
Commit b2a15a60 authored by Patrick McHardy's avatar Patrick McHardy

netfilter: nf_conntrack: support conntrack templates



Support initializing selected parameters of new conntrack entries from a
"conntrack template", which is a specially marked conntrack entry attached
to the skb.

Currently the helper and the event delivery masks can be initialized this
way.

Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
parent 0cebe4b4
+4 −0
@@ -72,6 +72,10 @@ enum ip_conntrack_status {
	/* Connection has fixed timeout. */
	IPS_FIXED_TIMEOUT_BIT = 10,
	IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT),

	/* Conntrack is a template */
	IPS_TEMPLATE_BIT = 11,
	IPS_TEMPLATE = (1 << IPS_TEMPLATE_BIT),
};

/* Connection tracking event types */
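Review bot: The new comment `/* Conntrack is a template */` on IPS_TEMPLATE_BIT does not say what a template is for or who is expected to set the bit. Going by the commit description, something like `/* Conntrack is a template: attached to the skb and used only to initialize new entries */` would be clearer. If this status word can also be written through an interface outside the kernel paths shown here (not visible in this hunk), it is worth confirming that the template bit cannot be set that way, since the defrag hooks in this commit branch on it.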
+5 −0
@@ -272,6 +272,11 @@ nf_conntrack_alloc(struct net *net,
		   const struct nf_conntrack_tuple *repl,
		   gfp_t gfp);

static inline int nf_ct_is_template(const struct nf_conn *ct)
{
	return test_bit(IPS_TEMPLATE_BIT, &ct->status);
}

/* It's confirmed if it is, or has been in the hash table. */
static inline int nf_ct_is_confirmed(struct nf_conn *ct)
{
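Review bot: nf_ct_is_template() is added without a comment, unlike nf_ct_is_confirmed() directly below it, and it dereferences `ct` unconditionally. The two defrag call sites in this commit test `skb->nfct` before calling it, which keeps that safe, but the precondition is not stated anywhere. Suggested comment: `/* True if ct is a conntrack template rather than a regular entry; ct must not be NULL. */`.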
+2 −1
@@ -47,7 +47,8 @@ extern void nf_conntrack_helper_unregister(struct nf_conntrack_helper *);

extern struct nf_conn_help *nf_ct_helper_ext_add(struct nf_conn *ct, gfp_t gfp);

extern int __nf_ct_try_assign_helper(struct nf_conn *ct, gfp_t flags);
extern int __nf_ct_try_assign_helper(struct nf_conn *ct, struct nf_conn *tmpl,
				     gfp_t flags);

extern void nf_ct_helper_destroy(struct nf_conn *ct);

+1 −1
@@ -59,7 +59,7 @@ static unsigned int ipv4_conntrack_defrag(unsigned int hooknum,
#if !defined(CONFIG_NF_NAT) && !defined(CONFIG_NF_NAT_MODULE)
	/* Previously seen (loopback)?  Ignore.  Do this before
	   fragment check. */
	if (skb->nfct)
	if (skb->nfct && !nf_ct_is_template((struct nf_conn *)skb->nfct))
		return NF_ACCEPT;
#endif
#endif
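Review bot: The comment above the changed test still reads "Previously seen (loopback)? Ignore.", but the new condition no longer accepts every skb with `skb->nfct` set: one carrying only a template now falls through to the fragment handling. The same stale comment sits above the identical change in the ipv6_defrag hunk. Suggest rewording both along the lines of `/* Previously seen (loopback)? Ignore, unless only a template is attached. */`. The cast `(struct nf_conn *)skb->nfct` is also open-coded at both sites; routing it through one accessor would keep the two checks from drifting apart. The enclosing function starts and ends outside this hunk.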
+1 −1
@@ -212,7 +212,7 @@ static unsigned int ipv6_defrag(unsigned int hooknum,
	struct sk_buff *reasm;

	/* Previously seen (loopback)?  */
	if (skb->nfct)
	if (skb->nfct && !nf_ct_is_template((struct nf_conn *)skb->nfct))
		return NF_ACCEPT;

	reasm = nf_ct_frag6_gather(skb, nf_ct6_defrag_user(hooknum, skb));