1. 03 Jun, 2009 1 commit
    • Pablo Neira Ayuso's avatar
      netfilter: conntrack: replace notify chain by function pointer · e34d5c1a
      Pablo Neira Ayuso authored
      This patch removes the notify chain infrastructure and replace it
      by a simple function pointer. This issue has been mentioned in the
      mailing list several times: the use of the notify chain adds
      too much overhead for something that is only used by ctnetlink.
      
      This patch also changes nfnetlink_send(). It seems that gfp_any()
      returns GFP_KERNEL for user-context request, like those via
      ctnetlink, inside the RCU read-side section which is not valid.
      Using GFP_KERNEL is also evil since netlink may schedule(),
      this leads to "scheduling while atomic" bug reports.
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      e34d5c1a
  2. 02 Jun, 2009 10 commits
    • Pablo Neira Ayuso's avatar
      netfilter: conntrack: simplify event caching system · 17e6e4ea
      Pablo Neira Ayuso authored
      This patch simplifies the conntrack event caching system by removing
      several events:
      
       * IPCT_[*]_VOLATILE, IPCT_HELPINFO and IPCT_NATINFO has been deleted
         since the have no clients.
       * IPCT_COUNTER_FILLING which is a leftover of the 32-bits counter
         days.
       * IPCT_REFRESH which is not of any use since we always include the
         timeout in the messages.
      
      After this patch, the existing events are:
      
       * IPCT_NEW, IPCT_RELATED and IPCT_DESTROY, that are used to identify
       addition and deletion of entries.
       * IPCT_STATUS, that notes that the status bits have changes,
       eg. IPS_SEEN_REPLY and IPS_ASSURED.
       * IPCT_PROTOINFO, that reports that internal protocol information has
       changed, eg. the TCP, DCCP and SCTP protocol state.
       * IPCT_HELPER, that a helper has been assigned or unassigned to this
       entry.
       * IPCT_MARK and IPCT_SECMARK, that reports that the mark has changed, this
       covers the case when a mark is set to zero.
       * IPCT_NATSEQADJ, to report that there's updates in the NAT sequence
       adjustment.
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      17e6e4ea
    • Pablo Neira Ayuso's avatar
      netfilter: conntrack: remove events flags from userspace exposed file · 6bfea198
      Pablo Neira Ayuso authored
      This patch moves the event flags from linux/netfilter/nf_conntrack_common.h
      to net/netfilter/nf_conntrack_ecache.h. This flags are not of any use
      from userspace.
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      6bfea198
    • Pablo Neira Ayuso's avatar
      netfilter: conntrack: don't report events on module removal · 274d383b
      Pablo Neira Ayuso authored
      During the module removal there are no possible event listeners
      since ctnetlink must be removed before to allow removing
      nf_conntrack. This patch removes the event reporting for the
      module removal case which is not of any use in the existing code.
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      274d383b
    • Pablo Neira Ayuso's avatar
      netfilter: ctnetlink: cleanup message-size calculation · 03b64f51
      Pablo Neira Ayuso authored
      This patch cleans up the message calculation to make it similar
      to rtnetlink, moreover, it removes unneeded verbose information.
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      03b64f51
    • Pablo Neira Ayuso's avatar
      netfilter: ctnetlink: use nlmsg_* helper function to build messages · 96bcf938
      Pablo Neira Ayuso authored
      Replaces the old macros to build Netlink messages with the
      new nlmsg_*() helper functions.
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      96bcf938
    • Pablo Neira Ayuso's avatar
      netfilter: ctnetlink: rename tuple() by nf_ct_tuple() macro definition · f2f3e38c
      Pablo Neira Ayuso authored
      This patch move the internal tuple() macro definition to the
      header file as nf_ct_tuple().
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      f2f3e38c
    • Pablo Neira Ayuso's avatar
      netfilter: ctnetlink: remove nowait parameter from *fill_info() · 8b0a231d
      Pablo Neira Ayuso authored
      This patch is a cleanup, it removes the `nowait' parameter
      from all *fill_info() function since it is always set to one.
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      8b0a231d
    • Pablo Neira Ayuso's avatar
      netfilter: nfnetlink: cleanup for nfnetlink_rcv_msg() function · f49c857f
      Pablo Neira Ayuso authored
      This patch cleans up the message handling path in two aspects:
      
       * it uses NLMSG_LENGTH() instead of NLMSG_SPACE() like rtnetlink
      does in this case to check if there is enough room for the
      Netlink/nfnetlink headers. No need to check for the padding room.
      
       * it removes a redundant header size checking that has been
       already do at the beginning of the function.
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      f49c857f
    • Jozsef Kadlecsik's avatar
      netfilter: nf_ct_tcp: TCP simultaneous open support · 874ab923
      Jozsef Kadlecsik authored
      The patch below adds supporting TCP simultaneous open to conntrack. The
      unused LISTEN state is replaced by a new state (SYN_SENT2) denoting the
      second SYN sent from the reply direction in the new case. The state table
      is updated and the function tcp_in_window is modified to handle
      simultaneous open.
      
      The functionality can fairly easily be tested by socat. A sample tcpdump
      recording
      
      23:21:34.244733 IP (tos 0x0, ttl 64, id 49224, offset 0, flags [DF], proto TCP (6), length 60) 192.168.0.254.2020 > 192.168.0.1.2020: S, cksum 0xe75f (correct), 3383710133:3383710133(0) win 5840 <mss 1460,sackOK,timestamp 173445629 0,nop,wscale 7>
      23:21:34.244783 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 40) 192.168.0.1.2020 > 192.168.0.254.2020: R, cksum 0x0253 (correct), 0:0(0) ack 3383710134 win 0
      23:21:36.038680 IP (tos 0x0, ttl 64, id 28092, offset 0, flags [DF], proto TCP (6), length 60) 192.168.0.1.2020 > 192.168.0.254.2020: S, cksum 0x704b (correct), 2634546729:2634546729(0) win 5840 <mss 1460,sackOK,timestamp 824213 0,nop,wscale 1>
      23:21:36.038777 IP (tos 0x0, ttl 64, id 49225, offset 0, flags [DF], proto TCP (6), length 60) 192.168.0.254.2020 > 192.168.0.1.2020: S, cksum 0xb179 (correct), 3383710133:3383710133(0) ack 2634546730 win 5840 <mss 1460,sackOK,timestamp 173447423 824213,nop,wscale 7>
      23:21:36.038847 IP (tos 0x0, ttl 64, id 28093, offset 0, flags [DF], proto TCP (6), length 52) 192.168.0.1.2020 > 192.168.0.254.2020: ., cksum 0xebad (correct), ack 3383710134 win 2920 <nop,nop,timestamp 824213 173447423>
      
      and the corresponding netlink events:
      
          [NEW] tcp      6 120 SYN_SENT src=192.168.0.254 dst=192.168.0.1 sport=2020 dport=2020 [UNREPLIED] src=192.168.0.1 dst=192.168.0.254 sport=2020 dport=2020
       [UPDATE] tcp      6 120 LISTEN src=192.168.0.254 dst=192.168.0.1 sport=2020 dport=2020 src=192.168.0.1 dst=192.168.0.254 sport=2020 dport=2020
       [UPDATE] tcp      6 60 SYN_RECV src=192.168.0.254 dst=192.168.0.1 sport=2020 dport=2020 src=192.168.0.1 dst=192.168.0.254 sport=2020 dport=2020
       [UPDATE] tcp      6 432000 ESTABLISHED src=192.168.0.254 dst=192.168.0.1 sport=2020 dport=2020 src=192.168.0.1 dst=192.168.0.254 sport=2020 dport=2020 [ASSURED]
      
      The RST packet was dropped in the raw table, thus it did not reach
      conntrack.  nfnetlink_conntrack is unpatched so it shows the new SYN_SENT2
      state as the old unused LISTEN.
      
      With TCP simultaneous open support we satisfy REQ-2 in RFC 5382  ;-) .
      
      Additional minor correction in this patch is that in order to catch
      uninitialized reply directions, "td_maxwin == 0" is used instead of
      "td_end == 0" because the former can't be true except in uninitialized
      state while td_end may accidentally be equal to zero in the mid of a
      connection.
      Signed-off-by: default avatarJozsef Kadlecsik <kadlec@blackhole.kfki.hu>
      Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
      874ab923
    • Patrick McHardy's avatar
      8cc848fa
  3. 27 May, 2009 29 commits