Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6
@@ -81,19 +81,7 @@ static inline int arp_devaddr_compare(const struct arpt_devaddr_info *ap,
|
||||
static unsigned long ifname_compare(const char *_a, const char *_b, const char *_mask)
|
||||
{
|
||||
#ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
|
||||
const unsigned long *a = (const unsigned long *)_a;
|
||||
const unsigned long *b = (const unsigned long *)_b;
|
||||
const unsigned long *mask = (const unsigned long *)_mask;
|
||||
unsigned long ret;
|
||||
|
||||
ret = (a[0] ^ b[0]) & mask[0];
|
||||
if (IFNAMSIZ > sizeof(unsigned long))
|
||||
ret |= (a[1] ^ b[1]) & mask[1];
|
||||
if (IFNAMSIZ > 2 * sizeof(unsigned long))
|
||||
ret |= (a[2] ^ b[2]) & mask[2];
|
||||
if (IFNAMSIZ > 3 * sizeof(unsigned long))
|
||||
ret |= (a[3] ^ b[3]) & mask[3];
|
||||
BUILD_BUG_ON(IFNAMSIZ > 4 * sizeof(unsigned long));
|
||||
unsigned long ret = ifname_compare_aligned(_a, _b, _mask);
|
||||
#else
|
||||
unsigned long ret = 0;
|
||||
const u16 *a = (const u16 *)_a;
|
||||
@@ -404,7 +392,9 @@ static int mark_source_chains(struct xt_table_info *newinfo,
|
||||
&& unconditional(&e->arp)) || visited) {
|
||||
unsigned int oldpos, size;
|
||||
|
||||
if (t->verdict < -NF_MAX_VERDICT - 1) {
|
||||
if ((strcmp(t->target.u.user.name,
|
||||
ARPT_STANDARD_TARGET) == 0) &&
|
||||
t->verdict < -NF_MAX_VERDICT - 1) {
|
||||
duprintf("mark_source_chains: bad "
|
||||
"negative verdict (%i)\n",
|
||||
t->verdict);
|
||||
|
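Review bot: The new condition in mark_source_chains range-checks `t->verdict` only when the target name equals ARPT_STANDARD_TARGET, and nothing in the hunk says why other targets are exempt. Presumably the verdict field is only meaningful for the standard target and holds target-private data otherwise, but that is inferred and should be confirmed, since this check is what rejects an out-of-range negative verdict. A comment above the `if`, such as `/* verdict is only defined for the standard target; other targets keep their own data here */`, would record the reason. The same change appears in the ip_tables hunk at -507 with IPT_STANDARD_TARGET; in both places the function starts and ends outside the hunk.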
@@ -74,25 +74,6 @@ do { \
|
||||
|
||||
Hence the start of any table is given by get_table() below. */
|
||||
|
||||
static unsigned long ifname_compare(const char *_a, const char *_b,
|
||||
const unsigned char *_mask)
|
||||
{
|
||||
const unsigned long *a = (const unsigned long *)_a;
|
||||
const unsigned long *b = (const unsigned long *)_b;
|
||||
const unsigned long *mask = (const unsigned long *)_mask;
|
||||
unsigned long ret;
|
||||
|
||||
ret = (a[0] ^ b[0]) & mask[0];
|
||||
if (IFNAMSIZ > sizeof(unsigned long))
|
||||
ret |= (a[1] ^ b[1]) & mask[1];
|
||||
if (IFNAMSIZ > 2 * sizeof(unsigned long))
|
||||
ret |= (a[2] ^ b[2]) & mask[2];
|
||||
if (IFNAMSIZ > 3 * sizeof(unsigned long))
|
||||
ret |= (a[3] ^ b[3]) & mask[3];
|
||||
BUILD_BUG_ON(IFNAMSIZ > 4 * sizeof(unsigned long));
|
||||
return ret;
|
||||
}
|
||||
|
||||
/* Returns whether matches rule or not. */
|
||||
/* Performance critical - called for every packet */
|
||||
static inline bool
|
||||
@@ -121,7 +102,7 @@ ip_packet_match(const struct iphdr *ip,
|
||||
return false;
|
||||
}
|
||||
|
||||
ret = ifname_compare(indev, ipinfo->iniface, ipinfo->iniface_mask);
|
||||
ret = ifname_compare_aligned(indev, ipinfo->iniface, ipinfo->iniface_mask);
|
||||
|
||||
if (FWINV(ret != 0, IPT_INV_VIA_IN)) {
|
||||
dprintf("VIA in mismatch (%s vs %s).%s\n",
|
||||
@@ -130,7 +111,7 @@ ip_packet_match(const struct iphdr *ip,
|
||||
return false;
|
||||
}
|
||||
|
||||
ret = ifname_compare(outdev, ipinfo->outiface, ipinfo->outiface_mask);
|
||||
ret = ifname_compare_aligned(outdev, ipinfo->outiface, ipinfo->outiface_mask);
|
||||
|
||||
if (FWINV(ret != 0, IPT_INV_VIA_OUT)) {
|
||||
dprintf("VIA out mismatch (%s vs %s).%s\n",
|
||||
@@ -507,7 +488,9 @@ mark_source_chains(struct xt_table_info *newinfo,
|
||||
&& unconditional(&e->ip)) || visited) {
|
||||
unsigned int oldpos, size;
|
||||
|
||||
if (t->verdict < -NF_MAX_VERDICT - 1) {
|
||||
if ((strcmp(t->target.u.user.name,
|
||||
IPT_STANDARD_TARGET) == 0) &&
|
||||
t->verdict < -NF_MAX_VERDICT - 1) {
|
||||
duprintf("mark_source_chains: bad "
|
||||
"negative verdict (%i)\n",
|
||||
t->verdict);
|
||||
|
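Review bot: Both interface-name checks in ip_packet_match now call `ifname_compare_aligned(indev, ...)` and `ifname_compare_aligned(outdev, ...)` unconditionally, whereas the arp_tables variant on this page only uses that helper under CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS. The removed local ifname_compare did the same word-wise loads, so this is not new behaviour, but the precondition is no longer visible at the call site: presumably every buffer passed in must be long-aligned and at least IFNAMSIZ bytes. I would add `/* indev/outdev and the rule's iface and mask must be long-aligned, IFNAMSIZ-byte buffers */` above the first call. It is also worth confirming that any placeholder name used when a device is absent meets that precondition. ip_packet_match starts and ends outside these hunks.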
@@ -328,6 +328,11 @@ static int ipv4_nlattr_to_tuple(struct nlattr *tb[],
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int ipv4_nlattr_tuple_size(void)
|
||||
{
|
||||
return nla_policy_len(ipv4_nla_policy, CTA_IP_MAX + 1);
|
||||
}
|
||||
#endif
|
||||
|
||||
static struct nf_sockopt_ops so_getorigdst = {
|
||||
@@ -347,6 +352,7 @@ struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv4 __read_mostly = {
|
||||
.get_l4proto = ipv4_get_l4proto,
|
||||
#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
|
||||
.tuple_to_nlattr = ipv4_tuple_to_nlattr,
|
||||
.nlattr_tuple_size = ipv4_nlattr_tuple_size,
|
||||
.nlattr_to_tuple = ipv4_nlattr_to_tuple,
|
||||
.nla_policy = ipv4_nla_policy,
|
||||
#endif
|
||||
|
@@ -25,40 +25,42 @@ struct ct_iter_state {
|
||||
unsigned int bucket;
|
||||
};
|
||||
|
||||
static struct hlist_node *ct_get_first(struct seq_file *seq)
|
||||
static struct hlist_nulls_node *ct_get_first(struct seq_file *seq)
|
||||
{
|
||||
struct net *net = seq_file_net(seq);
|
||||
struct ct_iter_state *st = seq->private;
|
||||
struct hlist_node *n;
|
||||
struct hlist_nulls_node *n;
|
||||
|
||||
for (st->bucket = 0;
|
||||
st->bucket < nf_conntrack_htable_size;
|
||||
st->bucket++) {
|
||||
n = rcu_dereference(net->ct.hash[st->bucket].first);
|
||||
if (n)
|
||||
if (!is_a_nulls(n))
|
||||
return n;
|
||||
}
|
||||
return NULL;
|
||||
}
|
||||
|
||||
static struct hlist_node *ct_get_next(struct seq_file *seq,
|
||||
struct hlist_node *head)
|
||||
static struct hlist_nulls_node *ct_get_next(struct seq_file *seq,
|
||||
struct hlist_nulls_node *head)
|
||||
{
|
||||
struct net *net = seq_file_net(seq);
|
||||
struct ct_iter_state *st = seq->private;
|
||||
|
||||
head = rcu_dereference(head->next);
|
||||
while (head == NULL) {
|
||||
if (++st->bucket >= nf_conntrack_htable_size)
|
||||
return NULL;
|
||||
while (is_a_nulls(head)) {
|
||||
if (likely(get_nulls_value(head) == st->bucket)) {
|
||||
if (++st->bucket >= nf_conntrack_htable_size)
|
||||
return NULL;
|
||||
}
|
||||
head = rcu_dereference(net->ct.hash[st->bucket].first);
|
||||
}
|
||||
return head;
|
||||
}
|
||||
|
||||
static struct hlist_node *ct_get_idx(struct seq_file *seq, loff_t pos)
|
||||
static struct hlist_nulls_node *ct_get_idx(struct seq_file *seq, loff_t pos)
|
||||
{
|
||||
struct hlist_node *head = ct_get_first(seq);
|
||||
struct hlist_nulls_node *head = ct_get_first(seq);
|
||||
|
||||
if (head)
|
||||
while (pos && (head = ct_get_next(seq, head)))
|
||||
@@ -87,69 +89,76 @@ static void ct_seq_stop(struct seq_file *s, void *v)
|
||||
|
||||
static int ct_seq_show(struct seq_file *s, void *v)
|
||||
{
|
||||
const struct nf_conntrack_tuple_hash *hash = v;
|
||||
const struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(hash);
|
||||
struct nf_conntrack_tuple_hash *hash = v;
|
||||
struct nf_conn *ct = nf_ct_tuplehash_to_ctrack(hash);
|
||||
const struct nf_conntrack_l3proto *l3proto;
|
||||
const struct nf_conntrack_l4proto *l4proto;
|
||||
int ret = 0;
|
||||
|
||||
NF_CT_ASSERT(ct);
|
||||
if (unlikely(!atomic_inc_not_zero(&ct->ct_general.use)))
|
||||
return 0;
|
||||
|
||||
|
||||
/* we only want to print DIR_ORIGINAL */
|
||||
if (NF_CT_DIRECTION(hash))
|
||||
return 0;
|
||||
goto release;
|
||||
if (nf_ct_l3num(ct) != AF_INET)
|
||||
return 0;
|
||||
goto release;
|
||||
|
||||
l3proto = __nf_ct_l3proto_find(nf_ct_l3num(ct));
|
||||
NF_CT_ASSERT(l3proto);
|
||||
l4proto = __nf_ct_l4proto_find(nf_ct_l3num(ct), nf_ct_protonum(ct));
|
||||
NF_CT_ASSERT(l4proto);
|
||||
|
||||
ret = -ENOSPC;
|
||||
if (seq_printf(s, "%-8s %u %ld ",
|
||||
l4proto->name, nf_ct_protonum(ct),
|
||||
timer_pending(&ct->timeout)
|
||||
? (long)(ct->timeout.expires - jiffies)/HZ : 0) != 0)
|
||||
return -ENOSPC;
|
||||
goto release;
|
||||
|
||||
if (l4proto->print_conntrack && l4proto->print_conntrack(s, ct))
|
||||
return -ENOSPC;
|
||||
goto release;
|
||||
|
||||
if (print_tuple(s, &ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple,
|
||||
l3proto, l4proto))
|
||||
return -ENOSPC;
|
||||
goto release;
|
||||
|
||||
if (seq_print_acct(s, ct, IP_CT_DIR_ORIGINAL))
|
||||
return -ENOSPC;
|
||||
goto release;
|
||||
|
||||
if (!(test_bit(IPS_SEEN_REPLY_BIT, &ct->status)))
|
||||
if (seq_printf(s, "[UNREPLIED] "))
|
||||
return -ENOSPC;
|
||||
goto release;
|
||||
|
||||
if (print_tuple(s, &ct->tuplehash[IP_CT_DIR_REPLY].tuple,
|
||||
l3proto, l4proto))
|
||||
return -ENOSPC;
|
||||
goto release;
|
||||
|
||||
if (seq_print_acct(s, ct, IP_CT_DIR_REPLY))
|
||||
return -ENOSPC;
|
||||
goto release;
|
||||
|
||||
if (test_bit(IPS_ASSURED_BIT, &ct->status))
|
||||
if (seq_printf(s, "[ASSURED] "))
|
||||
return -ENOSPC;
|
||||
goto release;
|
||||
|
||||
#ifdef CONFIG_NF_CONNTRACK_MARK
|
||||
if (seq_printf(s, "mark=%u ", ct->mark))
|
||||
return -ENOSPC;
|
||||
goto release;
|
||||
#endif
|
||||
|
||||
#ifdef CONFIG_NF_CONNTRACK_SECMARK
|
||||
if (seq_printf(s, "secmark=%u ", ct->secmark))
|
||||
return -ENOSPC;
|
||||
goto release;
|
||||
#endif
|
||||
|
||||
if (seq_printf(s, "use=%u\n", atomic_read(&ct->ct_general.use)))
|
||||
return -ENOSPC;
|
||||
|
||||
return 0;
|
||||
goto release;
|
||||
ret = 0;
|
||||
release:
|
||||
nf_ct_put(ct);
|
||||
return ret;
|
||||
}
|
||||
|
||||
static const struct seq_operations ct_seq_ops = {
|
||||
|
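Review bot: ct_seq_show now takes its own reference with `atomic_inc_not_zero(&ct->ct_general.use)` before printing, so the `use=%u` field emitted near the end includes that temporary reference and reads one higher than the entry's count outside the dump. Anything that parses this output to reason about reference counts sees the inflated value; a comment at the `seq_printf(s, "use=%u\n", ...)` line, e.g. `/* count includes the reference taken at the top of this function */`, would make that explicit. It would also help to say next to the early `return 0` why an entry whose count is already zero is skipped silently. Presumably such an entry is being freed while the list is walked under RCU, but the hunk does not say so.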
@@ -262,6 +262,11 @@ static int icmp_nlattr_to_tuple(struct nlattr *tb[],
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int icmp_nlattr_tuple_size(void)
|
||||
{
|
||||
return nla_policy_len(icmp_nla_policy, CTA_PROTO_MAX + 1);
|
||||
}
|
||||
#endif
|
||||
|
||||
#ifdef CONFIG_SYSCTL
|
||||
@@ -309,6 +314,7 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp __read_mostly =
|
||||
.me = NULL,
|
||||
#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
|
||||
.tuple_to_nlattr = icmp_tuple_to_nlattr,
|
||||
.nlattr_tuple_size = icmp_nlattr_tuple_size,
|
||||
.nlattr_to_tuple = icmp_nlattr_to_tuple,
|
||||
.nla_policy = icmp_nla_policy,
|
||||
#endif
|
||||
|
@@ -679,7 +679,7 @@ nfnetlink_parse_nat_setup(struct nf_conn *ct,
|
||||
static int __net_init nf_nat_net_init(struct net *net)
|
||||
{
|
||||
net->ipv4.nat_bysource = nf_ct_alloc_hashtable(&nf_nat_htable_size,
|
||||
&net->ipv4.nat_vmalloced);
|
||||
&net->ipv4.nat_vmalloced, 0);
|
||||
if (!net->ipv4.nat_bysource)
|
||||
return -ENOMEM;
|
||||
return 0;
|
||||
|
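Review bot: The third argument added to the nf_ct_alloc_hashtable call in nf_nat_net_init is a bare `0`, and the hunk gives no hint of what it selects. Given the hlist_nulls conversion elsewhere on this page it presumably asks for plain list heads without nulls markers for the NAT table, but that is inferred from context. Once confirmed, a short comment such as `/* 0: plain hlist heads, no nulls markers */` would save a reader from opening the allocator to check. The function's closing brace is outside the hunk.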