d79aec83
Commit
d79aec83
authored
Dec 28, 2011
by
David S. Miller
Merge branch 'nf-next' of
git://1984.lsi.us.es/net-next
parents
c3b084c2
54b07dca
Changes
10
Showing
10 changed files
with
258 additions
and
44 deletions
+258
-44
include/linux/netfilter/Kbuild
include/linux/netfilter/Kbuild
+1
-0
include/linux/netfilter/xt_ecn.h
include/linux/netfilter/xt_ecn.h
+35
-0
include/linux/netfilter_ipv4/ipt_ecn.h
include/linux/netfilter_ipv4/ipt_ecn.h
+9
-29
net/ipv4/netfilter/Kconfig
net/ipv4/netfilter/Kconfig
+6
-6
net/ipv4/netfilter/Makefile
net/ipv4/netfilter/Makefile
+0
-1
net/netfilter/Kconfig
net/netfilter/Kconfig
+19
-0
net/netfilter/Makefile
net/netfilter/Makefile
+1
-0
net/netfilter/nf_conntrack_expect.c
net/netfilter/nf_conntrack_expect.c
+6
-6
net/netfilter/nf_conntrack_standalone.c
net/netfilter/nf_conntrack_standalone.c
+2
-2
net/netfilter/xt_ecn.c
net/netfilter/xt_ecn.c
+179
-0
include/linux/netfilter/Kbuild
...
...
@@ -43,6 +43,7 @@ header-y += xt_cpu.h
header-y += xt_dccp.h
header-y += xt_devgroup.h
header-y += xt_dscp.h
header-y += xt_ecn.h
header-y += xt_esp.h
header-y += xt_hashlimit.h
header-y += xt_helper.h
...
...
include/linux/netfilter/xt_ecn.h
0 → 100644
/* iptables module for matching the ECN header in IPv4 and TCP header
*
* (C) 2002 Harald Welte <laforge@gnumonks.org>
*
* This software is distributed under GNU GPL v2, 1991
*
* ipt_ecn.h,v 1.4 2002/08/05 19:39:00 laforge Exp
*/
#ifndef _XT_ECN_H
#define _XT_ECN_H
#include <linux/types.h>
#include <linux/netfilter/xt_dscp.h>
#define XT_ECN_IP_MASK (~XT_DSCP_MASK)
#define XT_ECN_OP_MATCH_IP 0x01
#define XT_ECN_OP_MATCH_ECE 0x10
#define XT_ECN_OP_MATCH_CWR 0x20
#define XT_ECN_OP_MATCH_MASK 0xce
/* match info */
struct
xt_ecn_info
{
__u8
operation
;
__u8
invert
;
__u8
ip_ect
;
union
{
struct
{
__u8
ect
;
}
tcp
;
}
proto
;
};
#endif
/* _XT_ECN_H */
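Review bot: `XT_ECN_OP_MATCH_MASK 0xce` carries no comment relating it to the three operation bits defined just above it; it is the byte complement of `XT_ECN_OP_MATCH_IP | XT_ECN_OP_MATCH_ECE | XT_ECN_OP_MATCH_CWR` (0x31), i.e. the bits that are not a defined operation, and ecn_mt_check4/ecn_mt_check6 in xt_ecn.c reject any rule whose operation or invert byte intersects it. A one-line comment such as `/* bits of operation/invert that no defined match uses; rejected at check time */` would make the relationship explicit and stop a future operation bit from silently overlapping the mask. Likewise `XT_ECN_IP_MASK (~XT_DSCP_MASK)` would read better with a note that it selects the two ECN bits of the TOS/traffic-class byte below the DSCP field.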
include/linux/netfilter_ipv4/ipt_ecn.h
/* iptables module for matching the ECN header in IPv4 and TCP header
*
* (C) 2002 Harald Welte <laforge@gnumonks.org>
*
* This software is distributed under GNU GPL v2, 1991
*
* ipt_ecn.h,v 1.4 2002/08/05 19:39:00 laforge Exp
*/
#ifndef _IPT_ECN_H
#define _IPT_ECN_H
#include <linux/
types
.h>
#
include <linux/netfilter/xt_dscp.h>
#include <linux/
netfilter/xt_ecn
.h>
#
define ipt_ecn_info xt_ecn_info
#define IPT_ECN_IP_MASK (~XT_DSCP_MASK)
#define IPT_ECN_OP_MATCH_IP 0x01
#define IPT_ECN_OP_MATCH_ECE 0x10
#define IPT_ECN_OP_MATCH_CWR 0x20
#define IPT_ECN_OP_MATCH_MASK 0xce
/* match info */
struct
ipt_ecn_info
{
__u8
operation
;
__u8
invert
;
__u8
ip_ect
;
union
{
struct
{
__u8
ect
;
}
tcp
;
}
proto
;
enum
{
IPT_ECN_IP_MASK
=
XT_ECN_IP_MASK
,
IPT_ECN_OP_MATCH_IP
=
XT_ECN_OP_MATCH_IP
,
IPT_ECN_OP_MATCH_ECE
=
XT_ECN_OP_MATCH_ECE
,
IPT_ECN_OP_MATCH_CWR
=
XT_ECN_OP_MATCH_CWR
,
IPT_ECN_OP_MATCH_MASK
=
XT_ECN_OP_MATCH_MASK
,
};
#endif
/*
_
IPT_ECN_H */
#endif
/* IPT_ECN_H */
net/ipv4/netfilter/Kconfig
...
...
@@ -27,7 +27,7 @@ config NF_CONNTRACK_IPV4
config NF_CONNTRACK_PROC_COMPAT
bool "proc/sysctl compatibility with old connection tracking"
depends on NF_CONNTRACK_IPV4
depends on NF_CONNTRACK_
PROCFS && NF_CONNTRACK_
IPV4
default y
help
This option enables /proc and sysctl compatibility with the old
...
...
@@ -76,11 +76,11 @@ config IP_NF_MATCH_AH
config IP_NF_MATCH_ECN
tristate '"ecn" match support'
depends on NETFILTER_ADVANCED
help
This option adds a `ECN' match, which allows you to match against
the IPv4 and TCP header ECN fields.
To compile it as a module, choose M here. If unsure, say
N.
select NETFILTER_XT_MATCH_ECN
---help---
This is a backwards-compat option for the user's convenience
(e.g. when running oldconfig). It selects
CONFIG_NETFILTER_XT_MATCH_EC
N.
config IP_NF_MATCH_RPFILTER
tristate '"rpfilter" reverse path filter match support'
...
...
net/ipv4/netfilter/Makefile
...
...
@@ -49,7 +49,6 @@ obj-$(CONFIG_IP_NF_SECURITY) += iptable_security.o
# matches
obj-$(CONFIG_IP_NF_MATCH_AH)
+=
ipt_ah.o
obj-$(CONFIG_IP_NF_MATCH_ECN)
+=
ipt_ecn.o
obj-$(CONFIG_IP_NF_MATCH_RPFILTER)
+=
ipt_rpfilter.o
# targets
...
...
net/netfilter/Kconfig
...
...
@@ -83,6 +83,16 @@ config NF_CONNTRACK_ZONES
If unsure, say `N'.
config NF_CONNTRACK_PROCFS
bool "Supply CT list in procfs (OBSOLETE)"
default y
depends on PROC_FS
---help---
This option enables for the list of known conntrack entries
to be shown in procfs under net/netfilter/nf_conntrack. This
is considered obsolete in favor of using the conntrack(8)
tool which uses Netlink.
config NF_CONNTRACK_EVENTS
bool "Connection tracking events"
depends on NETFILTER_ADVANCED
...
...
@@ -778,6 +788,15 @@ config NETFILTER_XT_MATCH_DSCP
To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_MATCH_ECN
tristate '"ecn" match support'
depends on NETFILTER_ADVANCED
---help---
This option adds an "ECN" match, which allows you to match against
the IPv4 and TCP header ECN fields.
To compile it as a module, choose M here. If unsure, say N.
config NETFILTER_XT_MATCH_ESP
tristate '"esp" match support'
depends on NETFILTER_ADVANCED
...
...
net/netfilter/Makefile
...
...
@@ -81,6 +81,7 @@ obj-$(CONFIG_NETFILTER_XT_MATCH_CPU) += xt_cpu.o
obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP)
+=
xt_dccp.o
obj-$(CONFIG_NETFILTER_XT_MATCH_DEVGROUP)
+=
xt_devgroup.o
obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP)
+=
xt_dscp.o
obj-$(CONFIG_NETFILTER_XT_MATCH_ECN)
+=
xt_ecn.o
obj-$(CONFIG_NETFILTER_XT_MATCH_ESP)
+=
xt_esp.o
obj-$(CONFIG_NETFILTER_XT_MATCH_HASHLIMIT)
+=
xt_hashlimit.o
obj-$(CONFIG_NETFILTER_XT_MATCH_HELPER)
+=
xt_helper.o
...
...
net/netfilter/nf_conntrack_expect.c
...
...
@@ -455,7 +455,7 @@ int nf_ct_expect_related_report(struct nf_conntrack_expect *expect,
}
EXPORT_SYMBOL_GPL
(
nf_ct_expect_related_report
);
#ifdef CONFIG_
PROC_
FS
#ifdef CONFIG_
NF_CONNTRACK_PROC
FS
struct
ct_expect_iter_state
{
struct
seq_net_private
p
;
unsigned
int
bucket
;
...
...
@@ -583,25 +583,25 @@ static const struct file_operations exp_file_ops = {
.
llseek
=
seq_lseek
,
.
release
=
seq_release_net
,
};
#endif
/* CONFIG_
PROC_
FS */
#endif
/* CONFIG_
NF_CONNTRACK_PROC
FS */
static
int
exp_proc_init
(
struct
net
*
net
)
{
#ifdef CONFIG_
PROC_
FS
#ifdef CONFIG_
NF_CONNTRACK_PROC
FS
struct
proc_dir_entry
*
proc
;
proc
=
proc_net_fops_create
(
net
,
"nf_conntrack_expect"
,
0440
,
&
exp_file_ops
);
if
(
!
proc
)
return
-
ENOMEM
;
#endif
/* CONFIG_
PROC_
FS */
#endif
/* CONFIG_
NF_CONNTRACK_PROC
FS */
return
0
;
}
static
void
exp_proc_remove
(
struct
net
*
net
)
{
#ifdef CONFIG_
PROC_
FS
#ifdef CONFIG_
NF_CONNTRACK_PROC
FS
proc_net_remove
(
net
,
"nf_conntrack_expect"
);
#endif
/* CONFIG_
PROC_
FS */
#endif
/* CONFIG_
NF_CONNTRACK_PROC
FS */
}
module_param_named
(
expect_hashsize
,
nf_ct_expect_hsize
,
uint
,
0400
);
...
...
net/netfilter/nf_conntrack_standalone.c
...
...
@@ -34,7 +34,7 @@
MODULE_LICENSE
(
"GPL"
);
#ifdef CONFIG_
PROC_
FS
#ifdef CONFIG_
NF_CONNTRACK_PROC
FS
int
print_tuple
(
struct
seq_file
*
s
,
const
struct
nf_conntrack_tuple
*
tuple
,
const
struct
nf_conntrack_l3proto
*
l3proto
,
...
...
@@ -396,7 +396,7 @@ static int nf_conntrack_standalone_init_proc(struct net *net)
static
void
nf_conntrack_standalone_fini_proc
(
struct
net
*
net
)
{
}
#endif
/* CONFIG_
PROC_
FS */
#endif
/* CONFIG_
NF_CONNTRACK_PROC
FS */
/* Sysctl support */
...
...
net/
ipv4/netfilter/ip
t_ecn.c
→
net/
netfilter/x
t_ecn.c
/* IP tables module for matching the value of the IPv4 and TCP ECN bits
/*
* Xtables module for matching the value of the IPv4/IPv6 and TCP ECN bits
*
* (C) 2002 by Harald Welte <laforge@gnumonks.org>
* (C) 2011 Patrick McHardy <kaber@trash.net>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
...
...
@@ -15,38 +17,31 @@
#include <linux/tcp.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_ecn.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv
4/ipt_ecn
.h>
#include <linux/netfilter_ipv
6/ip6_tables
.h>
MODULE_AUTHOR
(
"Harald Welte <laforge@netfilter.org>"
);
MODULE_DESCRIPTION
(
"Xtables: Explicit Congestion Notification (ECN) flag match
for IPv4
"
);
MODULE_DESCRIPTION
(
"Xtables: Explicit Congestion Notification (ECN) flag match"
);
MODULE_LICENSE
(
"GPL"
);
MODULE_ALIAS
(
"ipt_ecn"
);
MODULE_ALIAS
(
"ip6t_ecn"
);
static
inline
bool
match_ip
(
const
struct
sk_buff
*
skb
,
const
struct
ipt_ecn_info
*
einfo
)
{
return
((
ip_hdr
(
skb
)
->
tos
&
IPT_ECN_IP_MASK
)
==
einfo
->
ip_ect
)
^
!!
(
einfo
->
invert
&
IPT_ECN_OP_MATCH_IP
);
}
static
inline
bool
match_tcp
(
const
struct
sk_buff
*
skb
,
const
struct
ipt_ecn_info
*
einfo
,
bool
*
hotdrop
)
static
bool
match_tcp
(
const
struct
sk_buff
*
skb
,
struct
xt_action_param
*
par
)
{
const
struct
xt_ecn_info
*
einfo
=
par
->
matchinfo
;
struct
tcphdr
_tcph
;
const
struct
tcphdr
*
th
;
/* In practice, TCP match does this, so can't fail. But let's
* be good citizens.
*/
th
=
skb_header_pointer
(
skb
,
ip_hdrlen
(
skb
),
sizeof
(
_tcph
),
&
_tcph
);
if
(
th
==
NULL
)
{
*
hotdrop
=
false
;
th
=
skb_header_pointer
(
skb
,
par
->
thoff
,
sizeof
(
_tcph
),
&
_tcph
);
if
(
th
==
NULL
)
return
false
;
}
if
(
einfo
->
operation
&
IP
T_ECN_OP_MATCH_ECE
)
{
if
(
einfo
->
invert
&
IP
T_ECN_OP_MATCH_ECE
)
{
if
(
einfo
->
operation
&
X
T_ECN_OP_MATCH_ECE
)
{
if
(
einfo
->
invert
&
X
T_ECN_OP_MATCH_ECE
)
{
if
(
th
->
ece
==
1
)
return
false
;
}
else
{
...
...
@@ -55,8 +50,8 @@ static inline bool match_tcp(const struct sk_buff *skb,
}
}
if
(
einfo
->
operation
&
IP
T_ECN_OP_MATCH_CWR
)
{
if
(
einfo
->
invert
&
IP
T_ECN_OP_MATCH_CWR
)
{
if
(
einfo
->
operation
&
X
T_ECN_OP_MATCH_CWR
)
{
if
(
einfo
->
invert
&
X
T_ECN_OP_MATCH_CWR
)
{
if
(
th
->
cwr
==
1
)
return
false
;
}
else
{
...
...
@@ -68,34 +63,39 @@ static inline bool match_tcp(const struct sk_buff *skb,
return
true
;
}
static
bool
ecn_mt
(
const
struct
sk_buff
*
skb
,
struct
xt_action_param
*
par
)
static
inline
bool
match_ip
(
const
struct
sk_buff
*
skb
,
const
struct
xt_ecn_info
*
einfo
)
{
const
struct
ipt_ecn_info
*
info
=
par
->
matchinfo
;
return
((
ip_hdr
(
skb
)
->
tos
&
XT_ECN_IP_MASK
)
==
einfo
->
ip_ect
)
^
!!
(
einfo
->
invert
&
XT_ECN_OP_MATCH_IP
);
}
if
(
info
->
operation
&
IPT_ECN_OP_MATCH_IP
)
if
(
!
match_ip
(
skb
,
info
))
return
false
;
static
bool
ecn_mt4
(
const
struct
sk_buff
*
skb
,
struct
xt_action_param
*
par
)
{
const
struct
xt_ecn_info
*
info
=
par
->
matchinfo
;
if
(
info
->
operation
&
(
IPT_ECN_OP_MATCH_ECE
|
IPT_ECN_OP_MATCH_CWR
))
{
if
(
!
match_tcp
(
skb
,
info
,
&
par
->
hotdrop
))
return
false
;
}
if
(
info
->
operation
&
XT_ECN_OP_MATCH_IP
&&
!
match_ip
(
skb
,
info
))
return
false
;
if
(
info
->
operation
&
(
XT_ECN_OP_MATCH_ECE
|
XT_ECN_OP_MATCH_CWR
)
&&
!
match_tcp
(
skb
,
par
))
return
false
;
return
true
;
}
static
int
ecn_mt_check
(
const
struct
xt_mtchk_param
*
par
)
static
int
ecn_mt_check
4
(
const
struct
xt_mtchk_param
*
par
)
{
const
struct
ip
t_ecn_info
*
info
=
par
->
matchinfo
;
const
struct
x
t_ecn_info
*
info
=
par
->
matchinfo
;
const
struct
ipt_ip
*
ip
=
par
->
entryinfo
;
if
(
info
->
operation
&
IP
T_ECN_OP_MATCH_MASK
)
if
(
info
->
operation
&
X
T_ECN_OP_MATCH_MASK
)
return
-
EINVAL
;
if
(
info
->
invert
&
IP
T_ECN_OP_MATCH_MASK
)
if
(
info
->
invert
&
X
T_ECN_OP_MATCH_MASK
)
return
-
EINVAL
;
if
(
info
->
operation
&
(
IPT_ECN_OP_MATCH_ECE
|
IP
T_ECN_OP_MATCH_CWR
)
&&
if
(
info
->
operation
&
(
XT_ECN_OP_MATCH_ECE
|
X
T_ECN_OP_MATCH_CWR
)
&&
(
ip
->
proto
!=
IPPROTO_TCP
||
ip
->
invflags
&
IPT_INV_PROTO
))
{
pr_info
(
"cannot match TCP bits in rule for non-tcp packets
\n
"
);
return
-
EINVAL
;
...
...
@@ -104,23 +104,75 @@ static int ecn_mt_check(const struct xt_mtchk_param *par)
return
0
;
}
static
struct
xt_match
ecn_mt_reg
__read_mostly
=
{
.
name
=
"ecn"
,
.
family
=
NFPROTO_IPV4
,
.
match
=
ecn_mt
,
.
matchsize
=
sizeof
(
struct
ipt_ecn_info
),
.
checkentry
=
ecn_mt_check
,
.
me
=
THIS_MODULE
,
static
inline
bool
match_ipv6
(
const
struct
sk_buff
*
skb
,
const
struct
xt_ecn_info
*
einfo
)
{
return
(((
ipv6_hdr
(
skb
)
->
flow_lbl
[
0
]
>>
4
)
&
XT_ECN_IP_MASK
)
==
einfo
->
ip_ect
)
^
!!
(
einfo
->
invert
&
XT_ECN_OP_MATCH_IP
);
}
static
bool
ecn_mt6
(
const
struct
sk_buff
*
skb
,
struct
xt_action_param
*
par
)
{
const
struct
xt_ecn_info
*
info
=
par
->
matchinfo
;
if
(
info
->
operation
&
XT_ECN_OP_MATCH_IP
&&
!
match_ipv6
(
skb
,
info
))
return
false
;
if
(
info
->
operation
&
(
XT_ECN_OP_MATCH_ECE
|
XT_ECN_OP_MATCH_CWR
)
&&
!
match_tcp
(
skb
,
par
))
return
false
;
return
true
;
}
static
int
ecn_mt_check6
(
const
struct
xt_mtchk_param
*
par
)
{
const
struct
xt_ecn_info
*
info
=
par
->
matchinfo
;
const
struct
ip6t_ip6
*
ip
=
par
->
entryinfo
;
if
(
info
->
operation
&
XT_ECN_OP_MATCH_MASK
)
return
-
EINVAL
;
if
(
info
->
invert
&
XT_ECN_OP_MATCH_MASK
)
return
-
EINVAL
;
if
(
info
->
operation
&
(
XT_ECN_OP_MATCH_ECE
|
XT_ECN_OP_MATCH_CWR
)
&&
(
ip
->
proto
!=
IPPROTO_TCP
||
ip
->
invflags
&
IP6T_INV_PROTO
))
{
pr_info
(
"cannot match TCP bits in rule for non-tcp packets
\n
"
);
return
-
EINVAL
;
}
return
0
;
}
static
struct
xt_match
ecn_mt_reg
[]
__read_mostly
=
{
{
.
name
=
"ecn"
,
.
family
=
NFPROTO_IPV4
,
.
match
=
ecn_mt4
,
.
matchsize
=
sizeof
(
struct
xt_ecn_info
),
.
checkentry
=
ecn_mt_check4
,
.
me
=
THIS_MODULE
,
},
{
.
name
=
"ecn"
,
.
family
=
NFPROTO_IPV6
,
.
match
=
ecn_mt6
,
.
matchsize
=
sizeof
(
struct
xt_ecn_info
),
.
checkentry
=
ecn_mt_check6
,
.
me
=
THIS_MODULE
,
},
};
static
int
__init
ecn_mt_init
(
void
)
{
return
xt_register_match
(
&
ecn_mt_reg
);
return
xt_register_match
es
(
ecn_mt_reg
,
ARRAY_SIZE
(
ecn_mt_reg
)
);
}
static
void
__exit
ecn_mt_exit
(
void
)
{
xt_unregister_match
(
&
ecn_mt_reg
);
xt_unregister_match
es
(
ecn_mt_reg
,
ARRAY_SIZE
(
ecn_mt_reg
)
);
}
module_init
(
ecn_mt_init
);
...
...
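Review bot: match_tcp reads the transport header at `par->thoff` but never consults `par->fragoff`, so for a non-first fragment of a TCP packet the bytes at thoff are fragment payload rather than a TCP header and the ece/cwr comparisons that follow operate on arbitrary data (the IPv4 code had the same gap with ip_hdrlen(), and the new IPv6 path inherits it). The comment `In practice, TCP match does this` only holds when a tcp match is present in the same rule, which ecn_mt_check4/ecn_mt_check6 do not require — they accept any `-p tcp` rule. A guard mirroring xt_tcpudp, `if (par->fragoff != 0) return false;`, placed before the skb_header_pointer() call would cover both families. match_tcp's body continues past this hunk into the following two. In the last hunk, `match_ipv6` would also benefit from a comment that the ECN bits are the low two bits of the traffic class, whose low nibble is the high nibble of `flow_lbl[0]`, which is why the field is shifted right by 4 before masking.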