Commit 601e68e1 authored by YOSHIFUJI Hideaki's avatar YOSHIFUJI Hideaki Committed by David S. Miller

[NETFILTER]: Fix whitespace errors

Signed-off-by: default avatarYOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent a3c941b0
/* netfilter.c: look after the filters for various protocols. /* netfilter.c: look after the filters for various protocols.
* Heavily influenced by the old firewall.c by David Bonn and Alan Cox. * Heavily influenced by the old firewall.c by David Bonn and Alan Cox.
* *
* Thanks to Rob `CmdrTaco' Malda for not influencing this code in any * Thanks to Rob `CmdrTaco' Malda for not influencing this code in any
...@@ -141,14 +141,14 @@ unsigned int nf_iterate(struct list_head *head, ...@@ -141,14 +141,14 @@ unsigned int nf_iterate(struct list_head *head,
continue; continue;
/* Optimization: we don't need to hold module /* Optimization: we don't need to hold module
reference here, since function can't sleep. --RR */ reference here, since function can't sleep. --RR */
verdict = elem->hook(hook, skb, indev, outdev, okfn); verdict = elem->hook(hook, skb, indev, outdev, okfn);
if (verdict != NF_ACCEPT) { if (verdict != NF_ACCEPT) {
#ifdef CONFIG_NETFILTER_DEBUG #ifdef CONFIG_NETFILTER_DEBUG
if (unlikely((verdict & NF_VERDICT_MASK) if (unlikely((verdict & NF_VERDICT_MASK)
> NF_MAX_VERDICT)) { > NF_MAX_VERDICT)) {
NFDEBUG("Evil return from %p(%u).\n", NFDEBUG("Evil return from %p(%u).\n",
elem->hook, hook); elem->hook, hook);
continue; continue;
} }
#endif #endif
......
...@@ -424,7 +424,7 @@ EXPORT_SYMBOL_GPL(nf_conntrack_find_get); ...@@ -424,7 +424,7 @@ EXPORT_SYMBOL_GPL(nf_conntrack_find_get);
static void __nf_conntrack_hash_insert(struct nf_conn *ct, static void __nf_conntrack_hash_insert(struct nf_conn *ct,
unsigned int hash, unsigned int hash,
unsigned int repl_hash) unsigned int repl_hash)
{ {
ct->id = ++nf_conntrack_next_id; ct->id = ++nf_conntrack_next_id;
list_add(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list, list_add(&ct->tuplehash[IP_CT_DIR_ORIGINAL].list,
...@@ -1066,7 +1066,7 @@ get_next_corpse(int (*iter)(struct nf_conn *i, void *data), ...@@ -1066,7 +1066,7 @@ get_next_corpse(int (*iter)(struct nf_conn *i, void *data),
if (iter(ct, data)) if (iter(ct, data))
goto found; goto found;
} }
} }
list_for_each_entry(h, &unconfirmed, list) { list_for_each_entry(h, &unconfirmed, list) {
ct = nf_ct_tuplehash_to_ctrack(h); ct = nf_ct_tuplehash_to_ctrack(h);
if (iter(ct, data)) if (iter(ct, data))
...@@ -1107,7 +1107,7 @@ static void free_conntrack_hash(struct list_head *hash, int vmalloced, int size) ...@@ -1107,7 +1107,7 @@ static void free_conntrack_hash(struct list_head *hash, int vmalloced, int size)
if (vmalloced) if (vmalloced)
vfree(hash); vfree(hash);
else else
free_pages((unsigned long)hash, free_pages((unsigned long)hash,
get_order(sizeof(struct list_head) * size)); get_order(sizeof(struct list_head) * size));
} }
...@@ -1168,18 +1168,18 @@ static struct list_head *alloc_hashtable(int size, int *vmalloced) ...@@ -1168,18 +1168,18 @@ static struct list_head *alloc_hashtable(int size, int *vmalloced)
struct list_head *hash; struct list_head *hash;
unsigned int i; unsigned int i;
*vmalloced = 0; *vmalloced = 0;
hash = (void*)__get_free_pages(GFP_KERNEL, hash = (void*)__get_free_pages(GFP_KERNEL,
get_order(sizeof(struct list_head) get_order(sizeof(struct list_head)
* size)); * size));
if (!hash) { if (!hash) {
*vmalloced = 1; *vmalloced = 1;
printk(KERN_WARNING "nf_conntrack: falling back to vmalloc.\n"); printk(KERN_WARNING "nf_conntrack: falling back to vmalloc.\n");
hash = vmalloc(sizeof(struct list_head) * size); hash = vmalloc(sizeof(struct list_head) * size);
} }
if (hash) if (hash)
for (i = 0; i < size; i++) for (i = 0; i < size; i++)
INIT_LIST_HEAD(&hash[i]); INIT_LIST_HEAD(&hash[i]);
return hash; return hash;
...@@ -1286,9 +1286,9 @@ int __init nf_conntrack_init(void) ...@@ -1286,9 +1286,9 @@ int __init nf_conntrack_init(void)
/* Don't NEED lock here, but good form anyway. */ /* Don't NEED lock here, but good form anyway. */
write_lock_bh(&nf_conntrack_lock); write_lock_bh(&nf_conntrack_lock);
for (i = 0; i < AF_MAX; i++) for (i = 0; i < AF_MAX; i++)
nf_ct_l3protos[i] = &nf_conntrack_l3proto_generic; nf_ct_l3protos[i] = &nf_conntrack_l3proto_generic;
write_unlock_bh(&nf_conntrack_lock); write_unlock_bh(&nf_conntrack_lock);
/* For use by REJECT target */ /* For use by REJECT target */
rcu_assign_pointer(ip_ct_attach, __nf_conntrack_attach); rcu_assign_pointer(ip_ct_attach, __nf_conntrack_attach);
......
...@@ -130,7 +130,7 @@ void nf_ct_remove_expectations(struct nf_conn *ct) ...@@ -130,7 +130,7 @@ void nf_ct_remove_expectations(struct nf_conn *ct)
if (i->master == ct && del_timer(&i->timeout)) { if (i->master == ct && del_timer(&i->timeout)) {
nf_ct_unlink_expect(i); nf_ct_unlink_expect(i);
nf_conntrack_expect_put(i); nf_conntrack_expect_put(i);
} }
} }
} }
EXPORT_SYMBOL_GPL(nf_ct_remove_expectations); EXPORT_SYMBOL_GPL(nf_ct_remove_expectations);
......
...@@ -126,7 +126,7 @@ get_ipv6_addr(const char *src, size_t dlen, struct in6_addr *dst, u_int8_t term) ...@@ -126,7 +126,7 @@ get_ipv6_addr(const char *src, size_t dlen, struct in6_addr *dst, u_int8_t term)
} }
static int try_number(const char *data, size_t dlen, u_int32_t array[], static int try_number(const char *data, size_t dlen, u_int32_t array[],
int array_size, char sep, char term) int array_size, char sep, char term)
{ {
u_int32_t i, len; u_int32_t i, len;
...@@ -413,8 +413,8 @@ static int help(struct sk_buff **pskb, ...@@ -413,8 +413,8 @@ static int help(struct sk_buff **pskb,
goto out_update_nl; goto out_update_nl;
} }
/* Initialize IP/IPv6 addr to expected address (it's not mentioned /* Initialize IP/IPv6 addr to expected address (it's not mentioned
in EPSV responses) */ in EPSV responses) */
cmd.l3num = ct->tuplehash[dir].tuple.src.l3num; cmd.l3num = ct->tuplehash[dir].tuple.src.l3num;
memcpy(cmd.u3.all, &ct->tuplehash[dir].tuple.src.u3.all, memcpy(cmd.u3.all, &ct->tuplehash[dir].tuple.src.u3.all,
sizeof(cmd.u3.all)); sizeof(cmd.u3.all));
...@@ -466,11 +466,11 @@ static int help(struct sk_buff **pskb, ...@@ -466,11 +466,11 @@ static int help(struct sk_buff **pskb,
memcmp(&cmd.u3.all, &ct->tuplehash[dir].tuple.src.u3.all, memcmp(&cmd.u3.all, &ct->tuplehash[dir].tuple.src.u3.all,
sizeof(cmd.u3.all))) { sizeof(cmd.u3.all))) {
/* Enrico Scholz's passive FTP to partially RNAT'd ftp /* Enrico Scholz's passive FTP to partially RNAT'd ftp
server: it really wants us to connect to a server: it really wants us to connect to a
different IP address. Simply don't record it for different IP address. Simply don't record it for
NAT. */ NAT. */
if (cmd.l3num == PF_INET) { if (cmd.l3num == PF_INET) {
DEBUGP("conntrack_ftp: NOT RECORDING: " NIPQUAD_FMT " != " NIPQUAD_FMT "\n", DEBUGP("conntrack_ftp: NOT RECORDING: " NIPQUAD_FMT " != " NIPQUAD_FMT "\n",
NIPQUAD(cmd.u3.ip), NIPQUAD(cmd.u3.ip),
NIPQUAD(ct->tuplehash[dir].tuple.src.u3.ip)); NIPQUAD(ct->tuplehash[dir].tuple.src.u3.ip));
} else { } else {
......
...@@ -49,7 +49,7 @@ MODULE_PARM_DESC(gkrouted_only, "only accept calls from gatekeeper"); ...@@ -49,7 +49,7 @@ MODULE_PARM_DESC(gkrouted_only, "only accept calls from gatekeeper");
static int callforward_filter __read_mostly = 1; static int callforward_filter __read_mostly = 1;
module_param(callforward_filter, bool, 0600); module_param(callforward_filter, bool, 0600);
MODULE_PARM_DESC(callforward_filter, "only create call forwarding expectations " MODULE_PARM_DESC(callforward_filter, "only create call forwarding expectations "
"if both endpoints are on different sides " "if both endpoints are on different sides "
"(determined by routing information)"); "(determined by routing information)");
/* Hooks for NAT */ /* Hooks for NAT */
...@@ -300,7 +300,7 @@ static int expect_rtp_rtcp(struct sk_buff **pskb, struct nf_conn *ct, ...@@ -300,7 +300,7 @@ static int expect_rtp_rtcp(struct sk_buff **pskb, struct nf_conn *ct,
IPPROTO_UDP, NULL, &rtcp_port); IPPROTO_UDP, NULL, &rtcp_port);
if (memcmp(&ct->tuplehash[dir].tuple.src.u3, if (memcmp(&ct->tuplehash[dir].tuple.src.u3,
&ct->tuplehash[!dir].tuple.dst.u3, &ct->tuplehash[!dir].tuple.dst.u3,
sizeof(ct->tuplehash[dir].tuple.src.u3)) && sizeof(ct->tuplehash[dir].tuple.src.u3)) &&
(nat_rtp_rtcp = rcu_dereference(nat_rtp_rtcp_hook)) && (nat_rtp_rtcp = rcu_dereference(nat_rtp_rtcp_hook)) &&
ct->status & IPS_NAT_MASK) { ct->status & IPS_NAT_MASK) {
...@@ -743,7 +743,7 @@ static int callforward_do_filter(union nf_conntrack_address *src, ...@@ -743,7 +743,7 @@ static int callforward_do_filter(union nf_conntrack_address *src,
rt2 = (struct rt6_info *)ip6_route_output(NULL, &fl2); rt2 = (struct rt6_info *)ip6_route_output(NULL, &fl2);
if (rt2) { if (rt2) {
if (!memcmp(&rt1->rt6i_gateway, &rt2->rt6i_gateway, if (!memcmp(&rt1->rt6i_gateway, &rt2->rt6i_gateway,
sizeof(rt1->rt6i_gateway)) && sizeof(rt1->rt6i_gateway)) &&
rt1->u.dst.dev == rt2->u.dst.dev) rt1->u.dst.dev == rt2->u.dst.dev)
ret = 1; ret = 1;
dst_release(&rt2->u.dst); dst_release(&rt2->u.dst);
...@@ -780,7 +780,7 @@ static int expect_callforwarding(struct sk_buff **pskb, ...@@ -780,7 +780,7 @@ static int expect_callforwarding(struct sk_buff **pskb,
* we don't need to track the second call */ * we don't need to track the second call */
if (callforward_filter && if (callforward_filter &&
callforward_do_filter(&addr, &ct->tuplehash[!dir].tuple.src.u3, callforward_do_filter(&addr, &ct->tuplehash[!dir].tuple.src.u3,
ct->tuplehash[!dir].tuple.src.l3num)) { ct->tuplehash[!dir].tuple.src.l3num)) {
DEBUGP("nf_ct_q931: Call Forwarding not tracked\n"); DEBUGP("nf_ct_q931: Call Forwarding not tracked\n");
return 0; return 0;
} }
...@@ -840,7 +840,7 @@ static int process_setup(struct sk_buff **pskb, struct nf_conn *ct, ...@@ -840,7 +840,7 @@ static int process_setup(struct sk_buff **pskb, struct nf_conn *ct,
if ((setup->options & eSetup_UUIE_destCallSignalAddress) && if ((setup->options & eSetup_UUIE_destCallSignalAddress) &&
(set_h225_addr) && ct->status && IPS_NAT_MASK && (set_h225_addr) && ct->status && IPS_NAT_MASK &&
get_h225_addr(ct, *data, &setup->destCallSignalAddress, get_h225_addr(ct, *data, &setup->destCallSignalAddress,
&addr, &port) && &addr, &port) &&
memcmp(&addr, &ct->tuplehash[!dir].tuple.src.u3, sizeof(addr))) { memcmp(&addr, &ct->tuplehash[!dir].tuple.src.u3, sizeof(addr))) {
DEBUGP("nf_ct_q931: set destCallSignalAddress " DEBUGP("nf_ct_q931: set destCallSignalAddress "
NIP6_FMT ":%hu->" NIP6_FMT ":%hu\n", NIP6_FMT ":%hu->" NIP6_FMT ":%hu\n",
...@@ -858,7 +858,7 @@ static int process_setup(struct sk_buff **pskb, struct nf_conn *ct, ...@@ -858,7 +858,7 @@ static int process_setup(struct sk_buff **pskb, struct nf_conn *ct,
if ((setup->options & eSetup_UUIE_sourceCallSignalAddress) && if ((setup->options & eSetup_UUIE_sourceCallSignalAddress) &&
(set_h225_addr) && ct->status & IPS_NAT_MASK && (set_h225_addr) && ct->status & IPS_NAT_MASK &&
get_h225_addr(ct, *data, &setup->sourceCallSignalAddress, get_h225_addr(ct, *data, &setup->sourceCallSignalAddress,
&addr, &port) && &addr, &port) &&
memcmp(&addr, &ct->tuplehash[!dir].tuple.dst.u3, sizeof(addr))) { memcmp(&addr, &ct->tuplehash[!dir].tuple.dst.u3, sizeof(addr))) {
DEBUGP("nf_ct_q931: set sourceCallSignalAddress " DEBUGP("nf_ct_q931: set sourceCallSignalAddress "
NIP6_FMT ":%hu->" NIP6_FMT ":%hu\n", NIP6_FMT ":%hu->" NIP6_FMT ":%hu\n",
...@@ -1282,7 +1282,7 @@ static int expect_q931(struct sk_buff **pskb, struct nf_conn *ct, ...@@ -1282,7 +1282,7 @@ static int expect_q931(struct sk_buff **pskb, struct nf_conn *ct,
for (i = 0; i < count; i++) { for (i = 0; i < count; i++) {
if (get_h225_addr(ct, *data, &taddr[i], &addr, &port) && if (get_h225_addr(ct, *data, &taddr[i], &addr, &port) &&
memcmp(&addr, &ct->tuplehash[dir].tuple.src.u3, memcmp(&addr, &ct->tuplehash[dir].tuple.src.u3,
sizeof(addr)) == 0 && port != 0) sizeof(addr)) == 0 && port != 0)
break; break;
} }
...@@ -1294,7 +1294,7 @@ static int expect_q931(struct sk_buff **pskb, struct nf_conn *ct, ...@@ -1294,7 +1294,7 @@ static int expect_q931(struct sk_buff **pskb, struct nf_conn *ct,
return -1; return -1;
nf_conntrack_expect_init(exp, ct->tuplehash[!dir].tuple.src.l3num, nf_conntrack_expect_init(exp, ct->tuplehash[!dir].tuple.src.l3num,
gkrouted_only ? /* only accept calls from GK? */ gkrouted_only ? /* only accept calls from GK? */
&ct->tuplehash[!dir].tuple.src.u3 : &ct->tuplehash[!dir].tuple.src.u3 :
NULL, NULL,
&ct->tuplehash[!dir].tuple.dst.u3, &ct->tuplehash[!dir].tuple.dst.u3,
IPPROTO_TCP, NULL, &port); IPPROTO_TCP, NULL, &port);
...@@ -1513,7 +1513,7 @@ static int process_arq(struct sk_buff **pskb, struct nf_conn *ct, ...@@ -1513,7 +1513,7 @@ static int process_arq(struct sk_buff **pskb, struct nf_conn *ct,
set_h225_addr = rcu_dereference(set_h225_addr_hook); set_h225_addr = rcu_dereference(set_h225_addr_hook);
if ((arq->options & eAdmissionRequest_destCallSignalAddress) && if ((arq->options & eAdmissionRequest_destCallSignalAddress) &&
get_h225_addr(ct, *data, &arq->destCallSignalAddress, get_h225_addr(ct, *data, &arq->destCallSignalAddress,
&addr, &port) && &addr, &port) &&
!memcmp(&addr, &ct->tuplehash[dir].tuple.src.u3, sizeof(addr)) && !memcmp(&addr, &ct->tuplehash[dir].tuple.src.u3, sizeof(addr)) &&
port == info->sig_port[dir] && port == info->sig_port[dir] &&
set_h225_addr && ct->status & IPS_NAT_MASK) { set_h225_addr && ct->status & IPS_NAT_MASK) {
...@@ -1526,7 +1526,7 @@ static int process_arq(struct sk_buff **pskb, struct nf_conn *ct, ...@@ -1526,7 +1526,7 @@ static int process_arq(struct sk_buff **pskb, struct nf_conn *ct,
if ((arq->options & eAdmissionRequest_srcCallSignalAddress) && if ((arq->options & eAdmissionRequest_srcCallSignalAddress) &&
get_h225_addr(ct, *data, &arq->srcCallSignalAddress, get_h225_addr(ct, *data, &arq->srcCallSignalAddress,
&addr, &port) && &addr, &port) &&
!memcmp(&addr, &ct->tuplehash[dir].tuple.src.u3, sizeof(addr)) && !memcmp(&addr, &ct->tuplehash[dir].tuple.src.u3, sizeof(addr)) &&
set_h225_addr && ct->status & IPS_NAT_MASK) { set_h225_addr && ct->status & IPS_NAT_MASK) {
/* Calling ARQ */ /* Calling ARQ */
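Review bot: In process_setup, the destCallSignalAddress condition tests `ct->status && IPS_NAT_MASK` with a logical AND, whereas the sourceCallSignalAddress condition in the next hunk and both process_arq conditions use the bitwise `ct->status & IPS_NAT_MASK`. With `&&` the test is true for any non-zero status, so the set_h225_addr rewrite is presumably attempted on connections that have no NAT mapping at all. This whitespace-only commit carries the line over unchanged; it should read `(set_h225_addr) && ct->status & IPS_NAT_MASK &&`. The bodies of both functions continue outside the visible hunks, so the exact effect on a non-NATed connection should be confirmed against the full file.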
......
...@@ -57,7 +57,7 @@ static const char *dccprotos[] = { ...@@ -57,7 +57,7 @@ static const char *dccprotos[] = {
#if 0 #if 0
#define DEBUGP(format, args...) printk(KERN_DEBUG "%s:%s:" format, \ #define DEBUGP(format, args...) printk(KERN_DEBUG "%s:%s:" format, \
__FILE__, __FUNCTION__ , ## args) __FILE__, __FUNCTION__ , ## args)
#else #else
#define DEBUGP(format, args...) #define DEBUGP(format, args...)
#endif #endif
......
...@@ -77,7 +77,7 @@ generic_prepare(struct sk_buff **pskb, unsigned int hooknum, ...@@ -77,7 +77,7 @@ generic_prepare(struct sk_buff **pskb, unsigned int hooknum,
static u_int32_t generic_get_features(const struct nf_conntrack_tuple *tuple) static u_int32_t generic_get_features(const struct nf_conntrack_tuple *tuple)
{ {
return NF_CT_F_BASIC; return NF_CT_F_BASIC;
} }
......
...@@ -43,7 +43,7 @@ module_param(timeout, uint, 0400); ...@@ -43,7 +43,7 @@ module_param(timeout, uint, 0400);
MODULE_PARM_DESC(timeout, "timeout for master connection/replies in seconds"); MODULE_PARM_DESC(timeout, "timeout for master connection/replies in seconds");
static int help(struct sk_buff **pskb, unsigned int protoff, static int help(struct sk_buff **pskb, unsigned int protoff,
struct nf_conn *ct, enum ip_conntrack_info ctinfo) struct nf_conn *ct, enum ip_conntrack_info ctinfo)
{ {
struct nf_conntrack_expect *exp; struct nf_conntrack_expect *exp;
struct iphdr *iph = (*pskb)->nh.iph; struct iphdr *iph = (*pskb)->nh.iph;
......
...@@ -520,7 +520,7 @@ conntrack_pptp_help(struct sk_buff **pskb, unsigned int protoff, ...@@ -520,7 +520,7 @@ conntrack_pptp_help(struct sk_buff **pskb, unsigned int protoff,
tcph = skb_header_pointer(*pskb, nexthdr_off, sizeof(_tcph), &_tcph); tcph = skb_header_pointer(*pskb, nexthdr_off, sizeof(_tcph), &_tcph);
BUG_ON(!tcph); BUG_ON(!tcph);
nexthdr_off += tcph->doff * 4; nexthdr_off += tcph->doff * 4;
datalen = tcplen - tcph->doff * 4; datalen = tcplen - tcph->doff * 4;
pptph = skb_header_pointer(*pskb, nexthdr_off, sizeof(_pptph), &_pptph); pptph = skb_header_pointer(*pskb, nexthdr_off, sizeof(_pptph), &_pptph);
if (!pptph) { if (!pptph) {
......
/* /*
* Connection tracking protocol helper module for SCTP. * Connection tracking protocol helper module for SCTP.
* *
* SCTP is defined in RFC 2960. References to various sections in this code * SCTP is defined in RFC 2960. References to various sections in this code
* are to this RFC. * are to this RFC.
* *
* This program is free software; you can redistribute it and/or modify * This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as * it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation. * published by the Free Software Foundation.
...@@ -45,7 +45,7 @@ ...@@ -45,7 +45,7 @@
static DEFINE_RWLOCK(sctp_lock); static DEFINE_RWLOCK(sctp_lock);
/* FIXME: Examine ipfilter's timeouts and conntrack transitions more /* FIXME: Examine ipfilter's timeouts and conntrack transitions more
closely. They're more complex. --RR closely. They're more complex. --RR
And so for me for SCTP :D -Kiran */ And so for me for SCTP :D -Kiran */
...@@ -94,32 +94,32 @@ static unsigned int * sctp_timeouts[] ...@@ -94,32 +94,32 @@ static unsigned int * sctp_timeouts[]
#define sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT #define sSA SCTP_CONNTRACK_SHUTDOWN_ACK_SENT
#define sIV SCTP_CONNTRACK_MAX #define sIV SCTP_CONNTRACK_MAX
/* /*
These are the descriptions of the states: These are the descriptions of the states:
NOTE: These state names are tantalizingly similar to the states of an NOTE: These state names are tantalizingly similar to the states of an
SCTP endpoint. But the interpretation of the states is a little different, SCTP endpoint. But the interpretation of the states is a little different,
considering that these are the states of the connection and not of an end considering that these are the states of the connection and not of an end
point. Please note the subtleties. -Kiran point. Please note the subtleties. -Kiran
NONE - Nothing so far. NONE - Nothing so far.
COOKIE WAIT - We have seen an INIT chunk in the original direction, or also COOKIE WAIT - We have seen an INIT chunk in the original direction, or also
an INIT_ACK chunk in the reply direction. an INIT_ACK chunk in the reply direction.
COOKIE ECHOED - We have seen a COOKIE_ECHO chunk in the original direction. COOKIE ECHOED - We have seen a COOKIE_ECHO chunk in the original direction.
ESTABLISHED - We have seen a COOKIE_ACK in the reply direction. ESTABLISHED - We have seen a COOKIE_ACK in the reply direction.
SHUTDOWN_SENT - We have seen a SHUTDOWN chunk in the original direction. SHUTDOWN_SENT - We have seen a SHUTDOWN chunk in the original direction.
SHUTDOWN_RECD - We have seen a SHUTDOWN chunk in the reply directoin. SHUTDOWN_RECD - We have seen a SHUTDOWN chunk in the reply directoin.
SHUTDOWN_ACK_SENT - We have seen a SHUTDOWN_ACK chunk in the direction opposite SHUTDOWN_ACK_SENT - We have seen a SHUTDOWN_ACK chunk in the direction opposite
to that of the SHUTDOWN chunk. to that of the SHUTDOWN chunk.
CLOSED - We have seen a SHUTDOWN_COMPLETE chunk in the direction of CLOSED - We have seen a SHUTDOWN_COMPLETE chunk in the direction of
the SHUTDOWN chunk. Connection is closed. the SHUTDOWN chunk. Connection is closed.
*/ */
/* TODO /* TODO
- I have assumed that the first INIT is in the original direction. - I have assumed that the first INIT is in the original direction.
This messes things when an INIT comes in the reply direction in CLOSED This messes things when an INIT comes in the reply direction in CLOSED
state. state.
- Check the error type in the reply dir before transitioning from - Check the error type in the reply dir before transitioning from
cookie echoed to closed. cookie echoed to closed.
- Sec 5.2.4 of RFC 2960 - Sec 5.2.4 of RFC 2960
- Multi Homing support. - Multi Homing support.
...@@ -237,7 +237,7 @@ static int do_basic_checks(struct nf_conn *conntrack, ...@@ -237,7 +237,7 @@ static int do_basic_checks(struct nf_conn *conntrack,
for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) { for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
DEBUGP("Chunk Num: %d Type: %d\n", count, sch->type); DEBUGP("Chunk Num: %d Type: %d\n", count, sch->type);
if (sch->type == SCTP_CID_INIT if (sch->type == SCTP_CID_INIT
|| sch->type == SCTP_CID_INIT_ACK || sch->type == SCTP_CID_INIT_ACK
|| sch->type == SCTP_CID_SHUTDOWN_COMPLETE) { || sch->type == SCTP_CID_SHUTDOWN_COMPLETE) {
flag = 1; flag = 1;
...@@ -277,42 +277,42 @@ static int new_state(enum ip_conntrack_dir dir, ...@@ -277,42 +277,42 @@ static int new_state(enum ip_conntrack_dir dir,
DEBUGP("Chunk type: %d\n", chunk_type); DEBUGP("Chunk type: %d\n", chunk_type);
switch (chunk_type) { switch (chunk_type) {
case SCTP_CID_INIT: case SCTP_CID_INIT:
DEBUGP("SCTP_CID_INIT\n"); DEBUGP("SCTP_CID_INIT\n");
i = 0; break; i = 0; break;
case SCTP_CID_INIT_ACK: case SCTP_CID_INIT_ACK:
DEBUGP("SCTP_CID_INIT_ACK\n"); DEBUGP("SCTP_CID_INIT_ACK\n");
i = 1; break; i = 1; break;
case SCTP_CID_ABORT: case SCTP_CID_ABORT:
DEBUGP("SCTP_CID_ABORT\n"); DEBUGP("SCTP_CID_ABORT\n");
i = 2; break; i = 2; break;
case SCTP_CID_SHUTDOWN: case SCTP_CID_SHUTDOWN:
DEBUGP("SCTP_CID_SHUTDOWN\n"); DEBUGP("SCTP_CID_SHUTDOWN\n");
i = 3; break; i = 3; break;
case SCTP_CID_SHUTDOWN_ACK: case SCTP_CID_SHUTDOWN_ACK:
DEBUGP("SCTP_CID_SHUTDOWN_ACK\n"); DEBUGP("SCTP_CID_SHUTDOWN_ACK\n");
i = 4; break; i = 4; break;
case SCTP_CID_ERROR: case SCTP_CID_ERROR:
DEBUGP("SCTP_CID_ERROR\n"); DEBUGP("SCTP_CID_ERROR\n");
i = 5; break; i = 5; break;
case SCTP_CID_COOKIE_ECHO: case SCTP_CID_COOKIE_ECHO:
DEBUGP("SCTP_CID_COOKIE_ECHO\n"); DEBUGP("SCTP_CID_COOKIE_ECHO\n");
i = 6; break; i = 6; break;
case SCTP_CID_COOKIE_ACK: case SCTP_CID_COOKIE_ACK:
DEBUGP("SCTP_CID_COOKIE_ACK\n"); DEBUGP("SCTP_CID_COOKIE_ACK\n");
i = 7; break; i = 7; break;
case SCTP_CID_SHUTDOWN_COMPLETE: case SCTP_CID_SHUTDOWN_COMPLETE:
DEBUGP("SCTP_CID_SHUTDOWN_COMPLETE\n"); DEBUGP("SCTP_CID_SHUTDOWN_COMPLETE\n");
i = 8; break; i = 8; break;
default: default:
/* Other chunks like DATA, SACK, HEARTBEAT and /* Other chunks like DATA, SACK, HEARTBEAT and
its ACK do not cause a change in state */ its ACK do not cause a change in state */
DEBUGP("Unknown chunk type, Will stay in %s\n", DEBUGP("Unknown chunk type, Will stay in %s\n",
sctp_conntrack_names[cur_state]); sctp_conntrack_names[cur_state]);
return cur_state; return cur_state;
} }
DEBUGP("dir: %d cur_state: %s chunk_type: %d new_state: %s\n", DEBUGP("dir: %d cur_state: %s chunk_type: %d new_state: %s\n",
dir, sctp_conntrack_names[cur_state], chunk_type, dir, sctp_conntrack_names[cur_state], chunk_type,
sctp_conntrack_names[sctp_conntracks[dir][i][cur_state]]); sctp_conntrack_names[sctp_conntracks[dir][i][cur_state]]);
...@@ -377,7 +377,7 @@ static int sctp_packet(struct nf_conn *conntrack, ...@@ -377,7 +377,7 @@ static int sctp_packet(struct nf_conn *conntrack,
/* Sec 8.5.1 (C) */ /* Sec 8.5.1 (C) */
if (!(sh->vtag == conntrack->proto.sctp.vtag[CTINFO2DIR(ctinfo)]) if (!(sh->vtag == conntrack->proto.sctp.vtag[CTINFO2DIR(ctinfo)])
&& !(sh->vtag == conntrack->proto.sctp.vtag && !(sh->vtag == conntrack->proto.sctp.vtag
[1 - CTINFO2DIR(ctinfo)] [1 - CTINFO2DIR(ctinfo)]
&& (sch->flags & 1))) { && (sch->flags & 1))) {
write_unlock_bh(&sctp_lock); write_unlock_bh(&sctp_lock);
return -1; return -1;
...@@ -402,17 +402,17 @@ static int sctp_packet(struct nf_conn *conntrack, ...@@ -402,17 +402,17 @@ static int sctp_packet(struct nf_conn *conntrack,
} }
/* If it is an INIT or an INIT ACK note down the vtag */ /* If it is an INIT or an INIT ACK note down the vtag */
if (sch->type == SCTP_CID_INIT if (sch->type == SCTP_CID_INIT
|| sch->type == SCTP_CID_INIT_ACK) { || sch->type == SCTP_CID_INIT_ACK) {
sctp_inithdr_t _inithdr, *ih; sctp_inithdr_t _inithdr, *ih;
ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t), ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t),
sizeof(_inithdr), &_inithdr); sizeof(_inithdr), &_inithdr);
if (ih == NULL) { if (ih == NULL) {
write_unlock_bh(&sctp_lock); write_unlock_bh(&sctp_lock);
return -1; return -1;
} }
DEBUGP("Setting vtag %x for dir %d\n", DEBUGP("Setting vtag %x for dir %d\n",
ih->init_tag, !CTINFO2DIR(ctinfo)); ih->init_tag, !CTINFO2DIR(ctinfo));
conntrack->proto.sctp.vtag[!CTINFO2DIR(ctinfo)] = ih->init_tag; conntrack->proto.sctp.vtag[!CTINFO2DIR(ctinfo)] = ih->init_tag;
} }
...@@ -466,7 +466,7 @@ static int sctp_new(struct nf_conn *conntrack, const struct sk_buff *skb, ...@@ -466,7 +466,7 @@ static int sctp_new(struct nf_conn *conntrack, const struct sk_buff *skb,
newconntrack = SCTP_CONNTRACK_MAX; newconntrack = SCTP_CONNTRACK_MAX;
for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) { for_each_sctp_chunk (skb, sch, _sch, offset, dataoff, count) {
/* Don't need lock here: this conntrack not in circulation yet */ /* Don't need lock here: this conntrack not in circulation yet */
newconntrack = new_state(IP_CT_DIR_ORIGINAL, newconntrack = new_state(IP_CT_DIR_ORIGINAL,
SCTP_CONNTRACK_NONE, sch->type); SCTP_CONNTRACK_NONE, sch->type);
/* Invalid: delete conntrack */ /* Invalid: delete conntrack */
...@@ -481,14 +481,14 @@ static int sctp_new(struct nf_conn *conntrack, const struct sk_buff *skb, ...@@ -481,14 +481,14 @@ static int sctp_new(struct nf_conn *conntrack, const struct sk_buff *skb,
sctp_inithdr_t _inithdr, *ih; sctp_inithdr_t _inithdr, *ih;
ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t), ih = skb_header_pointer(skb, offset + sizeof(sctp_chunkhdr_t),
sizeof(_inithdr), &_inithdr); sizeof(_inithdr), &_inithdr);
if (ih == NULL) if (ih == NULL)
return 0; return 0;
DEBUGP("Setting vtag %x for new conn\n", DEBUGP("Setting vtag %x for new conn\n",
ih->init_tag); ih->init_tag);
conntrack->proto.sctp.vtag[IP_CT_DIR_REPLY] = conntrack->proto.sctp.vtag[IP_CT_DIR_REPLY] =
ih->init_tag; ih->init_tag;
} else { } else {
/* Sec 8.5.1 (A) */ /* Sec 8.5.1 (A) */
...@@ -498,7 +498,7 @@ static int sctp_new(struct nf_conn *conntrack, const struct sk_buff *skb, ...@@ -498,7 +498,7 @@ static int sctp_new(struct nf_conn *conntrack, const struct sk_buff *skb,
/* If it is a shutdown ack OOTB packet, we expect a return /* If it is a shutdown ack OOTB packet, we expect a return
shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8) */ shutdown complete, otherwise an ABORT Sec 8.4 (5) and (8) */
else { else {
DEBUGP("Setting vtag %x for new conn OOTB\n", DEBUGP("Setting vtag %x for new conn OOTB\n",
sh->vtag); sh->vtag);
conntrack->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag; conntrack->proto.sctp.vtag[IP_CT_DIR_REPLY] = sh->vtag;
} }
...@@ -698,7 +698,7 @@ int __init nf_conntrack_proto_sctp_init(void) ...@@ -698,7 +698,7 @@ int __init nf_conntrack_proto_sctp_init(void)
cleanup_sctp4: cleanup_sctp4:
nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_sctp4); nf_conntrack_l4proto_unregister(&nf_conntrack_l4proto_sctp4);
out: out:
DEBUGP("SCTP conntrack module loading %s\n", DEBUGP("SCTP conntrack module loading %s\n",
ret ? "failed": "succeeded"); ret ? "failed": "succeeded");
return ret; return ret;
} }
......
...@@ -341,7 +341,7 @@ int ct_sip_get_info(struct nf_conn *ct, ...@@ -341,7 +341,7 @@ int ct_sip_get_info(struct nf_conn *ct,
continue; continue;
} }
aux = ct_sip_search(hnfo->ln_str, dptr, hnfo->ln_strlen, aux = ct_sip_search(hnfo->ln_str, dptr, hnfo->ln_strlen,
ct_sip_lnlen(dptr, limit), ct_sip_lnlen(dptr, limit),
hnfo->case_sensitive); hnfo->case_sensitive);
if (!aux) { if (!aux) {
DEBUGP("'%s' not found in '%s'.\n", hnfo->ln_str, DEBUGP("'%s' not found in '%s'.\n", hnfo->ln_str,
...@@ -451,12 +451,12 @@ static int sip_help(struct sk_buff **pskb, ...@@ -451,12 +451,12 @@ static int sip_help(struct sk_buff **pskb,
/* We'll drop only if there are parse problems. */ /* We'll drop only if there are parse problems. */
if (!parse_addr(ct, dptr + matchoff, NULL, &addr, if (!parse_addr(ct, dptr + matchoff, NULL, &addr,
dptr + datalen)) { dptr + datalen)) {
ret = NF_DROP; ret = NF_DROP;
goto out; goto out;
} }
if (ct_sip_get_info(ct, dptr, datalen, &matchoff, &matchlen, if (ct_sip_get_info(ct, dptr, datalen, &matchoff, &matchlen,
POS_MEDIA) > 0) { POS_MEDIA) > 0) {
port = simple_strtoul(dptr + matchoff, NULL, 10); port = simple_strtoul(dptr + matchoff, NULL, 10);
if (port < 1024) { if (port < 1024) {
......
...@@ -472,7 +472,7 @@ static int __init nf_conntrack_standalone_init(void) ...@@ -472,7 +472,7 @@ static int __init nf_conntrack_standalone_init(void)
static void __exit nf_conntrack_standalone_fini(void) static void __exit nf_conntrack_standalone_fini(void)
{ {
#ifdef CONFIG_SYSCTL #ifdef CONFIG_SYSCTL
unregister_sysctl_table(nf_ct_sysctl_header); unregister_sysctl_table(nf_ct_sysctl_header);
#endif #endif
#ifdef CONFIG_PROC_FS #ifdef CONFIG_PROC_FS
remove_proc_entry("nf_conntrack", proc_net_stat); remove_proc_entry("nf_conntrack", proc_net_stat);
......
...@@ -31,7 +31,7 @@ MODULE_PARM_DESC(ports, "Port numbers of TFTP servers"); ...@@ -31,7 +31,7 @@ MODULE_PARM_DESC(ports, "Port numbers of TFTP servers");
#if 0 #if 0
#define DEBUGP(format, args...) printk("%s:%s:" format, \ #define DEBUGP(format, args...) printk("%s:%s:" format, \
__FILE__, __FUNCTION__ , ## args) __FILE__, __FUNCTION__ , ## args)
#else #else
#define DEBUGP(format, args...) #define DEBUGP(format, args...)
#endif #endif
......
...@@ -24,7 +24,7 @@ extern unsigned int nf_iterate(struct list_head *head, ...@@ -24,7 +24,7 @@ extern unsigned int nf_iterate(struct list_head *head,
/* nf_queue.c */ /* nf_queue.c */
extern int nf_queue(struct sk_buff *skb, extern int nf_queue(struct sk_buff *skb,
struct list_head *elem, struct list_head *elem,
int pf, unsigned int hook, int pf, unsigned int hook,
struct net_device *indev, struct net_device *indev,
struct net_device *outdev, struct net_device *outdev,
......
...@@ -41,7 +41,7 @@ int nf_log_register(int pf, struct nf_logger *logger) ...@@ -41,7 +41,7 @@ int nf_log_register(int pf, struct nf_logger *logger)
mutex_unlock(&nf_log_mutex); mutex_unlock(&nf_log_mutex);
return ret; return ret;
} }
EXPORT_SYMBOL(nf_log_register); EXPORT_SYMBOL(nf_log_register);
void nf_log_unregister_pf(int pf) void nf_log_unregister_pf(int pf)
...@@ -83,7 +83,7 @@ void nf_log_packet(int pf, ...@@ -83,7 +83,7 @@ void nf_log_packet(int pf,
va_list args; va_list args;
char prefix[NF_LOG_PREFIXLEN]; char prefix[NF_LOG_PREFIXLEN];
struct nf_logger *logger; struct nf_logger *logger;
rcu_read_lock(); rcu_read_lock();
logger = rcu_dereference(nf_loggers[pf]); logger = rcu_dereference(nf_loggers[pf]);
if (logger) { if (logger) {
...@@ -136,7 +136,7 @@ static int seq_show(struct seq_file *s, void *v) ...@@ -136,7 +136,7 @@ static int seq_show(struct seq_file *s, void *v)
if (!logger) if (!logger)
return seq_printf(s, "%2lld NONE\n", *pos); return seq_printf(s, "%2lld NONE\n", *pos);
return seq_printf(s, "%2lld %s\n", *pos, logger->name); return seq_printf(s, "%2lld %s\n", *pos, logger->name);
} }
......
...@@ -10,7 +10,7 @@ ...@@ -10,7 +10,7 @@
#include "nf_internals.h" #include "nf_internals.h"
/* /*
* A queue handler may be registered for each protocol. Each is protected by * A queue handler may be registered for each protocol. Each is protected by
* long term mutex. The handler must provide an an outfn() to accept packets * long term mutex. The handler must provide an an outfn() to accept packets
* for queueing and must reinject all packets it receives, no matter what. * for queueing and must reinject all packets it receives, no matter what.
...@@ -22,7 +22,7 @@ static DEFINE_RWLOCK(queue_handler_lock); ...@@ -22,7 +22,7 @@ static DEFINE_RWLOCK(queue_handler_lock);
/* return EBUSY when somebody else is registered, return EEXIST if the /* return EBUSY when somebody else is registered, return EEXIST if the
* same handler is registered, return 0 in case of success. */ * same handler is registered, return 0 in case of success. */
int nf_register_queue_handler(int pf, struct nf_queue_handler *qh) int nf_register_queue_handler(int pf, struct nf_queue_handler *qh)
{ {
int ret; int ret;
if (pf >= NPROTO) if (pf >= NPROTO)
...@@ -52,7 +52,7 @@ int nf_unregister_queue_handler(int pf) ...@@ -52,7 +52,7 @@ int nf_unregister_queue_handler(int pf)
write_lock_bh(&queue_handler_lock); write_lock_bh(&queue_handler_lock);
queue_handler[pf] = NULL; queue_handler[pf] = NULL;
write_unlock_bh(&queue_handler_lock); write_unlock_bh(&queue_handler_lock);
return 0; return 0;
} }
EXPORT_SYMBOL(nf_unregister_queue_handler); EXPORT_SYMBOL(nf_unregister_queue_handler);
...@@ -70,8 +70,8 @@ void nf_unregister_queue_handlers(struct nf_queue_handler *qh) ...@@ -70,8 +70,8 @@ void nf_unregister_queue_handlers(struct nf_queue_handler *qh)
} }
EXPORT_SYMBOL_GPL(nf_unregister_queue_handlers); EXPORT_SYMBOL_GPL(nf_unregister_queue_handlers);
/* /*
* Any packet that leaves via this function must come back * Any packet that leaves via this function must come back
* through nf_reinject(). * through nf_reinject().
*/ */
static int __nf_queue(struct sk_buff *skb, static int __nf_queue(struct sk_buff *skb,
...@@ -115,7 +115,7 @@ static int __nf_queue(struct sk_buff *skb, ...@@ -115,7 +115,7 @@ static int __nf_queue(struct sk_buff *skb,
return 1; return 1;
} }
*info = (struct nf_info) { *info = (struct nf_info) {
(struct nf_hook_ops *)elem, pf, hook, indev, outdev, okfn }; (struct nf_hook_ops *)elem, pf, hook, indev, outdev, okfn };
/* If it's going away, ignore hook. */ /* If it's going away, ignore hook. */
...@@ -226,10 +226,10 @@ void nf_reinject(struct sk_buff *skb, struct nf_info *info, ...@@ -226,10 +226,10 @@ void nf_reinject(struct sk_buff *skb, struct nf_info *info,
module_put(info->elem->owner); module_put(info->elem->owner);
list_for_each_rcu(i, &nf_hooks[info->pf][info->hook]) { list_for_each_rcu(i, &nf_hooks[info->pf][info->hook]) {
if (i == elem) if (i == elem)
break; break;
} }
if (i == &nf_hooks[info->pf][info->hook]) { if (i == &nf_hooks[info->pf][info->hook]) {
/* The module which sent it to userspace is gone. */ /* The module which sent it to userspace is gone. */
NFDEBUG("%s: module disappeared, dropping packet.\n", NFDEBUG("%s: module disappeared, dropping packet.\n",
...@@ -252,7 +252,7 @@ void nf_reinject(struct sk_buff *skb, struct nf_info *info, ...@@ -252,7 +252,7 @@ void nf_reinject(struct sk_buff *skb, struct nf_info *info,
if (verdict == NF_ACCEPT) { if (verdict == NF_ACCEPT) {
next_hook: next_hook:
verdict = nf_iterate(&nf_hooks[info->pf][info->hook], verdict = nf_iterate(&nf_hooks[info->pf][info->hook],
&skb, info->hook, &skb, info->hook,
info->indev, info->outdev, &elem, info->indev, info->outdev, &elem,
info->okfn, INT_MIN); info->okfn, INT_MIN);
} }
......
...@@ -32,13 +32,13 @@ int nf_register_sockopt(struct nf_sockopt_ops *reg) ...@@ -32,13 +32,13 @@ int nf_register_sockopt(struct nf_sockopt_ops *reg)
list_for_each(i, &nf_sockopts) { list_for_each(i, &nf_sockopts) {
struct nf_sockopt_ops *ops = (struct nf_sockopt_ops *)i; struct nf_sockopt_ops *ops = (struct nf_sockopt_ops *)i;
if (ops->pf == reg->pf if (ops->pf == reg->pf
&& (overlap(ops->set_optmin, ops->set_optmax, && (overlap(ops->set_optmin, ops->set_optmax,
reg->set_optmin, reg->set_optmax) reg->set_optmin, reg->set_optmax)
|| overlap(ops->get_optmin, ops->get_optmax, || overlap(ops->get_optmin, ops->get_optmax,
reg->get_optmin, reg->get_optmax))) { reg->get_optmin, reg->get_optmax))) {
NFDEBUG("nf_sock overlap: %u-%u/%u-%u v %u-%u/%u-%u\n", NFDEBUG("nf_sock overlap: %u-%u/%u-%u v %u-%u/%u-%u\n",
ops->set_optmin, ops->set_optmax, ops->set_optmin, ops->set_optmax,
ops->get_optmin, ops->get_optmax, ops->get_optmin, ops->get_optmax,
reg->set_optmin, reg->set_optmax, reg->set_optmin, reg->set_optmax,
reg->get_optmin, reg->get_optmax); reg->get_optmin, reg->get_optmax);
ret = -EBUSY; ret = -EBUSY;
...@@ -73,7 +73,7 @@ void nf_unregister_sockopt(struct nf_sockopt_ops *reg) ...@@ -73,7 +73,7 @@ void nf_unregister_sockopt(struct nf_sockopt_ops *reg)
EXPORT_SYMBOL(nf_unregister_sockopt); EXPORT_SYMBOL(nf_unregister_sockopt);
/* Call get/setsockopt() */ /* Call get/setsockopt() */
static int nf_sockopt(struct sock *sk, int pf, int val, static int nf_sockopt(struct sock *sk, int pf, int val,
char __user *opt, int *len, int get) char __user *opt, int *len, int get)
{ {
struct list_head *i; struct list_head *i;
...@@ -107,7 +107,7 @@ static int nf_sockopt(struct sock *sk, int pf, int val, ...@@ -107,7 +107,7 @@ static int nf_sockopt(struct sock *sk, int pf, int val,
} }
mutex_unlock(&nf_sockopt_mutex); mutex_unlock(&nf_sockopt_mutex);
return -ENOPROTOOPT; return -ENOPROTOOPT;
out: out:
mutex_lock(&nf_sockopt_mutex); mutex_lock(&nf_sockopt_mutex);
ops->use--; ops->use--;
......
...@@ -105,7 +105,7 @@ static inline struct nfnl_callback * ...@@ -105,7 +105,7 @@ static inline struct nfnl_callback *
nfnetlink_find_client(u_int16_t type, struct nfnetlink_subsystem *ss) nfnetlink_find_client(u_int16_t type, struct nfnetlink_subsystem *ss)
{ {
u_int8_t cb_id = NFNL_MSG_TYPE(type); u_int8_t cb_id = NFNL_MSG_TYPE(type);
if (cb_id >= ss->cb_count) { if (cb_id >= ss->cb_count) {
DEBUGP("msgtype %u >= %u, returning\n", type, ss->cb_count); DEBUGP("msgtype %u >= %u, returning\n", type, ss->cb_count);
return NULL; return NULL;
...@@ -187,7 +187,7 @@ nfnetlink_check_attributes(struct nfnetlink_subsystem *subsys, ...@@ -187,7 +187,7 @@ nfnetlink_check_attributes(struct nfnetlink_subsystem *subsys,
/* implicit: if nlmsg_len == min_len, we return 0, and an empty /* implicit: if nlmsg_len == min_len, we return 0, and an empty
* (zeroed) cda[] array. The message is valid, but empty. */ * (zeroed) cda[] array. The message is valid, but empty. */
return 0; return 0;
} }
int nfnetlink_has_listeners(unsigned int group) int nfnetlink_has_listeners(unsigned int group)
...@@ -268,12 +268,12 @@ static int nfnetlink_rcv_msg(struct sk_buff *skb, ...@@ -268,12 +268,12 @@ static int nfnetlink_rcv_msg(struct sk_buff *skb,
} }
{ {
u_int16_t attr_count = u_int16_t attr_count =
ss->cb[NFNL_MSG_TYPE(nlh->nlmsg_type)].attr_count; ss->cb[NFNL_MSG_TYPE(nlh->nlmsg_type)].attr_count;
struct nfattr *cda[attr_count]; struct nfattr *cda[attr_count];
memset(cda, 0, sizeof(struct nfattr *) * attr_count); memset(cda, 0, sizeof(struct nfattr *) * attr_count);
err = nfnetlink_check_attributes(ss, nlh, cda); err = nfnetlink_check_attributes(ss, nlh, cda);
if (err < 0) if (err < 0)
goto err_inval; goto err_inval;
...@@ -357,7 +357,7 @@ static int __init nfnetlink_init(void) ...@@ -357,7 +357,7 @@ static int __init nfnetlink_init(void)
printk("Netfilter messages via NETLINK v%s.\n", nfversion); printk("Netfilter messages via NETLINK v%s.\n", nfversion);
nfnl = netlink_kernel_create(NETLINK_NETFILTER, NFNLGRP_MAX, nfnl = netlink_kernel_create(NETLINK_NETFILTER, NFNLGRP_MAX,
nfnetlink_rcv, THIS_MODULE); nfnetlink_rcv, THIS_MODULE);
if (!nfnl) { if (!nfnl) {
printk(KERN_ERR "cannot initialize nfnetlink!\n"); printk(KERN_ERR "cannot initialize nfnetlink!\n");
return -1; return -1;
......
...@@ -75,7 +75,7 @@ struct nfulnl_instance { ...@@ -75,7 +75,7 @@ struct nfulnl_instance {
u_int32_t seq; /* instance-local sequential counter */ u_int32_t seq; /* instance-local sequential counter */
u_int16_t group_num; /* number of this queue */ u_int16_t group_num; /* number of this queue */
u_int16_t flags; u_int16_t flags;
u_int8_t copy_mode; u_int8_t copy_mode;
}; };
static DEFINE_RWLOCK(instances_lock); static DEFINE_RWLOCK(instances_lock);
...@@ -146,7 +146,7 @@ instance_create(u_int16_t group_num, int pid) ...@@ -146,7 +146,7 @@ instance_create(u_int16_t group_num, int pid)
UDEBUG("entering (group_num=%u, pid=%d)\n", group_num, UDEBUG("entering (group_num=%u, pid=%d)\n", group_num,
pid); pid);
write_lock_bh(&instances_lock); write_lock_bh(&instances_lock);
if (__instance_lookup(group_num)) { if (__instance_lookup(group_num)) {
inst = NULL; inst = NULL;
UDEBUG("aborting, instance already exists\n"); UDEBUG("aborting, instance already exists\n");
...@@ -179,10 +179,10 @@ instance_create(u_int16_t group_num, int pid) ...@@ -179,10 +179,10 @@ instance_create(u_int16_t group_num, int pid)
if (!try_module_get(THIS_MODULE)) if (!try_module_get(THIS_MODULE))
goto out_free; goto out_free;
hlist_add_head(&inst->hlist, hlist_add_head(&inst->hlist,
&instance_table[instance_hashfn(group_num)]); &instance_table[instance_hashfn(group_num)]);
UDEBUG("newly added node: %p, next=%p\n", &inst->hlist, UDEBUG("newly added node: %p, next=%p\n", &inst->hlist,
inst->hlist.next); inst->hlist.next);
write_unlock_bh(&instances_lock); write_unlock_bh(&instances_lock);
...@@ -251,14 +251,14 @@ nfulnl_set_mode(struct nfulnl_instance *inst, u_int8_t mode, ...@@ -251,14 +251,14 @@ nfulnl_set_mode(struct nfulnl_instance *inst, u_int8_t mode,
int status = 0; int status = 0;
spin_lock_bh(&inst->lock); spin_lock_bh(&inst->lock);
switch (mode) { switch (mode) {
case NFULNL_COPY_NONE: case NFULNL_COPY_NONE:
case NFULNL_COPY_META: case NFULNL_COPY_META:
inst->copy_mode = mode; inst->copy_mode = mode;
inst->copy_range = 0; inst->copy_range = 0;
break; break;
case NFULNL_COPY_PACKET: case NFULNL_COPY_PACKET:
inst->copy_mode = mode; inst->copy_mode = mode;
/* we're using struct nfattr which has 16bit nfa_len */ /* we're using struct nfattr which has 16bit nfa_len */
...@@ -267,7 +267,7 @@ nfulnl_set_mode(struct nfulnl_instance *inst, u_int8_t mode, ...@@ -267,7 +267,7 @@ nfulnl_set_mode(struct nfulnl_instance *inst, u_int8_t mode,
else else
inst->copy_range = range; inst->copy_range = range;
break; break;
default: default:
status = -EINVAL; status = -EINVAL;
break; break;
...@@ -327,7 +327,7 @@ nfulnl_set_flags(struct nfulnl_instance *inst, u_int16_t flags) ...@@ -327,7 +327,7 @@ nfulnl_set_flags(struct nfulnl_instance *inst, u_int16_t flags)
return 0; return 0;
} }
static struct sk_buff *nfulnl_alloc_skb(unsigned int inst_size, static struct sk_buff *nfulnl_alloc_skb(unsigned int inst_size,
unsigned int pkt_size) unsigned int pkt_size)
{ {
struct sk_buff *skb; struct sk_buff *skb;
...@@ -387,7 +387,7 @@ __nfulnl_send(struct nfulnl_instance *inst) ...@@ -387,7 +387,7 @@ __nfulnl_send(struct nfulnl_instance *inst)
static void nfulnl_timer(unsigned long data) static void nfulnl_timer(unsigned long data)
{ {
struct nfulnl_instance *inst = (struct nfulnl_instance *)data; struct nfulnl_instance *inst = (struct nfulnl_instance *)data;
UDEBUG("timer function called, flushing buffer\n"); UDEBUG("timer function called, flushing buffer\n");
...@@ -399,9 +399,9 @@ static void nfulnl_timer(unsigned long data) ...@@ -399,9 +399,9 @@ static void nfulnl_timer(unsigned long data)
/* This is an inline function, we don't really care about a long /* This is an inline function, we don't really care about a long
* list of arguments */ * list of arguments */
static inline int static inline int
__build_packet_message(struct nfulnl_instance *inst, __build_packet_message(struct nfulnl_instance *inst,
const struct sk_buff *skb, const struct sk_buff *skb,
unsigned int data_len, unsigned int data_len,
unsigned int pf, unsigned int pf,
unsigned int hooknum, unsigned int hooknum,
...@@ -417,9 +417,9 @@ __build_packet_message(struct nfulnl_instance *inst, ...@@ -417,9 +417,9 @@ __build_packet_message(struct nfulnl_instance *inst,
__be32 tmp_uint; __be32 tmp_uint;
UDEBUG("entered\n"); UDEBUG("entered\n");
old_tail = inst->skb->tail; old_tail = inst->skb->tail;
nlh = NLMSG_PUT(inst->skb, 0, 0, nlh = NLMSG_PUT(inst->skb, 0, 0,
NFNL_SUBSYS_ULOG << 8 | NFULNL_MSG_PACKET, NFNL_SUBSYS_ULOG << 8 | NFULNL_MSG_PACKET,
sizeof(struct nfgenmsg)); sizeof(struct nfgenmsg));
nfmsg = NLMSG_DATA(nlh); nfmsg = NLMSG_DATA(nlh);
...@@ -457,7 +457,7 @@ __build_packet_message(struct nfulnl_instance *inst, ...@@ -457,7 +457,7 @@ __build_packet_message(struct nfulnl_instance *inst,
NFA_PUT(inst->skb, NFULA_IFINDEX_INDEV, NFA_PUT(inst->skb, NFULA_IFINDEX_INDEV,
sizeof(tmp_uint), &tmp_uint); sizeof(tmp_uint), &tmp_uint);
if (skb->nf_bridge && skb->nf_bridge->physindev) { if (skb->nf_bridge && skb->nf_bridge->physindev) {
tmp_uint = tmp_uint =
htonl(skb->nf_bridge->physindev->ifindex); htonl(skb->nf_bridge->physindev->ifindex);
NFA_PUT(inst->skb, NFULA_IFINDEX_PHYSINDEV, NFA_PUT(inst->skb, NFULA_IFINDEX_PHYSINDEV,
sizeof(tmp_uint), &tmp_uint); sizeof(tmp_uint), &tmp_uint);
...@@ -488,7 +488,7 @@ __build_packet_message(struct nfulnl_instance *inst, ...@@ -488,7 +488,7 @@ __build_packet_message(struct nfulnl_instance *inst,
NFA_PUT(inst->skb, NFULA_IFINDEX_OUTDEV, NFA_PUT(inst->skb, NFULA_IFINDEX_OUTDEV,
sizeof(tmp_uint), &tmp_uint); sizeof(tmp_uint), &tmp_uint);
if (skb->nf_bridge) { if (skb->nf_bridge) {
tmp_uint = tmp_uint =
htonl(skb->nf_bridge->physoutdev->ifindex); htonl(skb->nf_bridge->physoutdev->ifindex);
NFA_PUT(inst->skb, NFULA_IFINDEX_PHYSOUTDEV, NFA_PUT(inst->skb, NFULA_IFINDEX_PHYSOUTDEV,
sizeof(tmp_uint), &tmp_uint); sizeof(tmp_uint), &tmp_uint);
...@@ -558,7 +558,7 @@ __build_packet_message(struct nfulnl_instance *inst, ...@@ -558,7 +558,7 @@ __build_packet_message(struct nfulnl_instance *inst,
if (skb_copy_bits(skb, 0, NFA_DATA(nfa), data_len)) if (skb_copy_bits(skb, 0, NFA_DATA(nfa), data_len))
BUG(); BUG();
} }
nlh->nlmsg_len = inst->skb->tail - old_tail; nlh->nlmsg_len = inst->skb->tail - old_tail;
return 0; return 0;
...@@ -599,7 +599,7 @@ nfulnl_log_packet(unsigned int pf, ...@@ -599,7 +599,7 @@ nfulnl_log_packet(unsigned int pf,
unsigned int nlbufsiz; unsigned int nlbufsiz;
unsigned int plen; unsigned int plen;
if (li_user && li_user->type == NF_LOG_TYPE_ULOG) if (li_user && li_user->type == NF_LOG_TYPE_ULOG)
li = li_user; li = li_user;
else else
li = &default_loginfo; li = &default_loginfo;
...@@ -648,24 +648,24 @@ nfulnl_log_packet(unsigned int pf, ...@@ -648,24 +648,24 @@ nfulnl_log_packet(unsigned int pf,
/* per-rule qthreshold overrides per-instance */ /* per-rule qthreshold overrides per-instance */
if (qthreshold > li->u.ulog.qthreshold) if (qthreshold > li->u.ulog.qthreshold)
qthreshold = li->u.ulog.qthreshold; qthreshold = li->u.ulog.qthreshold;
switch (inst->copy_mode) { switch (inst->copy_mode) {
case NFULNL_COPY_META: case NFULNL_COPY_META:
case NFULNL_COPY_NONE: case NFULNL_COPY_NONE:
data_len = 0; data_len = 0;
break; break;
case NFULNL_COPY_PACKET: case NFULNL_COPY_PACKET:
if (inst->copy_range == 0 if (inst->copy_range == 0
|| inst->copy_range > skb->len) || inst->copy_range > skb->len)
data_len = skb->len; data_len = skb->len;
else else
data_len = inst->copy_range; data_len = inst->copy_range;
size += NFA_SPACE(data_len); size += NFA_SPACE(data_len);
UDEBUG("copy_packet, therefore size now %u\n", size); UDEBUG("copy_packet, therefore size now %u\n", size);
break; break;
default: default:
spin_unlock_bh(&inst->lock); spin_unlock_bh(&inst->lock);
instance_put(inst); instance_put(inst);
...@@ -991,9 +991,9 @@ static int seq_show(struct seq_file *s, void *v) ...@@ -991,9 +991,9 @@ static int seq_show(struct seq_file *s, void *v)
{ {
const struct nfulnl_instance *inst = v; const struct nfulnl_instance *inst = v;
return seq_printf(s, "%5d %6d %5d %1d %5d %6d %2d\n", return seq_printf(s, "%5d %6d %5d %1d %5d %6d %2d\n",
inst->group_num, inst->group_num,
inst->peer_pid, inst->qlen, inst->peer_pid, inst->qlen,
inst->copy_mode, inst->copy_range, inst->copy_mode, inst->copy_range,
inst->flushtimeout, atomic_read(&inst->use)); inst->flushtimeout, atomic_read(&inst->use));
} }
...@@ -1041,10 +1041,10 @@ static int __init nfnetlink_log_init(void) ...@@ -1041,10 +1041,10 @@ static int __init nfnetlink_log_init(void)
#ifdef CONFIG_PROC_FS #ifdef CONFIG_PROC_FS
struct proc_dir_entry *proc_nful; struct proc_dir_entry *proc_nful;
#endif #endif
for (i = 0; i < INSTANCE_BUCKETS; i++) for (i = 0; i < INSTANCE_BUCKETS; i++)
INIT_HLIST_HEAD(&instance_table[i]); INIT_HLIST_HEAD(&instance_table[i]);
/* it's not really all that important to have a random value, so /* it's not really all that important to have a random value, so
* we can do this from the init function, even if there hasn't * we can do this from the init function, even if there hasn't
* been that much entropy yet */ * been that much entropy yet */
......
...@@ -129,7 +129,7 @@ instance_create(u_int16_t queue_num, int pid) ...@@ -129,7 +129,7 @@ instance_create(u_int16_t queue_num, int pid)
QDEBUG("entering for queue_num=%u, pid=%d\n", queue_num, pid); QDEBUG("entering for queue_num=%u, pid=%d\n", queue_num, pid);
write_lock_bh(&instances_lock); write_lock_bh(&instances_lock);
if (__instance_lookup(queue_num)) { if (__instance_lookup(queue_num)) {
inst = NULL; inst = NULL;
QDEBUG("aborting, instance already exists\n"); QDEBUG("aborting, instance already exists\n");
...@@ -154,7 +154,7 @@ instance_create(u_int16_t queue_num, int pid) ...@@ -154,7 +154,7 @@ instance_create(u_int16_t queue_num, int pid)
if (!try_module_get(THIS_MODULE)) if (!try_module_get(THIS_MODULE))
goto out_free; goto out_free;
hlist_add_head(&inst->hlist, hlist_add_head(&inst->hlist,
&instance_table[instance_hashfn(queue_num)]); &instance_table[instance_hashfn(queue_num)]);
write_unlock_bh(&instances_lock); write_unlock_bh(&instances_lock);
...@@ -239,14 +239,14 @@ __enqueue_entry(struct nfqnl_instance *queue, ...@@ -239,14 +239,14 @@ __enqueue_entry(struct nfqnl_instance *queue,
* entry if cmpfn is NULL. * entry if cmpfn is NULL.
*/ */
static inline struct nfqnl_queue_entry * static inline struct nfqnl_queue_entry *
__find_entry(struct nfqnl_instance *queue, nfqnl_cmpfn cmpfn, __find_entry(struct nfqnl_instance *queue, nfqnl_cmpfn cmpfn,
unsigned long data) unsigned long data)
{ {
struct list_head *p; struct list_head *p;
list_for_each_prev(p, &queue->queue_list) { list_for_each_prev(p, &queue->queue_list) {
struct nfqnl_queue_entry *entry = (struct nfqnl_queue_entry *)p; struct nfqnl_queue_entry *entry = (struct nfqnl_queue_entry *)p;
if (!cmpfn || cmpfn(entry, data)) if (!cmpfn || cmpfn(entry, data))
return entry; return entry;
} }
...@@ -279,7 +279,7 @@ static inline void ...@@ -279,7 +279,7 @@ static inline void
__nfqnl_flush(struct nfqnl_instance *queue, int verdict) __nfqnl_flush(struct nfqnl_instance *queue, int verdict)
{ {
struct nfqnl_queue_entry *entry; struct nfqnl_queue_entry *entry;
while ((entry = __find_dequeue_entry(queue, NULL, 0))) while ((entry = __find_dequeue_entry(queue, NULL, 0)))
issue_verdict(entry, verdict); issue_verdict(entry, verdict);
} }
...@@ -289,14 +289,14 @@ __nfqnl_set_mode(struct nfqnl_instance *queue, ...@@ -289,14 +289,14 @@ __nfqnl_set_mode(struct nfqnl_instance *queue,
unsigned char mode, unsigned int range) unsigned char mode, unsigned int range)
{ {
int status = 0; int status = 0;
switch (mode) { switch (mode) {
case NFQNL_COPY_NONE: case NFQNL_COPY_NONE:
case NFQNL_COPY_META: case NFQNL_COPY_META:
queue->copy_mode = mode; queue->copy_mode = mode;
queue->copy_range = 0; queue->copy_range = 0;
break; break;
case NFQNL_COPY_PACKET: case NFQNL_COPY_PACKET:
queue->copy_mode = mode; queue->copy_mode = mode;
/* we're using struct nfattr which has 16bit nfa_len */ /* we're using struct nfattr which has 16bit nfa_len */
...@@ -305,7 +305,7 @@ __nfqnl_set_mode(struct nfqnl_instance *queue, ...@@ -305,7 +305,7 @@ __nfqnl_set_mode(struct nfqnl_instance *queue,
else else
queue->copy_range = range; queue->copy_range = range;
break; break;
default: default:
status = -EINVAL; status = -EINVAL;
...@@ -318,7 +318,7 @@ find_dequeue_entry(struct nfqnl_instance *queue, ...@@ -318,7 +318,7 @@ find_dequeue_entry(struct nfqnl_instance *queue,
nfqnl_cmpfn cmpfn, unsigned long data) nfqnl_cmpfn cmpfn, unsigned long data)
{ {
struct nfqnl_queue_entry *entry; struct nfqnl_queue_entry *entry;
spin_lock_bh(&queue->lock); spin_lock_bh(&queue->lock);
entry = __find_dequeue_entry(queue, cmpfn, data); entry = __find_dequeue_entry(queue, cmpfn, data);
spin_unlock_bh(&queue->lock); spin_unlock_bh(&queue->lock);
...@@ -369,13 +369,13 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue, ...@@ -369,13 +369,13 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
outdev = entinf->outdev; outdev = entinf->outdev;
spin_lock_bh(&queue->lock); spin_lock_bh(&queue->lock);
switch (queue->copy_mode) { switch (queue->copy_mode) {
case NFQNL_COPY_META: case NFQNL_COPY_META:
case NFQNL_COPY_NONE: case NFQNL_COPY_NONE:
data_len = 0; data_len = 0;
break; break;
case NFQNL_COPY_PACKET: case NFQNL_COPY_PACKET:
if ((entskb->ip_summed == CHECKSUM_PARTIAL || if ((entskb->ip_summed == CHECKSUM_PARTIAL ||
entskb->ip_summed == CHECKSUM_COMPLETE) && entskb->ip_summed == CHECKSUM_COMPLETE) &&
...@@ -383,15 +383,15 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue, ...@@ -383,15 +383,15 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
spin_unlock_bh(&queue->lock); spin_unlock_bh(&queue->lock);
return NULL; return NULL;
} }
if (queue->copy_range == 0 if (queue->copy_range == 0
|| queue->copy_range > entskb->len) || queue->copy_range > entskb->len)
data_len = entskb->len; data_len = entskb->len;
else else
data_len = queue->copy_range; data_len = queue->copy_range;
size += NFA_SPACE(data_len); size += NFA_SPACE(data_len);
break; break;
default: default:
*errp = -EINVAL; *errp = -EINVAL;
spin_unlock_bh(&queue->lock); spin_unlock_bh(&queue->lock);
...@@ -403,9 +403,9 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue, ...@@ -403,9 +403,9 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
skb = alloc_skb(size, GFP_ATOMIC); skb = alloc_skb(size, GFP_ATOMIC);
if (!skb) if (!skb)
goto nlmsg_failure; goto nlmsg_failure;
old_tail= skb->tail; old_tail= skb->tail;
nlh = NLMSG_PUT(skb, 0, 0, nlh = NLMSG_PUT(skb, 0, 0,
NFNL_SUBSYS_QUEUE << 8 | NFQNL_MSG_PACKET, NFNL_SUBSYS_QUEUE << 8 | NFQNL_MSG_PACKET,
sizeof(struct nfgenmsg)); sizeof(struct nfgenmsg));
nfmsg = NLMSG_DATA(nlh); nfmsg = NLMSG_DATA(nlh);
...@@ -427,9 +427,9 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue, ...@@ -427,9 +427,9 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
#else #else
if (entinf->pf == PF_BRIDGE) { if (entinf->pf == PF_BRIDGE) {
/* Case 1: indev is physical input device, we need to /* Case 1: indev is physical input device, we need to
* look for bridge group (when called from * look for bridge group (when called from
* netfilter_bridge) */ * netfilter_bridge) */
NFA_PUT(skb, NFQA_IFINDEX_PHYSINDEV, sizeof(tmp_uint), NFA_PUT(skb, NFQA_IFINDEX_PHYSINDEV, sizeof(tmp_uint),
&tmp_uint); &tmp_uint);
/* this is the bridge group "brX" */ /* this is the bridge group "brX" */
tmp_uint = htonl(indev->br_port->br->dev->ifindex); tmp_uint = htonl(indev->br_port->br->dev->ifindex);
...@@ -457,7 +457,7 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue, ...@@ -457,7 +457,7 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
#else #else
if (entinf->pf == PF_BRIDGE) { if (entinf->pf == PF_BRIDGE) {
/* Case 1: outdev is physical output device, we need to /* Case 1: outdev is physical output device, we need to
* look for bridge group (when called from * look for bridge group (when called from
* netfilter_bridge) */ * netfilter_bridge) */
NFA_PUT(skb, NFQA_IFINDEX_PHYSOUTDEV, sizeof(tmp_uint), NFA_PUT(skb, NFQA_IFINDEX_PHYSOUTDEV, sizeof(tmp_uint),
&tmp_uint); &tmp_uint);
...@@ -490,7 +490,7 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue, ...@@ -490,7 +490,7 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
struct nfqnl_msg_packet_hw phw; struct nfqnl_msg_packet_hw phw;
int len = entskb->dev->hard_header_parse(entskb, int len = entskb->dev->hard_header_parse(entskb,
phw.hw_addr); phw.hw_addr);
phw.hw_addrlen = htons(len); phw.hw_addrlen = htons(len);
NFA_PUT(skb, NFQA_HWADDR, sizeof(phw), &phw); NFA_PUT(skb, NFQA_HWADDR, sizeof(phw), &phw);
} }
...@@ -520,7 +520,7 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue, ...@@ -520,7 +520,7 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
if (skb_copy_bits(entskb, 0, NFA_DATA(nfa), data_len)) if (skb_copy_bits(entskb, 0, NFA_DATA(nfa), data_len))
BUG(); BUG();
} }
nlh->nlmsg_len = skb->tail - old_tail; nlh->nlmsg_len = skb->tail - old_tail;
return skb; return skb;
...@@ -535,7 +535,7 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue, ...@@ -535,7 +535,7 @@ nfqnl_build_packet_message(struct nfqnl_instance *queue,
} }
static int static int
nfqnl_enqueue_packet(struct sk_buff *skb, struct nf_info *info, nfqnl_enqueue_packet(struct sk_buff *skb, struct nf_info *info,
unsigned int queuenum, void *data) unsigned int queuenum, void *data)
{ {
int status = -EINVAL; int status = -EINVAL;
...@@ -560,7 +560,7 @@ nfqnl_enqueue_packet(struct sk_buff *skb, struct nf_info *info, ...@@ -560,7 +560,7 @@ nfqnl_enqueue_packet(struct sk_buff *skb, struct nf_info *info,
entry = kmalloc(sizeof(*entry), GFP_ATOMIC); entry = kmalloc(sizeof(*entry), GFP_ATOMIC);
if (entry == NULL) { if (entry == NULL) {
if (net_ratelimit()) if (net_ratelimit())
printk(KERN_ERR printk(KERN_ERR
"nf_queue: OOM in nfqnl_enqueue_packet()\n"); "nf_queue: OOM in nfqnl_enqueue_packet()\n");
status = -ENOMEM; status = -ENOMEM;
goto err_out_put; goto err_out_put;
...@@ -573,18 +573,18 @@ nfqnl_enqueue_packet(struct sk_buff *skb, struct nf_info *info, ...@@ -573,18 +573,18 @@ nfqnl_enqueue_packet(struct sk_buff *skb, struct nf_info *info,
nskb = nfqnl_build_packet_message(queue, entry, &status); nskb = nfqnl_build_packet_message(queue, entry, &status);
if (nskb == NULL) if (nskb == NULL)
goto err_out_free; goto err_out_free;
spin_lock_bh(&queue->lock); spin_lock_bh(&queue->lock);
if (!queue->peer_pid) if (!queue->peer_pid)
goto err_out_free_nskb; goto err_out_free_nskb;
if (queue->queue_total >= queue->queue_maxlen) { if (queue->queue_total >= queue->queue_maxlen) {
queue->queue_dropped++; queue->queue_dropped++;
status = -ENOSPC; status = -ENOSPC;
if (net_ratelimit()) if (net_ratelimit())
printk(KERN_WARNING "nf_queue: full at %d entries, " printk(KERN_WARNING "nf_queue: full at %d entries, "
"dropping packets(s). Dropped: %d\n", "dropping packets(s). Dropped: %d\n",
queue->queue_total, queue->queue_dropped); queue->queue_total, queue->queue_dropped);
goto err_out_free_nskb; goto err_out_free_nskb;
} }
...@@ -592,7 +592,7 @@ nfqnl_enqueue_packet(struct sk_buff *skb, struct nf_info *info, ...@@ -592,7 +592,7 @@ nfqnl_enqueue_packet(struct sk_buff *skb, struct nf_info *info,
/* nfnetlink_unicast will either free the nskb or add it to a socket */ /* nfnetlink_unicast will either free the nskb or add it to a socket */
status = nfnetlink_unicast(nskb, queue->peer_pid, MSG_DONTWAIT); status = nfnetlink_unicast(nskb, queue->peer_pid, MSG_DONTWAIT);
if (status < 0) { if (status < 0) {
queue->queue_user_dropped++; queue->queue_user_dropped++;
goto err_out_unlock; goto err_out_unlock;
} }
...@@ -603,8 +603,8 @@ nfqnl_enqueue_packet(struct sk_buff *skb, struct nf_info *info, ...@@ -603,8 +603,8 @@ nfqnl_enqueue_packet(struct sk_buff *skb, struct nf_info *info,
return status; return status;
err_out_free_nskb: err_out_free_nskb:
kfree_skb(nskb); kfree_skb(nskb);
err_out_unlock: err_out_unlock:
spin_unlock_bh(&queue->lock); spin_unlock_bh(&queue->lock);
...@@ -629,11 +629,11 @@ nfqnl_mangle(void *data, int data_len, struct nfqnl_queue_entry *e) ...@@ -629,11 +629,11 @@ nfqnl_mangle(void *data, int data_len, struct nfqnl_queue_entry *e)
return -EINVAL; return -EINVAL;
if (diff > skb_tailroom(e->skb)) { if (diff > skb_tailroom(e->skb)) {
struct sk_buff *newskb; struct sk_buff *newskb;
newskb = skb_copy_expand(e->skb, newskb = skb_copy_expand(e->skb,
skb_headroom(e->skb), skb_headroom(e->skb),
diff, diff,
GFP_ATOMIC); GFP_ATOMIC);
if (newskb == NULL) { if (newskb == NULL) {
printk(KERN_WARNING "nf_queue: OOM " printk(KERN_WARNING "nf_queue: OOM "
"in mangle, dropping packet\n"); "in mangle, dropping packet\n");
...@@ -676,7 +676,7 @@ static int ...@@ -676,7 +676,7 @@ static int
dev_cmp(struct nfqnl_queue_entry *entry, unsigned long ifindex) dev_cmp(struct nfqnl_queue_entry *entry, unsigned long ifindex)
{ {
struct nf_info *entinf = entry->info; struct nf_info *entinf = entry->info;
if (entinf->indev) if (entinf->indev)
if (entinf->indev->ifindex == ifindex) if (entinf->indev->ifindex == ifindex)
return 1; return 1;
...@@ -702,7 +702,7 @@ static void ...@@ -702,7 +702,7 @@ static void
nfqnl_dev_drop(int ifindex) nfqnl_dev_drop(int ifindex)
{ {
int i; int i;
QDEBUG("entering for ifindex %u\n", ifindex); QDEBUG("entering for ifindex %u\n", ifindex);
/* this only looks like we have to hold the readlock for a way too long /* this only looks like we have to hold the readlock for a way too long
...@@ -717,7 +717,7 @@ nfqnl_dev_drop(int ifindex) ...@@ -717,7 +717,7 @@ nfqnl_dev_drop(int ifindex)
hlist_for_each_entry(inst, tmp, head, hlist) { hlist_for_each_entry(inst, tmp, head, hlist) {
struct nfqnl_queue_entry *entry; struct nfqnl_queue_entry *entry;
while ((entry = find_dequeue_entry(inst, dev_cmp, while ((entry = find_dequeue_entry(inst, dev_cmp,
ifindex)) != NULL) ifindex)) != NULL)
issue_verdict(entry, NF_DROP); issue_verdict(entry, NF_DROP);
} }
...@@ -835,8 +835,8 @@ nfqnl_recv_verdict(struct sock *ctnl, struct sk_buff *skb, ...@@ -835,8 +835,8 @@ nfqnl_recv_verdict(struct sock *ctnl, struct sk_buff *skb,
if (nfqa[NFQA_MARK-1]) if (nfqa[NFQA_MARK-1])
entry->skb->mark = ntohl(*(__be32 *) entry->skb->mark = ntohl(*(__be32 *)
NFA_DATA(nfqa[NFQA_MARK-1])); NFA_DATA(nfqa[NFQA_MARK-1]));
issue_verdict(entry, verdict); issue_verdict(entry, verdict);
instance_put(queue); instance_put(queue);
return 0; return 0;
...@@ -1093,7 +1093,7 @@ static int __init nfnetlink_queue_init(void) ...@@ -1093,7 +1093,7 @@ static int __init nfnetlink_queue_init(void)
#ifdef CONFIG_PROC_FS #ifdef CONFIG_PROC_FS
struct proc_dir_entry *proc_nfqueue; struct proc_dir_entry *proc_nfqueue;
#endif #endif
for (i = 0; i < INSTANCE_BUCKETS; i++) for (i = 0; i < INSTANCE_BUCKETS; i++)
INIT_HLIST_HEAD(&instance_table[i]); INIT_HLIST_HEAD(&instance_table[i]);
......
...@@ -305,7 +305,7 @@ int xt_find_revision(int af, const char *name, u8 revision, int target, ...@@ -305,7 +305,7 @@ int xt_find_revision(int af, const char *name, u8 revision, int target,
EXPORT_SYMBOL_GPL(xt_find_revision); EXPORT_SYMBOL_GPL(xt_find_revision);
int xt_check_match(const struct xt_match *match, unsigned short family, int xt_check_match(const struct xt_match *match, unsigned short family,
unsigned int size, const char *table, unsigned int hook_mask, unsigned int size, const char *table, unsigned int hook_mask,
unsigned short proto, int inv_proto) unsigned short proto, int inv_proto)
{ {
if (XT_ALIGN(match->matchsize) != size) { if (XT_ALIGN(match->matchsize) != size) {
...@@ -377,7 +377,7 @@ int xt_compat_match_to_user(struct xt_entry_match *m, void __user **dstptr, ...@@ -377,7 +377,7 @@ int xt_compat_match_to_user(struct xt_entry_match *m, void __user **dstptr,
if (copy_to_user(cm, m, sizeof(*cm)) || if (copy_to_user(cm, m, sizeof(*cm)) ||
put_user(msize, &cm->u.user.match_size)) put_user(msize, &cm->u.user.match_size))
return -EFAULT; return -EFAULT;
if (match->compat_to_user) { if (match->compat_to_user) {
if (match->compat_to_user((void __user *)cm->data, m->data)) if (match->compat_to_user((void __user *)cm->data, m->data))
...@@ -432,7 +432,7 @@ int xt_compat_target_offset(struct xt_target *target) ...@@ -432,7 +432,7 @@ int xt_compat_target_offset(struct xt_target *target)
EXPORT_SYMBOL_GPL(xt_compat_target_offset); EXPORT_SYMBOL_GPL(xt_compat_target_offset);
void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr, void xt_compat_target_from_user(struct xt_entry_target *t, void **dstptr,
int *size) int *size)
{ {
struct xt_target *target = t->u.kernel.target; struct xt_target *target = t->u.kernel.target;
struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t; struct compat_xt_entry_target *ct = (struct compat_xt_entry_target *)t;
...@@ -467,7 +467,7 @@ int xt_compat_target_to_user(struct xt_entry_target *t, void __user **dstptr, ...@@ -467,7 +467,7 @@ int xt_compat_target_to_user(struct xt_entry_target *t, void __user **dstptr,
if (copy_to_user(ct, t, sizeof(*ct)) || if (copy_to_user(ct, t, sizeof(*ct)) ||
put_user(tsize, &ct->u.user.target_size)) put_user(tsize, &ct->u.user.target_size))
return -EFAULT; return -EFAULT;
if (target->compat_to_user) { if (target->compat_to_user) {
if (target->compat_to_user((void __user *)ct->data, t->data)) if (target->compat_to_user((void __user *)ct->data, t->data))
...@@ -710,7 +710,7 @@ static void *xt_tgt_seq_start(struct seq_file *seq, loff_t *pos) ...@@ -710,7 +710,7 @@ static void *xt_tgt_seq_start(struct seq_file *seq, loff_t *pos)
if (mutex_lock_interruptible(&xt[af].mutex) != 0) if (mutex_lock_interruptible(&xt[af].mutex) != 0)
return NULL; return NULL;
return xt_get_idx(list, seq, *pos); return xt_get_idx(list, seq, *pos);
} }
...@@ -723,7 +723,7 @@ static void *xt_tgt_seq_next(struct seq_file *seq, void *v, loff_t *pos) ...@@ -723,7 +723,7 @@ static void *xt_tgt_seq_next(struct seq_file *seq, void *v, loff_t *pos)
if (af >= NPROTO) if (af >= NPROTO)
return NULL; return NULL;
list = type2list(af, type); list = type2list(af, type);
if (!list) if (!list)
return NULL; return NULL;
......
...@@ -48,7 +48,7 @@ static struct xt_target xt_classify_target[] = { ...@@ -48,7 +48,7 @@ static struct xt_target xt_classify_target[] = {
.table = "mangle", .table = "mangle",
.hooks = (1 << NF_IP_LOCAL_OUT) | .hooks = (1 << NF_IP_LOCAL_OUT) |
(1 << NF_IP_FORWARD) | (1 << NF_IP_FORWARD) |
(1 << NF_IP_POST_ROUTING), (1 << NF_IP_POST_ROUTING),
.me = THIS_MODULE, .me = THIS_MODULE,
}, },
{ {
...@@ -59,7 +59,7 @@ static struct xt_target xt_classify_target[] = { ...@@ -59,7 +59,7 @@ static struct xt_target xt_classify_target[] = {
.table = "mangle", .table = "mangle",
.hooks = (1 << NF_IP6_LOCAL_OUT) | .hooks = (1 << NF_IP6_LOCAL_OUT) |
(1 << NF_IP6_FORWARD) | (1 << NF_IP6_FORWARD) |
(1 << NF_IP6_POST_ROUTING), (1 << NF_IP6_POST_ROUTING),
.me = THIS_MODULE, .me = THIS_MODULE,
}, },
}; };
......
...@@ -50,11 +50,11 @@ target_v1(struct sk_buff **pskb, ...@@ -50,11 +50,11 @@ target_v1(struct sk_buff **pskb,
case XT_MARK_SET: case XT_MARK_SET:
mark = markinfo->mark; mark = markinfo->mark;
break; break;
case XT_MARK_AND: case XT_MARK_AND:
mark = (*pskb)->mark & markinfo->mark; mark = (*pskb)->mark & markinfo->mark;
break; break;
case XT_MARK_OR: case XT_MARK_OR:
mark = (*pskb)->mark | markinfo->mark; mark = (*pskb)->mark | markinfo->mark;
break; break;
......
...@@ -3,9 +3,9 @@ ...@@ -3,9 +3,9 @@
* (C) 2005 by Harald Welte <laforge@netfilter.org> * (C) 2005 by Harald Welte <laforge@netfilter.org>
* *
* This program is free software; you can redistribute it and/or modify * This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as * it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation. * published by the Free Software Foundation.
* *
*/ */
#include <linux/module.h> #include <linux/module.h>
......
...@@ -22,8 +22,8 @@ target(struct sk_buff **pskb, ...@@ -22,8 +22,8 @@ target(struct sk_buff **pskb,
if ((*pskb)->nfct != NULL) if ((*pskb)->nfct != NULL)
return XT_CONTINUE; return XT_CONTINUE;
/* Attach fake conntrack entry. /* Attach fake conntrack entry.
If there is a real ct entry correspondig to this packet, If there is a real ct entry correspondig to this packet,
it'll hang aroun till timing out. We don't deal with it it'll hang aroun till timing out. We don't deal with it
for performance reasons. JK */ for performance reasons. JK */
nf_ct_untrack(*pskb); nf_ct_untrack(*pskb);
......
...@@ -55,7 +55,7 @@ static int checkentry_selinux(struct xt_secmark_target_info *info) ...@@ -55,7 +55,7 @@ static int checkentry_selinux(struct xt_secmark_target_info *info)
{ {
int err; int err;
struct xt_secmark_target_selinux_info *sel = &info->u.sel; struct xt_secmark_target_selinux_info *sel = &info->u.sel;
sel->selctx[SECMARK_SELCTX_MAX - 1] = '\0'; sel->selctx[SECMARK_SELCTX_MAX - 1] = '\0';
err = selinux_string_to_sid(sel->selctx, &sel->selsid); err = selinux_string_to_sid(sel->selctx, &sel->selsid);
......
...@@ -51,10 +51,10 @@ match(const struct sk_buff *skb, ...@@ -51,10 +51,10 @@ match(const struct sk_buff *skb,
if (ct == &ip_conntrack_untracked) if (ct == &ip_conntrack_untracked)
statebit = XT_CONNTRACK_STATE_UNTRACKED; statebit = XT_CONNTRACK_STATE_UNTRACKED;
else if (ct) else if (ct)
statebit = XT_CONNTRACK_STATE_BIT(ctinfo); statebit = XT_CONNTRACK_STATE_BIT(ctinfo);
else else
statebit = XT_CONNTRACK_STATE_INVALID; statebit = XT_CONNTRACK_STATE_INVALID;
if (sinfo->flags & XT_CONNTRACK_STATE) { if (sinfo->flags & XT_CONNTRACK_STATE) {
if (ct) { if (ct) {
if (test_bit(IPS_SRC_NAT_BIT, &ct->status)) if (test_bit(IPS_SRC_NAT_BIT, &ct->status))
...@@ -77,7 +77,7 @@ match(const struct sk_buff *skb, ...@@ -77,7 +77,7 @@ match(const struct sk_buff *skb,
FWINV(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum != FWINV(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum !=
sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum, sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum,
XT_CONNTRACK_PROTO)) XT_CONNTRACK_PROTO))
return 0; return 0;
if (sinfo->flags & XT_CONNTRACK_ORIGSRC && if (sinfo->flags & XT_CONNTRACK_ORIGSRC &&
FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip & FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.ip &
...@@ -147,10 +147,10 @@ match(const struct sk_buff *skb, ...@@ -147,10 +147,10 @@ match(const struct sk_buff *skb,
if (ct == &nf_conntrack_untracked) if (ct == &nf_conntrack_untracked)
statebit = XT_CONNTRACK_STATE_UNTRACKED; statebit = XT_CONNTRACK_STATE_UNTRACKED;
else if (ct) else if (ct)
statebit = XT_CONNTRACK_STATE_BIT(ctinfo); statebit = XT_CONNTRACK_STATE_BIT(ctinfo);
else else
statebit = XT_CONNTRACK_STATE_INVALID; statebit = XT_CONNTRACK_STATE_INVALID;
if (sinfo->flags & XT_CONNTRACK_STATE) { if (sinfo->flags & XT_CONNTRACK_STATE) {
if (ct) { if (ct) {
if (test_bit(IPS_SRC_NAT_BIT, &ct->status)) if (test_bit(IPS_SRC_NAT_BIT, &ct->status))
...@@ -171,41 +171,41 @@ match(const struct sk_buff *skb, ...@@ -171,41 +171,41 @@ match(const struct sk_buff *skb,
if (sinfo->flags & XT_CONNTRACK_PROTO && if (sinfo->flags & XT_CONNTRACK_PROTO &&
FWINV(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum != FWINV(ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.protonum !=
sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum, sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum,
XT_CONNTRACK_PROTO)) XT_CONNTRACK_PROTO))
return 0; return 0;
if (sinfo->flags & XT_CONNTRACK_ORIGSRC && if (sinfo->flags & XT_CONNTRACK_ORIGSRC &&
FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip & FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip &
sinfo->sipmsk[IP_CT_DIR_ORIGINAL].s_addr) != sinfo->sipmsk[IP_CT_DIR_ORIGINAL].s_addr) !=
sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip, sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip,
XT_CONNTRACK_ORIGSRC)) XT_CONNTRACK_ORIGSRC))
return 0; return 0;
if (sinfo->flags & XT_CONNTRACK_ORIGDST && if (sinfo->flags & XT_CONNTRACK_ORIGDST &&
FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3.ip & FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3.ip &
sinfo->dipmsk[IP_CT_DIR_ORIGINAL].s_addr) != sinfo->dipmsk[IP_CT_DIR_ORIGINAL].s_addr) !=
sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip, sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip,
XT_CONNTRACK_ORIGDST)) XT_CONNTRACK_ORIGDST))
return 0; return 0;
if (sinfo->flags & XT_CONNTRACK_REPLSRC && if (sinfo->flags & XT_CONNTRACK_REPLSRC &&
FWINV((ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3.ip & FWINV((ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3.ip &
sinfo->sipmsk[IP_CT_DIR_REPLY].s_addr) != sinfo->sipmsk[IP_CT_DIR_REPLY].s_addr) !=
sinfo->tuple[IP_CT_DIR_REPLY].src.ip, sinfo->tuple[IP_CT_DIR_REPLY].src.ip,
XT_CONNTRACK_REPLSRC)) XT_CONNTRACK_REPLSRC))
return 0; return 0;
if (sinfo->flags & XT_CONNTRACK_REPLDST && if (sinfo->flags & XT_CONNTRACK_REPLDST &&
FWINV((ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3.ip & FWINV((ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3.ip &
sinfo->dipmsk[IP_CT_DIR_REPLY].s_addr) != sinfo->dipmsk[IP_CT_DIR_REPLY].s_addr) !=
sinfo->tuple[IP_CT_DIR_REPLY].dst.ip, sinfo->tuple[IP_CT_DIR_REPLY].dst.ip,
XT_CONNTRACK_REPLDST)) XT_CONNTRACK_REPLDST))
return 0; return 0;
if (sinfo->flags & XT_CONNTRACK_STATUS && if (sinfo->flags & XT_CONNTRACK_STATUS &&
FWINV((ct->status & sinfo->statusmask) == 0, FWINV((ct->status & sinfo->statusmask) == 0,
XT_CONNTRACK_STATUS)) XT_CONNTRACK_STATUS))
return 0; return 0;
if(sinfo->flags & XT_CONNTRACK_EXPIRES) { if(sinfo->flags & XT_CONNTRACK_EXPIRES) {
......
...@@ -26,7 +26,7 @@ MODULE_DESCRIPTION("Match for DCCP protocol packets"); ...@@ -26,7 +26,7 @@ MODULE_DESCRIPTION("Match for DCCP protocol packets");
MODULE_ALIAS("ipt_dccp"); MODULE_ALIAS("ipt_dccp");
#define DCCHECK(cond, option, flag, invflag) (!((flag) & (option)) \ #define DCCHECK(cond, option, flag, invflag) (!((flag) & (option)) \
|| (!!((invflag) & (option)) ^ (cond))) || (!!((invflag) & (option)) ^ (cond)))
static unsigned char *dccp_optbuf; static unsigned char *dccp_optbuf;
static DEFINE_SPINLOCK(dccp_buflock); static DEFINE_SPINLOCK(dccp_buflock);
...@@ -67,9 +67,9 @@ dccp_find_option(u_int8_t option, ...@@ -67,9 +67,9 @@ dccp_find_option(u_int8_t option,
return 1; return 1;
} }
if (op[i] < 2) if (op[i] < 2)
i++; i++;
else else
i += op[i+1]?:1; i += op[i+1]?:1;
} }
...@@ -106,18 +106,18 @@ match(const struct sk_buff *skb, ...@@ -106,18 +106,18 @@ match(const struct sk_buff *skb,
if (offset) if (offset)
return 0; return 0;
dh = skb_header_pointer(skb, protoff, sizeof(_dh), &_dh); dh = skb_header_pointer(skb, protoff, sizeof(_dh), &_dh);
if (dh == NULL) { if (dh == NULL) {
*hotdrop = 1; *hotdrop = 1;
return 0; return 0;
} }
return DCCHECK(((ntohs(dh->dccph_sport) >= info->spts[0]) return DCCHECK(((ntohs(dh->dccph_sport) >= info->spts[0])
&& (ntohs(dh->dccph_sport) <= info->spts[1])), && (ntohs(dh->dccph_sport) <= info->spts[1])),
XT_DCCP_SRC_PORTS, info->flags, info->invflags) XT_DCCP_SRC_PORTS, info->flags, info->invflags)
&& DCCHECK(((ntohs(dh->dccph_dport) >= info->dpts[0]) && DCCHECK(((ntohs(dh->dccph_dport) >= info->dpts[0])
&& (ntohs(dh->dccph_dport) <= info->dpts[1])), && (ntohs(dh->dccph_dport) <= info->dpts[1])),
XT_DCCP_DEST_PORTS, info->flags, info->invflags) XT_DCCP_DEST_PORTS, info->flags, info->invflags)
&& DCCHECK(match_types(dh, info->typemask), && DCCHECK(match_types(dh, info->typemask),
XT_DCCP_TYPE, info->flags, info->invflags) XT_DCCP_TYPE, info->flags, info->invflags)
......
...@@ -208,7 +208,7 @@ static int htable_create(struct xt_hashlimit_info *minfo, int family) ...@@ -208,7 +208,7 @@ static int htable_create(struct xt_hashlimit_info *minfo, int family)
spin_lock_init(&hinfo->lock); spin_lock_init(&hinfo->lock);
hinfo->pde = create_proc_entry(minfo->name, 0, hinfo->pde = create_proc_entry(minfo->name, 0,
family == AF_INET ? hashlimit_procdir4 : family == AF_INET ? hashlimit_procdir4 :
hashlimit_procdir6); hashlimit_procdir6);
if (!hinfo->pde) { if (!hinfo->pde) {
vfree(hinfo); vfree(hinfo);
return -1; return -1;
...@@ -240,7 +240,7 @@ static int select_gc(struct xt_hashlimit_htable *ht, struct dsthash_ent *he) ...@@ -240,7 +240,7 @@ static int select_gc(struct xt_hashlimit_htable *ht, struct dsthash_ent *he)
} }
static void htable_selective_cleanup(struct xt_hashlimit_htable *ht, static void htable_selective_cleanup(struct xt_hashlimit_htable *ht,
int (*select)(struct xt_hashlimit_htable *ht, int (*select)(struct xt_hashlimit_htable *ht,
struct dsthash_ent *he)) struct dsthash_ent *he))
{ {
unsigned int i; unsigned int i;
...@@ -279,7 +279,7 @@ static void htable_destroy(struct xt_hashlimit_htable *hinfo) ...@@ -279,7 +279,7 @@ static void htable_destroy(struct xt_hashlimit_htable *hinfo)
/* remove proc entry */ /* remove proc entry */
remove_proc_entry(hinfo->pde->name, remove_proc_entry(hinfo->pde->name,
hinfo->family == AF_INET ? hashlimit_procdir4 : hinfo->family == AF_INET ? hashlimit_procdir4 :
hashlimit_procdir6); hashlimit_procdir6);
htable_selective_cleanup(hinfo, select_all); htable_selective_cleanup(hinfo, select_all);
vfree(hinfo); vfree(hinfo);
} }
...@@ -483,7 +483,7 @@ hashlimit_match(const struct sk_buff *skb, ...@@ -483,7 +483,7 @@ hashlimit_match(const struct sk_buff *skb,
return 1; return 1;
} }
spin_unlock_bh(&hinfo->lock); spin_unlock_bh(&hinfo->lock);
/* default case: we're overlimit, thus don't match */ /* default case: we're overlimit, thus don't match */
return 0; return 0;
......
...@@ -53,7 +53,7 @@ match(const struct sk_buff *skb, ...@@ -53,7 +53,7 @@ match(const struct sk_buff *skb,
struct ip_conntrack *ct; struct ip_conntrack *ct;
enum ip_conntrack_info ctinfo; enum ip_conntrack_info ctinfo;
int ret = info->invert; int ret = info->invert;
ct = ip_conntrack_get((struct sk_buff *)skb, &ctinfo); ct = ip_conntrack_get((struct sk_buff *)skb, &ctinfo);
if (!ct) { if (!ct) {
DEBUGP("xt_helper: Eek! invalid conntrack?\n"); DEBUGP("xt_helper: Eek! invalid conntrack?\n");
...@@ -67,19 +67,19 @@ match(const struct sk_buff *skb, ...@@ -67,19 +67,19 @@ match(const struct sk_buff *skb,
read_lock_bh(&ip_conntrack_lock); read_lock_bh(&ip_conntrack_lock);
if (!ct->master->helper) { if (!ct->master->helper) {
DEBUGP("xt_helper: master ct %p has no helper\n", DEBUGP("xt_helper: master ct %p has no helper\n",
exp->expectant); exp->expectant);
goto out_unlock; goto out_unlock;
} }
DEBUGP("master's name = %s , info->name = %s\n", DEBUGP("master's name = %s , info->name = %s\n",
ct->master->helper->name, info->name); ct->master->helper->name, info->name);
if (info->name[0] == '\0') if (info->name[0] == '\0')
ret ^= 1; ret ^= 1;
else else
ret ^= !strncmp(ct->master->helper->name, info->name, ret ^= !strncmp(ct->master->helper->name, info->name,
strlen(ct->master->helper->name)); strlen(ct->master->helper->name));
out_unlock: out_unlock:
read_unlock_bh(&ip_conntrack_lock); read_unlock_bh(&ip_conntrack_lock);
return ret; return ret;
...@@ -102,7 +102,7 @@ match(const struct sk_buff *skb, ...@@ -102,7 +102,7 @@ match(const struct sk_buff *skb,
struct nf_conn_help *master_help; struct nf_conn_help *master_help;
enum ip_conntrack_info ctinfo; enum ip_conntrack_info ctinfo;
int ret = info->invert; int ret = info->invert;
ct = nf_ct_get((struct sk_buff *)skb, &ctinfo); ct = nf_ct_get((struct sk_buff *)skb, &ctinfo);
if (!ct) { if (!ct) {
DEBUGP("xt_helper: Eek! invalid conntrack?\n"); DEBUGP("xt_helper: Eek! invalid conntrack?\n");
...@@ -117,19 +117,19 @@ match(const struct sk_buff *skb, ...@@ -117,19 +117,19 @@ match(const struct sk_buff *skb,
read_lock_bh(&nf_conntrack_lock); read_lock_bh(&nf_conntrack_lock);
master_help = nfct_help(ct->master); master_help = nfct_help(ct->master);
if (!master_help || !master_help->helper) { if (!master_help || !master_help->helper) {
DEBUGP("xt_helper: master ct %p has no helper\n", DEBUGP("xt_helper: master ct %p has no helper\n",
exp->expectant); exp->expectant);
goto out_unlock; goto out_unlock;
} }
DEBUGP("master's name = %s , info->name = %s\n", DEBUGP("master's name = %s , info->name = %s\n",
ct->master->helper->name, info->name); ct->master->helper->name, info->name);
if (info->name[0] == '\0') if (info->name[0] == '\0')
ret ^= 1; ret ^= 1;
else else
ret ^= !strncmp(master_help->helper->name, info->name, ret ^= !strncmp(master_help->helper->name, info->name,
strlen(master_help->helper->name)); strlen(master_help->helper->name));
out_unlock: out_unlock:
read_unlock_bh(&nf_conntrack_lock); read_unlock_bh(&nf_conntrack_lock);
return ret; return ret;
......
...@@ -32,7 +32,7 @@ match(const struct sk_buff *skb, ...@@ -32,7 +32,7 @@ match(const struct sk_buff *skb,
{ {
const struct xt_length_info *info = matchinfo; const struct xt_length_info *info = matchinfo;
u_int16_t pktlen = ntohs(skb->nh.iph->tot_len); u_int16_t pktlen = ntohs(skb->nh.iph->tot_len);
return (pktlen >= info->min && pktlen <= info->max) ^ info->invert; return (pktlen >= info->min && pktlen <= info->max) ^ info->invert;
} }
...@@ -48,7 +48,7 @@ match6(const struct sk_buff *skb, ...@@ -48,7 +48,7 @@ match6(const struct sk_buff *skb,
{ {
const struct xt_length_info *info = matchinfo; const struct xt_length_info *info = matchinfo;
u_int16_t pktlen = ntohs(skb->nh.ipv6h->payload_len) + sizeof(struct ipv6hdr); u_int16_t pktlen = ntohs(skb->nh.ipv6h->payload_len) + sizeof(struct ipv6hdr);
return (pktlen >= info->min && pktlen <= info->max) ^ info->invert; return (pktlen >= info->min && pktlen <= info->max) ^ info->invert;
} }
......
...@@ -89,7 +89,7 @@ ipt_limit_match(const struct sk_buff *skb, ...@@ -89,7 +89,7 @@ ipt_limit_match(const struct sk_buff *skb,
return 1; return 1;
} }
spin_unlock_bh(&limit_lock); spin_unlock_bh(&limit_lock);
return 0; return 0;
} }
......
...@@ -36,10 +36,10 @@ match(const struct sk_buff *skb, ...@@ -36,10 +36,10 @@ match(const struct sk_buff *skb,
static int static int
checkentry(const char *tablename, checkentry(const char *tablename,
const void *entry, const void *entry,
const struct xt_match *match, const struct xt_match *match,
void *matchinfo, void *matchinfo,
unsigned int hook_mask) unsigned int hook_mask)
{ {
const struct xt_mark_info *minfo = matchinfo; const struct xt_mark_info *minfo = matchinfo;
......
...@@ -91,7 +91,7 @@ ports_match_v1(const struct xt_multiport_v1 *minfo, ...@@ -91,7 +91,7 @@ ports_match_v1(const struct xt_multiport_v1 *minfo,
} }
} }
return minfo->invert; return minfo->invert;
} }
static int static int
......
...@@ -117,7 +117,7 @@ checkentry(const char *tablename, ...@@ -117,7 +117,7 @@ checkentry(const char *tablename,
(!(info->bitmask & XT_PHYSDEV_OP_BRIDGED) || (!(info->bitmask & XT_PHYSDEV_OP_BRIDGED) ||
info->invert & XT_PHYSDEV_OP_BRIDGED) && info->invert & XT_PHYSDEV_OP_BRIDGED) &&
hook_mask & ((1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_FORWARD) | hook_mask & ((1 << NF_IP_LOCAL_OUT) | (1 << NF_IP_FORWARD) |
(1 << NF_IP_POST_ROUTING))) { (1 << NF_IP_POST_ROUTING))) {
printk(KERN_WARNING "physdev match: using --physdev-out in the " printk(KERN_WARNING "physdev match: using --physdev-out in the "
"OUTPUT, FORWARD and POSTROUTING chains for non-bridged " "OUTPUT, FORWARD and POSTROUTING chains for non-bridged "
"traffic is not supported anymore.\n"); "traffic is not supported anymore.\n");
......
...@@ -109,13 +109,13 @@ match_policy_out(const struct sk_buff *skb, const struct xt_policy_info *info, ...@@ -109,13 +109,13 @@ match_policy_out(const struct sk_buff *skb, const struct xt_policy_info *info,
} }
static int match(const struct sk_buff *skb, static int match(const struct sk_buff *skb,
const struct net_device *in, const struct net_device *in,
const struct net_device *out, const struct net_device *out,
const struct xt_match *match, const struct xt_match *match,
const void *matchinfo, const void *matchinfo,
int offset, int offset,
unsigned int protoff, unsigned int protoff,
int *hotdrop) int *hotdrop)
{ {
const struct xt_policy_info *info = matchinfo; const struct xt_policy_info *info = matchinfo;
int ret; int ret;
...@@ -134,27 +134,27 @@ static int match(const struct sk_buff *skb, ...@@ -134,27 +134,27 @@ static int match(const struct sk_buff *skb,
} }
static int checkentry(const char *tablename, const void *ip_void, static int checkentry(const char *tablename, const void *ip_void,
const struct xt_match *match, const struct xt_match *match,
void *matchinfo, unsigned int hook_mask) void *matchinfo, unsigned int hook_mask)
{ {
struct xt_policy_info *info = matchinfo; struct xt_policy_info *info = matchinfo;
if (!(info->flags & (XT_POLICY_MATCH_IN|XT_POLICY_MATCH_OUT))) { if (!(info->flags & (XT_POLICY_MATCH_IN|XT_POLICY_MATCH_OUT))) {
printk(KERN_ERR "xt_policy: neither incoming nor " printk(KERN_ERR "xt_policy: neither incoming nor "
"outgoing policy selected\n"); "outgoing policy selected\n");
return 0; return 0;
} }
/* hook values are equal for IPv4 and IPv6 */ /* hook values are equal for IPv4 and IPv6 */
if (hook_mask & (1 << NF_IP_PRE_ROUTING | 1 << NF_IP_LOCAL_IN) if (hook_mask & (1 << NF_IP_PRE_ROUTING | 1 << NF_IP_LOCAL_IN)
&& info->flags & XT_POLICY_MATCH_OUT) { && info->flags & XT_POLICY_MATCH_OUT) {
printk(KERN_ERR "xt_policy: output policy not valid in " printk(KERN_ERR "xt_policy: output policy not valid in "
"PRE_ROUTING and INPUT\n"); "PRE_ROUTING and INPUT\n");
return 0; return 0;
} }
if (hook_mask & (1 << NF_IP_POST_ROUTING | 1 << NF_IP_LOCAL_OUT) if (hook_mask & (1 << NF_IP_POST_ROUTING | 1 << NF_IP_LOCAL_OUT)
&& info->flags & XT_POLICY_MATCH_IN) { && info->flags & XT_POLICY_MATCH_IN) {
printk(KERN_ERR "xt_policy: input policy not valid in " printk(KERN_ERR "xt_policy: input policy not valid in "
"POST_ROUTING and OUTPUT\n"); "POST_ROUTING and OUTPUT\n");
return 0; return 0;
} }
if (info->len > XT_POLICY_MAX_ELEM) { if (info->len > XT_POLICY_MAX_ELEM) {
......
...@@ -30,8 +30,8 @@ match(const struct sk_buff *skb, ...@@ -30,8 +30,8 @@ match(const struct sk_buff *skb,
q->quota -= skb->len; q->quota -= skb->len;
ret ^= 1; ret ^= 1;
} else { } else {
/* we do not allow even small packets from now on */ /* we do not allow even small packets from now on */
q->quota = 0; q->quota = 0;
} }
spin_unlock_bh(&quota_lock); spin_unlock_bh(&quota_lock);
......
...@@ -35,7 +35,7 @@ match(const struct sk_buff *skb, ...@@ -35,7 +35,7 @@ match(const struct sk_buff *skb,
{ {
const struct xt_realm_info *info = matchinfo; const struct xt_realm_info *info = matchinfo;
struct dst_entry *dst = skb->dst; struct dst_entry *dst = skb->dst;
return (info->id == (dst->tclassid & info->mask)) ^ info->invert; return (info->id == (dst->tclassid & info->mask)) ^ info->invert;
} }
......
...@@ -66,9 +66,9 @@ match_packet(const struct sk_buff *skb, ...@@ -66,9 +66,9 @@ match_packet(const struct sk_buff *skb,
duprintf("Dropping invalid SCTP packet.\n"); duprintf("Dropping invalid SCTP packet.\n");
*hotdrop = 1; *hotdrop = 1;
return 0; return 0;
} }
duprintf("Chunk num: %d\toffset: %d\ttype: %d\tlength: %d\tflags: %x\n", duprintf("Chunk num: %d\toffset: %d\ttype: %d\tlength: %d\tflags: %x\n",
++i, offset, sch->type, htons(sch->length), sch->flags); ++i, offset, sch->type, htons(sch->length), sch->flags);
offset += (ntohs(sch->length) + 3) & ~3; offset += (ntohs(sch->length) + 3) & ~3;
...@@ -78,21 +78,21 @@ match_packet(const struct sk_buff *skb, ...@@ -78,21 +78,21 @@ match_packet(const struct sk_buff *skb,
if (SCTP_CHUNKMAP_IS_SET(chunkmap, sch->type)) { if (SCTP_CHUNKMAP_IS_SET(chunkmap, sch->type)) {
switch (chunk_match_type) { switch (chunk_match_type) {
case SCTP_CHUNK_MATCH_ANY: case SCTP_CHUNK_MATCH_ANY:
if (match_flags(flag_info, flag_count, if (match_flags(flag_info, flag_count,
sch->type, sch->flags)) { sch->type, sch->flags)) {
return 1; return 1;
} }
break; break;
case SCTP_CHUNK_MATCH_ALL: case SCTP_CHUNK_MATCH_ALL:
if (match_flags(flag_info, flag_count, if (match_flags(flag_info, flag_count,
sch->type, sch->flags)) { sch->type, sch->flags)) {
SCTP_CHUNKMAP_CLEAR(chunkmapcopy, sch->type); SCTP_CHUNKMAP_CLEAR(chunkmapcopy, sch->type);
} }
break; break;
case SCTP_CHUNK_MATCH_ONLY: case SCTP_CHUNK_MATCH_ONLY:
if (!match_flags(flag_info, flag_count, if (!match_flags(flag_info, flag_count,
sch->type, sch->flags)) { sch->type, sch->flags)) {
return 0; return 0;
} }
...@@ -136,24 +136,24 @@ match(const struct sk_buff *skb, ...@@ -136,24 +136,24 @@ match(const struct sk_buff *skb,
duprintf("Dropping non-first fragment.. FIXME\n"); duprintf("Dropping non-first fragment.. FIXME\n");
return 0; return 0;
} }
sh = skb_header_pointer(skb, protoff, sizeof(_sh), &_sh); sh = skb_header_pointer(skb, protoff, sizeof(_sh), &_sh);
if (sh == NULL) { if (sh == NULL) {
duprintf("Dropping evil TCP offset=0 tinygram.\n"); duprintf("Dropping evil TCP offset=0 tinygram.\n");
*hotdrop = 1; *hotdrop = 1;
return 0; return 0;
} }
duprintf("spt: %d\tdpt: %d\n", ntohs(sh->source), ntohs(sh->dest)); duprintf("spt: %d\tdpt: %d\n", ntohs(sh->source), ntohs(sh->dest));
return SCCHECK(((ntohs(sh->source) >= info->spts[0]) return SCCHECK(((ntohs(sh->source) >= info->spts[0])
&& (ntohs(sh->source) <= info->spts[1])), && (ntohs(sh->source) <= info->spts[1])),
XT_SCTP_SRC_PORTS, info->flags, info->invflags) XT_SCTP_SRC_PORTS, info->flags, info->invflags)
&& SCCHECK(((ntohs(sh->dest) >= info->dpts[0]) && SCCHECK(((ntohs(sh->dest) >= info->dpts[0])
&& (ntohs(sh->dest) <= info->dpts[1])), && (ntohs(sh->dest) <= info->dpts[1])),
XT_SCTP_DEST_PORTS, info->flags, info->invflags) XT_SCTP_DEST_PORTS, info->flags, info->invflags)
&& SCCHECK(match_packet(skb, protoff + sizeof (sctp_sctphdr_t), && SCCHECK(match_packet(skb, protoff + sizeof (sctp_sctphdr_t),
info->chunkmap, info->chunk_match_type, info->chunkmap, info->chunk_match_type,
info->flag_info, info->flag_count, info->flag_info, info->flag_count,
hotdrop), hotdrop),
XT_SCTP_CHUNK_TYPES, info->flags, info->invflags); XT_SCTP_CHUNK_TYPES, info->flags, info->invflags);
} }
...@@ -170,9 +170,9 @@ checkentry(const char *tablename, ...@@ -170,9 +170,9 @@ checkentry(const char *tablename,
return !(info->flags & ~XT_SCTP_VALID_FLAGS) return !(info->flags & ~XT_SCTP_VALID_FLAGS)
&& !(info->invflags & ~XT_SCTP_VALID_FLAGS) && !(info->invflags & ~XT_SCTP_VALID_FLAGS)
&& !(info->invflags & ~info->flags) && !(info->invflags & ~info->flags)
&& ((!(info->flags & XT_SCTP_CHUNK_TYPES)) || && ((!(info->flags & XT_SCTP_CHUNK_TYPES)) ||
(info->chunk_match_type & (info->chunk_match_type &
(SCTP_CHUNK_MATCH_ALL (SCTP_CHUNK_MATCH_ALL
| SCTP_CHUNK_MATCH_ANY | SCTP_CHUNK_MATCH_ANY
| SCTP_CHUNK_MATCH_ONLY))); | SCTP_CHUNK_MATCH_ONLY)));
} }
......
/* String matching match for iptables /* String matching match for iptables
* *
* (C) 2005 Pablo Neira Ayuso <pablo@eurodev.net> * (C) 2005 Pablo Neira Ayuso <pablo@eurodev.net>
* *
* This program is free software; you can redistribute it and/or modify * This program is free software; you can redistribute it and/or modify
...@@ -35,8 +35,8 @@ static int match(const struct sk_buff *skb, ...@@ -35,8 +35,8 @@ static int match(const struct sk_buff *skb,
memset(&state, 0, sizeof(struct ts_state)); memset(&state, 0, sizeof(struct ts_state));
return (skb_find_text((struct sk_buff *)skb, conf->from_offset, return (skb_find_text((struct sk_buff *)skb, conf->from_offset,
conf->to_offset, conf->config, &state) conf->to_offset, conf->config, &state)
!= UINT_MAX) ^ conf->invert; != UINT_MAX) ^ conf->invert;
} }
...@@ -55,7 +55,7 @@ static int checkentry(const char *tablename, ...@@ -55,7 +55,7 @@ static int checkentry(const char *tablename,
if (conf->from_offset > conf->to_offset) if (conf->from_offset > conf->to_offset)
return 0; return 0;
if (conf->algo[XT_STRING_MAX_ALGO_NAME_SIZE - 1] != '\0') if (conf->algo[XT_STRING_MAX_ALGO_NAME_SIZE - 1] != '\0')
return 0; return 0;
if (conf->patlen > XT_STRING_MAX_PATTERN_SIZE) if (conf->patlen > XT_STRING_MAX_PATTERN_SIZE)
return 0; return 0;
ts_conf = textsearch_prepare(conf->algo, conf->pattern, conf->patlen, ts_conf = textsearch_prepare(conf->algo, conf->pattern, conf->patlen,
......
...@@ -64,9 +64,9 @@ match(const struct sk_buff *skb, ...@@ -64,9 +64,9 @@ match(const struct sk_buff *skb,
u_int16_t mssval; u_int16_t mssval;
mssval = (op[i+2] << 8) | op[i+3]; mssval = (op[i+2] << 8) | op[i+3];
return (mssval >= info->mss_min && return (mssval >= info->mss_min &&
mssval <= info->mss_max) ^ info->invert; mssval <= info->mss_max) ^ info->invert;
} }
if (op[i] < 2) if (op[i] < 2)
i++; i++;
......