提交 c74454fa 编写于 作者: F Florian Westphal 提交者: Pablo Neira Ayuso

netfilter: add and use nf_ct_set helper

Add a helper to assign a nf_conn entry and the ctinfo bits to an sk_buff.
This avoids changing code in followup patch that merges skb->nfct and
skb->nfctinfo into skb->_nfct.
Signed-off-by: NFlorian Westphal <fw@strlen.de>
Signed-off-by: NPablo Neira Ayuso <pablo@netfilter.org>
上级 cb9c6836
...@@ -1559,8 +1559,7 @@ static inline void ip_vs_notrack(struct sk_buff *skb) ...@@ -1559,8 +1559,7 @@ static inline void ip_vs_notrack(struct sk_buff *skb)
nf_conntrack_put(&ct->ct_general); nf_conntrack_put(&ct->ct_general);
untracked = nf_ct_untracked_get(); untracked = nf_ct_untracked_get();
nf_conntrack_get(&untracked->ct_general); nf_conntrack_get(&untracked->ct_general);
skb->nfct = &untracked->ct_general; nf_ct_set(skb, untracked, IP_CT_NEW);
skb->nfctinfo = IP_CT_NEW;
} }
#endif #endif
} }
......
...@@ -34,6 +34,7 @@ union nf_conntrack_proto { ...@@ -34,6 +34,7 @@ union nf_conntrack_proto {
struct ip_ct_sctp sctp; struct ip_ct_sctp sctp;
struct ip_ct_tcp tcp; struct ip_ct_tcp tcp;
struct nf_ct_gre gre; struct nf_ct_gre gre;
unsigned int tmpl_padto;
}; };
union nf_conntrack_expect_proto { union nf_conntrack_expect_proto {
...@@ -341,6 +342,13 @@ struct nf_conn *nf_ct_tmpl_alloc(struct net *net, ...@@ -341,6 +342,13 @@ struct nf_conn *nf_ct_tmpl_alloc(struct net *net,
gfp_t flags); gfp_t flags);
void nf_ct_tmpl_free(struct nf_conn *tmpl); void nf_ct_tmpl_free(struct nf_conn *tmpl);
static inline void
nf_ct_set(struct sk_buff *skb, struct nf_conn *ct, enum ip_conntrack_info info)
{
skb->nfct = &ct->ct_general;
skb->nfctinfo = info;
}
#define NF_CT_STAT_INC(net, count) __this_cpu_inc((net)->ct.stat->count) #define NF_CT_STAT_INC(net, count) __this_cpu_inc((net)->ct.stat->count)
#define NF_CT_STAT_INC_ATOMIC(net, count) this_cpu_inc((net)->ct.stat->count) #define NF_CT_STAT_INC_ATOMIC(net, count) this_cpu_inc((net)->ct.stat->count)
#define NF_CT_STAT_ADD_ATOMIC(net, count, v) this_cpu_add((net)->ct.stat->count, (v)) #define NF_CT_STAT_ADD_ATOMIC(net, count, v) this_cpu_add((net)->ct.stat->count, (v))
......
...@@ -57,8 +57,7 @@ synproxy_send_tcp(struct net *net, ...@@ -57,8 +57,7 @@ synproxy_send_tcp(struct net *net,
goto free_nskb; goto free_nskb;
if (nfct) { if (nfct) {
nskb->nfct = nfct; nf_ct_set(nskb, (struct nf_conn *)nfct, ctinfo);
nskb->nfctinfo = ctinfo;
nf_conntrack_get(nfct); nf_conntrack_get(nfct);
} }
......
...@@ -172,8 +172,7 @@ icmp_error_message(struct net *net, struct nf_conn *tmpl, struct sk_buff *skb, ...@@ -172,8 +172,7 @@ icmp_error_message(struct net *net, struct nf_conn *tmpl, struct sk_buff *skb,
ctinfo += IP_CT_IS_REPLY; ctinfo += IP_CT_IS_REPLY;
/* Update skb to refer to this connection */ /* Update skb to refer to this connection */
skb->nfct = &nf_ct_tuplehash_to_ctrack(h)->ct_general; nf_ct_set(skb, nf_ct_tuplehash_to_ctrack(h), ctinfo);
skb->nfctinfo = ctinfo;
return NF_ACCEPT; return NF_ACCEPT;
} }
......
...@@ -69,8 +69,7 @@ void nf_dup_ipv4(struct net *net, struct sk_buff *skb, unsigned int hooknum, ...@@ -69,8 +69,7 @@ void nf_dup_ipv4(struct net *net, struct sk_buff *skb, unsigned int hooknum,
#if IS_ENABLED(CONFIG_NF_CONNTRACK) #if IS_ENABLED(CONFIG_NF_CONNTRACK)
/* Avoid counting cloned packets towards the original connection. */ /* Avoid counting cloned packets towards the original connection. */
nf_reset(skb); nf_reset(skb);
skb->nfct = &nf_ct_untracked_get()->ct_general; nf_ct_set(skb, nf_ct_untracked_get(), IP_CT_NEW);
skb->nfctinfo = IP_CT_NEW;
nf_conntrack_get(skb_nfct(skb)); nf_conntrack_get(skb_nfct(skb));
#endif #endif
/* /*
......
...@@ -71,8 +71,7 @@ synproxy_send_tcp(struct net *net, ...@@ -71,8 +71,7 @@ synproxy_send_tcp(struct net *net,
skb_dst_set(nskb, dst); skb_dst_set(nskb, dst);
if (nfct) { if (nfct) {
nskb->nfct = nfct; nf_ct_set(nskb, (struct nf_conn *)nfct, ctinfo);
nskb->nfctinfo = ctinfo;
nf_conntrack_get(nfct); nf_conntrack_get(nfct);
} }
......
...@@ -189,8 +189,7 @@ icmpv6_error_message(struct net *net, struct nf_conn *tmpl, ...@@ -189,8 +189,7 @@ icmpv6_error_message(struct net *net, struct nf_conn *tmpl,
} }
/* Update skb to refer to this connection */ /* Update skb to refer to this connection */
skb->nfct = &nf_ct_tuplehash_to_ctrack(h)->ct_general; nf_ct_set(skb, nf_ct_tuplehash_to_ctrack(h), ctinfo);
skb->nfctinfo = ctinfo;
return NF_ACCEPT; return NF_ACCEPT;
} }
...@@ -222,8 +221,7 @@ icmpv6_error(struct net *net, struct nf_conn *tmpl, ...@@ -222,8 +221,7 @@ icmpv6_error(struct net *net, struct nf_conn *tmpl,
type = icmp6h->icmp6_type - 130; type = icmp6h->icmp6_type - 130;
if (type >= 0 && type < sizeof(noct_valid_new) && if (type >= 0 && type < sizeof(noct_valid_new) &&
noct_valid_new[type]) { noct_valid_new[type]) {
skb->nfct = &nf_ct_untracked_get()->ct_general; nf_ct_set(skb, nf_ct_untracked_get(), IP_CT_NEW);
skb->nfctinfo = IP_CT_NEW;
nf_conntrack_get(skb_nfct(skb)); nf_conntrack_get(skb_nfct(skb));
return NF_ACCEPT; return NF_ACCEPT;
} }
......
...@@ -58,8 +58,7 @@ void nf_dup_ipv6(struct net *net, struct sk_buff *skb, unsigned int hooknum, ...@@ -58,8 +58,7 @@ void nf_dup_ipv6(struct net *net, struct sk_buff *skb, unsigned int hooknum,
#if IS_ENABLED(CONFIG_NF_CONNTRACK) #if IS_ENABLED(CONFIG_NF_CONNTRACK)
nf_reset(skb); nf_reset(skb);
skb->nfct = &nf_ct_untracked_get()->ct_general; nf_ct_set(skb, nf_ct_untracked_get(), IP_CT_NEW);
skb->nfctinfo = IP_CT_NEW;
nf_conntrack_get(skb->nfct); nf_conntrack_get(skb->nfct);
#endif #endif
if (hooknum == NF_INET_PRE_ROUTING || if (hooknum == NF_INET_PRE_ROUTING ||
......
...@@ -691,10 +691,7 @@ static int nf_ct_resolve_clash(struct net *net, struct sk_buff *skb, ...@@ -691,10 +691,7 @@ static int nf_ct_resolve_clash(struct net *net, struct sk_buff *skb,
nf_ct_acct_merge(ct, ctinfo, loser_ct); nf_ct_acct_merge(ct, ctinfo, loser_ct);
nf_conntrack_put(&loser_ct->ct_general); nf_conntrack_put(&loser_ct->ct_general);
/* Assign conntrack already in hashes to this skbuff. Don't nf_ct_set(skb, ct, oldinfo);
* modify skb->nfctinfo to ensure consistent stateful filtering.
*/
skb->nfct = &ct->ct_general;
return NF_ACCEPT; return NF_ACCEPT;
} }
NF_CT_STAT_INC(net, drop); NF_CT_STAT_INC(net, drop);
...@@ -1282,8 +1279,7 @@ resolve_normal_ct(struct net *net, struct nf_conn *tmpl, ...@@ -1282,8 +1279,7 @@ resolve_normal_ct(struct net *net, struct nf_conn *tmpl,
} }
*set_reply = 0; *set_reply = 0;
} }
skb->nfct = &ct->ct_general; nf_ct_set(skb, ct, *ctinfo);
skb->nfctinfo = *ctinfo;
return ct; return ct;
} }
...@@ -1526,8 +1522,7 @@ static void nf_conntrack_attach(struct sk_buff *nskb, const struct sk_buff *skb) ...@@ -1526,8 +1522,7 @@ static void nf_conntrack_attach(struct sk_buff *nskb, const struct sk_buff *skb)
ctinfo = IP_CT_RELATED; ctinfo = IP_CT_RELATED;
/* Attach to new skbuff, and increment count */ /* Attach to new skbuff, and increment count */
nskb->nfct = &ct->ct_general; nf_ct_set(nskb, ct, ctinfo);
nskb->nfctinfo = ctinfo;
nf_conntrack_get(skb_nfct(nskb)); nf_conntrack_get(skb_nfct(nskb));
} }
......
...@@ -554,8 +554,7 @@ static void nft_notrack_eval(const struct nft_expr *expr, ...@@ -554,8 +554,7 @@ static void nft_notrack_eval(const struct nft_expr *expr,
ct = nf_ct_untracked_get(); ct = nf_ct_untracked_get();
atomic_inc(&ct->ct_general.use); atomic_inc(&ct->ct_general.use);
skb->nfct = &ct->ct_general; nf_ct_set(skb, ct, IP_CT_NEW);
skb->nfctinfo = IP_CT_NEW;
} }
static struct nft_expr_type nft_notrack_type; static struct nft_expr_type nft_notrack_type;
......
...@@ -30,8 +30,7 @@ static inline int xt_ct_target(struct sk_buff *skb, struct nf_conn *ct) ...@@ -30,8 +30,7 @@ static inline int xt_ct_target(struct sk_buff *skb, struct nf_conn *ct)
if (!ct) if (!ct)
ct = nf_ct_untracked_get(); ct = nf_ct_untracked_get();
atomic_inc(&ct->ct_general.use); atomic_inc(&ct->ct_general.use);
skb->nfct = &ct->ct_general; nf_ct_set(skb, ct, IP_CT_NEW);
skb->nfctinfo = IP_CT_NEW;
return XT_CONTINUE; return XT_CONTINUE;
} }
...@@ -413,8 +412,7 @@ notrack_tg(struct sk_buff *skb, const struct xt_action_param *par) ...@@ -413,8 +412,7 @@ notrack_tg(struct sk_buff *skb, const struct xt_action_param *par)
if (skb->nfct != NULL) if (skb->nfct != NULL)
return XT_CONTINUE; return XT_CONTINUE;
skb->nfct = &nf_ct_untracked_get()->ct_general; nf_ct_set(skb, nf_ct_untracked_get(), IP_CT_NEW);
skb->nfctinfo = IP_CT_NEW;
nf_conntrack_get(skb_nfct(skb)); nf_conntrack_get(skb_nfct(skb));
return XT_CONTINUE; return XT_CONTINUE;
......
...@@ -460,8 +460,7 @@ ovs_ct_find_existing(struct net *net, const struct nf_conntrack_zone *zone, ...@@ -460,8 +460,7 @@ ovs_ct_find_existing(struct net *net, const struct nf_conntrack_zone *zone,
ct = nf_ct_tuplehash_to_ctrack(h); ct = nf_ct_tuplehash_to_ctrack(h);
skb->nfct = &ct->ct_general; nf_ct_set(skb, ct, ovs_ct_get_info(h));
skb->nfctinfo = ovs_ct_get_info(h);
return ct; return ct;
} }
...@@ -724,8 +723,7 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key, ...@@ -724,8 +723,7 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key,
if (skb_nfct(skb)) if (skb_nfct(skb))
nf_conntrack_put(skb_nfct(skb)); nf_conntrack_put(skb_nfct(skb));
nf_conntrack_get(&tmpl->ct_general); nf_conntrack_get(&tmpl->ct_general);
skb->nfct = &tmpl->ct_general; nf_ct_set(skb, tmpl, IP_CT_NEW);
skb->nfctinfo = IP_CT_NEW;
} }
err = nf_conntrack_in(net, info->family, err = nf_conntrack_in(net, info->family,
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册