Commit
54831a83
authored
Feb 24, 2010
by
David S. Miller
Merge branch 'master' of
git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6
parents
fb977e2c
0f234214
Showing
10 changed files
with
597 additions
and
656 deletions
+597
-656
include/linux/netfilter/x_tables.h
include/linux/netfilter/x_tables.h
+17
-0
include/linux/netfilter_arp/arp_tables.h
include/linux/netfilter_arp/arp_tables.h
+2
-8
include/linux/netfilter_ipv4/ip_tables.h
include/linux/netfilter_ipv4/ip_tables.h
+2
-13
include/linux/netfilter_ipv6/ip6_tables.h
include/linux/netfilter_ipv6/ip6_tables.h
+2
-12
net/ipv4/netfilter/arp_tables.c
net/ipv4/netfilter/arp_tables.c
+135
-166
net/ipv4/netfilter/ip_tables.c
net/ipv4/netfilter/ip_tables.c
+214
-222
net/ipv6/netfilter/ip6_tables.c
net/ipv6/netfilter/ip6_tables.c
+214
-222
net/ipv6/netfilter/nf_conntrack_reasm.c
net/ipv6/netfilter/nf_conntrack_reasm.c
+1
-7
net/netfilter/xt_TCPMSS.c
net/netfilter/xt_TCPMSS.c
+8
-4
net/netfilter/xt_recent.c
net/netfilter/xt_recent.c
+2
-2
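--- a/include/linux/netfilter/x_tables.h
+++ b/include/linux/netfilter/x_tables.h
@@ -120,6 +120,7 @@ struct xt_counters_info {
 #define XT_INV_PROTO 0x40 /* Invert the sense of PROTO. */
+#ifndef __KERNEL__
 /* fn returns 0 to continue iteration */
 #define XT_MATCH_ITERATE(type, e, fn, args...) \
 ({ \
@@ -163,6 +164,22 @@ struct xt_counters_info {
 #define XT_ENTRY_ITERATE(type, entries, size, fn, args...) \
 XT_ENTRY_ITERATE_CONTINUE(type, entries, size, 0, fn, args)
+#endif /* !__KERNEL__ */
+/* pos is normally a struct ipt_entry/ip6t_entry/etc. */
+#define xt_entry_foreach(pos, ehead, esize) \
+for ((pos) = (typeof(pos))(ehead); \
+(pos) < (typeof(pos))((char *)(ehead) + (esize)); \
+(pos) = (typeof(pos))((char *)(pos) + (pos)->next_offset))
+/* can only be xt_entry_match, so no use of typeof here */
+#define xt_ematch_foreach(pos, entry) \
+for ((pos) = (struct xt_entry_match *)entry->elems; \
+(pos) < (struct xt_entry_match *)((char *)(entry) + \
+(entry)->target_offset); \
+(pos) = (struct xt_entry_match *)((char *)(pos) + \
+(pos)->u.match_size))
 #ifdef __KERNEL__
 #include <linux/netdevice.h>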
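Review bot: `xt_entry_foreach` and `xt_ematch_foreach` advance by `(pos)->next_offset` and `(pos)->u.match_size`, values read from the entry being walked, and the macros place no bound on them: a zero value would keep the loop on the same entry, and the end test only compares the start of `pos`, not whether a full entry header fits before the end. The comments above the macros should state that precondition, for example `/* entries must already be size-checked: next_offset/match_size nonzero and within the blob */`; whether every caller validates the table first is not visible in this section. In `xt_ematch_foreach` the first use of the argument is written `entry->elems` while the later ones are `(entry)->target_offset`; it should read `(entry)->elems` so the macro stays correct with a non-trivial argument expression.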
include/linux/netfilter_arp/arp_tables.h
...
@@ -211,9 +211,11 @@ static __inline__ struct arpt_entry_target *arpt_get_target(struct arpt_entry *e
...
@@ -211,9 +211,11 @@ static __inline__ struct arpt_entry_target *arpt_get_target(struct arpt_entry *e
return
(
void
*
)
e
+
e
->
target_offset
;
return
(
void
*
)
e
+
e
->
target_offset
;
}
}
#ifndef __KERNEL__
/* fn returns 0 to continue iteration */
/* fn returns 0 to continue iteration */
#define ARPT_ENTRY_ITERATE(entries, size, fn, args...) \
#define ARPT_ENTRY_ITERATE(entries, size, fn, args...) \
XT_ENTRY_ITERATE(struct arpt_entry, entries, size, fn, ## args)
XT_ENTRY_ITERATE(struct arpt_entry, entries, size, fn, ## args)
#endif
/*
/*
* Main firewall chains definitions and global var's definitions.
* Main firewall chains definitions and global var's definitions.
...
@@ -291,14 +293,6 @@ compat_arpt_get_target(struct compat_arpt_entry *e)
...
@@ -291,14 +293,6 @@ compat_arpt_get_target(struct compat_arpt_entry *e)
#define COMPAT_ARPT_ALIGN(s) COMPAT_XT_ALIGN(s)
#define COMPAT_ARPT_ALIGN(s) COMPAT_XT_ALIGN(s)
/* fn returns 0 to continue iteration */
#define COMPAT_ARPT_ENTRY_ITERATE(entries, size, fn, args...) \
XT_ENTRY_ITERATE(struct compat_arpt_entry, entries, size, fn, ## args)
#define COMPAT_ARPT_ENTRY_ITERATE_CONTINUE(entries, size, n, fn, args...) \
XT_ENTRY_ITERATE_CONTINUE(struct compat_arpt_entry, entries, size, n, \
fn, ## args)
#endif
/* CONFIG_COMPAT */
#endif
/* CONFIG_COMPAT */
#endif
/*__KERNEL__*/
#endif
/*__KERNEL__*/
#endif
/* _ARPTABLES_H */
#endif
/* _ARPTABLES_H */
include/linux/netfilter_ipv4/ip_tables.h
...
@@ -223,6 +223,7 @@ ipt_get_target(struct ipt_entry *e)
...
@@ -223,6 +223,7 @@ ipt_get_target(struct ipt_entry *e)
return
(
void
*
)
e
+
e
->
target_offset
;
return
(
void
*
)
e
+
e
->
target_offset
;
}
}
#ifndef __KERNEL__
/* fn returns 0 to continue iteration */
/* fn returns 0 to continue iteration */
#define IPT_MATCH_ITERATE(e, fn, args...) \
#define IPT_MATCH_ITERATE(e, fn, args...) \
XT_MATCH_ITERATE(struct ipt_entry, e, fn, ## args)
XT_MATCH_ITERATE(struct ipt_entry, e, fn, ## args)
...
@@ -230,6 +231,7 @@ ipt_get_target(struct ipt_entry *e)
...
@@ -230,6 +231,7 @@ ipt_get_target(struct ipt_entry *e)
/* fn returns 0 to continue iteration */
/* fn returns 0 to continue iteration */
#define IPT_ENTRY_ITERATE(entries, size, fn, args...) \
#define IPT_ENTRY_ITERATE(entries, size, fn, args...) \
XT_ENTRY_ITERATE(struct ipt_entry, entries, size, fn, ## args)
XT_ENTRY_ITERATE(struct ipt_entry, entries, size, fn, ## args)
#endif
/*
/*
* Main firewall chains definitions and global var's definitions.
* Main firewall chains definitions and global var's definitions.
...
@@ -313,19 +315,6 @@ compat_ipt_get_target(struct compat_ipt_entry *e)
...
@@ -313,19 +315,6 @@ compat_ipt_get_target(struct compat_ipt_entry *e)
#define COMPAT_IPT_ALIGN(s) COMPAT_XT_ALIGN(s)
#define COMPAT_IPT_ALIGN(s) COMPAT_XT_ALIGN(s)
/* fn returns 0 to continue iteration */
#define COMPAT_IPT_MATCH_ITERATE(e, fn, args...) \
XT_MATCH_ITERATE(struct compat_ipt_entry, e, fn, ## args)
/* fn returns 0 to continue iteration */
#define COMPAT_IPT_ENTRY_ITERATE(entries, size, fn, args...) \
XT_ENTRY_ITERATE(struct compat_ipt_entry, entries, size, fn, ## args)
/* fn returns 0 to continue iteration */
#define COMPAT_IPT_ENTRY_ITERATE_CONTINUE(entries, size, n, fn, args...) \
XT_ENTRY_ITERATE_CONTINUE(struct compat_ipt_entry, entries, size, n, \
fn, ## args)
#endif
/* CONFIG_COMPAT */
#endif
/* CONFIG_COMPAT */
#endif
/*__KERNEL__*/
#endif
/*__KERNEL__*/
#endif
/* _IPTABLES_H */
#endif
/* _IPTABLES_H */
include/linux/netfilter_ipv6/ip6_tables.h
...
@@ -280,6 +280,7 @@ ip6t_get_target(struct ip6t_entry *e)
...
@@ -280,6 +280,7 @@ ip6t_get_target(struct ip6t_entry *e)
return
(
void
*
)
e
+
e
->
target_offset
;
return
(
void
*
)
e
+
e
->
target_offset
;
}
}
#ifndef __KERNEL__
/* fn returns 0 to continue iteration */
/* fn returns 0 to continue iteration */
#define IP6T_MATCH_ITERATE(e, fn, args...) \
#define IP6T_MATCH_ITERATE(e, fn, args...) \
XT_MATCH_ITERATE(struct ip6t_entry, e, fn, ## args)
XT_MATCH_ITERATE(struct ip6t_entry, e, fn, ## args)
...
@@ -287,6 +288,7 @@ ip6t_get_target(struct ip6t_entry *e)
...
@@ -287,6 +288,7 @@ ip6t_get_target(struct ip6t_entry *e)
/* fn returns 0 to continue iteration */
/* fn returns 0 to continue iteration */
#define IP6T_ENTRY_ITERATE(entries, size, fn, args...) \
#define IP6T_ENTRY_ITERATE(entries, size, fn, args...) \
XT_ENTRY_ITERATE(struct ip6t_entry, entries, size, fn, ## args)
XT_ENTRY_ITERATE(struct ip6t_entry, entries, size, fn, ## args)
#endif
/*
/*
* Main firewall chains definitions and global var's definitions.
* Main firewall chains definitions and global var's definitions.
...
@@ -341,18 +343,6 @@ compat_ip6t_get_target(struct compat_ip6t_entry *e)
...
@@ -341,18 +343,6 @@ compat_ip6t_get_target(struct compat_ip6t_entry *e)
#define COMPAT_IP6T_ALIGN(s) COMPAT_XT_ALIGN(s)
#define COMPAT_IP6T_ALIGN(s) COMPAT_XT_ALIGN(s)
/* fn returns 0 to continue iteration */
#define COMPAT_IP6T_MATCH_ITERATE(e, fn, args...) \
XT_MATCH_ITERATE(struct compat_ip6t_entry, e, fn, ## args)
/* fn returns 0 to continue iteration */
#define COMPAT_IP6T_ENTRY_ITERATE(entries, size, fn, args...) \
XT_ENTRY_ITERATE(struct compat_ip6t_entry, entries, size, fn, ## args)
#define COMPAT_IP6T_ENTRY_ITERATE_CONTINUE(entries, size, n, fn, args...) \
XT_ENTRY_ITERATE_CONTINUE(struct compat_ip6t_entry, entries, size, n, \
fn, ## args)
#endif
/* CONFIG_COMPAT */
#endif
/* CONFIG_COMPAT */
#endif
/*__KERNEL__*/
#endif
/*__KERNEL__*/
#endif
/* _IP6_TABLES_H */
#endif
/* _IP6_TABLES_H */
net/ipv4/netfilter/arp_tables.c
This diff is collapsed.
net/ipv4/netfilter/ip_tables.c
This diff is collapsed.
net/ipv6/netfilter/ip6_tables.c
This diff is collapsed.
net/ipv6/netfilter/nf_conntrack_reasm.c
...
@@ -469,7 +469,7 @@ nf_ct_frag6_reasm(struct nf_ct_frag6_queue *fq, struct net_device *dev)
...
@@ -469,7 +469,7 @@ nf_ct_frag6_reasm(struct nf_ct_frag6_queue *fq, struct net_device *dev)
/* all original skbs are linked into the NFCT_FRAG6_CB(head).orig */
/* all original skbs are linked into the NFCT_FRAG6_CB(head).orig */
fp
=
skb_shinfo
(
head
)
->
frag_list
;
fp
=
skb_shinfo
(
head
)
->
frag_list
;
if
(
NFCT_FRAG6_CB
(
fp
)
->
orig
==
NULL
)
if
(
fp
&&
NFCT_FRAG6_CB
(
fp
)
->
orig
==
NULL
)
/* at above code, head skb is divided into two skbs. */
/* at above code, head skb is divided into two skbs. */
fp
=
fp
->
next
;
fp
=
fp
->
next
;
...
@@ -595,12 +595,6 @@ struct sk_buff *nf_ct_frag6_gather(struct sk_buff *skb, u32 user)
...
@@ -595,12 +595,6 @@ struct sk_buff *nf_ct_frag6_gather(struct sk_buff *skb, u32 user)
hdr
=
ipv6_hdr
(
clone
);
hdr
=
ipv6_hdr
(
clone
);
fhdr
=
(
struct
frag_hdr
*
)
skb_transport_header
(
clone
);
fhdr
=
(
struct
frag_hdr
*
)
skb_transport_header
(
clone
);
if
(
!
(
fhdr
->
frag_off
&
htons
(
0xFFF9
)))
{
pr_debug
(
"Invalid fragment offset
\n
"
);
/* It is not a fragmented frame */
goto
ret_orig
;
}
if
(
atomic_read
(
&
nf_init_frags
.
mem
)
>
nf_init_frags
.
high_thresh
)
if
(
atomic_read
(
&
nf_init_frags
.
mem
)
>
nf_init_frags
.
high_thresh
)
nf_ct_frag6_evictor
();
nf_ct_frag6_evictor
();
...
...
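Review bot: The `fp &&` guard added in nf_ct_frag6_reasm carries no comment saying when `skb_shinfo(head)->frag_list` can be NULL, and the code that uses `fp` after `fp = fp->next;` lies outside the hunk, so the reader cannot confirm from here that later uses tolerate a NULL `fp` as well. Presumably the case arises because the second hunk, in nf_ct_frag6_gather, no longer returns early when the `htons(0xFFF9)` test finds the offset and more-fragments bits all clear, so a lone packet carrying a fragment header can now reach reassembly; the page has lost its +/- column, so this reading is inferred from the hunk counts. A short comment on the guard, such as `/* frag_list is NULL when the queue holds only the head skb */`, would record the reason next to the check.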
net/netfilter/xt_TCPMSS.c
...
@@ -239,6 +239,7 @@ static bool tcpmss_tg4_check(const struct xt_tgchk_param *par)
...
@@ -239,6 +239,7 @@ static bool tcpmss_tg4_check(const struct xt_tgchk_param *par)
{
{
const
struct
xt_tcpmss_info
*
info
=
par
->
targinfo
;
const
struct
xt_tcpmss_info
*
info
=
par
->
targinfo
;
const
struct
ipt_entry
*
e
=
par
->
entryinfo
;
const
struct
ipt_entry
*
e
=
par
->
entryinfo
;
const
struct
xt_entry_match
*
ematch
;
if
(
info
->
mss
==
XT_TCPMSS_CLAMP_PMTU
&&
if
(
info
->
mss
==
XT_TCPMSS_CLAMP_PMTU
&&
(
par
->
hook_mask
&
~
((
1
<<
NF_INET_FORWARD
)
|
(
par
->
hook_mask
&
~
((
1
<<
NF_INET_FORWARD
)
|
...
@@ -248,8 +249,9 @@ static bool tcpmss_tg4_check(const struct xt_tgchk_param *par)
...
@@ -248,8 +249,9 @@ static bool tcpmss_tg4_check(const struct xt_tgchk_param *par)
"FORWARD, OUTPUT and POSTROUTING hooks
\n
"
);
"FORWARD, OUTPUT and POSTROUTING hooks
\n
"
);
return
false
;
return
false
;
}
}
if
(
IPT_MATCH_ITERATE
(
e
,
find_syn_match
))
xt_ematch_foreach
(
ematch
,
e
)
return
true
;
if
(
find_syn_match
(
ematch
))
return
true
;
printk
(
"xt_TCPMSS: Only works on TCP SYN packets
\n
"
);
printk
(
"xt_TCPMSS: Only works on TCP SYN packets
\n
"
);
return
false
;
return
false
;
}
}
...
@@ -259,6 +261,7 @@ static bool tcpmss_tg6_check(const struct xt_tgchk_param *par)
...
@@ -259,6 +261,7 @@ static bool tcpmss_tg6_check(const struct xt_tgchk_param *par)
{
{
const
struct
xt_tcpmss_info
*
info
=
par
->
targinfo
;
const
struct
xt_tcpmss_info
*
info
=
par
->
targinfo
;
const
struct
ip6t_entry
*
e
=
par
->
entryinfo
;
const
struct
ip6t_entry
*
e
=
par
->
entryinfo
;
const
struct
xt_entry_match
*
ematch
;
if
(
info
->
mss
==
XT_TCPMSS_CLAMP_PMTU
&&
if
(
info
->
mss
==
XT_TCPMSS_CLAMP_PMTU
&&
(
par
->
hook_mask
&
~
((
1
<<
NF_INET_FORWARD
)
|
(
par
->
hook_mask
&
~
((
1
<<
NF_INET_FORWARD
)
|
...
@@ -268,8 +271,9 @@ static bool tcpmss_tg6_check(const struct xt_tgchk_param *par)
...
@@ -268,8 +271,9 @@ static bool tcpmss_tg6_check(const struct xt_tgchk_param *par)
"FORWARD, OUTPUT and POSTROUTING hooks
\n
"
);
"FORWARD, OUTPUT and POSTROUTING hooks
\n
"
);
return
false
;
return
false
;
}
}
if
(
IP6T_MATCH_ITERATE
(
e
,
find_syn_match
))
xt_ematch_foreach
(
ematch
,
e
)
return
true
;
if
(
find_syn_match
(
ematch
))
return
true
;
printk
(
"xt_TCPMSS: Only works on TCP SYN packets
\n
"
);
printk
(
"xt_TCPMSS: Only works on TCP SYN packets
\n
"
);
return
false
;
return
false
;
}
}
...
...
net/netfilter/xt_recent.c
...
@@ -177,10 +177,10 @@ recent_entry_init(struct recent_table *t, const union nf_inet_addr *addr,
...
@@ -177,10 +177,10 @@ recent_entry_init(struct recent_table *t, const union nf_inet_addr *addr,
static
void
recent_entry_update
(
struct
recent_table
*
t
,
struct
recent_entry
*
e
)
static
void
recent_entry_update
(
struct
recent_table
*
t
,
struct
recent_entry
*
e
)
{
{
e
->
index
%=
ip_pkt_list_tot
;
e
->
stamps
[
e
->
index
++
]
=
jiffies
;
e
->
stamps
[
e
->
index
++
]
=
jiffies
;
if
(
e
->
index
>
e
->
nstamps
)
if
(
e
->
index
>
e
->
nstamps
)
e
->
nstamps
=
e
->
index
;
e
->
nstamps
=
e
->
index
;
e
->
index
%=
ip_pkt_list_tot
;
list_move_tail
(
&
e
->
lru_list
,
&
t
->
lru_list
);
list_move_tail
(
&
e
->
lru_list
,
&
t
->
lru_list
);
}
}
...
@@ -267,7 +267,7 @@ recent_mt(const struct sk_buff *skb, const struct xt_match_param *par)
...
@@ -267,7 +267,7 @@ recent_mt(const struct sk_buff *skb, const struct xt_match_param *par)
for
(
i
=
0
;
i
<
e
->
nstamps
;
i
++
)
{
for
(
i
=
0
;
i
<
e
->
nstamps
;
i
++
)
{
if
(
info
->
seconds
&&
time_after
(
time
,
e
->
stamps
[
i
]))
if
(
info
->
seconds
&&
time_after
(
time
,
e
->
stamps
[
i
]))
continue
;
continue
;
if
(
++
hits
>=
info
->
hit_count
)
{
if
(
info
->
hit_count
&&
++
hits
>=
info
->
hit_count
)
{
ret
=
!
ret
;
ret
=
!
ret
;
break
;
break
;
}
}
...
...
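Review bot: In recent_entry_update, with `e->index %= ip_pkt_list_tot;` placed ahead of the `e->stamps[e->index++] = jiffies;` store (taken here to be the new side, since the page has lost its +/- column), `e->index` can be left equal to `ip_pkt_list_tot` on return, so the field is a valid subscript only after the wrap at the top of this function. That invariant deserves a comment, e.g. `/* index may be one past the last slot on entry; wrap before using it as a subscript */`, and any other reader of `e->index` outside this hunk should be checked against it. The modulo also assumes `ip_pkt_list_tot` is nonzero; where that is enforced is not visible in this section.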