Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6

This commit is contained in:
David S. Miller 2009-12-03 13:23:12 -08:00
commit 424eff9751
32 changed files with 251 additions and 255 deletions

View file

@ -66,6 +66,9 @@ struct ip_ct_tcp {
u_int32_t last_ack; /* Last sequence number seen in opposite dir */ u_int32_t last_ack; /* Last sequence number seen in opposite dir */
u_int32_t last_end; /* Last seq + len */ u_int32_t last_end; /* Last seq + len */
u_int16_t last_win; /* Last window advertisement seen in dir */ u_int16_t last_win; /* Last window advertisement seen in dir */
/* For SYN packets while we may be out-of-sync */
u_int8_t last_wscale; /* Last window scaling factor seen */
u_int8_t last_flags; /* Last flags set */
}; };
#endif /* __KERNEL__ */ #endif /* __KERNEL__ */

View file

@ -384,11 +384,11 @@ static int mark_source_chains(struct xt_table_info *newinfo,
|= ((1 << hook) | (1 << NF_ARP_NUMHOOKS)); |= ((1 << hook) | (1 << NF_ARP_NUMHOOKS));
/* Unconditional return/END. */ /* Unconditional return/END. */
if ((e->target_offset == sizeof(struct arpt_entry) if ((e->target_offset == sizeof(struct arpt_entry) &&
&& (strcmp(t->target.u.user.name, (strcmp(t->target.u.user.name,
ARPT_STANDARD_TARGET) == 0) ARPT_STANDARD_TARGET) == 0) &&
&& t->verdict < 0 t->verdict < 0 && unconditional(&e->arp)) ||
&& unconditional(&e->arp)) || visited) { visited) {
unsigned int oldpos, size; unsigned int oldpos, size;
if ((strcmp(t->target.u.user.name, if ((strcmp(t->target.u.user.name,
@ -427,8 +427,8 @@ static int mark_source_chains(struct xt_table_info *newinfo,
int newpos = t->verdict; int newpos = t->verdict;
if (strcmp(t->target.u.user.name, if (strcmp(t->target.u.user.name,
ARPT_STANDARD_TARGET) == 0 ARPT_STANDARD_TARGET) == 0 &&
&& newpos >= 0) { newpos >= 0) {
if (newpos > newinfo->size - if (newpos > newinfo->size -
sizeof(struct arpt_entry)) { sizeof(struct arpt_entry)) {
duprintf("mark_source_chains: " duprintf("mark_source_chains: "
@ -559,8 +559,8 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e,
{ {
unsigned int h; unsigned int h;
if ((unsigned long)e % __alignof__(struct arpt_entry) != 0 if ((unsigned long)e % __alignof__(struct arpt_entry) != 0 ||
|| (unsigned char *)e + sizeof(struct arpt_entry) >= limit) { (unsigned char *)e + sizeof(struct arpt_entry) >= limit) {
duprintf("Bad offset %p\n", e); duprintf("Bad offset %p\n", e);
return -EINVAL; return -EINVAL;
} }
@ -1251,8 +1251,8 @@ check_compat_entry_size_and_hooks(struct compat_arpt_entry *e,
int ret, off, h; int ret, off, h;
duprintf("check_compat_entry_size_and_hooks %p\n", e); duprintf("check_compat_entry_size_and_hooks %p\n", e);
if ((unsigned long)e % __alignof__(struct compat_arpt_entry) != 0 if ((unsigned long)e % __alignof__(struct compat_arpt_entry) != 0 ||
|| (unsigned char *)e + sizeof(struct compat_arpt_entry) >= limit) { (unsigned char *)e + sizeof(struct compat_arpt_entry) >= limit) {
duprintf("Bad offset %p, limit = %p\n", e, limit); duprintf("Bad offset %p, limit = %p\n", e, limit);
return -EINVAL; return -EINVAL;
} }

View file

@ -497,8 +497,7 @@ ipq_rcv_nl_event(struct notifier_block *this,
{ {
struct netlink_notify *n = ptr; struct netlink_notify *n = ptr;
if (event == NETLINK_URELEASE && if (event == NETLINK_URELEASE && n->protocol == NETLINK_FIREWALL) {
n->protocol == NETLINK_FIREWALL && n->pid) {
write_lock_bh(&queue_lock); write_lock_bh(&queue_lock);
if ((net_eq(n->net, &init_net)) && (n->pid == peer_pid)) if ((net_eq(n->net, &init_net)) && (n->pid == peer_pid))
__ipq_reset(); __ipq_reset();
@ -622,7 +621,7 @@ cleanup_netlink_notifier:
static void __exit ip_queue_fini(void) static void __exit ip_queue_fini(void)
{ {
nf_unregister_queue_handlers(&nfqh); nf_unregister_queue_handlers(&nfqh);
synchronize_net();
ipq_flush(NULL, 0); ipq_flush(NULL, 0);
#ifdef CONFIG_SYSCTL #ifdef CONFIG_SYSCTL

View file

@ -89,9 +89,9 @@ ip_packet_match(const struct iphdr *ip,
#define FWINV(bool, invflg) ((bool) ^ !!(ipinfo->invflags & (invflg))) #define FWINV(bool, invflg) ((bool) ^ !!(ipinfo->invflags & (invflg)))
if (FWINV((ip->saddr&ipinfo->smsk.s_addr) != ipinfo->src.s_addr, if (FWINV((ip->saddr&ipinfo->smsk.s_addr) != ipinfo->src.s_addr,
IPT_INV_SRCIP) IPT_INV_SRCIP) ||
|| FWINV((ip->daddr&ipinfo->dmsk.s_addr) != ipinfo->dst.s_addr, FWINV((ip->daddr&ipinfo->dmsk.s_addr) != ipinfo->dst.s_addr,
IPT_INV_DSTIP)) { IPT_INV_DSTIP)) {
dprintf("Source or dest mismatch.\n"); dprintf("Source or dest mismatch.\n");
dprintf("SRC: %pI4. Mask: %pI4. Target: %pI4.%s\n", dprintf("SRC: %pI4. Mask: %pI4. Target: %pI4.%s\n",
@ -122,8 +122,8 @@ ip_packet_match(const struct iphdr *ip,
} }
/* Check specific protocol */ /* Check specific protocol */
if (ipinfo->proto if (ipinfo->proto &&
&& FWINV(ip->protocol != ipinfo->proto, IPT_INV_PROTO)) { FWINV(ip->protocol != ipinfo->proto, IPT_INV_PROTO)) {
dprintf("Packet protocol %hi does not match %hi.%s\n", dprintf("Packet protocol %hi does not match %hi.%s\n",
ip->protocol, ipinfo->proto, ip->protocol, ipinfo->proto,
ipinfo->invflags&IPT_INV_PROTO ? " (INV)":""); ipinfo->invflags&IPT_INV_PROTO ? " (INV)":"");
@ -246,11 +246,11 @@ get_chainname_rulenum(struct ipt_entry *s, struct ipt_entry *e,
} else if (s == e) { } else if (s == e) {
(*rulenum)++; (*rulenum)++;
if (s->target_offset == sizeof(struct ipt_entry) if (s->target_offset == sizeof(struct ipt_entry) &&
&& strcmp(t->target.u.kernel.target->name, strcmp(t->target.u.kernel.target->name,
IPT_STANDARD_TARGET) == 0 IPT_STANDARD_TARGET) == 0 &&
&& t->verdict < 0 t->verdict < 0 &&
&& unconditional(&s->ip)) { unconditional(&s->ip)) {
/* Tail of chains: STANDARD target (return/policy) */ /* Tail of chains: STANDARD target (return/policy) */
*comment = *chainname == hookname *comment = *chainname == hookname
? comments[NF_IP_TRACE_COMMENT_POLICY] ? comments[NF_IP_TRACE_COMMENT_POLICY]
@ -388,8 +388,8 @@ ipt_do_table(struct sk_buff *skb,
back = get_entry(table_base, back->comefrom); back = get_entry(table_base, back->comefrom);
continue; continue;
} }
if (table_base + v != ipt_next_entry(e) if (table_base + v != ipt_next_entry(e) &&
&& !(e->ip.flags & IPT_F_GOTO)) { !(e->ip.flags & IPT_F_GOTO)) {
/* Save old back ptr in next entry */ /* Save old back ptr in next entry */
struct ipt_entry *next = ipt_next_entry(e); struct ipt_entry *next = ipt_next_entry(e);
next->comefrom = (void *)back - table_base; next->comefrom = (void *)back - table_base;
@ -473,11 +473,11 @@ mark_source_chains(struct xt_table_info *newinfo,
e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS)); e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS));
/* Unconditional return/END. */ /* Unconditional return/END. */
if ((e->target_offset == sizeof(struct ipt_entry) if ((e->target_offset == sizeof(struct ipt_entry) &&
&& (strcmp(t->target.u.user.name, (strcmp(t->target.u.user.name,
IPT_STANDARD_TARGET) == 0) IPT_STANDARD_TARGET) == 0) &&
&& t->verdict < 0 t->verdict < 0 && unconditional(&e->ip)) ||
&& unconditional(&e->ip)) || visited) { visited) {
unsigned int oldpos, size; unsigned int oldpos, size;
if ((strcmp(t->target.u.user.name, if ((strcmp(t->target.u.user.name,
@ -524,8 +524,8 @@ mark_source_chains(struct xt_table_info *newinfo,
int newpos = t->verdict; int newpos = t->verdict;
if (strcmp(t->target.u.user.name, if (strcmp(t->target.u.user.name,
IPT_STANDARD_TARGET) == 0 IPT_STANDARD_TARGET) == 0 &&
&& newpos >= 0) { newpos >= 0) {
if (newpos > newinfo->size - if (newpos > newinfo->size -
sizeof(struct ipt_entry)) { sizeof(struct ipt_entry)) {
duprintf("mark_source_chains: " duprintf("mark_source_chains: "
@ -735,8 +735,8 @@ check_entry_size_and_hooks(struct ipt_entry *e,
{ {
unsigned int h; unsigned int h;
if ((unsigned long)e % __alignof__(struct ipt_entry) != 0 if ((unsigned long)e % __alignof__(struct ipt_entry) != 0 ||
|| (unsigned char *)e + sizeof(struct ipt_entry) >= limit) { (unsigned char *)e + sizeof(struct ipt_entry) >= limit) {
duprintf("Bad offset %p\n", e); duprintf("Bad offset %p\n", e);
return -EINVAL; return -EINVAL;
} }
@ -1548,8 +1548,8 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
int ret, off, h; int ret, off, h;
duprintf("check_compat_entry_size_and_hooks %p\n", e); duprintf("check_compat_entry_size_and_hooks %p\n", e);
if ((unsigned long)e % __alignof__(struct compat_ipt_entry) != 0 if ((unsigned long)e % __alignof__(struct compat_ipt_entry) != 0 ||
|| (unsigned char *)e + sizeof(struct compat_ipt_entry) >= limit) { (unsigned char *)e + sizeof(struct compat_ipt_entry) >= limit) {
duprintf("Bad offset %p, limit = %p\n", e, limit); duprintf("Bad offset %p, limit = %p\n", e, limit);
return -EINVAL; return -EINVAL;
} }

View file

@ -303,9 +303,9 @@ clusterip_tg(struct sk_buff *skb, const struct xt_target_param *par)
/* special case: ICMP error handling. conntrack distinguishes between /* special case: ICMP error handling. conntrack distinguishes between
* error messages (RELATED) and information requests (see below) */ * error messages (RELATED) and information requests (see below) */
if (ip_hdr(skb)->protocol == IPPROTO_ICMP if (ip_hdr(skb)->protocol == IPPROTO_ICMP &&
&& (ctinfo == IP_CT_RELATED (ctinfo == IP_CT_RELATED ||
|| ctinfo == IP_CT_RELATED+IP_CT_IS_REPLY)) ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY))
return XT_CONTINUE; return XT_CONTINUE;
/* ip_conntrack_icmp guarantees us that we only have ICMP_ECHO, /* ip_conntrack_icmp guarantees us that we only have ICMP_ECHO,
@ -362,8 +362,8 @@ static bool clusterip_tg_check(const struct xt_tgchk_param *par)
return false; return false;
} }
if (e->ip.dmsk.s_addr != htonl(0xffffffff) if (e->ip.dmsk.s_addr != htonl(0xffffffff) ||
|| e->ip.dst.s_addr == 0) { e->ip.dst.s_addr == 0) {
printk(KERN_ERR "CLUSTERIP: Please specify destination IP\n"); printk(KERN_ERR "CLUSTERIP: Please specify destination IP\n");
return false; return false;
} }
@ -495,14 +495,14 @@ arp_mangle(unsigned int hook,
struct clusterip_config *c; struct clusterip_config *c;
/* we don't care about non-ethernet and non-ipv4 ARP */ /* we don't care about non-ethernet and non-ipv4 ARP */
if (arp->ar_hrd != htons(ARPHRD_ETHER) if (arp->ar_hrd != htons(ARPHRD_ETHER) ||
|| arp->ar_pro != htons(ETH_P_IP) arp->ar_pro != htons(ETH_P_IP) ||
|| arp->ar_pln != 4 || arp->ar_hln != ETH_ALEN) arp->ar_pln != 4 || arp->ar_hln != ETH_ALEN)
return NF_ACCEPT; return NF_ACCEPT;
/* we only want to mangle arp requests and replies */ /* we only want to mangle arp requests and replies */
if (arp->ar_op != htons(ARPOP_REPLY) if (arp->ar_op != htons(ARPOP_REPLY) &&
&& arp->ar_op != htons(ARPOP_REQUEST)) arp->ar_op != htons(ARPOP_REQUEST))
return NF_ACCEPT; return NF_ACCEPT;
payload = (void *)(arp+1); payload = (void *)(arp+1);

View file

@ -85,8 +85,8 @@ ecn_tg(struct sk_buff *skb, const struct xt_target_param *par)
if (!set_ect_ip(skb, einfo)) if (!set_ect_ip(skb, einfo))
return NF_DROP; return NF_DROP;
if (einfo->operation & (IPT_ECN_OP_SET_ECE | IPT_ECN_OP_SET_CWR) if (einfo->operation & (IPT_ECN_OP_SET_ECE | IPT_ECN_OP_SET_CWR) &&
&& ip_hdr(skb)->protocol == IPPROTO_TCP) ip_hdr(skb)->protocol == IPPROTO_TCP)
if (!set_ect_tcp(skb, einfo)) if (!set_ect_tcp(skb, einfo))
return NF_DROP; return NF_DROP;
@ -108,8 +108,8 @@ static bool ecn_tg_check(const struct xt_tgchk_param *par)
einfo->ip_ect); einfo->ip_ect);
return false; return false;
} }
if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR)) if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR)) &&
&& (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & XT_INV_PROTO))) { (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & XT_INV_PROTO))) {
printk(KERN_WARNING "ECN: cannot use TCP operations on a " printk(KERN_WARNING "ECN: cannot use TCP operations on a "
"non-tcp rule\n"); "non-tcp rule\n");
return false; return false;

View file

@ -74,8 +74,8 @@ static void dump_packet(const struct nf_loginfo *info,
if (ntohs(ih->frag_off) & IP_OFFSET) if (ntohs(ih->frag_off) & IP_OFFSET)
printk("FRAG:%u ", ntohs(ih->frag_off) & IP_OFFSET); printk("FRAG:%u ", ntohs(ih->frag_off) & IP_OFFSET);
if ((logflags & IPT_LOG_IPOPT) if ((logflags & IPT_LOG_IPOPT) &&
&& ih->ihl * 4 > sizeof(struct iphdr)) { ih->ihl * 4 > sizeof(struct iphdr)) {
const unsigned char *op; const unsigned char *op;
unsigned char _opt[4 * 15 - sizeof(struct iphdr)]; unsigned char _opt[4 * 15 - sizeof(struct iphdr)];
unsigned int i, optsize; unsigned int i, optsize;
@ -146,8 +146,8 @@ static void dump_packet(const struct nf_loginfo *info,
/* Max length: 11 "URGP=65535 " */ /* Max length: 11 "URGP=65535 " */
printk("URGP=%u ", ntohs(th->urg_ptr)); printk("URGP=%u ", ntohs(th->urg_ptr));
if ((logflags & IPT_LOG_TCPOPT) if ((logflags & IPT_LOG_TCPOPT) &&
&& th->doff * 4 > sizeof(struct tcphdr)) { th->doff * 4 > sizeof(struct tcphdr)) {
unsigned char _opt[4 * 15 - sizeof(struct tcphdr)]; unsigned char _opt[4 * 15 - sizeof(struct tcphdr)];
const unsigned char *op; const unsigned char *op;
unsigned int i, optsize; unsigned int i, optsize;
@ -238,9 +238,9 @@ static void dump_packet(const struct nf_loginfo *info,
printk("TYPE=%u CODE=%u ", ich->type, ich->code); printk("TYPE=%u CODE=%u ", ich->type, ich->code);
/* Max length: 25 "INCOMPLETE [65535 bytes] " */ /* Max length: 25 "INCOMPLETE [65535 bytes] " */
if (ich->type <= NR_ICMP_TYPES if (ich->type <= NR_ICMP_TYPES &&
&& required_len[ich->type] required_len[ich->type] &&
&& skb->len-iphoff-ih->ihl*4 < required_len[ich->type]) { skb->len-iphoff-ih->ihl*4 < required_len[ich->type]) {
printk("INCOMPLETE [%u bytes] ", printk("INCOMPLETE [%u bytes] ",
skb->len - iphoff - ih->ihl*4); skb->len - iphoff - ih->ihl*4);
break; break;
@ -276,8 +276,8 @@ static void dump_packet(const struct nf_loginfo *info,
} }
/* Max length: 10 "MTU=65535 " */ /* Max length: 10 "MTU=65535 " */
if (ich->type == ICMP_DEST_UNREACH if (ich->type == ICMP_DEST_UNREACH &&
&& ich->code == ICMP_FRAG_NEEDED) ich->code == ICMP_FRAG_NEEDED)
printk("MTU=%u ", ntohs(ich->un.frag.mtu)); printk("MTU=%u ", ntohs(ich->un.frag.mtu));
} }
break; break;
@ -407,8 +407,8 @@ ipt_log_packet(u_int8_t pf,
if (in && !out) { if (in && !out) {
/* MAC logging for input chain only. */ /* MAC logging for input chain only. */
printk("MAC="); printk("MAC=");
if (skb->dev && skb->dev->hard_header_len if (skb->dev && skb->dev->hard_header_len &&
&& skb->mac_header != skb->network_header) { skb->mac_header != skb->network_header) {
int i; int i;
const unsigned char *p = skb_mac_header(skb); const unsigned char *p = skb_mac_header(skb);
for (i = 0; i < skb->dev->hard_header_len; i++,p++) for (i = 0; i < skb->dev->hard_header_len; i++,p++)

View file

@ -59,8 +59,8 @@ masquerade_tg(struct sk_buff *skb, const struct xt_target_param *par)
ct = nf_ct_get(skb, &ctinfo); ct = nf_ct_get(skb, &ctinfo);
nat = nfct_nat(ct); nat = nfct_nat(ct);
NF_CT_ASSERT(ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED NF_CT_ASSERT(ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED ||
|| ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY)); ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY));
/* Source address is 0.0.0.0 - locally generated packet that is /* Source address is 0.0.0.0 - locally generated packet that is
* probably not supposed to be masqueraded. * probably not supposed to be masqueraded.

View file

@ -184,8 +184,8 @@ static bool reject_tg_check(const struct xt_tgchk_param *par)
return false; return false;
} else if (rejinfo->with == IPT_TCP_RESET) { } else if (rejinfo->with == IPT_TCP_RESET) {
/* Must specify that it's a TCP packet */ /* Must specify that it's a TCP packet */
if (e->ip.proto != IPPROTO_TCP if (e->ip.proto != IPPROTO_TCP ||
|| (e->ip.invflags & XT_INV_PROTO)) { (e->ip.invflags & XT_INV_PROTO)) {
printk("ipt_REJECT: TCP_RESET invalid for non-tcp\n"); printk("ipt_REJECT: TCP_RESET invalid for non-tcp\n");
return false; return false;
} }

View file

@ -226,9 +226,9 @@ static void ipt_ulog_packet(unsigned int hooknum,
else else
*(pm->prefix) = '\0'; *(pm->prefix) = '\0';
if (in && in->hard_header_len > 0 if (in && in->hard_header_len > 0 &&
&& skb->mac_header != skb->network_header skb->mac_header != skb->network_header &&
&& in->hard_header_len <= ULOG_MAC_LEN) { in->hard_header_len <= ULOG_MAC_LEN) {
memcpy(pm->mac, skb_mac_header(skb), in->hard_header_len); memcpy(pm->mac, skb_mac_header(skb), in->hard_header_len);
pm->mac_len = in->hard_header_len; pm->mac_len = in->hard_header_len;
} else } else

View file

@ -96,8 +96,8 @@ static bool ecn_mt_check(const struct xt_mtchk_param *par)
if (info->invert & IPT_ECN_OP_MATCH_MASK) if (info->invert & IPT_ECN_OP_MATCH_MASK)
return false; return false;
if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR) if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR) &&
&& ip->proto != IPPROTO_TCP) { ip->proto != IPPROTO_TCP) {
printk(KERN_WARNING "ipt_ecn: can't match TCP bits in rule for" printk(KERN_WARNING "ipt_ecn: can't match TCP bits in rule for"
" non-tcp packets\n"); " non-tcp packets\n");
return false; return false;

View file

@ -130,8 +130,8 @@ ipt_local_hook(unsigned int hook,
u_int32_t mark; u_int32_t mark;
/* root is playing with raw sockets. */ /* root is playing with raw sockets. */
if (skb->len < sizeof(struct iphdr) if (skb->len < sizeof(struct iphdr) ||
|| ip_hdrlen(skb) < sizeof(struct iphdr)) ip_hdrlen(skb) < sizeof(struct iphdr))
return NF_ACCEPT; return NF_ACCEPT;
/* Save things which could affect route */ /* Save things which could affect route */

View file

@ -94,8 +94,8 @@ ipt_local_out_hook(unsigned int hook,
int (*okfn)(struct sk_buff *)) int (*okfn)(struct sk_buff *))
{ {
/* Somebody is playing with raw sockets. */ /* Somebody is playing with raw sockets. */
if (skb->len < sizeof(struct iphdr) if (skb->len < sizeof(struct iphdr) ||
|| ip_hdrlen(skb) < sizeof(struct iphdr)) ip_hdrlen(skb) < sizeof(struct iphdr))
return NF_ACCEPT; return NF_ACCEPT;
return ipt_do_table(skb, hook, in, out, return ipt_do_table(skb, hook, in, out,
dev_net(out)->ipv4.iptable_security); dev_net(out)->ipv4.iptable_security);

View file

@ -54,8 +54,8 @@ static const u_int8_t invmap[] = {
static bool icmp_invert_tuple(struct nf_conntrack_tuple *tuple, static bool icmp_invert_tuple(struct nf_conntrack_tuple *tuple,
const struct nf_conntrack_tuple *orig) const struct nf_conntrack_tuple *orig)
{ {
if (orig->dst.u.icmp.type >= sizeof(invmap) if (orig->dst.u.icmp.type >= sizeof(invmap) ||
|| !invmap[orig->dst.u.icmp.type]) !invmap[orig->dst.u.icmp.type])
return false; return false;
tuple->src.u.icmp.id = orig->src.u.icmp.id; tuple->src.u.icmp.id = orig->src.u.icmp.id;
@ -101,8 +101,8 @@ static bool icmp_new(struct nf_conn *ct, const struct sk_buff *skb,
[ICMP_ADDRESS] = 1 [ICMP_ADDRESS] = 1
}; };
if (ct->tuplehash[0].tuple.dst.u.icmp.type >= sizeof(valid_new) if (ct->tuplehash[0].tuple.dst.u.icmp.type >= sizeof(valid_new) ||
|| !valid_new[ct->tuplehash[0].tuple.dst.u.icmp.type]) { !valid_new[ct->tuplehash[0].tuple.dst.u.icmp.type]) {
/* Can't create a new ICMP `conn' with this. */ /* Can't create a new ICMP `conn' with this. */
pr_debug("icmp: can't create new conn with type %u\n", pr_debug("icmp: can't create new conn with type %u\n",
ct->tuplehash[0].tuple.dst.u.icmp.type); ct->tuplehash[0].tuple.dst.u.icmp.type);
@ -201,11 +201,11 @@ icmp_error(struct net *net, struct sk_buff *skb, unsigned int dataoff,
} }
/* Need to track icmp error message? */ /* Need to track icmp error message? */
if (icmph->type != ICMP_DEST_UNREACH if (icmph->type != ICMP_DEST_UNREACH &&
&& icmph->type != ICMP_SOURCE_QUENCH icmph->type != ICMP_SOURCE_QUENCH &&
&& icmph->type != ICMP_TIME_EXCEEDED icmph->type != ICMP_TIME_EXCEEDED &&
&& icmph->type != ICMP_PARAMETERPROB icmph->type != ICMP_PARAMETERPROB &&
&& icmph->type != ICMP_REDIRECT) icmph->type != ICMP_REDIRECT)
return NF_ACCEPT; return NF_ACCEPT;
return icmp_error_message(net, skb, ctinfo, hooknum); return icmp_error_message(net, skb, ctinfo, hooknum);
@ -238,17 +238,17 @@ static const struct nla_policy icmp_nla_policy[CTA_PROTO_MAX+1] = {
static int icmp_nlattr_to_tuple(struct nlattr *tb[], static int icmp_nlattr_to_tuple(struct nlattr *tb[],
struct nf_conntrack_tuple *tuple) struct nf_conntrack_tuple *tuple)
{ {
if (!tb[CTA_PROTO_ICMP_TYPE] if (!tb[CTA_PROTO_ICMP_TYPE] ||
|| !tb[CTA_PROTO_ICMP_CODE] !tb[CTA_PROTO_ICMP_CODE] ||
|| !tb[CTA_PROTO_ICMP_ID]) !tb[CTA_PROTO_ICMP_ID])
return -EINVAL; return -EINVAL;
tuple->dst.u.icmp.type = nla_get_u8(tb[CTA_PROTO_ICMP_TYPE]); tuple->dst.u.icmp.type = nla_get_u8(tb[CTA_PROTO_ICMP_TYPE]);
tuple->dst.u.icmp.code = nla_get_u8(tb[CTA_PROTO_ICMP_CODE]); tuple->dst.u.icmp.code = nla_get_u8(tb[CTA_PROTO_ICMP_CODE]);
tuple->src.u.icmp.id = nla_get_be16(tb[CTA_PROTO_ICMP_ID]); tuple->src.u.icmp.id = nla_get_be16(tb[CTA_PROTO_ICMP_ID]);
if (tuple->dst.u.icmp.type >= sizeof(invmap) if (tuple->dst.u.icmp.type >= sizeof(invmap) ||
|| !invmap[tuple->dst.u.icmp.type]) !invmap[tuple->dst.u.icmp.type])
return -EINVAL; return -EINVAL;
return 0; return 0;

View file

@ -41,18 +41,14 @@ adjust_tcp_sequence(u32 seq,
struct nf_conn *ct, struct nf_conn *ct,
enum ip_conntrack_info ctinfo) enum ip_conntrack_info ctinfo)
{ {
int dir; enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
struct nf_nat_seq *this_way, *other_way;
struct nf_conn_nat *nat = nfct_nat(ct); struct nf_conn_nat *nat = nfct_nat(ct);
struct nf_nat_seq *this_way = &nat->seq[dir];
pr_debug("adjust_tcp_sequence: seq = %u, sizediff = %d\n", seq, seq); pr_debug("adjust_tcp_sequence: seq = %u, sizediff = %d\n",
seq, sizediff);
dir = CTINFO2DIR(ctinfo); pr_debug("adjust_tcp_sequence: Seq_offset before: ");
this_way = &nat->seq[dir];
other_way = &nat->seq[!dir];
pr_debug("nf_nat_resize_packet: Seq_offset before: ");
DUMP_OFFSET(this_way); DUMP_OFFSET(this_way);
spin_lock_bh(&nf_nat_seqofs_lock); spin_lock_bh(&nf_nat_seqofs_lock);
@ -63,13 +59,13 @@ adjust_tcp_sequence(u32 seq,
* retransmit */ * retransmit */
if (this_way->offset_before == this_way->offset_after || if (this_way->offset_before == this_way->offset_after ||
before(this_way->correction_pos, seq)) { before(this_way->correction_pos, seq)) {
this_way->correction_pos = seq; this_way->correction_pos = seq;
this_way->offset_before = this_way->offset_after; this_way->offset_before = this_way->offset_after;
this_way->offset_after += sizediff; this_way->offset_after += sizediff;
} }
spin_unlock_bh(&nf_nat_seqofs_lock); spin_unlock_bh(&nf_nat_seqofs_lock);
pr_debug("nf_nat_resize_packet: Seq_offset after: "); pr_debug("adjust_tcp_sequence: Seq_offset after: ");
DUMP_OFFSET(this_way); DUMP_OFFSET(this_way);
} }

View file

@ -197,11 +197,11 @@ nf_nat_out(unsigned int hooknum,
(ct = nf_ct_get(skb, &ctinfo)) != NULL) { (ct = nf_ct_get(skb, &ctinfo)) != NULL) {
enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo); enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
if (ct->tuplehash[dir].tuple.src.u3.ip != if ((ct->tuplehash[dir].tuple.src.u3.ip !=
ct->tuplehash[!dir].tuple.dst.u3.ip ct->tuplehash[!dir].tuple.dst.u3.ip) ||
|| ct->tuplehash[dir].tuple.src.u.all != (ct->tuplehash[dir].tuple.src.u.all !=
ct->tuplehash[!dir].tuple.dst.u.all ct->tuplehash[!dir].tuple.dst.u.all)
) )
return ip_xfrm_me_harder(skb) == 0 ? ret : NF_DROP; return ip_xfrm_me_harder(skb) == 0 ? ret : NF_DROP;
} }
#endif #endif

View file

@ -499,8 +499,7 @@ ipq_rcv_nl_event(struct notifier_block *this,
{ {
struct netlink_notify *n = ptr; struct netlink_notify *n = ptr;
if (event == NETLINK_URELEASE && if (event == NETLINK_URELEASE && n->protocol == NETLINK_IP6_FW) {
n->protocol == NETLINK_IP6_FW && n->pid) {
write_lock_bh(&queue_lock); write_lock_bh(&queue_lock);
if ((net_eq(n->net, &init_net)) && (n->pid == peer_pid)) if ((net_eq(n->net, &init_net)) && (n->pid == peer_pid))
__ipq_reset(); __ipq_reset();
@ -625,7 +624,7 @@ cleanup_netlink_notifier:
static void __exit ip6_queue_fini(void) static void __exit ip6_queue_fini(void)
{ {
nf_unregister_queue_handlers(&nfqh); nf_unregister_queue_handlers(&nfqh);
synchronize_net();
ipq_flush(NULL, 0); ipq_flush(NULL, 0);
#ifdef CONFIG_SYSCTL #ifdef CONFIG_SYSCTL

View file

@ -105,9 +105,9 @@ ip6_packet_match(const struct sk_buff *skb,
#define FWINV(bool, invflg) ((bool) ^ !!(ip6info->invflags & (invflg))) #define FWINV(bool, invflg) ((bool) ^ !!(ip6info->invflags & (invflg)))
if (FWINV(ipv6_masked_addr_cmp(&ipv6->saddr, &ip6info->smsk, if (FWINV(ipv6_masked_addr_cmp(&ipv6->saddr, &ip6info->smsk,
&ip6info->src), IP6T_INV_SRCIP) &ip6info->src), IP6T_INV_SRCIP) ||
|| FWINV(ipv6_masked_addr_cmp(&ipv6->daddr, &ip6info->dmsk, FWINV(ipv6_masked_addr_cmp(&ipv6->daddr, &ip6info->dmsk,
&ip6info->dst), IP6T_INV_DSTIP)) { &ip6info->dst), IP6T_INV_DSTIP)) {
dprintf("Source or dest mismatch.\n"); dprintf("Source or dest mismatch.\n");
/* /*
dprintf("SRC: %u. Mask: %u. Target: %u.%s\n", ip->saddr, dprintf("SRC: %u. Mask: %u. Target: %u.%s\n", ip->saddr,
@ -277,11 +277,11 @@ get_chainname_rulenum(struct ip6t_entry *s, struct ip6t_entry *e,
} else if (s == e) { } else if (s == e) {
(*rulenum)++; (*rulenum)++;
if (s->target_offset == sizeof(struct ip6t_entry) if (s->target_offset == sizeof(struct ip6t_entry) &&
&& strcmp(t->target.u.kernel.target->name, strcmp(t->target.u.kernel.target->name,
IP6T_STANDARD_TARGET) == 0 IP6T_STANDARD_TARGET) == 0 &&
&& t->verdict < 0 t->verdict < 0 &&
&& unconditional(&s->ipv6)) { unconditional(&s->ipv6)) {
/* Tail of chains: STANDARD target (return/policy) */ /* Tail of chains: STANDARD target (return/policy) */
*comment = *chainname == hookname *comment = *chainname == hookname
? comments[NF_IP6_TRACE_COMMENT_POLICY] ? comments[NF_IP6_TRACE_COMMENT_POLICY]
@ -418,8 +418,8 @@ ip6t_do_table(struct sk_buff *skb,
back = get_entry(table_base, back->comefrom); back = get_entry(table_base, back->comefrom);
continue; continue;
} }
if (table_base + v != ip6t_next_entry(e) if (table_base + v != ip6t_next_entry(e) &&
&& !(e->ipv6.flags & IP6T_F_GOTO)) { !(e->ipv6.flags & IP6T_F_GOTO)) {
/* Save old back ptr in next entry */ /* Save old back ptr in next entry */
struct ip6t_entry *next = ip6t_next_entry(e); struct ip6t_entry *next = ip6t_next_entry(e);
next->comefrom = (void *)back - table_base; next->comefrom = (void *)back - table_base;
@ -505,11 +505,11 @@ mark_source_chains(struct xt_table_info *newinfo,
e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS)); e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS));
/* Unconditional return/END. */ /* Unconditional return/END. */
if ((e->target_offset == sizeof(struct ip6t_entry) if ((e->target_offset == sizeof(struct ip6t_entry) &&
&& (strcmp(t->target.u.user.name, (strcmp(t->target.u.user.name,
IP6T_STANDARD_TARGET) == 0) IP6T_STANDARD_TARGET) == 0) &&
&& t->verdict < 0 t->verdict < 0 &&
&& unconditional(&e->ipv6)) || visited) { unconditional(&e->ipv6)) || visited) {
unsigned int oldpos, size; unsigned int oldpos, size;
if ((strcmp(t->target.u.user.name, if ((strcmp(t->target.u.user.name,
@ -556,8 +556,8 @@ mark_source_chains(struct xt_table_info *newinfo,
int newpos = t->verdict; int newpos = t->verdict;
if (strcmp(t->target.u.user.name, if (strcmp(t->target.u.user.name,
IP6T_STANDARD_TARGET) == 0 IP6T_STANDARD_TARGET) == 0 &&
&& newpos >= 0) { newpos >= 0) {
if (newpos > newinfo->size - if (newpos > newinfo->size -
sizeof(struct ip6t_entry)) { sizeof(struct ip6t_entry)) {
duprintf("mark_source_chains: " duprintf("mark_source_chains: "
@ -767,8 +767,8 @@ check_entry_size_and_hooks(struct ip6t_entry *e,
{ {
unsigned int h; unsigned int h;
if ((unsigned long)e % __alignof__(struct ip6t_entry) != 0 if ((unsigned long)e % __alignof__(struct ip6t_entry) != 0 ||
|| (unsigned char *)e + sizeof(struct ip6t_entry) >= limit) { (unsigned char *)e + sizeof(struct ip6t_entry) >= limit) {
duprintf("Bad offset %p\n", e); duprintf("Bad offset %p\n", e);
return -EINVAL; return -EINVAL;
} }
@ -1584,8 +1584,8 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
int ret, off, h; int ret, off, h;
duprintf("check_compat_entry_size_and_hooks %p\n", e); duprintf("check_compat_entry_size_and_hooks %p\n", e);
if ((unsigned long)e % __alignof__(struct compat_ip6t_entry) != 0 if ((unsigned long)e % __alignof__(struct compat_ip6t_entry) != 0 ||
|| (unsigned char *)e + sizeof(struct compat_ip6t_entry) >= limit) { (unsigned char *)e + sizeof(struct compat_ip6t_entry) >= limit) {
duprintf("Bad offset %p, limit = %p\n", e, limit); duprintf("Bad offset %p, limit = %p\n", e, limit);
return -EINVAL; return -EINVAL;
} }

View file

@ -249,8 +249,8 @@ static void dump_packet(const struct nf_loginfo *info,
/* Max length: 11 "URGP=65535 " */ /* Max length: 11 "URGP=65535 " */
printk("URGP=%u ", ntohs(th->urg_ptr)); printk("URGP=%u ", ntohs(th->urg_ptr));
if ((logflags & IP6T_LOG_TCPOPT) if ((logflags & IP6T_LOG_TCPOPT) &&
&& th->doff * 4 > sizeof(struct tcphdr)) { th->doff * 4 > sizeof(struct tcphdr)) {
u_int8_t _opt[60 - sizeof(struct tcphdr)]; u_int8_t _opt[60 - sizeof(struct tcphdr)];
const u_int8_t *op; const u_int8_t *op;
unsigned int i; unsigned int i;

View file

@ -223,8 +223,8 @@ static bool reject_tg6_check(const struct xt_tgchk_param *par)
return false; return false;
} else if (rejinfo->with == IP6T_TCP_RESET) { } else if (rejinfo->with == IP6T_TCP_RESET) {
/* Must specify that it's a TCP packet */ /* Must specify that it's a TCP packet */
if (e->ipv6.proto != IPPROTO_TCP if (e->ipv6.proto != IPPROTO_TCP ||
|| (e->ipv6.invflags & XT_INV_PROTO)) { (e->ipv6.invflags & XT_INV_PROTO)) {
printk("ip6t_REJECT: TCP_RESET illegal for non-tcp\n"); printk("ip6t_REJECT: TCP_RESET illegal for non-tcp\n");
return false; return false;
} }

View file

@ -77,17 +77,14 @@ static bool ah_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
ahinfo->hdrres, ah->reserved, ahinfo->hdrres, ah->reserved,
!(ahinfo->hdrres && ah->reserved)); !(ahinfo->hdrres && ah->reserved));
return (ah != NULL) return (ah != NULL) &&
&& spi_match(ahinfo->spis[0], ahinfo->spis[1],
spi_match(ahinfo->spis[0], ahinfo->spis[1], ntohl(ah->spi),
ntohl(ah->spi), !!(ahinfo->invflags & IP6T_AH_INV_SPI)) &&
!!(ahinfo->invflags & IP6T_AH_INV_SPI)) (!ahinfo->hdrlen ||
&& (ahinfo->hdrlen == hdrlen) ^
(!ahinfo->hdrlen || !!(ahinfo->invflags & IP6T_AH_INV_LEN)) &&
(ahinfo->hdrlen == hdrlen) ^ !(ahinfo->hdrres && ah->reserved);
!!(ahinfo->invflags & IP6T_AH_INV_LEN))
&&
!(ahinfo->hdrres && ah->reserved);
} }
static bool ah_mt6_check(const struct xt_mtchk_param *par) static bool ah_mt6_check(const struct xt_mtchk_param *par)

View file

@ -70,41 +70,36 @@ frag_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
pr_debug("res %02X %02X%04X %02X ", pr_debug("res %02X %02X%04X %02X ",
fraginfo->flags & IP6T_FRAG_RES, fh->reserved, fraginfo->flags & IP6T_FRAG_RES, fh->reserved,
ntohs(fh->frag_off) & 0x6, ntohs(fh->frag_off) & 0x6,
!((fraginfo->flags & IP6T_FRAG_RES) !((fraginfo->flags & IP6T_FRAG_RES) &&
&& (fh->reserved || (ntohs(fh->frag_off) & 0x06)))); (fh->reserved || (ntohs(fh->frag_off) & 0x06))));
pr_debug("first %02X %02X %02X ", pr_debug("first %02X %02X %02X ",
fraginfo->flags & IP6T_FRAG_FST, fraginfo->flags & IP6T_FRAG_FST,
ntohs(fh->frag_off) & ~0x7, ntohs(fh->frag_off) & ~0x7,
!((fraginfo->flags & IP6T_FRAG_FST) !((fraginfo->flags & IP6T_FRAG_FST) &&
&& (ntohs(fh->frag_off) & ~0x7))); (ntohs(fh->frag_off) & ~0x7)));
pr_debug("mf %02X %02X %02X ", pr_debug("mf %02X %02X %02X ",
fraginfo->flags & IP6T_FRAG_MF, fraginfo->flags & IP6T_FRAG_MF,
ntohs(fh->frag_off) & IP6_MF, ntohs(fh->frag_off) & IP6_MF,
!((fraginfo->flags & IP6T_FRAG_MF) !((fraginfo->flags & IP6T_FRAG_MF) &&
&& !((ntohs(fh->frag_off) & IP6_MF)))); !((ntohs(fh->frag_off) & IP6_MF))));
pr_debug("last %02X %02X %02X\n", pr_debug("last %02X %02X %02X\n",
fraginfo->flags & IP6T_FRAG_NMF, fraginfo->flags & IP6T_FRAG_NMF,
ntohs(fh->frag_off) & IP6_MF, ntohs(fh->frag_off) & IP6_MF,
!((fraginfo->flags & IP6T_FRAG_NMF) !((fraginfo->flags & IP6T_FRAG_NMF) &&
&& (ntohs(fh->frag_off) & IP6_MF))); (ntohs(fh->frag_off) & IP6_MF)));
return (fh != NULL) return (fh != NULL) &&
&& id_match(fraginfo->ids[0], fraginfo->ids[1],
id_match(fraginfo->ids[0], fraginfo->ids[1], ntohl(fh->identification),
ntohl(fh->identification), !!(fraginfo->invflags & IP6T_FRAG_INV_IDS)) &&
!!(fraginfo->invflags & IP6T_FRAG_INV_IDS)) !((fraginfo->flags & IP6T_FRAG_RES) &&
&& (fh->reserved || (ntohs(fh->frag_off) & 0x6))) &&
!((fraginfo->flags & IP6T_FRAG_RES) !((fraginfo->flags & IP6T_FRAG_FST) &&
&& (fh->reserved || (ntohs(fh->frag_off) & 0x6))) (ntohs(fh->frag_off) & ~0x7)) &&
&& !((fraginfo->flags & IP6T_FRAG_MF) &&
!((fraginfo->flags & IP6T_FRAG_FST) !(ntohs(fh->frag_off) & IP6_MF)) &&
&& (ntohs(fh->frag_off) & ~0x7)) !((fraginfo->flags & IP6T_FRAG_NMF) &&
&& (ntohs(fh->frag_off) & IP6_MF));
!((fraginfo->flags & IP6T_FRAG_MF)
&& !(ntohs(fh->frag_off) & IP6_MF))
&&
!((fraginfo->flags & IP6T_FRAG_NMF)
&& (ntohs(fh->frag_off) & IP6_MF));
} }
static bool frag_mt6_check(const struct xt_mtchk_param *par) static bool frag_mt6_check(const struct xt_mtchk_param *par)

View file

@ -92,16 +92,13 @@ static bool rt_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
!((rtinfo->flags & IP6T_RT_RES) && !((rtinfo->flags & IP6T_RT_RES) &&
(((const struct rt0_hdr *)rh)->reserved))); (((const struct rt0_hdr *)rh)->reserved)));
ret = (rh != NULL) ret = (rh != NULL) &&
&&
(segsleft_match(rtinfo->segsleft[0], rtinfo->segsleft[1], (segsleft_match(rtinfo->segsleft[0], rtinfo->segsleft[1],
rh->segments_left, rh->segments_left,
!!(rtinfo->invflags & IP6T_RT_INV_SGS))) !!(rtinfo->invflags & IP6T_RT_INV_SGS))) &&
&&
(!(rtinfo->flags & IP6T_RT_LEN) || (!(rtinfo->flags & IP6T_RT_LEN) ||
((rtinfo->hdrlen == hdrlen) ^ ((rtinfo->hdrlen == hdrlen) ^
!!(rtinfo->invflags & IP6T_RT_INV_LEN))) !!(rtinfo->invflags & IP6T_RT_INV_LEN))) &&
&&
(!(rtinfo->flags & IP6T_RT_TYP) || (!(rtinfo->flags & IP6T_RT_TYP) ||
((rtinfo->rt_type == rh->type) ^ ((rtinfo->rt_type == rh->type) ^
!!(rtinfo->invflags & IP6T_RT_INV_TYP))); !!(rtinfo->invflags & IP6T_RT_INV_TYP)));

View file

@ -79,8 +79,8 @@ ip6t_local_out_hook(unsigned int hook,
{ {
#if 0 #if 0
/* root is playing with raw sockets. */ /* root is playing with raw sockets. */
if (skb->len < sizeof(struct iphdr) if (skb->len < sizeof(struct iphdr) ||
|| ip_hdrlen(skb) < sizeof(struct iphdr)) { ip_hdrlen(skb) < sizeof(struct iphdr)) {
if (net_ratelimit()) if (net_ratelimit())
printk("ip6t_hook: happy cracking.\n"); printk("ip6t_hook: happy cracking.\n");
return NF_ACCEPT; return NF_ACCEPT;

View file

@ -102,8 +102,8 @@ ip6t_local_out_hook(unsigned int hook,
#if 0 #if 0
/* root is playing with raw sockets. */ /* root is playing with raw sockets. */
if (skb->len < sizeof(struct iphdr) if (skb->len < sizeof(struct iphdr) ||
|| ip_hdrlen(skb) < sizeof(struct iphdr)) { ip_hdrlen(skb) < sizeof(struct iphdr)) {
if (net_ratelimit()) if (net_ratelimit())
printk("ip6t_hook: happy cracking.\n"); printk("ip6t_hook: happy cracking.\n");
return NF_ACCEPT; return NF_ACCEPT;
@ -122,11 +122,11 @@ ip6t_local_out_hook(unsigned int hook,
ret = ip6t_do_table(skb, hook, in, out, ret = ip6t_do_table(skb, hook, in, out,
dev_net(out)->ipv6.ip6table_mangle); dev_net(out)->ipv6.ip6table_mangle);
if (ret != NF_DROP && ret != NF_STOLEN if (ret != NF_DROP && ret != NF_STOLEN &&
&& (memcmp(&ipv6_hdr(skb)->saddr, &saddr, sizeof(saddr)) (memcmp(&ipv6_hdr(skb)->saddr, &saddr, sizeof(saddr)) ||
|| memcmp(&ipv6_hdr(skb)->daddr, &daddr, sizeof(daddr)) memcmp(&ipv6_hdr(skb)->daddr, &daddr, sizeof(daddr)) ||
|| skb->mark != mark skb->mark != mark ||
|| ipv6_hdr(skb)->hop_limit != hop_limit)) ipv6_hdr(skb)->hop_limit != hop_limit))
return ip6_route_me_harder(skb) == 0 ? ret : NF_DROP; return ip6_route_me_harder(skb) == 0 ? ret : NF_DROP;
return ret; return ret;

View file

@ -244,18 +244,18 @@ static const struct nla_policy icmpv6_nla_policy[CTA_PROTO_MAX+1] = {
static int icmpv6_nlattr_to_tuple(struct nlattr *tb[], static int icmpv6_nlattr_to_tuple(struct nlattr *tb[],
struct nf_conntrack_tuple *tuple) struct nf_conntrack_tuple *tuple)
{ {
if (!tb[CTA_PROTO_ICMPV6_TYPE] if (!tb[CTA_PROTO_ICMPV6_TYPE] ||
|| !tb[CTA_PROTO_ICMPV6_CODE] !tb[CTA_PROTO_ICMPV6_CODE] ||
|| !tb[CTA_PROTO_ICMPV6_ID]) !tb[CTA_PROTO_ICMPV6_ID])
return -EINVAL; return -EINVAL;
tuple->dst.u.icmp.type = nla_get_u8(tb[CTA_PROTO_ICMPV6_TYPE]); tuple->dst.u.icmp.type = nla_get_u8(tb[CTA_PROTO_ICMPV6_TYPE]);
tuple->dst.u.icmp.code = nla_get_u8(tb[CTA_PROTO_ICMPV6_CODE]); tuple->dst.u.icmp.code = nla_get_u8(tb[CTA_PROTO_ICMPV6_CODE]);
tuple->src.u.icmp.id = nla_get_be16(tb[CTA_PROTO_ICMPV6_ID]); tuple->src.u.icmp.id = nla_get_be16(tb[CTA_PROTO_ICMPV6_ID]);
if (tuple->dst.u.icmp.type < 128 if (tuple->dst.u.icmp.type < 128 ||
|| tuple->dst.u.icmp.type - 128 >= sizeof(invmap) tuple->dst.u.icmp.type - 128 >= sizeof(invmap) ||
|| !invmap[tuple->dst.u.icmp.type - 128]) !invmap[tuple->dst.u.icmp.type - 128])
return -EINVAL; return -EINVAL;
return 0; return 0;

View file

@ -512,11 +512,17 @@ static noinline int early_drop(struct net *net, unsigned int hash)
cnt++; cnt++;
} }
if (ct && unlikely(nf_ct_is_dying(ct) || if (ct != NULL) {
!atomic_inc_not_zero(&ct->ct_general.use))) if (likely(!nf_ct_is_dying(ct) &&
ct = NULL; atomic_inc_not_zero(&ct->ct_general.use)))
if (ct || cnt >= NF_CT_EVICTION_RANGE) break;
else
ct = NULL;
}
if (cnt >= NF_CT_EVICTION_RANGE)
break; break;
hash = (hash + 1) % nf_conntrack_htable_size; hash = (hash + 1) % nf_conntrack_htable_size;
} }
rcu_read_unlock(); rcu_read_unlock();

View file

@ -896,23 +896,54 @@ static int tcp_packet(struct nf_conn *ct,
/* b) This SYN/ACK acknowledges a SYN that we earlier /* b) This SYN/ACK acknowledges a SYN that we earlier
* ignored as invalid. This means that the client and * ignored as invalid. This means that the client and
* the server are both in sync, while the firewall is * the server are both in sync, while the firewall is
* not. We kill this session and block the SYN/ACK so * not. We get in sync from the previously annotated
* that the client cannot but retransmit its SYN and * values.
* thus initiate a clean new session.
*/ */
spin_unlock_bh(&ct->lock); old_state = TCP_CONNTRACK_SYN_SENT;
if (LOG_INVALID(net, IPPROTO_TCP)) new_state = TCP_CONNTRACK_SYN_RECV;
nf_log_packet(pf, 0, skb, NULL, NULL, NULL, ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_end =
"nf_ct_tcp: killing out of sync session "); ct->proto.tcp.last_end;
nf_ct_kill(ct); ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_maxend =
return NF_DROP; ct->proto.tcp.last_end;
ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_maxwin =
ct->proto.tcp.last_win == 0 ?
1 : ct->proto.tcp.last_win;
ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_scale =
ct->proto.tcp.last_wscale;
ct->proto.tcp.seen[ct->proto.tcp.last_dir].flags =
ct->proto.tcp.last_flags;
memset(&ct->proto.tcp.seen[dir], 0,
sizeof(struct ip_ct_tcp_state));
break;
} }
ct->proto.tcp.last_index = index; ct->proto.tcp.last_index = index;
ct->proto.tcp.last_dir = dir; ct->proto.tcp.last_dir = dir;
ct->proto.tcp.last_seq = ntohl(th->seq); ct->proto.tcp.last_seq = ntohl(th->seq);
ct->proto.tcp.last_end = ct->proto.tcp.last_end =
segment_seq_plus_len(ntohl(th->seq), skb->len, dataoff, th); segment_seq_plus_len(ntohl(th->seq), skb->len, dataoff, th);
ct->proto.tcp.last_win = ntohs(th->window);
/* a) This is a SYN in ORIGINAL. The client and the server
* may be in sync but we are not. In that case, we annotate
* the TCP options and let the packet go through. If it is a
* valid SYN packet, the server will reply with a SYN/ACK, and
* then we'll get in sync. Otherwise, the server ignores it. */
if (index == TCP_SYN_SET && dir == IP_CT_DIR_ORIGINAL) {
struct ip_ct_tcp_state seen = {};
ct->proto.tcp.last_flags =
ct->proto.tcp.last_wscale = 0;
tcp_options(skb, dataoff, th, &seen);
if (seen.flags & IP_CT_TCP_FLAG_WINDOW_SCALE) {
ct->proto.tcp.last_flags |=
IP_CT_TCP_FLAG_WINDOW_SCALE;
ct->proto.tcp.last_wscale = seen.td_scale;
}
if (seen.flags & IP_CT_TCP_FLAG_SACK_PERM) {
ct->proto.tcp.last_flags |=
IP_CT_TCP_FLAG_SACK_PERM;
}
}
spin_unlock_bh(&ct->lock); spin_unlock_bh(&ct->lock);
if (LOG_INVALID(net, IPPROTO_TCP)) if (LOG_INVALID(net, IPPROTO_TCP))
nf_log_packet(pf, 0, skb, NULL, NULL, NULL, nf_log_packet(pf, 0, skb, NULL, NULL, NULL,

View file

@ -666,8 +666,7 @@ nfulnl_rcv_nl_event(struct notifier_block *this,
{ {
struct netlink_notify *n = ptr; struct netlink_notify *n = ptr;
if (event == NETLINK_URELEASE && if (event == NETLINK_URELEASE && n->protocol == NETLINK_NETFILTER) {
n->protocol == NETLINK_NETFILTER && n->pid) {
int i; int i;
/* destroy all instances for this pid */ /* destroy all instances for this pid */

View file

@ -574,8 +574,7 @@ nfqnl_rcv_nl_event(struct notifier_block *this,
{ {
struct netlink_notify *n = ptr; struct netlink_notify *n = ptr;
if (event == NETLINK_URELEASE && if (event == NETLINK_URELEASE && n->protocol == NETLINK_NETFILTER) {
n->protocol == NETLINK_NETFILTER && n->pid) {
int i; int i;
/* destroy all instances for this pid */ /* destroy all instances for this pid */

View file

@ -113,7 +113,8 @@ ct_proto_port_check(const struct xt_conntrack_mtinfo2 *info,
} }
static bool static bool
conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par) conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par,
u16 state_mask, u16 status_mask)
{ {
const struct xt_conntrack_mtinfo2 *info = par->matchinfo; const struct xt_conntrack_mtinfo2 *info = par->matchinfo;
enum ip_conntrack_info ctinfo; enum ip_conntrack_info ctinfo;
@ -136,7 +137,7 @@ conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par)
if (test_bit(IPS_DST_NAT_BIT, &ct->status)) if (test_bit(IPS_DST_NAT_BIT, &ct->status))
statebit |= XT_CONNTRACK_STATE_DNAT; statebit |= XT_CONNTRACK_STATE_DNAT;
} }
if (!!(info->state_mask & statebit) ^ if (!!(state_mask & statebit) ^
!(info->invert_flags & XT_CONNTRACK_STATE)) !(info->invert_flags & XT_CONNTRACK_STATE))
return false; return false;
} }
@ -172,7 +173,7 @@ conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return false; return false;
if ((info->match_flags & XT_CONNTRACK_STATUS) && if ((info->match_flags & XT_CONNTRACK_STATUS) &&
(!!(info->status_mask & ct->status) ^ (!!(status_mask & ct->status) ^
!(info->invert_flags & XT_CONNTRACK_STATUS))) !(info->invert_flags & XT_CONNTRACK_STATUS)))
return false; return false;
@ -192,11 +193,17 @@ conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par)
static bool static bool
conntrack_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par) conntrack_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par)
{ {
const struct xt_conntrack_mtinfo2 *const *info = par->matchinfo; const struct xt_conntrack_mtinfo1 *info = par->matchinfo;
struct xt_match_param newpar = *par;
newpar.matchinfo = *info; return conntrack_mt(skb, par, info->state_mask, info->status_mask);
return conntrack_mt(skb, &newpar); }
static bool
conntrack_mt_v2(const struct sk_buff *skb, const struct xt_match_param *par)
{
const struct xt_conntrack_mtinfo2 *info = par->matchinfo;
return conntrack_mt(skb, par, info->state_mask, info->status_mask);
} }
static bool conntrack_mt_check(const struct xt_mtchk_param *par) static bool conntrack_mt_check(const struct xt_mtchk_param *par)
@ -209,45 +216,11 @@ static bool conntrack_mt_check(const struct xt_mtchk_param *par)
return true; return true;
} }
static bool conntrack_mt_check_v1(const struct xt_mtchk_param *par)
{
struct xt_conntrack_mtinfo1 *info = par->matchinfo;
struct xt_conntrack_mtinfo2 *up;
int ret = conntrack_mt_check(par);
if (ret < 0)
return ret;
up = kmalloc(sizeof(*up), GFP_KERNEL);
if (up == NULL) {
nf_ct_l3proto_module_put(par->family);
return -ENOMEM;
}
/*
* The strategy here is to minimize the overhead of v1 matching,
* by prebuilding a v2 struct and putting the pointer into the
* v1 dataspace.
*/
memcpy(up, info, offsetof(typeof(*info), state_mask));
up->state_mask = info->state_mask;
up->status_mask = info->status_mask;
*(void **)info = up;
return true;
}
static void conntrack_mt_destroy(const struct xt_mtdtor_param *par) static void conntrack_mt_destroy(const struct xt_mtdtor_param *par)
{ {
nf_ct_l3proto_module_put(par->family); nf_ct_l3proto_module_put(par->family);
} }
static void conntrack_mt_destroy_v1(const struct xt_mtdtor_param *par)
{
struct xt_conntrack_mtinfo2 **info = par->matchinfo;
kfree(*info);
conntrack_mt_destroy(par);
}
static struct xt_match conntrack_mt_reg[] __read_mostly = { static struct xt_match conntrack_mt_reg[] __read_mostly = {
{ {
.name = "conntrack", .name = "conntrack",
@ -255,8 +228,8 @@ static struct xt_match conntrack_mt_reg[] __read_mostly = {
.family = NFPROTO_UNSPEC, .family = NFPROTO_UNSPEC,
.matchsize = sizeof(struct xt_conntrack_mtinfo1), .matchsize = sizeof(struct xt_conntrack_mtinfo1),
.match = conntrack_mt_v1, .match = conntrack_mt_v1,
.checkentry = conntrack_mt_check_v1, .checkentry = conntrack_mt_check,
.destroy = conntrack_mt_destroy_v1, .destroy = conntrack_mt_destroy,
.me = THIS_MODULE, .me = THIS_MODULE,
}, },
{ {
@ -264,7 +237,7 @@ static struct xt_match conntrack_mt_reg[] __read_mostly = {
.revision = 2, .revision = 2,
.family = NFPROTO_UNSPEC, .family = NFPROTO_UNSPEC,
.matchsize = sizeof(struct xt_conntrack_mtinfo2), .matchsize = sizeof(struct xt_conntrack_mtinfo2),
.match = conntrack_mt, .match = conntrack_mt_v2,
.checkentry = conntrack_mt_check, .checkentry = conntrack_mt_check,
.destroy = conntrack_mt_destroy, .destroy = conntrack_mt_destroy,
.me = THIS_MODULE, .me = THIS_MODULE,

View file

@ -192,7 +192,8 @@ static struct xt_match socket_mt_reg[] __read_mostly = {
.revision = 0, .revision = 0,
.family = NFPROTO_IPV4, .family = NFPROTO_IPV4,
.match = socket_mt_v0, .match = socket_mt_v0,
.hooks = 1 << NF_INET_PRE_ROUTING, .hooks = (1 << NF_INET_PRE_ROUTING) |
(1 << NF_INET_LOCAL_IN),
.me = THIS_MODULE, .me = THIS_MODULE,
}, },
{ {
@ -201,7 +202,8 @@ static struct xt_match socket_mt_reg[] __read_mostly = {
.family = NFPROTO_IPV4, .family = NFPROTO_IPV4,
.match = socket_mt_v1, .match = socket_mt_v1,
.matchsize = sizeof(struct xt_socket_mtinfo1), .matchsize = sizeof(struct xt_socket_mtinfo1),
.hooks = 1 << NF_INET_PRE_ROUTING, .hooks = (1 << NF_INET_PRE_ROUTING) |
(1 << NF_INET_LOCAL_IN),
.me = THIS_MODULE, .me = THIS_MODULE,
}, },
}; };