Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
L
linux
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
linux
Commits
a8c28d05
Commit
a8c28d05
authored
Feb 10, 2010
by
Patrick McHardy
Browse files
Options
Browse Files
Download
Plain Diff
Merge branch 'master' of
git://dev.medozas.de/linux
parents
d0b0268f
e3eaa991
Changes
19
Show whitespace changes
Inline
Side-by-side
Showing
19 changed files
with
348 additions
and
825 deletions
+348
-825
include/linux/netfilter/x_tables.h
include/linux/netfilter/x_tables.h
+4
-0
include/linux/netfilter_arp/arp_tables.h
include/linux/netfilter_arp/arp_tables.h
+1
-0
include/linux/netfilter_ipv4/ip_tables.h
include/linux/netfilter_ipv4/ip_tables.h
+1
-0
include/linux/netfilter_ipv6/ip6_tables.h
include/linux/netfilter_ipv6/ip6_tables.h
+1
-0
net/ipv4/netfilter/arp_tables.c
net/ipv4/netfilter/arp_tables.c
+7
-0
net/ipv4/netfilter/arptable_filter.c
net/ipv4/netfilter/arptable_filter.c
+21
-74
net/ipv4/netfilter/ip_tables.c
net/ipv4/netfilter/ip_tables.c
+7
-0
net/ipv4/netfilter/iptable_filter.c
net/ipv4/netfilter/iptable_filter.c
+29
-93
net/ipv4/netfilter/iptable_mangle.c
net/ipv4/netfilter/iptable_mangle.c
+30
-124
net/ipv4/netfilter/iptable_raw.c
net/ipv4/netfilter/iptable_raw.c
+25
-69
net/ipv4/netfilter/iptable_security.c
net/ipv4/netfilter/iptable_security.c
+26
-89
net/ipv4/netfilter/nf_nat_rule.c
net/ipv4/netfilter/nf_nat_rule.c
+7
-32
net/ipv6/netfilter/ip6_tables.c
net/ipv6/netfilter/ip6_tables.c
+7
-0
net/ipv6/netfilter/ip6table_filter.c
net/ipv6/netfilter/ip6table_filter.c
+23
-88
net/ipv6/netfilter/ip6table_mangle.c
net/ipv6/netfilter/ip6table_mangle.c
+28
-103
net/ipv6/netfilter/ip6table_raw.c
net/ipv6/netfilter/ip6table_raw.c
+19
-65
net/ipv6/netfilter/ip6table_security.c
net/ipv6/netfilter/ip6table_security.c
+20
-87
net/netfilter/x_tables.c
net/netfilter/x_tables.c
+57
-1
net/netfilter/xt_repldata.h
net/netfilter/xt_repldata.h
+35
-0
No files found.
include/linux/netfilter/x_tables.h
View file @
a8c28d05
...
@@ -360,6 +360,7 @@ struct xt_table {
...
@@ -360,6 +360,7 @@ struct xt_table {
struct
module
*
me
;
struct
module
*
me
;
u_int8_t
af
;
/* address/protocol family */
u_int8_t
af
;
/* address/protocol family */
int
priority
;
/* hook order */
/* A unique name... */
/* A unique name... */
const
char
name
[
XT_TABLE_MAXNAMELEN
];
const
char
name
[
XT_TABLE_MAXNAMELEN
];
...
@@ -521,6 +522,9 @@ static inline unsigned long ifname_compare_aligned(const char *_a,
...
@@ -521,6 +522,9 @@ static inline unsigned long ifname_compare_aligned(const char *_a,
return
ret
;
return
ret
;
}
}
extern
struct
nf_hook_ops
*
xt_hook_link
(
const
struct
xt_table
*
,
nf_hookfn
*
);
extern
void
xt_hook_unlink
(
const
struct
xt_table
*
,
struct
nf_hook_ops
*
);
#ifdef CONFIG_COMPAT
#ifdef CONFIG_COMPAT
#include <net/compat.h>
#include <net/compat.h>
...
...
include/linux/netfilter_arp/arp_tables.h
View file @
a8c28d05
...
@@ -258,6 +258,7 @@ struct arpt_error {
...
@@ -258,6 +258,7 @@ struct arpt_error {
.target.errorname = "ERROR", \
.target.errorname = "ERROR", \
}
}
extern
void
*
arpt_alloc_initial_table
(
const
struct
xt_table
*
);
extern
struct
xt_table
*
arpt_register_table
(
struct
net
*
net
,
extern
struct
xt_table
*
arpt_register_table
(
struct
net
*
net
,
const
struct
xt_table
*
table
,
const
struct
xt_table
*
table
,
const
struct
arpt_replace
*
repl
);
const
struct
arpt_replace
*
repl
);
...
...
include/linux/netfilter_ipv4/ip_tables.h
View file @
a8c28d05
...
@@ -282,6 +282,7 @@ struct ipt_error {
...
@@ -282,6 +282,7 @@ struct ipt_error {
.target.errorname = "ERROR", \
.target.errorname = "ERROR", \
}
}
extern
void
*
ipt_alloc_initial_table
(
const
struct
xt_table
*
);
extern
unsigned
int
ipt_do_table
(
struct
sk_buff
*
skb
,
extern
unsigned
int
ipt_do_table
(
struct
sk_buff
*
skb
,
unsigned
int
hook
,
unsigned
int
hook
,
const
struct
net_device
*
in
,
const
struct
net_device
*
in
,
...
...
include/linux/netfilter_ipv6/ip6_tables.h
View file @
a8c28d05
...
@@ -297,6 +297,7 @@ ip6t_get_target(struct ip6t_entry *e)
...
@@ -297,6 +297,7 @@ ip6t_get_target(struct ip6t_entry *e)
#include <linux/init.h>
#include <linux/init.h>
extern
void
ip6t_init
(
void
)
__init
;
extern
void
ip6t_init
(
void
)
__init
;
extern
void
*
ip6t_alloc_initial_table
(
const
struct
xt_table
*
);
extern
struct
xt_table
*
ip6t_register_table
(
struct
net
*
net
,
extern
struct
xt_table
*
ip6t_register_table
(
struct
net
*
net
,
const
struct
xt_table
*
table
,
const
struct
xt_table
*
table
,
const
struct
ip6t_replace
*
repl
);
const
struct
ip6t_replace
*
repl
);
...
...
net/ipv4/netfilter/arp_tables.c
View file @
a8c28d05
...
@@ -27,6 +27,7 @@
...
@@ -27,6 +27,7 @@
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_arp/arp_tables.h>
#include <linux/netfilter_arp/arp_tables.h>
#include "../../netfilter/xt_repldata.h"
MODULE_LICENSE
(
"GPL"
);
MODULE_LICENSE
(
"GPL"
);
MODULE_AUTHOR
(
"David S. Miller <davem@redhat.com>"
);
MODULE_AUTHOR
(
"David S. Miller <davem@redhat.com>"
);
...
@@ -58,6 +59,12 @@ do { \
...
@@ -58,6 +59,12 @@ do { \
#define ARP_NF_ASSERT(x)
#define ARP_NF_ASSERT(x)
#endif
#endif
void
*
arpt_alloc_initial_table
(
const
struct
xt_table
*
info
)
{
return
xt_alloc_initial_table
(
arpt
,
ARPT
);
}
EXPORT_SYMBOL_GPL
(
arpt_alloc_initial_table
);
static
inline
int
arp_devaddr_compare
(
const
struct
arpt_devaddr_info
*
ap
,
static
inline
int
arp_devaddr_compare
(
const
struct
arpt_devaddr_info
*
ap
,
const
char
*
hdr_addr
,
int
len
)
const
char
*
hdr_addr
,
int
len
)
{
{
...
...
net/ipv4/netfilter/arptable_filter.c
View file @
a8c28d05
...
@@ -6,6 +6,7 @@
...
@@ -6,6 +6,7 @@
*/
*/
#include <linux/module.h>
#include <linux/module.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_arp/arp_tables.h>
#include <linux/netfilter_arp/arp_tables.h>
MODULE_LICENSE
(
"GPL"
);
MODULE_LICENSE
(
"GPL"
);
...
@@ -15,93 +16,37 @@ MODULE_DESCRIPTION("arptables filter table");
...
@@ -15,93 +16,37 @@ MODULE_DESCRIPTION("arptables filter table");
#define FILTER_VALID_HOOKS ((1 << NF_ARP_IN) | (1 << NF_ARP_OUT) | \
#define FILTER_VALID_HOOKS ((1 << NF_ARP_IN) | (1 << NF_ARP_OUT) | \
(1 << NF_ARP_FORWARD))
(1 << NF_ARP_FORWARD))
static
const
struct
{
struct
arpt_replace
repl
;
struct
arpt_standard
entries
[
3
];
struct
arpt_error
term
;
}
initial_table
__net_initdata
=
{
.
repl
=
{
.
name
=
"filter"
,
.
valid_hooks
=
FILTER_VALID_HOOKS
,
.
num_entries
=
4
,
.
size
=
sizeof
(
struct
arpt_standard
)
*
3
+
sizeof
(
struct
arpt_error
),
.
hook_entry
=
{
[
NF_ARP_IN
]
=
0
,
[
NF_ARP_OUT
]
=
sizeof
(
struct
arpt_standard
),
[
NF_ARP_FORWARD
]
=
2
*
sizeof
(
struct
arpt_standard
),
},
.
underflow
=
{
[
NF_ARP_IN
]
=
0
,
[
NF_ARP_OUT
]
=
sizeof
(
struct
arpt_standard
),
[
NF_ARP_FORWARD
]
=
2
*
sizeof
(
struct
arpt_standard
),
},
},
.
entries
=
{
ARPT_STANDARD_INIT
(
NF_ACCEPT
),
/* ARP_IN */
ARPT_STANDARD_INIT
(
NF_ACCEPT
),
/* ARP_OUT */
ARPT_STANDARD_INIT
(
NF_ACCEPT
),
/* ARP_FORWARD */
},
.
term
=
ARPT_ERROR_INIT
,
};
static
const
struct
xt_table
packet_filter
=
{
static
const
struct
xt_table
packet_filter
=
{
.
name
=
"filter"
,
.
name
=
"filter"
,
.
valid_hooks
=
FILTER_VALID_HOOKS
,
.
valid_hooks
=
FILTER_VALID_HOOKS
,
.
me
=
THIS_MODULE
,
.
me
=
THIS_MODULE
,
.
af
=
NFPROTO_ARP
,
.
af
=
NFPROTO_ARP
,
.
priority
=
NF_IP_PRI_FILTER
,
};
};
/* The work comes in here from netfilter.c */
/* The work comes in here from netfilter.c */
static
unsigned
int
arpt_in_hook
(
unsigned
int
hook
,
static
unsigned
int
struct
sk_buff
*
skb
,
arptable_filter_hook
(
unsigned
int
hook
,
struct
sk_buff
*
skb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
const
struct
net_device
*
out
,
int
(
*
okfn
)(
struct
sk_buff
*
))
int
(
*
okfn
)(
struct
sk_buff
*
))
{
{
return
arpt_do_table
(
skb
,
hook
,
in
,
out
,
const
struct
net
*
net
=
dev_net
((
in
!=
NULL
)
?
in
:
out
);
dev_net
(
in
)
->
ipv4
.
arptable_filter
);
}
static
unsigned
int
arpt_out_hook
(
unsigned
int
hook
,
return
arpt_do_table
(
skb
,
hook
,
in
,
out
,
net
->
ipv4
.
arptable_filter
);
struct
sk_buff
*
skb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
int
(
*
okfn
)(
struct
sk_buff
*
))
{
return
arpt_do_table
(
skb
,
hook
,
in
,
out
,
dev_net
(
out
)
->
ipv4
.
arptable_filter
);
}
}
static
struct
nf_hook_ops
arpt_ops
[]
__read_mostly
=
{
static
struct
nf_hook_ops
*
arpfilter_ops
__read_mostly
;
{
.
hook
=
arpt_in_hook
,
.
owner
=
THIS_MODULE
,
.
pf
=
NFPROTO_ARP
,
.
hooknum
=
NF_ARP_IN
,
.
priority
=
NF_IP_PRI_FILTER
,
},
{
.
hook
=
arpt_out_hook
,
.
owner
=
THIS_MODULE
,
.
pf
=
NFPROTO_ARP
,
.
hooknum
=
NF_ARP_OUT
,
.
priority
=
NF_IP_PRI_FILTER
,
},
{
.
hook
=
arpt_in_hook
,
.
owner
=
THIS_MODULE
,
.
pf
=
NFPROTO_ARP
,
.
hooknum
=
NF_ARP_FORWARD
,
.
priority
=
NF_IP_PRI_FILTER
,
},
};
static
int
__net_init
arptable_filter_net_init
(
struct
net
*
net
)
static
int
__net_init
arptable_filter_net_init
(
struct
net
*
net
)
{
{
/* Register table */
struct
arpt_replace
*
repl
;
repl
=
arpt_alloc_initial_table
(
&
packet_filter
);
if
(
repl
==
NULL
)
return
-
ENOMEM
;
net
->
ipv4
.
arptable_filter
=
net
->
ipv4
.
arptable_filter
=
arpt_register_table
(
net
,
&
packet_filter
,
&
initial_table
.
repl
);
arpt_register_table
(
net
,
&
packet_filter
,
repl
);
kfree
(
repl
);
if
(
IS_ERR
(
net
->
ipv4
.
arptable_filter
))
if
(
IS_ERR
(
net
->
ipv4
.
arptable_filter
))
return
PTR_ERR
(
net
->
ipv4
.
arptable_filter
);
return
PTR_ERR
(
net
->
ipv4
.
arptable_filter
);
return
0
;
return
0
;
...
@@ -125,9 +70,11 @@ static int __init arptable_filter_init(void)
...
@@ -125,9 +70,11 @@ static int __init arptable_filter_init(void)
if
(
ret
<
0
)
if
(
ret
<
0
)
return
ret
;
return
ret
;
ret
=
nf_register_hooks
(
arpt_ops
,
ARRAY_SIZE
(
arpt_ops
));
arpfilter_ops
=
xt_hook_link
(
&
packet_filter
,
arptable_filter_hook
);
if
(
ret
<
0
)
if
(
IS_ERR
(
arpfilter_ops
))
{
ret
=
PTR_ERR
(
arpfilter_ops
);
goto
cleanup_table
;
goto
cleanup_table
;
}
return
ret
;
return
ret
;
cleanup_table:
cleanup_table:
...
@@ -137,7 +84,7 @@ static int __init arptable_filter_init(void)
...
@@ -137,7 +84,7 @@ static int __init arptable_filter_init(void)
static
void
__exit
arptable_filter_fini
(
void
)
static
void
__exit
arptable_filter_fini
(
void
)
{
{
nf_unregister_hooks
(
arpt_ops
,
ARRAY_SIZE
(
arpt_ops
)
);
xt_hook_unlink
(
&
packet_filter
,
arpfilter_ops
);
unregister_pernet_subsys
(
&
arptable_filter_net_ops
);
unregister_pernet_subsys
(
&
arptable_filter_net_ops
);
}
}
...
...
net/ipv4/netfilter/ip_tables.c
View file @
a8c28d05
...
@@ -28,6 +28,7 @@
...
@@ -28,6 +28,7 @@
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <net/netfilter/nf_log.h>
#include <net/netfilter/nf_log.h>
#include "../../netfilter/xt_repldata.h"
MODULE_LICENSE
(
"GPL"
);
MODULE_LICENSE
(
"GPL"
);
MODULE_AUTHOR
(
"Netfilter Core Team <coreteam@netfilter.org>"
);
MODULE_AUTHOR
(
"Netfilter Core Team <coreteam@netfilter.org>"
);
...
@@ -66,6 +67,12 @@ do { \
...
@@ -66,6 +67,12 @@ do { \
#define inline
#define inline
#endif
#endif
void
*
ipt_alloc_initial_table
(
const
struct
xt_table
*
info
)
{
return
xt_alloc_initial_table
(
ipt
,
IPT
);
}
EXPORT_SYMBOL_GPL
(
ipt_alloc_initial_table
);
/*
/*
We keep a set of rules for each CPU, so we can avoid write-locking
We keep a set of rules for each CPU, so we can avoid write-locking
them in the softirq when updating the counters and therefore
them in the softirq when updating the counters and therefore
...
...
net/ipv4/netfilter/iptable_filter.c
View file @
a8c28d05
...
@@ -23,104 +23,32 @@ MODULE_DESCRIPTION("iptables filter table");
...
@@ -23,104 +23,32 @@ MODULE_DESCRIPTION("iptables filter table");
(1 << NF_INET_FORWARD) | \
(1 << NF_INET_FORWARD) | \
(1 << NF_INET_LOCAL_OUT))
(1 << NF_INET_LOCAL_OUT))
static
struct
{
struct
ipt_replace
repl
;
struct
ipt_standard
entries
[
3
];
struct
ipt_error
term
;
}
initial_table
__net_initdata
=
{
.
repl
=
{
.
name
=
"filter"
,
.
valid_hooks
=
FILTER_VALID_HOOKS
,
.
num_entries
=
4
,
.
size
=
sizeof
(
struct
ipt_standard
)
*
3
+
sizeof
(
struct
ipt_error
),
.
hook_entry
=
{
[
NF_INET_LOCAL_IN
]
=
0
,
[
NF_INET_FORWARD
]
=
sizeof
(
struct
ipt_standard
),
[
NF_INET_LOCAL_OUT
]
=
sizeof
(
struct
ipt_standard
)
*
2
,
},
.
underflow
=
{
[
NF_INET_LOCAL_IN
]
=
0
,
[
NF_INET_FORWARD
]
=
sizeof
(
struct
ipt_standard
),
[
NF_INET_LOCAL_OUT
]
=
sizeof
(
struct
ipt_standard
)
*
2
,
},
},
.
entries
=
{
IPT_STANDARD_INIT
(
NF_ACCEPT
),
/* LOCAL_IN */
IPT_STANDARD_INIT
(
NF_ACCEPT
),
/* FORWARD */
IPT_STANDARD_INIT
(
NF_ACCEPT
),
/* LOCAL_OUT */
},
.
term
=
IPT_ERROR_INIT
,
/* ERROR */
};
static
const
struct
xt_table
packet_filter
=
{
static
const
struct
xt_table
packet_filter
=
{
.
name
=
"filter"
,
.
name
=
"filter"
,
.
valid_hooks
=
FILTER_VALID_HOOKS
,
.
valid_hooks
=
FILTER_VALID_HOOKS
,
.
me
=
THIS_MODULE
,
.
me
=
THIS_MODULE
,
.
af
=
NFPROTO_IPV4
,
.
af
=
NFPROTO_IPV4
,
.
priority
=
NF_IP_PRI_FILTER
,
};
};
/* The work comes in here from netfilter.c. */
static
unsigned
int
ipt_local_in_hook
(
unsigned
int
hook
,
struct
sk_buff
*
skb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
int
(
*
okfn
)(
struct
sk_buff
*
))
{
return
ipt_do_table
(
skb
,
hook
,
in
,
out
,
dev_net
(
in
)
->
ipv4
.
iptable_filter
);
}
static
unsigned
int
static
unsigned
int
ipt_hook
(
unsigned
int
hook
,
iptable_filter_hook
(
unsigned
int
hook
,
struct
sk_buff
*
skb
,
struct
sk_buff
*
skb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
int
(
*
okfn
)(
struct
sk_buff
*
))
int
(
*
okfn
)(
struct
sk_buff
*
))
{
{
return
ipt_do_table
(
skb
,
hook
,
in
,
out
,
const
struct
net
*
net
;
dev_net
(
in
)
->
ipv4
.
iptable_filter
);
}
static
unsigned
int
if
(
hook
==
NF_INET_LOCAL_OUT
&&
ipt_local_out_hook
(
unsigned
int
hook
,
(
skb
->
len
<
sizeof
(
struct
iphdr
)
||
struct
sk_buff
*
skb
,
ip_hdrlen
(
skb
)
<
sizeof
(
struct
iphdr
)))
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
int
(
*
okfn
)(
struct
sk_buff
*
))
{
/* root is playing with raw sockets. */
/* root is playing with raw sockets. */
if
(
skb
->
len
<
sizeof
(
struct
iphdr
)
||
ip_hdrlen
(
skb
)
<
sizeof
(
struct
iphdr
))
return
NF_ACCEPT
;
return
NF_ACCEPT
;
return
ipt_do_table
(
skb
,
hook
,
in
,
out
,
dev_net
(
out
)
->
ipv4
.
iptable_filter
);
net
=
dev_net
((
in
!=
NULL
)
?
in
:
out
);
return
ipt_do_table
(
skb
,
hook
,
in
,
out
,
net
->
ipv4
.
iptable_filter
);
}
}
static
struct
nf_hook_ops
ipt_ops
[]
__read_mostly
=
{
static
struct
nf_hook_ops
*
filter_ops
__read_mostly
;
{
.
hook
=
ipt_local_in_hook
,
.
owner
=
THIS_MODULE
,
.
pf
=
NFPROTO_IPV4
,
.
hooknum
=
NF_INET_LOCAL_IN
,
.
priority
=
NF_IP_PRI_FILTER
,
},
{
.
hook
=
ipt_hook
,
.
owner
=
THIS_MODULE
,
.
pf
=
NFPROTO_IPV4
,
.
hooknum
=
NF_INET_FORWARD
,
.
priority
=
NF_IP_PRI_FILTER
,
},
{
.
hook
=
ipt_local_out_hook
,
.
owner
=
THIS_MODULE
,
.
pf
=
NFPROTO_IPV4
,
.
hooknum
=
NF_INET_LOCAL_OUT
,
.
priority
=
NF_IP_PRI_FILTER
,
},
};
/* Default to forward because I got too much mail already. */
/* Default to forward because I got too much mail already. */
static
int
forward
=
NF_ACCEPT
;
static
int
forward
=
NF_ACCEPT
;
...
@@ -128,9 +56,18 @@ module_param(forward, bool, 0000);
...
@@ -128,9 +56,18 @@ module_param(forward, bool, 0000);
static
int
__net_init
iptable_filter_net_init
(
struct
net
*
net
)
static
int
__net_init
iptable_filter_net_init
(
struct
net
*
net
)
{
{
/* Register table */
struct
ipt_replace
*
repl
;
repl
=
ipt_alloc_initial_table
(
&
packet_filter
);
if
(
repl
==
NULL
)
return
-
ENOMEM
;
/* Entry 1 is the FORWARD hook */
((
struct
ipt_standard
*
)
repl
->
entries
)[
1
].
target
.
verdict
=
-
forward
-
1
;
net
->
ipv4
.
iptable_filter
=
net
->
ipv4
.
iptable_filter
=
ipt_register_table
(
net
,
&
packet_filter
,
&
initial_table
.
repl
);
ipt_register_table
(
net
,
&
packet_filter
,
repl
);
kfree
(
repl
);
if
(
IS_ERR
(
net
->
ipv4
.
iptable_filter
))
if
(
IS_ERR
(
net
->
ipv4
.
iptable_filter
))
return
PTR_ERR
(
net
->
ipv4
.
iptable_filter
);
return
PTR_ERR
(
net
->
ipv4
.
iptable_filter
);
return
0
;
return
0
;
...
@@ -155,17 +92,16 @@ static int __init iptable_filter_init(void)
...
@@ -155,17 +92,16 @@ static int __init iptable_filter_init(void)
return
-
EINVAL
;
return
-
EINVAL
;
}
}
/* Entry 1 is the FORWARD hook */
initial_table
.
entries
[
1
].
target
.
verdict
=
-
forward
-
1
;
ret
=
register_pernet_subsys
(
&
iptable_filter_net_ops
);
ret
=
register_pernet_subsys
(
&
iptable_filter_net_ops
);
if
(
ret
<
0
)
if
(
ret
<
0
)
return
ret
;
return
ret
;
/* Register hooks */
/* Register hooks */
ret
=
nf_register_hooks
(
ipt_ops
,
ARRAY_SIZE
(
ipt_ops
));
filter_ops
=
xt_hook_link
(
&
packet_filter
,
iptable_filter_hook
);
if
(
ret
<
0
)
if
(
IS_ERR
(
filter_ops
))
{
ret
=
PTR_ERR
(
filter_ops
);
goto
cleanup_table
;
goto
cleanup_table
;
}
return
ret
;
return
ret
;
...
@@ -176,7 +112,7 @@ static int __init iptable_filter_init(void)
...
@@ -176,7 +112,7 @@ static int __init iptable_filter_init(void)
static
void
__exit
iptable_filter_fini
(
void
)
static
void
__exit
iptable_filter_fini
(
void
)
{
{
nf_unregister_hooks
(
ipt_ops
,
ARRAY_SIZE
(
ipt_ops
)
);
xt_hook_unlink
(
&
packet_filter
,
filter_ops
);
unregister_pernet_subsys
(
&
iptable_filter_net_ops
);
unregister_pernet_subsys
(
&
iptable_filter_net_ops
);
}
}
...
...
net/ipv4/netfilter/iptable_mangle.c
View file @
a8c28d05
...
@@ -27,95 +27,14 @@ MODULE_DESCRIPTION("iptables mangle table");
...
@@ -27,95 +27,14 @@ MODULE_DESCRIPTION("iptables mangle table");
(1 << NF_INET_LOCAL_OUT) | \
(1 << NF_INET_LOCAL_OUT) | \
(1 << NF_INET_POST_ROUTING))
(1 << NF_INET_POST_ROUTING))
/* Ouch - five different hooks? Maybe this should be a config option..... -- BC */
static
const
struct
{
struct
ipt_replace
repl
;
struct
ipt_standard
entries
[
5
];
struct
ipt_error
term
;
}
initial_table
__net_initdata
=
{
.
repl
=
{
.
name
=
"mangle"
,
.
valid_hooks
=
MANGLE_VALID_HOOKS
,
.
num_entries
=
6
,
.
size
=
sizeof
(
struct
ipt_standard
)
*
5
+
sizeof
(
struct
ipt_error
),
.
hook_entry
=
{
[
NF_INET_PRE_ROUTING
]
=
0
,
[
NF_INET_LOCAL_IN
]
=
sizeof
(
struct
ipt_standard
),
[
NF_INET_FORWARD
]
=
sizeof
(
struct
ipt_standard
)
*
2
,
[
NF_INET_LOCAL_OUT
]
=
sizeof
(
struct
ipt_standard
)
*
3
,
[
NF_INET_POST_ROUTING
]
=
sizeof
(
struct
ipt_standard
)
*
4
,
},
.
underflow
=
{
[
NF_INET_PRE_ROUTING
]
=
0
,
[
NF_INET_LOCAL_IN
]
=
sizeof
(
struct
ipt_standard
),
[
NF_INET_FORWARD
]
=
sizeof
(
struct
ipt_standard
)
*
2
,
[
NF_INET_LOCAL_OUT
]
=
sizeof
(
struct
ipt_standard
)
*
3
,
[
NF_INET_POST_ROUTING
]
=
sizeof
(
struct
ipt_standard
)
*
4
,
},
},
.
entries
=
{
IPT_STANDARD_INIT
(
NF_ACCEPT
),
/* PRE_ROUTING */
IPT_STANDARD_INIT
(
NF_ACCEPT
),
/* LOCAL_IN */
IPT_STANDARD_INIT
(
NF_ACCEPT
),
/* FORWARD */
IPT_STANDARD_INIT
(
NF_ACCEPT
),
/* LOCAL_OUT */
IPT_STANDARD_INIT
(
NF_ACCEPT
),
/* POST_ROUTING */
},
.
term
=
IPT_ERROR_INIT
,
/* ERROR */
};
static
const
struct
xt_table
packet_mangler
=
{
static
const
struct
xt_table
packet_mangler
=
{
.
name
=
"mangle"
,
.
name
=
"mangle"
,
.
valid_hooks
=
MANGLE_VALID_HOOKS
,
.
valid_hooks
=
MANGLE_VALID_HOOKS
,
.
me
=
THIS_MODULE
,
.
me
=
THIS_MODULE
,
.
af
=
NFPROTO_IPV4
,
.
af
=
NFPROTO_IPV4
,
.
priority
=
NF_IP_PRI_MANGLE
,
};
};
/* The work comes in here from netfilter.c. */
static
unsigned
int
ipt_pre_routing_hook
(
unsigned
int
hook
,
struct
sk_buff
*
skb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
int
(
*
okfn
)(
struct
sk_buff
*
))
{
return
ipt_do_table
(
skb
,
hook
,
in
,
out
,
dev_net
(
in
)
->
ipv4
.
iptable_mangle
);
}
static
unsigned
int
ipt_post_routing_hook
(
unsigned
int
hook
,
struct
sk_buff
*
skb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
int
(
*
okfn
)(
struct
sk_buff
*
))
{
return
ipt_do_table
(
skb
,
hook
,
in
,
out
,
dev_net
(
out
)
->
ipv4
.
iptable_mangle
);
}
static
unsigned
int
ipt_local_in_hook
(
unsigned
int
hook
,
struct
sk_buff
*
skb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
int
(
*
okfn
)(
struct
sk_buff
*
))
{
return
ipt_do_table
(
skb
,
hook
,
in
,
out
,
dev_net
(
in
)
->
ipv4
.
iptable_mangle
);
}
static
unsigned
int
ipt_forward_hook
(
unsigned
int
hook
,
struct
sk_buff
*
skb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
int
(
*
okfn
)(
struct
sk_buff
*
))
{
return
ipt_do_table
(
skb
,
hook
,
in
,
out
,
dev_net
(
in
)
->
ipv4
.
iptable_mangle
);
}
static
unsigned
int
static
unsigned
int
ipt_local_hook
(
unsigned
int
hook
,
ipt_local_hook
(
unsigned
int
hook
,
struct
sk_buff
*
skb
,
struct
sk_buff
*
skb
,
...
@@ -158,49 +77,34 @@ ipt_local_hook(unsigned int hook,
...
@@ -158,49 +77,34 @@ ipt_local_hook(unsigned int hook,
return
ret
;
return
ret
;
}
}
static
struct
nf_hook_ops
ipt_ops
[]
__read_mostly
=
{
/* The work comes in here from netfilter.c. */
{
static
unsigned
int
.
hook
=
ipt_pre_routing_hook
,
iptable_mangle_hook
(
unsigned
int
hook
,
.
owner
=
THIS_MODULE
,
struct
sk_buff
*
skb
,
.
pf
=
NFPROTO_IPV4
,
const
struct
net_device
*
in
,
.
hooknum
=
NF_INET_PRE_ROUTING
,
const
struct
net_device
*
out
,
.
priority
=
NF_IP_PRI_MANGLE
,
int
(
*
okfn
)(
struct
sk_buff
*
))
},
{
{
if
(
hook
==
NF_INET_LOCAL_OUT
)
.
hook
=
ipt_local_in_hook
,
return
ipt_local_hook
(
hook
,
skb
,
in
,
out
,
okfn
);
.
owner
=
THIS_MODULE
,
.
pf
=
NFPROTO_IPV4
,
/* PREROUTING/INPUT/FORWARD: */
.
hooknum
=
NF_INET_LOCAL_IN
,
return
ipt_do_table
(
skb
,
hook
,
in
,
out
,
.
priority
=
NF_IP_PRI_MANGLE
,
dev_net
(
in
)
->
ipv4
.
iptable_mangle
);
},
}
{
.
hook
=
ipt_forward_hook
,
static
struct
nf_hook_ops
*
mangle_ops
__read_mostly
;
.
owner
=
THIS_MODULE
,
.
pf
=
NFPROTO_IPV4
,
.
hooknum
=
NF_INET_FORWARD
,
.
priority
=
NF_IP_PRI_MANGLE
,
},
{
.
hook
=
ipt_local_hook
,
.
owner
=
THIS_MODULE
,
.
pf
=
NFPROTO_IPV4
,
.
hooknum
=
NF_INET_LOCAL_OUT
,
.
priority
=
NF_IP_PRI_MANGLE
,
},
{
.
hook
=
ipt_post_routing_hook
,
.
owner
=
THIS_MODULE
,
.
pf
=
NFPROTO_IPV4
,
.
hooknum
=
NF_INET_POST_ROUTING
,
.
priority
=
NF_IP_PRI_MANGLE
,
},
};
static
int
__net_init
iptable_mangle_net_init
(
struct
net
*
net
)
static
int
__net_init
iptable_mangle_net_init
(
struct
net
*
net
)
{
{
/* Register table */
struct
ipt_replace
*
repl
;
repl
=
ipt_alloc_initial_table
(
&
packet_mangler
);
if
(
repl
==
NULL
)
return
-
ENOMEM
;
net
->
ipv4
.
iptable_mangle
=
net
->
ipv4
.
iptable_mangle
=
ipt_register_table
(
net
,
&
packet_mangler
,
&
initial_table
.
repl
);
ipt_register_table
(
net
,
&
packet_mangler
,
repl
);
kfree
(
repl
);
if
(
IS_ERR
(
net
->
ipv4
.
iptable_mangle
))
if
(
IS_ERR
(
net
->
ipv4
.
iptable_mangle
))
return
PTR_ERR
(
net
->
ipv4
.
iptable_mangle
);
return
PTR_ERR
(
net
->
ipv4
.
iptable_mangle
);
return
0
;
return
0
;
...
@@ -225,9 +129,11 @@ static int __init iptable_mangle_init(void)
...
@@ -225,9 +129,11 @@ static int __init iptable_mangle_init(void)
return
ret
;
return
ret
;
/* Register hooks */
/* Register hooks */
ret
=
nf_register_hooks
(
ipt_ops
,
ARRAY_SIZE
(
ipt_ops
));
mangle_ops
=
xt_hook_link
(
&
packet_mangler
,
iptable_mangle_hook
);
if
(
ret
<
0
)
if
(
IS_ERR
(
mangle_ops
))
{
ret
=
PTR_ERR
(
mangle_ops
);
goto
cleanup_table
;
goto
cleanup_table
;
}
return
ret
;
return
ret
;
...
@@ -238,7 +144,7 @@ static int __init iptable_mangle_init(void)
...
@@ -238,7 +144,7 @@ static int __init iptable_mangle_init(void)
static
void
__exit
iptable_mangle_fini
(
void
)
static
void
__exit
iptable_mangle_fini
(
void
)
{
{
nf_unregister_hooks
(
ipt_ops
,
ARRAY_SIZE
(
ipt_ops
)
);
xt_hook_unlink
(
&
packet_mangler
,
mangle_ops
);
unregister_pernet_subsys
(
&
iptable_mangle_net_ops
);
unregister_pernet_subsys
(
&
iptable_mangle_net_ops
);
}
}
...
...
net/ipv4/netfilter/iptable_raw.c
View file @
a8c28d05
...
@@ -9,90 +9,44 @@
...
@@ -9,90 +9,44 @@
#define RAW_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT))
#define RAW_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT))
static
const
struct
{
struct
ipt_replace
repl
;
struct
ipt_standard
entries
[
2
];
struct
ipt_error
term
;
}
initial_table
__net_initdata
=
{
.
repl
=
{
.
name
=
"raw"
,
.
valid_hooks
=
RAW_VALID_HOOKS
,
.
num_entries
=
3
,
.
size
=
sizeof
(
struct
ipt_standard
)
*
2
+
sizeof
(
struct
ipt_error
),
.
hook_entry
=
{
[
NF_INET_PRE_ROUTING
]
=
0
,
[
NF_INET_LOCAL_OUT
]
=
sizeof
(
struct
ipt_standard
)
},
.
underflow
=
{
[
NF_INET_PRE_ROUTING
]
=
0
,
[
NF_INET_LOCAL_OUT
]
=
sizeof
(
struct
ipt_standard
)
},
},
.
entries
=
{
IPT_STANDARD_INIT
(
NF_ACCEPT
),
/* PRE_ROUTING */
IPT_STANDARD_INIT
(
NF_ACCEPT
),
/* LOCAL_OUT */
},
.
term
=
IPT_ERROR_INIT
,
/* ERROR */
};
static
const
struct
xt_table
packet_raw
=
{
static
const
struct
xt_table
packet_raw
=
{
.
name
=
"raw"
,
.
name
=
"raw"
,
.
valid_hooks
=
RAW_VALID_HOOKS
,
.
valid_hooks
=
RAW_VALID_HOOKS
,
.
me
=
THIS_MODULE
,
.
me
=
THIS_MODULE
,
.
af
=
NFPROTO_IPV4
,
.
af
=
NFPROTO_IPV4
,
.
priority
=
NF_IP_PRI_RAW
,
};
};
/* The work comes in here from netfilter.c. */
/* The work comes in here from netfilter.c. */
static
unsigned
int
static
unsigned
int
ipt_hook
(
unsigned
int
hook
,
iptable_raw_hook
(
unsigned
int
hook
,
struct
sk_buff
*
skb
,
struct
sk_buff
*
skb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
int
(
*
okfn
)(
struct
sk_buff
*
))
int
(
*
okfn
)(
struct
sk_buff
*
))
{
{
return
ipt_do_table
(
skb
,
hook
,
in
,
out
,
const
struct
net
*
net
;
dev_net
(
in
)
->
ipv4
.
iptable_raw
);
}
static
unsigned
int
if
(
hook
==
NF_INET_LOCAL_OUT
&&
ipt_local_hook
(
unsigned
int
hook
,
(
skb
->
len
<
sizeof
(
struct
iphdr
)
||
struct
sk_buff
*
skb
,
ip_hdrlen
(
skb
)
<
sizeof
(
struct
iphdr
)))
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
int
(
*
okfn
)(
struct
sk_buff
*
))
{
/* root is playing with raw sockets. */
/* root is playing with raw sockets. */
if
(
skb
->
len
<
sizeof
(
struct
iphdr
)
||
ip_hdrlen
(
skb
)
<
sizeof
(
struct
iphdr
))
return
NF_ACCEPT
;
return
NF_ACCEPT
;
return
ipt_do_table
(
skb
,
hook
,
in
,
out
,
dev_net
(
out
)
->
ipv4
.
iptable_raw
);
net
=
dev_net
((
in
!=
NULL
)
?
in
:
out
);
return
ipt_do_table
(
skb
,
hook
,
in
,
out
,
net
->
ipv4
.
iptable_raw
);
}
}
/* 'raw' is the very first table. */
static
struct
nf_hook_ops
*
rawtable_ops
__read_mostly
;
static
struct
nf_hook_ops
ipt_ops
[]
__read_mostly
=
{
{
.
hook
=
ipt_hook
,
.
pf
=
NFPROTO_IPV4
,
.
hooknum
=
NF_INET_PRE_ROUTING
,
.
priority
=
NF_IP_PRI_RAW
,
.
owner
=
THIS_MODULE
,
},
{
.
hook
=
ipt_local_hook
,
.
pf
=
NFPROTO_IPV4
,
.
hooknum
=
NF_INET_LOCAL_OUT
,
.
priority
=
NF_IP_PRI_RAW
,
.
owner
=
THIS_MODULE
,
},
};
static
int
__net_init
iptable_raw_net_init
(
struct
net
*
net
)
static
int
__net_init
iptable_raw_net_init
(
struct
net
*
net
)
{
{
/* Register table */
struct
ipt_replace
*
repl
;
repl
=
ipt_alloc_initial_table
(
&
packet_raw
);
if
(
repl
==
NULL
)
return
-
ENOMEM
;
net
->
ipv4
.
iptable_raw
=
net
->
ipv4
.
iptable_raw
=
ipt_register_table
(
net
,
&
packet_raw
,
&
initial_table
.
repl
);
ipt_register_table
(
net
,
&
packet_raw
,
repl
);
kfree
(
repl
);
if
(
IS_ERR
(
net
->
ipv4
.
iptable_raw
))
if
(
IS_ERR
(
net
->
ipv4
.
iptable_raw
))
return
PTR_ERR
(
net
->
ipv4
.
iptable_raw
);
return
PTR_ERR
(
net
->
ipv4
.
iptable_raw
);
return
0
;
return
0
;
...
@@ -117,9 +71,11 @@ static int __init iptable_raw_init(void)
...
@@ -117,9 +71,11 @@ static int __init iptable_raw_init(void)
return
ret
;
return
ret
;
/* Register hooks */
/* Register hooks */
ret
=
nf_register_hooks
(
ipt_ops
,
ARRAY_SIZE
(
ipt_ops
));
rawtable_ops
=
xt_hook_link
(
&
packet_raw
,
iptable_raw_hook
);
if
(
ret
<
0
)
if
(
IS_ERR
(
rawtable_ops
))
{
ret
=
PTR_ERR
(
rawtable_ops
);
goto
cleanup_table
;
goto
cleanup_table
;
}
return
ret
;
return
ret
;
...
@@ -130,7 +86,7 @@ static int __init iptable_raw_init(void)
...
@@ -130,7 +86,7 @@ static int __init iptable_raw_init(void)
static
void
__exit
iptable_raw_fini
(
void
)
static
void
__exit
iptable_raw_fini
(
void
)
{
{
nf_unregister_hooks
(
ipt_ops
,
ARRAY_SIZE
(
ipt_ops
)
);
xt_hook_unlink
(
&
packet_raw
,
rawtable_ops
);
unregister_pernet_subsys
(
&
iptable_raw_net_ops
);
unregister_pernet_subsys
(
&
iptable_raw_net_ops
);
}
}
...
...
net/ipv4/netfilter/iptable_security.c
View file @
a8c28d05
...
@@ -27,109 +27,44 @@ MODULE_DESCRIPTION("iptables security table, for MAC rules");
...
@@ -27,109 +27,44 @@ MODULE_DESCRIPTION("iptables security table, for MAC rules");
(1 << NF_INET_FORWARD) | \
(1 << NF_INET_FORWARD) | \
(1 << NF_INET_LOCAL_OUT)
(1 << NF_INET_LOCAL_OUT)
static
const
struct
{
struct
ipt_replace
repl
;
struct
ipt_standard
entries
[
3
];
struct
ipt_error
term
;
}
initial_table
__net_initdata
=
{
.
repl
=
{
.
name
=
"security"
,
.
valid_hooks
=
SECURITY_VALID_HOOKS
,
.
num_entries
=
4
,
.
size
=
sizeof
(
struct
ipt_standard
)
*
3
+
sizeof
(
struct
ipt_error
),
.
hook_entry
=
{
[
NF_INET_LOCAL_IN
]
=
0
,
[
NF_INET_FORWARD
]
=
sizeof
(
struct
ipt_standard
),
[
NF_INET_LOCAL_OUT
]
=
sizeof
(
struct
ipt_standard
)
*
2
,
},
.
underflow
=
{
[
NF_INET_LOCAL_IN
]
=
0
,
[
NF_INET_FORWARD
]
=
sizeof
(
struct
ipt_standard
),
[
NF_INET_LOCAL_OUT
]
=
sizeof
(
struct
ipt_standard
)
*
2
,
},
},
.
entries
=
{
IPT_STANDARD_INIT
(
NF_ACCEPT
),
/* LOCAL_IN */
IPT_STANDARD_INIT
(
NF_ACCEPT
),
/* FORWARD */
IPT_STANDARD_INIT
(
NF_ACCEPT
),
/* LOCAL_OUT */
},
.
term
=
IPT_ERROR_INIT
,
/* ERROR */
};
static
const
struct
xt_table
security_table
=
{
static
const
struct
xt_table
security_table
=
{
.
name
=
"security"
,
.
name
=
"security"
,
.
valid_hooks
=
SECURITY_VALID_HOOKS
,
.
valid_hooks
=
SECURITY_VALID_HOOKS
,
.
me
=
THIS_MODULE
,
.
me
=
THIS_MODULE
,
.
af
=
NFPROTO_IPV4
,
.
af
=
NFPROTO_IPV4
,
.
priority
=
NF_IP_PRI_SECURITY
,
};
};
static
unsigned
int
static
unsigned
int
ipt_local_in_hook
(
unsigned
int
hook
,
iptable_security_hook
(
unsigned
int
hook
,
struct
sk_buff
*
skb
,
struct
sk_buff
*
skb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
int
(
*
okfn
)(
struct
sk_buff
*
))
{
return
ipt_do_table
(
skb
,
hook
,
in
,
out
,
dev_net
(
in
)
->
ipv4
.
iptable_security
);
}
static
unsigned
int
ipt_forward_hook
(
unsigned
int
hook
,
struct
sk_buff
*
skb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
const
struct
net_device
*
out
,
int
(
*
okfn
)(
struct
sk_buff
*
))
int
(
*
okfn
)(
struct
sk_buff
*
))
{
{
return
ipt_do_table
(
skb
,
hook
,
in
,
out
,
const
struct
net
*
net
;
dev_net
(
in
)
->
ipv4
.
iptable_security
);
}
static
unsigned
int
if
(
hook
==
NF_INET_LOCAL_OUT
&&
ipt_local_out_hook
(
unsigned
int
hook
,
(
skb
->
len
<
sizeof
(
struct
iphdr
)
||
struct
sk_buff
*
skb
,
ip_hdrlen
(
skb
)
<
sizeof
(
struct
iphdr
)))
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
int
(
*
okfn
)(
struct
sk_buff
*
))
{
/* Somebody is playing with raw sockets. */
/* Somebody is playing with raw sockets. */
if
(
skb
->
len
<
sizeof
(
struct
iphdr
)
||
ip_hdrlen
(
skb
)
<
sizeof
(
struct
iphdr
))
return
NF_ACCEPT
;
return
NF_ACCEPT
;
return
ipt_do_table
(
skb
,
hook
,
in
,
out
,
dev_net
(
out
)
->
ipv4
.
iptable_security
);
net
=
dev_net
((
in
!=
NULL
)
?
in
:
out
);
return
ipt_do_table
(
skb
,
hook
,
in
,
out
,
net
->
ipv4
.
iptable_security
);
}
}
static
struct
nf_hook_ops
ipt_ops
[]
__read_mostly
=
{
static
struct
nf_hook_ops
*
sectbl_ops
__read_mostly
;
{
.
hook
=
ipt_local_in_hook
,
.
owner
=
THIS_MODULE
,
.
pf
=
NFPROTO_IPV4
,
.
hooknum
=
NF_INET_LOCAL_IN
,
.
priority
=
NF_IP_PRI_SECURITY
,
},
{
.
hook
=
ipt_forward_hook
,
.
owner
=
THIS_MODULE
,
.
pf
=
NFPROTO_IPV4
,
.
hooknum
=
NF_INET_FORWARD
,
.
priority
=
NF_IP_PRI_SECURITY
,
},
{
.
hook
=
ipt_local_out_hook
,
.
owner
=
THIS_MODULE
,
.
pf
=
NFPROTO_IPV4
,
.
hooknum
=
NF_INET_LOCAL_OUT
,
.
priority
=
NF_IP_PRI_SECURITY
,
},
};
static
int
__net_init
iptable_security_net_init
(
struct
net
*
net
)
static
int
__net_init
iptable_security_net_init
(
struct
net
*
net
)
{
{
net
->
ipv4
.
iptable_security
=
struct
ipt_replace
*
repl
;
ipt_register_table
(
net
,
&
security_table
,
&
initial_table
.
repl
);
repl
=
ipt_alloc_initial_table
(
&
security_table
);
if
(
repl
==
NULL
)
return
-
ENOMEM
;
net
->
ipv4
.
iptable_security
=
ipt_register_table
(
net
,
&
security_table
,
repl
);
kfree
(
repl
);
if
(
IS_ERR
(
net
->
ipv4
.
iptable_security
))
if
(
IS_ERR
(
net
->
ipv4
.
iptable_security
))
return
PTR_ERR
(
net
->
ipv4
.
iptable_security
);
return
PTR_ERR
(
net
->
ipv4
.
iptable_security
);
...
@@ -154,9 +89,11 @@ static int __init iptable_security_init(void)
...
@@ -154,9 +89,11 @@ static int __init iptable_security_init(void)
if
(
ret
<
0
)
if
(
ret
<
0
)
return
ret
;
return
ret
;
ret
=
nf_register_hooks
(
ipt_ops
,
ARRAY_SIZE
(
ipt_ops
));
sectbl_ops
=
xt_hook_link
(
&
security_table
,
iptable_security_hook
);
if
(
ret
<
0
)
if
(
IS_ERR
(
sectbl_ops
))
{
ret
=
PTR_ERR
(
sectbl_ops
);
goto
cleanup_table
;
goto
cleanup_table
;
}
return
ret
;
return
ret
;
...
@@ -167,7 +104,7 @@ static int __init iptable_security_init(void)
...
@@ -167,7 +104,7 @@ static int __init iptable_security_init(void)
static
void
__exit
iptable_security_fini
(
void
)
static
void
__exit
iptable_security_fini
(
void
)
{
{
nf_unregister_hooks
(
ipt_ops
,
ARRAY_SIZE
(
ipt_ops
)
);
xt_hook_unlink
(
&
security_table
,
sectbl_ops
);
unregister_pernet_subsys
(
&
iptable_security_net_ops
);
unregister_pernet_subsys
(
&
iptable_security_net_ops
);
}
}
...
...
net/ipv4/netfilter/nf_nat_rule.c
View file @
a8c28d05
...
@@ -28,36 +28,6 @@
...
@@ -28,36 +28,6 @@
(1 << NF_INET_POST_ROUTING) | \
(1 << NF_INET_POST_ROUTING) | \
(1 << NF_INET_LOCAL_OUT))
(1 << NF_INET_LOCAL_OUT))
static
const
struct
{
struct
ipt_replace
repl
;
struct
ipt_standard
entries
[
3
];
struct
ipt_error
term
;
}
nat_initial_table
__net_initdata
=
{
.
repl
=
{
.
name
=
"nat"
,
.
valid_hooks
=
NAT_VALID_HOOKS
,
.
num_entries
=
4
,
.
size
=
sizeof
(
struct
ipt_standard
)
*
3
+
sizeof
(
struct
ipt_error
),
.
hook_entry
=
{
[
NF_INET_PRE_ROUTING
]
=
0
,
[
NF_INET_POST_ROUTING
]
=
sizeof
(
struct
ipt_standard
),
[
NF_INET_LOCAL_OUT
]
=
sizeof
(
struct
ipt_standard
)
*
2
},
.
underflow
=
{
[
NF_INET_PRE_ROUTING
]
=
0
,
[
NF_INET_POST_ROUTING
]
=
sizeof
(
struct
ipt_standard
),
[
NF_INET_LOCAL_OUT
]
=
sizeof
(
struct
ipt_standard
)
*
2
},
},
.
entries
=
{
IPT_STANDARD_INIT
(
NF_ACCEPT
),
/* PRE_ROUTING */
IPT_STANDARD_INIT
(
NF_ACCEPT
),
/* POST_ROUTING */
IPT_STANDARD_INIT
(
NF_ACCEPT
),
/* LOCAL_OUT */
},
.
term
=
IPT_ERROR_INIT
,
/* ERROR */
};
static
const
struct
xt_table
nat_table
=
{
static
const
struct
xt_table
nat_table
=
{
.
name
=
"nat"
,
.
name
=
"nat"
,
.
valid_hooks
=
NAT_VALID_HOOKS
,
.
valid_hooks
=
NAT_VALID_HOOKS
,
...
@@ -186,8 +156,13 @@ static struct xt_target ipt_dnat_reg __read_mostly = {
...
@@ -186,8 +156,13 @@ static struct xt_target ipt_dnat_reg __read_mostly = {
static
int
__net_init
nf_nat_rule_net_init
(
struct
net
*
net
)
static
int
__net_init
nf_nat_rule_net_init
(
struct
net
*
net
)
{
{
net
->
ipv4
.
nat_table
=
ipt_register_table
(
net
,
&
nat_table
,
struct
ipt_replace
*
repl
;
&
nat_initial_table
.
repl
);
repl
=
ipt_alloc_initial_table
(
&
nat_table
);
if
(
repl
==
NULL
)
return
-
ENOMEM
;
net
->
ipv4
.
nat_table
=
ipt_register_table
(
net
,
&
nat_table
,
repl
);
kfree
(
repl
);
if
(
IS_ERR
(
net
->
ipv4
.
nat_table
))
if
(
IS_ERR
(
net
->
ipv4
.
nat_table
))
return
PTR_ERR
(
net
->
ipv4
.
nat_table
);
return
PTR_ERR
(
net
->
ipv4
.
nat_table
);
return
0
;
return
0
;
...
...
net/ipv6/netfilter/ip6_tables.c
View file @
a8c28d05
...
@@ -29,6 +29,7 @@
...
@@ -29,6 +29,7 @@
#include <linux/netfilter_ipv6/ip6_tables.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/x_tables.h>
#include <net/netfilter/nf_log.h>
#include <net/netfilter/nf_log.h>
#include "../../netfilter/xt_repldata.h"
MODULE_LICENSE
(
"GPL"
);
MODULE_LICENSE
(
"GPL"
);
MODULE_AUTHOR
(
"Netfilter Core Team <coreteam@netfilter.org>"
);
MODULE_AUTHOR
(
"Netfilter Core Team <coreteam@netfilter.org>"
);
...
@@ -67,6 +68,12 @@ do { \
...
@@ -67,6 +68,12 @@ do { \
#define inline
#define inline
#endif
#endif
void
*
ip6t_alloc_initial_table
(
const
struct
xt_table
*
info
)
{
return
xt_alloc_initial_table
(
ip6t
,
IP6T
);
}
EXPORT_SYMBOL_GPL
(
ip6t_alloc_initial_table
);
/*
/*
We keep a set of rules for each CPU, so we can avoid write-locking
We keep a set of rules for each CPU, so we can avoid write-locking
them in the softirq when updating the counters and therefore
them in the softirq when updating the counters and therefore
...
...
net/ipv6/netfilter/ip6table_filter.c
View file @
a8c28d05
...
@@ -21,99 +21,26 @@ MODULE_DESCRIPTION("ip6tables filter table");
...
@@ -21,99 +21,26 @@ MODULE_DESCRIPTION("ip6tables filter table");
(1 << NF_INET_FORWARD) | \
(1 << NF_INET_FORWARD) | \
(1 << NF_INET_LOCAL_OUT))
(1 << NF_INET_LOCAL_OUT))
static
struct
{
struct
ip6t_replace
repl
;
struct
ip6t_standard
entries
[
3
];
struct
ip6t_error
term
;
}
initial_table
__net_initdata
=
{
.
repl
=
{
.
name
=
"filter"
,
.
valid_hooks
=
FILTER_VALID_HOOKS
,
.
num_entries
=
4
,
.
size
=
sizeof
(
struct
ip6t_standard
)
*
3
+
sizeof
(
struct
ip6t_error
),
.
hook_entry
=
{
[
NF_INET_LOCAL_IN
]
=
0
,
[
NF_INET_FORWARD
]
=
sizeof
(
struct
ip6t_standard
),
[
NF_INET_LOCAL_OUT
]
=
sizeof
(
struct
ip6t_standard
)
*
2
},
.
underflow
=
{
[
NF_INET_LOCAL_IN
]
=
0
,
[
NF_INET_FORWARD
]
=
sizeof
(
struct
ip6t_standard
),
[
NF_INET_LOCAL_OUT
]
=
sizeof
(
struct
ip6t_standard
)
*
2
},
},
.
entries
=
{
IP6T_STANDARD_INIT
(
NF_ACCEPT
),
/* LOCAL_IN */
IP6T_STANDARD_INIT
(
NF_ACCEPT
),
/* FORWARD */
IP6T_STANDARD_INIT
(
NF_ACCEPT
),
/* LOCAL_OUT */
},
.
term
=
IP6T_ERROR_INIT
,
/* ERROR */
};
static
const
struct
xt_table
packet_filter
=
{
static
const
struct
xt_table
packet_filter
=
{
.
name
=
"filter"
,
.
name
=
"filter"
,
.
valid_hooks
=
FILTER_VALID_HOOKS
,
.
valid_hooks
=
FILTER_VALID_HOOKS
,
.
me
=
THIS_MODULE
,
.
me
=
THIS_MODULE
,
.
af
=
NFPROTO_IPV6
,
.
af
=
NFPROTO_IPV6
,
.
priority
=
NF_IP6_PRI_FILTER
,
};
};
/* The work comes in here from netfilter.c. */
/* The work comes in here from netfilter.c. */
static
unsigned
int
static
unsigned
int
ip6t_in_hook
(
unsigned
int
hook
,
ip6table_filter_hook
(
unsigned
int
hook
,
struct
sk_buff
*
skb
,
struct
sk_buff
*
skb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
int
(
*
okfn
)(
struct
sk_buff
*
))
int
(
*
okfn
)(
struct
sk_buff
*
))
{
{
return
ip6t_do_table
(
skb
,
hook
,
in
,
out
,
const
struct
net
*
net
=
dev_net
((
in
!=
NULL
)
?
in
:
out
);
dev_net
(
in
)
->
ipv6
.
ip6table_filter
);
}
static
unsigned
int
ip6t_local_out_hook
(
unsigned
int
hook
,
struct
sk_buff
*
skb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
int
(
*
okfn
)(
struct
sk_buff
*
))
{
#if 0
/* root is playing with raw sockets. */
if (skb->len < sizeof(struct iphdr) ||
ip_hdrlen(skb) < sizeof(struct iphdr)) {
if (net_ratelimit())
printk("ip6t_hook: happy cracking.\n");
return NF_ACCEPT;
}
#endif
return
ip6t_do_table
(
skb
,
hook
,
in
,
out
,
return
ip6t_do_table
(
skb
,
hook
,
in
,
out
,
net
->
ipv6
.
ip6table_filter
);
dev_net
(
out
)
->
ipv6
.
ip6table_filter
);
}
}
static
struct
nf_hook_ops
ip6t_ops
[]
__read_mostly
=
{
static
struct
nf_hook_ops
*
filter_ops
__read_mostly
;
{
.
hook
=
ip6t_in_hook
,
.
owner
=
THIS_MODULE
,
.
pf
=
NFPROTO_IPV6
,
.
hooknum
=
NF_INET_LOCAL_IN
,
.
priority
=
NF_IP6_PRI_FILTER
,
},
{
.
hook
=
ip6t_in_hook
,
.
owner
=
THIS_MODULE
,
.
pf
=
NFPROTO_IPV6
,
.
hooknum
=
NF_INET_FORWARD
,
.
priority
=
NF_IP6_PRI_FILTER
,
},
{
.
hook
=
ip6t_local_out_hook
,
.
owner
=
THIS_MODULE
,
.
pf
=
NFPROTO_IPV6
,
.
hooknum
=
NF_INET_LOCAL_OUT
,
.
priority
=
NF_IP6_PRI_FILTER
,
},
};
/* Default to forward because I got too much mail already. */
/* Default to forward because I got too much mail already. */
static
int
forward
=
NF_ACCEPT
;
static
int
forward
=
NF_ACCEPT
;
...
@@ -121,9 +48,18 @@ module_param(forward, bool, 0000);
...
@@ -121,9 +48,18 @@ module_param(forward, bool, 0000);
static
int
__net_init
ip6table_filter_net_init
(
struct
net
*
net
)
static
int
__net_init
ip6table_filter_net_init
(
struct
net
*
net
)
{
{
/* Register table */
struct
ip6t_replace
*
repl
;
repl
=
ip6t_alloc_initial_table
(
&
packet_filter
);
if
(
repl
==
NULL
)
return
-
ENOMEM
;
/* Entry 1 is the FORWARD hook */
((
struct
ip6t_standard
*
)
repl
->
entries
)[
1
].
target
.
verdict
=
-
forward
-
1
;
net
->
ipv6
.
ip6table_filter
=
net
->
ipv6
.
ip6table_filter
=
ip6t_register_table
(
net
,
&
packet_filter
,
&
initial_table
.
repl
);
ip6t_register_table
(
net
,
&
packet_filter
,
repl
);
kfree
(
repl
);
if
(
IS_ERR
(
net
->
ipv6
.
ip6table_filter
))
if
(
IS_ERR
(
net
->
ipv6
.
ip6table_filter
))
return
PTR_ERR
(
net
->
ipv6
.
ip6table_filter
);
return
PTR_ERR
(
net
->
ipv6
.
ip6table_filter
);
return
0
;
return
0
;
...
@@ -148,17 +84,16 @@ static int __init ip6table_filter_init(void)
...
@@ -148,17 +84,16 @@ static int __init ip6table_filter_init(void)
return
-
EINVAL
;
return
-
EINVAL
;
}
}
/* Entry 1 is the FORWARD hook */
initial_table
.
entries
[
1
].
target
.
verdict
=
-
forward
-
1
;
ret
=
register_pernet_subsys
(
&
ip6table_filter_net_ops
);
ret
=
register_pernet_subsys
(
&
ip6table_filter_net_ops
);
if
(
ret
<
0
)
if
(
ret
<
0
)
return
ret
;
return
ret
;
/* Register hooks */
/* Register hooks */
ret
=
nf_register_hooks
(
ip6t_ops
,
ARRAY_SIZE
(
ip6t_ops
));
filter_ops
=
xt_hook_link
(
&
packet_filter
,
ip6table_filter_hook
);
if
(
ret
<
0
)
if
(
IS_ERR
(
filter_ops
))
{
ret
=
PTR_ERR
(
filter_ops
);
goto
cleanup_table
;
goto
cleanup_table
;
}
return
ret
;
return
ret
;
...
@@ -169,7 +104,7 @@ static int __init ip6table_filter_init(void)
...
@@ -169,7 +104,7 @@ static int __init ip6table_filter_init(void)
static
void
__exit
ip6table_filter_fini
(
void
)
static
void
__exit
ip6table_filter_fini
(
void
)
{
{
nf_unregister_hooks
(
ip6t_ops
,
ARRAY_SIZE
(
ip6t_ops
)
);
xt_hook_unlink
(
&
packet_filter
,
filter_ops
);
unregister_pernet_subsys
(
&
ip6table_filter_net_ops
);
unregister_pernet_subsys
(
&
ip6table_filter_net_ops
);
}
}
...
...
net/ipv6/netfilter/ip6table_mangle.c
View file @
a8c28d05
...
@@ -21,76 +21,17 @@ MODULE_DESCRIPTION("ip6tables mangle table");
...
@@ -21,76 +21,17 @@ MODULE_DESCRIPTION("ip6tables mangle table");
(1 << NF_INET_LOCAL_OUT) | \
(1 << NF_INET_LOCAL_OUT) | \
(1 << NF_INET_POST_ROUTING))
(1 << NF_INET_POST_ROUTING))
static
const
struct
{
struct
ip6t_replace
repl
;
struct
ip6t_standard
entries
[
5
];
struct
ip6t_error
term
;
}
initial_table
__net_initdata
=
{
.
repl
=
{
.
name
=
"mangle"
,
.
valid_hooks
=
MANGLE_VALID_HOOKS
,
.
num_entries
=
6
,
.
size
=
sizeof
(
struct
ip6t_standard
)
*
5
+
sizeof
(
struct
ip6t_error
),
.
hook_entry
=
{
[
NF_INET_PRE_ROUTING
]
=
0
,
[
NF_INET_LOCAL_IN
]
=
sizeof
(
struct
ip6t_standard
),
[
NF_INET_FORWARD
]
=
sizeof
(
struct
ip6t_standard
)
*
2
,
[
NF_INET_LOCAL_OUT
]
=
sizeof
(
struct
ip6t_standard
)
*
3
,
[
NF_INET_POST_ROUTING
]
=
sizeof
(
struct
ip6t_standard
)
*
4
,
},
.
underflow
=
{
[
NF_INET_PRE_ROUTING
]
=
0
,
[
NF_INET_LOCAL_IN
]
=
sizeof
(
struct
ip6t_standard
),
[
NF_INET_FORWARD
]
=
sizeof
(
struct
ip6t_standard
)
*
2
,
[
NF_INET_LOCAL_OUT
]
=
sizeof
(
struct
ip6t_standard
)
*
3
,
[
NF_INET_POST_ROUTING
]
=
sizeof
(
struct
ip6t_standard
)
*
4
,
},
},
.
entries
=
{
IP6T_STANDARD_INIT
(
NF_ACCEPT
),
/* PRE_ROUTING */
IP6T_STANDARD_INIT
(
NF_ACCEPT
),
/* LOCAL_IN */
IP6T_STANDARD_INIT
(
NF_ACCEPT
),
/* FORWARD */
IP6T_STANDARD_INIT
(
NF_ACCEPT
),
/* LOCAL_OUT */
IP6T_STANDARD_INIT
(
NF_ACCEPT
),
/* POST_ROUTING */
},
.
term
=
IP6T_ERROR_INIT
,
/* ERROR */
};
static
const
struct
xt_table
packet_mangler
=
{
static
const
struct
xt_table
packet_mangler
=
{
.
name
=
"mangle"
,
.
name
=
"mangle"
,
.
valid_hooks
=
MANGLE_VALID_HOOKS
,
.
valid_hooks
=
MANGLE_VALID_HOOKS
,
.
me
=
THIS_MODULE
,
.
me
=
THIS_MODULE
,
.
af
=
NFPROTO_IPV6
,
.
af
=
NFPROTO_IPV6
,
.
priority
=
NF_IP6_PRI_MANGLE
,
};
};
/* The work comes in here from netfilter.c. */
static
unsigned
int
ip6t_in_hook
(
unsigned
int
hook
,
struct
sk_buff
*
skb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
int
(
*
okfn
)(
struct
sk_buff
*
))
{
return
ip6t_do_table
(
skb
,
hook
,
in
,
out
,
dev_net
(
in
)
->
ipv6
.
ip6table_mangle
);
}
static
unsigned
int
ip6t_post_routing_hook
(
unsigned
int
hook
,
struct
sk_buff
*
skb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
int
(
*
okfn
)(
struct
sk_buff
*
))
{
return
ip6t_do_table
(
skb
,
hook
,
in
,
out
,
dev_net
(
out
)
->
ipv6
.
ip6table_mangle
);
}
static
unsigned
int
static
unsigned
int
ip6t_local_out_hook
(
unsigned
int
hook
,
ip6t_local_out_hook
(
unsigned
int
hook
,
struct
sk_buff
*
skb
,
struct
sk_buff
*
skb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
const
struct
net_device
*
out
,
int
(
*
okfn
)(
struct
sk_buff
*
))
int
(
*
okfn
)(
struct
sk_buff
*
))
{
{
...
@@ -119,7 +60,7 @@ ip6t_local_out_hook(unsigned int hook,
...
@@ -119,7 +60,7 @@ ip6t_local_out_hook(unsigned int hook,
/* flowlabel and prio (includes version, which shouldn't change either */
/* flowlabel and prio (includes version, which shouldn't change either */
flowlabel
=
*
((
u_int32_t
*
)
ipv6_hdr
(
skb
));
flowlabel
=
*
((
u_int32_t
*
)
ipv6_hdr
(
skb
));
ret
=
ip6t_do_table
(
skb
,
hook
,
in
,
out
,
ret
=
ip6t_do_table
(
skb
,
hook
,
NULL
,
out
,
dev_net
(
out
)
->
ipv6
.
ip6table_mangle
);
dev_net
(
out
)
->
ipv6
.
ip6table_mangle
);
if
(
ret
!=
NF_DROP
&&
ret
!=
NF_STOLEN
&&
if
(
ret
!=
NF_DROP
&&
ret
!=
NF_STOLEN
&&
...
@@ -132,49 +73,31 @@ ip6t_local_out_hook(unsigned int hook,
...
@@ -132,49 +73,31 @@ ip6t_local_out_hook(unsigned int hook,
return
ret
;
return
ret
;
}
}
static
struct
nf_hook_ops
ip6t_ops
[]
__read_mostly
=
{
/* The work comes in here from netfilter.c. */
{
static
unsigned
int
.
hook
=
ip6t_in_hook
,
ip6table_mangle_hook
(
unsigned
int
hook
,
struct
sk_buff
*
skb
,
.
owner
=
THIS_MODULE
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
.
pf
=
NFPROTO_IPV6
,
int
(
*
okfn
)(
struct
sk_buff
*
))
.
hooknum
=
NF_INET_PRE_ROUTING
,
{
.
priority
=
NF_IP6_PRI_MANGLE
,
if
(
hook
==
NF_INET_LOCAL_OUT
)
},
return
ip6t_local_out_hook
(
hook
,
skb
,
out
,
okfn
);
{
.
hook
=
ip6t_in_hook
,
/* INPUT/FORWARD */
.
owner
=
THIS_MODULE
,
return
ip6t_do_table
(
skb
,
hook
,
in
,
out
,
.
pf
=
NFPROTO_IPV6
,
dev_net
(
in
)
->
ipv6
.
ip6table_mangle
);
.
hooknum
=
NF_INET_LOCAL_IN
,
}
.
priority
=
NF_IP6_PRI_MANGLE
,
},
{
.
hook
=
ip6t_in_hook
,
.
owner
=
THIS_MODULE
,
.
pf
=
NFPROTO_IPV6
,
.
hooknum
=
NF_INET_FORWARD
,
.
priority
=
NF_IP6_PRI_MANGLE
,
},
{
.
hook
=
ip6t_local_out_hook
,
.
owner
=
THIS_MODULE
,
.
pf
=
NFPROTO_IPV6
,
.
hooknum
=
NF_INET_LOCAL_OUT
,
.
priority
=
NF_IP6_PRI_MANGLE
,
},
{
.
hook
=
ip6t_post_routing_hook
,
.
owner
=
THIS_MODULE
,
.
pf
=
NFPROTO_IPV6
,
.
hooknum
=
NF_INET_POST_ROUTING
,
.
priority
=
NF_IP6_PRI_MANGLE
,
},
};
static
struct
nf_hook_ops
*
mangle_ops
__read_mostly
;
static
int
__net_init
ip6table_mangle_net_init
(
struct
net
*
net
)
static
int
__net_init
ip6table_mangle_net_init
(
struct
net
*
net
)
{
{
/* Register table */
struct
ip6t_replace
*
repl
;
repl
=
ip6t_alloc_initial_table
(
&
packet_mangler
);
if
(
repl
==
NULL
)
return
-
ENOMEM
;
net
->
ipv6
.
ip6table_mangle
=
net
->
ipv6
.
ip6table_mangle
=
ip6t_register_table
(
net
,
&
packet_mangler
,
&
initial_table
.
repl
);
ip6t_register_table
(
net
,
&
packet_mangler
,
repl
);
kfree
(
repl
);
if
(
IS_ERR
(
net
->
ipv6
.
ip6table_mangle
))
if
(
IS_ERR
(
net
->
ipv6
.
ip6table_mangle
))
return
PTR_ERR
(
net
->
ipv6
.
ip6table_mangle
);
return
PTR_ERR
(
net
->
ipv6
.
ip6table_mangle
);
return
0
;
return
0
;
...
@@ -199,9 +122,11 @@ static int __init ip6table_mangle_init(void)
...
@@ -199,9 +122,11 @@ static int __init ip6table_mangle_init(void)
return
ret
;
return
ret
;
/* Register hooks */
/* Register hooks */
ret
=
nf_register_hooks
(
ip6t_ops
,
ARRAY_SIZE
(
ip6t_ops
));
mangle_ops
=
xt_hook_link
(
&
packet_mangler
,
ip6table_mangle_hook
);
if
(
ret
<
0
)
if
(
IS_ERR
(
mangle_ops
))
{
ret
=
PTR_ERR
(
mangle_ops
);
goto
cleanup_table
;
goto
cleanup_table
;
}
return
ret
;
return
ret
;
...
@@ -212,7 +137,7 @@ static int __init ip6table_mangle_init(void)
...
@@ -212,7 +137,7 @@ static int __init ip6table_mangle_init(void)
static
void
__exit
ip6table_mangle_fini
(
void
)
static
void
__exit
ip6table_mangle_fini
(
void
)
{
{
nf_unregister_hooks
(
ip6t_ops
,
ARRAY_SIZE
(
ip6t_ops
)
);
xt_hook_unlink
(
&
packet_mangler
,
mangle_ops
);
unregister_pernet_subsys
(
&
ip6table_mangle_net_ops
);
unregister_pernet_subsys
(
&
ip6table_mangle_net_ops
);
}
}
...
...
net/ipv6/netfilter/ip6table_raw.c
View file @
a8c28d05
...
@@ -8,85 +8,37 @@
...
@@ -8,85 +8,37 @@
#define RAW_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT))
#define RAW_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT))
static
const
struct
{
struct
ip6t_replace
repl
;
struct
ip6t_standard
entries
[
2
];
struct
ip6t_error
term
;
}
initial_table
__net_initdata
=
{
.
repl
=
{
.
name
=
"raw"
,
.
valid_hooks
=
RAW_VALID_HOOKS
,
.
num_entries
=
3
,
.
size
=
sizeof
(
struct
ip6t_standard
)
*
2
+
sizeof
(
struct
ip6t_error
),
.
hook_entry
=
{
[
NF_INET_PRE_ROUTING
]
=
0
,
[
NF_INET_LOCAL_OUT
]
=
sizeof
(
struct
ip6t_standard
)
},
.
underflow
=
{
[
NF_INET_PRE_ROUTING
]
=
0
,
[
NF_INET_LOCAL_OUT
]
=
sizeof
(
struct
ip6t_standard
)
},
},
.
entries
=
{
IP6T_STANDARD_INIT
(
NF_ACCEPT
),
/* PRE_ROUTING */
IP6T_STANDARD_INIT
(
NF_ACCEPT
),
/* LOCAL_OUT */
},
.
term
=
IP6T_ERROR_INIT
,
/* ERROR */
};
static
const
struct
xt_table
packet_raw
=
{
static
const
struct
xt_table
packet_raw
=
{
.
name
=
"raw"
,
.
name
=
"raw"
,
.
valid_hooks
=
RAW_VALID_HOOKS
,
.
valid_hooks
=
RAW_VALID_HOOKS
,
.
me
=
THIS_MODULE
,
.
me
=
THIS_MODULE
,
.
af
=
NFPROTO_IPV6
,
.
af
=
NFPROTO_IPV6
,
.
priority
=
NF_IP6_PRI_FIRST
,
};
};
/* The work comes in here from netfilter.c. */
/* The work comes in here from netfilter.c. */
static
unsigned
int
static
unsigned
int
ip6t_pre_routing_hook
(
unsigned
int
hook
,
ip6table_raw_hook
(
unsigned
int
hook
,
struct
sk_buff
*
skb
,
struct
sk_buff
*
skb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
int
(
*
okfn
)(
struct
sk_buff
*
))
int
(
*
okfn
)(
struct
sk_buff
*
))
{
{
return
ip6t_do_table
(
skb
,
hook
,
in
,
out
,
const
struct
net
*
net
=
dev_net
((
in
!=
NULL
)
?
in
:
out
);
dev_net
(
in
)
->
ipv6
.
ip6table_raw
);
}
static
unsigned
int
return
ip6t_do_table
(
skb
,
hook
,
in
,
out
,
net
->
ipv6
.
ip6table_raw
);
ip6t_local_out_hook
(
unsigned
int
hook
,
struct
sk_buff
*
skb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
int
(
*
okfn
)(
struct
sk_buff
*
))
{
return
ip6t_do_table
(
skb
,
hook
,
in
,
out
,
dev_net
(
out
)
->
ipv6
.
ip6table_raw
);
}
}
static
struct
nf_hook_ops
ip6t_ops
[]
__read_mostly
=
{
static
struct
nf_hook_ops
*
rawtable_ops
__read_mostly
;
{
.
hook
=
ip6t_pre_routing_hook
,
.
pf
=
NFPROTO_IPV6
,
.
hooknum
=
NF_INET_PRE_ROUTING
,
.
priority
=
NF_IP6_PRI_FIRST
,
.
owner
=
THIS_MODULE
,
},
{
.
hook
=
ip6t_local_out_hook
,
.
pf
=
NFPROTO_IPV6
,
.
hooknum
=
NF_INET_LOCAL_OUT
,
.
priority
=
NF_IP6_PRI_FIRST
,
.
owner
=
THIS_MODULE
,
},
};
static
int
__net_init
ip6table_raw_net_init
(
struct
net
*
net
)
static
int
__net_init
ip6table_raw_net_init
(
struct
net
*
net
)
{
{
/* Register table */
struct
ip6t_replace
*
repl
;
repl
=
ip6t_alloc_initial_table
(
&
packet_raw
);
if
(
repl
==
NULL
)
return
-
ENOMEM
;
net
->
ipv6
.
ip6table_raw
=
net
->
ipv6
.
ip6table_raw
=
ip6t_register_table
(
net
,
&
packet_raw
,
&
initial_table
.
repl
);
ip6t_register_table
(
net
,
&
packet_raw
,
repl
);
kfree
(
repl
);
if
(
IS_ERR
(
net
->
ipv6
.
ip6table_raw
))
if
(
IS_ERR
(
net
->
ipv6
.
ip6table_raw
))
return
PTR_ERR
(
net
->
ipv6
.
ip6table_raw
);
return
PTR_ERR
(
net
->
ipv6
.
ip6table_raw
);
return
0
;
return
0
;
...
@@ -111,9 +63,11 @@ static int __init ip6table_raw_init(void)
...
@@ -111,9 +63,11 @@ static int __init ip6table_raw_init(void)
return
ret
;
return
ret
;
/* Register hooks */
/* Register hooks */
ret
=
nf_register_hooks
(
ip6t_ops
,
ARRAY_SIZE
(
ip6t_ops
));
rawtable_ops
=
xt_hook_link
(
&
packet_raw
,
ip6table_raw_hook
);
if
(
ret
<
0
)
if
(
IS_ERR
(
rawtable_ops
))
{
ret
=
PTR_ERR
(
rawtable_ops
);
goto
cleanup_table
;
goto
cleanup_table
;
}
return
ret
;
return
ret
;
...
@@ -124,7 +78,7 @@ static int __init ip6table_raw_init(void)
...
@@ -124,7 +78,7 @@ static int __init ip6table_raw_init(void)
static
void
__exit
ip6table_raw_fini
(
void
)
static
void
__exit
ip6table_raw_fini
(
void
)
{
{
nf_unregister_hooks
(
ip6t_ops
,
ARRAY_SIZE
(
ip6t_ops
)
);
xt_hook_unlink
(
&
packet_raw
,
rawtable_ops
);
unregister_pernet_subsys
(
&
ip6table_raw_net_ops
);
unregister_pernet_subsys
(
&
ip6table_raw_net_ops
);
}
}
...
...
net/ipv6/netfilter/ip6table_security.c
View file @
a8c28d05
...
@@ -26,106 +26,37 @@ MODULE_DESCRIPTION("ip6tables security table, for MAC rules");
...
@@ -26,106 +26,37 @@ MODULE_DESCRIPTION("ip6tables security table, for MAC rules");
(1 << NF_INET_FORWARD) | \
(1 << NF_INET_FORWARD) | \
(1 << NF_INET_LOCAL_OUT)
(1 << NF_INET_LOCAL_OUT)
static
const
struct
{
struct
ip6t_replace
repl
;
struct
ip6t_standard
entries
[
3
];
struct
ip6t_error
term
;
}
initial_table
__net_initdata
=
{
.
repl
=
{
.
name
=
"security"
,
.
valid_hooks
=
SECURITY_VALID_HOOKS
,
.
num_entries
=
4
,
.
size
=
sizeof
(
struct
ip6t_standard
)
*
3
+
sizeof
(
struct
ip6t_error
),
.
hook_entry
=
{
[
NF_INET_LOCAL_IN
]
=
0
,
[
NF_INET_FORWARD
]
=
sizeof
(
struct
ip6t_standard
),
[
NF_INET_LOCAL_OUT
]
=
sizeof
(
struct
ip6t_standard
)
*
2
,
},
.
underflow
=
{
[
NF_INET_LOCAL_IN
]
=
0
,
[
NF_INET_FORWARD
]
=
sizeof
(
struct
ip6t_standard
),
[
NF_INET_LOCAL_OUT
]
=
sizeof
(
struct
ip6t_standard
)
*
2
,
},
},
.
entries
=
{
IP6T_STANDARD_INIT
(
NF_ACCEPT
),
/* LOCAL_IN */
IP6T_STANDARD_INIT
(
NF_ACCEPT
),
/* FORWARD */
IP6T_STANDARD_INIT
(
NF_ACCEPT
),
/* LOCAL_OUT */
},
.
term
=
IP6T_ERROR_INIT
,
/* ERROR */
};
static
const
struct
xt_table
security_table
=
{
static
const
struct
xt_table
security_table
=
{
.
name
=
"security"
,
.
name
=
"security"
,
.
valid_hooks
=
SECURITY_VALID_HOOKS
,
.
valid_hooks
=
SECURITY_VALID_HOOKS
,
.
me
=
THIS_MODULE
,
.
me
=
THIS_MODULE
,
.
af
=
NFPROTO_IPV6
,
.
af
=
NFPROTO_IPV6
,
.
priority
=
NF_IP6_PRI_SECURITY
,
};
};
static
unsigned
int
static
unsigned
int
ip6t_local_in_hook
(
unsigned
int
hook
,
ip6table_security_hook
(
unsigned
int
hook
,
struct
sk_buff
*
skb
,
struct
sk_buff
*
skb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
int
(
*
okfn
)(
struct
sk_buff
*
))
{
return
ip6t_do_table
(
skb
,
hook
,
in
,
out
,
dev_net
(
in
)
->
ipv6
.
ip6table_security
);
}
static
unsigned
int
ip6t_forward_hook
(
unsigned
int
hook
,
struct
sk_buff
*
skb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
const
struct
net_device
*
out
,
int
(
*
okfn
)(
struct
sk_buff
*
))
int
(
*
okfn
)(
struct
sk_buff
*
))
{
{
return
ip6t_do_table
(
skb
,
hook
,
in
,
out
,
const
struct
net
*
net
=
dev_net
((
in
!=
NULL
)
?
in
:
out
);
dev_net
(
in
)
->
ipv6
.
ip6table_security
);
}
static
unsigned
int
return
ip6t_do_table
(
skb
,
hook
,
in
,
out
,
net
->
ipv6
.
ip6table_security
);
ip6t_local_out_hook
(
unsigned
int
hook
,
struct
sk_buff
*
skb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
int
(
*
okfn
)(
struct
sk_buff
*
))
{
/* TBD: handle short packets via raw socket */
return
ip6t_do_table
(
skb
,
hook
,
in
,
out
,
dev_net
(
out
)
->
ipv6
.
ip6table_security
);
}
}
static
struct
nf_hook_ops
ip6t_ops
[]
__read_mostly
=
{
static
struct
nf_hook_ops
*
sectbl_ops
__read_mostly
;
{
.
hook
=
ip6t_local_in_hook
,
.
owner
=
THIS_MODULE
,
.
pf
=
NFPROTO_IPV6
,
.
hooknum
=
NF_INET_LOCAL_IN
,
.
priority
=
NF_IP6_PRI_SECURITY
,
},
{
.
hook
=
ip6t_forward_hook
,
.
owner
=
THIS_MODULE
,
.
pf
=
NFPROTO_IPV6
,
.
hooknum
=
NF_INET_FORWARD
,
.
priority
=
NF_IP6_PRI_SECURITY
,
},
{
.
hook
=
ip6t_local_out_hook
,
.
owner
=
THIS_MODULE
,
.
pf
=
NFPROTO_IPV6
,
.
hooknum
=
NF_INET_LOCAL_OUT
,
.
priority
=
NF_IP6_PRI_SECURITY
,
},
};
static
int
__net_init
ip6table_security_net_init
(
struct
net
*
net
)
static
int
__net_init
ip6table_security_net_init
(
struct
net
*
net
)
{
{
net
->
ipv6
.
ip6table_security
=
struct
ip6t_replace
*
repl
;
ip6t_register_table
(
net
,
&
security_table
,
&
initial_table
.
repl
);
repl
=
ip6t_alloc_initial_table
(
&
security_table
);
if
(
repl
==
NULL
)
return
-
ENOMEM
;
net
->
ipv6
.
ip6table_security
=
ip6t_register_table
(
net
,
&
security_table
,
repl
);
kfree
(
repl
);
if
(
IS_ERR
(
net
->
ipv6
.
ip6table_security
))
if
(
IS_ERR
(
net
->
ipv6
.
ip6table_security
))
return
PTR_ERR
(
net
->
ipv6
.
ip6table_security
);
return
PTR_ERR
(
net
->
ipv6
.
ip6table_security
);
...
@@ -150,9 +81,11 @@ static int __init ip6table_security_init(void)
...
@@ -150,9 +81,11 @@ static int __init ip6table_security_init(void)
if
(
ret
<
0
)
if
(
ret
<
0
)
return
ret
;
return
ret
;
ret
=
nf_register_hooks
(
ip6t_ops
,
ARRAY_SIZE
(
ip6t_ops
));
sectbl_ops
=
xt_hook_link
(
&
security_table
,
ip6table_security_hook
);
if
(
ret
<
0
)
if
(
IS_ERR
(
sectbl_ops
))
{
ret
=
PTR_ERR
(
sectbl_ops
);
goto
cleanup_table
;
goto
cleanup_table
;
}
return
ret
;
return
ret
;
...
@@ -163,7 +96,7 @@ static int __init ip6table_security_init(void)
...
@@ -163,7 +96,7 @@ static int __init ip6table_security_init(void)
static
void
__exit
ip6table_security_fini
(
void
)
static
void
__exit
ip6table_security_fini
(
void
)
{
{
nf_unregister_hooks
(
ip6t_ops
,
ARRAY_SIZE
(
ip6t_ops
)
);
xt_hook_unlink
(
&
security_table
,
sectbl_ops
);
unregister_pernet_subsys
(
&
ip6table_security_net_ops
);
unregister_pernet_subsys
(
&
ip6table_security_net_ops
);
}
}
...
...
net/netfilter/x_tables.c
View file @
a8c28d05
...
@@ -26,7 +26,9 @@
...
@@ -26,7 +26,9 @@
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter_arp.h>
#include <linux/netfilter_arp.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv6/ip6_tables.h>
#include <linux/netfilter_arp/arp_tables.h>
MODULE_LICENSE
(
"GPL"
);
MODULE_LICENSE
(
"GPL"
);
MODULE_AUTHOR
(
"Harald Welte <laforge@netfilter.org>"
);
MODULE_AUTHOR
(
"Harald Welte <laforge@netfilter.org>"
);
...
@@ -1091,6 +1093,60 @@ static const struct file_operations xt_target_ops = {
...
@@ -1091,6 +1093,60 @@ static const struct file_operations xt_target_ops = {
#endif
/* CONFIG_PROC_FS */
#endif
/* CONFIG_PROC_FS */
/**
* xt_hook_link - set up hooks for a new table
* @table: table with metadata needed to set up hooks
* @fn: Hook function
*
* This function will take care of creating and registering the necessary
* Netfilter hooks for XT tables.
*/
struct
nf_hook_ops
*
xt_hook_link
(
const
struct
xt_table
*
table
,
nf_hookfn
*
fn
)
{
unsigned
int
hook_mask
=
table
->
valid_hooks
;
uint8_t
i
,
num_hooks
=
hweight32
(
hook_mask
);
uint8_t
hooknum
;
struct
nf_hook_ops
*
ops
;
int
ret
;
ops
=
kmalloc
(
sizeof
(
*
ops
)
*
num_hooks
,
GFP_KERNEL
);
if
(
ops
==
NULL
)
return
ERR_PTR
(
-
ENOMEM
);
for
(
i
=
0
,
hooknum
=
0
;
i
<
num_hooks
&&
hook_mask
!=
0
;
hook_mask
>>=
1
,
++
hooknum
)
{
if
(
!
(
hook_mask
&
1
))
continue
;
ops
[
i
].
hook
=
fn
;
ops
[
i
].
owner
=
table
->
me
;
ops
[
i
].
pf
=
table
->
af
;
ops
[
i
].
hooknum
=
hooknum
;
ops
[
i
].
priority
=
table
->
priority
;
++
i
;
}
ret
=
nf_register_hooks
(
ops
,
num_hooks
);
if
(
ret
<
0
)
{
kfree
(
ops
);
return
ERR_PTR
(
ret
);
}
return
ops
;
}
EXPORT_SYMBOL_GPL
(
xt_hook_link
);
/**
* xt_hook_unlink - remove hooks for a table
* @ops: nf_hook_ops array as returned by nf_hook_link
* @hook_mask: the very same mask that was passed to nf_hook_link
*/
void
xt_hook_unlink
(
const
struct
xt_table
*
table
,
struct
nf_hook_ops
*
ops
)
{
nf_unregister_hooks
(
ops
,
hweight32
(
table
->
valid_hooks
));
kfree
(
ops
);
}
EXPORT_SYMBOL_GPL
(
xt_hook_unlink
);
int
xt_proto_init
(
struct
net
*
net
,
u_int8_t
af
)
int
xt_proto_init
(
struct
net
*
net
,
u_int8_t
af
)
{
{
#ifdef CONFIG_PROC_FS
#ifdef CONFIG_PROC_FS
...
...
net/netfilter/xt_repldata.h
0 → 100644
View file @
a8c28d05
/*
* Today's hack: quantum tunneling in structs
*
* 'entries' and 'term' are never anywhere referenced by word in code. In fact,
* they serve as the hanging-off data accessed through repl.data[].
*/
#define xt_alloc_initial_table(type, typ2) ({ \
unsigned int hook_mask = info->valid_hooks; \
unsigned int nhooks = hweight32(hook_mask); \
unsigned int bytes = 0, hooknum = 0, i = 0; \
struct { \
struct type##_replace repl; \
struct type##_standard entries[nhooks]; \
struct type##_error term; \
} *tbl = kzalloc(sizeof(*tbl), GFP_KERNEL); \
if (tbl == NULL) \
return NULL; \
strncpy(tbl->repl.name, info->name, sizeof(tbl->repl.name)); \
tbl->term = (struct type##_error)typ2##_ERROR_INIT; \
tbl->repl.valid_hooks = hook_mask; \
tbl->repl.num_entries = nhooks + 1; \
tbl->repl.size = nhooks * sizeof(struct type##_standard) + \
sizeof(struct type##_error); \
for (; hook_mask != 0; hook_mask >>= 1, ++hooknum) { \
if (!(hook_mask & 1)) \
continue; \
tbl->repl.hook_entry[hooknum] = bytes; \
tbl->repl.underflow[hooknum] = bytes; \
tbl->entries[i++] = (struct type##_standard) \
typ2##_STANDARD_INIT(NF_ACCEPT); \
bytes += sizeof(struct type##_standard); \
} \
tbl; \
})
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment