-rw-r--r--include/net/netfilter/nf_conntrack.h19
-rw-r--r--net/ipv4/netfilter/nf_conntrack_proto_icmp.c2
-rw-r--r--net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c2
-rw-r--r--net/netfilter/nf_conntrack_core.c16
-rw-r--r--net/netfilter/nf_conntrack_proto_dccp.c2
-rw-r--r--net/netfilter/nf_conntrack_proto_tcp.c2
6 files changed, 36 insertions, 7 deletions
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index fc19ab23eeaa..d77dec768dc2 100644
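--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -223,7 +223,24 @@ static inline void nf_ct_refresh(struct nf_conn *ct,
  __nf_ct_refresh_acct(ct, 0, skb, extra_jiffies, 0);
 }
 
-extern void nf_ct_kill(struct nf_conn *ct);
+extern void __nf_ct_kill_acct(struct nf_conn *ct,
+ enum ip_conntrack_info ctinfo,
+ const struct sk_buff *skb,
+ int do_acct);
+
+/* kill conntrack and do accounting */
+static inline void nf_ct_kill_acct(struct nf_conn *ct,
+ enum ip_conntrack_info ctinfo,
+ const struct sk_buff *skb)
+{
+ __nf_ct_kill_acct(ct, ctinfo, skb, 1);
+}
+
+/* kill conntrack without accounting */
+static inline void nf_ct_kill(struct nf_conn *ct)
+{
+ __nf_ct_kill_acct(ct, 0, NULL, 0);
+}
 
 /* These are for NAT. Icky. */
 /* Update TCP window tracking data when NAT mangles the packet */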
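Review bot: The declaration of `__nf_ct_kill_acct()` has no comment saying when `skb` and `ctinfo` are actually read, yet the `nf_ct_kill()` wrapper just below it passes `0, NULL, 0`. Going by the definition in nf_conntrack_core.c on this page, both arguments are only touched inside `if (do_acct)`, so the wrapper is safe, but a later direct caller has nothing in the header to tell it so. I would add `/* skb and ctinfo are only used when do_acct is non-zero; skb must not be NULL in that case */` above the `extern` line.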
diff --git a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
index 0e21a46184fb..97791048fa9b 100644
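--- a/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
+++ b/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
@@ -88,7 +88,7 @@ static int icmp_packet(struct nf_conn *ct,
  (theoretically possible with SMP) */
  if (CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY) {
  if (atomic_dec_and_test(&ct->proto.icmp.count))
- nf_ct_kill(ct);
+ nf_ct_kill_acct(ct, ctinfo, skb);
  } else {
  atomic_inc(&ct->proto.icmp.count);
  nf_conntrack_event_cache(IPCT_PROTOINFO_VOLATILE, skb);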
diff --git a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
index fe081b90e05e..14d47d833545 100644
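--- a/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
@@ -90,7 +90,7 @@ static int icmpv6_packet(struct nf_conn *ct,
  (theoretically possible with SMP) */
  if (CTINFO2DIR(ctinfo) == IP_CT_DIR_REPLY) {
  if (atomic_dec_and_test(&ct->proto.icmp.count))
- nf_ct_kill(ct);
+ nf_ct_kill_acct(ct, ctinfo, skb);
  } else {
  atomic_inc(&ct->proto.icmp.count);
  nf_conntrack_event_cache(IPCT_PROTOINFO_VOLATILE, skb);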
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 79b07c35eb87..e6d645221d5c 100644
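--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -848,12 +848,24 @@ acct:
 }
 EXPORT_SYMBOL_GPL(__nf_ct_refresh_acct);
 
-void nf_ct_kill(struct nf_conn *ct)
+void __nf_ct_kill_acct(struct nf_conn *ct,
+ enum ip_conntrack_info ctinfo,
+ const struct sk_buff *skb,
+ int do_acct)
 {
+#ifdef CONFIG_NF_CT_ACCT
+ if (do_acct) {
+ spin_lock_bh(&nf_conntrack_lock);
+ ct->counters[CTINFO2DIR(ctinfo)].packets++;
+ ct->counters[CTINFO2DIR(ctinfo)].bytes +=
+ skb->len - skb_network_offset(skb);
+ spin_unlock_bh(&nf_conntrack_lock);
+ }
+#endif
  if (del_timer(&ct->timeout))
  ct->timeout.function((unsigned long)ct);
 }
-EXPORT_SYMBOL_GPL(nf_ct_kill);
+EXPORT_SYMBOL_GPL(__nf_ct_kill_acct);
 
 #if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
 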
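Review bot: Inside the `if (do_acct)` branch of `__nf_ct_kill_acct()`, `skb->len` and `skb_network_offset(skb)` are evaluated with no NULL check, so the only thing keeping a NULL `skb` away is the convention that `nf_ct_kill()` pairs it with `do_acct` 0. The symbol is exported, so a caller that gets the pairing wrong would hit a NULL dereference in the packet path; tightening the condition to `if (do_acct && skb) {` makes the function safe regardless of caller. The counters are also updated before `del_timer()` is tried, so the final packet is accounted even when the timer has already fired; that ordering looks intentional but deserves a one-line comment.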
diff --git a/net/netfilter/nf_conntrack_proto_dccp.c b/net/netfilter/nf_conntrack_proto_dccp.c
index 223742f371f9..e7866dd3cde6 100644
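--- a/net/netfilter/nf_conntrack_proto_dccp.c
+++ b/net/netfilter/nf_conntrack_proto_dccp.c
@@ -475,7 +475,7 @@ static int dccp_packet(struct nf_conn *ct, const struct sk_buff *skb,
  if (type == DCCP_PKT_RESET &&
  !test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
  /* Tear down connection immediately if only reply is a RESET */
- nf_ct_kill(ct);
+ nf_ct_kill_acct(ct, ctinfo, skb);
  return NF_ACCEPT;
  }
 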
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index c4aa11e01405..8db13fba10bc 100644
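--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -959,7 +959,7 @@ static int tcp_packet(struct nf_conn *ct,
  problem case, so we can delete the conntrack
  immediately. --RR */
  if (th->rst) {
- nf_ct_kill(ct);
+ nf_ct_kill_acct(ct, ctinfo, skb);
  return NF_ACCEPT;
  }
  } else if (!test_bit(IPS_ASSURED_BIT, &ct->status)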