(usagi-users 03052) IPv6 state filter update
- To: usagi-users@xxxxxxxxxxxxxx
- Subject: (usagi-users 03052) IPv6 state filter update
- From: Michal Rokos <michal@xxxxxxxxxx>
- Date: Fri, 1 Oct 2004 10:23:14 +0200
- Reply-to: usagi-users@xxxxxxxxxxxxxx
- Resent-date: Fri, 1 Oct 2004 17:37:01 +0900
- Resent-from: sekiya@xxxxxxxxxxxxxx
- Resent-message-id: <200410011737.FMLAAB11908.usagi-users@linux-ipv6.org>
- Resent-to: usagi-users@xxxxxxxxxxxxxx (moderated)
- User-agent: KMail/1.7
Hello,
this patch reflects the latest changes in linux2.6 netfilter.
(The struct nf_ct_info was removed.)
Could you, please, review this IPv6 state filter portion of usagi patch?
(It could save you a few minutes of typing your own code when building
new usagi patch).
The patch is against current bk with applied
usagi-ipv6-statefilter-20040914.patch
Thank you
Michal
PS: Please cc to me since I'm off the list.
# This is a BitKeeper generated diff -Nru style patch.
#
# ChangeSet
# 2004/09/30 00:44:26+02:00 michal@xxxxxxxxxxxxxxxxx
# Reflect nf_ct_info removal.
#
# net/ipv6/netfilter/ip6t_REJECT.c
# 2004/09/30 00:44:15+02:00 michal@xxxxxxxxxxxxxxxxx +6 -6
# Reflect nf_ct_info removal.
#
# ChangeSet
# 2004/09/30 00:33:43+02:00 michal@xxxxxxxxxxxxxxxxx
# Reflect nf_ct_info removal change.
#
# net/ipv6/netfilter/ip6t_state.c
# 2004/09/30 00:33:30+02:00 michal@xxxxxxxxxxxxxxxxx +1 -1
# Reflect nf_ct_info removal change.
#
# net/ipv6/netfilter/ip6_conntrack_standalone.c
# 2004/09/30 00:33:30+02:00 michal@xxxxxxxxxxxxxxxxx +2 -3
# Reflect nf_ct_info removal change.
#
# net/ipv6/netfilter/ip6_conntrack_core.c
# 2004/09/30 00:33:30+02:00 michal@xxxxxxxxxxxxxxxxx +15 -41
# Reflect nf_ct_info removal change.
#
# include/linux/netfilter_ipv6/ip6_conntrack_core.h
# 2004/09/30 00:33:30+02:00 michal@xxxxxxxxxxxxxxxxx +3 -3
# Reflect nf_ct_info removal change.
#
# include/linux/netfilter_ipv6/ip6_conntrack.h
# 2004/09/30 00:33:29+02:00 michal@xxxxxxxxxxxxxxxxx +6 -7
# Reflect nf_ct_info removal change.
#
# ChangeSet
# 2004/09/29 22:45:21+02:00 michal@xxxxxxxxxxxxxxxxx
# Make it compile, but only when IPv6 conntrack & REJECT are disabled.
#
# net/core/netfilter.c
# 2004/09/29 22:45:09+02:00 michal@xxxxxxxxxxxxxxxxx +1 -1
# Make it compile, but only when IPv6 conntrack & REJECT are disabled.
#
# include/linux/netfilter.h
# 2004/09/29 22:45:09+02:00 michal@xxxxxxxxxxxxxxxxx +1 -1
# Make it compile, but only when IPv6 conntrack & REJECT are disabled.
#
diff -Nru a/include/linux/netfilter.h b/include/linux/netfilter.h
--- a/include/linux/netfilter.h 2004-10-01 10:12:01 +02:00
+++ b/include/linux/netfilter.h 2004-10-01 10:12:01 +02:00
@@ -181,7 +181,7 @@
extern void (*ip_ct_attach)(struct sk_buff *, struct sk_buff *);
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
-extern void (*ip6_ct_attach)(struct sk_buff *, struct nf_ct_info *);
+extern void (*ip6_ct_attach)(struct sk_buff *, struct sk_buff *);
#endif
#ifdef CONFIG_NETFILTER_DEBUG
diff -Nru a/include/linux/netfilter_ipv6/ip6_conntrack.h b/include/linux/netfilter_ipv6/ip6_conntrack.h
--- a/include/linux/netfilter_ipv6/ip6_conntrack.h 2004-10-01 10:12:01 +02:00
+++ b/include/linux/netfilter_ipv6/ip6_conntrack.h 2004-10-01 10:12:01 +02:00
@@ -181,12 +181,7 @@
/* Helper, if any. */
struct ip6_conntrack_helper *helper;
- /* Our various nf_ct_info structs specify *what* relation this
- packet has to the conntrack */
- struct nf_ct_info infos[IP6_CT_NUMBER];
-
/* Storage reserved for other modules: */
-
union ip6_conntrack_proto proto;
union ip6_conntrack_help help;
@@ -208,8 +203,12 @@
const struct ip6_conntrack *ignored_conntrack);
/* Return conntrack_info and tuple hash for given skb. */
-extern struct ip6_conntrack *
-ip6_conntrack_get(struct sk_buff *skb, enum ip6_conntrack_info *ctinfo);
+static inline struct ip6_conntrack *
+ip6_conntrack_get(const struct sk_buff *skb, enum ip6_conntrack_info *ctinfo)
+{
+ *ctinfo = skb->nfctinfo;
+ return (struct ip6_conntrack *)skb->nfct;
+}
/* decrement reference count on a conntrack */
extern inline void ip6_conntrack_put(struct ip6_conntrack *ct);
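Review bot: The cast `(struct ip6_conntrack *)skb->nfct` in the new inline `ip6_conntrack_get` is only correct while `ct_general` is the first member of `struct ip6_conntrack`, and nothing visible in this header states that. The same cast is used in `ip6_conntrack_confirm` in ip6_conntrack_core.h. The start of the struct is outside the hunk, so the layout could not be checked here; a comment at the member would record the dependency, for example `/* Must stay first: skb->nfct is cast back to struct ip6_conntrack. */`. The inline also writes `*ctinfo` when `skb->nfct` is NULL and drops the old `IP6_NF_ASSERT` range check, so its comment should say that `*ctinfo` is meaningful only when the return value is non-NULL.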
diff -Nru a/include/linux/netfilter_ipv6/ip6_conntrack_core.h b/include/linux/netfilter_ipv6/ip6_conntrack_core.h
--- a/include/linux/netfilter_ipv6/ip6_conntrack_core.h 2004-10-01 10:12:01 +02:00
+++ b/include/linux/netfilter_ipv6/ip6_conntrack_core.h 2004-10-01 10:12:01 +02:00
@@ -51,14 +51,14 @@
ip6_conntrack_find_get(const struct ip6_conntrack_tuple *tuple,
const struct ip6_conntrack *ignored_conntrack);
-extern int __ip6_conntrack_confirm(struct nf_ct_info *nfct);
+extern int __ip6_conntrack_confirm(struct sk_buff *skb);
/* Confirm a connection: returns NF_DROP if packet must be dropped. */
static inline int ip6_conntrack_confirm(struct sk_buff *skb)
{
if (skb->nfct
- && !is_confirmed((struct ip6_conntrack *)skb->nfct->master))
- return __ip6_conntrack_confirm(skb->nfct);
+ && !is_confirmed((struct ip6_conntrack *)skb->nfct))
+ return __ip6_conntrack_confirm(skb);
return NF_ACCEPT;
}
diff -Nru a/net/core/netfilter.c b/net/core/netfilter.c
--- a/net/core/netfilter.c 2004-10-01 10:12:01 +02:00
+++ b/net/core/netfilter.c 2004-10-01 10:12:01 +02:00
@@ -809,7 +809,7 @@
void (*ip_ct_attach)(struct sk_buff *, struct sk_buff *);
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
-void (*ip6_ct_attach)(struct sk_buff *, struct nf_ct_info *);
+void (*ip6_ct_attach)(struct sk_buff *, struct sk_buff *);
#endif
void __init netfilter_init(void)
diff -Nru a/net/ipv6/netfilter/ip6_conntrack_core.c b/net/ipv6/netfilter/ip6_conntrack_core.c
--- a/net/ipv6/netfilter/ip6_conntrack_core.c 2004-10-01 10:12:01 +02:00
+++ b/net/ipv6/netfilter/ip6_conntrack_core.c 2004-10-01 10:12:01 +02:00
@@ -242,10 +242,7 @@
ip6_conntrack_put(struct ip6_conntrack *ct)
{
IP6_NF_ASSERT(ct);
- IP6_NF_ASSERT(ct->infos[0].master);
- /* nf_conntrack_put wants to go via an info struct, so feed it
- one at random. */
- nf_conntrack_put(&ct->infos[0]);
+ nf_conntrack_put(&ct->ct_general);
}
static int ip6_conntrack_hash_rnd_initted;
@@ -554,36 +551,15 @@
return h;
}
-static inline struct ip6_conntrack *
-__ip6_conntrack_get(struct nf_ct_info *nfct, enum ip6_conntrack_info *ctinfo)
-{
- struct ip6_conntrack *ct
- = (struct ip6_conntrack *)nfct->master;
-
- /* ctinfo is the index of the nfct inside the conntrack */
- *ctinfo = nfct - ct->infos;
- IP6_NF_ASSERT(*ctinfo >= 0 && *ctinfo < IP6_CT_NUMBER);
- return ct;
-}
-
-/* Return conntrack and conntrack_info given skb->nfct->master */
-struct ip6_conntrack *
-ip6_conntrack_get(struct sk_buff *skb, enum ip6_conntrack_info *ctinfo)
-{
- if (skb->nfct)
- return __ip6_conntrack_get(skb->nfct, ctinfo);
- return NULL;
-}
-
-/* Confirm a connection given skb->nfct; places it in hash table */
+/* Confirm a connection given skb; places it in hash table */
int
-__ip6_conntrack_confirm(struct nf_ct_info *nfct)
+__ip6_conntrack_confirm(struct sk_buff *skb)
{
unsigned int hash, repl_hash;
struct ip6_conntrack *ct;
enum ip6_conntrack_info ctinfo;
- ct = __ip6_conntrack_get(nfct, &ctinfo);
+ ct = ip6_conntrack_get(skb, &ctinfo);
/* ip6t_REJECT uses ip6_conntrack_attach to attach related
ICMP/TCP RST packets in other direction. Actual packet
@@ -742,7 +718,7 @@
}
/* Update skb to refer to this connection */
- skb->nfct = &h->ctrack->infos[*ctinfo];
+ skb->nfct = &h->ctrack->ct_general;
return h->ctrack;
}
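Review bot: `skb->nfctinfo` is not set after `skb->nfct = &h->ctrack->ct_general;` here, although the otherwise identical assignment in the `@@ -955,7 +928,8 @@` hunk is followed by `skb->nfctinfo = *ctinfo;`. The old pointer `&h->ctrack->infos[*ctinfo]` carried the ctinfo value, and the new `ip6_conntrack_get` reads it back from `skb->nfctinfo`, so on this path the skb would keep whatever value that field held before. `ip6t_state` derives its state bit from that value, so a packet could be matched under the wrong connection state. The rest of the function is outside the hunk; unless the field is set there, add `skb->nfctinfo = *ctinfo;` directly after the `skb->nfct` assignment.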
@@ -803,7 +779,6 @@
struct ip6_conntrack_tuple repl_tuple;
size_t hash;
struct ip6_conntrack_expect *expected;
- int i;
static unsigned int drop_next = 0;
if (!ip6_conntrack_hash_rnd_initted) {
@@ -848,8 +823,6 @@
conntrack->tuplehash[IP6_CT_DIR_ORIGINAL].ctrack = conntrack;
conntrack->tuplehash[IP6_CT_DIR_REPLY].tuple = repl_tuple;
conntrack->tuplehash[IP6_CT_DIR_REPLY].ctrack = conntrack;
- for (i=0; i < IP6_CT_NUMBER; i++)
- conntrack->infos[i].master = &conntrack->ct_general;
if (!protocol->new(conntrack, skb, protoff)) {
kmem_cache_free(ip6_conntrack_cachep, conntrack);
@@ -897,7 +870,7 @@
expected->sibling = conntrack;
LIST_DELETE(&ip6_conntrack_expect_list, expected);
expected->expectant->expecting--;
- nf_conntrack_get(&master_ct6(conntrack)->infos[0]);
+ nf_conntrack_get(&master_ct6(conntrack)->ct_general);
}
atomic_inc(&ip6_conntrack_count);
WRITE_UNLOCK(&ip6_conntrack_lock);
@@ -955,7 +928,8 @@
}
*set_reply = 0;
}
- skb->nfct = &h->ctrack->infos[*ctinfo];
+ skb->nfct = &h->ctrack->ct_general;
+ skb->nfctinfo = *ctinfo;
return h->ctrack;
}
@@ -1334,23 +1308,23 @@
}
/* Used by ip6t_REJECT. */
-static void ip6_conntrack_attach(struct sk_buff *nskb, struct nf_ct_info *nfct)
+static void ip6_conntrack_attach(struct sk_buff *nskb, struct sk_buff *skb)
{
struct ip6_conntrack *ct;
enum ip6_conntrack_info ctinfo;
- ct = __ip6_conntrack_get(nfct, &ctinfo);
+ /* This ICMP is in reverse direction to the packet which caused it */
+ ct = ip6_conntrack_get(skb, &ctinfo);
- /* This ICMP is in reverse direction to the packet which
- caused it */
if (CTINFO2DIR(ctinfo) == IP6_CT_DIR_ORIGINAL)
ctinfo = IP6_CT_RELATED + IP6_CT_IS_REPLY;
else
ctinfo = IP6_CT_RELATED;
- /* Attach new skbuff, and increment count */
- nskb->nfct = &ct->infos[ctinfo];
- atomic_inc(&ct->ct_general.use);
+ /* Attach to new skbuff, and increment count */
+ nskb->nfct = &ct->ct_general;
+ nskb->nfctinfo = ctinfo;
+ nf_conntrack_get(nskb->nfct);
}
static inline int
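Review bot: `ip6_conntrack_attach` now takes `ct` from `ip6_conntrack_get(skb, &ctinfo)` and uses both `ct` and `ctinfo` without testing for NULL, so it depends on the caller having checked `skb->nfct`, as `connection_attach` in ip6t_REJECT.c does. The function is presumably reached through the exported `ip6_ct_attach` pointer, so the precondition belongs in the comment above it: `/* Used by ip6t_REJECT. Caller must ensure skb->nfct is non-NULL. */`. It also overwrites `nskb->nfct` without releasing a reference the new skb might already hold; that is safe only if `nskb` is always freshly built, which the hunk does not show.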
diff -Nru a/net/ipv6/netfilter/ip6_conntrack_standalone.c b/net/ipv6/netfilter/ip6_conntrack_standalone.c
--- a/net/ipv6/netfilter/ip6_conntrack_standalone.c 2004-10-01 10:12:01 +02:00
+++ b/net/ipv6/netfilter/ip6_conntrack_standalone.c 2004-10-01 10:12:01 +02:00
@@ -313,7 +313,7 @@
if (ret == NF_DROP) {
ip6_ct_kfree_frags(skb);
- }else{
+ } else {
struct nf_info info;
info.pf = PF_INET6;
@@ -330,9 +330,8 @@
break;
}
- if (ip6_ct_output_frags(skb, &info) <0)
+ if (ip6_ct_output_frags(skb, &info) < 0)
DEBUGP("Can't output fragments\n");
-
}
return NF_STOLEN;
diff -Nru a/net/ipv6/netfilter/ip6t_REJECT.c b/net/ipv6/netfilter/ip6t_REJECT.c
--- a/net/ipv6/netfilter/ip6t_REJECT.c 2004-10-01 10:12:01 +02:00
+++ b/net/ipv6/netfilter/ip6t_REJECT.c 2004-10-01 10:12:01 +02:00
@@ -40,12 +40,12 @@
#define DEBUGP(format, args...)
#endif
-static void connection_attach(struct sk_buff *new_skb, struct nf_ct_info *nfct)
+static void connection_attach(struct sk_buff *new_skb, struct sk_buff *skb)
{
- void (*attach)(struct sk_buff *, struct nf_ct_info *);
- if (nfct && (attach = ip6_ct_attach) != NULL) {
+ void (*attach)(struct sk_buff *, struct sk_buff *);
+ if (skb->nfct && (attach = ip6_ct_attach) != NULL) {
mb();
- attach(new_skb, nfct);
+ attach(new_skb, skb);
}
}
@@ -188,7 +188,7 @@
csum_partial((char *)tcph,
sizeof(struct tcphdr), 0));
- connection_attach(nskb, oldskb->nfct);
+ connection_attach(nskb, oldskb);
NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, nskb, NULL, nskb->dst->dev,
maybe_reroute);
@@ -337,7 +337,7 @@
datalen + sizeof(struct icmp6hdr),
IPPROTO_ICMPV6, csum);
- connection_attach(nskb, skb_in->nfct);
+ connection_attach(nskb, skb_in);
NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, nskb, NULL, nskb->dst->dev,
maybe_reroute);
diff -Nru a/net/ipv6/netfilter/ip6t_state.c b/net/ipv6/netfilter/ip6t_state.c
--- a/net/ipv6/netfilter/ip6t_state.c 2004-10-01 10:12:01 +02:00
+++ b/net/ipv6/netfilter/ip6t_state.c 2004-10-01 10:12:01 +02:00
@@ -37,7 +37,7 @@
enum ip6_conntrack_info ctinfo;
unsigned int statebit;
- if (!ip6_conntrack_get((struct sk_buff *)skb, &ctinfo))
+ if (!ip6_conntrack_get(skb, &ctinfo))
statebit = IP6T_STATE_INVALID;
else
statebit = IP6T_STATE_BIT(ctinfo);