41d73ec053
Split out sequence number adjustments from NAT and move them to the conntrack core to make them usable for SYN proxying. The sequence number adjustment information is moved to a seperate extend. The extend is added to new conntracks when a NAT mapping is set up for a connection using a helper. As a side effect, this saves 24 bytes per connection with NAT in the common case that a connection does not have a helper assigned. Signed-off-by: Patrick McHardy <kaber@trash.net> Tested-by: Martin Topholm <mph@one.com> Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
114 lines
2.5 KiB
C
114 lines
2.5 KiB
C
/*
|
|
* (C) 2012 by Pablo Neira Ayuso <pablo@netfilter.org>
|
|
*
|
|
* This program is free software; you can redistribute it and/or modify
|
|
* it under the terms of the GNU General Public License version 2 as
|
|
* published by the Free Software Foundation.
|
|
*
|
|
*/
|
|
|
|
#include <linux/skbuff.h>
|
|
#include <linux/netfilter.h>
|
|
#include <linux/netfilter/nfnetlink.h>
|
|
#include <linux/netfilter/nfnetlink_queue.h>
|
|
#include <net/netfilter/nf_conntrack.h>
|
|
#include <net/netfilter/nfnetlink_queue.h>
|
|
|
|
struct nf_conn *nfqnl_ct_get(struct sk_buff *entskb, size_t *size,
|
|
enum ip_conntrack_info *ctinfo)
|
|
{
|
|
struct nfq_ct_hook *nfq_ct;
|
|
struct nf_conn *ct;
|
|
|
|
/* rcu_read_lock()ed by __nf_queue already. */
|
|
nfq_ct = rcu_dereference(nfq_ct_hook);
|
|
if (nfq_ct == NULL)
|
|
return NULL;
|
|
|
|
ct = nf_ct_get(entskb, ctinfo);
|
|
if (ct) {
|
|
if (!nf_ct_is_untracked(ct))
|
|
*size += nfq_ct->build_size(ct);
|
|
else
|
|
ct = NULL;
|
|
}
|
|
return ct;
|
|
}
|
|
|
|
struct nf_conn *
|
|
nfqnl_ct_parse(const struct sk_buff *skb, const struct nlattr *attr,
|
|
enum ip_conntrack_info *ctinfo)
|
|
{
|
|
struct nfq_ct_hook *nfq_ct;
|
|
struct nf_conn *ct;
|
|
|
|
/* rcu_read_lock()ed by __nf_queue already. */
|
|
nfq_ct = rcu_dereference(nfq_ct_hook);
|
|
if (nfq_ct == NULL)
|
|
return NULL;
|
|
|
|
ct = nf_ct_get(skb, ctinfo);
|
|
if (ct && !nf_ct_is_untracked(ct))
|
|
nfq_ct->parse(attr, ct);
|
|
|
|
return ct;
|
|
}
|
|
|
|
int nfqnl_ct_put(struct sk_buff *skb, struct nf_conn *ct,
|
|
enum ip_conntrack_info ctinfo)
|
|
{
|
|
struct nfq_ct_hook *nfq_ct;
|
|
struct nlattr *nest_parms;
|
|
u_int32_t tmp;
|
|
|
|
nfq_ct = rcu_dereference(nfq_ct_hook);
|
|
if (nfq_ct == NULL)
|
|
return 0;
|
|
|
|
nest_parms = nla_nest_start(skb, NFQA_CT | NLA_F_NESTED);
|
|
if (!nest_parms)
|
|
goto nla_put_failure;
|
|
|
|
if (nfq_ct->build(skb, ct) < 0)
|
|
goto nla_put_failure;
|
|
|
|
nla_nest_end(skb, nest_parms);
|
|
|
|
tmp = ctinfo;
|
|
if (nla_put_be32(skb, NFQA_CT_INFO, htonl(tmp)))
|
|
goto nla_put_failure;
|
|
|
|
return 0;
|
|
|
|
nla_put_failure:
|
|
return -1;
|
|
}
|
|
|
|
void nfqnl_ct_seq_adjust(struct sk_buff *skb, struct nf_conn *ct,
|
|
enum ip_conntrack_info ctinfo, int diff)
|
|
{
|
|
struct nfq_ct_hook *nfq_ct;
|
|
|
|
nfq_ct = rcu_dereference(nfq_ct_hook);
|
|
if (nfq_ct == NULL)
|
|
return;
|
|
|
|
if ((ct->status & IPS_NAT_MASK) && diff)
|
|
nfq_ct->seq_adjust(skb, ct, ctinfo, diff);
|
|
}
|
|
|
|
int nfqnl_attach_expect(struct nf_conn *ct, const struct nlattr *attr,
|
|
u32 portid, u32 report)
|
|
{
|
|
struct nfq_ct_hook *nfq_ct;
|
|
|
|
if (nf_ct_is_untracked(ct))
|
|
return 0;
|
|
|
|
nfq_ct = rcu_dereference(nfq_ct_hook);
|
|
if (nfq_ct == NULL)
|
|
return -EOPNOTSUPP;
|
|
|
|
return nfq_ct->attach_expect(attr, ct, portid, report);
|
|
}
|