authorRusty Russell <rusty@rustcorp.com.au>2005-01-16 22:01:26 -0800
committerDavid S. Miller <davem@nuts.davemloft.net>2005-01-16 22:01:26 -0800
commit8d5f3377d48c74df38990688f09e773887ba4eb5 (patch)
tree25465714cf5b26bd8ad9cddd402d6e42b6eb3c09 /include/linux/netfilter_ipv4/ip_nat.h
parentcd79564003e1b16ebc4090d3a2055e30e08898fc (diff)
[NETFILTER]: Remove manip array from conntrack entry
Original patch and multiple bugfixes by Krisztian Kovacs. Now NAT has been simplified, there is only one place to NAT each packet. That means we can intuit what to do by looking at the difference between this packet and the reply we expect, getting rid of the manips[] array in the connection tracking structure, which is 72 bytes. Rework NAT to be based on 'change this packet to make src/dst look like this tuple'. 1) Each protocol's manip_pkt takes a 'struct ip_conntrack_manip', which is half (the source half) of a tuple. Hand the whole desired tuple to the NAT code and have it use the 'maniptype' arg to decide what part to copy. 2) Krisztian points out that we don't need the NAT lock to read the NAT information (or the tuples) as they never change once set, and while being set we have exclusive access. A lock is only needed to deal with the only remaining NAT list: the bysource hash. 3) We don't need to rehash for the bysource hash: it depends on the incoming packet, which we can't change. 4) Many NAT functions only need the maniptype they are to perform, not the actual hook, which makes the code clearer. 5) New status bits to indicate what NAT needs to be done. We can always figure it out by inverting the tuple we expect in the other direction and comparing it, but this is faster. 6) Rename 'do_bindings' to 'nat_packet'. 7) ICMP handling is vastly simplified: we unconditionally change to look the way we want. Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'include/linux/netfilter_ipv4/ip_nat.h')
-rw-r--r--include/linux/netfilter_ipv4/ip_nat.h26
1 files changed, 0 insertions, 26 deletions
diff --git a/include/linux/netfilter_ipv4/ip_nat.h b/include/linux/netfilter_ipv4/ip_nat.h
index c4366280256ae..5018bcfaac54e 100644
--- a/include/linux/netfilter_ipv4/ip_nat.h
+++ b/include/linux/netfilter_ipv4/ip_nat.h
@@ -48,42 +48,16 @@ struct ip_nat_multi_range_compat
struct ip_nat_range range[1];
};
-/* Worst case: local-out manip + 1 post-routing, and reverse dirn. */
-#define IP_NAT_MAX_MANIPS (2*2)
-
-struct ip_nat_info_manip
-{
- /* The direction. */
- u_int8_t direction;
-
- /* Which hook the manipulation happens on. */
- u_int8_t hooknum;
-
- /* The manipulation type. */
- u_int8_t maniptype;
-
- /* Manipulations to occur at each conntrack in this dirn. */
- struct ip_conntrack_manip manip;
-};
-
#ifdef __KERNEL__
#include <linux/list.h>
#include <linux/netfilter_ipv4/lockhelp.h>
-/* Protects NAT hash tables, and NAT-private part of conntracks. */
-DECLARE_RWLOCK_EXTERN(ip_nat_lock);
-
/* The structure embedded in the conntrack structure. */
struct ip_nat_info
{
/* Set to zero when conntrack created: bitmask of maniptypes */
u_int16_t initialized;
- u_int16_t num_manips;
-
- /* Manipulations to be done on this conntrack. */
- struct ip_nat_info_manip manips[IP_NAT_MAX_MANIPS];
-
struct list_head bysource;
/* Helper (NULL if none). */