tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
netfilter: conntrack: remove l3->l4 mapping information
l4 protocols are demuxed by l3num, l4num pair.
However, almost all l4 trackers are l3 agnostic.
Only exceptions are:
- gre, icmp (ipv4 only)
- icmpv6 (ipv6 only)
This commit gets rid of the l3 mapping, l4 trackers can now be looked up
by their IPPROTO_XXX value alone, which gets rid of the additional l3
indirection.
For icmp, ipcmp6 and gre, add a check on state->pf and
return -NF_ACCEPT in case we're asked to track e.g. icmpv6-in-ipv4,
this seems more fitting than using the generic tracker.
Additionally we can kill the 2nd l4proto definitions that were needed
for v4/v6 split -- they are now the same so we can use single l4proto
struct for each protocol, rather than two.
The EXPORT_SYMBOLs can be removed as all these object files are
part of nf_conntrack with no external references.
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
authored by
Florian Westphal
and committed by
Pablo Neira Ayuso
dd2934a9
ca2ca6e1
+76
-301
+5
-8
include/net/netfilter/ipv4/nf_conntrack_ipv4.h
+5
-8
include/net/netfilter/ipv4/nf_conntrack_ipv4.h
···
10
10
#ifndef _NF_CONNTRACK_IPV4_H
11
11
#define _NF_CONNTRACK_IPV4_H
12
12
13
-
extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp4;
14
-
extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_udp4;
13
+
extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp;
14
+
extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_udp;
15
15
extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp;
16
16
#ifdef CONFIG_NF_CT_PROTO_DCCP
17
-
extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp4;
17
+
extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp;
18
18
#endif
19
19
#ifdef CONFIG_NF_CT_PROTO_SCTP
20
-
extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4;
20
+
extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp;
21
21
#endif
22
22
#ifdef CONFIG_NF_CT_PROTO_UDPLITE
23
-
extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite4;
23
+
extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite;
24
24
#endif
25
-
26
-
int nf_conntrack_ipv4_compat_init(void);
27
-
void nf_conntrack_ipv4_compat_fini(void);
28
25
29
26
#endif /*_NF_CONNTRACK_IPV4_H*/
-13
include/net/netfilter/ipv6/nf_conntrack_ipv6.h
-13
include/net/netfilter/ipv6/nf_conntrack_ipv6.h
···
2
2
#ifndef _NF_CONNTRACK_IPV6_H
3
3
#define _NF_CONNTRACK_IPV6_H
4
4
5
-
extern const struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv6;
6
-
7
-
extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp6;
8
-
extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_udp6;
9
5
extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_icmpv6;
10
-
#ifdef CONFIG_NF_CT_PROTO_DCCP
11
-
extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp6;
12
-
#endif
13
-
#ifdef CONFIG_NF_CT_PROTO_SCTP
14
-
extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6;
15
-
#endif
16
-
#ifdef CONFIG_NF_CT_PROTO_UDPLITE
17
-
extern const struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite6;
18
-
#endif
19
6
20
7
#include <linux/sysctl.h>
21
8
extern struct ctl_table nf_ct_ipv6_sysctl_table[];
+2
-7
include/net/netfilter/nf_conntrack_l4proto.h
+2
-7
include/net/netfilter/nf_conntrack_l4proto.h
···
18
18
struct seq_file;
19
19
20
20
struct nf_conntrack_l4proto {
21
-
/* L3 Protocol number. */
22
-
u_int16_t l3proto;
23
-
24
21
/* L4 Protocol number. */
25
22
u_int8_t l4proto;
26
23
···
104
107
105
108
#define MAX_NF_CT_PROTO 256
106
109
107
-
const struct nf_conntrack_l4proto *__nf_ct_l4proto_find(u_int16_t l3proto,
108
-
u_int8_t l4proto);
110
+
const struct nf_conntrack_l4proto *__nf_ct_l4proto_find(u8 l4proto);
109
111
110
-
const struct nf_conntrack_l4proto *nf_ct_l4proto_find_get(u_int16_t l3proto,
111
-
u_int8_t l4proto);
112
+
const struct nf_conntrack_l4proto *nf_ct_l4proto_find_get(u8 l4proto);
112
113
void nf_ct_l4proto_put(const struct nf_conntrack_l4proto *p);
113
114
114
115
/* Protocol pernet registration. */
+7
-8
net/netfilter/nf_conntrack_core.c
+7
-8
net/netfilter/nf_conntrack_core.c
···
379
379
return false;
380
380
}
381
381
382
-
l4proto = __nf_ct_l4proto_find(l3num, protonum);
382
+
l4proto = __nf_ct_l4proto_find(protonum);
383
383
384
384
ret = nf_ct_get_tuple(skb, nhoff, protoff, l3num, protonum, net, tuple,
385
385
l4proto);
···
539
539
nf_ct_tmpl_free(ct);
540
540
return;
541
541
}
542
-
l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
542
+
l4proto = __nf_ct_l4proto_find(nf_ct_protonum(ct));
543
543
if (l4proto->destroy)
544
544
l4proto->destroy(ct);
545
545
···
840
840
enum ip_conntrack_info oldinfo;
841
841
struct nf_conn *loser_ct = nf_ct_get(skb, &oldinfo);
842
842
843
-
l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
843
+
l4proto = __nf_ct_l4proto_find(nf_ct_protonum(ct));
844
844
if (l4proto->allow_clash &&
845
845
!nf_ct_is_dying(ct) &&
846
846
atomic_inc_not_zero(&ct->ct_general.use)) {
···
1109
1109
if (!test_bit(IPS_ASSURED_BIT, &ct->status))
1110
1110
return true;
1111
1111
1112
-
l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
1112
+
l4proto = __nf_ct_l4proto_find(nf_ct_protonum(ct));
1113
1113
if (l4proto->can_early_drop && l4proto->can_early_drop(ct))
1114
1114
return true;
1115
1115
···
1549
1549
goto out;
1550
1550
}
1551
1551
1552
-
l4proto = __nf_ct_l4proto_find(state->pf, protonum);
1552
+
l4proto = __nf_ct_l4proto_find(protonum);
1553
1553
1554
1554
if (protonum == IPPROTO_ICMP || protonum == IPPROTO_ICMPV6) {
1555
1555
ret = nf_conntrack_handle_icmp(tmpl, skb, dataoff,
···
1618
1618
1619
1619
rcu_read_lock();
1620
1620
ret = nf_ct_invert_tuple(inverse, orig,
1621
-
__nf_ct_l4proto_find(orig->src.l3num,
1622
-
orig->dst.protonum));
1621
+
__nf_ct_l4proto_find(orig->dst.protonum));
1623
1622
rcu_read_unlock();
1624
1623
return ret;
1625
1624
}
···
1775
1776
if (dataoff <= 0)
1776
1777
return -1;
1777
1778
1778
-
l4proto = nf_ct_l4proto_find_get(l3num, l4num);
1779
+
l4proto = nf_ct_l4proto_find_get(l4num);
1779
1780
1780
1781
if (!nf_ct_get_tuple(skb, skb_network_offset(skb), dataoff, l3num,
1781
1782
l4num, net, &tuple, l4proto))
+1
-2
net/netfilter/nf_conntrack_expect.c
+1
-2
net/netfilter/nf_conntrack_expect.c
···
610
610
expect->tuple.src.l3num,
611
611
expect->tuple.dst.protonum);
612
612
print_tuple(s, &expect->tuple,
613
-
__nf_ct_l4proto_find(expect->tuple.src.l3num,
614
-
expect->tuple.dst.protonum));
613
+
__nf_ct_l4proto_find(expect->tuple.dst.protonum));
615
614
616
615
if (expect->flags & NF_CT_EXPECT_PERMANENT) {
617
616
seq_puts(s, "PERMANENT");
+6
-8
net/netfilter/nf_conntrack_netlink.c
+6
-8
net/netfilter/nf_conntrack_netlink.c
···
135
135
ret = ctnetlink_dump_tuples_ip(skb, tuple);
136
136
137
137
if (ret >= 0) {
138
-
l4proto = __nf_ct_l4proto_find(tuple->src.l3num,
139
-
tuple->dst.protonum);
138
+
l4proto = __nf_ct_l4proto_find(tuple->dst.protonum);
140
139
ret = ctnetlink_dump_tuples_proto(skb, tuple, l4proto);
141
140
}
142
141
rcu_read_unlock();
···
183
184
struct nlattr *nest_proto;
184
185
int ret;
185
186
186
-
l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
187
+
l4proto = __nf_ct_l4proto_find(nf_ct_protonum(ct));
187
188
if (!l4proto->to_nlattr)
188
189
return 0;
189
190
···
591
592
len = nla_policy_len(cta_ip_nla_policy, CTA_IP_MAX + 1);
592
593
len *= 3u; /* ORIG, REPLY, MASTER */
593
594
594
-
l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
595
+
l4proto = __nf_ct_l4proto_find(nf_ct_protonum(ct));
595
596
len += l4proto->nlattr_size;
596
597
if (l4proto->nlattr_tuple_size) {
597
598
len4 = l4proto->nlattr_tuple_size();
···
1053
1054
tuple->dst.protonum = nla_get_u8(tb[CTA_PROTO_NUM]);
1054
1055
1055
1056
rcu_read_lock();
1056
-
l4proto = __nf_ct_l4proto_find(tuple->src.l3num, tuple->dst.protonum);
1057
+
l4proto = __nf_ct_l4proto_find(tuple->dst.protonum);
1057
1058
1058
1059
if (likely(l4proto->nlattr_to_tuple)) {
1059
1060
ret = nla_validate_nested(attr, CTA_PROTO_MAX,
···
1701
1702
return err;
1702
1703
1703
1704
rcu_read_lock();
1704
-
l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
1705
+
l4proto = __nf_ct_l4proto_find(nf_ct_protonum(ct));
1705
1706
if (l4proto->from_nlattr)
1706
1707
err = l4proto->from_nlattr(tb, ct);
1707
1708
rcu_read_unlock();
···
2661
2662
rcu_read_lock();
2662
2663
ret = ctnetlink_dump_tuples_ip(skb, &m);
2663
2664
if (ret >= 0) {
2664
-
l4proto = __nf_ct_l4proto_find(tuple->src.l3num,
2665
-
tuple->dst.protonum);
2665
+
l4proto = __nf_ct_l4proto_find(tuple->dst.protonum);
2666
2666
ret = ctnetlink_dump_tuples_proto(skb, &m, l4proto);
2667
2667
}
2668
2668
rcu_read_unlock();
+29
-75
net/netfilter/nf_conntrack_proto.c
+29
-75
net/netfilter/nf_conntrack_proto.c
···
43
43
44
44
extern unsigned int nf_conntrack_net_id;
45
45
46
-
static struct nf_conntrack_l4proto __rcu **nf_ct_protos[NFPROTO_NUMPROTO] __read_mostly;
46
+
static struct nf_conntrack_l4proto __rcu *nf_ct_protos[MAX_NF_CT_PROTO] __read_mostly;
47
47
48
48
static DEFINE_MUTEX(nf_ct_proto_mutex);
49
49
···
124
124
EXPORT_SYMBOL_GPL(nf_ct_l4proto_log_invalid);
125
125
#endif
126
126
127
-
const struct nf_conntrack_l4proto *
128
-
__nf_ct_l4proto_find(u_int16_t l3proto, u_int8_t l4proto)
127
+
const struct nf_conntrack_l4proto *__nf_ct_l4proto_find(u8 l4proto)
129
128
{
130
-
if (unlikely(l3proto >= NFPROTO_NUMPROTO || nf_ct_protos[l3proto] == NULL))
129
+
if (unlikely(l4proto >= ARRAY_SIZE(nf_ct_protos)))
131
130
return &nf_conntrack_l4proto_generic;
132
131
133
-
return rcu_dereference(nf_ct_protos[l3proto][l4proto]);
132
+
return rcu_dereference(nf_ct_protos[l4proto]);
134
133
}
135
134
EXPORT_SYMBOL_GPL(__nf_ct_l4proto_find);
136
135
137
-
const struct nf_conntrack_l4proto *
138
-
nf_ct_l4proto_find_get(u_int16_t l3num, u_int8_t l4num)
136
+
const struct nf_conntrack_l4proto *nf_ct_l4proto_find_get(u8 l4num)
139
137
{
140
138
const struct nf_conntrack_l4proto *p;
141
139
142
140
rcu_read_lock();
143
-
p = __nf_ct_l4proto_find(l3num, l4num);
141
+
p = __nf_ct_l4proto_find(l4num);
144
142
if (!try_module_get(p->me))
145
143
p = &nf_conntrack_l4proto_generic;
146
144
rcu_read_unlock();
···
157
159
{
158
160
const struct nf_conntrack_l4proto *l4proto;
159
161
l4proto = data;
160
-
return nf_ct_protonum(i) == l4proto->l4proto &&
161
-
nf_ct_l3num(i) == l4proto->l3proto;
162
+
return nf_ct_protonum(i) == l4proto->l4proto;
162
163
}
163
164
164
165
static struct nf_proto_net *nf_ct_l4proto_net(struct net *net,
···
216
219
{
217
220
int ret = 0;
218
221
219
-
if (l4proto->l3proto >= ARRAY_SIZE(nf_ct_protos))
220
-
return -EBUSY;
221
-
222
222
if ((l4proto->to_nlattr && l4proto->nlattr_size == 0) ||
223
223
(l4proto->tuple_to_nlattr && !l4proto->nlattr_tuple_size))
224
224
return -EINVAL;
225
225
226
226
mutex_lock(&nf_ct_proto_mutex);
227
-
if (!nf_ct_protos[l4proto->l3proto]) {
228
-
/* l3proto may be loaded latter. */
229
-
struct nf_conntrack_l4proto __rcu **proto_array;
230
-
int i;
231
-
232
-
proto_array =
233
-
kmalloc_array(MAX_NF_CT_PROTO,
234
-
sizeof(struct nf_conntrack_l4proto *),
235
-
GFP_KERNEL);
236
-
if (proto_array == NULL) {
237
-
ret = -ENOMEM;
238
-
goto out_unlock;
239
-
}
240
-
241
-
for (i = 0; i < MAX_NF_CT_PROTO; i++)
242
-
RCU_INIT_POINTER(proto_array[i],
243
-
&nf_conntrack_l4proto_generic);
244
-
245
-
/* Before making proto_array visible to lockless readers,
246
-
* we must make sure its content is committed to memory.
247
-
*/
248
-
smp_wmb();
249
-
250
-
nf_ct_protos[l4proto->l3proto] = proto_array;
251
-
} else if (rcu_dereference_protected(
252
-
nf_ct_protos[l4proto->l3proto][l4proto->l4proto],
227
+
if (rcu_dereference_protected(
228
+
nf_ct_protos[l4proto->l4proto],
253
229
lockdep_is_held(&nf_ct_proto_mutex)
254
230
) != &nf_conntrack_l4proto_generic) {
255
231
ret = -EBUSY;
256
232
goto out_unlock;
257
233
}
258
234
259
-
rcu_assign_pointer(nf_ct_protos[l4proto->l3proto][l4proto->l4proto],
260
-
l4proto);
235
+
rcu_assign_pointer(nf_ct_protos[l4proto->l4proto], l4proto);
261
236
out_unlock:
262
237
mutex_unlock(&nf_ct_proto_mutex);
263
238
return ret;
···
265
296
static void __nf_ct_l4proto_unregister_one(const struct nf_conntrack_l4proto *l4proto)
266
297
267
298
{
268
-
BUG_ON(l4proto->l3proto >= ARRAY_SIZE(nf_ct_protos));
299
+
BUG_ON(l4proto->l4proto >= ARRAY_SIZE(nf_ct_protos));
269
300
270
301
BUG_ON(rcu_dereference_protected(
271
-
nf_ct_protos[l4proto->l3proto][l4proto->l4proto],
302
+
nf_ct_protos[l4proto->l4proto],
272
303
lockdep_is_held(&nf_ct_proto_mutex)
273
304
) != l4proto);
274
-
rcu_assign_pointer(nf_ct_protos[l4proto->l3proto][l4proto->l4proto],
305
+
rcu_assign_pointer(nf_ct_protos[l4proto->l4proto],
275
306
&nf_conntrack_l4proto_generic);
276
307
}
277
308
···
321
352
nf_ct_l4proto_register(const struct nf_conntrack_l4proto * const l4proto[],
322
353
unsigned int num_proto)
323
354
{
324
-
int ret = -EINVAL, ver;
355
+
int ret = -EINVAL;
325
356
unsigned int i;
326
357
327
358
for (i = 0; i < num_proto; i++) {
···
330
361
break;
331
362
}
332
363
if (i != num_proto) {
333
-
ver = l4proto[i]->l3proto == PF_INET6 ? 6 : 4;
334
-
pr_err("nf_conntrack_ipv%d: can't register l4 %d proto.\n",
335
-
ver, l4proto[i]->l4proto);
364
+
pr_err("nf_conntrack: can't register l4 %d proto.\n",
365
+
l4proto[i]->l4proto);
336
366
nf_ct_l4proto_unregister(l4proto, i);
337
367
}
338
368
return ret;
···
350
382
break;
351
383
}
352
384
if (i != num_proto) {
353
-
pr_err("nf_conntrack_proto_%d %d: pernet registration failed\n",
354
-
l4proto[i]->l4proto,
355
-
l4proto[i]->l3proto == PF_INET6 ? 6 : 4);
385
+
pr_err("nf_conntrack %d: pernet registration failed\n",
386
+
l4proto[i]->l4proto);
356
387
nf_ct_l4proto_pernet_unregister(net, l4proto, i);
357
388
}
358
389
return ret;
···
878
911
EXPORT_SYMBOL_GPL(nf_ct_netns_put);
879
912
880
913
static const struct nf_conntrack_l4proto * const builtin_l4proto[] = {
881
-
&nf_conntrack_l4proto_tcp4,
882
-
&nf_conntrack_l4proto_udp4,
914
+
&nf_conntrack_l4proto_tcp,
915
+
&nf_conntrack_l4proto_udp,
883
916
&nf_conntrack_l4proto_icmp,
884
917
#ifdef CONFIG_NF_CT_PROTO_DCCP
885
-
&nf_conntrack_l4proto_dccp4,
918
+
&nf_conntrack_l4proto_dccp,
886
919
#endif
887
920
#ifdef CONFIG_NF_CT_PROTO_SCTP
888
-
&nf_conntrack_l4proto_sctp4,
921
+
&nf_conntrack_l4proto_sctp,
889
922
#endif
890
923
#ifdef CONFIG_NF_CT_PROTO_UDPLITE
891
-
&nf_conntrack_l4proto_udplite4,
924
+
&nf_conntrack_l4proto_udplite,
892
925
#endif
893
926
#if IS_ENABLED(CONFIG_IPV6)
894
-
&nf_conntrack_l4proto_tcp6,
895
-
&nf_conntrack_l4proto_udp6,
896
927
&nf_conntrack_l4proto_icmpv6,
897
-
#ifdef CONFIG_NF_CT_PROTO_DCCP
898
-
&nf_conntrack_l4proto_dccp6,
899
-
#endif
900
-
#ifdef CONFIG_NF_CT_PROTO_SCTP
901
-
&nf_conntrack_l4proto_sctp6,
902
-
#endif
903
-
#ifdef CONFIG_NF_CT_PROTO_UDPLITE
904
-
&nf_conntrack_l4proto_udplite6,
905
-
#endif
906
928
#endif /* CONFIG_IPV6 */
907
929
};
908
930
909
931
int nf_conntrack_proto_init(void)
910
932
{
911
-
int ret = 0;
933
+
int ret = 0, i;
912
934
913
935
ret = nf_register_sockopt(&so_getorigdst);
914
936
if (ret < 0)
···
908
952
if (ret < 0)
909
953
goto cleanup_sockopt;
910
954
#endif
955
+
956
+
for (i = 0; i < ARRAY_SIZE(nf_ct_protos); i++)
957
+
RCU_INIT_POINTER(nf_ct_protos[i],
958
+
&nf_conntrack_l4proto_generic);
959
+
911
960
ret = nf_ct_l4proto_register(builtin_l4proto,
912
961
ARRAY_SIZE(builtin_l4proto));
913
962
if (ret < 0)
···
930
969
931
970
void nf_conntrack_proto_fini(void)
932
971
{
933
-
unsigned int i;
934
-
935
972
nf_unregister_sockopt(&so_getorigdst);
936
973
#if IS_ENABLED(CONFIG_IPV6)
937
974
nf_unregister_sockopt(&so_getorigdst6);
938
975
#endif
939
-
/* No need to call nf_ct_l4proto_unregister(), the register
940
-
* tables are free'd here anyway.
941
-
*/
942
-
for (i = 0; i < ARRAY_SIZE(nf_ct_protos); i++)
943
-
kfree(nf_ct_protos[i]);
944
976
}
945
977
946
978
int nf_conntrack_proto_pernet_init(struct net *net)
+1
-34
net/netfilter/nf_conntrack_proto_dccp.c
+1
-34
net/netfilter/nf_conntrack_proto_dccp.c
···
842
842
return &net->ct.nf_ct_proto.dccp.pn;
843
843
}
844
844
845
-
const struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp4 = {
846
-
.l3proto = AF_INET,
845
+
const struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp = {
847
846
.l4proto = IPPROTO_DCCP,
848
847
.packet = dccp_packet,
849
848
.can_early_drop = dccp_can_early_drop,
···
870
871
.init_net = dccp_init_net,
871
872
.get_net_proto = dccp_get_net_proto,
872
873
};
873
-
EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_dccp4);
874
-
875
-
const struct nf_conntrack_l4proto nf_conntrack_l4proto_dccp6 = {
876
-
.l3proto = AF_INET6,
877
-
.l4proto = IPPROTO_DCCP,
878
-
.packet = dccp_packet,
879
-
.can_early_drop = dccp_can_early_drop,
880
-
#ifdef CONFIG_NF_CONNTRACK_PROCFS
881
-
.print_conntrack = dccp_print_conntrack,
882
-
#endif
883
-
#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
884
-
.nlattr_size = DCCP_NLATTR_SIZE,
885
-
.to_nlattr = dccp_to_nlattr,
886
-
.from_nlattr = nlattr_to_dccp,
887
-
.tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
888
-
.nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
889
-
.nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
890
-
.nla_policy = nf_ct_port_nla_policy,
891
-
#endif
892
-
#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
893
-
.ctnl_timeout = {
894
-
.nlattr_to_obj = dccp_timeout_nlattr_to_obj,
895
-
.obj_to_nlattr = dccp_timeout_obj_to_nlattr,
896
-
.nlattr_max = CTA_TIMEOUT_DCCP_MAX,
897
-
.obj_size = sizeof(unsigned int) * CT_DCCP_MAX,
898
-
.nla_policy = dccp_timeout_nla_policy,
899
-
},
900
-
#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
901
-
.init_net = dccp_init_net,
902
-
.get_net_proto = dccp_get_net_proto,
903
-
};
904
-
EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_dccp6);
-1
net/netfilter/nf_conntrack_proto_generic.c
-1
net/netfilter/nf_conntrack_proto_generic.c
+3
-1
net/netfilter/nf_conntrack_proto_gre.c
+3
-1
net/netfilter/nf_conntrack_proto_gre.c
···
238
238
enum ip_conntrack_info ctinfo,
239
239
const struct nf_hook_state *state)
240
240
{
241
+
if (state->pf != NFPROTO_IPV4)
242
+
return -NF_ACCEPT;
243
+
241
244
if (!nf_ct_is_confirmed(ct)) {
242
245
unsigned int *timeouts = nf_ct_timeout_lookup(ct);
243
246
···
347
344
348
345
/* protocol helper struct */
349
346
static const struct nf_conntrack_l4proto nf_conntrack_l4proto_gre4 = {
350
-
.l3proto = AF_INET,
351
347
.l4proto = IPPROTO_GRE,
352
348
.pkt_to_tuple = gre_pkt_to_tuple,
353
349
#ifdef CONFIG_NF_CONNTRACK_PROCFS
+4
-2
net/netfilter/nf_conntrack_proto_icmp.c
+4
-2
net/netfilter/nf_conntrack_proto_icmp.c
···
90
90
[ICMP_ADDRESS] = 1
91
91
};
92
92
93
+
if (state->pf != NFPROTO_IPV4)
94
+
return -NF_ACCEPT;
95
+
93
96
if (ct->tuplehash[0].tuple.dst.u.icmp.type >= sizeof(valid_new) ||
94
97
!valid_new[ct->tuplehash[0].tuple.dst.u.icmp.type]) {
95
98
/* Can't create a new ICMP `conn' with this. */
···
134
131
}
135
132
136
133
/* rcu_read_lock()ed by nf_hook_thresh */
137
-
innerproto = __nf_ct_l4proto_find(PF_INET, origtuple.dst.protonum);
134
+
innerproto = __nf_ct_l4proto_find(origtuple.dst.protonum);
138
135
139
136
/* Ordinarily, we'd expect the inverted tupleproto, but it's
140
137
been preserved inside the ICMP. */
···
352
349
353
350
const struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp =
354
351
{
355
-
.l3proto = PF_INET,
356
352
.l4proto = IPPROTO_ICMP,
357
353
.pkt_to_tuple = icmp_pkt_to_tuple,
358
354
.invert_tuple = icmp_invert_tuple,
+4
-2
net/netfilter/nf_conntrack_proto_icmpv6.c
+4
-2
net/netfilter/nf_conntrack_proto_icmpv6.c
···
103
103
[ICMPV6_NI_QUERY - 128] = 1
104
104
};
105
105
106
+
if (state->pf != NFPROTO_IPV6)
107
+
return -NF_ACCEPT;
108
+
106
109
if (!nf_ct_is_confirmed(ct)) {
107
110
int type = ct->tuplehash[0].tuple.dst.u.icmp.type - 128;
108
111
···
153
150
}
154
151
155
152
/* rcu_read_lock()ed by nf_hook_thresh */
156
-
inproto = __nf_ct_l4proto_find(PF_INET6, origtuple.dst.protonum);
153
+
inproto = __nf_ct_l4proto_find(origtuple.dst.protonum);
157
154
158
155
/* Ordinarily, we'd expect the inverted tupleproto, but it's
159
156
been preserved inside the ICMP. */
···
363
360
364
361
const struct nf_conntrack_l4proto nf_conntrack_l4proto_icmpv6 =
365
362
{
366
-
.l3proto = PF_INET6,
367
363
.l4proto = IPPROTO_ICMPV6,
368
364
.pkt_to_tuple = icmpv6_pkt_to_tuple,
369
365
.invert_tuple = icmpv6_invert_tuple,
+1
-35
net/netfilter/nf_conntrack_proto_sctp.c
+1
-35
net/netfilter/nf_conntrack_proto_sctp.c
···
759
759
return &net->ct.nf_ct_proto.sctp.pn;
760
760
}
761
761
762
-
const struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 = {
763
-
.l3proto = PF_INET,
762
+
const struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp = {
764
763
.l4proto = IPPROTO_SCTP,
765
764
#ifdef CONFIG_NF_CONNTRACK_PROCFS
766
765
.print_conntrack = sctp_print_conntrack,
···
788
789
.init_net = sctp_init_net,
789
790
.get_net_proto = sctp_get_net_proto,
790
791
};
791
-
EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_sctp4);
792
-
793
-
const struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 = {
794
-
.l3proto = PF_INET6,
795
-
.l4proto = IPPROTO_SCTP,
796
-
#ifdef CONFIG_NF_CONNTRACK_PROCFS
797
-
.print_conntrack = sctp_print_conntrack,
798
-
#endif
799
-
.packet = sctp_packet,
800
-
.can_early_drop = sctp_can_early_drop,
801
-
.me = THIS_MODULE,
802
-
#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
803
-
.nlattr_size = SCTP_NLATTR_SIZE,
804
-
.to_nlattr = sctp_to_nlattr,
805
-
.from_nlattr = nlattr_to_sctp,
806
-
.tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
807
-
.nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
808
-
.nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
809
-
.nla_policy = nf_ct_port_nla_policy,
810
-
#endif
811
-
#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
812
-
.ctnl_timeout = {
813
-
.nlattr_to_obj = sctp_timeout_nlattr_to_obj,
814
-
.obj_to_nlattr = sctp_timeout_obj_to_nlattr,
815
-
.nlattr_max = CTA_TIMEOUT_SCTP_MAX,
816
-
.obj_size = sizeof(unsigned int) * SCTP_CONNTRACK_MAX,
817
-
.nla_policy = sctp_timeout_nla_policy,
818
-
},
819
-
#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
820
-
.init_net = sctp_init_net,
821
-
.get_net_proto = sctp_get_net_proto,
822
-
};
823
-
EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_sctp6);
+1
-36
net/netfilter/nf_conntrack_proto_tcp.c
+1
-36
net/netfilter/nf_conntrack_proto_tcp.c
···
1534
1534
return &net->ct.nf_ct_proto.tcp.pn;
1535
1535
}
1536
1536
1537
-
const struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp4 =
1537
+
const struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp =
1538
1538
{
1539
-
.l3proto = PF_INET,
1540
1539
.l4proto = IPPROTO_TCP,
1541
1540
#ifdef CONFIG_NF_CONNTRACK_PROCFS
1542
1541
.print_conntrack = tcp_print_conntrack,
···
1564
1565
.init_net = tcp_init_net,
1565
1566
.get_net_proto = tcp_get_net_proto,
1566
1567
};
1567
-
EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_tcp4);
1568
-
1569
-
const struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp6 =
1570
-
{
1571
-
.l3proto = PF_INET6,
1572
-
.l4proto = IPPROTO_TCP,
1573
-
#ifdef CONFIG_NF_CONNTRACK_PROCFS
1574
-
.print_conntrack = tcp_print_conntrack,
1575
-
#endif
1576
-
.packet = tcp_packet,
1577
-
.can_early_drop = tcp_can_early_drop,
1578
-
#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
1579
-
.nlattr_size = TCP_NLATTR_SIZE,
1580
-
.to_nlattr = tcp_to_nlattr,
1581
-
.from_nlattr = nlattr_to_tcp,
1582
-
.tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
1583
-
.nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
1584
-
.nlattr_tuple_size = tcp_nlattr_tuple_size,
1585
-
.nla_policy = nf_ct_port_nla_policy,
1586
-
#endif
1587
-
#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
1588
-
.ctnl_timeout = {
1589
-
.nlattr_to_obj = tcp_timeout_nlattr_to_obj,
1590
-
.obj_to_nlattr = tcp_timeout_obj_to_nlattr,
1591
-
.nlattr_max = CTA_TIMEOUT_TCP_MAX,
1592
-
.obj_size = sizeof(unsigned int) *
1593
-
TCP_CONNTRACK_TIMEOUT_MAX,
1594
-
.nla_policy = tcp_timeout_nla_policy,
1595
-
},
1596
-
#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
1597
-
.init_net = tcp_init_net,
1598
-
.get_net_proto = tcp_get_net_proto,
1599
-
};
1600
-
EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_tcp6);
+2
-60
net/netfilter/nf_conntrack_proto_udp.c
+2
-60
net/netfilter/nf_conntrack_proto_udp.c
···
310
310
return &net->ct.nf_ct_proto.udp.pn;
311
311
}
312
312
313
-
const struct nf_conntrack_l4proto nf_conntrack_l4proto_udp4 =
313
+
const struct nf_conntrack_l4proto nf_conntrack_l4proto_udp =
314
314
{
315
-
.l3proto = PF_INET,
316
315
.l4proto = IPPROTO_UDP,
317
316
.allow_clash = true,
318
317
.packet = udp_packet,
···
333
334
.init_net = udp_init_net,
334
335
.get_net_proto = udp_get_net_proto,
335
336
};
336
-
EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_udp4);
337
337
338
338
#ifdef CONFIG_NF_CT_PROTO_UDPLITE
339
-
const struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite4 =
339
+
const struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite =
340
340
{
341
-
.l3proto = PF_INET,
342
341
.l4proto = IPPROTO_UDPLITE,
343
342
.allow_clash = true,
344
343
.packet = udplite_packet,
···
358
361
.init_net = udp_init_net,
359
362
.get_net_proto = udp_get_net_proto,
360
363
};
361
-
EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_udplite4);
362
-
#endif
363
-
364
-
const struct nf_conntrack_l4proto nf_conntrack_l4proto_udp6 =
365
-
{
366
-
.l3proto = PF_INET6,
367
-
.l4proto = IPPROTO_UDP,
368
-
.allow_clash = true,
369
-
.packet = udp_packet,
370
-
#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
371
-
.tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
372
-
.nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
373
-
.nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
374
-
.nla_policy = nf_ct_port_nla_policy,
375
-
#endif
376
-
#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
377
-
.ctnl_timeout = {
378
-
.nlattr_to_obj = udp_timeout_nlattr_to_obj,
379
-
.obj_to_nlattr = udp_timeout_obj_to_nlattr,
380
-
.nlattr_max = CTA_TIMEOUT_UDP_MAX,
381
-
.obj_size = sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX,
382
-
.nla_policy = udp_timeout_nla_policy,
383
-
},
384
-
#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
385
-
.init_net = udp_init_net,
386
-
.get_net_proto = udp_get_net_proto,
387
-
};
388
-
EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_udp6);
389
-
390
-
#ifdef CONFIG_NF_CT_PROTO_UDPLITE
391
-
const struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite6 =
392
-
{
393
-
.l3proto = PF_INET6,
394
-
.l4proto = IPPROTO_UDPLITE,
395
-
.allow_clash = true,
396
-
.packet = udplite_packet,
397
-
#if IS_ENABLED(CONFIG_NF_CT_NETLINK)
398
-
.tuple_to_nlattr = nf_ct_port_tuple_to_nlattr,
399
-
.nlattr_to_tuple = nf_ct_port_nlattr_to_tuple,
400
-
.nlattr_tuple_size = nf_ct_port_nlattr_tuple_size,
401
-
.nla_policy = nf_ct_port_nla_policy,
402
-
#endif
403
-
#ifdef CONFIG_NF_CONNTRACK_TIMEOUT
404
-
.ctnl_timeout = {
405
-
.nlattr_to_obj = udp_timeout_nlattr_to_obj,
406
-
.obj_to_nlattr = udp_timeout_obj_to_nlattr,
407
-
.nlattr_max = CTA_TIMEOUT_UDP_MAX,
408
-
.obj_size = sizeof(unsigned int) * CTA_TIMEOUT_UDP_MAX,
409
-
.nla_policy = udp_timeout_nla_policy,
410
-
},
411
-
#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
412
-
.init_net = udp_init_net,
413
-
.get_net_proto = udp_get_net_proto,
414
-
};
415
-
EXPORT_SYMBOL_GPL(nf_conntrack_l4proto_udplite6);
416
364
#endif
+1
-1
net/netfilter/nf_conntrack_standalone.c
+1
-1
net/netfilter/nf_conntrack_standalone.c
+1
-1
net/netfilter/nf_flow_table_core.c
+1
-1
net/netfilter/nf_flow_table_core.c
+6
-5
net/netfilter/nfnetlink_cttimeout.c
+6
-5
net/netfilter/nfnetlink_cttimeout.c
···
122
122
return -EBUSY;
123
123
}
124
124
125
-
l4proto = nf_ct_l4proto_find_get(l3num, l4num);
125
+
l4proto = nf_ct_l4proto_find_get(l4num);
126
126
127
127
/* This protocol is not supportted, skip. */
128
128
if (l4proto->l4proto != l4num) {
···
361
361
362
362
l3num = ntohs(nla_get_be16(cda[CTA_TIMEOUT_L3PROTO]));
363
363
l4num = nla_get_u8(cda[CTA_TIMEOUT_L4PROTO]);
364
-
l4proto = nf_ct_l4proto_find_get(l3num, l4num);
364
+
l4proto = nf_ct_l4proto_find_get(l4num);
365
365
366
366
/* This protocol is not supported, skip. */
367
367
if (l4proto->l4proto != l4num) {
···
383
383
384
384
static int
385
385
cttimeout_default_fill_info(struct net *net, struct sk_buff *skb, u32 portid,
386
-
u32 seq, u32 type, int event,
386
+
u32 seq, u32 type, int event, u16 l3num,
387
387
const struct nf_conntrack_l4proto *l4proto)
388
388
{
389
389
struct nlmsghdr *nlh;
···
402
402
nfmsg->version = NFNETLINK_V0;
403
403
nfmsg->res_id = 0;
404
404
405
-
if (nla_put_be16(skb, CTA_TIMEOUT_L3PROTO, htons(l4proto->l3proto)) ||
405
+
if (nla_put_be16(skb, CTA_TIMEOUT_L3PROTO, htons(l3num)) ||
406
406
nla_put_u8(skb, CTA_TIMEOUT_L4PROTO, l4proto->l4proto))
407
407
goto nla_put_failure;
408
408
···
442
442
443
443
l3num = ntohs(nla_get_be16(cda[CTA_TIMEOUT_L3PROTO]));
444
444
l4num = nla_get_u8(cda[CTA_TIMEOUT_L4PROTO]);
445
-
l4proto = nf_ct_l4proto_find_get(l3num, l4num);
445
+
l4proto = nf_ct_l4proto_find_get(l4num);
446
446
447
447
/* This protocol is not supported, skip. */
448
448
if (l4proto->l4proto != l4num) {
···
460
460
nlh->nlmsg_seq,
461
461
NFNL_MSG_TYPE(nlh->nlmsg_type),
462
462
IPCTNL_MSG_TIMEOUT_DEFAULT_SET,
463
+
l3num,
463
464
l4proto);
464
465
if (ret <= 0) {
465
466
kfree_skb(skb2);
+1
-1
net/netfilter/nft_ct.c
+1
-1
net/netfilter/nft_ct.c
+1
-1
net/netfilter/xt_CT.c
+1
-1
net/netfilter/xt_CT.c
···
159
159
/* Make sure the timeout policy matches any existing protocol tracker,
160
160
* otherwise default to generic.
161
161
*/
162
-
l4proto = __nf_ct_l4proto_find(par->family, proto);
162
+
l4proto = __nf_ct_l4proto_find(proto);
163
163
if (timeout->l4proto->l4proto != l4proto->l4proto) {
164
164
ret = -EINVAL;
165
165
pr_info_ratelimited("Timeout policy `%s' can only be used by L%d protocol number %d\n",