diff options
| author | Patrick McHardy <kaber@trash.net> | 2010-02-03 07:48:53 -0500 |
|---|---|---|
| committer | Patrick McHardy <kaber@trash.net> | 2010-02-03 07:48:53 -0500 |
| commit | 858b31330054a9ad259feceea0ad1ce5385c47f0 (patch) | |
| tree | 642349680ff9c29d506dd7661bbc8b724209fbf5 | |
| parent | add67461240c1dadc7c8d97e66f8f92b556ca523 (diff) | |
netfilter: nf_conntrack: split up IPCT_STATUS event
Split up the IPCT_STATUS event into an IPCT_REPLY event, which is generated
when the IPS_SEEN_REPLY bit is set, and an IPCT_ASSURED event, which is
generated when the IPS_ASSURED bit is set.
In combination with a following patch to support selective event delivery,
this can be used for "sparse" conntrack replication: start replicating the
conntrack entry after it reached the ASSURED state and that way it's SYN-flood
resistant.
Signed-off-by: Patrick McHardy <kaber@trash.net>
| -rw-r--r-- | include/net/netfilter/nf_conntrack_ecache.h | 21 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_core.c | 2 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_netlink.c | 6 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_proto_gre.c | 2 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_proto_sctp.c | 2 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_proto_tcp.c | 2 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_proto_udp.c | 2 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_proto_udplite.c | 2 |
8 files changed, 21 insertions, 18 deletions
diff --git a/include/net/netfilter/nf_conntrack_ecache.h b/include/net/netfilter/nf_conntrack_ecache.h index 475facc3051a..5e05fb883ab1 100644 --- a/include/net/netfilter/nf_conntrack_ecache.h +++ b/include/net/netfilter/nf_conntrack_ecache.h | |||
| @@ -14,19 +14,20 @@ | |||
| 14 | 14 | ||
| 15 | /* Connection tracking event types */ | 15 | /* Connection tracking event types */ |
| 16 | enum ip_conntrack_events { | 16 | enum ip_conntrack_events { |
| 17 | IPCT_NEW = 0, /* new conntrack */ | 17 | IPCT_NEW, /* new conntrack */ |
| 18 | IPCT_RELATED = 1, /* related conntrack */ | 18 | IPCT_RELATED, /* related conntrack */ |
| 19 | IPCT_DESTROY = 2, /* destroyed conntrack */ | 19 | IPCT_DESTROY, /* destroyed conntrack */ |
| 20 | IPCT_STATUS = 3, /* status has changed */ | 20 | IPCT_REPLY, /* connection has seen two-way traffic */ |
| 21 | IPCT_PROTOINFO = 4, /* protocol information has changed */ | 21 | IPCT_ASSURED, /* connection status has changed to assured */ |
| 22 | IPCT_HELPER = 5, /* new helper has been set */ | 22 | IPCT_PROTOINFO, /* protocol information has changed */ |
| 23 | IPCT_MARK = 6, /* new mark has been set */ | 23 | IPCT_HELPER, /* new helper has been set */ |
| 24 | IPCT_NATSEQADJ = 7, /* NAT is doing sequence adjustment */ | 24 | IPCT_MARK, /* new mark has been set */ |
| 25 | IPCT_SECMARK = 8, /* new security mark has been set */ | 25 | IPCT_NATSEQADJ, /* NAT is doing sequence adjustment */ |
| 26 | IPCT_SECMARK, /* new security mark has been set */ | ||
| 26 | }; | 27 | }; |
| 27 | 28 | ||
| 28 | enum ip_conntrack_expect_events { | 29 | enum ip_conntrack_expect_events { |
| 29 | IPEXP_NEW = 0, /* new expectation */ | 30 | IPEXP_NEW, /* new expectation */ |
| 30 | }; | 31 | }; |
| 31 | 32 | ||
| 32 | struct nf_conntrack_ecache { | 33 | struct nf_conntrack_ecache { |
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index 0e98c3282d42..091ff770eb7b 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c | |||
| @@ -825,7 +825,7 @@ nf_conntrack_in(struct net *net, u_int8_t pf, unsigned int hooknum, | |||
| 825 | } | 825 | } |
| 826 | 826 | ||
| 827 | if (set_reply && !test_and_set_bit(IPS_SEEN_REPLY_BIT, &ct->status)) | 827 | if (set_reply && !test_and_set_bit(IPS_SEEN_REPLY_BIT, &ct->status)) |
| 828 | nf_conntrack_event_cache(IPCT_STATUS, ct); | 828 | nf_conntrack_event_cache(IPCT_REPLY, ct); |
| 829 | 829 | ||
| 830 | return ret; | 830 | return ret; |
| 831 | } | 831 | } |
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 16f86d61e5d1..ff594eb138c1 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c | |||
| @@ -1371,7 +1371,8 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb, | |||
| 1371 | else | 1371 | else |
| 1372 | events = IPCT_NEW; | 1372 | events = IPCT_NEW; |
| 1373 | 1373 | ||
| 1374 | nf_conntrack_eventmask_report((1 << IPCT_STATUS) | | 1374 | nf_conntrack_eventmask_report((1 << IPCT_REPLY) | |
| 1375 | (1 << IPCT_ASSURED) | | ||
| 1375 | (1 << IPCT_HELPER) | | 1376 | (1 << IPCT_HELPER) | |
| 1376 | (1 << IPCT_PROTOINFO) | | 1377 | (1 << IPCT_PROTOINFO) | |
| 1377 | (1 << IPCT_NATSEQADJ) | | 1378 | (1 << IPCT_NATSEQADJ) | |
| @@ -1396,7 +1397,8 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb, | |||
| 1396 | if (err == 0) { | 1397 | if (err == 0) { |
| 1397 | nf_conntrack_get(&ct->ct_general); | 1398 | nf_conntrack_get(&ct->ct_general); |
| 1398 | spin_unlock_bh(&nf_conntrack_lock); | 1399 | spin_unlock_bh(&nf_conntrack_lock); |
| 1399 | nf_conntrack_eventmask_report((1 << IPCT_STATUS) | | 1400 | nf_conntrack_eventmask_report((1 << IPCT_REPLY) | |
| 1401 | (1 << IPCT_ASSURED) | | ||
| 1400 | (1 << IPCT_HELPER) | | 1402 | (1 << IPCT_HELPER) | |
| 1401 | (1 << IPCT_PROTOINFO) | | 1403 | (1 << IPCT_PROTOINFO) | |
| 1402 | (1 << IPCT_NATSEQADJ) | | 1404 | (1 << IPCT_NATSEQADJ) | |
diff --git a/net/netfilter/nf_conntrack_proto_gre.c b/net/netfilter/nf_conntrack_proto_gre.c index c99cfba64ddc..d899b1a69940 100644 --- a/net/netfilter/nf_conntrack_proto_gre.c +++ b/net/netfilter/nf_conntrack_proto_gre.c | |||
| @@ -241,7 +241,7 @@ static int gre_packet(struct nf_conn *ct, | |||
| 241 | ct->proto.gre.stream_timeout); | 241 | ct->proto.gre.stream_timeout); |
| 242 | /* Also, more likely to be important, and not a probe. */ | 242 | /* Also, more likely to be important, and not a probe. */ |
| 243 | set_bit(IPS_ASSURED_BIT, &ct->status); | 243 | set_bit(IPS_ASSURED_BIT, &ct->status); |
| 244 | nf_conntrack_event_cache(IPCT_STATUS, ct); | 244 | nf_conntrack_event_cache(IPCT_ASSURED, ct); |
| 245 | } else | 245 | } else |
| 246 | nf_ct_refresh_acct(ct, ctinfo, skb, | 246 | nf_ct_refresh_acct(ct, ctinfo, skb, |
| 247 | ct->proto.gre.timeout); | 247 | ct->proto.gre.timeout); |
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c index f9d930f80276..b68ff15ed979 100644 --- a/net/netfilter/nf_conntrack_proto_sctp.c +++ b/net/netfilter/nf_conntrack_proto_sctp.c | |||
| @@ -377,7 +377,7 @@ static int sctp_packet(struct nf_conn *ct, | |||
| 377 | new_state == SCTP_CONNTRACK_ESTABLISHED) { | 377 | new_state == SCTP_CONNTRACK_ESTABLISHED) { |
| 378 | pr_debug("Setting assured bit\n"); | 378 | pr_debug("Setting assured bit\n"); |
| 379 | set_bit(IPS_ASSURED_BIT, &ct->status); | 379 | set_bit(IPS_ASSURED_BIT, &ct->status); |
| 380 | nf_conntrack_event_cache(IPCT_STATUS, ct); | 380 | nf_conntrack_event_cache(IPCT_ASSURED, ct); |
| 381 | } | 381 | } |
| 382 | 382 | ||
| 383 | return NF_ACCEPT; | 383 | return NF_ACCEPT; |
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c index 3c96437b45ad..ad118053971a 100644 --- a/net/netfilter/nf_conntrack_proto_tcp.c +++ b/net/netfilter/nf_conntrack_proto_tcp.c | |||
| @@ -1045,7 +1045,7 @@ static int tcp_packet(struct nf_conn *ct, | |||
| 1045 | after SYN_RECV or a valid answer for a picked up | 1045 | after SYN_RECV or a valid answer for a picked up |
| 1046 | connection. */ | 1046 | connection. */ |
| 1047 | set_bit(IPS_ASSURED_BIT, &ct->status); | 1047 | set_bit(IPS_ASSURED_BIT, &ct->status); |
| 1048 | nf_conntrack_event_cache(IPCT_STATUS, ct); | 1048 | nf_conntrack_event_cache(IPCT_ASSURED, ct); |
| 1049 | } | 1049 | } |
| 1050 | nf_ct_refresh_acct(ct, ctinfo, skb, timeout); | 1050 | nf_ct_refresh_acct(ct, ctinfo, skb, timeout); |
| 1051 | 1051 | ||
diff --git a/net/netfilter/nf_conntrack_proto_udp.c b/net/netfilter/nf_conntrack_proto_udp.c index 5c5518bedb4b..8d38f9a4bed8 100644 --- a/net/netfilter/nf_conntrack_proto_udp.c +++ b/net/netfilter/nf_conntrack_proto_udp.c | |||
| @@ -77,7 +77,7 @@ static int udp_packet(struct nf_conn *ct, | |||
| 77 | nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_udp_timeout_stream); | 77 | nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_udp_timeout_stream); |
| 78 | /* Also, more likely to be important, and not a probe */ | 78 | /* Also, more likely to be important, and not a probe */ |
| 79 | if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status)) | 79 | if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status)) |
| 80 | nf_conntrack_event_cache(IPCT_STATUS, ct); | 80 | nf_conntrack_event_cache(IPCT_ASSURED, ct); |
| 81 | } else | 81 | } else |
| 82 | nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_udp_timeout); | 82 | nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_udp_timeout); |
| 83 | 83 | ||
diff --git a/net/netfilter/nf_conntrack_proto_udplite.c b/net/netfilter/nf_conntrack_proto_udplite.c index 458655bb2106..0b1bc9ba6678 100644 --- a/net/netfilter/nf_conntrack_proto_udplite.c +++ b/net/netfilter/nf_conntrack_proto_udplite.c | |||
| @@ -75,7 +75,7 @@ static int udplite_packet(struct nf_conn *ct, | |||
| 75 | nf_ct_udplite_timeout_stream); | 75 | nf_ct_udplite_timeout_stream); |
| 76 | /* Also, more likely to be important, and not a probe */ | 76 | /* Also, more likely to be important, and not a probe */ |
| 77 | if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status)) | 77 | if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status)) |
| 78 | nf_conntrack_event_cache(IPCT_STATUS, ct); | 78 | nf_conntrack_event_cache(IPCT_ASSURED, ct); |
| 79 | } else | 79 | } else |
| 80 | nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_udplite_timeout); | 80 | nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_udplite_timeout); |
| 81 | 81 | ||