netfilter: nf_conntrack: split up IPCT_STATUS event
Split up the IPCT_STATUS event into an IPCT_REPLY event, which is generated when the IPS_SEEN_REPLY bit is set, and an IPCT_ASSURED event, which is generated when the IPS_ASSURED bit is set. In combination with a following patch to support selective event delivery, this can be used for "sparse" conntrack replication: start replicating the conntrack entry after it reached the ASSURED state and that way it's SYN-flood resistant. Signed-off-by: Patrick McHardy <kaber@trash.net>
This commit is contained in:
parent
add6746124
commit
858b313300
|
@ -14,19 +14,20 @@
|
||||||
|
|
||||||
/* Connection tracking event types */
|
/* Connection tracking event types */
|
||||||
enum ip_conntrack_events {
|
enum ip_conntrack_events {
|
||||||
IPCT_NEW = 0, /* new conntrack */
|
IPCT_NEW, /* new conntrack */
|
||||||
IPCT_RELATED = 1, /* related conntrack */
|
IPCT_RELATED, /* related conntrack */
|
||||||
IPCT_DESTROY = 2, /* destroyed conntrack */
|
IPCT_DESTROY, /* destroyed conntrack */
|
||||||
IPCT_STATUS = 3, /* status has changed */
|
IPCT_REPLY, /* connection has seen two-way traffic */
|
||||||
IPCT_PROTOINFO = 4, /* protocol information has changed */
|
IPCT_ASSURED, /* connection status has changed to assured */
|
||||||
IPCT_HELPER = 5, /* new helper has been set */
|
IPCT_PROTOINFO, /* protocol information has changed */
|
||||||
IPCT_MARK = 6, /* new mark has been set */
|
IPCT_HELPER, /* new helper has been set */
|
||||||
IPCT_NATSEQADJ = 7, /* NAT is doing sequence adjustment */
|
IPCT_MARK, /* new mark has been set */
|
||||||
IPCT_SECMARK = 8, /* new security mark has been set */
|
IPCT_NATSEQADJ, /* NAT is doing sequence adjustment */
|
||||||
|
IPCT_SECMARK, /* new security mark has been set */
|
||||||
};
|
};
|
||||||
|
|
||||||
enum ip_conntrack_expect_events {
|
enum ip_conntrack_expect_events {
|
||||||
IPEXP_NEW = 0, /* new expectation */
|
IPEXP_NEW, /* new expectation */
|
||||||
};
|
};
|
||||||
|
|
||||||
struct nf_conntrack_ecache {
|
struct nf_conntrack_ecache {
|
||||||
|
|
|
@ -825,7 +825,7 @@ nf_conntrack_in(struct net *net, u_int8_t pf, unsigned int hooknum,
|
||||||
}
|
}
|
||||||
|
|
||||||
if (set_reply && !test_and_set_bit(IPS_SEEN_REPLY_BIT, &ct->status))
|
if (set_reply && !test_and_set_bit(IPS_SEEN_REPLY_BIT, &ct->status))
|
||||||
nf_conntrack_event_cache(IPCT_STATUS, ct);
|
nf_conntrack_event_cache(IPCT_REPLY, ct);
|
||||||
|
|
||||||
return ret;
|
return ret;
|
||||||
}
|
}
|
||||||
|
|
|
@ -1371,7 +1371,8 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
|
||||||
else
|
else
|
||||||
events = IPCT_NEW;
|
events = IPCT_NEW;
|
||||||
|
|
||||||
nf_conntrack_eventmask_report((1 << IPCT_STATUS) |
|
nf_conntrack_eventmask_report((1 << IPCT_REPLY) |
|
||||||
|
(1 << IPCT_ASSURED) |
|
||||||
(1 << IPCT_HELPER) |
|
(1 << IPCT_HELPER) |
|
||||||
(1 << IPCT_PROTOINFO) |
|
(1 << IPCT_PROTOINFO) |
|
||||||
(1 << IPCT_NATSEQADJ) |
|
(1 << IPCT_NATSEQADJ) |
|
||||||
|
@ -1396,7 +1397,8 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
|
||||||
if (err == 0) {
|
if (err == 0) {
|
||||||
nf_conntrack_get(&ct->ct_general);
|
nf_conntrack_get(&ct->ct_general);
|
||||||
spin_unlock_bh(&nf_conntrack_lock);
|
spin_unlock_bh(&nf_conntrack_lock);
|
||||||
nf_conntrack_eventmask_report((1 << IPCT_STATUS) |
|
nf_conntrack_eventmask_report((1 << IPCT_REPLY) |
|
||||||
|
(1 << IPCT_ASSURED) |
|
||||||
(1 << IPCT_HELPER) |
|
(1 << IPCT_HELPER) |
|
||||||
(1 << IPCT_PROTOINFO) |
|
(1 << IPCT_PROTOINFO) |
|
||||||
(1 << IPCT_NATSEQADJ) |
|
(1 << IPCT_NATSEQADJ) |
|
||||||
|
|
|
@ -241,7 +241,7 @@ static int gre_packet(struct nf_conn *ct,
|
||||||
ct->proto.gre.stream_timeout);
|
ct->proto.gre.stream_timeout);
|
||||||
/* Also, more likely to be important, and not a probe. */
|
/* Also, more likely to be important, and not a probe. */
|
||||||
set_bit(IPS_ASSURED_BIT, &ct->status);
|
set_bit(IPS_ASSURED_BIT, &ct->status);
|
||||||
nf_conntrack_event_cache(IPCT_STATUS, ct);
|
nf_conntrack_event_cache(IPCT_ASSURED, ct);
|
||||||
} else
|
} else
|
||||||
nf_ct_refresh_acct(ct, ctinfo, skb,
|
nf_ct_refresh_acct(ct, ctinfo, skb,
|
||||||
ct->proto.gre.timeout);
|
ct->proto.gre.timeout);
|
||||||
|
|
|
@ -377,7 +377,7 @@ static int sctp_packet(struct nf_conn *ct,
|
||||||
new_state == SCTP_CONNTRACK_ESTABLISHED) {
|
new_state == SCTP_CONNTRACK_ESTABLISHED) {
|
||||||
pr_debug("Setting assured bit\n");
|
pr_debug("Setting assured bit\n");
|
||||||
set_bit(IPS_ASSURED_BIT, &ct->status);
|
set_bit(IPS_ASSURED_BIT, &ct->status);
|
||||||
nf_conntrack_event_cache(IPCT_STATUS, ct);
|
nf_conntrack_event_cache(IPCT_ASSURED, ct);
|
||||||
}
|
}
|
||||||
|
|
||||||
return NF_ACCEPT;
|
return NF_ACCEPT;
|
||||||
|
|
|
@ -1045,7 +1045,7 @@ static int tcp_packet(struct nf_conn *ct,
|
||||||
after SYN_RECV or a valid answer for a picked up
|
after SYN_RECV or a valid answer for a picked up
|
||||||
connection. */
|
connection. */
|
||||||
set_bit(IPS_ASSURED_BIT, &ct->status);
|
set_bit(IPS_ASSURED_BIT, &ct->status);
|
||||||
nf_conntrack_event_cache(IPCT_STATUS, ct);
|
nf_conntrack_event_cache(IPCT_ASSURED, ct);
|
||||||
}
|
}
|
||||||
nf_ct_refresh_acct(ct, ctinfo, skb, timeout);
|
nf_ct_refresh_acct(ct, ctinfo, skb, timeout);
|
||||||
|
|
||||||
|
|
|
@ -77,7 +77,7 @@ static int udp_packet(struct nf_conn *ct,
|
||||||
nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_udp_timeout_stream);
|
nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_udp_timeout_stream);
|
||||||
/* Also, more likely to be important, and not a probe */
|
/* Also, more likely to be important, and not a probe */
|
||||||
if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status))
|
if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status))
|
||||||
nf_conntrack_event_cache(IPCT_STATUS, ct);
|
nf_conntrack_event_cache(IPCT_ASSURED, ct);
|
||||||
} else
|
} else
|
||||||
nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_udp_timeout);
|
nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_udp_timeout);
|
||||||
|
|
||||||
|
|
|
@ -75,7 +75,7 @@ static int udplite_packet(struct nf_conn *ct,
|
||||||
nf_ct_udplite_timeout_stream);
|
nf_ct_udplite_timeout_stream);
|
||||||
/* Also, more likely to be important, and not a probe */
|
/* Also, more likely to be important, and not a probe */
|
||||||
if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status))
|
if (!test_and_set_bit(IPS_ASSURED_BIT, &ct->status))
|
||||||
nf_conntrack_event_cache(IPCT_STATUS, ct);
|
nf_conntrack_event_cache(IPCT_ASSURED, ct);
|
||||||
} else
|
} else
|
||||||
nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_udplite_timeout);
|
nf_ct_refresh_acct(ct, ctinfo, skb, nf_ct_udplite_timeout);
|
||||||
|
|
||||||
|
|
Loading…
Reference in New Issue