[NETFILTER]: prearation of removing skb_linearize()

This patch uses skb_header_pointer() so that packets can be parsed even though skb_linearize() doesn't exist. But this patch doesn't remove skb_linearize() yet. We can remove it after changing all match/target modules. Moreover ... - I deleted the optimization not to parse IPv6 extension header many time from previous patch. I'll send the patch to do this separately. - fixed the bug that "offset" argument of match functions are always 0. - deleted "hdr" and "datalen" argument and added "protoff" argument to match functions. "protoff" means the offset to Layer 4 protocol header. - the argument order of target function is changed likely IPv4 modules. This prevents user from meeting kernel panic when they use old match modules. - changed {tcp,udp,icmp6}_match(). These functions became very similar to codes in ip_tables.c again. Signed-off-by: Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp> Signed-off-by: Patrick McHardy <kaber@trash.net>

[NETFILTER]: prearation of removing skb_linearize()
This patch uses skb_header_pointer() so that packets can be parsed even though skb_linearize() doesn't exist. But this patch doesn't remove skb_linearize() yet. We can remove it after changing all match/target modules. Moreover ... - I deleted the optimization not to parse IPv6 extension header many time from previous patch. I'll send the patch to do this separately. - fixed the bug that "offset" argument of match functions are always 0. - deleted "hdr" and "datalen" argument and added "protoff" argument to match functions. "protoff" means the offset to Layer 4 protocol header. - the argument order of target function is changed likely IPv4 modules. This prevents user from meeting kernel panic when they use old match modules. - changed {tcp,udp,icmp6}_match(). These functions became very similar to codes in ip_tables.c again. Signed-off-by: Yasuyuki KOZAKAI <yasuyuki.kozakai@toshiba.co.jp> Signed-off-by: Patrick McHardy <kaber@trash.net>
5c1ee973 · Yasuyuki Kozakai · Patrick McHardy · 9e3466b3 · 5c1ee973 · 5c1ee973
Commit 5c1ee973 authored Oct 19, 2004 by Yasuyuki Kozakai Committed by Patrick McHardy Oct 19, 2004
19 changed files
--- a/include/linux/netfilter_ipv6/ip6_tables.h
+++ b/include/linux/netfilter_ipv6/ip6_tables.h
@@ -355,13 +355,15 @@ struct ip6t_match

 	/* Return true or false: return FALSE and set *hotdrop = 1 to
           force immediate packet drop. */
+	/* Arguments changed since 2.6.9, as this must now handle
+	   non-linear skb, using skb_header_pointer and
+	   skb_ip_make_writable. */
 	int (*match)(const struct sk_buff *skb,
 		     const struct net_device *in,
 		     const struct net_device *out,
 		     const void *matchinfo,
 		     int offset,
-		     const void *hdr,
-		     u_int16_t datalen,
+		     unsigned int protoff,
 		     int *hotdrop);

 	/* Called when user tries to insert an entry of this type. */
@@ -386,11 +388,13 @@ struct ip6t_target

 	const char name[IP6T_FUNCTION_MAXNAMELEN];

-	/* Returns verdict. */
+	/* Returns verdict. Argument order changed since 2.6.9, as this
+	   must now handle non-linear skbs, using skb_copy_bits and
+	   skb_ip_make_writable. */
 	unsigned int (*target)(struct sk_buff **pskb,
-			       unsigned int hooknum,
 			       const struct net_device *in,
 			       const struct net_device *out,
+			       unsigned int hooknum,
 			       const void *targinfo,
 			       void *userdata);


--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
--- a/net/ipv6/netfilter/ip6t_LOG.c
+++ b/net/ipv6/netfilter/ip6t_LOG.c
@@ -335,9 +335,9 @@ ip6t_log_packet(unsigned int hooknum,

 static unsigned int
 ip6t_log_target(struct sk_buff **pskb,
-		unsigned int hooknum,
 		const struct net_device *in,
 		const struct net_device *out,
+		unsigned int hooknum,
 		const void *targinfo,
 		void *userinfo)
 {

--- a/net/ipv6/netfilter/ip6t_MARK.c
+++ b/net/ipv6/netfilter/ip6t_MARK.c
@@ -20,9 +20,9 @@ MODULE_AUTHOR("Netfilter Core Team <coreteam@netfilter.org>");

 static unsigned int
 target(struct sk_buff **pskb,
-       unsigned int hooknum,
       const struct net_device *in,
       const struct net_device *out,
+       unsigned int hooknum,
       const void *targinfo,
       void *userinfo)
 {

--- a/net/ipv6/netfilter/ip6t_ah.c
+++ b/net/ipv6/netfilter/ip6t_ah.c
@@ -45,8 +45,7 @@ match(const struct sk_buff *skb,
      const struct net_device *out,
      const void *matchinfo,
      int offset,
-      const void *protohdr,
-      u_int16_t datalen,
+      unsigned int protoff,
      int *hotdrop)
 {
       struct ip_auth_hdr *ah = NULL;

--- a/net/ipv6/netfilter/ip6t_dst.c
+++ b/net/ipv6/netfilter/ip6t_dst.c
@@ -60,8 +60,7 @@ match(const struct sk_buff *skb,
      const struct net_device *out,
      const void *matchinfo,
      int offset,
-      const void *protohdr,
-      u_int16_t datalen,
+      unsigned int protoff,
      int *hotdrop)
 {
       struct ipv6_opt_hdr *optsh = NULL;

--- a/net/ipv6/netfilter/ip6t_esp.c
+++ b/net/ipv6/netfilter/ip6t_esp.c
@@ -45,8 +45,7 @@ match(const struct sk_buff *skb,
      const struct net_device *out,
      const void *matchinfo,
      int offset,
-      const void *protohdr,
-      u_int16_t datalen,
+      unsigned int protoff,
      int *hotdrop)
 {
 	struct ip_esp_hdr *esp = NULL;

--- a/net/ipv6/netfilter/ip6t_eui64.c
+++ b/net/ipv6/netfilter/ip6t_eui64.c
@@ -24,8 +24,7 @@ match(const struct sk_buff *skb,
      const struct net_device *out,
      const void *matchinfo,
      int offset,
-      const void *hdr,
-      u_int16_t datalen,
+      unsigned int protoff,
      int *hotdrop)
 {


--- a/net/ipv6/netfilter/ip6t_frag.c
+++ b/net/ipv6/netfilter/ip6t_frag.c
@@ -70,8 +70,7 @@ match(const struct sk_buff *skb,
      const struct net_device *out,
      const void *matchinfo,
      int offset,
-      const void *protohdr,
-      u_int16_t datalen,
+      unsigned int protoff,
      int *hotdrop)
 {
       struct fraghdr *frag = NULL;

--- a/net/ipv6/netfilter/ip6t_hbh.c
+++ b/net/ipv6/netfilter/ip6t_hbh.c
@@ -59,8 +59,7 @@ match(const struct sk_buff *skb,
      const struct net_device *out,
      const void *matchinfo,
      int offset,
-      const void *protohdr,
-      u_int16_t datalen,
+      unsigned int protoff,
      int *hotdrop)
 {
       struct ipv6_opt_hdr *optsh = NULL;

--- a/net/ipv6/netfilter/ip6t_hl.c
+++ b/net/ipv6/netfilter/ip6t_hl.c
@@ -20,7 +20,7 @@ MODULE_LICENSE("GPL");

 static int match(const struct sk_buff *skb, const struct net_device *in,
 		 const struct net_device *out, const void *matchinfo,
-		 int offset, const void *hdr, u_int16_t datalen,
+		 int offset, unsigned int protoff,
 		 int *hotdrop)
 {
 	const struct ip6t_hl_info *info = matchinfo;

--- a/net/ipv6/netfilter/ip6t_ipv6header.c
+++ b/net/ipv6/netfilter/ip6t_ipv6header.c
@@ -31,8 +31,7 @@ ipv6header_match(const struct sk_buff *skb,
 		 const struct net_device *out,
 		 const void *matchinfo,
 		 int offset,
-		 const void *protohdr,
-		 u_int16_t datalen,
+		 unsigned int protoff,
 		 int *hotdrop)
 {
 	const struct ip6t_ipv6header_info *info = matchinfo;

--- a/net/ipv6/netfilter/ip6t_length.c
+++ b/net/ipv6/netfilter/ip6t_length.c
@@ -23,8 +23,7 @@ match(const struct sk_buff *skb,
      const struct net_device *out,
      const void *matchinfo,
      int offset,
-      const void *hdr,
-      u_int16_t datalen,
+      unsigned int protoff,
      int *hotdrop)
 {
 	const struct ip6t_length_info *info = matchinfo;

--- a/net/ipv6/netfilter/ip6t_limit.c
+++ b/net/ipv6/netfilter/ip6t_limit.c
@@ -57,8 +57,7 @@ ip6t_limit_match(const struct sk_buff *skb,
 		const struct net_device *out,
 		const void *matchinfo,
 		int offset,
-		const void *hdr,
-		u_int16_t datalen,
+		unsigned int protoff,
 		int *hotdrop)
 {
 	struct ip6t_rateinfo *r = ((struct ip6t_rateinfo *)matchinfo)->master;

--- a/net/ipv6/netfilter/ip6t_mac.c
+++ b/net/ipv6/netfilter/ip6t_mac.c
@@ -25,8 +25,7 @@ match(const struct sk_buff *skb,
      const struct net_device *out,
      const void *matchinfo,
      int offset,
-      const void *hdr,
-      u_int16_t datalen,
+      unsigned int protoff,
      int *hotdrop)
 {
    const struct ip6t_mac_info *info = matchinfo;

--- a/net/ipv6/netfilter/ip6t_mark.c
+++ b/net/ipv6/netfilter/ip6t_mark.c
@@ -24,8 +24,7 @@ match(const struct sk_buff *skb,
      const struct net_device *out,
      const void *matchinfo,
      int offset,
-      const void *hdr,
-      u_int16_t datalen,
+      unsigned int protoff,
      int *hotdrop)
 {
 	const struct ip6t_mark_info *info = matchinfo;

--- a/net/ipv6/netfilter/ip6t_multiport.c
+++ b/net/ipv6/netfilter/ip6t_multiport.c
@@ -53,15 +53,14 @@ match(const struct sk_buff *skb,
      const struct net_device *out,
      const void *matchinfo,
      int offset,
-      const void *hdr,
-      u_int16_t datalen,
+      unsigned int protoff,
      int *hotdrop)
 {
-	const struct udphdr *udp = hdr;
+	const struct udphdr *udp = (const struct udphdr *)(skb->data + protoff);
 	const struct ip6t_multiport *multiinfo = matchinfo;

 	/* Must be big enough to read ports. */
-	if (offset == 0 && datalen < sizeof(struct udphdr)) {
+	if (offset == 0 && skb->len - protoff < sizeof(struct udphdr)) {
 		/* We've been asked to examine this packet, and we
 		   can't.  Hence, no choice but to drop. */
 			duprintf("ip6t_multiport:"

--- a/net/ipv6/netfilter/ip6t_owner.c
+++ b/net/ipv6/netfilter/ip6t_owner.c
@@ -92,8 +92,7 @@ match(const struct sk_buff *skb,
      const struct net_device *out,
      const void *matchinfo,
      int offset,
-      const void *hdr,
-      u_int16_t datalen,
+      unsigned int protoff,
      int *hotdrop)
 {
 	const struct ip6t_owner_info *info = matchinfo;

--- a/net/ipv6/netfilter/ip6t_rt.c
+++ b/net/ipv6/netfilter/ip6t_rt.c
@@ -47,8 +47,7 @@ match(const struct sk_buff *skb,
      const struct net_device *out,
      const void *matchinfo,
      int offset,
-      const void *protohdr,
-      u_int16_t datalen,
+      unsigned int protoff,
      int *hotdrop)
 {
       struct ipv6_rt_hdr *route = NULL;