Skip to content

L
linux
Commit 9a0da0d1 authored by David S. Miller's avatar David S. Miller
Browse files
Options

Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6

parents ec282e92 8a56df0a
Show whitespace changes
Inline Side-by-side
Showing with 373 additions and 1856 deletions
Documentation/feature-removal-schedule.txt
View file @ 9a0da0d1
......@@ -264,31 +264,6 @@ Who: Thomas Gleixner <tglx@linutronix.de>
---------------------------
What (Why):
- include/linux/netfilter_ipv4/ipt_TOS.h ipt_tos.h header files
(superseded by xt_TOS/xt_tos target & match)
- "forwarding" header files like ipt_mac.h in
include/linux/netfilter_ipv4/ and include/linux/netfilter_ipv6/
- xt_CONNMARK match revision 0
(superseded by xt_CONNMARK match revision 1)
- xt_MARK target revisions 0 and 1
(superseded by xt_MARK match revision 2)
- xt_connmark match revision 0
(superseded by xt_connmark match revision 1)
- xt_conntrack match revision 0
(superseded by xt_conntrack match revision 1)
- xt_iprange match revision 0,
include/linux/netfilter_ipv4/ipt_iprange.h
(superseded by xt_iprange match revision 1)
- xt_mark match revision 0
(superseded by xt_mark match revision 1)
- xt_recent: the old ipt_recent proc dir
(superseded by /proc/net/xt_recent)
......
include/linux/netfilter/nfnetlink.h
View file @ 9a0da0d1
......@@ -58,7 +58,8 @@ struct nfgenmsg {
struct nfnl_callback
{
int (*call)(struct sock *nl, struct sk_buff *skb,
struct nlmsghdr *nlh, struct nlattr *cda[]);
const struct nlmsghdr *nlh,
const struct nlattr * const cda[]);
const struct nla_policy *policy; /* netlink attribute policy */
const u_int16_t attr_count; /* number of nlattr's */
};
......
include/linux/netfilter/x_tables.h
View file @ 9a0da0d1
......@@ -238,9 +238,9 @@ struct xt_mtdtor_param {
*/
struct xt_target_param {
const struct net_device *in, *out;
unsigned int hooknum;
const struct xt_target *target;
const void *targinfo;
unsigned int hooknum;
u_int8_t family;
};
......@@ -407,7 +407,7 @@ extern int xt_check_target(struct xt_tgchk_param *,
unsigned int size, u_int8_t proto, bool inv_proto);
extern struct xt_table *xt_register_table(struct net *net,
struct xt_table *table,
const struct xt_table *table,
struct xt_table_info *bootstrap,
struct xt_table_info *newinfo);
extern void *xt_unregister_table(struct xt_table *table);
......
include/linux/netfilter/xt_CONNMARK.h
View file @ 9a0da0d1
......@@ -18,12 +18,6 @@ enum {
XT_CONNMARK_RESTORE
};
struct xt_connmark_target_info {
unsigned long mark;
unsigned long mask;
__u8 mode;
};
struct xt_connmark_tginfo1 {
__u32 ctmark, ctmask, nfmask;
__u8 mode;
......
include/linux/netfilter/xt_MARK.h
View file @ 9a0da0d1
......@@ -3,23 +3,6 @@
#include <linux/types.h>
/* Version 0 */
struct xt_mark_target_info {
unsigned long mark;
};
/* Version 1 */
enum {
XT_MARK_SET=0,
XT_MARK_AND,
XT_MARK_OR,
};
struct xt_mark_target_info_v1 {
unsigned long mark;
__u8 mode;
};
struct xt_mark_tginfo2 {
__u32 mark, mask;
};
......
include/linux/netfilter/xt_connmark.h
View file @ 9a0da0d1
......@@ -12,11 +12,6 @@
* (at your option) any later version.
*/
struct xt_connmark_info {
unsigned long mark, mask;
__u8 invert;
};
struct xt_connmark_mtinfo1 {
__u32 mark, mask;
__u8 invert;
......
include/linux/netfilter/xt_conntrack.h
View file @ 9a0da0d1
......@@ -32,42 +32,6 @@ enum {
XT_CONNTRACK_DIRECTION = 1 << 12,
};
/* This is exposed to userspace, so remains frozen in time. */
struct ip_conntrack_old_tuple
{
struct {
__be32 ip;
union {
__u16 all;
} u;
} src;
struct {
__be32 ip;
union {
__u16 all;
} u;
/* The protocol. */
__u16 protonum;
} dst;
};
struct xt_conntrack_info
{
unsigned int statemask, statusmask;
struct ip_conntrack_old_tuple tuple[IP_CT_DIR_MAX];
struct in_addr sipmsk[IP_CT_DIR_MAX], dipmsk[IP_CT_DIR_MAX];
unsigned long expires_min, expires_max;
/* Flags word */
__u8 flags;
/* Inverse flags */
__u8 invflags;
};
struct xt_conntrack_mtinfo1 {
union nf_inet_addr origsrc_addr, origsrc_mask;
union nf_inet_addr origdst_addr, origdst_mask;
......
include/linux/netfilter/xt_mark.h
View file @ 9a0da0d1
......@@ -3,11 +3,6 @@
#include <linux/types.h>
struct xt_mark_info {
unsigned long mark, mask;
__u8 invert;
};
struct xt_mark_mtinfo1 {
__u32 mark, mask;
__u8 invert;
......
include/linux/netfilter_arp/arp_tables.h
View file @ 9a0da0d1
......@@ -265,7 +265,7 @@ struct arpt_error
}
extern struct xt_table *arpt_register_table(struct net *net,
struct xt_table *table,
const struct xt_table *table,
const struct arpt_replace *repl);
extern void arpt_unregister_table(struct xt_table *table);
extern unsigned int arpt_do_table(struct sk_buff *skb,
......
include/linux/netfilter_bridge/ebtables.h
View file @ 9a0da0d1
......@@ -301,7 +301,7 @@ struct ebt_table
#define EBT_ALIGN(s) (((s) + (__alignof__(struct ebt_replace)-1)) & \
~(__alignof__(struct ebt_replace)-1))
extern struct ebt_table *ebt_register_table(struct net *net,
struct ebt_table *table);
const struct ebt_table *table);
extern void ebt_unregister_table(struct ebt_table *table);
extern unsigned int ebt_do_table(unsigned int hook, struct sk_buff *skb,
const struct net_device *in, const struct net_device *out,
......
include/linux/netfilter_ipv4/Kbuild
View file @ 9a0da0d1
header-y += ipt_CLASSIFY.h
header-y += ipt_CLUSTERIP.h
header-y += ipt_CONNMARK.h
header-y += ipt_DSCP.h
header-y += ipt_ECN.h
header-y += ipt_LOG.h
header-y += ipt_MARK.h
header-y += ipt_NFQUEUE.h
header-y += ipt_REJECT.h
header-y += ipt_SAME.h
header-y += ipt_TCPMSS.h
header-y += ipt_TOS.h
header-y += ipt_TTL.h
header-y += ipt_ULOG.h
header-y += ipt_addrtype.h
header-y += ipt_ah.h
header-y += ipt_comment.h
header-y += ipt_connbytes.h
header-y += ipt_connmark.h
header-y += ipt_conntrack.h
header-y += ipt_dccp.h
header-y += ipt_dscp.h
header-y += ipt_ecn.h
header-y += ipt_esp.h
header-y += ipt_hashlimit.h
header-y += ipt_helper.h
header-y += ipt_iprange.h
header-y += ipt_length.h
header-y += ipt_limit.h
header-y += ipt_mac.h
header-y += ipt_mark.h
header-y += ipt_multiport.h
header-y += ipt_owner.h
header-y += ipt_physdev.h
header-y += ipt_pkttype.h
header-y += ipt_policy.h
header-y += ipt_realm.h
header-y += ipt_recent.h
header-y += ipt_sctp.h
header-y += ipt_state.h
header-y += ipt_string.h
header-y += ipt_tcpmss.h
header-y += ipt_tos.h
header-y += ipt_ttl.h
unifdef-y += ip_queue.h
......
include/linux/netfilter_ipv4/ip_tables.h
View file @ 9a0da0d1
......@@ -245,7 +245,7 @@ ipt_get_target(struct ipt_entry *e)
extern void ipt_init(void) __init;
extern struct xt_table *ipt_register_table(struct net *net,
struct xt_table *table,
const struct xt_table *table,
const struct ipt_replace *repl);
extern void ipt_unregister_table(struct xt_table *table);
......
include/linux/netfilter_ipv4/ipt_CLASSIFY.h deleted 100644 → 0
View file @ ec282e92
#ifndef _IPT_CLASSIFY_H
#define _IPT_CLASSIFY_H
#include <linux/netfilter/xt_CLASSIFY.h>
#define ipt_classify_target_info xt_classify_target_info
#endif /*_IPT_CLASSIFY_H */
include/linux/netfilter_ipv4/ipt_CONNMARK.h deleted 100644 → 0
View file @ ec282e92
#ifndef _IPT_CONNMARK_H_target
#define _IPT_CONNMARK_H_target
/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
* by Henrik Nordstrom <hno@marasystems.com>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation; either version 2 of the License, or
* (at your option) any later version.
*/
#include <linux/netfilter/xt_CONNMARK.h>
#define IPT_CONNMARK_SET XT_CONNMARK_SET
#define IPT_CONNMARK_SAVE XT_CONNMARK_SAVE
#define IPT_CONNMARK_RESTORE XT_CONNMARK_RESTORE
#define ipt_connmark_target_info xt_connmark_target_info
#endif /*_IPT_CONNMARK_H_target*/
include/linux/netfilter_ipv4/ipt_DSCP.h deleted 100644 → 0
View file @ ec282e92
/* iptables module for setting the IPv4 DSCP field
*
* (C) 2002 Harald Welte <laforge@gnumonks.org>
* based on ipt_FTOS.c (C) 2000 by Matthew G. Marsh <mgm@paktronix.com>
* This software is distributed under GNU GPL v2, 1991
*
* See RFC2474 for a description of the DSCP field within the IP Header.
*
* ipt_DSCP.h,v 1.7 2002/03/14 12:03:13 laforge Exp
*/
#ifndef _IPT_DSCP_TARGET_H
#define _IPT_DSCP_TARGET_H
#include <linux/netfilter_ipv4/ipt_dscp.h>
#include <linux/netfilter/xt_DSCP.h>
#define ipt_DSCP_info xt_DSCP_info
#endif /* _IPT_DSCP_TARGET_H */
include/linux/netfilter_ipv4/ipt_ECN.h
View file @ 9a0da0d1
......@@ -8,9 +8,9 @@
*/
#ifndef _IPT_ECN_TARGET_H
#define _IPT_ECN_TARGET_H
#include <linux/netfilter_ipv4/ipt_DSCP.h>
#include <linux/netfilter/xt_DSCP.h>
#define IPT_ECN_IP_MASK (~IPT_DSCP_MASK)
#define IPT_ECN_IP_MASK (~XT_DSCP_MASK)
#define IPT_ECN_OP_SET_IP 0x01 /* set ECN bits of IPv4 header */
#define IPT_ECN_OP_SET_ECE 0x10 /* set ECE bit of TCP header */
......
include/linux/netfilter_ipv4/ipt_MARK.h deleted 100644 → 0
View file @ ec282e92
#ifndef _IPT_MARK_H_target
#define _IPT_MARK_H_target
/* Backwards compatibility for old userspace */
#include <linux/netfilter/xt_MARK.h>
/* Version 0 */
#define ipt_mark_target_info xt_mark_target_info
/* Version 1 */
#define IPT_MARK_SET XT_MARK_SET
#define IPT_MARK_AND XT_MARK_AND
#define IPT_MARK_OR XT_MARK_OR
#define ipt_mark_target_info_v1 xt_mark_target_info_v1
#endif /*_IPT_MARK_H_target*/
include/linux/netfilter_ipv4/ipt_NFQUEUE.h deleted 100644 → 0
View file @ ec282e92
/* iptables module for using NFQUEUE mechanism
*
* (C) 2005 Harald Welte <laforge@netfilter.org>
*
* This software is distributed under GNU GPL v2, 1991
*
*/
#ifndef _IPT_NFQ_TARGET_H
#define _IPT_NFQ_TARGET_H
/* Backwards compatibility for old userspace */
#include <linux/netfilter/xt_NFQUEUE.h>
#define ipt_NFQ_info xt_NFQ_info
#endif /* _IPT_DSCP_TARGET_H */
include/linux/netfilter_ipv4/ipt_TCPMSS.h deleted 100644 → 0
View file @ ec282e92
#ifndef _IPT_TCPMSS_H
#define _IPT_TCPMSS_H
#include <linux/netfilter/xt_TCPMSS.h>
#define ipt_tcpmss_info xt_tcpmss_info
#define IPT_TCPMSS_CLAMP_PMTU XT_TCPMSS_CLAMP_PMTU
#endif /*_IPT_TCPMSS_H*/
include/linux/netfilter_ipv4/ipt_TOS.h deleted 100644 → 0
View file @ ec282e92
#ifndef _IPT_TOS_H_target
#define _IPT_TOS_H_target
#ifndef IPTOS_NORMALSVC
#define IPTOS_NORMALSVC 0
#endif
struct ipt_tos_target_info {
u_int8_t tos;
};
#endif /*_IPT_TOS_H_target*/
include/linux/netfilter_ipv4/ipt_comment.h deleted 100644 → 0
View file @ ec282e92
#ifndef _IPT_COMMENT_H
#define _IPT_COMMENT_H
#include <linux/netfilter/xt_comment.h>
#define IPT_MAX_COMMENT_LEN XT_MAX_COMMENT_LEN
#define ipt_comment_info xt_comment_info
#endif /* _IPT_COMMENT_H */
include/linux/netfilter_ipv4/ipt_connbytes.h deleted 100644 → 0
View file @ ec282e92
#ifndef _IPT_CONNBYTES_H
#define _IPT_CONNBYTES_H
#include <linux/netfilter/xt_connbytes.h>
#define ipt_connbytes_what xt_connbytes_what
#define IPT_CONNBYTES_PKTS XT_CONNBYTES_PKTS
#define IPT_CONNBYTES_BYTES XT_CONNBYTES_BYTES
#define IPT_CONNBYTES_AVGPKT XT_CONNBYTES_AVGPKT
#define ipt_connbytes_direction xt_connbytes_direction
#define IPT_CONNBYTES_DIR_ORIGINAL XT_CONNBYTES_DIR_ORIGINAL
#define IPT_CONNBYTES_DIR_REPLY XT_CONNBYTES_DIR_REPLY
#define IPT_CONNBYTES_DIR_BOTH XT_CONNBYTES_DIR_BOTH
#define ipt_connbytes_info xt_connbytes_info
#endif
include/linux/netfilter_ipv4/ipt_connmark.h deleted 100644 → 0
View file @ ec282e92
#ifndef _IPT_CONNMARK_H
#define _IPT_CONNMARK_H
#include <linux/netfilter/xt_connmark.h>
#define ipt_connmark_info xt_connmark_info
#endif /*_IPT_CONNMARK_H*/
include/linux/netfilter_ipv4/ipt_conntrack.h deleted 100644 → 0
View file @ ec282e92
/* Header file for kernel module to match connection tracking information.
* GPL (C) 2001 Marc Boucher (marc@mbsi.ca).
*/
#ifndef _IPT_CONNTRACK_H
#define _IPT_CONNTRACK_H
#include <linux/netfilter/xt_conntrack.h>
#define IPT_CONNTRACK_STATE_BIT(ctinfo) XT_CONNTRACK_STATE_BIT(ctinfo)
#define IPT_CONNTRACK_STATE_INVALID XT_CONNTRACK_STATE_INVALID
#define IPT_CONNTRACK_STATE_SNAT XT_CONNTRACK_STATE_SNAT
#define IPT_CONNTRACK_STATE_DNAT XT_CONNTRACK_STATE_DNAT
#define IPT_CONNTRACK_STATE_UNTRACKED XT_CONNTRACK_STATE_UNTRACKED
/* flags, invflags: */
#define IPT_CONNTRACK_STATE XT_CONNTRACK_STATE
#define IPT_CONNTRACK_PROTO XT_CONNTRACK_PROTO
#define IPT_CONNTRACK_ORIGSRC XT_CONNTRACK_ORIGSRC
#define IPT_CONNTRACK_ORIGDST XT_CONNTRACK_ORIGDST
#define IPT_CONNTRACK_REPLSRC XT_CONNTRACK_REPLSRC
#define IPT_CONNTRACK_REPLDST XT_CONNTRACK_REPLDST
#define IPT_CONNTRACK_STATUS XT_CONNTRACK_STATUS
#define IPT_CONNTRACK_EXPIRES XT_CONNTRACK_EXPIRES
#define ipt_conntrack_info xt_conntrack_info
#endif /*_IPT_CONNTRACK_H*/
include/linux/netfilter_ipv4/ipt_dccp.h deleted 100644 → 0
View file @ ec282e92
#ifndef _IPT_DCCP_H_
#define _IPT_DCCP_H_
#include <linux/netfilter/xt_dccp.h>
#define IPT_DCCP_SRC_PORTS XT_DCCP_SRC_PORTS
#define IPT_DCCP_DEST_PORTS XT_DCCP_DEST_PORTS
#define IPT_DCCP_TYPE XT_DCCP_TYPE
#define IPT_DCCP_OPTION XT_DCCP_OPTION
#define IPT_DCCP_VALID_FLAGS XT_DCCP_VALID_FLAGS
#define ipt_dccp_info xt_dccp_info
#endif /* _IPT_DCCP_H_ */
include/linux/netfilter_ipv4/ipt_dscp.h deleted 100644 → 0
View file @ ec282e92
/* iptables module for matching the IPv4 DSCP field
*
* (C) 2002 Harald Welte <laforge@gnumonks.org>
* This software is distributed under GNU GPL v2, 1991
*
* See RFC2474 for a description of the DSCP field within the IP Header.
*
* ipt_dscp.h,v 1.3 2002/08/05 19:00:21 laforge Exp
*/
#ifndef _IPT_DSCP_H
#define _IPT_DSCP_H
#include <linux/netfilter/xt_dscp.h>
#define IPT_DSCP_MASK XT_DSCP_MASK
#define IPT_DSCP_SHIFT XT_DSCP_SHIFT
#define IPT_DSCP_MAX XT_DSCP_MAX
#define ipt_dscp_info xt_dscp_info
#endif /* _IPT_DSCP_H */
include/linux/netfilter_ipv4/ipt_ecn.h
View file @ 9a0da0d1
......@@ -8,9 +8,9 @@
*/
#ifndef _IPT_ECN_H
#define _IPT_ECN_H
#include <linux/netfilter_ipv4/ipt_dscp.h>
#include <linux/netfilter/xt_dscp.h>
#define IPT_ECN_IP_MASK (~IPT_DSCP_MASK)
#define IPT_ECN_IP_MASK (~XT_DSCP_MASK)
#define IPT_ECN_OP_MATCH_IP 0x01
#define IPT_ECN_OP_MATCH_ECE 0x10
......
include/linux/netfilter_ipv4/ipt_esp.h deleted 100644 → 0
View file @ ec282e92
#ifndef _IPT_ESP_H
#define _IPT_ESP_H
#include <linux/netfilter/xt_esp.h>
#define ipt_esp xt_esp
#define IPT_ESP_INV_SPI XT_ESP_INV_SPI
#define IPT_ESP_INV_MASK XT_ESP_INV_MASK
#endif /*_IPT_ESP_H*/
include/linux/netfilter_ipv4/ipt_hashlimit.h deleted 100644 → 0
View file @ ec282e92
#ifndef _IPT_HASHLIMIT_H
#define _IPT_HASHLIMIT_H
#include <linux/netfilter/xt_hashlimit.h>
#define IPT_HASHLIMIT_SCALE XT_HASHLIMIT_SCALE
#define IPT_HASHLIMIT_HASH_DIP XT_HASHLIMIT_HASH_DIP
#define IPT_HASHLIMIT_HASH_DPT XT_HASHLIMIT_HASH_DPT
#define IPT_HASHLIMIT_HASH_SIP XT_HASHLIMIT_HASH_SIP
#define IPT_HASHLIMIT_HASH_SPT XT_HASHLIMIT_HASH_SPT
#define ipt_hashlimit_info xt_hashlimit_info
#endif /* _IPT_HASHLIMIT_H */
include/linux/netfilter_ipv4/ipt_helper.h deleted 100644 → 0
View file @ ec282e92
#ifndef _IPT_HELPER_H
#define _IPT_HELPER_H
#include <linux/netfilter/xt_helper.h>
#define ipt_helper_info xt_helper_info
#endif /* _IPT_HELPER_H */
include/linux/netfilter_ipv4/ipt_iprange.h deleted 100644 → 0
View file @ ec282e92
#ifndef _IPT_IPRANGE_H
#define _IPT_IPRANGE_H
#include <linux/types.h>
#include <linux/netfilter/xt_iprange.h>
struct ipt_iprange {
/* Inclusive: network order. */
__be32 min_ip, max_ip;
};
struct ipt_iprange_info
{
struct ipt_iprange src;
struct ipt_iprange dst;
/* Flags from above */
u_int8_t flags;
};
#endif /* _IPT_IPRANGE_H */
include/linux/netfilter_ipv4/ipt_length.h deleted 100644 → 0
View file @ ec282e92
#ifndef _IPT_LENGTH_H
#define _IPT_LENGTH_H
#include <linux/netfilter/xt_length.h>
#define ipt_length_info xt_length_info
#endif /*_IPT_LENGTH_H*/
include/linux/netfilter_ipv4/ipt_limit.h deleted 100644 → 0
View file @ ec282e92
#ifndef _IPT_RATE_H
#define _IPT_RATE_H
#include <linux/netfilter/xt_limit.h>
#define IPT_LIMIT_SCALE XT_LIMIT_SCALE
#define ipt_rateinfo xt_rateinfo
#endif /*_IPT_RATE_H*/
include/linux/netfilter_ipv4/ipt_mac.h deleted 100644 → 0
View file @ ec282e92
#ifndef _IPT_MAC_H
#define _IPT_MAC_H
#include <linux/netfilter/xt_mac.h>
#define ipt_mac_info xt_mac_info
#endif /*_IPT_MAC_H*/
include/linux/netfilter_ipv4/ipt_mark.h deleted 100644 → 0
View file @ ec282e92
#ifndef _IPT_MARK_H
#define _IPT_MARK_H
/* Backwards compatibility for old userspace */
#include <linux/netfilter/xt_mark.h>
#define ipt_mark_info xt_mark_info
#endif /*_IPT_MARK_H*/
include/linux/netfilter_ipv4/ipt_multiport.h deleted 100644 → 0
View file @ ec282e92
#ifndef _IPT_MULTIPORT_H
#define _IPT_MULTIPORT_H
#include <linux/netfilter/xt_multiport.h>
#define IPT_MULTIPORT_SOURCE XT_MULTIPORT_SOURCE
#define IPT_MULTIPORT_DESTINATION XT_MULTIPORT_DESTINATION
#define IPT_MULTIPORT_EITHER XT_MULTIPORT_EITHER
#define IPT_MULTI_PORTS XT_MULTI_PORTS
#define ipt_multiport xt_multiport
#define ipt_multiport_v1 xt_multiport_v1
#endif /*_IPT_MULTIPORT_H*/
include/linux/netfilter_ipv4/ipt_owner.h deleted 100644 → 0
View file @ ec282e92
#ifndef _IPT_OWNER_H
#define _IPT_OWNER_H
/* match and invert flags */
#define IPT_OWNER_UID 0x01
#define IPT_OWNER_GID 0x02
#define IPT_OWNER_PID 0x04
#define IPT_OWNER_SID 0x08
#define IPT_OWNER_COMM 0x10
struct ipt_owner_info {
__kernel_uid32_t uid;
__kernel_gid32_t gid;
__kernel_pid_t pid;
__kernel_pid_t sid;
char comm[16];
u_int8_t match, invert; /* flags */
};
#endif /*_IPT_OWNER_H*/
include/linux/netfilter_ipv4/ipt_physdev.h deleted 100644 → 0
View file @ ec282e92
#ifndef _IPT_PHYSDEV_H
#define _IPT_PHYSDEV_H
/* Backwards compatibility for old userspace */
#include <linux/netfilter/xt_physdev.h>
#define IPT_PHYSDEV_OP_IN XT_PHYSDEV_OP_IN
#define IPT_PHYSDEV_OP_OUT XT_PHYSDEV_OP_OUT
#define IPT_PHYSDEV_OP_BRIDGED XT_PHYSDEV_OP_BRIDGED
#define IPT_PHYSDEV_OP_ISIN XT_PHYSDEV_OP_ISIN
#define IPT_PHYSDEV_OP_ISOUT XT_PHYSDEV_OP_ISOUT
#define IPT_PHYSDEV_OP_MASK XT_PHYSDEV_OP_MASK
#define ipt_physdev_info xt_physdev_info
#endif /*_IPT_PHYSDEV_H*/
include/linux/netfilter_ipv4/ipt_pkttype.h deleted 100644 → 0
View file @ ec282e92
#ifndef _IPT_PKTTYPE_H
#define _IPT_PKTTYPE_H
#include <linux/netfilter/xt_pkttype.h>
#define ipt_pkttype_info xt_pkttype_info
#endif /*_IPT_PKTTYPE_H*/
include/linux/netfilter_ipv4/ipt_policy.h deleted 100644 → 0
View file @ ec282e92
#ifndef _IPT_POLICY_H
#define _IPT_POLICY_H
#include <linux/netfilter/xt_policy.h>
#define IPT_POLICY_MAX_ELEM XT_POLICY_MAX_ELEM
/* ipt_policy_flags */
#define IPT_POLICY_MATCH_IN XT_POLICY_MATCH_IN
#define IPT_POLICY_MATCH_OUT XT_POLICY_MATCH_OUT
#define IPT_POLICY_MATCH_NONE XT_POLICY_MATCH_NONE
#define IPT_POLICY_MATCH_STRICT XT_POLICY_MATCH_STRICT
/* ipt_policy_modes */
#define IPT_POLICY_MODE_TRANSPORT XT_POLICY_MODE_TRANSPORT
#define IPT_POLICY_MODE_TUNNEL XT_POLICY_MODE_TUNNEL
#define ipt_policy_spec xt_policy_spec
#define ipt_policy_addr xt_policy_addr
#define ipt_policy_elem xt_policy_elem
#define ipt_policy_info xt_policy_info
#endif /* _IPT_POLICY_H */
include/linux/netfilter_ipv4/ipt_recent.h deleted 100644 → 0
View file @ ec282e92
#ifndef _IPT_RECENT_H
#define _IPT_RECENT_H
#include <linux/netfilter/xt_recent.h>
#define ipt_recent_info xt_recent_mtinfo
enum {
IPT_RECENT_CHECK = XT_RECENT_CHECK,
IPT_RECENT_SET = XT_RECENT_SET,
IPT_RECENT_UPDATE = XT_RECENT_UPDATE,
IPT_RECENT_REMOVE = XT_RECENT_REMOVE,
IPT_RECENT_TTL = XT_RECENT_TTL,
IPT_RECENT_SOURCE = XT_RECENT_SOURCE,
IPT_RECENT_DEST = XT_RECENT_DEST,
IPT_RECENT_NAME_LEN = XT_RECENT_NAME_LEN,
};
#endif /*_IPT_RECENT_H*/
include/linux/netfilter_ipv4/ipt_sctp.h deleted 100644 → 0
View file @ ec282e92
#ifndef _IPT_SCTP_H_
#define _IPT_SCTP_H_
#define IPT_SCTP_SRC_PORTS 0x01
#define IPT_SCTP_DEST_PORTS 0x02
#define IPT_SCTP_CHUNK_TYPES 0x04
#define IPT_SCTP_VALID_FLAGS 0x07
struct ipt_sctp_flag_info {
u_int8_t chunktype;
u_int8_t flag;
u_int8_t flag_mask;
};
#define IPT_NUM_SCTP_FLAGS 4
struct ipt_sctp_info {
u_int16_t dpts[2]; /* Min, Max */
u_int16_t spts[2]; /* Min, Max */
u_int32_t chunkmap[256 / sizeof (u_int32_t)]; /* Bit mask of chunks to be matched according to RFC 2960 */
#define SCTP_CHUNK_MATCH_ANY 0x01 /* Match if any of the chunk types are present */
#define SCTP_CHUNK_MATCH_ALL 0x02 /* Match if all of the chunk types are present */
#define SCTP_CHUNK_MATCH_ONLY 0x04 /* Match if these are the only chunk types present */
u_int32_t chunk_match_type;
struct ipt_sctp_flag_info flag_info[IPT_NUM_SCTP_FLAGS];
int flag_count;
u_int32_t flags;
u_int32_t invflags;
};
#define bytes(type) (sizeof(type) * 8)
#define SCTP_CHUNKMAP_SET(chunkmap, type) \
do { \
chunkmap[type / bytes(u_int32_t)] |= \
1 << (type % bytes(u_int32_t)); \
} while (0)
#define SCTP_CHUNKMAP_CLEAR(chunkmap, type) \
do { \
chunkmap[type / bytes(u_int32_t)] &= \
~(1 << (type % bytes(u_int32_t))); \
} while (0)
#define SCTP_CHUNKMAP_IS_SET(chunkmap, type) \
({ \
(chunkmap[type / bytes (u_int32_t)] & \
(1 << (type % bytes (u_int32_t)))) ? 1: 0; \
})
#define SCTP_CHUNKMAP_RESET(chunkmap) \
do { \
int i; \
for (i = 0; i < ARRAY_SIZE(chunkmap); i++) \
chunkmap[i] = 0; \
} while (0)
#define SCTP_CHUNKMAP_SET_ALL(chunkmap) \
do { \
int i; \
for (i = 0; i < ARRAY_SIZE(chunkmap); i++) \
chunkmap[i] = ~0; \
} while (0)
#define SCTP_CHUNKMAP_COPY(destmap, srcmap) \
do { \
int i; \
for (i = 0; i < ARRAY_SIZE(chunkmap); i++) \
destmap[i] = srcmap[i]; \
} while (0)
#define SCTP_CHUNKMAP_IS_CLEAR(chunkmap) \
({ \
int i; \
int flag = 1; \
for (i = 0; i < ARRAY_SIZE(chunkmap); i++) { \
if (chunkmap[i]) { \
flag = 0; \
break; \
} \
} \
flag; \
})
#define SCTP_CHUNKMAP_IS_ALL_SET(chunkmap) \
({ \
int i; \
int flag = 1; \
for (i = 0; i < ARRAY_SIZE(chunkmap); i++) { \
if (chunkmap[i] != ~0) { \
flag = 0; \
break; \
} \
} \
flag; \
})
#endif /* _IPT_SCTP_H_ */
include/linux/netfilter_ipv4/ipt_state.h deleted 100644 → 0
View file @ ec282e92
#ifndef _IPT_STATE_H
#define _IPT_STATE_H
/* Backwards compatibility for old userspace */
#include <linux/netfilter/xt_state.h>
#define IPT_STATE_BIT XT_STATE_BIT
#define IPT_STATE_INVALID XT_STATE_INVALID
#define IPT_STATE_UNTRACKED XT_STATE_UNTRACKED
#define ipt_state_info xt_state_info
#endif /*_IPT_STATE_H*/
include/linux/netfilter_ipv4/ipt_string.h deleted 100644 → 0
View file @ ec282e92
#ifndef _IPT_STRING_H
#define _IPT_STRING_H
#include <linux/netfilter/xt_string.h>
#define IPT_STRING_MAX_PATTERN_SIZE XT_STRING_MAX_PATTERN_SIZE
#define IPT_STRING_MAX_ALGO_NAME_SIZE XT_STRING_MAX_ALGO_NAME_SIZE
#define ipt_string_info xt_string_info
#endif /*_IPT_STRING_H*/
include/linux/netfilter_ipv4/ipt_tcpmss.h deleted 100644 → 0
View file @ ec282e92
#ifndef _IPT_TCPMSS_MATCH_H
#define _IPT_TCPMSS_MATCH_H
#include <linux/netfilter/xt_tcpmss.h>
#define ipt_tcpmss_match_info xt_tcpmss_match_info
#endif /*_IPT_TCPMSS_MATCH_H*/
include/linux/netfilter_ipv4/ipt_tos.h deleted 100644 → 0
View file @ ec282e92
#ifndef _IPT_TOS_H
#define _IPT_TOS_H
struct ipt_tos_info {
u_int8_t tos;
u_int8_t invert;
};
#ifndef IPTOS_NORMALSVC
#define IPTOS_NORMALSVC 0
#endif
#endif /*_IPT_TOS_H*/
include/linux/netfilter_ipv6/Kbuild
View file @ 9a0da0d1
header-y += ip6t_HL.h
header-y += ip6t_LOG.h
header-y += ip6t_MARK.h
header-y += ip6t_REJECT.h
header-y += ip6t_ah.h
header-y += ip6t_esp.h
header-y += ip6t_frag.h
header-y += ip6t_hl.h
header-y += ip6t_ipv6header.h
header-y += ip6t_length.h
header-y += ip6t_limit.h
header-y += ip6t_mac.h
header-y += ip6t_mark.h
header-y += ip6t_hl.h
header-y += ip6t_mh.h
header-y += ip6t_multiport.h
header-y += ip6t_opts.h
header-y += ip6t_owner.h
header-y += ip6t_physdev.h
header-y += ip6t_policy.h
header-y += ip6t_rt.h
unifdef-y += ip6_tables.h
include/linux/netfilter_ipv6/ip6_tables.h
View file @ 9a0da0d1
......@@ -306,7 +306,7 @@ ip6t_get_target(struct ip6t_entry *e)
extern void ip6t_init(void) __init;
extern struct xt_table *ip6t_register_table(struct net *net,
struct xt_table *table,
const struct xt_table *table,
const struct ip6t_replace *repl);
extern void ip6t_unregister_table(struct xt_table *table);
extern unsigned int ip6t_do_table(struct sk_buff *skb,
......
include/linux/netfilter_ipv6/ip6t_MARK.h deleted 100644 → 0
View file @ ec282e92
#ifndef _IP6T_MARK_H_target
#define _IP6T_MARK_H_target
/* Backwards compatibility for old userspace */
#include <linux/netfilter/xt_MARK.h>
#define ip6t_mark_target_info xt_mark_target_info
#endif /*_IP6T_MARK_H_target*/
include/linux/netfilter_ipv6/ip6t_esp.h deleted 100644 → 0
View file @ ec282e92
#ifndef _IP6T_ESP_H
#define _IP6T_ESP_H
#include <linux/netfilter/xt_esp.h>
#define ip6t_esp xt_esp
#define IP6T_ESP_INV_SPI XT_ESP_INV_SPI
#define IP6T_ESP_INV_MASK XT_ESP_INV_MASK
#endif /*_IP6T_ESP_H*/
include/linux/netfilter_ipv6/ip6t_length.h deleted 100644 → 0
View file @ ec282e92
#ifndef _IP6T_LENGTH_H
#define _IP6T_LENGTH_H
#include <linux/netfilter/xt_length.h>
#define ip6t_length_info xt_length_info
#endif /*_IP6T_LENGTH_H*/
include/linux/netfilter_ipv6/ip6t_limit.h deleted 100644 → 0
View file @ ec282e92
#ifndef _IP6T_RATE_H
#define _IP6T_RATE_H
#include <linux/netfilter/xt_limit.h>
#define IP6T_LIMIT_SCALE XT_LIMIT_SCALE
#define ip6t_rateinfo xt_rateinfo
#endif /*_IP6T_RATE_H*/
include/linux/netfilter_ipv6/ip6t_mac.h deleted 100644 → 0
View file @ ec282e92
#ifndef _IP6T_MAC_H
#define _IP6T_MAC_H
#include <linux/netfilter/xt_mac.h>
#define ip6t_mac_info xt_mac_info
#endif /*_IP6T_MAC_H*/
include/linux/netfilter_ipv6/ip6t_mark.h deleted 100644 → 0
View file @ ec282e92
#ifndef _IP6T_MARK_H
#define _IP6T_MARK_H
/* Backwards compatibility for old userspace */
#include <linux/netfilter/xt_mark.h>
#define ip6t_mark_info xt_mark_info
#endif /*_IPT_MARK_H*/
include/linux/netfilter_ipv6/ip6t_multiport.h deleted 100644 → 0
View file @ ec282e92
#ifndef _IP6T_MULTIPORT_H
#define _IP6T_MULTIPORT_H
#include <linux/netfilter/xt_multiport.h>
#define IP6T_MULTIPORT_SOURCE XT_MULTIPORT_SOURCE
#define IP6T_MULTIPORT_DESTINATION XT_MULTIPORT_DESTINATION
#define IP6T_MULTIPORT_EITHER XT_MULTIPORT_EITHER
#define IP6T_MULTI_PORTS XT_MULTI_PORTS
#define ip6t_multiport xt_multiport
#endif /*_IP6T_MULTIPORT_H*/
include/linux/netfilter_ipv6/ip6t_owner.h deleted 100644 → 0
View file @ ec282e92
#ifndef _IP6T_OWNER_H
#define _IP6T_OWNER_H
/* match and invert flags */
#define IP6T_OWNER_UID 0x01
#define IP6T_OWNER_GID 0x02
#define IP6T_OWNER_PID 0x04
#define IP6T_OWNER_SID 0x08
struct ip6t_owner_info {
__kernel_uid32_t uid;
__kernel_gid32_t gid;
__kernel_pid_t pid;
__kernel_pid_t sid;
u_int8_t match, invert; /* flags */
};
#endif /*_IPT_OWNER_H*/
include/linux/netfilter_ipv6/ip6t_physdev.h deleted 100644 → 0
View file @ ec282e92
#ifndef _IP6T_PHYSDEV_H
#define _IP6T_PHYSDEV_H
/* Backwards compatibility for old userspace */
#include <linux/netfilter/xt_physdev.h>
#define IP6T_PHYSDEV_OP_IN XT_PHYSDEV_OP_IN
#define IP6T_PHYSDEV_OP_OUT XT_PHYSDEV_OP_OUT
#define IP6T_PHYSDEV_OP_BRIDGED XT_PHYSDEV_OP_BRIDGED
#define IP6T_PHYSDEV_OP_ISIN XT_PHYSDEV_OP_ISIN
#define IP6T_PHYSDEV_OP_ISOUT XT_PHYSDEV_OP_ISOUT
#define IP6T_PHYSDEV_OP_MASK XT_PHYSDEV_OP_MASK
#define ip6t_physdev_info xt_physdev_info
#endif /*_IP6T_PHYSDEV_H*/
include/linux/netfilter_ipv6/ip6t_policy.h deleted 100644 → 0
View file @ ec282e92
#ifndef _IP6T_POLICY_H
#define _IP6T_POLICY_H
#include <linux/netfilter/xt_policy.h>
#define IP6T_POLICY_MAX_ELEM XT_POLICY_MAX_ELEM
/* ip6t_policy_flags */
#define IP6T_POLICY_MATCH_IN XT_POLICY_MATCH_IN
#define IP6T_POLICY_MATCH_OUT XT_POLICY_MATCH_OUT
#define IP6T_POLICY_MATCH_NONE XT_POLICY_MATCH_NONE
#define IP6T_POLICY_MATCH_STRICT XT_POLICY_MATCH_STRICT
/* ip6t_policy_modes */
#define IP6T_POLICY_MODE_TRANSPORT XT_POLICY_MODE_TRANSPORT
#define IP6T_POLICY_MODE_TUNNEL XT_POLICY_MODE_TUNNEL
#define ip6t_policy_spec xt_policy_spec
#define ip6t_policy_addr xt_policy_addr
#define ip6t_policy_elem xt_policy_elem
#define ip6t_policy_info xt_policy_info
#endif /* _IP6T_POLICY_H */
include/linux/netlink.h
View file @ 9a0da0d1
......@@ -218,8 +218,9 @@ int netlink_sendskb(struct sock *sk, struct sk_buff *skb);
struct netlink_callback
{
struct sk_buff *skb;
struct nlmsghdr *nlh;
int (*dump)(struct sk_buff * skb, struct netlink_callback *cb);
const struct nlmsghdr *nlh;
int (*dump)(struct sk_buff * skb,
struct netlink_callback *cb);
int (*done)(struct netlink_callback *cb);
int family;
long args[6];
......@@ -258,7 +259,7 @@ __nlmsg_put(struct sk_buff *skb, u32 pid, u32 seq, int type, int len, int flags)
NLMSG_NEW(skb, pid, seq, type, len, 0)
extern int netlink_dump_start(struct sock *ssk, struct sk_buff *skb,
struct nlmsghdr *nlh,
const struct nlmsghdr *nlh,
int (*dump)(struct sk_buff *skb, struct netlink_callback*),
int (*done)(struct netlink_callback*));
......
include/net/netfilter/nf_nat_core.h
View file @ 9a0da0d1
......@@ -31,6 +31,6 @@ struct nlattr;
extern int
(*nfnetlink_parse_nat_setup_hook)(struct nf_conn *ct,
enum nf_nat_manip_type manip,
struct nlattr *attr);
const struct nlattr *attr);
#endif /* _NF_NAT_CORE_H */
include/net/netlink.h
View file @ 9a0da0d1
......@@ -365,7 +365,7 @@ static inline struct nlmsghdr *nlmsg_next(struct nlmsghdr *nlh, int *remaining)
*
* See nla_parse()
*/
static inline int nlmsg_parse(struct nlmsghdr *nlh, int hdrlen,
static inline int nlmsg_parse(const struct nlmsghdr *nlh, int hdrlen,
struct nlattr *tb[], int maxtype,
const struct nla_policy *policy)
{
......@@ -414,7 +414,7 @@ static inline int nlmsg_validate(struct nlmsghdr *nlh, int hdrlen, int maxtype,
*
* Returns 1 if a report back to the application is requested.
*/
static inline int nlmsg_report(struct nlmsghdr *nlh)
static inline int nlmsg_report(const struct nlmsghdr *nlh)
{
return !!(nlh->nlmsg_flags & NLM_F_ECHO);
}
......
include/net/rtnetlink.h
View file @ 9a0da0d1
......@@ -14,7 +14,7 @@ extern void rtnl_register(int protocol, int msgtype,
extern int rtnl_unregister(int protocol, int msgtype);
extern void rtnl_unregister_all(int protocol);
static inline int rtnl_msg_family(struct nlmsghdr *nlh)
static inline int rtnl_msg_family(const struct nlmsghdr *nlh)
{
if (nlmsg_len(nlh) >= sizeof(struct rtgenmsg))
return ((struct rtgenmsg *) nlmsg_data(nlh))->rtgen_family;
......
net/bridge/br_netfilter.c
View file @ 9a0da0d1
......@@ -359,7 +359,7 @@ static int br_nf_pre_routing_finish(struct sk_buff *skb)
},
.proto = 0,
};
struct in_device *in_dev = in_dev_get(dev);
struct in_device *in_dev = __in_dev_get_rcu(dev);
/* If err equals -EHOSTUNREACH the error is due to a
* martian destination or due to the fact that
......
net/bridge/netfilter/ebt_log.c
View file @ 9a0da0d1
......@@ -50,14 +50,6 @@ struct arppayload
unsigned char ip_dst[4];
};
static void print_MAC(const unsigned char *p)
{
int i;
for (i = 0; i < ETH_ALEN; i++, p++)
printk("%02x%c", *p, i == ETH_ALEN - 1 ? ' ':':');
}
static void
print_ports(const struct sk_buff *skb, uint8_t protocol, int offset)
{
......@@ -88,14 +80,11 @@ ebt_log_packet(u_int8_t pf, unsigned int hooknum,
unsigned int bitmask;
spin_lock_bh(&ebt_log_lock);
printk("<%c>%s IN=%s OUT=%s MAC source = ", '0' + loginfo->u.log.level,
prefix, in ? in->name : "", out ? out->name : "");
print_MAC(eth_hdr(skb)->h_source);
printk("MAC dest = ");
print_MAC(eth_hdr(skb)->h_dest);
printk("proto = 0x%04x", ntohs(eth_hdr(skb)->h_proto));
printk("<%c>%s IN=%s OUT=%s MAC source = %pM MAC dest = %pM proto = 0x%04x",
'0' + loginfo->u.log.level, prefix,
in ? in->name : "", out ? out->name : "",
eth_hdr(skb)->h_source, eth_hdr(skb)->h_dest,
ntohs(eth_hdr(skb)->h_proto));
if (loginfo->type == NF_LOG_TYPE_LOG)
bitmask = loginfo->u.log.logflags;
......@@ -171,12 +160,8 @@ ebt_log_packet(u_int8_t pf, unsigned int hooknum,
printk(" INCOMPLETE ARP payload");
goto out;
}
printk(" ARP MAC SRC=");
print_MAC(ap->mac_src);
printk(" ARP IP SRC=%pI4", ap->ip_src);
printk(" ARP MAC DST=");
print_MAC(ap->mac_dst);
printk(" ARP IP DST=%pI4", ap->ip_dst);
printk(" ARP MAC SRC=%pM ARP IP SRC=%pI4 ARP MAC DST=%pM ARP IP DST=%pI4",
ap->mac_src, ap->ip_src, ap->mac_dst, ap->ip_dst);
}
}
out:
......
net/bridge/netfilter/ebt_ulog.c
View file @ 9a0da0d1
......@@ -266,7 +266,7 @@ static bool ebt_ulog_tg_check(const struct xt_tgchk_param *par)
if (uloginfo->qthreshold > EBT_ULOG_MAX_QLEN)
uloginfo->qthreshold = EBT_ULOG_MAX_QLEN;
return 0;
return true;
}
static struct xt_target ebt_ulog_tg_reg __read_mostly = {
......
net/bridge/netfilter/ebtable_broute.c
View file @ 9a0da0d1
......@@ -41,7 +41,7 @@ static int check(const struct ebt_table_info *info, unsigned int valid_hooks)
return 0;
}
static struct ebt_table broute_table =
static const struct ebt_table broute_table =
{
.name = "broute",
.table = &initial_table,
......
net/bridge/netfilter/ebtable_filter.c
View file @ 9a0da0d1
......@@ -50,7 +50,7 @@ static int check(const struct ebt_table_info *info, unsigned int valid_hooks)
return 0;
}
static struct ebt_table frame_filter =
static const struct ebt_table frame_filter =
{
.name = "filter",
.table = &initial_table,
......@@ -77,21 +77,21 @@ static struct nf_hook_ops ebt_ops_filter[] __read_mostly = {
{
.hook = ebt_in_hook,
.owner = THIS_MODULE,
.pf = PF_BRIDGE,
.pf = NFPROTO_BRIDGE,
.hooknum = NF_BR_LOCAL_IN,
.priority = NF_BR_PRI_FILTER_BRIDGED,
},
{
.hook = ebt_in_hook,
.owner = THIS_MODULE,
.pf = PF_BRIDGE,
.pf = NFPROTO_BRIDGE,
.hooknum = NF_BR_FORWARD,
.priority = NF_BR_PRI_FILTER_BRIDGED,
},
{
.hook = ebt_out_hook,
.owner = THIS_MODULE,
.pf = PF_BRIDGE,
.pf = NFPROTO_BRIDGE,
.hooknum = NF_BR_LOCAL_OUT,
.priority = NF_BR_PRI_FILTER_OTHER,
},
......
net/bridge/netfilter/ebtable_nat.c
View file @ 9a0da0d1
......@@ -77,21 +77,21 @@ static struct nf_hook_ops ebt_ops_nat[] __read_mostly = {
{
.hook = ebt_nat_out,
.owner = THIS_MODULE,
.pf = PF_BRIDGE,
.pf = NFPROTO_BRIDGE,
.hooknum = NF_BR_LOCAL_OUT,
.priority = NF_BR_PRI_NAT_DST_OTHER,
},
{
.hook = ebt_nat_out,
.owner = THIS_MODULE,
.pf = PF_BRIDGE,
.pf = NFPROTO_BRIDGE,
.hooknum = NF_BR_POST_ROUTING,
.priority = NF_BR_PRI_NAT_SRC,
},
{
.hook = ebt_nat_in,
.owner = THIS_MODULE,
.pf = PF_BRIDGE,
.pf = NFPROTO_BRIDGE,
.hooknum = NF_BR_PRE_ROUTING,
.priority = NF_BR_PRI_NAT_DST_BRIDGED,
},
......
net/bridge/netfilter/ebtables.c
View file @ 9a0da0d1
......@@ -1103,23 +1103,24 @@ static int do_replace(struct net *net, void __user *user, unsigned int len)
return ret;
}
struct ebt_table *ebt_register_table(struct net *net, struct ebt_table *table)
struct ebt_table *
ebt_register_table(struct net *net, const struct ebt_table *input_table)
{
struct ebt_table_info *newinfo;
struct ebt_table *t;
struct ebt_table *t, *table;
struct ebt_replace_kernel *repl;
int ret, i, countersize;
void *p;
if (!table || !(repl = table->table) || !repl->entries ||
repl->entries_size == 0 ||
repl->counters || table->private) {
if (input_table == NULL || (repl = input_table->table) == NULL ||
repl->entries == 0 || repl->entries_size == 0 ||
repl->counters != NULL || input_table->private != NULL) {
BUGPRINT("Bad table data for ebt_register_table!!!\n");
return ERR_PTR(-EINVAL);
}
/* Don't add one table to multiple lists. */
table = kmemdup(table, sizeof(struct ebt_table), GFP_KERNEL);
table = kmemdup(input_table, sizeof(struct ebt_table), GFP_KERNEL);
if (!table) {
ret = -ENOMEM;
goto out;
......
net/ipv4/netfilter/arp_tables.c
View file @ 9a0da0d1
......@@ -8,7 +8,7 @@
* Copyright (C) 2002 David S. Miller (davem@redhat.com)
*
*/
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/kernel.h>
#include <linux/skbuff.h>
#include <linux/netdevice.h>
......@@ -341,15 +341,11 @@ unsigned int arpt_do_table(struct sk_buff *skb,
}
/* All zeroes == unconditional rule. */
static inline int unconditional(const struct arpt_arp *arp)
static inline bool unconditional(const struct arpt_arp *arp)
{
unsigned int i;
static const struct arpt_arp uncond;
for (i = 0; i < sizeof(*arp)/sizeof(__u32); i++)
if (((__u32 *)arp)[i])
return 0;
return 1;
return memcmp(arp, &uncond, sizeof(uncond)) == 0;
}
/* Figures out from what hook each rule can be called: returns 0 if
......@@ -537,12 +533,28 @@ find_check_entry(struct arpt_entry *e, const char *name, unsigned int size,
return ret;
}
static bool check_underflow(struct arpt_entry *e)
{
const struct arpt_entry_target *t;
unsigned int verdict;
if (!unconditional(&e->arp))
return false;
t = arpt_get_target(e);
if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
return false;
verdict = ((struct arpt_standard_target *)t)->verdict;
verdict = -verdict - 1;
return verdict == NF_DROP || verdict == NF_ACCEPT;
}
static inline int check_entry_size_and_hooks(struct arpt_entry *e,
struct xt_table_info *newinfo,
unsigned char *base,
unsigned char *limit,
const unsigned int *hook_entries,
const unsigned int *underflows,
unsigned int valid_hooks,
unsigned int *i)
{
unsigned int h;
......@@ -562,14 +574,20 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e,
/* Check hooks & underflows */
for (h = 0; h < NF_ARP_NUMHOOKS; h++) {
if (!(valid_hooks & (1 << h)))
continue;
if ((unsigned char *)e - base == hook_entries[h])
newinfo->hook_entry[h] = hook_entries[h];
if ((unsigned char *)e - base == underflows[h])
if ((unsigned char *)e - base == underflows[h]) {
if (!check_underflow(e)) {
pr_err("Underflows must be unconditional and "
"use the STANDARD target with "
"ACCEPT/DROP\n");
return -EINVAL;
}
newinfo->underflow[h] = underflows[h];
}
/* FIXME: underflows must be unconditional, standard verdicts
< 0 (not ARPT_RETURN). --RR */
}
/* Clear counters and comefrom */
e->counters = ((struct xt_counters) { 0, 0 });
......@@ -630,7 +648,7 @@ static int translate_table(const char *name,
newinfo,
entry0,
entry0 + size,
hook_entries, underflows, &i);
hook_entries, underflows, valid_hooks, &i);
duprintf("translate_table: ARPT_ENTRY_ITERATE gives %d\n", ret);
if (ret != 0)
return ret;
......@@ -1760,7 +1778,8 @@ static int do_arpt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len
return ret;
}
struct xt_table *arpt_register_table(struct net *net, struct xt_table *table,
struct xt_table *arpt_register_table(struct net *net,
const struct xt_table *table,
const struct arpt_replace *repl)
{
int ret;
......
net/ipv4/netfilter/arptable_filter.c
View file @ 9a0da0d1
......@@ -15,7 +15,7 @@ MODULE_DESCRIPTION("arptables filter table");
#define FILTER_VALID_HOOKS ((1 << NF_ARP_IN) | (1 << NF_ARP_OUT) | \
(1 << NF_ARP_FORWARD))
static struct
static const struct
{
struct arpt_replace repl;
struct arpt_standard entries[3];
......@@ -45,7 +45,7 @@ static struct
.term = ARPT_ERROR_INIT,
};
static struct xt_table packet_filter = {
static const struct xt_table packet_filter = {
.name = "filter",
.valid_hooks = FILTER_VALID_HOOKS,
.me = THIS_MODULE,
......
net/ipv4/netfilter/ip_tables.c
View file @ 9a0da0d1
......@@ -8,6 +8,7 @@
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/cache.h>
#include <linux/capability.h>
#include <linux/skbuff.h>
......@@ -190,16 +191,11 @@ get_entry(void *base, unsigned int offset)
/* All zeroes == unconditional rule. */
/* Mildly perf critical (only if packet tracing is on) */
static inline int
unconditional(const struct ipt_ip *ip)
static inline bool unconditional(const struct ipt_ip *ip)
{
unsigned int i;
for (i = 0; i < sizeof(*ip)/sizeof(__u32); i++)
if (((__u32 *)ip)[i])
return 0;
static const struct ipt_ip uncond;
return 1;
return memcmp(ip, &uncond, sizeof(uncond)) == 0;
#undef FWINV
}
......@@ -315,7 +311,6 @@ ipt_do_table(struct sk_buff *skb,
static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
const struct iphdr *ip;
u_int16_t datalen;
bool hotdrop = false;
/* Initializing verdict to NF_DROP keeps gcc happy. */
unsigned int verdict = NF_DROP;
......@@ -328,7 +323,6 @@ ipt_do_table(struct sk_buff *skb,
/* Initialization */
ip = ip_hdr(skb);
datalen = skb->len - ip->ihl * 4;
indev = in ? in->name : nulldevname;
outdev = out ? out->name : nulldevname;
/* We handle fragments by dealing with the first fragment as
......@@ -427,8 +421,6 @@ ipt_do_table(struct sk_buff *skb,
#endif
/* Target might have changed stuff. */
ip = ip_hdr(skb);
datalen = skb->len - ip->ihl * 4;
if (verdict == IPT_CONTINUE)
e = ipt_next_entry(e);
else
......@@ -716,6 +708,21 @@ find_check_entry(struct ipt_entry *e, const char *name, unsigned int size,
return ret;
}
static bool check_underflow(struct ipt_entry *e)
{
const struct ipt_entry_target *t;
unsigned int verdict;
if (!unconditional(&e->ip))
return false;
t = ipt_get_target(e);
if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
return false;
verdict = ((struct ipt_standard_target *)t)->verdict;
verdict = -verdict - 1;
return verdict == NF_DROP || verdict == NF_ACCEPT;
}
static int
check_entry_size_and_hooks(struct ipt_entry *e,
struct xt_table_info *newinfo,
......@@ -723,6 +730,7 @@ check_entry_size_and_hooks(struct ipt_entry *e,
unsigned char *limit,
const unsigned int *hook_entries,
const unsigned int *underflows,
unsigned int valid_hooks,
unsigned int *i)
{
unsigned int h;
......@@ -742,14 +750,20 @@ check_entry_size_and_hooks(struct ipt_entry *e,
/* Check hooks & underflows */
for (h = 0; h < NF_INET_NUMHOOKS; h++) {
if (!(valid_hooks & (1 << h)))
continue;
if ((unsigned char *)e - base == hook_entries[h])
newinfo->hook_entry[h] = hook_entries[h];
if ((unsigned char *)e - base == underflows[h])
if ((unsigned char *)e - base == underflows[h]) {
if (!check_underflow(e)) {
pr_err("Underflows must be unconditional and "
"use the STANDARD target with "
"ACCEPT/DROP\n");
return -EINVAL;
}
newinfo->underflow[h] = underflows[h];
}
/* FIXME: underflows must be unconditional, standard verdicts
< 0 (not IPT_RETURN). --RR */
}
/* Clear counters and comefrom */
e->counters = ((struct xt_counters) { 0, 0 });
......@@ -813,7 +827,7 @@ translate_table(const char *name,
newinfo,
entry0,
entry0 + size,
hook_entries, underflows, &i);
hook_entries, underflows, valid_hooks, &i);
if (ret != 0)
return ret;
......@@ -2051,7 +2065,8 @@ do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
return ret;
}
struct xt_table *ipt_register_table(struct net *net, struct xt_table *table,
struct xt_table *ipt_register_table(struct net *net,
const struct xt_table *table,
const struct ipt_replace *repl)
{
int ret;
......
net/ipv4/netfilter/iptable_filter.c
View file @ 9a0da0d1
......@@ -53,11 +53,11 @@ static struct
.term = IPT_ERROR_INIT, /* ERROR */
};
static struct xt_table packet_filter = {
static const struct xt_table packet_filter = {
.name = "filter",
.valid_hooks = FILTER_VALID_HOOKS,
.me = THIS_MODULE,
.af = AF_INET,
.af = NFPROTO_IPV4,
};
/* The work comes in here from netfilter.c. */
......@@ -102,21 +102,21 @@ static struct nf_hook_ops ipt_ops[] __read_mostly = {
{
.hook = ipt_local_in_hook,
.owner = THIS_MODULE,
.pf = PF_INET,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_LOCAL_IN,
.priority = NF_IP_PRI_FILTER,
},
{
.hook = ipt_hook,
.owner = THIS_MODULE,
.pf = PF_INET,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_FORWARD,
.priority = NF_IP_PRI_FILTER,
},
{
.hook = ipt_local_out_hook,
.owner = THIS_MODULE,
.pf = PF_INET,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_LOCAL_OUT,
.priority = NF_IP_PRI_FILTER,
},
......
net/ipv4/netfilter/iptable_mangle.c
View file @ 9a0da0d1
......@@ -28,7 +28,7 @@ MODULE_DESCRIPTION("iptables mangle table");
(1 << NF_INET_POST_ROUTING))
/* Ouch - five different hooks? Maybe this should be a config option..... -- BC */
static struct
static const struct
{
struct ipt_replace repl;
struct ipt_standard entries[5];
......@@ -64,11 +64,11 @@ static struct
.term = IPT_ERROR_INIT, /* ERROR */
};
static struct xt_table packet_mangler = {
static const struct xt_table packet_mangler = {
.name = "mangle",
.valid_hooks = MANGLE_VALID_HOOKS,
.me = THIS_MODULE,
.af = AF_INET,
.af = NFPROTO_IPV4,
};
/* The work comes in here from netfilter.c. */
......@@ -162,35 +162,35 @@ static struct nf_hook_ops ipt_ops[] __read_mostly = {
{
.hook = ipt_pre_routing_hook,
.owner = THIS_MODULE,
.pf = PF_INET,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_PRE_ROUTING,
.priority = NF_IP_PRI_MANGLE,
},
{
.hook = ipt_local_in_hook,
.owner = THIS_MODULE,
.pf = PF_INET,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_LOCAL_IN,
.priority = NF_IP_PRI_MANGLE,
},
{
.hook = ipt_forward_hook,
.owner = THIS_MODULE,
.pf = PF_INET,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_FORWARD,
.priority = NF_IP_PRI_MANGLE,
},
{
.hook = ipt_local_hook,
.owner = THIS_MODULE,
.pf = PF_INET,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_LOCAL_OUT,
.priority = NF_IP_PRI_MANGLE,
},
{
.hook = ipt_post_routing_hook,
.owner = THIS_MODULE,
.pf = PF_INET,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_POST_ROUTING,
.priority = NF_IP_PRI_MANGLE,
},
......
net/ipv4/netfilter/iptable_raw.c
View file @ 9a0da0d1
......@@ -9,7 +9,7 @@
#define RAW_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT))
static struct
static const struct
{
struct ipt_replace repl;
struct ipt_standard entries[2];
......@@ -36,11 +36,11 @@ static struct
.term = IPT_ERROR_INIT, /* ERROR */
};
static struct xt_table packet_raw = {
static const struct xt_table packet_raw = {
.name = "raw",
.valid_hooks = RAW_VALID_HOOKS,
.me = THIS_MODULE,
.af = AF_INET,
.af = NFPROTO_IPV4,
};
/* The work comes in here from netfilter.c. */
......@@ -74,14 +74,14 @@ ipt_local_hook(unsigned int hook,
static struct nf_hook_ops ipt_ops[] __read_mostly = {
{
.hook = ipt_hook,
.pf = PF_INET,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_PRE_ROUTING,
.priority = NF_IP_PRI_RAW,
.owner = THIS_MODULE,
},
{
.hook = ipt_local_hook,
.pf = PF_INET,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_LOCAL_OUT,
.priority = NF_IP_PRI_RAW,
.owner = THIS_MODULE,
......
net/ipv4/netfilter/iptable_security.c
View file @ 9a0da0d1
......@@ -27,7 +27,7 @@ MODULE_DESCRIPTION("iptables security table, for MAC rules");
(1 << NF_INET_FORWARD) | \
(1 << NF_INET_LOCAL_OUT)
static struct
static const struct
{
struct ipt_replace repl;
struct ipt_standard entries[3];
......@@ -57,11 +57,11 @@ static struct
.term = IPT_ERROR_INIT, /* ERROR */
};
static struct xt_table security_table = {
static const struct xt_table security_table = {
.name = "security",
.valid_hooks = SECURITY_VALID_HOOKS,
.me = THIS_MODULE,
.af = AF_INET,
.af = NFPROTO_IPV4,
};
static unsigned int
......@@ -105,21 +105,21 @@ static struct nf_hook_ops ipt_ops[] __read_mostly = {
{
.hook = ipt_local_in_hook,
.owner = THIS_MODULE,
.pf = PF_INET,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_LOCAL_IN,
.priority = NF_IP_PRI_SECURITY,
},
{
.hook = ipt_forward_hook,
.owner = THIS_MODULE,
.pf = PF_INET,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_FORWARD,
.priority = NF_IP_PRI_SECURITY,
},
{
.hook = ipt_local_out_hook,
.owner = THIS_MODULE,
.pf = PF_INET,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_LOCAL_OUT,
.priority = NF_IP_PRI_SECURITY,
},
......
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
View file @ 9a0da0d1
......@@ -26,6 +26,7 @@
#include <net/netfilter/ipv4/nf_conntrack_ipv4.h>
#include <net/netfilter/nf_nat_helper.h>
#include <net/netfilter/ipv4/nf_defrag_ipv4.h>
#include <net/netfilter/nf_log.h>
int (*nf_nat_seq_adjust_hook)(struct sk_buff *skb,
struct nf_conn *ct,
......@@ -113,8 +114,11 @@ static unsigned int ipv4_confirm(unsigned int hooknum,
ret = helper->help(skb, skb_network_offset(skb) + ip_hdrlen(skb),
ct, ctinfo);
if (ret != NF_ACCEPT)
if (ret != NF_ACCEPT) {
nf_log_packet(NFPROTO_IPV4, hooknum, skb, in, out, NULL,
"nf_ct_%s: dropping packet", helper->name);
return ret;
}
if (test_bit(IPS_SEQ_ADJUST_BIT, &ct->status)) {
typeof(nf_nat_seq_adjust_hook) seq_adjust;
......@@ -158,28 +162,28 @@ static struct nf_hook_ops ipv4_conntrack_ops[] __read_mostly = {
{
.hook = ipv4_conntrack_in,
.owner = THIS_MODULE,
.pf = PF_INET,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_PRE_ROUTING,
.priority = NF_IP_PRI_CONNTRACK,
},
{
.hook = ipv4_conntrack_local,
.owner = THIS_MODULE,
.pf = PF_INET,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_LOCAL_OUT,
.priority = NF_IP_PRI_CONNTRACK,
},
{
.hook = ipv4_confirm,
.owner = THIS_MODULE,
.pf = PF_INET,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_POST_ROUTING,
.priority = NF_IP_PRI_CONNTRACK_CONFIRM,
},
{
.hook = ipv4_confirm,
.owner = THIS_MODULE,
.pf = PF_INET,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_LOCAL_IN,
.priority = NF_IP_PRI_CONNTRACK_CONFIRM,
},
......@@ -256,11 +260,11 @@ getorigdst(struct sock *sk, int optval, void __user *user, int *len)
tuple.dst.u3.ip = inet->daddr;
tuple.dst.u.tcp.port = inet->dport;
tuple.src.l3num = PF_INET;
tuple.dst.protonum = IPPROTO_TCP;
tuple.dst.protonum = sk->sk_protocol;
/* We only do TCP at the moment: is there a better way? */
if (strcmp(sk->sk_prot->name, "TCP")) {
pr_debug("SO_ORIGINAL_DST: Not a TCP socket\n");
/* We only do TCP and SCTP at the moment: is there a better way? */
if (sk->sk_protocol != IPPROTO_TCP && sk->sk_protocol != IPPROTO_SCTP) {
pr_debug("SO_ORIGINAL_DST: Not a TCP/SCTP socket\n");
return -ENOPROTOOPT;
}
......
net/ipv4/netfilter/nf_nat_core.c
View file @ 9a0da0d1
......@@ -212,7 +212,7 @@ find_best_ips_proto(struct nf_conntrack_tuple *tuple,
maxip = ntohl(range->max_ip);
j = jhash_2words((__force u32)tuple->src.u3.ip,
range->flags & IP_NAT_RANGE_PERSISTENT ?
(__force u32)tuple->dst.u3.ip : 0, 0);
0 : (__force u32)tuple->dst.u3.ip, 0);
j = ((u64)j * (maxip - minip + 1)) >> 32;
*var_ipp = htonl(minip + j);
}
......@@ -620,7 +620,7 @@ static const struct nla_policy nat_nla_policy[CTA_NAT_MAX+1] = {
};
static int
nfnetlink_parse_nat(struct nlattr *nat,
nfnetlink_parse_nat(const struct nlattr *nat,
const struct nf_conn *ct, struct nf_nat_range *range)
{
struct nlattr *tb[CTA_NAT_MAX+1];
......@@ -656,7 +656,7 @@ nfnetlink_parse_nat(struct nlattr *nat,
static int
nfnetlink_parse_nat_setup(struct nf_conn *ct,
enum nf_nat_manip_type manip,
struct nlattr *attr)
const struct nlattr *attr)
{
struct nf_nat_range range;
......@@ -671,7 +671,7 @@ nfnetlink_parse_nat_setup(struct nf_conn *ct,
static int
nfnetlink_parse_nat_setup(struct nf_conn *ct,
enum nf_nat_manip_type manip,
struct nlattr *attr)
const struct nlattr *attr)
{
return -EOPNOTSUPP;
}
......
net/ipv4/netfilter/nf_nat_rule.c
View file @ 9a0da0d1
......@@ -28,7 +28,7 @@
(1 << NF_INET_POST_ROUTING) | \
(1 << NF_INET_LOCAL_OUT))
static struct
static const struct
{
struct ipt_replace repl;
struct ipt_standard entries[3];
......@@ -58,11 +58,11 @@ static struct
.term = IPT_ERROR_INIT, /* ERROR */
};
static struct xt_table nat_table = {
static const struct xt_table nat_table = {
.name = "nat",
.valid_hooks = NAT_VALID_HOOKS,
.me = THIS_MODULE,
.af = AF_INET,
.af = NFPROTO_IPV4,
};
/* Source NAT */
......
net/ipv4/netfilter/nf_nat_standalone.c
View file @ 9a0da0d1
......@@ -251,7 +251,7 @@ static struct nf_hook_ops nf_nat_ops[] __read_mostly = {
{
.hook = nf_nat_in,
.owner = THIS_MODULE,
.pf = PF_INET,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_PRE_ROUTING,
.priority = NF_IP_PRI_NAT_DST,
},
......@@ -259,7 +259,7 @@ static struct nf_hook_ops nf_nat_ops[] __read_mostly = {
{
.hook = nf_nat_out,
.owner = THIS_MODULE,
.pf = PF_INET,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_POST_ROUTING,
.priority = NF_IP_PRI_NAT_SRC,
},
......@@ -267,7 +267,7 @@ static struct nf_hook_ops nf_nat_ops[] __read_mostly = {
{
.hook = nf_nat_local_fn,
.owner = THIS_MODULE,
.pf = PF_INET,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_LOCAL_OUT,
.priority = NF_IP_PRI_NAT_DST,
},
......@@ -275,7 +275,7 @@ static struct nf_hook_ops nf_nat_ops[] __read_mostly = {
{
.hook = nf_nat_fn,
.owner = THIS_MODULE,
.pf = PF_INET,
.pf = NFPROTO_IPV4,
.hooknum = NF_INET_LOCAL_IN,
.priority = NF_IP_PRI_NAT_SRC,
},
......
net/ipv6/netfilter/ip6_tables.c
View file @ 9a0da0d1
......@@ -8,7 +8,7 @@
* it under the terms of the GNU General Public License version 2 as
* published by the Free Software Foundation.
*/
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/capability.h>
#include <linux/in.h>
#include <linux/skbuff.h>
......@@ -222,16 +222,11 @@ get_entry(void *base, unsigned int offset)
/* All zeroes == unconditional rule. */
/* Mildly perf critical (only if packet tracing is on) */
static inline int
unconditional(const struct ip6t_ip6 *ipv6)
static inline bool unconditional(const struct ip6t_ip6 *ipv6)
{
unsigned int i;
for (i = 0; i < sizeof(*ipv6); i++)
if (((char *)ipv6)[i])
break;
static const struct ip6t_ip6 uncond;
return (i == sizeof(*ipv6));
return memcmp(ipv6, &uncond, sizeof(uncond)) == 0;
}
#if defined(CONFIG_NETFILTER_XT_TARGET_TRACE) || \
......@@ -745,6 +740,21 @@ find_check_entry(struct ip6t_entry *e, const char *name, unsigned int size,
return ret;
}
static bool check_underflow(struct ip6t_entry *e)
{
const struct ip6t_entry_target *t;
unsigned int verdict;
if (!unconditional(&e->ipv6))
return false;
t = ip6t_get_target(e);
if (strcmp(t->u.user.name, XT_STANDARD_TARGET) != 0)
return false;
verdict = ((struct ip6t_standard_target *)t)->verdict;
verdict = -verdict - 1;
return verdict == NF_DROP || verdict == NF_ACCEPT;
}
static int
check_entry_size_and_hooks(struct ip6t_entry *e,
struct xt_table_info *newinfo,
......@@ -752,6 +762,7 @@ check_entry_size_and_hooks(struct ip6t_entry *e,
unsigned char *limit,
const unsigned int *hook_entries,
const unsigned int *underflows,
unsigned int valid_hooks,
unsigned int *i)
{
unsigned int h;
......@@ -771,14 +782,20 @@ check_entry_size_and_hooks(struct ip6t_entry *e,
/* Check hooks & underflows */
for (h = 0; h < NF_INET_NUMHOOKS; h++) {
if (!(valid_hooks & (1 << h)))
continue;
if ((unsigned char *)e - base == hook_entries[h])
newinfo->hook_entry[h] = hook_entries[h];
if ((unsigned char *)e - base == underflows[h])
if ((unsigned char *)e - base == underflows[h]) {
if (!check_underflow(e)) {
pr_err("Underflows must be unconditional and "
"use the STANDARD target with "
"ACCEPT/DROP\n");
return -EINVAL;
}
newinfo->underflow[h] = underflows[h];
}
/* FIXME: underflows must be unconditional, standard verdicts
< 0 (not IP6T_RETURN). --RR */
}
/* Clear counters and comefrom */
e->counters = ((struct xt_counters) { 0, 0 });
......@@ -842,7 +859,7 @@ translate_table(const char *name,
newinfo,
entry0,
entry0 + size,
hook_entries, underflows, &i);
hook_entries, underflows, valid_hooks, &i);
if (ret != 0)
return ret;
......@@ -2083,7 +2100,8 @@ do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len)
return ret;
}
struct xt_table *ip6t_register_table(struct net *net, struct xt_table *table,
struct xt_table *ip6t_register_table(struct net *net,
const struct xt_table *table,
const struct ip6t_replace *repl)
{
int ret;
......
net/ipv6/netfilter/ip6t_eui64.c
View file @ 9a0da0d1
......@@ -23,7 +23,6 @@ static bool
eui64_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
{
unsigned char eui64[8];
int i = 0;
if (!(skb_mac_header(skb) >= skb->head &&
skb_mac_header(skb) + ETH_HLEN <= skb->data) &&
......@@ -42,12 +41,8 @@ eui64_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
eui64[4] = 0xfe;
eui64[0] ^= 0x02;
i = 0;
while (ipv6_hdr(skb)->saddr.s6_addr[8 + i] == eui64[i]
&& i < 8)
i++;
if (i == 8)
if (!memcmp(ipv6_hdr(skb)->saddr.s6_addr + 8, eui64,
sizeof(eui64)))
return true;
}
}
......
net/ipv6/netfilter/ip6table_filter.c
View file @ 9a0da0d1
......@@ -51,11 +51,11 @@ static struct
.term = IP6T_ERROR_INIT, /* ERROR */
};
static struct xt_table packet_filter = {
static const struct xt_table packet_filter = {
.name = "filter",
.valid_hooks = FILTER_VALID_HOOKS,
.me = THIS_MODULE,
.af = AF_INET6,
.af = NFPROTO_IPV6,
};
/* The work comes in here from netfilter.c. */
......@@ -95,21 +95,21 @@ static struct nf_hook_ops ip6t_ops[] __read_mostly = {
{
.hook = ip6t_in_hook,
.owner = THIS_MODULE,
.pf = PF_INET6,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_LOCAL_IN,
.priority = NF_IP6_PRI_FILTER,
},
{
.hook = ip6t_in_hook,
.owner = THIS_MODULE,
.pf = PF_INET6,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_FORWARD,
.priority = NF_IP6_PRI_FILTER,
},
{
.hook = ip6t_local_out_hook,
.owner = THIS_MODULE,
.pf = PF_INET6,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_LOCAL_OUT,
.priority = NF_IP6_PRI_FILTER,
},
......
net/ipv6/netfilter/ip6table_mangle.c
View file @ 9a0da0d1
......@@ -21,7 +21,7 @@ MODULE_DESCRIPTION("ip6tables mangle table");
(1 << NF_INET_LOCAL_OUT) | \
(1 << NF_INET_POST_ROUTING))
static struct
static const struct
{
struct ip6t_replace repl;
struct ip6t_standard entries[5];
......@@ -57,11 +57,11 @@ static struct
.term = IP6T_ERROR_INIT, /* ERROR */
};
static struct xt_table packet_mangler = {
static const struct xt_table packet_mangler = {
.name = "mangle",
.valid_hooks = MANGLE_VALID_HOOKS,
.me = THIS_MODULE,
.af = AF_INET6,
.af = NFPROTO_IPV6,
};
/* The work comes in here from netfilter.c. */
......@@ -136,35 +136,35 @@ static struct nf_hook_ops ip6t_ops[] __read_mostly = {
{
.hook = ip6t_in_hook,
.owner = THIS_MODULE,
.pf = PF_INET6,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_PRE_ROUTING,
.priority = NF_IP6_PRI_MANGLE,
},
{
.hook = ip6t_in_hook,
.owner = THIS_MODULE,
.pf = PF_INET6,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_LOCAL_IN,
.priority = NF_IP6_PRI_MANGLE,
},
{
.hook = ip6t_in_hook,
.owner = THIS_MODULE,
.pf = PF_INET6,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_FORWARD,
.priority = NF_IP6_PRI_MANGLE,
},
{
.hook = ip6t_local_out_hook,
.owner = THIS_MODULE,
.pf = PF_INET6,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_LOCAL_OUT,
.priority = NF_IP6_PRI_MANGLE,
},
{
.hook = ip6t_post_routing_hook,
.owner = THIS_MODULE,
.pf = PF_INET6,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_POST_ROUTING,
.priority = NF_IP6_PRI_MANGLE,
},
......
net/ipv6/netfilter/ip6table_raw.c
View file @ 9a0da0d1
......@@ -8,7 +8,7 @@
#define RAW_VALID_HOOKS ((1 << NF_INET_PRE_ROUTING) | (1 << NF_INET_LOCAL_OUT))
static struct
static const struct
{
struct ip6t_replace repl;
struct ip6t_standard entries[2];
......@@ -35,11 +35,11 @@ static struct
.term = IP6T_ERROR_INIT, /* ERROR */
};
static struct xt_table packet_raw = {
static const struct xt_table packet_raw = {
.name = "raw",
.valid_hooks = RAW_VALID_HOOKS,
.me = THIS_MODULE,
.af = AF_INET6,
.af = NFPROTO_IPV6,
};
/* The work comes in here from netfilter.c. */
......@@ -68,14 +68,14 @@ ip6t_local_out_hook(unsigned int hook,
static struct nf_hook_ops ip6t_ops[] __read_mostly = {
{
.hook = ip6t_pre_routing_hook,
.pf = PF_INET6,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_PRE_ROUTING,
.priority = NF_IP6_PRI_FIRST,
.owner = THIS_MODULE,
},
{
.hook = ip6t_local_out_hook,
.pf = PF_INET6,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_LOCAL_OUT,
.priority = NF_IP6_PRI_FIRST,
.owner = THIS_MODULE,
......
net/ipv6/netfilter/ip6table_security.c
View file @ 9a0da0d1
......@@ -26,7 +26,7 @@ MODULE_DESCRIPTION("ip6tables security table, for MAC rules");
(1 << NF_INET_FORWARD) | \
(1 << NF_INET_LOCAL_OUT)
static struct
static const struct
{
struct ip6t_replace repl;
struct ip6t_standard entries[3];
......@@ -56,11 +56,11 @@ static struct
.term = IP6T_ERROR_INIT, /* ERROR */
};
static struct xt_table security_table = {
static const struct xt_table security_table = {
.name = "security",
.valid_hooks = SECURITY_VALID_HOOKS,
.me = THIS_MODULE,
.af = AF_INET6,
.af = NFPROTO_IPV6,
};
static unsigned int
......@@ -101,21 +101,21 @@ static struct nf_hook_ops ip6t_ops[] __read_mostly = {
{
.hook = ip6t_local_in_hook,
.owner = THIS_MODULE,
.pf = PF_INET6,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_LOCAL_IN,
.priority = NF_IP6_PRI_SECURITY,
},
{
.hook = ip6t_forward_hook,
.owner = THIS_MODULE,
.pf = PF_INET6,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_FORWARD,
.priority = NF_IP6_PRI_SECURITY,
},
{
.hook = ip6t_local_out_hook,
.owner = THIS_MODULE,
.pf = PF_INET6,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_LOCAL_OUT,
.priority = NF_IP6_PRI_SECURITY,
},
......
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
View file @ 9a0da0d1
......@@ -27,6 +27,7 @@
#include <net/netfilter/nf_conntrack_l3proto.h>
#include <net/netfilter/nf_conntrack_core.h>
#include <net/netfilter/ipv6/nf_conntrack_ipv6.h>
#include <net/netfilter/nf_log.h>
static bool ipv6_pkt_to_tuple(const struct sk_buff *skb, unsigned int nhoff,
struct nf_conntrack_tuple *tuple)
......@@ -176,8 +177,11 @@ static unsigned int ipv6_confirm(unsigned int hooknum,
}
ret = helper->help(skb, protoff, ct, ctinfo);
if (ret != NF_ACCEPT)
if (ret != NF_ACCEPT) {
nf_log_packet(NFPROTO_IPV6, hooknum, skb, in, out, NULL,
"nf_ct_%s: dropping packet", helper->name);
return ret;
}
out:
/* We've seen it coming out the other side: confirm it */
return nf_conntrack_confirm(skb);
......@@ -265,42 +269,42 @@ static struct nf_hook_ops ipv6_conntrack_ops[] __read_mostly = {
{
.hook = ipv6_defrag,
.owner = THIS_MODULE,
.pf = PF_INET6,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_PRE_ROUTING,
.priority = NF_IP6_PRI_CONNTRACK_DEFRAG,
},
{
.hook = ipv6_conntrack_in,
.owner = THIS_MODULE,
.pf = PF_INET6,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_PRE_ROUTING,
.priority = NF_IP6_PRI_CONNTRACK,
},
{
.hook = ipv6_conntrack_local,
.owner = THIS_MODULE,
.pf = PF_INET6,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_LOCAL_OUT,
.priority = NF_IP6_PRI_CONNTRACK,
},
{
.hook = ipv6_defrag,
.owner = THIS_MODULE,
.pf = PF_INET6,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_LOCAL_OUT,
.priority = NF_IP6_PRI_CONNTRACK_DEFRAG,
},
{
.hook = ipv6_confirm,
.owner = THIS_MODULE,
.pf = PF_INET6,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_POST_ROUTING,
.priority = NF_IP6_PRI_LAST,
},
{
.hook = ipv6_confirm,
.owner = THIS_MODULE,
.pf = PF_INET6,
.pf = NFPROTO_IPV6,
.hooknum = NF_INET_LOCAL_IN,
.priority = NF_IP6_PRI_LAST-1,
},
......
net/netfilter/ipvs/ip_vs_core.c
View file @ 9a0da0d1
......@@ -1259,7 +1259,7 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb,
struct ip_vs_iphdr iph;
struct ip_vs_protocol *pp;
struct ip_vs_conn *cp;
int ret, restart, af;
int ret, restart, af, pkts;
af = (skb->protocol == htons(ETH_P_IP)) ? AF_INET : AF_INET6;
......@@ -1277,6 +1277,17 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb,
return NF_ACCEPT;
}
#ifdef CONFIG_IP_VS_IPV6
if (af == AF_INET6) {
if (unlikely(iph.protocol == IPPROTO_ICMPV6)) {
int related, verdict = ip_vs_in_icmp_v6(skb, &related, hooknum);
if (related)
return verdict;
ip_vs_fill_iphdr(af, skb_network_header(skb), &iph);
}
} else
#endif
if (unlikely(iph.protocol == IPPROTO_ICMP)) {
int related, verdict = ip_vs_in_icmp(skb, &related, hooknum);
......@@ -1346,12 +1357,12 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb,
* Sync connection if it is about to close to
* encorage the standby servers to update the connections timeout
*/
atomic_inc(&cp->in_pkts);
pkts = atomic_add_return(1, &cp->in_pkts);
if (af == AF_INET &&
(ip_vs_sync_state & IP_VS_STATE_MASTER) &&
(((cp->protocol != IPPROTO_TCP ||
cp->state == IP_VS_TCP_S_ESTABLISHED) &&
(atomic_read(&cp->in_pkts) % sysctl_ip_vs_sync_threshold[1]
(pkts % sysctl_ip_vs_sync_threshold[1]
== sysctl_ip_vs_sync_threshold[0])) ||
((cp->protocol == IPPROTO_TCP) && (cp->old_state != cp->state) &&
((cp->state == IP_VS_TCP_S_FIN_WAIT) ||
......
net/netfilter/ipvs/ip_vs_wrr.c
View file @ 9a0da0d1
......@@ -77,11 +77,12 @@ static int ip_vs_wrr_gcd_weight(struct ip_vs_service *svc)
static int ip_vs_wrr_max_weight(struct ip_vs_service *svc)
{
struct ip_vs_dest *dest;
int weight = 0;
int new_weight, weight = 0;
list_for_each_entry(dest, &svc->destinations, n_list) {
if (atomic_read(&dest->weight) > weight)
weight = atomic_read(&dest->weight);
new_weight = atomic_read(&dest->weight);
if (new_weight > weight)
weight = new_weight;
}
return weight;
......
net/netfilter/nf_conntrack_core.c
View file @ 9a0da0d1
......@@ -47,7 +47,7 @@
int (*nfnetlink_parse_nat_setup_hook)(struct nf_conn *ct,
enum nf_nat_manip_type manip,
struct nlattr *attr) __read_mostly;
const struct nlattr *attr) __read_mostly;
EXPORT_SYMBOL_GPL(nfnetlink_parse_nat_setup_hook);
DEFINE_SPINLOCK(nf_conntrack_lock);
......@@ -1089,14 +1089,14 @@ void nf_conntrack_flush_report(struct net *net, u32 pid, int report)
}
EXPORT_SYMBOL_GPL(nf_conntrack_flush_report);
static void nf_ct_release_dying_list(void)
static void nf_ct_release_dying_list(struct net *net)
{
struct nf_conntrack_tuple_hash *h;
struct nf_conn *ct;
struct hlist_nulls_node *n;
spin_lock_bh(&nf_conntrack_lock);
hlist_nulls_for_each_entry(h, n, &init_net.ct.dying, hnnode) {
hlist_nulls_for_each_entry(h, n, &net->ct.dying, hnnode) {
ct = nf_ct_tuplehash_to_ctrack(h);
/* never fails to remove them, no listeners at this point */
nf_ct_kill(ct);
......@@ -1115,7 +1115,7 @@ static void nf_conntrack_cleanup_net(struct net *net)
{
i_see_dead_people:
nf_ct_iterate_cleanup(net, kill_all, NULL);
nf_ct_release_dying_list();
nf_ct_release_dying_list(net);
if (atomic_read(&net->ct.count) != 0) {
schedule();
goto i_see_dead_people;
......
net/netfilter/nf_conntrack_netlink.c
View file @ 9a0da0d1
......@@ -704,7 +704,8 @@ ctnetlink_parse_tuple_proto(struct nlattr *attr,
}
static int
ctnetlink_parse_tuple(struct nlattr *cda[], struct nf_conntrack_tuple *tuple,
ctnetlink_parse_tuple(const struct nlattr * const cda[],
struct nf_conntrack_tuple *tuple,
enum ctattr_tuple type, u_int8_t l3num)
{
struct nlattr *tb[CTA_TUPLE_MAX+1];
......@@ -740,7 +741,7 @@ ctnetlink_parse_tuple(struct nlattr *cda[], struct nf_conntrack_tuple *tuple,
}
static inline int
ctnetlink_parse_help(struct nlattr *attr, char **helper_name)
ctnetlink_parse_help(const struct nlattr *attr, char **helper_name)
{
struct nlattr *tb[CTA_HELP_MAX+1];
......@@ -764,7 +765,8 @@ static const struct nla_policy ct_nla_policy[CTA_MAX+1] = {
static int
ctnetlink_del_conntrack(struct sock *ctnl, struct sk_buff *skb,
struct nlmsghdr *nlh, struct nlattr *cda[])
const struct nlmsghdr *nlh,
const struct nlattr * const cda[])
{
struct nf_conntrack_tuple_hash *h;
struct nf_conntrack_tuple tuple;
......@@ -823,7 +825,8 @@ ctnetlink_del_conntrack(struct sock *ctnl, struct sk_buff *skb,
static int
ctnetlink_get_conntrack(struct sock *ctnl, struct sk_buff *skb,
struct nlmsghdr *nlh, struct nlattr *cda[])
const struct nlmsghdr *nlh,
const struct nlattr * const cda[])
{
struct nf_conntrack_tuple_hash *h;
struct nf_conntrack_tuple tuple;
......@@ -884,7 +887,7 @@ ctnetlink_get_conntrack(struct sock *ctnl, struct sk_buff *skb,
static int
ctnetlink_parse_nat_setup(struct nf_conn *ct,
enum nf_nat_manip_type manip,
struct nlattr *attr)
const struct nlattr *attr)
{
typeof(nfnetlink_parse_nat_setup_hook) parse_nat_setup;
......@@ -914,7 +917,7 @@ ctnetlink_parse_nat_setup(struct nf_conn *ct,
#endif
static int
ctnetlink_change_status(struct nf_conn *ct, struct nlattr *cda[])
ctnetlink_change_status(struct nf_conn *ct, const struct nlattr * const cda[])
{
unsigned long d;
unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS]));
......@@ -940,7 +943,7 @@ ctnetlink_change_status(struct nf_conn *ct, struct nlattr *cda[])
}
static int
ctnetlink_change_nat(struct nf_conn *ct, struct nlattr *cda[])
ctnetlink_change_nat(struct nf_conn *ct, const struct nlattr * const cda[])
{
#ifdef CONFIG_NF_NAT_NEEDED
int ret;
......@@ -966,7 +969,7 @@ ctnetlink_change_nat(struct nf_conn *ct, struct nlattr *cda[])
}
static inline int
ctnetlink_change_helper(struct nf_conn *ct, struct nlattr *cda[])
ctnetlink_change_helper(struct nf_conn *ct, const struct nlattr * const cda[])
{
struct nf_conntrack_helper *helper;
struct nf_conn_help *help = nfct_help(ct);
......@@ -1028,7 +1031,7 @@ ctnetlink_change_helper(struct nf_conn *ct, struct nlattr *cda[])
}
static inline int
ctnetlink_change_timeout(struct nf_conn *ct, struct nlattr *cda[])
ctnetlink_change_timeout(struct nf_conn *ct, const struct nlattr * const cda[])
{
u_int32_t timeout = ntohl(nla_get_be32(cda[CTA_TIMEOUT]));
......@@ -1042,9 +1045,10 @@ ctnetlink_change_timeout(struct nf_conn *ct, struct nlattr *cda[])
}
static inline int
ctnetlink_change_protoinfo(struct nf_conn *ct, struct nlattr *cda[])
ctnetlink_change_protoinfo(struct nf_conn *ct, const struct nlattr * const cda[])
{
struct nlattr *tb[CTA_PROTOINFO_MAX+1], *attr = cda[CTA_PROTOINFO];
const struct nlattr *attr = cda[CTA_PROTOINFO];
struct nlattr *tb[CTA_PROTOINFO_MAX+1];
struct nf_conntrack_l4proto *l4proto;
int err = 0;
......@@ -1061,7 +1065,7 @@ ctnetlink_change_protoinfo(struct nf_conn *ct, struct nlattr *cda[])
#ifdef CONFIG_NF_NAT_NEEDED
static inline int
change_nat_seq_adj(struct nf_nat_seq *natseq, struct nlattr *attr)
change_nat_seq_adj(struct nf_nat_seq *natseq, const struct nlattr * const attr)
{
struct nlattr *cda[CTA_NAT_SEQ_MAX+1];
......@@ -1089,7 +1093,8 @@ change_nat_seq_adj(struct nf_nat_seq *natseq, struct nlattr *attr)
}
static int
ctnetlink_change_nat_seq_adj(struct nf_conn *ct, struct nlattr *cda[])
ctnetlink_change_nat_seq_adj(struct nf_conn *ct,
const struct nlattr * const cda[])
{
int ret = 0;
struct nf_conn_nat *nat = nfct_nat(ct);
......@@ -1120,7 +1125,8 @@ ctnetlink_change_nat_seq_adj(struct nf_conn *ct, struct nlattr *cda[])
#endif
static int
ctnetlink_change_conntrack(struct nf_conn *ct, struct nlattr *cda[])
ctnetlink_change_conntrack(struct nf_conn *ct,
const struct nlattr * const cda[])
{
int err;
......@@ -1169,7 +1175,7 @@ ctnetlink_change_conntrack(struct nf_conn *ct, struct nlattr *cda[])
}
static struct nf_conn *
ctnetlink_create_conntrack(struct nlattr *cda[],
ctnetlink_create_conntrack(const struct nlattr * const cda[],
struct nf_conntrack_tuple *otuple,
struct nf_conntrack_tuple *rtuple,
u8 u3)
......@@ -1304,7 +1310,8 @@ ctnetlink_create_conntrack(struct nlattr *cda[],
static int
ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
struct nlmsghdr *nlh, struct nlattr *cda[])
const struct nlmsghdr *nlh,
const struct nlattr * const cda[])
{
struct nf_conntrack_tuple otuple, rtuple;
struct nf_conntrack_tuple_hash *h = NULL;
......@@ -1629,7 +1636,8 @@ static const struct nla_policy exp_nla_policy[CTA_EXPECT_MAX+1] = {
static int
ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb,
struct nlmsghdr *nlh, struct nlattr *cda[])
const struct nlmsghdr *nlh,
const struct nlattr * const cda[])
{
struct nf_conntrack_tuple tuple;
struct nf_conntrack_expect *exp;
......@@ -1689,7 +1697,8 @@ ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb,
static int
ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb,
struct nlmsghdr *nlh, struct nlattr *cda[])
const struct nlmsghdr *nlh,
const struct nlattr * const cda[])
{
struct nf_conntrack_expect *exp;
struct nf_conntrack_tuple tuple;
......@@ -1767,13 +1776,15 @@ ctnetlink_del_expect(struct sock *ctnl, struct sk_buff *skb,
return 0;
}
static int
ctnetlink_change_expect(struct nf_conntrack_expect *x, struct nlattr *cda[])
ctnetlink_change_expect(struct nf_conntrack_expect *x,
const struct nlattr * const cda[])
{
return -EOPNOTSUPP;
}
static int
ctnetlink_create_expect(struct nlattr *cda[], u_int8_t u3, u32 pid, int report)
ctnetlink_create_expect(const struct nlattr * const cda[], u_int8_t u3,
u32 pid, int report)
{
struct nf_conntrack_tuple tuple, mask, master_tuple;
struct nf_conntrack_tuple_hash *h = NULL;
......@@ -1831,7 +1842,8 @@ ctnetlink_create_expect(struct nlattr *cda[], u_int8_t u3, u32 pid, int report)
static int
ctnetlink_new_expect(struct sock *ctnl, struct sk_buff *skb,
struct nlmsghdr *nlh, struct nlattr *cda[])
const struct nlmsghdr *nlh,
const struct nlattr * const cda[])
{
struct nf_conntrack_tuple tuple;
struct nf_conntrack_expect *exp;
......
net/netfilter/nfnetlink.c
View file @ 9a0da0d1
......@@ -170,7 +170,7 @@ static int nfnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh)
if (err < 0)
return err;
err = nc->call(nfnl, skb, nlh, cda);
err = nc->call(nfnl, skb, nlh, (const struct nlattr **)cda);
if (err == -EAGAIN)
goto replay;
return err;
......
net/netfilter/nfnetlink_log.c
View file @ 9a0da0d1
......@@ -694,7 +694,8 @@ static struct notifier_block nfulnl_rtnl_notifier = {
static int
nfulnl_recv_unsupp(struct sock *ctnl, struct sk_buff *skb,
struct nlmsghdr *nlh, struct nlattr *nfqa[])
const struct nlmsghdr *nlh,
const struct nlattr * const nfqa[])
{
return -ENOTSUPP;
}
......@@ -716,7 +717,8 @@ static const struct nla_policy nfula_cfg_policy[NFULA_CFG_MAX+1] = {
static int
nfulnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
struct nlmsghdr *nlh, struct nlattr *nfula[])
const struct nlmsghdr *nlh,
const struct nlattr * const nfula[])
{
struct nfgenmsg *nfmsg = NLMSG_DATA(nlh);
u_int16_t group_num = ntohs(nfmsg->res_id);
......
net/netfilter/nfnetlink_queue.c
View file @ 9a0da0d1
......@@ -608,7 +608,8 @@ static const struct nla_policy nfqa_verdict_policy[NFQA_MAX+1] = {
static int
nfqnl_recv_verdict(struct sock *ctnl, struct sk_buff *skb,
struct nlmsghdr *nlh, struct nlattr *nfqa[])
const struct nlmsghdr *nlh,
const struct nlattr * const nfqa[])
{
struct nfgenmsg *nfmsg = NLMSG_DATA(nlh);
u_int16_t queue_num = ntohs(nfmsg->res_id);
......@@ -670,7 +671,8 @@ nfqnl_recv_verdict(struct sock *ctnl, struct sk_buff *skb,
static int
nfqnl_recv_unsupp(struct sock *ctnl, struct sk_buff *skb,
struct nlmsghdr *nlh, struct nlattr *nfqa[])
const struct nlmsghdr *nlh,
const struct nlattr * const nfqa[])
{
return -ENOTSUPP;
}
......@@ -687,7 +689,8 @@ static const struct nf_queue_handler nfqh = {
static int
nfqnl_recv_config(struct sock *ctnl, struct sk_buff *skb,
struct nlmsghdr *nlh, struct nlattr *nfqa[])
const struct nlmsghdr *nlh,
const struct nlattr * const nfqa[])
{
struct nfgenmsg *nfmsg = NLMSG_DATA(nlh);
u_int16_t queue_num = ntohs(nfmsg->res_id);
......
net/netfilter/x_tables.c
View file @ 9a0da0d1
......@@ -736,16 +736,17 @@ xt_replace_table(struct xt_table *table,
}
EXPORT_SYMBOL_GPL(xt_replace_table);
struct xt_table *xt_register_table(struct net *net, struct xt_table *table,
struct xt_table *xt_register_table(struct net *net,
const struct xt_table *input_table,
struct xt_table_info *bootstrap,
struct xt_table_info *newinfo)
{
int ret;
struct xt_table_info *private;
struct xt_table *t;
struct xt_table *t, *table;
/* Don't add one object to multiple lists. */
table = kmemdup(table, sizeof(struct xt_table), GFP_KERNEL);
table = kmemdup(input_table, sizeof(struct xt_table), GFP_KERNEL);
if (!table) {
ret = -ENOMEM;
goto out;
......
net/netfilter/xt_CONNMARK.c
View file @ 9a0da0d1
......@@ -35,45 +35,6 @@ MODULE_ALIAS("ip6t_CONNMARK");
#include <linux/netfilter/xt_CONNMARK.h>
#include <net/netfilter/nf_conntrack_ecache.h>
static unsigned int
connmark_tg_v0(struct sk_buff *skb, const struct xt_target_param *par)
{
const struct xt_connmark_target_info *markinfo = par->targinfo;
struct nf_conn *ct;
enum ip_conntrack_info ctinfo;
u_int32_t diff;
u_int32_t mark;
u_int32_t newmark;
ct = nf_ct_get(skb, &ctinfo);
if (ct) {
switch(markinfo->mode) {
case XT_CONNMARK_SET:
newmark = (ct->mark & ~markinfo->mask) | markinfo->mark;
if (newmark != ct->mark) {
ct->mark = newmark;
nf_conntrack_event_cache(IPCT_MARK, ct);
}
break;
case XT_CONNMARK_SAVE:
newmark = (ct->mark & ~markinfo->mask) |
(skb->mark & markinfo->mask);
if (ct->mark != newmark) {
ct->mark = newmark;
nf_conntrack_event_cache(IPCT_MARK, ct);
}
break;
case XT_CONNMARK_RESTORE:
mark = skb->mark;
diff = (ct->mark ^ mark) & markinfo->mask;
skb->mark = mark ^ diff;
break;
}
}
return XT_CONTINUE;
}
static unsigned int
connmark_tg(struct sk_buff *skb, const struct xt_target_param *par)
{
......@@ -112,30 +73,6 @@ connmark_tg(struct sk_buff *skb, const struct xt_target_param *par)
return XT_CONTINUE;
}
static bool connmark_tg_check_v0(const struct xt_tgchk_param *par)
{
const struct xt_connmark_target_info *matchinfo = par->targinfo;
if (matchinfo->mode == XT_CONNMARK_RESTORE) {
if (strcmp(par->table, "mangle") != 0) {
printk(KERN_WARNING "CONNMARK: restore can only be "
"called from \"mangle\" table, not \"%s\"\n",
par->table);
return false;
}
}
if (matchinfo->mark > 0xffffffff || matchinfo->mask > 0xffffffff) {
printk(KERN_WARNING "CONNMARK: Only supports 32bit mark\n");
return false;
}
if (nf_ct_l3proto_try_module_get(par->family) < 0) {
printk(KERN_WARNING "can't load conntrack support for "
"proto=%u\n", par->family);
return false;
}
return true;
}
static bool connmark_tg_check(const struct xt_tgchk_param *par)
{
if (nf_ct_l3proto_try_module_get(par->family) < 0) {
......@@ -151,54 +88,7 @@ static void connmark_tg_destroy(const struct xt_tgdtor_param *par)
nf_ct_l3proto_module_put(par->family);
}
#ifdef CONFIG_COMPAT
struct compat_xt_connmark_target_info {
compat_ulong_t mark, mask;
u_int8_t mode;
u_int8_t __pad1;
u_int16_t __pad2;
};
static void connmark_tg_compat_from_user_v0(void *dst, void *src)
{
const struct compat_xt_connmark_target_info *cm = src;
struct xt_connmark_target_info m = {
.mark = cm->mark,
.mask = cm->mask,
.mode = cm->mode,
};
memcpy(dst, &m, sizeof(m));
}
static int connmark_tg_compat_to_user_v0(void __user *dst, void *src)
{
const struct xt_connmark_target_info *m = src;
struct compat_xt_connmark_target_info cm = {
.mark = m->mark,
.mask = m->mask,
.mode = m->mode,
};
return copy_to_user(dst, &cm, sizeof(cm)) ? -EFAULT : 0;
}
#endif /* CONFIG_COMPAT */
static struct xt_target connmark_tg_reg[] __read_mostly = {
{
.name = "CONNMARK",
.revision = 0,
.family = NFPROTO_UNSPEC,
.checkentry = connmark_tg_check_v0,
.destroy = connmark_tg_destroy,
.target = connmark_tg_v0,
.targetsize = sizeof(struct xt_connmark_target_info),
#ifdef CONFIG_COMPAT
.compatsize = sizeof(struct compat_xt_connmark_target_info),
.compat_from_user = connmark_tg_compat_from_user_v0,
.compat_to_user = connmark_tg_compat_to_user_v0,
#endif
.me = THIS_MODULE
},
{
static struct xt_target connmark_tg_reg __read_mostly = {
.name = "CONNMARK",
.revision = 1,
.family = NFPROTO_UNSPEC,
......@@ -207,18 +97,16 @@ static struct xt_target connmark_tg_reg[] __read_mostly = {
.targetsize = sizeof(struct xt_connmark_tginfo1),
.destroy = connmark_tg_destroy,
.me = THIS_MODULE,
},
};
static int __init connmark_tg_init(void)
{
return xt_register_targets(connmark_tg_reg,
ARRAY_SIZE(connmark_tg_reg));
return xt_register_target(&connmark_tg_reg);
}
static void __exit connmark_tg_exit(void)
{
xt_unregister_targets(connmark_tg_reg, ARRAY_SIZE(connmark_tg_reg));
xt_unregister_target(&connmark_tg_reg);
}
module_init(connmark_tg_init);
......
net/netfilter/xt_DSCP.c
View file @ 9a0da0d1
......@@ -18,7 +18,6 @@
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_DSCP.h>
#include <linux/netfilter_ipv4/ipt_TOS.h>
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
MODULE_DESCRIPTION("Xtables: DSCP/TOS field modification");
......@@ -72,41 +71,6 @@ static bool dscp_tg_check(const struct xt_tgchk_param *par)
return true;
}
static unsigned int
tos_tg_v0(struct sk_buff *skb, const struct xt_target_param *par)
{
const struct ipt_tos_target_info *info = par->targinfo;
struct iphdr *iph = ip_hdr(skb);
u_int8_t oldtos;
if ((iph->tos & IPTOS_TOS_MASK) != info->tos) {
if (!skb_make_writable(skb, sizeof(struct iphdr)))
return NF_DROP;
iph = ip_hdr(skb);
oldtos = iph->tos;
iph->tos = (iph->tos & IPTOS_PREC_MASK) | info->tos;
csum_replace2(&iph->check, htons(oldtos), htons(iph->tos));
}
return XT_CONTINUE;
}
static bool tos_tg_check_v0(const struct xt_tgchk_param *par)
{
const struct ipt_tos_target_info *info = par->targinfo;
const uint8_t tos = info->tos;
if (tos != IPTOS_LOWDELAY && tos != IPTOS_THROUGHPUT &&
tos != IPTOS_RELIABILITY && tos != IPTOS_MINCOST &&
tos != IPTOS_NORMALSVC) {
printk(KERN_WARNING "TOS: bad tos value %#x\n", tos);
return false;
}
return true;
}
static unsigned int
tos_tg(struct sk_buff *skb, const struct xt_target_param *par)
{
......@@ -166,16 +130,6 @@ static struct xt_target dscp_tg_reg[] __read_mostly = {
.table = "mangle",
.me = THIS_MODULE,
},
{
.name = "TOS",
.revision = 0,
.family = NFPROTO_IPV4,
.table = "mangle",
.target = tos_tg_v0,
.targetsize = sizeof(struct ipt_tos_target_info),
.checkentry = tos_tg_check_v0,
.me = THIS_MODULE,
},
{
.name = "TOS",
.revision = 1,
......
net/netfilter/xt_MARK.c
View file @ 9a0da0d1
......@@ -24,39 +24,6 @@ MODULE_DESCRIPTION("Xtables: packet mark modification");
MODULE_ALIAS("ipt_MARK");
MODULE_ALIAS("ip6t_MARK");
static unsigned int
mark_tg_v0(struct sk_buff *skb, const struct xt_target_param *par)
{
const struct xt_mark_target_info *markinfo = par->targinfo;
skb->mark = markinfo->mark;
return XT_CONTINUE;
}
static unsigned int
mark_tg_v1(struct sk_buff *skb, const struct xt_target_param *par)
{
const struct xt_mark_target_info_v1 *markinfo = par->targinfo;
int mark = 0;
switch (markinfo->mode) {
case XT_MARK_SET:
mark = markinfo->mark;
break;
case XT_MARK_AND:
mark = skb->mark & markinfo->mark;
break;
case XT_MARK_OR:
mark = skb->mark | markinfo->mark;
break;
}
skb->mark = mark;
return XT_CONTINUE;
}
static unsigned int
mark_tg(struct sk_buff *skb, const struct xt_target_param *par)
{
......@@ -66,135 +33,23 @@ mark_tg(struct sk_buff *skb, const struct xt_target_param *par)
return XT_CONTINUE;
}
static bool mark_tg_check_v0(const struct xt_tgchk_param *par)
{
const struct xt_mark_target_info *markinfo = par->targinfo;
if (markinfo->mark > 0xffffffff) {
printk(KERN_WARNING "MARK: Only supports 32bit wide mark\n");
return false;
}
return true;
}
static bool mark_tg_check_v1(const struct xt_tgchk_param *par)
{
const struct xt_mark_target_info_v1 *markinfo = par->targinfo;
if (markinfo->mode != XT_MARK_SET
&& markinfo->mode != XT_MARK_AND
&& markinfo->mode != XT_MARK_OR) {
printk(KERN_WARNING "MARK: unknown mode %u\n",
markinfo->mode);
return false;
}
if (markinfo->mark > 0xffffffff) {
printk(KERN_WARNING "MARK: Only supports 32bit wide mark\n");
return false;
}
return true;
}
#ifdef CONFIG_COMPAT
struct compat_xt_mark_target_info {
compat_ulong_t mark;
};
static void mark_tg_compat_from_user_v0(void *dst, void *src)
{
const struct compat_xt_mark_target_info *cm = src;
struct xt_mark_target_info m = {
.mark = cm->mark,
};
memcpy(dst, &m, sizeof(m));
}
static int mark_tg_compat_to_user_v0(void __user *dst, void *src)
{
const struct xt_mark_target_info *m = src;
struct compat_xt_mark_target_info cm = {
.mark = m->mark,
};
return copy_to_user(dst, &cm, sizeof(cm)) ? -EFAULT : 0;
}
struct compat_xt_mark_target_info_v1 {
compat_ulong_t mark;
u_int8_t mode;
u_int8_t __pad1;
u_int16_t __pad2;
};
static void mark_tg_compat_from_user_v1(void *dst, void *src)
{
const struct compat_xt_mark_target_info_v1 *cm = src;
struct xt_mark_target_info_v1 m = {
.mark = cm->mark,
.mode = cm->mode,
};
memcpy(dst, &m, sizeof(m));
}
static int mark_tg_compat_to_user_v1(void __user *dst, void *src)
{
const struct xt_mark_target_info_v1 *m = src;
struct compat_xt_mark_target_info_v1 cm = {
.mark = m->mark,
.mode = m->mode,
};
return copy_to_user(dst, &cm, sizeof(cm)) ? -EFAULT : 0;
}
#endif /* CONFIG_COMPAT */
static struct xt_target mark_tg_reg[] __read_mostly = {
{
.name = "MARK",
.family = NFPROTO_UNSPEC,
.revision = 0,
.checkentry = mark_tg_check_v0,
.target = mark_tg_v0,
.targetsize = sizeof(struct xt_mark_target_info),
#ifdef CONFIG_COMPAT
.compatsize = sizeof(struct compat_xt_mark_target_info),
.compat_from_user = mark_tg_compat_from_user_v0,
.compat_to_user = mark_tg_compat_to_user_v0,
#endif
.table = "mangle",
.me = THIS_MODULE,
},
{
.name = "MARK",
.family = NFPROTO_UNSPEC,
.revision = 1,
.checkentry = mark_tg_check_v1,
.target = mark_tg_v1,
.targetsize = sizeof(struct xt_mark_target_info_v1),
#ifdef CONFIG_COMPAT
.compatsize = sizeof(struct compat_xt_mark_target_info_v1),
.compat_from_user = mark_tg_compat_from_user_v1,
.compat_to_user = mark_tg_compat_to_user_v1,
#endif
.table = "mangle",
.me = THIS_MODULE,
},
{
static struct xt_target mark_tg_reg __read_mostly = {
.name = "MARK",
.revision = 2,
.family = NFPROTO_UNSPEC,
.target = mark_tg,
.targetsize = sizeof(struct xt_mark_tginfo2),
.me = THIS_MODULE,
},
};
static int __init mark_tg_init(void)
{
return xt_register_targets(mark_tg_reg, ARRAY_SIZE(mark_tg_reg));
return xt_register_target(&mark_tg_reg);
}
static void __exit mark_tg_exit(void)
{
xt_unregister_targets(mark_tg_reg, ARRAY_SIZE(mark_tg_reg));
xt_unregister_target(&mark_tg_reg);
}
module_init(mark_tg_init);
......
net/netfilter/xt_connmark.c
View file @ 9a0da0d1
......@@ -47,36 +47,6 @@ connmark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return ((ct->mark & info->mask) == info->mark) ^ info->invert;
}
static bool
connmark_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
{
const struct xt_connmark_info *info = par->matchinfo;
const struct nf_conn *ct;
enum ip_conntrack_info ctinfo;
ct = nf_ct_get(skb, &ctinfo);
if (!ct)
return false;
return ((ct->mark & info->mask) == info->mark) ^ info->invert;
}
static bool connmark_mt_check_v0(const struct xt_mtchk_param *par)
{
const struct xt_connmark_info *cm = par->matchinfo;
if (cm->mark > 0xffffffff || cm->mask > 0xffffffff) {
printk(KERN_WARNING "connmark: only support 32bit mark\n");
return false;
}
if (nf_ct_l3proto_try_module_get(par->family) < 0) {
printk(KERN_WARNING "can't load conntrack support for "
"proto=%u\n", par->family);
return false;
}
return true;
}
static bool connmark_mt_check(const struct xt_mtchk_param *par)
{
if (nf_ct_l3proto_try_module_get(par->family) < 0) {
......@@ -92,54 +62,7 @@ static void connmark_mt_destroy(const struct xt_mtdtor_param *par)
nf_ct_l3proto_module_put(par->family);
}
#ifdef CONFIG_COMPAT
struct compat_xt_connmark_info {
compat_ulong_t mark, mask;
u_int8_t invert;
u_int8_t __pad1;
u_int16_t __pad2;
};
static void connmark_mt_compat_from_user_v0(void *dst, void *src)
{
const struct compat_xt_connmark_info *cm = src;
struct xt_connmark_info m = {
.mark = cm->mark,
.mask = cm->mask,
.invert = cm->invert,
};
memcpy(dst, &m, sizeof(m));
}
static int connmark_mt_compat_to_user_v0(void __user *dst, void *src)
{
const struct xt_connmark_info *m = src;
struct compat_xt_connmark_info cm = {
.mark = m->mark,
.mask = m->mask,
.invert = m->invert,
};
return copy_to_user(dst, &cm, sizeof(cm)) ? -EFAULT : 0;
}
#endif /* CONFIG_COMPAT */
static struct xt_match connmark_mt_reg[] __read_mostly = {
{
.name = "connmark",
.revision = 0,
.family = NFPROTO_UNSPEC,
.checkentry = connmark_mt_check_v0,
.match = connmark_mt_v0,
.destroy = connmark_mt_destroy,
.matchsize = sizeof(struct xt_connmark_info),
#ifdef CONFIG_COMPAT
.compatsize = sizeof(struct compat_xt_connmark_info),
.compat_from_user = connmark_mt_compat_from_user_v0,
.compat_to_user = connmark_mt_compat_to_user_v0,
#endif
.me = THIS_MODULE
},
{
static struct xt_match connmark_mt_reg __read_mostly = {
.name = "connmark",
.revision = 1,
.family = NFPROTO_UNSPEC,
......@@ -148,18 +71,16 @@ static struct xt_match connmark_mt_reg[] __read_mostly = {
.matchsize = sizeof(struct xt_connmark_mtinfo1),
.destroy = connmark_mt_destroy,
.me = THIS_MODULE,
},
};
static int __init connmark_mt_init(void)
{
return xt_register_matches(connmark_mt_reg,
ARRAY_SIZE(connmark_mt_reg));
return xt_register_match(&connmark_mt_reg);
}
static void __exit connmark_mt_exit(void)
{
xt_unregister_matches(connmark_mt_reg, ARRAY_SIZE(connmark_mt_reg));
xt_unregister_match(&connmark_mt_reg);
}
module_init(connmark_mt_init);
......
net/netfilter/xt_conntrack.c
View file @ 9a0da0d1
......@@ -19,100 +19,11 @@
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_DESCRIPTION("Xtables: connection tracking state match");
MODULE_ALIAS("ipt_conntrack");
MODULE_ALIAS("ip6t_conntrack");
static bool
conntrack_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
{
const struct xt_conntrack_info *sinfo = par->matchinfo;
const struct nf_conn *ct;
enum ip_conntrack_info ctinfo;
unsigned int statebit;
ct = nf_ct_get(skb, &ctinfo);
#define FWINV(bool, invflg) ((bool) ^ !!(sinfo->invflags & (invflg)))
if (ct == &nf_conntrack_untracked)
statebit = XT_CONNTRACK_STATE_UNTRACKED;
else if (ct)
statebit = XT_CONNTRACK_STATE_BIT(ctinfo);
else
statebit = XT_CONNTRACK_STATE_INVALID;
if (sinfo->flags & XT_CONNTRACK_STATE) {
if (ct) {
if (test_bit(IPS_SRC_NAT_BIT, &ct->status))
statebit |= XT_CONNTRACK_STATE_SNAT;
if (test_bit(IPS_DST_NAT_BIT, &ct->status))
statebit |= XT_CONNTRACK_STATE_DNAT;
}
if (FWINV((statebit & sinfo->statemask) == 0,
XT_CONNTRACK_STATE))
return false;
}
if (ct == NULL) {
if (sinfo->flags & ~XT_CONNTRACK_STATE)
return false;
return true;
}
if (sinfo->flags & XT_CONNTRACK_PROTO &&
FWINV(nf_ct_protonum(ct) !=
sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum,
XT_CONNTRACK_PROTO))
return false;
if (sinfo->flags & XT_CONNTRACK_ORIGSRC &&
FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip &
sinfo->sipmsk[IP_CT_DIR_ORIGINAL].s_addr) !=
sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip,
XT_CONNTRACK_ORIGSRC))
return false;
if (sinfo->flags & XT_CONNTRACK_ORIGDST &&
FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3.ip &
sinfo->dipmsk[IP_CT_DIR_ORIGINAL].s_addr) !=
sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip,
XT_CONNTRACK_ORIGDST))
return false;
if (sinfo->flags & XT_CONNTRACK_REPLSRC &&
FWINV((ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3.ip &
sinfo->sipmsk[IP_CT_DIR_REPLY].s_addr) !=
sinfo->tuple[IP_CT_DIR_REPLY].src.ip,
XT_CONNTRACK_REPLSRC))
return false;
if (sinfo->flags & XT_CONNTRACK_REPLDST &&
FWINV((ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3.ip &
sinfo->dipmsk[IP_CT_DIR_REPLY].s_addr) !=
sinfo->tuple[IP_CT_DIR_REPLY].dst.ip,
XT_CONNTRACK_REPLDST))
return false;
if (sinfo->flags & XT_CONNTRACK_STATUS &&
FWINV((ct->status & sinfo->statusmask) == 0,
XT_CONNTRACK_STATUS))
return false;
if(sinfo->flags & XT_CONNTRACK_EXPIRES) {
unsigned long expires = timer_pending(&ct->timeout) ?
(ct->timeout.expires - jiffies)/HZ : 0;
if (FWINV(!(expires >= sinfo->expires_min &&
expires <= sinfo->expires_max),
XT_CONNTRACK_EXPIRES))
return false;
}
return true;
#undef FWINV
}
static bool
conntrack_addrcmp(const union nf_inet_addr *kaddr,
const union nf_inet_addr *uaddr,
......@@ -337,71 +248,7 @@ static void conntrack_mt_destroy_v1(const struct xt_mtdtor_param *par)
conntrack_mt_destroy(par);
}
#ifdef CONFIG_COMPAT
struct compat_xt_conntrack_info
{
compat_uint_t statemask;
compat_uint_t statusmask;
struct ip_conntrack_old_tuple tuple[IP_CT_DIR_MAX];
struct in_addr sipmsk[IP_CT_DIR_MAX];
struct in_addr dipmsk[IP_CT_DIR_MAX];
compat_ulong_t expires_min;
compat_ulong_t expires_max;
u_int8_t flags;
u_int8_t invflags;
};
static void conntrack_mt_compat_from_user_v0(void *dst, void *src)
{
const struct compat_xt_conntrack_info *cm = src;
struct xt_conntrack_info m = {
.statemask = cm->statemask,
.statusmask = cm->statusmask,
.expires_min = cm->expires_min,
.expires_max = cm->expires_max,
.flags = cm->flags,
.invflags = cm->invflags,
};
memcpy(m.tuple, cm->tuple, sizeof(m.tuple));
memcpy(m.sipmsk, cm->sipmsk, sizeof(m.sipmsk));
memcpy(m.dipmsk, cm->dipmsk, sizeof(m.dipmsk));
memcpy(dst, &m, sizeof(m));
}
static int conntrack_mt_compat_to_user_v0(void __user *dst, void *src)
{
const struct xt_conntrack_info *m = src;
struct compat_xt_conntrack_info cm = {
.statemask = m->statemask,
.statusmask = m->statusmask,
.expires_min = m->expires_min,
.expires_max = m->expires_max,
.flags = m->flags,
.invflags = m->invflags,
};
memcpy(cm.tuple, m->tuple, sizeof(cm.tuple));
memcpy(cm.sipmsk, m->sipmsk, sizeof(cm.sipmsk));
memcpy(cm.dipmsk, m->dipmsk, sizeof(cm.dipmsk));
return copy_to_user(dst, &cm, sizeof(cm)) ? -EFAULT : 0;
}
#endif
static struct xt_match conntrack_mt_reg[] __read_mostly = {
{
.name = "conntrack",
.revision = 0,
.family = NFPROTO_IPV4,
.match = conntrack_mt_v0,
.checkentry = conntrack_mt_check,
.destroy = conntrack_mt_destroy,
.matchsize = sizeof(struct xt_conntrack_info),
.me = THIS_MODULE,
#ifdef CONFIG_COMPAT
.compatsize = sizeof(struct compat_xt_conntrack_info),
.compat_from_user = conntrack_mt_compat_from_user_v0,
.compat_to_user = conntrack_mt_compat_to_user_v0,
#endif
},
{
.name = "conntrack",
.revision = 1,
......
net/netfilter/xt_dscp.c
View file @ 9a0da0d1
......@@ -15,7 +15,6 @@
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_dscp.h>
#include <linux/netfilter_ipv4/ipt_tos.h>
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
MODULE_DESCRIPTION("Xtables: DSCP/TOS field match");
......@@ -55,14 +54,6 @@ static bool dscp_mt_check(const struct xt_mtchk_param *par)
return true;
}
static bool
tos_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
{
const struct ipt_tos_info *info = par->matchinfo;
return (ip_hdr(skb)->tos == info->tos) ^ info->invert;
}
static bool tos_mt(const struct sk_buff *skb, const struct xt_match_param *par)
{
const struct xt_tos_match_info *info = par->matchinfo;
......@@ -92,14 +83,6 @@ static struct xt_match dscp_mt_reg[] __read_mostly = {
.matchsize = sizeof(struct xt_dscp_info),
.me = THIS_MODULE,
},
{
.name = "tos",
.revision = 0,
.family = NFPROTO_IPV4,
.match = tos_mt_v0,
.matchsize = sizeof(struct ipt_tos_info),
.me = THIS_MODULE,
},
{
.name = "tos",
.revision = 1,
......
net/netfilter/xt_iprange.c
View file @ 9a0da0d1
......@@ -14,40 +14,6 @@
#include <linux/ipv6.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_iprange.h>
#include <linux/netfilter_ipv4/ipt_iprange.h>
static bool
iprange_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
{
const struct ipt_iprange_info *info = par->matchinfo;
const struct iphdr *iph = ip_hdr(skb);
if (info->flags & IPRANGE_SRC) {
if ((ntohl(iph->saddr) < ntohl(info->src.min_ip)
|| ntohl(iph->saddr) > ntohl(info->src.max_ip))
^ !!(info->flags & IPRANGE_SRC_INV)) {
pr_debug("src IP %pI4 NOT in range %s%pI4-%pI4\n",
&iph->saddr,
info->flags & IPRANGE_SRC_INV ? "(INV) " : "",
&info->src.min_ip,
&info->src.max_ip);
return false;
}
}
if (info->flags & IPRANGE_DST) {
if ((ntohl(iph->daddr) < ntohl(info->dst.min_ip)
|| ntohl(iph->daddr) > ntohl(info->dst.max_ip))
^ !!(info->flags & IPRANGE_DST_INV)) {
pr_debug("dst IP %pI4 NOT in range %s%pI4-%pI4\n",
&iph->daddr,
info->flags & IPRANGE_DST_INV ? "(INV) " : "",
&info->dst.min_ip,
&info->dst.max_ip);
return false;
}
}
return true;
}
static bool
iprange_mt4(const struct sk_buff *skb, const struct xt_match_param *par)
......@@ -125,14 +91,6 @@ iprange_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
}
static struct xt_match iprange_mt_reg[] __read_mostly = {
{
.name = "iprange",
.revision = 0,
.family = NFPROTO_IPV4,
.match = iprange_mt_v0,
.matchsize = sizeof(struct ipt_iprange_info),
.me = THIS_MODULE,
},
{
.name = "iprange",
.revision = 1,
......@@ -164,7 +122,8 @@ static void __exit iprange_mt_exit(void)
module_init(iprange_mt_init);
module_exit(iprange_mt_exit);
MODULE_LICENSE("GPL");
MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>, Jan Engelhardt <jengelh@computergmbh.de>");
MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_DESCRIPTION("Xtables: arbitrary IPv4 range matching");
MODULE_ALIAS("ipt_iprange");
MODULE_ALIAS("ip6t_iprange");
net/netfilter/xt_mark.c
View file @ 9a0da0d1
......@@ -3,7 +3,7 @@
*
* (C) 1999-2001 Marc Boucher <marc@mbsi.ca>
* Copyright © CC Computer Consultants GmbH, 2007 - 2008
* Jan Engelhardt <jengelh@computergmbh.de>
* Jan Engelhardt <jengelh@medozas.de>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
......@@ -22,14 +22,6 @@ MODULE_DESCRIPTION("Xtables: packet mark match");
MODULE_ALIAS("ipt_mark");
MODULE_ALIAS("ip6t_mark");
static bool
mark_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
{
const struct xt_mark_info *info = par->matchinfo;
return ((skb->mark & info->mask) == info->mark) ^ info->invert;
}
static bool
mark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
{
......@@ -38,81 +30,23 @@ mark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return ((skb->mark & info->mask) == info->mark) ^ info->invert;
}
static bool mark_mt_check_v0(const struct xt_mtchk_param *par)
{
const struct xt_mark_info *minfo = par->matchinfo;
if (minfo->mark > 0xffffffff || minfo->mask > 0xffffffff) {
printk(KERN_WARNING "mark: only supports 32bit mark\n");
return false;
}
return true;
}
#ifdef CONFIG_COMPAT
struct compat_xt_mark_info {
compat_ulong_t mark, mask;
u_int8_t invert;
u_int8_t __pad1;
u_int16_t __pad2;
};
static void mark_mt_compat_from_user_v0(void *dst, void *src)
{
const struct compat_xt_mark_info *cm = src;
struct xt_mark_info m = {
.mark = cm->mark,
.mask = cm->mask,
.invert = cm->invert,
};
memcpy(dst, &m, sizeof(m));
}
static int mark_mt_compat_to_user_v0(void __user *dst, void *src)
{
const struct xt_mark_info *m = src;
struct compat_xt_mark_info cm = {
.mark = m->mark,
.mask = m->mask,
.invert = m->invert,
};
return copy_to_user(dst, &cm, sizeof(cm)) ? -EFAULT : 0;
}
#endif /* CONFIG_COMPAT */
static struct xt_match mark_mt_reg[] __read_mostly = {
{
.name = "mark",
.revision = 0,
.family = NFPROTO_UNSPEC,
.checkentry = mark_mt_check_v0,
.match = mark_mt_v0,
.matchsize = sizeof(struct xt_mark_info),
#ifdef CONFIG_COMPAT
.compatsize = sizeof(struct compat_xt_mark_info),
.compat_from_user = mark_mt_compat_from_user_v0,
.compat_to_user = mark_mt_compat_to_user_v0,
#endif
.me = THIS_MODULE,
},
{
static struct xt_match mark_mt_reg __read_mostly = {
.name = "mark",
.revision = 1,
.family = NFPROTO_UNSPEC,
.match = mark_mt,
.matchsize = sizeof(struct xt_mark_mtinfo1),
.me = THIS_MODULE,
},
};
static int __init mark_mt_init(void)
{
return xt_register_matches(mark_mt_reg, ARRAY_SIZE(mark_mt_reg));
return xt_register_match(&mark_mt_reg);
}
static void __exit mark_mt_exit(void)
{
xt_unregister_matches(mark_mt_reg, ARRAY_SIZE(mark_mt_reg));
xt_unregister_match(&mark_mt_reg);
}
module_init(mark_mt_init);
......
net/netfilter/xt_osf.c
View file @ 9a0da0d1
......@@ -70,7 +70,8 @@ static void xt_osf_finger_free_rcu(struct rcu_head *rcu_head)
}
static int xt_osf_add_callback(struct sock *ctnl, struct sk_buff *skb,
struct nlmsghdr *nlh, struct nlattr *osf_attrs[])
const struct nlmsghdr *nlh,
const struct nlattr * const osf_attrs[])
{
struct xt_osf_user_finger *f;
struct xt_osf_finger *kf = NULL, *sf;
......@@ -112,7 +113,8 @@ static int xt_osf_add_callback(struct sock *ctnl, struct sk_buff *skb,
}
static int xt_osf_remove_callback(struct sock *ctnl, struct sk_buff *skb,
struct nlmsghdr *nlh, struct nlattr *osf_attrs[])
const struct nlmsghdr *nlh,
const struct nlattr * const osf_attrs[])
{
struct xt_osf_user_finger *f;
struct xt_osf_finger *sf;
......
net/netfilter/xt_owner.c
View file @ 9a0da0d1
......@@ -5,7 +5,6 @@
* (C) 2000 Marc Boucher <marc@mbsi.ca>
*
* Copyright © CC Computer Consultants GmbH, 2007 - 2008
* <jengelh@computergmbh.de>
*
* This program is free software; you can redistribute it and/or modify
* it under the terms of the GNU General Public License version 2 as
......@@ -17,60 +16,6 @@
#include <net/sock.h>
#include <linux/netfilter/x_tables.h>
#include <linux/netfilter/xt_owner.h>
#include <linux/netfilter_ipv4/ipt_owner.h>
#include <linux/netfilter_ipv6/ip6t_owner.h>
static bool
owner_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
{
const struct ipt_owner_info *info = par->matchinfo;
const struct file *filp;
if (skb->sk == NULL || skb->sk->sk_socket == NULL)
return false;
filp = skb->sk->sk_socket->file;
if (filp == NULL)
return false;
if (info->match & IPT_OWNER_UID)
if ((filp->f_cred->fsuid != info->uid) ^
!!(info->invert & IPT_OWNER_UID))
return false;
if (info->match & IPT_OWNER_GID)
if ((filp->f_cred->fsgid != info->gid) ^
!!(info->invert & IPT_OWNER_GID))
return false;
return true;
}
static bool
owner_mt6_v0(const struct sk_buff *skb, const struct xt_match_param *par)
{
const struct ip6t_owner_info *info = par->matchinfo;
const struct file *filp;
if (skb->sk == NULL || skb->sk->sk_socket == NULL)
return false;
filp = skb->sk->sk_socket->file;
if (filp == NULL)
return false;
if (info->match & IP6T_OWNER_UID)
if ((filp->f_cred->fsuid != info->uid) ^
!!(info->invert & IP6T_OWNER_UID))
return false;
if (info->match & IP6T_OWNER_GID)
if ((filp->f_cred->fsgid != info->gid) ^
!!(info->invert & IP6T_OWNER_GID))
return false;
return true;
}
static bool
owner_mt(const struct sk_buff *skb, const struct xt_match_param *par)
......@@ -107,57 +52,7 @@ owner_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return true;
}
static bool owner_mt_check_v0(const struct xt_mtchk_param *par)
{
const struct ipt_owner_info *info = par->matchinfo;
if (info->match & (IPT_OWNER_PID | IPT_OWNER_SID | IPT_OWNER_COMM)) {
printk(KERN_WARNING KBUILD_MODNAME
": PID, SID and command matching is not "
"supported anymore\n");
return false;
}
return true;
}
static bool owner_mt6_check_v0(const struct xt_mtchk_param *par)
{
const struct ip6t_owner_info *info = par->matchinfo;
if (info->match & (IP6T_OWNER_PID | IP6T_OWNER_SID)) {
printk(KERN_WARNING KBUILD_MODNAME
": PID and SID matching is not supported anymore\n");
return false;
}
return true;
}
static struct xt_match owner_mt_reg[] __read_mostly = {
{
.name = "owner",
.revision = 0,
.family = NFPROTO_IPV4,
.match = owner_mt_v0,
.matchsize = sizeof(struct ipt_owner_info),
.checkentry = owner_mt_check_v0,
.hooks = (1 << NF_INET_LOCAL_OUT) |
(1 << NF_INET_POST_ROUTING),
.me = THIS_MODULE,
},
{
.name = "owner",
.revision = 0,
.family = NFPROTO_IPV6,
.match = owner_mt6_v0,
.matchsize = sizeof(struct ip6t_owner_info),
.checkentry = owner_mt6_check_v0,
.hooks = (1 << NF_INET_LOCAL_OUT) |
(1 << NF_INET_POST_ROUTING),
.me = THIS_MODULE,
},
{
static struct xt_match owner_mt_reg __read_mostly = {
.name = "owner",
.revision = 1,
.family = NFPROTO_UNSPEC,
......@@ -166,22 +61,21 @@ static struct xt_match owner_mt_reg[] __read_mostly = {
.hooks = (1 << NF_INET_LOCAL_OUT) |
(1 << NF_INET_POST_ROUTING),
.me = THIS_MODULE,
},
};
static int __init owner_mt_init(void)
{
return xt_register_matches(owner_mt_reg, ARRAY_SIZE(owner_mt_reg));
return xt_register_match(&owner_mt_reg);
}
static void __exit owner_mt_exit(void)
{
xt_unregister_matches(owner_mt_reg, ARRAY_SIZE(owner_mt_reg));
xt_unregister_match(&owner_mt_reg);
}
module_init(owner_mt_init);
module_exit(owner_mt_exit);
MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
MODULE_DESCRIPTION("Xtables: socket owner matching");
MODULE_LICENSE("GPL");
MODULE_ALIAS("ipt_owner");
......
net/netlink/af_netlink.c
View file @ 9a0da0d1
......@@ -1705,7 +1705,7 @@ static int netlink_dump(struct sock *sk)
}
int netlink_dump_start(struct sock *ssk, struct sk_buff *skb,
struct nlmsghdr *nlh,
const struct nlmsghdr *nlh,
int (*dump)(struct sk_buff *skb,
struct netlink_callback *),
int (*done)(struct netlink_callback *))
......
net/sched/act_api.c
View file @ 9a0da0d1
......@@ -1011,7 +1011,7 @@ static int tc_ctl_action(struct sk_buff *skb, struct nlmsghdr *n, void *arg)
}
static struct nlattr *
find_dump_kind(struct nlmsghdr *n)
find_dump_kind(const struct nlmsghdr *n)
{
struct nlattr *tb1, *tb2[TCA_ACT_MAX+1];
struct nlattr *tb[TCA_ACT_MAX_PRIO + 1];
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7