Commit 2c8503f5 authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso
Browse files

netfilter: nf_conntrack: pass timeout array to l4->new and l4->packet 



This patch defines a new interface for l4 protocol trackers:

unsigned int *(*get_timeouts)(struct net *net);

that is used to return the array of unsigned int that contains
the timeouts that will be applied for this flow. This is passed
to the l4proto->new(...) and l4proto->packet(...) functions to
specify the timeout policy.

This interface allows per-net global timeout configuration
(although only DCCP supports this by now) and it will allow
custom custom timeout configuration by means of follow-up
patches.

Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent b888341c

include/net/netfilter/nf_conntrack_l4proto.h

+6 −2
Original line number Diff line number Diff line
@@ -39,12 +39,13 @@ struct nf_conntrack_l4proto { 
		      unsigned int dataoff,

		      enum ip_conntrack_info ctinfo,

		      u_int8_t pf,

		      unsigned int hooknum);

		      unsigned int hooknum,

		      unsigned int *timeouts);



	/* Called when a new connection for this protocol found;

	 * returns TRUE if it's OK.  If so, packet() called next. */

	bool (*new)(struct nf_conn *ct, const struct sk_buff *skb,

		    unsigned int dataoff);

		    unsigned int dataoff, unsigned int *timeouts);



	/* Called when a conntrack entry is destroyed */

	void (*destroy)(struct nf_conn *ct);
@@ -60,6 +61,9 @@ struct nf_conntrack_l4proto { 
	/* Print out the private part of the conntrack. */

	int (*print_conntrack)(struct seq_file *s, struct nf_conn *);



	/* Return the array of timeouts for this protocol. */

	unsigned int *(*get_timeouts)(struct net *net);



	/* convert protoinfo to nfnetink attributes */

	int (*to_nlattr)(struct sk_buff *skb, struct nlattr *nla,

			 struct nf_conn *ct);

net/ipv4/netfilter/nf_conntrack_proto_icmp.c

+10 −3
Original line number Diff line number Diff line
@@ -75,25 +75,31 @@ static int icmp_print_tuple(struct seq_file *s, 
			  ntohs(tuple->src.u.icmp.id));

}



static unsigned int *icmp_get_timeouts(struct net *net)

{

	return &nf_ct_icmp_timeout;

}



/* Returns verdict for packet, or -1 for invalid. */

static int icmp_packet(struct nf_conn *ct,

		       const struct sk_buff *skb,

		       unsigned int dataoff,

		       enum ip_conntrack_info ctinfo,

		       u_int8_t pf,

		       unsigned int hooknum)

		       unsigned int hooknum,

		       unsigned int *timeout)

{

	/* Do not immediately delete the connection after the first

	   successful reply to avoid excessive conntrackd traffic

	   and also to handle correctly ICMP echo reply duplicates. */

	nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_icmp_timeout);

	nf_ct_refresh_acct(ct, ctinfo, skb, *timeout);



	return NF_ACCEPT;

}



/* Called when a new connection for this protocol found. */

static bool icmp_new(struct nf_conn *ct, const struct sk_buff *skb,

		     unsigned int dataoff)

		     unsigned int dataoff, unsigned int *timeouts)

{

	static const u_int8_t valid_new[] = {

		[ICMP_ECHO] = 1,
@@ -298,6 +304,7 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp __read_mostly = 
	.invert_tuple		= icmp_invert_tuple,

	.print_tuple		= icmp_print_tuple,

	.packet			= icmp_packet,

	.get_timeouts		= icmp_get_timeouts,

	.new			= icmp_new,

	.error			= icmp_error,

	.destroy		= NULL,

net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c

+10 −3
Original line number Diff line number Diff line
@@ -88,25 +88,31 @@ static int icmpv6_print_tuple(struct seq_file *s, 
			  ntohs(tuple->src.u.icmp.id));

}



static unsigned int *icmpv6_get_timeouts(struct net *net)

{

	return &nf_ct_icmpv6_timeout;

}



/* Returns verdict for packet, or -1 for invalid. */

static int icmpv6_packet(struct nf_conn *ct,

		       const struct sk_buff *skb,

		       unsigned int dataoff,

		       enum ip_conntrack_info ctinfo,

		       u_int8_t pf,

		       unsigned int hooknum)

		       unsigned int hooknum,

		       unsigned int *timeout)

{

	/* Do not immediately delete the connection after the first

	   successful reply to avoid excessive conntrackd traffic

	   and also to handle correctly ICMP echo reply duplicates. */

	nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_icmpv6_timeout);

	nf_ct_refresh_acct(ct, ctinfo, skb, *timeout);



	return NF_ACCEPT;

}



/* Called when a new connection for this protocol found. */

static bool icmpv6_new(struct nf_conn *ct, const struct sk_buff *skb,

		       unsigned int dataoff)

		       unsigned int dataoff, unsigned int *timeouts)

{

	static const u_int8_t valid_new[] = {

		[ICMPV6_ECHO_REQUEST - 128] = 1,
@@ -293,6 +299,7 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_icmpv6 __read_mostly = 
	.invert_tuple		= icmpv6_invert_tuple,

	.print_tuple		= icmpv6_print_tuple,

	.packet			= icmpv6_packet,

	.get_timeouts		= icmpv6_get_timeouts,

	.new			= icmpv6_new,

	.error			= icmpv6_error,

#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)

net/netfilter/nf_conntrack_core.c

+12 −6
Original line number Diff line number Diff line
@@ -763,7 +763,8 @@ init_conntrack(struct net *net, struct nf_conn *tmpl, 
	       struct nf_conntrack_l3proto *l3proto,

	       struct nf_conntrack_l4proto *l4proto,

	       struct sk_buff *skb,

	       unsigned int dataoff, u32 hash)

	       unsigned int dataoff, u32 hash,

	       unsigned int *timeouts)

{

	struct nf_conn *ct;

	struct nf_conn_help *help;
@@ -782,7 +783,7 @@ init_conntrack(struct net *net, struct nf_conn *tmpl, 
	if (IS_ERR(ct))

		return (struct nf_conntrack_tuple_hash *)ct;



	if (!l4proto->new(ct, skb, dataoff)) {

	if (!l4proto->new(ct, skb, dataoff, timeouts)) {

		nf_conntrack_free(ct);

		pr_debug("init conntrack: can't track with proto module\n");

		return NULL;
@@ -848,7 +849,8 @@ resolve_normal_ct(struct net *net, struct nf_conn *tmpl, 
		  struct nf_conntrack_l3proto *l3proto,

		  struct nf_conntrack_l4proto *l4proto,

		  int *set_reply,

		  enum ip_conntrack_info *ctinfo)

		  enum ip_conntrack_info *ctinfo,

		  unsigned int *timeouts)

{

	struct nf_conntrack_tuple tuple;

	struct nf_conntrack_tuple_hash *h;
@@ -868,7 +870,7 @@ resolve_normal_ct(struct net *net, struct nf_conn *tmpl, 
	h = __nf_conntrack_find_get(net, zone, &tuple, hash);

	if (!h) {

		h = init_conntrack(net, tmpl, &tuple, l3proto, l4proto,

				   skb, dataoff, hash);

				   skb, dataoff, hash, timeouts);

		if (!h)

			return NULL;

		if (IS_ERR(h))
@@ -909,6 +911,7 @@ nf_conntrack_in(struct net *net, u_int8_t pf, unsigned int hooknum, 
	enum ip_conntrack_info ctinfo;

	struct nf_conntrack_l3proto *l3proto;

	struct nf_conntrack_l4proto *l4proto;

	unsigned int *timeouts;

	unsigned int dataoff;

	u_int8_t protonum;

	int set_reply = 0;
@@ -955,8 +958,11 @@ nf_conntrack_in(struct net *net, u_int8_t pf, unsigned int hooknum, 
			goto out;

	}



	timeouts = l4proto->get_timeouts(net);



	ct = resolve_normal_ct(net, tmpl, skb, dataoff, pf, protonum,

			       l3proto, l4proto, &set_reply, &ctinfo);

			       l3proto, l4proto, &set_reply, &ctinfo,

			       timeouts);

	if (!ct) {

		/* Not valid part of a connection */

		NF_CT_STAT_INC_ATOMIC(net, invalid);
@@ -973,7 +979,7 @@ nf_conntrack_in(struct net *net, u_int8_t pf, unsigned int hooknum, 


	NF_CT_ASSERT(skb->nfct);



	ret = l4proto->packet(ct, skb, dataoff, ctinfo, pf, hooknum);

	ret = l4proto->packet(ct, skb, dataoff, ctinfo, pf, hooknum, timeouts);

	if (ret <= 0) {

		/* Invalid: inverse of the return code tells

		 * the netfilter core what to do */

net/netfilter/nf_conntrack_proto_dccp.c

+11 −5
Original line number Diff line number Diff line
@@ -423,7 +423,7 @@ static bool dccp_invert_tuple(struct nf_conntrack_tuple *inv, 
}



static bool dccp_new(struct nf_conn *ct, const struct sk_buff *skb,

		     unsigned int dataoff)

		     unsigned int dataoff, unsigned int *timeouts)

{

	struct net *net = nf_ct_net(ct);

	struct dccp_net *dn;
@@ -472,12 +472,17 @@ static u64 dccp_ack_seq(const struct dccp_hdr *dh) 
		     ntohl(dhack->dccph_ack_nr_low);

}



static unsigned int *dccp_get_timeouts(struct net *net)

{

	return dccp_pernet(net)->dccp_timeout;

}



static int dccp_packet(struct nf_conn *ct, const struct sk_buff *skb,

		       unsigned int dataoff, enum ip_conntrack_info ctinfo,

		       u_int8_t pf, unsigned int hooknum)

		       u_int8_t pf, unsigned int hooknum,

		       unsigned int *timeouts)

{

	struct net *net = nf_ct_net(ct);

	struct dccp_net *dn;

	enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);

	struct dccp_hdr _dh, *dh;

	u_int8_t type, old_state, new_state;
@@ -559,8 +564,7 @@ static int dccp_packet(struct nf_conn *ct, const struct sk_buff *skb, 
	if (new_state != old_state)

		nf_conntrack_event_cache(IPCT_PROTOINFO, ct);



	dn = dccp_pernet(net);

	nf_ct_refresh_acct(ct, ctinfo, skb, dn->dccp_timeout[new_state]);

	nf_ct_refresh_acct(ct, ctinfo, skb, timeouts[new_state]);



	return NF_ACCEPT;

}
@@ -767,6 +771,7 @@ static struct nf_conntrack_l4proto dccp_proto4 __read_mostly = { 
	.invert_tuple		= dccp_invert_tuple,

	.new			= dccp_new,

	.packet			= dccp_packet,

	.get_timeouts		= dccp_get_timeouts,

	.error			= dccp_error,

	.print_tuple		= dccp_print_tuple,

	.print_conntrack	= dccp_print_conntrack,
@@ -789,6 +794,7 @@ static struct nf_conntrack_l4proto dccp_proto6 __read_mostly = { 
	.invert_tuple		= dccp_invert_tuple,

	.new			= dccp_new,

	.packet			= dccp_packet,

	.get_timeouts		= dccp_get_timeouts,

	.error			= dccp_error,

	.print_tuple		= dccp_print_tuple,

	.print_conntrack	= dccp_print_conntrack,

CRA Git | Maintained and supported by SUSTech CRA and CCSE