author | Patrick McHardy <kaber@trash.net> | 2010-02-15 12:13:33 -0500 |
---|---|---|
committer | Patrick McHardy <kaber@trash.net> | 2010-02-15 12:13:33 -0500 |
commit | 5d0aa2ccd4699a01cfdf14886191c249d7b45a01 (patch) | |
tree | 6ea81b5eede26bd6a04bcc3cd79770c334139381 /include/net | |
parent | 8fea97ec1772bbf553d89187340ef624d548e115 (diff) |
netfilter: nf_conntrack: add support for "conntrack zones"
Normally, each connection needs a unique identity. Conntrack zones allow a numerical zone to be assigned with the CT target; connections in different zones can use the same identity.
Example:
iptables -t raw -A PREROUTING -i veth0 -j CT --zone 1
iptables -t raw -A OUTPUT -o veth1 -j CT --zone 1
Signed-off-by: Patrick McHardy <kaber@trash.net>
Diffstat (limited to 'include/net')
-rw-r--r-- | include/net/ip.h | 3 | ||||
-rw-r--r-- | include/net/ipv6.h | 3 | ||||
-rw-r--r-- | include/net/netfilter/nf_conntrack.h | 5 | ||||
-rw-r--r-- | include/net/netfilter/nf_conntrack_core.h | 3 | ||||
-rw-r--r-- | include/net/netfilter/nf_conntrack_expect.h | 9 | ||||
-rw-r--r-- | include/net/netfilter/nf_conntrack_extend.h | 2 | ||||
-rw-r--r-- | include/net/netfilter/nf_conntrack_zones.h | 23 |
7 files changed, 42 insertions, 6 deletions
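--- a/include/net/ip.h
+++ b/include/net/ip.h
@@ -352,8 +352,11 @@ enum ip_defrag_users {
 IP_DEFRAG_LOCAL_DELIVER,
 IP_DEFRAG_CALL_RA_CHAIN,
 IP_DEFRAG_CONNTRACK_IN,
+__IP_DEFRAG_CONNTRACK_IN_END = IP_DEFRAG_CONNTRACK_IN + USHORT_MAX,
 IP_DEFRAG_CONNTRACK_OUT,
+__IP_DEFRAG_CONNTRACK_OUT_END = IP_DEFRAG_CONNTRACK_OUT + USHORT_MAX,
 IP_DEFRAG_CONNTRACK_BRIDGE_IN,
+__IP_DEFRAG_CONNTRACK_BRIDGE_IN = IP_DEFRAG_CONNTRACK_BRIDGE_IN + USHORT_MAX,
 IP_DEFRAG_VS_IN,
 IP_DEFRAG_VS_OUT,
 IP_DEFRAG_VS_FWD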
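Review bot: The third sentinel added in this hunk, `__IP_DEFRAG_CONNTRACK_BRIDGE_IN`, drops the `_END` suffix that `__IP_DEFRAG_CONNTRACK_IN_END` and `__IP_DEFRAG_CONNTRACK_OUT_END` carry a few lines above, so the three reserved ranges are named inconsistently; I would rename it `__IP_DEFRAG_CONNTRACK_BRIDGE_IN_END = IP_DEFRAG_CONNTRACK_BRIDGE_IN + USHORT_MAX,`. Nothing in the hunk says why USHORT_MAX ids are reserved after each conntrack user; presumably the 16-bit zone id is added to the base so that fragments from different zones are never reassembled into one datagram, and that deserves a comment such as `/* conntrack reserves USHORT_MAX+1 ids per hook so the zone id can be folded into the defrag user */` above the first sentinel. As written a zone of 65535 lands exactly on the `_END` value and the next base is one past it, so the ranges do not overlap. The enum's opening brace and closing `};` lie outside the hunk.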
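--- a/include/net/ipv6.h
+++ b/include/net/ipv6.h
@@ -355,8 +355,11 @@ struct inet_frag_queue;
 enum ip6_defrag_users {
 IP6_DEFRAG_LOCAL_DELIVER,
 IP6_DEFRAG_CONNTRACK_IN,
+__IP6_DEFRAG_CONNTRACK_IN = IP6_DEFRAG_CONNTRACK_IN + USHORT_MAX,
 IP6_DEFRAG_CONNTRACK_OUT,
+__IP6_DEFRAG_CONNTRACK_OUT = IP6_DEFRAG_CONNTRACK_OUT + USHORT_MAX,
 IP6_DEFRAG_CONNTRACK_BRIDGE_IN,
+__IP6_DEFRAG_CONNTRACK_BRIDGE_IN = IP6_DEFRAG_CONNTRACK_BRIDGE_IN + USHORT_MAX,
 };
 
 struct ip6_create_arg {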
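Review bot: The sentinels added here, `__IP6_DEFRAG_CONNTRACK_IN`, `__IP6_DEFRAG_CONNTRACK_OUT` and `__IP6_DEFRAG_CONNTRACK_BRIDGE_IN`, omit the `_END` suffix that this same commit uses for the IPv4 counterparts in include/net/ip.h, so the two headers name the same construct differently; I would use `__IP6_DEFRAG_CONNTRACK_IN_END` and so on, matching whichever form ip.h settles on. The reserved width (`+ USHORT_MAX`) does match ip.h, and since the bridge sentinel is the last enumerator nothing follows it that could collide. A one-line comment stating that each conntrack hook reserves USHORT_MAX+1 defrag user ids for the zone would help here too, as the rationale is only implied by the commit message.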
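--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -198,7 +198,8 @@ extern void *nf_ct_alloc_hashtable(unsigned int *sizep, int *vmalloced, int null
 extern void nf_ct_free_hashtable(void *hash, int vmalloced, unsigned int size);
 
 extern struct nf_conntrack_tuple_hash *
-__nf_conntrack_find(struct net *net, const struct nf_conntrack_tuple *tuple);
+__nf_conntrack_find(struct net *net, u16 zone,
+const struct nf_conntrack_tuple *tuple);
 
 extern void nf_conntrack_hash_insert(struct nf_conn *ct);
 extern void nf_ct_delete_from_lists(struct nf_conn *ct);
@@ -267,7 +268,7 @@ extern void
 nf_ct_iterate_cleanup(struct net *net, int (*iter)(struct nf_conn *i, void *data), void *data);
 extern void nf_conntrack_free(struct nf_conn *ct);
 extern struct nf_conn *
-nf_conntrack_alloc(struct net *net,
+nf_conntrack_alloc(struct net *net, u16 zone,
 const struct nf_conntrack_tuple *orig,
 const struct nf_conntrack_tuple *repl,
 gfp_t gfp);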
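Review bot: The new `u16 zone` parameter on `__nf_conntrack_find` and `nf_conntrack_alloc` is undocumented, and nothing near either prototype tells a caller what to pass when zones are not configured. Going by the commit message the lookup is presumably confined to the given zone, so I would add above `__nf_conntrack_find` a comment such as `/* zone: conntrack zone to search; pass NF_CT_DEFAULT_ZONE (nf_conntrack_zones.h) when zones are not in use */` and note on `nf_conntrack_alloc` that the new entry is created in `zone`. A caller that forgets the argument's meaning and hands in 0 silently searches or populates the default zone, so the contract is worth spelling out at the declaration.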
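--- a/include/net/netfilter/nf_conntrack_core.h
+++ b/include/net/netfilter/nf_conntrack_core.h
@@ -49,7 +49,8 @@ nf_ct_invert_tuple(struct nf_conntrack_tuple *inverse,
 
 /* Find a connection corresponding to a tuple. */
 extern struct nf_conntrack_tuple_hash *
-nf_conntrack_find_get(struct net *net, const struct nf_conntrack_tuple *tuple);
+nf_conntrack_find_get(struct net *net, u16 zone,
+const struct nf_conntrack_tuple *tuple);
 
 extern int __nf_conntrack_confirm(struct sk_buff *skb);
 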
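Review bot: The comment `/* Find a connection corresponding to a tuple. */` above `nf_conntrack_find_get` is now incomplete, because the prototype two lines below it gains a `u16 zone` argument that the comment does not mention. I would change it to `/* Find a connection corresponding to a tuple within the given conntrack zone. */` so the restriction is visible at the declaration. The hunk opens on the blank line after the `nf_ct_invert_tuple` prototype, whose parameter list continues outside the hunk.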
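--- a/include/net/netfilter/nf_conntrack_expect.h
+++ b/include/net/netfilter/nf_conntrack_expect.h
@@ -74,13 +74,16 @@ int nf_conntrack_expect_init(struct net *net);
 void nf_conntrack_expect_fini(struct net *net);
 
 struct nf_conntrack_expect *
-__nf_ct_expect_find(struct net *net, const struct nf_conntrack_tuple *tuple);
+__nf_ct_expect_find(struct net *net, u16 zone,
+const struct nf_conntrack_tuple *tuple);
 
 struct nf_conntrack_expect *
-nf_ct_expect_find_get(struct net *net, const struct nf_conntrack_tuple *tuple);
+nf_ct_expect_find_get(struct net *net, u16 zone,
+const struct nf_conntrack_tuple *tuple);
 
 struct nf_conntrack_expect *
-nf_ct_find_expectation(struct net *net, const struct nf_conntrack_tuple *tuple);
+nf_ct_find_expectation(struct net *net, u16 zone,
+const struct nf_conntrack_tuple *tuple);
 
 void nf_ct_unlink_expect(struct nf_conntrack_expect *exp);
 void nf_ct_remove_expectations(struct nf_conn *ct);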
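--- a/include/net/netfilter/nf_conntrack_extend.h
+++ b/include/net/netfilter/nf_conntrack_extend.h
@@ -8,6 +8,7 @@ enum nf_ct_ext_id {
 NF_CT_EXT_NAT,
 NF_CT_EXT_ACCT,
 NF_CT_EXT_ECACHE,
+NF_CT_EXT_ZONE,
 NF_CT_EXT_NUM,
 };
 
@@ -15,6 +16,7 @@ enum nf_ct_ext_id {
 #define NF_CT_EXT_NAT_TYPE struct nf_conn_nat
 #define NF_CT_EXT_ACCT_TYPE struct nf_conn_counter
 #define NF_CT_EXT_ECACHE_TYPE struct nf_conntrack_ecache
+#define NF_CT_EXT_ZONE_TYPE struct nf_conntrack_zone
 
 /* Extensions: optional stuff which isn't permanently in struct. */
 struct nf_ct_ext {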
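--- /dev/null
+++ b/include/net/netfilter/nf_conntrack_zones.h
@@ -0,0 +1,23 @@
+#ifndef _NF_CONNTRACK_ZONES_H
+#define _NF_CONNTRACK_ZONES_H
+
+#include <net/netfilter/nf_conntrack_extend.h>
+
+#define NF_CT_DEFAULT_ZONE 0
+
+struct nf_conntrack_zone {
+u16 id;
+};
+
+static inline u16 nf_ct_zone(const struct nf_conn *ct)
+{
+#ifdef CONFIG_NF_CONNTRACK_ZONES
+struct nf_conntrack_zone *nf_ct_zone;
+nf_ct_zone = nf_ct_ext_find(ct, NF_CT_EXT_ZONE);
+if (nf_ct_zone)
+return nf_ct_zone->id;
+#endif
+return NF_CT_DEFAULT_ZONE;
+}
+
+#endif /* _NF_CONNTRACK_ZONES_H */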
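Review bot: In `nf_ct_zone()` the local `struct nf_conntrack_zone *nf_ct_zone` shadows the function it is declared in, which `-Wshadow` flags and which makes the body read worse than it needs to. I would write the three lines as `struct nf_conntrack_zone *zone = nf_ct_ext_find(ct, NF_CT_EXT_ZONE);`, `if (zone)`, `return zone->id;`. The function also carries no comment; a line such as `/* Zone the connection belongs to; NF_CT_DEFAULT_ZONE when CONFIG_NF_CONNTRACK_ZONES is off or the ct has no zone extension. */` above it would state the fallback that the `#ifdef` otherwise makes easy to miss. Both behaviors are visible in the hunk: the extension lookup runs only under CONFIG_NF_CONNTRACK_ZONES, and a NULL result falls through to the default.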