrack_tcp.h> 20 21 #include <netlink-private/netlink.h> 22 #include <netlink/netfilter/nfnl.h> 23 #include <netlink/netfilter/exp.h> 24 25 // The 32-bit attribute mask in the common object header isn't 26 // big enough to handle all attributes of an expectation. So 27 // we'll for sure specify optional attributes + parent attributes 28 // that are required for valid object comparison. Comparison of 29 // these parent attributes will include nested attributes. 30 31 /** @cond SKIP */ 32 #define EXP_ATTR_FAMILY (1UL << 0) // 8-bit 33 #define EXP_ATTR_TIMEOUT (1UL << 1) // 32-bit 34 #define EXP_ATTR_ID (1UL << 2) // 32-bit 35 #define EXP_ATTR_HELPER_NAME (1UL << 3) // string 36 #define EXP_ATTR_ZONE (1UL << 4) // 16-bit 37 #define EXP_ATTR_FLAGS (1UL << 5) // 32-bit 38 #define EXP_ATTR_CLASS (1UL << 6) // 32-bit 39 #define EXP_ATTR_FN (1UL << 7) // String 40 // Tuples 41 #define EXP_ATTR_EXPECT_IP_SRC (1UL << 8) 42 #define EXP_ATTR_EXPECT_IP_DST (1UL << 9) 43 #define EXP_ATTR_EXPECT_L4PROTO_NUM (1UL << 10) 44 #define EXP_ATTR_EXPECT_L4PROTO_PORTS (1UL << 11) 45 #define EXP_ATTR_EXPECT_L4PROTO_ICMP (1UL << 12) 46 #define EXP_ATTR_MASTER_IP_SRC (1UL << 13) 47 #define EXP_ATTR_MASTER_IP_DST (1UL << 14) 48 #define EXP_ATTR_MASTER_L4PROTO_NUM (1UL << 15) 49 #define EXP_ATTR_MASTER_L4PROTO_PORTS (1UL << 16) 50 #define EXP_ATTR_MASTER_L4PROTO_ICMP (1UL << 17) 51 #define EXP_ATTR_MASK_IP_SRC (1UL << 18) 52 #define EXP_ATTR_MASK_IP_DST (1UL << 19) 53 #define EXP_ATTR_MASK_L4PROTO_NUM (1UL << 20) 54 #define EXP_ATTR_MASK_L4PROTO_PORTS (1UL << 21) 55 #define EXP_ATTR_MASK_L4PROTO_ICMP (1UL << 22) 56 #define EXP_ATTR_NAT_IP_SRC (1UL << 23) 57 #define EXP_ATTR_NAT_IP_DST (1UL << 24) 58 #define EXP_ATTR_NAT_L4PROTO_NUM (1UL << 25) 59 #define EXP_ATTR_NAT_L4PROTO_PORTS (1UL << 26) 60 #define EXP_ATTR_NAT_L4PROTO_ICMP (1UL << 27) 61 #define EXP_ATTR_NAT_DIR (1UL << 28) 62 /** @endcond */ 63 64 static void exp_free_data(struct nl_object *c) 65 { 66 struct nfnl_exp *exp = (struct nfnl_exp *) c; 67 68 if (exp == NULL) 69 return; 70 71 nl_addr_put(exp->exp_expect.src); 72 nl_addr_put(exp->exp_expect.dst); 73 nl_addr_put(exp->exp_master.src); 74 nl_addr_put(exp->exp_master.dst); 75 nl_addr_put(exp->exp_mask.src); 76 nl_addr_put(exp->exp_mask.dst); 77 nl_addr_put(exp->exp_nat.src); 78 nl_addr_put(exp->exp_nat.dst); 79 80 free(exp->exp_fn); 81 free(exp->exp_helper_name); 82 } 83 84 static int exp_clone(struct nl_object *_dst, struct nl_object *_src) 85 { 86 struct nfnl_exp *dst = (struct nfnl_exp *) _dst; 87 struct nfnl_exp *src = (struct nfnl_exp *) _src; 88 struct nl_addr *addr; 89 90 // Expectation 91 if (src->exp_expect.src) { 92 addr = nl_addr_clone(src->exp_expect.src); 93 if (!addr) 94 return -NLE_NOMEM; 95 dst->exp_expect.src = addr; 96 } 97 98 if (src->exp_expect.dst) { 99 addr = nl_addr_clone(src->exp_expect.dst); 100 if (!addr) 101 return -NLE_NOMEM; 102 dst->exp_expect.dst = addr; 103 } 104 105 // Master CT 106 if (src->exp_master.src) { 107 addr = nl_addr_clone(src->exp_master.src); 108 if (!addr) 109 return -NLE_NOMEM; 110 dst->exp_master.src = addr; 111 } 112 113 if (src->exp_master.dst) { 114 addr = nl_addr_clone(src->exp_master.dst); 115 if (!addr) 116 return -NLE_NOMEM; 117 dst->exp_master.dst = addr; 118 } 119 120 // Mask 121 if (src->exp_mask.src) { 122 addr = nl_addr_clone(src->exp_mask.src); 123 if (!addr) 124 return -NLE_NOMEM; 125 dst->exp_mask.src = addr; 126 } 127 128 if (src->exp_mask.dst) { 129 addr = nl_addr_clone(src->exp_mask.dst); 130 if (!addr) 131 return -NLE_NOMEM; 132 dst->exp_mask.dst = addr; 133 } 134 135 // NAT 136 if (src->exp_nat.src) { 137 addr = nl_addr_clone(src->exp_nat.src); 138 if (!addr) 139 return -NLE_NOMEM; 140 dst->exp_nat.src = addr; 141 } 142 143 if (src->exp_nat.dst) { 144 addr = nl_addr_clone(src->exp_nat.dst); 145 if (!addr) 146 return -NLE_NOMEM; 147 dst->exp_nat.dst = addr; 148 } 149 150 if (src->exp_fn) 151 dst->exp_fn = strdup(src->exp_fn); 152 153 if (src->exp_helper_name) 154 dst->exp_helper_name = strdup(src->exp_helper_name); 155 156 return 0; 157 } 158 159 static void dump_addr(struct nl_dump_params *p, struct nl_addr *addr, int port) 160 { 161 char buf[64]; 162 163 if (addr) 164 nl_dump(p, "%s", nl_addr2str(addr, buf, sizeof(buf))); 165 166 if (port) 167 nl_dump(p, ":%u ", port); 168 else if (addr) 169 nl_dump(p, " "); 170 } 171 172 static void dump_icmp(struct nl_dump_params *p, struct nfnl_exp *exp, int tuple) 173 { 174 if (nfnl_exp_test_icmp(exp, tuple)) { 175 176 nl_dump(p, "icmp type %d ", nfnl_exp_get_icmp_type(exp, tuple)); 177 178 nl_dump(p, "code %d ", nfnl_exp_get_icmp_code(exp, tuple)); 179 180 nl_dump(p, "id %d ", nfnl_exp_get_icmp_id(exp, tuple)); 181 } 182 } 183 184 static void exp_dump_tuples(struct nfnl_exp *exp, struct nl_dump_params *p) 185 { 186 struct nl_addr *tuple_src, *tuple_dst; 187 int tuple_sport, tuple_dport; 188 int i = 0; 189 char buf[64]; 190 191 for (i = NFNL_EXP_TUPLE_EXPECT; i < NFNL_EXP_TUPLE_MAX; i++) { 192 tuple_src = NULL; 193 tuple_dst = NULL; 194 tuple_sport = 0; 195 tuple_dport = 0; 196 197 // Test needed for NAT case 198 if (nfnl_exp_test_src(exp, i)) 199 tuple_src = nfnl_exp_get_src(exp, i); 200 if (nfnl_exp_test_dst(exp, i)) 201 tuple_dst = nfnl_exp_get_dst(exp, i); 202 203 // Don't have tests for individual ports/types/codes/ids, 204 if (nfnl_exp_test_l4protonum(exp, i)) { 205 nl_dump(p, "%s ", 206 nl_ip_proto2str(nfnl_exp_get_l4protonum(exp, i), buf, sizeof(buf))); 207 } 208 209 if (nfnl_exp_test_ports(exp, i)) { 210 tuple_sport = nfnl_exp_get_src_port(exp, i); 211 tuple_dport = nfnl_exp_get_dst_port(exp, i); 212 } 213 214 dump_addr(p, tuple_src, tuple_sport); 215 dump_addr(p, tuple_dst, tuple_dport); 216 dump_icmp(p, exp, 0); 217 } 218 219 if (nfnl_exp_test_nat_dir(exp)) 220 nl_dump(p, "nat dir %s ", exp->exp_nat_dir); 221 222 } 223 224 /* FIXME Compatible with /proc/net/nf_conntrack */ 225 static void exp_dump_line(struct nl_object *a, struct nl_dump_params *p) 226 { 227 struct nfnl_exp *exp = (struct nfnl_exp *) a; 228 229 nl_new_line(p); 230 231 exp_dump_tuples(exp, p); 232 233 nl_dump(p, "\n"); 234 } 235 236 static void exp_dump_details(struct nl_object *a, struct nl_dump_params *p) 237 { 238 struct nfnl_exp *exp = (struct nfnl_exp *) a; 239 char buf[64]; 240 int fp = 0; 241 242 exp_dump_line(a, p); 243 244 nl_dump(p, " id 0x%x ", exp->exp_id); 245 nl_dump_line(p, "family %s ", 246 nl_af2str(exp->exp_family, buf, sizeof(buf))); 247 248 if (nfnl_exp_test_timeout(exp)) { 249 uint64_t timeout_ms = nfnl_exp_get_timeout(exp) * 1000UL; 250 nl_dump(p, "timeout %s ", 251 nl_msec2str(timeout_ms, buf, sizeof(buf))); 252 } 253 254 if (nfnl_exp_test_helper_name(exp)) 255 nl_dump(p, "helper %s ", exp->exp_helper_name); 256 257 if (nfnl_exp_test_fn(exp)) 258 nl_dump(p, "fn %s ", exp->exp_fn); 259 260 if (nfnl_exp_test_class(exp)) 261 nl_dump(p, "class %u ", nfnl_exp_get_class(exp)); 262 263 if (nfnl_exp_test_zone(exp)) 264 nl_dump(p, "zone %u ", nfnl_exp_get_zone(exp)); 265 266 if (nfnl_exp_test_flags(exp)) 267 nl_dump(p, "<"); 268 #define PRINT_FLAG(str) \ 269 { nl_dump(p, "%s%s", fp++ ? "," : "", (str)); } 270 271 if (exp->exp_flags & NF_CT_EXPECT_PERMANENT) 272 PRINT_FLAG("PERMANENT"); 273 if (exp->exp_flags & NF_CT_EXPECT_INACTIVE) 274 PRINT_FLAG("INACTIVE"); 275 if (exp->exp_flags & NF_CT_EXPECT_USERSPACE) 276 PRINT_FLAG("USERSPACE"); 277 #undef PRINT_FLAG 278 279 if (nfnl_exp_test_flags(exp)) 280 nl_dump(p, ">"); 281 282 nl_dump(p, "\n"); 283 } 284 285 static int exp_cmp_l4proto_ports (union nfnl_exp_protodata *a, union nfnl_exp_protodata *b) { 286 // Must return 0 for match, 1 for mismatch 287 int d = 0; 288 d = ( (a->port.src != b->port.src) || 289 (a->port.dst != b->port.dst) ); 290 291 return d; 292 } 293 294 static int exp_cmp_l4proto_icmp (union nfnl_exp_protodata *a, union nfnl_exp_protodata *b) { 295 // Must return 0 for match, 1 for mismatch 296 int d = 0; 297 d = ( (a->icmp.code != b->icmp.code) || 298 (a->icmp.type != b->icmp.type) || 299 (a->icmp.id != b->icmp.id) ); 300 301 return d; 302 } 303 304 static int exp_compare(struct nl_object *_a, struct nl_object *_b, 305 uint32_t attrs, int flags) 306 { 307 struct nfnl_exp *a = (struct nfnl_exp *) _a; 308 struct nfnl_exp *b = (struct nfnl_exp *) _b; 309 int diff = 0; 310 311 #define EXP_DIFF(ATTR, EXPR) ATTR_DIFF(attrs, EXP_ATTR_##ATTR, a, b, EXPR) 312 #define EXP_DIFF_VAL(ATTR, FIELD) EXP_DIFF(ATTR, a->FIELD != b->FIELD) 313 #define EXP_DIFF_STRING(ATTR, FIELD) EXP_DIFF(ATTR, (strcmp(a->FIELD, b->FIELD) != 0)) 314 #define EXP_DIFF_ADDR(ATTR, FIELD) \ 315 ((flags & LOOSE_COMPARISON) \ 316 ? EXP_DIFF(ATTR, nl_addr_cmp_prefix(a->FIELD, b->FIELD)) \ 317 : EXP_DIFF(ATTR, nl_addr_cmp(a->FIELD, b->FIELD))) 318 #define EXP_DIFF_L4PROTO_PORTS(ATTR, FIELD) \ 319 EXP_DIFF(ATTR, exp_cmp_l4proto_ports(&(a->FIELD), &(b->FIELD))) 320 #define EXP_DIFF_L4PROTO_ICMP(ATTR, FIELD) \ 321 EXP_DIFF(ATTR, exp_cmp_l4proto_icmp(&(a->FIELD), &(b->FIELD))) 322 323 diff |= EXP_DIFF_VAL(FAMILY, exp_family); 324 diff |= EXP_DIFF_VAL(TIMEOUT, exp_timeout); 325 diff |= EXP_DIFF_VAL(ID, exp_id); 326 diff |= EXP_DIFF_VAL(ZONE, exp_zone); 327 diff |= EXP_DIFF_VAL(CLASS, exp_class); 328 diff |= EXP_DIFF_VAL(FLAGS, exp_flags); 329 diff |= EXP_DIFF_VAL(NAT_DIR, exp_nat_dir); 330 331 diff |= EXP_DIFF_STRING(FN, exp_fn); 332 diff |= EXP_DIFF_STRING(HELPER_NAME, exp_helper_name); 333 334 diff |= EXP_DIFF_ADDR(EXPECT_IP_SRC, exp_expect.src); 335 diff |= EXP_DIFF_ADDR(EXPECT_IP_DST, exp_expect.dst); 336 diff |= EXP_DIFF_VAL(EXPECT_L4PROTO_NUM, exp_expect.proto.l4protonum); 337 diff |= EXP_DIFF_L4PROTO_PORTS(EXPECT_L4PROTO_PORTS, exp_expect.proto.l4protodata); 338 diff |= EXP_DIFF_L4PROTO_ICMP(EXPECT_L4PROTO_ICMP, exp_expect.proto.l4protodata); 339 340 diff |= EXP_DIFF_ADDR(MASTER_IP_SRC, exp_master.src); 341 diff |= EXP_DIFF_ADDR(MASTER_IP_DST, exp_master.dst); 342 diff |= EXP_DIFF_VAL(MASTER_L4PROTO_NUM, exp_master.proto.l4protonum); 343 diff |= EXP_DIFF_L4PROTO_PORTS(MASTER_L4PROTO_PORTS, exp_master.proto.l4protodata); 344 diff |= EXP_DIFF_L4PROTO_ICMP(MASTER_L4PROTO_ICMP, exp_master.proto.l4protodata); 345 346 diff |= EXP_DIFF_ADDR(MASK_IP_SRC, exp_mask.src); 347 diff |= EXP_DIFF_ADDR(MASK_IP_DST, exp_mask.dst); 348 diff |= EXP_DIFF_VAL(MASK_L4PROTO_NUM, exp_mask.proto.l4protonum); 349 diff |= EXP_DIFF_L4PROTO_PORTS(MASK_L4PROTO_PORTS, exp_mask.proto.l4protodata); 350 diff |= EXP_DIFF_L4PROTO_ICMP(MASK_L4PROTO_ICMP, exp_mask.proto.l4protodata); 351 352 diff |= EXP_DIFF_ADDR(NAT_IP_SRC, exp_nat.src); 353 diff |= EXP_DIFF_ADDR(NAT_IP_DST, exp_nat.dst); 354 diff |= EXP_DIFF_VAL(NAT_L4PROTO_NUM, exp_nat.proto.l4protonum); 355 diff |= EXP_DIFF_L4PROTO_PORTS(NAT_L4PROTO_PORTS, exp_nat.proto.l4protodata); 356 diff |= EXP_DIFF_L4PROTO_ICMP(NAT_L4PROTO_ICMP, exp_nat.proto.l4protodata); 357 358 #undef EXP_DIFF 359 #undef EXP_DIFF_VAL 360 #undef EXP_DIFF_STRING 361 #undef EXP_DIFF_ADDR 362 #undef EXP_DIFF_L4PROTO_PORTS 363 #undef EXP_DIFF_L4PROTO_ICMP 364 365 return diff; 366 } 367 368 // CLI arguments? 369 static const struct trans_tbl exp_attrs[] = { 370 __ADD(EXP_ATTR_FAMILY, family) 371 __ADD(EXP_ATTR_TIMEOUT, timeout) 372 __ADD(EXP_ATTR_ID, id) 373 __ADD(EXP_ATTR_HELPER_NAME, helpername) 374 __ADD(EXP_ATTR_ZONE, zone) 375 __ADD(EXP_ATTR_CLASS, class) 376 __ADD(EXP_ATTR_FLAGS, flags) 377 __ADD(EXP_ATTR_FN, function) 378 __ADD(EXP_ATTR_EXPECT_IP_SRC, expectipsrc) 379 __ADD(EXP_ATTR_EXPECT_IP_DST, expectipdst) 380 __ADD(EXP_ATTR_EXPECT_L4PROTO_NUM, expectprotonum) 381 __ADD(EXP_ATTR_EXPECT_L4PROTO_PORTS, expectports) 382 __ADD(EXP_ATTR_EXPECT_L4PROTO_ICMP, expecticmp) 383 __ADD(EXP_ATTR_MASTER_IP_SRC, masteripsrc) 384 __ADD(EXP_ATTR_MASTER_IP_DST, masteripdst) 385 __ADD(EXP_ATTR_MASTER_L4PROTO_NUM, masterprotonum) 386 __ADD(EXP_ATTR_MASTER_L4PROTO_PORTS, masterports) 387 __ADD(EXP_ATTR_MASTER_L4PROTO_ICMP, mastericmp) 388 __ADD(EXP_ATTR_MASK_IP_SRC, maskipsrc) 389 __ADD(EXP_ATTR_MASK_IP_DST, maskipdst) 390 __ADD(EXP_ATTR_MASK_L4PROTO_NUM, maskprotonum) 391 __ADD(EXP_ATTR_MASK_L4PROTO_PORTS, maskports) 392 __ADD(EXP_ATTR_MASK_L4PROTO_ICMP, maskicmp) 393 __ADD(EXP_ATTR_NAT_IP_SRC, natipsrc) 394 __ADD(EXP_ATTR_NAT_IP_DST, natipdst) 395 __ADD(EXP_ATTR_NAT_L4PROTO_NUM, natprotonum) 396 __ADD(EXP_ATTR_NAT_L4PROTO_PORTS, natports) 397 __ADD(EXP_ATTR_NAT_L4PROTO_ICMP, naticmp) 398 __ADD(EXP_ATTR_NAT_DIR, natdir) 399 }; 400 401 static char *exp_attrs2str(int attrs, char *buf, size_t len) 402 { 403 return __flags2str(attrs, buf, len, exp_attrs, ARRAY_SIZE(exp_attrs)); 404 } 405 406 /** 407 * @name Allocation/Freeing 408 * @{ 409 */ 410 411 struct nfnl_exp *nfnl_exp_alloc(void) 412 { 413 return (struct nfnl_exp *) nl_object_alloc(&exp_obj_ops); 414 } 415 416 void nfnl_exp_get(struct nfnl_exp *exp) 417 { 418 nl_object_get((struct nl_object *) exp); 419 } 420 421 void nfnl_exp_put(struct nfnl_exp *exp) 422 { 423 nl_object_put((struct nl_object *) exp); 424 } 425 426 /** @} */ 427 428 /** 429 * @name Attributes 430 * @{ 431 */ 432 433 void nfnl_exp_set_family(struct nfnl_exp *exp, uint8_t family) 434 { 435 exp->exp_family = family; 436 exp->ce_mask |= EXP_ATTR_FAMILY; 437 } 438 439 uint8_t nfnl_exp_get_family(const struct nfnl_exp *exp) 440 { 441 if (exp->ce_mask & EXP_ATTR_FAMILY) 442 return exp->exp_family; 443 else 444 return AF_UNSPEC; 445 } 446 447 void nfnl_exp_set_flags(struct nfnl_exp *exp, uint32_t flags) 448 { 449 exp->exp_flags |= flags; 450 exp->ce_mask |= EXP_ATTR_FLAGS; 451 } 452 453 int nfnl_exp_test_flags(const struct nfnl_exp *exp) 454 { 455 return !!(exp->ce_mask & EXP_ATTR_FLAGS); 456 } 457 458 void nfnl_exp_unset_flags(struct nfnl_exp *exp, uint32_t flags) 459 { 460 exp->exp_flags &= ~flags; 461 exp->ce_mask |= EXP_ATTR_FLAGS; 462 } 463 464 uint32_t nfnl_exp_get_flags(const struct nfnl_exp *exp) 465 { 466 return exp->exp_flags; 467 } 468 469 static const struct trans_tbl flag_table[] = { 470 __ADD(IPS_EXPECTED, expected) 471 __ADD(IPS_SEEN_REPLY, seen_reply) 472 __ADD(IPS_ASSURED, assured) 473 }; 474 475 char * nfnl_exp_flags2str(int flags, char *buf, size_t len) 476 { 477 return __flags2str(flags, buf, len, flag_table, 478 ARRAY_SIZE(flag_table)); 479 } 480 481 int nfnl_exp_str2flags(const char *name) 482 { 483 return __str2flags(name, flag_table, ARRAY_SIZE(flag_table)); 484 } 485 486 void nfnl_exp_set_timeout(struct nfnl_exp *exp, uint32_t timeout) 487 { 488 exp->exp_timeout = timeout; 489 exp->ce_mask |= EXP_ATTR_TIMEOUT; 490 } 491 492 int nfnl_exp_test_timeout(const struct nfnl_exp *exp) 493 { 494 return !!(exp->ce_mask & EXP_ATTR_TIMEOUT); 495 } 496 497 uint32_t nfnl_exp_get_timeout(const struct nfnl_exp *exp) 498 { 499 return exp->exp_timeout; 500 } 501 502 void nfnl_exp_set_id(struct nfnl_exp *exp, uint32_t id) 503 { 504 exp->exp_id = id; 505 exp->ce_mask |= EXP_ATTR_ID; 506 } 507 508 int nfnl_exp_test_id(const struct nfnl_exp *exp) 509 { 510 return !!(exp->ce_mask & EXP_ATTR_ID); 511 } 512 513 uint32_t nfnl_exp_get_id(const struct nfnl_exp *exp) 514 { 515 return exp->exp_id; 516 } 517 518 int nfnl_exp_set_helper_name(struct nfnl_exp *exp, void *name) 519 { 520 free(exp->exp_helper_name); 521 exp->exp_helper_name = strdup(name); 522 if (!exp->exp_helper_name) 523 return -NLE_NOMEM; 524 525 exp->ce_mask |= EXP_ATTR_HELPER_NAME; 526 return 0; 527 } 528 529 int nfnl_exp_test_helper_name(const struct nfnl_exp *exp) 530 { 531 return !!(exp->ce_mask & EXP_ATTR_HELPER_NAME); 532 } 533 534 const char * nfnl_exp_get_helper_name(const struct nfnl_exp *exp) 535 { 536 return exp->exp_helper_name; 537 } 538 539 void nfnl_exp_set_zone(struct nfnl_exp *exp, uint16_t zone) 540 { 541 exp->exp_zone = zone; 542 exp->ce_mask |= EXP_ATTR_ZONE; 543 } 544 545 int nfnl_exp_test_zone(const struct nfnl_exp *exp) 546 { 547 return !!(exp->ce_mask & EXP_ATTR_ZONE); 548 } 549 550 uint16_t nfnl_exp_get_zone(const struct nfnl_exp *exp) 551 { 552 return exp->exp_zone; 553 } 554 555 void nfnl_exp_set_class(struct nfnl_exp *exp, uint32_t class) 556 { 557 exp->exp_class = class; 558 exp->ce_mask |= EXP_ATTR_CLASS; 559 } 560 561 int nfnl_exp_test_class(const struct nfnl_exp *exp) 562 { 563 return !!(exp->ce_mask & EXP_ATTR_CLASS); 564 } 565 566 uint32_t nfnl_exp_get_class(const struct nfnl_exp *exp) 567 { 568 return exp->exp_class; 569 } 570 571 int nfnl_exp_set_fn(struct nfnl_exp *exp, void *fn) 572 { 573 free(exp->exp_fn); 574 exp->exp_fn = strdup(fn); 575 if (!exp->exp_fn) 576 return -NLE_NOMEM; 577 578 exp->ce_mask |= EXP_ATTR_FN; 579 return 0; 580 } 581 582 int nfnl_exp_test_fn(const struct nfnl_exp *exp) 583 { 584 return !!(exp->ce_mask & EXP_ATTR_FN); 585 } 586 587 const char * nfnl_exp_get_fn(const struct nfnl_exp *exp) 588 { 589 return exp->exp_fn; 590 } 591 592 void nfnl_exp_set_nat_dir(struct nfnl_exp *exp, uint8_t nat_dir) 593 { 594 exp->exp_nat_dir = nat_dir; 595 exp->ce_mask |= EXP_ATTR_NAT_DIR; 596 } 597 598 int nfnl_exp_test_nat_dir(const struct nfnl_exp *exp) 599 { 600 return !!(exp->ce_mask & EXP_ATTR_NAT_DIR); 601 } 602 603 uint8_t nfnl_exp_get_nat_dir(const struct nfnl_exp *exp) 604 { 605 return exp->exp_nat_dir; 606 } 607 608 #define EXP_GET_TUPLE(e, t) \ 609 (t == NFNL_EXP_TUPLE_MASTER) ? \ 610 &(e->exp_master) : \ 611 (t == NFNL_EXP_TUPLE_MASK) ? \ 612 &(e->exp_mask) : \ 613 (t == NFNL_EXP_TUPLE_NAT) ? \ 614 &(e->exp_nat) : &(exp->exp_expect) 615 616 static int exp_get_src_attr(int tuple) 617 { 618 int attr = 0; 619 620 switch (tuple) { 621 case NFNL_EXP_TUPLE_MASTER: 622 attr = EXP_ATTR_MASTER_IP_SRC; 623 break; 624 case NFNL_EXP_TUPLE_MASK: 625 attr = EXP_ATTR_MASK_IP_SRC; 626 break; 627 case NFNL_EXP_TUPLE_NAT: 628 attr = EXP_ATTR_NAT_IP_SRC; 629 break; 630 case NFNL_EXP_TUPLE_EXPECT: 631 default : 632 attr = EXP_ATTR_EXPECT_IP_SRC; 633 } 634 635 return attr; 636 } 637 638 static int exp_get_dst_attr(int tuple) 639 { 640 int attr = 0; 641 642 switch (tuple) { 643 case NFNL_EXP_TUPLE_MASTER: 644 attr = EXP_ATTR_MASTER_IP_DST; 645 break; 646 case NFNL_EXP_TUPLE_MASK: 647 attr = EXP_ATTR_MASK_IP_DST; 648 break; 649 case NFNL_EXP_TUPLE_NAT: 650 attr = EXP_ATTR_NAT_IP_DST; 651 break; 652 case NFNL_EXP_TUPLE_EXPECT: 653 default : 654 attr = EXP_ATTR_EXPECT_IP_DST; 655 } 656 657 return attr; 658 } 659 660 661 static int exp_set_addr(struct nfnl_exp *exp, struct nl_addr *addr, 662 int attr, struct nl_addr ** exp_addr) 663 { 664 if (exp->ce_mask & EXP_ATTR_FAMILY) { 665 if (addr->a_family != exp->exp_family) 666 return -NLE_AF_MISMATCH; 667 } else 668 nfnl_exp_set_family(exp, addr->a_family); 669 670 if (*exp_addr) 671 nl_addr_put(*exp_addr); 672 673 nl_addr_get(addr); 674 *exp_addr = addr; 675 exp->ce_mask |= attr; 676 677 return 0; 678 } 679 680 int nfnl_exp_set_src(struct nfnl_exp *exp, int tuple, struct nl_addr *addr) 681 { 682 struct nfnl_exp_dir *dir = EXP_GET_TUPLE(exp, tuple); 683 684 return exp_set_addr(exp, addr, exp_get_src_attr(tuple), &dir->src); 685 } 686 687 int nfnl_exp_set_dst(struct nfnl_exp *exp, int tuple, struct nl_addr *addr) 688 { 689 struct nfnl_exp_dir *dir = EXP_GET_TUPLE(exp, tuple); 690 691 return exp_set_addr(exp, addr, exp_get_dst_attr(tuple), &dir->dst); 692 } 693 694 int nfnl_exp_test_src(const struct nfnl_exp *exp, int tuple) 695 { 696 return !!(exp->ce_mask & exp_get_src_attr(tuple)); 697 } 698 699 int nfnl_exp_test_dst(const struct nfnl_exp *exp, int tuple) 700 { 701 return !!(exp->ce_mask & exp_get_dst_attr(tuple)); 702 } 703 704 struct nl_addr *nfnl_exp_get_src(const struct nfnl_exp *exp, int tuple) 705 { 706 const struct nfnl_exp_dir *dir = EXP_GET_TUPLE(exp, tuple); 707 708 if (!(exp->ce_mask & exp_get_src_attr(tuple))) 709 return NULL; 710 return dir->src; 711 } 712 713 struct nl_addr *nfnl_exp_get_dst(const struct nfnl_exp *exp, int tuple) 714 { 715 const struct nfnl_exp_dir *dir = EXP_GET_TUPLE(exp, tuple); 716 717 if (!(exp->ce_mask & exp_get_dst_attr(tuple))) 718 return NULL; 719 return dir->dst; 720 } 721 722 static int exp_get_l4protonum_attr(int tuple) 723 { 724 int attr = 0; 725 726 switch (tuple) { 727 case NFNL_EXP_TUPLE_MASTER: 728 attr = EXP_ATTR_MASTER_L4PROTO_NUM; 729 break; 730 case NFNL_EXP_TUPLE_MASK: 731 attr = EXP_ATTR_MASK_L4PROTO_NUM; 732 break; 733 case NFNL_EXP_TUPLE_NAT: 734 attr = EXP_ATTR_NAT_L4PROTO_NUM; 735 break; 736 case NFNL_EXP_TUPLE_EXPECT: 737 default : 738 attr = EXP_ATTR_EXPECT_L4PROTO_NUM; 739 } 740 741 return attr; 742 } 743 744 void nfnl_exp_set_l4protonum(struct nfnl_exp *exp, int tuple, uint8_t l4protonum) 745 { 746 struct nfnl_exp_dir *dir = EXP_GET_TUPLE(exp, tuple); 747 748 dir->proto.l4protonum = l4protonum; 749 exp->ce_mask |= exp_get_l4protonum_attr(tuple); 750 } 751 752 int nfnl_exp_test_l4protonum(const struct nfnl_exp *exp, int tuple) 753 { 754 return !!(exp->ce_mask & exp_get_l4protonum_attr(tuple)); 755 } 756 757 uint8_t nfnl_exp_get_l4protonum(const struct nfnl_exp *exp, int tuple) 758 { 759 const struct nfnl_exp_dir *dir = EXP_GET_TUPLE(exp, tuple); 760 return dir->proto.l4protonum; 761 } 762 763 static int exp_get_l4ports_attr(int tuple) 764 { 765 int attr = 0; 766 767 switch (tuple) { 768 case NFNL_EXP_TUPLE_MASTER: 769 attr = EXP_ATTR_MASTER_L4PROTO_PORTS; 770 break; 771 case NFNL_EXP_TUPLE_MASK: 772 attr = EXP_ATTR_MASK_L4PROTO_PORTS; 773 break; 774 case NFNL_EXP_TUPLE_NAT: 775 attr = EXP_ATTR_NAT_L4PROTO_PORTS; 776 break; 777 case NFNL_EXP_TUPLE_EXPECT: 778 default : 779 attr = EXP_ATTR_EXPECT_L4PROTO_PORTS; 780 } 781 782 return attr; 783 } 784 785 void nfnl_exp_set_ports(struct nfnl_exp *exp, int tuple, uint16_t srcport, uint16_t dstport) 786 { 787 struct nfnl_exp_dir *dir = EXP_GET_TUPLE(exp, tuple); 788 789 dir->proto.l4protodata.port.src = srcport; 790 dir->proto.l4protodata.port.dst = dstport; 791 792 exp->ce_mask |= exp_get_l4ports_attr(tuple); 793 } 794 795 int nfnl_exp_test_ports(const struct nfnl_exp *exp, int tuple) 796 { 797 return !!(exp->ce_mask & exp_get_l4ports_attr(tuple)); 798 } 799 800 uint16_t nfnl_exp_get_src_port(const struct nfnl_exp *exp, int tuple) 801 { 802 const struct nfnl_exp_dir *dir = EXP_GET_TUPLE(exp, tuple); 803 return dir->proto.l4protodata.port.src; 804 } 805 806 uint16_t nfnl_exp_get_dst_port(const struct nfnl_exp *exp, int tuple) 807 { 808 const struct nfnl_exp_dir *dir = EXP_GET_TUPLE(exp, tuple); 809 810 return dir->proto.l4protodata.port.dst; 811 } 812 813 static int exp_get_l4icmp_attr(int tuple) 814 { 815 int attr = 0; 816 817 switch (tuple) { 818 case NFNL_EXP_TUPLE_MASTER: 819 attr = EXP_ATTR_MASTER_L4PROTO_ICMP; 820 break; 821 case NFNL_EXP_TUPLE_MASK: 822 attr = EXP_ATTR_MASK_L4PROTO_ICMP; 823 break; 824 case NFNL_EXP_TUPLE_NAT: 825 attr = EXP_ATTR_NAT_L4PROTO_ICMP; 826 break; 827 case NFNL_EXP_TUPLE_EXPECT: 828 default : 829 attr = EXP_ATTR_EXPECT_L4PROTO_ICMP; 830 } 831 832 return attr; 833 } 834 835 void nfnl_exp_set_icmp(struct nfnl_exp *exp, int tuple, uint16_t id, uint8_t type, uint8_t code) 836 { 837 struct nfnl_exp_dir *dir = EXP_GET_TUPLE(exp, tuple); 838 839 dir->proto.l4protodata.icmp.id = id; 840 dir->proto.l4protodata.icmp.type = type; 841 dir->proto.l4protodata.icmp.code = code; 842 843 exp->ce_mask |= exp_get_l4icmp_attr(tuple); 844 } 845 846 int nfnl_exp_test_icmp(const struct nfnl_exp *exp, int tuple) 847 { 848 int attr = exp_get_l4icmp_attr(tuple); 849 return !!(exp->ce_mask & attr); 850 } 851 852 uint16_t nfnl_exp_get_icmp_id(const struct nfnl_exp *exp, int tuple) 853 { 854 const struct nfnl_exp_dir *dir = EXP_GET_TUPLE(exp, tuple); 855 856 return dir->proto.l4protodata.icmp.id; 857 } 858 859 uint8_t nfnl_exp_get_icmp_type(const struct nfnl_exp *exp, int tuple) 860 { 861 const struct nfnl_exp_dir *dir = EXP_GET_TUPLE(exp, tuple); 862 863 return dir->proto.l4protodata.icmp.type; 864 } 865 866 uint8_t nfnl_exp_get_icmp_code(const struct nfnl_exp *exp, int tuple) 867 { 868 const struct nfnl_exp_dir *dir = EXP_GET_TUPLE(exp, tuple); 869 870 return dir->proto.l4protodata.icmp.code; 871 } 872 873 /** @} */ 874 875 struct nl_object_ops exp_obj_ops = { 876 .oo_name = "netfilter/exp", 877 .oo_size = sizeof(struct nfnl_exp), 878 .oo_free_data = exp_free_data, 879 .oo_clone = exp_clone, 880 .oo_dump = { 881 [NL_DUMP_LINE] = exp_dump_line, 882 [NL_DUMP_DETAILS] = exp_dump_details, 883 }, 884 .oo_compare = exp_compare, 885 .oo_attrs2str = exp_attrs2str, 886 }; 887 888 /** @} */ 889
