/*
* (C) 2006-2011 by Pablo Neira Ayuso <pablo@netfilter.org>
* (C) 2011 by Vyatta Inc. <http://www.vyatta.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*
* This program is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with this program; if not, write to the Free Software
* Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
*/
#include "conntrackd.h"
#include "sync.h"
#include "log.h"
#include "cache.h"
#include "origin.h"
#include "external.h"
#include "netlink.h"
#include <libnetfilter_conntrack/libnetfilter_conntrack.h>
#include <errno.h>
#include <stdlib.h>
static struct nfct_handle *inject;
struct {
uint32_t add_ok;
uint32_t add_fail;
uint32_t upd_ok;
uint32_t upd_fail;
uint32_t del_ok;
uint32_t del_fail;
} external_inject_stat;
static int external_inject_init(void)
{
/* handler to directly inject conntracks into kernel-space */
inject = nfct_open(CONFIG(netlink).subsys_id, 0);
if (inject == NULL) {
dlog(LOG_ERR, "can't open netlink handler: %s",
strerror(errno));
dlog(LOG_ERR, "no ctnetlink kernel support?");
return -1;
}
/* we are directly injecting the entries into the kernel */
origin_register(inject, CTD_ORIGIN_INJECT);
return 0;
}
static void external_inject_close(void)
{
origin_unregister(inject);
nfct_close(inject);
}
static void external_inject_ct_new(struct nf_conntrack *ct)
{
int ret, retry = 1;
retry:
if (nl_create_conntrack(inject, ct, 0) == -1) {
/* if the state entry exists, we delete and try again */
if (errno == EEXIST && retry == 1) {
ret = nl_destroy_conntrack(inject, ct);
if (ret == 0 || (ret == -1 && errno == ENOENT)) {
if (retry) {
retry = 0;
goto retry;
}
}
external_inject_stat.add_fail++;
dlog(LOG_ERR, "inject-add1: %s", strerror(errno));
dlog_ct(STATE(log), ct, NFCT_O_PLAIN);
return;
}
external_inject_stat.add_fail++;
dlog(LOG_ERR, "inject-add2: %s", strerror(errno));
dlog_ct(STATE(log), ct, NFCT_O_PLAIN);
} else {
external_inject_stat.add_ok++;
}
}
static void external_inject_ct_upd(struct nf_conntrack *ct)
{
int ret;
/* if we successfully update the entry, everything is OK */
if (nl_update_conntrack(inject, ct, 0) != -1) {
external_inject_stat.upd_ok++;
return;
}
/* state entries does not exist, we have to create it */
if (errno == ENOENT) {
if (nl_create_conntrack(inject, ct, 0) == -1) {
external_inject_stat.upd_fail++;
dlog(LOG_ERR, "inject-upd1: %s", strerror(errno));
dlog_ct(STATE(log), ct, NFCT_O_PLAIN);
} else {
external_inject_stat.upd_ok++;
}
return;
}
/* we failed to update the entry, there are some operations that
* may trigger this error, eg. unset some status bits. Try harder,
* delete the existing entry and create a new one. */
ret = nl_destroy_conntrack(inject, ct);
if (ret == 0 || (ret == -1 && errno == ENOENT)) {
if (nl_create_conntrack(inject, ct, 0) == -1) {
external_inject_stat.upd_fail++;
dlog(LOG_ERR, "inject-upd2: %s", strerror(errno));
dlog_ct(STATE(log), ct, NFCT_O_PLAIN);
} else {
external_inject_stat.upd_ok++;
}
return;
}
external_inject_stat.upd_fail++;
dlog(LOG_ERR, "inject-upd3: %s", strerror(errno));
dlog_ct(STATE(log), ct, NFCT_O_PLAIN);
}
static void external_inject_ct_del(struct nf_conntrack *ct)
{
if (nl_destroy_conntrack(inject, ct) == -1) {
if (errno != ENOENT) {
external_inject_stat.del_fail++;
dlog(LOG_ERR, "inject-del: %s", strerror(errno));
dlog_ct(STATE(log), ct, NFCT_O_PLAIN);
}
} else {
external_inject_stat.del_ok++;
}
}
static void external_inject_ct_dump(int fd, int type)
{
}
static int external_inject_ct_commit(struct nfct_handle *h, int fd)
{
/* close the commit socket. */
return LOCAL_RET_OK;
}
static void external_inject_ct_flush(void)
{
}
static void external_inject_ct_stats(int fd)
{
char buf[512];
int size;
size = sprintf(buf, "external inject:\n"
"connections created:\t\t%12u\tfailed:\t%12u\n"
"connections updated:\t\t%12u\tfailed:\t%12u\n"
"connections destroyed:\t\t%12u\tfailed:\t%12u\n\n",
external_inject_stat.add_ok,
external_inject_stat.add_fail,
external_inject_stat.upd_ok,
external_inject_stat.upd_fail,
external_inject_stat.del_ok,
external_inject_stat.del_fail);
send(fd, buf, size, 0);
}
struct {
uint32_t add_ok;
uint32_t add_fail;
uint32_t upd_ok;
uint32_t upd_fail;
uint32_t del_ok;
uint32_t del_fail;
} exp_external_inject_stat;
static void external_inject_exp_new(struct nf_expect *exp)
{
int ret, retry = 1;
retry:
if (nl_create_expect(inject, exp, 0) == -1) {
/* if the state entry exists, we delete and try again */
if (errno == EEXIST && retry == 1) {
ret = nl_destroy_expect(inject, exp);
if (ret == 0 || (ret == -1 && errno == ENOENT)) {
if (retry) {
retry = 0;
goto retry;
}
}
exp_external_inject_stat.add_fail++;
dlog(LOG_ERR, "inject-add1: %s", strerror(errno));
dlog_exp(STATE(log), exp, NFCT_O_PLAIN);
return;
}
exp_external_inject_stat.add_fail++;
dlog(LOG_ERR, "inject-add2: %s", strerror(errno));
dlog_exp(STATE(log), exp, NFCT_O_PLAIN);
} else {
exp_external_inject_stat.add_ok++;
}
}
static void external_inject_exp_del(struct nf_expect *exp)
{
if (nl_destroy_expect(inject, exp) == -1) {
if (errno != ENOENT) {
exp_external_inject_stat.del_fail++;
dlog(LOG_ERR, "inject-del: %s", strerror(errno));
dlog_exp(STATE(log), exp, NFCT_O_PLAIN);
}
} else {
exp_external_inject_stat.del_ok++;
}
}
static void external_inject_exp_dump(int fd, int type)
{
}
static int external_inject_exp_commit(struct nfct_handle *h, int fd)
{
/* close the commit socket. */
return LOCAL_RET_OK;
}
static void external_inject_exp_flush(void)
{
}
static void external_inject_exp_stats(int fd)
{
char buf[512];
int size;
size = sprintf(buf, "external inject:\n"
"connections created:\t\t%12u\tfailed:\t%12u\n"
"connections updated:\t\t%12u\tfailed:\t%12u\n"
"connections destroyed:\t\t%12u\tfailed:\t%12u\n\n",
exp_external_inject_stat.add_ok,
exp_external_inject_stat.add_fail,
exp_external_inject_stat.upd_ok,
exp_external_inject_stat.upd_fail,
exp_external_inject_stat.del_ok,
exp_external_inject_stat.del_fail);
send(fd, buf, size, 0);
}
struct external_handler external_inject = {
.init = external_inject_init,
.close = external_inject_close,
.ct = {
.new = external_inject_ct_new,
.upd = external_inject_ct_upd,
.del = external_inject_ct_del,
.dump = external_inject_ct_dump,
.commit = external_inject_ct_commit,
.flush = external_inject_ct_flush,
.stats = external_inject_ct_stats,
.stats_ext = external_inject_ct_stats,
},
.exp = {
.new = external_inject_exp_new,
.upd = external_inject_exp_new,
.del = external_inject_exp_del,
.dump = external_inject_exp_dump,
.commit = external_inject_exp_commit,
.flush = external_inject_exp_flush,
.stats = external_inject_exp_stats,
.stats_ext = external_inject_exp_stats,
},
};