Commit 35fdc2d8 authored by David S. Miller's avatar David S. Miller

Merge davem@nuts.davemloft.net:/disk1/BK/nf-2.6

into kernel.bkbits.net:/home/davem/nf-2.6
parents 3e13e3b2 41d63bb6
......@@ -103,7 +103,7 @@ union ip_conntrack_nat_help {
#include <linux/types.h>
#include <linux/skbuff.h>
#ifdef CONFIG_NF_DEBUG
#ifdef CONFIG_NETFILTER_DEBUG
#define IP_NF_ASSERT(x) \
do { \
if (!(x)) \
......
#ifndef _IPT_ADDRTYPE_H
#define _IPT_ADDRTYPE_H
struct ipt_addrtype_info {
u_int16_t source; /* source-type mask */
u_int16_t dest; /* dest-type mask */
u_int32_t invert_source;
u_int32_t invert_dest;
};
#endif
#ifndef _IPT_REALM_H
#define _IPT_REALM_H
struct ipt_realm_info {
u_int32_t id;
u_int32_t mask;
u_int8_t invert;
};
#endif /* _IPT_REALM_H */
......@@ -1109,6 +1109,14 @@ static inline void nf_conntrack_get(struct nf_ct_info *nfct)
if (nfct)
atomic_inc(&nfct->master->use);
}
static inline void nf_reset(struct sk_buff *skb)
{
nf_conntrack_put(skb->nfct);
skb->nfct = NULL;
#ifdef CONFIG_NETFILTER_DEBUG
skb->nf_debug = 0;
#endif
}
#ifdef CONFIG_BRIDGE_NETFILTER
static inline void nf_bridge_put(struct nf_bridge_info *nf_bridge)
......@@ -1121,9 +1129,10 @@ static inline void nf_bridge_get(struct nf_bridge_info *nf_bridge)
if (nf_bridge)
atomic_inc(&nf_bridge->use);
}
#endif
#endif
#endif /* CONFIG_BRIDGE_NETFILTER */
#else /* CONFIG_NETFILTER */
static inline void nf_reset(struct sk_buff *skb) {}
#endif /* CONFIG_NETFILTER */
#endif /* __KERNEL__ */
#endif /* _LINUX_SKBUFF_H */
......@@ -643,13 +643,7 @@ int ipgre_rcv(struct sk_buff *skb)
skb->dev = tunnel->dev;
dst_release(skb->dst);
skb->dst = NULL;
#ifdef CONFIG_NETFILTER
nf_conntrack_put(skb->nfct);
skb->nfct = NULL;
#ifdef CONFIG_NETFILTER_DEBUG
skb->nf_debug = 0;
#endif
#endif
nf_reset(skb);
ipgre_ecn_decapsulate(iph, skb);
netif_rx(skb);
read_unlock(&ipgre_lock);
......@@ -877,13 +871,7 @@ static int ipgre_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
}
}
#ifdef CONFIG_NETFILTER
nf_conntrack_put(skb->nfct);
skb->nfct = NULL;
#ifdef CONFIG_NETFILTER_DEBUG
skb->nf_debug = 0;
#endif
#endif
nf_reset(skb);
IPTUNNEL_XMIT();
tunnel->recursion--;
......
......@@ -202,17 +202,13 @@ static inline int ip_local_deliver_finish(struct sk_buff *skb)
#ifdef CONFIG_NETFILTER_DEBUG
nf_debug_ip_local_deliver(skb);
skb->nf_debug = 0;
#endif /*CONFIG_NETFILTER_DEBUG*/
__skb_pull(skb, ihl);
#ifdef CONFIG_NETFILTER
/* Free reference early: we don't need it any more, and it may
hold ip_conntrack module loaded indefinitely. */
nf_conntrack_put(skb->nfct);
skb->nfct = NULL;
#endif /*CONFIG_NETFILTER*/
nf_reset(skb);
/* Point into the IP datagram, just past the header. */
skb->h.raw = skb->data;
......
......@@ -497,13 +497,7 @@ static int ipip_rcv(struct sk_buff *skb)
skb->dev = tunnel->dev;
dst_release(skb->dst);
skb->dst = NULL;
#ifdef CONFIG_NETFILTER
nf_conntrack_put(skb->nfct);
skb->nfct = NULL;
#ifdef CONFIG_NETFILTER_DEBUG
skb->nf_debug = 0;
#endif
#endif
nf_reset(skb);
ipip_ecn_decapsulate(iph, skb);
netif_rx(skb);
read_unlock(&ipip_lock);
......@@ -648,13 +642,7 @@ static int ipip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
if ((iph->ttl = tiph->ttl) == 0)
iph->ttl = old_iph->ttl;
#ifdef CONFIG_NETFILTER
nf_conntrack_put(skb->nfct);
skb->nfct = NULL;
#ifdef CONFIG_NETFILTER_DEBUG
skb->nf_debug = 0;
#endif
#endif
nf_reset(skb);
IPTUNNEL_XMIT();
tunnel->recursion--;
......
......@@ -1105,10 +1105,7 @@ static void ip_encap(struct sk_buff *skb, u32 saddr, u32 daddr)
skb->h.ipiph = skb->nh.iph;
skb->nh.iph = iph;
memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
#ifdef CONFIG_NETFILTER
nf_conntrack_put(skb->nfct);
skb->nfct = NULL;
#endif
nf_reset(skb);
}
static inline int ipmr_forward_finish(struct sk_buff *skb)
......@@ -1461,10 +1458,7 @@ int pim_rcv_v1(struct sk_buff * skb)
skb->dst = NULL;
((struct net_device_stats*)reg_dev->priv)->rx_bytes += skb->len;
((struct net_device_stats*)reg_dev->priv)->rx_packets++;
#ifdef CONFIG_NETFILTER
nf_conntrack_put(skb->nfct);
skb->nfct = NULL;
#endif
nf_reset(skb);
netif_rx(skb);
dev_put(reg_dev);
return 0;
......@@ -1520,10 +1514,7 @@ static int pim_rcv(struct sk_buff * skb)
((struct net_device_stats*)reg_dev->priv)->rx_bytes += skb->len;
((struct net_device_stats*)reg_dev->priv)->rx_packets++;
skb->dst = NULL;
#ifdef CONFIG_NETFILTER
nf_conntrack_put(skb->nfct);
skb->nfct = NULL;
#endif
nf_reset(skb);
netif_rx(skb);
dev_put(reg_dev);
return 0;
......
......@@ -603,5 +603,29 @@ config IP_NF_RAW
<file:Documentation/modules.txt>. If unsure, say `N'.
help
config IP_NF_MATCH_ADDRTYPE
tristate 'address type match support'
depends on IP_NF_IPTABLES
help
This option allows you to match what routing thinks of an address,
eg. UNICAST, LOCAL, BROADCAST, ...
If you want to compile it as a module, say M here and read
Documentation/modules.txt. If unsure, say `N'.
config IP_NF_MATCH_REALM
tristate 'realm match support'
depends on IP_NF_IPTABLES
select NET_CLS_ROUTE
help
This option adds a `realm' match, which allows you to use the realm
key from the routing subsytem inside iptables.
This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
in tc world.
If you want to compile it as a module, say M here and read
Documentation/modules.txt. If unsure, say `N'.
endmenu
......@@ -64,6 +64,8 @@ obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
obj-$(CONFIG_IP_NF_MATCH_STATE) += ipt_state.o
obj-$(CONFIG_IP_NF_MATCH_CONNTRACK) += ipt_conntrack.o
obj-$(CONFIG_IP_NF_MATCH_TCPMSS) += ipt_tcpmss.o
obj-$(CONFIG_IP_NF_MATCH_REALM) += ipt_realm.o
obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE) += ipt_addrtype.o
obj-$(CONFIG_IP_NF_MATCH_PHYSDEV) += ipt_physdev.o
......
......@@ -107,7 +107,7 @@ static int help(struct sk_buff *skb,
exp->mask.dst.u.tcp.port = 0xFFFF;
exp_amanda_info = &exp->help.exp_amanda_info;
exp_amanda_info->offset = data - amanda_buffer;
exp_amanda_info->offset = tmp - amanda_buffer;
exp_amanda_info->port = port;
exp_amanda_info->len = len;
......
......@@ -174,13 +174,12 @@ static void
destroy_expect(struct ip_conntrack_expect *exp)
{
DEBUGP("destroy_expect(%p) use=%d\n", exp, atomic_read(&exp->use));
IP_NF_ASSERT(atomic_read(&exp->use));
IP_NF_ASSERT(atomic_read(&exp->use) == 0);
IP_NF_ASSERT(!timer_pending(&exp->timeout));
kfree(exp);
}
inline void ip_conntrack_expect_put(struct ip_conntrack_expect *exp)
{
IP_NF_ASSERT(exp);
......@@ -716,7 +715,6 @@ init_conntrack(const struct ip_conntrack_tuple *tuple,
DEBUGP("conntrack: expectation arrives ct=%p exp=%p\n",
conntrack, expected);
/* Welcome, Mr. Bond. We've been expecting you... */
IP_NF_ASSERT(master_ct(conntrack));
__set_bit(IPS_EXPECTED_BIT, &conntrack->status);
conntrack->master = expected;
expected->sibling = conntrack;
......@@ -949,9 +947,8 @@ ip_conntrack_expect_insert(struct ip_conntrack_expect *new,
atomic_set(&new->use, 1);
/* add to expected list for this connection */
list_add(&new->expected_list, &related_to->sibling_list);
list_add_tail(&new->expected_list, &related_to->sibling_list);
/* add to global list of expectations */
list_prepend(&ip_conntrack_expect_list, &new->list);
/* add and start timer if required */
if (related_to->helper->timeout) {
......@@ -1005,7 +1002,6 @@ int ip_conntrack_expect_related(struct ip_conntrack_expect *expect,
} else if (related_to->helper->max_expected &&
related_to->expecting >= related_to->helper->max_expected) {
struct list_head *cur_item;
/* old == NULL */
if (!(related_to->helper->flags &
IP_CT_HELPER_F_REUSE_EXPECT)) {
......@@ -1031,21 +1027,14 @@ int ip_conntrack_expect_related(struct ip_conntrack_expect *expect,
NIPQUAD(related_to->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.ip));
/* choose the the oldest expectation to evict */
list_for_each(cur_item, &related_to->sibling_list) {
struct ip_conntrack_expect *cur;
cur = list_entry(cur_item,
struct ip_conntrack_expect,
expected_list);
if (cur->sibling == NULL) {
old = cur;
list_for_each_entry(old, &related_to->sibling_list,
expected_list)
if (old->sibling == NULL)
break;
}
}
/* (!old) cannot happen, since related_to->expecting is the
* number of unconfirmed expects */
IP_NF_ASSERT(old);
/* We cannot fail since related_to->expecting is the number
* of unconfirmed expectations */
IP_NF_ASSERT(old && old->sibling == NULL);
/* newnat14 does not reuse the real allocated memory
* structures but rather unexpects the old and
......
......@@ -503,7 +503,7 @@ static int init_or_cleanup(int init)
if (ret < 0)
goto cleanup_nothing;
proc = proc_net_create("ip_conntrack",0,list_conntracks);
proc = proc_net_create("ip_conntrack", 0440, list_conntracks);
if (!proc) goto cleanup_init;
proc->owner = THIS_MODULE;
......
......@@ -528,6 +528,7 @@ ip_nat_setup_info(struct ip_conntrack *conntrack,
MUST_BE_WRITE_LOCKED(&ip_nat_lock);
IP_NF_ASSERT(hooknum == NF_IP_PRE_ROUTING
|| hooknum == NF_IP_POST_ROUTING
|| hooknum == NF_IP_LOCAL_IN
|| hooknum == NF_IP_LOCAL_OUT);
IP_NF_ASSERT(info->num_manips < IP_NAT_MAX_MANIPS);
IP_NF_ASSERT(!(info->initialized & (1 << HOOK2MANIP(hooknum))));
......@@ -816,7 +817,7 @@ do_bindings(struct ip_conntrack *ct,
/* Have to grab read lock before sibling_list traversal */
READ_LOCK(&ip_conntrack_lock);
list_for_each(cur_item, &ct->sibling_list) {
list_for_each_prev(cur_item, &ct->sibling_list) {
exp = list_entry(cur_item, struct ip_conntrack_expect,
expected_list);
......@@ -899,10 +900,10 @@ icmp_reply_translation(struct sk_buff **pskb,
/* Must be RELATED */
IP_NF_ASSERT((*pskb)->nfct
- (struct ip_conntrack *)(*pskb)->nfct->master
- ((struct ip_conntrack *)(*pskb)->nfct->master)->infos
== IP_CT_RELATED
|| (*pskb)->nfct
- (struct ip_conntrack *)(*pskb)->nfct->master
- ((struct ip_conntrack *)(*pskb)->nfct->master)->infos
== IP_CT_RELATED+IP_CT_IS_REPLY);
/* Redirects on non-null nats must be dropped, else they'll
......
......@@ -1731,6 +1731,15 @@ static inline int print_name(const char *i,
return 0;
}
static inline int print_target(const struct ipt_target *t,
off_t start_offset, char *buffer, int length,
off_t *pos, unsigned int *count)
{
if (t == &ipt_standard_target || t == &ipt_error_target)
return 0;
return print_name((char *)t, start_offset, buffer, length, pos, count);
}
static int ipt_get_tables(char *buffer, char **start, off_t offset, int length)
{
off_t pos = 0;
......@@ -1757,7 +1766,7 @@ static int ipt_get_targets(char *buffer, char **start, off_t offset, int length)
if (down_interruptible(&ipt_mutex) != 0)
return 0;
LIST_FIND(&ipt_target, print_name, void *,
LIST_FIND(&ipt_target, print_target, struct ipt_target *,
offset, buffer, length, &pos, &count);
up(&ipt_mutex);
......
......@@ -54,13 +54,15 @@ checkentry(const char *tablename,
return 0;
}
if (hook_mask & ~(1 << NF_IP_POST_ROUTING)) {
printk(KERN_ERR "CLASSIFY: only valid in POST_ROUTING.\n");
if (hook_mask & ~((1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_FORWARD) |
(1 << NF_IP_POST_ROUTING))) {
printk(KERN_ERR "CLASSIFY: only valid in LOCAL_OUT, FORWARD "
"and POST_ROUTING.\n");
return 0;
}
if (strcmp(tablename, "mangle") != 0) {
printk(KERN_WARNING "CLASSIFY: can only be called from "
printk(KERN_ERR "CLASSIFY: can only be called from "
"\"mangle\" table, not \"%s\".\n",
tablename);
return 0;
......
......@@ -142,12 +142,8 @@ static void send_reset(struct sk_buff *oldskb, int hook)
nskb->dst = &rt->u.dst;
/* This packet will not be the same as the other: clear nf fields */
nf_conntrack_put(nskb->nfct);
nskb->nfct = NULL;
nf_reset(nskb);
nskb->nfcache = 0;
#ifdef CONFIG_NETFILTER_DEBUG
nskb->nf_debug = 0;
#endif
nskb->nfmark = 0;
#ifdef CONFIG_BRIDGE_NETFILTER
nf_bridge_put(nskb->nf_bridge);
......
/*
* iptables module to match inet_addr_type() of an ip.
*
* Copyright (c) 2004 Patrick McHardy <kaber@trash.net>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/netdevice.h>
#include <linux/ip.h>
#include <net/route.h>
#include <linux/netfilter_ipv4/ipt_addrtype.h>
#include <linux/netfilter_ipv4/ip_tables.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
MODULE_DESCRIPTION("iptables addrtype match");
static inline int match_type(u_int32_t addr, u_int16_t mask)
{
return !!(mask & (1 << inet_addr_type(addr)));
}
static int match(const struct sk_buff *skb, const struct net_device *in,
const struct net_device *out, const void *matchinfo,
int offset, int *hotdrop)
{
const struct ipt_addrtype_info *info = matchinfo;
const struct iphdr *iph = skb->nh.iph;
int ret = 1;
if (info->source)
ret &= match_type(iph->saddr, info->source)^info->invert_source;
if (info->dest)
ret &= match_type(iph->daddr, info->dest)^info->invert_dest;
return ret;
}
static int checkentry(const char *tablename, const struct ipt_ip *ip,
void *matchinfo, unsigned int matchsize,
unsigned int hook_mask)
{
if (matchsize != IPT_ALIGN(sizeof(struct ipt_addrtype_info))) {
printk(KERN_ERR "ipt_addrtype: invalid size (%u != %u)\n.",
matchsize, IPT_ALIGN(sizeof(struct ipt_addrtype_info)));
return 0;
}
return 1;
}
static struct ipt_match addrtype_match = {
.name = "addrtype",
.match = match,
.checkentry = checkentry,
.me = THIS_MODULE
};
static int __init init(void)
{
return ipt_register_match(&addrtype_match);
}
static void __exit fini(void)
{
ipt_unregister_match(&addrtype_match);
}
module_init(init);
module_exit(fini);
......@@ -41,17 +41,17 @@ match(const struct sk_buff *skb,
struct ip_conntrack_expect *exp;
struct ip_conntrack *ct;
enum ip_conntrack_info ctinfo;
int ret = 0;
int ret = info->invert;
ct = ip_conntrack_get((struct sk_buff *)skb, &ctinfo);
if (!ct) {
DEBUGP("ipt_helper: Eek! invalid conntrack?\n");
return 0;
return ret;
}
if (!ct->master) {
DEBUGP("ipt_helper: conntrack %p has no master\n", ct);
return 0;
return ret;
}
exp = ct->master;
......@@ -71,8 +71,11 @@ match(const struct sk_buff *skb,
DEBUGP("master's name = %s , info->name = %s\n",
exp->expectant->helper->name, info->name);
ret = !strncmp(exp->expectant->helper->name, info->name,
strlen(exp->expectant->helper->name)) ^ info->invert;
if (info->name[0] == '\0')
ret ^= 1;
else
ret ^= !strncmp(exp->expectant->helper->name, info->name,
strlen(exp->expectant->helper->name));
out_unlock:
READ_UNLOCK(&ip_conntrack_lock);
return ret;
......@@ -92,10 +95,6 @@ static int check(const char *tablename,
if (matchsize != IPT_ALIGN(sizeof(struct ipt_helper_info)))
return 0;
/* verify that we actually should match anything */
if ( strlen(info->name) == 0 )
return 0;
return 1;
}
......@@ -108,7 +107,6 @@ static struct ipt_match helper_match = {
static int __init init(void)
{
need_ip_conntrack();
return ipt_register_match(&helper_match);
}
......
......@@ -184,7 +184,15 @@ checkentry(const char *tablename,
IPT_ALIGN(sizeof(struct ipt_owner_info)));
return 0;
}
#ifdef CONFIG_SMP
/* files->file_lock can not be used in a BH */
if (((struct ipt_owner_info *)matchinfo)->match
& (IPT_OWNER_PID|IPT_OWNER_SID|IPT_OWNER_COMM)) {
printk("ipt_owner: pid, sid and command matching is broken "
"on SMP.\n");
return 0;
}
#endif
return 1;
}
......
/* IP tables module for matching the routing realm
*
* $Id: ipt_realm.c,v 1.3 2004/03/05 13:25:40 laforge Exp $
*
* (C) 2003 by Sampsa Ranta <sampsa@netsonic.fi>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/netdevice.h>
#include <net/route.h>
#include <linux/netfilter_ipv4/ipt_realm.h>
#include <linux/netfilter_ipv4/ip_tables.h>
MODULE_AUTHOR("Sampsa Ranta <sampsa@netsonic.fi>");
MODULE_LICENSE("GPL");
MODULE_DESCRIPTION("iptables realm match");
static int
match(const struct sk_buff *skb,
const struct net_device *in,
const struct net_device *out,
const void *matchinfo,
int offset,
int *hotdrop)
{
const struct ipt_realm_info *info = matchinfo;
struct dst_entry *dst = skb->dst;
return (info->id == (dst->tclassid & info->mask)) ^ info->invert;
}
static int check(const char *tablename,
const struct ipt_ip *ip,
void *matchinfo,
unsigned int matchsize,
unsigned int hook_mask)
{
if (hook_mask
& ~((1 << NF_IP_POST_ROUTING) | (1 << NF_IP_FORWARD) |
(1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_LOCAL_IN))) {
printk("ipt_realm: only valid for POST_ROUTING, LOCAL_OUT, "
"LOCAL_IN or FORWARD.\n");
return 0;
}
if (matchsize != IPT_ALIGN(sizeof(struct ipt_realm_info))) {
printk("ipt_realm: invalid matchsize.\n");
return 0;
}
return 1;
}
static struct ipt_match realm_match = {
.name = "realm",
.match = match,
.checkentry = check,
.me = THIS_MODULE
};
static int __init init(void)
{
return ipt_register_match(&realm_match);
}
static void __exit fini(void)
{
ipt_unregister_match(&realm_match);
}
module_init(init);
module_exit(fini);
......@@ -173,7 +173,9 @@ ipt_local_hook(unsigned int hook,
if (ret != NF_DROP && ret != NF_STOLEN && ret != NF_QUEUE
&& ((*pskb)->nh.iph->saddr != saddr
|| (*pskb)->nh.iph->daddr != daddr
#ifdef CONFIG_IP_ROUTE_FWMARK
|| (*pskb)->nfmark != nfmark
#endif
|| (*pskb)->nh.iph->tos != tos))
return ip_route_me_harder(pskb) == 0 ? ret : NF_DROP;
......
......@@ -32,42 +32,63 @@ static struct
struct ipt_replace repl;
struct ipt_standard entries[2];
struct ipt_error term;
} initial_table __initdata
= { { "raw", RAW_VALID_HOOKS, 3,
sizeof(struct ipt_standard) * 2 + sizeof(struct ipt_error),
{ [NF_IP_PRE_ROUTING] 0,
[NF_IP_LOCAL_OUT] sizeof(struct ipt_standard) },
{ [NF_IP_PRE_ROUTING] 0,
[NF_IP_LOCAL_OUT] sizeof(struct ipt_standard) },
0, NULL, { } },
{
} initial_table __initdata = {
.repl = {
.name = "raw",
.valid_hooks = RAW_VALID_HOOKS,
.num_entries = 3,
.size = sizeof(struct ipt_standard) * 2 + sizeof(struct ipt_error),
.hook_entry = {
[NF_IP_PRE_ROUTING] = 0,
[NF_IP_LOCAL_OUT] = sizeof(struct ipt_standard) },
.underflow = {
[NF_IP_PRE_ROUTING] = 0,
[NF_IP_LOCAL_OUT] = sizeof(struct ipt_standard) },
},
.entries = {
/* PRE_ROUTING */
{ { { { 0 }, { 0 }, { 0 }, { 0 }, "", "", { 0 }, { 0 }, 0, 0, 0 },
0,
sizeof(struct ipt_entry),
sizeof(struct ipt_standard),
0, { 0, 0 }, { } },
{ { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
-NF_ACCEPT - 1 } },
{
.entry = {
.target_offset = sizeof(struct ipt_entry),
.next_offset = sizeof(struct ipt_standard),
},
.target = {
.target = {
.u.target_size = IPT_ALIGN(sizeof(struct ipt_standard_target)),
},
.verdict = -NF_ACCEPT - 1,
},
},
/* LOCAL_OUT */
{ { { { 0 }, { 0 }, { 0 }, { 0 }, "", "", { 0 }, { 0 }, 0, 0, 0 },
0,
sizeof(struct ipt_entry),
sizeof(struct ipt_standard),
0, { 0, 0 }, { } },
{ { { { IPT_ALIGN(sizeof(struct ipt_standard_target)), "" } }, { } },
-NF_ACCEPT - 1 } }
{
.entry = {
.target_offset = sizeof(struct ipt_entry),
.next_offset = sizeof(struct ipt_standard),
},
.target = {
.target = {
.u.target_size = IPT_ALIGN(sizeof(struct ipt_standard_target)),
},
.verdict = -NF_ACCEPT - 1,
},
},
},
/* ERROR */
{ { { { 0 }, { 0 }, { 0 }, { 0 }, "", "", { 0 }, { 0 }, 0, 0, 0 },
0,
sizeof(struct ipt_entry),
sizeof(struct ipt_error),
0, { 0, 0 }, { } },
{ { { { IPT_ALIGN(sizeof(struct ipt_error_target)), IPT_ERROR_TARGET } },
{ } },
"ERROR"
}
.term = {
.entry = {
.target_offset = sizeof(struct ipt_entry),
.next_offset = sizeof(struct ipt_error),
},
.target = {
.target = {
.u.user = {
.target_size = IPT_ALIGN(sizeof(struct ipt_error_target)),
.name = IPT_ERROR_TARGET,
},
},
.errorname = "ERROR",
},
}
};
......
......@@ -722,13 +722,7 @@ ip6ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
ipv6h->nexthdr = proto;
ipv6_addr_copy(&ipv6h->saddr, &fl.fl6_src);
ipv6_addr_copy(&ipv6h->daddr, &fl.fl6_dst);
#ifdef CONFIG_NETFILTER
nf_conntrack_put(skb->nfct);
skb->nfct = NULL;
#ifdef CONFIG_NETFILTER_DEBUG
skb->nf_debug = 0;
#endif
#endif
nf_reset(skb);
pkt_len = skb->len;
err = NF_HOOK(PF_INET6, NF_IP6_LOCAL_OUT, skb, NULL,
skb->dst->dev, dst_output);
......
......@@ -1845,6 +1845,15 @@ static inline int print_name(const char *i,
return 0;
}
static inline int print_target(const struct ip6t_target *t,
off_t start_offset, char *buffer, int length,
off_t *pos, unsigned int *count)
{
if (t == &ip6t_standard_target || t == &ip6t_error_target)
return 0;
return print_name((char *)t, start_offset, buffer, length, pos, count);
}
static int ip6t_get_tables(char *buffer, char **start, off_t offset, int length)
{
off_t pos = 0;
......@@ -1871,7 +1880,7 @@ static int ip6t_get_targets(char *buffer, char **start, off_t offset, int length
if (down_interruptible(&ip6t_mutex) != 0)
return 0;
LIST_FIND(&ip6t_target, print_name, char *,
LIST_FIND(&ip6t_target, print_target, struct ip6t_target *,
offset, buffer, length, &pos, &count);
up(&ip6t_mutex);
......
......@@ -143,7 +143,14 @@ checkentry(const char *tablename,
if (matchsize != IP6T_ALIGN(sizeof(struct ip6t_owner_info)))
return 0;
#ifdef CONFIG_SMP
/* files->file_lock can not be used in a BH */
if (((struct ip6t_owner_info *)matchinfo)->match
& (IP6T_OWNER_PID|IP6T_OWNER_SID)) {
printk("ip6t_owner: pid and sid matching is broken on SMP.\n");
return 0;
}
#endif
return 1;
}
......
......@@ -388,13 +388,7 @@ static int ipip6_rcv(struct sk_buff *skb)
skb->dev = tunnel->dev;
dst_release(skb->dst);
skb->dst = NULL;
#ifdef CONFIG_NETFILTER
nf_conntrack_put(skb->nfct);
skb->nfct = NULL;
#ifdef CONFIG_NETFILTER_DEBUG
skb->nf_debug = 0;
#endif
#endif
nf_reset(skb);
ipip6_ecn_decapsulate(iph, skb);
netif_rx(skb);
read_unlock(&ipip6_lock);
......@@ -580,13 +574,7 @@ static int ipip6_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
if ((iph->ttl = tiph->ttl) == 0)
iph->ttl = iph6->hop_limit;
#ifdef CONFIG_NETFILTER
nf_conntrack_put(skb->nfct);
skb->nfct = NULL;
#ifdef CONFIG_NETFILTER_DEBUG
skb->nf_debug = 0;
#endif
#endif
nf_reset(skb);
IPTUNNEL_XMIT();
tunnel->recursion--;
......
......@@ -242,6 +242,7 @@ config NET_CLS_TCINDEX
config NET_CLS_ROUTE4
tristate "Routing table based classifier"
depends on NET_CLS
select NET_CLS_ROUTE
help
If you say Y here, you will be able to classify outgoing packets
according to the route table entry they matched. If unsure, say Y.
......@@ -251,8 +252,7 @@ config NET_CLS_ROUTE4
config NET_CLS_ROUTE
bool
depends on NET_CLS_ROUTE4
default y
default n
config NET_CLS_FW
tristate "Firewall based classifier"
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment