diff options
-rw-r--r-- | include/net/netfilter/nf_conntrack.h | 4 | ||||
-rw-r--r-- | include/net/netfilter/nf_conntrack_l3proto.h | 4 | ||||
-rw-r--r-- | include/net/netfilter/nf_conntrack_l4proto.h | 6 | ||||
-rw-r--r-- | net/ipv4/netfilter/nf_conntrack_proto_icmp.c | 12 | ||||
-rw-r--r-- | net/ipv4/netfilter/nf_nat_proto_gre.c | 10 | ||||
-rw-r--r-- | net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c | 8 | ||||
-rw-r--r-- | net/netfilter/nf_conntrack_core.c | 58 | ||||
-rw-r--r-- | net/netfilter/nf_conntrack_proto_generic.c | 6 | ||||
-rw-r--r-- | net/netfilter/nf_conntrack_proto_sctp.c | 2 | ||||
-rw-r--r-- | net/netfilter/nf_conntrack_proto_tcp.c | 150 | ||||
-rw-r--r-- | net/netfilter/nf_conntrack_proto_udp.c | 13 | ||||
-rw-r--r-- | net/netfilter/nf_conntrack_proto_udplite.c | 13 | ||||
-rw-r--r-- | net/netfilter/nf_conntrack_standalone.c | 38 |
13 files changed, 157 insertions, 167 deletions
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h index 14e0cc8364f2..bda78a286e2b 100644 --- a/include/net/netfilter/nf_conntrack.h +++ b/include/net/netfilter/nf_conntrack.h | |||
@@ -145,7 +145,7 @@ nf_ct_tuplehash_to_ctrack(const struct nf_conntrack_tuple_hash *hash) | |||
145 | 145 | ||
146 | /* Alter reply tuple (maybe alter helper). */ | 146 | /* Alter reply tuple (maybe alter helper). */ |
147 | extern void | 147 | extern void |
148 | nf_conntrack_alter_reply(struct nf_conn *conntrack, | 148 | nf_conntrack_alter_reply(struct nf_conn *ct, |
149 | const struct nf_conntrack_tuple *newreply); | 149 | const struct nf_conntrack_tuple *newreply); |
150 | 150 | ||
151 | /* Is this tuple taken? (ignoring any belonging to the given | 151 | /* Is this tuple taken? (ignoring any belonging to the given |
@@ -218,7 +218,7 @@ static inline void nf_ct_refresh(struct nf_conn *ct, | |||
218 | /* Update TCP window tracking data when NAT mangles the packet */ | 218 | /* Update TCP window tracking data when NAT mangles the packet */ |
219 | extern void nf_conntrack_tcp_update(struct sk_buff *skb, | 219 | extern void nf_conntrack_tcp_update(struct sk_buff *skb, |
220 | unsigned int dataoff, | 220 | unsigned int dataoff, |
221 | struct nf_conn *conntrack, | 221 | struct nf_conn *ct, |
222 | int dir); | 222 | int dir); |
223 | 223 | ||
224 | /* Fake conntrack entry for untracked connections */ | 224 | /* Fake conntrack entry for untracked connections */ |
diff --git a/include/net/netfilter/nf_conntrack_l3proto.h b/include/net/netfilter/nf_conntrack_l3proto.h index d5526bcce147..b886e3ae6cad 100644 --- a/include/net/netfilter/nf_conntrack_l3proto.h +++ b/include/net/netfilter/nf_conntrack_l3proto.h | |||
@@ -43,7 +43,7 @@ struct nf_conntrack_l3proto | |||
43 | const struct nf_conntrack_tuple *); | 43 | const struct nf_conntrack_tuple *); |
44 | 44 | ||
45 | /* Returns verdict for packet, or -1 for invalid. */ | 45 | /* Returns verdict for packet, or -1 for invalid. */ |
46 | int (*packet)(struct nf_conn *conntrack, | 46 | int (*packet)(struct nf_conn *ct, |
47 | const struct sk_buff *skb, | 47 | const struct sk_buff *skb, |
48 | enum ip_conntrack_info ctinfo); | 48 | enum ip_conntrack_info ctinfo); |
49 | 49 | ||
@@ -51,7 +51,7 @@ struct nf_conntrack_l3proto | |||
51 | * Called when a new connection for this protocol found; | 51 | * Called when a new connection for this protocol found; |
52 | * returns TRUE if it's OK. If so, packet() called next. | 52 | * returns TRUE if it's OK. If so, packet() called next. |
53 | */ | 53 | */ |
54 | int (*new)(struct nf_conn *conntrack, const struct sk_buff *skb); | 54 | int (*new)(struct nf_conn *ct, const struct sk_buff *skb); |
55 | 55 | ||
56 | /* | 56 | /* |
57 | * Called before tracking. | 57 | * Called before tracking. |
diff --git a/include/net/netfilter/nf_conntrack_l4proto.h b/include/net/netfilter/nf_conntrack_l4proto.h index 84892cc1d603..efc16eccddb1 100644 --- a/include/net/netfilter/nf_conntrack_l4proto.h +++ b/include/net/netfilter/nf_conntrack_l4proto.h | |||
@@ -36,7 +36,7 @@ struct nf_conntrack_l4proto | |||
36 | const struct nf_conntrack_tuple *orig); | 36 | const struct nf_conntrack_tuple *orig); |
37 | 37 | ||
38 | /* Returns verdict for packet, or -1 for invalid. */ | 38 | /* Returns verdict for packet, or -1 for invalid. */ |
39 | int (*packet)(struct nf_conn *conntrack, | 39 | int (*packet)(struct nf_conn *ct, |
40 | const struct sk_buff *skb, | 40 | const struct sk_buff *skb, |
41 | unsigned int dataoff, | 41 | unsigned int dataoff, |
42 | enum ip_conntrack_info ctinfo, | 42 | enum ip_conntrack_info ctinfo, |
@@ -45,11 +45,11 @@ struct nf_conntrack_l4proto | |||
45 | 45 | ||
46 | /* Called when a new connection for this protocol found; | 46 | /* Called when a new connection for this protocol found; |
47 | * returns TRUE if it's OK. If so, packet() called next. */ | 47 | * returns TRUE if it's OK. If so, packet() called next. */ |
48 | int (*new)(struct nf_conn *conntrack, const struct sk_buff *skb, | 48 | int (*new)(struct nf_conn *ct, const struct sk_buff *skb, |
49 | unsigned int dataoff); | 49 | unsigned int dataoff); |
50 | 50 | ||
51 | /* Called when a conntrack entry is destroyed */ | 51 | /* Called when a conntrack entry is destroyed */ |
52 | void (*destroy)(struct nf_conn *conntrack); | 52 | void (*destroy)(struct nf_conn *ct); |
53 | 53 | ||
54 | int (*error)(struct sk_buff *skb, unsigned int dataoff, | 54 | int (*error)(struct sk_buff *skb, unsigned int dataoff, |
55 | enum ip_conntrack_info *ctinfo, | 55 | enum ip_conntrack_info *ctinfo, |
diff --git a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c index 4004a04c5510..17217f4f9918 100644 --- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c +++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c | |||
@@ -100,7 +100,7 @@ static int icmp_packet(struct nf_conn *ct, | |||
100 | } | 100 | } |
101 | 101 | ||
102 | /* Called when a new connection for this protocol found. */ | 102 | /* Called when a new connection for this protocol found. */ |
103 | static int icmp_new(struct nf_conn *conntrack, | 103 | static int icmp_new(struct nf_conn *ct, |
104 | const struct sk_buff *skb, unsigned int dataoff) | 104 | const struct sk_buff *skb, unsigned int dataoff) |
105 | { | 105 | { |
106 | static const u_int8_t valid_new[] = { | 106 | static const u_int8_t valid_new[] = { |
@@ -110,15 +110,15 @@ static int icmp_new(struct nf_conn *conntrack, | |||
110 | [ICMP_ADDRESS] = 1 | 110 | [ICMP_ADDRESS] = 1 |
111 | }; | 111 | }; |
112 | 112 | ||
113 | if (conntrack->tuplehash[0].tuple.dst.u.icmp.type >= sizeof(valid_new) | 113 | if (ct->tuplehash[0].tuple.dst.u.icmp.type >= sizeof(valid_new) |
114 | || !valid_new[conntrack->tuplehash[0].tuple.dst.u.icmp.type]) { | 114 | || !valid_new[ct->tuplehash[0].tuple.dst.u.icmp.type]) { |
115 | /* Can't create a new ICMP `conn' with this. */ | 115 | /* Can't create a new ICMP `conn' with this. */ |
116 | pr_debug("icmp: can't create new conn with type %u\n", | 116 | pr_debug("icmp: can't create new conn with type %u\n", |
117 | conntrack->tuplehash[0].tuple.dst.u.icmp.type); | 117 | ct->tuplehash[0].tuple.dst.u.icmp.type); |
118 | NF_CT_DUMP_TUPLE(&conntrack->tuplehash[0].tuple); | 118 | NF_CT_DUMP_TUPLE(&ct->tuplehash[0].tuple); |
119 | return 0; | 119 | return 0; |
120 | } | 120 | } |
121 | atomic_set(&conntrack->proto.icmp.count, 0); | 121 | atomic_set(&ct->proto.icmp.count, 0); |
122 | return 1; | 122 | return 1; |
123 | } | 123 | } |
124 | 124 | ||
diff --git a/net/ipv4/netfilter/nf_nat_proto_gre.c b/net/ipv4/netfilter/nf_nat_proto_gre.c index c9dbd550df39..b887ebb42133 100644 --- a/net/ipv4/netfilter/nf_nat_proto_gre.c +++ b/net/ipv4/netfilter/nf_nat_proto_gre.c | |||
@@ -59,7 +59,7 @@ static int | |||
59 | gre_unique_tuple(struct nf_conntrack_tuple *tuple, | 59 | gre_unique_tuple(struct nf_conntrack_tuple *tuple, |
60 | const struct nf_nat_range *range, | 60 | const struct nf_nat_range *range, |
61 | enum nf_nat_manip_type maniptype, | 61 | enum nf_nat_manip_type maniptype, |
62 | const struct nf_conn *conntrack) | 62 | const struct nf_conn *ct) |
63 | { | 63 | { |
64 | static u_int16_t key; | 64 | static u_int16_t key; |
65 | __be16 *keyptr; | 65 | __be16 *keyptr; |
@@ -67,7 +67,7 @@ gre_unique_tuple(struct nf_conntrack_tuple *tuple, | |||
67 | 67 | ||
68 | /* If there is no master conntrack we are not PPTP, | 68 | /* If there is no master conntrack we are not PPTP, |
69 | do not change tuples */ | 69 | do not change tuples */ |
70 | if (!conntrack->master) | 70 | if (!ct->master) |
71 | return 0; | 71 | return 0; |
72 | 72 | ||
73 | if (maniptype == IP_NAT_MANIP_SRC) | 73 | if (maniptype == IP_NAT_MANIP_SRC) |
@@ -76,7 +76,7 @@ gre_unique_tuple(struct nf_conntrack_tuple *tuple, | |||
76 | keyptr = &tuple->dst.u.gre.key; | 76 | keyptr = &tuple->dst.u.gre.key; |
77 | 77 | ||
78 | if (!(range->flags & IP_NAT_RANGE_PROTO_SPECIFIED)) { | 78 | if (!(range->flags & IP_NAT_RANGE_PROTO_SPECIFIED)) { |
79 | pr_debug("%p: NATing GRE PPTP\n", conntrack); | 79 | pr_debug("%p: NATing GRE PPTP\n", ct); |
80 | min = 1; | 80 | min = 1; |
81 | range_size = 0xffff; | 81 | range_size = 0xffff; |
82 | } else { | 82 | } else { |
@@ -88,11 +88,11 @@ gre_unique_tuple(struct nf_conntrack_tuple *tuple, | |||
88 | 88 | ||
89 | for (i = 0; i < range_size; i++, key++) { | 89 | for (i = 0; i < range_size; i++, key++) { |
90 | *keyptr = htons(min + key % range_size); | 90 | *keyptr = htons(min + key % range_size); |
91 | if (!nf_nat_used_tuple(tuple, conntrack)) | 91 | if (!nf_nat_used_tuple(tuple, ct)) |
92 | return 1; | 92 | return 1; |
93 | } | 93 | } |
94 | 94 | ||
95 | pr_debug("%p: no NAT mapping\n", conntrack); | 95 | pr_debug("%p: no NAT mapping\n", ct); |
96 | return 0; | 96 | return 0; |
97 | } | 97 | } |
98 | 98 | ||
diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c index da924c6b5f06..430db1de31e3 100644 --- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c +++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c | |||
@@ -101,7 +101,7 @@ static int icmpv6_packet(struct nf_conn *ct, | |||
101 | } | 101 | } |
102 | 102 | ||
103 | /* Called when a new connection for this protocol found. */ | 103 | /* Called when a new connection for this protocol found. */ |
104 | static int icmpv6_new(struct nf_conn *conntrack, | 104 | static int icmpv6_new(struct nf_conn *ct, |
105 | const struct sk_buff *skb, | 105 | const struct sk_buff *skb, |
106 | unsigned int dataoff) | 106 | unsigned int dataoff) |
107 | { | 107 | { |
@@ -109,16 +109,16 @@ static int icmpv6_new(struct nf_conn *conntrack, | |||
109 | [ICMPV6_ECHO_REQUEST - 128] = 1, | 109 | [ICMPV6_ECHO_REQUEST - 128] = 1, |
110 | [ICMPV6_NI_QUERY - 128] = 1 | 110 | [ICMPV6_NI_QUERY - 128] = 1 |
111 | }; | 111 | }; |
112 | int type = conntrack->tuplehash[0].tuple.dst.u.icmp.type - 128; | 112 | int type = ct->tuplehash[0].tuple.dst.u.icmp.type - 128; |
113 | 113 | ||
114 | if (type < 0 || type >= sizeof(valid_new) || !valid_new[type]) { | 114 | if (type < 0 || type >= sizeof(valid_new) || !valid_new[type]) { |
115 | /* Can't create a new ICMPv6 `conn' with this. */ | 115 | /* Can't create a new ICMPv6 `conn' with this. */ |
116 | pr_debug("icmpv6: can't create new conn with type %u\n", | 116 | pr_debug("icmpv6: can't create new conn with type %u\n", |
117 | type + 128); | 117 | type + 128); |
118 | NF_CT_DUMP_TUPLE(&conntrack->tuplehash[0].tuple); | 118 | NF_CT_DUMP_TUPLE(&ct->tuplehash[0].tuple); |
119 | return 0; | 119 | return 0; |
120 | } | 120 | } |
121 | atomic_set(&conntrack->proto.icmp.count, 0); | 121 | atomic_set(&ct->proto.icmp.count, 0); |
122 | return 1; | 122 | return 1; |
123 | } | 123 | } |
124 | 124 | ||
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index 120588333c73..1a3673d55868 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c | |||
@@ -462,7 +462,7 @@ static noinline int early_drop(unsigned int hash) | |||
462 | struct nf_conn *nf_conntrack_alloc(const struct nf_conntrack_tuple *orig, | 462 | struct nf_conn *nf_conntrack_alloc(const struct nf_conntrack_tuple *orig, |
463 | const struct nf_conntrack_tuple *repl) | 463 | const struct nf_conntrack_tuple *repl) |
464 | { | 464 | { |
465 | struct nf_conn *conntrack = NULL; | 465 | struct nf_conn *ct = NULL; |
466 | 466 | ||
467 | if (unlikely(!nf_conntrack_hash_rnd_initted)) { | 467 | if (unlikely(!nf_conntrack_hash_rnd_initted)) { |
468 | get_random_bytes(&nf_conntrack_hash_rnd, 4); | 468 | get_random_bytes(&nf_conntrack_hash_rnd, 4); |
@@ -485,22 +485,21 @@ struct nf_conn *nf_conntrack_alloc(const struct nf_conntrack_tuple *orig, | |||
485 | } | 485 | } |
486 | } | 486 | } |
487 | 487 | ||
488 | conntrack = kmem_cache_zalloc(nf_conntrack_cachep, GFP_ATOMIC); | 488 | ct = kmem_cache_zalloc(nf_conntrack_cachep, GFP_ATOMIC); |
489 | if (conntrack == NULL) { | 489 | if (ct == NULL) { |
490 | pr_debug("nf_conntrack_alloc: Can't alloc conntrack.\n"); | 490 | pr_debug("nf_conntrack_alloc: Can't alloc conntrack.\n"); |
491 | atomic_dec(&nf_conntrack_count); | 491 | atomic_dec(&nf_conntrack_count); |
492 | return ERR_PTR(-ENOMEM); | 492 | return ERR_PTR(-ENOMEM); |
493 | } | 493 | } |
494 | 494 | ||
495 | atomic_set(&conntrack->ct_general.use, 1); | 495 | atomic_set(&ct->ct_general.use, 1); |
496 | conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple = *orig; | 496 | ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple = *orig; |
497 | conntrack->tuplehash[IP_CT_DIR_REPLY].tuple = *repl; | 497 | ct->tuplehash[IP_CT_DIR_REPLY].tuple = *repl; |
498 | /* Don't set timer yet: wait for confirmation */ | 498 | /* Don't set timer yet: wait for confirmation */ |
499 | setup_timer(&conntrack->timeout, death_by_timeout, | 499 | setup_timer(&ct->timeout, death_by_timeout, (unsigned long)ct); |
500 | (unsigned long)conntrack); | 500 | INIT_RCU_HEAD(&ct->rcu); |
501 | INIT_RCU_HEAD(&conntrack->rcu); | ||
502 | 501 | ||
503 | return conntrack; | 502 | return ct; |
504 | } | 503 | } |
505 | EXPORT_SYMBOL_GPL(nf_conntrack_alloc); | 504 | EXPORT_SYMBOL_GPL(nf_conntrack_alloc); |
506 | 505 | ||
@@ -513,9 +512,9 @@ static void nf_conntrack_free_rcu(struct rcu_head *head) | |||
513 | atomic_dec(&nf_conntrack_count); | 512 | atomic_dec(&nf_conntrack_count); |
514 | } | 513 | } |
515 | 514 | ||
516 | void nf_conntrack_free(struct nf_conn *conntrack) | 515 | void nf_conntrack_free(struct nf_conn *ct) |
517 | { | 516 | { |
518 | call_rcu(&conntrack->rcu, nf_conntrack_free_rcu); | 517 | call_rcu(&ct->rcu, nf_conntrack_free_rcu); |
519 | } | 518 | } |
520 | EXPORT_SYMBOL_GPL(nf_conntrack_free); | 519 | EXPORT_SYMBOL_GPL(nf_conntrack_free); |
521 | 520 | ||
@@ -528,7 +527,7 @@ init_conntrack(const struct nf_conntrack_tuple *tuple, | |||
528 | struct sk_buff *skb, | 527 | struct sk_buff *skb, |
529 | unsigned int dataoff) | 528 | unsigned int dataoff) |
530 | { | 529 | { |
531 | struct nf_conn *conntrack; | 530 | struct nf_conn *ct; |
532 | struct nf_conn_help *help; | 531 | struct nf_conn_help *help; |
533 | struct nf_conntrack_tuple repl_tuple; | 532 | struct nf_conntrack_tuple repl_tuple; |
534 | struct nf_conntrack_expect *exp; | 533 | struct nf_conntrack_expect *exp; |
@@ -538,14 +537,14 @@ init_conntrack(const struct nf_conntrack_tuple *tuple, | |||
538 | return NULL; | 537 | return NULL; |
539 | } | 538 | } |
540 | 539 | ||
541 | conntrack = nf_conntrack_alloc(tuple, &repl_tuple); | 540 | ct = nf_conntrack_alloc(tuple, &repl_tuple); |
542 | if (conntrack == NULL || IS_ERR(conntrack)) { | 541 | if (ct == NULL || IS_ERR(ct)) { |
543 | pr_debug("Can't allocate conntrack.\n"); | 542 | pr_debug("Can't allocate conntrack.\n"); |
544 | return (struct nf_conntrack_tuple_hash *)conntrack; | 543 | return (struct nf_conntrack_tuple_hash *)ct; |
545 | } | 544 | } |
546 | 545 | ||
547 | if (!l4proto->new(conntrack, skb, dataoff)) { | 546 | if (!l4proto->new(ct, skb, dataoff)) { |
548 | nf_conntrack_free(conntrack); | 547 | nf_conntrack_free(ct); |
549 | pr_debug("init conntrack: can't track with proto module\n"); | 548 | pr_debug("init conntrack: can't track with proto module\n"); |
550 | return NULL; | 549 | return NULL; |
551 | } | 550 | } |
@@ -554,30 +553,30 @@ init_conntrack(const struct nf_conntrack_tuple *tuple, | |||
554 | exp = nf_ct_find_expectation(tuple); | 553 | exp = nf_ct_find_expectation(tuple); |
555 | if (exp) { | 554 | if (exp) { |
556 | pr_debug("conntrack: expectation arrives ct=%p exp=%p\n", | 555 | pr_debug("conntrack: expectation arrives ct=%p exp=%p\n", |
557 | conntrack, exp); | 556 | ct, exp); |
558 | /* Welcome, Mr. Bond. We've been expecting you... */ | 557 | /* Welcome, Mr. Bond. We've been expecting you... */ |
559 | __set_bit(IPS_EXPECTED_BIT, &conntrack->status); | 558 | __set_bit(IPS_EXPECTED_BIT, &ct->status); |
560 | conntrack->master = exp->master; | 559 | ct->master = exp->master; |
561 | if (exp->helper) { | 560 | if (exp->helper) { |
562 | help = nf_ct_helper_ext_add(conntrack, GFP_ATOMIC); | 561 | help = nf_ct_helper_ext_add(ct, GFP_ATOMIC); |
563 | if (help) | 562 | if (help) |
564 | rcu_assign_pointer(help->helper, exp->helper); | 563 | rcu_assign_pointer(help->helper, exp->helper); |
565 | } | 564 | } |
566 | 565 | ||
567 | #ifdef CONFIG_NF_CONNTRACK_MARK | 566 | #ifdef CONFIG_NF_CONNTRACK_MARK |
568 | conntrack->mark = exp->master->mark; | 567 | ct->mark = exp->master->mark; |
569 | #endif | 568 | #endif |
570 | #ifdef CONFIG_NF_CONNTRACK_SECMARK | 569 | #ifdef CONFIG_NF_CONNTRACK_SECMARK |
571 | conntrack->secmark = exp->master->secmark; | 570 | ct->secmark = exp->master->secmark; |
572 | #endif | 571 | #endif |
573 | nf_conntrack_get(&conntrack->master->ct_general); | 572 | nf_conntrack_get(&ct->master->ct_general); |
574 | NF_CT_STAT_INC(expect_new); | 573 | NF_CT_STAT_INC(expect_new); |
575 | } else { | 574 | } else { |
576 | struct nf_conntrack_helper *helper; | 575 | struct nf_conntrack_helper *helper; |
577 | 576 | ||
578 | helper = __nf_ct_helper_find(&repl_tuple); | 577 | helper = __nf_ct_helper_find(&repl_tuple); |
579 | if (helper) { | 578 | if (helper) { |
580 | help = nf_ct_helper_ext_add(conntrack, GFP_ATOMIC); | 579 | help = nf_ct_helper_ext_add(ct, GFP_ATOMIC); |
581 | if (help) | 580 | if (help) |
582 | rcu_assign_pointer(help->helper, helper); | 581 | rcu_assign_pointer(help->helper, helper); |
583 | } | 582 | } |
@@ -585,18 +584,17 @@ init_conntrack(const struct nf_conntrack_tuple *tuple, | |||
585 | } | 584 | } |
586 | 585 | ||
587 | /* Overload tuple linked list to put us in unconfirmed list. */ | 586 | /* Overload tuple linked list to put us in unconfirmed list. */ |
588 | hlist_add_head(&conntrack->tuplehash[IP_CT_DIR_ORIGINAL].hnode, | 587 | hlist_add_head(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnode, &unconfirmed); |
589 | &unconfirmed); | ||
590 | 588 | ||
591 | spin_unlock_bh(&nf_conntrack_lock); | 589 | spin_unlock_bh(&nf_conntrack_lock); |
592 | 590 | ||
593 | if (exp) { | 591 | if (exp) { |
594 | if (exp->expectfn) | 592 | if (exp->expectfn) |
595 | exp->expectfn(conntrack, exp); | 593 | exp->expectfn(ct, exp); |
596 | nf_ct_expect_put(exp); | 594 | nf_ct_expect_put(exp); |
597 | } | 595 | } |
598 | 596 | ||
599 | return &conntrack->tuplehash[IP_CT_DIR_ORIGINAL]; | 597 | return &ct->tuplehash[IP_CT_DIR_ORIGINAL]; |
600 | } | 598 | } |
601 | 599 | ||
602 | /* On success, returns conntrack ptr, sets skb->nfct and ctinfo */ | 600 | /* On success, returns conntrack ptr, sets skb->nfct and ctinfo */ |
diff --git a/net/netfilter/nf_conntrack_proto_generic.c b/net/netfilter/nf_conntrack_proto_generic.c index 22c5dcb6306a..55458915575f 100644 --- a/net/netfilter/nf_conntrack_proto_generic.c +++ b/net/netfilter/nf_conntrack_proto_generic.c | |||
@@ -41,19 +41,19 @@ static int generic_print_tuple(struct seq_file *s, | |||
41 | } | 41 | } |
42 | 42 | ||
43 | /* Returns verdict for packet, or -1 for invalid. */ | 43 | /* Returns verdict for packet, or -1 for invalid. */ |
44 | static int packet(struct nf_conn *conntrack, | 44 | static int packet(struct nf_conn *ct, |
45 | const struct sk_buff *skb, | 45 | const struct sk_buff *skb, |
46 | unsigned int dataoff, | 46 | unsigned int dataoff, |
47 | enum ip_conntrack_info ctinfo, | 47 | enum ip_conntrack_info ctinfo, |
48 | int pf, | 48 | int pf, |
49 | unsigned int hooknum) | 49 | unsigned int hooknum) |
50 | { | 50 | { |
51 | nf_ct_refresh_acct(conntrack, ctinfo, skb, nf_ct_generic_timeout); | 51 | nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_generic_timeout); |
52 | return NF_ACCEPT; | 52 | return NF_ACCEPT; |
53 | } | 53 | } |
54 | 54 | ||
55 | /* Called when a new connection for this protocol found. */ | 55 | /* Called when a new connection for this protocol found. */ |
56 | static int new(struct nf_conn *conntrack, const struct sk_buff *skb, | 56 | static int new(struct nf_conn *ct, const struct sk_buff *skb, |
57 | unsigned int dataoff) | 57 | unsigned int dataoff) |
58 | { | 58 | { |
59 | return 1; | 59 | return 1; |
diff --git a/net/netfilter/nf_conntrack_proto_sctp.c b/net/netfilter/nf_conntrack_proto_sctp.c index 7017b161a14b..f9a08370dbb3 100644 --- a/net/netfilter/nf_conntrack_proto_sctp.c +++ b/net/netfilter/nf_conntrack_proto_sctp.c | |||
@@ -25,7 +25,7 @@ | |||
25 | #include <net/netfilter/nf_conntrack_l4proto.h> | 25 | #include <net/netfilter/nf_conntrack_l4proto.h> |
26 | #include <net/netfilter/nf_conntrack_ecache.h> | 26 | #include <net/netfilter/nf_conntrack_ecache.h> |
27 | 27 | ||
28 | /* Protects conntrack->proto.sctp */ | 28 | /* Protects ct->proto.sctp */ |
29 | static DEFINE_RWLOCK(sctp_lock); | 29 | static DEFINE_RWLOCK(sctp_lock); |
30 | 30 | ||
31 | /* FIXME: Examine ipfilter's timeouts and conntrack transitions more | 31 | /* FIXME: Examine ipfilter's timeouts and conntrack transitions more |
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c index 8e2207535665..9807af677a56 100644 --- a/net/netfilter/nf_conntrack_proto_tcp.c +++ b/net/netfilter/nf_conntrack_proto_tcp.c | |||
@@ -26,7 +26,7 @@ | |||
26 | #include <net/netfilter/nf_conntrack_ecache.h> | 26 | #include <net/netfilter/nf_conntrack_ecache.h> |
27 | #include <net/netfilter/nf_log.h> | 27 | #include <net/netfilter/nf_log.h> |
28 | 28 | ||
29 | /* Protects conntrack->proto.tcp */ | 29 | /* Protects ct->proto.tcp */ |
30 | static DEFINE_RWLOCK(tcp_lock); | 30 | static DEFINE_RWLOCK(tcp_lock); |
31 | 31 | ||
32 | /* "Be conservative in what you do, | 32 | /* "Be conservative in what you do, |
@@ -292,13 +292,12 @@ static int tcp_print_tuple(struct seq_file *s, | |||
292 | } | 292 | } |
293 | 293 | ||
294 | /* Print out the private part of the conntrack. */ | 294 | /* Print out the private part of the conntrack. */ |
295 | static int tcp_print_conntrack(struct seq_file *s, | 295 | static int tcp_print_conntrack(struct seq_file *s, const struct nf_conn *ct) |
296 | const struct nf_conn *conntrack) | ||
297 | { | 296 | { |
298 | enum tcp_conntrack state; | 297 | enum tcp_conntrack state; |
299 | 298 | ||
300 | read_lock_bh(&tcp_lock); | 299 | read_lock_bh(&tcp_lock); |
301 | state = conntrack->proto.tcp.state; | 300 | state = ct->proto.tcp.state; |
302 | read_unlock_bh(&tcp_lock); | 301 | read_unlock_bh(&tcp_lock); |
303 | 302 | ||
304 | return seq_printf(s, "%s ", tcp_conntrack_names[state]); | 303 | return seq_printf(s, "%s ", tcp_conntrack_names[state]); |
@@ -689,12 +688,12 @@ static int tcp_in_window(struct nf_conn *ct, | |||
689 | /* Caller must linearize skb at tcp header. */ | 688 | /* Caller must linearize skb at tcp header. */ |
690 | void nf_conntrack_tcp_update(struct sk_buff *skb, | 689 | void nf_conntrack_tcp_update(struct sk_buff *skb, |
691 | unsigned int dataoff, | 690 | unsigned int dataoff, |
692 | struct nf_conn *conntrack, | 691 | struct nf_conn *ct, |
693 | int dir) | 692 | int dir) |
694 | { | 693 | { |
695 | struct tcphdr *tcph = (void *)skb->data + dataoff; | 694 | struct tcphdr *tcph = (void *)skb->data + dataoff; |
696 | struct ip_ct_tcp_state *sender = &conntrack->proto.tcp.seen[dir]; | 695 | struct ip_ct_tcp_state *sender = &ct->proto.tcp.seen[dir]; |
697 | struct ip_ct_tcp_state *receiver = &conntrack->proto.tcp.seen[!dir]; | 696 | struct ip_ct_tcp_state *receiver = &ct->proto.tcp.seen[!dir]; |
698 | __u32 end; | 697 | __u32 end; |
699 | 698 | ||
700 | end = segment_seq_plus_len(ntohl(tcph->seq), skb->len, dataoff, tcph); | 699 | end = segment_seq_plus_len(ntohl(tcph->seq), skb->len, dataoff, tcph); |
@@ -703,9 +702,9 @@ void nf_conntrack_tcp_update(struct sk_buff *skb, | |||
703 | /* | 702 | /* |
704 | * We have to worry for the ack in the reply packet only... | 703 | * We have to worry for the ack in the reply packet only... |
705 | */ | 704 | */ |
706 | if (after(end, conntrack->proto.tcp.seen[dir].td_end)) | 705 | if (after(end, ct->proto.tcp.seen[dir].td_end)) |
707 | conntrack->proto.tcp.seen[dir].td_end = end; | 706 | ct->proto.tcp.seen[dir].td_end = end; |
708 | conntrack->proto.tcp.last_end = end; | 707 | ct->proto.tcp.last_end = end; |
709 | write_unlock_bh(&tcp_lock); | 708 | write_unlock_bh(&tcp_lock); |
710 | pr_debug("tcp_update: sender end=%u maxend=%u maxwin=%u scale=%i " | 709 | pr_debug("tcp_update: sender end=%u maxend=%u maxwin=%u scale=%i " |
711 | "receiver end=%u maxend=%u maxwin=%u scale=%i\n", | 710 | "receiver end=%u maxend=%u maxwin=%u scale=%i\n", |
@@ -794,7 +793,7 @@ static int tcp_error(struct sk_buff *skb, | |||
794 | } | 793 | } |
795 | 794 | ||
796 | /* Returns verdict for packet, or -1 for invalid. */ | 795 | /* Returns verdict for packet, or -1 for invalid. */ |
797 | static int tcp_packet(struct nf_conn *conntrack, | 796 | static int tcp_packet(struct nf_conn *ct, |
798 | const struct sk_buff *skb, | 797 | const struct sk_buff *skb, |
799 | unsigned int dataoff, | 798 | unsigned int dataoff, |
800 | enum ip_conntrack_info ctinfo, | 799 | enum ip_conntrack_info ctinfo, |
@@ -812,26 +811,24 @@ static int tcp_packet(struct nf_conn *conntrack, | |||
812 | BUG_ON(th == NULL); | 811 | BUG_ON(th == NULL); |
813 | 812 | ||
814 | write_lock_bh(&tcp_lock); | 813 | write_lock_bh(&tcp_lock); |
815 | old_state = conntrack->proto.tcp.state; | 814 | old_state = ct->proto.tcp.state; |
816 | dir = CTINFO2DIR(ctinfo); | 815 | dir = CTINFO2DIR(ctinfo); |
817 | index = get_conntrack_index(th); | 816 | index = get_conntrack_index(th); |
818 | new_state = tcp_conntracks[dir][index][old_state]; | 817 | new_state = tcp_conntracks[dir][index][old_state]; |
819 | tuple = &conntrack->tuplehash[dir].tuple; | 818 | tuple = &ct->tuplehash[dir].tuple; |
820 | 819 | ||
821 | switch (new_state) { | 820 | switch (new_state) { |
822 | case TCP_CONNTRACK_SYN_SENT: | 821 | case TCP_CONNTRACK_SYN_SENT: |
823 | if (old_state < TCP_CONNTRACK_TIME_WAIT) | 822 | if (old_state < TCP_CONNTRACK_TIME_WAIT) |
824 | break; | 823 | break; |
825 | if ((conntrack->proto.tcp.seen[!dir].flags & | 824 | if ((ct->proto.tcp.seen[!dir].flags & IP_CT_TCP_FLAG_CLOSE_INIT) |
826 | IP_CT_TCP_FLAG_CLOSE_INIT) | 825 | || (ct->proto.tcp.last_dir == dir |
827 | || (conntrack->proto.tcp.last_dir == dir | 826 | && ct->proto.tcp.last_index == TCP_RST_SET)) { |
828 | && conntrack->proto.tcp.last_index == TCP_RST_SET)) { | ||
829 | /* Attempt to reopen a closed/aborted connection. | 827 | /* Attempt to reopen a closed/aborted connection. |
830 | * Delete this connection and look up again. */ | 828 | * Delete this connection and look up again. */ |
831 | write_unlock_bh(&tcp_lock); | 829 | write_unlock_bh(&tcp_lock); |
832 | if (del_timer(&conntrack->timeout)) | 830 | if (del_timer(&ct->timeout)) |
833 | conntrack->timeout.function((unsigned long) | 831 | ct->timeout.function((unsigned long)ct); |
834 | conntrack); | ||
835 | return -NF_REPEAT; | 832 | return -NF_REPEAT; |
836 | } | 833 | } |
837 | /* Fall through */ | 834 | /* Fall through */ |
@@ -843,10 +840,9 @@ static int tcp_packet(struct nf_conn *conntrack, | |||
843 | * c) ACK in reply direction after initial SYN in original. | 840 | * c) ACK in reply direction after initial SYN in original. |
844 | */ | 841 | */ |
845 | if (index == TCP_SYNACK_SET | 842 | if (index == TCP_SYNACK_SET |
846 | && conntrack->proto.tcp.last_index == TCP_SYN_SET | 843 | && ct->proto.tcp.last_index == TCP_SYN_SET |
847 | && conntrack->proto.tcp.last_dir != dir | 844 | && ct->proto.tcp.last_dir != dir |
848 | && ntohl(th->ack_seq) == | 845 | && ntohl(th->ack_seq) == ct->proto.tcp.last_end) { |
849 | conntrack->proto.tcp.last_end) { | ||
850 | /* This SYN/ACK acknowledges a SYN that we earlier | 846 | /* This SYN/ACK acknowledges a SYN that we earlier |
851 | * ignored as invalid. This means that the client and | 847 | * ignored as invalid. This means that the client and |
852 | * the server are both in sync, while the firewall is | 848 | * the server are both in sync, while the firewall is |
@@ -858,15 +854,14 @@ static int tcp_packet(struct nf_conn *conntrack, | |||
858 | if (LOG_INVALID(IPPROTO_TCP)) | 854 | if (LOG_INVALID(IPPROTO_TCP)) |
859 | nf_log_packet(pf, 0, skb, NULL, NULL, NULL, | 855 | nf_log_packet(pf, 0, skb, NULL, NULL, NULL, |
860 | "nf_ct_tcp: killing out of sync session "); | 856 | "nf_ct_tcp: killing out of sync session "); |
861 | if (del_timer(&conntrack->timeout)) | 857 | if (del_timer(&ct->timeout)) |
862 | conntrack->timeout.function((unsigned long) | 858 | ct->timeout.function((unsigned long)ct); |
863 | conntrack); | ||
864 | return -NF_DROP; | 859 | return -NF_DROP; |
865 | } | 860 | } |
866 | conntrack->proto.tcp.last_index = index; | 861 | ct->proto.tcp.last_index = index; |
867 | conntrack->proto.tcp.last_dir = dir; | 862 | ct->proto.tcp.last_dir = dir; |
868 | conntrack->proto.tcp.last_seq = ntohl(th->seq); | 863 | ct->proto.tcp.last_seq = ntohl(th->seq); |
869 | conntrack->proto.tcp.last_end = | 864 | ct->proto.tcp.last_end = |
870 | segment_seq_plus_len(ntohl(th->seq), skb->len, dataoff, th); | 865 | segment_seq_plus_len(ntohl(th->seq), skb->len, dataoff, th); |
871 | 866 | ||
872 | write_unlock_bh(&tcp_lock); | 867 | write_unlock_bh(&tcp_lock); |
@@ -885,11 +880,11 @@ static int tcp_packet(struct nf_conn *conntrack, | |||
885 | return -NF_ACCEPT; | 880 | return -NF_ACCEPT; |
886 | case TCP_CONNTRACK_CLOSE: | 881 | case TCP_CONNTRACK_CLOSE: |
887 | if (index == TCP_RST_SET | 882 | if (index == TCP_RST_SET |
888 | && ((test_bit(IPS_SEEN_REPLY_BIT, &conntrack->status) | 883 | && ((test_bit(IPS_SEEN_REPLY_BIT, &ct->status) |
889 | && conntrack->proto.tcp.last_index == TCP_SYN_SET) | 884 | && ct->proto.tcp.last_index == TCP_SYN_SET) |
890 | || (!test_bit(IPS_ASSURED_BIT, &conntrack->status) | 885 | || (!test_bit(IPS_ASSURED_BIT, &ct->status) |
891 | && conntrack->proto.tcp.last_index == TCP_ACK_SET)) | 886 | && ct->proto.tcp.last_index == TCP_ACK_SET)) |
892 | && ntohl(th->ack_seq) == conntrack->proto.tcp.last_end) { | 887 | && ntohl(th->ack_seq) == ct->proto.tcp.last_end) { |
893 | /* RST sent to invalid SYN or ACK we had let through | 888 | /* RST sent to invalid SYN or ACK we had let through |
894 | * at a) and c) above: | 889 | * at a) and c) above: |
895 | * | 890 | * |
@@ -907,15 +902,15 @@ static int tcp_packet(struct nf_conn *conntrack, | |||
907 | break; | 902 | break; |
908 | } | 903 | } |
909 | 904 | ||
910 | if (!tcp_in_window(conntrack, &conntrack->proto.tcp, dir, index, | 905 | if (!tcp_in_window(ct, &ct->proto.tcp, dir, index, |
911 | skb, dataoff, th, pf)) { | 906 | skb, dataoff, th, pf)) { |
912 | write_unlock_bh(&tcp_lock); | 907 | write_unlock_bh(&tcp_lock); |
913 | return -NF_ACCEPT; | 908 | return -NF_ACCEPT; |
914 | } | 909 | } |
915 | in_window: | 910 | in_window: |
916 | /* From now on we have got in-window packets */ | 911 | /* From now on we have got in-window packets */ |
917 | conntrack->proto.tcp.last_index = index; | 912 | ct->proto.tcp.last_index = index; |
918 | conntrack->proto.tcp.last_dir = dir; | 913 | ct->proto.tcp.last_dir = dir; |
919 | 914 | ||
920 | pr_debug("tcp_conntracks: "); | 915 | pr_debug("tcp_conntracks: "); |
921 | NF_CT_DUMP_TUPLE(tuple); | 916 | NF_CT_DUMP_TUPLE(tuple); |
@@ -924,12 +919,12 @@ static int tcp_packet(struct nf_conn *conntrack, | |||
924 | (th->fin ? 1 : 0), (th->rst ? 1 : 0), | 919 | (th->fin ? 1 : 0), (th->rst ? 1 : 0), |
925 | old_state, new_state); | 920 | old_state, new_state); |
926 | 921 | ||
927 | conntrack->proto.tcp.state = new_state; | 922 | ct->proto.tcp.state = new_state; |
928 | if (old_state != new_state | 923 | if (old_state != new_state |
929 | && (new_state == TCP_CONNTRACK_FIN_WAIT | 924 | && (new_state == TCP_CONNTRACK_FIN_WAIT |
930 | || new_state == TCP_CONNTRACK_CLOSE)) | 925 | || new_state == TCP_CONNTRACK_CLOSE)) |
931 | conntrack->proto.tcp.seen[dir].flags |= IP_CT_TCP_FLAG_CLOSE_INIT; | 926 | ct->proto.tcp.seen[dir].flags |= IP_CT_TCP_FLAG_CLOSE_INIT; |
932 | timeout = conntrack->proto.tcp.retrans >= nf_ct_tcp_max_retrans | 927 | timeout = ct->proto.tcp.retrans >= nf_ct_tcp_max_retrans |
933 | && tcp_timeouts[new_state] > nf_ct_tcp_timeout_max_retrans | 928 | && tcp_timeouts[new_state] > nf_ct_tcp_timeout_max_retrans |
934 | ? nf_ct_tcp_timeout_max_retrans : tcp_timeouts[new_state]; | 929 | ? nf_ct_tcp_timeout_max_retrans : tcp_timeouts[new_state]; |
935 | write_unlock_bh(&tcp_lock); | 930 | write_unlock_bh(&tcp_lock); |
@@ -938,41 +933,40 @@ static int tcp_packet(struct nf_conn *conntrack, | |||
938 | if (new_state != old_state) | 933 | if (new_state != old_state) |
939 | nf_conntrack_event_cache(IPCT_PROTOINFO, skb); | 934 | nf_conntrack_event_cache(IPCT_PROTOINFO, skb); |
940 | 935 | ||
941 | if (!test_bit(IPS_SEEN_REPLY_BIT, &conntrack->status)) { | 936 | if (!test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) { |
942 | /* If only reply is a RST, we can consider ourselves not to | 937 | /* If only reply is a RST, we can consider ourselves not to |
943 | have an established connection: this is a fairly common | 938 | have an established connection: this is a fairly common |
944 | problem case, so we can delete the conntrack | 939 | problem case, so we can delete the conntrack |
945 | immediately. --RR */ | 940 | immediately. --RR */ |
946 | if (th->rst) { | 941 | if (th->rst) { |
947 | if (del_timer(&conntrack->timeout)) | 942 | if (del_timer(&ct->timeout)) |
948 | conntrack->timeout.function((unsigned long) | 943 | ct->timeout.function((unsigned long)ct); |
949 | conntrack); | ||
950 | return NF_ACCEPT; | 944 | return NF_ACCEPT; |
951 | } | 945 | } |
952 | } else if (!test_bit(IPS_ASSURED_BIT, &conntrack->status) | 946 | } else if (!test_bit(IPS_ASSURED_BIT, &ct->status) |
953 | && (old_state == TCP_CONNTRACK_SYN_RECV | 947 | && (old_state == TCP_CONNTRACK_SYN_RECV |
954 | || old_state == TCP_CONNTRACK_ESTABLISHED) | 948 | || old_state == TCP_CONNTRACK_ESTABLISHED) |
955 | && new_state == TCP_CONNTRACK_ESTABLISHED) { | 949 | && new_state == TCP_CONNTRACK_ESTABLISHED) { |
956 | /* Set ASSURED if we see see valid ack in ESTABLISHED | 950 | /* Set ASSURED if we see see valid ack in ESTABLISHED |
957 | after SYN_RECV or a valid answer for a picked up | 951 | after SYN_RECV or a valid answer for a picked up |
958 | connection. */ | 952 | connection. */ |
959 | set_bit(IPS_ASSURED_BIT, &conntrack->status); | 953 | set_bit(IPS_ASSURED_BIT, &ct->status); |
960 | nf_conntrack_event_cache(IPCT_STATUS, skb); | 954 | nf_conntrack_event_cache(IPCT_STATUS, skb); |
961 | } | 955 | } |
962 | nf_ct_refresh_acct(conntrack, ctinfo, skb, timeout); | 956 | nf_ct_refresh_acct(ct, ctinfo, skb, timeout); |
963 | 957 | ||
964 | return NF_ACCEPT; | 958 | return NF_ACCEPT; |
965 | } | 959 | } |
966 | 960 | ||
967 | /* Called when a new connection for this protocol found. */ | 961 | /* Called when a new connection for this protocol found. */ |
968 | static int tcp_new(struct nf_conn *conntrack, | 962 | static int tcp_new(struct nf_conn *ct, |
969 | const struct sk_buff *skb, | 963 | const struct sk_buff *skb, |
970 | unsigned int dataoff) | 964 | unsigned int dataoff) |
971 | { | 965 | { |
972 | enum tcp_conntrack new_state; | 966 | enum tcp_conntrack new_state; |
973 | struct tcphdr *th, _tcph; | 967 | struct tcphdr *th, _tcph; |
974 | struct ip_ct_tcp_state *sender = &conntrack->proto.tcp.seen[0]; | 968 | struct ip_ct_tcp_state *sender = &ct->proto.tcp.seen[0]; |
975 | struct ip_ct_tcp_state *receiver = &conntrack->proto.tcp.seen[1]; | 969 | struct ip_ct_tcp_state *receiver = &ct->proto.tcp.seen[1]; |
976 | 970 | ||
977 | th = skb_header_pointer(skb, dataoff, sizeof(_tcph), &_tcph); | 971 | th = skb_header_pointer(skb, dataoff, sizeof(_tcph), &_tcph); |
978 | BUG_ON(th == NULL); | 972 | BUG_ON(th == NULL); |
@@ -990,17 +984,17 @@ static int tcp_new(struct nf_conn *conntrack, | |||
990 | 984 | ||
991 | if (new_state == TCP_CONNTRACK_SYN_SENT) { | 985 | if (new_state == TCP_CONNTRACK_SYN_SENT) { |
992 | /* SYN packet */ | 986 | /* SYN packet */ |
993 | conntrack->proto.tcp.seen[0].td_end = | 987 | ct->proto.tcp.seen[0].td_end = |
994 | segment_seq_plus_len(ntohl(th->seq), skb->len, | 988 | segment_seq_plus_len(ntohl(th->seq), skb->len, |
995 | dataoff, th); | 989 | dataoff, th); |
996 | conntrack->proto.tcp.seen[0].td_maxwin = ntohs(th->window); | 990 | ct->proto.tcp.seen[0].td_maxwin = ntohs(th->window); |
997 | if (conntrack->proto.tcp.seen[0].td_maxwin == 0) | 991 | if (ct->proto.tcp.seen[0].td_maxwin == 0) |
998 | conntrack->proto.tcp.seen[0].td_maxwin = 1; | 992 | ct->proto.tcp.seen[0].td_maxwin = 1; |
999 | conntrack->proto.tcp.seen[0].td_maxend = | 993 | ct->proto.tcp.seen[0].td_maxend = |
1000 | conntrack->proto.tcp.seen[0].td_end; | 994 | ct->proto.tcp.seen[0].td_end; |
1001 | 995 | ||
1002 | tcp_options(skb, dataoff, th, &conntrack->proto.tcp.seen[0]); | 996 | tcp_options(skb, dataoff, th, &ct->proto.tcp.seen[0]); |
1003 | conntrack->proto.tcp.seen[1].flags = 0; | 997 | ct->proto.tcp.seen[1].flags = 0; |
1004 | } else if (nf_ct_tcp_loose == 0) { | 998 | } else if (nf_ct_tcp_loose == 0) { |
1005 | /* Don't try to pick up connections. */ | 999 | /* Don't try to pick up connections. */ |
1006 | return 0; | 1000 | return 0; |
@@ -1010,32 +1004,32 @@ static int tcp_new(struct nf_conn *conntrack, | |||
1010 | * its history is lost for us. | 1004 | * its history is lost for us. |
1011 | * Let's try to use the data from the packet. | 1005 | * Let's try to use the data from the packet. |
1012 | */ | 1006 | */ |
1013 | conntrack->proto.tcp.seen[0].td_end = | 1007 | ct->proto.tcp.seen[0].td_end = |
1014 | segment_seq_plus_len(ntohl(th->seq), skb->len, | 1008 | segment_seq_plus_len(ntohl(th->seq), skb->len, |
1015 | dataoff, th); | 1009 | dataoff, th); |
1016 | conntrack->proto.tcp.seen[0].td_maxwin = ntohs(th->window); | 1010 | ct->proto.tcp.seen[0].td_maxwin = ntohs(th->window); |
1017 | if (conntrack->proto.tcp.seen[0].td_maxwin == 0) | 1011 | if (ct->proto.tcp.seen[0].td_maxwin == 0) |
1018 | conntrack->proto.tcp.seen[0].td_maxwin = 1; | 1012 | ct->proto.tcp.seen[0].td_maxwin = 1; |
1019 | conntrack->proto.tcp.seen[0].td_maxend = | 1013 | ct->proto.tcp.seen[0].td_maxend = |
1020 | conntrack->proto.tcp.seen[0].td_end + | 1014 | ct->proto.tcp.seen[0].td_end + |
1021 | conntrack->proto.tcp.seen[0].td_maxwin; | 1015 | ct->proto.tcp.seen[0].td_maxwin; |
1022 | conntrack->proto.tcp.seen[0].td_scale = 0; | 1016 | ct->proto.tcp.seen[0].td_scale = 0; |
1023 | 1017 | ||
1024 | /* We assume SACK and liberal window checking to handle | 1018 | /* We assume SACK and liberal window checking to handle |
1025 | * window scaling */ | 1019 | * window scaling */ |
1026 | conntrack->proto.tcp.seen[0].flags = | 1020 | ct->proto.tcp.seen[0].flags = |
1027 | conntrack->proto.tcp.seen[1].flags = IP_CT_TCP_FLAG_SACK_PERM | | 1021 | ct->proto.tcp.seen[1].flags = IP_CT_TCP_FLAG_SACK_PERM | |
1028 | IP_CT_TCP_FLAG_BE_LIBERAL; | 1022 | IP_CT_TCP_FLAG_BE_LIBERAL; |
1029 | } | 1023 | } |
1030 | 1024 | ||
1031 | conntrack->proto.tcp.seen[1].td_end = 0; | 1025 | ct->proto.tcp.seen[1].td_end = 0; |
1032 | conntrack->proto.tcp.seen[1].td_maxend = 0; | 1026 | ct->proto.tcp.seen[1].td_maxend = 0; |
1033 | conntrack->proto.tcp.seen[1].td_maxwin = 1; | 1027 | ct->proto.tcp.seen[1].td_maxwin = 1; |
1034 | conntrack->proto.tcp.seen[1].td_scale = 0; | 1028 | ct->proto.tcp.seen[1].td_scale = 0; |
1035 | 1029 | ||
1036 | /* tcp_packet will set them */ | 1030 | /* tcp_packet will set them */ |
1037 | conntrack->proto.tcp.state = TCP_CONNTRACK_NONE; | 1031 | ct->proto.tcp.state = TCP_CONNTRACK_NONE; |
1038 | conntrack->proto.tcp.last_index = TCP_NONE_SET; | 1032 | ct->proto.tcp.last_index = TCP_NONE_SET; |
1039 | 1033 | ||
1040 | pr_debug("tcp_new: sender end=%u maxend=%u maxwin=%u scale=%i " | 1034 | pr_debug("tcp_new: sender end=%u maxend=%u maxwin=%u scale=%i " |
1041 | "receiver end=%u maxend=%u maxwin=%u scale=%i\n", | 1035 | "receiver end=%u maxend=%u maxwin=%u scale=%i\n", |
diff --git a/net/netfilter/nf_conntrack_proto_udp.c b/net/netfilter/nf_conntrack_proto_udp.c index 384875411082..4c1e67ed63bd 100644 --- a/net/netfilter/nf_conntrack_proto_udp.c +++ b/net/netfilter/nf_conntrack_proto_udp.c | |||
@@ -61,7 +61,7 @@ static int udp_print_tuple(struct seq_file *s, | |||
61 | } | 61 | } |
62 | 62 | ||
63 | /* Returns verdict for packet, and may modify conntracktype */ | 63 | /* Returns verdict for packet, and may modify conntracktype */ |
64 | static int udp_packet(struct nf_conn *conntrack, | 64 | static int udp_packet(struct nf_conn *ct, |
65 | const struct sk_buff *skb, | 65 | const struct sk_buff *skb, |
66 | unsigned int dataoff, | 66 | unsigned int dataoff, |
67 | enum ip_conntrack_info ctinfo, | 67 | enum ip_conntrack_info ctinfo, |
@@ -70,20 +70,19 @@ static int udp_packet(struct nf_conn *conntrack, | |||
70 | { | 70 | { |
71 | /* If we've seen traffic both ways, this is some kind of UDP | 71 | /* If we've seen traffic both ways, this is some kind of UDP |
72 | stream. Extend timeout. */ | 72 | stream. Extend timeout. */ |
73 | if (test_bit(IPS_SEEN_REPLY_BIT, &conntrack->status)) { | 73 | if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) { |
74 | nf_ct_refresh_acct(conntrack, ctinfo, skb, | 74 | nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_udp_timeout_stream); |
75 | nf_ct_udp_timeout_stream); | ||
76 | /* Also, more likely to be important, and not a probe */ | 75 | /* Also, more likely to be important, and not a probe */ |
77 | if (!test_and_set_bit(IPS_ASSURED_BIT, &conntrack->status)) | 76 | if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status)) |
78 | nf_conntrack_event_cache(IPCT_STATUS, skb); | 77 | nf_conntrack_event_cache(IPCT_STATUS, skb); |
79 | } else | 78 | } else |
80 | nf_ct_refresh_acct(conntrack, ctinfo, skb, nf_ct_udp_timeout); | 79 | nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_udp_timeout); |
81 | 80 | ||
82 | return NF_ACCEPT; | 81 | return NF_ACCEPT; |
83 | } | 82 | } |
84 | 83 | ||
85 | /* Called when a new connection for this protocol found. */ | 84 | /* Called when a new connection for this protocol found. */ |
86 | static int udp_new(struct nf_conn *conntrack, const struct sk_buff *skb, | 85 | static int udp_new(struct nf_conn *ct, const struct sk_buff *skb, |
87 | unsigned int dataoff) | 86 | unsigned int dataoff) |
88 | { | 87 | { |
89 | return 1; | 88 | return 1; |
diff --git a/net/netfilter/nf_conntrack_proto_udplite.c b/net/netfilter/nf_conntrack_proto_udplite.c index 070056d9bcd6..d9e1532b45d9 100644 --- a/net/netfilter/nf_conntrack_proto_udplite.c +++ b/net/netfilter/nf_conntrack_proto_udplite.c | |||
@@ -60,7 +60,7 @@ static int udplite_print_tuple(struct seq_file *s, | |||
60 | } | 60 | } |
61 | 61 | ||
62 | /* Returns verdict for packet, and may modify conntracktype */ | 62 | /* Returns verdict for packet, and may modify conntracktype */ |
63 | static int udplite_packet(struct nf_conn *conntrack, | 63 | static int udplite_packet(struct nf_conn *ct, |
64 | const struct sk_buff *skb, | 64 | const struct sk_buff *skb, |
65 | unsigned int dataoff, | 65 | unsigned int dataoff, |
66 | enum ip_conntrack_info ctinfo, | 66 | enum ip_conntrack_info ctinfo, |
@@ -69,21 +69,20 @@ static int udplite_packet(struct nf_conn *conntrack, | |||
69 | { | 69 | { |
70 | /* If we've seen traffic both ways, this is some kind of UDP | 70 | /* If we've seen traffic both ways, this is some kind of UDP |
71 | stream. Extend timeout. */ | 71 | stream. Extend timeout. */ |
72 | if (test_bit(IPS_SEEN_REPLY_BIT, &conntrack->status)) { | 72 | if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) { |
73 | nf_ct_refresh_acct(conntrack, ctinfo, skb, | 73 | nf_ct_refresh_acct(ct, ctinfo, skb, |
74 | nf_ct_udplite_timeout_stream); | 74 | nf_ct_udplite_timeout_stream); |
75 | /* Also, more likely to be important, and not a probe */ | 75 | /* Also, more likely to be important, and not a probe */ |
76 | if (!test_and_set_bit(IPS_ASSURED_BIT, &conntrack->status)) | 76 | if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status)) |
77 | nf_conntrack_event_cache(IPCT_STATUS, skb); | 77 | nf_conntrack_event_cache(IPCT_STATUS, skb); |
78 | } else | 78 | } else |
79 | nf_ct_refresh_acct(conntrack, ctinfo, skb, | 79 | nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_udplite_timeout); |
80 | nf_ct_udplite_timeout); | ||
81 | 80 | ||
82 | return NF_ACCEPT; | 81 | return NF_ACCEPT; |
83 | } | 82 | } |
84 | 83 | ||
85 | /* Called when a new connection for this protocol found. */ | 84 | /* Called when a new connection for this protocol found. */ |
86 | static int udplite_new(struct nf_conn *conntrack, const struct sk_buff *skb, | 85 | static int udplite_new(struct nf_conn *ct, const struct sk_buff *skb, |
87 | unsigned int dataoff) | 86 | unsigned int dataoff) |
88 | { | 87 | { |
89 | return 1; | 88 | return 1; |
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c index 98f0cd31150d..278b35e64d74 100644 --- a/net/netfilter/nf_conntrack_standalone.c +++ b/net/netfilter/nf_conntrack_standalone.c | |||
@@ -117,71 +117,71 @@ static void ct_seq_stop(struct seq_file *s, void *v) | |||
117 | static int ct_seq_show(struct seq_file *s, void *v) | 117 | static int ct_seq_show(struct seq_file *s, void *v) |
118 | { | 118 | { |
119 | const struct nf_conntrack_tuple_hash *hash = v; | 119 | const struct nf_conntrack_tuple_hash *hash = v; |
120 | const struct nf_conn *conntrack = nf_ct_tuplehash_to_ctrack(hash); | 120 | const struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(hash); |
121 | struct nf_conntrack_l3proto *l3proto; | 121 | struct nf_conntrack_l3proto *l3proto; |
122 | struct nf_conntrack_l4proto *l4proto; | 122 | struct nf_conntrack_l4proto *l4proto; |
123 | 123 | ||
124 | NF_CT_ASSERT(conntrack); | 124 | NF_CT_ASSERT(ct); |
125 | 125 | ||
126 | /* we only want to print DIR_ORIGINAL */ | 126 | /* we only want to print DIR_ORIGINAL */ |
127 | if (NF_CT_DIRECTION(hash)) | 127 | if (NF_CT_DIRECTION(hash)) |
128 | return 0; | 128 | return 0; |
129 | 129 | ||
130 | l3proto = __nf_ct_l3proto_find(conntrack->tuplehash[IP_CT_DIR_ORIGINAL] | 130 | l3proto = __nf_ct_l3proto_find(ct->tuplehash[IP_CT_DIR_ORIGINAL] |
131 | .tuple.src.l3num); | 131 | .tuple.src.l3num); |
132 | 132 | ||
133 | NF_CT_ASSERT(l3proto); | 133 | NF_CT_ASSERT(l3proto); |
134 | l4proto = __nf_ct_l4proto_find(conntrack->tuplehash[IP_CT_DIR_ORIGINAL] | 134 | l4proto = __nf_ct_l4proto_find(ct->tuplehash[IP_CT_DIR_ORIGINAL] |
135 | .tuple.src.l3num, | 135 | .tuple.src.l3num, |
136 | conntrack->tuplehash[IP_CT_DIR_ORIGINAL] | 136 | ct->tuplehash[IP_CT_DIR_ORIGINAL] |
137 | .tuple.dst.protonum); | 137 | .tuple.dst.protonum); |
138 | NF_CT_ASSERT(l4proto); | 138 | NF_CT_ASSERT(l4proto); |
139 | 139 | ||
140 | if (seq_printf(s, "%-8s %u %-8s %u %ld ", | 140 | if (seq_printf(s, "%-8s %u %-8s %u %ld ", |
141 | l3proto->name, | 141 | l3proto->name, |
142 | conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num, | 142 | ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.l3num, |
143 | l4proto->name, | 143 | l4proto->name, |
144 | conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum, | 144 | ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum, |
145 | timer_pending(&conntrack->timeout) | 145 | timer_pending(&ct->timeout) |
146 | ? (long)(conntrack->timeout.expires - jiffies)/HZ : 0) != 0) | 146 | ? (long)(ct->timeout.expires - jiffies)/HZ : 0) != 0) |
147 | return -ENOSPC; | 147 | return -ENOSPC; |
148 | 148 | ||
149 | if (l4proto->print_conntrack && l4proto->print_conntrack(s, conntrack)) | 149 | if (l4proto->print_conntrack && l4proto->print_conntrack(s, ct)) |
150 | return -ENOSPC; | 150 | return -ENOSPC; |
151 | 151 | ||
152 | if (print_tuple(s, &conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple, | 152 | if (print_tuple(s, &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple, |
153 | l3proto, l4proto)) | 153 | l3proto, l4proto)) |
154 | return -ENOSPC; | 154 | return -ENOSPC; |
155 | 155 | ||
156 | if (seq_print_counters(s, &conntrack->counters[IP_CT_DIR_ORIGINAL])) | 156 | if (seq_print_counters(s, &ct->counters[IP_CT_DIR_ORIGINAL])) |
157 | return -ENOSPC; | 157 | return -ENOSPC; |
158 | 158 | ||
159 | if (!(test_bit(IPS_SEEN_REPLY_BIT, &conntrack->status))) | 159 | if (!(test_bit(IPS_SEEN_REPLY_BIT, &ct->status))) |
160 | if (seq_printf(s, "[UNREPLIED] ")) | 160 | if (seq_printf(s, "[UNREPLIED] ")) |
161 | return -ENOSPC; | 161 | return -ENOSPC; |
162 | 162 | ||
163 | if (print_tuple(s, &conntrack->tuplehash[IP_CT_DIR_REPLY].tuple, | 163 | if (print_tuple(s, &ct->tuplehash[IP_CT_DIR_REPLY].tuple, |
164 | l3proto, l4proto)) | 164 | l3proto, l4proto)) |
165 | return -ENOSPC; | 165 | return -ENOSPC; |
166 | 166 | ||
167 | if (seq_print_counters(s, &conntrack->counters[IP_CT_DIR_REPLY])) | 167 | if (seq_print_counters(s, &ct->counters[IP_CT_DIR_REPLY])) |
168 | return -ENOSPC; | 168 | return -ENOSPC; |
169 | 169 | ||
170 | if (test_bit(IPS_ASSURED_BIT, &conntrack->status)) | 170 | if (test_bit(IPS_ASSURED_BIT, &ct->status)) |
171 | if (seq_printf(s, "[ASSURED] ")) | 171 | if (seq_printf(s, "[ASSURED] ")) |
172 | return -ENOSPC; | 172 | return -ENOSPC; |
173 | 173 | ||
174 | #if defined(CONFIG_NF_CONNTRACK_MARK) | 174 | #if defined(CONFIG_NF_CONNTRACK_MARK) |
175 | if (seq_printf(s, "mark=%u ", conntrack->mark)) | 175 | if (seq_printf(s, "mark=%u ", ct->mark)) |
176 | return -ENOSPC; | 176 | return -ENOSPC; |
177 | #endif | 177 | #endif |
178 | 178 | ||
179 | #ifdef CONFIG_NF_CONNTRACK_SECMARK | 179 | #ifdef CONFIG_NF_CONNTRACK_SECMARK |
180 | if (seq_printf(s, "secmark=%u ", conntrack->secmark)) | 180 | if (seq_printf(s, "secmark=%u ", ct->secmark)) |
181 | return -ENOSPC; | 181 | return -ENOSPC; |
182 | #endif | 182 | #endif |
183 | 183 | ||
184 | if (seq_printf(s, "use=%u\n", atomic_read(&conntrack->ct_general.use))) | 184 | if (seq_printf(s, "use=%u\n", atomic_read(&ct->ct_general.use))) |
185 | return -ENOSPC; | 185 | return -ENOSPC; |
186 | 186 | ||
187 | return 0; | 187 | return 0; |