xt_connlimit 20070707 kernel

Yasuyuki KOZAKAI yasuyuki.kozakai at toshiba.co.jp
Tue Jul 10 08:30:09 CEST 2007


From: Jan Engelhardt <jengelh at computergmbh.de>
Date: Mon, 9 Jul 2007 17:10:52 +0200 (CEST)

> +	} else {
> +		struct nf_conntrack_l3proto *l3proto;
> +		struct nf_conntrack_l4proto *l4proto;
> +
> +		l3proto = __nf_ct_l3proto_find(match->family);
> +		if (l3proto == NULL)
> +			goto hotdrop;
> +		l4proto = __nf_ct_l4proto_find(match->family, match->proto);
> +		if (l4proto == NULL)
> +			goto hotdrop;
> +		if (nf_ct_get_tuple(skb, 0, 0, match->family, match->proto,
> +		    &tuple, NULL, NULL) != 0)
> +			goto hotdrop;
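Review bot: the `0, 0` passed as nf_ct_get_tuple()'s second and third arguments hardcode the network-header and transport-header offsets, which is only right for an IPv4 packet whose header starts at offset 0 and carries no options; use skb_network_offset(skb) for the first and a computed transport offset (ip_hdrlen() for IPv4, an extension-header walk for IPv6) for the second, otherwise a packet with IP options or IPv6 extension headers yields a tuple built from the wrong bytes. In the same call the trailing `NULL, NULL` look like the places the protocol handlers belong, yet the l3proto and l4proto looked up just above are never used after their NULL checks; pass `&tuple, l3proto, l4proto` there rather than discarding the lookups.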

The second argument is the offset to the network protocol header,
skb_network_offset(skb) (it is 0 in most cases, but it is more logical).

The third argument is the offset to the transport protocol header. In the case
of IPv4, you can use ip_hdrlen(). For IPv6, you can use
nf_ct_ipv6_skip_exthdr(), but you also need to export the symbol
nf_ct_ipv6_skip_exthdr().

IIRC nf_conntrack_proto_icmp[v6].c do the same things. If I have any time
late at night today, I'll write a generic function for them.

-- Yasuyuki Kozakai
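The offset computation the reply describes, as an added user-space C example that is not code from the xt_connlimit patch, the kernel, or the reply's author: the IPv4 branch derives the transport offset from the IHL field the way ip_hdrlen() does, and the IPv6 branch walks hop-by-hop, routing, fragment, AH and destination-options headers the way nf_ct_ipv6_skip_exthdr() does, stopping at ESP and No-Next-Header. The family constants, the helper names and both sample packets are constructed for the example; header layouts follow RFC 791, RFC 2460 and RFC 4302.

```c
/*
 * Added example, not from the xt_connlimit patch or the kernel: a user-space
 * model of the two offsets nf_ct_get_tuple() takes.  nhoff is where the
 * network header starts (skb_network_offset()); dataoff is where the
 * transport header starts (ip_hdrlen() for IPv4, an extension-header walk
 * modelled on nf_ct_ipv6_skip_exthdr() for IPv6).  Constants are assumed.
 */
#include <stddef.h>
#include <stdint.h>

#define FAMILY_INET  2          /* assumed; mirrors AF_INET  */
#define FAMILY_INET6 10         /* assumed; mirrors AF_INET6 */

enum { NH_HOPOPTS = 0, NH_TCP = 6, NH_UDP = 17, NH_ROUTING = 43, NH_FRAGMENT = 44,
       NH_ESP = 50, NH_AUTH = 51, NH_NONE = 59, NH_DSTOPTS = 60 }; /* IPv6 next headers */

struct tuple_offsets {
	size_t  nhoff;          /* network header offset   */
	size_t  dataoff;        /* transport header offset */
	uint8_t protonum;       /* layer-4 protocol found at dataoff */
};

static int is_ext_hdr(uint8_t nh)
{
	return nh == NH_HOPOPTS || nh == NH_ROUTING || nh == NH_FRAGMENT ||
	       nh == NH_ESP || nh == NH_AUTH || nh == NH_NONE || nh == NH_DSTOPTS;
}

/* Walk extension headers from 'start' (type *nexthdrp).  Returns the offset of
 * the first non-extension header and updates *nexthdrp, or -1 if truncated.
 * ESP and No-Next-Header end the walk: nothing behind them can be parsed. */
static long ipv6_skip_exthdr(const uint8_t *pkt, size_t len, size_t start,
			     uint8_t *nexthdrp)
{
	uint8_t nexthdr = *nexthdrp;
	while (is_ext_hdr(nexthdr)) {
		size_t hdrlen;
		if (nexthdr == NH_NONE || nexthdr == NH_ESP)
			break;
		if (start + 2 > len)                  /* need nexthdr + hdrlen bytes */
			return -1;
		if (nexthdr == NH_FRAGMENT)
			hdrlen = 8;                                  /* fixed size */
		else if (nexthdr == NH_AUTH)
			hdrlen = ((size_t)pkt[start + 1] + 2) * 4;   /* AH: 32-bit words */
		else
			hdrlen = ((size_t)pkt[start + 1] + 1) * 8;   /* options: 8-octet units */
		if (start + hdrlen > len)
			return -1;
		nexthdr = pkt[start];
		start += hdrlen;
	}
	*nexthdrp = nexthdr;
	return (long)start;
}

/* Fill 'out' for a packet whose network header starts at nhoff; 0 on success. */
static int get_tuple_offsets(const uint8_t *pkt, size_t len, size_t nhoff,
			     int family, struct tuple_offsets *out)
{
	out->nhoff = nhoff;
	if (family == FAMILY_INET) {
		size_t ihl;
		if (nhoff + 20 > len || (pkt[nhoff] >> 4) != 4)
			return -1;
		ihl = (size_t)(pkt[nhoff] & 0x0f) * 4;      /* what ip_hdrlen() returns */
		if (ihl < 20 || nhoff + ihl > len)
			return -1;
		out->dataoff = nhoff + ihl;
		out->protonum = pkt[nhoff + 9];
		return 0;
	}
	if (family == FAMILY_INET6) {
		uint8_t nh; long off;
		if (nhoff + 40 > len || (pkt[nhoff] >> 4) != 6)
			return -1;
		nh = pkt[nhoff + 6];
		off = ipv6_skip_exthdr(pkt, len, nhoff + 40, &nh);
		if (off < 0)
			return -1;
		out->dataoff = (size_t)off;
		out->protonum = nh;
		return 0;
	}
	return -1;
}

/* Constructed sample: Ethernet + IPv4 with 4 bytes of NOP options + TCP. */
static const uint8_t ipv4_pkt[] = {
	0,0,0,0,0,0, 0,0,0,0,0,0, 0x08,0x00,               /* Ethernet: nhoff is 14 */
	0x46,0x00,0x00,0x2c, 0,0,0,0, 0x40,0x06,0,0,       /* IHL 6, protocol TCP   */
	10,0,0,1, 10,0,0,2, 0x01,0x01,0x01,0x01,            /* addresses, options    */
	0x04,0xd2, 0x00,0x50, 0,0,0,0, 0,0,0,0, 0x50,0x02,0,0, 0,0,0,0, /* TCP 1234->80 */
};

/* Constructed sample: IPv6 + hop-by-hop (8) + destination options (16) + UDP. */
static const uint8_t ipv6_pkt[] = {
	0x60,0,0,0, 0x00,0x20, NH_HOPOPTS, 0x40,            /* payload length 32 */
	0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,1,                   /* src ::1 */
	0,0,0,0,0,0,0,0, 0,0,0,0,0,0,0,2,                   /* dst ::2 */
	NH_DSTOPTS,0, 1,0,0,0,0,0,                          /* hop-by-hop, hdrlen 0 */
	NH_UDP,1, 1,0,0,0,0,0, 1,4,0,0,0,0,0,0,             /* dest opts, hdrlen 1  */
	0x00,0x35, 0x14,0xe9, 0x00,0x08, 0,0,               /* UDP 53 -> 5353 */
};
```

With the Ethernet-prefixed IPv4 sample, nhoff 14 gives a transport offset of 38, while the hardcoded 0 from the quoted hunk fails the version check outright; the IPv6 sample lands on UDP at offset 64 only after both extension headers are skipped, and a buffer cut short in the middle of the chain is rejected rather than read past its end.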


