author | Daniel Borkmann <daniel@iogearbox.net> | 2015-08-14 16:03:40 +0200
---|---|---
committer | Pablo Neira Ayuso <pablo@netfilter.org> | 2015-08-18 01:24:05 +0200
commit | 5e8018fc61423e677398d4ad4d72df70b9788e77 (patch) |
tree | 5605633fddd52cf0a677ad6f62fb8bb2e7a46054 /net/netfilter/xt_CT.c |
parent | deedb59039f111c41aa5a54ee384c8e7c08bc78a (diff) |
netfilter: nf_conntrack: add efficient mark to zone mapping
This work adds the possibility of deriving the zone id from the skb->mark
field in a scalable manner. This allows for having only a single template
serving hundreds/thousands of different zones, for example, instead of the
need to have one match for each zone as an extra CT jump target.
Note that we'd need to have this information attached to the template as at
the time when we're trying to look up a possible ct object, we already need
to know zone information for a possible match when going into
__nf_conntrack_find_get(). This work provides a minimal implementation for
a possible mapping.
In order to not add/expose an extra ct->status bit, the zone structure has
been extended to carry a flag for deriving the mark.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/netfilter/xt_CT.c')
-rw-r--r-- | net/netfilter/xt_CT.c | 5 |
1 files changed, 4 insertions, 1 deletions
diff --git a/net/netfilter/xt_CT.c b/net/netfilter/xt_CT.c index 536cb67928ad..346509825a80 100644 --- a/net/netfilter/xt_CT.c +++ b/net/netfilter/xt_CT.c @@ -208,7 +208,8 @@ static int xt_ct_tg_check(const struct xt_tgchk_param *par, #ifndef CONFIG_NF_CONNTRACK_ZONES if (info->zone || info->flags & (XT_CT_ZONE_DIR_ORIG | - XT_CT_ZONE_DIR_REPL)) + XT_CT_ZONE_DIR_REPL | + XT_CT_ZONE_MARK)) goto err1; #endif @@ -219,6 +220,8 @@ static int xt_ct_tg_check(const struct xt_tgchk_param *par, memset(&zone, 0, sizeof(zone)); zone.id = info->zone; zone.dir = xt_ct_flags_to_dir(info); + if (info->flags & XT_CT_ZONE_MARK) + zone.flags |= NF_CT_FLAG_MARK; ct = nf_ct_tmpl_alloc(par->net, &zone, GFP_KERNEL); ret = PTR_ERR(ct); |
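Review bot: in the first hunk (the `#ifndef CONFIG_NF_CONNTRACK_ZONES` check in xt_ct_tg_check), the condition `info->zone || info->flags & (XT_CT_ZONE_DIR_ORIG | XT_CT_ZONE_DIR_REPL | XT_CT_ZONE_MARK)` relies on `&` binding tighter than `||`; that is correct, but now that the mask spans three lines it is easy to misread, so consider wrapping the bitmask test in its own parentheses, e.g. `if (info->zone || (info->flags & (XT_CT_ZONE_DIR_ORIG | ...)))`. Rejecting `XT_CT_ZONE_MARK` at rule-check time when zones are compiled out (rather than silently ignoring it) is the right behaviour and matches how the two direction flags are already handled.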
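Review bot: in the second hunk, `zone.id = info->zone;` is still assigned unconditionally right before `if (info->flags & XT_CT_ZONE_MARK) zone.flags |= NF_CT_FLAG_MARK;`, so nothing in xt_ct_tg_check defines what happens when a rule supplies both a fixed zone id and the mark flag. Either reject that combination here (return an error when `info->zone` is non-zero and `XT_CT_ZONE_MARK` is set) or document in the commit message which of the two wins, so the semantics are fixed at the point of validation rather than left to the conntrack lookup path.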