aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--include/net/netfilter/nf_conntrack.h4
-rw-r--r--include/net/netfilter/nf_conntrack_l3proto.h4
-rw-r--r--include/net/netfilter/nf_conntrack_l4proto.h6
-rw-r--r--net/ipv4/netfilter/nf_conntrack_proto_icmp.c12
-rw-r--r--net/ipv4/netfilter/nf_nat_proto_gre.c10
-rw-r--r--net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c8
-rw-r--r--net/netfilter/nf_conntrack_core.c58
-rw-r--r--net/netfilter/nf_conntrack_proto_generic.c6
-rw-r--r--net/netfilter/nf_conntrack_proto_sctp.c2
-rw-r--r--net/netfilter/nf_conntrack_proto_tcp.c150
-rw-r--r--net/netfilter/nf_conntrack_proto_udp.c13
-rw-r--r--net/netfilter/nf_conntrack_proto_udplite.c13
-rw-r--r--net/netfilter/nf_conntrack_standalone.c38
13 files changed, 157 insertions, 167 deletions
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index 14e0cc8364f2..bda78a286e2b 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -145,7 +145,7 @@ nf_ct_tuplehash_to_ctrack(const struct nf_conntrack_tuple_hash *hash)
145 145
146/* Alter reply tuple (maybe alter helper). */ 146/* Alter reply tuple (maybe alter helper). */
147extern void 147extern void
148nf_conntrack_alter_reply(struct nf_conn *conntrack, 148nf_conntrack_alter_reply(struct nf_conn *ct,
149 const struct nf_conntrack_tuple *newreply); 149 const struct nf_conntrack_tuple *newreply);
150 150
151/* Is this tuple taken? (ignoring any belonging to the given 151/* Is this tuple taken? (ignoring any belonging to the given
@@ -218,7 +218,7 @@ static inline void nf_ct_refresh(struct nf_conn *ct,
218/* Update TCP window tracking data when NAT mangles the packet */ 218/* Update TCP window tracking data when NAT mangles the packet */
219extern void nf_conntrack_tcp_update(struct sk_buff *skb, 219extern void nf_conntrack_tcp_update(struct sk_buff *skb,
220 unsigned int dataoff, 220 unsigned int dataoff,
221 struct nf_conn *conntrack, 221 struct nf_conn *ct,
222 int dir); 222 int dir);
223 223
224/* Fake conntrack entry for untracked connections */ 224/* Fake conntrack entry for untracked connections */
diff --git a/include/net/netfilter/nf_conntrack_l3proto.h b/include/net/netfilter/nf_conntrack_l3proto.h
index d5526bcce147..b886e3ae6cad 100644
--- a/include/net/netfilter/nf_conntrack_l3proto.h
+++ b/include/net/netfilter/nf_conntrack_l3proto.h
@@ -43,7 +43,7 @@ struct nf_conntrack_l3proto
43 const struct nf_conntrack_tuple *); 43 const struct nf_conntrack_tuple *);
44 44
45 /* Returns verdict for packet, or -1 for invalid. */ 45 /* Returns verdict for packet, or -1 for invalid. */
46 int (*packet)(struct nf_conn *conntrack, 46 int (*packet)(struct nf_conn *ct,
47 const struct sk_buff *skb, 47 const struct sk_buff *skb,
48 enum ip_conntrack_info ctinfo); 48 enum ip_conntrack_info ctinfo);
49 49
@@ -51,7 +51,7 @@ struct nf_conntrack_l3proto
51 * Called when a new connection for this protocol found; 51 * Called when a new connection for this protocol found;
52 * returns TRUE if it's OK. If so, packet() called next. 52 * returns TRUE if it's OK. If so, packet() called next.
53 */ 53 */
54 int (*new)(struct nf_conn *conntrack, const struct sk_buff *skb); 54 int (*new)(struct nf_conn *ct, const struct sk_buff *skb);
55 55
56 /* 56 /*
57 * Called before tracking. 57 * Called before tracking.
diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter/nf_conntrack_l4proto.h
index 84892cc1d603..efc16eccddb1 100644
--- a/include/net/netfilter/nf_conntrack_l4proto.h
+++ b/include/net/netfilter/nf_conntrack_l4proto.h
@@ -36,7 +36,7 @@ struct nf_conntrack_l4proto
36 const struct nf_conntrack_tuple *orig); 36 const struct nf_conntrack_tuple *orig);
37 37
38 /* Returns verdict for packet, or -1 for invalid. */ 38 /* Returns verdict for packet, or -1 for invalid. */
39 int (*packet)(struct nf_conn *conntrack, 39 int (*packet)(struct nf_conn *ct,
40 const struct sk_buff *skb, 40 const struct sk_buff *skb,
41 unsigned int dataoff, 41 unsigned int dataoff,
42 enum ip_conntrack_info ctinfo, 42 enum ip_conntrack_info ctinfo,
@@ -45,11 +45,11 @@ struct nf_conntrack_l4proto
45 45
46 /* Called when a new connection for this protocol found; 46 /* Called when a new connection for this protocol found;
47 * returns TRUE if it's OK. If so, packet() called next. */ 47 * returns TRUE if it's OK. If so, packet() called next. */
48 int (*new)(struct nf_conn *conntrack, const struct sk_buff *skb, 48 int (*new)(struct nf_conn *ct, const struct sk_buff *skb,
49 unsigned int dataoff); 49 unsigned int dataoff);
50 50
51 /* Called when a conntrack entry is destroyed */ 51 /* Called when a conntrack entry is destroyed */
52 void (*destroy)(struct nf_conn *conntrack); 52 void (*destroy)(struct nf_conn *ct);
53 53
54 int (*error)(struct sk_buff *skb, unsigned int dataoff, 54 int (*error)(struct sk_buff *skb, unsigned int dataoff,
55 enum ip_conntrack_info *ctinfo, 55 enum ip_conntrack_info *ctinfo,
diff --git a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
index 4004a04c5510..17217f4f9918 100644
--- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
+++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
@@ -100,7 +100,7 @@ static int icmp_packet(struct nf_conn *ct,
100} 100}
101 101
102/* Called when a new connection for this protocol found. */ 102/* Called when a new connection for this protocol found. */
103static int icmp_new(struct nf_conn *conntrack, 103static int icmp_new(struct nf_conn *ct,
104 const struct sk_buff *skb, unsigned int dataoff) 104 const struct sk_buff *skb, unsigned int dataoff)
105{ 105{
106 static const u_int8_t valid_new[] = { 106 static const u_int8_t valid_new[] = {
@@ -110,15 +110,15 @@ static int icmp_new(struct nf_conn *conntrack,
110 [ICMP_ADDRESS] = 1 110 [ICMP_ADDRESS] = 1
111 }; 111 };
112 112
113 if (conntrack->tuplehash[0].tuple.dst.u.icmp.type >= sizeof(valid_new) 113 if (ct->tuplehash[0].tuple.dst.u.icmp.type >= sizeof(valid_new)
114 || !valid_new[conntrack->tuplehash[0].tuple.dst.u.icmp.type]) { 114 || !valid_new[ct->tuplehash[0].tuple.dst.u.icmp.type]) {
115 /* Can't create a new ICMP `conn' with this. */ 115 /* Can't create a new ICMP `conn' with this. */
116 pr_debug("icmp: can't create new conn with type %u\n", 116 pr_debug("icmp: can't create new conn with type %u\n",
117 conntrack->tuplehash[0].tuple.dst.u.icmp.type); 117 ct->tuplehash[0].tuple.dst.u.icmp.type);
118 NF_CT_DUMP_TUPLE(&conntrack->tuplehash[0].tuple); 118 NF_CT_DUMP_TUPLE(&ct->tuplehash[0].tuple);
119 return 0; 119 return 0;
120 } 120 }
121 atomic_set(&conntrack->proto.icmp.count, 0); 121 atomic_set(&ct->proto.icmp.count, 0);
122 return 1; 122 return 1;
123} 123}
124 124
diff --git a/net/ipv4/netfilter/nf_nat_proto_gre.c b/net/ipv4/netfilter/nf_nat_proto_gre.c
index c9dbd550df39..b887ebb42133 100644
--- a/net/ipv4/netfilter/nf_nat_proto_gre.c
+++ b/net/ipv4/netfilter/nf_nat_proto_gre.c
@@ -59,7 +59,7 @@ static int
59gre_unique_tuple(struct nf_conntrack_tuple *tuple, 59gre_unique_tuple(struct nf_conntrack_tuple *tuple,
60 const struct nf_nat_range *range, 60 const struct nf_nat_range *range,
61 enum nf_nat_manip_type maniptype, 61 enum nf_nat_manip_type maniptype,
62 const struct nf_conn *conntrack) 62 const struct nf_conn *ct)
63{ 63{
64 static u_int16_t key; 64 static u_int16_t key;
65 __be16 *keyptr; 65 __be16 *keyptr;
@@ -67,7 +67,7 @@ gre_unique_tuple(struct nf_conntrack_tuple *tuple,
67 67
68 /* If there is no master conntrack we are not PPTP, 68 /* If there is no master conntrack we are not PPTP,
69 do not change tuples */ 69 do not change tuples */
70 if (!conntrack->master) 70 if (!ct->master)
71 return 0; 71 return 0;
72 72
73 if (maniptype == IP_NAT_MANIP_SRC) 73 if (maniptype == IP_NAT_MANIP_SRC)
@@ -76,7 +76,7 @@ gre_unique_tuple(struct nf_conntrack_tuple *tuple,
76 keyptr = &tuple->dst.u.gre.key; 76 keyptr = &tuple->dst.u.gre.key;
77 77
78 if (!(range->flags & IP_NAT_RANGE_PROTO_SPECIFIED)) { 78 if (!(range->flags & IP_NAT_RANGE_PROTO_SPECIFIED)) {
79 pr_debug("%p: NATing GRE PPTP\n", conntrack); 79 pr_debug("%p: NATing GRE PPTP\n", ct);
80 min = 1; 80 min = 1;
81 range_size = 0xffff; 81 range_size = 0xffff;
82 } else { 82 } else {
@@ -88,11 +88,11 @@ gre_unique_tuple(struct nf_conntrack_tuple *tuple,
88 88
89 for (i = 0; i < range_size; i++, key++) { 89 for (i = 0; i < range_size; i++, key++) {
90 *keyptr = htons(min + key % range_size); 90 *keyptr = htons(min + key % range_size);
91 if (!nf_nat_used_tuple(tuple, conntrack)) 91 if (!nf_nat_used_tuple(tuple, ct))
92 return 1; 92 return 1;
93 } 93 }
94 94
95 pr_debug("%p: no NAT mapping\n", conntrack); 95 pr_debug("%p: no NAT mapping\n", ct);
96 return 0; 96 return 0;
97} 97}
98 98
diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
index da924c6b5f06..430db1de31e3 100644
--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -101,7 +101,7 @@ static int icmpv6_packet(struct nf_conn *ct,
101} 101}
102 102
103/* Called when a new connection for this protocol found. */ 103/* Called when a new connection for this protocol found. */
104static int icmpv6_new(struct nf_conn *conntrack, 104static int icmpv6_new(struct nf_conn *ct,
105 const struct sk_buff *skb, 105 const struct sk_buff *skb,
106 unsigned int dataoff) 106 unsigned int dataoff)
107{ 107{
@@ -109,16 +109,16 @@ static int icmpv6_new(struct nf_conn *conntrack,
109 [ICMPV6_ECHO_REQUEST - 128] = 1, 109 [ICMPV6_ECHO_REQUEST - 128] = 1,
110 [ICMPV6_NI_QUERY - 128] = 1 110 [ICMPV6_NI_QUERY - 128] = 1
111 }; 111 };
112 int type = conntrack->tuplehash[0].tuple.dst.u.icmp.type - 128; 112 int type = ct->tuplehash[0].tuple.dst.u.icmp.type - 128;
113 113
114 if (type < 0 || type >= sizeof(valid_new) || !valid_new[type]) { 114 if (type < 0 || type >= sizeof(valid_new) || !valid_new[type]) {
115 /* Can't create a new ICMPv6 `conn' with this. */ 115 /* Can't create a new ICMPv6 `conn' with this. */
116 pr_debug("icmpv6: can't create new conn with type %u\n", 116 pr_debug("icmpv6: can't create new conn with type %u\n",
117 type + 128); 117 type + 128);
118 NF_CT_DUMP_TUPLE(&conntrack->tuplehash[0].tuple); 118 NF_CT_DUMP_TUPLE(&ct->tuplehash[0].tuple);
119 return 0; 119 return 0;
120 } 120 }
121 atomic_set(&conntrack->proto.icmp.count, 0); 121 atomic_set(&ct->proto.icmp.count, 0);
122 return 1; 122 return 1;
123} 123}
124 124
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 120588333c73..1a3673d55868 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -462,7 +462,7 @@ static noinline int early_drop(unsigned int hash)
462struct nf_conn *nf_conntrack_alloc(const struct nf_conntrack_tuple *orig, 462struct nf_conn *nf_conntrack_alloc(const struct nf_conntrack_tuple *orig,
463 const struct nf_conntrack_tuple *repl) 463 const struct nf_conntrack_tuple *repl)
464{ 464{
465 struct nf_conn *conntrack = NULL; 465 struct nf_conn *ct = NULL;
466 466
467 if (unlikely(!nf_conntrack_hash_rnd_initted)) { 467 if (unlikely(!nf_conntrack_hash_rnd_initted)) {
468 get_random_bytes(&nf_conntrack_hash_rnd, 4); 468 get_random_bytes(&nf_conntrack_hash_rnd, 4);
@@ -485,22 +485,21 @@ struct nf_conn *nf_conntrack_alloc(const struct nf_conntrack_tuple *orig,
485 } 485 }
486 } 486 }
487 487
488 conntrack = kmem_cache_zalloc(nf_conntrack_cachep, GFP_ATOMIC); 488 ct = kmem_cache_zalloc(nf_conntrack_cachep, GFP_ATOMIC);
489 if (conntrack == NULL) { 489 if (ct == NULL) {
490 pr_debug("nf_conntrack_alloc: Can't alloc conntrack.\n"); 490 pr_debug("nf_conntrack_alloc: Can't alloc conntrack.\n");
491 atomic_dec(&nf_conntrack_count); 491 atomic_dec(&nf_conntrack_count);
492 return ERR_PTR(-ENOMEM); 492 return ERR_PTR(-ENOMEM);
493 } 493 }
494 494
495 atomic_set(&conntrack->ct_general.use, 1); 495 atomic_set(&ct->ct_general.use, 1);
496 conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple = *orig; 496 ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple = *orig;
497 conntrack->tuplehash[IP_CT_DIR_REPLY].tuple = *repl; 497 ct->tuplehash[IP_CT_DIR_REPLY].tuple = *repl;
498 /* Don't set timer yet: wait for confirmation */ 498 /* Don't set timer yet: wait for confirmation */
499 setup_timer(&conntrack->timeout, death_by_timeout, 499 setup_timer(&ct->timeout, death_by_timeout, (unsigned long)ct);
500 (unsigned long)conntrack); 500 INIT_RCU_HEAD(&ct->rcu);
501 INIT_RCU_HEAD(&conntrack->rcu);
502 501
503 return conntrack; 502 return ct;
504} 503}
505EXPORT_SYMBOL_GPL(nf_conntrack_alloc); 504EXPORT_SYMBOL_GPL(nf_conntrack_alloc);
506 505
@@ -513,9 +512,9 @@ static void nf_conntrack_free_rcu(struct rcu_head *head)
513 atomic_dec(&nf_conntrack_count); 512 atomic_dec(&nf_conntrack_count);
514} 513}
515 514
516void nf_conntrack_free(struct nf_conn *conntrack) 515void nf_conntrack_free(struct nf_conn *ct)
517{ 516{
518 call_rcu(&conntrack->rcu, nf_conntrack_free_rcu); 517 call_rcu(&ct->rcu, nf_conntrack_free_rcu);
519} 518}
520EXPORT_SYMBOL_GPL(nf_conntrack_free); 519EXPORT_SYMBOL_GPL(nf_conntrack_free);
521 520
@@ -528,7 +527,7 @@ init_conntrack(const struct nf_conntrack_tuple *tuple,
528 struct sk_buff *skb, 527 struct sk_buff *skb,
529 unsigned int dataoff) 528 unsigned int dataoff)
530{ 529{
531 struct nf_conn *conntrack; 530 struct nf_conn *ct;
532 struct nf_conn_help *help; 531 struct nf_conn_help *help;
533 struct nf_conntrack_tuple repl_tuple; 532 struct nf_conntrack_tuple repl_tuple;
534 struct nf_conntrack_expect *exp; 533 struct nf_conntrack_expect *exp;
@@ -538,14 +537,14 @@ init_conntrack(const struct nf_conntrack_tuple *tuple,
538 return NULL; 537 return NULL;
539 } 538 }
540 539
541 conntrack = nf_conntrack_alloc(tuple, &repl_tuple); 540 ct = nf_conntrack_alloc(tuple, &repl_tuple);
542 if (conntrack == NULL || IS_ERR(conntrack)) { 541 if (ct == NULL || IS_ERR(ct)) {
543 pr_debug("Can't allocate conntrack.\n"); 542 pr_debug("Can't allocate conntrack.\n");
544 return (struct nf_conntrack_tuple_hash *)conntrack; 543 return (struct nf_conntrack_tuple_hash *)ct;
545 } 544 }
546 545
547 if (!l4proto->new(conntrack, skb, dataoff)) { 546 if (!l4proto->new(ct, skb, dataoff)) {
548 nf_conntrack_free(conntrack); 547 nf_conntrack_free(ct);
549 pr_debug("init conntrack: can't track with proto module\n"); 548 pr_debug("init conntrack: can't track with proto module\n");
550 return NULL; 549 return NULL;
551 } 550 }
@@ -554,30 +553,30 @@ init_conntrack(const struct nf_conntrack_tuple *tuple,
554 exp = nf_ct_find_expectation(tuple); 553 exp = nf_ct_find_expectation(tuple);
555 if (exp) { 554 if (exp) {
556 pr_debug("conntrack: expectation arrives ct=%p exp=%p\n", 555 pr_debug("conntrack: expectation arrives ct=%p exp=%p\n",
557 conntrack, exp); 556 ct, exp);
558 /* Welcome, Mr. Bond. We've been expecting you... */ 557 /* Welcome, Mr. Bond. We've been expecting you... */
559 __set_bit(IPS_EXPECTED_BIT, &conntrack->status); 558 __set_bit(IPS_EXPECTED_BIT, &ct->status);
560 conntrack->master = exp->master; 559 ct->master = exp->master;
561 if (exp->helper) { 560 if (exp->helper) {
562 help = nf_ct_helper_ext_add(conntrack, GFP_ATOMIC); 561 help = nf_ct_helper_ext_add(ct, GFP_ATOMIC);
563 if (help) 562 if (help)
564 rcu_assign_pointer(help->helper, exp->helper); 563 rcu_assign_pointer(help->helper, exp->helper);
565 } 564 }
566 565
567#ifdef CONFIG_NF_CONNTRACK_MARK 566#ifdef CONFIG_NF_CONNTRACK_MARK
568 conntrack->mark = exp->master->mark; 567 ct->mark = exp->master->mark;
569#endif 568#endif
570#ifdef CONFIG_NF_CONNTRACK_SECMARK 569#ifdef CONFIG_NF_CONNTRACK_SECMARK
571 conntrack->secmark = exp->master->secmark; 570 ct->secmark = exp->master->secmark;
572#endif 571#endif
573 nf_conntrack_get(&conntrack->master->ct_general); 572 nf_conntrack_get(&ct->master->ct_general);
574 NF_CT_STAT_INC(expect_new); 573 NF_CT_STAT_INC(expect_new);
575 } else { 574 } else {
576 struct nf_conntrack_helper *helper; 575 struct nf_conntrack_helper *helper;
577 576
578 helper = __nf_ct_helper_find(&repl_tuple); 577 helper = __nf_ct_helper_find(&repl_tuple);
579 if (helper) { 578 if (helper) {
580 help = nf_ct_helper_ext_add(conntrack, GFP_ATOMIC); 579 help = nf_ct_helper_ext_add(ct, GFP_ATOMIC);
581 if (help) 580 if (help)
582 rcu_assign_pointer(help->helper, helper); 581 rcu_assign_pointer(help->helper, helper);
583 } 582 }
@@ -585,18 +584,17 @@ init_conntrack(const struct nf_conntrack_tuple *tuple,
585 } 584 }
586 585
587 /* Overload tuple linked list to put us in unconfirmed list. */ 586 /* Overload tuple linked list to put us in unconfirmed list. */
588 hlist_add_head(&conntrack->tuplehash[IP_CT_DIR_ORIGINAL].hnode, 587 hlist_add_head(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnode, &unconfirmed);
589 &unconfirmed);
590 588
591 spin_unlock_bh(&nf_conntrack_lock); 589 spin_unlock_bh(&nf_conntrack_lock);
592 590
593 if (exp) { 591 if (exp) {
594 if (exp->expectfn) 592 if (exp->expectfn)
595 exp->expectfn(conntrack, exp); 593 exp->expectfn(ct, exp);
596 nf_ct_expect_put(exp); 594 nf_ct_expect_put(exp);
597 } 595 }
598 596
599 return &conntrack->tuplehash[IP_CT_DIR_ORIGINAL]; 597 return &ct->tuplehash[IP_CT_DIR_ORIGINAL];
600} 598}
601 599
602/* On success, returns conntrack ptr, sets skb->nfct and ctinfo */ 600/* On success, returns conntrack ptr, sets skb->nfct and ctinfo */
diff --git a/net/netfilter/nf_conntrack_proto_generic.c b/net/netfilter/nf_conntrack_proto_generic.c
index 22c5dcb6306a..55458915575f 100644
--- a/net/netfilter/nf_conntrack_proto_generic.c
+++ b/net/netfilter/nf_conntrack_proto_generic.c
@@ -41,19 +41,19 @@ static int generic_print_tuple(struct seq_file *s,
41} 41}
42 42
43/* Returns verdict for packet, or -1 for invalid. */ 43/* Returns verdict for packet, or -1 for invalid. */
44static int packet(struct nf_conn *conntrack, 44static int packet(struct nf_conn *ct,
45 const struct sk_buff *skb, 45 const struct sk_buff *skb,
46 unsigned int dataoff, 46 unsigned int dataoff,
47 enum ip_conntrack_info ctinfo, 47 enum ip_conntrack_info ctinfo,
48 int pf, 48 int pf,
49 unsigned int hooknum) 49 unsigned int hooknum)
50{ 50{
51 nf_ct_refresh_acct(conntrack, ctinfo, skb, nf_ct_generic_timeout); 51 nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_generic_timeout);
52 return NF_ACCEPT; 52 return NF_ACCEPT;
53} 53}
54 54
55/* Called when a new connection for this protocol found. */ 55/* Called when a new connection for this protocol found. */
56static int new(struct nf_conn *conntrack, const struct sk_buff *skb, 56static int new(struct nf_conn *ct, const struct sk_buff *skb,
57 unsigned int dataoff) 57 unsigned int dataoff)
58{ 58{
59 return 1; 59 return 1;
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c
index 7017b161a14b..f9a08370dbb3 100644
--- a/net/netfilter/nf_conntrack_proto_sctp.c
+++ b/net/netfilter/nf_conntrack_proto_sctp.c
@@ -25,7 +25,7 @@
25#include <net/netfilter/nf_conntrack_l4proto.h> 25#include <net/netfilter/nf_conntrack_l4proto.h>
26#include <net/netfilter/nf_conntrack_ecache.h> 26#include <net/netfilter/nf_conntrack_ecache.h>
27 27
28/* Protects conntrack->proto.sctp */ 28/* Protects ct->proto.sctp */
29static DEFINE_RWLOCK(sctp_lock); 29static DEFINE_RWLOCK(sctp_lock);
30 30
31/* FIXME: Examine ipfilter's timeouts and conntrack transitions more 31/* FIXME: Examine ipfilter's timeouts and conntrack transitions more
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 8e2207535665..9807af677a56 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -26,7 +26,7 @@
26#include <net/netfilter/nf_conntrack_ecache.h> 26#include <net/netfilter/nf_conntrack_ecache.h>
27#include <net/netfilter/nf_log.h> 27#include <net/netfilter/nf_log.h>
28 28
29/* Protects conntrack->proto.tcp */ 29/* Protects ct->proto.tcp */
30static DEFINE_RWLOCK(tcp_lock); 30static DEFINE_RWLOCK(tcp_lock);
31 31
32/* "Be conservative in what you do, 32/* "Be conservative in what you do,
@@ -292,13 +292,12 @@ static int tcp_print_tuple(struct seq_file *s,
292} 292}
293 293
294/* Print out the private part of the conntrack. */ 294/* Print out the private part of the conntrack. */
295static int tcp_print_conntrack(struct seq_file *s, 295static int tcp_print_conntrack(struct seq_file *s, const struct nf_conn *ct)
296 const struct nf_conn *conntrack)
297{ 296{
298 enum tcp_conntrack state; 297 enum tcp_conntrack state;
299 298
300 read_lock_bh(&tcp_lock); 299 read_lock_bh(&tcp_lock);
301 state = conntrack->proto.tcp.state; 300 state = ct->proto.tcp.state;
302 read_unlock_bh(&tcp_lock); 301 read_unlock_bh(&tcp_lock);
303 302
304 return seq_printf(s, "%s ", tcp_conntrack_names[state]); 303 return seq_printf(s, "%s ", tcp_conntrack_names[state]);
@@ -689,12 +688,12 @@ static int tcp_in_window(struct nf_conn *ct,
689/* Caller must linearize skb at tcp header. */ 688/* Caller must linearize skb at tcp header. */
690void nf_conntrack_tcp_update(struct sk_buff *skb, 689void nf_conntrack_tcp_update(struct sk_buff *skb,
691 unsigned int dataoff, 690 unsigned int dataoff,
692 struct nf_conn *conntrack, 691 struct nf_conn *ct,
693 int dir) 692 int dir)
694{ 693{
695 struct tcphdr *tcph = (void *)skb->data + dataoff; 694 struct tcphdr *tcph = (void *)skb->data + dataoff;
696 struct ip_ct_tcp_state *sender = &conntrack->proto.tcp.seen[dir]; 695 struct ip_ct_tcp_state *sender = &ct->proto.tcp.seen[dir];
697 struct ip_ct_tcp_state *receiver = &conntrack->proto.tcp.seen[!dir]; 696 struct ip_ct_tcp_state *receiver = &ct->proto.tcp.seen[!dir];
698 __u32 end; 697 __u32 end;
699 698
700 end = segment_seq_plus_len(ntohl(tcph->seq), skb->len, dataoff, tcph); 699 end = segment_seq_plus_len(ntohl(tcph->seq), skb->len, dataoff, tcph);
@@ -703,9 +702,9 @@ void nf_conntrack_tcp_update(struct sk_buff *skb,
703 /* 702 /*
704 * We have to worry for the ack in the reply packet only... 703 * We have to worry for the ack in the reply packet only...
705 */ 704 */
706 if (after(end, conntrack->proto.tcp.seen[dir].td_end)) 705 if (after(end, ct->proto.tcp.seen[dir].td_end))
707 conntrack->proto.tcp.seen[dir].td_end = end; 706 ct->proto.tcp.seen[dir].td_end = end;
708 conntrack->proto.tcp.last_end = end; 707 ct->proto.tcp.last_end = end;
709 write_unlock_bh(&tcp_lock); 708 write_unlock_bh(&tcp_lock);
710 pr_debug("tcp_update: sender end=%u maxend=%u maxwin=%u scale=%i " 709 pr_debug("tcp_update: sender end=%u maxend=%u maxwin=%u scale=%i "
711 "receiver end=%u maxend=%u maxwin=%u scale=%i\n", 710 "receiver end=%u maxend=%u maxwin=%u scale=%i\n",
@@ -794,7 +793,7 @@ static int tcp_error(struct sk_buff *skb,
794} 793}
795 794
796/* Returns verdict for packet, or -1 for invalid. */ 795/* Returns verdict for packet, or -1 for invalid. */
797static int tcp_packet(struct nf_conn *conntrack, 796static int tcp_packet(struct nf_conn *ct,
798 const struct sk_buff *skb, 797 const struct sk_buff *skb,
799 unsigned int dataoff, 798 unsigned int dataoff,
800 enum ip_conntrack_info ctinfo, 799 enum ip_conntrack_info ctinfo,
@@ -812,26 +811,24 @@ static int tcp_packet(struct nf_conn *conntrack,
812 BUG_ON(th == NULL); 811 BUG_ON(th == NULL);
813 812
814 write_lock_bh(&tcp_lock); 813 write_lock_bh(&tcp_lock);
815 old_state = conntrack->proto.tcp.state; 814 old_state = ct->proto.tcp.state;
816 dir = CTINFO2DIR(ctinfo); 815 dir = CTINFO2DIR(ctinfo);
817 index = get_conntrack_index(th); 816 index = get_conntrack_index(th);
818 new_state = tcp_conntracks[dir][index][old_state]; 817 new_state = tcp_conntracks[dir][index][old_state];
819 tuple = &conntrack->tuplehash[dir].tuple; 818 tuple = &ct->tuplehash[dir].tuple;
820 819
821 switch (new_state) { 820 switch (new_state) {
822 case TCP_CONNTRACK_SYN_SENT: 821 case TCP_CONNTRACK_SYN_SENT:
823 if (old_state < TCP_CONNTRACK_TIME_WAIT) 822 if (old_state < TCP_CONNTRACK_TIME_WAIT)
824 break; 823 break;
825 if ((conntrack->proto.tcp.seen[!dir].flags & 824 if ((ct->proto.tcp.seen[!dir].flags & IP_CT_TCP_FLAG_CLOSE_INIT)
826 IP_CT_TCP_FLAG_CLOSE_INIT) 825 || (ct->proto.tcp.last_dir == dir
827 || (conntrack->proto.tcp.last_dir == dir 826 && ct->proto.tcp.last_index == TCP_RST_SET)) {
828 && conntrack->proto.tcp.last_index == TCP_RST_SET)) {
829 /* Attempt to reopen a closed/aborted connection. 827 /* Attempt to reopen a closed/aborted connection.
830 * Delete this connection and look up again. */ 828 * Delete this connection and look up again. */
831 write_unlock_bh(&tcp_lock); 829 write_unlock_bh(&tcp_lock);
832 if (del_timer(&conntrack->timeout)) 830 if (del_timer(&ct->timeout))
833 conntrack->timeout.function((unsigned long) 831 ct->timeout.function((unsigned long)ct);
834 conntrack);
835 return -NF_REPEAT; 832 return -NF_REPEAT;
836 } 833 }
837 /* Fall through */ 834 /* Fall through */
@@ -843,10 +840,9 @@ static int tcp_packet(struct nf_conn *conntrack,
843 * c) ACK in reply direction after initial SYN in original. 840 * c) ACK in reply direction after initial SYN in original.
844 */ 841 */
845 if (index == TCP_SYNACK_SET 842 if (index == TCP_SYNACK_SET
846 && conntrack->proto.tcp.last_index == TCP_SYN_SET 843 && ct->proto.tcp.last_index == TCP_SYN_SET
847 && conntrack->proto.tcp.last_dir != dir 844 && ct->proto.tcp.last_dir != dir
848 && ntohl(th->ack_seq) == 845 && ntohl(th->ack_seq) == ct->proto.tcp.last_end) {
849 conntrack->proto.tcp.last_end) {
850 /* This SYN/ACK acknowledges a SYN that we earlier 846 /* This SYN/ACK acknowledges a SYN that we earlier
851 * ignored as invalid. This means that the client and 847 * ignored as invalid. This means that the client and
852 * the server are both in sync, while the firewall is 848 * the server are both in sync, while the firewall is
@@ -858,15 +854,14 @@ static int tcp_packet(struct nf_conn *conntrack,
858 if (LOG_INVALID(IPPROTO_TCP)) 854 if (LOG_INVALID(IPPROTO_TCP))
859 nf_log_packet(pf, 0, skb, NULL, NULL, NULL, 855 nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
860 "nf_ct_tcp: killing out of sync session "); 856 "nf_ct_tcp: killing out of sync session ");
861 if (del_timer(&conntrack->timeout)) 857 if (del_timer(&ct->timeout))
862 conntrack->timeout.function((unsigned long) 858 ct->timeout.function((unsigned long)ct);
863 conntrack);
864 return -NF_DROP; 859 return -NF_DROP;
865 } 860 }
866 conntrack->proto.tcp.last_index = index; 861 ct->proto.tcp.last_index = index;
867 conntrack->proto.tcp.last_dir = dir; 862 ct->proto.tcp.last_dir = dir;
868 conntrack->proto.tcp.last_seq = ntohl(th->seq); 863 ct->proto.tcp.last_seq = ntohl(th->seq);
869 conntrack->proto.tcp.last_end = 864 ct->proto.tcp.last_end =
870 segment_seq_plus_len(ntohl(th->seq), skb->len, dataoff, th); 865 segment_seq_plus_len(ntohl(th->seq), skb->len, dataoff, th);
871 866
872 write_unlock_bh(&tcp_lock); 867 write_unlock_bh(&tcp_lock);
@@ -885,11 +880,11 @@ static int tcp_packet(struct nf_conn *conntrack,
885 return -NF_ACCEPT; 880 return -NF_ACCEPT;
886 case TCP_CONNTRACK_CLOSE: 881 case TCP_CONNTRACK_CLOSE:
887 if (index == TCP_RST_SET 882 if (index == TCP_RST_SET
888 && ((test_bit(IPS_SEEN_REPLY_BIT, &conntrack->status) 883 && ((test_bit(IPS_SEEN_REPLY_BIT, &ct->status)
889 && conntrack->proto.tcp.last_index == TCP_SYN_SET) 884 && ct->proto.tcp.last_index == TCP_SYN_SET)
890 || (!test_bit(IPS_ASSURED_BIT, &conntrack->status) 885 || (!test_bit(IPS_ASSURED_BIT, &ct->status)
891 && conntrack->proto.tcp.last_index == TCP_ACK_SET)) 886 && ct->proto.tcp.last_index == TCP_ACK_SET))
892 && ntohl(th->ack_seq) == conntrack->proto.tcp.last_end) { 887 && ntohl(th->ack_seq) == ct->proto.tcp.last_end) {
893 /* RST sent to invalid SYN or ACK we had let through 888 /* RST sent to invalid SYN or ACK we had let through
894 * at a) and c) above: 889 * at a) and c) above:
895 * 890 *
@@ -907,15 +902,15 @@ static int tcp_packet(struct nf_conn *conntrack,
907 break; 902 break;
908 } 903 }
909 904
910 if (!tcp_in_window(conntrack, &conntrack->proto.tcp, dir, index, 905 if (!tcp_in_window(ct, &ct->proto.tcp, dir, index,
911 skb, dataoff, th, pf)) { 906 skb, dataoff, th, pf)) {
912 write_unlock_bh(&tcp_lock); 907 write_unlock_bh(&tcp_lock);
913 return -NF_ACCEPT; 908 return -NF_ACCEPT;
914 } 909 }
915 in_window: 910 in_window:
916 /* From now on we have got in-window packets */ 911 /* From now on we have got in-window packets */
917 conntrack->proto.tcp.last_index = index; 912 ct->proto.tcp.last_index = index;
918 conntrack->proto.tcp.last_dir = dir; 913 ct->proto.tcp.last_dir = dir;
919 914
920 pr_debug("tcp_conntracks: "); 915 pr_debug("tcp_conntracks: ");
921 NF_CT_DUMP_TUPLE(tuple); 916 NF_CT_DUMP_TUPLE(tuple);
@@ -924,12 +919,12 @@ static int tcp_packet(struct nf_conn *conntrack,
924 (th->fin ? 1 : 0), (th->rst ? 1 : 0), 919 (th->fin ? 1 : 0), (th->rst ? 1 : 0),
925 old_state, new_state); 920 old_state, new_state);
926 921
927 conntrack->proto.tcp.state = new_state; 922 ct->proto.tcp.state = new_state;
928 if (old_state != new_state 923 if (old_state != new_state
929 && (new_state == TCP_CONNTRACK_FIN_WAIT 924 && (new_state == TCP_CONNTRACK_FIN_WAIT
930 || new_state == TCP_CONNTRACK_CLOSE)) 925 || new_state == TCP_CONNTRACK_CLOSE))
931 conntrack->proto.tcp.seen[dir].flags |= IP_CT_TCP_FLAG_CLOSE_INIT; 926 ct->proto.tcp.seen[dir].flags |= IP_CT_TCP_FLAG_CLOSE_INIT;
932 timeout = conntrack->proto.tcp.retrans >= nf_ct_tcp_max_retrans 927 timeout = ct->proto.tcp.retrans >= nf_ct_tcp_max_retrans
933 && tcp_timeouts[new_state] > nf_ct_tcp_timeout_max_retrans 928 && tcp_timeouts[new_state] > nf_ct_tcp_timeout_max_retrans
934 ? nf_ct_tcp_timeout_max_retrans : tcp_timeouts[new_state]; 929 ? nf_ct_tcp_timeout_max_retrans : tcp_timeouts[new_state];
935 write_unlock_bh(&tcp_lock); 930 write_unlock_bh(&tcp_lock);
@@ -938,41 +933,40 @@ static int tcp_packet(struct nf_conn *conntrack,
938 if (new_state != old_state) 933 if (new_state != old_state)
939 nf_conntrack_event_cache(IPCT_PROTOINFO, skb); 934 nf_conntrack_event_cache(IPCT_PROTOINFO, skb);
940 935
941 if (!test_bit(IPS_SEEN_REPLY_BIT, &conntrack->status)) { 936 if (!test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
942 /* If only reply is a RST, we can consider ourselves not to 937 /* If only reply is a RST, we can consider ourselves not to
943 have an established connection: this is a fairly common 938 have an established connection: this is a fairly common
944 problem case, so we can delete the conntrack 939 problem case, so we can delete the conntrack
945 immediately. --RR */ 940 immediately. --RR */
946 if (th->rst) { 941 if (th->rst) {
947 if (del_timer(&conntrack->timeout)) 942 if (del_timer(&ct->timeout))
948 conntrack->timeout.function((unsigned long) 943 ct->timeout.function((unsigned long)ct);
949 conntrack);
950 return NF_ACCEPT; 944 return NF_ACCEPT;
951 } 945 }
952 } else if (!test_bit(IPS_ASSURED_BIT, &conntrack->status) 946 } else if (!test_bit(IPS_ASSURED_BIT, &ct->status)
953 && (old_state == TCP_CONNTRACK_SYN_RECV 947 && (old_state == TCP_CONNTRACK_SYN_RECV
954 || old_state == TCP_CONNTRACK_ESTABLISHED) 948 || old_state == TCP_CONNTRACK_ESTABLISHED)
955 && new_state == TCP_CONNTRACK_ESTABLISHED) { 949 && new_state == TCP_CONNTRACK_ESTABLISHED) {
956 /* Set ASSURED if we see see valid ack in ESTABLISHED 950 /* Set ASSURED if we see see valid ack in ESTABLISHED
957 after SYN_RECV or a valid answer for a picked up 951 after SYN_RECV or a valid answer for a picked up
958 connection. */ 952 connection. */
959 set_bit(IPS_ASSURED_BIT, &conntrack->status); 953 set_bit(IPS_ASSURED_BIT, &ct->status);
960 nf_conntrack_event_cache(IPCT_STATUS, skb); 954 nf_conntrack_event_cache(IPCT_STATUS, skb);
961 } 955 }
962 nf_ct_refresh_acct(conntrack, ctinfo, skb, timeout); 956 nf_ct_refresh_acct(ct, ctinfo, skb, timeout);
963 957
964 return NF_ACCEPT; 958 return NF_ACCEPT;
965} 959}
966 960
967/* Called when a new connection for this protocol found. */ 961/* Called when a new connection for this protocol found. */
968static int tcp_new(struct nf_conn *conntrack, 962static int tcp_new(struct nf_conn *ct,
969 const struct sk_buff *skb, 963 const struct sk_buff *skb,
970 unsigned int dataoff) 964 unsigned int dataoff)
971{ 965{
972 enum tcp_conntrack new_state; 966 enum tcp_conntrack new_state;
973 struct tcphdr *th, _tcph; 967 struct tcphdr *th, _tcph;
974 struct ip_ct_tcp_state *sender = &conntrack->proto.tcp.seen[0]; 968 struct ip_ct_tcp_state *sender = &ct->proto.tcp.seen[0];
975 struct ip_ct_tcp_state *receiver = &conntrack->proto.tcp.seen[1]; 969 struct ip_ct_tcp_state *receiver = &ct->proto.tcp.seen[1];
976 970
977 th = skb_header_pointer(skb, dataoff, sizeof(_tcph), &_tcph); 971 th = skb_header_pointer(skb, dataoff, sizeof(_tcph), &_tcph);
978 BUG_ON(th == NULL); 972 BUG_ON(th == NULL);
@@ -990,17 +984,17 @@ static int tcp_new(struct nf_conn *conntrack,
990 984
991 if (new_state == TCP_CONNTRACK_SYN_SENT) { 985 if (new_state == TCP_CONNTRACK_SYN_SENT) {
992 /* SYN packet */ 986 /* SYN packet */
993 conntrack->proto.tcp.seen[0].td_end = 987 ct->proto.tcp.seen[0].td_end =
994 segment_seq_plus_len(ntohl(th->seq), skb->len, 988 segment_seq_plus_len(ntohl(th->seq), skb->len,
995 dataoff, th); 989 dataoff, th);
996 conntrack->proto.tcp.seen[0].td_maxwin = ntohs(th->window); 990 ct->proto.tcp.seen[0].td_maxwin = ntohs(th->window);
997 if (conntrack->proto.tcp.seen[0].td_maxwin == 0) 991 if (ct->proto.tcp.seen[0].td_maxwin == 0)
998 conntrack->proto.tcp.seen[0].td_maxwin = 1; 992 ct->proto.tcp.seen[0].td_maxwin = 1;
999 conntrack->proto.tcp.seen[0].td_maxend = 993 ct->proto.tcp.seen[0].td_maxend =
1000 conntrack->proto.tcp.seen[0].td_end; 994 ct->proto.tcp.seen[0].td_end;
1001 995
1002 tcp_options(skb, dataoff, th, &conntrack->proto.tcp.seen[0]); 996 tcp_options(skb, dataoff, th, &ct->proto.tcp.seen[0]);
1003 conntrack->proto.tcp.seen[1].flags = 0; 997 ct->proto.tcp.seen[1].flags = 0;
1004 } else if (nf_ct_tcp_loose == 0) { 998 } else if (nf_ct_tcp_loose == 0) {
1005 /* Don't try to pick up connections. */ 999 /* Don't try to pick up connections. */
1006 return 0; 1000 return 0;
@@ -1010,32 +1004,32 @@ static int tcp_new(struct nf_conn *conntrack,
1010 * its history is lost for us. 1004 * its history is lost for us.
1011 * Let's try to use the data from the packet. 1005 * Let's try to use the data from the packet.
1012 */ 1006 */
1013 conntrack->proto.tcp.seen[0].td_end = 1007 ct->proto.tcp.seen[0].td_end =
1014 segment_seq_plus_len(ntohl(th->seq), skb->len, 1008 segment_seq_plus_len(ntohl(th->seq), skb->len,
1015 dataoff, th); 1009 dataoff, th);
1016 conntrack->proto.tcp.seen[0].td_maxwin = ntohs(th->window); 1010 ct->proto.tcp.seen[0].td_maxwin = ntohs(th->window);
1017 if (conntrack->proto.tcp.seen[0].td_maxwin == 0) 1011 if (ct->proto.tcp.seen[0].td_maxwin == 0)
1018 conntrack->proto.tcp.seen[0].td_maxwin = 1; 1012 ct->proto.tcp.seen[0].td_maxwin = 1;
1019 conntrack->proto.tcp.seen[0].td_maxend = 1013 ct->proto.tcp.seen[0].td_maxend =
1020 conntrack->proto.tcp.seen[0].td_end + 1014 ct->proto.tcp.seen[0].td_end +
1021 conntrack->proto.tcp.seen[0].td_maxwin; 1015 ct->proto.tcp.seen[0].td_maxwin;
1022 conntrack->proto.tcp.seen[0].td_scale = 0; 1016 ct->proto.tcp.seen[0].td_scale = 0;
1023 1017
1024 /* We assume SACK and liberal window checking to handle 1018 /* We assume SACK and liberal window checking to handle
1025 * window scaling */ 1019 * window scaling */
1026 conntrack->proto.tcp.seen[0].flags = 1020 ct->proto.tcp.seen[0].flags =
1027 conntrack->proto.tcp.seen[1].flags = IP_CT_TCP_FLAG_SACK_PERM | 1021 ct->proto.tcp.seen[1].flags = IP_CT_TCP_FLAG_SACK_PERM |
1028 IP_CT_TCP_FLAG_BE_LIBERAL; 1022 IP_CT_TCP_FLAG_BE_LIBERAL;
1029 } 1023 }
1030 1024
1031 conntrack->proto.tcp.seen[1].td_end = 0; 1025 ct->proto.tcp.seen[1].td_end = 0;
1032 conntrack->proto.tcp.seen[1].td_maxend = 0; 1026 ct->proto.tcp.seen[1].td_maxend = 0;
1033 conntrack->proto.tcp.seen[1].td_maxwin = 1; 1027 ct->proto.tcp.seen[1].td_maxwin = 1;
1034 conntrack->proto.tcp.seen[1].td_scale = 0; 1028 ct->proto.tcp.seen[1].td_scale = 0;
1035 1029
1036 /* tcp_packet will set them */ 1030 /* tcp_packet will set them */
1037 conntrack->proto.tcp.state = TCP_CONNTRACK_NONE; 1031 ct->proto.tcp.state = TCP_CONNTRACK_NONE;
1038 conntrack->proto.tcp.last_index = TCP_NONE_SET; 1032 ct->proto.tcp.last_index = TCP_NONE_SET;
1039 1033
1040 pr_debug("tcp_new: sender end=%u maxend=%u maxwin=%u scale=%i " 1034 pr_debug("tcp_new: sender end=%u maxend=%u maxwin=%u scale=%i "
1041 "receiver end=%u maxend=%u maxwin=%u scale=%i\n", 1035 "receiver end=%u maxend=%u maxwin=%u scale=%i\n",
diff --git a/net/netfilter/nf_conntrack_proto_udp.c b/net/netfilter/nf_conntrack_proto_udp.c
index 384875411082..4c1e67ed63bd 100644
--- a/net/netfilter/nf_conntrack_proto_udp.c
+++ b/net/netfilter/nf_conntrack_proto_udp.c
@@ -61,7 +61,7 @@ static int udp_print_tuple(struct seq_file *s,
61} 61}
62 62
63/* Returns verdict for packet, and may modify conntracktype */ 63/* Returns verdict for packet, and may modify conntracktype */
64static int udp_packet(struct nf_conn *conntrack, 64static int udp_packet(struct nf_conn *ct,
65 const struct sk_buff *skb, 65 const struct sk_buff *skb,
66 unsigned int dataoff, 66 unsigned int dataoff,
67 enum ip_conntrack_info ctinfo, 67 enum ip_conntrack_info ctinfo,
@@ -70,20 +70,19 @@ static int udp_packet(struct nf_conn *conntrack,
70{ 70{
71 /* If we've seen traffic both ways, this is some kind of UDP 71 /* If we've seen traffic both ways, this is some kind of UDP
72 stream. Extend timeout. */ 72 stream. Extend timeout. */
73 if (test_bit(IPS_SEEN_REPLY_BIT, &conntrack->status)) { 73 if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
74 nf_ct_refresh_acct(conntrack, ctinfo, skb, 74 nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_udp_timeout_stream);
75 nf_ct_udp_timeout_stream);
76 /* Also, more likely to be important, and not a probe */ 75 /* Also, more likely to be important, and not a probe */
77 if (!test_and_set_bit(IPS_ASSURED_BIT, &conntrack->status)) 76 if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status))
78 nf_conntrack_event_cache(IPCT_STATUS, skb); 77 nf_conntrack_event_cache(IPCT_STATUS, skb);
79 } else 78 } else
80 nf_ct_refresh_acct(conntrack, ctinfo, skb, nf_ct_udp_timeout); 79 nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_udp_timeout);
81 80
82 return NF_ACCEPT; 81 return NF_ACCEPT;
83} 82}
84 83
85/* Called when a new connection for this protocol found. */ 84/* Called when a new connection for this protocol found. */
86static int udp_new(struct nf_conn *conntrack, const struct sk_buff *skb, 85static int udp_new(struct nf_conn *ct, const struct sk_buff *skb,
87 unsigned int dataoff) 86 unsigned int dataoff)
88{ 87{
89 return 1; 88 return 1;
diff --git a/net/netfilter/nf_conntrack_proto_udplite.c b/net/netfilter/nf_conntrack_proto_udplite.c
index 070056d9bcd6..d9e1532b45d9 100644
--- a/net/netfilter/nf_conntrack_proto_udplite.c
+++ b/net/netfilter/nf_conntrack_proto_udplite.c
@@ -60,7 +60,7 @@ static int udplite_print_tuple(struct seq_file *s,
60} 60}
61 61
62/* Returns verdict for packet, and may modify conntracktype */ 62/* Returns verdict for packet, and may modify conntracktype */
63static int udplite_packet(struct nf_conn *conntrack, 63static int udplite_packet(struct nf_conn *ct,
64 const struct sk_buff *skb, 64 const struct sk_buff *skb,
65 unsigned int dataoff, 65 unsigned int dataoff,
66 enum ip_conntrack_info ctinfo, 66 enum ip_conntrack_info ctinfo,
@@ -69,21 +69,20 @@ static int udplite_packet(struct nf_conn *conntrack,
69{ 69{
70 /* If we've seen traffic both ways, this is some kind of UDP 70 /* If we've seen traffic both ways, this is some kind of UDP
71 stream. Extend timeout. */ 71 stream. Extend timeout. */
72 if (test_bit(IPS_SEEN_REPLY_BIT, &conntrack->status)) { 72 if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
73 nf_ct_refresh_acct(conntrack, ctinfo, skb, 73 nf_ct_refresh_acct(ct, ctinfo, skb,
74 nf_ct_udplite_timeout_stream); 74 nf_ct_udplite_timeout_stream);
75 /* Also, more likely to be important, and not a probe */ 75 /* Also, more likely to be important, and not a probe */
76 if (!test_and_set_bit(IPS_ASSURED_BIT, &conntrack->status)) 76 if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status))
77 nf_conntrack_event_cache(IPCT_STATUS, skb); 77 nf_conntrack_event_cache(IPCT_STATUS, skb);
78 } else 78 } else
79 nf_ct_refresh_acct(conntrack, ctinfo, skb, 79 nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_udplite_timeout);
80 nf_ct_udplite_timeout);
81 80
82 return NF_ACCEPT; 81 return NF_ACCEPT;
83} 82}
84 83
85/* Called when a new connection for this protocol found. */ 84/* Called when a new connection for this protocol found. */
86static int udplite_new(struct nf_conn *conntrack, const struct sk_buff *skb, 85static int udplite_new(struct nf_conn *ct, const struct sk_buff *skb,
87 unsigned int dataoff) 86 unsigned int dataoff)
88{ 87{
89 return 1; 88 return 1;
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index 98f0cd31150d..278b35e64d74 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -117,71 +117,71 @@ static void ct_seq_stop(struct seq_file *s, void *v)
117static int ct_seq_show(struct seq_file *s, void *v) 117static int ct_seq_show(struct seq_file *s, void *v)
118{ 118{
119 const struct nf_conntrack_tuple_hash *hash = v; 119 const struct nf_conntrack_tuple_hash *hash = v;
120 const struct nf_conn *conntrack = nf_ct_tuplehash_to_ctrack(hash); 120 const struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(hash);
121 struct nf_conntrack_l3proto *l3proto; 121 struct nf_conntrack_l3proto *l3proto;
122 struct nf_conntrack_l4proto *l4proto; 122 struct nf_conntrack_l4proto *l4proto;
123 123
124 NF_CT_ASSERT(conntrack); 124 NF_CT_ASSERT(ct);
125 125
126 /* we only want to print DIR_ORIGINAL */ 126 /* we only want to print DIR_ORIGINAL */
127 if (NF_CT_DIRECTION(hash)) 127 if (NF_CT_DIRECTION(hash))
128 return 0; 128 return 0;
129 129
130 l3proto = __nf_ct_l3proto_find(conntrack->tuplehash[IP_CT_DIR_ORIGINAL] 130 l3proto = __nf_ct_l3proto_find(ct->tuplehash[IP_CT_DIR_ORIGINAL]
131 .tuple.src.l3num); 131 .tuple.src.l3num);
132 132
133 NF_CT_ASSERT(l3proto); 133 NF_CT_ASSERT(l3proto);
134 l4proto = __nf_ct_l4proto_find(conntrack->tuplehash[IP_CT_DIR_ORIGINAL] 134 l4proto = __nf_ct_l4proto_find(ct->tuplehash[IP_CT_DIR_ORIGINAL]
135 .tuple.src.l3num, 135 .tuple.src.l3num,
136 conntrack->tuplehash[IP_CT_DIR_ORIGINAL] 136 ct->tuplehash[IP_CT_DIR_ORIGINAL]
137 .tuple.dst.protonum); 137 .tuple.dst.protonum);
138 NF_CT_ASSERT(l4proto); 138 NF_CT_ASSERT(l4proto);
139 139
140 if (seq_printf(s, "%-8s %u %-8s %u %ld ", 140 if (seq_printf(s, "%-8s %u %-8s %u %ld ",
141 l3proto->name, 141 l3proto->name,
142 conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num, 142 ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num,
143 l4proto->name, 143 l4proto->name,
144 conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum, 144 ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum,
145 timer_pending(&conntrack->timeout) 145 timer_pending(&ct->timeout)
146 ? (long)(conntrack->timeout.expires - jiffies)/HZ : 0) != 0) 146 ? (long)(ct->timeout.expires - jiffies)/HZ : 0) != 0)
147 return -ENOSPC; 147 return -ENOSPC;
148 148
149 if (l4proto->print_conntrack && l4proto->print_conntrack(s, conntrack)) 149 if (l4proto->print_conntrack && l4proto->print_conntrack(s, ct))
150 return -ENOSPC; 150 return -ENOSPC;
151 151
152 if (print_tuple(s, &conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple, 152 if (print_tuple(s, &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
153 l3proto, l4proto)) 153 l3proto, l4proto))
154 return -ENOSPC; 154 return -ENOSPC;
155 155
156 if (seq_print_counters(s, &conntrack->counters[IP_CT_DIR_ORIGINAL])) 156 if (seq_print_counters(s, &ct->counters[IP_CT_DIR_ORIGINAL]))
157 return -ENOSPC; 157 return -ENOSPC;
158 158
159 if (!(test_bit(IPS_SEEN_REPLY_BIT, &conntrack->status))) 159 if (!(test_bit(IPS_SEEN_REPLY_BIT, &ct->status)))
160 if (seq_printf(s, "[UNREPLIED] ")) 160 if (seq_printf(s, "[UNREPLIED] "))
161 return -ENOSPC; 161 return -ENOSPC;
162 162
163 if (print_tuple(s, &conntrack->tuplehash[IP_CT_DIR_REPLY].tuple, 163 if (print_tuple(s, &ct->tuplehash[IP_CT_DIR_REPLY].tuple,
164 l3proto, l4proto)) 164 l3proto, l4proto))
165 return -ENOSPC; 165 return -ENOSPC;
166 166
167 if (seq_print_counters(s, &conntrack->counters[IP_CT_DIR_REPLY])) 167 if (seq_print_counters(s, &ct->counters[IP_CT_DIR_REPLY]))
168 return -ENOSPC; 168 return -ENOSPC;
169 169
170 if (test_bit(IPS_ASSURED_BIT, &conntrack->status)) 170 if (test_bit(IPS_ASSURED_BIT, &ct->status))
171 if (seq_printf(s, "[ASSURED] ")) 171 if (seq_printf(s, "[ASSURED] "))
172 return -ENOSPC; 172 return -ENOSPC;
173 173
174#if defined(CONFIG_NF_CONNTRACK_MARK) 174#if defined(CONFIG_NF_CONNTRACK_MARK)
175 if (seq_printf(s, "mark=%u ", conntrack->mark)) 175 if (seq_printf(s, "mark=%u ", ct->mark))
176 return -ENOSPC; 176 return -ENOSPC;
177#endif 177#endif
178 178
179#ifdef CONFIG_NF_CONNTRACK_SECMARK 179#ifdef CONFIG_NF_CONNTRACK_SECMARK
180 if (seq_printf(s, "secmark=%u ", conntrack->secmark)) 180 if (seq_printf(s, "secmark=%u ", ct->secmark))
181 return -ENOSPC; 181 return -ENOSPC;
182#endif 182#endif
183 183
184 if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use))) 184 if (seq_printf(s, "use=%u\n", atomic_read(&ct->ct_general.use)))
185 return -ENOSPC; 185 return -ENOSPC;
186 186
187 return 0; 187 return 0;