microsoft
/
WSL2-Linux-Kernel
зеркало из https://github.com/microsoft/WSL2-Linux-Kernel.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

netfilter: netns nf_conntrack: pass netns pointer to nf_conntrack_in() 

It's deducible from skb->dev or skb->dst->dev, but we know netns at
the moment of call, so pass it down and use for finding and creating
conntracks.

Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
This commit is contained in:
Alexey Dobriyan 2008-10-08 11:35:04 +02:00 коммит произвёл Patrick McHardy
Родитель 63c9a26264
Коммит a702a65fc1
4 изменённых файлов: 28 добавлений и 18 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

3
include/net/netfilter/nf_conntrack_core.h
Просмотреть файл

@ -20,7 +20,8 @@
/* This header is used to share core functionality between the /* This header is used to share core functionality between the
standalone connection tracking module, and the compatibility layer's use standalone connection tracking module, and the compatibility layer's use
of connection tracking. */ of connection tracking. */
extern unsigned int nf_conntrack_in(u_int8_t pf, extern unsigned int nf_conntrack_in(struct net *net,
u_int8_t pf,
unsigned int hooknum, unsigned int hooknum,
struct sk_buff *skb); struct sk_buff *skb);

4
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
Просмотреть файл

@ -172,7 +172,7 @@ static unsigned int ipv4_conntrack_in(unsigned int hooknum,
const struct net_device *out, const struct net_device *out,
int (*okfn)(struct sk_buff *)) int (*okfn)(struct sk_buff *))
{ {
return nf_conntrack_in(PF_INET, hooknum, skb); return nf_conntrack_in(dev_net(in), PF_INET, hooknum, skb);
} }
static unsigned int ipv4_conntrack_local(unsigned int hooknum, static unsigned int ipv4_conntrack_local(unsigned int hooknum,
@ -188,7 +188,7 @@ static unsigned int ipv4_conntrack_local(unsigned int hooknum,
printk("ipt_hook: happy cracking.\n"); printk("ipt_hook: happy cracking.\n");
return NF_ACCEPT; return NF_ACCEPT;
} }
return nf_conntrack_in(PF_INET, hooknum, skb); return nf_conntrack_in(dev_net(out), PF_INET, hooknum, skb);
} }
/* Connection tracking may drop packets, but never alters them, so /* Connection tracking may drop packets, but never alters them, so

20
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
Просмотреть файл

@ -211,10 +211,9 @@ static unsigned int ipv6_defrag(unsigned int hooknum,
return NF_STOLEN; return NF_STOLEN;
} }
static unsigned int ipv6_conntrack_in(unsigned int hooknum, static unsigned int __ipv6_conntrack_in(struct net *net,
unsigned int hooknum,
struct sk_buff *skb, struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
int (*okfn)(struct sk_buff *)) int (*okfn)(struct sk_buff *))
{ {
struct sk_buff *reasm = skb->nfct_reasm; struct sk_buff *reasm = skb->nfct_reasm;
@ -225,7 +224,7 @@ static unsigned int ipv6_conntrack_in(unsigned int hooknum,
if (!reasm->nfct) { if (!reasm->nfct) {
unsigned int ret; unsigned int ret;
ret = nf_conntrack_in(PF_INET6, hooknum, reasm); ret = nf_conntrack_in(net, PF_INET6, hooknum, reasm);
if (ret != NF_ACCEPT) if (ret != NF_ACCEPT)
return ret; return ret;
} }
@ -235,7 +234,16 @@ static unsigned int ipv6_conntrack_in(unsigned int hooknum,
return NF_ACCEPT; return NF_ACCEPT;
} }
return nf_conntrack_in(PF_INET6, hooknum, skb); return nf_conntrack_in(net, PF_INET6, hooknum, skb);
}
static unsigned int ipv6_conntrack_in(unsigned int hooknum,
struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
int (*okfn)(struct sk_buff *))
{
return __ipv6_conntrack_in(dev_net(in), hooknum, skb, okfn);
} }
static unsigned int ipv6_conntrack_local(unsigned int hooknum, static unsigned int ipv6_conntrack_local(unsigned int hooknum,
@ -250,7 +258,7 @@ static unsigned int ipv6_conntrack_local(unsigned int hooknum,
printk("ipv6_conntrack_local: packet too short\n"); printk("ipv6_conntrack_local: packet too short\n");
return NF_ACCEPT; return NF_ACCEPT;
} }
return ipv6_conntrack_in(hooknum, skb, in, out, okfn); return __ipv6_conntrack_in(dev_net(out), hooknum, skb, okfn);
} }
static struct nf_hook_ops ipv6_conntrack_ops[] __read_mostly = { static struct nf_hook_ops ipv6_conntrack_ops[] __read_mostly = {

15
net/netfilter/nf_conntrack_core.c
Просмотреть файл

@ -611,7 +611,8 @@ init_conntrack(struct net *net,
/* On success, returns conntrack ptr, sets skb->nfct and ctinfo */ /* On success, returns conntrack ptr, sets skb->nfct and ctinfo */
static inline struct nf_conn * static inline struct nf_conn *
resolve_normal_ct(struct sk_buff *skb, resolve_normal_ct(struct net *net,
struct sk_buff *skb,
unsigned int dataoff, unsigned int dataoff,
u_int16_t l3num, u_int16_t l3num,
u_int8_t protonum, u_int8_t protonum,
@ -632,10 +633,9 @@ resolve_normal_ct(struct sk_buff *skb,
} }
/* look for tuple match */ /* look for tuple match */
h = nf_conntrack_find_get(&init_net, &tuple); h = nf_conntrack_find_get(net, &tuple);
if (!h) { if (!h) {
h = init_conntrack(&init_net, &tuple, l3proto, l4proto, skb, h = init_conntrack(net, &tuple, l3proto, l4proto, skb, dataoff);
dataoff);
if (!h) if (!h)
return NULL; return NULL;
if (IS_ERR(h)) if (IS_ERR(h))
@ -669,7 +669,8 @@ resolve_normal_ct(struct sk_buff *skb,
} }
unsigned int unsigned int
nf_conntrack_in(u_int8_t pf, unsigned int hooknum, struct sk_buff *skb) nf_conntrack_in(struct net *net, u_int8_t pf, unsigned int hooknum,
struct sk_buff *skb)
{ {
struct nf_conn *ct; struct nf_conn *ct;
enum ip_conntrack_info ctinfo; enum ip_conntrack_info ctinfo;
@ -709,8 +710,8 @@ nf_conntrack_in(u_int8_t pf, unsigned int hooknum, struct sk_buff *skb)
return -ret; return -ret;
} }
ct = resolve_normal_ct(skb, dataoff, pf, protonum, l3proto, l4proto, ct = resolve_normal_ct(net, skb, dataoff, pf, protonum,
&set_reply, &ctinfo); l3proto, l4proto, &set_reply, &ctinfo);
if (!ct) { if (!ct) {
/* Not valid part of a connection */ /* Not valid part of a connection */
NF_CT_STAT_INC_ATOMIC(invalid); NF_CT_STAT_INC_ATOMIC(invalid);