netfilter: nf_conntrack: pass timeout array to l4->new and l4->packet

This patch defines a new interface for l4 protocol trackers: unsigned int *(*get_timeouts)(struct net *net); that is used to return the array of unsigned int that contains the timeouts that will be applied for this flow. This is passed to the l4proto->new(...) and l4proto->packet(...) functions to specify the timeout policy. This interface allows per-net global timeout configuration (although only DCCP supports this by now) and it will allow custom custom timeout configuration by means of follow-up patches. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Pablo Neira Ayuso <pablo@netfilter.org> 2012-02-28 12:23:31 -0500
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2012-03-07 11:41:19 -0500
commit: 2c8503f55fbdfbeff4164f133df804cf4d316290 (patch)
tree: fe491bc79fd59aa4b8b99ea63d13e62b6a2ef1cb /net/ipv6
parent: b888341c7f33035694f70428d7001d73f0b2a3b1 (diff)
1 files changed, 10 insertions, 3 deletions
diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
index 7c05e7eacbc6..2eb9751eb7a8 100644
--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -88,25 +88,31 @@ static int icmpv6_print_tuple(struct seq_file *s,
                          ntohs(tuple->src.u.icmp.id));
 }
+static unsigned int *icmpv6_get_timeouts(struct net *net)
+{
+        return &nf_ct_icmpv6_timeout;
+}
 /* Returns verdict for packet, or -1 for invalid. */
 static int icmpv6_packet(struct nf_conn *ct,
                       const struct sk_buff *skb,
                       unsigned int dataoff,
                       enum ip_conntrack_info ctinfo,
                       u_int8_t pf,
-                       unsigned int hooknum)
+                       unsigned int hooknum,
+                       unsigned int *timeout)
 {
        /* Do not immediately delete the connection after the first
           successful reply to avoid excessive conntrackd traffic
           and also to handle correctly ICMP echo reply duplicates. */
-        nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_icmpv6_timeout);
+        nf_ct_refresh_acct(ct, ctinfo, skb, *timeout);
        return NF_ACCEPT;
 }
 /* Called when a new connection for this protocol found. */
 static bool icmpv6_new(struct nf_conn *ct, const struct sk_buff *skb,
-                       unsigned int dataoff)
+                       unsigned int dataoff, unsigned int *timeouts)
 {
        static const u_int8_t valid_new[] = {
                [ICMPV6_ECHO_REQUEST - 128] = 1,
@@ -293,6 +299,7 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_icmpv6 __read_mostly =
        .invert_tuple           = icmpv6_invert_tuple,
        .print_tuple            = icmpv6_print_tuple,
        .packet                 = icmpv6_packet,
+        .get_timeouts           = icmpv6_get_timeouts,
        .new                    = icmpv6_new,
        .error                  = icmpv6_error,
 #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
author	Pablo Neira Ayuso <pablo@netfilter.org>	2012-02-28 12:23:31 -0500
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2012-03-07 11:41:19 -0500
commit	2c8503f55fbdfbeff4164f133df804cf4d316290 (patch)
tree	fe491bc79fd59aa4b8b99ea63d13e62b6a2ef1cb /net/ipv6
parent	b888341c7f33035694f70428d7001d73f0b2a3b1 (diff)