From patchwork Thu May 23 08:42:35 2013
From: Pablo Neira Ayuso
To: netfilter-devel@vger.kernel.org
Subject: [PATCH 1/3] netfilter: ctnetlink: attach expectations to unconfirmed conntracks
Date: Thu, 23 May 2013 10:42:35 +0200
Message-Id: <1369298557-5351-1-git-send-email-pablo@netfilter.org>
X-Patchwork-Id: 245842
X-Mailer: git-send-email 1.7.10.4

This patch adds the capability to attach expectations to unconfirmed conntrack entries. This patch is required by the DHCPv6 helper in user-space.

Signed-off-by: Pablo Neira Ayuso
---
 include/net/netfilter/nf_conntrack.h | 4 ++++
 include/uapi/linux/netfilter/nfnetlink_conntrack.h | 1 +
 net/netfilter/nf_conntrack_core.c | 20 ++++++++++++++++++++
 net/netfilter/nf_conntrack_netlink.c | 14 ++++++++++++--
 4 files changed, 37 insertions(+), 2 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack.h b/include/net/netfilter/nf_conntrack.h index 644d9c2..d172fc5 100644 --- a/include/net/netfilter/nf_conntrack.h +++ b/include/net/netfilter/nf_conntrack.h
@@ -180,6 +180,10 @@ extern struct nf_conntrack_tuple_hash * __nf_conntrack_find(struct net *net, u16 zone, const struct nf_conntrack_tuple *tuple); +struct nf_conntrack_tuple_hash * +nf_ct_unconfirmed_find(struct net *net, u16 zone, + const struct nf_conntrack_tuple *tuple); + extern int nf_conntrack_hash_check_insert(struct nf_conn *ct); extern void nf_ct_delete_from_lists(struct nf_conn *ct); extern void nf_ct_dying_timeout(struct nf_conn *ct); diff --git a/include/uapi/linux/netfilter/nfnetlink_conntrack.h b/include/uapi/linux/netfilter/nfnetlink_conntrack.h index 08fabc6..8f7c2fe 100644 --- a/include/uapi/linux/netfilter/nfnetlink_conntrack.h +++ b/include/uapi/linux/netfilter/nfnetlink_conntrack.h @@ -187,6 +187,7 @@ enum ctattr_expect { CTA_EXPECT_CLASS, CTA_EXPECT_NAT, CTA_EXPECT_FN, + CTA_EXPECT_MASTER_STATUS, __CTA_EXPECT_MAX }; #define CTA_EXPECT_MAX (__CTA_EXPECT_MAX - 1) diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index ebb81d6..a6e5764 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c @@ -401,6 +401,26 @@ nf_conntrack_find_get(struct net *net, u16 zone, } EXPORT_SYMBOL_GPL(nf_conntrack_find_get); +struct nf_conntrack_tuple_hash * +nf_ct_unconfirmed_find(struct net *net, u16 zone, + const struct nf_conntrack_tuple *tuple) +{ + struct nf_conntrack_tuple_hash *h, *ret = NULL; + struct hlist_nulls_node *n; + + rcu_read_lock(); + hlist_nulls_for_each_entry_rcu(h, n, &net->ct.unconfirmed, hnnode) { + if (nf_ct_tuple_equal(tuple, &h->tuple) && + nf_ct_zone(nf_ct_tuplehash_to_ctrack(h)) == zone) { + ret = h; + break; + } + } + rcu_read_unlock(); + return ret; +} +EXPORT_SYMBOL_GPL(nf_ct_unconfirmed_find); + static void __nf_conntrack_hash_insert(struct nf_conn *ct, unsigned int hash, unsigned int repl_hash) diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index 6d0f8a1..3596682 100644 --- a/net/netfilter/nf_conntrack_netlink.c 
+++ b/net/netfilter/nf_conntrack_netlink.c @@ -2742,7 +2742,7 @@ ctnetlink_create_expect(struct net *net, u16 zone, struct nf_conn *ct; struct nf_conn_help *help; struct nf_conntrack_helper *helper = NULL; - u_int32_t class = 0; + u_int32_t class = 0, master_status; int err = 0; /* caller guarantees that those three CTA_EXPECT_* exist */ @@ -2756,8 +2756,18 @@ ctnetlink_create_expect(struct net *net, u16 zone, if (err < 0) return err; + if (cda[CTA_EXPECT_MASTER_STATUS]) { + master_status = + ntohl(nla_get_be32(cda[CTA_EXPECT_MASTER_STATUS])); + } else + master_status = IPS_CONFIRMED; + /* Look for master conntrack of this expectation */ - h = nf_conntrack_find_get(net, zone, &master_tuple); + if (master_status & IPS_CONFIRMED) + h = nf_conntrack_find_get(net, zone, &master_tuple); + else + h = nf_ct_unconfirmed_find(net, zone, &master_tuple); + if (!h) return -ENOENT; ct = nf_ct_tuplehash_to_ctrack(h);
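Review bot: the new `nf_ct_unconfirmed_find()` declaration in the include/net/netfilter/nf_conntrack.h hunk drops the `extern` that the neighbouring `__nf_conntrack_find()`, `nf_conntrack_hash_check_insert()` and `nf_ct_delete_from_lists()` declarations use; keep the file consistent with `extern struct nf_conntrack_tuple_hash *nf_ct_unconfirmed_find(...)`, and add a comment stating that, unlike `nf_conntrack_find_get()`, the returned entry carries no reference.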
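Review bot: the new `CTA_EXPECT_MASTER_STATUS` attribute added in the nfnetlink_conntrack.h hunk gets no matching entry in the expectation attribute policy anywhere in this patch, yet the nf_conntrack_netlink.c hunk reads it with `nla_get_be32()`; without a `{ .type = NLA_U32 }` policy entry the attribute length is not validated before the 32-bit read, so a short attribute supplied from user space is read beyond its payload. Add the policy entry in the same patch that adds the enum value.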
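Review bot: `nf_ct_unconfirmed_find()` in the nf_conntrack_core.c hunk returns the tuple hash after `rcu_read_unlock()` without taking a reference on the conntrack (no `nf_conntrack_get()` or `atomic_inc_not_zero()` on the use count), whereas the `nf_conntrack_find_get()` it replaces in the netlink path does; an entry on `net->ct.unconfirmed` belongs to a packet still being processed and can be freed as soon as the RCU section ends, leaving the caller with a dangling pointer. Take the reference inside the RCU section before `break`, and return NULL if it cannot be taken, mirroring `nf_conntrack_find_get()`.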
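Review bot: in the nf_conntrack_netlink.c hunk the two lookup branches hand back different ownership: the `nf_conntrack_find_get()` result holds a reference, the `nf_ct_unconfirmed_find()` result does not, so whatever the unchanged tail of `ctnetlink_create_expect()` does with `h`, one of the two branches is wrong unless both return the same kind of reference. Two smaller points: `if (cda[CTA_EXPECT_MASTER_STATUS]) { ... } else master_status = IPS_CONFIRMED;` mixes a braced and an unbraced branch, which kernel coding style disallows, so brace both; and `master_status` comes from user space but only its `IPS_CONFIRMED` bit is consulted, so reject any other set bits to keep the attribute's meaning well defined.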