Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-2.6

+34 -32
+2
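--- a/include/linux/netfilter/xt_LED.h
+++ b/include/linux/netfilter/xt_LED.h
@@ -1,6 +1,8 @@
 #ifndef _XT_LED_H
 #define _XT_LED_H
 
+#include <linux/types.h>
+
 struct xt_led_info {
 char id[27]; /* Unique ID for this trigger in the LED class */
 __u8 always_blink; /* Blink even if the LED is already on */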
+2
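--- a/include/linux/netfilter/xt_cluster.h
+++ b/include/linux/netfilter/xt_cluster.h
@@ -12,4 +12,6 @@
 u_int32_t flags;
 };
 
+#define XT_CLUSTER_NODES_MAX 32
+
 #endif /* _XT_CLUSTER_MATCH_H */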
+3 -3
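--- a/net/ipv6/netfilter/ip6t_ipv6header.c
+++ b/net/ipv6/netfilter/ip6t_ipv6header.c
@@ -50,14 +50,14 @@
 struct ipv6_opt_hdr _hdr;
 int hdrlen;
 
-/* Is there enough space for the next ext header? */
-if (len < (int)sizeof(struct ipv6_opt_hdr))
-return false;
 /* No more exthdr -> evaluate */
 if (nexthdr == NEXTHDR_NONE) {
 temp |= MASK_NONE;
 break;
 }
+/* Is there enough space for the next ext header? */
+if (len < (int)sizeof(struct ipv6_opt_hdr))
+return false;
 /* ESP -> evaluate */
 if (nexthdr == NEXTHDR_ESP) {
 temp |= MASK_ESP;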
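Review bot: The relocated length check carries no comment saying why it must come after the NEXTHDR_NONE test, so a later cleanup could hoist it back to the top of the loop body and restore the old behaviour. I would extend the comment to say so, e.g. `/* Is there enough space for the next ext header? Checked after NEXTHDR_NONE, which has no header to read. */`. The `(int)sizeof(struct ipv6_opt_hdr)` comparison also depends on `len` being a signed int; its declaration is outside this hunk, so that is worth confirming. The enclosing loop and function start and end outside the hunk.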
+20 -28
net/netfilter/nf_conntrack_netlink.c
··· 1186 return 0; 1187 } 1188 1189 - static inline void 1190 - ctnetlink_event_report(struct nf_conn *ct, u32 pid, int report) 1191 - { 1192 - unsigned int events = 0; 1193 - 1194 - if (test_bit(IPS_EXPECTED_BIT, &ct->status)) 1195 - events |= IPCT_RELATED; 1196 - else 1197 - events |= IPCT_NEW; 1198 - 1199 - nf_conntrack_event_report(IPCT_STATUS | 1200 - IPCT_HELPER | 1201 - IPCT_REFRESH | 1202 - IPCT_PROTOINFO | 1203 - IPCT_NATSEQADJ | 1204 - IPCT_MARK | 1205 - events, 1206 - ct, 1207 - pid, 1208 - report); 1209 - } 1210 - 1211 static struct nf_conn * 1212 ctnetlink_create_conntrack(struct nlattr *cda[], 1213 struct nf_conntrack_tuple *otuple, ··· 1351 err = -ENOENT; 1352 if (nlh->nlmsg_flags & NLM_F_CREATE) { 1353 struct nf_conn *ct; 1354 1355 ct = ctnetlink_create_conntrack(cda, &otuple, 1356 &rtuple, u3); ··· 1362 err = 0; 1363 nf_conntrack_get(&ct->ct_general); 1364 spin_unlock_bh(&nf_conntrack_lock); 1365 - ctnetlink_event_report(ct, 1366 - NETLINK_CB(skb).pid, 1367 - nlmsg_report(nlh)); 1368 nf_ct_put(ct); 1369 } else 1370 spin_unlock_bh(&nf_conntrack_lock); ··· 1392 if (err == 0) { 1393 nf_conntrack_get(&ct->ct_general); 1394 spin_unlock_bh(&nf_conntrack_lock); 1395 - ctnetlink_event_report(ct, 1396 - NETLINK_CB(skb).pid, 1397 - nlmsg_report(nlh)); 1398 nf_ct_put(ct); 1399 } else 1400 spin_unlock_bh(&nf_conntrack_lock);
··· 1186 return 0; 1187 } 1188 1189 static struct nf_conn * 1190 ctnetlink_create_conntrack(struct nlattr *cda[], 1191 struct nf_conntrack_tuple *otuple, ··· 1373 err = -ENOENT; 1374 if (nlh->nlmsg_flags & NLM_F_CREATE) { 1375 struct nf_conn *ct; 1376 + enum ip_conntrack_events events; 1377 1378 ct = ctnetlink_create_conntrack(cda, &otuple, 1379 &rtuple, u3); ··· 1383 err = 0; 1384 nf_conntrack_get(&ct->ct_general); 1385 spin_unlock_bh(&nf_conntrack_lock); 1386 + if (test_bit(IPS_EXPECTED_BIT, &ct->status)) 1387 + events = IPCT_RELATED; 1388 + else 1389 + events = IPCT_NEW; 1390 + 1391 + nf_conntrack_event_report(IPCT_STATUS | 1392 + IPCT_HELPER | 1393 + IPCT_PROTOINFO | 1394 + IPCT_NATSEQADJ | 1395 + IPCT_MARK | events, 1396 + ct, NETLINK_CB(skb).pid, 1397 + nlmsg_report(nlh)); 1398 nf_ct_put(ct); 1399 } else 1400 spin_unlock_bh(&nf_conntrack_lock); ··· 1404 if (err == 0) { 1405 nf_conntrack_get(&ct->ct_general); 1406 spin_unlock_bh(&nf_conntrack_lock); 1407 + nf_conntrack_event_report(IPCT_STATUS | 1408 + IPCT_HELPER | 1409 + IPCT_PROTOINFO | 1410 + IPCT_NATSEQADJ | 1411 + IPCT_MARK, 1412 + ct, NETLINK_CB(skb).pid, 1413 + nlmsg_report(nlh)); 1414 nf_ct_put(ct); 1415 } else 1416 spin_unlock_bh(&nf_conntrack_lock);
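Review bot: With the helper inlined, the five-flag event mask is now spelled out at both call sites (new lines 1391-1397 and 1407-1413 as shown) and differs only by `| events`, so a flag added to one can silently be missed in the other and netlink listeners would then get inconsistent reports. A comment at each site would make the coupling explicit, e.g. `/* same mask as the other nf_conntrack_event_report() call in this function, plus NEW/RELATED */`, or the shared flags could be hoisted into one file-local constant. `events` is declared as `enum ip_conntrack_events` but is only OR-ed into a bitmask, so a short comment that it holds exactly one of IPCT_NEW or IPCT_RELATED would help. Both call sites sit in a function whose start and end are outside the hunks shown.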
+7 -1
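--- a/net/netfilter/xt_cluster.c
+++ b/net/netfilter/xt_cluster.c
@@ -135,7 +135,13 @@
 {
 struct xt_cluster_match_info *info = par->matchinfo;
 
-if (info->node_mask >= (1 << info->total_nodes)) {
+if (info->total_nodes > XT_CLUSTER_NODES_MAX) {
+printk(KERN_ERR "xt_cluster: you have exceeded the maximum "
+"number of cluster nodes (%u > %u)\n",
+info->total_nodes, XT_CLUSTER_NODES_MAX);
+return false;
+}
+if (info->node_mask >= (1ULL << info->total_nodes)) {
 printk(KERN_ERR "xt_cluster: this node mask cannot be "
 "higher than the total number of nodes\n");
 return false;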
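Review bot: The new bound rejects only `total_nodes > XT_CLUSTER_NODES_MAX`, so a rule with `total_nodes == 0` and `node_mask == 0` still passes both checks, because `0 >= (1ULL << 0)` is false. Whether the match path copes with zero nodes is not visible in this hunk, but rejecting it at rule-check time is cheap: `if (info->total_nodes == 0 || info->total_nodes > XT_CLUSTER_NODES_MAX) {`, with the message reworded to cover both cases. A one-line comment such as `/* 1ULL: total_nodes may equal XT_CLUSTER_NODES_MAX (32) */` on the shift would also stop someone narrowing it back to an int shift. The function body starts and ends outside the hunk.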