This requires a bit more code for connection tracking to work with tunnels: when a
packet is untunnelled, the untunnelling code must drop the reference and clear the
pointer, i.e. `nf_conntrack_put(skb->nfct); skb->nfct = NULL;`. If whoever maintains
the tunnelling code wants to add that...
Index: include/linux/netfilter.h
===================================================================
RCS file: /cvs/linux/linux/include/linux/netfilter.h,v
retrieving revision 1.7
diff -u -r1.7 netfilter.h
--- include/linux/netfilter.h 2000/03/01 20:34:48 1.7
+++ include/linux/netfilter.h 2000/03/03 08:10:16
@@ -179,7 +179,6 @@
NF_REASON_SET_BY_IPCHAINS,
NF_REASON_FOR_ROUTING,
NF_REASON_FOR_CLS_FW,
- NF_REASON_MIN_RESERVED_FOR_CONNTRACK = 1024,
};
#endif /*__LINUX_NETFILTER_H*/
Index: include/linux/skbuff.h
===================================================================
RCS file: /cvs/linux/linux/include/linux/skbuff.h,v
retrieving revision 1.66
diff -u -r1.66 skbuff.h
--- include/linux/skbuff.h 2000/02/18 16:47:01 1.66
+++ include/linux/skbuff.h 2000/03/03 08:10:18
@@ -37,6 +37,17 @@
#define NET_CALLER(arg) __builtin_return_address(0)
#endif
+#ifdef CONFIG_NETFILTER
+struct nf_conntrack {
+ atomic_t use;
+ void (*destroy)(struct nf_conntrack *);
+};
+
+struct nf_ct_info {
+ struct nf_conntrack *master;
+};
+#endif
+
struct sk_buff_head {
/* These two members must be first. */
struct sk_buff * next;
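Review bot: The two new structs carry no comments, and their contract is only recoverable from the inline helpers this patch adds later in the same header: `use` is the count taken by nf_conntrack_get and dropped by nf_conntrack_put, `destroy` is invoked when that count reaches zero, and `nf_ct_info.master` is the object the count lives on. I would annotate the fields in place: `atomic_t use; /* refcount; destroy() runs when it drops to 0 */`, `void (*destroy)(struct nf_conntrack *); /* called by nf_conntrack_put on the last ref */` and `struct nf_conntrack *master; /* refcounted owner of this info block */`. The declarations sit before `struct sk_buff_head`, which is unchanged context.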
@@ -115,6 +126,8 @@
__u32 nfreason;
/* Cache info */
__u32 nfcache;
+ /* Associated connection, if any */
+ struct nf_ct_info *nfct;
#ifdef CONFIG_NETFILTER_DEBUG
unsigned int nf_debug;
#endif
@@ -634,6 +647,21 @@
extern void skb_init(void);
extern void skb_add_mtu(int mtu);
+
+#ifdef CONFIG_NETFILTER
+extern __inline__ void
+nf_conntrack_put(struct nf_ct_info *nfct)
+{
+ if (nfct && atomic_dec_and_test(&nfct->master->use))
+ nfct->master->destroy(nfct->master);
+}
+extern __inline__ void
+nf_conntrack_get(struct nf_ct_info *nfct)
+{
+ if (nfct)
+ atomic_inc(&nfct->master->use);
+}
+#endif
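Review bot: nf_conntrack_put drops the reference but leaves the caller's pointer untouched, so an skb that outlives the put keeps a dangling `nfct` — exactly the untunnelling case the cover text describes, where `skb->nfct = NULL` has to follow by hand. A comment on the helper should make that explicit, e.g. `/* Drop the reference held via nfct; the caller's pointer is NOT cleared. An skb that survives the put must set skb->nfct = NULL. */`, and since `master` may be freed inside destroy(), nothing may touch nfct after the call returns. Separately, `extern __inline__` under GNU89 semantics emits no out-of-line copy, so the definition only links if gcc actually inlines it; `static __inline__` is the safer spelling for a header-only helper.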
#endif /* __KERNEL__ */
#endif /* _LINUX_SKBUFF_H */
Index: net/core/skbuff.c
===================================================================
RCS file: /cvs/linux/linux/net/core/skbuff.c,v
retrieving revision 1.68
diff -u -r1.68 skbuff.c
--- net/core/skbuff.c 2000/02/18 16:47:18 1.68
+++ net/core/skbuff.c 2000/03/03 08:10:26
@@ -204,6 +204,7 @@
skb->rx_dev = NULL;
#ifdef CONFIG_NETFILTER
skb->nfmark = skb->nfreason = skb->nfcache = 0;
+ skb->nfct = NULL;
#ifdef CONFIG_NETFILTER_DEBUG
skb->nf_debug = 0;
#endif
@@ -246,6 +247,9 @@
}
skb->destructor(skb);
}
+#ifdef CONFIG_NETFILTER
+ nf_conntrack_put(skb->nfct);
+#endif
#ifdef CONFIG_NET
if(skb->rx_dev)
dev_put(skb->rx_dev);
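Review bot: After the put at the top of the hunk, `skb->nfct` still points at an object whose last reference may just have been dropped, while the skb head itself goes on to be reused or returned to its allocator outside this hunk. Clearing it next to the put — `nf_conntrack_put(skb->nfct); skb->nfct = NULL;` — is a single store and removes the dependence on whatever re-initialises the header before reuse (this patch does set nfct to NULL in the skbuff.c init hunk, but that path is not visible from here as running on every free). The enclosing function begins and ends outside the hunk.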
@@ -282,6 +286,9 @@
n->is_clone = 1;
atomic_set(&n->users, 1);
n->destructor = NULL;
+#ifdef CONFIG_NETFILTER
+ nf_conntrack_get(skb->nfct);
+#endif
return n;
}
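Review bot: The new line takes the extra reference through `skb->nfct`, whereas every other site in this patch takes it through the destination skb's own field (`nf_conntrack_get(new->nfct)`, `nf_conntrack_get(skb2->nfct)`); writing `nf_conntrack_get(n->nfct);` here would make it explicit that `n` is the holder and that the count is balancing the nfct value `n` inherited from the copy of `skb` made earlier in skb_clone, which is outside the hunk. A one-line comment such as `/* n inherited skb->nfct via the header copy above; take our own reference */` would record that. skb_clone's body starts outside the hunk.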
@@ -314,6 +321,8 @@
new->nfmark=old->nfmark;
new->nfreason=old->nfreason;
new->nfcache=old->nfcache;
+ new->nfct=old->nfct;
+ nf_conntrack_get(new->nfct);
#ifdef CONFIG_NETFILTER_DEBUG
new->nf_debug=old->nf_debug;
#endif
Index: net/ipv4/ip_output.c
===================================================================
RCS file: /cvs/linux/linux/net/ipv4/ip_output.c,v
retrieving revision 1.80
diff -u -r1.80 ip_output.c
--- net/ipv4/ip_output.c 2000/02/09 11:16:41 1.80
+++ net/ipv4/ip_output.c 2000/03/03 08:10:30
@@ -890,6 +890,12 @@
ptr += len;
offset += len;
+#ifdef CONFIG_NETFILTER
+ /* Connection association is same as pre-frag packet */
+ skb2->nfct = skb->nfct;
+ nf_conntrack_get(skb2->nfct);
+#endif
+
/*
* Put this fragment into the sending queue.
*/
--
Hacking time.