← Back to branch summary

~ubuntu-branches/ubuntu/precise/linux-lowlatency/precise

« back to all changes in this revision

Viewing changes to net/netfilter/xt_CT.c

  • Committer: Package Import Robot
  • Author(s): Alessio Igor Bogani
  • Date: 2011-10-26 11:13:05 UTC
  • Revision ID: package-import@ubuntu.com-20111026111305-tz023xykf0i6eosh
Tags: upstream-3.2.0
ImportĀ upstreamĀ versionĀ 3.2.0

Show diffs side-by-side

added added

removed removed

Lines of Context:
net/netfilter/xt_CT.c
 
1
/*
 
2
 * Copyright (c) 2010 Patrick McHardy <kaber@trash.net>
 
3
 *
 
4
 * This program is free software; you can redistribute it and/or modify
 
5
 * it under the terms of the GNU General Public License version 2 as
 
6
 * published by the Free Software Foundation.
 
7
 */
 
8
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 
9
#include <linux/module.h>
 
10
#include <linux/gfp.h>
 
11
#include <linux/skbuff.h>
 
12
#include <linux/netfilter_ipv4/ip_tables.h>
 
13
#include <linux/netfilter_ipv6/ip6_tables.h>
 
14
#include <linux/netfilter/x_tables.h>
 
15
#include <linux/netfilter/xt_CT.h>
 
16
#include <net/netfilter/nf_conntrack.h>
 
17
#include <net/netfilter/nf_conntrack_helper.h>
 
18
#include <net/netfilter/nf_conntrack_ecache.h>
 
19
#include <net/netfilter/nf_conntrack_zones.h>
 
20
 
 
21
static unsigned int xt_ct_target(struct sk_buff *skb,
 
22
                                 const struct xt_action_param *par)
 
23
{
 
24
        const struct xt_ct_target_info *info = par->targinfo;
 
25
        struct nf_conn *ct = info->ct;
 
26
 
 
27
        /* Previously seen (loopback)? Ignore. */
 
28
        if (skb->nfct != NULL)
 
29
                return XT_CONTINUE;
 
30
 
 
31
        atomic_inc(&ct->ct_general.use);
 
32
        skb->nfct = &ct->ct_general;
 
33
        skb->nfctinfo = IP_CT_NEW;
 
34
 
 
35
        return XT_CONTINUE;
 
36
}
 
37
 
 
38
static u8 xt_ct_find_proto(const struct xt_tgchk_param *par)
 
39
{
 
40
        if (par->family == NFPROTO_IPV4) {
 
41
                const struct ipt_entry *e = par->entryinfo;
 
42
 
 
43
                if (e->ip.invflags & IPT_INV_PROTO)
 
44
                        return 0;
 
45
                return e->ip.proto;
 
46
        } else if (par->family == NFPROTO_IPV6) {
 
47
                const struct ip6t_entry *e = par->entryinfo;
 
48
 
 
49
                if (e->ipv6.invflags & IP6T_INV_PROTO)
 
50
                        return 0;
 
51
                return e->ipv6.proto;
 
52
        } else
 
53
                return 0;
 
54
}
 
55
 
 
56
static int xt_ct_tg_check(const struct xt_tgchk_param *par)
 
57
{
 
58
        struct xt_ct_target_info *info = par->targinfo;
 
59
        struct nf_conntrack_tuple t;
 
60
        struct nf_conn_help *help;
 
61
        struct nf_conn *ct;
 
62
        int ret = 0;
 
63
        u8 proto;
 
64
 
 
65
        if (info->flags & ~XT_CT_NOTRACK)
 
66
                return -EINVAL;
 
67
 
 
68
        if (info->flags & XT_CT_NOTRACK) {
 
69
                ct = nf_ct_untracked_get();
 
70
                atomic_inc(&ct->ct_general.use);
 
71
                goto out;
 
72
        }
 
73
 
 
74
#ifndef CONFIG_NF_CONNTRACK_ZONES
 
75
        if (info->zone)
 
76
                goto err1;
 
77
#endif
 
78
 
 
79
        ret = nf_ct_l3proto_try_module_get(par->family);
 
80
        if (ret < 0)
 
81
                goto err1;
 
82
 
 
83
        memset(&t, 0, sizeof(t));
 
84
        ct = nf_conntrack_alloc(par->net, info->zone, &t, &t, GFP_KERNEL);
 
85
        ret = PTR_ERR(ct);
 
86
        if (IS_ERR(ct))
 
87
                goto err2;
 
88
 
 
89
        ret = 0;
 
90
        if ((info->ct_events || info->exp_events) &&
 
91
            !nf_ct_ecache_ext_add(ct, info->ct_events, info->exp_events,
 
92
                                  GFP_KERNEL))
 
93
                goto err3;
 
94
 
 
95
        if (info->helper[0]) {
 
96
                ret = -ENOENT;
 
97
                proto = xt_ct_find_proto(par);
 
98
                if (!proto) {
 
99
                        pr_info("You must specify a L4 protocol, "
 
100
                                "and not use inversions on it.\n");
 
101
                        goto err3;
 
102
                }
 
103
 
 
104
                ret = -ENOMEM;
 
105
                help = nf_ct_helper_ext_add(ct, GFP_KERNEL);
 
106
                if (help == NULL)
 
107
                        goto err3;
 
108
 
 
109
                ret = -ENOENT;
 
110
                help->helper = nf_conntrack_helper_try_module_get(info->helper,
 
111
                                                                  par->family,
 
112
                                                                  proto);
 
113
                if (help->helper == NULL) {
 
114
                        pr_info("No such helper \"%s\"\n", info->helper);
 
115
                        goto err3;
 
116
                }
 
117
        }
 
118
 
 
119
        __set_bit(IPS_TEMPLATE_BIT, &ct->status);
 
120
        __set_bit(IPS_CONFIRMED_BIT, &ct->status);
 
121
out:
 
122
        info->ct = ct;
 
123
        return 0;
 
124
 
 
125
err3:
 
126
        nf_conntrack_free(ct);
 
127
err2:
 
128
        nf_ct_l3proto_module_put(par->family);
 
129
err1:
 
130
        return ret;
 
131
}
 
132
 
 
133
static void xt_ct_tg_destroy(const struct xt_tgdtor_param *par)
 
134
{
 
135
        struct xt_ct_target_info *info = par->targinfo;
 
136
        struct nf_conn *ct = info->ct;
 
137
        struct nf_conn_help *help;
 
138
 
 
139
        if (!nf_ct_is_untracked(ct)) {
 
140
                help = nfct_help(ct);
 
141
                if (help)
 
142
                        module_put(help->helper->me);
 
143
 
 
144
                nf_ct_l3proto_module_put(par->family);
 
145
        }
 
146
        nf_ct_put(info->ct);
 
147
}
 
148
 
 
149
static struct xt_target xt_ct_tg __read_mostly = {
 
150
        .name           = "CT",
 
151
        .family         = NFPROTO_UNSPEC,
 
152
        .targetsize     = sizeof(struct xt_ct_target_info),
 
153
        .checkentry     = xt_ct_tg_check,
 
154
        .destroy        = xt_ct_tg_destroy,
 
155
        .target         = xt_ct_target,
 
156
        .table          = "raw",
 
157
        .me             = THIS_MODULE,
 
158
};
 
159
 
 
160
static int __init xt_ct_tg_init(void)
 
161
{
 
162
        return xt_register_target(&xt_ct_tg);
 
163
}
 
164
 
 
165
static void __exit xt_ct_tg_exit(void)
 
166
{
 
167
        xt_unregister_target(&xt_ct_tg);
 
168
}
 
169
 
 
170
module_init(xt_ct_tg_init);
 
171
module_exit(xt_ct_tg_exit);
 
172
 
 
173
MODULE_LICENSE("GPL");
 
174
MODULE_DESCRIPTION("Xtables: connection tracking target");
 
175
MODULE_ALIAS("ipt_CT");
 
176
MODULE_ALIAS("ip6t_CT");