/* Kernel module to match connection tracking information.
 * Superset of Rusty's minimalistic state match.
 *
 * (C) 2001 Marc Boucher (marc@mbsi.ca).
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License version 2 as
 * published by the Free Software Foundation.
 */
11 #include <linux/module.h>
12 #include <linux/skbuff.h>
13 #include <linux/netfilter/x_tables.h>
14 #include <linux/netfilter/xt_conntrack.h>
15 #include <net/netfilter/nf_conntrack.h>
/* Module metadata exported to the module loader and to modinfo. */
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
MODULE_DESCRIPTION("iptables connection tracking match module");
/* Lets a request for the legacy "ipt_conntrack" name resolve to this module. */
MODULE_ALIAS("ipt_conntrack");
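/*
 * conntrack_mt - match a packet against connection tracking criteria.
 * @skb:       packet under test; nf_ct_get() yields its conntrack entry
 * @matchinfo: rule data, interpreted as struct xt_conntrack_info
 *
 * The remaining parameters are not used by this function.
 *
 * Returns true only when every criterion selected in sinfo->flags holds.
 * Each criterion is individually inverted when its bit is set in
 * sinfo->invflags (see FWINV below).
 *
 * Points a rule author should know:
 *  - A packet with no conntrack entry (ct == NULL) is classed INVALID and
 *    can satisfy the state criterion only; if any other criterion is
 *    selected the rule does not match.
 *  - Address criteria compare the IPv4 member (u3.ip) of the tuple only.
 *  - The fields of matchinfo are used as given; nothing here validates them.
 *
 * NOTE(review): the listing this was taken from dropped the lines holding
 * the return type, the trailing hotdrop parameter, the braces, the else
 * branches and the return statements. They are restored here following the
 * x_tables match convention; confirm against the tree.
 */
static bool
conntrack_mt(const struct sk_buff *skb, const struct net_device *in,
	     const struct net_device *out, const struct xt_match *match,
	     const void *matchinfo, int offset, unsigned int protoff,
	     bool *hotdrop)
{
	const struct xt_conntrack_info *sinfo = matchinfo;
	const struct nf_conn *ct;
	enum ip_conntrack_info ctinfo;
	unsigned int statebit;

	ct = nf_ct_get(skb, &ctinfo);

/* Apply the rule's per-criterion inversion flag to a "mismatch" condition. */
#define FWINV(bool, invflg) ((bool) ^ !!(sinfo->invflags & (invflg)))

	if (ct == &nf_conntrack_untracked)
		statebit = XT_CONNTRACK_STATE_UNTRACKED;
	else if (ct)
		statebit = XT_CONNTRACK_STATE_BIT(ctinfo);
	else
		statebit = XT_CONNTRACK_STATE_INVALID;

	if (sinfo->flags & XT_CONNTRACK_STATE) {
		/* NAT status is only available when an entry exists. */
		if (ct) {
			if (test_bit(IPS_SRC_NAT_BIT, &ct->status))
				statebit |= XT_CONNTRACK_STATE_SNAT;
			if (test_bit(IPS_DST_NAT_BIT, &ct->status))
				statebit |= XT_CONNTRACK_STATE_DNAT;
		}
		if (FWINV((statebit & sinfo->statemask) == 0,
			  XT_CONNTRACK_STATE))
			return false;
	}

	/*
	 * Everything below dereferences ct. Without an entry, only a
	 * state-only rule can still match.
	 */
	if (ct == NULL) {
		if (sinfo->flags & ~XT_CONNTRACK_STATE)
			return false;
		return true;
	}

	if (sinfo->flags & XT_CONNTRACK_PROTO &&
	    FWINV(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum !=
		  sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum,
		  XT_CONNTRACK_PROTO))
		return false;

	if (sinfo->flags & XT_CONNTRACK_ORIGSRC &&
	    FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip &
		   sinfo->sipmsk[IP_CT_DIR_ORIGINAL].s_addr) !=
		  sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip,
		  XT_CONNTRACK_ORIGSRC))
		return false;

	if (sinfo->flags & XT_CONNTRACK_ORIGDST &&
	    FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3.ip &
		   sinfo->dipmsk[IP_CT_DIR_ORIGINAL].s_addr) !=
		  sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip,
		  XT_CONNTRACK_ORIGDST))
		return false;

	if (sinfo->flags & XT_CONNTRACK_REPLSRC &&
	    FWINV((ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3.ip &
		   sinfo->sipmsk[IP_CT_DIR_REPLY].s_addr) !=
		  sinfo->tuple[IP_CT_DIR_REPLY].src.ip,
		  XT_CONNTRACK_REPLSRC))
		return false;

	if (sinfo->flags & XT_CONNTRACK_REPLDST &&
	    FWINV((ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3.ip &
		   sinfo->dipmsk[IP_CT_DIR_REPLY].s_addr) !=
		  sinfo->tuple[IP_CT_DIR_REPLY].dst.ip,
		  XT_CONNTRACK_REPLDST))
		return false;

	if (sinfo->flags & XT_CONNTRACK_STATUS &&
	    FWINV((ct->status & sinfo->statusmask) == 0,
		  XT_CONNTRACK_STATUS))
		return false;

	if (sinfo->flags & XT_CONNTRACK_EXPIRES) {
		unsigned long expires = 0;

		if (timer_pending(&ct->timeout)) {
			/*
			 * Take the delta as a signed value. A timer that is
			 * still pending but already overdue would otherwise
			 * wrap to a huge unsigned remaining time, and the
			 * range test below would then misjudge an entry that
			 * is about to expire.
			 */
			long remaining = (long)(ct->timeout.expires - jiffies);

			if (remaining > 0)
				expires = remaining / HZ;
		}

		if (FWINV(!(expires >= sinfo->expires_min &&
			    expires <= sinfo->expires_max),
			  XT_CONNTRACK_EXPIRES))
			return false;
	}
	return true;
}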
/*
 * conntrack_mt_check - rule-insertion hook for the conntrack match.
 *
 * Takes a reference on the layer-3 conntrack support for match->family so
 * that tracking data is available while the rule exists. The reference is
 * dropped again in conntrack_mt_destroy(). Returns false, after logging a
 * warning, when that support cannot be obtained.
 *
 * matchinfo is not inspected here, so flag and mask values supplied by
 * userspace reach conntrack_mt() unvalidated.
 *
 * NOTE(review): the return type, braces and return statements were dropped
 * by the listing and are restored from the control-flow shape; confirm
 * against the tree.
 */
static bool
conntrack_mt_check(const char *tablename, const void *ip,
		   const struct xt_match *match, void *matchinfo,
		   unsigned int hook_mask)
{
	int err = nf_ct_l3proto_try_module_get(match->family);

	if (err >= 0)
		return true;

	printk(KERN_WARNING "can't load conntrack support for "
			    "proto=%u\n", match->family);
	return false;
}
/*
 * conntrack_mt_destroy - rule-removal hook for the conntrack match.
 *
 * Releases the layer-3 conntrack reference for match->family that
 * conntrack_mt_check() took when the rule was inserted. matchinfo is unused.
 *
 * NOTE(review): the return type and braces were dropped by the listing and
 * are restored here; confirm against the tree.
 */
static void
conntrack_mt_destroy(const struct xt_match *match, void *matchinfo)
{
	/* Balance the try_module_get done at check time. */
	nf_ct_l3proto_module_put(match->family);
}
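/*
 * NOTE(review): the listing dropped the lines around this section that held
 * no cross-referenced identifier. The CONFIG_COMPAT guard, the braces and
 * the flags members are restored here to agree with the visible uses
 * (sinfo->flags, .invflags, and the compat hooks in conntrack_mt_reg);
 * confirm against the tree.
 */
#ifdef CONFIG_COMPAT
/*
 * Layout of the match data as seen by a 32-bit userspace on a 64-bit kernel.
 * It uses compat-sized integers where the conversion functions below map to
 * the native struct xt_conntrack_info.
 */
struct compat_xt_conntrack_info
{
	compat_uint_t			statemask;
	compat_uint_t			statusmask;
	struct ip_conntrack_old_tuple	tuple[IP_CT_DIR_MAX];
	struct in_addr			sipmsk[IP_CT_DIR_MAX];
	struct in_addr			dipmsk[IP_CT_DIR_MAX];
	compat_ulong_t			expires_min;
	compat_ulong_t			expires_max;
	u_int8_t			flags;
	u_int8_t			invflags;
};

/*
 * conntrack_mt_compat_from_user - widen compat match data to native layout.
 * @dst: destination buffer, written as a whole struct xt_conntrack_info
 * @src: source data, read as struct compat_xt_conntrack_info
 *
 * The temporary is zeroed with memset() before the fields are filled in.
 * A designated initializer does not guarantee that padding bytes are
 * cleared, and the object is copied out whole, so stale stack bytes could
 * otherwise end up stored in the rule data.
 * NOTE(review): whether padding exists depends on the ABI, and the rule
 * data is presumably returned to userspace verbatim on a native read;
 * confirm.
 */
static void conntrack_mt_compat_from_user(void *dst, void *src)
{
	const struct compat_xt_conntrack_info *cm = src;
	struct xt_conntrack_info m;

	memset(&m, 0, sizeof(m));
	m.statemask   = cm->statemask;
	m.statusmask  = cm->statusmask;
	m.expires_min = cm->expires_min;
	m.expires_max = cm->expires_max;
	m.flags       = cm->flags;
	m.invflags    = cm->invflags;
	memcpy(m.tuple, cm->tuple, sizeof(m.tuple));
	memcpy(m.sipmsk, cm->sipmsk, sizeof(m.sipmsk));
	memcpy(m.dipmsk, cm->dipmsk, sizeof(m.dipmsk));
	memcpy(dst, &m, sizeof(m));
}

/*
 * conntrack_mt_compat_to_user - narrow native match data to compat layout.
 * @dst: userspace destination
 * @src: kernel match data, read as struct xt_conntrack_info
 *
 * Returns 0 on success, or -EFAULT when copy_to_user() cannot write all
 * bytes.
 *
 * The temporary is zeroed with memset() before it is filled in, because
 * the whole object, padding included, is handed to copy_to_user().
 * Uninitialised padding would disclose kernel stack contents to the caller.
 */
static int conntrack_mt_compat_to_user(void __user *dst, void *src)
{
	const struct xt_conntrack_info *m = src;
	struct compat_xt_conntrack_info cm;

	memset(&cm, 0, sizeof(cm));
	cm.statemask   = m->statemask;
	cm.statusmask  = m->statusmask;
	cm.expires_min = m->expires_min;
	cm.expires_max = m->expires_max;
	cm.flags       = m->flags;
	cm.invflags    = m->invflags;
	memcpy(cm.tuple, m->tuple, sizeof(cm.tuple));
	memcpy(cm.sipmsk, m->sipmsk, sizeof(cm.sipmsk));
	memcpy(cm.dipmsk, m->dipmsk, sizeof(cm.dipmsk));
	return copy_to_user(dst, &cm, sizeof(cm)) ? -EFAULT : 0;
}
#endif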
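/*
 * Registration record handed to x_tables: the match callback, the rule
 * insert/remove hooks, the size of the native match data, and the 32-bit
 * compat layout together with its conversion hooks.
 *
 * NOTE(review): the listing dropped the initializer lines that held no
 * cross-referenced identifier (original lines 183, 188 and 192-195). The
 * .name, .family and .me entries and the CONFIG_COMPAT guard are restored
 * from the upstream layout of this match; confirm against the tree.
 */
static struct xt_match conntrack_mt_reg __read_mostly = {
	.name			= "conntrack",
	.match			= conntrack_mt,
	.checkentry		= conntrack_mt_check,
	.destroy		= conntrack_mt_destroy,
	.matchsize		= sizeof(struct xt_conntrack_info),
#ifdef CONFIG_COMPAT
	.compatsize		= sizeof(struct compat_xt_conntrack_info),
	.compat_from_user	= conntrack_mt_compat_from_user,
	.compat_to_user		= conntrack_mt_compat_to_user,
#endif
	.family			= AF_INET,
	.me			= THIS_MODULE,
};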
/*
 * Module entry point: registers the conntrack match with x_tables and
 * returns the result of xt_register_match() unchanged.
 */
static int __init conntrack_mt_init(void)
{
	int err;

	err = xt_register_match(&conntrack_mt_reg);
	return err;
}
/*
 * Module exit point: withdraws the registration made in
 * conntrack_mt_init().
 */
static void __exit conntrack_mt_exit(void)
{
	xt_unregister_match(&conntrack_mt_reg);
}
/* Wire the load and unload hooks into the module loader. */
module_init(conntrack_mt_init);
module_exit(conntrack_mt_exit);