Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
L
linux
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
linux
Commits
424eff97
Commit
424eff97
authored
Dec 03, 2009
by
David S. Miller
Browse files
Options
Browse Files
Download
Plain Diff
Merge branch 'master' of
git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6
parents
55dbabee
3666ed1c
Changes
32
Hide whitespace changes
Inline
Side-by-side
Showing
32 changed files
with
253 additions
and
257 deletions
+253
-257
include/linux/netfilter/nf_conntrack_tcp.h
include/linux/netfilter/nf_conntrack_tcp.h
+3
-0
net/ipv4/netfilter/arp_tables.c
net/ipv4/netfilter/arp_tables.c
+11
-11
net/ipv4/netfilter/ip_queue.c
net/ipv4/netfilter/ip_queue.c
+2
-3
net/ipv4/netfilter/ip_tables.c
net/ipv4/netfilter/ip_tables.c
+23
-23
net/ipv4/netfilter/ipt_CLUSTERIP.c
net/ipv4/netfilter/ipt_CLUSTERIP.c
+10
-10
net/ipv4/netfilter/ipt_ECN.c
net/ipv4/netfilter/ipt_ECN.c
+4
-4
net/ipv4/netfilter/ipt_LOG.c
net/ipv4/netfilter/ipt_LOG.c
+11
-11
net/ipv4/netfilter/ipt_MASQUERADE.c
net/ipv4/netfilter/ipt_MASQUERADE.c
+2
-2
net/ipv4/netfilter/ipt_REJECT.c
net/ipv4/netfilter/ipt_REJECT.c
+2
-2
net/ipv4/netfilter/ipt_ULOG.c
net/ipv4/netfilter/ipt_ULOG.c
+3
-3
net/ipv4/netfilter/ipt_ecn.c
net/ipv4/netfilter/ipt_ecn.c
+2
-2
net/ipv4/netfilter/iptable_mangle.c
net/ipv4/netfilter/iptable_mangle.c
+2
-2
net/ipv4/netfilter/iptable_security.c
net/ipv4/netfilter/iptable_security.c
+2
-2
net/ipv4/netfilter/nf_conntrack_proto_icmp.c
net/ipv4/netfilter/nf_conntrack_proto_icmp.c
+14
-14
net/ipv4/netfilter/nf_nat_helper.c
net/ipv4/netfilter/nf_nat_helper.c
+9
-13
net/ipv4/netfilter/nf_nat_standalone.c
net/ipv4/netfilter/nf_nat_standalone.c
+5
-5
net/ipv6/netfilter/ip6_queue.c
net/ipv6/netfilter/ip6_queue.c
+2
-3
net/ipv6/netfilter/ip6_tables.c
net/ipv6/netfilter/ip6_tables.c
+21
-21
net/ipv6/netfilter/ip6t_LOG.c
net/ipv6/netfilter/ip6t_LOG.c
+2
-2
net/ipv6/netfilter/ip6t_REJECT.c
net/ipv6/netfilter/ip6t_REJECT.c
+2
-2
net/ipv6/netfilter/ip6t_ah.c
net/ipv6/netfilter/ip6t_ah.c
+8
-11
net/ipv6/netfilter/ip6t_frag.c
net/ipv6/netfilter/ip6t_frag.c
+21
-26
net/ipv6/netfilter/ip6t_rt.c
net/ipv6/netfilter/ip6t_rt.c
+3
-6
net/ipv6/netfilter/ip6table_filter.c
net/ipv6/netfilter/ip6table_filter.c
+2
-2
net/ipv6/netfilter/ip6table_mangle.c
net/ipv6/netfilter/ip6table_mangle.c
+7
-7
net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+6
-6
net/netfilter/nf_conntrack_core.c
net/netfilter/nf_conntrack_core.c
+10
-4
net/netfilter/nf_conntrack_proto_tcp.c
net/netfilter/nf_conntrack_proto_tcp.c
+41
-10
net/netfilter/nfnetlink_log.c
net/netfilter/nfnetlink_log.c
+1
-2
net/netfilter/nfnetlink_queue.c
net/netfilter/nfnetlink_queue.c
+1
-2
net/netfilter/xt_conntrack.c
net/netfilter/xt_conntrack.c
+17
-44
net/netfilter/xt_socket.c
net/netfilter/xt_socket.c
+4
-2
No files found.
include/linux/netfilter/nf_conntrack_tcp.h
View file @
424eff97
...
...
@@ -66,6 +66,9 @@ struct ip_ct_tcp {
u_int32_t
last_ack
;
/* Last sequence number seen in opposite dir */
u_int32_t
last_end
;
/* Last seq + len */
u_int16_t
last_win
;
/* Last window advertisement seen in dir */
/* For SYN packets while we may be out-of-sync */
u_int8_t
last_wscale
;
/* Last window scaling factor seen */
u_int8_t
last_flags
;
/* Last flags set */
};
#endif
/* __KERNEL__ */
...
...
net/ipv4/netfilter/arp_tables.c
View file @
424eff97
...
...
@@ -384,11 +384,11 @@ static int mark_source_chains(struct xt_table_info *newinfo,
|=
((
1
<<
hook
)
|
(
1
<<
NF_ARP_NUMHOOKS
));
/* Unconditional return/END. */
if
((
e
->
target_offset
==
sizeof
(
struct
arpt_entry
)
&&
(
strcmp
(
t
->
target
.
u
.
user
.
name
,
ARPT_STANDARD_TARGET
)
==
0
)
&&
t
->
verdict
<
0
&&
unconditional
(
&
e
->
arp
))
||
visited
)
{
if
((
e
->
target_offset
==
sizeof
(
struct
arpt_entry
)
&&
(
strcmp
(
t
->
target
.
u
.
user
.
name
,
ARPT_STANDARD_TARGET
)
==
0
)
&&
t
->
verdict
<
0
&&
unconditional
(
&
e
->
arp
))
||
visited
)
{
unsigned
int
oldpos
,
size
;
if
((
strcmp
(
t
->
target
.
u
.
user
.
name
,
...
...
@@ -427,8 +427,8 @@ static int mark_source_chains(struct xt_table_info *newinfo,
int
newpos
=
t
->
verdict
;
if
(
strcmp
(
t
->
target
.
u
.
user
.
name
,
ARPT_STANDARD_TARGET
)
==
0
&&
newpos
>=
0
)
{
ARPT_STANDARD_TARGET
)
==
0
&&
newpos
>=
0
)
{
if
(
newpos
>
newinfo
->
size
-
sizeof
(
struct
arpt_entry
))
{
duprintf
(
"mark_source_chains: "
...
...
@@ -559,8 +559,8 @@ static inline int check_entry_size_and_hooks(struct arpt_entry *e,
{
unsigned
int
h
;
if
((
unsigned
long
)
e
%
__alignof__
(
struct
arpt_entry
)
!=
0
||
(
unsigned
char
*
)
e
+
sizeof
(
struct
arpt_entry
)
>=
limit
)
{
if
((
unsigned
long
)
e
%
__alignof__
(
struct
arpt_entry
)
!=
0
||
(
unsigned
char
*
)
e
+
sizeof
(
struct
arpt_entry
)
>=
limit
)
{
duprintf
(
"Bad offset %p
\n
"
,
e
);
return
-
EINVAL
;
}
...
...
@@ -1251,8 +1251,8 @@ check_compat_entry_size_and_hooks(struct compat_arpt_entry *e,
int
ret
,
off
,
h
;
duprintf
(
"check_compat_entry_size_and_hooks %p
\n
"
,
e
);
if
((
unsigned
long
)
e
%
__alignof__
(
struct
compat_arpt_entry
)
!=
0
||
(
unsigned
char
*
)
e
+
sizeof
(
struct
compat_arpt_entry
)
>=
limit
)
{
if
((
unsigned
long
)
e
%
__alignof__
(
struct
compat_arpt_entry
)
!=
0
||
(
unsigned
char
*
)
e
+
sizeof
(
struct
compat_arpt_entry
)
>=
limit
)
{
duprintf
(
"Bad offset %p, limit = %p
\n
"
,
e
,
limit
);
return
-
EINVAL
;
}
...
...
net/ipv4/netfilter/ip_queue.c
View file @
424eff97
...
...
@@ -497,8 +497,7 @@ ipq_rcv_nl_event(struct notifier_block *this,
{
struct
netlink_notify
*
n
=
ptr
;
if
(
event
==
NETLINK_URELEASE
&&
n
->
protocol
==
NETLINK_FIREWALL
&&
n
->
pid
)
{
if
(
event
==
NETLINK_URELEASE
&&
n
->
protocol
==
NETLINK_FIREWALL
)
{
write_lock_bh
(
&
queue_lock
);
if
((
net_eq
(
n
->
net
,
&
init_net
))
&&
(
n
->
pid
==
peer_pid
))
__ipq_reset
();
...
...
@@ -622,7 +621,7 @@ cleanup_ipqnl: __maybe_unused
static
void
__exit
ip_queue_fini
(
void
)
{
nf_unregister_queue_handlers
(
&
nfqh
);
synchronize_net
();
ipq_flush
(
NULL
,
0
);
#ifdef CONFIG_SYSCTL
...
...
net/ipv4/netfilter/ip_tables.c
View file @
424eff97
...
...
@@ -89,9 +89,9 @@ ip_packet_match(const struct iphdr *ip,
#define FWINV(bool, invflg) ((bool) ^ !!(ipinfo->invflags & (invflg)))
if
(
FWINV
((
ip
->
saddr
&
ipinfo
->
smsk
.
s_addr
)
!=
ipinfo
->
src
.
s_addr
,
IPT_INV_SRCIP
)
||
FWINV
((
ip
->
daddr
&
ipinfo
->
dmsk
.
s_addr
)
!=
ipinfo
->
dst
.
s_addr
,
IPT_INV_DSTIP
))
{
IPT_INV_SRCIP
)
||
FWINV
((
ip
->
daddr
&
ipinfo
->
dmsk
.
s_addr
)
!=
ipinfo
->
dst
.
s_addr
,
IPT_INV_DSTIP
))
{
dprintf
(
"Source or dest mismatch.
\n
"
);
dprintf
(
"SRC: %pI4. Mask: %pI4. Target: %pI4.%s
\n
"
,
...
...
@@ -122,8 +122,8 @@ ip_packet_match(const struct iphdr *ip,
}
/* Check specific protocol */
if
(
ipinfo
->
proto
&&
FWINV
(
ip
->
protocol
!=
ipinfo
->
proto
,
IPT_INV_PROTO
))
{
if
(
ipinfo
->
proto
&&
FWINV
(
ip
->
protocol
!=
ipinfo
->
proto
,
IPT_INV_PROTO
))
{
dprintf
(
"Packet protocol %hi does not match %hi.%s
\n
"
,
ip
->
protocol
,
ipinfo
->
proto
,
ipinfo
->
invflags
&
IPT_INV_PROTO
?
" (INV)"
:
""
);
...
...
@@ -246,11 +246,11 @@ get_chainname_rulenum(struct ipt_entry *s, struct ipt_entry *e,
}
else
if
(
s
==
e
)
{
(
*
rulenum
)
++
;
if
(
s
->
target_offset
==
sizeof
(
struct
ipt_entry
)
&&
strcmp
(
t
->
target
.
u
.
kernel
.
target
->
name
,
IPT_STANDARD_TARGET
)
==
0
&&
t
->
verdict
<
0
&&
unconditional
(
&
s
->
ip
))
{
if
(
s
->
target_offset
==
sizeof
(
struct
ipt_entry
)
&&
strcmp
(
t
->
target
.
u
.
kernel
.
target
->
name
,
IPT_STANDARD_TARGET
)
==
0
&&
t
->
verdict
<
0
&&
unconditional
(
&
s
->
ip
))
{
/* Tail of chains: STANDARD target (return/policy) */
*
comment
=
*
chainname
==
hookname
?
comments
[
NF_IP_TRACE_COMMENT_POLICY
]
...
...
@@ -388,8 +388,8 @@ ipt_do_table(struct sk_buff *skb,
back
=
get_entry
(
table_base
,
back
->
comefrom
);
continue
;
}
if
(
table_base
+
v
!=
ipt_next_entry
(
e
)
&&
!
(
e
->
ip
.
flags
&
IPT_F_GOTO
))
{
if
(
table_base
+
v
!=
ipt_next_entry
(
e
)
&&
!
(
e
->
ip
.
flags
&
IPT_F_GOTO
))
{
/* Save old back ptr in next entry */
struct
ipt_entry
*
next
=
ipt_next_entry
(
e
);
next
->
comefrom
=
(
void
*
)
back
-
table_base
;
...
...
@@ -473,11 +473,11 @@ mark_source_chains(struct xt_table_info *newinfo,
e
->
comefrom
|=
((
1
<<
hook
)
|
(
1
<<
NF_INET_NUMHOOKS
));
/* Unconditional return/END. */
if
((
e
->
target_offset
==
sizeof
(
struct
ipt_entry
)
&&
(
strcmp
(
t
->
target
.
u
.
user
.
name
,
IPT_STANDARD_TARGET
)
==
0
)
&&
t
->
verdict
<
0
&&
unconditional
(
&
e
->
ip
))
||
visited
)
{
if
((
e
->
target_offset
==
sizeof
(
struct
ipt_entry
)
&&
(
strcmp
(
t
->
target
.
u
.
user
.
name
,
IPT_STANDARD_TARGET
)
==
0
)
&&
t
->
verdict
<
0
&&
unconditional
(
&
e
->
ip
))
||
visited
)
{
unsigned
int
oldpos
,
size
;
if
((
strcmp
(
t
->
target
.
u
.
user
.
name
,
...
...
@@ -524,8 +524,8 @@ mark_source_chains(struct xt_table_info *newinfo,
int
newpos
=
t
->
verdict
;
if
(
strcmp
(
t
->
target
.
u
.
user
.
name
,
IPT_STANDARD_TARGET
)
==
0
&&
newpos
>=
0
)
{
IPT_STANDARD_TARGET
)
==
0
&&
newpos
>=
0
)
{
if
(
newpos
>
newinfo
->
size
-
sizeof
(
struct
ipt_entry
))
{
duprintf
(
"mark_source_chains: "
...
...
@@ -735,8 +735,8 @@ check_entry_size_and_hooks(struct ipt_entry *e,
{
unsigned
int
h
;
if
((
unsigned
long
)
e
%
__alignof__
(
struct
ipt_entry
)
!=
0
||
(
unsigned
char
*
)
e
+
sizeof
(
struct
ipt_entry
)
>=
limit
)
{
if
((
unsigned
long
)
e
%
__alignof__
(
struct
ipt_entry
)
!=
0
||
(
unsigned
char
*
)
e
+
sizeof
(
struct
ipt_entry
)
>=
limit
)
{
duprintf
(
"Bad offset %p
\n
"
,
e
);
return
-
EINVAL
;
}
...
...
@@ -1548,8 +1548,8 @@ check_compat_entry_size_and_hooks(struct compat_ipt_entry *e,
int
ret
,
off
,
h
;
duprintf
(
"check_compat_entry_size_and_hooks %p
\n
"
,
e
);
if
((
unsigned
long
)
e
%
__alignof__
(
struct
compat_ipt_entry
)
!=
0
||
(
unsigned
char
*
)
e
+
sizeof
(
struct
compat_ipt_entry
)
>=
limit
)
{
if
((
unsigned
long
)
e
%
__alignof__
(
struct
compat_ipt_entry
)
!=
0
||
(
unsigned
char
*
)
e
+
sizeof
(
struct
compat_ipt_entry
)
>=
limit
)
{
duprintf
(
"Bad offset %p, limit = %p
\n
"
,
e
,
limit
);
return
-
EINVAL
;
}
...
...
net/ipv4/netfilter/ipt_CLUSTERIP.c
View file @
424eff97
...
...
@@ -303,9 +303,9 @@ clusterip_tg(struct sk_buff *skb, const struct xt_target_param *par)
/* special case: ICMP error handling. conntrack distinguishes between
* error messages (RELATED) and information requests (see below) */
if
(
ip_hdr
(
skb
)
->
protocol
==
IPPROTO_ICMP
&&
(
ctinfo
==
IP_CT_RELATED
||
ctinfo
==
IP_CT_RELATED
+
IP_CT_IS_REPLY
))
if
(
ip_hdr
(
skb
)
->
protocol
==
IPPROTO_ICMP
&&
(
ctinfo
==
IP_CT_RELATED
||
ctinfo
==
IP_CT_RELATED
+
IP_CT_IS_REPLY
))
return
XT_CONTINUE
;
/* ip_conntrack_icmp guarantees us that we only have ICMP_ECHO,
...
...
@@ -362,8 +362,8 @@ static bool clusterip_tg_check(const struct xt_tgchk_param *par)
return
false
;
}
if
(
e
->
ip
.
dmsk
.
s_addr
!=
htonl
(
0xffffffff
)
||
e
->
ip
.
dst
.
s_addr
==
0
)
{
if
(
e
->
ip
.
dmsk
.
s_addr
!=
htonl
(
0xffffffff
)
||
e
->
ip
.
dst
.
s_addr
==
0
)
{
printk
(
KERN_ERR
"CLUSTERIP: Please specify destination IP
\n
"
);
return
false
;
}
...
...
@@ -495,14 +495,14 @@ arp_mangle(unsigned int hook,
struct
clusterip_config
*
c
;
/* we don't care about non-ethernet and non-ipv4 ARP */
if
(
arp
->
ar_hrd
!=
htons
(
ARPHRD_ETHER
)
||
arp
->
ar_pro
!=
htons
(
ETH_P_IP
)
||
arp
->
ar_pln
!=
4
||
arp
->
ar_hln
!=
ETH_ALEN
)
if
(
arp
->
ar_hrd
!=
htons
(
ARPHRD_ETHER
)
||
arp
->
ar_pro
!=
htons
(
ETH_P_IP
)
||
arp
->
ar_pln
!=
4
||
arp
->
ar_hln
!=
ETH_ALEN
)
return
NF_ACCEPT
;
/* we only want to mangle arp requests and replies */
if
(
arp
->
ar_op
!=
htons
(
ARPOP_REPLY
)
&&
arp
->
ar_op
!=
htons
(
ARPOP_REQUEST
))
if
(
arp
->
ar_op
!=
htons
(
ARPOP_REPLY
)
&&
arp
->
ar_op
!=
htons
(
ARPOP_REQUEST
))
return
NF_ACCEPT
;
payload
=
(
void
*
)(
arp
+
1
);
...
...
net/ipv4/netfilter/ipt_ECN.c
View file @
424eff97
...
...
@@ -85,8 +85,8 @@ ecn_tg(struct sk_buff *skb, const struct xt_target_param *par)
if
(
!
set_ect_ip
(
skb
,
einfo
))
return
NF_DROP
;
if
(
einfo
->
operation
&
(
IPT_ECN_OP_SET_ECE
|
IPT_ECN_OP_SET_CWR
)
&&
ip_hdr
(
skb
)
->
protocol
==
IPPROTO_TCP
)
if
(
einfo
->
operation
&
(
IPT_ECN_OP_SET_ECE
|
IPT_ECN_OP_SET_CWR
)
&&
ip_hdr
(
skb
)
->
protocol
==
IPPROTO_TCP
)
if
(
!
set_ect_tcp
(
skb
,
einfo
))
return
NF_DROP
;
...
...
@@ -108,8 +108,8 @@ static bool ecn_tg_check(const struct xt_tgchk_param *par)
einfo
->
ip_ect
);
return
false
;
}
if
((
einfo
->
operation
&
(
IPT_ECN_OP_SET_ECE
|
IPT_ECN_OP_SET_CWR
))
&&
(
e
->
ip
.
proto
!=
IPPROTO_TCP
||
(
e
->
ip
.
invflags
&
XT_INV_PROTO
)))
{
if
((
einfo
->
operation
&
(
IPT_ECN_OP_SET_ECE
|
IPT_ECN_OP_SET_CWR
))
&&
(
e
->
ip
.
proto
!=
IPPROTO_TCP
||
(
e
->
ip
.
invflags
&
XT_INV_PROTO
)))
{
printk
(
KERN_WARNING
"ECN: cannot use TCP operations on a "
"non-tcp rule
\n
"
);
return
false
;
...
...
net/ipv4/netfilter/ipt_LOG.c
View file @
424eff97
...
...
@@ -74,8 +74,8 @@ static void dump_packet(const struct nf_loginfo *info,
if
(
ntohs
(
ih
->
frag_off
)
&
IP_OFFSET
)
printk
(
"FRAG:%u "
,
ntohs
(
ih
->
frag_off
)
&
IP_OFFSET
);
if
((
logflags
&
IPT_LOG_IPOPT
)
&&
ih
->
ihl
*
4
>
sizeof
(
struct
iphdr
))
{
if
((
logflags
&
IPT_LOG_IPOPT
)
&&
ih
->
ihl
*
4
>
sizeof
(
struct
iphdr
))
{
const
unsigned
char
*
op
;
unsigned
char
_opt
[
4
*
15
-
sizeof
(
struct
iphdr
)];
unsigned
int
i
,
optsize
;
...
...
@@ -146,8 +146,8 @@ static void dump_packet(const struct nf_loginfo *info,
/* Max length: 11 "URGP=65535 " */
printk
(
"URGP=%u "
,
ntohs
(
th
->
urg_ptr
));
if
((
logflags
&
IPT_LOG_TCPOPT
)
&&
th
->
doff
*
4
>
sizeof
(
struct
tcphdr
))
{
if
((
logflags
&
IPT_LOG_TCPOPT
)
&&
th
->
doff
*
4
>
sizeof
(
struct
tcphdr
))
{
unsigned
char
_opt
[
4
*
15
-
sizeof
(
struct
tcphdr
)];
const
unsigned
char
*
op
;
unsigned
int
i
,
optsize
;
...
...
@@ -238,9 +238,9 @@ static void dump_packet(const struct nf_loginfo *info,
printk
(
"TYPE=%u CODE=%u "
,
ich
->
type
,
ich
->
code
);
/* Max length: 25 "INCOMPLETE [65535 bytes] " */
if
(
ich
->
type
<=
NR_ICMP_TYPES
&&
required_len
[
ich
->
type
]
&&
skb
->
len
-
iphoff
-
ih
->
ihl
*
4
<
required_len
[
ich
->
type
])
{
if
(
ich
->
type
<=
NR_ICMP_TYPES
&&
required_len
[
ich
->
type
]
&&
skb
->
len
-
iphoff
-
ih
->
ihl
*
4
<
required_len
[
ich
->
type
])
{
printk
(
"INCOMPLETE [%u bytes] "
,
skb
->
len
-
iphoff
-
ih
->
ihl
*
4
);
break
;
...
...
@@ -276,8 +276,8 @@ static void dump_packet(const struct nf_loginfo *info,
}
/* Max length: 10 "MTU=65535 " */
if
(
ich
->
type
==
ICMP_DEST_UNREACH
&&
ich
->
code
==
ICMP_FRAG_NEEDED
)
if
(
ich
->
type
==
ICMP_DEST_UNREACH
&&
ich
->
code
==
ICMP_FRAG_NEEDED
)
printk
(
"MTU=%u "
,
ntohs
(
ich
->
un
.
frag
.
mtu
));
}
break
;
...
...
@@ -407,8 +407,8 @@ ipt_log_packet(u_int8_t pf,
if
(
in
&&
!
out
)
{
/* MAC logging for input chain only. */
printk
(
"MAC="
);
if
(
skb
->
dev
&&
skb
->
dev
->
hard_header_len
&&
skb
->
mac_header
!=
skb
->
network_header
)
{
if
(
skb
->
dev
&&
skb
->
dev
->
hard_header_len
&&
skb
->
mac_header
!=
skb
->
network_header
)
{
int
i
;
const
unsigned
char
*
p
=
skb_mac_header
(
skb
);
for
(
i
=
0
;
i
<
skb
->
dev
->
hard_header_len
;
i
++
,
p
++
)
...
...
net/ipv4/netfilter/ipt_MASQUERADE.c
View file @
424eff97
...
...
@@ -59,8 +59,8 @@ masquerade_tg(struct sk_buff *skb, const struct xt_target_param *par)
ct
=
nf_ct_get
(
skb
,
&
ctinfo
);
nat
=
nfct_nat
(
ct
);
NF_CT_ASSERT
(
ct
&&
(
ctinfo
==
IP_CT_NEW
||
ctinfo
==
IP_CT_RELATED
||
ctinfo
==
IP_CT_RELATED
+
IP_CT_IS_REPLY
));
NF_CT_ASSERT
(
ct
&&
(
ctinfo
==
IP_CT_NEW
||
ctinfo
==
IP_CT_RELATED
||
ctinfo
==
IP_CT_RELATED
+
IP_CT_IS_REPLY
));
/* Source address is 0.0.0.0 - locally generated packet that is
* probably not supposed to be masqueraded.
...
...
net/ipv4/netfilter/ipt_REJECT.c
View file @
424eff97
...
...
@@ -184,8 +184,8 @@ static bool reject_tg_check(const struct xt_tgchk_param *par)
return
false
;
}
else
if
(
rejinfo
->
with
==
IPT_TCP_RESET
)
{
/* Must specify that it's a TCP packet */
if
(
e
->
ip
.
proto
!=
IPPROTO_TCP
||
(
e
->
ip
.
invflags
&
XT_INV_PROTO
))
{
if
(
e
->
ip
.
proto
!=
IPPROTO_TCP
||
(
e
->
ip
.
invflags
&
XT_INV_PROTO
))
{
printk
(
"ipt_REJECT: TCP_RESET invalid for non-tcp
\n
"
);
return
false
;
}
...
...
net/ipv4/netfilter/ipt_ULOG.c
View file @
424eff97
...
...
@@ -226,9 +226,9 @@ static void ipt_ulog_packet(unsigned int hooknum,
else
*
(
pm
->
prefix
)
=
'\0'
;
if
(
in
&&
in
->
hard_header_len
>
0
&&
skb
->
mac_header
!=
skb
->
network_header
&&
in
->
hard_header_len
<=
ULOG_MAC_LEN
)
{
if
(
in
&&
in
->
hard_header_len
>
0
&&
skb
->
mac_header
!=
skb
->
network_header
&&
in
->
hard_header_len
<=
ULOG_MAC_LEN
)
{
memcpy
(
pm
->
mac
,
skb_mac_header
(
skb
),
in
->
hard_header_len
);
pm
->
mac_len
=
in
->
hard_header_len
;
}
else
...
...
net/ipv4/netfilter/ipt_ecn.c
View file @
424eff97
...
...
@@ -96,8 +96,8 @@ static bool ecn_mt_check(const struct xt_mtchk_param *par)
if
(
info
->
invert
&
IPT_ECN_OP_MATCH_MASK
)
return
false
;
if
(
info
->
operation
&
(
IPT_ECN_OP_MATCH_ECE
|
IPT_ECN_OP_MATCH_CWR
)
&&
ip
->
proto
!=
IPPROTO_TCP
)
{
if
(
info
->
operation
&
(
IPT_ECN_OP_MATCH_ECE
|
IPT_ECN_OP_MATCH_CWR
)
&&
ip
->
proto
!=
IPPROTO_TCP
)
{
printk
(
KERN_WARNING
"ipt_ecn: can't match TCP bits in rule for"
" non-tcp packets
\n
"
);
return
false
;
...
...
net/ipv4/netfilter/iptable_mangle.c
View file @
424eff97
...
...
@@ -130,8 +130,8 @@ ipt_local_hook(unsigned int hook,
u_int32_t
mark
;
/* root is playing with raw sockets. */
if
(
skb
->
len
<
sizeof
(
struct
iphdr
)
||
ip_hdrlen
(
skb
)
<
sizeof
(
struct
iphdr
))
if
(
skb
->
len
<
sizeof
(
struct
iphdr
)
||
ip_hdrlen
(
skb
)
<
sizeof
(
struct
iphdr
))
return
NF_ACCEPT
;
/* Save things which could affect route */
...
...
net/ipv4/netfilter/iptable_security.c
View file @
424eff97
...
...
@@ -94,8 +94,8 @@ ipt_local_out_hook(unsigned int hook,
int
(
*
okfn
)(
struct
sk_buff
*
))
{
/* Somebody is playing with raw sockets. */
if
(
skb
->
len
<
sizeof
(
struct
iphdr
)
||
ip_hdrlen
(
skb
)
<
sizeof
(
struct
iphdr
))
if
(
skb
->
len
<
sizeof
(
struct
iphdr
)
||
ip_hdrlen
(
skb
)
<
sizeof
(
struct
iphdr
))
return
NF_ACCEPT
;
return
ipt_do_table
(
skb
,
hook
,
in
,
out
,
dev_net
(
out
)
->
ipv4
.
iptable_security
);
...
...
net/ipv4/netfilter/nf_conntrack_proto_icmp.c
View file @
424eff97
...
...
@@ -54,8 +54,8 @@ static const u_int8_t invmap[] = {
static
bool
icmp_invert_tuple
(
struct
nf_conntrack_tuple
*
tuple
,
const
struct
nf_conntrack_tuple
*
orig
)
{
if
(
orig
->
dst
.
u
.
icmp
.
type
>=
sizeof
(
invmap
)
||
!
invmap
[
orig
->
dst
.
u
.
icmp
.
type
])
if
(
orig
->
dst
.
u
.
icmp
.
type
>=
sizeof
(
invmap
)
||
!
invmap
[
orig
->
dst
.
u
.
icmp
.
type
])
return
false
;
tuple
->
src
.
u
.
icmp
.
id
=
orig
->
src
.
u
.
icmp
.
id
;
...
...
@@ -101,8 +101,8 @@ static bool icmp_new(struct nf_conn *ct, const struct sk_buff *skb,
[
ICMP_ADDRESS
]
=
1
};
if
(
ct
->
tuplehash
[
0
].
tuple
.
dst
.
u
.
icmp
.
type
>=
sizeof
(
valid_new
)
||
!
valid_new
[
ct
->
tuplehash
[
0
].
tuple
.
dst
.
u
.
icmp
.
type
])
{
if
(
ct
->
tuplehash
[
0
].
tuple
.
dst
.
u
.
icmp
.
type
>=
sizeof
(
valid_new
)
||
!
valid_new
[
ct
->
tuplehash
[
0
].
tuple
.
dst
.
u
.
icmp
.
type
])
{
/* Can't create a new ICMP `conn' with this. */
pr_debug
(
"icmp: can't create new conn with type %u
\n
"
,
ct
->
tuplehash
[
0
].
tuple
.
dst
.
u
.
icmp
.
type
);
...
...
@@ -201,11 +201,11 @@ icmp_error(struct net *net, struct sk_buff *skb, unsigned int dataoff,
}
/* Need to track icmp error message? */
if
(
icmph
->
type
!=
ICMP_DEST_UNREACH
&&
icmph
->
type
!=
ICMP_SOURCE_QUENCH
&&
icmph
->
type
!=
ICMP_TIME_EXCEEDED
&&
icmph
->
type
!=
ICMP_PARAMETERPROB
&&
icmph
->
type
!=
ICMP_REDIRECT
)
if
(
icmph
->
type
!=
ICMP_DEST_UNREACH
&&
icmph
->
type
!=
ICMP_SOURCE_QUENCH
&&
icmph
->
type
!=
ICMP_TIME_EXCEEDED
&&
icmph
->
type
!=
ICMP_PARAMETERPROB
&&
icmph
->
type
!=
ICMP_REDIRECT
)
return
NF_ACCEPT
;
return
icmp_error_message
(
net
,
skb
,
ctinfo
,
hooknum
);
...
...
@@ -238,17 +238,17 @@ static const struct nla_policy icmp_nla_policy[CTA_PROTO_MAX+1] = {
static
int
icmp_nlattr_to_tuple
(
struct
nlattr
*
tb
[],
struct
nf_conntrack_tuple
*
tuple
)
{
if
(
!
tb
[
CTA_PROTO_ICMP_TYPE
]
||
!
tb
[
CTA_PROTO_ICMP_CODE
]
||
!
tb
[
CTA_PROTO_ICMP_ID
])
if
(
!
tb
[
CTA_PROTO_ICMP_TYPE
]
||
!
tb
[
CTA_PROTO_ICMP_CODE
]
||
!
tb
[
CTA_PROTO_ICMP_ID
])
return
-
EINVAL
;
tuple
->
dst
.
u
.
icmp
.
type
=
nla_get_u8
(
tb
[
CTA_PROTO_ICMP_TYPE
]);
tuple
->
dst
.
u
.
icmp
.
code
=
nla_get_u8
(
tb
[
CTA_PROTO_ICMP_CODE
]);
tuple
->
src
.
u
.
icmp
.
id
=
nla_get_be16
(
tb
[
CTA_PROTO_ICMP_ID
]);
if
(
tuple
->
dst
.
u
.
icmp
.
type
>=
sizeof
(
invmap
)
||
!
invmap
[
tuple
->
dst
.
u
.
icmp
.
type
])
if
(
tuple
->
dst
.
u
.
icmp
.
type
>=
sizeof
(
invmap
)
||
!
invmap
[
tuple
->
dst
.
u
.
icmp
.
type
])
return
-
EINVAL
;
return
0
;
...
...
net/ipv4/netfilter/nf_nat_helper.c
View file @
424eff97
...
...
@@ -41,18 +41,14 @@ adjust_tcp_sequence(u32 seq,
struct
nf_conn
*
ct
,
enum
ip_conntrack_info
ctinfo
)
{
int
dir
;
struct
nf_nat_seq
*
this_way
,
*
other_way
;
enum
ip_conntrack_dir
dir
=
CTINFO2DIR
(
ctinfo
);
struct
nf_conn_nat
*
nat
=
nfct_nat
(
ct
);
struct
nf_nat_seq
*
this_way
=
&
nat
->
seq
[
dir
];
pr_debug
(
"adjust_tcp_sequence: seq = %u, sizediff = %d
\n
"
,
seq
,
seq
);
dir
=
CTINFO2DIR
(
ctinfo
);
this_way
=
&
nat
->
seq
[
dir
];
other_way
=
&
nat
->
seq
[
!
dir
];
pr_debug
(
"adjust_tcp_sequence: seq = %u, sizediff = %d
\n
"
,
seq
,
sizediff
);
pr_debug
(
"
nf_nat_resize_packet
: Seq_offset before: "
);
pr_debug
(
"
adjust_tcp_sequence
: Seq_offset before: "
);
DUMP_OFFSET
(
this_way
);
spin_lock_bh
(
&
nf_nat_seqofs_lock
);
...
...
@@ -63,13 +59,13 @@ adjust_tcp_sequence(u32 seq,
* retransmit */
if
(
this_way
->
offset_before
==
this_way
->
offset_after
||
before
(
this_way
->
correction_pos
,
seq
))
{
this_way
->
correction_pos
=
seq
;
this_way
->
offset_before
=
this_way
->
offset_after
;
this_way
->
offset_after
+=
sizediff
;
this_way
->
correction_pos
=
seq
;
this_way
->
offset_before
=
this_way
->
offset_after
;
this_way
->
offset_after
+=
sizediff
;
}
spin_unlock_bh
(
&
nf_nat_seqofs_lock
);
pr_debug
(
"
nf_nat_resize_packet
: Seq_offset after: "
);
pr_debug
(
"
adjust_tcp_sequence
: Seq_offset after: "
);
DUMP_OFFSET
(
this_way
);
}
...
...
net/ipv4/netfilter/nf_nat_standalone.c
View file @
424eff97
...
...
@@ -197,11 +197,11 @@ nf_nat_out(unsigned int hooknum,
(
ct
=
nf_ct_get
(
skb
,
&
ctinfo
))
!=
NULL
)
{
enum
ip_conntrack_dir
dir
=
CTINFO2DIR
(
ctinfo
);
if
(
ct
->
tuplehash
[
dir
].
tuple
.
src
.
u3
.
ip
!=
ct
->
tuplehash
[
!
dir
].
tuple
.
dst
.
u3
.
ip
||
ct
->
tuplehash
[
dir
].
tuple
.
src
.
u
.
all
!=
ct
->
tuplehash
[
!
dir
].
tuple
.
dst
.
u
.
all
)
if
(
(
ct
->
tuplehash
[
dir
].
tuple
.
src
.
u3
.
ip
!=
ct
->
tuplehash
[
!
dir
].
tuple
.
dst
.
u3
.
ip
)
||
(
ct
->
tuplehash
[
dir
].
tuple
.
src
.
u
.
all
!=
ct
->
tuplehash
[
!
dir
].
tuple
.
dst
.
u
.
all
)
)
return
ip_xfrm_me_harder
(
skb
)
==
0
?
ret
:
NF_DROP
;
}
#endif
...
...
net/ipv6/netfilter/ip6_queue.c
View file @
424eff97
...
...
@@ -499,8 +499,7 @@ ipq_rcv_nl_event(struct notifier_block *this,
{
struct
netlink_notify
*
n
=
ptr
;
if
(
event
==
NETLINK_URELEASE
&&
n
->
protocol
==
NETLINK_IP6_FW
&&
n
->
pid
)
{
if
(
event
==
NETLINK_URELEASE
&&
n
->
protocol
==
NETLINK_IP6_FW
)
{
write_lock_bh
(
&
queue_lock
);
if
((
net_eq
(
n
->
net
,
&
init_net
))
&&
(
n
->
pid
==
peer_pid
))
__ipq_reset
();
...
...
@@ -625,7 +624,7 @@ cleanup_ipqnl: __maybe_unused
static
void
__exit
ip6_queue_fini
(
void
)
{
nf_unregister_queue_handlers
(
&
nfqh
);
synchronize_net
();
ipq_flush
(
NULL
,
0
);
#ifdef CONFIG_SYSCTL
...
...
net/ipv6/netfilter/ip6_tables.c
View file @
424eff97
...
...
@@ -105,9 +105,9 @@ ip6_packet_match(const struct sk_buff *skb,
#define FWINV(bool, invflg) ((bool) ^ !!(ip6info->invflags & (invflg)))
if
(
FWINV
(
ipv6_masked_addr_cmp
(
&
ipv6
->
saddr
,
&
ip6info
->
smsk
,
&
ip6info
->
src
),
IP6T_INV_SRCIP
)
||
FWINV
(
ipv6_masked_addr_cmp
(
&
ipv6
->
daddr
,
&
ip6info
->
dmsk
,
&
ip6info
->
dst
),
IP6T_INV_DSTIP
))
{
&
ip6info
->
src
),
IP6T_INV_SRCIP
)
||
FWINV
(
ipv6_masked_addr_cmp
(
&
ipv6
->
daddr
,
&
ip6info
->
dmsk
,
&
ip6info
->
dst
),
IP6T_INV_DSTIP
))
{
dprintf
(
"Source or dest mismatch.
\n
"
);
/*
dprintf("SRC: %u. Mask: %u. Target: %u.%s\n", ip->saddr,
...
...
@@ -277,11 +277,11 @@ get_chainname_rulenum(struct ip6t_entry *s, struct ip6t_entry *e,
}
else
if
(
s
==
e
)
{
(
*
rulenum
)
++
;
if
(
s
->
target_offset
==
sizeof
(
struct
ip6t_entry
)
&&
strcmp
(
t
->
target
.
u
.
kernel
.
target
->
name
,
IP6T_STANDARD_TARGET
)
==
0
&&
t
->
verdict
<
0
&&
unconditional
(
&
s
->
ipv6
))
{
if
(
s
->
target_offset
==
sizeof
(
struct
ip6t_entry
)
&&
strcmp
(
t
->
target
.
u
.
kernel
.
target
->
name
,
IP6T_STANDARD_TARGET
)
==
0
&&
t
->
verdict
<
0
&&
unconditional
(
&
s
->
ipv6
))
{
/* Tail of chains: STANDARD target (return/policy) */
*
comment
=
*
chainname
==
hookname
?
comments
[
NF_IP6_TRACE_COMMENT_POLICY
]
...
...
@@ -418,8 +418,8 @@ ip6t_do_table(struct sk_buff *skb,
back
=
get_entry
(
table_base
,
back
->
comefrom
);
continue
;
}
if
(
table_base
+
v
!=
ip6t_next_entry
(
e
)
&&
!
(
e
->
ipv6
.
flags
&
IP6T_F_GOTO
))
{
if
(
table_base
+
v
!=
ip6t_next_entry
(
e
)
&&
!
(
e
->
ipv6
.
flags
&
IP6T_F_GOTO
))
{
/* Save old back ptr in next entry */
struct
ip6t_entry
*
next
=
ip6t_next_entry
(
e
);
next
->
comefrom
=
(
void
*
)
back
-
table_base
;
...
...
@@ -505,11 +505,11 @@ mark_source_chains(struct xt_table_info *newinfo,
e
->
comefrom
|=
((
1
<<
hook
)
|
(
1
<<
NF_INET_NUMHOOKS
));
/* Unconditional return/END. */
if
((
e
->
target_offset
==
sizeof
(
struct
ip6t_entry
)
&&
(
strcmp
(
t
->
target
.
u
.
user
.
name
,
IP6T_STANDARD_TARGET
)
==
0
)
&&
t
->
verdict
<
0
&&
unconditional
(
&
e
->
ipv6
))
||
visited
)
{
if
((
e
->
target_offset
==
sizeof
(
struct
ip6t_entry
)
&&
(
strcmp
(
t
->
target
.
u
.
user
.
name
,
IP6T_STANDARD_TARGET
)
==
0
)
&&
t
->
verdict
<
0
&&
unconditional
(
&
e
->
ipv6
))
||
visited
)
{
unsigned
int
oldpos
,
size
;
if
((
strcmp
(
t
->
target
.
u
.
user
.
name
,
...
...
@@ -556,8 +556,8 @@ mark_source_chains(struct xt_table_info *newinfo,
int
newpos
=
t
->
verdict
;
if
(
strcmp
(
t
->
target
.
u
.
user
.
name
,
IP6T_STANDARD_TARGET
)
==
0
&&
newpos
>=
0
)
{
IP6T_STANDARD_TARGET
)
==
0
&&
newpos
>=
0
)
{
if
(
newpos
>
newinfo
->
size
-
sizeof
(
struct
ip6t_entry
))
{
duprintf
(
"mark_source_chains: "
...
...
@@ -767,8 +767,8 @@ check_entry_size_and_hooks(struct ip6t_entry *e,
{
unsigned
int
h
;
if
((
unsigned
long
)
e
%
__alignof__
(
struct
ip6t_entry
)
!=
0
||
(
unsigned
char
*
)
e
+
sizeof
(
struct
ip6t_entry
)
>=
limit
)
{
if
((
unsigned
long
)
e
%
__alignof__
(
struct
ip6t_entry
)
!=
0
||
(
unsigned
char
*
)
e
+
sizeof
(
struct
ip6t_entry
)
>=
limit
)
{
duprintf
(
"Bad offset %p
\n
"
,
e
);
return
-
EINVAL
;
}
...
...
@@ -1584,8 +1584,8 @@ check_compat_entry_size_and_hooks(struct compat_ip6t_entry *e,
int
ret
,
off
,
h
;
duprintf
(
"check_compat_entry_size_and_hooks %p
\n
"
,
e
);
if
((
unsigned
long
)
e
%
__alignof__
(
struct
compat_ip6t_entry
)
!=
0
||
(
unsigned
char
*
)
e
+
sizeof
(
struct
compat_ip6t_entry
)
>=
limit
)
{
if
((
unsigned
long
)
e
%
__alignof__
(
struct
compat_ip6t_entry
)
!=
0
||
(
unsigned
char
*
)
e
+
sizeof
(
struct
compat_ip6t_entry
)
>=
limit
)
{
duprintf
(
"Bad offset %p, limit = %p
\n
"
,
e
,
limit
);
return
-
EINVAL
;
}
...
...
net/ipv6/netfilter/ip6t_LOG.c
View file @
424eff97
...
...
@@ -249,8 +249,8 @@ static void dump_packet(const struct nf_loginfo *info,
/* Max length: 11 "URGP=65535 " */
printk
(
"URGP=%u "
,
ntohs
(
th
->
urg_ptr
));
if
((
logflags
&
IP6T_LOG_TCPOPT
)
&&
th
->
doff
*
4
>
sizeof
(
struct
tcphdr
))
{
if
((
logflags
&
IP6T_LOG_TCPOPT
)
&&
th
->
doff
*
4
>
sizeof
(
struct
tcphdr
))
{
u_int8_t
_opt
[
60
-
sizeof
(
struct
tcphdr
)];
const
u_int8_t
*
op
;
unsigned
int
i
;
...
...
net/ipv6/netfilter/ip6t_REJECT.c
View file @
424eff97
...
...
@@ -223,8 +223,8 @@ static bool reject_tg6_check(const struct xt_tgchk_param *par)
return
false
;
}
else
if
(
rejinfo
->
with
==
IP6T_TCP_RESET
)
{
/* Must specify that it's a TCP packet */
if
(
e
->
ipv6
.
proto
!=
IPPROTO_TCP
||
(
e
->
ipv6
.
invflags
&
XT_INV_PROTO
))
{
if
(
e
->
ipv6
.
proto
!=
IPPROTO_TCP
||
(
e
->
ipv6
.
invflags
&
XT_INV_PROTO
))
{
printk
(
"ip6t_REJECT: TCP_RESET illegal for non-tcp
\n
"
);
return
false
;
}
...
...
net/ipv6/netfilter/ip6t_ah.c
View file @
424eff97
...
...
@@ -77,17 +77,14 @@ static bool ah_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
ahinfo
->
hdrres
,
ah
->
reserved
,
!
(
ahinfo
->
hdrres
&&
ah
->
reserved
));
return
(
ah
!=
NULL
)
&&
spi_match
(
ahinfo
->
spis
[
0
],
ahinfo
->
spis
[
1
],
ntohl
(
ah
->
spi
),
!!
(
ahinfo
->
invflags
&
IP6T_AH_INV_SPI
))
&&
(
!
ahinfo
->
hdrlen
||
(
ahinfo
->
hdrlen
==
hdrlen
)
^
!!
(
ahinfo
->
invflags
&
IP6T_AH_INV_LEN
))
&&
!
(
ahinfo
->
hdrres
&&
ah
->
reserved
);
return
(
ah
!=
NULL
)
&&
spi_match
(
ahinfo
->
spis
[
0
],
ahinfo
->
spis
[
1
],
ntohl
(
ah
->
spi
),
!!
(
ahinfo
->
invflags
&
IP6T_AH_INV_SPI
))
&&
(
!
ahinfo
->
hdrlen
||
(
ahinfo
->
hdrlen
==
hdrlen
)
^
!!
(
ahinfo
->
invflags
&
IP6T_AH_INV_LEN
))
&&
!
(
ahinfo
->
hdrres
&&
ah
->
reserved
);
}
static
bool
ah_mt6_check
(
const
struct
xt_mtchk_param
*
par
)
...
...
net/ipv6/netfilter/ip6t_frag.c
View file @
424eff97
...
...
@@ -70,41 +70,36 @@ frag_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
pr_debug
(
"res %02X %02X%04X %02X "
,
fraginfo
->
flags
&
IP6T_FRAG_RES
,
fh
->
reserved
,
ntohs
(
fh
->
frag_off
)
&
0x6
,
!
((
fraginfo
->
flags
&
IP6T_FRAG_RES
)
&&
(
fh
->
reserved
||
(
ntohs
(
fh
->
frag_off
)
&
0x06
))));
!
((
fraginfo
->
flags
&
IP6T_FRAG_RES
)
&&
(
fh
->
reserved
||
(
ntohs
(
fh
->
frag_off
)
&
0x06
))));
pr_debug
(
"first %02X %02X %02X "
,
fraginfo
->
flags
&
IP6T_FRAG_FST
,
ntohs
(
fh
->
frag_off
)
&
~
0x7
,
!
((
fraginfo
->
flags
&
IP6T_FRAG_FST
)
&&
(
ntohs
(
fh
->
frag_off
)
&
~
0x7
)));
!
((
fraginfo
->
flags
&
IP6T_FRAG_FST
)
&&
(
ntohs
(
fh
->
frag_off
)
&
~
0x7
)));
pr_debug
(
"mf %02X %02X %02X "
,
fraginfo
->
flags
&
IP6T_FRAG_MF
,
ntohs
(
fh
->
frag_off
)
&
IP6_MF
,
!
((
fraginfo
->
flags
&
IP6T_FRAG_MF
)
&&
!
((
ntohs
(
fh
->
frag_off
)
&
IP6_MF
))));
!
((
fraginfo
->
flags
&
IP6T_FRAG_MF
)
&&
!
((
ntohs
(
fh
->
frag_off
)
&
IP6_MF
))));
pr_debug
(
"last %02X %02X %02X
\n
"
,
fraginfo
->
flags
&
IP6T_FRAG_NMF
,
ntohs
(
fh
->
frag_off
)
&
IP6_MF
,
!
((
fraginfo
->
flags
&
IP6T_FRAG_NMF
)
&&
(
ntohs
(
fh
->
frag_off
)
&
IP6_MF
)));
return
(
fh
!=
NULL
)
&&
id_match
(
fraginfo
->
ids
[
0
],
fraginfo
->
ids
[
1
],
ntohl
(
fh
->
identification
),
!!
(
fraginfo
->
invflags
&
IP6T_FRAG_INV_IDS
))
&&
!
((
fraginfo
->
flags
&
IP6T_FRAG_RES
)
&&
(
fh
->
reserved
||
(
ntohs
(
fh
->
frag_off
)
&
0x6
)))
&&
!
((
fraginfo
->
flags
&
IP6T_FRAG_FST
)
&&
(
ntohs
(
fh
->
frag_off
)
&
~
0x7
))
&&
!
((
fraginfo
->
flags
&
IP6T_FRAG_MF
)
&&
!
(
ntohs
(
fh
->
frag_off
)
&
IP6_MF
))
&&
!
((
fraginfo
->
flags
&
IP6T_FRAG_NMF
)
&&
(
ntohs
(
fh
->
frag_off
)
&
IP6_MF
));
!
((
fraginfo
->
flags
&
IP6T_FRAG_NMF
)
&&
(
ntohs
(
fh
->
frag_off
)
&
IP6_MF
)));
return
(
fh
!=
NULL
)
&&
id_match
(
fraginfo
->
ids
[
0
],
fraginfo
->
ids
[
1
],
ntohl
(
fh
->
identification
),
!!
(
fraginfo
->
invflags
&
IP6T_FRAG_INV_IDS
))
&&
!
((
fraginfo
->
flags
&
IP6T_FRAG_RES
)
&&
(
fh
->
reserved
||
(
ntohs
(
fh
->
frag_off
)
&
0x6
)))
&&
!
((
fraginfo
->
flags
&
IP6T_FRAG_FST
)
&&
(
ntohs
(
fh
->
frag_off
)
&
~
0x7
))
&&
!
((
fraginfo
->
flags
&
IP6T_FRAG_MF
)
&&
!
(
ntohs
(
fh
->
frag_off
)
&
IP6_MF
))
&&
!
((
fraginfo
->
flags
&
IP6T_FRAG_NMF
)
&&
(
ntohs
(
fh
->
frag_off
)
&
IP6_MF
));
}
static
bool
frag_mt6_check
(
const
struct
xt_mtchk_param
*
par
)
...
...
net/ipv6/netfilter/ip6t_rt.c
View file @
424eff97
...
...
@@ -92,16 +92,13 @@ static bool rt_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
!
((
rtinfo
->
flags
&
IP6T_RT_RES
)
&&
(((
const
struct
rt0_hdr
*
)
rh
)
->
reserved
)));
ret
=
(
rh
!=
NULL
)
&&
ret
=
(
rh
!=
NULL
)
&&
(
segsleft_match
(
rtinfo
->
segsleft
[
0
],
rtinfo
->
segsleft
[
1
],
rh
->
segments_left
,
!!
(
rtinfo
->
invflags
&
IP6T_RT_INV_SGS
)))
&&
!!
(
rtinfo
->
invflags
&
IP6T_RT_INV_SGS
)))
&&
(
!
(
rtinfo
->
flags
&
IP6T_RT_LEN
)
||
((
rtinfo
->
hdrlen
==
hdrlen
)
^
!!
(
rtinfo
->
invflags
&
IP6T_RT_INV_LEN
)))
&&
!!
(
rtinfo
->
invflags
&
IP6T_RT_INV_LEN
)))
&&
(
!
(
rtinfo
->
flags
&
IP6T_RT_TYP
)
||
((
rtinfo
->
rt_type
==
rh
->
type
)
^
!!
(
rtinfo
->
invflags
&
IP6T_RT_INV_TYP
)));
...
...
net/ipv6/netfilter/ip6table_filter.c
View file @
424eff97
...
...
@@ -79,8 +79,8 @@ ip6t_local_out_hook(unsigned int hook,
{
#if 0
/* root is playing with raw sockets. */
if (skb->len < sizeof(struct iphdr)
||
ip_hdrlen(skb) < sizeof(struct iphdr)) {
if (skb->len < sizeof(struct iphdr)
||
ip_hdrlen(skb) < sizeof(struct iphdr)) {
if (net_ratelimit())
printk("ip6t_hook: happy cracking.\n");
return NF_ACCEPT;
...
...
net/ipv6/netfilter/ip6table_mangle.c
View file @
424eff97
...
...
@@ -102,8 +102,8 @@ ip6t_local_out_hook(unsigned int hook,
#if 0
/* root is playing with raw sockets. */
if (skb->len < sizeof(struct iphdr)
||
ip_hdrlen(skb) < sizeof(struct iphdr)) {
if (skb->len < sizeof(struct iphdr)
||
ip_hdrlen(skb) < sizeof(struct iphdr)) {
if (net_ratelimit())
printk("ip6t_hook: happy cracking.\n");
return NF_ACCEPT;
...
...
@@ -122,11 +122,11 @@ ip6t_local_out_hook(unsigned int hook,
ret
=
ip6t_do_table
(
skb
,
hook
,
in
,
out
,
dev_net
(
out
)
->
ipv6
.
ip6table_mangle
);
if
(
ret
!=
NF_DROP
&&
ret
!=
NF_STOLEN
&&
(
memcmp
(
&
ipv6_hdr
(
skb
)
->
saddr
,
&
saddr
,
sizeof
(
saddr
))
||
memcmp
(
&
ipv6_hdr
(
skb
)
->
daddr
,
&
daddr
,
sizeof
(
daddr
))
||
skb
->
mark
!=
mark
||
ipv6_hdr
(
skb
)
->
hop_limit
!=
hop_limit
))
if
(
ret
!=
NF_DROP
&&
ret
!=
NF_STOLEN
&&
(
memcmp
(
&
ipv6_hdr
(
skb
)
->
saddr
,
&
saddr
,
sizeof
(
saddr
))
||
memcmp
(
&
ipv6_hdr
(
skb
)
->
daddr
,
&
daddr
,
sizeof
(
daddr
))
||
skb
->
mark
!=
mark
||
ipv6_hdr
(
skb
)
->
hop_limit
!=
hop_limit
))
return
ip6_route_me_harder
(
skb
)
==
0
?
ret
:
NF_DROP
;
return
ret
;
...
...
net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
View file @
424eff97
...
...
@@ -244,18 +244,18 @@ static const struct nla_policy icmpv6_nla_policy[CTA_PROTO_MAX+1] = {
static
int
icmpv6_nlattr_to_tuple
(
struct
nlattr
*
tb
[],
struct
nf_conntrack_tuple
*
tuple
)
{
if
(
!
tb
[
CTA_PROTO_ICMPV6_TYPE
]
||
!
tb
[
CTA_PROTO_ICMPV6_CODE
]
||
!
tb
[
CTA_PROTO_ICMPV6_ID
])
if
(
!
tb
[
CTA_PROTO_ICMPV6_TYPE
]
||
!
tb
[
CTA_PROTO_ICMPV6_CODE
]
||
!
tb
[
CTA_PROTO_ICMPV6_ID
])
return
-
EINVAL
;
tuple
->
dst
.
u
.
icmp
.
type
=
nla_get_u8
(
tb
[
CTA_PROTO_ICMPV6_TYPE
]);
tuple
->
dst
.
u
.
icmp
.
code
=
nla_get_u8
(
tb
[
CTA_PROTO_ICMPV6_CODE
]);
tuple
->
src
.
u
.
icmp
.
id
=
nla_get_be16
(
tb
[
CTA_PROTO_ICMPV6_ID
]);
if
(
tuple
->
dst
.
u
.
icmp
.
type
<
128
||
tuple
->
dst
.
u
.
icmp
.
type
-
128
>=
sizeof
(
invmap
)
||
!
invmap
[
tuple
->
dst
.
u
.
icmp
.
type
-
128
])
if
(
tuple
->
dst
.
u
.
icmp
.
type
<
128
||
tuple
->
dst
.
u
.
icmp
.
type
-
128
>=
sizeof
(
invmap
)
||
!
invmap
[
tuple
->
dst
.
u
.
icmp
.
type
-
128
])
return
-
EINVAL
;
return
0
;
...
...
net/netfilter/nf_conntrack_core.c
View file @
424eff97
...
...
@@ -512,11 +512,17 @@ static noinline int early_drop(struct net *net, unsigned int hash)
cnt
++
;
}
if
(
ct
&&
unlikely
(
nf_ct_is_dying
(
ct
)
||
!
atomic_inc_not_zero
(
&
ct
->
ct_general
.
use
)))
ct
=
NULL
;
if
(
ct
||
cnt
>=
NF_CT_EVICTION_RANGE
)
if
(
ct
!=
NULL
)
{
if
(
likely
(
!
nf_ct_is_dying
(
ct
)
&&
atomic_inc_not_zero
(
&
ct
->
ct_general
.
use
)))
break
;
else
ct
=
NULL
;
}
if
(
cnt
>=
NF_CT_EVICTION_RANGE
)
break
;
hash
=
(
hash
+
1
)
%
nf_conntrack_htable_size
;
}
rcu_read_unlock
();
...
...
net/netfilter/nf_conntrack_proto_tcp.c
View file @
424eff97
...
...
@@ -896,23 +896,54 @@ static int tcp_packet(struct nf_conn *ct,
/* b) This SYN/ACK acknowledges a SYN that we earlier
* ignored as invalid. This means that the client and
* the server are both in sync, while the firewall is
* not. We kill this session and block the SYN/ACK so
* that the client cannot but retransmit its SYN and
* thus initiate a clean new session.
* not. We get in sync from the previously annotated
* values.
*/
spin_unlock_bh
(
&
ct
->
lock
);
if
(
LOG_INVALID
(
net
,
IPPROTO_TCP
))
nf_log_packet
(
pf
,
0
,
skb
,
NULL
,
NULL
,
NULL
,
"nf_ct_tcp: killing out of sync session "
);
nf_ct_kill
(
ct
);
return
NF_DROP
;
old_state
=
TCP_CONNTRACK_SYN_SENT
;
new_state
=
TCP_CONNTRACK_SYN_RECV
;
ct
->
proto
.
tcp
.
seen
[
ct
->
proto
.
tcp
.
last_dir
].
td_end
=
ct
->
proto
.
tcp
.
last_end
;
ct
->
proto
.
tcp
.
seen
[
ct
->
proto
.
tcp
.
last_dir
].
td_maxend
=
ct
->
proto
.
tcp
.
last_end
;
ct
->
proto
.
tcp
.
seen
[
ct
->
proto
.
tcp
.
last_dir
].
td_maxwin
=
ct
->
proto
.
tcp
.
last_win
==
0
?
1
:
ct
->
proto
.
tcp
.
last_win
;
ct
->
proto
.
tcp
.
seen
[
ct
->
proto
.
tcp
.
last_dir
].
td_scale
=
ct
->
proto
.
tcp
.
last_wscale
;
ct
->
proto
.
tcp
.
seen
[
ct
->
proto
.
tcp
.
last_dir
].
flags
=
ct
->
proto
.
tcp
.
last_flags
;
memset
(
&
ct
->
proto
.
tcp
.
seen
[
dir
],
0
,
sizeof
(
struct
ip_ct_tcp_state
));
break
;
}
ct
->
proto
.
tcp
.
last_index
=
index
;
ct
->
proto
.
tcp
.
last_dir
=
dir
;
ct
->
proto
.
tcp
.
last_seq
=
ntohl
(
th
->
seq
);
ct
->
proto
.
tcp
.
last_end
=
segment_seq_plus_len
(
ntohl
(
th
->
seq
),
skb
->
len
,
dataoff
,
th
);
ct
->
proto
.
tcp
.
last_win
=
ntohs
(
th
->
window
);
/* a) This is a SYN in ORIGINAL. The client and the server
* may be in sync but we are not. In that case, we annotate
* the TCP options and let the packet go through. If it is a
* valid SYN packet, the server will reply with a SYN/ACK, and
* then we'll get in sync. Otherwise, the server ignores it. */
if
(
index
==
TCP_SYN_SET
&&
dir
==
IP_CT_DIR_ORIGINAL
)
{
struct
ip_ct_tcp_state
seen
=
{};
ct
->
proto
.
tcp
.
last_flags
=
ct
->
proto
.
tcp
.
last_wscale
=
0
;
tcp_options
(
skb
,
dataoff
,
th
,
&
seen
);
if
(
seen
.
flags
&
IP_CT_TCP_FLAG_WINDOW_SCALE
)
{
ct
->
proto
.
tcp
.
last_flags
|=
IP_CT_TCP_FLAG_WINDOW_SCALE
;
ct
->
proto
.
tcp
.
last_wscale
=
seen
.
td_scale
;
}
if
(
seen
.
flags
&
IP_CT_TCP_FLAG_SACK_PERM
)
{
ct
->
proto
.
tcp
.
last_flags
|=
IP_CT_TCP_FLAG_SACK_PERM
;
}
}
spin_unlock_bh
(
&
ct
->
lock
);
if
(
LOG_INVALID
(
net
,
IPPROTO_TCP
))
nf_log_packet
(
pf
,
0
,
skb
,
NULL
,
NULL
,
NULL
,
...
...
net/netfilter/nfnetlink_log.c
View file @
424eff97
...
...
@@ -666,8 +666,7 @@ nfulnl_rcv_nl_event(struct notifier_block *this,
{
struct
netlink_notify
*
n
=
ptr
;
if
(
event
==
NETLINK_URELEASE
&&
n
->
protocol
==
NETLINK_NETFILTER
&&
n
->
pid
)
{
if
(
event
==
NETLINK_URELEASE
&&
n
->
protocol
==
NETLINK_NETFILTER
)
{
int
i
;
/* destroy all instances for this pid */
...
...
net/netfilter/nfnetlink_queue.c
View file @
424eff97
...
...
@@ -574,8 +574,7 @@ nfqnl_rcv_nl_event(struct notifier_block *this,
{
struct
netlink_notify
*
n
=
ptr
;
if
(
event
==
NETLINK_URELEASE
&&
n
->
protocol
==
NETLINK_NETFILTER
&&
n
->
pid
)
{
if
(
event
==
NETLINK_URELEASE
&&
n
->
protocol
==
NETLINK_NETFILTER
)
{
int
i
;
/* destroy all instances for this pid */
...
...
net/netfilter/xt_conntrack.c
View file @
424eff97
...
...
@@ -113,7 +113,8 @@ ct_proto_port_check(const struct xt_conntrack_mtinfo2 *info,
}
static
bool
conntrack_mt
(
const
struct
sk_buff
*
skb
,
const
struct
xt_match_param
*
par
)
conntrack_mt
(
const
struct
sk_buff
*
skb
,
const
struct
xt_match_param
*
par
,
u16
state_mask
,
u16
status_mask
)
{
const
struct
xt_conntrack_mtinfo2
*
info
=
par
->
matchinfo
;
enum
ip_conntrack_info
ctinfo
;
...
...
@@ -136,7 +137,7 @@ conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par)
if
(
test_bit
(
IPS_DST_NAT_BIT
,
&
ct
->
status
))
statebit
|=
XT_CONNTRACK_STATE_DNAT
;
}
if
(
!!
(
info
->
state_mask
&
statebit
)
^
if
(
!!
(
state_mask
&
statebit
)
^
!
(
info
->
invert_flags
&
XT_CONNTRACK_STATE
))
return
false
;
}
...
...
@@ -172,7 +173,7 @@ conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par)
return
false
;
if
((
info
->
match_flags
&
XT_CONNTRACK_STATUS
)
&&
(
!!
(
info
->
status_mask
&
ct
->
status
)
^
(
!!
(
status_mask
&
ct
->
status
)
^
!
(
info
->
invert_flags
&
XT_CONNTRACK_STATUS
)))
return
false
;
...
...
@@ -192,11 +193,17 @@ conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par)
static
bool
conntrack_mt_v1
(
const
struct
sk_buff
*
skb
,
const
struct
xt_match_param
*
par
)
{
const
struct
xt_conntrack_mtinfo2
*
const
*
info
=
par
->
matchinfo
;
struct
xt_match_param
newpar
=
*
par
;
const
struct
xt_conntrack_mtinfo1
*
info
=
par
->
matchinfo
;
newpar
.
matchinfo
=
*
info
;
return
conntrack_mt
(
skb
,
&
newpar
);
return
conntrack_mt
(
skb
,
par
,
info
->
state_mask
,
info
->
status_mask
);
}
static
bool
conntrack_mt_v2
(
const
struct
sk_buff
*
skb
,
const
struct
xt_match_param
*
par
)
{
const
struct
xt_conntrack_mtinfo2
*
info
=
par
->
matchinfo
;
return
conntrack_mt
(
skb
,
par
,
info
->
state_mask
,
info
->
status_mask
);
}
static
bool
conntrack_mt_check
(
const
struct
xt_mtchk_param
*
par
)
...
...
@@ -209,45 +216,11 @@ static bool conntrack_mt_check(const struct xt_mtchk_param *par)
return
true
;
}
static
bool
conntrack_mt_check_v1
(
const
struct
xt_mtchk_param
*
par
)
{
struct
xt_conntrack_mtinfo1
*
info
=
par
->
matchinfo
;
struct
xt_conntrack_mtinfo2
*
up
;
int
ret
=
conntrack_mt_check
(
par
);
if
(
ret
<
0
)
return
ret
;
up
=
kmalloc
(
sizeof
(
*
up
),
GFP_KERNEL
);
if
(
up
==
NULL
)
{
nf_ct_l3proto_module_put
(
par
->
family
);
return
-
ENOMEM
;
}
/*
* The strategy here is to minimize the overhead of v1 matching,
* by prebuilding a v2 struct and putting the pointer into the
* v1 dataspace.
*/
memcpy
(
up
,
info
,
offsetof
(
typeof
(
*
info
),
state_mask
));
up
->
state_mask
=
info
->
state_mask
;
up
->
status_mask
=
info
->
status_mask
;
*
(
void
**
)
info
=
up
;
return
true
;
}
static
void
conntrack_mt_destroy
(
const
struct
xt_mtdtor_param
*
par
)
{
nf_ct_l3proto_module_put
(
par
->
family
);
}
static
void
conntrack_mt_destroy_v1
(
const
struct
xt_mtdtor_param
*
par
)
{
struct
xt_conntrack_mtinfo2
**
info
=
par
->
matchinfo
;
kfree
(
*
info
);
conntrack_mt_destroy
(
par
);
}
static
struct
xt_match
conntrack_mt_reg
[]
__read_mostly
=
{
{
.
name
=
"conntrack"
,
...
...
@@ -255,8 +228,8 @@ static struct xt_match conntrack_mt_reg[] __read_mostly = {
.
family
=
NFPROTO_UNSPEC
,
.
matchsize
=
sizeof
(
struct
xt_conntrack_mtinfo1
),
.
match
=
conntrack_mt_v1
,
.
checkentry
=
conntrack_mt_check
_v1
,
.
destroy
=
conntrack_mt_destroy
_v1
,
.
checkentry
=
conntrack_mt_check
,
.
destroy
=
conntrack_mt_destroy
,
.
me
=
THIS_MODULE
,
},
{
...
...
@@ -264,7 +237,7 @@ static struct xt_match conntrack_mt_reg[] __read_mostly = {
.
revision
=
2
,
.
family
=
NFPROTO_UNSPEC
,
.
matchsize
=
sizeof
(
struct
xt_conntrack_mtinfo2
),
.
match
=
conntrack_mt
,
.
match
=
conntrack_mt
_v2
,
.
checkentry
=
conntrack_mt_check
,
.
destroy
=
conntrack_mt_destroy
,
.
me
=
THIS_MODULE
,
...
...
net/netfilter/xt_socket.c
View file @
424eff97
...
...
@@ -192,7 +192,8 @@ static struct xt_match socket_mt_reg[] __read_mostly = {
.
revision
=
0
,
.
family
=
NFPROTO_IPV4
,
.
match
=
socket_mt_v0
,
.
hooks
=
1
<<
NF_INET_PRE_ROUTING
,
.
hooks
=
(
1
<<
NF_INET_PRE_ROUTING
)
|
(
1
<<
NF_INET_LOCAL_IN
),
.
me
=
THIS_MODULE
,
},
{
...
...
@@ -201,7 +202,8 @@ static struct xt_match socket_mt_reg[] __read_mostly = {
.
family
=
NFPROTO_IPV4
,
.
match
=
socket_mt_v1
,
.
matchsize
=
sizeof
(
struct
xt_socket_mtinfo1
),
.
hooks
=
1
<<
NF_INET_PRE_ROUTING
,
.
hooks
=
(
1
<<
NF_INET_PRE_ROUTING
)
|
(
1
<<
NF_INET_LOCAL_IN
),
.
me
=
THIS_MODULE
,
},
};
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment