[NETFILTER]: nf_conntrack: reduce masks to a subset of tuples

	struct list_head list;

	struct list_head list;

	/* We expect this tuple, with the following mask */

	/* We expect this tuple, with the following mask */

	struct nf_conntrack_tuple tuple, mask;

	struct nf_conntrack_tuple tuple;

	struct nf_conntrack_tuple_mask mask;

	/* Function to call after setup and insertion */

	/* Function to call after setup and insertion */

	void (*expectfn)(struct nf_conn *new,

	void (*expectfn)(struct nf_conn *new,

					 * expected connections */

					 * expected connections */

	unsigned int timeout;		/* timeout for expecteds */

	unsigned int timeout;		/* timeout for expecteds */

	/* Mask of things we will help (compared against server response) */

	/* Tuple of things we will help (compared against server response) */

	struct nf_conntrack_tuple tuple;

	struct nf_conntrack_tuple tuple;

	struct nf_conntrack_tuple mask;

	/* Function to call when data passes; return verdict, or -1 to

	/* Function to call when data passes; return verdict, or -1 to

           invalidate. */

           invalidate. */

	} dst;

	} dst;

};

};

struct nf_conntrack_tuple_mask

{

	struct {

		union nf_conntrack_address u3;

		union nf_conntrack_man_proto u;

	} src;

};

/* This is optimized opposed to a memset of the whole structure.  Everything we

/* This is optimized opposed to a memset of the whole structure.  Everything we

 * really care about is the  source/destination unions */

 * really care about is the  source/destination unions */

#define NF_CT_TUPLE_U_BLANK(tuple)                              	\

#define NF_CT_TUPLE_U_BLANK(tuple)                              	\

	return nf_ct_tuple_src_equal(t1, t2) && nf_ct_tuple_dst_equal(t1, t2);

	return nf_ct_tuple_src_equal(t1, t2) && nf_ct_tuple_dst_equal(t1, t2);

}

}

static inline int nf_ct_tuple_mask_cmp(const struct nf_conntrack_tuple *t,

static inline int nf_ct_tuple_mask_equal(const struct nf_conntrack_tuple_mask *m1,

				       const struct nf_conntrack_tuple *tuple,

					 const struct nf_conntrack_tuple_mask *m2)

				       const struct nf_conntrack_tuple *mask)

{

	return (m1->src.u3.all[0] == m2->src.u3.all[0] &&

		m1->src.u3.all[1] == m2->src.u3.all[1] &&

		m1->src.u3.all[2] == m2->src.u3.all[2] &&

		m1->src.u3.all[3] == m2->src.u3.all[3] &&

		m1->src.u.all == m2->src.u.all);

}

static inline int nf_ct_tuple_src_mask_cmp(const struct nf_conntrack_tuple *t1,

					   const struct nf_conntrack_tuple *t2,

					   const struct nf_conntrack_tuple_mask *mask)

{

{

	int count = 0;

	int count;

	for (count = 0; count < NF_CT_TUPLE_L3SIZE; count++) {

	for (count = 0; count < NF_CT_TUPLE_L3SIZE; count++) {

                if ((t->src.u3.all[count] ^ tuple->src.u3.all[count]) &

		if ((t1->src.u3.all[count] ^ t2->src.u3.all[count]) &

		    mask->src.u3.all[count])

		    mask->src.u3.all[count])

			return 0;

			return 0;

	}

	}

        for (count = 0; count < NF_CT_TUPLE_L3SIZE; count++){

	if ((t1->src.u.all ^ t2->src.u.all) & mask->src.u.all)

                if ((t->dst.u3.all[count] ^ tuple->dst.u3.all[count]) &

                    mask->dst.u3.all[count])

		return 0;

		return 0;

        }

        if ((t->src.u.all ^ tuple->src.u.all) & mask->src.u.all ||

	if (t1->src.l3num != t2->src.l3num ||

            (t->dst.u.all ^ tuple->dst.u.all) & mask->dst.u.all ||

	    t1->dst.protonum != t2->dst.protonum)

            (t->src.l3num ^ tuple->src.l3num) & mask->src.l3num ||

            (t->dst.protonum ^ tuple->dst.protonum) & mask->dst.protonum)

		return 0;

		return 0;

	return 1;

	return 1;

}

}

static inline int nf_ct_tuple_mask_cmp(const struct nf_conntrack_tuple *t,

				       const struct nf_conntrack_tuple *tuple,

				       const struct nf_conntrack_tuple_mask *mask)

{

	return nf_ct_tuple_src_mask_cmp(t, tuple, mask) &&

	       nf_ct_tuple_dst_equal(t, tuple);

}

#endif /* _NF_CONNTRACK_TUPLE_H */

#endif /* _NF_CONNTRACK_TUPLE_H */

	.tuple.src.l3num	= AF_INET,

	.tuple.src.l3num	= AF_INET,

	.tuple.src.u.udp.port	= __constant_htons(SNMP_PORT),

	.tuple.src.u.udp.port	= __constant_htons(SNMP_PORT),

	.tuple.dst.protonum	= IPPROTO_UDP,

	.tuple.dst.protonum	= IPPROTO_UDP,

	.mask.src.l3num		= 0xFFFF,

	.mask.src.u.udp.port	= __constant_htons(0xFFFF),

	.mask.dst.protonum	= 0xFF,

};

};

static struct nf_conntrack_helper snmp_trap_helper __read_mostly = {

static struct nf_conntrack_helper snmp_trap_helper __read_mostly = {

	.tuple.src.l3num	= AF_INET,

	.tuple.src.l3num	= AF_INET,

	.tuple.src.u.udp.port	= __constant_htons(SNMP_TRAP_PORT),

	.tuple.src.u.udp.port	= __constant_htons(SNMP_TRAP_PORT),

	.tuple.dst.protonum	= IPPROTO_UDP,

	.tuple.dst.protonum	= IPPROTO_UDP,

	.mask.src.l3num		= 0xFFFF,

	.mask.src.u.udp.port	= __constant_htons(0xFFFF),

	.mask.dst.protonum	= 0xFF,

};

};

/*****************************************************************************

/*****************************************************************************

		.tuple.src.l3num	= AF_INET,

		.tuple.src.l3num	= AF_INET,

		.tuple.src.u.udp.port	= __constant_htons(10080),

		.tuple.src.u.udp.port	= __constant_htons(10080),

		.tuple.dst.protonum	= IPPROTO_UDP,

		.tuple.dst.protonum	= IPPROTO_UDP,

		.mask.src.l3num		= 0xFFFF,

		.mask.src.u.udp.port	= __constant_htons(0xFFFF),

		.mask.dst.protonum	= 0xFF,

	},

	},

	{

	{

		.name			= "amanda",

		.name			= "amanda",

		.tuple.src.l3num	= AF_INET6,

		.tuple.src.l3num	= AF_INET6,

		.tuple.src.u.udp.port	= __constant_htons(10080),

		.tuple.src.u.udp.port	= __constant_htons(10080),

		.tuple.dst.protonum	= IPPROTO_UDP,

		.tuple.dst.protonum	= IPPROTO_UDP,

		.mask.src.l3num		= 0xFFFF,

		.mask.src.u.udp.port	= __constant_htons(0xFFFF),

		.mask.dst.protonum	= 0xFF,

	},

	},

};

};