Commit
cad8e944
authored
Nov 09, 2005
by
Linus Torvalds
Merge master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6
parents
8ca2bdc7
9f0ede52
Showing
8 changed files
with
92 additions
and
72 deletions
+92
-72
include/linux/netfilter/nfnetlink.h
include/linux/netfilter/nfnetlink.h
+1
-1
net/ipv4/netfilter/ip_conntrack_netlink.c
net/ipv4/netfilter/ip_conntrack_netlink.c
+37
-46
net/ipv4/netfilter/ip_conntrack_proto_icmp.c
net/ipv4/netfilter/ip_conntrack_proto_icmp.c
+8
-7
net/ipv4/netfilter/ip_conntrack_proto_tcp.c
net/ipv4/netfilter/ip_conntrack_proto_tcp.c
+6
-5
net/ipv4/netfilter/ip_nat_helper_pptp.c
net/ipv4/netfilter/ip_nat_helper_pptp.c
+26
-2
net/ipv6/addrconf.c
net/ipv6/addrconf.c
+2
-1
net/ipv6/ip6_tunnel.c
net/ipv6/ip6_tunnel.c
+1
-0
net/netfilter/nfnetlink.c
net/netfilter/nfnetlink.c
+11
-10
include/linux/netfilter/nfnetlink.h
...
@@ -146,7 +146,7 @@ extern void nfnl_unlock(void);
...
@@ -146,7 +146,7 @@ extern void nfnl_unlock(void);
extern
int
nfnetlink_subsys_register
(
struct
nfnetlink_subsystem
*
n
);
extern
int
nfnetlink_subsys_register
(
struct
nfnetlink_subsystem
*
n
);
extern
int
nfnetlink_subsys_unregister
(
struct
nfnetlink_subsystem
*
n
);
extern
int
nfnetlink_subsys_unregister
(
struct
nfnetlink_subsystem
*
n
);
extern
int
nfattr_parse
(
struct
nfattr
*
tb
[],
int
maxattr
,
extern
void
nfattr_parse
(
struct
nfattr
*
tb
[],
int
maxattr
,
struct
nfattr
*
nfa
,
int
len
);
struct
nfattr
*
nfa
,
int
len
);
#define nfattr_parse_nested(tb, max, nfa) \
#define nfattr_parse_nested(tb, max, nfa) \
...
...
net/ipv4/netfilter/ip_conntrack_netlink.c
...
@@ -28,11 +28,8 @@
...
@@ -28,11 +28,8 @@
#include <linux/netlink.h>
#include <linux/netlink.h>
#include <linux/spinlock.h>
#include <linux/spinlock.h>
#include <linux/notifier.h>
#include <linux/notifier.h>
#include <linux/rtnetlink.h>
#include <linux/netfilter.h>
#include <linux/netfilter.h>
#include <linux/netfilter_ipv4.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv4/ip_conntrack.h>
#include <linux/netfilter_ipv4/ip_conntrack.h>
#include <linux/netfilter_ipv4/ip_conntrack_core.h>
#include <linux/netfilter_ipv4/ip_conntrack_core.h>
#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
#include <linux/netfilter_ipv4/ip_conntrack_helper.h>
...
@@ -58,14 +55,17 @@ ctnetlink_dump_tuples_proto(struct sk_buff *skb,
...
@@ -58,14 +55,17 @@ ctnetlink_dump_tuples_proto(struct sk_buff *skb,
const
struct
ip_conntrack_tuple
*
tuple
)
const
struct
ip_conntrack_tuple
*
tuple
)
{
{
struct
ip_conntrack_protocol
*
proto
;
struct
ip_conntrack_protocol
*
proto
;
int
ret
=
0
;
NFA_PUT
(
skb
,
CTA_PROTO_NUM
,
sizeof
(
u_int8_t
),
&
tuple
->
dst
.
protonum
);
NFA_PUT
(
skb
,
CTA_PROTO_NUM
,
sizeof
(
u_int8_t
),
&
tuple
->
dst
.
protonum
);
proto
=
ip_conntrack_proto_find_get
(
tuple
->
dst
.
protonum
);
proto
=
ip_conntrack_proto_find_get
(
tuple
->
dst
.
protonum
);
if
(
proto
&&
proto
->
tuple_to_nfattr
)
if
(
likely
(
proto
&&
proto
->
tuple_to_nfattr
))
{
return
proto
->
tuple_to_nfattr
(
skb
,
tuple
);
ret
=
proto
->
tuple_to_nfattr
(
skb
,
tuple
);
ip_conntrack_proto_put
(
proto
);
}
return
0
;
return
ret
;
nfattr_failure:
nfattr_failure:
return
-
1
;
return
-
1
;
...
@@ -175,7 +175,7 @@ ctnetlink_dump_counters(struct sk_buff *skb, const struct ip_conntrack *ct,
...
@@ -175,7 +175,7 @@ ctnetlink_dump_counters(struct sk_buff *skb, const struct ip_conntrack *ct,
{
{
enum
ctattr_type
type
=
dir
?
CTA_COUNTERS_REPLY
:
CTA_COUNTERS_ORIG
;
enum
ctattr_type
type
=
dir
?
CTA_COUNTERS_REPLY
:
CTA_COUNTERS_ORIG
;
struct
nfattr
*
nest_count
=
NFA_NEST
(
skb
,
type
);
struct
nfattr
*
nest_count
=
NFA_NEST
(
skb
,
type
);
u_int
64
_t
tmp
;
u_int
32
_t
tmp
;
tmp
=
htonl
(
ct
->
counters
[
dir
].
packets
);
tmp
=
htonl
(
ct
->
counters
[
dir
].
packets
);
NFA_PUT
(
skb
,
CTA_COUNTERS32_PACKETS
,
sizeof
(
u_int32_t
),
&
tmp
);
NFA_PUT
(
skb
,
CTA_COUNTERS32_PACKETS
,
sizeof
(
u_int32_t
),
&
tmp
);
...
@@ -479,9 +479,7 @@ ctnetlink_parse_tuple_ip(struct nfattr *attr, struct ip_conntrack_tuple *tuple)
...
@@ -479,9 +479,7 @@ ctnetlink_parse_tuple_ip(struct nfattr *attr, struct ip_conntrack_tuple *tuple)
DEBUGP
(
"entered %s
\n
"
,
__FUNCTION__
);
DEBUGP
(
"entered %s
\n
"
,
__FUNCTION__
);
nfattr_parse_nested
(
tb
,
CTA_IP_MAX
,
attr
);
if
(
nfattr_parse_nested
(
tb
,
CTA_IP_MAX
,
attr
)
<
0
)
goto
nfattr_failure
;
if
(
nfattr_bad_size
(
tb
,
CTA_IP_MAX
,
cta_min_ip
))
if
(
nfattr_bad_size
(
tb
,
CTA_IP_MAX
,
cta_min_ip
))
return
-
EINVAL
;
return
-
EINVAL
;
...
@@ -497,9 +495,6 @@ ctnetlink_parse_tuple_ip(struct nfattr *attr, struct ip_conntrack_tuple *tuple)
...
@@ -497,9 +495,6 @@ ctnetlink_parse_tuple_ip(struct nfattr *attr, struct ip_conntrack_tuple *tuple)
DEBUGP
(
"leaving
\n
"
);
DEBUGP
(
"leaving
\n
"
);
return
0
;
return
0
;
nfattr_failure:
return
-
1
;
}
}
static
const
int
cta_min_proto
[
CTA_PROTO_MAX
]
=
{
static
const
int
cta_min_proto
[
CTA_PROTO_MAX
]
=
{
...
@@ -521,8 +516,7 @@ ctnetlink_parse_tuple_proto(struct nfattr *attr,
...
@@ -521,8 +516,7 @@ ctnetlink_parse_tuple_proto(struct nfattr *attr,
DEBUGP
(
"entered %s
\n
"
,
__FUNCTION__
);
DEBUGP
(
"entered %s
\n
"
,
__FUNCTION__
);
if
(
nfattr_parse_nested
(
tb
,
CTA_PROTO_MAX
,
attr
)
<
0
)
nfattr_parse_nested
(
tb
,
CTA_PROTO_MAX
,
attr
);
goto
nfattr_failure
;
if
(
nfattr_bad_size
(
tb
,
CTA_PROTO_MAX
,
cta_min_proto
))
if
(
nfattr_bad_size
(
tb
,
CTA_PROTO_MAX
,
cta_min_proto
))
return
-
EINVAL
;
return
-
EINVAL
;
...
@@ -539,9 +533,6 @@ ctnetlink_parse_tuple_proto(struct nfattr *attr,
...
@@ -539,9 +533,6 @@ ctnetlink_parse_tuple_proto(struct nfattr *attr,
}
}
return
ret
;
return
ret
;
nfattr_failure:
return
-
1
;
}
}
static
inline
int
static
inline
int
...
@@ -555,8 +546,7 @@ ctnetlink_parse_tuple(struct nfattr *cda[], struct ip_conntrack_tuple *tuple,
...
@@ -555,8 +546,7 @@ ctnetlink_parse_tuple(struct nfattr *cda[], struct ip_conntrack_tuple *tuple,
memset
(
tuple
,
0
,
sizeof
(
*
tuple
));
memset
(
tuple
,
0
,
sizeof
(
*
tuple
));
if
(
nfattr_parse_nested
(
tb
,
CTA_TUPLE_MAX
,
cda
[
type
-
1
])
<
0
)
nfattr_parse_nested
(
tb
,
CTA_TUPLE_MAX
,
cda
[
type
-
1
]);
goto
nfattr_failure
;
if
(
!
tb
[
CTA_TUPLE_IP
-
1
])
if
(
!
tb
[
CTA_TUPLE_IP
-
1
])
return
-
EINVAL
;
return
-
EINVAL
;
...
@@ -583,9 +573,6 @@ ctnetlink_parse_tuple(struct nfattr *cda[], struct ip_conntrack_tuple *tuple,
...
@@ -583,9 +573,6 @@ ctnetlink_parse_tuple(struct nfattr *cda[], struct ip_conntrack_tuple *tuple,
DEBUGP
(
"leaving
\n
"
);
DEBUGP
(
"leaving
\n
"
);
return
0
;
return
0
;
nfattr_failure:
return
-
1
;
}
}
#ifdef CONFIG_IP_NF_NAT_NEEDED
#ifdef CONFIG_IP_NF_NAT_NEEDED
...
@@ -603,11 +590,10 @@ static int ctnetlink_parse_nat_proto(struct nfattr *attr,
...
@@ -603,11 +590,10 @@ static int ctnetlink_parse_nat_proto(struct nfattr *attr,
DEBUGP
(
"entered %s
\n
"
,
__FUNCTION__
);
DEBUGP
(
"entered %s
\n
"
,
__FUNCTION__
);
if
(
nfattr_parse_nested
(
tb
,
CTA_PROTONAT_MAX
,
attr
)
<
0
)
nfattr_parse_nested
(
tb
,
CTA_PROTONAT_MAX
,
attr
);
goto
nfattr_failure
;
if
(
nfattr_bad_size
(
tb
,
CTA_PROTONAT_MAX
,
cta_min_protonat
))
if
(
nfattr_bad_size
(
tb
,
CTA_PROTONAT_MAX
,
cta_min_protonat
))
goto
nfattr_failure
;
return
-
EINVAL
;
npt
=
ip_nat_proto_find_get
(
ct
->
tuplehash
[
IP_CT_DIR_ORIGINAL
].
tuple
.
dst
.
protonum
);
npt
=
ip_nat_proto_find_get
(
ct
->
tuplehash
[
IP_CT_DIR_ORIGINAL
].
tuple
.
dst
.
protonum
);
if
(
!
npt
)
if
(
!
npt
)
...
@@ -626,9 +612,6 @@ static int ctnetlink_parse_nat_proto(struct nfattr *attr,
...
@@ -626,9 +612,6 @@ static int ctnetlink_parse_nat_proto(struct nfattr *attr,
DEBUGP
(
"leaving
\n
"
);
DEBUGP
(
"leaving
\n
"
);
return
0
;
return
0
;
nfattr_failure:
return
-
1
;
}
}
static
inline
int
static
inline
int
...
@@ -642,8 +625,7 @@ ctnetlink_parse_nat(struct nfattr *cda[],
...
@@ -642,8 +625,7 @@ ctnetlink_parse_nat(struct nfattr *cda[],
memset
(
range
,
0
,
sizeof
(
*
range
));
memset
(
range
,
0
,
sizeof
(
*
range
));
if
(
nfattr_parse_nested
(
tb
,
CTA_NAT_MAX
,
cda
[
CTA_NAT
-
1
])
<
0
)
nfattr_parse_nested
(
tb
,
CTA_NAT_MAX
,
cda
[
CTA_NAT
-
1
]);
goto
nfattr_failure
;
if
(
tb
[
CTA_NAT_MINIP
-
1
])
if
(
tb
[
CTA_NAT_MINIP
-
1
])
range
->
min_ip
=
*
(
u_int32_t
*
)
NFA_DATA
(
tb
[
CTA_NAT_MINIP
-
1
]);
range
->
min_ip
=
*
(
u_int32_t
*
)
NFA_DATA
(
tb
[
CTA_NAT_MINIP
-
1
]);
...
@@ -665,9 +647,6 @@ ctnetlink_parse_nat(struct nfattr *cda[],
...
@@ -665,9 +647,6 @@ ctnetlink_parse_nat(struct nfattr *cda[],
DEBUGP
(
"leaving
\n
"
);
DEBUGP
(
"leaving
\n
"
);
return
0
;
return
0
;
nfattr_failure:
return
-
1
;
}
}
#endif
#endif
...
@@ -678,8 +657,7 @@ ctnetlink_parse_help(struct nfattr *attr, char **helper_name)
...
@@ -678,8 +657,7 @@ ctnetlink_parse_help(struct nfattr *attr, char **helper_name)
DEBUGP
(
"entered %s
\n
"
,
__FUNCTION__
);
DEBUGP
(
"entered %s
\n
"
,
__FUNCTION__
);
if
(
nfattr_parse_nested
(
tb
,
CTA_HELP_MAX
,
attr
)
<
0
)
nfattr_parse_nested
(
tb
,
CTA_HELP_MAX
,
attr
);
goto
nfattr_failure
;
if
(
!
tb
[
CTA_HELP_NAME
-
1
])
if
(
!
tb
[
CTA_HELP_NAME
-
1
])
return
-
EINVAL
;
return
-
EINVAL
;
...
@@ -687,9 +665,6 @@ ctnetlink_parse_help(struct nfattr *attr, char **helper_name)
...
@@ -687,9 +665,6 @@ ctnetlink_parse_help(struct nfattr *attr, char **helper_name)
*
helper_name
=
NFA_DATA
(
tb
[
CTA_HELP_NAME
-
1
]);
*
helper_name
=
NFA_DATA
(
tb
[
CTA_HELP_NAME
-
1
]);
return
0
;
return
0
;
nfattr_failure:
return
-
1
;
}
}
static
int
static
int
...
@@ -804,7 +779,7 @@ ctnetlink_get_conntrack(struct sock *ctnl, struct sk_buff *skb,
...
@@ -804,7 +779,7 @@ ctnetlink_get_conntrack(struct sock *ctnl, struct sk_buff *skb,
ct
=
tuplehash_to_ctrack
(
h
);
ct
=
tuplehash_to_ctrack
(
h
);
err
=
-
ENOMEM
;
err
=
-
ENOMEM
;
skb2
=
alloc_skb
(
NLMSG_GOODSIZE
,
GFP_
ATOMIC
);
skb2
=
alloc_skb
(
NLMSG_GOODSIZE
,
GFP_
KERNEL
);
if
(
!
skb2
)
{
if
(
!
skb2
)
{
ip_conntrack_put
(
ct
);
ip_conntrack_put
(
ct
);
return
-
ENOMEM
;
return
-
ENOMEM
;
...
@@ -827,7 +802,7 @@ ctnetlink_get_conntrack(struct sock *ctnl, struct sk_buff *skb,
...
@@ -827,7 +802,7 @@ ctnetlink_get_conntrack(struct sock *ctnl, struct sk_buff *skb,
free:
free:
kfree_skb
(
skb2
);
kfree_skb
(
skb2
);
out:
out:
return
-
1
;
return
err
;
}
}
static
inline
int
static
inline
int
...
@@ -957,8 +932,7 @@ ctnetlink_change_protoinfo(struct ip_conntrack *ct, struct nfattr *cda[])
...
@@ -957,8 +932,7 @@ ctnetlink_change_protoinfo(struct ip_conntrack *ct, struct nfattr *cda[])
u_int16_t
npt
=
ct
->
tuplehash
[
IP_CT_DIR_ORIGINAL
].
tuple
.
dst
.
protonum
;
u_int16_t
npt
=
ct
->
tuplehash
[
IP_CT_DIR_ORIGINAL
].
tuple
.
dst
.
protonum
;
int
err
=
0
;
int
err
=
0
;
if
(
nfattr_parse_nested
(
tb
,
CTA_PROTOINFO_MAX
,
attr
)
<
0
)
nfattr_parse_nested
(
tb
,
CTA_PROTOINFO_MAX
,
attr
);
goto
nfattr_failure
;
proto
=
ip_conntrack_proto_find_get
(
npt
);
proto
=
ip_conntrack_proto_find_get
(
npt
);
if
(
!
proto
)
if
(
!
proto
)
...
@@ -969,9 +943,6 @@ ctnetlink_change_protoinfo(struct ip_conntrack *ct, struct nfattr *cda[])
...
@@ -969,9 +943,6 @@ ctnetlink_change_protoinfo(struct ip_conntrack *ct, struct nfattr *cda[])
ip_conntrack_proto_put
(
proto
);
ip_conntrack_proto_put
(
proto
);
return
err
;
return
err
;
nfattr_failure:
return
-
ENOMEM
;
}
}
static
int
static
int
...
@@ -1005,6 +976,11 @@ ctnetlink_change_conntrack(struct ip_conntrack *ct, struct nfattr *cda[])
...
@@ -1005,6 +976,11 @@ ctnetlink_change_conntrack(struct ip_conntrack *ct, struct nfattr *cda[])
return
err
;
return
err
;
}
}
#if defined(CONFIG_IP_NF_CONNTRACK_MARK)
if
(
cda
[
CTA_MARK
-
1
])
ct
->
mark
=
ntohl
(
*
(
u_int32_t
*
)
NFA_DATA
(
cda
[
CTA_MARK
-
1
]));
#endif
DEBUGP
(
"all done
\n
"
);
DEBUGP
(
"all done
\n
"
);
return
0
;
return
0
;
}
}
...
@@ -1048,6 +1024,11 @@ ctnetlink_create_conntrack(struct nfattr *cda[],
...
@@ -1048,6 +1024,11 @@ ctnetlink_create_conntrack(struct nfattr *cda[],
if
(
ct
->
helper
)
if
(
ct
->
helper
)
ip_conntrack_helper_put
(
ct
->
helper
);
ip_conntrack_helper_put
(
ct
->
helper
);
#if defined(CONFIG_IP_NF_CONNTRACK_MARK)
if
(
cda
[
CTA_MARK
-
1
])
ct
->
mark
=
ntohl
(
*
(
u_int32_t
*
)
NFA_DATA
(
cda
[
CTA_MARK
-
1
]));
#endif
DEBUGP
(
"conntrack with id %u inserted
\n
"
,
ct
->
id
);
DEBUGP
(
"conntrack with id %u inserted
\n
"
,
ct
->
id
);
return
0
;
return
0
;
...
@@ -1312,6 +1293,14 @@ ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb,
...
@@ -1312,6 +1293,14 @@ ctnetlink_get_expect(struct sock *ctnl, struct sk_buff *skb,
if
(
!
exp
)
if
(
!
exp
)
return
-
ENOENT
;
return
-
ENOENT
;
if
(
cda
[
CTA_EXPECT_ID
-
1
])
{
u_int32_t
id
=
*
(
u_int32_t
*
)
NFA_DATA
(
cda
[
CTA_EXPECT_ID
-
1
]);
if
(
exp
->
id
!=
ntohl
(
id
))
{
ip_conntrack_expect_put
(
exp
);
return
-
ENOENT
;
}
}
err
=
-
ENOMEM
;
err
=
-
ENOMEM
;
skb2
=
alloc_skb
(
NLMSG_GOODSIZE
,
GFP_KERNEL
);
skb2
=
alloc_skb
(
NLMSG_GOODSIZE
,
GFP_KERNEL
);
if
(
!
skb2
)
if
(
!
skb2
)
...
@@ -1554,6 +1543,8 @@ static struct nfnetlink_subsystem ctnl_exp_subsys = {
...
@@ -1554,6 +1543,8 @@ static struct nfnetlink_subsystem ctnl_exp_subsys = {
.
cb
=
ctnl_exp_cb
,
.
cb
=
ctnl_exp_cb
,
};
};
MODULE_ALIAS_NFNL_SUBSYS
(
NFNL_SUBSYS_CTNETLINK
);
static
int
__init
ctnetlink_init
(
void
)
static
int
__init
ctnetlink_init
(
void
)
{
{
int
ret
;
int
ret
;
...
...
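Review bot: In the ctnetlink_parse_nat hunk (@@ -642,8 +625,7), `tb[CTA_NAT_MINIP-1]` is dereferenced as a `u_int32_t` directly after `nfattr_parse_nested()` with no length check in between, so a CTA_NAT_MINIP attribute whose payload is shorter than four bytes would be read past its end. On the new side as this page renders it the parse call no longer yields a status, which leaves the per-attribute size table as the only validation in these netlink parsers; the sibling hunks for ctnetlink_parse_tuple_ip, ctnetlink_parse_tuple_proto and ctnetlink_parse_nat_proto all call `nfattr_bad_size()` before touching `tb[]`. Adding a minimum-size table for the CTA_NAT_* attributes (a new table, here called `cta_min_nat` as a proposed name) and `if (nfattr_bad_size(tb, CTA_NAT_MAX, cta_min_nat)) return -EINVAL;` right after the parse would close the gap. The rest of ctnetlink_parse_nat lies outside the hunk, but any check further down would come after this read.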
net/ipv4/netfilter/ip_conntrack_proto_icmp.c
...
@@ -151,13 +151,13 @@ icmp_error_message(struct sk_buff *skb,
...
@@ -151,13 +151,13 @@ icmp_error_message(struct sk_buff *skb,
/* Not enough header? */
/* Not enough header? */
inside
=
skb_header_pointer
(
skb
,
skb
->
nh
.
iph
->
ihl
*
4
,
sizeof
(
_in
),
&
_in
);
inside
=
skb_header_pointer
(
skb
,
skb
->
nh
.
iph
->
ihl
*
4
,
sizeof
(
_in
),
&
_in
);
if
(
inside
==
NULL
)
if
(
inside
==
NULL
)
return
NF_ACCEPT
;
return
-
NF_ACCEPT
;
/* Ignore ICMP's containing fragments (shouldn't happen) */
/* Ignore ICMP's containing fragments (shouldn't happen) */
if
(
inside
->
ip
.
frag_off
&
htons
(
IP_OFFSET
))
{
if
(
inside
->
ip
.
frag_off
&
htons
(
IP_OFFSET
))
{
DEBUGP
(
"icmp_error_track: fragment of proto %u
\n
"
,
DEBUGP
(
"icmp_error_track: fragment of proto %u
\n
"
,
inside
->
ip
.
protocol
);
inside
->
ip
.
protocol
);
return
NF_ACCEPT
;
return
-
NF_ACCEPT
;
}
}
innerproto
=
ip_conntrack_proto_find_get
(
inside
->
ip
.
protocol
);
innerproto
=
ip_conntrack_proto_find_get
(
inside
->
ip
.
protocol
);
...
@@ -166,7 +166,7 @@ icmp_error_message(struct sk_buff *skb,
...
@@ -166,7 +166,7 @@ icmp_error_message(struct sk_buff *skb,
if
(
!
ip_ct_get_tuple
(
&
inside
->
ip
,
skb
,
dataoff
,
&
origtuple
,
innerproto
))
{
if
(
!
ip_ct_get_tuple
(
&
inside
->
ip
,
skb
,
dataoff
,
&
origtuple
,
innerproto
))
{
DEBUGP
(
"icmp_error: ! get_tuple p=%u"
,
inside
->
ip
.
protocol
);
DEBUGP
(
"icmp_error: ! get_tuple p=%u"
,
inside
->
ip
.
protocol
);
ip_conntrack_proto_put
(
innerproto
);
ip_conntrack_proto_put
(
innerproto
);
return
NF_ACCEPT
;
return
-
NF_ACCEPT
;
}
}
/* Ordinarily, we'd expect the inverted tupleproto, but it's
/* Ordinarily, we'd expect the inverted tupleproto, but it's
...
@@ -174,7 +174,7 @@ icmp_error_message(struct sk_buff *skb,
...
@@ -174,7 +174,7 @@ icmp_error_message(struct sk_buff *skb,
if
(
!
ip_ct_invert_tuple
(
&
innertuple
,
&
origtuple
,
innerproto
))
{
if
(
!
ip_ct_invert_tuple
(
&
innertuple
,
&
origtuple
,
innerproto
))
{
DEBUGP
(
"icmp_error_track: Can't invert tuple
\n
"
);
DEBUGP
(
"icmp_error_track: Can't invert tuple
\n
"
);
ip_conntrack_proto_put
(
innerproto
);
ip_conntrack_proto_put
(
innerproto
);
return
NF_ACCEPT
;
return
-
NF_ACCEPT
;
}
}
ip_conntrack_proto_put
(
innerproto
);
ip_conntrack_proto_put
(
innerproto
);
...
@@ -190,7 +190,7 @@ icmp_error_message(struct sk_buff *skb,
...
@@ -190,7 +190,7 @@ icmp_error_message(struct sk_buff *skb,
if
(
!
h
)
{
if
(
!
h
)
{
DEBUGP
(
"icmp_error_track: no match
\n
"
);
DEBUGP
(
"icmp_error_track: no match
\n
"
);
return
NF_ACCEPT
;
return
-
NF_ACCEPT
;
}
}
/* Reverse direction from that found */
/* Reverse direction from that found */
if
(
DIRECTION
(
h
)
!=
IP_CT_DIR_REPLY
)
if
(
DIRECTION
(
h
)
!=
IP_CT_DIR_REPLY
)
...
@@ -296,7 +296,8 @@ static int icmp_nfattr_to_tuple(struct nfattr *tb[],
...
@@ -296,7 +296,8 @@ static int icmp_nfattr_to_tuple(struct nfattr *tb[],
struct
ip_conntrack_tuple
*
tuple
)
struct
ip_conntrack_tuple
*
tuple
)
{
{
if
(
!
tb
[
CTA_PROTO_ICMP_TYPE
-
1
]
if
(
!
tb
[
CTA_PROTO_ICMP_TYPE
-
1
]
||
!
tb
[
CTA_PROTO_ICMP_CODE
-
1
])
||
!
tb
[
CTA_PROTO_ICMP_CODE
-
1
]
||
!
tb
[
CTA_PROTO_ICMP_ID
-
1
])
return
-
1
;
return
-
1
;
tuple
->
dst
.
u
.
icmp
.
type
=
tuple
->
dst
.
u
.
icmp
.
type
=
...
@@ -304,7 +305,7 @@ static int icmp_nfattr_to_tuple(struct nfattr *tb[],
...
@@ -304,7 +305,7 @@ static int icmp_nfattr_to_tuple(struct nfattr *tb[],
tuple
->
dst
.
u
.
icmp
.
code
=
tuple
->
dst
.
u
.
icmp
.
code
=
*
(
u_int8_t
*
)
NFA_DATA
(
tb
[
CTA_PROTO_ICMP_CODE
-
1
]);
*
(
u_int8_t
*
)
NFA_DATA
(
tb
[
CTA_PROTO_ICMP_CODE
-
1
]);
tuple
->
src
.
u
.
icmp
.
id
=
tuple
->
src
.
u
.
icmp
.
id
=
*
(
u_int
8
_t
*
)
NFA_DATA
(
tb
[
CTA_PROTO_ICMP_ID
-
1
]);
*
(
u_int
16
_t
*
)
NFA_DATA
(
tb
[
CTA_PROTO_ICMP_ID
-
1
]);
return
0
;
return
0
;
}
}
...
...
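Review bot: The CTA_PROTO_ICMP_ID read in icmp_nfattr_to_tuple (@@ -304,7 +305,7) now goes through `*(u_int16_t *)NFA_DATA(...)`, but nothing in this function checks that the attribute carries two bytes; the preceding hunk only adds a presence test for `tb[CTA_PROTO_ICMP_ID-1]`. The length guarantee presumably comes from the `cta_min_proto` table that ctnetlink_parse_tuple_proto passes to `nfattr_bad_size()`, whose entries are not shown on this page, so it is worth confirming that its CTA_PROTO_ICMP_ID slot is `sizeof(u_int16_t)` rather than a one-byte or missing entry. A short comment at the casts, such as `/* payload lengths are validated against cta_min_proto by the caller */`, would record that dependency for the next reader.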
net/ipv4/netfilter/ip_conntrack_proto_tcp.c
...
@@ -362,8 +362,12 @@ static int nfattr_to_tcp(struct nfattr *cda[], struct ip_conntrack *ct)
...
@@ -362,8 +362,12 @@ static int nfattr_to_tcp(struct nfattr *cda[], struct ip_conntrack *ct)
struct
nfattr
*
attr
=
cda
[
CTA_PROTOINFO_TCP
-
1
];
struct
nfattr
*
attr
=
cda
[
CTA_PROTOINFO_TCP
-
1
];
struct
nfattr
*
tb
[
CTA_PROTOINFO_TCP_MAX
];
struct
nfattr
*
tb
[
CTA_PROTOINFO_TCP_MAX
];
if
(
nfattr_parse_nested
(
tb
,
CTA_PROTOINFO_TCP_MAX
,
attr
)
<
0
)
/* updates could not contain anything about the private
goto
nfattr_failure
;
* protocol info, in that case skip the parsing */
if
(
!
attr
)
return
0
;
nfattr_parse_nested
(
tb
,
CTA_PROTOINFO_TCP_MAX
,
attr
);
if
(
!
tb
[
CTA_PROTOINFO_TCP_STATE
-
1
])
if
(
!
tb
[
CTA_PROTOINFO_TCP_STATE
-
1
])
return
-
EINVAL
;
return
-
EINVAL
;
...
@@ -374,9 +378,6 @@ static int nfattr_to_tcp(struct nfattr *cda[], struct ip_conntrack *ct)
...
@@ -374,9 +378,6 @@ static int nfattr_to_tcp(struct nfattr *cda[], struct ip_conntrack *ct)
write_unlock_bh
(
&
tcp_lock
);
write_unlock_bh
(
&
tcp_lock
);
return
0
;
return
0
;
nfattr_failure:
return
-
1
;
}
}
#endif
#endif
...
...
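Review bot: After `nfattr_parse_nested(tb, CTA_PROTOINFO_TCP_MAX, attr)` the nfattr_to_tcp hunk tests only that `tb[CTA_PROTOINFO_TCP_STATE-1]` is present, with no `nfattr_bad_size()` call of the kind the parsers in ip_conntrack_netlink.c make. The lines that consume the attribute sit between the two hunks and are not shown, so the following is inferred: if the state is read from the payload and stored under `tcp_lock`, a zero-length attribute or an out-of-range state value supplied from user space would be accepted as is. A payload-length check plus an upper-bound test against the number of TCP conntrack states, both before the lock is taken, would cover it.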
net/ipv4/netfilter/ip_nat_helper_pptp.c
...
@@ -73,6 +73,7 @@ static void pptp_nat_expected(struct ip_conntrack *ct,
...
@@ -73,6 +73,7 @@ static void pptp_nat_expected(struct ip_conntrack *ct,
struct
ip_conntrack_tuple
t
;
struct
ip_conntrack_tuple
t
;
struct
ip_ct_pptp_master
*
ct_pptp_info
;
struct
ip_ct_pptp_master
*
ct_pptp_info
;
struct
ip_nat_pptp
*
nat_pptp_info
;
struct
ip_nat_pptp
*
nat_pptp_info
;
struct
ip_nat_range
range
;
ct_pptp_info
=
&
master
->
help
.
ct_pptp_info
;
ct_pptp_info
=
&
master
->
help
.
ct_pptp_info
;
nat_pptp_info
=
&
master
->
nat
.
help
.
nat_pptp_info
;
nat_pptp_info
=
&
master
->
nat
.
help
.
nat_pptp_info
;
...
@@ -110,7 +111,30 @@ static void pptp_nat_expected(struct ip_conntrack *ct,
...
@@ -110,7 +111,30 @@ static void pptp_nat_expected(struct ip_conntrack *ct,
DEBUGP
(
"not found!
\n
"
);
DEBUGP
(
"not found!
\n
"
);
}
}
ip_nat_follow_master
(
ct
,
exp
);
/* This must be a fresh one. */
BUG_ON
(
ct
->
status
&
IPS_NAT_DONE_MASK
);
/* Change src to where master sends to */
range
.
flags
=
IP_NAT_RANGE_MAP_IPS
;
range
.
min_ip
=
range
.
max_ip
=
ct
->
master
->
tuplehash
[
!
exp
->
dir
].
tuple
.
dst
.
ip
;
if
(
exp
->
dir
==
IP_CT_DIR_ORIGINAL
)
{
range
.
flags
|=
IP_NAT_RANGE_PROTO_SPECIFIED
;
range
.
min
=
range
.
max
=
exp
->
saved_proto
;
}
/* hook doesn't matter, but it has to do source manip */
ip_nat_setup_info
(
ct
,
&
range
,
NF_IP_POST_ROUTING
);
/* For DST manip, map port here to where it's expected. */
range
.
flags
=
IP_NAT_RANGE_MAP_IPS
;
range
.
min_ip
=
range
.
max_ip
=
ct
->
master
->
tuplehash
[
!
exp
->
dir
].
tuple
.
src
.
ip
;
if
(
exp
->
dir
==
IP_CT_DIR_REPLY
)
{
range
.
flags
|=
IP_NAT_RANGE_PROTO_SPECIFIED
;
range
.
min
=
range
.
max
=
exp
->
saved_proto
;
}
/* hook doesn't matter, but it has to do destination manip */
ip_nat_setup_info
(
ct
,
&
range
,
NF_IP_PRE_ROUTING
);
}
}
/* outbound packets == from PNS to PAC */
/* outbound packets == from PNS to PAC */
...
@@ -213,7 +237,7 @@ pptp_exp_gre(struct ip_conntrack_expect *expect_orig,
...
@@ -213,7 +237,7 @@ pptp_exp_gre(struct ip_conntrack_expect *expect_orig,
/* alter expectation for PNS->PAC direction */
/* alter expectation for PNS->PAC direction */
invert_tuplepr
(
&
inv_t
,
&
expect_orig
->
tuple
);
invert_tuplepr
(
&
inv_t
,
&
expect_orig
->
tuple
);
expect_orig
->
saved_proto
.
gre
.
key
=
htons
(
nat_pptp_info
->
pac
_call_id
);
expect_orig
->
saved_proto
.
gre
.
key
=
htons
(
ct_pptp_info
->
pns
_call_id
);
expect_orig
->
tuple
.
src
.
u
.
gre
.
key
=
htons
(
nat_pptp_info
->
pns_call_id
);
expect_orig
->
tuple
.
src
.
u
.
gre
.
key
=
htons
(
nat_pptp_info
->
pns_call_id
);
expect_orig
->
tuple
.
dst
.
u
.
gre
.
key
=
htons
(
ct_pptp_info
->
pac_call_id
);
expect_orig
->
tuple
.
dst
.
u
.
gre
.
key
=
htons
(
ct_pptp_info
->
pac_call_id
);
expect_orig
->
dir
=
IP_CT_DIR_ORIGINAL
;
expect_orig
->
dir
=
IP_CT_DIR_ORIGINAL
;
...
...
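Review bot: `struct ip_nat_range range;` in pptp_nat_expected is declared without an initialiser, and `range.min`/`range.max` are assigned only when `exp->dir` matches, so on the other path `ip_nat_setup_info()` is handed uninitialised stack in those fields. That is harmless only if ip_nat_setup_info ignores them whenever IP_NAT_RANGE_PROTO_SPECIFIED is clear, which cannot be seen from this hunk; on the second call they can also still hold the value written for the first. A `memset(&range, 0, sizeof(range));` before each of the two setup blocks would make both calls independent of that assumption. The function body starts outside the hunk.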
net/ipv6/addrconf.c
...
@@ -1022,6 +1022,7 @@ int ipv6_dev_get_saddr(struct net_device *daddr_dev,
...
@@ -1022,6 +1022,7 @@ int ipv6_dev_get_saddr(struct net_device *daddr_dev,
continue
;
continue
;
}
}
#ifdef CONFIG_IPV6_PRIVACY
/* Rule 7: Prefer public address
/* Rule 7: Prefer public address
* Note: prefer temprary address if use_tempaddr >= 2
* Note: prefer temprary address if use_tempaddr >= 2
*/
*/
...
@@ -1042,7 +1043,7 @@ int ipv6_dev_get_saddr(struct net_device *daddr_dev,
...
@@ -1042,7 +1043,7 @@ int ipv6_dev_get_saddr(struct net_device *daddr_dev,
if
(
hiscore
.
attrs
&
IPV6_SADDR_SCORE_PRIVACY
)
if
(
hiscore
.
attrs
&
IPV6_SADDR_SCORE_PRIVACY
)
continue
;
continue
;
}
}
#endif
/* Rule 8: Use longest matching prefix */
/* Rule 8: Use longest matching prefix */
if
(
hiscore
.
rule
<
8
)
if
(
hiscore
.
rule
<
8
)
hiscore
.
matchlen
=
ipv6_addr_diff
(
&
ifa_result
->
addr
,
daddr
);
hiscore
.
matchlen
=
ipv6_addr_diff
(
&
ifa_result
->
addr
,
daddr
);
...
...
net/ipv6/ip6_tunnel.c
...
@@ -525,6 +525,7 @@ ip6ip6_rcv(struct sk_buff **pskb, unsigned int *nhoffp)
...
@@ -525,6 +525,7 @@ ip6ip6_rcv(struct sk_buff **pskb, unsigned int *nhoffp)
if
((
t
=
ip6ip6_tnl_lookup
(
&
ipv6h
->
saddr
,
&
ipv6h
->
daddr
))
!=
NULL
)
{
if
((
t
=
ip6ip6_tnl_lookup
(
&
ipv6h
->
saddr
,
&
ipv6h
->
daddr
))
!=
NULL
)
{
if
(
!
xfrm6_policy_check
(
NULL
,
XFRM_POLICY_IN
,
skb
))
{
if
(
!
xfrm6_policy_check
(
NULL
,
XFRM_POLICY_IN
,
skb
))
{
read_unlock
(
&
ip6ip6_lock
);
kfree_skb
(
skb
);
kfree_skb
(
skb
);
return
0
;
return
0
;
}
}
...
...
net/netfilter/nfnetlink.c
...
@@ -128,7 +128,7 @@ void __nfa_fill(struct sk_buff *skb, int attrtype, int attrlen,
...
@@ -128,7 +128,7 @@ void __nfa_fill(struct sk_buff *skb, int attrtype, int attrlen,
memset
(
NFA_DATA
(
nfa
)
+
attrlen
,
0
,
NFA_ALIGN
(
size
)
-
size
);
memset
(
NFA_DATA
(
nfa
)
+
attrlen
,
0
,
NFA_ALIGN
(
size
)
-
size
);
}
}
int
nfattr_parse
(
struct
nfattr
*
tb
[],
int
maxattr
,
struct
nfattr
*
nfa
,
int
len
)
void
nfattr_parse
(
struct
nfattr
*
tb
[],
int
maxattr
,
struct
nfattr
*
nfa
,
int
len
)
{
{
memset
(
tb
,
0
,
sizeof
(
struct
nfattr
*
)
*
maxattr
);
memset
(
tb
,
0
,
sizeof
(
struct
nfattr
*
)
*
maxattr
);
...
@@ -138,8 +138,6 @@ int nfattr_parse(struct nfattr *tb[], int maxattr, struct nfattr *nfa, int len)
...
@@ -138,8 +138,6 @@ int nfattr_parse(struct nfattr *tb[], int maxattr, struct nfattr *nfa, int len)
tb
[
flavor
-
1
]
=
nfa
;
tb
[
flavor
-
1
]
=
nfa
;
nfa
=
NFA_NEXT
(
nfa
,
len
);
nfa
=
NFA_NEXT
(
nfa
,
len
);
}
}
return
0
;
}
}
/**
/**
...
@@ -242,12 +240,15 @@ static inline int nfnetlink_rcv_msg(struct sk_buff *skb,
...
@@ -242,12 +240,15 @@ static inline int nfnetlink_rcv_msg(struct sk_buff *skb,
ss
=
nfnetlink_get_subsys
(
type
);
ss
=
nfnetlink_get_subsys
(
type
);
if
(
!
ss
)
{
if
(
!
ss
)
{
#ifdef CONFIG_KMOD
#ifdef CONFIG_KMOD
if
(
cap_raised
(
NETLINK_CB
(
skb
).
eff_cap
,
CAP_NET_ADMIN
))
{
/* don't call nfnl_shunlock, since it would reenter
/* don't call nfnl_shunlock, since it would reenter
* with further packet processing */
* with further packet processing */
up
(
&
nfnl_sem
);
up
(
&
nfnl_sem
);
request_module
(
"nfnetlink-subsys-%d"
,
NFNL_SUBSYS_ID
(
type
));
request_module
(
"nfnetlink-subsys-%d"
,
NFNL_SUBSYS_ID
(
type
));
nfnl_shlock
();
nfnl_shlock
();
ss
=
nfnetlink_get_subsys
(
type
);
ss
=
nfnetlink_get_subsys
(
type
);
}
if
(
!
ss
)
if
(
!
ss
)
#endif
#endif
goto
err_inval
;
goto
err_inval
;
...
...
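Review bot: With `nfattr_parse()` returning `void` on the new side as rendered here, the definition carries no comment telling callers what they now have to check themselves. I would add a kernel-doc block above it stating that `tb` must have room for `maxattr` pointers, that it is zeroed and then filled with the attributes found, that nothing is reported for malformed or truncated input, and that callers must test each `tb[]` slot for NULL and for its payload length (for example with `nfattr_bad_size()`) before dereferencing it. The loop header and the bound applied to `flavor` are outside the hunk, so the wording about which attributes are skipped should be checked against them.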