Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
tjh.dev
kernel
os
linux
Merge master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6
+16
-5
include/linux/netfilter.h
+16
-5
include/linux/netfilter.h
···
184
struct sk_buff **pskb,
185
struct net_device *indev,
186
struct net_device *outdev,
187
-
int (*okfn)(struct sk_buff *), int thresh)
188
{
189
#ifndef CONFIG_NETFILTER_DEBUG
190
if (list_empty(&nf_hooks[pf][hook]))
191
return 1;
···
200
struct net_device *indev, struct net_device *outdev,
201
int (*okfn)(struct sk_buff *))
202
{
203
-
return nf_hook_thresh(pf, hook, pskb, indev, outdev, okfn, INT_MIN);
204
}
205
206
/* Activate hook; either okfn or kfree_skb called, unless a hook
···
227
228
#define NF_HOOK_THRESH(pf, hook, skb, indev, outdev, okfn, thresh) \
229
({int __ret; \
230
-
if ((__ret=nf_hook_thresh(pf, hook, &(skb), indev, outdev, okfn, thresh)) == 1)\
231
__ret = (okfn)(skb); \
232
__ret;})
233
···
304
305
#else /* !CONFIG_NETFILTER */
306
#define NF_HOOK(pf, hook, skb, indev, outdev, okfn) (okfn)(skb)
307
static inline int nf_hook_thresh(int pf, unsigned int hook,
308
struct sk_buff **pskb,
309
struct net_device *indev,
310
struct net_device *outdev,
311
-
int (*okfn)(struct sk_buff *), int thresh)
312
{
313
return okfn(*pskb);
314
}
···
318
struct net_device *indev, struct net_device *outdev,
319
int (*okfn)(struct sk_buff *))
320
{
321
-
return okfn(*pskb);
322
}
323
static inline void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb) {}
324
struct flowi;
···
184
struct sk_buff **pskb,
185
struct net_device *indev,
186
struct net_device *outdev,
187
+
int (*okfn)(struct sk_buff *), int thresh,
188
+
int cond)
189
{
190
+
if (!cond)
191
+
return 1;
192
#ifndef CONFIG_NETFILTER_DEBUG
193
if (list_empty(&nf_hooks[pf][hook]))
194
return 1;
···
197
struct net_device *indev, struct net_device *outdev,
198
int (*okfn)(struct sk_buff *))
199
{
200
+
return nf_hook_thresh(pf, hook, pskb, indev, outdev, okfn, INT_MIN, 1);
201
}
202
203
/* Activate hook; either okfn or kfree_skb called, unless a hook
···
224
225
#define NF_HOOK_THRESH(pf, hook, skb, indev, outdev, okfn, thresh) \
226
({int __ret; \
227
+
if ((__ret=nf_hook_thresh(pf, hook, &(skb), indev, outdev, okfn, thresh, 1)) == 1)\
228
+
__ret = (okfn)(skb); \
229
+
__ret;})
230
+
231
+
#define NF_HOOK_COND(pf, hook, skb, indev, outdev, okfn, cond) \
232
+
({int __ret; \
233
+
if ((__ret=nf_hook_thresh(pf, hook, &(skb), indev, outdev, okfn, INT_MIN, cond)) == 1)\
234
__ret = (okfn)(skb); \
235
__ret;})
236
···
295
296
#else /* !CONFIG_NETFILTER */
297
#define NF_HOOK(pf, hook, skb, indev, outdev, okfn) (okfn)(skb)
298
+
#define NF_HOOK_COND(pf, hook, skb, indev, outdev, okfn, cond) (okfn)(skb)
299
static inline int nf_hook_thresh(int pf, unsigned int hook,
300
struct sk_buff **pskb,
301
struct net_device *indev,
302
struct net_device *outdev,
303
+
int (*okfn)(struct sk_buff *), int thresh,
304
+
int cond)
305
{
306
return okfn(*pskb);
307
}
···
307
struct net_device *indev, struct net_device *outdev,
308
int (*okfn)(struct sk_buff *))
309
{
310
+
return 1;
311
}
312
static inline void nf_ct_attach(struct sk_buff *new, struct sk_buff *skb) {}
313
struct flowi;
+1
include/net/ip.h
+1
include/net/ip.h
-1
include/net/xfrm.h
-1
include/net/xfrm.h
···
866
extern int xfrm_init_state(struct xfrm_state *x);
867
extern int xfrm4_rcv(struct sk_buff *skb);
868
extern int xfrm4_output(struct sk_buff *skb);
869
-
extern int xfrm4_output_finish(struct sk_buff *skb);
870
extern int xfrm4_tunnel_register(struct xfrm_tunnel *handler);
871
extern int xfrm4_tunnel_deregister(struct xfrm_tunnel *handler);
872
extern int xfrm6_rcv_spi(struct sk_buff **pskb, u32 spi);
···
866
extern int xfrm_init_state(struct xfrm_state *x);
867
extern int xfrm4_rcv(struct sk_buff *skb);
868
extern int xfrm4_output(struct sk_buff *skb);
869
extern int xfrm4_tunnel_register(struct xfrm_tunnel *handler);
870
extern int xfrm4_tunnel_deregister(struct xfrm_tunnel *handler);
871
extern int xfrm6_rcv_spi(struct sk_buff **pskb, u32 spi);
+2
-1
net/ipv4/ip_gre.c
+2
-1
net/ipv4/ip_gre.c
+10
-6
net/ipv4/ip_output.c
+10
-6
net/ipv4/ip_output.c
···
207
{
208
#if defined(CONFIG_NETFILTER) && defined(CONFIG_XFRM)
209
/* Policy lookup after SNAT yielded a new policy */
210
-
if (skb->dst->xfrm != NULL)
211
-
return xfrm4_output_finish(skb);
212
#endif
213
if (skb->len > dst_mtu(skb->dst) &&
214
!(skb_shinfo(skb)->ufo_size || skb_shinfo(skb)->tso_size))
···
273
newskb->dev, ip_dev_loopback_xmit);
274
}
275
276
-
return NF_HOOK(PF_INET, NF_IP_POST_ROUTING, skb, NULL, skb->dev,
277
-
ip_finish_output);
278
}
279
280
int ip_output(struct sk_buff *skb)
···
287
skb->dev = dev;
288
skb->protocol = htons(ETH_P_IP);
289
290
-
return NF_HOOK(PF_INET, NF_IP_POST_ROUTING, skb, NULL, dev,
291
-
ip_finish_output);
292
}
293
294
int ip_queue_xmit(struct sk_buff *skb, int ipfragok)
···
207
{
208
#if defined(CONFIG_NETFILTER) && defined(CONFIG_XFRM)
209
/* Policy lookup after SNAT yielded a new policy */
210
+
if (skb->dst->xfrm != NULL) {
211
+
IPCB(skb)->flags |= IPSKB_REROUTED;
212
+
return dst_output(skb);
213
+
}
214
#endif
215
if (skb->len > dst_mtu(skb->dst) &&
216
!(skb_shinfo(skb)->ufo_size || skb_shinfo(skb)->tso_size))
···
271
newskb->dev, ip_dev_loopback_xmit);
272
}
273
274
+
return NF_HOOK_COND(PF_INET, NF_IP_POST_ROUTING, skb, NULL, skb->dev,
275
+
ip_finish_output,
276
+
!(IPCB(skb)->flags & IPSKB_REROUTED));
277
}
278
279
int ip_output(struct sk_buff *skb)
···
284
skb->dev = dev;
285
skb->protocol = htons(ETH_P_IP);
286
287
+
return NF_HOOK_COND(PF_INET, NF_IP_POST_ROUTING, skb, NULL, dev,
288
+
ip_finish_output,
289
+
!(IPCB(skb)->flags & IPSKB_REROUTED));
290
}
291
292
int ip_queue_xmit(struct sk_buff *skb, int ipfragok)
+2
-1
net/ipv4/ipip.c
+2
-1
net/ipv4/ipip.c
···
622
skb->h.raw = skb->nh.raw;
623
skb->nh.raw = skb_push(skb, sizeof(struct iphdr));
624
memset(&(IPCB(skb)->opt), 0, sizeof(IPCB(skb)->opt));
625
+
IPCB(skb)->flags &= ~(IPSKB_XFRM_TUNNEL_SIZE | IPSKB_XFRM_TRANSFORMED |
626
+
IPSKB_REROUTED);
627
dst_release(skb->dst);
628
skb->dst = &rt->u.dst;
629
-5
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
-5
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
···
529
goto cleanup_localinops;
530
}
531
#endif
532
-
533
-
/* For use by REJECT target */
534
-
ip_ct_attach = __nf_conntrack_attach;
535
-
536
return ret;
537
538
cleanup:
539
synchronize_net();
540
-
ip_ct_attach = NULL;
541
#ifdef CONFIG_SYSCTL
542
unregister_sysctl_table(nf_ct_ipv4_sysctl_header);
543
cleanup_localinops:
+10
-3
net/ipv4/xfrm4_output.c
+10
-3
net/ipv4/xfrm4_output.c
···
152
goto out_exit;
153
}
154
155
-
int xfrm4_output_finish(struct sk_buff *skb)
156
{
157
int err;
158
159
while (likely((err = xfrm4_output_one(skb)) == 0)) {
160
nf_reset(skb);
161
···
184
185
int xfrm4_output(struct sk_buff *skb)
186
{
187
-
return NF_HOOK(PF_INET, NF_IP_POST_ROUTING, skb, NULL, skb->dst->dev,
188
-
xfrm4_output_finish);
189
}
···
152
goto out_exit;
153
}
154
155
+
static int xfrm4_output_finish(struct sk_buff *skb)
156
{
157
int err;
158
159
+
#ifdef CONFIG_NETFILTER
160
+
if (!skb->dst->xfrm) {
161
+
IPCB(skb)->flags |= IPSKB_REROUTED;
162
+
return dst_output(skb);
163
+
}
164
+
#endif
165
while (likely((err = xfrm4_output_one(skb)) == 0)) {
166
nf_reset(skb);
167
···
178
179
int xfrm4_output(struct sk_buff *skb)
180
{
181
+
return NF_HOOK_COND(PF_INET, NF_IP_POST_ROUTING, skb, NULL, skb->dst->dev,
182
+
xfrm4_output_finish,
183
+
!(IPCB(skb)->flags & IPSKB_REROUTED));
184
}
+6
net/ipv6/icmp.c
+6
net/ipv6/icmp.c
···
42
#include <linux/net.h>
43
#include <linux/skbuff.h>
44
#include <linux/init.h>
45
46
#ifdef CONFIG_SYSCTL
47
#include <linux/sysctl.h>
···
256
struct icmpv6_msg {
257
struct sk_buff *skb;
258
int offset;
259
};
260
261
static int icmpv6_getfrag(void *from, char *to, int offset, int len, int odd, struct sk_buff *skb)
···
268
csum = skb_copy_and_csum_bits(org_skb, msg->offset + offset,
269
to, len, csum);
270
skb->csum = csum_block_add(skb->csum, csum, odd);
271
return 0;
272
}
273
···
407
408
msg.skb = skb;
409
msg.offset = skb->nh.raw - skb->data;
410
411
len = skb->len - msg.offset;
412
len = min_t(unsigned int, len, IPV6_MIN_MTU - sizeof(struct ipv6hdr) -sizeof(struct icmp6hdr));
···
505
506
msg.skb = skb;
507
msg.offset = 0;
508
509
err = ip6_append_data(sk, icmpv6_getfrag, &msg, skb->len + sizeof(struct icmp6hdr),
510
sizeof(struct icmp6hdr), hlimit, tclass, NULL, &fl,
···
42
#include <linux/net.h>
43
#include <linux/skbuff.h>
44
#include <linux/init.h>
45
+
#include <linux/netfilter.h>
46
47
#ifdef CONFIG_SYSCTL
48
#include <linux/sysctl.h>
···
255
struct icmpv6_msg {
256
struct sk_buff *skb;
257
int offset;
258
+
uint8_t type;
259
};
260
261
static int icmpv6_getfrag(void *from, char *to, int offset, int len, int odd, struct sk_buff *skb)
···
266
csum = skb_copy_and_csum_bits(org_skb, msg->offset + offset,
267
to, len, csum);
268
skb->csum = csum_block_add(skb->csum, csum, odd);
269
+
if (!(msg->type & ICMPV6_INFOMSG_MASK))
270
+
nf_ct_attach(skb, org_skb);
271
return 0;
272
}
273
···
403
404
msg.skb = skb;
405
msg.offset = skb->nh.raw - skb->data;
406
+
msg.type = type;
407
408
len = skb->len - msg.offset;
409
len = min_t(unsigned int, len, IPV6_MIN_MTU - sizeof(struct ipv6hdr) -sizeof(struct icmp6hdr));
···
500
501
msg.skb = skb;
502
msg.offset = 0;
503
+
msg.type = ICMPV6_ECHO_REPLY;
504
505
err = ip6_append_data(sk, icmpv6_getfrag, &msg, skb->len + sizeof(struct icmp6hdr),
506
sizeof(struct icmp6hdr), hlimit, tclass, NULL, &fl,
+2
net/ipv6/netfilter/ip6t_REJECT.c
+2
net/ipv6/netfilter/ip6t_REJECT.c
+3
-3
net/netfilter/Kconfig
+3
-3
net/netfilter/Kconfig
···
126
tristate '"CONNMARK" target support'
127
depends on NETFILTER_XTABLES
128
depends on IP_NF_MANGLE || IP6_NF_MANGLE
129
-
depends on (IP_NF_CONNTRACK && IP_NF_CONNTRACK_MARK) || (NF_CONNTRACK_MARK && NF_CONNTRACK_IPV4)
130
help
131
This option adds a `CONNMARK' target, which allows one to manipulate
132
the connection mark value. Similar to the MARK target, but
···
187
config NETFILTER_XT_MATCH_CONNBYTES
188
tristate '"connbytes" per-connection counter match support'
189
depends on NETFILTER_XTABLES
190
-
depends on (IP_NF_CONNTRACK && IP_NF_CT_ACCT) || NF_CT_ACCT
191
help
192
This option adds a `connbytes' match, which allows you to match the
193
number of bytes and/or packets for each direction within a connection.
···
198
config NETFILTER_XT_MATCH_CONNMARK
199
tristate '"connmark" connection mark match support'
200
depends on NETFILTER_XTABLES
201
-
depends on (IP_NF_CONNTRACK && IP_NF_CONNTRACK_MARK) || NF_CONNTRACK_MARK
202
help
203
This option adds a `connmark' match, which allows you to match the
204
connection mark value previously set for the session by `CONNMARK'.
···
126
tristate '"CONNMARK" target support'
127
depends on NETFILTER_XTABLES
128
depends on IP_NF_MANGLE || IP6_NF_MANGLE
129
+
depends on (IP_NF_CONNTRACK && IP_NF_CONNTRACK_MARK) || (NF_CONNTRACK_MARK && NF_CONNTRACK)
130
help
131
This option adds a `CONNMARK' target, which allows one to manipulate
132
the connection mark value. Similar to the MARK target, but
···
187
config NETFILTER_XT_MATCH_CONNBYTES
188
tristate '"connbytes" per-connection counter match support'
189
depends on NETFILTER_XTABLES
190
+
depends on (IP_NF_CONNTRACK && IP_NF_CT_ACCT) || (NF_CT_ACCT && NF_CONNTRACK)
191
help
192
This option adds a `connbytes' match, which allows you to match the
193
number of bytes and/or packets for each direction within a connection.
···
198
config NETFILTER_XT_MATCH_CONNMARK
199
tristate '"connmark" connection mark match support'
200
depends on NETFILTER_XTABLES
201
+
depends on (IP_NF_CONNTRACK && IP_NF_CONNTRACK_MARK) || (NF_CONNTRACK_MARK && NF_CONNTRACK)
202
help
203
This option adds a `connmark' match, which allows you to match the
204
connection mark value previously set for the session by `CONNMARK'.
+5
net/netfilter/nf_conntrack_core.c
+5
net/netfilter/nf_conntrack_core.c
···
1556
{
1557
int i;
1558
1559
/* This makes sure all current packets have passed through
1560
netfilter framework. Roll on, two-stage module
1561
delete... */
···
1716
for (i = 0; i < PF_MAX; i++)
1717
nf_ct_l3protos[i] = &nf_conntrack_generic_l3proto;
1718
write_unlock_bh(&nf_conntrack_lock);
1719
1720
/* Set up fake conntrack:
1721
- to never be deleted, not in any hashes */
···
1556
{
1557
int i;
1558
1559
+
ip_ct_attach = NULL;
1560
+
1561
/* This makes sure all current packets have passed through
1562
netfilter framework. Roll on, two-stage module
1563
delete... */
···
1714
for (i = 0; i < PF_MAX; i++)
1715
nf_ct_l3protos[i] = &nf_conntrack_generic_l3proto;
1716
write_unlock_bh(&nf_conntrack_lock);
1717
+
1718
+
/* For use by REJECT target */
1719
+
ip_ct_attach = __nf_conntrack_attach;
1720
1721
/* Set up fake conntrack:
1722
- to never be deleted, not in any hashes */
+3
-1
net/netfilter/nf_conntrack_proto_tcp.c
+3
-1
net/netfilter/nf_conntrack_proto_tcp.c
+3
-1
net/netfilter/nf_conntrack_proto_udp.c
+3
-1
net/netfilter/nf_conntrack_proto_udp.c