
Thread: Re: xt_connlimit 20070707 kernel




Re: xt_connlimit 20070707 kernel
2007-07-10 01:30:09
From: Jan Engelhardt <jengelhcomputergmbh.de>
Date: Mon, 9 Jul 2007 17:10:52 +0200 (CEST)

> +	} else {
> +		struct nf_conntrack_l3proto *l3proto;
> +		struct nf_conntrack_l4proto *l4proto;
> +
> +		l3proto = __nf_ct_l3proto_find(match->family);
> +		if (l3proto == NULL)
> +			goto hotdrop;
> +		l4proto = __nf_ct_l4proto_find(match->family,
match->proto);
> +		if (l4proto == NULL)
> +			goto hotdrop;
> +		if (nf_ct_get_tuple(skb, 0, 0, match->family,
match->proto,
> +		    &tuple, NULL, NULL) != 0)
> +			goto hotdrop;
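Review bot: the l3proto and l4proto looked up at the top of this block are only NULL-checked and then never used; the nf_ct_get_tuple() call passes NULL, NULL in the two trailing pointer positions where those protocol handlers belong, so either pass the found l3proto/l4proto through as the last two arguments or drop the two lookups entirely. The 0, 0 offset literals should also be the real network-header and transport-header offsets of the skb rather than constants.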

The second argument is the offset to the network protocol header,
skb_network_offset(skb) (it is 0 in most cases, but it is more logical).

The third argument is the offset to the transport protocol header. In the case
of IPv4, you can use ip_hdrlen(). For IPv6, you can use
nf_ct_ipv6_skip_exthdr(), but you also need to export the symbol of
nf_ct_ipv6_skip_exthdr().

IIRC nf_conntrack_proto_icmp[v6].c do the same things. If I have any time
late at night today, I'll write a generic function for them.

-- Yasuyuki Kozakai
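The two offsets Kozakai describes (nhoff from skb_network_offset(), dataoff from ip_hdrlen() for IPv4 or from skipping the extension-header chain for IPv6) are the whole job of the "generic function" he proposes. What follows is an added, self-contained userspace C example written for this archive page; it is not kernel code and not from either poster. It re-implements that offset walk over a plain byte buffer, bounds-checking the IPv6 extension-header loop at every hop, and builds a few constructed packets to exercise it. The names hdr_info, ipv4_dataoff, ipv6_dataoff, parse_transport and demo_* and the FAMILY_INET/FAMILY_INET6 constants are this example's own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Address families, redefined here (values as in <sys/socket.h>) so the
 * example compiles without kernel or libc networking headers. */
#define FAMILY_INET  2
#define FAMILY_INET6 10

/* IPv6 next-header values that are extension headers to step over. */
enum { IP6_HOPOPTS = 0, IP6_ROUTING = 43, IP6_FRAGMENT = 44, IP6_AH = 51, IP6_DSTOPTS = 60 };

/* dataoff is the transport-header offset, or -1 if the packet is truncated
 * or malformed (proto is then -1 too). */
struct hdr_info { int dataoff; int proto; };

static const struct hdr_info BAD = { -1, -1 };

static int is_ipv6_exthdr(uint8_t nh)
{
    return nh == IP6_HOPOPTS || nh == IP6_ROUTING || nh == IP6_FRAGMENT ||
           nh == IP6_AH || nh == IP6_DSTOPTS;
}

/* IPv4: dataoff = nhoff + IHL*4, the role ip_hdrlen() plays in the kernel. */
static struct hdr_info ipv4_dataoff(const uint8_t *pkt, size_t len, size_t nhoff)
{
    if (nhoff + 20 > len || (pkt[nhoff] >> 4) != 4)
        return BAD;
    size_t ihl = (size_t)(pkt[nhoff] & 0x0f) * 4;
    if (ihl < 20 || nhoff + ihl > len)
        return BAD;
    struct hdr_info r = { (int)(nhoff + ihl), pkt[nhoff + 9] };
    return r;
}

/* IPv6: walk the extension-header chain after the 40-byte fixed header,
 * the job nf_ct_ipv6_skip_exthdr() does in the kernel. Every hop is
 * bounds-checked so a lying length byte cannot make us read past len. */
static struct hdr_info ipv6_dataoff(const uint8_t *pkt, size_t len, size_t nhoff)
{
    if (nhoff + 40 > len || (pkt[nhoff] >> 4) != 6)
        return BAD;
    uint8_t nh = pkt[nhoff + 6];
    size_t off = nhoff + 40;
    while (is_ipv6_exthdr(nh)) {
        if (off + 8 > len)                           /* need the fixed 8 bytes */
            return BAD;
        size_t hdrlen;
        if (nh == IP6_FRAGMENT)
            hdrlen = 8;                              /* fixed size */
        else if (nh == IP6_AH)
            hdrlen = ((size_t)pkt[off + 1] + 2) * 4; /* AH length in 4-octet units */
        else
            hdrlen = ((size_t)pkt[off + 1] + 1) * 8; /* others in 8-octet units */
        nh = pkt[off];
        off += hdrlen;
    }
    if (off > len)
        return BAD;
    struct hdr_info r = { (int)off, nh };
    return r;
}

/* Family dispatcher: the shape of the generic function the thread asks for. */
struct hdr_info parse_transport(int family, const uint8_t *pkt, size_t len, size_t nhoff)
{
    switch (family) {
    case FAMILY_INET:  return ipv4_dataoff(pkt, len, nhoff);
    case FAMILY_INET6: return ipv6_dataoff(pkt, len, nhoff);
    default:           return BAD;
    }
}

/* Constructed sample: IPv4 header with IHL=6 (one option word), protocol TCP. */
struct hdr_info demo_ipv4(void)
{
    uint8_t pkt[44] = { 0x46, 0x00, 0x00, 44, 0, 0, 0x40, 0x00, 64, 6 /* TCP */ };
    return parse_transport(FAMILY_INET, pkt, sizeof pkt, 0);
}

/* Constructed sample: IPv6 + hop-by-hop (8 B) + destination options (16 B) + UDP. */
struct hdr_info demo_ipv6(void)
{
    uint8_t pkt[72] = { 0 };
    pkt[0] = 0x60;                        /* version 6 */
    pkt[6] = IP6_HOPOPTS;                 /* first header in the chain */
    pkt[40] = IP6_DSTOPTS; pkt[41] = 0;   /* hop-by-hop: next=dstopts, len 0 -> 8 bytes */
    pkt[48] = 17;          pkt[49] = 1;   /* dstopts: next=UDP, len 1 -> 16 bytes */
    return parse_transport(FAMILY_INET6, pkt, sizeof pkt, 0);
}

/* Constructed sample: same chain, but the buffer ends inside the second header. */
struct hdr_info demo_ipv6_truncated(void)
{
    uint8_t pkt[52] = { 0 };
    pkt[0] = 0x60; pkt[6] = IP6_HOPOPTS;
    pkt[40] = IP6_DSTOPTS; pkt[41] = 0;
    pkt[48] = 17;          pkt[49] = 1;   /* claims 16 bytes, only 4 are present */
    return parse_transport(FAMILY_INET6, pkt, sizeof pkt, 0);
}

int main(void)
{
    struct hdr_info a = demo_ipv4(), b = demo_ipv6(), c = demo_ipv6_truncated();
    printf("ipv4: dataoff=%d proto=%d\n", a.dataoff, a.proto);
    printf("ipv6: dataoff=%d proto=%d\n", b.dataoff, b.proto);
    printf("ipv6 truncated: dataoff=%d\n", c.dataoff);
    return 0;
}
```

The check at the top of each loop iteration is the part that matters for a match that runs on packets conntrack has not seen: a hop whose length byte points past the end of the buffer yields -1 instead of a read beyond it, and that is the condition a caller like connlimit turns into a hotdrop.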


Re: xt_connlimit 20070707 kernel
2007-07-11 12:37:11
On Jul 10 2007 15:30, Yasuyuki KOZAKAI wrote:
>> +		if (nf_ct_get_tuple(skb, 0, 0, match->family,
match->proto,
>> +		    &tuple, NULL, NULL) != 0)
>> +			goto hotdrop;
>
>The second argument is the offset to the network protocol header,
>skb_network_offset(skb) (it is 0 in most cases, but it is more logical).
>
>IIRC nf_conntrack_proto_icmp[v6].c do the same things. If I have any time
>late at night today, I'll write a generic function for them.

I have applied your three patches to receive the nf_ct_get_tuplepr()
function, and connlimit now reads:


---
 net/netfilter/xt_connlimit.c |   20 +++++++-------------
 1 file changed, 7 insertions(+), 13 deletions(-)

Index: net-2.6/net/netfilter/xt_connlimit.c
============================================================
=======
--- net-2.6.orig/net/netfilter/xt_connlimit.c
+++ net-2.6/net/netfilter/xt_connlimit.c
 -185,9
+185,9  static bool connlimit_match(const struct
 			    unsigned int protoff, bool *hotdrop)
 {
 	const struct xt_connlimit_info *info = matchinfo;
-	const struct nf_conntrack_tuple *tuple_ptr;
 	union nf_conntrack_address addr, mask;
 	struct nf_conntrack_tuple tuple;
+	const struct nf_conntrack_tuple *tuple_ptr = &tuple;
 	enum ip_conntrack_info ctinfo;
 	const struct nf_conn *ct;
 	int connections;
 -196,19
+196,13  static bool connlimit_match(const struct
 	if (ct != NULL) {
 		tuple_ptr = &ct->tuplehash[0].tuple;
 	} else {
-		struct nf_conntrack_l3proto *l3proto;
-		struct nf_conntrack_l4proto *l4proto;
-
-		l3proto = __nf_ct_l3proto_find(match->family);
-		if (l3proto == NULL)
-			goto hotdrop;
-		l4proto = __nf_ct_l4proto_find(match->family,
match->proto);
-		if (l4proto == NULL)
+		int ret;
+		printk(KERN_WARNING "ct==NULLn");
+		if ((ret = nf_ct_get_tuplepr(skb,
skb_network_offset(skb),
+		    match->family, &tuple)) != 0) {
+			printk(KERN_WARNING "drop with %dn", ret);
 			goto hotdrop;
-		if (nf_ct_get_tuple(skb, 0, 0, match->family,
match->proto,
-		    &tuple, NULL, NULL) != 0)
-			goto hotdrop;
-		tuple_ptr = &tuple;
+		}
 	}
 
 	if (match->family == AF_INET6) {
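Review bot: the error check in the else branch, `if ((ret = nf_ct_get_tuplepr(skb, skb_network_offset(skb), match->family, &tuple)) != 0)`, treats any nonzero return as failure, but the conntrack pkt_to_tuple path that nf_ct_get_tuple() delegates to reports success as nonzero (true) and failure as 0, so this branch hotdrops exactly the packets whose tuple was parsed, which is consistent with the "returns with 1" observation below; write it as `if (!nf_ct_get_tuplepr(skb, skb_network_offset(skb), match->family, &tuple)) goto hotdrop;` and drop the `ret` variable. The two `printk(KERN_WARNING ...)` lines are debug output in the per-packet match path and will hit the log for every packet without a conntrack entry; remove them (or at least rate-limit them) before this goes upstream. The kernel style guide also prefers the assignment on its own line rather than inside the `if` condition.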


But nf_ct_get_tuplepr() returns 1, and I am not sure why.



	Jan
-- 


