Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
L
linux
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Kirill Smelkov
linux
Commits
35fdc2d8
Commit
35fdc2d8
authored
Jun 22, 2004
by
David S. Miller
Browse files
Options
Browse Files
Download
Plain Diff
Merge davem@nuts.davemloft.net:/disk1/BK/nf-2.6
into kernel.bkbits.net:/home/davem/nf-2.6
parents
3e13e3b2
41d63bb6
Changes
28
Show whitespace changes
Inline
Side-by-side
Showing
28 changed files
with
353 additions
and
157 deletions
+353
-157
include/linux/netfilter_ipv4/ip_conntrack.h
include/linux/netfilter_ipv4/ip_conntrack.h
+1
-1
include/linux/netfilter_ipv4/ipt_addrtype.h
include/linux/netfilter_ipv4/ipt_addrtype.h
+11
-0
include/linux/netfilter_ipv4/ipt_realm.h
include/linux/netfilter_ipv4/ipt_realm.h
+10
-0
include/linux/skbuff.h
include/linux/skbuff.h
+12
-3
net/ipv4/ip_gre.c
net/ipv4/ip_gre.c
+2
-14
net/ipv4/ip_input.c
net/ipv4/ip_input.c
+1
-5
net/ipv4/ipip.c
net/ipv4/ipip.c
+2
-14
net/ipv4/ipmr.c
net/ipv4/ipmr.c
+3
-12
net/ipv4/netfilter/Kconfig
net/ipv4/netfilter/Kconfig
+24
-0
net/ipv4/netfilter/Makefile
net/ipv4/netfilter/Makefile
+2
-0
net/ipv4/netfilter/ip_conntrack_amanda.c
net/ipv4/netfilter/ip_conntrack_amanda.c
+1
-1
net/ipv4/netfilter/ip_conntrack_core.c
net/ipv4/netfilter/ip_conntrack_core.c
+8
-19
net/ipv4/netfilter/ip_conntrack_standalone.c
net/ipv4/netfilter/ip_conntrack_standalone.c
+1
-1
net/ipv4/netfilter/ip_nat_core.c
net/ipv4/netfilter/ip_nat_core.c
+4
-3
net/ipv4/netfilter/ip_tables.c
net/ipv4/netfilter/ip_tables.c
+10
-1
net/ipv4/netfilter/ipt_CLASSIFY.c
net/ipv4/netfilter/ipt_CLASSIFY.c
+7
-5
net/ipv4/netfilter/ipt_REJECT.c
net/ipv4/netfilter/ipt_REJECT.c
+1
-5
net/ipv4/netfilter/ipt_addrtype.c
net/ipv4/netfilter/ipt_addrtype.c
+77
-0
net/ipv4/netfilter/ipt_helper.c
net/ipv4/netfilter/ipt_helper.c
+8
-10
net/ipv4/netfilter/ipt_owner.c
net/ipv4/netfilter/ipt_owner.c
+9
-1
net/ipv4/netfilter/ipt_realm.c
net/ipv4/netfilter/ipt_realm.c
+76
-0
net/ipv4/netfilter/iptable_mangle.c
net/ipv4/netfilter/iptable_mangle.c
+2
-0
net/ipv4/netfilter/iptable_raw.c
net/ipv4/netfilter/iptable_raw.c
+58
-37
net/ipv6/ip6_tunnel.c
net/ipv6/ip6_tunnel.c
+1
-7
net/ipv6/netfilter/ip6_tables.c
net/ipv6/netfilter/ip6_tables.c
+10
-1
net/ipv6/netfilter/ip6t_owner.c
net/ipv6/netfilter/ip6t_owner.c
+8
-1
net/ipv6/sit.c
net/ipv6/sit.c
+2
-14
net/sched/Kconfig
net/sched/Kconfig
+2
-2
No files found.
include/linux/netfilter_ipv4/ip_conntrack.h
View file @
35fdc2d8
...
...
@@ -103,7 +103,7 @@ union ip_conntrack_nat_help {
#include <linux/types.h>
#include <linux/skbuff.h>
#ifdef CONFIG_N
F
_DEBUG
#ifdef CONFIG_N
ETFILTER
_DEBUG
#define IP_NF_ASSERT(x) \
do { \
if (!(x)) \
...
...
include/linux/netfilter_ipv4/ipt_addrtype.h
0 → 100644
View file @
35fdc2d8
#ifndef _IPT_ADDRTYPE_H
#define _IPT_ADDRTYPE_H
struct
ipt_addrtype_info
{
u_int16_t
source
;
/* source-type mask */
u_int16_t
dest
;
/* dest-type mask */
u_int32_t
invert_source
;
u_int32_t
invert_dest
;
};
#endif
include/linux/netfilter_ipv4/ipt_realm.h
0 → 100644
View file @
35fdc2d8
#ifndef _IPT_REALM_H
#define _IPT_REALM_H
struct
ipt_realm_info
{
u_int32_t
id
;
u_int32_t
mask
;
u_int8_t
invert
;
};
#endif
/* _IPT_REALM_H */
include/linux/skbuff.h
View file @
35fdc2d8
...
...
@@ -1109,6 +1109,14 @@ static inline void nf_conntrack_get(struct nf_ct_info *nfct)
if
(
nfct
)
atomic_inc
(
&
nfct
->
master
->
use
);
}
static
inline
void
nf_reset
(
struct
sk_buff
*
skb
)
{
nf_conntrack_put
(
skb
->
nfct
);
skb
->
nfct
=
NULL
;
#ifdef CONFIG_NETFILTER_DEBUG
skb
->
nf_debug
=
0
;
#endif
}
#ifdef CONFIG_BRIDGE_NETFILTER
static
inline
void
nf_bridge_put
(
struct
nf_bridge_info
*
nf_bridge
)
...
...
@@ -1121,9 +1129,10 @@ static inline void nf_bridge_get(struct nf_bridge_info *nf_bridge)
if
(
nf_bridge
)
atomic_inc
(
&
nf_bridge
->
use
);
}
#endif
#endif
#endif
/* CONFIG_BRIDGE_NETFILTER */
#else
/* CONFIG_NETFILTER */
static
inline
void
nf_reset
(
struct
sk_buff
*
skb
)
{}
#endif
/* CONFIG_NETFILTER */
#endif
/* __KERNEL__ */
#endif
/* _LINUX_SKBUFF_H */
net/ipv4/ip_gre.c
View file @
35fdc2d8
...
...
@@ -643,13 +643,7 @@ int ipgre_rcv(struct sk_buff *skb)
skb
->
dev
=
tunnel
->
dev
;
dst_release
(
skb
->
dst
);
skb
->
dst
=
NULL
;
#ifdef CONFIG_NETFILTER
nf_conntrack_put
(
skb
->
nfct
);
skb
->
nfct
=
NULL
;
#ifdef CONFIG_NETFILTER_DEBUG
skb
->
nf_debug
=
0
;
#endif
#endif
nf_reset
(
skb
);
ipgre_ecn_decapsulate
(
iph
,
skb
);
netif_rx
(
skb
);
read_unlock
(
&
ipgre_lock
);
...
...
@@ -877,13 +871,7 @@ static int ipgre_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
}
}
#ifdef CONFIG_NETFILTER
nf_conntrack_put
(
skb
->
nfct
);
skb
->
nfct
=
NULL
;
#ifdef CONFIG_NETFILTER_DEBUG
skb
->
nf_debug
=
0
;
#endif
#endif
nf_reset
(
skb
);
IPTUNNEL_XMIT
();
tunnel
->
recursion
--
;
...
...
net/ipv4/ip_input.c
View file @
35fdc2d8
...
...
@@ -202,17 +202,13 @@ static inline int ip_local_deliver_finish(struct sk_buff *skb)
#ifdef CONFIG_NETFILTER_DEBUG
nf_debug_ip_local_deliver
(
skb
);
skb
->
nf_debug
=
0
;
#endif
/*CONFIG_NETFILTER_DEBUG*/
__skb_pull
(
skb
,
ihl
);
#ifdef CONFIG_NETFILTER
/* Free reference early: we don't need it any more, and it may
hold ip_conntrack module loaded indefinitely. */
nf_conntrack_put
(
skb
->
nfct
);
skb
->
nfct
=
NULL
;
#endif
/*CONFIG_NETFILTER*/
nf_reset
(
skb
);
/* Point into the IP datagram, just past the header. */
skb
->
h
.
raw
=
skb
->
data
;
...
...
net/ipv4/ipip.c
View file @
35fdc2d8
...
...
@@ -497,13 +497,7 @@ static int ipip_rcv(struct sk_buff *skb)
skb
->
dev
=
tunnel
->
dev
;
dst_release
(
skb
->
dst
);
skb
->
dst
=
NULL
;
#ifdef CONFIG_NETFILTER
nf_conntrack_put
(
skb
->
nfct
);
skb
->
nfct
=
NULL
;
#ifdef CONFIG_NETFILTER_DEBUG
skb
->
nf_debug
=
0
;
#endif
#endif
nf_reset
(
skb
);
ipip_ecn_decapsulate
(
iph
,
skb
);
netif_rx
(
skb
);
read_unlock
(
&
ipip_lock
);
...
...
@@ -648,13 +642,7 @@ static int ipip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
if
((
iph
->
ttl
=
tiph
->
ttl
)
==
0
)
iph
->
ttl
=
old_iph
->
ttl
;
#ifdef CONFIG_NETFILTER
nf_conntrack_put
(
skb
->
nfct
);
skb
->
nfct
=
NULL
;
#ifdef CONFIG_NETFILTER_DEBUG
skb
->
nf_debug
=
0
;
#endif
#endif
nf_reset
(
skb
);
IPTUNNEL_XMIT
();
tunnel
->
recursion
--
;
...
...
net/ipv4/ipmr.c
View file @
35fdc2d8
...
...
@@ -1105,10 +1105,7 @@ static void ip_encap(struct sk_buff *skb, u32 saddr, u32 daddr)
skb
->
h
.
ipiph
=
skb
->
nh
.
iph
;
skb
->
nh
.
iph
=
iph
;
memset
(
&
(
IPCB
(
skb
)
->
opt
),
0
,
sizeof
(
IPCB
(
skb
)
->
opt
));
#ifdef CONFIG_NETFILTER
nf_conntrack_put
(
skb
->
nfct
);
skb
->
nfct
=
NULL
;
#endif
nf_reset
(
skb
);
}
static
inline
int
ipmr_forward_finish
(
struct
sk_buff
*
skb
)
...
...
@@ -1461,10 +1458,7 @@ int pim_rcv_v1(struct sk_buff * skb)
skb
->
dst
=
NULL
;
((
struct
net_device_stats
*
)
reg_dev
->
priv
)
->
rx_bytes
+=
skb
->
len
;
((
struct
net_device_stats
*
)
reg_dev
->
priv
)
->
rx_packets
++
;
#ifdef CONFIG_NETFILTER
nf_conntrack_put
(
skb
->
nfct
);
skb
->
nfct
=
NULL
;
#endif
nf_reset
(
skb
);
netif_rx
(
skb
);
dev_put
(
reg_dev
);
return
0
;
...
...
@@ -1520,10 +1514,7 @@ static int pim_rcv(struct sk_buff * skb)
((
struct
net_device_stats
*
)
reg_dev
->
priv
)
->
rx_bytes
+=
skb
->
len
;
((
struct
net_device_stats
*
)
reg_dev
->
priv
)
->
rx_packets
++
;
skb
->
dst
=
NULL
;
#ifdef CONFIG_NETFILTER
nf_conntrack_put
(
skb
->
nfct
);
skb
->
nfct
=
NULL
;
#endif
nf_reset
(
skb
);
netif_rx
(
skb
);
dev_put
(
reg_dev
);
return
0
;
...
...
net/ipv4/netfilter/Kconfig
View file @
35fdc2d8
...
...
@@ -603,5 +603,29 @@ config IP_NF_RAW
<file:Documentation/modules.txt>. If unsure, say `N'.
help
config IP_NF_MATCH_ADDRTYPE
tristate 'address type match support'
depends on IP_NF_IPTABLES
help
This option allows you to match what routing thinks of an address,
eg. UNICAST, LOCAL, BROADCAST, ...
If you want to compile it as a module, say M here and read
Documentation/modules.txt. If unsure, say `N'.
config IP_NF_MATCH_REALM
tristate 'realm match support'
depends on IP_NF_IPTABLES
select NET_CLS_ROUTE
help
This option adds a `realm' match, which allows you to use the realm
key from the routing subsytem inside iptables.
This match pretty much resembles the CONFIG_NET_CLS_ROUTE4 option
in tc world.
If you want to compile it as a module, say M here and read
Documentation/modules.txt. If unsure, say `N'.
endmenu
net/ipv4/netfilter/Makefile
View file @
35fdc2d8
...
...
@@ -64,6 +64,8 @@ obj-$(CONFIG_IP_NF_MATCH_TTL) += ipt_ttl.o
obj-$(CONFIG_IP_NF_MATCH_STATE)
+=
ipt_state.o
obj-$(CONFIG_IP_NF_MATCH_CONNTRACK)
+=
ipt_conntrack.o
obj-$(CONFIG_IP_NF_MATCH_TCPMSS)
+=
ipt_tcpmss.o
obj-$(CONFIG_IP_NF_MATCH_REALM)
+=
ipt_realm.o
obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE)
+=
ipt_addrtype.o
obj-$(CONFIG_IP_NF_MATCH_PHYSDEV)
+=
ipt_physdev.o
...
...
net/ipv4/netfilter/ip_conntrack_amanda.c
View file @
35fdc2d8
...
...
@@ -107,7 +107,7 @@ static int help(struct sk_buff *skb,
exp
->
mask
.
dst
.
u
.
tcp
.
port
=
0xFFFF
;
exp_amanda_info
=
&
exp
->
help
.
exp_amanda_info
;
exp_amanda_info
->
offset
=
data
-
amanda_buffer
;
exp_amanda_info
->
offset
=
tmp
-
amanda_buffer
;
exp_amanda_info
->
port
=
port
;
exp_amanda_info
->
len
=
len
;
...
...
net/ipv4/netfilter/ip_conntrack_core.c
View file @
35fdc2d8
...
...
@@ -174,13 +174,12 @@ static void
destroy_expect
(
struct
ip_conntrack_expect
*
exp
)
{
DEBUGP
(
"destroy_expect(%p) use=%d
\n
"
,
exp
,
atomic_read
(
&
exp
->
use
));
IP_NF_ASSERT
(
atomic_read
(
&
exp
->
use
));
IP_NF_ASSERT
(
atomic_read
(
&
exp
->
use
)
==
0
);
IP_NF_ASSERT
(
!
timer_pending
(
&
exp
->
timeout
));
kfree
(
exp
);
}
inline
void
ip_conntrack_expect_put
(
struct
ip_conntrack_expect
*
exp
)
{
IP_NF_ASSERT
(
exp
);
...
...
@@ -716,7 +715,6 @@ init_conntrack(const struct ip_conntrack_tuple *tuple,
DEBUGP
(
"conntrack: expectation arrives ct=%p exp=%p
\n
"
,
conntrack
,
expected
);
/* Welcome, Mr. Bond. We've been expecting you... */
IP_NF_ASSERT
(
master_ct
(
conntrack
));
__set_bit
(
IPS_EXPECTED_BIT
,
&
conntrack
->
status
);
conntrack
->
master
=
expected
;
expected
->
sibling
=
conntrack
;
...
...
@@ -949,9 +947,8 @@ ip_conntrack_expect_insert(struct ip_conntrack_expect *new,
atomic_set
(
&
new
->
use
,
1
);
/* add to expected list for this connection */
list_add
(
&
new
->
expected_list
,
&
related_to
->
sibling_list
);
list_add
_tail
(
&
new
->
expected_list
,
&
related_to
->
sibling_list
);
/* add to global list of expectations */
list_prepend
(
&
ip_conntrack_expect_list
,
&
new
->
list
);
/* add and start timer if required */
if
(
related_to
->
helper
->
timeout
)
{
...
...
@@ -1005,7 +1002,6 @@ int ip_conntrack_expect_related(struct ip_conntrack_expect *expect,
}
else
if
(
related_to
->
helper
->
max_expected
&&
related_to
->
expecting
>=
related_to
->
helper
->
max_expected
)
{
struct
list_head
*
cur_item
;
/* old == NULL */
if
(
!
(
related_to
->
helper
->
flags
&
IP_CT_HELPER_F_REUSE_EXPECT
))
{
...
...
@@ -1031,21 +1027,14 @@ int ip_conntrack_expect_related(struct ip_conntrack_expect *expect,
NIPQUAD
(
related_to
->
tuplehash
[
IP_CT_DIR_ORIGINAL
].
tuple
.
dst
.
ip
));
/* choose the the oldest expectation to evict */
list_for_each
(
cur_item
,
&
related_to
->
sibling_list
)
{
struct
ip_conntrack_expect
*
cur
;
cur
=
list_entry
(
cur_item
,
struct
ip_conntrack_expect
,
expected_list
);
if
(
cur
->
sibling
==
NULL
)
{
old
=
cur
;
list_for_each_entry
(
old
,
&
related_to
->
sibling_list
,
expected_list
)
if
(
old
->
sibling
==
NULL
)
break
;
}
}
/*
(!old) cannot happen, since related_to->expecting is the
*
number of unconfirmed expect
s */
IP_NF_ASSERT
(
old
);
/*
We cannot fail since related_to->expecting is the number
*
of unconfirmed expectation
s */
IP_NF_ASSERT
(
old
&&
old
->
sibling
==
NULL
);
/* newnat14 does not reuse the real allocated memory
* structures but rather unexpects the old and
...
...
net/ipv4/netfilter/ip_conntrack_standalone.c
View file @
35fdc2d8
...
...
@@ -503,7 +503,7 @@ static int init_or_cleanup(int init)
if
(
ret
<
0
)
goto
cleanup_nothing
;
proc
=
proc_net_create
(
"ip_conntrack"
,
0
,
list_conntracks
);
proc
=
proc_net_create
(
"ip_conntrack"
,
0440
,
list_conntracks
);
if
(
!
proc
)
goto
cleanup_init
;
proc
->
owner
=
THIS_MODULE
;
...
...
net/ipv4/netfilter/ip_nat_core.c
View file @
35fdc2d8
...
...
@@ -528,6 +528,7 @@ ip_nat_setup_info(struct ip_conntrack *conntrack,
MUST_BE_WRITE_LOCKED
(
&
ip_nat_lock
);
IP_NF_ASSERT
(
hooknum
==
NF_IP_PRE_ROUTING
||
hooknum
==
NF_IP_POST_ROUTING
||
hooknum
==
NF_IP_LOCAL_IN
||
hooknum
==
NF_IP_LOCAL_OUT
);
IP_NF_ASSERT
(
info
->
num_manips
<
IP_NAT_MAX_MANIPS
);
IP_NF_ASSERT
(
!
(
info
->
initialized
&
(
1
<<
HOOK2MANIP
(
hooknum
))));
...
...
@@ -816,7 +817,7 @@ do_bindings(struct ip_conntrack *ct,
/* Have to grab read lock before sibling_list traversal */
READ_LOCK
(
&
ip_conntrack_lock
);
list_for_each
(
cur_item
,
&
ct
->
sibling_list
)
{
list_for_each
_prev
(
cur_item
,
&
ct
->
sibling_list
)
{
exp
=
list_entry
(
cur_item
,
struct
ip_conntrack_expect
,
expected_list
);
...
...
@@ -899,10 +900,10 @@ icmp_reply_translation(struct sk_buff **pskb,
/* Must be RELATED */
IP_NF_ASSERT
((
*
pskb
)
->
nfct
-
(
struct
ip_conntrack
*
)(
*
pskb
)
->
nfct
->
master
-
(
(
struct
ip_conntrack
*
)(
*
pskb
)
->
nfct
->
master
)
->
infos
==
IP_CT_RELATED
||
(
*
pskb
)
->
nfct
-
(
struct
ip_conntrack
*
)(
*
pskb
)
->
nfct
->
master
-
(
(
struct
ip_conntrack
*
)(
*
pskb
)
->
nfct
->
master
)
->
infos
==
IP_CT_RELATED
+
IP_CT_IS_REPLY
);
/* Redirects on non-null nats must be dropped, else they'll
...
...
net/ipv4/netfilter/ip_tables.c
View file @
35fdc2d8
...
...
@@ -1731,6 +1731,15 @@ static inline int print_name(const char *i,
return
0
;
}
static
inline
int
print_target
(
const
struct
ipt_target
*
t
,
off_t
start_offset
,
char
*
buffer
,
int
length
,
off_t
*
pos
,
unsigned
int
*
count
)
{
if
(
t
==
&
ipt_standard_target
||
t
==
&
ipt_error_target
)
return
0
;
return
print_name
((
char
*
)
t
,
start_offset
,
buffer
,
length
,
pos
,
count
);
}
static
int
ipt_get_tables
(
char
*
buffer
,
char
**
start
,
off_t
offset
,
int
length
)
{
off_t
pos
=
0
;
...
...
@@ -1757,7 +1766,7 @@ static int ipt_get_targets(char *buffer, char **start, off_t offset, int length)
if
(
down_interruptible
(
&
ipt_mutex
)
!=
0
)
return
0
;
LIST_FIND
(
&
ipt_target
,
print_
name
,
void
*
,
LIST_FIND
(
&
ipt_target
,
print_
target
,
struct
ipt_target
*
,
offset
,
buffer
,
length
,
&
pos
,
&
count
);
up
(
&
ipt_mutex
);
...
...
net/ipv4/netfilter/ipt_CLASSIFY.c
View file @
35fdc2d8
...
...
@@ -54,13 +54,15 @@ checkentry(const char *tablename,
return
0
;
}
if
(
hook_mask
&
~
(
1
<<
NF_IP_POST_ROUTING
))
{
printk
(
KERN_ERR
"CLASSIFY: only valid in POST_ROUTING.
\n
"
);
if
(
hook_mask
&
~
((
1
<<
NF_IP_LOCAL_OUT
)
|
(
1
<<
NF_IP_FORWARD
)
|
(
1
<<
NF_IP_POST_ROUTING
)))
{
printk
(
KERN_ERR
"CLASSIFY: only valid in LOCAL_OUT, FORWARD "
"and POST_ROUTING.
\n
"
);
return
0
;
}
if
(
strcmp
(
tablename
,
"mangle"
)
!=
0
)
{
printk
(
KERN_
WARNING
"CLASSIFY: can only be called from "
printk
(
KERN_
ERR
"CLASSIFY: can only be called from "
"
\"
mangle
\"
table, not
\"
%s
\"
.
\n
"
,
tablename
);
return
0
;
...
...
net/ipv4/netfilter/ipt_REJECT.c
View file @
35fdc2d8
...
...
@@ -142,12 +142,8 @@ static void send_reset(struct sk_buff *oldskb, int hook)
nskb
->
dst
=
&
rt
->
u
.
dst
;
/* This packet will not be the same as the other: clear nf fields */
nf_conntrack_put
(
nskb
->
nfct
);
nskb
->
nfct
=
NULL
;
nf_reset
(
nskb
);
nskb
->
nfcache
=
0
;
#ifdef CONFIG_NETFILTER_DEBUG
nskb
->
nf_debug
=
0
;
#endif
nskb
->
nfmark
=
0
;
#ifdef CONFIG_BRIDGE_NETFILTER
nf_bridge_put
(
nskb
->
nf_bridge
);
...
...
net/ipv4/netfilter/ipt_addrtype.c
0 → 100644
View file @
35fdc2d8
/*
* iptables module to match inet_addr_type() of an ip.
*
* Copyright (c) 2004 Patrick McHardy <kaber@trash.net>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
#include <linux/kernel.h>
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/netdevice.h>
#include <linux/ip.h>
#include <net/route.h>
#include <linux/netfilter_ipv4/ipt_addrtype.h>
#include <linux/netfilter_ipv4/ip_tables.h>
MODULE_LICENSE
(
"GPL"
);
MODULE_AUTHOR
(
"Patrick McHardy <kaber@trash.net>"
);
MODULE_DESCRIPTION
(
"iptables addrtype match"
);
static
inline
int
match_type
(
u_int32_t
addr
,
u_int16_t
mask
)
{
return
!!
(
mask
&
(
1
<<
inet_addr_type
(
addr
)));
}
static
int
match
(
const
struct
sk_buff
*
skb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
const
void
*
matchinfo
,
int
offset
,
int
*
hotdrop
)
{
const
struct
ipt_addrtype_info
*
info
=
matchinfo
;
const
struct
iphdr
*
iph
=
skb
->
nh
.
iph
;
int
ret
=
1
;
if
(
info
->
source
)
ret
&=
match_type
(
iph
->
saddr
,
info
->
source
)
^
info
->
invert_source
;
if
(
info
->
dest
)
ret
&=
match_type
(
iph
->
daddr
,
info
->
dest
)
^
info
->
invert_dest
;
return
ret
;
}
static
int
checkentry
(
const
char
*
tablename
,
const
struct
ipt_ip
*
ip
,
void
*
matchinfo
,
unsigned
int
matchsize
,
unsigned
int
hook_mask
)
{
if
(
matchsize
!=
IPT_ALIGN
(
sizeof
(
struct
ipt_addrtype_info
)))
{
printk
(
KERN_ERR
"ipt_addrtype: invalid size (%u != %u)
\n
."
,
matchsize
,
IPT_ALIGN
(
sizeof
(
struct
ipt_addrtype_info
)));
return
0
;
}
return
1
;
}
static
struct
ipt_match
addrtype_match
=
{
.
name
=
"addrtype"
,
.
match
=
match
,
.
checkentry
=
checkentry
,
.
me
=
THIS_MODULE
};
static
int
__init
init
(
void
)
{
return
ipt_register_match
(
&
addrtype_match
);
}
static
void
__exit
fini
(
void
)
{
ipt_unregister_match
(
&
addrtype_match
);
}
module_init
(
init
);
module_exit
(
fini
);
net/ipv4/netfilter/ipt_helper.c
View file @
35fdc2d8
...
...
@@ -41,17 +41,17 @@ match(const struct sk_buff *skb,
struct
ip_conntrack_expect
*
exp
;
struct
ip_conntrack
*
ct
;
enum
ip_conntrack_info
ctinfo
;
int
ret
=
0
;
int
ret
=
info
->
invert
;
ct
=
ip_conntrack_get
((
struct
sk_buff
*
)
skb
,
&
ctinfo
);
if
(
!
ct
)
{
DEBUGP
(
"ipt_helper: Eek! invalid conntrack?
\n
"
);
return
0
;
return
ret
;
}
if
(
!
ct
->
master
)
{
DEBUGP
(
"ipt_helper: conntrack %p has no master
\n
"
,
ct
);
return
0
;
return
ret
;
}
exp
=
ct
->
master
;
...
...
@@ -71,8 +71,11 @@ match(const struct sk_buff *skb,
DEBUGP
(
"master's name = %s , info->name = %s
\n
"
,
exp
->
expectant
->
helper
->
name
,
info
->
name
);
ret
=
!
strncmp
(
exp
->
expectant
->
helper
->
name
,
info
->
name
,
strlen
(
exp
->
expectant
->
helper
->
name
))
^
info
->
invert
;
if
(
info
->
name
[
0
]
==
'\0'
)
ret
^=
1
;
else
ret
^=
!
strncmp
(
exp
->
expectant
->
helper
->
name
,
info
->
name
,
strlen
(
exp
->
expectant
->
helper
->
name
));
out_unlock:
READ_UNLOCK
(
&
ip_conntrack_lock
);
return
ret
;
...
...
@@ -92,10 +95,6 @@ static int check(const char *tablename,
if
(
matchsize
!=
IPT_ALIGN
(
sizeof
(
struct
ipt_helper_info
)))
return
0
;
/* verify that we actually should match anything */
if
(
strlen
(
info
->
name
)
==
0
)
return
0
;
return
1
;
}
...
...
@@ -108,7 +107,6 @@ static struct ipt_match helper_match = {
static
int
__init
init
(
void
)
{
need_ip_conntrack
();
return
ipt_register_match
(
&
helper_match
);
}
...
...
net/ipv4/netfilter/ipt_owner.c
View file @
35fdc2d8
...
...
@@ -184,7 +184,15 @@ checkentry(const char *tablename,
IPT_ALIGN
(
sizeof
(
struct
ipt_owner_info
)));
return
0
;
}
#ifdef CONFIG_SMP
/* files->file_lock can not be used in a BH */
if
(((
struct
ipt_owner_info
*
)
matchinfo
)
->
match
&
(
IPT_OWNER_PID
|
IPT_OWNER_SID
|
IPT_OWNER_COMM
))
{
printk
(
"ipt_owner: pid, sid and command matching is broken "
"on SMP.
\n
"
);
return
0
;
}
#endif
return
1
;
}
...
...
net/ipv4/netfilter/ipt_realm.c
0 → 100644
View file @
35fdc2d8
/* IP tables module for matching the routing realm
*
* $Id: ipt_realm.c,v 1.3 2004/03/05 13:25:40 laforge Exp $
*
* (C) 2003 by Sampsa Ranta <sampsa@netsonic.fi>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/netdevice.h>
#include <net/route.h>
#include <linux/netfilter_ipv4/ipt_realm.h>
#include <linux/netfilter_ipv4/ip_tables.h>
MODULE_AUTHOR
(
"Sampsa Ranta <sampsa@netsonic.fi>"
);
MODULE_LICENSE
(
"GPL"
);
MODULE_DESCRIPTION
(
"iptables realm match"
);
static
int
match
(
const
struct
sk_buff
*
skb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
const
void
*
matchinfo
,
int
offset
,
int
*
hotdrop
)
{
const
struct
ipt_realm_info
*
info
=
matchinfo
;
struct
dst_entry
*
dst
=
skb
->
dst
;
return
(
info
->
id
==
(
dst
->
tclassid
&
info
->
mask
))
^
info
->
invert
;
}
static
int
check
(
const
char
*
tablename
,
const
struct
ipt_ip
*
ip
,
void
*
matchinfo
,
unsigned
int
matchsize
,
unsigned
int
hook_mask
)
{
if
(
hook_mask
&
~
((
1
<<
NF_IP_POST_ROUTING
)
|
(
1
<<
NF_IP_FORWARD
)
|
(
1
<<
NF_IP_LOCAL_OUT
)
|
(
1
<<
NF_IP_LOCAL_IN
)))
{
printk
(
"ipt_realm: only valid for POST_ROUTING, LOCAL_OUT, "
"LOCAL_IN or FORWARD.
\n
"
);
return
0
;
}
if
(
matchsize
!=
IPT_ALIGN
(
sizeof
(
struct
ipt_realm_info
)))
{
printk
(
"ipt_realm: invalid matchsize.
\n
"
);
return
0
;
}
return
1
;
}
static
struct
ipt_match
realm_match
=
{
.
name
=
"realm"
,
.
match
=
match
,
.
checkentry
=
check
,
.
me
=
THIS_MODULE
};
static
int
__init
init
(
void
)
{
return
ipt_register_match
(
&
realm_match
);
}
static
void
__exit
fini
(
void
)
{
ipt_unregister_match
(
&
realm_match
);
}
module_init
(
init
);
module_exit
(
fini
);
net/ipv4/netfilter/iptable_mangle.c
View file @
35fdc2d8
...
...
@@ -173,7 +173,9 @@ ipt_local_hook(unsigned int hook,
if
(
ret
!=
NF_DROP
&&
ret
!=
NF_STOLEN
&&
ret
!=
NF_QUEUE
&&
((
*
pskb
)
->
nh
.
iph
->
saddr
!=
saddr
||
(
*
pskb
)
->
nh
.
iph
->
daddr
!=
daddr
#ifdef CONFIG_IP_ROUTE_FWMARK
||
(
*
pskb
)
->
nfmark
!=
nfmark
#endif
||
(
*
pskb
)
->
nh
.
iph
->
tos
!=
tos
))
return
ip_route_me_harder
(
pskb
)
==
0
?
ret
:
NF_DROP
;
...
...
net/ipv4/netfilter/iptable_raw.c
View file @
35fdc2d8
...
...
@@ -32,42 +32,63 @@ static struct
struct
ipt_replace
repl
;
struct
ipt_standard
entries
[
2
];
struct
ipt_error
term
;
}
initial_table
__initdata
=
{
{
"raw"
,
RAW_VALID_HOOKS
,
3
,
sizeof
(
struct
ipt_standard
)
*
2
+
sizeof
(
struct
ipt_error
),
{
[
NF_IP_PRE_ROUTING
]
0
,
[
NF_IP_LOCAL_OUT
]
sizeof
(
struct
ipt_standard
)
},
{
[
NF_IP_PRE_ROUTING
]
0
,
[
NF_IP_LOCAL_OUT
]
sizeof
(
struct
ipt_standard
)
},
0
,
NULL
,
{
}
},
{
}
initial_table
__initdata
=
{
.
repl
=
{
.
name
=
"raw"
,
.
valid_hooks
=
RAW_VALID_HOOKS
,
.
num_entries
=
3
,
.
size
=
sizeof
(
struct
ipt_standard
)
*
2
+
sizeof
(
struct
ipt_error
),
.
hook_entry
=
{
[
NF_IP_PRE_ROUTING
]
=
0
,
[
NF_IP_LOCAL_OUT
]
=
sizeof
(
struct
ipt_standard
)
},
.
underflow
=
{
[
NF_IP_PRE_ROUTING
]
=
0
,
[
NF_IP_LOCAL_OUT
]
=
sizeof
(
struct
ipt_standard
)
},
},
.
entries
=
{
/* PRE_ROUTING */
{
{
{
{
0
},
{
0
},
{
0
},
{
0
},
""
,
""
,
{
0
},
{
0
},
0
,
0
,
0
},
0
,
sizeof
(
struct
ipt_entry
),
sizeof
(
struct
ipt_standard
),
0
,
{
0
,
0
},
{
}
},
{
{
{
{
IPT_ALIGN
(
sizeof
(
struct
ipt_standard_target
)),
""
}
},
{
}
},
-
NF_ACCEPT
-
1
}
},
{
.
entry
=
{
.
target_offset
=
sizeof
(
struct
ipt_entry
),
.
next_offset
=
sizeof
(
struct
ipt_standard
),
},
.
target
=
{
.
target
=
{
.
u
.
target_size
=
IPT_ALIGN
(
sizeof
(
struct
ipt_standard_target
)),
},
.
verdict
=
-
NF_ACCEPT
-
1
,
},
},
/* LOCAL_OUT */
{
{
{
{
0
},
{
0
},
{
0
},
{
0
},
""
,
""
,
{
0
},
{
0
},
0
,
0
,
0
},
0
,
sizeof
(
struct
ipt_entry
),
sizeof
(
struct
ipt_standard
),
0
,
{
0
,
0
},
{
}
},
{
{
{
{
IPT_ALIGN
(
sizeof
(
struct
ipt_standard_target
)),
""
}
},
{
}
},
-
NF_ACCEPT
-
1
}
}
{
.
entry
=
{
.
target_offset
=
sizeof
(
struct
ipt_entry
),
.
next_offset
=
sizeof
(
struct
ipt_standard
),
},
.
target
=
{
.
target
=
{
.
u
.
target_size
=
IPT_ALIGN
(
sizeof
(
struct
ipt_standard_target
)),
},
.
verdict
=
-
NF_ACCEPT
-
1
,
},
},
},
/* ERROR */
{
{
{
{
0
},
{
0
},
{
0
},
{
0
},
""
,
""
,
{
0
},
{
0
},
0
,
0
,
0
},
0
,
sizeof
(
struct
ipt_entry
),
sizeof
(
struct
ipt_error
),
0
,
{
0
,
0
},
{
}
},
{
{
{
{
IPT_ALIGN
(
sizeof
(
struct
ipt_error_target
)),
IPT_ERROR_TARGET
}
},
{
}
},
"ERROR"
}
.
term
=
{
.
entry
=
{
.
target_offset
=
sizeof
(
struct
ipt_entry
),
.
next_offset
=
sizeof
(
struct
ipt_error
),
},
.
target
=
{
.
target
=
{
.
u
.
user
=
{
.
target_size
=
IPT_ALIGN
(
sizeof
(
struct
ipt_error_target
)),
.
name
=
IPT_ERROR_TARGET
,
},
},
.
errorname
=
"ERROR"
,
},
}
};
...
...
net/ipv6/ip6_tunnel.c
View file @
35fdc2d8
...
...
@@ -722,13 +722,7 @@ ip6ip6_tnl_xmit(struct sk_buff *skb, struct net_device *dev)
ipv6h
->
nexthdr
=
proto
;
ipv6_addr_copy
(
&
ipv6h
->
saddr
,
&
fl
.
fl6_src
);
ipv6_addr_copy
(
&
ipv6h
->
daddr
,
&
fl
.
fl6_dst
);
#ifdef CONFIG_NETFILTER
nf_conntrack_put
(
skb
->
nfct
);
skb
->
nfct
=
NULL
;
#ifdef CONFIG_NETFILTER_DEBUG
skb
->
nf_debug
=
0
;
#endif
#endif
nf_reset
(
skb
);
pkt_len
=
skb
->
len
;
err
=
NF_HOOK
(
PF_INET6
,
NF_IP6_LOCAL_OUT
,
skb
,
NULL
,
skb
->
dst
->
dev
,
dst_output
);
...
...
net/ipv6/netfilter/ip6_tables.c
View file @
35fdc2d8
...
...
@@ -1845,6 +1845,15 @@ static inline int print_name(const char *i,
return
0
;
}
static
inline
int
print_target
(
const
struct
ip6t_target
*
t
,
off_t
start_offset
,
char
*
buffer
,
int
length
,
off_t
*
pos
,
unsigned
int
*
count
)
{
if
(
t
==
&
ip6t_standard_target
||
t
==
&
ip6t_error_target
)
return
0
;
return
print_name
((
char
*
)
t
,
start_offset
,
buffer
,
length
,
pos
,
count
);
}
static
int
ip6t_get_tables
(
char
*
buffer
,
char
**
start
,
off_t
offset
,
int
length
)
{
off_t
pos
=
0
;
...
...
@@ -1871,7 +1880,7 @@ static int ip6t_get_targets(char *buffer, char **start, off_t offset, int length
if
(
down_interruptible
(
&
ip6t_mutex
)
!=
0
)
return
0
;
LIST_FIND
(
&
ip6t_target
,
print_
name
,
char
*
,
LIST_FIND
(
&
ip6t_target
,
print_
target
,
struct
ip6t_target
*
,
offset
,
buffer
,
length
,
&
pos
,
&
count
);
up
(
&
ip6t_mutex
);
...
...
net/ipv6/netfilter/ip6t_owner.c
View file @
35fdc2d8
...
...
@@ -143,7 +143,14 @@ checkentry(const char *tablename,
if
(
matchsize
!=
IP6T_ALIGN
(
sizeof
(
struct
ip6t_owner_info
)))
return
0
;
#ifdef CONFIG_SMP
/* files->file_lock can not be used in a BH */
if
(((
struct
ip6t_owner_info
*
)
matchinfo
)
->
match
&
(
IP6T_OWNER_PID
|
IP6T_OWNER_SID
))
{
printk
(
"ip6t_owner: pid and sid matching is broken on SMP.
\n
"
);
return
0
;
}
#endif
return
1
;
}
...
...
net/ipv6/sit.c
View file @
35fdc2d8
...
...
@@ -388,13 +388,7 @@ static int ipip6_rcv(struct sk_buff *skb)
skb
->
dev
=
tunnel
->
dev
;
dst_release
(
skb
->
dst
);
skb
->
dst
=
NULL
;
#ifdef CONFIG_NETFILTER
nf_conntrack_put
(
skb
->
nfct
);
skb
->
nfct
=
NULL
;
#ifdef CONFIG_NETFILTER_DEBUG
skb
->
nf_debug
=
0
;
#endif
#endif
nf_reset
(
skb
);
ipip6_ecn_decapsulate
(
iph
,
skb
);
netif_rx
(
skb
);
read_unlock
(
&
ipip6_lock
);
...
...
@@ -580,13 +574,7 @@ static int ipip6_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
if
((
iph
->
ttl
=
tiph
->
ttl
)
==
0
)
iph
->
ttl
=
iph6
->
hop_limit
;
#ifdef CONFIG_NETFILTER
nf_conntrack_put
(
skb
->
nfct
);
skb
->
nfct
=
NULL
;
#ifdef CONFIG_NETFILTER_DEBUG
skb
->
nf_debug
=
0
;
#endif
#endif
nf_reset
(
skb
);
IPTUNNEL_XMIT
();
tunnel
->
recursion
--
;
...
...
net/sched/Kconfig
View file @
35fdc2d8
...
...
@@ -242,6 +242,7 @@ config NET_CLS_TCINDEX
config NET_CLS_ROUTE4
tristate "Routing table based classifier"
depends on NET_CLS
select NET_CLS_ROUTE
help
If you say Y here, you will be able to classify outgoing packets
according to the route table entry they matched. If unsure, say Y.
...
...
@@ -251,8 +252,7 @@ config NET_CLS_ROUTE4
config NET_CLS_ROUTE
bool
depends on NET_CLS_ROUTE4
default y
default n
config NET_CLS_FW
tristate "Firewall based classifier"
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment