authorPatrick McHardy <kaber@trash.net>2007-07-08 01:31:32 -0400
committerDavid S. Miller <davem@sunset.davemloft.net>2007-07-11 01:17:55 -0400
commitd4156e8cd93f5772483928aaf4960120caebd789 (patch)
treee740e629df29d8ea1ad21244998851362b64a70e /include
parentdf43b4e7ca46952756b2fc039ed80469b1bff62d (diff)
[NETFILTER]: nf_conntrack: reduce masks to a subset of tuples
Since conntrack currently allows masks to be used for every bit of both helper and expectation tuples, we can't hash them and have to keep them on two global lists that are searched for every new connection. This patch removes the never-used ability to use masks for the destination part of the expectation tuple and completely removes masks from helpers, since the only reasonable choice is a full match on l3num, protonum and src.u.all. Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include')
-rw-r--r--include/net/netfilter/nf_conntrack_expect.h3
-rw-r--r--include/net/netfilter/nf_conntrack_helper.h5
-rw-r--r--include/net/netfilter/nf_conntrack_tuple.h65
3 files changed, 47 insertions, 26 deletions
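--- a/include/net/netfilter/nf_conntrack_expect.h
+++ b/include/net/netfilter/nf_conntrack_expect.h
@@ -16,7 +16,8 @@ struct nf_conntrack_expect
 	struct list_head list;
 
 	/* We expect this tuple, with the following mask */
-	struct nf_conntrack_tuple tuple, mask;
+	struct nf_conntrack_tuple tuple;
+	struct nf_conntrack_tuple_mask mask;
 
 	/* Function to call after setup and insertion */
 	void (*expectfn)(struct nf_conn *new,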
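Review bot: The comment above the new `mask` field still reads as if the whole expected tuple were maskable, but `struct nf_conntrack_tuple_mask` carries only a `src` part, so the destination half of `tuple` now has to match exactly; the comment on line 18 should say so, e.g. `/* We expect this tuple; mask applies to the source part only, dst must match exactly */`. It is also worth stating there that an all-zero source mask matches any source address/port, since helpers that build expectations need to choose their masks with that in mind. `struct nf_conntrack_expect` begins before and continues past this hunk.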
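--- a/include/net/netfilter/nf_conntrack_helper.h
+++ b/include/net/netfilter/nf_conntrack_helper.h
@@ -24,10 +24,9 @@ struct nf_conntrack_helper
 	 * expected connections */
 	unsigned int timeout;		/* timeout for expecteds */
 
-	/* Mask of things we will help (compared against server response) */
+	/* Tuple of things we will help (compared against server response) */
 	struct nf_conntrack_tuple tuple;
-	struct nf_conntrack_tuple mask;
-
+
 	/* Function to call when data passes; return verdict, or -1 to
 	   invalidate. */
 	int (*help)(struct sk_buff **pskb,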
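Review bot: The reworded comment on line 27 says the tuple is compared against the server response but not which fields take part now that `mask` is gone, so a helper author cannot tell from the header what must be filled in. The commit message says the match is a full one on l3num, protonum and src.u.all; if that is what the lookup does, the comment should pin it, e.g. `/* Tuple of things we will help: matched exactly on l3num, protonum and src.u.all against the server response */` — confirm against the lookup in nf_conntrack_helper.c, which is not part of this diff. `struct nf_conntrack_helper` begins before and continues past this hunk.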
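--- a/include/net/netfilter/nf_conntrack_tuple.h
+++ b/include/net/netfilter/nf_conntrack_tuple.h
@@ -100,6 +100,14 @@ struct nf_conntrack_tuple
 	} dst;
 };
 
+struct nf_conntrack_tuple_mask
+{
+	struct {
+		union nf_conntrack_address u3;
+		union nf_conntrack_man_proto u;
+	} src;
+};
+
 /* This is optimized opposed to a memset of the whole structure. Everything we
  * really care about is the source/destination unions */
 #define NF_CT_TUPLE_U_BLANK(tuple) \
@@ -161,31 +169,44 @@ static inline int nf_ct_tuple_equal(const struct nf_conntrack_tuple *t1,
 	return nf_ct_tuple_src_equal(t1, t2) && nf_ct_tuple_dst_equal(t1, t2);
 }
 
+static inline int nf_ct_tuple_mask_equal(const struct nf_conntrack_tuple_mask *m1,
+					 const struct nf_conntrack_tuple_mask *m2)
+{
+	return (m1->src.u3.all[0] == m2->src.u3.all[0] &&
+		m1->src.u3.all[1] == m2->src.u3.all[1] &&
+		m1->src.u3.all[2] == m2->src.u3.all[2] &&
+		m1->src.u3.all[3] == m2->src.u3.all[3] &&
+		m1->src.u.all == m2->src.u.all);
+}
+
+static inline int nf_ct_tuple_src_mask_cmp(const struct nf_conntrack_tuple *t1,
+					   const struct nf_conntrack_tuple *t2,
+					   const struct nf_conntrack_tuple_mask *mask)
+{
+	int count;
+
+	for (count = 0; count < NF_CT_TUPLE_L3SIZE; count++) {
+		if ((t1->src.u3.all[count] ^ t2->src.u3.all[count]) &
+		    mask->src.u3.all[count])
+			return 0;
+	}
+
+	if ((t1->src.u.all ^ t2->src.u.all) & mask->src.u.all)
+		return 0;
+
+	if (t1->src.l3num != t2->src.l3num ||
+	    t1->dst.protonum != t2->dst.protonum)
+		return 0;
+
+	return 1;
+}
+
 static inline int nf_ct_tuple_mask_cmp(const struct nf_conntrack_tuple *t,
 				       const struct nf_conntrack_tuple *tuple,
-				       const struct nf_conntrack_tuple *mask)
+				       const struct nf_conntrack_tuple_mask *mask)
 {
-	int count = 0;
-
-	for (count = 0; count < NF_CT_TUPLE_L3SIZE; count++){
-		if ((t->src.u3.all[count] ^ tuple->src.u3.all[count]) &
-		    mask->src.u3.all[count])
-			return 0;
-	}
-
-	for (count = 0; count < NF_CT_TUPLE_L3SIZE; count++){
-		if ((t->dst.u3.all[count] ^ tuple->dst.u3.all[count]) &
-		    mask->dst.u3.all[count])
-			return 0;
-	}
-
-	if ((t->src.u.all ^ tuple->src.u.all) & mask->src.u.all ||
-	    (t->dst.u.all ^ tuple->dst.u.all) & mask->dst.u.all ||
-	    (t->src.l3num ^ tuple->src.l3num) & mask->src.l3num ||
-	    (t->dst.protonum ^ tuple->dst.protonum) & mask->dst.protonum)
-		return 0;
-
-	return 1;
+	return nf_ct_tuple_src_mask_cmp(t, tuple, mask) &&
+	       nf_ct_tuple_dst_equal(t, tuple);
 }
 
 #endif /* _NF_CONNTRACK_TUPLE_H */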
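Review bot: `nf_ct_tuple_mask_equal` hardcodes four `src.u3.all[]` indices while `nf_ct_tuple_src_mask_cmp` directly below iterates `NF_CT_TUPLE_L3SIZE`; if the address union ever changes size the two silently disagree, so the equality should loop over the same bound (assuming `all[]` has `NF_CT_TUPLE_L3SIZE` entries, which the existing loop already relies on). The new `struct nf_conntrack_tuple_mask` also carries no comment stating its contract, and since helper code constructs these masks it should: only the source address and port can be wildcarded, `l3num`, `protonum` and the whole `dst` always compare exactly (as `nf_ct_tuple_src_mask_cmp` and the rewritten `nf_ct_tuple_mask_cmp` enforce), and an all-zero source mask matches any source. A comment above the struct such as `/* Mask for nf_ct_tuple_mask_cmp(): only src address/port may be wildcarded; l3num, protonum and dst always compare exactly */` would keep callers from assuming dst is maskable as it was before this change. Both hunks' enclosing scopes are closed within them.

```c
static inline int nf_ct_tuple_mask_equal(const struct nf_conntrack_tuple_mask *m1,
					 const struct nf_conntrack_tuple_mask *m2)
{
	int count;

	/* same bound as nf_ct_tuple_src_mask_cmp() so the two cannot drift */
	for (count = 0; count < NF_CT_TUPLE_L3SIZE; count++) {
		if (m1->src.u3.all[count] != m2->src.u3.all[count])
			return 0;
	}

	return m1->src.u.all == m2->src.u.all;
}
```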