[netfilter-cvslog] r3775 - branches/netfilter-ha/linux-2.6-actact/ct_sync

laforge at netfilter.org laforge at netfilter.org
Wed Mar 9 17:37:31 CET 2005 

Author: laforge at netfilter.org
Date: 2005-03-09 17:37:30 +0100 (Wed, 09 Mar 2005)
New Revision: 3775

Modified:
   branches/netfilter-ha/linux-2.6-actact/ct_sync/ct_sync_main.c
Log:
finally get rid of global syncdev parameter


Modified: branches/netfilter-ha/linux-2.6-actact/ct_sync/ct_sync_main.c
===================================================================
--- branches/netfilter-ha/linux-2.6-actact/ct_sync/ct_sync_main.c	2005-03-09 16:17:32 UTC (rev 3774)
+++ branches/netfilter-ha/linux-2.6-actact/ct_sync/ct_sync_main.c	2005-03-09 16:37:30 UTC (rev 3775)
@@ -73,8 +73,6 @@
 MODULE_DESCRIPTION("Connection tracking state synchronization module");
 
 /* module parameters */
-static char *syncdev = "";
-module_param(syncdev, charp, 0000);
 static int l2drop = 0;
 module_param(l2drop, int, 0000);
 static int notrack = 1;
@@ -94,7 +92,6 @@
 
 DEFINE_PER_CPU(struct ct_sync_stat, ct_sync_stats);
 
-static int syncdev_ifindex;	/* ifindex of the network device */
 
 struct ct_sync_instance;
 
@@ -1353,23 +1350,30 @@
 	     const struct net_device *outdev,
 	     int (*okfn)(struct sk_buff *))
 {
+	unsigned int ifindex;
+	struct ct_sync_instance *ctsi;
+
 	if ((*pskb)->nfct != NULL)
 		return NF_ACCEPT;
 
+	if (hook == NF_IP_PRE_ROUTING && indev)
+		ifindex = indev->ifindex;
+	else if (hook == NF_IP_LOCAL_OUT && outdev)
+		ifindex = outdev->ifindex;
+	else
+		return NF_ACCEPT;
+
 	/* all traffic coming in or going out sync interface is not
 	   to be tracked. Also, loopback traffic is ignored */
-
-	if ((hook == NF_IP_PRE_ROUTING && indev && 
-	     indev->ifindex == syncdev_ifindex) ||
-	    (hook == NF_IP_LOCAL_OUT && outdev &&
-	     outdev->ifindex == syncdev_ifindex) ||
-	    (indev && indev == &loopback_dev) || 
-	    (outdev && outdev == &loopback_dev)) {
-
-		/* Attach fake conntrack entry */
-		(*pskb)->nfct = &ip_conntrack_untracked.ct_general;
-		(*pskb)->nfctinfo = IP_CT_NEW;
-		nf_conntrack_get((*pskb)->nfct);
+	list_for_each_entry(ctsi, &ct_sync_instances, list) {
+		if (ctsi->syncdev_ifindex == ifindex ||
+		    loopback_dev.ifindex == ifindex) {
+			/* Attach fake conntrack entry */
+			(*pskb)->nfct = &ip_conntrack_untracked.ct_general;
+			(*pskb)->nfctinfo = IP_CT_NEW;
+			nf_conntrack_get((*pskb)->nfct);
+			return NF_ACCEPT;
+		}
 	}
 
 	return NF_ACCEPT;
@@ -1382,6 +1386,7 @@
 	    const struct net_device *outdev,
 	    int (*okfn)(struct sk_buff *))
 {
+	unsigned int ifindex;
 	struct ct_sync_instance *ctsi;
 
 	/* Allow local traffic */
@@ -1389,21 +1394,28 @@
 	    (outdev && outdev == &loopback_dev))
 		return NF_ACCEPT;
 
-	/* if all instances are in slave mode, all traffic _NOT_ on sync
-	 * interface has to be dropped */
+	if (hook == NF_PACKET_OUTPUT && outdev)
+		ifindex = outdev->ifindex;
+	else if (hook == NF_PACKET_INPUT && indev)
+		ifindex = indev->ifindex;
+	else
+		return NF_ACCEPT;
+	
 	list_for_each_entry(ctsi, &ct_sync_instances, list) {
 		if (cts_proto_is_master(ctsi->protoh))
+			/* if we have one instance in master,
+			 * we need to accept all packets */
 			return NF_ACCEPT;
+		else {
+			/* if we have one instance in slave mode, all traffic
+			 * on sync interface has to be accepted */
+			if (ifindex == ctsi->syncdev_ifindex)
+				return NF_ACCEPT;
+		}
 	}
 
-	if ((hook == NF_PACKET_OUTPUT && outdev &&
-	     outdev->ifindex != syncdev_ifindex) ||
-	    (hook == NF_PACKET_INPUT && indev &&
-	     indev->ifindex != syncdev_ifindex)) {
-		return NF_DROP;
-	}
-
-	return NF_ACCEPT;
+	/* drop is the default */
+	return NF_DROP;
 }
 
 static struct nf_hook_ops cts_hook_ops[] = {
@@ -1716,11 +1728,24 @@
 static ssize_t sysfs_syncdev_store(struct ct_sync_instance *ctsi,
 				   const char *buf, size_t len)
 {
+	char syncdev[IFNAMSIZ];
+	struct net_device *sync_netdev;
+
+	if (ctsi->active != 0)
+		return -EBUSY;
+
 	if (len >= IFNAMSIZ)
 		return -E2BIG;
 
-	strlcpy((char *)&ctsi->config.syncdev, buf, IFNAMSIZ-1);
+	strlcpy((char *)syncdev, buf, IFNAMSIZ-1);
 
+	if ((sync_netdev = dev_get_by_name(syncdev)) != NULL) {
+		ctsi->syncdev_ifindex = sync_netdev->ifindex;
+		dev_put(sync_netdev);
+		strlcpy(&ctsi->config.syncdev, syncdev, IFNAMSIZ-1);
+	} else 
+		return -EINVAL;
+
 	return strlen((char *)&ctsi->config.syncdev);
 }
 
@@ -2057,7 +2082,6 @@
 init_or_cleanup(int fini)
 {
 	int err, ret = -1;
-      	struct net_device *sync_netdev;
 	struct proc_dir_entry *ct_sync_stat;
 
 	if (fini)
@@ -2077,21 +2101,7 @@
 #ifdef CONFIG_IP_NF_CONNTRACK_MARK
 	CT_SYNC_DEBUG("cmarkbit: %d\n", cmarkbit);
 #endif
-	if (strcmp(syncdev, "") == 0) {
-		CT_SYNC_ERR("Required parameter syncdev is missing.\n");
-		return -1;
-	}
 
-	/* Get ifindex of sync device, used by the notrack and l2drop hook */
-	if ((sync_netdev = dev_get_by_name(syncdev)) != NULL) {
-		syncdev_ifindex = sync_netdev->ifindex;
-		dev_put(sync_netdev);
-	} else {
-		CT_SYNC_ERR("Lookup for network interface '%s' failed\n", 
-			    syncdev);
-		return -1;
-	}
-
 	/* Register hooks first, make sure not even the first sync packet gets
 	 * tracked */
 	if (notrack) {
@@ -2155,11 +2165,11 @@
 	/* Now we have all of our infrastructure up and running */
 	printk(KERN_NOTICE "netfilter conntrack_sync version %s loaded\n",
 	       CT_SYNC_VERSION);
-	CT_SYNC_INFO("parameters: syncdev='%s' l2drop=%u notrack=%u"
+	CT_SYNC_INFO("parameters: l2drop=%u notrack=%u"
 #ifdef CONFIG_IP_NF_CONNTRACK_MARK
 		     " cmarkbit=%u"
 #endif
-		     "\n", syncdev, l2drop, notrack
+		     "\n", l2drop, notrack
 #ifdef CONFIG_IP_NF_CONNTRACK_MARK
 		     , cmarkbit
 #endif

More information about the netfilter-cvslog mailing list