Commit
272a5322
authored
Feb 27, 2006
by
Linus Torvalds
Merge master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6
parents
051d3cbd
ba13c984
Showing
11 changed files
with
109 additions
and
155 deletions
+109
-155
include/linux/netfilter_bridge/ebt_log.h
include/linux/netfilter_bridge/ebt_log.h
+1
-0
include/linux/netfilter_ipv4/ipt_LOG.h
include/linux/netfilter_ipv4/ipt_LOG.h
+2
-1
include/linux/netfilter_ipv6/ip6t_LOG.h
include/linux/netfilter_ipv6/ip6t_LOG.h
+2
-1
include/net/xfrm.h
include/net/xfrm.h
+0
-1
net/bridge/netfilter/ebt_log.c
net/bridge/netfilter/ebt_log.c
+6
-1
net/core/request_sock.c
net/core/request_sock.c
+0
-1
net/ipv4/esp4.c
net/ipv4/esp4.c
+66
-119
net/ipv4/netfilter/ipt_LOG.c
net/ipv4/netfilter/ipt_LOG.c
+6
-1
net/ipv6/netfilter/ip6t_LOG.c
net/ipv6/netfilter/ip6t_LOG.c
+6
-1
net/netfilter/nf_queue.c
net/netfilter/nf_queue.c
+20
-22
net/xfrm/xfrm_policy.c
net/xfrm/xfrm_policy.c
+0
-7
include/linux/netfilter_bridge/ebt_log.h
...
@@ -3,6 +3,7 @@
...
@@ -3,6 +3,7 @@
#define EBT_LOG_IP 0x01
/* if the frame is made by ip, log the ip information */
#define EBT_LOG_IP 0x01
/* if the frame is made by ip, log the ip information */
#define EBT_LOG_ARP 0x02
#define EBT_LOG_ARP 0x02
#define EBT_LOG_NFLOG 0x04
#define EBT_LOG_MASK (EBT_LOG_IP | EBT_LOG_ARP)
#define EBT_LOG_MASK (EBT_LOG_IP | EBT_LOG_ARP)
#define EBT_LOG_PREFIX_SIZE 30
#define EBT_LOG_PREFIX_SIZE 30
#define EBT_LOG_WATCHER "log"
#define EBT_LOG_WATCHER "log"
...
...
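Review bot: `EBT_LOG_MASK` stays `(EBT_LOG_IP | EBT_LOG_ARP)` after `EBT_LOG_NFLOG 0x04` is added, whereas the IPv4 and IPv6 headers in this same commit widen their masks from 0x0f to 0x1f to take in the new bit. If the watcher's check routine (not shown on this page) validates `info->bitmask` against `EBT_LOG_MASK`, a rule that sets the new flag would be rejected and the `nf_log_packet()` branch added in ebt_log.c could never be reached; if it does not, the bit is accepted without validation. After checking the other users of the mask, either extend it, `#define EBT_LOG_MASK (EBT_LOG_IP | EBT_LOG_ARP | EBT_LOG_NFLOG)`, or add a comment saying why the flag is deliberately kept outside it.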
include/linux/netfilter_ipv4/ipt_LOG.h
...
@@ -6,7 +6,8 @@
...
@@ -6,7 +6,8 @@
#define IPT_LOG_TCPOPT 0x02
/* Log TCP options */
#define IPT_LOG_TCPOPT 0x02
/* Log TCP options */
#define IPT_LOG_IPOPT 0x04
/* Log IP options */
#define IPT_LOG_IPOPT 0x04
/* Log IP options */
#define IPT_LOG_UID 0x08
/* Log UID owning local socket */
#define IPT_LOG_UID 0x08
/* Log UID owning local socket */
#define IPT_LOG_MASK 0x0f
#define IPT_LOG_NFLOG 0x10
/* Log using nf_log backend */
#define IPT_LOG_MASK 0x1f
struct
ipt_log_info
{
struct
ipt_log_info
{
unsigned
char
level
;
unsigned
char
level
;
...
...
include/linux/netfilter_ipv6/ip6t_LOG.h
...
@@ -6,7 +6,8 @@
...
@@ -6,7 +6,8 @@
#define IP6T_LOG_TCPOPT 0x02
/* Log TCP options */
#define IP6T_LOG_TCPOPT 0x02
/* Log TCP options */
#define IP6T_LOG_IPOPT 0x04
/* Log IP options */
#define IP6T_LOG_IPOPT 0x04
/* Log IP options */
#define IP6T_LOG_UID 0x08
/* Log UID owning local socket */
#define IP6T_LOG_UID 0x08
/* Log UID owning local socket */
#define IP6T_LOG_MASK 0x0f
#define IP6T_LOG_NFLOG 0x10
/* Log using nf_log backend */
#define IP6T_LOG_MASK 0x1f
struct
ip6t_log_info
{
struct
ip6t_log_info
{
unsigned
char
level
;
unsigned
char
level
;
...
...
include/net/xfrm.h
...
@@ -233,7 +233,6 @@ struct xfrm_type
...
@@ -233,7 +233,6 @@ struct xfrm_type
int
(
*
init_state
)(
struct
xfrm_state
*
x
);
int
(
*
init_state
)(
struct
xfrm_state
*
x
);
void
(
*
destructor
)(
struct
xfrm_state
*
);
void
(
*
destructor
)(
struct
xfrm_state
*
);
int
(
*
input
)(
struct
xfrm_state
*
,
struct
xfrm_decap_state
*
,
struct
sk_buff
*
skb
);
int
(
*
input
)(
struct
xfrm_state
*
,
struct
xfrm_decap_state
*
,
struct
sk_buff
*
skb
);
int
(
*
post_input
)(
struct
xfrm_state
*
,
struct
xfrm_decap_state
*
,
struct
sk_buff
*
skb
);
int
(
*
output
)(
struct
xfrm_state
*
,
struct
sk_buff
*
pskb
);
int
(
*
output
)(
struct
xfrm_state
*
,
struct
sk_buff
*
pskb
);
/* Estimate maximal size of result of transformation of a dgram */
/* Estimate maximal size of result of transformation of a dgram */
u32
(
*
get_max_size
)(
struct
xfrm_state
*
,
int
size
);
u32
(
*
get_max_size
)(
struct
xfrm_state
*
,
int
size
);
...
...
net/bridge/netfilter/ebt_log.c
...
@@ -166,7 +166,12 @@ static void ebt_log(const struct sk_buff *skb, unsigned int hooknr,
...
@@ -166,7 +166,12 @@ static void ebt_log(const struct sk_buff *skb, unsigned int hooknr,
li
.
u
.
log
.
level
=
info
->
loglevel
;
li
.
u
.
log
.
level
=
info
->
loglevel
;
li
.
u
.
log
.
logflags
=
info
->
bitmask
;
li
.
u
.
log
.
logflags
=
info
->
bitmask
;
nf_log_packet
(
PF_BRIDGE
,
hooknr
,
skb
,
in
,
out
,
&
li
,
info
->
prefix
);
if
(
info
->
bitmask
&
EBT_LOG_NFLOG
)
nf_log_packet
(
PF_BRIDGE
,
hooknr
,
skb
,
in
,
out
,
&
li
,
info
->
prefix
);
else
ebt_log_packet
(
PF_BRIDGE
,
hooknr
,
skb
,
in
,
out
,
&
li
,
info
->
prefix
);
}
}
static
struct
ebt_watcher
log
=
static
struct
ebt_watcher
log
=
...
...
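Review bot: The new `if (info->bitmask & EBT_LOG_NFLOG)` branch in ebt_log() changes where a rule's log records are sent, and nothing at the call site says so. A rule whose bitmask lacks the bit, which presumably includes every ruleset written before the flag existed, now goes to this module's own `ebt_log_packet()` rather than through `nf_log_packet()`, so anyone collecting these records through a registered nf_log backend would stop receiving them until the rule is changed. A short comment above the branch would record the intent, for example `/* Use the registered nf_log backend only when the rule asks for it; otherwise use the built-in logger. */`. The same applies to the matching branches added in ipt_log_target() and ip6t_log_target(). The body of ebt_log() starts outside the hunk.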
net/core/request_sock.c
...
@@ -52,7 +52,6 @@ int reqsk_queue_alloc(struct request_sock_queue *queue,
...
@@ -52,7 +52,6 @@ int reqsk_queue_alloc(struct request_sock_queue *queue,
get_random_bytes
(
&
lopt
->
hash_rnd
,
sizeof
(
lopt
->
hash_rnd
));
get_random_bytes
(
&
lopt
->
hash_rnd
,
sizeof
(
lopt
->
hash_rnd
));
rwlock_init
(
&
queue
->
syn_wait_lock
);
rwlock_init
(
&
queue
->
syn_wait_lock
);
queue
->
rskq_accept_head
=
queue
->
rskq_accept_head
=
NULL
;
queue
->
rskq_accept_head
=
queue
->
rskq_accept_head
=
NULL
;
queue
->
rskq_defer_accept
=
0
;
lopt
->
nr_table_entries
=
nr_table_entries
;
lopt
->
nr_table_entries
=
nr_table_entries
;
write_lock_bh
(
&
queue
->
syn_wait_lock
);
write_lock_bh
(
&
queue
->
syn_wait_lock
);
...
...
net/ipv4/esp4.c
...
@@ -12,13 +12,6 @@
...
@@ -12,13 +12,6 @@
#include <net/protocol.h>
#include <net/protocol.h>
#include <net/udp.h>
#include <net/udp.h>
/* decapsulation data for use when post-processing */
struct
esp_decap_data
{
xfrm_address_t
saddr
;
__u16
sport
;
__u8
proto
;
};
static
int
esp_output
(
struct
xfrm_state
*
x
,
struct
sk_buff
*
skb
)
static
int
esp_output
(
struct
xfrm_state
*
x
,
struct
sk_buff
*
skb
)
{
{
int
err
;
int
err
;
...
@@ -150,6 +143,10 @@ static int esp_input(struct xfrm_state *x, struct xfrm_decap_state *decap, struc
...
@@ -150,6 +143,10 @@ static int esp_input(struct xfrm_state *x, struct xfrm_decap_state *decap, struc
int
elen
=
skb
->
len
-
sizeof
(
struct
ip_esp_hdr
)
-
esp
->
conf
.
ivlen
-
alen
;
int
elen
=
skb
->
len
-
sizeof
(
struct
ip_esp_hdr
)
-
esp
->
conf
.
ivlen
-
alen
;
int
nfrags
;
int
nfrags
;
int
encap_len
=
0
;
int
encap_len
=
0
;
u8
nexthdr
[
2
];
struct
scatterlist
*
sg
;
u8
workbuf
[
60
];
int
padlen
;
if
(
!
pskb_may_pull
(
skb
,
sizeof
(
struct
ip_esp_hdr
)))
if
(
!
pskb_may_pull
(
skb
,
sizeof
(
struct
ip_esp_hdr
)))
goto
out
;
goto
out
;
...
@@ -185,122 +182,82 @@ static int esp_input(struct xfrm_state *x, struct xfrm_decap_state *decap, struc
...
@@ -185,122 +182,82 @@ static int esp_input(struct xfrm_state *x, struct xfrm_decap_state *decap, struc
if
(
esp
->
conf
.
ivlen
)
if
(
esp
->
conf
.
ivlen
)
crypto_cipher_set_iv
(
esp
->
conf
.
tfm
,
esph
->
enc_data
,
crypto_tfm_alg_ivsize
(
esp
->
conf
.
tfm
));
crypto_cipher_set_iv
(
esp
->
conf
.
tfm
,
esph
->
enc_data
,
crypto_tfm_alg_ivsize
(
esp
->
conf
.
tfm
));
{
sg
=
&
esp
->
sgbuf
[
0
];
u8
nexthdr
[
2
];
struct
scatterlist
*
sg
=
&
esp
->
sgbuf
[
0
];
u8
workbuf
[
60
];
int
padlen
;
if
(
unlikely
(
nfrags
>
ESP_NUM_FAST_SG
))
{
sg
=
kmalloc
(
sizeof
(
struct
scatterlist
)
*
nfrags
,
GFP_ATOMIC
);
if
(
!
sg
)
goto
out
;
}
skb_to_sgvec
(
skb
,
sg
,
sizeof
(
struct
ip_esp_hdr
)
+
esp
->
conf
.
ivlen
,
elen
);
crypto_cipher_decrypt
(
esp
->
conf
.
tfm
,
sg
,
sg
,
elen
);
if
(
unlikely
(
sg
!=
&
esp
->
sgbuf
[
0
]))
kfree
(
sg
);
if
(
skb_copy_bits
(
skb
,
skb
->
len
-
alen
-
2
,
nexthdr
,
2
))
BUG
();
padlen
=
nexthdr
[
0
];
if
(
unlikely
(
nfrags
>
ESP_NUM_FAST_SG
))
{
if
(
padlen
+
2
>=
elen
)
sg
=
kmalloc
(
sizeof
(
struct
scatterlist
)
*
nfrags
,
GFP_ATOMIC
);
if
(
!
sg
)
goto
out
;
goto
out
;
/* ... check padding bits here. Silly. :-) */
if
(
x
->
encap
&&
decap
&&
decap
->
decap_type
)
{
struct
esp_decap_data
*
encap_data
;
struct
udphdr
*
uh
=
(
struct
udphdr
*
)
(
iph
+
1
);
encap_data
=
(
struct
esp_decap_data
*
)
(
decap
->
decap_data
);
encap_data
->
proto
=
0
;
switch
(
decap
->
decap_type
)
{
case
UDP_ENCAP_ESPINUDP
:
case
UDP_ENCAP_ESPINUDP_NON_IKE
:
encap_data
->
proto
=
AF_INET
;
encap_data
->
saddr
.
a4
=
iph
->
saddr
;
encap_data
->
sport
=
uh
->
source
;
encap_len
=
(
void
*
)
esph
-
(
void
*
)
uh
;
break
;
default:
goto
out
;
}
}
iph
->
protocol
=
nexthdr
[
1
];
pskb_trim
(
skb
,
skb
->
len
-
alen
-
padlen
-
2
);
memcpy
(
workbuf
,
skb
->
nh
.
raw
,
iph
->
ihl
*
4
);
skb
->
h
.
raw
=
skb_pull
(
skb
,
sizeof
(
struct
ip_esp_hdr
)
+
esp
->
conf
.
ivlen
);
skb
->
nh
.
raw
+=
encap_len
+
sizeof
(
struct
ip_esp_hdr
)
+
esp
->
conf
.
ivlen
;
memcpy
(
skb
->
nh
.
raw
,
workbuf
,
iph
->
ihl
*
4
);
skb
->
nh
.
iph
->
tot_len
=
htons
(
skb
->
len
);
}
}
skb_to_sgvec
(
skb
,
sg
,
sizeof
(
struct
ip_esp_hdr
)
+
esp
->
conf
.
ivlen
,
elen
);
crypto_cipher_decrypt
(
esp
->
conf
.
tfm
,
sg
,
sg
,
elen
);
if
(
unlikely
(
sg
!=
&
esp
->
sgbuf
[
0
]))
kfree
(
sg
);
return
0
;
if
(
skb_copy_bits
(
skb
,
skb
->
len
-
alen
-
2
,
nexthdr
,
2
))
BUG
();
out:
padlen
=
nexthdr
[
0
];
return
-
EINVAL
;
if
(
padlen
+
2
>=
elen
)
}
goto
out
;
static
int
esp_post_input
(
struct
xfrm_state
*
x
,
struct
xfrm_decap_state
*
decap
,
struct
sk_buff
*
skb
)
/* ... check padding bits here. Silly. :-) */
{
if
(
x
->
encap
)
{
struct
xfrm_encap_tmpl
*
encap
;
struct
esp_decap_data
*
decap_data
;
encap
=
x
->
encap
;
if
(
x
->
encap
)
{
decap_data
=
(
struct
esp_decap_data
*
)(
decap
->
decap_data
);
struct
xfrm_encap_tmpl
*
encap
=
x
->
encap
;
struct
udphdr
*
uh
;
/* first, make sure that the decap type == the encap type */
if
(
encap
->
encap_type
!=
decap
->
decap_type
)
if
(
encap
->
encap_type
!=
decap
->
decap_type
)
return
-
EINVAL
;
goto
out
;
switch
(
encap
->
encap_type
)
{
uh
=
(
struct
udphdr
*
)(
iph
+
1
);
default:
encap_len
=
(
void
*
)
esph
-
(
void
*
)
uh
;
case
UDP_ENCAP_ESPINUDP
:
case
UDP_ENCAP_ESPINUDP_NON_IKE
:
/*
/*
* 1) if the NAT-T peer's IP or port changed then
* 1) if the NAT-T peer's IP or port changed then
* advertize the change to the keying daemon.
* advertize the change to the keying daemon.
* This is an inbound SA, so just compare
* This is an inbound SA, so just compare
* SRC ports.
* SRC ports.
*/
*/
if
(
iph
->
saddr
!=
x
->
props
.
saddr
.
a4
||
if
(
decap_data
->
proto
==
AF_INET
&&
uh
->
source
!=
encap
->
encap_sport
)
{
(
decap_data
->
saddr
.
a4
!=
x
->
props
.
saddr
.
a4
||
xfrm_address_t
ipaddr
;
decap_data
->
sport
!=
encap
->
encap_sport
))
{
xfrm_address_t
ipaddr
;
ipaddr
.
a4
=
iph
->
saddr
;
km_new_mapping
(
x
,
&
ipaddr
,
uh
->
source
);
ipaddr
.
a4
=
decap_data
->
saddr
.
a4
;
km_new_mapping
(
x
,
&
ipaddr
,
decap_data
->
sport
);
/* XXX: perhaps add an extra
* policy check here, to see
/* XXX: perhaps add an extra
* if we should allow or
* policy check here, to see
* reject a packet from a
* if we should allow or
* different source
* reject a packet from a
* address/port.
* different source
* address/port.
*/
}
/*
* 2) ignore UDP/TCP checksums in case
* of NAT-T in Transport Mode, or
* perform other post-processing fixes
* as per * draft-ietf-ipsec-udp-encaps-06,
* section 3.1.2
*/
*/
if
(
!
x
->
props
.
mode
)
skb
->
ip_summed
=
CHECKSUM_UNNECESSARY
;
break
;
}
}
/*
* 2) ignore UDP/TCP checksums in case
* of NAT-T in Transport Mode, or
* perform other post-processing fixes
* as per draft-ietf-ipsec-udp-encaps-06,
* section 3.1.2
*/
if
(
!
x
->
props
.
mode
)
skb
->
ip_summed
=
CHECKSUM_UNNECESSARY
;
}
}
iph
->
protocol
=
nexthdr
[
1
];
pskb_trim
(
skb
,
skb
->
len
-
alen
-
padlen
-
2
);
memcpy
(
workbuf
,
skb
->
nh
.
raw
,
iph
->
ihl
*
4
);
skb
->
h
.
raw
=
skb_pull
(
skb
,
sizeof
(
struct
ip_esp_hdr
)
+
esp
->
conf
.
ivlen
);
skb
->
nh
.
raw
+=
encap_len
+
sizeof
(
struct
ip_esp_hdr
)
+
esp
->
conf
.
ivlen
;
memcpy
(
skb
->
nh
.
raw
,
workbuf
,
iph
->
ihl
*
4
);
skb
->
nh
.
iph
->
tot_len
=
htons
(
skb
->
len
);
return
0
;
return
0
;
out:
return
-
EINVAL
;
}
}
static
u32
esp4_get_max_size
(
struct
xfrm_state
*
x
,
int
mtu
)
static
u32
esp4_get_max_size
(
struct
xfrm_state
*
x
,
int
mtu
)
...
@@ -458,7 +415,6 @@ static struct xfrm_type esp_type =
...
@@ -458,7 +415,6 @@ static struct xfrm_type esp_type =
.
destructor
=
esp_destroy
,
.
destructor
=
esp_destroy
,
.
get_max_size
=
esp4_get_max_size
,
.
get_max_size
=
esp4_get_max_size
,
.
input
=
esp_input
,
.
input
=
esp_input
,
.
post_input
=
esp_post_input
,
.
output
=
esp_output
.
output
=
esp_output
};
};
...
@@ -470,15 +426,6 @@ static struct net_protocol esp4_protocol = {
...
@@ -470,15 +426,6 @@ static struct net_protocol esp4_protocol = {
static
int
__init
esp4_init
(
void
)
static
int
__init
esp4_init
(
void
)
{
{
struct
xfrm_decap_state
decap
;
if
(
sizeof
(
struct
esp_decap_data
)
>
sizeof
(
decap
.
decap_data
))
{
extern
void
decap_data_too_small
(
void
);
decap_data_too_small
();
}
if
(
xfrm_register_type
(
&
esp_type
,
AF_INET
)
<
0
)
{
if
(
xfrm_register_type
(
&
esp_type
,
AF_INET
)
<
0
)
{
printk
(
KERN_INFO
"ip esp init: can't add xfrm type
\n
"
);
printk
(
KERN_INFO
"ip esp init: can't add xfrm type
\n
"
);
return
-
EAGAIN
;
return
-
EAGAIN
;
...
...
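Review bot: In the NAT-T block now folded into esp_input(), `decap->decap_type` is read without the NULL test the removed code had (`x->encap && decap && decap->decap_type`); the new condition is only `if (x->encap)`. Whether any caller can pass a NULL `decap` is not visible on this page, so either keep the guard, `if (!decap || encap->encap_type != decap->decap_type) goto out;`, or state in a comment that callers always supply it. The same block takes `uh = (struct udphdr *)(iph + 1)`, which, if `iph` is the outer IPv4 header, assumes that header carries no options. It then hands `iph->saddr` and `uh->source` to km_new_mapping(), so the existing XXX remark about a missing policy check on a changed source address/port still applies. The side of each line is inferred from the two-column rendering, and esp_input() begins outside the hunk.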
net/ipv4/netfilter/ipt_LOG.c
...
@@ -425,7 +425,12 @@ ipt_log_target(struct sk_buff **pskb,
...
@@ -425,7 +425,12 @@ ipt_log_target(struct sk_buff **pskb,
li
.
u
.
log
.
level
=
loginfo
->
level
;
li
.
u
.
log
.
level
=
loginfo
->
level
;
li
.
u
.
log
.
logflags
=
loginfo
->
logflags
;
li
.
u
.
log
.
logflags
=
loginfo
->
logflags
;
nf_log_packet
(
PF_INET
,
hooknum
,
*
pskb
,
in
,
out
,
&
li
,
loginfo
->
prefix
);
if
(
loginfo
->
logflags
&
IPT_LOG_NFLOG
)
nf_log_packet
(
PF_INET
,
hooknum
,
*
pskb
,
in
,
out
,
&
li
,
loginfo
->
prefix
);
else
ipt_log_packet
(
PF_INET
,
hooknum
,
*
pskb
,
in
,
out
,
&
li
,
loginfo
->
prefix
);
return
IPT_CONTINUE
;
return
IPT_CONTINUE
;
}
}
...
...
net/ipv6/netfilter/ip6t_LOG.c
...
@@ -436,7 +436,12 @@ ip6t_log_target(struct sk_buff **pskb,
...
@@ -436,7 +436,12 @@ ip6t_log_target(struct sk_buff **pskb,
li
.
u
.
log
.
level
=
loginfo
->
level
;
li
.
u
.
log
.
level
=
loginfo
->
level
;
li
.
u
.
log
.
logflags
=
loginfo
->
logflags
;
li
.
u
.
log
.
logflags
=
loginfo
->
logflags
;
nf_log_packet
(
PF_INET6
,
hooknum
,
*
pskb
,
in
,
out
,
&
li
,
loginfo
->
prefix
);
if
(
loginfo
->
logflags
&
IP6T_LOG_NFLOG
)
nf_log_packet
(
PF_INET6
,
hooknum
,
*
pskb
,
in
,
out
,
&
li
,
loginfo
->
prefix
);
else
ip6t_log_packet
(
PF_INET6
,
hooknum
,
*
pskb
,
in
,
out
,
&
li
,
loginfo
->
prefix
);
return
IP6T_CONTINUE
;
return
IP6T_CONTINUE
;
}
}
...
...
net/netfilter/nf_queue.c
...
@@ -6,6 +6,7 @@
...
@@ -6,6 +6,7 @@
#include <linux/skbuff.h>
#include <linux/skbuff.h>
#include <linux/netfilter.h>
#include <linux/netfilter.h>
#include <linux/seq_file.h>
#include <linux/seq_file.h>
#include <linux/rcupdate.h>
#include <net/protocol.h>
#include <net/protocol.h>
#include "nf_internals.h"
#include "nf_internals.h"
...
@@ -16,7 +17,7 @@
...
@@ -16,7 +17,7 @@
* for queueing and must reinject all packets it receives, no matter what.
* for queueing and must reinject all packets it receives, no matter what.
*/
*/
static
struct
nf_queue_handler
*
queue_handler
[
NPROTO
];
static
struct
nf_queue_handler
*
queue_handler
[
NPROTO
];
static
struct
nf_queue_rerouter
*
queue_rerouter
;
static
struct
nf_queue_rerouter
*
queue_rerouter
[
NPROTO
]
;
static
DEFINE_RWLOCK
(
queue_handler_lock
);
static
DEFINE_RWLOCK
(
queue_handler_lock
);
...
@@ -64,7 +65,7 @@ int nf_register_queue_rerouter(int pf, struct nf_queue_rerouter *rer)
...
@@ -64,7 +65,7 @@ int nf_register_queue_rerouter(int pf, struct nf_queue_rerouter *rer)
return
-
EINVAL
;
return
-
EINVAL
;
write_lock_bh
(
&
queue_handler_lock
);
write_lock_bh
(
&
queue_handler_lock
);
memcpy
(
&
queue_rerouter
[
pf
],
rer
,
sizeof
(
queue_rerouter
[
pf
])
);
rcu_assign_pointer
(
queue_rerouter
[
pf
],
rer
);
write_unlock_bh
(
&
queue_handler_lock
);
write_unlock_bh
(
&
queue_handler_lock
);
return
0
;
return
0
;
...
@@ -77,8 +78,9 @@ int nf_unregister_queue_rerouter(int pf)
...
@@ -77,8 +78,9 @@ int nf_unregister_queue_rerouter(int pf)
return
-
EINVAL
;
return
-
EINVAL
;
write_lock_bh
(
&
queue_handler_lock
);
write_lock_bh
(
&
queue_handler_lock
);
memset
(
&
queue_rerouter
[
pf
],
0
,
sizeof
(
queue_rerouter
[
pf
])
);
rcu_assign_pointer
(
queue_rerouter
[
pf
],
NULL
);
write_unlock_bh
(
&
queue_handler_lock
);
write_unlock_bh
(
&
queue_handler_lock
);
synchronize_rcu
();
return
0
;
return
0
;
}
}
EXPORT_SYMBOL_GPL
(
nf_unregister_queue_rerouter
);
EXPORT_SYMBOL_GPL
(
nf_unregister_queue_rerouter
);
...
@@ -114,16 +116,17 @@ int nf_queue(struct sk_buff **skb,
...
@@ -114,16 +116,17 @@ int nf_queue(struct sk_buff **skb,
struct
net_device
*
physindev
=
NULL
;
struct
net_device
*
physindev
=
NULL
;
struct
net_device
*
physoutdev
=
NULL
;
struct
net_device
*
physoutdev
=
NULL
;
#endif
#endif
struct
nf_queue_rerouter
*
rerouter
;
/* QUEUE == DROP if noone is waiting, to be safe. */
/* QUEUE == DROP if noone is waiting, to be safe. */
read_lock
(
&
queue_handler_lock
);
read_lock
(
&
queue_handler_lock
);
if
(
!
queue_handler
[
pf
]
||
!
queue_handler
[
pf
]
->
outfn
)
{
if
(
!
queue_handler
[
pf
])
{
read_unlock
(
&
queue_handler_lock
);
read_unlock
(
&
queue_handler_lock
);
kfree_skb
(
*
skb
);
kfree_skb
(
*
skb
);
return
1
;
return
1
;
}
}
info
=
kmalloc
(
sizeof
(
*
info
)
+
queue_rerouter
[
pf
]
.
rer_size
,
GFP_ATOMIC
);
info
=
kmalloc
(
sizeof
(
*
info
)
+
queue_rerouter
[
pf
]
->
rer_size
,
GFP_ATOMIC
);
if
(
!
info
)
{
if
(
!
info
)
{
if
(
net_ratelimit
())
if
(
net_ratelimit
())
printk
(
KERN_ERR
"OOM queueing packet %p
\n
"
,
printk
(
KERN_ERR
"OOM queueing packet %p
\n
"
,
...
@@ -155,15 +158,13 @@ int nf_queue(struct sk_buff **skb,
...
@@ -155,15 +158,13 @@ int nf_queue(struct sk_buff **skb,
if
(
physoutdev
)
dev_hold
(
physoutdev
);
if
(
physoutdev
)
dev_hold
(
physoutdev
);
}
}
#endif
#endif
if
(
queue_rerouter
[
pf
].
save
)
rerouter
=
rcu_dereference
(
queue_rerouter
[
pf
]);
queue_rerouter
[
pf
].
save
(
*
skb
,
info
);
if
(
rerouter
)
rerouter
->
save
(
*
skb
,
info
);
status
=
queue_handler
[
pf
]
->
outfn
(
*
skb
,
info
,
queuenum
,
status
=
queue_handler
[
pf
]
->
outfn
(
*
skb
,
info
,
queuenum
,
queue_handler
[
pf
]
->
data
);
queue_handler
[
pf
]
->
data
);
if
(
status
>=
0
&&
queue_rerouter
[
pf
].
reroute
)
status
=
queue_rerouter
[
pf
].
reroute
(
skb
,
info
);
read_unlock
(
&
queue_handler_lock
);
read_unlock
(
&
queue_handler_lock
);
if
(
status
<
0
)
{
if
(
status
<
0
)
{
...
@@ -189,6 +190,7 @@ void nf_reinject(struct sk_buff *skb, struct nf_info *info,
...
@@ -189,6 +190,7 @@ void nf_reinject(struct sk_buff *skb, struct nf_info *info,
{
{
struct
list_head
*
elem
=
&
info
->
elem
->
list
;
struct
list_head
*
elem
=
&
info
->
elem
->
list
;
struct
list_head
*
i
;
struct
list_head
*
i
;
struct
nf_queue_rerouter
*
rerouter
;
rcu_read_lock
();
rcu_read_lock
();
...
@@ -212,7 +214,7 @@ void nf_reinject(struct sk_buff *skb, struct nf_info *info,
...
@@ -212,7 +214,7 @@ void nf_reinject(struct sk_buff *skb, struct nf_info *info,
break
;
break
;
}
}
if
(
elem
==
&
nf_hooks
[
info
->
pf
][
info
->
hook
])
{
if
(
i
==
&
nf_hooks
[
info
->
pf
][
info
->
hook
])
{
/* The module which sent it to userspace is gone. */
/* The module which sent it to userspace is gone. */
NFDEBUG
(
"%s: module disappeared, dropping packet.
\n
"
,
NFDEBUG
(
"%s: module disappeared, dropping packet.
\n
"
,
__FUNCTION__
);
__FUNCTION__
);
...
@@ -225,6 +227,12 @@ void nf_reinject(struct sk_buff *skb, struct nf_info *info,
...
@@ -225,6 +227,12 @@ void nf_reinject(struct sk_buff *skb, struct nf_info *info,
verdict
=
NF_ACCEPT
;
verdict
=
NF_ACCEPT
;
}
}
if
(
verdict
==
NF_ACCEPT
)
{
rerouter
=
rcu_dereference
(
queue_rerouter
[
info
->
pf
]);
if
(
rerouter
&&
rerouter
->
reroute
(
&
skb
,
info
)
<
0
)
verdict
=
NF_DROP
;
}
if
(
verdict
==
NF_ACCEPT
)
{
if
(
verdict
==
NF_ACCEPT
)
{
next_hook:
next_hook:
verdict
=
nf_iterate
(
&
nf_hooks
[
info
->
pf
][
info
->
hook
],
verdict
=
nf_iterate
(
&
nf_hooks
[
info
->
pf
][
info
->
hook
],
...
@@ -322,22 +330,12 @@ int __init netfilter_queue_init(void)
...
@@ -322,22 +330,12 @@ int __init netfilter_queue_init(void)
{
{
#ifdef CONFIG_PROC_FS
#ifdef CONFIG_PROC_FS
struct
proc_dir_entry
*
pde
;
struct
proc_dir_entry
*
pde
;
#endif
queue_rerouter
=
kmalloc
(
NPROTO
*
sizeof
(
struct
nf_queue_rerouter
),
GFP_KERNEL
);
if
(
!
queue_rerouter
)
return
-
ENOMEM
;
#ifdef CONFIG_PROC_FS
pde
=
create_proc_entry
(
"nf_queue"
,
S_IRUGO
,
proc_net_netfilter
);
pde
=
create_proc_entry
(
"nf_queue"
,
S_IRUGO
,
proc_net_netfilter
);
if
(
!
pde
)
{
if
(
!
pde
)
kfree
(
queue_rerouter
);
return
-
1
;
return
-
1
;
}
pde
->
proc_fops
=
&
nfqueue_file_ops
;
pde
->
proc_fops
=
&
nfqueue_file_ops
;
#endif
#endif
memset
(
queue_rerouter
,
0
,
NPROTO
*
sizeof
(
struct
nf_queue_rerouter
));
return
0
;
return
0
;
}
}
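Review bot: In nf_queue(), the new allocation `kmalloc(sizeof(*info) + queue_rerouter[pf]->rer_size, GFP_ATOMIC)` dereferences the per-family pointer unconditionally and without rcu_dereference(). The array now holds pointers that start out NULL and that nf_unregister_queue_rerouter() resets to NULL, and the `save` call a few lines later is already guarded by `if (rerouter)`. For a family that has a queue handler but no registered rerouter, this looks like a NULL dereference in the packet path. Loading the pointer once before the allocation would cover both uses: `rerouter = rcu_dereference(queue_rerouter[pf]);` followed by `sizeof(*info) + (rerouter ? rerouter->rer_size : 0)`. The function body continues outside the visible hunks, so whether an RCU read-side section is held around these reads cannot be confirmed from the page.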
net/xfrm/xfrm_policy.c
...
@@ -996,13 +996,6 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
...
@@ -996,13 +996,6 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
struct
sec_decap_state
*
xvec
=
&
(
skb
->
sp
->
x
[
i
]);
struct
sec_decap_state
*
xvec
=
&
(
skb
->
sp
->
x
[
i
]);
if
(
!
xfrm_selector_match
(
&
xvec
->
xvec
->
sel
,
&
fl
,
family
))
if
(
!
xfrm_selector_match
(
&
xvec
->
xvec
->
sel
,
&
fl
,
family
))
return
0
;
return
0
;
/* If there is a post_input processor, try running it */
if
(
xvec
->
xvec
->
type
->
post_input
&&
(
xvec
->
xvec
->
type
->
post_input
)(
xvec
->
xvec
,
&
(
xvec
->
decap
),
skb
)
!=
0
)
return
0
;
}
}
}
}
...
...