aboutsummaryrefslogtreecommitdiffstats
path: root/include/net
diff options
context:
space:
mode:
authorPablo Neira Ayuso <pablo@netfilter.org>2008-11-18 05:56:20 -0500
committerPatrick McHardy <kaber@trash.net>2008-11-18 05:56:20 -0500
commit19abb7b090a6bce88d4e9b2914a0367f4f684432 (patch)
tree3603eafaf214ef1ab200c6e5d6d05318512a3bd6 /include/net
parent226c0c0ef2abdf91b8d9cce1aaf7d4635a5e5926 (diff)
netfilter: ctnetlink: deliver events for conntracks changed from userspace
As for now, the creation and update of conntracks via ctnetlink do not propagate an event to userspace. This can result in inconsistent situations if several userspace processes modify the connection tracking table by means of ctnetlink at the same time. Specifically, using the conntrack command line tool and conntrackd at the same time can trigger unconsistencies. This patch also modifies the event cache infrastructure to pass the process PID and the ECHO flag to nfnetlink_send() to report back to userspace if the process that triggered the change needs so. Based on a suggestion from Patrick McHardy. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Patrick McHardy <kaber@trash.net>
Diffstat (limited to 'include/net')
-rw-r--r--include/net/netfilter/nf_conntrack.h2
-rw-r--r--include/net/netfilter/nf_conntrack_ecache.h57
-rw-r--r--include/net/netfilter/nf_conntrack_expect.h2
3 files changed, 56 insertions, 5 deletions
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index f11255e1ea35..2e0c53641cbe 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -199,7 +199,7 @@ __nf_conntrack_find(struct net *net, const struct nf_conntrack_tuple *tuple);
199 199
200extern void nf_conntrack_hash_insert(struct nf_conn *ct); 200extern void nf_conntrack_hash_insert(struct nf_conn *ct);
201 201
202extern void nf_conntrack_flush(struct net *net); 202extern void nf_conntrack_flush(struct net *net, u32 pid, int report);
203 203
204extern bool nf_ct_get_tuplepr(const struct sk_buff *skb, 204extern bool nf_ct_get_tuplepr(const struct sk_buff *skb,
205 unsigned int nhoff, u_int16_t l3num, 205 unsigned int nhoff, u_int16_t l3num,
diff --git a/include/net/netfilter/nf_conntrack_ecache.h b/include/net/netfilter/nf_conntrack_ecache.h
index 1285ff26a014..0ff0dc69ca4a 100644
--- a/include/net/netfilter/nf_conntrack_ecache.h
+++ b/include/net/netfilter/nf_conntrack_ecache.h
@@ -17,6 +17,13 @@ struct nf_conntrack_ecache {
17 unsigned int events; 17 unsigned int events;
18}; 18};
19 19
20/* This structure is passed to event handler */
21struct nf_ct_event {
22 struct nf_conn *ct;
23 u32 pid;
24 int report;
25};
26
20extern struct atomic_notifier_head nf_conntrack_chain; 27extern struct atomic_notifier_head nf_conntrack_chain;
21extern int nf_conntrack_register_notifier(struct notifier_block *nb); 28extern int nf_conntrack_register_notifier(struct notifier_block *nb);
22extern int nf_conntrack_unregister_notifier(struct notifier_block *nb); 29extern int nf_conntrack_unregister_notifier(struct notifier_block *nb);
@@ -39,22 +46,56 @@ nf_conntrack_event_cache(enum ip_conntrack_events event, struct nf_conn *ct)
39 local_bh_enable(); 46 local_bh_enable();
40} 47}
41 48
42static inline void nf_conntrack_event(enum ip_conntrack_events event, 49static inline void
43 struct nf_conn *ct) 50nf_conntrack_event_report(enum ip_conntrack_events event,
51 struct nf_conn *ct,
52 u32 pid,
53 int report)
44{ 54{
55 struct nf_ct_event item = {
56 .ct = ct,
57 .pid = pid,
58 .report = report
59 };
45 if (nf_ct_is_confirmed(ct) && !nf_ct_is_dying(ct)) 60 if (nf_ct_is_confirmed(ct) && !nf_ct_is_dying(ct))
46 atomic_notifier_call_chain(&nf_conntrack_chain, event, ct); 61 atomic_notifier_call_chain(&nf_conntrack_chain, event, &item);
47} 62}
48 63
64static inline void
65nf_conntrack_event(enum ip_conntrack_events event, struct nf_conn *ct)
66{
67 nf_conntrack_event_report(event, ct, 0, 0);
68}
69
70struct nf_exp_event {
71 struct nf_conntrack_expect *exp;
72 u32 pid;
73 int report;
74};
75
49extern struct atomic_notifier_head nf_ct_expect_chain; 76extern struct atomic_notifier_head nf_ct_expect_chain;
50extern int nf_ct_expect_register_notifier(struct notifier_block *nb); 77extern int nf_ct_expect_register_notifier(struct notifier_block *nb);
51extern int nf_ct_expect_unregister_notifier(struct notifier_block *nb); 78extern int nf_ct_expect_unregister_notifier(struct notifier_block *nb);
52 79
53static inline void 80static inline void
81nf_ct_expect_event_report(enum ip_conntrack_expect_events event,
82 struct nf_conntrack_expect *exp,
83 u32 pid,
84 int report)
85{
86 struct nf_exp_event item = {
87 .exp = exp,
88 .pid = pid,
89 .report = report
90 };
91 atomic_notifier_call_chain(&nf_ct_expect_chain, event, &item);
92}
93
94static inline void
54nf_ct_expect_event(enum ip_conntrack_expect_events event, 95nf_ct_expect_event(enum ip_conntrack_expect_events event,
55 struct nf_conntrack_expect *exp) 96 struct nf_conntrack_expect *exp)
56{ 97{
57 atomic_notifier_call_chain(&nf_ct_expect_chain, event, exp); 98 nf_ct_expect_event_report(event, exp, 0, 0);
58} 99}
59 100
60extern int nf_conntrack_ecache_init(struct net *net); 101extern int nf_conntrack_ecache_init(struct net *net);
@@ -66,9 +107,17 @@ static inline void nf_conntrack_event_cache(enum ip_conntrack_events event,
66 struct nf_conn *ct) {} 107 struct nf_conn *ct) {}
67static inline void nf_conntrack_event(enum ip_conntrack_events event, 108static inline void nf_conntrack_event(enum ip_conntrack_events event,
68 struct nf_conn *ct) {} 109 struct nf_conn *ct) {}
110static inline void nf_conntrack_event_report(enum ip_conntrack_events event,
111 struct nf_conn *ct,
112 u32 pid,
113 int report) {}
69static inline void nf_ct_deliver_cached_events(const struct nf_conn *ct) {} 114static inline void nf_ct_deliver_cached_events(const struct nf_conn *ct) {}
70static inline void nf_ct_expect_event(enum ip_conntrack_expect_events event, 115static inline void nf_ct_expect_event(enum ip_conntrack_expect_events event,
71 struct nf_conntrack_expect *exp) {} 116 struct nf_conntrack_expect *exp) {}
117static inline void nf_ct_expect_event_report(enum ip_conntrack_expect_events e,
118 struct nf_conntrack_expect *exp,
119 u32 pid,
120 int report) {}
72static inline void nf_ct_event_cache_flush(struct net *net) {} 121static inline void nf_ct_event_cache_flush(struct net *net) {}
73 122
74static inline int nf_conntrack_ecache_init(struct net *net) 123static inline int nf_conntrack_ecache_init(struct net *net)
diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h
index 37a7fc1164b0..ab17a159ac66 100644
--- a/include/net/netfilter/nf_conntrack_expect.h
+++ b/include/net/netfilter/nf_conntrack_expect.h
@@ -100,6 +100,8 @@ void nf_ct_expect_init(struct nf_conntrack_expect *, unsigned int, u_int8_t,
100 u_int8_t, const __be16 *, const __be16 *); 100 u_int8_t, const __be16 *, const __be16 *);
101void nf_ct_expect_put(struct nf_conntrack_expect *exp); 101void nf_ct_expect_put(struct nf_conntrack_expect *exp);
102int nf_ct_expect_related(struct nf_conntrack_expect *expect); 102int nf_ct_expect_related(struct nf_conntrack_expect *expect);
103int nf_ct_expect_related_report(struct nf_conntrack_expect *expect,
104 u32 pid, int report);
103 105
104#endif /*_NF_CONNTRACK_EXPECT_H*/ 106#endif /*_NF_CONNTRACK_EXPECT_H*/
105 107