xt_connlimit 20070707 kernel
Yasuyuki KOZAKAI
yasuyuki.kozakai at toshiba.co.jp
Tue Jul 10 08:30:09 CEST 2007
From: Jan Engelhardt <jengelh at computergmbh.de>
Date: Mon, 9 Jul 2007 17:10:52 +0200 (CEST)
> + } else {
> + struct nf_conntrack_l3proto *l3proto;
> + struct nf_conntrack_l4proto *l4proto;
> +
> + l3proto = __nf_ct_l3proto_find(match->family);
> + if (l3proto == NULL)
> + goto hotdrop;
> + l4proto = __nf_ct_l4proto_find(match->family, match->proto);
> + if (l4proto == NULL)
> + goto hotdrop;
> + if (nf_ct_get_tuple(skb, 0, 0, match->family, match->proto,
> + &tuple, NULL, NULL) != 0)
> + goto hotdrop;
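Review bot: the second and third arguments to nf_ct_get_tuple() are hardcoded to 0, but they are the offsets of the network header and of the transport header; with a transport offset of 0 the tuple's ports are read from the first bytes of the IP header rather than from the TCP/UDP header, so the connection count keys on the wrong data. Derive both from the packet instead: skb_network_offset(skb) for the network header and, for match->family == AF_INET, ip_hdrlen(skb) for the transport header (IPv6 needs the extension-header chain walked; the nf_conntrack helper that does this is not exported, as the reply below points out), and goto hotdrop when the offset cannot be determined.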
The second argument is the offset to the network protocol header,
skb_network_offset(skb) (it is 0 in most cases, but it is more logical).
The third argument is the offset to the transport protocol header. In the case
of IPv4, you can use ip_hdrlen(). For IPv6, you can use
nf_ct_ipv6_skip_exthdr(), but you also need to export the symbol of
nf_ct_ipv6_skip_exthdr().
IIRC nf_conntrack_proto_icmp[v6].c do the same things. If I have any time
late tonight, I'll write a generic function for them.
-- Yasuyuki Kozakai
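An added example for this thread, not code from the xt_connlimit patch or from the netfilter tree: a user-space model of the two offsets nf_ct_get_tuple() takes, showing why hardcoding both to 0 breaks the tuple. The network header offset is 0 for every sample here (as the reply notes it usually is); the transport offset is the IPv4 header length, which is what ip_hdrlen() computes, or the end of the IPv6 extension-header chain, a simplified version of what nf_ct_ipv6_skip_exthdr() walks (AH and the kernel helper's other corner cases are left out). The function names and the two packets are constructed for this example.

```c
/* Added example, not from the xt_connlimit patch or the netfilter tree.
 * Models the transport-header offset that nf_ct_get_tuple() needs, in user
 * space, on two hand-constructed packets. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define NEXTHDR_HOP       0
#define NEXTHDR_TCP       6
#define NEXTHDR_ROUTING  43
#define NEXTHDR_FRAGMENT 44
#define NEXTHDR_DEST     60

/* Like ip_hdrlen(): IHL (low nibble of byte 0) in 32-bit words; -1 if the
 * buffer is not a plausible IPv4 header. */
int ipv4_transport_offset(const uint8_t *pkt, size_t len, uint8_t *proto)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    int ihl = (pkt[0] & 0x0f) * 4;
    if (ihl < 20 || (size_t)ihl > len)
        return -1;
    *proto = pkt[9];
    return ihl;
}

/* Simplified extension-header walk (hop-by-hop, routing, destination options
 * carry Hdr Ext Len in 8-octet units excluding the first 8; fragment is a
 * fixed 8 bytes).  AH and other cases the kernel helper handles are omitted. */
int ipv6_transport_offset(const uint8_t *pkt, size_t len, uint8_t *proto)
{
    if (len < 40 || (pkt[0] >> 4) != 6)
        return -1;
    uint8_t nexthdr = pkt[6];
    size_t off = 40, hdrlen;
    for (;;) {
        switch (nexthdr) {
        case NEXTHDR_HOP: case NEXTHDR_ROUTING: case NEXTHDR_DEST:
            if (off + 2 > len)
                return -1;
            hdrlen = ((size_t)pkt[off + 1] + 1) * 8;
            break;
        case NEXTHDR_FRAGMENT:
            hdrlen = 8;
            break;
        default:                 /* not an extension header: transport starts here */
            *proto = nexthdr;
            return (int)off;
        }
        if (off + hdrlen > len)
            return -1;
        nexthdr = pkt[off];      /* Next Header is byte 0 of every extension header */
        off += hdrlen;
    }
}

/* The offset-dependent part of tuple extraction: the TCP/UDP port pair is the
 * first four bytes of the transport header. */
int read_ports(const uint8_t *pkt, size_t len, int toff, uint16_t *sport, uint16_t *dport)
{
    if (toff < 0 || (size_t)toff + 4 > len)
        return -1;
    *sport = (uint16_t)((pkt[toff] << 8) | pkt[toff + 1]);
    *dport = (uint16_t)((pkt[toff + 2] << 8) | pkt[toff + 3]);
    return 0;
}

/* Constructed sample: IPv4 with 4 bytes of options (IHL=6), TCP 40000 -> 443.
 * Checksums are left zero; they are not needed here. */
static const uint8_t ipv4_pkt[] = {
    0x46, 0x00, 0x00, 0x2c, 0x00, 0x00, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    192, 0, 2, 1,  198, 51, 100, 7,
    0x01, 0x01, 0x01, 0x00,                              /* NOP NOP NOP EOL */
    0x9c, 0x40, 0x01, 0xbb, 0, 0, 0, 0, 0, 0, 0, 0, 0x50, 0x02, 0xff, 0xff, 0, 0, 0, 0,
};

/* Constructed sample: IPv6, hop-by-hop (8 bytes) -> dest opts (16 bytes) -> TCP 40000 -> 443. */
static const uint8_t ipv6_pkt[] = {
    0x60, 0x00, 0x00, 0x00, 0x00, 0x2c, NEXTHDR_HOP, 0x40,
    0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1,
    0x20, 0x01, 0x0d, 0xb8, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 2,
    NEXTHDR_DEST, 0x00, 0x01, 0x04, 0, 0, 0, 0,          /* Hdr Ext Len 0 */
    NEXTHDR_TCP,  0x01, 0x01, 0x0c, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
    0x9c, 0x40, 0x01, 0xbb, 0, 0, 0, 0, 0, 0, 0, 0, 0x50, 0x02, 0xff, 0xff, 0, 0, 0, 0,
};

/* Single-value wrappers over the samples; dport wrappers return -1 on error. */
int sample_ipv4_offset(void) { uint8_t p; return ipv4_transport_offset(ipv4_pkt, sizeof ipv4_pkt, &p); }
int sample_ipv6_offset(void) { uint8_t p; return ipv6_transport_offset(ipv6_pkt, sizeof ipv6_pkt, &p); }
int sample_ipv4_dport(int toff)
{ uint16_t s, d; return read_ports(ipv4_pkt, sizeof ipv4_pkt, toff, &s, &d) < 0 ? -1 : d; }
int sample_ipv6_dport(int toff)
{ uint16_t s, d; return read_ports(ipv6_pkt, sizeof ipv6_pkt, toff, &s, &d) < 0 ? -1 : d; }

int main(void)
{
    printf("IPv4: transport offset %d, dport %d, dport read at offset 0: %d\n",
           sample_ipv4_offset(), sample_ipv4_dport(sample_ipv4_offset()), sample_ipv4_dport(0));
    printf("IPv6: transport offset %d, dport %d, dport read at offset 0: %d\n",
           sample_ipv6_offset(), sample_ipv6_dport(sample_ipv6_offset()), sample_ipv6_dport(0));
    return 0;
}
```

With the offset computed from the header the destination port comes out as 443 for both packets; with the patch's hardcoded 0 the IPv4 "port" is the total-length field (44) and the IPv6 one is the low flow-label bytes (0), which is the wrong tuple the reply is pointing at.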