* [PATCH nf-next 0/4] netfilter: handle race w. module removal and nfqueue
From: Florian Westphal @ 2017-07-24 16:57 UTC (permalink / raw)
To: netfilter-devel
There is a long-standing race between module removal (such as helpers),
nfqueue, and unconfirmed (not in hash table) conntracks.
The main issue is that
a). unconfirmed conntracks can't safely be mangled from other cpu (we assume
exclusive access to grow/alter the extension area) and
b). nfqueued skbs leave RCU protection
This series address this by making the queue event similar to a confirm event:
Just as we do not commit 'dying' conntracks to the main table, refuse
to queue dying and unconfirmed conntracks to userspace.
Combined with a 'drop queued skbs' when a module exit path calls
the ct_iterate_destroy function this closes the hole, see patch #4 for details.
* [PATCH nf-next 1/4] netfilter: expect: add and use nf_ct_expect_iterate helpers
From: Florian Westphal @ 2017-07-24 16:57 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
We have several spots that open-code a expect walk, add a helper
that is similar to nf_ct_iterate_destroy/nf_ct_iterate_cleanup.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
include/net/netfilter/nf_conntrack_expect.h | 5 +++
net/netfilter/nf_conntrack_expect.c | 54 +++++++++++++++++++++++++
net/netfilter/nf_conntrack_helper.c | 34 +++++++---------
net/netfilter/nf_conntrack_netlink.c | 63 ++++++++++-------------------
4 files changed, 95 insertions(+), 61 deletions(-)
diff --git a/include/net/netfilter/nf_conntrack_expect.h b/include/net/netfilter/nf_conntrack_expect.h
index 2ba54feaccd8..818def011110 100644
--- a/include/net/netfilter/nf_conntrack_expect.h
+++ b/include/net/netfilter/nf_conntrack_expect.h
@@ -107,6 +107,11 @@ void nf_ct_remove_expectations(struct nf_conn *ct);
void nf_ct_unexpect_related(struct nf_conntrack_expect *exp);
bool nf_ct_remove_expect(struct nf_conntrack_expect *exp);
+void nf_ct_expect_iterate_destroy(bool (*iter)(struct nf_conntrack_expect *e, void *data), void *data);
+void nf_ct_expect_iterate_net(struct net *net,
+ bool (*iter)(struct nf_conntrack_expect *e, void *data),
+ void *data, u32 portid, int report);
+
/* Allocate space for an expectation: this is mandatory before calling
nf_ct_expect_related. You will have to call put afterwards. */
struct nf_conntrack_expect *nf_ct_expect_alloc(struct nf_conn *me);
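Review bot: The two new prototypes carry no comment on the callback contract, although the neighbouring nf_ct_expect_alloc() declaration documents its caller obligations. From the nf_conntrack_expect.c hunk the iterator is invoked with nf_conntrack_expect_lock held and BH disabled, and a true return only removes the expectation when del_timer() finds its timer still pending; the callbacks added in nf_conntrack_helper.c and nf_conntrack_netlink.c rely on that lock for their rcu_dereference_protected() and helper->name reads. I would add above the prototypes: `/* Walk all expectations (every netns, or @net only). iter runs under nf_conntrack_expect_lock with BH disabled and must not sleep; returning true removes the expectation if its timer was still pending. */`.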
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index 899c2c36da13..e65d9b27dd39 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -474,6 +474,60 @@ int nf_ct_expect_related_report(struct nf_conntrack_expect *expect,
}
EXPORT_SYMBOL_GPL(nf_ct_expect_related_report);
+void nf_ct_expect_iterate_destroy(bool (*iter)(struct nf_conntrack_expect *e, void *data),
+ void *data)
+{
+ struct nf_conntrack_expect *exp;
+ const struct hlist_node *next;
+ unsigned int i;
+
+ spin_lock_bh(&nf_conntrack_expect_lock);
+
+ for (i = 0; i < nf_ct_expect_hsize; i++) {
+ hlist_for_each_entry_safe(exp, next,
+ &nf_ct_expect_hash[i],
+ hnode) {
+ if (iter(exp, data) && del_timer(&exp->timeout)) {
+ nf_ct_unlink_expect(exp);
+ nf_ct_expect_put(exp);
+ }
+ }
+ }
+
+ spin_unlock_bh(&nf_conntrack_expect_lock);
+}
+EXPORT_SYMBOL_GPL(nf_ct_expect_iterate_destroy);
+
+void nf_ct_expect_iterate_net(struct net *net,
+ bool (*iter)(struct nf_conntrack_expect *e, void *data),
+ void *data,
+ u32 portid, int report)
+{
+ struct nf_conntrack_expect *exp;
+ const struct hlist_node *next;
+ unsigned int i;
+
+ spin_lock_bh(&nf_conntrack_expect_lock);
+
+ for (i = 0; i < nf_ct_expect_hsize; i++) {
+ hlist_for_each_entry_safe(exp, next,
+ &nf_ct_expect_hash[i],
+ hnode) {
+
+ if (!net_eq(nf_ct_exp_net(exp), net))
+ continue;
+
+ if (iter(exp, data) && del_timer(&exp->timeout)) {
+ nf_ct_unlink_expect_report(exp, portid, report);
+ nf_ct_expect_put(exp);
+ }
+ }
+ }
+
+ spin_unlock_bh(&nf_conntrack_expect_lock);
+}
+EXPORT_SYMBOL_GPL(nf_ct_expect_iterate_net);
+
#ifdef CONFIG_NF_CONNTRACK_PROCFS
struct ct_expect_iter_state {
struct seq_net_private p;
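Review bot: nf_ct_expect_iterate_destroy() and nf_ct_expect_iterate_net() are the same hash walk written twice; the only differences are the net_eq() filter and the unlink variant, and as far as I recall nf_ct_unlink_expect() is simply nf_ct_unlink_expect_report() with portid and report of 0. A single static walker taking an optional net (NULL meaning every namespace, which is what the module-unload path needs) keeps the locking and the del_timer()/put sequence in one place, so a later fix cannot land in one export and miss the other. Both exported functions then become one-line wrappers, as sketched below. The hunk's trailing context is the start of struct ct_expect_iter_state, which continues outside the hunk.
```c
/* net == NULL: walk every namespace (module unload path). */
static void __nf_ct_expect_iterate(struct net *net,
				   bool (*iter)(struct nf_conntrack_expect *e, void *data),
				   void *data, u32 portid, int report)
{
	struct nf_conntrack_expect *exp;
	const struct hlist_node *next;
	unsigned int i;

	spin_lock_bh(&nf_conntrack_expect_lock);

	for (i = 0; i < nf_ct_expect_hsize; i++) {
		hlist_for_each_entry_safe(exp, next,
					  &nf_ct_expect_hash[i],
					  hnode) {
			if (net && !net_eq(nf_ct_exp_net(exp), net))
				continue;

			if (iter(exp, data) && del_timer(&exp->timeout)) {
				nf_ct_unlink_expect_report(exp, portid, report);
				nf_ct_expect_put(exp);
			}
		}
	}

	spin_unlock_bh(&nf_conntrack_expect_lock);
}

void nf_ct_expect_iterate_destroy(bool (*iter)(struct nf_conntrack_expect *e, void *data),
				  void *data)
{
	__nf_ct_expect_iterate(NULL, iter, data, 0, 0);
}
/* … unchanged: EXPORT_SYMBOL_GPL(nf_ct_expect_iterate_destroy) … */

void nf_ct_expect_iterate_net(struct net *net,
			      bool (*iter)(struct nf_conntrack_expect *e, void *data),
			      void *data,
			      u32 portid, int report)
{
	__nf_ct_expect_iterate(net, iter, data, portid, report);
}
/* … unchanged: EXPORT_SYMBOL_GPL(nf_ct_expect_iterate_net) … */
```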
diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
index 9129bb3b5153..551a1eddf0fa 100644
--- a/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c
@@ -437,12 +437,22 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me)
}
EXPORT_SYMBOL_GPL(nf_conntrack_helper_register);
-void nf_conntrack_helper_unregister(struct nf_conntrack_helper *me)
+static bool expect_iter_me(struct nf_conntrack_expect *exp, void *data)
{
- struct nf_conntrack_expect *exp;
- const struct hlist_node *next;
- unsigned int i;
+ struct nf_conn_help *help = nfct_help(exp->master);
+ const struct nf_conntrack_helper *me = data;
+ const struct nf_conntrack_helper *this;
+
+ if (exp->helper == me)
+ return true;
+ this = rcu_dereference_protected(help->helper,
+ lockdep_is_held(&nf_conntrack_expect_lock));
+ return this == me;
+}
+
+void nf_conntrack_helper_unregister(struct nf_conntrack_helper *me)
+{
mutex_lock(&nf_ct_helper_mutex);
hlist_del_rcu(&me->hnode);
nf_ct_helper_count--;
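Review bot: expect_iter_me() uses rcu_dereference_protected() with lockdep_is_held(&nf_conntrack_expect_lock), but nothing at the function says who takes that lock; the old inline loop made it obvious, a stand-alone callback does not. A one-line comment keeps the next reader from calling it from a context that does not hold the lock: `/* Callback for nf_ct_expect_iterate_destroy(); runs under nf_conntrack_expect_lock, data is the helper being unregistered. */`. The `help` pointer from nfct_help(exp->master) is dereferenced unchecked exactly as the removed loop did, so that is not a regression of this hunk.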
@@ -453,21 +463,7 @@ void nf_conntrack_helper_unregister(struct nf_conntrack_helper *me)
*/
synchronize_rcu();
- /* Get rid of expectations */
- spin_lock_bh(&nf_conntrack_expect_lock);
- for (i = 0; i < nf_ct_expect_hsize; i++) {
- hlist_for_each_entry_safe(exp, next,
- &nf_ct_expect_hash[i], hnode) {
- struct nf_conn_help *help = nfct_help(exp->master);
- if ((rcu_dereference_protected(
- help->helper,
- lockdep_is_held(&nf_conntrack_expect_lock)
- ) == me || exp->helper == me))
- nf_ct_remove_expect(exp);
- }
- }
- spin_unlock_bh(&nf_conntrack_expect_lock);
-
+ nf_ct_expect_iterate_destroy(expect_iter_me, NULL);
nf_ct_iterate_destroy(unhelp, me);
}
EXPORT_SYMBOL_GPL(nf_conntrack_helper_unregister);
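Review bot: The new call passes NULL as the iterator's data, but expect_iter_me() in the previous hunk reads `data` as the helper to match, so inside the callback `me` is NULL: the expectations referencing the helper being unregistered are no longer matched and survive the sweep that the removed "Get rid of expectations" loop performed, while any expectation whose helper pointers happen to be NULL is removed instead. The removed loop compared against `me` directly. The call should be `nf_ct_expect_iterate_destroy(expect_iter_me, me);`, consistent with the `nf_ct_iterate_destroy(unhelp, me);` line right below it. The head of nf_conntrack_helper_unregister() is in the previous hunk.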
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 7999e70c3bfb..5eaa4730e700 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -2910,6 +2910,21 @@ static int ctnetlink_get_expect(struct net *net, struct sock *ctnl,
return err == -EAGAIN ? -ENOBUFS : err;
}
+static bool expect_iter_name(struct nf_conntrack_expect *exp, void *data)
+{
+ const struct nf_conn_help *m_help;
+ const char *name = data;
+
+ m_help = nfct_help(exp->master);
+
+ return strcmp(m_help->helper->name, name) == 0;
+}
+
+static bool expect_iter_all(struct nf_conntrack_expect *exp, void *data)
+{
+ return true;
+}
+
static int ctnetlink_del_expect(struct net *net, struct sock *ctnl,
struct sk_buff *skb, const struct nlmsghdr *nlh,
const struct nlattr * const cda[],
@@ -2918,10 +2933,8 @@ static int ctnetlink_del_expect(struct net *net, struct sock *ctnl,
struct nf_conntrack_expect *exp;
struct nf_conntrack_tuple tuple;
struct nfgenmsg *nfmsg = nlmsg_data(nlh);
- struct hlist_node *next;
u_int8_t u3 = nfmsg->nfgen_family;
struct nf_conntrack_zone zone;
- unsigned int i;
int err;
if (cda[CTA_EXPECT_TUPLE]) {
@@ -2961,49 +2974,15 @@ static int ctnetlink_del_expect(struct net *net, struct sock *ctnl,
nf_ct_expect_put(exp);
} else if (cda[CTA_EXPECT_HELP_NAME]) {
char *name = nla_data(cda[CTA_EXPECT_HELP_NAME]);
- struct nf_conn_help *m_help;
- /* delete all expectations for this helper */
- spin_lock_bh(&nf_conntrack_expect_lock);
- for (i = 0; i < nf_ct_expect_hsize; i++) {
- hlist_for_each_entry_safe(exp, next,
- &nf_ct_expect_hash[i],
- hnode) {
-
- if (!net_eq(nf_ct_exp_net(exp), net))
- continue;
-
- m_help = nfct_help(exp->master);
- if (!strcmp(m_help->helper->name, name) &&
- del_timer(&exp->timeout)) {
- nf_ct_unlink_expect_report(exp,
- NETLINK_CB(skb).portid,
- nlmsg_report(nlh));
- nf_ct_expect_put(exp);
- }
- }
- }
- spin_unlock_bh(&nf_conntrack_expect_lock);
+ nf_ct_expect_iterate_net(net, expect_iter_name, name,
+ NETLINK_CB(skb).portid,
+ nlmsg_report(nlh));
} else {
/* This basically means we have to flush everything*/
- spin_lock_bh(&nf_conntrack_expect_lock);
- for (i = 0; i < nf_ct_expect_hsize; i++) {
- hlist_for_each_entry_safe(exp, next,
- &nf_ct_expect_hash[i],
- hnode) {
-
- if (!net_eq(nf_ct_exp_net(exp), net))
- continue;
-
- if (del_timer(&exp->timeout)) {
- nf_ct_unlink_expect_report(exp,
- NETLINK_CB(skb).portid,
- nlmsg_report(nlh));
- nf_ct_expect_put(exp);
- }
- }
- }
- spin_unlock_bh(&nf_conntrack_expect_lock);
+ nf_ct_expect_iterate_net(net, expect_iter_all, NULL,
+ NETLINK_CB(skb).portid,
+ nlmsg_report(nlh));
}
return 0;
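Review bot: The `/* delete all expectations for this helper */` comment disappears together with the loop, so the CTA_EXPECT_HELP_NAME branch is now documented only by the callback's name while the else branch keeps its "flush everything" comment. Keep it above the first nf_ct_expect_iterate_net() call: `/* delete all expectations for this helper */`. The `name` handed to expect_iter_name() is the raw attribute payload compared with strcmp(), as before; that presumably relies on the attribute policy guaranteeing NUL termination, which is outside this hunk. ctnetlink_del_expect() ends after the hunk.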
--
2.13.0
* [PATCH nf-next 2/4] netfilter: add and use nf_ct_unconfirmed_destroy
From: Florian Westphal @ 2017-07-24 16:57 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
This also removes the __nf_ct_unconfirmed_destroy() call from
nf_ct_iterate_cleanup_net, so that function may only be used where
skipping conntracks on the unconfirmed list is not a problem.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
include/net/netfilter/nf_conntrack.h | 3 +++
net/netfilter/nf_conntrack_core.c | 15 +++++++++++----
net/netfilter/nfnetlink_cttimeout.c | 1 +
3 files changed, 15 insertions(+), 4 deletions(-)
diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h
index 48407569585d..6e6f678aaac7 100644
--- a/include/net/netfilter/nf_conntrack.h
+++ b/include/net/netfilter/nf_conntrack.h
@@ -224,6 +224,9 @@ extern s32 (*nf_ct_nat_offset)(const struct nf_conn *ct,
enum ip_conntrack_dir dir,
u32 seq);
+/* Set all unconfirmed conntrack as dying */
+void nf_ct_unconfirmed_destroy(struct net *);
+
/* Iterate over all conntracks: if iter returns true, it's deleted. */
void nf_ct_iterate_cleanup_net(struct net *net,
int (*iter)(struct nf_conn *i, void *data),
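Review bot: The comment on nf_ct_iterate_cleanup_net() becomes stale with this series: it still promises "Iterate over all conntracks", yet the nf_conntrack_core.c hunk removes the walk over the unconfirmed list. It should say which conntracks are covered and what a caller needing the old behaviour must do, e.g. `/* Iterate over all hashed conntracks: if iter returns true, it's deleted. Unconfirmed conntracks are not visited; call nf_ct_unconfirmed_destroy() first if they matter. */`. The new nf_ct_unconfirmed_destroy() comment should also say that it sleeps, since the implementation has might_sleep() and synchronize_net(): `/* Set all unconfirmed conntracks as dying; may sleep (synchronize_net). */`. The nf_ct_iterate_cleanup_net prototype continues past the hunk.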
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 9979f46c81dc..c8b87eaa17a2 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1689,6 +1689,17 @@ __nf_ct_unconfirmed_destroy(struct net *net)
}
}
+void nf_ct_unconfirmed_destroy(struct net *net)
+{
+ might_sleep();
+
+ if (atomic_read(&net->ct.count) > 0) {
+ __nf_ct_unconfirmed_destroy(net);
+ synchronize_net();
+ }
+}
+EXPORT_SYMBOL_GPL(nf_ct_unconfirmed_destroy);
+
void nf_ct_iterate_cleanup_net(struct net *net,
int (*iter)(struct nf_conn *i, void *data),
void *data, u32 portid, int report)
@@ -1700,14 +1711,10 @@ void nf_ct_iterate_cleanup_net(struct net *net,
if (atomic_read(&net->ct.count) == 0)
return;
- __nf_ct_unconfirmed_destroy(net);
-
d.iter = iter;
d.data = data;
d.net = net;
- synchronize_net();
-
nf_ct_iterate_cleanup(iter_net_only, &d, portid, report);
}
EXPORT_SYMBOL_GPL(nf_ct_iterate_cleanup_net);
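Review bot: Dropping __nf_ct_unconfirmed_destroy() and synchronize_net() changes the contract for every existing caller of nf_ct_iterate_cleanup_net(), not only for cttimeout_net_exit() which the series updates; any other caller that relied on unconfirmed conntracks being marked dying, or on the grace period before the hash walk, now silently keeps them alive. Those callers are not in this patch, so I cannot tell whether one depends on it; the commit message should list the callers audited, or the series should add nf_ct_unconfirmed_destroy() in front of each one that needs it. The function's signature lies before the hunk.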
diff --git a/net/netfilter/nfnetlink_cttimeout.c b/net/netfilter/nfnetlink_cttimeout.c
index 400e9ae97153..83c8da48df59 100644
--- a/net/netfilter/nfnetlink_cttimeout.c
+++ b/net/netfilter/nfnetlink_cttimeout.c
@@ -572,6 +572,7 @@ static void __net_exit cttimeout_net_exit(struct net *net)
{
struct ctnl_timeout *cur, *tmp;
+ nf_ct_unconfirmed_destroy(net);
ctnl_untimeout(net, NULL);
list_for_each_entry_safe(cur, tmp, &net->nfct_timeout_list, head) {
--
2.13.0
* [PATCH nf-next 3/4] netfilter: conntrack: destroy functions need to free queued packets
From: Florian Westphal @ 2017-07-24 16:57 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
queued skbs might be using conntrack extensions that are being removed,
such as timeout. This happens for skbs that have a skb->nfct in
unconfirmed state (i.e., not in hash table yet).
This is destructive, but there are only two use cases:
- module removal (rare)
- netns cleanup (most likely no conntracks exist, and if they do,
they are removed anyway later on).
Signed-off-by: Florian Westphal <fw@strlen.de>
---
net/netfilter/nf_conntrack_core.c | 4 ++++
net/netfilter/nf_queue.c | 1 +
2 files changed, 5 insertions(+)
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index c8b87eaa17a2..258077980a93 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -56,6 +56,8 @@
#include <net/netfilter/nf_nat_helper.h>
#include <net/netns/hash.h>
+#include "nf_internals.h"
+
#define NF_CONNTRACK_VERSION "0.5.0"
int (*nfnetlink_parse_nat_setup_hook)(struct nf_conn *ct,
@@ -1695,6 +1697,7 @@ void nf_ct_unconfirmed_destroy(struct net *net)
if (atomic_read(&net->ct.count) > 0) {
__nf_ct_unconfirmed_destroy(net);
+ nf_queue_nf_hook_drop(net);
synchronize_net();
}
}
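Review bot: The order of the two calls is load-bearing and undocumented: __nf_ct_unconfirmed_destroy() sets IPS_DYING before nf_queue_nf_hook_drop() drains the queues, and patch 4 checks that bit under the queue lock, so as far as I can tell an enqueue that slips past the drain still observes the bit, whereas swapping the lines or moving the drop after synchronize_net() would reopen the window. The same sequence appears in nf_ct_iterate_destroy() in the next hunk. I would comment it once here: `/* Mark unconfirmed entries dying before draining nfqueue: the enqueue path checks IPS_DYING under the queue lock, so anything queued after the drain is rejected. */`. nf_ct_unconfirmed_destroy() begins before this hunk.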
@@ -1740,6 +1743,7 @@ nf_ct_iterate_destroy(int (*iter)(struct nf_conn *i, void *data), void *data)
if (atomic_read(&net->ct.count) == 0)
continue;
__nf_ct_unconfirmed_destroy(net);
+ nf_queue_nf_hook_drop(net);
}
rtnl_unlock();
diff --git a/net/netfilter/nf_queue.c b/net/netfilter/nf_queue.c
index 043850c9d154..4f4d80a58fb5 100644
--- a/net/netfilter/nf_queue.c
+++ b/net/netfilter/nf_queue.c
@@ -109,6 +109,7 @@ unsigned int nf_queue_nf_hook_drop(struct net *net)
return count;
}
+EXPORT_SYMBOL_GPL(nf_queue_nf_hook_drop);
static int __nf_queue(struct sk_buff *skb, const struct nf_hook_state *state,
struct nf_hook_entry *hook_entry, unsigned int queuenum)
--
2.13.0
* [PATCH nf-next 4/4] netfilter: nfnetlink_queue: don't queue dying conntracks to userspace
From: Florian Westphal @ 2017-07-24 16:57 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
When skb is queued to userspace it leaves softirq/rcu protection.
skb->nfct (via conntrack extensions such as helper) could then reference
modules that no longer exist if the conntrack was not yet confirmed.
nf_ct_iterate_destroy() will set the DYING bit for unconfirmed
conntracks, we therefore solve this race as follows:
1. take the queue spinlock.
2. check if the conntrack is unconfirmed and has dying bit set.
In this case, we must discard skb while we're still inside
rcu read-side section.
3. If nf_ct_iterate_destroy() is called right after the packet is queued
to userspace, it will be removed from the queue via
nf_ct_iterate_destroy -> nf_queue_nf_hook_drop.
When userspace sends the verdict (nfnetlink takes rcu read lock), there
are two cases to consider:
1. nf_ct_iterate_destroy() was called while packet was out.
In this case, skb will have been removed from the queue already
and no reinject takes place as we won't find a matching entry for the
packet id.
2. nf_ct_iterate_destroy() gets called right after verdict callback
found and removed the skb from queue list.
In this case, skb->nfct is marked as dying but it is still valid.
The skb will be dropped either in nf_conntrack_confirm (we don't
insert DYING conntracks into hash table) or when we try to queue
the skb again, but either events don't occur before the rcu read lock
is dropped.
Signed-off-by: Florian Westphal <fw@strlen.de>
---
net/netfilter/nfnetlink_queue.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
index 16fa04086880..91e2500ab4e7 100644
--- a/net/netfilter/nfnetlink_queue.c
+++ b/net/netfilter/nfnetlink_queue.c
@@ -28,11 +28,11 @@
#include <linux/netfilter_bridge.h>
#include <linux/netfilter/nfnetlink.h>
#include <linux/netfilter/nfnetlink_queue.h>
-#include <linux/netfilter/nf_conntrack_common.h>
#include <linux/list.h>
#include <net/sock.h>
#include <net/tcp_states.h>
#include <net/netfilter/nf_queue.h>
+#include <net/netfilter/nf_conntrack.h>
#include <net/netns/generic.h>
#include <linux/atomic.h>
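Review bot: Including <net/netfilter/nf_conntrack.h> unconditionally makes the whole file depend on CONFIG_NF_CONNTRACK, while the new nf_ct_drop_unconfirmed() below is careful to compile its body only under IS_ENABLED(CONFIG_NF_CONNTRACK); the include should be guarded the same way. The <linux/netfilter/nf_conntrack_common.h> line should also stay unless it is known to be unused elsewhere in the file, which I cannot see from this hunk. Replace the new include with `#if IS_ENABLED(CONFIG_NF_CONNTRACK)` / `#include <net/netfilter/nf_conntrack.h>` / `#endif`.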
@@ -612,6 +612,18 @@ nfqnl_build_packet_message(struct net *net, struct nfqnl_instance *queue,
return NULL;
}
+static bool nf_ct_drop_unconfirmed(const struct nf_queue_entry *entry)
+{
+#if IS_ENABLED(CONFIG_NF_CONNTRACK)
+ static const unsigned long flags = IPS_CONFIRMED | IPS_DYING;
+ const struct nf_conn *ct = (void *)skb_nfct(entry->skb);
+
+ if (ct && ((ct->status & flags) == IPS_DYING))
+ return true;
+#endif
+ return false;
+}
+
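Review bot: nf_ct_drop_unconfirmed() reaches the nf_conn through a `(void *)` cast of skb_nfct(), which is only valid because struct nf_conn places ct_general first; nf_ct_get() already performs that conversion and states the intent: `enum ip_conntrack_info ctinfo;` / `const struct nf_conn *ct = nf_ct_get(entry->skb, &ctinfo);`. If the cast stays, a comment naming the first-member dependency is the minimum. Style nit: the function is file-local to nfnetlink_queue.c, so an nfqnl_ prefix would keep it from reading like a conntrack-core export.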
static int
__nfqnl_enqueue_packet(struct net *net, struct nfqnl_instance *queue,
struct nf_queue_entry *entry)
@@ -628,6 +640,9 @@ __nfqnl_enqueue_packet(struct net *net, struct nfqnl_instance *queue,
}
spin_lock_bh(&queue->lock);
+ if (nf_ct_drop_unconfirmed(entry))
+ goto err_out_free_nskb;
+
if (queue->queue_total >= queue->queue_maxlen) {
if (queue->flags & NFQA_CFG_F_FAIL_OPEN) {
failopen = 1;
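Review bot: The new early exit drops the packet silently: no counter is bumped, and the error value that reaches the caller is whatever `err` held before the hunk (the function's start is outside it), so in the /proc statistics a dying-conntrack drop is indistinguishable from a queue-full drop. A comment stating why the check sits under queue->lock, plus accounting for the drop, would help whoever later debugs missing packets: `/* Under queue->lock so a drop racing nf_queue_nf_hook_drop() still sees IPS_DYING; counted as dropped. */` followed by `queue->queue_dropped++;` before the goto. Whether queue_dropped or a dedicated counter is preferable is a judgement call for the maintainers.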
--
2.13.0
* Re: [PATCH nf-next 4/4] netfilter: nfnetlink_queue: don't queue dying conntracks to userspace
From: kbuild test robot @ 2017-07-25 19:19 UTC (permalink / raw)
To: Florian Westphal; +Cc: kbuild-all, netfilter-devel, Florian Westphal
Hi Florian,
[auto build test ERROR on nf-next/master]
url: https://github.com/0day-ci/linux/commits/Florian-Westphal/netfilter-handle-race-w-module-removal-and-nfqueue/20170726-024704
base: https://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git master
config: x86_64-randconfig-x002-201730 (attached as .config)
compiler: gcc-6 (Debian 6.2.0-3) 6.2.0 20160901
reproduce:
# save the attached .config to linux build tree
make ARCH=x86_64
All errors (new ones prefixed by >>):
In file included from net/netfilter/nfnetlink_queue.c:35:0:
include/net/netfilter/nf_conntrack.h:65:22: error: field 'ct_general' has incomplete type
struct nf_conntrack ct_general;
^~~~~~~~~~
include/net/netfilter/nf_conntrack.h: In function 'nf_ct_get':
>> include/net/netfilter/nf_conntrack.h:154:15: error: 'const struct sk_buff' has no member named '_nfct'
*ctinfo = skb->_nfct & NFCT_INFOMASK;
^~
include/net/netfilter/nf_conntrack.h:156:31: error: 'const struct sk_buff' has no member named '_nfct'
return (struct nf_conn *)(skb->_nfct & NFCT_PTRMASK);
^~
include/net/netfilter/nf_conntrack.h: In function 'nf_ct_put':
include/net/netfilter/nf_conntrack.h:163:2: error: implicit declaration of function 'nf_conntrack_put' [-Werror=implicit-function-declaration]
nf_conntrack_put(&ct->ct_general);
^~~~~~~~~~~~~~~~
include/net/netfilter/nf_conntrack.h: In function 'nf_ct_set':
>> include/net/netfilter/nf_conntrack.h:327:5: error: 'struct sk_buff' has no member named '_nfct'
skb->_nfct = (unsigned long)ct | info;
^~
In file included from include/uapi/linux/stddef.h:1:0,
from include/linux/stddef.h:4,
from include/uapi/linux/posix_types.h:4,
from include/uapi/linux/types.h:13,
from include/linux/types.h:5,
from include/linux/list.h:4,
from include/linux/module.h:9,
from net/netfilter/nfnetlink_queue.c:17:
net/netfilter/nfnetlink_queue.c: At top level:
include/linux/compiler.h:162:4: warning: '______f' is static but declared in inline function 'strcpy' which is not static
______f = { \
^
include/linux/compiler.h:154:23: note: in expansion of macro '__trace_if'
#define if(cond, ...) __trace_if( (cond , ## __VA_ARGS__) )
^~~~~~~~~~
include/linux/string.h:390:2: note: in expansion of macro 'if'
if (p_size == (size_t)-1 && q_size == (size_t)-1)
^~
include/linux/compiler.h:162:4: warning: '______f' is static but declared in inline function 'kmemdup' which is not static
______f = { \
^
include/linux/compiler.h:154:23: note: in expansion of macro '__trace_if'
#define if(cond, ...) __trace_if( (cond , ## __VA_ARGS__) )
^~~~~~~~~~
include/linux/string.h:380:2: note: in expansion of macro 'if'
if (p_size < size)
^~
include/linux/compiler.h:162:4: warning: '______f' is static but declared in inline function 'kmemdup' which is not static
______f = { \
^
include/linux/compiler.h:154:23: note: in expansion of macro '__trace_if'
#define if(cond, ...) __trace_if( (cond , ## __VA_ARGS__) )
^~~~~~~~~~
include/linux/string.h:378:2: note: in expansion of macro 'if'
if (__builtin_constant_p(size) && p_size < size)
^~
include/linux/compiler.h:162:4: warning: '______f' is static but declared in inline function 'memchr_inv' which is not static
______f = { \
^
include/linux/compiler.h:154:23: note: in expansion of macro '__trace_if'
#define if(cond, ...) __trace_if( (cond , ## __VA_ARGS__) )
^~~~~~~~~~
include/linux/string.h:369:2: note: in expansion of macro 'if'
if (p_size < size)
^~
include/linux/compiler.h:162:4: warning: '______f' is static but declared in inline function 'memchr_inv' which is not static
______f = { \
^
include/linux/compiler.h:154:23: note: in expansion of macro '__trace_if'
#define if(cond, ...) __trace_if( (cond , ## __VA_ARGS__) )
^~~~~~~~~~
include/linux/string.h:367:2: note: in expansion of macro 'if'
if (__builtin_constant_p(size) && p_size < size)
^~
include/linux/compiler.h:162:4: warning: '______f' is static but declared in inline function 'memchr' which is not static
______f = { \
^
include/linux/compiler.h:154:23: note: in expansion of macro '__trace_if'
#define if(cond, ...) __trace_if( (cond , ## __VA_ARGS__) )
^~~~~~~~~~
include/linux/string.h:358:2: note: in expansion of macro 'if'
if (p_size < size)
^~
include/linux/compiler.h:162:4: warning: '______f' is static but declared in inline function 'memchr' which is not static
______f = { \
^
include/linux/compiler.h:154:23: note: in expansion of macro '__trace_if'
#define if(cond, ...) __trace_if( (cond , ## __VA_ARGS__) )
^~~~~~~~~~
include/linux/string.h:356:2: note: in expansion of macro 'if'
if (__builtin_constant_p(size) && p_size < size)
^~
include/linux/compiler.h:162:4: warning: '______f' is static but declared in inline function 'memcmp' which is not static
______f = { \
^
include/linux/compiler.h:154:23: note: in expansion of macro '__trace_if'
#define if(cond, ...) __trace_if( (cond , ## __VA_ARGS__) )
^~~~~~~~~~
include/linux/string.h:348:2: note: in expansion of macro 'if'
if (p_size < size || q_size < size)
^~
include/linux/compiler.h:162:4: warning: '______f' is static but declared in inline function 'memcmp' which is not static
______f = { \
^
include/linux/compiler.h:154:23: note: in expansion of macro '__trace_if'
#define if(cond, ...) __trace_if( (cond , ## __VA_ARGS__) )
^~~~~~~~~~
include/linux/string.h:345:3: note: in expansion of macro 'if'
if (q_size < size)
^~
include/linux/compiler.h:162:4: warning: '______f' is static but declared in inline function 'memcmp' which is not static
______f = { \
^
include/linux/compiler.h:154:23: note: in expansion of macro '__trace_if'
#define if(cond, ...) __trace_if( (cond , ## __VA_ARGS__) )
^~~~~~~~~~
include/linux/string.h:343:3: note: in expansion of macro 'if'
if (p_size < size)
--
In file included from net//netfilter/nfnetlink_queue.c:35:0:
include/net/netfilter/nf_conntrack.h:65:22: error: field 'ct_general' has incomplete type
struct nf_conntrack ct_general;
^~~~~~~~~~
include/net/netfilter/nf_conntrack.h: In function 'nf_ct_get':
>> include/net/netfilter/nf_conntrack.h:154:15: error: 'const struct sk_buff' has no member named '_nfct'
*ctinfo = skb->_nfct & NFCT_INFOMASK;
^~
include/net/netfilter/nf_conntrack.h:156:31: error: 'const struct sk_buff' has no member named '_nfct'
return (struct nf_conn *)(skb->_nfct & NFCT_PTRMASK);
^~
include/net/netfilter/nf_conntrack.h: In function 'nf_ct_put':
include/net/netfilter/nf_conntrack.h:163:2: error: implicit declaration of function 'nf_conntrack_put' [-Werror=implicit-function-declaration]
nf_conntrack_put(&ct->ct_general);
^~~~~~~~~~~~~~~~
include/net/netfilter/nf_conntrack.h: In function 'nf_ct_set':
>> include/net/netfilter/nf_conntrack.h:327:5: error: 'struct sk_buff' has no member named '_nfct'
skb->_nfct = (unsigned long)ct | info;
^~
In file included from include/uapi/linux/stddef.h:1:0,
from include/linux/stddef.h:4,
from include/uapi/linux/posix_types.h:4,
from include/uapi/linux/types.h:13,
from include/linux/types.h:5,
from include/linux/list.h:4,
from include/linux/module.h:9,
from net//netfilter/nfnetlink_queue.c:17:
net//netfilter/nfnetlink_queue.c: At top level:
include/linux/compiler.h:162:4: warning: '______f' is static but declared in inline function 'strcpy' which is not static
______f = { \
^
include/linux/compiler.h:154:23: note: in expansion of macro '__trace_if'
#define if(cond, ...) __trace_if( (cond , ## __VA_ARGS__) )
^~~~~~~~~~
include/linux/string.h:390:2: note: in expansion of macro 'if'
if (p_size == (size_t)-1 && q_size == (size_t)-1)
^~
include/linux/compiler.h:162:4: warning: '______f' is static but declared in inline function 'kmemdup' which is not static
______f = { \
^
include/linux/compiler.h:154:23: note: in expansion of macro '__trace_if'
#define if(cond, ...) __trace_if( (cond , ## __VA_ARGS__) )
^~~~~~~~~~
include/linux/string.h:380:2: note: in expansion of macro 'if'
if (p_size < size)
^~
include/linux/compiler.h:162:4: warning: '______f' is static but declared in inline function 'kmemdup' which is not static
______f = { \
^
include/linux/compiler.h:154:23: note: in expansion of macro '__trace_if'
#define if(cond, ...) __trace_if( (cond , ## __VA_ARGS__) )
^~~~~~~~~~
include/linux/string.h:378:2: note: in expansion of macro 'if'
if (__builtin_constant_p(size) && p_size < size)
^~
include/linux/compiler.h:162:4: warning: '______f' is static but declared in inline function 'memchr_inv' which is not static
______f = { \
^
include/linux/compiler.h:154:23: note: in expansion of macro '__trace_if'
#define if(cond, ...) __trace_if( (cond , ## __VA_ARGS__) )
^~~~~~~~~~
include/linux/string.h:369:2: note: in expansion of macro 'if'
if (p_size < size)
^~
include/linux/compiler.h:162:4: warning: '______f' is static but declared in inline function 'memchr_inv' which is not static
______f = { \
^
include/linux/compiler.h:154:23: note: in expansion of macro '__trace_if'
#define if(cond, ...) __trace_if( (cond , ## __VA_ARGS__) )
^~~~~~~~~~
include/linux/string.h:367:2: note: in expansion of macro 'if'
if (__builtin_constant_p(size) && p_size < size)
^~
include/linux/compiler.h:162:4: warning: '______f' is static but declared in inline function 'memchr' which is not static
______f = { \
^
include/linux/compiler.h:154:23: note: in expansion of macro '__trace_if'
#define if(cond, ...) __trace_if( (cond , ## __VA_ARGS__) )
^~~~~~~~~~
include/linux/string.h:358:2: note: in expansion of macro 'if'
if (p_size < size)
^~
include/linux/compiler.h:162:4: warning: '______f' is static but declared in inline function 'memchr' which is not static
______f = { \
^
include/linux/compiler.h:154:23: note: in expansion of macro '__trace_if'
#define if(cond, ...) __trace_if( (cond , ## __VA_ARGS__) )
^~~~~~~~~~
include/linux/string.h:356:2: note: in expansion of macro 'if'
if (__builtin_constant_p(size) && p_size < size)
^~
include/linux/compiler.h:162:4: warning: '______f' is static but declared in inline function 'memcmp' which is not static
______f = { \
^
include/linux/compiler.h:154:23: note: in expansion of macro '__trace_if'
#define if(cond, ...) __trace_if( (cond , ## __VA_ARGS__) )
^~~~~~~~~~
include/linux/string.h:348:2: note: in expansion of macro 'if'
if (p_size < size || q_size < size)
^~
include/linux/compiler.h:162:4: warning: '______f' is static but declared in inline function 'memcmp' which is not static
______f = { \
^
include/linux/compiler.h:154:23: note: in expansion of macro '__trace_if'
#define if(cond, ...) __trace_if( (cond , ## __VA_ARGS__) )
^~~~~~~~~~
include/linux/string.h:345:3: note: in expansion of macro 'if'
if (q_size < size)
^~
include/linux/compiler.h:162:4: warning: '______f' is static but declared in inline function 'memcmp' which is not static
______f = { \
^
include/linux/compiler.h:154:23: note: in expansion of macro '__trace_if'
#define if(cond, ...) __trace_if( (cond , ## __VA_ARGS__) )
^~~~~~~~~~
include/linux/string.h:343:3: note: in expansion of macro 'if'
if (p_size < size)
vim +154 include/net/netfilter/nf_conntrack.h
f8eb24a89a Patrick McHardy 2006-11-29 55
/* One tracked connection.  skb->_nfct points here (with the ctinfo packed
 * into the low bits, see nf_ct_get()/nf_ct_set() below). */
struct nf_conn {
	/* Usage count in here is 1 for hash table, 1 per skb,
	 * plus 1 for any connection(s) we are `master' for
	 *
	 * Hint, SKB address this struct and refcnt via skb->_nfct and
	 * helpers nf_conntrack_get() and nf_conntrack_put().
	 * Helper nf_ct_put() equals nf_conntrack_put() by dec refcnt,
	 * beware nf_ct_get() is different and don't inc refcnt.
	 */
	struct nf_conntrack ct_general;

	spinlock_t lock;
	u16 cpu;

#ifdef CONFIG_NF_CONNTRACK_ZONES
	struct nf_conntrack_zone zone;
#endif
	/* XXX should I move this to the tail ? - Y.K */
	/* These are my tuples; original and reply.
	 * nf_ct_tuplehash_to_ctrack() maps an entry back to this struct. */
	struct nf_conntrack_tuple_hash tuplehash[IP_CT_DIR_MAX];

	/* Have we seen traffic both ways yet? (bitset)
	 * IPS_* bits; nf_ct_is_confirmed()/nf_ct_is_dying()/nf_ct_is_template()
	 * below test individual bits here. */
	unsigned long status;

	/* jiffies32 when this ct is considered dead;
	 * compared against nfct_time_stamp in nf_ct_expires()/nf_ct_is_expired() */
	u32 timeout;

	possible_net_t ct_net;

#if IS_ENABLED(CONFIG_NF_NAT)
	struct rhlist_head nat_bysource;
#endif
	/* all members below initialized via memset; this zero-length
	 * array only marks the offset where that memset starts */
	u8 __nfct_init_offset[0];

	/* If we were expected by an expectation, this will be it
	 * (NULL otherwise; master_ct() reads it) */
	struct nf_conn *master;

#if defined(CONFIG_NF_CONNTRACK_MARK)
	u_int32_t mark;
#endif

#ifdef CONFIG_NF_CONNTRACK_SECMARK
	u_int32_t secmark;
#endif

	/* Extensions */
	struct nf_ct_ext *ext;

	/* Storage reserved for other modules, must be the last member */
	union nf_conntrack_proto proto;
};
9fb9cbb108 Yasuyuki Kozakai 2005-11-09 108
/* Map a tuple hash entry back to the struct nf_conn embedding it.
 * hash->tuple.dst.dir says which tuplehash[] slot the entry occupies. */
static inline struct nf_conn *
nf_ct_tuplehash_to_ctrack(const struct nf_conntrack_tuple_hash *hash)
{
	unsigned int dir = hash->tuple.dst.dir;

	return container_of(hash, struct nf_conn, tuplehash[dir]);
}
9fb9cbb108 Yasuyuki Kozakai 2005-11-09 115
/* Layer-3 protocol number of the connection, read from the original-direction tuple. */
static inline u_int16_t nf_ct_l3num(const struct nf_conn *ct)
{
	const struct nf_conntrack_tuple *orig = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;

	return orig->src.l3num;
}
5e8fbe2ac8 Patrick McHardy 2008-04-14 120
/* Layer-4 protocol number of the connection, read from the original-direction tuple. */
static inline u_int8_t nf_ct_protonum(const struct nf_conn *ct)
{
	const struct nf_conntrack_tuple *orig = &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple;

	return orig->dst.protonum;
}
5e8fbe2ac8 Patrick McHardy 2008-04-14 125
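/* Address of the tuple for direction @dir of conntrack @ct. */
#define nf_ct_tuple(ct, dir) (&(ct)->tuplehash[(dir)].tuple)

/* get master conntrack via master expectation (may be NULL, see
 * struct nf_conn ->master).  The argument is parenthesized so that
 * expressions such as master_ct(&entry) or master_ct(cond ? a : b)
 * expand correctly instead of silently mis-binding. */
#define master_ct(conntr) ((conntr)->master)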
9fb9cbb108 Yasuyuki Kozakai 2005-11-09 130
5a1fb391d8 Alexey Dobriyan 2008-10-08 131 extern struct net init_net;
5a1fb391d8 Alexey Dobriyan 2008-10-08 132
/* Network namespace this conntrack belongs to (decoded from ct->ct_net). */
static inline struct net *nf_ct_net(const struct nf_conn *ct)
{
	const possible_net_t *pnet = &ct->ct_net;

	return read_pnet(pnet);
}
5a1fb391d8 Alexey Dobriyan 2008-10-08 137
/* Alter reply tuple (maybe alter helper). */
void nf_conntrack_alter_reply(struct nf_conn *ct,
			      const struct nf_conntrack_tuple *newreply);

/* Is this tuple taken? (ignoring any belonging to the given
   conntrack). */
int nf_conntrack_tuple_taken(const struct nf_conntrack_tuple *tuple,
			     const struct nf_conn *ignored_conntrack);

/* skb->_nfct packs the struct nf_conn pointer and the ctinfo into one
 * word: the low 3 bits carry the enum ip_conntrack_info value, the
 * remaining bits the pointer.  This relies on struct nf_conn pointers
 * having their low 3 bits clear; nf_ct_set() combines the two and
 * nf_ct_get() splits them again. */
#define NFCT_INFOMASK 7UL
#define NFCT_PTRMASK ~(NFCT_INFOMASK)
3032230920 Florian Westphal 2017-01-23 149
/* Return conntrack_info and tuple hash for given skb.
 *
 * Unpacks skb->_nfct: the low NFCT_INFOMASK bits are stored to *ctinfo,
 * the remaining bits are the struct nf_conn pointer.  When the skb has
 * no conntrack attached (skb->_nfct == 0) this yields NULL and ctinfo 0.
 * Does not take a reference on the returned conntrack. */
static inline struct nf_conn *
nf_ct_get(const struct sk_buff *skb, enum ip_conntrack_info *ctinfo)
{
	unsigned long nfct = skb->_nfct;

	*ctinfo = nfct & NFCT_INFOMASK;
	return (struct nf_conn *)(nfct & NFCT_PTRMASK);
}
9fb9cbb108 Yasuyuki Kozakai 2005-11-09 158
/* decrement reference count on a conntrack: thin wrapper around
 * nf_conntrack_put() on the embedded ct_general.  NF_CT_ASSERT(ct)
 * documents that ct must be non-NULL (whether that is enforced at
 * runtime depends on NF_CT_ASSERT's definition, not shown here). */
static inline void nf_ct_put(struct nf_conn *ct)
{
	struct nf_conntrack *ref;

	NF_CT_ASSERT(ct);
	ref = &ct->ct_general;
	nf_conntrack_put(ref);
}
9fb9cbb108 Yasuyuki Kozakai 2005-11-09 165
b9f78f9fca Pablo Neira Ayuso 2006-03-22 166 /* Protocol module loading */
4e77be4637 Joe Perches 2013-09-23 167 int nf_ct_l3proto_try_module_get(unsigned short l3proto);
4e77be4637 Joe Perches 2013-09-23 168 void nf_ct_l3proto_module_put(unsigned short l3proto);
b9f78f9fca Pablo Neira Ayuso 2006-03-22 169
ecb2421b5d Florian Westphal 2016-11-15 170 /* load module; enable/disable conntrack in this namespace */
ecb2421b5d Florian Westphal 2016-11-15 171 int nf_ct_netns_get(struct net *net, u8 nfproto);
ecb2421b5d Florian Westphal 2016-11-15 172 void nf_ct_netns_put(struct net *net, u8 nfproto);
ecb2421b5d Florian Westphal 2016-11-15 173
ea781f197d Eric Dumazet 2009-03-25 174 /*
ea781f197d Eric Dumazet 2009-03-25 175 * Allocate a hashtable of hlist_head (if nulls == 0),
ea781f197d Eric Dumazet 2009-03-25 176 * or hlist_nulls_head (if nulls == 1)
ea781f197d Eric Dumazet 2009-03-25 177 */
4e77be4637 Joe Perches 2013-09-23 178 void *nf_ct_alloc_hashtable(unsigned int *sizep, int nulls);
ea781f197d Eric Dumazet 2009-03-25 179
4e77be4637 Joe Perches 2013-09-23 180 void nf_ct_free_hashtable(void *hash, unsigned int size);
ac565e5fc1 Patrick McHardy 2007-07-07 181
4e77be4637 Joe Perches 2013-09-23 182 int nf_conntrack_hash_check_insert(struct nf_conn *ct);
02982c27ba Florian Westphal 2013-07-29 183 bool nf_ct_delete(struct nf_conn *ct, u32 pid, int report);
c1d10adb4a Pablo Neira Ayuso 2006-01-05 184
4e77be4637 Joe Perches 2013-09-23 185 bool nf_ct_get_tuplepr(const struct sk_buff *skb, unsigned int nhoff,
a31f1adc09 Eric W. Biederman 2015-09-18 186 u_int16_t l3num, struct net *net,
a31f1adc09 Eric W. Biederman 2015-09-18 187 struct nf_conntrack_tuple *tuple);
4e77be4637 Joe Perches 2013-09-23 188 bool nf_ct_invert_tuplepr(struct nf_conntrack_tuple *inverse,
9fb9cbb108 Yasuyuki Kozakai 2005-11-09 189 const struct nf_conntrack_tuple *orig);
9fb9cbb108 Yasuyuki Kozakai 2005-11-09 190
4e77be4637 Joe Perches 2013-09-23 191 void __nf_ct_refresh_acct(struct nf_conn *ct, enum ip_conntrack_info ctinfo,
9fb9cbb108 Yasuyuki Kozakai 2005-11-09 192 const struct sk_buff *skb,
4e77be4637 Joe Perches 2013-09-23 193 unsigned long extra_jiffies, int do_acct);
9fb9cbb108 Yasuyuki Kozakai 2005-11-09 194
/* Refresh conntrack for this many jiffies and do accounting
 * (forwards to __nf_ct_refresh_acct() with do_acct = 1). */
static inline void nf_ct_refresh_acct(struct nf_conn *ct,
				      enum ip_conntrack_info ctinfo,
				      const struct sk_buff *skb,
				      unsigned long extra_jiffies)
{
	const int do_acct = 1;

	__nf_ct_refresh_acct(ct, ctinfo, skb, extra_jiffies, do_acct);
}
9fb9cbb108 Yasuyuki Kozakai 2005-11-09 203
/* Refresh conntrack for this many jiffies, no accounting
 * (forwards to __nf_ct_refresh_acct() with ctinfo 0 and do_acct = 0). */
static inline void nf_ct_refresh(struct nf_conn *ct,
				 const struct sk_buff *skb,
				 unsigned long extra_jiffies)
{
	const int do_acct = 0;

	__nf_ct_refresh_acct(ct, 0, skb, extra_jiffies, do_acct);
}
9fb9cbb108 Yasuyuki Kozakai 2005-11-09 211
718d4ad98e Fabian Hugelshofer 2008-06-09 212 /* kill conntrack and do accounting */
ad66713f5a Florian Westphal 2016-08-25 213 bool nf_ct_kill_acct(struct nf_conn *ct, enum ip_conntrack_info ctinfo,
ad66713f5a Florian Westphal 2016-08-25 214 const struct sk_buff *skb);
718d4ad98e Fabian Hugelshofer 2008-06-09 215
/* kill conntrack without accounting: nf_ct_delete() with pid 0 and
 * report 0; returns whatever nf_ct_delete() returns. */
static inline bool nf_ct_kill(struct nf_conn *ct)
{
	const u32 portid = 0;
	const int report = 0;

	return nf_ct_delete(ct, portid, report);
}
51091764f2 Patrick McHardy 2008-06-09 221
9fb9cbb108 Yasuyuki Kozakai 2005-11-09 222 /* These are for NAT. Icky. */
2d89c68ac7 Patrick McHardy 2013-07-28 223 extern s32 (*nf_ct_nat_offset)(const struct nf_conn *ct,
f9dd09c7f7 Jozsef Kadlecsik 2009-11-06 224 enum ip_conntrack_dir dir,
f9dd09c7f7 Jozsef Kadlecsik 2009-11-06 225 u32 seq);
9fb9cbb108 Yasuyuki Kozakai 2005-11-09 226
d171e8b544 Florian Westphal 2017-07-24 227 /* Set all unconfirmed conntrack as dying */
d171e8b544 Florian Westphal 2017-07-24 228 void nf_ct_unconfirmed_destroy(struct net *);
d171e8b544 Florian Westphal 2017-07-24 229
9fb9cbb108 Yasuyuki Kozakai 2005-11-09 230 /* Iterate over all conntracks: if iter returns true, it's deleted. */
9fd6452d67 Florian Westphal 2017-05-21 231 void nf_ct_iterate_cleanup_net(struct net *net,
c655bc6896 Florian Westphal 2013-07-29 232 int (*iter)(struct nf_conn *i, void *data),
c655bc6896 Florian Westphal 2013-07-29 233 void *data, u32 portid, int report);
308ac9143e Daniel Borkmann 2015-08-08 234
2843fb6998 Florian Westphal 2017-05-21 235 /* also set unconfirmed conntracks as dying. Only use in module exit path. */
2843fb6998 Florian Westphal 2017-05-21 236 void nf_ct_iterate_destroy(int (*iter)(struct nf_conn *i, void *data),
2843fb6998 Florian Westphal 2017-05-21 237 void *data);
2843fb6998 Florian Westphal 2017-05-21 238
308ac9143e Daniel Borkmann 2015-08-08 239 struct nf_conntrack_zone;
308ac9143e Daniel Borkmann 2015-08-08 240
4e77be4637 Joe Perches 2013-09-23 241 void nf_conntrack_free(struct nf_conn *ct);
308ac9143e Daniel Borkmann 2015-08-08 242 struct nf_conn *nf_conntrack_alloc(struct net *net,
308ac9143e Daniel Borkmann 2015-08-08 243 const struct nf_conntrack_zone *zone,
5a1fb391d8 Alexey Dobriyan 2008-10-08 244 const struct nf_conntrack_tuple *orig,
b891c5a831 Pablo Neira Ayuso 2008-07-08 245 const struct nf_conntrack_tuple *repl,
b891c5a831 Pablo Neira Ayuso 2008-07-08 246 gfp_t gfp);
9fb9cbb108 Yasuyuki Kozakai 2005-11-09 247
/* Non-zero if IPS_TEMPLATE_BIT is set in ct->status. */
static inline int nf_ct_is_template(const struct nf_conn *ct)
{
	const unsigned long *status = &ct->status;

	return test_bit(IPS_TEMPLATE_BIT, status);
}
b2a15a604d Patrick McHardy 2010-02-03 252
/* It's confirmed if it is, or has been in the hash table
 * (IPS_CONFIRMED_BIT set in ct->status). */
static inline int nf_ct_is_confirmed(const struct nf_conn *ct)
{
	const unsigned long *status = &ct->status;

	return test_bit(IPS_CONFIRMED_BIT, status);
}
9fb9cbb108 Yasuyuki Kozakai 2005-11-09 258
/* Non-zero if IPS_DYING_BIT is set in ct->status. */
static inline int nf_ct_is_dying(const struct nf_conn *ct)
{
	const unsigned long *status = &ct->status;

	return test_bit(IPS_DYING_BIT, status);
}
9fb9cbb108 Yasuyuki Kozakai 2005-11-09 263
/* Packet is received from loopback: needs both a device and an input
 * ifindex on the skb, and the device must carry IFF_LOOPBACK. */
static inline bool nf_is_loopback_packet(const struct sk_buff *skb)
{
	if (!skb->dev || !skb->skb_iif)
		return false;

	return (skb->dev->flags & IFF_LOOPBACK) != 0;
}
42c1edd345 Julian Anastasov 2011-06-16 269
f330a7fdbe Florian Westphal 2016-08-25 270 #define nfct_time_stamp ((u32)(jiffies))
f330a7fdbe Florian Westphal 2016-08-25 271
/* jiffies until ct expires, 0 if already expired */
static inline unsigned long nf_ct_expires(const struct nf_conn *ct)
{
	/* signed difference: a deadline already in the past comes out negative */
	s32 remaining = ct->timeout - nfct_time_stamp;

	if (remaining <= 0)
		return 0;

	return remaining;
}
c8607e0200 Florian Westphal 2016-07-06 279
/* True once ct->timeout is at or before the current nfct_time_stamp
 * (same signed-difference comparison as nf_ct_expires()). */
static inline bool nf_ct_is_expired(const struct nf_conn *ct)
{
	__s32 remaining = (__s32)(ct->timeout - nfct_time_stamp);

	return remaining <= 0;
}
f330a7fdbe Florian Westphal 2016-08-25 284
/* use after obtaining a reference count.
 * A conntrack is a gc candidate only if it is expired, has been
 * confirmed (so it lives in the hash table) and is not already dying. */
static inline bool nf_ct_should_gc(const struct nf_conn *ct)
{
	if (!nf_ct_is_expired(ct))
		return false;
	if (!nf_ct_is_confirmed(ct))
		return false;

	return !nf_ct_is_dying(ct);
}
f330a7fdbe Florian Westphal 2016-08-25 291
34641c6d00 Paul Gortmaker 2011-08-29 292 struct kernel_param;
34641c6d00 Paul Gortmaker 2011-08-29 293
4e77be4637 Joe Perches 2013-09-23 294 int nf_conntrack_set_hashsize(const char *val, struct kernel_param *kp);
3183ab8997 Florian Westphal 2016-06-22 295 int nf_conntrack_hash_resize(unsigned int hashsize);
92e47ba883 Liping Zhang 2016-08-13 296
92e47ba883 Liping Zhang 2016-08-13 297 extern struct hlist_nulls_head *nf_conntrack_hash;
9fb9cbb108 Yasuyuki Kozakai 2005-11-09 298 extern unsigned int nf_conntrack_htable_size;
92e47ba883 Liping Zhang 2016-08-13 299 extern seqcount_t nf_conntrack_generation;
e478075c6f Hagen Paul Pfeifer 2009-02-20 300 extern unsigned int nf_conntrack_max;
9fb9cbb108 Yasuyuki Kozakai 2005-11-09 301
/* must be called with rcu read lock held
 *
 * Snapshot the global conntrack hash table pointer and its size into
 * *hash / *hsize.  Both globals can change together (a resize,
 * nf_conntrack_hash_resize() is declared above), so they are re-read
 * until nf_conntrack_generation shows no change happened in between. */
static inline void
nf_conntrack_get_ht(struct hlist_nulls_head **hash, unsigned int *hsize)
{
	struct hlist_nulls_head *table;
	unsigned int size, seq;

	for (;;) {
		seq = read_seqcount_begin(&nf_conntrack_generation);
		size = nf_conntrack_htable_size;
		table = nf_conntrack_hash;
		if (!read_seqcount_retry(&nf_conntrack_generation, seq))
			break;
	}

	*hash = table;
	*hsize = size;
}
92e47ba883 Liping Zhang 2016-08-13 318
308ac9143e Daniel Borkmann 2015-08-08 319 struct nf_conn *nf_ct_tmpl_alloc(struct net *net,
308ac9143e Daniel Borkmann 2015-08-08 320 const struct nf_conntrack_zone *zone,
308ac9143e Daniel Borkmann 2015-08-08 321 gfp_t flags);
9cf94eab8b Daniel Borkmann 2015-08-31 322 void nf_ct_tmpl_free(struct nf_conn *tmpl);
e53376bef2 Pablo Neira Ayuso 2014-02-03 323
/* Attach ct and its ctinfo to skb by packing both into skb->_nfct.
 * info lands in the low bits (see NFCT_INFOMASK), so ct must be a
 * pointer whose low 3 bits are zero or nf_ct_get() would decode a
 * corrupted pointer. */
static inline void
nf_ct_set(struct sk_buff *skb, struct nf_conn *ct, enum ip_conntrack_info info)
{
	unsigned long nfct = (unsigned long)ct;

	nfct |= info;
	skb->_nfct = nfct;
}
c74454fadd Florian Westphal 2017-01-23 329
:::::: The code at line 154 was first introduced by commit
:::::: a9e419dc7be6997409dca6d1b9daf3cc7046902f netfilter: merge ctinfo into nfct pointer storage area
:::::: TO: Florian Westphal <fw@strlen.de>
:::::: CC: Pablo Neira Ayuso <pablo@netfilter.org>
---
0-DAY kernel test infrastructure Open Source Technology Center
https://lists.01.org/pipermail/kbuild-all Intel Corporation
[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 28205 bytes --]