[conntrack-tools] conntrack: cleanup command line tool protocol extensions
Pablo Neira
netfilter-cvslog-bounces at lists.netfilter.org
Tue Nov 18 10:36:48 CET 2008
Gitweb: http://git.netfilter.org/cgi-bin/gitweb.cgi?p=conntrack-tools.git;a=commit;h=40efc1ebb15be022453f8c820c31099a8a0ebebd
commit 40efc1ebb15be022453f8c820c31099a8a0ebebd
Author: Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Tue Nov 18 10:33:35 2008 +0100
Commit: Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Tue Nov 18 10:33:35 2008 +0100
conntrack: cleanup command line tool protocol extensions
This patch cleans up the protocol extensions.
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
commit 6d8903cbf33ac10e8e03f884a58e374adc366887
Author: Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Tue Nov 18 10:33:33 2008 +0100
Commit: Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Tue Nov 18 10:33:33 2008 +0100
filter: choose the filtering method via configuration file
This patch changes the current behaviour of the filtering selection.
Up to now, conntrackd has used the kernel version to select the
filtering method based on the following logic: if the kernel is >= 2.6.26
we use BSF-based filtering from kernel-space; otherwise, default to
userspace.
However, this filtering method still lacks IPv6 support and
it requires a patch that got into 2.6.29 to filter IPv6 addresses
from kernel-space. To fix this issue, we default to user-space
filtering and let the user choose the method via the configuration
file.
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
commit d6f1b4be37e97dabb5de2d9ae664ef8afeec37ae
Author: Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Sat Nov 15 21:22:24 2008 +0100
Commit: Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Sat Nov 15 21:22:24 2008 +0100
conntrack: --status should not be mandatory with -I
This patch relaxes the parameter checking as now we don't need to
pass --status when we create a conntrack via command line interface.
In this case, the conntrack entry is created only with the
IPS_CONFIRMED flag.
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
commit 2ea70aa69ec0535101d0f417517fc3d4454ca840
Author: Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Sat Nov 15 21:22:24 2008 +0100
Commit: Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Sat Nov 15 21:22:24 2008 +0100
filter: remove useless branch in the check functions
If the logic is set to -1, this means that we do not perform any
filtering for this sort of network address. Therefore, we don't
need to re-check if there is any filter later. This patch also
inlines the check functions.
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
commit e6d816f8d096d98deeb0a52f96d44a4ace03ffe7
Author: Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Sat Nov 15 21:22:24 2008 +0100
Commit: Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Sat Nov 15 21:22:24 2008 +0100
filter: use jhash2 instead of jhash for IPv6 addresses
Since an IPv6 address can be seen as an array of uint32_t, use
the optimized jhash2() function instead of the generic jhash().
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
commit f135f1c317a3c9430dc33a6ea7ff90a1ba808e36
Author: Pablo Neira Ayuso <pablo at netfilter.org>
AuthorDate: Sun Nov 9 13:26:31 2008 +0100
Commit: Pablo Neira Ayuso <pablo at netfilter.org>
CommitDate: Sun Nov 9 13:26:31 2008 +0100
filter: use XOR instead of branches
Use XOR instead of branches in ct_filter_check.
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
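An added example (not conntrack-tools code) that models one dimension of the ct_filter_check decision touched by the two filter commits above: the -1 "no filter" shortcut and the branch-vs-XOR test, with a hypothetical bitmap probe to show where the XOR form stops agreeing with the branches. The helper names keep_branch, keep_xor, test_bit and keep_l4proto, and the logic[] semantics in the comments, are assumptions.

```c
#include <stdint.h>
/* Added example, not conntrack-tools code. Assumed logic[] semantics:
 * -1 = no filter configured, 0 = ignore-list (matches are dropped),
 * 1 = accept-list (only matches pass). Return 1 = keep, 0 = drop. */

/* Branch form, as in the pre-patch ct_filter_check. */
static int keep_branch(int ret, int logic)
{
    if (logic == -1)
        return 1;
    if (ret == 0 && logic)
        return 0;
    else if (ret == 1 && !logic)
        return 0;
    return 1;
}

/* XOR form, as in the patched ct_filter_check. Equivalent to the branch
 * form only while ret is exactly 0 or 1. */
static int keep_xor(int ret, int logic)
{
    if (logic == -1)
        return 1;
    return (ret ^ logic) ? 0 : 1;
}

/* Hypothetical bitmap probe, not the project's test_bit_u32. With
 * normalise = 0 it returns the raw masked bit, e.g. 64 for nr = 6. */
static int test_bit(int nr, const uint32_t *map, int normalise)
{
    uint32_t bit = map[nr >> 5] & (1u << (nr & 31));
    return normalise ? (bit != 0) : (int)bit;
}

/* 1 if both forms agree for every ret in {0,1} and logic in {-1,0,1}. */
int forms_agree_on_booleans(void)
{
    for (int logic = -1; logic <= 1; logic++)
        for (int ret = 0; ret <= 1; ret++)
            if (keep_branch(ret, logic) != keep_xor(ret, logic))
                return 0;
    return 1;
}

/* Filter with only in_map set in its l4proto map, probed for proto. */
int keep_l4proto(int in_map, int proto, int logic, int normalise)
{
    uint32_t l4protomap[8] = {0};
    l4protomap[in_map >> 5] |= 1u << (in_map & 31);
    return keep_xor(test_bit(proto, l4protomap, normalise), logic);
}
```

With a normalised probe the accept-list keeps TCP (6) and drops UDP (17) as intended; with a raw probe the accept-list drops TCP too, because 64 ^ 1 is non-zero.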
via 40efc1ebb15be022453f8c820c31099a8a0ebebd (commit)
via 6d8903cbf33ac10e8e03f884a58e374adc366887 (commit)
via d6f1b4be37e97dabb5de2d9ae664ef8afeec37ae (commit)
via 2ea70aa69ec0535101d0f417517fc3d4454ca840 (commit)
via e6d816f8d096d98deeb0a52f96d44a4ace03ffe7 (commit)
via f135f1c317a3c9430dc33a6ea7ff90a1ba808e36 (commit)
from 76ac8ebe5e49385585c8e29fe530ed4baef390bf (commit)
doc/sync/alarm/conntrackd.conf | 12 ++++-
doc/sync/ftfw/conntrackd.conf | 12 ++++-
doc/sync/notrack/conntrackd.conf | 12 ++++-
extensions/libct_proto_icmp.c | 32 +++----------
extensions/libct_proto_icmpv6.c | 34 +++-----------
extensions/libct_proto_tcp.c | 92 ++++++++------------------------------
extensions/libct_proto_udp.c | 81 +++++++--------------------------
include/conntrackd.h | 2 +-
include/jhash.h | 2 +-
src/conntrack.c | 2 +-
src/filter.c | 30 +++---------
src/main.c | 4 --
src/netlink.c | 8 ++-
src/read_config_lex.l | 3 +
src/read_config_yy.y | 16 ++++++-
15 files changed, 116 insertions(+), 226 deletions(-)
use XOR instead of branches in ct_filter_check.
Signed-off-by: Pablo Neira Ayuso <pablo at netfilter.org>
diff --git a/src/filter.c b/src/filter.c
index 33fe30e..c4854bb 100644
--- a/src/filter.c
+++ b/src/filter.c
@@ -211,9 +211,7 @@ int ct_filter_check(struct ct_filter *f, struct nf_conntrack *ct)
if (f->logic[CT_FILTER_L4PROTO] != -1) {
ret = test_bit_u32(protonum, f->l4protomap);
- if (ret == 0 && f->logic[CT_FILTER_L4PROTO])
- return 0;
- else if (ret == 1 && !f->logic[CT_FILTER_L4PROTO])
+ if (ret ^ f->logic[CT_FILTER_L4PROTO])
return 0;
}
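Review bot: `if (ret ^ f->logic[CT_FILTER_L4PROTO])` is only equivalent to the two removed branches while both operands are exactly 0 or 1; the old code compared `ret == 0` and `ret == 1` explicitly and let any other value pass, so if test_bit_u32() ever returns the raw masked bit rather than a normalised boolean, every conntrack on an accept-list gets dropped. Either confirm test_bit_u32() normalises its result or write the test defensively as `if ((ret != 0) ^ f->logic[CT_FILTER_L4PROTO])`.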
@@ -221,16 +219,12 @@ int ct_filter_check(struct ct_filter *f, struct nf_conntrack *ct)
switch(nfct_get_attr_u8(ct, ATTR_L3PROTO)) {
case AF_INET:
ret = __ct_filter_test_ipv4(f, ct);
- if (ret == 0 && f->logic[CT_FILTER_ADDRESS])
- return 0;
- else if (ret == 1 && !f->logic[CT_FILTER_ADDRESS])
+ if (ret ^ f->logic[CT_FILTER_ADDRESS])
return 0;
break;
case AF_INET6:
- ret = __ct_filter_test_ipv6(f, ct);
- if (ret == 0 && f->logic[CT_FILTER_ADDRESS])
- return 0;
- else if (ret == 1 && !f->logic[CT_FILTER_ADDRESS])
+ ret = __ct_filter_test_ipv6(f, ct);
+ if (ret ^ f->logic[CT_FILTER_ADDRESS])
return 0;
break;
default:
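Review bot: the AF_INET6 case removes and re-adds `ret = __ct_filter_test_ipv6(f, ct);` with no visible change, which reads as whitespace churn that obscures the real edit; and since the two cases now differ only in which helper sets `ret`, the `if (ret ^ f->logic[CT_FILTER_ADDRESS]) return 0;` could sit once below the switch instead of being duplicated. The same 0/1 assumption applies to the return values of __ct_filter_test_ipv4() and __ct_filter_test_ipv6().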
@@ -240,9 +234,7 @@ int ct_filter_check(struct ct_filter *f, struct nf_conntrack *ct)
if (f->logic[CT_FILTER_STATE] != -1) {
ret = __ct_filter_test_state(f, ct);
- if (ret == 0 && f->logic[CT_FILTER_STATE])
- return 0;
- else if (ret == 1 && !f->logic[CT_FILTER_STATE])
+ if (ret ^ f->logic[CT_FILTER_STATE])
return 0;
}
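Review bot: nothing documents the invariant the three XOR tests now rely on, namely that `ret` and `f->logic[]` are strictly 0 or 1 with -1 meaning "no filter"; add a one-line comment above the first test in ct_filter_check or at the definition of the logic array, so that a future helper returning a bitmask does not silently invert the filter decision.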