From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: richard@nod.at, fw@strlen.de
Subject: [PATCH nf-next,RFC 2/3] netfilter: ctnetlink: use 64-bit conntrack ID
Date: Tue, 28 Nov 2017 03:13:08 +0100
Message-ID: <20171128021309.11277-2-pablo@netfilter.org>
In-Reply-To: <20171128021309.11277-1-pablo@netfilter.org>
The older 32-bit conntrack ID is still exposed for backward
compatibility reasons, add new CTA_ID64 attribute.
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/uapi/linux/netfilter/nfnetlink_conntrack.h | 2 ++
net/netfilter/nf_conntrack_netlink.c | 14 ++++++++++++--
2 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/include/uapi/linux/netfilter/nfnetlink_conntrack.h b/include/uapi/linux/netfilter/nfnetlink_conntrack.h
index 7397e022ce6e..dcd7b97eeeac 100644
--- a/include/uapi/linux/netfilter/nfnetlink_conntrack.h
+++ b/include/uapi/linux/netfilter/nfnetlink_conntrack.h
@@ -54,6 +54,8 @@ enum ctattr_type {
CTA_MARK_MASK,
CTA_LABELS,
CTA_LABELS_MASK,
+ CTA_ID64,
+ CTA_PAD,
__CTA_MAX
};
#define CTA_MAX (__CTA_MAX - 1)
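Review bot: CTA_ID64 and CTA_PAD become permanent uapi values once this is merged, but neither the enum nor the commit message documents them, and CTA_PAD is not mentioned at all. Add a short comment at the two new enumerators saying that CTA_ID64 carries the 64-bit ID in network byte order and that CTA_PAD is only the alignment pad handed to nla_put_be64() and carries no data, so userspace parsers know to skip it.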
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index b3b8249ced4a..7aecb8ae5ecc 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -446,7 +446,8 @@ static int ctnetlink_dump_ct_seq_adj(struct sk_buff *skb, struct nf_conn *ct)
static int ctnetlink_dump_id(struct sk_buff *skb, const struct nf_conn *ct)
{
- if (nla_put_be32(skb, CTA_ID, htonl((unsigned long)ct)))
+ if (nla_put_be32(skb, CTA_ID, htonl((unsigned long)ct)) ||
+ nla_put_be64(skb, CTA_ID64, cpu_to_be64(nf_ct_id(ct)), CTA_PAD))
goto nla_put_failure;
return 0;
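Review bot: The retained CTA_ID put in ctnetlink_dump_id() still sends htonl((unsigned long)ct), which is the kernel address of the conntrack object (truncated to 32 bits on 64-bit builds), so adding CTA_ID64 next to it does not by itself stop that value reaching userspace. If changing it is deliberately left to 3/3 ("randomize 32-bit ID"), state that dependency in this commit message so the two patches are not applied or backported separately.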
@@ -600,6 +601,7 @@ static size_t ctnetlink_nlmsg_size(const struct nf_conn *ct)
+ 3 * nla_total_size(0) /* CTA_TUPLE_PROTO */
+ 3 * nla_total_size(sizeof(u_int8_t)) /* CTA_PROTO_NUM */
+ nla_total_size(sizeof(u_int32_t)) /* CTA_ID */
+ + nla_total_size(sizeof(u64)) /* CTA_ID64 */
+ nla_total_size(sizeof(u_int32_t)) /* CTA_STATUS */
+ ctnetlink_acct_size(ct)
+ ctnetlink_timestamp_size(ct)
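Review bot: The size accounting for CTA_ID64 in ctnetlink_nlmsg_size() uses nla_total_size(sizeof(u64)), but the attribute is emitted with nla_put_be64(..., CTA_PAD), which can insert a padding attribute ahead of the payload on architectures that need 64-bit alignment. Use nla_total_size_64bit(sizeof(u64)) here so the estimate covers the pad and the event message is not undersized.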
@@ -1108,6 +1110,7 @@ static const struct nla_policy ct_nla_policy[CTA_MAX+1] = {
.len = NF_CT_LABELS_MAX_SIZE },
[CTA_LABELS_MASK] = { .type = NLA_BINARY,
.len = NF_CT_LABELS_MAX_SIZE },
+ [CTA_ID64] = { .type = NLA_U64 },
};
static int ctnetlink_flush_conntrack(struct net *net,
@@ -1174,6 +1177,13 @@ static int ctnetlink_del_conntrack(struct net *net, struct sock *ctnl,
nf_ct_put(ct);
return -ENOENT;
}
+ } else if (cda[CTA_ID64]) {
+ u64 id = ntohl(nla_get_be64(cda[CTA_ID64]));
+
+ if (id != nf_ct_id(ct)) {
+ nf_ct_put(ct);
+ return -ENOENT;
+ }
}
nf_ct_delete(ct, NETLINK_CB(skb).portid, nlmsg_report(nlh));
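Review bot: The CTA_ID64 branch in ctnetlink_del_conntrack() converts with ntohl(nla_get_be64(cda[CTA_ID64])), which truncates the attribute to 32 bits before the swap, so the comparison against nf_ct_id(ct) fails with -ENOENT for any ID that does not fit in 32 bits. The dump side uses cpu_to_be64(), so this should be be64_to_cpu(nla_get_be64(...)). Also, because the branch is an else if after the CTA_ID check, a request carrying both attributes never has its CTA_ID64 checked; either validate both or document that CTA_ID takes precedence.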
@@ -1319,7 +1329,7 @@ ctnetlink_dump_list(struct sk_buff *skb, struct netlink_callback *cb, bool dying
if (!atomic_inc_not_zero(&ct->ct_general.use))
continue;
cb->args[0] = cpu;
- cb->args[1] = (unsigned long)ct;
+ cb->args[1] = nf_ct_id(ct);
spin_unlock_bh(&pcpu->lock);
goto out;
}
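Review bot: cb->args[1] in ctnetlink_dump_list() previously held a pointer cast to unsigned long and now holds nf_ct_id(ct), yet the diffstat shows only two deletions, both accounted for by this line and the one in ctnetlink_dump_id(), so the code that reads cb->args[1] back on the next dump call is unchanged. If that reader still treats the value as a struct nf_conn pointer (comparing against ct or dropping a reference), it will now operate on an ID; it needs to be converted to compare against nf_ct_id(ct) in the same patch. The value is also narrowed to the width of the args[] slot on 32-bit builds, so the resume comparison must apply the same truncation.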
--
2.11.0
Thread overview: 14+ messages
2017-11-28 2:13 [PATCH nf-next,RFC 1/3] netfilter: nf_conntrack: add 64-bit conntrack ID extension Pablo Neira Ayuso
2017-11-28 2:13 ` Pablo Neira Ayuso [this message]
2017-11-28 12:12 ` [PATCH nf-next,RFC 2/3] netfilter: ctnetlink: use 64-bit conntrack ID Florian Westphal
2017-11-28 15:45 ` Pablo Neira Ayuso
2017-11-28 20:27 ` Florian Westphal
2017-11-28 2:13 ` [PATCH nf-next,RFC 3/3] netfilter: ctnetlink: randomize 32-bit ID Pablo Neira Ayuso
2017-11-28 12:18 ` Florian Westphal
2017-11-28 15:46 ` Pablo Neira Ayuso
2017-11-28 10:54 ` [PATCH nf-next,RFC 1/3] netfilter: nf_conntrack: add 64-bit conntrack ID extension Florian Westphal
2017-11-28 15:44 ` Pablo Neira Ayuso
2017-11-28 20:43 ` Florian Westphal
2017-11-28 12:16 ` Florian Westphal
2017-11-28 15:57 ` Pablo Neira Ayuso
2017-11-28 20:44 ` Florian Westphal