tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6
+251
-255
+3
include/linux/netfilter/nf_conntrack_tcp.h
+3
include/linux/netfilter/nf_conntrack_tcp.h
···
66
66
u_int32_t last_ack; /* Last sequence number seen in opposite dir */
67
67
u_int32_t last_end; /* Last seq + len */
68
68
u_int16_t last_win; /* Last window advertisement seen in dir */
69
+
/* For SYN packets while we may be out-of-sync */
70
+
u_int8_t last_wscale; /* Last window scaling factor seen */
71
+
u_int8_t last_flags; /* Last flags set */
69
72
};
70
73
71
74
#endif /* __KERNEL__ */
+11
-11
net/ipv4/netfilter/arp_tables.c
+11
-11
net/ipv4/netfilter/arp_tables.c
···
384
384
|= ((1 << hook) | (1 << NF_ARP_NUMHOOKS));
385
385
386
386
/* Unconditional return/END. */
387
-
if ((e->target_offset == sizeof(struct arpt_entry)
388
-
&& (strcmp(t->target.u.user.name,
389
-
ARPT_STANDARD_TARGET) == 0)
390
-
&& t->verdict < 0
391
-
&& unconditional(&e->arp)) || visited) {
387
+
if ((e->target_offset == sizeof(struct arpt_entry) &&
388
+
(strcmp(t->target.u.user.name,
389
+
ARPT_STANDARD_TARGET) == 0) &&
390
+
t->verdict < 0 && unconditional(&e->arp)) ||
391
+
visited) {
392
392
unsigned int oldpos, size;
393
393
394
394
if ((strcmp(t->target.u.user.name,
···
427
427
int newpos = t->verdict;
428
428
429
429
if (strcmp(t->target.u.user.name,
430
-
ARPT_STANDARD_TARGET) == 0
431
-
&& newpos >= 0) {
430
+
ARPT_STANDARD_TARGET) == 0 &&
431
+
newpos >= 0) {
432
432
if (newpos > newinfo->size -
433
433
sizeof(struct arpt_entry)) {
434
434
duprintf("mark_source_chains: "
···
559
559
{
560
560
unsigned int h;
561
561
562
-
if ((unsigned long)e % __alignof__(struct arpt_entry) != 0
563
-
|| (unsigned char *)e + sizeof(struct arpt_entry) >= limit) {
562
+
if ((unsigned long)e % __alignof__(struct arpt_entry) != 0 ||
563
+
(unsigned char *)e + sizeof(struct arpt_entry) >= limit) {
564
564
duprintf("Bad offset %p\n", e);
565
565
return -EINVAL;
566
566
}
···
1251
1251
int ret, off, h;
1252
1252
1253
1253
duprintf("check_compat_entry_size_and_hooks %p\n", e);
1254
-
if ((unsigned long)e % __alignof__(struct compat_arpt_entry) != 0
1255
-
|| (unsigned char *)e + sizeof(struct compat_arpt_entry) >= limit) {
1254
+
if ((unsigned long)e % __alignof__(struct compat_arpt_entry) != 0 ||
1255
+
(unsigned char *)e + sizeof(struct compat_arpt_entry) >= limit) {
1256
1256
duprintf("Bad offset %p, limit = %p\n", e, limit);
1257
1257
return -EINVAL;
1258
1258
}
+2
-3
net/ipv4/netfilter/ip_queue.c
+2
-3
net/ipv4/netfilter/ip_queue.c
···
497
497
{
498
498
struct netlink_notify *n = ptr;
499
499
500
-
if (event == NETLINK_URELEASE &&
501
-
n->protocol == NETLINK_FIREWALL && n->pid) {
500
+
if (event == NETLINK_URELEASE && n->protocol == NETLINK_FIREWALL) {
502
501
write_lock_bh(&queue_lock);
503
502
if ((net_eq(n->net, &init_net)) && (n->pid == peer_pid))
504
503
__ipq_reset();
···
621
622
static void __exit ip_queue_fini(void)
622
623
{
623
624
nf_unregister_queue_handlers(&nfqh);
624
-
synchronize_net();
625
+
625
626
ipq_flush(NULL, 0);
626
627
627
628
#ifdef CONFIG_SYSCTL
+23
-23
net/ipv4/netfilter/ip_tables.c
+23
-23
net/ipv4/netfilter/ip_tables.c
···
89
89
#define FWINV(bool, invflg) ((bool) ^ !!(ipinfo->invflags & (invflg)))
90
90
91
91
if (FWINV((ip->saddr&ipinfo->smsk.s_addr) != ipinfo->src.s_addr,
92
-
IPT_INV_SRCIP)
93
-
|| FWINV((ip->daddr&ipinfo->dmsk.s_addr) != ipinfo->dst.s_addr,
94
-
IPT_INV_DSTIP)) {
92
+
IPT_INV_SRCIP) ||
93
+
FWINV((ip->daddr&ipinfo->dmsk.s_addr) != ipinfo->dst.s_addr,
94
+
IPT_INV_DSTIP)) {
95
95
dprintf("Source or dest mismatch.\n");
96
96
97
97
dprintf("SRC: %pI4. Mask: %pI4. Target: %pI4.%s\n",
···
122
122
}
123
123
124
124
/* Check specific protocol */
125
-
if (ipinfo->proto
126
-
&& FWINV(ip->protocol != ipinfo->proto, IPT_INV_PROTO)) {
125
+
if (ipinfo->proto &&
126
+
FWINV(ip->protocol != ipinfo->proto, IPT_INV_PROTO)) {
127
127
dprintf("Packet protocol %hi does not match %hi.%s\n",
128
128
ip->protocol, ipinfo->proto,
129
129
ipinfo->invflags&IPT_INV_PROTO ? " (INV)":"");
···
246
246
} else if (s == e) {
247
247
(*rulenum)++;
248
248
249
-
if (s->target_offset == sizeof(struct ipt_entry)
250
-
&& strcmp(t->target.u.kernel.target->name,
251
-
IPT_STANDARD_TARGET) == 0
252
-
&& t->verdict < 0
253
-
&& unconditional(&s->ip)) {
249
+
if (s->target_offset == sizeof(struct ipt_entry) &&
250
+
strcmp(t->target.u.kernel.target->name,
251
+
IPT_STANDARD_TARGET) == 0 &&
252
+
t->verdict < 0 &&
253
+
unconditional(&s->ip)) {
254
254
/* Tail of chains: STANDARD target (return/policy) */
255
255
*comment = *chainname == hookname
256
256
? comments[NF_IP_TRACE_COMMENT_POLICY]
···
388
388
back = get_entry(table_base, back->comefrom);
389
389
continue;
390
390
}
391
-
if (table_base + v != ipt_next_entry(e)
392
-
&& !(e->ip.flags & IPT_F_GOTO)) {
391
+
if (table_base + v != ipt_next_entry(e) &&
392
+
!(e->ip.flags & IPT_F_GOTO)) {
393
393
/* Save old back ptr in next entry */
394
394
struct ipt_entry *next = ipt_next_entry(e);
395
395
next->comefrom = (void *)back - table_base;
···
473
473
e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS));
474
474
475
475
/* Unconditional return/END. */
476
-
if ((e->target_offset == sizeof(struct ipt_entry)
477
-
&& (strcmp(t->target.u.user.name,
478
-
IPT_STANDARD_TARGET) == 0)
479
-
&& t->verdict < 0
480
-
&& unconditional(&e->ip)) || visited) {
476
+
if ((e->target_offset == sizeof(struct ipt_entry) &&
477
+
(strcmp(t->target.u.user.name,
478
+
IPT_STANDARD_TARGET) == 0) &&
479
+
t->verdict < 0 && unconditional(&e->ip)) ||
480
+
visited) {
481
481
unsigned int oldpos, size;
482
482
483
483
if ((strcmp(t->target.u.user.name,
···
524
524
int newpos = t->verdict;
525
525
526
526
if (strcmp(t->target.u.user.name,
527
-
IPT_STANDARD_TARGET) == 0
528
-
&& newpos >= 0) {
527
+
IPT_STANDARD_TARGET) == 0 &&
528
+
newpos >= 0) {
529
529
if (newpos > newinfo->size -
530
530
sizeof(struct ipt_entry)) {
531
531
duprintf("mark_source_chains: "
···
735
735
{
736
736
unsigned int h;
737
737
738
-
if ((unsigned long)e % __alignof__(struct ipt_entry) != 0
739
-
|| (unsigned char *)e + sizeof(struct ipt_entry) >= limit) {
738
+
if ((unsigned long)e % __alignof__(struct ipt_entry) != 0 ||
739
+
(unsigned char *)e + sizeof(struct ipt_entry) >= limit) {
740
740
duprintf("Bad offset %p\n", e);
741
741
return -EINVAL;
742
742
}
···
1548
1548
int ret, off, h;
1549
1549
1550
1550
duprintf("check_compat_entry_size_and_hooks %p\n", e);
1551
-
if ((unsigned long)e % __alignof__(struct compat_ipt_entry) != 0
1552
-
|| (unsigned char *)e + sizeof(struct compat_ipt_entry) >= limit) {
1551
+
if ((unsigned long)e % __alignof__(struct compat_ipt_entry) != 0 ||
1552
+
(unsigned char *)e + sizeof(struct compat_ipt_entry) >= limit) {
1553
1553
duprintf("Bad offset %p, limit = %p\n", e, limit);
1554
1554
return -EINVAL;
1555
1555
}
+10
-10
net/ipv4/netfilter/ipt_CLUSTERIP.c
+10
-10
net/ipv4/netfilter/ipt_CLUSTERIP.c
···
303
303
304
304
/* special case: ICMP error handling. conntrack distinguishes between
305
305
* error messages (RELATED) and information requests (see below) */
306
-
if (ip_hdr(skb)->protocol == IPPROTO_ICMP
307
-
&& (ctinfo == IP_CT_RELATED
308
-
|| ctinfo == IP_CT_RELATED+IP_CT_IS_REPLY))
306
+
if (ip_hdr(skb)->protocol == IPPROTO_ICMP &&
307
+
(ctinfo == IP_CT_RELATED ||
308
+
ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY))
309
309
return XT_CONTINUE;
310
310
311
311
/* ip_conntrack_icmp guarantees us that we only have ICMP_ECHO,
···
362
362
return false;
363
363
364
364
}
365
-
if (e->ip.dmsk.s_addr != htonl(0xffffffff)
366
-
|| e->ip.dst.s_addr == 0) {
365
+
if (e->ip.dmsk.s_addr != htonl(0xffffffff) ||
366
+
e->ip.dst.s_addr == 0) {
367
367
printk(KERN_ERR "CLUSTERIP: Please specify destination IP\n");
368
368
return false;
369
369
}
···
495
495
struct clusterip_config *c;
496
496
497
497
/* we don't care about non-ethernet and non-ipv4 ARP */
498
-
if (arp->ar_hrd != htons(ARPHRD_ETHER)
499
-
|| arp->ar_pro != htons(ETH_P_IP)
500
-
|| arp->ar_pln != 4 || arp->ar_hln != ETH_ALEN)
498
+
if (arp->ar_hrd != htons(ARPHRD_ETHER) ||
499
+
arp->ar_pro != htons(ETH_P_IP) ||
500
+
arp->ar_pln != 4 || arp->ar_hln != ETH_ALEN)
501
501
return NF_ACCEPT;
502
502
503
503
/* we only want to mangle arp requests and replies */
504
-
if (arp->ar_op != htons(ARPOP_REPLY)
505
-
&& arp->ar_op != htons(ARPOP_REQUEST))
504
+
if (arp->ar_op != htons(ARPOP_REPLY) &&
505
+
arp->ar_op != htons(ARPOP_REQUEST))
506
506
return NF_ACCEPT;
507
507
508
508
payload = (void *)(arp+1);
+4
-4
net/ipv4/netfilter/ipt_ECN.c
+4
-4
net/ipv4/netfilter/ipt_ECN.c
···
85
85
if (!set_ect_ip(skb, einfo))
86
86
return NF_DROP;
87
87
88
-
if (einfo->operation & (IPT_ECN_OP_SET_ECE | IPT_ECN_OP_SET_CWR)
89
-
&& ip_hdr(skb)->protocol == IPPROTO_TCP)
88
+
if (einfo->operation & (IPT_ECN_OP_SET_ECE | IPT_ECN_OP_SET_CWR) &&
89
+
ip_hdr(skb)->protocol == IPPROTO_TCP)
90
90
if (!set_ect_tcp(skb, einfo))
91
91
return NF_DROP;
92
92
···
108
108
einfo->ip_ect);
109
109
return false;
110
110
}
111
-
if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR))
112
-
&& (e->ip.proto != IPPROTO_TCP || (e->ip.invflags & XT_INV_PROTO))) {
111
+
if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR)) &&
112
+
(e->ip.proto != IPPROTO_TCP || (e->ip.invflags & XT_INV_PROTO))) {
113
113
printk(KERN_WARNING "ECN: cannot use TCP operations on a "
114
114
"non-tcp rule\n");
115
115
return false;
+11
-11
net/ipv4/netfilter/ipt_LOG.c
+11
-11
net/ipv4/netfilter/ipt_LOG.c
···
74
74
if (ntohs(ih->frag_off) & IP_OFFSET)
75
75
printk("FRAG:%u ", ntohs(ih->frag_off) & IP_OFFSET);
76
76
77
-
if ((logflags & IPT_LOG_IPOPT)
78
-
&& ih->ihl * 4 > sizeof(struct iphdr)) {
77
+
if ((logflags & IPT_LOG_IPOPT) &&
78
+
ih->ihl * 4 > sizeof(struct iphdr)) {
79
79
const unsigned char *op;
80
80
unsigned char _opt[4 * 15 - sizeof(struct iphdr)];
81
81
unsigned int i, optsize;
···
146
146
/* Max length: 11 "URGP=65535 " */
147
147
printk("URGP=%u ", ntohs(th->urg_ptr));
148
148
149
-
if ((logflags & IPT_LOG_TCPOPT)
150
-
&& th->doff * 4 > sizeof(struct tcphdr)) {
149
+
if ((logflags & IPT_LOG_TCPOPT) &&
150
+
th->doff * 4 > sizeof(struct tcphdr)) {
151
151
unsigned char _opt[4 * 15 - sizeof(struct tcphdr)];
152
152
const unsigned char *op;
153
153
unsigned int i, optsize;
···
238
238
printk("TYPE=%u CODE=%u ", ich->type, ich->code);
239
239
240
240
/* Max length: 25 "INCOMPLETE [65535 bytes] " */
241
-
if (ich->type <= NR_ICMP_TYPES
242
-
&& required_len[ich->type]
243
-
&& skb->len-iphoff-ih->ihl*4 < required_len[ich->type]) {
241
+
if (ich->type <= NR_ICMP_TYPES &&
242
+
required_len[ich->type] &&
243
+
skb->len-iphoff-ih->ihl*4 < required_len[ich->type]) {
244
244
printk("INCOMPLETE [%u bytes] ",
245
245
skb->len - iphoff - ih->ihl*4);
246
246
break;
···
276
276
}
277
277
278
278
/* Max length: 10 "MTU=65535 " */
279
-
if (ich->type == ICMP_DEST_UNREACH
280
-
&& ich->code == ICMP_FRAG_NEEDED)
279
+
if (ich->type == ICMP_DEST_UNREACH &&
280
+
ich->code == ICMP_FRAG_NEEDED)
281
281
printk("MTU=%u ", ntohs(ich->un.frag.mtu));
282
282
}
283
283
break;
···
407
407
if (in && !out) {
408
408
/* MAC logging for input chain only. */
409
409
printk("MAC=");
410
-
if (skb->dev && skb->dev->hard_header_len
411
-
&& skb->mac_header != skb->network_header) {
410
+
if (skb->dev && skb->dev->hard_header_len &&
411
+
skb->mac_header != skb->network_header) {
412
412
int i;
413
413
const unsigned char *p = skb_mac_header(skb);
414
414
for (i = 0; i < skb->dev->hard_header_len; i++,p++)
+2
-2
net/ipv4/netfilter/ipt_MASQUERADE.c
+2
-2
net/ipv4/netfilter/ipt_MASQUERADE.c
···
59
59
ct = nf_ct_get(skb, &ctinfo);
60
60
nat = nfct_nat(ct);
61
61
62
-
NF_CT_ASSERT(ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED
63
-
|| ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY));
62
+
NF_CT_ASSERT(ct && (ctinfo == IP_CT_NEW || ctinfo == IP_CT_RELATED ||
63
+
ctinfo == IP_CT_RELATED + IP_CT_IS_REPLY));
64
64
65
65
/* Source address is 0.0.0.0 - locally generated packet that is
66
66
* probably not supposed to be masqueraded.
+2
-2
net/ipv4/netfilter/ipt_REJECT.c
+2
-2
net/ipv4/netfilter/ipt_REJECT.c
···
184
184
return false;
185
185
} else if (rejinfo->with == IPT_TCP_RESET) {
186
186
/* Must specify that it's a TCP packet */
187
-
if (e->ip.proto != IPPROTO_TCP
188
-
|| (e->ip.invflags & XT_INV_PROTO)) {
187
+
if (e->ip.proto != IPPROTO_TCP ||
188
+
(e->ip.invflags & XT_INV_PROTO)) {
189
189
printk("ipt_REJECT: TCP_RESET invalid for non-tcp\n");
190
190
return false;
191
191
}
+3
-3
net/ipv4/netfilter/ipt_ULOG.c
+3
-3
net/ipv4/netfilter/ipt_ULOG.c
···
226
226
else
227
227
*(pm->prefix) = '\0';
228
228
229
-
if (in && in->hard_header_len > 0
230
-
&& skb->mac_header != skb->network_header
231
-
&& in->hard_header_len <= ULOG_MAC_LEN) {
229
+
if (in && in->hard_header_len > 0 &&
230
+
skb->mac_header != skb->network_header &&
231
+
in->hard_header_len <= ULOG_MAC_LEN) {
232
232
memcpy(pm->mac, skb_mac_header(skb), in->hard_header_len);
233
233
pm->mac_len = in->hard_header_len;
234
234
} else
+2
-2
net/ipv4/netfilter/ipt_ecn.c
+2
-2
net/ipv4/netfilter/ipt_ecn.c
···
96
96
if (info->invert & IPT_ECN_OP_MATCH_MASK)
97
97
return false;
98
98
99
-
if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR)
100
-
&& ip->proto != IPPROTO_TCP) {
99
+
if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR) &&
100
+
ip->proto != IPPROTO_TCP) {
101
101
printk(KERN_WARNING "ipt_ecn: can't match TCP bits in rule for"
102
102
" non-tcp packets\n");
103
103
return false;
+2
-2
net/ipv4/netfilter/iptable_mangle.c
+2
-2
net/ipv4/netfilter/iptable_mangle.c
···
130
130
u_int32_t mark;
131
131
132
132
/* root is playing with raw sockets. */
133
-
if (skb->len < sizeof(struct iphdr)
134
-
|| ip_hdrlen(skb) < sizeof(struct iphdr))
133
+
if (skb->len < sizeof(struct iphdr) ||
134
+
ip_hdrlen(skb) < sizeof(struct iphdr))
135
135
return NF_ACCEPT;
136
136
137
137
/* Save things which could affect route */
+2
-2
net/ipv4/netfilter/iptable_security.c
+2
-2
net/ipv4/netfilter/iptable_security.c
···
94
94
int (*okfn)(struct sk_buff *))
95
95
{
96
96
/* Somebody is playing with raw sockets. */
97
-
if (skb->len < sizeof(struct iphdr)
98
-
|| ip_hdrlen(skb) < sizeof(struct iphdr))
97
+
if (skb->len < sizeof(struct iphdr) ||
98
+
ip_hdrlen(skb) < sizeof(struct iphdr))
99
99
return NF_ACCEPT;
100
100
return ipt_do_table(skb, hook, in, out,
101
101
dev_net(out)->ipv4.iptable_security);
+14
-14
net/ipv4/netfilter/nf_conntrack_proto_icmp.c
+14
-14
net/ipv4/netfilter/nf_conntrack_proto_icmp.c
···
54
54
static bool icmp_invert_tuple(struct nf_conntrack_tuple *tuple,
55
55
const struct nf_conntrack_tuple *orig)
56
56
{
57
-
if (orig->dst.u.icmp.type >= sizeof(invmap)
58
-
|| !invmap[orig->dst.u.icmp.type])
57
+
if (orig->dst.u.icmp.type >= sizeof(invmap) ||
58
+
!invmap[orig->dst.u.icmp.type])
59
59
return false;
60
60
61
61
tuple->src.u.icmp.id = orig->src.u.icmp.id;
···
101
101
[ICMP_ADDRESS] = 1
102
102
};
103
103
104
-
if (ct->tuplehash[0].tuple.dst.u.icmp.type >= sizeof(valid_new)
105
-
|| !valid_new[ct->tuplehash[0].tuple.dst.u.icmp.type]) {
104
+
if (ct->tuplehash[0].tuple.dst.u.icmp.type >= sizeof(valid_new) ||
105
+
!valid_new[ct->tuplehash[0].tuple.dst.u.icmp.type]) {
106
106
/* Can't create a new ICMP `conn' with this. */
107
107
pr_debug("icmp: can't create new conn with type %u\n",
108
108
ct->tuplehash[0].tuple.dst.u.icmp.type);
···
201
201
}
202
202
203
203
/* Need to track icmp error message? */
204
-
if (icmph->type != ICMP_DEST_UNREACH
205
-
&& icmph->type != ICMP_SOURCE_QUENCH
206
-
&& icmph->type != ICMP_TIME_EXCEEDED
207
-
&& icmph->type != ICMP_PARAMETERPROB
208
-
&& icmph->type != ICMP_REDIRECT)
204
+
if (icmph->type != ICMP_DEST_UNREACH &&
205
+
icmph->type != ICMP_SOURCE_QUENCH &&
206
+
icmph->type != ICMP_TIME_EXCEEDED &&
207
+
icmph->type != ICMP_PARAMETERPROB &&
208
+
icmph->type != ICMP_REDIRECT)
209
209
return NF_ACCEPT;
210
210
211
211
return icmp_error_message(net, skb, ctinfo, hooknum);
···
238
238
static int icmp_nlattr_to_tuple(struct nlattr *tb[],
239
239
struct nf_conntrack_tuple *tuple)
240
240
{
241
-
if (!tb[CTA_PROTO_ICMP_TYPE]
242
-
|| !tb[CTA_PROTO_ICMP_CODE]
243
-
|| !tb[CTA_PROTO_ICMP_ID])
241
+
if (!tb[CTA_PROTO_ICMP_TYPE] ||
242
+
!tb[CTA_PROTO_ICMP_CODE] ||
243
+
!tb[CTA_PROTO_ICMP_ID])
244
244
return -EINVAL;
245
245
246
246
tuple->dst.u.icmp.type = nla_get_u8(tb[CTA_PROTO_ICMP_TYPE]);
247
247
tuple->dst.u.icmp.code = nla_get_u8(tb[CTA_PROTO_ICMP_CODE]);
248
248
tuple->src.u.icmp.id = nla_get_be16(tb[CTA_PROTO_ICMP_ID]);
249
249
250
-
if (tuple->dst.u.icmp.type >= sizeof(invmap)
251
-
|| !invmap[tuple->dst.u.icmp.type])
250
+
if (tuple->dst.u.icmp.type >= sizeof(invmap) ||
251
+
!invmap[tuple->dst.u.icmp.type])
252
252
return -EINVAL;
253
253
254
254
return 0;
+9
-13
net/ipv4/netfilter/nf_nat_helper.c
+9
-13
net/ipv4/netfilter/nf_nat_helper.c
···
41
41
struct nf_conn *ct,
42
42
enum ip_conntrack_info ctinfo)
43
43
{
44
-
int dir;
45
-
struct nf_nat_seq *this_way, *other_way;
44
+
enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
46
45
struct nf_conn_nat *nat = nfct_nat(ct);
46
+
struct nf_nat_seq *this_way = &nat->seq[dir];
47
47
48
-
pr_debug("adjust_tcp_sequence: seq = %u, sizediff = %d\n", seq, seq);
48
+
pr_debug("adjust_tcp_sequence: seq = %u, sizediff = %d\n",
49
+
seq, sizediff);
49
50
50
-
dir = CTINFO2DIR(ctinfo);
51
-
52
-
this_way = &nat->seq[dir];
53
-
other_way = &nat->seq[!dir];
54
-
55
-
pr_debug("nf_nat_resize_packet: Seq_offset before: ");
51
+
pr_debug("adjust_tcp_sequence: Seq_offset before: ");
56
52
DUMP_OFFSET(this_way);
57
53
58
54
spin_lock_bh(&nf_nat_seqofs_lock);
···
59
63
* retransmit */
60
64
if (this_way->offset_before == this_way->offset_after ||
61
65
before(this_way->correction_pos, seq)) {
62
-
this_way->correction_pos = seq;
63
-
this_way->offset_before = this_way->offset_after;
64
-
this_way->offset_after += sizediff;
66
+
this_way->correction_pos = seq;
67
+
this_way->offset_before = this_way->offset_after;
68
+
this_way->offset_after += sizediff;
65
69
}
66
70
spin_unlock_bh(&nf_nat_seqofs_lock);
67
71
68
-
pr_debug("nf_nat_resize_packet: Seq_offset after: ");
72
+
pr_debug("adjust_tcp_sequence: Seq_offset after: ");
69
73
DUMP_OFFSET(this_way);
70
74
}
71
75
+5
-5
net/ipv4/netfilter/nf_nat_standalone.c
+5
-5
net/ipv4/netfilter/nf_nat_standalone.c
···
197
197
(ct = nf_ct_get(skb, &ctinfo)) != NULL) {
198
198
enum ip_conntrack_dir dir = CTINFO2DIR(ctinfo);
199
199
200
-
if (ct->tuplehash[dir].tuple.src.u3.ip !=
201
-
ct->tuplehash[!dir].tuple.dst.u3.ip
202
-
|| ct->tuplehash[dir].tuple.src.u.all !=
203
-
ct->tuplehash[!dir].tuple.dst.u.all
204
-
)
200
+
if ((ct->tuplehash[dir].tuple.src.u3.ip !=
201
+
ct->tuplehash[!dir].tuple.dst.u3.ip) ||
202
+
(ct->tuplehash[dir].tuple.src.u.all !=
203
+
ct->tuplehash[!dir].tuple.dst.u.all)
204
+
)
205
205
return ip_xfrm_me_harder(skb) == 0 ? ret : NF_DROP;
206
206
}
207
207
#endif
+2
-3
net/ipv6/netfilter/ip6_queue.c
+2
-3
net/ipv6/netfilter/ip6_queue.c
···
499
499
{
500
500
struct netlink_notify *n = ptr;
501
501
502
-
if (event == NETLINK_URELEASE &&
503
-
n->protocol == NETLINK_IP6_FW && n->pid) {
502
+
if (event == NETLINK_URELEASE && n->protocol == NETLINK_IP6_FW) {
504
503
write_lock_bh(&queue_lock);
505
504
if ((net_eq(n->net, &init_net)) && (n->pid == peer_pid))
506
505
__ipq_reset();
···
624
625
static void __exit ip6_queue_fini(void)
625
626
{
626
627
nf_unregister_queue_handlers(&nfqh);
627
-
synchronize_net();
628
+
628
629
ipq_flush(NULL, 0);
629
630
630
631
#ifdef CONFIG_SYSCTL
+21
-21
net/ipv6/netfilter/ip6_tables.c
+21
-21
net/ipv6/netfilter/ip6_tables.c
···
105
105
#define FWINV(bool, invflg) ((bool) ^ !!(ip6info->invflags & (invflg)))
106
106
107
107
if (FWINV(ipv6_masked_addr_cmp(&ipv6->saddr, &ip6info->smsk,
108
-
&ip6info->src), IP6T_INV_SRCIP)
109
-
|| FWINV(ipv6_masked_addr_cmp(&ipv6->daddr, &ip6info->dmsk,
110
-
&ip6info->dst), IP6T_INV_DSTIP)) {
108
+
&ip6info->src), IP6T_INV_SRCIP) ||
109
+
FWINV(ipv6_masked_addr_cmp(&ipv6->daddr, &ip6info->dmsk,
110
+
&ip6info->dst), IP6T_INV_DSTIP)) {
111
111
dprintf("Source or dest mismatch.\n");
112
112
/*
113
113
dprintf("SRC: %u. Mask: %u. Target: %u.%s\n", ip->saddr,
···
277
277
} else if (s == e) {
278
278
(*rulenum)++;
279
279
280
-
if (s->target_offset == sizeof(struct ip6t_entry)
281
-
&& strcmp(t->target.u.kernel.target->name,
282
-
IP6T_STANDARD_TARGET) == 0
283
-
&& t->verdict < 0
284
-
&& unconditional(&s->ipv6)) {
280
+
if (s->target_offset == sizeof(struct ip6t_entry) &&
281
+
strcmp(t->target.u.kernel.target->name,
282
+
IP6T_STANDARD_TARGET) == 0 &&
283
+
t->verdict < 0 &&
284
+
unconditional(&s->ipv6)) {
285
285
/* Tail of chains: STANDARD target (return/policy) */
286
286
*comment = *chainname == hookname
287
287
? comments[NF_IP6_TRACE_COMMENT_POLICY]
···
418
418
back = get_entry(table_base, back->comefrom);
419
419
continue;
420
420
}
421
-
if (table_base + v != ip6t_next_entry(e)
422
-
&& !(e->ipv6.flags & IP6T_F_GOTO)) {
421
+
if (table_base + v != ip6t_next_entry(e) &&
422
+
!(e->ipv6.flags & IP6T_F_GOTO)) {
423
423
/* Save old back ptr in next entry */
424
424
struct ip6t_entry *next = ip6t_next_entry(e);
425
425
next->comefrom = (void *)back - table_base;
···
505
505
e->comefrom |= ((1 << hook) | (1 << NF_INET_NUMHOOKS));
506
506
507
507
/* Unconditional return/END. */
508
-
if ((e->target_offset == sizeof(struct ip6t_entry)
509
-
&& (strcmp(t->target.u.user.name,
510
-
IP6T_STANDARD_TARGET) == 0)
511
-
&& t->verdict < 0
512
-
&& unconditional(&e->ipv6)) || visited) {
508
+
if ((e->target_offset == sizeof(struct ip6t_entry) &&
509
+
(strcmp(t->target.u.user.name,
510
+
IP6T_STANDARD_TARGET) == 0) &&
511
+
t->verdict < 0 &&
512
+
unconditional(&e->ipv6)) || visited) {
513
513
unsigned int oldpos, size;
514
514
515
515
if ((strcmp(t->target.u.user.name,
···
556
556
int newpos = t->verdict;
557
557
558
558
if (strcmp(t->target.u.user.name,
559
-
IP6T_STANDARD_TARGET) == 0
560
-
&& newpos >= 0) {
559
+
IP6T_STANDARD_TARGET) == 0 &&
560
+
newpos >= 0) {
561
561
if (newpos > newinfo->size -
562
562
sizeof(struct ip6t_entry)) {
563
563
duprintf("mark_source_chains: "
···
767
767
{
768
768
unsigned int h;
769
769
770
-
if ((unsigned long)e % __alignof__(struct ip6t_entry) != 0
771
-
|| (unsigned char *)e + sizeof(struct ip6t_entry) >= limit) {
770
+
if ((unsigned long)e % __alignof__(struct ip6t_entry) != 0 ||
771
+
(unsigned char *)e + sizeof(struct ip6t_entry) >= limit) {
772
772
duprintf("Bad offset %p\n", e);
773
773
return -EINVAL;
774
774
}
···
1584
1584
int ret, off, h;
1585
1585
1586
1586
duprintf("check_compat_entry_size_and_hooks %p\n", e);
1587
-
if ((unsigned long)e % __alignof__(struct compat_ip6t_entry) != 0
1588
-
|| (unsigned char *)e + sizeof(struct compat_ip6t_entry) >= limit) {
1587
+
if ((unsigned long)e % __alignof__(struct compat_ip6t_entry) != 0 ||
1588
+
(unsigned char *)e + sizeof(struct compat_ip6t_entry) >= limit) {
1589
1589
duprintf("Bad offset %p, limit = %p\n", e, limit);
1590
1590
return -EINVAL;
1591
1591
}
+2
-2
net/ipv6/netfilter/ip6t_LOG.c
+2
-2
net/ipv6/netfilter/ip6t_LOG.c
···
249
249
/* Max length: 11 "URGP=65535 " */
250
250
printk("URGP=%u ", ntohs(th->urg_ptr));
251
251
252
-
if ((logflags & IP6T_LOG_TCPOPT)
253
-
&& th->doff * 4 > sizeof(struct tcphdr)) {
252
+
if ((logflags & IP6T_LOG_TCPOPT) &&
253
+
th->doff * 4 > sizeof(struct tcphdr)) {
254
254
u_int8_t _opt[60 - sizeof(struct tcphdr)];
255
255
const u_int8_t *op;
256
256
unsigned int i;
+2
-2
net/ipv6/netfilter/ip6t_REJECT.c
+2
-2
net/ipv6/netfilter/ip6t_REJECT.c
···
223
223
return false;
224
224
} else if (rejinfo->with == IP6T_TCP_RESET) {
225
225
/* Must specify that it's a TCP packet */
226
-
if (e->ipv6.proto != IPPROTO_TCP
227
-
|| (e->ipv6.invflags & XT_INV_PROTO)) {
226
+
if (e->ipv6.proto != IPPROTO_TCP ||
227
+
(e->ipv6.invflags & XT_INV_PROTO)) {
228
228
printk("ip6t_REJECT: TCP_RESET illegal for non-tcp\n");
229
229
return false;
230
230
}
+8
-11
net/ipv6/netfilter/ip6t_ah.c
+8
-11
net/ipv6/netfilter/ip6t_ah.c
···
77
77
ahinfo->hdrres, ah->reserved,
78
78
!(ahinfo->hdrres && ah->reserved));
79
79
80
-
return (ah != NULL)
81
-
&&
82
-
spi_match(ahinfo->spis[0], ahinfo->spis[1],
83
-
ntohl(ah->spi),
84
-
!!(ahinfo->invflags & IP6T_AH_INV_SPI))
85
-
&&
86
-
(!ahinfo->hdrlen ||
87
-
(ahinfo->hdrlen == hdrlen) ^
88
-
!!(ahinfo->invflags & IP6T_AH_INV_LEN))
89
-
&&
90
-
!(ahinfo->hdrres && ah->reserved);
80
+
return (ah != NULL) &&
81
+
spi_match(ahinfo->spis[0], ahinfo->spis[1],
82
+
ntohl(ah->spi),
83
+
!!(ahinfo->invflags & IP6T_AH_INV_SPI)) &&
84
+
(!ahinfo->hdrlen ||
85
+
(ahinfo->hdrlen == hdrlen) ^
86
+
!!(ahinfo->invflags & IP6T_AH_INV_LEN)) &&
87
+
!(ahinfo->hdrres && ah->reserved);
91
88
}
92
89
93
90
static bool ah_mt6_check(const struct xt_mtchk_param *par)
+20
-25
net/ipv6/netfilter/ip6t_frag.c
+20
-25
net/ipv6/netfilter/ip6t_frag.c
···
70
70
pr_debug("res %02X %02X%04X %02X ",
71
71
fraginfo->flags & IP6T_FRAG_RES, fh->reserved,
72
72
ntohs(fh->frag_off) & 0x6,
73
-
!((fraginfo->flags & IP6T_FRAG_RES)
74
-
&& (fh->reserved || (ntohs(fh->frag_off) & 0x06))));
73
+
!((fraginfo->flags & IP6T_FRAG_RES) &&
74
+
(fh->reserved || (ntohs(fh->frag_off) & 0x06))));
75
75
pr_debug("first %02X %02X %02X ",
76
76
fraginfo->flags & IP6T_FRAG_FST,
77
77
ntohs(fh->frag_off) & ~0x7,
78
-
!((fraginfo->flags & IP6T_FRAG_FST)
79
-
&& (ntohs(fh->frag_off) & ~0x7)));
78
+
!((fraginfo->flags & IP6T_FRAG_FST) &&
79
+
(ntohs(fh->frag_off) & ~0x7)));
80
80
pr_debug("mf %02X %02X %02X ",
81
81
fraginfo->flags & IP6T_FRAG_MF,
82
82
ntohs(fh->frag_off) & IP6_MF,
83
-
!((fraginfo->flags & IP6T_FRAG_MF)
84
-
&& !((ntohs(fh->frag_off) & IP6_MF))));
83
+
!((fraginfo->flags & IP6T_FRAG_MF) &&
84
+
!((ntohs(fh->frag_off) & IP6_MF))));
85
85
pr_debug("last %02X %02X %02X\n",
86
86
fraginfo->flags & IP6T_FRAG_NMF,
87
87
ntohs(fh->frag_off) & IP6_MF,
88
-
!((fraginfo->flags & IP6T_FRAG_NMF)
89
-
&& (ntohs(fh->frag_off) & IP6_MF)));
88
+
!((fraginfo->flags & IP6T_FRAG_NMF) &&
89
+
(ntohs(fh->frag_off) & IP6_MF)));
90
90
91
-
return (fh != NULL)
92
-
&&
93
-
id_match(fraginfo->ids[0], fraginfo->ids[1],
94
-
ntohl(fh->identification),
95
-
!!(fraginfo->invflags & IP6T_FRAG_INV_IDS))
96
-
&&
97
-
!((fraginfo->flags & IP6T_FRAG_RES)
98
-
&& (fh->reserved || (ntohs(fh->frag_off) & 0x6)))
99
-
&&
100
-
!((fraginfo->flags & IP6T_FRAG_FST)
101
-
&& (ntohs(fh->frag_off) & ~0x7))
102
-
&&
103
-
!((fraginfo->flags & IP6T_FRAG_MF)
104
-
&& !(ntohs(fh->frag_off) & IP6_MF))
105
-
&&
106
-
!((fraginfo->flags & IP6T_FRAG_NMF)
107
-
&& (ntohs(fh->frag_off) & IP6_MF));
91
+
return (fh != NULL) &&
92
+
id_match(fraginfo->ids[0], fraginfo->ids[1],
93
+
ntohl(fh->identification),
94
+
!!(fraginfo->invflags & IP6T_FRAG_INV_IDS)) &&
95
+
!((fraginfo->flags & IP6T_FRAG_RES) &&
96
+
(fh->reserved || (ntohs(fh->frag_off) & 0x6))) &&
97
+
!((fraginfo->flags & IP6T_FRAG_FST) &&
98
+
(ntohs(fh->frag_off) & ~0x7)) &&
99
+
!((fraginfo->flags & IP6T_FRAG_MF) &&
100
+
!(ntohs(fh->frag_off) & IP6_MF)) &&
101
+
!((fraginfo->flags & IP6T_FRAG_NMF) &&
102
+
(ntohs(fh->frag_off) & IP6_MF));
108
103
}
109
104
110
105
static bool frag_mt6_check(const struct xt_mtchk_param *par)
+3
-6
net/ipv6/netfilter/ip6t_rt.c
+3
-6
net/ipv6/netfilter/ip6t_rt.c
···
92
92
!((rtinfo->flags & IP6T_RT_RES) &&
93
93
(((const struct rt0_hdr *)rh)->reserved)));
94
94
95
-
ret = (rh != NULL)
96
-
&&
95
+
ret = (rh != NULL) &&
97
96
(segsleft_match(rtinfo->segsleft[0], rtinfo->segsleft[1],
98
97
rh->segments_left,
99
-
!!(rtinfo->invflags & IP6T_RT_INV_SGS)))
100
-
&&
98
+
!!(rtinfo->invflags & IP6T_RT_INV_SGS))) &&
101
99
(!(rtinfo->flags & IP6T_RT_LEN) ||
102
100
((rtinfo->hdrlen == hdrlen) ^
103
-
!!(rtinfo->invflags & IP6T_RT_INV_LEN)))
104
-
&&
101
+
!!(rtinfo->invflags & IP6T_RT_INV_LEN))) &&
105
102
(!(rtinfo->flags & IP6T_RT_TYP) ||
106
103
((rtinfo->rt_type == rh->type) ^
107
104
!!(rtinfo->invflags & IP6T_RT_INV_TYP)));
+2
-2
net/ipv6/netfilter/ip6table_filter.c
+2
-2
net/ipv6/netfilter/ip6table_filter.c
···
79
79
{
80
80
#if 0
81
81
/* root is playing with raw sockets. */
82
-
if (skb->len < sizeof(struct iphdr)
83
-
|| ip_hdrlen(skb) < sizeof(struct iphdr)) {
82
+
if (skb->len < sizeof(struct iphdr) ||
83
+
ip_hdrlen(skb) < sizeof(struct iphdr)) {
84
84
if (net_ratelimit())
85
85
printk("ip6t_hook: happy cracking.\n");
86
86
return NF_ACCEPT;
+7
-7
net/ipv6/netfilter/ip6table_mangle.c
+7
-7
net/ipv6/netfilter/ip6table_mangle.c
···
102
102
103
103
#if 0
104
104
/* root is playing with raw sockets. */
105
-
if (skb->len < sizeof(struct iphdr)
106
-
|| ip_hdrlen(skb) < sizeof(struct iphdr)) {
105
+
if (skb->len < sizeof(struct iphdr) ||
106
+
ip_hdrlen(skb) < sizeof(struct iphdr)) {
107
107
if (net_ratelimit())
108
108
printk("ip6t_hook: happy cracking.\n");
109
109
return NF_ACCEPT;
···
122
122
ret = ip6t_do_table(skb, hook, in, out,
123
123
dev_net(out)->ipv6.ip6table_mangle);
124
124
125
-
if (ret != NF_DROP && ret != NF_STOLEN
126
-
&& (memcmp(&ipv6_hdr(skb)->saddr, &saddr, sizeof(saddr))
127
-
|| memcmp(&ipv6_hdr(skb)->daddr, &daddr, sizeof(daddr))
128
-
|| skb->mark != mark
129
-
|| ipv6_hdr(skb)->hop_limit != hop_limit))
125
+
if (ret != NF_DROP && ret != NF_STOLEN &&
126
+
(memcmp(&ipv6_hdr(skb)->saddr, &saddr, sizeof(saddr)) ||
127
+
memcmp(&ipv6_hdr(skb)->daddr, &daddr, sizeof(daddr)) ||
128
+
skb->mark != mark ||
129
+
ipv6_hdr(skb)->hop_limit != hop_limit))
130
130
return ip6_route_me_harder(skb) == 0 ? ret : NF_DROP;
131
131
132
132
return ret;
+6
-6
net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
+6
-6
net/ipv6/netfilter/nf_conntrack_proto_icmpv6.c
···
244
244
static int icmpv6_nlattr_to_tuple(struct nlattr *tb[],
245
245
struct nf_conntrack_tuple *tuple)
246
246
{
247
-
if (!tb[CTA_PROTO_ICMPV6_TYPE]
248
-
|| !tb[CTA_PROTO_ICMPV6_CODE]
249
-
|| !tb[CTA_PROTO_ICMPV6_ID])
247
+
if (!tb[CTA_PROTO_ICMPV6_TYPE] ||
248
+
!tb[CTA_PROTO_ICMPV6_CODE] ||
249
+
!tb[CTA_PROTO_ICMPV6_ID])
250
250
return -EINVAL;
251
251
252
252
tuple->dst.u.icmp.type = nla_get_u8(tb[CTA_PROTO_ICMPV6_TYPE]);
253
253
tuple->dst.u.icmp.code = nla_get_u8(tb[CTA_PROTO_ICMPV6_CODE]);
254
254
tuple->src.u.icmp.id = nla_get_be16(tb[CTA_PROTO_ICMPV6_ID]);
255
255
256
-
if (tuple->dst.u.icmp.type < 128
257
-
|| tuple->dst.u.icmp.type - 128 >= sizeof(invmap)
258
-
|| !invmap[tuple->dst.u.icmp.type - 128])
256
+
if (tuple->dst.u.icmp.type < 128 ||
257
+
tuple->dst.u.icmp.type - 128 >= sizeof(invmap) ||
258
+
!invmap[tuple->dst.u.icmp.type - 128])
259
259
return -EINVAL;
260
260
261
261
return 0;
+10
-4
net/netfilter/nf_conntrack_core.c
+10
-4
net/netfilter/nf_conntrack_core.c
···
512
512
cnt++;
513
513
}
514
514
515
-
if (ct && unlikely(nf_ct_is_dying(ct) ||
516
-
!atomic_inc_not_zero(&ct->ct_general.use)))
517
-
ct = NULL;
518
-
if (ct || cnt >= NF_CT_EVICTION_RANGE)
515
+
if (ct != NULL) {
516
+
if (likely(!nf_ct_is_dying(ct) &&
517
+
atomic_inc_not_zero(&ct->ct_general.use)))
518
+
break;
519
+
else
520
+
ct = NULL;
521
+
}
522
+
523
+
if (cnt >= NF_CT_EVICTION_RANGE)
519
524
break;
525
+
520
526
hash = (hash + 1) % nf_conntrack_htable_size;
521
527
}
522
528
rcu_read_unlock();
+40
-9
net/netfilter/nf_conntrack_proto_tcp.c
+40
-9
net/netfilter/nf_conntrack_proto_tcp.c
···
896
896
/* b) This SYN/ACK acknowledges a SYN that we earlier
897
897
* ignored as invalid. This means that the client and
898
898
* the server are both in sync, while the firewall is
899
-
* not. We kill this session and block the SYN/ACK so
900
-
* that the client cannot but retransmit its SYN and
901
-
* thus initiate a clean new session.
899
+
* not. We get in sync from the previously annotated
900
+
* values.
902
901
*/
903
-
spin_unlock_bh(&ct->lock);
904
-
if (LOG_INVALID(net, IPPROTO_TCP))
905
-
nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
906
-
"nf_ct_tcp: killing out of sync session ");
907
-
nf_ct_kill(ct);
908
-
return NF_DROP;
902
+
old_state = TCP_CONNTRACK_SYN_SENT;
903
+
new_state = TCP_CONNTRACK_SYN_RECV;
904
+
ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_end =
905
+
ct->proto.tcp.last_end;
906
+
ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_maxend =
907
+
ct->proto.tcp.last_end;
908
+
ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_maxwin =
909
+
ct->proto.tcp.last_win == 0 ?
910
+
1 : ct->proto.tcp.last_win;
911
+
ct->proto.tcp.seen[ct->proto.tcp.last_dir].td_scale =
912
+
ct->proto.tcp.last_wscale;
913
+
ct->proto.tcp.seen[ct->proto.tcp.last_dir].flags =
914
+
ct->proto.tcp.last_flags;
915
+
memset(&ct->proto.tcp.seen[dir], 0,
916
+
sizeof(struct ip_ct_tcp_state));
917
+
break;
909
918
}
910
919
ct->proto.tcp.last_index = index;
911
920
ct->proto.tcp.last_dir = dir;
912
921
ct->proto.tcp.last_seq = ntohl(th->seq);
913
922
ct->proto.tcp.last_end =
914
923
segment_seq_plus_len(ntohl(th->seq), skb->len, dataoff, th);
924
+
ct->proto.tcp.last_win = ntohs(th->window);
915
925
926
+
/* a) This is a SYN in ORIGINAL. The client and the server
927
+
* may be in sync but we are not. In that case, we annotate
928
+
* the TCP options and let the packet go through. If it is a
929
+
* valid SYN packet, the server will reply with a SYN/ACK, and
930
+
* then we'll get in sync. Otherwise, the server ignores it. */
931
+
if (index == TCP_SYN_SET && dir == IP_CT_DIR_ORIGINAL) {
932
+
struct ip_ct_tcp_state seen = {};
933
+
934
+
ct->proto.tcp.last_flags =
935
+
ct->proto.tcp.last_wscale = 0;
936
+
tcp_options(skb, dataoff, th, &seen);
937
+
if (seen.flags & IP_CT_TCP_FLAG_WINDOW_SCALE) {
938
+
ct->proto.tcp.last_flags |=
939
+
IP_CT_TCP_FLAG_WINDOW_SCALE;
940
+
ct->proto.tcp.last_wscale = seen.td_scale;
941
+
}
942
+
if (seen.flags & IP_CT_TCP_FLAG_SACK_PERM) {
943
+
ct->proto.tcp.last_flags |=
944
+
IP_CT_TCP_FLAG_SACK_PERM;
945
+
}
946
+
}
916
947
spin_unlock_bh(&ct->lock);
917
948
if (LOG_INVALID(net, IPPROTO_TCP))
918
949
nf_log_packet(pf, 0, skb, NULL, NULL, NULL,
+1
-2
net/netfilter/nfnetlink_log.c
+1
-2
net/netfilter/nfnetlink_log.c
+1
-2
net/netfilter/nfnetlink_queue.c
+1
-2
net/netfilter/nfnetlink_queue.c
+17
-44
net/netfilter/xt_conntrack.c
+17
-44
net/netfilter/xt_conntrack.c
···
113
113
}
114
114
115
115
static bool
116
-
conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par)
116
+
conntrack_mt(const struct sk_buff *skb, const struct xt_match_param *par,
117
+
u16 state_mask, u16 status_mask)
117
118
{
118
119
const struct xt_conntrack_mtinfo2 *info = par->matchinfo;
119
120
enum ip_conntrack_info ctinfo;
···
137
136
if (test_bit(IPS_DST_NAT_BIT, &ct->status))
138
137
statebit |= XT_CONNTRACK_STATE_DNAT;
139
138
}
140
-
if (!!(info->state_mask & statebit) ^
139
+
if (!!(state_mask & statebit) ^
141
140
!(info->invert_flags & XT_CONNTRACK_STATE))
142
141
return false;
143
142
}
···
173
172
return false;
174
173
175
174
if ((info->match_flags & XT_CONNTRACK_STATUS) &&
176
-
(!!(info->status_mask & ct->status) ^
175
+
(!!(status_mask & ct->status) ^
177
176
!(info->invert_flags & XT_CONNTRACK_STATUS)))
178
177
return false;
179
178
···
193
192
static bool
194
193
conntrack_mt_v1(const struct sk_buff *skb, const struct xt_match_param *par)
195
194
{
196
-
const struct xt_conntrack_mtinfo2 *const *info = par->matchinfo;
197
-
struct xt_match_param newpar = *par;
195
+
const struct xt_conntrack_mtinfo1 *info = par->matchinfo;
198
196
199
-
newpar.matchinfo = *info;
200
-
return conntrack_mt(skb, &newpar);
197
+
return conntrack_mt(skb, par, info->state_mask, info->status_mask);
198
+
}
199
+
200
+
static bool
201
+
conntrack_mt_v2(const struct sk_buff *skb, const struct xt_match_param *par)
202
+
{
203
+
const struct xt_conntrack_mtinfo2 *info = par->matchinfo;
204
+
205
+
return conntrack_mt(skb, par, info->state_mask, info->status_mask);
201
206
}
202
207
203
208
static bool conntrack_mt_check(const struct xt_mtchk_param *par)
···
216
209
return true;
217
210
}
218
211
219
-
static bool conntrack_mt_check_v1(const struct xt_mtchk_param *par)
220
-
{
221
-
struct xt_conntrack_mtinfo1 *info = par->matchinfo;
222
-
struct xt_conntrack_mtinfo2 *up;
223
-
int ret = conntrack_mt_check(par);
224
-
225
-
if (ret < 0)
226
-
return ret;
227
-
228
-
up = kmalloc(sizeof(*up), GFP_KERNEL);
229
-
if (up == NULL) {
230
-
nf_ct_l3proto_module_put(par->family);
231
-
return -ENOMEM;
232
-
}
233
-
234
-
/*
235
-
* The strategy here is to minimize the overhead of v1 matching,
236
-
* by prebuilding a v2 struct and putting the pointer into the
237
-
* v1 dataspace.
238
-
*/
239
-
memcpy(up, info, offsetof(typeof(*info), state_mask));
240
-
up->state_mask = info->state_mask;
241
-
up->status_mask = info->status_mask;
242
-
*(void **)info = up;
243
-
return true;
244
-
}
245
-
246
212
static void conntrack_mt_destroy(const struct xt_mtdtor_param *par)
247
213
{
248
214
nf_ct_l3proto_module_put(par->family);
249
-
}
250
-
251
-
static void conntrack_mt_destroy_v1(const struct xt_mtdtor_param *par)
252
-
{
253
-
struct xt_conntrack_mtinfo2 **info = par->matchinfo;
254
-
kfree(*info);
255
-
conntrack_mt_destroy(par);
256
215
}
257
216
258
217
static struct xt_match conntrack_mt_reg[] __read_mostly = {
···
228
255
.family = NFPROTO_UNSPEC,
229
256
.matchsize = sizeof(struct xt_conntrack_mtinfo1),
230
257
.match = conntrack_mt_v1,
231
-
.checkentry = conntrack_mt_check_v1,
232
-
.destroy = conntrack_mt_destroy_v1,
258
+
.checkentry = conntrack_mt_check,
259
+
.destroy = conntrack_mt_destroy,
233
260
.me = THIS_MODULE,
234
261
},
235
262
{
···
237
264
.revision = 2,
238
265
.family = NFPROTO_UNSPEC,
239
266
.matchsize = sizeof(struct xt_conntrack_mtinfo2),
240
-
.match = conntrack_mt,
267
+
.match = conntrack_mt_v2,
241
268
.checkentry = conntrack_mt_check,
242
269
.destroy = conntrack_mt_destroy,
243
270
.me = THIS_MODULE,
+4
-2
net/netfilter/xt_socket.c
+4
-2
net/netfilter/xt_socket.c
···
192
192
.revision = 0,
193
193
.family = NFPROTO_IPV4,
194
194
.match = socket_mt_v0,
195
-
.hooks = 1 << NF_INET_PRE_ROUTING,
195
+
.hooks = (1 << NF_INET_PRE_ROUTING) |
196
+
(1 << NF_INET_LOCAL_IN),
196
197
.me = THIS_MODULE,
197
198
},
198
199
{
···
202
201
.family = NFPROTO_IPV4,
203
202
.match = socket_mt_v1,
204
203
.matchsize = sizeof(struct xt_socket_mtinfo1),
205
-
.hooks = 1 << NF_INET_PRE_ROUTING,
204
+
.hooks = (1 << NF_INET_PRE_ROUTING) |
205
+
(1 << NF_INET_LOCAL_IN),
206
206
.me = THIS_MODULE,
207
207
},
208
208
};