Commit
272a5322
authored
Feb 27, 2006
by
Linus Torvalds
Merge master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6
parents
051d3cbd
ba13c984
Showing
11 changed files
with
109 additions
and
155 deletions
+109
-155
include/linux/netfilter_bridge/ebt_log.h
include/linux/netfilter_bridge/ebt_log.h
+1
-0
include/linux/netfilter_ipv4/ipt_LOG.h
include/linux/netfilter_ipv4/ipt_LOG.h
+2
-1
include/linux/netfilter_ipv6/ip6t_LOG.h
include/linux/netfilter_ipv6/ip6t_LOG.h
+2
-1
include/net/xfrm.h
include/net/xfrm.h
+0
-1
net/bridge/netfilter/ebt_log.c
net/bridge/netfilter/ebt_log.c
+6
-1
net/core/request_sock.c
net/core/request_sock.c
+0
-1
net/ipv4/esp4.c
net/ipv4/esp4.c
+66
-119
net/ipv4/netfilter/ipt_LOG.c
net/ipv4/netfilter/ipt_LOG.c
+6
-1
net/ipv6/netfilter/ip6t_LOG.c
net/ipv6/netfilter/ip6t_LOG.c
+6
-1
net/netfilter/nf_queue.c
net/netfilter/nf_queue.c
+20
-22
net/xfrm/xfrm_policy.c
net/xfrm/xfrm_policy.c
+0
-7
include/linux/netfilter_bridge/ebt_log.h
...
...
@@ -3,6 +3,7 @@
#define EBT_LOG_IP 0x01
/* if the frame is made by ip, log the ip information */
#define EBT_LOG_ARP 0x02
#define EBT_LOG_NFLOG 0x04
#define EBT_LOG_MASK (EBT_LOG_IP | EBT_LOG_ARP)
#define EBT_LOG_PREFIX_SIZE 30
#define EBT_LOG_WATCHER "log"
...
...
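Review bot: EBT_LOG_MASK is left as `(EBT_LOG_IP | EBT_LOG_ARP)` although this hunk introduces `EBT_LOG_NFLOG 0x04`, whereas the ipt_LOG.h and ip6t_LOG.h sections of the same commit widen their masks from 0x0f to 0x1f to cover the new flag. If the watcher's check routine rejects bits outside EBT_LOG_MASK (it is not shown on this page, so this is an assumption to confirm), a rule can never carry EBT_LOG_NFLOG and the new branch in net/bridge/netfilter/ebt_log.c is unreachable. Either include the flag, `#define EBT_LOG_MASK (EBT_LOG_IP | EBT_LOG_ARP | EBT_LOG_NFLOG)`, or add a comment saying why it is deliberately kept out of the mask.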
include/linux/netfilter_ipv4/ipt_LOG.h
...
...
@@ -6,7 +6,8 @@
#define IPT_LOG_TCPOPT 0x02
/* Log TCP options */
#define IPT_LOG_IPOPT 0x04
/* Log IP options */
#define IPT_LOG_UID 0x08
/* Log UID owning local socket */
#define IPT_LOG_MASK 0x0f
#define IPT_LOG_NFLOG 0x10
/* Log using nf_log backend */
#define IPT_LOG_MASK 0x1f
struct
ipt_log_info
{
unsigned
char
level
;
...
...
include/linux/netfilter_ipv6/ip6t_LOG.h
...
...
@@ -6,7 +6,8 @@
#define IP6T_LOG_TCPOPT 0x02
/* Log TCP options */
#define IP6T_LOG_IPOPT 0x04
/* Log IP options */
#define IP6T_LOG_UID 0x08
/* Log UID owning local socket */
#define IP6T_LOG_MASK 0x0f
#define IP6T_LOG_NFLOG 0x10
/* Log using nf_log backend */
#define IP6T_LOG_MASK 0x1f
struct
ip6t_log_info
{
unsigned
char
level
;
...
...
include/net/xfrm.h
...
...
@@ -233,7 +233,6 @@ struct xfrm_type
int
(
*
init_state
)(
struct
xfrm_state
*
x
);
void
(
*
destructor
)(
struct
xfrm_state
*
);
int
(
*
input
)(
struct
xfrm_state
*
,
struct
xfrm_decap_state
*
,
struct
sk_buff
*
skb
);
int
(
*
post_input
)(
struct
xfrm_state
*
,
struct
xfrm_decap_state
*
,
struct
sk_buff
*
skb
);
int
(
*
output
)(
struct
xfrm_state
*
,
struct
sk_buff
*
pskb
);
/* Estimate maximal size of result of transformation of a dgram */
u32
(
*
get_max_size
)(
struct
xfrm_state
*
,
int
size
);
...
...
net/bridge/netfilter/ebt_log.c
...
...
@@ -166,7 +166,12 @@ static void ebt_log(const struct sk_buff *skb, unsigned int hooknr,
li
.
u
.
log
.
level
=
info
->
loglevel
;
li
.
u
.
log
.
logflags
=
info
->
bitmask
;
nf_log_packet
(
PF_BRIDGE
,
hooknr
,
skb
,
in
,
out
,
&
li
,
info
->
prefix
);
if
(
info
->
bitmask
&
EBT_LOG_NFLOG
)
nf_log_packet
(
PF_BRIDGE
,
hooknr
,
skb
,
in
,
out
,
&
li
,
info
->
prefix
);
else
ebt_log_packet
(
PF_BRIDGE
,
hooknr
,
skb
,
in
,
out
,
&
li
,
info
->
prefix
);
}
static
struct
ebt_watcher
log
=
...
...
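Review bot: The new `if (info->bitmask & EBT_LOG_NFLOG) … else …` in ebt_log() chooses between two loggers without a comment on why, as the section renders it, the unflagged path now goes to ebt_log_packet() instead of nf_log_packet(). A one-line comment such as `/* default to the built-in logger; hand off to the nf_log backend only when the rule asks for it */` would tell a reader where entries from existing rules end up, which matters to anyone relying on them for audit or detection. The same applies to the matching branches in net/ipv4/netfilter/ipt_LOG.c and net/ipv6/netfilter/ip6t_LOG.c. ebt_log() starts outside the hunk.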
net/core/request_sock.c
...
...
@@ -52,7 +52,6 @@ int reqsk_queue_alloc(struct request_sock_queue *queue,
get_random_bytes
(
&
lopt
->
hash_rnd
,
sizeof
(
lopt
->
hash_rnd
));
rwlock_init
(
&
queue
->
syn_wait_lock
);
queue
->
rskq_accept_head
=
queue
->
rskq_accept_head
=
NULL
;
queue
->
rskq_defer_accept
=
0
;
lopt
->
nr_table_entries
=
nr_table_entries
;
write_lock_bh
(
&
queue
->
syn_wait_lock
);
...
...
net/ipv4/esp4.c
...
...
@@ -12,13 +12,6 @@
#include <net/protocol.h>
#include <net/udp.h>
/* decapsulation data for use when post-processing */
struct
esp_decap_data
{
xfrm_address_t
saddr
;
__u16
sport
;
__u8
proto
;
};
static
int
esp_output
(
struct
xfrm_state
*
x
,
struct
sk_buff
*
skb
)
{
int
err
;
...
...
@@ -150,6 +143,10 @@ static int esp_input(struct xfrm_state *x, struct xfrm_decap_state *decap, struc
int
elen
=
skb
->
len
-
sizeof
(
struct
ip_esp_hdr
)
-
esp
->
conf
.
ivlen
-
alen
;
int
nfrags
;
int
encap_len
=
0
;
u8
nexthdr
[
2
];
struct
scatterlist
*
sg
;
u8
workbuf
[
60
];
int
padlen
;
if
(
!
pskb_may_pull
(
skb
,
sizeof
(
struct
ip_esp_hdr
)))
goto
out
;
...
...
@@ -185,11 +182,7 @@ static int esp_input(struct xfrm_state *x, struct xfrm_decap_state *decap, struc
if
(
esp
->
conf
.
ivlen
)
crypto_cipher_set_iv
(
esp
->
conf
.
tfm
,
esph
->
enc_data
,
crypto_tfm_alg_ivsize
(
esp
->
conf
.
tfm
));
{
u8
nexthdr
[
2
];
struct
scatterlist
*
sg
=
&
esp
->
sgbuf
[
0
];
u8
workbuf
[
60
];
int
padlen
;
sg
=
&
esp
->
sgbuf
[
0
];
if
(
unlikely
(
nfrags
>
ESP_NUM_FAST_SG
))
{
sg
=
kmalloc
(
sizeof
(
struct
scatterlist
)
*
nfrags
,
GFP_ATOMIC
);
...
...
@@ -210,73 +203,28 @@ static int esp_input(struct xfrm_state *x, struct xfrm_decap_state *decap, struc
/* ... check padding bits here. Silly. :-) */
if
(
x
->
encap
&&
decap
&&
decap
->
decap_type
)
{
struct
esp_decap_data
*
encap_data
;
struct
udphdr
*
uh
=
(
struct
udphdr
*
)
(
iph
+
1
);
encap_data
=
(
struct
esp_decap_data
*
)
(
decap
->
decap_data
);
encap_data
->
proto
=
0
;
switch
(
decap
->
decap_type
)
{
case
UDP_ENCAP_ESPINUDP
:
case
UDP_ENCAP_ESPINUDP_NON_IKE
:
encap_data
->
proto
=
AF_INET
;
encap_data
->
saddr
.
a4
=
iph
->
saddr
;
encap_data
->
sport
=
uh
->
source
;
encap_len
=
(
void
*
)
esph
-
(
void
*
)
uh
;
break
;
default:
goto
out
;
}
}
iph
->
protocol
=
nexthdr
[
1
];
pskb_trim
(
skb
,
skb
->
len
-
alen
-
padlen
-
2
);
memcpy
(
workbuf
,
skb
->
nh
.
raw
,
iph
->
ihl
*
4
);
skb
->
h
.
raw
=
skb_pull
(
skb
,
sizeof
(
struct
ip_esp_hdr
)
+
esp
->
conf
.
ivlen
);
skb
->
nh
.
raw
+=
encap_len
+
sizeof
(
struct
ip_esp_hdr
)
+
esp
->
conf
.
ivlen
;
memcpy
(
skb
->
nh
.
raw
,
workbuf
,
iph
->
ihl
*
4
);
skb
->
nh
.
iph
->
tot_len
=
htons
(
skb
->
len
);
}
return
0
;
out:
return
-
EINVAL
;
}
static
int
esp_post_input
(
struct
xfrm_state
*
x
,
struct
xfrm_decap_state
*
decap
,
struct
sk_buff
*
skb
)
{
if
(
x
->
encap
)
{
struct
xfrm_encap_tmpl
*
encap
;
struct
esp_decap_data
*
decap_data
;
encap
=
x
->
encap
;
decap_data
=
(
struct
esp_decap_data
*
)(
decap
->
decap_data
);
struct
xfrm_encap_tmpl
*
encap
=
x
->
encap
;
struct
udphdr
*
uh
;
/* first, make sure that the decap type == the encap type */
if
(
encap
->
encap_type
!=
decap
->
decap_type
)
return
-
EINVAL
;
goto
out
;
uh
=
(
struct
udphdr
*
)(
iph
+
1
);
encap_len
=
(
void
*
)
esph
-
(
void
*
)
uh
;
switch
(
encap
->
encap_type
)
{
default:
case
UDP_ENCAP_ESPINUDP
:
case
UDP_ENCAP_ESPINUDP_NON_IKE
:
/*
* 1) if the NAT-T peer's IP or port changed then
* advertize the change to the keying daemon.
* This is an inbound SA, so just compare
* SRC ports.
*/
if
(
decap_data
->
proto
==
AF_INET
&&
(
decap_data
->
saddr
.
a4
!=
x
->
props
.
saddr
.
a4
||
decap_data
->
sport
!=
encap
->
encap_sport
))
{
if
(
iph
->
saddr
!=
x
->
props
.
saddr
.
a4
||
uh
->
source
!=
encap
->
encap_sport
)
{
xfrm_address_t
ipaddr
;
ipaddr
.
a4
=
decap_data
->
saddr
.
a4
;
km_new_mapping
(
x
,
&
ipaddr
,
decap_data
->
sport
);
ipaddr
.
a4
=
iph
->
saddr
;
km_new_mapping
(
x
,
&
ipaddr
,
uh
->
source
);
/* XXX: perhaps add an extra
* policy check here, to see
...
...
@@ -291,16 +239,25 @@ static int esp_post_input(struct xfrm_state *x, struct xfrm_decap_state *decap,
* 2) ignore UDP/TCP checksums in case
* of NAT-T in Transport Mode, or
* perform other post-processing fixes
* as per *
draft-ietf-ipsec-udp-encaps-06,
* as per
draft-ietf-ipsec-udp-encaps-06,
* section 3.1.2
*/
if
(
!
x
->
props
.
mode
)
skb
->
ip_summed
=
CHECKSUM_UNNECESSARY
;
break
;
}
}
iph
->
protocol
=
nexthdr
[
1
];
pskb_trim
(
skb
,
skb
->
len
-
alen
-
padlen
-
2
);
memcpy
(
workbuf
,
skb
->
nh
.
raw
,
iph
->
ihl
*
4
);
skb
->
h
.
raw
=
skb_pull
(
skb
,
sizeof
(
struct
ip_esp_hdr
)
+
esp
->
conf
.
ivlen
);
skb
->
nh
.
raw
+=
encap_len
+
sizeof
(
struct
ip_esp_hdr
)
+
esp
->
conf
.
ivlen
;
memcpy
(
skb
->
nh
.
raw
,
workbuf
,
iph
->
ihl
*
4
);
skb
->
nh
.
iph
->
tot_len
=
htons
(
skb
->
len
);
return
0
;
out:
return
-
EINVAL
;
}
static
u32
esp4_get_max_size
(
struct
xfrm_state
*
x
,
int
mtu
)
...
...
@@ -458,7 +415,6 @@ static struct xfrm_type esp_type =
.
destructor
=
esp_destroy
,
.
get_max_size
=
esp4_get_max_size
,
.
input
=
esp_input
,
.
post_input
=
esp_post_input
,
.
output
=
esp_output
};
...
...
@@ -470,15 +426,6 @@ static struct net_protocol esp4_protocol = {
static
int
__init
esp4_init
(
void
)
{
struct
xfrm_decap_state
decap
;
if
(
sizeof
(
struct
esp_decap_data
)
>
sizeof
(
decap
.
decap_data
))
{
extern
void
decap_data_too_small
(
void
);
decap_data_too_small
();
}
if
(
xfrm_register_type
(
&
esp_type
,
AF_INET
)
<
0
)
{
printk
(
KERN_INFO
"ip esp init: can't add xfrm type
\n
"
);
return
-
EAGAIN
;
...
...
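Review bot: In the NAT-T branch that esp_input() now carries, the UDP header is located with `uh = (struct udphdr *)(iph + 1)`, which assumes a 20-byte IP header, while the header copy a few lines later uses `iph->ihl * 4`. For a packet with IP options, `uh->source` and `encap_len = (void *)esph - (void *)uh` would then be computed from the options area, so the port reported through km_new_mapping() and the `skb->nh.raw += encap_len + …` adjustment would both be off. Deriving the pointer from the real header length, `uh = (struct udphdr *)((u8 *)iph + iph->ihl * 4);`, keeps it consistent with the memcpy calls. The branch also reads `decap->decap_type` without the `decap &&` test that the earlier condition on this page had, so it is worth confirming that every caller passes a non-NULL decap. esp_input() begins outside these hunks.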
net/ipv4/netfilter/ipt_LOG.c
...
...
@@ -425,7 +425,12 @@ ipt_log_target(struct sk_buff **pskb,
li
.
u
.
log
.
level
=
loginfo
->
level
;
li
.
u
.
log
.
logflags
=
loginfo
->
logflags
;
nf_log_packet
(
PF_INET
,
hooknum
,
*
pskb
,
in
,
out
,
&
li
,
loginfo
->
prefix
);
if
(
loginfo
->
logflags
&
IPT_LOG_NFLOG
)
nf_log_packet
(
PF_INET
,
hooknum
,
*
pskb
,
in
,
out
,
&
li
,
loginfo
->
prefix
);
else
ipt_log_packet
(
PF_INET
,
hooknum
,
*
pskb
,
in
,
out
,
&
li
,
loginfo
->
prefix
);
return
IPT_CONTINUE
;
}
...
...
net/ipv6/netfilter/ip6t_LOG.c
...
...
@@ -436,7 +436,12 @@ ip6t_log_target(struct sk_buff **pskb,
li
.
u
.
log
.
level
=
loginfo
->
level
;
li
.
u
.
log
.
logflags
=
loginfo
->
logflags
;
nf_log_packet
(
PF_INET6
,
hooknum
,
*
pskb
,
in
,
out
,
&
li
,
loginfo
->
prefix
);
if
(
loginfo
->
logflags
&
IP6T_LOG_NFLOG
)
nf_log_packet
(
PF_INET6
,
hooknum
,
*
pskb
,
in
,
out
,
&
li
,
loginfo
->
prefix
);
else
ip6t_log_packet
(
PF_INET6
,
hooknum
,
*
pskb
,
in
,
out
,
&
li
,
loginfo
->
prefix
);
return
IP6T_CONTINUE
;
}
...
...
net/netfilter/nf_queue.c
...
...
@@ -6,6 +6,7 @@
#include <linux/skbuff.h>
#include <linux/netfilter.h>
#include <linux/seq_file.h>
#include <linux/rcupdate.h>
#include <net/protocol.h>
#include "nf_internals.h"
...
...
@@ -16,7 +17,7 @@
* for queueing and must reinject all packets it receives, no matter what.
*/
static
struct
nf_queue_handler
*
queue_handler
[
NPROTO
];
static
struct
nf_queue_rerouter
*
queue_rerouter
;
static
struct
nf_queue_rerouter
*
queue_rerouter
[
NPROTO
]
;
static
DEFINE_RWLOCK
(
queue_handler_lock
);
...
...
@@ -64,7 +65,7 @@ int nf_register_queue_rerouter(int pf, struct nf_queue_rerouter *rer)
return
-
EINVAL
;
write_lock_bh
(
&
queue_handler_lock
);
memcpy
(
&
queue_rerouter
[
pf
],
rer
,
sizeof
(
queue_rerouter
[
pf
])
);
rcu_assign_pointer
(
queue_rerouter
[
pf
],
rer
);
write_unlock_bh
(
&
queue_handler_lock
);
return
0
;
...
...
@@ -77,8 +78,9 @@ int nf_unregister_queue_rerouter(int pf)
return
-
EINVAL
;
write_lock_bh
(
&
queue_handler_lock
);
memset
(
&
queue_rerouter
[
pf
],
0
,
sizeof
(
queue_rerouter
[
pf
])
);
rcu_assign_pointer
(
queue_rerouter
[
pf
],
NULL
);
write_unlock_bh
(
&
queue_handler_lock
);
synchronize_rcu
();
return
0
;
}
EXPORT_SYMBOL_GPL
(
nf_unregister_queue_rerouter
);
...
...
@@ -114,16 +116,17 @@ int nf_queue(struct sk_buff **skb,
struct
net_device
*
physindev
=
NULL
;
struct
net_device
*
physoutdev
=
NULL
;
#endif
struct
nf_queue_rerouter
*
rerouter
;
/* QUEUE == DROP if noone is waiting, to be safe. */
read_lock
(
&
queue_handler_lock
);
if
(
!
queue_handler
[
pf
]
||
!
queue_handler
[
pf
]
->
outfn
)
{
if
(
!
queue_handler
[
pf
])
{
read_unlock
(
&
queue_handler_lock
);
kfree_skb
(
*
skb
);
return
1
;
}
info
=
kmalloc
(
sizeof
(
*
info
)
+
queue_rerouter
[
pf
]
.
rer_size
,
GFP_ATOMIC
);
info
=
kmalloc
(
sizeof
(
*
info
)
+
queue_rerouter
[
pf
]
->
rer_size
,
GFP_ATOMIC
);
if
(
!
info
)
{
if
(
net_ratelimit
())
printk
(
KERN_ERR
"OOM queueing packet %p
\n
"
,
...
...
@@ -155,15 +158,13 @@ int nf_queue(struct sk_buff **skb,
if
(
physoutdev
)
dev_hold
(
physoutdev
);
}
#endif
if
(
queue_rerouter
[
pf
].
save
)
queue_rerouter
[
pf
].
save
(
*
skb
,
info
);
rerouter
=
rcu_dereference
(
queue_rerouter
[
pf
]);
if
(
rerouter
)
rerouter
->
save
(
*
skb
,
info
);
status
=
queue_handler
[
pf
]
->
outfn
(
*
skb
,
info
,
queuenum
,
queue_handler
[
pf
]
->
data
);
if
(
status
>=
0
&&
queue_rerouter
[
pf
].
reroute
)
status
=
queue_rerouter
[
pf
].
reroute
(
skb
,
info
);
read_unlock
(
&
queue_handler_lock
);
if
(
status
<
0
)
{
...
...
@@ -189,6 +190,7 @@ void nf_reinject(struct sk_buff *skb, struct nf_info *info,
{
struct
list_head
*
elem
=
&
info
->
elem
->
list
;
struct
list_head
*
i
;
struct
nf_queue_rerouter
*
rerouter
;
rcu_read_lock
();
...
...
@@ -212,7 +214,7 @@ void nf_reinject(struct sk_buff *skb, struct nf_info *info,
break
;
}
if
(
elem
==
&
nf_hooks
[
info
->
pf
][
info
->
hook
])
{
if
(
i
==
&
nf_hooks
[
info
->
pf
][
info
->
hook
])
{
/* The module which sent it to userspace is gone. */
NFDEBUG
(
"%s: module disappeared, dropping packet.
\n
"
,
__FUNCTION__
);
...
...
@@ -225,6 +227,12 @@ void nf_reinject(struct sk_buff *skb, struct nf_info *info,
verdict
=
NF_ACCEPT
;
}
if
(
verdict
==
NF_ACCEPT
)
{
rerouter
=
rcu_dereference
(
queue_rerouter
[
info
->
pf
]);
if
(
rerouter
&&
rerouter
->
reroute
(
&
skb
,
info
)
<
0
)
verdict
=
NF_DROP
;
}
if
(
verdict
==
NF_ACCEPT
)
{
next_hook:
verdict
=
nf_iterate
(
&
nf_hooks
[
info
->
pf
][
info
->
hook
],
...
...
@@ -322,22 +330,12 @@ int __init netfilter_queue_init(void)
{
#ifdef CONFIG_PROC_FS
struct
proc_dir_entry
*
pde
;
#endif
queue_rerouter
=
kmalloc
(
NPROTO
*
sizeof
(
struct
nf_queue_rerouter
),
GFP_KERNEL
);
if
(
!
queue_rerouter
)
return
-
ENOMEM
;
#ifdef CONFIG_PROC_FS
pde
=
create_proc_entry
(
"nf_queue"
,
S_IRUGO
,
proc_net_netfilter
);
if
(
!
pde
)
{
kfree
(
queue_rerouter
);
if
(
!
pde
)
return
-
1
;
}
pde
->
proc_fops
=
&
nfqueue_file_ops
;
#endif
memset
(
queue_rerouter
,
0
,
NPROTO
*
sizeof
(
struct
nf_queue_rerouter
));
return
0
;
}
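Review bot: In nf_queue(), the allocation `kmalloc(sizeof(*info)+queue_rerouter[pf]->rer_size, GFP_ATOMIC)` dereferences `queue_rerouter[pf]` directly, but the table now holds pointers that nf_unregister_queue_rerouter() sets to NULL and that the later `rerouter = rcu_dereference(queue_rerouter[pf]); if (rerouter)` treats as possibly absent. For a protocol family that has a queue handler but no rerouter registered, that is a NULL dereference on the packet path. Moving the `rcu_dereference()` above the allocation and sizing with `sizeof(*info) + (rerouter ? rerouter->rer_size : 0)` would close it. The function body extends outside the hunks shown.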
net/xfrm/xfrm_policy.c
...
...
@@ -996,13 +996,6 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
struct
sec_decap_state
*
xvec
=
&
(
skb
->
sp
->
x
[
i
]);
if
(
!
xfrm_selector_match
(
&
xvec
->
xvec
->
sel
,
&
fl
,
family
))
return
0
;
/* If there is a post_input processor, try running it */
if
(
xvec
->
xvec
->
type
->
post_input
&&
(
xvec
->
xvec
->
type
->
post_input
)(
xvec
->
xvec
,
&
(
xvec
->
decap
),
skb
)
!=
0
)
return
0
;
}
}
...
...