Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
L
linux
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
linux
Commits
01e6de64
Commit
01e6de64
authored
Mar 26, 2009
by
David S. Miller
Browse files
Options
Browse Files
Download
Plain Diff
Merge branch 'master' of
git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6
parents
8f1ead2d
d271e8bd
Changes
33
Expand all
Show whitespace changes
Inline
Side-by-side
Showing
33 changed files
with
416 additions
and
210 deletions
+416
-210
include/linux/netfilter/x_tables.h
include/linux/netfilter/x_tables.h
+23
-0
include/net/netfilter/nf_conntrack.h
include/net/netfilter/nf_conntrack.h
+8
-6
include/net/netfilter/nf_conntrack_helper.h
include/net/netfilter/nf_conntrack_helper.h
+2
-0
include/net/netfilter/nf_conntrack_l3proto.h
include/net/netfilter/nf_conntrack_l3proto.h
+7
-0
include/net/netfilter/nf_conntrack_l4proto.h
include/net/netfilter/nf_conntrack_l4proto.h
+7
-0
include/net/netfilter/nf_conntrack_tuple.h
include/net/netfilter/nf_conntrack_tuple.h
+3
-3
include/net/netlink.h
include/net/netlink.h
+1
-0
include/net/netns/conntrack.h
include/net/netns/conntrack.h
+3
-2
lib/nlattr.c
lib/nlattr.c
+27
-0
net/ipv4/netfilter/arp_tables.c
net/ipv4/netfilter/arp_tables.c
+4
-14
net/ipv4/netfilter/ip_tables.c
net/ipv4/netfilter/ip_tables.c
+5
-22
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+6
-0
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
+36
-27
net/ipv4/netfilter/nf_conntrack_proto_icmp.c
net/ipv4/netfilter/nf_conntrack_proto_icmp.c
+6
-0
net/ipv4/netfilter/nf_nat_core.c
net/ipv4/netfilter/nf_nat_core.c
+1
-1
net/ipv6/netfilter/ip6_tables.c
net/ipv6/netfilter/ip6_tables.c
+5
-22
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+6
-0
net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+6
-0
net/netfilter/Kconfig
net/netfilter/Kconfig
+1
-1
net/netfilter/nf_conntrack_core.c
net/netfilter/nf_conntrack_core.c
+76
-53
net/netfilter/nf_conntrack_expect.c
net/netfilter/nf_conntrack_expect.c
+1
-1
net/netfilter/nf_conntrack_helper.c
net/netfilter/nf_conntrack_helper.c
+5
-3
net/netfilter/nf_conntrack_netlink.c
net/netfilter/nf_conntrack_netlink.c
+84
-10
net/netfilter/nf_conntrack_proto.c
net/netfilter/nf_conntrack_proto.c
+16
-0
net/netfilter/nf_conntrack_proto_dccp.c
net/netfilter/nf_conntrack_proto_dccp.c
+9
-0
net/netfilter/nf_conntrack_proto_gre.c
net/netfilter/nf_conntrack_proto_gre.c
+1
-0
net/netfilter/nf_conntrack_proto_sctp.c
net/netfilter/nf_conntrack_proto_sctp.c
+10
-0
net/netfilter/nf_conntrack_proto_tcp.c
net/netfilter/nf_conntrack_proto_tcp.c
+15
-0
net/netfilter/nf_conntrack_proto_udp.c
net/netfilter/nf_conntrack_proto_udp.c
+2
-0
net/netfilter/nf_conntrack_proto_udplite.c
net/netfilter/nf_conntrack_proto_udplite.c
+1
-0
net/netfilter/nf_conntrack_standalone.c
net/netfilter/nf_conntrack_standalone.c
+33
-24
net/netfilter/xt_connlimit.c
net/netfilter/xt_connlimit.c
+4
-2
net/netfilter/xt_physdev.c
net/netfilter/xt_physdev.c
+2
-19
No files found.
include/linux/netfilter/x_tables.h
View file @
01e6de64
...
...
@@ -437,6 +437,29 @@ extern void xt_free_table_info(struct xt_table_info *info);
extern
void
xt_table_entry_swap_rcu
(
struct
xt_table_info
*
old
,
struct
xt_table_info
*
new
);
/*
* This helper is performance critical and must be inlined
*/
static
inline
unsigned
long
ifname_compare_aligned
(
const
char
*
_a
,
const
char
*
_b
,
const
char
*
_mask
)
{
const
unsigned
long
*
a
=
(
const
unsigned
long
*
)
_a
;
const
unsigned
long
*
b
=
(
const
unsigned
long
*
)
_b
;
const
unsigned
long
*
mask
=
(
const
unsigned
long
*
)
_mask
;
unsigned
long
ret
;
ret
=
(
a
[
0
]
^
b
[
0
])
&
mask
[
0
];
if
(
IFNAMSIZ
>
sizeof
(
unsigned
long
))
ret
|=
(
a
[
1
]
^
b
[
1
])
&
mask
[
1
];
if
(
IFNAMSIZ
>
2
*
sizeof
(
unsigned
long
))
ret
|=
(
a
[
2
]
^
b
[
2
])
&
mask
[
2
];
if
(
IFNAMSIZ
>
3
*
sizeof
(
unsigned
long
))
ret
|=
(
a
[
3
]
^
b
[
3
])
&
mask
[
3
];
BUILD_BUG_ON
(
IFNAMSIZ
>
4
*
sizeof
(
unsigned
long
));
return
ret
;
}
#ifdef CONFIG_COMPAT
#include <net/compat.h>
...
...
include/net/netfilter/nf_conntrack.h
View file @
01e6de64
...
...
@@ -91,8 +91,7 @@ struct nf_conn_help {
#include <net/netfilter/ipv4/nf_conntrack_ipv4.h>
#include <net/netfilter/ipv6/nf_conntrack_ipv6.h>
struct
nf_conn
{
struct
nf_conn
{
/* Usage count in here is 1 for hash table/destruct timer, 1 per skb,
plus 1 for any connection(s) we are `master' for */
struct
nf_conntrack
ct_general
;
...
...
@@ -126,7 +125,6 @@ struct nf_conn
#ifdef CONFIG_NET_NS
struct
net
*
ct_net
;
#endif
struct
rcu_head
rcu
;
};
static
inline
struct
nf_conn
*
...
...
@@ -190,9 +188,13 @@ static inline void nf_ct_put(struct nf_conn *ct)
extern
int
nf_ct_l3proto_try_module_get
(
unsigned
short
l3proto
);
extern
void
nf_ct_l3proto_module_put
(
unsigned
short
l3proto
);
extern
struct
hlist_head
*
nf_ct_alloc_hashtable
(
unsigned
int
*
sizep
,
int
*
vmalloced
);
extern
void
nf_ct_free_hashtable
(
struct
hlist_head
*
hash
,
int
vmalloced
,
unsigned
int
size
);
/*
* Allocate a hashtable of hlist_head (if nulls == 0),
* or hlist_nulls_head (if nulls == 1)
*/
extern
void
*
nf_ct_alloc_hashtable
(
unsigned
int
*
sizep
,
int
*
vmalloced
,
int
nulls
);
extern
void
nf_ct_free_hashtable
(
void
*
hash
,
int
vmalloced
,
unsigned
int
size
);
extern
struct
nf_conntrack_tuple_hash
*
__nf_conntrack_find
(
struct
net
*
net
,
const
struct
nf_conntrack_tuple
*
tuple
);
...
...
include/net/netfilter/nf_conntrack_helper.h
View file @
01e6de64
...
...
@@ -14,6 +14,8 @@
struct
module
;
#define NF_CT_HELPER_NAME_LEN 16
struct
nf_conntrack_helper
{
struct
hlist_node
hnode
;
/* Internal use. */
...
...
include/net/netfilter/nf_conntrack_l3proto.h
View file @
01e6de64
...
...
@@ -53,10 +53,17 @@ struct nf_conntrack_l3proto
int
(
*
tuple_to_nlattr
)(
struct
sk_buff
*
skb
,
const
struct
nf_conntrack_tuple
*
t
);
/*
* Calculate size of tuple nlattr
*/
int
(
*
nlattr_tuple_size
)(
void
);
int
(
*
nlattr_to_tuple
)(
struct
nlattr
*
tb
[],
struct
nf_conntrack_tuple
*
t
);
const
struct
nla_policy
*
nla_policy
;
size_t
nla_size
;
#ifdef CONFIG_SYSCTL
struct
ctl_table_header
*
ctl_table_header
;
struct
ctl_path
*
ctl_table_path
;
...
...
include/net/netfilter/nf_conntrack_l4proto.h
View file @
01e6de64
...
...
@@ -64,16 +64,22 @@ struct nf_conntrack_l4proto
/* convert protoinfo to nfnetink attributes */
int
(
*
to_nlattr
)(
struct
sk_buff
*
skb
,
struct
nlattr
*
nla
,
const
struct
nf_conn
*
ct
);
/* Calculate protoinfo nlattr size */
int
(
*
nlattr_size
)(
void
);
/* convert nfnetlink attributes to protoinfo */
int
(
*
from_nlattr
)(
struct
nlattr
*
tb
[],
struct
nf_conn
*
ct
);
int
(
*
tuple_to_nlattr
)(
struct
sk_buff
*
skb
,
const
struct
nf_conntrack_tuple
*
t
);
/* Calculate tuple nlattr size */
int
(
*
nlattr_tuple_size
)(
void
);
int
(
*
nlattr_to_tuple
)(
struct
nlattr
*
tb
[],
struct
nf_conntrack_tuple
*
t
);
const
struct
nla_policy
*
nla_policy
;
size_t
nla_size
;
#ifdef CONFIG_SYSCTL
struct
ctl_table_header
**
ctl_table_header
;
struct
ctl_table
*
ctl_table
;
...
...
@@ -107,6 +113,7 @@ extern int nf_ct_port_tuple_to_nlattr(struct sk_buff *skb,
const
struct
nf_conntrack_tuple
*
tuple
);
extern
int
nf_ct_port_nlattr_to_tuple
(
struct
nlattr
*
tb
[],
struct
nf_conntrack_tuple
*
t
);
extern
int
nf_ct_port_nlattr_tuple_size
(
void
);
extern
const
struct
nla_policy
nf_ct_port_nla_policy
[];
#ifdef CONFIG_SYSCTL
...
...
include/net/netfilter/nf_conntrack_tuple.h
View file @
01e6de64
...
...
@@ -12,6 +12,7 @@
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/nf_conntrack_tuple_common.h>
#include <linux/list_nulls.h>
/* A `tuple' is a structure containing the information to uniquely
identify a connection. ie. if two packets have the same tuple, they
...
...
@@ -146,9 +147,8 @@ static inline void nf_ct_dump_tuple(const struct nf_conntrack_tuple *t)
((enum ip_conntrack_dir)(h)->tuple.dst.dir)
/* Connections have two entries in the hash table: one for each way */
struct
nf_conntrack_tuple_hash
{
struct
hlist_node
hnode
;
struct
nf_conntrack_tuple_hash
{
struct
hlist_nulls_node
hnnode
;
struct
nf_conntrack_tuple
tuple
;
};
...
...
include/net/netlink.h
View file @
01e6de64
...
...
@@ -230,6 +230,7 @@ extern int nla_validate(struct nlattr *head, int len, int maxtype,
extern
int
nla_parse
(
struct
nlattr
*
tb
[],
int
maxtype
,
struct
nlattr
*
head
,
int
len
,
const
struct
nla_policy
*
policy
);
extern
int
nla_policy_len
(
const
struct
nla_policy
*
,
int
);
extern
struct
nlattr
*
nla_find
(
struct
nlattr
*
head
,
int
len
,
int
attrtype
);
extern
size_t
nla_strlcpy
(
char
*
dst
,
const
struct
nlattr
*
nla
,
size_t
dstsize
);
...
...
include/net/netns/conntrack.h
View file @
01e6de64
...
...
@@ -2,6 +2,7 @@
#define __NETNS_CONNTRACK_H
#include <linux/list.h>
#include <linux/list_nulls.h>
#include <asm/atomic.h>
struct
ctl_table_header
;
...
...
@@ -10,9 +11,9 @@ struct nf_conntrack_ecache;
struct
netns_ct
{
atomic_t
count
;
unsigned
int
expect_count
;
struct
hlist_head
*
hash
;
struct
hlist_
nulls_
head
*
hash
;
struct
hlist_head
*
expect_hash
;
struct
hlist_head
unconfirmed
;
struct
hlist_
nulls_
head
unconfirmed
;
struct
ip_conntrack_stat
*
stat
;
#ifdef CONFIG_NF_CONNTRACK_EVENTS
struct
nf_conntrack_ecache
*
ecache
;
...
...
lib/nlattr.c
View file @
01e6de64
...
...
@@ -132,6 +132,32 @@ int nla_validate(struct nlattr *head, int len, int maxtype,
return
err
;
}
/**
* nla_policy_len - Determin the max. length of a policy
* @policy: policy to use
* @n: number of policies
*
* Determines the max. length of the policy. It is currently used
* to allocated Netlink buffers roughly the size of the actual
* message.
*
* Returns 0 on success or a negative error code.
*/
int
nla_policy_len
(
const
struct
nla_policy
*
p
,
int
n
)
{
int
i
,
len
=
0
;
for
(
i
=
0
;
i
<
n
;
i
++
)
{
if
(
p
->
len
)
len
+=
nla_total_size
(
p
->
len
);
else
if
(
nla_attr_minlen
[
p
->
type
])
len
+=
nla_total_size
(
nla_attr_minlen
[
p
->
type
]);
}
return
len
;
}
/**
* nla_parse - Parse a stream of attributes into a tb buffer
* @tb: destination array with maxtype+1 elements
...
...
@@ -467,6 +493,7 @@ EXPORT_SYMBOL(nla_append);
#endif
EXPORT_SYMBOL
(
nla_validate
);
EXPORT_SYMBOL
(
nla_policy_len
);
EXPORT_SYMBOL
(
nla_parse
);
EXPORT_SYMBOL
(
nla_find
);
EXPORT_SYMBOL
(
nla_strlcpy
);
...
...
net/ipv4/netfilter/arp_tables.c
View file @
01e6de64
...
...
@@ -81,19 +81,7 @@ static inline int arp_devaddr_compare(const struct arpt_devaddr_info *ap,
static
unsigned
long
ifname_compare
(
const
char
*
_a
,
const
char
*
_b
,
const
char
*
_mask
)
{
#ifdef CONFIG_HAVE_EFFICIENT_UNALIGNED_ACCESS
const
unsigned
long
*
a
=
(
const
unsigned
long
*
)
_a
;
const
unsigned
long
*
b
=
(
const
unsigned
long
*
)
_b
;
const
unsigned
long
*
mask
=
(
const
unsigned
long
*
)
_mask
;
unsigned
long
ret
;
ret
=
(
a
[
0
]
^
b
[
0
])
&
mask
[
0
];
if
(
IFNAMSIZ
>
sizeof
(
unsigned
long
))
ret
|=
(
a
[
1
]
^
b
[
1
])
&
mask
[
1
];
if
(
IFNAMSIZ
>
2
*
sizeof
(
unsigned
long
))
ret
|=
(
a
[
2
]
^
b
[
2
])
&
mask
[
2
];
if
(
IFNAMSIZ
>
3
*
sizeof
(
unsigned
long
))
ret
|=
(
a
[
3
]
^
b
[
3
])
&
mask
[
3
];
BUILD_BUG_ON
(
IFNAMSIZ
>
4
*
sizeof
(
unsigned
long
));
unsigned
long
ret
=
ifname_compare_aligned
(
_a
,
_b
,
_mask
);
#else
unsigned
long
ret
=
0
;
const
u16
*
a
=
(
const
u16
*
)
_a
;
...
...
@@ -404,7 +392,9 @@ static int mark_source_chains(struct xt_table_info *newinfo,
&&
unconditional
(
&
e
->
arp
))
||
visited
)
{
unsigned
int
oldpos
,
size
;
if
(
t
->
verdict
<
-
NF_MAX_VERDICT
-
1
)
{
if
((
strcmp
(
t
->
target
.
u
.
user
.
name
,
ARPT_STANDARD_TARGET
)
==
0
)
&&
t
->
verdict
<
-
NF_MAX_VERDICT
-
1
)
{
duprintf
(
"mark_source_chains: bad "
"negative verdict (%i)
\n
"
,
t
->
verdict
);
...
...
net/ipv4/netfilter/ip_tables.c
View file @
01e6de64
...
...
@@ -74,25 +74,6 @@ do { \
Hence the start of any table is given by get_table() below. */
static
unsigned
long
ifname_compare
(
const
char
*
_a
,
const
char
*
_b
,
const
unsigned
char
*
_mask
)
{
const
unsigned
long
*
a
=
(
const
unsigned
long
*
)
_a
;
const
unsigned
long
*
b
=
(
const
unsigned
long
*
)
_b
;
const
unsigned
long
*
mask
=
(
const
unsigned
long
*
)
_mask
;
unsigned
long
ret
;
ret
=
(
a
[
0
]
^
b
[
0
])
&
mask
[
0
];
if
(
IFNAMSIZ
>
sizeof
(
unsigned
long
))
ret
|=
(
a
[
1
]
^
b
[
1
])
&
mask
[
1
];
if
(
IFNAMSIZ
>
2
*
sizeof
(
unsigned
long
))
ret
|=
(
a
[
2
]
^
b
[
2
])
&
mask
[
2
];
if
(
IFNAMSIZ
>
3
*
sizeof
(
unsigned
long
))
ret
|=
(
a
[
3
]
^
b
[
3
])
&
mask
[
3
];
BUILD_BUG_ON
(
IFNAMSIZ
>
4
*
sizeof
(
unsigned
long
));
return
ret
;
}
/* Returns whether matches rule or not. */
/* Performance critical - called for every packet */
static
inline
bool
...
...
@@ -121,7 +102,7 @@ ip_packet_match(const struct iphdr *ip,
return
false
;
}
ret
=
ifname_compare
(
indev
,
ipinfo
->
iniface
,
ipinfo
->
iniface_mask
);
ret
=
ifname_compare
_aligned
(
indev
,
ipinfo
->
iniface
,
ipinfo
->
iniface_mask
);
if
(
FWINV
(
ret
!=
0
,
IPT_INV_VIA_IN
))
{
dprintf
(
"VIA in mismatch (%s vs %s).%s
\n
"
,
...
...
@@ -130,7 +111,7 @@ ip_packet_match(const struct iphdr *ip,
return
false
;
}
ret
=
ifname_compare
(
outdev
,
ipinfo
->
outiface
,
ipinfo
->
outiface_mask
);
ret
=
ifname_compare
_aligned
(
outdev
,
ipinfo
->
outiface
,
ipinfo
->
outiface_mask
);
if
(
FWINV
(
ret
!=
0
,
IPT_INV_VIA_OUT
))
{
dprintf
(
"VIA out mismatch (%s vs %s).%s
\n
"
,
...
...
@@ -507,7 +488,9 @@ mark_source_chains(struct xt_table_info *newinfo,
&&
unconditional
(
&
e
->
ip
))
||
visited
)
{
unsigned
int
oldpos
,
size
;
if
(
t
->
verdict
<
-
NF_MAX_VERDICT
-
1
)
{
if
((
strcmp
(
t
->
target
.
u
.
user
.
name
,
IPT_STANDARD_TARGET
)
==
0
)
&&
t
->
verdict
<
-
NF_MAX_VERDICT
-
1
)
{
duprintf
(
"mark_source_chains: bad "
"negative verdict (%i)
\n
"
,
t
->
verdict
);
...
...
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
View file @
01e6de64
...
...
@@ -328,6 +328,11 @@ static int ipv4_nlattr_to_tuple(struct nlattr *tb[],
return
0
;
}
static
int
ipv4_nlattr_tuple_size
(
void
)
{
return
nla_policy_len
(
ipv4_nla_policy
,
CTA_IP_MAX
+
1
);
}
#endif
static
struct
nf_sockopt_ops
so_getorigdst
=
{
...
...
@@ -347,6 +352,7 @@ struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv4 __read_mostly = {
.
get_l4proto
=
ipv4_get_l4proto
,
#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
.
tuple_to_nlattr
=
ipv4_tuple_to_nlattr
,
.
nlattr_tuple_size
=
ipv4_nlattr_tuple_size
,
.
nlattr_to_tuple
=
ipv4_nlattr_to_tuple
,
.
nla_policy
=
ipv4_nla_policy
,
#endif
...
...
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
View file @
01e6de64
...
...
@@ -25,40 +25,42 @@ struct ct_iter_state {
unsigned
int
bucket
;
};
static
struct
hlist_node
*
ct_get_first
(
struct
seq_file
*
seq
)
static
struct
hlist_n
ulls_n
ode
*
ct_get_first
(
struct
seq_file
*
seq
)
{
struct
net
*
net
=
seq_file_net
(
seq
);
struct
ct_iter_state
*
st
=
seq
->
private
;
struct
hlist_node
*
n
;
struct
hlist_n
ulls_n
ode
*
n
;
for
(
st
->
bucket
=
0
;
st
->
bucket
<
nf_conntrack_htable_size
;
st
->
bucket
++
)
{
n
=
rcu_dereference
(
net
->
ct
.
hash
[
st
->
bucket
].
first
);
if
(
n
)
if
(
!
is_a_nulls
(
n
)
)
return
n
;
}
return
NULL
;
}
static
struct
hlist_node
*
ct_get_next
(
struct
seq_file
*
seq
,
struct
hlist_node
*
head
)
static
struct
hlist_n
ulls_n
ode
*
ct_get_next
(
struct
seq_file
*
seq
,
struct
hlist_n
ulls_n
ode
*
head
)
{
struct
net
*
net
=
seq_file_net
(
seq
);
struct
ct_iter_state
*
st
=
seq
->
private
;
head
=
rcu_dereference
(
head
->
next
);
while
(
head
==
NULL
)
{
while
(
is_a_nulls
(
head
))
{
if
(
likely
(
get_nulls_value
(
head
)
==
st
->
bucket
))
{
if
(
++
st
->
bucket
>=
nf_conntrack_htable_size
)
return
NULL
;
}
head
=
rcu_dereference
(
net
->
ct
.
hash
[
st
->
bucket
].
first
);
}
return
head
;
}
static
struct
hlist_node
*
ct_get_idx
(
struct
seq_file
*
seq
,
loff_t
pos
)
static
struct
hlist_n
ulls_n
ode
*
ct_get_idx
(
struct
seq_file
*
seq
,
loff_t
pos
)
{
struct
hlist_node
*
head
=
ct_get_first
(
seq
);
struct
hlist_n
ulls_n
ode
*
head
=
ct_get_first
(
seq
);
if
(
head
)
while
(
pos
&&
(
head
=
ct_get_next
(
seq
,
head
)))
...
...
@@ -87,69 +89,76 @@ static void ct_seq_stop(struct seq_file *s, void *v)
static
int
ct_seq_show
(
struct
seq_file
*
s
,
void
*
v
)
{
const
struct
nf_conntrack_tuple_hash
*
hash
=
v
;
const
struct
nf_conn
*
ct
=
nf_ct_tuplehash_to_ctrack
(
hash
);
struct
nf_conntrack_tuple_hash
*
hash
=
v
;
struct
nf_conn
*
ct
=
nf_ct_tuplehash_to_ctrack
(
hash
);
const
struct
nf_conntrack_l3proto
*
l3proto
;
const
struct
nf_conntrack_l4proto
*
l4proto
;
int
ret
=
0
;
NF_CT_ASSERT
(
ct
);
if
(
unlikely
(
!
atomic_inc_not_zero
(
&
ct
->
ct_general
.
use
)))
return
0
;
/* we only want to print DIR_ORIGINAL */
if
(
NF_CT_DIRECTION
(
hash
))
return
0
;
goto
release
;
if
(
nf_ct_l3num
(
ct
)
!=
AF_INET
)
return
0
;
goto
release
;
l3proto
=
__nf_ct_l3proto_find
(
nf_ct_l3num
(
ct
));
NF_CT_ASSERT
(
l3proto
);
l4proto
=
__nf_ct_l4proto_find
(
nf_ct_l3num
(
ct
),
nf_ct_protonum
(
ct
));
NF_CT_ASSERT
(
l4proto
);
ret
=
-
ENOSPC
;
if
(
seq_printf
(
s
,
"%-8s %u %ld "
,
l4proto
->
name
,
nf_ct_protonum
(
ct
),
timer_pending
(
&
ct
->
timeout
)
?
(
long
)(
ct
->
timeout
.
expires
-
jiffies
)
/
HZ
:
0
)
!=
0
)
return
-
ENOSPC
;
goto
release
;
if
(
l4proto
->
print_conntrack
&&
l4proto
->
print_conntrack
(
s
,
ct
))
return
-
ENOSPC
;
goto
release
;
if
(
print_tuple
(
s
,
&
ct
->
tuplehash
[
IP_CT_DIR_ORIGINAL
].
tuple
,
l3proto
,
l4proto
))
return
-
ENOSPC
;
goto
release
;
if
(
seq_print_acct
(
s
,
ct
,
IP_CT_DIR_ORIGINAL
))
return
-
ENOSPC
;
goto
release
;
if
(
!
(
test_bit
(
IPS_SEEN_REPLY_BIT
,
&
ct
->
status
)))
if
(
seq_printf
(
s
,
"[UNREPLIED] "
))
return
-
ENOSPC
;
goto
release
;
if
(
print_tuple
(
s
,
&
ct
->
tuplehash
[
IP_CT_DIR_REPLY
].
tuple
,
l3proto
,
l4proto
))
return
-
ENOSPC
;
goto
release
;
if
(
seq_print_acct
(
s
,
ct
,
IP_CT_DIR_REPLY
))
return
-
ENOSPC
;
goto
release
;
if
(
test_bit
(
IPS_ASSURED_BIT
,
&
ct
->
status
))
if
(
seq_printf
(
s
,
"[ASSURED] "
))
return
-
ENOSPC
;
goto
release
;
#ifdef CONFIG_NF_CONNTRACK_MARK
if
(
seq_printf
(
s
,
"mark=%u "
,
ct
->
mark
))
return
-
ENOSPC
;
goto
release
;
#endif
#ifdef CONFIG_NF_CONNTRACK_SECMARK
if
(
seq_printf
(
s
,
"secmark=%u "
,
ct
->
secmark
))
return
-
ENOSPC
;
goto
release
;
#endif
if
(
seq_printf
(
s
,
"use=%u
\n
"
,
atomic_read
(
&
ct
->
ct_general
.
use
)))
return
-
ENOSPC
;
return
0
;
goto
release
;
ret
=
0
;
release:
nf_ct_put
(
ct
);
return
ret
;
}
static
const
struct
seq_operations
ct_seq_ops
=
{
...
...
net/ipv4/netfilter/nf_conntrack_proto_icmp.c
View file @
01e6de64
...
...
@@ -262,6 +262,11 @@ static int icmp_nlattr_to_tuple(struct nlattr *tb[],
return
0
;
}
static
int
icmp_nlattr_tuple_size
(
void
)
{
return
nla_policy_len
(
icmp_nla_policy
,
CTA_PROTO_MAX
+
1
);
}
#endif
#ifdef CONFIG_SYSCTL
...
...
@@ -309,6 +314,7 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_icmp __read_mostly =
.
me
=
NULL
,
#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
.
tuple_to_nlattr
=
icmp_tuple_to_nlattr
,
.
nlattr_tuple_size
=
icmp_nlattr_tuple_size
,
.
nlattr_to_tuple
=
icmp_nlattr_to_tuple
,
.
nla_policy
=
icmp_nla_policy
,
#endif
...
...
net/ipv4/netfilter/nf_nat_core.c
View file @
01e6de64
...
...
@@ -679,7 +679,7 @@ nfnetlink_parse_nat_setup(struct nf_conn *ct,
static
int
__net_init
nf_nat_net_init
(
struct
net
*
net
)
{
net
->
ipv4
.
nat_bysource
=
nf_ct_alloc_hashtable
(
&
nf_nat_htable_size
,
&
net
->
ipv4
.
nat_vmalloced
);
&
net
->
ipv4
.
nat_vmalloced
,
0
);
if
(
!
net
->
ipv4
.
nat_bysource
)
return
-
ENOMEM
;
return
0
;
...
...
net/ipv6/netfilter/ip6_tables.c
View file @
01e6de64
...
...
@@ -89,25 +89,6 @@ ip6t_ext_hdr(u8 nexthdr)
(
nexthdr
==
IPPROTO_DSTOPTS
)
);
}
static
unsigned
long
ifname_compare
(
const
char
*
_a
,
const
char
*
_b
,
const
unsigned
char
*
_mask
)
{
const
unsigned
long
*
a
=
(
const
unsigned
long
*
)
_a
;
const
unsigned
long
*
b
=
(
const
unsigned
long
*
)
_b
;
const
unsigned
long
*
mask
=
(
const
unsigned
long
*
)
_mask
;
unsigned
long
ret
;
ret
=
(
a
[
0
]
^
b
[
0
])
&
mask
[
0
];
if
(
IFNAMSIZ
>
sizeof
(
unsigned
long
))
ret
|=
(
a
[
1
]
^
b
[
1
])
&
mask
[
1
];
if
(
IFNAMSIZ
>
2
*
sizeof
(
unsigned
long
))
ret
|=
(
a
[
2
]
^
b
[
2
])
&
mask
[
2
];
if
(
IFNAMSIZ
>
3
*
sizeof
(
unsigned
long
))
ret
|=
(
a
[
3
]
^
b
[
3
])
&
mask
[
3
];
BUILD_BUG_ON
(
IFNAMSIZ
>
4
*
sizeof
(
unsigned
long
));
return
ret
;
}
/* Returns whether matches rule or not. */
/* Performance critical - called for every packet */
static
inline
bool
...
...
@@ -138,7 +119,7 @@ ip6_packet_match(const struct sk_buff *skb,
return
false
;
}
ret
=
ifname_compare
(
indev
,
ip6info
->
iniface
,
ip6info
->
iniface_mask
);
ret
=
ifname_compare
_aligned
(
indev
,
ip6info
->
iniface
,
ip6info
->
iniface_mask
);
if
(
FWINV
(
ret
!=
0
,
IP6T_INV_VIA_IN
))
{
dprintf
(
"VIA in mismatch (%s vs %s).%s
\n
"
,
...
...
@@ -147,7 +128,7 @@ ip6_packet_match(const struct sk_buff *skb,
return
false
;
}
ret
=
ifname_compare
(
outdev
,
ip6info
->
outiface
,
ip6info
->
outiface_mask
);
ret
=
ifname_compare
_aligned
(
outdev
,
ip6info
->
outiface
,
ip6info
->
outiface_mask
);
if
(
FWINV
(
ret
!=
0
,
IP6T_INV_VIA_OUT
))
{
dprintf
(
"VIA out mismatch (%s vs %s).%s
\n
"
,
...
...
@@ -536,7 +517,9 @@ mark_source_chains(struct xt_table_info *newinfo,
&&
unconditional
(
&
e
->
ipv6
))
||
visited
)
{
unsigned
int
oldpos
,
size
;
if
(
t
->
verdict
<
-
NF_MAX_VERDICT
-
1
)
{
if
((
strcmp
(
t
->
target
.
u
.
user
.
name
,
IP6T_STANDARD_TARGET
)
==
0
)
&&
t
->
verdict
<
-
NF_MAX_VERDICT
-
1
)
{
duprintf
(
"mark_source_chains: bad "
"negative verdict (%i)
\n
"
,
t
->
verdict
);
...
...
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
View file @
01e6de64
...
...
@@ -342,6 +342,11 @@ static int ipv6_nlattr_to_tuple(struct nlattr *tb[],
return
0
;
}
static
int
ipv6_nlattr_tuple_size
(
void
)
{
return
nla_policy_len
(
ipv6_nla_policy
,
CTA_IP_MAX
+
1
);
}
#endif
struct
nf_conntrack_l3proto
nf_conntrack_l3proto_ipv6
__read_mostly
=
{
...
...
@@ -353,6 +358,7 @@ struct nf_conntrack_l3proto nf_conntrack_l3proto_ipv6 __read_mostly = {
.
get_l4proto
=
ipv6_get_l4proto
,
#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
.
tuple_to_nlattr
=
ipv6_tuple_to_nlattr
,
.
nlattr_tuple_size
=
ipv6_nlattr_tuple_size
,
.
nlattr_to_tuple
=
ipv6_nlattr_to_tuple
,
.
nla_policy
=
ipv6_nla_policy
,
#endif
...
...
net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
View file @
01e6de64
...
...
@@ -269,6 +269,11 @@ static int icmpv6_nlattr_to_tuple(struct nlattr *tb[],
return
0
;
}
static
int
icmpv6_nlattr_tuple_size
(
void
)
{
return
nla_policy_len
(
icmpv6_nla_policy
,
CTA_PROTO_MAX
+
1
);
}
#endif
#ifdef CONFIG_SYSCTL
...
...
@@ -300,6 +305,7 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_icmpv6 __read_mostly =
.
error
=
icmpv6_error
,
#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
.
tuple_to_nlattr
=
icmpv6_tuple_to_nlattr
,
.
nlattr_tuple_size
=
icmpv6_nlattr_tuple_size
,
.
nlattr_to_tuple
=
icmpv6_nlattr_to_tuple
,
.
nla_policy
=
icmpv6_nla_policy
,
#endif
...
...
net/netfilter/Kconfig
View file @
01e6de64
...
...
@@ -374,7 +374,7 @@ config NETFILTER_XT_TARGET_HL
config NETFILTER_XT_TARGET_LED
tristate '"LED" target support'
depends on LEDS_CLASS
depends on LEDS_CLASS
&& LED_TRIGGERS
depends on NETFILTER_ADVANCED
help
This option adds a `LED' target, which allows you to blink LEDs in
...
...
net/netfilter/nf_conntrack_core.c
View file @
01e6de64
This diff is collapsed.
Click to expand it.
net/netfilter/nf_conntrack_expect.c
View file @
01e6de64
...
...
@@ -604,7 +604,7 @@ int nf_conntrack_expect_init(struct net *net)
net
->
ct
.
expect_count
=
0
;
net
->
ct
.
expect_hash
=
nf_ct_alloc_hashtable
(
&
nf_ct_expect_hsize
,
&
net
->
ct
.
expect_vmalloc
);
&
net
->
ct
.
expect_vmalloc
,
0
);
if
(
net
->
ct
.
expect_hash
==
NULL
)
goto
err1
;
...
...
net/netfilter/nf_conntrack_helper.c
View file @
01e6de64
...
...
@@ -142,6 +142,7 @@ int nf_conntrack_helper_register(struct nf_conntrack_helper *me)
BUG_ON
(
me
->
expect_policy
==
NULL
);
BUG_ON
(
me
->
expect_class_max
>=
NF_CT_MAX_EXPECT_CLASSES
);
BUG_ON
(
strlen
(
me
->
name
)
>
NF_CT_HELPER_NAME_LEN
-
1
);
mutex_lock
(
&
nf_ct_helper_mutex
);
hlist_add_head_rcu
(
&
me
->
hnode
,
&
nf_ct_helper_hash
[
h
]);
...
...
@@ -158,6 +159,7 @@ static void __nf_conntrack_helper_unregister(struct nf_conntrack_helper *me,
struct
nf_conntrack_tuple_hash
*
h
;
struct
nf_conntrack_expect
*
exp
;
const
struct
hlist_node
*
n
,
*
next
;
const
struct
hlist_nulls_node
*
nn
;
unsigned
int
i
;
/* Get rid of expectations */
...
...
@@ -174,10 +176,10 @@ static void __nf_conntrack_helper_unregister(struct nf_conntrack_helper *me,
}
/* Get rid of expecteds, set helpers to NULL. */
hlist_for_each_entry
(
h
,
n
,
&
net
->
ct
.
unconfirmed
,
h
node
)
hlist_for_each_entry
(
h
,
n
n
,
&
net
->
ct
.
unconfirmed
,
hn
node
)
unhelp
(
h
,
me
);
for
(
i
=
0
;
i
<
nf_conntrack_htable_size
;
i
++
)
{
hlist_
for_each_entry
(
h
,
n
,
&
net
->
ct
.
hash
[
i
],
h
node
)
hlist_
nulls_for_each_entry
(
h
,
nn
,
&
net
->
ct
.
hash
[
i
],
hn
node
)
unhelp
(
h
,
me
);
}
}
...
...
@@ -217,7 +219,7 @@ int nf_conntrack_helper_init(void)
nf_ct_helper_hsize
=
1
;
/* gets rounded up to use one page */
nf_ct_helper_hash
=
nf_ct_alloc_hashtable
(
&
nf_ct_helper_hsize
,
&
nf_ct_helper_vmalloc
);
&
nf_ct_helper_vmalloc
,
0
);
if
(
!
nf_ct_helper_hash
)
return
-
ENOMEM
;
...
...
net/netfilter/nf_conntrack_netlink.c
View file @
01e6de64
...
...
@@ -19,6 +19,7 @@
#include <linux/module.h>
#include <linux/kernel.h>
#include <linux/rculist.h>
#include <linux/rculist_nulls.h>
#include <linux/types.h>
#include <linux/timer.h>
#include <linux/skbuff.h>
...
...
@@ -404,6 +405,78 @@ ctnetlink_fill_info(struct sk_buff *skb, u32 pid, u32 seq,
}
#ifdef CONFIG_NF_CONNTRACK_EVENTS
/*
* The general structure of a ctnetlink event is
*
* CTA_TUPLE_ORIG
* <l3/l4-proto-attributes>
* CTA_TUPLE_REPLY
* <l3/l4-proto-attributes>
* CTA_ID
* ...
* CTA_PROTOINFO
* <l4-proto-attributes>
* CTA_TUPLE_MASTER
* <l3/l4-proto-attributes>
*
* Therefore the formular is
*
* size = sizeof(headers) + sizeof(generic_nlas) + 3 * sizeof(tuple_nlas)
* + sizeof(protoinfo_nlas)
*/
static
struct
sk_buff
*
ctnetlink_alloc_skb
(
const
struct
nf_conntrack_tuple
*
tuple
,
gfp_t
gfp
)
{
struct
nf_conntrack_l3proto
*
l3proto
;
struct
nf_conntrack_l4proto
*
l4proto
;
int
len
;
#define NLA_TYPE_SIZE(type) nla_total_size(sizeof(type))
/* proto independant part */
len
=
NLMSG_SPACE
(
sizeof
(
struct
nfgenmsg
))
+
3
*
nla_total_size
(
0
)
/* CTA_TUPLE_ORIG|REPL|MASTER */
+
3
*
nla_total_size
(
0
)
/* CTA_TUPLE_IP */
+
3
*
nla_total_size
(
0
)
/* CTA_TUPLE_PROTO */
+
3
*
NLA_TYPE_SIZE
(
u_int8_t
)
/* CTA_PROTO_NUM */
+
NLA_TYPE_SIZE
(
u_int32_t
)
/* CTA_ID */
+
NLA_TYPE_SIZE
(
u_int32_t
)
/* CTA_STATUS */
#ifdef CONFIG_NF_CT_ACCT
+
2
*
nla_total_size
(
0
)
/* CTA_COUNTERS_ORIG|REPL */
+
2
*
NLA_TYPE_SIZE
(
uint64_t
)
/* CTA_COUNTERS_PACKETS */
+
2
*
NLA_TYPE_SIZE
(
uint64_t
)
/* CTA_COUNTERS_BYTES */
#endif
+
NLA_TYPE_SIZE
(
u_int32_t
)
/* CTA_TIMEOUT */
+
nla_total_size
(
0
)
/* CTA_PROTOINFO */
+
nla_total_size
(
0
)
/* CTA_HELP */
+
nla_total_size
(
NF_CT_HELPER_NAME_LEN
)
/* CTA_HELP_NAME */
#ifdef CONFIG_NF_CONNTRACK_SECMARK
+
NLA_TYPE_SIZE
(
u_int32_t
)
/* CTA_SECMARK */
#endif
#ifdef CONFIG_NF_NAT_NEEDED
+
2
*
nla_total_size
(
0
)
/* CTA_NAT_SEQ_ADJ_ORIG|REPL */
+
2
*
NLA_TYPE_SIZE
(
u_int32_t
)
/* CTA_NAT_SEQ_CORRECTION_POS */
+
2
*
NLA_TYPE_SIZE
(
u_int32_t
)
/* CTA_NAT_SEQ_CORRECTION_BEFORE */
+
2
*
NLA_TYPE_SIZE
(
u_int32_t
)
/* CTA_NAT_SEQ_CORRECTION_AFTER */
#endif
#ifdef CONFIG_NF_CONNTRACK_MARK
+
NLA_TYPE_SIZE
(
u_int32_t
)
/* CTA_MARK */
#endif
;
#undef NLA_TYPE_SIZE
rcu_read_lock
();
l3proto
=
__nf_ct_l3proto_find
(
tuple
->
src
.
l3num
);
len
+=
l3proto
->
nla_size
;
l4proto
=
__nf_ct_l4proto_find
(
tuple
->
src
.
l3num
,
tuple
->
dst
.
protonum
);
len
+=
l4proto
->
nla_size
;
rcu_read_unlock
();
return
alloc_skb
(
len
,
gfp
);
}
static
int
ctnetlink_conntrack_event
(
struct
notifier_block
*
this
,
unsigned
long
events
,
void
*
ptr
)
{
...
...
@@ -437,7 +510,7 @@ static int ctnetlink_conntrack_event(struct notifier_block *this,
if
(
!
item
->
report
&&
!
nfnetlink_has_listeners
(
group
))
return
NOTIFY_DONE
;
skb
=
alloc_skb
(
NLMSG_GOODSIZE
,
GFP_ATOMIC
);
skb
=
ctnetlink_alloc_skb
(
tuple
(
ct
,
IP_CT_DIR_ORIGINAL
)
,
GFP_ATOMIC
);
if
(
!
skb
)
return
NOTIFY_DONE
;
...
...
@@ -536,7 +609,7 @@ ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
{
struct
nf_conn
*
ct
,
*
last
;
struct
nf_conntrack_tuple_hash
*
h
;
struct
hlist_node
*
n
;
struct
hlist_n
ulls_n
ode
*
n
;
struct
nfgenmsg
*
nfmsg
=
NLMSG_DATA
(
cb
->
nlh
);
u_int8_t
l3proto
=
nfmsg
->
nfgen_family
;
...
...
@@ -544,27 +617,27 @@ ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
last
=
(
struct
nf_conn
*
)
cb
->
args
[
1
];
for
(;
cb
->
args
[
0
]
<
nf_conntrack_htable_size
;
cb
->
args
[
0
]
++
)
{
restart:
hlist_for_each_entry_rcu
(
h
,
n
,
&
init_net
.
ct
.
hash
[
cb
->
args
[
0
]],
hnode
)
{
hlist_
nulls_
for_each_entry_rcu
(
h
,
n
,
&
init_net
.
ct
.
hash
[
cb
->
args
[
0
]],
hn
n
ode
)
{
if
(
NF_CT_DIRECTION
(
h
)
!=
IP_CT_DIR_ORIGINAL
)
continue
;
ct
=
nf_ct_tuplehash_to_ctrack
(
h
);
if
(
!
atomic_inc_not_zero
(
&
ct
->
ct_general
.
use
))
continue
;
/* Dump entries of a given L3 protocol number.
* If it is not specified, ie. l3proto == 0,
* then dump everything. */
if
(
l3proto
&&
nf_ct_l3num
(
ct
)
!=
l3proto
)
continue
;
goto
releasect
;
if
(
cb
->
args
[
1
])
{
if
(
ct
!=
last
)
continue
;
goto
releasect
;
cb
->
args
[
1
]
=
0
;
}
if
(
ctnetlink_fill_info
(
skb
,
NETLINK_CB
(
cb
->
skb
).
pid
,
cb
->
nlh
->
nlmsg_seq
,
IPCTNL_MSG_CT_NEW
,
1
,
ct
)
<
0
)
{
if
(
!
atomic_inc_not_zero
(
&
ct
->
ct_general
.
use
))
continue
;
cb
->
args
[
1
]
=
(
unsigned
long
)
ct
;
goto
out
;
}
...
...
@@ -577,6 +650,8 @@ ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
if
(
acct
)
memset
(
acct
,
0
,
sizeof
(
struct
nf_conn_counter
[
IP_CT_DIR_MAX
]));
}
releasect:
nf_ct_put
(
ct
);
}
if
(
cb
->
args
[
1
])
{
cb
->
args
[
1
]
=
0
;
...
...
@@ -1242,13 +1317,12 @@ ctnetlink_create_conntrack(struct nlattr *cda[],
if
(
err
<
0
)
goto
err2
;
master_h
=
__nf_conntrack_find
(
&
init_net
,
&
master
);
master_h
=
nf_conntrack_find_get
(
&
init_net
,
&
master
);
if
(
master_h
==
NULL
)
{
err
=
-
ENOENT
;
goto
err2
;
}
master_ct
=
nf_ct_tuplehash_to_ctrack
(
master_h
);
nf_conntrack_get
(
&
master_ct
->
ct_general
);
__set_bit
(
IPS_EXPECTED_BIT
,
&
ct
->
status
);
ct
->
master
=
master_ct
;
}
...
...
net/netfilter/nf_conntrack_proto.c
View file @
01e6de64
...
...
@@ -167,6 +167,9 @@ int nf_conntrack_l3proto_register(struct nf_conntrack_l3proto *proto)
if
(
proto
->
l3proto
>=
AF_MAX
)
return
-
EBUSY
;
if
(
proto
->
tuple_to_nlattr
&&
!
proto
->
nlattr_tuple_size
)
return
-
EINVAL
;
mutex_lock
(
&
nf_ct_proto_mutex
);
if
(
nf_ct_l3protos
[
proto
->
l3proto
]
!=
&
nf_conntrack_l3proto_generic
)
{
ret
=
-
EBUSY
;
...
...
@@ -177,6 +180,9 @@ int nf_conntrack_l3proto_register(struct nf_conntrack_l3proto *proto)
if
(
ret
<
0
)
goto
out_unlock
;
if
(
proto
->
nlattr_tuple_size
)
proto
->
nla_size
=
3
*
proto
->
nlattr_tuple_size
();
rcu_assign_pointer
(
nf_ct_l3protos
[
proto
->
l3proto
],
proto
);
out_unlock:
...
...
@@ -263,6 +269,10 @@ int nf_conntrack_l4proto_register(struct nf_conntrack_l4proto *l4proto)
if
(
l4proto
->
l3proto
>=
PF_MAX
)
return
-
EBUSY
;
if
((
l4proto
->
to_nlattr
&&
!
l4proto
->
nlattr_size
)
||
(
l4proto
->
tuple_to_nlattr
&&
!
l4proto
->
nlattr_tuple_size
))
return
-
EINVAL
;
mutex_lock
(
&
nf_ct_proto_mutex
);
if
(
!
nf_ct_protos
[
l4proto
->
l3proto
])
{
/* l3proto may be loaded latter. */
...
...
@@ -290,6 +300,12 @@ int nf_conntrack_l4proto_register(struct nf_conntrack_l4proto *l4proto)
if
(
ret
<
0
)
goto
out_unlock
;
l4proto
->
nla_size
=
0
;
if
(
l4proto
->
nlattr_size
)
l4proto
->
nla_size
+=
l4proto
->
nlattr_size
();
if
(
l4proto
->
nlattr_tuple_size
)
l4proto
->
nla_size
+=
3
*
l4proto
->
nlattr_tuple_size
();
rcu_assign_pointer
(
nf_ct_protos
[
l4proto
->
l3proto
][
l4proto
->
l4proto
],
l4proto
);
...
...
net/netfilter/nf_conntrack_proto_dccp.c
View file @
01e6de64
...
...
@@ -669,6 +669,12 @@ static int nlattr_to_dccp(struct nlattr *cda[], struct nf_conn *ct)
write_unlock_bh
(
&
dccp_lock
);
return
0
;
}
static
int
dccp_nlattr_size
(
void
)
{
return
nla_total_size
(
0
)
/* CTA_PROTOINFO_DCCP */
+
nla_policy_len
(
dccp_nla_policy
,
CTA_PROTOINFO_DCCP_MAX
+
1
);
}
#endif
#ifdef CONFIG_SYSCTL
...
...
@@ -749,8 +755,10 @@ static struct nf_conntrack_l4proto dccp_proto4 __read_mostly = {
.
print_conntrack
=
dccp_print_conntrack
,
#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
.
to_nlattr
=
dccp_to_nlattr
,
.
nlattr_size
=
dccp_nlattr_size
,
.
from_nlattr
=
nlattr_to_dccp
,
.
tuple_to_nlattr
=
nf_ct_port_tuple_to_nlattr
,
.
nlattr_tuple_size
=
nf_ct_port_nlattr_tuple_size
,
.
nlattr_to_tuple
=
nf_ct_port_nlattr_to_tuple
,
.
nla_policy
=
nf_ct_port_nla_policy
,
#endif
...
...
@@ -771,6 +779,7 @@ static struct nf_conntrack_l4proto dccp_proto6 __read_mostly = {
.
to_nlattr
=
dccp_to_nlattr
,
.
from_nlattr
=
nlattr_to_dccp
,
.
tuple_to_nlattr
=
nf_ct_port_tuple_to_nlattr
,
.
nlattr_tuple_size
=
nf_ct_port_nlattr_tuple_size
,
.
nlattr_to_tuple
=
nf_ct_port_nlattr_to_tuple
,
.
nla_policy
=
nf_ct_port_nla_policy
,
#endif
...
...
net/netfilter/nf_conntrack_proto_gre.c
View file @
01e6de64
...
...
@@ -293,6 +293,7 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_gre4 __read_mostly = {
.
me
=
THIS_MODULE
,
#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
.
tuple_to_nlattr
=
nf_ct_port_tuple_to_nlattr
,
.
nlattr_tuple_size
=
nf_ct_port_nlattr_tuple_size
,
.
nlattr_to_tuple
=
nf_ct_port_nlattr_to_tuple
,
.
nla_policy
=
nf_ct_port_nla_policy
,
#endif
...
...
net/netfilter/nf_conntrack_proto_sctp.c
View file @
01e6de64
...
...
@@ -537,6 +537,12 @@ static int nlattr_to_sctp(struct nlattr *cda[], struct nf_conn *ct)
return
0
;
}
static
int
sctp_nlattr_size
(
void
)
{
return
nla_total_size
(
0
)
/* CTA_PROTOINFO_SCTP */
+
nla_policy_len
(
sctp_nla_policy
,
CTA_PROTOINFO_SCTP_MAX
+
1
);
}
#endif
#ifdef CONFIG_SYSCTL
...
...
@@ -668,8 +674,10 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp4 __read_mostly = {
.
me
=
THIS_MODULE
,
#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
.
to_nlattr
=
sctp_to_nlattr
,
.
nlattr_size
=
sctp_nlattr_size
,
.
from_nlattr
=
nlattr_to_sctp
,
.
tuple_to_nlattr
=
nf_ct_port_tuple_to_nlattr
,
.
nlattr_tuple_size
=
nf_ct_port_nlattr_tuple_size
,
.
nlattr_to_tuple
=
nf_ct_port_nlattr_to_tuple
,
.
nla_policy
=
nf_ct_port_nla_policy
,
#endif
...
...
@@ -696,8 +704,10 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_sctp6 __read_mostly = {
.
me
=
THIS_MODULE
,
#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
.
to_nlattr
=
sctp_to_nlattr
,
.
nlattr_size
=
sctp_nlattr_size
,
.
from_nlattr
=
nlattr_to_sctp
,
.
tuple_to_nlattr
=
nf_ct_port_tuple_to_nlattr
,
.
nlattr_tuple_size
=
nf_ct_port_nlattr_tuple_size
,
.
nlattr_to_tuple
=
nf_ct_port_nlattr_to_tuple
,
.
nla_policy
=
nf_ct_port_nla_policy
,
#endif
...
...
net/netfilter/nf_conntrack_proto_tcp.c
View file @
01e6de64
...
...
@@ -1184,6 +1184,17 @@ static int nlattr_to_tcp(struct nlattr *cda[], struct nf_conn *ct)
return
0
;
}
static
int
tcp_nlattr_size
(
void
)
{
return
nla_total_size
(
0
)
/* CTA_PROTOINFO_TCP */
+
nla_policy_len
(
tcp_nla_policy
,
CTA_PROTOINFO_TCP_MAX
+
1
);
}
static
int
tcp_nlattr_tuple_size
(
void
)
{
return
nla_policy_len
(
nf_ct_port_nla_policy
,
CTA_PROTO_MAX
+
1
);
}
#endif
#ifdef CONFIG_SYSCTL
...
...
@@ -1399,9 +1410,11 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp4 __read_mostly =
.
error
=
tcp_error
,
#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
.
to_nlattr
=
tcp_to_nlattr
,
.
nlattr_size
=
tcp_nlattr_size
,
.
from_nlattr
=
nlattr_to_tcp
,
.
tuple_to_nlattr
=
nf_ct_port_tuple_to_nlattr
,
.
nlattr_to_tuple
=
nf_ct_port_nlattr_to_tuple
,
.
nlattr_tuple_size
=
tcp_nlattr_tuple_size
,
.
nla_policy
=
nf_ct_port_nla_policy
,
#endif
#ifdef CONFIG_SYSCTL
...
...
@@ -1429,9 +1442,11 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_tcp6 __read_mostly =
.
error
=
tcp_error
,
#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
.
to_nlattr
=
tcp_to_nlattr
,
.
nlattr_size
=
tcp_nlattr_size
,
.
from_nlattr
=
nlattr_to_tcp
,
.
tuple_to_nlattr
=
nf_ct_port_tuple_to_nlattr
,
.
nlattr_to_tuple
=
nf_ct_port_nlattr_to_tuple
,
.
nlattr_tuple_size
=
tcp_nlattr_tuple_size
,
.
nla_policy
=
nf_ct_port_nla_policy
,
#endif
#ifdef CONFIG_SYSCTL
...
...
net/netfilter/nf_conntrack_proto_udp.c
View file @
01e6de64
...
...
@@ -195,6 +195,7 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_udp4 __read_mostly =
#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
.
tuple_to_nlattr
=
nf_ct_port_tuple_to_nlattr
,
.
nlattr_to_tuple
=
nf_ct_port_nlattr_to_tuple
,
.
nlattr_tuple_size
=
nf_ct_port_nlattr_tuple_size
,
.
nla_policy
=
nf_ct_port_nla_policy
,
#endif
#ifdef CONFIG_SYSCTL
...
...
@@ -222,6 +223,7 @@ struct nf_conntrack_l4proto nf_conntrack_l4proto_udp6 __read_mostly =
#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
.
tuple_to_nlattr
=
nf_ct_port_tuple_to_nlattr
,
.
nlattr_to_tuple
=
nf_ct_port_nlattr_to_tuple
,
.
nlattr_tuple_size
=
nf_ct_port_nlattr_tuple_size
,
.
nla_policy
=
nf_ct_port_nla_policy
,
#endif
#ifdef CONFIG_SYSCTL
...
...
net/netfilter/nf_conntrack_proto_udplite.c
View file @
01e6de64
...
...
@@ -180,6 +180,7 @@ static struct nf_conntrack_l4proto nf_conntrack_l4proto_udplite4 __read_mostly =
.
error
=
udplite_error
,
#if defined(CONFIG_NF_CT_NETLINK) || defined(CONFIG_NF_CT_NETLINK_MODULE)
.
tuple_to_nlattr
=
nf_ct_port_tuple_to_nlattr
,
.
nlattr_tuple_size
=
nf_ct_port_nlattr_tuple_size
,
.
nlattr_to_tuple
=
nf_ct_port_nlattr_to_tuple
,
.
nla_policy
=
nf_ct_port_nla_policy
,
#endif
...
...
net/netfilter/nf_conntrack_standalone.c
View file @
01e6de64
...
...
@@ -44,40 +44,42 @@ struct ct_iter_state {
unsigned
int
bucket
;
};
static
struct
hlist_node
*
ct_get_first
(
struct
seq_file
*
seq
)
static
struct
hlist_n
ulls_n
ode
*
ct_get_first
(
struct
seq_file
*
seq
)
{
struct
net
*
net
=
seq_file_net
(
seq
);
struct
ct_iter_state
*
st
=
seq
->
private
;
struct
hlist_node
*
n
;
struct
hlist_n
ulls_n
ode
*
n
;
for
(
st
->
bucket
=
0
;
st
->
bucket
<
nf_conntrack_htable_size
;
st
->
bucket
++
)
{
n
=
rcu_dereference
(
net
->
ct
.
hash
[
st
->
bucket
].
first
);
if
(
n
)
if
(
!
is_a_nulls
(
n
)
)
return
n
;
}
return
NULL
;
}
static
struct
hlist_node
*
ct_get_next
(
struct
seq_file
*
seq
,
struct
hlist_node
*
head
)
static
struct
hlist_n
ulls_n
ode
*
ct_get_next
(
struct
seq_file
*
seq
,
struct
hlist_n
ulls_n
ode
*
head
)
{
struct
net
*
net
=
seq_file_net
(
seq
);
struct
ct_iter_state
*
st
=
seq
->
private
;
head
=
rcu_dereference
(
head
->
next
);
while
(
head
==
NULL
)
{
while
(
is_a_nulls
(
head
))
{
if
(
likely
(
get_nulls_value
(
head
)
==
st
->
bucket
))
{
if
(
++
st
->
bucket
>=
nf_conntrack_htable_size
)
return
NULL
;
}
head
=
rcu_dereference
(
net
->
ct
.
hash
[
st
->
bucket
].
first
);
}
return
head
;
}
static
struct
hlist_node
*
ct_get_idx
(
struct
seq_file
*
seq
,
loff_t
pos
)
static
struct
hlist_n
ulls_n
ode
*
ct_get_idx
(
struct
seq_file
*
seq
,
loff_t
pos
)
{
struct
hlist_node
*
head
=
ct_get_first
(
seq
);
struct
hlist_n
ulls_n
ode
*
head
=
ct_get_first
(
seq
);
if
(
head
)
while
(
pos
&&
(
head
=
ct_get_next
(
seq
,
head
)))
...
...
@@ -107,67 +109,74 @@ static void ct_seq_stop(struct seq_file *s, void *v)
/* return 0 on success, 1 in case of error */
static
int
ct_seq_show
(
struct
seq_file
*
s
,
void
*
v
)
{
const
struct
nf_conntrack_tuple_hash
*
hash
=
v
;
const
struct
nf_conn
*
ct
=
nf_ct_tuplehash_to_ctrack
(
hash
);
struct
nf_conntrack_tuple_hash
*
hash
=
v
;
struct
nf_conn
*
ct
=
nf_ct_tuplehash_to_ctrack
(
hash
);
const
struct
nf_conntrack_l3proto
*
l3proto
;
const
struct
nf_conntrack_l4proto
*
l4proto
;
int
ret
=
0
;
NF_CT_ASSERT
(
ct
);
if
(
unlikely
(
!
atomic_inc_not_zero
(
&
ct
->
ct_general
.
use
)))
return
0
;
/* we only want to print DIR_ORIGINAL */
if
(
NF_CT_DIRECTION
(
hash
))
return
0
;
goto
release
;
l3proto
=
__nf_ct_l3proto_find
(
nf_ct_l3num
(
ct
));
NF_CT_ASSERT
(
l3proto
);
l4proto
=
__nf_ct_l4proto_find
(
nf_ct_l3num
(
ct
),
nf_ct_protonum
(
ct
));
NF_CT_ASSERT
(
l4proto
);
ret
=
-
ENOSPC
;
if
(
seq_printf
(
s
,
"%-8s %u %-8s %u %ld "
,
l3proto
->
name
,
nf_ct_l3num
(
ct
),
l4proto
->
name
,
nf_ct_protonum
(
ct
),
timer_pending
(
&
ct
->
timeout
)
?
(
long
)(
ct
->
timeout
.
expires
-
jiffies
)
/
HZ
:
0
)
!=
0
)
return
-
ENOSPC
;
goto
release
;
if
(
l4proto
->
print_conntrack
&&
l4proto
->
print_conntrack
(
s
,
ct
))
return
-
ENOSPC
;
goto
release
;
if
(
print_tuple
(
s
,
&
ct
->
tuplehash
[
IP_CT_DIR_ORIGINAL
].
tuple
,
l3proto
,
l4proto
))
return
-
ENOSPC
;
goto
release
;
if
(
seq_print_acct
(
s
,
ct
,
IP_CT_DIR_ORIGINAL
))
return
-
ENOSPC
;
goto
release
;
if
(
!
(
test_bit
(
IPS_SEEN_REPLY_BIT
,
&
ct
->
status
)))
if
(
seq_printf
(
s
,
"[UNREPLIED] "
))
return
-
ENOSPC
;
goto
release
;
if
(
print_tuple
(
s
,
&
ct
->
tuplehash
[
IP_CT_DIR_REPLY
].
tuple
,
l3proto
,
l4proto
))
return
-
ENOSPC
;
goto
release
;
if
(
seq_print_acct
(
s
,
ct
,
IP_CT_DIR_REPLY
))
return
-
ENOSPC
;
goto
release
;
if
(
test_bit
(
IPS_ASSURED_BIT
,
&
ct
->
status
))
if
(
seq_printf
(
s
,
"[ASSURED] "
))
return
-
ENOSPC
;
goto
release
;
#if defined(CONFIG_NF_CONNTRACK_MARK)
if
(
seq_printf
(
s
,
"mark=%u "
,
ct
->
mark
))
return
-
ENOSPC
;
goto
release
;
#endif
#ifdef CONFIG_NF_CONNTRACK_SECMARK
if
(
seq_printf
(
s
,
"secmark=%u "
,
ct
->
secmark
))
return
-
ENOSPC
;
goto
release
;
#endif
if
(
seq_printf
(
s
,
"use=%u
\n
"
,
atomic_read
(
&
ct
->
ct_general
.
use
)))
return
-
ENOSPC
;
goto
release
;
ret
=
0
;
release:
nf_ct_put
(
ct
);
return
0
;
}
...
...
net/netfilter/xt_connlimit.c
View file @
01e6de64
...
...
@@ -108,7 +108,7 @@ static int count_them(struct xt_connlimit_data *data,
const
struct
nf_conntrack_tuple_hash
*
found
;
struct
xt_connlimit_conn
*
conn
;
struct
xt_connlimit_conn
*
tmp
;
const
struct
nf_conn
*
found_ct
;
struct
nf_conn
*
found_ct
;
struct
list_head
*
hash
;
bool
addit
=
true
;
int
matches
=
0
;
...
...
@@ -123,7 +123,7 @@ static int count_them(struct xt_connlimit_data *data,
/* check the saved connections */
list_for_each_entry_safe
(
conn
,
tmp
,
hash
,
list
)
{
found
=
__nf_conntrack_find
(
&
init_net
,
&
conn
->
tuple
);
found
=
nf_conntrack_find_get
(
&
init_net
,
&
conn
->
tuple
);
found_ct
=
NULL
;
if
(
found
!=
NULL
)
...
...
@@ -151,6 +151,7 @@ static int count_them(struct xt_connlimit_data *data,
* we do not care about connections which are
* closed already -> ditch it
*/
nf_ct_put
(
found_ct
);
list_del
(
&
conn
->
list
);
kfree
(
conn
);
continue
;
...
...
@@ -160,6 +161,7 @@ static int count_them(struct xt_connlimit_data *data,
match
->
family
))
/* same source network -> be counted! */
++
matches
;
nf_ct_put
(
found_ct
);
}
rcu_read_unlock
();
...
...
net/netfilter/xt_physdev.c
View file @
01e6de64
...
...
@@ -20,23 +20,6 @@ MODULE_DESCRIPTION("Xtables: Bridge physical device match");
MODULE_ALIAS
(
"ipt_physdev"
);
MODULE_ALIAS
(
"ip6t_physdev"
);
static
unsigned
long
ifname_compare
(
const
char
*
_a
,
const
char
*
_b
,
const
char
*
_mask
)
{
const
unsigned
long
*
a
=
(
const
unsigned
long
*
)
_a
;
const
unsigned
long
*
b
=
(
const
unsigned
long
*
)
_b
;
const
unsigned
long
*
mask
=
(
const
unsigned
long
*
)
_mask
;
unsigned
long
ret
;
ret
=
(
a
[
0
]
^
b
[
0
])
&
mask
[
0
];
if
(
IFNAMSIZ
>
sizeof
(
unsigned
long
))
ret
|=
(
a
[
1
]
^
b
[
1
])
&
mask
[
1
];
if
(
IFNAMSIZ
>
2
*
sizeof
(
unsigned
long
))
ret
|=
(
a
[
2
]
^
b
[
2
])
&
mask
[
2
];
if
(
IFNAMSIZ
>
3
*
sizeof
(
unsigned
long
))
ret
|=
(
a
[
3
]
^
b
[
3
])
&
mask
[
3
];
BUILD_BUG_ON
(
IFNAMSIZ
>
4
*
sizeof
(
unsigned
long
));
return
ret
;
}
static
bool
physdev_mt
(
const
struct
sk_buff
*
skb
,
const
struct
xt_match_param
*
par
)
...
...
@@ -85,7 +68,7 @@ physdev_mt(const struct sk_buff *skb, const struct xt_match_param *par)
if
(
!
(
info
->
bitmask
&
XT_PHYSDEV_OP_IN
))
goto
match_outdev
;
indev
=
nf_bridge
->
physindev
?
nf_bridge
->
physindev
->
name
:
nulldevname
;
ret
=
ifname_compare
(
indev
,
info
->
physindev
,
info
->
in_mask
);
ret
=
ifname_compare
_aligned
(
indev
,
info
->
physindev
,
info
->
in_mask
);
if
(
!
ret
^
!
(
info
->
invert
&
XT_PHYSDEV_OP_IN
))
return
false
;
...
...
@@ -95,7 +78,7 @@ physdev_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return
true
;
outdev
=
nf_bridge
->
physoutdev
?
nf_bridge
->
physoutdev
->
name
:
nulldevname
;
ret
=
ifname_compare
(
outdev
,
info
->
physoutdev
,
info
->
out_mask
);
ret
=
ifname_compare
_aligned
(
outdev
,
info
->
physoutdev
,
info
->
out_mask
);
return
(
!!
ret
^
!
(
info
->
invert
&
XT_PHYSDEV_OP_OUT
));
}
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment