tjh.dev
Linux kernel mirror (for testing)
git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel
os
linux
Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/kaber/nf-next-2.6
+2032
-2113
+1
-1
Documentation/Changes
+1
-1
Documentation/Changes
+8
-10
Documentation/feature-removal-schedule.txt
+8
-10
Documentation/feature-removal-schedule.txt
···
241
241
242
242
---------------------------
243
243
244
-
What (Why):
245
-
- xt_recent: the old ipt_recent proc dir
246
-
(superseded by /proc/net/xt_recent)
247
-
248
-
When: January 2009 or Linux 2.7.0, whichever comes first
249
-
Why: Superseded by newer revisions or modules
250
-
Who: Jan Engelhardt <jengelh@computergmbh.de>
251
-
252
-
---------------------------
253
-
254
244
What: GPIO autorequest on gpio_direction_{input,output}() in gpiolib
255
245
When: February 2010
256
246
Why: All callers should use explicit gpio_request()/gpio_free().
···
618
628
with no impact.
619
629
620
630
Who: Wey-Yi Guy <wey-yi.w.guy@intel.com>
631
+
632
+
---------------------------
633
+
634
+
What: xt_NOTRACK
635
+
Files: net/netfilter/xt_NOTRACK.c
636
+
When: April 2011
637
+
Why: Superseded by xt_CT
638
+
Who: Netfilter developer team <netfilter-devel@vger.kernel.org>
+1
include/linux/ipv6.h
+1
include/linux/ipv6.h
+4
-2
include/linux/kernel.h
+4
-2
include/linux/kernel.h
···
4
4
/*
5
5
* 'kernel.h' contains some often-used function prototypes etc
6
6
*/
7
+
#define __ALIGN_KERNEL(x, a) __ALIGN_KERNEL_MASK(x, (typeof(x))(a) - 1)
8
+
#define __ALIGN_KERNEL_MASK(x, mask) (((x) + (mask)) & ~(mask))
7
9
8
10
#ifdef __KERNEL__
9
11
···
39
37
40
38
#define STACK_MAGIC 0xdeadbeef
41
39
42
-
#define ALIGN(x,a) __ALIGN_MASK(x,(typeof(x))(a)-1)
43
-
#define __ALIGN_MASK(x,mask) (((x)+(mask))&~(mask))
40
+
#define ALIGN(x, a) __ALIGN_KERNEL((x), (a))
41
+
#define __ALIGN_MASK(x, mask) __ALIGN_KERNEL_MASK((x), (mask))
44
42
#define PTR_ALIGN(p, a) ((typeof(p))ALIGN((unsigned long)(p), (a)))
45
43
#define IS_ALIGNED(x, a) (((x) & ((typeof(x))(a) - 1)) == 0)
46
44
+1
include/linux/netfilter/Kbuild
+1
include/linux/netfilter/Kbuild
+1
include/linux/netfilter/nf_conntrack_common.h
+1
include/linux/netfilter/nf_conntrack_common.h
+1
-2
include/linux/netfilter/nf_conntrack_tuple_common.h
+1
-2
include/linux/netfilter/nf_conntrack_tuple_common.h
+30
-20
include/linux/netfilter/x_tables.h
+30
-20
include/linux/netfilter/x_tables.h
···
1
1
#ifndef _X_TABLES_H
2
2
#define _X_TABLES_H
3
-
3
+
#include <linux/kernel.h>
4
4
#include <linux/types.h>
5
5
6
6
#define XT_FUNCTION_MAXNAMELEN 30
7
+
#define XT_EXTENSION_MAXNAMELEN 29
7
8
#define XT_TABLE_MAXNAMELEN 32
8
9
9
10
struct xt_entry_match {
···
13
12
__u16 match_size;
14
13
15
14
/* Used by userspace */
16
-
char name[XT_FUNCTION_MAXNAMELEN-1];
17
-
15
+
char name[XT_EXTENSION_MAXNAMELEN];
18
16
__u8 revision;
19
17
} user;
20
18
struct {
···
36
36
__u16 target_size;
37
37
38
38
/* Used by userspace */
39
-
char name[XT_FUNCTION_MAXNAMELEN-1];
40
-
39
+
char name[XT_EXTENSION_MAXNAMELEN];
41
40
__u8 revision;
42
41
} user;
43
42
struct {
···
69
70
/* The argument to IPT_SO_GET_REVISION_*. Returns highest revision
70
71
* kernel supports, if >= revision. */
71
72
struct xt_get_revision {
72
-
char name[XT_FUNCTION_MAXNAMELEN-1];
73
-
73
+
char name[XT_EXTENSION_MAXNAMELEN];
74
74
__u8 revision;
75
75
};
76
76
···
91
93
__u64 u64;
92
94
};
93
95
94
-
#define XT_ALIGN(s) ALIGN((s), __alignof__(struct _xt_align))
96
+
#define XT_ALIGN(s) __ALIGN_KERNEL((s), __alignof__(struct _xt_align))
95
97
96
98
/* Standard return verdict, or do jump. */
97
99
#define XT_STANDARD_TARGET ""
···
195
197
* @family: Actual NFPROTO_* through which the function is invoked
196
198
* (helpful when match->family == NFPROTO_UNSPEC)
197
199
* @hotdrop: drop packet if we had inspection problems
200
+
* Network namespace obtainable using dev_net(in/out)
198
201
*/
199
202
struct xt_match_param {
200
203
const struct net_device *in, *out;
···
212
213
* struct xt_mtchk_param - parameters for match extensions'
213
214
* checkentry functions
214
215
*
216
+
* @net: network namespace through which the check was invoked
215
217
* @table: table the rule is tried to be inserted into
216
218
* @entryinfo: the family-specific rule data
217
-
* (struct ipt_ip, ip6t_ip, ebt_entry)
219
+
* (struct ipt_ip, ip6t_ip, arpt_arp or (note) ebt_entry)
218
220
* @match: struct xt_match through which this function was invoked
219
221
* @matchinfo: per-match data
220
222
* @hook_mask: via which hooks the new rule is reachable
223
+
* Other fields as above.
221
224
*/
222
225
struct xt_mtchk_param {
223
226
struct net *net;
···
231
230
u_int8_t family;
232
231
};
233
232
234
-
/* Match destructor parameters */
233
+
/**
234
+
* struct xt_mdtor_param - match destructor parameters
235
+
* Fields as above.
236
+
*/
235
237
struct xt_mtdtor_param {
236
238
struct net *net;
237
239
const struct xt_match *match;
···
289
285
struct xt_match {
290
286
struct list_head list;
291
287
292
-
const char name[XT_FUNCTION_MAXNAMELEN-1];
288
+
const char name[XT_EXTENSION_MAXNAMELEN];
293
289
u_int8_t revision;
294
290
295
291
/* Return true or false: return FALSE and set *hotdrop = 1 to
···
301
297
const struct xt_match_param *);
302
298
303
299
/* Called when user tries to insert an entry of this type. */
304
-
bool (*checkentry)(const struct xt_mtchk_param *);
300
+
int (*checkentry)(const struct xt_mtchk_param *);
305
301
306
302
/* Called when entry of this type deleted. */
307
303
void (*destroy)(const struct xt_mtdtor_param *);
···
312
308
#endif
313
309
/* Set this to THIS_MODULE if you are a module, otherwise NULL */
314
310
struct module *me;
315
-
316
-
/* Free to use by each match */
317
-
unsigned long data;
318
311
319
312
const char *table;
320
313
unsigned int matchsize;
···
328
327
struct xt_target {
329
328
struct list_head list;
330
329
331
-
const char name[XT_FUNCTION_MAXNAMELEN-1];
330
+
const char name[XT_EXTENSION_MAXNAMELEN];
331
+
u_int8_t revision;
332
332
333
333
/* Returns verdict. Argument order changed since 2.6.9, as this
334
334
must now handle non-linear skbs, using skb_copy_bits and
···
340
338
/* Called when user tries to insert an entry of this type:
341
339
hook_mask is a bitmask of hooks from which it can be
342
340
called. */
343
-
/* Should return true or false. */
344
-
bool (*checkentry)(const struct xt_tgchk_param *);
341
+
/* Should return true or false, or an error code (-Exxxx). */
342
+
int (*checkentry)(const struct xt_tgchk_param *);
345
343
346
344
/* Called when entry of this type deleted. */
347
345
void (*destroy)(const struct xt_tgdtor_param *);
···
362
360
unsigned short proto;
363
361
364
362
unsigned short family;
365
-
u_int8_t revision;
366
363
};
367
364
368
365
/* Furniture shopping... */
···
399
398
unsigned int hook_entry[NF_INET_NUMHOOKS];
400
399
unsigned int underflow[NF_INET_NUMHOOKS];
401
400
401
+
/*
402
+
* Number of user chains. Since tables cannot have loops, at most
403
+
* @stacksize jumps (number of user chains) can possibly be made.
404
+
*/
405
+
unsigned int stacksize;
406
+
unsigned int *stackptr;
407
+
void ***jumpstack;
402
408
/* ipt_entry tables: one per CPU */
403
409
/* Note : this field MUST be the last one, see XT_TABLE_INFO_SZ */
404
410
void *entries[1];
···
441
433
442
434
extern struct xt_match *xt_find_match(u8 af, const char *name, u8 revision);
443
435
extern struct xt_target *xt_find_target(u8 af, const char *name, u8 revision);
436
+
extern struct xt_match *xt_request_find_match(u8 af, const char *name,
437
+
u8 revision);
444
438
extern struct xt_target *xt_request_find_target(u8 af, const char *name,
445
439
u8 revision);
446
440
extern int xt_find_revision(u8 af, const char *name, u8 revision,
···
608
598
compat_u64 u64;
609
599
};
610
600
611
-
#define COMPAT_XT_ALIGN(s) ALIGN((s), __alignof__(struct _compat_xt_align))
601
+
#define COMPAT_XT_ALIGN(s) __ALIGN_KERNEL((s), __alignof__(struct _compat_xt_align))
612
602
613
603
extern void xt_compat_lock(u_int8_t af);
614
604
extern void xt_compat_unlock(u_int8_t af);
+1
-21
include/linux/netfilter/xt_CONNMARK.h
+1
-21
include/linux/netfilter/xt_CONNMARK.h
···
1
1
#ifndef _XT_CONNMARK_H_target
2
2
#define _XT_CONNMARK_H_target
3
3
4
-
#include <linux/types.h>
5
-
6
-
/* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
7
-
* by Henrik Nordstrom <hno@marasystems.com>
8
-
*
9
-
* This program is free software; you can redistribute it and/or modify
10
-
* it under the terms of the GNU General Public License as published by
11
-
* the Free Software Foundation; either version 2 of the License, or
12
-
* (at your option) any later version.
13
-
*/
14
-
15
-
enum {
16
-
XT_CONNMARK_SET = 0,
17
-
XT_CONNMARK_SAVE,
18
-
XT_CONNMARK_RESTORE
19
-
};
20
-
21
-
struct xt_connmark_tginfo1 {
22
-
__u32 ctmark, ctmask, nfmask;
23
-
__u8 mode;
24
-
};
4
+
#include <linux/netfilter/xt_connmark.h>
25
5
26
6
#endif /*_XT_CONNMARK_H_target*/
+1
-5
include/linux/netfilter/xt_MARK.h
+1
-5
include/linux/netfilter/xt_MARK.h
+12
include/linux/netfilter/xt_TEE.h
+12
include/linux/netfilter/xt_TEE.h
+11
include/linux/netfilter/xt_connmark.h
+11
include/linux/netfilter/xt_connmark.h
···
12
12
* (at your option) any later version.
13
13
*/
14
14
15
+
enum {
16
+
XT_CONNMARK_SET = 0,
17
+
XT_CONNMARK_SAVE,
18
+
XT_CONNMARK_RESTORE
19
+
};
20
+
21
+
struct xt_connmark_tginfo1 {
22
+
__u32 ctmark, ctmask, nfmask;
23
+
__u8 mode;
24
+
};
25
+
15
26
struct xt_connmark_mtinfo1 {
16
27
__u32 mark, mask;
17
28
__u8 invert;
+4
include/linux/netfilter/xt_mark.h
+4
include/linux/netfilter/xt_mark.h
+7
include/linux/netfilter/xt_recent.h
+7
include/linux/netfilter/xt_recent.h
···
9
9
XT_RECENT_UPDATE = 1 << 2,
10
10
XT_RECENT_REMOVE = 1 << 3,
11
11
XT_RECENT_TTL = 1 << 4,
12
+
XT_RECENT_REAP = 1 << 5,
12
13
13
14
XT_RECENT_SOURCE = 0,
14
15
XT_RECENT_DEST = 1,
15
16
16
17
XT_RECENT_NAME_LEN = 200,
17
18
};
19
+
20
+
/* Only allowed with --rcheck and --update */
21
+
#define XT_RECENT_MODIFIERS (XT_RECENT_TTL|XT_RECENT_REAP)
22
+
23
+
#define XT_RECENT_VALID_FLAGS (XT_RECENT_CHECK|XT_RECENT_SET|XT_RECENT_UPDATE|\
24
+
XT_RECENT_REMOVE|XT_RECENT_TTL|XT_RECENT_REAP)
18
25
19
26
struct xt_recent_mtinfo {
20
27
__u32 seconds;
+25
-4
include/linux/netfilter_bridge.h
+25
-4
include/linux/netfilter_bridge.h
···
41
41
42
42
#define BRNF_PKT_TYPE 0x01
43
43
#define BRNF_BRIDGED_DNAT 0x02
44
-
#define BRNF_DONT_TAKE_PARENT 0x04
45
-
#define BRNF_BRIDGED 0x08
46
-
#define BRNF_NF_BRIDGE_PREROUTING 0x10
47
-
44
+
#define BRNF_BRIDGED 0x04
45
+
#define BRNF_NF_BRIDGE_PREROUTING 0x08
46
+
#define BRNF_8021Q 0x10
47
+
#define BRNF_PPPoE 0x20
48
48
49
49
/* Only used in br_forward.c */
50
50
extern int nf_bridge_copy_header(struct sk_buff *skb);
···
66
66
default:
67
67
return 0;
68
68
}
69
+
}
70
+
71
+
static inline unsigned int nf_bridge_mtu_reduction(const struct sk_buff *skb)
72
+
{
73
+
if (unlikely(skb->nf_bridge->mask & BRNF_PPPoE))
74
+
return PPPOE_SES_HLEN;
75
+
return 0;
76
+
}
77
+
78
+
extern int br_handle_frame_finish(struct sk_buff *skb);
79
+
/* Only used in br_device.c */
80
+
static inline int br_nf_pre_routing_finish_bridge_slow(struct sk_buff *skb)
81
+
{
82
+
struct nf_bridge_info *nf_bridge = skb->nf_bridge;
83
+
84
+
skb_pull(skb, ETH_HLEN);
85
+
nf_bridge->mask ^= BRNF_BRIDGED_DNAT;
86
+
skb_copy_to_linear_data_offset(skb, -(ETH_HLEN-ETH_ALEN),
87
+
skb->nf_bridge->data, ETH_HLEN-ETH_ALEN);
88
+
skb->dev = nf_bridge->physindev;
89
+
return br_handle_frame_finish(skb);
69
90
}
70
91
71
92
/* This is called by the IP fragmenting code and it ensures there is
-4
include/linux/netfilter_ipv6/ip6_tables.h
-4
include/linux/netfilter_ipv6/ip6_tables.h
···
316
316
extern int ipv6_find_hdr(const struct sk_buff *skb, unsigned int *offset,
317
317
int target, unsigned short *fragoff);
318
318
319
-
extern int ip6_masked_addrcmp(const struct in6_addr *addr1,
320
-
const struct in6_addr *mask,
321
-
const struct in6_addr *addr2);
322
-
323
319
#define IP6T_ALIGN(s) XT_ALIGN(s)
324
320
325
321
#ifdef CONFIG_COMPAT
+14
include/net/neighbour.h
+14
include/net/neighbour.h
···
299
299
return 0;
300
300
}
301
301
302
+
#ifdef CONFIG_BRIDGE_NETFILTER
303
+
static inline int neigh_hh_bridge(struct hh_cache *hh, struct sk_buff *skb)
304
+
{
305
+
unsigned seq, hh_alen;
306
+
307
+
do {
308
+
seq = read_seqbegin(&hh->hh_lock);
309
+
hh_alen = HH_DATA_ALIGN(ETH_HLEN);
310
+
memcpy(skb->data - hh_alen, hh->hh_data, ETH_ALEN + hh_alen - ETH_HLEN);
311
+
} while (read_seqretry(&hh->hh_lock, seq));
312
+
return 0;
313
+
}
314
+
#endif
315
+
302
316
static inline int neigh_hh_output(struct hh_cache *hh, struct sk_buff *skb)
303
317
{
304
318
unsigned seq;
+8
net/bridge/br_device.c
+8
net/bridge/br_device.c
···
17
17
#include <linux/etherdevice.h>
18
18
#include <linux/ethtool.h>
19
19
#include <linux/list.h>
20
+
#include <linux/netfilter_bridge.h>
20
21
21
22
#include <asm/uaccess.h>
22
23
#include "br_private.h"
···
30
29
struct net_bridge_fdb_entry *dst;
31
30
struct net_bridge_mdb_entry *mdst;
32
31
struct br_cpu_netstats *brstats = this_cpu_ptr(br->stats);
32
+
33
+
#ifdef CONFIG_BRIDGE_NETFILTER
34
+
if (skb->nf_bridge && (skb->nf_bridge->mask & BRNF_BRIDGED_DNAT)) {
35
+
br_nf_pre_routing_finish_bridge_slow(skb);
36
+
return NETDEV_TX_OK;
37
+
}
38
+
#endif
33
39
34
40
brstats->tx_packets++;
35
41
brstats->tx_bytes += skb->len;
+6
-6
net/bridge/br_forward.c
+6
-6
net/bridge/br_forward.c
···
45
45
if (packet_length(skb) > skb->dev->mtu && !skb_is_gso(skb))
46
46
kfree_skb(skb);
47
47
else {
48
-
/* ip_refrag calls ip_fragment, doesn't copy the MAC header. */
48
+
/* ip_fragment doesn't copy the MAC header */
49
49
if (nf_bridge_maybe_copy_header(skb))
50
50
kfree_skb(skb);
51
51
else {
···
66
66
67
67
int br_forward_finish(struct sk_buff *skb)
68
68
{
69
-
return NF_HOOK(PF_BRIDGE, NF_BR_POST_ROUTING, skb, NULL, skb->dev,
69
+
return NF_HOOK(NFPROTO_BRIDGE, NF_BR_POST_ROUTING, skb, NULL, skb->dev,
70
70
br_dev_queue_push_xmit);
71
71
72
72
}
···
84
84
}
85
85
#endif
86
86
skb->dev = to->dev;
87
-
NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev,
88
-
br_forward_finish);
87
+
NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_OUT, skb, NULL, skb->dev,
88
+
br_forward_finish);
89
89
#ifdef CONFIG_NET_POLL_CONTROLLER
90
90
if (skb->dev->npinfo)
91
91
skb->dev->npinfo->netpoll->dev = br->dev;
···
105
105
skb->dev = to->dev;
106
106
skb_forward_csum(skb);
107
107
108
-
NF_HOOK(PF_BRIDGE, NF_BR_FORWARD, skb, indev, skb->dev,
109
-
br_forward_finish);
108
+
NF_HOOK(NFPROTO_BRIDGE, NF_BR_FORWARD, skb, indev, skb->dev,
109
+
br_forward_finish);
110
110
}
111
111
112
112
/* called with rcu_read_lock */
+3
-3
net/bridge/br_input.c
+3
-3
net/bridge/br_input.c
···
33
33
indev = skb->dev;
34
34
skb->dev = brdev;
35
35
36
-
return NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_IN, skb, indev, NULL,
36
+
return NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN, skb, indev, NULL,
37
37
netif_receive_skb);
38
38
}
39
39
···
156
156
if (p->br->stp_enabled == BR_NO_STP && dest[5] == 0)
157
157
goto forward;
158
158
159
-
if (NF_HOOK(PF_BRIDGE, NF_BR_LOCAL_IN, skb, skb->dev,
159
+
if (NF_HOOK(NFPROTO_BRIDGE, NF_BR_LOCAL_IN, skb, skb->dev,
160
160
NULL, br_handle_local_finish))
161
161
return NULL; /* frame consumed by filter */
162
162
else
···
177
177
if (!compare_ether_addr(p->br->dev->dev_addr, dest))
178
178
skb->pkt_type = PACKET_HOST;
179
179
180
-
NF_HOOK(PF_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
180
+
NF_HOOK(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
181
181
br_handle_frame_finish);
182
182
break;
183
183
default:
+1
-1
net/bridge/br_multicast.c
+1
-1
net/bridge/br_multicast.c
+86
-177
net/bridge/br_netfilter.c
+86
-177
net/bridge/br_netfilter.c
···
3
3
* Linux ethernet bridge
4
4
*
5
5
* Authors:
6
-
* Lennert Buytenhek <buytenh@gnu.org>
7
-
* Bart De Schuymer (maintainer) <bdschuym@pandora.be>
8
-
*
9
-
* Changes:
10
-
* Apr 29 2003: physdev module support (bdschuym)
11
-
* Jun 19 2003: let arptables see bridged ARP traffic (bdschuym)
12
-
* Oct 06 2003: filter encapsulated IP/ARP VLAN traffic on untagged bridge
13
-
* (bdschuym)
14
-
* Sep 01 2004: add IPv6 filtering (bdschuym)
6
+
* Lennert Buytenhek <buytenh@gnu.org>
7
+
* Bart De Schuymer <bdschuym@pandora.be>
15
8
*
16
9
* This program is free software; you can redistribute it and/or
17
10
* modify it under the terms of the GNU General Public License
···
197
204
skb->nf_bridge->data, header_size);
198
205
}
199
206
200
-
/*
201
-
* When forwarding bridge frames, we save a copy of the original
202
-
* header before processing.
207
+
static inline void nf_bridge_update_protocol(struct sk_buff *skb)
208
+
{
209
+
if (skb->nf_bridge->mask & BRNF_8021Q)
210
+
skb->protocol = htons(ETH_P_8021Q);
211
+
else if (skb->nf_bridge->mask & BRNF_PPPoE)
212
+
skb->protocol = htons(ETH_P_PPP_SES);
213
+
}
214
+
215
+
/* Fill in the header for fragmented IP packets handled by
216
+
* the IPv4 connection tracking code.
203
217
*/
204
218
int nf_bridge_copy_header(struct sk_buff *skb)
205
219
{
206
220
int err;
207
-
int header_size = ETH_HLEN + nf_bridge_encap_header_len(skb);
221
+
unsigned int header_size;
208
222
223
+
nf_bridge_update_protocol(skb);
224
+
header_size = ETH_HLEN + nf_bridge_encap_header_len(skb);
209
225
err = skb_cow_head(skb, header_size);
210
226
if (err)
211
227
return err;
···
248
246
skb_dst_set(skb, &rt->u.dst);
249
247
250
248
skb->dev = nf_bridge->physindev;
249
+
nf_bridge_update_protocol(skb);
251
250
nf_bridge_push_encap_header(skb);
252
-
NF_HOOK_THRESH(PF_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
251
+
NF_HOOK_THRESH(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
253
252
br_handle_frame_finish, 1);
254
253
255
254
return 0;
256
255
}
257
256
258
-
static void __br_dnat_complain(void)
257
+
/* Obtain the correct destination MAC address, while preserving the original
258
+
* source MAC address. If we already know this address, we just copy it. If we
259
+
* don't, we use the neighbour framework to find out. In both cases, we make
260
+
* sure that br_handle_frame_finish() is called afterwards.
261
+
*/
262
+
static int br_nf_pre_routing_finish_bridge(struct sk_buff *skb)
259
263
{
260
-
static unsigned long last_complaint;
264
+
struct nf_bridge_info *nf_bridge = skb->nf_bridge;
265
+
struct dst_entry *dst;
261
266
262
-
if (jiffies - last_complaint >= 5 * HZ) {
263
-
printk(KERN_WARNING "Performing cross-bridge DNAT requires IP "
264
-
"forwarding to be enabled\n");
265
-
last_complaint = jiffies;
267
+
skb->dev = bridge_parent(skb->dev);
268
+
if (!skb->dev)
269
+
goto free_skb;
270
+
dst = skb_dst(skb);
271
+
if (dst->hh) {
272
+
neigh_hh_bridge(dst->hh, skb);
273
+
skb->dev = nf_bridge->physindev;
274
+
return br_handle_frame_finish(skb);
275
+
} else if (dst->neighbour) {
276
+
/* the neighbour function below overwrites the complete
277
+
* MAC header, so we save the Ethernet source address and
278
+
* protocol number. */
279
+
skb_copy_from_linear_data_offset(skb, -(ETH_HLEN-ETH_ALEN), skb->nf_bridge->data, ETH_HLEN-ETH_ALEN);
280
+
/* tell br_dev_xmit to continue with forwarding */
281
+
nf_bridge->mask |= BRNF_BRIDGED_DNAT;
282
+
return dst->neighbour->output(skb);
266
283
}
284
+
free_skb:
285
+
kfree_skb(skb);
286
+
return 0;
267
287
}
268
288
269
289
/* This requires some explaining. If DNAT has taken place,
270
-
* we will need to fix up the destination Ethernet address,
271
-
* and this is a tricky process.
290
+
* we will need to fix up the destination Ethernet address.
272
291
*
273
292
* There are two cases to consider:
274
293
* 1. The packet was DNAT'ed to a device in the same bridge
···
303
280
* call ip_route_input() and to look at skb->dst->dev, which is
304
281
* changed to the destination device if ip_route_input() succeeds.
305
282
*
306
-
* Let us first consider the case that ip_route_input() succeeds:
283
+
* Let's first consider the case that ip_route_input() succeeds:
307
284
*
308
-
* If skb->dst->dev equals the logical bridge device the packet
309
-
* came in on, we can consider this bridging. The packet is passed
310
-
* through the neighbour output function to build a new destination
311
-
* MAC address, which will make the packet enter br_nf_local_out()
312
-
* not much later. In that function it is assured that the iptables
313
-
* FORWARD chain is traversed for the packet.
314
-
*
285
+
* If the output device equals the logical bridge device the packet
286
+
* came in on, we can consider this bridging. The corresponding MAC
287
+
* address will be obtained in br_nf_pre_routing_finish_bridge.
315
288
* Otherwise, the packet is considered to be routed and we just
316
289
* change the destination MAC address so that the packet will
317
290
* later be passed up to the IP stack to be routed. For a redirected
318
291
* packet, ip_route_input() will give back the localhost as output device,
319
292
* which differs from the bridge device.
320
293
*
321
-
* Let us now consider the case that ip_route_input() fails:
294
+
* Let's now consider the case that ip_route_input() fails:
322
295
*
323
296
* This can be because the destination address is martian, in which case
324
297
* the packet will be dropped.
325
-
* After a "echo '0' > /proc/sys/net/ipv4/ip_forward" ip_route_input()
326
-
* will fail, while __ip_route_output_key() will return success. The source
327
-
* address for __ip_route_output_key() is set to zero, so __ip_route_output_key
298
+
* If IP forwarding is disabled, ip_route_input() will fail, while
299
+
* ip_route_output_key() can return success. The source
300
+
* address for ip_route_output_key() is set to zero, so ip_route_output_key()
328
301
* thinks we're handling a locally generated packet and won't care
329
-
* if IP forwarding is allowed. We send a warning message to the users's
330
-
* log telling her to put IP forwarding on.
331
-
*
332
-
* ip_route_input() will also fail if there is no route available.
333
-
* In that case we just drop the packet.
334
-
*
335
-
* --Lennert, 20020411
336
-
* --Bart, 20020416 (updated)
337
-
* --Bart, 20021007 (updated)
338
-
* --Bart, 20062711 (updated) */
339
-
static int br_nf_pre_routing_finish_bridge(struct sk_buff *skb)
340
-
{
341
-
if (skb->pkt_type == PACKET_OTHERHOST) {
342
-
skb->pkt_type = PACKET_HOST;
343
-
skb->nf_bridge->mask |= BRNF_PKT_TYPE;
344
-
}
345
-
skb->nf_bridge->mask ^= BRNF_NF_BRIDGE_PREROUTING;
346
-
347
-
skb->dev = bridge_parent(skb->dev);
348
-
if (skb->dev) {
349
-
struct dst_entry *dst = skb_dst(skb);
350
-
351
-
nf_bridge_pull_encap_header(skb);
352
-
353
-
if (dst->hh)
354
-
return neigh_hh_output(dst->hh, skb);
355
-
else if (dst->neighbour)
356
-
return dst->neighbour->output(skb);
357
-
}
358
-
kfree_skb(skb);
359
-
return 0;
360
-
}
361
-
302
+
* if IP forwarding is enabled. If the output device equals the logical bridge
303
+
* device, we proceed as if ip_route_input() succeeded. If it differs from the
304
+
* logical bridge port or if ip_route_output_key() fails we drop the packet.
305
+
*/
362
306
static int br_nf_pre_routing_finish(struct sk_buff *skb)
363
307
{
364
308
struct net_device *dev = skb->dev;
···
369
379
skb_dst_set(skb, (struct dst_entry *)rt);
370
380
goto bridged_dnat;
371
381
}
372
-
/* we are sure that forwarding is disabled, so printing
373
-
* this message is no problem. Note that the packet could
374
-
* still have a martian destination address, in which case
375
-
* the packet could be dropped even if forwarding were enabled */
376
-
__br_dnat_complain();
377
382
dst_release((struct dst_entry *)rt);
378
383
}
379
384
free_skb:
···
377
392
} else {
378
393
if (skb_dst(skb)->dev == dev) {
379
394
bridged_dnat:
380
-
/* Tell br_nf_local_out this is a
381
-
* bridged frame */
382
-
nf_bridge->mask |= BRNF_BRIDGED_DNAT;
383
395
skb->dev = nf_bridge->physindev;
396
+
nf_bridge_update_protocol(skb);
384
397
nf_bridge_push_encap_header(skb);
385
-
NF_HOOK_THRESH(PF_BRIDGE, NF_BR_PRE_ROUTING,
398
+
NF_HOOK_THRESH(NFPROTO_BRIDGE,
399
+
NF_BR_PRE_ROUTING,
386
400
skb, skb->dev, NULL,
387
401
br_nf_pre_routing_finish_bridge,
388
402
1);
···
401
417
}
402
418
403
419
skb->dev = nf_bridge->physindev;
420
+
nf_bridge_update_protocol(skb);
404
421
nf_bridge_push_encap_header(skb);
405
-
NF_HOOK_THRESH(PF_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
422
+
NF_HOOK_THRESH(NFPROTO_BRIDGE, NF_BR_PRE_ROUTING, skb, skb->dev, NULL,
406
423
br_handle_frame_finish, 1);
407
424
408
425
return 0;
···
422
437
nf_bridge->mask |= BRNF_NF_BRIDGE_PREROUTING;
423
438
nf_bridge->physindev = skb->dev;
424
439
skb->dev = bridge_parent(skb->dev);
440
+
if (skb->protocol == htons(ETH_P_8021Q))
441
+
nf_bridge->mask |= BRNF_8021Q;
442
+
else if (skb->protocol == htons(ETH_P_PPP_SES))
443
+
nf_bridge->mask |= BRNF_PPPoE;
425
444
426
445
return skb->dev;
427
446
}
···
524
535
if (!setup_pre_routing(skb))
525
536
return NF_DROP;
526
537
527
-
NF_HOOK(PF_INET6, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
538
+
skb->protocol = htons(ETH_P_IPV6);
539
+
NF_HOOK(NFPROTO_IPV6, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
528
540
br_nf_pre_routing_finish_ipv6);
529
541
530
542
return NF_STOLEN;
···
597
607
if (!setup_pre_routing(skb))
598
608
return NF_DROP;
599
609
store_orig_dstaddr(skb);
610
+
skb->protocol = htons(ETH_P_IP);
600
611
601
-
NF_HOOK(PF_INET, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
612
+
NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
602
613
br_nf_pre_routing_finish);
603
614
604
615
return NF_STOLEN;
···
646
655
} else {
647
656
in = *((struct net_device **)(skb->cb));
648
657
}
658
+
nf_bridge_update_protocol(skb);
649
659
nf_bridge_push_encap_header(skb);
650
-
NF_HOOK_THRESH(PF_BRIDGE, NF_BR_FORWARD, skb, in,
660
+
661
+
NF_HOOK_THRESH(NFPROTO_BRIDGE, NF_BR_FORWARD, skb, in,
651
662
skb->dev, br_forward_finish, 1);
652
663
return 0;
653
664
}
···
700
707
/* The physdev module checks on this */
701
708
nf_bridge->mask |= BRNF_BRIDGED;
702
709
nf_bridge->physoutdev = skb->dev;
710
+
if (pf == PF_INET)
711
+
skb->protocol = htons(ETH_P_IP);
712
+
else
713
+
skb->protocol = htons(ETH_P_IPV6);
703
714
704
715
NF_HOOK(pf, NF_INET_FORWARD, skb, bridge_parent(in), parent,
705
716
br_nf_forward_finish);
···
741
744
return NF_STOLEN;
742
745
}
743
746
744
-
/* PF_BRIDGE/LOCAL_OUT ***********************************************
745
-
*
746
-
* This function sees both locally originated IP packets and forwarded
747
-
* IP packets (in both cases the destination device is a bridge
748
-
* device). It also sees bridged-and-DNAT'ed packets.
749
-
*
750
-
* If (nf_bridge->mask & BRNF_BRIDGED_DNAT) then the packet is bridged
751
-
* and we fake the PF_BRIDGE/FORWARD hook. The function br_nf_forward()
752
-
* will then fake the PF_INET/FORWARD hook. br_nf_local_out() has priority
753
-
* NF_BR_PRI_FIRST, so no relevant PF_BRIDGE/INPUT functions have been nor
754
-
* will be executed.
755
-
*/
756
-
static unsigned int br_nf_local_out(unsigned int hook, struct sk_buff *skb,
757
-
const struct net_device *in,
758
-
const struct net_device *out,
759
-
int (*okfn)(struct sk_buff *))
760
-
{
761
-
struct net_device *realindev;
762
-
struct nf_bridge_info *nf_bridge;
763
-
764
-
if (!skb->nf_bridge)
765
-
return NF_ACCEPT;
766
-
767
-
/* Need exclusive nf_bridge_info since we might have multiple
768
-
* different physoutdevs. */
769
-
if (!nf_bridge_unshare(skb))
770
-
return NF_DROP;
771
-
772
-
nf_bridge = skb->nf_bridge;
773
-
if (!(nf_bridge->mask & BRNF_BRIDGED_DNAT))
774
-
return NF_ACCEPT;
775
-
776
-
/* Bridged, take PF_BRIDGE/FORWARD.
777
-
* (see big note in front of br_nf_pre_routing_finish) */
778
-
nf_bridge->physoutdev = skb->dev;
779
-
realindev = nf_bridge->physindev;
780
-
781
-
if (nf_bridge->mask & BRNF_PKT_TYPE) {
782
-
skb->pkt_type = PACKET_OTHERHOST;
783
-
nf_bridge->mask ^= BRNF_PKT_TYPE;
784
-
}
785
-
nf_bridge_push_encap_header(skb);
786
-
787
-
NF_HOOK(PF_BRIDGE, NF_BR_FORWARD, skb, realindev, skb->dev,
788
-
br_forward_finish);
789
-
return NF_STOLEN;
790
-
}
791
-
792
747
#if defined(CONFIG_NF_CONNTRACK_IPV4) || defined(CONFIG_NF_CONNTRACK_IPV4_MODULE)
793
748
static int br_nf_dev_queue_xmit(struct sk_buff *skb)
794
749
{
795
-
if (skb->nfct != NULL &&
796
-
(skb->protocol == htons(ETH_P_IP) || IS_VLAN_IP(skb)) &&
797
-
skb->len > skb->dev->mtu &&
750
+
if (skb->nfct != NULL && skb->protocol == htons(ETH_P_IP) &&
751
+
skb->len + nf_bridge_mtu_reduction(skb) > skb->dev->mtu &&
798
752
!skb_is_gso(skb))
799
753
return ip_fragment(skb, br_dev_queue_push_xmit);
800
754
else
···
768
820
struct net_device *realoutdev = bridge_parent(skb->dev);
769
821
u_int8_t pf;
770
822
771
-
#ifdef CONFIG_NETFILTER_DEBUG
772
-
/* Be very paranoid. This probably won't happen anymore, but let's
773
-
* keep the check just to be sure... */
774
-
if (skb_mac_header(skb) < skb->head ||
775
-
skb_mac_header(skb) + ETH_HLEN > skb->data) {
776
-
printk(KERN_CRIT "br_netfilter: Argh!! br_nf_post_routing: "
777
-
"bad mac.raw pointer.\n");
778
-
goto print_error;
779
-
}
780
-
#endif
781
-
782
-
if (!nf_bridge)
783
-
return NF_ACCEPT;
784
-
785
-
if (!(nf_bridge->mask & (BRNF_BRIDGED | BRNF_BRIDGED_DNAT)))
823
+
if (!nf_bridge || !(nf_bridge->mask & BRNF_BRIDGED))
786
824
return NF_ACCEPT;
787
825
788
826
if (!realoutdev)
···
783
849
else
784
850
return NF_ACCEPT;
785
851
786
-
#ifdef CONFIG_NETFILTER_DEBUG
787
-
if (skb_dst(skb) == NULL) {
788
-
printk(KERN_INFO "br_netfilter post_routing: skb->dst == NULL\n");
789
-
goto print_error;
790
-
}
791
-
#endif
792
-
793
852
/* We assume any code from br_dev_queue_push_xmit onwards doesn't care
794
853
* about the value of skb->pkt_type. */
795
854
if (skb->pkt_type == PACKET_OTHERHOST) {
···
792
865
793
866
nf_bridge_pull_encap_header(skb);
794
867
nf_bridge_save_header(skb);
868
+
if (pf == PF_INET)
869
+
skb->protocol = htons(ETH_P_IP);
870
+
else
871
+
skb->protocol = htons(ETH_P_IPV6);
795
872
796
873
NF_HOOK(pf, NF_INET_POST_ROUTING, skb, NULL, realoutdev,
797
874
br_nf_dev_queue_xmit);
798
875
799
876
return NF_STOLEN;
800
-
801
-
#ifdef CONFIG_NETFILTER_DEBUG
802
-
print_error:
803
-
if (skb->dev != NULL) {
804
-
printk("[%s]", skb->dev->name);
805
-
if (realoutdev)
806
-
printk("[%s]", realoutdev->name);
807
-
}
808
-
printk(" head:%p, raw:%p, data:%p\n", skb->head, skb_mac_header(skb),
809
-
skb->data);
810
-
dump_stack();
811
-
return NF_ACCEPT;
812
-
#endif
813
877
}
814
878
815
879
/* IP/SABOTAGE *****************************************************/
···
819
901
return NF_ACCEPT;
820
902
}
821
903
822
-
/* For br_nf_local_out we need (prio = NF_BR_PRI_FIRST), to insure that innocent
823
-
* PF_BRIDGE/NF_BR_LOCAL_OUT functions don't get bridged traffic as input.
824
-
* For br_nf_post_routing, we need (prio = NF_BR_PRI_LAST), because
825
-
* ip_refrag() can return NF_STOLEN. */
904
+
/* For br_nf_post_routing, we need (prio = NF_BR_PRI_LAST), because
905
+
* br_dev_queue_push_xmit is called afterwards */
826
906
static struct nf_hook_ops br_nf_ops[] __read_mostly = {
827
907
{
828
908
.hook = br_nf_pre_routing,
···
849
933
.pf = PF_BRIDGE,
850
934
.hooknum = NF_BR_FORWARD,
851
935
.priority = NF_BR_PRI_BRNF,
852
-
},
853
-
{
854
-
.hook = br_nf_local_out,
855
-
.owner = THIS_MODULE,
856
-
.pf = PF_BRIDGE,
857
-
.hooknum = NF_BR_LOCAL_OUT,
858
-
.priority = NF_BR_PRI_FIRST,
859
936
},
860
937
{
861
938
.hook = br_nf_post_routing,
+1
-1
net/bridge/br_stp_bpdu.c
+1
-1
net/bridge/br_stp_bpdu.c
+3
-3
net/bridge/netfilter/ebt_802_3.c
+3
-3
net/bridge/netfilter/ebt_802_3.c
···
36
36
return true;
37
37
}
38
38
39
-
static bool ebt_802_3_mt_check(const struct xt_mtchk_param *par)
39
+
static int ebt_802_3_mt_check(const struct xt_mtchk_param *par)
40
40
{
41
41
const struct ebt_802_3_info *info = par->matchinfo;
42
42
43
43
if (info->bitmask & ~EBT_802_3_MASK || info->invflags & ~EBT_802_3_MASK)
44
-
return false;
44
+
return -EINVAL;
45
45
46
-
return true;
46
+
return 0;
47
47
}
48
48
49
49
static struct xt_match ebt_802_3_mt_reg __read_mostly = {
+11
-14
net/bridge/netfilter/ebt_among.c
+11
-14
net/bridge/netfilter/ebt_among.c
···
7
7
* August, 2003
8
8
*
9
9
*/
10
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
10
11
#include <linux/ip.h>
11
12
#include <linux/if_arp.h>
12
13
#include <linux/module.h>
···
172
171
return true;
173
172
}
174
173
175
-
static bool ebt_among_mt_check(const struct xt_mtchk_param *par)
174
+
static int ebt_among_mt_check(const struct xt_mtchk_param *par)
176
175
{
177
176
const struct ebt_among_info *info = par->matchinfo;
178
177
const struct ebt_entry_match *em =
···
187
186
expected_length += ebt_mac_wormhash_size(wh_src);
188
187
189
188
if (em->match_size != EBT_ALIGN(expected_length)) {
190
-
printk(KERN_WARNING
191
-
"ebtables: among: wrong size: %d "
192
-
"against expected %d, rounded to %Zd\n",
193
-
em->match_size, expected_length,
194
-
EBT_ALIGN(expected_length));
195
-
return false;
189
+
pr_info("wrong size: %d against expected %d, rounded to %Zd\n",
190
+
em->match_size, expected_length,
191
+
EBT_ALIGN(expected_length));
192
+
return -EINVAL;
196
193
}
197
194
if (wh_dst && (err = ebt_mac_wormhash_check_integrity(wh_dst))) {
198
-
printk(KERN_WARNING
199
-
"ebtables: among: dst integrity fail: %x\n", -err);
200
-
return false;
195
+
pr_info("dst integrity fail: %x\n", -err);
196
+
return -EINVAL;
201
197
}
202
198
if (wh_src && (err = ebt_mac_wormhash_check_integrity(wh_src))) {
203
-
printk(KERN_WARNING
204
-
"ebtables: among: src integrity fail: %x\n", -err);
205
-
return false;
199
+
pr_info("src integrity fail: %x\n", -err);
200
+
return -EINVAL;
206
201
}
207
-
return true;
202
+
return 0;
208
203
}
209
204
210
205
static struct xt_match ebt_among_mt_reg __read_mostly = {
+4
-4
net/bridge/netfilter/ebt_arp.c
+4
-4
net/bridge/netfilter/ebt_arp.c
···
100
100
return true;
101
101
}
102
102
103
-
static bool ebt_arp_mt_check(const struct xt_mtchk_param *par)
103
+
static int ebt_arp_mt_check(const struct xt_mtchk_param *par)
104
104
{
105
105
const struct ebt_arp_info *info = par->matchinfo;
106
106
const struct ebt_entry *e = par->entryinfo;
···
108
108
if ((e->ethproto != htons(ETH_P_ARP) &&
109
109
e->ethproto != htons(ETH_P_RARP)) ||
110
110
e->invflags & EBT_IPROTO)
111
-
return false;
111
+
return -EINVAL;
112
112
if (info->bitmask & ~EBT_ARP_MASK || info->invflags & ~EBT_ARP_MASK)
113
-
return false;
114
-
return true;
113
+
return -EINVAL;
114
+
return 0;
115
115
}
116
116
117
117
static struct xt_match ebt_arp_mt_reg __read_mostly = {
+4
-4
net/bridge/netfilter/ebt_arpreply.c
+4
-4
net/bridge/netfilter/ebt_arpreply.c
···
57
57
return info->target;
58
58
}
59
59
60
-
static bool ebt_arpreply_tg_check(const struct xt_tgchk_param *par)
60
+
static int ebt_arpreply_tg_check(const struct xt_tgchk_param *par)
61
61
{
62
62
const struct ebt_arpreply_info *info = par->targinfo;
63
63
const struct ebt_entry *e = par->entryinfo;
64
64
65
65
if (BASE_CHAIN && info->target == EBT_RETURN)
66
-
return false;
66
+
return -EINVAL;
67
67
if (e->ethproto != htons(ETH_P_ARP) ||
68
68
e->invflags & EBT_IPROTO)
69
-
return false;
70
-
return true;
69
+
return -EINVAL;
70
+
return 0;
71
71
}
72
72
73
73
static struct xt_target ebt_arpreply_tg_reg __read_mostly = {
+5
-5
net/bridge/netfilter/ebt_dnat.c
+5
-5
net/bridge/netfilter/ebt_dnat.c
···
26
26
return info->target;
27
27
}
28
28
29
-
static bool ebt_dnat_tg_check(const struct xt_tgchk_param *par)
29
+
static int ebt_dnat_tg_check(const struct xt_tgchk_param *par)
30
30
{
31
31
const struct ebt_nat_info *info = par->targinfo;
32
32
unsigned int hook_mask;
33
33
34
34
if (BASE_CHAIN && info->target == EBT_RETURN)
35
-
return false;
35
+
return -EINVAL;
36
36
37
37
hook_mask = par->hook_mask & ~(1 << NF_BR_NUMHOOKS);
38
38
if ((strcmp(par->table, "nat") != 0 ||
···
40
40
(1 << NF_BR_LOCAL_OUT)))) &&
41
41
(strcmp(par->table, "broute") != 0 ||
42
42
hook_mask & ~(1 << NF_BR_BROUTING)))
43
-
return false;
43
+
return -EINVAL;
44
44
if (INVALID_TARGET)
45
-
return false;
46
-
return true;
45
+
return -EINVAL;
46
+
return 0;
47
47
}
48
48
49
49
static struct xt_target ebt_dnat_tg_reg __read_mostly = {
+8
-8
net/bridge/netfilter/ebt_ip.c
+8
-8
net/bridge/netfilter/ebt_ip.c
···
77
77
return true;
78
78
}
79
79
80
-
static bool ebt_ip_mt_check(const struct xt_mtchk_param *par)
80
+
static int ebt_ip_mt_check(const struct xt_mtchk_param *par)
81
81
{
82
82
const struct ebt_ip_info *info = par->matchinfo;
83
83
const struct ebt_entry *e = par->entryinfo;
84
84
85
85
if (e->ethproto != htons(ETH_P_IP) ||
86
86
e->invflags & EBT_IPROTO)
87
-
return false;
87
+
return -EINVAL;
88
88
if (info->bitmask & ~EBT_IP_MASK || info->invflags & ~EBT_IP_MASK)
89
-
return false;
89
+
return -EINVAL;
90
90
if (info->bitmask & (EBT_IP_DPORT | EBT_IP_SPORT)) {
91
91
if (info->invflags & EBT_IP_PROTO)
92
-
return false;
92
+
return -EINVAL;
93
93
if (info->protocol != IPPROTO_TCP &&
94
94
info->protocol != IPPROTO_UDP &&
95
95
info->protocol != IPPROTO_UDPLITE &&
96
96
info->protocol != IPPROTO_SCTP &&
97
97
info->protocol != IPPROTO_DCCP)
98
-
return false;
98
+
return -EINVAL;
99
99
}
100
100
if (info->bitmask & EBT_IP_DPORT && info->dport[0] > info->dport[1])
101
-
return false;
101
+
return -EINVAL;
102
102
if (info->bitmask & EBT_IP_SPORT && info->sport[0] > info->sport[1])
103
-
return false;
104
-
return true;
103
+
return -EINVAL;
104
+
return 0;
105
105
}
106
106
107
107
static struct xt_match ebt_ip_mt_reg __read_mostly = {
+14
-23
net/bridge/netfilter/ebt_ip6.c
+14
-23
net/bridge/netfilter/ebt_ip6.c
···
4
4
* Authors:
5
5
* Manohar Castelino <manohar.r.castelino@intel.com>
6
6
* Kuo-Lang Tseng <kuo-lang.tseng@intel.com>
7
-
* Jan Engelhardt <jengelh@computergmbh.de>
7
+
* Jan Engelhardt <jengelh@medozas.de>
8
8
*
9
9
* Summary:
10
10
* This is just a modification of the IPv4 code written by
···
35
35
struct ipv6hdr _ip6h;
36
36
const struct tcpudphdr *pptr;
37
37
struct tcpudphdr _ports;
38
-
struct in6_addr tmp_addr;
39
-
int i;
40
38
41
39
ih6 = skb_header_pointer(skb, 0, sizeof(_ip6h), &_ip6h);
42
40
if (ih6 == NULL)
···
42
44
if (info->bitmask & EBT_IP6_TCLASS &&
43
45
FWINV(info->tclass != ipv6_get_dsfield(ih6), EBT_IP6_TCLASS))
44
46
return false;
45
-
for (i = 0; i < 4; i++)
46
-
tmp_addr.in6_u.u6_addr32[i] = ih6->saddr.in6_u.u6_addr32[i] &
47
-
info->smsk.in6_u.u6_addr32[i];
48
-
if (info->bitmask & EBT_IP6_SOURCE &&
49
-
FWINV((ipv6_addr_cmp(&tmp_addr, &info->saddr) != 0),
50
-
EBT_IP6_SOURCE))
51
-
return false;
52
-
for (i = 0; i < 4; i++)
53
-
tmp_addr.in6_u.u6_addr32[i] = ih6->daddr.in6_u.u6_addr32[i] &
54
-
info->dmsk.in6_u.u6_addr32[i];
55
-
if (info->bitmask & EBT_IP6_DEST &&
56
-
FWINV((ipv6_addr_cmp(&tmp_addr, &info->daddr) != 0), EBT_IP6_DEST))
47
+
if (FWINV(ipv6_masked_addr_cmp(&ih6->saddr, &info->smsk,
48
+
&info->saddr), EBT_IP6_SOURCE) ||
49
+
FWINV(ipv6_masked_addr_cmp(&ih6->daddr, &info->dmsk,
50
+
&info->daddr), EBT_IP6_DEST))
57
51
return false;
58
52
if (info->bitmask & EBT_IP6_PROTO) {
59
53
uint8_t nexthdr = ih6->nexthdr;
···
80
90
return true;
81
91
}
82
92
83
-
static bool ebt_ip6_mt_check(const struct xt_mtchk_param *par)
93
+
static int ebt_ip6_mt_check(const struct xt_mtchk_param *par)
84
94
{
85
95
const struct ebt_entry *e = par->entryinfo;
86
96
struct ebt_ip6_info *info = par->matchinfo;
87
97
88
98
if (e->ethproto != htons(ETH_P_IPV6) || e->invflags & EBT_IPROTO)
89
-
return false;
99
+
return -EINVAL;
90
100
if (info->bitmask & ~EBT_IP6_MASK || info->invflags & ~EBT_IP6_MASK)
91
-
return false;
101
+
return -EINVAL;
92
102
if (info->bitmask & (EBT_IP6_DPORT | EBT_IP6_SPORT)) {
93
103
if (info->invflags & EBT_IP6_PROTO)
94
-
return false;
104
+
return -EINVAL;
95
105
if (info->protocol != IPPROTO_TCP &&
96
106
info->protocol != IPPROTO_UDP &&
97
107
info->protocol != IPPROTO_UDPLITE &&
98
108
info->protocol != IPPROTO_SCTP &&
99
109
info->protocol != IPPROTO_DCCP)
100
-
return false;
110
+
return -EINVAL;
101
111
}
102
112
if (info->bitmask & EBT_IP6_DPORT && info->dport[0] > info->dport[1])
103
-
return false;
113
+
return -EINVAL;
104
114
if (info->bitmask & EBT_IP6_SPORT && info->sport[0] > info->sport[1])
105
-
return false;
106
-
return true;
115
+
return -EINVAL;
116
+
return 0;
107
117
}
108
118
109
119
static struct xt_match ebt_ip6_mt_reg __read_mostly = {
···
129
139
module_init(ebt_ip6_init);
130
140
module_exit(ebt_ip6_fini);
131
141
MODULE_DESCRIPTION("Ebtables: IPv6 protocol packet match");
142
+
MODULE_AUTHOR("Kuo-Lang Tseng <kuo-lang.tseng@intel.com>");
132
143
MODULE_LICENSE("GPL");
+5
-4
net/bridge/netfilter/ebt_limit.c
+5
-4
net/bridge/netfilter/ebt_limit.c
···
10
10
* September, 2003
11
11
*
12
12
*/
13
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
13
14
#include <linux/module.h>
14
15
#include <linux/netdevice.h>
15
16
#include <linux/spinlock.h>
···
65
64
return (user * HZ * CREDITS_PER_JIFFY) / EBT_LIMIT_SCALE;
66
65
}
67
66
68
-
static bool ebt_limit_mt_check(const struct xt_mtchk_param *par)
67
+
static int ebt_limit_mt_check(const struct xt_mtchk_param *par)
69
68
{
70
69
struct ebt_limit_info *info = par->matchinfo;
71
70
72
71
/* Check for overflow. */
73
72
if (info->burst == 0 ||
74
73
user2credits(info->avg * info->burst) < user2credits(info->avg)) {
75
-
printk("Overflow in ebt_limit, try lower: %u/%u\n",
74
+
pr_info("overflow, try lower: %u/%u\n",
76
75
info->avg, info->burst);
77
-
return false;
76
+
return -EINVAL;
78
77
}
79
78
80
79
/* User avg in seconds * EBT_LIMIT_SCALE: convert to jiffies * 128. */
···
82
81
info->credit = user2credits(info->avg * info->burst);
83
82
info->credit_cap = user2credits(info->avg * info->burst);
84
83
info->cost = user2credits(info->avg);
85
-
return true;
84
+
return 0;
86
85
}
87
86
88
87
+4
-4
net/bridge/netfilter/ebt_log.c
+4
-4
net/bridge/netfilter/ebt_log.c
···
24
24
25
25
static DEFINE_SPINLOCK(ebt_log_lock);
26
26
27
-
static bool ebt_log_tg_check(const struct xt_tgchk_param *par)
27
+
static int ebt_log_tg_check(const struct xt_tgchk_param *par)
28
28
{
29
29
struct ebt_log_info *info = par->targinfo;
30
30
31
31
if (info->bitmask & ~EBT_LOG_MASK)
32
-
return false;
32
+
return -EINVAL;
33
33
if (info->loglevel >= 8)
34
-
return false;
34
+
return -EINVAL;
35
35
info->prefix[EBT_LOG_PREFIX_SIZE - 1] = '\0';
36
-
return true;
36
+
return 0;
37
37
}
38
38
39
39
struct tcpudphdr
+5
-5
net/bridge/netfilter/ebt_mark.c
+5
-5
net/bridge/netfilter/ebt_mark.c
···
36
36
return info->target | ~EBT_VERDICT_BITS;
37
37
}
38
38
39
-
static bool ebt_mark_tg_check(const struct xt_tgchk_param *par)
39
+
static int ebt_mark_tg_check(const struct xt_tgchk_param *par)
40
40
{
41
41
const struct ebt_mark_t_info *info = par->targinfo;
42
42
int tmp;
43
43
44
44
tmp = info->target | ~EBT_VERDICT_BITS;
45
45
if (BASE_CHAIN && tmp == EBT_RETURN)
46
-
return false;
46
+
return -EINVAL;
47
47
if (tmp < -NUM_STANDARD_TARGETS || tmp >= 0)
48
-
return false;
48
+
return -EINVAL;
49
49
tmp = info->target & ~EBT_VERDICT_BITS;
50
50
if (tmp != MARK_SET_VALUE && tmp != MARK_OR_VALUE &&
51
51
tmp != MARK_AND_VALUE && tmp != MARK_XOR_VALUE)
52
-
return false;
53
-
return true;
52
+
return -EINVAL;
53
+
return 0;
54
54
}
55
55
#ifdef CONFIG_COMPAT
56
56
struct compat_ebt_mark_t_info {
+5
-5
net/bridge/netfilter/ebt_mark_m.c
+5
-5
net/bridge/netfilter/ebt_mark_m.c
···
22
22
return ((skb->mark & info->mask) == info->mark) ^ info->invert;
23
23
}
24
24
25
-
static bool ebt_mark_mt_check(const struct xt_mtchk_param *par)
25
+
static int ebt_mark_mt_check(const struct xt_mtchk_param *par)
26
26
{
27
27
const struct ebt_mark_m_info *info = par->matchinfo;
28
28
29
29
if (info->bitmask & ~EBT_MARK_MASK)
30
-
return false;
30
+
return -EINVAL;
31
31
if ((info->bitmask & EBT_MARK_OR) && (info->bitmask & EBT_MARK_AND))
32
-
return false;
32
+
return -EINVAL;
33
33
if (!info->bitmask)
34
-
return false;
35
-
return true;
34
+
return -EINVAL;
35
+
return 0;
36
36
}
37
37
38
38
+3
-3
net/bridge/netfilter/ebt_nflog.c
+3
-3
net/bridge/netfilter/ebt_nflog.c
···
35
35
return EBT_CONTINUE;
36
36
}
37
37
38
-
static bool ebt_nflog_tg_check(const struct xt_tgchk_param *par)
38
+
static int ebt_nflog_tg_check(const struct xt_tgchk_param *par)
39
39
{
40
40
struct ebt_nflog_info *info = par->targinfo;
41
41
42
42
if (info->flags & ~EBT_NFLOG_MASK)
43
-
return false;
43
+
return -EINVAL;
44
44
info->prefix[EBT_NFLOG_PREFIX_SIZE - 1] = '\0';
45
-
return true;
45
+
return 0;
46
46
}
47
47
48
48
static struct xt_target ebt_nflog_tg_reg __read_mostly = {
+3
-3
net/bridge/netfilter/ebt_pkttype.c
+3
-3
net/bridge/netfilter/ebt_pkttype.c
···
20
20
return (skb->pkt_type == info->pkt_type) ^ info->invert;
21
21
}
22
22
23
-
static bool ebt_pkttype_mt_check(const struct xt_mtchk_param *par)
23
+
static int ebt_pkttype_mt_check(const struct xt_mtchk_param *par)
24
24
{
25
25
const struct ebt_pkttype_info *info = par->matchinfo;
26
26
27
27
if (info->invert != 0 && info->invert != 1)
28
-
return false;
28
+
return -EINVAL;
29
29
/* Allow any pkt_type value */
30
-
return true;
30
+
return 0;
31
31
}
32
32
33
33
static struct xt_match ebt_pkttype_mt_reg __read_mostly = {
+5
-5
net/bridge/netfilter/ebt_redirect.c
+5
-5
net/bridge/netfilter/ebt_redirect.c
···
32
32
return info->target;
33
33
}
34
34
35
-
static bool ebt_redirect_tg_check(const struct xt_tgchk_param *par)
35
+
static int ebt_redirect_tg_check(const struct xt_tgchk_param *par)
36
36
{
37
37
const struct ebt_redirect_info *info = par->targinfo;
38
38
unsigned int hook_mask;
39
39
40
40
if (BASE_CHAIN && info->target == EBT_RETURN)
41
-
return false;
41
+
return -EINVAL;
42
42
43
43
hook_mask = par->hook_mask & ~(1 << NF_BR_NUMHOOKS);
44
44
if ((strcmp(par->table, "nat") != 0 ||
45
45
hook_mask & ~(1 << NF_BR_PRE_ROUTING)) &&
46
46
(strcmp(par->table, "broute") != 0 ||
47
47
hook_mask & ~(1 << NF_BR_BROUTING)))
48
-
return false;
48
+
return -EINVAL;
49
49
if (INVALID_TARGET)
50
-
return false;
51
-
return true;
50
+
return -EINVAL;
51
+
return 0;
52
52
}
53
53
54
54
static struct xt_target ebt_redirect_tg_reg __read_mostly = {
+5
-5
net/bridge/netfilter/ebt_snat.c
+5
-5
net/bridge/netfilter/ebt_snat.c
···
42
42
return info->target | ~EBT_VERDICT_BITS;
43
43
}
44
44
45
-
static bool ebt_snat_tg_check(const struct xt_tgchk_param *par)
45
+
static int ebt_snat_tg_check(const struct xt_tgchk_param *par)
46
46
{
47
47
const struct ebt_nat_info *info = par->targinfo;
48
48
int tmp;
49
49
50
50
tmp = info->target | ~EBT_VERDICT_BITS;
51
51
if (BASE_CHAIN && tmp == EBT_RETURN)
52
-
return false;
52
+
return -EINVAL;
53
53
54
54
if (tmp < -NUM_STANDARD_TARGETS || tmp >= 0)
55
-
return false;
55
+
return -EINVAL;
56
56
tmp = info->target | EBT_VERDICT_BITS;
57
57
if ((tmp & ~NAT_ARP_BIT) != ~NAT_ARP_BIT)
58
-
return false;
59
-
return true;
58
+
return -EINVAL;
59
+
return 0;
60
60
}
61
61
62
62
static struct xt_target ebt_snat_tg_reg __read_mostly = {
+4
-4
net/bridge/netfilter/ebt_stp.c
+4
-4
net/bridge/netfilter/ebt_stp.c
···
153
153
return true;
154
154
}
155
155
156
-
static bool ebt_stp_mt_check(const struct xt_mtchk_param *par)
156
+
static int ebt_stp_mt_check(const struct xt_mtchk_param *par)
157
157
{
158
158
const struct ebt_stp_info *info = par->matchinfo;
159
159
const uint8_t bridge_ula[6] = {0x01, 0x80, 0xc2, 0x00, 0x00, 0x00};
···
162
162
163
163
if (info->bitmask & ~EBT_STP_MASK || info->invflags & ~EBT_STP_MASK ||
164
164
!(info->bitmask & EBT_STP_MASK))
165
-
return false;
165
+
return -EINVAL;
166
166
/* Make sure the match only receives stp frames */
167
167
if (compare_ether_addr(e->destmac, bridge_ula) ||
168
168
compare_ether_addr(e->destmsk, msk) || !(e->bitmask & EBT_DESTMAC))
169
-
return false;
169
+
return -EINVAL;
170
170
171
-
return true;
171
+
return 0;
172
172
}
173
173
174
174
static struct xt_match ebt_stp_mt_reg __read_mostly = {
+14
-22
net/bridge/netfilter/ebt_ulog.c
+14
-22
net/bridge/netfilter/ebt_ulog.c
···
27
27
* flushed even if it is not full yet.
28
28
*
29
29
*/
30
-
30
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
31
31
#include <linux/module.h>
32
32
#include <linux/slab.h>
33
33
#include <linux/spinlock.h>
···
43
43
#include <net/netfilter/nf_log.h>
44
44
#include <net/sock.h>
45
45
#include "../br_private.h"
46
-
47
-
#define PRINTR(format, args...) do { if (net_ratelimit()) \
48
-
printk(format , ## args); } while (0)
49
46
50
47
static unsigned int nlbufsiz = NLMSG_GOODSIZE;
51
48
module_param(nlbufsiz, uint, 0600);
···
104
107
n = max(size, nlbufsiz);
105
108
skb = alloc_skb(n, GFP_ATOMIC);
106
109
if (!skb) {
107
-
PRINTR(KERN_ERR "ebt_ulog: can't alloc whole buffer "
108
-
"of size %ub!\n", n);
110
+
pr_debug("cannot alloc whole buffer of size %ub!\n", n);
109
111
if (n > size) {
110
112
/* try to allocate only as much as we need for
111
113
* current packet */
112
114
skb = alloc_skb(size, GFP_ATOMIC);
113
115
if (!skb)
114
-
PRINTR(KERN_ERR "ebt_ulog: can't even allocate "
115
-
"buffer of size %ub\n", size);
116
+
pr_debug("cannot even allocate "
117
+
"buffer of size %ub\n", size);
116
118
}
117
119
}
118
120
···
138
142
139
143
size = NLMSG_SPACE(sizeof(*pm) + copy_len);
140
144
if (size > nlbufsiz) {
141
-
PRINTR("ebt_ulog: Size %Zd needed, but nlbufsiz=%d\n",
142
-
size, nlbufsiz);
145
+
pr_debug("Size %Zd needed, but nlbufsiz=%d\n", size, nlbufsiz);
143
146
return;
144
147
}
145
148
···
212
217
return;
213
218
214
219
nlmsg_failure:
215
-
printk(KERN_CRIT "ebt_ulog: error during NLMSG_PUT. This should "
216
-
"not happen, please report to author.\n");
220
+
pr_debug("error during NLMSG_PUT. This should "
221
+
"not happen, please report to author.\n");
217
222
goto unlock;
218
223
alloc_failure:
219
224
goto unlock;
···
250
255
return EBT_CONTINUE;
251
256
}
252
257
253
-
static bool ebt_ulog_tg_check(const struct xt_tgchk_param *par)
258
+
static int ebt_ulog_tg_check(const struct xt_tgchk_param *par)
254
259
{
255
260
struct ebt_ulog_info *uloginfo = par->targinfo;
256
261
257
262
if (uloginfo->nlgroup > 31)
258
-
return false;
263
+
return -EINVAL;
259
264
260
265
uloginfo->prefix[EBT_ULOG_PREFIX_LEN - 1] = '\0';
261
266
262
267
if (uloginfo->qthreshold > EBT_ULOG_MAX_QLEN)
263
268
uloginfo->qthreshold = EBT_ULOG_MAX_QLEN;
264
269
265
-
return true;
270
+
return 0;
266
271
}
267
272
268
273
static struct xt_target ebt_ulog_tg_reg __read_mostly = {
···
287
292
int i;
288
293
289
294
if (nlbufsiz >= 128*1024) {
290
-
printk(KERN_NOTICE "ebt_ulog: Netlink buffer has to be <= 128kB,"
291
-
" please try a smaller nlbufsiz parameter.\n");
295
+
pr_warning("Netlink buffer has to be <= 128kB,"
296
+
" please try a smaller nlbufsiz parameter.\n");
292
297
return -EINVAL;
293
298
}
294
299
···
301
306
ebtulognl = netlink_kernel_create(&init_net, NETLINK_NFLOG,
302
307
EBT_ULOG_MAXNLGROUPS, NULL, NULL,
303
308
THIS_MODULE);
304
-
if (!ebtulognl) {
305
-
printk(KERN_WARNING KBUILD_MODNAME ": out of memory trying to "
306
-
"call netlink_kernel_create\n");
309
+
if (!ebtulognl)
307
310
ret = -ENOMEM;
308
-
} else if ((ret = xt_register_target(&ebt_ulog_tg_reg)) != 0) {
311
+
else if ((ret = xt_register_target(&ebt_ulog_tg_reg)) != 0)
309
312
netlink_kernel_release(ebtulognl);
310
-
}
311
313
312
314
if (ret == 0)
313
315
nf_log_register(NFPROTO_BRIDGE, &ebt_ulog_logger);
+21
-31
net/bridge/netfilter/ebt_vlan.c
+21
-31
net/bridge/netfilter/ebt_vlan.c
···
26
26
#include <linux/netfilter_bridge/ebtables.h>
27
27
#include <linux/netfilter_bridge/ebt_vlan.h>
28
28
29
-
static int debug;
30
29
#define MODULE_VERS "0.6"
31
30
32
-
module_param(debug, int, 0);
33
-
MODULE_PARM_DESC(debug, "debug=1 is turn on debug messages");
34
31
MODULE_AUTHOR("Nick Fedchik <nick@fedchik.org.ua>");
35
32
MODULE_DESCRIPTION("Ebtables: 802.1Q VLAN tag match");
36
33
MODULE_LICENSE("GPL");
37
34
38
-
39
-
#define DEBUG_MSG(args...) if (debug) printk (KERN_DEBUG "ebt_vlan: " args)
40
35
#define GET_BITMASK(_BIT_MASK_) info->bitmask & _BIT_MASK_
41
36
#define EXIT_ON_MISMATCH(_MATCH_,_MASK_) {if (!((info->_MATCH_ == _MATCH_)^!!(info->invflags & _MASK_))) return false; }
42
37
···
79
84
return true;
80
85
}
81
86
82
-
static bool ebt_vlan_mt_check(const struct xt_mtchk_param *par)
87
+
static int ebt_vlan_mt_check(const struct xt_mtchk_param *par)
83
88
{
84
89
struct ebt_vlan_info *info = par->matchinfo;
85
90
const struct ebt_entry *e = par->entryinfo;
86
91
87
92
/* Is it 802.1Q frame checked? */
88
93
if (e->ethproto != htons(ETH_P_8021Q)) {
89
-
DEBUG_MSG
90
-
("passed entry proto %2.4X is not 802.1Q (8100)\n",
91
-
(unsigned short) ntohs(e->ethproto));
92
-
return false;
94
+
pr_debug("passed entry proto %2.4X is not 802.1Q (8100)\n",
95
+
ntohs(e->ethproto));
96
+
return -EINVAL;
93
97
}
94
98
95
99
/* Check for bitmask range
96
100
* True if even one bit is out of mask */
97
101
if (info->bitmask & ~EBT_VLAN_MASK) {
98
-
DEBUG_MSG("bitmask %2X is out of mask (%2X)\n",
99
-
info->bitmask, EBT_VLAN_MASK);
100
-
return false;
102
+
pr_debug("bitmask %2X is out of mask (%2X)\n",
103
+
info->bitmask, EBT_VLAN_MASK);
104
+
return -EINVAL;
101
105
}
102
106
103
107
/* Check for inversion flags range */
104
108
if (info->invflags & ~EBT_VLAN_MASK) {
105
-
DEBUG_MSG("inversion flags %2X is out of mask (%2X)\n",
106
-
info->invflags, EBT_VLAN_MASK);
107
-
return false;
109
+
pr_debug("inversion flags %2X is out of mask (%2X)\n",
110
+
info->invflags, EBT_VLAN_MASK);
111
+
return -EINVAL;
108
112
}
109
113
110
114
/* Reserved VLAN ID (VID) values
···
115
121
if (GET_BITMASK(EBT_VLAN_ID)) {
116
122
if (!!info->id) { /* if id!=0 => check vid range */
117
123
if (info->id > VLAN_GROUP_ARRAY_LEN) {
118
-
DEBUG_MSG
119
-
("id %d is out of range (1-4096)\n",
120
-
info->id);
121
-
return false;
124
+
pr_debug("id %d is out of range (1-4096)\n",
125
+
info->id);
126
+
return -EINVAL;
122
127
}
123
128
/* Note: This is valid VLAN-tagged frame point.
124
129
* Any value of user_priority are acceptable,
···
130
137
131
138
if (GET_BITMASK(EBT_VLAN_PRIO)) {
132
139
if ((unsigned char) info->prio > 7) {
133
-
DEBUG_MSG("prio %d is out of range (0-7)\n",
134
-
info->prio);
135
-
return false;
140
+
pr_debug("prio %d is out of range (0-7)\n",
141
+
info->prio);
142
+
return -EINVAL;
136
143
}
137
144
}
138
145
/* Check for encapsulated proto range - it is possible to be
···
140
147
* if_ether.h: ETH_ZLEN 60 - Min. octets in frame sans FCS */
141
148
if (GET_BITMASK(EBT_VLAN_ENCAP)) {
142
149
if ((unsigned short) ntohs(info->encap) < ETH_ZLEN) {
143
-
DEBUG_MSG
144
-
("encap frame length %d is less than minimal\n",
145
-
ntohs(info->encap));
146
-
return false;
150
+
pr_debug("encap frame length %d is less than "
151
+
"minimal\n", ntohs(info->encap));
152
+
return -EINVAL;
147
153
}
148
154
}
149
155
150
-
return true;
156
+
return 0;
151
157
}
152
158
153
159
static struct xt_match ebt_vlan_mt_reg __read_mostly = {
···
161
169
162
170
static int __init ebt_vlan_init(void)
163
171
{
164
-
DEBUG_MSG("ebtables 802.1Q extension module v"
165
-
MODULE_VERS "\n");
166
-
DEBUG_MSG("module debug=%d\n", !!debug);
172
+
pr_debug("ebtables 802.1Q extension module v" MODULE_VERS "\n");
167
173
return xt_register_match(&ebt_vlan_mt_reg);
168
174
}
169
175
+5
-18
net/bridge/netfilter/ebtables.c
+5
-18
net/bridge/netfilter/ebtables.c
···
14
14
* as published by the Free Software Foundation; either version
15
15
* 2 of the License, or (at your option) any later version.
16
16
*/
17
-
18
-
17
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
19
18
#include <linux/kmod.h>
20
19
#include <linux/module.h>
21
20
#include <linux/vmalloc.h>
···
362
363
left - sizeof(struct ebt_entry_match) < m->match_size)
363
364
return -EINVAL;
364
365
365
-
match = try_then_request_module(xt_find_match(NFPROTO_BRIDGE,
366
-
m->u.name, 0), "ebt_%s", m->u.name);
366
+
match = xt_request_find_match(NFPROTO_BRIDGE, m->u.name, 0);
367
367
if (IS_ERR(match))
368
368
return PTR_ERR(match);
369
-
if (match == NULL)
370
-
return -ENOENT;
371
369
m->u.match = match;
372
370
373
371
par->match = match;
···
393
397
left - sizeof(struct ebt_entry_watcher) < w->watcher_size)
394
398
return -EINVAL;
395
399
396
-
watcher = try_then_request_module(
397
-
xt_find_target(NFPROTO_BRIDGE, w->u.name, 0),
398
-
"ebt_%s", w->u.name);
400
+
watcher = xt_request_find_target(NFPROTO_BRIDGE, w->u.name, 0);
399
401
if (IS_ERR(watcher))
400
402
return PTR_ERR(watcher);
401
-
if (watcher == NULL)
402
-
return -ENOENT;
403
403
w->u.watcher = watcher;
404
404
405
405
par->target = watcher;
···
708
716
t = (struct ebt_entry_target *)(((char *)e) + e->target_offset);
709
717
gap = e->next_offset - e->target_offset;
710
718
711
-
target = try_then_request_module(
712
-
xt_find_target(NFPROTO_BRIDGE, t->u.name, 0),
713
-
"ebt_%s", t->u.name);
719
+
target = xt_request_find_target(NFPROTO_BRIDGE, t->u.name, 0);
714
720
if (IS_ERR(target)) {
715
721
ret = PTR_ERR(target);
716
-
goto cleanup_watchers;
717
-
} else if (target == NULL) {
718
-
ret = -ENOENT;
719
722
goto cleanup_watchers;
720
723
}
721
724
···
2115
2128
return ret;
2116
2129
new_offset += ret;
2117
2130
if (offsets_update && new_offset) {
2118
-
pr_debug("ebtables: change offset %d to %d\n",
2131
+
pr_debug("change offset %d to %d\n",
2119
2132
offsets_update[i], offsets[j] + new_offset);
2120
2133
offsets_update[i] = offsets[j] + new_offset;
2121
2134
}
+6
-3
net/decnet/dn_neigh.c
+6
-3
net/decnet/dn_neigh.c
···
266
266
267
267
skb_reset_network_header(skb);
268
268
269
-
return NF_HOOK(PF_DECnet, NF_DN_POST_ROUTING, skb, NULL, neigh->dev, dn_neigh_output_packet);
269
+
return NF_HOOK(NFPROTO_DECNET, NF_DN_POST_ROUTING, skb, NULL,
270
+
neigh->dev, dn_neigh_output_packet);
270
271
}
271
272
272
273
static int dn_short_output(struct sk_buff *skb)
···
306
305
307
306
skb_reset_network_header(skb);
308
307
309
-
return NF_HOOK(PF_DECnet, NF_DN_POST_ROUTING, skb, NULL, neigh->dev, dn_neigh_output_packet);
308
+
return NF_HOOK(NFPROTO_DECNET, NF_DN_POST_ROUTING, skb, NULL,
309
+
neigh->dev, dn_neigh_output_packet);
310
310
}
311
311
312
312
/*
···
349
347
350
348
skb_reset_network_header(skb);
351
349
352
-
return NF_HOOK(PF_DECnet, NF_DN_POST_ROUTING, skb, NULL, neigh->dev, dn_neigh_output_packet);
350
+
return NF_HOOK(NFPROTO_DECNET, NF_DN_POST_ROUTING, skb, NULL,
351
+
neigh->dev, dn_neigh_output_packet);
353
352
}
354
353
355
354
/*
+2
-1
net/decnet/dn_nsp_in.c
+2
-1
net/decnet/dn_nsp_in.c
+20
-8
net/decnet/dn_route.c
+20
-8
net/decnet/dn_route.c
···
518
518
ptr++;
519
519
cb->hops = *ptr++; /* Visit Count */
520
520
521
-
return NF_HOOK(PF_DECnet, NF_DN_PRE_ROUTING, skb, skb->dev, NULL, dn_route_rx_packet);
521
+
return NF_HOOK(NFPROTO_DECNET, NF_DN_PRE_ROUTING, skb, skb->dev, NULL,
522
+
dn_route_rx_packet);
522
523
523
524
drop_it:
524
525
kfree_skb(skb);
···
545
544
ptr += 2;
546
545
cb->hops = *ptr & 0x3f;
547
546
548
-
return NF_HOOK(PF_DECnet, NF_DN_PRE_ROUTING, skb, skb->dev, NULL, dn_route_rx_packet);
547
+
return NF_HOOK(NFPROTO_DECNET, NF_DN_PRE_ROUTING, skb, skb->dev, NULL,
548
+
dn_route_rx_packet);
549
549
550
550
drop_it:
551
551
kfree_skb(skb);
···
648
646
649
647
switch(flags & DN_RT_CNTL_MSK) {
650
648
case DN_RT_PKT_HELO:
651
-
return NF_HOOK(PF_DECnet, NF_DN_HELLO, skb, skb->dev, NULL, dn_route_ptp_hello);
649
+
return NF_HOOK(NFPROTO_DECNET, NF_DN_HELLO,
650
+
skb, skb->dev, NULL,
651
+
dn_route_ptp_hello);
652
652
653
653
case DN_RT_PKT_L1RT:
654
654
case DN_RT_PKT_L2RT:
655
-
return NF_HOOK(PF_DECnet, NF_DN_ROUTE, skb, skb->dev, NULL, dn_route_discard);
655
+
return NF_HOOK(NFPROTO_DECNET, NF_DN_ROUTE,
656
+
skb, skb->dev, NULL,
657
+
dn_route_discard);
656
658
case DN_RT_PKT_ERTH:
657
-
return NF_HOOK(PF_DECnet, NF_DN_HELLO, skb, skb->dev, NULL, dn_neigh_router_hello);
659
+
return NF_HOOK(NFPROTO_DECNET, NF_DN_HELLO,
660
+
skb, skb->dev, NULL,
661
+
dn_neigh_router_hello);
658
662
659
663
case DN_RT_PKT_EEDH:
660
-
return NF_HOOK(PF_DECnet, NF_DN_HELLO, skb, skb->dev, NULL, dn_neigh_endnode_hello);
664
+
return NF_HOOK(NFPROTO_DECNET, NF_DN_HELLO,
665
+
skb, skb->dev, NULL,
666
+
dn_neigh_endnode_hello);
661
667
}
662
668
} else {
663
669
if (dn->parms.state != DN_DEV_S_RU)
···
714
704
cb->rt_flags |= DN_RT_F_IE;
715
705
cb->hops = 0;
716
706
717
-
return NF_HOOK(PF_DECnet, NF_DN_LOCAL_OUT, skb, NULL, dev, neigh->output);
707
+
return NF_HOOK(NFPROTO_DECNET, NF_DN_LOCAL_OUT, skb, NULL, dev,
708
+
neigh->output);
718
709
719
710
error:
720
711
if (net_ratelimit())
···
764
753
if (rt->rt_flags & RTCF_DOREDIRECT)
765
754
cb->rt_flags |= DN_RT_F_IE;
766
755
767
-
return NF_HOOK(PF_DECnet, NF_DN_FORWARD, skb, dev, skb->dev, neigh->output);
756
+
return NF_HOOK(NFPROTO_DECNET, NF_DN_FORWARD, skb, dev, skb->dev,
757
+
neigh->output);
768
758
769
759
drop:
770
760
kfree_skb(skb);
+2
-2
net/ipv4/ip_forward.c
+2
-2
net/ipv4/ip_forward.c
···
112
112
113
113
skb->priority = rt_tos2priority(iph->tos);
114
114
115
-
return NF_HOOK(PF_INET, NF_INET_FORWARD, skb, skb->dev, rt->u.dst.dev,
116
-
ip_forward_finish);
115
+
return NF_HOOK(NFPROTO_IPV4, NF_INET_FORWARD, skb, skb->dev,
116
+
rt->u.dst.dev, ip_forward_finish);
117
117
118
118
sr_failed:
119
119
/*
+2
-2
net/ipv4/ip_input.c
+2
-2
net/ipv4/ip_input.c
···
266
266
return 0;
267
267
}
268
268
269
-
return NF_HOOK(PF_INET, NF_INET_LOCAL_IN, skb, skb->dev, NULL,
269
+
return NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_IN, skb, skb->dev, NULL,
270
270
ip_local_deliver_finish);
271
271
}
272
272
···
444
444
/* Must drop socket now because of tproxy. */
445
445
skb_orphan(skb);
446
446
447
-
return NF_HOOK(PF_INET, NF_INET_PRE_ROUTING, skb, dev, NULL,
447
+
return NF_HOOK(NFPROTO_IPV4, NF_INET_PRE_ROUTING, skb, dev, NULL,
448
448
ip_rcv_finish);
449
449
450
450
inhdr_error:
+13
-9
net/ipv4/ip_output.c
+13
-9
net/ipv4/ip_output.c
···
96
96
97
97
iph->tot_len = htons(skb->len);
98
98
ip_send_check(iph);
99
-
return nf_hook(PF_INET, NF_INET_LOCAL_OUT, skb, NULL, skb_dst(skb)->dev,
100
-
dst_output);
99
+
return nf_hook(NFPROTO_IPV4, NF_INET_LOCAL_OUT, skb, NULL,
100
+
skb_dst(skb)->dev, dst_output);
101
101
}
102
102
103
103
int ip_local_out(struct sk_buff *skb)
···
272
272
) {
273
273
struct sk_buff *newskb = skb_clone(skb, GFP_ATOMIC);
274
274
if (newskb)
275
-
NF_HOOK(PF_INET, NF_INET_POST_ROUTING, newskb,
276
-
NULL, newskb->dev,
275
+
NF_HOOK(NFPROTO_IPV4, NF_INET_POST_ROUTING,
276
+
newskb, NULL, newskb->dev,
277
277
ip_dev_loopback_xmit);
278
278
}
279
279
···
288
288
if (rt->rt_flags&RTCF_BROADCAST) {
289
289
struct sk_buff *newskb = skb_clone(skb, GFP_ATOMIC);
290
290
if (newskb)
291
-
NF_HOOK(PF_INET, NF_INET_POST_ROUTING, newskb, NULL,
292
-
newskb->dev, ip_dev_loopback_xmit);
291
+
NF_HOOK(NFPROTO_IPV4, NF_INET_POST_ROUTING, newskb,
292
+
NULL, newskb->dev, ip_dev_loopback_xmit);
293
293
}
294
294
295
-
return NF_HOOK_COND(PF_INET, NF_INET_POST_ROUTING, skb, NULL, skb->dev,
296
-
ip_finish_output,
295
+
return NF_HOOK_COND(NFPROTO_IPV4, NF_INET_POST_ROUTING, skb, NULL,
296
+
skb->dev, ip_finish_output,
297
297
!(IPCB(skb)->flags & IPSKB_REROUTED));
298
298
}
299
299
···
306
306
skb->dev = dev;
307
307
skb->protocol = htons(ETH_P_IP);
308
308
309
-
return NF_HOOK_COND(PF_INET, NF_INET_POST_ROUTING, skb, NULL, dev,
309
+
return NF_HOOK_COND(NFPROTO_IPV4, NF_INET_POST_ROUTING, skb, NULL, dev,
310
310
ip_finish_output,
311
311
!(IPCB(skb)->flags & IPSKB_REROUTED));
312
312
}
···
469
469
470
470
hlen = iph->ihl * 4;
471
471
mtu = dst_mtu(&rt->u.dst) - hlen; /* Size of data space */
472
+
#ifdef CONFIG_BRIDGE_NETFILTER
473
+
if (skb->nf_bridge)
474
+
mtu -= nf_bridge_mtu_reduction(skb);
475
+
#endif
472
476
IPCB(skb)->flags |= IPSKB_FRAG_COMPLETE;
473
477
474
478
/* When frag_list is given, use it. First, check its validity:
+1
-1
net/ipv4/ipmr.c
+1
-1
net/ipv4/ipmr.c
···
1599
1599
* not mrouter) cannot join to more than one interface - it will
1600
1600
* result in receiving multiple packets.
1601
1601
*/
1602
-
NF_HOOK(PF_INET, NF_INET_FORWARD, skb, skb->dev, dev,
1602
+
NF_HOOK(NFPROTO_IPV4, NF_INET_FORWARD, skb, skb->dev, dev,
1603
1603
ipmr_forward_finish);
1604
1604
return;
1605
1605
+12
-14
net/ipv4/netfilter/arp_tables.c
+12
-14
net/ipv4/netfilter/arp_tables.c
···
523
523
return ret;
524
524
525
525
t = arpt_get_target(e);
526
-
target = try_then_request_module(xt_find_target(NFPROTO_ARP,
527
-
t->u.user.name,
528
-
t->u.user.revision),
529
-
"arpt_%s", t->u.user.name);
530
-
if (IS_ERR(target) || !target) {
526
+
target = xt_request_find_target(NFPROTO_ARP, t->u.user.name,
527
+
t->u.user.revision);
528
+
if (IS_ERR(target)) {
531
529
duprintf("find_check_entry: `%s' not found\n", t->u.user.name);
532
-
ret = target ? PTR_ERR(target) : -ENOENT;
530
+
ret = PTR_ERR(target);
533
531
goto out;
534
532
}
535
533
t->u.kernel.target = target;
···
649
651
if (ret != 0)
650
652
break;
651
653
++i;
654
+
if (strcmp(arpt_get_target(iter)->u.user.name,
655
+
XT_ERROR_TARGET) == 0)
656
+
++newinfo->stacksize;
652
657
}
653
658
duprintf("translate_table: ARPT_ENTRY_ITERATE gives %d\n", ret);
654
659
if (ret != 0)
···
1253
1252
entry_offset = (void *)e - (void *)base;
1254
1253
1255
1254
t = compat_arpt_get_target(e);
1256
-
target = try_then_request_module(xt_find_target(NFPROTO_ARP,
1257
-
t->u.user.name,
1258
-
t->u.user.revision),
1259
-
"arpt_%s", t->u.user.name);
1260
-
if (IS_ERR(target) || !target) {
1255
+
target = xt_request_find_target(NFPROTO_ARP, t->u.user.name,
1256
+
t->u.user.revision);
1257
+
if (IS_ERR(target)) {
1261
1258
duprintf("check_compat_entry_size_and_hooks: `%s' not found\n",
1262
1259
t->u.user.name);
1263
-
ret = target ? PTR_ERR(target) : -ENOENT;
1260
+
ret = PTR_ERR(target);
1264
1261
goto out;
1265
1262
}
1266
1263
t->u.kernel.target = target;
···
1777
1778
{
1778
1779
int ret;
1779
1780
struct xt_table_info *newinfo;
1780
-
struct xt_table_info bootstrap
1781
-
= { 0, 0, 0, { 0 }, { 0 }, { } };
1781
+
struct xt_table_info bootstrap = {0};
1782
1782
void *loc_cpu_entry;
1783
1783
struct xt_table *new_table;
1784
1784
+1
-1
net/ipv4/netfilter/arpt_mangle.c
+1
-1
net/ipv4/netfilter/arpt_mangle.c
+1
-2
net/ipv4/netfilter/ip_queue.c
+1
-2
net/ipv4/netfilter/ip_queue.c
···
161
161
break;
162
162
163
163
case IPQ_COPY_PACKET:
164
-
if ((entry->skb->ip_summed == CHECKSUM_PARTIAL ||
165
-
entry->skb->ip_summed == CHECKSUM_COMPLETE) &&
164
+
if (entry->skb->ip_summed == CHECKSUM_PARTIAL &&
166
165
(*errp = skb_checksum_help(entry->skb))) {
167
166
read_unlock_bh(&queue_lock);
168
167
return NULL;
+61
-66
net/ipv4/netfilter/ip_tables.c
+61
-66
net/ipv4/netfilter/ip_tables.c
···
39
39
/*#define DEBUG_IP_FIREWALL_USER*/
40
40
41
41
#ifdef DEBUG_IP_FIREWALL
42
-
#define dprintf(format, args...) printk(format , ## args)
42
+
#define dprintf(format, args...) pr_info(format , ## args)
43
43
#else
44
44
#define dprintf(format, args...)
45
45
#endif
46
46
47
47
#ifdef DEBUG_IP_FIREWALL_USER
48
-
#define duprintf(format, args...) printk(format , ## args)
48
+
#define duprintf(format, args...) pr_info(format , ## args)
49
49
#else
50
50
#define duprintf(format, args...)
51
51
#endif
···
168
168
ipt_error(struct sk_buff *skb, const struct xt_target_param *par)
169
169
{
170
170
if (net_ratelimit())
171
-
printk("ip_tables: error: `%s'\n",
172
-
(const char *)par->targinfo);
171
+
pr_info("error: `%s'\n", (const char *)par->targinfo);
173
172
174
173
return NF_DROP;
175
174
}
···
321
322
const struct net_device *out,
322
323
struct xt_table *table)
323
324
{
324
-
#define tb_comefrom ((struct ipt_entry *)table_base)->comefrom
325
-
326
325
static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
327
326
const struct iphdr *ip;
328
327
bool hotdrop = false;
···
328
331
unsigned int verdict = NF_DROP;
329
332
const char *indev, *outdev;
330
333
const void *table_base;
331
-
struct ipt_entry *e, *back;
334
+
struct ipt_entry *e, **jumpstack;
335
+
unsigned int *stackptr, origptr, cpu;
332
336
const struct xt_table_info *private;
333
337
struct xt_match_param mtpar;
334
338
struct xt_target_param tgpar;
···
355
357
IP_NF_ASSERT(table->valid_hooks & (1 << hook));
356
358
xt_info_rdlock_bh();
357
359
private = table->private;
358
-
table_base = private->entries[smp_processor_id()];
360
+
cpu = smp_processor_id();
361
+
table_base = private->entries[cpu];
362
+
jumpstack = (struct ipt_entry **)private->jumpstack[cpu];
363
+
stackptr = &private->stackptr[cpu];
364
+
origptr = *stackptr;
359
365
360
366
e = get_entry(table_base, private->hook_entry[hook]);
361
367
362
-
/* For return from builtin chain */
363
-
back = get_entry(table_base, private->underflow[hook]);
368
+
pr_debug("Entering %s(hook %u); sp at %u (UF %p)\n",
369
+
table->name, hook, origptr,
370
+
get_entry(table_base, private->underflow[hook]));
364
371
365
372
do {
366
373
const struct ipt_entry_target *t;
367
374
const struct xt_entry_match *ematch;
368
375
369
376
IP_NF_ASSERT(e);
370
-
IP_NF_ASSERT(back);
371
377
if (!ip_packet_match(ip, indev, outdev,
372
378
&e->ip, mtpar.fragoff)) {
373
379
no_match:
···
406
404
verdict = (unsigned)(-v) - 1;
407
405
break;
408
406
}
409
-
e = back;
410
-
back = get_entry(table_base, back->comefrom);
407
+
if (*stackptr == 0) {
408
+
e = get_entry(table_base,
409
+
private->underflow[hook]);
410
+
pr_debug("Underflow (this is normal) "
411
+
"to %p\n", e);
412
+
} else {
413
+
e = jumpstack[--*stackptr];
414
+
pr_debug("Pulled %p out from pos %u\n",
415
+
e, *stackptr);
416
+
e = ipt_next_entry(e);
417
+
}
411
418
continue;
412
419
}
413
420
if (table_base + v != ipt_next_entry(e) &&
414
421
!(e->ip.flags & IPT_F_GOTO)) {
415
-
/* Save old back ptr in next entry */
416
-
struct ipt_entry *next = ipt_next_entry(e);
417
-
next->comefrom = (void *)back - table_base;
418
-
/* set back pointer to next entry */
419
-
back = next;
422
+
if (*stackptr >= private->stacksize) {
423
+
verdict = NF_DROP;
424
+
break;
425
+
}
426
+
jumpstack[(*stackptr)++] = e;
427
+
pr_debug("Pushed %p into pos %u\n",
428
+
e, *stackptr - 1);
420
429
}
421
430
422
431
e = get_entry(table_base, v);
423
432
continue;
424
433
}
425
434
426
-
/* Targets which reenter must return
427
-
abs. verdicts */
428
435
tgpar.target = t->u.kernel.target;
429
436
tgpar.targinfo = t->data;
430
437
431
438
432
-
#ifdef CONFIG_NETFILTER_DEBUG
433
-
tb_comefrom = 0xeeeeeeec;
434
-
#endif
435
439
verdict = t->u.kernel.target->target(skb, &tgpar);
436
-
#ifdef CONFIG_NETFILTER_DEBUG
437
-
if (tb_comefrom != 0xeeeeeeec && verdict == IPT_CONTINUE) {
438
-
printk("Target %s reentered!\n",
439
-
t->u.kernel.target->name);
440
-
verdict = NF_DROP;
441
-
}
442
-
tb_comefrom = 0x57acc001;
443
-
#endif
444
440
/* Target might have changed stuff. */
445
441
ip = ip_hdr(skb);
446
442
if (verdict == IPT_CONTINUE)
···
448
448
break;
449
449
} while (!hotdrop);
450
450
xt_info_rdunlock_bh();
451
-
451
+
pr_debug("Exiting %s; resetting sp from %u to %u\n",
452
+
__func__, *stackptr, origptr);
453
+
*stackptr = origptr;
452
454
#ifdef DEBUG_ALLOW_ALL
453
455
return NF_ACCEPT;
454
456
#else
···
458
456
return NF_DROP;
459
457
else return verdict;
460
458
#endif
461
-
462
-
#undef tb_comefrom
463
459
}
464
460
465
461
/* Figures out from what hook each rule can be called: returns 0 if
···
591
591
const struct ipt_entry_target *t;
592
592
593
593
if (!ip_checkentry(&e->ip)) {
594
-
duprintf("ip_tables: ip check failed %p %s.\n", e, name);
594
+
duprintf("ip check failed %p %s.\n", e, name);
595
595
return -EINVAL;
596
596
}
597
597
···
618
618
ret = xt_check_match(par, m->u.match_size - sizeof(*m),
619
619
ip->proto, ip->invflags & IPT_INV_PROTO);
620
620
if (ret < 0) {
621
-
duprintf("ip_tables: check failed for `%s'.\n",
622
-
par.match->name);
621
+
duprintf("check failed for `%s'.\n", par.match->name);
623
622
return ret;
624
623
}
625
624
return 0;
···
630
631
struct xt_match *match;
631
632
int ret;
632
633
633
-
match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name,
634
-
m->u.user.revision),
635
-
"ipt_%s", m->u.user.name);
636
-
if (IS_ERR(match) || !match) {
634
+
match = xt_request_find_match(NFPROTO_IPV4, m->u.user.name,
635
+
m->u.user.revision);
636
+
if (IS_ERR(match)) {
637
637
duprintf("find_check_match: `%s' not found\n", m->u.user.name);
638
-
return match ? PTR_ERR(match) : -ENOENT;
638
+
return PTR_ERR(match);
639
639
}
640
640
m->u.kernel.match = match;
641
641
···
665
667
ret = xt_check_target(&par, t->u.target_size - sizeof(*t),
666
668
e->ip.proto, e->ip.invflags & IPT_INV_PROTO);
667
669
if (ret < 0) {
668
-
duprintf("ip_tables: check failed for `%s'.\n",
670
+
duprintf("check failed for `%s'.\n",
669
671
t->u.kernel.target->name);
670
672
return ret;
671
673
}
···
701
703
}
702
704
703
705
t = ipt_get_target(e);
704
-
target = try_then_request_module(xt_find_target(AF_INET,
705
-
t->u.user.name,
706
-
t->u.user.revision),
707
-
"ipt_%s", t->u.user.name);
708
-
if (IS_ERR(target) || !target) {
706
+
target = xt_request_find_target(NFPROTO_IPV4, t->u.user.name,
707
+
t->u.user.revision);
708
+
if (IS_ERR(target)) {
709
709
duprintf("find_check_entry: `%s' not found\n", t->u.user.name);
710
-
ret = target ? PTR_ERR(target) : -ENOENT;
710
+
ret = PTR_ERR(target);
711
711
goto cleanup_matches;
712
712
}
713
713
t->u.kernel.target = target;
···
839
843
if (ret != 0)
840
844
return ret;
841
845
++i;
846
+
if (strcmp(ipt_get_target(iter)->u.user.name,
847
+
XT_ERROR_TARGET) == 0)
848
+
++newinfo->stacksize;
842
849
}
843
850
844
851
if (i != repl->num_entries) {
···
1310
1311
if (ret != 0)
1311
1312
goto free_newinfo;
1312
1313
1313
-
duprintf("ip_tables: Translated table\n");
1314
+
duprintf("Translated table\n");
1314
1315
1315
1316
ret = __do_replace(net, tmp.name, tmp.valid_hooks, newinfo,
1316
1317
tmp.num_counters, tmp.counters);
···
1475
1476
{
1476
1477
struct xt_match *match;
1477
1478
1478
-
match = try_then_request_module(xt_find_match(AF_INET, m->u.user.name,
1479
-
m->u.user.revision),
1480
-
"ipt_%s", m->u.user.name);
1481
-
if (IS_ERR(match) || !match) {
1479
+
match = xt_request_find_match(NFPROTO_IPV4, m->u.user.name,
1480
+
m->u.user.revision);
1481
+
if (IS_ERR(match)) {
1482
1482
duprintf("compat_check_calc_match: `%s' not found\n",
1483
1483
m->u.user.name);
1484
-
return match ? PTR_ERR(match) : -ENOENT;
1484
+
return PTR_ERR(match);
1485
1485
}
1486
1486
m->u.kernel.match = match;
1487
1487
*size += xt_compat_match_offset(match);
···
1547
1549
}
1548
1550
1549
1551
t = compat_ipt_get_target(e);
1550
-
target = try_then_request_module(xt_find_target(AF_INET,
1551
-
t->u.user.name,
1552
-
t->u.user.revision),
1553
-
"ipt_%s", t->u.user.name);
1554
-
if (IS_ERR(target) || !target) {
1552
+
target = xt_request_find_target(NFPROTO_IPV4, t->u.user.name,
1553
+
t->u.user.revision);
1554
+
if (IS_ERR(target)) {
1555
1555
duprintf("check_compat_entry_size_and_hooks: `%s' not found\n",
1556
1556
t->u.user.name);
1557
-
ret = target ? PTR_ERR(target) : -ENOENT;
1557
+
ret = PTR_ERR(target);
1558
1558
goto release_matches;
1559
1559
}
1560
1560
t->u.kernel.target = target;
···
2090
2094
{
2091
2095
int ret;
2092
2096
struct xt_table_info *newinfo;
2093
-
struct xt_table_info bootstrap
2094
-
= { 0, 0, 0, { 0 }, { 0 }, { } };
2097
+
struct xt_table_info bootstrap = {0};
2095
2098
void *loc_cpu_entry;
2096
2099
struct xt_table *new_table;
2097
2100
···
2179
2184
!!(icmpinfo->invflags&IPT_ICMP_INV));
2180
2185
}
2181
2186
2182
-
static bool icmp_checkentry(const struct xt_mtchk_param *par)
2187
+
static int icmp_checkentry(const struct xt_mtchk_param *par)
2183
2188
{
2184
2189
const struct ipt_icmp *icmpinfo = par->matchinfo;
2185
2190
2186
2191
/* Must specify no unknown invflags */
2187
-
return !(icmpinfo->invflags & ~IPT_ICMP_INV);
2192
+
return (icmpinfo->invflags & ~IPT_ICMP_INV) ? -EINVAL : 0;
2188
2193
}
2189
2194
2190
2195
/* The built-in targets: standard (NULL) and error. */
···
2271
2276
if (ret < 0)
2272
2277
goto err5;
2273
2278
2274
-
printk(KERN_INFO "ip_tables: (C) 2000-2006 Netfilter Core Team\n");
2279
+
pr_info("(C) 2000-2006 Netfilter Core Team\n");
2275
2280
return 0;
2276
2281
2277
2282
err5:
+35
-36
net/ipv4/netfilter/ipt_CLUSTERIP.c
+35
-36
net/ipv4/netfilter/ipt_CLUSTERIP.c
···
9
9
* published by the Free Software Foundation.
10
10
*
11
11
*/
12
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
12
13
#include <linux/module.h>
13
14
#include <linux/proc_fs.h>
14
15
#include <linux/jhash.h>
···
240
239
break;
241
240
default:
242
241
if (net_ratelimit())
243
-
printk(KERN_NOTICE "CLUSTERIP: unknown protocol `%u'\n",
244
-
iph->protocol);
242
+
pr_info("unknown protocol %u\n", iph->protocol);
245
243
sport = dport = 0;
246
244
}
247
245
···
262
262
hashval = 0;
263
263
/* This cannot happen, unless the check function wasn't called
264
264
* at rule load time */
265
-
printk("CLUSTERIP: unknown mode `%u'\n", config->hash_mode);
265
+
pr_info("unknown mode %u\n", config->hash_mode);
266
266
BUG();
267
267
break;
268
268
}
···
295
295
296
296
ct = nf_ct_get(skb, &ctinfo);
297
297
if (ct == NULL) {
298
-
printk(KERN_ERR "CLUSTERIP: no conntrack!\n");
298
+
pr_info("no conntrack!\n");
299
299
/* FIXME: need to drop invalid ones, since replies
300
300
* to outgoing connections of other nodes will be
301
301
* marked as INVALID */
···
348
348
return XT_CONTINUE;
349
349
}
350
350
351
-
static bool clusterip_tg_check(const struct xt_tgchk_param *par)
351
+
static int clusterip_tg_check(const struct xt_tgchk_param *par)
352
352
{
353
353
struct ipt_clusterip_tgt_info *cipinfo = par->targinfo;
354
354
const struct ipt_entry *e = par->entryinfo;
355
-
356
355
struct clusterip_config *config;
356
+
int ret;
357
357
358
358
if (cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP &&
359
359
cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP_SPT &&
360
360
cipinfo->hash_mode != CLUSTERIP_HASHMODE_SIP_SPT_DPT) {
361
-
printk(KERN_WARNING "CLUSTERIP: unknown mode `%u'\n",
362
-
cipinfo->hash_mode);
363
-
return false;
361
+
pr_info("unknown mode %u\n", cipinfo->hash_mode);
362
+
return -EINVAL;
364
363
365
364
}
366
365
if (e->ip.dmsk.s_addr != htonl(0xffffffff) ||
367
366
e->ip.dst.s_addr == 0) {
368
-
printk(KERN_ERR "CLUSTERIP: Please specify destination IP\n");
369
-
return false;
367
+
pr_info("Please specify destination IP\n");
368
+
return -EINVAL;
370
369
}
371
370
372
371
/* FIXME: further sanity checks */
···
373
374
config = clusterip_config_find_get(e->ip.dst.s_addr, 1);
374
375
if (!config) {
375
376
if (!(cipinfo->flags & CLUSTERIP_FLAG_NEW)) {
376
-
printk(KERN_WARNING "CLUSTERIP: no config found for %pI4, need 'new'\n", &e->ip.dst.s_addr);
377
-
return false;
377
+
pr_info("no config found for %pI4, need 'new'\n",
378
+
&e->ip.dst.s_addr);
379
+
return -EINVAL;
378
380
} else {
379
381
struct net_device *dev;
380
382
381
383
if (e->ip.iniface[0] == '\0') {
382
-
printk(KERN_WARNING "CLUSTERIP: Please specify an interface name\n");
383
-
return false;
384
+
pr_info("Please specify an interface name\n");
385
+
return -EINVAL;
384
386
}
385
387
386
388
dev = dev_get_by_name(&init_net, e->ip.iniface);
387
389
if (!dev) {
388
-
printk(KERN_WARNING "CLUSTERIP: no such interface %s\n", e->ip.iniface);
389
-
return false;
390
+
pr_info("no such interface %s\n",
391
+
e->ip.iniface);
392
+
return -ENOENT;
390
393
}
391
394
392
395
config = clusterip_config_init(cipinfo,
393
396
e->ip.dst.s_addr, dev);
394
397
if (!config) {
395
-
printk(KERN_WARNING "CLUSTERIP: cannot allocate config\n");
398
+
pr_info("cannot allocate config\n");
396
399
dev_put(dev);
397
-
return false;
400
+
return -ENOMEM;
398
401
}
399
402
dev_mc_add(config->dev, config->clustermac);
400
403
}
401
404
}
402
405
cipinfo->config = config;
403
406
404
-
if (nf_ct_l3proto_try_module_get(par->target->family) < 0) {
405
-
printk(KERN_WARNING "can't load conntrack support for "
406
-
"proto=%u\n", par->target->family);
407
-
return false;
408
-
}
409
-
410
-
return true;
407
+
ret = nf_ct_l3proto_try_module_get(par->family);
408
+
if (ret < 0)
409
+
pr_info("cannot load conntrack support for proto=%u\n",
410
+
par->family);
411
+
return ret;
411
412
}
412
413
413
414
/* drop reference count of cluster config when rule is deleted */
···
421
422
422
423
clusterip_config_put(cipinfo->config);
423
424
424
-
nf_ct_l3proto_module_put(par->target->family);
425
+
nf_ct_l3proto_module_put(par->family);
425
426
}
426
427
427
428
#ifdef CONFIG_COMPAT
···
478
479
}
479
480
hbuffer[--k]='\0';
480
481
481
-
printk("src %pI4@%s, dst %pI4\n",
482
-
&payload->src_ip, hbuffer, &payload->dst_ip);
482
+
pr_debug("src %pI4@%s, dst %pI4\n",
483
+
&payload->src_ip, hbuffer, &payload->dst_ip);
483
484
}
484
485
#endif
485
486
···
518
519
* this wouldn't work, since we didn't subscribe the mcast group on
519
520
* other interfaces */
520
521
if (c->dev != out) {
521
-
pr_debug("CLUSTERIP: not mangling arp reply on different "
522
+
pr_debug("not mangling arp reply on different "
522
523
"interface: cip'%s'-skb'%s'\n",
523
524
c->dev->name, out->name);
524
525
clusterip_config_put(c);
···
529
530
memcpy(payload->src_hw, c->clustermac, arp->ar_hln);
530
531
531
532
#ifdef DEBUG
532
-
pr_debug(KERN_DEBUG "CLUSTERIP mangled arp reply: ");
533
+
pr_debug("mangled arp reply: ");
533
534
arp_print(payload);
534
535
#endif
535
536
···
600
601
601
602
static void clusterip_seq_stop(struct seq_file *s, void *v)
602
603
{
603
-
kfree(v);
604
+
if (!IS_ERR(v))
605
+
kfree(v);
604
606
}
605
607
606
608
static int clusterip_seq_show(struct seq_file *s, void *v)
···
706
706
#ifdef CONFIG_PROC_FS
707
707
clusterip_procdir = proc_mkdir("ipt_CLUSTERIP", init_net.proc_net);
708
708
if (!clusterip_procdir) {
709
-
printk(KERN_ERR "CLUSTERIP: Unable to proc dir entry\n");
709
+
pr_err("Unable to proc dir entry\n");
710
710
ret = -ENOMEM;
711
711
goto cleanup_hook;
712
712
}
713
713
#endif /* CONFIG_PROC_FS */
714
714
715
-
printk(KERN_NOTICE "ClusterIP Version %s loaded successfully\n",
715
+
pr_info("ClusterIP Version %s loaded successfully\n",
716
716
CLUSTERIP_VERSION);
717
717
return 0;
718
718
···
727
727
728
728
static void __exit clusterip_tg_exit(void)
729
729
{
730
-
printk(KERN_NOTICE "ClusterIP Version %s unloading\n",
731
-
CLUSTERIP_VERSION);
730
+
pr_info("ClusterIP Version %s unloading\n", CLUSTERIP_VERSION);
732
731
#ifdef CONFIG_PROC_FS
733
732
remove_proc_entry(clusterip_procdir->name, clusterip_procdir->parent);
734
733
#endif
+9
-12
net/ipv4/netfilter/ipt_ECN.c
+9
-12
net/ipv4/netfilter/ipt_ECN.c
···
6
6
* it under the terms of the GNU General Public License version 2 as
7
7
* published by the Free Software Foundation.
8
8
*/
9
-
9
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
10
10
#include <linux/in.h>
11
11
#include <linux/module.h>
12
12
#include <linux/skbuff.h>
···
93
93
return XT_CONTINUE;
94
94
}
95
95
96
-
static bool ecn_tg_check(const struct xt_tgchk_param *par)
96
+
static int ecn_tg_check(const struct xt_tgchk_param *par)
97
97
{
98
98
const struct ipt_ECN_info *einfo = par->targinfo;
99
99
const struct ipt_entry *e = par->entryinfo;
100
100
101
101
if (einfo->operation & IPT_ECN_OP_MASK) {
102
-
printk(KERN_WARNING "ECN: unsupported ECN operation %x\n",
103
-
einfo->operation);
104
-
return false;
102
+
pr_info("unsupported ECN operation %x\n", einfo->operation);
103
+
return -EINVAL;
105
104
}
106
105
if (einfo->ip_ect & ~IPT_ECN_IP_MASK) {
107
-
printk(KERN_WARNING "ECN: new ECT codepoint %x out of mask\n",
108
-
einfo->ip_ect);
109
-
return false;
106
+
pr_info("new ECT codepoint %x out of mask\n", einfo->ip_ect);
107
+
return -EINVAL;
110
108
}
111
109
if ((einfo->operation & (IPT_ECN_OP_SET_ECE|IPT_ECN_OP_SET_CWR)) &&
112
110
(e->ip.proto != IPPROTO_TCP || (e->ip.invflags & XT_INV_PROTO))) {
113
-
printk(KERN_WARNING "ECN: cannot use TCP operations on a "
114
-
"non-tcp rule\n");
115
-
return false;
111
+
pr_info("cannot use TCP operations on a non-tcp rule\n");
112
+
return -EINVAL;
116
113
}
117
-
return true;
114
+
return 0;
118
115
}
119
116
120
117
static struct xt_target ecn_tg_reg __read_mostly = {
+8
-9
net/ipv4/netfilter/ipt_LOG.c
+8
-9
net/ipv4/netfilter/ipt_LOG.c
···
9
9
* it under the terms of the GNU General Public License version 2 as
10
10
* published by the Free Software Foundation.
11
11
*/
12
-
12
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
13
13
#include <linux/module.h>
14
14
#include <linux/spinlock.h>
15
15
#include <linux/skbuff.h>
···
367
367
.type = NF_LOG_TYPE_LOG,
368
368
.u = {
369
369
.log = {
370
-
.level = 0,
370
+
.level = 5,
371
371
.logflags = NF_LOG_MASK,
372
372
},
373
373
},
···
439
439
return XT_CONTINUE;
440
440
}
441
441
442
-
static bool log_tg_check(const struct xt_tgchk_param *par)
442
+
static int log_tg_check(const struct xt_tgchk_param *par)
443
443
{
444
444
const struct ipt_log_info *loginfo = par->targinfo;
445
445
446
446
if (loginfo->level >= 8) {
447
-
pr_debug("LOG: level %u >= 8\n", loginfo->level);
448
-
return false;
447
+
pr_debug("level %u >= 8\n", loginfo->level);
448
+
return -EINVAL;
449
449
}
450
450
if (loginfo->prefix[sizeof(loginfo->prefix)-1] != '\0') {
451
-
pr_debug("LOG: prefix term %i\n",
452
-
loginfo->prefix[sizeof(loginfo->prefix)-1]);
453
-
return false;
451
+
pr_debug("prefix is not null-terminated\n");
452
+
return -EINVAL;
454
453
}
455
-
return true;
454
+
return 0;
456
455
}
457
456
458
457
static struct xt_target log_tg_reg __read_mostly = {
+8
-8
net/ipv4/netfilter/ipt_MASQUERADE.c
+8
-8
net/ipv4/netfilter/ipt_MASQUERADE.c
···
8
8
* it under the terms of the GNU General Public License version 2 as
9
9
* published by the Free Software Foundation.
10
10
*/
11
-
11
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
12
12
#include <linux/types.h>
13
13
#include <linux/inetdevice.h>
14
14
#include <linux/ip.h>
···
28
28
MODULE_DESCRIPTION("Xtables: automatic-address SNAT");
29
29
30
30
/* FIXME: Multiple targets. --RR */
31
-
static bool masquerade_tg_check(const struct xt_tgchk_param *par)
31
+
static int masquerade_tg_check(const struct xt_tgchk_param *par)
32
32
{
33
33
const struct nf_nat_multi_range_compat *mr = par->targinfo;
34
34
35
35
if (mr->range[0].flags & IP_NAT_RANGE_MAP_IPS) {
36
-
pr_debug("masquerade_check: bad MAP_IPS.\n");
37
-
return false;
36
+
pr_debug("bad MAP_IPS.\n");
37
+
return -EINVAL;
38
38
}
39
39
if (mr->rangesize != 1) {
40
-
pr_debug("masquerade_check: bad rangesize %u\n", mr->rangesize);
41
-
return false;
40
+
pr_debug("bad rangesize %u\n", mr->rangesize);
41
+
return -EINVAL;
42
42
}
43
-
return true;
43
+
return 0;
44
44
}
45
45
46
46
static unsigned int
···
72
72
rt = skb_rtable(skb);
73
73
newsrc = inet_select_addr(par->out, rt->rt_gateway, RT_SCOPE_UNIVERSE);
74
74
if (!newsrc) {
75
-
printk("MASQUERADE: %s ate my IP address\n", par->out->name);
75
+
pr_info("%s ate my IP address\n", par->out->name);
76
76
return NF_DROP;
77
77
}
78
78
+7
-7
net/ipv4/netfilter/ipt_NETMAP.c
+7
-7
net/ipv4/netfilter/ipt_NETMAP.c
···
9
9
* it under the terms of the GNU General Public License version 2 as
10
10
* published by the Free Software Foundation.
11
11
*/
12
-
12
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
13
13
#include <linux/ip.h>
14
14
#include <linux/module.h>
15
15
#include <linux/netdevice.h>
···
22
22
MODULE_AUTHOR("Svenning Soerensen <svenning@post5.tele.dk>");
23
23
MODULE_DESCRIPTION("Xtables: 1:1 NAT mapping of IPv4 subnets");
24
24
25
-
static bool netmap_tg_check(const struct xt_tgchk_param *par)
25
+
static int netmap_tg_check(const struct xt_tgchk_param *par)
26
26
{
27
27
const struct nf_nat_multi_range_compat *mr = par->targinfo;
28
28
29
29
if (!(mr->range[0].flags & IP_NAT_RANGE_MAP_IPS)) {
30
-
pr_debug("NETMAP:check: bad MAP_IPS.\n");
31
-
return false;
30
+
pr_debug("bad MAP_IPS.\n");
31
+
return -EINVAL;
32
32
}
33
33
if (mr->rangesize != 1) {
34
-
pr_debug("NETMAP:check: bad rangesize %u.\n", mr->rangesize);
35
-
return false;
34
+
pr_debug("bad rangesize %u.\n", mr->rangesize);
35
+
return -EINVAL;
36
36
}
37
-
return true;
37
+
return 0;
38
38
}
39
39
40
40
static unsigned int
+7
-7
net/ipv4/netfilter/ipt_REDIRECT.c
+7
-7
net/ipv4/netfilter/ipt_REDIRECT.c
···
6
6
* it under the terms of the GNU General Public License version 2 as
7
7
* published by the Free Software Foundation.
8
8
*/
9
-
9
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
10
10
#include <linux/types.h>
11
11
#include <linux/ip.h>
12
12
#include <linux/timer.h>
···
26
26
MODULE_DESCRIPTION("Xtables: Connection redirection to localhost");
27
27
28
28
/* FIXME: Take multiple ranges --RR */
29
-
static bool redirect_tg_check(const struct xt_tgchk_param *par)
29
+
static int redirect_tg_check(const struct xt_tgchk_param *par)
30
30
{
31
31
const struct nf_nat_multi_range_compat *mr = par->targinfo;
32
32
33
33
if (mr->range[0].flags & IP_NAT_RANGE_MAP_IPS) {
34
-
pr_debug("redirect_check: bad MAP_IPS.\n");
35
-
return false;
34
+
pr_debug("bad MAP_IPS.\n");
35
+
return -EINVAL;
36
36
}
37
37
if (mr->rangesize != 1) {
38
-
pr_debug("redirect_check: bad rangesize %u.\n", mr->rangesize);
39
-
return false;
38
+
pr_debug("bad rangesize %u.\n", mr->rangesize);
39
+
return -EINVAL;
40
40
}
41
-
return true;
41
+
return 0;
42
42
}
43
43
44
44
static unsigned int
+7
-10
net/ipv4/netfilter/ipt_REJECT.c
+7
-10
net/ipv4/netfilter/ipt_REJECT.c
···
9
9
* it under the terms of the GNU General Public License version 2 as
10
10
* published by the Free Software Foundation.
11
11
*/
12
-
12
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
13
13
#include <linux/module.h>
14
14
#include <linux/skbuff.h>
15
15
#include <linux/slab.h>
···
140
140
{
141
141
const struct ipt_reject_info *reject = par->targinfo;
142
142
143
-
/* WARNING: This code causes reentry within iptables.
144
-
This means that the iptables jump stack is now crap. We
145
-
must return an absolute verdict. --RR */
146
143
switch (reject->with) {
147
144
case IPT_ICMP_NET_UNREACHABLE:
148
145
send_unreach(skb, ICMP_NET_UNREACH);
···
172
175
return NF_DROP;
173
176
}
174
177
175
-
static bool reject_tg_check(const struct xt_tgchk_param *par)
178
+
static int reject_tg_check(const struct xt_tgchk_param *par)
176
179
{
177
180
const struct ipt_reject_info *rejinfo = par->targinfo;
178
181
const struct ipt_entry *e = par->entryinfo;
179
182
180
183
if (rejinfo->with == IPT_ICMP_ECHOREPLY) {
181
-
printk("ipt_REJECT: ECHOREPLY no longer supported.\n");
182
-
return false;
184
+
pr_info("ECHOREPLY no longer supported.\n");
185
+
return -EINVAL;
183
186
} else if (rejinfo->with == IPT_TCP_RESET) {
184
187
/* Must specify that it's a TCP packet */
185
188
if (e->ip.proto != IPPROTO_TCP ||
186
189
(e->ip.invflags & XT_INV_PROTO)) {
187
-
printk("ipt_REJECT: TCP_RESET invalid for non-tcp\n");
188
-
return false;
190
+
pr_info("TCP_RESET invalid for non-tcp\n");
191
+
return -EINVAL;
189
192
}
190
193
}
191
-
return true;
194
+
return 0;
192
195
}
193
196
194
197
static struct xt_target reject_tg_reg __read_mostly = {
+19
-26
net/ipv4/netfilter/ipt_ULOG.c
+19
-26
net/ipv4/netfilter/ipt_ULOG.c
···
29
29
* Specify, after how many hundredths of a second the queue should be
30
30
* flushed even if it is not full yet.
31
31
*/
32
-
32
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
33
33
#include <linux/module.h>
34
34
#include <linux/spinlock.h>
35
35
#include <linux/socket.h>
···
56
56
57
57
#define ULOG_NL_EVENT 111 /* Harald's favorite number */
58
58
#define ULOG_MAXNLGROUPS 32 /* numer of nlgroups */
59
-
60
-
#define PRINTR(format, args...) do { if (net_ratelimit()) printk(format , ## args); } while (0)
61
59
62
60
static unsigned int nlbufsiz = NLMSG_GOODSIZE;
63
61
module_param(nlbufsiz, uint, 0400);
···
89
91
ulog_buff_t *ub = &ulog_buffers[nlgroupnum];
90
92
91
93
if (timer_pending(&ub->timer)) {
92
-
pr_debug("ipt_ULOG: ulog_send: timer was pending, deleting\n");
94
+
pr_debug("ulog_send: timer was pending, deleting\n");
93
95
del_timer(&ub->timer);
94
96
}
95
97
96
98
if (!ub->skb) {
97
-
pr_debug("ipt_ULOG: ulog_send: nothing to send\n");
99
+
pr_debug("ulog_send: nothing to send\n");
98
100
return;
99
101
}
100
102
···
103
105
ub->lastnlh->nlmsg_type = NLMSG_DONE;
104
106
105
107
NETLINK_CB(ub->skb).dst_group = nlgroupnum + 1;
106
-
pr_debug("ipt_ULOG: throwing %d packets to netlink group %u\n",
108
+
pr_debug("throwing %d packets to netlink group %u\n",
107
109
ub->qlen, nlgroupnum + 1);
108
110
netlink_broadcast(nflognl, ub->skb, 0, nlgroupnum + 1, GFP_ATOMIC);
109
111
···
116
118
/* timer function to flush queue in flushtimeout time */
117
119
static void ulog_timer(unsigned long data)
118
120
{
119
-
pr_debug("ipt_ULOG: timer function called, calling ulog_send\n");
121
+
pr_debug("timer function called, calling ulog_send\n");
120
122
121
123
/* lock to protect against somebody modifying our structure
122
124
* from ipt_ulog_target at the same time */
···
137
139
n = max(size, nlbufsiz);
138
140
skb = alloc_skb(n, GFP_ATOMIC);
139
141
if (!skb) {
140
-
PRINTR("ipt_ULOG: can't alloc whole buffer %ub!\n", n);
142
+
pr_debug("cannot alloc whole buffer %ub!\n", n);
141
143
142
144
if (n > size) {
143
145
/* try to allocate only as much as we need for
···
145
147
146
148
skb = alloc_skb(size, GFP_ATOMIC);
147
149
if (!skb)
148
-
PRINTR("ipt_ULOG: can't even allocate %ub\n",
149
-
size);
150
+
pr_debug("cannot even allocate %ub\n", size);
150
151
}
151
152
}
152
153
···
196
199
goto alloc_failure;
197
200
}
198
201
199
-
pr_debug("ipt_ULOG: qlen %d, qthreshold %Zu\n", ub->qlen,
200
-
loginfo->qthreshold);
202
+
pr_debug("qlen %d, qthreshold %Zu\n", ub->qlen, loginfo->qthreshold);
201
203
202
204
/* NLMSG_PUT contains a hidden goto nlmsg_failure !!! */
203
205
nlh = NLMSG_PUT(ub->skb, 0, ub->qlen, ULOG_NL_EVENT,
···
269
273
return;
270
274
271
275
nlmsg_failure:
272
-
PRINTR("ipt_ULOG: error during NLMSG_PUT\n");
273
-
276
+
pr_debug("error during NLMSG_PUT\n");
274
277
alloc_failure:
275
-
PRINTR("ipt_ULOG: Error building netlink message\n");
276
-
278
+
pr_debug("Error building netlink message\n");
277
279
spin_unlock_bh(&ulog_lock);
278
280
}
279
281
···
308
314
ipt_ulog_packet(hooknum, skb, in, out, &loginfo, prefix);
309
315
}
310
316
311
-
static bool ulog_tg_check(const struct xt_tgchk_param *par)
317
+
static int ulog_tg_check(const struct xt_tgchk_param *par)
312
318
{
313
319
const struct ipt_ulog_info *loginfo = par->targinfo;
314
320
315
321
if (loginfo->prefix[sizeof(loginfo->prefix) - 1] != '\0') {
316
-
pr_debug("ipt_ULOG: prefix term %i\n",
317
-
loginfo->prefix[sizeof(loginfo->prefix) - 1]);
318
-
return false;
322
+
pr_debug("prefix not null-terminated\n");
323
+
return -EINVAL;
319
324
}
320
325
if (loginfo->qthreshold > ULOG_MAX_QLEN) {
321
-
pr_debug("ipt_ULOG: queue threshold %Zu > MAX_QLEN\n",
326
+
pr_debug("queue threshold %Zu > MAX_QLEN\n",
322
327
loginfo->qthreshold);
323
-
return false;
328
+
return -EINVAL;
324
329
}
325
-
return true;
330
+
return 0;
326
331
}
327
332
328
333
#ifdef CONFIG_COMPAT
···
383
390
{
384
391
int ret, i;
385
392
386
-
pr_debug("ipt_ULOG: init module\n");
393
+
pr_debug("init module\n");
387
394
388
395
if (nlbufsiz > 128*1024) {
389
-
printk("Netlink buffer has to be <= 128kB\n");
396
+
pr_warning("Netlink buffer has to be <= 128kB\n");
390
397
return -EINVAL;
391
398
}
392
399
···
416
423
ulog_buff_t *ub;
417
424
int i;
418
425
419
-
pr_debug("ipt_ULOG: cleanup_module\n");
426
+
pr_debug("cleanup_module\n");
420
427
421
428
if (nflog)
422
429
nf_log_unregister(&ipt_ulog_logger);
+12
-12
net/ipv4/netfilter/ipt_addrtype.c
+12
-12
net/ipv4/netfilter/ipt_addrtype.c
···
8
8
* it under the terms of the GNU General Public License version 2 as
9
9
* published by the Free Software Foundation.
10
10
*/
11
-
11
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
12
12
#include <linux/kernel.h>
13
13
#include <linux/module.h>
14
14
#include <linux/skbuff.h>
···
70
70
return ret;
71
71
}
72
72
73
-
static bool addrtype_mt_checkentry_v1(const struct xt_mtchk_param *par)
73
+
static int addrtype_mt_checkentry_v1(const struct xt_mtchk_param *par)
74
74
{
75
75
struct ipt_addrtype_info_v1 *info = par->matchinfo;
76
76
77
77
if (info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN &&
78
78
info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) {
79
-
printk(KERN_ERR "ipt_addrtype: both incoming and outgoing "
80
-
"interface limitation cannot be selected\n");
81
-
return false;
79
+
pr_info("both incoming and outgoing "
80
+
"interface limitation cannot be selected\n");
81
+
return -EINVAL;
82
82
}
83
83
84
84
if (par->hook_mask & ((1 << NF_INET_PRE_ROUTING) |
85
85
(1 << NF_INET_LOCAL_IN)) &&
86
86
info->flags & IPT_ADDRTYPE_LIMIT_IFACE_OUT) {
87
-
printk(KERN_ERR "ipt_addrtype: output interface limitation "
88
-
"not valid in PRE_ROUTING and INPUT\n");
89
-
return false;
87
+
pr_info("output interface limitation "
88
+
"not valid in PREROUTING and INPUT\n");
89
+
return -EINVAL;
90
90
}
91
91
92
92
if (par->hook_mask & ((1 << NF_INET_POST_ROUTING) |
93
93
(1 << NF_INET_LOCAL_OUT)) &&
94
94
info->flags & IPT_ADDRTYPE_LIMIT_IFACE_IN) {
95
-
printk(KERN_ERR "ipt_addrtype: input interface limitation "
96
-
"not valid in POST_ROUTING and OUTPUT\n");
97
-
return false;
95
+
pr_info("input interface limitation "
96
+
"not valid in POSTROUTING and OUTPUT\n");
97
+
return -EINVAL;
98
98
}
99
99
100
-
return true;
100
+
return 0;
101
101
}
102
102
103
103
static struct xt_match addrtype_mt_reg[] __read_mostly = {
+9
-15
net/ipv4/netfilter/ipt_ah.c
+9
-15
net/ipv4/netfilter/ipt_ah.c
···
5
5
* it under the terms of the GNU General Public License version 2 as
6
6
* published by the Free Software Foundation.
7
7
*/
8
-
8
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
9
9
#include <linux/in.h>
10
10
#include <linux/module.h>
11
11
#include <linux/skbuff.h>
···
18
18
MODULE_AUTHOR("Yon Uriarte <yon@astaro.de>");
19
19
MODULE_DESCRIPTION("Xtables: IPv4 IPsec-AH SPI match");
20
20
21
-
#ifdef DEBUG_CONNTRACK
22
-
#define duprintf(format, args...) printk(format , ## args)
23
-
#else
24
-
#define duprintf(format, args...)
25
-
#endif
26
-
27
21
/* Returns 1 if the spi is matched by the range, 0 otherwise */
28
22
static inline bool
29
23
spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert)
30
24
{
31
25
bool r;
32
-
duprintf("ah spi_match:%c 0x%x <= 0x%x <= 0x%x",invert? '!':' ',
33
-
min,spi,max);
26
+
pr_debug("spi_match:%c 0x%x <= 0x%x <= 0x%x\n",
27
+
invert ? '!' : ' ', min, spi, max);
34
28
r=(spi >= min && spi <= max) ^ invert;
35
-
duprintf(" result %s\n",r? "PASS" : "FAILED");
29
+
pr_debug(" result %s\n", r ? "PASS" : "FAILED");
36
30
return r;
37
31
}
38
32
···
45
51
/* We've been asked to examine this packet, and we
46
52
* can't. Hence, no choice but to drop.
47
53
*/
48
-
duprintf("Dropping evil AH tinygram.\n");
54
+
pr_debug("Dropping evil AH tinygram.\n");
49
55
*par->hotdrop = true;
50
56
return 0;
51
57
}
···
55
61
!!(ahinfo->invflags & IPT_AH_INV_SPI));
56
62
}
57
63
58
-
static bool ah_mt_check(const struct xt_mtchk_param *par)
64
+
static int ah_mt_check(const struct xt_mtchk_param *par)
59
65
{
60
66
const struct ipt_ah *ahinfo = par->matchinfo;
61
67
62
68
/* Must specify no unknown invflags */
63
69
if (ahinfo->invflags & ~IPT_AH_INV_MASK) {
64
-
duprintf("ipt_ah: unknown flags %X\n", ahinfo->invflags);
65
-
return false;
70
+
pr_debug("unknown flags %X\n", ahinfo->invflags);
71
+
return -EINVAL;
66
72
}
67
-
return true;
73
+
return 0;
68
74
}
69
75
70
76
static struct xt_match ah_mt_reg __read_mostly = {
+7
-8
net/ipv4/netfilter/ipt_ecn.c
+7
-8
net/ipv4/netfilter/ipt_ecn.c
···
6
6
* it under the terms of the GNU General Public License version 2 as
7
7
* published by the Free Software Foundation.
8
8
*/
9
-
9
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
10
10
#include <linux/in.h>
11
11
#include <linux/ip.h>
12
12
#include <net/ip.h>
···
85
85
return true;
86
86
}
87
87
88
-
static bool ecn_mt_check(const struct xt_mtchk_param *par)
88
+
static int ecn_mt_check(const struct xt_mtchk_param *par)
89
89
{
90
90
const struct ipt_ecn_info *info = par->matchinfo;
91
91
const struct ipt_ip *ip = par->entryinfo;
92
92
93
93
if (info->operation & IPT_ECN_OP_MATCH_MASK)
94
-
return false;
94
+
return -EINVAL;
95
95
96
96
if (info->invert & IPT_ECN_OP_MATCH_MASK)
97
-
return false;
97
+
return -EINVAL;
98
98
99
99
if (info->operation & (IPT_ECN_OP_MATCH_ECE|IPT_ECN_OP_MATCH_CWR) &&
100
100
ip->proto != IPPROTO_TCP) {
101
-
printk(KERN_WARNING "ipt_ecn: can't match TCP bits in rule for"
102
-
" non-tcp packets\n");
103
-
return false;
101
+
pr_info("cannot match TCP bits in rule for non-tcp packets\n");
102
+
return -EINVAL;
104
103
}
105
104
106
-
return true;
105
+
return 0;
107
106
}
108
107
109
108
static struct xt_match ecn_mt_reg __read_mostly = {
+4
-3
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
+4
-3
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4_compat.c
···
336
336
const struct ip_conntrack_stat *st = v;
337
337
338
338
if (v == SEQ_START_TOKEN) {
339
-
seq_printf(seq, "entries searched found new invalid ignore delete delete_list insert insert_failed drop early_drop icmp_error expect_new expect_create expect_delete\n");
339
+
seq_printf(seq, "entries searched found new invalid ignore delete delete_list insert insert_failed drop early_drop icmp_error expect_new expect_create expect_delete search_restart\n");
340
340
return 0;
341
341
}
342
342
343
343
seq_printf(seq, "%08x %08x %08x %08x %08x %08x %08x %08x "
344
-
"%08x %08x %08x %08x %08x %08x %08x %08x \n",
344
+
"%08x %08x %08x %08x %08x %08x %08x %08x %08x\n",
345
345
nr_conntracks,
346
346
st->searched,
347
347
st->found,
···
358
358
359
359
st->expect_new,
360
360
st->expect_create,
361
-
st->expect_delete
361
+
st->expect_delete,
362
+
st->search_restart
362
363
);
363
364
return 0;
364
365
}
-1
net/ipv4/netfilter/nf_nat_h323.c
-1
net/ipv4/netfilter/nf_nat_h323.c
+9
-8
net/ipv4/netfilter/nf_nat_rule.c
+9
-8
net/ipv4/netfilter/nf_nat_rule.c
···
7
7
*/
8
8
9
9
/* Everything about the rules for NAT. */
10
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
10
11
#include <linux/types.h>
11
12
#include <linux/ip.h>
12
13
#include <linux/netfilter.h>
···
75
74
return nf_nat_setup_info(ct, &mr->range[0], IP_NAT_MANIP_DST);
76
75
}
77
76
78
-
static bool ipt_snat_checkentry(const struct xt_tgchk_param *par)
77
+
static int ipt_snat_checkentry(const struct xt_tgchk_param *par)
79
78
{
80
79
const struct nf_nat_multi_range_compat *mr = par->targinfo;
81
80
82
81
/* Must be a valid range */
83
82
if (mr->rangesize != 1) {
84
-
printk("SNAT: multiple ranges no longer supported\n");
85
-
return false;
83
+
pr_info("SNAT: multiple ranges no longer supported\n");
84
+
return -EINVAL;
86
85
}
87
-
return true;
86
+
return 0;
88
87
}
89
88
90
-
static bool ipt_dnat_checkentry(const struct xt_tgchk_param *par)
89
+
static int ipt_dnat_checkentry(const struct xt_tgchk_param *par)
91
90
{
92
91
const struct nf_nat_multi_range_compat *mr = par->targinfo;
93
92
94
93
/* Must be a valid range */
95
94
if (mr->rangesize != 1) {
96
-
printk("DNAT: multiple ranges no longer supported\n");
97
-
return false;
95
+
pr_info("DNAT: multiple ranges no longer supported\n");
96
+
return -EINVAL;
98
97
}
99
-
return true;
98
+
return 0;
100
99
}
101
100
102
101
unsigned int
+1
-2
net/ipv4/netfilter/nf_nat_standalone.c
+1
-2
net/ipv4/netfilter/nf_nat_standalone.c
-1
net/ipv4/netfilter/nf_nat_tftp.c
-1
net/ipv4/netfilter/nf_nat_tftp.c
+2
-2
net/ipv4/raw.c
+2
-2
net/ipv4/raw.c
···
381
381
icmp_out_count(net, ((struct icmphdr *)
382
382
skb_transport_header(skb))->type);
383
383
384
-
err = NF_HOOK(PF_INET, NF_INET_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
385
-
dst_output);
384
+
err = NF_HOOK(NFPROTO_IPV4, NF_INET_LOCAL_OUT, skb, NULL,
385
+
rt->u.dst.dev, dst_output);
386
386
if (err > 0)
387
387
err = net_xmit_errno(err);
388
388
if (err)
+1
-1
net/ipv4/xfrm4_input.c
+1
-1
net/ipv4/xfrm4_input.c
+1
-1
net/ipv4/xfrm4_output.c
+1
-1
net/ipv4/xfrm4_output.c
+2
-2
net/ipv6/ip6_input.c
+2
-2
net/ipv6/ip6_input.c
···
143
143
/* Must drop socket now because of tproxy. */
144
144
skb_orphan(skb);
145
145
146
-
return NF_HOOK(PF_INET6, NF_INET_PRE_ROUTING, skb, dev, NULL,
146
+
return NF_HOOK(NFPROTO_IPV6, NF_INET_PRE_ROUTING, skb, dev, NULL,
147
147
ip6_rcv_finish);
148
148
err:
149
149
IP6_INC_STATS_BH(net, idev, IPSTATS_MIB_INHDRERRORS);
···
236
236
237
237
int ip6_input(struct sk_buff *skb)
238
238
{
239
-
return NF_HOOK(PF_INET6, NF_INET_LOCAL_IN, skb, skb->dev, NULL,
239
+
return NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_IN, skb, skb->dev, NULL,
240
240
ip6_input_finish);
241
241
}
242
242
+31
-33
net/ipv6/ip6_output.c
+31
-33
net/ipv6/ip6_output.c
···
67
67
len = 0;
68
68
ipv6_hdr(skb)->payload_len = htons(len);
69
69
70
-
return nf_hook(PF_INET6, NF_INET_LOCAL_OUT, skb, NULL, skb_dst(skb)->dev,
71
-
dst_output);
70
+
return nf_hook(NFPROTO_IPV6, NF_INET_LOCAL_OUT, skb, NULL,
71
+
skb_dst(skb)->dev, dst_output);
72
72
}
73
73
74
74
int ip6_local_out(struct sk_buff *skb)
···
83
83
}
84
84
EXPORT_SYMBOL_GPL(ip6_local_out);
85
85
86
-
static int ip6_output_finish(struct sk_buff *skb)
87
-
{
88
-
struct dst_entry *dst = skb_dst(skb);
89
-
90
-
if (dst->hh)
91
-
return neigh_hh_output(dst->hh, skb);
92
-
else if (dst->neighbour)
93
-
return dst->neighbour->output(skb);
94
-
95
-
IP6_INC_STATS_BH(dev_net(dst->dev),
96
-
ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES);
97
-
kfree_skb(skb);
98
-
return -EINVAL;
99
-
100
-
}
101
-
102
86
/* dev_loopback_xmit for use with netfilter. */
103
87
static int ip6_dev_loopback_xmit(struct sk_buff *newskb)
104
88
{
···
96
112
return 0;
97
113
}
98
114
99
-
100
-
static int ip6_output2(struct sk_buff *skb)
115
+
static int ip6_finish_output2(struct sk_buff *skb)
101
116
{
102
117
struct dst_entry *dst = skb_dst(skb);
103
118
struct net_device *dev = dst->dev;
···
118
135
is not supported in any case.
119
136
*/
120
137
if (newskb)
121
-
NF_HOOK(PF_INET6, NF_INET_POST_ROUTING, newskb,
122
-
NULL, newskb->dev,
138
+
NF_HOOK(NFPROTO_IPV6, NF_INET_POST_ROUTING,
139
+
newskb, NULL, newskb->dev,
123
140
ip6_dev_loopback_xmit);
124
141
125
142
if (ipv6_hdr(skb)->hop_limit == 0) {
···
134
151
skb->len);
135
152
}
136
153
137
-
return NF_HOOK(PF_INET6, NF_INET_POST_ROUTING, skb, NULL, skb->dev,
138
-
ip6_output_finish);
154
+
if (dst->hh)
155
+
return neigh_hh_output(dst->hh, skb);
156
+
else if (dst->neighbour)
157
+
return dst->neighbour->output(skb);
158
+
159
+
IP6_INC_STATS_BH(dev_net(dst->dev),
160
+
ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES);
161
+
kfree_skb(skb);
162
+
return -EINVAL;
139
163
}
140
164
141
165
static inline int ip6_skb_dst_mtu(struct sk_buff *skb)
···
153
163
skb_dst(skb)->dev->mtu : dst_mtu(skb_dst(skb));
154
164
}
155
165
166
+
static int ip6_finish_output(struct sk_buff *skb)
167
+
{
168
+
if ((skb->len > ip6_skb_dst_mtu(skb) && !skb_is_gso(skb)) ||
169
+
dst_allfrag(skb_dst(skb)))
170
+
return ip6_fragment(skb, ip6_finish_output2);
171
+
else
172
+
return ip6_finish_output2(skb);
173
+
}
174
+
156
175
int ip6_output(struct sk_buff *skb)
157
176
{
177
+
struct net_device *dev = skb_dst(skb)->dev;
158
178
struct inet6_dev *idev = ip6_dst_idev(skb_dst(skb));
159
179
if (unlikely(idev->cnf.disable_ipv6)) {
160
-
IP6_INC_STATS(dev_net(skb_dst(skb)->dev), idev,
180
+
IP6_INC_STATS(dev_net(dev), idev,
161
181
IPSTATS_MIB_OUTDISCARDS);
162
182
kfree_skb(skb);
163
183
return 0;
164
184
}
165
185
166
-
if ((skb->len > ip6_skb_dst_mtu(skb) && !skb_is_gso(skb)) ||
167
-
dst_allfrag(skb_dst(skb)))
168
-
return ip6_fragment(skb, ip6_output2);
169
-
else
170
-
return ip6_output2(skb);
186
+
return NF_HOOK_COND(NFPROTO_IPV6, NF_INET_POST_ROUTING, skb, NULL, dev,
187
+
ip6_finish_output,
188
+
!(IP6CB(skb)->flags & IP6SKB_REROUTED));
171
189
}
172
190
173
191
/*
···
254
256
if ((skb->len <= mtu) || skb->local_df || skb_is_gso(skb)) {
255
257
IP6_UPD_PO_STATS(net, ip6_dst_idev(skb_dst(skb)),
256
258
IPSTATS_MIB_OUT, skb->len);
257
-
return NF_HOOK(PF_INET6, NF_INET_LOCAL_OUT, skb, NULL, dst->dev,
258
-
dst_output);
259
+
return NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, skb, NULL,
260
+
dst->dev, dst_output);
259
261
}
260
262
261
263
if (net_ratelimit())
···
531
533
hdr->hop_limit--;
532
534
533
535
IP6_INC_STATS_BH(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTFORWDATAGRAMS);
534
-
return NF_HOOK(PF_INET6, NF_INET_FORWARD, skb, skb->dev, dst->dev,
536
+
return NF_HOOK(NFPROTO_IPV6, NF_INET_FORWARD, skb, skb->dev, dst->dev,
535
537
ip6_forward_finish);
536
538
537
539
error:
+1
-1
net/ipv6/ip6mr.c
+1
-1
net/ipv6/ip6mr.c
+2
-2
net/ipv6/mcast.c
+2
-2
net/ipv6/mcast.c
···
1428
1428
1429
1429
payload_len = skb->len;
1430
1430
1431
-
err = NF_HOOK(PF_INET6, NF_INET_LOCAL_OUT, skb, NULL, skb->dev,
1431
+
err = NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, skb, NULL, skb->dev,
1432
1432
dst_output);
1433
1433
out:
1434
1434
if (!err) {
···
1793
1793
goto err_out;
1794
1794
1795
1795
skb_dst_set(skb, dst);
1796
-
err = NF_HOOK(PF_INET6, NF_INET_LOCAL_OUT, skb, NULL, skb->dev,
1796
+
err = NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, skb, NULL, skb->dev,
1797
1797
dst_output);
1798
1798
out:
1799
1799
if (!err) {
+2
-2
net/ipv6/ndisc.c
+2
-2
net/ipv6/ndisc.c
···
536
536
idev = in6_dev_get(dst->dev);
537
537
IP6_UPD_PO_STATS(net, idev, IPSTATS_MIB_OUT, skb->len);
538
538
539
-
err = NF_HOOK(PF_INET6, NF_INET_LOCAL_OUT, skb, NULL, dst->dev,
539
+
err = NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, skb, NULL, dst->dev,
540
540
dst_output);
541
541
if (!err) {
542
542
ICMP6MSGOUT_INC_STATS(net, idev, type);
···
1618
1618
skb_dst_set(buff, dst);
1619
1619
idev = in6_dev_get(dst->dev);
1620
1620
IP6_UPD_PO_STATS(net, idev, IPSTATS_MIB_OUT, skb->len);
1621
-
err = NF_HOOK(PF_INET6, NF_INET_LOCAL_OUT, buff, NULL, dst->dev,
1621
+
err = NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, buff, NULL, dst->dev,
1622
1622
dst_output);
1623
1623
if (!err) {
1624
1624
ICMP6MSGOUT_INC_STATS(net, idev, NDISC_REDIRECT);
+11
-14
net/ipv6/netfilter.c
+11
-14
net/ipv6/netfilter.c
···
25
25
};
26
26
27
27
dst = ip6_route_output(net, skb->sk, &fl);
28
-
29
-
#ifdef CONFIG_XFRM
30
-
if (!(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) &&
31
-
xfrm_decode_session(skb, &fl, AF_INET6) == 0) {
32
-
struct dst_entry *dst2 = skb_dst(skb);
33
-
34
-
if (xfrm_lookup(net, &dst2, &fl, skb->sk, 0)) {
35
-
skb_dst_set(skb, NULL);
36
-
return -1;
37
-
}
38
-
skb_dst_set(skb, dst2);
39
-
}
40
-
#endif
41
-
42
28
if (dst->error) {
43
29
IP6_INC_STATS(net, ip6_dst_idev(dst), IPSTATS_MIB_OUTNOROUTES);
44
30
LIMIT_NETDEBUG(KERN_DEBUG "ip6_route_me_harder: No more route.\n");
···
36
50
skb_dst_drop(skb);
37
51
38
52
skb_dst_set(skb, dst);
53
+
54
+
#ifdef CONFIG_XFRM
55
+
if (!(IP6CB(skb)->flags & IP6SKB_XFRM_TRANSFORMED) &&
56
+
xfrm_decode_session(skb, &fl, AF_INET6) == 0) {
57
+
skb_dst_set(skb, NULL);
58
+
if (xfrm_lookup(net, &dst, &fl, skb->sk, 0))
59
+
return -1;
60
+
skb_dst_set(skb, dst);
61
+
}
62
+
#endif
63
+
39
64
return 0;
40
65
}
41
66
EXPORT_SYMBOL(ip6_route_me_harder);
+1
-2
net/ipv6/netfilter/ip6_queue.c
+1
-2
net/ipv6/netfilter/ip6_queue.c
···
162
162
break;
163
163
164
164
case IPQ_COPY_PACKET:
165
-
if ((entry->skb->ip_summed == CHECKSUM_PARTIAL ||
166
-
entry->skb->ip_summed == CHECKSUM_COMPLETE) &&
165
+
if (entry->skb->ip_summed == CHECKSUM_PARTIAL &&
167
166
(*errp = skb_checksum_help(entry->skb))) {
168
167
read_unlock_bh(&queue_lock);
169
168
return NULL;
+44
-65
net/ipv6/netfilter/ip6_tables.c
+44
-65
net/ipv6/netfilter/ip6_tables.c
···
40
40
/*#define DEBUG_IP_FIREWALL_USER*/
41
41
42
42
#ifdef DEBUG_IP_FIREWALL
43
-
#define dprintf(format, args...) printk(format , ## args)
43
+
#define dprintf(format, args...) pr_info(format , ## args)
44
44
#else
45
45
#define dprintf(format, args...)
46
46
#endif
47
47
48
48
#ifdef DEBUG_IP_FIREWALL_USER
49
-
#define duprintf(format, args...) printk(format , ## args)
49
+
#define duprintf(format, args...) pr_info(format , ## args)
50
50
#else
51
51
#define duprintf(format, args...)
52
52
#endif
···
200
200
ip6t_error(struct sk_buff *skb, const struct xt_target_param *par)
201
201
{
202
202
if (net_ratelimit())
203
-
printk("ip6_tables: error: `%s'\n",
204
-
(const char *)par->targinfo);
203
+
pr_info("error: `%s'\n", (const char *)par->targinfo);
205
204
206
205
return NF_DROP;
207
206
}
···
351
352
const struct net_device *out,
352
353
struct xt_table *table)
353
354
{
354
-
#define tb_comefrom ((struct ip6t_entry *)table_base)->comefrom
355
-
356
355
static const char nulldevname[IFNAMSIZ] __attribute__((aligned(sizeof(long))));
357
356
bool hotdrop = false;
358
357
/* Initializing verdict to NF_DROP keeps gcc happy. */
359
358
unsigned int verdict = NF_DROP;
360
359
const char *indev, *outdev;
361
360
const void *table_base;
362
-
struct ip6t_entry *e, *back;
361
+
struct ip6t_entry *e, **jumpstack;
362
+
unsigned int *stackptr, origptr, cpu;
363
363
const struct xt_table_info *private;
364
364
struct xt_match_param mtpar;
365
365
struct xt_target_param tgpar;
···
382
384
383
385
xt_info_rdlock_bh();
384
386
private = table->private;
385
-
table_base = private->entries[smp_processor_id()];
387
+
cpu = smp_processor_id();
388
+
table_base = private->entries[cpu];
389
+
jumpstack = (struct ip6t_entry **)private->jumpstack[cpu];
390
+
stackptr = &private->stackptr[cpu];
391
+
origptr = *stackptr;
386
392
387
393
e = get_entry(table_base, private->hook_entry[hook]);
388
-
389
-
/* For return from builtin chain */
390
-
back = get_entry(table_base, private->underflow[hook]);
391
394
392
395
do {
393
396
const struct ip6t_entry_target *t;
394
397
const struct xt_entry_match *ematch;
395
398
396
399
IP_NF_ASSERT(e);
397
-
IP_NF_ASSERT(back);
398
400
if (!ip6_packet_match(skb, indev, outdev, &e->ipv6,
399
401
&mtpar.thoff, &mtpar.fragoff, &hotdrop)) {
400
402
no_match:
···
431
433
verdict = (unsigned)(-v) - 1;
432
434
break;
433
435
}
434
-
e = back;
435
-
back = get_entry(table_base, back->comefrom);
436
+
if (*stackptr == 0)
437
+
e = get_entry(table_base,
438
+
private->underflow[hook]);
439
+
else
440
+
e = ip6t_next_entry(jumpstack[--*stackptr]);
436
441
continue;
437
442
}
438
443
if (table_base + v != ip6t_next_entry(e) &&
439
444
!(e->ipv6.flags & IP6T_F_GOTO)) {
440
-
/* Save old back ptr in next entry */
441
-
struct ip6t_entry *next = ip6t_next_entry(e);
442
-
next->comefrom = (void *)back - table_base;
443
-
/* set back pointer to next entry */
444
-
back = next;
445
+
if (*stackptr >= private->stacksize) {
446
+
verdict = NF_DROP;
447
+
break;
448
+
}
449
+
jumpstack[(*stackptr)++] = e;
445
450
}
446
451
447
452
e = get_entry(table_base, v);
448
453
continue;
449
454
}
450
455
451
-
/* Targets which reenter must return
452
-
abs. verdicts */
453
456
tgpar.target = t->u.kernel.target;
454
457
tgpar.targinfo = t->data;
455
458
456
-
#ifdef CONFIG_NETFILTER_DEBUG
457
-
tb_comefrom = 0xeeeeeeec;
458
-
#endif
459
459
verdict = t->u.kernel.target->target(skb, &tgpar);
460
-
461
-
#ifdef CONFIG_NETFILTER_DEBUG
462
-
if (tb_comefrom != 0xeeeeeeec && verdict == IP6T_CONTINUE) {
463
-
printk("Target %s reentered!\n",
464
-
t->u.kernel.target->name);
465
-
verdict = NF_DROP;
466
-
}
467
-
tb_comefrom = 0x57acc001;
468
-
#endif
469
460
if (verdict == IP6T_CONTINUE)
470
461
e = ip6t_next_entry(e);
471
462
else
···
462
475
break;
463
476
} while (!hotdrop);
464
477
465
-
#ifdef CONFIG_NETFILTER_DEBUG
466
-
tb_comefrom = NETFILTER_LINK_POISON;
467
-
#endif
468
478
xt_info_rdunlock_bh();
479
+
*stackptr = origptr;
469
480
470
481
#ifdef DEBUG_ALLOW_ALL
471
482
return NF_ACCEPT;
···
472
487
return NF_DROP;
473
488
else return verdict;
474
489
#endif
475
-
476
-
#undef tb_comefrom
477
490
}
478
491
479
492
/* Figures out from what hook each rule can be called: returns 0 if
···
644
661
struct xt_match *match;
645
662
int ret;
646
663
647
-
match = try_then_request_module(xt_find_match(AF_INET6, m->u.user.name,
648
-
m->u.user.revision),
649
-
"ip6t_%s", m->u.user.name);
650
-
if (IS_ERR(match) || !match) {
664
+
match = xt_request_find_match(NFPROTO_IPV6, m->u.user.name,
665
+
m->u.user.revision);
666
+
if (IS_ERR(match)) {
651
667
duprintf("find_check_match: `%s' not found\n", m->u.user.name);
652
-
return match ? PTR_ERR(match) : -ENOENT;
668
+
return PTR_ERR(match);
653
669
}
654
670
m->u.kernel.match = match;
655
671
···
716
734
}
717
735
718
736
t = ip6t_get_target(e);
719
-
target = try_then_request_module(xt_find_target(AF_INET6,
720
-
t->u.user.name,
721
-
t->u.user.revision),
722
-
"ip6t_%s", t->u.user.name);
723
-
if (IS_ERR(target) || !target) {
737
+
target = xt_request_find_target(NFPROTO_IPV6, t->u.user.name,
738
+
t->u.user.revision);
739
+
if (IS_ERR(target)) {
724
740
duprintf("find_check_entry: `%s' not found\n", t->u.user.name);
725
-
ret = target ? PTR_ERR(target) : -ENOENT;
741
+
ret = PTR_ERR(target);
726
742
goto cleanup_matches;
727
743
}
728
744
t->u.kernel.target = target;
···
853
873
if (ret != 0)
854
874
return ret;
855
875
++i;
876
+
if (strcmp(ip6t_get_target(iter)->u.user.name,
877
+
XT_ERROR_TARGET) == 0)
878
+
++newinfo->stacksize;
856
879
}
857
880
858
881
if (i != repl->num_entries) {
···
1492
1509
{
1493
1510
struct xt_match *match;
1494
1511
1495
-
match = try_then_request_module(xt_find_match(AF_INET6, m->u.user.name,
1496
-
m->u.user.revision),
1497
-
"ip6t_%s", m->u.user.name);
1498
-
if (IS_ERR(match) || !match) {
1512
+
match = xt_request_find_match(NFPROTO_IPV6, m->u.user.name,
1513
+
m->u.user.revision);
1514
+
if (IS_ERR(match)) {
1499
1515
duprintf("compat_check_calc_match: `%s' not found\n",
1500
1516
m->u.user.name);
1501
-
return match ? PTR_ERR(match) : -ENOENT;
1517
+
return PTR_ERR(match);
1502
1518
}
1503
1519
m->u.kernel.match = match;
1504
1520
*size += xt_compat_match_offset(match);
···
1564
1582
}
1565
1583
1566
1584
t = compat_ip6t_get_target(e);
1567
-
target = try_then_request_module(xt_find_target(AF_INET6,
1568
-
t->u.user.name,
1569
-
t->u.user.revision),
1570
-
"ip6t_%s", t->u.user.name);
1571
-
if (IS_ERR(target) || !target) {
1585
+
target = xt_request_find_target(NFPROTO_IPV6, t->u.user.name,
1586
+
t->u.user.revision);
1587
+
if (IS_ERR(target)) {
1572
1588
duprintf("check_compat_entry_size_and_hooks: `%s' not found\n",
1573
1589
t->u.user.name);
1574
-
ret = target ? PTR_ERR(target) : -ENOENT;
1590
+
ret = PTR_ERR(target);
1575
1591
goto release_matches;
1576
1592
}
1577
1593
t->u.kernel.target = target;
···
2107
2127
{
2108
2128
int ret;
2109
2129
struct xt_table_info *newinfo;
2110
-
struct xt_table_info bootstrap
2111
-
= { 0, 0, 0, { 0 }, { 0 }, { } };
2130
+
struct xt_table_info bootstrap = {0};
2112
2131
void *loc_cpu_entry;
2113
2132
struct xt_table *new_table;
2114
2133
···
2195
2216
}
2196
2217
2197
2218
/* Called when user tries to insert an entry of this type. */
2198
-
static bool icmp6_checkentry(const struct xt_mtchk_param *par)
2219
+
static int icmp6_checkentry(const struct xt_mtchk_param *par)
2199
2220
{
2200
2221
const struct ip6t_icmp *icmpinfo = par->matchinfo;
2201
2222
2202
2223
/* Must specify no unknown invflags */
2203
-
return !(icmpinfo->invflags & ~IP6T_ICMP_INV);
2224
+
return (icmpinfo->invflags & ~IP6T_ICMP_INV) ? -EINVAL : 0;
2204
2225
}
2205
2226
2206
2227
/* The built-in targets: standard (NULL) and error. */
···
2287
2308
if (ret < 0)
2288
2309
goto err5;
2289
2310
2290
-
printk(KERN_INFO "ip6_tables: (C) 2000-2006 Netfilter Core Team\n");
2311
+
pr_info("(C) 2000-2006 Netfilter Core Team\n");
2291
2312
return 0;
2292
2313
2293
2314
err5:
+8
-10
net/ipv6/netfilter/ip6t_LOG.c
+8
-10
net/ipv6/netfilter/ip6t_LOG.c
···
9
9
* it under the terms of the GNU General Public License version 2 as
10
10
* published by the Free Software Foundation.
11
11
*/
12
-
12
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
13
13
#include <linux/module.h>
14
-
#include <linux/moduleparam.h>
15
14
#include <linux/skbuff.h>
16
15
#include <linux/if_arp.h>
17
16
#include <linux/ip.h>
···
377
378
.type = NF_LOG_TYPE_LOG,
378
379
.u = {
379
380
.log = {
380
-
.level = 0,
381
+
.level = 5,
381
382
.logflags = NF_LOG_MASK,
382
383
},
383
384
},
···
451
452
}
452
453
453
454
454
-
static bool log_tg6_check(const struct xt_tgchk_param *par)
455
+
static int log_tg6_check(const struct xt_tgchk_param *par)
455
456
{
456
457
const struct ip6t_log_info *loginfo = par->targinfo;
457
458
458
459
if (loginfo->level >= 8) {
459
-
pr_debug("LOG: level %u >= 8\n", loginfo->level);
460
-
return false;
460
+
pr_debug("level %u >= 8\n", loginfo->level);
461
+
return -EINVAL;
461
462
}
462
463
if (loginfo->prefix[sizeof(loginfo->prefix)-1] != '\0') {
463
-
pr_debug("LOG: prefix term %i\n",
464
-
loginfo->prefix[sizeof(loginfo->prefix)-1]);
465
-
return false;
464
+
pr_debug("prefix not null-terminated\n");
465
+
return -EINVAL;
466
466
}
467
-
return true;
467
+
return 0;
468
468
}
469
469
470
470
static struct xt_target log_tg6_reg __read_mostly = {
+14
-16
net/ipv6/netfilter/ip6t_REJECT.c
+14
-16
net/ipv6/netfilter/ip6t_REJECT.c
···
14
14
* as published by the Free Software Foundation; either version
15
15
* 2 of the License, or (at your option) any later version.
16
16
*/
17
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
17
18
18
19
#include <linux/gfp.h>
19
20
#include <linux/module.h>
···
51
50
52
51
if ((!(ipv6_addr_type(&oip6h->saddr) & IPV6_ADDR_UNICAST)) ||
53
52
(!(ipv6_addr_type(&oip6h->daddr) & IPV6_ADDR_UNICAST))) {
54
-
pr_debug("ip6t_REJECT: addr is not unicast.\n");
53
+
pr_debug("addr is not unicast.\n");
55
54
return;
56
55
}
57
56
···
59
58
tcphoff = ipv6_skip_exthdr(oldskb, ((u8*)(oip6h+1) - oldskb->data), &proto);
60
59
61
60
if ((tcphoff < 0) || (tcphoff > oldskb->len)) {
62
-
pr_debug("ip6t_REJECT: Can't get TCP header.\n");
61
+
pr_debug("Cannot get TCP header.\n");
63
62
return;
64
63
}
65
64
···
67
66
68
67
/* IP header checks: fragment, too short. */
69
68
if (proto != IPPROTO_TCP || otcplen < sizeof(struct tcphdr)) {
70
-
pr_debug("ip6t_REJECT: proto(%d) != IPPROTO_TCP, "
69
+
pr_debug("proto(%d) != IPPROTO_TCP, "
71
70
"or too short. otcplen = %d\n",
72
71
proto, otcplen);
73
72
return;
···
78
77
79
78
/* No RST for RST. */
80
79
if (otcph.rst) {
81
-
pr_debug("ip6t_REJECT: RST is set\n");
80
+
pr_debug("RST is set\n");
82
81
return;
83
82
}
84
83
85
84
/* Check checksum. */
86
85
if (csum_ipv6_magic(&oip6h->saddr, &oip6h->daddr, otcplen, IPPROTO_TCP,
87
86
skb_checksum(oldskb, tcphoff, otcplen, 0))) {
88
-
pr_debug("ip6t_REJECT: TCP checksum is invalid\n");
87
+
pr_debug("TCP checksum is invalid\n");
89
88
return;
90
89
}
91
90
···
109
108
110
109
if (!nskb) {
111
110
if (net_ratelimit())
112
-
printk("ip6t_REJECT: Can't alloc skb\n");
111
+
pr_debug("cannot alloc skb\n");
113
112
dst_release(dst);
114
113
return;
115
114
}
···
181
180
struct net *net = dev_net((par->in != NULL) ? par->in : par->out);
182
181
183
182
pr_debug("%s: medium point\n", __func__);
184
-
/* WARNING: This code causes reentry within ip6tables.
185
-
This means that the ip6tables jump stack is now crap. We
186
-
must return an absolute verdict. --RR */
187
183
switch (reject->with) {
188
184
case IP6T_ICMP6_NO_ROUTE:
189
185
send_unreach(net, skb, ICMPV6_NOROUTE, par->hooknum);
···
205
207
break;
206
208
default:
207
209
if (net_ratelimit())
208
-
printk(KERN_WARNING "ip6t_REJECT: case %u not handled yet\n", reject->with);
210
+
pr_info("case %u not handled yet\n", reject->with);
209
211
break;
210
212
}
211
213
212
214
return NF_DROP;
213
215
}
214
216
215
-
static bool reject_tg6_check(const struct xt_tgchk_param *par)
217
+
static int reject_tg6_check(const struct xt_tgchk_param *par)
216
218
{
217
219
const struct ip6t_reject_info *rejinfo = par->targinfo;
218
220
const struct ip6t_entry *e = par->entryinfo;
219
221
220
222
if (rejinfo->with == IP6T_ICMP6_ECHOREPLY) {
221
-
printk("ip6t_REJECT: ECHOREPLY is not supported.\n");
222
-
return false;
223
+
pr_info("ECHOREPLY is not supported.\n");
224
+
return -EINVAL;
223
225
} else if (rejinfo->with == IP6T_TCP_RESET) {
224
226
/* Must specify that it's a TCP packet */
225
227
if (e->ipv6.proto != IPPROTO_TCP ||
226
228
(e->ipv6.invflags & XT_INV_PROTO)) {
227
-
printk("ip6t_REJECT: TCP_RESET illegal for non-tcp\n");
228
-
return false;
229
+
pr_info("TCP_RESET illegal for non-tcp\n");
230
+
return -EINVAL;
229
231
}
230
232
}
231
-
return true;
233
+
return 0;
232
234
}
233
235
234
236
static struct xt_target reject_tg6_reg __read_mostly = {
+6
-6
net/ipv6/netfilter/ip6t_ah.c
+6
-6
net/ipv6/netfilter/ip6t_ah.c
···
6
6
* it under the terms of the GNU General Public License version 2 as
7
7
* published by the Free Software Foundation.
8
8
*/
9
-
9
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
10
10
#include <linux/module.h>
11
11
#include <linux/skbuff.h>
12
12
#include <linux/ip.h>
···
29
29
{
30
30
bool r;
31
31
32
-
pr_debug("ah spi_match:%c 0x%x <= 0x%x <= 0x%x",
32
+
pr_debug("spi_match:%c 0x%x <= 0x%x <= 0x%x\n",
33
33
invert ? '!' : ' ', min, spi, max);
34
34
r = (spi >= min && spi <= max) ^ invert;
35
35
pr_debug(" result %s\n", r ? "PASS" : "FAILED");
···
87
87
!(ahinfo->hdrres && ah->reserved);
88
88
}
89
89
90
-
static bool ah_mt6_check(const struct xt_mtchk_param *par)
90
+
static int ah_mt6_check(const struct xt_mtchk_param *par)
91
91
{
92
92
const struct ip6t_ah *ahinfo = par->matchinfo;
93
93
94
94
if (ahinfo->invflags & ~IP6T_AH_INV_MASK) {
95
-
pr_debug("ip6t_ah: unknown flags %X\n", ahinfo->invflags);
96
-
return false;
95
+
pr_debug("unknown flags %X\n", ahinfo->invflags);
96
+
return -EINVAL;
97
97
}
98
-
return true;
98
+
return 0;
99
99
}
100
100
101
101
static struct xt_match ah_mt6_reg __read_mostly = {
+6
-6
net/ipv6/netfilter/ip6t_frag.c
+6
-6
net/ipv6/netfilter/ip6t_frag.c
···
6
6
* it under the terms of the GNU General Public License version 2 as
7
7
* published by the Free Software Foundation.
8
8
*/
9
-
9
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
10
10
#include <linux/module.h>
11
11
#include <linux/skbuff.h>
12
12
#include <linux/ipv6.h>
···
27
27
id_match(u_int32_t min, u_int32_t max, u_int32_t id, bool invert)
28
28
{
29
29
bool r;
30
-
pr_debug("frag id_match:%c 0x%x <= 0x%x <= 0x%x", invert ? '!' : ' ',
30
+
pr_debug("id_match:%c 0x%x <= 0x%x <= 0x%x\n", invert ? '!' : ' ',
31
31
min, id, max);
32
32
r = (id >= min && id <= max) ^ invert;
33
33
pr_debug(" result %s\n", r ? "PASS" : "FAILED");
···
102
102
(ntohs(fh->frag_off) & IP6_MF));
103
103
}
104
104
105
-
static bool frag_mt6_check(const struct xt_mtchk_param *par)
105
+
static int frag_mt6_check(const struct xt_mtchk_param *par)
106
106
{
107
107
const struct ip6t_frag *fraginfo = par->matchinfo;
108
108
109
109
if (fraginfo->invflags & ~IP6T_FRAG_INV_MASK) {
110
-
pr_debug("ip6t_frag: unknown flags %X\n", fraginfo->invflags);
111
-
return false;
110
+
pr_debug("unknown flags %X\n", fraginfo->invflags);
111
+
return -EINVAL;
112
112
}
113
-
return true;
113
+
return 0;
114
114
}
115
115
116
116
static struct xt_match frag_mt6_reg __read_mostly = {
+13
-10
net/ipv6/netfilter/ip6t_hbh.c
+13
-10
net/ipv6/netfilter/ip6t_hbh.c
···
6
6
* it under the terms of the GNU General Public License version 2 as
7
7
* published by the Free Software Foundation.
8
8
*/
9
-
9
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
10
10
#include <linux/module.h>
11
11
#include <linux/skbuff.h>
12
12
#include <linux/ipv6.h>
···
41
41
* 5 -> RTALERT 2 x x
42
42
*/
43
43
44
+
static struct xt_match hbh_mt6_reg[] __read_mostly;
45
+
44
46
static bool
45
47
hbh_mt6(const struct sk_buff *skb, const struct xt_match_param *par)
46
48
{
···
60
58
unsigned int optlen;
61
59
int err;
62
60
63
-
err = ipv6_find_hdr(skb, &ptr, par->match->data, NULL);
61
+
err = ipv6_find_hdr(skb, &ptr,
62
+
(par->match == &hbh_mt6_reg[0]) ?
63
+
NEXTHDR_HOP : NEXTHDR_DEST, NULL);
64
64
if (err < 0) {
65
65
if (err != -ENOENT)
66
66
*par->hotdrop = true;
···
164
160
return false;
165
161
}
166
162
167
-
static bool hbh_mt6_check(const struct xt_mtchk_param *par)
163
+
static int hbh_mt6_check(const struct xt_mtchk_param *par)
168
164
{
169
165
const struct ip6t_opts *optsinfo = par->matchinfo;
170
166
171
167
if (optsinfo->invflags & ~IP6T_OPTS_INV_MASK) {
172
-
pr_debug("ip6t_opts: unknown flags %X\n", optsinfo->invflags);
173
-
return false;
168
+
pr_debug("unknown flags %X\n", optsinfo->invflags);
169
+
return -EINVAL;
174
170
}
175
171
176
172
if (optsinfo->flags & IP6T_OPTS_NSTRICT) {
177
-
pr_debug("ip6t_opts: Not strict - not implemented");
178
-
return false;
173
+
pr_debug("Not strict - not implemented");
174
+
return -EINVAL;
179
175
}
180
176
181
-
return true;
177
+
return 0;
182
178
}
183
179
184
180
static struct xt_match hbh_mt6_reg[] __read_mostly = {
185
181
{
182
+
/* Note, hbh_mt6 relies on the order of hbh_mt6_reg */
186
183
.name = "hbh",
187
184
.family = NFPROTO_IPV6,
188
185
.match = hbh_mt6,
189
186
.matchsize = sizeof(struct ip6t_opts),
190
187
.checkentry = hbh_mt6_check,
191
188
.me = THIS_MODULE,
192
-
.data = NEXTHDR_HOP,
193
189
},
194
190
{
195
191
.name = "dst",
···
198
194
.matchsize = sizeof(struct ip6t_opts),
199
195
.checkentry = hbh_mt6_check,
200
196
.me = THIS_MODULE,
201
-
.data = NEXTHDR_DEST,
202
197
},
203
198
};
204
199
+3
-3
net/ipv6/netfilter/ip6t_ipv6header.c
+3
-3
net/ipv6/netfilter/ip6t_ipv6header.c
···
118
118
}
119
119
}
120
120
121
-
static bool ipv6header_mt6_check(const struct xt_mtchk_param *par)
121
+
static int ipv6header_mt6_check(const struct xt_mtchk_param *par)
122
122
{
123
123
const struct ip6t_ipv6header_info *info = par->matchinfo;
124
124
125
125
/* invflags is 0 or 0xff in hard mode */
126
126
if ((!info->modeflag) && info->invflags != 0x00 &&
127
127
info->invflags != 0xFF)
128
-
return false;
128
+
return -EINVAL;
129
129
130
-
return true;
130
+
return 0;
131
131
}
132
132
133
133
static struct xt_match ipv6header_mt6_reg __read_mostly = {
+5
-10
net/ipv6/netfilter/ip6t_mh.c
+5
-10
net/ipv6/netfilter/ip6t_mh.c
···
11
11
* Based on net/netfilter/xt_tcpudp.c
12
12
*
13
13
*/
14
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
14
15
#include <linux/types.h>
15
16
#include <linux/module.h>
16
17
#include <net/ip.h>
···
24
23
25
24
MODULE_DESCRIPTION("Xtables: IPv6 Mobility Header match");
26
25
MODULE_LICENSE("GPL");
27
-
28
-
#ifdef DEBUG_IP_FIREWALL_USER
29
-
#define duprintf(format, args...) printk(format , ## args)
30
-
#else
31
-
#define duprintf(format, args...)
32
-
#endif
33
26
34
27
/* Returns 1 if the type is matched by the range, 0 otherwise */
35
28
static inline bool
···
46
51
if (mh == NULL) {
47
52
/* We've been asked to examine this packet, and we
48
53
can't. Hence, no choice but to drop. */
49
-
duprintf("Dropping evil MH tinygram.\n");
54
+
pr_debug("Dropping evil MH tinygram.\n");
50
55
*par->hotdrop = true;
51
56
return false;
52
57
}
53
58
54
59
if (mh->ip6mh_proto != IPPROTO_NONE) {
55
-
duprintf("Dropping invalid MH Payload Proto: %u\n",
60
+
pr_debug("Dropping invalid MH Payload Proto: %u\n",
56
61
mh->ip6mh_proto);
57
62
*par->hotdrop = true;
58
63
return false;
···
62
67
!!(mhinfo->invflags & IP6T_MH_INV_TYPE));
63
68
}
64
69
65
-
static bool mh_mt6_check(const struct xt_mtchk_param *par)
70
+
static int mh_mt6_check(const struct xt_mtchk_param *par)
66
71
{
67
72
const struct ip6t_mh *mhinfo = par->matchinfo;
68
73
69
74
/* Must specify no unknown invflags */
70
-
return !(mhinfo->invflags & ~IP6T_MH_INV_MASK);
75
+
return (mhinfo->invflags & ~IP6T_MH_INV_MASK) ? -EINVAL : 0;
71
76
}
72
77
73
78
static struct xt_match mh_mt6_reg __read_mostly = {
+7
-7
net/ipv6/netfilter/ip6t_rt.c
+7
-7
net/ipv6/netfilter/ip6t_rt.c
···
6
6
* it under the terms of the GNU General Public License version 2 as
7
7
* published by the Free Software Foundation.
8
8
*/
9
-
9
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
10
10
#include <linux/module.h>
11
11
#include <linux/skbuff.h>
12
12
#include <linux/ipv6.h>
···
29
29
segsleft_match(u_int32_t min, u_int32_t max, u_int32_t id, bool invert)
30
30
{
31
31
bool r;
32
-
pr_debug("rt segsleft_match:%c 0x%x <= 0x%x <= 0x%x",
32
+
pr_debug("segsleft_match:%c 0x%x <= 0x%x <= 0x%x\n",
33
33
invert ? '!' : ' ', min, id, max);
34
34
r = (id >= min && id <= max) ^ invert;
35
35
pr_debug(" result %s\n", r ? "PASS" : "FAILED");
···
183
183
return false;
184
184
}
185
185
186
-
static bool rt_mt6_check(const struct xt_mtchk_param *par)
186
+
static int rt_mt6_check(const struct xt_mtchk_param *par)
187
187
{
188
188
const struct ip6t_rt *rtinfo = par->matchinfo;
189
189
190
190
if (rtinfo->invflags & ~IP6T_RT_INV_MASK) {
191
-
pr_debug("ip6t_rt: unknown flags %X\n", rtinfo->invflags);
192
-
return false;
191
+
pr_debug("unknown flags %X\n", rtinfo->invflags);
192
+
return -EINVAL;
193
193
}
194
194
if ((rtinfo->flags & (IP6T_RT_RES | IP6T_RT_FST_MASK)) &&
195
195
(!(rtinfo->flags & IP6T_RT_TYP) ||
196
196
(rtinfo->rt_type != 0) ||
197
197
(rtinfo->invflags & IP6T_RT_INV_TYP))) {
198
198
pr_debug("`--rt-type 0' required before `--rt-0-*'");
199
-
return false;
199
+
return -EINVAL;
200
200
}
201
201
202
-
return true;
202
+
return 0;
203
203
}
204
204
205
205
static struct xt_match rt_mt6_reg __read_mostly = {
+1
-1
net/ipv6/netfilter/nf_conntrack_reasm.c
+1
-1
net/ipv6/netfilter/nf_conntrack_reasm.c
+2
-2
net/ipv6/raw.c
+2
-2
net/ipv6/raw.c
···
640
640
goto error_fault;
641
641
642
642
IP6_UPD_PO_STATS(sock_net(sk), rt->rt6i_idev, IPSTATS_MIB_OUT, skb->len);
643
-
err = NF_HOOK(PF_INET6, NF_INET_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
644
-
dst_output);
643
+
err = NF_HOOK(NFPROTO_IPV6, NF_INET_LOCAL_OUT, skb, NULL,
644
+
rt->u.dst.dev, dst_output);
645
645
if (err > 0)
646
646
err = net_xmit_errno(err);
647
647
if (err)
+1
-1
net/ipv6/xfrm6_input.c
+1
-1
net/ipv6/xfrm6_input.c
···
42
42
ipv6_hdr(skb)->payload_len = htons(skb->len);
43
43
__skb_push(skb, skb->data - skb_network_header(skb));
44
44
45
-
NF_HOOK(PF_INET6, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
45
+
NF_HOOK(NFPROTO_IPV6, NF_INET_PRE_ROUTING, skb, skb->dev, NULL,
46
46
ip6_rcv_finish);
47
47
return -1;
48
48
}
+2
-2
net/ipv6/xfrm6_output.c
+2
-2
net/ipv6/xfrm6_output.c
+77
-54
net/netfilter/Kconfig
+77
-54
net/netfilter/Kconfig
···
314
314
315
315
if NETFILTER_XTABLES
316
316
317
+
comment "Xtables combined modules"
318
+
319
+
config NETFILTER_XT_MARK
320
+
tristate 'nfmark target and match support'
321
+
default m if NETFILTER_ADVANCED=n
322
+
---help---
323
+
This option adds the "MARK" target and "mark" match.
324
+
325
+
Netfilter mark matching allows you to match packets based on the
326
+
"nfmark" value in the packet.
327
+
The target allows you to create rules in the "mangle" table which alter
328
+
the netfilter mark (nfmark) field associated with the packet.
329
+
330
+
Prior to routing, the nfmark can influence the routing method (see
331
+
"Use netfilter MARK value as routing key") and can also be used by
332
+
other subsystems to change their behavior.
333
+
334
+
config NETFILTER_XT_CONNMARK
335
+
tristate 'ctmark target and match support'
336
+
depends on NF_CONNTRACK
337
+
depends on NETFILTER_ADVANCED
338
+
select NF_CONNTRACK_MARK
339
+
---help---
340
+
This option adds the "CONNMARK" target and "connmark" match.
341
+
342
+
Netfilter allows you to store a mark value per connection (a.k.a.
343
+
ctmark), similarly to the packet mark (nfmark). Using this
344
+
target and match, you can set and match on this mark.
345
+
317
346
# alphabetically ordered list of targets
347
+
348
+
comment "Xtables targets"
318
349
319
350
config NETFILTER_XT_TARGET_CLASSIFY
320
351
tristate '"CLASSIFY" target support'
···
363
332
tristate '"CONNMARK" target support'
364
333
depends on NF_CONNTRACK
365
334
depends on NETFILTER_ADVANCED
366
-
select NF_CONNTRACK_MARK
367
-
help
368
-
This option adds a `CONNMARK' target, which allows one to manipulate
369
-
the connection mark value. Similar to the MARK target, but
370
-
affects the connection mark value rather than the packet mark value.
371
-
372
-
If you want to compile it as a module, say M here and read
373
-
<file:Documentation/kbuild/modules.txt>. The module will be called
374
-
ipt_CONNMARK. If unsure, say `N'.
335
+
select NETFILTER_XT_CONNMARK
336
+
---help---
337
+
This is a backwards-compat option for the user's convenience
338
+
(e.g. when running oldconfig). It selects
339
+
CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
375
340
376
341
config NETFILTER_XT_TARGET_CONNSECMARK
377
342
tristate '"CONNSECMARK" target support'
···
450
423
451
424
config NETFILTER_XT_TARGET_MARK
452
425
tristate '"MARK" target support'
453
-
default m if NETFILTER_ADVANCED=n
454
-
help
455
-
This option adds a `MARK' target, which allows you to create rules
456
-
in the `mangle' table which alter the netfilter mark (nfmark) field
457
-
associated with the packet prior to routing. This can change
458
-
the routing method (see `Use netfilter MARK value as routing
459
-
key') and can also be used by other subsystems to change their
460
-
behavior.
461
-
462
-
To compile it as a module, choose M here. If unsure, say N.
426
+
depends on NETFILTER_ADVANCED
427
+
select NETFILTER_XT_MARK
428
+
---help---
429
+
This is a backwards-compat option for the user's convenience
430
+
(e.g. when running oldconfig). It selects
431
+
CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
463
432
464
433
config NETFILTER_XT_TARGET_NFLOG
465
434
tristate '"NFLOG" target support'
···
501
478
used to match on the measured rates.
502
479
503
480
To compile it as a module, choose M here. If unsure, say N.
481
+
482
+
config NETFILTER_XT_TARGET_TEE
483
+
tristate '"TEE" - packet cloning to alternate destiantion'
484
+
depends on NETFILTER_ADVANCED
485
+
---help---
486
+
This option adds a "TEE" target with which a packet can be cloned and
487
+
this clone be rerouted to another nexthop.
504
488
505
489
config NETFILTER_XT_TARGET_TPROXY
506
490
tristate '"TPROXY" target support (EXPERIMENTAL)'
···
582
552
This option adds a "TCPOPTSTRIP" target, which allows you to strip
583
553
TCP options from TCP packets.
584
554
555
+
# alphabetically ordered list of matches
556
+
557
+
comment "Xtables matches"
558
+
585
559
config NETFILTER_XT_MATCH_CLUSTER
586
560
tristate '"cluster" match support'
587
561
depends on NF_CONNTRACK
···
636
602
tristate '"connmark" connection mark match support'
637
603
depends on NF_CONNTRACK
638
604
depends on NETFILTER_ADVANCED
639
-
select NF_CONNTRACK_MARK
640
-
help
641
-
This option adds a `connmark' match, which allows you to match the
642
-
connection mark value previously set for the session by `CONNMARK'.
643
-
644
-
If you want to compile it as a module, say M here and read
645
-
<file:Documentation/kbuild/modules.txt>. The module will be called
646
-
ipt_connmark. If unsure, say `N'.
605
+
select NETFILTER_XT_CONNMARK
606
+
---help---
607
+
This is a backwards-compat option for the user's convenience
608
+
(e.g. when running oldconfig). It selects
609
+
CONFIG_NETFILTER_XT_CONNMARK (combined connmark/CONNMARK module).
647
610
648
611
config NETFILTER_XT_MATCH_CONNTRACK
649
612
tristate '"conntrack" connection tracking match support'
···
764
733
765
734
config NETFILTER_XT_MATCH_MARK
766
735
tristate '"mark" match support'
767
-
default m if NETFILTER_ADVANCED=n
768
-
help
769
-
Netfilter mark matching allows you to match packets based on the
770
-
`nfmark' value in the packet. This can be set by the MARK target
771
-
(see below).
772
-
773
-
To compile it as a module, choose M here. If unsure, say N.
736
+
depends on NETFILTER_ADVANCED
737
+
select NETFILTER_XT_MARK
738
+
---help---
739
+
This is a backwards-compat option for the user's convenience
740
+
(e.g. when running oldconfig). It selects
741
+
CONFIG_NETFILTER_XT_MARK (combined mark/MARK module).
774
742
775
743
config NETFILTER_XT_MATCH_MULTIPORT
776
744
tristate '"multiport" Multiple port match support'
···
778
748
Multiport matching allows you to match TCP or UDP packets based on
779
749
a series of source or destination ports: normally a rule can only
780
750
match a single range of ports.
751
+
752
+
To compile it as a module, choose M here. If unsure, say N.
753
+
754
+
config NETFILTER_XT_MATCH_OSF
755
+
tristate '"osf" Passive OS fingerprint match'
756
+
depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
757
+
help
758
+
This option selects the Passive OS Fingerprinting match module
759
+
that allows to passively match the remote operating system by
760
+
analyzing incoming TCP SYN packets.
761
+
762
+
Rules and loading software can be downloaded from
763
+
http://www.ioremap.net/projects/osf
781
764
782
765
To compile it as a module, choose M here. If unsure, say N.
783
766
···
878
835
879
836
Short options are available by using 'iptables -m recent -h'
880
837
Official Website: <http://snowman.net/projects/ipt_recent/>
881
-
882
-
config NETFILTER_XT_MATCH_RECENT_PROC_COMPAT
883
-
bool 'Enable obsolete /proc/net/ipt_recent'
884
-
depends on NETFILTER_XT_MATCH_RECENT && PROC_FS
885
-
---help---
886
-
This option enables the old /proc/net/ipt_recent interface,
887
-
which has been obsoleted by /proc/net/xt_recent.
888
838
889
839
config NETFILTER_XT_MATCH_SCTP
890
840
tristate '"sctp" protocol match support (EXPERIMENTAL)'
···
977
941
lengths.
978
942
979
943
Details and examples are in the kernel module source.
980
-
981
-
config NETFILTER_XT_MATCH_OSF
982
-
tristate '"osf" Passive OS fingerprint match'
983
-
depends on NETFILTER_ADVANCED && NETFILTER_NETLINK
984
-
help
985
-
This option selects the Passive OS Fingerprinting match module
986
-
that allows to passively match the remote operating system by
987
-
analyzing incoming TCP SYN packets.
988
-
989
-
Rules and loading software can be downloaded from
990
-
http://www.ioremap.net/projects/osf
991
-
992
-
To compile it as a module, choose M here. If unsure, say N.
993
944
994
945
endif # NETFILTER_XTABLES
995
946
+5
-4
net/netfilter/Makefile
+5
-4
net/netfilter/Makefile
···
40
40
# generic X tables
41
41
obj-$(CONFIG_NETFILTER_XTABLES) += x_tables.o xt_tcpudp.o
42
42
43
+
# combos
44
+
obj-$(CONFIG_NETFILTER_XT_MARK) += xt_mark.o
45
+
obj-$(CONFIG_NETFILTER_XT_CONNMARK) += xt_connmark.o
46
+
43
47
# targets
44
48
obj-$(CONFIG_NETFILTER_XT_TARGET_CLASSIFY) += xt_CLASSIFY.o
45
-
obj-$(CONFIG_NETFILTER_XT_TARGET_CONNMARK) += xt_CONNMARK.o
46
49
obj-$(CONFIG_NETFILTER_XT_TARGET_CONNSECMARK) += xt_CONNSECMARK.o
47
50
obj-$(CONFIG_NETFILTER_XT_TARGET_CT) += xt_CT.o
48
51
obj-$(CONFIG_NETFILTER_XT_TARGET_DSCP) += xt_DSCP.o
49
52
obj-$(CONFIG_NETFILTER_XT_TARGET_HL) += xt_HL.o
50
53
obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o
51
-
obj-$(CONFIG_NETFILTER_XT_TARGET_MARK) += xt_MARK.o
52
54
obj-$(CONFIG_NETFILTER_XT_TARGET_NFLOG) += xt_NFLOG.o
53
55
obj-$(CONFIG_NETFILTER_XT_TARGET_NFQUEUE) += xt_NFQUEUE.o
54
56
obj-$(CONFIG_NETFILTER_XT_TARGET_NOTRACK) += xt_NOTRACK.o
···
59
57
obj-$(CONFIG_NETFILTER_XT_TARGET_TPROXY) += xt_TPROXY.o
60
58
obj-$(CONFIG_NETFILTER_XT_TARGET_TCPMSS) += xt_TCPMSS.o
61
59
obj-$(CONFIG_NETFILTER_XT_TARGET_TCPOPTSTRIP) += xt_TCPOPTSTRIP.o
60
+
obj-$(CONFIG_NETFILTER_XT_TARGET_TEE) += xt_TEE.o
62
61
obj-$(CONFIG_NETFILTER_XT_TARGET_TRACE) += xt_TRACE.o
63
62
64
63
# matches
···
67
64
obj-$(CONFIG_NETFILTER_XT_MATCH_COMMENT) += xt_comment.o
68
65
obj-$(CONFIG_NETFILTER_XT_MATCH_CONNBYTES) += xt_connbytes.o
69
66
obj-$(CONFIG_NETFILTER_XT_MATCH_CONNLIMIT) += xt_connlimit.o
70
-
obj-$(CONFIG_NETFILTER_XT_MATCH_CONNMARK) += xt_connmark.o
71
67
obj-$(CONFIG_NETFILTER_XT_MATCH_CONNTRACK) += xt_conntrack.o
72
68
obj-$(CONFIG_NETFILTER_XT_MATCH_DCCP) += xt_dccp.o
73
69
obj-$(CONFIG_NETFILTER_XT_MATCH_DSCP) += xt_dscp.o
···
78
76
obj-$(CONFIG_NETFILTER_XT_MATCH_LENGTH) += xt_length.o
79
77
obj-$(CONFIG_NETFILTER_XT_MATCH_LIMIT) += xt_limit.o
80
78
obj-$(CONFIG_NETFILTER_XT_MATCH_MAC) += xt_mac.o
81
-
obj-$(CONFIG_NETFILTER_XT_MATCH_MARK) += xt_mark.o
82
79
obj-$(CONFIG_NETFILTER_XT_MATCH_MULTIPORT) += xt_multiport.o
83
80
obj-$(CONFIG_NETFILTER_XT_MATCH_OSF) += xt_osf.o
84
81
obj-$(CONFIG_NETFILTER_XT_MATCH_OWNER) += xt_owner.o
+8
-2
net/netfilter/ipvs/ip_vs_ftp.c
+8
-2
net/netfilter/ipvs/ip_vs_ftp.c
···
209
209
*/
210
210
from.ip = n_cp->vaddr.ip;
211
211
port = n_cp->vport;
212
-
sprintf(buf, "%u,%u,%u,%u,%u,%u", NIPQUAD(from.ip),
213
-
(ntohs(port)>>8)&255, ntohs(port)&255);
212
+
snprintf(buf, sizeof(buf), "%u,%u,%u,%u,%u,%u",
213
+
((unsigned char *)&from.ip)[0],
214
+
((unsigned char *)&from.ip)[1],
215
+
((unsigned char *)&from.ip)[2],
216
+
((unsigned char *)&from.ip)[3],
217
+
ntohs(port) >> 8,
218
+
ntohs(port) & 0xFF);
219
+
214
220
buf_len = strlen(buf);
215
221
216
222
/*
+12
-16
net/netfilter/ipvs/ip_vs_proto.c
+12
-16
net/netfilter/ipvs/ip_vs_proto.c
···
167
167
168
168
ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
169
169
if (ih == NULL)
170
-
sprintf(buf, "%s TRUNCATED", pp->name);
170
+
sprintf(buf, "TRUNCATED");
171
171
else if (ih->frag_off & htons(IP_OFFSET))
172
-
sprintf(buf, "%s %pI4->%pI4 frag",
173
-
pp->name, &ih->saddr, &ih->daddr);
172
+
sprintf(buf, "%pI4->%pI4 frag", &ih->saddr, &ih->daddr);
174
173
else {
175
174
__be16 _ports[2], *pptr
176
175
;
177
176
pptr = skb_header_pointer(skb, offset + ih->ihl*4,
178
177
sizeof(_ports), _ports);
179
178
if (pptr == NULL)
180
-
sprintf(buf, "%s TRUNCATED %pI4->%pI4",
181
-
pp->name, &ih->saddr, &ih->daddr);
179
+
sprintf(buf, "TRUNCATED %pI4->%pI4",
180
+
&ih->saddr, &ih->daddr);
182
181
else
183
-
sprintf(buf, "%s %pI4:%u->%pI4:%u",
184
-
pp->name,
182
+
sprintf(buf, "%pI4:%u->%pI4:%u",
185
183
&ih->saddr, ntohs(pptr[0]),
186
184
&ih->daddr, ntohs(pptr[1]));
187
185
}
188
186
189
-
pr_debug("%s: %s\n", msg, buf);
187
+
pr_debug("%s: %s %s\n", msg, pp->name, buf);
190
188
}
191
189
192
190
#ifdef CONFIG_IP_VS_IPV6
···
199
201
200
202
ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
201
203
if (ih == NULL)
202
-
sprintf(buf, "%s TRUNCATED", pp->name);
204
+
sprintf(buf, "TRUNCATED");
203
205
else if (ih->nexthdr == IPPROTO_FRAGMENT)
204
-
sprintf(buf, "%s %pI6->%pI6 frag",
205
-
pp->name, &ih->saddr, &ih->daddr);
206
+
sprintf(buf, "%pI6->%pI6 frag", &ih->saddr, &ih->daddr);
206
207
else {
207
208
__be16 _ports[2], *pptr;
208
209
209
210
pptr = skb_header_pointer(skb, offset + sizeof(struct ipv6hdr),
210
211
sizeof(_ports), _ports);
211
212
if (pptr == NULL)
212
-
sprintf(buf, "%s TRUNCATED %pI6->%pI6",
213
-
pp->name, &ih->saddr, &ih->daddr);
213
+
sprintf(buf, "TRUNCATED %pI6->%pI6",
214
+
&ih->saddr, &ih->daddr);
214
215
else
215
-
sprintf(buf, "%s %pI6:%u->%pI6:%u",
216
-
pp->name,
216
+
sprintf(buf, "%pI6:%u->%pI6:%u",
217
217
&ih->saddr, ntohs(pptr[0]),
218
218
&ih->daddr, ntohs(pptr[1]));
219
219
}
220
220
221
-
pr_debug("%s: %s\n", msg, buf);
221
+
pr_debug("%s: %s %s\n", msg, pp->name, buf);
222
222
}
223
223
#endif
224
224
+6
-8
net/netfilter/ipvs/ip_vs_proto_ah_esp.c
+6
-8
net/netfilter/ipvs/ip_vs_proto_ah_esp.c
···
136
136
137
137
ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
138
138
if (ih == NULL)
139
-
sprintf(buf, "%s TRUNCATED", pp->name);
139
+
sprintf(buf, "TRUNCATED");
140
140
else
141
-
sprintf(buf, "%s %pI4->%pI4",
142
-
pp->name, &ih->saddr, &ih->daddr);
141
+
sprintf(buf, "%pI4->%pI4", &ih->saddr, &ih->daddr);
143
142
144
-
pr_debug("%s: %s\n", msg, buf);
143
+
pr_debug("%s: %s %s\n", msg, pp->name, buf);
145
144
}
146
145
147
146
#ifdef CONFIG_IP_VS_IPV6
···
153
154
154
155
ih = skb_header_pointer(skb, offset, sizeof(_iph), &_iph);
155
156
if (ih == NULL)
156
-
sprintf(buf, "%s TRUNCATED", pp->name);
157
+
sprintf(buf, "TRUNCATED");
157
158
else
158
-
sprintf(buf, "%s %pI6->%pI6",
159
-
pp->name, &ih->saddr, &ih->daddr);
159
+
sprintf(buf, "%pI6->%pI6", &ih->saddr, &ih->daddr);
160
160
161
-
pr_debug("%s: %s\n", msg, buf);
161
+
pr_debug("%s: %s %s\n", msg, pp->name, buf);
162
162
}
163
163
#endif
164
164
+8
-8
net/netfilter/ipvs/ip_vs_xmit.c
+8
-8
net/netfilter/ipvs/ip_vs_xmit.c
···
270
270
/* Another hack: avoid icmp_send in ip_fragment */
271
271
skb->local_df = 1;
272
272
273
-
IP_VS_XMIT(PF_INET, skb, rt);
273
+
IP_VS_XMIT(NFPROTO_IPV4, skb, rt);
274
274
275
275
LeaveFunction(10);
276
276
return NF_STOLEN;
···
334
334
/* Another hack: avoid icmp_send in ip_fragment */
335
335
skb->local_df = 1;
336
336
337
-
IP_VS_XMIT(PF_INET6, skb, rt);
337
+
IP_VS_XMIT(NFPROTO_IPV6, skb, rt);
338
338
339
339
LeaveFunction(10);
340
340
return NF_STOLEN;
···
410
410
/* Another hack: avoid icmp_send in ip_fragment */
411
411
skb->local_df = 1;
412
412
413
-
IP_VS_XMIT(PF_INET, skb, rt);
413
+
IP_VS_XMIT(NFPROTO_IPV4, skb, rt);
414
414
415
415
LeaveFunction(10);
416
416
return NF_STOLEN;
···
486
486
/* Another hack: avoid icmp_send in ip_fragment */
487
487
skb->local_df = 1;
488
488
489
-
IP_VS_XMIT(PF_INET6, skb, rt);
489
+
IP_VS_XMIT(NFPROTO_IPV6, skb, rt);
490
490
491
491
LeaveFunction(10);
492
492
return NF_STOLEN;
···
785
785
/* Another hack: avoid icmp_send in ip_fragment */
786
786
skb->local_df = 1;
787
787
788
-
IP_VS_XMIT(PF_INET, skb, rt);
788
+
IP_VS_XMIT(NFPROTO_IPV4, skb, rt);
789
789
790
790
LeaveFunction(10);
791
791
return NF_STOLEN;
···
838
838
/* Another hack: avoid icmp_send in ip_fragment */
839
839
skb->local_df = 1;
840
840
841
-
IP_VS_XMIT(PF_INET6, skb, rt);
841
+
IP_VS_XMIT(NFPROTO_IPV6, skb, rt);
842
842
843
843
LeaveFunction(10);
844
844
return NF_STOLEN;
···
912
912
/* Another hack: avoid icmp_send in ip_fragment */
913
913
skb->local_df = 1;
914
914
915
-
IP_VS_XMIT(PF_INET, skb, rt);
915
+
IP_VS_XMIT(NFPROTO_IPV4, skb, rt);
916
916
917
917
rc = NF_STOLEN;
918
918
goto out;
···
987
987
/* Another hack: avoid icmp_send in ip_fragment */
988
988
skb->local_df = 1;
989
989
990
-
IP_VS_XMIT(PF_INET6, skb, rt);
990
+
IP_VS_XMIT(NFPROTO_IPV6, skb, rt);
991
991
992
992
rc = NF_STOLEN;
993
993
goto out;
+3
-1
net/netfilter/nf_conntrack_core.c
+3
-1
net/netfilter/nf_conntrack_core.c
···
319
319
* not the expected one, we must restart lookup.
320
320
* We probably met an item that was moved to another chain.
321
321
*/
322
-
if (get_nulls_value(n) != hash)
322
+
if (get_nulls_value(n) != hash) {
323
+
NF_CT_STAT_INC(net, search_restart);
323
324
goto begin;
325
+
}
324
326
local_bh_enable();
325
327
326
328
return NULL;
+8
-4
net/netfilter/nf_conntrack_ecache.c
+8
-4
net/netfilter/nf_conntrack_ecache.c
···
85
85
struct nf_ct_event_notifier *notify;
86
86
87
87
mutex_lock(&nf_ct_ecache_mutex);
88
-
notify = rcu_dereference(nf_conntrack_event_cb);
88
+
notify = rcu_dereference_protected(nf_conntrack_event_cb,
89
+
lockdep_is_held(&nf_ct_ecache_mutex));
89
90
if (notify != NULL) {
90
91
ret = -EBUSY;
91
92
goto out_unlock;
···
106
105
struct nf_ct_event_notifier *notify;
107
106
108
107
mutex_lock(&nf_ct_ecache_mutex);
109
-
notify = rcu_dereference(nf_conntrack_event_cb);
108
+
notify = rcu_dereference_protected(nf_conntrack_event_cb,
109
+
lockdep_is_held(&nf_ct_ecache_mutex));
110
110
BUG_ON(notify != new);
111
111
rcu_assign_pointer(nf_conntrack_event_cb, NULL);
112
112
mutex_unlock(&nf_ct_ecache_mutex);
···
120
118
struct nf_exp_event_notifier *notify;
121
119
122
120
mutex_lock(&nf_ct_ecache_mutex);
123
-
notify = rcu_dereference(nf_expect_event_cb);
121
+
notify = rcu_dereference_protected(nf_expect_event_cb,
122
+
lockdep_is_held(&nf_ct_ecache_mutex));
124
123
if (notify != NULL) {
125
124
ret = -EBUSY;
126
125
goto out_unlock;
···
141
138
struct nf_exp_event_notifier *notify;
142
139
143
140
mutex_lock(&nf_ct_ecache_mutex);
144
-
notify = rcu_dereference(nf_expect_event_cb);
141
+
notify = rcu_dereference_protected(nf_expect_event_cb,
142
+
lockdep_is_held(&nf_ct_ecache_mutex));
145
143
BUG_ON(notify != new);
146
144
rcu_assign_pointer(nf_expect_event_cb, NULL);
147
145
mutex_unlock(&nf_ct_ecache_mutex);
+1
-2
net/netfilter/nf_conntrack_h323_main.c
+1
-2
net/netfilter/nf_conntrack_h323_main.c
+12
-5
net/netfilter/nf_conntrack_netlink.c
+12
-5
net/netfilter/nf_conntrack_netlink.c
···
427
427
}
428
428
429
429
static inline size_t
430
+
ctnetlink_counters_size(const struct nf_conn *ct)
431
+
{
432
+
if (!nf_ct_ext_exist(ct, NF_CT_EXT_ACCT))
433
+
return 0;
434
+
return 2 * nla_total_size(0) /* CTA_COUNTERS_ORIG|REPL */
435
+
+ 2 * nla_total_size(sizeof(uint64_t)) /* CTA_COUNTERS_PACKETS */
436
+
+ 2 * nla_total_size(sizeof(uint64_t)) /* CTA_COUNTERS_BYTES */
437
+
;
438
+
}
439
+
440
+
static inline size_t
430
441
ctnetlink_nlmsg_size(const struct nf_conn *ct)
431
442
{
432
443
return NLMSG_ALIGN(sizeof(struct nfgenmsg))
···
447
436
+ 3 * nla_total_size(sizeof(u_int8_t)) /* CTA_PROTO_NUM */
448
437
+ nla_total_size(sizeof(u_int32_t)) /* CTA_ID */
449
438
+ nla_total_size(sizeof(u_int32_t)) /* CTA_STATUS */
450
-
#ifdef CONFIG_NF_CT_ACCT
451
-
+ 2 * nla_total_size(0) /* CTA_COUNTERS_ORIG|REPL */
452
-
+ 2 * nla_total_size(sizeof(uint64_t)) /* CTA_COUNTERS_PACKETS */
453
-
+ 2 * nla_total_size(sizeof(uint64_t)) /* CTA_COUNTERS_BYTES */
454
-
#endif
439
+
+ ctnetlink_counters_size(ct)
455
440
+ nla_total_size(sizeof(u_int32_t)) /* CTA_TIMEOUT */
456
441
+ nla_total_size(0) /* CTA_PROTOINFO */
457
442
+ nla_total_size(0) /* CTA_HELP */
+5
-3
net/netfilter/nf_conntrack_proto.c
+5
-3
net/netfilter/nf_conntrack_proto.c
···
14
14
#include <linux/module.h>
15
15
#include <linux/slab.h>
16
16
#include <linux/mutex.h>
17
-
#include <linux/skbuff.h>
18
17
#include <linux/vmalloc.h>
19
18
#include <linux/stddef.h>
20
19
#include <linux/err.h>
21
20
#include <linux/percpu.h>
22
-
#include <linux/moduleparam.h>
23
21
#include <linux/notifier.h>
24
22
#include <linux/kernel.h>
25
23
#include <linux/netdevice.h>
···
117
119
{
118
120
struct nf_conntrack_l3proto *p;
119
121
120
-
/* rcu_read_lock not necessary since the caller holds a reference */
122
+
/* rcu_read_lock not necessary since the caller holds a reference, but
123
+
* taken anyways to avoid lockdep warnings in __nf_ct_l3proto_find()
124
+
*/
125
+
rcu_read_lock();
121
126
p = __nf_ct_l3proto_find(l3proto);
122
127
module_put(p->me);
128
+
rcu_read_unlock();
123
129
}
124
130
EXPORT_SYMBOL_GPL(nf_ct_l3proto_module_put);
125
131
+4
-3
net/netfilter/nf_conntrack_standalone.c
+4
-3
net/netfilter/nf_conntrack_standalone.c
···
252
252
const struct ip_conntrack_stat *st = v;
253
253
254
254
if (v == SEQ_START_TOKEN) {
255
-
seq_printf(seq, "entries searched found new invalid ignore delete delete_list insert insert_failed drop early_drop icmp_error expect_new expect_create expect_delete\n");
255
+
seq_printf(seq, "entries searched found new invalid ignore delete delete_list insert insert_failed drop early_drop icmp_error expect_new expect_create expect_delete search_restart\n");
256
256
return 0;
257
257
}
258
258
259
259
seq_printf(seq, "%08x %08x %08x %08x %08x %08x %08x %08x "
260
-
"%08x %08x %08x %08x %08x %08x %08x %08x \n",
260
+
"%08x %08x %08x %08x %08x %08x %08x %08x %08x\n",
261
261
nr_conntracks,
262
262
st->searched,
263
263
st->found,
···
274
274
275
275
st->expect_new,
276
276
st->expect_create,
277
-
st->expect_delete
277
+
st->expect_delete,
278
+
st->search_restart
278
279
);
279
280
return 0;
280
281
}
+4
-2
net/netfilter/nf_log.c
+4
-2
net/netfilter/nf_log.c
···
52
52
} else {
53
53
/* register at end of list to honor first register win */
54
54
list_add_tail(&logger->list[pf], &nf_loggers_l[pf]);
55
-
llog = rcu_dereference(nf_loggers[pf]);
55
+
llog = rcu_dereference_protected(nf_loggers[pf],
56
+
lockdep_is_held(&nf_log_mutex));
56
57
if (llog == NULL)
57
58
rcu_assign_pointer(nf_loggers[pf], logger);
58
59
}
···
71
70
72
71
mutex_lock(&nf_log_mutex);
73
72
for (i = 0; i < ARRAY_SIZE(nf_loggers); i++) {
74
-
c_logger = rcu_dereference(nf_loggers[i]);
73
+
c_logger = rcu_dereference_protected(nf_loggers[i],
74
+
lockdep_is_held(&nf_log_mutex));
75
75
if (c_logger == logger)
76
76
rcu_assign_pointer(nf_loggers[i], NULL);
77
77
list_del(&logger->list[i]);
-3
net/netfilter/nfnetlink.c
-3
net/netfilter/nfnetlink.c
···
18
18
#include <linux/types.h>
19
19
#include <linux/socket.h>
20
20
#include <linux/kernel.h>
21
-
#include <linux/major.h>
22
-
#include <linux/timer.h>
23
21
#include <linux/string.h>
24
22
#include <linux/sockios.h>
25
23
#include <linux/net.h>
26
-
#include <linux/fcntl.h>
27
24
#include <linux/skbuff.h>
28
25
#include <asm/uaccess.h>
29
26
#include <asm/system.h>
+1
-2
net/netfilter/nfnetlink_queue.c
+1
-2
net/netfilter/nfnetlink_queue.c
···
246
246
break;
247
247
248
248
case NFQNL_COPY_PACKET:
249
-
if ((entskb->ip_summed == CHECKSUM_PARTIAL ||
250
-
entskb->ip_summed == CHECKSUM_COMPLETE) &&
249
+
if (entskb->ip_summed == CHECKSUM_PARTIAL &&
251
250
skb_checksum_help(entskb)) {
252
251
spin_unlock_bh(&queue->lock);
253
252
return NULL;
+112
-16
net/netfilter/x_tables.c
+112
-16
net/netfilter/x_tables.c
···
12
12
* published by the Free Software Foundation.
13
13
*
14
14
*/
15
-
15
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
16
16
#include <linux/kernel.h>
17
17
#include <linux/socket.h>
18
18
#include <linux/net.h>
···
55
55
56
56
static struct xt_af *xt;
57
57
58
-
#ifdef DEBUG_IP_FIREWALL_USER
59
-
#define duprintf(format, args...) printk(format , ## args)
60
-
#else
61
-
#define duprintf(format, args...)
62
-
#endif
63
-
64
58
static const char *const xt_prefix[NFPROTO_NUMPROTO] = {
65
59
[NFPROTO_UNSPEC] = "x",
66
60
[NFPROTO_IPV4] = "ip",
···
62
68
[NFPROTO_BRIDGE] = "eb",
63
69
[NFPROTO_IPV6] = "ip6",
64
70
};
71
+
72
+
/* Allow this many total (re)entries. */
73
+
static const unsigned int xt_jumpstack_multiplier = 2;
65
74
66
75
/* Registration hooks for targets. */
67
76
int
···
218
221
}
219
222
EXPORT_SYMBOL(xt_find_match);
220
223
224
+
struct xt_match *
225
+
xt_request_find_match(uint8_t nfproto, const char *name, uint8_t revision)
226
+
{
227
+
struct xt_match *match;
228
+
229
+
match = try_then_request_module(xt_find_match(nfproto, name, revision),
230
+
"%st_%s", xt_prefix[nfproto], name);
231
+
return (match != NULL) ? match : ERR_PTR(-ENOENT);
232
+
}
233
+
EXPORT_SYMBOL_GPL(xt_request_find_match);
234
+
221
235
/* Find target, grabs ref. Returns ERR_PTR() on error. */
222
236
struct xt_target *xt_find_target(u8 af, const char *name, u8 revision)
223
237
{
···
265
257
266
258
target = try_then_request_module(xt_find_target(af, name, revision),
267
259
"%st_%s", xt_prefix[af], name);
268
-
if (IS_ERR(target) || !target)
269
-
return NULL;
270
-
return target;
260
+
return (target != NULL) ? target : ERR_PTR(-ENOENT);
271
261
}
272
262
EXPORT_SYMBOL_GPL(xt_request_find_target);
273
263
···
367
361
int xt_check_match(struct xt_mtchk_param *par,
368
362
unsigned int size, u_int8_t proto, bool inv_proto)
369
363
{
364
+
int ret;
365
+
370
366
if (XT_ALIGN(par->match->matchsize) != size &&
371
367
par->match->matchsize != -1) {
372
368
/*
···
405
397
par->match->proto);
406
398
return -EINVAL;
407
399
}
408
-
if (par->match->checkentry != NULL && !par->match->checkentry(par))
409
-
return -EINVAL;
400
+
if (par->match->checkentry != NULL) {
401
+
ret = par->match->checkentry(par);
402
+
if (ret < 0)
403
+
return ret;
404
+
else if (ret > 0)
405
+
/* Flag up potential errors. */
406
+
return -EIO;
407
+
}
410
408
return 0;
411
409
}
412
410
EXPORT_SYMBOL_GPL(xt_check_match);
···
532
518
int xt_check_target(struct xt_tgchk_param *par,
533
519
unsigned int size, u_int8_t proto, bool inv_proto)
534
520
{
521
+
int ret;
522
+
535
523
if (XT_ALIGN(par->target->targetsize) != size) {
536
524
pr_err("%s_tables: %s.%u target: invalid size "
537
525
"%u (kernel) != (user) %u\n",
···
565
549
par->target->proto);
566
550
return -EINVAL;
567
551
}
568
-
if (par->target->checkentry != NULL && !par->target->checkentry(par))
569
-
return -EINVAL;
552
+
if (par->target->checkentry != NULL) {
553
+
ret = par->target->checkentry(par);
554
+
if (ret < 0)
555
+
return ret;
556
+
else if (ret > 0)
557
+
/* Flag up potential errors. */
558
+
return -EIO;
559
+
}
570
560
return 0;
571
561
}
572
562
EXPORT_SYMBOL_GPL(xt_check_target);
···
684
662
else
685
663
vfree(info->entries[cpu]);
686
664
}
665
+
666
+
if (info->jumpstack != NULL) {
667
+
if (sizeof(void *) * info->stacksize > PAGE_SIZE) {
668
+
for_each_possible_cpu(cpu)
669
+
vfree(info->jumpstack[cpu]);
670
+
} else {
671
+
for_each_possible_cpu(cpu)
672
+
kfree(info->jumpstack[cpu]);
673
+
}
674
+
}
675
+
676
+
if (sizeof(void **) * nr_cpu_ids > PAGE_SIZE)
677
+
vfree(info->jumpstack);
678
+
else
679
+
kfree(info->jumpstack);
680
+
if (sizeof(unsigned int) * nr_cpu_ids > PAGE_SIZE)
681
+
vfree(info->stackptr);
682
+
else
683
+
kfree(info->stackptr);
684
+
687
685
kfree(info);
688
686
}
689
687
EXPORT_SYMBOL(xt_free_table_info);
···
748
706
DEFINE_PER_CPU(struct xt_info_lock, xt_info_locks);
749
707
EXPORT_PER_CPU_SYMBOL_GPL(xt_info_locks);
750
708
709
+
static int xt_jumpstack_alloc(struct xt_table_info *i)
710
+
{
711
+
unsigned int size;
712
+
int cpu;
713
+
714
+
size = sizeof(unsigned int) * nr_cpu_ids;
715
+
if (size > PAGE_SIZE)
716
+
i->stackptr = vmalloc(size);
717
+
else
718
+
i->stackptr = kmalloc(size, GFP_KERNEL);
719
+
if (i->stackptr == NULL)
720
+
return -ENOMEM;
721
+
memset(i->stackptr, 0, size);
722
+
723
+
size = sizeof(void **) * nr_cpu_ids;
724
+
if (size > PAGE_SIZE)
725
+
i->jumpstack = vmalloc(size);
726
+
else
727
+
i->jumpstack = kmalloc(size, GFP_KERNEL);
728
+
if (i->jumpstack == NULL)
729
+
return -ENOMEM;
730
+
memset(i->jumpstack, 0, size);
731
+
732
+
i->stacksize *= xt_jumpstack_multiplier;
733
+
size = sizeof(void *) * i->stacksize;
734
+
for_each_possible_cpu(cpu) {
735
+
if (size > PAGE_SIZE)
736
+
i->jumpstack[cpu] = vmalloc_node(size,
737
+
cpu_to_node(cpu));
738
+
else
739
+
i->jumpstack[cpu] = kmalloc_node(size,
740
+
GFP_KERNEL, cpu_to_node(cpu));
741
+
if (i->jumpstack[cpu] == NULL)
742
+
/*
743
+
* Freeing will be done later on by the callers. The
744
+
* chain is: xt_replace_table -> __do_replace ->
745
+
* do_replace -> xt_free_table_info.
746
+
*/
747
+
return -ENOMEM;
748
+
}
749
+
750
+
return 0;
751
+
}
751
752
752
753
struct xt_table_info *
753
754
xt_replace_table(struct xt_table *table,
···
799
714
int *error)
800
715
{
801
716
struct xt_table_info *private;
717
+
int ret;
718
+
719
+
ret = xt_jumpstack_alloc(newinfo);
720
+
if (ret < 0) {
721
+
*error = ret;
722
+
return NULL;
723
+
}
802
724
803
725
/* Do the substitution. */
804
726
local_bh_disable();
···
813
721
814
722
/* Check inside lock: is the old number correct? */
815
723
if (num_counters != private->number) {
816
-
duprintf("num_counters != table->private->number (%u/%u)\n",
724
+
pr_debug("num_counters != table->private->number (%u/%u)\n",
817
725
num_counters, private->number);
818
726
local_bh_enable();
819
727
*error = -EAGAIN;
···
844
752
struct xt_table_info *private;
845
753
struct xt_table *t, *table;
846
754
755
+
ret = xt_jumpstack_alloc(newinfo);
756
+
if (ret < 0)
757
+
return ERR_PTR(ret);
758
+
847
759
/* Don't add one object to multiple lists. */
848
760
table = kmemdup(input_table, sizeof(struct xt_table), GFP_KERNEL);
849
761
if (!table) {
···
874
778
goto unlock;
875
779
876
780
private = table->private;
877
-
duprintf("table->private->number = %u\n", private->number);
781
+
pr_debug("table->private->number = %u\n", private->number);
878
782
879
783
/* save number of initial entries */
880
784
private->initial_entries = private->number;
-113
net/netfilter/xt_CONNMARK.c
-113
net/netfilter/xt_CONNMARK.c
···
1
-
/*
2
-
* xt_CONNMARK - Netfilter module to modify the connection mark values
3
-
*
4
-
* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
5
-
* by Henrik Nordstrom <hno@marasystems.com>
6
-
* Copyright © CC Computer Consultants GmbH, 2007 - 2008
7
-
* Jan Engelhardt <jengelh@computergmbh.de>
8
-
*
9
-
* This program is free software; you can redistribute it and/or modify
10
-
* it under the terms of the GNU General Public License as published by
11
-
* the Free Software Foundation; either version 2 of the License, or
12
-
* (at your option) any later version.
13
-
*
14
-
* This program is distributed in the hope that it will be useful,
15
-
* but WITHOUT ANY WARRANTY; without even the implied warranty of
16
-
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17
-
* GNU General Public License for more details.
18
-
*
19
-
* You should have received a copy of the GNU General Public License
20
-
* along with this program; if not, write to the Free Software
21
-
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
22
-
*/
23
-
#include <linux/module.h>
24
-
#include <linux/skbuff.h>
25
-
#include <linux/ip.h>
26
-
#include <net/checksum.h>
27
-
28
-
MODULE_AUTHOR("Henrik Nordstrom <hno@marasystems.com>");
29
-
MODULE_DESCRIPTION("Xtables: connection mark modification");
30
-
MODULE_LICENSE("GPL");
31
-
MODULE_ALIAS("ipt_CONNMARK");
32
-
MODULE_ALIAS("ip6t_CONNMARK");
33
-
34
-
#include <linux/netfilter/x_tables.h>
35
-
#include <linux/netfilter/xt_CONNMARK.h>
36
-
#include <net/netfilter/nf_conntrack_ecache.h>
37
-
38
-
static unsigned int
39
-
connmark_tg(struct sk_buff *skb, const struct xt_target_param *par)
40
-
{
41
-
const struct xt_connmark_tginfo1 *info = par->targinfo;
42
-
enum ip_conntrack_info ctinfo;
43
-
struct nf_conn *ct;
44
-
u_int32_t newmark;
45
-
46
-
ct = nf_ct_get(skb, &ctinfo);
47
-
if (ct == NULL)
48
-
return XT_CONTINUE;
49
-
50
-
switch (info->mode) {
51
-
case XT_CONNMARK_SET:
52
-
newmark = (ct->mark & ~info->ctmask) ^ info->ctmark;
53
-
if (ct->mark != newmark) {
54
-
ct->mark = newmark;
55
-
nf_conntrack_event_cache(IPCT_MARK, ct);
56
-
}
57
-
break;
58
-
case XT_CONNMARK_SAVE:
59
-
newmark = (ct->mark & ~info->ctmask) ^
60
-
(skb->mark & info->nfmask);
61
-
if (ct->mark != newmark) {
62
-
ct->mark = newmark;
63
-
nf_conntrack_event_cache(IPCT_MARK, ct);
64
-
}
65
-
break;
66
-
case XT_CONNMARK_RESTORE:
67
-
newmark = (skb->mark & ~info->nfmask) ^
68
-
(ct->mark & info->ctmask);
69
-
skb->mark = newmark;
70
-
break;
71
-
}
72
-
73
-
return XT_CONTINUE;
74
-
}
75
-
76
-
static bool connmark_tg_check(const struct xt_tgchk_param *par)
77
-
{
78
-
if (nf_ct_l3proto_try_module_get(par->family) < 0) {
79
-
printk(KERN_WARNING "cannot load conntrack support for "
80
-
"proto=%u\n", par->family);
81
-
return false;
82
-
}
83
-
return true;
84
-
}
85
-
86
-
static void connmark_tg_destroy(const struct xt_tgdtor_param *par)
87
-
{
88
-
nf_ct_l3proto_module_put(par->family);
89
-
}
90
-
91
-
static struct xt_target connmark_tg_reg __read_mostly = {
92
-
.name = "CONNMARK",
93
-
.revision = 1,
94
-
.family = NFPROTO_UNSPEC,
95
-
.checkentry = connmark_tg_check,
96
-
.target = connmark_tg,
97
-
.targetsize = sizeof(struct xt_connmark_tginfo1),
98
-
.destroy = connmark_tg_destroy,
99
-
.me = THIS_MODULE,
100
-
};
101
-
102
-
static int __init connmark_tg_init(void)
103
-
{
104
-
return xt_register_target(&connmark_tg_reg);
105
-
}
106
-
107
-
static void __exit connmark_tg_exit(void)
108
-
{
109
-
xt_unregister_target(&connmark_tg_reg);
110
-
}
111
-
112
-
module_init(connmark_tg_init);
113
-
module_exit(connmark_tg_exit);
+13
-14
net/netfilter/xt_CONNSECMARK.c
+13
-14
net/netfilter/xt_CONNSECMARK.c
···
15
15
* published by the Free Software Foundation.
16
16
*
17
17
*/
18
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
18
19
#include <linux/module.h>
19
20
#include <linux/skbuff.h>
20
21
#include <linux/netfilter/x_tables.h>
21
22
#include <linux/netfilter/xt_CONNSECMARK.h>
22
23
#include <net/netfilter/nf_conntrack.h>
23
24
#include <net/netfilter/nf_conntrack_ecache.h>
24
-
25
-
#define PFX "CONNSECMARK: "
26
25
27
26
MODULE_LICENSE("GPL");
28
27
MODULE_AUTHOR("James Morris <jmorris@redhat.com>");
···
84
85
return XT_CONTINUE;
85
86
}
86
87
87
-
static bool connsecmark_tg_check(const struct xt_tgchk_param *par)
88
+
static int connsecmark_tg_check(const struct xt_tgchk_param *par)
88
89
{
89
90
const struct xt_connsecmark_target_info *info = par->targinfo;
91
+
int ret;
90
92
91
93
if (strcmp(par->table, "mangle") != 0 &&
92
94
strcmp(par->table, "security") != 0) {
93
-
printk(KERN_INFO PFX "target only valid in the \'mangle\' "
94
-
"or \'security\' tables, not \'%s\'.\n", par->table);
95
-
return false;
95
+
pr_info("target only valid in the \'mangle\' "
96
+
"or \'security\' tables, not \'%s\'.\n", par->table);
97
+
return -EINVAL;
96
98
}
97
99
98
100
switch (info->mode) {
···
102
102
break;
103
103
104
104
default:
105
-
printk(KERN_INFO PFX "invalid mode: %hu\n", info->mode);
106
-
return false;
105
+
pr_info("invalid mode: %hu\n", info->mode);
106
+
return -EINVAL;
107
107
}
108
108
109
-
if (nf_ct_l3proto_try_module_get(par->family) < 0) {
110
-
printk(KERN_WARNING "can't load conntrack support for "
111
-
"proto=%u\n", par->family);
112
-
return false;
113
-
}
114
-
return true;
109
+
ret = nf_ct_l3proto_try_module_get(par->family);
110
+
if (ret < 0)
111
+
pr_info("cannot load conntrack support for proto=%u\n",
112
+
par->family);
113
+
return ret;
115
114
}
116
115
117
116
static void connsecmark_tg_destroy(const struct xt_tgdtor_param *par)
+15
-8
net/netfilter/xt_CT.c
+15
-8
net/netfilter/xt_CT.c
···
38
38
39
39
static u8 xt_ct_find_proto(const struct xt_tgchk_param *par)
40
40
{
41
-
if (par->family == AF_INET) {
41
+
if (par->family == NFPROTO_IPV4) {
42
42
const struct ipt_entry *e = par->entryinfo;
43
43
44
44
if (e->ip.invflags & IPT_INV_PROTO)
45
45
return 0;
46
46
return e->ip.proto;
47
-
} else if (par->family == AF_INET6) {
47
+
} else if (par->family == NFPROTO_IPV6) {
48
48
const struct ip6t_entry *e = par->entryinfo;
49
49
50
50
if (e->ipv6.invflags & IP6T_INV_PROTO)
···
54
54
return 0;
55
55
}
56
56
57
-
static bool xt_ct_tg_check(const struct xt_tgchk_param *par)
57
+
static int xt_ct_tg_check(const struct xt_tgchk_param *par)
58
58
{
59
59
struct xt_ct_target_info *info = par->targinfo;
60
60
struct nf_conntrack_tuple t;
61
61
struct nf_conn_help *help;
62
62
struct nf_conn *ct;
63
+
int ret = 0;
63
64
u8 proto;
64
65
65
66
if (info->flags & ~XT_CT_NOTRACK)
66
-
return false;
67
+
return -EINVAL;
67
68
68
69
if (info->flags & XT_CT_NOTRACK) {
69
70
ct = &nf_conntrack_untracked;
···
77
76
goto err1;
78
77
#endif
79
78
80
-
if (nf_ct_l3proto_try_module_get(par->family) < 0)
79
+
ret = nf_ct_l3proto_try_module_get(par->family);
80
+
if (ret < 0)
81
81
goto err1;
82
82
83
83
memset(&t, 0, sizeof(t));
84
84
ct = nf_conntrack_alloc(par->net, info->zone, &t, &t, GFP_KERNEL);
85
+
ret = PTR_ERR(ct);
85
86
if (IS_ERR(ct))
86
87
goto err2;
87
88
89
+
ret = 0;
88
90
if ((info->ct_events || info->exp_events) &&
89
91
!nf_ct_ecache_ext_add(ct, info->ct_events, info->exp_events,
90
92
GFP_KERNEL))
91
93
goto err3;
92
94
93
95
if (info->helper[0]) {
96
+
ret = -ENOENT;
94
97
proto = xt_ct_find_proto(par);
95
98
if (!proto)
96
99
goto err3;
97
100
101
+
ret = -ENOMEM;
98
102
help = nf_ct_helper_ext_add(ct, GFP_KERNEL);
99
103
if (help == NULL)
100
104
goto err3;
101
105
106
+
ret = -ENOENT;
102
107
help->helper = nf_conntrack_helper_try_module_get(info->helper,
103
108
par->family,
104
109
proto);
···
116
109
__set_bit(IPS_CONFIRMED_BIT, &ct->status);
117
110
out:
118
111
info->ct = ct;
119
-
return true;
112
+
return 0;
120
113
121
114
err3:
122
115
nf_conntrack_free(ct);
123
116
err2:
124
117
nf_ct_l3proto_module_put(par->family);
125
118
err1:
126
-
return false;
119
+
return ret;
127
120
}
128
121
129
122
static void xt_ct_tg_destroy(const struct xt_tgdtor_param *par)
···
145
138
static struct xt_target xt_ct_tg __read_mostly = {
146
139
.name = "CT",
147
140
.family = NFPROTO_UNSPEC,
148
-
.targetsize = XT_ALIGN(sizeof(struct xt_ct_target_info)),
141
+
.targetsize = sizeof(struct xt_ct_target_info),
149
142
.checkentry = xt_ct_tg_check,
150
143
.destroy = xt_ct_tg_destroy,
151
144
.target = xt_ct_target,
+5
-5
net/netfilter/xt_DSCP.c
+5
-5
net/netfilter/xt_DSCP.c
···
9
9
*
10
10
* See RFC2474 for a description of the DSCP field within the IP Header.
11
11
*/
12
-
12
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
13
13
#include <linux/module.h>
14
14
#include <linux/skbuff.h>
15
15
#include <linux/ip.h>
···
60
60
return XT_CONTINUE;
61
61
}
62
62
63
-
static bool dscp_tg_check(const struct xt_tgchk_param *par)
63
+
static int dscp_tg_check(const struct xt_tgchk_param *par)
64
64
{
65
65
const struct xt_DSCP_info *info = par->targinfo;
66
66
67
67
if (info->dscp > XT_DSCP_MAX) {
68
-
printk(KERN_WARNING "DSCP: dscp %x out of range\n", info->dscp);
69
-
return false;
68
+
pr_info("dscp %x out of range\n", info->dscp);
69
+
return -EDOM;
70
70
}
71
-
return true;
71
+
return 0;
72
72
}
73
73
74
74
static unsigned int
+12
-14
net/netfilter/xt_HL.c
+12
-14
net/netfilter/xt_HL.c
···
9
9
* it under the terms of the GNU General Public License version 2 as
10
10
* published by the Free Software Foundation.
11
11
*/
12
-
12
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
13
13
#include <linux/module.h>
14
14
#include <linux/skbuff.h>
15
15
#include <linux/ip.h>
···
101
101
return XT_CONTINUE;
102
102
}
103
103
104
-
static bool ttl_tg_check(const struct xt_tgchk_param *par)
104
+
static int ttl_tg_check(const struct xt_tgchk_param *par)
105
105
{
106
106
const struct ipt_TTL_info *info = par->targinfo;
107
107
108
108
if (info->mode > IPT_TTL_MAXMODE) {
109
-
printk(KERN_WARNING "ipt_TTL: invalid or unknown Mode %u\n",
110
-
info->mode);
111
-
return false;
109
+
pr_info("TTL: invalid or unknown mode %u\n", info->mode);
110
+
return -EINVAL;
112
111
}
113
112
if (info->mode != IPT_TTL_SET && info->ttl == 0)
114
-
return false;
115
-
return true;
113
+
return -EINVAL;
114
+
return 0;
116
115
}
117
116
118
-
static bool hl_tg6_check(const struct xt_tgchk_param *par)
117
+
static int hl_tg6_check(const struct xt_tgchk_param *par)
119
118
{
120
119
const struct ip6t_HL_info *info = par->targinfo;
121
120
122
121
if (info->mode > IP6T_HL_MAXMODE) {
123
-
printk(KERN_WARNING "ip6t_HL: invalid or unknown Mode %u\n",
124
-
info->mode);
125
-
return false;
122
+
pr_info("invalid or unknown mode %u\n", info->mode);
123
+
return -EINVAL;
126
124
}
127
125
if (info->mode != IP6T_HL_SET && info->hop_limit == 0) {
128
-
printk(KERN_WARNING "ip6t_HL: increment/decrement doesn't "
126
+
pr_info("increment/decrement does not "
129
127
"make sense with value 0\n");
130
-
return false;
128
+
return -EINVAL;
131
129
}
132
-
return true;
130
+
return 0;
133
131
}
134
132
135
133
static struct xt_target hl_tg_reg[] __read_mostly = {
+71
-20
net/netfilter/xt_LED.c
+71
-20
net/netfilter/xt_LED.c
···
18
18
* 02110-1301 USA.
19
19
*
20
20
*/
21
-
21
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
22
22
#include <linux/module.h>
23
23
#include <linux/skbuff.h>
24
24
#include <linux/netfilter/x_tables.h>
···
32
32
MODULE_AUTHOR("Adam Nielsen <a.nielsen@shikadi.net>");
33
33
MODULE_DESCRIPTION("Xtables: trigger LED devices on packet match");
34
34
35
+
static LIST_HEAD(xt_led_triggers);
36
+
static DEFINE_MUTEX(xt_led_mutex);
37
+
35
38
/*
36
39
* This is declared in here (the kernel module) only, to avoid having these
37
40
* dependencies in userspace code. This is what xt_led_info.internal_data
38
41
* points to.
39
42
*/
40
43
struct xt_led_info_internal {
44
+
struct list_head list;
45
+
int refcnt;
46
+
char *trigger_id;
41
47
struct led_trigger netfilter_led_trigger;
42
48
struct timer_list timer;
43
49
};
···
60
54
*/
61
55
if ((ledinfo->delay > 0) && ledinfo->always_blink &&
62
56
timer_pending(&ledinternal->timer))
63
-
led_trigger_event(&ledinternal->netfilter_led_trigger,LED_OFF);
57
+
led_trigger_event(&ledinternal->netfilter_led_trigger, LED_OFF);
64
58
65
59
led_trigger_event(&ledinternal->netfilter_led_trigger, LED_FULL);
66
60
···
81
75
82
76
static void led_timeout_callback(unsigned long data)
83
77
{
84
-
struct xt_led_info *ledinfo = (struct xt_led_info *)data;
85
-
struct xt_led_info_internal *ledinternal = ledinfo->internal_data;
78
+
struct xt_led_info_internal *ledinternal = (struct xt_led_info_internal *)data;
86
79
87
80
led_trigger_event(&ledinternal->netfilter_led_trigger, LED_OFF);
88
81
}
89
82
90
-
static bool led_tg_check(const struct xt_tgchk_param *par)
83
+
static struct xt_led_info_internal *led_trigger_lookup(const char *name)
84
+
{
85
+
struct xt_led_info_internal *ledinternal;
86
+
87
+
list_for_each_entry(ledinternal, &xt_led_triggers, list) {
88
+
if (!strcmp(name, ledinternal->netfilter_led_trigger.name)) {
89
+
return ledinternal;
90
+
}
91
+
}
92
+
return NULL;
93
+
}
94
+
95
+
static int led_tg_check(const struct xt_tgchk_param *par)
91
96
{
92
97
struct xt_led_info *ledinfo = par->targinfo;
93
98
struct xt_led_info_internal *ledinternal;
94
99
int err;
95
100
96
101
if (ledinfo->id[0] == '\0') {
97
-
printk(KERN_ERR KBUILD_MODNAME ": No 'id' parameter given.\n");
98
-
return false;
102
+
pr_info("No 'id' parameter given.\n");
103
+
return -EINVAL;
99
104
}
100
105
106
+
mutex_lock(&xt_led_mutex);
107
+
108
+
ledinternal = led_trigger_lookup(ledinfo->id);
109
+
if (ledinternal) {
110
+
ledinternal->refcnt++;
111
+
goto out;
112
+
}
113
+
114
+
err = -ENOMEM;
101
115
ledinternal = kzalloc(sizeof(struct xt_led_info_internal), GFP_KERNEL);
102
-
if (!ledinternal) {
103
-
printk(KERN_CRIT KBUILD_MODNAME ": out of memory\n");
104
-
return false;
105
-
}
116
+
if (!ledinternal)
117
+
goto exit_mutex_only;
106
118
107
-
ledinternal->netfilter_led_trigger.name = ledinfo->id;
119
+
ledinternal->trigger_id = kstrdup(ledinfo->id, GFP_KERNEL);
120
+
if (!ledinternal->trigger_id)
121
+
goto exit_internal_alloc;
122
+
123
+
ledinternal->refcnt = 1;
124
+
ledinternal->netfilter_led_trigger.name = ledinternal->trigger_id;
108
125
109
126
err = led_trigger_register(&ledinternal->netfilter_led_trigger);
110
127
if (err) {
111
-
printk(KERN_CRIT KBUILD_MODNAME
112
-
": led_trigger_register() failed\n");
128
+
pr_warning("led_trigger_register() failed\n");
113
129
if (err == -EEXIST)
114
-
printk(KERN_ERR KBUILD_MODNAME
115
-
": Trigger name is already in use.\n");
130
+
pr_warning("Trigger name is already in use.\n");
116
131
goto exit_alloc;
117
132
}
118
133
119
134
/* See if we need to set up a timer */
120
135
if (ledinfo->delay > 0)
121
136
setup_timer(&ledinternal->timer, led_timeout_callback,
122
-
(unsigned long)ledinfo);
137
+
(unsigned long)ledinternal);
138
+
139
+
list_add_tail(&ledinternal->list, &xt_led_triggers);
140
+
141
+
out:
142
+
mutex_unlock(&xt_led_mutex);
123
143
124
144
ledinfo->internal_data = ledinternal;
125
145
126
-
return true;
146
+
return 0;
127
147
128
148
exit_alloc:
149
+
kfree(ledinternal->trigger_id);
150
+
151
+
exit_internal_alloc:
129
152
kfree(ledinternal);
130
153
131
-
return false;
154
+
exit_mutex_only:
155
+
mutex_unlock(&xt_led_mutex);
156
+
157
+
return err;
132
158
}
133
159
134
160
static void led_tg_destroy(const struct xt_tgdtor_param *par)
···
168
130
const struct xt_led_info *ledinfo = par->targinfo;
169
131
struct xt_led_info_internal *ledinternal = ledinfo->internal_data;
170
132
133
+
mutex_lock(&xt_led_mutex);
134
+
135
+
if (--ledinternal->refcnt) {
136
+
mutex_unlock(&xt_led_mutex);
137
+
return;
138
+
}
139
+
140
+
list_del(&ledinternal->list);
141
+
171
142
if (ledinfo->delay > 0)
172
143
del_timer_sync(&ledinternal->timer);
173
144
174
145
led_trigger_unregister(&ledinternal->netfilter_led_trigger);
146
+
147
+
mutex_unlock(&xt_led_mutex);
148
+
149
+
kfree(ledinternal->trigger_id);
175
150
kfree(ledinternal);
176
151
}
177
152
···
193
142
.revision = 0,
194
143
.family = NFPROTO_UNSPEC,
195
144
.target = led_tg,
196
-
.targetsize = XT_ALIGN(sizeof(struct xt_led_info)),
145
+
.targetsize = sizeof(struct xt_led_info),
197
146
.checkentry = led_tg_check,
198
147
.destroy = led_tg_destroy,
199
148
.me = THIS_MODULE,
-56
net/netfilter/xt_MARK.c
-56
net/netfilter/xt_MARK.c
···
1
-
/*
2
-
* xt_MARK - Netfilter module to modify the NFMARK field of an skb
3
-
*
4
-
* (C) 1999-2001 Marc Boucher <marc@mbsi.ca>
5
-
* Copyright © CC Computer Consultants GmbH, 2007 - 2008
6
-
* Jan Engelhardt <jengelh@computergmbh.de>
7
-
*
8
-
* This program is free software; you can redistribute it and/or modify
9
-
* it under the terms of the GNU General Public License version 2 as
10
-
* published by the Free Software Foundation.
11
-
*/
12
-
13
-
#include <linux/module.h>
14
-
#include <linux/skbuff.h>
15
-
#include <linux/ip.h>
16
-
#include <net/checksum.h>
17
-
18
-
#include <linux/netfilter/x_tables.h>
19
-
#include <linux/netfilter/xt_MARK.h>
20
-
21
-
MODULE_LICENSE("GPL");
22
-
MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
23
-
MODULE_DESCRIPTION("Xtables: packet mark modification");
24
-
MODULE_ALIAS("ipt_MARK");
25
-
MODULE_ALIAS("ip6t_MARK");
26
-
27
-
static unsigned int
28
-
mark_tg(struct sk_buff *skb, const struct xt_target_param *par)
29
-
{
30
-
const struct xt_mark_tginfo2 *info = par->targinfo;
31
-
32
-
skb->mark = (skb->mark & ~info->mask) ^ info->mark;
33
-
return XT_CONTINUE;
34
-
}
35
-
36
-
static struct xt_target mark_tg_reg __read_mostly = {
37
-
.name = "MARK",
38
-
.revision = 2,
39
-
.family = NFPROTO_UNSPEC,
40
-
.target = mark_tg,
41
-
.targetsize = sizeof(struct xt_mark_tginfo2),
42
-
.me = THIS_MODULE,
43
-
};
44
-
45
-
static int __init mark_tg_init(void)
46
-
{
47
-
return xt_register_target(&mark_tg_reg);
48
-
}
49
-
50
-
static void __exit mark_tg_exit(void)
51
-
{
52
-
xt_unregister_target(&mark_tg_reg);
53
-
}
54
-
55
-
module_init(mark_tg_init);
56
-
module_exit(mark_tg_exit);
+4
-4
net/netfilter/xt_NFLOG.c
+4
-4
net/netfilter/xt_NFLOG.c
···
37
37
return XT_CONTINUE;
38
38
}
39
39
40
-
static bool nflog_tg_check(const struct xt_tgchk_param *par)
40
+
static int nflog_tg_check(const struct xt_tgchk_param *par)
41
41
{
42
42
const struct xt_nflog_info *info = par->targinfo;
43
43
44
44
if (info->flags & ~XT_NFLOG_MASK)
45
-
return false;
45
+
return -EINVAL;
46
46
if (info->prefix[sizeof(info->prefix) - 1] != '\0')
47
-
return false;
48
-
return true;
47
+
return -EINVAL;
48
+
return 0;
49
49
}
50
50
51
51
static struct xt_target nflog_tg_reg __read_mostly = {
+16
-32
net/netfilter/xt_NFQUEUE.c
+16
-32
net/netfilter/xt_NFQUEUE.c
···
49
49
return jhash_2words((__force u32)ipaddr, iph->protocol, jhash_initval);
50
50
}
51
51
52
-
static unsigned int
53
-
nfqueue_tg4_v1(struct sk_buff *skb, const struct xt_target_param *par)
54
-
{
55
-
const struct xt_NFQ_info_v1 *info = par->targinfo;
56
-
u32 queue = info->queuenum;
57
-
58
-
if (info->queues_total > 1)
59
-
queue = hash_v4(skb) % info->queues_total + queue;
60
-
return NF_QUEUE_NR(queue);
61
-
}
62
-
63
52
#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
64
53
static u32 hash_v6(const struct sk_buff *skb)
65
54
{
···
62
73
63
74
return jhash2((__force u32 *)addr, ARRAY_SIZE(addr), jhash_initval);
64
75
}
76
+
#endif
65
77
66
78
static unsigned int
67
-
nfqueue_tg6_v1(struct sk_buff *skb, const struct xt_target_param *par)
79
+
nfqueue_tg_v1(struct sk_buff *skb, const struct xt_target_param *par)
68
80
{
69
81
const struct xt_NFQ_info_v1 *info = par->targinfo;
70
82
u32 queue = info->queuenum;
71
83
72
-
if (info->queues_total > 1)
73
-
queue = hash_v6(skb) % info->queues_total + queue;
84
+
if (info->queues_total > 1) {
85
+
if (par->family == NFPROTO_IPV4)
86
+
queue = hash_v4(skb) % info->queues_total + queue;
87
+
#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
88
+
else if (par->family == NFPROTO_IPV6)
89
+
queue = hash_v6(skb) % info->queues_total + queue;
90
+
#endif
91
+
}
74
92
return NF_QUEUE_NR(queue);
75
93
}
76
-
#endif
77
94
78
-
static bool nfqueue_tg_v1_check(const struct xt_tgchk_param *par)
95
+
static int nfqueue_tg_v1_check(const struct xt_tgchk_param *par)
79
96
{
80
97
const struct xt_NFQ_info_v1 *info = par->targinfo;
81
98
u32 maxid;
···
92
97
}
93
98
if (info->queues_total == 0) {
94
99
pr_err("NFQUEUE: number of total queues is 0\n");
95
-
return false;
100
+
return -EINVAL;
96
101
}
97
102
maxid = info->queues_total - 1 + info->queuenum;
98
103
if (maxid > 0xffff) {
99
104
pr_err("NFQUEUE: number of queues (%u) out of range (got %u)\n",
100
105
info->queues_total, maxid);
101
-
return false;
106
+
return -ERANGE;
102
107
}
103
-
return true;
108
+
return 0;
104
109
}
105
110
106
111
static struct xt_target nfqueue_tg_reg[] __read_mostly = {
···
114
119
{
115
120
.name = "NFQUEUE",
116
121
.revision = 1,
117
-
.family = NFPROTO_IPV4,
122
+
.family = NFPROTO_UNSPEC,
118
123
.checkentry = nfqueue_tg_v1_check,
119
-
.target = nfqueue_tg4_v1,
124
+
.target = nfqueue_tg_v1,
120
125
.targetsize = sizeof(struct xt_NFQ_info_v1),
121
126
.me = THIS_MODULE,
122
127
},
123
-
#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
124
-
{
125
-
.name = "NFQUEUE",
126
-
.revision = 1,
127
-
.family = NFPROTO_IPV6,
128
-
.checkentry = nfqueue_tg_v1_check,
129
-
.target = nfqueue_tg6_v1,
130
-
.targetsize = sizeof(struct xt_NFQ_info_v1),
131
-
.me = THIS_MODULE,
132
-
},
133
-
#endif
134
128
};
135
129
136
130
static int __init nfqueue_tg_init(void)
+10
-8
net/netfilter/xt_RATEEST.c
+10
-8
net/netfilter/xt_RATEEST.c
···
86
86
return XT_CONTINUE;
87
87
}
88
88
89
-
static bool xt_rateest_tg_checkentry(const struct xt_tgchk_param *par)
89
+
static int xt_rateest_tg_checkentry(const struct xt_tgchk_param *par)
90
90
{
91
91
struct xt_rateest_target_info *info = par->targinfo;
92
92
struct xt_rateest *est;
···
94
94
struct nlattr opt;
95
95
struct gnet_estimator est;
96
96
} cfg;
97
+
int ret;
97
98
98
99
if (unlikely(!rnd_inited)) {
99
100
get_random_bytes(&jhash_rnd, sizeof(jhash_rnd));
···
111
110
(info->interval != est->params.interval ||
112
111
info->ewma_log != est->params.ewma_log)) {
113
112
xt_rateest_put(est);
114
-
return false;
113
+
return -EINVAL;
115
114
}
116
115
info->est = est;
117
-
return true;
116
+
return 0;
118
117
}
119
118
119
+
ret = -ENOMEM;
120
120
est = kzalloc(sizeof(*est), GFP_KERNEL);
121
121
if (!est)
122
122
goto err1;
···
133
131
cfg.est.interval = info->interval;
134
132
cfg.est.ewma_log = info->ewma_log;
135
133
136
-
if (gen_new_estimator(&est->bstats, &est->rstats, &est->lock,
137
-
&cfg.opt) < 0)
134
+
ret = gen_new_estimator(&est->bstats, &est->rstats,
135
+
&est->lock, &cfg.opt);
136
+
if (ret < 0)
138
137
goto err2;
139
138
140
139
info->est = est;
141
140
xt_rateest_hash_insert(est);
142
-
143
-
return true;
141
+
return 0;
144
142
145
143
err2:
146
144
kfree(est);
147
145
err1:
148
-
return false;
146
+
return ret;
149
147
}
150
148
151
149
static void xt_rateest_tg_destroy(const struct xt_tgdtor_param *par)
+24
-22
net/netfilter/xt_SECMARK.c
+24
-22
net/netfilter/xt_SECMARK.c
···
12
12
* published by the Free Software Foundation.
13
13
*
14
14
*/
15
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
15
16
#include <linux/module.h>
16
17
#include <linux/skbuff.h>
17
18
#include <linux/selinux.h>
···
50
49
return XT_CONTINUE;
51
50
}
52
51
53
-
static bool checkentry_selinux(struct xt_secmark_target_info *info)
52
+
static int checkentry_selinux(struct xt_secmark_target_info *info)
54
53
{
55
54
int err;
56
55
struct xt_secmark_target_selinux_info *sel = &info->u.sel;
···
60
59
err = selinux_string_to_sid(sel->selctx, &sel->selsid);
61
60
if (err) {
62
61
if (err == -EINVAL)
63
-
printk(KERN_INFO PFX "invalid SELinux context \'%s\'\n",
64
-
sel->selctx);
65
-
return false;
62
+
pr_info("invalid SELinux context \'%s\'\n",
63
+
sel->selctx);
64
+
return err;
66
65
}
67
66
68
67
if (!sel->selsid) {
69
-
printk(KERN_INFO PFX "unable to map SELinux context \'%s\'\n",
70
-
sel->selctx);
71
-
return false;
68
+
pr_info("unable to map SELinux context \'%s\'\n", sel->selctx);
69
+
return -ENOENT;
72
70
}
73
71
74
72
err = selinux_secmark_relabel_packet_permission(sel->selsid);
75
73
if (err) {
76
-
printk(KERN_INFO PFX "unable to obtain relabeling permission\n");
77
-
return false;
74
+
pr_info("unable to obtain relabeling permission\n");
75
+
return err;
78
76
}
79
77
80
78
selinux_secmark_refcount_inc();
81
-
return true;
79
+
return 0;
82
80
}
83
81
84
-
static bool secmark_tg_check(const struct xt_tgchk_param *par)
82
+
static int secmark_tg_check(const struct xt_tgchk_param *par)
85
83
{
86
84
struct xt_secmark_target_info *info = par->targinfo;
85
+
int err;
87
86
88
87
if (strcmp(par->table, "mangle") != 0 &&
89
88
strcmp(par->table, "security") != 0) {
90
-
printk(KERN_INFO PFX "target only valid in the \'mangle\' "
91
-
"or \'security\' tables, not \'%s\'.\n", par->table);
92
-
return false;
89
+
pr_info("target only valid in the \'mangle\' "
90
+
"or \'security\' tables, not \'%s\'.\n", par->table);
91
+
return -EINVAL;
93
92
}
94
93
95
94
if (mode && mode != info->mode) {
96
-
printk(KERN_INFO PFX "mode already set to %hu cannot mix with "
97
-
"rules for mode %hu\n", mode, info->mode);
98
-
return false;
95
+
pr_info("mode already set to %hu cannot mix with "
96
+
"rules for mode %hu\n", mode, info->mode);
97
+
return -EINVAL;
99
98
}
100
99
101
100
switch (info->mode) {
102
101
case SECMARK_MODE_SEL:
103
-
if (!checkentry_selinux(info))
104
-
return false;
102
+
err = checkentry_selinux(info);
103
+
if (err <= 0)
104
+
return err;
105
105
break;
106
106
107
107
default:
108
-
printk(KERN_INFO PFX "invalid mode: %hu\n", info->mode);
109
-
return false;
108
+
pr_info("invalid mode: %hu\n", info->mode);
109
+
return -EINVAL;
110
110
}
111
111
112
112
if (!mode)
113
113
mode = info->mode;
114
-
return true;
114
+
return 0;
115
115
}
116
116
117
117
static void secmark_tg_destroy(const struct xt_tgdtor_param *par)
+18
-19
net/netfilter/xt_TCPMSS.c
+18
-19
net/netfilter/xt_TCPMSS.c
···
7
7
* it under the terms of the GNU General Public License version 2 as
8
8
* published by the Free Software Foundation.
9
9
*/
10
-
10
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
11
11
#include <linux/module.h>
12
12
#include <linux/skbuff.h>
13
13
#include <linux/ip.h>
···
68
68
if (info->mss == XT_TCPMSS_CLAMP_PMTU) {
69
69
if (dst_mtu(skb_dst(skb)) <= minlen) {
70
70
if (net_ratelimit())
71
-
printk(KERN_ERR "xt_TCPMSS: "
72
-
"unknown or invalid path-MTU (%u)\n",
71
+
pr_err("unknown or invalid path-MTU (%u)\n",
73
72
dst_mtu(skb_dst(skb)));
74
73
return -1;
75
74
}
76
75
if (in_mtu <= minlen) {
77
76
if (net_ratelimit())
78
-
printk(KERN_ERR "xt_TCPMSS: unknown or "
79
-
"invalid path-MTU (%u)\n", in_mtu);
77
+
pr_err("unknown or invalid path-MTU (%u)\n",
78
+
in_mtu);
80
79
return -1;
81
80
}
82
81
newmss = min(dst_mtu(skb_dst(skb)), in_mtu) - minlen;
···
235
236
return false;
236
237
}
237
238
238
-
static bool tcpmss_tg4_check(const struct xt_tgchk_param *par)
239
+
static int tcpmss_tg4_check(const struct xt_tgchk_param *par)
239
240
{
240
241
const struct xt_tcpmss_info *info = par->targinfo;
241
242
const struct ipt_entry *e = par->entryinfo;
···
245
246
(par->hook_mask & ~((1 << NF_INET_FORWARD) |
246
247
(1 << NF_INET_LOCAL_OUT) |
247
248
(1 << NF_INET_POST_ROUTING))) != 0) {
248
-
printk("xt_TCPMSS: path-MTU clamping only supported in "
249
-
"FORWARD, OUTPUT and POSTROUTING hooks\n");
250
-
return false;
249
+
pr_info("path-MTU clamping only supported in "
250
+
"FORWARD, OUTPUT and POSTROUTING hooks\n");
251
+
return -EINVAL;
251
252
}
252
253
xt_ematch_foreach(ematch, e)
253
254
if (find_syn_match(ematch))
254
-
return true;
255
-
printk("xt_TCPMSS: Only works on TCP SYN packets\n");
256
-
return false;
255
+
return 0;
256
+
pr_info("Only works on TCP SYN packets\n");
257
+
return -EINVAL;
257
258
}
258
259
259
260
#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
260
-
static bool tcpmss_tg6_check(const struct xt_tgchk_param *par)
261
+
static int tcpmss_tg6_check(const struct xt_tgchk_param *par)
261
262
{
262
263
const struct xt_tcpmss_info *info = par->targinfo;
263
264
const struct ip6t_entry *e = par->entryinfo;
···
267
268
(par->hook_mask & ~((1 << NF_INET_FORWARD) |
268
269
(1 << NF_INET_LOCAL_OUT) |
269
270
(1 << NF_INET_POST_ROUTING))) != 0) {
270
-
printk("xt_TCPMSS: path-MTU clamping only supported in "
271
-
"FORWARD, OUTPUT and POSTROUTING hooks\n");
272
-
return false;
271
+
pr_info("path-MTU clamping only supported in "
272
+
"FORWARD, OUTPUT and POSTROUTING hooks\n");
273
+
return -EINVAL;
273
274
}
274
275
xt_ematch_foreach(ematch, e)
275
276
if (find_syn_match(ematch))
276
-
return true;
277
-
printk("xt_TCPMSS: Only works on TCP SYN packets\n");
278
-
return false;
277
+
return 0;
278
+
pr_info("Only works on TCP SYN packets\n");
279
+
return -EINVAL;
279
280
}
280
281
#endif
281
282
+1
-2
net/netfilter/xt_TCPOPTSTRIP.c
+1
-2
net/netfilter/xt_TCPOPTSTRIP.c
···
3
3
*
4
4
* Copyright (C) 2007 Sven Schnelle <svens@bitebene.org>
5
5
* Copyright © CC Computer Consultants GmbH, 2007
6
-
* Contact: Jan Engelhardt <jengelh@computergmbh.de>
7
6
*
8
7
* This program is free software; you can redistribute it and/or modify
9
8
* it under the terms of the GNU General Public License version 2 as
···
135
136
136
137
module_init(tcpoptstrip_tg_init);
137
138
module_exit(tcpoptstrip_tg_exit);
138
-
MODULE_AUTHOR("Sven Schnelle <svens@bitebene.org>, Jan Engelhardt <jengelh@computergmbh.de>");
139
+
MODULE_AUTHOR("Sven Schnelle <svens@bitebene.org>, Jan Engelhardt <jengelh@medozas.de>");
139
140
MODULE_DESCRIPTION("Xtables: TCP option stripping");
140
141
MODULE_LICENSE("GPL");
141
142
MODULE_ALIAS("ipt_TCPOPTSTRIP");
+309
net/netfilter/xt_TEE.c
+309
net/netfilter/xt_TEE.c
···
1
+
/*
2
+
* "TEE" target extension for Xtables
3
+
* Copyright © Sebastian Claßen, 2007
4
+
* Jan Engelhardt, 2007-2010
5
+
*
6
+
* based on ipt_ROUTE.c from Cédric de Launois
7
+
* <delaunois@info.ucl.be>
8
+
*
9
+
* This program is free software; you can redistribute it and/or
10
+
* modify it under the terms of the GNU General Public License
11
+
* version 2 or later, as published by the Free Software Foundation.
12
+
*/
13
+
#include <linux/ip.h>
14
+
#include <linux/module.h>
15
+
#include <linux/percpu.h>
16
+
#include <linux/route.h>
17
+
#include <linux/skbuff.h>
18
+
#include <linux/notifier.h>
19
+
#include <net/checksum.h>
20
+
#include <net/icmp.h>
21
+
#include <net/ip.h>
22
+
#include <net/ipv6.h>
23
+
#include <net/ip6_route.h>
24
+
#include <net/route.h>
25
+
#include <linux/netfilter/x_tables.h>
26
+
#include <linux/netfilter/xt_TEE.h>
27
+
28
+
#if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE)
29
+
# define WITH_CONNTRACK 1
30
+
# include <net/netfilter/nf_conntrack.h>
31
+
#endif
32
+
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
33
+
# define WITH_IPV6 1
34
+
#endif
35
+
36
+
struct xt_tee_priv {
37
+
struct notifier_block notifier;
38
+
struct xt_tee_tginfo *tginfo;
39
+
int oif;
40
+
};
41
+
42
+
static const union nf_inet_addr tee_zero_address;
43
+
static DEFINE_PER_CPU(bool, tee_active);
44
+
45
+
static struct net *pick_net(struct sk_buff *skb)
46
+
{
47
+
#ifdef CONFIG_NET_NS
48
+
const struct dst_entry *dst;
49
+
50
+
if (skb->dev != NULL)
51
+
return dev_net(skb->dev);
52
+
dst = skb_dst(skb);
53
+
if (dst != NULL && dst->dev != NULL)
54
+
return dev_net(dst->dev);
55
+
#endif
56
+
return &init_net;
57
+
}
58
+
59
+
static bool
60
+
tee_tg_route4(struct sk_buff *skb, const struct xt_tee_tginfo *info)
61
+
{
62
+
const struct iphdr *iph = ip_hdr(skb);
63
+
struct net *net = pick_net(skb);
64
+
struct rtable *rt;
65
+
struct flowi fl;
66
+
67
+
memset(&fl, 0, sizeof(fl));
68
+
if (info->priv) {
69
+
if (info->priv->oif == -1)
70
+
return false;
71
+
fl.oif = info->priv->oif;
72
+
}
73
+
fl.nl_u.ip4_u.daddr = info->gw.ip;
74
+
fl.nl_u.ip4_u.tos = RT_TOS(iph->tos);
75
+
fl.nl_u.ip4_u.scope = RT_SCOPE_UNIVERSE;
76
+
if (ip_route_output_key(net, &rt, &fl) != 0)
77
+
return false;
78
+
79
+
dst_release(skb_dst(skb));
80
+
skb_dst_set(skb, &rt->u.dst);
81
+
skb->dev = rt->u.dst.dev;
82
+
skb->protocol = htons(ETH_P_IP);
83
+
return true;
84
+
}
85
+
86
+
static unsigned int
87
+
tee_tg4(struct sk_buff *skb, const struct xt_target_param *par)
88
+
{
89
+
const struct xt_tee_tginfo *info = par->targinfo;
90
+
struct iphdr *iph;
91
+
92
+
if (percpu_read(tee_active))
93
+
return XT_CONTINUE;
94
+
/*
95
+
* Copy the skb, and route the copy. Will later return %XT_CONTINUE for
96
+
* the original skb, which should continue on its way as if nothing has
97
+
* happened. The copy should be independently delivered to the TEE
98
+
* --gateway.
99
+
*/
100
+
skb = pskb_copy(skb, GFP_ATOMIC);
101
+
if (skb == NULL)
102
+
return XT_CONTINUE;
103
+
104
+
#ifdef WITH_CONNTRACK
105
+
/* Avoid counting cloned packets towards the original connection. */
106
+
nf_conntrack_put(skb->nfct);
107
+
skb->nfct = &nf_conntrack_untracked.ct_general;
108
+
skb->nfctinfo = IP_CT_NEW;
109
+
nf_conntrack_get(skb->nfct);
110
+
#endif
111
+
/*
112
+
* If we are in PREROUTING/INPUT, the checksum must be recalculated
113
+
* since the length could have changed as a result of defragmentation.
114
+
*
115
+
* We also decrease the TTL to mitigate potential TEE loops
116
+
* between two hosts.
117
+
*
118
+
* Set %IP_DF so that the original source is notified of a potentially
119
+
* decreased MTU on the clone route. IPv6 does this too.
120
+
*/
121
+
iph = ip_hdr(skb);
122
+
iph->frag_off |= htons(IP_DF);
123
+
if (par->hooknum == NF_INET_PRE_ROUTING ||
124
+
par->hooknum == NF_INET_LOCAL_IN)
125
+
--iph->ttl;
126
+
ip_send_check(iph);
127
+
128
+
if (tee_tg_route4(skb, info)) {
129
+
percpu_write(tee_active, true);
130
+
ip_local_out(skb);
131
+
percpu_write(tee_active, false);
132
+
} else {
133
+
kfree_skb(skb);
134
+
}
135
+
return XT_CONTINUE;
136
+
}
137
+
138
+
#ifdef WITH_IPV6
139
+
static bool
140
+
tee_tg_route6(struct sk_buff *skb, const struct xt_tee_tginfo *info)
141
+
{
142
+
const struct ipv6hdr *iph = ipv6_hdr(skb);
143
+
struct net *net = pick_net(skb);
144
+
struct dst_entry *dst;
145
+
struct flowi fl;
146
+
147
+
memset(&fl, 0, sizeof(fl));
148
+
if (info->priv) {
149
+
if (info->priv->oif == -1)
150
+
return false;
151
+
fl.oif = info->priv->oif;
152
+
}
153
+
fl.nl_u.ip6_u.daddr = info->gw.in6;
154
+
fl.nl_u.ip6_u.flowlabel = ((iph->flow_lbl[0] & 0xF) << 16) |
155
+
(iph->flow_lbl[1] << 8) | iph->flow_lbl[2];
156
+
dst = ip6_route_output(net, NULL, &fl);
157
+
if (dst == NULL)
158
+
return false;
159
+
160
+
dst_release(skb_dst(skb));
161
+
skb_dst_set(skb, dst);
162
+
skb->dev = dst->dev;
163
+
skb->protocol = htons(ETH_P_IPV6);
164
+
return true;
165
+
}
166
+
167
+
static unsigned int
168
+
tee_tg6(struct sk_buff *skb, const struct xt_target_param *par)
169
+
{
170
+
const struct xt_tee_tginfo *info = par->targinfo;
171
+
172
+
if (percpu_read(tee_active))
173
+
return XT_CONTINUE;
174
+
skb = pskb_copy(skb, GFP_ATOMIC);
175
+
if (skb == NULL)
176
+
return XT_CONTINUE;
177
+
178
+
#ifdef WITH_CONNTRACK
179
+
nf_conntrack_put(skb->nfct);
180
+
skb->nfct = &nf_conntrack_untracked.ct_general;
181
+
skb->nfctinfo = IP_CT_NEW;
182
+
nf_conntrack_get(skb->nfct);
183
+
#endif
184
+
if (par->hooknum == NF_INET_PRE_ROUTING ||
185
+
par->hooknum == NF_INET_LOCAL_IN) {
186
+
struct ipv6hdr *iph = ipv6_hdr(skb);
187
+
--iph->hop_limit;
188
+
}
189
+
if (tee_tg_route6(skb, info)) {
190
+
percpu_write(tee_active, true);
191
+
ip6_local_out(skb);
192
+
percpu_write(tee_active, false);
193
+
} else {
194
+
kfree_skb(skb);
195
+
}
196
+
return XT_CONTINUE;
197
+
}
198
+
#endif /* WITH_IPV6 */
199
+
200
+
static int tee_netdev_event(struct notifier_block *this, unsigned long event,
201
+
void *ptr)
202
+
{
203
+
struct net_device *dev = ptr;
204
+
struct xt_tee_priv *priv;
205
+
206
+
priv = container_of(this, struct xt_tee_priv, notifier);
207
+
switch (event) {
208
+
case NETDEV_REGISTER:
209
+
if (!strcmp(dev->name, priv->tginfo->oif))
210
+
priv->oif = dev->ifindex;
211
+
break;
212
+
case NETDEV_UNREGISTER:
213
+
if (dev->ifindex == priv->oif)
214
+
priv->oif = -1;
215
+
break;
216
+
case NETDEV_CHANGENAME:
217
+
if (!strcmp(dev->name, priv->tginfo->oif))
218
+
priv->oif = dev->ifindex;
219
+
else if (dev->ifindex == priv->oif)
220
+
priv->oif = -1;
221
+
break;
222
+
}
223
+
224
+
return NOTIFY_DONE;
225
+
}
226
+
227
+
static int tee_tg_check(const struct xt_tgchk_param *par)
228
+
{
229
+
struct xt_tee_tginfo *info = par->targinfo;
230
+
struct xt_tee_priv *priv;
231
+
232
+
/* 0.0.0.0 and :: not allowed */
233
+
if (memcmp(&info->gw, &tee_zero_address,
234
+
sizeof(tee_zero_address)) == 0)
235
+
return -EINVAL;
236
+
237
+
if (info->oif[0]) {
238
+
if (info->oif[sizeof(info->oif)-1] != '\0')
239
+
return -EINVAL;
240
+
241
+
priv = kzalloc(sizeof(*priv), GFP_KERNEL);
242
+
if (priv == NULL)
243
+
return -ENOMEM;
244
+
245
+
priv->tginfo = info;
246
+
priv->oif = -1;
247
+
priv->notifier.notifier_call = tee_netdev_event;
248
+
info->priv = priv;
249
+
250
+
register_netdevice_notifier(&priv->notifier);
251
+
} else
252
+
info->priv = NULL;
253
+
254
+
return 0;
255
+
}
256
+
257
+
static void tee_tg_destroy(const struct xt_tgdtor_param *par)
258
+
{
259
+
struct xt_tee_tginfo *info = par->targinfo;
260
+
261
+
if (info->priv) {
262
+
unregister_netdevice_notifier(&info->priv->notifier);
263
+
kfree(info->priv);
264
+
}
265
+
}
266
+
267
+
static struct xt_target tee_tg_reg[] __read_mostly = {
268
+
{
269
+
.name = "TEE",
270
+
.revision = 1,
271
+
.family = NFPROTO_IPV4,
272
+
.target = tee_tg4,
273
+
.targetsize = sizeof(struct xt_tee_tginfo),
274
+
.checkentry = tee_tg_check,
275
+
.destroy = tee_tg_destroy,
276
+
.me = THIS_MODULE,
277
+
},
278
+
#ifdef WITH_IPV6
279
+
{
280
+
.name = "TEE",
281
+
.revision = 1,
282
+
.family = NFPROTO_IPV6,
283
+
.target = tee_tg6,
284
+
.targetsize = sizeof(struct xt_tee_tginfo),
285
+
.checkentry = tee_tg_check,
286
+
.destroy = tee_tg_destroy,
287
+
.me = THIS_MODULE,
288
+
},
289
+
#endif
290
+
};
291
+
292
+
static int __init tee_tg_init(void)
293
+
{
294
+
return xt_register_targets(tee_tg_reg, ARRAY_SIZE(tee_tg_reg));
295
+
}
296
+
297
+
static void __exit tee_tg_exit(void)
298
+
{
299
+
xt_unregister_targets(tee_tg_reg, ARRAY_SIZE(tee_tg_reg));
300
+
}
301
+
302
+
module_init(tee_tg_init);
303
+
module_exit(tee_tg_exit);
304
+
MODULE_AUTHOR("Sebastian Claßen <sebastian.classen@freenet.ag>");
305
+
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
306
+
MODULE_DESCRIPTION("Xtables: Reroute packet copy");
307
+
MODULE_LICENSE("GPL");
308
+
MODULE_ALIAS("ipt_TEE");
309
+
MODULE_ALIAS("ip6t_TEE");
+5
-5
net/netfilter/xt_TPROXY.c
+5
-5
net/netfilter/xt_TPROXY.c
···
9
9
* published by the Free Software Foundation.
10
10
*
11
11
*/
12
-
12
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
13
13
#include <linux/module.h>
14
14
#include <linux/skbuff.h>
15
15
#include <linux/ip.h>
···
59
59
return NF_DROP;
60
60
}
61
61
62
-
static bool tproxy_tg_check(const struct xt_tgchk_param *par)
62
+
static int tproxy_tg_check(const struct xt_tgchk_param *par)
63
63
{
64
64
const struct ipt_ip *i = par->entryinfo;
65
65
66
66
if ((i->proto == IPPROTO_TCP || i->proto == IPPROTO_UDP)
67
67
&& !(i->invflags & IPT_INV_PROTO))
68
-
return true;
68
+
return 0;
69
69
70
-
pr_info("xt_TPROXY: Can be used only in combination with "
70
+
pr_info("Can be used only in combination with "
71
71
"either -p tcp or -p udp\n");
72
-
return false;
72
+
return -EINVAL;
73
73
}
74
74
75
75
static struct xt_target tproxy_tg_reg __read_mostly = {
+10
-9
net/netfilter/xt_cluster.c
+10
-9
net/netfilter/xt_cluster.c
···
5
5
* it under the terms of the GNU General Public License version 2 as
6
6
* published by the Free Software Foundation.
7
7
*/
8
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
8
9
#include <linux/module.h>
9
10
#include <linux/skbuff.h>
10
11
#include <linux/jhash.h>
···
132
131
!!(info->flags & XT_CLUSTER_F_INV);
133
132
}
134
133
135
-
static bool xt_cluster_mt_checkentry(const struct xt_mtchk_param *par)
134
+
static int xt_cluster_mt_checkentry(const struct xt_mtchk_param *par)
136
135
{
137
136
struct xt_cluster_match_info *info = par->matchinfo;
138
137
139
138
if (info->total_nodes > XT_CLUSTER_NODES_MAX) {
140
-
printk(KERN_ERR "xt_cluster: you have exceeded the maximum "
141
-
"number of cluster nodes (%u > %u)\n",
142
-
info->total_nodes, XT_CLUSTER_NODES_MAX);
143
-
return false;
139
+
pr_info("you have exceeded the maximum "
140
+
"number of cluster nodes (%u > %u)\n",
141
+
info->total_nodes, XT_CLUSTER_NODES_MAX);
142
+
return -EINVAL;
144
143
}
145
144
if (info->node_mask >= (1ULL << info->total_nodes)) {
146
-
printk(KERN_ERR "xt_cluster: this node mask cannot be "
147
-
"higher than the total number of nodes\n");
148
-
return false;
145
+
pr_info("this node mask cannot be "
146
+
"higher than the total number of nodes\n");
147
+
return -EDOM;
149
148
}
150
-
return true;
149
+
return 0;
151
150
}
152
151
153
152
static struct xt_match xt_cluster_match __read_mostly = {
+10
-10
net/netfilter/xt_connbytes.c
+10
-10
net/netfilter/xt_connbytes.c
···
1
1
/* Kernel module to match connection tracking byte counter.
2
2
* GPL (C) 2002 Martin Devera (devik@cdi.cz).
3
3
*/
4
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
4
5
#include <linux/module.h>
5
6
#include <linux/bitops.h>
6
7
#include <linux/skbuff.h>
···
93
92
return what >= sinfo->count.from;
94
93
}
95
94
96
-
static bool connbytes_mt_check(const struct xt_mtchk_param *par)
95
+
static int connbytes_mt_check(const struct xt_mtchk_param *par)
97
96
{
98
97
const struct xt_connbytes_info *sinfo = par->matchinfo;
98
+
int ret;
99
99
100
100
if (sinfo->what != XT_CONNBYTES_PKTS &&
101
101
sinfo->what != XT_CONNBYTES_BYTES &&
102
102
sinfo->what != XT_CONNBYTES_AVGPKT)
103
-
return false;
103
+
return -EINVAL;
104
104
105
105
if (sinfo->direction != XT_CONNBYTES_DIR_ORIGINAL &&
106
106
sinfo->direction != XT_CONNBYTES_DIR_REPLY &&
107
107
sinfo->direction != XT_CONNBYTES_DIR_BOTH)
108
-
return false;
108
+
return -EINVAL;
109
109
110
-
if (nf_ct_l3proto_try_module_get(par->family) < 0) {
111
-
printk(KERN_WARNING "can't load conntrack support for "
112
-
"proto=%u\n", par->family);
113
-
return false;
114
-
}
115
-
116
-
return true;
110
+
ret = nf_ct_l3proto_try_module_get(par->family);
111
+
if (ret < 0)
112
+
pr_info("cannot load conntrack support for proto=%u\n",
113
+
par->family);
114
+
return ret;
117
115
}
118
116
119
117
static void connbytes_mt_destroy(const struct xt_mtdtor_param *par)
+10
-8
net/netfilter/xt_connlimit.c
+10
-8
net/netfilter/xt_connlimit.c
···
5
5
* Nov 2002: Martin Bene <martin.bene@icomedias.com>:
6
6
* only ignore TIME_WAIT or gone connections
7
7
* (C) CC Computer Consultants GmbH, 2007
8
-
* Contact: <jengelh@computergmbh.de>
9
8
*
10
9
* based on ...
11
10
*
12
11
* Kernel module to match connection tracking information.
13
12
* GPL (C) 1999 Rusty Russell (rusty@rustcorp.com.au).
14
13
*/
14
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
15
15
#include <linux/in.h>
16
16
#include <linux/in6.h>
17
17
#include <linux/ip.h>
···
217
217
return false;
218
218
}
219
219
220
-
static bool connlimit_mt_check(const struct xt_mtchk_param *par)
220
+
static int connlimit_mt_check(const struct xt_mtchk_param *par)
221
221
{
222
222
struct xt_connlimit_info *info = par->matchinfo;
223
223
unsigned int i;
224
+
int ret;
224
225
225
226
if (unlikely(!connlimit_rnd_inited)) {
226
227
get_random_bytes(&connlimit_rnd, sizeof(connlimit_rnd));
227
228
connlimit_rnd_inited = true;
228
229
}
229
-
if (nf_ct_l3proto_try_module_get(par->family) < 0) {
230
-
printk(KERN_WARNING "cannot load conntrack support for "
231
-
"address family %u\n", par->family);
232
-
return false;
230
+
ret = nf_ct_l3proto_try_module_get(par->family);
231
+
if (ret < 0) {
232
+
pr_info("cannot load conntrack support for "
233
+
"address family %u\n", par->family);
234
+
return ret;
233
235
}
234
236
235
237
/* init private data */
236
238
info->data = kmalloc(sizeof(struct xt_connlimit_data), GFP_KERNEL);
237
239
if (info->data == NULL) {
238
240
nf_ct_l3proto_module_put(par->family);
239
-
return false;
241
+
return -ENOMEM;
240
242
}
241
243
242
244
spin_lock_init(&info->data->lock);
243
245
for (i = 0; i < ARRAY_SIZE(info->data->iphash); ++i)
244
246
INIT_LIST_HEAD(&info->data->iphash[i]);
245
247
246
-
return true;
248
+
return 0;
247
249
}
248
250
249
251
static void connlimit_mt_destroy(const struct xt_mtdtor_param *par)
+91
-11
net/netfilter/xt_connmark.c
+91
-11
net/netfilter/xt_connmark.c
···
1
1
/*
2
-
* xt_connmark - Netfilter module to match connection mark values
2
+
* xt_connmark - Netfilter module to operate on connection marks
3
3
*
4
4
* Copyright (C) 2002,2004 MARA Systems AB <http://www.marasystems.com>
5
5
* by Henrik Nordstrom <hno@marasystems.com>
6
6
* Copyright © CC Computer Consultants GmbH, 2007 - 2008
7
-
* Jan Engelhardt <jengelh@computergmbh.de>
7
+
* Jan Engelhardt <jengelh@medozas.de>
8
8
*
9
9
* This program is free software; you can redistribute it and/or modify
10
10
* it under the terms of the GNU General Public License as published by
···
24
24
#include <linux/module.h>
25
25
#include <linux/skbuff.h>
26
26
#include <net/netfilter/nf_conntrack.h>
27
+
#include <net/netfilter/nf_conntrack_ecache.h>
27
28
#include <linux/netfilter/x_tables.h>
28
29
#include <linux/netfilter/xt_connmark.h>
29
30
30
31
MODULE_AUTHOR("Henrik Nordstrom <hno@marasystems.com>");
31
-
MODULE_DESCRIPTION("Xtables: connection mark match");
32
+
MODULE_DESCRIPTION("Xtables: connection mark operations");
32
33
MODULE_LICENSE("GPL");
34
+
MODULE_ALIAS("ipt_CONNMARK");
35
+
MODULE_ALIAS("ip6t_CONNMARK");
33
36
MODULE_ALIAS("ipt_connmark");
34
37
MODULE_ALIAS("ip6t_connmark");
38
+
39
+
static unsigned int
40
+
connmark_tg(struct sk_buff *skb, const struct xt_target_param *par)
41
+
{
42
+
const struct xt_connmark_tginfo1 *info = par->targinfo;
43
+
enum ip_conntrack_info ctinfo;
44
+
struct nf_conn *ct;
45
+
u_int32_t newmark;
46
+
47
+
ct = nf_ct_get(skb, &ctinfo);
48
+
if (ct == NULL)
49
+
return XT_CONTINUE;
50
+
51
+
switch (info->mode) {
52
+
case XT_CONNMARK_SET:
53
+
newmark = (ct->mark & ~info->ctmask) ^ info->ctmark;
54
+
if (ct->mark != newmark) {
55
+
ct->mark = newmark;
56
+
nf_conntrack_event_cache(IPCT_MARK, ct);
57
+
}
58
+
break;
59
+
case XT_CONNMARK_SAVE:
60
+
newmark = (ct->mark & ~info->ctmask) ^
61
+
(skb->mark & info->nfmask);
62
+
if (ct->mark != newmark) {
63
+
ct->mark = newmark;
64
+
nf_conntrack_event_cache(IPCT_MARK, ct);
65
+
}
66
+
break;
67
+
case XT_CONNMARK_RESTORE:
68
+
newmark = (skb->mark & ~info->nfmask) ^
69
+
(ct->mark & info->ctmask);
70
+
skb->mark = newmark;
71
+
break;
72
+
}
73
+
74
+
return XT_CONTINUE;
75
+
}
76
+
77
+
static int connmark_tg_check(const struct xt_tgchk_param *par)
78
+
{
79
+
int ret;
80
+
81
+
ret = nf_ct_l3proto_try_module_get(par->family);
82
+
if (ret < 0)
83
+
pr_info("cannot load conntrack support for proto=%u\n",
84
+
par->family);
85
+
return ret;
86
+
}
87
+
88
+
static void connmark_tg_destroy(const struct xt_tgdtor_param *par)
89
+
{
90
+
nf_ct_l3proto_module_put(par->family);
91
+
}
35
92
36
93
static bool
37
94
connmark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
···
104
47
return ((ct->mark & info->mask) == info->mark) ^ info->invert;
105
48
}
106
49
107
-
static bool connmark_mt_check(const struct xt_mtchk_param *par)
50
+
static int connmark_mt_check(const struct xt_mtchk_param *par)
108
51
{
109
-
if (nf_ct_l3proto_try_module_get(par->family) < 0) {
110
-
printk(KERN_WARNING "cannot load conntrack support for "
111
-
"proto=%u\n", par->family);
112
-
return false;
113
-
}
114
-
return true;
52
+
int ret;
53
+
54
+
ret = nf_ct_l3proto_try_module_get(par->family);
55
+
if (ret < 0)
56
+
pr_info("cannot load conntrack support for proto=%u\n",
57
+
par->family);
58
+
return ret;
115
59
}
116
60
117
61
static void connmark_mt_destroy(const struct xt_mtdtor_param *par)
118
62
{
119
63
nf_ct_l3proto_module_put(par->family);
120
64
}
65
+
66
+
static struct xt_target connmark_tg_reg __read_mostly = {
67
+
.name = "CONNMARK",
68
+
.revision = 1,
69
+
.family = NFPROTO_UNSPEC,
70
+
.checkentry = connmark_tg_check,
71
+
.target = connmark_tg,
72
+
.targetsize = sizeof(struct xt_connmark_tginfo1),
73
+
.destroy = connmark_tg_destroy,
74
+
.me = THIS_MODULE,
75
+
};
121
76
122
77
static struct xt_match connmark_mt_reg __read_mostly = {
123
78
.name = "connmark",
···
144
75
145
76
static int __init connmark_mt_init(void)
146
77
{
147
-
return xt_register_match(&connmark_mt_reg);
78
+
int ret;
79
+
80
+
ret = xt_register_target(&connmark_tg_reg);
81
+
if (ret < 0)
82
+
return ret;
83
+
ret = xt_register_match(&connmark_mt_reg);
84
+
if (ret < 0) {
85
+
xt_unregister_target(&connmark_tg_reg);
86
+
return ret;
87
+
}
88
+
return 0;
148
89
}
149
90
150
91
static void __exit connmark_mt_exit(void)
151
92
{
152
93
xt_unregister_match(&connmark_mt_reg);
94
+
xt_unregister_target(&connmark_tg_reg);
153
95
}
154
96
155
97
module_init(connmark_mt_init);
+9
-8
net/netfilter/xt_conntrack.c
+9
-8
net/netfilter/xt_conntrack.c
···
9
9
* it under the terms of the GNU General Public License version 2 as
10
10
* published by the Free Software Foundation.
11
11
*/
12
-
12
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
13
13
#include <linux/module.h>
14
14
#include <linux/skbuff.h>
15
15
#include <net/ipv6.h>
···
206
206
return conntrack_mt(skb, par, info->state_mask, info->status_mask);
207
207
}
208
208
209
-
static bool conntrack_mt_check(const struct xt_mtchk_param *par)
209
+
static int conntrack_mt_check(const struct xt_mtchk_param *par)
210
210
{
211
-
if (nf_ct_l3proto_try_module_get(par->family) < 0) {
212
-
printk(KERN_WARNING "can't load conntrack support for "
213
-
"proto=%u\n", par->family);
214
-
return false;
215
-
}
216
-
return true;
211
+
int ret;
212
+
213
+
ret = nf_ct_l3proto_try_module_get(par->family);
214
+
if (ret < 0)
215
+
pr_info("cannot load conntrack support for proto=%u\n",
216
+
par->family);
217
+
return ret;
217
218
}
218
219
219
220
static void conntrack_mt_destroy(const struct xt_mtdtor_param *par)
+8
-4
net/netfilter/xt_dccp.c
+8
-4
net/netfilter/xt_dccp.c
···
124
124
XT_DCCP_OPTION, info->flags, info->invflags);
125
125
}
126
126
127
-
static bool dccp_mt_check(const struct xt_mtchk_param *par)
127
+
static int dccp_mt_check(const struct xt_mtchk_param *par)
128
128
{
129
129
const struct xt_dccp_info *info = par->matchinfo;
130
130
131
-
return !(info->flags & ~XT_DCCP_VALID_FLAGS)
132
-
&& !(info->invflags & ~XT_DCCP_VALID_FLAGS)
133
-
&& !(info->invflags & ~info->flags);
131
+
if (info->flags & ~XT_DCCP_VALID_FLAGS)
132
+
return -EINVAL;
133
+
if (info->invflags & ~XT_DCCP_VALID_FLAGS)
134
+
return -EINVAL;
135
+
if (info->invflags & ~info->flags)
136
+
return -EINVAL;
137
+
return 0;
134
138
}
135
139
136
140
static struct xt_match dccp_mt_reg[] __read_mostly = {
+6
-6
net/netfilter/xt_dscp.c
+6
-6
net/netfilter/xt_dscp.c
···
6
6
* it under the terms of the GNU General Public License version 2 as
7
7
* published by the Free Software Foundation.
8
8
*/
9
-
9
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
10
10
#include <linux/module.h>
11
11
#include <linux/skbuff.h>
12
12
#include <linux/ip.h>
···
42
42
return (dscp == info->dscp) ^ !!info->invert;
43
43
}
44
44
45
-
static bool dscp_mt_check(const struct xt_mtchk_param *par)
45
+
static int dscp_mt_check(const struct xt_mtchk_param *par)
46
46
{
47
47
const struct xt_dscp_info *info = par->matchinfo;
48
48
49
49
if (info->dscp > XT_DSCP_MAX) {
50
-
printk(KERN_ERR "xt_dscp: dscp %x out of range\n", info->dscp);
51
-
return false;
50
+
pr_info("dscp %x out of range\n", info->dscp);
51
+
return -EDOM;
52
52
}
53
53
54
-
return true;
54
+
return 0;
55
55
}
56
56
57
57
static bool tos_mt(const struct sk_buff *skb, const struct xt_match_param *par)
58
58
{
59
59
const struct xt_tos_match_info *info = par->matchinfo;
60
60
61
-
if (par->match->family == NFPROTO_IPV4)
61
+
if (par->family == NFPROTO_IPV4)
62
62
return ((ip_hdr(skb)->tos & info->tos_mask) ==
63
63
info->tos_value) ^ !!info->invert;
64
64
else
+9
-15
net/netfilter/xt_esp.c
+9
-15
net/netfilter/xt_esp.c
···
6
6
* it under the terms of the GNU General Public License version 2 as
7
7
* published by the Free Software Foundation.
8
8
*/
9
-
9
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
10
10
#include <linux/module.h>
11
11
#include <linux/skbuff.h>
12
12
#include <linux/in.h>
···
24
24
MODULE_ALIAS("ipt_esp");
25
25
MODULE_ALIAS("ip6t_esp");
26
26
27
-
#if 0
28
-
#define duprintf(format, args...) printk(format , ## args)
29
-
#else
30
-
#define duprintf(format, args...)
31
-
#endif
32
-
33
27
/* Returns 1 if the spi is matched by the range, 0 otherwise */
34
28
static inline bool
35
29
spi_match(u_int32_t min, u_int32_t max, u_int32_t spi, bool invert)
36
30
{
37
31
bool r;
38
-
duprintf("esp spi_match:%c 0x%x <= 0x%x <= 0x%x", invert ? '!' : ' ',
39
-
min, spi, max);
32
+
pr_debug("spi_match:%c 0x%x <= 0x%x <= 0x%x\n",
33
+
invert ? '!' : ' ', min, spi, max);
40
34
r = (spi >= min && spi <= max) ^ invert;
41
-
duprintf(" result %s\n", r ? "PASS" : "FAILED");
35
+
pr_debug(" result %s\n", r ? "PASS" : "FAILED");
42
36
return r;
43
37
}
44
38
···
51
57
/* We've been asked to examine this packet, and we
52
58
* can't. Hence, no choice but to drop.
53
59
*/
54
-
duprintf("Dropping evil ESP tinygram.\n");
60
+
pr_debug("Dropping evil ESP tinygram.\n");
55
61
*par->hotdrop = true;
56
62
return false;
57
63
}
···
60
66
!!(espinfo->invflags & XT_ESP_INV_SPI));
61
67
}
62
68
63
-
static bool esp_mt_check(const struct xt_mtchk_param *par)
69
+
static int esp_mt_check(const struct xt_mtchk_param *par)
64
70
{
65
71
const struct xt_esp *espinfo = par->matchinfo;
66
72
67
73
if (espinfo->invflags & ~XT_ESP_INV_MASK) {
68
-
duprintf("xt_esp: unknown flags %X\n", espinfo->invflags);
69
-
return false;
74
+
pr_debug("unknown flags %X\n", espinfo->invflags);
75
+
return -EINVAL;
70
76
}
71
77
72
-
return true;
78
+
return 0;
73
79
}
74
80
75
81
static struct xt_match esp_mt_reg[] __read_mostly = {
+73
-269
net/netfilter/xt_hashlimit.c
+73
-269
net/netfilter/xt_hashlimit.c
···
7
7
*
8
8
* Development of this code was funded by Astaro AG, http://www.astaro.com/
9
9
*/
10
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
10
11
#include <linux/module.h>
11
12
#include <linux/spinlock.h>
12
13
#include <linux/random.h>
···
37
36
38
37
MODULE_LICENSE("GPL");
39
38
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
40
-
MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
39
+
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
41
40
MODULE_DESCRIPTION("Xtables: per hash-bucket rate-limit match");
42
41
MODULE_ALIAS("ipt_hashlimit");
43
42
MODULE_ALIAS("ip6t_hashlimit");
···
81
80
struct dsthash_dst dst;
82
81
83
82
/* modified structure members in the end */
83
+
spinlock_t lock;
84
84
unsigned long expires; /* precalculated expiry time */
85
85
struct {
86
86
unsigned long prev; /* last modification */
87
87
u_int32_t credit;
88
88
u_int32_t credit_cap, cost;
89
89
} rateinfo;
90
+
struct rcu_head rcu;
90
91
};
91
92
92
93
struct xt_hashlimit_htable {
···
145
142
u_int32_t hash = hash_dst(ht, dst);
146
143
147
144
if (!hlist_empty(&ht->hash[hash])) {
148
-
hlist_for_each_entry(ent, pos, &ht->hash[hash], node)
149
-
if (dst_cmp(ent, dst))
145
+
hlist_for_each_entry_rcu(ent, pos, &ht->hash[hash], node)
146
+
if (dst_cmp(ent, dst)) {
147
+
spin_lock(&ent->lock);
150
148
return ent;
149
+
}
151
150
}
152
151
return NULL;
153
152
}
···
161
156
{
162
157
struct dsthash_ent *ent;
163
158
159
+
spin_lock(&ht->lock);
164
160
/* initialize hash with random val at the time we allocate
165
161
* the first hashtable entry */
166
-
if (!ht->rnd_initialized) {
162
+
if (unlikely(!ht->rnd_initialized)) {
167
163
get_random_bytes(&ht->rnd, sizeof(ht->rnd));
168
164
ht->rnd_initialized = true;
169
165
}
···
172
166
if (ht->cfg.max && ht->count >= ht->cfg.max) {
173
167
/* FIXME: do something. question is what.. */
174
168
if (net_ratelimit())
175
-
printk(KERN_WARNING
176
-
"xt_hashlimit: max count of %u reached\n",
177
-
ht->cfg.max);
178
-
return NULL;
179
-
}
180
-
181
-
ent = kmem_cache_alloc(hashlimit_cachep, GFP_ATOMIC);
169
+
pr_err("max count of %u reached\n", ht->cfg.max);
170
+
ent = NULL;
171
+
} else
172
+
ent = kmem_cache_alloc(hashlimit_cachep, GFP_ATOMIC);
182
173
if (!ent) {
183
174
if (net_ratelimit())
184
-
printk(KERN_ERR
185
-
"xt_hashlimit: can't allocate dsthash_ent\n");
186
-
return NULL;
187
-
}
188
-
memcpy(&ent->dst, dst, sizeof(ent->dst));
175
+
pr_err("cannot allocate dsthash_ent\n");
176
+
} else {
177
+
memcpy(&ent->dst, dst, sizeof(ent->dst));
178
+
spin_lock_init(&ent->lock);
189
179
190
-
hlist_add_head(&ent->node, &ht->hash[hash_dst(ht, dst)]);
191
-
ht->count++;
180
+
spin_lock(&ent->lock);
181
+
hlist_add_head_rcu(&ent->node, &ht->hash[hash_dst(ht, dst)]);
182
+
ht->count++;
183
+
}
184
+
spin_unlock(&ht->lock);
192
185
return ent;
186
+
}
187
+
188
+
static void dsthash_free_rcu(struct rcu_head *head)
189
+
{
190
+
struct dsthash_ent *ent = container_of(head, struct dsthash_ent, rcu);
191
+
192
+
kmem_cache_free(hashlimit_cachep, ent);
193
193
}
194
194
195
195
static inline void
196
196
dsthash_free(struct xt_hashlimit_htable *ht, struct dsthash_ent *ent)
197
197
{
198
-
hlist_del(&ent->node);
199
-
kmem_cache_free(hashlimit_cachep, ent);
198
+
hlist_del_rcu(&ent->node);
199
+
call_rcu_bh(&ent->rcu, dsthash_free_rcu);
200
200
ht->count--;
201
201
}
202
202
static void htable_gc(unsigned long htlong);
203
-
204
-
static int htable_create_v0(struct net *net, struct xt_hashlimit_info *minfo, u_int8_t family)
205
-
{
206
-
struct hashlimit_net *hashlimit_net = hashlimit_pernet(net);
207
-
struct xt_hashlimit_htable *hinfo;
208
-
unsigned int size;
209
-
unsigned int i;
210
-
211
-
if (minfo->cfg.size)
212
-
size = minfo->cfg.size;
213
-
else {
214
-
size = ((totalram_pages << PAGE_SHIFT) / 16384) /
215
-
sizeof(struct list_head);
216
-
if (totalram_pages > (1024 * 1024 * 1024 / PAGE_SIZE))
217
-
size = 8192;
218
-
if (size < 16)
219
-
size = 16;
220
-
}
221
-
/* FIXME: don't use vmalloc() here or anywhere else -HW */
222
-
hinfo = vmalloc(sizeof(struct xt_hashlimit_htable) +
223
-
sizeof(struct list_head) * size);
224
-
if (!hinfo) {
225
-
printk(KERN_ERR "xt_hashlimit: unable to create hashtable\n");
226
-
return -1;
227
-
}
228
-
minfo->hinfo = hinfo;
229
-
230
-
/* copy match config into hashtable config */
231
-
hinfo->cfg.mode = minfo->cfg.mode;
232
-
hinfo->cfg.avg = minfo->cfg.avg;
233
-
hinfo->cfg.burst = minfo->cfg.burst;
234
-
hinfo->cfg.max = minfo->cfg.max;
235
-
hinfo->cfg.gc_interval = minfo->cfg.gc_interval;
236
-
hinfo->cfg.expire = minfo->cfg.expire;
237
-
238
-
if (family == NFPROTO_IPV4)
239
-
hinfo->cfg.srcmask = hinfo->cfg.dstmask = 32;
240
-
else
241
-
hinfo->cfg.srcmask = hinfo->cfg.dstmask = 128;
242
-
243
-
hinfo->cfg.size = size;
244
-
if (!hinfo->cfg.max)
245
-
hinfo->cfg.max = 8 * hinfo->cfg.size;
246
-
else if (hinfo->cfg.max < hinfo->cfg.size)
247
-
hinfo->cfg.max = hinfo->cfg.size;
248
-
249
-
for (i = 0; i < hinfo->cfg.size; i++)
250
-
INIT_HLIST_HEAD(&hinfo->hash[i]);
251
-
252
-
hinfo->use = 1;
253
-
hinfo->count = 0;
254
-
hinfo->family = family;
255
-
hinfo->rnd_initialized = false;
256
-
spin_lock_init(&hinfo->lock);
257
-
hinfo->pde = proc_create_data(minfo->name, 0,
258
-
(family == NFPROTO_IPV4) ?
259
-
hashlimit_net->ipt_hashlimit : hashlimit_net->ip6t_hashlimit,
260
-
&dl_file_ops, hinfo);
261
-
if (!hinfo->pde) {
262
-
vfree(hinfo);
263
-
return -1;
264
-
}
265
-
hinfo->net = net;
266
-
267
-
setup_timer(&hinfo->timer, htable_gc, (unsigned long )hinfo);
268
-
hinfo->timer.expires = jiffies + msecs_to_jiffies(hinfo->cfg.gc_interval);
269
-
add_timer(&hinfo->timer);
270
-
271
-
hlist_add_head(&hinfo->node, &hashlimit_net->htables);
272
-
273
-
return 0;
274
-
}
275
203
276
204
static int htable_create(struct net *net, struct xt_hashlimit_mtinfo1 *minfo,
277
205
u_int8_t family)
···
228
288
/* FIXME: don't use vmalloc() here or anywhere else -HW */
229
289
hinfo = vmalloc(sizeof(struct xt_hashlimit_htable) +
230
290
sizeof(struct list_head) * size);
231
-
if (hinfo == NULL) {
232
-
printk(KERN_ERR "xt_hashlimit: unable to create hashtable\n");
233
-
return -1;
234
-
}
291
+
if (hinfo == NULL)
292
+
return -ENOMEM;
235
293
minfo->hinfo = hinfo;
236
294
237
295
/* copy match config into hashtable config */
···
255
317
&dl_file_ops, hinfo);
256
318
if (hinfo->pde == NULL) {
257
319
vfree(hinfo);
258
-
return -1;
320
+
return -ENOMEM;
259
321
}
260
322
hinfo->net = net;
261
323
···
516
578
}
517
579
518
580
static bool
519
-
hashlimit_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
520
-
{
521
-
const struct xt_hashlimit_info *r = par->matchinfo;
522
-
struct xt_hashlimit_htable *hinfo = r->hinfo;
523
-
unsigned long now = jiffies;
524
-
struct dsthash_ent *dh;
525
-
struct dsthash_dst dst;
526
-
527
-
if (hashlimit_init_dst(hinfo, &dst, skb, par->thoff) < 0)
528
-
goto hotdrop;
529
-
530
-
spin_lock_bh(&hinfo->lock);
531
-
dh = dsthash_find(hinfo, &dst);
532
-
if (!dh) {
533
-
dh = dsthash_alloc_init(hinfo, &dst);
534
-
if (!dh) {
535
-
spin_unlock_bh(&hinfo->lock);
536
-
goto hotdrop;
537
-
}
538
-
539
-
dh->expires = jiffies + msecs_to_jiffies(hinfo->cfg.expire);
540
-
dh->rateinfo.prev = jiffies;
541
-
dh->rateinfo.credit = user2credits(hinfo->cfg.avg *
542
-
hinfo->cfg.burst);
543
-
dh->rateinfo.credit_cap = user2credits(hinfo->cfg.avg *
544
-
hinfo->cfg.burst);
545
-
dh->rateinfo.cost = user2credits(hinfo->cfg.avg);
546
-
} else {
547
-
/* update expiration timeout */
548
-
dh->expires = now + msecs_to_jiffies(hinfo->cfg.expire);
549
-
rateinfo_recalc(dh, now);
550
-
}
551
-
552
-
if (dh->rateinfo.credit >= dh->rateinfo.cost) {
553
-
/* We're underlimit. */
554
-
dh->rateinfo.credit -= dh->rateinfo.cost;
555
-
spin_unlock_bh(&hinfo->lock);
556
-
return true;
557
-
}
558
-
559
-
spin_unlock_bh(&hinfo->lock);
560
-
561
-
/* default case: we're overlimit, thus don't match */
562
-
return false;
563
-
564
-
hotdrop:
565
-
*par->hotdrop = true;
566
-
return false;
567
-
}
568
-
569
-
static bool
570
581
hashlimit_mt(const struct sk_buff *skb, const struct xt_match_param *par)
571
582
{
572
583
const struct xt_hashlimit_mtinfo1 *info = par->matchinfo;
···
527
640
if (hashlimit_init_dst(hinfo, &dst, skb, par->thoff) < 0)
528
641
goto hotdrop;
529
642
530
-
spin_lock_bh(&hinfo->lock);
643
+
rcu_read_lock_bh();
531
644
dh = dsthash_find(hinfo, &dst);
532
645
if (dh == NULL) {
533
646
dh = dsthash_alloc_init(hinfo, &dst);
534
647
if (dh == NULL) {
535
-
spin_unlock_bh(&hinfo->lock);
648
+
rcu_read_unlock_bh();
536
649
goto hotdrop;
537
650
}
538
-
539
651
dh->expires = jiffies + msecs_to_jiffies(hinfo->cfg.expire);
540
652
dh->rateinfo.prev = jiffies;
541
653
dh->rateinfo.credit = user2credits(hinfo->cfg.avg *
···
551
665
if (dh->rateinfo.credit >= dh->rateinfo.cost) {
552
666
/* below the limit */
553
667
dh->rateinfo.credit -= dh->rateinfo.cost;
554
-
spin_unlock_bh(&hinfo->lock);
668
+
spin_unlock(&dh->lock);
669
+
rcu_read_unlock_bh();
555
670
return !(info->cfg.mode & XT_HASHLIMIT_INVERT);
556
671
}
557
672
558
-
spin_unlock_bh(&hinfo->lock);
673
+
spin_unlock(&dh->lock);
674
+
rcu_read_unlock_bh();
559
675
/* default match is underlimit - so over the limit, we need to invert */
560
676
return info->cfg.mode & XT_HASHLIMIT_INVERT;
561
677
···
566
678
return false;
567
679
}
568
680
569
-
static bool hashlimit_mt_check_v0(const struct xt_mtchk_param *par)
570
-
{
571
-
struct net *net = par->net;
572
-
struct xt_hashlimit_info *r = par->matchinfo;
573
-
574
-
/* Check for overflow. */
575
-
if (r->cfg.burst == 0 ||
576
-
user2credits(r->cfg.avg * r->cfg.burst) < user2credits(r->cfg.avg)) {
577
-
printk(KERN_ERR "xt_hashlimit: overflow, try lower: %u/%u\n",
578
-
r->cfg.avg, r->cfg.burst);
579
-
return false;
580
-
}
581
-
if (r->cfg.mode == 0 ||
582
-
r->cfg.mode > (XT_HASHLIMIT_HASH_DPT |
583
-
XT_HASHLIMIT_HASH_DIP |
584
-
XT_HASHLIMIT_HASH_SIP |
585
-
XT_HASHLIMIT_HASH_SPT))
586
-
return false;
587
-
if (!r->cfg.gc_interval)
588
-
return false;
589
-
if (!r->cfg.expire)
590
-
return false;
591
-
if (r->name[sizeof(r->name) - 1] != '\0')
592
-
return false;
593
-
594
-
mutex_lock(&hashlimit_mutex);
595
-
r->hinfo = htable_find_get(net, r->name, par->match->family);
596
-
if (!r->hinfo && htable_create_v0(net, r, par->match->family) != 0) {
597
-
mutex_unlock(&hashlimit_mutex);
598
-
return false;
599
-
}
600
-
mutex_unlock(&hashlimit_mutex);
601
-
602
-
return true;
603
-
}
604
-
605
-
static bool hashlimit_mt_check(const struct xt_mtchk_param *par)
681
+
static int hashlimit_mt_check(const struct xt_mtchk_param *par)
606
682
{
607
683
struct net *net = par->net;
608
684
struct xt_hashlimit_mtinfo1 *info = par->matchinfo;
685
+
int ret;
609
686
610
687
/* Check for overflow. */
611
688
if (info->cfg.burst == 0 ||
612
689
user2credits(info->cfg.avg * info->cfg.burst) <
613
690
user2credits(info->cfg.avg)) {
614
-
printk(KERN_ERR "xt_hashlimit: overflow, try lower: %u/%u\n",
615
-
info->cfg.avg, info->cfg.burst);
616
-
return false;
691
+
pr_info("overflow, try lower: %u/%u\n",
692
+
info->cfg.avg, info->cfg.burst);
693
+
return -ERANGE;
617
694
}
618
695
if (info->cfg.gc_interval == 0 || info->cfg.expire == 0)
619
-
return false;
696
+
return -EINVAL;
620
697
if (info->name[sizeof(info->name)-1] != '\0')
621
-
return false;
622
-
if (par->match->family == NFPROTO_IPV4) {
698
+
return -EINVAL;
699
+
if (par->family == NFPROTO_IPV4) {
623
700
if (info->cfg.srcmask > 32 || info->cfg.dstmask > 32)
624
-
return false;
701
+
return -EINVAL;
625
702
} else {
626
703
if (info->cfg.srcmask > 128 || info->cfg.dstmask > 128)
627
-
return false;
704
+
return -EINVAL;
628
705
}
629
706
630
707
mutex_lock(&hashlimit_mutex);
631
-
info->hinfo = htable_find_get(net, info->name, par->match->family);
632
-
if (!info->hinfo && htable_create(net, info, par->match->family) != 0) {
633
-
mutex_unlock(&hashlimit_mutex);
634
-
return false;
708
+
info->hinfo = htable_find_get(net, info->name, par->family);
709
+
if (info->hinfo == NULL) {
710
+
ret = htable_create(net, info, par->family);
711
+
if (ret < 0) {
712
+
mutex_unlock(&hashlimit_mutex);
713
+
return ret;
714
+
}
635
715
}
636
716
mutex_unlock(&hashlimit_mutex);
637
-
return true;
638
-
}
639
-
640
-
static void
641
-
hashlimit_mt_destroy_v0(const struct xt_mtdtor_param *par)
642
-
{
643
-
const struct xt_hashlimit_info *r = par->matchinfo;
644
-
645
-
htable_put(r->hinfo);
717
+
return 0;
646
718
}
647
719
648
720
static void hashlimit_mt_destroy(const struct xt_mtdtor_param *par)
···
612
764
htable_put(info->hinfo);
613
765
}
614
766
615
-
#ifdef CONFIG_COMPAT
616
-
struct compat_xt_hashlimit_info {
617
-
char name[IFNAMSIZ];
618
-
struct hashlimit_cfg cfg;
619
-
compat_uptr_t hinfo;
620
-
compat_uptr_t master;
621
-
};
622
-
623
-
static void hashlimit_mt_compat_from_user(void *dst, const void *src)
624
-
{
625
-
int off = offsetof(struct compat_xt_hashlimit_info, hinfo);
626
-
627
-
memcpy(dst, src, off);
628
-
memset(dst + off, 0, sizeof(struct compat_xt_hashlimit_info) - off);
629
-
}
630
-
631
-
static int hashlimit_mt_compat_to_user(void __user *dst, const void *src)
632
-
{
633
-
int off = offsetof(struct compat_xt_hashlimit_info, hinfo);
634
-
635
-
return copy_to_user(dst, src, off) ? -EFAULT : 0;
636
-
}
637
-
#endif
638
-
639
767
static struct xt_match hashlimit_mt_reg[] __read_mostly = {
640
-
{
641
-
.name = "hashlimit",
642
-
.revision = 0,
643
-
.family = NFPROTO_IPV4,
644
-
.match = hashlimit_mt_v0,
645
-
.matchsize = sizeof(struct xt_hashlimit_info),
646
-
#ifdef CONFIG_COMPAT
647
-
.compatsize = sizeof(struct compat_xt_hashlimit_info),
648
-
.compat_from_user = hashlimit_mt_compat_from_user,
649
-
.compat_to_user = hashlimit_mt_compat_to_user,
650
-
#endif
651
-
.checkentry = hashlimit_mt_check_v0,
652
-
.destroy = hashlimit_mt_destroy_v0,
653
-
.me = THIS_MODULE
654
-
},
655
768
{
656
769
.name = "hashlimit",
657
770
.revision = 1,
···
624
815
.me = THIS_MODULE,
625
816
},
626
817
#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
627
-
{
628
-
.name = "hashlimit",
629
-
.family = NFPROTO_IPV6,
630
-
.match = hashlimit_mt_v0,
631
-
.matchsize = sizeof(struct xt_hashlimit_info),
632
-
#ifdef CONFIG_COMPAT
633
-
.compatsize = sizeof(struct compat_xt_hashlimit_info),
634
-
.compat_from_user = hashlimit_mt_compat_from_user,
635
-
.compat_to_user = hashlimit_mt_compat_to_user,
636
-
#endif
637
-
.checkentry = hashlimit_mt_check_v0,
638
-
.destroy = hashlimit_mt_destroy_v0,
639
-
.me = THIS_MODULE
640
-
},
641
818
{
642
819
.name = "hashlimit",
643
820
.revision = 1,
···
683
888
static int dl_seq_real_show(struct dsthash_ent *ent, u_int8_t family,
684
889
struct seq_file *s)
685
890
{
891
+
int res;
892
+
893
+
spin_lock(&ent->lock);
686
894
/* recalculate to show accurate numbers */
687
895
rateinfo_recalc(ent, jiffies);
688
896
689
897
switch (family) {
690
898
case NFPROTO_IPV4:
691
-
return seq_printf(s, "%ld %pI4:%u->%pI4:%u %u %u %u\n",
899
+
res = seq_printf(s, "%ld %pI4:%u->%pI4:%u %u %u %u\n",
692
900
(long)(ent->expires - jiffies)/HZ,
693
901
&ent->dst.ip.src,
694
902
ntohs(ent->dst.src_port),
···
699
901
ntohs(ent->dst.dst_port),
700
902
ent->rateinfo.credit, ent->rateinfo.credit_cap,
701
903
ent->rateinfo.cost);
904
+
break;
702
905
#if defined(CONFIG_IP6_NF_IPTABLES) || defined(CONFIG_IP6_NF_IPTABLES_MODULE)
703
906
case NFPROTO_IPV6:
704
-
return seq_printf(s, "%ld %pI6:%u->%pI6:%u %u %u %u\n",
907
+
res = seq_printf(s, "%ld %pI6:%u->%pI6:%u %u %u %u\n",
705
908
(long)(ent->expires - jiffies)/HZ,
706
909
&ent->dst.ip6.src,
707
910
ntohs(ent->dst.src_port),
···
710
911
ntohs(ent->dst.dst_port),
711
912
ent->rateinfo.credit, ent->rateinfo.credit_cap,
712
913
ent->rateinfo.cost);
914
+
break;
713
915
#endif
714
916
default:
715
917
BUG();
716
-
return 0;
918
+
res = 0;
717
919
}
920
+
spin_unlock(&ent->lock);
921
+
return res;
718
922
}
719
923
720
924
static int dl_seq_show(struct seq_file *s, void *v)
···
826
1024
sizeof(struct dsthash_ent), 0, 0,
827
1025
NULL);
828
1026
if (!hashlimit_cachep) {
829
-
printk(KERN_ERR "xt_hashlimit: unable to create slab cache\n");
1027
+
pr_warning("unable to create slab cache\n");
830
1028
goto err2;
831
1029
}
832
1030
return 0;
···
841
1039
842
1040
static void __exit hashlimit_mt_exit(void)
843
1041
{
844
-
kmem_cache_destroy(hashlimit_cachep);
845
1042
xt_unregister_matches(hashlimit_mt_reg, ARRAY_SIZE(hashlimit_mt_reg));
846
1043
unregister_pernet_subsys(&hashlimit_net_ops);
1044
+
1045
+
rcu_barrier_bh();
1046
+
kmem_cache_destroy(hashlimit_cachep);
847
1047
}
848
1048
849
1049
module_init(hashlimit_mt_init);
+9
-7
net/netfilter/xt_helper.c
+9
-7
net/netfilter/xt_helper.c
···
6
6
* it under the terms of the GNU General Public License version 2 as
7
7
* published by the Free Software Foundation.
8
8
*/
9
-
9
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
10
10
#include <linux/module.h>
11
11
#include <linux/skbuff.h>
12
12
#include <linux/netfilter.h>
···
54
54
return ret;
55
55
}
56
56
57
-
static bool helper_mt_check(const struct xt_mtchk_param *par)
57
+
static int helper_mt_check(const struct xt_mtchk_param *par)
58
58
{
59
59
struct xt_helper_info *info = par->matchinfo;
60
+
int ret;
60
61
61
-
if (nf_ct_l3proto_try_module_get(par->family) < 0) {
62
-
printk(KERN_WARNING "can't load conntrack support for "
63
-
"proto=%u\n", par->family);
64
-
return false;
62
+
ret = nf_ct_l3proto_try_module_get(par->family);
63
+
if (ret < 0) {
64
+
pr_info("cannot load conntrack support for proto=%u\n",
65
+
par->family);
66
+
return ret;
65
67
}
66
68
info->name[29] = '\0';
67
-
return true;
69
+
return 0;
68
70
}
69
71
70
72
static void helper_mt_destroy(const struct xt_mtdtor_param *par)
-12
net/netfilter/xt_hl.c
-12
net/netfilter/xt_hl.c
···
39
39
return ttl < info->ttl;
40
40
case IPT_TTL_GT:
41
41
return ttl > info->ttl;
42
-
default:
43
-
printk(KERN_WARNING "ipt_ttl: unknown mode %d\n",
44
-
info->mode);
45
-
return false;
46
42
}
47
43
48
44
return false;
···
52
56
switch (info->mode) {
53
57
case IP6T_HL_EQ:
54
58
return ip6h->hop_limit == info->hop_limit;
55
-
break;
56
59
case IP6T_HL_NE:
57
60
return ip6h->hop_limit != info->hop_limit;
58
-
break;
59
61
case IP6T_HL_LT:
60
62
return ip6h->hop_limit < info->hop_limit;
61
-
break;
62
63
case IP6T_HL_GT:
63
64
return ip6h->hop_limit > info->hop_limit;
64
-
break;
65
-
default:
66
-
printk(KERN_WARNING "ip6t_hl: unknown mode %d\n",
67
-
info->mode);
68
-
return false;
69
65
}
70
66
71
67
return false;
+1
net/netfilter/xt_iprange.c
+1
net/netfilter/xt_iprange.c
+7
-6
net/netfilter/xt_limit.c
+7
-6
net/netfilter/xt_limit.c
···
5
5
* it under the terms of the GNU General Public License version 2 as
6
6
* published by the Free Software Foundation.
7
7
*/
8
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
8
9
9
10
#include <linux/slab.h>
10
11
#include <linux/module.h>
···
99
98
return (user * HZ * CREDITS_PER_JIFFY) / XT_LIMIT_SCALE;
100
99
}
101
100
102
-
static bool limit_mt_check(const struct xt_mtchk_param *par)
101
+
static int limit_mt_check(const struct xt_mtchk_param *par)
103
102
{
104
103
struct xt_rateinfo *r = par->matchinfo;
105
104
struct xt_limit_priv *priv;
···
107
106
/* Check for overflow. */
108
107
if (r->burst == 0
109
108
|| user2credits(r->avg * r->burst) < user2credits(r->avg)) {
110
-
printk("Overflow in xt_limit, try lower: %u/%u\n",
111
-
r->avg, r->burst);
112
-
return false;
109
+
pr_info("Overflow, try lower: %u/%u\n",
110
+
r->avg, r->burst);
111
+
return -ERANGE;
113
112
}
114
113
115
114
priv = kmalloc(sizeof(*priv), GFP_KERNEL);
116
115
if (priv == NULL)
117
-
return false;
116
+
return -ENOMEM;
118
117
119
118
/* For SMP, we only want to use one set of state. */
120
119
r->master = priv;
···
126
125
r->credit_cap = user2credits(r->avg * r->burst); /* Credits full. */
127
126
r->cost = user2credits(r->avg);
128
127
}
129
-
return true;
128
+
return 0;
130
129
}
131
130
132
131
static void limit_mt_destroy(const struct xt_mtdtor_param *par)
+12
-7
net/netfilter/xt_mac.c
+12
-7
net/netfilter/xt_mac.c
···
10
10
11
11
#include <linux/module.h>
12
12
#include <linux/skbuff.h>
13
+
#include <linux/if_arp.h>
13
14
#include <linux/if_ether.h>
14
15
#include <linux/etherdevice.h>
15
16
···
27
26
28
27
static bool mac_mt(const struct sk_buff *skb, const struct xt_match_param *par)
29
28
{
30
-
const struct xt_mac_info *info = par->matchinfo;
29
+
const struct xt_mac_info *info = par->matchinfo;
30
+
bool ret;
31
31
32
-
/* Is mac pointer valid? */
33
-
return skb_mac_header(skb) >= skb->head &&
34
-
skb_mac_header(skb) + ETH_HLEN <= skb->data
35
-
/* If so, compare... */
36
-
&& ((!compare_ether_addr(eth_hdr(skb)->h_source, info->srcaddr))
37
-
^ info->invert);
32
+
if (skb->dev == NULL || skb->dev->type != ARPHRD_ETHER)
33
+
return false;
34
+
if (skb_mac_header(skb) < skb->head)
35
+
return false;
36
+
if (skb_mac_header(skb) + ETH_HLEN > skb->data)
37
+
return false;
38
+
ret = compare_ether_addr(eth_hdr(skb)->h_source, info->srcaddr) == 0;
39
+
ret ^= info->invert;
40
+
return ret;
38
41
}
39
42
40
43
static struct xt_match mac_mt_reg __read_mostly = {
+33
-2
net/netfilter/xt_mark.c
+33
-2
net/netfilter/xt_mark.c
···
18
18
19
19
MODULE_LICENSE("GPL");
20
20
MODULE_AUTHOR("Marc Boucher <marc@mbsi.ca>");
21
-
MODULE_DESCRIPTION("Xtables: packet mark match");
21
+
MODULE_DESCRIPTION("Xtables: packet mark operations");
22
22
MODULE_ALIAS("ipt_mark");
23
23
MODULE_ALIAS("ip6t_mark");
24
+
MODULE_ALIAS("ipt_MARK");
25
+
MODULE_ALIAS("ip6t_MARK");
26
+
27
+
static unsigned int
28
+
mark_tg(struct sk_buff *skb, const struct xt_target_param *par)
29
+
{
30
+
const struct xt_mark_tginfo2 *info = par->targinfo;
31
+
32
+
skb->mark = (skb->mark & ~info->mask) ^ info->mark;
33
+
return XT_CONTINUE;
34
+
}
24
35
25
36
static bool
26
37
mark_mt(const struct sk_buff *skb, const struct xt_match_param *par)
···
40
29
41
30
return ((skb->mark & info->mask) == info->mark) ^ info->invert;
42
31
}
32
+
33
+
static struct xt_target mark_tg_reg __read_mostly = {
34
+
.name = "MARK",
35
+
.revision = 2,
36
+
.family = NFPROTO_UNSPEC,
37
+
.target = mark_tg,
38
+
.targetsize = sizeof(struct xt_mark_tginfo2),
39
+
.me = THIS_MODULE,
40
+
};
43
41
44
42
static struct xt_match mark_mt_reg __read_mostly = {
45
43
.name = "mark",
···
61
41
62
42
static int __init mark_mt_init(void)
63
43
{
64
-
return xt_register_match(&mark_mt_reg);
44
+
int ret;
45
+
46
+
ret = xt_register_target(&mark_tg_reg);
47
+
if (ret < 0)
48
+
return ret;
49
+
ret = xt_register_match(&mark_mt_reg);
50
+
if (ret < 0) {
51
+
xt_unregister_target(&mark_tg_reg);
52
+
return ret;
53
+
}
54
+
return 0;
65
55
}
66
56
67
57
static void __exit mark_mt_exit(void)
68
58
{
69
59
xt_unregister_match(&mark_mt_reg);
60
+
xt_unregister_target(&mark_tg_reg);
70
61
}
71
62
72
63
module_init(mark_mt_init);
+6
-89
net/netfilter/xt_multiport.c
+6
-89
net/netfilter/xt_multiport.c
···
8
8
* it under the terms of the GNU General Public License version 2 as
9
9
* published by the Free Software Foundation.
10
10
*/
11
-
11
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
12
12
#include <linux/module.h>
13
13
#include <linux/types.h>
14
14
#include <linux/udp.h>
···
26
26
MODULE_ALIAS("ipt_multiport");
27
27
MODULE_ALIAS("ip6t_multiport");
28
28
29
-
#if 0
30
-
#define duprintf(format, args...) printk(format , ## args)
31
-
#else
32
-
#define duprintf(format, args...)
33
-
#endif
34
-
35
-
/* Returns 1 if the port is matched by the test, 0 otherwise. */
36
-
static inline bool
37
-
ports_match_v0(const u_int16_t *portlist, enum xt_multiport_flags flags,
38
-
u_int8_t count, u_int16_t src, u_int16_t dst)
39
-
{
40
-
unsigned int i;
41
-
for (i = 0; i < count; i++) {
42
-
if (flags != XT_MULTIPORT_DESTINATION && portlist[i] == src)
43
-
return true;
44
-
45
-
if (flags != XT_MULTIPORT_SOURCE && portlist[i] == dst)
46
-
return true;
47
-
}
48
-
49
-
return false;
50
-
}
51
-
52
29
/* Returns 1 if the port is matched by the test, 0 otherwise. */
53
30
static inline bool
54
31
ports_match_v1(const struct xt_multiport_v1 *minfo,
···
40
63
if (minfo->pflags[i]) {
41
64
/* range port matching */
42
65
e = minfo->ports[++i];
43
-
duprintf("src or dst matches with %d-%d?\n", s, e);
66
+
pr_debug("src or dst matches with %d-%d?\n", s, e);
44
67
45
68
if (minfo->flags == XT_MULTIPORT_SOURCE
46
69
&& src >= s && src <= e)
···
54
77
return true ^ minfo->invert;
55
78
} else {
56
79
/* exact port matching */
57
-
duprintf("src or dst matches with %d?\n", s);
80
+
pr_debug("src or dst matches with %d?\n", s);
58
81
59
82
if (minfo->flags == XT_MULTIPORT_SOURCE
60
83
&& src == s)
···
72
95
}
73
96
74
97
static bool
75
-
multiport_mt_v0(const struct sk_buff *skb, const struct xt_match_param *par)
76
-
{
77
-
const __be16 *pptr;
78
-
__be16 _ports[2];
79
-
const struct xt_multiport *multiinfo = par->matchinfo;
80
-
81
-
if (par->fragoff != 0)
82
-
return false;
83
-
84
-
pptr = skb_header_pointer(skb, par->thoff, sizeof(_ports), _ports);
85
-
if (pptr == NULL) {
86
-
/* We've been asked to examine this packet, and we
87
-
* can't. Hence, no choice but to drop.
88
-
*/
89
-
duprintf("xt_multiport: Dropping evil offset=0 tinygram.\n");
90
-
*par->hotdrop = true;
91
-
return false;
92
-
}
93
-
94
-
return ports_match_v0(multiinfo->ports, multiinfo->flags,
95
-
multiinfo->count, ntohs(pptr[0]), ntohs(pptr[1]));
96
-
}
97
-
98
-
static bool
99
98
multiport_mt(const struct sk_buff *skb, const struct xt_match_param *par)
100
99
{
101
100
const __be16 *pptr;
···
86
133
/* We've been asked to examine this packet, and we
87
134
* can't. Hence, no choice but to drop.
88
135
*/
89
-
duprintf("xt_multiport: Dropping evil offset=0 tinygram.\n");
136
+
pr_debug("Dropping evil offset=0 tinygram.\n");
90
137
*par->hotdrop = true;
91
138
return false;
92
139
}
···
111
158
&& count <= XT_MULTI_PORTS;
112
159
}
113
160
114
-
static bool multiport_mt_check_v0(const struct xt_mtchk_param *par)
115
-
{
116
-
const struct ipt_ip *ip = par->entryinfo;
117
-
const struct xt_multiport *multiinfo = par->matchinfo;
118
-
119
-
return check(ip->proto, ip->invflags, multiinfo->flags,
120
-
multiinfo->count);
121
-
}
122
-
123
-
static bool multiport_mt_check(const struct xt_mtchk_param *par)
161
+
static int multiport_mt_check(const struct xt_mtchk_param *par)
124
162
{
125
163
const struct ipt_ip *ip = par->entryinfo;
126
164
const struct xt_multiport_v1 *multiinfo = par->matchinfo;
···
120
176
multiinfo->count);
121
177
}
122
178
123
-
static bool multiport_mt6_check_v0(const struct xt_mtchk_param *par)
124
-
{
125
-
const struct ip6t_ip6 *ip = par->entryinfo;
126
-
const struct xt_multiport *multiinfo = par->matchinfo;
127
-
128
-
return check(ip->proto, ip->invflags, multiinfo->flags,
129
-
multiinfo->count);
130
-
}
131
-
132
-
static bool multiport_mt6_check(const struct xt_mtchk_param *par)
179
+
static int multiport_mt6_check(const struct xt_mtchk_param *par)
133
180
{
134
181
const struct ip6t_ip6 *ip = par->entryinfo;
135
182
const struct xt_multiport_v1 *multiinfo = par->matchinfo;
···
133
198
{
134
199
.name = "multiport",
135
200
.family = NFPROTO_IPV4,
136
-
.revision = 0,
137
-
.checkentry = multiport_mt_check_v0,
138
-
.match = multiport_mt_v0,
139
-
.matchsize = sizeof(struct xt_multiport),
140
-
.me = THIS_MODULE,
141
-
},
142
-
{
143
-
.name = "multiport",
144
-
.family = NFPROTO_IPV4,
145
201
.revision = 1,
146
202
.checkentry = multiport_mt_check,
147
203
.match = multiport_mt,
148
204
.matchsize = sizeof(struct xt_multiport_v1),
149
-
.me = THIS_MODULE,
150
-
},
151
-
{
152
-
.name = "multiport",
153
-
.family = NFPROTO_IPV6,
154
-
.revision = 0,
155
-
.checkentry = multiport_mt6_check_v0,
156
-
.match = multiport_mt_v0,
157
-
.matchsize = sizeof(struct xt_multiport),
158
205
.me = THIS_MODULE,
159
206
},
160
207
{
+4
-4
net/netfilter/xt_osf.c
+4
-4
net/netfilter/xt_osf.c
···
16
16
* along with this program; if not, write to the Free Software
17
17
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
18
18
*/
19
-
19
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
20
20
#include <linux/module.h>
21
21
#include <linux/kernel.h>
22
22
···
382
382
383
383
err = nfnetlink_subsys_register(&xt_osf_nfnetlink);
384
384
if (err < 0) {
385
-
printk(KERN_ERR "Failed (%d) to register OSF nsfnetlink helper.\n", err);
385
+
pr_err("Failed to register OSF nsfnetlink helper (%d)\n", err);
386
386
goto err_out_exit;
387
387
}
388
388
389
389
err = xt_register_match(&xt_osf_match);
390
390
if (err) {
391
-
printk(KERN_ERR "Failed (%d) to register OS fingerprint "
392
-
"matching module.\n", err);
391
+
pr_err("Failed to register OS fingerprint "
392
+
"matching module (%d)\n", err);
393
393
goto err_out_remove;
394
394
}
395
395
+8
-8
net/netfilter/xt_physdev.c
+8
-8
net/netfilter/xt_physdev.c
···
7
7
* it under the terms of the GNU General Public License version 2 as
8
8
* published by the Free Software Foundation.
9
9
*/
10
-
10
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
11
11
#include <linux/module.h>
12
12
#include <linux/skbuff.h>
13
13
#include <linux/netfilter_bridge.h>
···
83
83
return (!!ret ^ !(info->invert & XT_PHYSDEV_OP_OUT));
84
84
}
85
85
86
-
static bool physdev_mt_check(const struct xt_mtchk_param *par)
86
+
static int physdev_mt_check(const struct xt_mtchk_param *par)
87
87
{
88
88
const struct xt_physdev_info *info = par->matchinfo;
89
89
90
90
if (!(info->bitmask & XT_PHYSDEV_OP_MASK) ||
91
91
info->bitmask & ~XT_PHYSDEV_OP_MASK)
92
-
return false;
92
+
return -EINVAL;
93
93
if (info->bitmask & XT_PHYSDEV_OP_OUT &&
94
94
(!(info->bitmask & XT_PHYSDEV_OP_BRIDGED) ||
95
95
info->invert & XT_PHYSDEV_OP_BRIDGED) &&
96
96
par->hook_mask & ((1 << NF_INET_LOCAL_OUT) |
97
97
(1 << NF_INET_FORWARD) | (1 << NF_INET_POST_ROUTING))) {
98
-
printk(KERN_WARNING "physdev match: using --physdev-out in the "
99
-
"OUTPUT, FORWARD and POSTROUTING chains for non-bridged "
100
-
"traffic is not supported anymore.\n");
98
+
pr_info("using --physdev-out in the OUTPUT, FORWARD and "
99
+
"POSTROUTING chains for non-bridged traffic is not "
100
+
"supported anymore.\n");
101
101
if (par->hook_mask & (1 << NF_INET_LOCAL_OUT))
102
-
return false;
102
+
return -EINVAL;
103
103
}
104
-
return true;
104
+
return 0;
105
105
}
106
106
107
107
static struct xt_match physdev_mt_reg __read_mostly = {
+13
-16
net/netfilter/xt_policy.c
+13
-16
net/netfilter/xt_policy.c
···
6
6
* it under the terms of the GNU General Public License version 2 as
7
7
* published by the Free Software Foundation.
8
8
*/
9
-
9
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
10
10
#include <linux/kernel.h>
11
11
#include <linux/module.h>
12
12
#include <linux/skbuff.h>
···
116
116
int ret;
117
117
118
118
if (info->flags & XT_POLICY_MATCH_IN)
119
-
ret = match_policy_in(skb, info, par->match->family);
119
+
ret = match_policy_in(skb, info, par->family);
120
120
else
121
-
ret = match_policy_out(skb, info, par->match->family);
121
+
ret = match_policy_out(skb, info, par->family);
122
122
123
123
if (ret < 0)
124
124
ret = info->flags & XT_POLICY_MATCH_NONE ? true : false;
···
128
128
return ret;
129
129
}
130
130
131
-
static bool policy_mt_check(const struct xt_mtchk_param *par)
131
+
static int policy_mt_check(const struct xt_mtchk_param *par)
132
132
{
133
133
const struct xt_policy_info *info = par->matchinfo;
134
134
135
135
if (!(info->flags & (XT_POLICY_MATCH_IN|XT_POLICY_MATCH_OUT))) {
136
-
printk(KERN_ERR "xt_policy: neither incoming nor "
137
-
"outgoing policy selected\n");
138
-
return false;
136
+
pr_info("neither incoming nor outgoing policy selected\n");
137
+
return -EINVAL;
139
138
}
140
139
if (par->hook_mask & ((1 << NF_INET_PRE_ROUTING) |
141
140
(1 << NF_INET_LOCAL_IN)) && info->flags & XT_POLICY_MATCH_OUT) {
142
-
printk(KERN_ERR "xt_policy: output policy not valid in "
143
-
"PRE_ROUTING and INPUT\n");
144
-
return false;
141
+
pr_info("output policy not valid in PREROUTING and INPUT\n");
142
+
return -EINVAL;
145
143
}
146
144
if (par->hook_mask & ((1 << NF_INET_POST_ROUTING) |
147
145
(1 << NF_INET_LOCAL_OUT)) && info->flags & XT_POLICY_MATCH_IN) {
148
-
printk(KERN_ERR "xt_policy: input policy not valid in "
149
-
"POST_ROUTING and OUTPUT\n");
150
-
return false;
146
+
pr_info("input policy not valid in POSTROUTING and OUTPUT\n");
147
+
return -EINVAL;
151
148
}
152
149
if (info->len > XT_POLICY_MAX_ELEM) {
153
-
printk(KERN_ERR "xt_policy: too many policy elements\n");
154
-
return false;
150
+
pr_info("too many policy elements\n");
151
+
return -EINVAL;
155
152
}
156
-
return true;
153
+
return 0;
157
154
}
158
155
159
156
static struct xt_match policy_mt_reg[] __read_mostly = {
+4
-4
net/netfilter/xt_quota.c
+4
-4
net/netfilter/xt_quota.c
···
44
44
return ret;
45
45
}
46
46
47
-
static bool quota_mt_check(const struct xt_mtchk_param *par)
47
+
static int quota_mt_check(const struct xt_mtchk_param *par)
48
48
{
49
49
struct xt_quota_info *q = par->matchinfo;
50
50
51
51
if (q->flags & ~XT_QUOTA_MASK)
52
-
return false;
52
+
return -EINVAL;
53
53
54
54
q->master = kmalloc(sizeof(*q->master), GFP_KERNEL);
55
55
if (q->master == NULL)
56
-
return false;
56
+
return -ENOMEM;
57
57
58
58
q->master->quota = q->quota;
59
-
return true;
59
+
return 0;
60
60
}
61
61
62
62
static void quota_mt_destroy(const struct xt_mtdtor_param *par)
+5
-3
net/netfilter/xt_rateest.c
+5
-3
net/netfilter/xt_rateest.c
···
74
74
return ret;
75
75
}
76
76
77
-
static bool xt_rateest_mt_checkentry(const struct xt_mtchk_param *par)
77
+
static int xt_rateest_mt_checkentry(const struct xt_mtchk_param *par)
78
78
{
79
79
struct xt_rateest_match_info *info = par->matchinfo;
80
80
struct xt_rateest *est1, *est2;
81
+
int ret = false;
81
82
82
83
if (hweight32(info->flags & (XT_RATEEST_MATCH_ABS |
83
84
XT_RATEEST_MATCH_REL)) != 1)
···
96
95
goto err1;
97
96
}
98
97
98
+
ret = -ENOENT;
99
99
est1 = xt_rateest_lookup(info->name1);
100
100
if (!est1)
101
101
goto err1;
···
111
109
112
110
info->est1 = est1;
113
111
info->est2 = est2;
114
-
return true;
112
+
return 0;
115
113
116
114
err2:
117
115
xt_rateest_put(est1);
118
116
err1:
119
-
return false;
117
+
return -EINVAL;
120
118
}
121
119
122
120
static void xt_rateest_mt_destroy(const struct xt_mtdtor_param *par)
+57
-128
net/netfilter/xt_recent.c
+57
-128
net/netfilter/xt_recent.c
···
12
12
* Author: Stephen Frost <sfrost@snowman.net>
13
13
* Copyright 2002-2003, Stephen Frost, 2.5.x port by laforge@netfilter.org
14
14
*/
15
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
15
16
#include <linux/init.h>
16
17
#include <linux/ip.h>
17
18
#include <linux/ipv6.h>
···
36
35
#include <linux/netfilter/xt_recent.h>
37
36
38
37
MODULE_AUTHOR("Patrick McHardy <kaber@trash.net>");
39
-
MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
40
-
MODULE_DESCRIPTION("Xtables: \"recently-seen\" host matching for IPv4");
38
+
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
39
+
MODULE_DESCRIPTION("Xtables: \"recently-seen\" host matching");
41
40
MODULE_LICENSE("GPL");
42
41
MODULE_ALIAS("ipt_recent");
43
42
MODULE_ALIAS("ip6t_recent");
···
52
51
module_param(ip_pkt_list_tot, uint, 0400);
53
52
module_param(ip_list_hash_size, uint, 0400);
54
53
module_param(ip_list_perms, uint, 0400);
55
-
module_param(ip_list_uid, uint, 0400);
56
-
module_param(ip_list_gid, uint, 0400);
54
+
module_param(ip_list_uid, uint, S_IRUGO | S_IWUSR);
55
+
module_param(ip_list_gid, uint, S_IRUGO | S_IWUSR);
57
56
MODULE_PARM_DESC(ip_list_tot, "number of IPs to remember per list");
58
57
MODULE_PARM_DESC(ip_pkt_list_tot, "number of packets per IP address to remember (max. 255)");
59
58
MODULE_PARM_DESC(ip_list_hash_size, "size of hash table used to look up IPs");
60
59
MODULE_PARM_DESC(ip_list_perms, "permissions on /proc/net/xt_recent/* files");
61
-
MODULE_PARM_DESC(ip_list_uid,"owner of /proc/net/xt_recent/* files");
62
-
MODULE_PARM_DESC(ip_list_gid,"owning group of /proc/net/xt_recent/* files");
60
+
MODULE_PARM_DESC(ip_list_uid, "default owner of /proc/net/xt_recent/* files");
61
+
MODULE_PARM_DESC(ip_list_gid, "default owning group of /proc/net/xt_recent/* files");
63
62
64
63
struct recent_entry {
65
64
struct list_head list;
···
85
84
struct list_head tables;
86
85
#ifdef CONFIG_PROC_FS
87
86
struct proc_dir_entry *xt_recent;
88
-
#ifdef CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT
89
-
struct proc_dir_entry *ipt_recent;
90
-
#endif
91
87
#endif
92
88
};
93
89
···
143
145
list_del(&e->lru_list);
144
146
kfree(e);
145
147
t->entries--;
148
+
}
149
+
150
+
/*
151
+
* Drop entries with timestamps older then 'time'.
152
+
*/
153
+
static void recent_entry_reap(struct recent_table *t, unsigned long time)
154
+
{
155
+
struct recent_entry *e;
156
+
157
+
/*
158
+
* The head of the LRU list is always the oldest entry.
159
+
*/
160
+
e = list_entry(t->lru_list.next, struct recent_entry, lru_list);
161
+
162
+
/*
163
+
* The last time stamp is the most recent.
164
+
*/
165
+
if (time_after(time, e->stamps[e->index-1]))
166
+
recent_entry_remove(t, e);
146
167
}
147
168
148
169
static struct recent_entry *
···
235
218
u_int8_t ttl;
236
219
bool ret = info->invert;
237
220
238
-
if (par->match->family == NFPROTO_IPV4) {
221
+
if (par->family == NFPROTO_IPV4) {
239
222
const struct iphdr *iph = ip_hdr(skb);
240
223
241
224
if (info->side == XT_RECENT_DEST)
···
261
244
262
245
spin_lock_bh(&recent_lock);
263
246
t = recent_table_lookup(recent_net, info->name);
264
-
e = recent_entry_lookup(t, &addr, par->match->family,
247
+
e = recent_entry_lookup(t, &addr, par->family,
265
248
(info->check_set & XT_RECENT_TTL) ? ttl : 0);
266
249
if (e == NULL) {
267
250
if (!(info->check_set & XT_RECENT_SET))
268
251
goto out;
269
-
e = recent_entry_init(t, &addr, par->match->family, ttl);
252
+
e = recent_entry_init(t, &addr, par->family, ttl);
270
253
if (e == NULL)
271
254
*par->hotdrop = true;
272
255
ret = !ret;
···
290
273
break;
291
274
}
292
275
}
276
+
277
+
/* info->seconds must be non-zero */
278
+
if (info->check_set & XT_RECENT_REAP)
279
+
recent_entry_reap(t, time);
293
280
}
294
281
295
282
if (info->check_set & XT_RECENT_SET ||
···
306
285
return ret;
307
286
}
308
287
309
-
static bool recent_mt_check(const struct xt_mtchk_param *par)
288
+
static int recent_mt_check(const struct xt_mtchk_param *par)
310
289
{
311
290
struct recent_net *recent_net = recent_pernet(par->net);
312
291
const struct xt_recent_mtinfo *info = par->matchinfo;
···
315
294
struct proc_dir_entry *pde;
316
295
#endif
317
296
unsigned i;
318
-
bool ret = false;
297
+
int ret = -EINVAL;
319
298
320
299
if (unlikely(!hash_rnd_inited)) {
321
300
get_random_bytes(&hash_rnd, sizeof(hash_rnd));
322
301
hash_rnd_inited = true;
323
302
}
303
+
if (info->check_set & ~XT_RECENT_VALID_FLAGS) {
304
+
pr_info("Unsupported user space flags (%08x)\n",
305
+
info->check_set);
306
+
return -EINVAL;
307
+
}
324
308
if (hweight8(info->check_set &
325
309
(XT_RECENT_SET | XT_RECENT_REMOVE |
326
310
XT_RECENT_CHECK | XT_RECENT_UPDATE)) != 1)
327
-
return false;
311
+
return -EINVAL;
328
312
if ((info->check_set & (XT_RECENT_SET | XT_RECENT_REMOVE)) &&
329
-
(info->seconds || info->hit_count))
330
-
return false;
313
+
(info->seconds || info->hit_count ||
314
+
(info->check_set & XT_RECENT_MODIFIERS)))
315
+
return -EINVAL;
316
+
if ((info->check_set & XT_RECENT_REAP) && !info->seconds)
317
+
return -EINVAL;
331
318
if (info->hit_count > ip_pkt_list_tot) {
332
-
pr_info(KBUILD_MODNAME ": hitcount (%u) is larger than "
319
+
pr_info("hitcount (%u) is larger than "
333
320
"packets to be remembered (%u)\n",
334
321
info->hit_count, ip_pkt_list_tot);
335
-
return false;
322
+
return -EINVAL;
336
323
}
337
324
if (info->name[0] == '\0' ||
338
325
strnlen(info->name, XT_RECENT_NAME_LEN) == XT_RECENT_NAME_LEN)
339
-
return false;
326
+
return -EINVAL;
340
327
341
328
mutex_lock(&recent_mutex);
342
329
t = recent_table_lookup(recent_net, info->name);
343
330
if (t != NULL) {
344
331
t->refcnt++;
345
-
ret = true;
332
+
ret = 0;
346
333
goto out;
347
334
}
348
335
349
336
t = kzalloc(sizeof(*t) + sizeof(t->iphash[0]) * ip_list_hash_size,
350
337
GFP_KERNEL);
351
-
if (t == NULL)
338
+
if (t == NULL) {
339
+
ret = -ENOMEM;
352
340
goto out;
341
+
}
353
342
t->refcnt = 1;
354
343
strcpy(t->name, info->name);
355
344
INIT_LIST_HEAD(&t->lru_list);
···
370
339
&recent_mt_fops, t);
371
340
if (pde == NULL) {
372
341
kfree(t);
342
+
ret = -ENOMEM;
373
343
goto out;
374
344
}
375
345
pde->uid = ip_list_uid;
376
346
pde->gid = ip_list_gid;
377
-
#ifdef CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT
378
-
pde = proc_create_data(t->name, ip_list_perms, recent_net->ipt_recent,
379
-
&recent_old_fops, t);
380
-
if (pde == NULL) {
381
-
remove_proc_entry(t->name, recent_net->xt_recent);
382
-
kfree(t);
383
-
goto out;
384
-
}
385
-
pde->uid = ip_list_uid;
386
-
pde->gid = ip_list_gid;
387
-
#endif
388
347
#endif
389
348
spin_lock_bh(&recent_lock);
390
349
list_add_tail(&t->list, &recent_net->tables);
391
350
spin_unlock_bh(&recent_lock);
392
-
ret = true;
351
+
ret = 0;
393
352
out:
394
353
mutex_unlock(&recent_mutex);
395
354
return ret;
···
398
377
list_del(&t->list);
399
378
spin_unlock_bh(&recent_lock);
400
379
#ifdef CONFIG_PROC_FS
401
-
#ifdef CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT
402
-
remove_proc_entry(t->name, recent_net->ipt_recent);
403
-
#endif
404
380
remove_proc_entry(t->name, recent_net->xt_recent);
405
381
#endif
406
382
recent_table_flush(t);
···
489
471
return 0;
490
472
}
491
473
492
-
#ifdef CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT
493
-
static int recent_old_seq_open(struct inode *inode, struct file *filp)
494
-
{
495
-
static bool warned_of_old;
496
-
497
-
if (unlikely(!warned_of_old)) {
498
-
printk(KERN_INFO KBUILD_MODNAME ": Use of /proc/net/ipt_recent"
499
-
" is deprecated; use /proc/net/xt_recent.\n");
500
-
warned_of_old = true;
501
-
}
502
-
return recent_seq_open(inode, filp);
503
-
}
504
-
505
-
static ssize_t recent_old_proc_write(struct file *file,
506
-
const char __user *input,
507
-
size_t size, loff_t *loff)
508
-
{
509
-
const struct proc_dir_entry *pde = PDE(file->f_path.dentry->d_inode);
510
-
struct recent_table *t = pde->data;
511
-
struct recent_entry *e;
512
-
char buf[sizeof("+255.255.255.255")], *c = buf;
513
-
union nf_inet_addr addr = {};
514
-
int add;
515
-
516
-
if (size > sizeof(buf))
517
-
size = sizeof(buf);
518
-
if (copy_from_user(buf, input, size))
519
-
return -EFAULT;
520
-
521
-
c = skip_spaces(c);
522
-
523
-
if (size - (c - buf) < 5)
524
-
return c - buf;
525
-
if (!strncmp(c, "clear", 5)) {
526
-
c += 5;
527
-
spin_lock_bh(&recent_lock);
528
-
recent_table_flush(t);
529
-
spin_unlock_bh(&recent_lock);
530
-
return c - buf;
531
-
}
532
-
533
-
switch (*c) {
534
-
case '-':
535
-
add = 0;
536
-
c++;
537
-
break;
538
-
case '+':
539
-
c++;
540
-
default:
541
-
add = 1;
542
-
break;
543
-
}
544
-
addr.ip = in_aton(c);
545
-
546
-
spin_lock_bh(&recent_lock);
547
-
e = recent_entry_lookup(t, &addr, NFPROTO_IPV4, 0);
548
-
if (e == NULL) {
549
-
if (add)
550
-
recent_entry_init(t, &addr, NFPROTO_IPV4, 0);
551
-
} else {
552
-
if (add)
553
-
recent_entry_update(t, e);
554
-
else
555
-
recent_entry_remove(t, e);
556
-
}
557
-
spin_unlock_bh(&recent_lock);
558
-
return size;
559
-
}
560
-
561
-
static const struct file_operations recent_old_fops = {
562
-
.open = recent_old_seq_open,
563
-
.read = seq_read,
564
-
.write = recent_old_proc_write,
565
-
.release = seq_release_private,
566
-
.owner = THIS_MODULE,
567
-
};
568
-
#endif
569
-
570
474
static ssize_t
571
475
recent_mt_proc_write(struct file *file, const char __user *input,
572
476
size_t size, loff_t *loff)
···
525
585
add = true;
526
586
break;
527
587
default:
528
-
printk(KERN_INFO KBUILD_MODNAME ": Need +ip, -ip or /\n");
588
+
pr_info("Need \"+ip\", \"-ip\" or \"/\"\n");
529
589
return -EINVAL;
530
590
}
531
591
···
540
600
}
541
601
542
602
if (!succ) {
543
-
printk(KERN_INFO KBUILD_MODNAME ": illegal address written "
544
-
"to procfs\n");
603
+
pr_info("illegal address written to procfs\n");
545
604
return -EINVAL;
546
605
}
547
606
···
576
637
recent_net->xt_recent = proc_mkdir("xt_recent", net->proc_net);
577
638
if (!recent_net->xt_recent)
578
639
return -ENOMEM;
579
-
#ifdef CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT
580
-
recent_net->ipt_recent = proc_mkdir("ipt_recent", net->proc_net);
581
-
if (!recent_net->ipt_recent) {
582
-
proc_net_remove(net, "xt_recent");
583
-
return -ENOMEM;
584
-
}
585
-
#endif
586
640
return 0;
587
641
}
588
642
589
643
static void __net_exit recent_proc_net_exit(struct net *net)
590
644
{
591
-
#ifdef CONFIG_NETFILTER_XT_MATCH_RECENT_PROC_COMPAT
592
-
proc_net_remove(net, "ipt_recent");
593
-
#endif
594
645
proc_net_remove(net, "xt_recent");
595
646
}
596
647
#else
+26
-25
net/netfilter/xt_sctp.c
+26
-25
net/netfilter/xt_sctp.c
···
1
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
1
2
#include <linux/module.h>
2
3
#include <linux/skbuff.h>
3
4
#include <net/ip.h>
···
15
14
MODULE_DESCRIPTION("Xtables: SCTP protocol packet match");
16
15
MODULE_ALIAS("ipt_sctp");
17
16
MODULE_ALIAS("ip6t_sctp");
18
-
19
-
#ifdef DEBUG_SCTP
20
-
#define duprintf(format, args...) printk(format , ## args)
21
-
#else
22
-
#define duprintf(format, args...)
23
-
#endif
24
17
25
18
#define SCCHECK(cond, option, flag, invflag) (!((flag) & (option)) \
26
19
|| (!!((invflag) & (option)) ^ (cond)))
···
47
52
const struct xt_sctp_flag_info *flag_info = info->flag_info;
48
53
int flag_count = info->flag_count;
49
54
50
-
#ifdef DEBUG_SCTP
55
+
#ifdef DEBUG
51
56
int i = 0;
52
57
#endif
53
58
···
57
62
do {
58
63
sch = skb_header_pointer(skb, offset, sizeof(_sch), &_sch);
59
64
if (sch == NULL || sch->length == 0) {
60
-
duprintf("Dropping invalid SCTP packet.\n");
65
+
pr_debug("Dropping invalid SCTP packet.\n");
61
66
*hotdrop = true;
62
67
return false;
63
68
}
64
-
65
-
duprintf("Chunk num: %d\toffset: %d\ttype: %d\tlength: %d\tflags: %x\n",
66
-
++i, offset, sch->type, htons(sch->length), sch->flags);
67
-
69
+
#ifdef DEBUG
70
+
pr_debug("Chunk num: %d\toffset: %d\ttype: %d\tlength: %d"
71
+
"\tflags: %x\n",
72
+
++i, offset, sch->type, htons(sch->length),
73
+
sch->flags);
74
+
#endif
68
75
offset += (ntohs(sch->length) + 3) & ~3;
69
76
70
-
duprintf("skb->len: %d\toffset: %d\n", skb->len, offset);
77
+
pr_debug("skb->len: %d\toffset: %d\n", skb->len, offset);
71
78
72
79
if (SCTP_CHUNKMAP_IS_SET(info->chunkmap, sch->type)) {
73
80
switch (chunk_match_type) {
···
121
124
sctp_sctphdr_t _sh;
122
125
123
126
if (par->fragoff != 0) {
124
-
duprintf("Dropping non-first fragment.. FIXME\n");
127
+
pr_debug("Dropping non-first fragment.. FIXME\n");
125
128
return false;
126
129
}
127
130
128
131
sh = skb_header_pointer(skb, par->thoff, sizeof(_sh), &_sh);
129
132
if (sh == NULL) {
130
-
duprintf("Dropping evil TCP offset=0 tinygram.\n");
133
+
pr_debug("Dropping evil TCP offset=0 tinygram.\n");
131
134
*par->hotdrop = true;
132
135
return false;
133
136
}
134
-
duprintf("spt: %d\tdpt: %d\n", ntohs(sh->source), ntohs(sh->dest));
137
+
pr_debug("spt: %d\tdpt: %d\n", ntohs(sh->source), ntohs(sh->dest));
135
138
136
139
return SCCHECK(ntohs(sh->source) >= info->spts[0]
137
140
&& ntohs(sh->source) <= info->spts[1],
···
144
147
XT_SCTP_CHUNK_TYPES, info->flags, info->invflags);
145
148
}
146
149
147
-
static bool sctp_mt_check(const struct xt_mtchk_param *par)
150
+
static int sctp_mt_check(const struct xt_mtchk_param *par)
148
151
{
149
152
const struct xt_sctp_info *info = par->matchinfo;
150
153
151
-
return !(info->flags & ~XT_SCTP_VALID_FLAGS)
152
-
&& !(info->invflags & ~XT_SCTP_VALID_FLAGS)
153
-
&& !(info->invflags & ~info->flags)
154
-
&& ((!(info->flags & XT_SCTP_CHUNK_TYPES)) ||
155
-
(info->chunk_match_type &
156
-
(SCTP_CHUNK_MATCH_ALL
157
-
| SCTP_CHUNK_MATCH_ANY
158
-
| SCTP_CHUNK_MATCH_ONLY)));
154
+
if (info->flags & ~XT_SCTP_VALID_FLAGS)
155
+
return -EINVAL;
156
+
if (info->invflags & ~XT_SCTP_VALID_FLAGS)
157
+
return -EINVAL;
158
+
if (info->invflags & ~info->flags)
159
+
return -EINVAL;
160
+
if (!(info->flags & XT_SCTP_CHUNK_TYPES))
161
+
return 0;
162
+
if (info->chunk_match_type & (SCTP_CHUNK_MATCH_ALL |
163
+
SCTP_CHUNK_MATCH_ANY | SCTP_CHUNK_MATCH_ONLY))
164
+
return 0;
165
+
return -EINVAL;
159
166
}
160
167
161
168
static struct xt_match sctp_mt_reg[] __read_mostly = {
+2
-3
net/netfilter/xt_socket.c
+2
-3
net/netfilter/xt_socket.c
···
9
9
* published by the Free Software Foundation.
10
10
*
11
11
*/
12
-
12
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
13
13
#include <linux/module.h>
14
14
#include <linux/skbuff.h>
15
15
#include <linux/netfilter/x_tables.h>
···
165
165
sk = NULL;
166
166
}
167
167
168
-
pr_debug("socket match: proto %u %08x:%u -> %08x:%u "
169
-
"(orig %08x:%u) sock %p\n",
168
+
pr_debug("proto %u %08x:%u -> %08x:%u (orig %08x:%u) sock %p\n",
170
169
protocol, ntohl(saddr), ntohs(sport),
171
170
ntohl(daddr), ntohs(dport),
172
171
ntohl(iph->daddr), hp ? ntohs(hp->dest) : 0, sk);
+19
-29
net/netfilter/xt_state.c
+19
-29
net/netfilter/xt_state.c
···
37
37
return (sinfo->statemask & statebit);
38
38
}
39
39
40
-
static bool state_mt_check(const struct xt_mtchk_param *par)
40
+
static int state_mt_check(const struct xt_mtchk_param *par)
41
41
{
42
-
if (nf_ct_l3proto_try_module_get(par->match->family) < 0) {
43
-
printk(KERN_WARNING "can't load conntrack support for "
44
-
"proto=%u\n", par->match->family);
45
-
return false;
46
-
}
47
-
return true;
42
+
int ret;
43
+
44
+
ret = nf_ct_l3proto_try_module_get(par->family);
45
+
if (ret < 0)
46
+
pr_info("cannot load conntrack support for proto=%u\n",
47
+
par->family);
48
+
return ret;
48
49
}
49
50
50
51
static void state_mt_destroy(const struct xt_mtdtor_param *par)
51
52
{
52
-
nf_ct_l3proto_module_put(par->match->family);
53
+
nf_ct_l3proto_module_put(par->family);
53
54
}
54
55
55
-
static struct xt_match state_mt_reg[] __read_mostly = {
56
-
{
57
-
.name = "state",
58
-
.family = NFPROTO_IPV4,
59
-
.checkentry = state_mt_check,
60
-
.match = state_mt,
61
-
.destroy = state_mt_destroy,
62
-
.matchsize = sizeof(struct xt_state_info),
63
-
.me = THIS_MODULE,
64
-
},
65
-
{
66
-
.name = "state",
67
-
.family = NFPROTO_IPV6,
68
-
.checkentry = state_mt_check,
69
-
.match = state_mt,
70
-
.destroy = state_mt_destroy,
71
-
.matchsize = sizeof(struct xt_state_info),
72
-
.me = THIS_MODULE,
73
-
},
56
+
static struct xt_match state_mt_reg __read_mostly = {
57
+
.name = "state",
58
+
.family = NFPROTO_UNSPEC,
59
+
.checkentry = state_mt_check,
60
+
.match = state_mt,
61
+
.destroy = state_mt_destroy,
62
+
.matchsize = sizeof(struct xt_state_info),
63
+
.me = THIS_MODULE,
74
64
};
75
65
76
66
static int __init state_mt_init(void)
77
67
{
78
-
return xt_register_matches(state_mt_reg, ARRAY_SIZE(state_mt_reg));
68
+
return xt_register_match(&state_mt_reg);
79
69
}
80
70
81
71
static void __exit state_mt_exit(void)
82
72
{
83
-
xt_unregister_matches(state_mt_reg, ARRAY_SIZE(state_mt_reg));
73
+
xt_unregister_match(&state_mt_reg);
84
74
}
85
75
86
76
module_init(state_mt_init);
+5
-7
net/netfilter/xt_statistic.c
+5
-7
net/netfilter/xt_statistic.c
···
53
53
return ret;
54
54
}
55
55
56
-
static bool statistic_mt_check(const struct xt_mtchk_param *par)
56
+
static int statistic_mt_check(const struct xt_mtchk_param *par)
57
57
{
58
58
struct xt_statistic_info *info = par->matchinfo;
59
59
60
60
if (info->mode > XT_STATISTIC_MODE_MAX ||
61
61
info->flags & ~XT_STATISTIC_MASK)
62
-
return false;
62
+
return -EINVAL;
63
63
64
64
info->master = kzalloc(sizeof(*info->master), GFP_KERNEL);
65
-
if (info->master == NULL) {
66
-
printk(KERN_ERR KBUILD_MODNAME ": Out of memory\n");
67
-
return false;
68
-
}
65
+
if (info->master == NULL)
66
+
return -ENOMEM;
69
67
info->master->count = info->u.nth.count;
70
68
71
-
return true;
69
+
return 0;
72
70
}
73
71
74
72
static void statistic_mt_destroy(const struct xt_mtdtor_param *par)
+24
-42
net/netfilter/xt_string.c
+24
-42
net/netfilter/xt_string.c
···
27
27
{
28
28
const struct xt_string_info *conf = par->matchinfo;
29
29
struct ts_state state;
30
-
int invert;
30
+
bool invert;
31
31
32
32
memset(&state, 0, sizeof(struct ts_state));
33
-
34
-
invert = (par->match->revision == 0 ? conf->u.v0.invert :
35
-
conf->u.v1.flags & XT_STRING_FLAG_INVERT);
33
+
invert = conf->u.v1.flags & XT_STRING_FLAG_INVERT;
36
34
37
35
return (skb_find_text((struct sk_buff *)skb, conf->from_offset,
38
36
conf->to_offset, conf->config, &state)
···
39
41
40
42
#define STRING_TEXT_PRIV(m) ((struct xt_string_info *)(m))
41
43
42
-
static bool string_mt_check(const struct xt_mtchk_param *par)
44
+
static int string_mt_check(const struct xt_mtchk_param *par)
43
45
{
44
46
struct xt_string_info *conf = par->matchinfo;
45
47
struct ts_config *ts_conf;
···
47
49
48
50
/* Damn, can't handle this case properly with iptables... */
49
51
if (conf->from_offset > conf->to_offset)
50
-
return false;
52
+
return -EINVAL;
51
53
if (conf->algo[XT_STRING_MAX_ALGO_NAME_SIZE - 1] != '\0')
52
-
return false;
54
+
return -EINVAL;
53
55
if (conf->patlen > XT_STRING_MAX_PATTERN_SIZE)
54
-
return false;
55
-
if (par->match->revision == 1) {
56
-
if (conf->u.v1.flags &
57
-
~(XT_STRING_FLAG_IGNORECASE | XT_STRING_FLAG_INVERT))
58
-
return false;
59
-
if (conf->u.v1.flags & XT_STRING_FLAG_IGNORECASE)
60
-
flags |= TS_IGNORECASE;
61
-
}
56
+
return -EINVAL;
57
+
if (conf->u.v1.flags &
58
+
~(XT_STRING_FLAG_IGNORECASE | XT_STRING_FLAG_INVERT))
59
+
return -EINVAL;
60
+
if (conf->u.v1.flags & XT_STRING_FLAG_IGNORECASE)
61
+
flags |= TS_IGNORECASE;
62
62
ts_conf = textsearch_prepare(conf->algo, conf->pattern, conf->patlen,
63
63
GFP_KERNEL, flags);
64
64
if (IS_ERR(ts_conf))
65
-
return false;
65
+
return PTR_ERR(ts_conf);
66
66
67
67
conf->config = ts_conf;
68
-
69
-
return true;
68
+
return 0;
70
69
}
71
70
72
71
static void string_mt_destroy(const struct xt_mtdtor_param *par)
···
71
76
textsearch_destroy(STRING_TEXT_PRIV(par->matchinfo)->config);
72
77
}
73
78
74
-
static struct xt_match xt_string_mt_reg[] __read_mostly = {
75
-
{
76
-
.name = "string",
77
-
.revision = 0,
78
-
.family = NFPROTO_UNSPEC,
79
-
.checkentry = string_mt_check,
80
-
.match = string_mt,
81
-
.destroy = string_mt_destroy,
82
-
.matchsize = sizeof(struct xt_string_info),
83
-
.me = THIS_MODULE
84
-
},
85
-
{
86
-
.name = "string",
87
-
.revision = 1,
88
-
.family = NFPROTO_UNSPEC,
89
-
.checkentry = string_mt_check,
90
-
.match = string_mt,
91
-
.destroy = string_mt_destroy,
92
-
.matchsize = sizeof(struct xt_string_info),
93
-
.me = THIS_MODULE
94
-
},
79
+
static struct xt_match xt_string_mt_reg __read_mostly = {
80
+
.name = "string",
81
+
.revision = 1,
82
+
.family = NFPROTO_UNSPEC,
83
+
.checkentry = string_mt_check,
84
+
.match = string_mt,
85
+
.destroy = string_mt_destroy,
86
+
.matchsize = sizeof(struct xt_string_info),
87
+
.me = THIS_MODULE,
95
88
};
96
89
97
90
static int __init string_mt_init(void)
98
91
{
99
-
return xt_register_matches(xt_string_mt_reg,
100
-
ARRAY_SIZE(xt_string_mt_reg));
92
+
return xt_register_match(&xt_string_mt_reg);
101
93
}
102
94
103
95
static void __exit string_mt_exit(void)
104
96
{
105
-
xt_unregister_matches(xt_string_mt_reg, ARRAY_SIZE(xt_string_mt_reg));
97
+
xt_unregister_match(&xt_string_mt_reg);
106
98
}
107
99
108
100
module_init(string_mt_init);
+9
-15
net/netfilter/xt_tcpudp.c
+9
-15
net/netfilter/xt_tcpudp.c
···
1
+
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
1
2
#include <linux/types.h>
2
3
#include <linux/module.h>
3
4
#include <net/ip.h>
···
20
19
MODULE_ALIAS("ip6t_udp");
21
20
MODULE_ALIAS("ip6t_tcp");
22
21
23
-
#ifdef DEBUG_IP_FIREWALL_USER
24
-
#define duprintf(format, args...) printk(format , ## args)
25
-
#else
26
-
#define duprintf(format, args...)
27
-
#endif
28
-
29
-
30
22
/* Returns 1 if the port is matched by the range, 0 otherwise */
31
23
static inline bool
32
24
port_match(u_int16_t min, u_int16_t max, u_int16_t port, bool invert)
···
40
46
u_int8_t _opt[60 - sizeof(struct tcphdr)];
41
47
unsigned int i;
42
48
43
-
duprintf("tcp_match: finding option\n");
49
+
pr_debug("finding option\n");
44
50
45
51
if (!optlen)
46
52
return invert;
···
76
82
flag overwrite to pass the direction checks.
77
83
*/
78
84
if (par->fragoff == 1) {
79
-
duprintf("Dropping evil TCP offset=1 frag.\n");
85
+
pr_debug("Dropping evil TCP offset=1 frag.\n");
80
86
*par->hotdrop = true;
81
87
}
82
88
/* Must not be a fragment. */
···
89
95
if (th == NULL) {
90
96
/* We've been asked to examine this packet, and we
91
97
can't. Hence, no choice but to drop. */
92
-
duprintf("Dropping evil TCP offset=0 tinygram.\n");
98
+
pr_debug("Dropping evil TCP offset=0 tinygram.\n");
93
99
*par->hotdrop = true;
94
100
return false;
95
101
}
···
120
126
return true;
121
127
}
122
128
123
-
static bool tcp_mt_check(const struct xt_mtchk_param *par)
129
+
static int tcp_mt_check(const struct xt_mtchk_param *par)
124
130
{
125
131
const struct xt_tcp *tcpinfo = par->matchinfo;
126
132
127
133
/* Must specify no unknown invflags */
128
-
return !(tcpinfo->invflags & ~XT_TCP_INV_MASK);
134
+
return (tcpinfo->invflags & ~XT_TCP_INV_MASK) ? -EINVAL : 0;
129
135
}
130
136
131
137
static bool udp_mt(const struct sk_buff *skb, const struct xt_match_param *par)
···
142
148
if (uh == NULL) {
143
149
/* We've been asked to examine this packet, and we
144
150
can't. Hence, no choice but to drop. */
145
-
duprintf("Dropping evil UDP tinygram.\n");
151
+
pr_debug("Dropping evil UDP tinygram.\n");
146
152
*par->hotdrop = true;
147
153
return false;
148
154
}
···
155
161
!!(udpinfo->invflags & XT_UDP_INV_DSTPT));
156
162
}
157
163
158
-
static bool udp_mt_check(const struct xt_mtchk_param *par)
164
+
static int udp_mt_check(const struct xt_mtchk_param *par)
159
165
{
160
166
const struct xt_udp *udpinfo = par->matchinfo;
161
167
162
168
/* Must specify no unknown invflags */
163
-
return !(udpinfo->invflags & ~XT_UDP_INV_MASK);
169
+
return (udpinfo->invflags & ~XT_UDP_INV_MASK) ? -EINVAL : 0;
164
170
}
165
171
166
172
static struct xt_match tcpudp_mt_reg[] __read_mostly = {
+6
-7
net/netfilter/xt_time.c
+6
-7
net/netfilter/xt_time.c
···
1
1
/*
2
2
* xt_time
3
3
* Copyright © CC Computer Consultants GmbH, 2007
4
-
* Contact: <jengelh@computergmbh.de>
5
4
*
6
5
* based on ipt_time by Fabrice MARIE <fabrice@netfilter.org>
7
6
* This is a module which is used for time matching
···
217
218
return true;
218
219
}
219
220
220
-
static bool time_mt_check(const struct xt_mtchk_param *par)
221
+
static int time_mt_check(const struct xt_mtchk_param *par)
221
222
{
222
223
const struct xt_time_info *info = par->matchinfo;
223
224
224
225
if (info->daytime_start > XT_TIME_MAX_DAYTIME ||
225
226
info->daytime_stop > XT_TIME_MAX_DAYTIME) {
226
-
printk(KERN_WARNING "xt_time: invalid argument - start or "
227
-
"stop time greater than 23:59:59\n");
228
-
return false;
227
+
pr_info("invalid argument - start or "
228
+
"stop time greater than 23:59:59\n");
229
+
return -EDOM;
229
230
}
230
231
231
-
return true;
232
+
return 0;
232
233
}
233
234
234
235
static struct xt_match xt_time_mt_reg __read_mostly = {
···
263
264
264
265
module_init(time_mt_init);
265
266
module_exit(time_mt_exit);
266
-
MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
267
+
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
267
268
MODULE_DESCRIPTION("Xtables: time-based matching");
268
269
MODULE_LICENSE("GPL");
269
270
MODULE_ALIAS("ipt_time");
+1
-2
net/netfilter/xt_u32.c
+1
-2
net/netfilter/xt_u32.c
···
3
3
*
4
4
* Original author: Don Cohen <don@isis.cs3-inc.com>
5
5
* (C) CC Computer Consultants GmbH, 2007
6
-
* Contact: <jengelh@computergmbh.de>
7
6
*/
8
7
9
8
#include <linux/module.h>
···
116
117
117
118
module_init(u32_mt_init);
118
119
module_exit(u32_mt_exit);
119
-
MODULE_AUTHOR("Jan Engelhardt <jengelh@computergmbh.de>");
120
+
MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
120
121
MODULE_DESCRIPTION("Xtables: arbitrary byte matching");
121
122
MODULE_LICENSE("GPL");
122
123
MODULE_ALIAS("ipt_u32");