2006-01-05 21:19:05 +01:00
|
|
|
/* Connection tracking via netlink socket. Allows for user space
|
|
|
|
* protocol helpers and general trouble making from userspace.
|
|
|
|
*
|
|
|
|
* (C) 2001 by Jay Schulist <jschlst@samba.org>
|
2006-03-21 02:56:32 +01:00
|
|
|
* (C) 2002-2006 by Harald Welte <laforge@gnumonks.org>
|
2006-01-05 21:19:05 +01:00
|
|
|
* (C) 2003 by Patrick Mchardy <kaber@trash.net>
|
2008-06-10 00:56:20 +02:00
|
|
|
* (C) 2005-2008 by Pablo Neira Ayuso <pablo@netfilter.org>
|
2006-01-05 21:19:05 +01:00
|
|
|
*
|
2007-02-12 20:15:49 +01:00
|
|
|
* Initial connection tracking via netlink development funded and
|
2006-01-05 21:19:05 +01:00
|
|
|
* generally made possible by Network Robots, Inc. (www.networkrobots.com)
|
|
|
|
*
|
|
|
|
* Further development of this code funded by Astaro AG (http://www.astaro.com)
|
|
|
|
*
|
|
|
|
* This software may be used and distributed according to the terms
|
|
|
|
* of the GNU General Public License, incorporated herein by reference.
|
|
|
|
*/
|
|
|
|
|
|
|
|
#include <linux/init.h>
|
|
|
|
#include <linux/module.h>
|
|
|
|
#include <linux/kernel.h>
|
2008-05-17 08:26:25 +02:00
|
|
|
#include <linux/rculist.h>
|
2009-03-25 21:05:46 +01:00
|
|
|
#include <linux/rculist_nulls.h>
|
2006-01-05 21:19:05 +01:00
|
|
|
#include <linux/types.h>
|
|
|
|
#include <linux/timer.h>
|
|
|
|
#include <linux/skbuff.h>
|
|
|
|
#include <linux/errno.h>
|
|
|
|
#include <linux/netlink.h>
|
|
|
|
#include <linux/spinlock.h>
|
2006-06-27 12:00:35 +02:00
|
|
|
#include <linux/interrupt.h>
|
2006-01-05 21:19:05 +01:00
|
|
|
|
|
|
|
#include <linux/netfilter.h>
|
2007-03-26 08:06:12 +02:00
|
|
|
#include <net/netlink.h>
|
2006-01-05 21:19:05 +01:00
|
|
|
#include <net/netfilter/nf_conntrack.h>
|
|
|
|
#include <net/netfilter/nf_conntrack_core.h>
|
2006-11-29 02:34:58 +01:00
|
|
|
#include <net/netfilter/nf_conntrack_expect.h>
|
2006-01-05 21:19:05 +01:00
|
|
|
#include <net/netfilter/nf_conntrack_helper.h>
|
|
|
|
#include <net/netfilter/nf_conntrack_l3proto.h>
|
2006-11-29 02:35:06 +01:00
|
|
|
#include <net/netfilter/nf_conntrack_l4proto.h>
|
2006-12-03 07:07:13 +01:00
|
|
|
#include <net/netfilter/nf_conntrack_tuple.h>
|
netfilter: accounting rework: ct_extend + 64bit counters (v4)
Initially netfilter has had 64bit counters for conntrack-based accounting, but
it was changed in 2.6.14 to save memory. Unfortunately in-kernel 64bit counters are
still required, for example for "connbytes" extension. However, 64bit counters
waste a lot of memory and it was not possible to enable/disable it runtime.
This patch:
- reimplements accounting with respect to the extension infrastructure,
- makes one global version of seq_print_acct() instead of two seq_print_counters(),
- makes it possible to enable it at boot time (for CONFIG_SYSCTL/CONFIG_SYSFS=n),
- makes it possible to enable/disable it at runtime by sysctl or sysfs,
- extends counters from 32bit to 64bit,
- renames ip_conntrack_counter -> nf_conn_counter,
- enables accounting code unconditionally (no longer depends on CONFIG_NF_CT_ACCT),
- set initial accounting enable state based on CONFIG_NF_CT_ACCT
- removes buggy IPCT_COUNTER_FILLING event handling.
If accounting is enabled newly created connections get additional acct extend.
Old connections are not changed as it is not possible to add a ct_extend area
to confirmed conntrack. Accounting is performed for all connections with
acct extend regardless of a current state of "net.netfilter.nf_conntrack_acct".
Signed-off-by: Krzysztof Piotr Oledzki <ole@ans.pl>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-07-21 19:01:34 +02:00
|
|
|
#include <net/netfilter/nf_conntrack_acct.h>
|
2006-12-03 07:07:13 +01:00
|
|
|
#ifdef CONFIG_NF_NAT_NEEDED
|
|
|
|
#include <net/netfilter/nf_nat_core.h>
|
|
|
|
#include <net/netfilter/nf_nat_protocol.h>
|
|
|
|
#endif
|
2006-01-05 21:19:05 +01:00
|
|
|
|
|
|
|
#include <linux/netfilter/nfnetlink.h>
|
|
|
|
#include <linux/netfilter/nfnetlink_conntrack.h>
|
|
|
|
|
|
|
|
MODULE_LICENSE("GPL");
|
|
|
|
|
2006-03-21 02:56:32 +01:00
|
|
|
static char __initdata version[] = "0.93";
|
2006-01-05 21:19:05 +01:00
|
|
|
|
|
|
|
static inline int
|
2007-02-12 20:15:49 +01:00
|
|
|
ctnetlink_dump_tuples_proto(struct sk_buff *skb,
|
2006-03-22 22:54:15 +01:00
|
|
|
const struct nf_conntrack_tuple *tuple,
|
2006-11-29 02:35:06 +01:00
|
|
|
struct nf_conntrack_l4proto *l4proto)
|
2006-01-05 21:19:05 +01:00
|
|
|
{
|
|
|
|
int ret = 0;
|
2007-09-28 23:37:03 +02:00
|
|
|
struct nlattr *nest_parms;
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
nest_parms = nla_nest_start(skb, CTA_TUPLE_PROTO | NLA_F_NESTED);
|
|
|
|
if (!nest_parms)
|
|
|
|
goto nla_put_failure;
|
2007-12-18 07:29:45 +01:00
|
|
|
NLA_PUT_U8(skb, CTA_PROTO_NUM, tuple->dst.protonum);
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2007-09-28 23:37:41 +02:00
|
|
|
if (likely(l4proto->tuple_to_nlattr))
|
|
|
|
ret = l4proto->tuple_to_nlattr(skb, tuple);
|
2007-02-12 20:15:49 +01:00
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
nla_nest_end(skb, nest_parms);
|
2006-01-05 21:19:05 +01:00
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
nla_put_failure:
|
2006-01-05 21:19:05 +01:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline int
|
2006-03-22 22:54:15 +01:00
|
|
|
ctnetlink_dump_tuples_ip(struct sk_buff *skb,
|
|
|
|
const struct nf_conntrack_tuple *tuple,
|
|
|
|
struct nf_conntrack_l3proto *l3proto)
|
2006-01-05 21:19:05 +01:00
|
|
|
{
|
|
|
|
int ret = 0;
|
2007-09-28 23:37:03 +02:00
|
|
|
struct nlattr *nest_parms;
|
|
|
|
|
|
|
|
nest_parms = nla_nest_start(skb, CTA_TUPLE_IP | NLA_F_NESTED);
|
|
|
|
if (!nest_parms)
|
|
|
|
goto nla_put_failure;
|
2006-03-22 22:54:15 +01:00
|
|
|
|
2007-09-28 23:37:41 +02:00
|
|
|
if (likely(l3proto->tuple_to_nlattr))
|
|
|
|
ret = l3proto->tuple_to_nlattr(skb, tuple);
|
2006-03-22 22:54:15 +01:00
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
nla_nest_end(skb, nest_parms);
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2006-03-22 22:54:15 +01:00
|
|
|
return ret;
|
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
nla_put_failure:
|
2006-03-22 22:54:15 +01:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
[NETFILTER]: Kill some supper dupper bloatry
/me awards the bloatiest-of-all-net/-.c-code award to
nf_conntrack_netlink.c, congratulations to all the authors :-/!
Hall of (unquestionable) fame (measured per inline, top 10 under
net/):
-4496 ctnetlink_parse_tuple netfilter/nf_conntrack_netlink.c
-2165 ctnetlink_dump_tuples netfilter/nf_conntrack_netlink.c
-2115 __ip_vs_get_out_rt ipv4/ipvs/ip_vs_xmit.c
-1924 xfrm_audit_helper_pktinfo xfrm/xfrm_state.c
-1799 ctnetlink_parse_tuple_proto netfilter/nf_conntrack_netlink.c
-1268 ctnetlink_parse_tuple_ip netfilter/nf_conntrack_netlink.c
-1093 ctnetlink_exp_dump_expect netfilter/nf_conntrack_netlink.c
-1060 void ccid3_update_send_interval dccp/ccids/ccid3.c
-983 ctnetlink_dump_tuples_proto netfilter/nf_conntrack_netlink.c
-827 ctnetlink_exp_dump_tuple netfilter/nf_conntrack_netlink.c
(i386 / gcc (GCC) 4.1.2 20070626 (Red Hat 4.1.2-13) /
allyesconfig except CONFIG_FORCED_INLINING)
...and I left < 200 byte gains as future work item.
After iterative inline removal, I finally have this:
net/netfilter/nf_conntrack_netlink.c:
ctnetlink_exp_fill_info | -1104
ctnetlink_new_expect | -1572
ctnetlink_fill_info | -1303
ctnetlink_new_conntrack | -2230
ctnetlink_get_expect | -341
ctnetlink_del_expect | -352
ctnetlink_expect_event | -1110
ctnetlink_conntrack_event | -1548
ctnetlink_del_conntrack | -729
ctnetlink_get_conntrack | -728
10 functions changed, 11017 bytes removed, diff: -11017
net/netfilter/nf_conntrack_netlink.c:
ctnetlink_parse_tuple | +419
dump_nat_seq_adj | +183
ctnetlink_dump_counters | +166
ctnetlink_dump_tuples | +261
ctnetlink_exp_dump_expect | +633
ctnetlink_change_status | +460
6 functions changed, 2122 bytes added, diff: +2122
net/netfilter/nf_conntrack_netlink.o:
16 functions changed, 2122 bytes added, 11017 bytes removed, diff: -8895
Without a number of CONFIG.*DEBUGs, I got this:
net/netfilter/nf_conntrack_netlink.o:
16 functions changed, 2122 bytes added, 11029 bytes removed, diff: -8907
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-06 08:11:31 +01:00
|
|
|
static int
|
2006-03-22 22:54:15 +01:00
|
|
|
ctnetlink_dump_tuples(struct sk_buff *skb,
|
|
|
|
const struct nf_conntrack_tuple *tuple)
|
|
|
|
{
|
|
|
|
int ret;
|
|
|
|
struct nf_conntrack_l3proto *l3proto;
|
2006-11-29 02:35:06 +01:00
|
|
|
struct nf_conntrack_l4proto *l4proto;
|
2006-03-22 22:54:15 +01:00
|
|
|
|
2008-11-17 16:00:40 +01:00
|
|
|
l3proto = __nf_ct_l3proto_find(tuple->src.l3num);
|
2006-03-22 22:54:15 +01:00
|
|
|
ret = ctnetlink_dump_tuples_ip(skb, tuple, l3proto);
|
2006-01-05 21:19:05 +01:00
|
|
|
|
|
|
|
if (unlikely(ret < 0))
|
|
|
|
return ret;
|
|
|
|
|
2008-11-17 16:00:40 +01:00
|
|
|
l4proto = __nf_ct_l4proto_find(tuple->src.l3num, tuple->dst.protonum);
|
2006-11-29 02:35:06 +01:00
|
|
|
ret = ctnetlink_dump_tuples_proto(skb, tuple, l4proto);
|
2006-01-05 21:19:05 +01:00
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline int
|
|
|
|
ctnetlink_dump_status(struct sk_buff *skb, const struct nf_conn *ct)
|
|
|
|
{
|
2007-12-18 07:29:45 +01:00
|
|
|
NLA_PUT_BE32(skb, CTA_STATUS, htonl(ct->status));
|
2006-01-05 21:19:05 +01:00
|
|
|
return 0;
|
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
nla_put_failure:
|
2006-01-05 21:19:05 +01:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline int
|
|
|
|
ctnetlink_dump_timeout(struct sk_buff *skb, const struct nf_conn *ct)
|
|
|
|
{
|
2007-12-18 07:29:45 +01:00
|
|
|
long timeout = (ct->timeout.expires - jiffies) / HZ;
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2007-12-18 07:29:45 +01:00
|
|
|
if (timeout < 0)
|
2006-01-05 21:19:05 +01:00
|
|
|
timeout = 0;
|
2007-02-12 20:15:49 +01:00
|
|
|
|
2007-12-18 07:29:45 +01:00
|
|
|
NLA_PUT_BE32(skb, CTA_TIMEOUT, htonl(timeout));
|
2006-01-05 21:19:05 +01:00
|
|
|
return 0;
|
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
nla_put_failure:
|
2006-01-05 21:19:05 +01:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline int
|
2009-06-10 14:32:47 +02:00
|
|
|
ctnetlink_dump_protoinfo(struct sk_buff *skb, struct nf_conn *ct)
|
2006-01-05 21:19:05 +01:00
|
|
|
{
|
2008-04-14 11:15:52 +02:00
|
|
|
struct nf_conntrack_l4proto *l4proto;
|
2007-09-28 23:37:03 +02:00
|
|
|
struct nlattr *nest_proto;
|
2006-01-05 21:19:05 +01:00
|
|
|
int ret;
|
|
|
|
|
2008-11-17 16:00:40 +01:00
|
|
|
l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
|
|
|
|
if (!l4proto->to_nlattr)
|
2006-01-05 21:19:05 +01:00
|
|
|
return 0;
|
2007-02-12 20:15:49 +01:00
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
nest_proto = nla_nest_start(skb, CTA_PROTOINFO | NLA_F_NESTED);
|
|
|
|
if (!nest_proto)
|
|
|
|
goto nla_put_failure;
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2007-09-28 23:37:41 +02:00
|
|
|
ret = l4proto->to_nlattr(skb, nest_proto, ct);
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
nla_nest_end(skb, nest_proto);
|
2006-01-05 21:19:05 +01:00
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
nla_put_failure:
|
2006-01-05 21:19:05 +01:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline int
|
|
|
|
ctnetlink_dump_helpinfo(struct sk_buff *skb, const struct nf_conn *ct)
|
|
|
|
{
|
2007-09-28 23:37:03 +02:00
|
|
|
struct nlattr *nest_helper;
|
2006-03-21 02:56:32 +01:00
|
|
|
const struct nf_conn_help *help = nfct_help(ct);
|
2007-06-05 21:55:27 +02:00
|
|
|
struct nf_conntrack_helper *helper;
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2007-06-05 21:55:27 +02:00
|
|
|
if (!help)
|
2006-01-05 21:19:05 +01:00
|
|
|
return 0;
|
2007-02-12 20:15:49 +01:00
|
|
|
|
2007-06-05 21:55:27 +02:00
|
|
|
helper = rcu_dereference(help->helper);
|
|
|
|
if (!helper)
|
|
|
|
goto out;
|
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
nest_helper = nla_nest_start(skb, CTA_HELP | NLA_F_NESTED);
|
|
|
|
if (!nest_helper)
|
|
|
|
goto nla_put_failure;
|
2007-12-18 07:29:45 +01:00
|
|
|
NLA_PUT_STRING(skb, CTA_HELP_NAME, helper->name);
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2007-09-28 23:37:41 +02:00
|
|
|
if (helper->to_nlattr)
|
|
|
|
helper->to_nlattr(skb, ct);
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
nla_nest_end(skb, nest_helper);
|
2007-06-05 21:55:27 +02:00
|
|
|
out:
|
2006-01-05 21:19:05 +01:00
|
|
|
return 0;
|
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
nla_put_failure:
|
2006-01-05 21:19:05 +01:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
[NETFILTER]: Kill some supper dupper bloatry
/me awards the bloatiest-of-all-net/-.c-code award to
nf_conntrack_netlink.c, congratulations to all the authors :-/!
Hall of (unquestionable) fame (measured per inline, top 10 under
net/):
-4496 ctnetlink_parse_tuple netfilter/nf_conntrack_netlink.c
-2165 ctnetlink_dump_tuples netfilter/nf_conntrack_netlink.c
-2115 __ip_vs_get_out_rt ipv4/ipvs/ip_vs_xmit.c
-1924 xfrm_audit_helper_pktinfo xfrm/xfrm_state.c
-1799 ctnetlink_parse_tuple_proto netfilter/nf_conntrack_netlink.c
-1268 ctnetlink_parse_tuple_ip netfilter/nf_conntrack_netlink.c
-1093 ctnetlink_exp_dump_expect netfilter/nf_conntrack_netlink.c
-1060 void ccid3_update_send_interval dccp/ccids/ccid3.c
-983 ctnetlink_dump_tuples_proto netfilter/nf_conntrack_netlink.c
-827 ctnetlink_exp_dump_tuple netfilter/nf_conntrack_netlink.c
(i386 / gcc (GCC) 4.1.2 20070626 (Red Hat 4.1.2-13) /
allyesconfig except CONFIG_FORCED_INLINING)
...and I left < 200 byte gains as future work item.
After iterative inline removal, I finally have this:
net/netfilter/nf_conntrack_netlink.c:
ctnetlink_exp_fill_info | -1104
ctnetlink_new_expect | -1572
ctnetlink_fill_info | -1303
ctnetlink_new_conntrack | -2230
ctnetlink_get_expect | -341
ctnetlink_del_expect | -352
ctnetlink_expect_event | -1110
ctnetlink_conntrack_event | -1548
ctnetlink_del_conntrack | -729
ctnetlink_get_conntrack | -728
10 functions changed, 11017 bytes removed, diff: -11017
net/netfilter/nf_conntrack_netlink.c:
ctnetlink_parse_tuple | +419
dump_nat_seq_adj | +183
ctnetlink_dump_counters | +166
ctnetlink_dump_tuples | +261
ctnetlink_exp_dump_expect | +633
ctnetlink_change_status | +460
6 functions changed, 2122 bytes added, diff: +2122
net/netfilter/nf_conntrack_netlink.o:
16 functions changed, 2122 bytes added, 11017 bytes removed, diff: -8895
Without a number of CONFIG.*DEBUGs, I got this:
net/netfilter/nf_conntrack_netlink.o:
16 functions changed, 2122 bytes added, 11029 bytes removed, diff: -8907
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-06 08:11:31 +01:00
|
|
|
static int
|
2006-01-05 21:19:05 +01:00
|
|
|
ctnetlink_dump_counters(struct sk_buff *skb, const struct nf_conn *ct,
|
|
|
|
enum ip_conntrack_dir dir)
|
|
|
|
{
|
|
|
|
enum ctattr_type type = dir ? CTA_COUNTERS_REPLY: CTA_COUNTERS_ORIG;
|
2007-09-28 23:37:03 +02:00
|
|
|
struct nlattr *nest_count;
|
netfilter: accounting rework: ct_extend + 64bit counters (v4)
Initially netfilter has had 64bit counters for conntrack-based accounting, but
it was changed in 2.6.14 to save memory. Unfortunately in-kernel 64bit counters are
still required, for example for "connbytes" extension. However, 64bit counters
waste a lot of memory and it was not possible to enable/disable it runtime.
This patch:
- reimplements accounting with respect to the extension infrastructure,
- makes one global version of seq_print_acct() instead of two seq_print_counters(),
- makes it possible to enable it at boot time (for CONFIG_SYSCTL/CONFIG_SYSFS=n),
- makes it possible to enable/disable it at runtime by sysctl or sysfs,
- extends counters from 32bit to 64bit,
- renames ip_conntrack_counter -> nf_conn_counter,
- enables accounting code unconditionally (no longer depends on CONFIG_NF_CT_ACCT),
- set initial accounting enable state based on CONFIG_NF_CT_ACCT
- removes buggy IPCT_COUNTER_FILLING event handling.
If accounting is enabled newly created connections get additional acct extend.
Old connections are not changed as it is not possible to add a ct_extend area
to confirmed conntrack. Accounting is performed for all connections with
acct extend regardless of a current state of "net.netfilter.nf_conntrack_acct".
Signed-off-by: Krzysztof Piotr Oledzki <ole@ans.pl>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-07-21 19:01:34 +02:00
|
|
|
const struct nf_conn_counter *acct;
|
|
|
|
|
|
|
|
acct = nf_conn_acct_find(ct);
|
|
|
|
if (!acct)
|
|
|
|
return 0;
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
nest_count = nla_nest_start(skb, type | NLA_F_NESTED);
|
|
|
|
if (!nest_count)
|
|
|
|
goto nla_put_failure;
|
|
|
|
|
netfilter: accounting rework: ct_extend + 64bit counters (v4)
Initially netfilter has had 64bit counters for conntrack-based accounting, but
it was changed in 2.6.14 to save memory. Unfortunately in-kernel 64bit counters are
still required, for example for "connbytes" extension. However, 64bit counters
waste a lot of memory and it was not possible to enable/disable it runtime.
This patch:
- reimplements accounting with respect to the extension infrastructure,
- makes one global version of seq_print_acct() instead of two seq_print_counters(),
- makes it possible to enable it at boot time (for CONFIG_SYSCTL/CONFIG_SYSFS=n),
- makes it possible to enable/disable it at runtime by sysctl or sysfs,
- extends counters from 32bit to 64bit,
- renames ip_conntrack_counter -> nf_conn_counter,
- enables accounting code unconditionally (no longer depends on CONFIG_NF_CT_ACCT),
- set initial accounting enable state based on CONFIG_NF_CT_ACCT
- removes buggy IPCT_COUNTER_FILLING event handling.
If accounting is enabled newly created connections get additional acct extend.
Old connections are not changed as it is not possible to add a ct_extend area
to confirmed conntrack. Accounting is performed for all connections with
acct extend regardless of a current state of "net.netfilter.nf_conntrack_acct".
Signed-off-by: Krzysztof Piotr Oledzki <ole@ans.pl>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-07-21 19:01:34 +02:00
|
|
|
NLA_PUT_BE64(skb, CTA_COUNTERS_PACKETS,
|
|
|
|
cpu_to_be64(acct[dir].packets));
|
|
|
|
NLA_PUT_BE64(skb, CTA_COUNTERS_BYTES,
|
|
|
|
cpu_to_be64(acct[dir].bytes));
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
nla_nest_end(skb, nest_count);
|
2006-01-05 21:19:05 +01:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
nla_put_failure:
|
2006-01-05 21:19:05 +01:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
#ifdef CONFIG_NF_CONNTRACK_MARK
|
|
|
|
static inline int
|
|
|
|
ctnetlink_dump_mark(struct sk_buff *skb, const struct nf_conn *ct)
|
|
|
|
{
|
2007-12-18 07:29:45 +01:00
|
|
|
NLA_PUT_BE32(skb, CTA_MARK, htonl(ct->mark));
|
2006-01-05 21:19:05 +01:00
|
|
|
return 0;
|
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
nla_put_failure:
|
2006-01-05 21:19:05 +01:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
#else
|
|
|
|
#define ctnetlink_dump_mark(a, b) (0)
|
|
|
|
#endif
|
|
|
|
|
2007-12-18 07:28:41 +01:00
|
|
|
#ifdef CONFIG_NF_CONNTRACK_SECMARK
|
|
|
|
static inline int
|
|
|
|
ctnetlink_dump_secmark(struct sk_buff *skb, const struct nf_conn *ct)
|
|
|
|
{
|
2007-12-18 07:29:45 +01:00
|
|
|
NLA_PUT_BE32(skb, CTA_SECMARK, htonl(ct->secmark));
|
2007-12-18 07:28:41 +01:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
nla_put_failure:
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
#else
|
|
|
|
#define ctnetlink_dump_secmark(a, b) (0)
|
|
|
|
#endif
|
|
|
|
|
2007-12-18 07:28:19 +01:00
|
|
|
#define master_tuple(ct) &(ct->master->tuplehash[IP_CT_DIR_ORIGINAL].tuple)
|
|
|
|
|
|
|
|
static inline int
|
|
|
|
ctnetlink_dump_master(struct sk_buff *skb, const struct nf_conn *ct)
|
|
|
|
{
|
|
|
|
struct nlattr *nest_parms;
|
|
|
|
|
|
|
|
if (!(ct->status & IPS_EXPECTED))
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
nest_parms = nla_nest_start(skb, CTA_TUPLE_MASTER | NLA_F_NESTED);
|
|
|
|
if (!nest_parms)
|
|
|
|
goto nla_put_failure;
|
|
|
|
if (ctnetlink_dump_tuples(skb, master_tuple(ct)) < 0)
|
|
|
|
goto nla_put_failure;
|
|
|
|
nla_nest_end(skb, nest_parms);
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
nla_put_failure:
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
2007-12-18 07:28:00 +01:00
|
|
|
#ifdef CONFIG_NF_NAT_NEEDED
|
[NETFILTER]: Kill some supper dupper bloatry
/me awards the bloatiest-of-all-net/-.c-code award to
nf_conntrack_netlink.c, congratulations to all the authors :-/!
Hall of (unquestionable) fame (measured per inline, top 10 under
net/):
-4496 ctnetlink_parse_tuple netfilter/nf_conntrack_netlink.c
-2165 ctnetlink_dump_tuples netfilter/nf_conntrack_netlink.c
-2115 __ip_vs_get_out_rt ipv4/ipvs/ip_vs_xmit.c
-1924 xfrm_audit_helper_pktinfo xfrm/xfrm_state.c
-1799 ctnetlink_parse_tuple_proto netfilter/nf_conntrack_netlink.c
-1268 ctnetlink_parse_tuple_ip netfilter/nf_conntrack_netlink.c
-1093 ctnetlink_exp_dump_expect netfilter/nf_conntrack_netlink.c
-1060 void ccid3_update_send_interval dccp/ccids/ccid3.c
-983 ctnetlink_dump_tuples_proto netfilter/nf_conntrack_netlink.c
-827 ctnetlink_exp_dump_tuple netfilter/nf_conntrack_netlink.c
(i386 / gcc (GCC) 4.1.2 20070626 (Red Hat 4.1.2-13) /
allyesconfig except CONFIG_FORCED_INLINING)
...and I left < 200 byte gains as future work item.
After iterative inline removal, I finally have this:
net/netfilter/nf_conntrack_netlink.c:
ctnetlink_exp_fill_info | -1104
ctnetlink_new_expect | -1572
ctnetlink_fill_info | -1303
ctnetlink_new_conntrack | -2230
ctnetlink_get_expect | -341
ctnetlink_del_expect | -352
ctnetlink_expect_event | -1110
ctnetlink_conntrack_event | -1548
ctnetlink_del_conntrack | -729
ctnetlink_get_conntrack | -728
10 functions changed, 11017 bytes removed, diff: -11017
net/netfilter/nf_conntrack_netlink.c:
ctnetlink_parse_tuple | +419
dump_nat_seq_adj | +183
ctnetlink_dump_counters | +166
ctnetlink_dump_tuples | +261
ctnetlink_exp_dump_expect | +633
ctnetlink_change_status | +460
6 functions changed, 2122 bytes added, diff: +2122
net/netfilter/nf_conntrack_netlink.o:
16 functions changed, 2122 bytes added, 11017 bytes removed, diff: -8895
Without a number of CONFIG.*DEBUGs, I got this:
net/netfilter/nf_conntrack_netlink.o:
16 functions changed, 2122 bytes added, 11029 bytes removed, diff: -8907
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-06 08:11:31 +01:00
|
|
|
static int
|
2007-12-18 07:28:00 +01:00
|
|
|
dump_nat_seq_adj(struct sk_buff *skb, const struct nf_nat_seq *natseq, int type)
|
|
|
|
{
|
|
|
|
struct nlattr *nest_parms;
|
|
|
|
|
|
|
|
nest_parms = nla_nest_start(skb, type | NLA_F_NESTED);
|
|
|
|
if (!nest_parms)
|
|
|
|
goto nla_put_failure;
|
|
|
|
|
2007-12-18 07:29:45 +01:00
|
|
|
NLA_PUT_BE32(skb, CTA_NAT_SEQ_CORRECTION_POS,
|
|
|
|
htonl(natseq->correction_pos));
|
|
|
|
NLA_PUT_BE32(skb, CTA_NAT_SEQ_OFFSET_BEFORE,
|
|
|
|
htonl(natseq->offset_before));
|
|
|
|
NLA_PUT_BE32(skb, CTA_NAT_SEQ_OFFSET_AFTER,
|
|
|
|
htonl(natseq->offset_after));
|
2007-12-18 07:28:00 +01:00
|
|
|
|
|
|
|
nla_nest_end(skb, nest_parms);
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
nla_put_failure:
|
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline int
|
|
|
|
ctnetlink_dump_nat_seq_adj(struct sk_buff *skb, const struct nf_conn *ct)
|
|
|
|
{
|
|
|
|
struct nf_nat_seq *natseq;
|
|
|
|
struct nf_conn_nat *nat = nfct_nat(ct);
|
|
|
|
|
|
|
|
if (!(ct->status & IPS_SEQ_ADJUST) || !nat)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
natseq = &nat->seq[IP_CT_DIR_ORIGINAL];
|
|
|
|
if (dump_nat_seq_adj(skb, natseq, CTA_NAT_SEQ_ADJ_ORIG) == -1)
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
natseq = &nat->seq[IP_CT_DIR_REPLY];
|
|
|
|
if (dump_nat_seq_adj(skb, natseq, CTA_NAT_SEQ_ADJ_REPLY) == -1)
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
#else
|
|
|
|
#define ctnetlink_dump_nat_seq_adj(a, b) (0)
|
|
|
|
#endif
|
|
|
|
|
2006-01-05 21:19:05 +01:00
|
|
|
static inline int
|
|
|
|
ctnetlink_dump_id(struct sk_buff *skb, const struct nf_conn *ct)
|
|
|
|
{
|
2007-12-18 07:29:45 +01:00
|
|
|
NLA_PUT_BE32(skb, CTA_ID, htonl((unsigned long)ct));
|
2006-01-05 21:19:05 +01:00
|
|
|
return 0;
|
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
nla_put_failure:
|
2006-01-05 21:19:05 +01:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline int
|
|
|
|
ctnetlink_dump_use(struct sk_buff *skb, const struct nf_conn *ct)
|
|
|
|
{
|
2007-12-18 07:29:45 +01:00
|
|
|
NLA_PUT_BE32(skb, CTA_USE, htonl(atomic_read(&ct->ct_general.use)));
|
2006-01-05 21:19:05 +01:00
|
|
|
return 0;
|
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
nla_put_failure:
|
2006-01-05 21:19:05 +01:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
|
|
|
ctnetlink_fill_info(struct sk_buff *skb, u32 pid, u32 seq,
|
2009-06-10 14:32:47 +02:00
|
|
|
int event, struct nf_conn *ct)
|
2006-01-05 21:19:05 +01:00
|
|
|
{
|
|
|
|
struct nlmsghdr *nlh;
|
|
|
|
struct nfgenmsg *nfmsg;
|
2007-09-28 23:37:03 +02:00
|
|
|
struct nlattr *nest_parms;
|
2009-06-02 20:07:39 +02:00
|
|
|
unsigned int flags = pid ? NLM_F_MULTI : 0;
|
2006-01-05 21:19:05 +01:00
|
|
|
|
|
|
|
event |= NFNL_SUBSYS_CTNETLINK << 8;
|
2009-06-02 20:07:39 +02:00
|
|
|
nlh = nlmsg_put(skb, pid, seq, event, sizeof(*nfmsg), flags);
|
|
|
|
if (nlh == NULL)
|
|
|
|
goto nlmsg_failure;
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2009-06-02 20:07:39 +02:00
|
|
|
nfmsg = nlmsg_data(nlh);
|
2008-04-14 11:15:52 +02:00
|
|
|
nfmsg->nfgen_family = nf_ct_l3num(ct);
|
2006-01-05 21:19:05 +01:00
|
|
|
nfmsg->version = NFNETLINK_V0;
|
|
|
|
nfmsg->res_id = 0;
|
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED);
|
|
|
|
if (!nest_parms)
|
|
|
|
goto nla_put_failure;
|
2009-06-02 20:03:35 +02:00
|
|
|
if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
|
2007-09-28 23:37:03 +02:00
|
|
|
goto nla_put_failure;
|
|
|
|
nla_nest_end(skb, nest_parms);
|
2007-02-12 20:15:49 +01:00
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY | NLA_F_NESTED);
|
|
|
|
if (!nest_parms)
|
|
|
|
goto nla_put_failure;
|
2009-06-02 20:03:35 +02:00
|
|
|
if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
|
2007-09-28 23:37:03 +02:00
|
|
|
goto nla_put_failure;
|
|
|
|
nla_nest_end(skb, nest_parms);
|
2006-01-05 21:19:05 +01:00
|
|
|
|
|
|
|
if (ctnetlink_dump_status(skb, ct) < 0 ||
|
|
|
|
ctnetlink_dump_timeout(skb, ct) < 0 ||
|
|
|
|
ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 ||
|
|
|
|
ctnetlink_dump_counters(skb, ct, IP_CT_DIR_REPLY) < 0 ||
|
|
|
|
ctnetlink_dump_protoinfo(skb, ct) < 0 ||
|
|
|
|
ctnetlink_dump_helpinfo(skb, ct) < 0 ||
|
|
|
|
ctnetlink_dump_mark(skb, ct) < 0 ||
|
2007-12-18 07:28:41 +01:00
|
|
|
ctnetlink_dump_secmark(skb, ct) < 0 ||
|
2006-01-05 21:19:05 +01:00
|
|
|
ctnetlink_dump_id(skb, ct) < 0 ||
|
2007-12-18 07:28:00 +01:00
|
|
|
ctnetlink_dump_use(skb, ct) < 0 ||
|
2007-12-18 07:28:19 +01:00
|
|
|
ctnetlink_dump_master(skb, ct) < 0 ||
|
2007-12-18 07:28:00 +01:00
|
|
|
ctnetlink_dump_nat_seq_adj(skb, ct) < 0)
|
2007-09-28 23:37:03 +02:00
|
|
|
goto nla_put_failure;
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2009-06-02 20:07:39 +02:00
|
|
|
nlmsg_end(skb, nlh);
|
2006-01-05 21:19:05 +01:00
|
|
|
return skb->len;
|
|
|
|
|
|
|
|
nlmsg_failure:
|
2007-09-28 23:37:03 +02:00
|
|
|
nla_put_failure:
|
2009-06-02 20:07:39 +02:00
|
|
|
nlmsg_cancel(skb, nlh);
|
2006-01-05 21:19:05 +01:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
#ifdef CONFIG_NF_CONNTRACK_EVENTS
|
2009-06-02 20:08:27 +02:00
|
|
|
static inline size_t
|
|
|
|
ctnetlink_proto_size(const struct nf_conn *ct)
|
2009-03-25 21:50:59 +01:00
|
|
|
{
|
|
|
|
struct nf_conntrack_l3proto *l3proto;
|
|
|
|
struct nf_conntrack_l4proto *l4proto;
|
2009-06-02 20:08:27 +02:00
|
|
|
size_t len = 0;
|
|
|
|
|
|
|
|
rcu_read_lock();
|
|
|
|
l3proto = __nf_ct_l3proto_find(nf_ct_l3num(ct));
|
|
|
|
len += l3proto->nla_size;
|
|
|
|
|
|
|
|
l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
|
|
|
|
len += l4proto->nla_size;
|
|
|
|
rcu_read_unlock();
|
|
|
|
|
|
|
|
return len;
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline size_t
|
|
|
|
ctnetlink_nlmsg_size(const struct nf_conn *ct)
|
|
|
|
{
|
|
|
|
return NLMSG_ALIGN(sizeof(struct nfgenmsg))
|
|
|
|
+ 3 * nla_total_size(0) /* CTA_TUPLE_ORIG|REPL|MASTER */
|
|
|
|
+ 3 * nla_total_size(0) /* CTA_TUPLE_IP */
|
|
|
|
+ 3 * nla_total_size(0) /* CTA_TUPLE_PROTO */
|
|
|
|
+ 3 * nla_total_size(sizeof(u_int8_t)) /* CTA_PROTO_NUM */
|
|
|
|
+ nla_total_size(sizeof(u_int32_t)) /* CTA_ID */
|
|
|
|
+ nla_total_size(sizeof(u_int32_t)) /* CTA_STATUS */
|
2009-03-26 13:37:14 +01:00
|
|
|
#ifdef CONFIG_NF_CT_ACCT
|
2009-06-02 20:08:27 +02:00
|
|
|
+ 2 * nla_total_size(0) /* CTA_COUNTERS_ORIG|REPL */
|
|
|
|
+ 2 * nla_total_size(sizeof(uint64_t)) /* CTA_COUNTERS_PACKETS */
|
|
|
|
+ 2 * nla_total_size(sizeof(uint64_t)) /* CTA_COUNTERS_BYTES */
|
2009-03-26 13:37:14 +01:00
|
|
|
#endif
|
2009-06-02 20:08:27 +02:00
|
|
|
+ nla_total_size(sizeof(u_int32_t)) /* CTA_TIMEOUT */
|
|
|
|
+ nla_total_size(0) /* CTA_PROTOINFO */
|
|
|
|
+ nla_total_size(0) /* CTA_HELP */
|
|
|
|
+ nla_total_size(NF_CT_HELPER_NAME_LEN) /* CTA_HELP_NAME */
|
2009-03-26 13:37:14 +01:00
|
|
|
#ifdef CONFIG_NF_CONNTRACK_SECMARK
|
2009-06-02 20:08:27 +02:00
|
|
|
+ nla_total_size(sizeof(u_int32_t)) /* CTA_SECMARK */
|
2009-03-26 13:37:14 +01:00
|
|
|
#endif
|
|
|
|
#ifdef CONFIG_NF_NAT_NEEDED
|
2009-06-02 20:08:27 +02:00
|
|
|
+ 2 * nla_total_size(0) /* CTA_NAT_SEQ_ADJ_ORIG|REPL */
|
|
|
|
+ 6 * nla_total_size(sizeof(u_int32_t)) /* CTA_NAT_SEQ_OFFSET */
|
2009-03-26 13:37:14 +01:00
|
|
|
#endif
|
|
|
|
#ifdef CONFIG_NF_CONNTRACK_MARK
|
2009-06-02 20:08:27 +02:00
|
|
|
+ nla_total_size(sizeof(u_int32_t)) /* CTA_MARK */
|
2009-03-26 13:37:14 +01:00
|
|
|
#endif
|
2009-06-02 20:08:27 +02:00
|
|
|
+ ctnetlink_proto_size(ct)
|
|
|
|
;
|
2009-03-25 21:50:59 +01:00
|
|
|
}
|
|
|
|
|
2009-06-03 10:32:06 +02:00
|
|
|
static int
|
|
|
|
ctnetlink_conntrack_event(unsigned int events, struct nf_ct_event *item)
|
2006-01-05 21:19:05 +01:00
|
|
|
{
|
|
|
|
struct nlmsghdr *nlh;
|
|
|
|
struct nfgenmsg *nfmsg;
|
2007-09-28 23:37:03 +02:00
|
|
|
struct nlattr *nest_parms;
|
2008-11-18 11:56:20 +01:00
|
|
|
struct nf_conn *ct = item->ct;
|
2006-01-05 21:19:05 +01:00
|
|
|
struct sk_buff *skb;
|
|
|
|
unsigned int type;
|
|
|
|
unsigned int flags = 0, group;
|
netfilter: conntrack: optional reliable conntrack event delivery
This patch improves ctnetlink event reliability if one broadcast
listener has set the NETLINK_BROADCAST_ERROR socket option.
The logic is the following: if an event delivery fails, we keep
the undelivered events in the missed event cache. Once the next
packet arrives, we add the new events (if any) to the missed
events in the cache and we try a new delivery, and so on. Thus,
if ctnetlink fails to deliver an event, we try to deliver them
once we see a new packet. Therefore, we may lose state
transitions but the userspace process gets in sync at some point.
At worst case, if no events were delivered to userspace, we make
sure that destroy events are successfully delivered. Basically,
if ctnetlink fails to deliver the destroy event, we remove the
conntrack entry from the hashes and we insert them in the dying
list, which contains inactive entries. Then, the conntrack timer
is added with an extra grace timeout of random32() % 15 seconds
to trigger the event again (this grace timeout is tunable via
/proc). The use of a limited random timeout value allows
distributing the "destroy" resends, thus, avoiding accumulating
lots "destroy" events at the same time. Event delivery may
re-order but we can identify them by means of the tuple plus
the conntrack ID.
The maximum number of conntrack entries (active or inactive) is
still handled by nf_conntrack_max. Thus, we may start dropping
packets at some point if we accumulate a lot of inactive conntrack
entries that did not successfully report the destroy event to
userspace.
During my stress tests consisting of setting a very small buffer
of 2048 bytes for conntrackd and the NETLINK_BROADCAST_ERROR socket
flag, and generating lots of very small connections, I noticed
very few destroy entries on the fly waiting to be resend.
A simple way to test this patch consist of creating a lot of
entries, set a very small Netlink buffer in conntrackd (+ a patch
which is not in the git tree to set the BROADCAST_ERROR flag)
and invoke `conntrack -F'.
For expectations, no changes are introduced in this patch.
Currently, event delivery is only done for new expectations (no
events from expectation expiration, removal and confirmation).
In that case, they need a per-expectation event cache to implement
the same idea that is exposed in this patch.
This patch can be useful to provide reliable flow-accouting. We
still have to add a new conntrack extension to store the creation
and destroy time.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
2009-06-13 12:30:52 +02:00
|
|
|
int err;
|
2006-01-05 21:19:05 +01:00
|
|
|
|
|
|
|
/* ignore our fake conntrack entry */
|
|
|
|
if (ct == &nf_conntrack_untracked)
|
2009-06-03 10:32:06 +02:00
|
|
|
return 0;
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2009-06-13 12:26:29 +02:00
|
|
|
if (events & (1 << IPCT_DESTROY)) {
|
2006-01-05 21:19:05 +01:00
|
|
|
type = IPCTNL_MSG_CT_DELETE;
|
|
|
|
group = NFNLGRP_CONNTRACK_DESTROY;
|
2009-06-13 12:26:29 +02:00
|
|
|
} else if (events & ((1 << IPCT_NEW) | (1 << IPCT_RELATED))) {
|
2006-01-05 21:19:05 +01:00
|
|
|
type = IPCTNL_MSG_CT_NEW;
|
|
|
|
flags = NLM_F_CREATE|NLM_F_EXCL;
|
|
|
|
group = NFNLGRP_CONNTRACK_NEW;
|
netfilter: conntrack: simplify event caching system
This patch simplifies the conntrack event caching system by removing
several events:
* IPCT_[*]_VOLATILE, IPCT_HELPINFO and IPCT_NATINFO has been deleted
since the have no clients.
* IPCT_COUNTER_FILLING which is a leftover of the 32-bits counter
days.
* IPCT_REFRESH which is not of any use since we always include the
timeout in the messages.
After this patch, the existing events are:
* IPCT_NEW, IPCT_RELATED and IPCT_DESTROY, that are used to identify
addition and deletion of entries.
* IPCT_STATUS, that notes that the status bits have changes,
eg. IPS_SEEN_REPLY and IPS_ASSURED.
* IPCT_PROTOINFO, that reports that internal protocol information has
changed, eg. the TCP, DCCP and SCTP protocol state.
* IPCT_HELPER, that a helper has been assigned or unassigned to this
entry.
* IPCT_MARK and IPCT_SECMARK, that reports that the mark has changed, this
covers the case when a mark is set to zero.
* IPCT_NATSEQADJ, to report that there's updates in the NAT sequence
adjustment.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2009-06-02 20:08:46 +02:00
|
|
|
} else if (events) {
|
2006-01-05 21:19:05 +01:00
|
|
|
type = IPCTNL_MSG_CT_NEW;
|
|
|
|
group = NFNLGRP_CONNTRACK_UPDATE;
|
|
|
|
} else
|
2009-06-03 10:32:06 +02:00
|
|
|
return 0;
|
2006-03-21 03:03:59 +01:00
|
|
|
|
2009-02-09 23:34:26 +01:00
|
|
|
if (!item->report && !nfnetlink_has_listeners(group))
|
2009-06-03 10:32:06 +02:00
|
|
|
return 0;
|
2006-03-21 03:03:59 +01:00
|
|
|
|
2009-06-02 20:08:27 +02:00
|
|
|
skb = nlmsg_new(ctnetlink_nlmsg_size(ct), GFP_ATOMIC);
|
|
|
|
if (skb == NULL)
|
2009-04-17 17:47:31 +02:00
|
|
|
goto errout;
|
2006-01-05 21:19:05 +01:00
|
|
|
|
|
|
|
type |= NFNL_SUBSYS_CTNETLINK << 8;
|
2009-06-02 20:07:39 +02:00
|
|
|
nlh = nlmsg_put(skb, item->pid, 0, type, sizeof(*nfmsg), flags);
|
|
|
|
if (nlh == NULL)
|
|
|
|
goto nlmsg_failure;
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2009-06-02 20:07:39 +02:00
|
|
|
nfmsg = nlmsg_data(nlh);
|
2008-04-14 11:15:52 +02:00
|
|
|
nfmsg->nfgen_family = nf_ct_l3num(ct);
|
2006-01-05 21:19:05 +01:00
|
|
|
nfmsg->version = NFNETLINK_V0;
|
|
|
|
nfmsg->res_id = 0;
|
|
|
|
|
2008-11-17 16:00:40 +01:00
|
|
|
rcu_read_lock();
|
2007-09-28 23:37:03 +02:00
|
|
|
nest_parms = nla_nest_start(skb, CTA_TUPLE_ORIG | NLA_F_NESTED);
|
|
|
|
if (!nest_parms)
|
|
|
|
goto nla_put_failure;
|
2009-06-02 20:03:35 +02:00
|
|
|
if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_ORIGINAL)) < 0)
|
2007-09-28 23:37:03 +02:00
|
|
|
goto nla_put_failure;
|
|
|
|
nla_nest_end(skb, nest_parms);
|
2007-02-12 20:15:49 +01:00
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
nest_parms = nla_nest_start(skb, CTA_TUPLE_REPLY | NLA_F_NESTED);
|
|
|
|
if (!nest_parms)
|
|
|
|
goto nla_put_failure;
|
2009-06-02 20:03:35 +02:00
|
|
|
if (ctnetlink_dump_tuples(skb, nf_ct_tuple(ct, IP_CT_DIR_REPLY)) < 0)
|
2007-09-28 23:37:03 +02:00
|
|
|
goto nla_put_failure;
|
|
|
|
nla_nest_end(skb, nest_parms);
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2008-05-14 08:27:11 +02:00
|
|
|
if (ctnetlink_dump_id(skb, ct) < 0)
|
|
|
|
goto nla_put_failure;
|
|
|
|
|
2008-06-10 00:59:58 +02:00
|
|
|
if (ctnetlink_dump_status(skb, ct) < 0)
|
|
|
|
goto nla_put_failure;
|
|
|
|
|
2009-06-13 12:26:29 +02:00
|
|
|
if (events & (1 << IPCT_DESTROY)) {
|
2006-11-29 02:35:32 +01:00
|
|
|
if (ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 ||
|
|
|
|
ctnetlink_dump_counters(skb, ct, IP_CT_DIR_REPLY) < 0)
|
2007-09-28 23:37:03 +02:00
|
|
|
goto nla_put_failure;
|
2006-11-29 02:35:32 +01:00
|
|
|
} else {
|
|
|
|
if (ctnetlink_dump_timeout(skb, ct) < 0)
|
2007-09-28 23:37:03 +02:00
|
|
|
goto nla_put_failure;
|
2006-11-29 02:35:32 +01:00
|
|
|
|
2009-06-13 12:26:29 +02:00
|
|
|
if (events & (1 << IPCT_PROTOINFO)
|
2006-11-29 02:35:32 +01:00
|
|
|
&& ctnetlink_dump_protoinfo(skb, ct) < 0)
|
2007-09-28 23:37:03 +02:00
|
|
|
goto nla_put_failure;
|
2006-11-29 02:35:32 +01:00
|
|
|
|
2009-06-13 12:26:29 +02:00
|
|
|
if ((events & (1 << IPCT_HELPER) || nfct_help(ct))
|
2006-11-29 02:35:32 +01:00
|
|
|
&& ctnetlink_dump_helpinfo(skb, ct) < 0)
|
2007-09-28 23:37:03 +02:00
|
|
|
goto nla_put_failure;
|
2006-11-29 02:35:32 +01:00
|
|
|
|
2007-12-18 07:28:41 +01:00
|
|
|
#ifdef CONFIG_NF_CONNTRACK_SECMARK
|
2009-06-13 12:26:29 +02:00
|
|
|
if ((events & (1 << IPCT_SECMARK) || ct->secmark)
|
2007-12-18 07:28:41 +01:00
|
|
|
&& ctnetlink_dump_secmark(skb, ct) < 0)
|
|
|
|
goto nla_put_failure;
|
|
|
|
#endif
|
2006-11-29 02:35:32 +01:00
|
|
|
|
2009-06-13 12:26:29 +02:00
|
|
|
if (events & (1 << IPCT_RELATED) &&
|
2007-12-18 07:28:19 +01:00
|
|
|
ctnetlink_dump_master(skb, ct) < 0)
|
|
|
|
goto nla_put_failure;
|
|
|
|
|
2009-06-13 12:26:29 +02:00
|
|
|
if (events & (1 << IPCT_NATSEQADJ) &&
|
2007-12-18 07:28:00 +01:00
|
|
|
ctnetlink_dump_nat_seq_adj(skb, ct) < 0)
|
|
|
|
goto nla_put_failure;
|
2006-11-29 02:35:32 +01:00
|
|
|
}
|
2006-08-22 09:31:49 +02:00
|
|
|
|
2008-01-31 13:44:27 +01:00
|
|
|
#ifdef CONFIG_NF_CONNTRACK_MARK
|
2009-06-13 12:26:29 +02:00
|
|
|
if ((events & (1 << IPCT_MARK) || ct->mark)
|
2008-01-31 13:44:27 +01:00
|
|
|
&& ctnetlink_dump_mark(skb, ct) < 0)
|
|
|
|
goto nla_put_failure;
|
|
|
|
#endif
|
2008-11-17 16:00:40 +01:00
|
|
|
rcu_read_unlock();
|
2008-01-31 13:44:27 +01:00
|
|
|
|
2009-06-02 20:07:39 +02:00
|
|
|
nlmsg_end(skb, nlh);
|
netfilter: conntrack: optional reliable conntrack event delivery
This patch improves ctnetlink event reliability if one broadcast
listener has set the NETLINK_BROADCAST_ERROR socket option.
The logic is the following: if an event delivery fails, we keep
the undelivered events in the missed event cache. Once the next
packet arrives, we add the new events (if any) to the missed
events in the cache and we try a new delivery, and so on. Thus,
if ctnetlink fails to deliver an event, we try to deliver them
once we see a new packet. Therefore, we may lose state
transitions but the userspace process gets in sync at some point.
At worst case, if no events were delivered to userspace, we make
sure that destroy events are successfully delivered. Basically,
if ctnetlink fails to deliver the destroy event, we remove the
conntrack entry from the hashes and we insert them in the dying
list, which contains inactive entries. Then, the conntrack timer
is added with an extra grace timeout of random32() % 15 seconds
to trigger the event again (this grace timeout is tunable via
/proc). The use of a limited random timeout value allows
distributing the "destroy" resends, thus, avoiding accumulating
lots "destroy" events at the same time. Event delivery may
re-order but we can identify them by means of the tuple plus
the conntrack ID.
The maximum number of conntrack entries (active or inactive) is
still handled by nf_conntrack_max. Thus, we may start dropping
packets at some point if we accumulate a lot of inactive conntrack
entries that did not successfully report the destroy event to
userspace.
During my stress tests consisting of setting a very small buffer
of 2048 bytes for conntrackd and the NETLINK_BROADCAST_ERROR socket
flag, and generating lots of very small connections, I noticed
very few destroy entries on the fly waiting to be resend.
A simple way to test this patch consist of creating a lot of
entries, set a very small Netlink buffer in conntrackd (+ a patch
which is not in the git tree to set the BROADCAST_ERROR flag)
and invoke `conntrack -F'.
For expectations, no changes are introduced in this patch.
Currently, event delivery is only done for new expectations (no
events from expectation expiration, removal and confirmation).
In that case, they need a per-expectation event cache to implement
the same idea that is exposed in this patch.
This patch can be useful to provide reliable flow-accouting. We
still have to add a new conntrack extension to store the creation
and destroy time.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
2009-06-13 12:30:52 +02:00
|
|
|
err = nfnetlink_send(skb, item->pid, group, item->report, GFP_ATOMIC);
|
|
|
|
if (err == -ENOBUFS || err == -EAGAIN)
|
|
|
|
return -ENOBUFS;
|
|
|
|
|
2009-06-03 10:32:06 +02:00
|
|
|
return 0;
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
nla_put_failure:
|
2008-11-17 16:00:40 +01:00
|
|
|
rcu_read_unlock();
|
2009-06-02 20:07:39 +02:00
|
|
|
nlmsg_cancel(skb, nlh);
|
2008-11-17 16:00:40 +01:00
|
|
|
nlmsg_failure:
|
2006-01-05 21:19:05 +01:00
|
|
|
kfree_skb(skb);
|
2009-04-17 17:47:31 +02:00
|
|
|
errout:
|
|
|
|
nfnetlink_set_err(0, group, -ENOBUFS);
|
2009-06-03 10:32:06 +02:00
|
|
|
return 0;
|
2006-01-05 21:19:05 +01:00
|
|
|
}
|
|
|
|
#endif /* CONFIG_NF_CONNTRACK_EVENTS */
|
|
|
|
|
|
|
|
static int ctnetlink_done(struct netlink_callback *cb)
|
|
|
|
{
|
2006-05-30 03:24:58 +02:00
|
|
|
if (cb->args[1])
|
|
|
|
nf_ct_put((struct nf_conn *)cb->args[1]);
|
2006-01-05 21:19:05 +01:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
|
|
|
ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
|
|
|
|
{
|
2006-05-30 03:24:58 +02:00
|
|
|
struct nf_conn *ct, *last;
|
2006-01-05 21:19:05 +01:00
|
|
|
struct nf_conntrack_tuple_hash *h;
|
2009-03-25 21:05:46 +01:00
|
|
|
struct hlist_nulls_node *n;
|
2009-06-02 20:07:39 +02:00
|
|
|
struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
|
2006-01-05 21:19:23 +01:00
|
|
|
u_int8_t l3proto = nfmsg->nfgen_family;
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2008-01-31 13:38:38 +01:00
|
|
|
rcu_read_lock();
|
2006-08-18 03:12:38 +02:00
|
|
|
last = (struct nf_conn *)cb->args[1];
|
2006-05-30 03:24:58 +02:00
|
|
|
for (; cb->args[0] < nf_conntrack_htable_size; cb->args[0]++) {
|
|
|
|
restart:
|
2009-03-25 21:05:46 +01:00
|
|
|
hlist_nulls_for_each_entry_rcu(h, n, &init_net.ct.hash[cb->args[0]],
|
|
|
|
hnnode) {
|
2006-12-03 07:07:13 +01:00
|
|
|
if (NF_CT_DIRECTION(h) != IP_CT_DIR_ORIGINAL)
|
2006-01-05 21:19:05 +01:00
|
|
|
continue;
|
|
|
|
ct = nf_ct_tuplehash_to_ctrack(h);
|
2009-03-25 21:05:46 +01:00
|
|
|
if (!atomic_inc_not_zero(&ct->ct_general.use))
|
|
|
|
continue;
|
2006-01-05 21:19:23 +01:00
|
|
|
/* Dump entries of a given L3 protocol number.
|
|
|
|
* If it is not specified, ie. l3proto == 0,
|
|
|
|
* then dump everything. */
|
2008-04-14 11:15:52 +02:00
|
|
|
if (l3proto && nf_ct_l3num(ct) != l3proto)
|
2009-03-25 21:05:46 +01:00
|
|
|
goto releasect;
|
2006-08-18 03:12:38 +02:00
|
|
|
if (cb->args[1]) {
|
|
|
|
if (ct != last)
|
2009-03-25 21:05:46 +01:00
|
|
|
goto releasect;
|
2006-08-18 03:12:38 +02:00
|
|
|
cb->args[1] = 0;
|
2006-05-30 03:24:58 +02:00
|
|
|
}
|
2006-01-05 21:19:05 +01:00
|
|
|
if (ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).pid,
|
2007-02-12 20:15:49 +01:00
|
|
|
cb->nlh->nlmsg_seq,
|
2009-06-02 20:03:34 +02:00
|
|
|
IPCTNL_MSG_CT_NEW, ct) < 0) {
|
2006-05-30 03:24:58 +02:00
|
|
|
cb->args[1] = (unsigned long)ct;
|
2006-01-05 21:19:05 +01:00
|
|
|
goto out;
|
2006-05-30 03:24:58 +02:00
|
|
|
}
|
netfilter: accounting rework: ct_extend + 64bit counters (v4)
Initially netfilter has had 64bit counters for conntrack-based accounting, but
it was changed in 2.6.14 to save memory. Unfortunately in-kernel 64bit counters are
still required, for example for "connbytes" extension. However, 64bit counters
waste a lot of memory and it was not possible to enable/disable it runtime.
This patch:
- reimplements accounting with respect to the extension infrastructure,
- makes one global version of seq_print_acct() instead of two seq_print_counters(),
- makes it possible to enable it at boot time (for CONFIG_SYSCTL/CONFIG_SYSFS=n),
- makes it possible to enable/disable it at runtime by sysctl or sysfs,
- extends counters from 32bit to 64bit,
- renames ip_conntrack_counter -> nf_conn_counter,
- enables accounting code unconditionally (no longer depends on CONFIG_NF_CT_ACCT),
- set initial accounting enable state based on CONFIG_NF_CT_ACCT
- removes buggy IPCT_COUNTER_FILLING event handling.
If accounting is enabled newly created connections get additional acct extend.
Old connections are not changed as it is not possible to add a ct_extend area
to confirmed conntrack. Accounting is performed for all connections with
acct extend regardless of a current state of "net.netfilter.nf_conntrack_acct".
Signed-off-by: Krzysztof Piotr Oledzki <ole@ans.pl>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-07-21 19:01:34 +02:00
|
|
|
|
2006-09-20 21:00:45 +02:00
|
|
|
if (NFNL_MSG_TYPE(cb->nlh->nlmsg_type) ==
|
netfilter: accounting rework: ct_extend + 64bit counters (v4)
Initially netfilter has had 64bit counters for conntrack-based accounting, but
it was changed in 2.6.14 to save memory. Unfortunately in-kernel 64bit counters are
still required, for example for "connbytes" extension. However, 64bit counters
waste a lot of memory and it was not possible to enable/disable it runtime.
This patch:
- reimplements accounting with respect to the extension infrastructure,
- makes one global version of seq_print_acct() instead of two seq_print_counters(),
- makes it possible to enable it at boot time (for CONFIG_SYSCTL/CONFIG_SYSFS=n),
- makes it possible to enable/disable it at runtime by sysctl or sysfs,
- extends counters from 32bit to 64bit,
- renames ip_conntrack_counter -> nf_conn_counter,
- enables accounting code unconditionally (no longer depends on CONFIG_NF_CT_ACCT),
- set initial accounting enable state based on CONFIG_NF_CT_ACCT
- removes buggy IPCT_COUNTER_FILLING event handling.
If accounting is enabled newly created connections get additional acct extend.
Old connections are not changed as it is not possible to add a ct_extend area
to confirmed conntrack. Accounting is performed for all connections with
acct extend regardless of a current state of "net.netfilter.nf_conntrack_acct".
Signed-off-by: Krzysztof Piotr Oledzki <ole@ans.pl>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-07-21 19:01:34 +02:00
|
|
|
IPCTNL_MSG_CT_GET_CTRZERO) {
|
|
|
|
struct nf_conn_counter *acct;
|
|
|
|
|
|
|
|
acct = nf_conn_acct_find(ct);
|
|
|
|
if (acct)
|
|
|
|
memset(acct, 0, sizeof(struct nf_conn_counter[IP_CT_DIR_MAX]));
|
|
|
|
}
|
2009-03-25 21:05:46 +01:00
|
|
|
releasect:
|
|
|
|
nf_ct_put(ct);
|
2006-05-30 03:24:58 +02:00
|
|
|
}
|
2006-08-18 03:12:38 +02:00
|
|
|
if (cb->args[1]) {
|
2006-05-30 03:24:58 +02:00
|
|
|
cb->args[1] = 0;
|
|
|
|
goto restart;
|
2006-01-05 21:19:05 +01:00
|
|
|
}
|
|
|
|
}
|
2006-05-30 03:24:58 +02:00
|
|
|
out:
|
2008-01-31 13:38:38 +01:00
|
|
|
rcu_read_unlock();
|
2006-08-18 03:12:38 +02:00
|
|
|
if (last)
|
|
|
|
nf_ct_put(last);
|
2006-01-05 21:19:05 +01:00
|
|
|
|
|
|
|
return skb->len;
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline int
|
2007-09-28 23:37:03 +02:00
|
|
|
ctnetlink_parse_tuple_ip(struct nlattr *attr, struct nf_conntrack_tuple *tuple)
|
2006-01-05 21:19:05 +01:00
|
|
|
{
|
2007-09-28 23:37:03 +02:00
|
|
|
struct nlattr *tb[CTA_IP_MAX+1];
|
2006-01-05 21:19:05 +01:00
|
|
|
struct nf_conntrack_l3proto *l3proto;
|
|
|
|
int ret = 0;
|
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
nla_parse_nested(tb, CTA_IP_MAX, attr, NULL);
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2009-03-18 17:28:37 +01:00
|
|
|
rcu_read_lock();
|
|
|
|
l3proto = __nf_ct_l3proto_find(tuple->src.l3num);
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2007-09-28 23:39:55 +02:00
|
|
|
if (likely(l3proto->nlattr_to_tuple)) {
|
|
|
|
ret = nla_validate_nested(attr, CTA_IP_MAX,
|
|
|
|
l3proto->nla_policy);
|
|
|
|
if (ret == 0)
|
|
|
|
ret = l3proto->nlattr_to_tuple(tb, tuple);
|
|
|
|
}
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2009-03-18 17:28:37 +01:00
|
|
|
rcu_read_unlock();
|
2006-01-05 21:19:05 +01:00
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
2007-09-28 23:39:55 +02:00
|
|
|
static const struct nla_policy proto_nla_policy[CTA_PROTO_MAX+1] = {
|
|
|
|
[CTA_PROTO_NUM] = { .type = NLA_U8 },
|
2006-01-05 21:19:05 +01:00
|
|
|
};
|
|
|
|
|
|
|
|
static inline int
|
2007-09-28 23:37:03 +02:00
|
|
|
ctnetlink_parse_tuple_proto(struct nlattr *attr,
|
2006-01-05 21:19:05 +01:00
|
|
|
struct nf_conntrack_tuple *tuple)
|
|
|
|
{
|
2007-09-28 23:37:03 +02:00
|
|
|
struct nlattr *tb[CTA_PROTO_MAX+1];
|
2006-11-29 02:35:06 +01:00
|
|
|
struct nf_conntrack_l4proto *l4proto;
|
2006-01-05 21:19:05 +01:00
|
|
|
int ret = 0;
|
|
|
|
|
2007-09-28 23:39:55 +02:00
|
|
|
ret = nla_parse_nested(tb, CTA_PROTO_MAX, attr, proto_nla_policy);
|
|
|
|
if (ret < 0)
|
|
|
|
return ret;
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
if (!tb[CTA_PROTO_NUM])
|
2006-01-05 21:19:05 +01:00
|
|
|
return -EINVAL;
|
2007-12-18 07:29:45 +01:00
|
|
|
tuple->dst.protonum = nla_get_u8(tb[CTA_PROTO_NUM]);
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2009-03-18 17:28:37 +01:00
|
|
|
rcu_read_lock();
|
|
|
|
l4proto = __nf_ct_l4proto_find(tuple->src.l3num, tuple->dst.protonum);
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2007-09-28 23:39:55 +02:00
|
|
|
if (likely(l4proto->nlattr_to_tuple)) {
|
|
|
|
ret = nla_validate_nested(attr, CTA_PROTO_MAX,
|
|
|
|
l4proto->nla_policy);
|
|
|
|
if (ret == 0)
|
|
|
|
ret = l4proto->nlattr_to_tuple(tb, tuple);
|
|
|
|
}
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2009-03-18 17:28:37 +01:00
|
|
|
rcu_read_unlock();
|
2007-02-12 20:15:49 +01:00
|
|
|
|
2006-01-05 21:19:05 +01:00
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
[NETFILTER]: Kill some supper dupper bloatry
/me awards the bloatiest-of-all-net/-.c-code award to
nf_conntrack_netlink.c, congratulations to all the authors :-/!
Hall of (unquestionable) fame (measured per inline, top 10 under
net/):
-4496 ctnetlink_parse_tuple netfilter/nf_conntrack_netlink.c
-2165 ctnetlink_dump_tuples netfilter/nf_conntrack_netlink.c
-2115 __ip_vs_get_out_rt ipv4/ipvs/ip_vs_xmit.c
-1924 xfrm_audit_helper_pktinfo xfrm/xfrm_state.c
-1799 ctnetlink_parse_tuple_proto netfilter/nf_conntrack_netlink.c
-1268 ctnetlink_parse_tuple_ip netfilter/nf_conntrack_netlink.c
-1093 ctnetlink_exp_dump_expect netfilter/nf_conntrack_netlink.c
-1060 void ccid3_update_send_interval dccp/ccids/ccid3.c
-983 ctnetlink_dump_tuples_proto netfilter/nf_conntrack_netlink.c
-827 ctnetlink_exp_dump_tuple netfilter/nf_conntrack_netlink.c
(i386 / gcc (GCC) 4.1.2 20070626 (Red Hat 4.1.2-13) /
allyesconfig except CONFIG_FORCED_INLINING)
...and I left < 200 byte gains as future work item.
After iterative inline removal, I finally have this:
net/netfilter/nf_conntrack_netlink.c:
ctnetlink_exp_fill_info | -1104
ctnetlink_new_expect | -1572
ctnetlink_fill_info | -1303
ctnetlink_new_conntrack | -2230
ctnetlink_get_expect | -341
ctnetlink_del_expect | -352
ctnetlink_expect_event | -1110
ctnetlink_conntrack_event | -1548
ctnetlink_del_conntrack | -729
ctnetlink_get_conntrack | -728
10 functions changed, 11017 bytes removed, diff: -11017
net/netfilter/nf_conntrack_netlink.c:
ctnetlink_parse_tuple | +419
dump_nat_seq_adj | +183
ctnetlink_dump_counters | +166
ctnetlink_dump_tuples | +261
ctnetlink_exp_dump_expect | +633
ctnetlink_change_status | +460
6 functions changed, 2122 bytes added, diff: +2122
net/netfilter/nf_conntrack_netlink.o:
16 functions changed, 2122 bytes added, 11017 bytes removed, diff: -8895
Without a number of CONFIG.*DEBUGs, I got this:
net/netfilter/nf_conntrack_netlink.o:
16 functions changed, 2122 bytes added, 11029 bytes removed, diff: -8907
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-06 08:11:31 +01:00
|
|
|
static int
|
2007-09-28 23:37:03 +02:00
|
|
|
ctnetlink_parse_tuple(struct nlattr *cda[], struct nf_conntrack_tuple *tuple,
|
2006-01-05 21:19:05 +01:00
|
|
|
enum ctattr_tuple type, u_int8_t l3num)
|
|
|
|
{
|
2007-09-28 23:37:03 +02:00
|
|
|
struct nlattr *tb[CTA_TUPLE_MAX+1];
|
2006-01-05 21:19:05 +01:00
|
|
|
int err;
|
|
|
|
|
|
|
|
memset(tuple, 0, sizeof(*tuple));
|
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
nla_parse_nested(tb, CTA_TUPLE_MAX, cda[type], NULL);
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
if (!tb[CTA_TUPLE_IP])
|
2006-01-05 21:19:05 +01:00
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
tuple->src.l3num = l3num;
|
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
err = ctnetlink_parse_tuple_ip(tb[CTA_TUPLE_IP], tuple);
|
2006-01-05 21:19:05 +01:00
|
|
|
if (err < 0)
|
|
|
|
return err;
|
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
if (!tb[CTA_TUPLE_PROTO])
|
2006-01-05 21:19:05 +01:00
|
|
|
return -EINVAL;
|
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
err = ctnetlink_parse_tuple_proto(tb[CTA_TUPLE_PROTO], tuple);
|
2006-01-05 21:19:05 +01:00
|
|
|
if (err < 0)
|
|
|
|
return err;
|
|
|
|
|
|
|
|
/* orig and expect tuples get DIR_ORIGINAL */
|
|
|
|
if (type == CTA_TUPLE_REPLY)
|
|
|
|
tuple->dst.dir = IP_CT_DIR_REPLY;
|
|
|
|
else
|
|
|
|
tuple->dst.dir = IP_CT_DIR_ORIGINAL;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline int
|
2007-09-28 23:37:03 +02:00
|
|
|
ctnetlink_parse_help(struct nlattr *attr, char **helper_name)
|
2006-01-05 21:19:05 +01:00
|
|
|
{
|
2007-09-28 23:37:03 +02:00
|
|
|
struct nlattr *tb[CTA_HELP_MAX+1];
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
nla_parse_nested(tb, CTA_HELP_MAX, attr, NULL);
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
if (!tb[CTA_HELP_NAME])
|
2006-01-05 21:19:05 +01:00
|
|
|
return -EINVAL;
|
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
*helper_name = nla_data(tb[CTA_HELP_NAME]);
|
2006-01-05 21:19:05 +01:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2007-09-28 23:39:55 +02:00
|
|
|
static const struct nla_policy ct_nla_policy[CTA_MAX+1] = {
|
|
|
|
[CTA_STATUS] = { .type = NLA_U32 },
|
|
|
|
[CTA_TIMEOUT] = { .type = NLA_U32 },
|
|
|
|
[CTA_MARK] = { .type = NLA_U32 },
|
|
|
|
[CTA_USE] = { .type = NLA_U32 },
|
|
|
|
[CTA_ID] = { .type = NLA_U32 },
|
2006-01-05 21:19:05 +01:00
|
|
|
};
|
|
|
|
|
|
|
|
static int
|
2007-02-12 20:15:49 +01:00
|
|
|
ctnetlink_del_conntrack(struct sock *ctnl, struct sk_buff *skb,
|
2007-09-28 23:37:03 +02:00
|
|
|
struct nlmsghdr *nlh, struct nlattr *cda[])
|
2006-01-05 21:19:05 +01:00
|
|
|
{
|
|
|
|
struct nf_conntrack_tuple_hash *h;
|
|
|
|
struct nf_conntrack_tuple tuple;
|
|
|
|
struct nf_conn *ct;
|
2009-06-02 20:07:39 +02:00
|
|
|
struct nfgenmsg *nfmsg = nlmsg_data(nlh);
|
2006-01-05 21:19:05 +01:00
|
|
|
u_int8_t u3 = nfmsg->nfgen_family;
|
|
|
|
int err = 0;
|
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
if (cda[CTA_TUPLE_ORIG])
|
2006-01-05 21:19:05 +01:00
|
|
|
err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, u3);
|
2007-09-28 23:37:03 +02:00
|
|
|
else if (cda[CTA_TUPLE_REPLY])
|
2006-01-05 21:19:05 +01:00
|
|
|
err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY, u3);
|
|
|
|
else {
|
|
|
|
/* Flush the whole table */
|
2009-06-02 20:08:38 +02:00
|
|
|
nf_conntrack_flush_report(&init_net,
|
|
|
|
NETLINK_CB(skb).pid,
|
|
|
|
nlmsg_report(nlh));
|
2006-01-05 21:19:05 +01:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (err < 0)
|
|
|
|
return err;
|
|
|
|
|
2008-10-08 11:35:03 +02:00
|
|
|
h = nf_conntrack_find_get(&init_net, &tuple);
|
2006-10-12 23:09:16 +02:00
|
|
|
if (!h)
|
2006-01-05 21:19:05 +01:00
|
|
|
return -ENOENT;
|
|
|
|
|
|
|
|
ct = nf_ct_tuplehash_to_ctrack(h);
|
2007-02-12 20:15:49 +01:00
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
if (cda[CTA_ID]) {
|
2007-12-18 07:29:45 +01:00
|
|
|
u_int32_t id = ntohl(nla_get_be32(cda[CTA_ID]));
|
2007-09-28 23:41:27 +02:00
|
|
|
if (id != (u32)(unsigned long)ct) {
|
2006-01-05 21:19:05 +01:00
|
|
|
nf_ct_put(ct);
|
|
|
|
return -ENOENT;
|
|
|
|
}
|
2007-02-12 20:15:49 +01:00
|
|
|
}
|
2006-01-05 21:19:05 +01:00
|
|
|
|
netfilter: conntrack: optional reliable conntrack event delivery
This patch improves ctnetlink event reliability if one broadcast
listener has set the NETLINK_BROADCAST_ERROR socket option.
The logic is the following: if an event delivery fails, we keep
the undelivered events in the missed event cache. Once the next
packet arrives, we add the new events (if any) to the missed
events in the cache and we try a new delivery, and so on. Thus,
if ctnetlink fails to deliver an event, we try to deliver them
once we see a new packet. Therefore, we may lose state
transitions but the userspace process gets in sync at some point.
At worst case, if no events were delivered to userspace, we make
sure that destroy events are successfully delivered. Basically,
if ctnetlink fails to deliver the destroy event, we remove the
conntrack entry from the hashes and we insert them in the dying
list, which contains inactive entries. Then, the conntrack timer
is added with an extra grace timeout of random32() % 15 seconds
to trigger the event again (this grace timeout is tunable via
/proc). The use of a limited random timeout value allows
distributing the "destroy" resends, thus, avoiding accumulating
lots "destroy" events at the same time. Event delivery may
re-order but we can identify them by means of the tuple plus
the conntrack ID.
The maximum number of conntrack entries (active or inactive) is
still handled by nf_conntrack_max. Thus, we may start dropping
packets at some point if we accumulate a lot of inactive conntrack
entries that did not successfully report the destroy event to
userspace.
During my stress tests consisting of setting a very small buffer
of 2048 bytes for conntrackd and the NETLINK_BROADCAST_ERROR socket
flag, and generating lots of very small connections, I noticed
very few destroy entries on the fly waiting to be resend.
A simple way to test this patch consist of creating a lot of
entries, set a very small Netlink buffer in conntrackd (+ a patch
which is not in the git tree to set the BROADCAST_ERROR flag)
and invoke `conntrack -F'.
For expectations, no changes are introduced in this patch.
Currently, event delivery is only done for new expectations (no
events from expectation expiration, removal and confirmation).
In that case, they need a per-expectation event cache to implement
the same idea that is exposed in this patch.
This patch can be useful to provide reliable flow-accouting. We
still have to add a new conntrack extension to store the creation
and destroy time.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
2009-06-13 12:30:52 +02:00
|
|
|
if (nf_conntrack_event_report(IPCT_DESTROY, ct,
|
|
|
|
NETLINK_CB(skb).pid,
|
|
|
|
nlmsg_report(nlh)) < 0) {
|
|
|
|
nf_ct_delete_from_lists(ct);
|
|
|
|
/* we failed to report the event, try later */
|
|
|
|
nf_ct_insert_dying_list(ct);
|
|
|
|
nf_ct_put(ct);
|
|
|
|
return 0;
|
|
|
|
}
|
2008-11-18 11:56:20 +01:00
|
|
|
|
|
|
|
/* death_by_timeout would report the event again */
|
|
|
|
set_bit(IPS_DYING_BIT, &ct->status);
|
|
|
|
|
2008-06-10 00:59:06 +02:00
|
|
|
nf_ct_kill(ct);
|
2006-01-05 21:19:05 +01:00
|
|
|
nf_ct_put(ct);
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
2007-02-12 20:15:49 +01:00
|
|
|
ctnetlink_get_conntrack(struct sock *ctnl, struct sk_buff *skb,
|
2007-09-28 23:37:03 +02:00
|
|
|
struct nlmsghdr *nlh, struct nlattr *cda[])
|
2006-01-05 21:19:05 +01:00
|
|
|
{
|
|
|
|
struct nf_conntrack_tuple_hash *h;
|
|
|
|
struct nf_conntrack_tuple tuple;
|
|
|
|
struct nf_conn *ct;
|
|
|
|
struct sk_buff *skb2 = NULL;
|
2009-06-02 20:07:39 +02:00
|
|
|
struct nfgenmsg *nfmsg = nlmsg_data(nlh);
|
2006-01-05 21:19:05 +01:00
|
|
|
u_int8_t u3 = nfmsg->nfgen_family;
|
|
|
|
int err = 0;
|
|
|
|
|
netfilter: accounting rework: ct_extend + 64bit counters (v4)
Initially netfilter has had 64bit counters for conntrack-based accounting, but
it was changed in 2.6.14 to save memory. Unfortunately in-kernel 64bit counters are
still required, for example for "connbytes" extension. However, 64bit counters
waste a lot of memory and it was not possible to enable/disable it runtime.
This patch:
- reimplements accounting with respect to the extension infrastructure,
- makes one global version of seq_print_acct() instead of two seq_print_counters(),
- makes it possible to enable it at boot time (for CONFIG_SYSCTL/CONFIG_SYSFS=n),
- makes it possible to enable/disable it at runtime by sysctl or sysfs,
- extends counters from 32bit to 64bit,
- renames ip_conntrack_counter -> nf_conn_counter,
- enables accounting code unconditionally (no longer depends on CONFIG_NF_CT_ACCT),
- set initial accounting enable state based on CONFIG_NF_CT_ACCT
- removes buggy IPCT_COUNTER_FILLING event handling.
If accounting is enabled newly created connections get additional acct extend.
Old connections are not changed as it is not possible to add a ct_extend area
to confirmed conntrack. Accounting is performed for all connections with
acct extend regardless of a current state of "net.netfilter.nf_conntrack_acct".
Signed-off-by: Krzysztof Piotr Oledzki <ole@ans.pl>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-07-21 19:01:34 +02:00
|
|
|
if (nlh->nlmsg_flags & NLM_F_DUMP)
|
2007-03-23 07:30:55 +01:00
|
|
|
return netlink_dump_start(ctnl, skb, nlh, ctnetlink_dump_table,
|
|
|
|
ctnetlink_done);
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
if (cda[CTA_TUPLE_ORIG])
|
2006-01-05 21:19:05 +01:00
|
|
|
err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_ORIG, u3);
|
2007-09-28 23:37:03 +02:00
|
|
|
else if (cda[CTA_TUPLE_REPLY])
|
2006-01-05 21:19:05 +01:00
|
|
|
err = ctnetlink_parse_tuple(cda, &tuple, CTA_TUPLE_REPLY, u3);
|
|
|
|
else
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if (err < 0)
|
|
|
|
return err;
|
|
|
|
|
2008-10-08 11:35:03 +02:00
|
|
|
h = nf_conntrack_find_get(&init_net, &tuple);
|
2006-10-12 23:09:16 +02:00
|
|
|
if (!h)
|
2006-01-05 21:19:05 +01:00
|
|
|
return -ENOENT;
|
2006-10-12 23:09:16 +02:00
|
|
|
|
2006-01-05 21:19:05 +01:00
|
|
|
ct = nf_ct_tuplehash_to_ctrack(h);
|
|
|
|
|
|
|
|
err = -ENOMEM;
|
2009-06-02 20:07:39 +02:00
|
|
|
skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
|
|
|
|
if (skb2 == NULL) {
|
2006-01-05 21:19:05 +01:00
|
|
|
nf_ct_put(ct);
|
|
|
|
return -ENOMEM;
|
|
|
|
}
|
|
|
|
|
2008-11-17 16:00:40 +01:00
|
|
|
rcu_read_lock();
|
2007-02-12 20:15:49 +01:00
|
|
|
err = ctnetlink_fill_info(skb2, NETLINK_CB(skb).pid, nlh->nlmsg_seq,
|
2009-06-02 20:03:34 +02:00
|
|
|
IPCTNL_MSG_CT_NEW, ct);
|
2008-11-17 16:00:40 +01:00
|
|
|
rcu_read_unlock();
|
2006-01-05 21:19:05 +01:00
|
|
|
nf_ct_put(ct);
|
|
|
|
if (err <= 0)
|
|
|
|
goto free;
|
|
|
|
|
|
|
|
err = netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT);
|
|
|
|
if (err < 0)
|
|
|
|
goto out;
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
free:
|
|
|
|
kfree_skb(skb2);
|
|
|
|
out:
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
2008-10-20 12:34:27 +02:00
|
|
|
#ifdef CONFIG_NF_NAT_NEEDED
|
2008-10-14 20:58:31 +02:00
|
|
|
static int
|
|
|
|
ctnetlink_parse_nat_setup(struct nf_conn *ct,
|
|
|
|
enum nf_nat_manip_type manip,
|
|
|
|
struct nlattr *attr)
|
|
|
|
{
|
|
|
|
typeof(nfnetlink_parse_nat_setup_hook) parse_nat_setup;
|
|
|
|
|
|
|
|
parse_nat_setup = rcu_dereference(nfnetlink_parse_nat_setup_hook);
|
|
|
|
if (!parse_nat_setup) {
|
2008-10-17 00:24:51 +02:00
|
|
|
#ifdef CONFIG_MODULES
|
2008-10-14 20:58:31 +02:00
|
|
|
rcu_read_unlock();
|
2009-01-21 21:19:49 +01:00
|
|
|
spin_unlock_bh(&nf_conntrack_lock);
|
2008-10-14 20:58:31 +02:00
|
|
|
nfnl_unlock();
|
|
|
|
if (request_module("nf-nat-ipv4") < 0) {
|
|
|
|
nfnl_lock();
|
2009-01-21 21:19:49 +01:00
|
|
|
spin_lock_bh(&nf_conntrack_lock);
|
2008-10-14 20:58:31 +02:00
|
|
|
rcu_read_lock();
|
|
|
|
return -EOPNOTSUPP;
|
|
|
|
}
|
|
|
|
nfnl_lock();
|
2009-01-21 21:19:49 +01:00
|
|
|
spin_lock_bh(&nf_conntrack_lock);
|
2008-10-14 20:58:31 +02:00
|
|
|
rcu_read_lock();
|
|
|
|
if (nfnetlink_parse_nat_setup_hook)
|
|
|
|
return -EAGAIN;
|
|
|
|
#endif
|
|
|
|
return -EOPNOTSUPP;
|
|
|
|
}
|
|
|
|
|
|
|
|
return parse_nat_setup(ct, manip, attr);
|
|
|
|
}
|
2008-10-20 12:34:27 +02:00
|
|
|
#endif
|
2008-10-14 20:58:31 +02:00
|
|
|
|
[NETFILTER]: Kill some supper dupper bloatry
/me awards the bloatiest-of-all-net/-.c-code award to
nf_conntrack_netlink.c, congratulations to all the authors :-/!
Hall of (unquestionable) fame (measured per inline, top 10 under
net/):
-4496 ctnetlink_parse_tuple netfilter/nf_conntrack_netlink.c
-2165 ctnetlink_dump_tuples netfilter/nf_conntrack_netlink.c
-2115 __ip_vs_get_out_rt ipv4/ipvs/ip_vs_xmit.c
-1924 xfrm_audit_helper_pktinfo xfrm/xfrm_state.c
-1799 ctnetlink_parse_tuple_proto netfilter/nf_conntrack_netlink.c
-1268 ctnetlink_parse_tuple_ip netfilter/nf_conntrack_netlink.c
-1093 ctnetlink_exp_dump_expect netfilter/nf_conntrack_netlink.c
-1060 void ccid3_update_send_interval dccp/ccids/ccid3.c
-983 ctnetlink_dump_tuples_proto netfilter/nf_conntrack_netlink.c
-827 ctnetlink_exp_dump_tuple netfilter/nf_conntrack_netlink.c
(i386 / gcc (GCC) 4.1.2 20070626 (Red Hat 4.1.2-13) /
allyesconfig except CONFIG_FORCED_INLINING)
...and I left < 200 byte gains as future work item.
After iterative inline removal, I finally have this:
net/netfilter/nf_conntrack_netlink.c:
ctnetlink_exp_fill_info | -1104
ctnetlink_new_expect | -1572
ctnetlink_fill_info | -1303
ctnetlink_new_conntrack | -2230
ctnetlink_get_expect | -341
ctnetlink_del_expect | -352
ctnetlink_expect_event | -1110
ctnetlink_conntrack_event | -1548
ctnetlink_del_conntrack | -729
ctnetlink_get_conntrack | -728
10 functions changed, 11017 bytes removed, diff: -11017
net/netfilter/nf_conntrack_netlink.c:
ctnetlink_parse_tuple | +419
dump_nat_seq_adj | +183
ctnetlink_dump_counters | +166
ctnetlink_dump_tuples | +261
ctnetlink_exp_dump_expect | +633
ctnetlink_change_status | +460
6 functions changed, 2122 bytes added, diff: +2122
net/netfilter/nf_conntrack_netlink.o:
16 functions changed, 2122 bytes added, 11017 bytes removed, diff: -8895
Without a number of CONFIG.*DEBUGs, I got this:
net/netfilter/nf_conntrack_netlink.o:
16 functions changed, 2122 bytes added, 11029 bytes removed, diff: -8907
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-06 08:11:31 +01:00
|
|
|
static int
|
2007-09-28 23:37:03 +02:00
|
|
|
ctnetlink_change_status(struct nf_conn *ct, struct nlattr *cda[])
|
2006-01-05 21:19:05 +01:00
|
|
|
{
|
|
|
|
unsigned long d;
|
2007-12-18 07:29:45 +01:00
|
|
|
unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS]));
|
2006-01-05 21:19:05 +01:00
|
|
|
d = ct->status ^ status;
|
|
|
|
|
|
|
|
if (d & (IPS_EXPECTED|IPS_CONFIRMED|IPS_DYING))
|
|
|
|
/* unchangeable */
|
2008-06-10 00:56:20 +02:00
|
|
|
return -EBUSY;
|
2007-02-12 20:15:49 +01:00
|
|
|
|
2006-01-05 21:19:05 +01:00
|
|
|
if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY))
|
|
|
|
/* SEEN_REPLY bit can only be set */
|
2008-06-10 00:56:20 +02:00
|
|
|
return -EBUSY;
|
2007-02-12 20:15:49 +01:00
|
|
|
|
2006-01-05 21:19:05 +01:00
|
|
|
if (d & IPS_ASSURED && !(status & IPS_ASSURED))
|
|
|
|
/* ASSURED bit can only be set */
|
2008-06-10 00:56:20 +02:00
|
|
|
return -EBUSY;
|
2006-01-05 21:19:05 +01:00
|
|
|
|
|
|
|
/* Be careful here, modifying NAT bits can screw up things,
|
|
|
|
* so don't let users modify them directly if they don't pass
|
2006-12-03 07:07:13 +01:00
|
|
|
* nf_nat_range. */
|
2006-01-05 21:19:05 +01:00
|
|
|
ct->status |= status & ~(IPS_NAT_DONE_MASK | IPS_NAT_MASK);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2008-10-14 20:58:31 +02:00
|
|
|
static int
|
|
|
|
ctnetlink_change_nat(struct nf_conn *ct, struct nlattr *cda[])
|
|
|
|
{
|
|
|
|
#ifdef CONFIG_NF_NAT_NEEDED
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
if (cda[CTA_NAT_DST]) {
|
|
|
|
ret = ctnetlink_parse_nat_setup(ct,
|
|
|
|
IP_NAT_MANIP_DST,
|
|
|
|
cda[CTA_NAT_DST]);
|
|
|
|
if (ret < 0)
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
if (cda[CTA_NAT_SRC]) {
|
|
|
|
ret = ctnetlink_parse_nat_setup(ct,
|
|
|
|
IP_NAT_MANIP_SRC,
|
|
|
|
cda[CTA_NAT_SRC]);
|
|
|
|
if (ret < 0)
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
return 0;
|
|
|
|
#else
|
|
|
|
return -EOPNOTSUPP;
|
|
|
|
#endif
|
|
|
|
}
|
2006-01-05 21:19:05 +01:00
|
|
|
|
|
|
|
static inline int
|
2007-09-28 23:37:03 +02:00
|
|
|
ctnetlink_change_helper(struct nf_conn *ct, struct nlattr *cda[])
|
2006-01-05 21:19:05 +01:00
|
|
|
{
|
|
|
|
struct nf_conntrack_helper *helper;
|
2006-03-21 02:56:32 +01:00
|
|
|
struct nf_conn_help *help = nfct_help(ct);
|
2009-04-22 11:26:37 +02:00
|
|
|
char *helpname = NULL;
|
2006-01-05 21:19:05 +01:00
|
|
|
int err;
|
|
|
|
|
|
|
|
/* don't change helper of sibling connections */
|
|
|
|
if (ct->master)
|
2008-06-10 00:56:20 +02:00
|
|
|
return -EBUSY;
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
err = ctnetlink_parse_help(cda[CTA_HELP], &helpname);
|
2006-01-05 21:19:05 +01:00
|
|
|
if (err < 0)
|
|
|
|
return err;
|
|
|
|
|
2007-05-10 23:15:58 +02:00
|
|
|
if (!strcmp(helpname, "")) {
|
|
|
|
if (help && help->helper) {
|
2006-01-05 21:19:05 +01:00
|
|
|
/* we had a helper before ... */
|
|
|
|
nf_ct_remove_expectations(ct);
|
2007-06-05 21:55:27 +02:00
|
|
|
rcu_assign_pointer(help->helper, NULL);
|
2006-01-05 21:19:05 +01:00
|
|
|
}
|
2007-05-10 23:15:58 +02:00
|
|
|
|
|
|
|
return 0;
|
2006-01-05 21:19:05 +01:00
|
|
|
}
|
2007-02-12 20:15:49 +01:00
|
|
|
|
2007-05-10 23:15:58 +02:00
|
|
|
helper = __nf_conntrack_helper_find_byname(helpname);
|
2008-11-18 11:54:05 +01:00
|
|
|
if (helper == NULL) {
|
|
|
|
#ifdef CONFIG_MODULES
|
|
|
|
spin_unlock_bh(&nf_conntrack_lock);
|
|
|
|
|
|
|
|
if (request_module("nfct-helper-%s", helpname) < 0) {
|
|
|
|
spin_lock_bh(&nf_conntrack_lock);
|
|
|
|
return -EOPNOTSUPP;
|
|
|
|
}
|
|
|
|
|
|
|
|
spin_lock_bh(&nf_conntrack_lock);
|
|
|
|
helper = __nf_conntrack_helper_find_byname(helpname);
|
|
|
|
if (helper)
|
|
|
|
return -EAGAIN;
|
|
|
|
#endif
|
2008-06-10 00:56:20 +02:00
|
|
|
return -EOPNOTSUPP;
|
2008-11-18 11:54:05 +01:00
|
|
|
}
|
2007-05-10 23:15:58 +02:00
|
|
|
|
2007-07-08 07:23:42 +02:00
|
|
|
if (help) {
|
|
|
|
if (help->helper == helper)
|
|
|
|
return 0;
|
|
|
|
if (help->helper)
|
|
|
|
return -EBUSY;
|
|
|
|
/* need to zero data of old helper */
|
|
|
|
memset(&help->help, 0, sizeof(help->help));
|
|
|
|
} else {
|
2008-08-19 06:31:46 +02:00
|
|
|
help = nf_ct_helper_ext_add(ct, GFP_ATOMIC);
|
2007-07-08 07:23:42 +02:00
|
|
|
if (help == NULL)
|
|
|
|
return -ENOMEM;
|
|
|
|
}
|
2007-05-10 23:15:58 +02:00
|
|
|
|
2007-06-05 21:55:27 +02:00
|
|
|
rcu_assign_pointer(help->helper, helper);
|
2006-01-05 21:19:05 +01:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline int
|
2007-09-28 23:37:03 +02:00
|
|
|
ctnetlink_change_timeout(struct nf_conn *ct, struct nlattr *cda[])
|
2006-01-05 21:19:05 +01:00
|
|
|
{
|
2007-12-18 07:29:45 +01:00
|
|
|
u_int32_t timeout = ntohl(nla_get_be32(cda[CTA_TIMEOUT]));
|
2007-02-12 20:15:49 +01:00
|
|
|
|
2006-01-05 21:19:05 +01:00
|
|
|
if (!del_timer(&ct->timeout))
|
|
|
|
return -ETIME;
|
|
|
|
|
|
|
|
ct->timeout.expires = jiffies + timeout * HZ;
|
|
|
|
add_timer(&ct->timeout);
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static inline int
|
2007-09-28 23:37:03 +02:00
|
|
|
ctnetlink_change_protoinfo(struct nf_conn *ct, struct nlattr *cda[])
|
2006-01-05 21:19:05 +01:00
|
|
|
{
|
2007-09-28 23:37:03 +02:00
|
|
|
struct nlattr *tb[CTA_PROTOINFO_MAX+1], *attr = cda[CTA_PROTOINFO];
|
2006-11-29 02:35:06 +01:00
|
|
|
struct nf_conntrack_l4proto *l4proto;
|
2006-01-05 21:19:05 +01:00
|
|
|
int err = 0;
|
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
nla_parse_nested(tb, CTA_PROTOINFO_MAX, attr, NULL);
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2009-03-18 17:28:37 +01:00
|
|
|
rcu_read_lock();
|
|
|
|
l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
|
2007-09-28 23:37:41 +02:00
|
|
|
if (l4proto->from_nlattr)
|
|
|
|
err = l4proto->from_nlattr(tb, ct);
|
2009-03-18 17:28:37 +01:00
|
|
|
rcu_read_unlock();
|
2006-01-05 21:19:05 +01:00
|
|
|
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
2007-12-18 07:28:00 +01:00
|
|
|
#ifdef CONFIG_NF_NAT_NEEDED
|
|
|
|
static inline int
|
|
|
|
change_nat_seq_adj(struct nf_nat_seq *natseq, struct nlattr *attr)
|
|
|
|
{
|
|
|
|
struct nlattr *cda[CTA_NAT_SEQ_MAX+1];
|
|
|
|
|
|
|
|
nla_parse_nested(cda, CTA_NAT_SEQ_MAX, attr, NULL);
|
|
|
|
|
|
|
|
if (!cda[CTA_NAT_SEQ_CORRECTION_POS])
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
natseq->correction_pos =
|
2007-12-18 07:29:45 +01:00
|
|
|
ntohl(nla_get_be32(cda[CTA_NAT_SEQ_CORRECTION_POS]));
|
2007-12-18 07:28:00 +01:00
|
|
|
|
|
|
|
if (!cda[CTA_NAT_SEQ_OFFSET_BEFORE])
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
natseq->offset_before =
|
2007-12-18 07:29:45 +01:00
|
|
|
ntohl(nla_get_be32(cda[CTA_NAT_SEQ_OFFSET_BEFORE]));
|
2007-12-18 07:28:00 +01:00
|
|
|
|
|
|
|
if (!cda[CTA_NAT_SEQ_OFFSET_AFTER])
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
natseq->offset_after =
|
2007-12-18 07:29:45 +01:00
|
|
|
ntohl(nla_get_be32(cda[CTA_NAT_SEQ_OFFSET_AFTER]));
|
2007-12-18 07:28:00 +01:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
|
|
|
ctnetlink_change_nat_seq_adj(struct nf_conn *ct, struct nlattr *cda[])
|
|
|
|
{
|
|
|
|
int ret = 0;
|
|
|
|
struct nf_conn_nat *nat = nfct_nat(ct);
|
|
|
|
|
|
|
|
if (!nat)
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
if (cda[CTA_NAT_SEQ_ADJ_ORIG]) {
|
|
|
|
ret = change_nat_seq_adj(&nat->seq[IP_CT_DIR_ORIGINAL],
|
|
|
|
cda[CTA_NAT_SEQ_ADJ_ORIG]);
|
|
|
|
if (ret < 0)
|
|
|
|
return ret;
|
|
|
|
|
|
|
|
ct->status |= IPS_SEQ_ADJUST;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (cda[CTA_NAT_SEQ_ADJ_REPLY]) {
|
|
|
|
ret = change_nat_seq_adj(&nat->seq[IP_CT_DIR_REPLY],
|
|
|
|
cda[CTA_NAT_SEQ_ADJ_REPLY]);
|
|
|
|
if (ret < 0)
|
|
|
|
return ret;
|
|
|
|
|
|
|
|
ct->status |= IPS_SEQ_ADJUST;
|
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2006-01-05 21:19:05 +01:00
|
|
|
static int
|
2007-09-28 23:37:03 +02:00
|
|
|
ctnetlink_change_conntrack(struct nf_conn *ct, struct nlattr *cda[])
|
2006-01-05 21:19:05 +01:00
|
|
|
{
|
|
|
|
int err;
|
|
|
|
|
2009-03-16 15:27:22 +01:00
|
|
|
/* only allow NAT changes and master assignation for new conntracks */
|
|
|
|
if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST] || cda[CTA_TUPLE_MASTER])
|
|
|
|
return -EOPNOTSUPP;
|
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
if (cda[CTA_HELP]) {
|
2006-01-05 21:19:05 +01:00
|
|
|
err = ctnetlink_change_helper(ct, cda);
|
|
|
|
if (err < 0)
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
if (cda[CTA_TIMEOUT]) {
|
2006-01-05 21:19:05 +01:00
|
|
|
err = ctnetlink_change_timeout(ct, cda);
|
|
|
|
if (err < 0)
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
if (cda[CTA_STATUS]) {
|
2006-01-05 21:19:05 +01:00
|
|
|
err = ctnetlink_change_status(ct, cda);
|
|
|
|
if (err < 0)
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
if (cda[CTA_PROTOINFO]) {
|
2006-01-05 21:19:05 +01:00
|
|
|
err = ctnetlink_change_protoinfo(ct, cda);
|
|
|
|
if (err < 0)
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
2006-04-01 12:23:21 +02:00
|
|
|
#if defined(CONFIG_NF_CONNTRACK_MARK)
|
2007-09-28 23:37:03 +02:00
|
|
|
if (cda[CTA_MARK])
|
2007-12-18 07:29:45 +01:00
|
|
|
ct->mark = ntohl(nla_get_be32(cda[CTA_MARK]));
|
2006-01-05 21:19:05 +01:00
|
|
|
#endif
|
|
|
|
|
2007-12-18 07:28:00 +01:00
|
|
|
#ifdef CONFIG_NF_NAT_NEEDED
|
|
|
|
if (cda[CTA_NAT_SEQ_ADJ_ORIG] || cda[CTA_NAT_SEQ_ADJ_REPLY]) {
|
|
|
|
err = ctnetlink_change_nat_seq_adj(ct, cda);
|
|
|
|
if (err < 0)
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2006-01-05 21:19:05 +01:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2009-03-16 15:28:09 +01:00
|
|
|
static struct nf_conn *
|
2007-09-28 23:37:03 +02:00
|
|
|
ctnetlink_create_conntrack(struct nlattr *cda[],
|
2006-01-05 21:19:05 +01:00
|
|
|
struct nf_conntrack_tuple *otuple,
|
2007-09-28 23:43:53 +02:00
|
|
|
struct nf_conntrack_tuple *rtuple,
|
2009-03-16 15:25:46 +01:00
|
|
|
u8 u3)
|
2006-01-05 21:19:05 +01:00
|
|
|
{
|
|
|
|
struct nf_conn *ct;
|
|
|
|
int err = -EINVAL;
|
2007-07-08 07:23:42 +02:00
|
|
|
struct nf_conntrack_helper *helper;
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2008-11-25 00:56:17 +01:00
|
|
|
ct = nf_conntrack_alloc(&init_net, otuple, rtuple, GFP_ATOMIC);
|
netfilter 07/09: simplify nf_conntrack_alloc() error handling
nf_conntrack_alloc cannot return NULL, so there is no need to check for
NULL before using the value. I have also removed the initialization of ct
to NULL in nf_conntrack_alloc, since the value is never used, and since
perhaps it might lead one to think that return ct at the end might return
NULL.
The semantic patch that finds this problem is as follows:
(http://www.emn.fr/x-info/coccinelle/)
// <smpl>
@match exists@
expression x, E;
position p1,p2;
statement S1, S2;
@@
x@p1 = nf_conntrack_alloc(...)
... when != x = E
(
if (x@p2 == NULL || ...) S1 else S2
|
if (x@p2 == NULL && ...) S1 else S2
)
@other_match exists@
expression match.x, E1, E2;
position p1!=match.p1,match.p2;
@@
x@p1 = E1
... when != x = E2
x@p2
@ script:python depends on !other_match@
p1 << match.p1;
p2 << match.p2;
@@
print "%s: call to nf_conntrack_alloc %s bad test %s" % (p1[0].file,p1[0].line,p2[0].line)
// </smpl>
Signed-off-by: Julia Lawall <julia@diku.dk>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2009-01-12 01:06:08 +01:00
|
|
|
if (IS_ERR(ct))
|
2009-03-16 15:28:09 +01:00
|
|
|
return ERR_PTR(-ENOMEM);
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
if (!cda[CTA_TIMEOUT])
|
2009-03-18 17:36:40 +01:00
|
|
|
goto err1;
|
2007-12-18 07:29:45 +01:00
|
|
|
ct->timeout.expires = ntohl(nla_get_be32(cda[CTA_TIMEOUT]));
|
2006-01-05 21:19:05 +01:00
|
|
|
|
|
|
|
ct->timeout.expires = jiffies + ct->timeout.expires * HZ;
|
|
|
|
ct->status |= IPS_CONFIRMED;
|
|
|
|
|
2008-08-19 06:30:55 +02:00
|
|
|
rcu_read_lock();
|
2008-11-18 11:54:05 +01:00
|
|
|
if (cda[CTA_HELP]) {
|
2009-04-22 11:26:37 +02:00
|
|
|
char *helpname = NULL;
|
2008-11-18 11:54:05 +01:00
|
|
|
|
|
|
|
err = ctnetlink_parse_help(cda[CTA_HELP], &helpname);
|
2009-03-18 17:36:40 +01:00
|
|
|
if (err < 0)
|
|
|
|
goto err2;
|
2008-11-18 11:54:05 +01:00
|
|
|
|
|
|
|
helper = __nf_conntrack_helper_find_byname(helpname);
|
|
|
|
if (helper == NULL) {
|
|
|
|
rcu_read_unlock();
|
|
|
|
#ifdef CONFIG_MODULES
|
|
|
|
if (request_module("nfct-helper-%s", helpname) < 0) {
|
|
|
|
err = -EOPNOTSUPP;
|
2009-03-18 17:36:40 +01:00
|
|
|
goto err1;
|
2008-11-18 11:54:05 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
rcu_read_lock();
|
|
|
|
helper = __nf_conntrack_helper_find_byname(helpname);
|
|
|
|
if (helper) {
|
|
|
|
err = -EAGAIN;
|
2009-03-18 17:36:40 +01:00
|
|
|
goto err2;
|
2008-11-18 11:54:05 +01:00
|
|
|
}
|
|
|
|
rcu_read_unlock();
|
|
|
|
#endif
|
|
|
|
err = -EOPNOTSUPP;
|
2009-03-18 17:36:40 +01:00
|
|
|
goto err1;
|
2008-11-18 11:54:05 +01:00
|
|
|
} else {
|
|
|
|
struct nf_conn_help *help;
|
|
|
|
|
|
|
|
help = nf_ct_helper_ext_add(ct, GFP_ATOMIC);
|
|
|
|
if (help == NULL) {
|
|
|
|
err = -ENOMEM;
|
2009-03-18 17:36:40 +01:00
|
|
|
goto err2;
|
2008-11-18 11:54:05 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
/* not in hash table yet so not strictly necessary */
|
|
|
|
rcu_assign_pointer(help->helper, helper);
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
/* try an implicit helper assignation */
|
|
|
|
err = __nf_ct_try_assign_helper(ct, GFP_ATOMIC);
|
2009-03-18 17:36:40 +01:00
|
|
|
if (err < 0)
|
|
|
|
goto err2;
|
2008-08-19 06:30:55 +02:00
|
|
|
}
|
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
if (cda[CTA_STATUS]) {
|
2006-11-29 02:35:31 +01:00
|
|
|
err = ctnetlink_change_status(ct, cda);
|
2009-03-18 17:36:40 +01:00
|
|
|
if (err < 0)
|
|
|
|
goto err2;
|
2008-10-14 20:58:31 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
if (cda[CTA_NAT_SRC] || cda[CTA_NAT_DST]) {
|
|
|
|
err = ctnetlink_change_nat(ct, cda);
|
2009-03-18 17:36:40 +01:00
|
|
|
if (err < 0)
|
|
|
|
goto err2;
|
2006-11-29 02:35:31 +01:00
|
|
|
}
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2009-02-09 23:33:57 +01:00
|
|
|
#ifdef CONFIG_NF_NAT_NEEDED
|
|
|
|
if (cda[CTA_NAT_SEQ_ADJ_ORIG] || cda[CTA_NAT_SEQ_ADJ_REPLY]) {
|
|
|
|
err = ctnetlink_change_nat_seq_adj(ct, cda);
|
2009-03-18 17:36:40 +01:00
|
|
|
if (err < 0)
|
|
|
|
goto err2;
|
2009-02-09 23:33:57 +01:00
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
if (cda[CTA_PROTOINFO]) {
|
2006-01-05 21:19:05 +01:00
|
|
|
err = ctnetlink_change_protoinfo(ct, cda);
|
2009-03-18 17:36:40 +01:00
|
|
|
if (err < 0)
|
|
|
|
goto err2;
|
2006-01-05 21:19:05 +01:00
|
|
|
}
|
|
|
|
|
2008-11-26 12:57:44 +01:00
|
|
|
nf_ct_acct_ext_add(ct, GFP_ATOMIC);
|
2009-06-13 12:26:29 +02:00
|
|
|
nf_ct_ecache_ext_add(ct, GFP_ATOMIC);
|
netfilter: accounting rework: ct_extend + 64bit counters (v4)
Initially netfilter has had 64bit counters for conntrack-based accounting, but
it was changed in 2.6.14 to save memory. Unfortunately in-kernel 64bit counters are
still required, for example for "connbytes" extension. However, 64bit counters
waste a lot of memory and it was not possible to enable/disable it runtime.
This patch:
- reimplements accounting with respect to the extension infrastructure,
- makes one global version of seq_print_acct() instead of two seq_print_counters(),
- makes it possible to enable it at boot time (for CONFIG_SYSCTL/CONFIG_SYSFS=n),
- makes it possible to enable/disable it at runtime by sysctl or sysfs,
- extends counters from 32bit to 64bit,
- renames ip_conntrack_counter -> nf_conn_counter,
- enables accounting code unconditionally (no longer depends on CONFIG_NF_CT_ACCT),
- set initial accounting enable state based on CONFIG_NF_CT_ACCT
- removes buggy IPCT_COUNTER_FILLING event handling.
If accounting is enabled newly created connections get additional acct extend.
Old connections are not changed as it is not possible to add a ct_extend area
to confirmed conntrack. Accounting is performed for all connections with
acct extend regardless of a current state of "net.netfilter.nf_conntrack_acct".
Signed-off-by: Krzysztof Piotr Oledzki <ole@ans.pl>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-07-21 19:01:34 +02:00
|
|
|
|
2006-04-01 12:23:21 +02:00
|
|
|
#if defined(CONFIG_NF_CONNTRACK_MARK)
|
2007-09-28 23:37:03 +02:00
|
|
|
if (cda[CTA_MARK])
|
2007-12-18 07:29:45 +01:00
|
|
|
ct->mark = ntohl(nla_get_be32(cda[CTA_MARK]));
|
2006-01-05 21:19:05 +01:00
|
|
|
#endif
|
|
|
|
|
2007-09-28 23:43:53 +02:00
|
|
|
/* setup master conntrack: this is a confirmed expectation */
|
2009-03-16 15:25:46 +01:00
|
|
|
if (cda[CTA_TUPLE_MASTER]) {
|
|
|
|
struct nf_conntrack_tuple master;
|
|
|
|
struct nf_conntrack_tuple_hash *master_h;
|
|
|
|
struct nf_conn *master_ct;
|
|
|
|
|
|
|
|
err = ctnetlink_parse_tuple(cda, &master, CTA_TUPLE_MASTER, u3);
|
|
|
|
if (err < 0)
|
2009-03-18 17:36:40 +01:00
|
|
|
goto err2;
|
2009-03-16 15:25:46 +01:00
|
|
|
|
2009-03-25 21:05:46 +01:00
|
|
|
master_h = nf_conntrack_find_get(&init_net, &master);
|
2009-03-16 15:25:46 +01:00
|
|
|
if (master_h == NULL) {
|
|
|
|
err = -ENOENT;
|
2009-03-18 17:36:40 +01:00
|
|
|
goto err2;
|
2009-03-16 15:25:46 +01:00
|
|
|
}
|
|
|
|
master_ct = nf_ct_tuplehash_to_ctrack(master_h);
|
2007-12-12 19:34:29 +01:00
|
|
|
__set_bit(IPS_EXPECTED_BIT, &ct->status);
|
2007-09-28 23:43:53 +02:00
|
|
|
ct->master = master_ct;
|
2007-12-12 19:34:29 +01:00
|
|
|
}
|
2007-09-28 23:43:53 +02:00
|
|
|
|
2006-01-05 21:19:05 +01:00
|
|
|
add_timer(&ct->timeout);
|
|
|
|
nf_conntrack_hash_insert(ct);
|
2008-01-31 13:36:54 +01:00
|
|
|
rcu_read_unlock();
|
2006-11-27 19:25:32 +01:00
|
|
|
|
2009-03-16 15:28:09 +01:00
|
|
|
return ct;
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2009-03-18 17:36:40 +01:00
|
|
|
err2:
|
|
|
|
rcu_read_unlock();
|
|
|
|
err1:
|
2006-01-05 21:19:05 +01:00
|
|
|
nf_conntrack_free(ct);
|
2009-03-16 15:28:09 +01:00
|
|
|
return ERR_PTR(err);
|
2006-01-05 21:19:05 +01:00
|
|
|
}
|
|
|
|
|
2007-02-12 20:15:49 +01:00
|
|
|
static int
|
|
|
|
ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
|
2007-09-28 23:37:03 +02:00
|
|
|
struct nlmsghdr *nlh, struct nlattr *cda[])
|
2006-01-05 21:19:05 +01:00
|
|
|
{
|
|
|
|
struct nf_conntrack_tuple otuple, rtuple;
|
|
|
|
struct nf_conntrack_tuple_hash *h = NULL;
|
2009-06-02 20:07:39 +02:00
|
|
|
struct nfgenmsg *nfmsg = nlmsg_data(nlh);
|
2006-01-05 21:19:05 +01:00
|
|
|
u_int8_t u3 = nfmsg->nfgen_family;
|
|
|
|
int err = 0;
|
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
if (cda[CTA_TUPLE_ORIG]) {
|
2006-01-05 21:19:05 +01:00
|
|
|
err = ctnetlink_parse_tuple(cda, &otuple, CTA_TUPLE_ORIG, u3);
|
|
|
|
if (err < 0)
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
if (cda[CTA_TUPLE_REPLY]) {
|
2006-01-05 21:19:05 +01:00
|
|
|
err = ctnetlink_parse_tuple(cda, &rtuple, CTA_TUPLE_REPLY, u3);
|
|
|
|
if (err < 0)
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
2008-01-31 13:38:58 +01:00
|
|
|
spin_lock_bh(&nf_conntrack_lock);
|
2007-09-28 23:37:03 +02:00
|
|
|
if (cda[CTA_TUPLE_ORIG])
|
2008-10-08 11:35:03 +02:00
|
|
|
h = __nf_conntrack_find(&init_net, &otuple);
|
2007-09-28 23:37:03 +02:00
|
|
|
else if (cda[CTA_TUPLE_REPLY])
|
2008-10-08 11:35:03 +02:00
|
|
|
h = __nf_conntrack_find(&init_net, &rtuple);
|
2006-01-05 21:19:05 +01:00
|
|
|
|
|
|
|
if (h == NULL) {
|
|
|
|
err = -ENOENT;
|
2009-03-16 15:28:09 +01:00
|
|
|
if (nlh->nlmsg_flags & NLM_F_CREATE) {
|
|
|
|
struct nf_conn *ct;
|
2009-05-05 17:48:26 +02:00
|
|
|
enum ip_conntrack_events events;
|
2007-09-28 23:43:53 +02:00
|
|
|
|
2009-03-16 15:28:09 +01:00
|
|
|
ct = ctnetlink_create_conntrack(cda, &otuple,
|
|
|
|
&rtuple, u3);
|
|
|
|
if (IS_ERR(ct)) {
|
|
|
|
err = PTR_ERR(ct);
|
2007-09-28 23:43:53 +02:00
|
|
|
goto out_unlock;
|
|
|
|
}
|
2009-03-16 15:28:09 +01:00
|
|
|
err = 0;
|
|
|
|
nf_conntrack_get(&ct->ct_general);
|
|
|
|
spin_unlock_bh(&nf_conntrack_lock);
|
2009-05-05 17:48:26 +02:00
|
|
|
if (test_bit(IPS_EXPECTED_BIT, &ct->status))
|
|
|
|
events = IPCT_RELATED;
|
|
|
|
else
|
|
|
|
events = IPCT_NEW;
|
|
|
|
|
2009-06-13 12:26:29 +02:00
|
|
|
nf_conntrack_eventmask_report((1 << IPCT_STATUS) |
|
|
|
|
(1 << IPCT_HELPER) |
|
|
|
|
(1 << IPCT_PROTOINFO) |
|
|
|
|
(1 << IPCT_NATSEQADJ) |
|
|
|
|
(1 << IPCT_MARK) | events,
|
|
|
|
ct, NETLINK_CB(skb).pid,
|
|
|
|
nlmsg_report(nlh));
|
2009-03-16 15:28:09 +01:00
|
|
|
nf_ct_put(ct);
|
|
|
|
} else
|
|
|
|
spin_unlock_bh(&nf_conntrack_lock);
|
2007-09-28 23:43:53 +02:00
|
|
|
|
2006-01-05 21:19:05 +01:00
|
|
|
return err;
|
|
|
|
}
|
|
|
|
/* implicit 'else' */
|
|
|
|
|
|
|
|
/* We manipulate the conntrack inside the global conntrack table lock,
|
|
|
|
* so there's no need to increase the refcount */
|
|
|
|
err = -EEXIST;
|
2007-08-08 03:11:26 +02:00
|
|
|
if (!(nlh->nlmsg_flags & NLM_F_EXCL)) {
|
2008-11-18 11:56:20 +01:00
|
|
|
struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(h);
|
|
|
|
|
|
|
|
err = ctnetlink_change_conntrack(ct, cda);
|
|
|
|
if (err == 0) {
|
|
|
|
nf_conntrack_get(&ct->ct_general);
|
|
|
|
spin_unlock_bh(&nf_conntrack_lock);
|
2009-06-13 12:26:29 +02:00
|
|
|
nf_conntrack_eventmask_report((1 << IPCT_STATUS) |
|
|
|
|
(1 << IPCT_HELPER) |
|
|
|
|
(1 << IPCT_PROTOINFO) |
|
|
|
|
(1 << IPCT_NATSEQADJ) |
|
|
|
|
(1 << IPCT_MARK),
|
|
|
|
ct, NETLINK_CB(skb).pid,
|
|
|
|
nlmsg_report(nlh));
|
2008-11-18 11:56:20 +01:00
|
|
|
nf_ct_put(ct);
|
|
|
|
} else
|
|
|
|
spin_unlock_bh(&nf_conntrack_lock);
|
|
|
|
|
|
|
|
return err;
|
2007-08-08 03:11:26 +02:00
|
|
|
}
|
2006-01-05 21:19:05 +01:00
|
|
|
|
|
|
|
out_unlock:
|
2008-01-31 13:38:58 +01:00
|
|
|
spin_unlock_bh(&nf_conntrack_lock);
|
2006-01-05 21:19:05 +01:00
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
2007-02-12 20:15:49 +01:00
|
|
|
/***********************************************************************
|
|
|
|
* EXPECT
|
|
|
|
***********************************************************************/
|
2006-01-05 21:19:05 +01:00
|
|
|
|
|
|
|
static inline int
|
|
|
|
ctnetlink_exp_dump_tuple(struct sk_buff *skb,
|
|
|
|
const struct nf_conntrack_tuple *tuple,
|
|
|
|
enum ctattr_expect type)
|
|
|
|
{
|
2007-09-28 23:37:03 +02:00
|
|
|
struct nlattr *nest_parms;
|
2007-02-12 20:15:49 +01:00
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
nest_parms = nla_nest_start(skb, type | NLA_F_NESTED);
|
|
|
|
if (!nest_parms)
|
|
|
|
goto nla_put_failure;
|
2006-01-05 21:19:05 +01:00
|
|
|
if (ctnetlink_dump_tuples(skb, tuple) < 0)
|
2007-09-28 23:37:03 +02:00
|
|
|
goto nla_put_failure;
|
|
|
|
nla_nest_end(skb, nest_parms);
|
2006-01-05 21:19:05 +01:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
nla_put_failure:
|
2006-01-05 21:19:05 +01:00
|
|
|
return -1;
|
2007-02-12 20:15:49 +01:00
|
|
|
}
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2006-03-22 22:54:15 +01:00
|
|
|
static inline int
|
|
|
|
ctnetlink_exp_dump_mask(struct sk_buff *skb,
|
|
|
|
const struct nf_conntrack_tuple *tuple,
|
2007-07-08 07:31:32 +02:00
|
|
|
const struct nf_conntrack_tuple_mask *mask)
|
2006-03-22 22:54:15 +01:00
|
|
|
{
|
|
|
|
int ret;
|
|
|
|
struct nf_conntrack_l3proto *l3proto;
|
2006-11-29 02:35:06 +01:00
|
|
|
struct nf_conntrack_l4proto *l4proto;
|
2007-07-08 07:31:32 +02:00
|
|
|
struct nf_conntrack_tuple m;
|
2007-09-28 23:37:03 +02:00
|
|
|
struct nlattr *nest_parms;
|
2007-07-08 07:31:32 +02:00
|
|
|
|
|
|
|
memset(&m, 0xFF, sizeof(m));
|
|
|
|
m.src.u.all = mask->src.u.all;
|
|
|
|
memcpy(&m.src.u3, &mask->src.u3, sizeof(m.src.u3));
|
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
nest_parms = nla_nest_start(skb, CTA_EXPECT_MASK | NLA_F_NESTED);
|
|
|
|
if (!nest_parms)
|
|
|
|
goto nla_put_failure;
|
2006-03-22 22:54:15 +01:00
|
|
|
|
2008-11-17 16:00:40 +01:00
|
|
|
l3proto = __nf_ct_l3proto_find(tuple->src.l3num);
|
2007-07-08 07:31:32 +02:00
|
|
|
ret = ctnetlink_dump_tuples_ip(skb, &m, l3proto);
|
2006-03-22 22:54:15 +01:00
|
|
|
|
|
|
|
if (unlikely(ret < 0))
|
2007-09-28 23:37:03 +02:00
|
|
|
goto nla_put_failure;
|
2006-03-22 22:54:15 +01:00
|
|
|
|
2008-11-17 16:00:40 +01:00
|
|
|
l4proto = __nf_ct_l4proto_find(tuple->src.l3num, tuple->dst.protonum);
|
2007-07-08 07:31:32 +02:00
|
|
|
ret = ctnetlink_dump_tuples_proto(skb, &m, l4proto);
|
2006-03-22 22:54:15 +01:00
|
|
|
if (unlikely(ret < 0))
|
2007-09-28 23:37:03 +02:00
|
|
|
goto nla_put_failure;
|
2006-03-22 22:54:15 +01:00
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
nla_nest_end(skb, nest_parms);
|
2006-03-22 22:54:15 +01:00
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
nla_put_failure:
|
2006-03-22 22:54:15 +01:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
[NETFILTER]: Kill some supper dupper bloatry
/me awards the bloatiest-of-all-net/-.c-code award to
nf_conntrack_netlink.c, congratulations to all the authors :-/!
Hall of (unquestionable) fame (measured per inline, top 10 under
net/):
-4496 ctnetlink_parse_tuple netfilter/nf_conntrack_netlink.c
-2165 ctnetlink_dump_tuples netfilter/nf_conntrack_netlink.c
-2115 __ip_vs_get_out_rt ipv4/ipvs/ip_vs_xmit.c
-1924 xfrm_audit_helper_pktinfo xfrm/xfrm_state.c
-1799 ctnetlink_parse_tuple_proto netfilter/nf_conntrack_netlink.c
-1268 ctnetlink_parse_tuple_ip netfilter/nf_conntrack_netlink.c
-1093 ctnetlink_exp_dump_expect netfilter/nf_conntrack_netlink.c
-1060 void ccid3_update_send_interval dccp/ccids/ccid3.c
-983 ctnetlink_dump_tuples_proto netfilter/nf_conntrack_netlink.c
-827 ctnetlink_exp_dump_tuple netfilter/nf_conntrack_netlink.c
(i386 / gcc (GCC) 4.1.2 20070626 (Red Hat 4.1.2-13) /
allyesconfig except CONFIG_FORCED_INLINING)
...and I left < 200 byte gains as future work item.
After iterative inline removal, I finally have this:
net/netfilter/nf_conntrack_netlink.c:
ctnetlink_exp_fill_info | -1104
ctnetlink_new_expect | -1572
ctnetlink_fill_info | -1303
ctnetlink_new_conntrack | -2230
ctnetlink_get_expect | -341
ctnetlink_del_expect | -352
ctnetlink_expect_event | -1110
ctnetlink_conntrack_event | -1548
ctnetlink_del_conntrack | -729
ctnetlink_get_conntrack | -728
10 functions changed, 11017 bytes removed, diff: -11017
net/netfilter/nf_conntrack_netlink.c:
ctnetlink_parse_tuple | +419
dump_nat_seq_adj | +183
ctnetlink_dump_counters | +166
ctnetlink_dump_tuples | +261
ctnetlink_exp_dump_expect | +633
ctnetlink_change_status | +460
6 functions changed, 2122 bytes added, diff: +2122
net/netfilter/nf_conntrack_netlink.o:
16 functions changed, 2122 bytes added, 11017 bytes removed, diff: -8895
Without a number of CONFIG.*DEBUGs, I got this:
net/netfilter/nf_conntrack_netlink.o:
16 functions changed, 2122 bytes added, 11029 bytes removed, diff: -8907
Signed-off-by: Ilpo Järvinen <ilpo.jarvinen@helsinki.fi>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-01-06 08:11:31 +01:00
|
|
|
static int
|
2006-01-05 21:19:05 +01:00
|
|
|
ctnetlink_exp_dump_expect(struct sk_buff *skb,
|
2007-02-12 20:15:49 +01:00
|
|
|
const struct nf_conntrack_expect *exp)
|
2006-01-05 21:19:05 +01:00
|
|
|
{
|
|
|
|
struct nf_conn *master = exp->master;
|
2007-12-18 07:37:03 +01:00
|
|
|
long timeout = (exp->timeout.expires - jiffies) / HZ;
|
|
|
|
|
|
|
|
if (timeout < 0)
|
|
|
|
timeout = 0;
|
2006-01-05 21:19:05 +01:00
|
|
|
|
|
|
|
if (ctnetlink_exp_dump_tuple(skb, &exp->tuple, CTA_EXPECT_TUPLE) < 0)
|
2007-09-28 23:37:03 +02:00
|
|
|
goto nla_put_failure;
|
2006-03-22 22:54:15 +01:00
|
|
|
if (ctnetlink_exp_dump_mask(skb, &exp->tuple, &exp->mask) < 0)
|
2007-09-28 23:37:03 +02:00
|
|
|
goto nla_put_failure;
|
2006-01-05 21:19:05 +01:00
|
|
|
if (ctnetlink_exp_dump_tuple(skb,
|
|
|
|
&master->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
|
|
|
|
CTA_EXPECT_MASTER) < 0)
|
2007-09-28 23:37:03 +02:00
|
|
|
goto nla_put_failure;
|
2007-02-12 20:15:49 +01:00
|
|
|
|
2007-12-18 07:37:03 +01:00
|
|
|
NLA_PUT_BE32(skb, CTA_EXPECT_TIMEOUT, htonl(timeout));
|
2007-12-18 07:29:45 +01:00
|
|
|
NLA_PUT_BE32(skb, CTA_EXPECT_ID, htonl((unsigned long)exp));
|
2006-01-05 21:19:05 +01:00
|
|
|
|
|
|
|
return 0;
|
2007-02-12 20:15:49 +01:00
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
nla_put_failure:
|
2006-01-05 21:19:05 +01:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
|
|
|
ctnetlink_exp_fill_info(struct sk_buff *skb, u32 pid, u32 seq,
|
2009-06-02 20:03:34 +02:00
|
|
|
int event, const struct nf_conntrack_expect *exp)
|
2006-01-05 21:19:05 +01:00
|
|
|
{
|
|
|
|
struct nlmsghdr *nlh;
|
|
|
|
struct nfgenmsg *nfmsg;
|
2009-06-02 20:07:39 +02:00
|
|
|
unsigned int flags = pid ? NLM_F_MULTI : 0;
|
2006-01-05 21:19:05 +01:00
|
|
|
|
|
|
|
event |= NFNL_SUBSYS_CTNETLINK_EXP << 8;
|
2009-06-02 20:07:39 +02:00
|
|
|
nlh = nlmsg_put(skb, pid, seq, event, sizeof(*nfmsg), flags);
|
|
|
|
if (nlh == NULL)
|
|
|
|
goto nlmsg_failure;
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2009-06-02 20:07:39 +02:00
|
|
|
nfmsg = nlmsg_data(nlh);
|
2006-01-05 21:19:05 +01:00
|
|
|
nfmsg->nfgen_family = exp->tuple.src.l3num;
|
|
|
|
nfmsg->version = NFNETLINK_V0;
|
|
|
|
nfmsg->res_id = 0;
|
|
|
|
|
|
|
|
if (ctnetlink_exp_dump_expect(skb, exp) < 0)
|
2007-09-28 23:37:03 +02:00
|
|
|
goto nla_put_failure;
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2009-06-02 20:07:39 +02:00
|
|
|
nlmsg_end(skb, nlh);
|
2006-01-05 21:19:05 +01:00
|
|
|
return skb->len;
|
|
|
|
|
|
|
|
nlmsg_failure:
|
2007-09-28 23:37:03 +02:00
|
|
|
nla_put_failure:
|
2009-06-02 20:07:39 +02:00
|
|
|
nlmsg_cancel(skb, nlh);
|
2006-01-05 21:19:05 +01:00
|
|
|
return -1;
|
|
|
|
}
|
|
|
|
|
|
|
|
#ifdef CONFIG_NF_CONNTRACK_EVENTS
|
2009-06-03 10:32:06 +02:00
|
|
|
static int
|
|
|
|
ctnetlink_expect_event(unsigned int events, struct nf_exp_event *item)
|
2006-01-05 21:19:05 +01:00
|
|
|
{
|
|
|
|
struct nlmsghdr *nlh;
|
|
|
|
struct nfgenmsg *nfmsg;
|
2008-11-18 11:56:20 +01:00
|
|
|
struct nf_conntrack_expect *exp = item->exp;
|
2006-01-05 21:19:05 +01:00
|
|
|
struct sk_buff *skb;
|
|
|
|
unsigned int type;
|
|
|
|
int flags = 0;
|
|
|
|
|
2009-06-13 12:26:29 +02:00
|
|
|
if (events & (1 << IPEXP_NEW)) {
|
2006-01-05 21:19:05 +01:00
|
|
|
type = IPCTNL_MSG_EXP_NEW;
|
|
|
|
flags = NLM_F_CREATE|NLM_F_EXCL;
|
|
|
|
} else
|
2009-06-03 10:32:06 +02:00
|
|
|
return 0;
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2009-02-09 23:34:26 +01:00
|
|
|
if (!item->report &&
|
|
|
|
!nfnetlink_has_listeners(NFNLGRP_CONNTRACK_EXP_NEW))
|
2009-06-03 10:32:06 +02:00
|
|
|
return 0;
|
2006-08-22 09:32:05 +02:00
|
|
|
|
2009-06-02 20:07:39 +02:00
|
|
|
skb = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_ATOMIC);
|
|
|
|
if (skb == NULL)
|
2009-04-17 17:47:31 +02:00
|
|
|
goto errout;
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2006-02-04 11:11:09 +01:00
|
|
|
type |= NFNL_SUBSYS_CTNETLINK_EXP << 8;
|
2009-06-02 20:07:39 +02:00
|
|
|
nlh = nlmsg_put(skb, item->pid, 0, type, sizeof(*nfmsg), flags);
|
|
|
|
if (nlh == NULL)
|
|
|
|
goto nlmsg_failure;
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2009-06-02 20:07:39 +02:00
|
|
|
nfmsg = nlmsg_data(nlh);
|
2006-01-05 21:19:05 +01:00
|
|
|
nfmsg->nfgen_family = exp->tuple.src.l3num;
|
|
|
|
nfmsg->version = NFNETLINK_V0;
|
|
|
|
nfmsg->res_id = 0;
|
|
|
|
|
2008-11-17 16:00:40 +01:00
|
|
|
rcu_read_lock();
|
2006-01-05 21:19:05 +01:00
|
|
|
if (ctnetlink_exp_dump_expect(skb, exp) < 0)
|
2007-09-28 23:37:03 +02:00
|
|
|
goto nla_put_failure;
|
2008-11-17 16:00:40 +01:00
|
|
|
rcu_read_unlock();
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2009-06-02 20:07:39 +02:00
|
|
|
nlmsg_end(skb, nlh);
|
2009-06-03 10:32:06 +02:00
|
|
|
nfnetlink_send(skb, item->pid, NFNLGRP_CONNTRACK_EXP_NEW,
|
|
|
|
item->report, GFP_ATOMIC);
|
|
|
|
return 0;
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
nla_put_failure:
|
2008-11-17 16:00:40 +01:00
|
|
|
rcu_read_unlock();
|
2009-06-02 20:07:39 +02:00
|
|
|
nlmsg_cancel(skb, nlh);
|
2008-11-17 16:00:40 +01:00
|
|
|
nlmsg_failure:
|
2006-01-05 21:19:05 +01:00
|
|
|
kfree_skb(skb);
|
2009-04-17 17:47:31 +02:00
|
|
|
errout:
|
|
|
|
nfnetlink_set_err(0, 0, -ENOBUFS);
|
2009-06-03 10:32:06 +02:00
|
|
|
return 0;
|
2006-01-05 21:19:05 +01:00
|
|
|
}
|
|
|
|
#endif
|
2007-07-08 07:32:34 +02:00
|
|
|
static int ctnetlink_exp_done(struct netlink_callback *cb)
|
|
|
|
{
|
2007-07-08 07:35:21 +02:00
|
|
|
if (cb->args[1])
|
|
|
|
nf_ct_expect_put((struct nf_conntrack_expect *)cb->args[1]);
|
2007-07-08 07:32:34 +02:00
|
|
|
return 0;
|
|
|
|
}
|
2006-01-05 21:19:05 +01:00
|
|
|
|
|
|
|
static int
|
|
|
|
ctnetlink_exp_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
|
|
|
|
{
|
2008-10-08 11:35:03 +02:00
|
|
|
struct net *net = &init_net;
|
2007-07-08 07:32:34 +02:00
|
|
|
struct nf_conntrack_expect *exp, *last;
|
2009-06-02 20:07:39 +02:00
|
|
|
struct nfgenmsg *nfmsg = nlmsg_data(cb->nlh);
|
2007-07-08 07:35:21 +02:00
|
|
|
struct hlist_node *n;
|
2006-01-05 21:19:23 +01:00
|
|
|
u_int8_t l3proto = nfmsg->nfgen_family;
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2008-01-31 13:38:19 +01:00
|
|
|
rcu_read_lock();
|
2007-07-08 07:35:21 +02:00
|
|
|
last = (struct nf_conntrack_expect *)cb->args[1];
|
|
|
|
for (; cb->args[0] < nf_ct_expect_hsize; cb->args[0]++) {
|
2007-07-08 07:32:34 +02:00
|
|
|
restart:
|
2008-10-08 11:35:03 +02:00
|
|
|
hlist_for_each_entry(exp, n, &net->ct.expect_hash[cb->args[0]],
|
2007-07-08 07:35:21 +02:00
|
|
|
hnode) {
|
|
|
|
if (l3proto && exp->tuple.src.l3num != l3proto)
|
2007-07-08 07:32:34 +02:00
|
|
|
continue;
|
2007-07-08 07:35:21 +02:00
|
|
|
if (cb->args[1]) {
|
|
|
|
if (exp != last)
|
|
|
|
continue;
|
|
|
|
cb->args[1] = 0;
|
|
|
|
}
|
2009-06-02 20:03:34 +02:00
|
|
|
if (ctnetlink_exp_fill_info(skb,
|
|
|
|
NETLINK_CB(cb->skb).pid,
|
2007-07-08 07:35:21 +02:00
|
|
|
cb->nlh->nlmsg_seq,
|
|
|
|
IPCTNL_MSG_EXP_NEW,
|
2009-06-02 20:03:34 +02:00
|
|
|
exp) < 0) {
|
2008-01-31 13:38:19 +01:00
|
|
|
if (!atomic_inc_not_zero(&exp->use))
|
|
|
|
continue;
|
2007-07-08 07:35:21 +02:00
|
|
|
cb->args[1] = (unsigned long)exp;
|
|
|
|
goto out;
|
|
|
|
}
|
2007-07-08 07:32:34 +02:00
|
|
|
}
|
2007-07-08 07:35:21 +02:00
|
|
|
if (cb->args[1]) {
|
|
|
|
cb->args[1] = 0;
|
|
|
|
goto restart;
|
2007-07-08 07:32:34 +02:00
|
|
|
}
|
|
|
|
}
|
2007-02-12 20:15:49 +01:00
|
|
|
out:
|
2008-01-31 13:38:19 +01:00
|
|
|
rcu_read_unlock();
|
2007-07-08 07:32:34 +02:00
|
|
|
if (last)
|
|
|
|
nf_ct_expect_put(last);
|
2006-01-05 21:19:05 +01:00
|
|
|
|
|
|
|
return skb->len;
|
|
|
|
}
|
|
|
|
|
2007-09-28 23:39:55 +02:00
|
|
|
static const struct nla_policy exp_nla_policy[CTA_EXPECT_MAX+1] = {
|
|
|
|
[CTA_EXPECT_TIMEOUT] = { .type = NLA_U32 },
|
|
|
|
[CTA_EXPECT_ID] = { .type = NLA_U32 },
|
2006-01-05 21:19:05 +01:00
|
|
|
};
|
|
|
|
|
|
|
|
static int
|
2007-02-12 20:15:49 +01:00
|
|
|
ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb,
|
2007-09-28 23:37:03 +02:00
|
|
|
struct nlmsghdr *nlh, struct nlattr *cda[])
|
2006-01-05 21:19:05 +01:00
|
|
|
{
|
|
|
|
struct nf_conntrack_tuple tuple;
|
|
|
|
struct nf_conntrack_expect *exp;
|
|
|
|
struct sk_buff *skb2;
|
2009-06-02 20:07:39 +02:00
|
|
|
struct nfgenmsg *nfmsg = nlmsg_data(nlh);
|
2006-01-05 21:19:05 +01:00
|
|
|
u_int8_t u3 = nfmsg->nfgen_family;
|
|
|
|
int err = 0;
|
|
|
|
|
|
|
|
if (nlh->nlmsg_flags & NLM_F_DUMP) {
|
2007-03-23 07:30:55 +01:00
|
|
|
return netlink_dump_start(ctnl, skb, nlh,
|
|
|
|
ctnetlink_exp_dump_table,
|
2007-07-08 07:32:34 +02:00
|
|
|
ctnetlink_exp_done);
|
2006-01-05 21:19:05 +01:00
|
|
|
}
|
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
if (cda[CTA_EXPECT_MASTER])
|
2006-01-05 21:19:05 +01:00
|
|
|
err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_MASTER, u3);
|
|
|
|
else
|
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
if (err < 0)
|
|
|
|
return err;
|
|
|
|
|
2008-10-08 11:35:03 +02:00
|
|
|
exp = nf_ct_expect_find_get(&init_net, &tuple);
|
2006-01-05 21:19:05 +01:00
|
|
|
if (!exp)
|
|
|
|
return -ENOENT;
|
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
if (cda[CTA_EXPECT_ID]) {
|
2007-12-18 07:29:45 +01:00
|
|
|
__be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);
|
2007-09-28 23:41:50 +02:00
|
|
|
if (ntohl(id) != (u32)(unsigned long)exp) {
|
2007-07-08 07:30:49 +02:00
|
|
|
nf_ct_expect_put(exp);
|
2006-01-05 21:19:05 +01:00
|
|
|
return -ENOENT;
|
|
|
|
}
|
2007-02-12 20:15:49 +01:00
|
|
|
}
|
2006-01-05 21:19:05 +01:00
|
|
|
|
|
|
|
err = -ENOMEM;
|
2009-06-02 20:07:39 +02:00
|
|
|
skb2 = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
|
|
|
|
if (skb2 == NULL)
|
2006-01-05 21:19:05 +01:00
|
|
|
goto out;
|
2006-11-27 18:25:58 +01:00
|
|
|
|
2008-11-17 16:00:40 +01:00
|
|
|
rcu_read_lock();
|
2007-02-12 20:15:49 +01:00
|
|
|
err = ctnetlink_exp_fill_info(skb2, NETLINK_CB(skb).pid,
|
2009-06-02 20:03:34 +02:00
|
|
|
nlh->nlmsg_seq, IPCTNL_MSG_EXP_NEW, exp);
|
2008-11-17 16:00:40 +01:00
|
|
|
rcu_read_unlock();
|
2006-01-05 21:19:05 +01:00
|
|
|
if (err <= 0)
|
|
|
|
goto free;
|
|
|
|
|
2007-07-08 07:30:49 +02:00
|
|
|
nf_ct_expect_put(exp);
|
2006-01-05 21:19:05 +01:00
|
|
|
|
|
|
|
return netlink_unicast(ctnl, skb2, NETLINK_CB(skb).pid, MSG_DONTWAIT);
|
|
|
|
|
|
|
|
free:
|
|
|
|
kfree_skb(skb2);
|
|
|
|
out:
|
2007-07-08 07:30:49 +02:00
|
|
|
nf_ct_expect_put(exp);
|
2006-01-05 21:19:05 +01:00
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
2007-02-12 20:15:49 +01:00
|
|
|
ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb,
|
2007-09-28 23:37:03 +02:00
|
|
|
struct nlmsghdr *nlh, struct nlattr *cda[])
|
2006-01-05 21:19:05 +01:00
|
|
|
{
|
2007-07-08 07:35:21 +02:00
|
|
|
struct nf_conntrack_expect *exp;
|
2006-01-05 21:19:05 +01:00
|
|
|
struct nf_conntrack_tuple tuple;
|
|
|
|
struct nf_conntrack_helper *h;
|
2009-06-02 20:07:39 +02:00
|
|
|
struct nfgenmsg *nfmsg = nlmsg_data(nlh);
|
2007-07-08 07:35:21 +02:00
|
|
|
struct hlist_node *n, *next;
|
2006-01-05 21:19:05 +01:00
|
|
|
u_int8_t u3 = nfmsg->nfgen_family;
|
2007-07-08 07:35:21 +02:00
|
|
|
unsigned int i;
|
2006-01-05 21:19:05 +01:00
|
|
|
int err;
|
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
if (cda[CTA_EXPECT_TUPLE]) {
|
2006-01-05 21:19:05 +01:00
|
|
|
/* delete a single expect by tuple */
|
|
|
|
err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, u3);
|
|
|
|
if (err < 0)
|
|
|
|
return err;
|
|
|
|
|
|
|
|
/* bump usage count to 2 */
|
2008-10-08 11:35:03 +02:00
|
|
|
exp = nf_ct_expect_find_get(&init_net, &tuple);
|
2006-01-05 21:19:05 +01:00
|
|
|
if (!exp)
|
|
|
|
return -ENOENT;
|
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
if (cda[CTA_EXPECT_ID]) {
|
2007-12-18 07:29:45 +01:00
|
|
|
__be32 id = nla_get_be32(cda[CTA_EXPECT_ID]);
|
2007-09-28 23:41:50 +02:00
|
|
|
if (ntohl(id) != (u32)(unsigned long)exp) {
|
2007-07-08 07:30:49 +02:00
|
|
|
nf_ct_expect_put(exp);
|
2006-01-05 21:19:05 +01:00
|
|
|
return -ENOENT;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
/* after list removal, usage count == 1 */
|
2007-07-08 07:30:49 +02:00
|
|
|
nf_ct_unexpect_related(exp);
|
2007-02-12 20:15:49 +01:00
|
|
|
/* have to put what we 'get' above.
|
2006-01-05 21:19:05 +01:00
|
|
|
* after this line usage count == 0 */
|
2007-07-08 07:30:49 +02:00
|
|
|
nf_ct_expect_put(exp);
|
2007-09-28 23:37:03 +02:00
|
|
|
} else if (cda[CTA_EXPECT_HELP_NAME]) {
|
|
|
|
char *name = nla_data(cda[CTA_EXPECT_HELP_NAME]);
|
2007-07-08 07:35:21 +02:00
|
|
|
struct nf_conn_help *m_help;
|
2006-01-05 21:19:05 +01:00
|
|
|
|
|
|
|
/* delete all expectations for this helper */
|
2008-01-31 13:38:58 +01:00
|
|
|
spin_lock_bh(&nf_conntrack_lock);
|
2006-01-05 21:19:05 +01:00
|
|
|
h = __nf_conntrack_helper_find_byname(name);
|
|
|
|
if (!h) {
|
2008-01-31 13:38:58 +01:00
|
|
|
spin_unlock_bh(&nf_conntrack_lock);
|
2008-06-10 00:56:20 +02:00
|
|
|
return -EOPNOTSUPP;
|
2006-01-05 21:19:05 +01:00
|
|
|
}
|
2007-07-08 07:35:21 +02:00
|
|
|
for (i = 0; i < nf_ct_expect_hsize; i++) {
|
|
|
|
hlist_for_each_entry_safe(exp, n, next,
|
2008-10-08 11:35:03 +02:00
|
|
|
&init_net.ct.expect_hash[i],
|
2007-07-08 07:35:21 +02:00
|
|
|
hnode) {
|
|
|
|
m_help = nfct_help(exp->master);
|
|
|
|
if (m_help->helper == h
|
|
|
|
&& del_timer(&exp->timeout)) {
|
|
|
|
nf_ct_unlink_expect(exp);
|
|
|
|
nf_ct_expect_put(exp);
|
|
|
|
}
|
2006-01-05 21:19:05 +01:00
|
|
|
}
|
|
|
|
}
|
2008-01-31 13:38:58 +01:00
|
|
|
spin_unlock_bh(&nf_conntrack_lock);
|
2006-01-05 21:19:05 +01:00
|
|
|
} else {
|
|
|
|
/* This basically means we have to flush everything*/
|
2008-01-31 13:38:58 +01:00
|
|
|
spin_lock_bh(&nf_conntrack_lock);
|
2007-07-08 07:35:21 +02:00
|
|
|
for (i = 0; i < nf_ct_expect_hsize; i++) {
|
|
|
|
hlist_for_each_entry_safe(exp, n, next,
|
2008-10-08 11:35:03 +02:00
|
|
|
&init_net.ct.expect_hash[i],
|
2007-07-08 07:35:21 +02:00
|
|
|
hnode) {
|
|
|
|
if (del_timer(&exp->timeout)) {
|
|
|
|
nf_ct_unlink_expect(exp);
|
|
|
|
nf_ct_expect_put(exp);
|
|
|
|
}
|
2006-01-05 21:19:05 +01:00
|
|
|
}
|
|
|
|
}
|
2008-01-31 13:38:58 +01:00
|
|
|
spin_unlock_bh(&nf_conntrack_lock);
|
2006-01-05 21:19:05 +01:00
|
|
|
}
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
static int
|
2007-09-28 23:37:03 +02:00
|
|
|
ctnetlink_change_expect(struct nf_conntrack_expect *x, struct nlattr *cda[])
|
2006-01-05 21:19:05 +01:00
|
|
|
{
|
|
|
|
return -EOPNOTSUPP;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
2008-11-18 11:56:20 +01:00
|
|
|
ctnetlink_create_expect(struct nlattr *cda[], u_int8_t u3, u32 pid, int report)
|
2006-01-05 21:19:05 +01:00
|
|
|
{
|
|
|
|
struct nf_conntrack_tuple tuple, mask, master_tuple;
|
|
|
|
struct nf_conntrack_tuple_hash *h = NULL;
|
|
|
|
struct nf_conntrack_expect *exp;
|
|
|
|
struct nf_conn *ct;
|
2006-03-21 02:56:32 +01:00
|
|
|
struct nf_conn_help *help;
|
2006-01-05 21:19:05 +01:00
|
|
|
int err = 0;
|
|
|
|
|
|
|
|
/* caller guarantees that those three CTA_EXPECT_* exist */
|
|
|
|
err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, u3);
|
|
|
|
if (err < 0)
|
|
|
|
return err;
|
|
|
|
err = ctnetlink_parse_tuple(cda, &mask, CTA_EXPECT_MASK, u3);
|
|
|
|
if (err < 0)
|
|
|
|
return err;
|
|
|
|
err = ctnetlink_parse_tuple(cda, &master_tuple, CTA_EXPECT_MASTER, u3);
|
|
|
|
if (err < 0)
|
|
|
|
return err;
|
|
|
|
|
|
|
|
/* Look for master conntrack of this expectation */
|
2008-10-08 11:35:03 +02:00
|
|
|
h = nf_conntrack_find_get(&init_net, &master_tuple);
|
2006-01-05 21:19:05 +01:00
|
|
|
if (!h)
|
|
|
|
return -ENOENT;
|
|
|
|
ct = nf_ct_tuplehash_to_ctrack(h);
|
2006-03-21 02:56:32 +01:00
|
|
|
help = nfct_help(ct);
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2006-03-21 02:56:32 +01:00
|
|
|
if (!help || !help->helper) {
|
2006-01-05 21:19:05 +01:00
|
|
|
/* such conntrack hasn't got any helper, abort */
|
2008-11-17 15:55:48 +01:00
|
|
|
err = -EOPNOTSUPP;
|
2006-01-05 21:19:05 +01:00
|
|
|
goto out;
|
|
|
|
}
|
|
|
|
|
2007-07-08 07:30:49 +02:00
|
|
|
exp = nf_ct_expect_alloc(ct);
|
2006-01-05 21:19:05 +01:00
|
|
|
if (!exp) {
|
|
|
|
err = -ENOMEM;
|
|
|
|
goto out;
|
|
|
|
}
|
2007-02-12 20:15:49 +01:00
|
|
|
|
2009-03-16 15:50:51 +01:00
|
|
|
exp->class = 0;
|
2006-01-05 21:19:05 +01:00
|
|
|
exp->expectfn = NULL;
|
|
|
|
exp->flags = 0;
|
|
|
|
exp->master = ct;
|
2006-12-03 07:05:25 +01:00
|
|
|
exp->helper = NULL;
|
2006-01-05 21:19:05 +01:00
|
|
|
memcpy(&exp->tuple, &tuple, sizeof(struct nf_conntrack_tuple));
|
2007-07-08 07:31:32 +02:00
|
|
|
memcpy(&exp->mask.src.u3, &mask.src.u3, sizeof(exp->mask.src.u3));
|
|
|
|
exp->mask.src.u.all = mask.src.u.all;
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2008-11-18 11:56:20 +01:00
|
|
|
err = nf_ct_expect_related_report(exp, pid, report);
|
2007-07-08 07:30:49 +02:00
|
|
|
nf_ct_expect_put(exp);
|
2006-01-05 21:19:05 +01:00
|
|
|
|
2007-02-12 20:15:49 +01:00
|
|
|
out:
|
2006-01-05 21:19:05 +01:00
|
|
|
nf_ct_put(nf_ct_tuplehash_to_ctrack(h));
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
static int
|
|
|
|
ctnetlink_new_expect(struct sock *ctnl, struct sk_buff *skb,
|
2007-09-28 23:37:03 +02:00
|
|
|
struct nlmsghdr *nlh, struct nlattr *cda[])
|
2006-01-05 21:19:05 +01:00
|
|
|
{
|
|
|
|
struct nf_conntrack_tuple tuple;
|
|
|
|
struct nf_conntrack_expect *exp;
|
2009-06-02 20:07:39 +02:00
|
|
|
struct nfgenmsg *nfmsg = nlmsg_data(nlh);
|
2006-01-05 21:19:05 +01:00
|
|
|
u_int8_t u3 = nfmsg->nfgen_family;
|
|
|
|
int err = 0;
|
|
|
|
|
2007-09-28 23:37:03 +02:00
|
|
|
if (!cda[CTA_EXPECT_TUPLE]
|
|
|
|
|| !cda[CTA_EXPECT_MASK]
|
|
|
|
|| !cda[CTA_EXPECT_MASTER])
|
2006-01-05 21:19:05 +01:00
|
|
|
return -EINVAL;
|
|
|
|
|
|
|
|
err = ctnetlink_parse_tuple(cda, &tuple, CTA_EXPECT_TUPLE, u3);
|
|
|
|
if (err < 0)
|
|
|
|
return err;
|
|
|
|
|
2008-01-31 13:38:58 +01:00
|
|
|
spin_lock_bh(&nf_conntrack_lock);
|
2008-10-08 11:35:03 +02:00
|
|
|
exp = __nf_ct_expect_find(&init_net, &tuple);
|
2006-01-05 21:19:05 +01:00
|
|
|
|
|
|
|
if (!exp) {
|
2008-01-31 13:38:58 +01:00
|
|
|
spin_unlock_bh(&nf_conntrack_lock);
|
2006-01-05 21:19:05 +01:00
|
|
|
err = -ENOENT;
|
2008-11-18 11:56:20 +01:00
|
|
|
if (nlh->nlmsg_flags & NLM_F_CREATE) {
|
|
|
|
err = ctnetlink_create_expect(cda,
|
|
|
|
u3,
|
|
|
|
NETLINK_CB(skb).pid,
|
|
|
|
nlmsg_report(nlh));
|
|
|
|
}
|
2006-01-05 21:19:05 +01:00
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
err = -EEXIST;
|
|
|
|
if (!(nlh->nlmsg_flags & NLM_F_EXCL))
|
|
|
|
err = ctnetlink_change_expect(exp, cda);
|
2008-01-31 13:38:58 +01:00
|
|
|
spin_unlock_bh(&nf_conntrack_lock);
|
2006-01-05 21:19:05 +01:00
|
|
|
|
|
|
|
return err;
|
|
|
|
}
|
|
|
|
|
|
|
|
#ifdef CONFIG_NF_CONNTRACK_EVENTS
|
2009-06-03 10:32:06 +02:00
|
|
|
static struct nf_ct_event_notifier ctnl_notifier = {
|
|
|
|
.fcn = ctnetlink_conntrack_event,
|
2006-01-05 21:19:05 +01:00
|
|
|
};
|
|
|
|
|
2009-06-03 10:32:06 +02:00
|
|
|
static struct nf_exp_event_notifier ctnl_notifier_exp = {
|
|
|
|
.fcn = ctnetlink_expect_event,
|
2006-01-05 21:19:05 +01:00
|
|
|
};
|
|
|
|
#endif
|
|
|
|
|
2007-09-28 23:15:45 +02:00
|
|
|
static const struct nfnl_callback ctnl_cb[IPCTNL_MSG_MAX] = {
|
2006-01-05 21:19:05 +01:00
|
|
|
[IPCTNL_MSG_CT_NEW] = { .call = ctnetlink_new_conntrack,
|
2007-09-28 23:39:55 +02:00
|
|
|
.attr_count = CTA_MAX,
|
|
|
|
.policy = ct_nla_policy },
|
2006-01-05 21:19:05 +01:00
|
|
|
[IPCTNL_MSG_CT_GET] = { .call = ctnetlink_get_conntrack,
|
2007-09-28 23:39:55 +02:00
|
|
|
.attr_count = CTA_MAX,
|
|
|
|
.policy = ct_nla_policy },
|
2006-01-05 21:19:05 +01:00
|
|
|
[IPCTNL_MSG_CT_DELETE] = { .call = ctnetlink_del_conntrack,
|
2007-09-28 23:39:55 +02:00
|
|
|
.attr_count = CTA_MAX,
|
|
|
|
.policy = ct_nla_policy },
|
2006-01-05 21:19:05 +01:00
|
|
|
[IPCTNL_MSG_CT_GET_CTRZERO] = { .call = ctnetlink_get_conntrack,
|
2007-09-28 23:39:55 +02:00
|
|
|
.attr_count = CTA_MAX,
|
|
|
|
.policy = ct_nla_policy },
|
2006-01-05 21:19:05 +01:00
|
|
|
};
|
|
|
|
|
2007-09-28 23:15:45 +02:00
|
|
|
static const struct nfnl_callback ctnl_exp_cb[IPCTNL_MSG_EXP_MAX] = {
|
2006-01-05 21:19:05 +01:00
|
|
|
[IPCTNL_MSG_EXP_GET] = { .call = ctnetlink_get_expect,
|
2007-09-28 23:39:55 +02:00
|
|
|
.attr_count = CTA_EXPECT_MAX,
|
|
|
|
.policy = exp_nla_policy },
|
2006-01-05 21:19:05 +01:00
|
|
|
[IPCTNL_MSG_EXP_NEW] = { .call = ctnetlink_new_expect,
|
2007-09-28 23:39:55 +02:00
|
|
|
.attr_count = CTA_EXPECT_MAX,
|
|
|
|
.policy = exp_nla_policy },
|
2006-01-05 21:19:05 +01:00
|
|
|
[IPCTNL_MSG_EXP_DELETE] = { .call = ctnetlink_del_expect,
|
2007-09-28 23:39:55 +02:00
|
|
|
.attr_count = CTA_EXPECT_MAX,
|
|
|
|
.policy = exp_nla_policy },
|
2006-01-05 21:19:05 +01:00
|
|
|
};
|
|
|
|
|
2007-09-28 23:15:45 +02:00
|
|
|
static const struct nfnetlink_subsystem ctnl_subsys = {
|
2006-01-05 21:19:05 +01:00
|
|
|
.name = "conntrack",
|
|
|
|
.subsys_id = NFNL_SUBSYS_CTNETLINK,
|
|
|
|
.cb_count = IPCTNL_MSG_MAX,
|
|
|
|
.cb = ctnl_cb,
|
|
|
|
};
|
|
|
|
|
2007-09-28 23:15:45 +02:00
|
|
|
static const struct nfnetlink_subsystem ctnl_exp_subsys = {
|
2006-01-05 21:19:05 +01:00
|
|
|
.name = "conntrack_expect",
|
|
|
|
.subsys_id = NFNL_SUBSYS_CTNETLINK_EXP,
|
|
|
|
.cb_count = IPCTNL_MSG_EXP_MAX,
|
|
|
|
.cb = ctnl_exp_cb,
|
|
|
|
};
|
|
|
|
|
2006-12-03 07:06:05 +01:00
|
|
|
MODULE_ALIAS("ip_conntrack_netlink");
|
2006-01-05 21:19:05 +01:00
|
|
|
MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK);
|
2006-02-04 11:11:41 +01:00
|
|
|
MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_CTNETLINK_EXP);
|
2006-01-05 21:19:05 +01:00
|
|
|
|
|
|
|
static int __init ctnetlink_init(void)
|
|
|
|
{
|
|
|
|
int ret;
|
|
|
|
|
|
|
|
printk("ctnetlink v%s: registering with nfnetlink.\n", version);
|
|
|
|
ret = nfnetlink_subsys_register(&ctnl_subsys);
|
|
|
|
if (ret < 0) {
|
|
|
|
printk("ctnetlink_init: cannot register with nfnetlink.\n");
|
|
|
|
goto err_out;
|
|
|
|
}
|
|
|
|
|
|
|
|
ret = nfnetlink_subsys_register(&ctnl_exp_subsys);
|
|
|
|
if (ret < 0) {
|
|
|
|
printk("ctnetlink_init: cannot register exp with nfnetlink.\n");
|
|
|
|
goto err_unreg_subsys;
|
|
|
|
}
|
|
|
|
|
|
|
|
#ifdef CONFIG_NF_CONNTRACK_EVENTS
|
|
|
|
ret = nf_conntrack_register_notifier(&ctnl_notifier);
|
|
|
|
if (ret < 0) {
|
|
|
|
printk("ctnetlink_init: cannot register notifier.\n");
|
|
|
|
goto err_unreg_exp_subsys;
|
|
|
|
}
|
|
|
|
|
2007-07-08 07:30:49 +02:00
|
|
|
ret = nf_ct_expect_register_notifier(&ctnl_notifier_exp);
|
2006-01-05 21:19:05 +01:00
|
|
|
if (ret < 0) {
|
|
|
|
printk("ctnetlink_init: cannot expect register notifier.\n");
|
|
|
|
goto err_unreg_notifier;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
#ifdef CONFIG_NF_CONNTRACK_EVENTS
|
|
|
|
err_unreg_notifier:
|
|
|
|
nf_conntrack_unregister_notifier(&ctnl_notifier);
|
|
|
|
err_unreg_exp_subsys:
|
|
|
|
nfnetlink_subsys_unregister(&ctnl_exp_subsys);
|
|
|
|
#endif
|
|
|
|
err_unreg_subsys:
|
|
|
|
nfnetlink_subsys_unregister(&ctnl_subsys);
|
|
|
|
err_out:
|
|
|
|
return ret;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void __exit ctnetlink_exit(void)
|
|
|
|
{
|
|
|
|
printk("ctnetlink: unregistering from nfnetlink.\n");
|
|
|
|
|
|
|
|
#ifdef CONFIG_NF_CONNTRACK_EVENTS
|
2007-07-08 07:30:49 +02:00
|
|
|
nf_ct_expect_unregister_notifier(&ctnl_notifier_exp);
|
2006-01-05 21:19:05 +01:00
|
|
|
nf_conntrack_unregister_notifier(&ctnl_notifier);
|
|
|
|
#endif
|
|
|
|
|
|
|
|
nfnetlink_subsys_unregister(&ctnl_exp_subsys);
|
|
|
|
nfnetlink_subsys_unregister(&ctnl_subsys);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
|
|
|
module_init(ctnetlink_init);
|
|
|
|
module_exit(ctnetlink_exit);
|