Diffstat (limited to 'include')
-rw-r--r--include/net/netfilter/nf_conntrack_expect.h3
-rw-r--r--include/net/netfilter/nf_conntrack_helper.h5
-rw-r--r--include/net/netfilter/nf_conntrack_tuple.h65
3 files changed, 47 insertions, 26 deletions
diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h
index c0b1d1fb23e1..13643f7f7422 100644
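--- a/include/net/netfilter/nf_conntrack_expect.h
+++ b/include/net/netfilter/nf_conntrack_expect.h
@@ -16,7 +16,8 @@ struct nf_conntrack_expect
  struct list_head list;
 
  /* We expect this tuple, with the following mask */
- struct nf_conntrack_tuple tuple, mask;
+ struct nf_conntrack_tuple tuple;
+ struct nf_conntrack_tuple_mask mask;
 
  /* Function to call after setup and insertion */
  void (*expectfn)(struct nf_conn *new,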
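Review bot: The comment kept above these members, `/* We expect this tuple, with the following mask */`, no longer says what the mask covers now that `mask` is a `struct nf_conntrack_tuple_mask`, which per the nf_conntrack_tuple.h section of this commit holds only `src.u3` and `src.u`. I would reword it to something like `/* We expect this tuple; mask covers the source address and port only, the destination is matched exactly */`, so that code setting up an expectation does not assume a destination wildcard still exists. The struct begins and ends outside the hunk.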
diff --git a/include/net/netfilter/nf_conntrack_helper.h b/include/net/netfilter/nf_conntrack_helper.h
index b43a75ba44ac..d62e6f093af4 100644
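--- a/include/net/netfilter/nf_conntrack_helper.h
+++ b/include/net/netfilter/nf_conntrack_helper.h
@@ -24,10 +24,9 @@ struct nf_conntrack_helper
  * expected connections */
  unsigned int timeout; /* timeout for expecteds */
 
- /* Mask of things we will help (compared against server response) */
+ /* Tuple of things we will help (compared against server response) */
  struct nf_conntrack_tuple tuple;
- struct nf_conntrack_tuple mask;
 
  /* Function to call when data passes; return verdict, or -1 to
  invalidate. */
  int (*help)(struct sk_buff **pskb,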
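Review bot: With `mask` removed, this header no longer says which parts of `tuple` are significant when a helper is looked up; the reworded comment only swaps "Mask" for "Tuple". The lookup code is outside this view, so which fields it compares cannot be confirmed from here. A helper author who used to leave mask fields zero to wildcard them needs that information, because a helper that matches more traffic than intended ends up parsing payloads it was not written for. I would extend the comment to name the fields the lookup actually compares and to state that there is no per-helper wildcard any more. The struct starts and ends outside the hunk.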
diff --git a/include/net/netfilter/nf_conntrack_tuple.h b/include/net/netfilter/nf_conntrack_tuple.h
index d02ce876b4ca..99934ab538e6 100644
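--- a/include/net/netfilter/nf_conntrack_tuple.h
+++ b/include/net/netfilter/nf_conntrack_tuple.h
@@ -100,6 +100,14 @@ struct nf_conntrack_tuple
  } dst;
 };
 
+struct nf_conntrack_tuple_mask
+{
+ struct {
+ union nf_conntrack_address u3;
+ union nf_conntrack_man_proto u;
+ } src;
+};
+
 /* This is optimized opposed to a memset of the whole structure. Everything we
  * really care about is the source/destination unions */
 #define NF_CT_TUPLE_U_BLANK(tuple) \
@@ -161,31 +169,44 @@ static inline int nf_ct_tuple_equal(const struct nf_conntrack_tuple *t1,
  return nf_ct_tuple_src_equal(t1, t2) && nf_ct_tuple_dst_equal(t1, t2);
 }
 
+static inline int nf_ct_tuple_mask_equal(const struct nf_conntrack_tuple_mask *m1,
+ const struct nf_conntrack_tuple_mask *m2)
+{
+ return (m1->src.u3.all[0] == m2->src.u3.all[0] &&
+ m1->src.u3.all[1] == m2->src.u3.all[1] &&
+ m1->src.u3.all[2] == m2->src.u3.all[2] &&
+ m1->src.u3.all[3] == m2->src.u3.all[3] &&
+ m1->src.u.all == m2->src.u.all);
+}
+
+static inline int nf_ct_tuple_src_mask_cmp(const struct nf_conntrack_tuple *t1,
+ const struct nf_conntrack_tuple *t2,
+ const struct nf_conntrack_tuple_mask *mask)
+{
+ int count;
+
+ for (count = 0; count < NF_CT_TUPLE_L3SIZE; count++) {
+ if ((t1->src.u3.all[count] ^ t2->src.u3.all[count]) &
+ mask->src.u3.all[count])
+ return 0;
+ }
+
+ if ((t1->src.u.all ^ t2->src.u.all) & mask->src.u.all)
+ return 0;
+
+ if (t1->src.l3num != t2->src.l3num ||
+ t1->dst.protonum != t2->dst.protonum)
+ return 0;
+
+ return 1;
+}
+
 static inline int nf_ct_tuple_mask_cmp(const struct nf_conntrack_tuple *t,
  const struct nf_conntrack_tuple *tuple,
- const struct nf_conntrack_tuple *mask)
+ const struct nf_conntrack_tuple_mask *mask)
 {
- int count = 0;
-
- for (count = 0; count < NF_CT_TUPLE_L3SIZE; count++){
- if ((t->src.u3.all[count] ^ tuple->src.u3.all[count]) &
- mask->src.u3.all[count])
- return 0;
- }
-
- for (count = 0; count < NF_CT_TUPLE_L3SIZE; count++){
- if ((t->dst.u3.all[count] ^ tuple->dst.u3.all[count]) &
- mask->dst.u3.all[count])
- return 0;
- }
-
- if ((t->src.u.all ^ tuple->src.u.all) & mask->src.u.all ||
- (t->dst.u.all ^ tuple->dst.u.all) & mask->dst.u.all ||
- (t->src.l3num ^ tuple->src.l3num) & mask->src.l3num ||
- (t->dst.protonum ^ tuple->dst.protonum) & mask->dst.protonum)
- return 0;
-
- return 1;
+ return nf_ct_tuple_src_mask_cmp(t, tuple, mask) &&
+ nf_ct_tuple_dst_equal(t, tuple);
 }
 
 #endif /* _NF_CONNTRACK_TUPLE_H */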
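Review bot: The new `nf_ct_tuple_src_mask_cmp()` also compares `src.l3num` and `dst.protonum` exactly, which its name does not suggest, and `nf_ct_tuple_mask_cmp()` now requires the whole destination to be equal, where the old body applied `mask->dst.*`, `mask->src.l3num` and `mask->dst.protonum`. Callers that relied on a partly wildcarded destination or protocol are outside this view (the diffstat is limited to `include`), so they should be checked, since this comparison presumably decides which connections match an expectation. I would add a comment above the helper such as `/* Source address and port are compared under @mask; l3num and dst.protonum always have to match exactly. */`. Separately, `nf_ct_tuple_mask_equal()` hard-codes `all[0]` to `all[3]` while the loop next to it uses `NF_CT_TUPLE_L3SIZE`; writing both with the same loop would keep them in step.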