mirror of
https://github.com/adulau/aha.git
synced 2024-12-28 03:36:19 +00:00
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6
This commit is contained in:
commit
424eff9751
32 changed files with 251 additions and 255 deletions
|
@ -66,6 +66,9 @@ struct ip_ct_tcp {
|
||||||
u_int32_t last_ack; /* Last sequence number seen in opposite dir */
|
u_int32_t last_ack; /* Last sequence number seen in opposite dir */
|
||||||
u_int32_t last_end; /* Last seq + len */
|
u_int32_t last_end; /* Last seq + len */
|
||||||
u_int16_t last_win; /* Last window advertisement seen in dir */
|
u_int16_t last_win; /* Last window advertisement seen in dir */
|
||||||
|
/* For SYN packets while we may be out-of-sync */
|
||||||
|
u_int8_t last_wscale; /* Last window scaling factor seen */
|
||||||
|
u_int8_t last_flags; /* Last flags set */
|
||||||
};
|
};
|
||||||
|
|
||||||
#endif /* __KERNEL__ */
|
#endif /* __KERNEL__ */
|
||||||
|
|
|
@ -384,11 +384,11 @@ static int mark_source_chains(struct xt_table_info *newinfo,
|
||||||
|= ((1 << hook) | (1 << NF_ARP_NUMHOOKS));
|
|= ((1 << hook) | (1 << NF_ARP_NUMHOOKS));
|
||||||
|
|
||||||
/* Unconditional return/END. */
|
/* Unconditional return/END. */
|
||||||
if ((e->target_offset == sizeof(struct arpt_entry)
|
if ((e->target_offset == sizeof(struct arpt_entry) &&
|
||||||
&& (strcmp(t->target.u.user.name,
|
(strcmp(t->target.u.user.name,
|
||||||
ARPT_STANDARD_TARGET) == 0)
|
ARPT_STANDARD_TARGET) == 0) &&
|
||||||
&& t->verdict < 0
|
t->verdict < 0 && unconditional(&e->arp)) ||
|
||||||
&& unconditional(&e->arp)) || visited) {
|
visited) {
|
||||||
unsigned int oldpos, size;
|
unsigned int oldpos, size;
|
||||||
|
|
||||||
if ((strcmp(t->target.u.user.name,
|
if ((strcmp(t->target.u.user.name,
|
||||||
|
@ -427,8 +427,8 @@ static int mark_source_chains(struct xt_table_info *newinfo,
|
||||||
int newpos = t->verdict;
|
int newpos = t->verdict;
|
||||||
|
|
||||||
if (strcmp(t->target.u.user.name,
|
if (strcmp(t->target.u.user.name,
|
||||||
ARPT_STANDARD_TARGET) == 0
|
ARPT_STANDARD_TARGET) == 0 &&
|
||||||
&& newpos >= 0) {
|
newpos >= 0) {
|
||||||
if (newpos > newinfo->size -
|
if (newpos > newinfo->size -
|
||||||
sizeof(struct arpt_entry)) {
|
sizeof(struct arpt_entry)) {
|
||||||
duprintf("mark_source_chains: "
|
duprintf("mark_source_chains: "
|
||||||
|
@ -559,8 +559,8 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e,
|
||||||
{
|
{
|
||||||
unsigned int h;
|
unsigned int h;
|
||||||
|
|
||||||
if ((unsigned long)e % __alignof__(struct arpt_entry) != 0
|
if ((unsigned long)e % __alignof__(struct arpt_entry) != 0 ||
|
||||||
|| (unsigned char *)e + sizeof(struct arpt_entry) >= limit) {
|
(unsigned char *)e + sizeof(struct arpt_entry) >= limit) {
|
||||||
duprintf("Bad offset %p\n", e);
|
duprintf("Bad offset %p\n", e);
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
}
|
}
|
||||||
|
@ -1251,8 +1251,8 @@ check_compat_entry_size_and_hooks(struct compat_arpt_entry *e,
|
||||||
int ret, off, h;
|
int ret, off, h;
|
||||||
|
|
||||||
duprintf("check_compat_entry_size_and_hooks %p\n", e);
|
duprintf("check_compat_entry_size_and_hooks %p\n", e);
|
||||||
if ((unsigned long)e % __alignof__(struct compat_arpt_entry) != 0
|
if ((unsigned long)e % __alignof__(struct compat_arpt_entry) != 0 ||
|
||||||
|| (unsigned char *)e + sizeof(struct compat_arpt_entry) >= limit) {
|
(unsigned char *)e + sizeof(struct compat_arpt_entry) >= limit) {
|
||||||
duprintf("Bad offset %p, limit = %p\n", e, limit);
|
duprintf("Bad offset %p, limit = %p\n", e, limit);
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
}
|
}
|
||||||
|
|
|
@ -497,8 +497,7 @@ ipq_rcv_nl_event(struct notifier_block *this,
|
||||||
{
|
{
|
||||||
struct netlink_notify *n = ptr;
|
struct netlink_notify *n = ptr;
|
||||||
|
|
||||||
if (event == NETLINK_URELEASE &&
|
if (event == NETLINK_URELEASE && n->protocol == NETLINK_FIREWALL) {
|
||||||
n->protocol == NETLINK_FIREWALL && n->pid) {
|
|
||||||
write_lock_bh(&queue_lock);
|
write_lock_bh(&queue_lock);
|
||||||
if ((net_eq(n->net, &init_net)) && (n->pid == peer_pid))
|
if ((net_eq(n->net, &init_net)) && (n->pid == peer_pid))
|
||||||
__ipq_reset();
|
__ipq_reset();
|
||||||
|
@ -622,7 +621,7 @@ cleanup_netlink_notifier:
|
||||||
static void __exit ip_queue_fini(void)
|
static void __exit ip_queue_fini(void)
|
||||||
{
|
{
|
||||||
nf_unregister_queue_handlers(&nfqh);
|
nf_unregister_queue_handlers(&nfqh);
|
||||||
synchronize_net();
|
|
||||||
ipq_flush(NULL, 0);
|
ipq_flush(NULL, 0);
|
||||||
|
|
||||||
#ifdef CONFIG_SYSCTL
|
#ifdef CONFIG_SYSCTL
|
||||||
|
|
|
@ -89,9 +89,9 @@ ip_packet_match(const struct iphdr *ip,
|
||||||
#define FWINV(bool, invflg) ((bool) ^ !!(ipinfo->invflags & (invflg)))
|
#define FWINV(bool, invflg) ((bool) ^ !!(ipinfo->invflags & (invflg)))
|
||||||
|
|
||||||
if (FWINV((ip->saddr&ipinfo->smsk.s_addr) != ipinfo->src.s_addr,
|
if (FWINV((ip->saddr&ipinfo->smsk.s_addr) != ipinfo->src.s_addr,
|
||||||
IPT_INV_SRCIP)
|
IPT_INV_SRCIP) ||
|
||||||
|| FWINV((ip->daddr&ipinfo->dmsk.s_addr) != ipinfo->dst.s_addr,
|
FWINV((ip->daddr&ipinfo->dmsk.s_addr) != ipinfo->dst.s_addr,
|
||||||
IPT_INV_DSTIP)) {
|
IPT_INV_DSTIP)) {
|
||||||
dprintf("Source or dest mismatch.\n");
|
dprintf("Source or dest mismatch.\n");
|
||||||
|
|
||||||
dprintf("SRC: %pI4. Mask: %pI4. Target: %pI4.%s\n",
|
dprintf("SRC: %pI4. Mask: %pI4. Target: %pI4.%s\n",
|
||||||
|
@ -122,8 +122,8 @@ ip_packet_match(const struct iphdr *ip,
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Check specific protocol */
|
/* Check specific protocol */
|
||||||
if (ipinfo->proto
|
if (ipinfo->proto &&
|
||||||
&& FWINV(ip->protocol != ipinfo->proto, IPT_INV_PROTO)) {
|
FWINV(ip->protocol != ipinfo->proto, IPT_INV_PROTO)) {
|
||||||
dprintf("Packet protocol %hi does not match %hi.%s\n",
|
dprintf("Packet protocol %hi does not match %hi.%s\n",
|
||||||
ip->protocol, ipinfo->proto,
|
ip->protocol, ipinfo->proto,
|
||||||
ipinfo->invflags&IPT_INV_PROTO ? " (INV)":"");
|
ipinfo->invflags&IPT_INV_PROTO ? " (INV)":"");
|
||||||
|
@ -246,11 +246,11 @@ get_chainname_rulenum(struct ipt_entry *s, struct ipt_entry *e,
|
||||||
} else if (s == e) {
|
} else if (s == e) {
|
||||||
(*rulenum)++;
|
(*rulenum)++;
|
||||||
|
|
||||||
if (s->target_offset == sizeof(struct ipt_entry)
|
if (s->target_offset == sizeof(struct ipt_entry) &&
|
||||||
&& strcmp(t->target.u.kernel.target->name,
|
strcmp(t->target.u.kernel.target->name,
|
||||||
IPT_STANDARD_TARGET) == 0
|
IPT_STANDARD_TARGET) == 0 &&
|
||||||
&& t->verdict < 0
|
t->verdict < 0 &&
|
||||||
&& unconditional(&s->ip)) {
|
unconditional(&s->ip)) {
|
||||||
/* Tail of chains: STANDARD target (return/policy) */
|
/* Tail of chains: STANDARD target (return/policy) */
|
||||||
*comment = *chainname == hookname
|
*comment = *chainname == hookname
|
||||||
? comments[NF_IP_TRACE_COMMENT_POLICY]
|
? comments[NF_IP_TRACE_COMMENT_POLICY]
|
||||||
|
@ -388,8 +388,8 @@ ipt_do_table(struct sk_buff *skb,
|
||||||
back = get_entry(table_base, back->comefrom);
|
back = get_entry(table_base, back->comefrom);
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
if (table_base + v != ipt_next_entry(e)
|
if (table_base + v != ipt_next_entry(e) &&
|
||||||
&& !(e->ip.flags & IPT_F_GOTO)) {
|
!(e->ip.flags & IPT_F_GOTO)) {
|
||||||
/* Save old back ptr in next entry */
|
/* Save old back ptr in next entry */
|
||||||
struct ipt_entry *next = ipt_next_entry(e);
|
struct ipt_entry *next = ipt_next_entry(e);
|
||||||
next->comefrom = (void *)back - table_base;
|
next->comefrom = (void *)back - table_base;
|
||||||
|
@ -473,11 +473,11 @@ mark_source_chains(struct xt_table_info *newinfo,
|
||||||
e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS));
|
e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS));
|
||||||
|
|
||||||
/* Unconditional return/END. */
|
/* Unconditional return/END. */
|
||||||
if ((e->target_offset == sizeof(struct ipt_entry)
|
if ((e->target_offset == sizeof(struct ipt_entry) &&
|
||||||
&& (strcmp(t->target.u.user.name,
|
(strcmp(t->target.u.user.name,
|
||||||
IPT_STANDARD_TARGET) == 0)
|
IPT_STANDARD_TARGET) == 0) &&
|
||||||
&& t->verdict < 0
|
t->verdict < 0 && unconditional(&e->ip)) ||
|
||||||
&& unconditional(&e->ip)) || visited) {
|
visited) {
|
||||||
unsigned int oldpos, size;
|
unsigned int oldpos, size;
|
||||||
|
|
||||||
if ((strcmp(t->target.u.user.name,
|
if ((strcmp(t->target.u.user.name,
|
||||||
|
@ -524,8 +524,8 @@ mark_source_chains(struct xt_table_info *newinfo,
|
||||||
int newpos = t->verdict;
|
int newpos = t->verdict;
|
||||||
|
|
||||||
if (strcmp(t->target.u.user.name,
|
if (strcmp(t->target.u.user.name,
|
||||||
IPT_STANDARD_TARGET) == 0
|
IPT_STANDARD_TARGET) == 0 &&
|
||||||
&& newpos >= 0) {
|
newpos >= 0) {
|
||||||
if (newpos > newinfo->size -
|
if (newpos > newinfo->size -
|
||||||
sizeof(struct ipt_entry)) {
|
sizeof(struct ipt_entry)) {
|
||||||
duprintf("mark_source_chains: "
|
duprintf("mark_source_chains: "
|
||||||
|
@ -735,8 +735,8 @@ check_entry_size_and_hooks(struct ipt_entry *e,
|
||||||
{
|
{
|
||||||
unsigned int h;
|
unsigned int h;
|
||||||
|
|
||||||
if ((unsigned long)e % __alignof__(struct ipt_entry) != 0
|
if ((unsigned long)e % __alignof__(struct ipt_entry) != 0 ||
|
||||||
|| (unsigned char *)e + sizeof(struct ipt_entry) >= limit) {
|
(unsigned char *)e + sizeof(struct ipt_entry) >= limit) {
|
||||||
duprintf("Bad offset %p\n", e);
|
duprintf("Bad offset %p\n", e);
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
}
|
}
|
||||||
|
@ -1548,8 +1548,8 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
|
||||||
int ret, off, h;
|
int ret, off, h;
|
||||||
|
|
||||||
duprintf("check_compat_entry_size_and_hooks %p\n", e);
|
duprintf("check_compat_entry_size_and_hooks %p\n", e);
|
||||||
if ((unsigned long)e % __alignof__(struct compat_ipt_entry) != 0
|
if ((unsigned long)e % __alignof__(struct compat_ipt_entry) != 0 ||
|
||||||
|| (unsigned char *)e + sizeof(struct compat_ipt_entry) >= limit) {
|
(unsigned char *)e + sizeof(struct compat_ipt_entry) >= limit) {
|
||||||
duprintf("Bad offset %p, limit = %p\n", e, limit);
|
duprintf("Bad offset %p, limit = %p\n", e, limit);
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
}
|
}
|
||||||
|
|
|
@ -303,9 +303,9 @@ clusterip_tg(struct sk_buff *skb, const struct xt_target_param *par)
|
||||||
|
|
||||||
/* special case: ICMP error handling. conntrack distinguishes between
|
/* special case: ICMP error handling. conntrack distinguishes between
|
||||||
* error messages (RELATED) and information requests (see below) */
|
* error messages (RELATED) and information requests (see below) */
|
||||||
if (ip_hdr(skb)->protocol == IPPROTO_ICMP
|
if (ip_hdr(skb)->protocol == IPPROTO_ICMP &&
|
||||||
&& (ctinfo == IP_CT_RELATED
|
(ctinfo == IP_CT_RELATED ||
|
||||||
|| ctinfo == IP_CT_RELATED+IP_CT_IS_REPLY))
|
ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY))
|
||||||
return XT_CONTINUE;
|
return XT_CONTINUE;
|
||||||
|
|
||||||
/* ip_conntrack_icmp guarantees us that we only have ICMP_ECHO,
|
/* ip_conntrack_icmp guarantees us that we only have ICMP_ECHO,
|
||||||
|
@ -362,8 +362,8 @@ static bool clusterip_tg_check(const struct xt_tgchk_param *par)
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
}
|
}
|
||||||
if (e->ip.dmsk.s_addr != htonl(0xffffffff)
|
if (e->ip.dmsk.s_addr != htonl(0xffffffff) ||
|
||||||
|| e->ip.dst.s_addr == 0) {
|
e->ip.dst.s_addr == 0) {
|
||||||
printk(KERN_ERR "CLUSTERIP: Please specify destination IP\n");
|
printk(KERN_ERR "CLUSTERIP: Please specify destination IP\n");
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
@ -495,14 +495,14 @@ arp_mangle(unsigned int hook,
|
||||||
struct clusterip_config *c;
|
struct clusterip_config *c;
|
||||||
|
|
||||||
/* we don't care about non-ethernet and non-ipv4 ARP */
|
/* we don't care about non-ethernet and non-ipv4 ARP */
|
||||||
if (arp->ar_hrd != htons(ARPHRD_ETHER)
|
if (arp->ar_hrd != htons(ARPHRD_ETHER) ||
|
||||||
|| arp->ar_pro != htons(ETH_P_IP)
|
arp->ar_pro != htons(ETH_P_IP) ||
|
||||||
|| arp->ar_pln != 4 || arp->ar_hln != ETH_ALEN)
|
arp->ar_pln != 4 || arp->ar_hln != ETH_ALEN)
|
||||||
return NF_ACCEPT;
|
return NF_ACCEPT;
|
||||||
|
|
||||||
/* we only want to mangle arp requests and replies */
|
/* we only want to mangle arp requests and replies */
|
||||||
if (arp->ar_op != htons(ARPOP_REPLY)
|
if (arp->ar_op != htons(ARPOP_REPLY) &&
|
||||||
&& arp->ar_op != htons(ARPOP_REQUEST))
|
arp->ar_op != htons(ARPOP_REQUEST))
|
||||||
return NF_ACCEPT;
|
return NF_ACCEPT;
|
||||||
|
|
||||||
payload = (void *)(arp+1);
|
payload = (void *)(arp+1);
|
||||||
|
|
|
@ -85,8 +85,8 @@ ecn_tg(struct sk_buff *skb, const struct xt_target_param *par)
|
||||||
if (!set_ect_ip(skb, einfo))
|
if (!set_ect_ip(skb, einfo))
|
||||||
return NF_DROP;
|
return NF_DROP;
|
||||||
|
|
||||||
if (einfo->operation & (IPT_ECN_OP_SET_ECE | IPT_ECN_OP_SET_CWR)
|
if (einfo->operation & (IPT_ECN_OP_SET_ECE | IPT_ECN_OP_SET_CWR) &&
|
||||||
&& ip_hdr(skb)->protocol == IPPROTO_TCP)
|
ip_hdr(skb)->protocol == IPPROTO_TCP)
|
||||||
if (!set_ect_tcp(skb, einfo))
|
if (!set_ect_tcp(skb, einfo))
|
||||||
return NF_DROP;
|
return NF_DROP;
|
||||||
|
|
||||||
|
@ -108,8 +108,8 @@ static bool ecn_tg_check(const struct xt_tgchk_param *par)
|
||||||
einfo->ip_ect);
|
einfo->ip_ect);
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR))
|
if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR)) &&
|
||||||
&& (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & XT_INV_PROTO))) {
|
(e->ip.proto != IPPROTO_TCP || (e->ip.invflags & XT_INV_PROTO))) {
|
||||||
printk(KERN_WARNING "ECN: cannot use TCP operations on a "
|
printk(KERN_WARNING "ECN: cannot use TCP operations on a "
|
||||||
"non-tcp rule\n");
|
"non-tcp rule\n");
|
||||||
return false;
|
return false;
|
||||||
|
|
|
@ -74,8 +74,8 @@ static void dump_packet(const struct nf_loginfo *info,
|
||||||
if (ntohs(ih->frag_off) & IP_OFFSET)
|
if (ntohs(ih->frag_off) & IP_OFFSET)
|
||||||
printk("FRAG:%u ", ntohs(ih->frag_off) & IP_OFFSET);
|
printk("FRAG:%u ", ntohs(ih->frag_off) & IP_OFFSET);
|
||||||
|
|
||||||
if ((logflags & IPT_LOG_IPOPT)
|
if ((logflags & IPT_LOG_IPOPT) &&
|
||||||
&& ih->ihl * 4 > sizeof(struct iphdr)) {
|
ih->ihl * 4 > sizeof(struct iphdr)) {
|
||||||
const unsigned char *op;
|
const unsigned char *op;
|
||||||
unsigned char _opt[4 * 15 - sizeof(struct iphdr)];
|
unsigned char _opt[4 * 15 - sizeof(struct iphdr)];
|
||||||
unsigned int i, optsize;
|
unsigned int i, optsize;
|
||||||
|
@ -146,8 +146,8 @@ static void dump_packet(const struct nf_loginfo *info,
|
||||||
/* Max length: 11 "URGP=65535 " */
|
/* Max length: 11 "URGP=65535 " */
|
||||||
printk("URGP=%u ", ntohs(th->urg_ptr));
|
printk("URGP=%u ", ntohs(th->urg_ptr));
|
||||||
|
|
||||||
if ((logflags & IPT_LOG_TCPOPT)
|
if ((logflags & IPT_LOG_TCPOPT) &&
|
||||||
&& th->doff * 4 > sizeof(struct tcphdr)) {
|
th->doff * 4 > sizeof(struct tcphdr)) {
|
||||||
unsigned char _opt[4 * 15 - sizeof(struct tcphdr)];
|
unsigned char _opt[4 * 15 - sizeof(struct tcphdr)];
|
||||||
const unsigned char *op;
|
const unsigned char *op;
|
||||||
unsigned int i, optsize;
|
unsigned int i, optsize;
|
||||||
|
@ -238,9 +238,9 @@ static void dump_packet(const struct nf_loginfo *info,
|
||||||
printk("TYPE=%u CODE=%u ", ich->type, ich->code);
|
printk("TYPE=%u CODE=%u ", ich->type, ich->code);
|
||||||
|
|
||||||
/* Max length: 25 "INCOMPLETE [65535 bytes] " */
|
/* Max length: 25 "INCOMPLETE [65535 bytes] " */
|
||||||
if (ich->type <= NR_ICMP_TYPES
|
if (ich->type <= NR_ICMP_TYPES &&
|
||||||
&& required_len[ich->type]
|
required_len[ich->type] &&
|
||||||
&& skb->len-iphoff-ih->ihl*4 < required_len[ich->type]) {
|
skb->len-iphoff-ih->ihl*4 < required_len[ich->type]) {
|
||||||
printk("INCOMPLETE [%u bytes] ",
|
printk("INCOMPLETE [%u bytes] ",
|
||||||
skb->len - iphoff - ih->ihl*4);
|
skb->len - iphoff - ih->ihl*4);
|
||||||
break;
|
break;
|
||||||
|
@ -276,8 +276,8 @@ static void dump_packet(const struct nf_loginfo *info,
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Max length: 10 "MTU=65535 " */
|
/* Max length: 10 "MTU=65535 " */
|
||||||
if (ich->type == ICMP_DEST_UNREACH
|
if (ich->type == ICMP_DEST_UNREACH &&
|
||||||
&& ich->code == ICMP_FRAG_NEEDED)
|
ich->code == ICMP_FRAG_NEEDED)
|
||||||
printk("MTU=%u ", ntohs(ich->un.frag.mtu));
|
printk("MTU=%u ", ntohs(ich->un.frag.mtu));
|
||||||
}
|
}
|
||||||
break;
|
break;
|
||||||
|
@ -407,8 +407,8 @@ ipt_log_packet(u_int8_t pf,
|
||||||
if (in && !out) {
|
if (in && !out) {
|
||||||
/* MAC logging for input chain only. */
|
/* MAC logging for input chain only. */
|
||||||
printk("MAC=");
|
printk("MAC=");
|
||||||
if (skb->dev && skb->dev->hard_header_len
|
if (skb->dev && skb->dev->hard_header_len &&
|
||||||
&& skb->mac_header != skb->network_header) {
|
skb->mac_header != skb->network_header) {
|
||||||
int i;
|
int i;
|
||||||
const unsigned char *p = skb_mac_header(skb);
|
const unsigned char *p = skb_mac_header(skb);
|
||||||
for (i = 0; i < skb->dev->hard_header_len; i++,p++)
|
for (i = 0; i < skb->dev->hard_header_len; i++,p++)
|
||||||
|
|
|
@ -59,8 +59,8 @@ masquerade_tg(struct sk_buff *skb, const struct xt_target_param *par)
|
||||||
ct = nf_ct_get(skb, &ctinfo);
|
ct = nf_ct_get(skb, &ctinfo);
|
||||||
nat = nfct_nat(ct);
|
nat = nfct_nat(ct);
|
||||||
|
|
||||||
NF_CT_ASSERT(ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED
|
NF_CT_ASSERT(ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED ||
|
||||||
|| ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY));
|
ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY));
|
||||||
|
|
||||||
/* Source address is 0.0.0.0 - locally generated packet that is
|
/* Source address is 0.0.0.0 - locally generated packet that is
|
||||||
* probably not supposed to be masqueraded.
|
* probably not supposed to be masqueraded.
|
||||||
|
|
|
@ -184,8 +184,8 @@ static bool reject_tg_check(const struct xt_tgchk_param *par)
|
||||||
return false;
|
return false;
|
||||||
} else if (rejinfo->with == IPT_TCP_RESET) {
|
} else if (rejinfo->with == IPT_TCP_RESET) {
|
||||||
/* Must specify that it's a TCP packet */
|
/* Must specify that it's a TCP packet */
|
||||||
if (e->ip.proto != IPPROTO_TCP
|
if (e->ip.proto != IPPROTO_TCP ||
|
||||||
|| (e->ip.invflags & XT_INV_PROTO)) {
|
(e->ip.invflags & XT_INV_PROTO)) {
|
||||||
printk("ipt_REJECT: TCP_RESET invalid for non-tcp\n");
|
printk("ipt_REJECT: TCP_RESET invalid for non-tcp\n");
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
|
@ -226,9 +226,9 @@ static void ipt_ulog_packet(unsigned int hooknum,
|
||||||
else
|
else
|
||||||
*(pm->prefix) = '\0';
|
*(pm->prefix) = '\0';
|
||||||
|
|
||||||
if (in && in->hard_header_len > 0
|
if (in && in->hard_header_len > 0 &&
|
||||||
&& skb->mac_header != skb->network_header
|
skb->mac_header != skb->network_header &&
|
||||||
&& in->hard_header_len <= ULOG_MAC_LEN) {
|
in->hard_header_len <= ULOG_MAC_LEN) {
|
||||||
memcpy(pm->mac, skb_mac_header(skb), in->hard_header_len);
|
memcpy(pm->mac, skb_mac_header(skb), in->hard_header_len);
|
||||||
pm->mac_len = in->hard_header_len;
|
pm->mac_len = in->hard_header_len;
|
||||||
} else
|
} else
|
||||||
|
|
|
@ -96,8 +96,8 @@ static bool ecn_mt_check(const struct xt_mtchk_param *par)
|
||||||
if (info->invert & IPT_ECN_OP_MATCH_MASK)
|
if (info->invert & IPT_ECN_OP_MATCH_MASK)
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR)
|
if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR) &&
|
||||||
&& ip->proto != IPPROTO_TCP) {
|
ip->proto != IPPROTO_TCP) {
|
||||||
printk(KERN_WARNING "ipt_ecn: can't match TCP bits in rule for"
|
printk(KERN_WARNING "ipt_ecn: can't match TCP bits in rule for"
|
||||||
" non-tcp packets\n");
|
" non-tcp packets\n");
|
||||||
return false;
|
return false;
|
||||||
|
|
|
@ -130,8 +130,8 @@ ipt_local_hook(unsigned int hook,
|
||||||
u_int32_t mark;
|
u_int32_t mark;
|
||||||
|
|
||||||
/* root is playing with raw sockets. */
|
/* root is playing with raw sockets. */
|
||||||
if (skb->len < sizeof(struct iphdr)
|
if (skb->len < sizeof(struct iphdr) ||
|
||||||
|| ip_hdrlen(skb) < sizeof(struct iphdr))
|
ip_hdrlen(skb) < sizeof(struct iphdr))
|
||||||
return NF_ACCEPT;
|
return NF_ACCEPT;
|
||||||
|
|
||||||
/* Save things which could affect route */
|
/* Save things which could affect route */
|
||||||
|
|
|
@ -94,8 +94,8 @@ ipt_local_out_hook(unsigned int hook,
|
||||||
int (*okfn)(struct sk_buff *))
|
int (*okfn)(struct sk_buff *))
|
||||||
{
|
{
|
||||||
/* Somebody is playing with raw sockets. */
|
/* Somebody is playing with raw sockets. */
|
||||||
if (skb->len < sizeof(struct iphdr)
|
if (skb->len < sizeof(struct iphdr) ||
|
||||||
|| ip_hdrlen(skb) < sizeof(struct iphdr))
|
ip_hdrlen(skb) < sizeof(struct iphdr))
|
||||||
return NF_ACCEPT;
|
return NF_ACCEPT;
|
||||||
return ipt_do_table(skb, hook, in, out,
|
return ipt_do_table(skb, hook, in, out,
|
||||||
dev_net(out)->ipv4.iptable_security);
|
dev_net(out)->ipv4.iptable_security);
|
||||||
|
|
|
@ -54,8 +54,8 @@ static const u_int8_t invmap[] = {
|
||||||
static bool icmp_invert_tuple(struct nf_conntrack_tuple *tuple,
|
static bool icmp_invert_tuple(struct nf_conntrack_tuple *tuple,
|
||||||
const struct nf_conntrack_tuple *orig)
|
const struct nf_conntrack_tuple *orig)
|
||||||
{
|
{
|
||||||
if (orig->dst.u.icmp.type >= sizeof(invmap)
|
if (orig->dst.u.icmp.type >= sizeof(invmap) ||
|
||||||
|| !invmap[orig->dst.u.icmp.type])
|
!invmap[orig->dst.u.icmp.type])
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
tuple->src.u.icmp.id = orig->src.u.icmp.id;
|
tuple->src.u.icmp.id = orig->src.u.icmp.id;
|
||||||
|
@ -101,8 +101,8 @@ static bool icmp_new(struct nf_conn *ct, const struct sk_buff *skb,
|
||||||
[ICMP_ADDRESS] = 1
|
[ICMP_ADDRESS] = 1
|
||||||
};
|
};
|
||||||
|
|
||||||
if (ct->tuplehash[0].tuple.dst.u.icmp.type >= sizeof(valid_new)
|
if (ct->tuplehash[0].tuple.dst.u.icmp.type >= sizeof(valid_new) ||
|
||||||
|| !valid_new[ct->tuplehash[0].tuple.dst.u.icmp.type]) {
|
!valid_new[ct->tuplehash[0].tuple.dst.u.icmp.type]) {
|
||||||
/* Can't create a new ICMP `conn' with this. */
|
/* Can't create a new ICMP `conn' with this. */
|
||||||
pr_debug("icmp: can't create new conn with type %u\n",
|
pr_debug("icmp: can't create new conn with type %u\n",
|
||||||
ct->tuplehash[0].tuple.dst.u.icmp.type);
|
ct->tuplehash[0].tuple.dst.u.icmp.type);
|
||||||
|
@ -201,11 +201,11 @@ icmp_error(struct net *net, struct sk_buff *skb, unsigned int dataoff,
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Need to track icmp error message? */
|
/* Need to track icmp error message? */
|
||||||
if (icmph->type != ICMP_DEST_UNREACH
|
if (icmph->type != ICMP_DEST_UNREACH &&
|
||||||
&& icmph->type != ICMP_SOURCE_QUENCH
|
icmph->type != ICMP_SOURCE_QUENCH &&
|
||||||
&& icmph->type != ICMP_TIME_EXCEEDED
|
icmph->type != ICMP_TIME_EXCEEDED &&
|
||||||
&& icmph->type != ICMP_PARAMETERPROB
|
icmph->type != ICMP_PARAMETERPROB &&
|
||||||
&& icmph->type != ICMP_REDIRECT)
|
icmph->type != ICMP_REDIRECT)
|
||||||
return NF_ACCEPT;
|
return NF_ACCEPT;
|
||||||
|
|
||||||
return icmp_error_message(net, skb, ctinfo, hooknum);
|
return icmp_error_message(net, skb, ctinfo, hooknum);
|
||||||
|
@ -238,17 +238,17 @@ static const struct nla_policy icmp_nla_policy[CTA_PROTO_MAX+1] = {
|
||||||
static int icmp_nlattr_to_tuple(struct nlattr *tb[],
|
static int icmp_nlattr_to_tuple(struct nlattr *tb[],
|
||||||
struct nf_conntrack_tuple *tuple)
|
struct nf_conntrack_tuple *tuple)
|
||||||
{
|
{
|
||||||
if (!tb[CTA_PROTO_ICMP_TYPE]
|
if (!tb[CTA_PROTO_ICMP_TYPE] ||
|
||||||
|| !tb[CTA_PROTO_ICMP_CODE]
|
!tb[CTA_PROTO_ICMP_CODE] ||
|
||||||
|| !tb[CTA_PROTO_ICMP_ID])
|
!tb[CTA_PROTO_ICMP_ID])
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
|
|
||||||
tuple->dst.u.icmp.type = nla_get_u8(tb[CTA_PROTO_ICMP_TYPE]);
|
tuple->dst.u.icmp.type = nla_get_u8(tb[CTA_PROTO_ICMP_TYPE]);
|
||||||
tuple->dst.u.icmp.code = nla_get_u8(tb[CTA_PROTO_ICMP_CODE]);
|
tuple->dst.u.icmp.code = nla_get_u8(tb[CTA_PROTO_ICMP_CODE]);
|
||||||
tuple->src.u.icmp.id = nla_get_be16(tb[CTA_PROTO_ICMP_ID]);
|
tuple->src.u.icmp.id = nla_get_be16(tb[CTA_PROTO_ICMP_ID]);
|
||||||
|
|
||||||
if (tuple->dst.u.icmp.type >= sizeof(invmap)
|
if (tuple->dst.u.icmp.type >= sizeof(invmap) ||
|
||||||
|| !invmap[tuple->dst.u.icmp.type])
|
!invmap[tuple->dst.u.icmp.type])
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
|
|
|
@ -41,18 +41,14 @@ adjust_tcp_sequence(u32 seq,
|
||||||
struct nf_conn *ct,
|
struct nf_conn *ct,
|
||||||
enum ip_conntrack_info ctinfo)
|
enum ip_conntrack_info ctinfo)
|
||||||
{
|
{
|
||||||
int dir;
|
enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
|
||||||
struct nf_nat_seq *this_way, *other_way;
|
|
||||||
struct nf_conn_nat *nat = nfct_nat(ct);
|
struct nf_conn_nat *nat = nfct_nat(ct);
|
||||||
|
struct nf_nat_seq *this_way = &nat->seq[dir];
|
||||||
|
|
||||||
pr_debug("adjust_tcp_sequence: seq = %u, sizediff = %d\n", seq, seq);
|
pr_debug("adjust_tcp_sequence: seq = %u, sizediff = %d\n",
|
||||||
|
seq, sizediff);
|
||||||
|
|
||||||
dir = CTINFO2DIR(ctinfo);
|
pr_debug("adjust_tcp_sequence: Seq_offset before: ");
|
||||||
|
|
||||||
this_way = &nat->seq[dir];
|
|
||||||
other_way = &nat->seq[!dir];
|
|
||||||
|
|
||||||
pr_debug("nf_nat_resize_packet: Seq_offset before: ");
|
|
||||||
DUMP_OFFSET(this_way);
|
DUMP_OFFSET(this_way);
|
||||||
|
|
||||||
spin_lock_bh(&nf_nat_seqofs_lock);
|
spin_lock_bh(&nf_nat_seqofs_lock);
|
||||||
|
@ -63,13 +59,13 @@ adjust_tcp_sequence(u32 seq,
|
||||||
* retransmit */
|
* retransmit */
|
||||||
if (this_way->offset_before == this_way->offset_after ||
|
if (this_way->offset_before == this_way->offset_after ||
|
||||||
before(this_way->correction_pos, seq)) {
|
before(this_way->correction_pos, seq)) {
|
||||||
this_way->correction_pos = seq;
|
this_way->correction_pos = seq;
|
||||||
this_way->offset_before = this_way->offset_after;
|
this_way->offset_before = this_way->offset_after;
|
||||||
this_way->offset_after += sizediff;
|
this_way->offset_after += sizediff;
|
||||||
}
|
}
|
||||||
spin_unlock_bh(&nf_nat_seqofs_lock);
|
spin_unlock_bh(&nf_nat_seqofs_lock);
|
||||||
|
|
||||||
pr_debug("nf_nat_resize_packet: Seq_offset after: ");
|
pr_debug("adjust_tcp_sequence: Seq_offset after: ");
|
||||||
DUMP_OFFSET(this_way);
|
DUMP_OFFSET(this_way);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -197,11 +197,11 @@ nf_nat_out(unsigned int hooknum,
|
||||||
(ct = nf_ct_get(skb, &ctinfo)) != NULL) {
|
(ct = nf_ct_get(skb, &ctinfo)) != NULL) {
|
||||||
enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
|
enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
|
||||||
|
|
||||||
if (ct->tuplehash[dir].tuple.src.u3.ip !=
|
if ((ct->tuplehash[dir].tuple.src.u3.ip !=
|
||||||
ct->tuplehash[!dir].tuple.dst.u3.ip
|
ct->tuplehash[!dir].tuple.dst.u3.ip) ||
|
||||||
|| ct->tuplehash[dir].tuple.src.u.all !=
|
(ct->tuplehash[dir].tuple.src.u.all !=
|
||||||
ct->tuplehash[!dir].tuple.dst.u.all
|
ct->tuplehash[!dir].tuple.dst.u.all)
|
||||||
)
|
)
|
||||||
return ip_xfrm_me_harder(skb) == 0 ? ret : NF_DROP;
|
return ip_xfrm_me_harder(skb) == 0 ? ret : NF_DROP;
|
||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
|
@ -499,8 +499,7 @@ ipq_rcv_nl_event(struct notifier_block *this,
|
||||||
{
|
{
|
||||||
struct netlink_notify *n = ptr;
|
struct netlink_notify *n = ptr;
|
||||||
|
|
||||||
if (event == NETLINK_URELEASE &&
|
if (event == NETLINK_URELEASE && n->protocol == NETLINK_IP6_FW) {
|
||||||
n->protocol == NETLINK_IP6_FW && n->pid) {
|
|
||||||
write_lock_bh(&queue_lock);
|
write_lock_bh(&queue_lock);
|
||||||
if ((net_eq(n->net, &init_net)) && (n->pid == peer_pid))
|
if ((net_eq(n->net, &init_net)) && (n->pid == peer_pid))
|
||||||
__ipq_reset();
|
__ipq_reset();
|
||||||
|
@ -625,7 +624,7 @@ cleanup_netlink_notifier:
|
||||||
static void __exit ip6_queue_fini(void)
|
static void __exit ip6_queue_fini(void)
|
||||||
{
|
{
|
||||||
nf_unregister_queue_handlers(&nfqh);
|
nf_unregister_queue_handlers(&nfqh);
|
||||||
synchronize_net();
|
|
||||||
ipq_flush(NULL, 0);
|
ipq_flush(NULL, 0);
|
||||||
|
|
||||||
#ifdef CONFIG_SYSCTL
|
#ifdef CONFIG_SYSCTL
|
||||||
|
|
|
@ -105,9 +105,9 @@ ip6_packet_match(const struct sk_buff *skb,
|
||||||
#define FWINV(bool, invflg) ((bool) ^ !!(ip6info->invflags & (invflg)))
|
#define FWINV(bool, invflg) ((bool) ^ !!(ip6info->invflags & (invflg)))
|
||||||
|
|
||||||
if (FWINV(ipv6_masked_addr_cmp(&ipv6->saddr, &ip6info->smsk,
|
if (FWINV(ipv6_masked_addr_cmp(&ipv6->saddr, &ip6info->smsk,
|
||||||
&ip6info->src), IP6T_INV_SRCIP)
|
&ip6info->src), IP6T_INV_SRCIP) ||
|
||||||
|| FWINV(ipv6_masked_addr_cmp(&ipv6->daddr, &ip6info->dmsk,
|
FWINV(ipv6_masked_addr_cmp(&ipv6->daddr, &ip6info->dmsk,
|
||||||
&ip6info->dst), IP6T_INV_DSTIP)) {
|
&ip6info->dst), IP6T_INV_DSTIP)) {
|
||||||
dprintf("Source or dest mismatch.\n");
|
dprintf("Source or dest mismatch.\n");
|
||||||
/*
|
/*
|
||||||
dprintf("SRC: %u. Mask: %u. Target: %u.%s\n", ip->saddr,
|
dprintf("SRC: %u. Mask: %u. Target: %u.%s\n", ip->saddr,
|
||||||
|
@ -277,11 +277,11 @@ get_chainname_rulenum(struct ip6t_entry *s, struct ip6t_entry *e,
|
||||||
} else if (s == e) {
|
} else if (s == e) {
|
||||||
(*rulenum)++;
|
(*rulenum)++;
|
||||||
|
|
||||||
if (s->target_offset == sizeof(struct ip6t_entry)
|
if (s->target_offset == sizeof(struct ip6t_entry) &&
|
||||||
&& strcmp(t->target.u.kernel.target->name,
|
strcmp(t->target.u.kernel.target->name,
|
||||||
IP6T_STANDARD_TARGET) == 0
|
IP6T_STANDARD_TARGET) == 0 &&
|
||||||
&& t->verdict < 0
|
t->verdict < 0 &&
|
||||||
&& unconditional(&s->ipv6)) {
|
unconditional(&s->ipv6)) {
|
||||||
/* Tail of chains: STANDARD target (return/policy) */
|
/* Tail of chains: STANDARD target (return/policy) */
|
||||||
*comment = *chainname == hookname
|
*comment = *chainname == hookname
|
||||||
? comments[NF_IP6_TRACE_COMMENT_POLICY]
|
? comments[NF_IP6_TRACE_COMMENT_POLICY]
|
||||||
|
@ -418,8 +418,8 @@ ip6t_do_table(struct sk_buff *skb,
|
||||||
back = get_entry(table_base, back->comefrom);
|
back = get_entry(table_base, back->comefrom);
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
if (table_base + v != ip6t_next_entry(e)
|
if (table_base + v != ip6t_next_entry(e) &&
|
||||||
&& !(e->ipv6.flags & IP6T_F_GOTO)) {
|
!(e->ipv6.flags & IP6T_F_GOTO)) {
|
||||||
/* Save old back ptr in next entry */
|
/* Save old back ptr in next entry */
|
||||||
struct ip6t_entry *next = ip6t_next_entry(e);
|
struct ip6t_entry *next = ip6t_next_entry(e);
|
||||||
next->comefrom = (void *)back - table_base;
|
next->comefrom = (void *)back - table_base;
|
||||||
|
@ -505,11 +505,11 @@ mark_source_chains(struct xt_table_info *newinfo,
|
||||||
e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS));
|
e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS));
|
||||||
|
|
||||||
/* Unconditional return/END. */
|
/* Unconditional return/END. */
|
||||||
if ((e->target_offset == sizeof(struct ip6t_entry)
|
if ((e->target_offset == sizeof(struct ip6t_entry) &&
|
||||||
&& (strcmp(t->target.u.user.name,
|
(strcmp(t->target.u.user.name,
|
||||||
IP6T_STANDARD_TARGET) == 0)
|
IP6T_STANDARD_TARGET) == 0) &&
|
||||||
&& t->verdict < 0
|
t->verdict < 0 &&
|
||||||
&& unconditional(&e->ipv6)) || visited) {
|
unconditional(&e->ipv6)) || visited) {
|
||||||
unsigned int oldpos, size;
|
unsigned int oldpos, size;
|
||||||
|
|
||||||
if ((strcmp(t->target.u.user.name,
|
if ((strcmp(t->target.u.user.name,
|
||||||
|
@ -556,8 +556,8 @@ mark_source_chains(struct xt_table_info *newinfo,
|
||||||
int newpos = t->verdict;
|
int newpos = t->verdict;
|
||||||
|
|
||||||
if (strcmp(t->target.u.user.name,
|
if (strcmp(t->target.u.user.name,
|
||||||
IP6T_STANDARD_TARGET) == 0
|
IP6T_STANDARD_TARGET) == 0 &&
|
||||||
&& newpos >= 0) {
|
newpos >= 0) {
|
||||||
if (newpos > newinfo->size -
|
if (newpos > newinfo->size -
|
||||||
sizeof(struct ip6t_entry)) {
|
sizeof(struct ip6t_entry)) {
|
||||||
duprintf("mark_source_chains: "
|
duprintf("mark_source_chains: "
|
||||||
|
@ -767,8 +767,8 @@ check_entry_size_and_hooks(struct ip6t_entry *e,
|
||||||
{
|
{
|
||||||
unsigned int h;
|
unsigned int h;
|
||||||
|
|
||||||
if ((unsigned long)e % __alignof__(struct ip6t_entry) != 0
|
if ((unsigned long)e % __alignof__(struct ip6t_entry) != 0 ||
|
||||||
|| (unsigned char *)e + sizeof(struct ip6t_entry) >= limit) {
|
(unsigned char *)e + sizeof(struct ip6t_entry) >= limit) {
|
||||||
duprintf("Bad offset %p\n", e);
|
duprintf("Bad offset %p\n", e);
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
}
|
}
|
||||||
|
@ -1584,8 +1584,8 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
|
||||||
int ret, off, h;
|
int ret, off, h;
|
||||||
|
|
||||||
duprintf("check_compat_entry_size_and_hooks %p\n", e);
|
duprintf("check_compat_entry_size_and_hooks %p\n", e);
|
||||||
if ((unsigned long)e % __alignof__(struct compat_ip6t_entry) != 0
|
if ((unsigned long)e % __alignof__(struct compat_ip6t_entry) != 0 ||
|
||||||
|| (unsigned char *)e + sizeof(struct compat_ip6t_entry) >= limit) {
|
(unsigned char *)e + sizeof(struct compat_ip6t_entry) >= limit) {
|
||||||
duprintf("Bad offset %p, limit = %p\n", e, limit);
|
duprintf("Bad offset %p, limit = %p\n", e, limit);
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
}
|
}
|
||||||
|
|
|
@ -249,8 +249,8 @@ static void dump_packet(const struct nf_loginfo *info,
|
||||||
/* Max length: 11 "URGP=65535 " */
|
/* Max length: 11 "URGP=65535 " */
|
||||||
printk("URGP=%u ", ntohs(th->urg_ptr));
|
printk("URGP=%u ", ntohs(th->urg_ptr));
|
||||||
|
|
||||||
if ((logflags & IP6T_LOG_TCPOPT)
|
if ((logflags & IP6T_LOG_TCPOPT) &&
|
||||||
&& th->doff * 4 > sizeof(struct tcphdr)) {
|
th->doff * 4 > sizeof(struct tcphdr)) {
|
||||||
u_int8_t _opt[60 - sizeof(struct tcphdr)];
|
u_int8_t _opt[60 - sizeof(struct tcphdr)];
|
||||||
const u_int8_t *op;
|
const u_int8_t *op;
|
||||||
unsigned int i;
|
unsigned int i;
|
||||||
|
|
|
@ -223,8 +223,8 @@ static bool reject_tg6_check(const struct xt_tgchk_param *par)
|
||||||
return false;
|
return false;
|
||||||
} else if (rejinfo->with == IP6T_TCP_RESET) {
|
} else if (rejinfo->with == IP6T_TCP_RESET) {
|
||||||
/* Must specify that it's a TCP packet */
|
/* Must specify that it's a TCP packet */
|
||||||
if (e->ipv6.proto != IPPROTO_TCP
|
if (e->ipv6.proto != IPPROTO_TCP ||
|
||||||
|| (e->ipv6.invflags & XT_INV_PROTO)) {
|
(e->ipv6.invflags & XT_INV_PROTO)) {
|
||||||
printk("ip6t_REJECT: TCP_RESET illegal for non-tcp\n");
|
printk("ip6t_REJECT: TCP_RESET illegal for non-tcp\n");
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
|
|
@ -77,17 +77,14 @@ static bool ah_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||||
ahinfo->hdrres, ah->reserved,
|
ahinfo->hdrres, ah->reserved,
|
||||||
!(ahinfo->hdrres && ah->reserved));
|
!(ahinfo->hdrres && ah->reserved));
|
||||||
|
|
||||||
return (ah != NULL)
|
return (ah != NULL) &&
|
||||||
&&
|
spi_match(ahinfo->spis[0], ahinfo->spis[1],
|
||||||
spi_match(ahinfo->spis[0], ahinfo->spis[1],
|
ntohl(ah->spi),
|
||||||
ntohl(ah->spi),
|
!!(ahinfo->invflags & IP6T_AH_INV_SPI)) &&
|
||||||
!!(ahinfo->invflags & IP6T_AH_INV_SPI))
|
(!ahinfo->hdrlen ||
|
||||||
&&
|
(ahinfo->hdrlen == hdrlen) ^
|
||||||
(!ahinfo->hdrlen ||
|
!!(ahinfo->invflags & IP6T_AH_INV_LEN)) &&
|
||||||
(ahinfo->hdrlen == hdrlen) ^
|
!(ahinfo->hdrres && ah->reserved);
|
||||||
!!(ahinfo->invflags & IP6T_AH_INV_LEN))
|
|
||||||
&&
|
|
||||||
!(ahinfo->hdrres && ah->reserved);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool ah_mt6_check(const struct xt_mtchk_param *par)
|
static bool ah_mt6_check(const struct xt_mtchk_param *par)
|
||||||
|
|
|
@ -70,41 +70,36 @@ frag_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||||
pr_debug("res %02X %02X%04X %02X ",
|
pr_debug("res %02X %02X%04X %02X ",
|
||||||
fraginfo->flags & IP6T_FRAG_RES, fh->reserved,
|
fraginfo->flags & IP6T_FRAG_RES, fh->reserved,
|
||||||
ntohs(fh->frag_off) & 0x6,
|
ntohs(fh->frag_off) & 0x6,
|
||||||
!((fraginfo->flags & IP6T_FRAG_RES)
|
!((fraginfo->flags & IP6T_FRAG_RES) &&
|
||||||
&& (fh->reserved || (ntohs(fh->frag_off) & 0x06))));
|
(fh->reserved || (ntohs(fh->frag_off) & 0x06))));
|
||||||
pr_debug("first %02X %02X %02X ",
|
pr_debug("first %02X %02X %02X ",
|
||||||
fraginfo->flags & IP6T_FRAG_FST,
|
fraginfo->flags & IP6T_FRAG_FST,
|
||||||
ntohs(fh->frag_off) & ~0x7,
|
ntohs(fh->frag_off) & ~0x7,
|
||||||
!((fraginfo->flags & IP6T_FRAG_FST)
|
!((fraginfo->flags & IP6T_FRAG_FST) &&
|
||||||
&& (ntohs(fh->frag_off) & ~0x7)));
|
(ntohs(fh->frag_off) & ~0x7)));
|
||||||
pr_debug("mf %02X %02X %02X ",
|
pr_debug("mf %02X %02X %02X ",
|
||||||
fraginfo->flags & IP6T_FRAG_MF,
|
fraginfo->flags & IP6T_FRAG_MF,
|
||||||
ntohs(fh->frag_off) & IP6_MF,
|
ntohs(fh->frag_off) & IP6_MF,
|
||||||
!((fraginfo->flags & IP6T_FRAG_MF)
|
!((fraginfo->flags & IP6T_FRAG_MF) &&
|
||||||
&& !((ntohs(fh->frag_off) & IP6_MF))));
|
!((ntohs(fh->frag_off) & IP6_MF))));
|
||||||
pr_debug("last %02X %02X %02X\n",
|
pr_debug("last %02X %02X %02X\n",
|
||||||
fraginfo->flags & IP6T_FRAG_NMF,
|
fraginfo->flags & IP6T_FRAG_NMF,
|
||||||
ntohs(fh->frag_off) & IP6_MF,
|
ntohs(fh->frag_off) & IP6_MF,
|
||||||
!((fraginfo->flags & IP6T_FRAG_NMF)
|
!((fraginfo->flags & IP6T_FRAG_NMF) &&
|
||||||
&& (ntohs(fh->frag_off) & IP6_MF)));
|
(ntohs(fh->frag_off) & IP6_MF)));
|
||||||
|
|
||||||
return (fh != NULL)
|
return (fh != NULL) &&
|
||||||
&&
|
id_match(fraginfo->ids[0], fraginfo->ids[1],
|
||||||
id_match(fraginfo->ids[0], fraginfo->ids[1],
|
ntohl(fh->identification),
|
||||||
ntohl(fh->identification),
|
!!(fraginfo->invflags & IP6T_FRAG_INV_IDS)) &&
|
||||||
!!(fraginfo->invflags & IP6T_FRAG_INV_IDS))
|
!((fraginfo->flags & IP6T_FRAG_RES) &&
|
||||||
&&
|
(fh->reserved || (ntohs(fh->frag_off) & 0x6))) &&
|
||||||
!((fraginfo->flags & IP6T_FRAG_RES)
|
!((fraginfo->flags & IP6T_FRAG_FST) &&
|
||||||
&& (fh->reserved || (ntohs(fh->frag_off) & 0x6)))
|
(ntohs(fh->frag_off) & ~0x7)) &&
|
||||||
&&
|
!((fraginfo->flags & IP6T_FRAG_MF) &&
|
||||||
!((fraginfo->flags & IP6T_FRAG_FST)
|
!(ntohs(fh->frag_off) & IP6_MF)) &&
|
||||||
&& (ntohs(fh->frag_off) & ~0x7))
|
!((fraginfo->flags & IP6T_FRAG_NMF) &&
|
||||||
&&
|
(ntohs(fh->frag_off) & IP6_MF));
|
||||||
!((fraginfo->flags & IP6T_FRAG_MF)
|
|
||||||
&& !(ntohs(fh->frag_off) & IP6_MF))
|
|
||||||
&&
|
|
||||||
!((fraginfo->flags & IP6T_FRAG_NMF)
|
|
||||||
&& (ntohs(fh->frag_off) & IP6_MF));
|
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool frag_mt6_check(const struct xt_mtchk_param *par)
|
static bool frag_mt6_check(const struct xt_mtchk_param *par)
|
||||||
|
|
|
@ -92,16 +92,13 @@ static bool rt_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||||
!((rtinfo->flags & IP6T_RT_RES) &&
|
!((rtinfo->flags & IP6T_RT_RES) &&
|
||||||
(((const struct rt0_hdr *)rh)->reserved)));
|
(((const struct rt0_hdr *)rh)->reserved)));
|
||||||
|
|
||||||
ret = (rh != NULL)
|
ret = (rh != NULL) &&
|
||||||
&&
|
|
||||||
(segsleft_match(rtinfo->segsleft[0], rtinfo->segsleft[1],
|
(segsleft_match(rtinfo->segsleft[0], rtinfo->segsleft[1],
|
||||||
rh->segments_left,
|
rh->segments_left,
|
||||||
!!(rtinfo->invflags & IP6T_RT_INV_SGS)))
|
!!(rtinfo->invflags & IP6T_RT_INV_SGS))) &&
|
||||||
&&
|
|
||||||
(!(rtinfo->flags & IP6T_RT_LEN) ||
|
(!(rtinfo->flags & IP6T_RT_LEN) ||
|
||||||
((rtinfo->hdrlen == hdrlen) ^
|
((rtinfo->hdrlen == hdrlen) ^
|
||||||
!!(rtinfo->invflags & IP6T_RT_INV_LEN)))
|
!!(rtinfo->invflags & IP6T_RT_INV_LEN))) &&
|
||||||
&&
|
|
||||||
(!(rtinfo->flags & IP6T_RT_TYP) ||
|
(!(rtinfo->flags & IP6T_RT_TYP) ||
|
||||||
((rtinfo->rt_type == rh->type) ^
|
((rtinfo->rt_type == rh->type) ^
|
||||||
!!(rtinfo->invflags & IP6T_RT_INV_TYP)));
|
!!(rtinfo->invflags & IP6T_RT_INV_TYP)));
|
||||||
|
|
|
@ -79,8 +79,8 @@ ip6t_local_out_hook(unsigned int hook,
|
||||||
{
|
{
|
||||||
#if 0
|
#if 0
|
||||||
/* root is playing with raw sockets. */
|
/* root is playing with raw sockets. */
|
||||||
if (skb->len < sizeof(struct iphdr)
|
if (skb->len < sizeof(struct iphdr) ||
|
||||||
|| ip_hdrlen(skb) < sizeof(struct iphdr)) {
|
ip_hdrlen(skb) < sizeof(struct iphdr)) {
|
||||||
if (net_ratelimit())
|
if (net_ratelimit())
|
||||||
printk("ip6t_hook: happy cracking.\n");
|
printk("ip6t_hook: happy cracking.\n");
|
||||||
return NF_ACCEPT;
|
return NF_ACCEPT;
|
||||||
|
|
|
@ -102,8 +102,8 @@ ip6t_local_out_hook(unsigned int hook,
|
||||||
|
|
||||||
#if 0
|
#if 0
|
||||||
/* root is playing with raw sockets. */
|
/* root is playing with raw sockets. */
|
||||||
if (skb->len < sizeof(struct iphdr)
|
if (skb->len < sizeof(struct iphdr) ||
|
||||||
|| ip_hdrlen(skb) < sizeof(struct iphdr)) {
|
ip_hdrlen(skb) < sizeof(struct iphdr)) {
|
||||||
if (net_ratelimit())
|
if (net_ratelimit())
|
||||||
printk("ip6t_hook: happy cracking.\n");
|
printk("ip6t_hook: happy cracking.\n");
|
||||||
return NF_ACCEPT;
|
return NF_ACCEPT;
|
||||||
|
@ -122,11 +122,11 @@ ip6t_local_out_hook(unsigned int hook,
|
||||||
ret = ip6t_do_table(skb, hook, in, out,
|
ret = ip6t_do_table(skb, hook, in, out,
|
||||||
dev_net(out)->ipv6.ip6table_mangle);
|
dev_net(out)->ipv6.ip6table_mangle);
|
||||||
|
|
||||||
if (ret != NF_DROP && ret != NF_STOLEN
|
if (ret != NF_DROP && ret != NF_STOLEN &&
|
||||||
&& (memcmp(&ipv6_hdr(skb)->saddr, &saddr, sizeof(saddr))
|
(memcmp(&ipv6_hdr(skb)->saddr, &saddr, sizeof(saddr)) ||
|
||||||
|| memcmp(&ipv6_hdr(skb)->daddr, &daddr, sizeof(daddr))
|
memcmp(&ipv6_hdr(skb)->daddr, &daddr, sizeof(daddr)) ||
|
||||||
|| skb->mark != mark
|
skb->mark != mark ||
|
||||||
|| ipv6_hdr(skb)->hop_limit != hop_limit))
|
ipv6_hdr(skb)->hop_limit != hop_limit))
|
||||||
return ip6_route_me_harder(skb) == 0 ? ret : NF_DROP;
|
return ip6_route_me_harder(skb) == 0 ? ret : NF_DROP;
|
||||||
|
|
||||||
return ret;
|
return ret;
|
||||||
|
|
|
@ -244,18 +244,18 @@ static const struct nla_policy icmpv6_nla_policy[CTA_PROTO_MAX+1] = {
|
||||||
static int icmpv6_nlattr_to_tuple(struct nlattr *tb[],
|
static int icmpv6_nlattr_to_tuple(struct nlattr *tb[],
|
||||||
struct nf_conntrack_tuple *tuple)
|
struct nf_conntrack_tuple *tuple)
|
||||||
{
|
{
|
||||||
if (!tb[CTA_PROTO_ICMPV6_TYPE]
|
if (!tb[CTA_PROTO_ICMPV6_TYPE] ||
|
||||||
|| !tb[CTA_PROTO_ICMPV6_CODE]
|
!tb[CTA_PROTO_ICMPV6_CODE] ||
|
||||||
|| !tb[CTA_PROTO_ICMPV6_ID])
|
!tb[CTA_PROTO_ICMPV6_ID])
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
|
|
||||||
tuple->dst.u.icmp.type = nla_get_u8(tb[CTA_PROTO_ICMPV6_TYPE]);
|
tuple->dst.u.icmp.type = nla_get_u8(tb[CTA_PROTO_ICMPV6_TYPE]);
|
||||||
tuple->dst.u.icmp.code = nla_get_u8(tb[CTA_PROTO_ICMPV6_CODE]);
|
tuple->dst.u.icmp.code = nla_get_u8(tb[CTA_PROTO_ICMPV6_CODE]);
|
||||||
tuple->src.u.icmp.id = nla_get_be16(tb[CTA_PROTO_ICMPV6_ID]);
|
tuple->src.u.icmp.id = nla_get_be16(tb[CTA_PROTO_ICMPV6_ID]);
|
||||||
|
|
||||||
if (tuple->dst.u.icmp.type < 128
|
if (tuple->dst.u.icmp.type < 128 ||
|
||||||
|| tuple->dst.u.icmp.type - 128 >= sizeof(invmap)
|
tuple->dst.u.icmp.type - 128 >= sizeof(invmap) ||
|
||||||
|| !invmap[tuple->dst.u.icmp.type - 128])
|
!invmap[tuple->dst.u.icmp.type - 128])
|
||||||
return -EINVAL;
|
return -EINVAL;
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
|
|
|
@ -512,11 +512,17 @@ static noinline int early_drop(struct net *net, unsigned int hash)
|
||||||
cnt++;
|
cnt++;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (ct && unlikely(nf_ct_is_dying(ct) ||
|
if (ct != NULL) {
|
||||||
!atomic_inc_not_zero(&ct->ct_general.use)))
|
if (likely(!nf_ct_is_dying(ct) &&
|
||||||
ct = NULL;
|
atomic_inc_not_zero(&ct->ct_general.use)))
|
||||||
if (ct || cnt >= NF_CT_EVICTION_RANGE)
|
break;
|
||||||
|
else
|
||||||
|
ct = NULL;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (cnt >= NF_CT_EVICTION_RANGE)
|
||||||
break;
|
break;
|
||||||
|
|
||||||
hash = (hash + 1) % nf_conntrack_htable_size;
|
hash = (hash + 1) % nf_conntrack_htable_size;
|
||||||
}
|
}
|
||||||
rcu_read_unlock();
|
rcu_read_unlock();
|
||||||
|
|
|
@ -896,23 +896,54 @@ static int tcp_packet(struct nf_conn *ct,
|
||||||
/* b) This SYN/ACK acknowledges a SYN that we earlier
|
/* b) This SYN/ACK acknowledges a SYN that we earlier
|
||||||
* ignored as invalid. This means that the client and
|
* ignored as invalid. This means that the client and
|
||||||
* the server are both in sync, while the firewall is
|
* the server are both in sync, while the firewall is
|
||||||
* not. We kill this session and block the SYN/ACK so
|
* not. We get in sync from the previously annotated
|
||||||
* that the client cannot but retransmit its SYN and
|
* values.
|
||||||
* thus initiate a clean new session.
|
|
||||||
*/
|
*/
|
||||||
spin_unlock_bh(&ct->lock);
|
old_state = TCP_CONNTRACK_SYN_SENT;
|
||||||
if (LOG_INVALID(net, IPPROTO_TCP))
|
new_state = TCP_CONNTRACK_SYN_RECV;
|
||||||
nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
|
ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_end =
|
||||||
"nf_ct_tcp: killing out of sync session ");
|
ct->proto.tcp.last_end;
|
||||||
nf_ct_kill(ct);
|
ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_maxend =
|
||||||
return NF_DROP;
|
ct->proto.tcp.last_end;
|
||||||
|
ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_maxwin =
|
||||||
|
ct->proto.tcp.last_win == 0 ?
|
||||||
|
1 : ct->proto.tcp.last_win;
|
||||||
|
ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_scale =
|
||||||
|
ct->proto.tcp.last_wscale;
|
||||||
|
ct->proto.tcp.seen[ct->proto.tcp.last_dir].flags =
|
||||||
|
ct->proto.tcp.last_flags;
|
||||||
|
memset(&ct->proto.tcp.seen[dir], 0,
|
||||||
|
sizeof(struct ip_ct_tcp_state));
|
||||||
|
break;
|
||||||
}
|
}
|
||||||
ct->proto.tcp.last_index = index;
|
ct->proto.tcp.last_index = index;
|
||||||
ct->proto.tcp.last_dir = dir;
|
ct->proto.tcp.last_dir = dir;
|
||||||
ct->proto.tcp.last_seq = ntohl(th->seq);
|
ct->proto.tcp.last_seq = ntohl(th->seq);
|
||||||
ct->proto.tcp.last_end =
|
ct->proto.tcp.last_end =
|
||||||
segment_seq_plus_len(ntohl(th->seq), skb->len, dataoff, th);
|
segment_seq_plus_len(ntohl(th->seq), skb->len, dataoff, th);
|
||||||
|
ct->proto.tcp.last_win = ntohs(th->window);
|
||||||
|
|
||||||
|
/* a) This is a SYN in ORIGINAL. The client and the server
|
||||||
|
* may be in sync but we are not. In that case, we annotate
|
||||||
|
* the TCP options and let the packet go through. If it is a
|
||||||
|
* valid SYN packet, the server will reply with a SYN/ACK, and
|
||||||
|
* then we'll get in sync. Otherwise, the server ignores it. */
|
||||||
|
if (index == TCP_SYN_SET && dir == IP_CT_DIR_ORIGINAL) {
|
||||||
|
struct ip_ct_tcp_state seen = {};
|
||||||
|
|
||||||
|
ct->proto.tcp.last_flags =
|
||||||
|
ct->proto.tcp.last_wscale = 0;
|
||||||
|
tcp_options(skb, dataoff, th, &seen);
|
||||||
|
if (seen.flags & IP_CT_TCP_FLAG_WINDOW_SCALE) {
|
||||||
|
ct->proto.tcp.last_flags |=
|
||||||
|
IP_CT_TCP_FLAG_WINDOW_SCALE;
|
||||||
|
ct->proto.tcp.last_wscale = seen.td_scale;
|
||||||
|
}
|
||||||
|
if (seen.flags & IP_CT_TCP_FLAG_SACK_PERM) {
|
||||||
|
ct->proto.tcp.last_flags |=
|
||||||
|
IP_CT_TCP_FLAG_SACK_PERM;
|
||||||
|
}
|
||||||
|
}
|
||||||
spin_unlock_bh(&ct->lock);
|
spin_unlock_bh(&ct->lock);
|
||||||
if (LOG_INVALID(net, IPPROTO_TCP))
|
if (LOG_INVALID(net, IPPROTO_TCP))
|
||||||
nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
|
nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
|
||||||
|
|
|
@ -666,8 +666,7 @@ nfulnl_rcv_nl_event(struct notifier_block *this,
|
||||||
{
|
{
|
||||||
struct netlink_notify *n = ptr;
|
struct netlink_notify *n = ptr;
|
||||||
|
|
||||||
if (event == NETLINK_URELEASE &&
|
if (event == NETLINK_URELEASE && n->protocol == NETLINK_NETFILTER) {
|
||||||
n->protocol == NETLINK_NETFILTER && n->pid) {
|
|
||||||
int i;
|
int i;
|
||||||
|
|
||||||
/* destroy all instances for this pid */
|
/* destroy all instances for this pid */
|
||||||
|
|
|
@ -574,8 +574,7 @@ nfqnl_rcv_nl_event(struct notifier_block *this,
|
||||||
{
|
{
|
||||||
struct netlink_notify *n = ptr;
|
struct netlink_notify *n = ptr;
|
||||||
|
|
||||||
if (event == NETLINK_URELEASE &&
|
if (event == NETLINK_URELEASE && n->protocol == NETLINK_NETFILTER) {
|
||||||
n->protocol == NETLINK_NETFILTER && n->pid) {
|
|
||||||
int i;
|
int i;
|
||||||
|
|
||||||
/* destroy all instances for this pid */
|
/* destroy all instances for this pid */
|
||||||
|
|
|
@ -113,7 +113,8 @@ ct_proto_port_check(const struct xt_conntrack_mtinfo2 *info,
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool
|
static bool
|
||||||
conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par,
|
||||||
|
u16 state_mask, u16 status_mask)
|
||||||
{
|
{
|
||||||
const struct xt_conntrack_mtinfo2 *info = par->matchinfo;
|
const struct xt_conntrack_mtinfo2 *info = par->matchinfo;
|
||||||
enum ip_conntrack_info ctinfo;
|
enum ip_conntrack_info ctinfo;
|
||||||
|
@ -136,7 +137,7 @@ conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||||
if (test_bit(IPS_DST_NAT_BIT, &ct->status))
|
if (test_bit(IPS_DST_NAT_BIT, &ct->status))
|
||||||
statebit |= XT_CONNTRACK_STATE_DNAT;
|
statebit |= XT_CONNTRACK_STATE_DNAT;
|
||||||
}
|
}
|
||||||
if (!!(info->state_mask & statebit) ^
|
if (!!(state_mask & statebit) ^
|
||||||
!(info->invert_flags & XT_CONNTRACK_STATE))
|
!(info->invert_flags & XT_CONNTRACK_STATE))
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
|
@ -172,7 +173,7 @@ conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
if ((info->match_flags & XT_CONNTRACK_STATUS) &&
|
if ((info->match_flags & XT_CONNTRACK_STATUS) &&
|
||||||
(!!(info->status_mask & ct->status) ^
|
(!!(status_mask & ct->status) ^
|
||||||
!(info->invert_flags & XT_CONNTRACK_STATUS)))
|
!(info->invert_flags & XT_CONNTRACK_STATUS)))
|
||||||
return false;
|
return false;
|
||||||
|
|
||||||
|
@ -192,11 +193,17 @@ conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||||
static bool
|
static bool
|
||||||
conntrack_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par)
|
conntrack_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||||
{
|
{
|
||||||
const struct xt_conntrack_mtinfo2 *const *info = par->matchinfo;
|
const struct xt_conntrack_mtinfo1 *info = par->matchinfo;
|
||||||
struct xt_match_param newpar = *par;
|
|
||||||
|
|
||||||
newpar.matchinfo = *info;
|
return conntrack_mt(skb, par, info->state_mask, info->status_mask);
|
||||||
return conntrack_mt(skb, &newpar);
|
}
|
||||||
|
|
||||||
|
static bool
|
||||||
|
conntrack_mt_v2(const struct sk_buff *skb, const struct xt_match_param *par)
|
||||||
|
{
|
||||||
|
const struct xt_conntrack_mtinfo2 *info = par->matchinfo;
|
||||||
|
|
||||||
|
return conntrack_mt(skb, par, info->state_mask, info->status_mask);
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool conntrack_mt_check(const struct xt_mtchk_param *par)
|
static bool conntrack_mt_check(const struct xt_mtchk_param *par)
|
||||||
|
@ -209,45 +216,11 @@ static bool conntrack_mt_check(const struct xt_mtchk_param *par)
|
||||||
return true;
|
return true;
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool conntrack_mt_check_v1(const struct xt_mtchk_param *par)
|
|
||||||
{
|
|
||||||
struct xt_conntrack_mtinfo1 *info = par->matchinfo;
|
|
||||||
struct xt_conntrack_mtinfo2 *up;
|
|
||||||
int ret = conntrack_mt_check(par);
|
|
||||||
|
|
||||||
if (ret < 0)
|
|
||||||
return ret;
|
|
||||||
|
|
||||||
up = kmalloc(sizeof(*up), GFP_KERNEL);
|
|
||||||
if (up == NULL) {
|
|
||||||
nf_ct_l3proto_module_put(par->family);
|
|
||||||
return -ENOMEM;
|
|
||||||
}
|
|
||||||
|
|
||||||
/*
|
|
||||||
* The strategy here is to minimize the overhead of v1 matching,
|
|
||||||
* by prebuilding a v2 struct and putting the pointer into the
|
|
||||||
* v1 dataspace.
|
|
||||||
*/
|
|
||||||
memcpy(up, info, offsetof(typeof(*info), state_mask));
|
|
||||||
up->state_mask = info->state_mask;
|
|
||||||
up->status_mask = info->status_mask;
|
|
||||||
*(void **)info = up;
|
|
||||||
return true;
|
|
||||||
}
|
|
||||||
|
|
||||||
static void conntrack_mt_destroy(const struct xt_mtdtor_param *par)
|
static void conntrack_mt_destroy(const struct xt_mtdtor_param *par)
|
||||||
{
|
{
|
||||||
nf_ct_l3proto_module_put(par->family);
|
nf_ct_l3proto_module_put(par->family);
|
||||||
}
|
}
|
||||||
|
|
||||||
static void conntrack_mt_destroy_v1(const struct xt_mtdtor_param *par)
|
|
||||||
{
|
|
||||||
struct xt_conntrack_mtinfo2 **info = par->matchinfo;
|
|
||||||
kfree(*info);
|
|
||||||
conntrack_mt_destroy(par);
|
|
||||||
}
|
|
||||||
|
|
||||||
static struct xt_match conntrack_mt_reg[] __read_mostly = {
|
static struct xt_match conntrack_mt_reg[] __read_mostly = {
|
||||||
{
|
{
|
||||||
.name = "conntrack",
|
.name = "conntrack",
|
||||||
|
@ -255,8 +228,8 @@ static struct xt_match conntrack_mt_reg[] __read_mostly = {
|
||||||
.family = NFPROTO_UNSPEC,
|
.family = NFPROTO_UNSPEC,
|
||||||
.matchsize = sizeof(struct xt_conntrack_mtinfo1),
|
.matchsize = sizeof(struct xt_conntrack_mtinfo1),
|
||||||
.match = conntrack_mt_v1,
|
.match = conntrack_mt_v1,
|
||||||
.checkentry = conntrack_mt_check_v1,
|
.checkentry = conntrack_mt_check,
|
||||||
.destroy = conntrack_mt_destroy_v1,
|
.destroy = conntrack_mt_destroy,
|
||||||
.me = THIS_MODULE,
|
.me = THIS_MODULE,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
@ -264,7 +237,7 @@ static struct xt_match conntrack_mt_reg[] __read_mostly = {
|
||||||
.revision = 2,
|
.revision = 2,
|
||||||
.family = NFPROTO_UNSPEC,
|
.family = NFPROTO_UNSPEC,
|
||||||
.matchsize = sizeof(struct xt_conntrack_mtinfo2),
|
.matchsize = sizeof(struct xt_conntrack_mtinfo2),
|
||||||
.match = conntrack_mt,
|
.match = conntrack_mt_v2,
|
||||||
.checkentry = conntrack_mt_check,
|
.checkentry = conntrack_mt_check,
|
||||||
.destroy = conntrack_mt_destroy,
|
.destroy = conntrack_mt_destroy,
|
||||||
.me = THIS_MODULE,
|
.me = THIS_MODULE,
|
||||||
|
|
|
@ -192,7 +192,8 @@ static struct xt_match socket_mt_reg[] __read_mostly = {
|
||||||
.revision = 0,
|
.revision = 0,
|
||||||
.family = NFPROTO_IPV4,
|
.family = NFPROTO_IPV4,
|
||||||
.match = socket_mt_v0,
|
.match = socket_mt_v0,
|
||||||
.hooks = 1 << NF_INET_PRE_ROUTING,
|
.hooks = (1 << NF_INET_PRE_ROUTING) |
|
||||||
|
(1 << NF_INET_LOCAL_IN),
|
||||||
.me = THIS_MODULE,
|
.me = THIS_MODULE,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
@ -201,7 +202,8 @@ static struct xt_match socket_mt_reg[] __read_mostly = {
|
||||||
.family = NFPROTO_IPV4,
|
.family = NFPROTO_IPV4,
|
||||||
.match = socket_mt_v1,
|
.match = socket_mt_v1,
|
||||||
.matchsize = sizeof(struct xt_socket_mtinfo1),
|
.matchsize = sizeof(struct xt_socket_mtinfo1),
|
||||||
.hooks = 1 << NF_INET_PRE_ROUTING,
|
.hooks = (1 << NF_INET_PRE_ROUTING) |
|
||||||
|
(1 << NF_INET_LOCAL_IN),
|
||||||
.me = THIS_MODULE,
|
.me = THIS_MODULE,
|
||||||
},
|
},
|
||||||
};
|
};
|
||||||
|
|
Loading…
Reference in a new issue