From 98fab1e40cc093ab9ebb64aa6c4c1a0359b409ec Mon Sep 17 00:00:00 2001
From: Rusty Russell
Date: Tue, 15 Apr 2003 07:56:40 -0700
Subject: [NETFILTER_IPV4]: De-linearization of IP Connection Tracking.

This converts connection tracking and all the connection tracking modules to handle non-linear skbs. Enough interfaces have been broken in the process that old helpers won't compile.

Interfaces which used to take a "void *data, int len" or "struct iphdr *iph, int len" now take the skb itself (and an offset to the data in the case of the first interface), which is not linearized in any way (although Alexey says after ip_rcv the IP header is always linear, so IPv4 netfilter hooks can always assume a linear IP hdr).

Helpers which examine data (amanda, FTP, IRC) now copy it into a buffer and examine that.
---
 include/linux/netfilter_ipv4/ip_conntrack_amanda.h | 8 --------
 include/linux/netfilter_ipv4/ip_conntrack_core.h | 6 ++++--
 include/linux/netfilter_ipv4/ip_conntrack_helper.h | 2 +-
 include/linux/netfilter_ipv4/ip_conntrack_irc.h | 5 -----
 include/linux/netfilter_ipv4/ip_conntrack_protocol.h | 15 ++++++++-------
 5 files changed, 13 insertions(+), 23 deletions(-)
(limited to 'include')

diff --git a/include/linux/netfilter_ipv4/ip_conntrack_amanda.h b/include/linux/netfilter_ipv4/ip_conntrack_amanda.h
index 98f8e0df3467..50726ea6b641 100644
--- a/include/linux/netfilter_ipv4/ip_conntrack_amanda.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack_amanda.h
@@ -11,14 +11,6 @@
 DECLARE_LOCK_EXTERN(ip_amanda_lock);
 #endif
 
-struct conn {
- char* match;
- int matchlen;
-};
-
-#define NUM_MSGS 3
-
-
 struct ip_ct_amanda_expect
 {
 u_int16_t port; /* port number of this expectation */
diff --git a/include/linux/netfilter_ipv4/ip_conntrack_core.h b/include/linux/netfilter_ipv4/ip_conntrack_core.h
index c46f0e86fe60..2a180c944193 100644
--- a/include/linux/netfilter_ipv4/ip_conntrack_core.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack_core.h
@@ -24,9 +24,11 @@ extern struct list_head protocol_list;
 extern struct ip_conntrack *icmp_error_track(struct sk_buff *skb,
 enum ip_conntrack_info *ctinfo,
 unsigned int hooknum);
-extern int get_tuple(const struct iphdr *iph, size_t len,
+extern int get_tuple(const struct iphdr *iph,
+ const struct sk_buff *skb,
+ unsigned int dataoff,
 struct ip_conntrack_tuple *tuple,
- struct ip_conntrack_protocol *protocol);
+ const struct ip_conntrack_protocol *protocol);
 
 /* Find a connection corresponding to a tuple. */
 struct ip_conntrack_tuple_hash *
diff --git a/include/linux/netfilter_ipv4/ip_conntrack_helper.h b/include/linux/netfilter_ipv4/ip_conntrack_helper.h
index d092a4fcb33b..997f09d81a92 100644
--- a/include/linux/netfilter_ipv4/ip_conntrack_helper.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack_helper.h
@@ -25,7 +25,7 @@ struct ip_conntrack_helper
 
 /* Function to call when data passes; return verdict, or -1 to
 invalidate. */
- int (*help)(const struct iphdr *, size_t len,
+ int (*help)(struct sk_buff *skb,
 struct ip_conntrack *ct,
 enum ip_conntrack_info conntrackinfo);
 };
diff --git a/include/linux/netfilter_ipv4/ip_conntrack_irc.h b/include/linux/netfilter_ipv4/ip_conntrack_irc.h
index 55571becc756..170248fa87bd 100644
--- a/include/linux/netfilter_ipv4/ip_conntrack_irc.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack_irc.h
@@ -37,11 +37,6 @@ struct ip_ct_irc_master {
 
 #define IRC_PORT 6667
 
-struct dccproto {
- char* match;
- int matchlen;
-};
-
 /* Protects irc part of conntracks */
 DECLARE_LOCK_EXTERN(ip_irc_lock);
 
diff --git a/include/linux/netfilter_ipv4/ip_conntrack_protocol.h b/include/linux/netfilter_ipv4/ip_conntrack_protocol.h
index e99cd7ded26f..56e37ef255b7 100644
--- a/include/linux/netfilter_ipv4/ip_conntrack_protocol.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack_protocol.h
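Review bot: The new get_tuple() prototype carries both `iph` and `skb` together with a `dataoff`, but no comment says how the three relate, so a caller passing a `dataoff` measured from the IP header rather than from `skb->data`, or an `iph` that does not point into this `skb`, would have the tuple built from the wrong bytes with no compile-time or run-time complaint. The commit message says the skb is not linearized and only the IP header can be assumed linear after ip_rcv, which is exactly the contract a header comment on this declaration should carry. I would put above it `/* Build the tuple for the packet in skb. iph must be skb's (linear) IP header; dataoff is the offset from skb->data to the transport header. Returns 0 if the protocol cannot extract a tuple, e.g. a truncated packet. */`, after checking the dataoff origin and the return convention against the definition in ip_conntrack_core.c, which is outside this patch. The added const on `protocol` is welcome.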
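Review bot: `help` now takes a non-const `struct sk_buff *skb`, whereas every skb parameter introduced in ip_conntrack_protocol.h by this same patch is `const struct sk_buff *`, and the comment above it does not say whether a helper may modify the packet. If helpers only inspect data (the commit message says they copy it into a buffer and examine that) the parameter should be `const struct sk_buff *skb` to match packet()/new(); if a helper is allowed to mangle a non-linear skb, a mangling that has to reallocate cannot be handed back through a plain pointer, so the comment should spell out what a helper may and may not do with `skb`. I would also extend the existing comment to `/* Function to call when data passes; skb may be non-linear, so payload must be read with skb_copy_bits(); return verdict, or -1 to invalidate. */`. The enclosing struct ip_conntrack_helper starts before this hunk.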
@@ -14,9 +14,11 @@ struct ip_conntrack_protocol
 /* Protocol name */
 const char *name;
 
- /* Try to fill in the third arg; return true if possible. */
- int (*pkt_to_tuple)(const void *datah, size_t datalen,
- struct ip_conntrack_tuple *tuple);
+ /* Try to fill in the third arg: dataoff is offset past IP
+ hdr. Return true if possible. */
+ int (*pkt_to_tuple)(const struct sk_buff *skb,
+ unsigned int dataoff,
+ struct ip_conntrack_tuple *tuple);
 
 /* Invert the per-proto part of the tuple: ie. turn xmit into reply.
 * Some packets can't be inverted: return 0 in that case.
@@ -34,20 +36,19 @@ struct ip_conntrack_protocol
 
 /* Returns verdict for packet, or -1 for invalid. */
 int (*packet)(struct ip_conntrack *conntrack,
- struct iphdr *iph, size_t len,
+ const struct sk_buff *skb,
 enum ip_conntrack_info ctinfo);
 
 /* Called when a new connection for this protocol found;
 * returns TRUE if it's OK. If so, packet() called next. */
- int (*new)(struct ip_conntrack *conntrack, struct iphdr *iph,
- size_t len);
+ int (*new)(struct ip_conntrack *conntrack, const struct sk_buff *skb);
 
 /* Called when a conntrack entry is destroyed */
 void (*destroy)(struct ip_conntrack *conntrack);
 
 /* Has to decide if a expectation matches one packet or not */
 int (*exp_matches_pkt)(struct ip_conntrack_expect *exp,
- struct sk_buff **pskb);
+ const struct sk_buff *skb);
 
 /* Module (if any) which this is connected to. */
 struct module *me;
-- cgit v1.2.3
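Review bot: The new pkt_to_tuple comment's `dataoff is offset past IP hdr` is ambiguous between an offset from skb->data to the byte after the IP header and an offset relative to the IP header itself, and an implementation that picks the wrong reading extracts ports from the wrong bytes; the comment also says nothing about the skb being non-linear, which the commit message states explicitly. Suggested replacement: `/* Try to fill in the third arg. dataoff is the offset from skb->data to the transport header (just past the IP hdr); skb may be non-linear, so fetch fields with skb_copy_bits() and return 0 if the packet is shorter than the protocol header. Return true if possible. */`. That wording presumes dataoff is measured from skb->data, which should be checked against the caller in ip_conntrack_core.c, outside this patch. The struct ip_conntrack_protocol continues before and after this hunk.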
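Review bot: Dropping `size_t len` from packet() and new() removes the argument their implementations presumably used to bound header reads, and neither comment says what length is now trustworthy; a per-protocol module that reads, say, TCP flags through skb->data on the assumption that the old `len` bytes were contiguous would now be reading a possibly paged and possibly truncated packet. The comments should state that the usable length is skb->len, that the data may be non-linear, and that a packet shorter than the protocol header must yield the -1 verdict from packet() and a false return from new() rather than a read past the linear area, e.g. `/* Returns verdict for packet, or -1 for invalid (including packets too short for the protocol header; skb may be non-linear, use skb_copy_bits()). */`. The change of exp_matches_pkt to `const struct sk_buff *` matches packet()/new() but not help() in ip_conntrack_helper.h in this same patch, which stays non-const; one convention should be chosen. The struct continues after this hunk.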