29 Aug, 2018 (2 commits)
      netfilter: nf_tables: rework ct timeout set support · 0434ccdc
      Florian Westphal authored
      Using a private template is problematic:
      
      1. We can't assign both a zone and a timeout policy
         (zone assigns a conntrack template, so we hit problem 1)
      2. Using a template needs to take care of ct refcount, else we'll
         eventually free the private template due to ->use underflow.
      
      This patch reworks template policy to instead work with existing conntrack.
      
      As long as such conntrack has not yet been placed into the hash table
      (unconfirmed) we can still add the timeout extension.
      
      The only caveat is that we now need to update/correct ct->timeout to
      reflect the initial/new state, otherwise the conntrack entry retains the
      default 'new' timeout.
      
      A side effect of this change is that setting the policy must
      now occur from chains that are evaluated *after* the conntrack lookup
      has taken place.
      
      No released kernel contains the timeout policy feature yet, so this change
      should be ok.
      
      Changes since v2:
       - don't handle 'ct is confirmed case'
       - after previous patch, no need to special-case tcp/dccp/sctp timeout
         anymore
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
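The practical consequence of the commit above is the chain placement: after this change a `ct timeout set` rule only works from a chain that runs after conntrack has looked the packet up, and only while the entry is still unconfirmed (the first packet of a flow). The ruleset below is an added illustration of that, not code from the patch or from the netfilter project; the syntax follows the `ct timeout` object and `ct timeout set` statement of nft(8), while the table and object names ("filter", "agg-tcp"), the port and the timeout values are made up for the example.

```nft
# Added example (not from the patches on this page).  Object name "agg-tcp",
# port 8080 and the timeout values are hypothetical.
table ip filter {
    # Timeout policy object.  Keys are the per-protocol conntrack state
    # names as seen in ctnetlink; a state that is not listed keeps the
    # kernel default.
    ct timeout agg-tcp {
        protocol tcp;
        l3proto ip;
        policy = { established: 600, close_wait: 30, close: 10 }
    }

    # WRONG placement after this rework: priority "raw" (-300) is evaluated
    # before the conntrack hook (-200), so there is no conntrack entry yet
    # for the rule to attach the policy to and the rule has no effect.
    # chain early {
    #     type filter hook prerouting priority raw; policy accept;
    #     tcp dport 8080 ct timeout set "agg-tcp"
    # }

    # Correct placement: a chain evaluated after the conntrack lookup.  The
    # policy is attached to the still-unconfirmed entry, so match on the
    # first packet of the flow ("ct state new"); later packets hit a
    # confirmed entry and the statement does nothing for them.
    chain forward {
        type filter hook forward priority filter; policy accept;
        ct state new tcp dport 8080 ct timeout set "agg-tcp"
    }
}
```

Load it with `nft -f <file>` on a kernel that carries the ct timeout feature, open a connection to the port, and compare the remaining timeout reported by `conntrack -L` (conntrack-tools) against the default; if the rule sits in a priority "raw" chain instead, the entry keeps the default timeouts.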
      netfilter: conntrack: place 'new' timeout in first location too · ef39078d
      Florian Westphal authored
      tcp, sctp and dccp trackers re-use the userspace ctnetlink states
      to index their timeout arrays, which means timeout[0] is never
      used.  Copy the 'new' state (syn-sent, dccp-request, ...) to 0 as well
      so external users can simply read it off timeouts[0] without need to
      differentiate dccp/sctp/tcp and udp/icmp/gre/generic.
      
      The alternative is to map all array accesses to 'i - 1', but that
      is a much more intrusive change.
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>