From: Pablo Neira <pablo@eurodev.net>
To: Netfilter Development Mailinglist
<netfilter-devel@lists.netfilter.org>,
Harald Welte <laforge@netfilter.org>,
Patrick McHardy <kaber@trash.net>
Subject: [PATCH] return value of conntrack protocol helper functions and a macro for stats
Date: Thu, 05 Aug 2004 15:34:50 +0200 [thread overview]
Message-ID: <4112377A.8050106@eurodev.net> (raw)
[-- Attachment #1: Type: text/plain, Size: 435 bytes --]
Hi,
This patch applies to last Harald's patch bombing. It's based on
Martin's idea of removing negative values in conntrack protocol helper
functions. Please see:
http://lists.netfilter.org/pipermail/netfilter-devel/2004-June/015769.html
Now functions packet and error return CONNTRACK_CONT to let the packet
continue its travel through the conntrack system. It also add a macro to
increase vars used for stats.
regards,
Pablo
[-- Attachment #2: conntrack_cont-and-fix-stats.patch --]
[-- Type: text/x-patch, Size: 11716 bytes --]
diff -u -r1.2 ip_conntrack.h
--- a/include/linux/netfilter_ipv4/ip_conntrack.h 4 Aug 2004 15:26:52 -0000 1.2
+++ b/include/linux/netfilter_ipv4/ip_conntrack.h 5 Aug 2004 11:09:17 -0000
@@ -10,6 +10,10 @@
#include <linux/compiler.h>
#include <asm/atomic.h>
+/* Protocol specific functions (packet and error) return CONNTRACK_CONT
+ * to perform no action on a packet. */
+#define CONNTRACK_CONT -1
+
enum ip_conntrack_info
{
/* Part of an established connection (either direction). */
@@ -303,12 +307,13 @@
unsigned int insert_failed;
unsigned int drop;
unsigned int early_drop;
- unsigned int icmp_error;
+ unsigned int error;
unsigned int expect_new;
unsigned int expect_create;
unsigned int expect_delete;
};
+#define CONNTRACK_STAT_INC(count) (__get_cpu_var(ip_conntrack_stat).count++)
/* eg. PROVIDES_CONNTRACK(ftp); */
#define PROVIDES_CONNTRACK(name) \
diff -u -r1.2 ip_conntrack_core.c
--- a/net/ipv4/netfilter/ip_conntrack_core.c 4 Aug 2004 15:26:55 -0000 1.2
+++ b/net/ipv4/netfilter/ip_conntrack_core.c 5 Aug 2004 11:17:18 -0000
@@ -182,7 +182,7 @@
IP_NF_ASSERT(!timer_pending(&exp->timeout));
kmem_cache_free(ip_conntrack_expect_cachep, exp);
- __get_cpu_var(ip_conntrack_stat).expect_delete++;
+ CONNTRACK_STAT_INC(expect_delete);
}
inline void ip_conntrack_expect_put(struct ip_conntrack_expect *exp)
@@ -351,14 +351,14 @@
DEBUGP("destroy_conntrack: returning ct=%p to slab\n", ct);
kmem_cache_free(ip_conntrack_cachep, ct);
atomic_dec(&ip_conntrack_count);
- __get_cpu_var(ip_conntrack_stat).delete++;
+ CONNTRACK_STAT_INC(delete);
}
static void death_by_timeout(unsigned long ul_conntrack)
{
struct ip_conntrack *ct = (void *)ul_conntrack;
- __get_cpu_var(ip_conntrack_stat).delete_list++;
+ CONNTRACK_STAT_INC(delete_list);
WRITE_LOCK(&ip_conntrack_lock);
clean_from_lists(ct);
@@ -488,12 +488,12 @@
atomic_inc(&ct->ct_general.use);
set_bit(IPS_CONFIRMED_BIT, &ct->status);
WRITE_UNLOCK(&ip_conntrack_lock);
- __get_cpu_var(ip_conntrack_stat).insert++;
+ CONNTRACK_STAT_INC(insert);
return NF_ACCEPT;
}
WRITE_UNLOCK(&ip_conntrack_lock);
- __get_cpu_var(ip_conntrack_stat).insert_failed++;
+ CONNTRACK_STAT_INC(insert_failed);
return NF_DROP;
}
@@ -537,7 +537,7 @@
if (del_timer(&h->ctrack->timeout)) {
death_by_timeout((unsigned long)h->ctrack);
dropped = 1;
- __get_cpu_var(ip_conntrack_stat).early_drop++;
+ CONNTRACK_STAT_INC(early_drop);
}
ip_conntrack_put(h->ctrack);
return dropped;
@@ -667,13 +667,13 @@
if (expected->expectfn)
expected->expectfn(conntrack);
- __get_cpu_var(ip_conntrack_stat).expect_new++;
+ CONNTRACK_STAT_INC(expect_new);
goto ret;
} else {
conntrack->helper = ip_ct_find_helper(&repl_tuple);
- __get_cpu_var(ip_conntrack_stat).new++;
+ CONNTRACK_STAT_INC(new);
}
end: atomic_inc(&ip_conntrack_count);
@@ -777,7 +777,7 @@
/* Previously seen (loopback or untracked)? Ignore. */
if ((*pskb)->nfct) {
- __get_cpu_var(ip_conntrack_stat).ignore++;
+ CONNTRACK_STAT_INC(ignore);
return NF_ACCEPT;
}
@@ -786,41 +786,42 @@
/* It may be an special packet, error, unclean...
* inverse of the return code tells to the netfilter
* core what to do with the packet. */
- if (proto->error != NULL
- && (ret = proto->error(*pskb, &ctinfo, hooknum)) <= 0) {
- __get_cpu_var(ip_conntrack_stat).icmp_error++;
- return -ret;
+ if (proto->error != NULL) {
+ ret = proto->error(*pskb, &ctinfo, hooknum);
+ if (ret != CONNTRACK_CONT) {
+ CONNTRACK_STAT_INC(error);
+ CONNTRACK_STAT_INC(invalid);
+ return ret;
+ }
}
if (!(ct = resolve_normal_ct(*pskb, proto,&set_reply,hooknum,&ctinfo))) {
/* Not valid part of a connection */
- __get_cpu_var(ip_conntrack_stat).invalid++;
+ CONNTRACK_STAT_INC(invalid);
return NF_ACCEPT;
}
if (IS_ERR(ct)) {
/* Too stressed to deal. */
- __get_cpu_var(ip_conntrack_stat).drop++;
+ CONNTRACK_STAT_INC(drop);
return NF_DROP;
}
IP_NF_ASSERT((*pskb)->nfct);
ret = proto->packet(ct, *pskb, ctinfo);
- if (ret < 0) {
- /* Invalid: inverse of the return code tells
- * the netfilter core what to do*/
+ if (ret != CONNTRACK_CONT) {
nf_conntrack_put((*pskb)->nfct);
(*pskb)->nfct = NULL;
- __get_cpu_var(ip_conntrack_stat).invalid++;
- return -ret;
+ CONNTRACK_STAT_INC(invalid);
+ return ret;
}
- if (ret != NF_DROP && ct->helper) {
+ if (ct->helper != NULL) {
ret = ct->helper->help(*pskb, ct, ctinfo);
if (ret == -1) {
/* Invalid */
- __get_cpu_var(ip_conntrack_stat).invalid++;
+ CONNTRACK_STAT_INC(invalid);
nf_conntrack_put((*pskb)->nfct);
(*pskb)->nfct = NULL;
return NF_ACCEPT;
@@ -1024,7 +1025,7 @@
WRITE_UNLOCK(&ip_conntrack_lock);
- __get_cpu_var(ip_conntrack_stat).expect_create++;
+ CONNTRACK_STAT_INC(expect_create);
return ret;
}
diff -u -r1.2 ip_conntrack_proto_generic.c
--- a/net/ipv4/netfilter/ip_conntrack_proto_generic.c 4 Aug 2004 15:26:55 -0000 1.2
+++ b/net/ipv4/netfilter/ip_conntrack_proto_generic.c 5 Aug 2004 11:08:28 -0000
@@ -53,7 +53,7 @@
enum ip_conntrack_info ctinfo)
{
ip_ct_refresh_acct(conntrack, ctinfo, skb, ip_ct_generic_timeout);
- return NF_ACCEPT;
+ return CONNTRACK_CONT;
}
/* Called when a new connection for this protocol found. */
diff -u -r1.2 ip_conntrack_proto_icmp.c
--- a/net/ipv4/netfilter/ip_conntrack_proto_icmp.c 4 Aug 2004 15:26:55 -0000 1.2
+++ b/net/ipv4/netfilter/ip_conntrack_proto_icmp.c 5 Aug 2004 11:16:11 -0000
@@ -102,7 +102,7 @@
ip_ct_refresh_acct(ct, ctinfo, skb, ip_ct_icmp_timeout);
}
- return NF_ACCEPT;
+ return CONNTRACK_CONT;
}
/* Called when a new connection for this protocol found. */
@@ -193,7 +193,7 @@
/* Update skb to refer to this connection */
skb->nfct = &h->ctrack->infos[*ctinfo];
- return -NF_ACCEPT;
+ return NF_ACCEPT;
}
/* Small and modified version of icmp_rcv */
@@ -208,7 +208,7 @@
if (LOG_INVALID(IPPROTO_ICMP))
nf_log_packet(PF_INET, 0, skb, NULL, NULL,
"ip_ct_icmp: short packet ");
- return -NF_ACCEPT;
+ return NF_ACCEPT;
}
/* See ip_conntrack_proto_tcp.c */
@@ -222,13 +222,13 @@
if (LOG_INVALID(IPPROTO_ICMP))
nf_log_packet(PF_INET, 0, skb, NULL, NULL,
"ip_ct_icmp: bad HW ICMP checksum ");
- return -NF_ACCEPT;
+ return NF_ACCEPT;
case CHECKSUM_NONE:
if ((u16)csum_fold(skb_checksum(skb, 0, skb->len, 0))) {
if (LOG_INVALID(IPPROTO_ICMP))
nf_log_packet(PF_INET, 0, skb, NULL, NULL,
"ip_ct_icmp: bad ICMP checksum ");
- return -NF_ACCEPT;
+ return NF_ACCEPT;
}
default:
break;
@@ -245,7 +245,7 @@
if (LOG_INVALID(IPPROTO_ICMP))
nf_log_packet(PF_INET, 0, skb, NULL, NULL,
"ip_ct_icmp: invalid ICMP type ");
- return -NF_ACCEPT;
+ return NF_ACCEPT;
}
/* Need to track icmp error message? */
@@ -254,7 +254,7 @@
&& icmph.type != ICMP_TIME_EXCEEDED
&& icmph.type != ICMP_PARAMETERPROB
&& icmph.type != ICMP_REDIRECT)
- return NF_ACCEPT;
+ return CONNTRACK_CONT;
return icmp_error_message(skb, ctinfo, hooknum);
}
diff -u -r1.2 ip_conntrack_proto_tcp.c
--- a/net/ipv4/netfilter/ip_conntrack_proto_tcp.c 4 Aug 2004 15:26:55 -0000 1.2
+++ b/net/ipv4/netfilter/ip_conntrack_proto_tcp.c 5 Aug 2004 11:16:17 -0000
@@ -769,7 +769,7 @@
if (LOG_INVALID(IPPROTO_TCP))
nf_log_packet(PF_INET, 0, skb, NULL, NULL,
"ip_ct_tcp: short packet ");
- return -NF_ACCEPT;
+ return NF_ACCEPT;
}
/* Not whole TCP header or malformed packet */
@@ -777,7 +777,7 @@
if (LOG_INVALID(IPPROTO_TCP))
nf_log_packet(PF_INET, 0, skb, NULL, NULL,
"ip_ct_tcp: truncated/malformed packet ");
- return -NF_ACCEPT;
+ return NF_ACCEPT;
}
/* Checksum invalid? Ignore.
@@ -793,7 +793,7 @@
if (LOG_INVALID(IPPROTO_TCP))
nf_log_packet(PF_INET, 0, skb, NULL, NULL,
"ip_ct_tcp: bad TCP checksum ");
- return -NF_ACCEPT;
+ return NF_ACCEPT;
}
/* Check TCP flags. */
@@ -802,10 +802,10 @@
if (LOG_INVALID(IPPROTO_TCP))
nf_log_packet(PF_INET, 0, skb, NULL, NULL,
"ip_ct_tcp: invalid TCP flag combination ");
- return -NF_ACCEPT;
+ return NF_ACCEPT;
}
- return NF_ACCEPT;
+ return CONNTRACK_CONT;
}
static inline void copy_whole_tcp_header(const struct sk_buff *skb,
@@ -864,7 +864,7 @@
if (del_timer(&conntrack->timeout))
conntrack->timeout.function((unsigned long)
conntrack);
- return -NF_DROP;
+ return NF_DROP;
}
conntrack->proto.tcp.last_index = index;
conntrack->proto.tcp.last_dir = dir;
@@ -874,7 +874,7 @@
if (LOG_INVALID(IPPROTO_TCP))
nf_log_packet(PF_INET, 0, skb, NULL, NULL,
"ip_ct_tcp: invalid SYN (ignored) ");
- return NF_ACCEPT;
+ return CONNTRACK_CONT;
case TCP_CONNTRACK_MAX:
/* Invalid packet */
DEBUGP("ip_ct_tcp: Invalid dir=%i index=%u ostate=%u\n",
@@ -884,7 +884,7 @@
if (LOG_INVALID(IPPROTO_TCP))
nf_log_packet(PF_INET, 0, skb, NULL, NULL,
"ip_ct_tcp: invalid state ");
- return -NF_ACCEPT;
+ return NF_ACCEPT;
case TCP_CONNTRACK_SYN_SENT:
if (old_state >= TCP_CONNTRACK_TIME_WAIT) {
/* Attempt to reopen a closed connection.
@@ -893,7 +893,7 @@
if (del_timer(&conntrack->timeout))
conntrack->timeout.function((unsigned long)
conntrack);
- return -NF_REPEAT;
+ return NF_REPEAT;
}
break;
case TCP_CONNTRACK_CLOSE:
@@ -908,7 +908,7 @@
if (LOG_INVALID(IPPROTO_TCP))
nf_log_packet(PF_INET, 0, skb, NULL, NULL,
"ip_ct_tcp: invalid RST (ignored) ");
- return NF_ACCEPT;
+ return CONNTRACK_CONT;
}
/* Just fall trough */
default:
@@ -919,7 +919,7 @@
if (!tcp_in_window(&conntrack->proto.tcp, dir, &index,
skb, iph, tcph)) {
WRITE_UNLOCK(&tcp_lock);
- return -NF_ACCEPT;
+ return NF_ACCEPT;
}
/* From now on we have got in-window packets */
@@ -950,7 +950,7 @@
if (del_timer(&conntrack->timeout))
conntrack->timeout.function((unsigned long)
conntrack);
- return NF_ACCEPT;
+ return CONNTRACK_CONT;
}
} else if (!test_bit(IPS_ASSURED_BIT, &conntrack->status)
&& (old_state == TCP_CONNTRACK_SYN_RECV
@@ -963,7 +963,7 @@
}
ip_ct_refresh_acct(conntrack, ctinfo, skb, timeout);
- return NF_ACCEPT;
+ return CONNTRACK_CONT;
}
/* Called when a new connection for this protocol found. */
diff -u -r1.2 ip_conntrack_proto_udp.c
--- a/net/ipv4/netfilter/ip_conntrack_proto_udp.c 4 Aug 2004 15:26:55 -0000 1.2
+++ b/net/ipv4/netfilter/ip_conntrack_proto_udp.c 5 Aug 2004 11:15:31 -0000
@@ -74,7 +74,7 @@
} else
ip_ct_refresh_acct(conntrack, ctinfo, skb, ip_ct_udp_timeout);
- return NF_ACCEPT;
+ return CONNTRACK_CONT;
}
/* Called when a new connection for this protocol found. */
@@ -95,7 +95,7 @@
if (LOG_INVALID(IPPROTO_UDP))
nf_log_packet(PF_INET, 0, skb, NULL, NULL,
"ip_ct_udp: short packet ");
- return -NF_ACCEPT;
+ return NF_ACCEPT;
}
/* Truncated/malformed packets */
@@ -103,12 +103,12 @@
if (LOG_INVALID(IPPROTO_UDP))
nf_log_packet(PF_INET, 0, skb, NULL, NULL,
"ip_ct_udp: truncated/malformed packet ");
- return -NF_ACCEPT;
+ return NF_ACCEPT;
}
/* Packet with no checksum */
if (!hdr.check)
- return NF_ACCEPT;
+ return CONNTRACK_CONT;
/* Checksum invalid? Ignore.
* We skip checking packets on the outgoing path
@@ -122,10 +122,10 @@
if (LOG_INVALID(IPPROTO_UDP))
nf_log_packet(PF_INET, 0, skb, NULL, NULL,
"ip_ct_udp: bad UDP checksum ");
- return -NF_ACCEPT;
+ return NF_ACCEPT;
}
- return NF_ACCEPT;
+ return CONNTRACK_CONT;
}
struct ip_conntrack_protocol ip_conntrack_protocol_udp =
next reply other threads:[~2004-08-05 13:34 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2004-08-05 13:34 Pablo Neira [this message]
2004-08-20 22:15 ` [PATCH] return value of conntrack protocol helper functions and a macro for stats Martin Josefsson
2004-08-21 21:27 ` Martin Josefsson
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4112377A.8050106@eurodev.net \
--to=pablo@eurodev.net \
--cc=kaber@trash.net \
--cc=laforge@netfilter.org \
--cc=netfilter-devel@lists.netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.