[NETFILTER]: ctnetlink: rework conntrack fields dumping logic on events
            | NEW | UPDATE | DESTROY |
----------------------------------------
tuples      |  Y  |   Y    |    Y    |
status      |  Y  |   Y    |    N    |
timeout     |  Y  |   Y    |    N    |
protoinfo   |  S  |   S    |    N    |
helper      |  S  |   S    |    N    |
mark        |  S  |   S    |    N    |
counters    |  F  |   F    |    Y    |

Legend:
  Y: yes
  N: no
  S: iff the field is set
  F: iff overflow

This patch also replaces IPCT_HELPINFO by IPCT_HELPER since we want to track the helper assignment process, not the changes in the private information held by the helper.

Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
This commit is contained in:
parent
bbb3357d14
commit
7b621c1ea6
2 changed files with 54 additions and 44 deletions
|
@ -320,8 +320,6 @@ static int ctnetlink_conntrack_event(struct notifier_block *this,
|
|||
} else if (events & (IPCT_NEW | IPCT_RELATED)) {
|
||||
type = IPCTNL_MSG_CT_NEW;
|
||||
flags = NLM_F_CREATE|NLM_F_EXCL;
|
||||
/* dump everything */
|
||||
events = ~0UL;
|
||||
group = NFNLGRP_CONNTRACK_NEW;
|
||||
} else if (events & (IPCT_STATUS | IPCT_PROTOINFO)) {
|
||||
type = IPCTNL_MSG_CT_NEW;
|
||||
|
@ -356,28 +354,35 @@ static int ctnetlink_conntrack_event(struct notifier_block *this,
|
|||
if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_REPLY)) < 0)
|
||||
goto nfattr_failure;
|
||||
NFA_NEST_END(skb, nest_parms);
|
||||
|
||||
/* NAT stuff is now a status flag */
|
||||
if ((events & IPCT_STATUS || events & IPCT_NATINFO)
|
||||
&& ctnetlink_dump_status(skb, ct) < 0)
|
||||
goto nfattr_failure;
|
||||
if (events & IPCT_REFRESH
|
||||
&& ctnetlink_dump_timeout(skb, ct) < 0)
|
||||
goto nfattr_failure;
|
||||
if (events & IPCT_PROTOINFO
|
||||
&& ctnetlink_dump_protoinfo(skb, ct) < 0)
|
||||
goto nfattr_failure;
|
||||
if (events & IPCT_HELPINFO
|
||||
&& ctnetlink_dump_helpinfo(skb, ct) < 0)
|
||||
goto nfattr_failure;
|
||||
|
||||
if (ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 ||
|
||||
ctnetlink_dump_counters(skb, ct, IP_CT_DIR_REPLY) < 0)
|
||||
goto nfattr_failure;
|
||||
if (events & IPCT_DESTROY) {
|
||||
if (ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 ||
|
||||
ctnetlink_dump_counters(skb, ct, IP_CT_DIR_REPLY) < 0)
|
||||
goto nfattr_failure;
|
||||
} else {
|
||||
if (ctnetlink_dump_status(skb, ct) < 0)
|
||||
goto nfattr_failure;
|
||||
|
||||
if (events & IPCT_MARK
|
||||
&& ctnetlink_dump_mark(skb, ct) < 0)
|
||||
goto nfattr_failure;
|
||||
if (ctnetlink_dump_timeout(skb, ct) < 0)
|
||||
goto nfattr_failure;
|
||||
|
||||
if (events & IPCT_PROTOINFO
|
||||
&& ctnetlink_dump_protoinfo(skb, ct) < 0)
|
||||
goto nfattr_failure;
|
||||
|
||||
if ((events & IPCT_HELPER || ct->helper)
|
||||
&& ctnetlink_dump_helpinfo(skb, ct) < 0)
|
||||
goto nfattr_failure;
|
||||
|
||||
if ((events & IPCT_MARK || ct->mark)
|
||||
&& ctnetlink_dump_mark(skb, ct) < 0)
|
||||
goto nfattr_failure;
|
||||
|
||||
if (events & IPCT_COUNTER_FILLING &&
|
||||
(ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 ||
|
||||
ctnetlink_dump_counters(skb, ct, IP_CT_DIR_REPLY) < 0))
|
||||
goto nfattr_failure;
|
||||
}
|
||||
|
||||
nlh->nlmsg_len = skb->tail - b;
|
||||
nfnetlink_send(skb, 0, group, 0);
|
||||
|
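Review bot: Once `events = ~0UL;` is gone from the NEW branch and IPCT_HELPER becomes a tracked event, the type/group selection in the first hunk still recognises only IPCT_STATUS and IPCT_PROTOINFO for updates, so an event carrying just IPCT_HELPER, IPCT_MARK or IPCT_COUNTER_FILLING presumably never reaches the new per-field dumping below unless the tail of the `else if` chain (outside this hunk) handles it. If that tail simply returns, the condition should read `} else if (events & (IPCT_STATUS | IPCT_PROTOINFO | IPCT_HELPER | IPCT_MARK | IPCT_COUNTER_FILLING)) {` so that a helper assignment or mark change actually produces an UPDATE message. The same applies to the first hunk of the second file. ctnetlink_conntrack_event begins and ends outside this hunk.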
|
|
@ -331,8 +331,6 @@ static int ctnetlink_conntrack_event(struct notifier_block *this,
|
|||
} else if (events & (IPCT_NEW | IPCT_RELATED)) {
|
||||
type = IPCTNL_MSG_CT_NEW;
|
||||
flags = NLM_F_CREATE|NLM_F_EXCL;
|
||||
/* dump everything */
|
||||
events = ~0UL;
|
||||
group = NFNLGRP_CONNTRACK_NEW;
|
||||
} else if (events & (IPCT_STATUS | IPCT_PROTOINFO)) {
|
||||
type = IPCTNL_MSG_CT_NEW;
|
||||
|
@ -367,28 +365,35 @@ static int ctnetlink_conntrack_event(struct notifier_block *this,
|
|||
if (ctnetlink_dump_tuples(skb, tuple(ct, IP_CT_DIR_REPLY)) < 0)
|
||||
goto nfattr_failure;
|
||||
NFA_NEST_END(skb, nest_parms);
|
||||
|
||||
/* NAT stuff is now a status flag */
|
||||
if ((events & IPCT_STATUS || events & IPCT_NATINFO)
|
||||
&& ctnetlink_dump_status(skb, ct) < 0)
|
||||
goto nfattr_failure;
|
||||
if (events & IPCT_REFRESH
|
||||
&& ctnetlink_dump_timeout(skb, ct) < 0)
|
||||
goto nfattr_failure;
|
||||
if (events & IPCT_PROTOINFO
|
||||
&& ctnetlink_dump_protoinfo(skb, ct) < 0)
|
||||
goto nfattr_failure;
|
||||
if (events & IPCT_HELPINFO
|
||||
&& ctnetlink_dump_helpinfo(skb, ct) < 0)
|
||||
goto nfattr_failure;
|
||||
|
||||
if (ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 ||
|
||||
ctnetlink_dump_counters(skb, ct, IP_CT_DIR_REPLY) < 0)
|
||||
goto nfattr_failure;
|
||||
if (events & IPCT_DESTROY) {
|
||||
if (ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 ||
|
||||
ctnetlink_dump_counters(skb, ct, IP_CT_DIR_REPLY) < 0)
|
||||
goto nfattr_failure;
|
||||
} else {
|
||||
if (ctnetlink_dump_status(skb, ct) < 0)
|
||||
goto nfattr_failure;
|
||||
|
||||
if (events & IPCT_MARK
|
||||
&& ctnetlink_dump_mark(skb, ct) < 0)
|
||||
goto nfattr_failure;
|
||||
if (ctnetlink_dump_timeout(skb, ct) < 0)
|
||||
goto nfattr_failure;
|
||||
|
||||
if (events & IPCT_PROTOINFO
|
||||
&& ctnetlink_dump_protoinfo(skb, ct) < 0)
|
||||
goto nfattr_failure;
|
||||
|
||||
if ((events & IPCT_HELPER || nfct_help(ct))
|
||||
&& ctnetlink_dump_helpinfo(skb, ct) < 0)
|
||||
goto nfattr_failure;
|
||||
|
||||
if ((events & IPCT_MARK || ct->mark)
|
||||
&& ctnetlink_dump_mark(skb, ct) < 0)
|
||||
goto nfattr_failure;
|
||||
|
||||
if (events & IPCT_COUNTER_FILLING &&
|
||||
(ctnetlink_dump_counters(skb, ct, IP_CT_DIR_ORIGINAL) < 0 ||
|
||||
ctnetlink_dump_counters(skb, ct, IP_CT_DIR_REPLY) < 0))
|
||||
goto nfattr_failure;
|
||||
}
|
||||
|
||||
nlh->nlmsg_len = skb->tail - b;
|
||||
nfnetlink_send(skb, 0, group, 0);
|
||||
|
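Review bot: The protoinfo dump on the new side is gated only on `events & IPCT_PROTOINFO`, while the commit message's table marks protoinfo `S` (iff the field is set) exactly like helper and mark, which the code additionally keys on the field itself (`nfct_help(ct)`, `ct->mark`); a NEW event without IPCT_PROTOINFO cached would therefore carry no protocol state, which a userspace listener relying on these events could misread. If that is intended, a comment above the check such as `/* protoinfo is event-driven; helper and mark are dumped whenever set */` would keep the table and the code from drifting, and the per-message-type field table now lives only in the commit message, so a short comment block above `if (events & IPCT_DESTROY)` restating which fields each of NEW/UPDATE/DESTROY carries would help the next reader. The IPv4 copy in the first file has the same shape with `ct->helper` in place of `nfct_help(ct)`. ctnetlink_conntrack_event begins and ends outside this hunk.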
|