
Commit 2248bcfc authored by Patrick McHardy's avatar Patrick McHardy Committed by David S. Miller

[NETFILTER]: Add support for permanent expectations



A permanent expectation exists until timing out and can expect
multiple related connections.

Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 9261c9b0
+5 −0
@@ -263,6 +263,9 @@ struct ip_conntrack_expect
	/* Unique ID */
	unsigned int id;

	/* Flags */
	unsigned int flags;

#ifdef CONFIG_IP_NF_NAT_NEEDED
	/* This is the original per-proto part, used to map the
	 * expected connection the way the recipient expects. */
@@ -272,6 +275,8 @@ struct ip_conntrack_expect
#endif
};

#define IP_CT_EXPECT_PERMANENT	0x1

static inline struct ip_conntrack *
tuplehash_to_ctrack(const struct ip_conntrack_tuple_hash *hash)
{
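Review bot: The new `flags` member of struct ip_conntrack_expect is only safe if every path that creates an expectation clears it, and this commit does that by hand with `exp->flags = 0;` in each of the three help() sections further down. The allocator is not visible on this page; if it does not zero the structure, any helper not touched here would carry stale bits, and a stale IP_CT_EXPECT_PERMANENT bit would let one expectation match repeated connections until its timeout instead of exactly one. Clearing the field once where the expectation is allocated would remove that dependency on each helper. The field comment could also name the bit space, e.g. `/* Flags: IP_CT_EXPECT_* bits */`, and the define deserves a line such as `/* Matched expectation stays registered until its timer expires */`.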
+1 −0
@@ -108,6 +108,7 @@ static int help(struct sk_buff **pskb,
		}

		exp->expectfn = NULL;
		exp->flags = 0;

		exp->tuple.src.ip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip;
		exp->tuple.src.u.tcp.port = 0;
+8 −4
@@ -264,12 +264,16 @@ find_expectation(const struct ip_conntrack_tuple *tuple)
		   master ct never got confirmed, we'd hold a reference to it
		   and weird things would happen to future packets). */
		if (ip_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask)
		    && is_confirmed(i->master)
		    && del_timer(&i->timeout)) {
		    && is_confirmed(i->master)) {
			if (i->flags & IP_CT_EXPECT_PERMANENT) {
				atomic_inc(&i->use);
				return i;
			} else if (del_timer(&i->timeout)) {
				unlink_expect(i);
				return i;
			}
		}
	}
	return NULL;
}
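Review bot: The permanent branch in find_expectation returns with an extra reference (`atomic_inc(&i->use)`) while the expectation stays linked and its timer is left armed, whereas the other branch returns it only after `del_timer()` succeeds and `unlink_expect(i)` has run; nothing in the hunk documents that difference in ownership. A comment on the branch, e.g. `/* Permanent: stays listed with timer armed; caller gets its own reference and must drop it */`, would make the contract explicit. The caller and the timeout handler are outside this page, so it should be confirmed that the caller releases what it was given on both paths and that the timer firing while the caller still holds the pointer only drops the list's reference. Because a permanent expectation admits any number of matching connections until it times out, helpers that set the flag should keep the tuple, mask and timeout as narrow as the protocol allows. find_expectation begins before this hunk.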

+1 −0
@@ -421,6 +421,7 @@ static int help(struct sk_buff **pskb,
		  { 0xFFFFFFFF, { .tcp = { 0xFFFF } }, 0xFF }});

	exp->expectfn = NULL;
	exp->flags = 0;

	/* Now, NAT might want to mangle the packet, and register the
	 * (possibly changed) expectation itself. */
+1 −0
@@ -221,6 +221,7 @@ static int help(struct sk_buff **pskb,
				{ { 0, { 0 } },
				  { 0xFFFFFFFF, { .tcp = { 0xFFFF } }, 0xFF }});
			exp->expectfn = NULL;
			exp->flags = 0;
			if (ip_nat_irc_hook)
				ret = ip_nat_irc_hook(pskb, ctinfo, 
						      addr_beg_p - ib_ptr,