提交 a71996fc 编写于 作者: A Alexey Dobriyan 提交者: Patrick McHardy

netfilter: netns nf_conntrack: pass conntrack to nf_conntrack_event_cache() not skb

This is cleaner, we already know conntrack to which event is relevant.
Signed-off-by: NAlexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: NPatrick McHardy <kaber@trash.net>
上级 678d6675
...@@ -28,10 +28,8 @@ extern void __nf_ct_event_cache_init(struct nf_conn *ct); ...@@ -28,10 +28,8 @@ extern void __nf_ct_event_cache_init(struct nf_conn *ct);
extern void nf_ct_event_cache_flush(void); extern void nf_ct_event_cache_flush(void);
static inline void static inline void
nf_conntrack_event_cache(enum ip_conntrack_events event, nf_conntrack_event_cache(enum ip_conntrack_events event, struct nf_conn *ct)
const struct sk_buff *skb)
{ {
struct nf_conn *ct = (struct nf_conn *)skb->nfct;
struct nf_conntrack_ecache *ecache; struct nf_conntrack_ecache *ecache;
local_bh_disable(); local_bh_disable();
......
...@@ -91,7 +91,7 @@ static int icmp_packet(struct nf_conn *ct, ...@@ -91,7 +91,7 @@ static int icmp_packet(struct nf_conn *ct,
nf_ct_kill_acct(ct, ctinfo, skb); nf_ct_kill_acct(ct, ctinfo, skb);
} else { } else {
atomic_inc(&ct->proto.icmp.count); atomic_inc(&ct->proto.icmp.count);
nf_conntrack_event_cache(IPCT_PROTOINFO_VOLATILE, skb); nf_conntrack_event_cache(IPCT_PROTOINFO_VOLATILE, ct);
nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_icmp_timeout); nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_icmp_timeout);
} }
......
...@@ -193,7 +193,7 @@ nf_nat_mangle_tcp_packet(struct sk_buff *skb, ...@@ -193,7 +193,7 @@ nf_nat_mangle_tcp_packet(struct sk_buff *skb,
nf_conntrack_tcp_update(skb, ip_hdrlen(skb), nf_conntrack_tcp_update(skb, ip_hdrlen(skb),
ct, CTINFO2DIR(ctinfo)); ct, CTINFO2DIR(ctinfo));
nf_conntrack_event_cache(IPCT_NATSEQADJ, skb); nf_conntrack_event_cache(IPCT_NATSEQADJ, ct);
} }
return 1; return 1;
} }
......
...@@ -93,7 +93,7 @@ static int icmpv6_packet(struct nf_conn *ct, ...@@ -93,7 +93,7 @@ static int icmpv6_packet(struct nf_conn *ct,
nf_ct_kill_acct(ct, ctinfo, skb); nf_ct_kill_acct(ct, ctinfo, skb);
} else { } else {
atomic_inc(&ct->proto.icmp.count); atomic_inc(&ct->proto.icmp.count);
nf_conntrack_event_cache(IPCT_PROTOINFO_VOLATILE, skb); nf_conntrack_event_cache(IPCT_PROTOINFO_VOLATILE, ct);
nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_icmpv6_timeout); nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_icmpv6_timeout);
} }
......
...@@ -370,14 +370,14 @@ __nf_conntrack_confirm(struct sk_buff *skb) ...@@ -370,14 +370,14 @@ __nf_conntrack_confirm(struct sk_buff *skb)
spin_unlock_bh(&nf_conntrack_lock); spin_unlock_bh(&nf_conntrack_lock);
help = nfct_help(ct); help = nfct_help(ct);
if (help && help->helper) if (help && help->helper)
nf_conntrack_event_cache(IPCT_HELPER, skb); nf_conntrack_event_cache(IPCT_HELPER, ct);
#ifdef CONFIG_NF_NAT_NEEDED #ifdef CONFIG_NF_NAT_NEEDED
if (test_bit(IPS_SRC_NAT_DONE_BIT, &ct->status) || if (test_bit(IPS_SRC_NAT_DONE_BIT, &ct->status) ||
test_bit(IPS_DST_NAT_DONE_BIT, &ct->status)) test_bit(IPS_DST_NAT_DONE_BIT, &ct->status))
nf_conntrack_event_cache(IPCT_NATINFO, skb); nf_conntrack_event_cache(IPCT_NATINFO, ct);
#endif #endif
nf_conntrack_event_cache(master_ct(ct) ? nf_conntrack_event_cache(master_ct(ct) ?
IPCT_RELATED : IPCT_NEW, skb); IPCT_RELATED : IPCT_NEW, ct);
return NF_ACCEPT; return NF_ACCEPT;
out: out:
...@@ -740,7 +740,7 @@ nf_conntrack_in(struct net *net, u_int8_t pf, unsigned int hooknum, ...@@ -740,7 +740,7 @@ nf_conntrack_in(struct net *net, u_int8_t pf, unsigned int hooknum,
} }
if (set_reply && !test_and_set_bit(IPS_SEEN_REPLY_BIT, &ct->status)) if (set_reply && !test_and_set_bit(IPS_SEEN_REPLY_BIT, &ct->status))
nf_conntrack_event_cache(IPCT_STATUS, skb); nf_conntrack_event_cache(IPCT_STATUS, ct);
return ret; return ret;
} }
...@@ -853,7 +853,7 @@ void __nf_ct_refresh_acct(struct nf_conn *ct, ...@@ -853,7 +853,7 @@ void __nf_ct_refresh_acct(struct nf_conn *ct,
/* must be unlocked when calling event cache */ /* must be unlocked when calling event cache */
if (event) if (event)
nf_conntrack_event_cache(event, skb); nf_conntrack_event_cache(event, ct);
} }
EXPORT_SYMBOL_GPL(__nf_ct_refresh_acct); EXPORT_SYMBOL_GPL(__nf_ct_refresh_acct);
......
...@@ -318,7 +318,8 @@ static int find_nl_seq(u32 seq, const struct nf_ct_ftp_master *info, int dir) ...@@ -318,7 +318,8 @@ static int find_nl_seq(u32 seq, const struct nf_ct_ftp_master *info, int dir)
} }
/* We don't update if it's older than what we have. */ /* We don't update if it's older than what we have. */
static void update_nl_seq(u32 nl_seq, struct nf_ct_ftp_master *info, int dir, static void update_nl_seq(struct nf_conn *ct, u32 nl_seq,
struct nf_ct_ftp_master *info, int dir,
struct sk_buff *skb) struct sk_buff *skb)
{ {
unsigned int i, oldest = NUM_SEQ_TO_REMEMBER; unsigned int i, oldest = NUM_SEQ_TO_REMEMBER;
...@@ -336,11 +337,11 @@ static void update_nl_seq(u32 nl_seq, struct nf_ct_ftp_master *info, int dir, ...@@ -336,11 +337,11 @@ static void update_nl_seq(u32 nl_seq, struct nf_ct_ftp_master *info, int dir,
if (info->seq_aft_nl_num[dir] < NUM_SEQ_TO_REMEMBER) { if (info->seq_aft_nl_num[dir] < NUM_SEQ_TO_REMEMBER) {
info->seq_aft_nl[dir][info->seq_aft_nl_num[dir]++] = nl_seq; info->seq_aft_nl[dir][info->seq_aft_nl_num[dir]++] = nl_seq;
nf_conntrack_event_cache(IPCT_HELPINFO_VOLATILE, skb); nf_conntrack_event_cache(IPCT_HELPINFO_VOLATILE, ct);
} else if (oldest != NUM_SEQ_TO_REMEMBER && } else if (oldest != NUM_SEQ_TO_REMEMBER &&
after(nl_seq, info->seq_aft_nl[dir][oldest])) { after(nl_seq, info->seq_aft_nl[dir][oldest])) {
info->seq_aft_nl[dir][oldest] = nl_seq; info->seq_aft_nl[dir][oldest] = nl_seq;
nf_conntrack_event_cache(IPCT_HELPINFO_VOLATILE, skb); nf_conntrack_event_cache(IPCT_HELPINFO_VOLATILE, ct);
} }
} }
...@@ -509,7 +510,7 @@ static int help(struct sk_buff *skb, ...@@ -509,7 +510,7 @@ static int help(struct sk_buff *skb,
/* Now if this ends in \n, update ftp info. Seq may have been /* Now if this ends in \n, update ftp info. Seq may have been
* adjusted by NAT code. */ * adjusted by NAT code. */
if (ends_in_nl) if (ends_in_nl)
update_nl_seq(seq, ct_ftp_info, dir, skb); update_nl_seq(ct, seq, ct_ftp_info, dir, skb);
out: out:
spin_unlock_bh(&nf_ftp_lock); spin_unlock_bh(&nf_ftp_lock);
return ret; return ret;
......
...@@ -229,7 +229,7 @@ static int gre_packet(struct nf_conn *ct, ...@@ -229,7 +229,7 @@ static int gre_packet(struct nf_conn *ct,
ct->proto.gre.stream_timeout); ct->proto.gre.stream_timeout);
/* Also, more likely to be important, and not a probe. */ /* Also, more likely to be important, and not a probe. */
set_bit(IPS_ASSURED_BIT, &ct->status); set_bit(IPS_ASSURED_BIT, &ct->status);
nf_conntrack_event_cache(IPCT_STATUS, skb); nf_conntrack_event_cache(IPCT_STATUS, ct);
} else } else
nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_refresh_acct(ct, ctinfo, skb,
ct->proto.gre.timeout); ct->proto.gre.timeout);
......
...@@ -369,7 +369,7 @@ static int sctp_packet(struct nf_conn *ct, ...@@ -369,7 +369,7 @@ static int sctp_packet(struct nf_conn *ct,
ct->proto.sctp.state = new_state; ct->proto.sctp.state = new_state;
if (old_state != new_state) if (old_state != new_state)
nf_conntrack_event_cache(IPCT_PROTOINFO, skb); nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
} }
write_unlock_bh(&sctp_lock); write_unlock_bh(&sctp_lock);
...@@ -380,7 +380,7 @@ static int sctp_packet(struct nf_conn *ct, ...@@ -380,7 +380,7 @@ static int sctp_packet(struct nf_conn *ct,
new_state == SCTP_CONNTRACK_ESTABLISHED) { new_state == SCTP_CONNTRACK_ESTABLISHED) {
pr_debug("Setting assured bit\n"); pr_debug("Setting assured bit\n");
set_bit(IPS_ASSURED_BIT, &ct->status); set_bit(IPS_ASSURED_BIT, &ct->status);
nf_conntrack_event_cache(IPCT_STATUS, skb); nf_conntrack_event_cache(IPCT_STATUS, ct);
} }
return NF_ACCEPT; return NF_ACCEPT;
......
...@@ -969,9 +969,9 @@ static int tcp_packet(struct nf_conn *ct, ...@@ -969,9 +969,9 @@ static int tcp_packet(struct nf_conn *ct,
timeout = tcp_timeouts[new_state]; timeout = tcp_timeouts[new_state];
write_unlock_bh(&tcp_lock); write_unlock_bh(&tcp_lock);
nf_conntrack_event_cache(IPCT_PROTOINFO_VOLATILE, skb); nf_conntrack_event_cache(IPCT_PROTOINFO_VOLATILE, ct);
if (new_state != old_state) if (new_state != old_state)
nf_conntrack_event_cache(IPCT_PROTOINFO, skb); nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
if (!test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) { if (!test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
/* If only reply is a RST, we can consider ourselves not to /* If only reply is a RST, we can consider ourselves not to
...@@ -990,7 +990,7 @@ static int tcp_packet(struct nf_conn *ct, ...@@ -990,7 +990,7 @@ static int tcp_packet(struct nf_conn *ct,
after SYN_RECV or a valid answer for a picked up after SYN_RECV or a valid answer for a picked up
connection. */ connection. */
set_bit(IPS_ASSURED_BIT, &ct->status); set_bit(IPS_ASSURED_BIT, &ct->status);
nf_conntrack_event_cache(IPCT_STATUS, skb); nf_conntrack_event_cache(IPCT_STATUS, ct);
} }
nf_ct_refresh_acct(ct, ctinfo, skb, timeout); nf_ct_refresh_acct(ct, ctinfo, skb, timeout);
......
...@@ -75,7 +75,7 @@ static int udp_packet(struct nf_conn *ct, ...@@ -75,7 +75,7 @@ static int udp_packet(struct nf_conn *ct,
nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_udp_timeout_stream); nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_udp_timeout_stream);
/* Also, more likely to be important, and not a probe */ /* Also, more likely to be important, and not a probe */
if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status)) if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status))
nf_conntrack_event_cache(IPCT_STATUS, skb); nf_conntrack_event_cache(IPCT_STATUS, ct);
} else } else
nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_udp_timeout); nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_udp_timeout);
......
...@@ -75,7 +75,7 @@ static int udplite_packet(struct nf_conn *ct, ...@@ -75,7 +75,7 @@ static int udplite_packet(struct nf_conn *ct,
nf_ct_udplite_timeout_stream); nf_ct_udplite_timeout_stream);
/* Also, more likely to be important, and not a probe */ /* Also, more likely to be important, and not a probe */
if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status)) if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status))
nf_conntrack_event_cache(IPCT_STATUS, skb); nf_conntrack_event_cache(IPCT_STATUS, ct);
} else } else
nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_udplite_timeout); nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_udplite_timeout);
......
...@@ -54,7 +54,7 @@ connmark_tg_v0(struct sk_buff *skb, const struct net_device *in, ...@@ -54,7 +54,7 @@ connmark_tg_v0(struct sk_buff *skb, const struct net_device *in,
newmark = (ct->mark & ~markinfo->mask) | markinfo->mark; newmark = (ct->mark & ~markinfo->mask) | markinfo->mark;
if (newmark != ct->mark) { if (newmark != ct->mark) {
ct->mark = newmark; ct->mark = newmark;
nf_conntrack_event_cache(IPCT_MARK, skb); nf_conntrack_event_cache(IPCT_MARK, ct);
} }
break; break;
case XT_CONNMARK_SAVE: case XT_CONNMARK_SAVE:
...@@ -62,7 +62,7 @@ connmark_tg_v0(struct sk_buff *skb, const struct net_device *in, ...@@ -62,7 +62,7 @@ connmark_tg_v0(struct sk_buff *skb, const struct net_device *in,
(skb->mark & markinfo->mask); (skb->mark & markinfo->mask);
if (ct->mark != newmark) { if (ct->mark != newmark) {
ct->mark = newmark; ct->mark = newmark;
nf_conntrack_event_cache(IPCT_MARK, skb); nf_conntrack_event_cache(IPCT_MARK, ct);
} }
break; break;
case XT_CONNMARK_RESTORE: case XT_CONNMARK_RESTORE:
...@@ -95,7 +95,7 @@ connmark_tg(struct sk_buff *skb, const struct net_device *in, ...@@ -95,7 +95,7 @@ connmark_tg(struct sk_buff *skb, const struct net_device *in,
newmark = (ct->mark & ~info->ctmask) ^ info->ctmark; newmark = (ct->mark & ~info->ctmask) ^ info->ctmark;
if (ct->mark != newmark) { if (ct->mark != newmark) {
ct->mark = newmark; ct->mark = newmark;
nf_conntrack_event_cache(IPCT_MARK, skb); nf_conntrack_event_cache(IPCT_MARK, ct);
} }
break; break;
case XT_CONNMARK_SAVE: case XT_CONNMARK_SAVE:
...@@ -103,7 +103,7 @@ connmark_tg(struct sk_buff *skb, const struct net_device *in, ...@@ -103,7 +103,7 @@ connmark_tg(struct sk_buff *skb, const struct net_device *in,
(skb->mark & info->nfmask); (skb->mark & info->nfmask);
if (ct->mark != newmark) { if (ct->mark != newmark) {
ct->mark = newmark; ct->mark = newmark;
nf_conntrack_event_cache(IPCT_MARK, skb); nf_conntrack_event_cache(IPCT_MARK, ct);
} }
break; break;
case XT_CONNMARK_RESTORE: case XT_CONNMARK_RESTORE:
......
...@@ -43,7 +43,7 @@ static void secmark_save(const struct sk_buff *skb) ...@@ -43,7 +43,7 @@ static void secmark_save(const struct sk_buff *skb)
ct = nf_ct_get(skb, &ctinfo); ct = nf_ct_get(skb, &ctinfo);
if (ct && !ct->secmark) { if (ct && !ct->secmark) {
ct->secmark = skb->secmark; ct->secmark = skb->secmark;
nf_conntrack_event_cache(IPCT_SECMARK, skb); nf_conntrack_event_cache(IPCT_SECMARK, ct);
} }
} }
} }
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册