mirrors/linux
1
0
Fork 1
mirror of https://github.com/torvalds/linux.git synced 2025-11-04 10:40:15 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

netfilter: xt_socket: prepare for TCP_NEW_SYN_RECV support

Browse source 
TCP request socks soon will be visible in ehash table.

xt_socket will be able to match them, but first we need
to make sure to not consider them as full sockets.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Eric Dumazet 2015-03-16 21:06:17 -07:00 committed by David S. Miller
parent 8b58014779
commit a940700003
1 changed files with 22 additions and 12 deletions
repo.diff.show_diff_stats Download patch file Download diff file Expand all files Collapse all files

34
net/netfilter/xt_socket.c
View file

@ -129,6 +129,20 @@ xt_socket_get_sock_v4(struct net *net, const u8 protocol,
return NULL; return NULL;
} }
static bool xt_socket_sk_is_transparent(struct sock *sk)
{
switch (sk->sk_state) {
case TCP_TIME_WAIT:
return inet_twsk(sk)->tw_transparent;
case TCP_NEW_SYN_RECV:
return inet_rsk(inet_reqsk(sk))->no_srccheck;
default:
return inet_sk(sk)->transparent;
}
}
static bool static bool
socket_match(const struct sk_buff *skb, struct xt_action_param *par, socket_match(const struct sk_buff *skb, struct xt_action_param *par,
const struct xt_socket_mtinfo1 *info) const struct xt_socket_mtinfo1 *info)
@ -195,16 +209,14 @@ socket_match(const struct sk_buff *skb, struct xt_action_param *par,
* unless XT_SOCKET_NOWILDCARD is set * unless XT_SOCKET_NOWILDCARD is set
*/ */
wildcard = (!(info->flags & XT_SOCKET_NOWILDCARD) && wildcard = (!(info->flags & XT_SOCKET_NOWILDCARD) &&
sk->sk_state != TCP_TIME_WAIT && sk_fullsock(sk) &&
inet_sk(sk)->inet_rcv_saddr == 0); inet_sk(sk)->inet_rcv_saddr == 0);
/* Ignore non-transparent sockets, /* Ignore non-transparent sockets,
if XT_SOCKET_TRANSPARENT is used */ * if XT_SOCKET_TRANSPARENT is used
*/
if (info->flags & XT_SOCKET_TRANSPARENT) if (info->flags & XT_SOCKET_TRANSPARENT)
transparent = ((sk->sk_state != TCP_TIME_WAIT && transparent = xt_socket_sk_is_transparent(sk);
inet_sk(sk)->transparent) ||
(sk->sk_state == TCP_TIME_WAIT &&
inet_twsk(sk)->tw_transparent));
if (sk != skb->sk) if (sk != skb->sk)
sock_gen_put(sk); sock_gen_put(sk);
@ -363,16 +375,14 @@ socket_mt6_v1_v2(const struct sk_buff *skb, struct xt_action_param *par)
* unless XT_SOCKET_NOWILDCARD is set * unless XT_SOCKET_NOWILDCARD is set
*/ */
wildcard = (!(info->flags & XT_SOCKET_NOWILDCARD) && wildcard = (!(info->flags & XT_SOCKET_NOWILDCARD) &&
sk->sk_state != TCP_TIME_WAIT && sk_fullsock(sk) &&
ipv6_addr_any(&sk->sk_v6_rcv_saddr)); ipv6_addr_any(&sk->sk_v6_rcv_saddr));
/* Ignore non-transparent sockets, /* Ignore non-transparent sockets,
if XT_SOCKET_TRANSPARENT is used */ * if XT_SOCKET_TRANSPARENT is used
*/
if (info->flags & XT_SOCKET_TRANSPARENT) if (info->flags & XT_SOCKET_TRANSPARENT)
transparent = ((sk->sk_state != TCP_TIME_WAIT && transparent = xt_socket_sk_is_transparent(sk);
inet_sk(sk)->transparent) ||
(sk->sk_state == TCP_TIME_WAIT &&
inet_twsk(sk)->tw_transparent));
if (sk != skb->sk) if (sk != skb->sk)
sock_gen_put(sk); sock_gen_put(sk);