Commit
e068209a
authored
Sep 24, 2004
by
David S. Miller
Merge nuts.davemloft.net:/disk1/BK/nf-work-2.6
into nuts.davemloft.net:/disk1/BK/nf-2.6
parents
6caaa717
480a73d5
Showing
32 changed files
with
265 additions
and
300 deletions
+265
-300
include/linux/netfilter.h
include/linux/netfilter.h
+1
-1
include/linux/netfilter_ipv4/ip_conntrack.h
include/linux/netfilter_ipv4/ip_conntrack.h
+11
-11
include/linux/netfilter_ipv4/ip_conntrack_core.h
include/linux/netfilter_ipv4/ip_conntrack_core.h
+3
-7
include/linux/netfilter_ipv4/ip_conntrack_protocol.h
include/linux/netfilter_ipv4/ip_conntrack_protocol.h
+9
-3
include/linux/netfilter_ipv4/ip_nat.h
include/linux/netfilter_ipv4/ip_nat.h
+3
-12
include/linux/netfilter_ipv4/ip_nat_core.h
include/linux/netfilter_ipv4/ip_nat_core.h
+0
-6
include/linux/netfilter_ipv4/ip_nat_protocol.h
include/linux/netfilter_ipv4/ip_nat_protocol.h
+14
-2
include/linux/netfilter_ipv4/ipt_comment.h
include/linux/netfilter_ipv4/ipt_comment.h
+10
-0
include/linux/skbuff.h
include/linux/skbuff.h
+8
-10
include/linux/sysctl.h
include/linux/sysctl.h
+1
-0
net/core/netfilter.c
net/core/netfilter.c
+1
-1
net/core/skbuff.c
net/core/skbuff.c
+2
-0
net/ipv4/ip_output.c
net/ipv4/ip_output.c
+1
-0
net/ipv4/netfilter/Kconfig
net/ipv4/netfilter/Kconfig
+10
-0
net/ipv4/netfilter/Makefile
net/ipv4/netfilter/Makefile
+1
-6
net/ipv4/netfilter/ip_conntrack_core.c
net/ipv4/netfilter/ip_conntrack_core.c
+42
-108
net/ipv4/netfilter/ip_conntrack_proto_icmp.c
net/ipv4/netfilter/ip_conntrack_proto_icmp.c
+2
-1
net/ipv4/netfilter/ip_conntrack_proto_sctp.c
net/ipv4/netfilter/ip_conntrack_proto_sctp.c
+5
-6
net/ipv4/netfilter/ip_conntrack_standalone.c
net/ipv4/netfilter/ip_conntrack_standalone.c
+17
-18
net/ipv4/netfilter/ip_fw_compat_masq.c
net/ipv4/netfilter/ip_fw_compat_masq.c
+3
-3
net/ipv4/netfilter/ip_nat_core.c
net/ipv4/netfilter/ip_nat_core.c
+40
-80
net/ipv4/netfilter/ip_nat_proto_icmp.c
net/ipv4/netfilter/ip_nat_proto_icmp.c
+1
-1
net/ipv4/netfilter/ip_nat_proto_tcp.c
net/ipv4/netfilter/ip_nat_proto_tcp.c
+1
-1
net/ipv4/netfilter/ip_nat_proto_udp.c
net/ipv4/netfilter/ip_nat_proto_udp.c
+1
-1
net/ipv4/netfilter/ip_nat_proto_unknown.c
net/ipv4/netfilter/ip_nat_proto_unknown.c
+2
-2
net/ipv4/netfilter/ip_nat_standalone.c
net/ipv4/netfilter/ip_nat_standalone.c
+5
-10
net/ipv4/netfilter/ipt_NOTRACK.c
net/ipv4/netfilter/ipt_NOTRACK.c
+2
-1
net/ipv4/netfilter/ipt_REJECT.c
net/ipv4/netfilter/ipt_REJECT.c
+6
-6
net/ipv4/netfilter/ipt_comment.c
net/ipv4/netfilter/ipt_comment.c
+59
-0
net/ipv4/netfilter/ipt_conntrack.c
net/ipv4/netfilter/ipt_conntrack.c
+1
-1
net/ipv4/netfilter/ipt_state.c
net/ipv4/netfilter/ipt_state.c
+2
-2
net/ipv6/ip6_output.c
net/ipv6/ip6_output.c
+1
-0
include/linux/netfilter.h
@@ -178,7 +178,7 @@ extern inline struct ip6t_target *
ip6t_find_target_lock
(
const
char
*
name
,
int
*
error
,
struct
semaphore
*
mutex
);
extern
inline
struct
arpt_target
*
arpt_find_target_lock
(
const
char
*
name
,
int
*
error
,
struct
semaphore
*
mutex
);
extern
void
(
*
ip_ct_attach
)(
struct
sk_buff
*
,
struct
nf_ct_info
*
);
extern
void
(
*
ip_ct_attach
)(
struct
sk_buff
*
,
struct
sk_buff
*
);
#ifdef CONFIG_NETFILTER_DEBUG
extern
void
nf_dump_skb
(
int
pf
,
struct
sk_buff
*
skb
);
include/linux/netfilter_ipv4/ip_conntrack.h
@@ -172,9 +172,6 @@ struct ip_conntrack
plus 1 for any connection(s) we are `master' for */
struct
nf_conntrack
ct_general
;
/* These are my tuples; original and reply */
struct
ip_conntrack_tuple_hash
tuplehash
[
IP_CT_DIR_MAX
];
/* Have we seen traffic both ways yet? (bitset) */
unsigned
long
status
;
@@ -199,12 +196,7 @@ struct ip_conntrack
/* Helper, if any. */
struct
ip_conntrack_helper
*
helper
;
/* Our various nf_ct_info structs specify *what* relation this
packet has to the conntrack */
struct
nf_ct_info
infos
[
IP_CT_NUMBER
];
/* Storage reserved for other modules: */
union
ip_conntrack_proto
proto
;
union
ip_conntrack_help
help
;
@@ -220,6 +212,9 @@ struct ip_conntrack
}
nat
;
#endif
/* CONFIG_IP_NF_NAT_NEEDED */
/* Traversed often, so hopefully in different cacheline to top */
/* These are my tuples; original and reply */
struct
ip_conntrack_tuple_hash
tuplehash
[
IP_CT_DIR_MAX
];
};
/* get master conntrack via master expectation */
@@ -238,8 +233,12 @@ ip_conntrack_tuple_taken(const struct ip_conntrack_tuple *tuple,
const
struct
ip_conntrack
*
ignored_conntrack
);
/* Return conntrack_info and tuple hash for given skb. */
extern
struct
ip_conntrack
*
ip_conntrack_get
(
struct
sk_buff
*
skb
,
enum
ip_conntrack_info
*
ctinfo
);
static
inline
struct
ip_conntrack
*
ip_conntrack_get
(
const
struct
sk_buff
*
skb
,
enum
ip_conntrack_info
*
ctinfo
)
{
*
ctinfo
=
skb
->
nfctinfo
;
return
(
struct
ip_conntrack
*
)
skb
->
nfct
;
}
/* decrement reference count on a conntrack */
extern
inline
void
ip_conntrack_put
(
struct
ip_conntrack
*
ct
);
@@ -306,12 +305,13 @@ struct ip_conntrack_stat
unsigned
int
insert_failed
;
unsigned
int
drop
;
unsigned
int
early_drop
;
unsigned
int
icmp_
error
;
unsigned
int
error
;
unsigned
int
expect_new
;
unsigned
int
expect_create
;
unsigned
int
expect_delete
;
};
#define CONNTRACK_STAT_INC(count) (__get_cpu_var(ip_conntrack_stat).count++)
/* eg. PROVIDES_CONNTRACK(ftp); */
#define PROVIDES_CONNTRACK(name) \
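Review bot: The new inline `ip_conntrack_get` casts `skb->nfct` (now a `struct nf_conntrack *` per the skbuff.h change in this commit) straight to `struct ip_conntrack *`, which is only correct while `ct_general` is the first member of `struct ip_conntrack`; the hunk at line 172 shows it near the top of the struct, but the struct's opening is outside the hunk, so that is inferred. The invariant should be stated where it is relied on, e.g. `/* nfct points at ct_general, which must remain the first member of struct ip_conntrack */`, ideally backed by a compile-time check that `offsetof(struct ip_conntrack, ct_general) == 0` next to the struct definition. Also `*ctinfo` is written before the pointer is examined, so an untracked skb yields a NULL return with a populated ctinfo; a one-line note that callers must test the return value before using either would make that explicit.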
include/linux/netfilter_ipv4/ip_conntrack_core.h
@@ -16,10 +16,6 @@ extern int ip_conntrack_init(void);
extern
void
ip_conntrack_cleanup
(
void
);
struct
ip_conntrack_protocol
;
extern
struct
ip_conntrack_protocol
*
ip_ct_find_proto
(
u_int8_t
protocol
);
/* Like above, but you already have conntrack read lock. */
extern
struct
ip_conntrack_protocol
*
__ip_ct_find_proto
(
u_int8_t
protocol
);
extern
struct
list_head
protocol_list
;
extern
int
ip_ct_get_tuple
(
const
struct
iphdr
*
iph
,
@@ -38,14 +34,14 @@ struct ip_conntrack_tuple_hash *
ip_conntrack_find_get
(
const
struct
ip_conntrack_tuple
*
tuple
,
const
struct
ip_conntrack
*
ignored_conntrack
);
extern
int
__ip_conntrack_confirm
(
struct
nf_ct_info
*
nfct
);
extern
int
__ip_conntrack_confirm
(
struct
sk_buff
*
skb
);
/* Confirm a connection: returns NF_DROP if packet must be dropped. */
static
inline
int
ip_conntrack_confirm
(
struct
sk_buff
*
skb
)
{
if
(
skb
->
nfct
&&
!
is_confirmed
((
struct
ip_conntrack
*
)
skb
->
nfct
->
master
))
return
__ip_conntrack_confirm
(
skb
->
nfct
);
&&
!
is_confirmed
((
struct
ip_conntrack
*
)
skb
->
nfct
))
return
__ip_conntrack_confirm
(
skb
);
return
NF_ACCEPT
;
}
include/linux/netfilter_ipv4/ip_conntrack_protocol.h
@@ -7,9 +7,6 @@ struct seq_file;
struct
ip_conntrack_protocol
{
/* Next pointer. */
struct
list_head
list
;
/* Protocol number. */
u_int8_t
proto
;
@@ -58,14 +55,23 @@ struct ip_conntrack_protocol
struct
module
*
me
;
};
#define MAX_IP_CT_PROTO 256
extern
struct
ip_conntrack_protocol
*
ip_ct_protos
[
MAX_IP_CT_PROTO
];
/* Protocol registration. */
extern
int
ip_conntrack_protocol_register
(
struct
ip_conntrack_protocol
*
proto
);
extern
void
ip_conntrack_protocol_unregister
(
struct
ip_conntrack_protocol
*
proto
);
static
inline
struct
ip_conntrack_protocol
*
ip_ct_find_proto
(
u_int8_t
protocol
)
{
return
ip_ct_protos
[
protocol
];
}
/* Existing built-in protocols */
extern
struct
ip_conntrack_protocol
ip_conntrack_protocol_tcp
;
extern
struct
ip_conntrack_protocol
ip_conntrack_protocol_udp
;
extern
struct
ip_conntrack_protocol
ip_conntrack_protocol_icmp
;
extern
struct
ip_conntrack_protocol
ip_conntrack_generic_protocol
;
extern
int
ip_conntrack_protocol_tcp_init
(
void
);
/* Log invalid packets */
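Review bot: The new `ip_ct_find_proto` indexes the 256-entry `ip_ct_protos` table with no bounds check and no lock, and both are acceptable only because the parameter is `u_int8_t` and because unregister (ip_conntrack_standalone.c in this commit) swaps the slot back to `ip_conntrack_generic_protocol` under the write lock and then appears to wait for bh readers; none of that is written down here. Suggest a comment above the inline: `/* Lockless lookup: the u_int8_t index cannot exceed MAX_IP_CT_PROTO, and unregister resets the slot to the generic protocol before a module can go away; never widen the parameter type. */`. The removed `__ip_ct_find_proto` carried the only locking note ("you already have conntrack read lock"), so callers that used to hold the lock now have no stated replacement rule.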
include/linux/netfilter_ipv4/ip_nat.h
@@ -80,27 +80,18 @@ struct ip_nat_info_manip
/* Protects NAT hash tables, and NAT-private part of conntracks. */
DECLARE_RWLOCK_EXTERN
(
ip_nat_lock
);
/* Hashes for by-source and IP/protocol. */
struct
ip_nat_hash
{
struct
list_head
list
;
/* conntrack we're embedded in: NULL if not in hash. */
struct
ip_conntrack
*
conntrack
;
};
/* The structure embedded in the conntrack structure. */
struct
ip_nat_info
{
/* Set to zero when conntrack created: bitmask of maniptypes */
in
t
initialized
;
u_int16_
t
initialized
;
u
nsigned
in
t
num_manips
;
u
_int16_
t
num_manips
;
/* Manipulations to be done on this conntrack. */
struct
ip_nat_info_manip
manips
[
IP_NAT_MAX_MANIPS
];
struct
ip_nat_hash
bysource
,
byipsproto
;
struct
list_head
bysource
,
byipsproto
;
/* Helper (NULL if none). */
struct
ip_nat_helper
*
helper
;
include/linux/netfilter_ipv4/ip_nat_core.h
@@ -14,8 +14,6 @@ extern unsigned int do_bindings(struct ip_conntrack *ct,
unsigned
int
hooknum
,
struct
sk_buff
**
pskb
);
extern
struct
list_head
protos
;
extern
int
icmp_reply_translation
(
struct
sk_buff
**
pskb
,
struct
ip_conntrack
*
conntrack
,
unsigned
int
hooknum
,
@@ -26,8 +24,4 @@ extern void replace_in_hashes(struct ip_conntrack *conntrack,
extern
void
place_in_hashes
(
struct
ip_conntrack
*
conntrack
,
struct
ip_nat_info
*
info
);
/* Built-in protocols. */
extern
struct
ip_nat_protocol
ip_nat_protocol_tcp
;
extern
struct
ip_nat_protocol
ip_nat_protocol_udp
;
extern
struct
ip_nat_protocol
ip_nat_protocol_icmp
;
#endif
/* _IP_NAT_CORE_H */
include/linux/netfilter_ipv4/ip_nat_protocol.h
@@ -9,8 +9,6 @@ struct ip_nat_range;
struct
ip_nat_protocol
{
struct
list_head
list
;
/* Protocol name */
const
char
*
name
;
@@ -47,10 +45,24 @@ struct ip_nat_protocol
const
struct
ip_nat_range
*
range
);
};
#define MAX_IP_NAT_PROTO 256
extern
struct
ip_nat_protocol
*
ip_nat_protos
[
MAX_IP_NAT_PROTO
];
/* Protocol registration. */
extern
int
ip_nat_protocol_register
(
struct
ip_nat_protocol
*
proto
);
extern
void
ip_nat_protocol_unregister
(
struct
ip_nat_protocol
*
proto
);
static
inline
struct
ip_nat_protocol
*
ip_nat_find_proto
(
u_int8_t
protocol
)
{
return
ip_nat_protos
[
protocol
];
}
/* Built-in protocols. */
extern
struct
ip_nat_protocol
ip_nat_protocol_tcp
;
extern
struct
ip_nat_protocol
ip_nat_protocol_udp
;
extern
struct
ip_nat_protocol
ip_nat_protocol_icmp
;
extern
struct
ip_nat_protocol
ip_nat_unknown_protocol
;
extern
int
init_protocols
(
void
)
__init
;
extern
void
cleanup_protocols
(
void
);
extern
struct
ip_nat_protocol
*
find_nat_proto
(
u_int16_t
protonum
);
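Review bot: The prototypes `find_nat_proto`, `init_protocols` and `cleanup_protocols` at the end of the second hunk survive as context while the `find_nat_proto` definition is deleted from ip_nat_core.c in this same commit and its callers are moved to `ip_nat_find_proto`; unless another translation unit still defines them (none in this diff does), they are now dangling declarations and should be removed so a stale caller is caught at compile time instead of at module-load time. Separately, `ip_nat_find_proto` takes `u_int8_t` whereas the removed `find_nat_proto` took `u_int16_t`, so call sites that pass a 16-bit protocol number now narrow silently (see the ip_nat_core.c note). A one-line comment on the inline, `/* u_int8_t index is what keeps this inside MAX_IP_NAT_PROTO; do not widen */`, would keep that from being "fixed" later.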
include/linux/netfilter_ipv4/ipt_comment.h
0 → 100644
#ifndef _IPT_COMMENT_H
#define _IPT_COMMENT_H
#define IPT_MAX_COMMENT_LEN 256
struct
ipt_comment_info
{
unsigned
char
comment
[
IPT_MAX_COMMENT_LEN
];
};
#endif
/* _IPT_COMMENT_H */
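Review bot: `ipt_comment_info` is a match structure supplied from userspace, yet the header does not say whether `comment` must be NUL-terminated or whether the kernel ever reads it. Since the ruleset loader copies this buffer in verbatim, the kernel side must treat `comment` as an uninterpreted 256-byte array rather than a C string; suggest above the field: `/* Free-form text from userspace; not guaranteed NUL-terminated and never interpreted by the kernel. */`. That the kernel never interprets it is inferred from the Kconfig text in this commit ("dummy-match"); ipt_comment.c itself is not in the visible part of this page.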
include/linux/skbuff.h
@@ -97,10 +97,6 @@ struct nf_conntrack {
void
(
*
destroy
)(
struct
nf_conntrack
*
);
};
struct
nf_ct_info
{
struct
nf_conntrack
*
master
;
};
#ifdef CONFIG_BRIDGE_NETFILTER
struct
nf_bridge_info
{
atomic_t
use
;
@@ -186,6 +182,7 @@ struct skb_shared_info {
* @nfmark: Can be used for communication between hooks
* @nfcache: Cache info
* @nfct: Associated connection, if any
* @nfctinfo: Relationship of this skb to the connection
* @nf_debug: Netfilter debugging
* @nf_bridge: Saved data about a bridged frame - see br_netfilter.c
* @private: Data which is private to the HIPPI implementation
@@ -253,7 +250,8 @@ struct sk_buff {
#ifdef CONFIG_NETFILTER
unsigned
long
nfmark
;
__u32
nfcache
;
struct
nf_ct_info
*
nfct
;
struct
nf_conntrack
*
nfct
;
__u32
nfctinfo
;
#ifdef CONFIG_NETFILTER_DEBUG
unsigned
int
nf_debug
;
#endif
@@ -1141,15 +1139,15 @@ extern int skb_iter_next(const struct sk_buff *skb, struct skb_iter *i);
extern
void
skb_iter_abort
(
const
struct
sk_buff
*
skb
,
struct
skb_iter
*
i
);
#ifdef CONFIG_NETFILTER
static
inline
void
nf_conntrack_put
(
struct
nf_c
t_info
*
nfct
)
static
inline
void
nf_conntrack_put
(
struct
nf_c
onntrack
*
nfct
)
{
if
(
nfct
&&
atomic_dec_and_test
(
&
nfct
->
master
->
use
))
nfct
->
master
->
destroy
(
nfct
->
master
);
if
(
nfct
&&
atomic_dec_and_test
(
&
nfct
->
use
))
nfct
->
destroy
(
nfct
);
}
static
inline
void
nf_conntrack_get
(
struct
nf_c
t_info
*
nfct
)
static
inline
void
nf_conntrack_get
(
struct
nf_c
onntrack
*
nfct
)
{
if
(
nfct
)
atomic_inc
(
&
nfct
->
master
->
use
);
atomic_inc
(
&
nfct
->
use
);
}
static
inline
void
nf_reset
(
struct
sk_buff
*
skb
)
{
include/linux/sysctl.h
@@ -424,6 +424,7 @@ enum
NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_SENT
=
24
,
NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_RECD
=
25
,
NET_IPV4_NF_CONNTRACK_SCTP_TIMEOUT_SHUTDOWN_ACK_SENT
=
26
,
NET_IPV4_NF_CONNTRACK_COUNT
=
27
,
};
/* /proc/sys/net/ipv6 */
net/core/netfilter.c
@@ -806,7 +806,7 @@ EXPORT_SYMBOL(nf_log_packet);
tracking in use: without this, connection may not be in hash table,
and hence manufactured ICMP or RST packets will not be associated
with it. */
void
(
*
ip_ct_attach
)(
struct
sk_buff
*
,
struct
nf_ct_info
*
);
void
(
*
ip_ct_attach
)(
struct
sk_buff
*
,
struct
sk_buff
*
);
void
__init
netfilter_init
(
void
)
{
net/core/skbuff.c
@@ -311,6 +311,7 @@ struct sk_buff *skb_clone(struct sk_buff *skb, int gfp_mask)
C
(
nfcache
);
C
(
nfct
);
nf_conntrack_get
(
skb
->
nfct
);
C
(
nfctinfo
);
#ifdef CONFIG_NETFILTER_DEBUG
C
(
nf_debug
);
#endif
@@ -377,6 +378,7 @@ static void copy_skb_header(struct sk_buff *new, const struct sk_buff *old)
new
->
nfcache
=
old
->
nfcache
;
new
->
nfct
=
old
->
nfct
;
nf_conntrack_get
(
old
->
nfct
);
new
->
nfctinfo
=
old
->
nfctinfo
;
#ifdef CONFIG_NETFILTER_DEBUG
new
->
nf_debug
=
old
->
nf_debug
;
#endif
net/ipv4/ip_output.c
@@ -422,6 +422,7 @@ static void ip_copy_metadata(struct sk_buff *to, struct sk_buff *from)
nf_conntrack_put
(
to
->
nfct
);
to
->
nfct
=
from
->
nfct
;
nf_conntrack_get
(
to
->
nfct
);
to
->
nfctinfo
=
from
->
nfctinfo
;
#ifdef CONFIG_BRIDGE_NETFILTER
nf_bridge_put
(
to
->
nf_bridge
);
to
->
nf_bridge
=
from
->
nf_bridge
;
net/ipv4/netfilter/Kconfig
@@ -332,6 +332,16 @@ config IP_NF_MATCH_SCTP
If you want to compile it as a module, say M here and read
Documentation/modules.txt. If unsure, say `N'.
config IP_NF_MATCH_COMMENT
tristate 'comment match support'
depends on IP_NF_IPTABLES
help
This option adds a `comment' dummy-match, which allows you to put
comments in your iptables ruleset.
If you want to compile it as a module, say M here and read
Documentation/modules.txt. If unsure, say `N'.
# `filter', generic and specific targets
config IP_NF_FILTER
tristate "Packet filtering"
net/ipv4/netfilter/Makefile
@@ -50,28 +50,23 @@ obj-$(CONFIG_IP_NF_MATCH_SCTP) += ipt_sctp.o
obj-$(CONFIG_IP_NF_MATCH_MARK)
+=
ipt_mark.o
obj-$(CONFIG_IP_NF_MATCH_MAC)
+=
ipt_mac.o
obj-$(CONFIG_IP_NF_MATCH_IPRANGE)
+=
ipt_iprange.o
obj-$(CONFIG_IP_NF_MATCH_PKTTYPE)
+=
ipt_pkttype.o
obj-$(CONFIG_IP_NF_MATCH_MULTIPORT)
+=
ipt_multiport.o
obj-$(CONFIG_IP_NF_MATCH_OWNER)
+=
ipt_owner.o
obj-$(CONFIG_IP_NF_MATCH_TOS)
+=
ipt_tos.o
obj-$(CONFIG_IP_NF_MATCH_RECENT)
+=
ipt_recent.o
obj-$(CONFIG_IP_NF_MATCH_ECN)
+=
ipt_ecn.o
obj-$(CONFIG_IP_NF_MATCH_DSCP)
+=
ipt_dscp.o
obj-$(CONFIG_IP_NF_MATCH_AH_ESP)
+=
ipt_ah.o ipt_esp.o
obj-$(CONFIG_IP_NF_MATCH_LENGTH)
+=
ipt_length.o
obj-$(CONFIG_IP_NF_MATCH_TTL)
+=
ipt_ttl.o
obj-$(CONFIG_IP_NF_MATCH_STATE)
+=
ipt_state.o
obj-$(CONFIG_IP_NF_MATCH_CONNTRACK)
+=
ipt_conntrack.o
obj-$(CONFIG_IP_NF_MATCH_TCPMSS)
+=
ipt_tcpmss.o
obj-$(CONFIG_IP_NF_MATCH_REALM)
+=
ipt_realm.o
obj-$(CONFIG_IP_NF_MATCH_ADDRTYPE)
+=
ipt_addrtype.o
obj-$(CONFIG_IP_NF_MATCH_PHYSDEV)
+=
ipt_physdev.o
obj-$(CONFIG_IP_NF_MATCH_COMMENT)
+=
ipt_comment.o
# targets
obj-$(CONFIG_IP_NF_TARGET_REJECT)
+=
ipt_REJECT.o
net/ipv4/netfilter/ip_conntrack_core.c
net/ipv4/netfilter/ip_conntrack_proto_icmp.c
@@ -195,7 +195,8 @@ icmp_error_message(struct sk_buff *skb,
}
/* Update skb to refer to this connection */
skb
->
nfct
=
&
h
->
ctrack
->
infos
[
*
ctinfo
];
skb
->
nfct
=
&
h
->
ctrack
->
ct_general
;
skb
->
nfctinfo
=
*
ctinfo
;
return
-
NF_ACCEPT
;
}
net/ipv4/netfilter/ip_conntrack_proto_sctp.c
@@ -430,16 +430,16 @@ static int sctp_new(struct ip_conntrack *conntrack,
DEBUGP
(
"
\n
"
);
if
(
skb_copy_bits
(
skb
,
skb
->
nh
.
iph
->
ihl
*
4
,
&
sctph
,
sizeof
(
sctph
))
!=
0
)
return
-
1
;
return
0
;
if
(
do_basic_checks
(
conntrack
,
skb
,
map
)
!=
0
)
return
-
1
;
return
0
;
/* If an OOTB packet has any of these chunks discard (Sec 8.4) */
if
((
test_bit
(
SCTP_CID_ABORT
,
(
void
*
)
map
))
||
(
test_bit
(
SCTP_CID_SHUTDOWN_COMPLETE
,
(
void
*
)
map
))
||
(
test_bit
(
SCTP_CID_COOKIE_ACK
,
(
void
*
)
map
)))
{
return
-
1
;
return
0
;
}
newconntrack
=
SCTP_CONNTRACK_MAX
;
@@ -461,7 +461,7 @@ static int sctp_new(struct ip_conntrack *conntrack,
if
(
skb_copy_bits
(
skb
,
offset
+
sizeof
(
sctp_chunkhdr_t
),
&
inithdr
,
sizeof
(
inithdr
))
!=
0
)
{
return
-
1
;
return
0
;
}
DEBUGP
(
"Setting vtag %x for new conn
\n
"
,
@@ -471,7 +471,7 @@ static int sctp_new(struct ip_conntrack *conntrack,
inithdr
.
init_tag
;
}
else
{
/* Sec 8.5.1 (A) */
return
-
1
;
return
0
;
}
}
/* If it is a shutdown ack OOTB packet, we expect a return
@@ -496,7 +496,6 @@ static int sctp_exp_matches_pkt(struct ip_conntrack_expect *exp,
}
struct
ip_conntrack_protocol
ip_conntrack_protocol_sctp
=
{
.
list
=
{
NULL
,
NULL
},
.
proto
=
IPPROTO_SCTP
,
.
name
=
"sctp"
,
.
pkt_to_tuple
=
sctp_pkt_to_tuple
,
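Review bot: Every failure path in `sctp_new` now returns 0 instead of -1 (the five `return 0;` lines across the three `sctp_new` hunks), which reads as a fix for a callback convention where non-zero means "accept", but nothing in the function says so, and the earlier -1 suggests the convention was already misread once. Suggest a comment at the top of `sctp_new`, which starts outside the hunk: `/* Return 0 to reject the new connection, non-zero to accept it; the caller treats the value as a boolean, so -1 would count as success. */`. That the caller treats the result as boolean is inferred from this change rather than visible here.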
net/ipv4/netfilter/ip_conntrack_standalone.c
@@ -112,7 +112,7 @@ static int ct_seq_real_show(const struct ip_conntrack_tuple_hash *hash,
if
(
DIRECTION
(
hash
))
return
0
;
proto
=
__
ip_ct_find_proto
(
conntrack
->
tuplehash
[
IP_CT_DIR_ORIGINAL
]
proto
=
ip_ct_find_proto
(
conntrack
->
tuplehash
[
IP_CT_DIR_ORIGINAL
]
.
tuple
.
dst
.
protonum
);
IP_NF_ASSERT
(
proto
);
@@ -242,7 +242,7 @@ static int exp_seq_show(struct seq_file *s, void *v)
expect
->
tuple
.
dst
.
protonum
);
print_tuple
(
s
,
&
expect
->
tuple
,
__
ip_ct_find_proto
(
expect
->
tuple
.
dst
.
protonum
));
ip_ct_find_proto
(
expect
->
tuple
.
dst
.
protonum
));
return
seq_putc
(
s
,
'\n'
);
}
@@ -317,7 +317,7 @@ static int ct_cpu_seq_show(struct seq_file *seq, void *v)
st
->
insert_failed
,
st
->
drop
,
st
->
early_drop
,
st
->
icmp_
error
,
st
->
error
,
st
->
expect_new
,
st
->
expect_create
,
@@ -515,6 +515,14 @@ static ctl_table ip_ct_sysctl_table[] = {
.
mode
=
0644
,
.
proc_handler
=
&
proc_dointvec
,
},
{
.
ctl_name
=
NET_IPV4_NF_CONNTRACK_COUNT
,
.
procname
=
"ip_conntrack_count"
,
.
data
=
&
ip_conntrack_count
,
.
maxlen
=
sizeof
(
int
),
.
mode
=
0444
,
.
proc_handler
=
&
proc_dointvec
,
},
{
.
ctl_name
=
NET_IPV4_NF_CONNTRACK_BUCKETS
,
.
procname
=
"ip_conntrack_buckets"
,
@@ -816,19 +824,13 @@ static int init_or_cleanup(int init)
int
ip_conntrack_protocol_register
(
struct
ip_conntrack_protocol
*
proto
)
{
int
ret
=
0
;
struct
list_head
*
i
;
WRITE_LOCK
(
&
ip_conntrack_lock
);
list_for_each
(
i
,
&
protocol_list
)
{
if
(((
struct
ip_conntrack_protocol
*
)
i
)
->
proto
==
proto
->
proto
)
{
if
(
ip_ct_protos
[
proto
->
proto
]
!=
&
ip_conntrack_generic_protocol
)
{
ret
=
-
EBUSY
;
goto
out
;
}
}
list_prepend
(
&
protocol_list
,
proto
);
ip_ct_protos
[
proto
->
proto
]
=
proto
;
out:
WRITE_UNLOCK
(
&
ip_conntrack_lock
);
return
ret
;
@@ -837,10 +839,7 @@ int ip_conntrack_protocol_register(struct ip_conntrack_protocol *proto)
void
ip_conntrack_protocol_unregister
(
struct
ip_conntrack_protocol
*
proto
)
{
WRITE_LOCK
(
&
ip_conntrack_lock
);
/* ip_ct_find_proto() returns proto_generic in case there is no protocol
* helper. So this should be enough - HW */
LIST_DELETE
(
&
protocol_list
,
proto
);
ip_ct_protos
[
proto
->
proto
]
=
&
ip_conntrack_generic_protocol
;
WRITE_UNLOCK
(
&
ip_conntrack_lock
);
/* Somebody could be still looking at the proto in bh. */
@@ -880,8 +879,8 @@ EXPORT_SYMBOL(ip_conntrack_helper_register);
EXPORT_SYMBOL
(
ip_conntrack_helper_unregister
);
EXPORT_SYMBOL
(
ip_ct_selective_cleanup
);
EXPORT_SYMBOL
(
ip_ct_refresh_acct
);
EXPORT_SYMBOL
(
ip_ct_protos
);
EXPORT_SYMBOL
(
ip_ct_find_proto
);
EXPORT_SYMBOL
(
__ip_ct_find_proto
);
EXPORT_SYMBOL
(
ip_ct_find_helper
);
EXPORT_SYMBOL
(
ip_conntrack_expect_alloc
);
EXPORT_SYMBOL
(
ip_conntrack_expect_related
);
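Review bot: The new read-only sysctl `ip_conntrack_count` hands `&ip_conntrack_count` to `proc_dointvec` with `maxlen = sizeof(int)`; the variable's declaration is outside this diff, and if it is not a plain `int` (for instance an `atomic_t`) the handler reads it through an `int` alias, which happens to work on common architectures but deserves a comment at the entry, e.g. `/* read-only view of ip_conntrack_count; proc_dointvec aliases it as int */`. In `ip_conntrack_protocol_register` the list walk is replaced by a direct slot check, which is sound because `proto->proto` is `u_int8_t` (ip_conntrack_protocol.h in this commit) and so cannot exceed `MAX_IP_CT_PROTO`; a short comment noting that the index type is the bounds check would stop a later widening from silently turning `ip_ct_protos[proto->proto] = proto` into an out-of-bounds write. Both functions continue outside their hunks.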
net/ipv4/netfilter/ip_fw_compat_masq.c
@@ -146,7 +146,7 @@ check_for_demasq(struct sk_buff **pskb)
case
IPPROTO_ICMP
:
/* ICMP errors. */
protocol
->
error
(
*
pskb
,
&
ctinfo
,
NF_IP_PRE_ROUTING
);
ct
=
(
struct
ip_conntrack
*
)(
*
pskb
)
->
nfct
->
master
;
ct
=
(
struct
ip_conntrack
*
)(
*
pskb
)
->
nfct
;
if
(
ct
)
{
/* We only do SNAT in the compatibility layer.
So we can manipulate ICMP errors from
@@ -187,7 +187,7 @@ check_for_demasq(struct sk_buff **pskb)
NULL
,
NULL
,
NULL
);
/* Put back the reference gained from find_get */
nf_conntrack_put
(
&
h
->
ctrack
->
infos
[
0
]
);
nf_conntrack_put
(
&
h
->
ctrack
->
ct_general
);
if
(
ret
==
NF_ACCEPT
)
{
struct
ip_conntrack
*
ct
;
ct
=
ip_conntrack_get
(
*
pskb
,
&
ctinfo
);
@@ -206,7 +206,7 @@ check_for_demasq(struct sk_buff **pskb)
}
else
{
if
(
h
)
/* Put back the reference gained from find_get */
nf_conntrack_put
(
&
h
->
ctrack
->
infos
[
0
]
);
nf_conntrack_put
(
&
h
->
ctrack
->
ct_general
);
ret
=
NF_ACCEPT
;
}
net/ipv4/netfilter/ip_nat_core.c
@@ -48,9 +48,8 @@ static unsigned int ip_nat_htable_size;
static
struct
list_head
*
bysource
;
static
struct
list_head
*
byipsproto
;
LIST_HEAD
(
protos
)
;
struct
ip_nat_protocol
*
ip_nat_protos
[
MAX_IP_NAT_PROTO
]
;
extern
struct
ip_nat_protocol
unknown_nat_protocol
;
/* We keep extra hashes for each conntrack, for fast searching. */
static
inline
size_t
@@ -77,9 +76,6 @@ static void ip_nat_cleanup_conntrack(struct ip_conntrack *conn)
if
(
!
info
->
initialized
)
return
;
IP_NF_ASSERT
(
info
->
bysource
.
conntrack
);
IP_NF_ASSERT
(
info
->
byipsproto
.
conntrack
);
hs
=
hash_by_src
(
&
conn
->
tuplehash
[
IP_CT_DIR_ORIGINAL
].
tuple
.
src
,
conn
->
tuplehash
[
IP_CT_DIR_ORIGINAL
]
.
tuple
.
dst
.
protonum
);
@@ -90,8 +86,8 @@ static void ip_nat_cleanup_conntrack(struct ip_conntrack *conn)
.
tuple
.
dst
.
protonum
);
WRITE_LOCK
(
&
ip_nat_lock
);
LIST_DELETE
(
&
bysource
[
hs
],
&
info
->
bysource
);
LIST_DELETE
(
&
byipsproto
[
hp
],
&
info
->
byipsproto
);
list_del
(
&
info
->
bysource
);
list_del
(
&
info
->
byipsproto
);
WRITE_UNLOCK
(
&
ip_nat_lock
);
}
@@ -106,23 +102,6 @@ ip_nat_cheat_check(u_int32_t oldvalinv, u_int32_t newval, u_int16_t oldcheck)
oldcheck
^
0xFFFF
));
}
static
inline
int
cmp_proto
(
const
struct
ip_nat_protocol
*
i
,
int
proto
)
{
return
i
->
protonum
==
proto
;
}
struct
ip_nat_protocol
*
find_nat_proto
(
u_int16_t
protonum
)
{
struct
ip_nat_protocol
*
i
;
MUST_BE_READ_LOCKED
(
&
ip_nat_lock
);
i
=
LIST_FIND
(
&
protos
,
cmp_proto
,
struct
ip_nat_protocol
*
,
protonum
);
if
(
!
i
)
i
=
&
unknown_nat_protocol
;
return
i
;
}
/* Is this tuple already taken? (not by us) */
int
ip_nat_used_tuple
(
const
struct
ip_conntrack_tuple
*
tuple
,
@@ -145,7 +124,7 @@ in_range(const struct ip_conntrack_tuple *tuple,
const
struct
ip_conntrack_manip
*
manip
,
const
struct
ip_nat_multi_range
*
mr
)
{
struct
ip_nat_protocol
*
proto
=
find_nat
_proto
(
tuple
->
dst
.
protonum
);
struct
ip_nat_protocol
*
proto
=
ip_nat_find
_proto
(
tuple
->
dst
.
protonum
);
unsigned
int
i
;
struct
ip_conntrack_tuple
newtuple
=
{
*
manip
,
tuple
->
dst
};
@@ -171,20 +150,18 @@ in_range(const struct ip_conntrack_tuple *tuple,
}
static
inline
int
src_cmp
(
const
struct
ip_
nat_hash
*
i
,
src_cmp
(
const
struct
ip_
conntrack
*
ct
,
const
struct
ip_conntrack_tuple
*
tuple
,
const
struct
ip_nat_multi_range
*
mr
)
{
return
(
i
->
conntrack
->
tuplehash
[
IP_CT_DIR_ORIGINAL
].
tuple
.
dst
.
protonum
return
(
ct
->
tuplehash
[
IP_CT_DIR_ORIGINAL
].
tuple
.
dst
.
protonum
==
tuple
->
dst
.
protonum
&&
i
->
conntrack
->
tuplehash
[
IP_CT_DIR_ORIGINAL
].
tuple
.
src
.
ip
&&
ct
->
tuplehash
[
IP_CT_DIR_ORIGINAL
].
tuple
.
src
.
ip
==
tuple
->
src
.
ip
&&
i
->
conntrack
->
tuplehash
[
IP_CT_DIR_ORIGINAL
].
tuple
.
src
.
u
.
all
&&
ct
->
tuplehash
[
IP_CT_DIR_ORIGINAL
].
tuple
.
src
.
u
.
all
==
tuple
->
src
.
u
.
all
&&
in_range
(
tuple
,
&
i
->
conntrack
->
tuplehash
[
IP_CT_DIR_ORIGINAL
]
.
tuple
.
src
,
mr
));
&
ct
->
tuplehash
[
IP_CT_DIR_ORIGINAL
].
tuple
.
src
,
mr
));
}
/* Only called for SRC manip */
@@ -193,13 +170,12 @@ find_appropriate_src(const struct ip_conntrack_tuple *tuple,
const
struct
ip_nat_multi_range
*
mr
)
{
unsigned
int
h
=
hash_by_src
(
&
tuple
->
src
,
tuple
->
dst
.
protonum
);
struct
ip_
nat_hash
*
i
;
struct
ip_
conntrack
*
ct
;
MUST_BE_READ_LOCKED
(
&
ip_nat_lock
);
i
=
LIST_FIND
(
&
bysource
[
h
],
src_cmp
,
struct
ip_nat_hash
*
,
tuple
,
mr
);
if
(
i
)
return
&
i
->
conntrack
->
tuplehash
[
IP_CT_DIR_ORIGINAL
].
tuple
.
src
;
else
list_for_each_entry
(
ct
,
&
bysource
[
h
],
nat
.
info
.
bysource
)
if
(
src_cmp
(
ct
,
tuple
,
mr
))
return
&
ct
->
tuplehash
[
IP_CT_DIR_ORIGINAL
].
tuple
.
src
;
return
NULL
;
}
@@ -226,19 +202,17 @@ do_extra_mangle(u_int32_t var_ip, u_int32_t *other_ipp)
#endif
/* Simple way to iterate through all. */
static
inline
int
fake_cmp
(
const
struct
ip_
nat_hash
*
i
,
static
inline
int
fake_cmp
(
const
struct
ip_
conntrack
*
ct
,
u_int32_t
src
,
u_int32_t
dst
,
u_int16_t
protonum
,
unsigned
int
*
score
,
const
struct
ip_conntrack
*
conntrack
)
unsigned
int
*
score
,
const
struct
ip_conntrack
*
ct2
)
{
/* Compare backwards: we're dealing with OUTGOING tuples, and
inside the conntrack is the REPLY tuple. Don't count this
conntrack. */
if
(
i
->
conntrack
!=
conntrack
&&
i
->
conntrack
->
tuplehash
[
IP_CT_DIR_REPLY
].
tuple
.
src
.
ip
==
dst
&&
i
->
conntrack
->
tuplehash
[
IP_CT_DIR_REPLY
].
tuple
.
dst
.
ip
==
src
&&
(
i
->
conntrack
->
tuplehash
[
IP_CT_DIR_REPLY
].
tuple
.
dst
.
protonum
==
protonum
))
if
(
ct
!=
ct2
&&
ct
->
tuplehash
[
IP_CT_DIR_REPLY
].
tuple
.
src
.
ip
==
dst
&&
ct
->
tuplehash
[
IP_CT_DIR_REPLY
].
tuple
.
dst
.
ip
==
src
&&
(
ct
->
tuplehash
[
IP_CT_DIR_REPLY
].
tuple
.
dst
.
protonum
==
protonum
))
(
*
score
)
++
;
return
0
;
}
@@ -247,13 +221,14 @@ static inline unsigned int
count_maps
(
u_int32_t
src
,
u_int32_t
dst
,
u_int16_t
protonum
,
const
struct
ip_conntrack
*
conntrack
)
{
struct
ip_conntrack
*
ct
;
unsigned
int
score
=
0
;
unsigned
int
h
;
MUST_BE_READ_LOCKED
(
&
ip_nat_lock
);
h
=
hash_by_ipsproto
(
src
,
dst
,
protonum
);
LIST_FIND
(
&
byipsproto
[
h
],
fake_cmp
,
struct
ip_nat_hash
*
,
src
,
dst
,
protonum
,
&
score
,
conntrack
);
list_for_each_entry
(
ct
,
&
byipsproto
[
h
],
nat
.
info
.
byipsproto
)
fake_cmp
(
ct
,
src
,
dst
,
protonum
,
&
score
,
conntrack
);
return
score
;
}
@@ -401,7 +376,7 @@ get_unique_tuple(struct ip_conntrack_tuple *tuple,
unsigned
int
hooknum
)
{
struct
ip_nat_protocol
*
proto
=
find_nat
_proto
(
orig_tuple
->
dst
.
protonum
);
=
ip_nat_find
_proto
(
orig_tuple
->
dst
.
protonum
);
struct
ip_nat_range
*
rptr
;
unsigned
int
i
;
int
ret
;
@@ -640,12 +615,10 @@ ip_nat_setup_info(struct ip_conntrack *conntrack,
/* It's done. */
info
->
initialized
|=
(
1
<<
HOOK2MANIP
(
hooknum
));
if
(
in_hashes
)
{
IP_NF_ASSERT
(
info
->
bysource
.
conntrack
);
if
(
in_hashes
)
replace_in_hashes
(
conntrack
,
info
);
}
else
{
else
place_in_hashes
(
conntrack
,
info
);
}
return
NF_ACCEPT
;
}
@@ -669,14 +642,9 @@ void replace_in_hashes(struct ip_conntrack *conntrack,
conntrack
->
tuplehash
[
IP_CT_DIR_REPLY
]
.
tuple
.
dst
.
protonum
);
IP_NF_ASSERT
(
info
->
bysource
.
conntrack
==
conntrack
);
MUST_BE_WRITE_LOCKED
(
&
ip_nat_lock
);
list_del
(
&
info
->
bysource
.
list
);
list_del
(
&
info
->
byipsproto
.
list
);
list_prepend
(
&
bysource
[
srchash
],
&
info
->
bysource
);
list_prepend
(
&
byipsproto
[
ipsprotohash
],
&
info
->
byipsproto
);
list_move
(
&
info
->
bysource
,
&
bysource
[
srchash
]);
list_move
(
&
info
->
byipsproto
,
&
byipsproto
[
ipsprotohash
]);
}
void
place_in_hashes
(
struct
ip_conntrack
*
conntrack
,
@@ -697,14 +665,9 @@ void place_in_hashes(struct ip_conntrack *conntrack,
conntrack
->
tuplehash
[
IP_CT_DIR_REPLY
]
.
tuple
.
dst
.
protonum
);
IP_NF_ASSERT
(
!
info
->
bysource
.
conntrack
);
MUST_BE_WRITE_LOCKED
(
&
ip_nat_lock
);
info
->
byipsproto
.
conntrack
=
conntrack
;
info
->
bysource
.
conntrack
=
conntrack
;
list_prepend
(
&
bysource
[
srchash
],
&
info
->
bysource
);
list_prepend
(
&
byipsproto
[
ipsprotohash
],
&
info
->
byipsproto
);
list_add
(
&
info
->
bysource
,
&
bysource
[
srchash
]);
list_add
(
&
info
->
byipsproto
,
&
byipsproto
[
ipsprotohash
]);
}
/* Returns true if succeeded. */
@@ -724,8 +687,7 @@ manip_pkt(u_int16_t proto,
iph
=
(
void
*
)(
*
pskb
)
->
data
+
iphdroff
;
/* Manipulate protcol part. */
if
(
!
find_nat_proto
(
proto
)
->
manip_pkt
(
pskb
,
iphdroff
+
iph
->
ihl
*
4
,
if
(
!
ip_nat_find_proto
(
proto
)
->
manip_pkt
(
pskb
,
iphdroff
+
iph
->
ihl
*
4
,
manip
,
maniptype
))
return
0
;
@@ -750,7 +712,7 @@ static inline int exp_for_packet(struct ip_conntrack_expect *exp,
int
ret
=
1
;
MUST_BE_READ_LOCKED
(
&
ip_conntrack_lock
);
proto
=
__
ip_ct_find_proto
(
skb
->
nh
.
iph
->
protocol
);
proto
=
ip_ct_find_proto
(
skb
->
nh
.
iph
->
protocol
);
if
(
proto
->
exp_matches_pkt
)
ret
=
proto
->
exp_matches_pkt
(
exp
,
skb
);
@@ -890,12 +852,8 @@ icmp_reply_translation(struct sk_buff **pskb,
}
/* Must be RELATED */
IP_NF_ASSERT
((
*
pskb
)
->
nfct
-
((
struct
ip_conntrack
*
)(
*
pskb
)
->
nfct
->
master
)
->
infos
==
IP_CT_RELATED
||
(
*
pskb
)
->
nfct
-
((
struct
ip_conntrack
*
)(
*
pskb
)
->
nfct
->
master
)
->
infos
==
IP_CT_RELATED
+
IP_CT_IS_REPLY
);
IP_NF_ASSERT
((
*
pskb
)
->
nfctinfo
==
IP_CT_RELATED
||
(
*
pskb
)
->
nfctinfo
==
IP_CT_RELATED
+
IP_CT_IS_REPLY
);
/* Redirects on non-null nats must be dropped, else they'll
start talking to each other without our translation, and be
@@ -995,9 +953,11 @@ int __init ip_nat_init(void)
/* Sew in builtin protocols. */
WRITE_LOCK
(
&
ip_nat_lock
);
list_append
(
&
protos
,
&
ip_nat_protocol_tcp
);
list_append
(
&
protos
,
&
ip_nat_protocol_udp
);
list_append
(
&
protos
,
&
ip_nat_protocol_icmp
);
for
(
i
=
0
;
i
<
MAX_IP_NAT_PROTO
;
i
++
)
ip_nat_protos
[
i
]
=
&
ip_nat_unknown_protocol
;
ip_nat_protos
[
IPPROTO_TCP
]
=
&
ip_nat_protocol_tcp
;
ip_nat_protos
[
IPPROTO_UDP
]
=
&
ip_nat_protocol_udp
;
ip_nat_protos
[
IPPROTO_ICMP
]
=
&
ip_nat_protocol_icmp
;
WRITE_UNLOCK
(
&
ip_nat_lock
);
for
(
i
=
0
;
i
<
ip_nat_htable_size
;
i
++
)
{
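Review bot: In `manip_pkt` the `proto` argument is declared `u_int16_t` (hunk header at -724) but is now passed to `ip_nat_find_proto`, whose parameter is `u_int8_t`, so a value above 255 would be narrowed and dispatched to a different protocol's `manip_pkt` instead of the unknown-protocol handler that the removed `find_nat_proto` selected; the same narrowing applies to `tuple->dst.protonum` in `in_range` and `orig_tuple->dst.protonum` in `get_unique_tuple` if that field is wider than 8 bits (its type is not in this diff). IP protocol numbers fit in a byte, so this is a robustness gap rather than a live bug, but either `manip_pkt`'s parameter should become `u_int8_t` to make the contract explicit, or the lookup should be guarded with `IP_NF_ASSERT(proto <= 0xff);`. On a smaller note, `fake_cmp` still returns an `int` that `count_maps` ignores after the `LIST_FIND` to `list_for_each_entry` conversion, so it could become `void`. All three functions continue outside their hunks.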
net/ipv4/netfilter/ip_nat_proto_icmp.c
@@ -104,7 +104,7 @@ icmp_print_range(char *buffer, const struct ip_nat_range *range)
}
struct
ip_nat_protocol
ip_nat_protocol_icmp
=
{
{
NULL
,
NULL
},
"ICMP"
,
IPPROTO_ICMP
,
=
{
"ICMP"
,
IPPROTO_ICMP
,
icmp_manip_pkt
,
icmp_in_range
,
icmp_unique_tuple
,
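Review bot: `ip_nat_protocol_icmp` is initialised positionally, and this commit changes the layout of `struct ip_nat_protocol` (the `list` member is dropped), which is exactly the situation positional initialisers are fragile in: every one of these files had to be edited just to stay aligned. The sctp conntrack protocol in this same commit already uses designated initialisers (`.proto =`, `.name =`), so the NAT side should follow, e.g. `.name = "ICMP",` / `.protonum = IPPROTO_ICMP,` / `.manip_pkt = icmp_manip_pkt,`; the same applies to ip_nat_proto_tcp.c, ip_nat_proto_udp.c and ip_nat_proto_unknown.c. The initialiser continues past the end of the hunk.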
net/ipv4/netfilter/ip_nat_proto_tcp.c
@@ -162,7 +162,7 @@ tcp_print_range(char *buffer, const struct ip_nat_range *range)
}
struct
ip_nat_protocol
ip_nat_protocol_tcp
=
{
{
NULL
,
NULL
},
"TCP"
,
IPPROTO_TCP
,
=
{
"TCP"
,
IPPROTO_TCP
,
tcp_manip_pkt
,
tcp_in_range
,
tcp_unique_tuple
,
...
...
net/ipv4/netfilter/ip_nat_proto_udp.c
...
...
@@ -148,7 +148,7 @@ udp_print_range(char *buffer, const struct ip_nat_range *range)
}
struct
ip_nat_protocol
ip_nat_protocol_udp
=
{
{
NULL
,
NULL
},
"UDP"
,
IPPROTO_UDP
,
=
{
"UDP"
,
IPPROTO_UDP
,
udp_manip_pkt
,
udp_in_range
,
udp_unique_tuple
,
...
...
net/ipv4/netfilter/ip_nat_proto_unknown.c
...
...
@@ -60,8 +60,8 @@ unknown_print_range(char *buffer, const struct ip_nat_range *range)
return
0
;
}
struct
ip_nat_protocol
unknown_nat
_protocol
=
{
{
NULL
,
NULL
},
"unknown"
,
0
,
struct
ip_nat_protocol
ip_nat_unknown
_protocol
=
{
"unknown"
,
0
,
unknown_manip_pkt
,
unknown_in_range
,
unknown_unique_tuple
,
...
...
net/ipv4/netfilter/ip_nat_standalone.c
...
...
@@ -283,18 +283,13 @@ static struct nf_hook_ops ip_nat_local_in_ops = {
int
ip_nat_protocol_register
(
struct
ip_nat_protocol
*
proto
)
{
int
ret
=
0
;
struct
list_head
*
i
;
WRITE_LOCK
(
&
ip_nat_lock
);
list_for_each
(
i
,
&
protos
)
{
if
(((
struct
ip_nat_protocol
*
)
i
)
->
protonum
==
proto
->
protonum
)
{
if
(
ip_nat_protos
[
proto
->
protonum
]
!=
&
ip_nat_unknown_protocol
)
{
ret
=
-
EBUSY
;
goto
out
;
}
}
list_prepend
(
&
protos
,
proto
);
ip_nat_protos
[
proto
->
protonum
]
=
proto
;
out:
WRITE_UNLOCK
(
&
ip_nat_lock
);
return
ret
;
...
...
@@ -304,7 +299,7 @@ int ip_nat_protocol_register(struct ip_nat_protocol *proto)
void
ip_nat_protocol_unregister
(
struct
ip_nat_protocol
*
proto
)
{
WRITE_LOCK
(
&
ip_nat_lock
);
LIST_DELETE
(
&
protos
,
proto
)
;
ip_nat_protos
[
proto
->
protonum
]
=
&
ip_nat_unknown_protocol
;
WRITE_UNLOCK
(
&
ip_nat_lock
);
/* Someone could be still looking at the proto in a bh. */
...
...
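Review bot: ip_nat_protocol_register now indexes ip_nat_protos[] directly with proto->protonum, but nothing in the function checks that value against MAX_IP_NAT_PROTO, the bound ip_nat_init uses when it fills the table; unless the declared type of protonum cannot exceed that bound (its declaration is not in this hunk), an out-of-range registration reads and then writes past the array under ip_nat_lock. A guard ahead of the EBUSY test, `if (proto->protonum >= MAX_IP_NAT_PROTO) { ret = -EINVAL; goto out; }`, closes that. ip_nat_protocol_unregister in the next hunk uses the same unchecked index, and additionally resets the slot without confirming it currently holds proto, so unregistering a protocol that lost the EBUSY race would clobber the winner's entry.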
net/ipv4/netfilter/ipt_NOTRACK.c
...
...
@@ -23,7 +23,8 @@ target(struct sk_buff **pskb,
If there is a real ct entry correspondig to this packet,
it'll hang aroun till timing out. We don't deal with it
for performance reasons. JK */
(
*
pskb
)
->
nfct
=
&
ip_conntrack_untracked
.
infos
[
IP_CT_NEW
];
(
*
pskb
)
->
nfct
=
&
ip_conntrack_untracked
.
ct_general
;
(
*
pskb
)
->
nfctinfo
=
IP_CT_NEW
;
nf_conntrack_get
((
*
pskb
)
->
nfct
);
return
IPT_CONTINUE
;
...
...
net/ipv4/netfilter/ipt_REJECT.c
...
...
@@ -41,14 +41,14 @@ MODULE_DESCRIPTION("iptables REJECT target module");
/* If the original packet is part of a connection, but the connection
is not confirmed, our manufactured reply will not be associated
with it, so we need to do this manually. */
static
void
connection_attach
(
struct
sk_buff
*
new_skb
,
struct
nf_ct_info
*
nfct
)
static
void
connection_attach
(
struct
sk_buff
*
new_skb
,
struct
sk_buff
*
skb
)
{
void
(
*
attach
)(
struct
sk_buff
*
,
struct
nf_ct_info
*
);
void
(
*
attach
)(
struct
sk_buff
*
,
struct
sk_buff
*
);
/* Avoid module unload race with ip_ct_attach being NULLed out */
if
(
nfct
&&
(
attach
=
ip_ct_attach
)
!=
NULL
)
{
if
(
skb
->
nfct
&&
(
attach
=
ip_ct_attach
)
!=
NULL
)
{
mb
();
/* Just to be sure: must be read before executing this */
attach
(
new_skb
,
nfct
);
attach
(
new_skb
,
skb
);
}
}
...
...
@@ -209,7 +209,7 @@ static void send_reset(struct sk_buff *oldskb, int hook)
if
(
nskb
->
len
>
dst_pmtu
(
nskb
->
dst
))
goto
free_nskb
;
connection_attach
(
nskb
,
oldskb
->
nfct
);
connection_attach
(
nskb
,
oldskb
);
NF_HOOK
(
PF_INET
,
NF_IP_LOCAL_OUT
,
nskb
,
NULL
,
nskb
->
dst
->
dev
,
ip_finish_output
);
...
...
@@ -360,7 +360,7 @@ static void send_unreach(struct sk_buff *skb_in, int code)
icmph
->
checksum
=
ip_compute_csum
((
unsigned
char
*
)
icmph
,
length
-
sizeof
(
struct
iphdr
));
connection_attach
(
nskb
,
skb_in
->
nfct
);
connection_attach
(
nskb
,
skb_in
);
NF_HOOK
(
PF_INET
,
NF_IP_LOCAL_OUT
,
nskb
,
NULL
,
nskb
->
dst
->
dev
,
ip_finish_output
);
...
...
net/ipv4/netfilter/ipt_comment.c
0 → 100644
/*
* Implements a dummy match to allow attaching comments to rules
*
* 2003-05-13 Brad Fisher (brad@info-link.net)
*/
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter_ipv4/ipt_comment.h>
MODULE_AUTHOR
(
"Brad Fisher <brad@info-link.net>"
);
MODULE_DESCRIPTION
(
"iptables comment match module"
);
MODULE_LICENSE
(
"GPL"
);
static
int
match
(
const
struct
sk_buff
*
skb
,
const
struct
net_device
*
in
,
const
struct
net_device
*
out
,
const
void
*
matchinfo
,
int
offset
,
int
*
hotdrop
)
{
/* We always match */
return
1
;
}
static
int
checkentry
(
const
char
*
tablename
,
const
struct
ipt_ip
*
ip
,
void
*
matchinfo
,
unsigned
int
matchsize
,
unsigned
int
hook_mask
)
{
/* Check the size */
if
(
matchsize
!=
IPT_ALIGN
(
sizeof
(
struct
ipt_comment_info
)))
return
0
;
return
1
;
}
static
struct
ipt_match
comment_match
=
{
.
name
=
"comment"
,
.
match
=
match
,
.
checkentry
=
checkentry
,
.
me
=
THIS_MODULE
};
static
int
__init
init
(
void
)
{
return
ipt_register_match
(
&
comment_match
);
}
static
void
__exit
fini
(
void
)
{
ipt_unregister_match
(
&
comment_match
);
}
module_init
(
init
);
module_exit
(
fini
);
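Review bot: checkentry validates only matchsize, and that is sufficient here only because the comment payload is never dereferenced in this file (match returns 1 without touching matchinfo); that reasoning is not written down, so a later change that logs or compares the text would have no reminder that the buffer is user-supplied and not checked for NUL termination. Suggest a comment above the size test: `/* The comment text is opaque to the kernel: only the size is validated, the payload is never read here. */`. A similar one-liner on match explaining why every parameter is ignored would make the empty callback read as intentional rather than unfinished.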
net/ipv4/netfilter/ipt_conntrack.c
...
...
@@ -35,7 +35,7 @@ match(const struct sk_buff *skb,
#define FWINV(bool,invflg) ((bool) ^ !!(sinfo->invflags & invflg))
if
(
skb
->
nfct
==
&
ip_conntrack_untracked
.
infos
[
IP_CT_NEW
]
)
if
(
ct
==
&
ip_conntrack_untracked
)
statebit
=
IPT_CONNTRACK_STATE_UNTRACKED
;
else
if
(
ct
)
statebit
=
IPT_CONNTRACK_STATE_BIT
(
ctinfo
);
...
...
net/ipv4/netfilter/ipt_state.c
...
...
@@ -30,9 +30,9 @@ match(const struct sk_buff *skb,
enum
ip_conntrack_info
ctinfo
;
unsigned
int
statebit
;
if
(
skb
->
nfct
==
&
ip_conntrack_untracked
.
infos
[
IP_CT_NEW
]
)
if
(
skb
->
nfct
==
&
ip_conntrack_untracked
.
ct_general
)
statebit
=
IPT_STATE_UNTRACKED
;
else
if
(
!
ip_conntrack_get
(
(
struct
sk_buff
*
)
skb
,
&
ctinfo
))
else
if
(
!
ip_conntrack_get
(
skb
,
&
ctinfo
))
statebit
=
IPT_STATE_INVALID
;
else
statebit
=
IPT_STATE_BIT
(
ctinfo
);
...
...
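Review bot: The untracked test here compares `skb->nfct == &ip_conntrack_untracked.ct_general`, while the parallel hunk in ipt_conntrack.c compares the conntrack pointer, `ct == &ip_conntrack_untracked`; both presumably identify the same object (ipt_NOTRACK stores the address of ct_general, so it looks like the embedded member), but two spellings of one check invite drift if either representation changes again. Picking one form for both matches, or a small inline helper in the conntrack header, would keep them in step. The body of match starts outside this hunk.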
net/ipv6/ip6_output.c
...
...
@@ -477,6 +477,7 @@ static void ip6_copy_metadata(struct sk_buff *to, struct sk_buff *from)
/* Connection association is same as pre-frag packet */
to
->
nfct
=
from
->
nfct
;
nf_conntrack_get
(
to
->
nfct
);
to
->
nfctinfo
=
from
->
nfctinfo
;
#ifdef CONFIG_BRIDGE_NETFILTER
nf_bridge_put
(
to
->
nf_bridge
);
to
->
nf_bridge
=
from
->
nf_bridge
;
...
...