netfilter: conntrack: simplify event caching system

This patch simplifies the conntrack event caching system by removing several events: * IPCT_[*]_VOLATILE, IPCT_HELPINFO and IPCT_NATINFO has been deleted since the have no clients. * IPCT_COUNTER_FILLING which is a leftover of the 32-bits counter days. * IPCT_REFRESH which is not of any use since we always include the timeout in the messages. After this patch, the existing events are: * IPCT_NEW, IPCT_RELATED and IPCT_DESTROY, that are used to identify addition and deletion of entries. * IPCT_STATUS, that notes that the status bits have changes, eg. IPS_SEEN_REPLY and IPS_ASSURED. * IPCT_PROTOINFO, that reports that internal protocol information has changed, eg. the TCP, DCCP and SCTP protocol state. * IPCT_HELPER, that a helper has been assigned or unassigned to this entry. * IPCT_MARK and IPCT_SECMARK, that reports that the mark has changed, this covers the case when a mark is set to zero. * IPCT_NATSEQADJ, to report that there's updates in the NAT sequence adjustment. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2009-06-02 14:08:46 -0400
committer: pablo <pablo@1984.(none)> 2009-06-02 14:08:46 -0400
commit: 17e6e4eac070607a35464ea7e2c5eceac32e5eca (patch)
tree: 3742492b50d87c07c18cec6ff2e81e1ebafdd128
parent: 6bfea1984aea86089907caf8974513c2402a3b3d (diff)
7 files changed, 8 insertions, 49 deletions
diff --git a/include/net/netfilter/nf_conntrack_ecache.h b/include/net/netfilter/nf_conntrack_ecache.h
index 892b8cdf7f62..2e17a2d0eb3b 100644
--- a/include/net/netfilter/nf_conntrack_ecache.h
+++ b/include/net/netfilter/nf_conntrack_ecache.h
@@ -26,52 +26,28 @@ enum ip_conntrack_events
        IPCT_DESTROY_BIT = 2,
        IPCT_DESTROY = (1 << IPCT_DESTROY_BIT),
-        /* Timer has been refreshed */
-        IPCT_REFRESH_BIT = 3,
-        IPCT_REFRESH = (1 << IPCT_REFRESH_BIT),
        /* Status has changed */
-        IPCT_STATUS_BIT = 4,
+        IPCT_STATUS_BIT = 3,
        IPCT_STATUS = (1 << IPCT_STATUS_BIT),
        /* Update of protocol info */
-        IPCT_PROTOINFO_BIT = 5,
+        IPCT_PROTOINFO_BIT = 4,
        IPCT_PROTOINFO = (1 << IPCT_PROTOINFO_BIT),
-        /* Volatile protocol info */
-        IPCT_PROTOINFO_VOLATILE_BIT = 6,
-        IPCT_PROTOINFO_VOLATILE = (1 << IPCT_PROTOINFO_VOLATILE_BIT),
        /* New helper for conntrack */
-        IPCT_HELPER_BIT = 7,
+        IPCT_HELPER_BIT = 5,
        IPCT_HELPER = (1 << IPCT_HELPER_BIT),
-        /* Update of helper info */
-        IPCT_HELPINFO_BIT = 8,
-        IPCT_HELPINFO = (1 << IPCT_HELPINFO_BIT),
-        /* Volatile helper info */
-        IPCT_HELPINFO_VOLATILE_BIT = 9,
-        IPCT_HELPINFO_VOLATILE = (1 << IPCT_HELPINFO_VOLATILE_BIT),
-        /* NAT info */
-        IPCT_NATINFO_BIT = 10,
-        IPCT_NATINFO = (1 << IPCT_NATINFO_BIT),
-        /* Counter highest bit has been set, unused */
-        IPCT_COUNTER_FILLING_BIT = 11,
-        IPCT_COUNTER_FILLING = (1 << IPCT_COUNTER_FILLING_BIT),
        /* Mark is set */
-        IPCT_MARK_BIT = 12,
+        IPCT_MARK_BIT = 6,
        IPCT_MARK = (1 << IPCT_MARK_BIT),
        /* NAT sequence adjustment */
-        IPCT_NATSEQADJ_BIT = 13,
+        IPCT_NATSEQADJ_BIT = 7,
        IPCT_NATSEQADJ = (1 << IPCT_NATSEQADJ_BIT),
        /* Secmark is set */
-        IPCT_SECMARK_BIT = 14,
+        IPCT_SECMARK_BIT = 8,
        IPCT_SECMARK = (1 << IPCT_SECMARK_BIT),
 };
diff --git a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
index 23b2c2ee869a..c6ab3d99e792 100644
--- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
+++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
@@ -91,7 +91,6 @@ static int icmp_packet(struct nf_conn *ct,
                        nf_ct_kill_acct(ct, ctinfo, skb);
        } else {
                atomic_inc(&ct->proto.icmp.count);
-                nf_conntrack_event_cache(IPCT_PROTOINFO_VOLATILE, ct);
                nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_icmp_timeout);
        }
diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
index 9903227bf37c..a0acd9655fef 100644
--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -104,7 +104,6 @@ static int icmpv6_packet(struct nf_conn *ct,
                        nf_ct_kill_acct(ct, ctinfo, skb);
        } else {
                atomic_inc(&ct->proto.icmp.count);
-                nf_conntrack_event_cache(IPCT_PROTOINFO_VOLATILE, ct);
                nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_icmpv6_timeout);
        }
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index f59c4edf905a..b54c23475e94 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -398,11 +398,7 @@ __nf_conntrack_confirm(struct sk_buff *skb)
        help = nfct_help(ct);
        if (help && help->helper)
                nf_conntrack_event_cache(IPCT_HELPER, ct);
-#ifdef CONFIG_NF_NAT_NEEDED
-        if (test_bit(IPS_SRC_NAT_DONE_BIT, &ct->status) ||
-            test_bit(IPS_DST_NAT_DONE_BIT, &ct->status))
-                nf_conntrack_event_cache(IPCT_NATINFO, ct);
-#endif
        nf_conntrack_event_cache(master_ct(ct) ?
                                 IPCT_RELATED : IPCT_NEW, ct);
        return NF_ACCEPT;
@@ -807,8 +803,6 @@ void __nf_ct_refresh_acct(struct nf_conn *ct,
                          unsigned long extra_jiffies,
                          int do_acct)
 {
-        int event = 0;
        NF_CT_ASSERT(ct->timeout.data == (unsigned long)ct);
        NF_CT_ASSERT(skb);
@@ -821,7 +815,6 @@ void __nf_ct_refresh_acct(struct nf_conn *ct,
        /* If not in hash table, timer will not be active yet */
        if (!nf_ct_is_confirmed(ct)) {
                ct->timeout.expires = extra_jiffies;
-                event = IPCT_REFRESH;
        } else {
                unsigned long newtime = jiffies + extra_jiffies;
@@ -832,7 +825,6 @@ void __nf_ct_refresh_acct(struct nf_conn *ct,
                    && del_timer(&ct->timeout)) {
                        ct->timeout.expires = newtime;
                        add_timer(&ct->timeout);
-                        event = IPCT_REFRESH;
                }
        }
@@ -849,10 +841,6 @@ acct:
        }
        spin_unlock_bh(&nf_conntrack_lock);
-        /* must be unlocked when calling event cache */
-        if (event)
-                nf_conntrack_event_cache(event, ct);
 }
 EXPORT_SYMBOL_GPL(__nf_ct_refresh_acct);
diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c
index 00fecc385f9b..5509dd1f14cf 100644
--- a/net/netfilter/nf_conntrack_ftp.c
+++ b/net/netfilter/nf_conntrack_ftp.c
@@ -338,11 +338,9 @@ static void update_nl_seq(struct nf_conn *ct, u32 nl_seq,
        if (info->seq_aft_nl_num[dir] < NUM_SEQ_TO_REMEMBER) {
                info->seq_aft_nl[dir][info->seq_aft_nl_num[dir]++] = nl_seq;
-                nf_conntrack_event_cache(IPCT_HELPINFO_VOLATILE, ct);
        } else if (oldest != NUM_SEQ_TO_REMEMBER &&
                   after(nl_seq, info->seq_aft_nl[dir][oldest])) {
                info->seq_aft_nl[dir][oldest] = nl_seq;
-                nf_conntrack_event_cache(IPCT_HELPINFO_VOLATILE, ct);
        }
 }
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 3a20de1be63c..b1b9e4fb7ded 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -477,7 +477,7 @@ static int ctnetlink_conntrack_event(struct notifier_block *this,
                type = IPCTNL_MSG_CT_NEW;
                flags = NLM_F_CREATE|NLM_F_EXCL;
                group = NFNLGRP_CONNTRACK_NEW;
-        } else  if (events & (IPCT_STATUS | IPCT_PROTOINFO)) {
+        } else  if (events) {
                type = IPCTNL_MSG_CT_NEW;
                group = NFNLGRP_CONNTRACK_UPDATE;
        } else
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 4c7f6f0dae90..b7e8a825efed 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -991,7 +991,6 @@ static int tcp_packet(struct nf_conn *ct,
                timeout = tcp_timeouts[new_state];
        write_unlock_bh(&tcp_lock);
-        nf_conntrack_event_cache(IPCT_PROTOINFO_VOLATILE, ct);
        if (new_state != old_state)
                nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
author	Pablo Neira Ayuso <pablo@netfilter.org>	2009-06-02 14:08:46 -0400
committer	pablo <pablo@1984.(none)>	2009-06-02 14:08:46 -0400
commit	17e6e4eac070607a35464ea7e2c5eceac32e5eca (patch)
tree	3742492b50d87c07c18cec6ff2e81e1ebafdd128
parent	6bfea1984aea86089907caf8974513c2402a3b3d (diff)

diff --git a/include/net/netfilter/nf_conntrack_ecache.h b/include/net/netfilter/nf_conntrack_ecache.h index 892b8cdf7f62..2e17a2d0eb3b 100644 --- a/include/net/netfilter/nf_conntrack_ecache.h +++ b/include/net/netfilter/nf_conntrack_ecache.h
@@ -26,52 +26,28 @@ enum ip_conntrack_events
26	IPCT_DESTROY_BIT = 2,	26	IPCT_DESTROY_BIT = 2,
27	IPCT_DESTROY = (1 << IPCT_DESTROY_BIT),	27	IPCT_DESTROY = (1 << IPCT_DESTROY_BIT),
28		28
29	/* Timer has been refreshed */
30	IPCT_REFRESH_BIT = 3,
31	IPCT_REFRESH = (1 << IPCT_REFRESH_BIT),
32
33	/* Status has changed */	29	/* Status has changed */
34	IPCT_STATUS_BIT = 4,	30	IPCT_STATUS_BIT = 3,
35	IPCT_STATUS = (1 << IPCT_STATUS_BIT),	31	IPCT_STATUS = (1 << IPCT_STATUS_BIT),
36		32
37	/* Update of protocol info */	33	/* Update of protocol info */
38	IPCT_PROTOINFO_BIT = 5,	34	IPCT_PROTOINFO_BIT = 4,
39	IPCT_PROTOINFO = (1 << IPCT_PROTOINFO_BIT),	35	IPCT_PROTOINFO = (1 << IPCT_PROTOINFO_BIT),
40		36
41	/* Volatile protocol info */
42	IPCT_PROTOINFO_VOLATILE_BIT = 6,
43	IPCT_PROTOINFO_VOLATILE = (1 << IPCT_PROTOINFO_VOLATILE_BIT),
44
45	/* New helper for conntrack */	37	/* New helper for conntrack */
46	IPCT_HELPER_BIT = 7,	38	IPCT_HELPER_BIT = 5,
47	IPCT_HELPER = (1 << IPCT_HELPER_BIT),	39	IPCT_HELPER = (1 << IPCT_HELPER_BIT),
48		40
49	/* Update of helper info */
50	IPCT_HELPINFO_BIT = 8,
51	IPCT_HELPINFO = (1 << IPCT_HELPINFO_BIT),
52
53	/* Volatile helper info */
54	IPCT_HELPINFO_VOLATILE_BIT = 9,
55	IPCT_HELPINFO_VOLATILE = (1 << IPCT_HELPINFO_VOLATILE_BIT),
56
57	/* NAT info */
58	IPCT_NATINFO_BIT = 10,
59	IPCT_NATINFO = (1 << IPCT_NATINFO_BIT),
60
61	/* Counter highest bit has been set, unused */
62	IPCT_COUNTER_FILLING_BIT = 11,
63	IPCT_COUNTER_FILLING = (1 << IPCT_COUNTER_FILLING_BIT),
64
65	/* Mark is set */	41	/* Mark is set */
66	IPCT_MARK_BIT = 12,	42	IPCT_MARK_BIT = 6,
67	IPCT_MARK = (1 << IPCT_MARK_BIT),	43	IPCT_MARK = (1 << IPCT_MARK_BIT),
68		44
69	/* NAT sequence adjustment */	45	/* NAT sequence adjustment */
70	IPCT_NATSEQADJ_BIT = 13,	46	IPCT_NATSEQADJ_BIT = 7,
71	IPCT_NATSEQADJ = (1 << IPCT_NATSEQADJ_BIT),	47	IPCT_NATSEQADJ = (1 << IPCT_NATSEQADJ_BIT),
72		48
73	/* Secmark is set */	49	/* Secmark is set */
74	IPCT_SECMARK_BIT = 14,	50	IPCT_SECMARK_BIT = 8,
75	IPCT_SECMARK = (1 << IPCT_SECMARK_BIT),	51	IPCT_SECMARK = (1 << IPCT_SECMARK_BIT),
76	};	52	};
77		53


diff --git a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c index 23b2c2ee869a..c6ab3d99e792 100644 --- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c +++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
@@ -91,7 +91,6 @@ static int icmp_packet(struct nf_conn *ct,
91	nf_ct_kill_acct(ct, ctinfo, skb);	91	nf_ct_kill_acct(ct, ctinfo, skb);
92	} else {	92	} else {
93	atomic_inc(&ct->proto.icmp.count);	93	atomic_inc(&ct->proto.icmp.count);
94	nf_conntrack_event_cache(IPCT_PROTOINFO_VOLATILE, ct);
95	nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_icmp_timeout);	94	nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_icmp_timeout);
96	}	95	}
97		96


diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c index 9903227bf37c..a0acd9655fef 100644 --- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c +++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -104,7 +104,6 @@ static int icmpv6_packet(struct nf_conn *ct,
104	nf_ct_kill_acct(ct, ctinfo, skb);	104	nf_ct_kill_acct(ct, ctinfo, skb);
105	} else {	105	} else {
106	atomic_inc(&ct->proto.icmp.count);	106	atomic_inc(&ct->proto.icmp.count);
107	nf_conntrack_event_cache(IPCT_PROTOINFO_VOLATILE, ct);
108	nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_icmpv6_timeout);	107	nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_icmpv6_timeout);
109	}	108	}
110		109


diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index f59c4edf905a..b54c23475e94 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c
@@ -398,11 +398,7 @@ __nf_conntrack_confirm(struct sk_buff *skb)
398	help = nfct_help(ct);	398	help = nfct_help(ct);
399	if (help && help->helper)	399	if (help && help->helper)
400	nf_conntrack_event_cache(IPCT_HELPER, ct);	400	nf_conntrack_event_cache(IPCT_HELPER, ct);
401	#ifdef CONFIG_NF_NAT_NEEDED	401
402	if (test_bit(IPS_SRC_NAT_DONE_BIT, &ct->status) \|\|
403	test_bit(IPS_DST_NAT_DONE_BIT, &ct->status))
404	nf_conntrack_event_cache(IPCT_NATINFO, ct);
405	#endif
406	nf_conntrack_event_cache(master_ct(ct) ?	402	nf_conntrack_event_cache(master_ct(ct) ?
407	IPCT_RELATED : IPCT_NEW, ct);	403	IPCT_RELATED : IPCT_NEW, ct);
408	return NF_ACCEPT;	404	return NF_ACCEPT;
@@ -807,8 +803,6 @@ void __nf_ct_refresh_acct(struct nf_conn *ct,
807	unsigned long extra_jiffies,	803	unsigned long extra_jiffies,
808	int do_acct)	804	int do_acct)
809	{	805	{
810	int event = 0;
811
812	NF_CT_ASSERT(ct->timeout.data == (unsigned long)ct);	806	NF_CT_ASSERT(ct->timeout.data == (unsigned long)ct);
813	NF_CT_ASSERT(skb);	807	NF_CT_ASSERT(skb);
814		808
@@ -821,7 +815,6 @@ void __nf_ct_refresh_acct(struct nf_conn *ct,
821	/* If not in hash table, timer will not be active yet */	815	/* If not in hash table, timer will not be active yet */
822	if (!nf_ct_is_confirmed(ct)) {	816	if (!nf_ct_is_confirmed(ct)) {
823	ct->timeout.expires = extra_jiffies;	817	ct->timeout.expires = extra_jiffies;
824	event = IPCT_REFRESH;
825	} else {	818	} else {
826	unsigned long newtime = jiffies + extra_jiffies;	819	unsigned long newtime = jiffies + extra_jiffies;
827		820
@@ -832,7 +825,6 @@ void __nf_ct_refresh_acct(struct nf_conn *ct,
832	&& del_timer(&ct->timeout)) {	825	&& del_timer(&ct->timeout)) {
833	ct->timeout.expires = newtime;	826	ct->timeout.expires = newtime;
834	add_timer(&ct->timeout);	827	add_timer(&ct->timeout);
835	event = IPCT_REFRESH;
836	}	828	}
837	}	829	}
838		830
@@ -849,10 +841,6 @@ acct:
849	}	841	}
850		842
851	spin_unlock_bh(&nf_conntrack_lock);	843	spin_unlock_bh(&nf_conntrack_lock);
852
853	/* must be unlocked when calling event cache */
854	if (event)
855	nf_conntrack_event_cache(event, ct);
856	}	844	}
857	EXPORT_SYMBOL_GPL(__nf_ct_refresh_acct);	845	EXPORT_SYMBOL_GPL(__nf_ct_refresh_acct);
858		846


diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c index 00fecc385f9b..5509dd1f14cf 100644 --- a/net/netfilter/nf_conntrack_ftp.c +++ b/net/netfilter/nf_conntrack_ftp.c
@@ -338,11 +338,9 @@ static void update_nl_seq(struct nf_conn *ct, u32 nl_seq,
338		338
339	if (info->seq_aft_nl_num[dir] < NUM_SEQ_TO_REMEMBER) {	339	if (info->seq_aft_nl_num[dir] < NUM_SEQ_TO_REMEMBER) {
340	info->seq_aft_nl[dir][info->seq_aft_nl_num[dir]++] = nl_seq;	340	info->seq_aft_nl[dir][info->seq_aft_nl_num[dir]++] = nl_seq;
341	nf_conntrack_event_cache(IPCT_HELPINFO_VOLATILE, ct);
342	} else if (oldest != NUM_SEQ_TO_REMEMBER &&	341	} else if (oldest != NUM_SEQ_TO_REMEMBER &&
343	after(nl_seq, info->seq_aft_nl[dir][oldest])) {	342	after(nl_seq, info->seq_aft_nl[dir][oldest])) {
344	info->seq_aft_nl[dir][oldest] = nl_seq;	343	info->seq_aft_nl[dir][oldest] = nl_seq;
345	nf_conntrack_event_cache(IPCT_HELPINFO_VOLATILE, ct);
346	}	344	}
347	}	345	}
348		346


diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 3a20de1be63c..b1b9e4fb7ded 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c
@@ -477,7 +477,7 @@ static int ctnetlink_conntrack_event(struct notifier_block *this,
477	type = IPCTNL_MSG_CT_NEW;	477	type = IPCTNL_MSG_CT_NEW;
478	flags = NLM_F_CREATE\|NLM_F_EXCL;	478	flags = NLM_F_CREATE\|NLM_F_EXCL;
479	group = NFNLGRP_CONNTRACK_NEW;	479	group = NFNLGRP_CONNTRACK_NEW;
480	} else if (events & (IPCT_STATUS \| IPCT_PROTOINFO)) {	480	} else if (events) {
481	type = IPCTNL_MSG_CT_NEW;	481	type = IPCTNL_MSG_CT_NEW;
482	group = NFNLGRP_CONNTRACK_UPDATE;	482	group = NFNLGRP_CONNTRACK_UPDATE;
483	} else	483	} else


diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c index 4c7f6f0dae90..b7e8a825efed 100644 --- a/net/netfilter/nf_conntrack_proto_tcp.c +++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -991,7 +991,6 @@ static int tcp_packet(struct nf_conn *ct,
991	timeout = tcp_timeouts[new_state];	991	timeout = tcp_timeouts[new_state];
992	write_unlock_bh(&tcp_lock);	992	write_unlock_bh(&tcp_lock);
993		993
994	nf_conntrack_event_cache(IPCT_PROTOINFO_VOLATILE, ct);
995	if (new_state != old_state)	994	if (new_state != old_state)
996	nf_conntrack_event_cache(IPCT_PROTOINFO, ct);	995	nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
997		996