diff options
| author | Patrick McHardy <kaber@trash.net> | 2008-03-25 23:09:15 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2008-03-25 23:09:15 -0400 |
| commit | 6002f266b3e7f0acc2d5158cddbed41730b02e82 (patch) | |
| tree | f776f47618eef4da0d6c43b6f34fe6634d426a8d /include | |
| parent | 359b9ab614aba71c2c3bc047efbd6d12dd4a2b9e (diff) | |
[NETFILTER]: nf_conntrack: introduce expectation classes and policies
Introduce expectation classes and policies. An expectation class
is used to distinguish different types of expectations by the
same helper (for example audio/video/t.120). The expectation
policy is used to hold the maximum number of expectations and
the initial timeout for each class.
The individual classes are isolated from each other, which means
that for example an audio expectation will only evict other audio
expectations.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include')
| -rw-r--r-- | include/net/netfilter/nf_conntrack.h | 5 | ||||
| -rw-r--r-- | include/net/netfilter/nf_conntrack_expect.h | 13 | ||||
| -rw-r--r-- | include/net/netfilter/nf_conntrack_helper.h | 5 |
3 files changed, 18 insertions, 5 deletions
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h index 90b3e7f5df5f..922877133598 100644 --- a/include/net/netfilter/nf_conntrack.h +++ b/include/net/netfilter/nf_conntrack.h | |||
| @@ -75,6 +75,9 @@ do { \ | |||
| 75 | 75 | ||
| 76 | struct nf_conntrack_helper; | 76 | struct nf_conntrack_helper; |
| 77 | 77 | ||
| 78 | /* Must be kept in sync with the classes defined by helpers */ | ||
| 79 | #define NF_CT_MAX_EXPECT_CLASSES 1 | ||
| 80 | |||
| 78 | /* nf_conn feature for connections that have a helper */ | 81 | /* nf_conn feature for connections that have a helper */ |
| 79 | struct nf_conn_help { | 82 | struct nf_conn_help { |
| 80 | /* Helper. if any */ | 83 | /* Helper. if any */ |
| @@ -85,7 +88,7 @@ struct nf_conn_help { | |||
| 85 | struct hlist_head expectations; | 88 | struct hlist_head expectations; |
| 86 | 89 | ||
| 87 | /* Current number of expected connections */ | 90 | /* Current number of expected connections */ |
| 88 | unsigned int expecting; | 91 | u8 expecting[NF_CT_MAX_EXPECT_CLASSES]; |
| 89 | }; | 92 | }; |
| 90 | 93 | ||
| 91 | 94 | ||
diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h index 47c28dd07896..dfdf4b459475 100644 --- a/include/net/netfilter/nf_conntrack_expect.h +++ b/include/net/netfilter/nf_conntrack_expect.h | |||
| @@ -41,6 +41,9 @@ struct nf_conntrack_expect | |||
| 41 | /* Flags */ | 41 | /* Flags */ |
| 42 | unsigned int flags; | 42 | unsigned int flags; |
| 43 | 43 | ||
| 44 | /* Expectation class */ | ||
| 45 | unsigned int class; | ||
| 46 | |||
| 44 | #ifdef CONFIG_NF_NAT_NEEDED | 47 | #ifdef CONFIG_NF_NAT_NEEDED |
| 45 | __be32 saved_ip; | 48 | __be32 saved_ip; |
| 46 | /* This is the original per-proto part, used to map the | 49 | /* This is the original per-proto part, used to map the |
| @@ -53,6 +56,14 @@ struct nf_conntrack_expect | |||
| 53 | struct rcu_head rcu; | 56 | struct rcu_head rcu; |
| 54 | }; | 57 | }; |
| 55 | 58 | ||
| 59 | struct nf_conntrack_expect_policy | ||
| 60 | { | ||
| 61 | unsigned int max_expected; | ||
| 62 | unsigned int timeout; | ||
| 63 | }; | ||
| 64 | |||
| 65 | #define NF_CT_EXPECT_CLASS_DEFAULT 0 | ||
| 66 | |||
| 56 | #define NF_CT_EXPECT_PERMANENT 0x1 | 67 | #define NF_CT_EXPECT_PERMANENT 0x1 |
| 57 | #define NF_CT_EXPECT_INACTIVE 0x2 | 68 | #define NF_CT_EXPECT_INACTIVE 0x2 |
| 58 | 69 | ||
| @@ -75,7 +86,7 @@ void nf_ct_unexpect_related(struct nf_conntrack_expect *exp); | |||
| 75 | /* Allocate space for an expectation: this is mandatory before calling | 86 | /* Allocate space for an expectation: this is mandatory before calling |
| 76 | nf_ct_expect_related. You will have to call put afterwards. */ | 87 | nf_ct_expect_related. You will have to call put afterwards. */ |
| 77 | struct nf_conntrack_expect *nf_ct_expect_alloc(struct nf_conn *me); | 88 | struct nf_conntrack_expect *nf_ct_expect_alloc(struct nf_conn *me); |
| 78 | void nf_ct_expect_init(struct nf_conntrack_expect *, int, | 89 | void nf_ct_expect_init(struct nf_conntrack_expect *, unsigned int, int, |
| 79 | const union nf_inet_addr *, | 90 | const union nf_inet_addr *, |
| 80 | const union nf_inet_addr *, | 91 | const union nf_inet_addr *, |
| 81 | u_int8_t, const __be16 *, const __be16 *); | 92 | u_int8_t, const __be16 *, const __be16 *); |
diff --git a/include/net/netfilter/nf_conntrack_helper.h b/include/net/netfilter/nf_conntrack_helper.h index 4ca125e9b3ce..f8060ab5a083 100644 --- a/include/net/netfilter/nf_conntrack_helper.h +++ b/include/net/netfilter/nf_conntrack_helper.h | |||
| @@ -20,9 +20,7 @@ struct nf_conntrack_helper | |||
| 20 | 20 | ||
| 21 | const char *name; /* name of the module */ | 21 | const char *name; /* name of the module */ |
| 22 | struct module *me; /* pointer to self */ | 22 | struct module *me; /* pointer to self */ |
| 23 | unsigned int max_expected; /* Maximum number of concurrent | 23 | const struct nf_conntrack_expect_policy *expect_policy; |
| 24 | * expected connections */ | ||
| 25 | unsigned int timeout; /* timeout for expecteds */ | ||
| 26 | 24 | ||
| 27 | /* Tuple of things we will help (compared against server response) */ | 25 | /* Tuple of things we will help (compared against server response) */ |
| 28 | struct nf_conntrack_tuple tuple; | 26 | struct nf_conntrack_tuple tuple; |
| @@ -37,6 +35,7 @@ struct nf_conntrack_helper | |||
| 37 | void (*destroy)(struct nf_conn *ct); | 35 | void (*destroy)(struct nf_conn *ct); |
| 38 | 36 | ||
| 39 | int (*to_nlattr)(struct sk_buff *skb, const struct nf_conn *ct); | 37 | int (*to_nlattr)(struct sk_buff *skb, const struct nf_conn *ct); |
| 38 | unsigned int expect_class_max; | ||
| 40 | }; | 39 | }; |
| 41 | 40 | ||
| 42 | extern struct nf_conntrack_helper * | 41 | extern struct nf_conntrack_helper * |