tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
netfilter: add more values to enum ip_conntrack_info
Following error is raised (and other similar ones) :
net/ipv4/netfilter/nf_nat_standalone.c: In function ‘nf_nat_fn’:
net/ipv4/netfilter/nf_nat_standalone.c:119:2: warning: case value ‘4’
not in enumerated type ‘enum ip_conntrack_info’
gcc barfs on adding two enum values and getting a not enumerated
result :
case IP_CT_RELATED+IP_CT_IS_REPLY:
Add missing enum values
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
CC: David Miller <davem@davemloft.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
authored by
Eric Dumazet
and committed by
Pablo Neira Ayuso
fb048833
374eeb5a
+26
-27
+3
include/linux/netfilter/nf_conntrack_common.h
+3
include/linux/netfilter/nf_conntrack_common.h
···
18
18
/* >= this indicates reply direction */
19
19
IP_CT_IS_REPLY,
20
20
21
+
IP_CT_ESTABLISHED_REPLY = IP_CT_ESTABLISHED + IP_CT_IS_REPLY,
22
+
IP_CT_RELATED_REPLY = IP_CT_RELATED + IP_CT_IS_REPLY,
23
+
IP_CT_NEW_REPLY = IP_CT_NEW + IP_CT_IS_REPLY,
21
24
/* Number of distinct IP_CT types (no NEW in reply dirn). */
22
25
IP_CT_NUMBER = IP_CT_IS_REPLY * 2 - 1
23
26
};
+3
-3
net/ipv4/netfilter/ipt_CLUSTERIP.c
+3
-3
net/ipv4/netfilter/ipt_CLUSTERIP.c
···
307
307
* error messages (RELATED) and information requests (see below) */
308
308
if (ip_hdr(skb)->protocol == IPPROTO_ICMP &&
309
309
(ctinfo == IP_CT_RELATED ||
310
-
ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY))
310
+
ctinfo == IP_CT_RELATED_REPLY))
311
311
return XT_CONTINUE;
312
312
313
313
/* ip_conntrack_icmp guarantees us that we only have ICMP_ECHO,
···
321
321
ct->mark = hash;
322
322
break;
323
323
case IP_CT_RELATED:
324
-
case IP_CT_RELATED+IP_CT_IS_REPLY:
324
+
case IP_CT_RELATED_REPLY:
325
325
/* FIXME: we don't handle expectations at the
326
326
* moment. they can arrive on a different node than
327
327
* the master connection (e.g. FTP passive mode) */
328
328
case IP_CT_ESTABLISHED:
329
-
case IP_CT_ESTABLISHED+IP_CT_IS_REPLY:
329
+
case IP_CT_ESTABLISHED_REPLY:
330
330
break;
331
331
default:
332
332
break;
+1
-1
net/ipv4/netfilter/ipt_MASQUERADE.c
+1
-1
net/ipv4/netfilter/ipt_MASQUERADE.c
···
60
60
nat = nfct_nat(ct);
61
61
62
62
NF_CT_ASSERT(ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED ||
63
-
ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY));
63
+
ctinfo == IP_CT_RELATED_REPLY));
64
64
65
65
/* Source address is 0.0.0.0 - locally generated packet that is
66
66
* probably not supposed to be masqueraded.
+1
-1
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+1
-1
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+1
-1
net/ipv4/netfilter/nf_nat_core.c
+1
-1
net/ipv4/netfilter/nf_nat_core.c
···
433
433
434
434
/* Must be RELATED */
435
435
NF_CT_ASSERT(skb->nfctinfo == IP_CT_RELATED ||
436
-
skb->nfctinfo == IP_CT_RELATED+IP_CT_IS_REPLY);
436
+
skb->nfctinfo == IP_CT_RELATED_REPLY);
437
437
438
438
/* Redirects on non-null nats must be dropped, else they'll
439
439
start talking to each other without our translation, and be
+1
-1
net/ipv4/netfilter/nf_nat_rule.c
+1
-1
net/ipv4/netfilter/nf_nat_rule.c
···
53
53
54
54
/* Connection must be valid and new. */
55
55
NF_CT_ASSERT(ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED ||
56
-
ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY));
56
+
ctinfo == IP_CT_RELATED_REPLY));
57
57
NF_CT_ASSERT(par->out != NULL);
58
58
59
59
return nf_nat_setup_info(ct, &mr->range[0], IP_NAT_MANIP_SRC);
+2
-2
net/ipv4/netfilter/nf_nat_standalone.c
+2
-2
net/ipv4/netfilter/nf_nat_standalone.c
···
116
116
117
117
switch (ctinfo) {
118
118
case IP_CT_RELATED:
119
-
case IP_CT_RELATED+IP_CT_IS_REPLY:
119
+
case IP_CT_RELATED_REPLY:
120
120
if (ip_hdr(skb)->protocol == IPPROTO_ICMP) {
121
121
if (!nf_nat_icmp_reply_translation(ct, ctinfo,
122
122
hooknum, skb))
···
144
144
default:
145
145
/* ESTABLISHED */
146
146
NF_CT_ASSERT(ctinfo == IP_CT_ESTABLISHED ||
147
-
ctinfo == (IP_CT_ESTABLISHED+IP_CT_IS_REPLY));
147
+
ctinfo == IP_CT_ESTABLISHED_REPLY);
148
148
}
149
149
150
150
return nf_nat_packet(ct, ctinfo, hooknum, skb);
+1
-1
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+1
-1
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+2
-2
net/netfilter/nf_conntrack_core.c
+2
-2
net/netfilter/nf_conntrack_core.c
···
850
850
851
851
/* It exists; we have (non-exclusive) reference. */
852
852
if (NF_CT_DIRECTION(h) == IP_CT_DIR_REPLY) {
853
-
*ctinfo = IP_CT_ESTABLISHED + IP_CT_IS_REPLY;
853
+
*ctinfo = IP_CT_ESTABLISHED_REPLY;
854
854
/* Please set reply bit if this packet OK */
855
855
*set_reply = 1;
856
856
} else {
···
1143
1143
/* This ICMP is in reverse direction to the packet which caused it */
1144
1144
ct = nf_ct_get(skb, &ctinfo);
1145
1145
if (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL)
1146
-
ctinfo = IP_CT_RELATED + IP_CT_IS_REPLY;
1146
+
ctinfo = IP_CT_RELATED_REPLY;
1147
1147
else
1148
1148
ctinfo = IP_CT_RELATED;
1149
1149
+1
-1
net/netfilter/nf_conntrack_ftp.c
+1
-1
net/netfilter/nf_conntrack_ftp.c
···
368
368
369
369
/* Until there's been traffic both ways, don't look in packets. */
370
370
if (ctinfo != IP_CT_ESTABLISHED &&
371
-
ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY) {
371
+
ctinfo != IP_CT_ESTABLISHED_REPLY) {
372
372
pr_debug("ftp: Conntrackinfo = %u\n", ctinfo);
373
373
return NF_ACCEPT;
374
374
}
+4
-6
net/netfilter/nf_conntrack_h323_main.c
+4
-6
net/netfilter/nf_conntrack_h323_main.c
···
571
571
int ret;
572
572
573
573
/* Until there's been traffic both ways, don't look in packets. */
574
-
if (ctinfo != IP_CT_ESTABLISHED &&
575
-
ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY) {
574
+
if (ctinfo != IP_CT_ESTABLISHED && ctinfo != IP_CT_ESTABLISHED_REPLY)
576
575
return NF_ACCEPT;
577
-
}
576
+
578
577
pr_debug("nf_ct_h245: skblen = %u\n", skb->len);
579
578
580
579
spin_lock_bh(&nf_h323_lock);
···
1124
1125
int ret;
1125
1126
1126
1127
/* Until there's been traffic both ways, don't look in packets. */
1127
-
if (ctinfo != IP_CT_ESTABLISHED &&
1128
-
ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY) {
1128
+
if (ctinfo != IP_CT_ESTABLISHED && ctinfo != IP_CT_ESTABLISHED_REPLY)
1129
1129
return NF_ACCEPT;
1130
-
}
1130
+
1131
1131
pr_debug("nf_ct_q931: skblen = %u\n", skb->len);
1132
1132
1133
1133
spin_lock_bh(&nf_h323_lock);
+1
-2
net/netfilter/nf_conntrack_irc.c
+1
-2
net/netfilter/nf_conntrack_irc.c
···
125
125
return NF_ACCEPT;
126
126
127
127
/* Until there's been traffic both ways, don't look in packets. */
128
-
if (ctinfo != IP_CT_ESTABLISHED &&
129
-
ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY)
128
+
if (ctinfo != IP_CT_ESTABLISHED && ctinfo != IP_CT_ESTABLISHED_REPLY)
130
129
return NF_ACCEPT;
131
130
132
131
/* Not a full tcp header? */
+1
-2
net/netfilter/nf_conntrack_pptp.c
+1
-2
net/netfilter/nf_conntrack_pptp.c
···
519
519
u_int16_t msg;
520
520
521
521
/* don't do any tracking before tcp handshake complete */
522
-
if (ctinfo != IP_CT_ESTABLISHED &&
523
-
ctinfo != IP_CT_ESTABLISHED + IP_CT_IS_REPLY)
522
+
if (ctinfo != IP_CT_ESTABLISHED && ctinfo != IP_CT_ESTABLISHED_REPLY)
524
523
return NF_ACCEPT;
525
524
526
525
nexthdr_off = protoff;
+1
-1
net/netfilter/nf_conntrack_sane.c
+1
-1
net/netfilter/nf_conntrack_sane.c
···
78
78
ct_sane_info = &nfct_help(ct)->help.ct_sane_info;
79
79
/* Until there's been traffic both ways, don't look in packets. */
80
80
if (ctinfo != IP_CT_ESTABLISHED &&
81
-
ctinfo != IP_CT_ESTABLISHED+IP_CT_IS_REPLY)
81
+
ctinfo != IP_CT_ESTABLISHED_REPLY)
82
82
return NF_ACCEPT;
83
83
84
84
/* Not a full tcp header? */
+1
-1
net/netfilter/nf_conntrack_sip.c
+1
-1
net/netfilter/nf_conntrack_sip.c
+2
-2
net/netfilter/xt_socket.c
+2
-2
net/netfilter/xt_socket.c
···
143
143
ct = nf_ct_get(skb, &ctinfo);
144
144
if (ct && !nf_ct_is_untracked(ct) &&
145
145
((iph->protocol != IPPROTO_ICMP &&
146
-
ctinfo == IP_CT_IS_REPLY + IP_CT_ESTABLISHED) ||
146
+
ctinfo == IP_CT_ESTABLISHED_REPLY) ||
147
147
(iph->protocol == IPPROTO_ICMP &&
148
-
ctinfo == IP_CT_IS_REPLY + IP_CT_RELATED)) &&
148
+
ctinfo == IP_CT_RELATED_REPLY)) &&
149
149
(ct->status & IPS_SRC_NAT_DONE)) {
150
150
151
151
daddr = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip;