[netfilter-cvslog] r3711 - in
trunk/patch-o-matic-ng/nf_conntrack/linux-2.6:
include/linux/netfilter net/ipv4/netfilter net/ipv6/netfilter
net/netfilter
laforge at netfilter.org
laforge at netfilter.org
Tue Feb 15 04:41:02 CET 2005
Author: laforge at netfilter.org
Date: 2005-02-15 04:41:02 +0100 (Tue, 15 Feb 2005)
New Revision: 3711
Modified:
trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/include/linux/netfilter/nf_conntrack.h
trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/include/linux/netfilter/nf_conntrack_tuple.h
trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/net/netfilter/nf_conntrack_core.c
trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/net/netfilter/nf_conntrack_ftp.c
trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/net/netfilter/nf_conntrack_standalone.c
Log:
[NETFILTER]: Remove ip_conntrack_tuple_hash 'ctrack' pointer
We keep a pointer from the hash table entry into the connection
tracking entry it's a part of. However, there's a spare byte in the
hash entry anyway, which we can use to indicate which of the two
tuples it is, and then simply use container_of() to access the
conntrack.
This saves two pointers per connection tracking entry.
Signed-off-by: Rusty Russell <rusty at rustcorp.com.au>
Signed-off-by: David S. Miller <davem at davemloft.net>
Modified: trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/include/linux/netfilter/nf_conntrack.h
===================================================================
--- trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/include/linux/netfilter/nf_conntrack.h 2005-02-15 03:25:14 UTC (rev 3710)
+++ trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/include/linux/netfilter/nf_conntrack.h 2005-02-15 03:41:02 UTC (rev 3711)
@@ -188,6 +188,13 @@
void *data[0];
};
+static inline struct nf_conn *
+tuplehash_to_ctrack(const struct nf_conntrack_tuple_hash *hash)
+{
+ return container_of(hash, struct ip_conntrack,
+ tuplehash[hash->tuple.dst.dir]);
+}
+
/* get master conntrack via master expectation */
#define master_ct(conntr) (conntr->master)
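Review bot: The container type passed to `container_of()` in `tuplehash_to_ctrack()` is `struct ip_conntrack`, while the function returns `struct nf_conn *` and every caller in this commit treats the result as an `nf_conn`; this looks like a leftover from the ip_conntrack version of the patch. If `struct ip_conntrack` is not declared in this tree the header will not build, and if it is, the computed offset belongs to the wrong structure. I would write `return container_of(hash, struct nf_conn, tuplehash[hash->tuple.dst.dir]);`. The helper also takes a `const` hash entry and hands back a writable conntrack, which is worth a one-line comment.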
Modified: trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/include/linux/netfilter/nf_conntrack_tuple.h
===================================================================
--- trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/include/linux/netfilter/nf_conntrack_tuple.h 2005-02-15 03:25:14 UTC (rev 3710)
+++ trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/include/linux/netfilter/nf_conntrack_tuple.h 2005-02-15 03:41:02 UTC (rev 3711)
@@ -89,7 +89,10 @@
} u;
/* The protocol. */
- u_int16_t protonum;
+ u_int8_t protonum;
+
+ /* The direction (for tuplehash) */
+ u_int8_t dir;
} dst;
};
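Review bot: The comment on the new `dir` field does not say that the value is used as an array index. `tuplehash_to_ctrack()` in this commit computes the conntrack address from `tuplehash[hash->tuple.dst.dir]`, so any value other than `NF_CT_DIR_ORIGINAL` or `NF_CT_DIR_REPLY`, or a tuple whose `dir` was never set, yields a pointer outside the entry. I would expand the comment to `/* The direction (for tuplehash): NF_CT_DIR_ORIGINAL or NF_CT_DIR_REPLY only; indexes nf_conn.tuplehash[] */`. The struct starts above the hunk, so whether hand-built tuples and masks zero this byte cannot be checked from here.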
@@ -124,7 +127,7 @@
/* If we're the first tuple, it's the original dir. */
#define NF_CT_DIRECTION(h) \
- ((enum nf_conntrack_dir)(&(h)->ctrack->tuplehash[1] == (h)))
+ ((enum nf_conntrack_dir)(h)->tuple.dst.dir)
/* Connections have two entries in the hash table: one for each way */
struct nf_conntrack_tuple_hash
@@ -132,9 +135,6 @@
struct list_head list;
struct nf_conntrack_tuple tuple;
-
- /* this == &ctrack->tuplehash[DIRECTION(this)]. */
- struct nf_conn *ctrack;
};
#endif /* __KERNEL__ */
Modified: trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
===================================================================
--- trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c 2005-02-15 03:25:14 UTC (rev 3710)
+++ trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c 2005-02-15 03:41:02 UTC (rev 3711)
@@ -376,16 +376,17 @@
h = nf_conntrack_find_get(&tuple, NULL);
if (h) {
struct sockaddr_in sin;
+ struct nf_conn *ct = tuplehash_to_ctrack(h);
sin.sin_family = AF_INET;
- sin.sin_port = h->ctrack->tuplehash[NF_CT_DIR_ORIGINAL]
+ sin.sin_port = ct->tuplehash[NF_CT_DIR_ORIGINAL]
.tuple.dst.u.tcp.port;
- sin.sin_addr.s_addr = h->ctrack->tuplehash[NF_CT_DIR_ORIGINAL]
+ sin.sin_addr.s_addr = ct->tuplehash[NF_CT_DIR_ORIGINAL]
.tuple.dst.u3.ip;
DEBUGP("SO_ORIGINAL_DST: %u.%u.%u.%u %u\n",
NIPQUAD(sin.sin_addr.s_addr), ntohs(sin.sin_port));
- nf_ct_put(h->ctrack);
+ nf_ct_put(ct);
if (copy_to_user(user, &sin, sizeof(sin)) != 0)
return -EFAULT;
else
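Review bot: `sin` is declared without an initialiser and only `sin_family`, `sin_port` and `sin_addr.s_addr` are assigned before `copy_to_user(user, &sin, sizeof(sin))`, so the remaining bytes of the structure (the `sin_zero` padding) reach userspace holding whatever was on the kernel stack. Adding `memset(&sin, 0, sizeof(sin));` right after the declaration closes that. The IPv6 hunk in nf_conntrack_l3proto_ipv6.c has the same pattern with `struct sockaddr_in6`, where `sin6_flowinfo` and `sin6_scope_id` are left unset. The enclosing function starts and ends outside this hunk.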
Modified: trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/net/ipv4/netfilter/nf_conntrack_proto_icmp.c
===================================================================
--- trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/net/ipv4/netfilter/nf_conntrack_proto_icmp.c 2005-02-15 03:25:14 UTC (rev 3710)
+++ trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/net/ipv4/netfilter/nf_conntrack_proto_icmp.c 2005-02-15 03:41:02 UTC (rev 3711)
@@ -210,7 +210,7 @@
}
/* Update skb to refer to this connection */
- skb->nfct = &h->ctrack->ct_general;
+ skb->nfct = &tuplehash_to_ctrack(h)->ct_general;
skb->nfctinfo = *ctinfo;
return -NF_ACCEPT;
}
Modified: trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
===================================================================
--- trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c 2005-02-15 03:25:14 UTC (rev 3710)
+++ trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c 2005-02-15 03:41:02 UTC (rev 3711)
@@ -426,16 +426,17 @@
h = nf_conntrack_find_get(&tuple, NULL);
if (h) {
struct sockaddr_in6 sin;
+ struct nf_conn *ct = tuplehash_to_ct(h);
sin.sin6_family = AF_INET6;
- sin.sin6_port = h->ctrack->tuplehash[NF_CT_DIR_ORIGINAL]
+ sin.sin6_port = ct->tuplehash[NF_CT_DIR_ORIGINAL]
.tuple.dst.u.tcp.port;
ipv6_addr_copy(&sin.sin6_addr,
- (struct in6_addr *)h->ctrack->tuplehash[NF_CT_DIR_ORIGINAL].tuple.dst.u3.ip6);
+ (struct in6_addr *)ct->tuplehash[NF_CT_DIR_ORIGINAL].tuple.dst.u3.ip6);
DEBUGP("IPV6 ORIGINAL_DST: %x:%x:%x:%x:%x:%x:%x:%x %u\n",
NIP6(sin.sin6_addr), ntohs(sin.sin6_port));
- nf_ct_put(h->ctrack);
+ nf_ct_put(ct);
if (copy_to_user(user, &sin, sizeof(sin)) != 0)
return -EFAULT;
else
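Review bot: The added declaration calls `tuplehash_to_ct(h)`, but the helper this commit introduces in nf_conntrack.h is named `tuplehash_to_ctrack()`, and no `tuplehash_to_ct` is defined anywhere in the visible diff. Unless that name exists elsewhere in the tree, this file will not compile; the line should read `struct nf_conn *ct = tuplehash_to_ctrack(h);`. The same spelling appears in the `do_iter` hunk of nf_conntrack_core.c (`return iter(tuplehash_to_ct(i), data);`). The function body continues outside the hunk.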
Modified: trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/net/netfilter/nf_conntrack_core.c
===================================================================
--- trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/net/netfilter/nf_conntrack_core.c 2005-02-15 03:25:14 UTC (rev 3710)
+++ trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/net/netfilter/nf_conntrack_core.c 2005-02-15 03:41:02 UTC (rev 3711)
@@ -334,6 +334,8 @@
return 0;
tuple->dst.protonum = protonum;
+ tuple->dst.dir = NF_CT_DIR_ORIGINAL;
+
return protocol->pkt_to_tuple(skb, dataoff, tuple);
}
@@ -349,6 +351,8 @@
if (l3proto->invert_tuple(inverse, orig) == 0)
return 0;
+ tuple->dst.dir = !orig->dst.dir;
+
inverse->dst.protonum = orig->dst.protonum;
return protocol->invert_tuple(inverse, orig);
}
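Review bot: The added line writes `tuple->dst.dir`, but the surrounding lines of this function only use `inverse` and `orig`, so `tuple` is probably not a name in scope here; if it does resolve to something, the reply tuple's `dir` is still left unset. Since `tuplehash_to_ctrack()` indexes `tuplehash[]` with that field, an unset value on the reply entry gives a wrong conntrack pointer. The line should be `inverse->dst.dir = !orig->dst.dir;`. The function signature is above the hunk, so the parameter names are inferred from the visible body.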
@@ -508,7 +512,7 @@
const struct nf_conn *ignored_conntrack)
{
MUST_BE_READ_LOCKED(&nf_conntrack_lock);
- return i->ctrack != ignored_conntrack
+ return tuplehash_to_ctrack(i) != ignored_conntrack
&& nf_ct_tuple_equal(tuple, &i->tuple);
}
@@ -543,7 +547,7 @@
READ_LOCK(&nf_conntrack_lock);
h = __nf_conntrack_find(tuple, ignored_conntrack);
if (h)
- atomic_inc(&h->ctrack->ct_general.use);
+ atomic_inc(&tuplehash_to_ctrack(h)->ct_general.use);
READ_UNLOCK(&nf_conntrack_lock);
return h;
@@ -638,30 +642,33 @@
connection. Too bad: we're in trouble anyway. */
static inline int unreplied(const struct nf_conntrack_tuple_hash *i)
{
- return !(test_bit(NF_S_ASSURED_BIT, &i->ctrack->status));
+ return !(test_bit(NF_S_ASSURED_BIT, &tuplehash_to_ctrack(i)->status));
}
static int early_drop(struct list_head *chain)
{
/* Traverse backwards: gives us oldest, which is roughly LRU */
struct nf_conntrack_tuple_hash *h;
+ struct nf_conn *ct = NULL;
int dropped = 0;
READ_LOCK(&nf_conntrack_lock);
h = LIST_FIND_B(chain, unreplied, struct nf_conntrack_tuple_hash *);
- if (h)
- atomic_inc(&h->ctrack->ct_general.use);
+ if (h) {
+ ct = tuplehash_to_ctrack(h);
+ atomic_inc(&ct->ct_general.use);
+ }
READ_UNLOCK(&nf_conntrack_lock);
- if (!h)
+ if (!ct)
return dropped;
- if (del_timer(&h->ctrack->timeout)) {
- death_by_timeout((unsigned long)h->ctrack);
+ if (del_timer(&ct->timeout)) {
+ death_by_timeout((unsigned long)ct);
dropped = 1;
NF_CT_STAT_INC(early_drop);
}
- nf_ct_put(h->ctrack);
+ nf_ct_put(ct);
return dropped;
}
@@ -737,9 +744,7 @@
atomic_set(&conntrack->ct_general.use, 1);
conntrack->ct_general.destroy = destroy_conntrack;
conntrack->tuplehash[NF_CT_DIR_ORIGINAL].tuple = *tuple;
- conntrack->tuplehash[NF_CT_DIR_ORIGINAL].ctrack = conntrack;
conntrack->tuplehash[NF_CT_DIR_REPLY].tuple = repl_tuple;
- conntrack->tuplehash[NF_CT_DIR_REPLY].ctrack = conntrack;
if (!protocol->new(conntrack, skb, dataoff)) {
free_conntrack(conntrack);
@@ -804,6 +809,7 @@
{
struct nf_conntrack_tuple tuple;
struct nf_conntrack_tuple_hash *h;
+ struct nf_conn *ct;
if (!nf_ct_get_tuple(skb, (unsigned int)(skb->nh.raw - skb->data),
dataoff, l3num, protonum, &tuple, l3proto,
@@ -825,6 +831,7 @@
return (void *)h;
}
}
+ ct = tuplehash_to_ctrack(h);
/* It exists; we have (non-exclusive) reference. */
if (NF_CT_DIRECTION(h) == NF_CT_DIR_REPLY) {
@@ -833,24 +840,21 @@
*set_reply = 1;
} else {
/* Once we've had two way comms, always ESTABLISHED. */
- if (test_bit(NF_S_SEEN_REPLY_BIT, &h->ctrack->status)) {
- DEBUGP("nf_conntrack_in: normal packet for %p\n",
- h->ctrack);
+ if (test_bit(NF_S_SEEN_REPLY_BIT, &ct->status)) {
+ DEBUGP("nf_conntrack_in: normal packet for %p\n", ct);
*ctinfo = NF_CT_ESTABLISHED;
- } else if (test_bit(NF_S_EXPECTED_BIT, &h->ctrack->status)) {
- DEBUGP("nf_conntrack_in: related packet for %p\n",
- h->ctrack);
+ } else if (test_bit(NF_S_EXPECTED_BIT, &ct->status)) {
+ DEBUGP("nf_conntrack_in: related packet for %p\n", ct);
*ctinfo = NF_CT_RELATED;
} else {
- DEBUGP("nf_conntrack_in: new packet for %p\n",
- h->ctrack);
+ DEBUGP("nf_conntrack_in: new packet for %p\n", ct);
*ctinfo = NF_CT_NEW;
}
*set_reply = 0;
}
- skb->nfct = &h->ctrack->ct_general;
+ skb->nfct = &ct->ct_general;
skb->nfctinfo = *ctinfo;
- return h->ctrack;
+ return ct;
}
unsigned int
@@ -1138,8 +1142,8 @@
static inline int unhelp(struct nf_conntrack_tuple_hash *i,
const struct nf_conntrack_helper *me)
{
- if (i->ctrack->helper == me)
- i->ctrack->helper = NULL;
+ if (tuplehash_to_ctrack(i)->helper == me)
+ tuplehash_to_ctrack(i)->helper = NULL;
return 0;
}
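Review bot: `unhelp()` evaluates `tuplehash_to_ctrack(i)` twice, once for the comparison and once for the store; a local makes the read-then-clear on one object explicit and matches how the other hunks in this file use `ct`. I would write `struct nf_conn *ct = tuplehash_to_ctrack(i);` followed by `if (ct->helper == me) ct->helper = NULL;`.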
@@ -1234,7 +1238,7 @@
int (*iter)(struct nf_conn *i, void *data),
void *data)
{
- return iter(i->ctrack, data);
+ return iter(tuplehash_to_ct(i), data);
}
/* Bring out ya dead! */
@@ -1256,7 +1260,7 @@
h = LIST_FIND_W(&unconfirmed, do_iter,
struct nf_conntrack_tuple_hash *, iter, data);
if (h)
- atomic_inc(&h->ctrack->ct_general.use);
+ atomic_inc(&tuplehash_to_ctrack(h)->ct_general.use);
WRITE_UNLOCK(&nf_conntrack_lock);
return h;
@@ -1269,12 +1273,13 @@
unsigned int bucket = 0;
while ((h = get_next_corpse(iter, data, &bucket)) != NULL) {
+ struct nf_conn *ct = tuplehash_to_ctrack(h);
/* Time to push up daises... */
- if (del_timer(&h->ctrack->timeout))
- death_by_timeout((unsigned long)h->ctrack);
+ if (del_timer(&ct->timeout))
+ death_by_timeout((unsigned long)ct);
/* ... else the timer will get him soon. */
- nf_ct_put(h->ctrack);
+ nf_ct_put(ct);
}
}
Modified: trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/net/netfilter/nf_conntrack_ftp.c
===================================================================
--- trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/net/netfilter/nf_conntrack_ftp.c 2005-02-15 03:25:14 UTC (rev 3710)
+++ trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/net/netfilter/nf_conntrack_ftp.c 2005-02-15 03:41:02 UTC (rev 3711)
@@ -585,7 +585,7 @@
exp->mask.src.l3num = 0xFFFF;
exp->mask.src.u.tcp.port = 0;
exp->mask.dst.u.tcp.port = 0xFFFF;
- exp->mask.dst.protonum = 0xFFFF;
+ exp->mask.dst.protonum = 0xFF;
exp->expectfn = NULL;
exp->master = ct;
@@ -649,7 +649,7 @@
ftp[i][j].tuple.src.u.tcp.port = htons(ports[i]);
ftp[i][j].tuple.dst.protonum = IPPROTO_TCP;
ftp[i][j].mask.src.u.tcp.port = 0xFFFF;
- ftp[i][j].mask.dst.protonum = 0xFFFF;
+ ftp[i][j].mask.dst.protonum = 0xFF;
ftp[i][j].max_expected = 1;
ftp[i][j].timeout = 5 * 60; /* 5 Minutes */
ftp[i][j].me = THIS_MODULE;
Modified: trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/net/netfilter/nf_conntrack_standalone.c
===================================================================
--- trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/net/netfilter/nf_conntrack_standalone.c 2005-02-15 03:25:14 UTC (rev 3710)
+++ trunk/patch-o-matic-ng/nf_conntrack/linux-2.6/net/netfilter/nf_conntrack_standalone.c 2005-02-15 03:41:02 UTC (rev 3711)
@@ -79,7 +79,8 @@
}
#ifdef CONFIG_NF_CT_ACCT
static unsigned int
-seq_print_counters(struct seq_file *s, struct nf_conntrack_counter *counter)
+seq_print_counters(struct seq_file *s,
+ const struct nf_conntrack_counter *counter)
{
return seq_printf(s, "packets=%llu bytes=%llu ",
(unsigned long long)counter->packets,
@@ -112,7 +113,7 @@
static int ct_seq_real_show(const struct nf_conntrack_tuple_hash *hash,
struct seq_file *s)
{
- struct nf_conn *conntrack = hash->ctrack;
+ const struct nf_conn *conntrack = tuplehash_to_ctrack(hash);
struct nf_conntrack_l3proto *l3proto;
struct nf_conntrack_protocol *proto;