netfilter: nf_conntrack: add support for "conntrack zones"

Normally, each connection needs a unique identity. Conntrack zones allow
to specify a numerical zone using the CT target, connections in different
zones can use the same identity.

Example:

iptables -t raw -A PREROUTING -i veth0 -j CT --zone 1
iptables -t raw -A OUTPUT -o veth1 -j CT --zone 1

Signed-off-by: Patrick McHardy <kaber@trash.net>

2 files changed, 14 insertions, 6 deletions

diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index 55ce22e5de49..996c3f41fecd 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -27,6 +27,7 @@
 #include <net/netfilter/nf_conntrack_l4proto.h>
 #include <net/netfilter/nf_conntrack_l3proto.h>
 #include <net/netfilter/nf_conntrack_core.h>
+#include <net/netfilter/nf_conntrack_zones.h>
 #include <net/netfilter/ipv6/nf_conntrack_ipv6.h>
 #include <net/netfilter/nf_log.h>
 
@@ -191,15 +192,20 @@ out:
 static enum ip6_defrag_users nf_ct6_defrag_user(unsigned int hooknum,
                                                 struct sk_buff *skb)
 {
+        u16 zone = NF_CT_DEFAULT_ZONE;
+
+        if (skb->nfct)
+                zone = nf_ct_zone((struct nf_conn *)skb->nfct);
+
 #ifdef CONFIG_BRIDGE_NETFILTER
         if (skb->nf_bridge &&
             skb->nf_bridge->mask & BRNF_NF_BRIDGE_PREROUTING)
-                return IP6_DEFRAG_CONNTRACK_BRIDGE_IN;
+                return IP6_DEFRAG_CONNTRACK_BRIDGE_IN + zone;
 #endif
         if (hooknum == NF_INET_PRE_ROUTING)
-                return IP6_DEFRAG_CONNTRACK_IN;
+                return IP6_DEFRAG_CONNTRACK_IN + zone;
         else
-                return IP6_DEFRAG_CONNTRACK_OUT;
+                return IP6_DEFRAG_CONNTRACK_OUT + zone;
 
 }
 
diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
index d772dc21857f..9be81776415e 100644
--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -23,6 +23,7 @@
 #include <net/netfilter/nf_conntrack_tuple.h>
 #include <net/netfilter/nf_conntrack_l4proto.h>
 #include <net/netfilter/nf_conntrack_core.h>
+#include <net/netfilter/nf_conntrack_zones.h>
 #include <net/netfilter/ipv6/nf_conntrack_icmpv6.h>
 #include <net/netfilter/nf_log.h>
 
@@ -128,7 +129,7 @@ static bool icmpv6_new(struct nf_conn *ct, const struct sk_buff *skb,
 }
 
 static int
-icmpv6_error_message(struct net *net,
+icmpv6_error_message(struct net *net, struct nf_conn *tmpl,
                      struct sk_buff *skb,
                      unsigned int icmp6off,
                      enum ip_conntrack_info *ctinfo,
@@ -137,6 +138,7 @@ icmpv6_error_message(struct net *net,
         struct nf_conntrack_tuple intuple, origtuple;
         const struct nf_conntrack_tuple_hash *h;
         const struct nf_conntrack_l4proto *inproto;
+        u16 zone = tmpl ? nf_ct_zone(tmpl) : NF_CT_DEFAULT_ZONE;
 
         NF_CT_ASSERT(skb->nfct == NULL);
 
@@ -163,7 +165,7 @@ icmpv6_error_message(struct net *net,
 
         *ctinfo = IP_CT_RELATED;
 
-        h = nf_conntrack_find_get(net, &intuple);
+        h = nf_conntrack_find_get(net, zone, &intuple);
         if (!h) {
                 pr_debug("icmpv6_error: no match\n");
                 return -NF_ACCEPT;
@@ -216,7 +218,7 @@ icmpv6_error(struct net *net, struct nf_conn *tmpl,
         if (icmp6h->icmp6_type >= 128)
                 return NF_ACCEPT;
 
-        return icmpv6_error_message(net, skb, dataoff, ctinfo, hooknum);
+        return icmpv6_error_message(net, tmpl, skb, dataoff, ctinfo, hooknum);
 }
 
 #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)