netfilter: nf_conntrack: add support for "conntrack zones"

[net-next-2.6.git] / net / ipv4 / netfilter / nf_defrag_ipv4.c

diff --git a/net/ipv4/netfilter/nf_defrag_ipv4.c b/net/ipv4/netfilter/nf_defrag_ipv4.c
index fa2d6b6fc3e581524181d88a1402df6289eb42c8..d498a704d456b1300ddec6a0d4a81c78dc8062eb 100644 (file)
--- a/net/ipv4/netfilter/nf_defrag_ipv4.c
+++ b/net/ipv4/netfilter/nf_defrag_ipv4.c
@@ -14,8 +14,11 @@
 #include <net/route.h>
 #include <net/ip.h>
 
+#include <linux/netfilter_bridge.h>
 #include <linux/netfilter_ipv4.h>
+#include <net/netfilter/nf_conntrack_zones.h>
 #include <net/netfilter/ipv4/nf_defrag_ipv4.h>
+#include <net/netfilter/nf_conntrack.h>
 
 /* Returns new sk_buff, or NULL */
 static int nf_ct_ipv4_gather_frags(struct sk_buff *skb, u_int32_t user)
@@ -34,6 +37,25 @@ static int nf_ct_ipv4_gather_frags(struct sk_buff *skb, u_int32_t user)
        return err;
 }
 
+static enum ip_defrag_users nf_ct_defrag_user(unsigned int hooknum,
+                                             struct sk_buff *skb)
+{
+       u16 zone = NF_CT_DEFAULT_ZONE;
+
+       if (skb->nfct)
+               zone = nf_ct_zone((struct nf_conn *)skb->nfct);
+
+#ifdef CONFIG_BRIDGE_NETFILTER
+       if (skb->nf_bridge &&
+           skb->nf_bridge->mask & BRNF_NF_BRIDGE_PREROUTING)
+               return IP_DEFRAG_CONNTRACK_BRIDGE_IN + zone;
+#endif
+       if (hooknum == NF_INET_PRE_ROUTING)
+               return IP_DEFRAG_CONNTRACK_IN + zone;
+       else
+               return IP_DEFRAG_CONNTRACK_OUT + zone;
+}
+
 static unsigned int ipv4_conntrack_defrag(unsigned int hooknum,
                                          struct sk_buff *skb,
                                          const struct net_device *in,
@@ -44,16 +66,14 @@ static unsigned int ipv4_conntrack_defrag(unsigned int hooknum,
 #if !defined(CONFIG_NF_NAT) && !defined(CONFIG_NF_NAT_MODULE)
        /* Previously seen (loopback)?  Ignore.  Do this before
           fragment check. */
-       if (skb->nfct)
+       if (skb->nfct && !nf_ct_is_template((struct nf_conn *)skb->nfct))
                return NF_ACCEPT;
 #endif
 #endif
        /* Gather fragments. */
        if (ip_hdr(skb)->frag_off & htons(IP_MF | IP_OFFSET)) {
-               if (nf_ct_ipv4_gather_frags(skb,
-                                           hooknum == NF_INET_PRE_ROUTING ?
-                                           IP_DEFRAG_CONNTRACK_IN :
-                                           IP_DEFRAG_CONNTRACK_OUT))
+               enum ip_defrag_users user = nf_ct_defrag_user(hooknum, skb);
+               if (nf_ct_ipv4_gather_frags(skb, user))
                        return NF_STOLEN;
        }
        return NF_ACCEPT;