netfilter: add and use nf_ct_set helper
Add a helper to assign a nf_conn entry and the ctinfo bits to an sk_buff. This avoids changing code in followup patch that merges skb->nfct and skb->nfctinfo into skb->_nfct. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
This commit is contained in:
parent
cb9c68363e
commit
c74454fadd
@ -1559,8 +1559,7 @@ static inline void ip_vs_notrack(struct sk_buff *skb)
|
||||
nf_conntrack_put(&ct->ct_general);
|
||||
untracked = nf_ct_untracked_get();
|
||||
nf_conntrack_get(&untracked->ct_general);
|
||||
skb->nfct = &untracked->ct_general;
|
||||
skb->nfctinfo = IP_CT_NEW;
|
||||
nf_ct_set(skb, untracked, IP_CT_NEW);
|
||||
}
|
||||
#endif
|
||||
}
|
||||
|
@ -34,6 +34,7 @@ union nf_conntrack_proto {
|
||||
struct ip_ct_sctp sctp;
|
||||
struct ip_ct_tcp tcp;
|
||||
struct nf_ct_gre gre;
|
||||
unsigned int tmpl_padto;
|
||||
};
|
||||
|
||||
union nf_conntrack_expect_proto {
|
||||
@ -341,6 +342,13 @@ struct nf_conn *nf_ct_tmpl_alloc(struct net *net,
|
||||
gfp_t flags);
|
||||
void nf_ct_tmpl_free(struct nf_conn *tmpl);
|
||||
|
||||
static inline void
|
||||
nf_ct_set(struct sk_buff *skb, struct nf_conn *ct, enum ip_conntrack_info info)
|
||||
{
|
||||
skb->nfct = &ct->ct_general;
|
||||
skb->nfctinfo = info;
|
||||
}
|
||||
|
||||
#define NF_CT_STAT_INC(net, count) __this_cpu_inc((net)->ct.stat->count)
|
||||
#define NF_CT_STAT_INC_ATOMIC(net, count) this_cpu_inc((net)->ct.stat->count)
|
||||
#define NF_CT_STAT_ADD_ATOMIC(net, count, v) this_cpu_add((net)->ct.stat->count, (v))
|
||||
|
@ -57,8 +57,7 @@ synproxy_send_tcp(struct net *net,
|
||||
goto free_nskb;
|
||||
|
||||
if (nfct) {
|
||||
nskb->nfct = nfct;
|
||||
nskb->nfctinfo = ctinfo;
|
||||
nf_ct_set(nskb, (struct nf_conn *)nfct, ctinfo);
|
||||
nf_conntrack_get(nfct);
|
||||
}
|
||||
|
||||
|
@ -172,8 +172,7 @@ icmp_error_message(struct net *net, struct nf_conn *tmpl, struct sk_buff *skb,
|
||||
ctinfo += IP_CT_IS_REPLY;
|
||||
|
||||
/* Update skb to refer to this connection */
|
||||
skb->nfct = &nf_ct_tuplehash_to_ctrack(h)->ct_general;
|
||||
skb->nfctinfo = ctinfo;
|
||||
nf_ct_set(skb, nf_ct_tuplehash_to_ctrack(h), ctinfo);
|
||||
return NF_ACCEPT;
|
||||
}
|
||||
|
||||
|
@ -69,8 +69,7 @@ void nf_dup_ipv4(struct net *net, struct sk_buff *skb, unsigned int hooknum,
|
||||
#if IS_ENABLED(CONFIG_NF_CONNTRACK)
|
||||
/* Avoid counting cloned packets towards the original connection. */
|
||||
nf_reset(skb);
|
||||
skb->nfct = &nf_ct_untracked_get()->ct_general;
|
||||
skb->nfctinfo = IP_CT_NEW;
|
||||
nf_ct_set(skb, nf_ct_untracked_get(), IP_CT_NEW);
|
||||
nf_conntrack_get(skb_nfct(skb));
|
||||
#endif
|
||||
/*
|
||||
|
@ -71,8 +71,7 @@ synproxy_send_tcp(struct net *net,
|
||||
skb_dst_set(nskb, dst);
|
||||
|
||||
if (nfct) {
|
||||
nskb->nfct = nfct;
|
||||
nskb->nfctinfo = ctinfo;
|
||||
nf_ct_set(nskb, (struct nf_conn *)nfct, ctinfo);
|
||||
nf_conntrack_get(nfct);
|
||||
}
|
||||
|
||||
|
@ -189,8 +189,7 @@ icmpv6_error_message(struct net *net, struct nf_conn *tmpl,
|
||||
}
|
||||
|
||||
/* Update skb to refer to this connection */
|
||||
skb->nfct = &nf_ct_tuplehash_to_ctrack(h)->ct_general;
|
||||
skb->nfctinfo = ctinfo;
|
||||
nf_ct_set(skb, nf_ct_tuplehash_to_ctrack(h), ctinfo);
|
||||
return NF_ACCEPT;
|
||||
}
|
||||
|
||||
@ -222,8 +221,7 @@ icmpv6_error(struct net *net, struct nf_conn *tmpl,
|
||||
type = icmp6h->icmp6_type - 130;
|
||||
if (type >= 0 && type < sizeof(noct_valid_new) &&
|
||||
noct_valid_new[type]) {
|
||||
skb->nfct = &nf_ct_untracked_get()->ct_general;
|
||||
skb->nfctinfo = IP_CT_NEW;
|
||||
nf_ct_set(skb, nf_ct_untracked_get(), IP_CT_NEW);
|
||||
nf_conntrack_get(skb_nfct(skb));
|
||||
return NF_ACCEPT;
|
||||
}
|
||||
|
@ -58,8 +58,7 @@ void nf_dup_ipv6(struct net *net, struct sk_buff *skb, unsigned int hooknum,
|
||||
|
||||
#if IS_ENABLED(CONFIG_NF_CONNTRACK)
|
||||
nf_reset(skb);
|
||||
skb->nfct = &nf_ct_untracked_get()->ct_general;
|
||||
skb->nfctinfo = IP_CT_NEW;
|
||||
nf_ct_set(skb, nf_ct_untracked_get(), IP_CT_NEW);
|
||||
nf_conntrack_get(skb->nfct);
|
||||
#endif
|
||||
if (hooknum == NF_INET_PRE_ROUTING ||
|
||||
|
@ -691,10 +691,7 @@ static int nf_ct_resolve_clash(struct net *net, struct sk_buff *skb,
|
||||
|
||||
nf_ct_acct_merge(ct, ctinfo, loser_ct);
|
||||
nf_conntrack_put(&loser_ct->ct_general);
|
||||
/* Assign conntrack already in hashes to this skbuff. Don't
|
||||
* modify skb->nfctinfo to ensure consistent stateful filtering.
|
||||
*/
|
||||
skb->nfct = &ct->ct_general;
|
||||
nf_ct_set(skb, ct, oldinfo);
|
||||
return NF_ACCEPT;
|
||||
}
|
||||
NF_CT_STAT_INC(net, drop);
|
||||
@ -1282,8 +1279,7 @@ resolve_normal_ct(struct net *net, struct nf_conn *tmpl,
|
||||
}
|
||||
*set_reply = 0;
|
||||
}
|
||||
skb->nfct = &ct->ct_general;
|
||||
skb->nfctinfo = *ctinfo;
|
||||
nf_ct_set(skb, ct, *ctinfo);
|
||||
return ct;
|
||||
}
|
||||
|
||||
@ -1526,8 +1522,7 @@ static void nf_conntrack_attach(struct sk_buff *nskb, const struct sk_buff *skb)
|
||||
ctinfo = IP_CT_RELATED;
|
||||
|
||||
/* Attach to new skbuff, and increment count */
|
||||
nskb->nfct = &ct->ct_general;
|
||||
nskb->nfctinfo = ctinfo;
|
||||
nf_ct_set(nskb, ct, ctinfo);
|
||||
nf_conntrack_get(skb_nfct(nskb));
|
||||
}
|
||||
|
||||
|
@ -554,8 +554,7 @@ static void nft_notrack_eval(const struct nft_expr *expr,
|
||||
|
||||
ct = nf_ct_untracked_get();
|
||||
atomic_inc(&ct->ct_general.use);
|
||||
skb->nfct = &ct->ct_general;
|
||||
skb->nfctinfo = IP_CT_NEW;
|
||||
nf_ct_set(skb, ct, IP_CT_NEW);
|
||||
}
|
||||
|
||||
static struct nft_expr_type nft_notrack_type;
|
||||
|
@ -30,8 +30,7 @@ static inline int xt_ct_target(struct sk_buff *skb, struct nf_conn *ct)
|
||||
if (!ct)
|
||||
ct = nf_ct_untracked_get();
|
||||
atomic_inc(&ct->ct_general.use);
|
||||
skb->nfct = &ct->ct_general;
|
||||
skb->nfctinfo = IP_CT_NEW;
|
||||
nf_ct_set(skb, ct, IP_CT_NEW);
|
||||
|
||||
return XT_CONTINUE;
|
||||
}
|
||||
@ -413,8 +412,7 @@ notrack_tg(struct sk_buff *skb, const struct xt_action_param *par)
|
||||
if (skb->nfct != NULL)
|
||||
return XT_CONTINUE;
|
||||
|
||||
skb->nfct = &nf_ct_untracked_get()->ct_general;
|
||||
skb->nfctinfo = IP_CT_NEW;
|
||||
nf_ct_set(skb, nf_ct_untracked_get(), IP_CT_NEW);
|
||||
nf_conntrack_get(skb_nfct(skb));
|
||||
|
||||
return XT_CONTINUE;
|
||||
|
@ -460,8 +460,7 @@ ovs_ct_find_existing(struct net *net, const struct nf_conntrack_zone *zone,
|
||||
|
||||
ct = nf_ct_tuplehash_to_ctrack(h);
|
||||
|
||||
skb->nfct = &ct->ct_general;
|
||||
skb->nfctinfo = ovs_ct_get_info(h);
|
||||
nf_ct_set(skb, ct, ovs_ct_get_info(h));
|
||||
return ct;
|
||||
}
|
||||
|
||||
@ -724,8 +723,7 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key,
|
||||
if (skb_nfct(skb))
|
||||
nf_conntrack_put(skb_nfct(skb));
|
||||
nf_conntrack_get(&tmpl->ct_general);
|
||||
skb->nfct = &tmpl->ct_general;
|
||||
skb->nfctinfo = IP_CT_NEW;
|
||||
nf_ct_set(skb, tmpl, IP_CT_NEW);
|
||||
}
|
||||
|
||||
err = nf_conntrack_in(net, info->family,
|
||||
|
Loading…
Reference in New Issue
Block a user