
netfilter: xtables: remove xt_conntrack v0

Superseded by xt_conntrack v1 (v2.6.24-2921-g64eb12f).

Signed-off-by: Jan Engelhardt <jengelh@medozas.de>

+1 -193
-3
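--- a/Documentation/feature-removal-schedule.txt
+++ b/Documentation/feature-removal-schedule.txt
@@ -238,9 +238,6 @@
 - "forwarding" header files like ipt_mac.h in
 include/linux/netfilter_ipv4/ and include/linux/netfilter_ipv6/
 
-- xt_conntrack match revision 0
-(superseded by xt_conntrack match revision 1)
-
 - xt_iprange match revision 0,
 include/linux/netfilter_ipv4/ipt_iprange.h
 (superseded by xt_iprange match revision 1)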
-36
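--- a/include/linux/netfilter/xt_conntrack.h
+++ b/include/linux/netfilter/xt_conntrack.h
@@ -32,42 +32,6 @@
 XT_CONNTRACK_DIRECTION = 1 << 12,
 };
 
-/* This is exposed to userspace, so remains frozen in time. */
-struct ip_conntrack_old_tuple
-{
-struct {
-__be32 ip;
-union {
-__u16 all;
-} u;
-} src;
-
-struct {
-__be32 ip;
-union {
-__u16 all;
-} u;
-
-/* The protocol. */
-__u16 protonum;
-} dst;
-};
-
-struct xt_conntrack_info
-{
-unsigned int statemask, statusmask;
-
-struct ip_conntrack_old_tuple tuple[IP_CT_DIR_MAX];
-struct in_addr sipmsk[IP_CT_DIR_MAX], dipmsk[IP_CT_DIR_MAX];
-
-unsigned long expires_min, expires_max;
-
-/* Flags word */
-__u8 flags;
-/* Inverse flags */
-__u8 invflags;
-};
-
 struct xt_conntrack_mtinfo1 {
 union nf_inet_addr origsrc_addr, origsrc_mask;
 union nf_inet_addr origdst_addr, origdst_mask;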
+1 -154
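--- a/net/netfilter/xt_conntrack.c
+++ b/net/netfilter/xt_conntrack.c
@@ -19,99 +19,10 @@
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
-MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
+MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
 MODULE_DESCRIPTION("Xtables: connection tracking state match");
 MODULE_ALIAS("ipt_conntrack");
 MODULE_ALIAS("ip6t_conntrack");
-
-static bool
-conntrack_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
-{
-const struct xt_conntrack_info *sinfo = par->matchinfo;
-const struct nf_conn *ct;
-enum ip_conntrack_info ctinfo;
-unsigned int statebit;
-
-ct = nf_ct_get(skb, &ctinfo);
-
-#define FWINV(bool, invflg) ((bool) ^ !!(sinfo->invflags & (invflg)))
-
-if (ct == &nf_conntrack_untracked)
-statebit = XT_CONNTRACK_STATE_UNTRACKED;
-else if (ct)
-statebit = XT_CONNTRACK_STATE_BIT(ctinfo);
-else
-statebit = XT_CONNTRACK_STATE_INVALID;
-
-if (sinfo->flags & XT_CONNTRACK_STATE) {
-if (ct) {
-if (test_bit(IPS_SRC_NAT_BIT, &ct->status))
-statebit |= XT_CONNTRACK_STATE_SNAT;
-if (test_bit(IPS_DST_NAT_BIT, &ct->status))
-statebit |= XT_CONNTRACK_STATE_DNAT;
-}
-if (FWINV((statebit & sinfo->statemask) == 0,
-XT_CONNTRACK_STATE))
-return false;
-}
-
-if (ct == NULL) {
-if (sinfo->flags & ~XT_CONNTRACK_STATE)
-return false;
-return true;
-}
-
-if (sinfo->flags & XT_CONNTRACK_PROTO &&
-FWINV(nf_ct_protonum(ct) !=
-sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.protonum,
-XT_CONNTRACK_PROTO))
-return false;
-
-if (sinfo->flags & XT_CONNTRACK_ORIGSRC &&
-FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.src.u3.ip &
-sinfo->sipmsk[IP_CT_DIR_ORIGINAL].s_addr) !=
-sinfo->tuple[IP_CT_DIR_ORIGINAL].src.ip,
-XT_CONNTRACK_ORIGSRC))
-return false;
-
-if (sinfo->flags & XT_CONNTRACK_ORIGDST &&
-FWINV((ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3.ip &
-sinfo->dipmsk[IP_CT_DIR_ORIGINAL].s_addr) !=
-sinfo->tuple[IP_CT_DIR_ORIGINAL].dst.ip,
-XT_CONNTRACK_ORIGDST))
-return false;
-
-if (sinfo->flags & XT_CONNTRACK_REPLSRC &&
-FWINV((ct->tuplehash[IP_CT_DIR_REPLY].tuple.src.u3.ip &
-sinfo->sipmsk[IP_CT_DIR_REPLY].s_addr) !=
-sinfo->tuple[IP_CT_DIR_REPLY].src.ip,
-XT_CONNTRACK_REPLSRC))
-return false;
-
-if (sinfo->flags & XT_CONNTRACK_REPLDST &&
-FWINV((ct->tuplehash[IP_CT_DIR_REPLY].tuple.dst.u3.ip &
-sinfo->dipmsk[IP_CT_DIR_REPLY].s_addr) !=
-sinfo->tuple[IP_CT_DIR_REPLY].dst.ip,
-XT_CONNTRACK_REPLDST))
-return false;
-
-if (sinfo->flags & XT_CONNTRACK_STATUS &&
-FWINV((ct->status & sinfo->statusmask) == 0,
-XT_CONNTRACK_STATUS))
-return false;
-
-if(sinfo->flags & XT_CONNTRACK_EXPIRES) {
-unsigned long expires = timer_pending(&ct->timeout) ?
-(ct->timeout.expires - jiffies)/HZ : 0;
-
-if (FWINV(!(expires >= sinfo->expires_min &&
-expires <= sinfo->expires_max),
-XT_CONNTRACK_EXPIRES))
-return false;
-}
-return true;
-#undef FWINV
-}
 
 static bool
 conntrack_addrcmp(const union nf_inet_addr *kaddr,
@@ -248,71 +337,7 @@
 conntrack_mt_destroy(par);
 }
 
-#ifdef CONFIG_COMPAT
-struct compat_xt_conntrack_info
-{
-compat_uint_t statemask;
-compat_uint_t statusmask;
-struct ip_conntrack_old_tuple tuple[IP_CT_DIR_MAX];
-struct in_addr sipmsk[IP_CT_DIR_MAX];
-struct in_addr dipmsk[IP_CT_DIR_MAX];
-compat_ulong_t expires_min;
-compat_ulong_t expires_max;
-u_int8_t flags;
-u_int8_t invflags;
-};
-
-static void conntrack_mt_compat_from_user_v0(void *dst, void *src)
-{
-const struct compat_xt_conntrack_info *cm = src;
-struct xt_conntrack_info m = {
-.statemask = cm->statemask,
-.statusmask = cm->statusmask,
-.expires_min = cm->expires_min,
-.expires_max = cm->expires_max,
-.flags = cm->flags,
-.invflags = cm->invflags,
-};
-memcpy(m.tuple, cm->tuple, sizeof(m.tuple));
-memcpy(m.sipmsk, cm->sipmsk, sizeof(m.sipmsk));
-memcpy(m.dipmsk, cm->dipmsk, sizeof(m.dipmsk));
-memcpy(dst, &m, sizeof(m));
-}
-
-static int conntrack_mt_compat_to_user_v0(void __user *dst, void *src)
-{
-const struct xt_conntrack_info *m = src;
-struct compat_xt_conntrack_info cm = {
-.statemask = m->statemask,
-.statusmask = m->statusmask,
-.expires_min = m->expires_min,
-.expires_max = m->expires_max,
-.flags = m->flags,
-.invflags = m->invflags,
-};
-memcpy(cm.tuple, m->tuple, sizeof(cm.tuple));
-memcpy(cm.sipmsk, m->sipmsk, sizeof(cm.sipmsk));
-memcpy(cm.dipmsk, m->dipmsk, sizeof(cm.dipmsk));
-return copy_to_user(dst, &cm, sizeof(cm)) ? -EFAULT : 0;
-}
-#endif
-
 static struct xt_match conntrack_mt_reg[] __read_mostly = {
-{
-.name = "conntrack",
-.revision = 0,
-.family = NFPROTO_IPV4,
-.match = conntrack_mt_v0,
-.checkentry = conntrack_mt_check,
-.destroy = conntrack_mt_destroy,
-.matchsize = sizeof(struct xt_conntrack_info),
-.me = THIS_MODULE,
-#ifdef CONFIG_COMPAT
-.compatsize = sizeof(struct compat_xt_conntrack_info),
-.compat_from_user = conntrack_mt_compat_from_user_v0,
-.compat_to_user = conntrack_mt_compat_to_user_v0,
-#endif
-},
 {
 .name = "conntrack",
 .revision = 1,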
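Review bot: With the `.revision = 0` entry dropped from `conntrack_mt_reg[]`, the kernel no longer answers an iptables binary that still asks for revision 0 of `conntrack`, and the struct removed from the header was explicitly marked as frozen because it is exposed to userspace; nothing in the commit message or the remaining code records which iptables release first speaks revision 1, so an administrator who upgrades only the kernel will presumably see those firewall rules fail to load rather than degrade gracefully. I would state that minimum userspace version in the commit message (and leave a one-line pointer where the feature-removal-schedule entry used to be) so distributions can gate the kernel bump on it. The `MODULE_AUTHOR` e-mail change on line 22 is unrelated to the removal and would be cleaner as its own commit. The `conntrack_mt_reg[]` initializer continues past the end of the hunk.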