Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6
@@ -1259,7 +1259,7 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb,
|
||||
struct ip_vs_iphdr iph;
|
||||
struct ip_vs_protocol *pp;
|
||||
struct ip_vs_conn *cp;
|
||||
int ret, restart, af;
|
||||
int ret, restart, af, pkts;
|
||||
|
||||
af = (skb->protocol == htons(ETH_P_IP)) ? AF_INET : AF_INET6;
|
||||
|
||||
@@ -1277,13 +1277,24 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb,
|
||||
return NF_ACCEPT;
|
||||
}
|
||||
|
||||
if (unlikely(iph.protocol == IPPROTO_ICMP)) {
|
||||
int related, verdict = ip_vs_in_icmp(skb, &related, hooknum);
|
||||
#ifdef CONFIG_IP_VS_IPV6
|
||||
if (af == AF_INET6) {
|
||||
if (unlikely(iph.protocol == IPPROTO_ICMPV6)) {
|
||||
int related, verdict = ip_vs_in_icmp_v6(skb, &related, hooknum);
|
||||
|
||||
if (related)
|
||||
return verdict;
|
||||
ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
|
||||
}
|
||||
if (related)
|
||||
return verdict;
|
||||
ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
|
||||
}
|
||||
} else
|
||||
#endif
|
||||
if (unlikely(iph.protocol == IPPROTO_ICMP)) {
|
||||
int related, verdict = ip_vs_in_icmp(skb, &related, hooknum);
|
||||
|
||||
if (related)
|
||||
return verdict;
|
||||
ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
|
||||
}
|
||||
|
||||
/* Protocol supported? */
|
||||
pp = ip_vs_proto_get(iph.protocol);
|
||||
@@ -1346,12 +1357,12 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb,
|
||||
* Sync connection if it is about to close to
|
||||
* encorage the standby servers to update the connections timeout
|
||||
*/
|
||||
atomic_inc(&cp->in_pkts);
|
||||
pkts = atomic_add_return(1, &cp->in_pkts);
|
||||
if (af == AF_INET &&
|
||||
(ip_vs_sync_state & IP_VS_STATE_MASTER) &&
|
||||
(((cp->protocol != IPPROTO_TCP ||
|
||||
cp->state == IP_VS_TCP_S_ESTABLISHED) &&
|
||||
(atomic_read(&cp->in_pkts) % sysctl_ip_vs_sync_threshold[1]
|
||||
(pkts % sysctl_ip_vs_sync_threshold[1]
|
||||
== sysctl_ip_vs_sync_threshold[0])) ||
|
||||
((cp->protocol == IPPROTO_TCP) && (cp->old_state != cp->state) &&
|
||||
((cp->state == IP_VS_TCP_S_FIN_WAIT) ||
|
||||
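Review bot: The rewritten threshold test `pkts % sysctl_ip_vs_sync_threshold[1]` in the third hunk still divides by a sysctl-controlled value; if that sysctl can be set to 0 from userspace (its range limits are not visible here), this is a divide-by-zero on the packet receive path, so it should be range-limited at the sysctl table or guarded, e.g. `sysctl_ip_vs_sync_threshold[1] && (pkts % sysctl_ip_vs_sync_threshold[1] == sysctl_ip_vs_sync_threshold[0])`. The switch from `atomic_inc` plus `atomic_read` to `atomic_add_return` does close the window where two CPUs observed the same `in_pkts` value and both (or neither) synced. `pkts` is a signed `int`, so after 2^31 packets on one connection the remainder goes negative and the equality never holds until the counter wraps again; harmless, but worth a one-line comment next to the declaration. ip_vs_in's body begins before the first hunk and ends after the last one.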
|
@@ -77,11 +77,12 @@ static int ip_vs_wrr_gcd_weight(struct ip_vs_service *svc)
|
||||
static int ip_vs_wrr_max_weight(struct ip_vs_service *svc)
|
||||
{
|
||||
struct ip_vs_dest *dest;
|
||||
int weight = 0;
|
||||
int new_weight, weight = 0;
|
||||
|
||||
list_for_each_entry(dest, &svc->destinations, n_list) {
|
||||
if (atomic_read(&dest->weight) > weight)
|
||||
weight = atomic_read(&dest->weight);
|
||||
new_weight = atomic_read(&dest->weight);
|
||||
if (new_weight > weight)
|
||||
weight = new_weight;
|
||||
}
|
||||
|
||||
return weight;
|
||||
|
@@ -47,7 +47,7 @@
|
||||
|
||||
int (*nfnetlink_parse_nat_setup_hook)(struct nf_conn *ct,
|
||||
enum nf_nat_manip_type manip,
|
||||
struct nlattr *attr) __read_mostly;
|
||||
const struct nlattr *attr) __read_mostly;
|
||||
EXPORT_SYMBOL_GPL(nfnetlink_parse_nat_setup_hook);
|
||||
|
||||
DEFINE_SPINLOCK(nf_conntrack_lock);
|
||||
@@ -1089,14 +1089,14 @@ void nf_conntrack_flush_report(struct net *net, u32 pid, int report)
|
||||
}
|
||||
EXPORT_SYMBOL_GPL(nf_conntrack_flush_report);
|
||||
|
||||
static void nf_ct_release_dying_list(void)
|
||||
static void nf_ct_release_dying_list(struct net *net)
|
||||
{
|
||||
struct nf_conntrack_tuple_hash *h;
|
||||
struct nf_conn *ct;
|
||||
struct hlist_nulls_node *n;
|
||||
|
||||
spin_lock_bh(&nf_conntrack_lock);
|
||||
hlist_nulls_for_each_entry(h, n, &init_net.ct.dying, hnnode) {
|
||||
hlist_nulls_for_each_entry(h, n, &net->ct.dying, hnnode) {
|
||||
ct = nf_ct_tuplehash_to_ctrack(h);
|
||||
/* never fails to remove them, no listeners at this point */
|
||||
nf_ct_kill(ct);
|
||||
@@ -1115,7 +1115,7 @@ static void nf_conntrack_cleanup_net(struct net *net)
|
||||
{
|
||||
i_see_dead_people:
|
||||
nf_ct_iterate_cleanup(net, kill_all, NULL);
|
||||
nf_ct_release_dying_list();
|
||||
nf_ct_release_dying_list(net);
|
||||
if (atomic_read(&net->ct.count) != 0) {
|
||||
schedule();
|
||||
goto i_see_dead_people;
|
||||
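Review bot: `nf_ct_release_dying_list` gains a `net` parameter but no comment states its contract; it walks `net->ct.dying` under the global `nf_conntrack_lock` and calls `nf_ct_kill` on every entry without checking the result, relying on the inline remark that no listeners exist. Surface that at the signature with `/* Kill every conntrack still on this netns's dying list; only valid during netns teardown, when no event listeners remain to veto the kill. */`. The second hunk's `goto i_see_dead_people` loop is the only caller visible here, and it confirms the teardown-only assumption. Both function bodies continue past their hunks.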
|
@@ -704,7 +704,8 @@ ctnetlink_parse_tuple_proto(struct nlattr *attr,
|
||||
}
|
||||
|
||||
static int
|
||||
ctnetlink_parse_tuple(struct nlattr *cda[], struct nf_conntrack_tuple *tuple,
|
||||
ctnetlink_parse_tuple(const struct nlattr * const cda[],
|
||||
struct nf_conntrack_tuple *tuple,
|
||||
enum ctattr_tuple type, u_int8_t l3num)
|
||||
{
|
||||
struct nlattr *tb[CTA_TUPLE_MAX+1];
|
||||
@@ -740,7 +741,7 @@ ctnetlink_parse_tuple(struct nlattr *cda[], struct nf_conntrack_tuple *tuple,
|
||||
}
|
||||
|
||||
static inline int
|
||||
ctnetlink_parse_help(struct nlattr *attr, char **helper_name)
|
||||
ctnetlink_parse_help(const struct nlattr *attr, char **helper_name)
|
||||
{
|
||||
struct nlattr *tb[CTA_HELP_MAX+1];
|
||||
|
||||
@@ -764,7 +765,8 @@ static const struct nla_policy ct_nla_policy[CTA_MAX+1] = {
|
||||
|
||||
static int
|
||||
ctnetlink_del_conntrack(struct sock *ctnl, struct sk_buff *skb,
|
||||
struct nlmsghdr *nlh, struct nlattr *cda[])
|
||||
const struct nlmsghdr *nlh,
|
||||
const struct nlattr * const cda[])
|
||||
{
|
||||
struct nf_conntrack_tuple_hash *h;
|
||||
struct nf_conntrack_tuple tuple;
|
||||
@@ -823,7 +825,8 @@ ctnetlink_del_conntrack(struct sock *ctnl, struct sk_buff *skb,
|
||||
|
||||
static int
|
||||
ctnetlink_get_conntrack(struct sock *ctnl, struct sk_buff *skb,
|
||||
struct nlmsghdr *nlh, struct nlattr *cda[])
|
||||
const struct nlmsghdr *nlh,
|
||||
const struct nlattr * const cda[])
|
||||
{
|
||||
struct nf_conntrack_tuple_hash *h;
|
||||
struct nf_conntrack_tuple tuple;
|
||||
@@ -884,7 +887,7 @@ out:
|
||||
static int
|
||||
ctnetlink_parse_nat_setup(struct nf_conn *ct,
|
||||
enum nf_nat_manip_type manip,
|
||||
struct nlattr *attr)
|
||||
const struct nlattr *attr)
|
||||
{
|
||||
typeof(nfnetlink_parse_nat_setup_hook) parse_nat_setup;
|
||||
|
||||
@@ -914,7 +917,7 @@ ctnetlink_parse_nat_setup(struct nf_conn *ct,
|
||||
#endif
|
||||
|
||||
static int
|
||||
ctnetlink_change_status(struct nf_conn *ct, struct nlattr *cda[])
|
||||
ctnetlink_change_status(struct nf_conn *ct, const struct nlattr * const cda[])
|
||||
{
|
||||
unsigned long d;
|
||||
unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS]));
|
||||
@@ -940,7 +943,7 @@ ctnetlink_change_status(struct nf_conn *ct, struct nlattr *cda[])
|
||||
}
|
||||
|
||||
static int
|
||||
ctnetlink_change_nat(struct nf_conn *ct, struct nlattr *cda[])
|
||||
ctnetlink_change_nat(struct nf_conn *ct, const struct nlattr * const cda[])
|
||||
{
|
||||
#ifdef CONFIG_NF_NAT_NEEDED
|
||||
int ret;
|
||||
@@ -966,7 +969,7 @@ ctnetlink_change_nat(struct nf_conn *ct, struct nlattr *cda[])
|
||||
}
|
||||
|
||||
static inline int
|
||||
ctnetlink_change_helper(struct nf_conn *ct, struct nlattr *cda[])
|
||||
ctnetlink_change_helper(struct nf_conn *ct, const struct nlattr * const cda[])
|
||||
{
|
||||
struct nf_conntrack_helper *helper;
|
||||
struct nf_conn_help *help = nfct_help(ct);
|
||||
@@ -1028,7 +1031,7 @@ ctnetlink_change_helper(struct nf_conn *ct, struct nlattr *cda[])
|
||||
}
|
||||
|
||||
static inline int
|
||||
ctnetlink_change_timeout(struct nf_conn *ct, struct nlattr *cda[])
|
||||
ctnetlink_change_timeout(struct nf_conn *ct, const struct nlattr * const cda[])
|
||||
{
|
||||
u_int32_t timeout = ntohl(nla_get_be32(cda[CTA_TIMEOUT]));
|
||||
|
||||
@@ -1042,9 +1045,10 @@ ctnetlink_change_timeout(struct nf_conn *ct, struct nlattr *cda[])
|
||||
}
|
||||
|
||||
static inline int
|
||||
ctnetlink_change_protoinfo(struct nf_conn *ct, struct nlattr *cda[])
|
||||
ctnetlink_change_protoinfo(struct nf_conn *ct, const struct nlattr * const cda[])
|
||||
{
|
||||
struct nlattr *tb[CTA_PROTOINFO_MAX+1], *attr = cda[CTA_PROTOINFO];
|
||||
const struct nlattr *attr = cda[CTA_PROTOINFO];
|
||||
struct nlattr *tb[CTA_PROTOINFO_MAX+1];
|
||||
struct nf_conntrack_l4proto *l4proto;
|
||||
int err = 0;
|
||||
|
||||
@@ -1061,7 +1065,7 @@ ctnetlink_change_protoinfo(struct nf_conn *ct, struct nlattr *cda[])
|
||||
|
||||
#ifdef CONFIG_NF_NAT_NEEDED
|
||||
static inline int
|
||||
change_nat_seq_adj(struct nf_nat_seq *natseq, struct nlattr *attr)
|
||||
change_nat_seq_adj(struct nf_nat_seq *natseq, const struct nlattr * const attr)
|
||||
{
|
||||
struct nlattr *cda[CTA_NAT_SEQ_MAX+1];
|
||||
|
||||
@@ -1089,7 +1093,8 @@ change_nat_seq_adj(struct nf_nat_seq *natseq, struct nlattr *attr)
|
||||
}
|
||||
|
||||
static int
|
||||
ctnetlink_change_nat_seq_adj(struct nf_conn *ct, struct nlattr *cda[])
|
||||
ctnetlink_change_nat_seq_adj(struct nf_conn *ct,
|
||||
const struct nlattr * const cda[])
|
||||
{
|
||||
int ret = 0;
|
||||
struct nf_conn_nat *nat = nfct_nat(ct);
|
||||
@@ -1120,7 +1125,8 @@ ctnetlink_change_nat_seq_adj(struct nf_conn *ct, struct nlattr *cda[])
|
||||
#endif
|
||||
|
||||
static int
|
||||
ctnetlink_change_conntrack(struct nf_conn *ct, struct nlattr *cda[])
|
||||
ctnetlink_change_conntrack(struct nf_conn *ct,
|
||||
const struct nlattr * const cda[])
|
||||
{
|
||||
int err;
|
||||
|
||||
@@ -1169,7 +1175,7 @@ ctnetlink_change_conntrack(struct nf_conn *ct, struct nlattr *cda[])
|
||||
}
|
||||
|
||||
static struct nf_conn *
|
||||
ctnetlink_create_conntrack(struct nlattr *cda[],
|
||||
ctnetlink_create_conntrack(const struct nlattr * const cda[],
|
||||
struct nf_conntrack_tuple *otuple,
|
||||
struct nf_conntrack_tuple *rtuple,
|
||||
u8 u3)
|
||||
@@ -1304,7 +1310,8 @@ err1:
|
||||
|
||||
static int
|
||||
ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
|
||||
struct nlmsghdr *nlh, struct nlattr *cda[])
|
||||
const struct nlmsghdr *nlh,
|
||||
const struct nlattr * const cda[])
|
||||
{
|
||||
struct nf_conntrack_tuple otuple, rtuple;
|
||||
struct nf_conntrack_tuple_hash *h = NULL;
|
||||
@@ -1629,7 +1636,8 @@ static const struct nla_policy exp_nla_policy[CTA_EXPECT_MAX+1] = {
|
||||
|
||||
static int
|
||||
ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb,
|
||||
struct nlmsghdr *nlh, struct nlattr *cda[])
|
||||
const struct nlmsghdr *nlh,
|
||||
const struct nlattr * const cda[])
|
||||
{
|
||||
struct nf_conntrack_tuple tuple;
|
||||
struct nf_conntrack_expect *exp;
|
||||
@@ -1689,7 +1697,8 @@ out:
|
||||
|
||||
static int
|
||||
ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb,
|
||||
struct nlmsghdr *nlh, struct nlattr *cda[])
|
||||
const struct nlmsghdr *nlh,
|
||||
const struct nlattr * const cda[])
|
||||
{
|
||||
struct nf_conntrack_expect *exp;
|
||||
struct nf_conntrack_tuple tuple;
|
||||
@@ -1767,13 +1776,15 @@ ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb,
|
||||
return 0;
|
||||
}
|
||||
static int
|
||||
ctnetlink_change_expect(struct nf_conntrack_expect *x, struct nlattr *cda[])
|
||||
ctnetlink_change_expect(struct nf_conntrack_expect *x,
|
||||
const struct nlattr * const cda[])
|
||||
{
|
||||
return -EOPNOTSUPP;
|
||||
}
|
||||
|
||||
static int
|
||||
ctnetlink_create_expect(struct nlattr *cda[], u_int8_t u3, u32 pid, int report)
|
||||
ctnetlink_create_expect(const struct nlattr * const cda[], u_int8_t u3,
|
||||
u32 pid, int report)
|
||||
{
|
||||
struct nf_conntrack_tuple tuple, mask, master_tuple;
|
||||
struct nf_conntrack_tuple_hash *h = NULL;
|
||||
@@ -1831,7 +1842,8 @@ out:
|
||||
|
||||
static int
|
||||
ctnetlink_new_expect(struct sock *ctnl, struct sk_buff *skb,
|
||||
struct nlmsghdr *nlh, struct nlattr *cda[])
|
||||
const struct nlmsghdr *nlh,
|
||||
const struct nlattr * const cda[])
|
||||
{
|
||||
struct nf_conntrack_tuple tuple;
|
||||
struct nf_conntrack_expect *exp;
|
||||
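Review bot: `change_nat_seq_adj` now takes `const struct nlattr * const attr`, while the sibling helpers constified in this same file (`ctnetlink_parse_help`, `ctnetlink_parse_nat_setup`) take `const struct nlattr *attr`; the extra top-level const on a by-value pointer parameter is a definition-only detail and is inconsistent here, so `change_nat_seq_adj(struct nf_nat_seq *natseq, const struct nlattr *attr)` would match the rest. The `cda[]` parameters are right to use `const struct nlattr * const cda[]`, since an array-of-pointers parameter needs both levels qualified to stop writes through the table. Every function touched in this section has its body extending beyond the hunk shown.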
|
@@ -170,7 +170,7 @@ replay:
|
||||
if (err < 0)
|
||||
return err;
|
||||
|
||||
err = nc->call(nfnl, skb, nlh, cda);
|
||||
err = nc->call(nfnl, skb, nlh, (const struct nlattr **)cda);
|
||||
if (err == -EAGAIN)
|
||||
goto replay;
|
||||
return err;
|
||||
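Review bot: The cast `(const struct nlattr **)cda` on the `nc->call` line does not name the callback's actual parameter type, which in the converted handlers is `const struct nlattr * const cda[]`; casting to exactly that, `err = nc->call(nfnl, skb, nlh, (const struct nlattr * const *)cda);`, keeps the compiler checking that `cda` really is an array of `struct nlattr *` instead of letting the cast paper over a later type change. The cast is needed at all only because C does not implicitly add qualifiers below the first pointer level, and a one-line comment saying so would stop a future cleanup from "simplifying" it away. The enclosing function starts before and ends after this hunk.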
|
@@ -694,7 +694,8 @@ static struct notifier_block nfulnl_rtnl_notifier = {
|
||||
|
||||
static int
|
||||
nfulnl_recv_unsupp(struct sock *ctnl, struct sk_buff *skb,
|
||||
struct nlmsghdr *nlh, struct nlattr *nfqa[])
|
||||
const struct nlmsghdr *nlh,
|
||||
const struct nlattr * const nfqa[])
|
||||
{
|
||||
return -ENOTSUPP;
|
||||
}
|
||||
@@ -716,7 +717,8 @@ static const struct nla_policy nfula_cfg_policy[NFULA_CFG_MAX+1] = {
|
||||
|
||||
static int
|
||||
nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
|
||||
struct nlmsghdr *nlh, struct nlattr *nfula[])
|
||||
const struct nlmsghdr *nlh,
|
||||
const struct nlattr * const nfula[])
|
||||
{
|
||||
struct nfgenmsg *nfmsg = NLMSG_DATA(nlh);
|
||||
u_int16_t group_num = ntohs(nfmsg->res_id);
|
||||
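Review bot: `nlh` becomes `const struct nlmsghdr *` in `nfulnl_recv_config`, but the unchanged context line `struct nfgenmsg *nfmsg = NLMSG_DATA(nlh);` launders that const away through the macro's pointer cast, so the message header is writable again one line later; declare it `const struct nfgenmsg *nfmsg = NLMSG_DATA(nlh);` so the constification actually holds. The same pattern is left in the nfnetlink_queue section, in `nfqnl_recv_verdict` and `nfqnl_recv_config`, and should get the same one-word fix. These function bodies continue past their hunks.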
|
@@ -608,7 +608,8 @@ static const struct nla_policy nfqa_verdict_policy[NFQA_MAX+1] = {
|
||||
|
||||
static int
|
||||
nfqnl_recv_verdict(struct sock *ctnl, struct sk_buff *skb,
|
||||
struct nlmsghdr *nlh, struct nlattr *nfqa[])
|
||||
const struct nlmsghdr *nlh,
|
||||
const struct nlattr * const nfqa[])
|
||||
{
|
||||
struct nfgenmsg *nfmsg = NLMSG_DATA(nlh);
|
||||
u_int16_t queue_num = ntohs(nfmsg->res_id);
|
||||
@@ -670,7 +671,8 @@ err_out_unlock:
|
||||
|
||||
static int
|
||||
nfqnl_recv_unsupp(struct sock *ctnl, struct sk_buff *skb,
|
||||
struct nlmsghdr *nlh, struct nlattr *nfqa[])
|
||||
const struct nlmsghdr *nlh,
|
||||
const struct nlattr * const nfqa[])
|
||||
{
|
||||
return -ENOTSUPP;
|
||||
}
|
||||
@@ -687,7 +689,8 @@ static const struct nf_queue_handler nfqh = {
|
||||
|
||||
static int
|
||||
nfqnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
|
||||
struct nlmsghdr *nlh, struct nlattr *nfqa[])
|
||||
const struct nlmsghdr *nlh,
|
||||
const struct nlattr * const nfqa[])
|
||||
{
|
||||
struct nfgenmsg *nfmsg = NLMSG_DATA(nlh);
|
||||
u_int16_t queue_num = ntohs(nfmsg->res_id);
|
||||
|
@@ -736,16 +736,17 @@ xt_replace_table(struct xt_table *table,
|
||||
}
|
||||
EXPORT_SYMBOL_GPL(xt_replace_table);
|
||||
|
||||
struct xt_table *xt_register_table(struct net *net, struct xt_table *table,
|
||||
struct xt_table *xt_register_table(struct net *net,
|
||||
const struct xt_table *input_table,
|
||||
struct xt_table_info *bootstrap,
|
||||
struct xt_table_info *newinfo)
|
||||
{
|
||||
int ret;
|
||||
struct xt_table_info *private;
|
||||
struct xt_table *t;
|
||||
struct xt_table *t, *table;
|
||||
|
||||
/* Don't add one object to multiple lists. */
|
||||
table = kmemdup(table, sizeof(struct xt_table), GFP_KERNEL);
|
||||
table = kmemdup(input_table, sizeof(struct xt_table), GFP_KERNEL);
|
||||
if (!table) {
|
||||
ret = -ENOMEM;
|
||||
goto out;
|
||||
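Review bot: Renaming the parameter to `input_table` makes it clear the caller's `xt_table` is only a template, but nothing documents that the registered object is the `kmemdup` copy or who owns it; add a kerneldoc above the definition stating that `input_table` is copied and never linked into any list, that the return value is the live registered table (presumably an `ERR_PTR` on failure, given the `ret = -ENOMEM` path), and naming the matching unregister call. The `goto out` on allocation failure is visible, but what `out:` returns lies outside the hunk, so that part of the comment should be confirmed against the rest of the function. The function body continues past the hunk.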
|
@@ -35,45 +35,6 @@ MODULE_ALIAS("ip6t_CONNMARK");
|
||||
#include <linux/netfilter/xt_CONNMARK.h>
|
||||
#include <net/netfilter/nf_conntrack_ecache.h>
|
||||
|
||||
static unsigned int
|
||||
connmark_tg_v0(struct sk_buff *skb, const struct xt_target_param *par)
|
||||
{
|
||||
const struct xt_connmark_target_info *markinfo = par->targinfo;
|
||||
struct nf_conn *ct;
|
||||
enum ip_conntrack_info ctinfo;
|
||||
u_int32_t diff;
|
||||
u_int32_t mark;
|
||||
u_int32_t newmark;
|
||||
|
||||
ct = nf_ct_get(skb, &ctinfo);
|
||||
if (ct) {
|
||||
switch(markinfo->mode) {
|
||||
case XT_CONNMARK_SET:
|
||||
newmark = (ct->mark & ~markinfo->mask) | markinfo->mark;
|
||||
if (newmark != ct->mark) {
|
||||
ct->mark = newmark;
|
||||
nf_conntrack_event_cache(IPCT_MARK, ct);
|
||||
}
|
||||
break;
|
||||
case XT_CONNMARK_SAVE:
|
||||
newmark = (ct->mark & ~markinfo->mask) |
|
||||
(skb->mark & markinfo->mask);
|
||||
if (ct->mark != newmark) {
|
||||
ct->mark = newmark;
|
||||
nf_conntrack_event_cache(IPCT_MARK, ct);
|
||||
}
|
||||
break;
|
||||
case XT_CONNMARK_RESTORE:
|
||||
mark = skb->mark;
|
||||
diff = (ct->mark ^ mark) & markinfo->mask;
|
||||
skb->mark = mark ^ diff;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
return XT_CONTINUE;
|
||||
}
|
||||
|
||||
static unsigned int
|
||||
connmark_tg(struct sk_buff *skb, const struct xt_target_param *par)
|
||||
{
|
||||
@@ -112,30 +73,6 @@ connmark_tg(struct sk_buff *skb, const struct xt_target_param *par)
|
||||
return XT_CONTINUE;
|
||||
}
|
||||
|
||||
static bool connmark_tg_check_v0(const struct xt_tgchk_param *par)
|
||||
{
|
||||
const struct xt_connmark_target_info *matchinfo = par->targinfo;
|
||||
|
||||
if (matchinfo->mode == XT_CONNMARK_RESTORE) {
|
||||
if (strcmp(par->table, "mangle") != 0) {
|
||||
printk(KERN_WARNING "CONNMARK: restore can only be "
|
||||
"called from \"mangle\" table, not \"%s\"\n",
|
||||
par->table);
|
||||
return false;
|
||||
}
|
||||
}
|
||||
if (matchinfo->mark > 0xffffffff || matchinfo->mask > 0xffffffff) {
|
||||
printk(KERN_WARNING "CONNMARK: Only supports 32bit mark\n");
|
||||
return false;
|
||||
}
|
||||
if (nf_ct_l3proto_try_module_get(par->family) < 0) {
|
||||
printk(KERN_WARNING "can't load conntrack support for "
|
||||
"proto=%u\n", par->family);
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
static bool connmark_tg_check(const struct xt_tgchk_param *par)
|
||||
{
|
||||
if (nf_ct_l3proto_try_module_get(par->family) < 0) {
|
||||
@@ -151,74 +88,25 @@ static void connmark_tg_destroy(const struct xt_tgdtor_param *par)
|
||||
nf_ct_l3proto_module_put(par->family);
|
||||
}
|
||||
|
||||
#ifdef CONFIG_COMPAT
|
||||
struct compat_xt_connmark_target_info {
|
||||
compat_ulong_t mark, mask;
|
||||
u_int8_t mode;
|
||||
u_int8_t __pad1;
|
||||
u_int16_t __pad2;
|
||||
};
|
||||
|
||||
static void connmark_tg_compat_from_user_v0(void *dst, void *src)
|
||||
{
|
||||
const struct compat_xt_connmark_target_info *cm = src;
|
||||
struct xt_connmark_target_info m = {
|
||||
.mark = cm->mark,
|
||||
.mask = cm->mask,
|
||||
.mode = cm->mode,
|
||||
};
|
||||
memcpy(dst, &m, sizeof(m));
|
||||
}
|
||||
|
||||
static int connmark_tg_compat_to_user_v0(void __user *dst, void *src)
|
||||
{
|
||||
const struct xt_connmark_target_info *m = src;
|
||||
struct compat_xt_connmark_target_info cm = {
|
||||
.mark = m->mark,
|
||||
.mask = m->mask,
|
||||
.mode = m->mode,
|
||||
};
|
||||
return copy_to_user(dst, &cm, sizeof(cm)) ? -EFAULT : 0;
|
||||
}
|
||||
#endif /* CONFIG_COMPAT */
|
||||
|
||||
static struct xt_target connmark_tg_reg[] __read_mostly = {
|
||||
{
|
||||
.name = "CONNMARK",
|
||||
.revision = 0,
|
||||
.family = NFPROTO_UNSPEC,
|
||||
.checkentry = connmark_tg_check_v0,
|
||||
.destroy = connmark_tg_destroy,
|
||||
.target = connmark_tg_v0,
|
||||
.targetsize = sizeof(struct xt_connmark_target_info),
|
||||
#ifdef CONFIG_COMPAT
|
||||
.compatsize = sizeof(struct compat_xt_connmark_target_info),
|
||||
.compat_from_user = connmark_tg_compat_from_user_v0,
|
||||
.compat_to_user = connmark_tg_compat_to_user_v0,
|
||||
#endif
|
||||
.me = THIS_MODULE
|
||||
},
|
||||
{
|
||||
.name = "CONNMARK",
|
||||
.revision = 1,
|
||||
.family = NFPROTO_UNSPEC,
|
||||
.checkentry = connmark_tg_check,
|
||||
.target = connmark_tg,
|
||||
.targetsize = sizeof(struct xt_connmark_tginfo1),
|
||||
.destroy = connmark_tg_destroy,
|
||||
.me = THIS_MODULE,
|
||||
},
|
||||
static struct xt_target connmark_tg_reg __read_mostly = {
|
||||
.name = "CONNMARK",
|
||||
.revision = 1,
|
||||
.family = NFPROTO_UNSPEC,
|
||||
.checkentry = connmark_tg_check,
|
||||
.target = connmark_tg,
|
||||
.targetsize = sizeof(struct xt_connmark_tginfo1),
|
||||
.destroy = connmark_tg_destroy,
|
||||
.me = THIS_MODULE,
|
||||
};
|
||||
|
||||
static int __init connmark_tg_init(void)
|
||||
{
|
||||
return xt_register_targets(connmark_tg_reg,
|
||||
ARRAY_SIZE(connmark_tg_reg));
|
||||
return xt_register_target(&connmark_tg_reg);
|
||||
}
|
||||
|
||||
static void __exit connmark_tg_exit(void)
|
||||
{
|
||||
xt_unregister_targets(connmark_tg_reg, ARRAY_SIZE(connmark_tg_reg));
|
||||
xt_unregister_target(&connmark_tg_reg);
|
||||
}
|
||||
|
||||
module_init(connmark_tg_init);
|
||||
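Review bot: Collapsing `connmark_tg_reg[]` to a single revision-1 target removes the revision-0 kernel/userspace ABI together with its compat handlers, so any iptables rule still referencing CONNMARK revision 0 now fails at rule insertion rather than degrading gracefully. That is presumably intended, but the commit should state it explicitly and name the minimum userspace revision support it requires, so distributions can gate the kernel update. The same removal is made in the xt_DSCP (TOS revision 0), xt_MARK (revisions 0 and 1) and xt_connmark (revision 0) sections. Keeping `connmark_tg_reg` as a one-element array with `xt_register_targets` would have made re-adding a revision later a smaller diff, though that is a matter of taste.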
|
@@ -18,7 +18,6 @@
|
||||
|
||||
#include <linux/netfilter/x_tables.h>
|
||||
#include <linux/netfilter/xt_DSCP.h>
|
||||
#include <linux/netfilter_ipv4/ipt_TOS.h>
|
||||
|
||||
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
|
||||
MODULE_DESCRIPTION("Xtables: DSCP/TOS field modification");
|
||||
@@ -72,41 +71,6 @@ static bool dscp_tg_check(const struct xt_tgchk_param *par)
|
||||
return true;
|
||||
}
|
||||
|
||||
static unsigned int
|
||||
tos_tg_v0(struct sk_buff *skb, const struct xt_target_param *par)
|
||||
{
|
||||
const struct ipt_tos_target_info *info = par->targinfo;
|
||||
struct iphdr *iph = ip_hdr(skb);
|
||||
u_int8_t oldtos;
|
||||
|
||||
if ((iph->tos & IPTOS_TOS_MASK) != info->tos) {
|
||||
if (!skb_make_writable(skb, sizeof(struct iphdr)))
|
||||
return NF_DROP;
|
||||
|
||||
iph = ip_hdr(skb);
|
||||
oldtos = iph->tos;
|
||||
iph->tos = (iph->tos & IPTOS_PREC_MASK) | info->tos;
|
||||
csum_replace2(&iph->check, htons(oldtos), htons(iph->tos));
|
||||
}
|
||||
|
||||
return XT_CONTINUE;
|
||||
}
|
||||
|
||||
static bool tos_tg_check_v0(const struct xt_tgchk_param *par)
|
||||
{
|
||||
const struct ipt_tos_target_info *info = par->targinfo;
|
||||
const uint8_t tos = info->tos;
|
||||
|
||||
if (tos != IPTOS_LOWDELAY && tos != IPTOS_THROUGHPUT &&
|
||||
tos != IPTOS_RELIABILITY && tos != IPTOS_MINCOST &&
|
||||
tos != IPTOS_NORMALSVC) {
|
||||
printk(KERN_WARNING "TOS: bad tos value %#x\n", tos);
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
static unsigned int
|
||||
tos_tg(struct sk_buff *skb, const struct xt_target_param *par)
|
||||
{
|
||||
@@ -166,16 +130,6 @@ static struct xt_target dscp_tg_reg[] __read_mostly = {
|
||||
.table = "mangle",
|
||||
.me = THIS_MODULE,
|
||||
},
|
||||
{
|
||||
.name = "TOS",
|
||||
.revision = 0,
|
||||
.family = NFPROTO_IPV4,
|
||||
.table = "mangle",
|
||||
.target = tos_tg_v0,
|
||||
.targetsize = sizeof(struct ipt_tos_target_info),
|
||||
.checkentry = tos_tg_check_v0,
|
||||
.me = THIS_MODULE,
|
||||
},
|
||||
{
|
||||
.name = "TOS",
|
||||
.revision = 1,
|
||||
|
@@ -24,39 +24,6 @@ MODULE_DESCRIPTION("Xtables: packet mark modification");
|
||||
MODULE_ALIAS("ipt_MARK");
|
||||
MODULE_ALIAS("ip6t_MARK");
|
||||
|
||||
static unsigned int
|
||||
mark_tg_v0(struct sk_buff *skb, const struct xt_target_param *par)
|
||||
{
|
||||
const struct xt_mark_target_info *markinfo = par->targinfo;
|
||||
|
||||
skb->mark = markinfo->mark;
|
||||
return XT_CONTINUE;
|
||||
}
|
||||
|
||||
static unsigned int
|
||||
mark_tg_v1(struct sk_buff *skb, const struct xt_target_param *par)
|
||||
{
|
||||
const struct xt_mark_target_info_v1 *markinfo = par->targinfo;
|
||||
int mark = 0;
|
||||
|
||||
switch (markinfo->mode) {
|
||||
case XT_MARK_SET:
|
||||
mark = markinfo->mark;
|
||||
break;
|
||||
|
||||
case XT_MARK_AND:
|
||||
mark = skb->mark & markinfo->mark;
|
||||
break;
|
||||
|
||||
case XT_MARK_OR:
|
||||
mark = skb->mark | markinfo->mark;
|
||||
break;
|
||||
}
|
||||
|
||||
skb->mark = mark;
|
||||
return XT_CONTINUE;
|
||||
}
|
||||
|
||||
static unsigned int
|
||||
mark_tg(struct sk_buff *skb, const struct xt_target_param *par)
|
||||
{
|
||||
@@ -66,135 +33,23 @@ mark_tg(struct sk_buff *skb, const struct xt_target_param *par)
|
||||
return XT_CONTINUE;
|
||||
}
|
||||
|
||||
static bool mark_tg_check_v0(const struct xt_tgchk_param *par)
|
||||
{
|
||||
const struct xt_mark_target_info *markinfo = par->targinfo;
|
||||
|
||||
if (markinfo->mark > 0xffffffff) {
|
||||
printk(KERN_WARNING "MARK: Only supports 32bit wide mark\n");
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
static bool mark_tg_check_v1(const struct xt_tgchk_param *par)
|
||||
{
|
||||
const struct xt_mark_target_info_v1 *markinfo = par->targinfo;
|
||||
|
||||
if (markinfo->mode != XT_MARK_SET
|
||||
&& markinfo->mode != XT_MARK_AND
|
||||
&& markinfo->mode != XT_MARK_OR) {
|
||||
printk(KERN_WARNING "MARK: unknown mode %u\n",
|
||||
markinfo->mode);
|
||||
return false;
|
||||
}
|
||||
if (markinfo->mark > 0xffffffff) {
|
||||
printk(KERN_WARNING "MARK: Only supports 32bit wide mark\n");
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
#ifdef CONFIG_COMPAT
|
||||
struct compat_xt_mark_target_info {
|
||||
compat_ulong_t mark;
|
||||
};
|
||||
|
||||
static void mark_tg_compat_from_user_v0(void *dst, void *src)
|
||||
{
|
||||
const struct compat_xt_mark_target_info *cm = src;
|
||||
struct xt_mark_target_info m = {
|
||||
.mark = cm->mark,
|
||||
};
|
||||
memcpy(dst, &m, sizeof(m));
|
||||
}
|
||||
|
||||
static int mark_tg_compat_to_user_v0(void __user *dst, void *src)
|
||||
{
|
||||
const struct xt_mark_target_info *m = src;
|
||||
struct compat_xt_mark_target_info cm = {
|
||||
.mark = m->mark,
|
||||
};
|
||||
return copy_to_user(dst, &cm, sizeof(cm)) ? -EFAULT : 0;
|
||||
}
|
||||
|
||||
struct compat_xt_mark_target_info_v1 {
|
||||
compat_ulong_t mark;
|
||||
u_int8_t mode;
|
||||
u_int8_t __pad1;
|
||||
u_int16_t __pad2;
|
||||
};
|
||||
|
||||
static void mark_tg_compat_from_user_v1(void *dst, void *src)
|
||||
{
|
||||
const struct compat_xt_mark_target_info_v1 *cm = src;
|
||||
struct xt_mark_target_info_v1 m = {
|
||||
.mark = cm->mark,
|
||||
.mode = cm->mode,
|
||||
};
|
||||
memcpy(dst, &m, sizeof(m));
|
||||
}
|
||||
|
||||
static int mark_tg_compat_to_user_v1(void __user *dst, void *src)
|
||||
{
|
||||
const struct xt_mark_target_info_v1 *m = src;
|
||||
struct compat_xt_mark_target_info_v1 cm = {
|
||||
.mark = m->mark,
|
||||
.mode = m->mode,
|
||||
};
|
||||
return copy_to_user(dst, &cm, sizeof(cm)) ? -EFAULT : 0;
|
||||
}
|
||||
#endif /* CONFIG_COMPAT */
|
||||
|
||||
static struct xt_target mark_tg_reg[] __read_mostly = {
|
||||
{
|
||||
.name = "MARK",
|
||||
.family = NFPROTO_UNSPEC,
|
||||
.revision = 0,
|
||||
.checkentry = mark_tg_check_v0,
|
||||
.target = mark_tg_v0,
|
||||
.targetsize = sizeof(struct xt_mark_target_info),
|
||||
#ifdef CONFIG_COMPAT
|
||||
.compatsize = sizeof(struct compat_xt_mark_target_info),
|
||||
.compat_from_user = mark_tg_compat_from_user_v0,
|
||||
.compat_to_user = mark_tg_compat_to_user_v0,
|
||||
#endif
|
||||
.table = "mangle",
|
||||
.me = THIS_MODULE,
|
||||
},
|
||||
{
|
||||
.name = "MARK",
|
||||
.family = NFPROTO_UNSPEC,
|
||||
.revision = 1,
|
||||
.checkentry = mark_tg_check_v1,
|
||||
.target = mark_tg_v1,
|
||||
.targetsize = sizeof(struct xt_mark_target_info_v1),
|
||||
#ifdef CONFIG_COMPAT
|
||||
.compatsize = sizeof(struct compat_xt_mark_target_info_v1),
|
||||
.compat_from_user = mark_tg_compat_from_user_v1,
|
||||
.compat_to_user = mark_tg_compat_to_user_v1,
|
||||
#endif
|
||||
.table = "mangle",
|
||||
.me = THIS_MODULE,
|
||||
},
|
||||
{
|
||||
.name = "MARK",
|
||||
.revision = 2,
|
||||
.family = NFPROTO_UNSPEC,
|
||||
.target = mark_tg,
|
||||
.targetsize = sizeof(struct xt_mark_tginfo2),
|
||||
.me = THIS_MODULE,
|
||||
},
|
||||
static struct xt_target mark_tg_reg __read_mostly = {
|
||||
.name = "MARK",
|
||||
.revision = 2,
|
||||
.family = NFPROTO_UNSPEC,
|
||||
.target = mark_tg,
|
||||
.targetsize = sizeof(struct xt_mark_tginfo2),
|
||||
.me = THIS_MODULE,
|
||||
};
|
||||
|
||||
static int __init mark_tg_init(void)
|
||||
{
|
||||
return xt_register_targets(mark_tg_reg, ARRAY_SIZE(mark_tg_reg));
|
||||
return xt_register_target(&mark_tg_reg);
|
||||
}
|
||||
|
||||
static void __exit mark_tg_exit(void)
|
||||
{
|
||||
xt_unregister_targets(mark_tg_reg, ARRAY_SIZE(mark_tg_reg));
|
||||
xt_unregister_target(&mark_tg_reg);
|
||||
}
|
||||
|
||||
module_init(mark_tg_init);
|
||||
|
@@ -47,36 +47,6 @@ connmark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||
return ((ct->mark & info->mask) == info->mark) ^ info->invert;
|
||||
}
|
||||
|
||||
static bool
|
||||
connmark_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||
{
|
||||
const struct xt_connmark_info *info = par->matchinfo;
|
||||
const struct nf_conn *ct;
|
||||
enum ip_conntrack_info ctinfo;
|
||||
|
||||
ct = nf_ct_get(skb, &ctinfo);
|
||||
if (!ct)
|
||||
return false;
|
||||
|
||||
return ((ct->mark & info->mask) == info->mark) ^ info->invert;
|
||||
}
|
||||
|
||||
static bool connmark_mt_check_v0(const struct xt_mtchk_param *par)
|
||||
{
|
||||
const struct xt_connmark_info *cm = par->matchinfo;
|
||||
|
||||
if (cm->mark > 0xffffffff || cm->mask > 0xffffffff) {
|
||||
printk(KERN_WARNING "connmark: only support 32bit mark\n");
|
||||
return false;
|
||||
}
|
||||
if (nf_ct_l3proto_try_module_get(par->family) < 0) {
|
||||
printk(KERN_WARNING "can't load conntrack support for "
|
||||
"proto=%u\n", par->family);
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
static bool connmark_mt_check(const struct xt_mtchk_param *par)
|
||||
{
|
||||
if (nf_ct_l3proto_try_module_get(par->family) < 0) {
|
||||
@@ -92,74 +62,25 @@ static void connmark_mt_destroy(const struct xt_mtdtor_param *par)
|
||||
nf_ct_l3proto_module_put(par->family);
|
||||
}
|
||||
|
||||
#ifdef CONFIG_COMPAT
|
||||
struct compat_xt_connmark_info {
|
||||
compat_ulong_t mark, mask;
|
||||
u_int8_t invert;
|
||||
u_int8_t __pad1;
|
||||
u_int16_t __pad2;
|
||||
};
|
||||
|
||||
static void connmark_mt_compat_from_user_v0(void *dst, void *src)
|
||||
{
|
||||
const struct compat_xt_connmark_info *cm = src;
|
||||
struct xt_connmark_info m = {
|
||||
.mark = cm->mark,
|
||||
.mask = cm->mask,
|
||||
.invert = cm->invert,
|
||||
};
|
||||
memcpy(dst, &m, sizeof(m));
|
||||
}
|
||||
|
||||
static int connmark_mt_compat_to_user_v0(void __user *dst, void *src)
|
||||
{
|
||||
const struct xt_connmark_info *m = src;
|
||||
struct compat_xt_connmark_info cm = {
|
||||
.mark = m->mark,
|
||||
.mask = m->mask,
|
||||
.invert = m->invert,
|
||||
};
|
||||
return copy_to_user(dst, &cm, sizeof(cm)) ? -EFAULT : 0;
|
||||
}
|
||||
#endif /* CONFIG_COMPAT */
|
||||
|
||||
static struct xt_match connmark_mt_reg[] __read_mostly = {
|
||||
{
|
||||
.name = "connmark",
|
||||
.revision = 0,
|
||||
.family = NFPROTO_UNSPEC,
|
||||
.checkentry = connmark_mt_check_v0,
|
||||
.match = connmark_mt_v0,
|
||||
.destroy = connmark_mt_destroy,
|
||||
.matchsize = sizeof(struct xt_connmark_info),
|
||||
#ifdef CONFIG_COMPAT
|
||||
.compatsize = sizeof(struct compat_xt_connmark_info),
|
||||
.compat_from_user = connmark_mt_compat_from_user_v0,
|
||||
.compat_to_user = connmark_mt_compat_to_user_v0,
|
||||
#endif
|
||||
.me = THIS_MODULE
|
||||
},
|
||||
{
|
||||
.name = "connmark",
|
||||
.revision = 1,
|
||||
.family = NFPROTO_UNSPEC,
|
||||
.checkentry = connmark_mt_check,
|
||||
.match = connmark_mt,
|
||||
.matchsize = sizeof(struct xt_connmark_mtinfo1),
|
||||
.destroy = connmark_mt_destroy,
|
||||
.me = THIS_MODULE,
|
||||
},
|
||||
static struct xt_match connmark_mt_reg __read_mostly = {
|
||||
.name = "connmark",
|
||||
.revision = 1,
|
||||
.family = NFPROTO_UNSPEC,
|
||||
.checkentry = connmark_mt_check,
|
||||
.match = connmark_mt,
|
||||
.matchsize = sizeof(struct xt_connmark_mtinfo1),
|
||||
.destroy = connmark_mt_destroy,
|
||||
.me = THIS_MODULE,
|
||||
};
|
||||
|
||||
static int __init connmark_mt_init(void)
|
||||
{
|
||||
return xt_register_matches(connmark_mt_reg,
|
||||
ARRAY_SIZE(connmark_mt_reg));
|
||||
return xt_register_match(&connmark_mt_reg);
|
||||
}
|
||||
|
||||
static void __exit connmark_mt_exit(void)
|
||||
{
|
||||
xt_unregister_matches(connmark_mt_reg, ARRAY_SIZE(connmark_mt_reg));
|
||||
xt_unregister_match(&connmark_mt_reg);
|
||||
}
|
||||
|
||||
module_init(connmark_mt_init);
|
||||
|
@@ -19,100 +19,11 @@
|
||||
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
|
||||
MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
|
||||
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
|
||||
MODULE_DESCRIPTION("Xtables: connection tracking state match");
|
||||
MODULE_ALIAS("ipt_conntrack");
|
||||
MODULE_ALIAS("ip6t_conntrack");
|
||||
|
||||
static bool
|
||||
conntrack_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||
{
|
||||
const struct xt_conntrack_info *sinfo = par->matchinfo;
|
||||
const struct nf_conn *ct;
|
||||
enum ip_conntrack_info ctinfo;
|
||||
unsigned int statebit;
|
||||
|
||||
ct = nf_ct_get(skb, &ctinfo);
|
||||
|
||||
#define FWINV(bool, invflg) ((bool) ^ !!(sinfo->invflags & (invflg)))
|
||||
|
||||
if (ct == &nf_conntrack_untracked)
|
||||
statebit = XT_CONNTRACK_STATE_UNTRACKED;
|
||||
else if (ct)
|
||||
statebit = XT_CONNTRACK_STATE_BIT(ctinfo);
|
||||
else
|
||||
statebit = XT_CONNTRACK_STATE_INVALID;
|
||||
|
||||
if (sinfo->flags & XT_CONNTRACK_STATE) {
|
||||
if (ct) {
|
||||
if (test_bit(IPS_SRC_NAT_BIT, &ct->status))
|
||||
statebit |= XT_CONNTRACK_STATE_SNAT;
|
||||
if (test_bit(IPS_DST_NAT_BIT, &ct->status))
|
||||
statebit |= XT_CONNTRACK_STATE_DNAT;
|
||||
}
|
||||
if (FWINV((statebit & sinfo->statemask) == 0,
|
||||
XT_CONNTRACK_STATE))
|
||||
return false;
|
||||
}
|
||||
|
||||
if (ct == NULL) {
|
||||
if (sinfo->flags & ~XT_CONNTRACK_STATE)
|
||||
return false;
|
||||
return true;
|
||||
}
|
||||
|
||||
if (sinfo->flags & XT_CONNTRACK_PROTO &&
|
||||
FWINV(nf_ct_protonum(ct) !=
|
||||
sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum,
|
||||
XT_CONNTRACK_PROTO))
|
||||
return false;
|
||||
|
||||
if (sinfo->flags & XT_CONNTRACK_ORIGSRC &&
|
||||
FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip &
|
||||
sinfo->sipmsk[IP_CT_DIR_ORIGINAL].s_addr) !=
|
||||
sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip,
|
||||
XT_CONNTRACK_ORIGSRC))
|
||||
return false;
|
||||
|
||||
if (sinfo->flags & XT_CONNTRACK_ORIGDST &&
|
||||
FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3.ip &
|
||||
sinfo->dipmsk[IP_CT_DIR_ORIGINAL].s_addr) !=
|
||||
sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip,
|
||||
XT_CONNTRACK_ORIGDST))
|
||||
return false;
|
||||
|
||||
if (sinfo->flags & XT_CONNTRACK_REPLSRC &&
|
||||
FWINV((ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3.ip &
|
||||
sinfo->sipmsk[IP_CT_DIR_REPLY].s_addr) !=
|
||||
sinfo->tuple[IP_CT_DIR_REPLY].src.ip,
|
||||
XT_CONNTRACK_REPLSRC))
|
||||
return false;
|
||||
|
||||
if (sinfo->flags & XT_CONNTRACK_REPLDST &&
|
||||
FWINV((ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3.ip &
|
||||
sinfo->dipmsk[IP_CT_DIR_REPLY].s_addr) !=
|
||||
sinfo->tuple[IP_CT_DIR_REPLY].dst.ip,
|
||||
XT_CONNTRACK_REPLDST))
|
||||
return false;
|
||||
|
||||
if (sinfo->flags & XT_CONNTRACK_STATUS &&
|
||||
FWINV((ct->status & sinfo->statusmask) == 0,
|
||||
XT_CONNTRACK_STATUS))
|
||||
return false;
|
||||
|
||||
if(sinfo->flags & XT_CONNTRACK_EXPIRES) {
|
||||
unsigned long expires = timer_pending(&ct->timeout) ?
|
||||
(ct->timeout.expires - jiffies)/HZ : 0;
|
||||
|
||||
if (FWINV(!(expires >= sinfo->expires_min &&
|
||||
expires <= sinfo->expires_max),
|
||||
XT_CONNTRACK_EXPIRES))
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
#undef FWINV
|
||||
}
|
||||
|
||||
static bool
|
||||
conntrack_addrcmp(const union nf_inet_addr *kaddr,
|
||||
const union nf_inet_addr *uaddr,
|
||||
@@ -337,71 +248,7 @@ static void conntrack_mt_destroy_v1(const struct xt_mtdtor_param *par)
|
||||
conntrack_mt_destroy(par);
|
||||
}
|
||||
|
||||
#ifdef CONFIG_COMPAT
|
||||
struct compat_xt_conntrack_info
|
||||
{
|
||||
compat_uint_t statemask;
|
||||
compat_uint_t statusmask;
|
||||
struct ip_conntrack_old_tuple tuple[IP_CT_DIR_MAX];
|
||||
struct in_addr sipmsk[IP_CT_DIR_MAX];
|
||||
struct in_addr dipmsk[IP_CT_DIR_MAX];
|
||||
compat_ulong_t expires_min;
|
||||
compat_ulong_t expires_max;
|
||||
u_int8_t flags;
|
||||
u_int8_t invflags;
|
||||
};
|
||||
|
||||
static void conntrack_mt_compat_from_user_v0(void *dst, void *src)
|
||||
{
|
||||
const struct compat_xt_conntrack_info *cm = src;
|
||||
struct xt_conntrack_info m = {
|
||||
.statemask = cm->statemask,
|
||||
.statusmask = cm->statusmask,
|
||||
.expires_min = cm->expires_min,
|
||||
.expires_max = cm->expires_max,
|
||||
.flags = cm->flags,
|
||||
.invflags = cm->invflags,
|
||||
};
|
||||
memcpy(m.tuple, cm->tuple, sizeof(m.tuple));
|
||||
memcpy(m.sipmsk, cm->sipmsk, sizeof(m.sipmsk));
|
||||
memcpy(m.dipmsk, cm->dipmsk, sizeof(m.dipmsk));
|
||||
memcpy(dst, &m, sizeof(m));
|
||||
}
|
||||
|
||||
static int conntrack_mt_compat_to_user_v0(void __user *dst, void *src)
|
||||
{
|
||||
const struct xt_conntrack_info *m = src;
|
||||
struct compat_xt_conntrack_info cm = {
|
||||
.statemask = m->statemask,
|
||||
.statusmask = m->statusmask,
|
||||
.expires_min = m->expires_min,
|
||||
.expires_max = m->expires_max,
|
||||
.flags = m->flags,
|
||||
.invflags = m->invflags,
|
||||
};
|
||||
memcpy(cm.tuple, m->tuple, sizeof(cm.tuple));
|
||||
memcpy(cm.sipmsk, m->sipmsk, sizeof(cm.sipmsk));
|
||||
memcpy(cm.dipmsk, m->dipmsk, sizeof(cm.dipmsk));
|
||||
return copy_to_user(dst, &cm, sizeof(cm)) ? -EFAULT : 0;
|
||||
}
|
||||
#endif
|
||||
|
||||
static struct xt_match conntrack_mt_reg[] __read_mostly = {
|
||||
{
|
||||
.name = "conntrack",
|
||||
.revision = 0,
|
||||
.family = NFPROTO_IPV4,
|
||||
.match = conntrack_mt_v0,
|
||||
.checkentry = conntrack_mt_check,
|
||||
.destroy = conntrack_mt_destroy,
|
||||
.matchsize = sizeof(struct xt_conntrack_info),
|
||||
.me = THIS_MODULE,
|
||||
#ifdef CONFIG_COMPAT
|
||||
.compatsize = sizeof(struct compat_xt_conntrack_info),
|
||||
.compat_from_user = conntrack_mt_compat_from_user_v0,
|
||||
.compat_to_user = conntrack_mt_compat_to_user_v0,
|
||||
#endif
|
||||
},
|
||||
{
|
||||
.name = "conntrack",
|
||||
.revision = 1,
|
||||
|
@@ -15,7 +15,6 @@
|
||||
|
||||
#include <linux/netfilter/x_tables.h>
|
||||
#include <linux/netfilter/xt_dscp.h>
|
||||
#include <linux/netfilter_ipv4/ipt_tos.h>
|
||||
|
||||
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
|
||||
MODULE_DESCRIPTION("Xtables: DSCP/TOS field match");
|
||||
@@ -55,14 +54,6 @@ static bool dscp_mt_check(const struct xt_mtchk_param *par)
|
||||
return true;
|
||||
}
|
||||
|
||||
static bool
|
||||
tos_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||
{
|
||||
const struct ipt_tos_info *info = par->matchinfo;
|
||||
|
||||
return (ip_hdr(skb)->tos == info->tos) ^ info->invert;
|
||||
}
|
||||
|
||||
static bool tos_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||
{
|
||||
const struct xt_tos_match_info *info = par->matchinfo;
|
||||
@@ -92,14 +83,6 @@ static struct xt_match dscp_mt_reg[] __read_mostly = {
|
||||
.matchsize = sizeof(struct xt_dscp_info),
|
||||
.me = THIS_MODULE,
|
||||
},
|
||||
{
|
||||
.name = "tos",
|
||||
.revision = 0,
|
||||
.family = NFPROTO_IPV4,
|
||||
.match = tos_mt_v0,
|
||||
.matchsize = sizeof(struct ipt_tos_info),
|
||||
.me = THIS_MODULE,
|
||||
},
|
||||
{
|
||||
.name = "tos",
|
||||
.revision = 1,
|
||||
|
@@ -14,40 +14,6 @@
|
||||
#include <linux/ipv6.h>
|
||||
#include <linux/netfilter/x_tables.h>
|
||||
#include <linux/netfilter/xt_iprange.h>
|
||||
#include <linux/netfilter_ipv4/ipt_iprange.h>
|
||||
|
||||
static bool
|
||||
iprange_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||
{
|
||||
const struct ipt_iprange_info *info = par->matchinfo;
|
||||
const struct iphdr *iph = ip_hdr(skb);
|
||||
|
||||
if (info->flags & IPRANGE_SRC) {
|
||||
if ((ntohl(iph->saddr) < ntohl(info->src.min_ip)
|
||||
|| ntohl(iph->saddr) > ntohl(info->src.max_ip))
|
||||
^ !!(info->flags & IPRANGE_SRC_INV)) {
|
||||
pr_debug("src IP %pI4 NOT in range %s%pI4-%pI4\n",
|
||||
&iph->saddr,
|
||||
info->flags & IPRANGE_SRC_INV ? "(INV) " : "",
|
||||
&info->src.min_ip,
|
||||
&info->src.max_ip);
|
||||
return false;
|
||||
}
|
||||
}
|
||||
if (info->flags & IPRANGE_DST) {
|
||||
if ((ntohl(iph->daddr) < ntohl(info->dst.min_ip)
|
||||
|| ntohl(iph->daddr) > ntohl(info->dst.max_ip))
|
||||
^ !!(info->flags & IPRANGE_DST_INV)) {
|
||||
pr_debug("dst IP %pI4 NOT in range %s%pI4-%pI4\n",
|
||||
&iph->daddr,
|
||||
info->flags & IPRANGE_DST_INV ? "(INV) " : "",
|
||||
&info->dst.min_ip,
|
||||
&info->dst.max_ip);
|
||||
return false;
|
||||
}
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
static bool
|
||||
iprange_mt4(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||
@@ -125,14 +91,6 @@ iprange_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||
}
|
||||
|
||||
static struct xt_match iprange_mt_reg[] __read_mostly = {
|
||||
{
|
||||
.name = "iprange",
|
||||
.revision = 0,
|
||||
.family = NFPROTO_IPV4,
|
||||
.match = iprange_mt_v0,
|
||||
.matchsize = sizeof(struct ipt_iprange_info),
|
||||
.me = THIS_MODULE,
|
||||
},
|
||||
{
|
||||
.name = "iprange",
|
||||
.revision = 1,
|
||||
@@ -164,7 +122,8 @@ static void __exit iprange_mt_exit(void)
|
||||
module_init(iprange_mt_init);
|
||||
module_exit(iprange_mt_exit);
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>, Jan Engelhardt <jengelh@computergmbh.de>");
|
||||
MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
|
||||
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
|
||||
MODULE_DESCRIPTION("Xtables: arbitrary IPv4 range matching");
|
||||
MODULE_ALIAS("ipt_iprange");
|
||||
MODULE_ALIAS("ip6t_iprange");
|
||||
|
@@ -3,7 +3,7 @@
|
||||
*
|
||||
* (C) 1999-2001 Marc Boucher <marc@mbsi.ca>
|
||||
* Copyright © CC Computer Consultants GmbH, 2007 - 2008
|
||||
* Jan Engelhardt <jengelh@computergmbh.de>
|
||||
* Jan Engelhardt <jengelh@medozas.de>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License version 2 as
|
||||
@@ -22,14 +22,6 @@ MODULE_DESCRIPTION("Xtables: packet mark match");
|
||||
MODULE_ALIAS("ipt_mark");
|
||||
MODULE_ALIAS("ip6t_mark");
|
||||
|
||||
static bool
|
||||
mark_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||
{
|
||||
const struct xt_mark_info *info = par->matchinfo;
|
||||
|
||||
return ((skb->mark & info->mask) == info->mark) ^ info->invert;
|
||||
}
|
||||
|
||||
static bool
|
||||
mark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||
{
|
||||
@@ -38,81 +30,23 @@ mark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||
return ((skb->mark & info->mask) == info->mark) ^ info->invert;
|
||||
}
|
||||
|
||||
static bool mark_mt_check_v0(const struct xt_mtchk_param *par)
|
||||
{
|
||||
const struct xt_mark_info *minfo = par->matchinfo;
|
||||
|
||||
if (minfo->mark > 0xffffffff || minfo->mask > 0xffffffff) {
|
||||
printk(KERN_WARNING "mark: only supports 32bit mark\n");
|
||||
return false;
|
||||
}
|
||||
return true;
|
||||
}
|
||||
|
||||
#ifdef CONFIG_COMPAT
|
||||
struct compat_xt_mark_info {
|
||||
compat_ulong_t mark, mask;
|
||||
u_int8_t invert;
|
||||
u_int8_t __pad1;
|
||||
u_int16_t __pad2;
|
||||
};
|
||||
|
||||
static void mark_mt_compat_from_user_v0(void *dst, void *src)
|
||||
{
|
||||
const struct compat_xt_mark_info *cm = src;
|
||||
struct xt_mark_info m = {
|
||||
.mark = cm->mark,
|
||||
.mask = cm->mask,
|
||||
.invert = cm->invert,
|
||||
};
|
||||
memcpy(dst, &m, sizeof(m));
|
||||
}
|
||||
|
||||
static int mark_mt_compat_to_user_v0(void __user *dst, void *src)
|
||||
{
|
||||
const struct xt_mark_info *m = src;
|
||||
struct compat_xt_mark_info cm = {
|
||||
.mark = m->mark,
|
||||
.mask = m->mask,
|
||||
.invert = m->invert,
|
||||
};
|
||||
return copy_to_user(dst, &cm, sizeof(cm)) ? -EFAULT : 0;
|
||||
}
|
||||
#endif /* CONFIG_COMPAT */
|
||||
|
||||
static struct xt_match mark_mt_reg[] __read_mostly = {
|
||||
{
|
||||
.name = "mark",
|
||||
.revision = 0,
|
||||
.family = NFPROTO_UNSPEC,
|
||||
.checkentry = mark_mt_check_v0,
|
||||
.match = mark_mt_v0,
|
||||
.matchsize = sizeof(struct xt_mark_info),
|
||||
#ifdef CONFIG_COMPAT
|
||||
.compatsize = sizeof(struct compat_xt_mark_info),
|
||||
.compat_from_user = mark_mt_compat_from_user_v0,
|
||||
.compat_to_user = mark_mt_compat_to_user_v0,
|
||||
#endif
|
||||
.me = THIS_MODULE,
|
||||
},
|
||||
{
|
||||
.name = "mark",
|
||||
.revision = 1,
|
||||
.family = NFPROTO_UNSPEC,
|
||||
.match = mark_mt,
|
||||
.matchsize = sizeof(struct xt_mark_mtinfo1),
|
||||
.me = THIS_MODULE,
|
||||
},
|
||||
static struct xt_match mark_mt_reg __read_mostly = {
|
||||
.name = "mark",
|
||||
.revision = 1,
|
||||
.family = NFPROTO_UNSPEC,
|
||||
.match = mark_mt,
|
||||
.matchsize = sizeof(struct xt_mark_mtinfo1),
|
||||
.me = THIS_MODULE,
|
||||
};
|
||||
|
||||
static int __init mark_mt_init(void)
|
||||
{
|
||||
return xt_register_matches(mark_mt_reg, ARRAY_SIZE(mark_mt_reg));
|
||||
return xt_register_match(&mark_mt_reg);
|
||||
}
|
||||
|
||||
static void __exit mark_mt_exit(void)
|
||||
{
|
||||
xt_unregister_matches(mark_mt_reg, ARRAY_SIZE(mark_mt_reg));
|
||||
xt_unregister_match(&mark_mt_reg);
|
||||
}
|
||||
|
||||
module_init(mark_mt_init);
|
||||
|
@@ -70,7 +70,8 @@ static void xt_osf_finger_free_rcu(struct rcu_head *rcu_head)
|
||||
}
|
||||
|
||||
static int xt_osf_add_callback(struct sock *ctnl, struct sk_buff *skb,
|
||||
struct nlmsghdr *nlh, struct nlattr *osf_attrs[])
|
||||
const struct nlmsghdr *nlh,
|
||||
const struct nlattr * const osf_attrs[])
|
||||
{
|
||||
struct xt_osf_user_finger *f;
|
||||
struct xt_osf_finger *kf = NULL, *sf;
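Review bot: The `const` added to `nlh` and `osf_attrs` is a prototype-only change in this hunk; `xt_osf_add_callback`'s body continues outside the hunk, so it cannot be confirmed here that nothing writes through either pointer, nor that the `struct nfnl_callback` entry that references this function (also outside the hunk) expects exactly this signature. `xt_osf_remove_callback` in the next hunk receives the same change and carries the same caveat. A one-line comment above each prototype, e.g. `/* prototype must match the nfnl_callback.call type */`, would make that coupling explicit for the next time the callback signature changes.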
|
||||
@@ -112,7 +113,8 @@ static int xt_osf_add_callback(struct sock *ctnl, struct sk_buff *skb,
|
||||
}
|
||||
|
||||
static int xt_osf_remove_callback(struct sock *ctnl, struct sk_buff *skb,
|
||||
struct nlmsghdr *nlh, struct nlattr *osf_attrs[])
|
||||
const struct nlmsghdr *nlh,
|
||||
const struct nlattr * const osf_attrs[])
|
||||
{
|
||||
struct xt_osf_user_finger *f;
|
||||
struct xt_osf_finger *sf;
|
||||
|
@@ -5,7 +5,6 @@
|
||||
* (C) 2000 Marc Boucher <marc@mbsi.ca>
|
||||
*
|
||||
* Copyright © CC Computer Consultants GmbH, 2007 - 2008
|
||||
* <jengelh@computergmbh.de>
|
||||
*
|
||||
* This program is free software; you can redistribute it and/or modify
|
||||
* it under the terms of the GNU General Public License version 2 as
|
||||
@@ -17,60 +16,6 @@
|
||||
#include <net/sock.h>
|
||||
#include <linux/netfilter/x_tables.h>
|
||||
#include <linux/netfilter/xt_owner.h>
|
||||
#include <linux/netfilter_ipv4/ipt_owner.h>
|
||||
#include <linux/netfilter_ipv6/ip6t_owner.h>
|
||||
|
||||
static bool
|
||||
owner_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||
{
|
||||
const struct ipt_owner_info *info = par->matchinfo;
|
||||
const struct file *filp;
|
||||
|
||||
if (skb->sk == NULL || skb->sk->sk_socket == NULL)
|
||||
return false;
|
||||
|
||||
filp = skb->sk->sk_socket->file;
|
||||
if (filp == NULL)
|
||||
return false;
|
||||
|
||||
if (info->match & IPT_OWNER_UID)
|
||||
if ((filp->f_cred->fsuid != info->uid) ^
|
||||
!!(info->invert & IPT_OWNER_UID))
|
||||
return false;
|
||||
|
||||
if (info->match & IPT_OWNER_GID)
|
||||
if ((filp->f_cred->fsgid != info->gid) ^
|
||||
!!(info->invert & IPT_OWNER_GID))
|
||||
return false;
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
static bool
|
||||
owner_mt6_v0(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||
{
|
||||
const struct ip6t_owner_info *info = par->matchinfo;
|
||||
const struct file *filp;
|
||||
|
||||
if (skb->sk == NULL || skb->sk->sk_socket == NULL)
|
||||
return false;
|
||||
|
||||
filp = skb->sk->sk_socket->file;
|
||||
if (filp == NULL)
|
||||
return false;
|
||||
|
||||
if (info->match & IP6T_OWNER_UID)
|
||||
if ((filp->f_cred->fsuid != info->uid) ^
|
||||
!!(info->invert & IP6T_OWNER_UID))
|
||||
return false;
|
||||
|
||||
if (info->match & IP6T_OWNER_GID)
|
||||
if ((filp->f_cred->fsgid != info->gid) ^
|
||||
!!(info->invert & IP6T_OWNER_GID))
|
||||
return false;
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
static bool
|
||||
owner_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||
@@ -107,81 +52,30 @@ owner_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||
return true;
|
||||
}
|
||||
|
||||
static bool owner_mt_check_v0(const struct xt_mtchk_param *par)
|
||||
{
|
||||
const struct ipt_owner_info *info = par->matchinfo;
|
||||
|
||||
if (info->match & (IPT_OWNER_PID | IPT_OWNER_SID | IPT_OWNER_COMM)) {
|
||||
printk(KERN_WARNING KBUILD_MODNAME
|
||||
": PID, SID and command matching is not "
|
||||
"supported anymore\n");
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
static bool owner_mt6_check_v0(const struct xt_mtchk_param *par)
|
||||
{
|
||||
const struct ip6t_owner_info *info = par->matchinfo;
|
||||
|
||||
if (info->match & (IP6T_OWNER_PID | IP6T_OWNER_SID)) {
|
||||
printk(KERN_WARNING KBUILD_MODNAME
|
||||
": PID and SID matching is not supported anymore\n");
|
||||
return false;
|
||||
}
|
||||
|
||||
return true;
|
||||
}
|
||||
|
||||
static struct xt_match owner_mt_reg[] __read_mostly = {
|
||||
{
|
||||
.name = "owner",
|
||||
.revision = 0,
|
||||
.family = NFPROTO_IPV4,
|
||||
.match = owner_mt_v0,
|
||||
.matchsize = sizeof(struct ipt_owner_info),
|
||||
.checkentry = owner_mt_check_v0,
|
||||
.hooks = (1 << NF_INET_LOCAL_OUT) |
|
||||
(1 << NF_INET_POST_ROUTING),
|
||||
.me = THIS_MODULE,
|
||||
},
|
||||
{
|
||||
.name = "owner",
|
||||
.revision = 0,
|
||||
.family = NFPROTO_IPV6,
|
||||
.match = owner_mt6_v0,
|
||||
.matchsize = sizeof(struct ip6t_owner_info),
|
||||
.checkentry = owner_mt6_check_v0,
|
||||
.hooks = (1 << NF_INET_LOCAL_OUT) |
|
||||
(1 << NF_INET_POST_ROUTING),
|
||||
.me = THIS_MODULE,
|
||||
},
|
||||
{
|
||||
.name = "owner",
|
||||
.revision = 1,
|
||||
.family = NFPROTO_UNSPEC,
|
||||
.match = owner_mt,
|
||||
.matchsize = sizeof(struct xt_owner_match_info),
|
||||
.hooks = (1 << NF_INET_LOCAL_OUT) |
|
||||
(1 << NF_INET_POST_ROUTING),
|
||||
.me = THIS_MODULE,
|
||||
},
|
||||
static struct xt_match owner_mt_reg __read_mostly = {
|
||||
.name = "owner",
|
||||
.revision = 1,
|
||||
.family = NFPROTO_UNSPEC,
|
||||
.match = owner_mt,
|
||||
.matchsize = sizeof(struct xt_owner_match_info),
|
||||
.hooks = (1 << NF_INET_LOCAL_OUT) |
|
||||
(1 << NF_INET_POST_ROUTING),
|
||||
.me = THIS_MODULE,
|
||||
};
|
||||
|
||||
static int __init owner_mt_init(void)
|
||||
{
|
||||
return xt_register_matches(owner_mt_reg, ARRAY_SIZE(owner_mt_reg));
|
||||
return xt_register_match(&owner_mt_reg);
|
||||
}
|
||||
|
||||
static void __exit owner_mt_exit(void)
|
||||
{
|
||||
xt_unregister_matches(owner_mt_reg, ARRAY_SIZE(owner_mt_reg));
|
||||
xt_unregister_match(&owner_mt_reg);
|
||||
}
|
||||
|
||||
module_init(owner_mt_init);
|
||||
module_exit(owner_mt_exit);
|
||||
MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
|
||||
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
|
||||
MODULE_DESCRIPTION("Xtables: socket owner matching");
|
||||
MODULE_LICENSE("GPL");
|
||||
MODULE_ALIAS("ipt_owner");
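Review bot: The new single `owner_mt_reg` has no `.checkentry`, so with `owner_mt_check_v0` and `owner_mt6_check_v0` removed nothing rejects unsupported bits in `xt_owner_match_info.match` or `.invert` when a rule is inserted; `owner_mt`'s body is outside the hunk, so whether it masks unknown bits itself cannot be seen here. If it does not, a small `owner_mt_check` that returns false for any `match`/`invert` bit outside the supported set, wired in with `.checkentry = owner_mt_check,`, would keep the rule-time validation the v0 entries provided instead of letting a malformed rule silently match or not match. Keeping `.hooks` limited to `NF_INET_LOCAL_OUT` and `NF_INET_POST_ROUTING` on the new entry is correct, since only locally generated packets carry the socket the match inspects.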
|
||||
|