diff options
author | Patrick McHardy <kaber@trash.net> | 2007-07-08 01:31:32 -0400 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2007-07-11 01:17:55 -0400 |
commit | d4156e8cd93f5772483928aaf4960120caebd789 (patch) | |
tree | e740e629df29d8ea1ad21244998851362b64a70e /include/net | |
parent | df43b4e7ca46952756b2fc039ed80469b1bff62d (diff) |
[NETFILTER]: nf_conntrack: reduce masks to a subset of tuples
Since conntrack currently allows to use masks for every bit of both
helper and expectation tuples, we can't hash them and have to keep
them on two global lists that are searched for every new connection.
This patch removes the never used ability to use masks for the
destination part of the expectation tuple and completely removes
masks from helpers since the only reasonable choice is a full
match on l3num, protonum and src.u.all.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include/net')
-rw-r--r-- | include/net/netfilter/nf_conntrack_expect.h | 3 | ||||
-rw-r--r-- | include/net/netfilter/nf_conntrack_helper.h | 5 | ||||
-rw-r--r-- | include/net/netfilter/nf_conntrack_tuple.h | 65 |
3 files changed, 47 insertions, 26 deletions
diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h index c0b1d1fb23e..13643f7f742 100644 --- a/include/net/netfilter/nf_conntrack_expect.h +++ b/include/net/netfilter/nf_conntrack_expect.h | |||
@@ -16,7 +16,8 @@ struct nf_conntrack_expect | |||
16 | struct list_head list; | 16 | struct list_head list; |
17 | 17 | ||
18 | /* We expect this tuple, with the following mask */ | 18 | /* We expect this tuple, with the following mask */ |
19 | struct nf_conntrack_tuple tuple, mask; | 19 | struct nf_conntrack_tuple tuple; |
20 | struct nf_conntrack_tuple_mask mask; | ||
20 | 21 | ||
21 | /* Function to call after setup and insertion */ | 22 | /* Function to call after setup and insertion */ |
22 | void (*expectfn)(struct nf_conn *new, | 23 | void (*expectfn)(struct nf_conn *new, |
diff --git a/include/net/netfilter/nf_conntrack_helper.h b/include/net/netfilter/nf_conntrack_helper.h index b43a75ba44a..d62e6f093af 100644 --- a/include/net/netfilter/nf_conntrack_helper.h +++ b/include/net/netfilter/nf_conntrack_helper.h | |||
@@ -24,10 +24,9 @@ struct nf_conntrack_helper | |||
24 | * expected connections */ | 24 | * expected connections */ |
25 | unsigned int timeout; /* timeout for expecteds */ | 25 | unsigned int timeout; /* timeout for expecteds */ |
26 | 26 | ||
27 | /* Mask of things we will help (compared against server response) */ | 27 | /* Tuple of things we will help (compared against server response) */ |
28 | struct nf_conntrack_tuple tuple; | 28 | struct nf_conntrack_tuple tuple; |
29 | struct nf_conntrack_tuple mask; | 29 | |
30 | |||
31 | /* Function to call when data passes; return verdict, or -1 to | 30 | /* Function to call when data passes; return verdict, or -1 to |
32 | invalidate. */ | 31 | invalidate. */ |
33 | int (*help)(struct sk_buff **pskb, | 32 | int (*help)(struct sk_buff **pskb, |
diff --git a/include/net/netfilter/nf_conntrack_tuple.h b/include/net/netfilter/nf_conntrack_tuple.h index d02ce876b4c..99934ab538e 100644 --- a/include/net/netfilter/nf_conntrack_tuple.h +++ b/include/net/netfilter/nf_conntrack_tuple.h | |||
@@ -100,6 +100,14 @@ struct nf_conntrack_tuple | |||
100 | } dst; | 100 | } dst; |
101 | }; | 101 | }; |
102 | 102 | ||
103 | struct nf_conntrack_tuple_mask | ||
104 | { | ||
105 | struct { | ||
106 | union nf_conntrack_address u3; | ||
107 | union nf_conntrack_man_proto u; | ||
108 | } src; | ||
109 | }; | ||
110 | |||
103 | /* This is optimized opposed to a memset of the whole structure. Everything we | 111 | /* This is optimized opposed to a memset of the whole structure. Everything we |
104 | * really care about is the source/destination unions */ | 112 | * really care about is the source/destination unions */ |
105 | #define NF_CT_TUPLE_U_BLANK(tuple) \ | 113 | #define NF_CT_TUPLE_U_BLANK(tuple) \ |
@@ -161,31 +169,44 @@ static inline int nf_ct_tuple_equal(const struct nf_conntrack_tuple *t1, | |||
161 | return nf_ct_tuple_src_equal(t1, t2) && nf_ct_tuple_dst_equal(t1, t2); | 169 | return nf_ct_tuple_src_equal(t1, t2) && nf_ct_tuple_dst_equal(t1, t2); |
162 | } | 170 | } |
163 | 171 | ||
172 | static inline int nf_ct_tuple_mask_equal(const struct nf_conntrack_tuple_mask *m1, | ||
173 | const struct nf_conntrack_tuple_mask *m2) | ||
174 | { | ||
175 | return (m1->src.u3.all[0] == m2->src.u3.all[0] && | ||
176 | m1->src.u3.all[1] == m2->src.u3.all[1] && | ||
177 | m1->src.u3.all[2] == m2->src.u3.all[2] && | ||
178 | m1->src.u3.all[3] == m2->src.u3.all[3] && | ||
179 | m1->src.u.all == m2->src.u.all); | ||
180 | } | ||
181 | |||
182 | static inline int nf_ct_tuple_src_mask_cmp(const struct nf_conntrack_tuple *t1, | ||
183 | const struct nf_conntrack_tuple *t2, | ||
184 | const struct nf_conntrack_tuple_mask *mask) | ||
185 | { | ||
186 | int count; | ||
187 | |||
188 | for (count = 0; count < NF_CT_TUPLE_L3SIZE; count++) { | ||
189 | if ((t1->src.u3.all[count] ^ t2->src.u3.all[count]) & | ||
190 | mask->src.u3.all[count]) | ||
191 | return 0; | ||
192 | } | ||
193 | |||
194 | if ((t1->src.u.all ^ t2->src.u.all) & mask->src.u.all) | ||
195 | return 0; | ||
196 | |||
197 | if (t1->src.l3num != t2->src.l3num || | ||
198 | t1->dst.protonum != t2->dst.protonum) | ||
199 | return 0; | ||
200 | |||
201 | return 1; | ||
202 | } | ||
203 | |||
164 | static inline int nf_ct_tuple_mask_cmp(const struct nf_conntrack_tuple *t, | 204 | static inline int nf_ct_tuple_mask_cmp(const struct nf_conntrack_tuple *t, |
165 | const struct nf_conntrack_tuple *tuple, | 205 | const struct nf_conntrack_tuple *tuple, |
166 | const struct nf_conntrack_tuple *mask) | 206 | const struct nf_conntrack_tuple_mask *mask) |
167 | { | 207 | { |
168 | int count = 0; | 208 | return nf_ct_tuple_src_mask_cmp(t, tuple, mask) && |
169 | 209 | nf_ct_tuple_dst_equal(t, tuple); | |
170 | for (count = 0; count < NF_CT_TUPLE_L3SIZE; count++){ | ||
171 | if ((t->src.u3.all[count] ^ tuple->src.u3.all[count]) & | ||
172 | mask->src.u3.all[count]) | ||
173 | return 0; | ||
174 | } | ||
175 | |||
176 | for (count = 0; count < NF_CT_TUPLE_L3SIZE; count++){ | ||
177 | if ((t->dst.u3.all[count] ^ tuple->dst.u3.all[count]) & | ||
178 | mask->dst.u3.all[count]) | ||
179 | return 0; | ||
180 | } | ||
181 | |||
182 | if ((t->src.u.all ^ tuple->src.u.all) & mask->src.u.all || | ||
183 | (t->dst.u.all ^ tuple->dst.u.all) & mask->dst.u.all || | ||
184 | (t->src.l3num ^ tuple->src.l3num) & mask->src.l3num || | ||
185 | (t->dst.protonum ^ tuple->dst.protonum) & mask->dst.protonum) | ||
186 | return 0; | ||
187 | |||
188 | return 1; | ||
189 | } | 210 | } |
190 | 211 | ||
191 | #endif /* _NF_CONNTRACK_TUPLE_H */ | 212 | #endif /* _NF_CONNTRACK_TUPLE_H */ |