1 /* Connection state tracking for netfilter. This is separated from,
2 but required by, the NAT layer; it can also be used by an iptables
5 /* (C) 1999-2001 Paul `Rusty' Russell
6 * (C) 2002-2004 Netfilter Core Team <coreteam@netfilter.org>
8 * This program is free software; you can redistribute it and/or modify
9 * it under the terms of the GNU General Public License version 2 as
10 * published by the Free Software Foundation.
12 * 23 Apr 2001: Harald Welte <laforge@gnumonks.org>
13 * - new API and handling of conntrack/nat helpers
14 * - now capable of multiple expectations for one master
15 * 16 Jul 2002: Harald Welte <laforge@gnumonks.org>
16 * - add usage/reference counts to ip_conntrack_expect
17 * - export ip_conntrack[_expect]_{find_get,put} functions
20 #include <linux/config.h>
21 #include <linux/types.h>
22 #include <linux/icmp.h>
24 #include <linux/netfilter.h>
25 #include <linux/netfilter_ipv4.h>
26 #include <linux/module.h>
27 #include <linux/skbuff.h>
28 #include <linux/proc_fs.h>
29 #include <linux/vmalloc.h>
30 #include <net/checksum.h>
32 #include <linux/stddef.h>
33 #include <linux/sysctl.h>
34 #include <linux/slab.h>
35 #include <linux/random.h>
36 #include <linux/jhash.h>
37 #include <linux/err.h>
38 #include <linux/percpu.h>
39 #include <linux/moduleparam.h>
40 #include <linux/notifier.h>
42 /* ip_conntrack_lock protects the main hash table, protocol/helper/expected
43 registrations, conntrack timers*/
44 #define ASSERT_READ_LOCK(x)
45 #define ASSERT_WRITE_LOCK(x)
47 #include <linux/netfilter_ipv4/ip_conntrack.h>
48 #include <linux/netfilter_ipv4/ip_conntrack_protocol.h>
49 #include <linux/netfilter_ipv4/ip_conntrack_helper.h>
50 #include <linux/netfilter_ipv4/ip_conntrack_core.h>
51 #include <linux/netfilter_ipv4/listhelp.h>
53 #define IP_CONNTRACK_VERSION "2.3"
58 #define DEBUGP(format, args...)
61 DEFINE_RWLOCK(ip_conntrack_lock);
63 /* ip_conntrack_standalone needs this */
64 atomic_t ip_conntrack_count = ATOMIC_INIT(0);
66 void (*ip_conntrack_destroyed)(struct ip_conntrack *conntrack) = NULL;
67 LIST_HEAD(ip_conntrack_expect_list);
68 struct ip_conntrack_protocol *ip_ct_protos[MAX_IP_CT_PROTO];
69 static LIST_HEAD(helpers);
70 unsigned int ip_conntrack_htable_size = 0;
72 struct list_head *ip_conntrack_hash;
73 static kmem_cache_t *ip_conntrack_cachep __read_mostly;
74 static kmem_cache_t *ip_conntrack_expect_cachep __read_mostly;
75 struct ip_conntrack ip_conntrack_untracked;
76 unsigned int ip_ct_log_invalid;
77 static LIST_HEAD(unconfirmed);
78 static int ip_conntrack_vmalloc;
80 static unsigned int ip_conntrack_next_id = 1;
81 static unsigned int ip_conntrack_expect_next_id = 1;
82 #ifdef CONFIG_IP_NF_CONNTRACK_EVENTS
83 struct notifier_block *ip_conntrack_chain;
84 struct notifier_block *ip_conntrack_expect_chain;
86 DEFINE_PER_CPU(struct ip_conntrack_ecache, ip_conntrack_ecache);
88 /* deliver cached events and clear cache entry - must be called with locally
89 * disabled softirqs */
91 __ip_ct_deliver_cached_events(struct ip_conntrack_ecache *ecache)
93 DEBUGP("ecache: delivering events for %p\n", ecache->ct);
94 if (is_confirmed(ecache->ct) && !is_dying(ecache->ct) && ecache->events)
95 notifier_call_chain(&ip_conntrack_chain, ecache->events,
98 ip_conntrack_put(ecache->ct);
102 /* Deliver all cached events for a particular conntrack. This is called
103 * by code prior to async packet handling or freeing the skb */
104 void ip_ct_deliver_cached_events(const struct ip_conntrack *ct)
106 struct ip_conntrack_ecache *ecache;
109 ecache = &__get_cpu_var(ip_conntrack_ecache);
110 if (ecache->ct == ct)
111 __ip_ct_deliver_cached_events(ecache);
115 void __ip_ct_event_cache_init(struct ip_conntrack *ct)
117 struct ip_conntrack_ecache *ecache;
119 /* take care of delivering potentially old events */
120 ecache = &__get_cpu_var(ip_conntrack_ecache);
121 BUG_ON(ecache->ct == ct);
123 __ip_ct_deliver_cached_events(ecache);
124 /* initialize for this conntrack/packet */
126 nf_conntrack_get(&ct->ct_general);
129 /* flush the event cache - touches other CPU's data and must not be called while
130 * packets are still passing through the code */
131 static void ip_ct_event_cache_flush(void)
133 struct ip_conntrack_ecache *ecache;
137 ecache = &per_cpu(ip_conntrack_ecache, cpu);
139 ip_conntrack_put(ecache->ct);
143 static inline void ip_ct_event_cache_flush(void) {}
144 #endif /* CONFIG_IP_NF_CONNTRACK_EVENTS */
146 DEFINE_PER_CPU(struct ip_conntrack_stat, ip_conntrack_stat);
148 static int ip_conntrack_hash_rnd_initted;
149 static unsigned int ip_conntrack_hash_rnd;
152 hash_conntrack(const struct ip_conntrack_tuple *tuple)
157 return (jhash_3words(tuple->src.ip,
158 (tuple->dst.ip ^ tuple->dst.protonum),
159 (tuple->src.u.all | (tuple->dst.u.all << 16)),
160 ip_conntrack_hash_rnd) % ip_conntrack_htable_size);
164 ip_ct_get_tuple(const struct iphdr *iph,
165 const struct sk_buff *skb,
166 unsigned int dataoff,
167 struct ip_conntrack_tuple *tuple,
168 const struct ip_conntrack_protocol *protocol)
171 if (iph->frag_off & htons(IP_OFFSET)) {
172 printk("ip_conntrack_core: Frag of proto %u.\n",
177 tuple->src.ip = iph->saddr;
178 tuple->dst.ip = iph->daddr;
179 tuple->dst.protonum = iph->protocol;
180 tuple->dst.dir = IP_CT_DIR_ORIGINAL;
182 return protocol->pkt_to_tuple(skb, dataoff, tuple);
186 ip_ct_invert_tuple(struct ip_conntrack_tuple *inverse,
187 const struct ip_conntrack_tuple *orig,
188 const struct ip_conntrack_protocol *protocol)
190 inverse->src.ip = orig->dst.ip;
191 inverse->dst.ip = orig->src.ip;
192 inverse->dst.protonum = orig->dst.protonum;
193 inverse->dst.dir = !orig->dst.dir;
195 return protocol->invert_tuple(inverse, orig);
199 /* ip_conntrack_expect helper functions */
200 static void unlink_expect(struct ip_conntrack_expect *exp)
202 ASSERT_WRITE_LOCK(&ip_conntrack_lock);
203 IP_NF_ASSERT(!timer_pending(&exp->timeout));
204 list_del(&exp->list);
205 CONNTRACK_STAT_INC(expect_delete);
206 exp->master->expecting--;
207 ip_conntrack_expect_put(exp);
210 void __ip_ct_expect_unlink_destroy(struct ip_conntrack_expect *exp)
213 ip_conntrack_expect_put(exp);
216 static void expectation_timed_out(unsigned long ul_expect)
218 struct ip_conntrack_expect *exp = (void *)ul_expect;
220 write_lock_bh(&ip_conntrack_lock);
222 write_unlock_bh(&ip_conntrack_lock);
223 ip_conntrack_expect_put(exp);
226 struct ip_conntrack_expect *
227 __ip_conntrack_expect_find(const struct ip_conntrack_tuple *tuple)
229 struct ip_conntrack_expect *i;
231 list_for_each_entry(i, &ip_conntrack_expect_list, list) {
232 if (ip_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask)) {
240 /* Just find a expectation corresponding to a tuple. */
241 struct ip_conntrack_expect *
242 ip_conntrack_expect_find_get(const struct ip_conntrack_tuple *tuple)
244 struct ip_conntrack_expect *i;
246 read_lock_bh(&ip_conntrack_lock);
247 i = __ip_conntrack_expect_find(tuple);
248 read_unlock_bh(&ip_conntrack_lock);
253 /* If an expectation for this connection is found, it gets delete from
254 * global list then returned. */
255 static struct ip_conntrack_expect *
256 find_expectation(const struct ip_conntrack_tuple *tuple)
258 struct ip_conntrack_expect *i;
260 list_for_each_entry(i, &ip_conntrack_expect_list, list) {
261 /* If master is not in hash table yet (ie. packet hasn't left
262 this machine yet), how can other end know about expected?
263 Hence these are not the droids you are looking for (if
264 master ct never got confirmed, we'd hold a reference to it
265 and weird things would happen to future packets). */
266 if (ip_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask)
267 && is_confirmed(i->master)
268 && del_timer(&i->timeout)) {
276 /* delete all expectations for this conntrack */
277 void ip_ct_remove_expectations(struct ip_conntrack *ct)
279 struct ip_conntrack_expect *i, *tmp;
281 /* Optimization: most connection never expect any others. */
282 if (ct->expecting == 0)
285 list_for_each_entry_safe(i, tmp, &ip_conntrack_expect_list, list) {
286 if (i->master == ct && del_timer(&i->timeout)) {
288 ip_conntrack_expect_put(i);
294 clean_from_lists(struct ip_conntrack *ct)
298 DEBUGP("clean_from_lists(%p)\n", ct);
299 ASSERT_WRITE_LOCK(&ip_conntrack_lock);
301 ho = hash_conntrack(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
302 hr = hash_conntrack(&ct->tuplehash[IP_CT_DIR_REPLY].tuple);
303 LIST_DELETE(&ip_conntrack_hash[ho], &ct->tuplehash[IP_CT_DIR_ORIGINAL]);
304 LIST_DELETE(&ip_conntrack_hash[hr], &ct->tuplehash[IP_CT_DIR_REPLY]);
306 /* Destroy all pending expectations */
307 ip_ct_remove_expectations(ct);
311 destroy_conntrack(struct nf_conntrack *nfct)
313 struct ip_conntrack *ct = (struct ip_conntrack *)nfct;
314 struct ip_conntrack_protocol *proto;
316 DEBUGP("destroy_conntrack(%p)\n", ct);
317 IP_NF_ASSERT(atomic_read(&nfct->use) == 0);
318 IP_NF_ASSERT(!timer_pending(&ct->timeout));
320 ip_conntrack_event(IPCT_DESTROY, ct);
321 set_bit(IPS_DYING_BIT, &ct->status);
323 /* To make sure we don't get any weird locking issues here:
324 * destroy_conntrack() MUST NOT be called with a write lock
325 * to ip_conntrack_lock!!! -HW */
326 proto = __ip_conntrack_proto_find(ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.protonum);
327 if (proto && proto->destroy)
330 if (ip_conntrack_destroyed)
331 ip_conntrack_destroyed(ct);
333 write_lock_bh(&ip_conntrack_lock);
334 /* Expectations will have been removed in clean_from_lists,
335 * except TFTP can create an expectation on the first packet,
336 * before connection is in the list, so we need to clean here,
338 ip_ct_remove_expectations(ct);
340 /* We overload first tuple to link into unconfirmed list. */
341 if (!is_confirmed(ct)) {
342 BUG_ON(list_empty(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list));
343 list_del(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list);
346 CONNTRACK_STAT_INC(delete);
347 write_unlock_bh(&ip_conntrack_lock);
350 ip_conntrack_put(ct->master);
352 DEBUGP("destroy_conntrack: returning ct=%p to slab\n", ct);
353 ip_conntrack_free(ct);
356 static void death_by_timeout(unsigned long ul_conntrack)
358 struct ip_conntrack *ct = (void *)ul_conntrack;
360 write_lock_bh(&ip_conntrack_lock);
361 /* Inside lock so preempt is disabled on module removal path.
362 * Otherwise we can get spurious warnings. */
363 CONNTRACK_STAT_INC(delete_list);
364 clean_from_lists(ct);
365 write_unlock_bh(&ip_conntrack_lock);
366 ip_conntrack_put(ct);
370 conntrack_tuple_cmp(const struct ip_conntrack_tuple_hash *i,
371 const struct ip_conntrack_tuple *tuple,
372 const struct ip_conntrack *ignored_conntrack)
374 ASSERT_READ_LOCK(&ip_conntrack_lock);
375 return tuplehash_to_ctrack(i) != ignored_conntrack
376 && ip_ct_tuple_equal(tuple, &i->tuple);
379 struct ip_conntrack_tuple_hash *
380 __ip_conntrack_find(const struct ip_conntrack_tuple *tuple,
381 const struct ip_conntrack *ignored_conntrack)
383 struct ip_conntrack_tuple_hash *h;
384 unsigned int hash = hash_conntrack(tuple);
386 ASSERT_READ_LOCK(&ip_conntrack_lock);
387 list_for_each_entry(h, &ip_conntrack_hash[hash], list) {
388 if (conntrack_tuple_cmp(h, tuple, ignored_conntrack)) {
389 CONNTRACK_STAT_INC(found);
392 CONNTRACK_STAT_INC(searched);
398 /* Find a connection corresponding to a tuple. */
399 struct ip_conntrack_tuple_hash *
400 ip_conntrack_find_get(const struct ip_conntrack_tuple *tuple,
401 const struct ip_conntrack *ignored_conntrack)
403 struct ip_conntrack_tuple_hash *h;
405 read_lock_bh(&ip_conntrack_lock);
406 h = __ip_conntrack_find(tuple, ignored_conntrack);
408 atomic_inc(&tuplehash_to_ctrack(h)->ct_general.use);
409 read_unlock_bh(&ip_conntrack_lock);
414 static void __ip_conntrack_hash_insert(struct ip_conntrack *ct,
416 unsigned int repl_hash)
418 ct->id = ++ip_conntrack_next_id;
419 list_prepend(&ip_conntrack_hash[hash],
420 &ct->tuplehash[IP_CT_DIR_ORIGINAL].list);
421 list_prepend(&ip_conntrack_hash[repl_hash],
422 &ct->tuplehash[IP_CT_DIR_REPLY].list);
425 void ip_conntrack_hash_insert(struct ip_conntrack *ct)
427 unsigned int hash, repl_hash;
429 hash = hash_conntrack(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
430 repl_hash = hash_conntrack(&ct->tuplehash[IP_CT_DIR_REPLY].tuple);
432 write_lock_bh(&ip_conntrack_lock);
433 __ip_conntrack_hash_insert(ct, hash, repl_hash);
434 write_unlock_bh(&ip_conntrack_lock);
437 /* Confirm a connection given skb; places it in hash table */
439 __ip_conntrack_confirm(struct sk_buff **pskb)
441 unsigned int hash, repl_hash;
442 struct ip_conntrack *ct;
443 enum ip_conntrack_info ctinfo;
445 ct = ip_conntrack_get(*pskb, &ctinfo);
447 /* ipt_REJECT uses ip_conntrack_attach to attach related
448 ICMP/TCP RST packets in other direction. Actual packet
449 which created connection will be IP_CT_NEW or for an
450 expected connection, IP_CT_RELATED. */
451 if (CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL)
454 hash = hash_conntrack(&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple);
455 repl_hash = hash_conntrack(&ct->tuplehash[IP_CT_DIR_REPLY].tuple);
457 /* We're not in hash table, and we refuse to set up related
458 connections for unconfirmed conns. But packet copies and
459 REJECT will give spurious warnings here. */
460 /* IP_NF_ASSERT(atomic_read(&ct->ct_general.use) == 1); */
462 /* No external references means noone else could have
464 IP_NF_ASSERT(!is_confirmed(ct));
465 DEBUGP("Confirming conntrack %p\n", ct);
467 write_lock_bh(&ip_conntrack_lock);
469 /* See if there's one in the list already, including reverse:
470 NAT could have grabbed it without realizing, since we're
471 not in the hash. If there is, we lost race. */
472 if (!LIST_FIND(&ip_conntrack_hash[hash],
474 struct ip_conntrack_tuple_hash *,
475 &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple, NULL)
476 && !LIST_FIND(&ip_conntrack_hash[repl_hash],
478 struct ip_conntrack_tuple_hash *,
479 &ct->tuplehash[IP_CT_DIR_REPLY].tuple, NULL)) {
480 /* Remove from unconfirmed list */
481 list_del(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list);
483 __ip_conntrack_hash_insert(ct, hash, repl_hash);
484 /* Timer relative to confirmation time, not original
485 setting time, otherwise we'd get timer wrap in
486 weird delay cases. */
487 ct->timeout.expires += jiffies;
488 add_timer(&ct->timeout);
489 atomic_inc(&ct->ct_general.use);
490 set_bit(IPS_CONFIRMED_BIT, &ct->status);
491 CONNTRACK_STAT_INC(insert);
492 write_unlock_bh(&ip_conntrack_lock);
494 ip_conntrack_event_cache(IPCT_HELPER, *pskb);
495 #ifdef CONFIG_IP_NF_NAT_NEEDED
496 if (test_bit(IPS_SRC_NAT_DONE_BIT, &ct->status) ||
497 test_bit(IPS_DST_NAT_DONE_BIT, &ct->status))
498 ip_conntrack_event_cache(IPCT_NATINFO, *pskb);
500 ip_conntrack_event_cache(master_ct(ct) ?
501 IPCT_RELATED : IPCT_NEW, *pskb);
506 CONNTRACK_STAT_INC(insert_failed);
507 write_unlock_bh(&ip_conntrack_lock);
512 /* Returns true if a connection correspondings to the tuple (required
515 ip_conntrack_tuple_taken(const struct ip_conntrack_tuple *tuple,
516 const struct ip_conntrack *ignored_conntrack)
518 struct ip_conntrack_tuple_hash *h;
520 read_lock_bh(&ip_conntrack_lock);
521 h = __ip_conntrack_find(tuple, ignored_conntrack);
522 read_unlock_bh(&ip_conntrack_lock);
527 /* There's a small race here where we may free a just-assured
528 connection. Too bad: we're in trouble anyway. */
529 static inline int unreplied(const struct ip_conntrack_tuple_hash *i)
531 return !(test_bit(IPS_ASSURED_BIT, &tuplehash_to_ctrack(i)->status));
534 static int early_drop(struct list_head *chain)
536 /* Traverse backwards: gives us oldest, which is roughly LRU */
537 struct ip_conntrack_tuple_hash *h;
538 struct ip_conntrack *ct = NULL;
541 read_lock_bh(&ip_conntrack_lock);
542 h = LIST_FIND_B(chain, unreplied, struct ip_conntrack_tuple_hash *);
544 ct = tuplehash_to_ctrack(h);
545 atomic_inc(&ct->ct_general.use);
547 read_unlock_bh(&ip_conntrack_lock);
552 if (del_timer(&ct->timeout)) {
553 death_by_timeout((unsigned long)ct);
555 CONNTRACK_STAT_INC(early_drop);
557 ip_conntrack_put(ct);
561 static inline int helper_cmp(const struct ip_conntrack_helper *i,
562 const struct ip_conntrack_tuple *rtuple)
564 return ip_ct_tuple_mask_cmp(rtuple, &i->tuple, &i->mask);
567 static struct ip_conntrack_helper *
568 __ip_conntrack_helper_find( const struct ip_conntrack_tuple *tuple)
570 return LIST_FIND(&helpers, helper_cmp,
571 struct ip_conntrack_helper *,
575 struct ip_conntrack_helper *
576 ip_conntrack_helper_find_get( const struct ip_conntrack_tuple *tuple)
578 struct ip_conntrack_helper *helper;
580 /* need ip_conntrack_lock to assure that helper exists until
581 * try_module_get() is called */
582 read_lock_bh(&ip_conntrack_lock);
584 helper = __ip_conntrack_helper_find(tuple);
586 /* need to increase module usage count to assure helper will
587 * not go away while the caller is e.g. busy putting a
588 * conntrack in the hash that uses the helper */
589 if (!try_module_get(helper->me))
593 read_unlock_bh(&ip_conntrack_lock);
598 void ip_conntrack_helper_put(struct ip_conntrack_helper *helper)
600 module_put(helper->me);
603 struct ip_conntrack_protocol *
604 __ip_conntrack_proto_find(u_int8_t protocol)
606 return ip_ct_protos[protocol];
609 /* this is guaranteed to always return a valid protocol helper, since
610 * it falls back to generic_protocol */
611 struct ip_conntrack_protocol *
612 ip_conntrack_proto_find_get(u_int8_t protocol)
614 struct ip_conntrack_protocol *p;
617 p = __ip_conntrack_proto_find(protocol);
619 if (!try_module_get(p->me))
620 p = &ip_conntrack_generic_protocol;
627 void ip_conntrack_proto_put(struct ip_conntrack_protocol *p)
632 struct ip_conntrack *ip_conntrack_alloc(struct ip_conntrack_tuple *orig,
633 struct ip_conntrack_tuple *repl)
635 struct ip_conntrack *conntrack;
637 if (!ip_conntrack_hash_rnd_initted) {
638 get_random_bytes(&ip_conntrack_hash_rnd, 4);
639 ip_conntrack_hash_rnd_initted = 1;
643 && atomic_read(&ip_conntrack_count) >= ip_conntrack_max) {
644 unsigned int hash = hash_conntrack(orig);
645 /* Try dropping from this hash chain. */
646 if (!early_drop(&ip_conntrack_hash[hash])) {
649 "ip_conntrack: table full, dropping"
651 return ERR_PTR(-ENOMEM);
655 conntrack = kmem_cache_alloc(ip_conntrack_cachep, GFP_ATOMIC);
657 DEBUGP("Can't allocate conntrack.\n");
658 return ERR_PTR(-ENOMEM);
661 memset(conntrack, 0, sizeof(*conntrack));
662 atomic_set(&conntrack->ct_general.use, 1);
663 conntrack->ct_general.destroy = destroy_conntrack;
664 conntrack->tuplehash[IP_CT_DIR_ORIGINAL].tuple = *orig;
665 conntrack->tuplehash[IP_CT_DIR_REPLY].tuple = *repl;
666 /* Don't set timer yet: wait for confirmation */
667 init_timer(&conntrack->timeout);
668 conntrack->timeout.data = (unsigned long)conntrack;
669 conntrack->timeout.function = death_by_timeout;
671 atomic_inc(&ip_conntrack_count);
677 ip_conntrack_free(struct ip_conntrack *conntrack)
679 atomic_dec(&ip_conntrack_count);
680 kmem_cache_free(ip_conntrack_cachep, conntrack);
683 /* Allocate a new conntrack: we return -ENOMEM if classification
684 * failed due to stress. Otherwise it really is unclassifiable */
685 static struct ip_conntrack_tuple_hash *
686 init_conntrack(struct ip_conntrack_tuple *tuple,
687 struct ip_conntrack_protocol *protocol,
690 struct ip_conntrack *conntrack;
691 struct ip_conntrack_tuple repl_tuple;
692 struct ip_conntrack_expect *exp;
694 if (!ip_ct_invert_tuple(&repl_tuple, tuple, protocol)) {
695 DEBUGP("Can't invert tuple.\n");
699 conntrack = ip_conntrack_alloc(tuple, &repl_tuple);
700 if (conntrack == NULL || IS_ERR(conntrack))
701 return (struct ip_conntrack_tuple_hash *)conntrack;
703 if (!protocol->new(conntrack, skb)) {
704 ip_conntrack_free(conntrack);
708 write_lock_bh(&ip_conntrack_lock);
709 exp = find_expectation(tuple);
712 DEBUGP("conntrack: expectation arrives ct=%p exp=%p\n",
714 /* Welcome, Mr. Bond. We've been expecting you... */
715 __set_bit(IPS_EXPECTED_BIT, &conntrack->status);
716 conntrack->master = exp->master;
717 #ifdef CONFIG_IP_NF_CONNTRACK_MARK
718 conntrack->mark = exp->master->mark;
720 #if defined(CONFIG_IP_NF_TARGET_MASQUERADE) || \
721 defined(CONFIG_IP_NF_TARGET_MASQUERADE_MODULE)
722 /* this is ugly, but there is no other place where to put it */
723 conntrack->nat.masq_index = exp->master->nat.masq_index;
725 nf_conntrack_get(&conntrack->master->ct_general);
726 CONNTRACK_STAT_INC(expect_new);
728 conntrack->helper = __ip_conntrack_helper_find(&repl_tuple);
730 CONNTRACK_STAT_INC(new);
733 /* Overload tuple linked list to put us in unconfirmed list. */
734 list_add(&conntrack->tuplehash[IP_CT_DIR_ORIGINAL].list, &unconfirmed);
736 write_unlock_bh(&ip_conntrack_lock);
740 exp->expectfn(conntrack, exp);
741 ip_conntrack_expect_put(exp);
744 return &conntrack->tuplehash[IP_CT_DIR_ORIGINAL];
747 /* On success, returns conntrack ptr, sets skb->nfct and ctinfo */
748 static inline struct ip_conntrack *
749 resolve_normal_ct(struct sk_buff *skb,
750 struct ip_conntrack_protocol *proto,
752 unsigned int hooknum,
753 enum ip_conntrack_info *ctinfo)
755 struct ip_conntrack_tuple tuple;
756 struct ip_conntrack_tuple_hash *h;
757 struct ip_conntrack *ct;
759 IP_NF_ASSERT((skb->nh.iph->frag_off & htons(IP_OFFSET)) == 0);
761 if (!ip_ct_get_tuple(skb->nh.iph, skb, skb->nh.iph->ihl*4,
765 /* look for tuple match */
766 h = ip_conntrack_find_get(&tuple, NULL);
768 h = init_conntrack(&tuple, proto, skb);
774 ct = tuplehash_to_ctrack(h);
776 /* It exists; we have (non-exclusive) reference. */
777 if (DIRECTION(h) == IP_CT_DIR_REPLY) {
778 *ctinfo = IP_CT_ESTABLISHED + IP_CT_IS_REPLY;
779 /* Please set reply bit if this packet OK */
782 /* Once we've had two way comms, always ESTABLISHED. */
783 if (test_bit(IPS_SEEN_REPLY_BIT, &ct->status)) {
784 DEBUGP("ip_conntrack_in: normal packet for %p\n",
786 *ctinfo = IP_CT_ESTABLISHED;
787 } else if (test_bit(IPS_EXPECTED_BIT, &ct->status)) {
788 DEBUGP("ip_conntrack_in: related packet for %p\n",
790 *ctinfo = IP_CT_RELATED;
792 DEBUGP("ip_conntrack_in: new packet for %p\n",
798 skb->nfct = &ct->ct_general;
799 skb->nfctinfo = *ctinfo;
803 /* Netfilter hook itself. */
804 unsigned int ip_conntrack_in(unsigned int hooknum,
805 struct sk_buff **pskb,
806 const struct net_device *in,
807 const struct net_device *out,
808 int (*okfn)(struct sk_buff *))
810 struct ip_conntrack *ct;
811 enum ip_conntrack_info ctinfo;
812 struct ip_conntrack_protocol *proto;
816 /* Previously seen (loopback or untracked)? Ignore. */
818 CONNTRACK_STAT_INC(ignore);
823 if ((*pskb)->nh.iph->frag_off & htons(IP_OFFSET)) {
824 if (net_ratelimit()) {
825 printk(KERN_ERR "ip_conntrack_in: Frag of proto %u (hook=%u)\n",
826 (*pskb)->nh.iph->protocol, hooknum);
831 /* Doesn't cover locally-generated broadcast, so not worth it. */
833 /* Ignore broadcast: no `connection'. */
834 if ((*pskb)->pkt_type == PACKET_BROADCAST) {
835 printk("Broadcast packet!\n");
837 } else if (((*pskb)->nh.iph->daddr & htonl(0x000000FF))
838 == htonl(0x000000FF)) {
839 printk("Should bcast: %u.%u.%u.%u->%u.%u.%u.%u (sk=%p, ptype=%u)\n",
840 NIPQUAD((*pskb)->nh.iph->saddr),
841 NIPQUAD((*pskb)->nh.iph->daddr),
842 (*pskb)->sk, (*pskb)->pkt_type);
846 proto = __ip_conntrack_proto_find((*pskb)->nh.iph->protocol);
848 /* It may be an special packet, error, unclean...
849 * inverse of the return code tells to the netfilter
850 * core what to do with the packet. */
851 if (proto->error != NULL
852 && (ret = proto->error(*pskb, &ctinfo, hooknum)) <= 0) {
853 CONNTRACK_STAT_INC(error);
854 CONNTRACK_STAT_INC(invalid);
858 if (!(ct = resolve_normal_ct(*pskb, proto,&set_reply,hooknum,&ctinfo))) {
859 /* Not valid part of a connection */
860 CONNTRACK_STAT_INC(invalid);
865 /* Too stressed to deal. */
866 CONNTRACK_STAT_INC(drop);
870 IP_NF_ASSERT((*pskb)->nfct);
872 ret = proto->packet(ct, *pskb, ctinfo);
874 /* Invalid: inverse of the return code tells
875 * the netfilter core what to do*/
876 nf_conntrack_put((*pskb)->nfct);
877 (*pskb)->nfct = NULL;
878 CONNTRACK_STAT_INC(invalid);
882 if (set_reply && !test_and_set_bit(IPS_SEEN_REPLY_BIT, &ct->status))
883 ip_conntrack_event_cache(IPCT_STATUS, *pskb);
888 int invert_tuplepr(struct ip_conntrack_tuple *inverse,
889 const struct ip_conntrack_tuple *orig)
891 return ip_ct_invert_tuple(inverse, orig,
892 __ip_conntrack_proto_find(orig->dst.protonum));
895 /* Would two expected things clash? */
896 static inline int expect_clash(const struct ip_conntrack_expect *a,
897 const struct ip_conntrack_expect *b)
899 /* Part covered by intersection of masks must be unequal,
900 otherwise they clash */
901 struct ip_conntrack_tuple intersect_mask
902 = { { a->mask.src.ip & b->mask.src.ip,
903 { a->mask.src.u.all & b->mask.src.u.all } },
904 { a->mask.dst.ip & b->mask.dst.ip,
905 { a->mask.dst.u.all & b->mask.dst.u.all },
906 a->mask.dst.protonum & b->mask.dst.protonum } };
908 return ip_ct_tuple_mask_cmp(&a->tuple, &b->tuple, &intersect_mask);
911 static inline int expect_matches(const struct ip_conntrack_expect *a,
912 const struct ip_conntrack_expect *b)
914 return a->master == b->master
915 && ip_ct_tuple_equal(&a->tuple, &b->tuple)
916 && ip_ct_tuple_equal(&a->mask, &b->mask);
919 /* Generally a bad idea to call this: could have matched already. */
920 void ip_conntrack_unexpect_related(struct ip_conntrack_expect *exp)
922 struct ip_conntrack_expect *i;
924 write_lock_bh(&ip_conntrack_lock);
925 /* choose the the oldest expectation to evict */
926 list_for_each_entry_reverse(i, &ip_conntrack_expect_list, list) {
927 if (expect_matches(i, exp) && del_timer(&i->timeout)) {
929 write_unlock_bh(&ip_conntrack_lock);
930 ip_conntrack_expect_put(i);
934 write_unlock_bh(&ip_conntrack_lock);
937 struct ip_conntrack_expect *ip_conntrack_expect_alloc(struct ip_conntrack *me)
939 struct ip_conntrack_expect *new;
941 new = kmem_cache_alloc(ip_conntrack_expect_cachep, GFP_ATOMIC);
943 DEBUGP("expect_related: OOM allocating expect\n");
947 atomic_inc(&new->master->ct_general.use);
948 atomic_set(&new->use, 1);
952 void ip_conntrack_expect_put(struct ip_conntrack_expect *exp)
954 if (atomic_dec_and_test(&exp->use)) {
955 ip_conntrack_put(exp->master);
956 kmem_cache_free(ip_conntrack_expect_cachep, exp);
960 static void ip_conntrack_expect_insert(struct ip_conntrack_expect *exp)
962 atomic_inc(&exp->use);
963 exp->master->expecting++;
964 list_add(&exp->list, &ip_conntrack_expect_list);
966 init_timer(&exp->timeout);
967 exp->timeout.data = (unsigned long)exp;
968 exp->timeout.function = expectation_timed_out;
969 exp->timeout.expires = jiffies + exp->master->helper->timeout * HZ;
970 add_timer(&exp->timeout);
972 exp->id = ++ip_conntrack_expect_next_id;
973 atomic_inc(&exp->use);
974 CONNTRACK_STAT_INC(expect_create);
977 /* Race with expectations being used means we could have none to find; OK. */
978 static void evict_oldest_expect(struct ip_conntrack *master)
980 struct ip_conntrack_expect *i;
982 list_for_each_entry_reverse(i, &ip_conntrack_expect_list, list) {
983 if (i->master == master) {
984 if (del_timer(&i->timeout)) {
986 ip_conntrack_expect_put(i);
993 static inline int refresh_timer(struct ip_conntrack_expect *i)
995 if (!del_timer(&i->timeout))
998 i->timeout.expires = jiffies + i->master->helper->timeout*HZ;
999 add_timer(&i->timeout);
1003 int ip_conntrack_expect_related(struct ip_conntrack_expect *expect)
1005 struct ip_conntrack_expect *i;
1008 DEBUGP("ip_conntrack_expect_related %p\n", related_to);
1009 DEBUGP("tuple: "); DUMP_TUPLE(&expect->tuple);
1010 DEBUGP("mask: "); DUMP_TUPLE(&expect->mask);
1012 write_lock_bh(&ip_conntrack_lock);
1013 list_for_each_entry(i, &ip_conntrack_expect_list, list) {
1014 if (expect_matches(i, expect)) {
1015 /* Refresh timer: if it's dying, ignore.. */
1016 if (refresh_timer(i)) {
1020 } else if (expect_clash(i, expect)) {
1026 /* Will be over limit? */
1027 if (expect->master->helper->max_expected &&
1028 expect->master->expecting >= expect->master->helper->max_expected)
1029 evict_oldest_expect(expect->master);
1031 ip_conntrack_expect_insert(expect);
1032 ip_conntrack_expect_event(IPEXP_NEW, expect);
1035 write_unlock_bh(&ip_conntrack_lock);
1039 /* Alter reply tuple (maybe alter helper). This is for NAT, and is
1040 implicitly racy: see __ip_conntrack_confirm */
1041 void ip_conntrack_alter_reply(struct ip_conntrack *conntrack,
1042 const struct ip_conntrack_tuple *newreply)
1044 write_lock_bh(&ip_conntrack_lock);
1045 /* Should be unconfirmed, so not in hash table yet */
1046 IP_NF_ASSERT(!is_confirmed(conntrack));
1048 DEBUGP("Altering reply tuple of %p to ", conntrack);
1049 DUMP_TUPLE(newreply);
1051 conntrack->tuplehash[IP_CT_DIR_REPLY].tuple = *newreply;
1052 if (!conntrack->master && conntrack->expecting == 0)
1053 conntrack->helper = __ip_conntrack_helper_find(newreply);
1054 write_unlock_bh(&ip_conntrack_lock);
1057 int ip_conntrack_helper_register(struct ip_conntrack_helper *me)
1059 BUG_ON(me->timeout == 0);
1060 write_lock_bh(&ip_conntrack_lock);
1061 list_prepend(&helpers, me);
1062 write_unlock_bh(&ip_conntrack_lock);
1067 struct ip_conntrack_helper *
1068 __ip_conntrack_helper_find_byname(const char *name)
1070 struct ip_conntrack_helper *h;
1072 list_for_each_entry(h, &helpers, list) {
1073 if (!strcmp(h->name, name))
1080 static inline int unhelp(struct ip_conntrack_tuple_hash *i,
1081 const struct ip_conntrack_helper *me)
1083 if (tuplehash_to_ctrack(i)->helper == me) {
1084 ip_conntrack_event(IPCT_HELPER, tuplehash_to_ctrack(i));
1085 tuplehash_to_ctrack(i)->helper = NULL;
1090 void ip_conntrack_helper_unregister(struct ip_conntrack_helper *me)
1093 struct ip_conntrack_expect *exp, *tmp;
1095 /* Need write lock here, to delete helper. */
1096 write_lock_bh(&ip_conntrack_lock);
1097 LIST_DELETE(&helpers, me);
1099 /* Get rid of expectations */
1100 list_for_each_entry_safe(exp, tmp, &ip_conntrack_expect_list, list) {
1101 if (exp->master->helper == me && del_timer(&exp->timeout)) {
1103 ip_conntrack_expect_put(exp);
1106 /* Get rid of expecteds, set helpers to NULL. */
1107 LIST_FIND_W(&unconfirmed, unhelp, struct ip_conntrack_tuple_hash*, me);
1108 for (i = 0; i < ip_conntrack_htable_size; i++)
1109 LIST_FIND_W(&ip_conntrack_hash[i], unhelp,
1110 struct ip_conntrack_tuple_hash *, me);
1111 write_unlock_bh(&ip_conntrack_lock);
1113 /* Someone could be still looking at the helper in a bh. */
1117 static inline void ct_add_counters(struct ip_conntrack *ct,
1118 enum ip_conntrack_info ctinfo,
1119 const struct sk_buff *skb)
1121 #ifdef CONFIG_IP_NF_CT_ACCT
1123 ct->counters[CTINFO2DIR(ctinfo)].packets++;
1124 ct->counters[CTINFO2DIR(ctinfo)].bytes +=
1125 ntohs(skb->nh.iph->tot_len);
1130 /* Refresh conntrack for this many jiffies and do accounting (if skb != NULL) */
1131 void ip_ct_refresh_acct(struct ip_conntrack *ct,
1132 enum ip_conntrack_info ctinfo,
1133 const struct sk_buff *skb,
1134 unsigned long extra_jiffies)
1136 IP_NF_ASSERT(ct->timeout.data == (unsigned long)ct);
1138 /* If not in hash table, timer will not be active yet */
1139 if (!is_confirmed(ct)) {
1140 ct->timeout.expires = extra_jiffies;
1141 ct_add_counters(ct, ctinfo, skb);
1143 write_lock_bh(&ip_conntrack_lock);
1144 /* Need del_timer for race avoidance (may already be dying). */
1145 if (del_timer(&ct->timeout)) {
1146 ct->timeout.expires = jiffies + extra_jiffies;
1147 add_timer(&ct->timeout);
1148 ip_conntrack_event_cache(IPCT_REFRESH, skb);
1150 ct_add_counters(ct, ctinfo, skb);
1151 write_unlock_bh(&ip_conntrack_lock);
1155 #if defined(CONFIG_IP_NF_CONNTRACK_NETLINK) || \
1156 defined(CONFIG_IP_NF_CONNTRACK_NETLINK_MODULE)
1157 /* Generic function for tcp/udp/sctp/dccp and alike. This needs to be
1158 * in ip_conntrack_core, since we don't want the protocols to autoload
1159 * or depend on ctnetlink */
1160 int ip_ct_port_tuple_to_nfattr(struct sk_buff *skb,
1161 const struct ip_conntrack_tuple *tuple)
1163 NFA_PUT(skb, CTA_PROTO_SRC_PORT, sizeof(u_int16_t),
1164 &tuple->src.u.tcp.port);
1165 NFA_PUT(skb, CTA_PROTO_DST_PORT, sizeof(u_int16_t),
1166 &tuple->dst.u.tcp.port);
1173 int ip_ct_port_nfattr_to_tuple(struct nfattr *tb[],
1174 struct ip_conntrack_tuple *t)
1176 if (!tb[CTA_PROTO_SRC_PORT-1] || !tb[CTA_PROTO_DST_PORT-1])
1180 *(u_int16_t *)NFA_DATA(tb[CTA_PROTO_SRC_PORT-1]);
1182 *(u_int16_t *)NFA_DATA(tb[CTA_PROTO_DST_PORT-1]);
1188 /* Returns new sk_buff, or NULL */
1190 ip_ct_gather_frags(struct sk_buff *skb, u_int32_t user)
1195 skb = ip_defrag(skb, user);
1199 ip_send_check(skb->nh.iph);
1203 /* Used by ipt_REJECT. */
1204 static void ip_conntrack_attach(struct sk_buff *nskb, struct sk_buff *skb)
1206 struct ip_conntrack *ct;
1207 enum ip_conntrack_info ctinfo;
1209 /* This ICMP is in reverse direction to the packet which caused it */
1210 ct = ip_conntrack_get(skb, &ctinfo);
1212 if (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL)
1213 ctinfo = IP_CT_RELATED + IP_CT_IS_REPLY;
1215 ctinfo = IP_CT_RELATED;
1217 /* Attach to new skbuff, and increment count */
1218 nskb->nfct = &ct->ct_general;
1219 nskb->nfctinfo = ctinfo;
1220 nf_conntrack_get(nskb->nfct);
1224 do_iter(const struct ip_conntrack_tuple_hash *i,
1225 int (*iter)(struct ip_conntrack *i, void *data),
1228 return iter(tuplehash_to_ctrack(i), data);
1231 /* Bring out ya dead! */
1232 static struct ip_conntrack_tuple_hash *
1233 get_next_corpse(int (*iter)(struct ip_conntrack *i, void *data),
1234 void *data, unsigned int *bucket)
1236 struct ip_conntrack_tuple_hash *h = NULL;
1238 write_lock_bh(&ip_conntrack_lock);
1239 for (; *bucket < ip_conntrack_htable_size; (*bucket)++) {
1240 h = LIST_FIND_W(&ip_conntrack_hash[*bucket], do_iter,
1241 struct ip_conntrack_tuple_hash *, iter, data);
1246 h = LIST_FIND_W(&unconfirmed, do_iter,
1247 struct ip_conntrack_tuple_hash *, iter, data);
1249 atomic_inc(&tuplehash_to_ctrack(h)->ct_general.use);
1250 write_unlock_bh(&ip_conntrack_lock);
1256 ip_ct_iterate_cleanup(int (*iter)(struct ip_conntrack *i, void *), void *data)
1258 struct ip_conntrack_tuple_hash *h;
1259 unsigned int bucket = 0;
1261 while ((h = get_next_corpse(iter, data, &bucket)) != NULL) {
1262 struct ip_conntrack *ct = tuplehash_to_ctrack(h);
1263 /* Time to push up daises... */
1264 if (del_timer(&ct->timeout))
1265 death_by_timeout((unsigned long)ct);
1266 /* ... else the timer will get him soon. */
1268 ip_conntrack_put(ct);
1272 /* Fast function for those who don't want to parse /proc (and I don't
1274 /* Reversing the socket's dst/src point of view gives us the reply
1277 getorigdst(struct sock *sk, int optval, void __user *user, int *len)
1279 struct inet_sock *inet = inet_sk(sk);
1280 struct ip_conntrack_tuple_hash *h;
1281 struct ip_conntrack_tuple tuple;
1283 IP_CT_TUPLE_U_BLANK(&tuple);
1284 tuple.src.ip = inet->rcv_saddr;
1285 tuple.src.u.tcp.port = inet->sport;
1286 tuple.dst.ip = inet->daddr;
1287 tuple.dst.u.tcp.port = inet->dport;
1288 tuple.dst.protonum = IPPROTO_TCP;
1290 /* We only do TCP at the moment: is there a better way? */
1291 if (strcmp(sk->sk_prot->name, "TCP")) {
1292 DEBUGP("SO_ORIGINAL_DST: Not a TCP socket\n");
1293 return -ENOPROTOOPT;
1296 if ((unsigned int) *len < sizeof(struct sockaddr_in)) {
1297 DEBUGP("SO_ORIGINAL_DST: len %u not %u\n",
1298 *len, sizeof(struct sockaddr_in));
1302 h = ip_conntrack_find_get(&tuple, NULL);
1304 struct sockaddr_in sin;
1305 struct ip_conntrack *ct = tuplehash_to_ctrack(h);
1307 sin.sin_family = AF_INET;
1308 sin.sin_port = ct->tuplehash[IP_CT_DIR_ORIGINAL]
1309 .tuple.dst.u.tcp.port;
1310 sin.sin_addr.s_addr = ct->tuplehash[IP_CT_DIR_ORIGINAL]
1313 DEBUGP("SO_ORIGINAL_DST: %u.%u.%u.%u %u\n",
1314 NIPQUAD(sin.sin_addr.s_addr), ntohs(sin.sin_port));
1315 ip_conntrack_put(ct);
1316 if (copy_to_user(user, &sin, sizeof(sin)) != 0)
1321 DEBUGP("SO_ORIGINAL_DST: Can't find %u.%u.%u.%u/%u-%u.%u.%u.%u/%u.\n",
1322 NIPQUAD(tuple.src.ip), ntohs(tuple.src.u.tcp.port),
1323 NIPQUAD(tuple.dst.ip), ntohs(tuple.dst.u.tcp.port));
1327 static struct nf_sockopt_ops so_getorigdst = {
1329 .get_optmin = SO_ORIGINAL_DST,
1330 .get_optmax = SO_ORIGINAL_DST+1,
1334 static int kill_all(struct ip_conntrack *i, void *data)
1339 static void free_conntrack_hash(void)
1341 if (ip_conntrack_vmalloc)
1342 vfree(ip_conntrack_hash);
1344 free_pages((unsigned long)ip_conntrack_hash,
1345 get_order(sizeof(struct list_head)
1346 * ip_conntrack_htable_size));
1349 void ip_conntrack_flush()
1351 /* This makes sure all current packets have passed through
1352 netfilter framework. Roll on, two-stage module
1356 ip_ct_event_cache_flush();
1358 ip_ct_iterate_cleanup(kill_all, NULL);
1359 if (atomic_read(&ip_conntrack_count) != 0) {
1361 goto i_see_dead_people;
1363 /* wait until all references to ip_conntrack_untracked are dropped */
1364 while (atomic_read(&ip_conntrack_untracked.ct_general.use) > 1)
1368 /* Mishearing the voices in his head, our hero wonders how he's
1369 supposed to kill the mall. */
1370 void ip_conntrack_cleanup(void)
1372 ip_ct_attach = NULL;
1373 ip_conntrack_flush();
1374 kmem_cache_destroy(ip_conntrack_cachep);
1375 kmem_cache_destroy(ip_conntrack_expect_cachep);
1376 free_conntrack_hash();
1377 nf_unregister_sockopt(&so_getorigdst);
1380 static int hashsize;
1381 module_param(hashsize, int, 0400);
1383 int __init ip_conntrack_init(void)
1388 /* Idea from tcp.c: use 1/16384 of memory. On i386: 32MB
1389 * machine has 256 buckets. >= 1GB machines have 8192 buckets. */
1391 ip_conntrack_htable_size = hashsize;
1393 ip_conntrack_htable_size
1394 = (((num_physpages << PAGE_SHIFT) / 16384)
1395 / sizeof(struct list_head));
1396 if (num_physpages > (1024 * 1024 * 1024 / PAGE_SIZE))
1397 ip_conntrack_htable_size = 8192;
1398 if (ip_conntrack_htable_size < 16)
1399 ip_conntrack_htable_size = 16;
1401 ip_conntrack_max = 8 * ip_conntrack_htable_size;
1403 printk("ip_conntrack version %s (%u buckets, %d max)"
1404 " - %Zd bytes per conntrack\n", IP_CONNTRACK_VERSION,
1405 ip_conntrack_htable_size, ip_conntrack_max,
1406 sizeof(struct ip_conntrack));
1408 ret = nf_register_sockopt(&so_getorigdst);
1410 printk(KERN_ERR "Unable to register netfilter socket option\n");
1414 /* AK: the hash table is twice as big than needed because it
1415 uses list_head. it would be much nicer to caches to use a
1416 single pointer list head here. */
1417 ip_conntrack_vmalloc = 0;
1419 =(void*)__get_free_pages(GFP_KERNEL,
1420 get_order(sizeof(struct list_head)
1421 *ip_conntrack_htable_size));
1422 if (!ip_conntrack_hash) {
1423 ip_conntrack_vmalloc = 1;
1424 printk(KERN_WARNING "ip_conntrack: falling back to vmalloc.\n");
1425 ip_conntrack_hash = vmalloc(sizeof(struct list_head)
1426 * ip_conntrack_htable_size);
1428 if (!ip_conntrack_hash) {
1429 printk(KERN_ERR "Unable to create ip_conntrack_hash\n");
1430 goto err_unreg_sockopt;
1433 ip_conntrack_cachep = kmem_cache_create("ip_conntrack",
1434 sizeof(struct ip_conntrack), 0,
1436 if (!ip_conntrack_cachep) {
1437 printk(KERN_ERR "Unable to create ip_conntrack slab cache\n");
1441 ip_conntrack_expect_cachep = kmem_cache_create("ip_conntrack_expect",
1442 sizeof(struct ip_conntrack_expect),
1444 if (!ip_conntrack_expect_cachep) {
1445 printk(KERN_ERR "Unable to create ip_expect slab cache\n");
1446 goto err_free_conntrack_slab;
1449 /* Don't NEED lock here, but good form anyway. */
1450 write_lock_bh(&ip_conntrack_lock);
1451 for (i = 0; i < MAX_IP_CT_PROTO; i++)
1452 ip_ct_protos[i] = &ip_conntrack_generic_protocol;
1453 /* Sew in builtin protocols. */
1454 ip_ct_protos[IPPROTO_TCP] = &ip_conntrack_protocol_tcp;
1455 ip_ct_protos[IPPROTO_UDP] = &ip_conntrack_protocol_udp;
1456 ip_ct_protos[IPPROTO_ICMP] = &ip_conntrack_protocol_icmp;
1457 write_unlock_bh(&ip_conntrack_lock);
1459 for (i = 0; i < ip_conntrack_htable_size; i++)
1460 INIT_LIST_HEAD(&ip_conntrack_hash[i]);
1462 /* For use by ipt_REJECT */
1463 ip_ct_attach = ip_conntrack_attach;
1465 /* Set up fake conntrack:
1466 - to never be deleted, not in any hashes */
1467 atomic_set(&ip_conntrack_untracked.ct_general.use, 1);
1468 /* - and look it like as a confirmed connection */
1469 set_bit(IPS_CONFIRMED_BIT, &ip_conntrack_untracked.status);
1473 err_free_conntrack_slab:
1474 kmem_cache_destroy(ip_conntrack_cachep);
1476 free_conntrack_hash();
1478 nf_unregister_sockopt(&so_getorigdst);
git.samba.org / sfrench / cifs-2.6.git / blob