diff options
| author | Patrick McHardy <kaber@trash.net> | 2013-08-27 02:50:12 -0400 |
|---|---|---|
| committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2013-08-27 18:26:48 -0400 |
| commit | 41d73ec053d2424599c4ed8452b889374d523ade (patch) | |
| tree | 404e0418e7f4c06cd37065eee97f67f6123df160 /include/uapi/linux | |
| parent | 706f5151e349a3d8ab85237d0d6c553930376e9f (diff) | |
netfilter: nf_conntrack: make sequence number adjustments usuable without NAT
Split out sequence number adjustments from NAT and move them to the conntrack
core to make them usable for SYN proxying. The sequence number adjustment
information is moved to a seperate extend. The extend is added to new
conntracks when a NAT mapping is set up for a connection using a helper.
As a side effect, this saves 24 bytes per connection with NAT in the common
case that a connection does not have a helper assigned.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Tested-by: Martin Topholm <mph@one.com>
Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'include/uapi/linux')
| -rw-r--r-- | include/uapi/linux/netfilter/nf_conntrack_common.h | 3 | ||||
| -rw-r--r-- | include/uapi/linux/netfilter/nfnetlink_conntrack.h | 15 |
2 files changed, 15 insertions, 3 deletions
diff --git a/include/uapi/linux/netfilter/nf_conntrack_common.h b/include/uapi/linux/netfilter/nf_conntrack_common.h index d69483fb3825..8dd803818ebe 100644 --- a/include/uapi/linux/netfilter/nf_conntrack_common.h +++ b/include/uapi/linux/netfilter/nf_conntrack_common.h | |||
| @@ -99,7 +99,8 @@ enum ip_conntrack_events { | |||
| 99 | IPCT_PROTOINFO, /* protocol information has changed */ | 99 | IPCT_PROTOINFO, /* protocol information has changed */ |
| 100 | IPCT_HELPER, /* new helper has been set */ | 100 | IPCT_HELPER, /* new helper has been set */ |
| 101 | IPCT_MARK, /* new mark has been set */ | 101 | IPCT_MARK, /* new mark has been set */ |
| 102 | IPCT_NATSEQADJ, /* NAT is doing sequence adjustment */ | 102 | IPCT_SEQADJ, /* sequence adjustment has changed */ |
| 103 | IPCT_NATSEQADJ = IPCT_SEQADJ, | ||
| 103 | IPCT_SECMARK, /* new security mark has been set */ | 104 | IPCT_SECMARK, /* new security mark has been set */ |
| 104 | IPCT_LABEL, /* new connlabel has been set */ | 105 | IPCT_LABEL, /* new connlabel has been set */ |
| 105 | }; | 106 | }; |
diff --git a/include/uapi/linux/netfilter/nfnetlink_conntrack.h b/include/uapi/linux/netfilter/nfnetlink_conntrack.h index 08fabc6c93f3..acad6c52a652 100644 --- a/include/uapi/linux/netfilter/nfnetlink_conntrack.h +++ b/include/uapi/linux/netfilter/nfnetlink_conntrack.h | |||
| @@ -42,8 +42,10 @@ enum ctattr_type { | |||
| 42 | CTA_ID, | 42 | CTA_ID, |
| 43 | CTA_NAT_DST, | 43 | CTA_NAT_DST, |
| 44 | CTA_TUPLE_MASTER, | 44 | CTA_TUPLE_MASTER, |
| 45 | CTA_NAT_SEQ_ADJ_ORIG, | 45 | CTA_SEQ_ADJ_ORIG, |
| 46 | CTA_NAT_SEQ_ADJ_REPLY, | 46 | CTA_NAT_SEQ_ADJ_ORIG = CTA_SEQ_ADJ_ORIG, |
| 47 | CTA_SEQ_ADJ_REPLY, | ||
| 48 | CTA_NAT_SEQ_ADJ_REPLY = CTA_SEQ_ADJ_REPLY, | ||
| 47 | CTA_SECMARK, /* obsolete */ | 49 | CTA_SECMARK, /* obsolete */ |
| 48 | CTA_ZONE, | 50 | CTA_ZONE, |
| 49 | CTA_SECCTX, | 51 | CTA_SECCTX, |
| @@ -165,6 +167,15 @@ enum ctattr_protonat { | |||
| 165 | }; | 167 | }; |
| 166 | #define CTA_PROTONAT_MAX (__CTA_PROTONAT_MAX - 1) | 168 | #define CTA_PROTONAT_MAX (__CTA_PROTONAT_MAX - 1) |
| 167 | 169 | ||
| 170 | enum ctattr_seqadj { | ||
| 171 | CTA_SEQADJ_UNSPEC, | ||
| 172 | CTA_SEQADJ_CORRECTION_POS, | ||
| 173 | CTA_SEQADJ_OFFSET_BEFORE, | ||
| 174 | CTA_SEQADJ_OFFSET_AFTER, | ||
| 175 | __CTA_SEQADJ_MAX | ||
| 176 | }; | ||
| 177 | #define CTA_SEQADJ_MAX (__CTA_SEQADJ_MAX - 1) | ||
| 178 | |||
| 168 | enum ctattr_natseq { | 179 | enum ctattr_natseq { |
| 169 | CTA_NAT_SEQ_UNSPEC, | 180 | CTA_NAT_SEQ_UNSPEC, |
| 170 | CTA_NAT_SEQ_CORRECTION_POS, | 181 | CTA_NAT_SEQ_CORRECTION_POS, |