
[NETFILTER]: Add support for permanent expectations

A permanent expectation exists until timing out and can expect
multiple related connections.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Patrick McHardy 2005-09-06 15:06:42 -07:00 committed by David S. Miller
parent 9261c9b042
commit 2248bcfcd8
7 changed files with 18 additions and 4 deletions


@ -263,6 +263,9 @@ struct ip_conntrack_expect
/* Unique ID */ /* Unique ID */
unsigned int id; unsigned int id;
/* Flags */
unsigned int flags;
#ifdef CONFIG_IP_NF_NAT_NEEDED #ifdef CONFIG_IP_NF_NAT_NEEDED
/* This is the original per-proto part, used to map the /* This is the original per-proto part, used to map the
* expected connection the way the recipient expects. */ * expected connection the way the recipient expects. */
@ -272,6 +275,8 @@ struct ip_conntrack_expect
#endif #endif
}; };
#define IP_CT_EXPECT_PERMANENT 0x1
static inline struct ip_conntrack * static inline struct ip_conntrack *
tuplehash_to_ctrack(const struct ip_conntrack_tuple_hash *hash) tuplehash_to_ctrack(const struct ip_conntrack_tuple_hash *hash)
{ {
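Review bot: The new `flags` member is documented only as `/* Flags */`, and its single valid bit, `IP_CT_EXPECT_PERMANENT`, is defined after the struct with no explanation, so a reader of `struct ip_conntrack_expect` (whose definition starts outside this hunk) cannot tell what the field controls or who must initialize it. Suggest `/* Flags: IP_CT_EXPECT_PERMANENT (defined below) */` on the member and, beside the define, a comment stating that a permanent expectation is not consumed by the first matching connection but stays registered, matching any number of related connections, until its timeout expires. Because a set bit keeps a helper's pinhole open for the whole timeout rather than for one connection, the comment should also say that every allocator must explicitly initialize the field.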


@ -108,6 +108,7 @@ static int help(struct sk_buff **pskb,
} }
exp->expectfn = NULL; exp->expectfn = NULL;
exp->flags = 0;
exp->tuple.src.ip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip; exp->tuple.src.ip = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip;
exp->tuple.src.u.tcp.port = 0; exp->tuple.src.u.tcp.port = 0;
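Review bot: `exp->flags = 0;` is added per helper here and again in the ftp, irc, ctnetlink and tftp hunks, which leaves any expectation allocator this commit does not touch with an uninitialized `flags` unless ip_conntrack_expect_alloc() already zeroes the object (not visible here). A stray IP_CT_EXPECT_PERMANENT bit turns a one-shot pinhole into one that admits every connection matching the mask until the timeout, so it is safer to clear the field once in the common allocator, e.g. `new->flags = 0;` in ip_conntrack_expect_alloc(), and drop the per-helper stores. help()'s body starts and ends outside the hunk.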


@ -264,12 +264,16 @@ find_expectation(const struct ip_conntrack_tuple *tuple)
master ct never got confirmed, we'd hold a reference to it master ct never got confirmed, we'd hold a reference to it
and weird things would happen to future packets). */ and weird things would happen to future packets). */
if (ip_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask) if (ip_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask)
&& is_confirmed(i->master) && is_confirmed(i->master)) {
&& del_timer(&i->timeout)) { if (i->flags & IP_CT_EXPECT_PERMANENT) {
atomic_inc(&i->use);
return i;
} else if (del_timer(&i->timeout)) {
unlink_expect(i); unlink_expect(i);
return i; return i;
} }
} }
}
return NULL; return NULL;
} }
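Review bot: The branch at `if (i->flags & IP_CT_EXPECT_PERMANENT)` takes a reference and returns the expectation still linked with its timer running, while the other branch hands the caller the reference it reclaims from the timer via del_timer(); that asymmetry is only correct if the caller unconditionally drops exactly one reference on the returned expectation, and nothing in the hunk records that contract. Suggest a comment above `atomic_inc(&i->use);` such as `/* Permanent: stays registered with its timer; take an extra reference for the caller, who puts it exactly as in the one-shot case. */`. It is also worth noting in the function's header comment that a permanent expectation can now match an unbounded number of connections until its timeout, so helpers should set the flag only with a tight tuple mask.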


@ -421,6 +421,7 @@ static int help(struct sk_buff **pskb,
{ 0xFFFFFFFF, { .tcp = { 0xFFFF } }, 0xFF }}); { 0xFFFFFFFF, { .tcp = { 0xFFFF } }, 0xFF }});
exp->expectfn = NULL; exp->expectfn = NULL;
exp->flags = 0;
/* Now, NAT might want to mangle the packet, and register the /* Now, NAT might want to mangle the packet, and register the
* (possibly changed) expectation itself. */ * (possibly changed) expectation itself. */


@ -221,6 +221,7 @@ static int help(struct sk_buff **pskb,
{ { 0, { 0 } }, { { 0, { 0 } },
{ 0xFFFFFFFF, { .tcp = { 0xFFFF } }, 0xFF }}); { 0xFFFFFFFF, { .tcp = { 0xFFFF } }, 0xFF }});
exp->expectfn = NULL; exp->expectfn = NULL;
exp->flags = 0;
if (ip_nat_irc_hook) if (ip_nat_irc_hook)
ret = ip_nat_irc_hook(pskb, ctinfo, ret = ip_nat_irc_hook(pskb, ctinfo,
addr_beg_p - ib_ptr, addr_beg_p - ib_ptr,


@ -1413,6 +1413,7 @@ ctnetlink_create_expect(struct nfattr *cda[])
} }
exp->expectfn = NULL; exp->expectfn = NULL;
exp->flags = 0;
exp->master = ct; exp->master = ct;
memcpy(&exp->tuple, &tuple, sizeof(struct ip_conntrack_tuple)); memcpy(&exp->tuple, &tuple, sizeof(struct ip_conntrack_tuple));
memcpy(&exp->mask, &mask, sizeof(struct ip_conntrack_tuple)); memcpy(&exp->mask, &mask, sizeof(struct ip_conntrack_tuple));
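Review bot: ctnetlink_create_expect() hard-codes `exp->flags = 0;` instead of reading a flags attribute from cda[], so expectations created from user space can never be permanent, and presumably the flag is not reported in the dump path either (outside this hunk). If that is intended, a comment such as `/* flags are not user-settable via ctnetlink yet */` would make it explicit; if it is not, the attribute should be parsed and validated against the known IP_CT_EXPECT_* bits before being stored. ctnetlink_create_expect() continues outside the hunk.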


@ -75,6 +75,7 @@ static int tftp_help(struct sk_buff **pskb,
exp->mask.dst.u.udp.port = 0xffff; exp->mask.dst.u.udp.port = 0xffff;
exp->mask.dst.protonum = 0xff; exp->mask.dst.protonum = 0xff;
exp->expectfn = NULL; exp->expectfn = NULL;
exp->flags = 0;
DEBUGP("expect: "); DEBUGP("expect: ");
DUMP_TUPLE(&exp->tuple); DUMP_TUPLE(&exp->tuple);