Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit f957be9d authored by Florian Westphal's avatar Florian Westphal Committed by Pablo Neira Ayuso
Browse files

netfilter: conntrack: remove ctnetlink callbacks from l3 protocol trackers 



handle everything from ctnetlink directly.

After all these years we still only support ipv4 and ipv6, so it
seems reasonable to remove l3 protocol tracker support and instead
handle ipv4/ipv6 from a common, always builtin inet tracker.

Step 1: Get rid of all the l3proto->func() calls.

Start with ctnetlink, then move on to packet-path ones.

Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 7414d929

include/net/netfilter/nf_conntrack_core.h

+2 −4
Original line number Diff line number Diff line
@@ -68,9 +68,7 @@ static inline int nf_conntrack_confirm(struct sk_buff *skb) 
	return ret;

}



void

print_tuple(struct seq_file *s, const struct nf_conntrack_tuple *tuple,

            const struct nf_conntrack_l3proto *l3proto,

void print_tuple(struct seq_file *s, const struct nf_conntrack_tuple *tuple,

		 const struct nf_conntrack_l4proto *proto);



#define CONNTRACK_LOCKS 1024

include/net/netfilter/nf_conntrack_l3proto.h

+0 −8
Original line number Diff line number Diff line
@@ -46,14 +46,6 @@ struct nf_conntrack_l3proto { 
	int (*get_l4proto)(const struct sk_buff *skb, unsigned int nhoff,

			   unsigned int *dataoff, u_int8_t *protonum);



#if IS_ENABLED(CONFIG_NF_CT_NETLINK)

	int (*tuple_to_nlattr)(struct sk_buff *skb,

			       const struct nf_conntrack_tuple *t);

	int (*nlattr_to_tuple)(struct nlattr *tb[],

			       struct nf_conntrack_tuple *t);

	const struct nla_policy *nla_policy;

#endif



	/* Called when netns wants to use connection tracking */

	int (*net_ns_get)(struct net *);

	void (*net_ns_put)(struct net *);

net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c

+0 −47
Original line number Diff line number Diff line
@@ -274,41 +274,6 @@ getorigdst(struct sock *sk, int optval, void __user *user, int *len) 
	return -ENOENT;

}



#if IS_ENABLED(CONFIG_NF_CT_NETLINK)



#include <linux/netfilter/nfnetlink.h>

#include <linux/netfilter/nfnetlink_conntrack.h>



static int ipv4_tuple_to_nlattr(struct sk_buff *skb,

				const struct nf_conntrack_tuple *tuple)

{

	if (nla_put_in_addr(skb, CTA_IP_V4_SRC, tuple->src.u3.ip) ||

	    nla_put_in_addr(skb, CTA_IP_V4_DST, tuple->dst.u3.ip))

		goto nla_put_failure;

	return 0;



nla_put_failure:

	return -1;

}



static const struct nla_policy ipv4_nla_policy[CTA_IP_MAX+1] = {

	[CTA_IP_V4_SRC]	= { .type = NLA_U32 },

	[CTA_IP_V4_DST]	= { .type = NLA_U32 },

};



static int ipv4_nlattr_to_tuple(struct nlattr *tb[],

				struct nf_conntrack_tuple *t)

{

	if (!tb[CTA_IP_V4_SRC] || !tb[CTA_IP_V4_DST])

		return -EINVAL;



	t->src.u3.ip = nla_get_in_addr(tb[CTA_IP_V4_SRC]);

	t->dst.u3.ip = nla_get_in_addr(tb[CTA_IP_V4_DST]);



	return 0;

}

#endif



static struct nf_sockopt_ops so_getorigdst = {

	.pf		= PF_INET,

	.get_optmin	= SO_ORIGINAL_DST,
@@ -360,13 +325,6 @@ const struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv4 = { 
	.pkt_to_tuple	 = ipv4_pkt_to_tuple,

	.invert_tuple	 = ipv4_invert_tuple,

	.get_l4proto	 = ipv4_get_l4proto,

#if IS_ENABLED(CONFIG_NF_CT_NETLINK)

	.tuple_to_nlattr = ipv4_tuple_to_nlattr,

	.nlattr_to_tuple = ipv4_nlattr_to_tuple,

	.nla_policy	 = ipv4_nla_policy,

	.nla_size	 = NLA_ALIGN(NLA_HDRLEN + sizeof(u32)) + /* CTA_IP_V4_SRC */

			   NLA_ALIGN(NLA_HDRLEN + sizeof(u32)),  /* CTA_IP_V4_DST */

#endif

	.net_ns_get	 = ipv4_hooks_register,

	.net_ns_put	 = ipv4_hooks_unregister,

	.me		 = THIS_MODULE,
@@ -419,11 +377,6 @@ static int __init nf_conntrack_l3proto_ipv4_init(void) 


	need_conntrack();



#if IS_ENABLED(CONFIG_NF_CT_NETLINK)

	if (WARN_ON(nla_policy_len(ipv4_nla_policy, CTA_IP_MAX + 1) !=

	    nf_conntrack_l3proto_ipv4.nla_size))

		return -EINVAL;

#endif

	ret = nf_register_sockopt(&so_getorigdst);

	if (ret < 0) {

		pr_err("Unable to register netfilter socket option\n");

net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c

+0 −48
Original line number Diff line number Diff line
@@ -269,41 +269,6 @@ ipv6_getorigdst(struct sock *sk, int optval, void __user *user, int *len) 
	return copy_to_user(user, &sin6, sizeof(sin6)) ? -EFAULT : 0;

}



#if IS_ENABLED(CONFIG_NF_CT_NETLINK)



#include <linux/netfilter/nfnetlink.h>

#include <linux/netfilter/nfnetlink_conntrack.h>



static int ipv6_tuple_to_nlattr(struct sk_buff *skb,

				const struct nf_conntrack_tuple *tuple)

{

	if (nla_put_in6_addr(skb, CTA_IP_V6_SRC, &tuple->src.u3.in6) ||

	    nla_put_in6_addr(skb, CTA_IP_V6_DST, &tuple->dst.u3.in6))

		goto nla_put_failure;

	return 0;



nla_put_failure:

	return -1;

}



static const struct nla_policy ipv6_nla_policy[CTA_IP_MAX+1] = {

	[CTA_IP_V6_SRC]	= { .len = sizeof(u_int32_t)*4 },

	[CTA_IP_V6_DST]	= { .len = sizeof(u_int32_t)*4 },

};



static int ipv6_nlattr_to_tuple(struct nlattr *tb[],

				struct nf_conntrack_tuple *t)

{

	if (!tb[CTA_IP_V6_SRC] || !tb[CTA_IP_V6_DST])

		return -EINVAL;



	t->src.u3.in6 = nla_get_in6_addr(tb[CTA_IP_V6_SRC]);

	t->dst.u3.in6 = nla_get_in6_addr(tb[CTA_IP_V6_DST]);



	return 0;

}

#endif



static int ipv6_hooks_register(struct net *net)

{

	struct conntrack6_net *cnet = net_generic(net, conntrack6_net_id);
@@ -345,13 +310,6 @@ const struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv6 = { 
	.pkt_to_tuple		= ipv6_pkt_to_tuple,

	.invert_tuple		= ipv6_invert_tuple,

	.get_l4proto		= ipv6_get_l4proto,

#if IS_ENABLED(CONFIG_NF_CT_NETLINK)

	.tuple_to_nlattr	= ipv6_tuple_to_nlattr,

	.nlattr_to_tuple	= ipv6_nlattr_to_tuple,

	.nla_policy		= ipv6_nla_policy,

	.nla_size		= NLA_ALIGN(NLA_HDRLEN + sizeof(u32[4])) +

				  NLA_ALIGN(NLA_HDRLEN + sizeof(u32[4])),

#endif

	.net_ns_get		= ipv6_hooks_register,

	.net_ns_put		= ipv6_hooks_unregister,

	.me			= THIS_MODULE,
@@ -409,12 +367,6 @@ static int __init nf_conntrack_l3proto_ipv6_init(void) 


	need_conntrack();



#if IS_ENABLED(CONFIG_NF_CT_NETLINK)

	if (WARN_ON(nla_policy_len(ipv6_nla_policy, CTA_IP_MAX + 1) !=

	    nf_conntrack_l3proto_ipv6.nla_size))

		return -EINVAL;

#endif



	ret = nf_register_sockopt(&so_getorigdst6);

	if (ret < 0) {

		pr_err("Unable to register netfilter socket option\n");

net/ipv6/netfilter/nf_defrag_ipv6_hooks.c

+0 −1
Original line number Diff line number Diff line
@@ -23,7 +23,6 @@ 
#include <net/netfilter/nf_conntrack.h>

#include <net/netfilter/nf_conntrack_helper.h>

#include <net/netfilter/nf_conntrack_l4proto.h>

#include <net/netfilter/nf_conntrack_l3proto.h>

#include <net/netfilter/nf_conntrack_core.h>

#include <net/netfilter/ipv6/nf_conntrack_ipv6.h>

#endif