19 Sep, 2015
1 commit
-
As gre does not have the srckey in the packet gre_pkt_to_tuple
needs to perform a lookup in its per network namespace tables.

Pass in the proper network namespace to all pkt_to_tuple
implementations to ensure gre (and any similar protocols) can get this
right.
Signed-off-by: "Eric W. Biederman"
Signed-off-by: Pablo Neira Ayuso
30 Jul, 2015
1 commit
-
Currently nf_conntrack_proto_sctp module handles only packets between
primary addresses used to establish the connection. Any packets between
secondary addresses are classified as invalid so that usual firewall
configurations drop them. Allowing HEARTBEAT and HEARTBEAT-ACK chunks to
establish a new conntrack would allow traffic between secondary
addresses to pass through. A more sophisticated solution based on the
addresses advertised in the initial handshake (and possibly also later
dynamic address addition and removal) would be much harder to implement.
Moreover, in general we cannot assume to always see the initial
handshake as it can be routed through a different path.

The patch adds two new conntrack states:

SCTP_CONNTRACK_HEARTBEAT_SENT - a HEARTBEAT chunk seen but not acked
SCTP_CONNTRACK_HEARTBEAT_ACKED - a HEARTBEAT acked by HEARTBEAT-ACK

State transition rules:
- HEARTBEAT_SENT responds to usual chunks the same way as NONE (so that
the behaviour changes as little as possible)
- HEARTBEAT_ACKED responds to usual chunks the same way as ESTABLISHED
does, except the resulting state is HEARTBEAT_ACKED rather than
ESTABLISHED
- previously existing states except NONE are preserved when HEARTBEAT or
HEARTBEAT-ACK is seen
- NONE (in the initial direction) changes to HEARTBEAT_SENT on HEARTBEAT
and to CLOSED on HEARTBEAT-ACK
- HEARTBEAT_SENT changes to HEARTBEAT_ACKED on HEARTBEAT-ACK in the
reply direction
- HEARTBEAT_SENT and HEARTBEAT_ACKED are preserved on HEARTBEAT and
HEARTBEAT-ACK otherwise

Normally, vtag is set from the INIT chunk for the reply direction and
from the INIT-ACK chunk for the originating direction (i.e. each of
these defines vtag value for the opposite direction). For secondary
conntracks, we can't rely on seeing INIT/INIT-ACK and even if we have
seen them, we would need to connect two different conntracks. Therefore
simplified logic is applied: vtag of first packet in each direction
(HEARTBEAT in the originating and HEARTBEAT-ACK in reply direction) is
saved and all following packets in that direction are compared with this
saved value. While INIT and INIT-ACK define vtag for the opposite
direction, vtags extracted from HEARTBEAT and HEARTBEAT-ACK are always
for their direction.

Default timeout values for new states are

HEARTBEAT_SENT: 30 seconds (default hb_interval)
HEARTBEAT_ACKED: 210 seconds (hb_interval * path_max_retry + max_rto)

(We cannot expect to see the shutdown sequence so that, unlike
ESTABLISHED, the HEARTBEAT_ACKED timeout shouldn't be too long.)
Signed-off-by: Michal Kubecek
Signed-off-by: Pablo Neira Ayuso
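The heartbeat state machine and the simplified vtag rule from the commit message above, as an added user-space model in C. This is not the kernel's nf_conntrack_proto_sctp.c; the enum and function names are mine, the "usual chunk" table base_next is a deliberately reduced stand-in for the kernel's full per-direction table (only NONE and ESTABLISHED have entries, everything else maps to CLOSED), and the INIT/INIT-ACK vtag path that sets the tag for the opposite direction is not modelled. It encodes the six transition rules, the first-vtag-per-direction check, the two quoted timeouts, and runs two constructed scenarios.

```c
#include <stdbool.h>
#include <stdint.h>

enum sctp_state { S_NONE, S_CLOSED, S_COOKIE_WAIT, S_ESTABLISHED,
                  S_SHUTDOWN_SENT, S_HEARTBEAT_SENT, S_HEARTBEAT_ACKED };
enum chunk { C_INIT, C_DATA, C_SHUTDOWN, C_HEARTBEAT, C_HEARTBEAT_ACK };
enum dir { D_ORIG = 0, D_REPLY = 1 };

struct conntrack {
    enum sctp_state state;
    uint32_t vtag[2];   /* first vtag seen in each direction */
    bool vtag_set[2];
};

/* Reduced stand-in (assumption) for the kernel's table for "usual" chunks;
 * anything not listed here is treated as CLOSED, i.e. invalid. */
static enum sctp_state base_next(enum sctp_state s, enum chunk c, enum dir d)
{
    if (s == S_NONE)
        return (c == C_INIT && d == D_ORIG) ? S_COOKIE_WAIT : S_CLOSED;
    if (s == S_ESTABLISHED)
        return c == C_DATA ? S_ESTABLISHED : c == C_SHUTDOWN ? S_SHUTDOWN_SENT : S_CLOSED;
    return S_CLOSED;
}

/* The transition rules listed in the commit message. */
static enum sctp_state next_state(enum sctp_state s, enum chunk c, enum dir d)
{
    enum sctp_state eff, n;
    if (c == C_HEARTBEAT || c == C_HEARTBEAT_ACK) {
        if (s == S_NONE)   /* new conntrack: first packet is the original direction */
            return (c == C_HEARTBEAT && d == D_ORIG) ? S_HEARTBEAT_SENT : S_CLOSED;
        if (s == S_HEARTBEAT_SENT && c == C_HEARTBEAT_ACK && d == D_REPLY)
            return S_HEARTBEAT_ACKED;
        return s;          /* every other existing state is preserved */
    }
    /* Usual chunks: HEARTBEAT_SENT acts like NONE; HEARTBEAT_ACKED acts like
     * ESTABLISHED, except that an ESTABLISHED result stays HEARTBEAT_ACKED. */
    eff = s == S_HEARTBEAT_SENT ? S_NONE : s == S_HEARTBEAT_ACKED ? S_ESTABLISHED : s;
    n = base_next(eff, c, d);
    return (s == S_HEARTBEAT_ACKED && n == S_ESTABLISHED) ? S_HEARTBEAT_ACKED : n;
}

/* Simplified vtag rule for secondary conntracks: save the first vtag seen in
 * each direction; later packets in that direction must carry the same one. */
static bool vtag_check(struct conntrack *ct, enum dir d, uint32_t vtag)
{
    if (!ct->vtag_set[d]) {
        ct->vtag[d] = vtag;
        ct->vtag_set[d] = true;
        return true;
    }
    return ct->vtag[d] == vtag;
}

/* Timeouts in seconds as quoted in the message; 0 = not covered by this model. */
static unsigned int state_timeout_s(enum sctp_state s)
{
    if (s == S_HEARTBEAT_SENT)
        return 30;   /* default hb_interval */
    if (s == S_HEARTBEAT_ACKED)
        return 210;  /* hb_interval * path_max_retry + max_rto */
    return 0;
}

/* Apply one chunk. Returns false when the packet is invalid: a vtag mismatch,
 * or a NONE -> CLOSED result, which means no conntrack is created for it. */
static bool sctp_packet(struct conntrack *ct, enum chunk c, enum dir d, uint32_t vtag)
{
    enum sctp_state n;
    if (!vtag_check(ct, d, vtag))
        return false;
    n = next_state(ct->state, c, d);
    if (ct->state == S_NONE && n == S_CLOSED)
        return false;
    ct->state = n;
    return true;
}

/* Constructed scenario: heartbeat exchange between secondary addresses with no
 * INIT/INIT-ACK ever seen, followed by DATA in the original direction. */
static enum sctp_state secondary_heartbeat_scenario(void)
{
    struct conntrack ct = { .state = S_NONE };
    sctp_packet(&ct, C_HEARTBEAT, D_ORIG, 0x1111);      /* NONE -> HEARTBEAT_SENT */
    sctp_packet(&ct, C_HEARTBEAT_ACK, D_REPLY, 0x2222); /* -> HEARTBEAT_ACKED */
    sctp_packet(&ct, C_DATA, D_ORIG, 0x1111);           /* stays HEARTBEAT_ACKED */
    return ct.state;
}

/* Constructed scenario: a later original-direction packet with another vtag. */
static bool vtag_mismatch_is_invalid(void)
{
    struct conntrack ct = { .state = S_NONE };
    sctp_packet(&ct, C_HEARTBEAT, D_ORIG, 0x1111);
    return !sctp_packet(&ct, C_HEARTBEAT, D_ORIG, 0x9999);
}
```

Two points worth checking against the rules: an unsolicited HEARTBEAT-ACK on a fresh conntrack yields NONE -> CLOSED, so no entry is created for it, and a DATA chunk from HEARTBEAT_ACKED is handled as from ESTABLISHED but the entry never actually reaches ESTABLISHED, so the two kinds of entry stay distinguishable and the shorter 210-second timeout keeps applying.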
06 Nov, 2014
2 commits
-
Since adding a new function to seq_file (seq_has_overflowed())
there isn't any value for functions called from seq_show to
return anything. Remove the int returns of the various
print_tuple/_print_tuple functions.
Link: http://lkml.kernel.org/p/f2e8cf8df433a197daa62cbaf124c900c708edc7.1412031505.git.joe@perches.com
Cc: Pablo Neira Ayuso
Cc: Patrick McHardy
Cc: Jozsef Kadlecsik
Cc: netfilter-devel@vger.kernel.org
Cc: coreteam@netfilter.org
Signed-off-by: Joe Perches
Signed-off-by: Steven Rostedt
-
The seq_printf() and friends are having their return values removed.
The print_conntrack() returns the result of seq_printf(), which is
meaningless when seq_printf() returns void. Might as well remove the
return values of print_conntrack() as well.
Link: http://lkml.kernel.org/r/20141029220107.465008329@goodmis.org
Acked-by: Pablo Neira Ayuso
Cc: Patrick McHardy
Cc: Jozsef Kadlecsik
Cc: netfilter-devel@vger.kernel.org
Cc: coreteam@netfilter.org
Signed-off-by: Steven Rostedt
19 Apr, 2013
1 commit
-
Add copyright statements to all netfilter files which have had significant
changes done by myself in the past.

Some notes:

- nf_conntrack_ecache.c was incorrectly attributed to Rusty and Netfilter
Core Team when it got split out of nf_conntrack_core.c. The copyrights
even state a date which lies six years before it was written. It was
written in 2005 by Harald and myself.

- net/ipv{4,6}/netfilter.c, net/netfilter/nf_queue.c were missing copyright
statements. I've added the copyright statement from net/netfilter/core.c,
where this code originated

- for nf_conntrack_proto_tcp.c I've also added Jozsef, since I didn't want
it to give the wrong impression
Signed-off-by: Patrick McHardy
Signed-off-by: Pablo Neira Ayuso
15 Mar, 2013
1 commit
-
In (c296bb4 netfilter: nf_conntrack: refactor l4proto support for netns)
the l4proto gre/dccp/udplite/sctp registration happened before the pernet
subsystem, which is wrong.

Register pernet subsystem before register L4proto since after register
L4proto, init_conntrack may try to access the resources which allocated
in register_pernet_subsys.
Reported-by: Alexey Dobriyan
Cc: Alexey Dobriyan
Signed-off-by: Gao feng
Signed-off-by: Pablo Neira Ayuso
23 Jan, 2013
1 commit
-
Move the code that register/unregister l4proto to the
module_init/exit context.

Given that we have to modify some interfaces to accommodate
these changes, it is a good time to use shorter function names
for this using the nf_ct_* prefix instead of nf_conntrack_*,
that is:

nf_ct_l4proto_register
nf_ct_l4proto_pernet_register
nf_ct_l4proto_unregister
nf_ct_l4proto_pernet_unregister

We save many line breaks with it.
Signed-off-by: Gao feng
Signed-off-by: Pablo Neira Ayuso
28 Jun, 2012
2 commits
-
Merge sctpv4_net_init and sctpv6_net_init into sctp_net_init to
remove redundant code now that we have the u_int16_t proto
parameter.

And use nf_proto_net.users to identify if it's the first time
we use the nf_proto_net, in that case, we initialize i
Signed-off-by: Gao feng
Signed-off-by: Pablo Neira Ayuso
-
l4proto->init contains quite redundant code. We can simplify this
by adding a new parameter l3proto.

This patch prepares that code simplification.
Signed-off-by: Gao feng
Signed-off-by: Pablo Neira Ayuso
07 Jun, 2012
4 commits
-
This patch adds namespace support for cttimeout.
Acked-by: Eric W. Biederman
Signed-off-by: Gao feng
Signed-off-by: Pablo Neira Ayuso
-
Since the sysctl data for l[3|4]proto now resides in pernet nf_proto_net,
we can now remove these unused fields from struct nf_conntrack_l[3,4]proto.
Acked-by: Eric W. Biederman
Signed-off-by: Gao feng
Signed-off-by: Pablo Neira Ayuso
-
This patch adds namespace support for SCTP protocol tracker.
Acked-by: Eric W. Biederman
Signed-off-by: Gao feng
Signed-off-by: Pablo Neira Ayuso
-
This patch prepares the namespace support for layer 4 protocol trackers.
Basically, this modifies the following interfaces:

* nf_ct_[un]register_sysctl
* nf_conntrack_l4proto_[un]register

to include the namespace parameter. We still use init_net in this patch
to prepare the ground for follow-up patches for each layer 4 protocol
tracker.

We add a new net_id field to struct nf_conntrack_l4proto that is used
to store the pernet_operations id for each layer 4 protocol tracker.

Note that AF_INET6's protocols do not need to do sysctl compat. Thus,
we only register compat sysctl when l4proto.l3proto != AF_INET6.
Acked-by: Eric W. Biederman
Signed-off-by: Gao feng
Signed-off-by: Pablo Neira Ayuso
02 Apr, 2012
1 commit
-
These macros contain a hidden goto, and are thus extremely error
prone and make code hard to audit.
Signed-off-by: David S. Miller
08 Mar, 2012
2 commits
-
This patch adds the infrastructure to add fine timeout tuning
over nfnetlink. Now you can use the NFNL_SUBSYS_CTNETLINK_TIMEOUT
subsystem to create/delete/dump timeout objects that contain some
specific timeout policy for one flow.

The follow-up patches will allow you to attach timeout policy object
to conntrack via the CT target and the conntrack extension
infrastructure.
Signed-off-by: Pablo Neira Ayuso
-
This patch defines a new interface for l4 protocol trackers:
unsigned int *(*get_timeouts)(struct net *net);
that is used to return the array of unsigned int that contains
the timeouts that will be applied for this flow. This is passed
to the l4proto->new(...) and l4proto->packet(...) functions to
specify the timeout policy.

This interface allows per-net global timeout configuration
(although only DCCP supports this by now) and it will allow
custom timeout configuration by means of follow-up
patches.
Signed-off-by: Pablo Neira Ayuso
17 Dec, 2011
1 commit
-
Use IS_ENABLED(CONFIG_FOO)
instead of defined(CONFIG_FOO) || defined (CONFIG_FOO_MODULE)
Signed-off-by: Igor Maravić
Signed-off-by: David S. Miller
31 Mar, 2011
1 commit
-
Fixes generated by 'codespell' and manually reviewed.
Signed-off-by: Lucas De Marchi
13 Nov, 2010
1 commit
-
ct->proto is big (60 bytes) due to structure ip_ct_tcp, and we don't need
to initialize the whole for all the other protocols. This patch moves
proto to the end of structure nf_conn, and pushes the initialization down
to the individual protocols.
Signed-off-by: Changli Gao
Signed-off-by: Patrick McHardy
13 May, 2010
1 commit
-
Make sure all printk messages have a severity level.
Signed-off-by: Stephen Hemminger
Signed-off-by: Patrick McHardy
03 Feb, 2010
1 commit
-
Split up the IPCT_STATUS event into an IPCT_REPLY event, which is generated
when the IPS_SEEN_REPLY bit is set, and an IPCT_ASSURED event, which is
generated when the IPS_ASSURED bit is set.

In combination with a following patch to support selective event delivery,
this can be used for "sparse" conntrack replication: start replicating the
conntrack entry after it reached the ASSURED state and that way it's SYN-flood
resistant.
Signed-off-by: Patrick McHardy
12 Nov, 2009
1 commit
-
Now that sys_sysctl is a compatibility wrapper around /proc/sys
all sysctl strategy routines, and all ctl_name and strategy
entries in the sysctl tables are unused, and can be
removed.

In addition neigh_sysctl_register has been modified to no longer
take a strategy argument and its callers have been modified not
to pass one.
Cc: "David Miller"
Cc: Hideaki YOSHIFUJI
Cc: netdev@vger.kernel.org
Signed-off-by: Eric W. Biederman
10 Jun, 2009
1 commit
-
Introduce per-conntrack locks and use them instead of the global protocol
locks to avoid contention. Especially tcp_lock shows up very high in
profiles on larger machines.

This will also allow simplifying the upcoming reliable event delivery patches.
Signed-off-by: Patrick McHardy
26 Mar, 2009
1 commit
-
Signed-off-by: Holger Eitzenberger
Signed-off-by: Patrick McHardy
24 Nov, 2008
1 commit
-
net/netfilter/nf_conntrack_proto_sctp.c: In function 'sctp_packet':
net/netfilter/nf_conntrack_proto_sctp.c:376: warning: array subscript is above array bounds

gcc doesn't realize that do_basic_checks() guarantees that there is
at least one valid chunk and thus new_state is never SCTP_CONNTRACK_MAX
after the loop. Initialize to SCTP_CONNTRACK_NONE to avoid the warning.

Based on patch by Wu Fengguang
Signed-off-by: Patrick McHardy
04 Nov, 2008
1 commit
-
I want to compile out proc_* and sysctl_* handlers totally and
stub them to NULL depending on config options, however usage of &
will prevent this, since taking address of NULL pointer will break
compilation.

So, drop & in front of every ->proc_handler and every ->strategy
handler, it was never needed in fact.
Signed-off-by: Alexey Dobriyan
Signed-off-by: David S. Miller
08 Oct, 2008
2 commits
-
This is cleaner, we already know conntrack to which event is relevant.
Signed-off-by: Alexey Dobriyan
Signed-off-by: Patrick McHardy
-
and (try to) consistently use u_int8_t for the L3 family.
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
22 Jul, 2008
1 commit
-
Introduced by a258860e (netfilter: ctnetlink: add full support for SCTP to ctnetlink):
net/netfilter/nf_conntrack_proto_sctp.c:483:2: warning: cast from restricted type
net/netfilter/nf_conntrack_proto_sctp.c:483:2: warning: incorrect type in argument 1 (different base types)
net/netfilter/nf_conntrack_proto_sctp.c:483:2: expected unsigned int [unsigned] [usertype] x
net/netfilter/nf_conntrack_proto_sctp.c:483:2: got restricted unsigned int const
net/netfilter/nf_conntrack_proto_sctp.c:483:2: warning: cast from restricted type
net/netfilter/nf_conntrack_proto_sctp.c:483:2: warning: cast from restricted type
net/netfilter/nf_conntrack_proto_sctp.c:483:2: warning: cast from restricted type
net/netfilter/nf_conntrack_proto_sctp.c:483:2: warning: cast from restricted type
net/netfilter/nf_conntrack_proto_sctp.c:487:2: warning: cast from restricted type
net/netfilter/nf_conntrack_proto_sctp.c:487:2: warning: incorrect type in argument 1 (different base types)
net/netfilter/nf_conntrack_proto_sctp.c:487:2: expected unsigned int [unsigned] [usertype] x
net/netfilter/nf_conntrack_proto_sctp.c:487:2: got restricted unsigned int const
net/netfilter/nf_conntrack_proto_sctp.c:487:2: warning: cast from restricted type
net/netfilter/nf_conntrack_proto_sctp.c:487:2: warning: cast from restricted type
net/netfilter/nf_conntrack_proto_sctp.c:487:2: warning: cast from restricted type
net/netfilter/nf_conntrack_proto_sctp.c:487:2: warning: cast from restricted type
net/netfilter/nf_conntrack_proto_sctp.c:532:42: warning: incorrect type in assignment (different base types)
net/netfilter/nf_conntrack_proto_sctp.c:532:42: expected restricted unsigned int
net/netfilter/nf_conntrack_proto_sctp.c:532:42: got unsigned int
net/netfilter/nf_conntrack_proto_sctp.c:534:39: warning: incorrect type in assignment (different base types)
net/netfilter/nf_conntrack_proto_sctp.c:534:39: expected restricted unsigned int
net/netfilter/nf_conntrack_proto_sctp.c:534:39: got unsigned int
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
10 Jun, 2008
1 commit
-
This patch adds full support for SCTP to ctnetlink. This includes three
new attributes: state, original vtag and reply vtag.
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
14 Apr, 2008
2 commits
-
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
-
Signed-off-by: Jan Engelhardt
Signed-off-by: Patrick McHardy
01 Feb, 2008
2 commits
-
Rename all "conntrack" variables to "ct" for more consistency and
avoiding some overly long lines.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Teach sparse about locking here, and fix signed/unsigned warnings.
Signed-off-by: Stephen Hemminger
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
29 Jan, 2008
6 commits
-
Instead of keeping pointers to the timeout values in a table, simply
put the timeout values in the table directly.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Use SCTP_CHUNK_FLAG_T instead of 0x1.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Don't take and release the lock once per SCTP chunk, simply hold it
the entire time while iterating through the chunks.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
The name is misleading, it holds the new connection state, so rename it
to "newstate". Also rename "oldsctpstate" to "oldstate" for consistency.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Consolidate error paths and use proper symbolic return value instead
of magic values.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
-
Eliminate a few lines over 80 characters by using a local variable to
hold the conntrack direction instead of using CTINFO2DIR everywhere.
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller