netfilter: nf_conntrack: add support for "conntrack zones"

[net-next-2.6.git] / net / netfilter / nf_conntrack_expect.c

diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index 6182fb1b55de706b63d45befac0e258436f5558f..acb29ccaa41fd46624754adb794b5d9389a45c3c 100644 (file)
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -27,6 +27,7 @@
 #include <net/netfilter/nf_conntrack_expect.h>
 #include <net/netfilter/nf_conntrack_helper.h>
 #include <net/netfilter/nf_conntrack_tuple.h>
+#include <net/netfilter/nf_conntrack_zones.h>
 
 unsigned int nf_ct_expect_hsize __read_mostly;
 EXPORT_SYMBOL_GPL(nf_ct_expect_hsize);
@@ -84,7 +85,8 @@ static unsigned int nf_ct_expect_dst_hash(const struct nf_conntrack_tuple *tuple
 }
 
 struct nf_conntrack_expect *
-__nf_ct_expect_find(struct net *net, const struct nf_conntrack_tuple *tuple)
+__nf_ct_expect_find(struct net *net, u16 zone,
+                   const struct nf_conntrack_tuple *tuple)
 {
        struct nf_conntrack_expect *i;
        struct hlist_node *n;
@@ -95,7 +97,8 @@ __nf_ct_expect_find(struct net *net, const struct nf_conntrack_tuple *tuple)
 
        h = nf_ct_expect_dst_hash(tuple);
        hlist_for_each_entry_rcu(i, n, &net->ct.expect_hash[h], hnode) {
-               if (nf_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask))
+               if (nf_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask) &&
+                   nf_ct_zone(i->master) == zone)
                        return i;
        }
        return NULL;
@@ -104,12 +107,13 @@ EXPORT_SYMBOL_GPL(__nf_ct_expect_find);
 
 /* Just find a expectation corresponding to a tuple. */
 struct nf_conntrack_expect *
-nf_ct_expect_find_get(struct net *net, const struct nf_conntrack_tuple *tuple)
+nf_ct_expect_find_get(struct net *net, u16 zone,
+                     const struct nf_conntrack_tuple *tuple)
 {
        struct nf_conntrack_expect *i;
 
        rcu_read_lock();
-       i = __nf_ct_expect_find(net, tuple);
+       i = __nf_ct_expect_find(net, zone, tuple);
        if (i && !atomic_inc_not_zero(&i->use))
                i = NULL;
        rcu_read_unlock();
@@ -121,7 +125,8 @@ EXPORT_SYMBOL_GPL(nf_ct_expect_find_get);
 /* If an expectation for this connection is found, it gets delete from
  * global list then returned. */
 struct nf_conntrack_expect *
-nf_ct_find_expectation(struct net *net, const struct nf_conntrack_tuple *tuple)
+nf_ct_find_expectation(struct net *net, u16 zone,
+                      const struct nf_conntrack_tuple *tuple)
 {
        struct nf_conntrack_expect *i, *exp = NULL;
        struct hlist_node *n;
@@ -133,7 +138,8 @@ nf_ct_find_expectation(struct net *net, const struct nf_conntrack_tuple *tuple)
        h = nf_ct_expect_dst_hash(tuple);
        hlist_for_each_entry(i, n, &net->ct.expect_hash[h], hnode) {
                if (!(i->flags & NF_CT_EXPECT_INACTIVE) &&
-                   nf_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask)) {
+                   nf_ct_tuple_mask_cmp(tuple, &i->tuple, &i->mask) &&
+                   nf_ct_zone(i->master) == zone) {
                        exp = i;
                        break;
                }
@@ -204,7 +210,8 @@ static inline int expect_matches(const struct nf_conntrack_expect *a,
 {
        return a->master == b->master && a->class == b->class &&
                nf_ct_tuple_equal(&a->tuple, &b->tuple) &&
-               nf_ct_tuple_mask_equal(&a->mask, &b->mask);
+               nf_ct_tuple_mask_equal(&a->mask, &b->mask) &&
+               nf_ct_zone(a->master) == nf_ct_zone(b->master);
 }
 
 /* Generally a bad idea to call this: could have matched already. */