From: Patrick McHardy <kaber@trash.net>
To: davem@davemloft.net
Cc: Patrick McHardy <kaber@trash.net>, netfilter-devel@vger.kernel.org
Subject: [NETFILTER 11/38]: xt_conntrack match, revision 1
Date: Tue, 15 Jan 2008 07:19:27 +0100 (MET) [thread overview]
Message-ID: <20080115061922.3184.96744.sendpatchset@localhost.localdomain> (raw)
In-Reply-To: <20080115061907.3184.39432.sendpatchset@localhost.localdomain>
[NETFILTER]: xt_conntrack match, revision 1
Introduces the xt_conntrack match revision 1. It uses fixed-width types and the
new nf_inet_addr union, and comes with IPv6 support, thereby completely
superseding xt_state.
Signed-off-by: Jan Engelhardt <jengelh@computergmbh.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
commit b222e77b3dc12bb1765559d1aec2bc2701d5e913
tree b39e728f72f678814902b81baf51b5e4c42685d1
parent eecfb07f489d73875a46d4a7c9270f92596adf88
author Jan Engelhardt <jengelh@computergmbh.de> Mon, 14 Jan 2008 06:51:31 +0100
committer Patrick McHardy <kaber@trash.net> Tue, 15 Jan 2008 06:23:26 +0100
include/linux/netfilter/xt_conntrack.h | 16 ++
net/netfilter/xt_conntrack.c | 207 ++++++++++++++++++++++++++++----
2 files changed, 197 insertions(+), 26 deletions(-)
diff --git a/include/linux/netfilter/xt_conntrack.h b/include/linux/netfilter/xt_conntrack.h
index 70b6f71..d2492a3 100644
--- a/include/linux/netfilter/xt_conntrack.h
+++ b/include/linux/netfilter/xt_conntrack.h
@@ -6,7 +6,9 @@
#define _XT_CONNTRACK_H
#include <linux/netfilter/nf_conntrack_tuple_common.h>
-#include <linux/in.h>
+#ifdef __KERNEL__
+# include <linux/in.h>
+#endif
#define XT_CONNTRACK_STATE_BIT(ctinfo) (1 << ((ctinfo)%IP_CT_IS_REPLY+1))
#define XT_CONNTRACK_STATE_INVALID (1 << 0)
@@ -60,4 +62,16 @@ struct xt_conntrack_info
/* Inverse flags */
u_int8_t invflags;
};
+
+struct xt_conntrack_mtinfo1 {
+ union nf_inet_addr origsrc_addr, origsrc_mask;
+ union nf_inet_addr origdst_addr, origdst_mask;
+ union nf_inet_addr replsrc_addr, replsrc_mask;
+ union nf_inet_addr repldst_addr, repldst_mask;
+ u_int32_t expires_min, expires_max;
+ u_int16_t l4proto;
+ u_int8_t state_mask, status_mask;
+ u_int8_t match_flags, invert_flags;
+};
+
#endif /*_XT_CONNTRACK_H*/
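Review bot: struct xt_conntrack_mtinfo1 is a userspace-to-kernel ABI structure that the .c side registers without compat_from_user/compat_to_user handlers, and nothing in the header records why that is acceptable. Every member is 32 bits wide or narrower, so the layout should be the same for 32-bit and 64-bit userspace, but that invariant is what the missing compat hooks depend on, and the two bytes of tail padding after invert_flags appear to be left implicit. A comment above the struct such as `/* Revision 1: all members are <= 32 bits wide, so no CONFIG_COMPAT translation is needed; keep it that way when adding fields. */` would make the constraint visible to whoever extends it next.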
diff --git a/net/netfilter/xt_conntrack.c b/net/netfilter/xt_conntrack.c
index 3f8bfba..dc9e737 100644
--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -1,15 +1,19 @@
-/* Kernel module to match connection tracking information.
- * Superset of Rusty's minimalistic state match.
+/*
+ * xt_conntrack - Netfilter module to match connection tracking
+ * information. (Superset of Rusty's minimalistic state match.)
*
- * (C) 2001 Marc Boucher (marc@mbsi.ca).
+ * (C) 2001 Marc Boucher (marc@mbsi.ca).
+ * Copyright © CC Computer Consultants GmbH, 2007 - 2008
+ * Jan Engelhardt <jengelh@computergmbh.de>
*
- * This program is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License version 2 as
- * published by the Free Software Foundation.
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of the GNU General Public License version 2 as
+ * published by the Free Software Foundation.
*/
#include <linux/module.h>
#include <linux/skbuff.h>
+#include <net/ipv6.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_conntrack.h>
#include <net/netfilter/nf_conntrack.h>
@@ -18,12 +22,13 @@ MODULE_LICENSE("GPL");
MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
MODULE_DESCRIPTION("iptables connection tracking match module");
MODULE_ALIAS("ipt_conntrack");
+MODULE_ALIAS("ip6t_conntrack");
static bool
-conntrack_mt(const struct sk_buff *skb, const struct net_device *in,
- const struct net_device *out, const struct xt_match *match,
- const void *matchinfo, int offset, unsigned int protoff,
- bool *hotdrop)
+conntrack_mt_v0(const struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, const struct xt_match *match,
+ const void *matchinfo, int offset, unsigned int protoff,
+ bool *hotdrop)
{
const struct xt_conntrack_info *sinfo = matchinfo;
const struct nf_conn *ct;
@@ -112,6 +117,134 @@ conntrack_mt(const struct sk_buff *skb, const struct net_device *in,
}
static bool
+conntrack_addrcmp(const union nf_inet_addr *kaddr,
+ const union nf_inet_addr *uaddr,
+ const union nf_inet_addr *umask, unsigned int l3proto)
+{
+ if (l3proto == AF_INET)
+ return (kaddr->ip & umask->ip) == uaddr->ip;
+ else if (l3proto == AF_INET6)
+ return ipv6_masked_addr_cmp(&kaddr->in6, &umask->in6,
+ &uaddr->in6) == 0;
+ else
+ return false;
+}
+
+static inline bool
+conntrack_mt_origsrc(const struct nf_conn *ct,
+ const struct xt_conntrack_mtinfo1 *info,
+ unsigned int family)
+{
+ return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3,
+ &info->origsrc_addr, &info->origsrc_mask, family);
+}
+
+static inline bool
+conntrack_mt_origdst(const struct nf_conn *ct,
+ const struct xt_conntrack_mtinfo1 *info,
+ unsigned int family)
+{
+ return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3,
+ &info->origdst_addr, &info->origdst_mask, family);
+}
+
+static inline bool
+conntrack_mt_replsrc(const struct nf_conn *ct,
+ const struct xt_conntrack_mtinfo1 *info,
+ unsigned int family)
+{
+ return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3,
+ &info->replsrc_addr, &info->replsrc_mask, family);
+}
+
+static inline bool
+conntrack_mt_repldst(const struct nf_conn *ct,
+ const struct xt_conntrack_mtinfo1 *info,
+ unsigned int family)
+{
+ return conntrack_addrcmp(&ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3,
+ &info->repldst_addr, &info->repldst_mask, family);
+}
+
+static bool
+conntrack_mt(const struct sk_buff *skb, const struct net_device *in,
+ const struct net_device *out, const struct xt_match *match,
+ const void *matchinfo, int offset, unsigned int protoff,
+ bool *hotdrop)
+{
+ const struct xt_conntrack_mtinfo1 *info = matchinfo;
+ enum ip_conntrack_info ctinfo;
+ const struct nf_conn *ct;
+ unsigned int statebit;
+
+ ct = nf_ct_get(skb, &ctinfo);
+
+ if (ct == &nf_conntrack_untracked)
+ statebit = XT_CONNTRACK_STATE_UNTRACKED;
+ else if (ct != NULL)
+ statebit = XT_CONNTRACK_STATE_BIT(ctinfo);
+ else
+ statebit = XT_CONNTRACK_STATE_INVALID;
+
+ if (info->match_flags & XT_CONNTRACK_STATE) {
+ if (ct != NULL) {
+ if (test_bit(IPS_SRC_NAT_BIT, &ct->status))
+ statebit |= XT_CONNTRACK_STATE_SNAT;
+ if (test_bit(IPS_DST_NAT_BIT, &ct->status))
+ statebit |= XT_CONNTRACK_STATE_DNAT;
+ }
+ if ((info->state_mask & statebit) ^
+ !(info->invert_flags & XT_CONNTRACK_STATE))
+ return false;
+ }
+
+ if (ct == NULL)
+ return info->match_flags & XT_CONNTRACK_STATE;
+
+ if ((info->match_flags & XT_CONNTRACK_PROTO) &&
+ ((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum ==
+ info->l4proto) ^ !(info->invert_flags & XT_CONNTRACK_PROTO)))
+ return false;
+
+ if (info->match_flags & XT_CONNTRACK_ORIGSRC)
+ if (conntrack_mt_origsrc(ct, info, match->family) ^
+ !(info->invert_flags & XT_CONNTRACK_ORIGSRC))
+ return false;
+
+ if (info->match_flags & XT_CONNTRACK_ORIGDST)
+ if (conntrack_mt_origdst(ct, info, match->family) ^
+ !(info->invert_flags & XT_CONNTRACK_ORIGDST))
+ return false;
+
+ if (info->match_flags & XT_CONNTRACK_REPLSRC)
+ if (conntrack_mt_replsrc(ct, info, match->family) ^
+ !(info->invert_flags & XT_CONNTRACK_REPLSRC))
+ return false;
+
+ if (info->match_flags & XT_CONNTRACK_REPLDST)
+ if (conntrack_mt_repldst(ct, info, match->family) ^
+ !(info->invert_flags & XT_CONNTRACK_REPLDST))
+ return false;
+
+ if ((info->match_flags & XT_CONNTRACK_STATUS) &&
+ (!!(info->status_mask & ct->status) ^
+ !(info->invert_flags & XT_CONNTRACK_STATUS)))
+ return false;
+
+ if (info->match_flags & XT_CONNTRACK_EXPIRES) {
+ unsigned long expires = 0;
+
+ if (timer_pending(&ct->timeout))
+ expires = (ct->timeout.expires - jiffies) / HZ;
+ if ((expires >= info->expires_min &&
+ expires <= info->expires_max) ^
+ !(info->invert_flags & XT_CONNTRACK_EXPIRES))
+ return false;
+ }
+ return true;
+}
+
+static bool
conntrack_mt_check(const char *tablename, const void *ip,
const struct xt_match *match, void *matchinfo,
unsigned int hook_mask)
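Review bot: conntrack_addrcmp() applies the mask asymmetrically: the AF_INET branch masks only the conntrack address and compares it against uaddr unmasked, while the AF_INET6 branch, as I read ipv6_masked_addr_cmp(), masks the XOR of both addresses. An IPv4 rule whose origsrc_addr carries host bits outside origsrc_mask therefore never matches, whereas the same rule would match on IPv6; making the IPv4 branch `return ((kaddr->ip ^ uaddr->ip) & umask->ip) == 0;` gives both families the same semantics regardless of how userspace pre-masked the address. The family passed down is match->family from the registration table, which is AF_INET or AF_INET6 for every entry in this module, so the trailing `return false` is a defensive default rather than a reachable path. conntrack_mt_check's signature begins at the end of this hunk but its body lies outside it.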
@@ -144,7 +277,7 @@ struct compat_xt_conntrack_info
u_int8_t invflags;
};
-static void conntrack_mt_compat_from_user(void *dst, void *src)
+static void conntrack_mt_compat_from_user_v0(void *dst, void *src)
{
const struct compat_xt_conntrack_info *cm = src;
struct xt_conntrack_info m = {
@@ -161,7 +294,7 @@ static void conntrack_mt_compat_from_user(void *dst, void *src)
memcpy(dst, &m, sizeof(m));
}
-static int conntrack_mt_compat_to_user(void __user *dst, void *src)
+static int conntrack_mt_compat_to_user_v0(void __user *dst, void *src)
{
const struct xt_conntrack_info *m = src;
struct compat_xt_conntrack_info cm = {
@@ -179,29 +312,53 @@ static int conntrack_mt_compat_to_user(void __user *dst, void *src)
}
#endif
-static struct xt_match conntrack_mt_reg __read_mostly = {
- .name = "conntrack",
- .match = conntrack_mt,
- .checkentry = conntrack_mt_check,
- .destroy = conntrack_mt_destroy,
- .matchsize = sizeof(struct xt_conntrack_info),
+static struct xt_match conntrack_mt_reg[] __read_mostly = {
+ {
+ .name = "conntrack",
+ .revision = 0,
+ .family = AF_INET,
+ .match = conntrack_mt_v0,
+ .checkentry = conntrack_mt_check,
+ .destroy = conntrack_mt_destroy,
+ .matchsize = sizeof(struct xt_conntrack_info),
+ .me = THIS_MODULE,
#ifdef CONFIG_COMPAT
- .compatsize = sizeof(struct compat_xt_conntrack_info),
- .compat_from_user = conntrack_mt_compat_from_user,
- .compat_to_user = conntrack_mt_compat_to_user,
+ .compatsize = sizeof(struct compat_xt_conntrack_info),
+ .compat_from_user = conntrack_mt_compat_from_user_v0,
+ .compat_to_user = conntrack_mt_compat_to_user_v0,
#endif
- .family = AF_INET,
- .me = THIS_MODULE,
+ },
+ {
+ .name = "conntrack",
+ .revision = 1,
+ .family = AF_INET,
+ .matchsize = sizeof(struct xt_conntrack_mtinfo1),
+ .match = conntrack_mt,
+ .checkentry = conntrack_mt_check,
+ .destroy = conntrack_mt_destroy,
+ .me = THIS_MODULE,
+ },
+ {
+ .name = "conntrack",
+ .revision = 1,
+ .family = AF_INET6,
+ .matchsize = sizeof(struct xt_conntrack_mtinfo1),
+ .match = conntrack_mt,
+ .checkentry = conntrack_mt_check,
+ .destroy = conntrack_mt_destroy,
+ .me = THIS_MODULE,
+ },
};
static int __init conntrack_mt_init(void)
{
- return xt_register_match(&conntrack_mt_reg);
+ return xt_register_matches(conntrack_mt_reg,
+ ARRAY_SIZE(conntrack_mt_reg));
}
static void __exit conntrack_mt_exit(void)
{
- xt_unregister_match(&conntrack_mt_reg);
+ xt_unregister_matches(conntrack_mt_reg, ARRAY_SIZE(conntrack_mt_reg));
}
module_init(conntrack_mt_init);
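Review bot: All three xt_match entries share conntrack_mt_check and conntrack_mt_destroy, which were written for revision 0, and the check receives no revision indicator, so any inspection of matchinfo it performs would be against the struct xt_conntrack_info layout while revision-1 rules carry struct xt_conntrack_mtinfo1. Its body is outside this hunk, so this is presumably fine if it only takes the l3proto module reference for match->family, but that is worth confirming, and a one-line comment on the revision-1 entries stating that the check is revision-independent would save the next reader the same verification. The two revision-1 entries differ only in .family, and their initializer order (.matchsize before .match) differs from the revision-0 entry, which is harmless but reads as if the entries were written separately; keeping the order uniform would make the table easier to scan.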
-