aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorJan Engelhardt <jengelh@medozas.de>2009-06-29 08:31:46 -0400
committerPatrick McHardy <kaber@trash.net>2009-06-29 08:31:46 -0400
commitd6d3f08b0fd998b647a05540cedd11a067b72867 (patch)
tree9f5152df21771607d13440fe5ae2db9c08051a6b
parent8a3af79361e85db6fec4173ef1916322471c19e3 (diff)
netfilter: xtables: conntrack match revision 2
As reported by Philip, the UNTRACKED state bit does not fit within the 8-bit state_mask member. Enlarge state_mask and give status_mask a few more bits too. Reported-by: Philip Craig <philipc@snapgear.com> References: http://markmail.org/thread/b7eg6aovfh4agyz7 Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Patrick McHardy <kaber@trash.net>
-rw-r--r--include/linux/netfilter/xt_conntrack.h13
-rw-r--r--net/netfilter/xt_conntrack.c66
2 files changed, 73 insertions, 6 deletions
diff --git a/include/linux/netfilter/xt_conntrack.h b/include/linux/netfilter/xt_conntrack.h
index 3430c7751948..7ae05338e94c 100644
--- a/include/linux/netfilter/xt_conntrack.h
+++ b/include/linux/netfilter/xt_conntrack.h
@@ -81,4 +81,17 @@ struct xt_conntrack_mtinfo1 {
81 __u8 state_mask, status_mask; 81 __u8 state_mask, status_mask;
82}; 82};
83 83
84struct xt_conntrack_mtinfo2 {
85 union nf_inet_addr origsrc_addr, origsrc_mask;
86 union nf_inet_addr origdst_addr, origdst_mask;
87 union nf_inet_addr replsrc_addr, replsrc_mask;
88 union nf_inet_addr repldst_addr, repldst_mask;
89 __u32 expires_min, expires_max;
90 __u16 l4proto;
91 __be16 origsrc_port, origdst_port;
92 __be16 replsrc_port, repldst_port;
93 __u16 match_flags, invert_flags;
94 __u16 state_mask, status_mask;
95};
96
84#endif /*_XT_CONNTRACK_H*/ 97#endif /*_XT_CONNTRACK_H*/
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index 0b7139f3dd78..fc581800698e 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -129,7 +129,7 @@ conntrack_addrcmp(const union nf_inet_addr *kaddr,
129 129
130static inline bool 130static inline bool
131conntrack_mt_origsrc(const struct nf_conn *ct, 131conntrack_mt_origsrc(const struct nf_conn *ct,
132 const struct xt_conntrack_mtinfo1 *info, 132 const struct xt_conntrack_mtinfo2 *info,
133 u_int8_t family) 133 u_int8_t family)
134{ 134{
135 return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3, 135 return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3,
@@ -138,7 +138,7 @@ conntrack_mt_origsrc(const struct nf_conn *ct,
138 138
139static inline bool 139static inline bool
140conntrack_mt_origdst(const struct nf_conn *ct, 140conntrack_mt_origdst(const struct nf_conn *ct,
141 const struct xt_conntrack_mtinfo1 *info, 141 const struct xt_conntrack_mtinfo2 *info,
142 u_int8_t family) 142 u_int8_t family)
143{ 143{
144 return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3, 144 return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3,
@@ -147,7 +147,7 @@ conntrack_mt_origdst(const struct nf_conn *ct,
147 147
148static inline bool 148static inline bool
149conntrack_mt_replsrc(const struct nf_conn *ct, 149conntrack_mt_replsrc(const struct nf_conn *ct,
150 const struct xt_conntrack_mtinfo1 *info, 150 const struct xt_conntrack_mtinfo2 *info,
151 u_int8_t family) 151 u_int8_t family)
152{ 152{
153 return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3, 153 return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3,
@@ -156,7 +156,7 @@ conntrack_mt_replsrc(const struct nf_conn *ct,
156 156
157static inline bool 157static inline bool
158conntrack_mt_repldst(const struct nf_conn *ct, 158conntrack_mt_repldst(const struct nf_conn *ct,
159 const struct xt_conntrack_mtinfo1 *info, 159 const struct xt_conntrack_mtinfo2 *info,
160 u_int8_t family) 160 u_int8_t family)
161{ 161{
162 return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3, 162 return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3,
@@ -164,7 +164,7 @@ conntrack_mt_repldst(const struct nf_conn *ct,
164} 164}
165 165
166static inline bool 166static inline bool
167ct_proto_port_check(const struct xt_conntrack_mtinfo1 *info, 167ct_proto_port_check(const struct xt_conntrack_mtinfo2 *info,
168 const struct nf_conn *ct) 168 const struct nf_conn *ct)
169{ 169{
170 const struct nf_conntrack_tuple *tuple; 170 const struct nf_conntrack_tuple *tuple;
@@ -204,7 +204,7 @@ ct_proto_port_check(const struct xt_conntrack_mtinfo1 *info,
204static bool 204static bool
205conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par) 205conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par)
206{ 206{
207 const struct xt_conntrack_mtinfo1 *info = par->matchinfo; 207 const struct xt_conntrack_mtinfo2 *info = par->matchinfo;
208 enum ip_conntrack_info ctinfo; 208 enum ip_conntrack_info ctinfo;
209 const struct nf_conn *ct; 209 const struct nf_conn *ct;
210 unsigned int statebit; 210 unsigned int statebit;
@@ -278,6 +278,16 @@ conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par)
278 return true; 278 return true;
279} 279}
280 280
281static bool
282conntrack_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par)
283{
284 const struct xt_conntrack_mtinfo2 *const *info = par->matchinfo;
285 struct xt_match_param newpar = *par;
286
287 newpar.matchinfo = *info;
288 return conntrack_mt(skb, &newpar);
289}
290
281static bool conntrack_mt_check(const struct xt_mtchk_param *par) 291static bool conntrack_mt_check(const struct xt_mtchk_param *par)
282{ 292{
283 if (nf_ct_l3proto_try_module_get(par->family) < 0) { 293 if (nf_ct_l3proto_try_module_get(par->family) < 0) {
@@ -288,11 +298,45 @@ static bool conntrack_mt_check(const struct xt_mtchk_param *par)
288 return true; 298 return true;
289} 299}
290 300
301static bool conntrack_mt_check_v1(const struct xt_mtchk_param *par)
302{
303 struct xt_conntrack_mtinfo1 *info = par->matchinfo;
304 struct xt_conntrack_mtinfo2 *up;
305 int ret = conntrack_mt_check(par);
306
307 if (ret < 0)
308 return ret;
309
310 up = kmalloc(sizeof(*up), GFP_KERNEL);
311 if (up == NULL) {
312 nf_ct_l3proto_module_put(par->family);
313 return -ENOMEM;
314 }
315
316 /*
317 * The strategy here is to minimize the overhead of v1 matching,
318 * by prebuilding a v2 struct and putting the pointer into the
319 * v1 dataspace.
320 */
321 memcpy(up, info, offsetof(typeof(*info), state_mask));
322 up->state_mask = info->state_mask;
323 up->status_mask = info->status_mask;
324 *(void **)info = up;
325 return true;
326}
327
291static void conntrack_mt_destroy(const struct xt_mtdtor_param *par) 328static void conntrack_mt_destroy(const struct xt_mtdtor_param *par)
292{ 329{
293 nf_ct_l3proto_module_put(par->family); 330 nf_ct_l3proto_module_put(par->family);
294} 331}
295 332
333static void conntrack_mt_destroy_v1(const struct xt_mtdtor_param *par)
334{
335 struct xt_conntrack_mtinfo2 **info = par->matchinfo;
336 kfree(*info);
337 conntrack_mt_destroy(par);
338}
339
296#ifdef CONFIG_COMPAT 340#ifdef CONFIG_COMPAT
297struct compat_xt_conntrack_info 341struct compat_xt_conntrack_info
298{ 342{
@@ -363,6 +407,16 @@ static struct xt_match conntrack_mt_reg[] __read_mostly = {
363 .revision = 1, 407 .revision = 1,
364 .family = NFPROTO_UNSPEC, 408 .family = NFPROTO_UNSPEC,
365 .matchsize = sizeof(struct xt_conntrack_mtinfo1), 409 .matchsize = sizeof(struct xt_conntrack_mtinfo1),
410 .match = conntrack_mt_v1,
411 .checkentry = conntrack_mt_check_v1,
412 .destroy = conntrack_mt_destroy_v1,
413 .me = THIS_MODULE,
414 },
415 {
416 .name = "conntrack",
417 .revision = 2,
418 .family = NFPROTO_UNSPEC,
419 .matchsize = sizeof(struct xt_conntrack_mtinfo2),
366 .match = conntrack_mt, 420 .match = conntrack_mt,
367 .checkentry = conntrack_mt_check, 421 .checkentry = conntrack_mt_check,
368 .destroy = conntrack_mt_destroy, 422 .destroy = conntrack_mt_destroy,