summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorHarald Welte <laforge@netfilter.org>2006-03-20 17:56:32 -0800
committerDavid S. Miller <davem@davemloft.net>2006-03-20 17:56:32 -0800
commitdc808fe28db59fadf4ec32d53f62477fa28f3be8 (patch)
tree2d7033e5808a63d7fb1bddc452d1ec0b2f3d381a
parent0d36f37bb1e1cbadca6dc90a840bb2bc9ab51c44 (diff)
downloadop-kernel-dev-dc808fe28db59fadf4ec32d53f62477fa28f3be8.zip
op-kernel-dev-dc808fe28db59fadf4ec32d53f62477fa28f3be8.tar.gz
[NETFILTER] nf_conntrack: clean up to reduce size of 'struct nf_conn'
This patch moves all helper related data fields of 'struct nf_conn' into a separate structure 'struct nf_conn_help'. This new structure is only present in conntrack entries for which we actually have a helper loaded. Also, this patch cleans up the nf_conntrack 'features' mechanism to resemble what the original idea was: Just glue the feature-specific data structures at the end of 'struct nf_conn', and explicitly re-calculate the pointer to it when needed rather than keeping pointers around. Saves 20 bytes per conntrack on my x86_64 box. A non-helped conntrack is 276 bytes. We still need to save another 20 bytes in order to fit into to target of 256bytes. Signed-off-by: Harald Welte <laforge@netfilter.org> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--include/net/netfilter/nf_conntrack.h56
-rw-r--r--net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c22
-rw-r--r--net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c39
-rw-r--r--net/netfilter/nf_conntrack_core.c119
-rw-r--r--net/netfilter/nf_conntrack_ftp.c2
-rw-r--r--net/netfilter/nf_conntrack_netlink.c39
-rw-r--r--net/netfilter/nf_conntrack_standalone.c1
-rw-r--r--net/netfilter/xt_helper.c8
8 files changed, 148 insertions, 138 deletions
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index 6d075ca..2743c15 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -67,6 +67,18 @@ do { \
struct nf_conntrack_helper;
+/* nf_conn feature for connections that have a helper */
+struct nf_conn_help {
+ /* Helper. if any */
+ struct nf_conntrack_helper *helper;
+
+ union nf_conntrack_help help;
+
+ /* Current number of expected connections */
+ unsigned int expecting;
+};
+
+
#include <net/netfilter/ipv4/nf_conntrack_ipv4.h>
struct nf_conn
{
@@ -81,6 +93,9 @@ struct nf_conn
/* Have we seen traffic both ways yet? (bitset) */
unsigned long status;
+ /* If we were expected by an expectation, this will be it */
+ struct nf_conn *master;
+
/* Timer function; drops refcnt when it goes off. */
struct timer_list timeout;
@@ -88,38 +103,22 @@ struct nf_conn
/* Accounting Information (same cache line as other written members) */
struct ip_conntrack_counter counters[IP_CT_DIR_MAX];
#endif
- /* If we were expected by an expectation, this will be it */
- struct nf_conn *master;
-
- /* Current number of expected connections */
- unsigned int expecting;
/* Unique ID that identifies this conntrack*/
unsigned int id;
- /* Helper. if any */
- struct nf_conntrack_helper *helper;
-
/* features - nat, helper, ... used by allocating system */
u_int32_t features;
- /* Storage reserved for other modules: */
-
- union nf_conntrack_proto proto;
-
#if defined(CONFIG_NF_CONNTRACK_MARK)
u_int32_t mark;
#endif
- /* These members are dynamically allocated. */
-
- union nf_conntrack_help *help;
+ /* Storage reserved for other modules: */
+ union nf_conntrack_proto proto;
- /* Layer 3 dependent members. (ex: NAT) */
- union {
- struct nf_conntrack_ipv4 *ipv4;
- } l3proto;
- void *data[0];
+ /* features dynamically at the end: helper, nat (both optional) */
+ char data[0];
};
struct nf_conntrack_expect
@@ -373,10 +372,23 @@ nf_conntrack_expect_event(enum ip_conntrack_expect_events event,
#define NF_CT_F_NUM 4
extern int
-nf_conntrack_register_cache(u_int32_t features, const char *name, size_t size,
- int (*init_conntrack)(struct nf_conn *, u_int32_t));
+nf_conntrack_register_cache(u_int32_t features, const char *name, size_t size);
extern void
nf_conntrack_unregister_cache(u_int32_t features);
+/* valid combinations:
+ * basic: nf_conn, nf_conn .. nf_conn_help
+ * nat: nf_conn .. nf_conn_nat, nf_conn .. nf_conn_nat, nf_conn help
+ */
+static inline struct nf_conn_help *nfct_help(const struct nf_conn *ct)
+{
+ unsigned int offset = sizeof(struct nf_conn);
+
+ if (!(ct->features & NF_CT_F_HELP))
+ return NULL;
+
+ return (struct nf_conn_help *) ((void *)ct + offset);
+}
+
#endif /* __KERNEL__ */
#endif /* _NF_CONNTRACK_H */
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index 6c8624a..cb9c661 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -141,19 +141,21 @@ static unsigned int ipv4_conntrack_help(unsigned int hooknum,
{
struct nf_conn *ct;
enum ip_conntrack_info ctinfo;
+ struct nf_conn_help *help;
/* This is where we call the helper: as the packet goes out. */
ct = nf_ct_get(*pskb, &ctinfo);
- if (ct && ct->helper) {
- unsigned int ret;
- ret = ct->helper->help(pskb,
- (*pskb)->nh.raw - (*pskb)->data
- + (*pskb)->nh.iph->ihl*4,
- ct, ctinfo);
- if (ret != NF_ACCEPT)
- return ret;
- }
- return NF_ACCEPT;
+ if (!ct)
+ return NF_ACCEPT;
+
+ help = nfct_help(ct);
+ if (!help || !help->helper)
+ return NF_ACCEPT;
+
+ return help->helper->help(pskb,
+ (*pskb)->nh.raw - (*pskb)->data
+ + (*pskb)->nh.iph->ihl*4,
+ ct, ctinfo);
}
static unsigned int ipv4_conntrack_defrag(unsigned int hooknum,
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index ac702a2..ac35f95 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -179,31 +179,36 @@ static unsigned int ipv6_confirm(unsigned int hooknum,
int (*okfn)(struct sk_buff *))
{
struct nf_conn *ct;
+ struct nf_conn_help *help;
enum ip_conntrack_info ctinfo;
+ unsigned int ret, protoff;
+ unsigned int extoff = (u8*)((*pskb)->nh.ipv6h + 1)
+ - (*pskb)->data;
+ unsigned char pnum = (*pskb)->nh.ipv6h->nexthdr;
+
/* This is where we call the helper: as the packet goes out. */
ct = nf_ct_get(*pskb, &ctinfo);
- if (ct && ct->helper) {
- unsigned int ret, protoff;
- unsigned int extoff = (u8*)((*pskb)->nh.ipv6h + 1)
- - (*pskb)->data;
- unsigned char pnum = (*pskb)->nh.ipv6h->nexthdr;
-
- protoff = nf_ct_ipv6_skip_exthdr(*pskb, extoff, &pnum,
- (*pskb)->len - extoff);
- if (protoff < 0 || protoff > (*pskb)->len ||
- pnum == NEXTHDR_FRAGMENT) {
- DEBUGP("proto header not found\n");
- return NF_ACCEPT;
- }
+ if (!ct)
+ goto out;
- ret = ct->helper->help(pskb, protoff, ct, ctinfo);
- if (ret != NF_ACCEPT)
- return ret;
+ help = nfct_help(ct);
+ if (!help || !help->helper)
+ goto out;
+
+ protoff = nf_ct_ipv6_skip_exthdr(*pskb, extoff, &pnum,
+ (*pskb)->len - extoff);
+ if (protoff < 0 || protoff > (*pskb)->len ||
+ pnum == NEXTHDR_FRAGMENT) {
+ DEBUGP("proto header not found\n");
+ return NF_ACCEPT;
}
+ ret = help->helper->help(pskb, protoff, ct, ctinfo);
+ if (ret != NF_ACCEPT)
+ return ret;
+out:
/* We've seen it coming out the other side: confirm it */
-
return nf_conntrack_confirm(pskb);
}
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index d622ddf..dc68d00 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -3,7 +3,7 @@
extension. */
/* (C) 1999-2001 Paul `Rusty' Russell
- * (C) 2002-2005 Netfilter Core Team <coreteam@netfilter.org>
+ * (C) 2002-2006 Netfilter Core Team <coreteam@netfilter.org>
* (C) 2003,2004 USAGI/WIDE Project <http://www.linux-ipv6.org>
*
* This program is free software; you can redistribute it and/or modify
@@ -20,6 +20,9 @@
* - generalize L3 protocol denendent part.
* 23 Mar 2004: Yasuyuki Kozakai @USAGI <yasuyuki.kozakai@toshiba.co.jp>
* - add support various size of conntrack structures.
+ * 26 Jan 2006: Harald Welte <laforge@netfilter.org>
+ * - restructure nf_conn (introduce nf_conn_help)
+ * - redesign 'features' how they were originally intended
*
* Derived from net/ipv4/netfilter/ip_conntrack_core.c
*/
@@ -55,7 +58,7 @@
#include <net/netfilter/nf_conntrack_core.h>
#include <linux/netfilter_ipv4/listhelp.h>
-#define NF_CONNTRACK_VERSION "0.4.1"
+#define NF_CONNTRACK_VERSION "0.5.0"
#if 0
#define DEBUGP printk
@@ -259,21 +262,8 @@ static inline u_int32_t hash_conntrack(const struct nf_conntrack_tuple *tuple)
nf_conntrack_hash_rnd);
}
-/* Initialize "struct nf_conn" which has spaces for helper */
-static int
-init_conntrack_for_helper(struct nf_conn *conntrack, u_int32_t features)
-{
-
- conntrack->help = (union nf_conntrack_help *)
- (((unsigned long)conntrack->data
- + (__alignof__(union nf_conntrack_help) - 1))
- & (~((unsigned long)(__alignof__(union nf_conntrack_help) -1))));
- return 0;
-}
-
int nf_conntrack_register_cache(u_int32_t features, const char *name,
- size_t size,
- int (*init)(struct nf_conn *, u_int32_t))
+ size_t size)
{
int ret = 0;
char *cache_name;
@@ -296,8 +286,7 @@ int nf_conntrack_register_cache(u_int32_t features, const char *name,
DEBUGP("nf_conntrack_register_cache: already resisterd.\n");
if ((!strncmp(nf_ct_cache[features].name, name,
NF_CT_FEATURES_NAMELEN))
- && nf_ct_cache[features].size == size
- && nf_ct_cache[features].init_conntrack == init) {
+ && nf_ct_cache[features].size == size) {
DEBUGP("nf_conntrack_register_cache: reusing.\n");
nf_ct_cache[features].use++;
ret = 0;
@@ -340,7 +329,6 @@ int nf_conntrack_register_cache(u_int32_t features, const char *name,
write_lock_bh(&nf_ct_cache_lock);
nf_ct_cache[features].use = 1;
nf_ct_cache[features].size = size;
- nf_ct_cache[features].init_conntrack = init;
nf_ct_cache[features].cachep = cachep;
nf_ct_cache[features].name = cache_name;
write_unlock_bh(&nf_ct_cache_lock);
@@ -377,7 +365,6 @@ void nf_conntrack_unregister_cache(u_int32_t features)
name = nf_ct_cache[features].name;
nf_ct_cache[features].cachep = NULL;
nf_ct_cache[features].name = NULL;
- nf_ct_cache[features].init_conntrack = NULL;
nf_ct_cache[features].size = 0;
write_unlock_bh(&nf_ct_cache_lock);
@@ -432,11 +419,15 @@ nf_ct_invert_tuple(struct nf_conntrack_tuple *inverse,
/* nf_conntrack_expect helper functions */
void nf_ct_unlink_expect(struct nf_conntrack_expect *exp)
{
+ struct nf_conn_help *master_help = nfct_help(exp->master);
+
+ NF_CT_ASSERT(master_help);
ASSERT_WRITE_LOCK(&nf_conntrack_lock);
NF_CT_ASSERT(!timer_pending(&exp->timeout));
+
list_del(&exp->list);
NF_CT_STAT_INC(expect_delete);
- exp->master->expecting--;
+ master_help->expecting--;
nf_conntrack_expect_put(exp);
}
@@ -508,9 +499,10 @@ find_expectation(const struct nf_conntrack_tuple *tuple)
void nf_ct_remove_expectations(struct nf_conn *ct)
{
struct nf_conntrack_expect *i, *tmp;
+ struct nf_conn_help *help = nfct_help(ct);
/* Optimization: most connection never expect any others. */
- if (ct->expecting == 0)
+ if (!help || help->expecting == 0)
return;
list_for_each_entry_safe(i, tmp, &nf_conntrack_expect_list, list) {
@@ -713,6 +705,7 @@ __nf_conntrack_confirm(struct sk_buff **pskb)
conntrack_tuple_cmp,
struct nf_conntrack_tuple_hash *,
&ct->tuplehash[IP_CT_DIR_REPLY].tuple, NULL)) {
+ struct nf_conn_help *help;
/* Remove from unconfirmed list */
list_del(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list);
@@ -726,7 +719,8 @@ __nf_conntrack_confirm(struct sk_buff **pskb)
set_bit(IPS_CONFIRMED_BIT, &ct->status);
NF_CT_STAT_INC(insert);
write_unlock_bh(&nf_conntrack_lock);
- if (ct->helper)
+ help = nfct_help(ct);
+ if (help && help->helper)
nf_conntrack_event_cache(IPCT_HELPER, *pskb);
#ifdef CONFIG_NF_NAT_NEEDED
if (test_bit(IPS_SRC_NAT_DONE_BIT, &ct->status) ||
@@ -842,8 +836,9 @@ __nf_conntrack_alloc(const struct nf_conntrack_tuple *orig,
{
struct nf_conn *conntrack = NULL;
u_int32_t features = 0;
+ struct nf_conntrack_helper *helper;
- if (!nf_conntrack_hash_rnd_initted) {
+ if (unlikely(!nf_conntrack_hash_rnd_initted)) {
get_random_bytes(&nf_conntrack_hash_rnd, 4);
nf_conntrack_hash_rnd_initted = 1;
}
@@ -863,8 +858,11 @@ __nf_conntrack_alloc(const struct nf_conntrack_tuple *orig,
/* find features needed by this conntrack. */
features = l3proto->get_features(orig);
+
+ /* FIXME: protect helper list per RCU */
read_lock_bh(&nf_conntrack_lock);
- if (__nf_ct_helper_find(repl) != NULL)
+ helper = __nf_ct_helper_find(repl);
+ if (helper)
features |= NF_CT_F_HELP;
read_unlock_bh(&nf_conntrack_lock);
@@ -872,7 +870,7 @@ __nf_conntrack_alloc(const struct nf_conntrack_tuple *orig,
read_lock_bh(&nf_ct_cache_lock);
- if (!nf_ct_cache[features].use) {
+ if (unlikely(!nf_ct_cache[features].use)) {
DEBUGP("nf_conntrack_alloc: not supported features = 0x%x\n",
features);
goto out;
@@ -886,12 +884,10 @@ __nf_conntrack_alloc(const struct nf_conntrack_tuple *orig,
memset(conntrack, 0, nf_ct_cache[features].size);
conntrack->features = features;
- if (nf_ct_cache[features].init_conntrack &&
- nf_ct_cache[features].init_conntrack(conntrack, features) < 0) {
- DEBUGP("nf_conntrack_alloc: failed to init\n");
- kmem_cache_free(nf_ct_cache[features].cachep, conntrack);
- conntrack = NULL;
- goto out;
+ if (helper) {
+ struct nf_conn_help *help = nfct_help(conntrack);
+ NF_CT_ASSERT(help);
+ help->helper = helper;
}
atomic_set(&conntrack->ct_general.use, 1);
@@ -972,11 +968,8 @@ init_conntrack(const struct nf_conntrack_tuple *tuple,
#endif
nf_conntrack_get(&conntrack->master->ct_general);
NF_CT_STAT_INC(expect_new);
- } else {
- conntrack->helper = __nf_ct_helper_find(&repl_tuple);
-
+ } else
NF_CT_STAT_INC(new);
- }
/* Overload tuple linked list to put us in unconfirmed list. */
list_add(&conntrack->tuplehash[IP_CT_DIR_ORIGINAL].list, &unconfirmed);
@@ -1206,14 +1199,16 @@ void nf_conntrack_expect_put(struct nf_conntrack_expect *exp)
static void nf_conntrack_expect_insert(struct nf_conntrack_expect *exp)
{
+ struct nf_conn_help *master_help = nfct_help(exp->master);
+
atomic_inc(&exp->use);
- exp->master->expecting++;
+ master_help->expecting++;
list_add(&exp->list, &nf_conntrack_expect_list);
init_timer(&exp->timeout);
exp->timeout.data = (unsigned long)exp;
exp->timeout.function = expectation_timed_out;
- exp->timeout.expires = jiffies + exp->master->helper->timeout * HZ;
+ exp->timeout.expires = jiffies + master_help->helper->timeout * HZ;
add_timer(&exp->timeout);
exp->id = ++nf_conntrack_expect_next_id;
@@ -1239,10 +1234,12 @@ static void evict_oldest_expect(struct nf_conn *master)
static inline int refresh_timer(struct nf_conntrack_expect *i)
{
+ struct nf_conn_help *master_help = nfct_help(i->master);
+
if (!del_timer(&i->timeout))
return 0;
- i->timeout.expires = jiffies + i->master->helper->timeout*HZ;
+ i->timeout.expires = jiffies + master_help->helper->timeout*HZ;
add_timer(&i->timeout);
return 1;
}
@@ -1251,8 +1248,11 @@ int nf_conntrack_expect_related(struct nf_conntrack_expect *expect)
{
struct nf_conntrack_expect *i;
struct nf_conn *master = expect->master;
+ struct nf_conn_help *master_help = nfct_help(master);
int ret;
+ NF_CT_ASSERT(master_help);
+
DEBUGP("nf_conntrack_expect_related %p\n", related_to);
DEBUGP("tuple: "); NF_CT_DUMP_TUPLE(&expect->tuple);
DEBUGP("mask: "); NF_CT_DUMP_TUPLE(&expect->mask);
@@ -1271,8 +1271,8 @@ int nf_conntrack_expect_related(struct nf_conntrack_expect *expect)
}
}
/* Will be over limit? */
- if (master->helper->max_expected &&
- master->expecting >= master->helper->max_expected)
+ if (master_help->helper->max_expected &&
+ master_help->expecting >= master_help->helper->max_expected)
evict_oldest_expect(master);
nf_conntrack_expect_insert(expect);
@@ -1283,24 +1283,6 @@ out:
return ret;
}
-/* Alter reply tuple (maybe alter helper). This is for NAT, and is
- implicitly racy: see __nf_conntrack_confirm */
-void nf_conntrack_alter_reply(struct nf_conn *conntrack,
- const struct nf_conntrack_tuple *newreply)
-{
- write_lock_bh(&nf_conntrack_lock);
- /* Should be unconfirmed, so not in hash table yet */
- NF_CT_ASSERT(!nf_ct_is_confirmed(conntrack));
-
- DEBUGP("Altering reply tuple of %p to ", conntrack);
- NF_CT_DUMP_TUPLE(newreply);
-
- conntrack->tuplehash[IP_CT_DIR_REPLY].tuple = *newreply;
- if (!conntrack->master && conntrack->expecting == 0)
- conntrack->helper = __nf_ct_helper_find(newreply);
- write_unlock_bh(&nf_conntrack_lock);
-}
-
int nf_conntrack_helper_register(struct nf_conntrack_helper *me)
{
int ret;
@@ -1308,9 +1290,8 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me)
ret = nf_conntrack_register_cache(NF_CT_F_HELP, "nf_conntrack:help",
sizeof(struct nf_conn)
- + sizeof(union nf_conntrack_help)
- + __alignof__(union nf_conntrack_help),
- init_conntrack_for_helper);
+ + sizeof(struct nf_conn_help)
+ + __alignof__(struct nf_conn_help));
if (ret < 0) {
printk(KERN_ERR "nf_conntrack_helper_reigster: Unable to create slab cache for conntracks\n");
return ret;
@@ -1338,9 +1319,12 @@ __nf_conntrack_helper_find_byname(const char *name)
static inline int unhelp(struct nf_conntrack_tuple_hash *i,
const struct nf_conntrack_helper *me)
{
- if (nf_ct_tuplehash_to_ctrack(i)->helper == me) {
- nf_conntrack_event(IPCT_HELPER, nf_ct_tuplehash_to_ctrack(i));
- nf_ct_tuplehash_to_ctrack(i)->helper = NULL;
+ struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(i);
+ struct nf_conn_help *help = nfct_help(ct);
+
+ if (help && help->helper == me) {
+ nf_conntrack_event(IPCT_HELPER, ct);
+ help->helper = NULL;
}
return 0;
}
@@ -1356,7 +1340,8 @@ void nf_conntrack_helper_unregister(struct nf_conntrack_helper *me)
/* Get rid of expectations */
list_for_each_entry_safe(exp, tmp, &nf_conntrack_expect_list, list) {
- if (exp->master->helper == me && del_timer(&exp->timeout)) {
+ struct nf_conn_help *help = nfct_help(exp->master);
+ if (help->helper == me && del_timer(&exp->timeout)) {
nf_ct_unlink_expect(exp);
nf_conntrack_expect_put(exp);
}
@@ -1697,7 +1682,7 @@ int __init nf_conntrack_init(void)
}
ret = nf_conntrack_register_cache(NF_CT_F_BASIC, "nf_conntrack:basic",
- sizeof(struct nf_conn), NULL);
+ sizeof(struct nf_conn));
if (ret < 0) {
printk(KERN_ERR "Unable to create nf_conn slab cache\n");
goto err_free_hash;
diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c
index 6f210f3..cd191b0 100644
--- a/net/netfilter/nf_conntrack_ftp.c
+++ b/net/netfilter/nf_conntrack_ftp.c
@@ -440,7 +440,7 @@ static int help(struct sk_buff **pskb,
u32 seq;
int dir = CTINFO2DIR(ctinfo);
unsigned int matchlen, matchoff;
- struct ip_ct_ftp_master *ct_ftp_info = &ct->help->ct_ftp_info;
+ struct ip_ct_ftp_master *ct_ftp_info = &nfct_help(ct)->help.ct_ftp_info;
struct nf_conntrack_expect *exp;
struct nf_conntrack_man cmd = {};
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 9ff34630..aef3cb4 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -2,7 +2,7 @@
* protocol helpers and general trouble making from userspace.
*
* (C) 2001 by Jay Schulist <jschlst@samba.org>
- * (C) 2002-2005 by Harald Welte <laforge@gnumonks.org>
+ * (C) 2002-2006 by Harald Welte <laforge@gnumonks.org>
* (C) 2003 by Patrick Mchardy <kaber@trash.net>
* (C) 2005 by Pablo Neira Ayuso <pablo@eurodev.net>
*
@@ -44,7 +44,7 @@
MODULE_LICENSE("GPL");
-static char __initdata version[] = "0.92";
+static char __initdata version[] = "0.93";
#if 0
#define DEBUGP printk
@@ -165,15 +165,16 @@ static inline int
ctnetlink_dump_helpinfo(struct sk_buff *skb, const struct nf_conn *ct)
{
struct nfattr *nest_helper;
+ const struct nf_conn_help *help = nfct_help(ct);
- if (!ct->helper)
+ if (!help || !help->helper)
return 0;
nest_helper = NFA_NEST(skb, CTA_HELP);
- NFA_PUT(skb, CTA_HELP_NAME, strlen(ct->helper->name), ct->helper->name);
+ NFA_PUT(skb, CTA_HELP_NAME, strlen(help->helper->name), help->helper->name);
- if (ct->helper->to_nfattr)
- ct->helper->to_nfattr(skb, ct);
+ if (help->helper->to_nfattr)
+ help->helper->to_nfattr(skb, ct);
NFA_NEST_END(skb, nest_helper);
@@ -903,11 +904,17 @@ static inline int
ctnetlink_change_helper(struct nf_conn *ct, struct nfattr *cda[])
{
struct nf_conntrack_helper *helper;
+ struct nf_conn_help *help = nfct_help(ct);
char *helpname;
int err;
DEBUGP("entered %s\n", __FUNCTION__);
+ if (!help) {
+ /* FIXME: we need to reallocate and rehash */
+ return -EBUSY;
+ }
+
/* don't change helper of sibling connections */
if (ct->master)
return -EINVAL;
@@ -924,18 +931,18 @@ ctnetlink_change_helper(struct nf_conn *ct, struct nfattr *cda[])
return -EINVAL;
}
- if (ct->helper) {
+ if (help->helper) {
if (!helper) {
/* we had a helper before ... */
nf_ct_remove_expectations(ct);
- ct->helper = NULL;
+ help->helper = NULL;
} else {
/* need to zero data of old helper */
- memset(&ct->help, 0, sizeof(ct->help));
+ memset(&help->help, 0, sizeof(help->help));
}
}
- ct->helper = helper;
+ help->helper = helper;
return 0;
}
@@ -1050,14 +1057,9 @@ ctnetlink_create_conntrack(struct nfattr *cda[],
ct->mark = ntohl(*(u_int32_t *)NFA_DATA(cda[CTA_MARK-1]));
#endif
- ct->helper = nf_ct_helper_find_get(rtuple);
-
add_timer(&ct->timeout);
nf_conntrack_hash_insert(ct);
- if (ct->helper)
- nf_ct_helper_put(ct->helper);
-
DEBUGP("conntrack with id %u inserted\n", ct->id);
return 0;
@@ -1417,7 +1419,8 @@ ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb,
}
list_for_each_entry_safe(exp, tmp, &nf_conntrack_expect_list,
list) {
- if (exp->master->helper == h
+ struct nf_conn_help *m_help = nfct_help(exp->master);
+ if (m_help->helper == h
&& del_timer(&exp->timeout)) {
nf_ct_unlink_expect(exp);
nf_conntrack_expect_put(exp);
@@ -1452,6 +1455,7 @@ ctnetlink_create_expect(struct nfattr *cda[], u_int8_t u3)
struct nf_conntrack_tuple_hash *h = NULL;
struct nf_conntrack_expect *exp;
struct nf_conn *ct;
+ struct nf_conn_help *help;
int err = 0;
DEBUGP("entered %s\n", __FUNCTION__);
@@ -1472,8 +1476,9 @@ ctnetlink_create_expect(struct nfattr *cda[], u_int8_t u3)
if (!h)
return -ENOENT;
ct = nf_ct_tuplehash_to_ctrack(h);
+ help = nfct_help(ct);
- if (!ct->helper) {
+ if (!help || !help->helper) {
/* such conntrack hasn't got any helper, abort */
err = -EINVAL;
goto out;
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index 617599a..290d5a0 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -839,7 +839,6 @@ EXPORT_SYMBOL(nf_conntrack_l3proto_unregister);
EXPORT_SYMBOL(nf_conntrack_protocol_register);
EXPORT_SYMBOL(nf_conntrack_protocol_unregister);
EXPORT_SYMBOL(nf_ct_invert_tuplepr);
-EXPORT_SYMBOL(nf_conntrack_alter_reply);
EXPORT_SYMBOL(nf_conntrack_destroyed);
EXPORT_SYMBOL(need_conntrack);
EXPORT_SYMBOL(nf_conntrack_helper_register);
diff --git a/net/netfilter/xt_helper.c b/net/netfilter/xt_helper.c
index 38b6715..0ddb323 100644
--- a/net/netfilter/xt_helper.c
+++ b/net/netfilter/xt_helper.c
@@ -96,6 +96,7 @@ match(const struct sk_buff *skb,
{
const struct xt_helper_info *info = matchinfo;
struct nf_conn *ct;
+ struct nf_conn_help *master_help;
enum ip_conntrack_info ctinfo;
int ret = info->invert;
@@ -111,7 +112,8 @@ match(const struct sk_buff *skb,
}
read_lock_bh(&nf_conntrack_lock);
- if (!ct->master->helper) {
+ master_help = nfct_help(ct->master);
+ if (!master_help || !master_help->helper) {
DEBUGP("xt_helper: master ct %p has no helper\n",
exp->expectant);
goto out_unlock;
@@ -123,8 +125,8 @@ match(const struct sk_buff *skb,
if (info->name[0] == '\0')
ret ^= 1;
else
- ret ^= !strncmp(ct->master->helper->name, info->name,
- strlen(ct->master->helper->name));
+ ret ^= !strncmp(master_help->helper->name, info->name,
+ strlen(master_help->helper->name));
out_unlock:
read_unlock_bh(&nf_conntrack_lock);
return ret;
OpenPOWER on IntegriCloud