Raw: nf_conntrack: default automatic helper assignment has been turned off for security reasons and CT-based firewall rule not found. Use the iptables CT target to attach helpers instead. Environment: Red Hat Enterprise Linux 8; nftables firewall; firewalld firewall; a service which requires a "conntrack...
对于需要处理子连接的协议，利用nf_conntrack_helper.c文件中的nf_conntrack_helper_register(struct nf_conntrack_helper *me)来注册nf_conntrack_helper结构，并利用nf_conntrack_expect.c文件中的nf_ct_expect_related_report(struct nf_conntrack_expect *expect, u32 pid, int report)来注册nf_conntrack_expect结构。
}/*根据skb L3和L4层的信息 得到一个nf_conn结构*/ct=resolve_normal_ct(net, tmpl, skb, dataoff, pf, protonum, l3proto, l4proto,&set_reply, &ctinfo);if(!ct) {/*Not valid part of a connection*/NF_CT_STAT_INC_ATOMIC(net, invalid); ret=NF_ACCEPT;gotoout; }if(IS_ERR(ct)) {/...
nf_ct_ext_destroy(ct); atomic_dec(&net->ct.count); nf_ct_ext_free(ct); kmem_cache_free(nf_conntrack_cachep, ct); kmem_cache_free(net->ct.nf_conntrack_cachep, ct); } EXPORT_SYMBOL_GPL(nf_conntrack_free);@@ -1119,7 +1117,6 @@ static void nf_conntrack_cleanup_init_net(void...
NF_CT_EXT_HELPER, NF_CT_EXT_NAT, NF_CT_EXT_ACCT, NF_CT_EXT_ECACHE, - NF_CT_EXT_NEW, +#ifdef NFCT_EXT_EXT + NF_CT_EXT_EXT, +#endif NF_CT_EXT_NUM, }; @@ -17,13 +21,21 @@ #define NF_CT_EXT_NAT_TYPE struct nf_conn_nat ...
MAX_EXT_SLOTS 8
#define BITINT 1

/*
 * Fixed-size extension table attached to a conntrack entry: at most
 * MAX_EXT_SLOTS extensions, each addressed by an index and a slot pointer.
 * NOTE(review): the ownership of what slot[] points to, and how bits_idx[]
 * relates to bits[] (bits[] holds only BITINT == 1 int for 8 slots), are
 * not visible in this excerpt. Nothing shown here bounds an index against
 * MAX_EXT_SLOTS either — confirm that nf_ct_exts_add()/nf_ct_exts_get()
 * range-check before indexing these arrays.
 */
struct nf_conntrack_ext {
	/* An array is required so the layout can be introspected / reflected on. */
	int bits_idx[MAX_EXT_SLOTS];
	int bits[BITINT];
	char *slot[MAX_EXT_SLOTS];
};

/* Attach @ext to @ct; the return value's meaning is not shown in this excerpt. */
int nf_ct_exts_add(const struct nf_conn *ct, void *ext);
void *nf_ct_exts_get(const struct nf_...
(NF_NAT_HELPER_NAME(name))

struct module;

/*
 * Bit flags kept on a struct nf_conntrack_helper. The names suggest
 * USERSPACE marks a helper implemented outside the kernel and CONFIGURED
 * one that was set up explicitly; neither meaning is established by this
 * excerpt, so confirm against the code that tests the flags before
 * relying on it.
 */
enum nf_ct_helper_flags {
	NF_CT_HELPER_F_USERSPACE	= (1 << 0),
	NF_CT_HELPER_F_CONFIGURED	= (1 << 1),
};

/*
 * Size of the helper name buffer. Whether it already accounts for the
 * terminating NUL is not shown here; every copy into name[] must be
 * bounded by this length.
 */
#define NF_CT_HELPER_NAME_LEN	16

struct nf_conntrack_helper {
	struct hlist_node hnode;		/* Internal use. */
	char name[NF_CT_HELPER_NAME_LEN];	/* name of the ...
目前conntrack扩展有acct,helper,nat三种。它存储在*nf_ct_ext_types[NF_CT_EXT_NUM]全局数组中。 以nf_conntrack_acct为例: /net/netfilter/nf_conntrack_acct.c 初始化 59static struct nf_ct_ext_type acct_extend__read_mostly = { 60.len= sizeof(struct nf_conn_counter[IP_CT_DIR_MAX]), ...
* Helper nf_ct_put() equals nf_conntrack_put() by dec refcnt, * beware nf_ct_get() is different and don't inc refcnt.*/structnf_conntrack ct_general;//对连接的引用计数spinlock_tlock; u16 cpu;/*These are my tuples; original and reply*//*Connection tracking(链接跟踪)用来跟踪、记录...