Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit dd2934a9 authored by Florian Westphal's avatar Florian Westphal Committed by Pablo Neira Ayuso
Browse files

netfilter: conntrack: remove l3->l4 mapping information 



l4 protocols are demuxed by l3num, l4num pair.

However, almost all l4 trackers are l3 agnostic.

Only exceptions are:
 - gre, icmp (ipv4 only)
 - icmpv6 (ipv6 only)

This commit gets rid of the l3 mapping, l4 trackers can now be looked up
by their IPPROTO_XXX value alone, which gets rid of the additional l3
indirection.

For icmp, ipcmp6 and gre, add a check on state->pf and
return -NF_ACCEPT in case we're asked to track e.g. icmpv6-in-ipv4,
this seems more fitting than using the generic tracker.

Additionally we can kill the 2nd l4proto definitions that were needed
for v4/v6 split -- they are now the same so we can use single l4proto
struct for each protocol, rather than two.

The EXPORT_SYMBOLs can be removed as all these object files are
part of nf_conntrack with no external references.

Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent ca2ca6e1

include/net/netfilter/ipv4/nf_conntrack_ipv4.h

+5 −8
Original line number Diff line number Diff line
@@ -10,20 +10,17 @@ 
#ifndef _NF_CONNTRACK_IPV4_H

#define _NF_CONNTRACK_IPV4_H



extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp4;

extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_udp4;

extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp;

extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_udp;

extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp;

#ifdef CONFIG_NF_CT_PROTO_DCCP

extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp4;

extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp;

#endif

#ifdef CONFIG_NF_CT_PROTO_SCTP

extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4;

extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp;

#endif

#ifdef CONFIG_NF_CT_PROTO_UDPLITE

extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite4;

extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite;

#endif



int nf_conntrack_ipv4_compat_init(void);

void nf_conntrack_ipv4_compat_fini(void);



#endif /*_NF_CONNTRACK_IPV4_H*/

include/net/netfilter/ipv6/nf_conntrack_ipv6.h

+0 −13
Original line number Diff line number Diff line
@@ -2,20 +2,7 @@ 
#ifndef _NF_CONNTRACK_IPV6_H

#define _NF_CONNTRACK_IPV6_H



extern const struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv6;



extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp6;

extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_udp6;

extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_icmpv6;

#ifdef CONFIG_NF_CT_PROTO_DCCP

extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp6;

#endif

#ifdef CONFIG_NF_CT_PROTO_SCTP

extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6;

#endif

#ifdef CONFIG_NF_CT_PROTO_UDPLITE

extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite6;

#endif



#include <linux/sysctl.h>

extern struct ctl_table nf_ct_ipv6_sysctl_table[];

include/net/netfilter/nf_conntrack_l4proto.h

+2 −7
Original line number Diff line number Diff line
@@ -18,9 +18,6 @@ 
struct seq_file;



struct nf_conntrack_l4proto {

	/* L3 Protocol number. */

	u_int16_t l3proto;



	/* L4 Protocol number. */

	u_int8_t l4proto;
@@ -107,11 +104,9 @@ extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_generic; 


#define MAX_NF_CT_PROTO 256



const struct nf_conntrack_l4proto *__nf_ct_l4proto_find(u_int16_t l3proto,

						  u_int8_t l4proto);

const struct nf_conntrack_l4proto *__nf_ct_l4proto_find(u8 l4proto);



const struct nf_conntrack_l4proto *nf_ct_l4proto_find_get(u_int16_t l3proto,

						    u_int8_t l4proto);

const struct nf_conntrack_l4proto *nf_ct_l4proto_find_get(u8 l4proto);

void nf_ct_l4proto_put(const struct nf_conntrack_l4proto *p);



/* Protocol pernet registration. */

net/netfilter/nf_conntrack_core.c

+7 −8
Original line number Diff line number Diff line
@@ -379,7 +379,7 @@ bool nf_ct_get_tuplepr(const struct sk_buff *skb, unsigned int nhoff, 
		return false;

	}



	l4proto = __nf_ct_l4proto_find(l3num, protonum);

	l4proto = __nf_ct_l4proto_find(protonum);



	ret = nf_ct_get_tuple(skb, nhoff, protoff, l3num, protonum, net, tuple,

			      l4proto);
@@ -539,7 +539,7 @@ destroy_conntrack(struct nf_conntrack *nfct) 
		nf_ct_tmpl_free(ct);

		return;

	}

	l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));

	l4proto = __nf_ct_l4proto_find(nf_ct_protonum(ct));

	if (l4proto->destroy)

		l4proto->destroy(ct);
@@ -840,7 +840,7 @@ static int nf_ct_resolve_clash(struct net *net, struct sk_buff *skb, 
	enum ip_conntrack_info oldinfo;

	struct nf_conn *loser_ct = nf_ct_get(skb, &oldinfo);



	l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));

	l4proto = __nf_ct_l4proto_find(nf_ct_protonum(ct));

	if (l4proto->allow_clash &&

	    !nf_ct_is_dying(ct) &&

	    atomic_inc_not_zero(&ct->ct_general.use)) {
@@ -1109,7 +1109,7 @@ static bool gc_worker_can_early_drop(const struct nf_conn *ct) 
	if (!test_bit(IPS_ASSURED_BIT, &ct->status))

		return true;



	l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));

	l4proto = __nf_ct_l4proto_find(nf_ct_protonum(ct));

	if (l4proto->can_early_drop && l4proto->can_early_drop(ct))

		return true;
@@ -1549,7 +1549,7 @@ nf_conntrack_in(struct sk_buff *skb, const struct nf_hook_state *state) 
		goto out;

	}



	l4proto = __nf_ct_l4proto_find(state->pf, protonum);

	l4proto = __nf_ct_l4proto_find(protonum);



	if (protonum == IPPROTO_ICMP || protonum == IPPROTO_ICMPV6) {

		ret = nf_conntrack_handle_icmp(tmpl, skb, dataoff,
@@ -1618,8 +1618,7 @@ bool nf_ct_invert_tuplepr(struct nf_conntrack_tuple *inverse, 


	rcu_read_lock();

	ret = nf_ct_invert_tuple(inverse, orig,

				 __nf_ct_l4proto_find(orig->src.l3num,

						      orig->dst.protonum));

				 __nf_ct_l4proto_find(orig->dst.protonum));

	rcu_read_unlock();

	return ret;

}
@@ -1776,7 +1775,7 @@ static int nf_conntrack_update(struct net *net, struct sk_buff *skb) 
	if (dataoff <= 0)

		return -1;



	l4proto = nf_ct_l4proto_find_get(l3num, l4num);

	l4proto = nf_ct_l4proto_find_get(l4num);



	if (!nf_ct_get_tuple(skb, skb_network_offset(skb), dataoff, l3num,

			     l4num, net, &tuple, l4proto))

net/netfilter/nf_conntrack_expect.c

+1 −2
Original line number Diff line number Diff line
@@ -610,8 +610,7 @@ static int exp_seq_show(struct seq_file *s, void *v) 
		   expect->tuple.src.l3num,

		   expect->tuple.dst.protonum);

	print_tuple(s, &expect->tuple,

		    __nf_ct_l4proto_find(expect->tuple.src.l3num,

				       expect->tuple.dst.protonum));

		    __nf_ct_l4proto_find(expect->tuple.dst.protonum));



	if (expect->flags & NF_CT_EXPECT_PERMANENT) {

		seq_puts(s, "PERMANENT");