From: Gao feng <gaofeng@cn.fujitsu.com>
To: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH 1/3] netfilter: ctnetlink: attach expectations to unconfirmed conntracks
Date: Thu, 23 May 2013 17:34:43 +0800 [thread overview]
Message-ID: <519DE2B3.6030005@cn.fujitsu.com> (raw)
In-Reply-To: <1369298557-5351-1-git-send-email-pablo@netfilter.org>
On 05/23/2013 04:42 PM, Pablo Neira Ayuso wrote:
> This patch adds the capability to attach expectations to unconfirmed
> conntrack entries. This patch is required by the DHCPv6 helper in
> user-space.
>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
> include/net/netfilter/nf_conntrack.h | 4 ++++
> include/uapi/linux/netfilter/nfnetlink_conntrack.h | 1 +
> net/netfilter/nf_conntrack_core.c | 20 ++++++++++++++++++++
> net/netfilter/nf_conntrack_netlink.c | 14 ++++++++++++--
> 4 files changed, 37 insertions(+), 2 deletions(-)
>
> diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
> index 644d9c2..d172fc5 100644
> --- a/include/net/netfilter/nf_conntrack.h
> +++ b/include/net/netfilter/nf_conntrack.h
> @@ -180,6 +180,10 @@ extern struct nf_conntrack_tuple_hash *
> __nf_conntrack_find(struct net *net, u16 zone,
> const struct nf_conntrack_tuple *tuple);
>
> +struct nf_conntrack_tuple_hash *
> +nf_ct_unconfirmed_find(struct net *net, u16 zone,
> + const struct nf_conntrack_tuple *tuple);
> +
> extern int nf_conntrack_hash_check_insert(struct nf_conn *ct);
> extern void nf_ct_delete_from_lists(struct nf_conn *ct);
> extern void nf_ct_dying_timeout(struct nf_conn *ct);
> diff --git a/include/uapi/linux/netfilter/nfnetlink_conntrack.h b/include/uapi/linux/netfilter/nfnetlink_conntrack.h
> index 08fabc6..8f7c2fe 100644
> --- a/include/uapi/linux/netfilter/nfnetlink_conntrack.h
> +++ b/include/uapi/linux/netfilter/nfnetlink_conntrack.h
> @@ -187,6 +187,7 @@ enum ctattr_expect {
> CTA_EXPECT_CLASS,
> CTA_EXPECT_NAT,
> CTA_EXPECT_FN,
> + CTA_EXPECT_MASTER_STATUS,
> __CTA_EXPECT_MAX
> };
> #define CTA_EXPECT_MAX (__CTA_EXPECT_MAX - 1)
> diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
> index ebb81d6..a6e5764 100644
> --- a/net/netfilter/nf_conntrack_core.c
> +++ b/net/netfilter/nf_conntrack_core.c
> @@ -401,6 +401,26 @@ nf_conntrack_find_get(struct net *net, u16 zone,
> }
> EXPORT_SYMBOL_GPL(nf_conntrack_find_get);
>
> +struct nf_conntrack_tuple_hash *
> +nf_ct_unconfirmed_find(struct net *net, u16 zone,
> + const struct nf_conntrack_tuple *tuple)
> +{
> + struct nf_conntrack_tuple_hash *h, *ret = NULL;
> + struct hlist_nulls_node *n;
> +
> + rcu_read_lock();
> + hlist_nulls_for_each_entry_rcu(h, n, &net->ct.unconfirmed, hnnode) {
> + if (nf_ct_tuple_equal(tuple, &h->tuple) &&
> + nf_ct_zone(nf_ct_tuplehash_to_ctrack(h)) == zone) {
> + ret = h;
Shouldn't we get reference of nf_ct_tuplehash_to_ctrack(h) here?
ctnetlink_create_expect will call nf_ct_put to release the reference finally.
or I miss something?
> + break;
> + }
> + }
> + rcu_read_unlock();
> + return ret;
> +}
> +EXPORT_SYMBOL_GPL(nf_ct_unconfirmed_find);
> +
> static void __nf_conntrack_hash_insert(struct nf_conn *ct,
> unsigned int hash,
> unsigned int repl_hash)
> diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
> index 6d0f8a1..3596682 100644
> --- a/net/netfilter/nf_conntrack_netlink.c
> +++ b/net/netfilter/nf_conntrack_netlink.c
> @@ -2742,7 +2742,7 @@ ctnetlink_create_expect(struct net *net, u16 zone,
> struct nf_conn *ct;
> struct nf_conn_help *help;
> struct nf_conntrack_helper *helper = NULL;
> - u_int32_t class = 0;
> + u_int32_t class = 0, master_status;
> int err = 0;
>
> /* caller guarantees that those three CTA_EXPECT_* exist */
> @@ -2756,8 +2756,18 @@ ctnetlink_create_expect(struct net *net, u16 zone,
> if (err < 0)
> return err;
>
> + if (cda[CTA_EXPECT_MASTER_STATUS]) {
> + master_status =
> + ntohl(nla_get_be32(cda[CTA_EXPECT_MASTER_STATUS]));
> + } else
> + master_status = IPS_CONFIRMED;
> +
> /* Look for master conntrack of this expectation */
> - h = nf_conntrack_find_get(net, zone, &master_tuple);
> + if (master_status & IPS_CONFIRMED)
> + h = nf_conntrack_find_get(net, zone, &master_tuple);
> + else
> + h = nf_ct_unconfirmed_find(net, zone, &master_tuple);
> +
> if (!h)
> return -ENOENT;
> ct = nf_ct_tuplehash_to_ctrack(h);
>
prev parent reply other threads:[~2013-05-23 9:33 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-05-23 8:42 [PATCH 1/3] netfilter: ctnetlink: attach expectations to unconfirmed conntracks Pablo Neira Ayuso
2013-05-23 8:42 ` [PATCH 2/3] netfilter: don't panic on error while walking through the init path Pablo Neira Ayuso
2013-05-23 8:50 ` Gao feng
2013-05-23 11:09 ` Pablo Neira Ayuso
2013-05-23 8:42 ` [PATCH 3/3] netfilter: {ipt,ebt}_ULOG: rise warning on deprecation Pablo Neira Ayuso
2013-05-23 8:59 ` Gao feng
2013-05-23 11:09 ` Pablo Neira Ayuso
2013-05-23 9:34 ` Gao feng [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=519DE2B3.6030005@cn.fujitsu.com \
--to=gaofeng@cn.fujitsu.com \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.