16 Jul, 2018
2 commits
-
Not needed, we can have the l4trackers fetch it themselves.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
-
It's simpler to just handle it directly in nf_ct_invert_tuple().
Also gets rid of need to pass l3proto pointer to resolve_conntrack().
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
09 Jan, 2018
2 commits
-
Nowadays this is just the default template that is used when setting up
the net namespace, so nothing writes to these locations.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
-
previous patches removed all writes to these structs so we can
now mark them as const.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
06 Nov, 2017
1 commit
-
We currently call ->nlattr_tuple_size() once at register time and
cache result in l4proto->nla_size.
nla_size is the only member that is written to, avoiding this would
allow to make l4proto trackers const.
We can use ->nlattr_tuple_size() at run time, and cache result in
the individual trackers instead.
This is an intermediate step, next patch removes nlattr_size()
callback and computes size at compile time, then removes nla_size.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
25 Oct, 2017
2 commits
-
not needed/used anymore.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
-
We currently pass down the l4 protocol to the conntrack ->packet()
function, but the only user of this is the debug info decision.
Same information can be derived from struct nf_conn.
As a first step, add and use a new log function for this, similar to
nf_ct_helper_log().
Add __cold annotation -- invalid packets should be infrequent so
gcc can consider all call paths that lead to such a function as
unlikely.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
04 Sep, 2017
2 commits
-
This patch removes NF_CT_ASSERT() and instead uses WARN_ON().
Signed-off-by: Varsha Rao
-
tested with allmodconfig build.
Signed-off-by: Florian Westphal
28 Aug, 2017
1 commit
-
When enabling logging for invalid connections we currently also log most
icmpv6 types, which we don't track intentionally (e.g. neigh discovery).
"invalid" should really mean "invalid", i.e. short header or bad checksum.
We don't do any logging for icmp(v4) either, it's just useless noise.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
25 Aug, 2017
2 commits
-
CONFIG_NF_CONNTRACK_PROCFS is deprecated, no need to use a function
pointer in the trackers for this. Place the printf formatting in
the one place that uses it.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
-
no need to waste storage for something that is only needed
in one place and can be deduced from protocol number.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
15 Apr, 2017
1 commit
-
resurrect an old patch from Pablo Neira to remove the untracked objects.
Currently, there are four possible states of an skb wrt. conntrack.
1. No conntrack attached, ct is NULL.
2. Normal (kmem cache allocated) ct attached.
3. a template (kmalloc'd), not in any hash tables at any point in time
4. the 'untracked' conntrack, a percpu nf_conn object, tagged via
IPS_UNTRACKED_BIT in ct->status.
Untracked is supposed to be identical to case 1. It exists only
so users can check
-m conntrack --ctstate UNTRACKED vs.
-m conntrack --ctstate INVALID
e.g. attempts to set connmark on INVALID or UNTRACKED conntracks are
supposed to be a no-op.
Thus currently we need to check
ct == NULL || nf_ct_is_untracked(ct)
in a lot of places in order to avoid altering untracked objects.
The other consequence of the percpu untracked object is that all
-j NOTRACK (and, later, kfree_skb of such skbs) result in an atomic op
(inc/dec the untracked conntracks refcount).
This adds a new kernel-private ctinfo state, IP_CT_UNTRACKED, to
make the distinction instead.
The (few) places that care about packet invalid (ct is NULL) vs.
packet untracked now need to test ct == NULL vs. ctinfo == IP_CT_UNTRACKED,
but all other places can omit the nf_ct_is_untracked() check.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
02 Feb, 2017
3 commits
-
Add a helper to assign a nf_conn entry and the ctinfo bits to an sk_buff.
This avoids changing code in followup patch that merges skb->nfct and
skb->nfctinfo into skb->_nfct.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
-
Followup patch renames skb->nfct and changes its type so add a helper to
avoid intrusive rename change later.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
-
It is never accessed for reading and the only places that write to it
are the icmp(6) handlers, which also set skb->nfct (and skb->nfctinfo).
The conntrack core specifically checks for attached skb->nfct after
->error() invocation and returns early in this case.
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
25 Sep, 2016
1 commit
-
All of the callers of nf_hook_slow already hold the rcu_read_lock, so this
cleanup removes the recursive call. This is just a cleanup, as the locking
code gracefully handles this situation.
Signed-off-by: Aaron Conole
Signed-off-by: Pablo Neira Ayuso
13 Oct, 2015
1 commit
-
This patch cleanses whitespace around arithmetical operators.
No changes detected by objdiff.
Signed-off-by: Ian Morris
Signed-off-by: Pablo Neira Ayuso
19 Sep, 2015
1 commit
-
As gre does not have the srckey in the packet gre_pkt_to_tuple
needs to perform a lookup in its per network namespace tables.
Pass in the proper network namespace to all pkt_to_tuple
implementations to ensure gre (and any similar protocols) can get this
right.
Signed-off-by: "Eric W. Biederman"
Signed-off-by: Pablo Neira Ayuso
18 Aug, 2015
1 commit
-
This work adds the possibility of deriving the zone id from the skb->mark
field in a scalable manner. This allows for having only a single template
serving hundreds/thousands of different zones, for example, instead of the
need to have one match for each zone as an extra CT jump target.
Note that we'd need to have this information attached to the template as at
the time when we're trying to lookup a possible ct object, we already need
to know zone information for a possible match when going into
__nf_conntrack_find_get(). This work provides a minimal implementation for
a possible mapping.
In order to not add/expose an extra ct->status bit, the zone structure has
been extended to carry a flag for deriving the mark.
Signed-off-by: Daniel Borkmann
Signed-off-by: Pablo Neira Ayuso
11 Aug, 2015
1 commit
-
This patch replaces the zone id which is pushed down into functions
with the actual zone object. It's a bigger one-time change, but
needed for later on extending zones with a direction parameter, and
thus decoupling this additional information from all call-sites.
No functional changes in this patch.
The default zone becomes a global const object, namely nf_ct_zone_dflt
and will be returned directly in various cases, one being, when there's
f.e. no zoning support.
Signed-off-by: Daniel Borkmann
Signed-off-by: Pablo Neira Ayuso
06 Nov, 2014
1 commit
-
Since adding a new function to seq_file (seq_has_overflowed())
there isn't any value for functions called from seq_show to
return anything. Remove the int returns of the various
print_tuple/_print_tuple functions.
Link: http://lkml.kernel.org/p/f2e8cf8df433a197daa62cbaf124c900c708edc7.1412031505.git.joe@perches.com
Cc: Pablo Neira Ayuso
Cc: Patrick McHardy
Cc: Jozsef Kadlecsik
Cc: netfilter-devel@vger.kernel.org
Cc: coreteam@netfilter.org
Signed-off-by: Joe Perches
Signed-off-by: Steven Rostedt
06 Apr, 2013
1 commit
-
This patch adds netns support to nf_log and it prepares netns
support for existing loggers. It is composed of four major
changes.
1) nf_log_register has been split to two functions: nf_log_register
and nf_log_set. The new nf_log_register is used to globally
register the nf_logger and nf_log_set is used for enabling
pernet support from nf_loggers.
Per netns is not yet complete after this patch, it comes in
separate follow up patches.
2) Add net as a parameter of nf_log_bind_pf. Per netns is not
yet complete after this patch, it only allows to bind the
nf_logger to the protocol family from init_net and it skips
other cases.
3) Adapt all nf_log_packet callers to pass netns as parameter.
After this patch, this function only works for init_net.
4) Make the sysctl net/netfilter/nf_log pernet.
Signed-off-by: Gao feng
Signed-off-by: Pablo Neira Ayuso
02 Nov, 2012
1 commit
-
#if defined(CONFIG_FOO) || defined(CONFIG_FOO_MODULE)
can be replaced by
#if IS_ENABLED(CONFIG_FOO)
Cc: David S. Miller
Signed-off-by: Cong Wang
Signed-off-by: David S. Miller
05 Jul, 2012
1 commit
-
This patch generalizes nf_ct_l4proto_net by splitting it into chunks and
moving the corresponding protocol part to where it really belongs to.
To clarify, note that we follow two different approaches to support per-net
depending if it's built-in or run-time loadable protocol tracker.
Signed-off-by: Pablo Neira Ayuso
Acked-by: Gao feng
28 Jun, 2012
2 commits
-
Split sysctl function into smaller chunks to cleanup code and prepare
patches to reduce ifdef pollution.
Signed-off-by: Gao feng
Signed-off-by: Pablo Neira Ayuso
-
l4proto->init contains quite redundant code. We can simplify this
by adding a new parameter l3proto.
This patch prepares that code simplification.
Signed-off-by: Gao feng
Signed-off-by: Pablo Neira Ayuso
07 Jun, 2012
3 commits
-
This patch adds namespace support for cttimeout.
Acked-by: Eric W. Biederman
Signed-off-by: Gao feng
Signed-off-by: Pablo Neira Ayuso
-
Since the sysctl data for l[3|4]proto now resides in pernet nf_proto_net,
we can now remove these unused fields from struct nf_conntrack_l[3,4]proto.
Acked-by: Eric W. Biederman
Signed-off-by: Gao feng
Signed-off-by: Pablo Neira Ayuso
-
This patch adds namespace support for ICMPv6 protocol tracker.
Acked-by: Eric W. Biederman
Signed-off-by: Gao feng
Signed-off-by: Pablo Neira Ayuso
02 Apr, 2012
1 commit
-
These macros contain a hidden goto, and are thus extremely error
prone and make code hard to audit.
Signed-off-by: David S. Miller
08 Mar, 2012
2 commits
-
This patch adds the infrastructure to add fine timeout tuning
over nfnetlink. Now you can use the NFNL_SUBSYS_CTNETLINK_TIMEOUT
subsystem to create/delete/dump timeout objects that contain some
specific timeout policy for one flow.
The follow up patches will allow you to attach timeout policy object
to conntrack via the CT target and the conntrack extension
infrastructure.
Signed-off-by: Pablo Neira Ayuso
-
This patch defines a new interface for l4 protocol trackers:
unsigned int *(*get_timeouts)(struct net *net);
that is used to return the array of unsigned int that contains
the timeouts that will be applied for this flow. This is passed
to the l4proto->new(...) and l4proto->packet(...) functions to
specify the timeout policy.
This interface allows per-net global timeout configuration
(although only DCCP supports this by now) and it will allow
custom timeout configuration by means of follow-up
patches.
Signed-off-by: Pablo Neira Ayuso
06 Jun, 2011
1 commit
-
This patch fixes a refcount leak of ct objects that may occur if
l4proto->error() assigns one conntrack object to one skbuff. In
that case, we have to skip further processing in nf_conntrack_in().
With this patch, we can also fix wrong return values (-NF_ACCEPT)
for special cases in ICMP[v6] that should not bump the invalid/error
statistic counters.
Reported-by: Zoltan Menyhart
Signed-off-by: Pablo Neira Ayuso
08 Jun, 2010
1 commit
-
NOTRACK makes all cpus share a cache line on nf_conntrack_untracked
twice per packet. This is bad for performance.
__read_mostly annotation is also a bad choice.
This patch introduces IPS_UNTRACKED bit so that we can use later a
per_cpu untrack structure more easily.
A new helper, nf_ct_untracked_get() returns a pointer to
nf_conntrack_untracked.
Another one, nf_ct_untracked_status_or() is used by nf_nat_init() to add
IPS_NAT_DONE_MASK bits to untracked status.
nf_ct_is_untracked() prototype is changed to work on a nf_conn pointer.
Signed-off-by: Eric Dumazet
Signed-off-by: Patrick McHardy
16 Feb, 2010
2 commits
-
Normally, each connection needs a unique identity. Conntrack zones allow
to specify a numerical zone using the CT target, connections in different
zones can use the same identity.
Example:
iptables -t raw -A PREROUTING -i veth0 -j CT --zone 1
iptables -t raw -A OUTPUT -o veth1 -j CT --zone 1
Signed-off-by: Patrick McHardy
-
The error handlers might need the template to get the conntrack zone
introduced in the next patches to perform a conntrack lookup.
Signed-off-by: Patrick McHardy
08 Dec, 2009
1 commit
-
* git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6: (1815 commits)
mac80211: fix reorder buffer release
iwmc3200wifi: Enable wimax core through module parameter
iwmc3200wifi: Add wifi-wimax coexistence mode as a module parameter
iwmc3200wifi: Coex table command does not expect a response
iwmc3200wifi: Update wiwi priority table
iwlwifi: driver version track kernel version
iwlwifi: indicate uCode type when fail dump error/event log
iwl3945: remove duplicated event logging code
b43: fix two warnings
ipw2100: fix rebooting hang with driver loaded
cfg80211: indent regulatory messages with spaces
iwmc3200wifi: fix NULL pointer dereference in pmkid update
mac80211: Fix TX status reporting for injected data frames
ath9k: enable 2GHz band only if the device supports it
airo: Fix integer overflow warning
rt2x00: Fix padding bug on L2PAD devices.
WE: Fix set events not propagated
b43legacy: avoid PPC fault during resume
b43: avoid PPC fault during resume
tcp: fix a timewait refcnt race
...
Fix up conflicts due to sysctl cleanups (dead sysctl_check code and
CTL_UNNUMBERED removed) in
kernel/sysctl_check.c
net/ipv4/sysctl_net_ipv4.c
net/ipv6/addrconf.c
net/sctp/sysctl.c
24 Nov, 2009
1 commit
-
Compile tested only.
Signed-off-by: Joe Perches
Signed-off-by: Patrick McHardy
12 Nov, 2009
1 commit
-
Now that sys_sysctl is a compatibility wrapper around /proc/sys
all sysctl strategy routines, and all ctl_name and strategy
entries in the sysctl tables are unused, and can be
removed.
In addition neigh_sysctl_register has been modified to no longer
take a strategy argument and its callers have been modified not
to pass one.
Cc: "David Miller"
Cc: Hideaki YOSHIFUJI
Cc: netdev@vger.kernel.org
Signed-off-by: Eric W. Biederman