mirror of
https://github.com/adulau/aha.git
synced 2024-12-28 03:36:19 +00:00
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6
This commit is contained in:
commit
4d3383d0ad
5 changed files with 33 additions and 1 deletions
|
@ -35,6 +35,9 @@ enum tcp_conntrack {
|
|||
/* Has unacknowledged data */
|
||||
#define IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED 0x10
|
||||
|
||||
/* The field td_maxack has been set */
|
||||
#define IP_CT_TCP_FLAG_MAXACK_SET 0x20
|
||||
|
||||
struct nf_ct_tcp_flags {
|
||||
__u8 flags;
|
||||
__u8 mask;
|
||||
|
@ -46,6 +49,7 @@ struct ip_ct_tcp_state {
|
|||
u_int32_t td_end; /* max of seq + len */
|
||||
u_int32_t td_maxend; /* max of ack + max(win, 1) */
|
||||
u_int32_t td_maxwin; /* max(win) */
|
||||
u_int32_t td_maxack; /* max of ack */
|
||||
u_int8_t td_scale; /* window scale factor */
|
||||
u_int8_t flags; /* per direction options */
|
||||
};
|
||||
|
|
|
@ -22,6 +22,7 @@
|
|||
#include <linux/netfilter/nfnetlink_conntrack.h>
|
||||
#include <net/netfilter/nf_conntrack.h>
|
||||
#include <net/netfilter/nf_conntrack_l4proto.h>
|
||||
#include <net/netfilter/nf_conntrack_ecache.h>
|
||||
#include <net/netfilter/nf_log.h>
|
||||
|
||||
static DEFINE_RWLOCK(dccp_lock);
|
||||
|
@ -553,6 +554,9 @@ static int dccp_packet(struct nf_conn *ct, const struct sk_buff *skb,
|
|||
ct->proto.dccp.state = new_state;
|
||||
write_unlock_bh(&dccp_lock);
|
||||
|
||||
if (new_state != old_state)
|
||||
nf_conntrack_event_cache(IPCT_PROTOINFO, ct);
|
||||
|
||||
dn = dccp_pernet(net);
|
||||
nf_ct_refresh_acct(ct, ctinfo, skb, dn->dccp_timeout[new_state]);
|
||||
|
||||
|
|
|
@ -634,6 +634,14 @@ static bool tcp_in_window(const struct nf_conn *ct,
|
|||
sender->td_end = end;
|
||||
sender->flags |= IP_CT_TCP_FLAG_DATA_UNACKNOWLEDGED;
|
||||
}
|
||||
if (tcph->ack) {
|
||||
if (!(sender->flags & IP_CT_TCP_FLAG_MAXACK_SET)) {
|
||||
sender->td_maxack = ack;
|
||||
sender->flags |= IP_CT_TCP_FLAG_MAXACK_SET;
|
||||
} else if (after(ack, sender->td_maxack))
|
||||
sender->td_maxack = ack;
|
||||
}
|
||||
|
||||
/*
|
||||
* Update receiver data.
|
||||
*/
|
||||
|
@ -918,6 +926,16 @@ static int tcp_packet(struct nf_conn *ct,
|
|||
"nf_ct_tcp: invalid state ");
|
||||
return -NF_ACCEPT;
|
||||
case TCP_CONNTRACK_CLOSE:
|
||||
if (index == TCP_RST_SET
|
||||
&& (ct->proto.tcp.seen[!dir].flags & IP_CT_TCP_FLAG_MAXACK_SET)
|
||||
&& before(ntohl(th->seq), ct->proto.tcp.seen[!dir].td_maxack)) {
|
||||
/* Invalid RST */
|
||||
write_unlock_bh(&tcp_lock);
|
||||
if (LOG_INVALID(net, IPPROTO_TCP))
|
||||
nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
|
||||
"nf_ct_tcp: invalid RST ");
|
||||
return -NF_ACCEPT;
|
||||
}
|
||||
if (index == TCP_RST_SET
|
||||
&& ((test_bit(IPS_SEEN_REPLY_BIT, &ct->status)
|
||||
&& ct->proto.tcp.last_index == TCP_SYN_SET)
|
||||
|
|
|
@ -581,6 +581,12 @@ nfulnl_log_packet(u_int8_t pf,
|
|||
+ nla_total_size(sizeof(struct nfulnl_msg_packet_hw))
|
||||
+ nla_total_size(sizeof(struct nfulnl_msg_packet_timestamp));
|
||||
|
||||
if (in && skb_mac_header_was_set(skb)) {
|
||||
size += nla_total_size(skb->dev->hard_header_len)
|
||||
+ nla_total_size(sizeof(u_int16_t)) /* hwtype */
|
||||
+ nla_total_size(sizeof(u_int16_t)); /* hwlen */
|
||||
}
|
||||
|
||||
spin_lock_bh(&inst->lock);
|
||||
|
||||
if (inst->flags & NFULNL_CFG_F_SEQ)
|
||||
|
|
|
@ -926,7 +926,7 @@ static int dl_seq_show(struct seq_file *s, void *v)
|
|||
if (!hlist_empty(&htable->hash[*bucket])) {
|
||||
hlist_for_each_entry(ent, pos, &htable->hash[*bucket], node)
|
||||
if (dl_seq_real_show(ent, htable->family, s))
|
||||
return 1;
|
||||
return -1;
|
||||
}
|
||||
return 0;
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue