authorWilly Tarreau <w@1wt.eu>2007-03-14 19:44:53 -0400
committerDavid S. Miller <davem@sunset.davemloft.net>2007-04-26 01:25:56 -0400
commit5c8ce7c92106434d2bdc9d5dfa5f62bf4546b296 (patch)
treeec3822ebea143678734caf45b2dd5cbc3ba0ce55 /net/netfilter
parent8f5bd99071212cd16b3449d16639971a44540d51 (diff)
[NETFILTER]: TCP conntrack: factorize out the PUSH flag
The PUSH flag is accepted with every other valid combination. Let's get it out of the tcp_valid_flags table and reduce the number of combinations we have to handle. This does not significantly reduce the table size however (8 bytes). Signed-off-by: Willy Tarreau <w@1wt.eu> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/netfilter')
-rw-r--r--net/netfilter/nf_conntrack_proto_tcp.c17
1 files changed, 4 insertions, 13 deletions
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 926e302494f3..a1363626bccc 100644
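--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -764,27 +764,18 @@ EXPORT_SYMBOL_GPL(nf_conntrack_tcp_update);
 #define TH_ECE 0x40
 #define TH_CWR 0x80
 
-/* table of valid flag combinations - ECE and CWR are always valid */
-static u8 tcp_valid_flags[(TH_FIN|TH_SYN|TH_RST|TH_PUSH|TH_ACK|TH_URG) + 1] =
+/* table of valid flag combinations - PUSH, ECE and CWR are always valid */
+static u8 tcp_valid_flags[(TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG) + 1] =
 {
  [TH_SYN] = 1,
- [TH_SYN|TH_PUSH] = 1,
  [TH_SYN|TH_URG] = 1,
- [TH_SYN|TH_PUSH|TH_URG] = 1,
  [TH_SYN|TH_ACK] = 1,
- [TH_SYN|TH_ACK|TH_PUSH] = 1,
  [TH_RST] = 1,
- [TH_RST|TH_PUSH] = 1,
  [TH_RST|TH_ACK] = 1,
- [TH_RST|TH_ACK|TH_PUSH] = 1,
  [TH_FIN|TH_ACK] = 1,
+ [TH_FIN|TH_ACK|TH_URG] = 1,
  [TH_ACK] = 1,
- [TH_ACK|TH_PUSH] = 1,
  [TH_ACK|TH_URG] = 1,
- [TH_ACK|TH_URG|TH_PUSH] = 1,
- [TH_FIN|TH_ACK|TH_PUSH] = 1,
- [TH_FIN|TH_ACK|TH_URG] = 1,
- [TH_FIN|TH_ACK|TH_URG|TH_PUSH] = 1,
 };
 
 /* Protect conntrack agaist broken packets. Code taken from ipt_unclean.c. */
@@ -831,7 +822,7 @@ static int tcp_error(struct sk_buff *skb,
  }
 
  /* Check TCP flags. */
- tcpflags = (((u_int8_t *)th)[13] & ~(TH_ECE|TH_CWR));
+ tcpflags = (((u_int8_t *)th)[13] & ~(TH_ECE|TH_CWR|TH_PUSH));
  if (!tcp_valid_flags[tcpflags]) {
  if (LOG_INVALID(IPPROTO_TCP))
  nf_log_packet(pf, 0, skb, NULL, NULL, NULL,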
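Review bot: The index into `tcp_valid_flags[]` in the second hunk stays in bounds only because the mask `~(TH_ECE|TH_CWR|TH_PUSH)` clears exactly the bits that the array bound `(TH_FIN|TH_SYN|TH_RST|TH_ACK|TH_URG) + 1` in the first hunk leaves out, and nothing ties the two expressions together. The byte is read straight from the packet's TCP header, so if one side is later edited without the other, the lookup becomes an out-of-bounds read driven by remote input. A compile-time check next to the lookup would pin the invariant, for example `BUILD_BUG_ON((0xff & ~(TH_ECE|TH_CWR|TH_PUSH)) >= ARRAY_SIZE(tcp_valid_flags));`, assuming the TH_* values defined above the hunk are the usual one-bit-per-flag constants. The table also looks read-only from here, so `static const u8` would be worth considering. `tcp_error()` starts and ends outside the hunk.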