Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit e4781421 authored by Florian Westphal's avatar Florian Westphal Committed by Pablo Neira Ayuso
Browse files

netfilter: merge udp and udplite conntrack helpers 



udplite was copied from udp, they are virtually 100% identical.

This adds udplite tracker to udp instead, removes udplite module,
and then makes the udplite tracker builtin.

udplite will then simply re-use udp timeout settings.
It makes little sense to add separate sysctls, nowadays we have
fine-grained timeout policy support via the CT target.

old:
 text    data     bss     dec     hex filename
 1633     672       0    2305     901 nf_conntrack_proto_udp.o
 1756     672       0    2428     97c nf_conntrack_proto_udplite.o
69526   17937     268   87731   156b3 nf_conntrack.ko

new:
 text    data     bss     dec     hex filename
 2442    1184       0    3626     e2a nf_conntrack_proto_udp.o
68565   17721     268   86554   1521a nf_conntrack.ko

Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 0a0a8d6b

include/net/netfilter/ipv4/nf_conntrack_ipv4.h

+1 −0
Original line number Diff line number Diff line
@@ -14,6 +14,7 @@ extern struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv4; 


extern struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp4;

extern struct nf_conntrack_l4proto nf_conntrack_l4proto_udp4;

extern struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite4;

extern struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp;

#ifdef CONFIG_NF_CT_PROTO_DCCP

extern struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp4;

include/net/netfilter/ipv6/nf_conntrack_ipv6.h

+1 −0
Original line number Diff line number Diff line
@@ -5,6 +5,7 @@ extern struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv6; 


extern struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp6;

extern struct nf_conntrack_l4proto nf_conntrack_l4proto_udp6;

extern struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite6;

extern struct nf_conntrack_l4proto nf_conntrack_l4proto_icmpv6;

#ifdef CONFIG_NF_CT_PROTO_DCCP

extern struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp6;

include/net/netns/conntrack.h

+0 −16
Original line number Diff line number Diff line
@@ -69,19 +69,6 @@ struct nf_sctp_net { 
};

#endif



#ifdef CONFIG_NF_CT_PROTO_UDPLITE

enum udplite_conntrack {

	UDPLITE_CT_UNREPLIED,

	UDPLITE_CT_REPLIED,

	UDPLITE_CT_MAX

};



struct nf_udplite_net {

	struct nf_proto_net pn;

	unsigned int timeouts[UDPLITE_CT_MAX];

};

#endif



struct nf_ip_net {

	struct nf_generic_net   generic;

	struct nf_tcp_net	tcp;
@@ -94,9 +81,6 @@ struct nf_ip_net { 
#ifdef CONFIG_NF_CT_PROTO_SCTP

	struct nf_sctp_net	sctp;

#endif

#ifdef CONFIG_NF_CT_PROTO_UDPLITE

	struct nf_udplite_net	udplite;

#endif

};



struct ct_pcpu {

net/netfilter/Makefile

+0 −1
Original line number Diff line number Diff line
@@ -7,7 +7,6 @@ nf_conntrack-$(CONFIG_NF_CONNTRACK_EVENTS) += nf_conntrack_ecache.o 
nf_conntrack-$(CONFIG_NF_CONNTRACK_LABELS) += nf_conntrack_labels.o

nf_conntrack-$(CONFIG_NF_CT_PROTO_DCCP) += nf_conntrack_proto_dccp.o

nf_conntrack-$(CONFIG_NF_CT_PROTO_SCTP) += nf_conntrack_proto_sctp.o

nf_conntrack-$(CONFIG_NF_CT_PROTO_UDPLITE) += nf_conntrack_proto_udplite.o



obj-$(CONFIG_NETFILTER) = netfilter.o

net/netfilter/nf_conntrack_proto_udp.c

+123 −0
Original line number Diff line number Diff line
@@ -108,6 +108,59 @@ static bool udp_new(struct nf_conn *ct, const struct sk_buff *skb, 
	return true;

}



#ifdef CONFIG_NF_CT_PROTO_UDPLITE

static int udplite_error(struct net *net, struct nf_conn *tmpl,

			 struct sk_buff *skb,

			 unsigned int dataoff,

			 enum ip_conntrack_info *ctinfo,

			 u8 pf, unsigned int hooknum)

{

	unsigned int udplen = skb->len - dataoff;

	const struct udphdr *hdr;

	struct udphdr _hdr;

	unsigned int cscov;



	/* Header is too small? */

	hdr = skb_header_pointer(skb, dataoff, sizeof(_hdr), &_hdr);

	if (!hdr) {

		if (LOG_INVALID(net, IPPROTO_UDPLITE))

			nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,

				      "nf_ct_udplite: short packet ");

		return -NF_ACCEPT;

	}



	cscov = ntohs(hdr->len);

	if (cscov == 0) {

		cscov = udplen;

	} else if (cscov < sizeof(*hdr) || cscov > udplen) {

		if (LOG_INVALID(net, IPPROTO_UDPLITE))

			nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,

				      "nf_ct_udplite: invalid checksum coverage ");

		return -NF_ACCEPT;

	}



	/* UDPLITE mandates checksums */

	if (!hdr->check) {

		if (LOG_INVALID(net, IPPROTO_UDPLITE))

			nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,

				      "nf_ct_udplite: checksum missing ");

		return -NF_ACCEPT;

	}



	/* Checksum invalid? Ignore. */

	if (net->ct.sysctl_checksum && hooknum == NF_INET_PRE_ROUTING &&

	    nf_checksum_partial(skb, hooknum, dataoff, cscov, IPPROTO_UDP,

				pf)) {

		if (LOG_INVALID(net, IPPROTO_UDPLITE))

			nf_log_packet(net, pf, 0, skb, NULL, NULL, NULL,

				      "nf_ct_udplite: bad UDPLite checksum ");

		return -NF_ACCEPT;

	}



	return NF_ACCEPT;

}

#endif



static int udp_error(struct net *net, struct nf_conn *tmpl, struct sk_buff *skb,

		     unsigned int dataoff, enum ip_conntrack_info *ctinfo,

		     u_int8_t pf,
@@ -290,6 +343,41 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_udp4 __read_mostly = 
};

EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_udp4);



#ifdef CONFIG_NF_CT_PROTO_UDPLITE

struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite4 __read_mostly =

{

	.l3proto		= PF_INET,

	.l4proto		= IPPROTO_UDPLITE,

	.name			= "udplite",

	.allow_clash		= true,

	.pkt_to_tuple		= udp_pkt_to_tuple,

	.invert_tuple		= udp_invert_tuple,

	.print_tuple		= udp_print_tuple,

	.packet			= udp_packet,

	.get_timeouts		= udp_get_timeouts,

	.new			= udp_new,

	.error			= udplite_error,

#if IS_ENABLED(CONFIG_NF_CT_NETLINK)

	.tuple_to_nlattr	= nf_ct_port_tuple_to_nlattr,

	.nlattr_to_tuple	= nf_ct_port_nlattr_to_tuple,

	.nlattr_tuple_size	= nf_ct_port_nlattr_tuple_size,

	.nla_policy		= nf_ct_port_nla_policy,

#endif

#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)

	.ctnl_timeout		= {

		.nlattr_to_obj	= udp_timeout_nlattr_to_obj,

		.obj_to_nlattr	= udp_timeout_obj_to_nlattr,

		.nlattr_max	= CTA_TIMEOUT_UDP_MAX,

		.obj_size	= sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX,

		.nla_policy	= udp_timeout_nla_policy,

	},

#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */

	.init_net		= udp_init_net,

	.get_net_proto		= udp_get_net_proto,

};

EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_udplite4);

#endif



struct nf_conntrack_l4proto nf_conntrack_l4proto_udp6 __read_mostly =

{

	.l3proto		= PF_INET6,
@@ -322,3 +410,38 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_udp6 __read_mostly = 
	.get_net_proto		= udp_get_net_proto,

};

EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_udp6);



#ifdef CONFIG_NF_CT_PROTO_UDPLITE

struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite6 __read_mostly =

{

	.l3proto		= PF_INET6,

	.l4proto		= IPPROTO_UDPLITE,

	.name			= "udplite",

	.allow_clash		= true,

	.pkt_to_tuple		= udp_pkt_to_tuple,

	.invert_tuple		= udp_invert_tuple,

	.print_tuple		= udp_print_tuple,

	.packet			= udp_packet,

	.get_timeouts		= udp_get_timeouts,

	.new			= udp_new,

	.error			= udplite_error,

#if IS_ENABLED(CONFIG_NF_CT_NETLINK)

	.tuple_to_nlattr	= nf_ct_port_tuple_to_nlattr,

	.nlattr_to_tuple	= nf_ct_port_nlattr_to_tuple,

	.nlattr_tuple_size	= nf_ct_port_nlattr_tuple_size,

	.nla_policy		= nf_ct_port_nla_policy,

#endif

#if IS_ENABLED(CONFIG_NF_CT_NETLINK_TIMEOUT)

	.ctnl_timeout		= {

		.nlattr_to_obj	= udp_timeout_nlattr_to_obj,

		.obj_to_nlattr	= udp_timeout_obj_to_nlattr,

		.nlattr_max	= CTA_TIMEOUT_UDP_MAX,

		.obj_size	= sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX,

		.nla_policy	= udp_timeout_nla_policy,

	},

#endif /* CONFIG_NF_CT_NETLINK_TIMEOUT */

	.init_net		= udp_init_net,

	.get_net_proto		= udp_get_net_proto,

};

EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_udplite6);

#endif