diff options
| author | Pablo Neira Ayuso <pablo@netfilter.org> | 2012-02-28 12:23:31 -0500 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2012-03-07 11:41:19 -0500 |
| commit | 2c8503f55fbdfbeff4164f133df804cf4d316290 (patch) | |
| tree | fe491bc79fd59aa4b8b99ea63d13e62b6a2ef1cb /net/ipv4 | |
| parent | b888341c7f33035694f70428d7001d73f0b2a3b1 (diff) | |
netfilter: nf_conntrack: pass timeout array to l4->new and l4->packet
This patch defines a new interface for l4 protocol trackers:
unsigned int *(*get_timeouts)(struct net *net);
that is used to return the array of unsigned int that contains
the timeouts that will be applied for this flow. This is passed
to the l4proto->new(...) and l4proto->packet(...) functions to
specify the timeout policy.
This interface allows per-net global timeout configuration
(although only DCCP supports this by now) and it will allow
custom custom timeout configuration by means of follow-up
patches.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/ipv4')
| -rw-r--r-- | net/ipv4/netfilter/nf_conntrack_proto_icmp.c | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c index ab5b27a2916f..6b801124b31f 100644 --- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c +++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c | |||
| @@ -75,25 +75,31 @@ static int icmp_print_tuple(struct seq_file *s, | |||
| 75 | ntohs(tuple->src.u.icmp.id)); | 75 | ntohs(tuple->src.u.icmp.id)); |
| 76 | } | 76 | } |
| 77 | 77 | ||
| 78 | static unsigned int *icmp_get_timeouts(struct net *net) | ||
| 79 | { | ||
| 80 | return &nf_ct_icmp_timeout; | ||
| 81 | } | ||
| 82 | |||
| 78 | /* Returns verdict for packet, or -1 for invalid. */ | 83 | /* Returns verdict for packet, or -1 for invalid. */ |
| 79 | static int icmp_packet(struct nf_conn *ct, | 84 | static int icmp_packet(struct nf_conn *ct, |
| 80 | const struct sk_buff *skb, | 85 | const struct sk_buff *skb, |
| 81 | unsigned int dataoff, | 86 | unsigned int dataoff, |
| 82 | enum ip_conntrack_info ctinfo, | 87 | enum ip_conntrack_info ctinfo, |
| 83 | u_int8_t pf, | 88 | u_int8_t pf, |
| 84 | unsigned int hooknum) | 89 | unsigned int hooknum, |
| 90 | unsigned int *timeout) | ||
| 85 | { | 91 | { |
| 86 | /* Do not immediately delete the connection after the first | 92 | /* Do not immediately delete the connection after the first |
| 87 | successful reply to avoid excessive conntrackd traffic | 93 | successful reply to avoid excessive conntrackd traffic |
| 88 | and also to handle correctly ICMP echo reply duplicates. */ | 94 | and also to handle correctly ICMP echo reply duplicates. */ |
| 89 | nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_icmp_timeout); | 95 | nf_ct_refresh_acct(ct, ctinfo, skb, *timeout); |
| 90 | 96 | ||
| 91 | return NF_ACCEPT; | 97 | return NF_ACCEPT; |
| 92 | } | 98 | } |
| 93 | 99 | ||
| 94 | /* Called when a new connection for this protocol found. */ | 100 | /* Called when a new connection for this protocol found. */ |
| 95 | static bool icmp_new(struct nf_conn *ct, const struct sk_buff *skb, | 101 | static bool icmp_new(struct nf_conn *ct, const struct sk_buff *skb, |
| 96 | unsigned int dataoff) | 102 | unsigned int dataoff, unsigned int *timeouts) |
| 97 | { | 103 | { |
| 98 | static const u_int8_t valid_new[] = { | 104 | static const u_int8_t valid_new[] = { |
| 99 | [ICMP_ECHO] = 1, | 105 | [ICMP_ECHO] = 1, |
| @@ -298,6 +304,7 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp __read_mostly = | |||
| 298 | .invert_tuple = icmp_invert_tuple, | 304 | .invert_tuple = icmp_invert_tuple, |
| 299 | .print_tuple = icmp_print_tuple, | 305 | .print_tuple = icmp_print_tuple, |
| 300 | .packet = icmp_packet, | 306 | .packet = icmp_packet, |
| 307 | .get_timeouts = icmp_get_timeouts, | ||
| 301 | .new = icmp_new, | 308 | .new = icmp_new, |
| 302 | .error = icmp_error, | 309 | .error = icmp_error, |
| 303 | .destroy = NULL, | 310 | .destroy = NULL, |