diff options
| author | David S. Miller <davem@davemloft.net> | 2016-07-06 12:15:15 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2016-07-06 12:15:15 -0400 |
| commit | ae3e4562e2ce0149a4424c994a282955700711e7 (patch) | |
| tree | af7f75611e30d8502c2f3eee9f1f9e1aaa9f6534 /net/bridge | |
| parent | 73e20b761acf8678de2d55d92b90a623b8558a77 (diff) | |
| parent | c6ac37d8d8843fb1fdc34e4a2a41a4f027ab670c (diff) | |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
Pablo Neira Ayuso says:
====================
Netfilter updates for net-next
The following patchset contains Netfilter updates for net-next,
they are:
1) Don't use userspace datatypes in bridge netfilter code, from
Tobin Harding.
2) Iterate only once over the expectation table when removing the
helper module, instead of once per-netns, from Florian Westphal.
3) Extra sanitization in xt_hook_ops_alloc() to return error in case
we ever pass zero hooks, xt_hook_ops_alloc():
4) Handle NFPROTO_INET from the logging core infrastructure, from
Liping Zhang.
5) Autoload loggers when TRACE target is used from rules, this doesn't
change the behaviour in case the user already selected nfnetlink_log
as preferred way to print tracing logs, also from Liping Zhang.
6) Conntrack slabs with SLAB_HWCACHE_ALIGN to allow rearranging fields
by cache lines, increases the size of entries in 11% per entry.
From Florian Westphal.
7) Skip zone comparison if CONFIG_NF_CONNTRACK_ZONES=n, from Florian.
8) Remove useless defensive check in nf_logger_find_get() from Shivani
Bhardwaj.
9) Remove zone extension as place it in the conntrack object, this is
always include in the hashing and we expect more intensive use of
zones since containers are in place. Also from Florian Westphal.
10) Owner match now works from any namespace, from Eric Bierdeman.
11) Make sure we only reply with TCP reset to TCP traffic from
nf_reject_ipv4, patch from Liping Zhang.
12) Introduce --nflog-size to indicate amount of network packet bytes
that are copied to userspace via log message, from Vishwanath Pai.
This obsoletes --nflog-range that has never worked, it was designed
to achieve this but it has never worked.
13) Introduce generic macros for nf_tables object generation masks.
14) Use generation mask in table, chain and set objects in nf_tables.
This allows fixes interferences with ongoing preparation phase of
the commit protocol and object listings going on at the same time.
This update is introduced in three patches, one per object.
15) Check if the object is active in the next generation for element
deactivation in the rbtree implementation, given that deactivation
happens from the commit phase path we have to observe the future
status of the object.
16) Support for deletion of just added elements in the hash set type.
17) Allow to resize hashtable from /proc entry, not only from the
obscure /sys entry that maps to the module parameter, from Florian
Westphal.
18) Get rid of NFT_BASECHAIN_DISABLED, this code is not exercised
anymore since we tear down the ruleset whenever the netdevice
goes away.
19) Support for matching inverted set lookups, from Arturo Borrero.
20) Simplify the iptables_mangle_hook() by removing a superfluous
extra branch.
21) Introduce ether_addr_equal_masked() and use it from the netfilter
codebase, from Joe Perches.
22) Remove references to "Use netfilter MARK value as routing key"
from the Netfilter Kconfig description given that this toggle
doesn't exists already for 10 years, from Moritz Sichert.
23) Introduce generic NF_INVF() and use it from the xtables codebase,
from Joe Perches.
24) Setting logger to NONE via /proc was not working unless explicit
nul-termination was included in the string. This fixes seems to
leave the former behaviour there, so we don't break backward.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/bridge')
| -rw-r--r-- | net/bridge/netfilter/ebt_802_3.c | 6 | ||||
| -rw-r--r-- | net/bridge/netfilter/ebt_arp.c | 43 | ||||
| -rw-r--r-- | net/bridge/netfilter/ebt_ip.c | 28 | ||||
| -rw-r--r-- | net/bridge/netfilter/ebt_ip6.c | 41 | ||||
| -rw-r--r-- | net/bridge/netfilter/ebt_stp.c | 97 | ||||
| -rw-r--r-- | net/bridge/netfilter/ebtables.c | 32 |
6 files changed, 121 insertions, 126 deletions
diff --git a/net/bridge/netfilter/ebt_802_3.c b/net/bridge/netfilter/ebt_802_3.c index 2a449b7ab8fa..5fc4affd9fdb 100644 --- a/net/bridge/netfilter/ebt_802_3.c +++ b/net/bridge/netfilter/ebt_802_3.c | |||
| @@ -20,16 +20,16 @@ ebt_802_3_mt(const struct sk_buff *skb, struct xt_action_param *par) | |||
| 20 | __be16 type = hdr->llc.ui.ctrl & IS_UI ? hdr->llc.ui.type : hdr->llc.ni.type; | 20 | __be16 type = hdr->llc.ui.ctrl & IS_UI ? hdr->llc.ui.type : hdr->llc.ni.type; |
| 21 | 21 | ||
| 22 | if (info->bitmask & EBT_802_3_SAP) { | 22 | if (info->bitmask & EBT_802_3_SAP) { |
| 23 | if (FWINV(info->sap != hdr->llc.ui.ssap, EBT_802_3_SAP)) | 23 | if (NF_INVF(info, EBT_802_3_SAP, info->sap != hdr->llc.ui.ssap)) |
| 24 | return false; | 24 | return false; |
| 25 | if (FWINV(info->sap != hdr->llc.ui.dsap, EBT_802_3_SAP)) | 25 | if (NF_INVF(info, EBT_802_3_SAP, info->sap != hdr->llc.ui.dsap)) |
| 26 | return false; | 26 | return false; |
| 27 | } | 27 | } |
| 28 | 28 | ||
| 29 | if (info->bitmask & EBT_802_3_TYPE) { | 29 | if (info->bitmask & EBT_802_3_TYPE) { |
| 30 | if (!(hdr->llc.ui.dsap == CHECK_TYPE && hdr->llc.ui.ssap == CHECK_TYPE)) | 30 | if (!(hdr->llc.ui.dsap == CHECK_TYPE && hdr->llc.ui.ssap == CHECK_TYPE)) |
| 31 | return false; | 31 | return false; |
| 32 | if (FWINV(info->type != type, EBT_802_3_TYPE)) | 32 | if (NF_INVF(info, EBT_802_3_TYPE, info->type != type)) |
| 33 | return false; | 33 | return false; |
| 34 | } | 34 | } |
| 35 | 35 | ||
diff --git a/net/bridge/netfilter/ebt_arp.c b/net/bridge/netfilter/ebt_arp.c index cd457b891b27..227142282b45 100644 --- a/net/bridge/netfilter/ebt_arp.c +++ b/net/bridge/netfilter/ebt_arp.c | |||
| @@ -25,14 +25,14 @@ ebt_arp_mt(const struct sk_buff *skb, struct xt_action_param *par) | |||
| 25 | ah = skb_header_pointer(skb, 0, sizeof(_arph), &_arph); | 25 | ah = skb_header_pointer(skb, 0, sizeof(_arph), &_arph); |
| 26 | if (ah == NULL) | 26 | if (ah == NULL) |
| 27 | return false; | 27 | return false; |
| 28 | if (info->bitmask & EBT_ARP_OPCODE && FWINV(info->opcode != | 28 | if ((info->bitmask & EBT_ARP_OPCODE) && |
| 29 | ah->ar_op, EBT_ARP_OPCODE)) | 29 | NF_INVF(info, EBT_ARP_OPCODE, info->opcode != ah->ar_op)) |
| 30 | return false; | 30 | return false; |
| 31 | if (info->bitmask & EBT_ARP_HTYPE && FWINV(info->htype != | 31 | if ((info->bitmask & EBT_ARP_HTYPE) && |
| 32 | ah->ar_hrd, EBT_ARP_HTYPE)) | 32 | NF_INVF(info, EBT_ARP_HTYPE, info->htype != ah->ar_hrd)) |
| 33 | return false; | 33 | return false; |
| 34 | if (info->bitmask & EBT_ARP_PTYPE && FWINV(info->ptype != | 34 | if ((info->bitmask & EBT_ARP_PTYPE) && |
| 35 | ah->ar_pro, EBT_ARP_PTYPE)) | 35 | NF_INVF(info, EBT_ARP_PTYPE, info->ptype != ah->ar_pro)) |
| 36 | return false; | 36 | return false; |
| 37 | 37 | ||
| 38 | if (info->bitmask & (EBT_ARP_SRC_IP | EBT_ARP_DST_IP | EBT_ARP_GRAT)) { | 38 | if (info->bitmask & (EBT_ARP_SRC_IP | EBT_ARP_DST_IP | EBT_ARP_GRAT)) { |
| @@ -51,21 +51,22 @@ ebt_arp_mt(const struct sk_buff *skb, struct xt_action_param *par) | |||
| 51 | sizeof(daddr), &daddr); | 51 | sizeof(daddr), &daddr); |
| 52 | if (dap == NULL) | 52 | if (dap == NULL) |
| 53 | return false; | 53 | return false; |
| 54 | if (info->bitmask & EBT_ARP_SRC_IP && | 54 | if ((info->bitmask & EBT_ARP_SRC_IP) && |
| 55 | FWINV(info->saddr != (*sap & info->smsk), EBT_ARP_SRC_IP)) | 55 | NF_INVF(info, EBT_ARP_SRC_IP, |
| 56 | info->saddr != (*sap & info->smsk))) | ||
| 56 | return false; | 57 | return false; |
| 57 | if (info->bitmask & EBT_ARP_DST_IP && | 58 | if ((info->bitmask & EBT_ARP_DST_IP) && |
| 58 | FWINV(info->daddr != (*dap & info->dmsk), EBT_ARP_DST_IP)) | 59 | NF_INVF(info, EBT_ARP_DST_IP, |
| 60 | info->daddr != (*dap & info->dmsk))) | ||
| 59 | return false; | 61 | return false; |
| 60 | if (info->bitmask & EBT_ARP_GRAT && | 62 | if ((info->bitmask & EBT_ARP_GRAT) && |
| 61 | FWINV(*dap != *sap, EBT_ARP_GRAT)) | 63 | NF_INVF(info, EBT_ARP_GRAT, *dap != *sap)) |
| 62 | return false; | 64 | return false; |
| 63 | } | 65 | } |
| 64 | 66 | ||
| 65 | if (info->bitmask & (EBT_ARP_SRC_MAC | EBT_ARP_DST_MAC)) { | 67 | if (info->bitmask & (EBT_ARP_SRC_MAC | EBT_ARP_DST_MAC)) { |
| 66 | const unsigned char *mp; | 68 | const unsigned char *mp; |
| 67 | unsigned char _mac[ETH_ALEN]; | 69 | unsigned char _mac[ETH_ALEN]; |
| 68 | uint8_t verdict, i; | ||
| 69 | 70 | ||
| 70 | if (ah->ar_hln != ETH_ALEN || ah->ar_hrd != htons(ARPHRD_ETHER)) | 71 | if (ah->ar_hln != ETH_ALEN || ah->ar_hrd != htons(ARPHRD_ETHER)) |
| 71 | return false; | 72 | return false; |
| @@ -74,11 +75,9 @@ ebt_arp_mt(const struct sk_buff *skb, struct xt_action_param *par) | |||
| 74 | sizeof(_mac), &_mac); | 75 | sizeof(_mac), &_mac); |
| 75 | if (mp == NULL) | 76 | if (mp == NULL) |
| 76 | return false; | 77 | return false; |
| 77 | verdict = 0; | 78 | if (NF_INVF(info, EBT_ARP_SRC_MAC, |
| 78 | for (i = 0; i < 6; i++) | 79 | !ether_addr_equal_masked(mp, info->smaddr, |
| 79 | verdict |= (mp[i] ^ info->smaddr[i]) & | 80 | info->smmsk))) |
| 80 | info->smmsk[i]; | ||
| 81 | if (FWINV(verdict != 0, EBT_ARP_SRC_MAC)) | ||
| 82 | return false; | 81 | return false; |
| 83 | } | 82 | } |
| 84 | 83 | ||
| @@ -88,11 +87,9 @@ ebt_arp_mt(const struct sk_buff *skb, struct xt_action_param *par) | |||
| 88 | sizeof(_mac), &_mac); | 87 | sizeof(_mac), &_mac); |
| 89 | if (mp == NULL) | 88 | if (mp == NULL) |
| 90 | return false; | 89 | return false; |
| 91 | verdict = 0; | 90 | if (NF_INVF(info, EBT_ARP_DST_MAC, |
| 92 | for (i = 0; i < 6; i++) | 91 | !ether_addr_equal_masked(mp, info->dmaddr, |
| 93 | verdict |= (mp[i] ^ info->dmaddr[i]) & | 92 | info->dmmsk))) |
| 94 | info->dmmsk[i]; | ||
| 95 | if (FWINV(verdict != 0, EBT_ARP_DST_MAC)) | ||
| 96 | return false; | 93 | return false; |
| 97 | } | 94 | } |
| 98 | } | 95 | } |
diff --git a/net/bridge/netfilter/ebt_ip.c b/net/bridge/netfilter/ebt_ip.c index 23bca62d58d2..d06968bdf5ec 100644 --- a/net/bridge/netfilter/ebt_ip.c +++ b/net/bridge/netfilter/ebt_ip.c | |||
| @@ -36,19 +36,19 @@ ebt_ip_mt(const struct sk_buff *skb, struct xt_action_param *par) | |||
| 36 | ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph); | 36 | ih = skb_header_pointer(skb, 0, sizeof(_iph), &_iph); |
| 37 | if (ih == NULL) | 37 | if (ih == NULL) |
| 38 | return false; | 38 | return false; |
| 39 | if (info->bitmask & EBT_IP_TOS && | 39 | if ((info->bitmask & EBT_IP_TOS) && |
| 40 | FWINV(info->tos != ih->tos, EBT_IP_TOS)) | 40 | NF_INVF(info, EBT_IP_TOS, info->tos != ih->tos)) |
| 41 | return false; | 41 | return false; |
| 42 | if (info->bitmask & EBT_IP_SOURCE && | 42 | if ((info->bitmask & EBT_IP_SOURCE) && |
| 43 | FWINV((ih->saddr & info->smsk) != | 43 | NF_INVF(info, EBT_IP_SOURCE, |
| 44 | info->saddr, EBT_IP_SOURCE)) | 44 | (ih->saddr & info->smsk) != info->saddr)) |
| 45 | return false; | 45 | return false; |
| 46 | if ((info->bitmask & EBT_IP_DEST) && | 46 | if ((info->bitmask & EBT_IP_DEST) && |
| 47 | FWINV((ih->daddr & info->dmsk) != | 47 | NF_INVF(info, EBT_IP_DEST, |
| 48 | info->daddr, EBT_IP_DEST)) | 48 | (ih->daddr & info->dmsk) != info->daddr)) |
| 49 | return false; | 49 | return false; |
| 50 | if (info->bitmask & EBT_IP_PROTO) { | 50 | if (info->bitmask & EBT_IP_PROTO) { |
| 51 | if (FWINV(info->protocol != ih->protocol, EBT_IP_PROTO)) | 51 | if (NF_INVF(info, EBT_IP_PROTO, info->protocol != ih->protocol)) |
| 52 | return false; | 52 | return false; |
| 53 | if (!(info->bitmask & EBT_IP_DPORT) && | 53 | if (!(info->bitmask & EBT_IP_DPORT) && |
| 54 | !(info->bitmask & EBT_IP_SPORT)) | 54 | !(info->bitmask & EBT_IP_SPORT)) |
| @@ -61,16 +61,16 @@ ebt_ip_mt(const struct sk_buff *skb, struct xt_action_param *par) | |||
| 61 | return false; | 61 | return false; |
| 62 | if (info->bitmask & EBT_IP_DPORT) { | 62 | if (info->bitmask & EBT_IP_DPORT) { |
| 63 | u32 dst = ntohs(pptr->dst); | 63 | u32 dst = ntohs(pptr->dst); |
| 64 | if (FWINV(dst < info->dport[0] || | 64 | if (NF_INVF(info, EBT_IP_DPORT, |
| 65 | dst > info->dport[1], | 65 | dst < info->dport[0] || |
| 66 | EBT_IP_DPORT)) | 66 | dst > info->dport[1])) |
| 67 | return false; | 67 | return false; |
| 68 | } | 68 | } |
| 69 | if (info->bitmask & EBT_IP_SPORT) { | 69 | if (info->bitmask & EBT_IP_SPORT) { |
| 70 | u32 src = ntohs(pptr->src); | 70 | u32 src = ntohs(pptr->src); |
| 71 | if (FWINV(src < info->sport[0] || | 71 | if (NF_INVF(info, EBT_IP_SPORT, |
| 72 | src > info->sport[1], | 72 | src < info->sport[0] || |
| 73 | EBT_IP_SPORT)) | 73 | src > info->sport[1])) |
| 74 | return false; | 74 | return false; |
| 75 | } | 75 | } |
| 76 | } | 76 | } |
diff --git a/net/bridge/netfilter/ebt_ip6.c b/net/bridge/netfilter/ebt_ip6.c index 98de6e7fd86d..4617491be41e 100644 --- a/net/bridge/netfilter/ebt_ip6.c +++ b/net/bridge/netfilter/ebt_ip6.c | |||
| @@ -45,15 +45,18 @@ ebt_ip6_mt(const struct sk_buff *skb, struct xt_action_param *par) | |||
| 45 | ih6 = skb_header_pointer(skb, 0, sizeof(_ip6h), &_ip6h); | 45 | ih6 = skb_header_pointer(skb, 0, sizeof(_ip6h), &_ip6h); |
| 46 | if (ih6 == NULL) | 46 | if (ih6 == NULL) |
| 47 | return false; | 47 | return false; |
| 48 | if (info->bitmask & EBT_IP6_TCLASS && | 48 | if ((info->bitmask & EBT_IP6_TCLASS) && |
| 49 | FWINV(info->tclass != ipv6_get_dsfield(ih6), EBT_IP6_TCLASS)) | 49 | NF_INVF(info, EBT_IP6_TCLASS, |
| 50 | info->tclass != ipv6_get_dsfield(ih6))) | ||
| 50 | return false; | 51 | return false; |
| 51 | if ((info->bitmask & EBT_IP6_SOURCE && | 52 | if (((info->bitmask & EBT_IP6_SOURCE) && |
| 52 | FWINV(ipv6_masked_addr_cmp(&ih6->saddr, &info->smsk, | 53 | NF_INVF(info, EBT_IP6_SOURCE, |
| 53 | &info->saddr), EBT_IP6_SOURCE)) || | 54 | ipv6_masked_addr_cmp(&ih6->saddr, &info->smsk, |
| 54 | (info->bitmask & EBT_IP6_DEST && | 55 | &info->saddr))) || |
| 55 | FWINV(ipv6_masked_addr_cmp(&ih6->daddr, &info->dmsk, | 56 | ((info->bitmask & EBT_IP6_DEST) && |
| 56 | &info->daddr), EBT_IP6_DEST))) | 57 | NF_INVF(info, EBT_IP6_DEST, |
| 58 | ipv6_masked_addr_cmp(&ih6->daddr, &info->dmsk, | ||
| 59 | &info->daddr)))) | ||
| 57 | return false; | 60 | return false; |
| 58 | if (info->bitmask & EBT_IP6_PROTO) { | 61 | if (info->bitmask & EBT_IP6_PROTO) { |
| 59 | uint8_t nexthdr = ih6->nexthdr; | 62 | uint8_t nexthdr = ih6->nexthdr; |
| @@ -63,7 +66,7 @@ ebt_ip6_mt(const struct sk_buff *skb, struct xt_action_param *par) | |||
| 63 | offset_ph = ipv6_skip_exthdr(skb, sizeof(_ip6h), &nexthdr, &frag_off); | 66 | offset_ph = ipv6_skip_exthdr(skb, sizeof(_ip6h), &nexthdr, &frag_off); |
| 64 | if (offset_ph == -1) | 67 | if (offset_ph == -1) |
| 65 | return false; | 68 | return false; |
| 66 | if (FWINV(info->protocol != nexthdr, EBT_IP6_PROTO)) | 69 | if (NF_INVF(info, EBT_IP6_PROTO, info->protocol != nexthdr)) |
| 67 | return false; | 70 | return false; |
| 68 | if (!(info->bitmask & (EBT_IP6_DPORT | | 71 | if (!(info->bitmask & (EBT_IP6_DPORT | |
| 69 | EBT_IP6_SPORT | EBT_IP6_ICMP6))) | 72 | EBT_IP6_SPORT | EBT_IP6_ICMP6))) |
| @@ -76,22 +79,24 @@ ebt_ip6_mt(const struct sk_buff *skb, struct xt_action_param *par) | |||
| 76 | return false; | 79 | return false; |
| 77 | if (info->bitmask & EBT_IP6_DPORT) { | 80 | if (info->bitmask & EBT_IP6_DPORT) { |
| 78 | u16 dst = ntohs(pptr->tcpudphdr.dst); | 81 | u16 dst = ntohs(pptr->tcpudphdr.dst); |
| 79 | if (FWINV(dst < info->dport[0] || | 82 | if (NF_INVF(info, EBT_IP6_DPORT, |
| 80 | dst > info->dport[1], EBT_IP6_DPORT)) | 83 | dst < info->dport[0] || |
| 84 | dst > info->dport[1])) | ||
| 81 | return false; | 85 | return false; |
| 82 | } | 86 | } |
| 83 | if (info->bitmask & EBT_IP6_SPORT) { | 87 | if (info->bitmask & EBT_IP6_SPORT) { |
| 84 | u16 src = ntohs(pptr->tcpudphdr.src); | 88 | u16 src = ntohs(pptr->tcpudphdr.src); |
| 85 | if (FWINV(src < info->sport[0] || | 89 | if (NF_INVF(info, EBT_IP6_SPORT, |
| 86 | src > info->sport[1], EBT_IP6_SPORT)) | 90 | src < info->sport[0] || |
| 91 | src > info->sport[1])) | ||
| 87 | return false; | 92 | return false; |
| 88 | } | 93 | } |
| 89 | if ((info->bitmask & EBT_IP6_ICMP6) && | 94 | if ((info->bitmask & EBT_IP6_ICMP6) && |
| 90 | FWINV(pptr->icmphdr.type < info->icmpv6_type[0] || | 95 | NF_INVF(info, EBT_IP6_ICMP6, |
| 91 | pptr->icmphdr.type > info->icmpv6_type[1] || | 96 | pptr->icmphdr.type < info->icmpv6_type[0] || |
| 92 | pptr->icmphdr.code < info->icmpv6_code[0] || | 97 | pptr->icmphdr.type > info->icmpv6_type[1] || |
| 93 | pptr->icmphdr.code > info->icmpv6_code[1], | 98 | pptr->icmphdr.code < info->icmpv6_code[0] || |
| 94 | EBT_IP6_ICMP6)) | 99 | pptr->icmphdr.code > info->icmpv6_code[1])) |
| 95 | return false; | 100 | return false; |
| 96 | } | 101 | } |
| 97 | return true; | 102 | return true; |
diff --git a/net/bridge/netfilter/ebt_stp.c b/net/bridge/netfilter/ebt_stp.c index 6b731e12ecfa..3140eb912d7e 100644 --- a/net/bridge/netfilter/ebt_stp.c +++ b/net/bridge/netfilter/ebt_stp.c | |||
| @@ -17,24 +17,24 @@ | |||
| 17 | #define BPDU_TYPE_TCN 0x80 | 17 | #define BPDU_TYPE_TCN 0x80 |
| 18 | 18 | ||
| 19 | struct stp_header { | 19 | struct stp_header { |
| 20 | uint8_t dsap; | 20 | u8 dsap; |
| 21 | uint8_t ssap; | 21 | u8 ssap; |
| 22 | uint8_t ctrl; | 22 | u8 ctrl; |
| 23 | uint8_t pid; | 23 | u8 pid; |
| 24 | uint8_t vers; | 24 | u8 vers; |
| 25 | uint8_t type; | 25 | u8 type; |
| 26 | }; | 26 | }; |
| 27 | 27 | ||
| 28 | struct stp_config_pdu { | 28 | struct stp_config_pdu { |
| 29 | uint8_t flags; | 29 | u8 flags; |
| 30 | uint8_t root[8]; | 30 | u8 root[8]; |
| 31 | uint8_t root_cost[4]; | 31 | u8 root_cost[4]; |
| 32 | uint8_t sender[8]; | 32 | u8 sender[8]; |
| 33 | uint8_t port[2]; | 33 | u8 port[2]; |
| 34 | uint8_t msg_age[2]; | 34 | u8 msg_age[2]; |
| 35 | uint8_t max_age[2]; | 35 | u8 max_age[2]; |
| 36 | uint8_t hello_time[2]; | 36 | u8 hello_time[2]; |
| 37 | uint8_t forward_delay[2]; | 37 | u8 forward_delay[2]; |
| 38 | }; | 38 | }; |
| 39 | 39 | ||
| 40 | #define NR16(p) (p[0] << 8 | p[1]) | 40 | #define NR16(p) (p[0] << 8 | p[1]) |
| @@ -44,76 +44,73 @@ static bool ebt_filter_config(const struct ebt_stp_info *info, | |||
| 44 | const struct stp_config_pdu *stpc) | 44 | const struct stp_config_pdu *stpc) |
| 45 | { | 45 | { |
| 46 | const struct ebt_stp_config_info *c; | 46 | const struct ebt_stp_config_info *c; |
| 47 | uint16_t v16; | 47 | u16 v16; |
| 48 | uint32_t v32; | 48 | u32 v32; |
| 49 | int verdict, i; | ||
| 50 | 49 | ||
| 51 | c = &info->config; | 50 | c = &info->config; |
| 52 | if ((info->bitmask & EBT_STP_FLAGS) && | 51 | if ((info->bitmask & EBT_STP_FLAGS) && |
| 53 | FWINV(c->flags != stpc->flags, EBT_STP_FLAGS)) | 52 | NF_INVF(info, EBT_STP_FLAGS, c->flags != stpc->flags)) |
| 54 | return false; | 53 | return false; |
| 55 | if (info->bitmask & EBT_STP_ROOTPRIO) { | 54 | if (info->bitmask & EBT_STP_ROOTPRIO) { |
| 56 | v16 = NR16(stpc->root); | 55 | v16 = NR16(stpc->root); |
| 57 | if (FWINV(v16 < c->root_priol || | 56 | if (NF_INVF(info, EBT_STP_ROOTPRIO, |
| 58 | v16 > c->root_priou, EBT_STP_ROOTPRIO)) | 57 | v16 < c->root_priol || v16 > c->root_priou)) |
| 59 | return false; | 58 | return false; |
| 60 | } | 59 | } |
| 61 | if (info->bitmask & EBT_STP_ROOTADDR) { | 60 | if (info->bitmask & EBT_STP_ROOTADDR) { |
| 62 | verdict = 0; | 61 | if (NF_INVF(info, EBT_STP_ROOTADDR, |
| 63 | for (i = 0; i < 6; i++) | 62 | !ether_addr_equal_masked(&stpc->root[2], |
| 64 | verdict |= (stpc->root[2+i] ^ c->root_addr[i]) & | 63 | c->root_addr, |
| 65 | c->root_addrmsk[i]; | 64 | c->root_addrmsk))) |
| 66 | if (FWINV(verdict != 0, EBT_STP_ROOTADDR)) | ||
| 67 | return false; | 65 | return false; |
| 68 | } | 66 | } |
| 69 | if (info->bitmask & EBT_STP_ROOTCOST) { | 67 | if (info->bitmask & EBT_STP_ROOTCOST) { |
| 70 | v32 = NR32(stpc->root_cost); | 68 | v32 = NR32(stpc->root_cost); |
| 71 | if (FWINV(v32 < c->root_costl || | 69 | if (NF_INVF(info, EBT_STP_ROOTCOST, |
| 72 | v32 > c->root_costu, EBT_STP_ROOTCOST)) | 70 | v32 < c->root_costl || v32 > c->root_costu)) |
| 73 | return false; | 71 | return false; |
| 74 | } | 72 | } |
| 75 | if (info->bitmask & EBT_STP_SENDERPRIO) { | 73 | if (info->bitmask & EBT_STP_SENDERPRIO) { |
| 76 | v16 = NR16(stpc->sender); | 74 | v16 = NR16(stpc->sender); |
| 77 | if (FWINV(v16 < c->sender_priol || | 75 | if (NF_INVF(info, EBT_STP_SENDERPRIO, |
| 78 | v16 > c->sender_priou, EBT_STP_SENDERPRIO)) | 76 | v16 < c->sender_priol || v16 > c->sender_priou)) |
| 79 | return false; | 77 | return false; |
| 80 | } | 78 | } |
| 81 | if (info->bitmask & EBT_STP_SENDERADDR) { | 79 | if (info->bitmask & EBT_STP_SENDERADDR) { |
| 82 | verdict = 0; | 80 | if (NF_INVF(info, EBT_STP_SENDERADDR, |
| 83 | for (i = 0; i < 6; i++) | 81 | !ether_addr_equal_masked(&stpc->sender[2], |
| 84 | verdict |= (stpc->sender[2+i] ^ c->sender_addr[i]) & | 82 | c->sender_addr, |
| 85 | c->sender_addrmsk[i]; | 83 | c->sender_addrmsk))) |
| 86 | if (FWINV(verdict != 0, EBT_STP_SENDERADDR)) | ||
| 87 | return false; | 84 | return false; |
| 88 | } | 85 | } |
| 89 | if (info->bitmask & EBT_STP_PORT) { | 86 | if (info->bitmask & EBT_STP_PORT) { |
| 90 | v16 = NR16(stpc->port); | 87 | v16 = NR16(stpc->port); |
| 91 | if (FWINV(v16 < c->portl || | 88 | if (NF_INVF(info, EBT_STP_PORT, |
| 92 | v16 > c->portu, EBT_STP_PORT)) | 89 | v16 < c->portl || v16 > c->portu)) |
| 93 | return false; | 90 | return false; |
| 94 | } | 91 | } |
| 95 | if (info->bitmask & EBT_STP_MSGAGE) { | 92 | if (info->bitmask & EBT_STP_MSGAGE) { |
| 96 | v16 = NR16(stpc->msg_age); | 93 | v16 = NR16(stpc->msg_age); |
| 97 | if (FWINV(v16 < c->msg_agel || | 94 | if (NF_INVF(info, EBT_STP_MSGAGE, |
| 98 | v16 > c->msg_ageu, EBT_STP_MSGAGE)) | 95 | v16 < c->msg_agel || v16 > c->msg_ageu)) |
| 99 | return false; | 96 | return false; |
| 100 | } | 97 | } |
| 101 | if (info->bitmask & EBT_STP_MAXAGE) { | 98 | if (info->bitmask & EBT_STP_MAXAGE) { |
| 102 | v16 = NR16(stpc->max_age); | 99 | v16 = NR16(stpc->max_age); |
| 103 | if (FWINV(v16 < c->max_agel || | 100 | if (NF_INVF(info, EBT_STP_MAXAGE, |
| 104 | v16 > c->max_ageu, EBT_STP_MAXAGE)) | 101 | v16 < c->max_agel || v16 > c->max_ageu)) |
| 105 | return false; | 102 | return false; |
| 106 | } | 103 | } |
| 107 | if (info->bitmask & EBT_STP_HELLOTIME) { | 104 | if (info->bitmask & EBT_STP_HELLOTIME) { |
| 108 | v16 = NR16(stpc->hello_time); | 105 | v16 = NR16(stpc->hello_time); |
| 109 | if (FWINV(v16 < c->hello_timel || | 106 | if (NF_INVF(info, EBT_STP_HELLOTIME, |
| 110 | v16 > c->hello_timeu, EBT_STP_HELLOTIME)) | 107 | v16 < c->hello_timel || v16 > c->hello_timeu)) |
| 111 | return false; | 108 | return false; |
| 112 | } | 109 | } |
| 113 | if (info->bitmask & EBT_STP_FWDD) { | 110 | if (info->bitmask & EBT_STP_FWDD) { |
| 114 | v16 = NR16(stpc->forward_delay); | 111 | v16 = NR16(stpc->forward_delay); |
| 115 | if (FWINV(v16 < c->forward_delayl || | 112 | if (NF_INVF(info, EBT_STP_FWDD, |
| 116 | v16 > c->forward_delayu, EBT_STP_FWDD)) | 113 | v16 < c->forward_delayl || v16 > c->forward_delayu)) |
| 117 | return false; | 114 | return false; |
| 118 | } | 115 | } |
| 119 | return true; | 116 | return true; |
| @@ -125,7 +122,7 @@ ebt_stp_mt(const struct sk_buff *skb, struct xt_action_param *par) | |||
| 125 | const struct ebt_stp_info *info = par->matchinfo; | 122 | const struct ebt_stp_info *info = par->matchinfo; |
| 126 | const struct stp_header *sp; | 123 | const struct stp_header *sp; |
| 127 | struct stp_header _stph; | 124 | struct stp_header _stph; |
| 128 | const uint8_t header[6] = {0x42, 0x42, 0x03, 0x00, 0x00, 0x00}; | 125 | const u8 header[6] = {0x42, 0x42, 0x03, 0x00, 0x00, 0x00}; |
| 129 | 126 | ||
| 130 | sp = skb_header_pointer(skb, 0, sizeof(_stph), &_stph); | 127 | sp = skb_header_pointer(skb, 0, sizeof(_stph), &_stph); |
| 131 | if (sp == NULL) | 128 | if (sp == NULL) |
| @@ -135,8 +132,8 @@ ebt_stp_mt(const struct sk_buff *skb, struct xt_action_param *par) | |||
| 135 | if (memcmp(sp, header, sizeof(header))) | 132 | if (memcmp(sp, header, sizeof(header))) |
| 136 | return false; | 133 | return false; |
| 137 | 134 | ||
| 138 | if (info->bitmask & EBT_STP_TYPE && | 135 | if ((info->bitmask & EBT_STP_TYPE) && |
| 139 | FWINV(info->type != sp->type, EBT_STP_TYPE)) | 136 | NF_INVF(info, EBT_STP_TYPE, info->type != sp->type)) |
| 140 | return false; | 137 | return false; |
| 141 | 138 | ||
| 142 | if (sp->type == BPDU_TYPE_CONFIG && | 139 | if (sp->type == BPDU_TYPE_CONFIG && |
| @@ -156,8 +153,8 @@ ebt_stp_mt(const struct sk_buff *skb, struct xt_action_param *par) | |||
| 156 | static int ebt_stp_mt_check(const struct xt_mtchk_param *par) | 153 | static int ebt_stp_mt_check(const struct xt_mtchk_param *par) |
| 157 | { | 154 | { |
| 158 | const struct ebt_stp_info *info = par->matchinfo; | 155 | const struct ebt_stp_info *info = par->matchinfo; |
| 159 | const uint8_t bridge_ula[6] = {0x01, 0x80, 0xc2, 0x00, 0x00, 0x00}; | 156 | const u8 bridge_ula[6] = {0x01, 0x80, 0xc2, 0x00, 0x00, 0x00}; |
| 160 | const uint8_t msk[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff}; | 157 | const u8 msk[6] = {0xff, 0xff, 0xff, 0xff, 0xff, 0xff}; |
| 161 | const struct ebt_entry *e = par->entryinfo; | 158 | const struct ebt_entry *e = par->entryinfo; |
| 162 | 159 | ||
| 163 | if (info->bitmask & ~EBT_STP_MASK || info->invflags & ~EBT_STP_MASK || | 160 | if (info->bitmask & ~EBT_STP_MASK || info->invflags & ~EBT_STP_MASK || |
diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c index 5a61f35412a0..cceac5bb658f 100644 --- a/net/bridge/netfilter/ebtables.c +++ b/net/bridge/netfilter/ebtables.c | |||
| @@ -121,7 +121,6 @@ ebt_dev_check(const char *entry, const struct net_device *device) | |||
| 121 | return devname[i] != entry[i] && entry[i] != 1; | 121 | return devname[i] != entry[i] && entry[i] != 1; |
| 122 | } | 122 | } |
| 123 | 123 | ||
| 124 | #define FWINV2(bool, invflg) ((bool) ^ !!(e->invflags & invflg)) | ||
| 125 | /* process standard matches */ | 124 | /* process standard matches */ |
| 126 | static inline int | 125 | static inline int |
| 127 | ebt_basic_match(const struct ebt_entry *e, const struct sk_buff *skb, | 126 | ebt_basic_match(const struct ebt_entry *e, const struct sk_buff *skb, |
| @@ -130,7 +129,6 @@ ebt_basic_match(const struct ebt_entry *e, const struct sk_buff *skb, | |||
| 130 | const struct ethhdr *h = eth_hdr(skb); | 129 | const struct ethhdr *h = eth_hdr(skb); |
| 131 | const struct net_bridge_port *p; | 130 | const struct net_bridge_port *p; |
| 132 | __be16 ethproto; | 131 | __be16 ethproto; |
| 133 | int verdict, i; | ||
| 134 | 132 | ||
| 135 | if (skb_vlan_tag_present(skb)) | 133 | if (skb_vlan_tag_present(skb)) |
| 136 | ethproto = htons(ETH_P_8021Q); | 134 | ethproto = htons(ETH_P_8021Q); |
| @@ -138,38 +136,36 @@ ebt_basic_match(const struct ebt_entry *e, const struct sk_buff *skb, | |||
| 138 | ethproto = h->h_proto; | 136 | ethproto = h->h_proto; |
| 139 | 137 | ||
| 140 | if (e->bitmask & EBT_802_3) { | 138 | if (e->bitmask & EBT_802_3) { |
| 141 | if (FWINV2(eth_proto_is_802_3(ethproto), EBT_IPROTO)) | 139 | if (NF_INVF(e, EBT_IPROTO, eth_proto_is_802_3(ethproto))) |
| 142 | return 1; | 140 | return 1; |
| 143 | } else if (!(e->bitmask & EBT_NOPROTO) && | 141 | } else if (!(e->bitmask & EBT_NOPROTO) && |
| 144 | FWINV2(e->ethproto != ethproto, EBT_IPROTO)) | 142 | NF_INVF(e, EBT_IPROTO, e->ethproto != ethproto)) |
| 145 | return 1; | 143 | return 1; |
| 146 | 144 | ||
| 147 | if (FWINV2(ebt_dev_check(e->in, in), EBT_IIN)) | 145 | if (NF_INVF(e, EBT_IIN, ebt_dev_check(e->in, in))) |
| 148 | return 1; | 146 | return 1; |
| 149 | if (FWINV2(ebt_dev_check(e->out, out), EBT_IOUT)) | 147 | if (NF_INVF(e, EBT_IOUT, ebt_dev_check(e->out, out))) |
| 150 | return 1; | 148 | return 1; |
| 151 | /* rcu_read_lock()ed by nf_hook_slow */ | 149 | /* rcu_read_lock()ed by nf_hook_slow */ |
| 152 | if (in && (p = br_port_get_rcu(in)) != NULL && | 150 | if (in && (p = br_port_get_rcu(in)) != NULL && |
| 153 | FWINV2(ebt_dev_check(e->logical_in, p->br->dev), EBT_ILOGICALIN)) | 151 | NF_INVF(e, EBT_ILOGICALIN, |
| 152 | ebt_dev_check(e->logical_in, p->br->dev))) | ||
| 154 | return 1; | 153 | return 1; |
| 155 | if (out && (p = br_port_get_rcu(out)) != NULL && | 154 | if (out && (p = br_port_get_rcu(out)) != NULL && |
| 156 | FWINV2(ebt_dev_check(e->logical_out, p->br->dev), EBT_ILOGICALOUT)) | 155 | NF_INVF(e, EBT_ILOGICALOUT, |
| 156 | ebt_dev_check(e->logical_out, p->br->dev))) | ||
| 157 | return 1; | 157 | return 1; |
| 158 | 158 | ||
| 159 | if (e->bitmask & EBT_SOURCEMAC) { | 159 | if (e->bitmask & EBT_SOURCEMAC) { |
| 160 | verdict = 0; | 160 | if (NF_INVF(e, EBT_ISOURCE, |
| 161 | for (i = 0; i < 6; i++) | 161 | !ether_addr_equal_masked(h->h_source, e->sourcemac, |
| 162 | verdict |= (h->h_source[i] ^ e->sourcemac[i]) & | 162 | e->sourcemsk))) |
| 163 | e->sourcemsk[i]; | ||
| 164 | if (FWINV2(verdict != 0, EBT_ISOURCE)) | ||
| 165 | return 1; | 163 | return 1; |
| 166 | } | 164 | } |
| 167 | if (e->bitmask & EBT_DESTMAC) { | 165 | if (e->bitmask & EBT_DESTMAC) { |
| 168 | verdict = 0; | 166 | if (NF_INVF(e, EBT_IDEST, |
| 169 | for (i = 0; i < 6; i++) | 167 | !ether_addr_equal_masked(h->h_dest, e->destmac, |
| 170 | verdict |= (h->h_dest[i] ^ e->destmac[i]) & | 168 | e->destmsk))) |
| 171 | e->destmsk[i]; | ||
| 172 | if (FWINV2(verdict != 0, EBT_IDEST)) | ||
| 173 | return 1; | 169 | return 1; |
| 174 | } | 170 | } |
| 175 | return 0; | 171 | return 0; |