// SPDX-License-Identifier: GPL-2.0-or-later
/*
 * ip_vs_nfct.c: Netfilter connection tracking support for IPVS
 *
 * Portions Copyright (C) 2001-2002
 * Antefacto Ltd, 181 Parnell St, Dublin 1, Ireland.
 *
 * Portions Copyright (C) 2003-2010
 * Julian Anastasov
 *
 * Authors:
 * Ben North <[email protected]>
 * Julian Anastasov <[email protected]> Reorganize and sync with latest kernels
 * Hannes Eder <[email protected]> Extend NFCT support for FTP, ipvs match
 *
 * Current status:
 *
 * - provide conntrack confirmation for new and related connections; this
 *   way we can see their proper conntrack state in all hooks
 * - support for all forwarding methods, not only NAT
 * - FTP support (NAT), ability to support other NAT apps with expectations
 * - to correctly create expectations for related NAT connections the proper
 *   NF conntrack support must be already installed, eg. ip_vs_ftp requires
 *   nf_conntrack_ftp ... iptables_nat for the same ports (but no iptables
 *   NAT rules are needed)
 * - alter reply for NAT when forwarding packet in original direction:
 *   conntrack from client in NEW or RELATED (Passive FTP DATA) state or
 *   when RELATED conntrack is created from real server (Active FTP DATA)
 * - if iptables_nat is not loaded the Passive FTP will not work (the
 *   PASV response can not be NAT-ed) but Active FTP should work
 *
 * NOTE(review): this listing is a collapsed view — every function body and
 * the macro definitions are elided ("…"). Comments below are written from
 * the signatures and the status notes above; claims marked "presumably"
 * must be confirmed against the full source.
 */
#define KMSG_COMPONENT …
#define pr_fmt(fmt) …
#include <linux/module.h>
#include <linux/types.h>
#include <linux/kernel.h>
#include <linux/errno.h>
#include <linux/compiler.h>
#include <linux/vmalloc.h>
#include <linux/skbuff.h>
#include <net/ip.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
#include <net/ip_vs.h>
#include <net/netfilter/nf_conntrack_core.h>
#include <net/netfilter/nf_conntrack_expect.h>
#include <net/netfilter/nf_conntrack_seqadj.h>
#include <net/netfilter/nf_conntrack_helper.h>
#include <net/netfilter/nf_conntrack_zones.h>
/* Printf-style helpers for logging a conntrack tuple / IPVS connection;
 * definitions elided in this listing. */
#define FMT_TUPLE …
#define ARG_TUPLE(T) …
#define FMT_CONN …
#define ARG_CONN(C) …

/*
 * Update the conntrack entry attached to @skb from the IPVS connection @cp.
 * Per the status notes above this is presumably where the reply is altered
 * for NAT when a packet is forwarded in the original direction. @outin
 * appears to be a direction flag (name only — confirm its values in the
 * full source).
 */
void
ip_vs_update_conntrack(struct sk_buff *skb, struct ip_vs_conn *cp, int outin) { … }

/*
 * Confirm the conntrack entry attached to @skb ("provide conntrack
 * confirmation for new and related connections" above). Returns an int
 * status; the body is elided here, so the exact return convention (0 /
 * negative errno vs. NF verdict) must be checked in the full source.
 */
int ip_vs_confirm_conntrack(struct sk_buff *skb) { … }

/*
 * Called from init_conntrack() as expectfn handler.
 *
 * @ct:  the newly created conntrack that matched expectation @exp
 * @exp: the expectation registered by ip_vs_nfct_expect_related()
 *       (presumably — the body is elided in this listing)
 */
static void ip_vs_nfct_expect_callback(struct nf_conn *ct, struct nf_conntrack_expect *exp) { … }

/*
 * Create NF conntrack expectation with wildcard (optional) source port.
 * Then the default callback function will alter the reply and will confirm
 * the conntrack entry when the first packet comes.
 * Use port 0 to expect connection from any port.
 *
 * @skb:     packet that carries the control-channel conntrack @ct
 * @ct:      master conntrack the expectation is attached to
 * @cp:      IPVS connection the expected data connection belongs to
 * @proto:   L4 protocol of the expected connection
 * @port:    expected source port; 0 means any source port
 * @from_rs: presumably whether the expectation originates from the real
 *           server side (Active FTP DATA per the status notes) — confirm
 *
 * NOTE(review): a port-0 expectation matches any source port and is
 * therefore broader than a specific-port one; callers should pass the exact
 * port wherever the application protocol makes it known.
 */
void ip_vs_nfct_expect_related(struct sk_buff *skb, struct nf_conn *ct, struct ip_vs_conn *cp, u_int8_t proto, const __be16 port, int from_rs) { … }
EXPORT_SYMBOL(…);

/*
 * Our connection was terminated, try to drop the conntrack immediately
 *
 * @cp: the IPVS connection being torn down; the matching conntrack entry
 *      is located and dropped so stale state does not outlive @cp
 *      (body elided in this listing).
 */
void ip_vs_conn_drop_conntrack(struct ip_vs_conn *cp) { … }