Commit
85fadea9
authored
Jun 05, 2011
by
David S. Miller
Merge branch 'pablo/nf-2.6-updates' of
git://1984.lsi.us.es/net-2.6
parents
5fb9fb13
d232b8dd
Changes
26
Showing
26 changed files
with
61 additions
and
49 deletions
+61
-49
include/linux/netfilter/nf_conntrack_common.h
include/linux/netfilter/nf_conntrack_common.h
+3
-0
net/ipv4/netfilter/ip_queue.c
net/ipv4/netfilter/ip_queue.c
+2
-1
net/ipv4/netfilter/ipt_CLUSTERIP.c
net/ipv4/netfilter/ipt_CLUSTERIP.c
+3
-3
net/ipv4/netfilter/ipt_MASQUERADE.c
net/ipv4/netfilter/ipt_MASQUERADE.c
+1
-1
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+1
-1
net/ipv4/netfilter/nf_conntrack_proto_icmp.c
net/ipv4/netfilter/nf_conntrack_proto_icmp.c
+1
-1
net/ipv4/netfilter/nf_nat_core.c
net/ipv4/netfilter/nf_nat_core.c
+1
-1
net/ipv4/netfilter/nf_nat_helper.c
net/ipv4/netfilter/nf_nat_helper.c
+1
-1
net/ipv4/netfilter/nf_nat_rule.c
net/ipv4/netfilter/nf_nat_rule.c
+1
-1
net/ipv4/netfilter/nf_nat_standalone.c
net/ipv4/netfilter/nf_nat_standalone.c
+2
-2
net/ipv6/netfilter/ip6_queue.c
net/ipv6/netfilter/ip6_queue.c
+2
-1
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+1
-1
net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+1
-1
net/netfilter/ipset/ip_set_core.c
net/netfilter/ipset/ip_set_core.c
+1
-1
net/netfilter/ipset/ip_set_hash_ipportnet.c
net/netfilter/ipset/ip_set_hash_ipportnet.c
+6
-4
net/netfilter/ipset/ip_set_hash_net.c
net/netfilter/ipset/ip_set_hash_net.c
+6
-2
net/netfilter/ipset/ip_set_hash_netport.c
net/netfilter/ipset/ip_set_hash_netport.c
+4
-2
net/netfilter/ipvs/ip_vs_core.c
net/netfilter/ipvs/ip_vs_core.c
+8
-8
net/netfilter/nf_conntrack_core.c
net/netfilter/nf_conntrack_core.c
+5
-2
net/netfilter/nf_conntrack_ftp.c
net/netfilter/nf_conntrack_ftp.c
+1
-1
net/netfilter/nf_conntrack_h323_main.c
net/netfilter/nf_conntrack_h323_main.c
+4
-6
net/netfilter/nf_conntrack_irc.c
net/netfilter/nf_conntrack_irc.c
+1
-2
net/netfilter/nf_conntrack_pptp.c
net/netfilter/nf_conntrack_pptp.c
+1
-2
net/netfilter/nf_conntrack_sane.c
net/netfilter/nf_conntrack_sane.c
+1
-1
net/netfilter/nf_conntrack_sip.c
net/netfilter/nf_conntrack_sip.c
+1
-1
net/netfilter/xt_socket.c
net/netfilter/xt_socket.c
+2
-2
include/linux/netfilter/nf_conntrack_common.h
...
@@ -18,6 +18,9 @@ enum ip_conntrack_info {
...
@@ -18,6 +18,9 @@ enum ip_conntrack_info {
/* >= this indicates reply direction */
/* >= this indicates reply direction */
IP_CT_IS_REPLY
,
IP_CT_IS_REPLY
,
IP_CT_ESTABLISHED_REPLY
=
IP_CT_ESTABLISHED
+
IP_CT_IS_REPLY
,
IP_CT_RELATED_REPLY
=
IP_CT_RELATED
+
IP_CT_IS_REPLY
,
IP_CT_NEW_REPLY
=
IP_CT_NEW
+
IP_CT_IS_REPLY
,
/* Number of distinct IP_CT types (no NEW in reply dirn). */
/* Number of distinct IP_CT types (no NEW in reply dirn). */
IP_CT_NUMBER
=
IP_CT_IS_REPLY
*
2
-
1
IP_CT_NUMBER
=
IP_CT_IS_REPLY
*
2
-
1
};
};
...
...
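Review bot: `IP_CT_NEW_REPLY` is added although the comment just below it still says there is no NEW in the reply direction, and nothing in the header marks the value as one that is never a valid ctinfo. If `IP_CT_NEW` is the member directly before `IP_CT_IS_REPLY` (the start of the enum is outside the hunk), then `IP_CT_NEW + IP_CT_IS_REPLY` equals `IP_CT_IS_REPLY * 2 - 1`, the same value as `IP_CT_NUMBER`, so a table sized by `IP_CT_NUMBER` and indexed with it would be accessed one past its end. I would put a comment on that line, for example `/* never assigned to a packet; same value as IP_CT_NUMBER, do not use as an array index */`.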
net/ipv4/netfilter/ip_queue.c
...
@@ -402,7 +402,8 @@ ipq_dev_drop(int ifindex)
...
@@ -402,7 +402,8 @@ ipq_dev_drop(int ifindex)
static
inline
void
static
inline
void
__ipq_rcv_skb
(
struct
sk_buff
*
skb
)
__ipq_rcv_skb
(
struct
sk_buff
*
skb
)
{
{
int
status
,
type
,
pid
,
flags
,
nlmsglen
,
skblen
;
int
status
,
type
,
pid
,
flags
;
unsigned
int
nlmsglen
,
skblen
;
struct
nlmsghdr
*
nlh
;
struct
nlmsghdr
*
nlh
;
skblen
=
skb
->
len
;
skblen
=
skb
->
len
;
...
...
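Review bot: The declaration of `nlmsglen` and `skblen` as `unsigned int` has no comment saying why their signedness matters, and the length checks that depend on it lie below the end of this hunk. `nlmsglen` presumably receives the netlink header's length field, which is an unsigned 32-bit value chosen by the sender; held in an `int`, a very large value becomes negative and a signed comparison against `skblen` would let it through. A short comment on the declaration would stop a later cleanup from folding the two declarations back together: `/* unsigned: lengths come from the netlink header and must be compared unsigned */`. The identical change in net/ipv6/netfilter/ip6_queue.c wants the same comment.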
net/ipv4/netfilter/ipt_CLUSTERIP.c
...
@@ -307,7 +307,7 @@ clusterip_tg(struct sk_buff *skb, const struct xt_action_param *par)
...
@@ -307,7 +307,7 @@ clusterip_tg(struct sk_buff *skb, const struct xt_action_param *par)
* error messages (RELATED) and information requests (see below) */
* error messages (RELATED) and information requests (see below) */
if
(
ip_hdr
(
skb
)
->
protocol
==
IPPROTO_ICMP
&&
if
(
ip_hdr
(
skb
)
->
protocol
==
IPPROTO_ICMP
&&
(
ctinfo
==
IP_CT_RELATED
||
(
ctinfo
==
IP_CT_RELATED
||
ctinfo
==
IP_CT_RELATED
+
IP_CT_IS
_REPLY
))
ctinfo
==
IP_CT_RELATED_REPLY
))
return
XT_CONTINUE
;
return
XT_CONTINUE
;
/* ip_conntrack_icmp guarantees us that we only have ICMP_ECHO,
/* ip_conntrack_icmp guarantees us that we only have ICMP_ECHO,
...
@@ -321,12 +321,12 @@ clusterip_tg(struct sk_buff *skb, const struct xt_action_param *par)
...
@@ -321,12 +321,12 @@ clusterip_tg(struct sk_buff *skb, const struct xt_action_param *par)
ct
->
mark
=
hash
;
ct
->
mark
=
hash
;
break
;
break
;
case
IP_CT_RELATED
:
case
IP_CT_RELATED
:
case
IP_CT_RELATED
+
IP_CT_IS
_REPLY
:
case
IP_CT_RELATED_REPLY
:
/* FIXME: we don't handle expectations at the
/* FIXME: we don't handle expectations at the
* moment. they can arrive on a different node than
* moment. they can arrive on a different node than
* the master connection (e.g. FTP passive mode) */
* the master connection (e.g. FTP passive mode) */
case
IP_CT_ESTABLISHED
:
case
IP_CT_ESTABLISHED
:
case
IP_CT_ESTABLISHED
+
IP_CT_IS
_REPLY
:
case
IP_CT_ESTABLISHED_REPLY
:
break
;
break
;
default:
default:
break
;
break
;
...
...
net/ipv4/netfilter/ipt_MASQUERADE.c
...
@@ -60,7 +60,7 @@ masquerade_tg(struct sk_buff *skb, const struct xt_action_param *par)
...
@@ -60,7 +60,7 @@ masquerade_tg(struct sk_buff *skb, const struct xt_action_param *par)
nat
=
nfct_nat
(
ct
);
nat
=
nfct_nat
(
ct
);
NF_CT_ASSERT
(
ct
&&
(
ctinfo
==
IP_CT_NEW
||
ctinfo
==
IP_CT_RELATED
||
NF_CT_ASSERT
(
ct
&&
(
ctinfo
==
IP_CT_NEW
||
ctinfo
==
IP_CT_RELATED
||
ctinfo
==
IP_CT_RELATED
+
IP_CT_IS
_REPLY
));
ctinfo
==
IP_CT_RELATED_REPLY
));
/* Source address is 0.0.0.0 - locally generated packet that is
/* Source address is 0.0.0.0 - locally generated packet that is
* probably not supposed to be masqueraded.
* probably not supposed to be masqueraded.
...
...
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
...
@@ -101,7 +101,7 @@ static unsigned int ipv4_confirm(unsigned int hooknum,
...
@@ -101,7 +101,7 @@ static unsigned int ipv4_confirm(unsigned int hooknum,
/* This is where we call the helper: as the packet goes out. */
/* This is where we call the helper: as the packet goes out. */
ct
=
nf_ct_get
(
skb
,
&
ctinfo
);
ct
=
nf_ct_get
(
skb
,
&
ctinfo
);
if
(
!
ct
||
ctinfo
==
IP_CT_RELATED
+
IP_CT_IS
_REPLY
)
if
(
!
ct
||
ctinfo
==
IP_CT_RELATED_REPLY
)
goto
out
;
goto
out
;
help
=
nfct_help
(
ct
);
help
=
nfct_help
(
ct
);
...
...
net/ipv4/netfilter/nf_conntrack_proto_icmp.c
...
@@ -160,7 +160,7 @@ icmp_error_message(struct net *net, struct nf_conn *tmpl, struct sk_buff *skb,
...
@@ -160,7 +160,7 @@ icmp_error_message(struct net *net, struct nf_conn *tmpl, struct sk_buff *skb,
/* Update skb to refer to this connection */
/* Update skb to refer to this connection */
skb
->
nfct
=
&
nf_ct_tuplehash_to_ctrack
(
h
)
->
ct_general
;
skb
->
nfct
=
&
nf_ct_tuplehash_to_ctrack
(
h
)
->
ct_general
;
skb
->
nfctinfo
=
*
ctinfo
;
skb
->
nfctinfo
=
*
ctinfo
;
return
-
NF_ACCEPT
;
return
NF_ACCEPT
;
}
}
/* Small and modified version of icmp_rcv */
/* Small and modified version of icmp_rcv */
...
...
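Review bot: The return value of `icmp_error_message()` changes meaning for the caller here, and nothing at the return site records the new contract. The section shows both `return -NF_ACCEPT;` and `return NF_ACCEPT;`; taking the positive form as the new side, the function now returns with a conntrack already attached (`skb->nfct` is assigned just above) and depends on the `if (skb->nfct) goto out;` check that this commit adds to `nf_conntrack_in()` in net/netfilter/nf_conntrack_core.c to prevent a second lookup. I would document that coupling at the return, for example `/* positive verdict: skb->nfct is assigned, nf_conntrack_in() must not resolve another conntrack */`. The same applies to `icmpv6_error_message()` in net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c; the start of the function is outside the hunk.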
net/ipv4/netfilter/nf_nat_core.c
...
@@ -433,7 +433,7 @@ int nf_nat_icmp_reply_translation(struct nf_conn *ct,
...
@@ -433,7 +433,7 @@ int nf_nat_icmp_reply_translation(struct nf_conn *ct,
/* Must be RELATED */
/* Must be RELATED */
NF_CT_ASSERT
(
skb
->
nfctinfo
==
IP_CT_RELATED
||
NF_CT_ASSERT
(
skb
->
nfctinfo
==
IP_CT_RELATED
||
skb
->
nfctinfo
==
IP_CT_RELATED
+
IP_CT_IS
_REPLY
);
skb
->
nfctinfo
==
IP_CT_RELATED_REPLY
);
/* Redirects on non-null nats must be dropped, else they'll
/* Redirects on non-null nats must be dropped, else they'll
start talking to each other without our translation, and be
start talking to each other without our translation, and be
...
...
net/ipv4/netfilter/nf_nat_helper.c
...
@@ -160,7 +160,7 @@ static void nf_nat_csum(struct sk_buff *skb, const struct iphdr *iph, void *data
...
@@ -160,7 +160,7 @@ static void nf_nat_csum(struct sk_buff *skb, const struct iphdr *iph, void *data
if
(
skb
->
ip_summed
!=
CHECKSUM_PARTIAL
)
{
if
(
skb
->
ip_summed
!=
CHECKSUM_PARTIAL
)
{
if
(
!
(
rt
->
rt_flags
&
RTCF_LOCAL
)
&&
if
(
!
(
rt
->
rt_flags
&
RTCF_LOCAL
)
&&
skb
->
dev
->
features
&
NETIF_F_V4_CSUM
)
{
(
!
skb
->
dev
||
skb
->
dev
->
features
&
NETIF_F_V4_CSUM
)
)
{
skb
->
ip_summed
=
CHECKSUM_PARTIAL
;
skb
->
ip_summed
=
CHECKSUM_PARTIAL
;
skb
->
csum_start
=
skb_headroom
(
skb
)
+
skb
->
csum_start
=
skb_headroom
(
skb
)
+
skb_network_offset
(
skb
)
+
skb_network_offset
(
skb
)
+
...
...
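Review bot: With the added `!skb->dev ||` test, a packet that has no device yet is switched to `CHECKSUM_PARTIAL` without any evidence that the eventual output device offers `NETIF_F_V4_CSUM`, and the hunk does not say why that is safe. If the intent is that a later software fallback completes the checksum when the device cannot, that belongs next to the condition, for example `/* skb->dev may be unset here; CHECKSUM_PARTIAL is completed in software later if the device lacks offload */`. `rt` is dereferenced on the line before without a comparable check; its assignment is outside the hunk, so whether it can be NULL on the same path cannot be judged from here. The function body starts and ends outside the hunk.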
net/ipv4/netfilter/nf_nat_rule.c
...
@@ -53,7 +53,7 @@ ipt_snat_target(struct sk_buff *skb, const struct xt_action_param *par)
...
@@ -53,7 +53,7 @@ ipt_snat_target(struct sk_buff *skb, const struct xt_action_param *par)
/* Connection must be valid and new. */
/* Connection must be valid and new. */
NF_CT_ASSERT
(
ct
&&
(
ctinfo
==
IP_CT_NEW
||
ctinfo
==
IP_CT_RELATED
||
NF_CT_ASSERT
(
ct
&&
(
ctinfo
==
IP_CT_NEW
||
ctinfo
==
IP_CT_RELATED
||
ctinfo
==
IP_CT_RELATED
+
IP_CT_IS
_REPLY
));
ctinfo
==
IP_CT_RELATED_REPLY
));
NF_CT_ASSERT
(
par
->
out
!=
NULL
);
NF_CT_ASSERT
(
par
->
out
!=
NULL
);
return
nf_nat_setup_info
(
ct
,
&
mr
->
range
[
0
],
IP_NAT_MANIP_SRC
);
return
nf_nat_setup_info
(
ct
,
&
mr
->
range
[
0
],
IP_NAT_MANIP_SRC
);
...
...
net/ipv4/netfilter/nf_nat_standalone.c
...
@@ -116,7 +116,7 @@ nf_nat_fn(unsigned int hooknum,
...
@@ -116,7 +116,7 @@ nf_nat_fn(unsigned int hooknum,
switch
(
ctinfo
)
{
switch
(
ctinfo
)
{
case
IP_CT_RELATED
:
case
IP_CT_RELATED
:
case
IP_CT_RELATED
+
IP_CT_IS
_REPLY
:
case
IP_CT_RELATED_REPLY
:
if
(
ip_hdr
(
skb
)
->
protocol
==
IPPROTO_ICMP
)
{
if
(
ip_hdr
(
skb
)
->
protocol
==
IPPROTO_ICMP
)
{
if
(
!
nf_nat_icmp_reply_translation
(
ct
,
ctinfo
,
if
(
!
nf_nat_icmp_reply_translation
(
ct
,
ctinfo
,
hooknum
,
skb
))
hooknum
,
skb
))
...
@@ -144,7 +144,7 @@ nf_nat_fn(unsigned int hooknum,
...
@@ -144,7 +144,7 @@ nf_nat_fn(unsigned int hooknum,
default:
default:
/* ESTABLISHED */
/* ESTABLISHED */
NF_CT_ASSERT
(
ctinfo
==
IP_CT_ESTABLISHED
||
NF_CT_ASSERT
(
ctinfo
==
IP_CT_ESTABLISHED
||
ctinfo
==
(
IP_CT_ESTABLISHED
+
IP_CT_IS_REPLY
)
);
ctinfo
==
IP_CT_ESTABLISHED_REPLY
);
}
}
return
nf_nat_packet
(
ct
,
ctinfo
,
hooknum
,
skb
);
return
nf_nat_packet
(
ct
,
ctinfo
,
hooknum
,
skb
);
...
...
net/ipv6/netfilter/ip6_queue.c
...
@@ -403,7 +403,8 @@ ipq_dev_drop(int ifindex)
...
@@ -403,7 +403,8 @@ ipq_dev_drop(int ifindex)
static
inline
void
static
inline
void
__ipq_rcv_skb
(
struct
sk_buff
*
skb
)
__ipq_rcv_skb
(
struct
sk_buff
*
skb
)
{
{
int
status
,
type
,
pid
,
flags
,
nlmsglen
,
skblen
;
int
status
,
type
,
pid
,
flags
;
unsigned
int
nlmsglen
,
skblen
;
struct
nlmsghdr
*
nlh
;
struct
nlmsghdr
*
nlh
;
skblen
=
skb
->
len
;
skblen
=
skb
->
len
;
...
...
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
...
@@ -160,7 +160,7 @@ static unsigned int ipv6_confirm(unsigned int hooknum,
...
@@ -160,7 +160,7 @@ static unsigned int ipv6_confirm(unsigned int hooknum,
/* This is where we call the helper: as the packet goes out. */
/* This is where we call the helper: as the packet goes out. */
ct
=
nf_ct_get
(
skb
,
&
ctinfo
);
ct
=
nf_ct_get
(
skb
,
&
ctinfo
);
if
(
!
ct
||
ctinfo
==
IP_CT_RELATED
+
IP_CT_IS
_REPLY
)
if
(
!
ct
||
ctinfo
==
IP_CT_RELATED_REPLY
)
goto
out
;
goto
out
;
help
=
nfct_help
(
ct
);
help
=
nfct_help
(
ct
);
...
...
net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
...
@@ -177,7 +177,7 @@ icmpv6_error_message(struct net *net, struct nf_conn *tmpl,
...
@@ -177,7 +177,7 @@ icmpv6_error_message(struct net *net, struct nf_conn *tmpl,
/* Update skb to refer to this connection */
/* Update skb to refer to this connection */
skb
->
nfct
=
&
nf_ct_tuplehash_to_ctrack
(
h
)
->
ct_general
;
skb
->
nfct
=
&
nf_ct_tuplehash_to_ctrack
(
h
)
->
ct_general
;
skb
->
nfctinfo
=
*
ctinfo
;
skb
->
nfctinfo
=
*
ctinfo
;
return
-
NF_ACCEPT
;
return
NF_ACCEPT
;
}
}
static
int
static
int
...
...
net/netfilter/ipset/ip_set_core.c
...
@@ -767,7 +767,7 @@ ip_set_destroy(struct sock *ctnl, struct sk_buff *skb,
...
@@ -767,7 +767,7 @@ ip_set_destroy(struct sock *ctnl, struct sk_buff *skb,
if
(
!
attr
[
IPSET_ATTR_SETNAME
])
{
if
(
!
attr
[
IPSET_ATTR_SETNAME
])
{
for
(
i
=
0
;
i
<
ip_set_max
;
i
++
)
{
for
(
i
=
0
;
i
<
ip_set_max
;
i
++
)
{
if
(
ip_set_list
[
i
]
!=
NULL
&&
ip_set_list
[
i
]
->
ref
)
{
if
(
ip_set_list
[
i
]
!=
NULL
&&
ip_set_list
[
i
]
->
ref
)
{
ret
=
IPSET_ERR_BUSY
;
ret
=
-
IPSET_ERR_BUSY
;
goto
out
;
goto
out
;
}
}
}
}
...
...
net/netfilter/ipset/ip_set_hash_ipportnet.c
...
@@ -146,8 +146,9 @@ hash_ipportnet4_kadt(struct ip_set *set, const struct sk_buff *skb,
...
@@ -146,8 +146,9 @@ hash_ipportnet4_kadt(struct ip_set *set, const struct sk_buff *skb,
{
{
const
struct
ip_set_hash
*
h
=
set
->
data
;
const
struct
ip_set_hash
*
h
=
set
->
data
;
ipset_adtfn
adtfn
=
set
->
variant
->
adt
[
adt
];
ipset_adtfn
adtfn
=
set
->
variant
->
adt
[
adt
];
struct
hash_ipportnet4_elem
data
=
struct
hash_ipportnet4_elem
data
=
{
{
.
cidr
=
h
->
nets
[
0
].
cidr
||
HOST_MASK
};
.
cidr
=
h
->
nets
[
0
].
cidr
?
h
->
nets
[
0
].
cidr
:
HOST_MASK
};
if
(
data
.
cidr
==
0
)
if
(
data
.
cidr
==
0
)
return
-
EINVAL
;
return
-
EINVAL
;
...
@@ -394,8 +395,9 @@ hash_ipportnet6_kadt(struct ip_set *set, const struct sk_buff *skb,
...
@@ -394,8 +395,9 @@ hash_ipportnet6_kadt(struct ip_set *set, const struct sk_buff *skb,
{
{
const
struct
ip_set_hash
*
h
=
set
->
data
;
const
struct
ip_set_hash
*
h
=
set
->
data
;
ipset_adtfn
adtfn
=
set
->
variant
->
adt
[
adt
];
ipset_adtfn
adtfn
=
set
->
variant
->
adt
[
adt
];
struct
hash_ipportnet6_elem
data
=
struct
hash_ipportnet6_elem
data
=
{
{
.
cidr
=
h
->
nets
[
0
].
cidr
||
HOST_MASK
};
.
cidr
=
h
->
nets
[
0
].
cidr
?
h
->
nets
[
0
].
cidr
:
HOST_MASK
};
if
(
data
.
cidr
==
0
)
if
(
data
.
cidr
==
0
)
return
-
EINVAL
;
return
-
EINVAL
;
...
...
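Review bot: Once `.cidr` is initialised with `h->nets[0].cidr ? h->nets[0].cidr : HOST_MASK`, the `if (data.cidr == 0) return -EINVAL;` test that follows in `hash_ipportnet4_kadt()` and `hash_ipportnet6_kadt()` can no longer be true, provided `HOST_MASK` is a non-zero prefix length (its definition is not in the hunk). Either drop the test or mark it, for example `/* cannot trigger unless HOST_MASK is 0; kept as a guard */`, so the next reader does not mistake it for input validation. The initializer could also be written `.cidr = h->nets[0].cidr ?: HOST_MASK`, which avoids repeating the expression. The same pattern appears in the `hash_net4_kadt()`/`hash_net6_kadt()` and `hash_netport4_kadt()`/`hash_netport6_kadt()` hunks of ip_set_hash_net.c and ip_set_hash_netport.c; all of these function bodies continue outside their hunks.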
net/netfilter/ipset/ip_set_hash_net.c
...
@@ -131,7 +131,9 @@ hash_net4_kadt(struct ip_set *set, const struct sk_buff *skb,
...
@@ -131,7 +131,9 @@ hash_net4_kadt(struct ip_set *set, const struct sk_buff *skb,
{
{
const
struct
ip_set_hash
*
h
=
set
->
data
;
const
struct
ip_set_hash
*
h
=
set
->
data
;
ipset_adtfn
adtfn
=
set
->
variant
->
adt
[
adt
];
ipset_adtfn
adtfn
=
set
->
variant
->
adt
[
adt
];
struct
hash_net4_elem
data
=
{
.
cidr
=
h
->
nets
[
0
].
cidr
||
HOST_MASK
};
struct
hash_net4_elem
data
=
{
.
cidr
=
h
->
nets
[
0
].
cidr
?
h
->
nets
[
0
].
cidr
:
HOST_MASK
};
if
(
data
.
cidr
==
0
)
if
(
data
.
cidr
==
0
)
return
-
EINVAL
;
return
-
EINVAL
;
...
@@ -296,7 +298,9 @@ hash_net6_kadt(struct ip_set *set, const struct sk_buff *skb,
...
@@ -296,7 +298,9 @@ hash_net6_kadt(struct ip_set *set, const struct sk_buff *skb,
{
{
const
struct
ip_set_hash
*
h
=
set
->
data
;
const
struct
ip_set_hash
*
h
=
set
->
data
;
ipset_adtfn
adtfn
=
set
->
variant
->
adt
[
adt
];
ipset_adtfn
adtfn
=
set
->
variant
->
adt
[
adt
];
struct
hash_net6_elem
data
=
{
.
cidr
=
h
->
nets
[
0
].
cidr
||
HOST_MASK
};
struct
hash_net6_elem
data
=
{
.
cidr
=
h
->
nets
[
0
].
cidr
?
h
->
nets
[
0
].
cidr
:
HOST_MASK
};
if
(
data
.
cidr
==
0
)
if
(
data
.
cidr
==
0
)
return
-
EINVAL
;
return
-
EINVAL
;
...
...
net/netfilter/ipset/ip_set_hash_netport.c
...
@@ -144,7 +144,8 @@ hash_netport4_kadt(struct ip_set *set, const struct sk_buff *skb,
...
@@ -144,7 +144,8 @@ hash_netport4_kadt(struct ip_set *set, const struct sk_buff *skb,
const
struct
ip_set_hash
*
h
=
set
->
data
;
const
struct
ip_set_hash
*
h
=
set
->
data
;
ipset_adtfn
adtfn
=
set
->
variant
->
adt
[
adt
];
ipset_adtfn
adtfn
=
set
->
variant
->
adt
[
adt
];
struct
hash_netport4_elem
data
=
{
struct
hash_netport4_elem
data
=
{
.
cidr
=
h
->
nets
[
0
].
cidr
||
HOST_MASK
};
.
cidr
=
h
->
nets
[
0
].
cidr
?
h
->
nets
[
0
].
cidr
:
HOST_MASK
};
if
(
data
.
cidr
==
0
)
if
(
data
.
cidr
==
0
)
return
-
EINVAL
;
return
-
EINVAL
;
...
@@ -357,7 +358,8 @@ hash_netport6_kadt(struct ip_set *set, const struct sk_buff *skb,
...
@@ -357,7 +358,8 @@ hash_netport6_kadt(struct ip_set *set, const struct sk_buff *skb,
const
struct
ip_set_hash
*
h
=
set
->
data
;
const
struct
ip_set_hash
*
h
=
set
->
data
;
ipset_adtfn
adtfn
=
set
->
variant
->
adt
[
adt
];
ipset_adtfn
adtfn
=
set
->
variant
->
adt
[
adt
];
struct
hash_netport6_elem
data
=
{
struct
hash_netport6_elem
data
=
{
.
cidr
=
h
->
nets
[
0
].
cidr
||
HOST_MASK
};
.
cidr
=
h
->
nets
[
0
].
cidr
?
h
->
nets
[
0
].
cidr
:
HOST_MASK
};
if
(
data
.
cidr
==
0
)
if
(
data
.
cidr
==
0
)
return
-
EINVAL
;
return
-
EINVAL
;
...
...
net/netfilter/ipvs/ip_vs_core.c
...
@@ -1772,7 +1772,7 @@ static struct nf_hook_ops ip_vs_ops[] __read_mostly = {
...
@@ -1772,7 +1772,7 @@ static struct nf_hook_ops ip_vs_ops[] __read_mostly = {
.
owner
=
THIS_MODULE
,
.
owner
=
THIS_MODULE
,
.
pf
=
PF_INET
,
.
pf
=
PF_INET
,
.
hooknum
=
NF_INET_LOCAL_IN
,
.
hooknum
=
NF_INET_LOCAL_IN
,
.
priority
=
99
,
.
priority
=
NF_IP_PRI_NAT_SRC
-
2
,
},
},
/* After packet filtering, forward packet through VS/DR, VS/TUN,
/* After packet filtering, forward packet through VS/DR, VS/TUN,
* or VS/NAT(change destination), so that filtering rules can be
* or VS/NAT(change destination), so that filtering rules can be
...
@@ -1782,7 +1782,7 @@ static struct nf_hook_ops ip_vs_ops[] __read_mostly = {
...
@@ -1782,7 +1782,7 @@ static struct nf_hook_ops ip_vs_ops[] __read_mostly = {
.
owner
=
THIS_MODULE
,
.
owner
=
THIS_MODULE
,
.
pf
=
PF_INET
,
.
pf
=
PF_INET
,
.
hooknum
=
NF_INET_LOCAL_IN
,
.
hooknum
=
NF_INET_LOCAL_IN
,
.
priority
=
10
1
,
.
priority
=
NF_IP_PRI_NAT_SRC
-
1
,
},
},
/* Before ip_vs_in, change source only for VS/NAT */
/* Before ip_vs_in, change source only for VS/NAT */
{
{
...
@@ -1790,7 +1790,7 @@ static struct nf_hook_ops ip_vs_ops[] __read_mostly = {
...
@@ -1790,7 +1790,7 @@ static struct nf_hook_ops ip_vs_ops[] __read_mostly = {
.
owner
=
THIS_MODULE
,
.
owner
=
THIS_MODULE
,
.
pf
=
PF_INET
,
.
pf
=
PF_INET
,
.
hooknum
=
NF_INET_LOCAL_OUT
,
.
hooknum
=
NF_INET_LOCAL_OUT
,
.
priority
=
-
99
,
.
priority
=
NF_IP_PRI_NAT_DST
+
1
,
},
},
/* After mangle, schedule and forward local requests */
/* After mangle, schedule and forward local requests */
{
{
...
@@ -1798,7 +1798,7 @@ static struct nf_hook_ops ip_vs_ops[] __read_mostly = {
...
@@ -1798,7 +1798,7 @@ static struct nf_hook_ops ip_vs_ops[] __read_mostly = {
.
owner
=
THIS_MODULE
,
.
owner
=
THIS_MODULE
,
.
pf
=
PF_INET
,
.
pf
=
PF_INET
,
.
hooknum
=
NF_INET_LOCAL_OUT
,
.
hooknum
=
NF_INET_LOCAL_OUT
,
.
priority
=
-
98
,
.
priority
=
NF_IP_PRI_NAT_DST
+
2
,
},
},
/* After packet filtering (but before ip_vs_out_icmp), catch icmp
/* After packet filtering (but before ip_vs_out_icmp), catch icmp
* destined for 0.0.0.0/0, which is for incoming IPVS connections */
* destined for 0.0.0.0/0, which is for incoming IPVS connections */
...
@@ -1824,7 +1824,7 @@ static struct nf_hook_ops ip_vs_ops[] __read_mostly = {
...
@@ -1824,7 +1824,7 @@ static struct nf_hook_ops ip_vs_ops[] __read_mostly = {
.
owner
=
THIS_MODULE
,
.
owner
=
THIS_MODULE
,
.
pf
=
PF_INET6
,
.
pf
=
PF_INET6
,
.
hooknum
=
NF_INET_LOCAL_IN
,
.
hooknum
=
NF_INET_LOCAL_IN
,
.
priority
=
99
,
.
priority
=
NF_IP6_PRI_NAT_SRC
-
2
,
},
},
/* After packet filtering, forward packet through VS/DR, VS/TUN,
/* After packet filtering, forward packet through VS/DR, VS/TUN,
* or VS/NAT(change destination), so that filtering rules can be
* or VS/NAT(change destination), so that filtering rules can be
...
@@ -1834,7 +1834,7 @@ static struct nf_hook_ops ip_vs_ops[] __read_mostly = {
...
@@ -1834,7 +1834,7 @@ static struct nf_hook_ops ip_vs_ops[] __read_mostly = {
.
owner
=
THIS_MODULE
,
.
owner
=
THIS_MODULE
,
.
pf
=
PF_INET6
,
.
pf
=
PF_INET6
,
.
hooknum
=
NF_INET_LOCAL_IN
,
.
hooknum
=
NF_INET_LOCAL_IN
,
.
priority
=
10
1
,
.
priority
=
NF_IP6_PRI_NAT_SRC
-
1
,
},
},
/* Before ip_vs_in, change source only for VS/NAT */
/* Before ip_vs_in, change source only for VS/NAT */
{
{
...
@@ -1842,7 +1842,7 @@ static struct nf_hook_ops ip_vs_ops[] __read_mostly = {
...
@@ -1842,7 +1842,7 @@ static struct nf_hook_ops ip_vs_ops[] __read_mostly = {
.
owner
=
THIS_MODULE
,
.
owner
=
THIS_MODULE
,
.
pf
=
PF_INET
,
.
pf
=
PF_INET
,
.
hooknum
=
NF_INET_LOCAL_OUT
,
.
hooknum
=
NF_INET_LOCAL_OUT
,
.
priority
=
-
99
,
.
priority
=
NF_IP6_PRI_NAT_DST
+
1
,
},
},
/* After mangle, schedule and forward local requests */
/* After mangle, schedule and forward local requests */
{
{
...
@@ -1850,7 +1850,7 @@ static struct nf_hook_ops ip_vs_ops[] __read_mostly = {
...
@@ -1850,7 +1850,7 @@ static struct nf_hook_ops ip_vs_ops[] __read_mostly = {
.
owner
=
THIS_MODULE
,
.
owner
=
THIS_MODULE
,
.
pf
=
PF_INET6
,
.
pf
=
PF_INET6
,
.
hooknum
=
NF_INET_LOCAL_OUT
,
.
hooknum
=
NF_INET_LOCAL_OUT
,
.
priority
=
-
98
,
.
priority
=
NF_IP6_PRI_NAT_DST
+
2
,
},
},
/* After packet filtering (but before ip_vs_out_icmp), catch icmp
/* After packet filtering (but before ip_vs_out_icmp), catch icmp
* destined for 0.0.0.0/0, which is for incoming IPVS connections */
* destined for 0.0.0.0/0, which is for incoming IPVS connections */
...
...
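Review bot: In the hunk at `@@ -1842,7 +1842,7 @@` the entry keeps `.pf = PF_INET` while its priority becomes `NF_IP6_PRI_NAT_DST + 1`, and it sits between entries that use `PF_INET6`. An IPv4 protocol family combined with an IPv6 priority constant suggests the family is a leftover typo; if the entry's `.hook` (outside the hunk) is the IPv6 local-reply handler, the line should read `.pf = PF_INET6,`. As it stands the handler would be attached to the IPv4 LOCAL_OUT chain and would not see the IPv6 traffic it is meant for, so this is worth confirming before the named constants make the entry look deliberate.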
net/netfilter/nf_conntrack_core.c
...
@@ -850,7 +850,7 @@ resolve_normal_ct(struct net *net, struct nf_conn *tmpl,
...
@@ -850,7 +850,7 @@ resolve_normal_ct(struct net *net, struct nf_conn *tmpl,
/* It exists; we have (non-exclusive) reference. */
/* It exists; we have (non-exclusive) reference. */
if
(
NF_CT_DIRECTION
(
h
)
==
IP_CT_DIR_REPLY
)
{
if
(
NF_CT_DIRECTION
(
h
)
==
IP_CT_DIR_REPLY
)
{
*
ctinfo
=
IP_CT_ESTABLISHED
+
IP_CT_IS
_REPLY
;
*
ctinfo
=
IP_CT_ESTABLISHED_REPLY
;
/* Please set reply bit if this packet OK */
/* Please set reply bit if this packet OK */
*
set_reply
=
1
;
*
set_reply
=
1
;
}
else
{
}
else
{
...
@@ -922,6 +922,9 @@ nf_conntrack_in(struct net *net, u_int8_t pf, unsigned int hooknum,
...
@@ -922,6 +922,9 @@ nf_conntrack_in(struct net *net, u_int8_t pf, unsigned int hooknum,
ret
=
-
ret
;
ret
=
-
ret
;
goto
out
;
goto
out
;
}
}
/* ICMP[v6] protocol trackers may assign one conntrack. */
if
(
skb
->
nfct
)
goto
out
;
}
}
ct
=
resolve_normal_ct
(
net
,
tmpl
,
skb
,
dataoff
,
pf
,
protonum
,
ct
=
resolve_normal_ct
(
net
,
tmpl
,
skb
,
dataoff
,
pf
,
protonum
,
...
@@ -1143,7 +1146,7 @@ static void nf_conntrack_attach(struct sk_buff *nskb, struct sk_buff *skb)
...
@@ -1143,7 +1146,7 @@ static void nf_conntrack_attach(struct sk_buff *nskb, struct sk_buff *skb)
/* This ICMP is in reverse direction to the packet which caused it */
/* This ICMP is in reverse direction to the packet which caused it */
ct
=
nf_ct_get
(
skb
,
&
ctinfo
);
ct
=
nf_ct_get
(
skb
,
&
ctinfo
);
if
(
CTINFO2DIR
(
ctinfo
)
==
IP_CT_DIR_ORIGINAL
)
if
(
CTINFO2DIR
(
ctinfo
)
==
IP_CT_DIR_ORIGINAL
)
ctinfo
=
IP_CT_RELATED
+
IP_CT_IS
_REPLY
;
ctinfo
=
IP_CT_RELATED_REPLY
;
else
else
ctinfo
=
IP_CT_RELATED
;
ctinfo
=
IP_CT_RELATED
;
...
...
net/netfilter/nf_conntrack_ftp.c
...
@@ -368,7 +368,7 @@ static int help(struct sk_buff *skb,
...
@@ -368,7 +368,7 @@ static int help(struct sk_buff *skb,
/* Until there's been traffic both ways, don't look in packets. */
/* Until there's been traffic both ways, don't look in packets. */
if
(
ctinfo
!=
IP_CT_ESTABLISHED
&&
if
(
ctinfo
!=
IP_CT_ESTABLISHED
&&
ctinfo
!=
IP_CT_ESTABLISHED
+
IP_CT_IS
_REPLY
)
{
ctinfo
!=
IP_CT_ESTABLISHED_REPLY
)
{
pr_debug
(
"ftp: Conntrackinfo = %u
\n
"
,
ctinfo
);
pr_debug
(
"ftp: Conntrackinfo = %u
\n
"
,
ctinfo
);
return
NF_ACCEPT
;
return
NF_ACCEPT
;
}
}
...
...
net/netfilter/nf_conntrack_h323_main.c
...
@@ -571,10 +571,9 @@ static int h245_help(struct sk_buff *skb, unsigned int protoff,
...
@@ -571,10 +571,9 @@ static int h245_help(struct sk_buff *skb, unsigned int protoff,
int
ret
;
int
ret
;
/* Until there's been traffic both ways, don't look in packets. */
/* Until there's been traffic both ways, don't look in packets. */
if
(
ctinfo
!=
IP_CT_ESTABLISHED
&&
if
(
ctinfo
!=
IP_CT_ESTABLISHED
&&
ctinfo
!=
IP_CT_ESTABLISHED_REPLY
)
ctinfo
!=
IP_CT_ESTABLISHED
+
IP_CT_IS_REPLY
)
{
return
NF_ACCEPT
;
return
NF_ACCEPT
;
}
pr_debug
(
"nf_ct_h245: skblen = %u
\n
"
,
skb
->
len
);
pr_debug
(
"nf_ct_h245: skblen = %u
\n
"
,
skb
->
len
);
spin_lock_bh
(
&
nf_h323_lock
);
spin_lock_bh
(
&
nf_h323_lock
);
...
@@ -1125,10 +1124,9 @@ static int q931_help(struct sk_buff *skb, unsigned int protoff,
...
@@ -1125,10 +1124,9 @@ static int q931_help(struct sk_buff *skb, unsigned int protoff,
int
ret
;
int
ret
;
/* Until there's been traffic both ways, don't look in packets. */
/* Until there's been traffic both ways, don't look in packets. */
if
(
ctinfo
!=
IP_CT_ESTABLISHED
&&
if
(
ctinfo
!=
IP_CT_ESTABLISHED
&&
ctinfo
!=
IP_CT_ESTABLISHED_REPLY
)
ctinfo
!=
IP_CT_ESTABLISHED
+
IP_CT_IS_REPLY
)
{
return
NF_ACCEPT
;
return
NF_ACCEPT
;
}
pr_debug
(
"nf_ct_q931: skblen = %u
\n
"
,
skb
->
len
);
pr_debug
(
"nf_ct_q931: skblen = %u
\n
"
,
skb
->
len
);
spin_lock_bh
(
&
nf_h323_lock
);
spin_lock_bh
(
&
nf_h323_lock
);
...
...
net/netfilter/nf_conntrack_irc.c
...
@@ -125,8 +125,7 @@ static int help(struct sk_buff *skb, unsigned int protoff,
...
@@ -125,8 +125,7 @@ static int help(struct sk_buff *skb, unsigned int protoff,
return
NF_ACCEPT
;
return
NF_ACCEPT
;
/* Until there's been traffic both ways, don't look in packets. */
/* Until there's been traffic both ways, don't look in packets. */
if
(
ctinfo
!=
IP_CT_ESTABLISHED
&&
if
(
ctinfo
!=
IP_CT_ESTABLISHED
&&
ctinfo
!=
IP_CT_ESTABLISHED_REPLY
)
ctinfo
!=
IP_CT_ESTABLISHED
+
IP_CT_IS_REPLY
)
return
NF_ACCEPT
;
return
NF_ACCEPT
;
/* Not a full tcp header? */
/* Not a full tcp header? */
...
...
net/netfilter/nf_conntrack_pptp.c
...
@@ -519,8 +519,7 @@ conntrack_pptp_help(struct sk_buff *skb, unsigned int protoff,
...
@@ -519,8 +519,7 @@ conntrack_pptp_help(struct sk_buff *skb, unsigned int protoff,
u_int16_t
msg
;
u_int16_t
msg
;
/* don't do any tracking before tcp handshake complete */
/* don't do any tracking before tcp handshake complete */
if
(
ctinfo
!=
IP_CT_ESTABLISHED
&&
if
(
ctinfo
!=
IP_CT_ESTABLISHED
&&
ctinfo
!=
IP_CT_ESTABLISHED_REPLY
)
ctinfo
!=
IP_CT_ESTABLISHED
+
IP_CT_IS_REPLY
)
return
NF_ACCEPT
;
return
NF_ACCEPT
;
nexthdr_off
=
protoff
;
nexthdr_off
=
protoff
;
...
...
net/netfilter/nf_conntrack_sane.c
...
@@ -78,7 +78,7 @@ static int help(struct sk_buff *skb,
...
@@ -78,7 +78,7 @@ static int help(struct sk_buff *skb,
ct_sane_info
=
&
nfct_help
(
ct
)
->
help
.
ct_sane_info
;
ct_sane_info
=
&
nfct_help
(
ct
)
->
help
.
ct_sane_info
;
/* Until there's been traffic both ways, don't look in packets. */
/* Until there's been traffic both ways, don't look in packets. */
if
(
ctinfo
!=
IP_CT_ESTABLISHED
&&
if
(
ctinfo
!=
IP_CT_ESTABLISHED
&&
ctinfo
!=
IP_CT_ESTABLISHED
+
IP_CT_IS
_REPLY
)
ctinfo
!=
IP_CT_ESTABLISHED_REPLY
)
return
NF_ACCEPT
;
return
NF_ACCEPT
;
/* Not a full tcp header? */
/* Not a full tcp header? */
...
...
net/netfilter/nf_conntrack_sip.c
...
@@ -1423,7 +1423,7 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
...
@@ -1423,7 +1423,7 @@ static int sip_help_tcp(struct sk_buff *skb, unsigned int protoff,
typeof
(
nf_nat_sip_seq_adjust_hook
)
nf_nat_sip_seq_adjust
;
typeof
(
nf_nat_sip_seq_adjust_hook
)
nf_nat_sip_seq_adjust
;
if
(
ctinfo
!=
IP_CT_ESTABLISHED
&&
if
(
ctinfo
!=
IP_CT_ESTABLISHED
&&
ctinfo
!=
IP_CT_ESTABLISHED
+
IP_CT_IS
_REPLY
)
ctinfo
!=
IP_CT_ESTABLISHED_REPLY
)
return
NF_ACCEPT
;
return
NF_ACCEPT
;
/* No Data ? */
/* No Data ? */
...
...
net/netfilter/xt_socket.c
...
@@ -143,9 +143,9 @@ socket_match(const struct sk_buff *skb, struct xt_action_param *par,
...
@@ -143,9 +143,9 @@ socket_match(const struct sk_buff *skb, struct xt_action_param *par,
ct
=
nf_ct_get
(
skb
,
&
ctinfo
);
ct
=
nf_ct_get
(
skb
,
&
ctinfo
);
if
(
ct
&&
!
nf_ct_is_untracked
(
ct
)
&&
if
(
ct
&&
!
nf_ct_is_untracked
(
ct
)
&&
((
iph
->
protocol
!=
IPPROTO_ICMP
&&
((
iph
->
protocol
!=
IPPROTO_ICMP
&&
ctinfo
==
IP_CT_
IS_REPLY
+
IP_CT_ESTABLISHED
)
||
ctinfo
==
IP_CT_
ESTABLISHED_REPLY
)
||
(
iph
->
protocol
==
IPPROTO_ICMP
&&
(
iph
->
protocol
==
IPPROTO_ICMP
&&
ctinfo
==
IP_CT_
IS_REPLY
+
IP_CT_RELATED
))
&&
ctinfo
==
IP_CT_
RELATED_REPLY
))
&&
(
ct
->
status
&
IPS_SRC_NAT_DONE
))
{
(
ct
->
status
&
IPS_SRC_NAT_DONE
))
{
daddr
=
ct
->
tuplehash
[
IP_CT_DIR_ORIGINAL
].
tuple
.
src
.
u3
.
ip
;
daddr
=
ct
->
tuplehash
[
IP_CT_DIR_ORIGINAL
].
tuple
.
src
.
u3
.
ip
;
...
...