Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
L
linux
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Kirill Smelkov
linux
Commits
4a2258dd
Commit
4a2258dd
authored
Feb 23, 2012
by
David S. Miller
Browse files
Options
Browse Files
Download
Plain Diff
Merge branch 'nf' of
git://1984.lsi.us.es/net
parents
ee932bf9
af14cca1
Changes
4
Hide whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
51 additions
and
38 deletions
+51
-38
include/linux/netfilter_bridge/ebtables.h
include/linux/netfilter_bridge/ebtables.h
+2
-2
net/netfilter/ipvs/ip_vs_core.c
net/netfilter/ipvs/ip_vs_core.c
+1
-1
net/netfilter/nf_conntrack_netlink.c
net/netfilter/nf_conntrack_netlink.c
+16
-27
net/netfilter/nf_queue.c
net/netfilter/nf_queue.c
+32
-8
No files found.
include/linux/netfilter_bridge/ebtables.h
View file @
4a2258dd
...
@@ -285,8 +285,8 @@ struct ebt_table {
...
@@ -285,8 +285,8 @@ struct ebt_table {
struct
module
*
me
;
struct
module
*
me
;
};
};
#define EBT_ALIGN(s) (((s) + (__alignof__(struct
ebt_replace
)-1)) & \
#define EBT_ALIGN(s) (((s) + (__alignof__(struct
_xt_align
)-1)) & \
~(__alignof__(struct
ebt_replace
)-1))
~(__alignof__(struct
_xt_align
)-1))
extern
struct
ebt_table
*
ebt_register_table
(
struct
net
*
net
,
extern
struct
ebt_table
*
ebt_register_table
(
struct
net
*
net
,
const
struct
ebt_table
*
table
);
const
struct
ebt_table
*
table
);
extern
void
ebt_unregister_table
(
struct
net
*
net
,
struct
ebt_table
*
table
);
extern
void
ebt_unregister_table
(
struct
net
*
net
,
struct
ebt_table
*
table
);
...
...
net/netfilter/ipvs/ip_vs_core.c
View file @
4a2258dd
...
@@ -232,6 +232,7 @@ ip_vs_sched_persist(struct ip_vs_service *svc,
...
@@ -232,6 +232,7 @@ ip_vs_sched_persist(struct ip_vs_service *svc,
__be16
dport
=
0
;
/* destination port to forward */
__be16
dport
=
0
;
/* destination port to forward */
unsigned
int
flags
;
unsigned
int
flags
;
struct
ip_vs_conn_param
param
;
struct
ip_vs_conn_param
param
;
const
union
nf_inet_addr
fwmark
=
{
.
ip
=
htonl
(
svc
->
fwmark
)
};
union
nf_inet_addr
snet
;
/* source network of the client,
union
nf_inet_addr
snet
;
/* source network of the client,
after masking */
after masking */
...
@@ -267,7 +268,6 @@ ip_vs_sched_persist(struct ip_vs_service *svc,
...
@@ -267,7 +268,6 @@ ip_vs_sched_persist(struct ip_vs_service *svc,
{
{
int
protocol
=
iph
.
protocol
;
int
protocol
=
iph
.
protocol
;
const
union
nf_inet_addr
*
vaddr
=
&
iph
.
daddr
;
const
union
nf_inet_addr
*
vaddr
=
&
iph
.
daddr
;
const
union
nf_inet_addr
fwmark
=
{
.
ip
=
htonl
(
svc
->
fwmark
)
};
__be16
vport
=
0
;
__be16
vport
=
0
;
if
(
dst_port
==
svc
->
port
)
{
if
(
dst_port
==
svc
->
port
)
{
...
...
net/netfilter/nf_conntrack_netlink.c
View file @
4a2258dd
...
@@ -1367,15 +1367,12 @@ ctnetlink_create_conntrack(struct net *net, u16 zone,
...
@@ -1367,15 +1367,12 @@ ctnetlink_create_conntrack(struct net *net, u16 zone,
nf_ct_protonum
(
ct
));
nf_ct_protonum
(
ct
));
if
(
helper
==
NULL
)
{
if
(
helper
==
NULL
)
{
rcu_read_unlock
();
rcu_read_unlock
();
spin_unlock_bh
(
&
nf_conntrack_lock
);
#ifdef CONFIG_MODULES
#ifdef CONFIG_MODULES
if
(
request_module
(
"nfct-helper-%s"
,
helpname
)
<
0
)
{
if
(
request_module
(
"nfct-helper-%s"
,
helpname
)
<
0
)
{
spin_lock_bh
(
&
nf_conntrack_lock
);
err
=
-
EOPNOTSUPP
;
err
=
-
EOPNOTSUPP
;
goto
err1
;
goto
err1
;
}
}
spin_lock_bh
(
&
nf_conntrack_lock
);
rcu_read_lock
();
rcu_read_lock
();
helper
=
__nf_conntrack_helper_find
(
helpname
,
helper
=
__nf_conntrack_helper_find
(
helpname
,
nf_ct_l3num
(
ct
),
nf_ct_l3num
(
ct
),
...
@@ -1469,7 +1466,10 @@ ctnetlink_create_conntrack(struct net *net, u16 zone,
...
@@ -1469,7 +1466,10 @@ ctnetlink_create_conntrack(struct net *net, u16 zone,
tstamp
->
start
=
ktime_to_ns
(
ktime_get_real
());
tstamp
->
start
=
ktime_to_ns
(
ktime_get_real
());
add_timer
(
&
ct
->
timeout
);
add_timer
(
&
ct
->
timeout
);
spin_lock_bh
(
&
nf_conntrack_lock
);
nf_conntrack_hash_insert
(
ct
);
nf_conntrack_hash_insert
(
ct
);
nf_conntrack_get
(
&
ct
->
ct_general
);
spin_unlock_bh
(
&
nf_conntrack_lock
);
rcu_read_unlock
();
rcu_read_unlock
();
return
ct
;
return
ct
;
...
@@ -1490,6 +1490,7 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
...
@@ -1490,6 +1490,7 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
struct
nf_conntrack_tuple
otuple
,
rtuple
;
struct
nf_conntrack_tuple
otuple
,
rtuple
;
struct
nf_conntrack_tuple_hash
*
h
=
NULL
;
struct
nf_conntrack_tuple_hash
*
h
=
NULL
;
struct
nfgenmsg
*
nfmsg
=
nlmsg_data
(
nlh
);
struct
nfgenmsg
*
nfmsg
=
nlmsg_data
(
nlh
);
struct
nf_conn
*
ct
;
u_int8_t
u3
=
nfmsg
->
nfgen_family
;
u_int8_t
u3
=
nfmsg
->
nfgen_family
;
u16
zone
;
u16
zone
;
int
err
;
int
err
;
...
@@ -1512,25 +1513,22 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
...
@@ -1512,25 +1513,22 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
spin_lock_bh
(
&
nf_conntrack_lock
);
spin_lock_bh
(
&
nf_conntrack_lock
);
if
(
cda
[
CTA_TUPLE_ORIG
])
if
(
cda
[
CTA_TUPLE_ORIG
])
h
=
__nf_conntrack_find
(
net
,
zone
,
&
otuple
);
h
=
nf_conntrack_find_get
(
net
,
zone
,
&
otuple
);
else
if
(
cda
[
CTA_TUPLE_REPLY
])
else
if
(
cda
[
CTA_TUPLE_REPLY
])
h
=
__nf_conntrack_find
(
net
,
zone
,
&
rtuple
);
h
=
nf_conntrack_find_get
(
net
,
zone
,
&
rtuple
);
spin_unlock_bh
(
&
nf_conntrack_lock
);
if
(
h
==
NULL
)
{
if
(
h
==
NULL
)
{
err
=
-
ENOENT
;
err
=
-
ENOENT
;
if
(
nlh
->
nlmsg_flags
&
NLM_F_CREATE
)
{
if
(
nlh
->
nlmsg_flags
&
NLM_F_CREATE
)
{
struct
nf_conn
*
ct
;
enum
ip_conntrack_events
events
;
enum
ip_conntrack_events
events
;
ct
=
ctnetlink_create_conntrack
(
net
,
zone
,
cda
,
&
otuple
,
ct
=
ctnetlink_create_conntrack
(
net
,
zone
,
cda
,
&
otuple
,
&
rtuple
,
u3
);
&
rtuple
,
u3
);
if
(
IS_ERR
(
ct
))
{
if
(
IS_ERR
(
ct
))
err
=
PTR_ERR
(
ct
);
return
PTR_ERR
(
ct
);
goto
out_unlock
;
}
err
=
0
;
err
=
0
;
nf_conntrack_get
(
&
ct
->
ct_general
);
spin_unlock_bh
(
&
nf_conntrack_lock
);
if
(
test_bit
(
IPS_EXPECTED_BIT
,
&
ct
->
status
))
if
(
test_bit
(
IPS_EXPECTED_BIT
,
&
ct
->
status
))
events
=
IPCT_RELATED
;
events
=
IPCT_RELATED
;
else
else
...
@@ -1545,23 +1543,19 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
...
@@ -1545,23 +1543,19 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
ct
,
NETLINK_CB
(
skb
).
pid
,
ct
,
NETLINK_CB
(
skb
).
pid
,
nlmsg_report
(
nlh
));
nlmsg_report
(
nlh
));
nf_ct_put
(
ct
);
nf_ct_put
(
ct
);
}
else
}
spin_unlock_bh
(
&
nf_conntrack_lock
);
return
err
;
return
err
;
}
}
/* implicit 'else' */
/* implicit 'else' */
/* We manipulate the conntrack inside the global conntrack table lock,
* so there's no need to increase the refcount */
err
=
-
EEXIST
;
err
=
-
EEXIST
;
ct
=
nf_ct_tuplehash_to_ctrack
(
h
);
if
(
!
(
nlh
->
nlmsg_flags
&
NLM_F_EXCL
))
{
if
(
!
(
nlh
->
nlmsg_flags
&
NLM_F_EXCL
))
{
struct
nf_conn
*
ct
=
nf_ct_tuplehash_to_ctrack
(
h
);
spin_lock_bh
(
&
nf_conntrack_lock
);
err
=
ctnetlink_change_conntrack
(
ct
,
cda
);
err
=
ctnetlink_change_conntrack
(
ct
,
cda
);
spin_unlock_bh
(
&
nf_conntrack_lock
);
if
(
err
==
0
)
{
if
(
err
==
0
)
{
nf_conntrack_get
(
&
ct
->
ct_general
);
spin_unlock_bh
(
&
nf_conntrack_lock
);
nf_conntrack_eventmask_report
((
1
<<
IPCT_REPLY
)
|
nf_conntrack_eventmask_report
((
1
<<
IPCT_REPLY
)
|
(
1
<<
IPCT_ASSURED
)
|
(
1
<<
IPCT_ASSURED
)
|
(
1
<<
IPCT_HELPER
)
|
(
1
<<
IPCT_HELPER
)
|
...
@@ -1570,15 +1564,10 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
...
@@ -1570,15 +1564,10 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
(
1
<<
IPCT_MARK
),
(
1
<<
IPCT_MARK
),
ct
,
NETLINK_CB
(
skb
).
pid
,
ct
,
NETLINK_CB
(
skb
).
pid
,
nlmsg_report
(
nlh
));
nlmsg_report
(
nlh
));
nf_ct_put
(
ct
);
}
}
else
spin_unlock_bh
(
&
nf_conntrack_lock
);
return
err
;
}
}
out_unlock:
nf_ct_put
(
ct
);
spin_unlock_bh
(
&
nf_conntrack_lock
);
return
err
;
return
err
;
}
}
...
...
net/netfilter/nf_queue.c
View file @
4a2258dd
...
@@ -203,6 +203,27 @@ static int __nf_queue(struct sk_buff *skb,
...
@@ -203,6 +203,27 @@ static int __nf_queue(struct sk_buff *skb,
return
status
;
return
status
;
}
}
#ifdef CONFIG_BRIDGE_NETFILTER
/* When called from bridge netfilter, skb->data must point to MAC header
* before calling skb_gso_segment(). Else, original MAC header is lost
* and segmented skbs will be sent to wrong destination.
*/
static
void
nf_bridge_adjust_skb_data
(
struct
sk_buff
*
skb
)
{
if
(
skb
->
nf_bridge
)
__skb_push
(
skb
,
skb
->
network_header
-
skb
->
mac_header
);
}
static
void
nf_bridge_adjust_segmented_data
(
struct
sk_buff
*
skb
)
{
if
(
skb
->
nf_bridge
)
__skb_pull
(
skb
,
skb
->
network_header
-
skb
->
mac_header
);
}
#else
#define nf_bridge_adjust_skb_data(s) do {} while (0)
#define nf_bridge_adjust_segmented_data(s) do {} while (0)
#endif
int
nf_queue
(
struct
sk_buff
*
skb
,
int
nf_queue
(
struct
sk_buff
*
skb
,
struct
list_head
*
elem
,
struct
list_head
*
elem
,
u_int8_t
pf
,
unsigned
int
hook
,
u_int8_t
pf
,
unsigned
int
hook
,
...
@@ -212,7 +233,7 @@ int nf_queue(struct sk_buff *skb,
...
@@ -212,7 +233,7 @@ int nf_queue(struct sk_buff *skb,
unsigned
int
queuenum
)
unsigned
int
queuenum
)
{
{
struct
sk_buff
*
segs
;
struct
sk_buff
*
segs
;
int
err
;
int
err
=
-
EINVAL
;
unsigned
int
queued
;
unsigned
int
queued
;
if
(
!
skb_is_gso
(
skb
))
if
(
!
skb_is_gso
(
skb
))
...
@@ -228,23 +249,25 @@ int nf_queue(struct sk_buff *skb,
...
@@ -228,23 +249,25 @@ int nf_queue(struct sk_buff *skb,
break
;
break
;
}
}
nf_bridge_adjust_skb_data
(
skb
);
segs
=
skb_gso_segment
(
skb
,
0
);
segs
=
skb_gso_segment
(
skb
,
0
);
/* Does not use PTR_ERR to limit the number of error codes that can be
/* Does not use PTR_ERR to limit the number of error codes that can be
* returned by nf_queue. For instance, callers rely on -ECANCELED to mean
* returned by nf_queue. For instance, callers rely on -ECANCELED to mean
* 'ignore this hook'.
* 'ignore this hook'.
*/
*/
if
(
IS_ERR
(
segs
))
if
(
IS_ERR
(
segs
))
return
-
EINVAL
;
goto
out_err
;
queued
=
0
;
queued
=
0
;
err
=
0
;
err
=
0
;
do
{
do
{
struct
sk_buff
*
nskb
=
segs
->
next
;
struct
sk_buff
*
nskb
=
segs
->
next
;
segs
->
next
=
NULL
;
segs
->
next
=
NULL
;
if
(
err
==
0
)
if
(
err
==
0
)
{
nf_bridge_adjust_segmented_data
(
segs
);
err
=
__nf_queue
(
segs
,
elem
,
pf
,
hook
,
indev
,
err
=
__nf_queue
(
segs
,
elem
,
pf
,
hook
,
indev
,
outdev
,
okfn
,
queuenum
);
outdev
,
okfn
,
queuenum
);
}
if
(
err
==
0
)
if
(
err
==
0
)
queued
++
;
queued
++
;
else
else
...
@@ -252,11 +275,12 @@ int nf_queue(struct sk_buff *skb,
...
@@ -252,11 +275,12 @@ int nf_queue(struct sk_buff *skb,
segs
=
nskb
;
segs
=
nskb
;
}
while
(
segs
);
}
while
(
segs
);
/* also free orig skb if only some segments were queued */
if
(
queued
)
{
if
(
unlikely
(
err
&&
queued
))
err
=
0
;
if
(
err
==
0
)
kfree_skb
(
skb
);
kfree_skb
(
skb
);
return
0
;
}
out_err:
nf_bridge_adjust_segmented_data
(
skb
);
return
err
;
return
err
;
}
}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment