0b60afba
Commit
0b60afba
authored
Feb 15, 2006
by
Linus Torvalds
Merge master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6
parents
61be6d66
7c6de058
Showing
14 changed files
with
63 additions
and
27 deletions
+63
-27
include/linux/netfilter.h
include/linux/netfilter.h
+16
-5
include/net/ip.h
include/net/ip.h
+1
-0
include/net/xfrm.h
include/net/xfrm.h
+0
-1
net/ipv4/ip_gre.c
net/ipv4/ip_gre.c
+2
-1
net/ipv4/ip_output.c
net/ipv4/ip_output.c
+10
-6
net/ipv4/ipip.c
net/ipv4/ipip.c
+2
-1
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+0
-5
net/ipv4/xfrm4_output.c
net/ipv4/xfrm4_output.c
+10
-3
net/ipv6/icmp.c
net/ipv6/icmp.c
+6
-0
net/ipv6/netfilter/ip6t_REJECT.c
net/ipv6/netfilter/ip6t_REJECT.c
+2
-0
net/netfilter/Kconfig
net/netfilter/Kconfig
+3
-3
net/netfilter/nf_conntrack_core.c
net/netfilter/nf_conntrack_core.c
+5
-0
net/netfilter/nf_conntrack_proto_tcp.c
net/netfilter/nf_conntrack_proto_tcp.c
+3
-1
net/netfilter/nf_conntrack_proto_udp.c
net/netfilter/nf_conntrack_proto_udp.c
+3
-1
include/linux/netfilter.h
...
...
@@ -184,8 +184,11 @@ static inline int nf_hook_thresh(int pf, unsigned int hook,
struct
sk_buff
**
pskb
,
struct
net_device
*
indev
,
struct
net_device
*
outdev
,
int
(
*
okfn
)(
struct
sk_buff
*
),
int
thresh
)
int
(
*
okfn
)(
struct
sk_buff
*
),
int
thresh
,
int
cond
)
{
if
(
!
cond
)
return
1
;
#ifndef CONFIG_NETFILTER_DEBUG
if
(
list_empty
(
&
nf_hooks
[
pf
][
hook
]))
return
1
;
...
...
@@ -197,7 +200,7 @@ static inline int nf_hook(int pf, unsigned int hook, struct sk_buff **pskb,
struct
net_device
*
indev
,
struct
net_device
*
outdev
,
int
(
*
okfn
)(
struct
sk_buff
*
))
{
return
nf_hook_thresh
(
pf
,
hook
,
pskb
,
indev
,
outdev
,
okfn
,
INT_MIN
);
return
nf_hook_thresh
(
pf
,
hook
,
pskb
,
indev
,
outdev
,
okfn
,
INT_MIN
,
1
);
}
/* Activate hook; either okfn or kfree_skb called, unless a hook
...
...
@@ -224,7 +227,13 @@ static inline int nf_hook(int pf, unsigned int hook, struct sk_buff **pskb,
#define NF_HOOK_THRESH(pf, hook, skb, indev, outdev, okfn, thresh) \
({int __ret; \
if ((__ret=nf_hook_thresh(pf, hook, &(skb), indev, outdev, okfn, thresh)) == 1)\
if ((__ret=nf_hook_thresh(pf, hook, &(skb), indev, outdev, okfn, thresh, 1)) == 1)\
__ret = (okfn)(skb); \
__ret;})
#define NF_HOOK_COND(pf, hook, skb, indev, outdev, okfn, cond) \
({int __ret; \
if ((__ret=nf_hook_thresh(pf, hook, &(skb), indev, outdev, okfn, INT_MIN, cond)) == 1)\
__ret = (okfn)(skb); \
__ret;})
...
...
@@ -295,11 +304,13 @@ extern struct proc_dir_entry *proc_net_netfilter;
#else
/* !CONFIG_NETFILTER */
#define NF_HOOK(pf, hook, skb, indev, outdev, okfn) (okfn)(skb)
#define NF_HOOK_COND(pf, hook, skb, indev, outdev, okfn, cond) (okfn)(skb)
static
inline
int
nf_hook_thresh
(
int
pf
,
unsigned
int
hook
,
struct
sk_buff
**
pskb
,
struct
net_device
*
indev
,
struct
net_device
*
outdev
,
int
(
*
okfn
)(
struct
sk_buff
*
),
int
thresh
)
int
(
*
okfn
)(
struct
sk_buff
*
),
int
thresh
,
int
cond
)
{
return
okfn
(
*
pskb
);
}
...
...
@@ -307,7 +318,7 @@ static inline int nf_hook(int pf, unsigned int hook, struct sk_buff **pskb,
struct
net_device
*
indev
,
struct
net_device
*
outdev
,
int
(
*
okfn
)(
struct
sk_buff
*
))
{
return
okfn
(
*
pskb
)
;
return
1
;
}
static
inline
void
nf_ct_attach
(
struct
sk_buff
*
new
,
struct
sk_buff
*
skb
)
{}
struct
flowi
;
...
...
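Review bot: The new `cond` argument of nf_hook_thresh() and the NF_HOOK_COND macro are undocumented, although a false `cond` returns 1 before any registered hook is consulted, so the packet skips filtering at that hook entirely. A comment above NF_HOOK_COND would make the contract explicit, for example `/* cond == 0: skip all hooks at this point and call okfn directly; cond must come from state the caller owns. */`. The !CONFIG_NETFILTER stubs also deserve a line: the nf_hook_thresh() stub ignores `cond` and calls okfn itself, while the nf_hook() stub now returns 1 and leaves the call to its caller.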
include/net/ip.h
...
...
@@ -41,6 +41,7 @@ struct inet_skb_parm
#define IPSKB_XFRM_TUNNEL_SIZE 2
#define IPSKB_XFRM_TRANSFORMED 4
#define IPSKB_FRAG_COMPLETE 8
#define IPSKB_REROUTED 16
};
struct
ipcm_cookie
...
...
include/net/xfrm.h
...
...
@@ -866,7 +866,6 @@ extern int xfrm_state_mtu(struct xfrm_state *x, int mtu);
extern
int
xfrm_init_state
(
struct
xfrm_state
*
x
);
extern
int
xfrm4_rcv
(
struct
sk_buff
*
skb
);
extern
int
xfrm4_output
(
struct
sk_buff
*
skb
);
extern
int
xfrm4_output_finish
(
struct
sk_buff
*
skb
);
extern
int
xfrm4_tunnel_register
(
struct
xfrm_tunnel
*
handler
);
extern
int
xfrm4_tunnel_deregister
(
struct
xfrm_tunnel
*
handler
);
extern
int
xfrm6_rcv_spi
(
struct
sk_buff
**
pskb
,
u32
spi
);
...
...
net/ipv4/ip_gre.c
...
...
@@ -830,7 +830,8 @@ static int ipgre_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
skb
->
h
.
raw
=
skb
->
nh
.
raw
;
skb
->
nh
.
raw
=
skb_push
(
skb
,
gre_hlen
);
memset
(
&
(
IPCB
(
skb
)
->
opt
),
0
,
sizeof
(
IPCB
(
skb
)
->
opt
));
IPCB
(
skb
)
->
flags
&=
~
(
IPSKB_XFRM_TUNNEL_SIZE
|
IPSKB_XFRM_TRANSFORMED
);
IPCB
(
skb
)
->
flags
&=
~
(
IPSKB_XFRM_TUNNEL_SIZE
|
IPSKB_XFRM_TRANSFORMED
|
IPSKB_REROUTED
);
dst_release
(
skb
->
dst
);
skb
->
dst
=
&
rt
->
u
.
dst
;
...
...
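Review bot: The mask cleared from `IPCB(skb)->flags` in ipgre_tunnel_xmit is spelled out by hand here and again, identically, in ipip_tunnel_xmit in net/ipv4/ipip.c. A stale IPSKB_REROUTED on the encapsulated packet would make ip_output() skip the POST_ROUTING hooks for the outer header, so it is worth giving the mask one name next to the flag definitions in include/net/ip.h, e.g. `#define IPSKB_XMIT_RESET_FLAGS (IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED | IPSKB_REROUTED)` (the name is only a suggestion), and using it in both places. Other encapsulation paths that reuse the control block are not visible on this page and may need the same clearing. The function body starts and ends outside the hunk.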
net/ipv4/ip_output.c
...
...
@@ -207,8 +207,10 @@ static inline int ip_finish_output(struct sk_buff *skb)
{
#if defined(CONFIG_NETFILTER) && defined(CONFIG_XFRM)
/* Policy lookup after SNAT yielded a new policy */
if
(
skb
->
dst
->
xfrm
!=
NULL
)
return
xfrm4_output_finish
(
skb
);
if
(
skb
->
dst
->
xfrm
!=
NULL
)
{
IPCB
(
skb
)
->
flags
|=
IPSKB_REROUTED
;
return
dst_output
(
skb
);
}
#endif
if
(
skb
->
len
>
dst_mtu
(
skb
->
dst
)
&&
!
(
skb_shinfo
(
skb
)
->
ufo_size
||
skb_shinfo
(
skb
)
->
tso_size
))
...
...
@@ -271,8 +273,9 @@ int ip_mc_output(struct sk_buff *skb)
newskb
->
dev
,
ip_dev_loopback_xmit
);
}
return
NF_HOOK
(
PF_INET
,
NF_IP_POST_ROUTING
,
skb
,
NULL
,
skb
->
dev
,
ip_finish_output
);
return
NF_HOOK_COND
(
PF_INET
,
NF_IP_POST_ROUTING
,
skb
,
NULL
,
skb
->
dev
,
ip_finish_output
,
!
(
IPCB
(
skb
)
->
flags
&
IPSKB_REROUTED
));
}
int
ip_output
(
struct
sk_buff
*
skb
)
...
...
@@ -284,8 +287,9 @@ int ip_output(struct sk_buff *skb)
skb
->
dev
=
dev
;
skb
->
protocol
=
htons
(
ETH_P_IP
);
return
NF_HOOK
(
PF_INET
,
NF_IP_POST_ROUTING
,
skb
,
NULL
,
dev
,
ip_finish_output
);
return
NF_HOOK_COND
(
PF_INET
,
NF_IP_POST_ROUTING
,
skb
,
NULL
,
dev
,
ip_finish_output
,
!
(
IPCB
(
skb
)
->
flags
&
IPSKB_REROUTED
));
}
int
ip_queue_xmit
(
struct
sk_buff
*
skb
,
int
ipfragok
)
...
...
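Review bot: In ip_finish_output the comment `/* Policy lookup after SNAT yielded a new policy */` now sits above a branch that sets IPSKB_REROUTED and re-enters dst_output(), and nothing says that the flag exists to stop the POST_ROUTING hooks from running a second time. I would extend the comment, e.g. `/* Policy lookup after SNAT yielded a new policy: mark the skb so the next pass through the output path skips POST_ROUTING */`. No visible line in this file clears the flag, so its correctness depends on every path that reuses the skb clearing it, which is worth stating at the `#define` as well. ip_finish_output continues past the end of the hunk.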
net/ipv4/ipip.c
...
...
@@ -622,7 +622,8 @@ static int ipip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev)
skb
->
h
.
raw
=
skb
->
nh
.
raw
;
skb
->
nh
.
raw
=
skb_push
(
skb
,
sizeof
(
struct
iphdr
));
memset
(
&
(
IPCB
(
skb
)
->
opt
),
0
,
sizeof
(
IPCB
(
skb
)
->
opt
));
IPCB
(
skb
)
->
flags
&=
~
(
IPSKB_XFRM_TUNNEL_SIZE
|
IPSKB_XFRM_TRANSFORMED
);
IPCB
(
skb
)
->
flags
&=
~
(
IPSKB_XFRM_TUNNEL_SIZE
|
IPSKB_XFRM_TRANSFORMED
|
IPSKB_REROUTED
);
dst_release
(
skb
->
dst
);
skb
->
dst
=
&
rt
->
u
.
dst
;
...
...
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
...
...
@@ -529,15 +529,10 @@ static int init_or_cleanup(int init)
goto
cleanup_localinops
;
}
#endif
/* For use by REJECT target */
ip_ct_attach
=
__nf_conntrack_attach
;
return
ret
;
cleanup:
synchronize_net
();
ip_ct_attach
=
NULL
;
#ifdef CONFIG_SYSCTL
unregister_sysctl_table
(
nf_ct_ipv4_sysctl_header
);
cleanup_localinops:
...
...
net/ipv4/xfrm4_output.c
...
...
@@ -152,10 +152,16 @@ static int xfrm4_output_one(struct sk_buff *skb)
goto
out_exit
;
}
int
xfrm4_output_finish
(
struct
sk_buff
*
skb
)
static
int
xfrm4_output_finish
(
struct
sk_buff
*
skb
)
{
int
err
;
#ifdef CONFIG_NETFILTER
if
(
!
skb
->
dst
->
xfrm
)
{
IPCB
(
skb
)
->
flags
|=
IPSKB_REROUTED
;
return
dst_output
(
skb
);
}
#endif
while
(
likely
((
err
=
xfrm4_output_one
(
skb
))
==
0
))
{
nf_reset
(
skb
);
...
...
@@ -178,6 +184,7 @@ int xfrm4_output_finish(struct sk_buff *skb)
int
xfrm4_output
(
struct
sk_buff
*
skb
)
{
return
NF_HOOK
(
PF_INET
,
NF_IP_POST_ROUTING
,
skb
,
NULL
,
skb
->
dst
->
dev
,
xfrm4_output_finish
);
return
NF_HOOK_COND
(
PF_INET
,
NF_IP_POST_ROUTING
,
skb
,
NULL
,
skb
->
dst
->
dev
,
xfrm4_output_finish
,
!
(
IPCB
(
skb
)
->
flags
&
IPSKB_REROUTED
));
}
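Review bot: The expression `!(IPCB(skb)->flags & IPSKB_REROUTED)` passed to NF_HOOK_COND in xfrm4_output is the third copy of the same test; ip_mc_output and ip_output in net/ipv4/ip_output.c carry the other two. Because this test decides whether POST_ROUTING filtering runs at all, a single static inline helper in include/net/ip.h would keep the three call sites from drifting apart. The new early return in xfrm4_output_finish (`if (!skb->dst->xfrm)`) also has no comment saying when a packet reaches it without a transform; one line there would help.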
net/ipv6/icmp.c
...
...
@@ -42,6 +42,7 @@
#include <linux/net.h>
#include <linux/skbuff.h>
#include <linux/init.h>
#include <linux/netfilter.h>
#ifdef CONFIG_SYSCTL
#include <linux/sysctl.h>
...
...
@@ -255,6 +256,7 @@ static int icmpv6_push_pending_frames(struct sock *sk, struct flowi *fl, struct
struct
icmpv6_msg
{
struct
sk_buff
*
skb
;
int
offset
;
uint8_t
type
;
};
static
int
icmpv6_getfrag
(
void
*
from
,
char
*
to
,
int
offset
,
int
len
,
int
odd
,
struct
sk_buff
*
skb
)
...
...
@@ -266,6 +268,8 @@ static int icmpv6_getfrag(void *from, char *to, int offset, int len, int odd, st
csum
=
skb_copy_and_csum_bits
(
org_skb
,
msg
->
offset
+
offset
,
to
,
len
,
csum
);
skb
->
csum
=
csum_block_add
(
skb
->
csum
,
csum
,
odd
);
if
(
!
(
msg
->
type
&
ICMPV6_INFOMSG_MASK
))
nf_ct_attach
(
skb
,
org_skb
);
return
0
;
}
...
...
@@ -403,6 +407,7 @@ void icmpv6_send(struct sk_buff *skb, int type, int code, __u32 info,
msg
.
skb
=
skb
;
msg
.
offset
=
skb
->
nh
.
raw
-
skb
->
data
;
msg
.
type
=
type
;
len
=
skb
->
len
-
msg
.
offset
;
len
=
min_t
(
unsigned
int
,
len
,
IPV6_MIN_MTU
-
sizeof
(
struct
ipv6hdr
)
-
sizeof
(
struct
icmp6hdr
));
...
...
@@ -500,6 +505,7 @@ static void icmpv6_echo_reply(struct sk_buff *skb)
msg
.
skb
=
skb
;
msg
.
offset
=
0
;
msg
.
type
=
ICMPV6_ECHO_REPLY
;
err
=
ip6_append_data
(
sk
,
icmpv6_getfrag
,
&
msg
,
skb
->
len
+
sizeof
(
struct
icmp6hdr
),
sizeof
(
struct
icmp6hdr
),
hlimit
,
tclass
,
NULL
,
&
fl
,
...
...
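Review bot: The `nf_ct_attach(skb, org_skb)` call added to icmpv6_getfrag is a conntrack side effect inside a data-copy callback, and nothing explains why it is limited to messages without ICMPV6_INFOMSG_MASK. A comment such as `/* error messages belong to the flow of the offending packet; informational ones do not */` would record the intent. If the callback can run more than once for the same skb, the attach is repeated; whether nf_ct_attach tolerates that is not visible here and should be confirmed. Note also that icmpv6_send stores its `int type` into the new `uint8_t type` field, so values above 255 would be truncated before the mask test.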
net/ipv6/netfilter/ip6t_REJECT.c
...
...
@@ -160,6 +160,8 @@ static void send_reset(struct sk_buff *oldskb)
csum_partial
((
char
*
)
tcph
,
sizeof
(
struct
tcphdr
),
0
));
nf_ct_attach
(
nskb
,
oldskb
);
NF_HOOK
(
PF_INET6
,
NF_IP6_LOCAL_OUT
,
nskb
,
NULL
,
nskb
->
dst
->
dev
,
dst_output
);
}
...
...
net/netfilter/Kconfig
...
...
@@ -126,7 +126,7 @@ config NETFILTER_XT_TARGET_CONNMARK
tristate '"CONNMARK" target support'
depends on NETFILTER_XTABLES
depends on IP_NF_MANGLE || IP6_NF_MANGLE
depends on (IP_NF_CONNTRACK && IP_NF_CONNTRACK_MARK) || (NF_CONNTRACK_MARK && NF_CONNTRACK
_IPV4
)
depends on (IP_NF_CONNTRACK && IP_NF_CONNTRACK_MARK) || (NF_CONNTRACK_MARK && NF_CONNTRACK)
help
This option adds a `CONNMARK' target, which allows one to manipulate
the connection mark value. Similar to the MARK target, but
...
...
@@ -187,7 +187,7 @@ config NETFILTER_XT_MATCH_COMMENT
config NETFILTER_XT_MATCH_CONNBYTES
tristate '"connbytes" per-connection counter match support'
depends on NETFILTER_XTABLES
depends on (IP_NF_CONNTRACK && IP_NF_CT_ACCT) ||
NF_CT_ACCT
depends on (IP_NF_CONNTRACK && IP_NF_CT_ACCT) ||
(NF_CT_ACCT && NF_CONNTRACK)
help
This option adds a `connbytes' match, which allows you to match the
number of bytes and/or packets for each direction within a connection.
...
...
@@ -198,7 +198,7 @@ config NETFILTER_XT_MATCH_CONNBYTES
config NETFILTER_XT_MATCH_CONNMARK
tristate '"connmark" connection mark match support'
depends on NETFILTER_XTABLES
depends on (IP_NF_CONNTRACK && IP_NF_CONNTRACK_MARK) ||
NF_CONNTRACK_MARK
depends on (IP_NF_CONNTRACK && IP_NF_CONNTRACK_MARK) ||
(NF_CONNTRACK_MARK && NF_CONNTRACK)
help
This option adds a `connmark' match, which allows you to match the
connection mark value previously set for the session by `CONNMARK'.
...
...
net/netfilter/nf_conntrack_core.c
...
...
@@ -1556,6 +1556,8 @@ void nf_conntrack_cleanup(void)
{
int
i
;
ip_ct_attach
=
NULL
;
/* This makes sure all current packets have passed through
netfilter framework. Roll on, two-stage module
delete... */
...
...
@@ -1715,6 +1717,9 @@ int __init nf_conntrack_init(void)
nf_ct_l3protos
[
i
]
=
&
nf_conntrack_generic_l3proto
;
write_unlock_bh
(
&
nf_conntrack_lock
);
/* For use by REJECT target */
ip_ct_attach
=
__nf_conntrack_attach
;
/* Set up fake conntrack:
- to never be deleted, not in any hashes */
atomic_set
(
&
nf_conntrack_untracked
.
ct_general
.
use
,
1
);
...
...
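Review bot: `ip_ct_attach` is assigned with a plain store in both nf_conntrack_init and nf_conntrack_cleanup, with no comment on how that is ordered against packets that read the pointer concurrently. In cleanup the clear is placed before the existing comment about letting current packets pass through netfilter, which suggests the wait that follows is what makes unloading safe; saying so explicitly, e.g. `/* stop new callers first; the wait below drains those already inside */`, would protect the ordering from later reshuffling. In init the pointer is published before the fake conntrack set-up that follows it in the hunk, so it may be safer to move the assignment to the end of initialisation. Both functions extend beyond the hunks shown.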
net/netfilter/nf_conntrack_proto_tcp.c
...
...
@@ -864,7 +864,9 @@ static int csum6(const struct sk_buff *skb, unsigned int dataoff)
{
return
csum_ipv6_magic
(
&
skb
->
nh
.
ipv6h
->
saddr
,
&
skb
->
nh
.
ipv6h
->
daddr
,
skb
->
len
-
dataoff
,
IPPROTO_TCP
,
skb
->
ip_summed
==
CHECKSUM_HW
?
skb
->
csum
skb
->
ip_summed
==
CHECKSUM_HW
?
csum_sub
(
skb
->
csum
,
skb_checksum
(
skb
,
0
,
dataoff
,
0
))
:
skb_checksum
(
skb
,
dataoff
,
skb
->
len
-
dataoff
,
0
));
}
...
...
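Review bot: The CHECKSUM_HW branch of csum6 now subtracts `skb_checksum(skb, 0, dataoff, 0)` from `skb->csum`, but there is no comment explaining that the hardware sum is taken to start at offset 0 rather than at the transport header; the same uncommented change is made to csum6 in net/netfilter/nf_conntrack_proto_udp.c. Something like `/* skb->csum covers the bytes before dataoff too; remove them */` above the expression would do. Both the new call and the existing `skb->len - dataoff` assume dataoff does not exceed skb->len; that check is presumably made by the caller, which is outside the hunk. As the two functions differ only in the protocol constant, a shared helper taking the protocol number would remove the duplication.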
net/netfilter/nf_conntrack_proto_udp.c
...
...
@@ -161,7 +161,9 @@ static int csum6(const struct sk_buff *skb, unsigned int dataoff)
{
return
csum_ipv6_magic
(
&
skb
->
nh
.
ipv6h
->
saddr
,
&
skb
->
nh
.
ipv6h
->
daddr
,
skb
->
len
-
dataoff
,
IPPROTO_UDP
,
skb
->
ip_summed
==
CHECKSUM_HW
?
skb
->
csum
skb
->
ip_summed
==
CHECKSUM_HW
?
csum_sub
(
skb
->
csum
,
skb_checksum
(
skb
,
0
,
dataoff
,
0
))
:
skb_checksum
(
skb
,
dataoff
,
skb
->
len
-
dataoff
,
0
));
}
...
...