diff options
| author | Patrick McHardy <kaber@trash.net> | 2010-02-03 07:48:53 -0500 |
|---|---|---|
| committer | Patrick McHardy <kaber@trash.net> | 2010-02-03 07:48:53 -0500 |
| commit | 858b31330054a9ad259feceea0ad1ce5385c47f0 (patch) | |
| tree | 642349680ff9c29d506dd7661bbc8b724209fbf5 /include/net | |
| parent | add67461240c1dadc7c8d97e66f8f92b556ca523 (diff) | |
netfilter: nf_conntrack: split up IPCT_STATUS event
Split up the IPCT_STATUS event into an IPCT_REPLY event, which is generated
when the IPS_SEEN_REPLY bit is set, and an IPCT_ASSURED event, which is
generated when the IPS_ASSURED bit is set.
In combination with a following patch to support selective event delivery,
this can be used for "sparse" conntrack replication: start replicating the
conntrack entry after it reached the ASSURED state and that way it's SYN-flood
resistant.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Diffstat (limited to 'include/net')
| -rw-r--r-- | include/net/netfilter/nf_conntrack_ecache.h | 21 |
1 files changed, 11 insertions, 10 deletions
diff --git a/include/net/netfilter/nf_conntrack_ecache.h b/include/net/netfilter/nf_conntrack_ecache.h index 475facc3051a..5e05fb883ab1 100644 --- a/include/net/netfilter/nf_conntrack_ecache.h +++ b/include/net/netfilter/nf_conntrack_ecache.h | |||
| @@ -14,19 +14,20 @@ | |||
| 14 | 14 | ||
| 15 | /* Connection tracking event types */ | 15 | /* Connection tracking event types */ |
| 16 | enum ip_conntrack_events { | 16 | enum ip_conntrack_events { |
| 17 | IPCT_NEW = 0, /* new conntrack */ | 17 | IPCT_NEW, /* new conntrack */ |
| 18 | IPCT_RELATED = 1, /* related conntrack */ | 18 | IPCT_RELATED, /* related conntrack */ |
| 19 | IPCT_DESTROY = 2, /* destroyed conntrack */ | 19 | IPCT_DESTROY, /* destroyed conntrack */ |
| 20 | IPCT_STATUS = 3, /* status has changed */ | 20 | IPCT_REPLY, /* connection has seen two-way traffic */ |
| 21 | IPCT_PROTOINFO = 4, /* protocol information has changed */ | 21 | IPCT_ASSURED, /* connection status has changed to assured */ |
| 22 | IPCT_HELPER = 5, /* new helper has been set */ | 22 | IPCT_PROTOINFO, /* protocol information has changed */ |
| 23 | IPCT_MARK = 6, /* new mark has been set */ | 23 | IPCT_HELPER, /* new helper has been set */ |
| 24 | IPCT_NATSEQADJ = 7, /* NAT is doing sequence adjustment */ | 24 | IPCT_MARK, /* new mark has been set */ |
| 25 | IPCT_SECMARK = 8, /* new security mark has been set */ | 25 | IPCT_NATSEQADJ, /* NAT is doing sequence adjustment */ |
| 26 | IPCT_SECMARK, /* new security mark has been set */ | ||
| 26 | }; | 27 | }; |
| 27 | 28 | ||
| 28 | enum ip_conntrack_expect_events { | 29 | enum ip_conntrack_expect_events { |
| 29 | IPEXP_NEW = 0, /* new expectation */ | 30 | IPEXP_NEW, /* new expectation */ |
| 30 | }; | 31 | }; |
| 31 | 32 | ||
| 32 | struct nf_conntrack_ecache { | 33 | struct nf_conntrack_ecache { |