From 2248bcfcd8fb622ec88b8587d0c1f139635ffd2e Mon Sep 17 00:00:00 2001
From: Patrick McHardy
Date: Tue, 6 Sep 2005 15:06:42 -0700
Subject: [NETFILTER]: Add support for permanent expectations

A permanent expectation exists until timeing out and can expect multiple related connections.

Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
---
 include/linux/netfilter_ipv4/ip_conntrack.h | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'include/linux')

diff --git a/include/linux/netfilter_ipv4/ip_conntrack.h b/include/linux/netfilter_ipv4/ip_conntrack.h
index 088742befe4..7e033e9271a 100644
--- a/include/linux/netfilter_ipv4/ip_conntrack.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack.h
@@ -263,6 +263,9 @@ struct ip_conntrack_expect
 /* Unique ID */
 unsigned int id;
+ /* Flags */
+ unsigned int flags;
+
 #ifdef CONFIG_IP_NF_NAT_NEEDED
 /* This is the original per-proto part, used to map the
 * expected connection the way the recipient expects. */
@@ -272,6 +275,8 @@ struct ip_conntrack_expect
 #endif
 };
+#define IP_CT_EXPECT_PERMANENT 0x1
+
 static inline struct ip_conntrack *
 tuplehash_to_ctrack(const struct ip_conntrack_tuple_hash *hash)
 {
-- cgit v1.2.3

From 03486a4f838c55481317fca5ac2e7d12550a4fb7 Mon Sep 17 00:00:00 2001
From: Patrick McHardy
Date: Tue, 6 Sep 2005 15:09:43 -0700
Subject: [NETFILTER]: Handle NAT module load race

When the NAT module is loaded when connections are already confirmed it must not change their tuples anymore. This is especially important with CONFIG_NETFILTER_DEBUG, the netfilter listhelp functions will refuse to remove an entry from a list when it can not be found on the list, so when a changed tuple hashes to a new bucket the entry is kept in the list until and after the conntrack is freed. Allocate the exact conntrack tuple for NAT for already confirmed connections or drop them if that fails.

Signed-off-by: Patrick McHardy
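Review bot: The new `flags` member in the first hunk and `IP_CT_EXPECT_PERMANENT` in the second are added without a word on what a set bit means, so `/* Flags */` only restates the name and a reader has to dig out the commit message to learn that a permanent expectation is not consumed by its first match and lives until it times out. I would write `/* Flags: IP_CT_EXPECT_* */` on the member and `/* expectation survives matches; removed only when its timer expires */` next to the define, keeping the name and bit value as they are. The allocation path for struct ip_conntrack_expect is outside this patch; unless it already zeroes the whole object, the new member needs explicit initialisation there, because a stale bit would silently make an expectation permanent and keep accepting related connections long after the one it was created for. struct ip_conntrack_expect opens before the first hunk and the body of tuplehash_to_ctrack continues after the second.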
Signed-off-by: David S. Miller
---
 include/linux/netfilter_ipv4/ip_nat_rule.h | 5 +++++
 1 file changed, 5 insertions(+)
(limited to 'include/linux')

diff --git a/include/linux/netfilter_ipv4/ip_nat_rule.h b/include/linux/netfilter_ipv4/ip_nat_rule.h
index fecd2a06dcd..73b9552e6a8 100644
--- a/include/linux/netfilter_ipv4/ip_nat_rule.h
+++ b/include/linux/netfilter_ipv4/ip_nat_rule.h
@@ -19,5 +19,10 @@ extern unsigned int
 alloc_null_binding(struct ip_conntrack *conntrack,
 struct ip_nat_info *info,
 unsigned int hooknum);
+
+extern unsigned int
+alloc_null_binding_confirmed(struct ip_conntrack *conntrack,
+ struct ip_nat_info *info,
+ unsigned int hooknum);
 #endif
 #endif /* _IP_NAT_RULE_H */
-- cgit v1.2.3

From 49719eb355d32fa07793017b4b46b1c02e88b275 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso
Date: Tue, 6 Sep 2005 15:10:46 -0700
Subject: [NETFILTER]: kill __ip_ct_expect_unlink_destroy

The following patch kills __ip_ct_expect_unlink_destroy and export unlink_expect as ip_ct_unlink_expect. As it was discussed [1], the function __ip_ct_expect_unlink_destroy is a bit confusing so better do the following sequence: ip_ct_destroy_expect and ip_conntrack_expect_put.

[1] https://lists.netfilter.org/pipermail/netfilter-devel/2005-August/020794.html

Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
---
 include/linux/netfilter_ipv4/ip_conntrack_core.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'include/linux')

diff --git a/include/linux/netfilter_ipv4/ip_conntrack_core.h b/include/linux/netfilter_ipv4/ip_conntrack_core.h
index dc4d2a0575d..907d4f5ca5d 100644
--- a/include/linux/netfilter_ipv4/ip_conntrack_core.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack_core.h
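Review bot: `alloc_null_binding_confirmed()` is declared directly below `alloc_null_binding()` with an identical parameter list and no comment, so nothing in the header tells a caller which of the two applies to its conntrack. The commit message carries the contract: a confirmed conntrack must not have its tuple changed any more, so this variant allocates the exact tuple for NAT or drops the connection when that is not possible. I would put that above the declaration: `/* For conntracks that are already confirmed: the tuple must not change, so the exact tuple is allocated for NAT, or the connection is dropped if that fails. */`. Whether the unsigned int result is a netfilter verdict as the name of the sibling suggests cannot be seen here, and is worth stating in the same comment; the enclosing `#ifdef` opens before the hunk.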
@@ -52,7 +52,7 @@ static inline int ip_conntrack_confirm(struct sk_buff **pskb)
 return ret;
 }
-extern void __ip_ct_expect_unlink_destroy(struct ip_conntrack_expect *exp);
+extern void ip_ct_unlink_expect(struct ip_conntrack_expect *exp);
 extern struct list_head *ip_conntrack_hash;
 extern struct list_head ip_conntrack_expect_list;
-- cgit v1.2.3

From f2c383988d68c91a7d474b7cf26c0a2df49bbafe Mon Sep 17 00:00:00 2001
From: Stephen Hemminger
Date: Tue, 6 Sep 2005 15:48:03 -0700
Subject: [NET]: skb_get/set_timestamp use const

The new timestamp get/set routines should have const attribute on parameters (helps to indicate direction).

Signed-off-by: Stephen Hemminger
Signed-off-by: David S. Miller
---
 include/linux/skbuff.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
(limited to 'include/linux')

diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h
index 42edce6abe2..da7da9c0ed1 100644
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -1251,7 +1251,7 @@ extern void skb_add_mtu(int mtu);
 * This function converts the offset back to a struct timeval and stores
 * it in stamp.
 */
-static inline void skb_get_timestamp(struct sk_buff *skb, struct timeval *stamp)
+static inline void skb_get_timestamp(const struct sk_buff *skb, struct timeval *stamp)
 {
 stamp->tv_sec = skb->tstamp.off_sec;
 stamp->tv_usec = skb->tstamp.off_usec;
@@ -1270,7 +1270,7 @@ static inline void skb_get_timestamp(struct sk_buff *skb, struct timeval *stamp)
 * This function converts a struct timeval to an offset and stores
 * it in the skb.
 */
-static inline void skb_set_timestamp(struct sk_buff *skb, struct timeval *stamp)
+static inline void skb_set_timestamp(struct sk_buff *skb, const struct timeval *stamp)
 {
 skb->tstamp.off_sec = stamp->tv_sec - skb_tv_base.tv_sec;
 skb->tstamp.off_usec = stamp->tv_usec - skb_tv_base.tv_usec;
-- cgit v1.2.3
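Review bot: `ip_ct_unlink_expect()` replaces a function that both unlinked and destroyed the expectation, yet the new declaration says nothing about the second half now being the caller's job, which is exactly the confusion the commit message sets out to remove. A one-line comment would settle it: `/* Unlink exp from the expectation lists; the caller keeps its reference and must drop it with ip_conntrack_expect_put() */`. The message names the first step `ip_ct_destroy_expect`, which is not the symbol this hunk exports; if that is a slip it is worth correcting, since a reader searching by that name will not find this function. A caller that forgets the `ip_conntrack_expect_put()` after the unlink leaks the expectation, so any lock the caller must hold across the unlink belongs in the same comment.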