Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 5d0aa2cc authored by Patrick McHardy's avatar Patrick McHardy
Browse files

netfilter: nf_conntrack: add support for "conntrack zones" 



Normally, each connection needs a unique identity. Conntrack zones allow
to specify a numerical zone using the CT target, connections in different
zones can use the same identity.

Example:

iptables -t raw -A PREROUTING -i veth0 -j CT --zone 1
iptables -t raw -A OUTPUT -o veth1 -j CT --zone 1

Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
parent 8fea97ec

include/linux/netfilter/xt_CT.h

+1 −1
Original line number Diff line number Diff line
@@ -5,7 +5,7 @@ 


struct xt_ct_target_info {

	u_int16_t	flags;

	u_int16_t	__unused;

	u_int16_t	zone;

	u_int32_t	ct_events;

	u_int32_t	exp_events;

	char		helper[16];

include/net/ip.h

+3 −0
Original line number Diff line number Diff line
@@ -352,8 +352,11 @@ enum ip_defrag_users { 
	IP_DEFRAG_LOCAL_DELIVER,

	IP_DEFRAG_CALL_RA_CHAIN,

	IP_DEFRAG_CONNTRACK_IN,

	__IP_DEFRAG_CONNTRACK_IN_END	= IP_DEFRAG_CONNTRACK_IN + USHORT_MAX,

	IP_DEFRAG_CONNTRACK_OUT,

	__IP_DEFRAG_CONNTRACK_OUT_END	= IP_DEFRAG_CONNTRACK_OUT + USHORT_MAX,

	IP_DEFRAG_CONNTRACK_BRIDGE_IN,

	__IP_DEFRAG_CONNTRACK_BRIDGE_IN = IP_DEFRAG_CONNTRACK_BRIDGE_IN + USHORT_MAX,

	IP_DEFRAG_VS_IN,

	IP_DEFRAG_VS_OUT,

	IP_DEFRAG_VS_FWD

include/net/ipv6.h

+3 −0
Original line number Diff line number Diff line
@@ -355,8 +355,11 @@ struct inet_frag_queue; 
enum ip6_defrag_users {

	IP6_DEFRAG_LOCAL_DELIVER,

	IP6_DEFRAG_CONNTRACK_IN,

	__IP6_DEFRAG_CONNTRACK_IN	= IP6_DEFRAG_CONNTRACK_IN + USHORT_MAX,

	IP6_DEFRAG_CONNTRACK_OUT,

	__IP6_DEFRAG_CONNTRACK_OUT	= IP6_DEFRAG_CONNTRACK_OUT + USHORT_MAX,

	IP6_DEFRAG_CONNTRACK_BRIDGE_IN,

	__IP6_DEFRAG_CONNTRACK_BRIDGE_IN = IP6_DEFRAG_CONNTRACK_BRIDGE_IN + USHORT_MAX,

};



struct ip6_create_arg {

include/net/netfilter/nf_conntrack.h

+3 −2
Original line number Diff line number Diff line
@@ -198,7 +198,8 @@ extern void *nf_ct_alloc_hashtable(unsigned int *sizep, int *vmalloced, int null 
extern void nf_ct_free_hashtable(void *hash, int vmalloced, unsigned int size);



extern struct nf_conntrack_tuple_hash *

__nf_conntrack_find(struct net *net, const struct nf_conntrack_tuple *tuple);

__nf_conntrack_find(struct net *net, u16 zone,

		    const struct nf_conntrack_tuple *tuple);



extern void nf_conntrack_hash_insert(struct nf_conn *ct);

extern void nf_ct_delete_from_lists(struct nf_conn *ct);
@@ -267,7 +268,7 @@ extern void 
nf_ct_iterate_cleanup(struct net *net, int (*iter)(struct nf_conn *i, void *data), void *data);

extern void nf_conntrack_free(struct nf_conn *ct);

extern struct nf_conn *

nf_conntrack_alloc(struct net *net,

nf_conntrack_alloc(struct net *net, u16 zone,

		   const struct nf_conntrack_tuple *orig,

		   const struct nf_conntrack_tuple *repl,

		   gfp_t gfp);

include/net/netfilter/nf_conntrack_core.h

+2 −1
Original line number Diff line number Diff line
@@ -49,7 +49,8 @@ nf_ct_invert_tuple(struct nf_conntrack_tuple *inverse, 


/* Find a connection corresponding to a tuple. */

extern struct nf_conntrack_tuple_hash *

nf_conntrack_find_get(struct net *net, const struct nf_conntrack_tuple *tuple);

nf_conntrack_find_get(struct net *net, u16 zone,

		      const struct nf_conntrack_tuple *tuple);



extern int __nf_conntrack_confirm(struct sk_buff *skb);