3 files changed, 47 insertions, 26 deletions
diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h
index c0b1d1fb23e1..13643f7f7422 100644
--- a/include/net/netfilter/nf_conntrack_expect.h
+++ b/include/net/netfilter/nf_conntrack_expect.h
@@ -16,7 +16,8 @@ struct nf_conntrack_expect
        struct list_head list;
        /* We expect this tuple, with the following mask */
-        struct nf_conntrack_tuple tuple, mask;
+        struct nf_conntrack_tuple tuple;
+        struct nf_conntrack_tuple_mask mask;
        /* Function to call after setup and insertion */
        void (*expectfn)(struct nf_conn *new,
diff --git a/include/net/netfilter/nf_conntrack_helper.h b/include/net/netfilter/nf_conntrack_helper.h
index b43a75ba44ac..d62e6f093af4 100644
--- a/include/net/netfilter/nf_conntrack_helper.h
+++ b/include/net/netfilter/nf_conntrack_helper.h
@@ -24,10 +24,9 @@ struct nf_conntrack_helper
                                         * expected connections */
        unsigned int timeout;           /* timeout for expecteds */
-        /* Mask of things we will help (compared against server response) */
+        /* Tuple of things we will help (compared against server response) */
        struct nf_conntrack_tuple tuple;
-        struct nf_conntrack_tuple mask;
-        
        /* Function to call when data passes; return verdict, or -1 to
           invalidate. */
        int (*help)(struct sk_buff **pskb,
diff --git a/include/net/netfilter/nf_conntrack_tuple.h b/include/net/netfilter/nf_conntrack_tuple.h
index d02ce876b4ca..99934ab538e6 100644
--- a/include/net/netfilter/nf_conntrack_tuple.h
+++ b/include/net/netfilter/nf_conntrack_tuple.h
@@ -100,6 +100,14 @@ struct nf_conntrack_tuple
        } dst;
 };
+struct nf_conntrack_tuple_mask
+{
+        struct {
+                union nf_conntrack_address u3;
+                union nf_conntrack_man_proto u;
+        } src;
+};
 /* This is optimized opposed to a memset of the whole structure.  Everything we
 * really care about is the  source/destination unions */
 #define NF_CT_TUPLE_U_BLANK(tuple)                                      \
@@ -161,31 +169,44 @@ static inline int nf_ct_tuple_equal(const struct nf_conntrack_tuple *t1,
        return nf_ct_tuple_src_equal(t1, t2) && nf_ct_tuple_dst_equal(t1, t2);
 }
+static inline int nf_ct_tuple_mask_equal(const struct nf_conntrack_tuple_mask *m1,
+                                         const struct nf_conntrack_tuple_mask *m2)
+{
+        return (m1->src.u3.all[0] == m2->src.u3.all[0] &&
+                m1->src.u3.all[1] == m2->src.u3.all[1] &&
+                m1->src.u3.all[2] == m2->src.u3.all[2] &&
+                m1->src.u3.all[3] == m2->src.u3.all[3] &&
+                m1->src.u.all == m2->src.u.all);
+}
+static inline int nf_ct_tuple_src_mask_cmp(const struct nf_conntrack_tuple *t1,
+                                           const struct nf_conntrack_tuple *t2,
+                                           const struct nf_conntrack_tuple_mask *mask)
+{
+        int count;
+        for (count = 0; count < NF_CT_TUPLE_L3SIZE; count++) {
+                if ((t1->src.u3.all[count] ^ t2->src.u3.all[count]) &
+                    mask->src.u3.all[count])
+                        return 0;
+        }
+        if ((t1->src.u.all ^ t2->src.u.all) & mask->src.u.all)
+                return 0;
+        if (t1->src.l3num != t2->src.l3num ||
+            t1->dst.protonum != t2->dst.protonum)
+                return 0;
+        return 1;
+}
 static inline int nf_ct_tuple_mask_cmp(const struct nf_conntrack_tuple *t,
                                       const struct nf_conntrack_tuple *tuple,
-                                       const struct nf_conntrack_tuple *mask)
+                                       const struct nf_conntrack_tuple_mask *mask)
 {
-        int count = 0;
+        return nf_ct_tuple_src_mask_cmp(t, tuple, mask) &&
+               nf_ct_tuple_dst_equal(t, tuple);
-        for (count = 0; count < NF_CT_TUPLE_L3SIZE; count++){
-                if ((t->src.u3.all[count] ^ tuple->src.u3.all[count]) &
-                    mask->src.u3.all[count])
-                        return 0;
-        }
-        for (count = 0; count < NF_CT_TUPLE_L3SIZE; count++){
-                if ((t->dst.u3.all[count] ^ tuple->dst.u3.all[count]) &
-                    mask->dst.u3.all[count])
-                        return 0;
-        }
-        if ((t->src.u.all ^ tuple->src.u.all) & mask->src.u.all ||
-            (t->dst.u.all ^ tuple->dst.u.all) & mask->dst.u.all ||
-            (t->src.l3num ^ tuple->src.l3num) & mask->src.l3num ||
-            (t->dst.protonum ^ tuple->dst.protonum) & mask->dst.protonum)
-                return 0;
-        return 1;
 }
 #endif /* _NF_CONNTRACK_TUPLE_H */

diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h index c0b1d1fb23e1..13643f7f7422 100644 --- a/include/net/netfilter/nf_conntrack_expect.h +++ b/include/net/netfilter/nf_conntrack_expect.h
@@ -16,7 +16,8 @@ struct nf_conntrack_expect
16	struct list_head list;	16	struct list_head list;
17		17
18	/* We expect this tuple, with the following mask */	18	/* We expect this tuple, with the following mask */
19	struct nf_conntrack_tuple tuple, mask;	19	struct nf_conntrack_tuple tuple;
		20	struct nf_conntrack_tuple_mask mask;
20		21
21	/* Function to call after setup and insertion */	22	/* Function to call after setup and insertion */
22	void (expectfn)(struct nf_conn new,	23	void (expectfn)(struct nf_conn new,


diff --git a/include/net/netfilter/nf_conntrack_helper.h b/include/net/netfilter/nf_conntrack_helper.h index b43a75ba44ac..d62e6f093af4 100644 --- a/include/net/netfilter/nf_conntrack_helper.h +++ b/include/net/netfilter/nf_conntrack_helper.h
@@ -24,10 +24,9 @@ struct nf_conntrack_helper
24	* expected connections */	24	* expected connections */
25	unsigned int timeout; /* timeout for expecteds */	25	unsigned int timeout; /* timeout for expecteds */
26		26
27	/* Mask of things we will help (compared against server response) */	27	/* Tuple of things we will help (compared against server response) */
28	struct nf_conntrack_tuple tuple;	28	struct nf_conntrack_tuple tuple;
29	struct nf_conntrack_tuple mask;	29
30
31	/* Function to call when data passes; return verdict, or -1 to	30	/* Function to call when data passes; return verdict, or -1 to
32	invalidate. */	31	invalidate. */
33	int (help)(struct sk_buff *pskb,	32	int (help)(struct sk_buff *pskb,


diff --git a/include/net/netfilter/nf_conntrack_tuple.h b/include/net/netfilter/nf_conntrack_tuple.h index d02ce876b4ca..99934ab538e6 100644 --- a/include/net/netfilter/nf_conntrack_tuple.h +++ b/include/net/netfilter/nf_conntrack_tuple.h
@@ -100,6 +100,14 @@ struct nf_conntrack_tuple
100	} dst;	100	} dst;
101	};	101	};
102		102
		103	struct nf_conntrack_tuple_mask
		104	{
		105	struct {
		106	union nf_conntrack_address u3;
		107	union nf_conntrack_man_proto u;
		108	} src;
		109	};
		110
103	/* This is optimized opposed to a memset of the whole structure. Everything we	111	/* This is optimized opposed to a memset of the whole structure. Everything we
104	* really care about is the source/destination unions */	112	* really care about is the source/destination unions */
105	#define NF_CT_TUPLE_U_BLANK(tuple) \	113	#define NF_CT_TUPLE_U_BLANK(tuple) \
@@ -161,31 +169,44 @@ static inline int nf_ct_tuple_equal(const struct nf_conntrack_tuple *t1,
161	return nf_ct_tuple_src_equal(t1, t2) && nf_ct_tuple_dst_equal(t1, t2);	169	return nf_ct_tuple_src_equal(t1, t2) && nf_ct_tuple_dst_equal(t1, t2);
162	}	170	}
163		171
		172	static inline int nf_ct_tuple_mask_equal(const struct nf_conntrack_tuple_mask *m1,
		173	const struct nf_conntrack_tuple_mask *m2)
		174	{
		175	return (m1->src.u3.all[0] == m2->src.u3.all[0] &&
		176	m1->src.u3.all[1] == m2->src.u3.all[1] &&
		177	m1->src.u3.all[2] == m2->src.u3.all[2] &&
		178	m1->src.u3.all[3] == m2->src.u3.all[3] &&
		179	m1->src.u.all == m2->src.u.all);
		180	}
		181
		182	static inline int nf_ct_tuple_src_mask_cmp(const struct nf_conntrack_tuple *t1,
		183	const struct nf_conntrack_tuple *t2,
		184	const struct nf_conntrack_tuple_mask *mask)
		185	{
		186	int count;
		187
		188	for (count = 0; count < NF_CT_TUPLE_L3SIZE; count++) {
		189	if ((t1->src.u3.all[count] ^ t2->src.u3.all[count]) &
		190	mask->src.u3.all[count])
		191	return 0;
		192	}
		193
		194	if ((t1->src.u.all ^ t2->src.u.all) & mask->src.u.all)
		195	return 0;
		196
		197	if (t1->src.l3num != t2->src.l3num \|\|
		198	t1->dst.protonum != t2->dst.protonum)
		199	return 0;
		200
		201	return 1;
		202	}
		203
164	static inline int nf_ct_tuple_mask_cmp(const struct nf_conntrack_tuple *t,	204	static inline int nf_ct_tuple_mask_cmp(const struct nf_conntrack_tuple *t,
165	const struct nf_conntrack_tuple *tuple,	205	const struct nf_conntrack_tuple *tuple,
166	const struct nf_conntrack_tuple *mask)	206	const struct nf_conntrack_tuple_mask *mask)
167	{	207	{
168	int count = 0;	208	return nf_ct_tuple_src_mask_cmp(t, tuple, mask) &&
169		209	nf_ct_tuple_dst_equal(t, tuple);
170	for (count = 0; count < NF_CT_TUPLE_L3SIZE; count++){
171	if ((t->src.u3.all[count] ^ tuple->src.u3.all[count]) &
172	mask->src.u3.all[count])
173	return 0;
174	}
175
176	for (count = 0; count < NF_CT_TUPLE_L3SIZE; count++){
177	if ((t->dst.u3.all[count] ^ tuple->dst.u3.all[count]) &
178	mask->dst.u3.all[count])
179	return 0;
180	}
181
182	if ((t->src.u.all ^ tuple->src.u.all) & mask->src.u.all \|\|
183	(t->dst.u.all ^ tuple->dst.u.all) & mask->dst.u.all \|\|
184	(t->src.l3num ^ tuple->src.l3num) & mask->src.l3num \|\|
185	(t->dst.protonum ^ tuple->dst.protonum) & mask->dst.protonum)
186	return 0;
187
188	return 1;
189	}	210	}
190		211
191	#endif /* _NF_CONNTRACK_TUPLE_H */	212	#endif /* _NF_CONNTRACK_TUPLE_H */