netfilter: add and use nf_ct_set helper
authorFlorian Westphal <fw@strlen.de>
Mon, 23 Jan 2017 17:21:57 +0000 (18:21 +0100)
committerPablo Neira Ayuso <pablo@netfilter.org>
Thu, 2 Feb 2017 13:31:54 +0000 (14:31 +0100)
Add a helper to assign a nf_conn entry and the ctinfo bits to an sk_buff.
This avoids changing code in followup patch that merges skb->nfct and
skb->nfctinfo into skb->_nfct.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
12 files changed:
include/net/ip_vs.h
include/net/netfilter/nf_conntrack.h
net/ipv4/netfilter/ipt_SYNPROXY.c
net/ipv4/netfilter/nf_conntrack_proto_icmp.c
net/ipv4/netfilter/nf_dup_ipv4.c
net/ipv6/netfilter/ip6t_SYNPROXY.c
net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
net/ipv6/netfilter/nf_dup_ipv6.c
net/netfilter/nf_conntrack_core.c
net/netfilter/nft_ct.c
net/netfilter/xt_CT.c
net/openvswitch/conntrack.c

index 2a344ebd7ebe7b49f287a243dec59cddacfe75f2..4b46c591b542983ecfdf681d4787d9933eccdece 100644 (file)
@@ -1559,8 +1559,7 @@ static inline void ip_vs_notrack(struct sk_buff *skb)
                nf_conntrack_put(&ct->ct_general);
                untracked = nf_ct_untracked_get();
                nf_conntrack_get(&untracked->ct_general);
-               skb->nfct = &untracked->ct_general;
-               skb->nfctinfo = IP_CT_NEW;
+               nf_ct_set(skb, untracked, IP_CT_NEW);
        }
 #endif
 }
index 5916aa9ab3f0070411f6c3eb2842fadcdb605510..d704aed11684a2ba971510a40b1b8c5e4269d0b5 100644 (file)
@@ -34,6 +34,7 @@ union nf_conntrack_proto {
        struct ip_ct_sctp sctp;
        struct ip_ct_tcp tcp;
        struct nf_ct_gre gre;
+       unsigned int tmpl_padto;
 };
 
 union nf_conntrack_expect_proto {
@@ -341,6 +342,13 @@ struct nf_conn *nf_ct_tmpl_alloc(struct net *net,
                                 gfp_t flags);
 void nf_ct_tmpl_free(struct nf_conn *tmpl);
 
+static inline void
+nf_ct_set(struct sk_buff *skb, struct nf_conn *ct, enum ip_conntrack_info info)
+{
+       skb->nfct = &ct->ct_general;
+       skb->nfctinfo = info;
+}
+
 #define NF_CT_STAT_INC(net, count)       __this_cpu_inc((net)->ct.stat->count)
 #define NF_CT_STAT_INC_ATOMIC(net, count) this_cpu_inc((net)->ct.stat->count)
 #define NF_CT_STAT_ADD_ATOMIC(net, count, v) this_cpu_add((net)->ct.stat->count, (v))
index a12d4f0aa67493c8e08b9649f6dd2807e0768410..3240a2614e82bd82c674aac84ab140c91670f163 100644 (file)
@@ -57,8 +57,7 @@ synproxy_send_tcp(struct net *net,
                goto free_nskb;
 
        if (nfct) {
-               nskb->nfct = nfct;
-               nskb->nfctinfo = ctinfo;
+               nf_ct_set(nskb, (struct nf_conn *)nfct, ctinfo);
                nf_conntrack_get(nfct);
        }
 
index 478a025909fc06367401fcbf6f6a0c96d88a9728..73c591d8a9a8e5295000f702e1b32e6a643e30e0 100644 (file)
@@ -172,8 +172,7 @@ icmp_error_message(struct net *net, struct nf_conn *tmpl, struct sk_buff *skb,
                ctinfo += IP_CT_IS_REPLY;
 
        /* Update skb to refer to this connection */
-       skb->nfct = &nf_ct_tuplehash_to_ctrack(h)->ct_general;
-       skb->nfctinfo = ctinfo;
+       nf_ct_set(skb, nf_ct_tuplehash_to_ctrack(h), ctinfo);
        return NF_ACCEPT;
 }
 
index 1a5e1f53ceaa91bed85f04935b7bcd6429b65ea5..f0dbff05fc28174de694ecad1d1adcde63c314ec 100644 (file)
@@ -69,8 +69,7 @@ void nf_dup_ipv4(struct net *net, struct sk_buff *skb, unsigned int hooknum,
 #if IS_ENABLED(CONFIG_NF_CONNTRACK)
        /* Avoid counting cloned packets towards the original connection. */
        nf_reset(skb);
-       skb->nfct     = &nf_ct_untracked_get()->ct_general;
-       skb->nfctinfo = IP_CT_NEW;
+       nf_ct_set(skb, nf_ct_untracked_get(), IP_CT_NEW);
        nf_conntrack_get(skb_nfct(skb));
 #endif
        /*
index 2dc01d2c6ec02a6da732e039ebba751577c1a16e..4ef1ddd4bbbd813ff8e6ed46275ecdf48d5ff9a8 100644 (file)
@@ -71,8 +71,7 @@ synproxy_send_tcp(struct net *net,
        skb_dst_set(nskb, dst);
 
        if (nfct) {
-               nskb->nfct = nfct;
-               nskb->nfctinfo = ctinfo;
+               nf_ct_set(nskb, (struct nf_conn *)nfct, ctinfo);
                nf_conntrack_get(nfct);
        }
 
index 09f1661a4e885c3aaa8b88ba59070109e5a578ca..d2c2ccbfbe728f8ff2d7bc42c5e7feb2ae4ad97b 100644 (file)
@@ -189,8 +189,7 @@ icmpv6_error_message(struct net *net, struct nf_conn *tmpl,
        }
 
        /* Update skb to refer to this connection */
-       skb->nfct = &nf_ct_tuplehash_to_ctrack(h)->ct_general;
-       skb->nfctinfo = ctinfo;
+       nf_ct_set(skb, nf_ct_tuplehash_to_ctrack(h), ctinfo);
        return NF_ACCEPT;
 }
 
@@ -222,8 +221,7 @@ icmpv6_error(struct net *net, struct nf_conn *tmpl,
        type = icmp6h->icmp6_type - 130;
        if (type >= 0 && type < sizeof(noct_valid_new) &&
            noct_valid_new[type]) {
-               skb->nfct = &nf_ct_untracked_get()->ct_general;
-               skb->nfctinfo = IP_CT_NEW;
+               nf_ct_set(skb, nf_ct_untracked_get(), IP_CT_NEW);
                nf_conntrack_get(skb_nfct(skb));
                return NF_ACCEPT;
        }
index 5f52e5f90e7e01c2e181a094ee7b517e7ca10f34..ff04f6a7f45bc8bdee4a14d7688a7d3b596274c6 100644 (file)
@@ -58,8 +58,7 @@ void nf_dup_ipv6(struct net *net, struct sk_buff *skb, unsigned int hooknum,
 
 #if IS_ENABLED(CONFIG_NF_CONNTRACK)
        nf_reset(skb);
-       skb->nfct     = &nf_ct_untracked_get()->ct_general;
-       skb->nfctinfo = IP_CT_NEW;
+       nf_ct_set(skb, nf_ct_untracked_get(), IP_CT_NEW);
        nf_conntrack_get(skb->nfct);
 #endif
        if (hooknum == NF_INET_PRE_ROUTING ||
index 78aebf0ee6e37c84e41426030a45ff82047857e7..c9bd107478641b719a8414da0df0d29a792cba2c 100644 (file)
@@ -691,10 +691,7 @@ static int nf_ct_resolve_clash(struct net *net, struct sk_buff *skb,
 
                nf_ct_acct_merge(ct, ctinfo, loser_ct);
                nf_conntrack_put(&loser_ct->ct_general);
-               /* Assign conntrack already in hashes to this skbuff. Don't
-                * modify skb->nfctinfo to ensure consistent stateful filtering.
-                */
-               skb->nfct = &ct->ct_general;
+               nf_ct_set(skb, ct, oldinfo);
                return NF_ACCEPT;
        }
        NF_CT_STAT_INC(net, drop);
@@ -1282,8 +1279,7 @@ resolve_normal_ct(struct net *net, struct nf_conn *tmpl,
                }
                *set_reply = 0;
        }
-       skb->nfct = &ct->ct_general;
-       skb->nfctinfo = *ctinfo;
+       nf_ct_set(skb, ct, *ctinfo);
        return ct;
 }
 
@@ -1526,8 +1522,7 @@ static void nf_conntrack_attach(struct sk_buff *nskb, const struct sk_buff *skb)
                ctinfo = IP_CT_RELATED;
 
        /* Attach to new skbuff, and increment count */
-       nskb->nfct = &ct->ct_general;
-       nskb->nfctinfo = ctinfo;
+       nf_ct_set(nskb, ct, ctinfo);
        nf_conntrack_get(skb_nfct(nskb));
 }
 
index d774d7823688378c89e577efc89773b25f8fa885..66a2377510e17526bf14c93b5db2acbe9d0ee1dd 100644 (file)
@@ -554,8 +554,7 @@ static void nft_notrack_eval(const struct nft_expr *expr,
 
        ct = nf_ct_untracked_get();
        atomic_inc(&ct->ct_general.use);
-       skb->nfct = &ct->ct_general;
-       skb->nfctinfo = IP_CT_NEW;
+       nf_ct_set(skb, ct, IP_CT_NEW);
 }
 
 static struct nft_expr_type nft_notrack_type;
index cd7e29910ae1b06f6af41218822406490483e9b2..51f00e1e120879bb85f60d6f78188811aa0958b9 100644 (file)
@@ -30,8 +30,7 @@ static inline int xt_ct_target(struct sk_buff *skb, struct nf_conn *ct)
        if (!ct)
                ct = nf_ct_untracked_get();
        atomic_inc(&ct->ct_general.use);
-       skb->nfct = &ct->ct_general;
-       skb->nfctinfo = IP_CT_NEW;
+       nf_ct_set(skb, ct, IP_CT_NEW);
 
        return XT_CONTINUE;
 }
@@ -413,8 +412,7 @@ notrack_tg(struct sk_buff *skb, const struct xt_action_param *par)
        if (skb->nfct != NULL)
                return XT_CONTINUE;
 
-       skb->nfct = &nf_ct_untracked_get()->ct_general;
-       skb->nfctinfo = IP_CT_NEW;
+       nf_ct_set(skb, nf_ct_untracked_get(), IP_CT_NEW);
        nf_conntrack_get(skb_nfct(skb));
 
        return XT_CONTINUE;
index 4525579461475af7a434da9855991d80716b53a8..d1fbfcaa009a1b152953a1e07217c0ce753daa2d 100644 (file)
@@ -460,8 +460,7 @@ ovs_ct_find_existing(struct net *net, const struct nf_conntrack_zone *zone,
 
        ct = nf_ct_tuplehash_to_ctrack(h);
 
-       skb->nfct = &ct->ct_general;
-       skb->nfctinfo = ovs_ct_get_info(h);
+       nf_ct_set(skb, ct, ovs_ct_get_info(h));
        return ct;
 }
 
@@ -724,8 +723,7 @@ static int __ovs_ct_lookup(struct net *net, struct sw_flow_key *key,
                        if (skb_nfct(skb))
                                nf_conntrack_put(skb_nfct(skb));
                        nf_conntrack_get(&tmpl->ct_general);
-                       skb->nfct = &tmpl->ct_general;
-                       skb->nfctinfo = IP_CT_NEW;
+                       nf_ct_set(skb, tmpl, IP_CT_NEW);
                }
 
                err = nf_conntrack_in(net, info->family,