/* Kernel module to match connection tracking information. */
/* (C) 1999-2001 Paul `Rusty' Russell
* (C) 2002-2005 Netfilter Core Team <coreteam@netfilter.org>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
#include <linux/module.h>
#include <linux/skbuff.h>
#include <net/netfilter/nf_conntrack.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_state.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Rusty Russell <rusty@rustcorp.com.au>");
MODULE_DESCRIPTION("ip[6]_tables connection tracking state match module");
/*
 * Pre-x_tables names of this match. Keeping both aliases lets a request
 * for "ipt_state" or "ip6t_state" (e.g. iptables -m state / ip6tables
 * -m state on an older userspace) autoload this single module.
 */
MODULE_ALIAS("ipt_state");
MODULE_ALIAS("ip6t_state");
/*
 * state_mt - "-m state" match callback.
 * @skb: packet under evaluation
 * @par: x_tables call parameters; par->matchinfo is the rule's
 *       struct xt_state_info as supplied from userspace at rule insertion
 *
 * The packet is classified into exactly one XT_STATE_* bit and the match
 * succeeds when that bit is set in the rule's statemask:
 *
 *   - a conntrack entry is attached       -> XT_STATE_BIT(ctinfo), the bit
 *                                            derived from the entry's
 *                                            direction/state (see xt_state.h)
 *   - no entry, ctinfo == IP_CT_UNTRACKED  -> XT_STATE_UNTRACKED: the packet
 *                                            was deliberately exempted from
 *                                            tracking (e.g. via NOTRACK)
 *   - no entry otherwise                   -> XT_STATE_INVALID: conntrack
 *                                            could not associate the packet
 *                                            with any flow
 *
 * The INVALID/UNTRACKED split is policy-relevant: a "--state INVALID -j DROP"
 * rule must not also swallow NOTRACK'ed traffic, which is why ctinfo is
 * consulted even when no conntrack object exists.
 *
 * Return: true if the packet's state bit is selected by the rule.
 */
static bool
state_mt(const struct sk_buff *skb, struct xt_action_param *par)
{
	const struct xt_state_info *sinfo = par->matchinfo;
	enum ip_conntrack_info ctinfo;
	const struct nf_conn *ct;
	/* Default to INVALID; only a real entry or an UNTRACKED mark overrides. */
	unsigned int statebit = XT_STATE_INVALID;

	ct = nf_ct_get(skb, &ctinfo);
	if (ct)
		statebit = XT_STATE_BIT(ctinfo);
	else if (ctinfo == IP_CT_UNTRACKED)
		statebit = XT_STATE_UNTRACKED;

	return (sinfo->statemask & statebit) != 0;
}
/*
 * state_mt_check - checkentry hook, run when a rule using "-m state" is
 * inserted.
 * @par: x_tables check parameters; par->net and par->family identify the
 *       network namespace and address family the rule lives in
 *
 * Takes a conntrack reference for this netns/family so that connection
 * tracking is actually active for the packets the rule will see; the
 * reference is dropped again in state_mt_destroy(). A failure (negative
 * errno from nf_ct_netns_get()) is logged rate-limited and propagated so the
 * caller can refuse the rule instead of installing a match that would never
 * see conntrack state.
 *
 * Note: the rule's statemask is not validated here. A bit that no XT_STATE_*
 * value produces is harmless -- state_mt() can never match it -- but such a
 * rule is accepted silently.
 *
 * Return: 0 on success, negative errno otherwise.
 */
static int state_mt_check(const struct xt_mtchk_param *par)
{
	int err = nf_ct_netns_get(par->net, par->family);

	if (err >= 0)
		return err;

	pr_info_ratelimited("cannot load conntrack support for proto=%u\n",
			    par->family);
	return err;
}
/*
 * state_mt_destroy - x_tables destroy hook for a "-m state" rule.
 * @par: destroy parameters carrying the same net/family as at check time
 *
 * Balances the nf_ct_netns_get() taken in state_mt_check(); once the last
 * user in this netns/family is gone, conntrack support can be torn down.
 */
static void state_mt_destroy(const struct xt_mtdtor_param *par)
{
	struct net *net = par->net;

	nf_ct_netns_put(net, par->family);
}
/*
 * Registration record for the "state" match. NFPROTO_UNSPEC registers one
 * instance for every address family, so the same code serves both
 * ip_tables and ip6_tables (hence the ipt_/ip6t_ aliases above).
 * matchsize tells x_tables how much per-rule match data to expect from
 * userspace; state_mt() reads it as struct xt_state_info.
 */
static struct xt_match state_mt_reg __read_mostly = {
	.name		= "state",
	.family		= NFPROTO_UNSPEC,
	.matchsize	= sizeof(struct xt_state_info),
	.checkentry	= state_mt_check,
	.destroy	= state_mt_destroy,
	.match		= state_mt,
	.me		= THIS_MODULE,
};
/*
 * state_mt_init - module entry point.
 *
 * Registers the "state" match with x_tables.
 *
 * Return: 0 on success, negative errno from xt_register_match() otherwise.
 */
static int __init state_mt_init(void)
{
	int err = xt_register_match(&state_mt_reg);

	return err;
}
/*
 * state_mt_exit - module exit point.
 *
 * Unregisters the "state" match registered in state_mt_init().
 */
static void __exit state_mt_exit(void)
{
	struct xt_match *match = &state_mt_reg;

	xt_unregister_match(match);
}
/* Wire the init/exit routines above as the module's entry and exit points. */
module_init(state_mt_init);
module_exit(state_mt_exit);