Commit 17e6e4ea authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso Committed by pablo

netfilter: conntrack: simplify event caching system

This patch simplifies the conntrack event caching system by removing
several events:

 * IPCT_[*]_VOLATILE, IPCT_HELPINFO and IPCT_NATINFO has been deleted
   since the have no clients.
 * IPCT_COUNTER_FILLING which is a leftover of the 32-bits counter
   days.
 * IPCT_REFRESH which is not of any use since we always include the
   timeout in the messages.

After this patch, the existing events are:

 * IPCT_NEW, IPCT_RELATED and IPCT_DESTROY, that are used to identify
 addition and deletion of entries.
 * IPCT_STATUS, that notes that the status bits have changes,
 eg. IPS_SEEN_REPLY and IPS_ASSURED.
 * IPCT_PROTOINFO, that reports that internal protocol information has
 changed, eg. the TCP, DCCP and SCTP protocol state.
 * IPCT_HELPER, that a helper has been assigned or unassigned to this
 entry.
 * IPCT_MARK and IPCT_SECMARK, that reports that the mark has changed, this
 covers the case when a mark is set to zero.
 * IPCT_NATSEQADJ, to report that there's updates in the NAT sequence
 adjustment.
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 6bfea198
...@@ -26,52 +26,28 @@ enum ip_conntrack_events ...@@ -26,52 +26,28 @@ enum ip_conntrack_events
IPCT_DESTROY_BIT = 2, IPCT_DESTROY_BIT = 2,
IPCT_DESTROY = (1 << IPCT_DESTROY_BIT), IPCT_DESTROY = (1 << IPCT_DESTROY_BIT),
/* Timer has been refreshed */
IPCT_REFRESH_BIT = 3,
IPCT_REFRESH = (1 << IPCT_REFRESH_BIT),
/* Status has changed */ /* Status has changed */
IPCT_STATUS_BIT = 4, IPCT_STATUS_BIT = 3,
IPCT_STATUS = (1 << IPCT_STATUS_BIT), IPCT_STATUS = (1 << IPCT_STATUS_BIT),
/* Update of protocol info */ /* Update of protocol info */
IPCT_PROTOINFO_BIT = 5, IPCT_PROTOINFO_BIT = 4,
IPCT_PROTOINFO = (1 << IPCT_PROTOINFO_BIT), IPCT_PROTOINFO = (1 << IPCT_PROTOINFO_BIT),
/* Volatile protocol info */
IPCT_PROTOINFO_VOLATILE_BIT = 6,
IPCT_PROTOINFO_VOLATILE = (1 << IPCT_PROTOINFO_VOLATILE_BIT),
/* New helper for conntrack */ /* New helper for conntrack */
IPCT_HELPER_BIT = 7, IPCT_HELPER_BIT = 5,
IPCT_HELPER = (1 << IPCT_HELPER_BIT), IPCT_HELPER = (1 << IPCT_HELPER_BIT),
/* Update of helper info */
IPCT_HELPINFO_BIT = 8,
IPCT_HELPINFO = (1 << IPCT_HELPINFO_BIT),
/* Volatile helper info */
IPCT_HELPINFO_VOLATILE_BIT = 9,
IPCT_HELPINFO_VOLATILE = (1 << IPCT_HELPINFO_VOLATILE_BIT),
/* NAT info */
IPCT_NATINFO_BIT = 10,
IPCT_NATINFO = (1 << IPCT_NATINFO_BIT),
/* Counter highest bit has been set, unused */
IPCT_COUNTER_FILLING_BIT = 11,
IPCT_COUNTER_FILLING = (1 << IPCT_COUNTER_FILLING_BIT),
/* Mark is set */ /* Mark is set */
IPCT_MARK_BIT = 12, IPCT_MARK_BIT = 6,
IPCT_MARK = (1 << IPCT_MARK_BIT), IPCT_MARK = (1 << IPCT_MARK_BIT),
/* NAT sequence adjustment */ /* NAT sequence adjustment */
IPCT_NATSEQADJ_BIT = 13, IPCT_NATSEQADJ_BIT = 7,
IPCT_NATSEQADJ = (1 << IPCT_NATSEQADJ_BIT), IPCT_NATSEQADJ = (1 << IPCT_NATSEQADJ_BIT),
/* Secmark is set */ /* Secmark is set */
IPCT_SECMARK_BIT = 14, IPCT_SECMARK_BIT = 8,
IPCT_SECMARK = (1 << IPCT_SECMARK_BIT), IPCT_SECMARK = (1 << IPCT_SECMARK_BIT),
}; };
......
...@@ -91,7 +91,6 @@ static int icmp_packet(struct nf_conn *ct, ...@@ -91,7 +91,6 @@ static int icmp_packet(struct nf_conn *ct,
nf_ct_kill_acct(ct, ctinfo, skb); nf_ct_kill_acct(ct, ctinfo, skb);
} else { } else {
atomic_inc(&ct->proto.icmp.count); atomic_inc(&ct->proto.icmp.count);
nf_conntrack_event_cache(IPCT_PROTOINFO_VOLATILE, ct);
nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_icmp_timeout); nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_icmp_timeout);
} }
......
...@@ -104,7 +104,6 @@ static int icmpv6_packet(struct nf_conn *ct, ...@@ -104,7 +104,6 @@ static int icmpv6_packet(struct nf_conn *ct,
nf_ct_kill_acct(ct, ctinfo, skb); nf_ct_kill_acct(ct, ctinfo, skb);
} else { } else {
atomic_inc(&ct->proto.icmp.count); atomic_inc(&ct->proto.icmp.count);
nf_conntrack_event_cache(IPCT_PROTOINFO_VOLATILE, ct);
nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_icmpv6_timeout); nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_icmpv6_timeout);
} }
......
...@@ -398,11 +398,7 @@ __nf_conntrack_confirm(struct sk_buff *skb) ...@@ -398,11 +398,7 @@ __nf_conntrack_confirm(struct sk_buff *skb)
help = nfct_help(ct); help = nfct_help(ct);
if (help && help->helper) if (help && help->helper)
nf_conntrack_event_cache(IPCT_HELPER, ct); nf_conntrack_event_cache(IPCT_HELPER, ct);
#ifdef CONFIG_NF_NAT_NEEDED
if (test_bit(IPS_SRC_NAT_DONE_BIT, &ct->status) ||
test_bit(IPS_DST_NAT_DONE_BIT, &ct->status))
nf_conntrack_event_cache(IPCT_NATINFO, ct);
#endif
nf_conntrack_event_cache(master_ct(ct) ? nf_conntrack_event_cache(master_ct(ct) ?
IPCT_RELATED : IPCT_NEW, ct); IPCT_RELATED : IPCT_NEW, ct);
return NF_ACCEPT; return NF_ACCEPT;
...@@ -807,8 +803,6 @@ void __nf_ct_refresh_acct(struct nf_conn *ct, ...@@ -807,8 +803,6 @@ void __nf_ct_refresh_acct(struct nf_conn *ct,
unsigned long extra_jiffies, unsigned long extra_jiffies,
int do_acct) int do_acct)
{ {
int event = 0;
NF_CT_ASSERT(ct->timeout.data == (unsigned long)ct); NF_CT_ASSERT(ct->timeout.data == (unsigned long)ct);
NF_CT_ASSERT(skb); NF_CT_ASSERT(skb);
...@@ -821,7 +815,6 @@ void __nf_ct_refresh_acct(struct nf_conn *ct, ...@@ -821,7 +815,6 @@ void __nf_ct_refresh_acct(struct nf_conn *ct,
/* If not in hash table, timer will not be active yet */ /* If not in hash table, timer will not be active yet */
if (!nf_ct_is_confirmed(ct)) { if (!nf_ct_is_confirmed(ct)) {
ct->timeout.expires = extra_jiffies; ct->timeout.expires = extra_jiffies;
event = IPCT_REFRESH;
} else { } else {
unsigned long newtime = jiffies + extra_jiffies; unsigned long newtime = jiffies + extra_jiffies;
...@@ -832,7 +825,6 @@ void __nf_ct_refresh_acct(struct nf_conn *ct, ...@@ -832,7 +825,6 @@ void __nf_ct_refresh_acct(struct nf_conn *ct,
&& del_timer(&ct->timeout)) { && del_timer(&ct->timeout)) {
ct->timeout.expires = newtime; ct->timeout.expires = newtime;
add_timer(&ct->timeout); add_timer(&ct->timeout);
event = IPCT_REFRESH;
} }
} }
...@@ -849,10 +841,6 @@ void __nf_ct_refresh_acct(struct nf_conn *ct, ...@@ -849,10 +841,6 @@ void __nf_ct_refresh_acct(struct nf_conn *ct,
} }
spin_unlock_bh(&nf_conntrack_lock); spin_unlock_bh(&nf_conntrack_lock);
/* must be unlocked when calling event cache */
if (event)
nf_conntrack_event_cache(event, ct);
} }
EXPORT_SYMBOL_GPL(__nf_ct_refresh_acct); EXPORT_SYMBOL_GPL(__nf_ct_refresh_acct);
......
...@@ -338,11 +338,9 @@ static void update_nl_seq(struct nf_conn *ct, u32 nl_seq, ...@@ -338,11 +338,9 @@ static void update_nl_seq(struct nf_conn *ct, u32 nl_seq,
if (info->seq_aft_nl_num[dir] < NUM_SEQ_TO_REMEMBER) { if (info->seq_aft_nl_num[dir] < NUM_SEQ_TO_REMEMBER) {
info->seq_aft_nl[dir][info->seq_aft_nl_num[dir]++] = nl_seq; info->seq_aft_nl[dir][info->seq_aft_nl_num[dir]++] = nl_seq;
nf_conntrack_event_cache(IPCT_HELPINFO_VOLATILE, ct);
} else if (oldest != NUM_SEQ_TO_REMEMBER && } else if (oldest != NUM_SEQ_TO_REMEMBER &&
after(nl_seq, info->seq_aft_nl[dir][oldest])) { after(nl_seq, info->seq_aft_nl[dir][oldest])) {
info->seq_aft_nl[dir][oldest] = nl_seq; info->seq_aft_nl[dir][oldest] = nl_seq;
nf_conntrack_event_cache(IPCT_HELPINFO_VOLATILE, ct);
} }
} }
......
...@@ -477,7 +477,7 @@ static int ctnetlink_conntrack_event(struct notifier_block *this, ...@@ -477,7 +477,7 @@ static int ctnetlink_conntrack_event(struct notifier_block *this,
type = IPCTNL_MSG_CT_NEW; type = IPCTNL_MSG_CT_NEW;
flags = NLM_F_CREATE|NLM_F_EXCL; flags = NLM_F_CREATE|NLM_F_EXCL;
group = NFNLGRP_CONNTRACK_NEW; group = NFNLGRP_CONNTRACK_NEW;
} else if (events & (IPCT_STATUS | IPCT_PROTOINFO)) { } else if (events) {
type = IPCTNL_MSG_CT_NEW; type = IPCTNL_MSG_CT_NEW;
group = NFNLGRP_CONNTRACK_UPDATE; group = NFNLGRP_CONNTRACK_UPDATE;
} else } else
......
...@@ -991,7 +991,6 @@ static int tcp_packet(struct nf_conn *ct, ...@@ -991,7 +991,6 @@ static int tcp_packet(struct nf_conn *ct,
timeout = tcp_timeouts[new_state]; timeout = tcp_timeouts[new_state];
write_unlock_bh(&tcp_lock); write_unlock_bh(&tcp_lock);
nf_conntrack_event_cache(IPCT_PROTOINFO_VOLATILE, ct);
if (new_state != old_state) if (new_state != old_state)
nf_conntrack_event_cache(IPCT_PROTOINFO, ct); nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment