path: root/net/netfilter/nf_conntrack_ftp.c
Age | Commit message | Author | Lines
2019-08-27 | netfilter: nf_conntrack_ftp: Fix debug output | Thomas Jarosch | -1/+1
The find_pattern() debug output was printing the 'skip' character. This can be a NULL-byte and messes up further pr_debug() output.

Output without the fix:

    kernel: nf_conntrack_ftp: Pattern matches!
    kernel: nf_conntrack_ftp: Skipped up to `<7>nf_conntrack_ftp: find_pattern `PORT': dlen = 8
    kernel: nf_conntrack_ftp: find_pattern `EPRT': dlen = 8

Output with the fix:

    kernel: nf_conntrack_ftp: Pattern matches!
    kernel: nf_conntrack_ftp: Skipped up to 0x0 delimiter!
    kernel: nf_conntrack_ftp: Match succeeded!
    kernel: nf_conntrack_ftp: conntrack_ftp: match `172,17,0,100,200,207' (20 bytes at 4150681645)
    kernel: nf_conntrack_ftp: find_pattern `PORT': dlen = 8

Signed-off-by: Thomas Jarosch <>
Signed-off-by: Pablo Neira Ayuso <>
2019-07-16 | netfilter: nf_conntrack_sip: fix expectation clash | xiao ruizhu | -1/+1
When conntracks change during a dialog, SDP messages may be sent from different conntracks to establish expects with identical tuples. In this case an expects conflict may be detected for the 2nd SDP message and end up with a process failure.

The fix here is to reuse an existing expect which has the same tuple for a different conntrack, if any.

Here are two scenarios for the case.

1)

             SERVER                   CPE

               |      INVITE SDP       |
          5060 |<----------------------|5060
               |      100 Trying       |
          5060 |---------------------->|5060
               |      183 SDP          |
          5060 |---------------------->|5060    ===> Conntrack 1
               |       PRACK           |
         50601 |<----------------------|5060
               |      200 OK (PRACK)   |
         50601 |---------------------->|5060
               |      200 OK (INVITE)  |
          5060 |---------------------->|5060
               |       ACK             |
         50601 |<----------------------|5060
               |                       |
               |<--- RTP stream ------>|
               |                       |
               |    INVITE SDP (t38)   |
         50601 |---------------------->|5060    ===> Conntrack 2

With a certain configuration in the CPE, SIP messages "183 with SDP" and "re-INVITE with SDP t38" will go through the sip helper to create expects for RTP and RTCP.

It is okay to create RTP and RTCP expects for "183", whose master connection source port is 5060, and destination port is 5060.

In the "183" message, the port in the Contact header changes to 50601 (from the original 5060). So the following requests, e.g. PRACK and ACK, are sent to port 50601. It is a different conntrack (let's call it Conntrack 2) from the original INVITE (let's call it Conntrack 1) due to the port difference.

In this example, after the call is established, there is an RTP stream but no RTCP stream for Conntrack 1, so the RTP expect created upon "183" is cleared, and the RTCP expect created for Conntrack 1 is retained.

When "re-INVITE with SDP t38" arrives to create RTP&RTCP expects, the current ALG implementation will call nf_ct_expect_related() for RTP and RTCP. The expect tuples are identical to those for Conntrack 1. The RTP expect for Conntrack 2 succeeds in creation as the one for Conntrack 1 has been removed. The RTCP expect for Conntrack 2 fails in creation because it has identical tuples and 'conflicts' with the one retained for Conntrack 1. This then results in a failure in processing of the re-INVITE.

2)

           SERVER A                    CPE

               |      REGISTER     |
          5060 |<------------------| 5060  ==> CT1
               |       200         |
          5060 |------------------>| 5060
               |                   |
               |   INVITE SDP(1)   |
          5060 |<------------------| 5060
               | 300(multi choice) |
          5060 |------------------>| 5060                    SERVER B
               |       ACK         |
          5060 |<------------------| 5060
                                   |   INVITE SDP(2)     |
                              5060 |-------------------->| 5060  ==> CT2
                                   |         100         |
                              5060 |<--------------------| 5060
                                   | 200(contact changes)|
                              5060 |<--------------------| 5060
                                   |         ACK         |
                              5060 |-------------------->| 50601  ==> CT3
                                   |                     |
                                   |<--- RTP stream ---->|
                                   |                     |
                                   |         BYE         |
                              5060 |<--------------------| 50601
                                   |         200         |
                              5060 |-------------------->| 50601
               |                   |
               |   INVITE SDP(3)   |
          5060 |<------------------| 5060  ==> CT1

The CPE sends an INVITE request(1) to Server A, and creates an RTP&RTCP expect pair for this Conntrack 1 (CT1). Server A responds 300 to redirect to Server B. The RTP&RTCP expect pairs created on CT1 are removed upon the 300 response.

The CPE sends the INVITE request(2) to Server B, and creates an expect pair for the new conntrack (due to the destination address difference), let's call it CT2.

Server B changes the port to 50601 in the 200 OK response, and the following requests ACK and BYE from the CPE are sent to 50601. The call is established. There is an RTP stream and no RTCP stream. So the RTP expect is removed and the RTCP expect for CT2 is retained.

As the BYE request is sent from port 50601, it is another conntrack, let's call it CT3, different from CT2 due to the port difference. So the BYE request will not remove the RTCP expect for CT2.

Then another outgoing call is made, with the same RTP port being used (not definitely but possibly). The CPE first sends the INVITE request(3) to Server A, and tries to create RTP&RTCP expect pairs for this CT1. In the current ALG implementation, the RTCP expect for CT1 fails in creation because it 'conflicts' with the residual one for CT2. As a result the INVITE request fails to send.

Signed-off-by: xiao ruizhu <>
Signed-off-by: Pablo Neira Ayuso <>
2019-06-19 | treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 | Thomas Gleixner | -4/+1
Based on 2 normalized pattern(s):

    this program is free software you can redistribute it and or modify it under the terms of the gnu general public license version 2 as published by the free software foundation

    this program is free software you can redistribute it and or modify it under the terms of the gnu general public license version 2 as published by the free software foundation

extracted by the scancode license scanner the SPDX license identifier

    GPL-2.0-only

has been chosen to replace the boilerplate/reference in 4122 file(s).

Signed-off-by: Thomas Gleixner <>
Reviewed-by: Enrico Weigelt <>
Reviewed-by: Kate Stewart <>
Reviewed-by: Allison Randal <>
Cc:
Link:
Signed-off-by: Greg Kroah-Hartman <>
2019-04-30 | netfilter: add API to manage NAT helpers. | Flavio Leitner | -7/+11
The API allows a conntrack helper to indicate its corresponding NAT helper which then can be loaded and reference counted. Signed-off-by: Flavio Leitner <> Signed-off-by: Pablo Neira Ayuso <>
2018-04-24 | netfilter: add __exit mark to helper modules | Taehee Yoo | -2/+1
There is no __exit mark in the helper modules, because these exit functions used to be called by the init function, but now they are not, so we can add the __exit mark. Signed-off-by: Taehee Yoo <> Signed-off-by: Pablo Neira Ayuso <>
2017-04-19 | netfilter: helpers: remove data_len usage for inkernel helpers | Florian Westphal | -4/+2
No need to track this for inkernel helpers anymore as NF_CT_HELPER_BUILD_BUG_ON checks do this now. All inkernel helpers know what kind of structure they stored in helper->data. Signed-off-by: Florian Westphal <> Signed-off-by: Pablo Neira Ayuso <>
2017-04-19 | netfilter: helper: add build-time asserts for helper data size | Florian Westphal | -0/+2
add a 32 byte scratch area in the helper struct instead of relying on variable sized helpers plus compile-time asserts to let us know if 32 bytes aren't enough anymore. Not having variable sized helpers will later allow to add BUILD_BUG_ON for the total size of conntrack extensions -- the helper extension is the only one that doesn't have a fixed size. The (useless!) NF_CT_HELPER_BUILD_BUG_ON(0); are added so that in case someone adds a new helper and copy-pastes from one that doesn't store private data at least some indication that this macro should be used somehow is there... Signed-off-by: Florian Westphal <> Signed-off-by: Pablo Neira Ayuso <>
2017-02-27 | lib/vsprintf.c: remove %Z support | Alexey Dobriyan | -1/+1
Now that %z is standardised in C99 there is no reason to support %Z. Unlike %L it doesn't even make format strings smaller. Use BUILD_BUG_ON in a couple of ATM drivers. In case anyone didn't notice, lib/vsprintf.o is about half of SLUB, which is, in my opinion, quite an achievement. Hopefully this patch inspires someone else to trim vsprintf.c more. Link: Signed-off-by: Alexey Dobriyan <> Cc: Andy Shevchenko <> Cc: Rasmus Villemoes <> Signed-off-by: Andrew Morton <> Signed-off-by: Linus Torvalds <>
2016-09-07 | netfilter: ftp: Remove the useless code | Gao Feng | -12/+1
There are some debug code which are commented out in find_pattern by #if 0. Now remove them. Signed-off-by: Gao Feng <> Signed-off-by: Pablo Neira Ayuso <>
2016-09-07 | netfilter: ftp: Remove the useless dlen==0 condition check in find_pattern | Gao Feng | -2/+0
The caller function "help" has already made sure the datalen could not be zero before invoking find_pattern with it as a parameter, by the following code:

    if (dataoff >= skb->len) {
        pr_debug("ftp: dataoff(%u) >= skblen(%u)\n", dataoff, skb->len);
        return NF_ACCEPT;
    }
    datalen = skb->len - dataoff;

And the later code

    ends_in_nl = (fb_ptr[datalen - 1] == '\n');

uses datalen directly without checking if it is zero. So it is unnecessary to check it in find_pattern too.

Signed-off-by: Gao Feng <>
Signed-off-by: Pablo Neira Ayuso <>
2016-08-22 | netfilter: fix spelling mistake: "delimitter" -> "delimiter" | Colin Ian King | -1/+1
trivial fix to spelling mistake in pr_debug message Signed-off-by: Colin Ian King <> Signed-off-by: Pablo Neira Ayuso <>
2016-07-21 | netfilter: Add helper array register/unregister functions | Gao Feng | -40/+18
Add nf_ct_helper_init(), nf_conntrack_helpers_register() and nf_conntrack_helpers_unregister() functions to avoid repetitive opencoded initialization in helpers. This patch keeps an id parameter for nf_ct_helper_init() not to break helper matching by name that has been inconsistently exposed to userspace through ports, eg. ftp-2121, and through an incremental id, eg. tftp-1. Signed-off-by: Gao Feng <> Signed-off-by: Pablo Neira Ayuso <>
2016-05-30 | netfilter: nf_ct_helper: Fix helper unregister count. | Taehee Yoo | -0/+1
Helpers should unregister only the registered ports, but a helper cannot have the correct registered ports value when it failed to register. Signed-off-by: Taehee Yoo <> Signed-off-by: Pablo Neira Ayuso <>
2016-01-04 | netfilter: nf_ct_helper: define pr_fmt() | Pablo Neira Ayuso | -9/+8
Signed-off-by: Pablo Neira Ayuso <>
2014-10-14 | netfilter: replace strnicmp with strncasecmp | Rasmus Villemoes | -2/+2
The kernel used to contain two functions for length-delimited, case-insensitive string comparison, strnicmp with correct semantics and a slightly buggy strncasecmp. The latter is the POSIX name, so strnicmp was renamed to strncasecmp, and strnicmp made into a wrapper for the new strncasecmp to avoid breaking existing users. To allow the compat wrapper strnicmp to be removed at some point in the future, and to avoid the extra indirection cost, do s/strnicmp/strncasecmp/g. Signed-off-by: Rasmus Villemoes <> Cc: "David S. Miller" <> Signed-off-by: Andrew Morton <> Signed-off-by: Linus Torvalds <>
2013-05-27 | netfilter: Implement RFC 1123 for FTP conntrack | Jeff Mahoney | -19/+54
The FTP conntrack code currently only accepts the following format for the 227 response for PASV:

    227 Entering Passive Mode (148,100,81,40,31,161).

It doesn't accept the following format from an obscure server:

    227 Data transfer will passively listen to 67,218,99,134,50,144

From RFC 1123:

    The format of the 227 reply to a PASV command is not well standardized. In particular, an FTP client cannot assume that the parentheses shown on page 40 of RFC-959 will be present (and in fact, Figure 3 on page 43 omits them). Therefore, a User-FTP program that interprets the PASV reply must scan the reply for the first digit of the host and port numbers.

This patch adds support for the RFC 1123 clarification by:

- Allowing a search filter to specify NUL as the terminator so that try_number will return successfully if the array of numbers has been filled when an unexpected character is encountered.
- Using space as the separator for the 227 reply and then scanning for the first digit of the number sequence. The number sequence is parsed out using the existing try_rfc959 but with a NUL terminator.

References:
References:
Reported-by: Mark Post <>
Signed-off-by: Jeff Mahoney <>
Signed-off-by: Jiri Slaby <>
Cc: Pablo Neira Ayuso <>
Cc: Patrick McHardy <>
Cc: "David S. Miller" <>
Cc:
Cc:
Cc:
Cc:
Signed-off-by: Pablo Neira Ayuso <>
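An added example, not kernel code and not this patch's own try_rfc959/try_number, showing the RFC 1123 parsing rule the commit adopts in standalone C: require the "227 " reply code, scan forward to the first digit, read six octets, and accept whatever follows the sixth one. The struct and function names are my own.

```c
/* Added example, not kernel code: a standalone parser for the FTP 227 reply
 * following the RFC 1123 rule: require "227 ", scan to the first digit, read
 * h1,h2,h3,h4,p1,p2 and accept whatever follows (')' or a bare CR/LF/NUL).
 * Names here are my own, not those of nf_conntrack_ftp.c. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct pasv_addr {
    uint8_t  ip[4];   /* h1..h4 in wire order */
    uint16_t port;    /* p1 * 256 + p2 */
};

/* Returns 1 and fills *out on success, 0 if no well-formed sequence is found. */
static int parse_pasv_227(const char *s, struct pasv_addr *out)
{
    unsigned int num[6];
    int i;

    if (strncmp(s, "227 ", 4) != 0)
        return 0;
    s += 4;

    /* RFC 1123: do not assume parentheses; find the first digit instead. */
    while (*s && (*s < '0' || *s > '9'))
        s++;
    if (!*s)
        return 0;

    for (i = 0; i < 6; i++) {
        unsigned int v = 0;
        int ndig = 0;

        while (*s >= '0' && *s <= '9') {
            v = v * 10 + (unsigned int)(*s++ - '0');
            if (++ndig > 3 || v > 255)   /* each field is one octet */
                return 0;
        }
        if (ndig == 0)
            return 0;
        num[i] = v;
        /* Fields are comma-separated; the character after the sixth
         * field is deliberately not checked (the NUL-terminator case). */
        if (i < 5 && *s++ != ',')
            return 0;
    }

    for (i = 0; i < 4; i++)
        out->ip[i] = (uint8_t)num[i];
    out->port = (uint16_t)(num[4] * 256 + num[5]);
    return 1;
}

/* Convenience wrapper: the data port, or -1 when the reply does not parse. */
static int pasv_port_of(const char *reply)
{
    struct pasv_addr a;

    return parse_pasv_227(reply, &a) ? (int)a.port : -1;
}

int main(void)
{
    /* Constructed samples: the two forms quoted in the commit message plus
     * a truncated one that must be rejected. */
    const char *replies[] = {
        "227 Entering Passive Mode (148,100,81,40,31,161).\r\n",
        "227 Data transfer will passively listen to 67,218,99,134,50,144\r\n",
        "227 Entering Passive Mode (148,100,81,40,31).\r\n",
    };
    size_t n;

    for (n = 0; n < sizeof(replies) / sizeof(replies[0]); n++) {
        struct pasv_addr a;

        if (parse_pasv_227(replies[n], &a))
            printf("%u.%u.%u.%u port %u\n", (unsigned)a.ip[0], (unsigned)a.ip[1],
                   (unsigned)a.ip[2], (unsigned)a.ip[3], (unsigned)a.port);
        else
            printf("rejected: %s", replies[n]);
    }
    return 0;
}
```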
2013-04-18 | netfilter: add my copyright statements | Patrick McHardy | -0/+1
Add copyright statements to all netfilter files which have had significant changes done by myself in the past.

Some notes:

- nf_conntrack_ecache.c was incorrectly attributed to Rusty and Netfilter Core Team when it got split out of nf_conntrack_core.c. The copyrights even state a date which lies six years before it was written. It was written in 2005 by Harald and myself.
- net/ipv{4,6}/netfilter.c, net/netfilter/nf_queue.c were missing copyright statements. I've added the copyright statement from net/netfilter/core.c, where this code originated
- for nf_conntrack_proto_tcp.c I've also added Jozsef, since I didn't want it to give the wrong impression

Signed-off-by: Patrick McHardy <>
Signed-off-by: Pablo Neira Ayuso <>
2013-02-19 | netfilter: nf_ct_helper: better logging for dropped packets | Pablo Neira Ayuso | -4/+6
Connection tracking helpers have to drop packets under exceptional situations. Currently, the user gets the following logging message in case that happens:

    nf_ct_%s: dropping packet ...

However, depending on the helper, there are different reasons why a packet can be dropped. This patch modifies the existing code to provide a more specific error message in the scope of each helper to help users to debug the reason why the packet has been dropped, ie:

    nf_ct_%s: dropping packet: reason ...

Thanks to Joe Perches for many formatting suggestions.

Signed-off-by: Pablo Neira Ayuso <>
2012-09-24 | netfilter: nf_ct_ftp: add sequence tracking pickup facility for injected entries | Pablo Neira Ayuso | -0/+21
This patch allows the FTP helper to pick up the sequence tracking from the first packet seen. This is useful to fix the breakage of the first FTP command after the failover while using conntrackd to synchronize states. The seq_aft_nl_num field in struct nf_ct_ftp_info has been shrunk to 16-bits (enough for what it does), so we can use the remaining 16-bits to store the flags while using the same size for the private FTP helper data. Signed-off-by: Pablo Neira Ayuso <>
2012-08-30 | netfilter: nf_nat: support IPv6 in FTP NAT helper | Patrick McHardy | -2/+1
Signed-off-by: Patrick McHardy <>
2012-08-30 | netfilter: nf_nat: add protoff argument to packet mangling functions | Patrick McHardy | -1/+2
For mangling IPv6 packets the protocol header offset needs to be known by the NAT packet mangling functions. Add a so far unused protoff argument and convert the conntrack and NAT helpers to use it in preparation of IPv6 NAT. Signed-off-by: Patrick McHardy <>
2012-08-30 | netfilter: nf_conntrack: restrict NAT helper invocation to IPv4 | Patrick McHardy | -1/+2
The NAT helpers currently only handle IPv4 packets correctly. Restrict invocation of the helpers to IPv4 in preparation of IPv6 NAT. Signed-off-by: Patrick McHardy <>
2012-06-16 | netfilter: nf_ct_helper: implement variable length helper private data | Pablo Neira Ayuso | -1/+2
This patch uses the new variable length conntrack extensions. Instead of using union nf_conntrack_help that contain all the helper private data information, we allocate variable length area to store the private helper data. This patch includes the modification of all existing helpers. It also includes a couple of include header to avoid compilation warnings. Signed-off-by: Pablo Neira Ayuso <>
2012-06-16 | netfilter: nf_ct_helper: allocate 16 bytes for the helper and policy names | Pablo Neira Ayuso | -6/+2
This patch modifies the struct nf_conntrack_helper to allocate the room for the helper name. The maximum length is 16 bytes (this was already introduced in 2.6.24). For the maximum length for expectation policy names, I have also selected 16 bytes. This patch is required by the follow-up patch to support user-space connection tracking helpers. Signed-off-by: Pablo Neira Ayuso <>
2011-12-19 | module_param: make bool parameters really bool (net & drivers/net) | Rusty Russell | -1/+1
module_param(bool) used to counter-intuitively take an int. In fddd5201 (mid-2009) we allowed bool or int/unsigned int using a messy trick. It's time to remove the int/unsigned int option. For this version it'll simply give a warning, but it'll break next kernel version. (Thanks to Joe Perches for suggesting coccinelle for 0/1 -> true/false). Cc: "David S. Miller" <> Cc: Signed-off-by: Rusty Russell <> Signed-off-by: David S. Miller <>
2011-06-06 | netfilter: add more values to enum ip_conntrack_info | Eric Dumazet | -1/+1
Following error is raised (and other similar ones):

    net/ipv4/netfilter/nf_nat_standalone.c: In function ‘nf_nat_fn’:
    net/ipv4/netfilter/nf_nat_standalone.c:119:2: warning: case value ‘4’ not in enumerated type ‘enum ip_conntrack_info’

gcc barfs on adding two enum values and getting a not enumerated result:

    case IP_CT_RELATED+IP_CT_IS_REPLY:

Add missing enum values

Signed-off-by: Eric Dumazet <>
CC: David Miller <>
Signed-off-by: Pablo Neira Ayuso <>
2010-05-13 | netfilter: cleanup printk messages | Stephen Hemminger | -2/+2
Make sure all printk messages have a severity level. Signed-off-by: Stephen Hemminger <> Signed-off-by: Patrick McHardy <>
2010-03-30 | include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h | Tejun Heo | -0/+1
percpu.h is included by sched.h and module.h and thus ends up being included when building most .c files. percpu.h includes slab.h which in turn includes gfp.h making everything defined by the two files universally available and complicating inclusion dependencies.

percpu.h -> slab.h dependency is about to be removed. Prepare for this change by updating users of gfp and slab facilities include those headers directly instead of assuming availability. As this conversion needs to touch large number of source files, the following script is used as the basis of conversion.

The script does the followings.

* Scan files for gfp and slab usages and update includes such that only the necessary includes are there. ie. if only gfp is used, gfp.h, if slab is used, slab.h.
* When the script inserts a new include, it looks at the include blocks and try to put the new include such that its order conforms to its surrounding. It's put in the include block which contains core kernel includes, in the same order that the rest are ordered - alphabetical, Christmas tree, rev-Xmas-tree or at the end if there doesn't seem to be any matching order.
* If the script can't find a place to put a new include (mostly because the file doesn't have fitting include block), it prints out an error message indicating which .h file needs to be added to the file.

The conversion was done in the following steps.

1. The initial automatic conversion of all .c files updated slightly over 4000 files, deleting around 700 includes and adding ~480 gfp.h and ~3000 slab.h inclusions. The script emitted errors for ~400 files.
2. Each error was manually checked. Some didn't need the inclusion, some needed manual addition while adding it to implementation .h or embedding .c file was more appropriate for others. This step added inclusions to around 150 files.
3. The script was run again and the output was compared to the edits from #2 to make sure no file was left behind.
4. Several build tests were done and a couple of problems were fixed. e.g. lib/decompress_*.c used malloc/free() wrappers around slab APIs requiring slab.h to be added manually.
5. The script was run on all .h files but without automatically editing them as sprinkling gfp.h and slab.h inclusions around .h files could easily lead to inclusion dependency hell. Most gfp.h inclusion directives were ignored as stuff from gfp.h was usually wildly available and often used in preprocessor macros. Each slab.h inclusion directive was examined and added manually as necessary.
6. percpu.h was updated not to include slab.h.
7. Build tests were done on the following configurations and failures were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my distributed build env didn't work with gcov compiles) and a few more options had to be turned off depending on archs to make things build (like ipr on powerpc/64 which failed due to missing writeq).
   * x86 and x86_64 UP and SMP allmodconfig and a custom test config.
   * powerpc and powerpc64 SMP allmodconfig
   * sparc and sparc64 SMP allmodconfig
   * ia64 SMP allmodconfig
   * s390 SMP allmodconfig
   * alpha SMP allmodconfig
   * um on x86_64 SMP allmodconfig
8. percpu.h modifications were reverted so that it could be applied as a separate patch and serve as bisection point.

Given the fact that I had only a couple of failures from tests on step 6, I'm fairly confident about the coverage of this conversion patch. If there is a breakage, it's likely to be something in one of the arch headers which should be easily discoverable on most builds of the specific arch.

Signed-off-by: Tejun Heo <>
Guess-its-ok-by: Christoph Lameter <>
Cc: Ingo Molnar <>
Cc: Lee Schermerhorn <>
2010-01-07 | netfilter: nf_ct_ftp: fix out of bounds read in update_nl_seq() | Patrick McHardy | -9/+9
As noticed by Dan Carpenter <>, update_nl_seq() currently contains an out of bounds read of the seq_aft_nl array when looking for the oldest sequence number position. Fix it to only compare valid positions. Cc: Signed-off-by: Patrick McHardy <>
2009-11-29 | net: Move && and || to end of previous line | Joe Perches | -4/+4
Not including net/atm/ Compile tested x86 allyesconfig only Added a > 80 column line or two, which I ignored. Existing checkpatch plaints willfully, cheerfully ignored. Signed-off-by: Joe Perches <> Signed-off-by: David S. Miller <>
2009-06-02 | netfilter: conntrack: simplify event caching system | Pablo Neira Ayuso | -2/+0
This patch simplifies the conntrack event caching system by removing several events:

* IPCT_[*]_VOLATILE, IPCT_HELPINFO and IPCT_NATINFO has been deleted since the have no clients.
* IPCT_COUNTER_FILLING which is a leftover of the 32-bits counter days.
* IPCT_REFRESH which is not of any use since we always include the timeout in the messages.

After this patch, the existing events are:

* IPCT_NEW, IPCT_RELATED and IPCT_DESTROY, that are used to identify addition and deletion of entries.
* IPCT_STATUS, that notes that the status bits have changes, eg. IPS_SEEN_REPLY and IPS_ASSURED.
* IPCT_PROTOINFO, that reports that internal protocol information has changed, eg. the TCP, DCCP and SCTP protocol state.
* IPCT_HELPER, that a helper has been assigned or unassigned to this entry.
* IPCT_MARK and IPCT_SECMARK, that reports that the mark has changed, this covers the case when a mark is set to zero.
* IPCT_NATSEQADJ, to report that there's updates in the NAT sequence adjustment.

Signed-off-by: Pablo Neira Ayuso <>
2008-11-25 | netfilter: fix warning in net/netfilter/nf_conntrack_ftp.c | Ingo Molnar | -1/+1
this warning:

    net/netfilter/nf_conntrack_ftp.c: In function 'help':
    net/netfilter/nf_conntrack_ftp.c:360: warning: 'matchoff' may be used uninitialized in this function
    net/netfilter/nf_conntrack_ftp.c:360: warning: 'matchlen' may be used uninitialized in this function

triggers because GCC does not recognize the (correct) error flow between find_pattern(), 'found', 'matchoff' and 'matchlen'. Annotate it.

Signed-off-by: Ingo Molnar <>
Signed-off-by: Patrick McHardy <>
2008-11-24 | netfilter: nf_conntrack_ftp: change "partial ..." message to pr_debug() | Patrick McHardy | -4/+2
The message triggers when sending non-FTP data on port 21 or with certain clients that use multiple syscalls to send the command. Change to pr_debug() since users have been complaining. Signed-off-by: Patrick McHardy <>
2008-11-17 | netfilter: nf_conntrack: connection tracking helper name persistent aliases | Pablo Neira Ayuso | -0/+1
This patch adds the macro MODULE_ALIAS_NFCT_HELPER that defines a way to provide generic and persistent aliases for the connection tracking helpers. This next patch requires this patch. Signed-off-by: Pablo Neira Ayuso <> Signed-off-by: Patrick McHardy <>
2008-10-31 | net: replace NIPQUAD() in net/netfilter/ | Harvey Harrison | -4/+3
Using NIPQUAD() with NIPQUAD_FMT, %d.%d.%d.%d or %u.%u.%u.%u can be replaced with %pI4 Signed-off-by: Harvey Harrison <> Signed-off-by: David S. Miller <>
2008-10-29 | net: replace %p6 with %pI6 | Harvey Harrison | -1/+1
Signed-off-by: Harvey Harrison <> Signed-off-by: David S. Miller <>
2008-10-28 | netfilter: replace uses of NIP6_FMT with %p6 | Harvey Harrison | -5/+3
Signed-off-by: Harvey Harrison <> Signed-off-by: David S. Miller <>
2008-10-08 | netfilter: netns nf_conntrack: pass conntrack to nf_conntrack_event_cache() not skb | Alexey Dobriyan | -4/+5
This is cleaner, we already know conntrack to which event is relevant. Signed-off-by: Alexey Dobriyan <> Signed-off-by: Patrick McHardy <>
2008-04-14 | [NETFILTER]: nf_conntrack: add tuplehash l3num/protonum accessors | Patrick McHardy | -2/+2
Add accessors for l3num and protonum and get rid of some overly long expressions. Signed-off-by: Patrick McHardy <>
2008-04-14 | [NETFILTER]: annotate rest of nf_conntrack_* with const | Jan Engelhardt | -2/+3
Signed-off-by: Jan Engelhardt <> Signed-off-by: Patrick McHardy <>
2008-03-25 | [NETFILTER]: nf_conntrack: introduce expectation classes and policies | Patrick McHardy | -3/+7
Introduce expectation classes and policies. An expectation class is used to distinguish different types of expectations by the same helper (for example audio/video/t.120). The expectation policy is used to hold the maximum number of expectations and the initial timeout for each class. The individual classes are isolated from each other, which means that for example an audio expectation will only evict other audio expectations. Signed-off-by: Patrick McHardy <> Signed-off-by: David S. Miller <>
2008-01-28 | [NETFILTER]: Introduce nf_inet_address | Jan Engelhardt | -1/+1
A few netfilter modules provide their own union of IPv4 and IPv6 address storage. Will unify that in this patch series. (1/4): Rename union nf_conntrack_address to union nf_inet_addr and move it to x_tables.h. Signed-off-by: Jan Engelhardt <> Signed-off-by: Patrick McHardy <> Signed-off-by: David S. Miller <>
2007-10-15 | [NETFILTER]: Replace sk_buff ** with sk_buff * | Herbert Xu | -9/+9
With all the users of the double pointers removed, this patch mops up by finally replacing all occurrences of sk_buff ** in the netfilter API by sk_buff *. Signed-off-by: Herbert Xu <> Signed-off-by: David S. Miller <>
2007-07-10 | [NETFILTER]: Convert DEBUGP to pr_debug | Patrick McHardy | -49/+45
Convert DEBUGP to pr_debug and fix lots of non-compiling debug statements. Signed-off-by: Patrick McHardy <> Signed-off-by: David S. Miller <>
2007-07-10 | [NETFILTER]: nf_conntrack: mark helpers __read_mostly | Patrick McHardy | -2/+2
Most are __read_mostly already, this changes the remaining ones. Signed-off-by: Patrick McHardy <> Signed-off-by: David S. Miller <>
2007-07-10 | [NETFILTER]: nf_conntrack: reduce masks to a subset of tuples | Patrick McHardy | -3/+0
Since conntrack currently allows to use masks for every bit of both helper and expectation tuples, we can't hash them and have to keep them on two global lists that are searched for every new connection. This patch removes the never used ability to use masks for the destination part of the expectation tuple and completely removes masks from helpers since the only reasonable choice is a full match on l3num, protonum and src.u.all. Signed-off-by: Patrick McHardy <> Signed-off-by: David S. Miller <>
2007-07-10 | [NETFILTER]: nf_conntrack_ftp: use nf_ct_expect_init | Patrick McHardy | -30/+6
Signed-off-by: Patrick McHardy <> Signed-off-by: David S. Miller <>
2007-07-10 | [NETFILTER]: nf_conntrack_expect: function naming unification | Patrick McHardy | -3/+3
Currently there is a wild mix of nf_conntrack_expect_, nf_ct_exp_, expect_, exp_, ... Consistently use nf_ct_ as prefix for exported functions. Signed-off-by: Patrick McHardy <> Signed-off-by: David S. Miller <>
2007-05-24 | [NETFILTER]: nf_conntrack_ftp: fix newline sequence number calculation | Patrick McHardy | -3/+2
When the packet size is changed by the FTP NAT helper, the connection tracking helper adjusts the sequence number of the newline character by the size difference. This is wrong because NAT sequence number adjustment happens after helpers are called, so the unadjusted number is compared to the already adjusted one. Based on report by YU, Haitao <> Signed-off-by: Patrick McHardy <> Signed-off-by: David S. Miller <>
2007-05-24 | [NETFILTER]: nf_conntrack_ftp: fix newline sequence number update | Patrick McHardy | -3/+5
When trying to locate the oldest entry in the history of newline character sequence numbers, the sequence number of the current entry is incorrectly compared with the index of the oldest sequence number instead of the number itself. Additionally it is not made sure that the current sequence number really is after the oldest known one. Based on report by YU, Haitao <> Signed-off-by: Patrick McHardy <> Signed-off-by: David S. Miller <>