Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
L
linux
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Kirill Smelkov
linux
Commits
424eff97
Commit
424eff97
authored
Dec 03, 2009
by
David S. Miller
Browse files
Options
Browse Files
Download
Plain Diff
Merge branch 'master' of
git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6
parents
55dbabee
3666ed1c
Changes
32
Hide whitespace changes
Inline
Side-by-side
Showing
32 changed files
with
253 additions
and
257 deletions
+253
-257
include/linux/netfilter/nf_conntrack_tcp.h
include/linux/netfilter/nf_conntrack_tcp.h
+3
-0
net/ipv4/netfilter/arp_tables.c
net/ipv4/netfilter/arp_tables.c
+11
-11
net/ipv4/netfilter/ip_queue.c
net/ipv4/netfilter/ip_queue.c
+2
-3
net/ipv4/netfilter/ip_tables.c
net/ipv4/netfilter/ip_tables.c
+23
-23
net/ipv4/netfilter/ipt_CLUSTERIP.c
net/ipv4/netfilter/ipt_CLUSTERIP.c
+10
-10
net/ipv4/netfilter/ipt_ECN.c
net/ipv4/netfilter/ipt_ECN.c
+4
-4
net/ipv4/netfilter/ipt_LOG.c
net/ipv4/netfilter/ipt_LOG.c
+11
-11
net/ipv4/netfilter/ipt_MASQUERADE.c
net/ipv4/netfilter/ipt_MASQUERADE.c
+2
-2
net/ipv4/netfilter/ipt_REJECT.c
net/ipv4/netfilter/ipt_REJECT.c
+2
-2
net/ipv4/netfilter/ipt_ULOG.c
net/ipv4/netfilter/ipt_ULOG.c
+3
-3
net/ipv4/netfilter/ipt_ecn.c
net/ipv4/netfilter/ipt_ecn.c
+2
-2
net/ipv4/netfilter/iptable_mangle.c
net/ipv4/netfilter/iptable_mangle.c
+2
-2
net/ipv4/netfilter/iptable_security.c
net/ipv4/netfilter/iptable_security.c
+2
-2
net/ipv4/netfilter/nf_conntrack_proto_icmp.c
net/ipv4/netfilter/nf_conntrack_proto_icmp.c
+14
-14
net/ipv4/netfilter/nf_nat_helper.c
net/ipv4/netfilter/nf_nat_helper.c
+9
-13
net/ipv4/netfilter/nf_nat_standalone.c
net/ipv4/netfilter/nf_nat_standalone.c
+5
-5
net/ipv6/netfilter/ip6_queue.c
net/ipv6/netfilter/ip6_queue.c
+2
-3
net/ipv6/netfilter/ip6_tables.c
net/ipv6/netfilter/ip6_tables.c
+21
-21
net/ipv6/netfilter/ip6t_LOG.c
net/ipv6/netfilter/ip6t_LOG.c
+2
-2
net/ipv6/netfilter/ip6t_REJECT.c
net/ipv6/netfilter/ip6t_REJECT.c
+2
-2
net/ipv6/netfilter/ip6t_ah.c
net/ipv6/netfilter/ip6t_ah.c
+8
-11
net/ipv6/netfilter/ip6t_frag.c
net/ipv6/netfilter/ip6t_frag.c
+21
-26
net/ipv6/netfilter/ip6t_rt.c
net/ipv6/netfilter/ip6t_rt.c
+3
-6
net/ipv6/netfilter/ip6table_filter.c
net/ipv6/netfilter/ip6table_filter.c
+2
-2
net/ipv6/netfilter/ip6table_mangle.c
net/ipv6/netfilter/ip6table_mangle.c
+7
-7
net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+6
-6
net/netfilter/nf_conntrack_core.c
net/netfilter/nf_conntrack_core.c
+10
-4
net/netfilter/nf_conntrack_proto_tcp.c
net/netfilter/nf_conntrack_proto_tcp.c
+41
-10
net/netfilter/nfnetlink_log.c
net/netfilter/nfnetlink_log.c
+1
-2
net/netfilter/nfnetlink_queue.c
net/netfilter/nfnetlink_queue.c
+1
-2
net/netfilter/xt_conntrack.c
net/netfilter/xt_conntrack.c
+17
-44
net/netfilter/xt_socket.c
net/netfilter/xt_socket.c
+4
-2
No files found.
include/linux/netfilter/nf_conntrack_tcp.h
View file @
424eff97
...
@@ -66,6 +66,9 @@ struct ip_ct_tcp {
...
@@ -66,6 +66,9 @@ struct ip_ct_tcp {
u_int32_t
last_ack
;
/* Last sequence number seen in opposite dir */
u_int32_t
last_ack
;
/* Last sequence number seen in opposite dir */
u_int32_t
last_end
;
/* Last seq + len */
u_int32_t
last_end
;
/* Last seq + len */
u_int16_t
last_win
;
/* Last window advertisement seen in dir */
u_int16_t
last_win
;
/* Last window advertisement seen in dir */
/* For SYN packets while we may be out-of-sync */
u_int8_t
last_wscale
;
/* Last window scaling factor seen */
u_int8_t
last_flags
;
/* Last flags set */
};
};
#endif
/* __KERNEL__ */
#endif
/* __KERNEL__ */
...
...
net/ipv4/netfilter/arp_tables.c
View file @
424eff97
...
@@ -384,11 +384,11 @@ static int mark_source_chains(struct xt_table_info *newinfo,
...
@@ -384,11 +384,11 @@ static int mark_source_chains(struct xt_table_info *newinfo,
|=
((
1
<<
hook
)
|
(
1
<<
NF_ARP_NUMHOOKS
));
|=
((
1
<<
hook
)
|
(
1
<<
NF_ARP_NUMHOOKS
));
/* Unconditional return/END. */
/* Unconditional return/END. */
if
((
e
->
target_offset
==
sizeof
(
struct
arpt_entry
)
if
((
e
->
target_offset
==
sizeof
(
struct
arpt_entry
)
&&
&&
(
strcmp
(
t
->
target
.
u
.
user
.
name
,
(
strcmp
(
t
->
target
.
u
.
user
.
name
,
ARPT_STANDARD_TARGET
)
==
0
)
ARPT_STANDARD_TARGET
)
==
0
)
&&
&&
t
->
verdict
<
0
t
->
verdict
<
0
&&
unconditional
(
&
e
->
arp
))
||
&&
unconditional
(
&
e
->
arp
))
||
visited
)
{
visited
)
{
unsigned
int
oldpos
,
size
;
unsigned
int
oldpos
,
size
;
if
((
strcmp
(
t
->
target
.
u
.
user
.
name
,
if
((
strcmp
(
t
->
target
.
u
.
user
.
name
,
...
@@ -427,8 +427,8 @@ static int mark_source_chains(struct xt_table_info *newinfo,
...
@@ -427,8 +427,8 @@ static int mark_source_chains(struct xt_table_info *newinfo,
int
newpos
=
t
->
verdict
;
int
newpos
=
t
->
verdict
;
if
(
strcmp
(
t
->
target
.
u
.
user
.
name
,
if
(
strcmp
(
t
->
target
.
u
.
user
.
name
,
ARPT_STANDARD_TARGET
)
==
0
ARPT_STANDARD_TARGET
)
==
0
&&
&&
newpos
>=
0
)
{
newpos
>=
0
)
{
if
(
newpos
>
newinfo
->
size
-
if
(
newpos
>
newinfo
->
size
-
sizeof
(
struct
arpt_entry
))
{
sizeof
(
struct
arpt_entry
))
{
duprintf
(
"mark_source_chains: "
duprintf
(
"mark_source_chains: "
...
@@ -559,8 +559,8 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e,
...
@@ -559,8 +559,8 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e,
{
{
unsigned
int
h
;
unsigned
int
h
;
if
((
unsigned
long
)
e
%
__alignof__
(
struct
arpt_entry
)
!=
0
if
((
unsigned
long
)
e
%
__alignof__
(
struct
arpt_entry
)
!=
0
||
||
(
unsigned
char
*
)
e
+
sizeof
(
struct
arpt_entry
)
>=
limit
)
{
(
unsigned
char
*
)
e
+
sizeof
(
struct
arpt_entry
)
>=
limit
)
{
duprintf
(
"Bad offset %p
\n
"
,
e
);
duprintf
(
"Bad offset %p
\n
"
,
e
);
return
-
EINVAL
;
return
-
EINVAL
;
}
}
...
@@ -1251,8 +1251,8 @@ check_compat_entry_size_and_hooks(struct compat_arpt_entry *e,
...
@@ -1251,8 +1251,8 @@ check_compat_entry_size_and_hooks(struct compat_arpt_entry *e,
int
ret
,
off
,
h
;
int
ret
,
off
,
h
;
duprintf
(
"check_compat_entry_size_and_hooks %p
\n
"
,
e
);
duprintf
(
"check_compat_entry_size_and_hooks %p
\n
"
,
e
);
if
((
unsigned
long
)
e
%
__alignof__
(
struct
compat_arpt_entry
)
!=
0
if
((
unsigned
long
)
e
%
__alignof__
(
struct
compat_arpt_entry
)
!=
0
||
||
(
unsigned
char
*
)
e
+
sizeof
(
struct
compat_arpt_entry
)
>=
limit
)
{
(
unsigned
char
*
)
e
+
sizeof
(
struct
compat_arpt_entry
)
>=
limit
)
{
duprintf
(
"Bad offset %p, limit = %p
\n
"
,
e
,
limit
);
duprintf
(
"Bad offset %p, limit = %p
\n
"
,
e
,
limit
);
return
-
EINVAL
;
return
-
EINVAL
;
}
}
...
...
net/ipv4/netfilter/ip_queue.c
View file @
424eff97
...
@@ -497,8 +497,7 @@ ipq_rcv_nl_event(struct notifier_block *this,
...
@@ -497,8 +497,7 @@ ipq_rcv_nl_event(struct notifier_block *this,
{
{
struct
netlink_notify
*
n
=
ptr
;
struct
netlink_notify
*
n
=
ptr
;
if
(
event
==
NETLINK_URELEASE
&&
if
(
event
==
NETLINK_URELEASE
&&
n
->
protocol
==
NETLINK_FIREWALL
)
{
n
->
protocol
==
NETLINK_FIREWALL
&&
n
->
pid
)
{
write_lock_bh
(
&
queue_lock
);
write_lock_bh
(
&
queue_lock
);
if
((
net_eq
(
n
->
net
,
&
init_net
))
&&
(
n
->
pid
==
peer_pid
))
if
((
net_eq
(
n
->
net
,
&
init_net
))
&&
(
n
->
pid
==
peer_pid
))
__ipq_reset
();
__ipq_reset
();
...
@@ -622,7 +621,7 @@ cleanup_ipqnl: __maybe_unused
...
@@ -622,7 +621,7 @@ cleanup_ipqnl: __maybe_unused
static
void
__exit
ip_queue_fini
(
void
)
static
void
__exit
ip_queue_fini
(
void
)
{
{
nf_unregister_queue_handlers
(
&
nfqh
);
nf_unregister_queue_handlers
(
&
nfqh
);
synchronize_net
();
ipq_flush
(
NULL
,
0
);
ipq_flush
(
NULL
,
0
);
#ifdef CONFIG_SYSCTL
#ifdef CONFIG_SYSCTL
...
...
net/ipv4/netfilter/ip_tables.c
View file @
424eff97
...
@@ -89,9 +89,9 @@ ip_packet_match(const struct iphdr *ip,
...
@@ -89,9 +89,9 @@ ip_packet_match(const struct iphdr *ip,
#define FWINV(bool, invflg) ((bool) ^ !!(ipinfo->invflags & (invflg)))
#define FWINV(bool, invflg) ((bool) ^ !!(ipinfo->invflags & (invflg)))
if
(
FWINV
((
ip
->
saddr
&
ipinfo
->
smsk
.
s_addr
)
!=
ipinfo
->
src
.
s_addr
,
if
(
FWINV
((
ip
->
saddr
&
ipinfo
->
smsk
.
s_addr
)
!=
ipinfo
->
src
.
s_addr
,
IPT_INV_SRCIP
)
IPT_INV_SRCIP
)
||
||
FWINV
((
ip
->
daddr
&
ipinfo
->
dmsk
.
s_addr
)
!=
ipinfo
->
dst
.
s_addr
,
FWINV
((
ip
->
daddr
&
ipinfo
->
dmsk
.
s_addr
)
!=
ipinfo
->
dst
.
s_addr
,
IPT_INV_DSTIP
))
{
IPT_INV_DSTIP
))
{
dprintf
(
"Source or dest mismatch.
\n
"
);
dprintf
(
"Source or dest mismatch.
\n
"
);
dprintf
(
"SRC: %pI4. Mask: %pI4. Target: %pI4.%s
\n
"
,
dprintf
(
"SRC: %pI4. Mask: %pI4. Target: %pI4.%s
\n
"
,
...
@@ -122,8 +122,8 @@ ip_packet_match(const struct iphdr *ip,
...
@@ -122,8 +122,8 @@ ip_packet_match(const struct iphdr *ip,
}
}
/* Check specific protocol */
/* Check specific protocol */
if
(
ipinfo
->
proto
if
(
ipinfo
->
proto
&&
&&
FWINV
(
ip
->
protocol
!=
ipinfo
->
proto
,
IPT_INV_PROTO
))
{
FWINV
(
ip
->
protocol
!=
ipinfo
->
proto
,
IPT_INV_PROTO
))
{
dprintf
(
"Packet protocol %hi does not match %hi.%s
\n
"
,
dprintf
(
"Packet protocol %hi does not match %hi.%s
\n
"
,
ip
->
protocol
,
ipinfo
->
proto
,
ip
->
protocol
,
ipinfo
->
proto
,
ipinfo
->
invflags
&
IPT_INV_PROTO
?
" (INV)"
:
""
);
ipinfo
->
invflags
&
IPT_INV_PROTO
?
" (INV)"
:
""
);
...
@@ -246,11 +246,11 @@ get_chainname_rulenum(struct ipt_entry *s, struct ipt_entry *e,
...
@@ -246,11 +246,11 @@ get_chainname_rulenum(struct ipt_entry *s, struct ipt_entry *e,
}
else
if
(
s
==
e
)
{
}
else
if
(
s
==
e
)
{
(
*
rulenum
)
++
;
(
*
rulenum
)
++
;
if
(
s
->
target_offset
==
sizeof
(
struct
ipt_entry
)
if
(
s
->
target_offset
==
sizeof
(
struct
ipt_entry
)
&&
&&
strcmp
(
t
->
target
.
u
.
kernel
.
target
->
name
,
strcmp
(
t
->
target
.
u
.
kernel
.
target
->
name
,
IPT_STANDARD_TARGET
)
==
0
IPT_STANDARD_TARGET
)
==
0
&&
&&
t
->
verdict
<
0
t
->
verdict
<
0
&&
&&
unconditional
(
&
s
->
ip
))
{
unconditional
(
&
s
->
ip
))
{
/* Tail of chains: STANDARD target (return/policy) */
/* Tail of chains: STANDARD target (return/policy) */
*
comment
=
*
chainname
==
hookname
*
comment
=
*
chainname
==
hookname
?
comments
[
NF_IP_TRACE_COMMENT_POLICY
]
?
comments
[
NF_IP_TRACE_COMMENT_POLICY
]
...
@@ -388,8 +388,8 @@ ipt_do_table(struct sk_buff *skb,
...
@@ -388,8 +388,8 @@ ipt_do_table(struct sk_buff *skb,
back
=
get_entry
(
table_base
,
back
->
comefrom
);
back
=
get_entry
(
table_base
,
back
->
comefrom
);
continue
;
continue
;
}
}
if
(
table_base
+
v
!=
ipt_next_entry
(
e
)
if
(
table_base
+
v
!=
ipt_next_entry
(
e
)
&&
&&
!
(
e
->
ip
.
flags
&
IPT_F_GOTO
))
{
!
(
e
->
ip
.
flags
&
IPT_F_GOTO
))
{
/* Save old back ptr in next entry */
/* Save old back ptr in next entry */
struct
ipt_entry
*
next
=
ipt_next_entry
(
e
);
struct
ipt_entry
*
next
=
ipt_next_entry
(
e
);
next
->
comefrom
=
(
void
*
)
back
-
table_base
;
next
->
comefrom
=
(
void
*
)
back
-
table_base
;
...
@@ -473,11 +473,11 @@ mark_source_chains(struct xt_table_info *newinfo,
...
@@ -473,11 +473,11 @@ mark_source_chains(struct xt_table_info *newinfo,
e
->
comefrom
|=
((
1
<<
hook
)
|
(
1
<<
NF_INET_NUMHOOKS
));
e
->
comefrom
|=
((
1
<<
hook
)
|
(
1
<<
NF_INET_NUMHOOKS
));
/* Unconditional return/END. */
/* Unconditional return/END. */
if
((
e
->
target_offset
==
sizeof
(
struct
ipt_entry
)
if
((
e
->
target_offset
==
sizeof
(
struct
ipt_entry
)
&&
&&
(
strcmp
(
t
->
target
.
u
.
user
.
name
,
(
strcmp
(
t
->
target
.
u
.
user
.
name
,
IPT_STANDARD_TARGET
)
==
0
)
IPT_STANDARD_TARGET
)
==
0
)
&&
&&
t
->
verdict
<
0
t
->
verdict
<
0
&&
unconditional
(
&
e
->
ip
))
||
&&
unconditional
(
&
e
->
ip
))
||
visited
)
{
visited
)
{
unsigned
int
oldpos
,
size
;
unsigned
int
oldpos
,
size
;
if
((
strcmp
(
t
->
target
.
u
.
user
.
name
,
if
((
strcmp
(
t
->
target
.
u
.
user
.
name
,
...
@@ -524,8 +524,8 @@ mark_source_chains(struct xt_table_info *newinfo,
...
@@ -524,8 +524,8 @@ mark_source_chains(struct xt_table_info *newinfo,
int
newpos
=
t
->
verdict
;
int
newpos
=
t
->
verdict
;
if
(
strcmp
(
t
->
target
.
u
.
user
.
name
,
if
(
strcmp
(
t
->
target
.
u
.
user
.
name
,
IPT_STANDARD_TARGET
)
==
0
IPT_STANDARD_TARGET
)
==
0
&&
&&
newpos
>=
0
)
{
newpos
>=
0
)
{
if
(
newpos
>
newinfo
->
size
-
if
(
newpos
>
newinfo
->
size
-
sizeof
(
struct
ipt_entry
))
{
sizeof
(
struct
ipt_entry
))
{
duprintf
(
"mark_source_chains: "
duprintf
(
"mark_source_chains: "
...
@@ -735,8 +735,8 @@ check_entry_size_and_hooks(struct ipt_entry *e,
...
@@ -735,8 +735,8 @@ check_entry_size_and_hooks(struct ipt_entry *e,
{
{
unsigned
int
h
;
unsigned
int
h
;
if
((
unsigned
long
)
e
%
__alignof__
(
struct
ipt_entry
)
!=
0
if
((
unsigned
long
)
e
%
__alignof__
(
struct
ipt_entry
)
!=
0
||
||
(
unsigned
char
*
)
e
+
sizeof
(
struct
ipt_entry
)
>=
limit
)
{
(
unsigned
char
*
)
e
+
sizeof
(
struct
ipt_entry
)
>=
limit
)
{
duprintf
(
"Bad offset %p
\n
"
,
e
);
duprintf
(
"Bad offset %p
\n
"
,
e
);
return
-
EINVAL
;
return
-
EINVAL
;
}
}
...
@@ -1548,8 +1548,8 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
...
@@ -1548,8 +1548,8 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
int
ret
,
off
,
h
;
int
ret
,
off
,
h
;
duprintf
(
"check_compat_entry_size_and_hooks %p
\n
"
,
e
);
duprintf
(
"check_compat_entry_size_and_hooks %p
\n
"
,
e
);
if
((
unsigned
long
)
e
%
__alignof__
(
struct
compat_ipt_entry
)
!=
0
if
((
unsigned
long
)
e
%
__alignof__
(
struct
compat_ipt_entry
)
!=
0
||
||
(
unsigned
char
*
)
e
+
sizeof
(
struct
compat_ipt_entry
)
>=
limit
)
{
(
unsigned
char
*
)
e
+
sizeof
(
struct
compat_ipt_entry
)
>=
limit
)
{
duprintf
(
"Bad offset %p, limit = %p
\n
"
,
e
,
limit
);
duprintf
(
"Bad offset %p, limit = %p
\n
"
,
e
,
limit
);
return
-
EINVAL
;
return
-
EINVAL
;
}
}
...
...
net/ipv4/netfilter/ipt_CLUSTERIP.c
View file @
424eff97
...
@@ -303,9 +303,9 @@ clusterip_tg(struct sk_buff *skb, const struct xt_target_param *par)
...
@@ -303,9 +303,9 @@ clusterip_tg(struct sk_buff *skb, const struct xt_target_param *par)
/* special case: ICMP error handling. conntrack distinguishes between
/* special case: ICMP error handling. conntrack distinguishes between
* error messages (RELATED) and information requests (see below) */
* error messages (RELATED) and information requests (see below) */
if
(
ip_hdr
(
skb
)
->
protocol
==
IPPROTO_ICMP
if
(
ip_hdr
(
skb
)
->
protocol
==
IPPROTO_ICMP
&&
&&
(
ctinfo
==
IP_CT_RELATED
(
ctinfo
==
IP_CT_RELATED
||
||
ctinfo
==
IP_CT_RELATED
+
IP_CT_IS_REPLY
))
ctinfo
==
IP_CT_RELATED
+
IP_CT_IS_REPLY
))
return
XT_CONTINUE
;
return
XT_CONTINUE
;
/* ip_conntrack_icmp guarantees us that we only have ICMP_ECHO,
/* ip_conntrack_icmp guarantees us that we only have ICMP_ECHO,
...
@@ -362,8 +362,8 @@ static bool clusterip_tg_check(const struct xt_tgchk_param *par)
...
@@ -362,8 +362,8 @@ static bool clusterip_tg_check(const struct xt_tgchk_param *par)
return
false
;
return
false
;
}
}
if
(
e
->
ip
.
dmsk
.
s_addr
!=
htonl
(
0xffffffff
)
if
(
e
->
ip
.
dmsk
.
s_addr
!=
htonl
(
0xffffffff
)
||
||
e
->
ip
.
dst
.
s_addr
==
0
)
{
e
->
ip
.
dst
.
s_addr
==
0
)
{
printk
(
KERN_ERR
"CLUSTERIP: Please specify destination IP
\n
"
);
printk
(
KERN_ERR
"CLUSTERIP: Please specify destination IP
\n
"
);
return
false
;
return
false
;
}
}
...
@@ -495,14 +495,14 @@ arp_mangle(unsigned int hook,
...
@@ -495,14 +495,14 @@ arp_mangle(unsigned int hook,
struct
clusterip_config
*
c
;
struct
clusterip_config
*
c
;
/* we don't care about non-ethernet and non-ipv4 ARP */
/* we don't care about non-ethernet and non-ipv4 ARP */
if
(
arp
->
ar_hrd
!=
htons
(
ARPHRD_ETHER
)
if
(
arp
->
ar_hrd
!=
htons
(
ARPHRD_ETHER
)
||
||
arp
->
ar_pro
!=
htons
(
ETH_P_IP
)
arp
->
ar_pro
!=
htons
(
ETH_P_IP
)
||
||
arp
->
ar_pln
!=
4
||
arp
->
ar_hln
!=
ETH_ALEN
)
arp
->
ar_pln
!=
4
||
arp
->
ar_hln
!=
ETH_ALEN
)
return
NF_ACCEPT
;
return
NF_ACCEPT
;
/* we only want to mangle arp requests and replies */
/* we only want to mangle arp requests and replies */
if
(
arp
->
ar_op
!=
htons
(
ARPOP_REPLY
)
if
(
arp
->
ar_op
!=
htons
(
ARPOP_REPLY
)
&&
&&
arp
->
ar_op
!=
htons
(
ARPOP_REQUEST
))
arp
->
ar_op
!=
htons
(
ARPOP_REQUEST
))
return
NF_ACCEPT
;
return
NF_ACCEPT
;
payload
=
(
void
*
)(
arp
+
1
);
payload
=
(
void
*
)(
arp
+
1
);
...
...
net/ipv4/netfilter/ipt_ECN.c
View file @
424eff97
...
@@ -85,8 +85,8 @@ ecn_tg(struct sk_buff *skb, const struct xt_target_param *par)
...
@@ -85,8 +85,8 @@ ecn_tg(struct sk_buff *skb, const struct xt_target_param *par)
if
(
!
set_ect_ip
(
skb
,
einfo
))
if
(
!
set_ect_ip
(
skb
,
einfo
))
return
NF_DROP
;
return
NF_DROP
;
if
(
einfo
->
operation
&
(
IPT_ECN_OP_SET_ECE
|
IPT_ECN_OP_SET_CWR
)
if
(
einfo
->
operation
&
(
IPT_ECN_OP_SET_ECE
|
IPT_ECN_OP_SET_CWR
)
&&
&&
ip_hdr
(
skb
)
->
protocol
==
IPPROTO_TCP
)
ip_hdr
(
skb
)
->
protocol
==
IPPROTO_TCP
)
if
(
!
set_ect_tcp
(
skb
,
einfo
))
if
(
!
set_ect_tcp
(
skb
,
einfo
))
return
NF_DROP
;
return
NF_DROP
;
...
@@ -108,8 +108,8 @@ static bool ecn_tg_check(const struct xt_tgchk_param *par)
...
@@ -108,8 +108,8 @@ static bool ecn_tg_check(const struct xt_tgchk_param *par)
einfo
->
ip_ect
);
einfo
->
ip_ect
);
return
false
;
return
false
;
}
}
if
((
einfo
->
operation
&
(
IPT_ECN_OP_SET_ECE
|
IPT_ECN_OP_SET_CWR
))
if
((
einfo
->
operation
&
(
IPT_ECN_OP_SET_ECE
|
IPT_ECN_OP_SET_CWR
))
&&
&&
(
e
->
ip
.
proto
!=
IPPROTO_TCP
||
(
e
->
ip
.
invflags
&
XT_INV_PROTO
)))
{
(
e
->
ip
.
proto
!=
IPPROTO_TCP
||
(
e
->
ip
.
invflags
&
XT_INV_PROTO
)))
{
printk
(
KERN_WARNING
"ECN: cannot use TCP operations on a "
printk
(
KERN_WARNING
"ECN: cannot use TCP operations on a "
"non-tcp rule
\n
"
);
"non-tcp rule
\n
"
);
return
false
;
return
false
;
...
...
net/ipv4/netfilter/ipt_LOG.c
View file @
424eff97
...
@@ -74,8 +74,8 @@ static void dump_packet(const struct nf_loginfo *info,
...
@@ -74,8 +74,8 @@ static void dump_packet(const struct nf_loginfo *info,
if
(
ntohs
(
ih
->
frag_off
)
&
IP_OFFSET
)
if
(
ntohs
(
ih
->
frag_off
)
&
IP_OFFSET
)
printk
(
"FRAG:%u "
,
ntohs
(
ih
->
frag_off
)
&
IP_OFFSET
);
printk
(
"FRAG:%u "
,
ntohs
(
ih
->
frag_off
)
&
IP_OFFSET
);
if
((
logflags
&
IPT_LOG_IPOPT
)
if
((
logflags
&
IPT_LOG_IPOPT
)
&&
&&
ih
->
ihl
*
4
>
sizeof
(
struct
iphdr
))
{
ih
->
ihl
*
4
>
sizeof
(
struct
iphdr
))
{
const
unsigned
char
*
op
;
const
unsigned
char
*
op
;
unsigned
char
_opt
[
4
*
15
-
sizeof
(
struct
iphdr
)];
unsigned
char
_opt
[
4
*
15
-
sizeof
(
struct
iphdr
)];
unsigned
int
i
,
optsize
;
unsigned
int
i
,
optsize
;
...
@@ -146,8 +146,8 @@ static void dump_packet(const struct nf_loginfo *info,
...
@@ -146,8 +146,8 @@ static void dump_packet(const struct nf_loginfo *info,
/* Max length: 11 "URGP=65535 " */
/* Max length: 11 "URGP=65535 " */
printk
(
"URGP=%u "
,
ntohs
(
th
->
urg_ptr
));
printk
(
"URGP=%u "
,
ntohs
(
th
->
urg_ptr
));
if
((
logflags
&
IPT_LOG_TCPOPT
)
if
((
logflags
&
IPT_LOG_TCPOPT
)
&&
&&
th
->
doff
*
4
>
sizeof
(
struct
tcphdr
))
{
th
->
doff
*
4
>
sizeof
(
struct
tcphdr
))
{
unsigned
char
_opt
[
4
*
15
-
sizeof
(
struct
tcphdr
)];
unsigned
char
_opt
[
4
*
15
-
sizeof
(
struct
tcphdr
)];
const
unsigned
char
*
op
;
const
unsigned
char
*
op
;
unsigned
int
i
,
optsize
;
unsigned
int
i
,
optsize
;
...
@@ -238,9 +238,9 @@ static void dump_packet(const struct nf_loginfo *info,
...
@@ -238,9 +238,9 @@ static void dump_packet(const struct nf_loginfo *info,
printk
(
"TYPE=%u CODE=%u "
,
ich
->
type
,
ich
->
code
);
printk
(
"TYPE=%u CODE=%u "
,
ich
->
type
,
ich
->
code
);
/* Max length: 25 "INCOMPLETE [65535 bytes] " */
/* Max length: 25 "INCOMPLETE [65535 bytes] " */
if
(
ich
->
type
<=
NR_ICMP_TYPES
if
(
ich
->
type
<=
NR_ICMP_TYPES
&&
&&
required_len
[
ich
->
type
]
required_len
[
ich
->
type
]
&&
&&
skb
->
len
-
iphoff
-
ih
->
ihl
*
4
<
required_len
[
ich
->
type
])
{
skb
->
len
-
iphoff
-
ih
->
ihl
*
4
<
required_len
[
ich
->
type
])
{
printk
(
"INCOMPLETE [%u bytes] "
,
printk
(
"INCOMPLETE [%u bytes] "
,
skb
->
len
-
iphoff
-
ih
->
ihl
*
4
);
skb
->
len
-
iphoff
-
ih
->
ihl
*
4
);
break
;
break
;
...
@@ -276,8 +276,8 @@ static void dump_packet(const struct nf_loginfo *info,
...
@@ -276,8 +276,8 @@ static void dump_packet(const struct nf_loginfo *info,
}
}
/* Max length: 10 "MTU=65535 " */
/* Max length: 10 "MTU=65535 " */
if
(
ich
->
type
==
ICMP_DEST_UNREACH
if
(
ich
->
type
==
ICMP_DEST_UNREACH
&&
&&
ich
->
code
==
ICMP_FRAG_NEEDED
)
ich
->
code
==
ICMP_FRAG_NEEDED
)
printk
(
"MTU=%u "
,
ntohs
(
ich
->
un
.
frag
.
mtu
));
printk
(
"MTU=%u "
,
ntohs
(
ich
->
un
.
frag
.
mtu
));
}
}
break
;
break
;
...
@@ -407,8 +407,8 @@ ipt_log_packet(u_int8_t pf,
...
@@ -407,8 +407,8 @@ ipt_log_packet(u_int8_t pf,
if
(
in
&&
!
out
)
{
if
(
in
&&
!
out
)
{
/* MAC logging for input chain only. */
/* MAC logging for input chain only. */
printk
(
"MAC="
);
printk
(
"MAC="
);
if
(
skb
->
dev
&&
skb
->
dev
->
hard_header_len
if
(
skb
->
dev
&&
skb
->
dev
->
hard_header_len
&&
&&
skb
->
mac_header
!=
skb
->
network_header
)
{
skb
->
mac_header
!=
skb
->
network_header
)
{
int
i
;
int
i
;
const
unsigned
char
*
p
=
skb_mac_header
(
skb
);
const
unsigned
char
*
p
=
skb_mac_header
(
skb
);
for
(
i
=
0
;
i
<
skb
->
dev
->
hard_header_len
;
i
++
,
p
++
)
for
(
i
=
0
;
i
<
skb
->
dev
->
hard_header_len
;
i
++
,
p
++
)
...
...
net/ipv4/netfilter/ipt_MASQUERADE.c
View file @
424eff97
...
@@ -59,8 +59,8 @@ masquerade_tg(struct sk_buff *skb, const struct xt_target_param *par)
...
@@ -59,8 +59,8 @@ masquerade_tg(struct sk_buff *skb, const struct xt_target_param *par)
ct
=
nf_ct_get
(
skb
,
&
ctinfo
);
ct
=
nf_ct_get
(
skb
,
&
ctinfo
);
nat
=
nfct_nat
(
ct
);
nat
=
nfct_nat
(
ct
);
NF_CT_ASSERT
(
ct
&&
(
ctinfo
==
IP_CT_NEW
||
ctinfo
==
IP_CT_RELATED
NF_CT_ASSERT
(
ct
&&
(
ctinfo
==
IP_CT_NEW
||
ctinfo
==
IP_CT_RELATED
||
||
ctinfo
==
IP_CT_RELATED
+
IP_CT_IS_REPLY
));
ctinfo
==
IP_CT_RELATED
+
IP_CT_IS_REPLY
));
/* Source address is 0.0.0.0 - locally generated packet that is
/* Source address is 0.0.0.0 - locally generated packet that is
* probably not supposed to be masqueraded.
* probably not supposed to be masqueraded.
...
...
net/ipv4/netfilter/ipt_REJECT.c
View file @
424eff97
...
@@ -184,8 +184,8 @@ static bool reject_tg_check(const struct xt_tgchk_param *par)
...
@@ -184,8 +184,8 @@ static bool reject_tg_check(const struct xt_tgchk_param *par)
return
false
;
return
false
;
}
else
if
(
rejinfo
->
with
==
IPT_TCP_RESET
)
{
}
else
if
(
rejinfo
->
with
==
IPT_TCP_RESET
)
{
/* Must specify that it's a TCP packet */
/* Must specify that it's a TCP packet */
if
(
e
->
ip
.
proto
!=
IPPROTO_TCP
if
(
e
->
ip
.
proto
!=
IPPROTO_TCP
||
||
(
e
->
ip
.
invflags
&
XT_INV_PROTO
))
{
(
e
->
ip
.
invflags
&
XT_INV_PROTO
))
{
printk
(
"ipt_REJECT: TCP_RESET invalid for non-tcp
\n
"
);
printk
(
"ipt_REJECT: TCP_RESET invalid for non-tcp
\n
"
);
return
false
;
return
false
;
}
}
...
...
net/ipv4/netfilter/ipt_ULOG.c
View file @
424eff97
...
@@ -226,9 +226,9 @@ static void ipt_ulog_packet(unsigned int hooknum,
...
@@ -226,9 +226,9 @@ static void ipt_ulog_packet(unsigned int hooknum,
else
else
*
(
pm
->
prefix
)
=
'\0'
;
*
(
pm
->
prefix
)
=
'\0'
;
if
(
in
&&
in
->
hard_header_len
>
0
if
(
in
&&
in
->
hard_header_len
>
0
&&
&&
skb
->
mac_header
!=
skb
->
network_header
skb
->
mac_header
!=
skb
->
network_header
&&
&&
in
->
hard_header_len
<=
ULOG_MAC_LEN
)
{
in
->
hard_header_len
<=
ULOG_MAC_LEN
)
{
memcpy
(
pm
->
mac
,
skb_mac_header
(
skb
),
in
->
hard_header_len
);
memcpy
(
pm
->
mac
,
skb_mac_header
(
skb
),
in
->
hard_header_len
);
pm
->
mac_len
=
in
->
hard_header_len
;
pm
->
mac_len
=
in
->
hard_header_len
;
}
else
}
else
...
...
net/ipv4/netfilter/ipt_ecn.c
View file @
424eff97
...
@@ -96,8 +96,8 @@ static bool ecn_mt_check(const struct xt_mtchk_param *par)
...
@@ -96,8 +96,8 @@ static bool ecn_mt_check(const struct xt_mtchk_param *par)
if
(
info
->
invert
&
IPT_ECN_OP_MATCH_MASK
)
if
(
info
->
invert
&
IPT_ECN_OP_MATCH_MASK
)
return
false
;
return
false
;
if
(
info
->
operation
&
(
IPT_ECN_OP_MATCH_ECE
|
IPT_ECN_OP_MATCH_CWR
)
if
(
info
->
operation
&
(
IPT_ECN_OP_MATCH_ECE
|
IPT_ECN_OP_MATCH_CWR
)
&&
&&
ip
->
proto
!=
IPPROTO_TCP
)
{
ip
->
proto
!=
IPPROTO_TCP
)
{
printk
(
KERN_WARNING
"ipt_ecn: can't match TCP bits in rule for"
printk
(
KERN_WARNING
"ipt_ecn: can't match TCP bits in rule for"
" non-tcp packets
\n
"
);
" non-tcp packets
\n
"
);
return
false
;
return
false
;
...
...
net/ipv4/netfilter/iptable_mangle.c
View file @
424eff97
...
@@ -130,8 +130,8 @@ ipt_local_hook(unsigned int hook,
...
@@ -130,8 +130,8 @@ ipt_local_hook(unsigned int hook,
u_int32_t
mark
;
u_int32_t
mark
;
/* root is playing with raw sockets. */
/* root is playing with raw sockets. */
if
(
skb
->
len
<
sizeof
(
struct
iphdr
)
if
(
skb
->
len
<
sizeof
(
struct
iphdr
)
||
||
ip_hdrlen
(
skb
)
<
sizeof
(
struct
iphdr
))
ip_hdrlen
(
skb
)
<
sizeof
(
struct
iphdr
))
return
NF_ACCEPT
;
return
NF_ACCEPT
;
/* Save things which could affect route */
/* Save things which could affect route */
...
...
net/ipv4/netfilter/iptable_security.c
View file @
424eff97
...
@@ -94,8 +94,8 @@ ipt_local_out_hook(unsigned int hook,
...
@@ -94,8 +94,8 @@ ipt_local_out_hook(unsigned int hook,
int
(
*
okfn
)(
struct
sk_buff
*
))
int
(
*
okfn
)(
struct
sk_buff
*
))
{
{
/* Somebody is playing with raw sockets. */
/* Somebody is playing with raw sockets. */
if
(
skb
->
len
<
sizeof
(
struct
iphdr
)
if
(
skb
->
len
<
sizeof
(
struct
iphdr
)
||
||
ip_hdrlen
(
skb
)
<
sizeof
(
struct
iphdr
))
ip_hdrlen
(
skb
)
<
sizeof
(
struct
iphdr
))
return
NF_ACCEPT
;
return
NF_ACCEPT
;
return
ipt_do_table
(
skb
,
hook
,
in
,
out
,
return
ipt_do_table
(
skb
,
hook
,
in
,
out
,
dev_net
(
out
)
->
ipv4
.
iptable_security
);
dev_net
(
out
)
->
ipv4
.
iptable_security
);
...
...
net/ipv4/netfilter/nf_conntrack_proto_icmp.c
View file @
424eff97
...
@@ -54,8 +54,8 @@ static const u_int8_t invmap[] = {
...
@@ -54,8 +54,8 @@ static const u_int8_t invmap[] = {
static
bool
icmp_invert_tuple
(
struct
nf_conntrack_tuple
*
tuple
,
static
bool
icmp_invert_tuple
(
struct
nf_conntrack_tuple
*
tuple
,
const
struct
nf_conntrack_tuple
*
orig
)
const
struct
nf_conntrack_tuple
*
orig
)
{
{
if
(
orig
->
dst
.
u
.
icmp
.
type
>=
sizeof
(
invmap
)
if
(
orig
->
dst
.
u
.
icmp
.
type
>=
sizeof
(
invmap
)
||
||
!
invmap
[
orig
->
dst
.
u
.
icmp
.
type
])
!
invmap
[
orig
->
dst
.
u
.
icmp
.
type
])
return
false
;
return
false
;
tuple
->
src
.
u
.
icmp
.
id
=
orig
->
src
.
u
.
icmp
.
id
;
tuple
->
src
.
u
.
icmp
.
id
=
orig
->
src
.
u
.
icmp
.
id
;
...
@@ -101,8 +101,8 @@ static bool icmp_new(struct nf_conn *ct, const struct sk_buff *skb,
...
@@ -101,8 +101,8 @@ static bool icmp_new(struct nf_conn *ct, const struct sk_buff *skb,
[
ICMP_ADDRESS
]
=
1
[
ICMP_ADDRESS
]
=
1
};
};
if
(
ct
->
tuplehash
[
0
].
tuple
.
dst
.
u
.
icmp
.
type
>=
sizeof
(
valid_new
)
if
(
ct
->
tuplehash
[
0
].
tuple
.
dst
.
u
.
icmp
.
type
>=
sizeof
(
valid_new
)
||
||
!
valid_new
[
ct
->
tuplehash
[
0
].
tuple
.
dst
.
u
.
icmp
.
type
])
{
!
valid_new
[
ct
->
tuplehash
[
0
].
tuple
.
dst
.
u
.
icmp
.
type
])
{
/* Can't create a new ICMP `conn' with this. */
/* Can't create a new ICMP `conn' with this. */
pr_debug
(
"icmp: can't create new conn with type %u
\n
"
,
pr_debug
(
"icmp: can't create new conn with type %u
\n
"
,
ct
->
tuplehash
[
0
].
tuple
.
dst
.
u
.
icmp
.
type
);
ct
->
tuplehash
[
0
].
tuple
.
dst
.
u
.
icmp
.
type
);
...
@@ -201,11 +201,11 @@ icmp_error(struct net *net, struct sk_buff *skb, unsigned int dataoff,
...
@@ -201,11 +201,11 @@ icmp_error(struct net *net, struct sk_buff *skb, unsigned int dataoff,
}
}
/* Need to track icmp error message? */
/* Need to track icmp error message? */
if
(
icmph
->
type
!=
ICMP_DEST_UNREACH
if
(
icmph
->
type
!=
ICMP_DEST_UNREACH
&&
&&
icmph
->
type
!=
ICMP_SOURCE_QUENCH
icmph
->
type
!=
ICMP_SOURCE_QUENCH
&&
&&
icmph
->
type
!=
ICMP_TIME_EXCEEDED
icmph
->
type
!=
ICMP_TIME_EXCEEDED
&&
&&
icmph
->
type
!=
ICMP_PARAMETERPROB
icmph
->
type
!=
ICMP_PARAMETERPROB
&&
&&
icmph
->
type
!=
ICMP_REDIRECT
)
icmph
->
type
!=
ICMP_REDIRECT
)
return
NF_ACCEPT
;
return
NF_ACCEPT
;
return
icmp_error_message
(
net
,
skb
,
ctinfo
,
hooknum
);
return
icmp_error_message
(
net
,
skb
,
ctinfo
,
hooknum
);
...
@@ -238,17 +238,17 @@ static const struct nla_policy icmp_nla_policy[CTA_PROTO_MAX+1] = {
...
@@ -238,17 +238,17 @@ static const struct nla_policy icmp_nla_policy[CTA_PROTO_MAX+1] = {
static
int
icmp_nlattr_to_tuple
(
struct
nlattr
*
tb
[],
static
int
icmp_nlattr_to_tuple
(
struct
nlattr
*
tb
[],
struct
nf_conntrack_tuple
*
tuple
)
struct
nf_conntrack_tuple
*
tuple
)
{
{
if
(
!
tb
[
CTA_PROTO_ICMP_TYPE
]
if
(
!
tb
[
CTA_PROTO_ICMP_TYPE
]
||
||
!
tb
[
CTA_PROTO_ICMP_CODE
]
!
tb
[
CTA_PROTO_ICMP_CODE
]
||
||
!
tb
[
CTA_PROTO_ICMP_ID
])
!
tb
[
CTA_PROTO_ICMP_ID
])
return
-
EINVAL
;
return
-
EINVAL
;
tuple
->
dst
.
u
.
icmp
.
type
=
nla_get_u8
(
tb
[
CTA_PROTO_ICMP_TYPE
]);
tuple
->
dst
.
u
.
icmp
.
type
=
nla_get_u8
(
tb
[
CTA_PROTO_ICMP_TYPE
]);
tuple
->
dst
.
u
.
icmp
.
code
=
nla_get_u8
(
tb
[
CTA_PROTO_ICMP_CODE
]);
tuple
->
dst
.
u
.
icmp
.
code
=
nla_get_u8
(
tb
[
CTA_PROTO_ICMP_CODE
]);
tuple
->
src
.
u
.
icmp
.
id
=
nla_get_be16
(
tb
[
CTA_PROTO_ICMP_ID
]);
tuple
->
src
.
u
.
icmp
.
id
=
nla_get_be16
(
tb
[
CTA_PROTO_ICMP_ID
]);
if
(
tuple
->
dst
.
u
.
icmp
.
type
>=
sizeof
(
invmap
)
if
(
tuple
->
dst
.
u
.
icmp
.
type
>=
sizeof
(
invmap
)
||
||
!
invmap
[
tuple
->
dst
.
u
.
icmp
.
type
])
!
invmap
[
tuple
->
dst
.
u
.
icmp
.
type
])
return
-
EINVAL
;
return
-
EINVAL
;
return
0
;
return
0
;
...
...
net/ipv4/netfilter/nf_nat_helper.c
View file @
424eff97
...
@@ -41,18 +41,14 @@ adjust_tcp_sequence(u32 seq,
...
@@ -41,18 +41,14 @@ adjust_tcp_sequence(u32 seq,
struct
nf_conn
*
ct
,
struct
nf_conn
*
ct
,
enum
ip_conntrack_info
ctinfo
)
enum
ip_conntrack_info
ctinfo
)
{
{
int
dir
;
enum
ip_conntrack_dir
dir
=
CTINFO2DIR
(
ctinfo
);
struct
nf_nat_seq
*
this_way
,
*
other_way
;
struct
nf_conn_nat
*
nat
=
nfct_nat
(
ct
);
struct
nf_conn_nat
*
nat
=
nfct_nat
(
ct
);
struct
nf_nat_seq
*
this_way
=
&
nat
->
seq
[
dir
];
pr_debug
(
"adjust_tcp_sequence: seq = %u, sizediff = %d
\n
"
,
seq
,
seq
);
pr_debug
(
"adjust_tcp_sequence: seq = %u, sizediff = %d
\n
"
,
seq
,
sizediff
);
dir
=
CTINFO2DIR
(
ctinfo
);
this_way
=
&
nat
->
seq
[
dir
];
other_way
=
&
nat
->
seq
[
!
dir
];
pr_debug
(
"
nf_nat_resize_packet
: Seq_offset before: "
);
pr_debug
(
"
adjust_tcp_sequence
: Seq_offset before: "
);
DUMP_OFFSET
(
this_way
);
DUMP_OFFSET
(
this_way
);
spin_lock_bh
(
&
nf_nat_seqofs_lock
);
spin_lock_bh
(
&
nf_nat_seqofs_lock
);
...
@@ -63,13 +59,13 @@ adjust_tcp_sequence(u32 seq,
...
@@ -63,13 +59,13 @@ adjust_tcp_sequence(u32 seq,
* retransmit */
* retransmit */
if
(
this_way
->
offset_before
==
this_way
->
offset_after
||
if
(
this_way
->
offset_before
==
this_way
->
offset_after
||
before
(
this_way
->
correction_pos
,
seq
))
{
before
(
this_way
->
correction_pos
,
seq
))
{
this_way
->
correction_pos
=
seq
;
this_way
->
correction_pos
=
seq
;
this_way
->
offset_before
=
this_way
->
offset_after
;
this_way
->
offset_before
=
this_way
->
offset_after
;
this_way
->
offset_after
+=
sizediff
;
this_way
->
offset_after
+=
sizediff
;
}
}
spin_unlock_bh
(
&
nf_nat_seqofs_lock
);
spin_unlock_bh
(
&
nf_nat_seqofs_lock
);
pr_debug
(
"
nf_nat_resize_packet
: Seq_offset after: "
);
pr_debug
(
"
adjust_tcp_sequence
: Seq_offset after: "
);
DUMP_OFFSET
(
this_way
);
DUMP_OFFSET
(
this_way
);
}
}
...
...
net/ipv4/netfilter/nf_nat_standalone.c
View file @
424eff97
...
@@ -197,11 +197,11 @@ nf_nat_out(unsigned int hooknum,
...
@@ -197,11 +197,11 @@ nf_nat_out(unsigned int hooknum,
(
ct
=
nf_ct_get
(
skb
,
&
ctinfo
))
!=
NULL
)
{
(
ct
=
nf_ct_get
(
skb
,
&
ctinfo
))
!=
NULL
)
{
enum
ip_conntrack_dir
dir
=
CTINFO2DIR
(
ctinfo
);
enum
ip_conntrack_dir
dir
=
CTINFO2DIR
(
ctinfo
);
if
(
ct
->
tuplehash
[
dir
].
tuple
.
src
.
u3
.
ip
!=
if
(
(
ct
->
tuplehash
[
dir
].
tuple
.
src
.
u3
.
ip
!=
ct
->
tuplehash
[
!
dir
].
tuple
.
dst
.
u3
.
ip
ct
->
tuplehash
[
!
dir
].
tuple
.
dst
.
u3
.
ip
)
||
||
ct
->
tuplehash
[
dir
].
tuple
.
src
.
u
.
all
!=
(
ct
->
tuplehash
[
dir
].
tuple
.
src
.
u
.
all
!=
ct
->
tuplehash
[
!
dir
].
tuple
.
dst
.
u
.
all
ct
->
tuplehash
[
!
dir
].
tuple
.
dst
.
u
.
all
)
)
)
return
ip_xfrm_me_harder
(
skb
)
==
0
?
ret
:
NF_DROP
;
return
ip_xfrm_me_harder
(
skb
)
==
0
?
ret
:
NF_DROP
;
}
}
#endif
#endif
...
...
net/ipv6/netfilter/ip6_queue.c
View file @
424eff97
...
@@ -499,8 +499,7 @@ ipq_rcv_nl_event(struct notifier_block *this,
...
@@ -499,8 +499,7 @@ ipq_rcv_nl_event(struct notifier_block *this,
{
{
struct
netlink_notify
*
n
=
ptr
;
struct
netlink_notify
*
n
=
ptr
;
if
(
event
==
NETLINK_URELEASE
&&
if
(
event
==
NETLINK_URELEASE
&&
n
->
protocol
==
NETLINK_IP6_FW
)
{
n
->
protocol
==
NETLINK_IP6_FW
&&
n
->
pid
)
{
write_lock_bh
(
&
queue_lock
);
write_lock_bh
(
&
queue_lock
);
if
((
net_eq
(
n
->
net
,
&
init_net
))
&&
(
n
->
pid
==
peer_pid
))
if
((
net_eq
(
n
->
net
,
&
init_net
))
&&
(
n
->
pid
==
peer_pid
))
__ipq_reset
();
__ipq_reset
();
...
@@ -625,7 +624,7 @@ cleanup_ipqnl: __maybe_unused
...
@@ -625,7 +624,7 @@ cleanup_ipqnl: __maybe_unused
static
void
__exit
ip6_queue_fini
(
void
)
static
void
__exit
ip6_queue_fini
(
void
)
{
{
nf_unregister_queue_handlers
(
&
nfqh
);
nf_unregister_queue_handlers
(
&
nfqh
);
synchronize_net
();
ipq_flush
(
NULL
,
0
);
ipq_flush
(
NULL
,
0
);
#ifdef CONFIG_SYSCTL
#ifdef CONFIG_SYSCTL
...
...
net/ipv6/netfilter/ip6_tables.c
View file @
424eff97
...
@@ -105,9 +105,9 @@ ip6_packet_match(const struct sk_buff *skb,
...
@@ -105,9 +105,9 @@ ip6_packet_match(const struct sk_buff *skb,
#define FWINV(bool, invflg) ((bool) ^ !!(ip6info->invflags & (invflg)))
#define FWINV(bool, invflg) ((bool) ^ !!(ip6info->invflags & (invflg)))
if
(
FWINV
(
ipv6_masked_addr_cmp
(
&
ipv6
->
saddr
,
&
ip6info
->
smsk
,
if
(
FWINV
(
ipv6_masked_addr_cmp
(
&
ipv6
->
saddr
,
&
ip6info
->
smsk
,
&
ip6info
->
src
),
IP6T_INV_SRCIP
)
&
ip6info
->
src
),
IP6T_INV_SRCIP
)
||
||
FWINV
(
ipv6_masked_addr_cmp
(
&
ipv6
->
daddr
,
&
ip6info
->
dmsk
,
FWINV
(
ipv6_masked_addr_cmp
(
&
ipv6
->
daddr
,
&
ip6info
->
dmsk
,
&
ip6info
->
dst
),
IP6T_INV_DSTIP
))
{
&
ip6info
->
dst
),
IP6T_INV_DSTIP
))
{
dprintf
(
"Source or dest mismatch.
\n
"
);
dprintf
(
"Source or dest mismatch.
\n
"
);
/*
/*
dprintf("SRC: %u. Mask: %u. Target: %u.%s\n", ip->saddr,
dprintf("SRC: %u. Mask: %u. Target: %u.%s\n", ip->saddr,
...
@@ -277,11 +277,11 @@ get_chainname_rulenum(struct ip6t_entry *s, struct ip6t_entry *e,
...
@@ -277,11 +277,11 @@ get_chainname_rulenum(struct ip6t_entry *s, struct ip6t_entry *e,
}
else
if
(
s
==
e
)
{
}
else
if
(
s
==
e
)
{
(
*
rulenum
)
++
;
(
*
rulenum
)
++
;
if
(
s
->
target_offset
==
sizeof
(
struct
ip6t_entry
)
if
(
s
->
target_offset
==
sizeof
(
struct
ip6t_entry
)
&&
&&
strcmp
(
t
->
target
.
u
.
kernel
.
target
->
name
,
strcmp
(
t
->
target
.
u
.
kernel
.
target
->
name
,
IP6T_STANDARD_TARGET
)
==
0
IP6T_STANDARD_TARGET
)
==
0
&&
&&
t
->
verdict
<
0
t
->
verdict
<
0
&&
&&
unconditional
(
&
s
->
ipv6
))
{
unconditional
(
&
s
->
ipv6
))
{
/* Tail of chains: STANDARD target (return/policy) */
/* Tail of chains: STANDARD target (return/policy) */
*
comment
=
*
chainname
==
hookname
*
comment
=
*
chainname
==
hookname
?
comments
[
NF_IP6_TRACE_COMMENT_POLICY
]
?
comments
[
NF_IP6_TRACE_COMMENT_POLICY
]
...
@@ -418,8 +418,8 @@ ip6t_do_table(struct sk_buff *skb,
...
@@ -418,8 +418,8 @@ ip6t_do_table(struct sk_buff *skb,
back
=
get_entry
(
table_base
,
back
->
comefrom
);
back
=
get_entry
(
table_base
,
back
->
comefrom
);
continue
;
continue
;
}
}
if
(
table_base
+
v
!=
ip6t_next_entry
(
e
)
if
(
table_base
+
v
!=
ip6t_next_entry
(
e
)
&&
&&
!
(
e
->
ipv6
.
flags
&
IP6T_F_GOTO
))
{
!
(
e
->
ipv6
.
flags
&
IP6T_F_GOTO
))
{
/* Save old back ptr in next entry */
/* Save old back ptr in next entry */
struct
ip6t_entry
*
next
=
ip6t_next_entry
(
e
);
struct
ip6t_entry
*
next
=
ip6t_next_entry
(
e
);
next
->
comefrom
=
(
void
*
)
back
-
table_base
;
next
->
comefrom
=
(
void
*
)
back
-
table_base
;
...
@@ -505,11 +505,11 @@ mark_source_chains(struct xt_table_info *newinfo,
...
@@ -505,11 +505,11 @@ mark_source_chains(struct xt_table_info *newinfo,
e
->
comefrom
|=
((
1
<<
hook
)
|
(
1
<<
NF_INET_NUMHOOKS
));
e
->
comefrom
|=
((
1
<<
hook
)
|
(
1
<<
NF_INET_NUMHOOKS
));
/* Unconditional return/END. */
/* Unconditional return/END. */
if
((
e
->
target_offset
==
sizeof
(
struct
ip6t_entry
)
if
((
e
->
target_offset
==
sizeof
(
struct
ip6t_entry
)
&&
&&
(
strcmp
(
t
->
target
.
u
.
user
.
name
,
(
strcmp
(
t
->
target
.
u
.
user
.
name
,
IP6T_STANDARD_TARGET
)
==
0
)
IP6T_STANDARD_TARGET
)
==
0
)
&&
&&
t
->
verdict
<
0
t
->
verdict
<
0
&&
&&
unconditional
(
&
e
->
ipv6
))
||
visited
)
{
unconditional
(
&
e
->
ipv6
))
||
visited
)
{
unsigned
int
oldpos
,
size
;
unsigned
int
oldpos
,
size
;
if
((
strcmp
(
t
->
target
.
u
.
user
.
name
,
if
((
strcmp
(
t
->
target
.
u
.
user
.
name
,
...
@@ -556,8 +556,8 @@ mark_source_chains(struct xt_table_info *newinfo,
...
@@ -556,8 +556,8 @@ mark_source_chains(struct xt_table_info *newinfo,
int
newpos
=
t
->
verdict
;
int
newpos
=
t
->
verdict
;
if
(
strcmp
(
t
->
target
.
u
.
user
.
name
,
if
(
strcmp
(
t
->
target
.
u
.
user
.
name
,
IP6T_STANDARD_TARGET
)
==
0
IP6T_STANDARD_TARGET
)
==
0
&&
&&
newpos
>=
0
)
{
newpos
>=
0
)
{
if
(
newpos
>
newinfo
->
size
-
if
(
newpos
>
newinfo
->
size
-
sizeof
(
struct
ip6t_entry
))
{
sizeof
(
struct
ip6t_entry
))
{
duprintf
(
"mark_source_chains: "
duprintf
(
"mark_source_chains: "
...
@@ -767,8 +767,8 @@ check_entry_size_and_hooks(struct ip6t_entry *e,
...
@@ -767,8 +767,8 @@ check_entry_size_and_hooks(struct ip6t_entry *e,
{
{
unsigned
int
h
;
unsigned
int
h
;
if
((
unsigned
long
)
e
%
__alignof__
(
struct
ip6t_entry
)
!=
0
if
((
unsigned
long
)
e
%
__alignof__
(
struct
ip6t_entry
)
!=
0
||
||
(
unsigned
char
*
)
e
+
sizeof
(
struct
ip6t_entry
)
>=
limit
)
{
(
unsigned
char
*
)
e
+
sizeof
(
struct
ip6t_entry
)
>=
limit
)
{
duprintf
(
"Bad offset %p
\n
"
,
e
);
duprintf
(
"Bad offset %p
\n
"
,
e
);
return
-
EINVAL
;
return
-
EINVAL
;
}
}
...
@@ -1584,8 +1584,8 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
...
@@ -1584,8 +1584,8 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
int
ret
,
off
,
h
;
int
ret
,
off
,
h
;
duprintf
(
"check_compat_entry_size_and_hooks %p
\n
"
,
e
);
duprintf
(
"check_compat_entry_size_and_hooks %p
\n
"
,
e
);
if
((
unsigned
long
)
e
%
__alignof__
(
struct
compat_ip6t_entry
)
!=
0
if
((
unsigned
long
)
e
%
__alignof__
(
struct
compat_ip6t_entry
)
!=
0
||
||
(
unsigned
char
*
)
e
+
sizeof
(
struct
compat_ip6t_entry
)
>=
limit
)
{
(
unsigned
char
*
)
e
+
sizeof
(
struct
compat_ip6t_entry
)
>=
limit
)
{
duprintf
(
"Bad offset %p, limit = %p
\n
"
,
e
,
limit
);
duprintf
(
"Bad offset %p, limit = %p
\n
"
,
e
,
limit
);
return
-
EINVAL
;
return
-
EINVAL
;
}
}
...
...
net/ipv6/netfilter/ip6t_LOG.c
View file @
424eff97
...
@@ -249,8 +249,8 @@ static void dump_packet(const struct nf_loginfo *info,
...
@@ -249,8 +249,8 @@ static void dump_packet(const struct nf_loginfo *info,
/* Max length: 11 "URGP=65535 " */
/* Max length: 11 "URGP=65535 " */
printk
(
"URGP=%u "
,
ntohs
(
th
->
urg_ptr
));
printk
(
"URGP=%u "
,
ntohs
(
th
->
urg_ptr
));
if
((
logflags
&
IP6T_LOG_TCPOPT
)
if
((
logflags
&
IP6T_LOG_TCPOPT
)
&&
&&
th
->
doff
*
4
>
sizeof
(
struct
tcphdr
))
{
th
->
doff
*
4
>
sizeof
(
struct
tcphdr
))
{
u_int8_t
_opt
[
60
-
sizeof
(
struct
tcphdr
)];
u_int8_t
_opt
[
60
-
sizeof
(
struct
tcphdr
)];
const
u_int8_t
*
op
;
const
u_int8_t
*
op
;
unsigned
int
i
;
unsigned
int
i
;
...
...
net/ipv6/netfilter/ip6t_REJECT.c
View file @
424eff97
...
@@ -223,8 +223,8 @@ static bool reject_tg6_check(const struct xt_tgchk_param *par)
...
@@ -223,8 +223,8 @@ static bool reject_tg6_check(const struct xt_tgchk_param *par)
return
false
;
return
false
;
}
else
if
(
rejinfo
->
with
==
IP6T_TCP_RESET
)
{
}
else
if
(
rejinfo
->
with
==
IP6T_TCP_RESET
)
{
/* Must specify that it's a TCP packet */
/* Must specify that it's a TCP packet */
if
(
e
->
ipv6
.
proto
!=
IPPROTO_TCP
if
(
e
->
ipv6
.
proto
!=
IPPROTO_TCP
||
||
(
e
->
ipv6
.
invflags
&
XT_INV_PROTO
))
{
(
e
->
ipv6
.
invflags
&
XT_INV_PROTO
))
{
printk
(
"ip6t_REJECT: TCP_RESET illegal for non-tcp
\n
"
);
printk
(
"ip6t_REJECT: TCP_RESET illegal for non-tcp
\n
"
);
return
false
;
return
false
;
}
}
...
...
net/ipv6/netfilter/ip6t_ah.c
View file @
424eff97
...
@@ -77,17 +77,14 @@ static bool ah_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
...
@@ -77,17 +77,14 @@ static bool ah_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
ahinfo
->
hdrres
,
ah
->
reserved
,
ahinfo
->
hdrres
,
ah
->
reserved
,
!
(
ahinfo
->
hdrres
&&
ah
->
reserved
));
!
(
ahinfo
->
hdrres
&&
ah
->
reserved
));
return
(
ah
!=
NULL
)
return
(
ah
!=
NULL
)
&&
&&
spi_match
(
ahinfo
->
spis
[
0
],
ahinfo
->
spis
[
1
],
spi_match
(
ahinfo
->
spis
[
0
],
ahinfo
->
spis
[
1
],
ntohl
(
ah
->
spi
),
ntohl
(
ah
->
spi
),
!!
(
ahinfo
->
invflags
&
IP6T_AH_INV_SPI
))
&&
!!
(
ahinfo
->
invflags
&
IP6T_AH_INV_SPI
))
(
!
ahinfo
->
hdrlen
||
&&
(
ahinfo
->
hdrlen
==
hdrlen
)
^
(
!
ahinfo
->
hdrlen
||
!!
(
ahinfo
->
invflags
&
IP6T_AH_INV_LEN
))
&&
(
ahinfo
->
hdrlen
==
hdrlen
)
^
!
(
ahinfo
->
hdrres
&&
ah
->
reserved
);
!!
(
ahinfo
->
invflags
&
IP6T_AH_INV_LEN
))
&&
!
(
ahinfo
->
hdrres
&&
ah
->
reserved
);
}
}
static
bool
ah_mt6_check
(
const
struct
xt_mtchk_param
*
par
)
static
bool
ah_mt6_check
(
const
struct
xt_mtchk_param
*
par
)
...
...
net/ipv6/netfilter/ip6t_frag.c
View file @
424eff97
...
@@ -70,41 +70,36 @@ frag_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
...
@@ -70,41 +70,36 @@ frag_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
pr_debug
(
"res %02X %02X%04X %02X "
,
pr_debug
(
"res %02X %02X%04X %02X "
,
fraginfo
->
flags
&
IP6T_FRAG_RES
,
fh
->
reserved
,
fraginfo
->
flags
&
IP6T_FRAG_RES
,
fh
->
reserved
,
ntohs
(
fh
->
frag_off
)
&
0x6
,
ntohs
(
fh
->
frag_off
)
&
0x6
,
!
((
fraginfo
->
flags
&
IP6T_FRAG_RES
)
!
((
fraginfo
->
flags
&
IP6T_FRAG_RES
)
&&
&&
(
fh
->
reserved
||
(
ntohs
(
fh
->
frag_off
)
&
0x06
))));
(
fh
->
reserved
||
(
ntohs
(
fh
->
frag_off
)
&
0x06
))));
pr_debug
(
"first %02X %02X %02X "
,
pr_debug
(
"first %02X %02X %02X "
,
fraginfo
->
flags
&
IP6T_FRAG_FST
,
fraginfo
->
flags
&
IP6T_FRAG_FST
,
ntohs
(
fh
->
frag_off
)
&
~
0x7
,
ntohs
(
fh
->
frag_off
)
&
~
0x7
,
!
((
fraginfo
->
flags
&
IP6T_FRAG_FST
)
!
((
fraginfo
->
flags
&
IP6T_FRAG_FST
)
&&
&&
(
ntohs
(
fh
->
frag_off
)
&
~
0x7
)));
(
ntohs
(
fh
->
frag_off
)
&
~
0x7
)));
pr_debug
(
"mf %02X %02X %02X "
,
pr_debug
(
"mf %02X %02X %02X "
,
fraginfo
->
flags
&
IP6T_FRAG_MF
,
fraginfo
->
flags
&
IP6T_FRAG_MF
,
ntohs
(
fh
->
frag_off
)
&
IP6_MF
,
ntohs
(
fh
->
frag_off
)
&
IP6_MF
,
!
((
fraginfo
->
flags
&
IP6T_FRAG_MF
)
!
((
fraginfo
->
flags
&
IP6T_FRAG_MF
)
&&
&&
!
((
ntohs
(
fh
->
frag_off
)
&
IP6_MF
))));
!
((
ntohs
(
fh
->
frag_off
)
&
IP6_MF
))));
pr_debug
(
"last %02X %02X %02X
\n
"
,
pr_debug
(
"last %02X %02X %02X
\n
"
,
fraginfo
->
flags
&
IP6T_FRAG_NMF
,
fraginfo
->
flags
&
IP6T_FRAG_NMF
,
ntohs
(
fh
->
frag_off
)
&
IP6_MF
,
ntohs
(
fh
->
frag_off
)
&
IP6_MF
,
!
((
fraginfo
->
flags
&
IP6T_FRAG_NMF
)
!
((
fraginfo
->
flags
&
IP6T_FRAG_NMF
)
&&
&&
(
ntohs
(
fh
->
frag_off
)
&
IP6_MF
)));
(
ntohs
(
fh
->
frag_off
)
&
IP6_MF
)));
return
(
fh
!=
NULL
)
return
(
fh
!=
NULL
)
&&
&&
id_match
(
fraginfo
->
ids
[
0
],
fraginfo
->
ids
[
1
],
id_match
(
fraginfo
->
ids
[
0
],
fraginfo
->
ids
[
1
],
ntohl
(
fh
->
identification
),
ntohl
(
fh
->
identification
),
!!
(
fraginfo
->
invflags
&
IP6T_FRAG_INV_IDS
))
&&
!!
(
fraginfo
->
invflags
&
IP6T_FRAG_INV_IDS
))
!
((
fraginfo
->
flags
&
IP6T_FRAG_RES
)
&&
&&
(
fh
->
reserved
||
(
ntohs
(
fh
->
frag_off
)
&
0x6
)))
&&
!
((
fraginfo
->
flags
&
IP6T_FRAG_RES
)
!
((
fraginfo
->
flags
&
IP6T_FRAG_FST
)
&&
&&
(
fh
->
reserved
||
(
ntohs
(
fh
->
frag_off
)
&
0x6
)))
(
ntohs
(
fh
->
frag_off
)
&
~
0x7
))
&&
&&
!
((
fraginfo
->
flags
&
IP6T_FRAG_MF
)
&&
!
((
fraginfo
->
flags
&
IP6T_FRAG_FST
)
!
(
ntohs
(
fh
->
frag_off
)
&
IP6_MF
))
&&
&&
(
ntohs
(
fh
->
frag_off
)
&
~
0x7
))
!
((
fraginfo
->
flags
&
IP6T_FRAG_NMF
)
&&
&&
(
ntohs
(
fh
->
frag_off
)
&
IP6_MF
));
!
((
fraginfo
->
flags
&
IP6T_FRAG_MF
)
&&
!
(
ntohs
(
fh
->
frag_off
)
&
IP6_MF
))
&&
!
((
fraginfo
->
flags
&
IP6T_FRAG_NMF
)
&&
(
ntohs
(
fh
->
frag_off
)
&
IP6_MF
));
}
}
static
bool
frag_mt6_check
(
const
struct
xt_mtchk_param
*
par
)
static
bool
frag_mt6_check
(
const
struct
xt_mtchk_param
*
par
)
...
...
net/ipv6/netfilter/ip6t_rt.c
View file @
424eff97
...
@@ -92,16 +92,13 @@ static bool rt_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
...
@@ -92,16 +92,13 @@ static bool rt_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
!
((
rtinfo
->
flags
&
IP6T_RT_RES
)
&&
!
((
rtinfo
->
flags
&
IP6T_RT_RES
)
&&
(((
const
struct
rt0_hdr
*
)
rh
)
->
reserved
)));
(((
const
struct
rt0_hdr
*
)
rh
)
->
reserved
)));
ret
=
(
rh
!=
NULL
)
ret
=
(
rh
!=
NULL
)
&&
&&
(
segsleft_match
(
rtinfo
->
segsleft
[
0
],
rtinfo
->
segsleft
[
1
],
(
segsleft_match
(
rtinfo
->
segsleft
[
0
],
rtinfo
->
segsleft
[
1
],
rh
->
segments_left
,
rh
->
segments_left
,
!!
(
rtinfo
->
invflags
&
IP6T_RT_INV_SGS
)))
!!
(
rtinfo
->
invflags
&
IP6T_RT_INV_SGS
)))
&&
&&
(
!
(
rtinfo
->
flags
&
IP6T_RT_LEN
)
||
(
!
(
rtinfo
->
flags
&
IP6T_RT_LEN
)
||
((
rtinfo
->
hdrlen
==
hdrlen
)
^
((
rtinfo
->
hdrlen
==
hdrlen
)
^
!!
(
rtinfo
->
invflags
&
IP6T_RT_INV_LEN
)))
!!
(
rtinfo
->
invflags
&
IP6T_RT_INV_LEN
)))
&&
&&
(
!
(
rtinfo
->
flags
&
IP6T_RT_TYP
)
||
(
!
(
rtinfo
->
flags
&
IP6T_RT_TYP
)
||
((
rtinfo
->
rt_type
==
rh
->
type
)
^
((
rtinfo
->
rt_type
==
rh
->
type
)
^
!!
(
rtinfo
->
invflags
&
IP6T_RT_INV_TYP
)));
!!
(
rtinfo
->
invflags
&
IP6T_RT_INV_TYP
)));
...
...
net/ipv6/netfilter/ip6table_filter.c
View file @
424eff97
...
@@ -79,8 +79,8 @@ ip6t_local_out_hook(unsigned int hook,
...
@@ -79,8 +79,8 @@ ip6t_local_out_hook(unsigned int hook,
{
{
#if 0
#if 0
/* root is playing with raw sockets. */
/* root is playing with raw sockets. */
if (skb->len < sizeof(struct iphdr)
if (skb->len < sizeof(struct iphdr)
||
||
ip_hdrlen(skb) < sizeof(struct iphdr)) {
ip_hdrlen(skb) < sizeof(struct iphdr)) {
if (net_ratelimit())
if (net_ratelimit())
printk("ip6t_hook: happy cracking.\n");
printk("ip6t_hook: happy cracking.\n");
return NF_ACCEPT;
return NF_ACCEPT;
...
...
net/ipv6/netfilter/ip6table_mangle.c
View file @
424eff97
...
@@ -102,8 +102,8 @@ ip6t_local_out_hook(unsigned int hook,
...
@@ -102,8 +102,8 @@ ip6t_local_out_hook(unsigned int hook,
#if 0
#if 0
/* root is playing with raw sockets. */
/* root is playing with raw sockets. */
if (skb->len < sizeof(struct iphdr)
if (skb->len < sizeof(struct iphdr)
||
||
ip_hdrlen(skb) < sizeof(struct iphdr)) {
ip_hdrlen(skb) < sizeof(struct iphdr)) {
if (net_ratelimit())
if (net_ratelimit())
printk("ip6t_hook: happy cracking.\n");
printk("ip6t_hook: happy cracking.\n");
return NF_ACCEPT;
return NF_ACCEPT;
...
@@ -122,11 +122,11 @@ ip6t_local_out_hook(unsigned int hook,
...
@@ -122,11 +122,11 @@ ip6t_local_out_hook(unsigned int hook,
ret
=
ip6t_do_table
(
skb
,
hook
,
in
,
out
,
ret
=
ip6t_do_table
(
skb
,
hook
,
in
,
out
,
dev_net
(
out
)
->
ipv6
.
ip6table_mangle
);
dev_net
(
out
)
->
ipv6
.
ip6table_mangle
);
if
(
ret
!=
NF_DROP
&&
ret
!=
NF_STOLEN
if
(
ret
!=
NF_DROP
&&
ret
!=
NF_STOLEN
&&
&&
(
memcmp
(
&
ipv6_hdr
(
skb
)
->
saddr
,
&
saddr
,
sizeof
(
saddr
))
(
memcmp
(
&
ipv6_hdr
(
skb
)
->
saddr
,
&
saddr
,
sizeof
(
saddr
))
||
||
memcmp
(
&
ipv6_hdr
(
skb
)
->
daddr
,
&
daddr
,
sizeof
(
daddr
))
memcmp
(
&
ipv6_hdr
(
skb
)
->
daddr
,
&
daddr
,
sizeof
(
daddr
))
||
||
skb
->
mark
!=
mark
skb
->
mark
!=
mark
||
||
ipv6_hdr
(
skb
)
->
hop_limit
!=
hop_limit
))
ipv6_hdr
(
skb
)
->
hop_limit
!=
hop_limit
))
return
ip6_route_me_harder
(
skb
)
==
0
?
ret
:
NF_DROP
;
return
ip6_route_me_harder
(
skb
)
==
0
?
ret
:
NF_DROP
;
return
ret
;
return
ret
;
...
...
net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
View file @
424eff97
...
@@ -244,18 +244,18 @@ static const struct nla_policy icmpv6_nla_policy[CTA_PROTO_MAX+1] = {
...
@@ -244,18 +244,18 @@ static const struct nla_policy icmpv6_nla_policy[CTA_PROTO_MAX+1] = {
static
int
icmpv6_nlattr_to_tuple
(
struct
nlattr
*
tb
[],
static
int
icmpv6_nlattr_to_tuple
(
struct
nlattr
*
tb
[],
struct
nf_conntrack_tuple
*
tuple
)
struct
nf_conntrack_tuple
*
tuple
)
{
{
if
(
!
tb
[
CTA_PROTO_ICMPV6_TYPE
]
if
(
!
tb
[
CTA_PROTO_ICMPV6_TYPE
]
||
||
!
tb
[
CTA_PROTO_ICMPV6_CODE
]
!
tb
[
CTA_PROTO_ICMPV6_CODE
]
||
||
!
tb
[
CTA_PROTO_ICMPV6_ID
])
!
tb
[
CTA_PROTO_ICMPV6_ID
])
return
-
EINVAL
;
return
-
EINVAL
;
tuple
->
dst
.
u
.
icmp
.
type
=
nla_get_u8
(
tb
[
CTA_PROTO_ICMPV6_TYPE
]);
tuple
->
dst
.
u
.
icmp
.
type
=
nla_get_u8
(
tb
[
CTA_PROTO_ICMPV6_TYPE
]);
tuple
->
dst
.
u
.
icmp
.
code
=
nla_get_u8
(
tb
[
CTA_PROTO_ICMPV6_CODE
]);
tuple
->
dst
.
u
.
icmp
.
code
=
nla_get_u8
(
tb
[
CTA_PROTO_ICMPV6_CODE
]);
tuple
->
src
.
u
.
icmp
.
id
=
nla_get_be16
(
tb
[
CTA_PROTO_ICMPV6_ID
]);
tuple
->
src
.
u
.
icmp
.
id
=
nla_get_be16
(
tb
[
CTA_PROTO_ICMPV6_ID
]);
if
(
tuple
->
dst
.
u
.
icmp
.
type
<
128
if
(
tuple
->
dst
.
u
.
icmp
.
type
<
128
||
||
tuple
->
dst
.
u
.
icmp
.
type
-
128
>=
sizeof
(
invmap
)
tuple
->
dst
.
u
.
icmp
.
type
-
128
>=
sizeof
(
invmap
)
||
||
!
invmap
[
tuple
->
dst
.
u
.
icmp
.
type
-
128
])
!
invmap
[
tuple
->
dst
.
u
.
icmp
.
type
-
128
])
return
-
EINVAL
;
return
-
EINVAL
;
return
0
;
return
0
;
...
...
net/netfilter/nf_conntrack_core.c
View file @
424eff97
...
@@ -512,11 +512,17 @@ static noinline int early_drop(struct net *net, unsigned int hash)
...
@@ -512,11 +512,17 @@ static noinline int early_drop(struct net *net, unsigned int hash)
cnt
++
;
cnt
++
;
}
}
if
(
ct
&&
unlikely
(
nf_ct_is_dying
(
ct
)
||
if
(
ct
!=
NULL
)
{
!
atomic_inc_not_zero
(
&
ct
->
ct_general
.
use
)))
if
(
likely
(
!
nf_ct_is_dying
(
ct
)
&&
ct
=
NULL
;
atomic_inc_not_zero
(
&
ct
->
ct_general
.
use
)))
if
(
ct
||
cnt
>=
NF_CT_EVICTION_RANGE
)
break
;
else
ct
=
NULL
;
}
if
(
cnt
>=
NF_CT_EVICTION_RANGE
)
break
;
break
;
hash
=
(
hash
+
1
)
%
nf_conntrack_htable_size
;
hash
=
(
hash
+
1
)
%
nf_conntrack_htable_size
;
}
}
rcu_read_unlock
();
rcu_read_unlock
();
...
...
net/netfilter/nf_conntrack_proto_tcp.c
View file @
424eff97
...
@@ -896,23 +896,54 @@ static int tcp_packet(struct nf_conn *ct,
...
@@ -896,23 +896,54 @@ static int tcp_packet(struct nf_conn *ct,
/* b) This SYN/ACK acknowledges a SYN that we earlier
/* b) This SYN/ACK acknowledges a SYN that we earlier
* ignored as invalid. This means that the client and
* ignored as invalid. This means that the client and
* the server are both in sync, while the firewall is
* the server are both in sync, while the firewall is
* not. We kill this session and block the SYN/ACK so
* not. We get in sync from the previously annotated
* that the client cannot but retransmit its SYN and
* values.
* thus initiate a clean new session.
*/
*/
spin_unlock_bh
(
&
ct
->
lock
);
old_state
=
TCP_CONNTRACK_SYN_SENT
;
if
(
LOG_INVALID
(
net
,
IPPROTO_TCP
))
new_state
=
TCP_CONNTRACK_SYN_RECV
;
nf_log_packet
(
pf
,
0
,
skb
,
NULL
,
NULL
,
NULL
,
ct
->
proto
.
tcp
.
seen
[
ct
->
proto
.
tcp
.
last_dir
].
td_end
=
"nf_ct_tcp: killing out of sync session "
);
ct
->
proto
.
tcp
.
last_end
;
nf_ct_kill
(
ct
);
ct
->
proto
.
tcp
.
seen
[
ct
->
proto
.
tcp
.
last_dir
].
td_maxend
=
return
NF_DROP
;
ct
->
proto
.
tcp
.
last_end
;
ct
->
proto
.
tcp
.
seen
[
ct
->
proto
.
tcp
.
last_dir
].
td_maxwin
=
ct
->
proto
.
tcp
.
last_win
==
0
?
1
:
ct
->
proto
.
tcp
.
last_win
;
ct
->
proto
.
tcp
.
seen
[
ct
->
proto
.
tcp
.
last_dir
].
td_scale
=
ct
->
proto
.
tcp
.
last_wscale
;
ct
->
proto
.
tcp
.
seen
[
ct
->
proto
.
tcp
.
last_dir
].
flags
=
ct
->
proto
.
tcp
.
last_flags
;
memset
(
&
ct
->
proto
.
tcp
.
seen
[
dir
],
0
,
sizeof
(
struct
ip_ct_tcp_state
));
break
;
}
}
ct
->
proto
.
tcp
.
last_index
=
index
;
ct
->
proto
.
tcp
.
last_index
=
index
;
ct
->
proto
.
tcp
.
last_dir
=
dir
;
ct
->
proto
.
tcp
.
last_dir
=
dir
;
ct
->
proto
.
tcp
.
last_seq
=
ntohl
(
th
->
seq
);
ct
->
proto
.
tcp
.
last_seq
=
ntohl
(
th
->
seq
);
ct
->
proto
.
tcp
.
last_end
=
ct
->
proto
.
tcp
.
last_end
=
segment_seq_plus_len
(
ntohl
(
th
->
seq
),
skb
->
len
,
dataoff
,
th
);
segment_seq_plus_len
(
ntohl
(
th
->
seq
),
skb
->
len
,
dataoff
,
th
);
ct
->
proto
.
tcp
.
last_win
=
ntohs
(
th
->
window
);
/* a) This is a SYN in ORIGINAL. The client and the server
* may be in sync but we are not. In that case, we annotate
* the TCP options and let the packet go through. If it is a
* valid SYN packet, the server will reply with a SYN/ACK, and
* then we'll get in sync. Otherwise, the server ignores it. */
if
(
index
==
TCP_SYN_SET
&&
dir
==
IP_CT_DIR_ORIGINAL
)
{
struct
ip_ct_tcp_state
seen
=
{};
ct
->
proto
.
tcp
.
last_flags
=
ct
->
proto
.
tcp
.
last_wscale
=
0
;
tcp_options
(
skb
,
dataoff
,
th
,
&
seen
);
if
(
seen
.
flags
&
IP_CT_TCP_FLAG_WINDOW_SCALE
)
{
ct
->
proto
.
tcp
.
last_flags
|=
IP_CT_TCP_FLAG_WINDOW_SCALE
;
ct
->
proto
.
tcp
.
last_wscale
=
seen
.
td_scale
;
}
if
(
seen
.
flags
&
IP_CT_TCP_FLAG_SACK_PERM
)
{
ct
->
proto
.
tcp
.
last_flags
|=
IP_CT_TCP_FLAG_SACK_PERM
;
}
}
spin_unlock_bh
(
&
ct
->
lock
);
spin_unlock_bh
(
&
ct
->
lock
);
if
(
LOG_INVALID
(
net
,
IPPROTO_TCP
))
if
(
LOG_INVALID
(
net
,
IPPROTO_TCP
))
nf_log_packet
(
pf
,
0
,
skb
,
NULL
,
NULL
,
NULL
,
nf_log_packet
(
pf
,
0
,
skb
,
NULL
,
NULL
,
NULL
,
...
...
net/netfilter/nfnetlink_log.c
View file @
424eff97
...
@@ -666,8 +666,7 @@ nfulnl_rcv_nl_event(struct notifier_block *this,
...
@@ -666,8 +666,7 @@ nfulnl_rcv_nl_event(struct notifier_block *this,
{
{
struct
netlink_notify
*
n
=
ptr
;
struct
netlink_notify
*
n
=
ptr
;
if
(
event
==
NETLINK_URELEASE
&&
if
(
event
==
NETLINK_URELEASE
&&
n
->
protocol
==
NETLINK_NETFILTER
)
{
n
->
protocol
==
NETLINK_NETFILTER
&&
n
->
pid
)
{
int
i
;
int
i
;
/* destroy all instances for this pid */
/* destroy all instances for this pid */
...
...
net/netfilter/nfnetlink_queue.c
View file @
424eff97
...
@@ -574,8 +574,7 @@ nfqnl_rcv_nl_event(struct notifier_block *this,
...
@@ -574,8 +574,7 @@ nfqnl_rcv_nl_event(struct notifier_block *this,
{
{
struct
netlink_notify
*
n
=
ptr
;
struct
netlink_notify
*
n
=
ptr
;
if
(
event
==
NETLINK_URELEASE
&&
if
(
event
==
NETLINK_URELEASE
&&
n
->
protocol
==
NETLINK_NETFILTER
)
{
n
->
protocol
==
NETLINK_NETFILTER
&&
n
->
pid
)
{
int
i
;
int
i
;
/* destroy all instances for this pid */
/* destroy all instances for this pid */
...
...
net/netfilter/xt_conntrack.c
View file @
424eff97
...
@@ -113,7 +113,8 @@ ct_proto_port_check(const struct xt_conntrack_mtinfo2 *info,
...
@@ -113,7 +113,8 @@ ct_proto_port_check(const struct xt_conntrack_mtinfo2 *info,
}
}
static
bool
static
bool
conntrack_mt
(
const
struct
sk_buff
*
skb
,
const
struct
xt_match_param
*
par
)
conntrack_mt
(
const
struct
sk_buff
*
skb
,
const
struct
xt_match_param
*
par
,
u16
state_mask
,
u16
status_mask
)
{
{
const
struct
xt_conntrack_mtinfo2
*
info
=
par
->
matchinfo
;
const
struct
xt_conntrack_mtinfo2
*
info
=
par
->
matchinfo
;
enum
ip_conntrack_info
ctinfo
;
enum
ip_conntrack_info
ctinfo
;
...
@@ -136,7 +137,7 @@ conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par)
...
@@ -136,7 +137,7 @@ conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par)
if
(
test_bit
(
IPS_DST_NAT_BIT
,
&
ct
->
status
))
if
(
test_bit
(
IPS_DST_NAT_BIT
,
&
ct
->
status
))
statebit
|=
XT_CONNTRACK_STATE_DNAT
;
statebit
|=
XT_CONNTRACK_STATE_DNAT
;
}
}
if
(
!!
(
info
->
state_mask
&
statebit
)
^
if
(
!!
(
state_mask
&
statebit
)
^
!
(
info
->
invert_flags
&
XT_CONNTRACK_STATE
))
!
(
info
->
invert_flags
&
XT_CONNTRACK_STATE
))
return
false
;
return
false
;
}
}
...
@@ -172,7 +173,7 @@ conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par)
...
@@ -172,7 +173,7 @@ conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return
false
;
return
false
;
if
((
info
->
match_flags
&
XT_CONNTRACK_STATUS
)
&&
if
((
info
->
match_flags
&
XT_CONNTRACK_STATUS
)
&&
(
!!
(
info
->
status_mask
&
ct
->
status
)
^
(
!!
(
status_mask
&
ct
->
status
)
^
!
(
info
->
invert_flags
&
XT_CONNTRACK_STATUS
)))
!
(
info
->
invert_flags
&
XT_CONNTRACK_STATUS
)))
return
false
;
return
false
;
...
@@ -192,11 +193,17 @@ conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par)
...
@@ -192,11 +193,17 @@ conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par)
static
bool
static
bool
conntrack_mt_v1
(
const
struct
sk_buff
*
skb
,
const
struct
xt_match_param
*
par
)
conntrack_mt_v1
(
const
struct
sk_buff
*
skb
,
const
struct
xt_match_param
*
par
)
{
{
const
struct
xt_conntrack_mtinfo2
*
const
*
info
=
par
->
matchinfo
;
const
struct
xt_conntrack_mtinfo1
*
info
=
par
->
matchinfo
;
struct
xt_match_param
newpar
=
*
par
;
newpar
.
matchinfo
=
*
info
;
return
conntrack_mt
(
skb
,
par
,
info
->
state_mask
,
info
->
status_mask
);
return
conntrack_mt
(
skb
,
&
newpar
);
}
static
bool
conntrack_mt_v2
(
const
struct
sk_buff
*
skb
,
const
struct
xt_match_param
*
par
)
{
const
struct
xt_conntrack_mtinfo2
*
info
=
par
->
matchinfo
;
return
conntrack_mt
(
skb
,
par
,
info
->
state_mask
,
info
->
status_mask
);
}
}
static
bool
conntrack_mt_check
(
const
struct
xt_mtchk_param
*
par
)
static
bool
conntrack_mt_check
(
const
struct
xt_mtchk_param
*
par
)
...
@@ -209,45 +216,11 @@ static bool conntrack_mt_check(const struct xt_mtchk_param *par)
...
@@ -209,45 +216,11 @@ static bool conntrack_mt_check(const struct xt_mtchk_param *par)
return
true
;
return
true
;
}
}
static
bool
conntrack_mt_check_v1
(
const
struct
xt_mtchk_param
*
par
)
{
struct
xt_conntrack_mtinfo1
*
info
=
par
->
matchinfo
;
struct
xt_conntrack_mtinfo2
*
up
;
int
ret
=
conntrack_mt_check
(
par
);
if
(
ret
<
0
)
return
ret
;
up
=
kmalloc
(
sizeof
(
*
up
),
GFP_KERNEL
);
if
(
up
==
NULL
)
{
nf_ct_l3proto_module_put
(
par
->
family
);
return
-
ENOMEM
;
}
/*
* The strategy here is to minimize the overhead of v1 matching,
* by prebuilding a v2 struct and putting the pointer into the
* v1 dataspace.
*/
memcpy
(
up
,
info
,
offsetof
(
typeof
(
*
info
),
state_mask
));
up
->
state_mask
=
info
->
state_mask
;
up
->
status_mask
=
info
->
status_mask
;
*
(
void
**
)
info
=
up
;
return
true
;
}
static
void
conntrack_mt_destroy
(
const
struct
xt_mtdtor_param
*
par
)
static
void
conntrack_mt_destroy
(
const
struct
xt_mtdtor_param
*
par
)
{
{
nf_ct_l3proto_module_put
(
par
->
family
);
nf_ct_l3proto_module_put
(
par
->
family
);
}
}
static
void
conntrack_mt_destroy_v1
(
const
struct
xt_mtdtor_param
*
par
)
{
struct
xt_conntrack_mtinfo2
**
info
=
par
->
matchinfo
;
kfree
(
*
info
);
conntrack_mt_destroy
(
par
);
}
static
struct
xt_match
conntrack_mt_reg
[]
__read_mostly
=
{
static
struct
xt_match
conntrack_mt_reg
[]
__read_mostly
=
{
{
{
.
name
=
"conntrack"
,
.
name
=
"conntrack"
,
...
@@ -255,8 +228,8 @@ static struct xt_match conntrack_mt_reg[] __read_mostly = {
...
@@ -255,8 +228,8 @@ static struct xt_match conntrack_mt_reg[] __read_mostly = {
.
family
=
NFPROTO_UNSPEC
,
.
family
=
NFPROTO_UNSPEC
,
.
matchsize
=
sizeof
(
struct
xt_conntrack_mtinfo1
),
.
matchsize
=
sizeof
(
struct
xt_conntrack_mtinfo1
),
.
match
=
conntrack_mt_v1
,
.
match
=
conntrack_mt_v1
,
.
checkentry
=
conntrack_mt_check
_v1
,
.
checkentry
=
conntrack_mt_check
,
.
destroy
=
conntrack_mt_destroy
_v1
,
.
destroy
=
conntrack_mt_destroy
,
.
me
=
THIS_MODULE
,
.
me
=
THIS_MODULE
,
},
},
{
{
...
@@ -264,7 +237,7 @@ static struct xt_match conntrack_mt_reg[] __read_mostly = {
...
@@ -264,7 +237,7 @@ static struct xt_match conntrack_mt_reg[] __read_mostly = {
.
revision
=
2
,
.
revision
=
2
,
.
family
=
NFPROTO_UNSPEC
,
.
family
=
NFPROTO_UNSPEC
,
.
matchsize
=
sizeof
(
struct
xt_conntrack_mtinfo2
),
.
matchsize
=
sizeof
(
struct
xt_conntrack_mtinfo2
),
.
match
=
conntrack_mt
,
.
match
=
conntrack_mt
_v2
,
.
checkentry
=
conntrack_mt_check
,
.
checkentry
=
conntrack_mt_check
,
.
destroy
=
conntrack_mt_destroy
,
.
destroy
=
conntrack_mt_destroy
,
.
me
=
THIS_MODULE
,
.
me
=
THIS_MODULE
,
...
...
net/netfilter/xt_socket.c
View file @
424eff97
...
@@ -192,7 +192,8 @@ static struct xt_match socket_mt_reg[] __read_mostly = {
...
@@ -192,7 +192,8 @@ static struct xt_match socket_mt_reg[] __read_mostly = {
.
revision
=
0
,
.
revision
=
0
,
.
family
=
NFPROTO_IPV4
,
.
family
=
NFPROTO_IPV4
,
.
match
=
socket_mt_v0
,
.
match
=
socket_mt_v0
,
.
hooks
=
1
<<
NF_INET_PRE_ROUTING
,
.
hooks
=
(
1
<<
NF_INET_PRE_ROUTING
)
|
(
1
<<
NF_INET_LOCAL_IN
),
.
me
=
THIS_MODULE
,
.
me
=
THIS_MODULE
,
},
},
{
{
...
@@ -201,7 +202,8 @@ static struct xt_match socket_mt_reg[] __read_mostly = {
...
@@ -201,7 +202,8 @@ static struct xt_match socket_mt_reg[] __read_mostly = {
.
family
=
NFPROTO_IPV4
,
.
family
=
NFPROTO_IPV4
,
.
match
=
socket_mt_v1
,
.
match
=
socket_mt_v1
,
.
matchsize
=
sizeof
(
struct
xt_socket_mtinfo1
),
.
matchsize
=
sizeof
(
struct
xt_socket_mtinfo1
),
.
hooks
=
1
<<
NF_INET_PRE_ROUTING
,
.
hooks
=
(
1
<<
NF_INET_PRE_ROUTING
)
|
(
1
<<
NF_INET_LOCAL_IN
),
.
me
=
THIS_MODULE
,
.
me
=
THIS_MODULE
,
},
},
};
};
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment