/*
* connection tracking event cache.
*/
#ifndef _NF_CONNTRACK_ECACHE_H
#define _NF_CONNTRACK_ECACHE_H
#include <net/netfilter/nf_conntrack.h>
#include <linux/interrupt.h>
#include <net/net_namespace.h>
#include <net/netfilter/nf_conntrack_expect.h>
/*
 * Connection tracking event bits.
 *
 * Every event comes as a pair: the bit index (IPCT_*_BIT) and the mask
 * derived from it (IPCT_* == 1 << IPCT_*_BIT).  The masks are what gets
 * OR'd into an event set (see nf_conntrack_ecache.events).
 */
enum ip_conntrack_events {
	IPCT_NEW_BIT = 0,
	IPCT_NEW = 1 << IPCT_NEW_BIT,			/* new conntrack */

	IPCT_RELATED_BIT = 1,
	IPCT_RELATED = 1 << IPCT_RELATED_BIT,		/* expected connection */

	IPCT_DESTROY_BIT = 2,
	IPCT_DESTROY = 1 << IPCT_DESTROY_BIT,		/* destroyed conntrack */

	IPCT_STATUS_BIT = 3,
	IPCT_STATUS = 1 << IPCT_STATUS_BIT,		/* status bits changed */

	IPCT_PROTOINFO_BIT = 4,
	IPCT_PROTOINFO = 1 << IPCT_PROTOINFO_BIT,	/* protocol info updated */

	IPCT_HELPER_BIT = 5,
	IPCT_HELPER = 1 << IPCT_HELPER_BIT,		/* new helper assigned */

	IPCT_MARK_BIT = 6,
	IPCT_MARK = 1 << IPCT_MARK_BIT,			/* mark set */

	IPCT_NATSEQADJ_BIT = 7,
	IPCT_NATSEQADJ = 1 << IPCT_NATSEQADJ_BIT,	/* NAT sequence adjustment */

	IPCT_SECMARK_BIT = 8,
	IPCT_SECMARK = 1 << IPCT_SECMARK_BIT,		/* secmark set */
};
/*
 * Expectation event bits, same bit-index/mask pairing as
 * enum ip_conntrack_events.
 */
enum ip_conntrack_expect_events {
	IPEXP_NEW_BIT = 0,
	IPEXP_NEW = 1 << IPEXP_NEW_BIT,		/* new expectation */
};
#ifdef CONFIG_NF_CONNTRACK_EVENTS
/*
 * One event cache slot; nf_conntrack_event_cache() addresses these per CPU
 * through net->ct.ecache.
 */
struct nf_conntrack_ecache {
	struct nf_conn *ct;	/* conntrack the cached events belong to */
	unsigned int events;	/* OR'd IPCT_* masks accumulated for @ct */
};
/*
 * This structure is passed to the event handler.  It is built on the stack
 * by nf_conntrack_event_report(); @pid and @report are copied from that
 * call's arguments unchanged, so their meaning is defined by the caller and
 * the registered notifier, not by this header.
 */
struct nf_ct_event {
	struct nf_conn *ct;	/* conntrack the event is about */
	u32 pid;		/* forwarded from nf_conntrack_event_report() */
	int report;		/* forwarded from nf_conntrack_event_report() */
};
/*
 * Conntrack event notifier.  @fcn is invoked under rcu_read_lock() from
 * nf_conntrack_event_report() with the IPCT_* mask and a stack-allocated
 * item; its int return value is not examined by that caller.
 */
struct nf_ct_event_notifier {
	int (*fcn)(unsigned int events, struct nf_ct_event *item);
};
/*
 * Registered conntrack notifier.  Read via rcu_dereference() in
 * nf_conntrack_event_report(), which tolerates NULL; registration and
 * unregistration are implemented elsewhere.
 */
extern struct nf_ct_event_notifier *nf_conntrack_event_cb;
extern int nf_conntrack_register_notifier(struct nf_ct_event_notifier *nb);
extern void nf_conntrack_unregister_notifier(struct nf_ct_event_notifier *nb);

/* Deliver whatever is cached for @ct (implementation not in this header). */
extern void nf_ct_deliver_cached_events(const struct nf_conn *ct);
/*
 * Called by nf_conntrack_event_cache() when the current CPU's slot holds a
 * different conntrack; the caller assumes the slot belongs to @ct afterwards.
 */
extern void __nf_ct_event_cache_init(struct nf_conn *ct);
/* Per-netns flush of the event cache (implementation not in this header). */
extern void nf_ct_event_cache_flush(struct net *net);
/*
 * Record @event in this CPU's event cache slot for @ct.
 *
 * Bottom halves are disabled around the per-CPU access so the slot cannot
 * be touched concurrently from softirq context on the same CPU.  If the
 * slot currently belongs to another conntrack, __nf_ct_event_cache_init()
 * is invoked for @ct first; the slot is then assumed to be @ct's without a
 * re-check, which is the original's contract as well.
 */
static inline void
nf_conntrack_event_cache(enum ip_conntrack_events event, struct nf_conn *ct)
{
	struct net *net = nf_ct_net(ct);
	struct nf_conntrack_ecache *slot;

	local_bh_disable();
	slot = per_cpu_ptr(net->ct.ecache, raw_smp_processor_id());
	if (slot->ct != ct)
		__nf_ct_event_cache_init(ct);
	slot->events |= event;
	local_bh_enable();
}
/*
 * Deliver @event for @ct synchronously to the registered notifier.
 *
 * Nothing happens when no notifier is registered, or when @ct is not yet
 * confirmed or is already dying.  @pid and @report are forwarded to the
 * callback unchanged and the callback's return value is ignored.  The
 * notifier pointer is read under rcu_read_lock() and stays valid until
 * the unlock.
 */
static inline void
nf_conntrack_event_report(enum ip_conntrack_events event,
			  struct nf_conn *ct,
			  u32 pid,
			  int report)
{
	struct nf_ct_event_notifier *nb;

	rcu_read_lock();
	nb = rcu_dereference(nf_conntrack_event_cb);
	/*
	 * The NULL test must stay first: the confirmed/dying checks are only
	 * evaluated when a notifier exists, exactly as before.
	 */
	if (nb != NULL && nf_ct_is_confirmed(ct) && !nf_ct_is_dying(ct)) {
		struct nf_ct_event item = {
			.ct = ct,
			.pid = pid,
			.report = report,
		};

		nb->fcn(event, &item);
	}
	rcu_read_unlock();
}
/*
 * Report @event for @ct with pid 0 and report 0, i.e. the plain form of
 * nf_conntrack_event_report() with no requester information attached.
 */
static inline void nf_conntrack_event(enum ip_conntrack_events event,
				      struct nf_conn *ct)
{
	nf_conntrack_event_report(event, ct, 0, 0);
}
/*
 * Passed to the expectation event handler.  Built on the stack by
 * nf_ct_expect_event_report(); @pid and @report are copied from that
 * call's arguments unchanged.
 */
struct nf_exp_event {
	struct nf_conntrack_expect *exp;	/* expectation the event is about */
	u32 pid;				/* forwarded from nf_ct_expect_event_report() */
	int report;				/* forwarded from nf_ct_expect_event_report() */
};
/*
 * Expectation event notifier.  @fcn is invoked under rcu_read_lock() from
 * nf_ct_expect_event_report() with the IPEXP_* mask and a stack-allocated
 * item; its int return value is not examined by that caller.
 */
struct nf_exp_event_notifier {
	int (*fcn)(unsigned int events, struct nf_exp_event *item);
};
/*
 * Registered expectation notifier.  Read via rcu_dereference() in
 * nf_ct_expect_event_report(), which tolerates NULL; registration and
 * unregistration are implemented elsewhere.
 */
extern struct nf_exp_event_notifier *nf_expect_event_cb;
extern int nf_ct_expect_register_notifier(struct nf_exp_event_notifier *nb);
extern void nf_ct_expect_unregister_notifier(struct nf_exp_event_notifier *nb);
/*
 * Deliver @event for @exp synchronously to the registered expectation
 * notifier, if any.
 *
 * Unlike nf_conntrack_event_report() there is no confirmed/dying filter:
 * whenever a notifier is registered the callback runs.  @pid and @report
 * are forwarded unchanged and the callback's return value is ignored.
 * The notifier pointer is read under rcu_read_lock().
 */
static inline void
nf_ct_expect_event_report(enum ip_conntrack_expect_events event,
			  struct nf_conntrack_expect *exp,
			  u32 pid,
			  int report)
{
	struct nf_exp_event_notifier *nb;

	rcu_read_lock();
	nb = rcu_dereference(nf_expect_event_cb);
	if (nb != NULL) {
		struct nf_exp_event item = {
			.exp = exp,
			.pid = pid,
			.report = report,
		};

		nb->fcn(event, &item);
	}
	rcu_read_unlock();
}
/*
 * Report @event for @exp with pid 0 and report 0, i.e. the plain form of
 * nf_ct_expect_event_report() with no requester information attached.
 */
static inline void nf_ct_expect_event(enum ip_conntrack_expect_events event,
				      struct nf_conntrack_expect *exp)
{
	nf_ct_expect_event_report(event, exp, 0, 0);
}
/*
 * Per-netns setup and teardown of the event cache.  Without
 * CONFIG_NF_CONNTRACK_EVENTS the stubs below return 0 and do nothing.
 */
extern int nf_conntrack_ecache_init(struct net *net);
extern void nf_conntrack_ecache_fini(struct net *net);
#else /* CONFIG_NF_CONNTRACK_EVENTS */
/* Event support not configured: caching an event is a no-op. */
static inline void
nf_conntrack_event_cache(enum ip_conntrack_events event, struct nf_conn *ct)
{
}
/* Event support not configured: reporting an event is a no-op. */
static inline void
nf_conntrack_event(enum ip_conntrack_events event, struct nf_conn *ct)
{
}
/* Event support not configured: @pid and @report are discarded. */
static inline void
nf_conntrack_event_report(enum ip_conntrack_events event, struct nf_conn *ct,
			  u32 pid, int report)
{
}
/* Event support not configured: there is no cache to deliver from. */
static inline void
nf_ct_deliver_cached_events(const struct nf_conn *ct)
{
}
/* Event support not configured: expectation events are a no-op. */
static inline void
nf_ct_expect_event(enum ip_conntrack_expect_events event,
		   struct nf_conntrack_expect *exp)
{
}
/* Event support not configured: @pid and @report are discarded. */
static inline void
nf_ct_expect_event_report(enum ip_conntrack_expect_events e,
			  struct nf_conntrack_expect *exp, u32 pid, int report)
{
}
/* Event support not configured: nothing to flush. */
static inline void
nf_ct_event_cache_flush(struct net *net)
{
}
/* Event support not configured: init always succeeds with nothing to do. */
static inline int
nf_conntrack_ecache_init(struct net *net)
{
	return 0;	/* success; no per-netns state exists in this build */
}
/* Event support not configured: nothing to tear down. */
static inline void
nf_conntrack_ecache_fini(struct net *net)
{
}
#endif /* CONFIG_NF_CONNTRACK_EVENTS */
#endif /*_NF_CONNTRACK_ECACHE_H*/